
[net,20/24] rxrpc: Add the security index for yfs-rxgk

Message ID 20250203142343.248839-21-dhowells@redhat.com (mailing list archive)
State Handled Elsewhere
Series net/rxrpc, crypto: Add Kerberos crypto lib and AF_RXRPC GSSAPI security class | expand

Commit Message

David Howells Feb. 3, 2025, 2:23 p.m. UTC
Add the security index and abort codes for the YFS variant of rxgk.

Signed-off-by: David Howells <dhowells@redhat.com>
---
 fs/afs/misc.c              | 13 +++++++++++++
 include/uapi/linux/rxrpc.h | 17 +++++++++++++++++
 2 files changed, 30 insertions(+)

Comments

Jeffrey Altman Feb. 6, 2025, 9:54 a.m. UTC | #1
> On Feb 3, 2025, at 9:23 AM, David Howells <dhowells@redhat.com> wrote:
> 
> Add the security index and abort codes for the YFS variant of rxgk.
> 
> Signed-off-by: David Howells <dhowells@redhat.com>
> ---
> fs/afs/misc.c              | 13 +++++++++++++
> include/uapi/linux/rxrpc.h | 17 +++++++++++++++++
> 2 files changed, 30 insertions(+)
> 
> diff --git a/fs/afs/misc.c b/fs/afs/misc.c
> index b8180bf2281f..57f779804d50 100644
...
> diff --git a/include/uapi/linux/rxrpc.h b/include/uapi/linux/rxrpc.h
> index eac460d37598..cdf97c3f8637 100644
> --- a/include/uapi/linux/rxrpc.h
> +++ b/include/uapi/linux/rxrpc.h
> @@ -80,6 +80,7 @@ enum rxrpc_cmsg_type {
> #define RXRPC_SECURITY_RXKAD 2 /* kaserver or kerberos 4 */
> #define RXRPC_SECURITY_RXGK 4 /* gssapi-based */
> #define RXRPC_SECURITY_RXK5 5 /* kerberos 5 */
> +#define RXRPC_SECURITY_YFS_RXGK 6 /* YFS gssapi-based */
> 
> /*
>  * RxRPC-level abort codes
> @@ -125,6 +126,22 @@ enum rxrpc_cmsg_type {
> #define RXKADDATALEN 19270411 /* user data too long */
> #define RXKADILLEGALLEVEL 19270412 /* caller not authorised to use encrypted conns */
> 
> +/*
> + * RxGK GSSAPI security abort codes.
> + */
> +#define RXGK_INCONSISTENCY 1233242880 /* Security module structure inconsistent */
> +#define RXGK_PACKETSHORT 1233242881 /* Packet too short for security challenge */
> +#define RXGK_BADCHALLENGE 1233242882 /* Invalid security challenge */
> +#define RXGK_BADETYPE 1233242883 /* Invalid or impermissible encryption type */
> +#define RXGK_BADLEVEL 1233242884 /* Invalid or impermissible security level */
> +#define RXGK_BADKEYNO 1233242885 /* Key version number not found */
> +#define RXGK_EXPIRED 1233242886 /* Token has expired */
> +#define RXGK_NOTAUTH 1233242887 /* Caller not authorized */
> +#define RXGK_BAD_TOKEN 1233242888 /* Security object was passed a bad token */
> +#define RXGK_SEALED_INCON 1233242889 /* Sealed data inconsistent */
> +#define RXGK_DATA_LEN 1233242890 /* User data too long */
> +#define RXGK_BAD_QOP 1233242891 /* Inadequate quality of protection available */
> +
> /*
>  * Challenge information in the RXRPC_CHALLENGED control message.
>  */

David,

Unfortunately these are not the RXGK error code assignments used by YFS_RXGK.   
The correct assignments are documented at

  https://registrar.central.org/et/RXGK_auristorfs.html

RXGKINCONSISTENCY (1233242880L) Security module structure inconsistent
RXGKPACKETSHORT (1233242881L) Packet too short for security challenge
RXGKBADCHALLENGE (1233242882L) Security challenge/response failed
RXGKSEALEDINCON (1233242883L) Sealed data is inconsistent
RXGKNOTAUTH (1233242884L) Caller not authorised
RXGKEXPIRED (1233242885L) Authentication expired
RXGKBADLEVEL (1233242886L) Unsupported or not permitted security level
RXGKBADKEYNO (1233242887L) Bad transport key number
RXGKNOTRXGK (1233242888L) Security layer is not rxgk
RXGKUNSUPPORTED (1233242889L) Endpoint does not support rxgk
RXGKGSSERROR (1233242890L) GSSAPI mechanism error

The YFS_RXGK variant of the RXGK error table conflicts with the error table
documented in the Internet-Draft "rxgk: GSSAPI based security class for RX".

  https://datatracker.ietf.org/doc/draft-wilkinson-afs3-rxgk/

The RXGK error table used in conjunction with the yfs-rxgk security class 
predates the error table in the Internet-Draft by more than two years.

A request that OpenAFS renumber was submitted in June 2023 but has yet to be acted upon.

  https://gerrit.openafs.org/#/c/15467/

Sorry for the inconvenience.

Jeffrey Altman

Patch

diff --git a/fs/afs/misc.c b/fs/afs/misc.c
index b8180bf2281f..57f779804d50 100644
--- a/fs/afs/misc.c
+++ b/fs/afs/misc.c
@@ -103,6 +103,19 @@  int afs_abort_to_error(u32 abort_code)
 	case RXKADDATALEN:	return -EKEYREJECTED;
 	case RXKADILLEGALLEVEL:	return -EKEYREJECTED;
 
+	case RXGK_INCONSISTENCY:	return -EPROTO;
+	case RXGK_PACKETSHORT:		return -EPROTO;
+	case RXGK_BADCHALLENGE:		return -EPROTO;
+	case RXGK_BADETYPE:		return -ENOPKG;
+	case RXGK_BADLEVEL:		return -EKEYREJECTED;
+	case RXGK_BADKEYNO:		return -EKEYREJECTED;
+	case RXGK_EXPIRED:		return -EKEYEXPIRED;
+	case RXGK_NOTAUTH:		return -EKEYREJECTED;
+	case RXGK_BAD_TOKEN:		return -EKEYREJECTED;
+	case RXGK_SEALED_INCON:		return -EKEYREJECTED;
+	case RXGK_DATA_LEN:		return -EPROTO;
+	case RXGK_BAD_QOP:		return -EKEYREJECTED;
+
 	case RXGEN_OPCODE:	return -ENOTSUPP;
 
 	default:		return -EREMOTEIO;
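Review bot: `RXGK_DATA_LEN` is mapped to `-EPROTO`, while `RXKADDATALEN`, which the header comments describe with the same meaning (user data too long), is mapped to `-EKEYREJECTED` in the context lines just above the added cases. A caller that tells a key problem apart from a protocol fault by errno would see the same condition reported differently depending on the security class in use. Either align the two, e.g. `case RXGK_DATA_LEN:		return -EKEYREJECTED;`, or add a one-line comment above the new cases saying why the rxgk mapping differs from the rxkad one. afs_abort_to_error() starts and ends outside this hunk, so the rest of the rxkad mapping is not visible here.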
diff --git a/include/uapi/linux/rxrpc.h b/include/uapi/linux/rxrpc.h
index eac460d37598..cdf97c3f8637 100644
--- a/include/uapi/linux/rxrpc.h
+++ b/include/uapi/linux/rxrpc.h
@@ -80,6 +80,7 @@  enum rxrpc_cmsg_type {
 #define RXRPC_SECURITY_RXKAD	2	/* kaserver or kerberos 4 */
 #define RXRPC_SECURITY_RXGK	4	/* gssapi-based */
 #define RXRPC_SECURITY_RXK5	5	/* kerberos 5 */
+#define RXRPC_SECURITY_YFS_RXGK	6	/* YFS gssapi-based */
 
 /*
  * RxRPC-level abort codes
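Review bot: The comment on `RXRPC_SECURITY_YFS_RXGK` does not tell a userspace reader how index 6 differs from `RXRPC_SECURITY_RXGK` (4), which is also described as gssapi-based. This is a UAPI header, so the name and value are hard to change once released. A short statement that the two indices select different security classes would help, something like `/* YFS variant of rxgk; distinct from index 4 */`, with the exact wording to be confirmed against details this patch does not show. The abort-code block added in the next hunk of this file has the same gap: its header comment `RxGK GSSAPI security abort codes.` does not name the security index the codes belong to.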
@@ -125,6 +126,22 @@  enum rxrpc_cmsg_type {
 #define RXKADDATALEN		19270411	/* user data too long */
 #define RXKADILLEGALLEVEL	19270412	/* caller not authorised to use encrypted conns */
 
+/*
+ * RxGK GSSAPI security abort codes.
+ */
+#define RXGK_INCONSISTENCY	1233242880	/* Security module structure inconsistent */
+#define RXGK_PACKETSHORT	1233242881	/* Packet too short for security challenge */
+#define RXGK_BADCHALLENGE	1233242882	/* Invalid security challenge */
+#define RXGK_BADETYPE		1233242883	/* Invalid or impermissible encryption type */
+#define RXGK_BADLEVEL		1233242884	/* Invalid or impermissible security level */
+#define RXGK_BADKEYNO		1233242885	/* Key version number not found */
+#define RXGK_EXPIRED		1233242886	/* Token has expired */
+#define RXGK_NOTAUTH		1233242887	/* Caller not authorized */
+#define RXGK_BAD_TOKEN		1233242888	/* Security object was passed a bad token */
+#define RXGK_SEALED_INCON	1233242889	/* Sealed data inconsistent */
+#define RXGK_DATA_LEN		1233242890	/* User data too long */
+#define RXGK_BAD_QOP		1233242891	/* Inadequate quality of protection available */
+
 /*
  * Challenge information in the RXRPC_CHALLENGED control message.
  */