security.c source code [linux/net/rxrpc/security.c]

1	// SPDX-License-Identifier: GPL-2.0-or-later
2	/ RxRPC security handling*
3	*
4	* Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
5	* Written by David Howells (dhowells@redhat.com)
6	*/
7
8	#include <linux/module.h>
9	#include <linux/net.h>
10	#include <linux/skbuff.h>
11	#include <linux/udp.h>
12	#include <linux/crypto.h>
13	#include <net/sock.h>
14	#include <net/af_rxrpc.h>
15	#include <keys/rxrpc-type.h>
16	#include "ar-internal.h"
17
18	static const struct rxrpc_security *rxrpc_security_types[] = {
19	[RXRPC_SECURITY_NONE] = &rxrpc_no_security,
20	#ifdef CONFIG_RXKAD
21	[RXRPC_SECURITY_RXKAD] = &rxkad,
22	#endif
23	};
24
25	int __init rxrpc_init_security(void)
26	{
27	int i, ret;
28
29	for (i = `0`; i < ARRAY_SIZE(rxrpc_security_types); i++) {
30	if (rxrpc_security_types[i]) {
31	ret = rxrpc_security_types[i]->init();
32	if (ret < `0`)
33	goto failed;
34	}
35	}
36
37	return `0`;
38
39	failed:
40	for (i--; i >= `0`; i--)
41	if (rxrpc_security_types[i])
42	rxrpc_security_types[i]->exit();
43	return ret;
44	}
45
46	void rxrpc_exit_security(void)
47	{
48	int i;
49
50	for (i = `0`; i < ARRAY_SIZE(rxrpc_security_types); i++)
51	if (rxrpc_security_types[i])
52	rxrpc_security_types[i]->exit();
53	}
54
55	/*
56	* look up an rxrpc security module
57	*/
58	const struct rxrpc_security *rxrpc_security_lookup(u8 security_index)
59	{
60	if (security_index >= ARRAY_SIZE(rxrpc_security_types))
61	return NULL;
62	return rxrpc_security_types[security_index];
63	}
64
65	/*
66	* Initialise the security on a client call.
67	*/
68	int rxrpc_init_client_call_security(struct rxrpc_call *call)
69	{
70	const struct rxrpc_security *sec = &rxrpc_no_security;
71	struct rxrpc_key_token *token;
72	struct key *key = call->key;
73	int ret;
74
75	if (!key)
76	goto found;
77
78	ret = key_validate(key);
79	if (ret < `0`)
80	return ret;
81
82	for (token = key->payload.data[`0`]; token; token = token->next) {
83	sec = rxrpc_security_lookup(security_index: token->security_index);
84	if (sec)
85	goto found;
86	}
87	return -EKEYREJECTED;
88
89	found:
90	call->security = sec;
91	call->security_ix = sec->security_index;
92	return `0`;
93	}
94
95	/*
96	* initialise the security on a client connection
97	*/
98	int rxrpc_init_client_conn_security(struct rxrpc_connection *conn)
99	{
100	struct rxrpc_key_token *token;
101	struct key *key = conn->key;
102	int ret = `0`;
103
104	_enter("{%d},{%x}", conn->debug_id, key_serial(key));
105
106	for (token = key->payload.data[`0`]; token; token = token->next) {
107	if (token->security_index == conn->security->security_index)
108	goto found;
109	}
110	return -EKEYREJECTED;
111
112	found:
113	mutex_lock(&conn->security_lock);
114	if (conn->state == RXRPC_CONN_CLIENT_UNSECURED) {
115	ret = conn->security->init_connection_security(conn, token);
116	if (ret == `0`) {
117	spin_lock(lock: &conn->state_lock);
118	if (conn->state == RXRPC_CONN_CLIENT_UNSECURED)
119	conn->state = RXRPC_CONN_CLIENT;
120	spin_unlock(lock: &conn->state_lock);
121	}
122	}
123	mutex_unlock(lock: &conn->security_lock);
124	return ret;
125	}
126
127	/*
128	* Set the ops a server connection.
129	*/
130	const struct rxrpc_security rxrpc_get_incoming_security(struct* rxrpc_sock *rx,
131	struct sk_buff *skb)
132	{
133	const struct rxrpc_security *sec;
134	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
135
136	_enter("");
137
138	sec = rxrpc_security_lookup(security_index: sp->hdr.securityIndex);
139	if (!sec) {
140	rxrpc_direct_abort(skb, why: rxrpc_abort_unsupported_security,
141	RX_INVALID_OPERATION, err: -EKEYREJECTED);
142	return NULL;
143	}
144
145	if (sp->hdr.securityIndex != RXRPC_SECURITY_NONE &&
146	!rx->securities) {
147	rxrpc_direct_abort(skb, why: rxrpc_abort_no_service_key,
148	abort_code: sec->no_key_abort, err: -EKEYREJECTED);
149	return NULL;
150	}
151
152	return sec;
153	}
154
155	/*
156	* Find the security key for a server connection.
157	*/
158	struct key rxrpc_look_up_server_security(struct* rxrpc_connection *conn,
159	struct sk_buff *skb,
160	u32 kvno, u32 enctype)
161	{
162	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
163	struct rxrpc_sock *rx;
164	struct key *key = ERR_PTR(error: -EKEYREJECTED);
165	key_ref_t kref = NULL;
166	char kdesc[`5` + `1` + `3` + `1` + `12` + `1` + `12` + `1`];
167	int ret;
168
169	_enter("");
170
171	if (enctype)
172	sprintf(buf: kdesc, fmt: "%u:%u:%u:%u",
173	sp->hdr.serviceId, sp->hdr.securityIndex, kvno, enctype);
174	else if (kvno)
175	sprintf(buf: kdesc, fmt: "%u:%u:%u",
176	sp->hdr.serviceId, sp->hdr.securityIndex, kvno);
177	else
178	sprintf(buf: kdesc, fmt: "%u:%u",
179	sp->hdr.serviceId, sp->hdr.securityIndex);
180
181	read_lock(&conn->local->services_lock);
182
183	rx = conn->local->service;
184	if (!rx)
185	goto out;
186
187	/ look through the service's keyring /
188	kref = keyring_search(keyring: make_key_ref(key: rx->securities, possession: `1UL`),
189	type: &key_type_rxrpc_s, description: kdesc, recurse: true);
190	if (IS_ERR(ptr: kref)) {
191	key = ERR_CAST(ptr: kref);
192	goto out;
193	}
194
195	key = key_ref_to_ptr(key_ref: kref);
196
197	ret = key_validate(key);
198	if (ret < `0`) {
199	key_put(key);
200	key = ERR_PTR(error: ret);
201	goto out;
202	}
203
204	out:
205	read_unlock(&conn->local->services_lock);
206	return key;
207	}
208

source code of linux/net/rxrpc/security.c