1 /* RxRPC key type
2  *
3  * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11 
12 #ifndef _KEYS_RXRPC_TYPE_H
13 #define _KEYS_RXRPC_TYPE_H
14 
15 #include <linux/key.h>
16 
/*
 * key type for AF_RXRPC keys
 *
 * Registered key type whose in-kernel payload is the list of
 * struct rxrpc_key_token described below.  The raw forms accepted from
 * userspace at add_key()/instantiate time are struct rxrpc_key_data_v1 and
 * the XDR-derived format bounded by the AFSTOKEN_* limits further down.
 */
extern struct key_type key_type_rxrpc;

/*
 * Obtain the "null" rxrpc key for the given description string.
 * NOTE(review): only the name is visible here; presumably this is a
 * no-security placeholder key and the caller owns the returned reference
 * (key_put() when done) — confirm against the definition.
 */
extern struct key *rxrpc_get_null_key(const char *);
23 
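/*
 * RxRPC key for Kerberos IV (type-2 security, "rxkad")
 *
 * Decoded, in-kernel form of one rxkad token.  The struct is variable
 * length: ticket[] is a C99 flexible array member holding ticket_len bytes
 * of the still-encrypted ticket, so instances are only handled through a
 * pointer and must be allocated as sizeof(struct rxkad_key) + ticket_len.
 * Replacing the old GNU zero-length array with a flexible array member does
 * not change sizeof() or any field offset; it does let compiler bounds
 * diagnostics treat ticket[] as sized by the allocation rather than by 0.
 *
 * Security notes:
 * - session_key is a single-DES key: 8 bytes including parity bits, 56
 *   effective bits.  DES offers no meaningful confidentiality today; rxkad
 *   is a legacy security class and this header cannot mitigate that.
 * - ticket_len is the only record of how long ticket[] is.  Whoever fills
 *   this struct from an external payload must check the length against the
 *   payload actually received and against AFSTOKEN_RK_TIX_MAX (below)
 *   before copying, since the value originates from userspace.
 */
struct rxkad_key {
	u32	vice_id;
	u32	start;			/* time at which ticket starts */
	u32	expiry;			/* time at which ticket expires */
	u32	kvno;			/* key version number */
	u8	primary_flag;		/* T if key for primary cell for this user */
	u16	ticket_len;		/* length of ticket[] */
	u8	session_key[8];		/* DES session key (56-bit effective strength) */
	u8	ticket[];		/* the encrypted ticket, ticket_len bytes */
};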
37 
/*
 * Kerberos 5 principal
 *	name/name/name@realm
 *
 * Decoded form of a krb5 principal name.  name_parts points at an array of
 * n_name_parts strings (the '/'-separated components before the '@') and
 * realm at the part after it.  Allocation and ownership of those strings is
 * handled by the token parser, not visible here.  n_name_parts is only a
 * u8, so the decoder has to cap the component count; AFSTOKEN_K5_COMPONENTS_MAX
 * below looks like the intended limit — confirm against the XDR parser.
 */
struct krb5_principal {
	u8	n_name_parts;		/* N of parts of the name part of the principal */
	char	**name_parts;		/* parts of the name part of the principal, n_name_parts of them */
	char	*realm;			/* the realm part of the principal */
};
47 
/*
 * Kerberos 5 tagged data
 *
 * A length-prefixed blob plus an integer tag saying what it holds.  The
 * meaning of tag depends on where the element is used (see struct rxk5_key
 * below): for authorisation data it is a KRB5_AUTHDATA_* value, for the
 * session element it is the krb5 enctype; both are defined in the userspace
 * krb5.h rather than in the kernel.  data_len is the only record of how
 * much memory data points at, so a value that came from an external payload
 * must be bounded by the parser before anything reads data[].
 */
struct krb5_tagged_data {
	/* for tag value, see /usr/include/krb5/krb5.h
	 * - KRB5_AUTHDATA_* for auth data
	 * - the enctype for session data (see rxk5_key::session)
	 */
	s32		tag;
	u32		data_len;		/* number of bytes at data */
	u8		*data;			/* the tagged payload, data_len bytes */
};
60 
/*
 * RxRPC key for Kerberos V (type-5 security, "rxk5")
 *
 * Decoded, in-kernel form of one rxk5 token.  Unlike struct rxkad_key this
 * is a fixed-size header with out-of-line buffers: ticket and ticket2 are
 * ticket_len and ticket2_len bytes respectively, addresses[] has n_addresses
 * elements and authdata[] has n_authdata elements.  Those counts are the
 * only record of the buffer sizes, so the decoder must bound them before
 * allocating or copying; the AFSTOKEN_K5_* limits below look like the
 * intended caps — confirm against the XDR parser.
 */
struct rxk5_key {
	u64			authtime;	/* time at which auth token generated */
	u64			starttime;	/* time at which auth token starts */
	u64			endtime;	/* time at which auth token expired */
	u64			renew_till;	/* time to which auth token can be renewed */
	s32			is_skey;	/* T if ticket is encrypted in another ticket's
						 * skey */
	s32			flags;		/* mask of TKT_FLG_* bits (krb5/krb5.h) */
	struct krb5_principal	client;		/* client principal name */
	struct krb5_principal	server;		/* server principal name */
	u16			ticket_len;	/* length of ticket, in bytes */
	u16			ticket2_len;	/* length of second ticket, in bytes */
	u8			n_authdata;	/* number of elements in authdata[] */
	u8			n_addresses;	/* number of elements in addresses[] */
	struct krb5_tagged_data	session;	/* session data; tag is enctype, data presumably the key bytes */
	struct krb5_tagged_data *addresses;	/* n_addresses client addresses */
	u8			*ticket;	/* krb5 ticket, ticket_len bytes */
	u8			*ticket2;	/* second krb5 ticket, if related to ticket (via
						 * DUPLICATE-SKEY or ENC-TKT-IN-SKEY) */
	struct krb5_tagged_data *authdata;	/* n_authdata authorisation data elements */
};
85 
/*
 * list of tokens attached to an rxrpc key
 *
 * Singly linked list node (via next; presumably NULL-terminated).  The
 * anonymous union holds the decoded token body for exactly one security
 * class, but nothing in the union records which member is live: readers
 * must dispatch on security_index first (per the comments above, rxkad is
 * security type 2 and rxk5 is type 5) and only then dereference kad or k5.
 * Reading the wrong member is a type-confusion bug, not merely a wrong
 * answer.
 */
struct rxrpc_key_token {
	u16	security_index;		/* RxRPC header security index; selects the union member */
	struct rxrpc_key_token *next;	/* the next token in the list */
	union {
		struct rxkad_key *kad;	/* valid for the rxkad (type-2) security class */
		struct rxk5_key *k5;	/* valid for the rxk5 (type-5) security class */
	};
};
97 
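/*
 * structure of raw payloads passed to add_key() or instantiate key
 *
 * Version-1 userspace-facing payload: the bytes arrive verbatim from the
 * add_key()/instantiate caller, so every field is untrusted input.  In
 * particular ticket_length is caller-controlled and must be checked against
 * the payload size actually received (and a sane cap such as
 * AFSTOKEN_RK_TIX_MAX) before ticket[] is read.  expiry is a 32-bit time_t
 * covering 1970-2106 only; it can be widened with rxrpc_u32_to_time64()
 * below.  With natural alignment the fixed part is 20 bytes, followed by
 * ticket_length bytes of ticket.  ticket[] is a C99 flexible array member:
 * sizeof() and all offsets are identical to the former zero-length array,
 * but compiler bounds diagnostics now treat it as sized by the allocation
 * rather than as a zero-element array.
 */
struct rxrpc_key_data_v1 {
	u16		security_index;		/* RxRPC security class of the token */
	u16		ticket_length;		/* number of bytes in ticket[] */
	u32		expiry;			/* time_t */
	u32		kvno;			/* key version number */
	u8		session_key[8];		/* DES session key */
	u8		ticket[];		/* ticket bytes, ticket_length of them */
};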
109 
/*
 * AF_RXRPC key payload derived from XDR format
 * - based on openafs-1.4.10/src/auth/afs_token.xg
 *
 * The AFSTOKEN_*_MAX values are size caps for the XDR-encoded payload and
 * its elements.  They exist to bound attacker-controlled lengths arriving
 * from userspace through add_key(): a decoder should reject any count or
 * length above the matching cap before allocating or copying, rather than
 * trusting the length fields embedded in the payload.  Note that the K5
 * ticket cap equals the whole-payload cap (16384), so a single K5 ticket
 * may legitimately fill the entire payload.
 */
#define AFSTOKEN_LENGTH_MAX		16384	/* max payload size */
#define AFSTOKEN_STRING_MAX		256	/* max small string length */
#define AFSTOKEN_DATA_MAX		64	/* max small data length */
#define AFSTOKEN_CELL_MAX		64	/* max cellname length */
#define AFSTOKEN_MAX			8	/* max tokens per payload */
#define AFSTOKEN_BDATALN_MAX		16384	/* max big data length */
#define AFSTOKEN_RK_TIX_MAX		12000	/* max RxKAD ticket size */
#define AFSTOKEN_GK_KEY_MAX		64	/* max GSSAPI key size */
#define AFSTOKEN_GK_TOKEN_MAX		16384	/* max GSSAPI token size */
#define AFSTOKEN_K5_COMPONENTS_MAX	16	/* max K5 components (bounds krb5_principal::n_name_parts) */
#define AFSTOKEN_K5_NAME_MAX		128	/* max K5 name length */
#define AFSTOKEN_K5_REALM_MAX		64	/* max K5 realm name length */
#define AFSTOKEN_K5_TIX_MAX		16384	/* max K5 ticket size */
#define AFSTOKEN_K5_ADDRESSES_MAX	16	/* max K5 addresses (bounds rxk5_key::n_addresses) */
#define AFSTOKEN_K5_AUTHDATA_MAX	16	/* max K5 pieces of auth data (bounds rxk5_key::n_authdata) */
129 
/*
 * Clamp a time64_t into the unsigned 32-bit range (1970 to 2106) carried by
 * the network protocol.  Out-of-range values saturate rather than wrap: any
 * time before the epoch becomes 0 and any time past 2106 becomes UINT_MAX,
 * so a far-future expiry can never be turned into one in the past.
 */
static inline u32 rxrpc_time64_to_u32(time64_t time)
{
	u32 wire = UINT_MAX;		/* default: beyond the end of the range */

	if (time <= 0)
		wire = 0;
	else if (time <= UINT_MAX)
		wire = (u32)time;

	return wire;
}
144 
/*
 * Widen a 32-bit wire time (1970 to 2106) back to a time64_t.  This is the
 * inverse of rxrpc_time64_to_u32() for values that were in range; the
 * conversion is a zero-extension, so the result is never negative.
 */
static inline time64_t rxrpc_u32_to_time64(u32 time)
{
	time64_t wide = time;	/* unsigned source: no sign extension involved */

	return wide;
}
152 
153 #endif /* _KEYS_RXRPC_TYPE_H */
154