fs/afs/cm_security.c

Source file repositories/reference/linux-study-clean/fs/afs/cm_security.c

File Facts

System
Linux kernel
Corpus path
fs/afs/cm_security.c
Extension
.c
Size
9118 bytes
Lines
341
Domain
Core OS
Bucket
VFS And Filesystem Core
Inferred role
Core OS: implementation source
Status
source implementation candidate

Why This File Exists

Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.

Dependency Surface

Detected Declarations

Annotated Snippet

switch (service_id) {
		case FS_SERVICE:
		case YFS_FS_SERVICE:
			server = (struct afs_server *)peer_data;
			if (!server->cm_rxgk_appdata.data) {
				mutex_lock(&server->cm_token_lock);
				if (!server->cm_rxgk_appdata.data)
					afs_create_yfs_cm_token(challenge, server);
				mutex_unlock(&server->cm_token_lock);
			}
			if (server->cm_rxgk_appdata.data)
				appdata = server->cm_rxgk_appdata;
			break;
		}
		return rxgk_kernel_respond_to_challenge(challenge, &appdata);
#endif

	default:
		return rxrpc_kernel_reject_challenge(challenge, RX_USER_ABORT, -EPROTO,
						     afs_abort_unsupported_sec_class);
	}
}

/*
 * Process the OOB message queue, processing challenge packets.
 */
void afs_process_oob_queue(struct work_struct *work)
{
	struct afs_net *net = container_of(work, struct afs_net, rx_oob_work);
	struct sk_buff *oob;
	enum rxrpc_oob_type type;

	while ((oob = rxrpc_kernel_dequeue_oob(net->socket, &type))) {
		switch (type) {
		case RXRPC_OOB_CHALLENGE:
			afs_respond_to_challenge(oob);
			break;
		}
		rxrpc_kernel_free_oob(oob);
	}
}

#ifdef CONFIG_RXGK
/*
 * Create a securities keyring for the cache manager and attach a key to it for
 * the RxGK tokens we want to use to secure the callback connection back from
 * the fileserver.
 */
int afs_create_token_key(struct afs_net *net, struct socket *socket)
{
	const struct krb5_enctype *krb5;
	struct key *ring;
	key_ref_t key;
	char K0[32], *desc;
	int ret;

	ring = keyring_alloc("kafs",
			     GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
			     KEY_POS_SEARCH | KEY_POS_WRITE |
			     KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH,
			     KEY_ALLOC_NOT_IN_QUOTA,
			     NULL, NULL);
	if (IS_ERR(ring))
		return PTR_ERR(ring);

	ret = rxrpc_sock_set_security_keyring(socket->sk, ring);
	if (ret < 0)
		goto out;

	ret = -ENOPKG;
	krb5 = crypto_krb5_find_enctype(KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96);
	if (!krb5)
		goto out;

	if (WARN_ON_ONCE(krb5->key_len > sizeof(K0)))
		goto out;

	ret = -ENOMEM;
	desc = kasprintf(GFP_KERNEL, "%u:%u:%u:%u",
			 YFS_CM_SERVICE, RXRPC_SECURITY_YFS_RXGK, 1, krb5->etype);
	if (!desc)
		goto out;

	wait_for_random_bytes();
	get_random_bytes(K0, krb5->key_len);

	key = key_create(make_key_ref(ring, true),
			 "rxrpc_s", desc,
			 K0, krb5->key_len,
			 KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | KEY_USR_VIEW,

Annotation

Implementation Notes