xref: /linux/net/rxrpc/rxkad.c (revision 4232da23d75d173195c6766729e51947b64f83cd)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Kerberos-based RxRPC security
3  *
4  * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
5  * Written by David Howells (dhowells@redhat.com)
6  */
7 
8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9 
10 #include <crypto/skcipher.h>
11 #include <linux/module.h>
12 #include <linux/net.h>
13 #include <linux/skbuff.h>
14 #include <linux/udp.h>
15 #include <linux/scatterlist.h>
16 #include <linux/ctype.h>
17 #include <linux/slab.h>
18 #include <linux/key-type.h>
19 #include <net/sock.h>
20 #include <net/af_rxrpc.h>
21 #include <keys/rxrpc-type.h>
22 #include "ar-internal.h"
23 
24 #define RXKAD_VERSION			2
25 #define MAXKRB5TICKETLEN		1024
26 #define RXKAD_TKT_TYPE_KERBEROS_V5	256
27 #define ANAME_SZ			40	/* size of authentication name */
28 #define INST_SZ				40	/* size of principal's instance */
29 #define REALM_SZ			40	/* size of principal's auth domain */
30 #define SNAME_SZ			40	/* size of service name */
31 #define RXKAD_ALIGN			8
32 
33 struct rxkad_level1_hdr {
34 	__be32	data_size;	/* true data size (excluding padding) */
35 };
36 
37 struct rxkad_level2_hdr {
38 	__be32	data_size;	/* true data size (excluding padding) */
39 	__be32	checksum;	/* decrypted data checksum */
40 };
41 
42 static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
43 				       struct crypto_sync_skcipher *ci);
44 
45 /*
46  * this holds a pinned cipher so that keventd doesn't get called by the cipher
47  * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
48  * packets
49  */
50 static struct crypto_sync_skcipher *rxkad_ci;
51 static struct skcipher_request *rxkad_ci_req;
52 static DEFINE_MUTEX(rxkad_ci_mutex);
53 
54 /*
55  * Parse the information from a server key
56  *
57  * The data should be the 8-byte secret key.
58  */
rxkad_preparse_server_key(struct key_preparsed_payload * prep)59 static int rxkad_preparse_server_key(struct key_preparsed_payload *prep)
60 {
61 	struct crypto_skcipher *ci;
62 
63 	if (prep->datalen != 8)
64 		return -EINVAL;
65 
66 	memcpy(&prep->payload.data[2], prep->data, 8);
67 
68 	ci = crypto_alloc_skcipher("pcbc(des)", 0, CRYPTO_ALG_ASYNC);
69 	if (IS_ERR(ci)) {
70 		_leave(" = %ld", PTR_ERR(ci));
71 		return PTR_ERR(ci);
72 	}
73 
74 	if (crypto_skcipher_setkey(ci, prep->data, 8) < 0)
75 		BUG();
76 
77 	prep->payload.data[0] = ci;
78 	_leave(" = 0");
79 	return 0;
80 }
81 
rxkad_free_preparse_server_key(struct key_preparsed_payload * prep)82 static void rxkad_free_preparse_server_key(struct key_preparsed_payload *prep)
83 {
84 
85 	if (prep->payload.data[0])
86 		crypto_free_skcipher(prep->payload.data[0]);
87 }
88 
rxkad_destroy_server_key(struct key * key)89 static void rxkad_destroy_server_key(struct key *key)
90 {
91 	if (key->payload.data[0]) {
92 		crypto_free_skcipher(key->payload.data[0]);
93 		key->payload.data[0] = NULL;
94 	}
95 }
96 
97 /*
98  * initialise connection security
99  */
rxkad_init_connection_security(struct rxrpc_connection * conn,struct rxrpc_key_token * token)100 static int rxkad_init_connection_security(struct rxrpc_connection *conn,
101 					  struct rxrpc_key_token *token)
102 {
103 	struct crypto_sync_skcipher *ci;
104 	int ret;
105 
106 	_enter("{%d},{%x}", conn->debug_id, key_serial(conn->key));
107 
108 	conn->security_ix = token->security_index;
109 
110 	ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
111 	if (IS_ERR(ci)) {
112 		_debug("no cipher");
113 		ret = PTR_ERR(ci);
114 		goto error;
115 	}
116 
117 	if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
118 				   sizeof(token->kad->session_key)) < 0)
119 		BUG();
120 
121 	switch (conn->security_level) {
122 	case RXRPC_SECURITY_PLAIN:
123 	case RXRPC_SECURITY_AUTH:
124 	case RXRPC_SECURITY_ENCRYPT:
125 		break;
126 	default:
127 		ret = -EKEYREJECTED;
128 		goto error;
129 	}
130 
131 	ret = rxkad_prime_packet_security(conn, ci);
132 	if (ret < 0)
133 		goto error_ci;
134 
135 	conn->rxkad.cipher = ci;
136 	return 0;
137 
138 error_ci:
139 	crypto_free_sync_skcipher(ci);
140 error:
141 	_leave(" = %d", ret);
142 	return ret;
143 }
144 
145 /*
146  * Work out how much data we can put in a packet.
147  */
rxkad_alloc_txbuf(struct rxrpc_call * call,size_t remain,gfp_t gfp)148 static struct rxrpc_txbuf *rxkad_alloc_txbuf(struct rxrpc_call *call, size_t remain, gfp_t gfp)
149 {
150 	struct rxrpc_txbuf *txb;
151 	size_t shdr, space;
152 
153 	remain = min(remain, 65535 - sizeof(struct rxrpc_wire_header));
154 
155 	switch (call->conn->security_level) {
156 	default:
157 		space = min_t(size_t, remain, RXRPC_JUMBO_DATALEN);
158 		return rxrpc_alloc_data_txbuf(call, space, 1, gfp);
159 	case RXRPC_SECURITY_AUTH:
160 		shdr = sizeof(struct rxkad_level1_hdr);
161 		break;
162 	case RXRPC_SECURITY_ENCRYPT:
163 		shdr = sizeof(struct rxkad_level2_hdr);
164 		break;
165 	}
166 
167 	space = min_t(size_t, round_down(RXRPC_JUMBO_DATALEN, RXKAD_ALIGN), remain + shdr);
168 	space = round_up(space, RXKAD_ALIGN);
169 
170 	txb = rxrpc_alloc_data_txbuf(call, space, RXKAD_ALIGN, gfp);
171 	if (!txb)
172 		return NULL;
173 
174 	txb->offset += shdr;
175 	txb->space -= shdr;
176 	return txb;
177 }
178 
179 /*
180  * prime the encryption state with the invariant parts of a connection's
181  * description
182  */
rxkad_prime_packet_security(struct rxrpc_connection * conn,struct crypto_sync_skcipher * ci)183 static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
184 				       struct crypto_sync_skcipher *ci)
185 {
186 	struct skcipher_request *req;
187 	struct rxrpc_key_token *token;
188 	struct scatterlist sg;
189 	struct rxrpc_crypt iv;
190 	__be32 *tmpbuf;
191 	size_t tmpsize = 4 * sizeof(__be32);
192 
193 	_enter("");
194 
195 	if (!conn->key)
196 		return 0;
197 
198 	tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
199 	if (!tmpbuf)
200 		return -ENOMEM;
201 
202 	req = skcipher_request_alloc(&ci->base, GFP_NOFS);
203 	if (!req) {
204 		kfree(tmpbuf);
205 		return -ENOMEM;
206 	}
207 
208 	token = conn->key->payload.data[0];
209 	memcpy(&iv, token->kad->session_key, sizeof(iv));
210 
211 	tmpbuf[0] = htonl(conn->proto.epoch);
212 	tmpbuf[1] = htonl(conn->proto.cid);
213 	tmpbuf[2] = 0;
214 	tmpbuf[3] = htonl(conn->security_ix);
215 
216 	sg_init_one(&sg, tmpbuf, tmpsize);
217 	skcipher_request_set_sync_tfm(req, ci);
218 	skcipher_request_set_callback(req, 0, NULL, NULL);
219 	skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
220 	crypto_skcipher_encrypt(req);
221 	skcipher_request_free(req);
222 
223 	memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv));
224 	kfree(tmpbuf);
225 	_leave(" = 0");
226 	return 0;
227 }
228 
229 /*
230  * Allocate and prepare the crypto request on a call.  For any particular call,
231  * this is called serially for the packets, so no lock should be necessary.
232  */
rxkad_get_call_crypto(struct rxrpc_call * call)233 static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call)
234 {
235 	struct crypto_skcipher *tfm = &call->conn->rxkad.cipher->base;
236 
237 	return skcipher_request_alloc(tfm, GFP_NOFS);
238 }
239 
240 /*
241  * Clean up the crypto on a call.
242  */
rxkad_free_call_crypto(struct rxrpc_call * call)243 static void rxkad_free_call_crypto(struct rxrpc_call *call)
244 {
245 }
246 
247 /*
248  * partially encrypt a packet (level 1 security)
249  */
rxkad_secure_packet_auth(const struct rxrpc_call * call,struct rxrpc_txbuf * txb,struct skcipher_request * req)250 static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
251 				    struct rxrpc_txbuf *txb,
252 				    struct skcipher_request *req)
253 {
254 	struct rxrpc_wire_header *whdr = txb->kvec[0].iov_base;
255 	struct rxkad_level1_hdr *hdr = (void *)(whdr + 1);
256 	struct rxrpc_crypt iv;
257 	struct scatterlist sg;
258 	size_t pad;
259 	u16 check;
260 
261 	_enter("");
262 
263 	check = txb->seq ^ call->call_id;
264 	hdr->data_size = htonl((u32)check << 16 | txb->len);
265 
266 	txb->len += sizeof(struct rxkad_level1_hdr);
267 	pad = txb->len;
268 	pad = RXKAD_ALIGN - pad;
269 	pad &= RXKAD_ALIGN - 1;
270 	if (pad) {
271 		memset(txb->kvec[0].iov_base + txb->offset, 0, pad);
272 		txb->len += pad;
273 	}
274 
275 	/* start the encryption afresh */
276 	memset(&iv, 0, sizeof(iv));
277 
278 	sg_init_one(&sg, hdr, 8);
279 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
280 	skcipher_request_set_callback(req, 0, NULL, NULL);
281 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
282 	crypto_skcipher_encrypt(req);
283 	skcipher_request_zero(req);
284 
285 	_leave(" = 0");
286 	return 0;
287 }
288 
289 /*
290  * wholly encrypt a packet (level 2 security)
291  */
rxkad_secure_packet_encrypt(const struct rxrpc_call * call,struct rxrpc_txbuf * txb,struct skcipher_request * req)292 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
293 				       struct rxrpc_txbuf *txb,
294 				       struct skcipher_request *req)
295 {
296 	const struct rxrpc_key_token *token;
297 	struct rxrpc_wire_header *whdr = txb->kvec[0].iov_base;
298 	struct rxkad_level2_hdr *rxkhdr = (void *)(whdr + 1);
299 	struct rxrpc_crypt iv;
300 	struct scatterlist sg;
301 	size_t pad;
302 	u16 check;
303 	int ret;
304 
305 	_enter("");
306 
307 	check = txb->seq ^ call->call_id;
308 
309 	rxkhdr->data_size = htonl(txb->len | (u32)check << 16);
310 	rxkhdr->checksum = 0;
311 
312 	txb->len += sizeof(struct rxkad_level2_hdr);
313 	pad = txb->len;
314 	pad = RXKAD_ALIGN - pad;
315 	pad &= RXKAD_ALIGN - 1;
316 	if (pad) {
317 		memset(txb->kvec[0].iov_base + txb->offset, 0, pad);
318 		txb->len += pad;
319 	}
320 
321 	/* encrypt from the session key */
322 	token = call->conn->key->payload.data[0];
323 	memcpy(&iv, token->kad->session_key, sizeof(iv));
324 
325 	sg_init_one(&sg, rxkhdr, txb->len);
326 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
327 	skcipher_request_set_callback(req, 0, NULL, NULL);
328 	skcipher_request_set_crypt(req, &sg, &sg, txb->len, iv.x);
329 	ret = crypto_skcipher_encrypt(req);
330 	skcipher_request_zero(req);
331 	return ret;
332 }
333 
334 /*
335  * checksum an RxRPC packet header
336  */
rxkad_secure_packet(struct rxrpc_call * call,struct rxrpc_txbuf * txb)337 static int rxkad_secure_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb)
338 {
339 	struct skcipher_request	*req;
340 	struct rxrpc_crypt iv;
341 	struct scatterlist sg;
342 	union {
343 		__be32 buf[2];
344 	} crypto __aligned(8);
345 	u32 x, y;
346 	int ret;
347 
348 	_enter("{%d{%x}},{#%u},%u,",
349 	       call->debug_id, key_serial(call->conn->key),
350 	       txb->seq, txb->len);
351 
352 	if (!call->conn->rxkad.cipher)
353 		return 0;
354 
355 	ret = key_validate(call->conn->key);
356 	if (ret < 0)
357 		return ret;
358 
359 	req = rxkad_get_call_crypto(call);
360 	if (!req)
361 		return -ENOMEM;
362 
363 	/* continue encrypting from where we left off */
364 	memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
365 
366 	/* calculate the security checksum */
367 	x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
368 	x |= txb->seq & 0x3fffffff;
369 	crypto.buf[0] = htonl(call->call_id);
370 	crypto.buf[1] = htonl(x);
371 
372 	sg_init_one(&sg, crypto.buf, 8);
373 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
374 	skcipher_request_set_callback(req, 0, NULL, NULL);
375 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
376 	crypto_skcipher_encrypt(req);
377 	skcipher_request_zero(req);
378 
379 	y = ntohl(crypto.buf[1]);
380 	y = (y >> 16) & 0xffff;
381 	if (y == 0)
382 		y = 1; /* zero checksums are not permitted */
383 	txb->cksum = htons(y);
384 
385 	switch (call->conn->security_level) {
386 	case RXRPC_SECURITY_PLAIN:
387 		ret = 0;
388 		break;
389 	case RXRPC_SECURITY_AUTH:
390 		ret = rxkad_secure_packet_auth(call, txb, req);
391 		break;
392 	case RXRPC_SECURITY_ENCRYPT:
393 		ret = rxkad_secure_packet_encrypt(call, txb, req);
394 		break;
395 	default:
396 		ret = -EPERM;
397 		break;
398 	}
399 
400 	skcipher_request_free(req);
401 	_leave(" = %d [set %x]", ret, y);
402 	return ret;
403 }
404 
405 /*
406  * decrypt partial encryption on a packet (level 1 security)
407  */
rxkad_verify_packet_1(struct rxrpc_call * call,struct sk_buff * skb,rxrpc_seq_t seq,struct skcipher_request * req)408 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
409 				 rxrpc_seq_t seq,
410 				 struct skcipher_request *req)
411 {
412 	struct rxkad_level1_hdr sechdr;
413 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
414 	struct rxrpc_crypt iv;
415 	struct scatterlist sg[16];
416 	u32 data_size, buf;
417 	u16 check;
418 	int ret;
419 
420 	_enter("");
421 
422 	if (sp->len < 8)
423 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
424 					  rxkad_abort_1_short_header);
425 
426 	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
427 	 * directly into the target buffer.
428 	 */
429 	sg_init_table(sg, ARRAY_SIZE(sg));
430 	ret = skb_to_sgvec(skb, sg, sp->offset, 8);
431 	if (unlikely(ret < 0))
432 		return ret;
433 
434 	/* start the decryption afresh */
435 	memset(&iv, 0, sizeof(iv));
436 
437 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
438 	skcipher_request_set_callback(req, 0, NULL, NULL);
439 	skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
440 	crypto_skcipher_decrypt(req);
441 	skcipher_request_zero(req);
442 
443 	/* Extract the decrypted packet length */
444 	if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
445 		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
446 					  rxkad_abort_1_short_encdata);
447 	sp->offset += sizeof(sechdr);
448 	sp->len    -= sizeof(sechdr);
449 
450 	buf = ntohl(sechdr.data_size);
451 	data_size = buf & 0xffff;
452 
453 	check = buf >> 16;
454 	check ^= seq ^ call->call_id;
455 	check &= 0xffff;
456 	if (check != 0)
457 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
458 					  rxkad_abort_1_short_check);
459 	if (data_size > sp->len)
460 		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
461 					  rxkad_abort_1_short_data);
462 	sp->len = data_size;
463 
464 	_leave(" = 0 [dlen=%x]", data_size);
465 	return 0;
466 }
467 
468 /*
469  * wholly decrypt a packet (level 2 security)
470  */
rxkad_verify_packet_2(struct rxrpc_call * call,struct sk_buff * skb,rxrpc_seq_t seq,struct skcipher_request * req)471 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
472 				 rxrpc_seq_t seq,
473 				 struct skcipher_request *req)
474 {
475 	const struct rxrpc_key_token *token;
476 	struct rxkad_level2_hdr sechdr;
477 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
478 	struct rxrpc_crypt iv;
479 	struct scatterlist _sg[4], *sg;
480 	u32 data_size, buf;
481 	u16 check;
482 	int nsg, ret;
483 
484 	_enter(",{%d}", sp->len);
485 
486 	if (sp->len < 8)
487 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
488 					  rxkad_abort_2_short_header);
489 
490 	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
491 	 * directly into the target buffer.
492 	 */
493 	sg = _sg;
494 	nsg = skb_shinfo(skb)->nr_frags + 1;
495 	if (nsg <= 4) {
496 		nsg = 4;
497 	} else {
498 		sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
499 		if (!sg)
500 			return -ENOMEM;
501 	}
502 
503 	sg_init_table(sg, nsg);
504 	ret = skb_to_sgvec(skb, sg, sp->offset, sp->len);
505 	if (unlikely(ret < 0)) {
506 		if (sg != _sg)
507 			kfree(sg);
508 		return ret;
509 	}
510 
511 	/* decrypt from the session key */
512 	token = call->conn->key->payload.data[0];
513 	memcpy(&iv, token->kad->session_key, sizeof(iv));
514 
515 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
516 	skcipher_request_set_callback(req, 0, NULL, NULL);
517 	skcipher_request_set_crypt(req, sg, sg, sp->len, iv.x);
518 	crypto_skcipher_decrypt(req);
519 	skcipher_request_zero(req);
520 	if (sg != _sg)
521 		kfree(sg);
522 
523 	/* Extract the decrypted packet length */
524 	if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
525 		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
526 					  rxkad_abort_2_short_len);
527 	sp->offset += sizeof(sechdr);
528 	sp->len    -= sizeof(sechdr);
529 
530 	buf = ntohl(sechdr.data_size);
531 	data_size = buf & 0xffff;
532 
533 	check = buf >> 16;
534 	check ^= seq ^ call->call_id;
535 	check &= 0xffff;
536 	if (check != 0)
537 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
538 					  rxkad_abort_2_short_check);
539 
540 	if (data_size > sp->len)
541 		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
542 					  rxkad_abort_2_short_data);
543 
544 	sp->len = data_size;
545 	_leave(" = 0 [dlen=%x]", data_size);
546 	return 0;
547 }
548 
549 /*
550  * Verify the security on a received packet and the subpackets therein.
551  */
rxkad_verify_packet(struct rxrpc_call * call,struct sk_buff * skb)552 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb)
553 {
554 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
555 	struct skcipher_request	*req;
556 	struct rxrpc_crypt iv;
557 	struct scatterlist sg;
558 	union {
559 		__be32 buf[2];
560 	} crypto __aligned(8);
561 	rxrpc_seq_t seq = sp->hdr.seq;
562 	int ret;
563 	u16 cksum;
564 	u32 x, y;
565 
566 	_enter("{%d{%x}},{#%u}",
567 	       call->debug_id, key_serial(call->conn->key), seq);
568 
569 	if (!call->conn->rxkad.cipher)
570 		return 0;
571 
572 	req = rxkad_get_call_crypto(call);
573 	if (!req)
574 		return -ENOMEM;
575 
576 	/* continue encrypting from where we left off */
577 	memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
578 
579 	/* validate the security checksum */
580 	x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
581 	x |= seq & 0x3fffffff;
582 	crypto.buf[0] = htonl(call->call_id);
583 	crypto.buf[1] = htonl(x);
584 
585 	sg_init_one(&sg, crypto.buf, 8);
586 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
587 	skcipher_request_set_callback(req, 0, NULL, NULL);
588 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
589 	crypto_skcipher_encrypt(req);
590 	skcipher_request_zero(req);
591 
592 	y = ntohl(crypto.buf[1]);
593 	cksum = (y >> 16) & 0xffff;
594 	if (cksum == 0)
595 		cksum = 1; /* zero checksums are not permitted */
596 
597 	if (cksum != sp->hdr.cksum) {
598 		ret = rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
599 					 rxkad_abort_bad_checksum);
600 		goto out;
601 	}
602 
603 	switch (call->conn->security_level) {
604 	case RXRPC_SECURITY_PLAIN:
605 		ret = 0;
606 		break;
607 	case RXRPC_SECURITY_AUTH:
608 		ret = rxkad_verify_packet_1(call, skb, seq, req);
609 		break;
610 	case RXRPC_SECURITY_ENCRYPT:
611 		ret = rxkad_verify_packet_2(call, skb, seq, req);
612 		break;
613 	default:
614 		ret = -ENOANO;
615 		break;
616 	}
617 
618 out:
619 	skcipher_request_free(req);
620 	return ret;
621 }
622 
623 /*
624  * issue a challenge
625  */
rxkad_issue_challenge(struct rxrpc_connection * conn)626 static int rxkad_issue_challenge(struct rxrpc_connection *conn)
627 {
628 	struct rxkad_challenge challenge;
629 	struct rxrpc_wire_header whdr;
630 	struct msghdr msg;
631 	struct kvec iov[2];
632 	size_t len;
633 	u32 serial;
634 	int ret;
635 
636 	_enter("{%d}", conn->debug_id);
637 
638 	get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce));
639 
640 	challenge.version	= htonl(2);
641 	challenge.nonce		= htonl(conn->rxkad.nonce);
642 	challenge.min_level	= htonl(0);
643 	challenge.__padding	= 0;
644 
645 	msg.msg_name	= &conn->peer->srx.transport;
646 	msg.msg_namelen	= conn->peer->srx.transport_len;
647 	msg.msg_control	= NULL;
648 	msg.msg_controllen = 0;
649 	msg.msg_flags	= 0;
650 
651 	whdr.epoch	= htonl(conn->proto.epoch);
652 	whdr.cid	= htonl(conn->proto.cid);
653 	whdr.callNumber	= 0;
654 	whdr.seq	= 0;
655 	whdr.type	= RXRPC_PACKET_TYPE_CHALLENGE;
656 	whdr.flags	= conn->out_clientflag;
657 	whdr.userStatus	= 0;
658 	whdr.securityIndex = conn->security_ix;
659 	whdr._rsvd	= 0;
660 	whdr.serviceId	= htons(conn->service_id);
661 
662 	iov[0].iov_base	= &whdr;
663 	iov[0].iov_len	= sizeof(whdr);
664 	iov[1].iov_base	= &challenge;
665 	iov[1].iov_len	= sizeof(challenge);
666 
667 	len = iov[0].iov_len + iov[1].iov_len;
668 
669 	serial = rxrpc_get_next_serial(conn);
670 	whdr.serial = htonl(serial);
671 
672 	ret = kernel_sendmsg(conn->local->socket, &msg, iov, 2, len);
673 	if (ret < 0) {
674 		trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
675 				    rxrpc_tx_point_rxkad_challenge);
676 		return -EAGAIN;
677 	}
678 
679 	conn->peer->last_tx_at = ktime_get_seconds();
680 	trace_rxrpc_tx_packet(conn->debug_id, &whdr,
681 			      rxrpc_tx_point_rxkad_challenge);
682 	_leave(" = 0");
683 	return 0;
684 }
685 
686 /*
687  * send a Kerberos security response
688  */
rxkad_send_response(struct rxrpc_connection * conn,struct rxrpc_host_header * hdr,struct rxkad_response * resp,const struct rxkad_key * s2)689 static int rxkad_send_response(struct rxrpc_connection *conn,
690 			       struct rxrpc_host_header *hdr,
691 			       struct rxkad_response *resp,
692 			       const struct rxkad_key *s2)
693 {
694 	struct rxrpc_wire_header whdr;
695 	struct msghdr msg;
696 	struct kvec iov[3];
697 	size_t len;
698 	u32 serial;
699 	int ret;
700 
701 	_enter("");
702 
703 	msg.msg_name	= &conn->peer->srx.transport;
704 	msg.msg_namelen	= conn->peer->srx.transport_len;
705 	msg.msg_control	= NULL;
706 	msg.msg_controllen = 0;
707 	msg.msg_flags	= 0;
708 
709 	memset(&whdr, 0, sizeof(whdr));
710 	whdr.epoch	= htonl(hdr->epoch);
711 	whdr.cid	= htonl(hdr->cid);
712 	whdr.type	= RXRPC_PACKET_TYPE_RESPONSE;
713 	whdr.flags	= conn->out_clientflag;
714 	whdr.securityIndex = hdr->securityIndex;
715 	whdr.serviceId	= htons(hdr->serviceId);
716 
717 	iov[0].iov_base	= &whdr;
718 	iov[0].iov_len	= sizeof(whdr);
719 	iov[1].iov_base	= resp;
720 	iov[1].iov_len	= sizeof(*resp);
721 	iov[2].iov_base	= (void *)s2->ticket;
722 	iov[2].iov_len	= s2->ticket_len;
723 
724 	len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
725 
726 	serial = rxrpc_get_next_serial(conn);
727 	whdr.serial = htonl(serial);
728 
729 	rxrpc_local_dont_fragment(conn->local, false);
730 	ret = kernel_sendmsg(conn->local->socket, &msg, iov, 3, len);
731 	if (ret < 0) {
732 		trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
733 				    rxrpc_tx_point_rxkad_response);
734 		return -EAGAIN;
735 	}
736 
737 	conn->peer->last_tx_at = ktime_get_seconds();
738 	_leave(" = 0");
739 	return 0;
740 }
741 
742 /*
743  * calculate the response checksum
744  */
rxkad_calc_response_checksum(struct rxkad_response * response)745 static void rxkad_calc_response_checksum(struct rxkad_response *response)
746 {
747 	u32 csum = 1000003;
748 	int loop;
749 	u8 *p = (u8 *) response;
750 
751 	for (loop = sizeof(*response); loop > 0; loop--)
752 		csum = csum * 0x10204081 + *p++;
753 
754 	response->encrypted.checksum = htonl(csum);
755 }
756 
757 /*
758  * encrypt the response packet
759  */
rxkad_encrypt_response(struct rxrpc_connection * conn,struct rxkad_response * resp,const struct rxkad_key * s2)760 static int rxkad_encrypt_response(struct rxrpc_connection *conn,
761 				  struct rxkad_response *resp,
762 				  const struct rxkad_key *s2)
763 {
764 	struct skcipher_request *req;
765 	struct rxrpc_crypt iv;
766 	struct scatterlist sg[1];
767 
768 	req = skcipher_request_alloc(&conn->rxkad.cipher->base, GFP_NOFS);
769 	if (!req)
770 		return -ENOMEM;
771 
772 	/* continue encrypting from where we left off */
773 	memcpy(&iv, s2->session_key, sizeof(iv));
774 
775 	sg_init_table(sg, 1);
776 	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
777 	skcipher_request_set_sync_tfm(req, conn->rxkad.cipher);
778 	skcipher_request_set_callback(req, 0, NULL, NULL);
779 	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
780 	crypto_skcipher_encrypt(req);
781 	skcipher_request_free(req);
782 	return 0;
783 }
784 
785 /*
786  * respond to a challenge packet
787  */
rxkad_respond_to_challenge(struct rxrpc_connection * conn,struct sk_buff * skb)788 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
789 				      struct sk_buff *skb)
790 {
791 	const struct rxrpc_key_token *token;
792 	struct rxkad_challenge challenge;
793 	struct rxkad_response *resp;
794 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
795 	u32 version, nonce, min_level;
796 	int ret = -EPROTO;
797 
798 	_enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
799 
800 	if (!conn->key)
801 		return rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO,
802 					rxkad_abort_chall_no_key);
803 
804 	ret = key_validate(conn->key);
805 	if (ret < 0)
806 		return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
807 					rxkad_abort_chall_key_expired);
808 
809 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
810 			  &challenge, sizeof(challenge)) < 0)
811 		return rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
812 					rxkad_abort_chall_short);
813 
814 	version = ntohl(challenge.version);
815 	nonce = ntohl(challenge.nonce);
816 	min_level = ntohl(challenge.min_level);
817 
818 	trace_rxrpc_rx_challenge(conn, sp->hdr.serial, version, nonce, min_level);
819 
820 	if (version != RXKAD_VERSION)
821 		return rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
822 					rxkad_abort_chall_version);
823 
824 	if (conn->security_level < min_level)
825 		return rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EACCES,
826 					rxkad_abort_chall_level);
827 
828 	token = conn->key->payload.data[0];
829 
830 	/* build the response packet */
831 	resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
832 	if (!resp)
833 		return -ENOMEM;
834 
835 	resp->version			= htonl(RXKAD_VERSION);
836 	resp->encrypted.epoch		= htonl(conn->proto.epoch);
837 	resp->encrypted.cid		= htonl(conn->proto.cid);
838 	resp->encrypted.securityIndex	= htonl(conn->security_ix);
839 	resp->encrypted.inc_nonce	= htonl(nonce + 1);
840 	resp->encrypted.level		= htonl(conn->security_level);
841 	resp->kvno			= htonl(token->kad->kvno);
842 	resp->ticket_len		= htonl(token->kad->ticket_len);
843 	resp->encrypted.call_id[0]	= htonl(conn->channels[0].call_counter);
844 	resp->encrypted.call_id[1]	= htonl(conn->channels[1].call_counter);
845 	resp->encrypted.call_id[2]	= htonl(conn->channels[2].call_counter);
846 	resp->encrypted.call_id[3]	= htonl(conn->channels[3].call_counter);
847 
848 	/* calculate the response checksum and then do the encryption */
849 	rxkad_calc_response_checksum(resp);
850 	ret = rxkad_encrypt_response(conn, resp, token->kad);
851 	if (ret == 0)
852 		ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad);
853 	kfree(resp);
854 	return ret;
855 }
856 
857 /*
858  * decrypt the kerberos IV ticket in the response
859  */
rxkad_decrypt_ticket(struct rxrpc_connection * conn,struct key * server_key,struct sk_buff * skb,void * ticket,size_t ticket_len,struct rxrpc_crypt * _session_key,time64_t * _expiry)860 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
861 				struct key *server_key,
862 				struct sk_buff *skb,
863 				void *ticket, size_t ticket_len,
864 				struct rxrpc_crypt *_session_key,
865 				time64_t *_expiry)
866 {
867 	struct skcipher_request *req;
868 	struct rxrpc_crypt iv, key;
869 	struct scatterlist sg[1];
870 	struct in_addr addr;
871 	unsigned int life;
872 	time64_t issue, now;
873 	bool little_endian;
874 	u8 *p, *q, *name, *end;
875 
876 	_enter("{%d},{%x}", conn->debug_id, key_serial(server_key));
877 
878 	*_expiry = 0;
879 
880 	ASSERT(server_key->payload.data[0] != NULL);
881 	ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
882 
883 	memcpy(&iv, &server_key->payload.data[2], sizeof(iv));
884 
885 	req = skcipher_request_alloc(server_key->payload.data[0], GFP_NOFS);
886 	if (!req)
887 		return -ENOMEM;
888 
889 	sg_init_one(&sg[0], ticket, ticket_len);
890 	skcipher_request_set_callback(req, 0, NULL, NULL);
891 	skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
892 	crypto_skcipher_decrypt(req);
893 	skcipher_request_free(req);
894 
895 	p = ticket;
896 	end = p + ticket_len;
897 
898 #define Z(field, fieldl)						\
899 	({								\
900 		u8 *__str = p;						\
901 		q = memchr(p, 0, end - p);				\
902 		if (!q || q - p > field##_SZ)				\
903 			return rxrpc_abort_conn(			\
904 				conn, skb, RXKADBADTICKET, -EPROTO,	\
905 				rxkad_abort_resp_tkt_##fieldl);		\
906 		for (; p < q; p++)					\
907 			if (!isprint(*p))				\
908 				return rxrpc_abort_conn(		\
909 					conn, skb, RXKADBADTICKET, -EPROTO, \
910 					rxkad_abort_resp_tkt_##fieldl);	\
911 		p++;							\
912 		__str;							\
913 	})
914 
915 	/* extract the ticket flags */
916 	_debug("KIV FLAGS: %x", *p);
917 	little_endian = *p & 1;
918 	p++;
919 
920 	/* extract the authentication name */
921 	name = Z(ANAME, aname);
922 	_debug("KIV ANAME: %s", name);
923 
924 	/* extract the principal's instance */
925 	name = Z(INST, inst);
926 	_debug("KIV INST : %s", name);
927 
928 	/* extract the principal's authentication domain */
929 	name = Z(REALM, realm);
930 	_debug("KIV REALM: %s", name);
931 
932 	if (end - p < 4 + 8 + 4 + 2)
933 		return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO,
934 					rxkad_abort_resp_tkt_short);
935 
936 	/* get the IPv4 address of the entity that requested the ticket */
937 	memcpy(&addr, p, sizeof(addr));
938 	p += 4;
939 	_debug("KIV ADDR : %pI4", &addr);
940 
941 	/* get the session key from the ticket */
942 	memcpy(&key, p, sizeof(key));
943 	p += 8;
944 	_debug("KIV KEY  : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
945 	memcpy(_session_key, &key, sizeof(key));
946 
947 	/* get the ticket's lifetime */
948 	life = *p++ * 5 * 60;
949 	_debug("KIV LIFE : %u", life);
950 
951 	/* get the issue time of the ticket */
952 	if (little_endian) {
953 		__le32 stamp;
954 		memcpy(&stamp, p, 4);
955 		issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
956 	} else {
957 		__be32 stamp;
958 		memcpy(&stamp, p, 4);
959 		issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
960 	}
961 	p += 4;
962 	now = ktime_get_real_seconds();
963 	_debug("KIV ISSUE: %llx [%llx]", issue, now);
964 
965 	/* check the ticket is in date */
966 	if (issue > now)
967 		return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, -EKEYREJECTED,
968 					rxkad_abort_resp_tkt_future);
969 	if (issue < now - life)
970 		return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, -EKEYEXPIRED,
971 					rxkad_abort_resp_tkt_expired);
972 
973 	*_expiry = issue + life;
974 
975 	/* get the service name */
976 	name = Z(SNAME, sname);
977 	_debug("KIV SNAME: %s", name);
978 
979 	/* get the service instance name */
980 	name = Z(INST, sinst);
981 	_debug("KIV SINST: %s", name);
982 	return 0;
983 }
984 
985 /*
986  * decrypt the response packet
987  */
rxkad_decrypt_response(struct rxrpc_connection * conn,struct rxkad_response * resp,const struct rxrpc_crypt * session_key)988 static void rxkad_decrypt_response(struct rxrpc_connection *conn,
989 				   struct rxkad_response *resp,
990 				   const struct rxrpc_crypt *session_key)
991 {
992 	struct skcipher_request *req = rxkad_ci_req;
993 	struct scatterlist sg[1];
994 	struct rxrpc_crypt iv;
995 
996 	_enter(",,%08x%08x",
997 	       ntohl(session_key->n[0]), ntohl(session_key->n[1]));
998 
999 	mutex_lock(&rxkad_ci_mutex);
1000 	if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
1001 					sizeof(*session_key)) < 0)
1002 		BUG();
1003 
1004 	memcpy(&iv, session_key, sizeof(iv));
1005 
1006 	sg_init_table(sg, 1);
1007 	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1008 	skcipher_request_set_sync_tfm(req, rxkad_ci);
1009 	skcipher_request_set_callback(req, 0, NULL, NULL);
1010 	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1011 	crypto_skcipher_decrypt(req);
1012 	skcipher_request_zero(req);
1013 
1014 	mutex_unlock(&rxkad_ci_mutex);
1015 
1016 	_leave("");
1017 }
1018 
1019 /*
1020  * verify a response
1021  */
rxkad_verify_response(struct rxrpc_connection * conn,struct sk_buff * skb)1022 static int rxkad_verify_response(struct rxrpc_connection *conn,
1023 				 struct sk_buff *skb)
1024 {
1025 	struct rxkad_response *response;
1026 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1027 	struct rxrpc_crypt session_key;
1028 	struct key *server_key;
1029 	time64_t expiry;
1030 	void *ticket;
1031 	u32 version, kvno, ticket_len, level;
1032 	__be32 csum;
1033 	int ret, i;
1034 
1035 	_enter("{%d}", conn->debug_id);
1036 
1037 	server_key = rxrpc_look_up_server_security(conn, skb, 0, 0);
1038 	if (IS_ERR(server_key)) {
1039 		ret = PTR_ERR(server_key);
1040 		switch (ret) {
1041 		case -ENOKEY:
1042 			return rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, ret,
1043 						rxkad_abort_resp_nokey);
1044 		case -EKEYEXPIRED:
1045 			return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
1046 						rxkad_abort_resp_key_expired);
1047 		default:
1048 			return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, ret,
1049 						rxkad_abort_resp_key_rejected);
1050 		}
1051 	}
1052 
1053 	ret = -ENOMEM;
1054 	response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1055 	if (!response)
1056 		goto temporary_error;
1057 
1058 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1059 			  response, sizeof(*response)) < 0) {
1060 		rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1061 				 rxkad_abort_resp_short);
1062 		goto protocol_error;
1063 	}
1064 
1065 	version = ntohl(response->version);
1066 	ticket_len = ntohl(response->ticket_len);
1067 	kvno = ntohl(response->kvno);
1068 
1069 	trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len);
1070 
1071 	if (version != RXKAD_VERSION) {
1072 		rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
1073 				 rxkad_abort_resp_version);
1074 		goto protocol_error;
1075 	}
1076 
1077 	if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) {
1078 		rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO,
1079 				 rxkad_abort_resp_tkt_len);
1080 		goto protocol_error;
1081 	}
1082 
1083 	if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) {
1084 		rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO,
1085 				 rxkad_abort_resp_unknown_tkt);
1086 		goto protocol_error;
1087 	}
1088 
1089 	/* extract the kerberos ticket and decrypt and decode it */
1090 	ret = -ENOMEM;
1091 	ticket = kmalloc(ticket_len, GFP_NOFS);
1092 	if (!ticket)
1093 		goto temporary_error_free_resp;
1094 
1095 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response),
1096 			  ticket, ticket_len) < 0) {
1097 		rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1098 				 rxkad_abort_resp_short_tkt);
1099 		goto protocol_error;
1100 	}
1101 
1102 	ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len,
1103 				   &session_key, &expiry);
1104 	if (ret < 0)
1105 		goto temporary_error_free_ticket;
1106 
1107 	/* use the session key from inside the ticket to decrypt the
1108 	 * response */
1109 	rxkad_decrypt_response(conn, response, &session_key);
1110 
1111 	if (ntohl(response->encrypted.epoch) != conn->proto.epoch ||
1112 	    ntohl(response->encrypted.cid) != conn->proto.cid ||
1113 	    ntohl(response->encrypted.securityIndex) != conn->security_ix) {
1114 		rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1115 				 rxkad_abort_resp_bad_param);
1116 		goto protocol_error_free;
1117 	}
1118 
1119 	csum = response->encrypted.checksum;
1120 	response->encrypted.checksum = 0;
1121 	rxkad_calc_response_checksum(response);
1122 	if (response->encrypted.checksum != csum) {
1123 		rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1124 				 rxkad_abort_resp_bad_checksum);
1125 		goto protocol_error_free;
1126 	}
1127 
1128 	for (i = 0; i < RXRPC_MAXCALLS; i++) {
1129 		u32 call_id = ntohl(response->encrypted.call_id[i]);
1130 		u32 counter = READ_ONCE(conn->channels[i].call_counter);
1131 
1132 		if (call_id > INT_MAX) {
1133 			rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1134 					 rxkad_abort_resp_bad_callid);
1135 			goto protocol_error_free;
1136 		}
1137 
1138 		if (call_id < counter) {
1139 			rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1140 					 rxkad_abort_resp_call_ctr);
1141 			goto protocol_error_free;
1142 		}
1143 
1144 		if (call_id > counter) {
1145 			if (conn->channels[i].call) {
1146 				rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1147 						 rxkad_abort_resp_call_state);
1148 				goto protocol_error_free;
1149 			}
1150 			conn->channels[i].call_counter = call_id;
1151 		}
1152 	}
1153 
1154 	if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) {
1155 		rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO,
1156 				 rxkad_abort_resp_ooseq);
1157 		goto protocol_error_free;
1158 	}
1159 
1160 	level = ntohl(response->encrypted.level);
1161 	if (level > RXRPC_SECURITY_ENCRYPT) {
1162 		rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO,
1163 				 rxkad_abort_resp_level);
1164 		goto protocol_error_free;
1165 	}
1166 	conn->security_level = level;
1167 
1168 	/* create a key to hold the security data and expiration time - after
1169 	 * this the connection security can be handled in exactly the same way
1170 	 * as for a client connection */
1171 	ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1172 	if (ret < 0)
1173 		goto temporary_error_free_ticket;
1174 
1175 	kfree(ticket);
1176 	kfree(response);
1177 	_leave(" = 0");
1178 	return 0;
1179 
1180 protocol_error_free:
1181 	kfree(ticket);
1182 protocol_error:
1183 	kfree(response);
1184 	key_put(server_key);
1185 	return -EPROTO;
1186 
1187 temporary_error_free_ticket:
1188 	kfree(ticket);
1189 temporary_error_free_resp:
1190 	kfree(response);
1191 temporary_error:
1192 	/* Ignore the response packet if we got a temporary error such as
1193 	 * ENOMEM.  We just want to send the challenge again.  Note that we
1194 	 * also come out this way if the ticket decryption fails.
1195 	 */
1196 	key_put(server_key);
1197 	return ret;
1198 }
1199 
1200 /*
1201  * clear the connection security
1202  */
rxkad_clear(struct rxrpc_connection * conn)1203 static void rxkad_clear(struct rxrpc_connection *conn)
1204 {
1205 	_enter("");
1206 
1207 	if (conn->rxkad.cipher)
1208 		crypto_free_sync_skcipher(conn->rxkad.cipher);
1209 }
1210 
1211 /*
1212  * Initialise the rxkad security service.
1213  */
rxkad_init(void)1214 static int rxkad_init(void)
1215 {
1216 	struct crypto_sync_skcipher *tfm;
1217 	struct skcipher_request *req;
1218 
1219 	/* pin the cipher we need so that the crypto layer doesn't invoke
1220 	 * keventd to go get it */
1221 	tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
1222 	if (IS_ERR(tfm))
1223 		return PTR_ERR(tfm);
1224 
1225 	req = skcipher_request_alloc(&tfm->base, GFP_KERNEL);
1226 	if (!req)
1227 		goto nomem_tfm;
1228 
1229 	rxkad_ci_req = req;
1230 	rxkad_ci = tfm;
1231 	return 0;
1232 
1233 nomem_tfm:
1234 	crypto_free_sync_skcipher(tfm);
1235 	return -ENOMEM;
1236 }
1237 
1238 /*
1239  * Clean up the rxkad security service.
1240  */
rxkad_exit(void)1241 static void rxkad_exit(void)
1242 {
1243 	crypto_free_sync_skcipher(rxkad_ci);
1244 	skcipher_request_free(rxkad_ci_req);
1245 }
1246 
1247 /*
1248  * RxRPC Kerberos-based security
1249  */
1250 const struct rxrpc_security rxkad = {
1251 	.name				= "rxkad",
1252 	.security_index			= RXRPC_SECURITY_RXKAD,
1253 	.no_key_abort			= RXKADUNKNOWNKEY,
1254 	.init				= rxkad_init,
1255 	.exit				= rxkad_exit,
1256 	.preparse_server_key		= rxkad_preparse_server_key,
1257 	.free_preparse_server_key	= rxkad_free_preparse_server_key,
1258 	.destroy_server_key		= rxkad_destroy_server_key,
1259 	.init_connection_security	= rxkad_init_connection_security,
1260 	.alloc_txbuf			= rxkad_alloc_txbuf,
1261 	.secure_packet			= rxkad_secure_packet,
1262 	.verify_packet			= rxkad_verify_packet,
1263 	.free_call_crypto		= rxkad_free_call_crypto,
1264 	.issue_challenge		= rxkad_issue_challenge,
1265 	.respond_to_challenge		= rxkad_respond_to_challenge,
1266 	.verify_response		= rxkad_verify_response,
1267 	.clear				= rxkad_clear,
1268 };
1269