4d65a7c6 | 24-Nov-2023 | Warner Losh <imp@FreeBSD.org>

usr.sbin: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate no-longer-needed
sys/cdefs.h includes as well as now-empty blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by: Netflix

1d386b48 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

88ea9628 | 01-Jun-2023 | Rick Macklem <rmacklem@FreeBSD.org>

rpc.tls[serv|clnt]d.c: Clean up code for OpenSSL3

There were several function calls that are deprecated for OpenSSL1.1.1.
These have been removed. There was also a function call deprecated for
OpenSSL3 and that one has been #ifdef'd on OPENSSL_VERSION_NUMBER.

Reviewed by: emaste, ngie
Differential Revision: https://reviews.freebsd.org/D40275

4d846d26 | 10-May-2023 | Warner Losh <imp@FreeBSD.org>

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up
to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

ab3c59a1 | 22-Dec-2022 | Rick Macklem <rmacklem@FreeBSD.org>

rpc.tlsservd: Check for a tls syscall failure.

Although the tls syscall to set up the upcall should not normally fail,
the daemon should check for such a failure. This patch adds a check for
that failure.

MFC after: 1 week

1e588a9c | 08-Oct-2022 | Rick Macklem <rmacklem@FreeBSD.org>

rpc.tlsservd: Add an option to run multiple daemons

During discussions with someone that was doing NFS-over-TLS development
for Solaris, we had a concern that the server might become overloaded
after rebooting, due to a large number of TLS handshake requests from
clients.

To alleviate this potential problem, this patch modifies rpc.tlsservd so
that it supports the "-N/--numdaemons" command line option, which
specifies that up to RPCTLS_SRV_MAXNPROCS (currently defined as 16 in the
patch) may be started. When there are multiple daemons, one is selected
by the patched kernel in a round-robin fashion, to serve a TLS handshake
request.

The man page update will be done in a future commit.

Reviewed by: emaste, karels
Differential Revision: https://reviews.freebsd.org/D35886

b4fa7fde | 22-May-2022 | Rick Macklem <rmacklem@FreeBSD.org>

rpc.tlsservd: Add the -2 option to the usage line

Commit 0637b12b13be added the -2 option to allow TLS 1.2 NFS-over-TLS
mounts. It did not add -2 to the usage message. This patch adds -2 to the
usage message.

MFC after: 2 weeks

8d098ded | 22-May-2022 | Rick Macklem <rmacklem@FreeBSD.org>

rpc.tlsservd: Modify the -C option to use SSL_CTX_set_ciphersuites

Commit 0b4f2ab0e913 fixes the krpc so that it can use TLS version 1.3 for
NFS-over-TLS, as required by the draft (someday to be an RFC).

This patch replaces SSL_CTX_set_cipher_list() with
SSL_CTX_set_ciphersuites(), since that is the function that is used for
TLS1.3.

The man page has already been updated.

MFC after: 2 weeks

0637b12b | 20-May-2022 | Rick Macklem <rmacklem@FreeBSD.org>

rpc.tlsservd: Add an option to allow TLS version 1.2

Commit 0b4f2ab0e913 fixes the krpc so that it can use TLS version 1.3 for
NFS-over-TLS, as required by the draft (someday to be an RFC).

Since FreeBSD 13.0 and 13.1 use TLS version 1.2 for NFS-over-TLS mounts,
this command line option may be used so that mounts from 13.0 and 13.1
will still work. Without the command line option, only TLS version 1.3
mounts are permitted.

The man page update will be a separate commit.

MFC after: 2 weeks

d71c9f14 | 06-May-2022 | Rick Macklem <rmacklem@FreeBSD.org>

rpc.tlsservd: Add logging of TLS version and cipher used

This patch adds logging of the version of TLS and cipher negotiated
successfully by the TLS handshake for each client, if the "-v" command
line option has been specified. This information may be useful for
monitoring and debugging NFS-over-TLS mounts.

MFC after: 2 weeks

15881823 | 05-May-2022 | Rick Macklem <rmacklem@FreeBSD.org>

rpc.tlsclntd, rpc.tlsservd: Fix getopt_long argument

The "C" option in the argument to getopt_long() was missing a ":" for
both rpc.tlsclntd.c and rpc.tlsservd.c. This patch fixes this.

MFC after: 2 weeks

712aac13 | 05-May-2022 | Rick Macklem <rmacklem@FreeBSD.org>

rpc.tlsservd: Add a -C command line option for preferred_ciphers

rpc.tlsclntd has a -C command line option for setting preferred_ciphers.
Testing at a recent IETF NFSv4 testing event showed that setting
preferred_ciphers is not normally needed for the rpc.tlsservd.

This patch modifies rpc.tlsservd to not specify preferred_ciphers by
default, but provides the same -C option as rpc.tlsclntd to set
preferred_ciphers, in case it is needed.

The man page update will be done as a separate commit.

MFC after: 2 weeks

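The -C option introduced in 712aac13 and the optstring fix in 15881823 (above) are easiest to see side by side. The following is an added example, not code from rpc.tlsservd or FreeBSD: a small getopt_long() parser for the options this log discusses (-2, -v, -C, -N), run once with the pre-fix optstring ("C" without the colon) and once with the fixed "C:" on the same command line. The long option names and the clamping of -N are assumptions made for illustration; RPCTLS_SRV_MAXNPROCS is the value named in commit 1e588a9c.

```c
/*
 * Added example, not rpc.tlsservd source. It shows the bug fixed in commit
 * 15881823: with "C" instead of "C:" in the optstring, "-C <ciphers>" is
 * read as a bare flag and the cipher string falls through as a stray
 * non-option argument. Long option names and -N clamping are assumptions.
 */
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define RPCTLS_SRV_MAXNPROCS 16   /* cap named in commit 1e588a9c */

struct tlsservd_opts {
	int allow_tls12;      /* -2: also permit TLS 1.2 mounts */
	int verbose;          /* -v: log negotiated TLS version and cipher */
	const char *ciphers;  /* -C: preferred ciphers, NULL = library default */
	int numdaemons;       /* -N: number of daemons, clamped to the cap */
	int nonopt;           /* leftover non-option arguments */
};

/*
 * Parse argv with the given optstring. Returns 0 on success, -1 on an
 * unknown option or a bad -N value. optstring is a parameter only so the
 * pre-fix and fixed strings can be exercised on the same command line.
 */
static int
parse_opts(const char *optstring, int argc, char **argv,
    struct tlsservd_opts *o)
{
	static const struct option longopts[] = {
		{ "allowtls1_2", no_argument,       NULL, '2' },
		{ "verbose",     no_argument,       NULL, 'v' },
		{ "ciphers",     required_argument, NULL, 'C' },
		{ "numdaemons",  required_argument, NULL, 'N' },
		{ NULL, 0, NULL, 0 }
	};
	char *end;
	long n;
	int ch;

	memset(o, 0, sizeof(*o));
	o->numdaemons = 1;
	optind = 0;   /* glibc, musl and FreeBSD all reinitialise getopt on 0 */
	opterr = 0;   /* stay quiet; the caller reports usage errors */
	while ((ch = getopt_long(argc, argv, optstring, longopts, NULL)) != -1) {
		switch (ch) {
		case '2':
			o->allow_tls12 = 1;
			break;
		case 'v':
			o->verbose = 1;
			break;
		case 'C':
			/* With "C" (no colon) getopt leaves optarg NULL here. */
			o->ciphers = optarg;
			break;
		case 'N':
			n = strtol(optarg, &end, 10);
			if (*optarg == '\0' || *end != '\0' || n < 1)
				return (-1);
			if (n > RPCTLS_SRV_MAXNPROCS)
				n = RPCTLS_SRV_MAXNPROCS;
			o->numdaemons = (int)n;
			break;
		default:
			return (-1);
		}
	}
	o->nonopt = argc - optind;
	return (0);
}

/* Constructed command line parsed with the pre-fix optstring ("C" alone). */
static int
broken_optstring_drops_cipher_arg(void)
{
	char *argv[] = { "rpc.tlsservd", "-v", "-N", "32", "-C",
	    "TLS_AES_256_GCM_SHA384", NULL };
	struct tlsservd_opts o;

	if (parse_opts("2vCN:", 6, argv, &o) != 0)
		return (0);
	/* -C parsed as a flag: the cipher string is left as a stray argument. */
	return (o.ciphers == NULL && o.nonopt == 1 && o.verbose == 1 &&
	    o.numdaemons == RPCTLS_SRV_MAXNPROCS);
}

/* Same command line with the fixed optstring ("C:"). */
static int
fixed_optstring_keeps_cipher_arg(void)
{
	char *argv[] = { "rpc.tlsservd", "-v", "-N", "32", "-C",
	    "TLS_AES_256_GCM_SHA384", NULL };
	struct tlsservd_opts o;

	if (parse_opts("2vC:N:", 6, argv, &o) != 0)
		return (0);
	return (o.ciphers != NULL &&
	    strcmp(o.ciphers, "TLS_AES_256_GCM_SHA384") == 0 &&
	    o.nonopt == 0 && o.numdaemons == RPCTLS_SRV_MAXNPROCS);
}

/* Parse just "-N <arg>"; returns the clamped daemon count, or -1 if rejected. */
static int
parse_numdaemons(const char *arg)
{
	char *argv[] = { "rpc.tlsservd", "-N", (char *)arg, NULL };
	struct tlsservd_opts o;

	if (parse_opts("2vC:N:", 3, argv, &o) != 0)
		return (-1);
	return (o.numdaemons);
}

int
main(void)
{
	printf("pre-fix optstring drops the -C argument: %s\n",
	    broken_optstring_drops_cipher_arg() ? "yes" : "no");
	printf("fixed optstring keeps the -C argument:  %s\n",
	    fixed_optstring_keeps_cipher_arg() ? "yes" : "no");
	printf("-N 32 clamps to %d; -N 0 is rejected (%d)\n",
	    parse_numdaemons("32"), parse_numdaemons("0"));
	return (0);
}
```

The practical lesson is that the missing colon fails silently: getopt_long() reports no error, the daemon simply runs without the requested ciphers, and the only visible symptom is an unexpected non-option argument, which is why checking `argc - optind` after the loop and printing usage on leftovers is worth keeping in any daemon's option parser.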
350668eb | 26-Apr-2022 | Rick Macklem <rmacklem@FreeBSD.org>

rpc.tlsservd: Delete set but unused variable

c7bb0f47 | 10-Aug-2021 | John Baldwin <jhb@FreeBSD.org>

nfs tls: Update for SSL_OP_ENABLE_KTLS.

Upstream OpenSSL (and the KTLS backport) have switched to an opt-in option
(SSL_OP_ENABLE_KTLS) in place of opt-out modes (SSL_MODE_NO_KTLS_TX and
SSL_MODE_NO_KTLS_RX) for controlling kernel TLS.

Reviewed by: rmacklem
Sponsored by: Netflix
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31445

b9cbc85d | 18-Feb-2021 | Rick Macklem <rmacklem@FreeBSD.org>

nfs-over-tls: add user space daemons rpc.tlsclntd and rpc.tlsservd

The kernel changes needed for nfs-over-tls have been committed to main.
However, nfs-over-tls requires user space daemons to handle the TLS
handshake and other non-application data TLS records.

There is one daemon (rpc.tlsclntd) for the client side and one daemon
(rpc.tlsservd) for the server side, although they share a fair amount of
code found in rpc.tlscommon.c and rpc.tlscommon.h.

They use a KTLS enabled OpenSSL to perform the actual work and, as such,
are only built when MK_OPENSSL_KTLS is set.

Communication with the kernel is done via upcall RPCs done on AF_LOCAL
sockets and the custom system call rpctls_syscall.

Reviewed by: gbe (man pages only), jhb (usr.sbin/Makefile only)
Comments by: jhb
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D28430
Relnotes: yes