• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Kerberos-based RxRPC security
3  *
4  * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
5  * Written by David Howells (dhowells@redhat.com)
6  */
7 
8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9 
10 #include <crypto/skcipher.h>
11 #include <linux/module.h>
12 #include <linux/net.h>
13 #include <linux/skbuff.h>
14 #include <linux/udp.h>
15 #include <linux/scatterlist.h>
16 #include <linux/ctype.h>
17 #include <linux/slab.h>
18 #include <net/sock.h>
19 #include <net/af_rxrpc.h>
20 #include <keys/rxrpc-type.h>
21 #include "ar-internal.h"
22 
23 #define RXKAD_VERSION			2
24 #define MAXKRB5TICKETLEN		1024
25 #define RXKAD_TKT_TYPE_KERBEROS_V5	256
26 #define ANAME_SZ			40	/* size of authentication name */
27 #define INST_SZ				40	/* size of principal's instance */
28 #define REALM_SZ			40	/* size of principal's auth domain */
29 #define SNAME_SZ			40	/* size of service name */
30 
31 struct rxkad_level1_hdr {
32 	__be32	data_size;	/* true data size (excluding padding) */
33 };
34 
35 struct rxkad_level2_hdr {
36 	__be32	data_size;	/* true data size (excluding padding) */
37 	__be32	checksum;	/* decrypted data checksum */
38 };
39 
40 /*
41  * this holds a pinned cipher so that keventd doesn't get called by the cipher
42  * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
43  * packets
44  */
45 static struct crypto_sync_skcipher *rxkad_ci;
46 static struct skcipher_request *rxkad_ci_req;
47 static DEFINE_MUTEX(rxkad_ci_mutex);
48 
49 /*
50  * initialise connection security
51  */
rxkad_init_connection_security(struct rxrpc_connection * conn)52 static int rxkad_init_connection_security(struct rxrpc_connection *conn)
53 {
54 	struct crypto_sync_skcipher *ci;
55 	struct rxrpc_key_token *token;
56 	int ret;
57 
58 	_enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
59 
60 	token = conn->params.key->payload.data[0];
61 	conn->security_ix = token->security_index;
62 
63 	ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
64 	if (IS_ERR(ci)) {
65 		_debug("no cipher");
66 		ret = PTR_ERR(ci);
67 		goto error;
68 	}
69 
70 	if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
71 				   sizeof(token->kad->session_key)) < 0)
72 		BUG();
73 
74 	switch (conn->params.security_level) {
75 	case RXRPC_SECURITY_PLAIN:
76 		break;
77 	case RXRPC_SECURITY_AUTH:
78 		conn->size_align = 8;
79 		conn->security_size = sizeof(struct rxkad_level1_hdr);
80 		break;
81 	case RXRPC_SECURITY_ENCRYPT:
82 		conn->size_align = 8;
83 		conn->security_size = sizeof(struct rxkad_level2_hdr);
84 		break;
85 	default:
86 		ret = -EKEYREJECTED;
87 		goto error;
88 	}
89 
90 	conn->cipher = ci;
91 	ret = 0;
92 error:
93 	_leave(" = %d", ret);
94 	return ret;
95 }
96 
97 /*
98  * prime the encryption state with the invariant parts of a connection's
99  * description
100  */
rxkad_prime_packet_security(struct rxrpc_connection * conn)101 static int rxkad_prime_packet_security(struct rxrpc_connection *conn)
102 {
103 	struct skcipher_request *req;
104 	struct rxrpc_key_token *token;
105 	struct scatterlist sg;
106 	struct rxrpc_crypt iv;
107 	__be32 *tmpbuf;
108 	size_t tmpsize = 4 * sizeof(__be32);
109 
110 	_enter("");
111 
112 	if (!conn->params.key)
113 		return 0;
114 
115 	tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
116 	if (!tmpbuf)
117 		return -ENOMEM;
118 
119 	req = skcipher_request_alloc(&conn->cipher->base, GFP_NOFS);
120 	if (!req) {
121 		kfree(tmpbuf);
122 		return -ENOMEM;
123 	}
124 
125 	token = conn->params.key->payload.data[0];
126 	memcpy(&iv, token->kad->session_key, sizeof(iv));
127 
128 	tmpbuf[0] = htonl(conn->proto.epoch);
129 	tmpbuf[1] = htonl(conn->proto.cid);
130 	tmpbuf[2] = 0;
131 	tmpbuf[3] = htonl(conn->security_ix);
132 
133 	sg_init_one(&sg, tmpbuf, tmpsize);
134 	skcipher_request_set_sync_tfm(req, conn->cipher);
135 	skcipher_request_set_callback(req, 0, NULL, NULL);
136 	skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
137 	crypto_skcipher_encrypt(req);
138 	skcipher_request_free(req);
139 
140 	memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv));
141 	kfree(tmpbuf);
142 	_leave(" = 0");
143 	return 0;
144 }
145 
146 /*
147  * Allocate and prepare the crypto request on a call.  For any particular call,
148  * this is called serially for the packets, so no lock should be necessary.
149  */
rxkad_get_call_crypto(struct rxrpc_call * call)150 static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call)
151 {
152 	struct crypto_skcipher *tfm = &call->conn->cipher->base;
153 	struct skcipher_request	*cipher_req = call->cipher_req;
154 
155 	if (!cipher_req) {
156 		cipher_req = skcipher_request_alloc(tfm, GFP_NOFS);
157 		if (!cipher_req)
158 			return NULL;
159 		call->cipher_req = cipher_req;
160 	}
161 
162 	return cipher_req;
163 }
164 
165 /*
166  * Clean up the crypto on a call.
167  */
rxkad_free_call_crypto(struct rxrpc_call * call)168 static void rxkad_free_call_crypto(struct rxrpc_call *call)
169 {
170 	if (call->cipher_req)
171 		skcipher_request_free(call->cipher_req);
172 	call->cipher_req = NULL;
173 }
174 
175 /*
176  * partially encrypt a packet (level 1 security)
177  */
rxkad_secure_packet_auth(const struct rxrpc_call * call,struct sk_buff * skb,u32 data_size,void * sechdr,struct skcipher_request * req)178 static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
179 				    struct sk_buff *skb,
180 				    u32 data_size,
181 				    void *sechdr,
182 				    struct skcipher_request *req)
183 {
184 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
185 	struct rxkad_level1_hdr hdr;
186 	struct rxrpc_crypt iv;
187 	struct scatterlist sg;
188 	u16 check;
189 
190 	_enter("");
191 
192 	check = sp->hdr.seq ^ call->call_id;
193 	data_size |= (u32)check << 16;
194 
195 	hdr.data_size = htonl(data_size);
196 	memcpy(sechdr, &hdr, sizeof(hdr));
197 
198 	/* start the encryption afresh */
199 	memset(&iv, 0, sizeof(iv));
200 
201 	sg_init_one(&sg, sechdr, 8);
202 	skcipher_request_set_sync_tfm(req, call->conn->cipher);
203 	skcipher_request_set_callback(req, 0, NULL, NULL);
204 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
205 	crypto_skcipher_encrypt(req);
206 	skcipher_request_zero(req);
207 
208 	_leave(" = 0");
209 	return 0;
210 }
211 
212 /*
213  * wholly encrypt a packet (level 2 security)
214  */
rxkad_secure_packet_encrypt(const struct rxrpc_call * call,struct sk_buff * skb,u32 data_size,void * sechdr,struct skcipher_request * req)215 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
216 				       struct sk_buff *skb,
217 				       u32 data_size,
218 				       void *sechdr,
219 				       struct skcipher_request *req)
220 {
221 	const struct rxrpc_key_token *token;
222 	struct rxkad_level2_hdr rxkhdr;
223 	struct rxrpc_skb_priv *sp;
224 	struct rxrpc_crypt iv;
225 	struct scatterlist sg[16];
226 	unsigned int len;
227 	u16 check;
228 	int err;
229 
230 	sp = rxrpc_skb(skb);
231 
232 	_enter("");
233 
234 	check = sp->hdr.seq ^ call->call_id;
235 
236 	rxkhdr.data_size = htonl(data_size | (u32)check << 16);
237 	rxkhdr.checksum = 0;
238 	memcpy(sechdr, &rxkhdr, sizeof(rxkhdr));
239 
240 	/* encrypt from the session key */
241 	token = call->conn->params.key->payload.data[0];
242 	memcpy(&iv, token->kad->session_key, sizeof(iv));
243 
244 	sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
245 	skcipher_request_set_sync_tfm(req, call->conn->cipher);
246 	skcipher_request_set_callback(req, 0, NULL, NULL);
247 	skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
248 	crypto_skcipher_encrypt(req);
249 
250 	/* we want to encrypt the skbuff in-place */
251 	err = -EMSGSIZE;
252 	if (skb_shinfo(skb)->nr_frags > 16)
253 		goto out;
254 
255 	len = data_size + call->conn->size_align - 1;
256 	len &= ~(call->conn->size_align - 1);
257 
258 	sg_init_table(sg, ARRAY_SIZE(sg));
259 	err = skb_to_sgvec(skb, sg, 0, len);
260 	if (unlikely(err < 0))
261 		goto out;
262 	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
263 	crypto_skcipher_encrypt(req);
264 
265 	_leave(" = 0");
266 	err = 0;
267 
268 out:
269 	skcipher_request_zero(req);
270 	return err;
271 }
272 
273 /*
274  * checksum an RxRPC packet header
275  */
rxkad_secure_packet(struct rxrpc_call * call,struct sk_buff * skb,size_t data_size,void * sechdr)276 static int rxkad_secure_packet(struct rxrpc_call *call,
277 			       struct sk_buff *skb,
278 			       size_t data_size,
279 			       void *sechdr)
280 {
281 	struct rxrpc_skb_priv *sp;
282 	struct skcipher_request	*req;
283 	struct rxrpc_crypt iv;
284 	struct scatterlist sg;
285 	u32 x, y;
286 	int ret;
287 
288 	sp = rxrpc_skb(skb);
289 
290 	_enter("{%d{%x}},{#%u},%zu,",
291 	       call->debug_id, key_serial(call->conn->params.key),
292 	       sp->hdr.seq, data_size);
293 
294 	if (!call->conn->cipher)
295 		return 0;
296 
297 	ret = key_validate(call->conn->params.key);
298 	if (ret < 0)
299 		return ret;
300 
301 	req = rxkad_get_call_crypto(call);
302 	if (!req)
303 		return -ENOMEM;
304 
305 	/* continue encrypting from where we left off */
306 	memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
307 
308 	/* calculate the security checksum */
309 	x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
310 	x |= sp->hdr.seq & 0x3fffffff;
311 	call->crypto_buf[0] = htonl(call->call_id);
312 	call->crypto_buf[1] = htonl(x);
313 
314 	sg_init_one(&sg, call->crypto_buf, 8);
315 	skcipher_request_set_sync_tfm(req, call->conn->cipher);
316 	skcipher_request_set_callback(req, 0, NULL, NULL);
317 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
318 	crypto_skcipher_encrypt(req);
319 	skcipher_request_zero(req);
320 
321 	y = ntohl(call->crypto_buf[1]);
322 	y = (y >> 16) & 0xffff;
323 	if (y == 0)
324 		y = 1; /* zero checksums are not permitted */
325 	sp->hdr.cksum = y;
326 
327 	switch (call->conn->params.security_level) {
328 	case RXRPC_SECURITY_PLAIN:
329 		ret = 0;
330 		break;
331 	case RXRPC_SECURITY_AUTH:
332 		ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr,
333 					       req);
334 		break;
335 	case RXRPC_SECURITY_ENCRYPT:
336 		ret = rxkad_secure_packet_encrypt(call, skb, data_size,
337 						  sechdr, req);
338 		break;
339 	default:
340 		ret = -EPERM;
341 		break;
342 	}
343 
344 	_leave(" = %d [set %hx]", ret, y);
345 	return ret;
346 }
347 
348 /*
349  * decrypt partial encryption on a packet (level 1 security)
350  */
rxkad_verify_packet_1(struct rxrpc_call * call,struct sk_buff * skb,unsigned int offset,unsigned int len,rxrpc_seq_t seq,struct skcipher_request * req)351 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
352 				 unsigned int offset, unsigned int len,
353 				 rxrpc_seq_t seq,
354 				 struct skcipher_request *req)
355 {
356 	struct rxkad_level1_hdr sechdr;
357 	struct rxrpc_crypt iv;
358 	struct scatterlist sg[16];
359 	bool aborted;
360 	u32 data_size, buf;
361 	u16 check;
362 	int ret;
363 
364 	_enter("");
365 
366 	if (len < 8) {
367 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_hdr", "V1H",
368 					   RXKADSEALEDINCON);
369 		goto protocol_error;
370 	}
371 
372 	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
373 	 * directly into the target buffer.
374 	 */
375 	sg_init_table(sg, ARRAY_SIZE(sg));
376 	ret = skb_to_sgvec(skb, sg, offset, 8);
377 	if (unlikely(ret < 0))
378 		return ret;
379 
380 	/* start the decryption afresh */
381 	memset(&iv, 0, sizeof(iv));
382 
383 	skcipher_request_set_sync_tfm(req, call->conn->cipher);
384 	skcipher_request_set_callback(req, 0, NULL, NULL);
385 	skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
386 	crypto_skcipher_decrypt(req);
387 	skcipher_request_zero(req);
388 
389 	/* Extract the decrypted packet length */
390 	if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
391 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_len", "XV1",
392 					     RXKADDATALEN);
393 		goto protocol_error;
394 	}
395 	offset += sizeof(sechdr);
396 	len -= sizeof(sechdr);
397 
398 	buf = ntohl(sechdr.data_size);
399 	data_size = buf & 0xffff;
400 
401 	check = buf >> 16;
402 	check ^= seq ^ call->call_id;
403 	check &= 0xffff;
404 	if (check != 0) {
405 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_check", "V1C",
406 					     RXKADSEALEDINCON);
407 		goto protocol_error;
408 	}
409 
410 	if (data_size > len) {
411 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_datalen", "V1L",
412 					     RXKADDATALEN);
413 		goto protocol_error;
414 	}
415 
416 	_leave(" = 0 [dlen=%x]", data_size);
417 	return 0;
418 
419 protocol_error:
420 	if (aborted)
421 		rxrpc_send_abort_packet(call);
422 	return -EPROTO;
423 }
424 
425 /*
426  * wholly decrypt a packet (level 2 security)
427  */
rxkad_verify_packet_2(struct rxrpc_call * call,struct sk_buff * skb,unsigned int offset,unsigned int len,rxrpc_seq_t seq,struct skcipher_request * req)428 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
429 				 unsigned int offset, unsigned int len,
430 				 rxrpc_seq_t seq,
431 				 struct skcipher_request *req)
432 {
433 	const struct rxrpc_key_token *token;
434 	struct rxkad_level2_hdr sechdr;
435 	struct rxrpc_crypt iv;
436 	struct scatterlist _sg[4], *sg;
437 	bool aborted;
438 	u32 data_size, buf;
439 	u16 check;
440 	int nsg, ret;
441 
442 	_enter(",{%d}", skb->len);
443 
444 	if (len < 8) {
445 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_hdr", "V2H",
446 					     RXKADSEALEDINCON);
447 		goto protocol_error;
448 	}
449 
450 	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
451 	 * directly into the target buffer.
452 	 */
453 	sg = _sg;
454 	nsg = skb_shinfo(skb)->nr_frags;
455 	if (nsg <= 4) {
456 		nsg = 4;
457 	} else {
458 		sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
459 		if (!sg)
460 			goto nomem;
461 	}
462 
463 	sg_init_table(sg, nsg);
464 	ret = skb_to_sgvec(skb, sg, offset, len);
465 	if (unlikely(ret < 0)) {
466 		if (sg != _sg)
467 			kfree(sg);
468 		return ret;
469 	}
470 
471 	/* decrypt from the session key */
472 	token = call->conn->params.key->payload.data[0];
473 	memcpy(&iv, token->kad->session_key, sizeof(iv));
474 
475 	skcipher_request_set_sync_tfm(req, call->conn->cipher);
476 	skcipher_request_set_callback(req, 0, NULL, NULL);
477 	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
478 	crypto_skcipher_decrypt(req);
479 	skcipher_request_zero(req);
480 	if (sg != _sg)
481 		kfree(sg);
482 
483 	/* Extract the decrypted packet length */
484 	if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
485 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_len", "XV2",
486 					     RXKADDATALEN);
487 		goto protocol_error;
488 	}
489 	offset += sizeof(sechdr);
490 	len -= sizeof(sechdr);
491 
492 	buf = ntohl(sechdr.data_size);
493 	data_size = buf & 0xffff;
494 
495 	check = buf >> 16;
496 	check ^= seq ^ call->call_id;
497 	check &= 0xffff;
498 	if (check != 0) {
499 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_check", "V2C",
500 					     RXKADSEALEDINCON);
501 		goto protocol_error;
502 	}
503 
504 	if (data_size > len) {
505 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_datalen", "V2L",
506 					     RXKADDATALEN);
507 		goto protocol_error;
508 	}
509 
510 	_leave(" = 0 [dlen=%x]", data_size);
511 	return 0;
512 
513 protocol_error:
514 	if (aborted)
515 		rxrpc_send_abort_packet(call);
516 	return -EPROTO;
517 
518 nomem:
519 	_leave(" = -ENOMEM");
520 	return -ENOMEM;
521 }
522 
523 /*
524  * Verify the security on a received packet or subpacket (if part of a
525  * jumbo packet).
526  */
rxkad_verify_packet(struct rxrpc_call * call,struct sk_buff * skb,unsigned int offset,unsigned int len,rxrpc_seq_t seq,u16 expected_cksum)527 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb,
528 			       unsigned int offset, unsigned int len,
529 			       rxrpc_seq_t seq, u16 expected_cksum)
530 {
531 	struct skcipher_request	*req;
532 	struct rxrpc_crypt iv;
533 	struct scatterlist sg;
534 	bool aborted;
535 	u16 cksum;
536 	u32 x, y;
537 
538 	_enter("{%d{%x}},{#%u}",
539 	       call->debug_id, key_serial(call->conn->params.key), seq);
540 
541 	if (!call->conn->cipher)
542 		return 0;
543 
544 	req = rxkad_get_call_crypto(call);
545 	if (!req)
546 		return -ENOMEM;
547 
548 	/* continue encrypting from where we left off */
549 	memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
550 
551 	/* validate the security checksum */
552 	x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
553 	x |= seq & 0x3fffffff;
554 	call->crypto_buf[0] = htonl(call->call_id);
555 	call->crypto_buf[1] = htonl(x);
556 
557 	sg_init_one(&sg, call->crypto_buf, 8);
558 	skcipher_request_set_sync_tfm(req, call->conn->cipher);
559 	skcipher_request_set_callback(req, 0, NULL, NULL);
560 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
561 	crypto_skcipher_encrypt(req);
562 	skcipher_request_zero(req);
563 
564 	y = ntohl(call->crypto_buf[1]);
565 	cksum = (y >> 16) & 0xffff;
566 	if (cksum == 0)
567 		cksum = 1; /* zero checksums are not permitted */
568 
569 	if (cksum != expected_cksum) {
570 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_csum", "VCK",
571 					     RXKADSEALEDINCON);
572 		goto protocol_error;
573 	}
574 
575 	switch (call->conn->params.security_level) {
576 	case RXRPC_SECURITY_PLAIN:
577 		return 0;
578 	case RXRPC_SECURITY_AUTH:
579 		return rxkad_verify_packet_1(call, skb, offset, len, seq, req);
580 	case RXRPC_SECURITY_ENCRYPT:
581 		return rxkad_verify_packet_2(call, skb, offset, len, seq, req);
582 	default:
583 		return -ENOANO;
584 	}
585 
586 protocol_error:
587 	if (aborted)
588 		rxrpc_send_abort_packet(call);
589 	return -EPROTO;
590 }
591 
592 /*
593  * Locate the data contained in a packet that was partially encrypted.
594  */
rxkad_locate_data_1(struct rxrpc_call * call,struct sk_buff * skb,unsigned int * _offset,unsigned int * _len)595 static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb,
596 				unsigned int *_offset, unsigned int *_len)
597 {
598 	struct rxkad_level1_hdr sechdr;
599 
600 	if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
601 		BUG();
602 	*_offset += sizeof(sechdr);
603 	*_len = ntohl(sechdr.data_size) & 0xffff;
604 }
605 
606 /*
607  * Locate the data contained in a packet that was completely encrypted.
608  */
rxkad_locate_data_2(struct rxrpc_call * call,struct sk_buff * skb,unsigned int * _offset,unsigned int * _len)609 static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb,
610 				unsigned int *_offset, unsigned int *_len)
611 {
612 	struct rxkad_level2_hdr sechdr;
613 
614 	if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
615 		BUG();
616 	*_offset += sizeof(sechdr);
617 	*_len = ntohl(sechdr.data_size) & 0xffff;
618 }
619 
620 /*
621  * Locate the data contained in an already decrypted packet.
622  */
rxkad_locate_data(struct rxrpc_call * call,struct sk_buff * skb,unsigned int * _offset,unsigned int * _len)623 static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb,
624 			      unsigned int *_offset, unsigned int *_len)
625 {
626 	switch (call->conn->params.security_level) {
627 	case RXRPC_SECURITY_AUTH:
628 		rxkad_locate_data_1(call, skb, _offset, _len);
629 		return;
630 	case RXRPC_SECURITY_ENCRYPT:
631 		rxkad_locate_data_2(call, skb, _offset, _len);
632 		return;
633 	default:
634 		return;
635 	}
636 }
637 
638 /*
639  * issue a challenge
640  */
rxkad_issue_challenge(struct rxrpc_connection * conn)641 static int rxkad_issue_challenge(struct rxrpc_connection *conn)
642 {
643 	struct rxkad_challenge challenge;
644 	struct rxrpc_wire_header whdr;
645 	struct msghdr msg;
646 	struct kvec iov[2];
647 	size_t len;
648 	u32 serial;
649 	int ret;
650 
651 	_enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
652 
653 	ret = key_validate(conn->server_key);
654 	if (ret < 0)
655 		return ret;
656 
657 	get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
658 
659 	challenge.version	= htonl(2);
660 	challenge.nonce		= htonl(conn->security_nonce);
661 	challenge.min_level	= htonl(0);
662 	challenge.__padding	= 0;
663 
664 	msg.msg_name	= &conn->params.peer->srx.transport;
665 	msg.msg_namelen	= conn->params.peer->srx.transport_len;
666 	msg.msg_control	= NULL;
667 	msg.msg_controllen = 0;
668 	msg.msg_flags	= 0;
669 
670 	whdr.epoch	= htonl(conn->proto.epoch);
671 	whdr.cid	= htonl(conn->proto.cid);
672 	whdr.callNumber	= 0;
673 	whdr.seq	= 0;
674 	whdr.type	= RXRPC_PACKET_TYPE_CHALLENGE;
675 	whdr.flags	= conn->out_clientflag;
676 	whdr.userStatus	= 0;
677 	whdr.securityIndex = conn->security_ix;
678 	whdr._rsvd	= 0;
679 	whdr.serviceId	= htons(conn->service_id);
680 
681 	iov[0].iov_base	= &whdr;
682 	iov[0].iov_len	= sizeof(whdr);
683 	iov[1].iov_base	= &challenge;
684 	iov[1].iov_len	= sizeof(challenge);
685 
686 	len = iov[0].iov_len + iov[1].iov_len;
687 
688 	serial = atomic_inc_return(&conn->serial);
689 	whdr.serial = htonl(serial);
690 	_proto("Tx CHALLENGE %%%u", serial);
691 
692 	ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
693 	if (ret < 0) {
694 		trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
695 				    rxrpc_tx_point_rxkad_challenge);
696 		return -EAGAIN;
697 	}
698 
699 	conn->params.peer->last_tx_at = ktime_get_seconds();
700 	trace_rxrpc_tx_packet(conn->debug_id, &whdr,
701 			      rxrpc_tx_point_rxkad_challenge);
702 	_leave(" = 0");
703 	return 0;
704 }
705 
706 /*
707  * send a Kerberos security response
708  */
rxkad_send_response(struct rxrpc_connection * conn,struct rxrpc_host_header * hdr,struct rxkad_response * resp,const struct rxkad_key * s2)709 static int rxkad_send_response(struct rxrpc_connection *conn,
710 			       struct rxrpc_host_header *hdr,
711 			       struct rxkad_response *resp,
712 			       const struct rxkad_key *s2)
713 {
714 	struct rxrpc_wire_header whdr;
715 	struct msghdr msg;
716 	struct kvec iov[3];
717 	size_t len;
718 	u32 serial;
719 	int ret;
720 
721 	_enter("");
722 
723 	msg.msg_name	= &conn->params.peer->srx.transport;
724 	msg.msg_namelen	= conn->params.peer->srx.transport_len;
725 	msg.msg_control	= NULL;
726 	msg.msg_controllen = 0;
727 	msg.msg_flags	= 0;
728 
729 	memset(&whdr, 0, sizeof(whdr));
730 	whdr.epoch	= htonl(hdr->epoch);
731 	whdr.cid	= htonl(hdr->cid);
732 	whdr.type	= RXRPC_PACKET_TYPE_RESPONSE;
733 	whdr.flags	= conn->out_clientflag;
734 	whdr.securityIndex = hdr->securityIndex;
735 	whdr.serviceId	= htons(hdr->serviceId);
736 
737 	iov[0].iov_base	= &whdr;
738 	iov[0].iov_len	= sizeof(whdr);
739 	iov[1].iov_base	= resp;
740 	iov[1].iov_len	= sizeof(*resp);
741 	iov[2].iov_base	= (void *)s2->ticket;
742 	iov[2].iov_len	= s2->ticket_len;
743 
744 	len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
745 
746 	serial = atomic_inc_return(&conn->serial);
747 	whdr.serial = htonl(serial);
748 	_proto("Tx RESPONSE %%%u", serial);
749 
750 	ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
751 	if (ret < 0) {
752 		trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
753 				    rxrpc_tx_point_rxkad_response);
754 		return -EAGAIN;
755 	}
756 
757 	conn->params.peer->last_tx_at = ktime_get_seconds();
758 	_leave(" = 0");
759 	return 0;
760 }
761 
762 /*
763  * calculate the response checksum
764  */
rxkad_calc_response_checksum(struct rxkad_response * response)765 static void rxkad_calc_response_checksum(struct rxkad_response *response)
766 {
767 	u32 csum = 1000003;
768 	int loop;
769 	u8 *p = (u8 *) response;
770 
771 	for (loop = sizeof(*response); loop > 0; loop--)
772 		csum = csum * 0x10204081 + *p++;
773 
774 	response->encrypted.checksum = htonl(csum);
775 }
776 
777 /*
778  * encrypt the response packet
779  */
rxkad_encrypt_response(struct rxrpc_connection * conn,struct rxkad_response * resp,const struct rxkad_key * s2)780 static int rxkad_encrypt_response(struct rxrpc_connection *conn,
781 				  struct rxkad_response *resp,
782 				  const struct rxkad_key *s2)
783 {
784 	struct skcipher_request *req;
785 	struct rxrpc_crypt iv;
786 	struct scatterlist sg[1];
787 
788 	req = skcipher_request_alloc(&conn->cipher->base, GFP_NOFS);
789 	if (!req)
790 		return -ENOMEM;
791 
792 	/* continue encrypting from where we left off */
793 	memcpy(&iv, s2->session_key, sizeof(iv));
794 
795 	sg_init_table(sg, 1);
796 	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
797 	skcipher_request_set_sync_tfm(req, conn->cipher);
798 	skcipher_request_set_callback(req, 0, NULL, NULL);
799 	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
800 	crypto_skcipher_encrypt(req);
801 	skcipher_request_free(req);
802 	return 0;
803 }
804 
805 /*
806  * respond to a challenge packet
807  */
rxkad_respond_to_challenge(struct rxrpc_connection * conn,struct sk_buff * skb,u32 * _abort_code)808 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
809 				      struct sk_buff *skb,
810 				      u32 *_abort_code)
811 {
812 	const struct rxrpc_key_token *token;
813 	struct rxkad_challenge challenge;
814 	struct rxkad_response *resp;
815 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
816 	const char *eproto;
817 	u32 version, nonce, min_level, abort_code;
818 	int ret;
819 
820 	_enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
821 
822 	eproto = tracepoint_string("chall_no_key");
823 	abort_code = RX_PROTOCOL_ERROR;
824 	if (!conn->params.key)
825 		goto protocol_error;
826 
827 	abort_code = RXKADEXPIRED;
828 	ret = key_validate(conn->params.key);
829 	if (ret < 0)
830 		goto other_error;
831 
832 	eproto = tracepoint_string("chall_short");
833 	abort_code = RXKADPACKETSHORT;
834 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
835 			  &challenge, sizeof(challenge)) < 0)
836 		goto protocol_error;
837 
838 	version = ntohl(challenge.version);
839 	nonce = ntohl(challenge.nonce);
840 	min_level = ntohl(challenge.min_level);
841 
842 	_proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
843 	       sp->hdr.serial, version, nonce, min_level);
844 
845 	eproto = tracepoint_string("chall_ver");
846 	abort_code = RXKADINCONSISTENCY;
847 	if (version != RXKAD_VERSION)
848 		goto protocol_error;
849 
850 	abort_code = RXKADLEVELFAIL;
851 	ret = -EACCES;
852 	if (conn->params.security_level < min_level)
853 		goto other_error;
854 
855 	token = conn->params.key->payload.data[0];
856 
857 	/* build the response packet */
858 	resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
859 	if (!resp)
860 		return -ENOMEM;
861 
862 	resp->version			= htonl(RXKAD_VERSION);
863 	resp->encrypted.epoch		= htonl(conn->proto.epoch);
864 	resp->encrypted.cid		= htonl(conn->proto.cid);
865 	resp->encrypted.securityIndex	= htonl(conn->security_ix);
866 	resp->encrypted.inc_nonce	= htonl(nonce + 1);
867 	resp->encrypted.level		= htonl(conn->params.security_level);
868 	resp->kvno			= htonl(token->kad->kvno);
869 	resp->ticket_len		= htonl(token->kad->ticket_len);
870 	resp->encrypted.call_id[0]	= htonl(conn->channels[0].call_counter);
871 	resp->encrypted.call_id[1]	= htonl(conn->channels[1].call_counter);
872 	resp->encrypted.call_id[2]	= htonl(conn->channels[2].call_counter);
873 	resp->encrypted.call_id[3]	= htonl(conn->channels[3].call_counter);
874 
875 	/* calculate the response checksum and then do the encryption */
876 	rxkad_calc_response_checksum(resp);
877 	ret = rxkad_encrypt_response(conn, resp, token->kad);
878 	if (ret == 0)
879 		ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad);
880 	kfree(resp);
881 	return ret;
882 
883 protocol_error:
884 	trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
885 	ret = -EPROTO;
886 other_error:
887 	*_abort_code = abort_code;
888 	return ret;
889 }
890 
891 /*
892  * decrypt the kerberos IV ticket in the response
893  */
rxkad_decrypt_ticket(struct rxrpc_connection * conn,struct sk_buff * skb,void * ticket,size_t ticket_len,struct rxrpc_crypt * _session_key,time64_t * _expiry,u32 * _abort_code)894 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
895 				struct sk_buff *skb,
896 				void *ticket, size_t ticket_len,
897 				struct rxrpc_crypt *_session_key,
898 				time64_t *_expiry,
899 				u32 *_abort_code)
900 {
901 	struct skcipher_request *req;
902 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
903 	struct rxrpc_crypt iv, key;
904 	struct scatterlist sg[1];
905 	struct in_addr addr;
906 	unsigned int life;
907 	const char *eproto;
908 	time64_t issue, now;
909 	bool little_endian;
910 	int ret;
911 	u32 abort_code;
912 	u8 *p, *q, *name, *end;
913 
914 	_enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
915 
916 	*_expiry = 0;
917 
918 	ret = key_validate(conn->server_key);
919 	if (ret < 0) {
920 		switch (ret) {
921 		case -EKEYEXPIRED:
922 			abort_code = RXKADEXPIRED;
923 			goto other_error;
924 		default:
925 			abort_code = RXKADNOAUTH;
926 			goto other_error;
927 		}
928 	}
929 
930 	ASSERT(conn->server_key->payload.data[0] != NULL);
931 	ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
932 
933 	memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
934 
935 	ret = -ENOMEM;
936 	req = skcipher_request_alloc(conn->server_key->payload.data[0],
937 				     GFP_NOFS);
938 	if (!req)
939 		goto temporary_error;
940 
941 	sg_init_one(&sg[0], ticket, ticket_len);
942 	skcipher_request_set_callback(req, 0, NULL, NULL);
943 	skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
944 	crypto_skcipher_decrypt(req);
945 	skcipher_request_free(req);
946 
947 	p = ticket;
948 	end = p + ticket_len;
949 
950 #define Z(field)					\
951 	({						\
952 		u8 *__str = p;				\
953 		eproto = tracepoint_string("rxkad_bad_"#field); \
954 		q = memchr(p, 0, end - p);		\
955 		if (!q || q - p > (field##_SZ))		\
956 			goto bad_ticket;		\
957 		for (; p < q; p++)			\
958 			if (!isprint(*p))		\
959 				goto bad_ticket;	\
960 		p++;					\
961 		__str;					\
962 	})
963 
964 	/* extract the ticket flags */
965 	_debug("KIV FLAGS: %x", *p);
966 	little_endian = *p & 1;
967 	p++;
968 
969 	/* extract the authentication name */
970 	name = Z(ANAME);
971 	_debug("KIV ANAME: %s", name);
972 
973 	/* extract the principal's instance */
974 	name = Z(INST);
975 	_debug("KIV INST : %s", name);
976 
977 	/* extract the principal's authentication domain */
978 	name = Z(REALM);
979 	_debug("KIV REALM: %s", name);
980 
981 	eproto = tracepoint_string("rxkad_bad_len");
982 	if (end - p < 4 + 8 + 4 + 2)
983 		goto bad_ticket;
984 
985 	/* get the IPv4 address of the entity that requested the ticket */
986 	memcpy(&addr, p, sizeof(addr));
987 	p += 4;
988 	_debug("KIV ADDR : %pI4", &addr);
989 
990 	/* get the session key from the ticket */
991 	memcpy(&key, p, sizeof(key));
992 	p += 8;
993 	_debug("KIV KEY  : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
994 	memcpy(_session_key, &key, sizeof(key));
995 
996 	/* get the ticket's lifetime */
997 	life = *p++ * 5 * 60;
998 	_debug("KIV LIFE : %u", life);
999 
1000 	/* get the issue time of the ticket */
1001 	if (little_endian) {
1002 		__le32 stamp;
1003 		memcpy(&stamp, p, 4);
1004 		issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
1005 	} else {
1006 		__be32 stamp;
1007 		memcpy(&stamp, p, 4);
1008 		issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
1009 	}
1010 	p += 4;
1011 	now = ktime_get_real_seconds();
1012 	_debug("KIV ISSUE: %llx [%llx]", issue, now);
1013 
1014 	/* check the ticket is in date */
1015 	if (issue > now) {
1016 		abort_code = RXKADNOAUTH;
1017 		ret = -EKEYREJECTED;
1018 		goto other_error;
1019 	}
1020 
1021 	if (issue < now - life) {
1022 		abort_code = RXKADEXPIRED;
1023 		ret = -EKEYEXPIRED;
1024 		goto other_error;
1025 	}
1026 
1027 	*_expiry = issue + life;
1028 
1029 	/* get the service name */
1030 	name = Z(SNAME);
1031 	_debug("KIV SNAME: %s", name);
1032 
1033 	/* get the service instance name */
1034 	name = Z(INST);
1035 	_debug("KIV SINST: %s", name);
1036 	return 0;
1037 
1038 bad_ticket:
1039 	trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1040 	abort_code = RXKADBADTICKET;
1041 	ret = -EPROTO;
1042 other_error:
1043 	*_abort_code = abort_code;
1044 	return ret;
1045 temporary_error:
1046 	return ret;
1047 }
1048 
1049 /*
1050  * decrypt the response packet
1051  */
rxkad_decrypt_response(struct rxrpc_connection * conn,struct rxkad_response * resp,const struct rxrpc_crypt * session_key)1052 static void rxkad_decrypt_response(struct rxrpc_connection *conn,
1053 				   struct rxkad_response *resp,
1054 				   const struct rxrpc_crypt *session_key)
1055 {
1056 	struct skcipher_request *req = rxkad_ci_req;
1057 	struct scatterlist sg[1];
1058 	struct rxrpc_crypt iv;
1059 
1060 	_enter(",,%08x%08x",
1061 	       ntohl(session_key->n[0]), ntohl(session_key->n[1]));
1062 
1063 	mutex_lock(&rxkad_ci_mutex);
1064 	if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
1065 					sizeof(*session_key)) < 0)
1066 		BUG();
1067 
1068 	memcpy(&iv, session_key, sizeof(iv));
1069 
1070 	sg_init_table(sg, 1);
1071 	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1072 	skcipher_request_set_sync_tfm(req, rxkad_ci);
1073 	skcipher_request_set_callback(req, 0, NULL, NULL);
1074 	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1075 	crypto_skcipher_decrypt(req);
1076 	skcipher_request_zero(req);
1077 
1078 	mutex_unlock(&rxkad_ci_mutex);
1079 
1080 	_leave("");
1081 }
1082 
1083 /*
1084  * verify a response
1085  */
rxkad_verify_response(struct rxrpc_connection * conn,struct sk_buff * skb,u32 * _abort_code)1086 static int rxkad_verify_response(struct rxrpc_connection *conn,
1087 				 struct sk_buff *skb,
1088 				 u32 *_abort_code)
1089 {
1090 	struct rxkad_response *response;
1091 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1092 	struct rxrpc_crypt session_key;
1093 	const char *eproto;
1094 	time64_t expiry;
1095 	void *ticket;
1096 	u32 abort_code, version, kvno, ticket_len, level;
1097 	__be32 csum;
1098 	int ret, i;
1099 
1100 	_enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
1101 
1102 	ret = -ENOMEM;
1103 	response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1104 	if (!response)
1105 		goto temporary_error;
1106 
1107 	eproto = tracepoint_string("rxkad_rsp_short");
1108 	abort_code = RXKADPACKETSHORT;
1109 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1110 			  response, sizeof(*response)) < 0)
1111 		goto protocol_error;
1112 	if (!pskb_pull(skb, sizeof(*response)))
1113 		BUG();
1114 
1115 	version = ntohl(response->version);
1116 	ticket_len = ntohl(response->ticket_len);
1117 	kvno = ntohl(response->kvno);
1118 	_proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1119 	       sp->hdr.serial, version, kvno, ticket_len);
1120 
1121 	eproto = tracepoint_string("rxkad_rsp_ver");
1122 	abort_code = RXKADINCONSISTENCY;
1123 	if (version != RXKAD_VERSION)
1124 		goto protocol_error;
1125 
1126 	eproto = tracepoint_string("rxkad_rsp_tktlen");
1127 	abort_code = RXKADTICKETLEN;
1128 	if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1129 		goto protocol_error;
1130 
1131 	eproto = tracepoint_string("rxkad_rsp_unkkey");
1132 	abort_code = RXKADUNKNOWNKEY;
1133 	if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1134 		goto protocol_error;
1135 
1136 	/* extract the kerberos ticket and decrypt and decode it */
1137 	ret = -ENOMEM;
1138 	ticket = kmalloc(ticket_len, GFP_NOFS);
1139 	if (!ticket)
1140 		goto temporary_error;
1141 
1142 	eproto = tracepoint_string("rxkad_tkt_short");
1143 	abort_code = RXKADPACKETSHORT;
1144 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1145 			  ticket, ticket_len) < 0)
1146 		goto protocol_error_free;
1147 
1148 	ret = rxkad_decrypt_ticket(conn, skb, ticket, ticket_len, &session_key,
1149 				   &expiry, _abort_code);
1150 	if (ret < 0)
1151 		goto temporary_error_free_resp;
1152 
1153 	/* use the session key from inside the ticket to decrypt the
1154 	 * response */
1155 	rxkad_decrypt_response(conn, response, &session_key);
1156 
1157 	eproto = tracepoint_string("rxkad_rsp_param");
1158 	abort_code = RXKADSEALEDINCON;
1159 	if (ntohl(response->encrypted.epoch) != conn->proto.epoch)
1160 		goto protocol_error_free;
1161 	if (ntohl(response->encrypted.cid) != conn->proto.cid)
1162 		goto protocol_error_free;
1163 	if (ntohl(response->encrypted.securityIndex) != conn->security_ix)
1164 		goto protocol_error_free;
1165 	csum = response->encrypted.checksum;
1166 	response->encrypted.checksum = 0;
1167 	rxkad_calc_response_checksum(response);
1168 	eproto = tracepoint_string("rxkad_rsp_csum");
1169 	if (response->encrypted.checksum != csum)
1170 		goto protocol_error_free;
1171 
1172 	spin_lock(&conn->channel_lock);
1173 	for (i = 0; i < RXRPC_MAXCALLS; i++) {
1174 		struct rxrpc_call *call;
1175 		u32 call_id = ntohl(response->encrypted.call_id[i]);
1176 
1177 		eproto = tracepoint_string("rxkad_rsp_callid");
1178 		if (call_id > INT_MAX)
1179 			goto protocol_error_unlock;
1180 
1181 		eproto = tracepoint_string("rxkad_rsp_callctr");
1182 		if (call_id < conn->channels[i].call_counter)
1183 			goto protocol_error_unlock;
1184 
1185 		eproto = tracepoint_string("rxkad_rsp_callst");
1186 		if (call_id > conn->channels[i].call_counter) {
1187 			call = rcu_dereference_protected(
1188 				conn->channels[i].call,
1189 				lockdep_is_held(&conn->channel_lock));
1190 			if (call && call->state < RXRPC_CALL_COMPLETE)
1191 				goto protocol_error_unlock;
1192 			conn->channels[i].call_counter = call_id;
1193 		}
1194 	}
1195 	spin_unlock(&conn->channel_lock);
1196 
1197 	eproto = tracepoint_string("rxkad_rsp_seq");
1198 	abort_code = RXKADOUTOFSEQUENCE;
1199 	if (ntohl(response->encrypted.inc_nonce) != conn->security_nonce + 1)
1200 		goto protocol_error_free;
1201 
1202 	eproto = tracepoint_string("rxkad_rsp_level");
1203 	abort_code = RXKADLEVELFAIL;
1204 	level = ntohl(response->encrypted.level);
1205 	if (level > RXRPC_SECURITY_ENCRYPT)
1206 		goto protocol_error_free;
1207 	conn->params.security_level = level;
1208 
1209 	/* create a key to hold the security data and expiration time - after
1210 	 * this the connection security can be handled in exactly the same way
1211 	 * as for a client connection */
1212 	ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1213 	if (ret < 0)
1214 		goto temporary_error_free_ticket;
1215 
1216 	kfree(ticket);
1217 	kfree(response);
1218 	_leave(" = 0");
1219 	return 0;
1220 
1221 protocol_error_unlock:
1222 	spin_unlock(&conn->channel_lock);
1223 protocol_error_free:
1224 	kfree(ticket);
1225 protocol_error:
1226 	kfree(response);
1227 	trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1228 	*_abort_code = abort_code;
1229 	return -EPROTO;
1230 
1231 temporary_error_free_ticket:
1232 	kfree(ticket);
1233 temporary_error_free_resp:
1234 	kfree(response);
1235 temporary_error:
1236 	/* Ignore the response packet if we got a temporary error such as
1237 	 * ENOMEM.  We just want to send the challenge again.  Note that we
1238 	 * also come out this way if the ticket decryption fails.
1239 	 */
1240 	return ret;
1241 }
1242 
1243 /*
1244  * clear the connection security
1245  */
rxkad_clear(struct rxrpc_connection * conn)1246 static void rxkad_clear(struct rxrpc_connection *conn)
1247 {
1248 	_enter("");
1249 
1250 	if (conn->cipher)
1251 		crypto_free_sync_skcipher(conn->cipher);
1252 }
1253 
1254 /*
1255  * Initialise the rxkad security service.
1256  */
rxkad_init(void)1257 static int rxkad_init(void)
1258 {
1259 	struct crypto_sync_skcipher *tfm;
1260 	struct skcipher_request *req;
1261 
1262 	/* pin the cipher we need so that the crypto layer doesn't invoke
1263 	 * keventd to go get it */
1264 	tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
1265 	if (IS_ERR(tfm))
1266 		return PTR_ERR(tfm);
1267 
1268 	req = skcipher_request_alloc(&tfm->base, GFP_KERNEL);
1269 	if (!req)
1270 		goto nomem_tfm;
1271 
1272 	rxkad_ci_req = req;
1273 	rxkad_ci = tfm;
1274 	return 0;
1275 
1276 nomem_tfm:
1277 	crypto_free_sync_skcipher(tfm);
1278 	return -ENOMEM;
1279 }
1280 
1281 /*
1282  * Clean up the rxkad security service.
1283  */
rxkad_exit(void)1284 static void rxkad_exit(void)
1285 {
1286 	crypto_free_sync_skcipher(rxkad_ci);
1287 	skcipher_request_free(rxkad_ci_req);
1288 }
1289 
1290 /*
1291  * RxRPC Kerberos-based security
1292  */
1293 const struct rxrpc_security rxkad = {
1294 	.name				= "rxkad",
1295 	.security_index			= RXRPC_SECURITY_RXKAD,
1296 	.no_key_abort			= RXKADUNKNOWNKEY,
1297 	.init				= rxkad_init,
1298 	.exit				= rxkad_exit,
1299 	.init_connection_security	= rxkad_init_connection_security,
1300 	.prime_packet_security		= rxkad_prime_packet_security,
1301 	.secure_packet			= rxkad_secure_packet,
1302 	.verify_packet			= rxkad_verify_packet,
1303 	.free_call_crypto		= rxkad_free_call_crypto,
1304 	.locate_data			= rxkad_locate_data,
1305 	.issue_challenge		= rxkad_issue_challenge,
1306 	.respond_to_challenge		= rxkad_respond_to_challenge,
1307 	.verify_response		= rxkad_verify_response,
1308 	.clear				= rxkad_clear,
1309 };
1310