Message-Id: <5EF4D194-76D8-4DDD-B977-2D0E4AA5D549@auristor.com>
Date: Thu, 6 Feb 2025 04:54:43 -0500
From: Jeffrey Altman <jaltman@...istor.com>
To: David Howells <dhowells@...hat.com>
Cc: netdev@...r.kernel.org,
 Herbert Xu <herbert@...dor.apana.org.au>,
 Marc Dionne <marc.dionne@...istor.com>,
 Jakub Kicinski <kuba@...nel.org>,
 "David S. Miller" <davem@...emloft.net>,
 Eric Dumazet <edumazet@...gle.com>,
 Paolo Abeni <pabeni@...hat.com>,
 Simon Horman <horms@...nel.org>,
 Trond Myklebust <trond.myklebust@...merspace.com>,
 Chuck Lever <chuck.lever@...cle.com>,
 Eric Biggers <ebiggers@...nel.org>,
 Ard Biesheuvel <ardb@...nel.org>,
 linux-crypto@...r.kernel.org,
 linux-afs@...ts.infradead.org,
 linux-nfs@...r.kernel.org,
 linux-fsdevel@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH net 20/24] rxrpc: Add the security index for yfs-rxgk



> On Feb 3, 2025, at 9:23 AM, David Howells <dhowells@...hat.com> wrote:
> 
> Add the security index and abort codes for the YFS variant of rxgk.
> 
> Signed-off-by: David Howells <dhowells@...hat.com>
> ---
> fs/afs/misc.c              | 13 +++++++++++++
> include/uapi/linux/rxrpc.h | 17 +++++++++++++++++
> 2 files changed, 30 insertions(+)
> 
> diff --git a/fs/afs/misc.c b/fs/afs/misc.c
> index b8180bf2281f..57f779804d50 100644
...
> diff --git a/include/uapi/linux/rxrpc.h b/include/uapi/linux/rxrpc.h
> index eac460d37598..cdf97c3f8637 100644
> --- a/include/uapi/linux/rxrpc.h
> +++ b/include/uapi/linux/rxrpc.h
> @@ -80,6 +80,7 @@ enum rxrpc_cmsg_type {
> #define RXRPC_SECURITY_RXKAD 2 /* kaserver or kerberos 4 */
> #define RXRPC_SECURITY_RXGK 4 /* gssapi-based */
> #define RXRPC_SECURITY_RXK5 5 /* kerberos 5 */
> +#define RXRPC_SECURITY_YFS_RXGK 6 /* YFS gssapi-based */
> 
> /*
>  * RxRPC-level abort codes
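Review bot: The comment on the new RXRPC_SECURITY_YFS_RXGK define ("YFS gssapi-based") does not say how index 6 differs from RXRPC_SECURITY_RXGK at index 4, whose comment is the near-identical "gssapi-based". This is a uapi header, so the number becomes ABI once merged; the comment should state what distinguishes the two security classes or point to the document that assigns index 6.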
> @@ -125,6 +126,22 @@ enum rxrpc_cmsg_type {
> #define RXKADDATALEN 19270411 /* user data too long */
> #define RXKADILLEGALLEVEL 19270412 /* caller not authorised to use encrypted conns */
> 
> +/*
> + * RxGK GSSAPI security abort codes.
> + */
> +#define RXGK_INCONSISTENCY 1233242880 /* Security module structure inconsistent */
> +#define RXGK_PACKETSHORT 1233242881 /* Packet too short for security challenge */
> +#define RXGK_BADCHALLENGE 1233242882 /* Invalid security challenge */
> +#define RXGK_BADETYPE 1233242883 /* Invalid or impermissible encryption type */
> +#define RXGK_BADLEVEL 1233242884 /* Invalid or impermissible security level */
> +#define RXGK_BADKEYNO 1233242885 /* Key version number not found */
> +#define RXGK_EXPIRED 1233242886 /* Token has expired */
> +#define RXGK_NOTAUTH 1233242887 /* Caller not authorized */
> +#define RXGK_BAD_TOKEN 1233242888 /* Security object was passed a bad token */
> +#define RXGK_SEALED_INCON 1233242889 /* Sealed data inconsistent */
> +#define RXGK_DATA_LEN 1233242890 /* User data too long */
> +#define RXGK_BAD_QOP 1233242891 /* Inadequate quality of protection available */
> +
> /*
>  * Challenge information in the RXRPC_CHALLENGED control message.
>  */
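Review bot: The block comment above the new RXGK_* abort codes says only "RxGK GSSAPI security abort codes" and does not name the error table the twelve values were taken from, although the commit message says they are for the YFS variant of rxgk. In a uapi header these numbers are ABI, so the comment should cite the source table and each value should be checked against it before merging. A smaller style point: RXGK_BAD_TOKEN, RXGK_SEALED_INCON, RXGK_DATA_LEN and RXGK_BAD_QOP separate words with an underscore while RXGK_BADCHALLENGE, RXGK_BADETYPE, RXGK_BADLEVEL and RXGK_BADKEYNO do not; pick one form.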

David,

Unfortunately these are not the RXGK error code assignments used by YFS_RXGK.   
The correct assignments are documented at

  https://registrar.central.org/et/RXGK_auristorfs.html

RXGKINCONSISTENCY (1233242880L) Security module structure inconsistent
RXGKPACKETSHORT (1233242881L) Packet too short for security challenge
RXGKBADCHALLENGE (1233242882L) Security challenge/response failed
RXGKSEALEDINCON (1233242883L) Sealed data is inconsistent
RXGKNOTAUTH (1233242884L) Caller not authorised
RXGKEXPIRED (1233242885L) Authentication expired
RXGKBADLEVEL (1233242886L) Unsupported or not permitted security level
RXGKBADKEYNO (1233242887L) Bad transport key number
RXGKNOTRXGK (1233242888L) Security layer is not rxgk
RXGKUNSUPPORTED (1233242889L) Endpoint does not support rxgk
RXGKGSSERROR (1233242890L) GSSAPI mechanism error

The YFS_RXGK variant of the RXGK error table conflicts with the error table 
documented in rxgk: GSSAPI based security class for RX. 

  https://datatracker.ietf.org/doc/draft-wilkinson-afs3-rxgk/

The RXGK error table used in conjunction with the yfs-rxgk security class 
predates the error table in the Internet-Draft by more than two years.

A request that OpenAFS renumber was submitted in June 2023 but has yet to be acted upon.

  https://gerrit.openafs.org/#/c/15467/

Sorry for the inconvenience.

Jeffrey Altman
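
An added illustration, not part of the original thread or of any project's code: the C program below lines up the abort-code names in the quoted patch against the names in the table listed in the reply and reports, per numeric code, whether the two agree. The function names and status values are assumptions made for this example; the names and numbers are copied from the message above.

```c
#include <stdio.h>
#define RXGK_BASE 1233242880u /* first code in both tables on this page */
/* Names from the quoted patch, indexed by (code - RXGK_BASE). */
static const char *const patch_tbl[] = {
    "RXGK_INCONSISTENCY", "RXGK_PACKETSHORT", "RXGK_BADCHALLENGE", "RXGK_BADETYPE",
    "RXGK_BADLEVEL", "RXGK_BADKEYNO", "RXGK_EXPIRED", "RXGK_NOTAUTH",
    "RXGK_BAD_TOKEN", "RXGK_SEALED_INCON", "RXGK_DATA_LEN", "RXGK_BAD_QOP",
};
/* Names from the table listed in the reply, same indexing. */
static const char *const yfs_tbl[] = {
    "RXGKINCONSISTENCY", "RXGKPACKETSHORT", "RXGKBADCHALLENGE", "RXGKSEALEDINCON",
    "RXGKNOTAUTH", "RXGKEXPIRED", "RXGKBADLEVEL", "RXGKBADKEYNO",
    "RXGKNOTRXGK", "RXGKUNSUPPORTED", "RXGKGSSERROR",
};
#define N_PATCH (sizeof(patch_tbl) / sizeof(patch_tbl[0]))
#define N_YFS   (sizeof(yfs_tbl) / sizeof(yfs_tbl[0]))

/* Compare names ignoring '_' so RXGK_EXPIRED matches RXGKEXPIRED. */
static int same_name(const char *a, const char *b)
{
    for (;; a++, b++) {
        while (*a == '_') a++;
        while (*b == '_') b++;
        if (*a != *b) return 0;
        if (*a == '\0') return 1;
    }
}
/* 0 = tables agree, 1 = names conflict, 2 = in one table only, -1 = in neither. */
int rxgk_code_status(unsigned int code)
{
    unsigned int i = code - RXGK_BASE; /* wraps to a huge index if code < base */
    if (i >= N_PATCH && i >= N_YFS) return -1;
    if (i >= N_PATCH || i >= N_YFS) return 2;
    return same_name(patch_tbl[i], yfs_tbl[i]) ? 0 : 1;
}
/* Count codes present in both tables whose names differ. */
int rxgk_count_conflicts(void)
{
    int n = 0;
    for (unsigned int i = 0; i < N_PATCH; i++)
        n += rxgk_code_status(RXGK_BASE + i) == 1;
    return n;
}

int main(void)
{
    printf("conflicting codes: %d\n", rxgk_count_conflicts());
    return 0;
}
```

Only the first three codes carry the same name in both tables, so an abort code from 1233242883 upward read against the wrong table reports a different failure than the peer signalled.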





