1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Kerberos-based RxRPC security 3 * 4 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 9 10 #include <crypto/skcipher.h> 11 #include <linux/module.h> 12 #include <linux/net.h> 13 #include <linux/skbuff.h> 14 #include <linux/udp.h> 15 #include <linux/scatterlist.h> 16 #include <linux/ctype.h> 17 #include <linux/slab.h> 18 #include <linux/key-type.h> 19 #include <net/sock.h> 20 #include <net/af_rxrpc.h> 21 #include <keys/rxrpc-type.h> 22 #include "ar-internal.h" 23 24 #define RXKAD_VERSION 2 25 #define MAXKRB5TICKETLEN 1024 26 #define RXKAD_TKT_TYPE_KERBEROS_V5 256 27 #define ANAME_SZ 40 /* size of authentication name */ 28 #define INST_SZ 40 /* size of principal's instance */ 29 #define REALM_SZ 40 /* size of principal's auth domain */ 30 #define SNAME_SZ 40 /* size of service name */ 31 #define RXKAD_ALIGN 8 32 33 struct rxkad_level1_hdr { 34 __be32 data_size; /* true data size (excluding padding) */ 35 }; 36 37 struct rxkad_level2_hdr { 38 __be32 data_size; /* true data size (excluding padding) */ 39 __be32 checksum; /* decrypted data checksum */ 40 }; 41 42 static int rxkad_prime_packet_security(struct rxrpc_connection *conn, 43 struct crypto_sync_skcipher *ci); 44 45 /* 46 * this holds a pinned cipher so that keventd doesn't get called by the cipher 47 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE 48 * packets 49 */ 50 static struct crypto_sync_skcipher *rxkad_ci; 51 static struct skcipher_request *rxkad_ci_req; 52 static DEFINE_MUTEX(rxkad_ci_mutex); 53 54 /* 55 * Parse the information from a server key 56 * 57 * The data should be the 8-byte secret key. 58 */ 59 static int rxkad_preparse_server_key(struct key_preparsed_payload *prep) 60 { 61 struct crypto_skcipher *ci; 62 63 if (prep->datalen != 8) 64 return -EINVAL; 65 66 memcpy(&prep->payload.data[2], prep->data, 8); 67 68 ci = crypto_alloc_skcipher("pcbc(des)", 0, CRYPTO_ALG_ASYNC); 69 if (IS_ERR(ci)) { 70 _leave(" = %ld", PTR_ERR(ci)); 71 return PTR_ERR(ci); 72 } 73 74 if (crypto_skcipher_setkey(ci, prep->data, 8) < 0) 75 BUG(); 76 77 prep->payload.data[0] = ci; 78 _leave(" = 0"); 79 return 0; 80 } 81 82 static void rxkad_free_preparse_server_key(struct key_preparsed_payload *prep) 83 { 84 85 if (prep->payload.data[0]) 86 crypto_free_skcipher(prep->payload.data[0]); 87 } 88 89 static void rxkad_destroy_server_key(struct key *key) 90 { 91 if (key->payload.data[0]) { 92 crypto_free_skcipher(key->payload.data[0]); 93 key->payload.data[0] = NULL; 94 } 95 } 96 97 /* 98 * initialise connection security 99 */ 100 static int rxkad_init_connection_security(struct rxrpc_connection *conn, 101 struct rxrpc_key_token *token) 102 { 103 struct crypto_sync_skcipher *ci; 104 int ret; 105 106 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key)); 107 108 conn->security_ix = token->security_index; 109 110 ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0); 111 if (IS_ERR(ci)) { 112 _debug("no cipher"); 113 ret = PTR_ERR(ci); 114 goto error; 115 } 116 117 if (crypto_sync_skcipher_setkey(ci, token->kad->session_key, 118 sizeof(token->kad->session_key)) < 0) 119 BUG(); 120 121 switch (conn->params.security_level) { 122 case RXRPC_SECURITY_PLAIN: 123 case RXRPC_SECURITY_AUTH: 124 case RXRPC_SECURITY_ENCRYPT: 125 break; 126 default: 127 ret = -EKEYREJECTED; 128 goto error; 129 } 130 131 ret = rxkad_prime_packet_security(conn, ci); 132 if (ret < 0) 133 goto error_ci; 134 135 conn->rxkad.cipher = ci; 136 return 0; 137 138 error_ci: 139 crypto_free_sync_skcipher(ci); 140 error: 141 _leave(" = %d", ret); 142 return ret; 143 } 144 145 /* 146 * Work out how much data we can put in a packet. 147 */ 148 static int rxkad_how_much_data(struct rxrpc_call *call, size_t remain, 149 size_t *_buf_size, size_t *_data_size, size_t *_offset) 150 { 151 size_t shdr, buf_size, chunk; 152 153 switch (call->conn->params.security_level) { 154 default: 155 buf_size = chunk = min_t(size_t, remain, RXRPC_JUMBO_DATALEN); 156 shdr = 0; 157 goto out; 158 case RXRPC_SECURITY_AUTH: 159 shdr = sizeof(struct rxkad_level1_hdr); 160 break; 161 case RXRPC_SECURITY_ENCRYPT: 162 shdr = sizeof(struct rxkad_level2_hdr); 163 break; 164 } 165 166 buf_size = round_down(RXRPC_JUMBO_DATALEN, RXKAD_ALIGN); 167 168 chunk = buf_size - shdr; 169 if (remain < chunk) 170 buf_size = round_up(shdr + remain, RXKAD_ALIGN); 171 172 out: 173 *_buf_size = buf_size; 174 *_data_size = chunk; 175 *_offset = shdr; 176 return 0; 177 } 178 179 /* 180 * prime the encryption state with the invariant parts of a connection's 181 * description 182 */ 183 static int rxkad_prime_packet_security(struct rxrpc_connection *conn, 184 struct crypto_sync_skcipher *ci) 185 { 186 struct skcipher_request *req; 187 struct rxrpc_key_token *token; 188 struct scatterlist sg; 189 struct rxrpc_crypt iv; 190 __be32 *tmpbuf; 191 size_t tmpsize = 4 * sizeof(__be32); 192 193 _enter(""); 194 195 if (!conn->params.key) 196 return 0; 197 198 tmpbuf = kmalloc(tmpsize, GFP_KERNEL); 199 if (!tmpbuf) 200 return -ENOMEM; 201 202 req = skcipher_request_alloc(&ci->base, GFP_NOFS); 203 if (!req) { 204 kfree(tmpbuf); 205 return -ENOMEM; 206 } 207 208 token = conn->params.key->payload.data[0]; 209 memcpy(&iv, token->kad->session_key, sizeof(iv)); 210 211 tmpbuf[0] = htonl(conn->proto.epoch); 212 tmpbuf[1] = htonl(conn->proto.cid); 213 tmpbuf[2] = 0; 214 tmpbuf[3] = htonl(conn->security_ix); 215 216 sg_init_one(&sg, tmpbuf, tmpsize); 217 skcipher_request_set_sync_tfm(req, ci); 218 skcipher_request_set_callback(req, 0, NULL, NULL); 219 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x); 220 crypto_skcipher_encrypt(req); 221 skcipher_request_free(req); 222 223 memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv)); 224 kfree(tmpbuf); 225 _leave(" = 0"); 226 return 0; 227 } 228 229 /* 230 * Allocate and prepare the crypto request on a call. For any particular call, 231 * this is called serially for the packets, so no lock should be necessary. 232 */ 233 static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call) 234 { 235 struct crypto_skcipher *tfm = &call->conn->rxkad.cipher->base; 236 struct skcipher_request *cipher_req = call->cipher_req; 237 238 if (!cipher_req) { 239 cipher_req = skcipher_request_alloc(tfm, GFP_NOFS); 240 if (!cipher_req) 241 return NULL; 242 call->cipher_req = cipher_req; 243 } 244 245 return cipher_req; 246 } 247 248 /* 249 * Clean up the crypto on a call. 250 */ 251 static void rxkad_free_call_crypto(struct rxrpc_call *call) 252 { 253 if (call->cipher_req) 254 skcipher_request_free(call->cipher_req); 255 call->cipher_req = NULL; 256 } 257 258 /* 259 * partially encrypt a packet (level 1 security) 260 */ 261 static int rxkad_secure_packet_auth(const struct rxrpc_call *call, 262 struct sk_buff *skb, u32 data_size, 263 struct skcipher_request *req) 264 { 265 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 266 struct rxkad_level1_hdr hdr; 267 struct rxrpc_crypt iv; 268 struct scatterlist sg; 269 size_t pad; 270 u16 check; 271 272 _enter(""); 273 274 check = sp->hdr.seq ^ call->call_id; 275 data_size |= (u32)check << 16; 276 277 hdr.data_size = htonl(data_size); 278 memcpy(skb->head, &hdr, sizeof(hdr)); 279 280 pad = sizeof(struct rxkad_level1_hdr) + data_size; 281 pad = RXKAD_ALIGN - pad; 282 pad &= RXKAD_ALIGN - 1; 283 if (pad) 284 skb_put_zero(skb, pad); 285 286 /* start the encryption afresh */ 287 memset(&iv, 0, sizeof(iv)); 288 289 sg_init_one(&sg, skb->head, 8); 290 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 291 skcipher_request_set_callback(req, 0, NULL, NULL); 292 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 293 crypto_skcipher_encrypt(req); 294 skcipher_request_zero(req); 295 296 _leave(" = 0"); 297 return 0; 298 } 299 300 /* 301 * wholly encrypt a packet (level 2 security) 302 */ 303 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, 304 struct sk_buff *skb, 305 u32 data_size, 306 struct skcipher_request *req) 307 { 308 const struct rxrpc_key_token *token; 309 struct rxkad_level2_hdr rxkhdr; 310 struct rxrpc_skb_priv *sp; 311 struct rxrpc_crypt iv; 312 struct scatterlist sg[16]; 313 unsigned int len; 314 size_t pad; 315 u16 check; 316 int err; 317 318 sp = rxrpc_skb(skb); 319 320 _enter(""); 321 322 check = sp->hdr.seq ^ call->call_id; 323 324 rxkhdr.data_size = htonl(data_size | (u32)check << 16); 325 rxkhdr.checksum = 0; 326 memcpy(skb->head, &rxkhdr, sizeof(rxkhdr)); 327 328 pad = sizeof(struct rxkad_level2_hdr) + data_size; 329 pad = RXKAD_ALIGN - pad; 330 pad &= RXKAD_ALIGN - 1; 331 if (pad) 332 skb_put_zero(skb, pad); 333 334 /* encrypt from the session key */ 335 token = call->conn->params.key->payload.data[0]; 336 memcpy(&iv, token->kad->session_key, sizeof(iv)); 337 338 sg_init_one(&sg[0], skb->head, sizeof(rxkhdr)); 339 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 340 skcipher_request_set_callback(req, 0, NULL, NULL); 341 skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x); 342 crypto_skcipher_encrypt(req); 343 344 /* we want to encrypt the skbuff in-place */ 345 err = -EMSGSIZE; 346 if (skb_shinfo(skb)->nr_frags > 16) 347 goto out; 348 349 len = round_up(data_size, RXKAD_ALIGN); 350 351 sg_init_table(sg, ARRAY_SIZE(sg)); 352 err = skb_to_sgvec(skb, sg, 8, len); 353 if (unlikely(err < 0)) 354 goto out; 355 skcipher_request_set_crypt(req, sg, sg, len, iv.x); 356 crypto_skcipher_encrypt(req); 357 358 _leave(" = 0"); 359 err = 0; 360 361 out: 362 skcipher_request_zero(req); 363 return err; 364 } 365 366 /* 367 * checksum an RxRPC packet header 368 */ 369 static int rxkad_secure_packet(struct rxrpc_call *call, 370 struct sk_buff *skb, 371 size_t data_size) 372 { 373 struct rxrpc_skb_priv *sp; 374 struct skcipher_request *req; 375 struct rxrpc_crypt iv; 376 struct scatterlist sg; 377 u32 x, y; 378 int ret; 379 380 sp = rxrpc_skb(skb); 381 382 _enter("{%d{%x}},{#%u},%zu,", 383 call->debug_id, key_serial(call->conn->params.key), 384 sp->hdr.seq, data_size); 385 386 if (!call->conn->rxkad.cipher) 387 return 0; 388 389 ret = key_validate(call->conn->params.key); 390 if (ret < 0) 391 return ret; 392 393 req = rxkad_get_call_crypto(call); 394 if (!req) 395 return -ENOMEM; 396 397 /* continue encrypting from where we left off */ 398 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv)); 399 400 /* calculate the security checksum */ 401 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 402 x |= sp->hdr.seq & 0x3fffffff; 403 call->crypto_buf[0] = htonl(call->call_id); 404 call->crypto_buf[1] = htonl(x); 405 406 sg_init_one(&sg, call->crypto_buf, 8); 407 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 408 skcipher_request_set_callback(req, 0, NULL, NULL); 409 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 410 crypto_skcipher_encrypt(req); 411 skcipher_request_zero(req); 412 413 y = ntohl(call->crypto_buf[1]); 414 y = (y >> 16) & 0xffff; 415 if (y == 0) 416 y = 1; /* zero checksums are not permitted */ 417 sp->hdr.cksum = y; 418 419 switch (call->conn->params.security_level) { 420 case RXRPC_SECURITY_PLAIN: 421 ret = 0; 422 break; 423 case RXRPC_SECURITY_AUTH: 424 ret = rxkad_secure_packet_auth(call, skb, data_size, req); 425 break; 426 case RXRPC_SECURITY_ENCRYPT: 427 ret = rxkad_secure_packet_encrypt(call, skb, data_size, req); 428 break; 429 default: 430 ret = -EPERM; 431 break; 432 } 433 434 _leave(" = %d [set %hx]", ret, y); 435 return ret; 436 } 437 438 /* 439 * decrypt partial encryption on a packet (level 1 security) 440 */ 441 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb, 442 unsigned int offset, unsigned int len, 443 rxrpc_seq_t seq, 444 struct skcipher_request *req) 445 { 446 struct rxkad_level1_hdr sechdr; 447 struct rxrpc_crypt iv; 448 struct scatterlist sg[16]; 449 bool aborted; 450 u32 data_size, buf; 451 u16 check; 452 int ret; 453 454 _enter(""); 455 456 if (len < 8) { 457 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_hdr", "V1H", 458 RXKADSEALEDINCON); 459 goto protocol_error; 460 } 461 462 /* Decrypt the skbuff in-place. TODO: We really want to decrypt 463 * directly into the target buffer. 464 */ 465 sg_init_table(sg, ARRAY_SIZE(sg)); 466 ret = skb_to_sgvec(skb, sg, offset, 8); 467 if (unlikely(ret < 0)) 468 return ret; 469 470 /* start the decryption afresh */ 471 memset(&iv, 0, sizeof(iv)); 472 473 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 474 skcipher_request_set_callback(req, 0, NULL, NULL); 475 skcipher_request_set_crypt(req, sg, sg, 8, iv.x); 476 crypto_skcipher_decrypt(req); 477 skcipher_request_zero(req); 478 479 /* Extract the decrypted packet length */ 480 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) { 481 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_len", "XV1", 482 RXKADDATALEN); 483 goto protocol_error; 484 } 485 offset += sizeof(sechdr); 486 len -= sizeof(sechdr); 487 488 buf = ntohl(sechdr.data_size); 489 data_size = buf & 0xffff; 490 491 check = buf >> 16; 492 check ^= seq ^ call->call_id; 493 check &= 0xffff; 494 if (check != 0) { 495 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_check", "V1C", 496 RXKADSEALEDINCON); 497 goto protocol_error; 498 } 499 500 if (data_size > len) { 501 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_datalen", "V1L", 502 RXKADDATALEN); 503 goto protocol_error; 504 } 505 506 _leave(" = 0 [dlen=%x]", data_size); 507 return 0; 508 509 protocol_error: 510 if (aborted) 511 rxrpc_send_abort_packet(call); 512 return -EPROTO; 513 } 514 515 /* 516 * wholly decrypt a packet (level 2 security) 517 */ 518 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb, 519 unsigned int offset, unsigned int len, 520 rxrpc_seq_t seq, 521 struct skcipher_request *req) 522 { 523 const struct rxrpc_key_token *token; 524 struct rxkad_level2_hdr sechdr; 525 struct rxrpc_crypt iv; 526 struct scatterlist _sg[4], *sg; 527 bool aborted; 528 u32 data_size, buf; 529 u16 check; 530 int nsg, ret; 531 532 _enter(",{%d}", skb->len); 533 534 if (len < 8) { 535 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_hdr", "V2H", 536 RXKADSEALEDINCON); 537 goto protocol_error; 538 } 539 540 /* Decrypt the skbuff in-place. TODO: We really want to decrypt 541 * directly into the target buffer. 542 */ 543 sg = _sg; 544 nsg = skb_shinfo(skb)->nr_frags; 545 if (nsg <= 4) { 546 nsg = 4; 547 } else { 548 sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO); 549 if (!sg) 550 goto nomem; 551 } 552 553 sg_init_table(sg, nsg); 554 ret = skb_to_sgvec(skb, sg, offset, len); 555 if (unlikely(ret < 0)) { 556 if (sg != _sg) 557 kfree(sg); 558 return ret; 559 } 560 561 /* decrypt from the session key */ 562 token = call->conn->params.key->payload.data[0]; 563 memcpy(&iv, token->kad->session_key, sizeof(iv)); 564 565 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 566 skcipher_request_set_callback(req, 0, NULL, NULL); 567 skcipher_request_set_crypt(req, sg, sg, len, iv.x); 568 crypto_skcipher_decrypt(req); 569 skcipher_request_zero(req); 570 if (sg != _sg) 571 kfree(sg); 572 573 /* Extract the decrypted packet length */ 574 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) { 575 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_len", "XV2", 576 RXKADDATALEN); 577 goto protocol_error; 578 } 579 offset += sizeof(sechdr); 580 len -= sizeof(sechdr); 581 582 buf = ntohl(sechdr.data_size); 583 data_size = buf & 0xffff; 584 585 check = buf >> 16; 586 check ^= seq ^ call->call_id; 587 check &= 0xffff; 588 if (check != 0) { 589 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_check", "V2C", 590 RXKADSEALEDINCON); 591 goto protocol_error; 592 } 593 594 if (data_size > len) { 595 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_datalen", "V2L", 596 RXKADDATALEN); 597 goto protocol_error; 598 } 599 600 _leave(" = 0 [dlen=%x]", data_size); 601 return 0; 602 603 protocol_error: 604 if (aborted) 605 rxrpc_send_abort_packet(call); 606 return -EPROTO; 607 608 nomem: 609 _leave(" = -ENOMEM"); 610 return -ENOMEM; 611 } 612 613 /* 614 * Verify the security on a received packet or subpacket (if part of a 615 * jumbo packet). 616 */ 617 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb, 618 unsigned int offset, unsigned int len, 619 rxrpc_seq_t seq, u16 expected_cksum) 620 { 621 struct skcipher_request *req; 622 struct rxrpc_crypt iv; 623 struct scatterlist sg; 624 bool aborted; 625 u16 cksum; 626 u32 x, y; 627 628 _enter("{%d{%x}},{#%u}", 629 call->debug_id, key_serial(call->conn->params.key), seq); 630 631 if (!call->conn->rxkad.cipher) 632 return 0; 633 634 req = rxkad_get_call_crypto(call); 635 if (!req) 636 return -ENOMEM; 637 638 /* continue encrypting from where we left off */ 639 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv)); 640 641 /* validate the security checksum */ 642 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 643 x |= seq & 0x3fffffff; 644 call->crypto_buf[0] = htonl(call->call_id); 645 call->crypto_buf[1] = htonl(x); 646 647 sg_init_one(&sg, call->crypto_buf, 8); 648 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 649 skcipher_request_set_callback(req, 0, NULL, NULL); 650 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 651 crypto_skcipher_encrypt(req); 652 skcipher_request_zero(req); 653 654 y = ntohl(call->crypto_buf[1]); 655 cksum = (y >> 16) & 0xffff; 656 if (cksum == 0) 657 cksum = 1; /* zero checksums are not permitted */ 658 659 if (cksum != expected_cksum) { 660 aborted = rxrpc_abort_eproto(call, skb, "rxkad_csum", "VCK", 661 RXKADSEALEDINCON); 662 goto protocol_error; 663 } 664 665 switch (call->conn->params.security_level) { 666 case RXRPC_SECURITY_PLAIN: 667 return 0; 668 case RXRPC_SECURITY_AUTH: 669 return rxkad_verify_packet_1(call, skb, offset, len, seq, req); 670 case RXRPC_SECURITY_ENCRYPT: 671 return rxkad_verify_packet_2(call, skb, offset, len, seq, req); 672 default: 673 return -ENOANO; 674 } 675 676 protocol_error: 677 if (aborted) 678 rxrpc_send_abort_packet(call); 679 return -EPROTO; 680 } 681 682 /* 683 * Locate the data contained in a packet that was partially encrypted. 684 */ 685 static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb, 686 unsigned int *_offset, unsigned int *_len) 687 { 688 struct rxkad_level1_hdr sechdr; 689 690 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0) 691 BUG(); 692 *_offset += sizeof(sechdr); 693 *_len = ntohl(sechdr.data_size) & 0xffff; 694 } 695 696 /* 697 * Locate the data contained in a packet that was completely encrypted. 698 */ 699 static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb, 700 unsigned int *_offset, unsigned int *_len) 701 { 702 struct rxkad_level2_hdr sechdr; 703 704 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0) 705 BUG(); 706 *_offset += sizeof(sechdr); 707 *_len = ntohl(sechdr.data_size) & 0xffff; 708 } 709 710 /* 711 * Locate the data contained in an already decrypted packet. 712 */ 713 static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb, 714 unsigned int *_offset, unsigned int *_len) 715 { 716 switch (call->conn->params.security_level) { 717 case RXRPC_SECURITY_AUTH: 718 rxkad_locate_data_1(call, skb, _offset, _len); 719 return; 720 case RXRPC_SECURITY_ENCRYPT: 721 rxkad_locate_data_2(call, skb, _offset, _len); 722 return; 723 default: 724 return; 725 } 726 } 727 728 /* 729 * issue a challenge 730 */ 731 static int rxkad_issue_challenge(struct rxrpc_connection *conn) 732 { 733 struct rxkad_challenge challenge; 734 struct rxrpc_wire_header whdr; 735 struct msghdr msg; 736 struct kvec iov[2]; 737 size_t len; 738 u32 serial; 739 int ret; 740 741 _enter("{%d}", conn->debug_id); 742 743 get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce)); 744 745 challenge.version = htonl(2); 746 challenge.nonce = htonl(conn->rxkad.nonce); 747 challenge.min_level = htonl(0); 748 challenge.__padding = 0; 749 750 msg.msg_name = &conn->params.peer->srx.transport; 751 msg.msg_namelen = conn->params.peer->srx.transport_len; 752 msg.msg_control = NULL; 753 msg.msg_controllen = 0; 754 msg.msg_flags = 0; 755 756 whdr.epoch = htonl(conn->proto.epoch); 757 whdr.cid = htonl(conn->proto.cid); 758 whdr.callNumber = 0; 759 whdr.seq = 0; 760 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE; 761 whdr.flags = conn->out_clientflag; 762 whdr.userStatus = 0; 763 whdr.securityIndex = conn->security_ix; 764 whdr._rsvd = 0; 765 whdr.serviceId = htons(conn->service_id); 766 767 iov[0].iov_base = &whdr; 768 iov[0].iov_len = sizeof(whdr); 769 iov[1].iov_base = &challenge; 770 iov[1].iov_len = sizeof(challenge); 771 772 len = iov[0].iov_len + iov[1].iov_len; 773 774 serial = atomic_inc_return(&conn->serial); 775 whdr.serial = htonl(serial); 776 _proto("Tx CHALLENGE %%%u", serial); 777 778 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len); 779 if (ret < 0) { 780 trace_rxrpc_tx_fail(conn->debug_id, serial, ret, 781 rxrpc_tx_point_rxkad_challenge); 782 return -EAGAIN; 783 } 784 785 conn->params.peer->last_tx_at = ktime_get_seconds(); 786 trace_rxrpc_tx_packet(conn->debug_id, &whdr, 787 rxrpc_tx_point_rxkad_challenge); 788 _leave(" = 0"); 789 return 0; 790 } 791 792 /* 793 * send a Kerberos security response 794 */ 795 static int rxkad_send_response(struct rxrpc_connection *conn, 796 struct rxrpc_host_header *hdr, 797 struct rxkad_response *resp, 798 const struct rxkad_key *s2) 799 { 800 struct rxrpc_wire_header whdr; 801 struct msghdr msg; 802 struct kvec iov[3]; 803 size_t len; 804 u32 serial; 805 int ret; 806 807 _enter(""); 808 809 msg.msg_name = &conn->params.peer->srx.transport; 810 msg.msg_namelen = conn->params.peer->srx.transport_len; 811 msg.msg_control = NULL; 812 msg.msg_controllen = 0; 813 msg.msg_flags = 0; 814 815 memset(&whdr, 0, sizeof(whdr)); 816 whdr.epoch = htonl(hdr->epoch); 817 whdr.cid = htonl(hdr->cid); 818 whdr.type = RXRPC_PACKET_TYPE_RESPONSE; 819 whdr.flags = conn->out_clientflag; 820 whdr.securityIndex = hdr->securityIndex; 821 whdr.serviceId = htons(hdr->serviceId); 822 823 iov[0].iov_base = &whdr; 824 iov[0].iov_len = sizeof(whdr); 825 iov[1].iov_base = resp; 826 iov[1].iov_len = sizeof(*resp); 827 iov[2].iov_base = (void *)s2->ticket; 828 iov[2].iov_len = s2->ticket_len; 829 830 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len; 831 832 serial = atomic_inc_return(&conn->serial); 833 whdr.serial = htonl(serial); 834 _proto("Tx RESPONSE %%%u", serial); 835 836 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len); 837 if (ret < 0) { 838 trace_rxrpc_tx_fail(conn->debug_id, serial, ret, 839 rxrpc_tx_point_rxkad_response); 840 return -EAGAIN; 841 } 842 843 conn->params.peer->last_tx_at = ktime_get_seconds(); 844 _leave(" = 0"); 845 return 0; 846 } 847 848 /* 849 * calculate the response checksum 850 */ 851 static void rxkad_calc_response_checksum(struct rxkad_response *response) 852 { 853 u32 csum = 1000003; 854 int loop; 855 u8 *p = (u8 *) response; 856 857 for (loop = sizeof(*response); loop > 0; loop--) 858 csum = csum * 0x10204081 + *p++; 859 860 response->encrypted.checksum = htonl(csum); 861 } 862 863 /* 864 * encrypt the response packet 865 */ 866 static int rxkad_encrypt_response(struct rxrpc_connection *conn, 867 struct rxkad_response *resp, 868 const struct rxkad_key *s2) 869 { 870 struct skcipher_request *req; 871 struct rxrpc_crypt iv; 872 struct scatterlist sg[1]; 873 874 req = skcipher_request_alloc(&conn->rxkad.cipher->base, GFP_NOFS); 875 if (!req) 876 return -ENOMEM; 877 878 /* continue encrypting from where we left off */ 879 memcpy(&iv, s2->session_key, sizeof(iv)); 880 881 sg_init_table(sg, 1); 882 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 883 skcipher_request_set_sync_tfm(req, conn->rxkad.cipher); 884 skcipher_request_set_callback(req, 0, NULL, NULL); 885 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 886 crypto_skcipher_encrypt(req); 887 skcipher_request_free(req); 888 return 0; 889 } 890 891 /* 892 * respond to a challenge packet 893 */ 894 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn, 895 struct sk_buff *skb, 896 u32 *_abort_code) 897 { 898 const struct rxrpc_key_token *token; 899 struct rxkad_challenge challenge; 900 struct rxkad_response *resp; 901 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 902 const char *eproto; 903 u32 version, nonce, min_level, abort_code; 904 int ret; 905 906 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key)); 907 908 eproto = tracepoint_string("chall_no_key"); 909 abort_code = RX_PROTOCOL_ERROR; 910 if (!conn->params.key) 911 goto protocol_error; 912 913 abort_code = RXKADEXPIRED; 914 ret = key_validate(conn->params.key); 915 if (ret < 0) 916 goto other_error; 917 918 eproto = tracepoint_string("chall_short"); 919 abort_code = RXKADPACKETSHORT; 920 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 921 &challenge, sizeof(challenge)) < 0) 922 goto protocol_error; 923 924 version = ntohl(challenge.version); 925 nonce = ntohl(challenge.nonce); 926 min_level = ntohl(challenge.min_level); 927 928 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }", 929 sp->hdr.serial, version, nonce, min_level); 930 931 eproto = tracepoint_string("chall_ver"); 932 abort_code = RXKADINCONSISTENCY; 933 if (version != RXKAD_VERSION) 934 goto protocol_error; 935 936 abort_code = RXKADLEVELFAIL; 937 ret = -EACCES; 938 if (conn->params.security_level < min_level) 939 goto other_error; 940 941 token = conn->params.key->payload.data[0]; 942 943 /* build the response packet */ 944 resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS); 945 if (!resp) 946 return -ENOMEM; 947 948 resp->version = htonl(RXKAD_VERSION); 949 resp->encrypted.epoch = htonl(conn->proto.epoch); 950 resp->encrypted.cid = htonl(conn->proto.cid); 951 resp->encrypted.securityIndex = htonl(conn->security_ix); 952 resp->encrypted.inc_nonce = htonl(nonce + 1); 953 resp->encrypted.level = htonl(conn->params.security_level); 954 resp->kvno = htonl(token->kad->kvno); 955 resp->ticket_len = htonl(token->kad->ticket_len); 956 resp->encrypted.call_id[0] = htonl(conn->channels[0].call_counter); 957 resp->encrypted.call_id[1] = htonl(conn->channels[1].call_counter); 958 resp->encrypted.call_id[2] = htonl(conn->channels[2].call_counter); 959 resp->encrypted.call_id[3] = htonl(conn->channels[3].call_counter); 960 961 /* calculate the response checksum and then do the encryption */ 962 rxkad_calc_response_checksum(resp); 963 ret = rxkad_encrypt_response(conn, resp, token->kad); 964 if (ret == 0) 965 ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad); 966 kfree(resp); 967 return ret; 968 969 protocol_error: 970 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto); 971 ret = -EPROTO; 972 other_error: 973 *_abort_code = abort_code; 974 return ret; 975 } 976 977 /* 978 * decrypt the kerberos IV ticket in the response 979 */ 980 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn, 981 struct key *server_key, 982 struct sk_buff *skb, 983 void *ticket, size_t ticket_len, 984 struct rxrpc_crypt *_session_key, 985 time64_t *_expiry, 986 u32 *_abort_code) 987 { 988 struct skcipher_request *req; 989 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 990 struct rxrpc_crypt iv, key; 991 struct scatterlist sg[1]; 992 struct in_addr addr; 993 unsigned int life; 994 const char *eproto; 995 time64_t issue, now; 996 bool little_endian; 997 int ret; 998 u32 abort_code; 999 u8 *p, *q, *name, *end; 1000 1001 _enter("{%d},{%x}", conn->debug_id, key_serial(server_key)); 1002 1003 *_expiry = 0; 1004 1005 ASSERT(server_key->payload.data[0] != NULL); 1006 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0); 1007 1008 memcpy(&iv, &server_key->payload.data[2], sizeof(iv)); 1009 1010 ret = -ENOMEM; 1011 req = skcipher_request_alloc(server_key->payload.data[0], GFP_NOFS); 1012 if (!req) 1013 goto temporary_error; 1014 1015 sg_init_one(&sg[0], ticket, ticket_len); 1016 skcipher_request_set_callback(req, 0, NULL, NULL); 1017 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x); 1018 crypto_skcipher_decrypt(req); 1019 skcipher_request_free(req); 1020 1021 p = ticket; 1022 end = p + ticket_len; 1023 1024 #define Z(field) \ 1025 ({ \ 1026 u8 *__str = p; \ 1027 eproto = tracepoint_string("rxkad_bad_"#field); \ 1028 q = memchr(p, 0, end - p); \ 1029 if (!q || q - p > (field##_SZ)) \ 1030 goto bad_ticket; \ 1031 for (; p < q; p++) \ 1032 if (!isprint(*p)) \ 1033 goto bad_ticket; \ 1034 p++; \ 1035 __str; \ 1036 }) 1037 1038 /* extract the ticket flags */ 1039 _debug("KIV FLAGS: %x", *p); 1040 little_endian = *p & 1; 1041 p++; 1042 1043 /* extract the authentication name */ 1044 name = Z(ANAME); 1045 _debug("KIV ANAME: %s", name); 1046 1047 /* extract the principal's instance */ 1048 name = Z(INST); 1049 _debug("KIV INST : %s", name); 1050 1051 /* extract the principal's authentication domain */ 1052 name = Z(REALM); 1053 _debug("KIV REALM: %s", name); 1054 1055 eproto = tracepoint_string("rxkad_bad_len"); 1056 if (end - p < 4 + 8 + 4 + 2) 1057 goto bad_ticket; 1058 1059 /* get the IPv4 address of the entity that requested the ticket */ 1060 memcpy(&addr, p, sizeof(addr)); 1061 p += 4; 1062 _debug("KIV ADDR : %pI4", &addr); 1063 1064 /* get the session key from the ticket */ 1065 memcpy(&key, p, sizeof(key)); 1066 p += 8; 1067 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1])); 1068 memcpy(_session_key, &key, sizeof(key)); 1069 1070 /* get the ticket's lifetime */ 1071 life = *p++ * 5 * 60; 1072 _debug("KIV LIFE : %u", life); 1073 1074 /* get the issue time of the ticket */ 1075 if (little_endian) { 1076 __le32 stamp; 1077 memcpy(&stamp, p, 4); 1078 issue = rxrpc_u32_to_time64(le32_to_cpu(stamp)); 1079 } else { 1080 __be32 stamp; 1081 memcpy(&stamp, p, 4); 1082 issue = rxrpc_u32_to_time64(be32_to_cpu(stamp)); 1083 } 1084 p += 4; 1085 now = ktime_get_real_seconds(); 1086 _debug("KIV ISSUE: %llx [%llx]", issue, now); 1087 1088 /* check the ticket is in date */ 1089 if (issue > now) { 1090 abort_code = RXKADNOAUTH; 1091 ret = -EKEYREJECTED; 1092 goto other_error; 1093 } 1094 1095 if (issue < now - life) { 1096 abort_code = RXKADEXPIRED; 1097 ret = -EKEYEXPIRED; 1098 goto other_error; 1099 } 1100 1101 *_expiry = issue + life; 1102 1103 /* get the service name */ 1104 name = Z(SNAME); 1105 _debug("KIV SNAME: %s", name); 1106 1107 /* get the service instance name */ 1108 name = Z(INST); 1109 _debug("KIV SINST: %s", name); 1110 return 0; 1111 1112 bad_ticket: 1113 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto); 1114 abort_code = RXKADBADTICKET; 1115 ret = -EPROTO; 1116 other_error: 1117 *_abort_code = abort_code; 1118 return ret; 1119 temporary_error: 1120 return ret; 1121 } 1122 1123 /* 1124 * decrypt the response packet 1125 */ 1126 static void rxkad_decrypt_response(struct rxrpc_connection *conn, 1127 struct rxkad_response *resp, 1128 const struct rxrpc_crypt *session_key) 1129 { 1130 struct skcipher_request *req = rxkad_ci_req; 1131 struct scatterlist sg[1]; 1132 struct rxrpc_crypt iv; 1133 1134 _enter(",,%08x%08x", 1135 ntohl(session_key->n[0]), ntohl(session_key->n[1])); 1136 1137 mutex_lock(&rxkad_ci_mutex); 1138 if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x, 1139 sizeof(*session_key)) < 0) 1140 BUG(); 1141 1142 memcpy(&iv, session_key, sizeof(iv)); 1143 1144 sg_init_table(sg, 1); 1145 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 1146 skcipher_request_set_sync_tfm(req, rxkad_ci); 1147 skcipher_request_set_callback(req, 0, NULL, NULL); 1148 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 1149 crypto_skcipher_decrypt(req); 1150 skcipher_request_zero(req); 1151 1152 mutex_unlock(&rxkad_ci_mutex); 1153 1154 _leave(""); 1155 } 1156 1157 /* 1158 * verify a response 1159 */ 1160 static int rxkad_verify_response(struct rxrpc_connection *conn, 1161 struct sk_buff *skb, 1162 u32 *_abort_code) 1163 { 1164 struct rxkad_response *response; 1165 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 1166 struct rxrpc_crypt session_key; 1167 struct key *server_key; 1168 const char *eproto; 1169 time64_t expiry; 1170 void *ticket; 1171 u32 abort_code, version, kvno, ticket_len, level; 1172 __be32 csum; 1173 int ret, i; 1174 1175 _enter("{%d}", conn->debug_id); 1176 1177 server_key = rxrpc_look_up_server_security(conn, skb, 0, 0); 1178 if (IS_ERR(server_key)) { 1179 switch (PTR_ERR(server_key)) { 1180 case -ENOKEY: 1181 abort_code = RXKADUNKNOWNKEY; 1182 break; 1183 case -EKEYEXPIRED: 1184 abort_code = RXKADEXPIRED; 1185 break; 1186 default: 1187 abort_code = RXKADNOAUTH; 1188 break; 1189 } 1190 trace_rxrpc_abort(0, "SVK", 1191 sp->hdr.cid, sp->hdr.callNumber, sp->hdr.seq, 1192 abort_code, PTR_ERR(server_key)); 1193 *_abort_code = abort_code; 1194 return -EPROTO; 1195 } 1196 1197 ret = -ENOMEM; 1198 response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS); 1199 if (!response) 1200 goto temporary_error; 1201 1202 eproto = tracepoint_string("rxkad_rsp_short"); 1203 abort_code = RXKADPACKETSHORT; 1204 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 1205 response, sizeof(*response)) < 0) 1206 goto protocol_error; 1207 1208 version = ntohl(response->version); 1209 ticket_len = ntohl(response->ticket_len); 1210 kvno = ntohl(response->kvno); 1211 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }", 1212 sp->hdr.serial, version, kvno, ticket_len); 1213 1214 eproto = tracepoint_string("rxkad_rsp_ver"); 1215 abort_code = RXKADINCONSISTENCY; 1216 if (version != RXKAD_VERSION) 1217 goto protocol_error; 1218 1219 eproto = tracepoint_string("rxkad_rsp_tktlen"); 1220 abort_code = RXKADTICKETLEN; 1221 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) 1222 goto protocol_error; 1223 1224 eproto = tracepoint_string("rxkad_rsp_unkkey"); 1225 abort_code = RXKADUNKNOWNKEY; 1226 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) 1227 goto protocol_error; 1228 1229 /* extract the kerberos ticket and decrypt and decode it */ 1230 ret = -ENOMEM; 1231 ticket = kmalloc(ticket_len, GFP_NOFS); 1232 if (!ticket) 1233 goto temporary_error_free_resp; 1234 1235 eproto = tracepoint_string("rxkad_tkt_short"); 1236 abort_code = RXKADPACKETSHORT; 1237 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response), 1238 ticket, ticket_len) < 0) 1239 goto protocol_error_free; 1240 1241 ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len, 1242 &session_key, &expiry, _abort_code); 1243 if (ret < 0) 1244 goto temporary_error_free_ticket; 1245 1246 /* use the session key from inside the ticket to decrypt the 1247 * response */ 1248 rxkad_decrypt_response(conn, response, &session_key); 1249 1250 eproto = tracepoint_string("rxkad_rsp_param"); 1251 abort_code = RXKADSEALEDINCON; 1252 if (ntohl(response->encrypted.epoch) != conn->proto.epoch) 1253 goto protocol_error_free; 1254 if (ntohl(response->encrypted.cid) != conn->proto.cid) 1255 goto protocol_error_free; 1256 if (ntohl(response->encrypted.securityIndex) != conn->security_ix) 1257 goto protocol_error_free; 1258 csum = response->encrypted.checksum; 1259 response->encrypted.checksum = 0; 1260 rxkad_calc_response_checksum(response); 1261 eproto = tracepoint_string("rxkad_rsp_csum"); 1262 if (response->encrypted.checksum != csum) 1263 goto protocol_error_free; 1264 1265 spin_lock(&conn->bundle->channel_lock); 1266 for (i = 0; i < RXRPC_MAXCALLS; i++) { 1267 struct rxrpc_call *call; 1268 u32 call_id = ntohl(response->encrypted.call_id[i]); 1269 1270 eproto = tracepoint_string("rxkad_rsp_callid"); 1271 if (call_id > INT_MAX) 1272 goto protocol_error_unlock; 1273 1274 eproto = tracepoint_string("rxkad_rsp_callctr"); 1275 if (call_id < conn->channels[i].call_counter) 1276 goto protocol_error_unlock; 1277 1278 eproto = tracepoint_string("rxkad_rsp_callst"); 1279 if (call_id > conn->channels[i].call_counter) { 1280 call = rcu_dereference_protected( 1281 conn->channels[i].call, 1282 lockdep_is_held(&conn->bundle->channel_lock)); 1283 if (call && call->state < RXRPC_CALL_COMPLETE) 1284 goto protocol_error_unlock; 1285 conn->channels[i].call_counter = call_id; 1286 } 1287 } 1288 spin_unlock(&conn->bundle->channel_lock); 1289 1290 eproto = tracepoint_string("rxkad_rsp_seq"); 1291 abort_code = RXKADOUTOFSEQUENCE; 1292 if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) 1293 goto protocol_error_free; 1294 1295 eproto = tracepoint_string("rxkad_rsp_level"); 1296 abort_code = RXKADLEVELFAIL; 1297 level = ntohl(response->encrypted.level); 1298 if (level > RXRPC_SECURITY_ENCRYPT) 1299 goto protocol_error_free; 1300 conn->params.security_level = level; 1301 1302 /* create a key to hold the security data and expiration time - after 1303 * this the connection security can be handled in exactly the same way 1304 * as for a client connection */ 1305 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); 1306 if (ret < 0) 1307 goto temporary_error_free_ticket; 1308 1309 kfree(ticket); 1310 kfree(response); 1311 _leave(" = 0"); 1312 return 0; 1313 1314 protocol_error_unlock: 1315 spin_unlock(&conn->bundle->channel_lock); 1316 protocol_error_free: 1317 kfree(ticket); 1318 protocol_error: 1319 kfree(response); 1320 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto); 1321 key_put(server_key); 1322 *_abort_code = abort_code; 1323 return -EPROTO; 1324 1325 temporary_error_free_ticket: 1326 kfree(ticket); 1327 temporary_error_free_resp: 1328 kfree(response); 1329 temporary_error: 1330 /* Ignore the response packet if we got a temporary error such as 1331 * ENOMEM. We just want to send the challenge again. Note that we 1332 * also come out this way if the ticket decryption fails. 1333 */ 1334 key_put(server_key); 1335 return ret; 1336 } 1337 1338 /* 1339 * clear the connection security 1340 */ 1341 static void rxkad_clear(struct rxrpc_connection *conn) 1342 { 1343 _enter(""); 1344 1345 if (conn->rxkad.cipher) 1346 crypto_free_sync_skcipher(conn->rxkad.cipher); 1347 } 1348 1349 /* 1350 * Initialise the rxkad security service. 1351 */ 1352 static int rxkad_init(void) 1353 { 1354 struct crypto_sync_skcipher *tfm; 1355 struct skcipher_request *req; 1356 1357 /* pin the cipher we need so that the crypto layer doesn't invoke 1358 * keventd to go get it */ 1359 tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0); 1360 if (IS_ERR(tfm)) 1361 return PTR_ERR(tfm); 1362 1363 req = skcipher_request_alloc(&tfm->base, GFP_KERNEL); 1364 if (!req) 1365 goto nomem_tfm; 1366 1367 rxkad_ci_req = req; 1368 rxkad_ci = tfm; 1369 return 0; 1370 1371 nomem_tfm: 1372 crypto_free_sync_skcipher(tfm); 1373 return -ENOMEM; 1374 } 1375 1376 /* 1377 * Clean up the rxkad security service. 1378 */ 1379 static void rxkad_exit(void) 1380 { 1381 crypto_free_sync_skcipher(rxkad_ci); 1382 skcipher_request_free(rxkad_ci_req); 1383 } 1384 1385 /* 1386 * RxRPC Kerberos-based security 1387 */ 1388 const struct rxrpc_security rxkad = { 1389 .name = "rxkad", 1390 .security_index = RXRPC_SECURITY_RXKAD, 1391 .no_key_abort = RXKADUNKNOWNKEY, 1392 .init = rxkad_init, 1393 .exit = rxkad_exit, 1394 .preparse_server_key = rxkad_preparse_server_key, 1395 .free_preparse_server_key = rxkad_free_preparse_server_key, 1396 .destroy_server_key = rxkad_destroy_server_key, 1397 .init_connection_security = rxkad_init_connection_security, 1398 .how_much_data = rxkad_how_much_data, 1399 .secure_packet = rxkad_secure_packet, 1400 .verify_packet = rxkad_verify_packet, 1401 .free_call_crypto = rxkad_free_call_crypto, 1402 .locate_data = rxkad_locate_data, 1403 .issue_challenge = rxkad_issue_challenge, 1404 .respond_to_challenge = rxkad_respond_to_challenge, 1405 .verify_response = rxkad_verify_response, 1406 .clear = rxkad_clear, 1407 }; 1408