Message-ID: <160616220405.830164.2239716599743995145.stgit@warthog.procyon.org.uk>
Date: Mon, 23 Nov 2020 20:10:04 +0000
From: David Howells <dhowells@...hat.com>
To: netdev@...r.kernel.org
Cc: dhowells@...hat.com, linux-afs@...ts.infradead.org,
linux-kernel@...r.kernel.org
Subject: [PATCH net 00/17] rxrpc: Prelude to gssapi support

Here are some patches that do some reorganisation of the security class
handling in rxrpc to allow implementation of the RxGK security class that
will allow AF_RXRPC to use GSSAPI-negotiated tokens and better crypto.  The
RxGK security class is not included in this patchset.

It does the following things:

 (1) Add a keyrings patch to provide the original key description, as
     provided to add_key(), to the payload preparser so that it can
     interpret the content on that basis.  Unfortunately, the rxrpc_s key
     type wasn't written to interpret its payload as anything other than a
     string of bytes comprising a key, but for RxGK, more information is
     required as multiple Kerberos enctypes are supported.

 (2) Remove the rxk5 security class key parsing.  The rxk5 class never got
     rolled out in OpenAFS and got replaced with rxgk.

 (3) Support the creation of rxrpc keys with multiple tokens of different
     types.  If some types are not supported, the ENOPKG error is
     suppressed if at least one other token's type is supported.

 (4) Punt the handling of server keys (rxrpc_s type) to the appropriate
     security class.

 (5) Organise the security bits in the rxrpc_connection struct into a
     union to make it easier to override for other classes.

 (6) Move some bits from core code into rxkad that won't be appropriate to
     rxgk.

The patches are tagged here:

	git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git
	rxrpc-next-20201123

and can also be found on the following branch:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=rxrpc-next

David
---
David Howells (17):
      keys: Provide the original description to the key preparser
      rxrpc: Remove the rxk5 security class as it's now defunct
      rxrpc: List the held token types in the key description in /proc/keys
      rxrpc: Support keys with multiple authentication tokens
      rxrpc: Don't retain the server key in the connection
      rxrpc: Split the server key type (rxrpc_s) into its own file
      rxrpc: Hand server key parsing off to the security class
      rxrpc: Don't leak the service-side session key to userspace
      rxrpc: Allow security classes to give more info on server keys
      rxrpc: Make the parsing of xdr payloads more coherent
      rxrpc: Ignore unknown tokens in key payload unless no known tokens
      rxrpc: Fix example key name in a comment
      rxrpc: Merge prime_packet_security into init_connection_security
      rxrpc: Don't reserve security header in Tx DATA skbuff
      rxrpc: Organise connection security to use a union
      rxrpc: rxkad: Don't use pskb_pull() to advance through the response packet
      rxrpc: Ask the security class how much space to allow in a packet

 include/keys/rxrpc-type.h |  56 +---
 net/rxrpc/Makefile        |   1 +
 net/rxrpc/ar-internal.h   |  63 ++--
 net/rxrpc/call_accept.c   |  14 +-
 net/rxrpc/conn_client.c   |   6 -
 net/rxrpc/conn_event.c    |   8 +-
 net/rxrpc/conn_object.c   |   2 -
 net/rxrpc/conn_service.c  |   2 -
 net/rxrpc/insecure.c      |  19 +-
 net/rxrpc/key.c           | 658 ++++----------------------------------
 net/rxrpc/rxkad.c         | 256 ++++++++++-----
 net/rxrpc/security.c      |  98 ++++--
 net/rxrpc/sendmsg.c       |  45 +--
 net/rxrpc/server_key.c    | 143 +++++++++
 14 files changed, 519 insertions(+), 852 deletions(-)
 create mode 100644 net/rxrpc/server_key.c