1 /* RxRPC key management
3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
11 * RxRPC keys should have a description of describing their purpose:
12 * "afs@CAMBRIDGE.REDHAT.COM>
15 #include <linux/module.h>
16 #include <linux/net.h>
17 #include <linux/skbuff.h>
18 #include <linux/key-type.h>
19 #include <linux/crypto.h>
20 #include <linux/ctype.h>
21 #include <linux/slab.h>
23 #include <net/af_rxrpc.h>
24 #include <keys/rxrpc-type.h>
25 #include <keys/user-type.h>
26 #include "ar-internal.h"
28 static int rxrpc_instantiate(struct key
*, const void *, size_t);
29 static int rxrpc_instantiate_s(struct key
*, const void *, size_t);
30 static void rxrpc_destroy(struct key
*);
31 static void rxrpc_destroy_s(struct key
*);
32 static void rxrpc_describe(const struct key
*, struct seq_file
*);
33 static long rxrpc_read(const struct key
*, char __user
*, size_t);
36 * rxrpc defined keys take an arbitrary string as the description and an
37 * arbitrary blob of data as the payload
39 struct key_type key_type_rxrpc
= {
41 .instantiate
= rxrpc_instantiate
,
43 .destroy
= rxrpc_destroy
,
44 .describe
= rxrpc_describe
,
47 EXPORT_SYMBOL(key_type_rxrpc
);
50 * rxrpc server defined keys take "<serviceId>:<securityIndex>" as the
51 * description and an 8-byte decryption key as the payload
53 struct key_type key_type_rxrpc_s
= {
55 .instantiate
= rxrpc_instantiate_s
,
57 .destroy
= rxrpc_destroy_s
,
58 .describe
= rxrpc_describe
,
62 * parse an RxKAD type XDR format token
63 * - the caller guarantees we have at least 4 words
65 static int rxrpc_instantiate_xdr_rxkad(struct key
*key
, const __be32
*xdr
,
68 struct rxrpc_key_token
*token
, **pptoken
;
73 _enter(",{%x,%x,%x,%x},%u",
74 ntohl(xdr
[0]), ntohl(xdr
[1]), ntohl(xdr
[2]), ntohl(xdr
[3]),
79 tktlen
= ntohl(xdr
[7]);
80 _debug("tktlen: %x", tktlen
);
81 if (tktlen
> AFSTOKEN_RK_TIX_MAX
)
83 if (8 * 4 + tktlen
!= toklen
)
86 plen
= sizeof(*token
) + sizeof(*token
->kad
) + tktlen
;
87 ret
= key_payload_reserve(key
, key
->datalen
+ plen
);
91 plen
-= sizeof(*token
);
92 token
= kzalloc(sizeof(*token
), GFP_KERNEL
);
96 token
->kad
= kzalloc(plen
, GFP_KERNEL
);
102 token
->security_index
= RXRPC_SECURITY_RXKAD
;
103 token
->kad
->ticket_len
= tktlen
;
104 token
->kad
->vice_id
= ntohl(xdr
[0]);
105 token
->kad
->kvno
= ntohl(xdr
[1]);
106 token
->kad
->start
= ntohl(xdr
[4]);
107 token
->kad
->expiry
= ntohl(xdr
[5]);
108 token
->kad
->primary_flag
= ntohl(xdr
[6]);
109 memcpy(&token
->kad
->session_key
, &xdr
[2], 8);
110 memcpy(&token
->kad
->ticket
, &xdr
[8], tktlen
);
112 _debug("SCIX: %u", token
->security_index
);
113 _debug("TLEN: %u", token
->kad
->ticket_len
);
114 _debug("EXPY: %x", token
->kad
->expiry
);
115 _debug("KVNO: %u", token
->kad
->kvno
);
116 _debug("PRIM: %u", token
->kad
->primary_flag
);
117 _debug("SKEY: %02x%02x%02x%02x%02x%02x%02x%02x",
118 token
->kad
->session_key
[0], token
->kad
->session_key
[1],
119 token
->kad
->session_key
[2], token
->kad
->session_key
[3],
120 token
->kad
->session_key
[4], token
->kad
->session_key
[5],
121 token
->kad
->session_key
[6], token
->kad
->session_key
[7]);
122 if (token
->kad
->ticket_len
>= 8)
123 _debug("TCKT: %02x%02x%02x%02x%02x%02x%02x%02x",
124 token
->kad
->ticket
[0], token
->kad
->ticket
[1],
125 token
->kad
->ticket
[2], token
->kad
->ticket
[3],
126 token
->kad
->ticket
[4], token
->kad
->ticket
[5],
127 token
->kad
->ticket
[6], token
->kad
->ticket
[7]);
129 /* count the number of tokens attached */
130 key
->type_data
.x
[0]++;
132 /* attach the data */
133 for (pptoken
= (struct rxrpc_key_token
**)&key
->payload
.data
;
135 pptoken
= &(*pptoken
)->next
)
138 if (token
->kad
->expiry
< key
->expiry
)
139 key
->expiry
= token
->kad
->expiry
;
145 static void rxrpc_free_krb5_principal(struct krb5_principal
*princ
)
149 if (princ
->name_parts
) {
150 for (loop
= princ
->n_name_parts
- 1; loop
>= 0; loop
--)
151 kfree(princ
->name_parts
[loop
]);
152 kfree(princ
->name_parts
);
157 static void rxrpc_free_krb5_tagged(struct krb5_tagged_data
*td
)
163 * free up an RxK5 token
165 static void rxrpc_rxk5_free(struct rxk5_key
*rxk5
)
169 rxrpc_free_krb5_principal(&rxk5
->client
);
170 rxrpc_free_krb5_principal(&rxk5
->server
);
171 rxrpc_free_krb5_tagged(&rxk5
->session
);
173 if (rxk5
->addresses
) {
174 for (loop
= rxk5
->n_addresses
- 1; loop
>= 0; loop
--)
175 rxrpc_free_krb5_tagged(&rxk5
->addresses
[loop
]);
176 kfree(rxk5
->addresses
);
178 if (rxk5
->authdata
) {
179 for (loop
= rxk5
->n_authdata
- 1; loop
>= 0; loop
--)
180 rxrpc_free_krb5_tagged(&rxk5
->authdata
[loop
]);
181 kfree(rxk5
->authdata
);
185 kfree(rxk5
->ticket2
);
190 * extract a krb5 principal
192 static int rxrpc_krb5_decode_principal(struct krb5_principal
*princ
,
196 const __be32
*xdr
= *_xdr
;
197 unsigned toklen
= *_toklen
, n_parts
, loop
, tmp
;
199 /* there must be at least one name, and at least #names+1 length
204 _enter(",{%x,%x,%x},%u",
205 ntohl(xdr
[0]), ntohl(xdr
[1]), ntohl(xdr
[2]), toklen
);
207 n_parts
= ntohl(*xdr
++);
209 if (n_parts
<= 0 || n_parts
> AFSTOKEN_K5_COMPONENTS_MAX
)
211 princ
->n_name_parts
= n_parts
;
213 if (toklen
<= (n_parts
+ 1) * 4)
216 princ
->name_parts
= kcalloc(sizeof(char *), n_parts
, GFP_KERNEL
);
217 if (!princ
->name_parts
)
220 for (loop
= 0; loop
< n_parts
; loop
++) {
225 if (tmp
<= 0 || tmp
> AFSTOKEN_STRING_MAX
)
229 princ
->name_parts
[loop
] = kmalloc(tmp
+ 1, GFP_KERNEL
);
230 if (!princ
->name_parts
[loop
])
232 memcpy(princ
->name_parts
[loop
], xdr
, tmp
);
233 princ
->name_parts
[loop
][tmp
] = 0;
234 tmp
= (tmp
+ 3) & ~3;
243 if (tmp
<= 0 || tmp
> AFSTOKEN_K5_REALM_MAX
)
247 princ
->realm
= kmalloc(tmp
+ 1, GFP_KERNEL
);
250 memcpy(princ
->realm
, xdr
, tmp
);
251 princ
->realm
[tmp
] = 0;
252 tmp
= (tmp
+ 3) & ~3;
256 _debug("%s/...@%s", princ
->name_parts
[0], princ
->realm
);
260 _leave(" = 0 [toklen=%u]", toklen
);
265 * extract a piece of krb5 tagged data
267 static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data
*td
,
268 size_t max_data_size
,
272 const __be32
*xdr
= *_xdr
;
273 unsigned toklen
= *_toklen
, len
;
275 /* there must be at least one tag and one length word */
279 _enter(",%zu,{%x,%x},%u",
280 max_data_size
, ntohl(xdr
[0]), ntohl(xdr
[1]), toklen
);
282 td
->tag
= ntohl(*xdr
++);
285 if (len
> max_data_size
)
290 td
->data
= kmalloc(len
, GFP_KERNEL
);
293 memcpy(td
->data
, xdr
, len
);
294 len
= (len
+ 3) & ~3;
299 _debug("tag %x len %x", td
->tag
, td
->data_len
);
303 _leave(" = 0 [toklen=%u]", toklen
);
308 * extract an array of tagged data
310 static int rxrpc_krb5_decode_tagged_array(struct krb5_tagged_data
**_td
,
313 size_t max_elem_size
,
317 struct krb5_tagged_data
*td
;
318 const __be32
*xdr
= *_xdr
;
319 unsigned toklen
= *_toklen
, n_elem
, loop
;
322 /* there must be at least one count */
326 _enter(",,%u,%zu,{%x},%u",
327 max_n_elem
, max_elem_size
, ntohl(xdr
[0]), toklen
);
329 n_elem
= ntohl(*xdr
++);
331 if (n_elem
< 0 || n_elem
> max_n_elem
)
335 if (toklen
<= (n_elem
+ 1) * 4)
338 _debug("n_elem %d", n_elem
);
340 td
= kcalloc(sizeof(struct krb5_tagged_data
), n_elem
,
346 for (loop
= 0; loop
< n_elem
; loop
++) {
347 ret
= rxrpc_krb5_decode_tagged_data(&td
[loop
],
357 _leave(" = 0 [toklen=%u]", toklen
);
362 * extract a krb5 ticket
364 static int rxrpc_krb5_decode_ticket(u8
**_ticket
, u16
*_tktlen
,
365 const __be32
**_xdr
, unsigned *_toklen
)
367 const __be32
*xdr
= *_xdr
;
368 unsigned toklen
= *_toklen
, len
;
370 /* there must be at least one length word */
374 _enter(",{%x},%u", ntohl(xdr
[0]), toklen
);
378 if (len
> AFSTOKEN_K5_TIX_MAX
)
382 _debug("ticket len %u", len
);
385 *_ticket
= kmalloc(len
, GFP_KERNEL
);
388 memcpy(*_ticket
, xdr
, len
);
389 len
= (len
+ 3) & ~3;
396 _leave(" = 0 [toklen=%u]", toklen
);
401 * parse an RxK5 type XDR format token
402 * - the caller guarantees we have at least 4 words
404 static int rxrpc_instantiate_xdr_rxk5(struct key
*key
, const __be32
*xdr
,
407 struct rxrpc_key_token
*token
, **pptoken
;
408 struct rxk5_key
*rxk5
;
409 const __be32
*end_xdr
= xdr
+ (toklen
>> 2);
412 _enter(",{%x,%x,%x,%x},%u",
413 ntohl(xdr
[0]), ntohl(xdr
[1]), ntohl(xdr
[2]), ntohl(xdr
[3]),
416 /* reserve some payload space for this subkey - the length of the token
417 * is a reasonable approximation */
418 ret
= key_payload_reserve(key
, key
->datalen
+ toklen
);
422 token
= kzalloc(sizeof(*token
), GFP_KERNEL
);
426 rxk5
= kzalloc(sizeof(*rxk5
), GFP_KERNEL
);
432 token
->security_index
= RXRPC_SECURITY_RXK5
;
435 /* extract the principals */
436 ret
= rxrpc_krb5_decode_principal(&rxk5
->client
, &xdr
, &toklen
);
439 ret
= rxrpc_krb5_decode_principal(&rxk5
->server
, &xdr
, &toklen
);
443 /* extract the session key and the encoding type (the tag field ->
445 ret
= rxrpc_krb5_decode_tagged_data(&rxk5
->session
, AFSTOKEN_DATA_MAX
,
450 if (toklen
< 4 * 8 + 2 * 4)
452 rxk5
->authtime
= be64_to_cpup((const __be64
*) xdr
);
454 rxk5
->starttime
= be64_to_cpup((const __be64
*) xdr
);
456 rxk5
->endtime
= be64_to_cpup((const __be64
*) xdr
);
458 rxk5
->renew_till
= be64_to_cpup((const __be64
*) xdr
);
460 rxk5
->is_skey
= ntohl(*xdr
++);
461 rxk5
->flags
= ntohl(*xdr
++);
462 toklen
-= 4 * 8 + 2 * 4;
464 _debug("times: a=%llx s=%llx e=%llx rt=%llx",
465 rxk5
->authtime
, rxk5
->starttime
, rxk5
->endtime
,
467 _debug("is_skey=%x flags=%x", rxk5
->is_skey
, rxk5
->flags
);
469 /* extract the permitted client addresses */
470 ret
= rxrpc_krb5_decode_tagged_array(&rxk5
->addresses
,
472 AFSTOKEN_K5_ADDRESSES_MAX
,
478 ASSERTCMP((end_xdr
- xdr
) << 2, ==, toklen
);
480 /* extract the tickets */
481 ret
= rxrpc_krb5_decode_ticket(&rxk5
->ticket
, &rxk5
->ticket_len
,
485 ret
= rxrpc_krb5_decode_ticket(&rxk5
->ticket2
, &rxk5
->ticket2_len
,
490 ASSERTCMP((end_xdr
- xdr
) << 2, ==, toklen
);
492 /* extract the typed auth data */
493 ret
= rxrpc_krb5_decode_tagged_array(&rxk5
->authdata
,
495 AFSTOKEN_K5_AUTHDATA_MAX
,
496 AFSTOKEN_BDATALN_MAX
,
501 ASSERTCMP((end_xdr
- xdr
) << 2, ==, toklen
);
506 /* attach the payload to the key */
507 for (pptoken
= (struct rxrpc_key_token
**)&key
->payload
.data
;
509 pptoken
= &(*pptoken
)->next
)
512 if (token
->kad
->expiry
< key
->expiry
)
513 key
->expiry
= token
->kad
->expiry
;
521 rxrpc_rxk5_free(rxk5
);
523 _leave(" = %d", ret
);
528 * attempt to parse the data as the XDR format
529 * - the caller guarantees we have more than 7 words
531 static int rxrpc_instantiate_xdr(struct key
*key
, const void *data
, size_t datalen
)
533 const __be32
*xdr
= data
, *token
;
535 unsigned len
, tmp
, loop
, ntoken
, toklen
, sec_ix
;
538 _enter(",{%x,%x,%x,%x},%zu",
539 ntohl(xdr
[0]), ntohl(xdr
[1]), ntohl(xdr
[2]), ntohl(xdr
[3]),
542 if (datalen
> AFSTOKEN_LENGTH_MAX
)
545 /* XDR is an array of __be32's */
549 /* the flags should be 0 (the setpag bit must be handled by
551 if (ntohl(*xdr
++) != 0)
555 /* check the cell name */
557 if (len
< 1 || len
> AFSTOKEN_CELL_MAX
)
560 tmp
= (len
+ 3) & ~3;
564 cp
= (const char *) xdr
;
565 for (loop
= 0; loop
< len
; loop
++)
566 if (!isprint(cp
[loop
]))
569 for (; loop
< tmp
; loop
++)
572 _debug("cellname: [%u/%u] '%*.*s'",
573 len
, tmp
, len
, len
, (const char *) xdr
);
577 /* get the token count */
580 ntoken
= ntohl(*xdr
++);
582 _debug("ntoken: %x", ntoken
);
583 if (ntoken
< 1 || ntoken
> AFSTOKEN_MAX
)
586 /* check each token wrapper */
592 toklen
= ntohl(*xdr
++);
593 sec_ix
= ntohl(*xdr
);
595 _debug("token: [%x/%zx] %x", toklen
, datalen
, sec_ix
);
596 if (toklen
< 20 || toklen
> datalen
)
598 datalen
-= (toklen
+ 3) & ~3;
599 xdr
+= (toklen
+ 3) >> 2;
601 } while (--loop
> 0);
603 _debug("remainder: %zu", datalen
);
607 /* okay: we're going to assume it's valid XDR format
608 * - we ignore the cellname, relying on the key to be correctly named
612 toklen
= ntohl(*xdr
++);
613 token
= xdr
+ ((toklen
+ 3) >> 2);
614 sec_ix
= ntohl(*xdr
++);
617 _debug("TOKEN type=%u [%p-%p]", sec_ix
, xdr
, token
);
620 case RXRPC_SECURITY_RXKAD
:
621 ret
= rxrpc_instantiate_xdr_rxkad(key
, xdr
, toklen
);
626 case RXRPC_SECURITY_RXK5
:
627 ret
= rxrpc_instantiate_xdr_rxk5(key
, xdr
, toklen
);
633 ret
= -EPROTONOSUPPORT
;
637 } while (--ntoken
> 0);
643 _leave(" = -EPROTO");
646 _leave(" = %d", ret
);
651 * instantiate an rxrpc defined key
652 * data should be of the form:
654 * 0 4 key interface version number
655 * 4 2 security index (type)
657 * 8 4 key expiry time (time_t)
662 * if no data is provided, then a no-security key is made
664 static int rxrpc_instantiate(struct key
*key
, const void *data
, size_t datalen
)
666 const struct rxrpc_key_data_v1
*v1
;
667 struct rxrpc_key_token
*token
, **pp
;
672 _enter("{%x},,%zu", key_serial(key
), datalen
);
674 /* handle a no-security key */
675 if (!data
&& datalen
== 0)
678 /* determine if the XDR payload format is being used */
679 if (datalen
> 7 * 4) {
680 ret
= rxrpc_instantiate_xdr(key
, data
, datalen
);
685 /* get the key interface version number */
687 if (datalen
<= 4 || !data
)
689 memcpy(&kver
, data
, sizeof(kver
));
690 data
+= sizeof(kver
);
691 datalen
-= sizeof(kver
);
693 _debug("KEY I/F VERSION: %u", kver
);
699 /* deal with a version 1 key */
701 if (datalen
< sizeof(*v1
))
705 if (datalen
!= sizeof(*v1
) + v1
->ticket_length
)
708 _debug("SCIX: %u", v1
->security_index
);
709 _debug("TLEN: %u", v1
->ticket_length
);
710 _debug("EXPY: %x", v1
->expiry
);
711 _debug("KVNO: %u", v1
->kvno
);
712 _debug("SKEY: %02x%02x%02x%02x%02x%02x%02x%02x",
713 v1
->session_key
[0], v1
->session_key
[1],
714 v1
->session_key
[2], v1
->session_key
[3],
715 v1
->session_key
[4], v1
->session_key
[5],
716 v1
->session_key
[6], v1
->session_key
[7]);
717 if (v1
->ticket_length
>= 8)
718 _debug("TCKT: %02x%02x%02x%02x%02x%02x%02x%02x",
719 v1
->ticket
[0], v1
->ticket
[1],
720 v1
->ticket
[2], v1
->ticket
[3],
721 v1
->ticket
[4], v1
->ticket
[5],
722 v1
->ticket
[6], v1
->ticket
[7]);
724 ret
= -EPROTONOSUPPORT
;
725 if (v1
->security_index
!= RXRPC_SECURITY_RXKAD
)
728 plen
= sizeof(*token
->kad
) + v1
->ticket_length
;
729 ret
= key_payload_reserve(key
, plen
+ sizeof(*token
));
734 token
= kzalloc(sizeof(*token
), GFP_KERNEL
);
737 token
->kad
= kzalloc(plen
, GFP_KERNEL
);
741 token
->security_index
= RXRPC_SECURITY_RXKAD
;
742 token
->kad
->ticket_len
= v1
->ticket_length
;
743 token
->kad
->expiry
= v1
->expiry
;
744 token
->kad
->kvno
= v1
->kvno
;
745 memcpy(&token
->kad
->session_key
, &v1
->session_key
, 8);
746 memcpy(&token
->kad
->ticket
, v1
->ticket
, v1
->ticket_length
);
748 /* attach the data */
749 key
->type_data
.x
[0]++;
751 pp
= (struct rxrpc_key_token
**)&key
->payload
.data
;
755 if (token
->kad
->expiry
< key
->expiry
)
756 key
->expiry
= token
->kad
->expiry
;
767 * instantiate a server secret key
768 * data should be a pointer to the 8-byte secret key
770 static int rxrpc_instantiate_s(struct key
*key
, const void *data
,
773 struct crypto_blkcipher
*ci
;
775 _enter("{%x},,%zu", key_serial(key
), datalen
);
780 memcpy(&key
->type_data
, data
, 8);
782 ci
= crypto_alloc_blkcipher("pcbc(des)", 0, CRYPTO_ALG_ASYNC
);
784 _leave(" = %ld", PTR_ERR(ci
));
788 if (crypto_blkcipher_setkey(ci
, data
, 8) < 0)
791 key
->payload
.data
= ci
;
797 * dispose of the data dangling from the corpse of a rxrpc key
799 static void rxrpc_destroy(struct key
*key
)
801 struct rxrpc_key_token
*token
;
803 while ((token
= key
->payload
.data
)) {
804 key
->payload
.data
= token
->next
;
805 switch (token
->security_index
) {
806 case RXRPC_SECURITY_RXKAD
:
809 case RXRPC_SECURITY_RXK5
:
811 rxrpc_rxk5_free(token
->k5
);
814 printk(KERN_ERR
"Unknown token type %x on rxrpc key\n",
815 token
->security_index
);
824 * dispose of the data dangling from the corpse of a rxrpc key
826 static void rxrpc_destroy_s(struct key
*key
)
828 if (key
->payload
.data
) {
829 crypto_free_blkcipher(key
->payload
.data
);
830 key
->payload
.data
= NULL
;
835 * describe the rxrpc key
837 static void rxrpc_describe(const struct key
*key
, struct seq_file
*m
)
839 seq_puts(m
, key
->description
);
843 * grab the security key for a socket
845 int rxrpc_request_key(struct rxrpc_sock
*rx
, char __user
*optval
, int optlen
)
852 if (optlen
<= 0 || optlen
> PAGE_SIZE
- 1)
855 description
= kmalloc(optlen
+ 1, GFP_KERNEL
);
859 if (copy_from_user(description
, optval
, optlen
)) {
863 description
[optlen
] = 0;
865 key
= request_key(&key_type_rxrpc
, description
, NULL
);
868 _leave(" = %ld", PTR_ERR(key
));
874 _leave(" = 0 [key %x]", key
->serial
);
879 * grab the security keyring for a server socket
881 int rxrpc_server_keyring(struct rxrpc_sock
*rx
, char __user
*optval
,
889 if (optlen
<= 0 || optlen
> PAGE_SIZE
- 1)
892 description
= kmalloc(optlen
+ 1, GFP_KERNEL
);
896 if (copy_from_user(description
, optval
, optlen
)) {
900 description
[optlen
] = 0;
902 key
= request_key(&key_type_keyring
, description
, NULL
);
905 _leave(" = %ld", PTR_ERR(key
));
909 rx
->securities
= key
;
911 _leave(" = 0 [key %x]", key
->serial
);
916 * generate a server data key
918 int rxrpc_get_server_data_key(struct rxrpc_connection
*conn
,
919 const void *session_key
,
923 const struct cred
*cred
= current_cred();
929 struct rxrpc_key_data_v1 v1
;
934 key
= key_alloc(&key_type_rxrpc
, "x", 0, 0, cred
, 0,
935 KEY_ALLOC_NOT_IN_QUOTA
);
937 _leave(" = -ENOMEM [alloc %ld]", PTR_ERR(key
));
941 _debug("key %d", key_serial(key
));
944 data
.v1
.security_index
= RXRPC_SECURITY_RXKAD
;
945 data
.v1
.ticket_length
= 0;
946 data
.v1
.expiry
= expiry
;
949 memcpy(&data
.v1
.session_key
, session_key
, sizeof(data
.v1
.session_key
));
951 ret
= key_instantiate_and_link(key
, &data
, sizeof(data
), NULL
, NULL
);
956 _leave(" = 0 [%d]", key_serial(key
));
962 _leave(" = -ENOMEM [ins %d]", ret
);
965 EXPORT_SYMBOL(rxrpc_get_server_data_key
);
968 * rxrpc_get_null_key - Generate a null RxRPC key
969 * @keyname: The name to give the key.
971 * Generate a null RxRPC key that can be used to indicate anonymous security is
972 * required for a particular domain.
974 struct key
*rxrpc_get_null_key(const char *keyname
)
976 const struct cred
*cred
= current_cred();
980 key
= key_alloc(&key_type_rxrpc
, keyname
, 0, 0, cred
,
981 KEY_POS_SEARCH
, KEY_ALLOC_NOT_IN_QUOTA
);
985 ret
= key_instantiate_and_link(key
, NULL
, 0, NULL
, NULL
);
994 EXPORT_SYMBOL(rxrpc_get_null_key
);
997 * read the contents of an rxrpc key
998 * - this returns the result in XDR form
1000 static long rxrpc_read(const struct key
*key
,
1001 char __user
*buffer
, size_t buflen
)
1003 const struct rxrpc_key_token
*token
;
1004 const struct krb5_principal
*princ
;
1006 __be32 __user
*xdr
, *oldxdr
;
1007 u32 cnlen
, toksize
, ntoks
, tok
, zero
;
1008 u16 toksizes
[AFSTOKEN_MAX
];
1013 /* we don't know what form we should return non-AFS keys in */
1014 if (memcmp(key
->description
, "afs@", 4) != 0)
1016 cnlen
= strlen(key
->description
+ 4);
1018 #define RND(X) (((X) + 3) & ~3)
1020 /* AFS keys we return in XDR form, so we need to work out the size of
1022 size
= 2 * 4; /* flags, cellname len */
1023 size
+= RND(cnlen
); /* cellname */
1024 size
+= 1 * 4; /* token count */
1027 for (token
= key
->payload
.data
; token
; token
= token
->next
) {
1028 toksize
= 4; /* sec index */
1030 switch (token
->security_index
) {
1031 case RXRPC_SECURITY_RXKAD
:
1032 toksize
+= 8 * 4; /* viceid, kvno, key*2, begin,
1033 * end, primary, tktlen */
1034 toksize
+= RND(token
->kad
->ticket_len
);
1037 case RXRPC_SECURITY_RXK5
:
1038 princ
= &token
->k5
->client
;
1039 toksize
+= 4 + princ
->n_name_parts
* 4;
1040 for (loop
= 0; loop
< princ
->n_name_parts
; loop
++)
1041 toksize
+= RND(strlen(princ
->name_parts
[loop
]));
1042 toksize
+= 4 + RND(strlen(princ
->realm
));
1044 princ
= &token
->k5
->server
;
1045 toksize
+= 4 + princ
->n_name_parts
* 4;
1046 for (loop
= 0; loop
< princ
->n_name_parts
; loop
++)
1047 toksize
+= RND(strlen(princ
->name_parts
[loop
]));
1048 toksize
+= 4 + RND(strlen(princ
->realm
));
1050 toksize
+= 8 + RND(token
->k5
->session
.data_len
);
1052 toksize
+= 4 * 8 + 2 * 4;
1054 toksize
+= 4 + token
->k5
->n_addresses
* 8;
1055 for (loop
= 0; loop
< token
->k5
->n_addresses
; loop
++)
1056 toksize
+= RND(token
->k5
->addresses
[loop
].data_len
);
1058 toksize
+= 4 + RND(token
->k5
->ticket_len
);
1059 toksize
+= 4 + RND(token
->k5
->ticket2_len
);
1061 toksize
+= 4 + token
->k5
->n_authdata
* 8;
1062 for (loop
= 0; loop
< token
->k5
->n_authdata
; loop
++)
1063 toksize
+= RND(token
->k5
->authdata
[loop
].data_len
);
1066 default: /* we have a ticket we can't encode */
1071 _debug("token[%u]: toksize=%u", ntoks
, toksize
);
1072 ASSERTCMP(toksize
, <=, AFSTOKEN_LENGTH_MAX
);
1074 toksizes
[ntoks
++] = toksize
;
1075 size
+= toksize
+ 4; /* each token has a length word */
1080 if (!buffer
|| buflen
< size
)
1083 xdr
= (__be32 __user
*) buffer
;
1087 __be32 y = htonl(x); \
1088 if (put_user(y, xdr++) < 0) \
1091 #define ENCODE_DATA(l, s) \
1095 if (copy_to_user(xdr, (s), _l) != 0) \
1098 copy_to_user((u8 *)xdr + _l, &zero, 4 - (_l & 3)) != 0) \
1100 xdr += (_l + 3) >> 2; \
1102 #define ENCODE64(x) \
1104 __be64 y = cpu_to_be64(x); \
1105 if (copy_to_user(xdr, &y, 8) != 0) \
1109 #define ENCODE_STR(s) \
1111 const char *_s = (s); \
1112 ENCODE_DATA(strlen(_s), _s); \
1115 ENCODE(0); /* flags */
1116 ENCODE_DATA(cnlen
, key
->description
+ 4); /* cellname */
1120 for (token
= key
->payload
.data
; token
; token
= token
->next
) {
1121 toksize
= toksizes
[tok
++];
1124 ENCODE(token
->security_index
);
1126 switch (token
->security_index
) {
1127 case RXRPC_SECURITY_RXKAD
:
1128 ENCODE(token
->kad
->vice_id
);
1129 ENCODE(token
->kad
->kvno
);
1130 ENCODE_DATA(8, token
->kad
->session_key
);
1131 ENCODE(token
->kad
->start
);
1132 ENCODE(token
->kad
->expiry
);
1133 ENCODE(token
->kad
->primary_flag
);
1134 ENCODE_DATA(token
->kad
->ticket_len
, token
->kad
->ticket
);
1137 case RXRPC_SECURITY_RXK5
:
1138 princ
= &token
->k5
->client
;
1139 ENCODE(princ
->n_name_parts
);
1140 for (loop
= 0; loop
< princ
->n_name_parts
; loop
++)
1141 ENCODE_STR(princ
->name_parts
[loop
]);
1142 ENCODE_STR(princ
->realm
);
1144 princ
= &token
->k5
->server
;
1145 ENCODE(princ
->n_name_parts
);
1146 for (loop
= 0; loop
< princ
->n_name_parts
; loop
++)
1147 ENCODE_STR(princ
->name_parts
[loop
]);
1148 ENCODE_STR(princ
->realm
);
1150 ENCODE(token
->k5
->session
.tag
);
1151 ENCODE_DATA(token
->k5
->session
.data_len
,
1152 token
->k5
->session
.data
);
1154 ENCODE64(token
->k5
->authtime
);
1155 ENCODE64(token
->k5
->starttime
);
1156 ENCODE64(token
->k5
->endtime
);
1157 ENCODE64(token
->k5
->renew_till
);
1158 ENCODE(token
->k5
->is_skey
);
1159 ENCODE(token
->k5
->flags
);
1161 ENCODE(token
->k5
->n_addresses
);
1162 for (loop
= 0; loop
< token
->k5
->n_addresses
; loop
++) {
1163 ENCODE(token
->k5
->addresses
[loop
].tag
);
1164 ENCODE_DATA(token
->k5
->addresses
[loop
].data_len
,
1165 token
->k5
->addresses
[loop
].data
);
1168 ENCODE_DATA(token
->k5
->ticket_len
, token
->k5
->ticket
);
1169 ENCODE_DATA(token
->k5
->ticket2_len
, token
->k5
->ticket2
);
1171 ENCODE(token
->k5
->n_authdata
);
1172 for (loop
= 0; loop
< token
->k5
->n_authdata
; loop
++) {
1173 ENCODE(token
->k5
->authdata
[loop
].tag
);
1174 ENCODE_DATA(token
->k5
->authdata
[loop
].data_len
,
1175 token
->k5
->authdata
[loop
].data
);
1184 ASSERTCMP((unsigned long)xdr
- (unsigned long)oldxdr
, ==,
1193 ASSERTCMP(tok
, ==, ntoks
);
1194 ASSERTCMP((char __user
*) xdr
- buffer
, ==, size
);
1195 _leave(" = %zu", size
);
1199 _leave(" = -EFAULT");