xref: /openbmc/linux/net/rxrpc/rxkad.c (revision 436396f2)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Kerberos-based RxRPC security
3  *
4  * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
5  * Written by David Howells (dhowells@redhat.com)
6  */
7 
8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9 
10 #include <crypto/skcipher.h>
11 #include <linux/module.h>
12 #include <linux/net.h>
13 #include <linux/skbuff.h>
14 #include <linux/udp.h>
15 #include <linux/scatterlist.h>
16 #include <linux/ctype.h>
17 #include <linux/slab.h>
18 #include <linux/key-type.h>
19 #include <net/sock.h>
20 #include <net/af_rxrpc.h>
21 #include <keys/rxrpc-type.h>
22 #include "ar-internal.h"
23 
24 #define RXKAD_VERSION			2
25 #define MAXKRB5TICKETLEN		1024
26 #define RXKAD_TKT_TYPE_KERBEROS_V5	256
27 #define ANAME_SZ			40	/* size of authentication name */
28 #define INST_SZ				40	/* size of principal's instance */
29 #define REALM_SZ			40	/* size of principal's auth domain */
30 #define SNAME_SZ			40	/* size of service name */
31 #define RXKAD_ALIGN			8
32 
33 struct rxkad_level1_hdr {
34 	__be32	data_size;	/* true data size (excluding padding) */
35 };
36 
37 struct rxkad_level2_hdr {
38 	__be32	data_size;	/* true data size (excluding padding) */
39 	__be32	checksum;	/* decrypted data checksum */
40 };
41 
42 static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
43 				       struct crypto_sync_skcipher *ci);
44 
45 /*
46  * this holds a pinned cipher so that keventd doesn't get called by the cipher
47  * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
48  * packets
49  */
50 static struct crypto_sync_skcipher *rxkad_ci;
51 static struct skcipher_request *rxkad_ci_req;
52 static DEFINE_MUTEX(rxkad_ci_mutex);
53 
54 /*
55  * Parse the information from a server key
56  *
57  * The data should be the 8-byte secret key.
58  */
59 static int rxkad_preparse_server_key(struct key_preparsed_payload *prep)
60 {
61 	struct crypto_skcipher *ci;
62 
63 	if (prep->datalen != 8)
64 		return -EINVAL;
65 
66 	memcpy(&prep->payload.data[2], prep->data, 8);
67 
68 	ci = crypto_alloc_skcipher("pcbc(des)", 0, CRYPTO_ALG_ASYNC);
69 	if (IS_ERR(ci)) {
70 		_leave(" = %ld", PTR_ERR(ci));
71 		return PTR_ERR(ci);
72 	}
73 
74 	if (crypto_skcipher_setkey(ci, prep->data, 8) < 0)
75 		BUG();
76 
77 	prep->payload.data[0] = ci;
78 	_leave(" = 0");
79 	return 0;
80 }
81 
82 static void rxkad_free_preparse_server_key(struct key_preparsed_payload *prep)
83 {
84 
85 	if (prep->payload.data[0])
86 		crypto_free_skcipher(prep->payload.data[0]);
87 }
88 
89 static void rxkad_destroy_server_key(struct key *key)
90 {
91 	if (key->payload.data[0]) {
92 		crypto_free_skcipher(key->payload.data[0]);
93 		key->payload.data[0] = NULL;
94 	}
95 }
96 
97 /*
98  * initialise connection security
99  */
100 static int rxkad_init_connection_security(struct rxrpc_connection *conn,
101 					  struct rxrpc_key_token *token)
102 {
103 	struct crypto_sync_skcipher *ci;
104 	int ret;
105 
106 	_enter("{%d},{%x}", conn->debug_id, key_serial(conn->key));
107 
108 	conn->security_ix = token->security_index;
109 
110 	ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
111 	if (IS_ERR(ci)) {
112 		_debug("no cipher");
113 		ret = PTR_ERR(ci);
114 		goto error;
115 	}
116 
117 	if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
118 				   sizeof(token->kad->session_key)) < 0)
119 		BUG();
120 
121 	switch (conn->security_level) {
122 	case RXRPC_SECURITY_PLAIN:
123 	case RXRPC_SECURITY_AUTH:
124 	case RXRPC_SECURITY_ENCRYPT:
125 		break;
126 	default:
127 		ret = -EKEYREJECTED;
128 		goto error;
129 	}
130 
131 	ret = rxkad_prime_packet_security(conn, ci);
132 	if (ret < 0)
133 		goto error_ci;
134 
135 	conn->rxkad.cipher = ci;
136 	return 0;
137 
138 error_ci:
139 	crypto_free_sync_skcipher(ci);
140 error:
141 	_leave(" = %d", ret);
142 	return ret;
143 }
144 
145 /*
146  * Work out how much data we can put in a packet.
147  */
148 static int rxkad_how_much_data(struct rxrpc_call *call, size_t remain,
149 			       size_t *_buf_size, size_t *_data_size, size_t *_offset)
150 {
151 	size_t shdr, buf_size, chunk;
152 
153 	switch (call->conn->security_level) {
154 	default:
155 		buf_size = chunk = min_t(size_t, remain, RXRPC_JUMBO_DATALEN);
156 		shdr = 0;
157 		goto out;
158 	case RXRPC_SECURITY_AUTH:
159 		shdr = sizeof(struct rxkad_level1_hdr);
160 		break;
161 	case RXRPC_SECURITY_ENCRYPT:
162 		shdr = sizeof(struct rxkad_level2_hdr);
163 		break;
164 	}
165 
166 	buf_size = round_down(RXRPC_JUMBO_DATALEN, RXKAD_ALIGN);
167 
168 	chunk = buf_size - shdr;
169 	if (remain < chunk)
170 		buf_size = round_up(shdr + remain, RXKAD_ALIGN);
171 
172 out:
173 	*_buf_size = buf_size;
174 	*_data_size = chunk;
175 	*_offset = shdr;
176 	return 0;
177 }
178 
179 /*
180  * prime the encryption state with the invariant parts of a connection's
181  * description
182  */
183 static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
184 				       struct crypto_sync_skcipher *ci)
185 {
186 	struct skcipher_request *req;
187 	struct rxrpc_key_token *token;
188 	struct scatterlist sg;
189 	struct rxrpc_crypt iv;
190 	__be32 *tmpbuf;
191 	size_t tmpsize = 4 * sizeof(__be32);
192 
193 	_enter("");
194 
195 	if (!conn->key)
196 		return 0;
197 
198 	tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
199 	if (!tmpbuf)
200 		return -ENOMEM;
201 
202 	req = skcipher_request_alloc(&ci->base, GFP_NOFS);
203 	if (!req) {
204 		kfree(tmpbuf);
205 		return -ENOMEM;
206 	}
207 
208 	token = conn->key->payload.data[0];
209 	memcpy(&iv, token->kad->session_key, sizeof(iv));
210 
211 	tmpbuf[0] = htonl(conn->proto.epoch);
212 	tmpbuf[1] = htonl(conn->proto.cid);
213 	tmpbuf[2] = 0;
214 	tmpbuf[3] = htonl(conn->security_ix);
215 
216 	sg_init_one(&sg, tmpbuf, tmpsize);
217 	skcipher_request_set_sync_tfm(req, ci);
218 	skcipher_request_set_callback(req, 0, NULL, NULL);
219 	skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
220 	crypto_skcipher_encrypt(req);
221 	skcipher_request_free(req);
222 
223 	memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv));
224 	kfree(tmpbuf);
225 	_leave(" = 0");
226 	return 0;
227 }
228 
229 /*
230  * Allocate and prepare the crypto request on a call.  For any particular call,
231  * this is called serially for the packets, so no lock should be necessary.
232  */
233 static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call)
234 {
235 	struct crypto_skcipher *tfm = &call->conn->rxkad.cipher->base;
236 
237 	return skcipher_request_alloc(tfm, GFP_NOFS);
238 }
239 
240 /*
241  * Clean up the crypto on a call.
242  */
243 static void rxkad_free_call_crypto(struct rxrpc_call *call)
244 {
245 }
246 
247 /*
248  * partially encrypt a packet (level 1 security)
249  */
250 static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
251 				    struct rxrpc_txbuf *txb,
252 				    struct skcipher_request *req)
253 {
254 	struct rxkad_level1_hdr *hdr = (void *)txb->data;
255 	struct rxrpc_crypt iv;
256 	struct scatterlist sg;
257 	size_t pad;
258 	u16 check;
259 
260 	_enter("");
261 
262 	check = txb->seq ^ ntohl(txb->wire.callNumber);
263 	hdr->data_size = htonl((u32)check << 16 | txb->len);
264 
265 	txb->len += sizeof(struct rxkad_level1_hdr);
266 	pad = txb->len;
267 	pad = RXKAD_ALIGN - pad;
268 	pad &= RXKAD_ALIGN - 1;
269 	if (pad) {
270 		memset(txb->data + txb->offset, 0, pad);
271 		txb->len += pad;
272 	}
273 
274 	/* start the encryption afresh */
275 	memset(&iv, 0, sizeof(iv));
276 
277 	sg_init_one(&sg, txb->data, 8);
278 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
279 	skcipher_request_set_callback(req, 0, NULL, NULL);
280 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
281 	crypto_skcipher_encrypt(req);
282 	skcipher_request_zero(req);
283 
284 	_leave(" = 0");
285 	return 0;
286 }
287 
288 /*
289  * wholly encrypt a packet (level 2 security)
290  */
291 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
292 				       struct rxrpc_txbuf *txb,
293 				       struct skcipher_request *req)
294 {
295 	const struct rxrpc_key_token *token;
296 	struct rxkad_level2_hdr *rxkhdr = (void *)txb->data;
297 	struct rxrpc_crypt iv;
298 	struct scatterlist sg;
299 	size_t pad;
300 	u16 check;
301 	int ret;
302 
303 	_enter("");
304 
305 	check = txb->seq ^ ntohl(txb->wire.callNumber);
306 
307 	rxkhdr->data_size = htonl(txb->len | (u32)check << 16);
308 	rxkhdr->checksum = 0;
309 
310 	txb->len += sizeof(struct rxkad_level2_hdr);
311 	pad = txb->len;
312 	pad = RXKAD_ALIGN - pad;
313 	pad &= RXKAD_ALIGN - 1;
314 	if (pad) {
315 		memset(txb->data + txb->offset, 0, pad);
316 		txb->len += pad;
317 	}
318 
319 	/* encrypt from the session key */
320 	token = call->conn->key->payload.data[0];
321 	memcpy(&iv, token->kad->session_key, sizeof(iv));
322 
323 	sg_init_one(&sg, txb->data, txb->len);
324 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
325 	skcipher_request_set_callback(req, 0, NULL, NULL);
326 	skcipher_request_set_crypt(req, &sg, &sg, txb->len, iv.x);
327 	ret = crypto_skcipher_encrypt(req);
328 	skcipher_request_zero(req);
329 	return ret;
330 }
331 
332 /*
333  * checksum an RxRPC packet header
334  */
335 static int rxkad_secure_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb)
336 {
337 	struct skcipher_request	*req;
338 	struct rxrpc_crypt iv;
339 	struct scatterlist sg;
340 	union {
341 		__be32 buf[2];
342 	} crypto __aligned(8);
343 	u32 x, y;
344 	int ret;
345 
346 	_enter("{%d{%x}},{#%u},%u,",
347 	       call->debug_id, key_serial(call->conn->key),
348 	       txb->seq, txb->len);
349 
350 	if (!call->conn->rxkad.cipher)
351 		return 0;
352 
353 	ret = key_validate(call->conn->key);
354 	if (ret < 0)
355 		return ret;
356 
357 	req = rxkad_get_call_crypto(call);
358 	if (!req)
359 		return -ENOMEM;
360 
361 	/* continue encrypting from where we left off */
362 	memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
363 
364 	/* calculate the security checksum */
365 	x = (ntohl(txb->wire.cid) & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
366 	x |= txb->seq & 0x3fffffff;
367 	crypto.buf[0] = txb->wire.callNumber;
368 	crypto.buf[1] = htonl(x);
369 
370 	sg_init_one(&sg, crypto.buf, 8);
371 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
372 	skcipher_request_set_callback(req, 0, NULL, NULL);
373 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
374 	crypto_skcipher_encrypt(req);
375 	skcipher_request_zero(req);
376 
377 	y = ntohl(crypto.buf[1]);
378 	y = (y >> 16) & 0xffff;
379 	if (y == 0)
380 		y = 1; /* zero checksums are not permitted */
381 	txb->wire.cksum = htons(y);
382 
383 	switch (call->conn->security_level) {
384 	case RXRPC_SECURITY_PLAIN:
385 		ret = 0;
386 		break;
387 	case RXRPC_SECURITY_AUTH:
388 		ret = rxkad_secure_packet_auth(call, txb, req);
389 		break;
390 	case RXRPC_SECURITY_ENCRYPT:
391 		ret = rxkad_secure_packet_encrypt(call, txb, req);
392 		break;
393 	default:
394 		ret = -EPERM;
395 		break;
396 	}
397 
398 	skcipher_request_free(req);
399 	_leave(" = %d [set %x]", ret, y);
400 	return ret;
401 }
402 
403 /*
404  * decrypt partial encryption on a packet (level 1 security)
405  */
406 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
407 				 rxrpc_seq_t seq,
408 				 struct skcipher_request *req)
409 {
410 	struct rxkad_level1_hdr sechdr;
411 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
412 	struct rxrpc_crypt iv;
413 	struct scatterlist sg[16];
414 	u32 data_size, buf;
415 	u16 check;
416 	int ret;
417 
418 	_enter("");
419 
420 	if (sp->len < 8)
421 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
422 					  rxkad_abort_1_short_header);
423 
424 	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
425 	 * directly into the target buffer.
426 	 */
427 	sg_init_table(sg, ARRAY_SIZE(sg));
428 	ret = skb_to_sgvec(skb, sg, sp->offset, 8);
429 	if (unlikely(ret < 0))
430 		return ret;
431 
432 	/* start the decryption afresh */
433 	memset(&iv, 0, sizeof(iv));
434 
435 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
436 	skcipher_request_set_callback(req, 0, NULL, NULL);
437 	skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
438 	crypto_skcipher_decrypt(req);
439 	skcipher_request_zero(req);
440 
441 	/* Extract the decrypted packet length */
442 	if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
443 		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
444 					  rxkad_abort_1_short_encdata);
445 	sp->offset += sizeof(sechdr);
446 	sp->len    -= sizeof(sechdr);
447 
448 	buf = ntohl(sechdr.data_size);
449 	data_size = buf & 0xffff;
450 
451 	check = buf >> 16;
452 	check ^= seq ^ call->call_id;
453 	check &= 0xffff;
454 	if (check != 0)
455 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
456 					  rxkad_abort_1_short_check);
457 	if (data_size > sp->len)
458 		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
459 					  rxkad_abort_1_short_data);
460 	sp->len = data_size;
461 
462 	_leave(" = 0 [dlen=%x]", data_size);
463 	return 0;
464 }
465 
466 /*
467  * wholly decrypt a packet (level 2 security)
468  */
469 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
470 				 rxrpc_seq_t seq,
471 				 struct skcipher_request *req)
472 {
473 	const struct rxrpc_key_token *token;
474 	struct rxkad_level2_hdr sechdr;
475 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
476 	struct rxrpc_crypt iv;
477 	struct scatterlist _sg[4], *sg;
478 	u32 data_size, buf;
479 	u16 check;
480 	int nsg, ret;
481 
482 	_enter(",{%d}", sp->len);
483 
484 	if (sp->len < 8)
485 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
486 					  rxkad_abort_2_short_header);
487 
488 	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
489 	 * directly into the target buffer.
490 	 */
491 	sg = _sg;
492 	nsg = skb_shinfo(skb)->nr_frags + 1;
493 	if (nsg <= 4) {
494 		nsg = 4;
495 	} else {
496 		sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
497 		if (!sg)
498 			return -ENOMEM;
499 	}
500 
501 	sg_init_table(sg, nsg);
502 	ret = skb_to_sgvec(skb, sg, sp->offset, sp->len);
503 	if (unlikely(ret < 0)) {
504 		if (sg != _sg)
505 			kfree(sg);
506 		return ret;
507 	}
508 
509 	/* decrypt from the session key */
510 	token = call->conn->key->payload.data[0];
511 	memcpy(&iv, token->kad->session_key, sizeof(iv));
512 
513 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
514 	skcipher_request_set_callback(req, 0, NULL, NULL);
515 	skcipher_request_set_crypt(req, sg, sg, sp->len, iv.x);
516 	crypto_skcipher_decrypt(req);
517 	skcipher_request_zero(req);
518 	if (sg != _sg)
519 		kfree(sg);
520 
521 	/* Extract the decrypted packet length */
522 	if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
523 		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
524 					  rxkad_abort_2_short_len);
525 	sp->offset += sizeof(sechdr);
526 	sp->len    -= sizeof(sechdr);
527 
528 	buf = ntohl(sechdr.data_size);
529 	data_size = buf & 0xffff;
530 
531 	check = buf >> 16;
532 	check ^= seq ^ call->call_id;
533 	check &= 0xffff;
534 	if (check != 0)
535 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
536 					  rxkad_abort_2_short_check);
537 
538 	if (data_size > sp->len)
539 		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
540 					  rxkad_abort_2_short_data);
541 
542 	sp->len = data_size;
543 	_leave(" = 0 [dlen=%x]", data_size);
544 	return 0;
545 }
546 
547 /*
548  * Verify the security on a received packet and the subpackets therein.
549  */
550 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb)
551 {
552 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
553 	struct skcipher_request	*req;
554 	struct rxrpc_crypt iv;
555 	struct scatterlist sg;
556 	union {
557 		__be32 buf[2];
558 	} crypto __aligned(8);
559 	rxrpc_seq_t seq = sp->hdr.seq;
560 	int ret;
561 	u16 cksum;
562 	u32 x, y;
563 
564 	_enter("{%d{%x}},{#%u}",
565 	       call->debug_id, key_serial(call->conn->key), seq);
566 
567 	if (!call->conn->rxkad.cipher)
568 		return 0;
569 
570 	req = rxkad_get_call_crypto(call);
571 	if (!req)
572 		return -ENOMEM;
573 
574 	/* continue encrypting from where we left off */
575 	memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
576 
577 	/* validate the security checksum */
578 	x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
579 	x |= seq & 0x3fffffff;
580 	crypto.buf[0] = htonl(call->call_id);
581 	crypto.buf[1] = htonl(x);
582 
583 	sg_init_one(&sg, crypto.buf, 8);
584 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
585 	skcipher_request_set_callback(req, 0, NULL, NULL);
586 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
587 	crypto_skcipher_encrypt(req);
588 	skcipher_request_zero(req);
589 
590 	y = ntohl(crypto.buf[1]);
591 	cksum = (y >> 16) & 0xffff;
592 	if (cksum == 0)
593 		cksum = 1; /* zero checksums are not permitted */
594 
595 	if (cksum != sp->hdr.cksum) {
596 		ret = rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
597 					 rxkad_abort_bad_checksum);
598 		goto out;
599 	}
600 
601 	switch (call->conn->security_level) {
602 	case RXRPC_SECURITY_PLAIN:
603 		ret = 0;
604 		break;
605 	case RXRPC_SECURITY_AUTH:
606 		ret = rxkad_verify_packet_1(call, skb, seq, req);
607 		break;
608 	case RXRPC_SECURITY_ENCRYPT:
609 		ret = rxkad_verify_packet_2(call, skb, seq, req);
610 		break;
611 	default:
612 		ret = -ENOANO;
613 		break;
614 	}
615 
616 out:
617 	skcipher_request_free(req);
618 	return ret;
619 }
620 
621 /*
622  * issue a challenge
623  */
624 static int rxkad_issue_challenge(struct rxrpc_connection *conn)
625 {
626 	struct rxkad_challenge challenge;
627 	struct rxrpc_wire_header whdr;
628 	struct msghdr msg;
629 	struct kvec iov[2];
630 	size_t len;
631 	u32 serial;
632 	int ret;
633 
634 	_enter("{%d}", conn->debug_id);
635 
636 	get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce));
637 
638 	challenge.version	= htonl(2);
639 	challenge.nonce		= htonl(conn->rxkad.nonce);
640 	challenge.min_level	= htonl(0);
641 	challenge.__padding	= 0;
642 
643 	msg.msg_name	= &conn->peer->srx.transport;
644 	msg.msg_namelen	= conn->peer->srx.transport_len;
645 	msg.msg_control	= NULL;
646 	msg.msg_controllen = 0;
647 	msg.msg_flags	= 0;
648 
649 	whdr.epoch	= htonl(conn->proto.epoch);
650 	whdr.cid	= htonl(conn->proto.cid);
651 	whdr.callNumber	= 0;
652 	whdr.seq	= 0;
653 	whdr.type	= RXRPC_PACKET_TYPE_CHALLENGE;
654 	whdr.flags	= conn->out_clientflag;
655 	whdr.userStatus	= 0;
656 	whdr.securityIndex = conn->security_ix;
657 	whdr._rsvd	= 0;
658 	whdr.serviceId	= htons(conn->service_id);
659 
660 	iov[0].iov_base	= &whdr;
661 	iov[0].iov_len	= sizeof(whdr);
662 	iov[1].iov_base	= &challenge;
663 	iov[1].iov_len	= sizeof(challenge);
664 
665 	len = iov[0].iov_len + iov[1].iov_len;
666 
667 	serial = atomic_inc_return(&conn->serial);
668 	whdr.serial = htonl(serial);
669 
670 	ret = kernel_sendmsg(conn->local->socket, &msg, iov, 2, len);
671 	if (ret < 0) {
672 		trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
673 				    rxrpc_tx_point_rxkad_challenge);
674 		return -EAGAIN;
675 	}
676 
677 	conn->peer->last_tx_at = ktime_get_seconds();
678 	trace_rxrpc_tx_packet(conn->debug_id, &whdr,
679 			      rxrpc_tx_point_rxkad_challenge);
680 	_leave(" = 0");
681 	return 0;
682 }
683 
684 /*
685  * send a Kerberos security response
686  */
687 static int rxkad_send_response(struct rxrpc_connection *conn,
688 			       struct rxrpc_host_header *hdr,
689 			       struct rxkad_response *resp,
690 			       const struct rxkad_key *s2)
691 {
692 	struct rxrpc_wire_header whdr;
693 	struct msghdr msg;
694 	struct kvec iov[3];
695 	size_t len;
696 	u32 serial;
697 	int ret;
698 
699 	_enter("");
700 
701 	msg.msg_name	= &conn->peer->srx.transport;
702 	msg.msg_namelen	= conn->peer->srx.transport_len;
703 	msg.msg_control	= NULL;
704 	msg.msg_controllen = 0;
705 	msg.msg_flags	= 0;
706 
707 	memset(&whdr, 0, sizeof(whdr));
708 	whdr.epoch	= htonl(hdr->epoch);
709 	whdr.cid	= htonl(hdr->cid);
710 	whdr.type	= RXRPC_PACKET_TYPE_RESPONSE;
711 	whdr.flags	= conn->out_clientflag;
712 	whdr.securityIndex = hdr->securityIndex;
713 	whdr.serviceId	= htons(hdr->serviceId);
714 
715 	iov[0].iov_base	= &whdr;
716 	iov[0].iov_len	= sizeof(whdr);
717 	iov[1].iov_base	= resp;
718 	iov[1].iov_len	= sizeof(*resp);
719 	iov[2].iov_base	= (void *)s2->ticket;
720 	iov[2].iov_len	= s2->ticket_len;
721 
722 	len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
723 
724 	serial = atomic_inc_return(&conn->serial);
725 	whdr.serial = htonl(serial);
726 
727 	ret = kernel_sendmsg(conn->local->socket, &msg, iov, 3, len);
728 	if (ret < 0) {
729 		trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
730 				    rxrpc_tx_point_rxkad_response);
731 		return -EAGAIN;
732 	}
733 
734 	conn->peer->last_tx_at = ktime_get_seconds();
735 	_leave(" = 0");
736 	return 0;
737 }
738 
739 /*
740  * calculate the response checksum
741  */
742 static void rxkad_calc_response_checksum(struct rxkad_response *response)
743 {
744 	u32 csum = 1000003;
745 	int loop;
746 	u8 *p = (u8 *) response;
747 
748 	for (loop = sizeof(*response); loop > 0; loop--)
749 		csum = csum * 0x10204081 + *p++;
750 
751 	response->encrypted.checksum = htonl(csum);
752 }
753 
754 /*
755  * encrypt the response packet
756  */
757 static int rxkad_encrypt_response(struct rxrpc_connection *conn,
758 				  struct rxkad_response *resp,
759 				  const struct rxkad_key *s2)
760 {
761 	struct skcipher_request *req;
762 	struct rxrpc_crypt iv;
763 	struct scatterlist sg[1];
764 
765 	req = skcipher_request_alloc(&conn->rxkad.cipher->base, GFP_NOFS);
766 	if (!req)
767 		return -ENOMEM;
768 
769 	/* continue encrypting from where we left off */
770 	memcpy(&iv, s2->session_key, sizeof(iv));
771 
772 	sg_init_table(sg, 1);
773 	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
774 	skcipher_request_set_sync_tfm(req, conn->rxkad.cipher);
775 	skcipher_request_set_callback(req, 0, NULL, NULL);
776 	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
777 	crypto_skcipher_encrypt(req);
778 	skcipher_request_free(req);
779 	return 0;
780 }
781 
782 /*
783  * respond to a challenge packet
784  */
785 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
786 				      struct sk_buff *skb)
787 {
788 	const struct rxrpc_key_token *token;
789 	struct rxkad_challenge challenge;
790 	struct rxkad_response *resp;
791 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
792 	u32 version, nonce, min_level;
793 	int ret = -EPROTO;
794 
795 	_enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
796 
797 	if (!conn->key)
798 		return rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO,
799 					rxkad_abort_chall_no_key);
800 
801 	ret = key_validate(conn->key);
802 	if (ret < 0)
803 		return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
804 					rxkad_abort_chall_key_expired);
805 
806 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
807 			  &challenge, sizeof(challenge)) < 0)
808 		return rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
809 					rxkad_abort_chall_short);
810 
811 	version = ntohl(challenge.version);
812 	nonce = ntohl(challenge.nonce);
813 	min_level = ntohl(challenge.min_level);
814 
815 	trace_rxrpc_rx_challenge(conn, sp->hdr.serial, version, nonce, min_level);
816 
817 	if (version != RXKAD_VERSION)
818 		return rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
819 					rxkad_abort_chall_version);
820 
821 	if (conn->security_level < min_level)
822 		return rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EACCES,
823 					rxkad_abort_chall_level);
824 
825 	token = conn->key->payload.data[0];
826 
827 	/* build the response packet */
828 	resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
829 	if (!resp)
830 		return -ENOMEM;
831 
832 	resp->version			= htonl(RXKAD_VERSION);
833 	resp->encrypted.epoch		= htonl(conn->proto.epoch);
834 	resp->encrypted.cid		= htonl(conn->proto.cid);
835 	resp->encrypted.securityIndex	= htonl(conn->security_ix);
836 	resp->encrypted.inc_nonce	= htonl(nonce + 1);
837 	resp->encrypted.level		= htonl(conn->security_level);
838 	resp->kvno			= htonl(token->kad->kvno);
839 	resp->ticket_len		= htonl(token->kad->ticket_len);
840 	resp->encrypted.call_id[0]	= htonl(conn->channels[0].call_counter);
841 	resp->encrypted.call_id[1]	= htonl(conn->channels[1].call_counter);
842 	resp->encrypted.call_id[2]	= htonl(conn->channels[2].call_counter);
843 	resp->encrypted.call_id[3]	= htonl(conn->channels[3].call_counter);
844 
845 	/* calculate the response checksum and then do the encryption */
846 	rxkad_calc_response_checksum(resp);
847 	ret = rxkad_encrypt_response(conn, resp, token->kad);
848 	if (ret == 0)
849 		ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad);
850 	kfree(resp);
851 	return ret;
852 }
853 
854 /*
855  * decrypt the kerberos IV ticket in the response
856  */
857 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
858 				struct key *server_key,
859 				struct sk_buff *skb,
860 				void *ticket, size_t ticket_len,
861 				struct rxrpc_crypt *_session_key,
862 				time64_t *_expiry)
863 {
864 	struct skcipher_request *req;
865 	struct rxrpc_crypt iv, key;
866 	struct scatterlist sg[1];
867 	struct in_addr addr;
868 	unsigned int life;
869 	time64_t issue, now;
870 	bool little_endian;
871 	u8 *p, *q, *name, *end;
872 
873 	_enter("{%d},{%x}", conn->debug_id, key_serial(server_key));
874 
875 	*_expiry = 0;
876 
877 	ASSERT(server_key->payload.data[0] != NULL);
878 	ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
879 
880 	memcpy(&iv, &server_key->payload.data[2], sizeof(iv));
881 
882 	req = skcipher_request_alloc(server_key->payload.data[0], GFP_NOFS);
883 	if (!req)
884 		return -ENOMEM;
885 
886 	sg_init_one(&sg[0], ticket, ticket_len);
887 	skcipher_request_set_callback(req, 0, NULL, NULL);
888 	skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
889 	crypto_skcipher_decrypt(req);
890 	skcipher_request_free(req);
891 
892 	p = ticket;
893 	end = p + ticket_len;
894 
895 #define Z(field, fieldl)						\
896 	({								\
897 		u8 *__str = p;						\
898 		q = memchr(p, 0, end - p);				\
899 		if (!q || q - p > field##_SZ)				\
900 			return rxrpc_abort_conn(			\
901 				conn, skb, RXKADBADTICKET, -EPROTO,	\
902 				rxkad_abort_resp_tkt_##fieldl);		\
903 		for (; p < q; p++)					\
904 			if (!isprint(*p))				\
905 				return rxrpc_abort_conn(		\
906 					conn, skb, RXKADBADTICKET, -EPROTO, \
907 					rxkad_abort_resp_tkt_##fieldl);	\
908 		p++;							\
909 		__str;							\
910 	})
911 
912 	/* extract the ticket flags */
913 	_debug("KIV FLAGS: %x", *p);
914 	little_endian = *p & 1;
915 	p++;
916 
917 	/* extract the authentication name */
918 	name = Z(ANAME, aname);
919 	_debug("KIV ANAME: %s", name);
920 
921 	/* extract the principal's instance */
922 	name = Z(INST, inst);
923 	_debug("KIV INST : %s", name);
924 
925 	/* extract the principal's authentication domain */
926 	name = Z(REALM, realm);
927 	_debug("KIV REALM: %s", name);
928 
929 	if (end - p < 4 + 8 + 4 + 2)
930 		return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO,
931 					rxkad_abort_resp_tkt_short);
932 
933 	/* get the IPv4 address of the entity that requested the ticket */
934 	memcpy(&addr, p, sizeof(addr));
935 	p += 4;
936 	_debug("KIV ADDR : %pI4", &addr);
937 
938 	/* get the session key from the ticket */
939 	memcpy(&key, p, sizeof(key));
940 	p += 8;
941 	_debug("KIV KEY  : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
942 	memcpy(_session_key, &key, sizeof(key));
943 
944 	/* get the ticket's lifetime */
945 	life = *p++ * 5 * 60;
946 	_debug("KIV LIFE : %u", life);
947 
948 	/* get the issue time of the ticket */
949 	if (little_endian) {
950 		__le32 stamp;
951 		memcpy(&stamp, p, 4);
952 		issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
953 	} else {
954 		__be32 stamp;
955 		memcpy(&stamp, p, 4);
956 		issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
957 	}
958 	p += 4;
959 	now = ktime_get_real_seconds();
960 	_debug("KIV ISSUE: %llx [%llx]", issue, now);
961 
962 	/* check the ticket is in date */
963 	if (issue > now)
964 		return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, -EKEYREJECTED,
965 					rxkad_abort_resp_tkt_future);
966 	if (issue < now - life)
967 		return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, -EKEYEXPIRED,
968 					rxkad_abort_resp_tkt_expired);
969 
970 	*_expiry = issue + life;
971 
972 	/* get the service name */
973 	name = Z(SNAME, sname);
974 	_debug("KIV SNAME: %s", name);
975 
976 	/* get the service instance name */
977 	name = Z(INST, sinst);
978 	_debug("KIV SINST: %s", name);
979 	return 0;
980 }
981 
982 /*
983  * decrypt the response packet
984  */
985 static void rxkad_decrypt_response(struct rxrpc_connection *conn,
986 				   struct rxkad_response *resp,
987 				   const struct rxrpc_crypt *session_key)
988 {
989 	struct skcipher_request *req = rxkad_ci_req;
990 	struct scatterlist sg[1];
991 	struct rxrpc_crypt iv;
992 
993 	_enter(",,%08x%08x",
994 	       ntohl(session_key->n[0]), ntohl(session_key->n[1]));
995 
996 	mutex_lock(&rxkad_ci_mutex);
997 	if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
998 					sizeof(*session_key)) < 0)
999 		BUG();
1000 
1001 	memcpy(&iv, session_key, sizeof(iv));
1002 
1003 	sg_init_table(sg, 1);
1004 	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1005 	skcipher_request_set_sync_tfm(req, rxkad_ci);
1006 	skcipher_request_set_callback(req, 0, NULL, NULL);
1007 	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1008 	crypto_skcipher_decrypt(req);
1009 	skcipher_request_zero(req);
1010 
1011 	mutex_unlock(&rxkad_ci_mutex);
1012 
1013 	_leave("");
1014 }
1015 
1016 /*
1017  * verify a response
1018  */
1019 static int rxkad_verify_response(struct rxrpc_connection *conn,
1020 				 struct sk_buff *skb)
1021 {
1022 	struct rxkad_response *response;
1023 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1024 	struct rxrpc_crypt session_key;
1025 	struct key *server_key;
1026 	time64_t expiry;
1027 	void *ticket;
1028 	u32 version, kvno, ticket_len, level;
1029 	__be32 csum;
1030 	int ret, i;
1031 
1032 	_enter("{%d}", conn->debug_id);
1033 
1034 	server_key = rxrpc_look_up_server_security(conn, skb, 0, 0);
1035 	if (IS_ERR(server_key)) {
1036 		ret = PTR_ERR(server_key);
1037 		switch (ret) {
1038 		case -ENOKEY:
1039 			return rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, ret,
1040 						rxkad_abort_resp_nokey);
1041 		case -EKEYEXPIRED:
1042 			return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
1043 						rxkad_abort_resp_key_expired);
1044 		default:
1045 			return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, ret,
1046 						rxkad_abort_resp_key_rejected);
1047 		}
1048 	}
1049 
1050 	ret = -ENOMEM;
1051 	response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1052 	if (!response)
1053 		goto temporary_error;
1054 
1055 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1056 			  response, sizeof(*response)) < 0) {
1057 		rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1058 				 rxkad_abort_resp_short);
1059 		goto protocol_error;
1060 	}
1061 
1062 	version = ntohl(response->version);
1063 	ticket_len = ntohl(response->ticket_len);
1064 	kvno = ntohl(response->kvno);
1065 
1066 	trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len);
1067 
1068 	if (version != RXKAD_VERSION) {
1069 		rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
1070 				 rxkad_abort_resp_version);
1071 		goto protocol_error;
1072 	}
1073 
1074 	if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) {
1075 		rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO,
1076 				 rxkad_abort_resp_tkt_len);
1077 		goto protocol_error;
1078 	}
1079 
1080 	if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) {
1081 		rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO,
1082 				 rxkad_abort_resp_unknown_tkt);
1083 		goto protocol_error;
1084 	}
1085 
1086 	/* extract the kerberos ticket and decrypt and decode it */
1087 	ret = -ENOMEM;
1088 	ticket = kmalloc(ticket_len, GFP_NOFS);
1089 	if (!ticket)
1090 		goto temporary_error_free_resp;
1091 
1092 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response),
1093 			  ticket, ticket_len) < 0) {
1094 		rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1095 				 rxkad_abort_resp_short_tkt);
1096 		goto protocol_error;
1097 	}
1098 
1099 	ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len,
1100 				   &session_key, &expiry);
1101 	if (ret < 0)
1102 		goto temporary_error_free_ticket;
1103 
1104 	/* use the session key from inside the ticket to decrypt the
1105 	 * response */
1106 	rxkad_decrypt_response(conn, response, &session_key);
1107 
1108 	if (ntohl(response->encrypted.epoch) != conn->proto.epoch ||
1109 	    ntohl(response->encrypted.cid) != conn->proto.cid ||
1110 	    ntohl(response->encrypted.securityIndex) != conn->security_ix) {
1111 		rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1112 				 rxkad_abort_resp_bad_param);
1113 		goto protocol_error_free;
1114 	}
1115 
1116 	csum = response->encrypted.checksum;
1117 	response->encrypted.checksum = 0;
1118 	rxkad_calc_response_checksum(response);
1119 	if (response->encrypted.checksum != csum) {
1120 		rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1121 				 rxkad_abort_resp_bad_checksum);
1122 		goto protocol_error_free;
1123 	}
1124 
1125 	for (i = 0; i < RXRPC_MAXCALLS; i++) {
1126 		u32 call_id = ntohl(response->encrypted.call_id[i]);
1127 		u32 counter = READ_ONCE(conn->channels[i].call_counter);
1128 
1129 		if (call_id > INT_MAX) {
1130 			rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1131 					 rxkad_abort_resp_bad_callid);
1132 			goto protocol_error_free;
1133 		}
1134 
1135 		if (call_id < counter) {
1136 			rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1137 					 rxkad_abort_resp_call_ctr);
1138 			goto protocol_error_free;
1139 		}
1140 
1141 		if (call_id > counter) {
1142 			if (conn->channels[i].call) {
1143 				rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1144 						 rxkad_abort_resp_call_state);
1145 				goto protocol_error_free;
1146 			}
1147 			conn->channels[i].call_counter = call_id;
1148 		}
1149 	}
1150 
1151 	if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) {
1152 		rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO,
1153 				 rxkad_abort_resp_ooseq);
1154 		goto protocol_error_free;
1155 	}
1156 
1157 	level = ntohl(response->encrypted.level);
1158 	if (level > RXRPC_SECURITY_ENCRYPT) {
1159 		rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO,
1160 				 rxkad_abort_resp_level);
1161 		goto protocol_error_free;
1162 	}
1163 	conn->security_level = level;
1164 
1165 	/* create a key to hold the security data and expiration time - after
1166 	 * this the connection security can be handled in exactly the same way
1167 	 * as for a client connection */
1168 	ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1169 	if (ret < 0)
1170 		goto temporary_error_free_ticket;
1171 
1172 	kfree(ticket);
1173 	kfree(response);
1174 	_leave(" = 0");
1175 	return 0;
1176 
1177 protocol_error_free:
1178 	kfree(ticket);
1179 protocol_error:
1180 	kfree(response);
1181 	key_put(server_key);
1182 	return -EPROTO;
1183 
1184 temporary_error_free_ticket:
1185 	kfree(ticket);
1186 temporary_error_free_resp:
1187 	kfree(response);
1188 temporary_error:
1189 	/* Ignore the response packet if we got a temporary error such as
1190 	 * ENOMEM.  We just want to send the challenge again.  Note that we
1191 	 * also come out this way if the ticket decryption fails.
1192 	 */
1193 	key_put(server_key);
1194 	return ret;
1195 }
1196 
1197 /*
1198  * clear the connection security
1199  */
1200 static void rxkad_clear(struct rxrpc_connection *conn)
1201 {
1202 	_enter("");
1203 
1204 	if (conn->rxkad.cipher)
1205 		crypto_free_sync_skcipher(conn->rxkad.cipher);
1206 }
1207 
1208 /*
1209  * Initialise the rxkad security service.
1210  */
1211 static int rxkad_init(void)
1212 {
1213 	struct crypto_sync_skcipher *tfm;
1214 	struct skcipher_request *req;
1215 
1216 	/* pin the cipher we need so that the crypto layer doesn't invoke
1217 	 * keventd to go get it */
1218 	tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
1219 	if (IS_ERR(tfm))
1220 		return PTR_ERR(tfm);
1221 
1222 	req = skcipher_request_alloc(&tfm->base, GFP_KERNEL);
1223 	if (!req)
1224 		goto nomem_tfm;
1225 
1226 	rxkad_ci_req = req;
1227 	rxkad_ci = tfm;
1228 	return 0;
1229 
1230 nomem_tfm:
1231 	crypto_free_sync_skcipher(tfm);
1232 	return -ENOMEM;
1233 }
1234 
1235 /*
1236  * Clean up the rxkad security service.
1237  */
1238 static void rxkad_exit(void)
1239 {
1240 	crypto_free_sync_skcipher(rxkad_ci);
1241 	skcipher_request_free(rxkad_ci_req);
1242 }
1243 
1244 /*
1245  * RxRPC Kerberos-based security
1246  */
1247 const struct rxrpc_security rxkad = {
1248 	.name				= "rxkad",
1249 	.security_index			= RXRPC_SECURITY_RXKAD,
1250 	.no_key_abort			= RXKADUNKNOWNKEY,
1251 	.init				= rxkad_init,
1252 	.exit				= rxkad_exit,
1253 	.preparse_server_key		= rxkad_preparse_server_key,
1254 	.free_preparse_server_key	= rxkad_free_preparse_server_key,
1255 	.destroy_server_key		= rxkad_destroy_server_key,
1256 	.init_connection_security	= rxkad_init_connection_security,
1257 	.how_much_data			= rxkad_how_much_data,
1258 	.secure_packet			= rxkad_secure_packet,
1259 	.verify_packet			= rxkad_verify_packet,
1260 	.free_call_crypto		= rxkad_free_call_crypto,
1261 	.issue_challenge		= rxkad_issue_challenge,
1262 	.respond_to_challenge		= rxkad_respond_to_challenge,
1263 	.verify_response		= rxkad_verify_response,
1264 	.clear				= rxkad_clear,
1265 };
1266