forked from mirrors/linux
0ca100ff4d
Add support for the YFS-variant RxGK security class to support
GSSAPI-derived authentication. This also allows the use of better crypto
over the rxkad security class.
The key payload is XDR encoded of the form:
typedef int64_t opr_time;
const AFSTOKEN_RK_TIX_MAX = 12000; /* Matches entry in rxkad.h */
struct token_rxkad {
afs_int32 viceid;
afs_int32 kvno;
afs_int64 key;
afs_int32 begintime;
afs_int32 endtime;
afs_int32 primary_flag;
opaque ticket<AFSTOKEN_RK_TIX_MAX>;
};
struct token_rxgk {
opr_time begintime;
opr_time endtime;
afs_int64 level;
afs_int64 lifetime;
afs_int64 bytelife;
afs_int64 enctype;
opaque key<>;
opaque ticket<>;
};
const AFSTOKEN_UNION_NOAUTH = 0;
const AFSTOKEN_UNION_KAD = 2;
const AFSTOKEN_UNION_YFSGK = 6;
union ktc_tokenUnion switch (afs_int32 type) {
case AFSTOKEN_UNION_KAD:
token_rxkad kad;
case AFSTOKEN_UNION_YFSGK:
token_rxgk gk;
};
const AFSTOKEN_LENGTH_MAX = 16384;
typedef opaque token_opaque<AFSTOKEN_LENGTH_MAX>;
const AFSTOKEN_MAX = 8;
const AFSTOKEN_CELL_MAX = 64;
struct ktc_setTokenData {
afs_int32 flags;
string cell<AFSTOKEN_CELL_MAX>;
token_opaque tokens<AFSTOKEN_MAX>;
};
The parser for the basic token struct is already present, as is the rxkad
token type. This adds a parser for the rxgk token type.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: Chuck Lever <chuck.lever@oracle.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
Link: https://patch.msgid.link/20250411095303.2316168-7-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
112 lines
2.9 KiB
C
112 lines
2.9 KiB
C
/* SPDX-License-Identifier: GPL-2.0-or-later */
|
|
/* RxRPC key type
|
|
*
|
|
* Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*/
|
|
|
|
#ifndef _KEYS_RXRPC_TYPE_H
|
|
#define _KEYS_RXRPC_TYPE_H
|
|
|
|
#include <linux/key.h>
|
|
#include <crypto/krb5.h>
|
|
|
|
/*
|
|
* key type for AF_RXRPC keys
|
|
*/
|
|
extern struct key_type key_type_rxrpc;
|
|
|
|
extern struct key *rxrpc_get_null_key(const char *);
|
|
|
|
/*
|
|
* RxRPC key for Kerberos IV (type-2 security)
|
|
*/
|
|
struct rxkad_key {
|
|
u32 vice_id;
|
|
u32 start; /* time at which ticket starts */
|
|
u32 expiry; /* time at which ticket expires */
|
|
u32 kvno; /* key version number */
|
|
u8 primary_flag; /* T if key for primary cell for this user */
|
|
u16 ticket_len; /* length of ticket[] */
|
|
u8 session_key[8]; /* DES session key */
|
|
u8 ticket[]; /* the encrypted ticket */
|
|
};
|
|
|
|
/*
|
|
* RxRPC key for YFS-RxGK (type-6 security)
|
|
*/
|
|
struct rxgk_key {
|
|
s64 begintime; /* Time at which the ticket starts */
|
|
s64 endtime; /* Time at which the ticket ends */
|
|
u64 lifetime; /* Maximum lifespan of a connection (seconds) */
|
|
u64 bytelife; /* Maximum number of bytes on a connection */
|
|
unsigned int enctype; /* Encoding type */
|
|
s8 level; /* Negotiated security RXRPC_SECURITY_PLAIN/AUTH/ENCRYPT */
|
|
struct krb5_buffer key; /* Master key, K0 */
|
|
struct krb5_buffer ticket; /* Ticket to be passed to server */
|
|
u8 _key[]; /* Key storage */
|
|
};
|
|
|
|
/*
|
|
* list of tokens attached to an rxrpc key
|
|
*/
|
|
struct rxrpc_key_token {
|
|
u16 security_index; /* RxRPC header security index */
|
|
bool no_leak_key; /* Don't copy the key to userspace */
|
|
struct rxrpc_key_token *next; /* the next token in the list */
|
|
union {
|
|
struct rxkad_key *kad;
|
|
struct rxgk_key *rxgk;
|
|
};
|
|
};
|
|
|
|
/*
|
|
* structure of raw payloads passed to add_key() or instantiate key
|
|
*/
|
|
struct rxrpc_key_data_v1 {
|
|
u16 security_index;
|
|
u16 ticket_length;
|
|
u32 expiry; /* time_t */
|
|
u32 kvno;
|
|
u8 session_key[8];
|
|
u8 ticket[];
|
|
};
|
|
|
|
/*
|
|
* AF_RXRPC key payload derived from XDR format
|
|
* - based on openafs-1.4.10/src/auth/afs_token.xg
|
|
*/
|
|
#define AFSTOKEN_LENGTH_MAX 16384 /* max payload size */
|
|
#define AFSTOKEN_STRING_MAX 256 /* max small string length */
|
|
#define AFSTOKEN_DATA_MAX 64 /* max small data length */
|
|
#define AFSTOKEN_CELL_MAX 64 /* max cellname length */
|
|
#define AFSTOKEN_MAX 8 /* max tokens per payload */
|
|
#define AFSTOKEN_BDATALN_MAX 16384 /* max big data length */
|
|
#define AFSTOKEN_RK_TIX_MAX 12000 /* max RxKAD ticket size */
|
|
#define AFSTOKEN_GK_KEY_MAX 64 /* max GSSAPI key size */
|
|
#define AFSTOKEN_GK_TOKEN_MAX 16384 /* max GSSAPI token size */
|
|
|
|
/*
|
|
* Truncate a time64_t to the range from 1970 to 2106 as in the network
|
|
* protocol.
|
|
*/
|
|
static inline u32 rxrpc_time64_to_u32(time64_t time)
|
|
{
|
|
if (time < 0)
|
|
return 0;
|
|
|
|
if (time > UINT_MAX)
|
|
return UINT_MAX;
|
|
|
|
return (u32)time;
|
|
}
|
|
|
|
/*
|
|
* Extend u32 back to time64_t using the same 1970-2106 range.
|
|
*/
|
|
static inline time64_t rxrpc_u32_to_time64(u32 time)
|
|
{
|
|
return (time64_t)time;
|
|
}
|
|
|
|
#endif /* _KEYS_RXRPC_TYPE_H */
|