Message-ID: <20250407091451.1174056-1-dhowells@redhat.com>
Date: Mon,  7 Apr 2025 10:14:31 +0100
From: David Howells <dhowells@...hat.com>
To: netdev@...r.kernel.org
Cc: David Howells <dhowells@...hat.com>,
	Marc Dionne <marc.dionne@...istor.com>,
	Jakub Kicinski <kuba@...nel.org>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Paolo Abeni <pabeni@...hat.com>,
	Simon Horman <horms@...nel.org>,
	Christian Brauner <brauner@...nel.org>,
	Chuck Lever <chuck.lever@...cle.com>,
	linux-afs@...ts.infradead.org,
	openafs-devel@...nafs.org,
	linux-kernel@...r.kernel.org
Subject: [PATCH net-next 00/12] rxrpc, afs: Add AFS GSSAPI security class to AF_RXRPC and kafs

Here's a set of patches to add basic support for the AFS GSSAPI security
class to AF_RXRPC and kafs.  It provides transport security for keys that
match the security index 6 (YFS) for connections to the AFS fileserver and
VL server.

Note that security index 4 (OpenAFS) can also be supported using this, but
it needs more work as it's slightly different.

The patches also provide the ability to secure the callback channel -
connections from the fileserver back to the client that are used to pass
file change notifications, amongst other things.  When challenged by the
fileserver, kafs will generate a token specific to that server and include
it in the RESPONSE packet as the appdata.  The server then extracts this
and uses it to send callback RPC calls back to the client.

It can also be used to provide transport security on the callback channel,
but a further set of patches is required to provide the token and key to
set that up when the client responds to the fileserver's challenge.

This makes use of the previously added crypto-krb5 library that is now
upstream (last commit fc0cf10c04f4).

This series of patches consists of the following parts:

 (1) Push responding to CHALLENGE packets over to recvmsg() or the kernel
     equivalent so that the application layer can include user-defined
     information in the RESPONSE packet.  In a follow-up patch set, this
     will allow the callback channel to be secured by the AFS filesystem.

 (2) Add the AF_RXRPC RxGK security class that uses a key obtained from the
     AFS GSS security service to do Kerberos 5-based encryption instead of
     pcbc(fcrypt) and pcbc(des).

 (3) Add support for callback channel encryption in kafs.

 (4) Provide the test rxperf server module with some fixed krb5 keys.

David

The patches can be found on this branch also:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=rxrpc-next

David Howells (12):
  rxrpc: Pull out certain app callback funcs into an ops table
  rxrpc: Allow CHALLENGEs to the passed to the app for a RESPONSE
  rxrpc: Add the security index for yfs-rxgk
  rxrpc: Add YFS RxGK (GSSAPI) security class
  rxrpc: rxgk: Provide infrastructure and key derivation
  rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)
  rxrpc: rxgk: Implement connection rekeying
  rxrpc: Allow the app to store private data on peer structs
  rxrpc: Display security params in the afs_cb_call tracepoint
  afs: Use rxgk RESPONSE to pass token for callback channel
  rxrpc: Add more CHALLENGE/RESPONSE packet tracing
  rxrpc: rxperf: Add test RxGK server keys

 fs/afs/Kconfig               |    1 +
 fs/afs/Makefile              |    1 +
 fs/afs/cm_security.c         |  340 +++++++++
 fs/afs/internal.h            |   20 +
 fs/afs/main.c                |    1 +
 fs/afs/misc.c                |   27 +
 fs/afs/rxrpc.c               |   40 +-
 fs/afs/server.c              |    2 +
 include/crypto/krb5.h        |    5 +
 include/keys/rxrpc-type.h    |   17 +
 include/net/af_rxrpc.h       |   51 +-
 include/trace/events/afs.h   |   11 +-
 include/trace/events/rxrpc.h |  163 +++-
 include/uapi/linux/rxrpc.h   |   77 +-
 net/rxrpc/Kconfig            |   23 +
 net/rxrpc/Makefile           |    6 +-
 net/rxrpc/af_rxrpc.c         |   72 +-
 net/rxrpc/ar-internal.h      |   78 +-
 net/rxrpc/call_accept.c      |   34 +-
 net/rxrpc/call_object.c      |   20 +-
 net/rxrpc/conn_event.c       |  134 +++-
 net/rxrpc/conn_object.c      |    2 +
 net/rxrpc/insecure.c         |   13 +-
 net/rxrpc/io_thread.c        |   12 +-
 net/rxrpc/key.c              |  185 +++++
 net/rxrpc/oob.c              |  371 +++++++++
 net/rxrpc/output.c           |   60 +-
 net/rxrpc/protocol.h         |   20 +
 net/rxrpc/recvmsg.c          |  120 ++-
 net/rxrpc/rxgk.c             | 1365 ++++++++++++++++++++++++++++++++++
 net/rxrpc/rxgk_app.c         |  285 +++++++
 net/rxrpc/rxgk_common.h      |  139 ++++
 net/rxrpc/rxgk_kdf.c         |  287 +++++++
 net/rxrpc/rxkad.c            |  294 +++++---
 net/rxrpc/rxperf.c           |   78 +-
 net/rxrpc/security.c         |    3 +
 net/rxrpc/sendmsg.c          |   15 +-
 net/rxrpc/server_key.c       |   40 +
 38 files changed, 4187 insertions(+), 225 deletions(-)
 create mode 100644 fs/afs/cm_security.c
 create mode 100644 net/rxrpc/oob.c
 create mode 100644 net/rxrpc/rxgk.c
 create mode 100644 net/rxrpc/rxgk_app.c
 create mode 100644 net/rxrpc/rxgk_common.h
 create mode 100644 net/rxrpc/rxgk_kdf.c
