> On Feb 3, 2025, at 9:23 AM, David Howells <dhowells@xxxxxxxxxx> wrote: > > Add the security index and abort codes for the YFS variant of rxgk. > > Signed-off-by: David Howells <dhowells@xxxxxxxxxx> > --- > fs/afs/misc.c | 13 +++++++++++++ > include/uapi/linux/rxrpc.h | 17 +++++++++++++++++ > 2 files changed, 30 insertions(+) > > diff --git a/fs/afs/misc.c b/fs/afs/misc.c > index b8180bf2281f..57f779804d50 100644 ... > diff --git a/include/uapi/linux/rxrpc.h b/include/uapi/linux/rxrpc.h > index eac460d37598..cdf97c3f8637 100644 > --- a/include/uapi/linux/rxrpc.h > +++ b/include/uapi/linux/rxrpc.h > @@ -80,6 +80,7 @@ enum rxrpc_cmsg_type { > #define RXRPC_SECURITY_RXKAD 2 /* kaserver or kerberos 4 */ > #define RXRPC_SECURITY_RXGK 4 /* gssapi-based */ > #define RXRPC_SECURITY_RXK5 5 /* kerberos 5 */ > +#define RXRPC_SECURITY_YFS_RXGK 6 /* YFS gssapi-based */ > > /* > * RxRPC-level abort codes 
> @@ -125,6 +126,22 @@ enum rxrpc_cmsg_type { > #define RXKADDATALEN 19270411 /* user data too long */ > #define RXKADILLEGALLEVEL 19270412 /* caller not authorised to use encrypted conns */ > > +/* > + * RxGK GSSAPI security abort codes. > + */ > +#define RXGK_INCONSISTENCY 1233242880 /* Security module structure inconsistent */ > +#define RXGK_PACKETSHORT 1233242881 /* Packet too short for security challenge */ > +#define RXGK_BADCHALLENGE 1233242882 /* Invalid security challenge */ > +#define RXGK_BADETYPE 1233242883 /* Invalid or impermissible encryption type */ > +#define RXGK_BADLEVEL 1233242884 /* Invalid or impermissible security level */ > +#define RXGK_BADKEYNO 1233242885 /* Key version number not found */ > +#define RXGK_EXPIRED 1233242886 /* Token has expired */ > +#define RXGK_NOTAUTH 1233242887 /* Caller not authorized */ > +#define RXGK_BAD_TOKEN 1233242888 /* Security object was passed a bad token */ > +#define RXGK_SEALED_INCON 1233242889 /* Sealed data inconsistent */ > +#define RXGK_DATA_LEN 1233242890 /* User data too long */ > +#define RXGK_BAD_QOP 1233242891 /* Inadequate quality of protection available */ > + > /* > * Challenge information in the RXRPC_CHALLENGED control message. > */ David, Unfortunately these are not the RXGK error code assignments used by YFS_RXGK. 
The correct assignments are documented at

  https://registrar.central.org/et/RXGK_auristorfs.html

  RXGKINCONSISTENCY (1233242880L) Security module structure inconsistent
  RXGKPACKETSHORT (1233242881L) Packet too short for security challenge
  RXGKBADCHALLENGE (1233242882L) Security challenge/response failed
  RXGKSEALEDINCON (1233242883L) Sealed data is inconsistent
  RXGKNOTAUTH (1233242884L) Caller not authorised
  RXGKEXPIRED (1233242885L) Authentication expired
  RXGKBADLEVEL (1233242886L) Unsupported or not permitted security level
  RXGKBADKEYNO (1233242887L) Bad transport key number
  RXGKNOTRXGK (1233242888L) Security layer is not rxgk
  RXGKUNSUPPORTED (1233242889L) Endpoint does not support rxgk
  RXGKGSSERROR (1233242890L) GSSAPI mechanism error

The YFS_RXGK variant of the RXGK error table conflicts with the error table documented in

  rxgk: GSSAPI based security class for RX.
  https://datatracker.ietf.org/doc/draft-wilkinson-afs3-rxgk/

The RXGK error table used in conjunction with the yfs-rxgk security class predates the error table in the Internet-Draft by more than two years. A request that OpenAFS renumber was submitted in June 2023 but has yet to be acted upon.

  https://gerrit.openafs.org/#/c/15467/

Sorry for the inconvenience.

Jeffrey Altman
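
Review bot: The comment above the new RXGK_* block in include/uapi/linux/rxrpc.h (the @@ -125,6 +126,22 @@ hunk) says only "RxGK GSSAPI security abort codes" and does not name the error table the values come from, although the commit message says they are for the YFS variant of rxgk. From 1233242883 upward the values do not match the YFS_RXGK table quoted in the reply: the patch has RXGK_BADETYPE at 1233242883 where that table has RXGKSEALEDINCON, RXGK_SEALED_INCON at 1233242889 where it has RXGKUNSUPPORTED, and 1233242891 has no entry in that table at all. Since this is a uapi header the numbers become ABI once merged, so the comment should state the source table and the values should be checked against it before this goes in. The new names also mix styles (RXGK_BADETYPE next to RXGK_BAD_TOKEN, and RXKADDATALEN in the context above has no underscore); pick one form for the block.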
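
Review bot: On the added RXRPC_SECURITY_YFS_RXGK line (the @@ -80,6 +80,7 @@ hunk), the comment "YFS gssapi-based" does not tell a user of this uapi header how index 6 differs from RXRPC_SECURITY_RXGK (4, "gssapi-based") two lines above it. Suggest a short comment saying which of the two an application should request, or a pointer to where each security class is specified.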