LXR linux/net/rxrpc/rxkad.c

   1// SPDX-License-Identifier: GPL-2.0-or-later
   2/* Kerberos-based RxRPC security
   3 *
   4 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
   5 * Written by David Howells (dhowells@redhat.com)
   6 */
   7
   8#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
   9
  10#include <crypto/skcipher.h>
  11#include <linux/module.h>
  12#include <linux/net.h>
  13#include <linux/skbuff.h>
  14#include <linux/udp.h>
  15#include <linux/scatterlist.h>
  16#include <linux/ctype.h>
  17#include <linux/slab.h>
  18#include <linux/key-type.h>
  19#include <net/sock.h>
  20#include <net/af_rxrpc.h>
  21#include <keys/rxrpc-type.h>
  22#include "ar-internal.h"
  23
  24#define RXKAD_VERSION                   2
  25#define MAXKRB5TICKETLEN                1024
  26#define RXKAD_TKT_TYPE_KERBEROS_V5      256
  27#define ANAME_SZ                        40      /* size of authentication name */
  28#define INST_SZ                         40      /* size of principal's instance */
  29#define REALM_SZ                        40      /* size of principal's auth domain */
  30#define SNAME_SZ                        40      /* size of service name */
  31#define RXKAD_ALIGN                     8
  32
  33struct rxkad_level1_hdr {
  34        __be32  data_size;      /* true data size (excluding padding) */
  35};
  36
  37struct rxkad_level2_hdr {
  38        __be32  data_size;      /* true data size (excluding padding) */
  39        __be32  checksum;       /* decrypted data checksum */
  40};
  41
  42static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
  43                                       struct crypto_sync_skcipher *ci);
  44
  45/*
  46 * this holds a pinned cipher so that keventd doesn't get called by the cipher
  47 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
  48 * packets
  49 */
  50static struct crypto_sync_skcipher *rxkad_ci;
  51static struct skcipher_request *rxkad_ci_req;
  52static DEFINE_MUTEX(rxkad_ci_mutex);
  53
  54/*
  55 * Parse the information from a server key
  56 *
  57 * The data should be the 8-byte secret key.
  58 */
  59static int rxkad_preparse_server_key(struct key_preparsed_payload *prep)
  60{
  61        struct crypto_skcipher *ci;
  62
  63        if (prep->datalen != 8)
  64                return -EINVAL;
  65
  66        memcpy(&prep->payload.data[2], prep->data, 8);
  67
  68        ci = crypto_alloc_skcipher("pcbc(des)", 0, CRYPTO_ALG_ASYNC);
  69        if (IS_ERR(ci)) {
  70                _leave(" = %ld", PTR_ERR(ci));
  71                return PTR_ERR(ci);
  72        }
  73
  74        if (crypto_skcipher_setkey(ci, prep->data, 8) < 0)
  75                BUG();
  76
  77        prep->payload.data[0] = ci;
  78        _leave(" = 0");
  79        return 0;
  80}
  81
  82static void rxkad_free_preparse_server_key(struct key_preparsed_payload *prep)
  83{
  84
  85        if (prep->payload.data[0])
  86                crypto_free_skcipher(prep->payload.data[0]);
  87}
  88
  89static void rxkad_destroy_server_key(struct key *key)
  90{
  91        if (key->payload.data[0]) {
  92                crypto_free_skcipher(key->payload.data[0]);
  93                key->payload.data[0] = NULL;
  94        }
  95}
  96
  97/*
  98 * initialise connection security
  99 */
 100static int rxkad_init_connection_security(struct rxrpc_connection *conn,
 101                                          struct rxrpc_key_token *token)
 102{
 103        struct crypto_sync_skcipher *ci;
 104        int ret;
 105
 106        _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
 107
 108        conn->security_ix = token->security_index;
 109
 110        ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
 111        if (IS_ERR(ci)) {
 112                _debug("no cipher");
 113                ret = PTR_ERR(ci);
 114                goto error;
 115        }
 116
 117        if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
 118                                   sizeof(token->kad->session_key)) < 0)
 119                BUG();
 120
 121        switch (conn->params.security_level) {
 122        case RXRPC_SECURITY_PLAIN:
 123        case RXRPC_SECURITY_AUTH:
 124        case RXRPC_SECURITY_ENCRYPT:
 125                break;
 126        default:
 127                ret = -EKEYREJECTED;
 128                goto error;
 129        }
 130
 131        ret = rxkad_prime_packet_security(conn, ci);
 132        if (ret < 0)
 133                goto error_ci;
 134
 135        conn->rxkad.cipher = ci;
 136        return 0;
 137
 138error_ci:
 139        crypto_free_sync_skcipher(ci);
 140error:
 141        _leave(" = %d", ret);
 142        return ret;
 143}
 144
 145/*
 146 * Work out how much data we can put in a packet.
 147 */
 148static int rxkad_how_much_data(struct rxrpc_call *call, size_t remain,
 149                               size_t *_buf_size, size_t *_data_size, size_t *_offset)
 150{
 151        size_t shdr, buf_size, chunk;
 152
 153        switch (call->conn->params.security_level) {
 154        default:
 155                buf_size = chunk = min_t(size_t, remain, RXRPC_JUMBO_DATALEN);
 156                shdr = 0;
 157                goto out;
 158        case RXRPC_SECURITY_AUTH:
 159                shdr = sizeof(struct rxkad_level1_hdr);
 160                break;
 161        case RXRPC_SECURITY_ENCRYPT:
 162                shdr = sizeof(struct rxkad_level2_hdr);
 163                break;
 164        }
 165
 166        buf_size = round_down(RXRPC_JUMBO_DATALEN, RXKAD_ALIGN);
 167
 168        chunk = buf_size - shdr;
 169        if (remain < chunk)
 170                buf_size = round_up(shdr + remain, RXKAD_ALIGN);
 171
 172out:
 173        *_buf_size = buf_size;
 174        *_data_size = chunk;
 175        *_offset = shdr;
 176        return 0;
 177}
 178
 179/*
 180 * prime the encryption state with the invariant parts of a connection's
 181 * description
 182 */
 183static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
 184                                       struct crypto_sync_skcipher *ci)
 185{
 186        struct skcipher_request *req;
 187        struct rxrpc_key_token *token;
 188        struct scatterlist sg;
 189        struct rxrpc_crypt iv;
 190        __be32 *tmpbuf;
 191        size_t tmpsize = 4 * sizeof(__be32);
 192
 193        _enter("");
 194
 195        if (!conn->params.key)
 196                return 0;
 197
 198        tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
 199        if (!tmpbuf)
 200                return -ENOMEM;
 201
 202        req = skcipher_request_alloc(&ci->base, GFP_NOFS);
 203        if (!req) {
 204                kfree(tmpbuf);
 205                return -ENOMEM;
 206        }
 207
 208        token = conn->params.key->payload.data[0];
 209        memcpy(&iv, token->kad->session_key, sizeof(iv));
 210
 211        tmpbuf[0] = htonl(conn->proto.epoch);
 212        tmpbuf[1] = htonl(conn->proto.cid);
 213        tmpbuf[2] = 0;
 214        tmpbuf[3] = htonl(conn->security_ix);
 215
 216        sg_init_one(&sg, tmpbuf, tmpsize);
 217        skcipher_request_set_sync_tfm(req, ci);
 218        skcipher_request_set_callback(req, 0, NULL, NULL);
 219        skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
 220        crypto_skcipher_encrypt(req);
 221        skcipher_request_free(req);
 222
 223        memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv));
 224        kfree(tmpbuf);
 225        _leave(" = 0");
 226        return 0;
 227}
 228
 229/*
 230 * Allocate and prepare the crypto request on a call.  For any particular call,
 231 * this is called serially for the packets, so no lock should be necessary.
 232 */
 233static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call)
 234{
 235        struct crypto_skcipher *tfm = &call->conn->rxkad.cipher->base;
 236        struct skcipher_request *cipher_req = call->cipher_req;
 237
 238        if (!cipher_req) {
 239                cipher_req = skcipher_request_alloc(tfm, GFP_NOFS);
 240                if (!cipher_req)
 241                        return NULL;
 242                call->cipher_req = cipher_req;
 243        }
 244
 245        return cipher_req;
 246}
 247
 248/*
 249 * Clean up the crypto on a call.
 250 */
 251static void rxkad_free_call_crypto(struct rxrpc_call *call)
 252{
 253        if (call->cipher_req)
 254                skcipher_request_free(call->cipher_req);
 255        call->cipher_req = NULL;
 256}
 257
 258/*
 259 * partially encrypt a packet (level 1 security)
 260 */
 261static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
 262                                    struct sk_buff *skb, u32 data_size,
 263                                    struct skcipher_request *req)
 264{
 265        struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 266        struct rxkad_level1_hdr hdr;
 267        struct rxrpc_crypt iv;
 268        struct scatterlist sg;
 269        size_t pad;
 270        u16 check;
 271
 272        _enter("");
 273
 274        check = sp->hdr.seq ^ call->call_id;
 275        data_size |= (u32)check << 16;
 276
 277        hdr.data_size = htonl(data_size);
 278        memcpy(skb->head, &hdr, sizeof(hdr));
 279
 280        pad = sizeof(struct rxkad_level1_hdr) + data_size;
 281        pad = RXKAD_ALIGN - pad;
 282        pad &= RXKAD_ALIGN - 1;
 283        if (pad)
 284                skb_put_zero(skb, pad);
 285
 286        /* start the encryption afresh */
 287        memset(&iv, 0, sizeof(iv));
 288
 289        sg_init_one(&sg, skb->head, 8);
 290        skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
 291        skcipher_request_set_callback(req, 0, NULL, NULL);
 292        skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
 293        crypto_skcipher_encrypt(req);
 294        skcipher_request_zero(req);
 295
 296        _leave(" = 0");
 297        return 0;
 298}
 299
 300/*
 301 * wholly encrypt a packet (level 2 security)
 302 */
 303static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
 304                                       struct sk_buff *skb,
 305                                       u32 data_size,
 306                                       struct skcipher_request *req)
 307{
 308        const struct rxrpc_key_token *token;
 309        struct rxkad_level2_hdr rxkhdr;
 310        struct rxrpc_skb_priv *sp;
 311        struct rxrpc_crypt iv;
 312        struct scatterlist sg[16];
 313        unsigned int len;
 314        size_t pad;
 315        u16 check;
 316        int err;
 317
 318        sp = rxrpc_skb(skb);
 319
 320        _enter("");
 321
 322        check = sp->hdr.seq ^ call->call_id;
 323
 324        rxkhdr.data_size = htonl(data_size | (u32)check << 16);
 325        rxkhdr.checksum = 0;
 326        memcpy(skb->head, &rxkhdr, sizeof(rxkhdr));
 327
 328        pad = sizeof(struct rxkad_level2_hdr) + data_size;
 329        pad = RXKAD_ALIGN - pad;
 330        pad &= RXKAD_ALIGN - 1;
 331        if (pad)
 332                skb_put_zero(skb, pad);
 333
 334        /* encrypt from the session key */
 335        token = call->conn->params.key->payload.data[0];
 336        memcpy(&iv, token->kad->session_key, sizeof(iv));
 337
 338        sg_init_one(&sg[0], skb->head, sizeof(rxkhdr));
 339        skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
 340        skcipher_request_set_callback(req, 0, NULL, NULL);
 341        skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
 342        crypto_skcipher_encrypt(req);
 343
 344        /* we want to encrypt the skbuff in-place */
 345        err = -EMSGSIZE;
 346        if (skb_shinfo(skb)->nr_frags > 16)
 347                goto out;
 348
 349        len = round_up(data_size, RXKAD_ALIGN);
 350
 351        sg_init_table(sg, ARRAY_SIZE(sg));
 352        err = skb_to_sgvec(skb, sg, 8, len);
 353        if (unlikely(err < 0))
 354                goto out;
 355        skcipher_request_set_crypt(req, sg, sg, len, iv.x);
 356        crypto_skcipher_encrypt(req);
 357
 358        _leave(" = 0");
 359        err = 0;
 360
 361out:
 362        skcipher_request_zero(req);
 363        return err;
 364}
 365
 366/*
 367 * checksum an RxRPC packet header
 368 */
 369static int rxkad_secure_packet(struct rxrpc_call *call,
 370                               struct sk_buff *skb,
 371                               size_t data_size)
 372{
 373        struct rxrpc_skb_priv *sp;
 374        struct skcipher_request *req;
 375        struct rxrpc_crypt iv;
 376        struct scatterlist sg;
 377        u32 x, y;
 378        int ret;
 379
 380        sp = rxrpc_skb(skb);
 381
 382        _enter("{%d{%x}},{#%u},%zu,",
 383               call->debug_id, key_serial(call->conn->params.key),
 384               sp->hdr.seq, data_size);
 385
 386        if (!call->conn->rxkad.cipher)
 387                return 0;
 388
 389        ret = key_validate(call->conn->params.key);
 390        if (ret < 0)
 391                return ret;
 392
 393        req = rxkad_get_call_crypto(call);
 394        if (!req)
 395                return -ENOMEM;
 396
 397        /* continue encrypting from where we left off */
 398        memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
 399
 400        /* calculate the security checksum */
 401        x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
 402        x |= sp->hdr.seq & 0x3fffffff;
 403        call->crypto_buf[0] = htonl(call->call_id);
 404        call->crypto_buf[1] = htonl(x);
 405
 406        sg_init_one(&sg, call->crypto_buf, 8);
 407        skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
 408        skcipher_request_set_callback(req, 0, NULL, NULL);
 409        skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
 410        crypto_skcipher_encrypt(req);
 411        skcipher_request_zero(req);
 412
 413        y = ntohl(call->crypto_buf[1]);
 414        y = (y >> 16) & 0xffff;
 415        if (y == 0)
 416                y = 1; /* zero checksums are not permitted */
 417        sp->hdr.cksum = y;
 418
 419        switch (call->conn->params.security_level) {
 420        case RXRPC_SECURITY_PLAIN:
 421                ret = 0;
 422                break;
 423        case RXRPC_SECURITY_AUTH:
 424                ret = rxkad_secure_packet_auth(call, skb, data_size, req);
 425                break;
 426        case RXRPC_SECURITY_ENCRYPT:
 427                ret = rxkad_secure_packet_encrypt(call, skb, data_size, req);
 428                break;
 429        default:
 430                ret = -EPERM;
 431                break;
 432        }
 433
 434        _leave(" = %d [set %hx]", ret, y);
 435        return ret;
 436}
 437
 438/*
 439 * decrypt partial encryption on a packet (level 1 security)
 440 */
 441static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
 442                                 unsigned int offset, unsigned int len,
 443                                 rxrpc_seq_t seq,
 444                                 struct skcipher_request *req)
 445{
 446        struct rxkad_level1_hdr sechdr;
 447        struct rxrpc_crypt iv;
 448        struct scatterlist sg[16];
 449        bool aborted;
 450        u32 data_size, buf;
 451        u16 check;
 452        int ret;
 453
 454        _enter("");
 455
 456        if (len < 8) {
 457                aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_hdr", "V1H",
 458                                           RXKADSEALEDINCON);
 459                goto protocol_error;
 460        }
 461
 462        /* Decrypt the skbuff in-place.  TODO: We really want to decrypt
 463         * directly into the target buffer.
 464         */
 465        sg_init_table(sg, ARRAY_SIZE(sg));
 466        ret = skb_to_sgvec(skb, sg, offset, 8);
 467        if (unlikely(ret < 0))
 468                return ret;
 469
 470        /* start the decryption afresh */
 471        memset(&iv, 0, sizeof(iv));
 472
 473        skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
 474        skcipher_request_set_callback(req, 0, NULL, NULL);
 475        skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
 476        crypto_skcipher_decrypt(req);
 477        skcipher_request_zero(req);
 478
 479        /* Extract the decrypted packet length */
 480        if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
 481                aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_len", "XV1",
 482                                             RXKADDATALEN);
 483                goto protocol_error;
 484        }
 485        len -= sizeof(sechdr);
 486
 487        buf = ntohl(sechdr.data_size);
 488        data_size = buf & 0xffff;
 489
 490        check = buf >> 16;
 491        check ^= seq ^ call->call_id;
 492        check &= 0xffff;
 493        if (check != 0) {
 494                aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_check", "V1C",
 495                                             RXKADSEALEDINCON);
 496                goto protocol_error;
 497        }
 498
 499        if (data_size > len) {
 500                aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_datalen", "V1L",
 501                                             RXKADDATALEN);
 502                goto protocol_error;
 503        }
 504
 505        _leave(" = 0 [dlen=%x]", data_size);
 506        return 0;
 507
 508protocol_error:
 509        if (aborted)
 510                rxrpc_send_abort_packet(call);
 511        return -EPROTO;
 512}
 513
 514/*
 515 * wholly decrypt a packet (level 2 security)
 516 */
 517static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
 518                                 unsigned int offset, unsigned int len,
 519                                 rxrpc_seq_t seq,
 520                                 struct skcipher_request *req)
 521{
 522        const struct rxrpc_key_token *token;
 523        struct rxkad_level2_hdr sechdr;
 524        struct rxrpc_crypt iv;
 525        struct scatterlist _sg[4], *sg;
 526        bool aborted;
 527        u32 data_size, buf;
 528        u16 check;
 529        int nsg, ret;
 530
 531        _enter(",{%d}", skb->len);
 532
 533        if (len < 8) {
 534                aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_hdr", "V2H",
 535                                             RXKADSEALEDINCON);
 536                goto protocol_error;
 537        }
 538
 539        /* Decrypt the skbuff in-place.  TODO: We really want to decrypt
 540         * directly into the target buffer.
 541         */
 542        sg = _sg;
 543        nsg = skb_shinfo(skb)->nr_frags;
 544        if (nsg <= 4) {
 545                nsg = 4;
 546        } else {
 547                sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
 548                if (!sg)
 549                        goto nomem;
 550        }
 551
 552        sg_init_table(sg, nsg);
 553        ret = skb_to_sgvec(skb, sg, offset, len);
 554        if (unlikely(ret < 0)) {
 555                if (sg != _sg)
 556                        kfree(sg);
 557                return ret;
 558        }
 559
 560        /* decrypt from the session key */
 561        token = call->conn->params.key->payload.data[0];
 562        memcpy(&iv, token->kad->session_key, sizeof(iv));
 563
 564        skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
 565        skcipher_request_set_callback(req, 0, NULL, NULL);
 566        skcipher_request_set_crypt(req, sg, sg, len, iv.x);
 567        crypto_skcipher_decrypt(req);
 568        skcipher_request_zero(req);
 569        if (sg != _sg)
 570                kfree(sg);
 571
 572        /* Extract the decrypted packet length */
 573        if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
 574                aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_len", "XV2",
 575                                             RXKADDATALEN);
 576                goto protocol_error;
 577        }
 578        len -= sizeof(sechdr);
 579
 580        buf = ntohl(sechdr.data_size);
 581        data_size = buf & 0xffff;
 582
 583        check = buf >> 16;
 584        check ^= seq ^ call->call_id;
 585        check &= 0xffff;
 586        if (check != 0) {
 587                aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_check", "V2C",
 588                                             RXKADSEALEDINCON);
 589                goto protocol_error;
 590        }
 591
 592        if (data_size > len) {
 593                aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_datalen", "V2L",
 594                                             RXKADDATALEN);
 595                goto protocol_error;
 596        }
 597
 598        _leave(" = 0 [dlen=%x]", data_size);
 599        return 0;
 600
 601protocol_error:
 602        if (aborted)
 603                rxrpc_send_abort_packet(call);
 604        return -EPROTO;
 605
 606nomem:
 607        _leave(" = -ENOMEM");
 608        return -ENOMEM;
 609}
 610
 611/*
 612 * Verify the security on a received packet or subpacket (if part of a
 613 * jumbo packet).
 614 */
 615static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb,
 616                               unsigned int offset, unsigned int len,
 617                               rxrpc_seq_t seq, u16 expected_cksum)
 618{
 619        struct skcipher_request *req;
 620        struct rxrpc_crypt iv;
 621        struct scatterlist sg;
 622        bool aborted;
 623        u16 cksum;
 624        u32 x, y;
 625
 626        _enter("{%d{%x}},{#%u}",
 627               call->debug_id, key_serial(call->conn->params.key), seq);
 628
 629        if (!call->conn->rxkad.cipher)
 630                return 0;
 631
 632        req = rxkad_get_call_crypto(call);
 633        if (!req)
 634                return -ENOMEM;
 635
 636        /* continue encrypting from where we left off */
 637        memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
 638
 639        /* validate the security checksum */
 640        x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
 641        x |= seq & 0x3fffffff;
 642        call->crypto_buf[0] = htonl(call->call_id);
 643        call->crypto_buf[1] = htonl(x);
 644
 645        sg_init_one(&sg, call->crypto_buf, 8);
 646        skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
 647        skcipher_request_set_callback(req, 0, NULL, NULL);
 648        skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
 649        crypto_skcipher_encrypt(req);
 650        skcipher_request_zero(req);
 651
 652        y = ntohl(call->crypto_buf[1]);
 653        cksum = (y >> 16) & 0xffff;
 654        if (cksum == 0)
 655                cksum = 1; /* zero checksums are not permitted */
 656
 657        if (cksum != expected_cksum) {
 658                aborted = rxrpc_abort_eproto(call, skb, "rxkad_csum", "VCK",
 659                                             RXKADSEALEDINCON);
 660                goto protocol_error;
 661        }
 662
 663        switch (call->conn->params.security_level) {
 664        case RXRPC_SECURITY_PLAIN:
 665                return 0;
 666        case RXRPC_SECURITY_AUTH:
 667                return rxkad_verify_packet_1(call, skb, offset, len, seq, req);
 668        case RXRPC_SECURITY_ENCRYPT:
 669                return rxkad_verify_packet_2(call, skb, offset, len, seq, req);
 670        default:
 671                return -ENOANO;
 672        }
 673
 674protocol_error:
 675        if (aborted)
 676                rxrpc_send_abort_packet(call);
 677        return -EPROTO;
 678}
 679
 680/*
 681 * Locate the data contained in a packet that was partially encrypted.
 682 */
 683static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb,
 684                                unsigned int *_offset, unsigned int *_len)
 685{
 686        struct rxkad_level1_hdr sechdr;
 687
 688        if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
 689                BUG();
 690        *_offset += sizeof(sechdr);
 691        *_len = ntohl(sechdr.data_size) & 0xffff;
 692}
 693
 694/*
 695 * Locate the data contained in a packet that was completely encrypted.
 696 */
 697static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb,
 698                                unsigned int *_offset, unsigned int *_len)
 699{
 700        struct rxkad_level2_hdr sechdr;
 701
 702        if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
 703                BUG();
 704        *_offset += sizeof(sechdr);
 705        *_len = ntohl(sechdr.data_size) & 0xffff;
 706}
 707
 708/*
 709 * Locate the data contained in an already decrypted packet.
 710 */
 711static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb,
 712                              unsigned int *_offset, unsigned int *_len)
 713{
 714        switch (call->conn->params.security_level) {
 715        case RXRPC_SECURITY_AUTH:
 716                rxkad_locate_data_1(call, skb, _offset, _len);
 717                return;
 718        case RXRPC_SECURITY_ENCRYPT:
 719                rxkad_locate_data_2(call, skb, _offset, _len);
 720                return;
 721        default:
 722                return;
 723        }
 724}
 725
 726/*
 727 * issue a challenge
 728 */
 729static int rxkad_issue_challenge(struct rxrpc_connection *conn)
 730{
 731        struct rxkad_challenge challenge;
 732        struct rxrpc_wire_header whdr;
 733        struct msghdr msg;
 734        struct kvec iov[2];
 735        size_t len;
 736        u32 serial;
 737        int ret;
 738
 739        _enter("{%d}", conn->debug_id);
 740
 741        get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce));
 742
 743        challenge.version       = htonl(2);
 744        challenge.nonce         = htonl(conn->rxkad.nonce);
 745        challenge.min_level     = htonl(0);
 746        challenge.__padding     = 0;
 747
 748        msg.msg_name    = &conn->params.peer->srx.transport;
 749        msg.msg_namelen = conn->params.peer->srx.transport_len;
 750        msg.msg_control = NULL;
 751        msg.msg_controllen = 0;
 752        msg.msg_flags   = 0;
 753
 754        whdr.epoch      = htonl(conn->proto.epoch);
 755        whdr.cid        = htonl(conn->proto.cid);
 756        whdr.callNumber = 0;
 757        whdr.seq        = 0;
 758        whdr.type       = RXRPC_PACKET_TYPE_CHALLENGE;
 759        whdr.flags      = conn->out_clientflag;
 760        whdr.userStatus = 0;
 761        whdr.securityIndex = conn->security_ix;
 762        whdr._rsvd      = 0;
 763        whdr.serviceId  = htons(conn->service_id);
 764
 765        iov[0].iov_base = &whdr;
 766        iov[0].iov_len  = sizeof(whdr);
 767        iov[1].iov_base = &challenge;
 768        iov[1].iov_len  = sizeof(challenge);
 769
 770        len = iov[0].iov_len + iov[1].iov_len;
 771
 772        serial = atomic_inc_return(&conn->serial);
 773        whdr.serial = htonl(serial);
 774        _proto("Tx CHALLENGE %%%u", serial);
 775
 776        ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
 777        if (ret < 0) {
 778                trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
 779                                    rxrpc_tx_point_rxkad_challenge);
 780                return -EAGAIN;
 781        }
 782
 783        conn->params.peer->last_tx_at = ktime_get_seconds();
 784        trace_rxrpc_tx_packet(conn->debug_id, &whdr,
 785                              rxrpc_tx_point_rxkad_challenge);
 786        _leave(" = 0");
 787        return 0;
 788}
 789
 790/*
 791 * send a Kerberos security response
 792 */
 793static int rxkad_send_response(struct rxrpc_connection *conn,
 794                               struct rxrpc_host_header *hdr,
 795                               struct rxkad_response *resp,
 796                               const struct rxkad_key *s2)
 797{
 798        struct rxrpc_wire_header whdr;
 799        struct msghdr msg;
 800        struct kvec iov[3];
 801        size_t len;
 802        u32 serial;
 803        int ret;
 804
 805        _enter("");
 806
 807        msg.msg_name    = &conn->params.peer->srx.transport;
 808        msg.msg_namelen = conn->params.peer->srx.transport_len;
 809        msg.msg_control = NULL;
 810        msg.msg_controllen = 0;
 811        msg.msg_flags   = 0;
 812
 813        memset(&whdr, 0, sizeof(whdr));
 814        whdr.epoch      = htonl(hdr->epoch);
 815        whdr.cid        = htonl(hdr->cid);
 816        whdr.type       = RXRPC_PACKET_TYPE_RESPONSE;
 817        whdr.flags      = conn->out_clientflag;
 818        whdr.securityIndex = hdr->securityIndex;
 819        whdr.serviceId  = htons(hdr->serviceId);
 820
 821        iov[0].iov_base = &whdr;
 822        iov[0].iov_len  = sizeof(whdr);
 823        iov[1].iov_base = resp;
 824        iov[1].iov_len  = sizeof(*resp);
 825        iov[2].iov_base = (void *)s2->ticket;
 826        iov[2].iov_len  = s2->ticket_len;
 827
 828        len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
 829
 830        serial = atomic_inc_return(&conn->serial);
 831        whdr.serial = htonl(serial);
 832        _proto("Tx RESPONSE %%%u", serial);
 833
 834        ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
 835        if (ret < 0) {
 836                trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
 837                                    rxrpc_tx_point_rxkad_response);
 838                return -EAGAIN;
 839        }
 840
 841        conn->params.peer->last_tx_at = ktime_get_seconds();
 842        _leave(" = 0");
 843        return 0;
 844}
 845
 846/*
 847 * calculate the response checksum
 848 */
 849static void rxkad_calc_response_checksum(struct rxkad_response *response)
 850{
 851        u32 csum = 1000003;
 852        int loop;
 853        u8 *p = (u8 *) response;
 854
 855        for (loop = sizeof(*response); loop > 0; loop--)
 856                csum = csum * 0x10204081 + *p++;
 857
 858        response->encrypted.checksum = htonl(csum);
 859}
 860
 861/*
 862 * encrypt the response packet
 863 */
 864static int rxkad_encrypt_response(struct rxrpc_connection *conn,
 865                                  struct rxkad_response *resp,
 866                                  const struct rxkad_key *s2)
 867{
 868        struct skcipher_request *req;
 869        struct rxrpc_crypt iv;
 870        struct scatterlist sg[1];
 871
 872        req = skcipher_request_alloc(&conn->rxkad.cipher->base, GFP_NOFS);
 873        if (!req)
 874                return -ENOMEM;
 875
 876        /* continue encrypting from where we left off */
 877        memcpy(&iv, s2->session_key, sizeof(iv));
 878
 879        sg_init_table(sg, 1);
 880        sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
 881        skcipher_request_set_sync_tfm(req, conn->rxkad.cipher);
 882        skcipher_request_set_callback(req, 0, NULL, NULL);
 883        skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
 884        crypto_skcipher_encrypt(req);
 885        skcipher_request_free(req);
 886        return 0;
 887}
 888
 889/*
 890 * respond to a challenge packet
 891 */
 892static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
 893                                      struct sk_buff *skb,
 894                                      u32 *_abort_code)
 895{
 896        const struct rxrpc_key_token *token;
 897        struct rxkad_challenge challenge;
 898        struct rxkad_response *resp;
 899        struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 900        const char *eproto;
 901        u32 version, nonce, min_level, abort_code;
 902        int ret;
 903
 904        _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
 905
 906        eproto = tracepoint_string("chall_no_key");
 907        abort_code = RX_PROTOCOL_ERROR;
 908        if (!conn->params.key)
 909                goto protocol_error;
 910
 911        abort_code = RXKADEXPIRED;
 912        ret = key_validate(conn->params.key);
 913        if (ret < 0)
 914                goto other_error;
 915
 916        eproto = tracepoint_string("chall_short");
 917        abort_code = RXKADPACKETSHORT;
 918        if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
 919                          &challenge, sizeof(challenge)) < 0)
 920                goto protocol_error;
 921
 922        version = ntohl(challenge.version);
 923        nonce = ntohl(challenge.nonce);
 924        min_level = ntohl(challenge.min_level);
 925
 926        _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
 927               sp->hdr.serial, version, nonce, min_level);
 928
 929        eproto = tracepoint_string("chall_ver");
 930        abort_code = RXKADINCONSISTENCY;
 931        if (version != RXKAD_VERSION)
 932                goto protocol_error;
 933
 934        abort_code = RXKADLEVELFAIL;
 935        ret = -EACCES;
 936        if (conn->params.security_level < min_level)
 937                goto other_error;
 938
 939        token = conn->params.key->payload.data[0];
 940
 941        /* build the response packet */
 942        resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
 943        if (!resp)
 944                return -ENOMEM;
 945
 946        resp->version                   = htonl(RXKAD_VERSION);
 947        resp->encrypted.epoch           = htonl(conn->proto.epoch);
 948        resp->encrypted.cid             = htonl(conn->proto.cid);
 949        resp->encrypted.securityIndex   = htonl(conn->security_ix);
 950        resp->encrypted.inc_nonce       = htonl(nonce + 1);
 951        resp->encrypted.level           = htonl(conn->params.security_level);
 952        resp->kvno                      = htonl(token->kad->kvno);
 953        resp->ticket_len                = htonl(token->kad->ticket_len);
 954        resp->encrypted.call_id[0]      = htonl(conn->channels[0].call_counter);
 955        resp->encrypted.call_id[1]      = htonl(conn->channels[1].call_counter);
 956        resp->encrypted.call_id[2]      = htonl(conn->channels[2].call_counter);
 957        resp->encrypted.call_id[3]      = htonl(conn->channels[3].call_counter);
 958
 959        /* calculate the response checksum and then do the encryption */
 960        rxkad_calc_response_checksum(resp);
 961        ret = rxkad_encrypt_response(conn, resp, token->kad);
 962        if (ret == 0)
 963                ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad);
 964        kfree(resp);
 965        return ret;
 966
 967protocol_error:
 968        trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
 969        ret = -EPROTO;
 970other_error:
 971        *_abort_code = abort_code;
 972        return ret;
 973}
 974
 975/*
 976 * decrypt the kerberos IV ticket in the response
 977 */
 978static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
 979                                struct key *server_key,
 980                                struct sk_buff *skb,
 981                                void *ticket, size_t ticket_len,
 982                                struct rxrpc_crypt *_session_key,
 983                                time64_t *_expiry,
 984                                u32 *_abort_code)
 985{
 986        struct skcipher_request *req;
 987        struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 988        struct rxrpc_crypt iv, key;
 989        struct scatterlist sg[1];
 990        struct in_addr addr;
 991        unsigned int life;
 992        const char *eproto;
 993        time64_t issue, now;
 994        bool little_endian;
 995        int ret;
 996        u32 abort_code;
 997        u8 *p, *q, *name, *end;
 998
 999        _enter("{%d},{%x}", conn->debug_id, key_serial(server_key));
1000

1001        *_expiry = 0;
1002
1003        ASSERT(server_key->payload.data[0] != NULL);
1004        ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
1005
1006        memcpy(&iv, &server_key->payload.data[2], sizeof(iv));
1007
1008        ret = -ENOMEM;
1009        req = skcipher_request_alloc(server_key->payload.data[0], GFP_NOFS);
1010        if (!req)
1011                goto temporary_error;
1012
1013        sg_init_one(&sg[0], ticket, ticket_len);
1014        skcipher_request_set_callback(req, 0, NULL, NULL);
1015        skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
1016        crypto_skcipher_decrypt(req);
1017        skcipher_request_free(req);
1018
1019        p = ticket;
1020        end = p + ticket_len;
1021
1022#define Z(field)                                        \
1023        ({                                              \
1024                u8 *__str = p;                          \
1025                eproto = tracepoint_string("rxkad_bad_"#field); \
1026                q = memchr(p, 0, end - p);              \
1027                if (!q || q - p > (field##_SZ))         \
1028                        goto bad_ticket;                \
1029                for (; p < q; p++)                      \
1030                        if (!isprint(*p))               \
1031                                goto bad_ticket;        \
1032                p++;                                    \
1033                __str;                                  \
1034        })
1035
1036        /* extract the ticket flags */
1037        _debug("KIV FLAGS: %x", *p);
1038        little_endian = *p & 1;
1039        p++;
1040
1041        /* extract the authentication name */
1042        name = Z(ANAME);
1043        _debug("KIV ANAME: %s", name);
1044
1045        /* extract the principal's instance */
1046        name = Z(INST);
1047        _debug("KIV INST : %s", name);
1048
1049        /* extract the principal's authentication domain */
1050        name = Z(REALM);
1051        _debug("KIV REALM: %s", name);
1052
1053        eproto = tracepoint_string("rxkad_bad_len");
1054        if (end - p < 4 + 8 + 4 + 2)
1055                goto bad_ticket;
1056
1057        /* get the IPv4 address of the entity that requested the ticket */
1058        memcpy(&addr, p, sizeof(addr));
1059        p += 4;
1060        _debug("KIV ADDR : %pI4", &addr);
1061
1062        /* get the session key from the ticket */
1063        memcpy(&key, p, sizeof(key));
1064        p += 8;
1065        _debug("KIV KEY  : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
1066        memcpy(_session_key, &key, sizeof(key));
1067
1068        /* get the ticket's lifetime */
1069        life = *p++ * 5 * 60;
1070        _debug("KIV LIFE : %u", life);
1071
1072        /* get the issue time of the ticket */
1073        if (little_endian) {
1074                __le32 stamp;
1075                memcpy(&stamp, p, 4);
1076                issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
1077        } else {
1078                __be32 stamp;
1079                memcpy(&stamp, p, 4);
1080                issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
1081        }
1082        p += 4;
1083        now = ktime_get_real_seconds();
1084        _debug("KIV ISSUE: %llx [%llx]", issue, now);
1085
1086        /* check the ticket is in date */
1087        if (issue > now) {
1088                abort_code = RXKADNOAUTH;
1089                ret = -EKEYREJECTED;
1090                goto other_error;
1091        }
1092
1093        if (issue < now - life) {
1094                abort_code = RXKADEXPIRED;
1095                ret = -EKEYEXPIRED;
1096                goto other_error;
1097        }
1098
1099        *_expiry = issue + life;
1100
1101        /* get the service name */
1102        name = Z(SNAME);
1103        _debug("KIV SNAME: %s", name);
1104
1105        /* get the service instance name */
1106        name = Z(INST);
1107        _debug("KIV SINST: %s", name);
1108        return 0;
1109
1110bad_ticket:
1111        trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1112        abort_code = RXKADBADTICKET;
1113        ret = -EPROTO;
1114other_error:
1115        *_abort_code = abort_code;
1116        return ret;
1117temporary_error:
1118        return ret;
1119}
1120
1121/*
1122 * decrypt the response packet
1123 */
1124static void rxkad_decrypt_response(struct rxrpc_connection *conn,
1125                                   struct rxkad_response *resp,
1126                                   const struct rxrpc_crypt *session_key)
1127{
1128        struct skcipher_request *req = rxkad_ci_req;
1129        struct scatterlist sg[1];
1130        struct rxrpc_crypt iv;
1131
1132        _enter(",,%08x%08x",
1133               ntohl(session_key->n[0]), ntohl(session_key->n[1]));
1134
1135        mutex_lock(&rxkad_ci_mutex);
1136        if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
1137                                        sizeof(*session_key)) < 0)
1138                BUG();
1139
1140        memcpy(&iv, session_key, sizeof(iv));
1141
1142        sg_init_table(sg, 1);
1143        sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1144        skcipher_request_set_sync_tfm(req, rxkad_ci);
1145        skcipher_request_set_callback(req, 0, NULL, NULL);
1146        skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1147        crypto_skcipher_decrypt(req);
1148        skcipher_request_zero(req);
1149
1150        mutex_unlock(&rxkad_ci_mutex);
1151
1152        _leave("");
1153}
1154
1155/*
1156 * verify a response
1157 */
1158static int rxkad_verify_response(struct rxrpc_connection *conn,
1159                                 struct sk_buff *skb,
1160                                 u32 *_abort_code)
1161{
1162        struct rxkad_response *response;
1163        struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1164        struct rxrpc_crypt session_key;
1165        struct key *server_key;
1166        const char *eproto;
1167        time64_t expiry;
1168        void *ticket;
1169        u32 abort_code, version, kvno, ticket_len, level;
1170        __be32 csum;
1171        int ret, i;
1172
1173        _enter("{%d}", conn->debug_id);
1174
1175        server_key = rxrpc_look_up_server_security(conn, skb, 0, 0);
1176        if (IS_ERR(server_key)) {
1177                switch (PTR_ERR(server_key)) {
1178                case -ENOKEY:
1179                        abort_code = RXKADUNKNOWNKEY;
1180                        break;
1181                case -EKEYEXPIRED:
1182                        abort_code = RXKADEXPIRED;
1183                        break;
1184                default:
1185                        abort_code = RXKADNOAUTH;
1186                        break;
1187                }
1188                trace_rxrpc_abort(0, "SVK",
1189                                  sp->hdr.cid, sp->hdr.callNumber, sp->hdr.seq,
1190                                  abort_code, PTR_ERR(server_key));
1191                *_abort_code = abort_code;
1192                return -EPROTO;
1193        }
1194
1195        ret = -ENOMEM;
1196        response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1197        if (!response)
1198                goto temporary_error;
1199
1200        eproto = tracepoint_string("rxkad_rsp_short");
1201        abort_code = RXKADPACKETSHORT;
1202        if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1203                          response, sizeof(*response)) < 0)
1204                goto protocol_error;
1205
1206        version = ntohl(response->version);
1207        ticket_len = ntohl(response->ticket_len);
1208        kvno = ntohl(response->kvno);
1209        _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1210               sp->hdr.serial, version, kvno, ticket_len);
1211
1212        eproto = tracepoint_string("rxkad_rsp_ver");
1213        abort_code = RXKADINCONSISTENCY;
1214        if (version != RXKAD_VERSION)
1215                goto protocol_error;
1216
1217        eproto = tracepoint_string("rxkad_rsp_tktlen");
1218        abort_code = RXKADTICKETLEN;
1219        if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1220                goto protocol_error;
1221
1222        eproto = tracepoint_string("rxkad_rsp_unkkey");
1223        abort_code = RXKADUNKNOWNKEY;
1224        if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1225                goto protocol_error;
1226
1227        /* extract the kerberos ticket and decrypt and decode it */
1228        ret = -ENOMEM;
1229        ticket = kmalloc(ticket_len, GFP_NOFS);
1230        if (!ticket)
1231                goto temporary_error_free_resp;
1232
1233        eproto = tracepoint_string("rxkad_tkt_short");
1234        abort_code = RXKADPACKETSHORT;
1235        if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response),
1236                          ticket, ticket_len) < 0)
1237                goto protocol_error_free;
1238
1239        ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len,
1240                                   &session_key, &expiry, _abort_code);
1241        if (ret < 0)
1242                goto temporary_error_free_ticket;
1243
1244        /* use the session key from inside the ticket to decrypt the
1245         * response */
1246        rxkad_decrypt_response(conn, response, &session_key);
1247
1248        eproto = tracepoint_string("rxkad_rsp_param");
1249        abort_code = RXKADSEALEDINCON;
1250        if (ntohl(response->encrypted.epoch) != conn->proto.epoch)
1251                goto protocol_error_free;
1252        if (ntohl(response->encrypted.cid) != conn->proto.cid)
1253                goto protocol_error_free;
1254        if (ntohl(response->encrypted.securityIndex) != conn->security_ix)
1255                goto protocol_error_free;
1256        csum = response->encrypted.checksum;
1257        response->encrypted.checksum = 0;
1258        rxkad_calc_response_checksum(response);
1259        eproto = tracepoint_string("rxkad_rsp_csum");
1260        if (response->encrypted.checksum != csum)
1261                goto protocol_error_free;
1262
1263        spin_lock(&conn->bundle->channel_lock);
1264        for (i = 0; i < RXRPC_MAXCALLS; i++) {
1265                struct rxrpc_call *call;
1266                u32 call_id = ntohl(response->encrypted.call_id[i]);
1267
1268                eproto = tracepoint_string("rxkad_rsp_callid");
1269                if (call_id > INT_MAX)
1270                        goto protocol_error_unlock;
1271
1272                eproto = tracepoint_string("rxkad_rsp_callctr");
1273                if (call_id < conn->channels[i].call_counter)
1274                        goto protocol_error_unlock;
1275
1276                eproto = tracepoint_string("rxkad_rsp_callst");
1277                if (call_id > conn->channels[i].call_counter) {
1278                        call = rcu_dereference_protected(
1279                                conn->channels[i].call,
1280                                lockdep_is_held(&conn->bundle->channel_lock));
1281                        if (call && call->state < RXRPC_CALL_COMPLETE)
1282                                goto protocol_error_unlock;
1283                        conn->channels[i].call_counter = call_id;
1284                }
1285        }
1286        spin_unlock(&conn->bundle->channel_lock);
1287
1288        eproto = tracepoint_string("rxkad_rsp_seq");
1289        abort_code = RXKADOUTOFSEQUENCE;
1290        if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1)
1291                goto protocol_error_free;
1292
1293        eproto = tracepoint_string("rxkad_rsp_level");
1294        abort_code = RXKADLEVELFAIL;
1295        level = ntohl(response->encrypted.level);
1296        if (level > RXRPC_SECURITY_ENCRYPT)
1297                goto protocol_error_free;
1298        conn->params.security_level = level;
1299
1300        /* create a key to hold the security data and expiration time - after
1301         * this the connection security can be handled in exactly the same way
1302         * as for a client connection */
1303        ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1304        if (ret < 0)
1305                goto temporary_error_free_ticket;
1306
1307        kfree(ticket);
1308        kfree(response);
1309        _leave(" = 0");
1310        return 0;
1311
1312protocol_error_unlock:
1313        spin_unlock(&conn->bundle->channel_lock);
1314protocol_error_free:
1315        kfree(ticket);
1316protocol_error:
1317        kfree(response);
1318        trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1319        key_put(server_key);
1320        *_abort_code = abort_code;
1321        return -EPROTO;
1322
1323temporary_error_free_ticket:
1324        kfree(ticket);
1325temporary_error_free_resp:
1326        kfree(response);
1327temporary_error:
1328        /* Ignore the response packet if we got a temporary error such as
1329         * ENOMEM.  We just want to send the challenge again.  Note that we
1330         * also come out this way if the ticket decryption fails.
1331         */
1332        key_put(server_key);
1333        return ret;
1334}
1335
1336/*
1337 * clear the connection security
1338 */
1339static void rxkad_clear(struct rxrpc_connection *conn)
1340{
1341        _enter("");
1342
1343        if (conn->rxkad.cipher)
1344                crypto_free_sync_skcipher(conn->rxkad.cipher);
1345}
1346
1347/*
1348 * Initialise the rxkad security service.
1349 */
1350static int rxkad_init(void)
1351{
1352        struct crypto_sync_skcipher *tfm;
1353        struct skcipher_request *req;
1354
1355        /* pin the cipher we need so that the crypto layer doesn't invoke
1356         * keventd to go get it */
1357        tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
1358        if (IS_ERR(tfm))
1359                return PTR_ERR(tfm);
1360
1361        req = skcipher_request_alloc(&tfm->base, GFP_KERNEL);
1362        if (!req)
1363                goto nomem_tfm;
1364
1365        rxkad_ci_req = req;
1366        rxkad_ci = tfm;
1367        return 0;
1368
1369nomem_tfm:
1370        crypto_free_sync_skcipher(tfm);
1371        return -ENOMEM;
1372}
1373
1374/*
1375 * Clean up the rxkad security service.
1376 */
1377static void rxkad_exit(void)
1378{
1379        crypto_free_sync_skcipher(rxkad_ci);
1380        skcipher_request_free(rxkad_ci_req);
1381}
1382
1383/*
1384 * RxRPC Kerberos-based security
1385 */
1386const struct rxrpc_security rxkad = {
1387        .name                           = "rxkad",
1388        .security_index                 = RXRPC_SECURITY_RXKAD,
1389        .no_key_abort                   = RXKADUNKNOWNKEY,
1390        .init                           = rxkad_init,
1391        .exit                           = rxkad_exit,
1392        .preparse_server_key            = rxkad_preparse_server_key,
1393        .free_preparse_server_key       = rxkad_free_preparse_server_key,
1394        .destroy_server_key             = rxkad_destroy_server_key,
1395        .init_connection_security       = rxkad_init_connection_security,
1396        .how_much_data                  = rxkad_how_much_data,
1397        .secure_packet                  = rxkad_secure_packet,
1398        .verify_packet                  = rxkad_verify_packet,
1399        .free_call_crypto               = rxkad_free_call_crypto,
1400        .locate_data                    = rxkad_locate_data,
1401        .issue_challenge                = rxkad_issue_challenge,
1402        .respond_to_challenge           = rxkad_respond_to_challenge,
1403        .verify_response                = rxkad_verify_response,
1404        .clear                          = rxkad_clear,
1405};
1406