| Author | Tokens | Token Proportion | Commits | Commit Proportion |
|---|---|---|---|---|
| David Howells | 1483 | 99.73% | 11 | 78.57% |
| Linus Torvalds (pre-git) | 2 | 0.13% | 1 | 7.14% |
| Linus Torvalds | 1 | 0.07% | 1 | 7.14% |
| Thomas Gleixner | 1 | 0.07% | 1 | 7.14% |
| Total | 1487 | 14 |
// SPDX-License-Identifier: GPL-2.0-or-later /* Cache manager security. * * Copyright (C) 2025 Red Hat, Inc. All Rights Reserved. * Written by David Howells (dhowells@redhat.com) */ #include <linux/slab.h> #include <crypto/krb5.h> #include "internal.h" #include "afs_cm.h" #include "afs_fs.h" #include "protocol_yfs.h" #define RXRPC_TRACE_ONLY_DEFINE_ENUMS #include <trace/events/rxrpc.h> #define RXGK_SERVER_ENC_TOKEN 1036U // 0x40c #define xdr_round_up(x) (round_up((x), sizeof(__be32))) #define xdr_len_object(x) (4 + round_up((x), sizeof(__be32))) #ifdef CONFIG_RXGK static int afs_create_yfs_cm_token(struct sk_buff *challenge, struct afs_server *server); #endif /* * Respond to an RxGK challenge, adding appdata. */ static int afs_respond_to_challenge(struct sk_buff *challenge) { #ifdef CONFIG_RXGK struct krb5_buffer appdata = {}; struct afs_server *server; #endif struct rxrpc_peer *peer; unsigned long peer_data; u16 service_id; u8 security_index; rxrpc_kernel_query_challenge(challenge, &peer, &peer_data, &service_id, &security_index); _enter("%u,%u", service_id, security_index); switch (service_id) { /* We don't send CM_SERVICE RPCs, so don't expect a challenge * therefrom. */ case FS_SERVICE: case VL_SERVICE: case YFS_FS_SERVICE: case YFS_VL_SERVICE: break; default: pr_warn("Can't respond to unknown challenge %u:%u", service_id, security_index); return rxrpc_kernel_reject_challenge(challenge, RX_USER_ABORT, -EPROTO, afs_abort_unsupported_sec_class); } switch (security_index) { #ifdef CONFIG_RXKAD case RXRPC_SECURITY_RXKAD: return rxkad_kernel_respond_to_challenge(challenge); #endif #ifdef CONFIG_RXGK case RXRPC_SECURITY_RXGK: return rxgk_kernel_respond_to_challenge(challenge, &appdata); case RXRPC_SECURITY_YFS_RXGK: switch (service_id) { case FS_SERVICE: case YFS_FS_SERVICE: server = (struct afs_server *)peer_data; if (!server->cm_rxgk_appdata.data) { mutex_lock(&server->cm_token_lock); if (!server->cm_rxgk_appdata.data) afs_create_yfs_cm_token(challenge, server); mutex_unlock(&server->cm_token_lock); } if (server->cm_rxgk_appdata.data) appdata = server->cm_rxgk_appdata; break; } return rxgk_kernel_respond_to_challenge(challenge, &appdata); #endif default: return rxrpc_kernel_reject_challenge(challenge, RX_USER_ABORT, -EPROTO, afs_abort_unsupported_sec_class); } } /* * Process the OOB message queue, processing challenge packets. */ void afs_process_oob_queue(struct work_struct *work) { struct afs_net *net = container_of(work, struct afs_net, rx_oob_work); struct sk_buff *oob; enum rxrpc_oob_type type; while ((oob = rxrpc_kernel_dequeue_oob(net->socket, &type))) { switch (type) { case RXRPC_OOB_CHALLENGE: afs_respond_to_challenge(oob); break; } rxrpc_kernel_free_oob(oob); } } #ifdef CONFIG_RXGK /* * Create a securities keyring for the cache manager and attach a key to it for * the RxGK tokens we want to use to secure the callback connection back from * the fileserver. */ int afs_create_token_key(struct afs_net *net, struct socket *socket) { const struct krb5_enctype *krb5; struct key *ring; key_ref_t key; char K0[32], *desc; int ret; ring = keyring_alloc("kafs", GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(), KEY_POS_SEARCH | KEY_POS_WRITE | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH, KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); if (IS_ERR(ring)) return PTR_ERR(ring); ret = rxrpc_sock_set_security_keyring(socket->sk, ring); if (ret < 0) goto out; ret = -ENOPKG; krb5 = crypto_krb5_find_enctype(KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96); if (!krb5) goto out; if (WARN_ON_ONCE(krb5->key_len > sizeof(K0))) goto out; ret = -ENOMEM; desc = kasprintf(GFP_KERNEL, "%u:%u:%u:%u", YFS_CM_SERVICE, RXRPC_SECURITY_YFS_RXGK, 1, krb5->etype); if (!desc) goto out; wait_for_random_bytes(); get_random_bytes(K0, krb5->key_len); key = key_create(make_key_ref(ring, true), "rxrpc_s", desc, K0, krb5->key_len, KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | KEY_USR_VIEW, KEY_ALLOC_NOT_IN_QUOTA); kfree(desc); if (IS_ERR(key)) { ret = PTR_ERR(key); goto out; } net->fs_cm_token_key = key_ref_to_ptr(key); ret = 0; out: key_put(ring); return ret; } /* * Create an YFS RxGK GSS token to use as a ticket to the specified fileserver. */ static int afs_create_yfs_cm_token(struct sk_buff *challenge, struct afs_server *server) { const struct krb5_enctype *conn_krb5, *token_krb5; const struct krb5_buffer *token_key; struct crypto_aead *aead; struct scatterlist sg; struct afs_net *net = server->cell->net; const struct key *key = net->fs_cm_token_key; size_t keysize, uuidsize, authsize, toksize, encsize, contsize, adatasize, offset; __be32 caps[1] = { [0] = htonl(AFS_CAP_ERROR_TRANSLATION), }; __be32 *xdr; void *appdata, *K0, *encbase; u32 enctype; int ret; if (!key) return -ENOKEY; /* Assume that the fileserver is happy to use the same encoding type as * we were told to use by the token obtained by the user. */ enctype = rxgk_kernel_query_challenge(challenge); conn_krb5 = crypto_krb5_find_enctype(enctype); if (!conn_krb5) return -ENOPKG; token_krb5 = key->payload.data[0]; token_key = (const struct krb5_buffer *)&key->payload.data[2]; /* struct rxgk_key { * afs_uint32 enctype; * opaque key<>; * }; */ keysize = 4 + xdr_len_object(conn_krb5->key_len); /* struct RXGK_AuthName { * afs_int32 kind; * opaque data<AUTHDATAMAX>; * opaque display<AUTHPRINTABLEMAX>; * }; */ uuidsize = sizeof(server->uuid); authsize = 4 + xdr_len_object(uuidsize) + xdr_len_object(0); /* struct RXGK_Token { * rxgk_key K0; * RXGK_Level level; * rxgkTime starttime; * afs_int32 lifetime; * afs_int32 bytelife; * rxgkTime expirationtime; * struct RXGK_AuthName identities<>; * }; */ toksize = keysize + 8 + 4 + 4 + 8 + xdr_len_object(authsize); offset = 0; encsize = crypto_krb5_how_much_buffer(token_krb5, KRB5_ENCRYPT_MODE, toksize, &offset); /* struct RXGK_TokenContainer { * afs_int32 kvno; * afs_int32 enctype; * opaque encrypted_token<>; * }; */ contsize = 4 + 4 + xdr_len_object(encsize); /* struct YFSAppData { * opr_uuid initiatorUuid; * opr_uuid acceptorUuid; * Capabilities caps; * afs_int32 enctype; * opaque callbackKey<>; * opaque callbackToken<>; * }; */ adatasize = 16 + 16 + xdr_len_object(sizeof(caps)) + 4 + xdr_len_object(conn_krb5->key_len) + xdr_len_object(contsize); ret = -ENOMEM; appdata = kzalloc(adatasize, GFP_KERNEL); if (!appdata) goto out; xdr = appdata; memcpy(xdr, &net->uuid, 16); /* appdata.initiatorUuid */ xdr += 16 / 4; memcpy(xdr, &server->uuid, 16); /* appdata.acceptorUuid */ xdr += 16 / 4; *xdr++ = htonl(ARRAY_SIZE(caps)); /* appdata.caps.len */ memcpy(xdr, &caps, sizeof(caps)); /* appdata.caps */ xdr += ARRAY_SIZE(caps); *xdr++ = htonl(conn_krb5->etype); /* appdata.enctype */ *xdr++ = htonl(conn_krb5->key_len); /* appdata.callbackKey.len */ K0 = xdr; get_random_bytes(K0, conn_krb5->key_len); /* appdata.callbackKey.data */ xdr += xdr_round_up(conn_krb5->key_len) / 4; *xdr++ = htonl(contsize); /* appdata.callbackToken.len */ *xdr++ = htonl(1); /* cont.kvno */ *xdr++ = htonl(token_krb5->etype); /* cont.enctype */ *xdr++ = htonl(encsize); /* cont.encrypted_token.len */ encbase = xdr; xdr += offset / 4; *xdr++ = htonl(conn_krb5->etype); /* token.K0.enctype */ *xdr++ = htonl(conn_krb5->key_len); /* token.K0.key.len */ memcpy(xdr, K0, conn_krb5->key_len); /* token.K0.key.data */ xdr += xdr_round_up(conn_krb5->key_len) / 4; *xdr++ = htonl(RXRPC_SECURITY_ENCRYPT); /* token.level */ *xdr++ = htonl(0); /* token.starttime */ *xdr++ = htonl(0); /* " */ *xdr++ = htonl(0); /* token.lifetime */ *xdr++ = htonl(0); /* token.bytelife */ *xdr++ = htonl(0); /* token.expirationtime */ *xdr++ = htonl(0); /* " */ *xdr++ = htonl(1); /* token.identities.count */ *xdr++ = htonl(0); /* token.identities[0].kind */ *xdr++ = htonl(uuidsize); /* token.identities[0].data.len */ memcpy(xdr, &server->uuid, uuidsize); xdr += xdr_round_up(uuidsize) / 4; *xdr++ = htonl(0); /* token.identities[0].display.len */ xdr = encbase + xdr_round_up(encsize); if ((unsigned long)xdr - (unsigned long)appdata != adatasize) pr_err("Appdata size incorrect %lx != %zx\n", (unsigned long)xdr - (unsigned long)appdata, adatasize); aead = crypto_krb5_prepare_encryption(token_krb5, token_key, RXGK_SERVER_ENC_TOKEN, GFP_KERNEL); if (IS_ERR(aead)) { ret = PTR_ERR(aead); goto out_token; } sg_init_one(&sg, encbase, encsize); ret = crypto_krb5_encrypt(token_krb5, aead, &sg, 1, encsize, offset, toksize, false); if (ret < 0) goto out_aead; server->cm_rxgk_appdata.len = adatasize; server->cm_rxgk_appdata.data = appdata; appdata = NULL; out_aead: crypto_free_aead(aead); out_token: kfree(appdata); out: return ret; } #endif /* CONFIG_RXGK */
Information contained on this website is for historical information purposes only and does not indicate or represent copyright ownership.
Created with Cregit http://github.com/cregit/cregit
Version 2.0-RC1