// SPDX-License-Identifier: GPL-2.0-or-later /* Kerberos-based RxRPC security * * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. * Written by David Howells ([email protected]) */ #define pr_fmt(fmt) … #include <crypto/skcipher.h> #include <linux/module.h> #include <linux/net.h> #include <linux/skbuff.h> #include <linux/udp.h> #include <linux/scatterlist.h> #include <linux/ctype.h> #include <linux/slab.h> #include <linux/key-type.h> #include <net/sock.h> #include <net/af_rxrpc.h> #include <keys/rxrpc-type.h> #include "ar-internal.h" #define RXKAD_VERSION … #define MAXKRB5TICKETLEN … #define RXKAD_TKT_TYPE_KERBEROS_V5 … #define ANAME_SZ … #define INST_SZ … #define REALM_SZ … #define SNAME_SZ … #define RXKAD_ALIGN … struct rxkad_level1_hdr { … }; struct rxkad_level2_hdr { … }; static int rxkad_prime_packet_security(struct rxrpc_connection *conn, struct crypto_sync_skcipher *ci); /* * this holds a pinned cipher so that keventd doesn't get called by the cipher * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE * packets */ static struct crypto_sync_skcipher *rxkad_ci; static struct skcipher_request *rxkad_ci_req; static DEFINE_MUTEX(rxkad_ci_mutex); /* * Parse the information from a server key * * The data should be the 8-byte secret key. */ static int rxkad_preparse_server_key(struct key_preparsed_payload *prep) { … } static void rxkad_free_preparse_server_key(struct key_preparsed_payload *prep) { … } static void rxkad_destroy_server_key(struct key *key) { … } /* * initialise connection security */ static int rxkad_init_connection_security(struct rxrpc_connection *conn, struct rxrpc_key_token *token) { … } /* * Work out how much data we can put in a packet. */ static struct rxrpc_txbuf *rxkad_alloc_txbuf(struct rxrpc_call *call, size_t remain, gfp_t gfp) { … } /* * prime the encryption state with the invariant parts of a connection's * description */ static int rxkad_prime_packet_security(struct rxrpc_connection *conn, struct crypto_sync_skcipher *ci) { … } /* * Allocate and prepare the crypto request on a call. For any particular call, * this is called serially for the packets, so no lock should be necessary. */ static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call) { … } /* * Clean up the crypto on a call. */ static void rxkad_free_call_crypto(struct rxrpc_call *call) { … } /* * partially encrypt a packet (level 1 security) */ static int rxkad_secure_packet_auth(const struct rxrpc_call *call, struct rxrpc_txbuf *txb, struct skcipher_request *req) { … } /* * wholly encrypt a packet (level 2 security) */ static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, struct rxrpc_txbuf *txb, struct skcipher_request *req) { … } /* * checksum an RxRPC packet header */ static int rxkad_secure_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb) { … } /* * decrypt partial encryption on a packet (level 1 security) */ static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb, rxrpc_seq_t seq, struct skcipher_request *req) { … } /* * wholly decrypt a packet (level 2 security) */ static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb, rxrpc_seq_t seq, struct skcipher_request *req) { … } /* * Verify the security on a received packet and the subpackets therein. */ static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb) { … } /* * issue a challenge */ static int rxkad_issue_challenge(struct rxrpc_connection *conn) { … } /* * send a Kerberos security response */ static int rxkad_send_response(struct rxrpc_connection *conn, struct rxrpc_host_header *hdr, struct rxkad_response *resp, const struct rxkad_key *s2) { … } /* * calculate the response checksum */ static void rxkad_calc_response_checksum(struct rxkad_response *response) { … } /* * encrypt the response packet */ static int rxkad_encrypt_response(struct rxrpc_connection *conn, struct rxkad_response *resp, const struct rxkad_key *s2) { … } /* * respond to a challenge packet */ static int rxkad_respond_to_challenge(struct rxrpc_connection *conn, struct sk_buff *skb) { … } /* * decrypt the kerberos IV ticket in the response */ static int rxkad_decrypt_ticket(struct rxrpc_connection *conn, struct key *server_key, struct sk_buff *skb, void *ticket, size_t ticket_len, struct rxrpc_crypt *_session_key, time64_t *_expiry) { … } /* * decrypt the response packet */ static void rxkad_decrypt_response(struct rxrpc_connection *conn, struct rxkad_response *resp, const struct rxrpc_crypt *session_key) { … } /* * verify a response */ static int rxkad_verify_response(struct rxrpc_connection *conn, struct sk_buff *skb) { … } /* * clear the connection security */ static void rxkad_clear(struct rxrpc_connection *conn) { … } /* * Initialise the rxkad security service. */ static int rxkad_init(void) { … } /* * Clean up the rxkad security service. */ static void rxkad_exit(void) { … } /* * RxRPC Kerberos-based security */ const struct rxrpc_security rxkad = …;
Codebase Browser
linux