rxkad.c (35700B)
1// SPDX-License-Identifier: GPL-2.0-or-later 2/* Kerberos-based RxRPC security 3 * 4 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 9 10#include <crypto/skcipher.h> 11#include <linux/module.h> 12#include <linux/net.h> 13#include <linux/skbuff.h> 14#include <linux/udp.h> 15#include <linux/scatterlist.h> 16#include <linux/ctype.h> 17#include <linux/slab.h> 18#include <linux/key-type.h> 19#include <net/sock.h> 20#include <net/af_rxrpc.h> 21#include <keys/rxrpc-type.h> 22#include "ar-internal.h" 23 24#define RXKAD_VERSION 2 25#define MAXKRB5TICKETLEN 1024 26#define RXKAD_TKT_TYPE_KERBEROS_V5 256 27#define ANAME_SZ 40 /* size of authentication name */ 28#define INST_SZ 40 /* size of principal's instance */ 29#define REALM_SZ 40 /* size of principal's auth domain */ 30#define SNAME_SZ 40 /* size of service name */ 31#define RXKAD_ALIGN 8 32 33struct rxkad_level1_hdr { 34 __be32 data_size; /* true data size (excluding padding) */ 35}; 36 37struct rxkad_level2_hdr { 38 __be32 data_size; /* true data size (excluding padding) */ 39 __be32 checksum; /* decrypted data checksum */ 40}; 41 42static int rxkad_prime_packet_security(struct rxrpc_connection *conn, 43 struct crypto_sync_skcipher *ci); 44 45/* 46 * this holds a pinned cipher so that keventd doesn't get called by the cipher 47 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE 48 * packets 49 */ 50static struct crypto_sync_skcipher *rxkad_ci; 51static struct skcipher_request *rxkad_ci_req; 52static DEFINE_MUTEX(rxkad_ci_mutex); 53 54/* 55 * Parse the information from a server key 56 * 57 * The data should be the 8-byte secret key. 58 */ 59static int rxkad_preparse_server_key(struct key_preparsed_payload *prep) 60{ 61 struct crypto_skcipher *ci; 62 63 if (prep->datalen != 8) 64 return -EINVAL; 65 66 memcpy(&prep->payload.data[2], prep->data, 8); 67 68 ci = crypto_alloc_skcipher("pcbc(des)", 0, CRYPTO_ALG_ASYNC); 69 if (IS_ERR(ci)) { 70 _leave(" = %ld", PTR_ERR(ci)); 71 return PTR_ERR(ci); 72 } 73 74 if (crypto_skcipher_setkey(ci, prep->data, 8) < 0) 75 BUG(); 76 77 prep->payload.data[0] = ci; 78 _leave(" = 0"); 79 return 0; 80} 81 82static void rxkad_free_preparse_server_key(struct key_preparsed_payload *prep) 83{ 84 85 if (prep->payload.data[0]) 86 crypto_free_skcipher(prep->payload.data[0]); 87} 88 89static void rxkad_destroy_server_key(struct key *key) 90{ 91 if (key->payload.data[0]) { 92 crypto_free_skcipher(key->payload.data[0]); 93 key->payload.data[0] = NULL; 94 } 95} 96 97/* 98 * initialise connection security 99 */ 100static int rxkad_init_connection_security(struct rxrpc_connection *conn, 101 struct rxrpc_key_token *token) 102{ 103 struct crypto_sync_skcipher *ci; 104 int ret; 105 106 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key)); 107 108 conn->security_ix = token->security_index; 109 110 ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0); 111 if (IS_ERR(ci)) { 112 _debug("no cipher"); 113 ret = PTR_ERR(ci); 114 goto error; 115 } 116 117 if (crypto_sync_skcipher_setkey(ci, token->kad->session_key, 118 sizeof(token->kad->session_key)) < 0) 119 BUG(); 120 121 switch (conn->params.security_level) { 122 case RXRPC_SECURITY_PLAIN: 123 case RXRPC_SECURITY_AUTH: 124 case RXRPC_SECURITY_ENCRYPT: 125 break; 126 default: 127 ret = -EKEYREJECTED; 128 goto error; 129 } 130 131 ret = rxkad_prime_packet_security(conn, ci); 132 if (ret < 0) 133 goto error_ci; 134 135 conn->rxkad.cipher = ci; 136 return 0; 137 138error_ci: 139 crypto_free_sync_skcipher(ci); 140error: 141 _leave(" = %d", ret); 142 return ret; 143} 144 145/* 146 * Work out how much data we can put in a packet. 147 */ 148static int rxkad_how_much_data(struct rxrpc_call *call, size_t remain, 149 size_t *_buf_size, size_t *_data_size, size_t *_offset) 150{ 151 size_t shdr, buf_size, chunk; 152 153 switch (call->conn->params.security_level) { 154 default: 155 buf_size = chunk = min_t(size_t, remain, RXRPC_JUMBO_DATALEN); 156 shdr = 0; 157 goto out; 158 case RXRPC_SECURITY_AUTH: 159 shdr = sizeof(struct rxkad_level1_hdr); 160 break; 161 case RXRPC_SECURITY_ENCRYPT: 162 shdr = sizeof(struct rxkad_level2_hdr); 163 break; 164 } 165 166 buf_size = round_down(RXRPC_JUMBO_DATALEN, RXKAD_ALIGN); 167 168 chunk = buf_size - shdr; 169 if (remain < chunk) 170 buf_size = round_up(shdr + remain, RXKAD_ALIGN); 171 172out: 173 *_buf_size = buf_size; 174 *_data_size = chunk; 175 *_offset = shdr; 176 return 0; 177} 178 179/* 180 * prime the encryption state with the invariant parts of a connection's 181 * description 182 */ 183static int rxkad_prime_packet_security(struct rxrpc_connection *conn, 184 struct crypto_sync_skcipher *ci) 185{ 186 struct skcipher_request *req; 187 struct rxrpc_key_token *token; 188 struct scatterlist sg; 189 struct rxrpc_crypt iv; 190 __be32 *tmpbuf; 191 size_t tmpsize = 4 * sizeof(__be32); 192 193 _enter(""); 194 195 if (!conn->params.key) 196 return 0; 197 198 tmpbuf = kmalloc(tmpsize, GFP_KERNEL); 199 if (!tmpbuf) 200 return -ENOMEM; 201 202 req = skcipher_request_alloc(&ci->base, GFP_NOFS); 203 if (!req) { 204 kfree(tmpbuf); 205 return -ENOMEM; 206 } 207 208 token = conn->params.key->payload.data[0]; 209 memcpy(&iv, token->kad->session_key, sizeof(iv)); 210 211 tmpbuf[0] = htonl(conn->proto.epoch); 212 tmpbuf[1] = htonl(conn->proto.cid); 213 tmpbuf[2] = 0; 214 tmpbuf[3] = htonl(conn->security_ix); 215 216 sg_init_one(&sg, tmpbuf, tmpsize); 217 skcipher_request_set_sync_tfm(req, ci); 218 skcipher_request_set_callback(req, 0, NULL, NULL); 219 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x); 220 crypto_skcipher_encrypt(req); 221 skcipher_request_free(req); 222 223 memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv)); 224 kfree(tmpbuf); 225 _leave(" = 0"); 226 return 0; 227} 228 229/* 230 * Allocate and prepare the crypto request on a call. For any particular call, 231 * this is called serially for the packets, so no lock should be necessary. 232 */ 233static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call) 234{ 235 struct crypto_skcipher *tfm = &call->conn->rxkad.cipher->base; 236 struct skcipher_request *cipher_req = call->cipher_req; 237 238 if (!cipher_req) { 239 cipher_req = skcipher_request_alloc(tfm, GFP_NOFS); 240 if (!cipher_req) 241 return NULL; 242 call->cipher_req = cipher_req; 243 } 244 245 return cipher_req; 246} 247 248/* 249 * Clean up the crypto on a call. 250 */ 251static void rxkad_free_call_crypto(struct rxrpc_call *call) 252{ 253 if (call->cipher_req) 254 skcipher_request_free(call->cipher_req); 255 call->cipher_req = NULL; 256} 257 258/* 259 * partially encrypt a packet (level 1 security) 260 */ 261static int rxkad_secure_packet_auth(const struct rxrpc_call *call, 262 struct sk_buff *skb, u32 data_size, 263 struct skcipher_request *req) 264{ 265 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 266 struct rxkad_level1_hdr hdr; 267 struct rxrpc_crypt iv; 268 struct scatterlist sg; 269 size_t pad; 270 u16 check; 271 272 _enter(""); 273 274 check = sp->hdr.seq ^ call->call_id; 275 data_size |= (u32)check << 16; 276 277 hdr.data_size = htonl(data_size); 278 memcpy(skb->head, &hdr, sizeof(hdr)); 279 280 pad = sizeof(struct rxkad_level1_hdr) + data_size; 281 pad = RXKAD_ALIGN - pad; 282 pad &= RXKAD_ALIGN - 1; 283 if (pad) 284 skb_put_zero(skb, pad); 285 286 /* start the encryption afresh */ 287 memset(&iv, 0, sizeof(iv)); 288 289 sg_init_one(&sg, skb->head, 8); 290 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 291 skcipher_request_set_callback(req, 0, NULL, NULL); 292 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 293 crypto_skcipher_encrypt(req); 294 skcipher_request_zero(req); 295 296 _leave(" = 0"); 297 return 0; 298} 299 300/* 301 * wholly encrypt a packet (level 2 security) 302 */ 303static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, 304 struct sk_buff *skb, 305 u32 data_size, 306 struct skcipher_request *req) 307{ 308 const struct rxrpc_key_token *token; 309 struct rxkad_level2_hdr rxkhdr; 310 struct rxrpc_skb_priv *sp; 311 struct rxrpc_crypt iv; 312 struct scatterlist sg[16]; 313 unsigned int len; 314 size_t pad; 315 u16 check; 316 int err; 317 318 sp = rxrpc_skb(skb); 319 320 _enter(""); 321 322 check = sp->hdr.seq ^ call->call_id; 323 324 rxkhdr.data_size = htonl(data_size | (u32)check << 16); 325 rxkhdr.checksum = 0; 326 memcpy(skb->head, &rxkhdr, sizeof(rxkhdr)); 327 328 pad = sizeof(struct rxkad_level2_hdr) + data_size; 329 pad = RXKAD_ALIGN - pad; 330 pad &= RXKAD_ALIGN - 1; 331 if (pad) 332 skb_put_zero(skb, pad); 333 334 /* encrypt from the session key */ 335 token = call->conn->params.key->payload.data[0]; 336 memcpy(&iv, token->kad->session_key, sizeof(iv)); 337 338 sg_init_one(&sg[0], skb->head, sizeof(rxkhdr)); 339 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 340 skcipher_request_set_callback(req, 0, NULL, NULL); 341 skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x); 342 crypto_skcipher_encrypt(req); 343 344 /* we want to encrypt the skbuff in-place */ 345 err = -EMSGSIZE; 346 if (skb_shinfo(skb)->nr_frags > 16) 347 goto out; 348 349 len = round_up(data_size, RXKAD_ALIGN); 350 351 sg_init_table(sg, ARRAY_SIZE(sg)); 352 err = skb_to_sgvec(skb, sg, 8, len); 353 if (unlikely(err < 0)) 354 goto out; 355 skcipher_request_set_crypt(req, sg, sg, len, iv.x); 356 crypto_skcipher_encrypt(req); 357 358 _leave(" = 0"); 359 err = 0; 360 361out: 362 skcipher_request_zero(req); 363 return err; 364} 365 366/* 367 * checksum an RxRPC packet header 368 */ 369static int rxkad_secure_packet(struct rxrpc_call *call, 370 struct sk_buff *skb, 371 size_t data_size) 372{ 373 struct rxrpc_skb_priv *sp; 374 struct skcipher_request *req; 375 struct rxrpc_crypt iv; 376 struct scatterlist sg; 377 u32 x, y; 378 int ret; 379 380 sp = rxrpc_skb(skb); 381 382 _enter("{%d{%x}},{#%u},%zu,", 383 call->debug_id, key_serial(call->conn->params.key), 384 sp->hdr.seq, data_size); 385 386 if (!call->conn->rxkad.cipher) 387 return 0; 388 389 ret = key_validate(call->conn->params.key); 390 if (ret < 0) 391 return ret; 392 393 req = rxkad_get_call_crypto(call); 394 if (!req) 395 return -ENOMEM; 396 397 /* continue encrypting from where we left off */ 398 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv)); 399 400 /* calculate the security checksum */ 401 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 402 x |= sp->hdr.seq & 0x3fffffff; 403 call->crypto_buf[0] = htonl(call->call_id); 404 call->crypto_buf[1] = htonl(x); 405 406 sg_init_one(&sg, call->crypto_buf, 8); 407 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 408 skcipher_request_set_callback(req, 0, NULL, NULL); 409 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 410 crypto_skcipher_encrypt(req); 411 skcipher_request_zero(req); 412 413 y = ntohl(call->crypto_buf[1]); 414 y = (y >> 16) & 0xffff; 415 if (y == 0) 416 y = 1; /* zero checksums are not permitted */ 417 sp->hdr.cksum = y; 418 419 switch (call->conn->params.security_level) { 420 case RXRPC_SECURITY_PLAIN: 421 ret = 0; 422 break; 423 case RXRPC_SECURITY_AUTH: 424 ret = rxkad_secure_packet_auth(call, skb, data_size, req); 425 break; 426 case RXRPC_SECURITY_ENCRYPT: 427 ret = rxkad_secure_packet_encrypt(call, skb, data_size, req); 428 break; 429 default: 430 ret = -EPERM; 431 break; 432 } 433 434 _leave(" = %d [set %hx]", ret, y); 435 return ret; 436} 437 438/* 439 * decrypt partial encryption on a packet (level 1 security) 440 */ 441static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb, 442 unsigned int offset, unsigned int len, 443 rxrpc_seq_t seq, 444 struct skcipher_request *req) 445{ 446 struct rxkad_level1_hdr sechdr; 447 struct rxrpc_crypt iv; 448 struct scatterlist sg[16]; 449 bool aborted; 450 u32 data_size, buf; 451 u16 check; 452 int ret; 453 454 _enter(""); 455 456 if (len < 8) { 457 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_hdr", "V1H", 458 RXKADSEALEDINCON); 459 goto protocol_error; 460 } 461 462 /* Decrypt the skbuff in-place. TODO: We really want to decrypt 463 * directly into the target buffer. 464 */ 465 sg_init_table(sg, ARRAY_SIZE(sg)); 466 ret = skb_to_sgvec(skb, sg, offset, 8); 467 if (unlikely(ret < 0)) 468 return ret; 469 470 /* start the decryption afresh */ 471 memset(&iv, 0, sizeof(iv)); 472 473 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 474 skcipher_request_set_callback(req, 0, NULL, NULL); 475 skcipher_request_set_crypt(req, sg, sg, 8, iv.x); 476 crypto_skcipher_decrypt(req); 477 skcipher_request_zero(req); 478 479 /* Extract the decrypted packet length */ 480 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) { 481 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_len", "XV1", 482 RXKADDATALEN); 483 goto protocol_error; 484 } 485 len -= sizeof(sechdr); 486 487 buf = ntohl(sechdr.data_size); 488 data_size = buf & 0xffff; 489 490 check = buf >> 16; 491 check ^= seq ^ call->call_id; 492 check &= 0xffff; 493 if (check != 0) { 494 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_check", "V1C", 495 RXKADSEALEDINCON); 496 goto protocol_error; 497 } 498 499 if (data_size > len) { 500 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_datalen", "V1L", 501 RXKADDATALEN); 502 goto protocol_error; 503 } 504 505 _leave(" = 0 [dlen=%x]", data_size); 506 return 0; 507 508protocol_error: 509 if (aborted) 510 rxrpc_send_abort_packet(call); 511 return -EPROTO; 512} 513 514/* 515 * wholly decrypt a packet (level 2 security) 516 */ 517static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb, 518 unsigned int offset, unsigned int len, 519 rxrpc_seq_t seq, 520 struct skcipher_request *req) 521{ 522 const struct rxrpc_key_token *token; 523 struct rxkad_level2_hdr sechdr; 524 struct rxrpc_crypt iv; 525 struct scatterlist _sg[4], *sg; 526 bool aborted; 527 u32 data_size, buf; 528 u16 check; 529 int nsg, ret; 530 531 _enter(",{%d}", skb->len); 532 533 if (len < 8) { 534 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_hdr", "V2H", 535 RXKADSEALEDINCON); 536 goto protocol_error; 537 } 538 539 /* Decrypt the skbuff in-place. TODO: We really want to decrypt 540 * directly into the target buffer. 541 */ 542 sg = _sg; 543 nsg = skb_shinfo(skb)->nr_frags; 544 if (nsg <= 4) { 545 nsg = 4; 546 } else { 547 sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO); 548 if (!sg) 549 goto nomem; 550 } 551 552 sg_init_table(sg, nsg); 553 ret = skb_to_sgvec(skb, sg, offset, len); 554 if (unlikely(ret < 0)) { 555 if (sg != _sg) 556 kfree(sg); 557 return ret; 558 } 559 560 /* decrypt from the session key */ 561 token = call->conn->params.key->payload.data[0]; 562 memcpy(&iv, token->kad->session_key, sizeof(iv)); 563 564 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 565 skcipher_request_set_callback(req, 0, NULL, NULL); 566 skcipher_request_set_crypt(req, sg, sg, len, iv.x); 567 crypto_skcipher_decrypt(req); 568 skcipher_request_zero(req); 569 if (sg != _sg) 570 kfree(sg); 571 572 /* Extract the decrypted packet length */ 573 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) { 574 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_len", "XV2", 575 RXKADDATALEN); 576 goto protocol_error; 577 } 578 len -= sizeof(sechdr); 579 580 buf = ntohl(sechdr.data_size); 581 data_size = buf & 0xffff; 582 583 check = buf >> 16; 584 check ^= seq ^ call->call_id; 585 check &= 0xffff; 586 if (check != 0) { 587 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_check", "V2C", 588 RXKADSEALEDINCON); 589 goto protocol_error; 590 } 591 592 if (data_size > len) { 593 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_datalen", "V2L", 594 RXKADDATALEN); 595 goto protocol_error; 596 } 597 598 _leave(" = 0 [dlen=%x]", data_size); 599 return 0; 600 601protocol_error: 602 if (aborted) 603 rxrpc_send_abort_packet(call); 604 return -EPROTO; 605 606nomem: 607 _leave(" = -ENOMEM"); 608 return -ENOMEM; 609} 610 611/* 612 * Verify the security on a received packet or subpacket (if part of a 613 * jumbo packet). 614 */ 615static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb, 616 unsigned int offset, unsigned int len, 617 rxrpc_seq_t seq, u16 expected_cksum) 618{ 619 struct skcipher_request *req; 620 struct rxrpc_crypt iv; 621 struct scatterlist sg; 622 bool aborted; 623 u16 cksum; 624 u32 x, y; 625 626 _enter("{%d{%x}},{#%u}", 627 call->debug_id, key_serial(call->conn->params.key), seq); 628 629 if (!call->conn->rxkad.cipher) 630 return 0; 631 632 req = rxkad_get_call_crypto(call); 633 if (!req) 634 return -ENOMEM; 635 636 /* continue encrypting from where we left off */ 637 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv)); 638 639 /* validate the security checksum */ 640 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 641 x |= seq & 0x3fffffff; 642 call->crypto_buf[0] = htonl(call->call_id); 643 call->crypto_buf[1] = htonl(x); 644 645 sg_init_one(&sg, call->crypto_buf, 8); 646 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 647 skcipher_request_set_callback(req, 0, NULL, NULL); 648 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 649 crypto_skcipher_encrypt(req); 650 skcipher_request_zero(req); 651 652 y = ntohl(call->crypto_buf[1]); 653 cksum = (y >> 16) & 0xffff; 654 if (cksum == 0) 655 cksum = 1; /* zero checksums are not permitted */ 656 657 if (cksum != expected_cksum) { 658 aborted = rxrpc_abort_eproto(call, skb, "rxkad_csum", "VCK", 659 RXKADSEALEDINCON); 660 goto protocol_error; 661 } 662 663 switch (call->conn->params.security_level) { 664 case RXRPC_SECURITY_PLAIN: 665 return 0; 666 case RXRPC_SECURITY_AUTH: 667 return rxkad_verify_packet_1(call, skb, offset, len, seq, req); 668 case RXRPC_SECURITY_ENCRYPT: 669 return rxkad_verify_packet_2(call, skb, offset, len, seq, req); 670 default: 671 return -ENOANO; 672 } 673 674protocol_error: 675 if (aborted) 676 rxrpc_send_abort_packet(call); 677 return -EPROTO; 678} 679 680/* 681 * Locate the data contained in a packet that was partially encrypted. 682 */ 683static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb, 684 unsigned int *_offset, unsigned int *_len) 685{ 686 struct rxkad_level1_hdr sechdr; 687 688 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0) 689 BUG(); 690 *_offset += sizeof(sechdr); 691 *_len = ntohl(sechdr.data_size) & 0xffff; 692} 693 694/* 695 * Locate the data contained in a packet that was completely encrypted. 696 */ 697static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb, 698 unsigned int *_offset, unsigned int *_len) 699{ 700 struct rxkad_level2_hdr sechdr; 701 702 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0) 703 BUG(); 704 *_offset += sizeof(sechdr); 705 *_len = ntohl(sechdr.data_size) & 0xffff; 706} 707 708/* 709 * Locate the data contained in an already decrypted packet. 710 */ 711static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb, 712 unsigned int *_offset, unsigned int *_len) 713{ 714 switch (call->conn->params.security_level) { 715 case RXRPC_SECURITY_AUTH: 716 rxkad_locate_data_1(call, skb, _offset, _len); 717 return; 718 case RXRPC_SECURITY_ENCRYPT: 719 rxkad_locate_data_2(call, skb, _offset, _len); 720 return; 721 default: 722 return; 723 } 724} 725 726/* 727 * issue a challenge 728 */ 729static int rxkad_issue_challenge(struct rxrpc_connection *conn) 730{ 731 struct rxkad_challenge challenge; 732 struct rxrpc_wire_header whdr; 733 struct msghdr msg; 734 struct kvec iov[2]; 735 size_t len; 736 u32 serial; 737 int ret; 738 739 _enter("{%d}", conn->debug_id); 740 741 get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce)); 742 743 challenge.version = htonl(2); 744 challenge.nonce = htonl(conn->rxkad.nonce); 745 challenge.min_level = htonl(0); 746 challenge.__padding = 0; 747 748 msg.msg_name = &conn->params.peer->srx.transport; 749 msg.msg_namelen = conn->params.peer->srx.transport_len; 750 msg.msg_control = NULL; 751 msg.msg_controllen = 0; 752 msg.msg_flags = 0; 753 754 whdr.epoch = htonl(conn->proto.epoch); 755 whdr.cid = htonl(conn->proto.cid); 756 whdr.callNumber = 0; 757 whdr.seq = 0; 758 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE; 759 whdr.flags = conn->out_clientflag; 760 whdr.userStatus = 0; 761 whdr.securityIndex = conn->security_ix; 762 whdr._rsvd = 0; 763 whdr.serviceId = htons(conn->service_id); 764 765 iov[0].iov_base = &whdr; 766 iov[0].iov_len = sizeof(whdr); 767 iov[1].iov_base = &challenge; 768 iov[1].iov_len = sizeof(challenge); 769 770 len = iov[0].iov_len + iov[1].iov_len; 771 772 serial = atomic_inc_return(&conn->serial); 773 whdr.serial = htonl(serial); 774 _proto("Tx CHALLENGE %%%u", serial); 775 776 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len); 777 if (ret < 0) { 778 trace_rxrpc_tx_fail(conn->debug_id, serial, ret, 779 rxrpc_tx_point_rxkad_challenge); 780 return -EAGAIN; 781 } 782 783 conn->params.peer->last_tx_at = ktime_get_seconds(); 784 trace_rxrpc_tx_packet(conn->debug_id, &whdr, 785 rxrpc_tx_point_rxkad_challenge); 786 _leave(" = 0"); 787 return 0; 788} 789 790/* 791 * send a Kerberos security response 792 */ 793static int rxkad_send_response(struct rxrpc_connection *conn, 794 struct rxrpc_host_header *hdr, 795 struct rxkad_response *resp, 796 const struct rxkad_key *s2) 797{ 798 struct rxrpc_wire_header whdr; 799 struct msghdr msg; 800 struct kvec iov[3]; 801 size_t len; 802 u32 serial; 803 int ret; 804 805 _enter(""); 806 807 msg.msg_name = &conn->params.peer->srx.transport; 808 msg.msg_namelen = conn->params.peer->srx.transport_len; 809 msg.msg_control = NULL; 810 msg.msg_controllen = 0; 811 msg.msg_flags = 0; 812 813 memset(&whdr, 0, sizeof(whdr)); 814 whdr.epoch = htonl(hdr->epoch); 815 whdr.cid = htonl(hdr->cid); 816 whdr.type = RXRPC_PACKET_TYPE_RESPONSE; 817 whdr.flags = conn->out_clientflag; 818 whdr.securityIndex = hdr->securityIndex; 819 whdr.serviceId = htons(hdr->serviceId); 820 821 iov[0].iov_base = &whdr; 822 iov[0].iov_len = sizeof(whdr); 823 iov[1].iov_base = resp; 824 iov[1].iov_len = sizeof(*resp); 825 iov[2].iov_base = (void *)s2->ticket; 826 iov[2].iov_len = s2->ticket_len; 827 828 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len; 829 830 serial = atomic_inc_return(&conn->serial); 831 whdr.serial = htonl(serial); 832 _proto("Tx RESPONSE %%%u", serial); 833 834 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len); 835 if (ret < 0) { 836 trace_rxrpc_tx_fail(conn->debug_id, serial, ret, 837 rxrpc_tx_point_rxkad_response); 838 return -EAGAIN; 839 } 840 841 conn->params.peer->last_tx_at = ktime_get_seconds(); 842 _leave(" = 0"); 843 return 0; 844} 845 846/* 847 * calculate the response checksum 848 */ 849static void rxkad_calc_response_checksum(struct rxkad_response *response) 850{ 851 u32 csum = 1000003; 852 int loop; 853 u8 *p = (u8 *) response; 854 855 for (loop = sizeof(*response); loop > 0; loop--) 856 csum = csum * 0x10204081 + *p++; 857 858 response->encrypted.checksum = htonl(csum); 859} 860 861/* 862 * encrypt the response packet 863 */ 864static int rxkad_encrypt_response(struct rxrpc_connection *conn, 865 struct rxkad_response *resp, 866 const struct rxkad_key *s2) 867{ 868 struct skcipher_request *req; 869 struct rxrpc_crypt iv; 870 struct scatterlist sg[1]; 871 872 req = skcipher_request_alloc(&conn->rxkad.cipher->base, GFP_NOFS); 873 if (!req) 874 return -ENOMEM; 875 876 /* continue encrypting from where we left off */ 877 memcpy(&iv, s2->session_key, sizeof(iv)); 878 879 sg_init_table(sg, 1); 880 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 881 skcipher_request_set_sync_tfm(req, conn->rxkad.cipher); 882 skcipher_request_set_callback(req, 0, NULL, NULL); 883 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 884 crypto_skcipher_encrypt(req); 885 skcipher_request_free(req); 886 return 0; 887} 888 889/* 890 * respond to a challenge packet 891 */ 892static int rxkad_respond_to_challenge(struct rxrpc_connection *conn, 893 struct sk_buff *skb, 894 u32 *_abort_code) 895{ 896 const struct rxrpc_key_token *token; 897 struct rxkad_challenge challenge; 898 struct rxkad_response *resp; 899 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 900 const char *eproto; 901 u32 version, nonce, min_level, abort_code; 902 int ret; 903 904 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key)); 905 906 eproto = tracepoint_string("chall_no_key"); 907 abort_code = RX_PROTOCOL_ERROR; 908 if (!conn->params.key) 909 goto protocol_error; 910 911 abort_code = RXKADEXPIRED; 912 ret = key_validate(conn->params.key); 913 if (ret < 0) 914 goto other_error; 915 916 eproto = tracepoint_string("chall_short"); 917 abort_code = RXKADPACKETSHORT; 918 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 919 &challenge, sizeof(challenge)) < 0) 920 goto protocol_error; 921 922 version = ntohl(challenge.version); 923 nonce = ntohl(challenge.nonce); 924 min_level = ntohl(challenge.min_level); 925 926 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }", 927 sp->hdr.serial, version, nonce, min_level); 928 929 eproto = tracepoint_string("chall_ver"); 930 abort_code = RXKADINCONSISTENCY; 931 if (version != RXKAD_VERSION) 932 goto protocol_error; 933 934 abort_code = RXKADLEVELFAIL; 935 ret = -EACCES; 936 if (conn->params.security_level < min_level) 937 goto other_error; 938 939 token = conn->params.key->payload.data[0]; 940 941 /* build the response packet */ 942 resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS); 943 if (!resp) 944 return -ENOMEM; 945 946 resp->version = htonl(RXKAD_VERSION); 947 resp->encrypted.epoch = htonl(conn->proto.epoch); 948 resp->encrypted.cid = htonl(conn->proto.cid); 949 resp->encrypted.securityIndex = htonl(conn->security_ix); 950 resp->encrypted.inc_nonce = htonl(nonce + 1); 951 resp->encrypted.level = htonl(conn->params.security_level); 952 resp->kvno = htonl(token->kad->kvno); 953 resp->ticket_len = htonl(token->kad->ticket_len); 954 resp->encrypted.call_id[0] = htonl(conn->channels[0].call_counter); 955 resp->encrypted.call_id[1] = htonl(conn->channels[1].call_counter); 956 resp->encrypted.call_id[2] = htonl(conn->channels[2].call_counter); 957 resp->encrypted.call_id[3] = htonl(conn->channels[3].call_counter); 958 959 /* calculate the response checksum and then do the encryption */ 960 rxkad_calc_response_checksum(resp); 961 ret = rxkad_encrypt_response(conn, resp, token->kad); 962 if (ret == 0) 963 ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad); 964 kfree(resp); 965 return ret; 966 967protocol_error: 968 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto); 969 ret = -EPROTO; 970other_error: 971 *_abort_code = abort_code; 972 return ret; 973} 974 975/* 976 * decrypt the kerberos IV ticket in the response 977 */ 978static int rxkad_decrypt_ticket(struct rxrpc_connection *conn, 979 struct key *server_key, 980 struct sk_buff *skb, 981 void *ticket, size_t ticket_len, 982 struct rxrpc_crypt *_session_key, 983 time64_t *_expiry, 984 u32 *_abort_code) 985{ 986 struct skcipher_request *req; 987 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 988 struct rxrpc_crypt iv, key; 989 struct scatterlist sg[1]; 990 struct in_addr addr; 991 unsigned int life; 992 const char *eproto; 993 time64_t issue, now; 994 bool little_endian; 995 int ret; 996 u32 abort_code; 997 u8 *p, *q, *name, *end; 998 999 _enter("{%d},{%x}", conn->debug_id, key_serial(server_key)); 1000 1001 *_expiry = 0; 1002 1003 ASSERT(server_key->payload.data[0] != NULL); 1004 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0); 1005 1006 memcpy(&iv, &server_key->payload.data[2], sizeof(iv)); 1007 1008 ret = -ENOMEM; 1009 req = skcipher_request_alloc(server_key->payload.data[0], GFP_NOFS); 1010 if (!req) 1011 goto temporary_error; 1012 1013 sg_init_one(&sg[0], ticket, ticket_len); 1014 skcipher_request_set_callback(req, 0, NULL, NULL); 1015 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x); 1016 crypto_skcipher_decrypt(req); 1017 skcipher_request_free(req); 1018 1019 p = ticket; 1020 end = p + ticket_len; 1021 1022#define Z(field) \ 1023 ({ \ 1024 u8 *__str = p; \ 1025 eproto = tracepoint_string("rxkad_bad_"#field); \ 1026 q = memchr(p, 0, end - p); \ 1027 if (!q || q - p > (field##_SZ)) \ 1028 goto bad_ticket; \ 1029 for (; p < q; p++) \ 1030 if (!isprint(*p)) \ 1031 goto bad_ticket; \ 1032 p++; \ 1033 __str; \ 1034 }) 1035 1036 /* extract the ticket flags */ 1037 _debug("KIV FLAGS: %x", *p); 1038 little_endian = *p & 1; 1039 p++; 1040 1041 /* extract the authentication name */ 1042 name = Z(ANAME); 1043 _debug("KIV ANAME: %s", name); 1044 1045 /* extract the principal's instance */ 1046 name = Z(INST); 1047 _debug("KIV INST : %s", name); 1048 1049 /* extract the principal's authentication domain */ 1050 name = Z(REALM); 1051 _debug("KIV REALM: %s", name); 1052 1053 eproto = tracepoint_string("rxkad_bad_len"); 1054 if (end - p < 4 + 8 + 4 + 2) 1055 goto bad_ticket; 1056 1057 /* get the IPv4 address of the entity that requested the ticket */ 1058 memcpy(&addr, p, sizeof(addr)); 1059 p += 4; 1060 _debug("KIV ADDR : %pI4", &addr); 1061 1062 /* get the session key from the ticket */ 1063 memcpy(&key, p, sizeof(key)); 1064 p += 8; 1065 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1])); 1066 memcpy(_session_key, &key, sizeof(key)); 1067 1068 /* get the ticket's lifetime */ 1069 life = *p++ * 5 * 60; 1070 _debug("KIV LIFE : %u", life); 1071 1072 /* get the issue time of the ticket */ 1073 if (little_endian) { 1074 __le32 stamp; 1075 memcpy(&stamp, p, 4); 1076 issue = rxrpc_u32_to_time64(le32_to_cpu(stamp)); 1077 } else { 1078 __be32 stamp; 1079 memcpy(&stamp, p, 4); 1080 issue = rxrpc_u32_to_time64(be32_to_cpu(stamp)); 1081 } 1082 p += 4; 1083 now = ktime_get_real_seconds(); 1084 _debug("KIV ISSUE: %llx [%llx]", issue, now); 1085 1086 /* check the ticket is in date */ 1087 if (issue > now) { 1088 abort_code = RXKADNOAUTH; 1089 ret = -EKEYREJECTED; 1090 goto other_error; 1091 } 1092 1093 if (issue < now - life) { 1094 abort_code = RXKADEXPIRED; 1095 ret = -EKEYEXPIRED; 1096 goto other_error; 1097 } 1098 1099 *_expiry = issue + life; 1100 1101 /* get the service name */ 1102 name = Z(SNAME); 1103 _debug("KIV SNAME: %s", name); 1104 1105 /* get the service instance name */ 1106 name = Z(INST); 1107 _debug("KIV SINST: %s", name); 1108 return 0; 1109 1110bad_ticket: 1111 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto); 1112 abort_code = RXKADBADTICKET; 1113 ret = -EPROTO; 1114other_error: 1115 *_abort_code = abort_code; 1116 return ret; 1117temporary_error: 1118 return ret; 1119} 1120 1121/* 1122 * decrypt the response packet 1123 */ 1124static void rxkad_decrypt_response(struct rxrpc_connection *conn, 1125 struct rxkad_response *resp, 1126 const struct rxrpc_crypt *session_key) 1127{ 1128 struct skcipher_request *req = rxkad_ci_req; 1129 struct scatterlist sg[1]; 1130 struct rxrpc_crypt iv; 1131 1132 _enter(",,%08x%08x", 1133 ntohl(session_key->n[0]), ntohl(session_key->n[1])); 1134 1135 mutex_lock(&rxkad_ci_mutex); 1136 if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x, 1137 sizeof(*session_key)) < 0) 1138 BUG(); 1139 1140 memcpy(&iv, session_key, sizeof(iv)); 1141 1142 sg_init_table(sg, 1); 1143 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 1144 skcipher_request_set_sync_tfm(req, rxkad_ci); 1145 skcipher_request_set_callback(req, 0, NULL, NULL); 1146 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 1147 crypto_skcipher_decrypt(req); 1148 skcipher_request_zero(req); 1149 1150 mutex_unlock(&rxkad_ci_mutex); 1151 1152 _leave(""); 1153} 1154 1155/* 1156 * verify a response 1157 */ 1158static int rxkad_verify_response(struct rxrpc_connection *conn, 1159 struct sk_buff *skb, 1160 u32 *_abort_code) 1161{ 1162 struct rxkad_response *response; 1163 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 1164 struct rxrpc_crypt session_key; 1165 struct key *server_key; 1166 const char *eproto; 1167 time64_t expiry; 1168 void *ticket; 1169 u32 abort_code, version, kvno, ticket_len, level; 1170 __be32 csum; 1171 int ret, i; 1172 1173 _enter("{%d}", conn->debug_id); 1174 1175 server_key = rxrpc_look_up_server_security(conn, skb, 0, 0); 1176 if (IS_ERR(server_key)) { 1177 switch (PTR_ERR(server_key)) { 1178 case -ENOKEY: 1179 abort_code = RXKADUNKNOWNKEY; 1180 break; 1181 case -EKEYEXPIRED: 1182 abort_code = RXKADEXPIRED; 1183 break; 1184 default: 1185 abort_code = RXKADNOAUTH; 1186 break; 1187 } 1188 trace_rxrpc_abort(0, "SVK", 1189 sp->hdr.cid, sp->hdr.callNumber, sp->hdr.seq, 1190 abort_code, PTR_ERR(server_key)); 1191 *_abort_code = abort_code; 1192 return -EPROTO; 1193 } 1194 1195 ret = -ENOMEM; 1196 response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS); 1197 if (!response) 1198 goto temporary_error; 1199 1200 eproto = tracepoint_string("rxkad_rsp_short"); 1201 abort_code = RXKADPACKETSHORT; 1202 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 1203 response, sizeof(*response)) < 0) 1204 goto protocol_error; 1205 1206 version = ntohl(response->version); 1207 ticket_len = ntohl(response->ticket_len); 1208 kvno = ntohl(response->kvno); 1209 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }", 1210 sp->hdr.serial, version, kvno, ticket_len); 1211 1212 eproto = tracepoint_string("rxkad_rsp_ver"); 1213 abort_code = RXKADINCONSISTENCY; 1214 if (version != RXKAD_VERSION) 1215 goto protocol_error; 1216 1217 eproto = tracepoint_string("rxkad_rsp_tktlen"); 1218 abort_code = RXKADTICKETLEN; 1219 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) 1220 goto protocol_error; 1221 1222 eproto = tracepoint_string("rxkad_rsp_unkkey"); 1223 abort_code = RXKADUNKNOWNKEY; 1224 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) 1225 goto protocol_error; 1226 1227 /* extract the kerberos ticket and decrypt and decode it */ 1228 ret = -ENOMEM; 1229 ticket = kmalloc(ticket_len, GFP_NOFS); 1230 if (!ticket) 1231 goto temporary_error_free_resp; 1232 1233 eproto = tracepoint_string("rxkad_tkt_short"); 1234 abort_code = RXKADPACKETSHORT; 1235 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response), 1236 ticket, ticket_len) < 0) 1237 goto protocol_error_free; 1238 1239 ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len, 1240 &session_key, &expiry, _abort_code); 1241 if (ret < 0) 1242 goto temporary_error_free_ticket; 1243 1244 /* use the session key from inside the ticket to decrypt the 1245 * response */ 1246 rxkad_decrypt_response(conn, response, &session_key); 1247 1248 eproto = tracepoint_string("rxkad_rsp_param"); 1249 abort_code = RXKADSEALEDINCON; 1250 if (ntohl(response->encrypted.epoch) != conn->proto.epoch) 1251 goto protocol_error_free; 1252 if (ntohl(response->encrypted.cid) != conn->proto.cid) 1253 goto protocol_error_free; 1254 if (ntohl(response->encrypted.securityIndex) != conn->security_ix) 1255 goto protocol_error_free; 1256 csum = response->encrypted.checksum; 1257 response->encrypted.checksum = 0; 1258 rxkad_calc_response_checksum(response); 1259 eproto = tracepoint_string("rxkad_rsp_csum"); 1260 if (response->encrypted.checksum != csum) 1261 goto protocol_error_free; 1262 1263 spin_lock(&conn->bundle->channel_lock); 1264 for (i = 0; i < RXRPC_MAXCALLS; i++) { 1265 struct rxrpc_call *call; 1266 u32 call_id = ntohl(response->encrypted.call_id[i]); 1267 1268 eproto = tracepoint_string("rxkad_rsp_callid"); 1269 if (call_id > INT_MAX) 1270 goto protocol_error_unlock; 1271 1272 eproto = tracepoint_string("rxkad_rsp_callctr"); 1273 if (call_id < conn->channels[i].call_counter) 1274 goto protocol_error_unlock; 1275 1276 eproto = tracepoint_string("rxkad_rsp_callst"); 1277 if (call_id > conn->channels[i].call_counter) { 1278 call = rcu_dereference_protected( 1279 conn->channels[i].call, 1280 lockdep_is_held(&conn->bundle->channel_lock)); 1281 if (call && call->state < RXRPC_CALL_COMPLETE) 1282 goto protocol_error_unlock; 1283 conn->channels[i].call_counter = call_id; 1284 } 1285 } 1286 spin_unlock(&conn->bundle->channel_lock); 1287 1288 eproto = tracepoint_string("rxkad_rsp_seq"); 1289 abort_code = RXKADOUTOFSEQUENCE; 1290 if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) 1291 goto protocol_error_free; 1292 1293 eproto = tracepoint_string("rxkad_rsp_level"); 1294 abort_code = RXKADLEVELFAIL; 1295 level = ntohl(response->encrypted.level); 1296 if (level > RXRPC_SECURITY_ENCRYPT) 1297 goto protocol_error_free; 1298 conn->params.security_level = level; 1299 1300 /* create a key to hold the security data and expiration time - after 1301 * this the connection security can be handled in exactly the same way 1302 * as for a client connection */ 1303 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); 1304 if (ret < 0) 1305 goto temporary_error_free_ticket; 1306 1307 kfree(ticket); 1308 kfree(response); 1309 _leave(" = 0"); 1310 return 0; 1311 1312protocol_error_unlock: 1313 spin_unlock(&conn->bundle->channel_lock); 1314protocol_error_free: 1315 kfree(ticket); 1316protocol_error: 1317 kfree(response); 1318 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto); 1319 key_put(server_key); 1320 *_abort_code = abort_code; 1321 return -EPROTO; 1322 1323temporary_error_free_ticket: 1324 kfree(ticket); 1325temporary_error_free_resp: 1326 kfree(response); 1327temporary_error: 1328 /* Ignore the response packet if we got a temporary error such as 1329 * ENOMEM. We just want to send the challenge again. Note that we 1330 * also come out this way if the ticket decryption fails. 1331 */ 1332 key_put(server_key); 1333 return ret; 1334} 1335 1336/* 1337 * clear the connection security 1338 */ 1339static void rxkad_clear(struct rxrpc_connection *conn) 1340{ 1341 _enter(""); 1342 1343 if (conn->rxkad.cipher) 1344 crypto_free_sync_skcipher(conn->rxkad.cipher); 1345} 1346 1347/* 1348 * Initialise the rxkad security service. 1349 */ 1350static int rxkad_init(void) 1351{ 1352 struct crypto_sync_skcipher *tfm; 1353 struct skcipher_request *req; 1354 1355 /* pin the cipher we need so that the crypto layer doesn't invoke 1356 * keventd to go get it */ 1357 tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0); 1358 if (IS_ERR(tfm)) 1359 return PTR_ERR(tfm); 1360 1361 req = skcipher_request_alloc(&tfm->base, GFP_KERNEL); 1362 if (!req) 1363 goto nomem_tfm; 1364 1365 rxkad_ci_req = req; 1366 rxkad_ci = tfm; 1367 return 0; 1368 1369nomem_tfm: 1370 crypto_free_sync_skcipher(tfm); 1371 return -ENOMEM; 1372} 1373 1374/* 1375 * Clean up the rxkad security service. 1376 */ 1377static void rxkad_exit(void) 1378{ 1379 crypto_free_sync_skcipher(rxkad_ci); 1380 skcipher_request_free(rxkad_ci_req); 1381} 1382 1383/* 1384 * RxRPC Kerberos-based security 1385 */ 1386const struct rxrpc_security rxkad = { 1387 .name = "rxkad", 1388 .security_index = RXRPC_SECURITY_RXKAD, 1389 .no_key_abort = RXKADUNKNOWNKEY, 1390 .init = rxkad_init, 1391 .exit = rxkad_exit, 1392 .preparse_server_key = rxkad_preparse_server_key, 1393 .free_preparse_server_key = rxkad_free_preparse_server_key, 1394 .destroy_server_key = rxkad_destroy_server_key, 1395 .init_connection_security = rxkad_init_connection_security, 1396 .how_much_data = rxkad_how_much_data, 1397 .secure_packet = rxkad_secure_packet, 1398 .verify_packet = rxkad_verify_packet, 1399 .free_call_crypto = rxkad_free_call_crypto, 1400 .locate_data = rxkad_locate_data, 1401 .issue_challenge = rxkad_issue_challenge, 1402 .respond_to_challenge = rxkad_respond_to_challenge, 1403 .verify_response = rxkad_verify_response, 1404 .clear = rxkad_clear, 1405};