xref: /openbmc/linux/net/rxrpc/rxkad.c (revision 6fa24b41)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Kerberos-based RxRPC security
3  *
4  * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
5  * Written by David Howells (dhowells@redhat.com)
6  */
7 
8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9 
10 #include <crypto/skcipher.h>
11 #include <linux/module.h>
12 #include <linux/net.h>
13 #include <linux/skbuff.h>
14 #include <linux/udp.h>
15 #include <linux/scatterlist.h>
16 #include <linux/ctype.h>
17 #include <linux/slab.h>
18 #include <linux/key-type.h>
19 #include <net/sock.h>
20 #include <net/af_rxrpc.h>
21 #include <keys/rxrpc-type.h>
22 #include "ar-internal.h"
23 
24 #define RXKAD_VERSION			2
25 #define MAXKRB5TICKETLEN		1024
26 #define RXKAD_TKT_TYPE_KERBEROS_V5	256
27 #define ANAME_SZ			40	/* size of authentication name */
28 #define INST_SZ				40	/* size of principal's instance */
29 #define REALM_SZ			40	/* size of principal's auth domain */
30 #define SNAME_SZ			40	/* size of service name */
31 #define RXKAD_ALIGN			8
32 
33 struct rxkad_level1_hdr {
34 	__be32	data_size;	/* true data size (excluding padding) */
35 };
36 
37 struct rxkad_level2_hdr {
38 	__be32	data_size;	/* true data size (excluding padding) */
39 	__be32	checksum;	/* decrypted data checksum */
40 };
41 
42 static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
43 				       struct crypto_sync_skcipher *ci);
44 
45 /*
46  * this holds a pinned cipher so that keventd doesn't get called by the cipher
47  * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
48  * packets
49  */
50 static struct crypto_sync_skcipher *rxkad_ci;
51 static struct skcipher_request *rxkad_ci_req;
52 static DEFINE_MUTEX(rxkad_ci_mutex);
53 
54 /*
55  * Parse the information from a server key
56  *
57  * The data should be the 8-byte secret key.
58  */
59 static int rxkad_preparse_server_key(struct key_preparsed_payload *prep)
60 {
61 	struct crypto_skcipher *ci;
62 
63 	if (prep->datalen != 8)
64 		return -EINVAL;
65 
66 	memcpy(&prep->payload.data[2], prep->data, 8);
67 
68 	ci = crypto_alloc_skcipher("pcbc(des)", 0, CRYPTO_ALG_ASYNC);
69 	if (IS_ERR(ci)) {
70 		_leave(" = %ld", PTR_ERR(ci));
71 		return PTR_ERR(ci);
72 	}
73 
74 	if (crypto_skcipher_setkey(ci, prep->data, 8) < 0)
75 		BUG();
76 
77 	prep->payload.data[0] = ci;
78 	_leave(" = 0");
79 	return 0;
80 }
81 
82 static void rxkad_free_preparse_server_key(struct key_preparsed_payload *prep)
83 {
84 
85 	if (prep->payload.data[0])
86 		crypto_free_skcipher(prep->payload.data[0]);
87 }
88 
89 static void rxkad_destroy_server_key(struct key *key)
90 {
91 	if (key->payload.data[0]) {
92 		crypto_free_skcipher(key->payload.data[0]);
93 		key->payload.data[0] = NULL;
94 	}
95 }
96 
97 /*
98  * initialise connection security
99  */
100 static int rxkad_init_connection_security(struct rxrpc_connection *conn,
101 					  struct rxrpc_key_token *token)
102 {
103 	struct crypto_sync_skcipher *ci;
104 	int ret;
105 
106 	_enter("{%d},{%x}", conn->debug_id, key_serial(conn->key));
107 
108 	conn->security_ix = token->security_index;
109 
110 	ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
111 	if (IS_ERR(ci)) {
112 		_debug("no cipher");
113 		ret = PTR_ERR(ci);
114 		goto error;
115 	}
116 
117 	if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
118 				   sizeof(token->kad->session_key)) < 0)
119 		BUG();
120 
121 	switch (conn->security_level) {
122 	case RXRPC_SECURITY_PLAIN:
123 	case RXRPC_SECURITY_AUTH:
124 	case RXRPC_SECURITY_ENCRYPT:
125 		break;
126 	default:
127 		ret = -EKEYREJECTED;
128 		goto error;
129 	}
130 
131 	ret = rxkad_prime_packet_security(conn, ci);
132 	if (ret < 0)
133 		goto error_ci;
134 
135 	conn->rxkad.cipher = ci;
136 	return 0;
137 
138 error_ci:
139 	crypto_free_sync_skcipher(ci);
140 error:
141 	_leave(" = %d", ret);
142 	return ret;
143 }
144 
145 /*
146  * Work out how much data we can put in a packet.
147  */
148 static int rxkad_how_much_data(struct rxrpc_call *call, size_t remain,
149 			       size_t *_buf_size, size_t *_data_size, size_t *_offset)
150 {
151 	size_t shdr, buf_size, chunk;
152 
153 	switch (call->conn->security_level) {
154 	default:
155 		buf_size = chunk = min_t(size_t, remain, RXRPC_JUMBO_DATALEN);
156 		shdr = 0;
157 		goto out;
158 	case RXRPC_SECURITY_AUTH:
159 		shdr = sizeof(struct rxkad_level1_hdr);
160 		break;
161 	case RXRPC_SECURITY_ENCRYPT:
162 		shdr = sizeof(struct rxkad_level2_hdr);
163 		break;
164 	}
165 
166 	buf_size = round_down(RXRPC_JUMBO_DATALEN, RXKAD_ALIGN);
167 
168 	chunk = buf_size - shdr;
169 	if (remain < chunk)
170 		buf_size = round_up(shdr + remain, RXKAD_ALIGN);
171 
172 out:
173 	*_buf_size = buf_size;
174 	*_data_size = chunk;
175 	*_offset = shdr;
176 	return 0;
177 }
178 
179 /*
180  * prime the encryption state with the invariant parts of a connection's
181  * description
182  */
183 static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
184 				       struct crypto_sync_skcipher *ci)
185 {
186 	struct skcipher_request *req;
187 	struct rxrpc_key_token *token;
188 	struct scatterlist sg;
189 	struct rxrpc_crypt iv;
190 	__be32 *tmpbuf;
191 	size_t tmpsize = 4 * sizeof(__be32);
192 
193 	_enter("");
194 
195 	if (!conn->key)
196 		return 0;
197 
198 	tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
199 	if (!tmpbuf)
200 		return -ENOMEM;
201 
202 	req = skcipher_request_alloc(&ci->base, GFP_NOFS);
203 	if (!req) {
204 		kfree(tmpbuf);
205 		return -ENOMEM;
206 	}
207 
208 	token = conn->key->payload.data[0];
209 	memcpy(&iv, token->kad->session_key, sizeof(iv));
210 
211 	tmpbuf[0] = htonl(conn->proto.epoch);
212 	tmpbuf[1] = htonl(conn->proto.cid);
213 	tmpbuf[2] = 0;
214 	tmpbuf[3] = htonl(conn->security_ix);
215 
216 	sg_init_one(&sg, tmpbuf, tmpsize);
217 	skcipher_request_set_sync_tfm(req, ci);
218 	skcipher_request_set_callback(req, 0, NULL, NULL);
219 	skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
220 	crypto_skcipher_encrypt(req);
221 	skcipher_request_free(req);
222 
223 	memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv));
224 	kfree(tmpbuf);
225 	_leave(" = 0");
226 	return 0;
227 }
228 
229 /*
230  * Allocate and prepare the crypto request on a call.  For any particular call,
231  * this is called serially for the packets, so no lock should be necessary.
232  */
233 static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call)
234 {
235 	struct crypto_skcipher *tfm = &call->conn->rxkad.cipher->base;
236 
237 	return skcipher_request_alloc(tfm, GFP_NOFS);
238 }
239 
240 /*
241  * Clean up the crypto on a call.
242  */
243 static void rxkad_free_call_crypto(struct rxrpc_call *call)
244 {
245 }
246 
247 /*
248  * partially encrypt a packet (level 1 security)
249  */
250 static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
251 				    struct rxrpc_txbuf *txb,
252 				    struct skcipher_request *req)
253 {
254 	struct rxkad_level1_hdr *hdr = (void *)txb->data;
255 	struct rxrpc_crypt iv;
256 	struct scatterlist sg;
257 	size_t pad;
258 	u16 check;
259 
260 	_enter("");
261 
262 	check = txb->seq ^ call->call_id;
263 	hdr->data_size = htonl((u32)check << 16 | txb->len);
264 
265 	txb->len += sizeof(struct rxkad_level1_hdr);
266 	pad = txb->len;
267 	pad = RXKAD_ALIGN - pad;
268 	pad &= RXKAD_ALIGN - 1;
269 	if (pad) {
270 		memset(txb->data + txb->offset, 0, pad);
271 		txb->len += pad;
272 	}
273 
274 	/* start the encryption afresh */
275 	memset(&iv, 0, sizeof(iv));
276 
277 	sg_init_one(&sg, txb->data, 8);
278 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
279 	skcipher_request_set_callback(req, 0, NULL, NULL);
280 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
281 	crypto_skcipher_encrypt(req);
282 	skcipher_request_zero(req);
283 
284 	_leave(" = 0");
285 	return 0;
286 }
287 
288 /*
289  * wholly encrypt a packet (level 2 security)
290  */
291 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
292 				       struct rxrpc_txbuf *txb,
293 				       struct skcipher_request *req)
294 {
295 	const struct rxrpc_key_token *token;
296 	struct rxkad_level2_hdr *rxkhdr = (void *)txb->data;
297 	struct rxrpc_crypt iv;
298 	struct scatterlist sg;
299 	size_t pad;
300 	u16 check;
301 	int ret;
302 
303 	_enter("");
304 
305 	check = txb->seq ^ call->call_id;
306 
307 	rxkhdr->data_size = htonl(txb->len | (u32)check << 16);
308 	rxkhdr->checksum = 0;
309 
310 	txb->len += sizeof(struct rxkad_level2_hdr);
311 	pad = txb->len;
312 	pad = RXKAD_ALIGN - pad;
313 	pad &= RXKAD_ALIGN - 1;
314 	if (pad) {
315 		memset(txb->data + txb->offset, 0, pad);
316 		txb->len += pad;
317 	}
318 
319 	/* encrypt from the session key */
320 	token = call->conn->key->payload.data[0];
321 	memcpy(&iv, token->kad->session_key, sizeof(iv));
322 
323 	sg_init_one(&sg, txb->data, txb->len);
324 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
325 	skcipher_request_set_callback(req, 0, NULL, NULL);
326 	skcipher_request_set_crypt(req, &sg, &sg, txb->len, iv.x);
327 	ret = crypto_skcipher_encrypt(req);
328 	skcipher_request_zero(req);
329 	return ret;
330 }
331 
332 /*
333  * checksum an RxRPC packet header
334  */
335 static int rxkad_secure_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb)
336 {
337 	struct skcipher_request	*req;
338 	struct rxrpc_crypt iv;
339 	struct scatterlist sg;
340 	union {
341 		__be32 buf[2];
342 	} crypto __aligned(8);
343 	u32 x, y;
344 	int ret;
345 
346 	_enter("{%d{%x}},{#%u},%u,",
347 	       call->debug_id, key_serial(call->conn->key),
348 	       txb->seq, txb->len);
349 
350 	if (!call->conn->rxkad.cipher)
351 		return 0;
352 
353 	ret = key_validate(call->conn->key);
354 	if (ret < 0)
355 		return ret;
356 
357 	req = rxkad_get_call_crypto(call);
358 	if (!req)
359 		return -ENOMEM;
360 
361 	/* continue encrypting from where we left off */
362 	memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
363 
364 	/* calculate the security checksum */
365 	x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
366 	x |= txb->seq & 0x3fffffff;
367 	crypto.buf[0] = htonl(call->call_id);
368 	crypto.buf[1] = htonl(x);
369 
370 	sg_init_one(&sg, crypto.buf, 8);
371 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
372 	skcipher_request_set_callback(req, 0, NULL, NULL);
373 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
374 	crypto_skcipher_encrypt(req);
375 	skcipher_request_zero(req);
376 
377 	y = ntohl(crypto.buf[1]);
378 	y = (y >> 16) & 0xffff;
379 	if (y == 0)
380 		y = 1; /* zero checksums are not permitted */
381 	txb->wire.cksum = htons(y);
382 
383 	switch (call->conn->security_level) {
384 	case RXRPC_SECURITY_PLAIN:
385 		ret = 0;
386 		break;
387 	case RXRPC_SECURITY_AUTH:
388 		ret = rxkad_secure_packet_auth(call, txb, req);
389 		break;
390 	case RXRPC_SECURITY_ENCRYPT:
391 		ret = rxkad_secure_packet_encrypt(call, txb, req);
392 		break;
393 	default:
394 		ret = -EPERM;
395 		break;
396 	}
397 
398 	skcipher_request_free(req);
399 	_leave(" = %d [set %x]", ret, y);
400 	return ret;
401 }
402 
403 /*
404  * decrypt partial encryption on a packet (level 1 security)
405  */
406 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
407 				 rxrpc_seq_t seq,
408 				 struct skcipher_request *req)
409 {
410 	struct rxkad_level1_hdr sechdr;
411 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
412 	struct rxrpc_crypt iv;
413 	struct scatterlist sg[16];
414 	u32 data_size, buf;
415 	u16 check;
416 	int ret;
417 
418 	_enter("");
419 
420 	if (sp->len < 8)
421 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
422 					  rxkad_abort_1_short_header);
423 
424 	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
425 	 * directly into the target buffer.
426 	 */
427 	sg_init_table(sg, ARRAY_SIZE(sg));
428 	ret = skb_to_sgvec(skb, sg, sp->offset, 8);
429 	if (unlikely(ret < 0))
430 		return ret;
431 
432 	/* start the decryption afresh */
433 	memset(&iv, 0, sizeof(iv));
434 
435 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
436 	skcipher_request_set_callback(req, 0, NULL, NULL);
437 	skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
438 	crypto_skcipher_decrypt(req);
439 	skcipher_request_zero(req);
440 
441 	/* Extract the decrypted packet length */
442 	if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
443 		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
444 					  rxkad_abort_1_short_encdata);
445 	sp->offset += sizeof(sechdr);
446 	sp->len    -= sizeof(sechdr);
447 
448 	buf = ntohl(sechdr.data_size);
449 	data_size = buf & 0xffff;
450 
451 	check = buf >> 16;
452 	check ^= seq ^ call->call_id;
453 	check &= 0xffff;
454 	if (check != 0)
455 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
456 					  rxkad_abort_1_short_check);
457 	if (data_size > sp->len)
458 		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
459 					  rxkad_abort_1_short_data);
460 	sp->len = data_size;
461 
462 	_leave(" = 0 [dlen=%x]", data_size);
463 	return 0;
464 }
465 
466 /*
467  * wholly decrypt a packet (level 2 security)
468  */
469 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
470 				 rxrpc_seq_t seq,
471 				 struct skcipher_request *req)
472 {
473 	const struct rxrpc_key_token *token;
474 	struct rxkad_level2_hdr sechdr;
475 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
476 	struct rxrpc_crypt iv;
477 	struct scatterlist _sg[4], *sg;
478 	u32 data_size, buf;
479 	u16 check;
480 	int nsg, ret;
481 
482 	_enter(",{%d}", sp->len);
483 
484 	if (sp->len < 8)
485 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
486 					  rxkad_abort_2_short_header);
487 
488 	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
489 	 * directly into the target buffer.
490 	 */
491 	sg = _sg;
492 	nsg = skb_shinfo(skb)->nr_frags + 1;
493 	if (nsg <= 4) {
494 		nsg = 4;
495 	} else {
496 		sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
497 		if (!sg)
498 			return -ENOMEM;
499 	}
500 
501 	sg_init_table(sg, nsg);
502 	ret = skb_to_sgvec(skb, sg, sp->offset, sp->len);
503 	if (unlikely(ret < 0)) {
504 		if (sg != _sg)
505 			kfree(sg);
506 		return ret;
507 	}
508 
509 	/* decrypt from the session key */
510 	token = call->conn->key->payload.data[0];
511 	memcpy(&iv, token->kad->session_key, sizeof(iv));
512 
513 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
514 	skcipher_request_set_callback(req, 0, NULL, NULL);
515 	skcipher_request_set_crypt(req, sg, sg, sp->len, iv.x);
516 	crypto_skcipher_decrypt(req);
517 	skcipher_request_zero(req);
518 	if (sg != _sg)
519 		kfree(sg);
520 
521 	/* Extract the decrypted packet length */
522 	if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
523 		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
524 					  rxkad_abort_2_short_len);
525 	sp->offset += sizeof(sechdr);
526 	sp->len    -= sizeof(sechdr);
527 
528 	buf = ntohl(sechdr.data_size);
529 	data_size = buf & 0xffff;
530 
531 	check = buf >> 16;
532 	check ^= seq ^ call->call_id;
533 	check &= 0xffff;
534 	if (check != 0)
535 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
536 					  rxkad_abort_2_short_check);
537 
538 	if (data_size > sp->len)
539 		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
540 					  rxkad_abort_2_short_data);
541 
542 	sp->len = data_size;
543 	_leave(" = 0 [dlen=%x]", data_size);
544 	return 0;
545 }
546 
547 /*
548  * Verify the security on a received packet and the subpackets therein.
549  */
550 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb)
551 {
552 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
553 	struct skcipher_request	*req;
554 	struct rxrpc_crypt iv;
555 	struct scatterlist sg;
556 	union {
557 		__be32 buf[2];
558 	} crypto __aligned(8);
559 	rxrpc_seq_t seq = sp->hdr.seq;
560 	int ret;
561 	u16 cksum;
562 	u32 x, y;
563 
564 	_enter("{%d{%x}},{#%u}",
565 	       call->debug_id, key_serial(call->conn->key), seq);
566 
567 	if (!call->conn->rxkad.cipher)
568 		return 0;
569 
570 	req = rxkad_get_call_crypto(call);
571 	if (!req)
572 		return -ENOMEM;
573 
574 	/* continue encrypting from where we left off */
575 	memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
576 
577 	/* validate the security checksum */
578 	x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
579 	x |= seq & 0x3fffffff;
580 	crypto.buf[0] = htonl(call->call_id);
581 	crypto.buf[1] = htonl(x);
582 
583 	sg_init_one(&sg, crypto.buf, 8);
584 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
585 	skcipher_request_set_callback(req, 0, NULL, NULL);
586 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
587 	crypto_skcipher_encrypt(req);
588 	skcipher_request_zero(req);
589 
590 	y = ntohl(crypto.buf[1]);
591 	cksum = (y >> 16) & 0xffff;
592 	if (cksum == 0)
593 		cksum = 1; /* zero checksums are not permitted */
594 
595 	if (cksum != sp->hdr.cksum) {
596 		ret = rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
597 					 rxkad_abort_bad_checksum);
598 		goto out;
599 	}
600 
601 	switch (call->conn->security_level) {
602 	case RXRPC_SECURITY_PLAIN:
603 		ret = 0;
604 		break;
605 	case RXRPC_SECURITY_AUTH:
606 		ret = rxkad_verify_packet_1(call, skb, seq, req);
607 		break;
608 	case RXRPC_SECURITY_ENCRYPT:
609 		ret = rxkad_verify_packet_2(call, skb, seq, req);
610 		break;
611 	default:
612 		ret = -ENOANO;
613 		break;
614 	}
615 
616 out:
617 	skcipher_request_free(req);
618 	return ret;
619 }
620 
621 /*
622  * issue a challenge
623  */
624 static int rxkad_issue_challenge(struct rxrpc_connection *conn)
625 {
626 	struct rxkad_challenge challenge;
627 	struct rxrpc_wire_header whdr;
628 	struct msghdr msg;
629 	struct kvec iov[2];
630 	size_t len;
631 	u32 serial;
632 	int ret;
633 
634 	_enter("{%d}", conn->debug_id);
635 
636 	get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce));
637 
638 	challenge.version	= htonl(2);
639 	challenge.nonce		= htonl(conn->rxkad.nonce);
640 	challenge.min_level	= htonl(0);
641 	challenge.__padding	= 0;
642 
643 	msg.msg_name	= &conn->peer->srx.transport;
644 	msg.msg_namelen	= conn->peer->srx.transport_len;
645 	msg.msg_control	= NULL;
646 	msg.msg_controllen = 0;
647 	msg.msg_flags	= 0;
648 
649 	whdr.epoch	= htonl(conn->proto.epoch);
650 	whdr.cid	= htonl(conn->proto.cid);
651 	whdr.callNumber	= 0;
652 	whdr.seq	= 0;
653 	whdr.type	= RXRPC_PACKET_TYPE_CHALLENGE;
654 	whdr.flags	= conn->out_clientflag;
655 	whdr.userStatus	= 0;
656 	whdr.securityIndex = conn->security_ix;
657 	whdr._rsvd	= 0;
658 	whdr.serviceId	= htons(conn->service_id);
659 
660 	iov[0].iov_base	= &whdr;
661 	iov[0].iov_len	= sizeof(whdr);
662 	iov[1].iov_base	= &challenge;
663 	iov[1].iov_len	= sizeof(challenge);
664 
665 	len = iov[0].iov_len + iov[1].iov_len;
666 
667 	serial = rxrpc_get_next_serial(conn);
668 	whdr.serial = htonl(serial);
669 
670 	ret = kernel_sendmsg(conn->local->socket, &msg, iov, 2, len);
671 	if (ret < 0) {
672 		trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
673 				    rxrpc_tx_point_rxkad_challenge);
674 		return -EAGAIN;
675 	}
676 
677 	conn->peer->last_tx_at = ktime_get_seconds();
678 	trace_rxrpc_tx_packet(conn->debug_id, &whdr,
679 			      rxrpc_tx_point_rxkad_challenge);
680 	_leave(" = 0");
681 	return 0;
682 }
683 
684 /*
685  * send a Kerberos security response
686  */
687 static int rxkad_send_response(struct rxrpc_connection *conn,
688 			       struct rxrpc_host_header *hdr,
689 			       struct rxkad_response *resp,
690 			       const struct rxkad_key *s2)
691 {
692 	struct rxrpc_wire_header whdr;
693 	struct msghdr msg;
694 	struct kvec iov[3];
695 	size_t len;
696 	u32 serial;
697 	int ret;
698 
699 	_enter("");
700 
701 	msg.msg_name	= &conn->peer->srx.transport;
702 	msg.msg_namelen	= conn->peer->srx.transport_len;
703 	msg.msg_control	= NULL;
704 	msg.msg_controllen = 0;
705 	msg.msg_flags	= 0;
706 
707 	memset(&whdr, 0, sizeof(whdr));
708 	whdr.epoch	= htonl(hdr->epoch);
709 	whdr.cid	= htonl(hdr->cid);
710 	whdr.type	= RXRPC_PACKET_TYPE_RESPONSE;
711 	whdr.flags	= conn->out_clientflag;
712 	whdr.securityIndex = hdr->securityIndex;
713 	whdr.serviceId	= htons(hdr->serviceId);
714 
715 	iov[0].iov_base	= &whdr;
716 	iov[0].iov_len	= sizeof(whdr);
717 	iov[1].iov_base	= resp;
718 	iov[1].iov_len	= sizeof(*resp);
719 	iov[2].iov_base	= (void *)s2->ticket;
720 	iov[2].iov_len	= s2->ticket_len;
721 
722 	len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
723 
724 	serial = rxrpc_get_next_serial(conn);
725 	whdr.serial = htonl(serial);
726 
727 	rxrpc_local_dont_fragment(conn->local, false);
728 	ret = kernel_sendmsg(conn->local->socket, &msg, iov, 3, len);
729 	rxrpc_local_dont_fragment(conn->local, true);
730 	if (ret < 0) {
731 		trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
732 				    rxrpc_tx_point_rxkad_response);
733 		return -EAGAIN;
734 	}
735 
736 	conn->peer->last_tx_at = ktime_get_seconds();
737 	_leave(" = 0");
738 	return 0;
739 }
740 
741 /*
742  * calculate the response checksum
743  */
744 static void rxkad_calc_response_checksum(struct rxkad_response *response)
745 {
746 	u32 csum = 1000003;
747 	int loop;
748 	u8 *p = (u8 *) response;
749 
750 	for (loop = sizeof(*response); loop > 0; loop--)
751 		csum = csum * 0x10204081 + *p++;
752 
753 	response->encrypted.checksum = htonl(csum);
754 }
755 
756 /*
757  * encrypt the response packet
758  */
759 static int rxkad_encrypt_response(struct rxrpc_connection *conn,
760 				  struct rxkad_response *resp,
761 				  const struct rxkad_key *s2)
762 {
763 	struct skcipher_request *req;
764 	struct rxrpc_crypt iv;
765 	struct scatterlist sg[1];
766 
767 	req = skcipher_request_alloc(&conn->rxkad.cipher->base, GFP_NOFS);
768 	if (!req)
769 		return -ENOMEM;
770 
771 	/* continue encrypting from where we left off */
772 	memcpy(&iv, s2->session_key, sizeof(iv));
773 
774 	sg_init_table(sg, 1);
775 	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
776 	skcipher_request_set_sync_tfm(req, conn->rxkad.cipher);
777 	skcipher_request_set_callback(req, 0, NULL, NULL);
778 	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
779 	crypto_skcipher_encrypt(req);
780 	skcipher_request_free(req);
781 	return 0;
782 }
783 
784 /*
785  * respond to a challenge packet
786  */
787 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
788 				      struct sk_buff *skb)
789 {
790 	const struct rxrpc_key_token *token;
791 	struct rxkad_challenge challenge;
792 	struct rxkad_response *resp;
793 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
794 	u32 version, nonce, min_level;
795 	int ret = -EPROTO;
796 
797 	_enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
798 
799 	if (!conn->key)
800 		return rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO,
801 					rxkad_abort_chall_no_key);
802 
803 	ret = key_validate(conn->key);
804 	if (ret < 0)
805 		return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
806 					rxkad_abort_chall_key_expired);
807 
808 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
809 			  &challenge, sizeof(challenge)) < 0)
810 		return rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
811 					rxkad_abort_chall_short);
812 
813 	version = ntohl(challenge.version);
814 	nonce = ntohl(challenge.nonce);
815 	min_level = ntohl(challenge.min_level);
816 
817 	trace_rxrpc_rx_challenge(conn, sp->hdr.serial, version, nonce, min_level);
818 
819 	if (version != RXKAD_VERSION)
820 		return rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
821 					rxkad_abort_chall_version);
822 
823 	if (conn->security_level < min_level)
824 		return rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EACCES,
825 					rxkad_abort_chall_level);
826 
827 	token = conn->key->payload.data[0];
828 
829 	/* build the response packet */
830 	resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
831 	if (!resp)
832 		return -ENOMEM;
833 
834 	resp->version			= htonl(RXKAD_VERSION);
835 	resp->encrypted.epoch		= htonl(conn->proto.epoch);
836 	resp->encrypted.cid		= htonl(conn->proto.cid);
837 	resp->encrypted.securityIndex	= htonl(conn->security_ix);
838 	resp->encrypted.inc_nonce	= htonl(nonce + 1);
839 	resp->encrypted.level		= htonl(conn->security_level);
840 	resp->kvno			= htonl(token->kad->kvno);
841 	resp->ticket_len		= htonl(token->kad->ticket_len);
842 	resp->encrypted.call_id[0]	= htonl(conn->channels[0].call_counter);
843 	resp->encrypted.call_id[1]	= htonl(conn->channels[1].call_counter);
844 	resp->encrypted.call_id[2]	= htonl(conn->channels[2].call_counter);
845 	resp->encrypted.call_id[3]	= htonl(conn->channels[3].call_counter);
846 
847 	/* calculate the response checksum and then do the encryption */
848 	rxkad_calc_response_checksum(resp);
849 	ret = rxkad_encrypt_response(conn, resp, token->kad);
850 	if (ret == 0)
851 		ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad);
852 	kfree(resp);
853 	return ret;
854 }
855 
856 /*
857  * decrypt the kerberos IV ticket in the response
858  */
859 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
860 				struct key *server_key,
861 				struct sk_buff *skb,
862 				void *ticket, size_t ticket_len,
863 				struct rxrpc_crypt *_session_key,
864 				time64_t *_expiry)
865 {
866 	struct skcipher_request *req;
867 	struct rxrpc_crypt iv, key;
868 	struct scatterlist sg[1];
869 	struct in_addr addr;
870 	unsigned int life;
871 	time64_t issue, now;
872 	bool little_endian;
873 	u8 *p, *q, *name, *end;
874 
875 	_enter("{%d},{%x}", conn->debug_id, key_serial(server_key));
876 
877 	*_expiry = 0;
878 
879 	ASSERT(server_key->payload.data[0] != NULL);
880 	ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
881 
882 	memcpy(&iv, &server_key->payload.data[2], sizeof(iv));
883 
884 	req = skcipher_request_alloc(server_key->payload.data[0], GFP_NOFS);
885 	if (!req)
886 		return -ENOMEM;
887 
888 	sg_init_one(&sg[0], ticket, ticket_len);
889 	skcipher_request_set_callback(req, 0, NULL, NULL);
890 	skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
891 	crypto_skcipher_decrypt(req);
892 	skcipher_request_free(req);
893 
894 	p = ticket;
895 	end = p + ticket_len;
896 
897 #define Z(field, fieldl)						\
898 	({								\
899 		u8 *__str = p;						\
900 		q = memchr(p, 0, end - p);				\
901 		if (!q || q - p > field##_SZ)				\
902 			return rxrpc_abort_conn(			\
903 				conn, skb, RXKADBADTICKET, -EPROTO,	\
904 				rxkad_abort_resp_tkt_##fieldl);		\
905 		for (; p < q; p++)					\
906 			if (!isprint(*p))				\
907 				return rxrpc_abort_conn(		\
908 					conn, skb, RXKADBADTICKET, -EPROTO, \
909 					rxkad_abort_resp_tkt_##fieldl);	\
910 		p++;							\
911 		__str;							\
912 	})
913 
914 	/* extract the ticket flags */
915 	_debug("KIV FLAGS: %x", *p);
916 	little_endian = *p & 1;
917 	p++;
918 
919 	/* extract the authentication name */
920 	name = Z(ANAME, aname);
921 	_debug("KIV ANAME: %s", name);
922 
923 	/* extract the principal's instance */
924 	name = Z(INST, inst);
925 	_debug("KIV INST : %s", name);
926 
927 	/* extract the principal's authentication domain */
928 	name = Z(REALM, realm);
929 	_debug("KIV REALM: %s", name);
930 
931 	if (end - p < 4 + 8 + 4 + 2)
932 		return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO,
933 					rxkad_abort_resp_tkt_short);
934 
935 	/* get the IPv4 address of the entity that requested the ticket */
936 	memcpy(&addr, p, sizeof(addr));
937 	p += 4;
938 	_debug("KIV ADDR : %pI4", &addr);
939 
940 	/* get the session key from the ticket */
941 	memcpy(&key, p, sizeof(key));
942 	p += 8;
943 	_debug("KIV KEY  : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
944 	memcpy(_session_key, &key, sizeof(key));
945 
946 	/* get the ticket's lifetime */
947 	life = *p++ * 5 * 60;
948 	_debug("KIV LIFE : %u", life);
949 
950 	/* get the issue time of the ticket */
951 	if (little_endian) {
952 		__le32 stamp;
953 		memcpy(&stamp, p, 4);
954 		issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
955 	} else {
956 		__be32 stamp;
957 		memcpy(&stamp, p, 4);
958 		issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
959 	}
960 	p += 4;
961 	now = ktime_get_real_seconds();
962 	_debug("KIV ISSUE: %llx [%llx]", issue, now);
963 
964 	/* check the ticket is in date */
965 	if (issue > now)
966 		return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, -EKEYREJECTED,
967 					rxkad_abort_resp_tkt_future);
968 	if (issue < now - life)
969 		return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, -EKEYEXPIRED,
970 					rxkad_abort_resp_tkt_expired);
971 
972 	*_expiry = issue + life;
973 
974 	/* get the service name */
975 	name = Z(SNAME, sname);
976 	_debug("KIV SNAME: %s", name);
977 
978 	/* get the service instance name */
979 	name = Z(INST, sinst);
980 	_debug("KIV SINST: %s", name);
981 	return 0;
982 }
983 
984 /*
985  * decrypt the response packet
986  */
987 static void rxkad_decrypt_response(struct rxrpc_connection *conn,
988 				   struct rxkad_response *resp,
989 				   const struct rxrpc_crypt *session_key)
990 {
991 	struct skcipher_request *req = rxkad_ci_req;
992 	struct scatterlist sg[1];
993 	struct rxrpc_crypt iv;
994 
995 	_enter(",,%08x%08x",
996 	       ntohl(session_key->n[0]), ntohl(session_key->n[1]));
997 
998 	mutex_lock(&rxkad_ci_mutex);
999 	if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
1000 					sizeof(*session_key)) < 0)
1001 		BUG();
1002 
1003 	memcpy(&iv, session_key, sizeof(iv));
1004 
1005 	sg_init_table(sg, 1);
1006 	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1007 	skcipher_request_set_sync_tfm(req, rxkad_ci);
1008 	skcipher_request_set_callback(req, 0, NULL, NULL);
1009 	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1010 	crypto_skcipher_decrypt(req);
1011 	skcipher_request_zero(req);
1012 
1013 	mutex_unlock(&rxkad_ci_mutex);
1014 
1015 	_leave("");
1016 }
1017 
1018 /*
1019  * verify a response
1020  */
1021 static int rxkad_verify_response(struct rxrpc_connection *conn,
1022 				 struct sk_buff *skb)
1023 {
1024 	struct rxkad_response *response;
1025 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1026 	struct rxrpc_crypt session_key;
1027 	struct key *server_key;
1028 	time64_t expiry;
1029 	void *ticket;
1030 	u32 version, kvno, ticket_len, level;
1031 	__be32 csum;
1032 	int ret, i;
1033 
1034 	_enter("{%d}", conn->debug_id);
1035 
1036 	server_key = rxrpc_look_up_server_security(conn, skb, 0, 0);
1037 	if (IS_ERR(server_key)) {
1038 		ret = PTR_ERR(server_key);
1039 		switch (ret) {
1040 		case -ENOKEY:
1041 			return rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, ret,
1042 						rxkad_abort_resp_nokey);
1043 		case -EKEYEXPIRED:
1044 			return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
1045 						rxkad_abort_resp_key_expired);
1046 		default:
1047 			return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, ret,
1048 						rxkad_abort_resp_key_rejected);
1049 		}
1050 	}
1051 
1052 	ret = -ENOMEM;
1053 	response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1054 	if (!response)
1055 		goto temporary_error;
1056 
1057 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1058 			  response, sizeof(*response)) < 0) {
1059 		rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1060 				 rxkad_abort_resp_short);
1061 		goto protocol_error;
1062 	}
1063 
1064 	version = ntohl(response->version);
1065 	ticket_len = ntohl(response->ticket_len);
1066 	kvno = ntohl(response->kvno);
1067 
1068 	trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len);
1069 
1070 	if (version != RXKAD_VERSION) {
1071 		rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
1072 				 rxkad_abort_resp_version);
1073 		goto protocol_error;
1074 	}
1075 
1076 	if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) {
1077 		rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO,
1078 				 rxkad_abort_resp_tkt_len);
1079 		goto protocol_error;
1080 	}
1081 
1082 	if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) {
1083 		rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO,
1084 				 rxkad_abort_resp_unknown_tkt);
1085 		goto protocol_error;
1086 	}
1087 
1088 	/* extract the kerberos ticket and decrypt and decode it */
1089 	ret = -ENOMEM;
1090 	ticket = kmalloc(ticket_len, GFP_NOFS);
1091 	if (!ticket)
1092 		goto temporary_error_free_resp;
1093 
1094 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response),
1095 			  ticket, ticket_len) < 0) {
1096 		rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1097 				 rxkad_abort_resp_short_tkt);
1098 		goto protocol_error;
1099 	}
1100 
1101 	ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len,
1102 				   &session_key, &expiry);
1103 	if (ret < 0)
1104 		goto temporary_error_free_ticket;
1105 
1106 	/* use the session key from inside the ticket to decrypt the
1107 	 * response */
1108 	rxkad_decrypt_response(conn, response, &session_key);
1109 
1110 	if (ntohl(response->encrypted.epoch) != conn->proto.epoch ||
1111 	    ntohl(response->encrypted.cid) != conn->proto.cid ||
1112 	    ntohl(response->encrypted.securityIndex) != conn->security_ix) {
1113 		rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1114 				 rxkad_abort_resp_bad_param);
1115 		goto protocol_error_free;
1116 	}
1117 
1118 	csum = response->encrypted.checksum;
1119 	response->encrypted.checksum = 0;
1120 	rxkad_calc_response_checksum(response);
1121 	if (response->encrypted.checksum != csum) {
1122 		rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1123 				 rxkad_abort_resp_bad_checksum);
1124 		goto protocol_error_free;
1125 	}
1126 
1127 	for (i = 0; i < RXRPC_MAXCALLS; i++) {
1128 		u32 call_id = ntohl(response->encrypted.call_id[i]);
1129 		u32 counter = READ_ONCE(conn->channels[i].call_counter);
1130 
1131 		if (call_id > INT_MAX) {
1132 			rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1133 					 rxkad_abort_resp_bad_callid);
1134 			goto protocol_error_free;
1135 		}
1136 
1137 		if (call_id < counter) {
1138 			rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1139 					 rxkad_abort_resp_call_ctr);
1140 			goto protocol_error_free;
1141 		}
1142 
1143 		if (call_id > counter) {
1144 			if (conn->channels[i].call) {
1145 				rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1146 						 rxkad_abort_resp_call_state);
1147 				goto protocol_error_free;
1148 			}
1149 			conn->channels[i].call_counter = call_id;
1150 		}
1151 	}
1152 
1153 	if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) {
1154 		rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO,
1155 				 rxkad_abort_resp_ooseq);
1156 		goto protocol_error_free;
1157 	}
1158 
1159 	level = ntohl(response->encrypted.level);
1160 	if (level > RXRPC_SECURITY_ENCRYPT) {
1161 		rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO,
1162 				 rxkad_abort_resp_level);
1163 		goto protocol_error_free;
1164 	}
1165 	conn->security_level = level;
1166 
1167 	/* create a key to hold the security data and expiration time - after
1168 	 * this the connection security can be handled in exactly the same way
1169 	 * as for a client connection */
1170 	ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1171 	if (ret < 0)
1172 		goto temporary_error_free_ticket;
1173 
1174 	kfree(ticket);
1175 	kfree(response);
1176 	_leave(" = 0");
1177 	return 0;
1178 
1179 protocol_error_free:
1180 	kfree(ticket);
1181 protocol_error:
1182 	kfree(response);
1183 	key_put(server_key);
1184 	return -EPROTO;
1185 
1186 temporary_error_free_ticket:
1187 	kfree(ticket);
1188 temporary_error_free_resp:
1189 	kfree(response);
1190 temporary_error:
1191 	/* Ignore the response packet if we got a temporary error such as
1192 	 * ENOMEM.  We just want to send the challenge again.  Note that we
1193 	 * also come out this way if the ticket decryption fails.
1194 	 */
1195 	key_put(server_key);
1196 	return ret;
1197 }
1198 
1199 /*
1200  * clear the connection security
1201  */
1202 static void rxkad_clear(struct rxrpc_connection *conn)
1203 {
1204 	_enter("");
1205 
1206 	if (conn->rxkad.cipher)
1207 		crypto_free_sync_skcipher(conn->rxkad.cipher);
1208 }
1209 
1210 /*
1211  * Initialise the rxkad security service.
1212  */
1213 static int rxkad_init(void)
1214 {
1215 	struct crypto_sync_skcipher *tfm;
1216 	struct skcipher_request *req;
1217 
1218 	/* pin the cipher we need so that the crypto layer doesn't invoke
1219 	 * keventd to go get it */
1220 	tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
1221 	if (IS_ERR(tfm))
1222 		return PTR_ERR(tfm);
1223 
1224 	req = skcipher_request_alloc(&tfm->base, GFP_KERNEL);
1225 	if (!req)
1226 		goto nomem_tfm;
1227 
1228 	rxkad_ci_req = req;
1229 	rxkad_ci = tfm;
1230 	return 0;
1231 
1232 nomem_tfm:
1233 	crypto_free_sync_skcipher(tfm);
1234 	return -ENOMEM;
1235 }
1236 
1237 /*
1238  * Clean up the rxkad security service.
1239  */
1240 static void rxkad_exit(void)
1241 {
1242 	crypto_free_sync_skcipher(rxkad_ci);
1243 	skcipher_request_free(rxkad_ci_req);
1244 }
1245 
1246 /*
1247  * RxRPC Kerberos-based security
1248  */
1249 const struct rxrpc_security rxkad = {
1250 	.name				= "rxkad",
1251 	.security_index			= RXRPC_SECURITY_RXKAD,
1252 	.no_key_abort			= RXKADUNKNOWNKEY,
1253 	.init				= rxkad_init,
1254 	.exit				= rxkad_exit,
1255 	.preparse_server_key		= rxkad_preparse_server_key,
1256 	.free_preparse_server_key	= rxkad_free_preparse_server_key,
1257 	.destroy_server_key		= rxkad_destroy_server_key,
1258 	.init_connection_security	= rxkad_init_connection_security,
1259 	.how_much_data			= rxkad_how_much_data,
1260 	.secure_packet			= rxkad_secure_packet,
1261 	.verify_packet			= rxkad_verify_packet,
1262 	.free_call_crypto		= rxkad_free_call_crypto,
1263 	.issue_challenge		= rxkad_issue_challenge,
1264 	.respond_to_challenge		= rxkad_respond_to_challenge,
1265 	.verify_response		= rxkad_verify_response,
1266 	.clear				= rxkad_clear,
1267 };
1268