Lines Matching full:conn
42 static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
100 static int rxkad_init_connection_security(struct rxrpc_connection *conn,
106 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->key));
108 conn->security_ix = token->security_index;
121 switch (conn->security_level) {
131 ret = rxkad_prime_packet_security(conn, ci);
135 conn->rxkad.cipher = ci;
155 switch (call->conn->security_level) {
191 static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
203 if (!conn->key)
216 token = conn->key->payload.data[0];
219 tmpbuf[0] = htonl(conn->proto.epoch);
220 tmpbuf[1] = htonl(conn->proto.cid);
222 tmpbuf[3] = htonl(conn->security_ix);
231 memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv));
243 struct crypto_skcipher *tfm = &call->conn->rxkad.cipher->base;
286 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
325 token = call->conn->key->payload.data[0];
329 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
352 call->debug_id, key_serial(call->conn->key),
355 if (!call->conn->rxkad.cipher)
358 ret = key_validate(call->conn->key);
367 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
376 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
388 switch (call->conn->security_level) {
453 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
528 token = call->conn->key->payload.data[0];
531 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
583 call->debug_id, key_serial(call->conn->key), seq);
585 if (!call->conn->rxkad.cipher)
593 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
602 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
619 switch (call->conn->security_level) {
642 static int rxkad_issue_challenge(struct rxrpc_connection *conn)
652 _enter("{%d}", conn->debug_id);
654 get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce));
657 challenge.nonce = htonl(conn->rxkad.nonce);
661 msg.msg_name = &conn->peer->srx.transport;
662 msg.msg_namelen = conn->peer->srx.transport_len;
667 whdr.epoch = htonl(conn->proto.epoch);
668 whdr.cid = htonl(conn->proto.cid);
672 whdr.flags = conn->out_clientflag;
674 whdr.securityIndex = conn->security_ix;
676 whdr.serviceId = htons(conn->service_id);
685 serial = rxrpc_get_next_serial(conn);
688 trace_rxrpc_tx_challenge(conn, serial, 0, conn->rxkad.nonce);
690 ret = kernel_sendmsg(conn->local->socket, &msg, iov, 2, len);
692 trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
697 conn->peer->last_tx_at = ktime_get_seconds();
698 trace_rxrpc_tx_packet(conn->debug_id, &whdr,
722 static int rxkad_encrypt_response(struct rxrpc_connection *conn,
739 req = skcipher_request_alloc(&conn->rxkad.cipher->base, GFP_NOFS);
746 skcipher_request_set_sync_tfm(req, conn->rxkad.cipher);
757 static bool rxkad_validate_challenge(struct rxrpc_connection *conn,
765 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
767 if (!conn->key) {
768 rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO,
773 ret = key_validate(conn->key);
775 rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
782 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
791 trace_rxrpc_rx_challenge(conn, sp->hdr.serial, version,
795 rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
800 if (conn->security_level < min_level) {
801 rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EACCES,
812 int rxkad_insert_response_header(struct rxrpc_connection *conn,
825 h.whdr.epoch = htonl(conn->proto.epoch);
826 h.whdr.cid = htonl(conn->proto.cid);
831 h.whdr.flags = conn->out_clientflag;
833 h.whdr.securityIndex = conn->security_ix;
835 h.whdr.serviceId = htons(conn->service_id);
838 h.resp.encrypted.epoch = htonl(conn->proto.epoch);
839 h.resp.encrypted.cid = htonl(conn->proto.cid);
841 h.resp.encrypted.securityIndex = htonl(conn->security_ix);
842 h.resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
843 h.resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
844 h.resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
845 h.resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
847 h.resp.encrypted.level = htonl(conn->security_level);
861 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
870 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
872 ret = key_validate(conn->key);
874 return rxrpc_abort_conn(conn, challenge, RXKADEXPIRED, ret,
877 token = conn->key->payload.data[0];
892 ret = rxkad_insert_response_header(conn, token, challenge, response,
897 ret = rxkad_encrypt_response(conn, response, token->kad);
910 rxrpc_post_response(conn, response);
941 return rxkad_respond_to_challenge(csp->chall.conn, challenge);
948 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
964 _enter("{%d},{%x}", conn->debug_id, key_serial(server_key));
992 conn, skb, RXKADBADTICKET, -EPROTO, \
997 conn, skb, RXKADBADTICKET, -EPROTO, \
1021 return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO,
1055 return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, -EKEYREJECTED,
1058 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, -EKEYEXPIRED,
1076 static void rxkad_decrypt_response(struct rxrpc_connection *conn,
1110 static int rxkad_verify_response(struct rxrpc_connection *conn,
1123 _enter("{%d}", conn->debug_id);
1125 server_key = rxrpc_look_up_server_security(conn, skb, 0, 0);
1130 return rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, ret,
1133 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
1136 return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, ret,
1148 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1157 trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len);
1160 rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
1166 rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO,
1172 rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO,
1185 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1190 ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len,
1197 rxkad_decrypt_response(conn, response, &session_key);
1199 if (ntohl(response->encrypted.epoch) != conn->proto.epoch ||
1200 ntohl(response->encrypted.cid) != conn->proto.cid ||
1201 ntohl(response->encrypted.securityIndex) != conn->security_ix) {
1202 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1211 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1218 u32 counter = READ_ONCE(conn->channels[i].call_counter);
1221 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1227 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1233 if (conn->channels[i].call) {
1234 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1238 conn->channels[i].call_counter = call_id;
1242 if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) {
1243 rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO,
1250 rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO,
1254 conn->security_level = level;
1259 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1291 static void rxkad_clear(struct rxrpc_connection *conn)
1295 if (conn->rxkad.cipher)
1296 crypto_free_sync_skcipher(conn->rxkad.cipher);