rxrpc: Don't leak the service-side session key to userspace

Don't let someone reading a service-side rxrpc-type key get access to the
session key that was exchanged with the client.  The server application
will, at some point, need to be able to read the information in the ticket,
but this probably shouldn't include the key material.

Signed-off-by: David Howells <dhowells@redhat.com>

diff --git a/include/keys/rxrpc-type.h b/include/keys/rxrpc-type.h
index 8e4ced9b4ecfeee38b9376d1fac3e97df1b5356a..333c0f49a9cd2a24650301f62bb3cfb6dce6397c 100644 (file)
--- a/include/keys/rxrpc-type.h
+++ b/include/keys/rxrpc-type.h
@@ -36,6 +36,7 @@ struct rxkad_key {
  */
 struct rxrpc_key_token {
        u16     security_index;         /* RxRPC header security index */
+       bool    no_leak_key;            /* Don't copy the key to userspace */
        struct rxrpc_key_token *next;   /* the next token in the list */
        union {
                struct rxkad_key *kad;

diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
index 3bd7b9d48d27025cb50ead2d44d20512042b1f8f..ed29ec01237be606797b8713f1f718702121a444 100644 (file)
--- a/net/rxrpc/key.c
+++ b/net/rxrpc/key.c
@@ -579,7 +579,8 @@ static long rxrpc_read(const struct key *key,
                case RXRPC_SECURITY_RXKAD:
                        toksize += 8 * 4;       /* viceid, kvno, key*2, begin,
                                                 * end, primary, tktlen */
-                       toksize += RND(token->kad->ticket_len);
+                       if (!token->no_leak_key)
+                               toksize += RND(token->kad->ticket_len);
                        break;
 
                default: /* we have a ticket we can't encode */
@@ -654,7 +655,10 @@ static long rxrpc_read(const struct key *key,
                        ENCODE(token->kad->start);
                        ENCODE(token->kad->expiry);
                        ENCODE(token->kad->primary_flag);
-                       ENCODE_DATA(token->kad->ticket_len, token->kad->ticket);
+                       if (token->no_leak_key)
+                               ENCODE(0);
+                       else
+                               ENCODE_DATA(token->kad->ticket_len, token->kad->ticket);
                        break;
 
                default: