1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Application-specific bits for GSSAPI-based RxRPC security
13 #include <linux/key-type.h>
14 #include "ar-internal.h"
18  * Decode a default-style YFS ticket in a response and turn it into an
19  * rxrpc-type key.
47 	const struct cred *cred = current_cred(); // TODO - use socket creds  in rxgk_yfs_decode_ticket()
58 		return rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO,  in rxgk_yfs_decode_ticket()
64 		return rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO,  in rxgk_yfs_decode_ticket()
69 	if (klen > ticket_len - 10 * sizeof(__be32))  in rxgk_yfs_decode_ticket()
70 		return rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO,  in rxgk_yfs_decode_ticket()
80 		return -ENOMEM;  in rxgk_yfs_decode_ticket()
89 		ret = rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO,  in rxgk_yfs_decode_ticket()
109 	q[1]  = t[1];		/* begintime - msw */  in rxgk_yfs_decode_ticket()
110 	q[2]  = t[2];		/* - lsw */  in rxgk_yfs_decode_ticket()
111 	q[3]  = t[5];		/* endtime - msw */  in rxgk_yfs_decode_ticket()
112 	q[4]  = t[6];		/* - lsw */  in rxgk_yfs_decode_ticket()
113 	q[5]  = 0;		/* level - msw */  in rxgk_yfs_decode_ticket()
114 	q[6]  = t[0];		/* - lsw */  in rxgk_yfs_decode_ticket()
115 	q[7]  = 0;		/* lifetime - msw */  in rxgk_yfs_decode_ticket()
116 	q[8]  = t[3];		/* - lsw */  in rxgk_yfs_decode_ticket()
117 	q[9]  = 0;		/* bytelife - msw */  in rxgk_yfs_decode_ticket()
118 	q[10] = t[4];		/* - lsw */  in rxgk_yfs_decode_ticket()
119 	q[11] = 0;		/* enctype - msw */  in rxgk_yfs_decode_ticket()
120 	q[12] = htonl(enctype);	/* - lsw */  in rxgk_yfs_decode_ticket()
130 		ret = -EIO;  in rxgk_yfs_decode_ticket()
136 	if (WARN_ON((unsigned long)q - (unsigned long)payload != payload_len)) {  in rxgk_yfs_decode_ticket()
137 		ret = -EIO;  in rxgk_yfs_decode_ticket()
147 		_leave(" = -ENOMEM [alloc %ld]", PTR_ERR(key));  in rxgk_yfs_decode_ticket()
158 	token = key->payload.data[0];  in rxgk_yfs_decode_ticket()
159 	token->no_leak_key = true;  in rxgk_yfs_decode_ticket()
182  * [tools.ietf.org/html/draft-wilkinson-afs3-rxgk-afs-08 sec 6.1]
217 	if (xdr_round_up(ticket_len) > token_len - sizeof(container))  in rxgk_extract_token()
228 	down_read(&server_key->sem);  in rxgk_extract_token()
229 	server_secret = (const void *)&server_key->payload.data[2];  in rxgk_extract_token()
231 	up_read(&server_key->sem);  in rxgk_extract_token()
245 		if (ret != -ENOMEM)  in rxgk_extract_token()
250 	ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,  in rxgk_extract_token()
261 	case -ENOMEM:  in rxgk_extract_token()
263 	case -ENOKEY:  in rxgk_extract_token()
264 	case -EKEYREJECTED:  in rxgk_extract_token()
265 	case -EKEYEXPIRED:  in rxgk_extract_token()
266 	case -EKEYREVOKED:  in rxgk_extract_token()
267 	case -EPERM:  in rxgk_extract_token()
268 		return rxrpc_abort_conn(conn, skb, RXGK_BADKEYNO, -EKEYREJECTED,  in rxgk_extract_token()
271 		return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EKEYREJECTED,  in rxgk_extract_token()
277 	case -ENOMEM:  in rxgk_extract_token()
279 	case -EINVAL:  in rxgk_extract_token()
280 		return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EKEYREJECTED,  in rxgk_extract_token()
282 	case -ENOPKG:  in rxgk_extract_token()
284 					-EKEYREJECTED, rxgk_abort_resp_tok_nopkg);  in rxgk_extract_token()
295 	return rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO,  in rxgk_extract_token()