1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* GSSAPI-based RxRPC security
13 #include <linux/key-type.h>
14 #include "ar-internal.h"
23 struct krb5_buffer *server_key = (void *)&prep->payload.data[2]; in rxgk_preparse_server_key()
27 _enter("%zu", prep->datalen); in rxgk_preparse_server_key()
29 if (sscanf(prep->orig_description, "%u:%u:%u:%u%n", in rxgk_preparse_server_key()
31 return -EINVAL; in rxgk_preparse_server_key()
33 if (prep->orig_description[n]) in rxgk_preparse_server_key()
34 return -EINVAL; in rxgk_preparse_server_key()
38 return -ENOPKG; in rxgk_preparse_server_key()
40 prep->payload.data[0] = (struct krb5_enctype *)krb5; in rxgk_preparse_server_key()
42 if (prep->datalen != krb5->key_len) in rxgk_preparse_server_key()
43 return -EKEYREJECTED; in rxgk_preparse_server_key()
45 server_key->len = prep->datalen; in rxgk_preparse_server_key()
46 server_key->data = kmemdup(prep->data, prep->datalen, GFP_KERNEL); in rxgk_preparse_server_key()
47 if (!server_key->data) in rxgk_preparse_server_key()
48 return -ENOMEM; in rxgk_preparse_server_key()
56 struct krb5_buffer *server_key = (void *)&payload->data[2]; in rxgk_free_server_key()
58 kfree_sensitive(server_key->data); in rxgk_free_server_key()
63 rxgk_free_server_key(&prep->payload); in rxgk_free_preparse_server_key()
68 rxgk_free_server_key(&key->payload); in rxgk_destroy_server_key()
73 const struct krb5_enctype *krb5 = key->payload.data[0]; in rxgk_describe_server_key()
76 seq_printf(m, ": %s", krb5->name); in rxgk_describe_server_key()
83 * Returns a ref on the context if successful or -ESTALE if the key is out of
90 unsigned int key_number, current_key, mask = ARRAY_SIZE(conn->rxgk.keys) - 1; in rxgk_rekey()
93 _enter("%d", specific_key_number ? *specific_key_number : -1); in rxgk_rekey()
95 mutex_lock(&conn->security_lock); in rxgk_rekey()
97 current_key = conn->rxgk.key_number; in rxgk_rekey()
103 else if (*specific_key_number == (u16)(current_key - 1)) in rxgk_rekey()
104 key_number = current_key - 1; in rxgk_rekey()
111 gk = conn->rxgk.keys[key_number & mask]; in rxgk_rekey()
115 test_bit(RXGK_TK_NEEDS_REKEY, &gk->flags)) in rxgk_rekey()
119 refcount_inc(&gk->usage); in rxgk_rekey()
120 mutex_unlock(&conn->security_lock); in rxgk_rekey()
126 specific_key_number ? *specific_key_number : -1); in rxgk_rekey()
130 set_bit(RXRPC_CONN_DONT_REUSE, &conn->flags); in rxgk_rekey()
133 if (WARN_ON(conn->rxgk.keys[key_number & mask])) in rxgk_rekey()
138 gk = conn->rxgk.keys[current_key & mask]; in rxgk_rekey()
139 gk = rxgk_generate_transport_key(conn, gk->key, key_number, GFP_NOFS); in rxgk_rekey()
141 mutex_unlock(&conn->security_lock); in rxgk_rekey()
145 write_lock(&conn->security_use_lock); in rxgk_rekey()
148 conn->rxgk.key_number = current_key; in rxgk_rekey()
149 dead = conn->rxgk.keys[(current_key - 2) & mask]; in rxgk_rekey()
150 conn->rxgk.keys[(current_key - 2) & mask] = NULL; in rxgk_rekey()
152 conn->rxgk.keys[current_key & mask] = gk; in rxgk_rekey()
153 write_unlock(&conn->security_use_lock); in rxgk_rekey()
157 mutex_unlock(&conn->security_lock); in rxgk_rekey()
158 return ERR_PTR(-ESTALE); in rxgk_rekey()
164 * Returns a ref on the context if successful or -ESTALE if the key is out of
171 unsigned int key_number, current_key, mask = ARRAY_SIZE(conn->rxgk.keys) - 1; in rxgk_get_key()
174 conn->rxgk.key_number, specific_key_number ? *specific_key_number : -1); in rxgk_get_key()
176 read_lock(&conn->security_use_lock); in rxgk_get_key()
178 current_key = conn->rxgk.key_number; in rxgk_get_key()
188 else if (*specific_key_number == (u16)(current_key - 1)) in rxgk_get_key()
189 key_number = current_key - 1; in rxgk_get_key()
196 gk = conn->rxgk.keys[key_number & mask]; in rxgk_get_key()
201 if (time_after(jiffies, gk->expiry) || in rxgk_get_key()
202 gk->bytes_remaining < 0) { in rxgk_get_key()
203 set_bit(RXGK_TK_NEEDS_REKEY, &gk->flags); in rxgk_get_key()
207 if (test_bit(RXGK_TK_NEEDS_REKEY, &gk->flags)) in rxgk_get_key()
211 refcount_inc(&gk->usage); in rxgk_get_key()
212 read_unlock(&conn->security_use_lock); in rxgk_get_key()
219 gk = conn->rxgk.keys[current_key & mask]; in rxgk_get_key()
221 set_bit(RXGK_TK_NEEDS_REKEY, &gk->flags); in rxgk_get_key()
223 read_unlock(&conn->security_use_lock); in rxgk_get_key()
226 read_unlock(&conn->security_use_lock); in rxgk_get_key()
227 return ERR_PTR(-ESTALE); in rxgk_get_key()
240 conn->debug_id, conn->rxgk.key_number, key_serial(conn->key)); in rxgk_init_connection_security()
242 conn->security_ix = token->security_index; in rxgk_init_connection_security()
243 conn->security_level = token->rxgk->level; in rxgk_init_connection_security()
246 conn->rxgk.start_time = ktime_get(); in rxgk_init_connection_security()
247 do_div(conn->rxgk.start_time, 100); in rxgk_init_connection_security()
250 gk = rxgk_generate_transport_key(conn, token->rxgk, conn->rxgk.key_number, in rxgk_init_connection_security()
254 conn->rxgk.enctype = gk->krb5->etype; in rxgk_init_connection_security()
255 conn->rxgk.keys[gk->key_number & 3] = gk; in rxgk_init_connection_security()
257 switch (conn->security_level) { in rxgk_init_connection_security()
263 ret = -EKEYREJECTED; in rxgk_init_connection_security()
290 switch (call->conn->security_level) { in rxgk_alloc_txbuf()
304 gk = rxgk_get_key(call->conn, NULL); in rxgk_alloc_txbuf()
310 limit = crypto_krb5_how_much_data(gk->krb5, mode, &alloc, &offset); in rxgk_alloc_txbuf()
312 if (remain < limit - shdr) { in rxgk_alloc_txbuf()
314 alloc = crypto_krb5_how_much_buffer(gk->krb5, mode, in rxgk_alloc_txbuf()
318 part = limit - shdr; in rxgk_alloc_txbuf()
319 gap = RXRPC_JUMBO_DATALEN - alloc; in rxgk_alloc_txbuf()
329 txb->crypto_header = offset; in rxgk_alloc_txbuf()
330 txb->sec_header = shdr; in rxgk_alloc_txbuf()
331 txb->offset += offset + shdr; in rxgk_alloc_txbuf()
332 txb->space = part; in rxgk_alloc_txbuf()
336 memset(txb->data + alloc - gap, 0, gap); in rxgk_alloc_txbuf()
341 * Integrity mode (sign a packet - level 1 security)
350 int ret = -ENOMEM; in rxgk_secure_packet_integrity()
358 hdr->epoch = htonl(call->conn->proto.epoch); in rxgk_secure_packet_integrity()
359 hdr->cid = htonl(call->cid); in rxgk_secure_packet_integrity()
360 hdr->call_number = htonl(call->call_id); in rxgk_secure_packet_integrity()
361 hdr->seq = htonl(txb->seq); in rxgk_secure_packet_integrity()
362 hdr->sec_index = htonl(call->security_ix); in rxgk_secure_packet_integrity()
363 hdr->data_len = htonl(txb->len); in rxgk_secure_packet_integrity()
368 sg_set_buf(&sg[0], txb->data, txb->alloc_size); in rxgk_secure_packet_integrity()
370 ret = crypto_krb5_get_mic(gk->krb5, gk->tx_Kc, &metadata, in rxgk_secure_packet_integrity()
371 sg, 1, txb->alloc_size, in rxgk_secure_packet_integrity()
372 txb->crypto_header, txb->sec_header + txb->len); in rxgk_secure_packet_integrity()
374 txb->pkt_len = ret; in rxgk_secure_packet_integrity()
375 if (txb->alloc_size == RXRPC_JUMBO_DATALEN) in rxgk_secure_packet_integrity()
376 txb->jumboable = true; in rxgk_secure_packet_integrity()
377 gk->bytes_remaining -= ret; in rxgk_secure_packet_integrity()
397 _enter("%x", txb->len); in rxgk_secure_packet_encrypted()
400 hdr = txb->data + txb->crypto_header; in rxgk_secure_packet_encrypted()
401 hdr->epoch = htonl(call->conn->proto.epoch); in rxgk_secure_packet_encrypted()
402 hdr->cid = htonl(call->cid); in rxgk_secure_packet_encrypted()
403 hdr->call_number = htonl(call->call_id); in rxgk_secure_packet_encrypted()
404 hdr->seq = htonl(txb->seq); in rxgk_secure_packet_encrypted()
405 hdr->sec_index = htonl(call->security_ix); in rxgk_secure_packet_encrypted()
406 hdr->data_len = htonl(txb->len); in rxgk_secure_packet_encrypted()
409 sg_set_buf(&sg[0], txb->data, txb->alloc_size); in rxgk_secure_packet_encrypted()
411 ret = crypto_krb5_encrypt(gk->krb5, gk->tx_enc, in rxgk_secure_packet_encrypted()
412 sg, 1, txb->alloc_size, in rxgk_secure_packet_encrypted()
413 txb->crypto_header, txb->sec_header + txb->len, in rxgk_secure_packet_encrypted()
416 txb->pkt_len = ret; in rxgk_secure_packet_encrypted()
417 if (txb->alloc_size == RXRPC_JUMBO_DATALEN) in rxgk_secure_packet_encrypted()
418 txb->jumboable = true; in rxgk_secure_packet_encrypted()
419 gk->bytes_remaining -= ret; in rxgk_secure_packet_encrypted()
436 call->debug_id, key_serial(call->conn->key), txb->seq, txb->len); in rxgk_secure_packet()
438 gk = rxgk_get_key(call->conn, NULL); in rxgk_secure_packet()
440 return PTR_ERR(gk) == -ESTALE ? -EKEYREJECTED : PTR_ERR(gk); in rxgk_secure_packet()
442 ret = key_validate(call->conn->key); in rxgk_secure_packet()
448 call->security_enctype = gk->krb5->etype; in rxgk_secure_packet()
449 txb->cksum = htons(gk->key_number); in rxgk_secure_packet()
451 switch (call->conn->security_level) { in rxgk_secure_packet()
454 txb->pkt_len = txb->len; in rxgk_secure_packet()
462 return -EPERM; in rxgk_secure_packet()
467 * Integrity mode (check the signature on a packet - level 1 security)
476 unsigned int offset = sp->offset, len = sp->len; in rxgk_verify_packet_integrity()
479 int ret = -ENOMEM; in rxgk_verify_packet_integrity()
483 crypto_krb5_where_is_the_data(gk->krb5, KRB5_CHECKSUM_MODE, in rxgk_verify_packet_integrity()
490 hdr->epoch = htonl(call->conn->proto.epoch); in rxgk_verify_packet_integrity()
491 hdr->cid = htonl(call->cid); in rxgk_verify_packet_integrity()
492 hdr->call_number = htonl(call->call_id); in rxgk_verify_packet_integrity()
493 hdr->seq = htonl(sp->hdr.seq); in rxgk_verify_packet_integrity()
494 hdr->sec_index = htonl(call->security_ix); in rxgk_verify_packet_integrity()
495 hdr->data_len = htonl(data_len); in rxgk_verify_packet_integrity()
499 ret = rxgk_verify_mic_skb(gk->krb5, gk->rx_Kc, &metadata, in rxgk_verify_packet_integrity()
503 if (ret != -ENOMEM) in rxgk_verify_packet_integrity()
507 sp->offset = offset; in rxgk_verify_packet_integrity()
508 sp->len = len; in rxgk_verify_packet_integrity()
526 unsigned int offset = sp->offset, len = sp->len; in rxgk_verify_packet_encrypted()
532 ret = rxgk_decrypt_skb(gk->krb5, gk->rx_enc, skb, &offset, &len, &ac); in rxgk_verify_packet_encrypted()
534 if (ret != -ENOMEM) in rxgk_verify_packet_encrypted()
553 len -= sizeof(hdr); in rxgk_verify_packet_encrypted()
555 if (ntohl(hdr.epoch) != call->conn->proto.epoch || in rxgk_verify_packet_encrypted()
556 ntohl(hdr.cid) != call->cid || in rxgk_verify_packet_encrypted()
557 ntohl(hdr.call_number) != call->call_id || in rxgk_verify_packet_encrypted()
558 ntohl(hdr.seq) != sp->hdr.seq || in rxgk_verify_packet_encrypted()
559 ntohl(hdr.sec_index) != call->security_ix || in rxgk_verify_packet_encrypted()
566 sp->offset = offset; in rxgk_verify_packet_encrypted()
567 sp->len = ntohl(hdr.data_len); in rxgk_verify_packet_encrypted()
583 u16 key_number = sp->hdr.cksum; in rxgk_verify_packet()
586 call->debug_id, key_serial(call->conn->key), sp->hdr.seq); in rxgk_verify_packet()
588 gk = rxgk_get_key(call->conn, &key_number); in rxgk_verify_packet()
591 case -ESTALE: in rxgk_verify_packet()
599 call->security_enctype = gk->krb5->etype; in rxgk_verify_packet()
600 switch (call->conn->security_level) { in rxgk_verify_packet()
610 return -ENOANO; in rxgk_verify_packet()
616 * in the io_thread, so we can't use ->tx_alloc.
638 size_t len = sizeof(*whdr) + sizeof(conn->rxgk.nonce); in rxgk_issue_challenge()
642 _enter("{%d}", conn->debug_id); in rxgk_issue_challenge()
644 get_random_bytes(&conn->rxgk.nonce, sizeof(conn->rxgk.nonce)); in rxgk_issue_challenge()
646 /* We can't use conn->tx_alloc without a lock */ in rxgk_issue_challenge()
647 page = rxgk_alloc_packet(sizeof(*whdr) + sizeof(conn->rxgk.nonce)); in rxgk_issue_challenge()
649 return -ENOMEM; in rxgk_issue_challenge()
654 msg.msg_name = &conn->peer->srx.transport; in rxgk_issue_challenge()
655 msg.msg_namelen = conn->peer->srx.transport_len; in rxgk_issue_challenge()
661 whdr->epoch = htonl(conn->proto.epoch); in rxgk_issue_challenge()
662 whdr->cid = htonl(conn->proto.cid); in rxgk_issue_challenge()
663 whdr->callNumber = 0; in rxgk_issue_challenge()
664 whdr->seq = 0; in rxgk_issue_challenge()
665 whdr->type = RXRPC_PACKET_TYPE_CHALLENGE; in rxgk_issue_challenge()
666 whdr->flags = conn->out_clientflag; in rxgk_issue_challenge()
667 whdr->userStatus = 0; in rxgk_issue_challenge()
668 whdr->securityIndex = conn->security_ix; in rxgk_issue_challenge()
669 whdr->_rsvd = 0; in rxgk_issue_challenge()
670 whdr->serviceId = htons(conn->service_id); in rxgk_issue_challenge()
672 memcpy(whdr + 1, conn->rxgk.nonce, sizeof(conn->rxgk.nonce)); in rxgk_issue_challenge()
675 whdr->serial = htonl(serial); in rxgk_issue_challenge()
677 trace_rxrpc_tx_challenge(conn, serial, 0, *(u32 *)&conn->rxgk.nonce); in rxgk_issue_challenge()
679 ret = do_udp_sendmsg(conn->local->socket, &msg, len); in rxgk_issue_challenge()
681 conn->peer->last_tx_at = ktime_get_seconds(); in rxgk_issue_challenge()
685 trace_rxrpc_tx_fail(conn->debug_id, serial, ret, in rxgk_issue_challenge()
687 return -EAGAIN; in rxgk_issue_challenge()
690 trace_rxrpc_tx_packet(conn->debug_id, whdr, in rxgk_issue_challenge()
705 if (!conn->key) { in rxgk_validate_challenge()
706 rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO, in rxgk_validate_challenge()
711 if (key_validate(conn->key) < 0) { in rxgk_validate_challenge()
712 rxrpc_abort_conn(conn, skb, RXGK_EXPIRED, -EPROTO, in rxgk_validate_challenge()
719 rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO, in rxgk_validate_challenge()
724 trace_rxrpc_rx_challenge(conn, sp->hdr.serial, 0, *(u32 *)nonce, 0); in rxgk_validate_challenge()
729 * rxgk_kernel_query_challenge - Query RxGK-specific challenge parameters
738 return sp->chall.conn->rxgk.enctype; in rxgk_kernel_query_challenge()
752 chall.base.service_id = conn->service_id; in rxgk_challenge_to_recvmsg()
753 chall.base.security_index = conn->security_ix; in rxgk_challenge_to_recvmsg()
754 chall.enctype = conn->rxgk.enctype; in rxgk_challenge_to_recvmsg()
765 size_t pad = xdr_round_up(len) - len; in rxgk_pad_out()
795 rsp->resp.kvno = gk->key_number; in rxgk_insert_response_header()
796 rsp->resp.version = gk->krb5->etype; in rxgk_insert_response_header()
798 h.whdr.epoch = htonl(conn->proto.epoch); in rxgk_insert_response_header()
799 h.whdr.cid = htonl(conn->proto.cid); in rxgk_insert_response_header()
804 h.whdr.flags = conn->out_clientflag; in rxgk_insert_response_header()
806 h.whdr.securityIndex = conn->security_ix; in rxgk_insert_response_header()
807 h.whdr.cksum = htons(gk->key_number); in rxgk_insert_response_header()
808 h.whdr.serviceId = htons(conn->service_id); in rxgk_insert_response_header()
809 h.start_time_msw = htonl(upper_32_bits(conn->rxgk.start_time)); in rxgk_insert_response_header()
810 h.start_time_lsw = htonl(lower_32_bits(conn->rxgk.start_time)); in rxgk_insert_response_header()
811 h.ticket_len = htonl(gk->key->ticket.len); in rxgk_insert_response_header()
851 return -EPROTO; in rxgk_construct_authenticator()
853 a.appdata_len = htonl(appdata->len); in rxgk_construct_authenticator()
860 if (appdata->len) { in rxgk_construct_authenticator()
861 ret = skb_store_bits(response, offset, appdata->data, appdata->len); in rxgk_construct_authenticator()
864 offset += appdata->len; in rxgk_construct_authenticator()
866 ret = rxgk_pad_out(response, appdata->len, offset); in rxgk_construct_authenticator()
872 b.level = htonl(conn->security_level); in rxgk_construct_authenticator()
873 b.epoch = htonl(conn->proto.epoch); in rxgk_construct_authenticator()
874 b.cid = htonl(conn->proto.cid); in rxgk_construct_authenticator()
876 b.call_numbers[0] = htonl(conn->channels[0].call_counter); in rxgk_construct_authenticator()
877 b.call_numbers[1] = htonl(conn->channels[1].call_counter); in rxgk_construct_authenticator()
878 b.call_numbers[2] = htonl(conn->channels[2].call_counter); in rxgk_construct_authenticator()
879 b.call_numbers[3] = htonl(conn->channels[3].call_counter); in rxgk_construct_authenticator()
884 return sizeof(a) + xdr_round_up(appdata->len) + sizeof(b); in rxgk_construct_authenticator()
902 return crypto_krb5_encrypt(gk->krb5, gk->resp_enc, sg, nr_sg, alloc_len, in rxgk_encrypt_authenticator()
930 auth_len = 20 + (4 + appdata->len) + 12 + (1 + 4) * 4; in rxgk_construct_response()
931 authx_len = crypto_krb5_how_much_buffer(gk->krb5, KRB5_ENCRYPT_MODE, in rxgk_construct_response()
934 8 + (4 + xdr_round_up(gk->key->ticket.len)) + (4 + authx_len); in rxgk_construct_response()
940 response->len = len; in rxgk_construct_response()
941 response->data_len = len; in rxgk_construct_response()
948 ret = skb_store_bits(response, offset, gk->key->ticket.data, gk->key->ticket.len); in rxgk_construct_response()
951 offset += gk->key->ticket.len; in rxgk_construct_response()
952 ret = rxgk_pad_out(response, gk->key->ticket.len, offset); in rxgk_construct_response()
972 ret = skb_store_bits(response, authx_offset - 4, &tmp, 4); in rxgk_construct_response()
981 if (len != response->len) { in rxgk_construct_response()
982 response->len = len; in rxgk_construct_response()
983 response->data_len = len; in rxgk_construct_response()
988 rsp->resp.len = len; in rxgk_construct_response()
989 rsp->resp.challenge_serial = csp->hdr.serial; in rxgk_construct_response()
1008 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key)); in rxgk_respond_to_challenge()
1010 if (key_validate(conn->key) < 0) in rxgk_respond_to_challenge()
1011 return rxrpc_abort_conn(conn, NULL, RXGK_EXPIRED, -EPROTO, in rxgk_respond_to_challenge()
1026 * rxgk_kernel_respond_to_challenge - Respond to a challenge with appdata
1040 return rxgk_respond_to_challenge(csp->chall.conn, challenge, appdata); in rxgk_kernel_respond_to_challenge()
1055 if (cmsg->cmsg_level != SOL_RXRPC || in rxgk_sendmsg_respond_to_challenge()
1056 cmsg->cmsg_type != RXRPC_RESP_RXGK_APPDATA) in rxgk_sendmsg_respond_to_challenge()
1059 return -EINVAL; in rxgk_sendmsg_respond_to_challenge()
1061 appdata.len = cmsg->cmsg_len - sizeof(struct cmsghdr); in rxgk_sendmsg_respond_to_challenge()
1088 if (memcmp(p, conn->rxgk.nonce, 20) != 0) in rxgk_do_verify_authenticator()
1089 return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO, in rxgk_do_verify_authenticator()
1094 if (app_len > (end - p) * sizeof(__be32)) in rxgk_do_verify_authenticator()
1095 return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO, in rxgk_do_verify_authenticator()
1099 if (end - p < 4) in rxgk_do_verify_authenticator()
1100 return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO, in rxgk_do_verify_authenticator()
1108 if (level != conn->security_level || in rxgk_do_verify_authenticator()
1109 epoch != conn->proto.epoch || in rxgk_do_verify_authenticator()
1110 cid != conn->proto.cid || in rxgk_do_verify_authenticator()
1112 return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO, in rxgk_do_verify_authenticator()
1115 if (end - p < call_count) in rxgk_do_verify_authenticator()
1116 return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO, in rxgk_do_verify_authenticator()
1123 return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO, in rxgk_do_verify_authenticator()
1126 if (call_id < conn->channels[i].call_counter) in rxgk_do_verify_authenticator()
1127 return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO, in rxgk_do_verify_authenticator()
1130 if (call_id > conn->channels[i].call_counter) { in rxgk_do_verify_authenticator()
1131 if (conn->channels[i].call) in rxgk_do_verify_authenticator()
1132 return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO, in rxgk_do_verify_authenticator()
1135 conn->channels[i].call_counter = call_id; in rxgk_do_verify_authenticator()
1157 return -ENOMEM; in rxgk_verify_authenticator()
1161 ret = rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO, in rxgk_verify_authenticator()
1192 unsigned int len = skb->len - sizeof(struct rxrpc_wire_header); in rxgk_verify_response()
1198 _enter("{%d}", conn->debug_id); in rxgk_verify_response()
1207 len -= sizeof(rhdr); in rxgk_verify_response()
1214 trace_rxrpc_rx_response(conn, sp->hdr.serial, 0, sp->hdr.cksum, token_len); in rxgk_verify_response()
1217 len -= xdr_round_up(token_len); in rxgk_verify_response()
1222 len -= sizeof(xauth_len); in rxgk_verify_response()
1234 * key for it. This bit, however, is application-specific. If in rxgk_verify_response()
1236 * to the app to deal with - which might mean a round trip to in rxgk_verify_response()
1251 token = key->payload.data[0]; in rxgk_verify_response()
1252 conn->security_level = token->rxgk->level; in rxgk_verify_response()
1253 conn->rxgk.start_time = __be64_to_cpu(rhdr.start_time); in rxgk_verify_response()
1255 gk = rxgk_generate_transport_key(conn, token->rxgk, sp->hdr.cksum, GFP_NOFS); in rxgk_verify_response()
1261 krb5 = gk->krb5; in rxgk_verify_response()
1263 trace_rxrpc_rx_response(conn, sp->hdr.serial, krb5->etype, sp->hdr.cksum, token_len); in rxgk_verify_response()
1266 ret = rxgk_decrypt_skb(krb5, gk->resp_enc, skb, in rxgk_verify_response()
1278 conn->key = key; in rxgk_verify_response()
1287 ret = rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO, in rxgk_verify_response()
1291 ret = rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO, in rxgk_verify_response()
1295 ret = rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO, in rxgk_verify_response()
1301 case -ENOMEM: in rxgk_verify_response()
1303 case -EINVAL: in rxgk_verify_response()
1304 ret = rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EKEYREJECTED, in rxgk_verify_response()
1307 case -ENOPKG: in rxgk_verify_response()
1309 -EKEYREJECTED, rxgk_abort_resp_nopkg); in rxgk_verify_response()
1328 for (i = 0; i < ARRAY_SIZE(conn->rxgk.keys); i++) in rxgk_clear()
1329 rxgk_put(conn->rxgk.keys[i]); in rxgk_clear()
1348 * RxRPC YFS GSSAPI-based security
1351 .name = "yfs-rxgk",