Linux Audio

Check our new training course

Loading...
v6.2
   1// SPDX-License-Identifier: GPL-2.0-or-later
   2/* Kerberos-based RxRPC security
   3 *
   4 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
   5 * Written by David Howells (dhowells@redhat.com)
 
 
 
 
 
   6 */
   7
   8#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
   9
  10#include <crypto/skcipher.h>
  11#include <linux/module.h>
  12#include <linux/net.h>
  13#include <linux/skbuff.h>
  14#include <linux/udp.h>
  15#include <linux/scatterlist.h>
  16#include <linux/ctype.h>
  17#include <linux/slab.h>
  18#include <linux/key-type.h>
  19#include <net/sock.h>
  20#include <net/af_rxrpc.h>
  21#include <keys/rxrpc-type.h>
  22#include "ar-internal.h"
  23
  24#define RXKAD_VERSION			2
  25#define MAXKRB5TICKETLEN		1024
  26#define RXKAD_TKT_TYPE_KERBEROS_V5	256
  27#define ANAME_SZ			40	/* size of authentication name */
  28#define INST_SZ				40	/* size of principal's instance */
  29#define REALM_SZ			40	/* size of principal's auth domain */
  30#define SNAME_SZ			40	/* size of service name */
  31#define RXKAD_ALIGN			8
  32
  33struct rxkad_level1_hdr {
  34	__be32	data_size;	/* true data size (excluding padding) */
  35};
  36
  37struct rxkad_level2_hdr {
  38	__be32	data_size;	/* true data size (excluding padding) */
  39	__be32	checksum;	/* decrypted data checksum */
  40};
  41
  42static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
  43				       struct crypto_sync_skcipher *ci);
  44
  45/*
  46 * this holds a pinned cipher so that keventd doesn't get called by the cipher
  47 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
  48 * packets
  49 */
  50static struct crypto_sync_skcipher *rxkad_ci;
  51static struct skcipher_request *rxkad_ci_req;
  52static DEFINE_MUTEX(rxkad_ci_mutex);
  53
  54/*
  55 * Parse the information from a server key
  56 *
  57 * The data should be the 8-byte secret key.
  58 */
  59static int rxkad_preparse_server_key(struct key_preparsed_payload *prep)
  60{
  61	struct crypto_skcipher *ci;
  62
  63	if (prep->datalen != 8)
  64		return -EINVAL;
  65
  66	memcpy(&prep->payload.data[2], prep->data, 8);
  67
  68	ci = crypto_alloc_skcipher("pcbc(des)", 0, CRYPTO_ALG_ASYNC);
  69	if (IS_ERR(ci)) {
  70		_leave(" = %ld", PTR_ERR(ci));
  71		return PTR_ERR(ci);
  72	}
  73
  74	if (crypto_skcipher_setkey(ci, prep->data, 8) < 0)
  75		BUG();
  76
  77	prep->payload.data[0] = ci;
  78	_leave(" = 0");
  79	return 0;
  80}
  81
  82static void rxkad_free_preparse_server_key(struct key_preparsed_payload *prep)
  83{
  84
  85	if (prep->payload.data[0])
  86		crypto_free_skcipher(prep->payload.data[0]);
  87}
  88
  89static void rxkad_destroy_server_key(struct key *key)
  90{
  91	if (key->payload.data[0]) {
  92		crypto_free_skcipher(key->payload.data[0]);
  93		key->payload.data[0] = NULL;
  94	}
  95}
  96
  97/*
  98 * initialise connection security
  99 */
 100static int rxkad_init_connection_security(struct rxrpc_connection *conn,
 101					  struct rxrpc_key_token *token)
 102{
 103	struct crypto_sync_skcipher *ci;
 
 104	int ret;
 105
 106	_enter("{%d},{%x}", conn->debug_id, key_serial(conn->key));
 107
 
 108	conn->security_ix = token->security_index;
 109
 110	ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
 111	if (IS_ERR(ci)) {
 112		_debug("no cipher");
 113		ret = PTR_ERR(ci);
 114		goto error;
 115	}
 116
 117	if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
 118				   sizeof(token->kad->session_key)) < 0)
 119		BUG();
 120
 121	switch (conn->security_level) {
 122	case RXRPC_SECURITY_PLAIN:
 
 123	case RXRPC_SECURITY_AUTH:
 
 
 
 124	case RXRPC_SECURITY_ENCRYPT:
 
 
 125		break;
 126	default:
 127		ret = -EKEYREJECTED;
 128		goto error;
 129	}
 130
 131	ret = rxkad_prime_packet_security(conn, ci);
 132	if (ret < 0)
 133		goto error_ci;
 134
 135	conn->rxkad.cipher = ci;
 136	return 0;
 137
 138error_ci:
 139	crypto_free_sync_skcipher(ci);
 140error:
 141	_leave(" = %d", ret);
 142	return ret;
 143}
 144
 145/*
 146 * Work out how much data we can put in a packet.
 147 */
 148static int rxkad_how_much_data(struct rxrpc_call *call, size_t remain,
 149			       size_t *_buf_size, size_t *_data_size, size_t *_offset)
 150{
 151	size_t shdr, buf_size, chunk;
 152
 153	switch (call->conn->security_level) {
 154	default:
 155		buf_size = chunk = min_t(size_t, remain, RXRPC_JUMBO_DATALEN);
 156		shdr = 0;
 157		goto out;
 158	case RXRPC_SECURITY_AUTH:
 159		shdr = sizeof(struct rxkad_level1_hdr);
 160		break;
 161	case RXRPC_SECURITY_ENCRYPT:
 162		shdr = sizeof(struct rxkad_level2_hdr);
 163		break;
 164	}
 165
 166	buf_size = round_down(RXRPC_JUMBO_DATALEN, RXKAD_ALIGN);
 167
 168	chunk = buf_size - shdr;
 169	if (remain < chunk)
 170		buf_size = round_up(shdr + remain, RXKAD_ALIGN);
 171
 172out:
 173	*_buf_size = buf_size;
 174	*_data_size = chunk;
 175	*_offset = shdr;
 176	return 0;
 177}
 178
 179/*
 180 * prime the encryption state with the invariant parts of a connection's
 181 * description
 182 */
 183static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
 184				       struct crypto_sync_skcipher *ci)
 185{
 186	struct skcipher_request *req;
 187	struct rxrpc_key_token *token;
 
 188	struct scatterlist sg;
 189	struct rxrpc_crypt iv;
 190	__be32 *tmpbuf;
 191	size_t tmpsize = 4 * sizeof(__be32);
 192
 193	_enter("");
 194
 195	if (!conn->key)
 196		return 0;
 197
 198	tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
 199	if (!tmpbuf)
 200		return -ENOMEM;
 201
 202	req = skcipher_request_alloc(&ci->base, GFP_NOFS);
 203	if (!req) {
 204		kfree(tmpbuf);
 205		return -ENOMEM;
 206	}
 207
 208	token = conn->key->payload.data[0];
 209	memcpy(&iv, token->kad->session_key, sizeof(iv));
 210
 211	tmpbuf[0] = htonl(conn->proto.epoch);
 212	tmpbuf[1] = htonl(conn->proto.cid);
 213	tmpbuf[2] = 0;
 214	tmpbuf[3] = htonl(conn->security_ix);
 215
 216	sg_init_one(&sg, tmpbuf, tmpsize);
 217	skcipher_request_set_sync_tfm(req, ci);
 218	skcipher_request_set_callback(req, 0, NULL, NULL);
 219	skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
 220	crypto_skcipher_encrypt(req);
 221	skcipher_request_free(req);
 222
 223	memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv));
 224	kfree(tmpbuf);
 225	_leave(" = 0");
 226	return 0;
 227}
 228
 229/*
 230 * Allocate and prepare the crypto request on a call.  For any particular call,
 231 * this is called serially for the packets, so no lock should be necessary.
 232 */
 233static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call)
 234{
 235	struct crypto_skcipher *tfm = &call->conn->rxkad.cipher->base;
 236
 237	return skcipher_request_alloc(tfm, GFP_NOFS);
 238}
 239
 240/*
 241 * Clean up the crypto on a call.
 242 */
 243static void rxkad_free_call_crypto(struct rxrpc_call *call)
 244{
 245}
 246
 247/*
 248 * partially encrypt a packet (level 1 security)
 249 */
 250static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
 251				    struct rxrpc_txbuf *txb,
 252				    struct skcipher_request *req)
 
 253{
 254	struct rxkad_level1_hdr *hdr = (void *)txb->data;
 
 
 255	struct rxrpc_crypt iv;
 256	struct scatterlist sg;
 257	size_t pad;
 258	u16 check;
 259
 260	_enter("");
 261
 262	check = txb->seq ^ ntohl(txb->wire.callNumber);
 263	hdr->data_size = htonl((u32)check << 16 | txb->len);
 264
 265	txb->len += sizeof(struct rxkad_level1_hdr);
 266	pad = txb->len;
 267	pad = RXKAD_ALIGN - pad;
 268	pad &= RXKAD_ALIGN - 1;
 269	if (pad) {
 270		memset(txb->data + txb->offset, 0, pad);
 271		txb->len += pad;
 272	}
 273
 274	/* start the encryption afresh */
 275	memset(&iv, 0, sizeof(iv));
 276
 277	sg_init_one(&sg, txb->data, 8);
 278	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
 279	skcipher_request_set_callback(req, 0, NULL, NULL);
 280	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
 281	crypto_skcipher_encrypt(req);
 282	skcipher_request_zero(req);
 283
 284	_leave(" = 0");
 285	return 0;
 286}
 287
 288/*
 289 * wholly encrypt a packet (level 2 security)
 290 */
 291static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
 292				       struct rxrpc_txbuf *txb,
 293				       struct skcipher_request *req)
 
 294{
 295	const struct rxrpc_key_token *token;
 296	struct rxkad_level2_hdr *rxkhdr = (void *)txb->data;
 
 
 297	struct rxrpc_crypt iv;
 298	struct scatterlist sg;
 299	size_t pad;
 
 300	u16 check;
 301	int ret;
 
 302
 303	_enter("");
 304
 305	check = txb->seq ^ ntohl(txb->wire.callNumber);
 306
 307	rxkhdr->data_size = htonl(txb->len | (u32)check << 16);
 308	rxkhdr->checksum = 0;
 309
 310	txb->len += sizeof(struct rxkad_level2_hdr);
 311	pad = txb->len;
 312	pad = RXKAD_ALIGN - pad;
 313	pad &= RXKAD_ALIGN - 1;
 314	if (pad) {
 315		memset(txb->data + txb->offset, 0, pad);
 316		txb->len += pad;
 317	}
 318
 319	/* encrypt from the session key */
 320	token = call->conn->key->payload.data[0];
 321	memcpy(&iv, token->kad->session_key, sizeof(iv));
 322
 323	sg_init_one(&sg, txb->data, txb->len);
 324	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
 325	skcipher_request_set_callback(req, 0, NULL, NULL);
 326	skcipher_request_set_crypt(req, &sg, &sg, txb->len, iv.x);
 327	ret = crypto_skcipher_encrypt(req);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 328	skcipher_request_zero(req);
 329	return ret;
 330}
 331
 332/*
 333 * checksum an RxRPC packet header
 334 */
 335static int rxkad_secure_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb)
 
 
 
 336{
 337	struct skcipher_request	*req;
 
 338	struct rxrpc_crypt iv;
 339	struct scatterlist sg;
 340	union {
 341		__be32 buf[2];
 342	} crypto __aligned(8);
 343	u32 x, y;
 344	int ret;
 345
 346	_enter("{%d{%x}},{#%u},%u,",
 347	       call->debug_id, key_serial(call->conn->key),
 348	       txb->seq, txb->len);
 
 
 349
 350	if (!call->conn->rxkad.cipher)
 351		return 0;
 352
 353	ret = key_validate(call->conn->key);
 354	if (ret < 0)
 355		return ret;
 356
 357	req = rxkad_get_call_crypto(call);
 358	if (!req)
 359		return -ENOMEM;
 360
 361	/* continue encrypting from where we left off */
 362	memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
 363
 364	/* calculate the security checksum */
 365	x = (ntohl(txb->wire.cid) & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
 366	x |= txb->seq & 0x3fffffff;
 367	crypto.buf[0] = txb->wire.callNumber;
 368	crypto.buf[1] = htonl(x);
 369
 370	sg_init_one(&sg, crypto.buf, 8);
 371	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
 372	skcipher_request_set_callback(req, 0, NULL, NULL);
 373	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
 374	crypto_skcipher_encrypt(req);
 375	skcipher_request_zero(req);
 376
 377	y = ntohl(crypto.buf[1]);
 378	y = (y >> 16) & 0xffff;
 379	if (y == 0)
 380		y = 1; /* zero checksums are not permitted */
 381	txb->wire.cksum = htons(y);
 382
 383	switch (call->conn->security_level) {
 384	case RXRPC_SECURITY_PLAIN:
 385		ret = 0;
 386		break;
 387	case RXRPC_SECURITY_AUTH:
 388		ret = rxkad_secure_packet_auth(call, txb, req);
 389		break;
 390	case RXRPC_SECURITY_ENCRYPT:
 391		ret = rxkad_secure_packet_encrypt(call, txb, req);
 
 392		break;
 393	default:
 394		ret = -EPERM;
 395		break;
 396	}
 397
 398	skcipher_request_free(req);
 399	_leave(" = %d [set %x]", ret, y);
 400	return ret;
 401}
 402
 403/*
 404 * decrypt partial encryption on a packet (level 1 security)
 405 */
 406static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
 407				 rxrpc_seq_t seq,
 408				 struct skcipher_request *req)
 409{
 410	struct rxkad_level1_hdr sechdr;
 411	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 412	struct rxrpc_crypt iv;
 413	struct scatterlist sg[16];
 
 
 414	u32 data_size, buf;
 415	u16 check;
 416	int ret;
 417
 418	_enter("");
 419
 420	if (sp->len < 8)
 421		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
 422					  rxkad_abort_1_short_header);
 
 
 423
 424	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
 425	 * directly into the target buffer.
 426	 */
 427	sg_init_table(sg, ARRAY_SIZE(sg));
 428	ret = skb_to_sgvec(skb, sg, sp->offset, 8);
 
 
 
 
 429	if (unlikely(ret < 0))
 430		return ret;
 431
 432	/* start the decryption afresh */
 433	memset(&iv, 0, sizeof(iv));
 434
 435	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
 436	skcipher_request_set_callback(req, 0, NULL, NULL);
 437	skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
 438	crypto_skcipher_decrypt(req);
 439	skcipher_request_zero(req);
 440
 441	/* Extract the decrypted packet length */
 442	if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
 443		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
 444					  rxkad_abort_1_short_encdata);
 445	sp->offset += sizeof(sechdr);
 446	sp->len    -= sizeof(sechdr);
 
 
 447
 448	buf = ntohl(sechdr.data_size);
 449	data_size = buf & 0xffff;
 450
 451	check = buf >> 16;
 452	check ^= seq ^ call->call_id;
 453	check &= 0xffff;
 454	if (check != 0)
 455		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
 456					  rxkad_abort_1_short_check);
 457	if (data_size > sp->len)
 458		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
 459					  rxkad_abort_1_short_data);
 460	sp->len = data_size;
 
 
 
 
 461
 462	_leave(" = 0 [dlen=%x]", data_size);
 463	return 0;
 
 
 
 
 
 
 
 
 
 464}
 465
 466/*
 467 * wholly decrypt a packet (level 2 security)
 468 */
 469static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
 470				 rxrpc_seq_t seq,
 471				 struct skcipher_request *req)
 472{
 473	const struct rxrpc_key_token *token;
 474	struct rxkad_level2_hdr sechdr;
 475	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 476	struct rxrpc_crypt iv;
 477	struct scatterlist _sg[4], *sg;
 
 
 478	u32 data_size, buf;
 479	u16 check;
 480	int nsg, ret;
 481
 482	_enter(",{%d}", sp->len);
 483
 484	if (sp->len < 8)
 485		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
 486					  rxkad_abort_2_short_header);
 
 
 487
 488	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
 489	 * directly into the target buffer.
 490	 */
 
 
 
 
 491	sg = _sg;
 492	nsg = skb_shinfo(skb)->nr_frags + 1;
 493	if (nsg <= 4) {
 494		nsg = 4;
 495	} else {
 496		sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
 497		if (!sg)
 498			return -ENOMEM;
 499	}
 500
 501	sg_init_table(sg, nsg);
 502	ret = skb_to_sgvec(skb, sg, sp->offset, sp->len);
 503	if (unlikely(ret < 0)) {
 504		if (sg != _sg)
 505			kfree(sg);
 506		return ret;
 507	}
 508
 509	/* decrypt from the session key */
 510	token = call->conn->key->payload.data[0];
 511	memcpy(&iv, token->kad->session_key, sizeof(iv));
 512
 513	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
 514	skcipher_request_set_callback(req, 0, NULL, NULL);
 515	skcipher_request_set_crypt(req, sg, sg, sp->len, iv.x);
 516	crypto_skcipher_decrypt(req);
 517	skcipher_request_zero(req);
 518	if (sg != _sg)
 519		kfree(sg);
 520
 521	/* Extract the decrypted packet length */
 522	if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
 523		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
 524					  rxkad_abort_2_short_len);
 525	sp->offset += sizeof(sechdr);
 526	sp->len    -= sizeof(sechdr);
 
 
 527
 528	buf = ntohl(sechdr.data_size);
 529	data_size = buf & 0xffff;
 530
 531	check = buf >> 16;
 532	check ^= seq ^ call->call_id;
 533	check &= 0xffff;
 534	if (check != 0)
 535		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
 536					  rxkad_abort_2_short_check);
 537
 538	if (data_size > sp->len)
 539		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
 540					  rxkad_abort_2_short_data);
 
 
 
 
 541
 542	sp->len = data_size;
 543	_leave(" = 0 [dlen=%x]", data_size);
 544	return 0;
 
 
 
 
 
 
 
 
 
 545}
 546
 547/*
 548 * Verify the security on a received packet and the subpackets therein.
 
 549 */
 550static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb)
 
 
 551{
 552	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 553	struct skcipher_request	*req;
 554	struct rxrpc_crypt iv;
 555	struct scatterlist sg;
 556	union {
 557		__be32 buf[2];
 558	} crypto __aligned(8);
 559	rxrpc_seq_t seq = sp->hdr.seq;
 560	int ret;
 561	u16 cksum;
 562	u32 x, y;
 563
 564	_enter("{%d{%x}},{#%u}",
 565	       call->debug_id, key_serial(call->conn->key), seq);
 566
 567	if (!call->conn->rxkad.cipher)
 568		return 0;
 569
 570	req = rxkad_get_call_crypto(call);
 571	if (!req)
 572		return -ENOMEM;
 573
 574	/* continue encrypting from where we left off */
 575	memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
 576
 577	/* validate the security checksum */
 578	x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
 579	x |= seq & 0x3fffffff;
 580	crypto.buf[0] = htonl(call->call_id);
 581	crypto.buf[1] = htonl(x);
 582
 583	sg_init_one(&sg, crypto.buf, 8);
 584	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
 585	skcipher_request_set_callback(req, 0, NULL, NULL);
 586	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
 587	crypto_skcipher_encrypt(req);
 588	skcipher_request_zero(req);
 589
 590	y = ntohl(crypto.buf[1]);
 591	cksum = (y >> 16) & 0xffff;
 592	if (cksum == 0)
 593		cksum = 1; /* zero checksums are not permitted */
 594
 595	if (cksum != sp->hdr.cksum) {
 596		ret = rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
 597					 rxkad_abort_bad_checksum);
 598		goto out;
 599	}
 600
 601	switch (call->conn->security_level) {
 602	case RXRPC_SECURITY_PLAIN:
 603		ret = 0;
 604		break;
 605	case RXRPC_SECURITY_AUTH:
 606		ret = rxkad_verify_packet_1(call, skb, seq, req);
 607		break;
 608	case RXRPC_SECURITY_ENCRYPT:
 609		ret = rxkad_verify_packet_2(call, skb, seq, req);
 610		break;
 611	default:
 612		ret = -ENOANO;
 613		break;
 614	}
 615
 616out:
 617	skcipher_request_free(req);
 618	return ret;
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 619}
 620
 621/*
 622 * issue a challenge
 623 */
 624static int rxkad_issue_challenge(struct rxrpc_connection *conn)
 625{
 626	struct rxkad_challenge challenge;
 627	struct rxrpc_wire_header whdr;
 628	struct msghdr msg;
 629	struct kvec iov[2];
 630	size_t len;
 631	u32 serial;
 632	int ret;
 633
 634	_enter("{%d}", conn->debug_id);
 635
 636	get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce));
 
 
 
 
 637
 638	challenge.version	= htonl(2);
 639	challenge.nonce		= htonl(conn->rxkad.nonce);
 640	challenge.min_level	= htonl(0);
 641	challenge.__padding	= 0;
 642
 643	msg.msg_name	= &conn->peer->srx.transport;
 644	msg.msg_namelen	= conn->peer->srx.transport_len;
 645	msg.msg_control	= NULL;
 646	msg.msg_controllen = 0;
 647	msg.msg_flags	= 0;
 648
 649	whdr.epoch	= htonl(conn->proto.epoch);
 650	whdr.cid	= htonl(conn->proto.cid);
 651	whdr.callNumber	= 0;
 652	whdr.seq	= 0;
 653	whdr.type	= RXRPC_PACKET_TYPE_CHALLENGE;
 654	whdr.flags	= conn->out_clientflag;
 655	whdr.userStatus	= 0;
 656	whdr.securityIndex = conn->security_ix;
 657	whdr._rsvd	= 0;
 658	whdr.serviceId	= htons(conn->service_id);
 659
 660	iov[0].iov_base	= &whdr;
 661	iov[0].iov_len	= sizeof(whdr);
 662	iov[1].iov_base	= &challenge;
 663	iov[1].iov_len	= sizeof(challenge);
 664
 665	len = iov[0].iov_len + iov[1].iov_len;
 666
 667	serial = atomic_inc_return(&conn->serial);
 668	whdr.serial = htonl(serial);
 
 669
 670	ret = kernel_sendmsg(conn->local->socket, &msg, iov, 2, len);
 671	if (ret < 0) {
 672		trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
 673				    rxrpc_tx_point_rxkad_challenge);
 674		return -EAGAIN;
 675	}
 676
 677	conn->peer->last_tx_at = ktime_get_seconds();
 678	trace_rxrpc_tx_packet(conn->debug_id, &whdr,
 679			      rxrpc_tx_point_rxkad_challenge);
 680	_leave(" = 0");
 681	return 0;
 682}
 683
 684/*
 685 * send a Kerberos security response
 686 */
 687static int rxkad_send_response(struct rxrpc_connection *conn,
 688			       struct rxrpc_host_header *hdr,
 689			       struct rxkad_response *resp,
 690			       const struct rxkad_key *s2)
 691{
 692	struct rxrpc_wire_header whdr;
 693	struct msghdr msg;
 694	struct kvec iov[3];
 695	size_t len;
 696	u32 serial;
 697	int ret;
 698
 699	_enter("");
 700
 701	msg.msg_name	= &conn->peer->srx.transport;
 702	msg.msg_namelen	= conn->peer->srx.transport_len;
 703	msg.msg_control	= NULL;
 704	msg.msg_controllen = 0;
 705	msg.msg_flags	= 0;
 706
 707	memset(&whdr, 0, sizeof(whdr));
 708	whdr.epoch	= htonl(hdr->epoch);
 709	whdr.cid	= htonl(hdr->cid);
 710	whdr.type	= RXRPC_PACKET_TYPE_RESPONSE;
 711	whdr.flags	= conn->out_clientflag;
 712	whdr.securityIndex = hdr->securityIndex;
 713	whdr.serviceId	= htons(hdr->serviceId);
 714
 715	iov[0].iov_base	= &whdr;
 716	iov[0].iov_len	= sizeof(whdr);
 717	iov[1].iov_base	= resp;
 718	iov[1].iov_len	= sizeof(*resp);
 719	iov[2].iov_base	= (void *)s2->ticket;
 720	iov[2].iov_len	= s2->ticket_len;
 721
 722	len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
 723
 724	serial = atomic_inc_return(&conn->serial);
 725	whdr.serial = htonl(serial);
 
 726
 727	ret = kernel_sendmsg(conn->local->socket, &msg, iov, 3, len);
 728	if (ret < 0) {
 729		trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
 730				    rxrpc_tx_point_rxkad_response);
 731		return -EAGAIN;
 732	}
 733
 734	conn->peer->last_tx_at = ktime_get_seconds();
 735	_leave(" = 0");
 736	return 0;
 737}
 738
 739/*
 740 * calculate the response checksum
 741 */
 742static void rxkad_calc_response_checksum(struct rxkad_response *response)
 743{
 744	u32 csum = 1000003;
 745	int loop;
 746	u8 *p = (u8 *) response;
 747
 748	for (loop = sizeof(*response); loop > 0; loop--)
 749		csum = csum * 0x10204081 + *p++;
 750
 751	response->encrypted.checksum = htonl(csum);
 752}
 753
 754/*
 755 * encrypt the response packet
 756 */
 757static int rxkad_encrypt_response(struct rxrpc_connection *conn,
 758				  struct rxkad_response *resp,
 759				  const struct rxkad_key *s2)
 760{
 761	struct skcipher_request *req;
 762	struct rxrpc_crypt iv;
 763	struct scatterlist sg[1];
 764
 765	req = skcipher_request_alloc(&conn->rxkad.cipher->base, GFP_NOFS);
 766	if (!req)
 767		return -ENOMEM;
 768
 769	/* continue encrypting from where we left off */
 770	memcpy(&iv, s2->session_key, sizeof(iv));
 771
 772	sg_init_table(sg, 1);
 773	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
 774	skcipher_request_set_sync_tfm(req, conn->rxkad.cipher);
 775	skcipher_request_set_callback(req, 0, NULL, NULL);
 776	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
 777	crypto_skcipher_encrypt(req);
 778	skcipher_request_free(req);
 779	return 0;
 780}
 781
 782/*
 783 * respond to a challenge packet
 784 */
 785static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
 786				      struct sk_buff *skb)
 
 787{
 788	const struct rxrpc_key_token *token;
 789	struct rxkad_challenge challenge;
 790	struct rxkad_response *resp;
 791	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 792	u32 version, nonce, min_level;
 793	int ret = -EPROTO;
 
 794
 795	_enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
 796
 797	if (!conn->key)
 798		return rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO,
 799					rxkad_abort_chall_no_key);
 
 800
 801	ret = key_validate(conn->key);
 
 802	if (ret < 0)
 803		return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
 804					rxkad_abort_chall_key_expired);
 805
 
 
 806	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
 807			  &challenge, sizeof(challenge)) < 0)
 808		return rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
 809					rxkad_abort_chall_short);
 810
 811	version = ntohl(challenge.version);
 812	nonce = ntohl(challenge.nonce);
 813	min_level = ntohl(challenge.min_level);
 814
 815	trace_rxrpc_rx_challenge(conn, sp->hdr.serial, version, nonce, min_level);
 
 816
 
 
 817	if (version != RXKAD_VERSION)
 818		return rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
 819					rxkad_abort_chall_version);
 820
 821	if (conn->security_level < min_level)
 822		return rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EACCES,
 823					rxkad_abort_chall_level);
 
 824
 825	token = conn->key->payload.data[0];
 826
 827	/* build the response packet */
 828	resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
 829	if (!resp)
 830		return -ENOMEM;
 831
 832	resp->version			= htonl(RXKAD_VERSION);
 833	resp->encrypted.epoch		= htonl(conn->proto.epoch);
 834	resp->encrypted.cid		= htonl(conn->proto.cid);
 835	resp->encrypted.securityIndex	= htonl(conn->security_ix);
 836	resp->encrypted.inc_nonce	= htonl(nonce + 1);
 837	resp->encrypted.level		= htonl(conn->security_level);
 838	resp->kvno			= htonl(token->kad->kvno);
 839	resp->ticket_len		= htonl(token->kad->ticket_len);
 840	resp->encrypted.call_id[0]	= htonl(conn->channels[0].call_counter);
 841	resp->encrypted.call_id[1]	= htonl(conn->channels[1].call_counter);
 842	resp->encrypted.call_id[2]	= htonl(conn->channels[2].call_counter);
 843	resp->encrypted.call_id[3]	= htonl(conn->channels[3].call_counter);
 844
 845	/* calculate the response checksum and then do the encryption */
 846	rxkad_calc_response_checksum(resp);
 847	ret = rxkad_encrypt_response(conn, resp, token->kad);
 848	if (ret == 0)
 849		ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad);
 850	kfree(resp);
 851	return ret;
 
 
 
 
 
 
 
 852}
 853
 854/*
 855 * decrypt the kerberos IV ticket in the response
 856 */
 857static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
 858				struct key *server_key,
 859				struct sk_buff *skb,
 860				void *ticket, size_t ticket_len,
 861				struct rxrpc_crypt *_session_key,
 862				time64_t *_expiry)
 
 863{
 864	struct skcipher_request *req;
 
 865	struct rxrpc_crypt iv, key;
 866	struct scatterlist sg[1];
 867	struct in_addr addr;
 868	unsigned int life;
 
 869	time64_t issue, now;
 870	bool little_endian;
 
 
 871	u8 *p, *q, *name, *end;
 872
 873	_enter("{%d},{%x}", conn->debug_id, key_serial(server_key));
 874
 875	*_expiry = 0;
 876
 877	ASSERT(server_key->payload.data[0] != NULL);
 
 
 
 
 
 
 
 
 
 
 
 
 878	ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
 879
 880	memcpy(&iv, &server_key->payload.data[2], sizeof(iv));
 881
 882	req = skcipher_request_alloc(server_key->payload.data[0], GFP_NOFS);
 
 
 883	if (!req)
 884		return -ENOMEM;
 885
 886	sg_init_one(&sg[0], ticket, ticket_len);
 887	skcipher_request_set_callback(req, 0, NULL, NULL);
 888	skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
 889	crypto_skcipher_decrypt(req);
 890	skcipher_request_free(req);
 891
 892	p = ticket;
 893	end = p + ticket_len;
 894
 895#define Z(field, fieldl)						\
 896	({								\
 897		u8 *__str = p;						\
 898		q = memchr(p, 0, end - p);				\
 899		if (!q || q - p > field##_SZ)				\
 900			return rxrpc_abort_conn(			\
 901				conn, skb, RXKADBADTICKET, -EPROTO,	\
 902				rxkad_abort_resp_tkt_##fieldl);		\
 903		for (; p < q; p++)					\
 904			if (!isprint(*p))				\
 905				return rxrpc_abort_conn(		\
 906					conn, skb, RXKADBADTICKET, -EPROTO, \
 907					rxkad_abort_resp_tkt_##fieldl);	\
 908		p++;							\
 909		__str;							\
 910	})
 911
 912	/* extract the ticket flags */
 913	_debug("KIV FLAGS: %x", *p);
 914	little_endian = *p & 1;
 915	p++;
 916
 917	/* extract the authentication name */
 918	name = Z(ANAME, aname);
 919	_debug("KIV ANAME: %s", name);
 920
 921	/* extract the principal's instance */
 922	name = Z(INST, inst);
 923	_debug("KIV INST : %s", name);
 924
 925	/* extract the principal's authentication domain */
 926	name = Z(REALM, realm);
 927	_debug("KIV REALM: %s", name);
 928
 
 929	if (end - p < 4 + 8 + 4 + 2)
 930		return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO,
 931					rxkad_abort_resp_tkt_short);
 932
 933	/* get the IPv4 address of the entity that requested the ticket */
 934	memcpy(&addr, p, sizeof(addr));
 935	p += 4;
 936	_debug("KIV ADDR : %pI4", &addr);
 937
 938	/* get the session key from the ticket */
 939	memcpy(&key, p, sizeof(key));
 940	p += 8;
 941	_debug("KIV KEY  : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
 942	memcpy(_session_key, &key, sizeof(key));
 943
 944	/* get the ticket's lifetime */
 945	life = *p++ * 5 * 60;
 946	_debug("KIV LIFE : %u", life);
 947
 948	/* get the issue time of the ticket */
 949	if (little_endian) {
 950		__le32 stamp;
 951		memcpy(&stamp, p, 4);
 952		issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
 953	} else {
 954		__be32 stamp;
 955		memcpy(&stamp, p, 4);
 956		issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
 957	}
 958	p += 4;
 959	now = ktime_get_real_seconds();
 960	_debug("KIV ISSUE: %llx [%llx]", issue, now);
 961
 962	/* check the ticket is in date */
 963	if (issue > now)
 964		return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, -EKEYREJECTED,
 965					rxkad_abort_resp_tkt_future);
 966	if (issue < now - life)
 967		return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, -EKEYEXPIRED,
 968					rxkad_abort_resp_tkt_expired);
 
 
 
 
 
 969
 970	*_expiry = issue + life;
 971
 972	/* get the service name */
 973	name = Z(SNAME, sname);
 974	_debug("KIV SNAME: %s", name);
 975
 976	/* get the service instance name */
 977	name = Z(INST, sinst);
 978	_debug("KIV SINST: %s", name);
 979	return 0;
 
 
 
 
 
 
 
 
 
 
 980}
 981
 982/*
 983 * decrypt the response packet
 984 */
 985static void rxkad_decrypt_response(struct rxrpc_connection *conn,
 986				   struct rxkad_response *resp,
 987				   const struct rxrpc_crypt *session_key)
 988{
 989	struct skcipher_request *req = rxkad_ci_req;
 990	struct scatterlist sg[1];
 991	struct rxrpc_crypt iv;
 992
 993	_enter(",,%08x%08x",
 994	       ntohl(session_key->n[0]), ntohl(session_key->n[1]));
 995
 
 
 996	mutex_lock(&rxkad_ci_mutex);
 997	if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
 998					sizeof(*session_key)) < 0)
 999		BUG();
1000
1001	memcpy(&iv, session_key, sizeof(iv));
1002
1003	sg_init_table(sg, 1);
1004	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1005	skcipher_request_set_sync_tfm(req, rxkad_ci);
1006	skcipher_request_set_callback(req, 0, NULL, NULL);
1007	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1008	crypto_skcipher_decrypt(req);
1009	skcipher_request_zero(req);
1010
1011	mutex_unlock(&rxkad_ci_mutex);
1012
1013	_leave("");
1014}
1015
1016/*
1017 * verify a response
1018 */
1019static int rxkad_verify_response(struct rxrpc_connection *conn,
1020				 struct sk_buff *skb)
 
1021{
1022	struct rxkad_response *response;
1023	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1024	struct rxrpc_crypt session_key;
1025	struct key *server_key;
1026	time64_t expiry;
1027	void *ticket;
1028	u32 version, kvno, ticket_len, level;
1029	__be32 csum;
1030	int ret, i;
1031
1032	_enter("{%d}", conn->debug_id);
1033
1034	server_key = rxrpc_look_up_server_security(conn, skb, 0, 0);
1035	if (IS_ERR(server_key)) {
1036		ret = PTR_ERR(server_key);
1037		switch (ret) {
1038		case -ENOKEY:
1039			return rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, ret,
1040						rxkad_abort_resp_nokey);
1041		case -EKEYEXPIRED:
1042			return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
1043						rxkad_abort_resp_key_expired);
1044		default:
1045			return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, ret,
1046						rxkad_abort_resp_key_rejected);
1047		}
1048	}
1049
1050	ret = -ENOMEM;
1051	response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1052	if (!response)
1053		goto temporary_error;
1054
 
 
1055	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1056			  response, sizeof(*response)) < 0) {
1057		rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1058				 rxkad_abort_resp_short);
1059		goto protocol_error;
1060	}
 
1061
1062	version = ntohl(response->version);
1063	ticket_len = ntohl(response->ticket_len);
1064	kvno = ntohl(response->kvno);
 
 
1065
1066	trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len);
1067
1068	if (version != RXKAD_VERSION) {
1069		rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
1070				 rxkad_abort_resp_version);
1071		goto protocol_error;
1072	}
1073
1074	if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) {
1075		rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO,
1076				 rxkad_abort_resp_tkt_len);
1077		goto protocol_error;
1078	}
1079
1080	if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) {
1081		rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO,
1082				 rxkad_abort_resp_unknown_tkt);
1083		goto protocol_error;
1084	}
1085
1086	/* extract the kerberos ticket and decrypt and decode it */
1087	ret = -ENOMEM;
1088	ticket = kmalloc(ticket_len, GFP_NOFS);
1089	if (!ticket)
1090		goto temporary_error_free_resp;
1091
1092	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response),
1093			  ticket, ticket_len) < 0) {
1094		rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1095				 rxkad_abort_resp_short_tkt);
1096		goto protocol_error;
1097	}
1098
1099	ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len,
1100				   &session_key, &expiry);
1101	if (ret < 0)
1102		goto temporary_error_free_ticket;
1103
1104	/* use the session key from inside the ticket to decrypt the
1105	 * response */
1106	rxkad_decrypt_response(conn, response, &session_key);
1107
1108	if (ntohl(response->encrypted.epoch) != conn->proto.epoch ||
1109	    ntohl(response->encrypted.cid) != conn->proto.cid ||
1110	    ntohl(response->encrypted.securityIndex) != conn->security_ix) {
1111		rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1112				 rxkad_abort_resp_bad_param);
 
 
1113		goto protocol_error_free;
1114	}
1115
1116	csum = response->encrypted.checksum;
1117	response->encrypted.checksum = 0;
1118	rxkad_calc_response_checksum(response);
1119	if (response->encrypted.checksum != csum) {
1120		rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1121				 rxkad_abort_resp_bad_checksum);
1122		goto protocol_error_free;
1123	}
1124
 
1125	for (i = 0; i < RXRPC_MAXCALLS; i++) {
 
1126		u32 call_id = ntohl(response->encrypted.call_id[i]);
1127		u32 counter = READ_ONCE(conn->channels[i].call_counter);
1128
1129		if (call_id > INT_MAX) {
1130			rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1131					 rxkad_abort_resp_bad_callid);
1132			goto protocol_error_free;
1133		}
1134
1135		if (call_id < counter) {
1136			rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1137					 rxkad_abort_resp_call_ctr);
1138			goto protocol_error_free;
1139		}
1140
1141		if (call_id > counter) {
1142			if (conn->channels[i].call) {
1143				rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1144						 rxkad_abort_resp_call_state);
1145				goto protocol_error_free;
1146			}
 
 
 
 
 
 
 
 
 
1147			conn->channels[i].call_counter = call_id;
1148		}
1149	}
 
1150
1151	if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) {
1152		rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO,
1153				 rxkad_abort_resp_ooseq);
1154		goto protocol_error_free;
1155	}
1156
 
 
1157	level = ntohl(response->encrypted.level);
1158	if (level > RXRPC_SECURITY_ENCRYPT) {
1159		rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO,
1160				 rxkad_abort_resp_level);
1161		goto protocol_error_free;
1162	}
1163	conn->security_level = level;
1164
1165	/* create a key to hold the security data and expiration time - after
1166	 * this the connection security can be handled in exactly the same way
1167	 * as for a client connection */
1168	ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1169	if (ret < 0)
1170		goto temporary_error_free_ticket;
1171
1172	kfree(ticket);
1173	kfree(response);
1174	_leave(" = 0");
1175	return 0;
1176
 
 
1177protocol_error_free:
1178	kfree(ticket);
1179protocol_error:
1180	kfree(response);
1181	key_put(server_key);
 
1182	return -EPROTO;
1183
1184temporary_error_free_ticket:
1185	kfree(ticket);
1186temporary_error_free_resp:
1187	kfree(response);
1188temporary_error:
1189	/* Ignore the response packet if we got a temporary error such as
1190	 * ENOMEM.  We just want to send the challenge again.  Note that we
1191	 * also come out this way if the ticket decryption fails.
1192	 */
1193	key_put(server_key);
1194	return ret;
1195}
1196
1197/*
1198 * clear the connection security
1199 */
1200static void rxkad_clear(struct rxrpc_connection *conn)
1201{
1202	_enter("");
1203
1204	if (conn->rxkad.cipher)
1205		crypto_free_sync_skcipher(conn->rxkad.cipher);
1206}
1207
1208/*
1209 * Initialise the rxkad security service.
1210 */
1211static int rxkad_init(void)
1212{
1213	struct crypto_sync_skcipher *tfm;
1214	struct skcipher_request *req;
1215
1216	/* pin the cipher we need so that the crypto layer doesn't invoke
1217	 * keventd to go get it */
1218	tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
1219	if (IS_ERR(tfm))
1220		return PTR_ERR(tfm);
1221
1222	req = skcipher_request_alloc(&tfm->base, GFP_KERNEL);
1223	if (!req)
1224		goto nomem_tfm;
1225
1226	rxkad_ci_req = req;
1227	rxkad_ci = tfm;
1228	return 0;
1229
1230nomem_tfm:
1231	crypto_free_sync_skcipher(tfm);
1232	return -ENOMEM;
1233}
1234
1235/*
1236 * Clean up the rxkad security service.
1237 */
1238static void rxkad_exit(void)
1239{
1240	crypto_free_sync_skcipher(rxkad_ci);
1241	skcipher_request_free(rxkad_ci_req);
1242}
1243
1244/*
1245 * RxRPC Kerberos-based security
1246 */
1247const struct rxrpc_security rxkad = {
1248	.name				= "rxkad",
1249	.security_index			= RXRPC_SECURITY_RXKAD,
1250	.no_key_abort			= RXKADUNKNOWNKEY,
1251	.init				= rxkad_init,
1252	.exit				= rxkad_exit,
1253	.preparse_server_key		= rxkad_preparse_server_key,
1254	.free_preparse_server_key	= rxkad_free_preparse_server_key,
1255	.destroy_server_key		= rxkad_destroy_server_key,
1256	.init_connection_security	= rxkad_init_connection_security,
1257	.how_much_data			= rxkad_how_much_data,
1258	.secure_packet			= rxkad_secure_packet,
1259	.verify_packet			= rxkad_verify_packet,
1260	.free_call_crypto		= rxkad_free_call_crypto,
1261	.issue_challenge		= rxkad_issue_challenge,
1262	.respond_to_challenge		= rxkad_respond_to_challenge,
1263	.verify_response		= rxkad_verify_response,
1264	.clear				= rxkad_clear,
1265};
v4.17
 
   1/* Kerberos-based RxRPC security
   2 *
   3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
   4 * Written by David Howells (dhowells@redhat.com)
   5 *
   6 * This program is free software; you can redistribute it and/or
   7 * modify it under the terms of the GNU General Public License
   8 * as published by the Free Software Foundation; either version
   9 * 2 of the License, or (at your option) any later version.
  10 */
  11
  12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  13
  14#include <crypto/skcipher.h>
  15#include <linux/module.h>
  16#include <linux/net.h>
  17#include <linux/skbuff.h>
  18#include <linux/udp.h>
  19#include <linux/scatterlist.h>
  20#include <linux/ctype.h>
  21#include <linux/slab.h>
 
  22#include <net/sock.h>
  23#include <net/af_rxrpc.h>
  24#include <keys/rxrpc-type.h>
  25#include "ar-internal.h"
  26
  27#define RXKAD_VERSION			2
  28#define MAXKRB5TICKETLEN		1024
  29#define RXKAD_TKT_TYPE_KERBEROS_V5	256
  30#define ANAME_SZ			40	/* size of authentication name */
  31#define INST_SZ				40	/* size of principal's instance */
  32#define REALM_SZ			40	/* size of principal's auth domain */
  33#define SNAME_SZ			40	/* size of service name */
 
  34
  35struct rxkad_level1_hdr {
  36	__be32	data_size;	/* true data size (excluding padding) */
  37};
  38
  39struct rxkad_level2_hdr {
  40	__be32	data_size;	/* true data size (excluding padding) */
  41	__be32	checksum;	/* decrypted data checksum */
  42};
  43
 
 
 
  44/*
  45 * this holds a pinned cipher so that keventd doesn't get called by the cipher
  46 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
  47 * packets
  48 */
  49static struct crypto_skcipher *rxkad_ci;
 
  50static DEFINE_MUTEX(rxkad_ci_mutex);
  51
  52/*
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  53 * initialise connection security
  54 */
  55static int rxkad_init_connection_security(struct rxrpc_connection *conn)
 
  56{
  57	struct crypto_skcipher *ci;
  58	struct rxrpc_key_token *token;
  59	int ret;
  60
  61	_enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
  62
  63	token = conn->params.key->payload.data[0];
  64	conn->security_ix = token->security_index;
  65
  66	ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
  67	if (IS_ERR(ci)) {
  68		_debug("no cipher");
  69		ret = PTR_ERR(ci);
  70		goto error;
  71	}
  72
  73	if (crypto_skcipher_setkey(ci, token->kad->session_key,
  74				   sizeof(token->kad->session_key)) < 0)
  75		BUG();
  76
  77	switch (conn->params.security_level) {
  78	case RXRPC_SECURITY_PLAIN:
  79		break;
  80	case RXRPC_SECURITY_AUTH:
  81		conn->size_align = 8;
  82		conn->security_size = sizeof(struct rxkad_level1_hdr);
  83		break;
  84	case RXRPC_SECURITY_ENCRYPT:
  85		conn->size_align = 8;
  86		conn->security_size = sizeof(struct rxkad_level2_hdr);
  87		break;
  88	default:
  89		ret = -EKEYREJECTED;
  90		goto error;
  91	}
  92
  93	conn->cipher = ci;
  94	ret = 0;
 
 
 
 
 
 
 
  95error:
  96	_leave(" = %d", ret);
  97	return ret;
  98}
  99
 100/*
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 101 * prime the encryption state with the invariant parts of a connection's
 102 * description
 103 */
 104static int rxkad_prime_packet_security(struct rxrpc_connection *conn)
 
 105{
 
 106	struct rxrpc_key_token *token;
 107	SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
 108	struct scatterlist sg;
 109	struct rxrpc_crypt iv;
 110	__be32 *tmpbuf;
 111	size_t tmpsize = 4 * sizeof(__be32);
 112
 113	_enter("");
 114
 115	if (!conn->params.key)
 116		return 0;
 117
 118	tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
 119	if (!tmpbuf)
 120		return -ENOMEM;
 121
 122	token = conn->params.key->payload.data[0];
 
 
 
 
 
 
 123	memcpy(&iv, token->kad->session_key, sizeof(iv));
 124
 125	tmpbuf[0] = htonl(conn->proto.epoch);
 126	tmpbuf[1] = htonl(conn->proto.cid);
 127	tmpbuf[2] = 0;
 128	tmpbuf[3] = htonl(conn->security_ix);
 129
 130	sg_init_one(&sg, tmpbuf, tmpsize);
 131	skcipher_request_set_tfm(req, conn->cipher);
 132	skcipher_request_set_callback(req, 0, NULL, NULL);
 133	skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
 134	crypto_skcipher_encrypt(req);
 135	skcipher_request_zero(req);
 136
 137	memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv));
 138	kfree(tmpbuf);
 139	_leave(" = 0");
 140	return 0;
 141}
 142
 143/*
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 144 * partially encrypt a packet (level 1 security)
 145 */
 146static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
 147				    struct sk_buff *skb,
 148				    u32 data_size,
 149				    void *sechdr)
 150{
 151	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 152	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
 153	struct rxkad_level1_hdr hdr;
 154	struct rxrpc_crypt iv;
 155	struct scatterlist sg;
 
 156	u16 check;
 157
 158	_enter("");
 159
 160	check = sp->hdr.seq ^ call->call_id;
 161	data_size |= (u32)check << 16;
 162
 163	hdr.data_size = htonl(data_size);
 164	memcpy(sechdr, &hdr, sizeof(hdr));
 
 
 
 
 
 
 165
 166	/* start the encryption afresh */
 167	memset(&iv, 0, sizeof(iv));
 168
 169	sg_init_one(&sg, sechdr, 8);
 170	skcipher_request_set_tfm(req, call->conn->cipher);
 171	skcipher_request_set_callback(req, 0, NULL, NULL);
 172	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
 173	crypto_skcipher_encrypt(req);
 174	skcipher_request_zero(req);
 175
 176	_leave(" = 0");
 177	return 0;
 178}
 179
 180/*
 181 * wholly encrypt a packet (level 2 security)
 182 */
 183static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
 184				       struct sk_buff *skb,
 185				       u32 data_size,
 186				       void *sechdr)
 187{
 188	const struct rxrpc_key_token *token;
 189	struct rxkad_level2_hdr rxkhdr;
 190	struct rxrpc_skb_priv *sp;
 191	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
 192	struct rxrpc_crypt iv;
 193	struct scatterlist sg[16];
 194	struct sk_buff *trailer;
 195	unsigned int len;
 196	u16 check;
 197	int nsg;
 198	int err;
 199
 200	sp = rxrpc_skb(skb);
 201
 202	_enter("");
 203
 204	check = sp->hdr.seq ^ call->call_id;
 
 205
 206	rxkhdr.data_size = htonl(data_size | (u32)check << 16);
 207	rxkhdr.checksum = 0;
 208	memcpy(sechdr, &rxkhdr, sizeof(rxkhdr));
 
 
 
 
 
 209
 210	/* encrypt from the session key */
 211	token = call->conn->params.key->payload.data[0];
 212	memcpy(&iv, token->kad->session_key, sizeof(iv));
 213
 214	sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
 215	skcipher_request_set_tfm(req, call->conn->cipher);
 216	skcipher_request_set_callback(req, 0, NULL, NULL);
 217	skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
 218	crypto_skcipher_encrypt(req);
 219
 220	/* we want to encrypt the skbuff in-place */
 221	nsg = skb_cow_data(skb, 0, &trailer);
 222	err = -ENOMEM;
 223	if (nsg < 0 || nsg > 16)
 224		goto out;
 225
 226	len = data_size + call->conn->size_align - 1;
 227	len &= ~(call->conn->size_align - 1);
 228
 229	sg_init_table(sg, nsg);
 230	err = skb_to_sgvec(skb, sg, 0, len);
 231	if (unlikely(err < 0))
 232		goto out;
 233	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
 234	crypto_skcipher_encrypt(req);
 235
 236	_leave(" = 0");
 237	err = 0;
 238
 239out:
 240	skcipher_request_zero(req);
 241	return err;
 242}
 243
 244/*
 245 * checksum an RxRPC packet header
 246 */
 247static int rxkad_secure_packet(struct rxrpc_call *call,
 248			       struct sk_buff *skb,
 249			       size_t data_size,
 250			       void *sechdr)
 251{
 252	struct rxrpc_skb_priv *sp;
 253	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
 254	struct rxrpc_crypt iv;
 255	struct scatterlist sg;
 
 
 
 256	u32 x, y;
 257	int ret;
 258
 259	sp = rxrpc_skb(skb);
 260
 261	_enter("{%d{%x}},{#%u},%zu,",
 262	       call->debug_id, key_serial(call->conn->params.key),
 263	       sp->hdr.seq, data_size);
 264
 265	if (!call->conn->cipher)
 266		return 0;
 267
 268	ret = key_validate(call->conn->params.key);
 269	if (ret < 0)
 270		return ret;
 271
 
 
 
 
 272	/* continue encrypting from where we left off */
 273	memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
 274
 275	/* calculate the security checksum */
 276	x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
 277	x |= sp->hdr.seq & 0x3fffffff;
 278	call->crypto_buf[0] = htonl(call->call_id);
 279	call->crypto_buf[1] = htonl(x);
 280
 281	sg_init_one(&sg, call->crypto_buf, 8);
 282	skcipher_request_set_tfm(req, call->conn->cipher);
 283	skcipher_request_set_callback(req, 0, NULL, NULL);
 284	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
 285	crypto_skcipher_encrypt(req);
 286	skcipher_request_zero(req);
 287
 288	y = ntohl(call->crypto_buf[1]);
 289	y = (y >> 16) & 0xffff;
 290	if (y == 0)
 291		y = 1; /* zero checksums are not permitted */
 292	sp->hdr.cksum = y;
 293
 294	switch (call->conn->params.security_level) {
 295	case RXRPC_SECURITY_PLAIN:
 296		ret = 0;
 297		break;
 298	case RXRPC_SECURITY_AUTH:
 299		ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr);
 300		break;
 301	case RXRPC_SECURITY_ENCRYPT:
 302		ret = rxkad_secure_packet_encrypt(call, skb, data_size,
 303						  sechdr);
 304		break;
 305	default:
 306		ret = -EPERM;
 307		break;
 308	}
 309
 310	_leave(" = %d [set %hx]", ret, y);
 
 311	return ret;
 312}
 313
 314/*
 315 * decrypt partial encryption on a packet (level 1 security)
 316 */
 317static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
 318				 unsigned int offset, unsigned int len,
 319				 rxrpc_seq_t seq)
 320{
 321	struct rxkad_level1_hdr sechdr;
 322	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
 323	struct rxrpc_crypt iv;
 324	struct scatterlist sg[16];
 325	struct sk_buff *trailer;
 326	bool aborted;
 327	u32 data_size, buf;
 328	u16 check;
 329	int nsg, ret;
 330
 331	_enter("");
 332
 333	if (len < 8) {
 334		aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_hdr", "V1H",
 335					   RXKADSEALEDINCON);
 336		goto protocol_error;
 337	}
 338
 339	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
 340	 * directly into the target buffer.
 341	 */
 342	nsg = skb_cow_data(skb, 0, &trailer);
 343	if (nsg < 0 || nsg > 16)
 344		goto nomem;
 345
 346	sg_init_table(sg, nsg);
 347	ret = skb_to_sgvec(skb, sg, offset, 8);
 348	if (unlikely(ret < 0))
 349		return ret;
 350
 351	/* start the decryption afresh */
 352	memset(&iv, 0, sizeof(iv));
 353
 354	skcipher_request_set_tfm(req, call->conn->cipher);
 355	skcipher_request_set_callback(req, 0, NULL, NULL);
 356	skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
 357	crypto_skcipher_decrypt(req);
 358	skcipher_request_zero(req);
 359
 360	/* Extract the decrypted packet length */
 361	if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
 362		aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_len", "XV1",
 363					     RXKADDATALEN);
 364		goto protocol_error;
 365	}
 366	offset += sizeof(sechdr);
 367	len -= sizeof(sechdr);
 368
 369	buf = ntohl(sechdr.data_size);
 370	data_size = buf & 0xffff;
 371
 372	check = buf >> 16;
 373	check ^= seq ^ call->call_id;
 374	check &= 0xffff;
 375	if (check != 0) {
 376		aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_check", "V1C",
 377					     RXKADSEALEDINCON);
 378		goto protocol_error;
 379	}
 380
 381	if (data_size > len) {
 382		aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_datalen", "V1L",
 383					     RXKADDATALEN);
 384		goto protocol_error;
 385	}
 386
 387	_leave(" = 0 [dlen=%x]", data_size);
 388	return 0;
 389
 390protocol_error:
 391	if (aborted)
 392		rxrpc_send_abort_packet(call);
 393	return -EPROTO;
 394
 395nomem:
 396	_leave(" = -ENOMEM");
 397	return -ENOMEM;
 398}
 399
 400/*
 401 * wholly decrypt a packet (level 2 security)
 402 */
 403static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
 404				 unsigned int offset, unsigned int len,
 405				 rxrpc_seq_t seq)
 406{
 407	const struct rxrpc_key_token *token;
 408	struct rxkad_level2_hdr sechdr;
 409	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
 410	struct rxrpc_crypt iv;
 411	struct scatterlist _sg[4], *sg;
 412	struct sk_buff *trailer;
 413	bool aborted;
 414	u32 data_size, buf;
 415	u16 check;
 416	int nsg, ret;
 417
 418	_enter(",{%d}", skb->len);
 419
 420	if (len < 8) {
 421		aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_hdr", "V2H",
 422					     RXKADSEALEDINCON);
 423		goto protocol_error;
 424	}
 425
 426	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
 427	 * directly into the target buffer.
 428	 */
 429	nsg = skb_cow_data(skb, 0, &trailer);
 430	if (nsg < 0)
 431		goto nomem;
 432
 433	sg = _sg;
 434	if (unlikely(nsg > 4)) {
 435		sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO);
 
 
 
 436		if (!sg)
 437			goto nomem;
 438	}
 439
 440	sg_init_table(sg, nsg);
 441	ret = skb_to_sgvec(skb, sg, offset, len);
 442	if (unlikely(ret < 0)) {
 443		if (sg != _sg)
 444			kfree(sg);
 445		return ret;
 446	}
 447
 448	/* decrypt from the session key */
 449	token = call->conn->params.key->payload.data[0];
 450	memcpy(&iv, token->kad->session_key, sizeof(iv));
 451
 452	skcipher_request_set_tfm(req, call->conn->cipher);
 453	skcipher_request_set_callback(req, 0, NULL, NULL);
 454	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
 455	crypto_skcipher_decrypt(req);
 456	skcipher_request_zero(req);
 457	if (sg != _sg)
 458		kfree(sg);
 459
 460	/* Extract the decrypted packet length */
 461	if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
 462		aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_len", "XV2",
 463					     RXKADDATALEN);
 464		goto protocol_error;
 465	}
 466	offset += sizeof(sechdr);
 467	len -= sizeof(sechdr);
 468
 469	buf = ntohl(sechdr.data_size);
 470	data_size = buf & 0xffff;
 471
 472	check = buf >> 16;
 473	check ^= seq ^ call->call_id;
 474	check &= 0xffff;
 475	if (check != 0) {
 476		aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_check", "V2C",
 477					     RXKADSEALEDINCON);
 478		goto protocol_error;
 479	}
 480
 481	if (data_size > len) {
 482		aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_datalen", "V2L",
 483					     RXKADDATALEN);
 484		goto protocol_error;
 485	}
 486
 
 487	_leave(" = 0 [dlen=%x]", data_size);
 488	return 0;
 489
 490protocol_error:
 491	if (aborted)
 492		rxrpc_send_abort_packet(call);
 493	return -EPROTO;
 494
 495nomem:
 496	_leave(" = -ENOMEM");
 497	return -ENOMEM;
 498}
 499
 500/*
 501 * Verify the security on a received packet or subpacket (if part of a
 502 * jumbo packet).
 503 */
 504static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb,
 505			       unsigned int offset, unsigned int len,
 506			       rxrpc_seq_t seq, u16 expected_cksum)
 507{
 508	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
 
 509	struct rxrpc_crypt iv;
 510	struct scatterlist sg;
 511	bool aborted;
 
 
 
 
 512	u16 cksum;
 513	u32 x, y;
 514
 515	_enter("{%d{%x}},{#%u}",
 516	       call->debug_id, key_serial(call->conn->params.key), seq);
 517
 518	if (!call->conn->cipher)
 519		return 0;
 520
 
 
 
 
 521	/* continue encrypting from where we left off */
 522	memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
 523
 524	/* validate the security checksum */
 525	x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
 526	x |= seq & 0x3fffffff;
 527	call->crypto_buf[0] = htonl(call->call_id);
 528	call->crypto_buf[1] = htonl(x);
 529
 530	sg_init_one(&sg, call->crypto_buf, 8);
 531	skcipher_request_set_tfm(req, call->conn->cipher);
 532	skcipher_request_set_callback(req, 0, NULL, NULL);
 533	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
 534	crypto_skcipher_encrypt(req);
 535	skcipher_request_zero(req);
 536
 537	y = ntohl(call->crypto_buf[1]);
 538	cksum = (y >> 16) & 0xffff;
 539	if (cksum == 0)
 540		cksum = 1; /* zero checksums are not permitted */
 541
 542	if (cksum != expected_cksum) {
 543		aborted = rxrpc_abort_eproto(call, skb, "rxkad_csum", "VCK",
 544					     RXKADSEALEDINCON);
 545		goto protocol_error;
 546	}
 547
 548	switch (call->conn->params.security_level) {
 549	case RXRPC_SECURITY_PLAIN:
 550		return 0;
 
 551	case RXRPC_SECURITY_AUTH:
 552		return rxkad_verify_packet_1(call, skb, offset, len, seq);
 
 553	case RXRPC_SECURITY_ENCRYPT:
 554		return rxkad_verify_packet_2(call, skb, offset, len, seq);
 
 555	default:
 556		return -ENOANO;
 
 557	}
 558
 559protocol_error:
 560	if (aborted)
 561		rxrpc_send_abort_packet(call);
 562	return -EPROTO;
 563}
 564
 565/*
 566 * Locate the data contained in a packet that was partially encrypted.
 567 */
 568static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb,
 569				unsigned int *_offset, unsigned int *_len)
 570{
 571	struct rxkad_level1_hdr sechdr;
 572
 573	if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
 574		BUG();
 575	*_offset += sizeof(sechdr);
 576	*_len = ntohl(sechdr.data_size) & 0xffff;
 577}
 578
 579/*
 580 * Locate the data contained in a packet that was completely encrypted.
 581 */
 582static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb,
 583				unsigned int *_offset, unsigned int *_len)
 584{
 585	struct rxkad_level2_hdr sechdr;
 586
 587	if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
 588		BUG();
 589	*_offset += sizeof(sechdr);
 590	*_len = ntohl(sechdr.data_size) & 0xffff;
 591}
 592
 593/*
 594 * Locate the data contained in an already decrypted packet.
 595 */
 596static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb,
 597			      unsigned int *_offset, unsigned int *_len)
 598{
 599	switch (call->conn->params.security_level) {
 600	case RXRPC_SECURITY_AUTH:
 601		rxkad_locate_data_1(call, skb, _offset, _len);
 602		return;
 603	case RXRPC_SECURITY_ENCRYPT:
 604		rxkad_locate_data_2(call, skb, _offset, _len);
 605		return;
 606	default:
 607		return;
 608	}
 609}
 610
 611/*
 612 * issue a challenge
 613 */
 614static int rxkad_issue_challenge(struct rxrpc_connection *conn)
 615{
 616	struct rxkad_challenge challenge;
 617	struct rxrpc_wire_header whdr;
 618	struct msghdr msg;
 619	struct kvec iov[2];
 620	size_t len;
 621	u32 serial;
 622	int ret;
 623
 624	_enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
 625
 626	ret = key_validate(conn->params.key);
 627	if (ret < 0)
 628		return ret;
 629
 630	get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
 631
 632	challenge.version	= htonl(2);
 633	challenge.nonce		= htonl(conn->security_nonce);
 634	challenge.min_level	= htonl(0);
 635	challenge.__padding	= 0;
 636
 637	msg.msg_name	= &conn->params.peer->srx.transport;
 638	msg.msg_namelen	= conn->params.peer->srx.transport_len;
 639	msg.msg_control	= NULL;
 640	msg.msg_controllen = 0;
 641	msg.msg_flags	= 0;
 642
 643	whdr.epoch	= htonl(conn->proto.epoch);
 644	whdr.cid	= htonl(conn->proto.cid);
 645	whdr.callNumber	= 0;
 646	whdr.seq	= 0;
 647	whdr.type	= RXRPC_PACKET_TYPE_CHALLENGE;
 648	whdr.flags	= conn->out_clientflag;
 649	whdr.userStatus	= 0;
 650	whdr.securityIndex = conn->security_ix;
 651	whdr._rsvd	= 0;
 652	whdr.serviceId	= htons(conn->service_id);
 653
 654	iov[0].iov_base	= &whdr;
 655	iov[0].iov_len	= sizeof(whdr);
 656	iov[1].iov_base	= &challenge;
 657	iov[1].iov_len	= sizeof(challenge);
 658
 659	len = iov[0].iov_len + iov[1].iov_len;
 660
 661	serial = atomic_inc_return(&conn->serial);
 662	whdr.serial = htonl(serial);
 663	_proto("Tx CHALLENGE %%%u", serial);
 664
 665	ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
 666	if (ret < 0) {
 667		trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
 668				    rxrpc_tx_fail_conn_challenge);
 669		return -EAGAIN;
 670	}
 671
 672	conn->params.peer->last_tx_at = ktime_get_real();
 
 
 673	_leave(" = 0");
 674	return 0;
 675}
 676
 677/*
 678 * send a Kerberos security response
 679 */
 680static int rxkad_send_response(struct rxrpc_connection *conn,
 681			       struct rxrpc_host_header *hdr,
 682			       struct rxkad_response *resp,
 683			       const struct rxkad_key *s2)
 684{
 685	struct rxrpc_wire_header whdr;
 686	struct msghdr msg;
 687	struct kvec iov[3];
 688	size_t len;
 689	u32 serial;
 690	int ret;
 691
 692	_enter("");
 693
 694	msg.msg_name	= &conn->params.peer->srx.transport;
 695	msg.msg_namelen	= conn->params.peer->srx.transport_len;
 696	msg.msg_control	= NULL;
 697	msg.msg_controllen = 0;
 698	msg.msg_flags	= 0;
 699
 700	memset(&whdr, 0, sizeof(whdr));
 701	whdr.epoch	= htonl(hdr->epoch);
 702	whdr.cid	= htonl(hdr->cid);
 703	whdr.type	= RXRPC_PACKET_TYPE_RESPONSE;
 704	whdr.flags	= conn->out_clientflag;
 705	whdr.securityIndex = hdr->securityIndex;
 706	whdr.serviceId	= htons(hdr->serviceId);
 707
 708	iov[0].iov_base	= &whdr;
 709	iov[0].iov_len	= sizeof(whdr);
 710	iov[1].iov_base	= resp;
 711	iov[1].iov_len	= sizeof(*resp);
 712	iov[2].iov_base	= (void *)s2->ticket;
 713	iov[2].iov_len	= s2->ticket_len;
 714
 715	len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
 716
 717	serial = atomic_inc_return(&conn->serial);
 718	whdr.serial = htonl(serial);
 719	_proto("Tx RESPONSE %%%u", serial);
 720
 721	ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
 722	if (ret < 0) {
 723		trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
 724				    rxrpc_tx_fail_conn_response);
 725		return -EAGAIN;
 726	}
 727
 728	conn->params.peer->last_tx_at = ktime_get_real();
 729	_leave(" = 0");
 730	return 0;
 731}
 732
 733/*
 734 * calculate the response checksum
 735 */
 736static void rxkad_calc_response_checksum(struct rxkad_response *response)
 737{
 738	u32 csum = 1000003;
 739	int loop;
 740	u8 *p = (u8 *) response;
 741
 742	for (loop = sizeof(*response); loop > 0; loop--)
 743		csum = csum * 0x10204081 + *p++;
 744
 745	response->encrypted.checksum = htonl(csum);
 746}
 747
 748/*
 749 * encrypt the response packet
 750 */
 751static void rxkad_encrypt_response(struct rxrpc_connection *conn,
 752				   struct rxkad_response *resp,
 753				   const struct rxkad_key *s2)
 754{
 755	SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
 756	struct rxrpc_crypt iv;
 757	struct scatterlist sg[1];
 758
 
 
 
 
 759	/* continue encrypting from where we left off */
 760	memcpy(&iv, s2->session_key, sizeof(iv));
 761
 762	sg_init_table(sg, 1);
 763	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
 764	skcipher_request_set_tfm(req, conn->cipher);
 765	skcipher_request_set_callback(req, 0, NULL, NULL);
 766	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
 767	crypto_skcipher_encrypt(req);
 768	skcipher_request_zero(req);
 
 769}
 770
 771/*
 772 * respond to a challenge packet
 773 */
 774static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
 775				      struct sk_buff *skb,
 776				      u32 *_abort_code)
 777{
 778	const struct rxrpc_key_token *token;
 779	struct rxkad_challenge challenge;
 780	struct rxkad_response *resp;
 781	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 782	const char *eproto;
 783	u32 version, nonce, min_level, abort_code;
 784	int ret;
 785
 786	_enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
 787
 788	eproto = tracepoint_string("chall_no_key");
 789	abort_code = RX_PROTOCOL_ERROR;
 790	if (!conn->params.key)
 791		goto protocol_error;
 792
 793	abort_code = RXKADEXPIRED;
 794	ret = key_validate(conn->params.key);
 795	if (ret < 0)
 796		goto other_error;
 
 797
 798	eproto = tracepoint_string("chall_short");
 799	abort_code = RXKADPACKETSHORT;
 800	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
 801			  &challenge, sizeof(challenge)) < 0)
 802		goto protocol_error;
 
 803
 804	version = ntohl(challenge.version);
 805	nonce = ntohl(challenge.nonce);
 806	min_level = ntohl(challenge.min_level);
 807
 808	_proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
 809	       sp->hdr.serial, version, nonce, min_level);
 810
 811	eproto = tracepoint_string("chall_ver");
 812	abort_code = RXKADINCONSISTENCY;
 813	if (version != RXKAD_VERSION)
 814		goto protocol_error;
 
 815
 816	abort_code = RXKADLEVELFAIL;
 817	ret = -EACCES;
 818	if (conn->params.security_level < min_level)
 819		goto other_error;
 820
 821	token = conn->params.key->payload.data[0];
 822
 823	/* build the response packet */
 824	resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
 825	if (!resp)
 826		return -ENOMEM;
 827
 828	resp->version			= htonl(RXKAD_VERSION);
 829	resp->encrypted.epoch		= htonl(conn->proto.epoch);
 830	resp->encrypted.cid		= htonl(conn->proto.cid);
 831	resp->encrypted.securityIndex	= htonl(conn->security_ix);
 832	resp->encrypted.inc_nonce	= htonl(nonce + 1);
 833	resp->encrypted.level		= htonl(conn->params.security_level);
 834	resp->kvno			= htonl(token->kad->kvno);
 835	resp->ticket_len		= htonl(token->kad->ticket_len);
 836	resp->encrypted.call_id[0]	= htonl(conn->channels[0].call_counter);
 837	resp->encrypted.call_id[1]	= htonl(conn->channels[1].call_counter);
 838	resp->encrypted.call_id[2]	= htonl(conn->channels[2].call_counter);
 839	resp->encrypted.call_id[3]	= htonl(conn->channels[3].call_counter);
 840
 841	/* calculate the response checksum and then do the encryption */
 842	rxkad_calc_response_checksum(resp);
 843	rxkad_encrypt_response(conn, resp, token->kad);
 844	ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad);
 
 845	kfree(resp);
 846	return ret;
 847
 848protocol_error:
 849	trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
 850	ret = -EPROTO;
 851other_error:
 852	*_abort_code = abort_code;
 853	return ret;
 854}
 855
 856/*
 857 * decrypt the kerberos IV ticket in the response
 858 */
 859static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
 
 860				struct sk_buff *skb,
 861				void *ticket, size_t ticket_len,
 862				struct rxrpc_crypt *_session_key,
 863				time64_t *_expiry,
 864				u32 *_abort_code)
 865{
 866	struct skcipher_request *req;
 867	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 868	struct rxrpc_crypt iv, key;
 869	struct scatterlist sg[1];
 870	struct in_addr addr;
 871	unsigned int life;
 872	const char *eproto;
 873	time64_t issue, now;
 874	bool little_endian;
 875	int ret;
 876	u32 abort_code;
 877	u8 *p, *q, *name, *end;
 878
 879	_enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
 880
 881	*_expiry = 0;
 882
 883	ret = key_validate(conn->server_key);
 884	if (ret < 0) {
 885		switch (ret) {
 886		case -EKEYEXPIRED:
 887			abort_code = RXKADEXPIRED;
 888			goto other_error;
 889		default:
 890			abort_code = RXKADNOAUTH;
 891			goto other_error;
 892		}
 893	}
 894
 895	ASSERT(conn->server_key->payload.data[0] != NULL);
 896	ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
 897
 898	memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
 899
 900	ret = -ENOMEM;
 901	req = skcipher_request_alloc(conn->server_key->payload.data[0],
 902				     GFP_NOFS);
 903	if (!req)
 904		goto temporary_error;
 905
 906	sg_init_one(&sg[0], ticket, ticket_len);
 907	skcipher_request_set_callback(req, 0, NULL, NULL);
 908	skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
 909	crypto_skcipher_decrypt(req);
 910	skcipher_request_free(req);
 911
 912	p = ticket;
 913	end = p + ticket_len;
 914
 915#define Z(field)					\
 916	({						\
 917		u8 *__str = p;				\
 918		eproto = tracepoint_string("rxkad_bad_"#field); \
 919		q = memchr(p, 0, end - p);		\
 920		if (!q || q - p > (field##_SZ))		\
 921			goto bad_ticket;		\
 922		for (; p < q; p++)			\
 923			if (!isprint(*p))		\
 924				goto bad_ticket;	\
 925		p++;					\
 926		__str;					\
 
 
 
 927	})
 928
 929	/* extract the ticket flags */
 930	_debug("KIV FLAGS: %x", *p);
 931	little_endian = *p & 1;
 932	p++;
 933
 934	/* extract the authentication name */
 935	name = Z(ANAME);
 936	_debug("KIV ANAME: %s", name);
 937
 938	/* extract the principal's instance */
 939	name = Z(INST);
 940	_debug("KIV INST : %s", name);
 941
 942	/* extract the principal's authentication domain */
 943	name = Z(REALM);
 944	_debug("KIV REALM: %s", name);
 945
 946	eproto = tracepoint_string("rxkad_bad_len");
 947	if (end - p < 4 + 8 + 4 + 2)
 948		goto bad_ticket;
 
 949
 950	/* get the IPv4 address of the entity that requested the ticket */
 951	memcpy(&addr, p, sizeof(addr));
 952	p += 4;
 953	_debug("KIV ADDR : %pI4", &addr);
 954
 955	/* get the session key from the ticket */
 956	memcpy(&key, p, sizeof(key));
 957	p += 8;
 958	_debug("KIV KEY  : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
 959	memcpy(_session_key, &key, sizeof(key));
 960
 961	/* get the ticket's lifetime */
 962	life = *p++ * 5 * 60;
 963	_debug("KIV LIFE : %u", life);
 964
 965	/* get the issue time of the ticket */
 966	if (little_endian) {
 967		__le32 stamp;
 968		memcpy(&stamp, p, 4);
 969		issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
 970	} else {
 971		__be32 stamp;
 972		memcpy(&stamp, p, 4);
 973		issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
 974	}
 975	p += 4;
 976	now = ktime_get_real_seconds();
 977	_debug("KIV ISSUE: %llx [%llx]", issue, now);
 978
 979	/* check the ticket is in date */
 980	if (issue > now) {
 981		abort_code = RXKADNOAUTH;
 982		ret = -EKEYREJECTED;
 983		goto other_error;
 984	}
 985
 986	if (issue < now - life) {
 987		abort_code = RXKADEXPIRED;
 988		ret = -EKEYEXPIRED;
 989		goto other_error;
 990	}
 991
 992	*_expiry = issue + life;
 993
 994	/* get the service name */
 995	name = Z(SNAME);
 996	_debug("KIV SNAME: %s", name);
 997
 998	/* get the service instance name */
 999	name = Z(INST);
1000	_debug("KIV SINST: %s", name);
1001	return 0;
1002
1003bad_ticket:
1004	trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1005	abort_code = RXKADBADTICKET;
1006	ret = -EPROTO;
1007other_error:
1008	*_abort_code = abort_code;
1009	return ret;
1010temporary_error:
1011	return ret;
1012}
1013
1014/*
1015 * decrypt the response packet
1016 */
1017static void rxkad_decrypt_response(struct rxrpc_connection *conn,
1018				   struct rxkad_response *resp,
1019				   const struct rxrpc_crypt *session_key)
1020{
1021	SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci);
1022	struct scatterlist sg[1];
1023	struct rxrpc_crypt iv;
1024
1025	_enter(",,%08x%08x",
1026	       ntohl(session_key->n[0]), ntohl(session_key->n[1]));
1027
1028	ASSERT(rxkad_ci != NULL);
1029
1030	mutex_lock(&rxkad_ci_mutex);
1031	if (crypto_skcipher_setkey(rxkad_ci, session_key->x,
1032				   sizeof(*session_key)) < 0)
1033		BUG();
1034
1035	memcpy(&iv, session_key, sizeof(iv));
1036
1037	sg_init_table(sg, 1);
1038	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1039	skcipher_request_set_tfm(req, rxkad_ci);
1040	skcipher_request_set_callback(req, 0, NULL, NULL);
1041	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1042	crypto_skcipher_decrypt(req);
1043	skcipher_request_zero(req);
1044
1045	mutex_unlock(&rxkad_ci_mutex);
1046
1047	_leave("");
1048}
1049
1050/*
1051 * verify a response
1052 */
1053static int rxkad_verify_response(struct rxrpc_connection *conn,
1054				 struct sk_buff *skb,
1055				 u32 *_abort_code)
1056{
1057	struct rxkad_response *response;
1058	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1059	struct rxrpc_crypt session_key;
1060	const char *eproto;
1061	time64_t expiry;
1062	void *ticket;
1063	u32 abort_code, version, kvno, ticket_len, level;
1064	__be32 csum;
1065	int ret, i;
1066
1067	_enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1068
1069	ret = -ENOMEM;
1070	response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1071	if (!response)
1072		goto temporary_error;
1073
1074	eproto = tracepoint_string("rxkad_rsp_short");
1075	abort_code = RXKADPACKETSHORT;
1076	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1077			  response, sizeof(*response)) < 0)
 
 
1078		goto protocol_error;
1079	if (!pskb_pull(skb, sizeof(*response)))
1080		BUG();
1081
1082	version = ntohl(response->version);
1083	ticket_len = ntohl(response->ticket_len);
1084	kvno = ntohl(response->kvno);
1085	_proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1086	       sp->hdr.serial, version, kvno, ticket_len);
1087
1088	eproto = tracepoint_string("rxkad_rsp_ver");
1089	abort_code = RXKADINCONSISTENCY;
1090	if (version != RXKAD_VERSION)
 
 
1091		goto protocol_error;
 
1092
1093	eproto = tracepoint_string("rxkad_rsp_tktlen");
1094	abort_code = RXKADTICKETLEN;
1095	if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1096		goto protocol_error;
 
1097
1098	eproto = tracepoint_string("rxkad_rsp_unkkey");
1099	abort_code = RXKADUNKNOWNKEY;
1100	if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1101		goto protocol_error;
 
1102
1103	/* extract the kerberos ticket and decrypt and decode it */
1104	ret = -ENOMEM;
1105	ticket = kmalloc(ticket_len, GFP_NOFS);
1106	if (!ticket)
1107		goto temporary_error;
1108
1109	eproto = tracepoint_string("rxkad_tkt_short");
1110	abort_code = RXKADPACKETSHORT;
1111	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1112			  ticket, ticket_len) < 0)
1113		goto protocol_error_free;
 
1114
1115	ret = rxkad_decrypt_ticket(conn, skb, ticket, ticket_len, &session_key,
1116				   &expiry, _abort_code);
1117	if (ret < 0)
1118		goto temporary_error_free_resp;
1119
1120	/* use the session key from inside the ticket to decrypt the
1121	 * response */
1122	rxkad_decrypt_response(conn, response, &session_key);
1123
1124	eproto = tracepoint_string("rxkad_rsp_param");
1125	abort_code = RXKADSEALEDINCON;
1126	if (ntohl(response->encrypted.epoch) != conn->proto.epoch)
1127		goto protocol_error_free;
1128	if (ntohl(response->encrypted.cid) != conn->proto.cid)
1129		goto protocol_error_free;
1130	if (ntohl(response->encrypted.securityIndex) != conn->security_ix)
1131		goto protocol_error_free;
 
 
1132	csum = response->encrypted.checksum;
1133	response->encrypted.checksum = 0;
1134	rxkad_calc_response_checksum(response);
1135	eproto = tracepoint_string("rxkad_rsp_csum");
1136	if (response->encrypted.checksum != csum)
 
1137		goto protocol_error_free;
 
1138
1139	spin_lock(&conn->channel_lock);
1140	for (i = 0; i < RXRPC_MAXCALLS; i++) {
1141		struct rxrpc_call *call;
1142		u32 call_id = ntohl(response->encrypted.call_id[i]);
 
 
 
 
 
 
 
 
 
 
 
 
 
1143
1144		eproto = tracepoint_string("rxkad_rsp_callid");
1145		if (call_id > INT_MAX)
1146			goto protocol_error_unlock;
1147
1148		eproto = tracepoint_string("rxkad_rsp_callctr");
1149		if (call_id < conn->channels[i].call_counter)
1150			goto protocol_error_unlock;
1151
1152		eproto = tracepoint_string("rxkad_rsp_callst");
1153		if (call_id > conn->channels[i].call_counter) {
1154			call = rcu_dereference_protected(
1155				conn->channels[i].call,
1156				lockdep_is_held(&conn->channel_lock));
1157			if (call && call->state < RXRPC_CALL_COMPLETE)
1158				goto protocol_error_unlock;
1159			conn->channels[i].call_counter = call_id;
1160		}
1161	}
1162	spin_unlock(&conn->channel_lock);
1163
1164	eproto = tracepoint_string("rxkad_rsp_seq");
1165	abort_code = RXKADOUTOFSEQUENCE;
1166	if (ntohl(response->encrypted.inc_nonce) != conn->security_nonce + 1)
1167		goto protocol_error_free;
 
1168
1169	eproto = tracepoint_string("rxkad_rsp_level");
1170	abort_code = RXKADLEVELFAIL;
1171	level = ntohl(response->encrypted.level);
1172	if (level > RXRPC_SECURITY_ENCRYPT)
 
 
1173		goto protocol_error_free;
1174	conn->params.security_level = level;
 
1175
1176	/* create a key to hold the security data and expiration time - after
1177	 * this the connection security can be handled in exactly the same way
1178	 * as for a client connection */
1179	ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1180	if (ret < 0)
1181		goto temporary_error_free_ticket;
1182
1183	kfree(ticket);
1184	kfree(response);
1185	_leave(" = 0");
1186	return 0;
1187
1188protocol_error_unlock:
1189	spin_unlock(&conn->channel_lock);
1190protocol_error_free:
1191	kfree(ticket);
1192protocol_error:
1193	kfree(response);
1194	trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1195	*_abort_code = abort_code;
1196	return -EPROTO;
1197
1198temporary_error_free_ticket:
1199	kfree(ticket);
1200temporary_error_free_resp:
1201	kfree(response);
1202temporary_error:
1203	/* Ignore the response packet if we got a temporary error such as
1204	 * ENOMEM.  We just want to send the challenge again.  Note that we
1205	 * also come out this way if the ticket decryption fails.
1206	 */
 
1207	return ret;
1208}
1209
1210/*
1211 * clear the connection security
1212 */
1213static void rxkad_clear(struct rxrpc_connection *conn)
1214{
1215	_enter("");
1216
1217	if (conn->cipher)
1218		crypto_free_skcipher(conn->cipher);
1219}
1220
1221/*
1222 * Initialise the rxkad security service.
1223 */
1224static int rxkad_init(void)
1225{
 
 
 
1226	/* pin the cipher we need so that the crypto layer doesn't invoke
1227	 * keventd to go get it */
1228	rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
1229	return PTR_ERR_OR_ZERO(rxkad_ci);
 
 
 
 
 
 
 
 
 
 
 
 
 
1230}
1231
1232/*
1233 * Clean up the rxkad security service.
1234 */
1235static void rxkad_exit(void)
1236{
1237	if (rxkad_ci)
1238		crypto_free_skcipher(rxkad_ci);
1239}
1240
1241/*
1242 * RxRPC Kerberos-based security
1243 */
1244const struct rxrpc_security rxkad = {
1245	.name				= "rxkad",
1246	.security_index			= RXRPC_SECURITY_RXKAD,
 
1247	.init				= rxkad_init,
1248	.exit				= rxkad_exit,
 
 
 
1249	.init_connection_security	= rxkad_init_connection_security,
1250	.prime_packet_security		= rxkad_prime_packet_security,
1251	.secure_packet			= rxkad_secure_packet,
1252	.verify_packet			= rxkad_verify_packet,
1253	.locate_data			= rxkad_locate_data,
1254	.issue_challenge		= rxkad_issue_challenge,
1255	.respond_to_challenge		= rxkad_respond_to_challenge,
1256	.verify_response		= rxkad_verify_response,
1257	.clear				= rxkad_clear,
1258};