author | Rick Macklem <rmacklem@FreeBSD.org> | 2020-08-22 03:57:55 +0000 |
---|---|---|
committer | Rick Macklem <rmacklem@FreeBSD.org> | 2020-08-22 03:57:55 +0000 |
commit | ab0c29af0512df1e40c30f1b361da7803594336e (patch) | |
tree | a4a060373915aec885ec1f16a58946209c74bf01 /sys/rpc/krpc.h | |
parent | 530134d2918e3f8d53cf51b89c0f4c5fd032c88b (diff) | |
download | src-ab0c29af0512df1e40c30f1b361da7803594336e.tar.gz src-ab0c29af0512df1e40c30f1b361da7803594336e.zip |
Add TLS support to the kernel RPC.
An internet draft titled "Towards Remote Procedure Call Encryption By Default"
describes how TLS is to be used for Sun RPC, with NFS as an intended use case.
This patch adds client and server support for this to the kernel RPC,
using KERN_TLS and upcalls to daemons for the handshake, peer reset and
other non-application data record cases.
The upcalls to the daemons use three fields to uniquely identify the
TCP connection. They are the time.tv_sec, time.tv_usec of the connection
establishment, plus a 64-bit sequence number. The time fields avoid problems
with re-use of the sequence number after a daemon restart.
For the server side, once a Null RPC with AUTH_TLS is received, kernel
reception on the socket is blocked and an upcall to the rpctlssd(8) daemon
is done to perform the TLS handshake. Upon completion, the completion
status of the handshake is stored in xp_tls as flag bits and the reply to
the Null RPC is sent.
For the client, if CLSET_TLS has been set, a new TCP connection will
send the Null RPC with AUTH_TLS to initiate the handshake. The client
kernel RPC code will then block kernel I/O on the socket and do an upcall
to the rpctlscd(8) daemon to perform the handshake.
If the upcall is successful, ct_rcvstate will be maintained to indicate
if/when an upcall is being done.
If non-application data records are received, the code does an upcall to
the appropriate daemon, which will do a SSL_read() of 0 length to handle
the record(s).
When the socket is being shut down, upcalls are done to the daemons, so
that they can perform SSL_shutdown() calls to perform the "peer reset".
The rpctlssd(8) and rpctlscd(8) daemons require a patched version of the
openssl library and, as such, will not be committed to head at this time.
Although the changes done by this patch are fairly numerous, there should
be no semantics change to the kernel RPC at this time.
A future commit to the NFS code will optionally enable use of TLS for NFS.
Notes
Notes:
svn path=/head/; revision=364475
Diffstat (limited to 'sys/rpc/krpc.h')
-rw-r--r-- | sys/rpc/krpc.h | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/sys/rpc/krpc.h b/sys/rpc/krpc.h
index 978edbe8ca48..53d46deddf65 100644
--- a/sys/rpc/krpc.h
+++ b/sys/rpc/krpc.h
@@ -42,6 +42,7 @@ void clnt_bck_svccall(void *, struct mbuf *, uint32_t);
 enum clnt_stat clnt_bck_call(CLIENT *, struct rpc_callextra *, rpcproc_t, struct mbuf *, struct mbuf **, struct timeval, SVCXPRT *);
+struct mbuf *_rpc_copym_into_ext_pgs(struct mbuf *, int);
 /*
  * A pending RPC request which awaits a reply. Requests which have
@@ -78,8 +79,18 @@ struct rc_data {
 CLIENT* rc_client; /* underlying RPC client */
 struct rpc_err rc_err;
 void *rc_backchannel;
+bool rc_tls; /* Enable TLS on connection */
 };
+/* Bits for ct_rcvstate. */
+#define RPCRCVSTATE_NORMAL 0x01 /* Normal reception. */
+#define RPCRCVSTATE_NONAPPDATA 0x02 /* Reception of a non-application record. */
+#define RPCRCVSTATE_TLSHANDSHAKE 0x04 /* Reception blocked for TLS handshake. */
+#define RPCRCVSTATE_UPCALLNEEDED 0x08 /* Upcall to rpctlscd needed. */
+#define RPCRCVSTATE_UPCALLINPROG 0x10 /* Upcall to rpctlscd in progress. */
+#define RPCRCVSTATE_SOUPCALLNEEDED 0x20 /* Socket upcall needed. */
+#define RPCRCVSTATE_UPCALLTHREAD 0x40 /* Upcall kthread running. */
+
 struct ct_data {
 struct mtx ct_lock;
 int ct_threads; /* number of threads in clnt_vc_call */
@@ -101,6 +112,10 @@ struct ct_data {
 struct ct_request_list ct_pending;
 int ct_upcallrefs; /* Ref cnt of upcalls in prog. */
 SVCXPRT *ct_backchannelxprt; /* xprt for backchannel */
+uint64_t ct_sslsec; /* RPC-over-TLS connection. */
+uint64_t ct_sslusec;
+uint64_t ct_sslrefno;
+uint32_t ct_rcvstate; /* Handle receiving for TLS upcalls */
 struct mbuf *ct_raw; /* Raw mbufs recv'd */
 };
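Review bot: The three new `struct ct_data` members `ct_sslsec`, `ct_sslusec` and `ct_sslrefno` in the last hunk share a single comment, `/* RPC-over-TLS connection. */`, which does not say what the values are, although the commit message explains they are the tv_sec/tv_usec of connection establishment plus a 64-bit sequence number that together identify the TCP connection to rpctlscd(8)/rpctlssd(8) and stay unique across a daemon restart. Because a daemon acting on a stale or mismatched identifier would be operating on the wrong connection, that contract belongs in the header; a comment over the three fields such as `/* Identifies this connection to the TLS daemon across upcalls: */` `/* tv_sec/tv_usec of connection establishment plus a 64-bit sequence number. */` would do. The `RPCRCVSTATE_*` block documents each bit but not how they combine (for example whether `RPCRCVSTATE_NORMAL` is cleared while `RPCRCVSTATE_TLSHANDSHAKE` is set); if the bits are meant to be mutually exclusive states rather than independent flags, a one-line note saying so would help readers of clnt_vc.c. The new prototype `_rpc_copym_into_ext_pgs` also begins with an underscore, which C reserves for file-scope identifiers; presumably this follows existing kernel-RPC naming, but it is worth confirming rather than introducing a new reserved-prefix name.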