linux/include/keys/rxrpc-type.h

/* SPDX-License-Identifier: GPL-2.0-or-later */
/* RxRPC key type
 *
 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 */

#ifndef _KEYS_RXRPC_TYPE_H
#define _KEYS_RXRPC_TYPE_H

#include <linux/key.h>

/*
 * key type for AF_RXRPC keys
 */
extern struct key_type key_type_rxrpc;

extern struct key *rxrpc_get_null_key(const char *);

/*
 * RxRPC key for Kerberos IV (type-2 security)
 */
struct rxkad_key {
	u32	vice_id;
	u32	start;			/* time at which ticket starts */
	u32	expiry;			/* time at which ticket expires */
	u32	kvno;			/* key version number */
	u8	primary_flag;		/* T if key for primary cell for this user */
	u16	ticket_len;		/* length of ticket[] */
	u8	session_key[8];		/* DES session key */
	u8	ticket[0];		/* the encrypted ticket */
};

/*
 * Kerberos 5 principal
 *	name/name/name@realm
 */
struct krb5_principal {
	u8	n_name_parts;		/* N of parts of the name part of the principal */
	char	**name_parts;		/* parts of the name part of the principal */
	char	*realm;			/* parts of the realm part of the principal */
};

/*
 * Kerberos 5 tagged data
 */
struct krb5_tagged_data {
	/* for tag value, see /usr/include/krb5/krb5.h
	 * - KRB5_AUTHDATA_* for auth data
	 * -
	 */
	s32		tag;
	u32		data_len;
	u8		*data;
};

/*
 * RxRPC key for Kerberos V (type-5 security)
 */
struct rxk5_key {
	u64			authtime;	/* time at which auth token generated */
	u64			starttime;	/* time at which auth token starts */
	u64			endtime;	/* time at which auth token expired */
	u64			renew_till;	/* time to which auth token can be renewed */
	s32			is_skey;	/* T if ticket is encrypted in another ticket's
						 * skey */
	s32			flags;		/* mask of TKT_FLG_* bits (krb5/krb5.h) */
	struct krb5_principal	client;		/* client principal name */
	struct krb5_principal	server;		/* server principal name */
	u16			ticket_len;	/* length of ticket */
	u16			ticket2_len;	/* length of second ticket */
	u8			n_authdata;	/* number of authorisation data elements */
	u8			n_addresses;	/* number of addresses */
	struct krb5_tagged_data	session;	/* session data; tag is enctype */
	struct krb5_tagged_data *addresses;	/* addresses */
	u8			*ticket;	/* krb5 ticket */
	u8			*ticket2;	/* second krb5 ticket, if related to ticket (via
						 * DUPLICATE-SKEY or ENC-TKT-IN-SKEY) */
	struct krb5_tagged_data *authdata;	/* authorisation data */
};

/*
 * list of tokens attached to an rxrpc key
 */
struct rxrpc_key_token {
	u16	security_index;		/* RxRPC header security index */
	struct rxrpc_key_token *next;	/* the next token in the list */
	union {
		struct rxkad_key *kad;
		struct rxk5_key *k5;
	};
};

/*
 * structure of raw payloads passed to add_key() or instantiate key
 */
struct rxrpc_key_data_v1 {
	u16		security_index;
	u16		ticket_length;
	u32		expiry;			/* time_t */
	u32		kvno;
	u8		session_key[8];
	u8		ticket[0];
};

/*
 * AF_RXRPC key payload derived from XDR format
 * - based on openafs-1.4.10/src/auth/afs_token.xg
 */
#define AFSTOKEN_LENGTH_MAX		16384	/* max payload size */
#define AFSTOKEN_STRING_MAX		256	/* max small string length */
#define AFSTOKEN_DATA_MAX		64	/* max small data length */
#define AFSTOKEN_CELL_MAX		64	/* max cellname length */
#define AFSTOKEN_MAX			8	/* max tokens per payload */
#define AFSTOKEN_BDATALN_MAX		16384	/* max big data length */
#define AFSTOKEN_RK_TIX_MAX		12000	/* max RxKAD ticket size */
#define AFSTOKEN_GK_KEY_MAX		64	/* max GSSAPI key size */
#define AFSTOKEN_GK_TOKEN_MAX		16384	/* max GSSAPI token size */
#define AFSTOKEN_K5_COMPONENTS_MAX	16	/* max K5 components */
#define AFSTOKEN_K5_NAME_MAX		128	/* max K5 name length */
#define AFSTOKEN_K5_REALM_MAX		64	/* max K5 realm name length */
#define AFSTOKEN_K5_TIX_MAX		16384	/* max K5 ticket size */
#define AFSTOKEN_K5_ADDRESSES_MAX	16	/* max K5 addresses */
#define AFSTOKEN_K5_AUTHDATA_MAX	16	/* max K5 pieces of auth data */

/*
 * Truncate a time64_t to the range from 1970 to 2106 as in the network
 * protocol.
 */
static inline u32 rxrpc_time64_to_u32(time64_t time)
{
	if (time < 0)
		return 0;

	if (time > UINT_MAX)
		return UINT_MAX;

	return (u32)time;
}

/*
 * Extend u32 back to time64_t using the same 1970-2106 range.
 */
static inline time64_t rxrpc_u32_to_time64(u32 time)
{
	return (time64_t)time;
}

#endif /* _KEYS_RXRPC_TYPE_H */
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation either version 2 of the license or at your option any later version extracted by the scancode license scanner the SPDX license identifier GPL-2.0-or-later has been chosen to replace the boilerplate/reference in 3029 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Allison Randal <allison@lohutok.net> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190527070032.746973796@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-05-27 08:55:01 +02:00			`/* SPDX-License-Identifier: GPL-2.0-or-later */`
[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both Provide AF_RXRPC sockets that can be used to talk to AFS servers, or serve answers to AFS clients. KerberosIV security is fully supported. The patches and some example test programs can be found in: http://people.redhat.com/~dhowells/rxrpc/ This will eventually replace the old implementation of kernel-only RxRPC currently resident in net/rxrpc/. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2007-04-26 15:48:28 -07:00			`/* RxRPC key type`
			`*`
			`* Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.`
			`* Written by David Howells (dhowells@redhat.com)`
			`*/`

			`#ifndef _KEYS_RXRPC_TYPE_H`
			`#define _KEYS_RXRPC_TYPE_H`

			`#include <linux/key.h>`

			`/*`
			`* key type for AF_RXRPC keys`
			`*/`
			`extern struct key_type key_type_rxrpc;`

KEYS: Make request_key() and co fundamentally asynchronous Make request_key() and co fundamentally asynchronous to make it easier for NFS to make use of them. There are now accessor functions that do asynchronous constructions, a wait function to wait for construction to complete, and a completion function for the key type to indicate completion of construction. Note that the construction queue is now gone. Instead, keys under construction are linked in to the appropriate keyring in advance, and that anyone encountering one must wait for it to be complete before they can use it. This is done automatically for userspace. The following auxiliary changes are also made: (1) Key type implementation stuff is split from linux/key.h into linux/key-type.h. (2) AF_RXRPC provides a way to allocate null rxrpc-type keys so that AFS does not need to call key_instantiate_and_link() directly. (3) Adjust the debugging macros so that they're -Wformat checked even if they are disabled, and make it so they can be enabled simply by defining __KDEBUG to be consistent with other code of mine. (3) Documentation. [alan@lxorguk.ukuu.org.uk: keys: missing word in documentation] Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Alan Cox <alan@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2007-10-16 23:29:46 -07:00			`extern struct key rxrpc_get_null_key(const char );`

RxRPC: Allow key payloads to be passed in XDR form Allow add_key() and KEYCTL_INSTANTIATE to accept key payloads in XDR form as described by openafs-1.4.10/src/auth/afs_token.xg. This provides a way of passing kaserver, Kerberos 4, Kerberos 5 and GSSAPI keys from userspace, and allows for future expansion. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-14 01:17:35 +00:00			`/*`
			`* RxRPC key for Kerberos IV (type-2 security)`
			`*/`
			`struct rxkad_key {`
			`u32 vice_id;`
			`u32 start; /* time at which ticket starts */`
			`u32 expiry; /* time at which ticket expires */`
			`u32 kvno; /* key version number */`
			`u8 primary_flag; /* T if key for primary cell for this user */`
			`u16 ticket_len; /* length of ticket[] */`
			`u8 session_key[8]; /* DES session key */`
			`u8 ticket[0]; /* the encrypted ticket */`
			`};`

RxRPC: Parse security index 5 keys (Kerberos 5) Parse RxRPC security index 5 type keys (Kerberos 5 tokens). Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-14 01:17:46 +00:00			`/*`
			`* Kerberos 5 principal`
			`* name/name/name@realm`
			`*/`
			`struct krb5_principal {`
			`u8 n_name_parts; /* N of parts of the name part of the principal */`
			`char *name_parts; / parts of the name part of the principal */`
			`char realm; / parts of the realm part of the principal */`
			`};`

			`/*`
			`* Kerberos 5 tagged data`
			`*/`
			`struct krb5_tagged_data {`
			`/* for tag value, see /usr/include/krb5/krb5.h`
			`* - KRB5_AUTHDATA_* for auth data`
KEYS: Strip trailing spaces Strip some trailing spaces. Signed-off-by: David Howells <dhowells@redhat.com> 2016-06-14 10:29:44 +01:00			`* -`
RxRPC: Parse security index 5 keys (Kerberos 5) Parse RxRPC security index 5 type keys (Kerberos 5 tokens). Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-14 01:17:46 +00:00			`*/`
RxRPC: Use uX/sX rather than uintX_t/intX_t types Use uX rather than uintX_t types for consistency. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-16 00:01:13 -07:00			`s32 tag;`
			`u32 data_len;`
RxRPC: Parse security index 5 keys (Kerberos 5) Parse RxRPC security index 5 type keys (Kerberos 5 tokens). Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-14 01:17:46 +00:00			`u8 *data;`
			`};`

			`/*`
			`* RxRPC key for Kerberos V (type-5 security)`
			`*/`
			`struct rxk5_key {`
RxRPC: Use uX/sX rather than uintX_t/intX_t types Use uX rather than uintX_t types for consistency. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-16 00:01:13 -07:00			`u64 authtime; /* time at which auth token generated */`
			`u64 starttime; /* time at which auth token starts */`
			`u64 endtime; /* time at which auth token expired */`
			`u64 renew_till; /* time to which auth token can be renewed */`
			`s32 is_skey; /* T if ticket is encrypted in another ticket's`
RxRPC: Parse security index 5 keys (Kerberos 5) Parse RxRPC security index 5 type keys (Kerberos 5 tokens). Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-14 01:17:46 +00:00			`* skey */`
RxRPC: Use uX/sX rather than uintX_t/intX_t types Use uX rather than uintX_t types for consistency. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-16 00:01:13 -07:00			`s32 flags; /* mask of TKT_FLG_* bits (krb5/krb5.h) */`
RxRPC: Parse security index 5 keys (Kerberos 5) Parse RxRPC security index 5 type keys (Kerberos 5 tokens). Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-14 01:17:46 +00:00			`struct krb5_principal client; /* client principal name */`
			`struct krb5_principal server; /* server principal name */`
RxRPC: Use uX/sX rather than uintX_t/intX_t types Use uX rather than uintX_t types for consistency. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-16 00:01:13 -07:00			`u16 ticket_len; /* length of ticket */`
			`u16 ticket2_len; /* length of second ticket */`
RxRPC: Parse security index 5 keys (Kerberos 5) Parse RxRPC security index 5 type keys (Kerberos 5 tokens). Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-14 01:17:46 +00:00			`u8 n_authdata; /* number of authorisation data elements */`
			`u8 n_addresses; /* number of addresses */`
			`struct krb5_tagged_data session; /* session data; tag is enctype */`
			`struct krb5_tagged_data addresses; / addresses */`
			`u8 ticket; / krb5 ticket */`
			`u8 ticket2; / second krb5 ticket, if related to ticket (via`
			`* DUPLICATE-SKEY or ENC-TKT-IN-SKEY) */`
			`struct krb5_tagged_data authdata; / authorisation data */`
			`};`

RxRPC: Allow key payloads to be passed in XDR form Allow add_key() and KEYCTL_INSTANTIATE to accept key payloads in XDR form as described by openafs-1.4.10/src/auth/afs_token.xg. This provides a way of passing kaserver, Kerberos 4, Kerberos 5 and GSSAPI keys from userspace, and allows for future expansion. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-14 01:17:35 +00:00			`/*`
			`* list of tokens attached to an rxrpc key`
			`*/`
			`struct rxrpc_key_token {`
			`u16 security_index; /* RxRPC header security index */`
			`struct rxrpc_key_token next; / the next token in the list */`
			`union {`
			`struct rxkad_key *kad;`
RxRPC: Parse security index 5 keys (Kerberos 5) Parse RxRPC security index 5 type keys (Kerberos 5 tokens). Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-14 01:17:46 +00:00			`struct rxk5_key *k5;`
RxRPC: Allow key payloads to be passed in XDR form Allow add_key() and KEYCTL_INSTANTIATE to accept key payloads in XDR form as described by openafs-1.4.10/src/auth/afs_token.xg. This provides a way of passing kaserver, Kerberos 4, Kerberos 5 and GSSAPI keys from userspace, and allows for future expansion. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-14 01:17:35 +00:00			`};`
			`};`

			`/*`
			`* structure of raw payloads passed to add_key() or instantiate key`
			`*/`
			`struct rxrpc_key_data_v1 {`
			`u16 security_index;`
			`u16 ticket_length;`
			`u32 expiry; /* time_t */`
			`u32 kvno;`
			`u8 session_key[8];`
			`u8 ticket[0];`
			`};`

			`/*`
			`* AF_RXRPC key payload derived from XDR format`
			`* - based on openafs-1.4.10/src/auth/afs_token.xg`
			`*/`
			`#define AFSTOKEN_LENGTH_MAX 16384 /* max payload size */`
RxRPC: Parse security index 5 keys (Kerberos 5) Parse RxRPC security index 5 type keys (Kerberos 5 tokens). Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-14 01:17:46 +00:00			`#define AFSTOKEN_STRING_MAX 256 /* max small string length */`
			`#define AFSTOKEN_DATA_MAX 64 /* max small data length */`
RxRPC: Allow key payloads to be passed in XDR form Allow add_key() and KEYCTL_INSTANTIATE to accept key payloads in XDR form as described by openafs-1.4.10/src/auth/afs_token.xg. This provides a way of passing kaserver, Kerberos 4, Kerberos 5 and GSSAPI keys from userspace, and allows for future expansion. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-14 01:17:35 +00:00			`#define AFSTOKEN_CELL_MAX 64 /* max cellname length */`
			`#define AFSTOKEN_MAX 8 /* max tokens per payload */`
RxRPC: Parse security index 5 keys (Kerberos 5) Parse RxRPC security index 5 type keys (Kerberos 5 tokens). Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-14 01:17:46 +00:00			`#define AFSTOKEN_BDATALN_MAX 16384 /* max big data length */`
RxRPC: Allow key payloads to be passed in XDR form Allow add_key() and KEYCTL_INSTANTIATE to accept key payloads in XDR form as described by openafs-1.4.10/src/auth/afs_token.xg. This provides a way of passing kaserver, Kerberos 4, Kerberos 5 and GSSAPI keys from userspace, and allows for future expansion. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-09-14 01:17:35 +00:00			`#define AFSTOKEN_RK_TIX_MAX 12000 /* max RxKAD ticket size */`
			`#define AFSTOKEN_GK_KEY_MAX 64 /* max GSSAPI key size */`
			`#define AFSTOKEN_GK_TOKEN_MAX 16384 /* max GSSAPI token size */`
			`#define AFSTOKEN_K5_COMPONENTS_MAX 16 /* max K5 components */`
			`#define AFSTOKEN_K5_NAME_MAX 128 /* max K5 name length */`
			`#define AFSTOKEN_K5_REALM_MAX 64 /* max K5 realm name length */`
			`#define AFSTOKEN_K5_TIX_MAX 16384 /* max K5 ticket size */`
			`#define AFSTOKEN_K5_ADDRESSES_MAX 16 /* max K5 addresses */`
			`#define AFSTOKEN_K5_AUTHDATA_MAX 16 /* max K5 pieces of auth data */`

net: rxrpc: Replace time_t type with time64_t type Since the 'expiry' variable of 'struct key_preparsed_payload' has been changed to 'time64_t' type, which is year 2038 safe on 32bits system. In net/rxrpc subsystem, we need convert 'u32' type to 'time64_t' type when copying ticket expires time to 'prep->expiry', then this patch introduces two helper functions to help convert 'u32' to 'time64_t' type. This patch also uses ktime_get_real_seconds() to get current time instead of get_seconds() which is not year 2038 safe on 32bits system. Signed-off-by: Baolin Wang <baolin.wang@linaro.org> Signed-off-by: David Howells <dhowells@redhat.com> 2017-08-29 10:15:40 +01:00			`/*`
			`* Truncate a time64_t to the range from 1970 to 2106 as in the network`
			`* protocol.`
			`*/`
			`static inline u32 rxrpc_time64_to_u32(time64_t time)`
			`{`
			`if (time < 0)`
			`return 0;`

			`if (time > UINT_MAX)`
			`return UINT_MAX;`

			`return (u32)time;`
			`}`

			`/*`
			`* Extend u32 back to time64_t using the same 1970-2106 range.`
			`*/`
			`static inline time64_t rxrpc_u32_to_time64(u32 time)`
			`{`
			`return (time64_t)time;`
			`}`

KEYS: Fix the comment to match the file name in rxrpc-type.h. Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca> Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com> 2008-04-21 22:43:55 +00:00			`#endif /* _KEYS_RXRPC_TYPE_H */`