rxrpc: Add the security index for yfs-rxgk

Add the security index and abort codes for the YFS variant of rxgk.

Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/20250411095303.2316168-6-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/fs/afs/misc.c b/fs/afs/misc.c
index b8180bf2281f7214e4d52abe4590e6f5ecb5c3b8..8f2b3a17769082776f8c36e8ff8aef6f16ae0b4f 100644 (file)
--- a/fs/afs/misc.c
+++ b/fs/afs/misc.c
@@ -8,6 +8,7 @@
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/errno.h>
+#include <crypto/krb5.h>
 #include "internal.h"
 #include "afs_fs.h"
 #include "protocol_uae.h"
@@ -103,6 +104,32 @@ int afs_abort_to_error(u32 abort_code)
        case RXKADDATALEN:      return -EKEYREJECTED;
        case RXKADILLEGALLEVEL: return -EKEYREJECTED;
 
+       case RXGK_INCONSISTENCY:        return -EPROTO;
+       case RXGK_PACKETSHORT:          return -EPROTO;
+       case RXGK_BADCHALLENGE:         return -EPROTO;
+       case RXGK_SEALEDINCON:          return -EKEYREJECTED;
+       case RXGK_NOTAUTH:              return -EKEYREJECTED;
+       case RXGK_EXPIRED:              return -EKEYEXPIRED;
+       case RXGK_BADLEVEL:             return -EKEYREJECTED;
+       case RXGK_BADKEYNO:             return -EKEYREJECTED;
+       case RXGK_NOTRXGK:              return -EKEYREJECTED;
+       case RXGK_UNSUPPORTED:          return -EKEYREJECTED;
+       case RXGK_GSSERROR:             return -EKEYREJECTED;
+#ifdef RXGK_BADETYPE
+       case RXGK_BADETYPE:             return -ENOPKG;
+#endif
+#ifdef RXGK_BADTOKEN
+       case RXGK_BADTOKEN:             return -EKEYREJECTED;
+#endif
+#ifdef RXGK_BADETYPE
+       case RXGK_DATALEN:              return -EPROTO;
+#endif
+#ifdef RXGK_BADQOP
+       case RXGK_BADQOP:               return -EKEYREJECTED;
+#endif
+
+       case KRB5_PROG_KEYTYPE_NOSUPP:  return -ENOPKG;
+
        case RXGEN_OPCODE:      return -ENOTSUPP;
 
        default:                return -EREMOTEIO;

diff --git a/include/crypto/krb5.h b/include/crypto/krb5.h
index 62d998e62f47d1040eea25cb8da3d829063c533c..71dd38f59be1def9233eeb1f94f83752a612fcd5 100644 (file)
--- a/include/crypto/krb5.h
+++ b/include/crypto/krb5.h
@@ -63,6 +63,11 @@ struct scatterlist;
 #define KEY_USAGE_SEED_ENCRYPTION       (0xAA)
 #define KEY_USAGE_SEED_INTEGRITY        (0x55)
 
+/*
+ * Standard Kerberos error codes.
+ */
+#define KRB5_PROG_KEYTYPE_NOSUPP               -1765328233
+
 /*
  * Mode of operation.
  */

diff --git a/include/uapi/linux/rxrpc.h b/include/uapi/linux/rxrpc.h
index c4e9833b0a12b0ff123864e97f242da58d56ec90..d9735abd4c79107b0cc5c9f103ad7afeb644ce09 100644 (file)
--- a/include/uapi/linux/rxrpc.h
+++ b/include/uapi/linux/rxrpc.h
@@ -80,6 +80,7 @@ enum rxrpc_cmsg_type {
 #define RXRPC_SECURITY_RXKAD   2       /* kaserver or kerberos 4 */
 #define RXRPC_SECURITY_RXGK    4       /* gssapi-based */
 #define RXRPC_SECURITY_RXK5    5       /* kerberos 5 */
+#define RXRPC_SECURITY_YFS_RXGK        6       /* YFS gssapi-based */
 
 /*
  * RxRPC-level abort codes
@@ -125,6 +126,36 @@ enum rxrpc_cmsg_type {
 #define RXKADDATALEN           19270411        /* user data too long */
 #define RXKADILLEGALLEVEL      19270412        /* caller not authorised to use encrypted conns */
 
+/*
+ * RxGK GSSAPI security abort codes.
+ */
+#if 0 /* Original standard abort codes (used by OpenAFS) */
+#define RXGK_INCONSISTENCY     1233242880      /* Security module structure inconsistent */
+#define RXGK_PACKETSHORT       1233242881      /* Packet too short for security challenge */
+#define RXGK_BADCHALLENGE      1233242882      /* Invalid security challenge */
+#define RXGK_BADETYPE          1233242883      /* Invalid or impermissible encryption type */
+#define RXGK_BADLEVEL          1233242884      /* Invalid or impermissible security level */
+#define RXGK_BADKEYNO          1233242885      /* Key version number not found */
+#define RXGK_EXPIRED           1233242886      /* Token has expired */
+#define RXGK_NOTAUTH           1233242887      /* Caller not authorized */
+#define RXGK_BAD_TOKEN         1233242888      /* Security object was passed a bad token */
+#define RXGK_SEALED_INCON      1233242889      /* Sealed data inconsistent */
+#define RXGK_DATA_LEN          1233242890      /* User data too long */
+#define RXGK_BAD_QOP           1233242891      /* Inadequate quality of protection available */
+#else /* Revised standard abort codes (used by YFS) */
+#define RXGK_INCONSISTENCY     1233242880      /* Security module structure inconsistent */
+#define RXGK_PACKETSHORT       1233242881      /* Packet too short for security challenge */
+#define RXGK_BADCHALLENGE      1233242882      /* Security challenge/response failed */
+#define RXGK_SEALEDINCON       1233242883      /* Sealed data is inconsistent */
+#define RXGK_NOTAUTH           1233242884      /* Caller not authorised */
+#define RXGK_EXPIRED           1233242885      /* Authentication expired */
+#define RXGK_BADLEVEL          1233242886      /* Unsupported or not permitted security level */
+#define RXGK_BADKEYNO          1233242887      /* Bad transport key number */
+#define RXGK_NOTRXGK           1233242888      /* Security layer is not rxgk */
+#define RXGK_UNSUPPORTED       1233242889      /* Endpoint does not support rxgk */
+#define RXGK_GSSERROR          1233242890      /* GSSAPI mechanism error */
+#endif
+
 /*
  * Challenge information in the RXRPC_CHALLENGED control message.
  */