net/rxrpc/security.c at master · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / net / rxrpc / security.c
at master 4.6 kB view raw
  1// SPDX-License-Identifier: GPL-2.0-or-later
  2/* RxRPC security handling
  3 *
  4 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
  5 * Written by David Howells (dhowells@redhat.com)
  6 */
  7
  8#include <linux/module.h>
  9#include <linux/net.h>
 10#include <linux/skbuff.h>
 11#include <linux/udp.h>
 12#include <linux/crypto.h>
 13#include <net/sock.h>
 14#include <net/af_rxrpc.h>
 15#include <keys/rxrpc-type.h>
 16#include "ar-internal.h"
 17
 18static const struct rxrpc_security *rxrpc_security_types[] = {
 19	[RXRPC_SECURITY_NONE]	= &rxrpc_no_security,
 20#ifdef CONFIG_RXKAD
 21	[RXRPC_SECURITY_RXKAD]	= &rxkad,
 22#endif
 23#ifdef CONFIG_RXGK
 24	[RXRPC_SECURITY_YFS_RXGK] = &rxgk_yfs,
 25#endif
 26};
 27
 28int __init rxrpc_init_security(void)
 29{
 30	int i, ret;
 31
 32	for (i = 0; i < ARRAY_SIZE(rxrpc_security_types); i++) {
 33		if (rxrpc_security_types[i]) {
 34			ret = rxrpc_security_types[i]->init();
 35			if (ret < 0)
 36				goto failed;
 37		}
 38	}
 39
 40	return 0;
 41
 42failed:
 43	for (i--; i >= 0; i--)
 44		if (rxrpc_security_types[i])
 45			rxrpc_security_types[i]->exit();
 46	return ret;
 47}
 48
 49void rxrpc_exit_security(void)
 50{
 51	int i;
 52
 53	for (i = 0; i < ARRAY_SIZE(rxrpc_security_types); i++)
 54		if (rxrpc_security_types[i])
 55			rxrpc_security_types[i]->exit();
 56}
 57
 58/*
 59 * look up an rxrpc security module
 60 */
 61const struct rxrpc_security *rxrpc_security_lookup(u8 security_index)
 62{
 63	if (security_index >= ARRAY_SIZE(rxrpc_security_types))
 64		return NULL;
 65	return rxrpc_security_types[security_index];
 66}
 67
 68/*
 69 * Initialise the security on a client call.
 70 */
 71int rxrpc_init_client_call_security(struct rxrpc_call *call)
 72{
 73	const struct rxrpc_security *sec = &rxrpc_no_security;
 74	struct rxrpc_key_token *token;
 75	struct key *key = call->key;
 76	int ret;
 77
 78	if (!key)
 79		goto found;
 80
 81	ret = key_validate(key);
 82	if (ret < 0)
 83		return ret;
 84
 85	for (token = key->payload.data[0]; token; token = token->next) {
 86		sec = rxrpc_security_lookup(token->security_index);
 87		if (sec)
 88			goto found;
 89	}
 90	return -EKEYREJECTED;
 91
 92found:
 93	call->security = sec;
 94	call->security_ix = sec->security_index;
 95	return 0;
 96}
 97
 98/*
 99 * initialise the security on a client connection
100 */
101int rxrpc_init_client_conn_security(struct rxrpc_connection *conn)
102{
103	struct rxrpc_key_token *token;
104	struct key *key = conn->key;
105	int ret = 0;
106
107	_enter("{%d},{%x}", conn->debug_id, key_serial(key));
108
109	for (token = key->payload.data[0]; token; token = token->next) {
110		if (token->security_index == conn->security->security_index)
111			goto found;
112	}
113	return -EKEYREJECTED;
114
115found:
116	mutex_lock(&conn->security_lock);
117	if (conn->state == RXRPC_CONN_CLIENT_UNSECURED) {
118		ret = conn->security->init_connection_security(conn, token);
119		if (ret == 0) {
120			spin_lock_irq(&conn->state_lock);
121			if (conn->state == RXRPC_CONN_CLIENT_UNSECURED)
122				conn->state = RXRPC_CONN_CLIENT;
123			spin_unlock_irq(&conn->state_lock);
124		}
125	}
126	mutex_unlock(&conn->security_lock);
127	return ret;
128}
129
130/*
131 * Set the ops a server connection.
132 */
133const struct rxrpc_security *rxrpc_get_incoming_security(struct rxrpc_sock *rx,
134							 struct sk_buff *skb)
135{
136	const struct rxrpc_security *sec;
137	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
138
139	_enter("");
140
141	sec = rxrpc_security_lookup(sp->hdr.securityIndex);
142	if (!sec) {
143		rxrpc_direct_conn_abort(skb, rxrpc_abort_unsupported_security,
144					RX_INVALID_OPERATION, -EKEYREJECTED);
145		return NULL;
146	}
147
148	if (sp->hdr.securityIndex != RXRPC_SECURITY_NONE &&
149	    !rx->securities) {
150		rxrpc_direct_conn_abort(skb, rxrpc_abort_no_service_key,
151					sec->no_key_abort, -EKEYREJECTED);
152		return NULL;
153	}
154
155	return sec;
156}
157
158/*
159 * Find the security key for a server connection.
160 */
161struct key *rxrpc_look_up_server_security(struct rxrpc_connection *conn,
162					  struct sk_buff *skb,
163					  u32 kvno, u32 enctype)
164{
165	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
166	struct rxrpc_sock *rx;
167	struct key *key = ERR_PTR(-EKEYREJECTED);
168	key_ref_t kref = NULL;
169	char kdesc[5 + 1 + 3 + 1 + 12 + 1 + 12 + 1];
170	int ret;
171
172	_enter("");
173
174	if (enctype)
175		sprintf(kdesc, "%u:%u:%u:%u",
176			sp->hdr.serviceId, sp->hdr.securityIndex, kvno, enctype);
177	else if (kvno)
178		sprintf(kdesc, "%u:%u:%u",
179			sp->hdr.serviceId, sp->hdr.securityIndex, kvno);
180	else
181		sprintf(kdesc, "%u:%u",
182			sp->hdr.serviceId, sp->hdr.securityIndex);
183
184	read_lock(&conn->local->services_lock);
185
186	rx = conn->local->service;
187	if (!rx)
188		goto out;
189
190	/* look through the service's keyring */
191	kref = keyring_search(make_key_ref(rx->securities, 1UL),
192			      &key_type_rxrpc_s, kdesc, true);
193	if (IS_ERR(kref)) {
194		key = ERR_CAST(kref);
195		goto out;
196	}
197
198	key = key_ref_to_ptr(kref);
199
200	ret = key_validate(key);
201	if (ret < 0) {
202		key_put(key);
203		key = ERR_PTR(ret);
204		goto out;
205	}
206
207out:
208	read_unlock(&conn->local->services_lock);
209	return key;
210}