1 /* RxRPC key management 2 * 3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 * 11 * RxRPC keys should have a description of describing their purpose: 12 * "afs@CAMBRIDGE.REDHAT.COM> 13 */ 14 15 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 16 17 #include <crypto/skcipher.h> 18 #include <linux/module.h> 19 #include <linux/net.h> 20 #include <linux/skbuff.h> 21 #include <linux/key-type.h> 22 #include <linux/ctype.h> 23 #include <linux/slab.h> 24 #include <net/sock.h> 25 #include <net/af_rxrpc.h> 26 #include <keys/rxrpc-type.h> 27 #include <keys/user-type.h> 28 #include "ar-internal.h" 29 30 static int rxrpc_vet_description_s(const char *); 31 static int rxrpc_preparse(struct key_preparsed_payload *); 32 static int rxrpc_preparse_s(struct key_preparsed_payload *); 33 static void rxrpc_free_preparse(struct key_preparsed_payload *); 34 static void rxrpc_free_preparse_s(struct key_preparsed_payload *); 35 static void rxrpc_destroy(struct key *); 36 static void rxrpc_destroy_s(struct key *); 37 static void rxrpc_describe(const struct key *, struct seq_file *); 38 static long rxrpc_read(const struct key *, char __user *, size_t); 39 40 /* 41 * rxrpc defined keys take an arbitrary string as the description and an 42 * arbitrary blob of data as the payload 43 */ 44 struct key_type key_type_rxrpc = { 45 .name = "rxrpc", 46 .preparse = rxrpc_preparse, 47 .free_preparse = rxrpc_free_preparse, 48 .instantiate = generic_key_instantiate, 49 .destroy = rxrpc_destroy, 50 .describe = rxrpc_describe, 51 .read = rxrpc_read, 52 }; 53 EXPORT_SYMBOL(key_type_rxrpc); 54 55 /* 56 * rxrpc server defined keys take "<serviceId>:<securityIndex>" as the 57 * description and an 8-byte decryption key as the payload 58 */ 59 struct key_type key_type_rxrpc_s = { 60 .name = "rxrpc_s", 61 .vet_description = rxrpc_vet_description_s, 62 .preparse = rxrpc_preparse_s, 63 .free_preparse = rxrpc_free_preparse_s, 64 .instantiate = generic_key_instantiate, 65 .destroy = rxrpc_destroy_s, 66 .describe = rxrpc_describe, 67 }; 68 69 /* 70 * Vet the description for an RxRPC server key 71 */ 72 static int rxrpc_vet_description_s(const char *desc) 73 { 74 unsigned long num; 75 char *p; 76 77 num = simple_strtoul(desc, &p, 10); 78 if (*p != ':' || num > 65535) 79 return -EINVAL; 80 num = simple_strtoul(p + 1, &p, 10); 81 if (*p || num < 1 || num > 255) 82 return -EINVAL; 83 return 0; 84 } 85 86 /* 87 * parse an RxKAD type XDR format token 88 * - the caller guarantees we have at least 4 words 89 */ 90 static int rxrpc_preparse_xdr_rxkad(struct key_preparsed_payload *prep, 91 size_t datalen, 92 const __be32 *xdr, unsigned int toklen) 93 { 94 struct rxrpc_key_token *token, **pptoken; 95 size_t plen; 96 u32 tktlen; 97 98 _enter(",{%x,%x,%x,%x},%u", 99 ntohl(xdr[0]), ntohl(xdr[1]), ntohl(xdr[2]), ntohl(xdr[3]), 100 toklen); 101 102 if (toklen <= 8 * 4) 103 return -EKEYREJECTED; 104 tktlen = ntohl(xdr[7]); 105 _debug("tktlen: %x", tktlen); 106 if (tktlen > AFSTOKEN_RK_TIX_MAX) 107 return -EKEYREJECTED; 108 if (toklen < 8 * 4 + tktlen) 109 return -EKEYREJECTED; 110 111 plen = sizeof(*token) + sizeof(*token->kad) + tktlen; 112 prep->quotalen = datalen + plen; 113 114 plen -= sizeof(*token); 115 token = kzalloc(sizeof(*token), GFP_KERNEL); 116 if (!token) 117 return -ENOMEM; 118 119 token->kad = kzalloc(plen, GFP_KERNEL); 120 if (!token->kad) { 121 kfree(token); 122 return -ENOMEM; 123 } 124 125 token->security_index = RXRPC_SECURITY_RXKAD; 126 token->kad->ticket_len = tktlen; 127 token->kad->vice_id = ntohl(xdr[0]); 128 token->kad->kvno = ntohl(xdr[1]); 129 token->kad->start = ntohl(xdr[4]); 130 token->kad->expiry = ntohl(xdr[5]); 131 token->kad->primary_flag = ntohl(xdr[6]); 132 memcpy(&token->kad->session_key, &xdr[2], 8); 133 memcpy(&token->kad->ticket, &xdr[8], tktlen); 134 135 _debug("SCIX: %u", token->security_index); 136 _debug("TLEN: %u", token->kad->ticket_len); 137 _debug("EXPY: %x", token->kad->expiry); 138 _debug("KVNO: %u", token->kad->kvno); 139 _debug("PRIM: %u", token->kad->primary_flag); 140 _debug("SKEY: %02x%02x%02x%02x%02x%02x%02x%02x", 141 token->kad->session_key[0], token->kad->session_key[1], 142 token->kad->session_key[2], token->kad->session_key[3], 143 token->kad->session_key[4], token->kad->session_key[5], 144 token->kad->session_key[6], token->kad->session_key[7]); 145 if (token->kad->ticket_len >= 8) 146 _debug("TCKT: %02x%02x%02x%02x%02x%02x%02x%02x", 147 token->kad->ticket[0], token->kad->ticket[1], 148 token->kad->ticket[2], token->kad->ticket[3], 149 token->kad->ticket[4], token->kad->ticket[5], 150 token->kad->ticket[6], token->kad->ticket[7]); 151 152 /* count the number of tokens attached */ 153 prep->payload.data[1] = (void *)((unsigned long)prep->payload.data[1] + 1); 154 155 /* attach the data */ 156 for (pptoken = (struct rxrpc_key_token **)&prep->payload.data[0]; 157 *pptoken; 158 pptoken = &(*pptoken)->next) 159 continue; 160 *pptoken = token; 161 if (token->kad->expiry < prep->expiry) 162 prep->expiry = token->kad->expiry; 163 164 _leave(" = 0"); 165 return 0; 166 } 167 168 static void rxrpc_free_krb5_principal(struct krb5_principal *princ) 169 { 170 int loop; 171 172 if (princ->name_parts) { 173 for (loop = princ->n_name_parts - 1; loop >= 0; loop--) 174 kfree(princ->name_parts[loop]); 175 kfree(princ->name_parts); 176 } 177 kfree(princ->realm); 178 } 179 180 static void rxrpc_free_krb5_tagged(struct krb5_tagged_data *td) 181 { 182 kfree(td->data); 183 } 184 185 /* 186 * free up an RxK5 token 187 */ 188 static void rxrpc_rxk5_free(struct rxk5_key *rxk5) 189 { 190 int loop; 191 192 rxrpc_free_krb5_principal(&rxk5->client); 193 rxrpc_free_krb5_principal(&rxk5->server); 194 rxrpc_free_krb5_tagged(&rxk5->session); 195 196 if (rxk5->addresses) { 197 for (loop = rxk5->n_addresses - 1; loop >= 0; loop--) 198 rxrpc_free_krb5_tagged(&rxk5->addresses[loop]); 199 kfree(rxk5->addresses); 200 } 201 if (rxk5->authdata) { 202 for (loop = rxk5->n_authdata - 1; loop >= 0; loop--) 203 rxrpc_free_krb5_tagged(&rxk5->authdata[loop]); 204 kfree(rxk5->authdata); 205 } 206 207 kfree(rxk5->ticket); 208 kfree(rxk5->ticket2); 209 kfree(rxk5); 210 } 211 212 /* 213 * extract a krb5 principal 214 */ 215 static int rxrpc_krb5_decode_principal(struct krb5_principal *princ, 216 const __be32 **_xdr, 217 unsigned int *_toklen) 218 { 219 const __be32 *xdr = *_xdr; 220 unsigned int toklen = *_toklen, n_parts, loop, tmp; 221 222 /* there must be at least one name, and at least #names+1 length 223 * words */ 224 if (toklen <= 12) 225 return -EINVAL; 226 227 _enter(",{%x,%x,%x},%u", 228 ntohl(xdr[0]), ntohl(xdr[1]), ntohl(xdr[2]), toklen); 229 230 n_parts = ntohl(*xdr++); 231 toklen -= 4; 232 if (n_parts <= 0 || n_parts > AFSTOKEN_K5_COMPONENTS_MAX) 233 return -EINVAL; 234 princ->n_name_parts = n_parts; 235 236 if (toklen <= (n_parts + 1) * 4) 237 return -EINVAL; 238 239 princ->name_parts = kcalloc(n_parts, sizeof(char *), GFP_KERNEL); 240 if (!princ->name_parts) 241 return -ENOMEM; 242 243 for (loop = 0; loop < n_parts; loop++) { 244 if (toklen < 4) 245 return -EINVAL; 246 tmp = ntohl(*xdr++); 247 toklen -= 4; 248 if (tmp <= 0 || tmp > AFSTOKEN_STRING_MAX) 249 return -EINVAL; 250 if (tmp > toklen) 251 return -EINVAL; 252 princ->name_parts[loop] = kmalloc(tmp + 1, GFP_KERNEL); 253 if (!princ->name_parts[loop]) 254 return -ENOMEM; 255 memcpy(princ->name_parts[loop], xdr, tmp); 256 princ->name_parts[loop][tmp] = 0; 257 tmp = (tmp + 3) & ~3; 258 toklen -= tmp; 259 xdr += tmp >> 2; 260 } 261 262 if (toklen < 4) 263 return -EINVAL; 264 tmp = ntohl(*xdr++); 265 toklen -= 4; 266 if (tmp <= 0 || tmp > AFSTOKEN_K5_REALM_MAX) 267 return -EINVAL; 268 if (tmp > toklen) 269 return -EINVAL; 270 princ->realm = kmalloc(tmp + 1, GFP_KERNEL); 271 if (!princ->realm) 272 return -ENOMEM; 273 memcpy(princ->realm, xdr, tmp); 274 princ->realm[tmp] = 0; 275 tmp = (tmp + 3) & ~3; 276 toklen -= tmp; 277 xdr += tmp >> 2; 278 279 _debug("%s/...@%s", princ->name_parts[0], princ->realm); 280 281 *_xdr = xdr; 282 *_toklen = toklen; 283 _leave(" = 0 [toklen=%u]", toklen); 284 return 0; 285 } 286 287 /* 288 * extract a piece of krb5 tagged data 289 */ 290 static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td, 291 size_t max_data_size, 292 const __be32 **_xdr, 293 unsigned int *_toklen) 294 { 295 const __be32 *xdr = *_xdr; 296 unsigned int toklen = *_toklen, len; 297 298 /* there must be at least one tag and one length word */ 299 if (toklen <= 8) 300 return -EINVAL; 301 302 _enter(",%zu,{%x,%x},%u", 303 max_data_size, ntohl(xdr[0]), ntohl(xdr[1]), toklen); 304 305 td->tag = ntohl(*xdr++); 306 len = ntohl(*xdr++); 307 toklen -= 8; 308 if (len > max_data_size) 309 return -EINVAL; 310 td->data_len = len; 311 312 if (len > 0) { 313 td->data = kmemdup(xdr, len, GFP_KERNEL); 314 if (!td->data) 315 return -ENOMEM; 316 len = (len + 3) & ~3; 317 toklen -= len; 318 xdr += len >> 2; 319 } 320 321 _debug("tag %x len %x", td->tag, td->data_len); 322 323 *_xdr = xdr; 324 *_toklen = toklen; 325 _leave(" = 0 [toklen=%u]", toklen); 326 return 0; 327 } 328 329 /* 330 * extract an array of tagged data 331 */ 332 static int rxrpc_krb5_decode_tagged_array(struct krb5_tagged_data **_td, 333 u8 *_n_elem, 334 u8 max_n_elem, 335 size_t max_elem_size, 336 const __be32 **_xdr, 337 unsigned int *_toklen) 338 { 339 struct krb5_tagged_data *td; 340 const __be32 *xdr = *_xdr; 341 unsigned int toklen = *_toklen, n_elem, loop; 342 int ret; 343 344 /* there must be at least one count */ 345 if (toklen < 4) 346 return -EINVAL; 347 348 _enter(",,%u,%zu,{%x},%u", 349 max_n_elem, max_elem_size, ntohl(xdr[0]), toklen); 350 351 n_elem = ntohl(*xdr++); 352 toklen -= 4; 353 if (n_elem > max_n_elem) 354 return -EINVAL; 355 *_n_elem = n_elem; 356 if (n_elem > 0) { 357 if (toklen <= (n_elem + 1) * 4) 358 return -EINVAL; 359 360 _debug("n_elem %d", n_elem); 361 362 td = kcalloc(n_elem, sizeof(struct krb5_tagged_data), 363 GFP_KERNEL); 364 if (!td) 365 return -ENOMEM; 366 *_td = td; 367 368 for (loop = 0; loop < n_elem; loop++) { 369 ret = rxrpc_krb5_decode_tagged_data(&td[loop], 370 max_elem_size, 371 &xdr, &toklen); 372 if (ret < 0) 373 return ret; 374 } 375 } 376 377 *_xdr = xdr; 378 *_toklen = toklen; 379 _leave(" = 0 [toklen=%u]", toklen); 380 return 0; 381 } 382 383 /* 384 * extract a krb5 ticket 385 */ 386 static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen, 387 const __be32 **_xdr, unsigned int *_toklen) 388 { 389 const __be32 *xdr = *_xdr; 390 unsigned int toklen = *_toklen, len; 391 392 /* there must be at least one length word */ 393 if (toklen <= 4) 394 return -EINVAL; 395 396 _enter(",{%x},%u", ntohl(xdr[0]), toklen); 397 398 len = ntohl(*xdr++); 399 toklen -= 4; 400 if (len > AFSTOKEN_K5_TIX_MAX) 401 return -EINVAL; 402 *_tktlen = len; 403 404 _debug("ticket len %u", len); 405 406 if (len > 0) { 407 *_ticket = kmemdup(xdr, len, GFP_KERNEL); 408 if (!*_ticket) 409 return -ENOMEM; 410 len = (len + 3) & ~3; 411 toklen -= len; 412 xdr += len >> 2; 413 } 414 415 *_xdr = xdr; 416 *_toklen = toklen; 417 _leave(" = 0 [toklen=%u]", toklen); 418 return 0; 419 } 420 421 /* 422 * parse an RxK5 type XDR format token 423 * - the caller guarantees we have at least 4 words 424 */ 425 static int rxrpc_preparse_xdr_rxk5(struct key_preparsed_payload *prep, 426 size_t datalen, 427 const __be32 *xdr, unsigned int toklen) 428 { 429 struct rxrpc_key_token *token, **pptoken; 430 struct rxk5_key *rxk5; 431 const __be32 *end_xdr = xdr + (toklen >> 2); 432 int ret; 433 434 _enter(",{%x,%x,%x,%x},%u", 435 ntohl(xdr[0]), ntohl(xdr[1]), ntohl(xdr[2]), ntohl(xdr[3]), 436 toklen); 437 438 /* reserve some payload space for this subkey - the length of the token 439 * is a reasonable approximation */ 440 prep->quotalen = datalen + toklen; 441 442 token = kzalloc(sizeof(*token), GFP_KERNEL); 443 if (!token) 444 return -ENOMEM; 445 446 rxk5 = kzalloc(sizeof(*rxk5), GFP_KERNEL); 447 if (!rxk5) { 448 kfree(token); 449 return -ENOMEM; 450 } 451 452 token->security_index = RXRPC_SECURITY_RXK5; 453 token->k5 = rxk5; 454 455 /* extract the principals */ 456 ret = rxrpc_krb5_decode_principal(&rxk5->client, &xdr, &toklen); 457 if (ret < 0) 458 goto error; 459 ret = rxrpc_krb5_decode_principal(&rxk5->server, &xdr, &toklen); 460 if (ret < 0) 461 goto error; 462 463 /* extract the session key and the encoding type (the tag field -> 464 * ENCTYPE_xxx) */ 465 ret = rxrpc_krb5_decode_tagged_data(&rxk5->session, AFSTOKEN_DATA_MAX, 466 &xdr, &toklen); 467 if (ret < 0) 468 goto error; 469 470 if (toklen < 4 * 8 + 2 * 4) 471 goto inval; 472 rxk5->authtime = be64_to_cpup((const __be64 *) xdr); 473 xdr += 2; 474 rxk5->starttime = be64_to_cpup((const __be64 *) xdr); 475 xdr += 2; 476 rxk5->endtime = be64_to_cpup((const __be64 *) xdr); 477 xdr += 2; 478 rxk5->renew_till = be64_to_cpup((const __be64 *) xdr); 479 xdr += 2; 480 rxk5->is_skey = ntohl(*xdr++); 481 rxk5->flags = ntohl(*xdr++); 482 toklen -= 4 * 8 + 2 * 4; 483 484 _debug("times: a=%llx s=%llx e=%llx rt=%llx", 485 rxk5->authtime, rxk5->starttime, rxk5->endtime, 486 rxk5->renew_till); 487 _debug("is_skey=%x flags=%x", rxk5->is_skey, rxk5->flags); 488 489 /* extract the permitted client addresses */ 490 ret = rxrpc_krb5_decode_tagged_array(&rxk5->addresses, 491 &rxk5->n_addresses, 492 AFSTOKEN_K5_ADDRESSES_MAX, 493 AFSTOKEN_DATA_MAX, 494 &xdr, &toklen); 495 if (ret < 0) 496 goto error; 497 498 ASSERTCMP((end_xdr - xdr) << 2, ==, toklen); 499 500 /* extract the tickets */ 501 ret = rxrpc_krb5_decode_ticket(&rxk5->ticket, &rxk5->ticket_len, 502 &xdr, &toklen); 503 if (ret < 0) 504 goto error; 505 ret = rxrpc_krb5_decode_ticket(&rxk5->ticket2, &rxk5->ticket2_len, 506 &xdr, &toklen); 507 if (ret < 0) 508 goto error; 509 510 ASSERTCMP((end_xdr - xdr) << 2, ==, toklen); 511 512 /* extract the typed auth data */ 513 ret = rxrpc_krb5_decode_tagged_array(&rxk5->authdata, 514 &rxk5->n_authdata, 515 AFSTOKEN_K5_AUTHDATA_MAX, 516 AFSTOKEN_BDATALN_MAX, 517 &xdr, &toklen); 518 if (ret < 0) 519 goto error; 520 521 ASSERTCMP((end_xdr - xdr) << 2, ==, toklen); 522 523 if (toklen != 0) 524 goto inval; 525 526 /* attach the payload */ 527 for (pptoken = (struct rxrpc_key_token **)&prep->payload.data[0]; 528 *pptoken; 529 pptoken = &(*pptoken)->next) 530 continue; 531 *pptoken = token; 532 if (token->kad->expiry < prep->expiry) 533 prep->expiry = token->kad->expiry; 534 535 _leave(" = 0"); 536 return 0; 537 538 inval: 539 ret = -EINVAL; 540 error: 541 rxrpc_rxk5_free(rxk5); 542 kfree(token); 543 _leave(" = %d", ret); 544 return ret; 545 } 546 547 /* 548 * attempt to parse the data as the XDR format 549 * - the caller guarantees we have more than 7 words 550 */ 551 static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep) 552 { 553 const __be32 *xdr = prep->data, *token; 554 const char *cp; 555 unsigned int len, tmp, loop, ntoken, toklen, sec_ix; 556 size_t datalen = prep->datalen; 557 int ret; 558 559 _enter(",{%x,%x,%x,%x},%zu", 560 ntohl(xdr[0]), ntohl(xdr[1]), ntohl(xdr[2]), ntohl(xdr[3]), 561 prep->datalen); 562 563 if (datalen > AFSTOKEN_LENGTH_MAX) 564 goto not_xdr; 565 566 /* XDR is an array of __be32's */ 567 if (datalen & 3) 568 goto not_xdr; 569 570 /* the flags should be 0 (the setpag bit must be handled by 571 * userspace) */ 572 if (ntohl(*xdr++) != 0) 573 goto not_xdr; 574 datalen -= 4; 575 576 /* check the cell name */ 577 len = ntohl(*xdr++); 578 if (len < 1 || len > AFSTOKEN_CELL_MAX) 579 goto not_xdr; 580 datalen -= 4; 581 tmp = (len + 3) & ~3; 582 if (tmp > datalen) 583 goto not_xdr; 584 585 cp = (const char *) xdr; 586 for (loop = 0; loop < len; loop++) 587 if (!isprint(cp[loop])) 588 goto not_xdr; 589 if (len < tmp) 590 for (; loop < tmp; loop++) 591 if (cp[loop]) 592 goto not_xdr; 593 _debug("cellname: [%u/%u] '%*.*s'", 594 len, tmp, len, len, (const char *) xdr); 595 datalen -= tmp; 596 xdr += tmp >> 2; 597 598 /* get the token count */ 599 if (datalen < 12) 600 goto not_xdr; 601 ntoken = ntohl(*xdr++); 602 datalen -= 4; 603 _debug("ntoken: %x", ntoken); 604 if (ntoken < 1 || ntoken > AFSTOKEN_MAX) 605 goto not_xdr; 606 607 /* check each token wrapper */ 608 token = xdr; 609 loop = ntoken; 610 do { 611 if (datalen < 8) 612 goto not_xdr; 613 toklen = ntohl(*xdr++); 614 sec_ix = ntohl(*xdr); 615 datalen -= 4; 616 _debug("token: [%x/%zx] %x", toklen, datalen, sec_ix); 617 if (toklen < 20 || toklen > datalen) 618 goto not_xdr; 619 datalen -= (toklen + 3) & ~3; 620 xdr += (toklen + 3) >> 2; 621 622 } while (--loop > 0); 623 624 _debug("remainder: %zu", datalen); 625 if (datalen != 0) 626 goto not_xdr; 627 628 /* okay: we're going to assume it's valid XDR format 629 * - we ignore the cellname, relying on the key to be correctly named 630 */ 631 do { 632 xdr = token; 633 toklen = ntohl(*xdr++); 634 token = xdr + ((toklen + 3) >> 2); 635 sec_ix = ntohl(*xdr++); 636 toklen -= 4; 637 638 _debug("TOKEN type=%u [%p-%p]", sec_ix, xdr, token); 639 640 switch (sec_ix) { 641 case RXRPC_SECURITY_RXKAD: 642 ret = rxrpc_preparse_xdr_rxkad(prep, datalen, xdr, toklen); 643 if (ret != 0) 644 goto error; 645 break; 646 647 case RXRPC_SECURITY_RXK5: 648 ret = rxrpc_preparse_xdr_rxk5(prep, datalen, xdr, toklen); 649 if (ret != 0) 650 goto error; 651 break; 652 653 default: 654 ret = -EPROTONOSUPPORT; 655 goto error; 656 } 657 658 } while (--ntoken > 0); 659 660 _leave(" = 0"); 661 return 0; 662 663 not_xdr: 664 _leave(" = -EPROTO"); 665 return -EPROTO; 666 error: 667 _leave(" = %d", ret); 668 return ret; 669 } 670 671 /* 672 * Preparse an rxrpc defined key. 673 * 674 * Data should be of the form: 675 * OFFSET LEN CONTENT 676 * 0 4 key interface version number 677 * 4 2 security index (type) 678 * 6 2 ticket length 679 * 8 4 key expiry time (time_t) 680 * 12 4 kvno 681 * 16 8 session key 682 * 24 [len] ticket 683 * 684 * if no data is provided, then a no-security key is made 685 */ 686 static int rxrpc_preparse(struct key_preparsed_payload *prep) 687 { 688 const struct rxrpc_key_data_v1 *v1; 689 struct rxrpc_key_token *token, **pp; 690 size_t plen; 691 u32 kver; 692 int ret; 693 694 _enter("%zu", prep->datalen); 695 696 /* handle a no-security key */ 697 if (!prep->data && prep->datalen == 0) 698 return 0; 699 700 /* determine if the XDR payload format is being used */ 701 if (prep->datalen > 7 * 4) { 702 ret = rxrpc_preparse_xdr(prep); 703 if (ret != -EPROTO) 704 return ret; 705 } 706 707 /* get the key interface version number */ 708 ret = -EINVAL; 709 if (prep->datalen <= 4 || !prep->data) 710 goto error; 711 memcpy(&kver, prep->data, sizeof(kver)); 712 prep->data += sizeof(kver); 713 prep->datalen -= sizeof(kver); 714 715 _debug("KEY I/F VERSION: %u", kver); 716 717 ret = -EKEYREJECTED; 718 if (kver != 1) 719 goto error; 720 721 /* deal with a version 1 key */ 722 ret = -EINVAL; 723 if (prep->datalen < sizeof(*v1)) 724 goto error; 725 726 v1 = prep->data; 727 if (prep->datalen != sizeof(*v1) + v1->ticket_length) 728 goto error; 729 730 _debug("SCIX: %u", v1->security_index); 731 _debug("TLEN: %u", v1->ticket_length); 732 _debug("EXPY: %x", v1->expiry); 733 _debug("KVNO: %u", v1->kvno); 734 _debug("SKEY: %02x%02x%02x%02x%02x%02x%02x%02x", 735 v1->session_key[0], v1->session_key[1], 736 v1->session_key[2], v1->session_key[3], 737 v1->session_key[4], v1->session_key[5], 738 v1->session_key[6], v1->session_key[7]); 739 if (v1->ticket_length >= 8) 740 _debug("TCKT: %02x%02x%02x%02x%02x%02x%02x%02x", 741 v1->ticket[0], v1->ticket[1], 742 v1->ticket[2], v1->ticket[3], 743 v1->ticket[4], v1->ticket[5], 744 v1->ticket[6], v1->ticket[7]); 745 746 ret = -EPROTONOSUPPORT; 747 if (v1->security_index != RXRPC_SECURITY_RXKAD) 748 goto error; 749 750 plen = sizeof(*token->kad) + v1->ticket_length; 751 prep->quotalen = plen + sizeof(*token); 752 753 ret = -ENOMEM; 754 token = kzalloc(sizeof(*token), GFP_KERNEL); 755 if (!token) 756 goto error; 757 token->kad = kzalloc(plen, GFP_KERNEL); 758 if (!token->kad) 759 goto error_free; 760 761 token->security_index = RXRPC_SECURITY_RXKAD; 762 token->kad->ticket_len = v1->ticket_length; 763 token->kad->expiry = v1->expiry; 764 token->kad->kvno = v1->kvno; 765 memcpy(&token->kad->session_key, &v1->session_key, 8); 766 memcpy(&token->kad->ticket, v1->ticket, v1->ticket_length); 767 768 /* count the number of tokens attached */ 769 prep->payload.data[1] = (void *)((unsigned long)prep->payload.data[1] + 1); 770 771 /* attach the data */ 772 pp = (struct rxrpc_key_token **)&prep->payload.data[0]; 773 while (*pp) 774 pp = &(*pp)->next; 775 *pp = token; 776 if (token->kad->expiry < prep->expiry) 777 prep->expiry = token->kad->expiry; 778 token = NULL; 779 ret = 0; 780 781 error_free: 782 kfree(token); 783 error: 784 return ret; 785 } 786 787 /* 788 * Free token list. 789 */ 790 static void rxrpc_free_token_list(struct rxrpc_key_token *token) 791 { 792 struct rxrpc_key_token *next; 793 794 for (; token; token = next) { 795 next = token->next; 796 switch (token->security_index) { 797 case RXRPC_SECURITY_RXKAD: 798 kfree(token->kad); 799 break; 800 case RXRPC_SECURITY_RXK5: 801 if (token->k5) 802 rxrpc_rxk5_free(token->k5); 803 break; 804 default: 805 pr_err("Unknown token type %x on rxrpc key\n", 806 token->security_index); 807 BUG(); 808 } 809 810 kfree(token); 811 } 812 } 813 814 /* 815 * Clean up preparse data. 816 */ 817 static void rxrpc_free_preparse(struct key_preparsed_payload *prep) 818 { 819 rxrpc_free_token_list(prep->payload.data[0]); 820 } 821 822 /* 823 * Preparse a server secret key. 824 * 825 * The data should be the 8-byte secret key. 826 */ 827 static int rxrpc_preparse_s(struct key_preparsed_payload *prep) 828 { 829 struct crypto_skcipher *ci; 830 831 _enter("%zu", prep->datalen); 832 833 if (prep->datalen != 8) 834 return -EINVAL; 835 836 memcpy(&prep->payload.data[2], prep->data, 8); 837 838 ci = crypto_alloc_skcipher("pcbc(des)", 0, CRYPTO_ALG_ASYNC); 839 if (IS_ERR(ci)) { 840 _leave(" = %ld", PTR_ERR(ci)); 841 return PTR_ERR(ci); 842 } 843 844 if (crypto_skcipher_setkey(ci, prep->data, 8) < 0) 845 BUG(); 846 847 prep->payload.data[0] = ci; 848 _leave(" = 0"); 849 return 0; 850 } 851 852 /* 853 * Clean up preparse data. 854 */ 855 static void rxrpc_free_preparse_s(struct key_preparsed_payload *prep) 856 { 857 if (prep->payload.data[0]) 858 crypto_free_skcipher(prep->payload.data[0]); 859 } 860 861 /* 862 * dispose of the data dangling from the corpse of a rxrpc key 863 */ 864 static void rxrpc_destroy(struct key *key) 865 { 866 rxrpc_free_token_list(key->payload.data[0]); 867 } 868 869 /* 870 * dispose of the data dangling from the corpse of a rxrpc key 871 */ 872 static void rxrpc_destroy_s(struct key *key) 873 { 874 if (key->payload.data[0]) { 875 crypto_free_skcipher(key->payload.data[0]); 876 key->payload.data[0] = NULL; 877 } 878 } 879 880 /* 881 * describe the rxrpc key 882 */ 883 static void rxrpc_describe(const struct key *key, struct seq_file *m) 884 { 885 seq_puts(m, key->description); 886 } 887 888 /* 889 * grab the security key for a socket 890 */ 891 int rxrpc_request_key(struct rxrpc_sock *rx, char __user *optval, int optlen) 892 { 893 struct key *key; 894 char *description; 895 896 _enter(""); 897 898 if (optlen <= 0 || optlen > PAGE_SIZE - 1) 899 return -EINVAL; 900 901 description = memdup_user_nul(optval, optlen); 902 if (IS_ERR(description)) 903 return PTR_ERR(description); 904 905 key = request_key(&key_type_rxrpc, description, NULL); 906 if (IS_ERR(key)) { 907 kfree(description); 908 _leave(" = %ld", PTR_ERR(key)); 909 return PTR_ERR(key); 910 } 911 912 rx->key = key; 913 kfree(description); 914 _leave(" = 0 [key %x]", key->serial); 915 return 0; 916 } 917 918 /* 919 * grab the security keyring for a server socket 920 */ 921 int rxrpc_server_keyring(struct rxrpc_sock *rx, char __user *optval, 922 int optlen) 923 { 924 struct key *key; 925 char *description; 926 927 _enter(""); 928 929 if (optlen <= 0 || optlen > PAGE_SIZE - 1) 930 return -EINVAL; 931 932 description = memdup_user_nul(optval, optlen); 933 if (IS_ERR(description)) 934 return PTR_ERR(description); 935 936 key = request_key(&key_type_keyring, description, NULL); 937 if (IS_ERR(key)) { 938 kfree(description); 939 _leave(" = %ld", PTR_ERR(key)); 940 return PTR_ERR(key); 941 } 942 943 rx->securities = key; 944 kfree(description); 945 _leave(" = 0 [key %x]", key->serial); 946 return 0; 947 } 948 949 /* 950 * generate a server data key 951 */ 952 int rxrpc_get_server_data_key(struct rxrpc_connection *conn, 953 const void *session_key, 954 time_t expiry, 955 u32 kvno) 956 { 957 const struct cred *cred = current_cred(); 958 struct key *key; 959 int ret; 960 961 struct { 962 u32 kver; 963 struct rxrpc_key_data_v1 v1; 964 } data; 965 966 _enter(""); 967 968 key = key_alloc(&key_type_rxrpc, "x", 969 GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred, 0, 970 KEY_ALLOC_NOT_IN_QUOTA, NULL); 971 if (IS_ERR(key)) { 972 _leave(" = -ENOMEM [alloc %ld]", PTR_ERR(key)); 973 return -ENOMEM; 974 } 975 976 _debug("key %d", key_serial(key)); 977 978 data.kver = 1; 979 data.v1.security_index = RXRPC_SECURITY_RXKAD; 980 data.v1.ticket_length = 0; 981 data.v1.expiry = expiry; 982 data.v1.kvno = 0; 983 984 memcpy(&data.v1.session_key, session_key, sizeof(data.v1.session_key)); 985 986 ret = key_instantiate_and_link(key, &data, sizeof(data), NULL, NULL); 987 if (ret < 0) 988 goto error; 989 990 conn->params.key = key; 991 _leave(" = 0 [%d]", key_serial(key)); 992 return 0; 993 994 error: 995 key_revoke(key); 996 key_put(key); 997 _leave(" = -ENOMEM [ins %d]", ret); 998 return -ENOMEM; 999 } 1000 EXPORT_SYMBOL(rxrpc_get_server_data_key); 1001 1002 /** 1003 * rxrpc_get_null_key - Generate a null RxRPC key 1004 * @keyname: The name to give the key. 1005 * 1006 * Generate a null RxRPC key that can be used to indicate anonymous security is 1007 * required for a particular domain. 1008 */ 1009 struct key *rxrpc_get_null_key(const char *keyname) 1010 { 1011 const struct cred *cred = current_cred(); 1012 struct key *key; 1013 int ret; 1014 1015 key = key_alloc(&key_type_rxrpc, keyname, 1016 GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred, 1017 KEY_POS_SEARCH, KEY_ALLOC_NOT_IN_QUOTA, NULL); 1018 if (IS_ERR(key)) 1019 return key; 1020 1021 ret = key_instantiate_and_link(key, NULL, 0, NULL, NULL); 1022 if (ret < 0) { 1023 key_revoke(key); 1024 key_put(key); 1025 return ERR_PTR(ret); 1026 } 1027 1028 return key; 1029 } 1030 EXPORT_SYMBOL(rxrpc_get_null_key); 1031 1032 /* 1033 * read the contents of an rxrpc key 1034 * - this returns the result in XDR form 1035 */ 1036 static long rxrpc_read(const struct key *key, 1037 char __user *buffer, size_t buflen) 1038 { 1039 const struct rxrpc_key_token *token; 1040 const struct krb5_principal *princ; 1041 size_t size; 1042 __be32 __user *xdr, *oldxdr; 1043 u32 cnlen, toksize, ntoks, tok, zero; 1044 u16 toksizes[AFSTOKEN_MAX]; 1045 int loop; 1046 1047 _enter(""); 1048 1049 /* we don't know what form we should return non-AFS keys in */ 1050 if (memcmp(key->description, "afs@", 4) != 0) 1051 return -EOPNOTSUPP; 1052 cnlen = strlen(key->description + 4); 1053 1054 #define RND(X) (((X) + 3) & ~3) 1055 1056 /* AFS keys we return in XDR form, so we need to work out the size of 1057 * the XDR */ 1058 size = 2 * 4; /* flags, cellname len */ 1059 size += RND(cnlen); /* cellname */ 1060 size += 1 * 4; /* token count */ 1061 1062 ntoks = 0; 1063 for (token = key->payload.data[0]; token; token = token->next) { 1064 toksize = 4; /* sec index */ 1065 1066 switch (token->security_index) { 1067 case RXRPC_SECURITY_RXKAD: 1068 toksize += 8 * 4; /* viceid, kvno, key*2, begin, 1069 * end, primary, tktlen */ 1070 toksize += RND(token->kad->ticket_len); 1071 break; 1072 1073 case RXRPC_SECURITY_RXK5: 1074 princ = &token->k5->client; 1075 toksize += 4 + princ->n_name_parts * 4; 1076 for (loop = 0; loop < princ->n_name_parts; loop++) 1077 toksize += RND(strlen(princ->name_parts[loop])); 1078 toksize += 4 + RND(strlen(princ->realm)); 1079 1080 princ = &token->k5->server; 1081 toksize += 4 + princ->n_name_parts * 4; 1082 for (loop = 0; loop < princ->n_name_parts; loop++) 1083 toksize += RND(strlen(princ->name_parts[loop])); 1084 toksize += 4 + RND(strlen(princ->realm)); 1085 1086 toksize += 8 + RND(token->k5->session.data_len); 1087 1088 toksize += 4 * 8 + 2 * 4; 1089 1090 toksize += 4 + token->k5->n_addresses * 8; 1091 for (loop = 0; loop < token->k5->n_addresses; loop++) 1092 toksize += RND(token->k5->addresses[loop].data_len); 1093 1094 toksize += 4 + RND(token->k5->ticket_len); 1095 toksize += 4 + RND(token->k5->ticket2_len); 1096 1097 toksize += 4 + token->k5->n_authdata * 8; 1098 for (loop = 0; loop < token->k5->n_authdata; loop++) 1099 toksize += RND(token->k5->authdata[loop].data_len); 1100 break; 1101 1102 default: /* we have a ticket we can't encode */ 1103 BUG(); 1104 continue; 1105 } 1106 1107 _debug("token[%u]: toksize=%u", ntoks, toksize); 1108 ASSERTCMP(toksize, <=, AFSTOKEN_LENGTH_MAX); 1109 1110 toksizes[ntoks++] = toksize; 1111 size += toksize + 4; /* each token has a length word */ 1112 } 1113 1114 #undef RND 1115 1116 if (!buffer || buflen < size) 1117 return size; 1118 1119 xdr = (__be32 __user *) buffer; 1120 zero = 0; 1121 #define ENCODE(x) \ 1122 do { \ 1123 __be32 y = htonl(x); \ 1124 if (put_user(y, xdr++) < 0) \ 1125 goto fault; \ 1126 } while(0) 1127 #define ENCODE_DATA(l, s) \ 1128 do { \ 1129 u32 _l = (l); \ 1130 ENCODE(l); \ 1131 if (copy_to_user(xdr, (s), _l) != 0) \ 1132 goto fault; \ 1133 if (_l & 3 && \ 1134 copy_to_user((u8 __user *)xdr + _l, &zero, 4 - (_l & 3)) != 0) \ 1135 goto fault; \ 1136 xdr += (_l + 3) >> 2; \ 1137 } while(0) 1138 #define ENCODE64(x) \ 1139 do { \ 1140 __be64 y = cpu_to_be64(x); \ 1141 if (copy_to_user(xdr, &y, 8) != 0) \ 1142 goto fault; \ 1143 xdr += 8 >> 2; \ 1144 } while(0) 1145 #define ENCODE_STR(s) \ 1146 do { \ 1147 const char *_s = (s); \ 1148 ENCODE_DATA(strlen(_s), _s); \ 1149 } while(0) 1150 1151 ENCODE(0); /* flags */ 1152 ENCODE_DATA(cnlen, key->description + 4); /* cellname */ 1153 ENCODE(ntoks); 1154 1155 tok = 0; 1156 for (token = key->payload.data[0]; token; token = token->next) { 1157 toksize = toksizes[tok++]; 1158 ENCODE(toksize); 1159 oldxdr = xdr; 1160 ENCODE(token->security_index); 1161 1162 switch (token->security_index) { 1163 case RXRPC_SECURITY_RXKAD: 1164 ENCODE(token->kad->vice_id); 1165 ENCODE(token->kad->kvno); 1166 ENCODE_DATA(8, token->kad->session_key); 1167 ENCODE(token->kad->start); 1168 ENCODE(token->kad->expiry); 1169 ENCODE(token->kad->primary_flag); 1170 ENCODE_DATA(token->kad->ticket_len, token->kad->ticket); 1171 break; 1172 1173 case RXRPC_SECURITY_RXK5: 1174 princ = &token->k5->client; 1175 ENCODE(princ->n_name_parts); 1176 for (loop = 0; loop < princ->n_name_parts; loop++) 1177 ENCODE_STR(princ->name_parts[loop]); 1178 ENCODE_STR(princ->realm); 1179 1180 princ = &token->k5->server; 1181 ENCODE(princ->n_name_parts); 1182 for (loop = 0; loop < princ->n_name_parts; loop++) 1183 ENCODE_STR(princ->name_parts[loop]); 1184 ENCODE_STR(princ->realm); 1185 1186 ENCODE(token->k5->session.tag); 1187 ENCODE_DATA(token->k5->session.data_len, 1188 token->k5->session.data); 1189 1190 ENCODE64(token->k5->authtime); 1191 ENCODE64(token->k5->starttime); 1192 ENCODE64(token->k5->endtime); 1193 ENCODE64(token->k5->renew_till); 1194 ENCODE(token->k5->is_skey); 1195 ENCODE(token->k5->flags); 1196 1197 ENCODE(token->k5->n_addresses); 1198 for (loop = 0; loop < token->k5->n_addresses; loop++) { 1199 ENCODE(token->k5->addresses[loop].tag); 1200 ENCODE_DATA(token->k5->addresses[loop].data_len, 1201 token->k5->addresses[loop].data); 1202 } 1203 1204 ENCODE_DATA(token->k5->ticket_len, token->k5->ticket); 1205 ENCODE_DATA(token->k5->ticket2_len, token->k5->ticket2); 1206 1207 ENCODE(token->k5->n_authdata); 1208 for (loop = 0; loop < token->k5->n_authdata; loop++) { 1209 ENCODE(token->k5->authdata[loop].tag); 1210 ENCODE_DATA(token->k5->authdata[loop].data_len, 1211 token->k5->authdata[loop].data); 1212 } 1213 break; 1214 1215 default: 1216 BUG(); 1217 break; 1218 } 1219 1220 ASSERTCMP((unsigned long)xdr - (unsigned long)oldxdr, ==, 1221 toksize); 1222 } 1223 1224 #undef ENCODE_STR 1225 #undef ENCODE_DATA 1226 #undef ENCODE64 1227 #undef ENCODE 1228 1229 ASSERTCMP(tok, ==, ntoks); 1230 ASSERTCMP((char __user *) xdr - buffer, ==, size); 1231 _leave(" = %zu", size); 1232 return size; 1233 1234 fault: 1235 _leave(" = -EFAULT"); 1236 return -EFAULT; 1237 } 1238