1 /* Kerberos-based RxRPC security 2 * 3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 13 14 #include <crypto/skcipher.h> 15 #include <linux/module.h> 16 #include <linux/net.h> 17 #include <linux/skbuff.h> 18 #include <linux/udp.h> 19 #include <linux/scatterlist.h> 20 #include <linux/ctype.h> 21 #include <linux/slab.h> 22 #include <net/sock.h> 23 #include <net/af_rxrpc.h> 24 #include <keys/rxrpc-type.h> 25 #include "ar-internal.h" 26 27 #define RXKAD_VERSION 2 28 #define MAXKRB5TICKETLEN 1024 29 #define RXKAD_TKT_TYPE_KERBEROS_V5 256 30 #define ANAME_SZ 40 /* size of authentication name */ 31 #define INST_SZ 40 /* size of principal's instance */ 32 #define REALM_SZ 40 /* size of principal's auth domain */ 33 #define SNAME_SZ 40 /* size of service name */ 34 35 struct rxkad_level1_hdr { 36 __be32 data_size; /* true data size (excluding padding) */ 37 }; 38 39 struct rxkad_level2_hdr { 40 __be32 data_size; /* true data size (excluding padding) */ 41 __be32 checksum; /* decrypted data checksum */ 42 }; 43 44 /* 45 * this holds a pinned cipher so that keventd doesn't get called by the cipher 46 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE 47 * packets 48 */ 49 static struct crypto_skcipher *rxkad_ci; 50 static DEFINE_MUTEX(rxkad_ci_mutex); 51 52 /* 53 * initialise connection security 54 */ 55 static int rxkad_init_connection_security(struct rxrpc_connection *conn) 56 { 57 struct crypto_skcipher *ci; 58 struct rxrpc_key_token *token; 59 int ret; 60 61 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key)); 62 63 token = conn->params.key->payload.data[0]; 64 conn->security_ix = token->security_index; 65 66 ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 67 if (IS_ERR(ci)) { 68 _debug("no cipher"); 69 ret = PTR_ERR(ci); 70 goto error; 71 } 72 73 if (crypto_skcipher_setkey(ci, token->kad->session_key, 74 sizeof(token->kad->session_key)) < 0) 75 BUG(); 76 77 switch (conn->params.security_level) { 78 case RXRPC_SECURITY_PLAIN: 79 break; 80 case RXRPC_SECURITY_AUTH: 81 conn->size_align = 8; 82 conn->security_size = sizeof(struct rxkad_level1_hdr); 83 break; 84 case RXRPC_SECURITY_ENCRYPT: 85 conn->size_align = 8; 86 conn->security_size = sizeof(struct rxkad_level2_hdr); 87 break; 88 default: 89 ret = -EKEYREJECTED; 90 goto error; 91 } 92 93 conn->cipher = ci; 94 ret = 0; 95 error: 96 _leave(" = %d", ret); 97 return ret; 98 } 99 100 /* 101 * prime the encryption state with the invariant parts of a connection's 102 * description 103 */ 104 static int rxkad_prime_packet_security(struct rxrpc_connection *conn) 105 { 106 struct rxrpc_key_token *token; 107 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher); 108 struct scatterlist sg; 109 struct rxrpc_crypt iv; 110 __be32 *tmpbuf; 111 size_t tmpsize = 4 * sizeof(__be32); 112 113 _enter(""); 114 115 if (!conn->params.key) 116 return 0; 117 118 tmpbuf = kmalloc(tmpsize, GFP_KERNEL); 119 if (!tmpbuf) 120 return -ENOMEM; 121 122 token = conn->params.key->payload.data[0]; 123 memcpy(&iv, token->kad->session_key, sizeof(iv)); 124 125 tmpbuf[0] = htonl(conn->proto.epoch); 126 tmpbuf[1] = htonl(conn->proto.cid); 127 tmpbuf[2] = 0; 128 tmpbuf[3] = htonl(conn->security_ix); 129 130 sg_init_one(&sg, tmpbuf, tmpsize); 131 skcipher_request_set_tfm(req, conn->cipher); 132 skcipher_request_set_callback(req, 0, NULL, NULL); 133 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x); 134 crypto_skcipher_encrypt(req); 135 skcipher_request_zero(req); 136 137 memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv)); 138 kfree(tmpbuf); 139 _leave(" = 0"); 140 return 0; 141 } 142 143 /* 144 * partially encrypt a packet (level 1 security) 145 */ 146 static int rxkad_secure_packet_auth(const struct rxrpc_call *call, 147 struct sk_buff *skb, 148 u32 data_size, 149 void *sechdr) 150 { 151 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 152 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 153 struct rxkad_level1_hdr hdr; 154 struct rxrpc_crypt iv; 155 struct scatterlist sg; 156 u16 check; 157 158 _enter(""); 159 160 check = sp->hdr.seq ^ call->call_id; 161 data_size |= (u32)check << 16; 162 163 hdr.data_size = htonl(data_size); 164 memcpy(sechdr, &hdr, sizeof(hdr)); 165 166 /* start the encryption afresh */ 167 memset(&iv, 0, sizeof(iv)); 168 169 sg_init_one(&sg, sechdr, 8); 170 skcipher_request_set_tfm(req, call->conn->cipher); 171 skcipher_request_set_callback(req, 0, NULL, NULL); 172 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 173 crypto_skcipher_encrypt(req); 174 skcipher_request_zero(req); 175 176 _leave(" = 0"); 177 return 0; 178 } 179 180 /* 181 * wholly encrypt a packet (level 2 security) 182 */ 183 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, 184 struct sk_buff *skb, 185 u32 data_size, 186 void *sechdr) 187 { 188 const struct rxrpc_key_token *token; 189 struct rxkad_level2_hdr rxkhdr; 190 struct rxrpc_skb_priv *sp; 191 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 192 struct rxrpc_crypt iv; 193 struct scatterlist sg[16]; 194 struct sk_buff *trailer; 195 unsigned int len; 196 u16 check; 197 int nsg; 198 int err; 199 200 sp = rxrpc_skb(skb); 201 202 _enter(""); 203 204 check = sp->hdr.seq ^ call->call_id; 205 206 rxkhdr.data_size = htonl(data_size | (u32)check << 16); 207 rxkhdr.checksum = 0; 208 memcpy(sechdr, &rxkhdr, sizeof(rxkhdr)); 209 210 /* encrypt from the session key */ 211 token = call->conn->params.key->payload.data[0]; 212 memcpy(&iv, token->kad->session_key, sizeof(iv)); 213 214 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr)); 215 skcipher_request_set_tfm(req, call->conn->cipher); 216 skcipher_request_set_callback(req, 0, NULL, NULL); 217 skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x); 218 crypto_skcipher_encrypt(req); 219 220 /* we want to encrypt the skbuff in-place */ 221 nsg = skb_cow_data(skb, 0, &trailer); 222 err = -ENOMEM; 223 if (nsg < 0 || nsg > 16) 224 goto out; 225 226 len = data_size + call->conn->size_align - 1; 227 len &= ~(call->conn->size_align - 1); 228 229 sg_init_table(sg, nsg); 230 skb_to_sgvec(skb, sg, 0, len); 231 skcipher_request_set_crypt(req, sg, sg, len, iv.x); 232 crypto_skcipher_encrypt(req); 233 234 _leave(" = 0"); 235 err = 0; 236 237 out: 238 skcipher_request_zero(req); 239 return err; 240 } 241 242 /* 243 * checksum an RxRPC packet header 244 */ 245 static int rxkad_secure_packet(struct rxrpc_call *call, 246 struct sk_buff *skb, 247 size_t data_size, 248 void *sechdr) 249 { 250 struct rxrpc_skb_priv *sp; 251 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 252 struct rxrpc_crypt iv; 253 struct scatterlist sg; 254 u32 x, y; 255 int ret; 256 257 sp = rxrpc_skb(skb); 258 259 _enter("{%d{%x}},{#%u},%zu,", 260 call->debug_id, key_serial(call->conn->params.key), 261 sp->hdr.seq, data_size); 262 263 if (!call->conn->cipher) 264 return 0; 265 266 ret = key_validate(call->conn->params.key); 267 if (ret < 0) 268 return ret; 269 270 /* continue encrypting from where we left off */ 271 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 272 273 /* calculate the security checksum */ 274 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 275 x |= sp->hdr.seq & 0x3fffffff; 276 call->crypto_buf[0] = htonl(call->call_id); 277 call->crypto_buf[1] = htonl(x); 278 279 sg_init_one(&sg, call->crypto_buf, 8); 280 skcipher_request_set_tfm(req, call->conn->cipher); 281 skcipher_request_set_callback(req, 0, NULL, NULL); 282 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 283 crypto_skcipher_encrypt(req); 284 skcipher_request_zero(req); 285 286 y = ntohl(call->crypto_buf[1]); 287 y = (y >> 16) & 0xffff; 288 if (y == 0) 289 y = 1; /* zero checksums are not permitted */ 290 sp->hdr.cksum = y; 291 292 switch (call->conn->params.security_level) { 293 case RXRPC_SECURITY_PLAIN: 294 ret = 0; 295 break; 296 case RXRPC_SECURITY_AUTH: 297 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr); 298 break; 299 case RXRPC_SECURITY_ENCRYPT: 300 ret = rxkad_secure_packet_encrypt(call, skb, data_size, 301 sechdr); 302 break; 303 default: 304 ret = -EPERM; 305 break; 306 } 307 308 _leave(" = %d [set %hx]", ret, y); 309 return ret; 310 } 311 312 /* 313 * decrypt partial encryption on a packet (level 1 security) 314 */ 315 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb, 316 unsigned int offset, unsigned int len, 317 rxrpc_seq_t seq) 318 { 319 struct rxkad_level1_hdr sechdr; 320 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 321 struct rxrpc_crypt iv; 322 struct scatterlist sg[16]; 323 struct sk_buff *trailer; 324 bool aborted; 325 u32 data_size, buf; 326 u16 check; 327 int nsg; 328 329 _enter(""); 330 331 if (len < 8) { 332 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_hdr", "V1H", 333 RXKADSEALEDINCON); 334 goto protocol_error; 335 } 336 337 /* Decrypt the skbuff in-place. TODO: We really want to decrypt 338 * directly into the target buffer. 339 */ 340 nsg = skb_cow_data(skb, 0, &trailer); 341 if (nsg < 0 || nsg > 16) 342 goto nomem; 343 344 sg_init_table(sg, nsg); 345 skb_to_sgvec(skb, sg, offset, 8); 346 347 /* start the decryption afresh */ 348 memset(&iv, 0, sizeof(iv)); 349 350 skcipher_request_set_tfm(req, call->conn->cipher); 351 skcipher_request_set_callback(req, 0, NULL, NULL); 352 skcipher_request_set_crypt(req, sg, sg, 8, iv.x); 353 crypto_skcipher_decrypt(req); 354 skcipher_request_zero(req); 355 356 /* Extract the decrypted packet length */ 357 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) { 358 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_len", "XV1", 359 RXKADDATALEN); 360 goto protocol_error; 361 } 362 offset += sizeof(sechdr); 363 len -= sizeof(sechdr); 364 365 buf = ntohl(sechdr.data_size); 366 data_size = buf & 0xffff; 367 368 check = buf >> 16; 369 check ^= seq ^ call->call_id; 370 check &= 0xffff; 371 if (check != 0) { 372 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_check", "V1C", 373 RXKADSEALEDINCON); 374 goto protocol_error; 375 } 376 377 if (data_size > len) { 378 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_datalen", "V1L", 379 RXKADDATALEN); 380 goto protocol_error; 381 } 382 383 _leave(" = 0 [dlen=%x]", data_size); 384 return 0; 385 386 protocol_error: 387 if (aborted) 388 rxrpc_send_abort_packet(call); 389 return -EPROTO; 390 391 nomem: 392 _leave(" = -ENOMEM"); 393 return -ENOMEM; 394 } 395 396 /* 397 * wholly decrypt a packet (level 2 security) 398 */ 399 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb, 400 unsigned int offset, unsigned int len, 401 rxrpc_seq_t seq) 402 { 403 const struct rxrpc_key_token *token; 404 struct rxkad_level2_hdr sechdr; 405 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 406 struct rxrpc_crypt iv; 407 struct scatterlist _sg[4], *sg; 408 struct sk_buff *trailer; 409 bool aborted; 410 u32 data_size, buf; 411 u16 check; 412 int nsg; 413 414 _enter(",{%d}", skb->len); 415 416 if (len < 8) { 417 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_hdr", "V2H", 418 RXKADSEALEDINCON); 419 goto protocol_error; 420 } 421 422 /* Decrypt the skbuff in-place. TODO: We really want to decrypt 423 * directly into the target buffer. 424 */ 425 nsg = skb_cow_data(skb, 0, &trailer); 426 if (nsg < 0) 427 goto nomem; 428 429 sg = _sg; 430 if (unlikely(nsg > 4)) { 431 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO); 432 if (!sg) 433 goto nomem; 434 } 435 436 sg_init_table(sg, nsg); 437 skb_to_sgvec(skb, sg, offset, len); 438 439 /* decrypt from the session key */ 440 token = call->conn->params.key->payload.data[0]; 441 memcpy(&iv, token->kad->session_key, sizeof(iv)); 442 443 skcipher_request_set_tfm(req, call->conn->cipher); 444 skcipher_request_set_callback(req, 0, NULL, NULL); 445 skcipher_request_set_crypt(req, sg, sg, len, iv.x); 446 crypto_skcipher_decrypt(req); 447 skcipher_request_zero(req); 448 if (sg != _sg) 449 kfree(sg); 450 451 /* Extract the decrypted packet length */ 452 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) { 453 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_len", "XV2", 454 RXKADDATALEN); 455 goto protocol_error; 456 } 457 offset += sizeof(sechdr); 458 len -= sizeof(sechdr); 459 460 buf = ntohl(sechdr.data_size); 461 data_size = buf & 0xffff; 462 463 check = buf >> 16; 464 check ^= seq ^ call->call_id; 465 check &= 0xffff; 466 if (check != 0) { 467 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_check", "V2C", 468 RXKADSEALEDINCON); 469 goto protocol_error; 470 } 471 472 if (data_size > len) { 473 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_datalen", "V2L", 474 RXKADDATALEN); 475 goto protocol_error; 476 } 477 478 _leave(" = 0 [dlen=%x]", data_size); 479 return 0; 480 481 protocol_error: 482 if (aborted) 483 rxrpc_send_abort_packet(call); 484 return -EPROTO; 485 486 nomem: 487 _leave(" = -ENOMEM"); 488 return -ENOMEM; 489 } 490 491 /* 492 * Verify the security on a received packet or subpacket (if part of a 493 * jumbo packet). 494 */ 495 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb, 496 unsigned int offset, unsigned int len, 497 rxrpc_seq_t seq, u16 expected_cksum) 498 { 499 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 500 struct rxrpc_crypt iv; 501 struct scatterlist sg; 502 bool aborted; 503 u16 cksum; 504 u32 x, y; 505 506 _enter("{%d{%x}},{#%u}", 507 call->debug_id, key_serial(call->conn->params.key), seq); 508 509 if (!call->conn->cipher) 510 return 0; 511 512 /* continue encrypting from where we left off */ 513 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 514 515 /* validate the security checksum */ 516 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 517 x |= seq & 0x3fffffff; 518 call->crypto_buf[0] = htonl(call->call_id); 519 call->crypto_buf[1] = htonl(x); 520 521 sg_init_one(&sg, call->crypto_buf, 8); 522 skcipher_request_set_tfm(req, call->conn->cipher); 523 skcipher_request_set_callback(req, 0, NULL, NULL); 524 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 525 crypto_skcipher_encrypt(req); 526 skcipher_request_zero(req); 527 528 y = ntohl(call->crypto_buf[1]); 529 cksum = (y >> 16) & 0xffff; 530 if (cksum == 0) 531 cksum = 1; /* zero checksums are not permitted */ 532 533 if (cksum != expected_cksum) { 534 aborted = rxrpc_abort_eproto(call, skb, "rxkad_csum", "VCK", 535 RXKADSEALEDINCON); 536 goto protocol_error; 537 } 538 539 switch (call->conn->params.security_level) { 540 case RXRPC_SECURITY_PLAIN: 541 return 0; 542 case RXRPC_SECURITY_AUTH: 543 return rxkad_verify_packet_1(call, skb, offset, len, seq); 544 case RXRPC_SECURITY_ENCRYPT: 545 return rxkad_verify_packet_2(call, skb, offset, len, seq); 546 default: 547 return -ENOANO; 548 } 549 550 protocol_error: 551 if (aborted) 552 rxrpc_send_abort_packet(call); 553 return -EPROTO; 554 } 555 556 /* 557 * Locate the data contained in a packet that was partially encrypted. 558 */ 559 static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb, 560 unsigned int *_offset, unsigned int *_len) 561 { 562 struct rxkad_level1_hdr sechdr; 563 564 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0) 565 BUG(); 566 *_offset += sizeof(sechdr); 567 *_len = ntohl(sechdr.data_size) & 0xffff; 568 } 569 570 /* 571 * Locate the data contained in a packet that was completely encrypted. 572 */ 573 static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb, 574 unsigned int *_offset, unsigned int *_len) 575 { 576 struct rxkad_level2_hdr sechdr; 577 578 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0) 579 BUG(); 580 *_offset += sizeof(sechdr); 581 *_len = ntohl(sechdr.data_size) & 0xffff; 582 } 583 584 /* 585 * Locate the data contained in an already decrypted packet. 586 */ 587 static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb, 588 unsigned int *_offset, unsigned int *_len) 589 { 590 switch (call->conn->params.security_level) { 591 case RXRPC_SECURITY_AUTH: 592 rxkad_locate_data_1(call, skb, _offset, _len); 593 return; 594 case RXRPC_SECURITY_ENCRYPT: 595 rxkad_locate_data_2(call, skb, _offset, _len); 596 return; 597 default: 598 return; 599 } 600 } 601 602 /* 603 * issue a challenge 604 */ 605 static int rxkad_issue_challenge(struct rxrpc_connection *conn) 606 { 607 struct rxkad_challenge challenge; 608 struct rxrpc_wire_header whdr; 609 struct msghdr msg; 610 struct kvec iov[2]; 611 size_t len; 612 u32 serial; 613 int ret; 614 615 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key)); 616 617 ret = key_validate(conn->params.key); 618 if (ret < 0) 619 return ret; 620 621 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce)); 622 623 challenge.version = htonl(2); 624 challenge.nonce = htonl(conn->security_nonce); 625 challenge.min_level = htonl(0); 626 challenge.__padding = 0; 627 628 msg.msg_name = &conn->params.peer->srx.transport.sin; 629 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin); 630 msg.msg_control = NULL; 631 msg.msg_controllen = 0; 632 msg.msg_flags = 0; 633 634 whdr.epoch = htonl(conn->proto.epoch); 635 whdr.cid = htonl(conn->proto.cid); 636 whdr.callNumber = 0; 637 whdr.seq = 0; 638 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE; 639 whdr.flags = conn->out_clientflag; 640 whdr.userStatus = 0; 641 whdr.securityIndex = conn->security_ix; 642 whdr._rsvd = 0; 643 whdr.serviceId = htons(conn->params.service_id); 644 645 iov[0].iov_base = &whdr; 646 iov[0].iov_len = sizeof(whdr); 647 iov[1].iov_base = &challenge; 648 iov[1].iov_len = sizeof(challenge); 649 650 len = iov[0].iov_len + iov[1].iov_len; 651 652 serial = atomic_inc_return(&conn->serial); 653 whdr.serial = htonl(serial); 654 _proto("Tx CHALLENGE %%%u", serial); 655 656 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len); 657 if (ret < 0) { 658 _debug("sendmsg failed: %d", ret); 659 return -EAGAIN; 660 } 661 662 _leave(" = 0"); 663 return 0; 664 } 665 666 /* 667 * send a Kerberos security response 668 */ 669 static int rxkad_send_response(struct rxrpc_connection *conn, 670 struct rxrpc_host_header *hdr, 671 struct rxkad_response *resp, 672 const struct rxkad_key *s2) 673 { 674 struct rxrpc_wire_header whdr; 675 struct msghdr msg; 676 struct kvec iov[3]; 677 size_t len; 678 u32 serial; 679 int ret; 680 681 _enter(""); 682 683 msg.msg_name = &conn->params.peer->srx.transport.sin; 684 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin); 685 msg.msg_control = NULL; 686 msg.msg_controllen = 0; 687 msg.msg_flags = 0; 688 689 memset(&whdr, 0, sizeof(whdr)); 690 whdr.epoch = htonl(hdr->epoch); 691 whdr.cid = htonl(hdr->cid); 692 whdr.type = RXRPC_PACKET_TYPE_RESPONSE; 693 whdr.flags = conn->out_clientflag; 694 whdr.securityIndex = hdr->securityIndex; 695 whdr.serviceId = htons(hdr->serviceId); 696 697 iov[0].iov_base = &whdr; 698 iov[0].iov_len = sizeof(whdr); 699 iov[1].iov_base = resp; 700 iov[1].iov_len = sizeof(*resp); 701 iov[2].iov_base = (void *)s2->ticket; 702 iov[2].iov_len = s2->ticket_len; 703 704 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len; 705 706 serial = atomic_inc_return(&conn->serial); 707 whdr.serial = htonl(serial); 708 _proto("Tx RESPONSE %%%u", serial); 709 710 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len); 711 if (ret < 0) { 712 _debug("sendmsg failed: %d", ret); 713 return -EAGAIN; 714 } 715 716 _leave(" = 0"); 717 return 0; 718 } 719 720 /* 721 * calculate the response checksum 722 */ 723 static void rxkad_calc_response_checksum(struct rxkad_response *response) 724 { 725 u32 csum = 1000003; 726 int loop; 727 u8 *p = (u8 *) response; 728 729 for (loop = sizeof(*response); loop > 0; loop--) 730 csum = csum * 0x10204081 + *p++; 731 732 response->encrypted.checksum = htonl(csum); 733 } 734 735 /* 736 * encrypt the response packet 737 */ 738 static void rxkad_encrypt_response(struct rxrpc_connection *conn, 739 struct rxkad_response *resp, 740 const struct rxkad_key *s2) 741 { 742 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher); 743 struct rxrpc_crypt iv; 744 struct scatterlist sg[1]; 745 746 /* continue encrypting from where we left off */ 747 memcpy(&iv, s2->session_key, sizeof(iv)); 748 749 sg_init_table(sg, 1); 750 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 751 skcipher_request_set_tfm(req, conn->cipher); 752 skcipher_request_set_callback(req, 0, NULL, NULL); 753 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 754 crypto_skcipher_encrypt(req); 755 skcipher_request_zero(req); 756 } 757 758 /* 759 * respond to a challenge packet 760 */ 761 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn, 762 struct sk_buff *skb, 763 u32 *_abort_code) 764 { 765 const struct rxrpc_key_token *token; 766 struct rxkad_challenge challenge; 767 struct rxkad_response resp 768 __attribute__((aligned(8))); /* must be aligned for crypto */ 769 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 770 const char *eproto; 771 u32 version, nonce, min_level, abort_code; 772 int ret; 773 774 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key)); 775 776 eproto = tracepoint_string("chall_no_key"); 777 abort_code = RX_PROTOCOL_ERROR; 778 if (!conn->params.key) 779 goto protocol_error; 780 781 abort_code = RXKADEXPIRED; 782 ret = key_validate(conn->params.key); 783 if (ret < 0) 784 goto other_error; 785 786 eproto = tracepoint_string("chall_short"); 787 abort_code = RXKADPACKETSHORT; 788 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 789 &challenge, sizeof(challenge)) < 0) 790 goto protocol_error; 791 792 version = ntohl(challenge.version); 793 nonce = ntohl(challenge.nonce); 794 min_level = ntohl(challenge.min_level); 795 796 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }", 797 sp->hdr.serial, version, nonce, min_level); 798 799 eproto = tracepoint_string("chall_ver"); 800 abort_code = RXKADINCONSISTENCY; 801 if (version != RXKAD_VERSION) 802 goto protocol_error; 803 804 abort_code = RXKADLEVELFAIL; 805 ret = -EACCES; 806 if (conn->params.security_level < min_level) 807 goto other_error; 808 809 token = conn->params.key->payload.data[0]; 810 811 /* build the response packet */ 812 memset(&resp, 0, sizeof(resp)); 813 814 resp.version = htonl(RXKAD_VERSION); 815 resp.encrypted.epoch = htonl(conn->proto.epoch); 816 resp.encrypted.cid = htonl(conn->proto.cid); 817 resp.encrypted.securityIndex = htonl(conn->security_ix); 818 resp.encrypted.inc_nonce = htonl(nonce + 1); 819 resp.encrypted.level = htonl(conn->params.security_level); 820 resp.kvno = htonl(token->kad->kvno); 821 resp.ticket_len = htonl(token->kad->ticket_len); 822 823 resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter); 824 resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter); 825 resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter); 826 resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter); 827 828 /* calculate the response checksum and then do the encryption */ 829 rxkad_calc_response_checksum(&resp); 830 rxkad_encrypt_response(conn, &resp, token->kad); 831 return rxkad_send_response(conn, &sp->hdr, &resp, token->kad); 832 833 protocol_error: 834 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto); 835 ret = -EPROTO; 836 other_error: 837 *_abort_code = abort_code; 838 return ret; 839 } 840 841 /* 842 * decrypt the kerberos IV ticket in the response 843 */ 844 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn, 845 struct sk_buff *skb, 846 void *ticket, size_t ticket_len, 847 struct rxrpc_crypt *_session_key, 848 time_t *_expiry, 849 u32 *_abort_code) 850 { 851 struct skcipher_request *req; 852 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 853 struct rxrpc_crypt iv, key; 854 struct scatterlist sg[1]; 855 struct in_addr addr; 856 unsigned int life; 857 const char *eproto; 858 time_t issue, now; 859 bool little_endian; 860 int ret; 861 u32 abort_code; 862 u8 *p, *q, *name, *end; 863 864 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key)); 865 866 *_expiry = 0; 867 868 ret = key_validate(conn->server_key); 869 if (ret < 0) { 870 switch (ret) { 871 case -EKEYEXPIRED: 872 abort_code = RXKADEXPIRED; 873 goto other_error; 874 default: 875 abort_code = RXKADNOAUTH; 876 goto other_error; 877 } 878 } 879 880 ASSERT(conn->server_key->payload.data[0] != NULL); 881 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0); 882 883 memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv)); 884 885 ret = -ENOMEM; 886 req = skcipher_request_alloc(conn->server_key->payload.data[0], 887 GFP_NOFS); 888 if (!req) 889 goto temporary_error; 890 891 sg_init_one(&sg[0], ticket, ticket_len); 892 skcipher_request_set_callback(req, 0, NULL, NULL); 893 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x); 894 crypto_skcipher_decrypt(req); 895 skcipher_request_free(req); 896 897 p = ticket; 898 end = p + ticket_len; 899 900 #define Z(field) \ 901 ({ \ 902 u8 *__str = p; \ 903 eproto = tracepoint_string("rxkad_bad_"#field); \ 904 q = memchr(p, 0, end - p); \ 905 if (!q || q - p > (field##_SZ)) \ 906 goto bad_ticket; \ 907 for (; p < q; p++) \ 908 if (!isprint(*p)) \ 909 goto bad_ticket; \ 910 p++; \ 911 __str; \ 912 }) 913 914 /* extract the ticket flags */ 915 _debug("KIV FLAGS: %x", *p); 916 little_endian = *p & 1; 917 p++; 918 919 /* extract the authentication name */ 920 name = Z(ANAME); 921 _debug("KIV ANAME: %s", name); 922 923 /* extract the principal's instance */ 924 name = Z(INST); 925 _debug("KIV INST : %s", name); 926 927 /* extract the principal's authentication domain */ 928 name = Z(REALM); 929 _debug("KIV REALM: %s", name); 930 931 eproto = tracepoint_string("rxkad_bad_len"); 932 if (end - p < 4 + 8 + 4 + 2) 933 goto bad_ticket; 934 935 /* get the IPv4 address of the entity that requested the ticket */ 936 memcpy(&addr, p, sizeof(addr)); 937 p += 4; 938 _debug("KIV ADDR : %pI4", &addr); 939 940 /* get the session key from the ticket */ 941 memcpy(&key, p, sizeof(key)); 942 p += 8; 943 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1])); 944 memcpy(_session_key, &key, sizeof(key)); 945 946 /* get the ticket's lifetime */ 947 life = *p++ * 5 * 60; 948 _debug("KIV LIFE : %u", life); 949 950 /* get the issue time of the ticket */ 951 if (little_endian) { 952 __le32 stamp; 953 memcpy(&stamp, p, 4); 954 issue = le32_to_cpu(stamp); 955 } else { 956 __be32 stamp; 957 memcpy(&stamp, p, 4); 958 issue = be32_to_cpu(stamp); 959 } 960 p += 4; 961 now = get_seconds(); 962 _debug("KIV ISSUE: %lx [%lx]", issue, now); 963 964 /* check the ticket is in date */ 965 if (issue > now) { 966 abort_code = RXKADNOAUTH; 967 ret = -EKEYREJECTED; 968 goto other_error; 969 } 970 971 if (issue < now - life) { 972 abort_code = RXKADEXPIRED; 973 ret = -EKEYEXPIRED; 974 goto other_error; 975 } 976 977 *_expiry = issue + life; 978 979 /* get the service name */ 980 name = Z(SNAME); 981 _debug("KIV SNAME: %s", name); 982 983 /* get the service instance name */ 984 name = Z(INST); 985 _debug("KIV SINST: %s", name); 986 return 0; 987 988 bad_ticket: 989 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto); 990 abort_code = RXKADBADTICKET; 991 ret = -EPROTO; 992 other_error: 993 *_abort_code = abort_code; 994 return ret; 995 temporary_error: 996 return ret; 997 } 998 999 /* 1000 * decrypt the response packet 1001 */ 1002 static void rxkad_decrypt_response(struct rxrpc_connection *conn, 1003 struct rxkad_response *resp, 1004 const struct rxrpc_crypt *session_key) 1005 { 1006 SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci); 1007 struct scatterlist sg[1]; 1008 struct rxrpc_crypt iv; 1009 1010 _enter(",,%08x%08x", 1011 ntohl(session_key->n[0]), ntohl(session_key->n[1])); 1012 1013 ASSERT(rxkad_ci != NULL); 1014 1015 mutex_lock(&rxkad_ci_mutex); 1016 if (crypto_skcipher_setkey(rxkad_ci, session_key->x, 1017 sizeof(*session_key)) < 0) 1018 BUG(); 1019 1020 memcpy(&iv, session_key, sizeof(iv)); 1021 1022 sg_init_table(sg, 1); 1023 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 1024 skcipher_request_set_tfm(req, rxkad_ci); 1025 skcipher_request_set_callback(req, 0, NULL, NULL); 1026 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 1027 crypto_skcipher_decrypt(req); 1028 skcipher_request_zero(req); 1029 1030 mutex_unlock(&rxkad_ci_mutex); 1031 1032 _leave(""); 1033 } 1034 1035 /* 1036 * verify a response 1037 */ 1038 static int rxkad_verify_response(struct rxrpc_connection *conn, 1039 struct sk_buff *skb, 1040 u32 *_abort_code) 1041 { 1042 struct rxkad_response response 1043 __attribute__((aligned(8))); /* must be aligned for crypto */ 1044 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 1045 struct rxrpc_crypt session_key; 1046 const char *eproto; 1047 time_t expiry; 1048 void *ticket; 1049 u32 abort_code, version, kvno, ticket_len, level; 1050 __be32 csum; 1051 int ret, i; 1052 1053 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key)); 1054 1055 eproto = tracepoint_string("rxkad_rsp_short"); 1056 abort_code = RXKADPACKETSHORT; 1057 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 1058 &response, sizeof(response)) < 0) 1059 goto protocol_error; 1060 if (!pskb_pull(skb, sizeof(response))) 1061 BUG(); 1062 1063 version = ntohl(response.version); 1064 ticket_len = ntohl(response.ticket_len); 1065 kvno = ntohl(response.kvno); 1066 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }", 1067 sp->hdr.serial, version, kvno, ticket_len); 1068 1069 eproto = tracepoint_string("rxkad_rsp_ver"); 1070 abort_code = RXKADINCONSISTENCY; 1071 if (version != RXKAD_VERSION) 1072 goto protocol_error; 1073 1074 eproto = tracepoint_string("rxkad_rsp_tktlen"); 1075 abort_code = RXKADTICKETLEN; 1076 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) 1077 goto protocol_error; 1078 1079 eproto = tracepoint_string("rxkad_rsp_unkkey"); 1080 abort_code = RXKADUNKNOWNKEY; 1081 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) 1082 goto protocol_error; 1083 1084 /* extract the kerberos ticket and decrypt and decode it */ 1085 ret = -ENOMEM; 1086 ticket = kmalloc(ticket_len, GFP_NOFS); 1087 if (!ticket) 1088 goto temporary_error; 1089 1090 eproto = tracepoint_string("rxkad_tkt_short"); 1091 abort_code = RXKADPACKETSHORT; 1092 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 1093 ticket, ticket_len) < 0) 1094 goto protocol_error_free; 1095 1096 ret = rxkad_decrypt_ticket(conn, skb, ticket, ticket_len, &session_key, 1097 &expiry, _abort_code); 1098 if (ret < 0) 1099 goto temporary_error_free; 1100 1101 /* use the session key from inside the ticket to decrypt the 1102 * response */ 1103 rxkad_decrypt_response(conn, &response, &session_key); 1104 1105 eproto = tracepoint_string("rxkad_rsp_param"); 1106 abort_code = RXKADSEALEDINCON; 1107 if (ntohl(response.encrypted.epoch) != conn->proto.epoch) 1108 goto protocol_error_free; 1109 if (ntohl(response.encrypted.cid) != conn->proto.cid) 1110 goto protocol_error_free; 1111 if (ntohl(response.encrypted.securityIndex) != conn->security_ix) 1112 goto protocol_error_free; 1113 csum = response.encrypted.checksum; 1114 response.encrypted.checksum = 0; 1115 rxkad_calc_response_checksum(&response); 1116 eproto = tracepoint_string("rxkad_rsp_csum"); 1117 if (response.encrypted.checksum != csum) 1118 goto protocol_error_free; 1119 1120 spin_lock(&conn->channel_lock); 1121 for (i = 0; i < RXRPC_MAXCALLS; i++) { 1122 struct rxrpc_call *call; 1123 u32 call_id = ntohl(response.encrypted.call_id[i]); 1124 1125 eproto = tracepoint_string("rxkad_rsp_callid"); 1126 if (call_id > INT_MAX) 1127 goto protocol_error_unlock; 1128 1129 eproto = tracepoint_string("rxkad_rsp_callctr"); 1130 if (call_id < conn->channels[i].call_counter) 1131 goto protocol_error_unlock; 1132 1133 eproto = tracepoint_string("rxkad_rsp_callst"); 1134 if (call_id > conn->channels[i].call_counter) { 1135 call = rcu_dereference_protected( 1136 conn->channels[i].call, 1137 lockdep_is_held(&conn->channel_lock)); 1138 if (call && call->state < RXRPC_CALL_COMPLETE) 1139 goto protocol_error_unlock; 1140 conn->channels[i].call_counter = call_id; 1141 } 1142 } 1143 spin_unlock(&conn->channel_lock); 1144 1145 eproto = tracepoint_string("rxkad_rsp_seq"); 1146 abort_code = RXKADOUTOFSEQUENCE; 1147 if (ntohl(response.encrypted.inc_nonce) != conn->security_nonce + 1) 1148 goto protocol_error_free; 1149 1150 eproto = tracepoint_string("rxkad_rsp_level"); 1151 abort_code = RXKADLEVELFAIL; 1152 level = ntohl(response.encrypted.level); 1153 if (level > RXRPC_SECURITY_ENCRYPT) 1154 goto protocol_error_free; 1155 conn->params.security_level = level; 1156 1157 /* create a key to hold the security data and expiration time - after 1158 * this the connection security can be handled in exactly the same way 1159 * as for a client connection */ 1160 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); 1161 if (ret < 0) 1162 goto temporary_error_free; 1163 1164 kfree(ticket); 1165 _leave(" = 0"); 1166 return 0; 1167 1168 protocol_error_unlock: 1169 spin_unlock(&conn->channel_lock); 1170 protocol_error_free: 1171 kfree(ticket); 1172 protocol_error: 1173 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto); 1174 *_abort_code = abort_code; 1175 return -EPROTO; 1176 1177 temporary_error_free: 1178 kfree(ticket); 1179 temporary_error: 1180 /* Ignore the response packet if we got a temporary error such as 1181 * ENOMEM. We just want to send the challenge again. Note that we 1182 * also come out this way if the ticket decryption fails. 1183 */ 1184 return ret; 1185 } 1186 1187 /* 1188 * clear the connection security 1189 */ 1190 static void rxkad_clear(struct rxrpc_connection *conn) 1191 { 1192 _enter(""); 1193 1194 if (conn->cipher) 1195 crypto_free_skcipher(conn->cipher); 1196 } 1197 1198 /* 1199 * Initialise the rxkad security service. 1200 */ 1201 static int rxkad_init(void) 1202 { 1203 /* pin the cipher we need so that the crypto layer doesn't invoke 1204 * keventd to go get it */ 1205 rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 1206 return PTR_ERR_OR_ZERO(rxkad_ci); 1207 } 1208 1209 /* 1210 * Clean up the rxkad security service. 1211 */ 1212 static void rxkad_exit(void) 1213 { 1214 if (rxkad_ci) 1215 crypto_free_skcipher(rxkad_ci); 1216 } 1217 1218 /* 1219 * RxRPC Kerberos-based security 1220 */ 1221 const struct rxrpc_security rxkad = { 1222 .name = "rxkad", 1223 .security_index = RXRPC_SECURITY_RXKAD, 1224 .init = rxkad_init, 1225 .exit = rxkad_exit, 1226 .init_connection_security = rxkad_init_connection_security, 1227 .prime_packet_security = rxkad_prime_packet_security, 1228 .secure_packet = rxkad_secure_packet, 1229 .verify_packet = rxkad_verify_packet, 1230 .locate_data = rxkad_locate_data, 1231 .issue_challenge = rxkad_issue_challenge, 1232 .respond_to_challenge = rxkad_respond_to_challenge, 1233 .verify_response = rxkad_verify_response, 1234 .clear = rxkad_clear, 1235 }; 1236