On Wed, Aug 9, 2017 at 3:26 PM, David Howells <dhowe...@redhat.com> wrote: > Arnd Bergmann <a...@arndb.de> wrote: > >> Do you know which format is used in practice? Are both kad and k5 common >> among rxrpc users? > > The aklog program I'm using uses the non-XDR interface to push a Kerberos 5 > ticket to the kernel, so it doesn't actually invoke rxrpc_preparse_xdr() from > rxrpc_preparse().
Ah, I'm slowly starting to understand how this fits together. So you can add a key either through key_add() from local user space, or through an rxrpc socket. >From what I can tell, the program you have at http://people.redhat.com/~dhowells/rxrpc/klog.c will keep working beyond 2038 but not beyond 2106 on all 64-bit architectures and on those 32-bit systems that have a libc with 64-bit time_t. It could be modified to use the xdr_rxk5 key format, which would make it use 64-bit time values (and require the kernel fix mentioned above). In contrast, the rxrpc socket interface would need a major rework to support 64-bit expiration times. It receives a kerberos ticket with a 32-bit issue time that gets used to calculate the expiry time in rxkad_decrypt_ticket, and from there we pass it through a rxrpc_key_data_v1 into key_instantiate_and_link(), which calls rxrpc_preparse() and that just takes the expiry out again and sticks it into another 32-bit field in struct rxkad_key, from where it finally gets copied into the (now 64-bit) key_preparsed_payload->expiry field. Does my understanding match what you intended for the interfaces? Is there a need to extend the rxrpc socket interface to support xdr_rxk5 keys as well? Arnd