net/rxrpc/security.c

   1 /* RxRPC security handling
   2  *
   3  * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
   4  * Written by David Howells (dhowells@redhat.com)
   5  *
   6  * This program is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU General Public License
   8  * as published by the Free Software Foundation; either version
   9  * 2 of the License, or (at your option) any later version.
  10  */
  11
  12 #include <linux/module.h>
  13 #include <linux/net.h>
  14 #include <linux/skbuff.h>
  15 #include <linux/udp.h>
  16 #include <linux/crypto.h>
  17 #include <net/sock.h>
  18 #include <net/af_rxrpc.h>
  19 #include <keys/rxrpc-type.h>
  20 #include "ar-internal.h"
  21
  22 static const struct rxrpc_security *rxrpc_security_types[] = {
  23         [RXRPC_SECURITY_NONE]   = &rxrpc_no_security,
  24 #ifdef CONFIG_RXKAD
  25         [RXRPC_SECURITY_RXKAD]  = &rxkad,
  26 #endif
  27 };
  28
  29 int __init rxrpc_init_security(void)
  30 {
  31         int i, ret;
  32
  33         for (i = 0; i < ARRAY_SIZE(rxrpc_security_types); i++) {
  34                 if (rxrpc_security_types[i]) {
  35                         ret = rxrpc_security_types[i]->init();
  36                         if (ret < 0)
  37                                 goto failed;
  38                 }
  39         }
  40
  41         return 0;
  42
  43 failed:
  44         for (i--; i >= 0; i--)
  45                 if (rxrpc_security_types[i])
  46                         rxrpc_security_types[i]->exit();
  47         return ret;
  48 }
  49
  50 void rxrpc_exit_security(void)
  51 {
  52         int i;
  53
  54         for (i = 0; i < ARRAY_SIZE(rxrpc_security_types); i++)
  55                 if (rxrpc_security_types[i])
  56                         rxrpc_security_types[i]->exit();
  57 }
  58
  59 /*
  60  * look up an rxrpc security module
  61  */
  62 static const struct rxrpc_security *rxrpc_security_lookup(u8 security_index)
  63 {
  64         if (security_index >= ARRAY_SIZE(rxrpc_security_types))
  65                 return NULL;
  66         return rxrpc_security_types[security_index];
  67 }
  68
  69 /*
  70  * initialise the security on a client connection
  71  */
  72 int rxrpc_init_client_conn_security(struct rxrpc_connection *conn)
  73 {
  74         const struct rxrpc_security *sec;
  75         struct rxrpc_key_token *token;
  76         struct key *key = conn->params.key;
  77         int ret;
  78
  79         _enter("{%d},{%x}", conn->debug_id, key_serial(key));
  80
  81         if (!key)
  82                 return 0;
  83
  84         ret = key_validate(key);
  85         if (ret < 0)
  86                 return ret;
  87
  88         token = key->payload.data[0];
  89         if (!token)
  90                 return -EKEYREJECTED;
  91
  92         sec = rxrpc_security_lookup(token->security_index);
  93         if (!sec)
  94                 return -EKEYREJECTED;
  95         conn->security = sec;
  96
  97         ret = conn->security->init_connection_security(conn);
  98         if (ret < 0) {
  99                 conn->security = &rxrpc_no_security;
 100                 return ret;
 101         }
 102
 103         _leave(" = 0");
 104         return 0;
 105 }
 106
 107 /*
 108  * initialise the security on a server connection
 109  */
 110 int rxrpc_init_server_conn_security(struct rxrpc_connection *conn)
 111 {
 112         const struct rxrpc_security *sec;
 113         struct rxrpc_local *local = conn->params.local;
 114         struct rxrpc_sock *rx;
 115         struct key *key;
 116         key_ref_t kref;
 117         char kdesc[5 + 1 + 3 + 1];
 118
 119         _enter("");
 120
 121         sprintf(kdesc, "%u:%u", conn->service_id, conn->security_ix);
 122
 123         sec = rxrpc_security_lookup(conn->security_ix);
 124         if (!sec) {
 125                 _leave(" = -ENOKEY [lookup]");
 126                 return -ENOKEY;
 127         }
 128
 129         /* find the service */
 130         read_lock(&local->services_lock);
 131         rx = rcu_dereference_protected(local->service,
 132                                        lockdep_is_held(&local->services_lock));
 133         if (rx && (rx->srx.srx_service == conn->service_id ||
 134                    rx->second_service == conn->service_id))
 135                 goto found_service;
 136
 137         /* the service appears to have died */
 138         read_unlock(&local->services_lock);
 139         _leave(" = -ENOENT");
 140         return -ENOENT;
 141
 142 found_service:
 143         if (!rx->securities) {
 144                 read_unlock(&local->services_lock);
 145                 _leave(" = -ENOKEY");
 146                 return -ENOKEY;
 147         }
 148
 149         /* look through the service's keyring */
 150         kref = keyring_search(make_key_ref(rx->securities, 1UL),
 151                               &key_type_rxrpc_s, kdesc);
 152         if (IS_ERR(kref)) {
 153                 read_unlock(&local->services_lock);
 154                 _leave(" = %ld [search]", PTR_ERR(kref));
 155                 return PTR_ERR(kref);
 156         }
 157
 158         key = key_ref_to_ptr(kref);
 159         read_unlock(&local->services_lock);
 160
 161         conn->server_key = key;
 162         conn->security = sec;
 163
 164         _leave(" = 0");
 165         return 0;
 166 }