1 /* Kerberos-based RxRPC security 2 * 3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 13 14 #include <crypto/skcipher.h> 15 #include <linux/module.h> 16 #include <linux/net.h> 17 #include <linux/skbuff.h> 18 #include <linux/udp.h> 19 #include <linux/scatterlist.h> 20 #include <linux/ctype.h> 21 #include <linux/slab.h> 22 #include <net/sock.h> 23 #include <net/af_rxrpc.h> 24 #include <keys/rxrpc-type.h> 25 #include "ar-internal.h" 26 27 #define RXKAD_VERSION 2 28 #define MAXKRB5TICKETLEN 1024 29 #define RXKAD_TKT_TYPE_KERBEROS_V5 256 30 #define ANAME_SZ 40 /* size of authentication name */ 31 #define INST_SZ 40 /* size of principal's instance */ 32 #define REALM_SZ 40 /* size of principal's auth domain */ 33 #define SNAME_SZ 40 /* size of service name */ 34 35 struct rxkad_level1_hdr { 36 __be32 data_size; /* true data size (excluding padding) */ 37 }; 38 39 struct rxkad_level2_hdr { 40 __be32 data_size; /* true data size (excluding padding) */ 41 __be32 checksum; /* decrypted data checksum */ 42 }; 43 44 /* 45 * this holds a pinned cipher so that keventd doesn't get called by the cipher 46 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE 47 * packets 48 */ 49 static struct crypto_skcipher *rxkad_ci; 50 static DEFINE_MUTEX(rxkad_ci_mutex); 51 52 /* 53 * initialise connection security 54 */ 55 static int rxkad_init_connection_security(struct rxrpc_connection *conn) 56 { 57 struct crypto_skcipher *ci; 58 struct rxrpc_key_token *token; 59 int ret; 60 61 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key)); 62 63 token = conn->params.key->payload.data[0]; 64 conn->security_ix = token->security_index; 65 66 ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 67 if (IS_ERR(ci)) { 68 _debug("no cipher"); 69 ret = PTR_ERR(ci); 70 goto error; 71 } 72 73 if (crypto_skcipher_setkey(ci, token->kad->session_key, 74 sizeof(token->kad->session_key)) < 0) 75 BUG(); 76 77 switch (conn->params.security_level) { 78 case RXRPC_SECURITY_PLAIN: 79 break; 80 case RXRPC_SECURITY_AUTH: 81 conn->size_align = 8; 82 conn->security_size = sizeof(struct rxkad_level1_hdr); 83 conn->header_size += sizeof(struct rxkad_level1_hdr); 84 break; 85 case RXRPC_SECURITY_ENCRYPT: 86 conn->size_align = 8; 87 conn->security_size = sizeof(struct rxkad_level2_hdr); 88 conn->header_size += sizeof(struct rxkad_level2_hdr); 89 break; 90 default: 91 ret = -EKEYREJECTED; 92 goto error; 93 } 94 95 conn->cipher = ci; 96 ret = 0; 97 error: 98 _leave(" = %d", ret); 99 return ret; 100 } 101 102 /* 103 * prime the encryption state with the invariant parts of a connection's 104 * description 105 */ 106 static int rxkad_prime_packet_security(struct rxrpc_connection *conn) 107 { 108 struct rxrpc_key_token *token; 109 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher); 110 struct scatterlist sg; 111 struct rxrpc_crypt iv; 112 __be32 *tmpbuf; 113 size_t tmpsize = 4 * sizeof(__be32); 114 115 _enter(""); 116 117 if (!conn->params.key) 118 return 0; 119 120 tmpbuf = kmalloc(tmpsize, GFP_KERNEL); 121 if (!tmpbuf) 122 return -ENOMEM; 123 124 token = conn->params.key->payload.data[0]; 125 memcpy(&iv, token->kad->session_key, sizeof(iv)); 126 127 tmpbuf[0] = htonl(conn->proto.epoch); 128 tmpbuf[1] = htonl(conn->proto.cid); 129 tmpbuf[2] = 0; 130 tmpbuf[3] = htonl(conn->security_ix); 131 132 sg_init_one(&sg, tmpbuf, tmpsize); 133 skcipher_request_set_tfm(req, conn->cipher); 134 skcipher_request_set_callback(req, 0, NULL, NULL); 135 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x); 136 crypto_skcipher_encrypt(req); 137 skcipher_request_zero(req); 138 139 memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv)); 140 kfree(tmpbuf); 141 _leave(" = 0"); 142 return 0; 143 } 144 145 /* 146 * partially encrypt a packet (level 1 security) 147 */ 148 static int rxkad_secure_packet_auth(const struct rxrpc_call *call, 149 struct sk_buff *skb, 150 u32 data_size, 151 void *sechdr) 152 { 153 struct rxrpc_skb_priv *sp; 154 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 155 struct rxkad_level1_hdr hdr; 156 struct rxrpc_crypt iv; 157 struct scatterlist sg; 158 u16 check; 159 160 sp = rxrpc_skb(skb); 161 162 _enter(""); 163 164 check = sp->hdr.seq ^ sp->hdr.callNumber; 165 data_size |= (u32)check << 16; 166 167 hdr.data_size = htonl(data_size); 168 memcpy(sechdr, &hdr, sizeof(hdr)); 169 170 /* start the encryption afresh */ 171 memset(&iv, 0, sizeof(iv)); 172 173 sg_init_one(&sg, sechdr, 8); 174 skcipher_request_set_tfm(req, call->conn->cipher); 175 skcipher_request_set_callback(req, 0, NULL, NULL); 176 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 177 crypto_skcipher_encrypt(req); 178 skcipher_request_zero(req); 179 180 _leave(" = 0"); 181 return 0; 182 } 183 184 /* 185 * wholly encrypt a packet (level 2 security) 186 */ 187 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, 188 struct sk_buff *skb, 189 u32 data_size, 190 void *sechdr) 191 { 192 const struct rxrpc_key_token *token; 193 struct rxkad_level2_hdr rxkhdr; 194 struct rxrpc_skb_priv *sp; 195 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 196 struct rxrpc_crypt iv; 197 struct scatterlist sg[16]; 198 struct sk_buff *trailer; 199 unsigned int len; 200 u16 check; 201 int nsg; 202 int err; 203 204 sp = rxrpc_skb(skb); 205 206 _enter(""); 207 208 check = sp->hdr.seq ^ sp->hdr.callNumber; 209 210 rxkhdr.data_size = htonl(data_size | (u32)check << 16); 211 rxkhdr.checksum = 0; 212 memcpy(sechdr, &rxkhdr, sizeof(rxkhdr)); 213 214 /* encrypt from the session key */ 215 token = call->conn->params.key->payload.data[0]; 216 memcpy(&iv, token->kad->session_key, sizeof(iv)); 217 218 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr)); 219 skcipher_request_set_tfm(req, call->conn->cipher); 220 skcipher_request_set_callback(req, 0, NULL, NULL); 221 skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x); 222 crypto_skcipher_encrypt(req); 223 224 /* we want to encrypt the skbuff in-place */ 225 nsg = skb_cow_data(skb, 0, &trailer); 226 err = -ENOMEM; 227 if (nsg < 0 || nsg > 16) 228 goto out; 229 230 len = data_size + call->conn->size_align - 1; 231 len &= ~(call->conn->size_align - 1); 232 233 sg_init_table(sg, nsg); 234 skb_to_sgvec(skb, sg, 0, len); 235 skcipher_request_set_crypt(req, sg, sg, len, iv.x); 236 crypto_skcipher_encrypt(req); 237 238 _leave(" = 0"); 239 err = 0; 240 241 out: 242 skcipher_request_zero(req); 243 return err; 244 } 245 246 /* 247 * checksum an RxRPC packet header 248 */ 249 static int rxkad_secure_packet(struct rxrpc_call *call, 250 struct sk_buff *skb, 251 size_t data_size, 252 void *sechdr) 253 { 254 struct rxrpc_skb_priv *sp; 255 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 256 struct rxrpc_crypt iv; 257 struct scatterlist sg; 258 u32 x, y; 259 int ret; 260 261 sp = rxrpc_skb(skb); 262 263 _enter("{%d{%x}},{#%u},%zu,", 264 call->debug_id, key_serial(call->conn->params.key), 265 sp->hdr.seq, data_size); 266 267 if (!call->conn->cipher) 268 return 0; 269 270 ret = key_validate(call->conn->params.key); 271 if (ret < 0) 272 return ret; 273 274 /* continue encrypting from where we left off */ 275 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 276 277 /* calculate the security checksum */ 278 x = call->channel << (32 - RXRPC_CIDSHIFT); 279 x |= sp->hdr.seq & 0x3fffffff; 280 call->crypto_buf[0] = htonl(sp->hdr.callNumber); 281 call->crypto_buf[1] = htonl(x); 282 283 sg_init_one(&sg, call->crypto_buf, 8); 284 skcipher_request_set_tfm(req, call->conn->cipher); 285 skcipher_request_set_callback(req, 0, NULL, NULL); 286 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 287 crypto_skcipher_encrypt(req); 288 skcipher_request_zero(req); 289 290 y = ntohl(call->crypto_buf[1]); 291 y = (y >> 16) & 0xffff; 292 if (y == 0) 293 y = 1; /* zero checksums are not permitted */ 294 sp->hdr.cksum = y; 295 296 switch (call->conn->params.security_level) { 297 case RXRPC_SECURITY_PLAIN: 298 ret = 0; 299 break; 300 case RXRPC_SECURITY_AUTH: 301 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr); 302 break; 303 case RXRPC_SECURITY_ENCRYPT: 304 ret = rxkad_secure_packet_encrypt(call, skb, data_size, 305 sechdr); 306 break; 307 default: 308 ret = -EPERM; 309 break; 310 } 311 312 _leave(" = %d [set %hx]", ret, y); 313 return ret; 314 } 315 316 /* 317 * decrypt partial encryption on a packet (level 1 security) 318 */ 319 static int rxkad_verify_packet_auth(const struct rxrpc_call *call, 320 struct sk_buff *skb, 321 u32 *_abort_code) 322 { 323 struct rxkad_level1_hdr sechdr; 324 struct rxrpc_skb_priv *sp; 325 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 326 struct rxrpc_crypt iv; 327 struct scatterlist sg[16]; 328 struct sk_buff *trailer; 329 u32 data_size, buf; 330 u16 check; 331 int nsg; 332 333 _enter(""); 334 335 sp = rxrpc_skb(skb); 336 337 /* we want to decrypt the skbuff in-place */ 338 nsg = skb_cow_data(skb, 0, &trailer); 339 if (nsg < 0 || nsg > 16) 340 goto nomem; 341 342 sg_init_table(sg, nsg); 343 skb_to_sgvec(skb, sg, 0, 8); 344 345 /* start the decryption afresh */ 346 memset(&iv, 0, sizeof(iv)); 347 348 skcipher_request_set_tfm(req, call->conn->cipher); 349 skcipher_request_set_callback(req, 0, NULL, NULL); 350 skcipher_request_set_crypt(req, sg, sg, 8, iv.x); 351 crypto_skcipher_decrypt(req); 352 skcipher_request_zero(req); 353 354 /* remove the decrypted packet length */ 355 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0) 356 goto datalen_error; 357 if (!skb_pull(skb, sizeof(sechdr))) 358 BUG(); 359 360 buf = ntohl(sechdr.data_size); 361 data_size = buf & 0xffff; 362 363 check = buf >> 16; 364 check ^= sp->hdr.seq ^ sp->hdr.callNumber; 365 check &= 0xffff; 366 if (check != 0) { 367 *_abort_code = RXKADSEALEDINCON; 368 goto protocol_error; 369 } 370 371 /* shorten the packet to remove the padding */ 372 if (data_size > skb->len) 373 goto datalen_error; 374 else if (data_size < skb->len) 375 skb->len = data_size; 376 377 _leave(" = 0 [dlen=%x]", data_size); 378 return 0; 379 380 datalen_error: 381 *_abort_code = RXKADDATALEN; 382 protocol_error: 383 _leave(" = -EPROTO"); 384 return -EPROTO; 385 386 nomem: 387 _leave(" = -ENOMEM"); 388 return -ENOMEM; 389 } 390 391 /* 392 * wholly decrypt a packet (level 2 security) 393 */ 394 static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call, 395 struct sk_buff *skb, 396 u32 *_abort_code) 397 { 398 const struct rxrpc_key_token *token; 399 struct rxkad_level2_hdr sechdr; 400 struct rxrpc_skb_priv *sp; 401 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 402 struct rxrpc_crypt iv; 403 struct scatterlist _sg[4], *sg; 404 struct sk_buff *trailer; 405 u32 data_size, buf; 406 u16 check; 407 int nsg; 408 409 _enter(",{%d}", skb->len); 410 411 sp = rxrpc_skb(skb); 412 413 /* we want to decrypt the skbuff in-place */ 414 nsg = skb_cow_data(skb, 0, &trailer); 415 if (nsg < 0) 416 goto nomem; 417 418 sg = _sg; 419 if (unlikely(nsg > 4)) { 420 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO); 421 if (!sg) 422 goto nomem; 423 } 424 425 sg_init_table(sg, nsg); 426 skb_to_sgvec(skb, sg, 0, skb->len); 427 428 /* decrypt from the session key */ 429 token = call->conn->params.key->payload.data[0]; 430 memcpy(&iv, token->kad->session_key, sizeof(iv)); 431 432 skcipher_request_set_tfm(req, call->conn->cipher); 433 skcipher_request_set_callback(req, 0, NULL, NULL); 434 skcipher_request_set_crypt(req, sg, sg, skb->len, iv.x); 435 crypto_skcipher_decrypt(req); 436 skcipher_request_zero(req); 437 if (sg != _sg) 438 kfree(sg); 439 440 /* remove the decrypted packet length */ 441 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0) 442 goto datalen_error; 443 if (!skb_pull(skb, sizeof(sechdr))) 444 BUG(); 445 446 buf = ntohl(sechdr.data_size); 447 data_size = buf & 0xffff; 448 449 check = buf >> 16; 450 check ^= sp->hdr.seq ^ sp->hdr.callNumber; 451 check &= 0xffff; 452 if (check != 0) { 453 *_abort_code = RXKADSEALEDINCON; 454 goto protocol_error; 455 } 456 457 /* shorten the packet to remove the padding */ 458 if (data_size > skb->len) 459 goto datalen_error; 460 else if (data_size < skb->len) 461 skb->len = data_size; 462 463 _leave(" = 0 [dlen=%x]", data_size); 464 return 0; 465 466 datalen_error: 467 *_abort_code = RXKADDATALEN; 468 protocol_error: 469 _leave(" = -EPROTO"); 470 return -EPROTO; 471 472 nomem: 473 _leave(" = -ENOMEM"); 474 return -ENOMEM; 475 } 476 477 /* 478 * verify the security on a received packet 479 */ 480 static int rxkad_verify_packet(struct rxrpc_call *call, 481 struct sk_buff *skb, 482 u32 *_abort_code) 483 { 484 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 485 struct rxrpc_skb_priv *sp; 486 struct rxrpc_crypt iv; 487 struct scatterlist sg; 488 u16 cksum; 489 u32 x, y; 490 int ret; 491 492 sp = rxrpc_skb(skb); 493 494 _enter("{%d{%x}},{#%u}", 495 call->debug_id, key_serial(call->conn->params.key), sp->hdr.seq); 496 497 if (!call->conn->cipher) 498 return 0; 499 500 if (sp->hdr.securityIndex != RXRPC_SECURITY_RXKAD) { 501 *_abort_code = RXKADINCONSISTENCY; 502 _leave(" = -EPROTO [not rxkad]"); 503 return -EPROTO; 504 } 505 506 /* continue encrypting from where we left off */ 507 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 508 509 /* validate the security checksum */ 510 x = call->channel << (32 - RXRPC_CIDSHIFT); 511 x |= sp->hdr.seq & 0x3fffffff; 512 call->crypto_buf[0] = htonl(call->call_id); 513 call->crypto_buf[1] = htonl(x); 514 515 sg_init_one(&sg, call->crypto_buf, 8); 516 skcipher_request_set_tfm(req, call->conn->cipher); 517 skcipher_request_set_callback(req, 0, NULL, NULL); 518 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 519 crypto_skcipher_encrypt(req); 520 skcipher_request_zero(req); 521 522 y = ntohl(call->crypto_buf[1]); 523 cksum = (y >> 16) & 0xffff; 524 if (cksum == 0) 525 cksum = 1; /* zero checksums are not permitted */ 526 527 if (sp->hdr.cksum != cksum) { 528 *_abort_code = RXKADSEALEDINCON; 529 _leave(" = -EPROTO [csum failed]"); 530 return -EPROTO; 531 } 532 533 switch (call->conn->params.security_level) { 534 case RXRPC_SECURITY_PLAIN: 535 ret = 0; 536 break; 537 case RXRPC_SECURITY_AUTH: 538 ret = rxkad_verify_packet_auth(call, skb, _abort_code); 539 break; 540 case RXRPC_SECURITY_ENCRYPT: 541 ret = rxkad_verify_packet_encrypt(call, skb, _abort_code); 542 break; 543 default: 544 ret = -ENOANO; 545 break; 546 } 547 548 _leave(" = %d", ret); 549 return ret; 550 } 551 552 /* 553 * issue a challenge 554 */ 555 static int rxkad_issue_challenge(struct rxrpc_connection *conn) 556 { 557 struct rxkad_challenge challenge; 558 struct rxrpc_wire_header whdr; 559 struct msghdr msg; 560 struct kvec iov[2]; 561 size_t len; 562 u32 serial; 563 int ret; 564 565 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key)); 566 567 ret = key_validate(conn->params.key); 568 if (ret < 0) 569 return ret; 570 571 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce)); 572 573 challenge.version = htonl(2); 574 challenge.nonce = htonl(conn->security_nonce); 575 challenge.min_level = htonl(0); 576 challenge.__padding = 0; 577 578 msg.msg_name = &conn->params.peer->srx.transport.sin; 579 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin); 580 msg.msg_control = NULL; 581 msg.msg_controllen = 0; 582 msg.msg_flags = 0; 583 584 whdr.epoch = htonl(conn->proto.epoch); 585 whdr.cid = htonl(conn->proto.cid); 586 whdr.callNumber = 0; 587 whdr.seq = 0; 588 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE; 589 whdr.flags = conn->out_clientflag; 590 whdr.userStatus = 0; 591 whdr.securityIndex = conn->security_ix; 592 whdr._rsvd = 0; 593 whdr.serviceId = htons(conn->params.service_id); 594 595 iov[0].iov_base = &whdr; 596 iov[0].iov_len = sizeof(whdr); 597 iov[1].iov_base = &challenge; 598 iov[1].iov_len = sizeof(challenge); 599 600 len = iov[0].iov_len + iov[1].iov_len; 601 602 serial = atomic_inc_return(&conn->serial); 603 whdr.serial = htonl(serial); 604 _proto("Tx CHALLENGE %%%u", serial); 605 606 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len); 607 if (ret < 0) { 608 _debug("sendmsg failed: %d", ret); 609 return -EAGAIN; 610 } 611 612 _leave(" = 0"); 613 return 0; 614 } 615 616 /* 617 * send a Kerberos security response 618 */ 619 static int rxkad_send_response(struct rxrpc_connection *conn, 620 struct rxrpc_host_header *hdr, 621 struct rxkad_response *resp, 622 const struct rxkad_key *s2) 623 { 624 struct rxrpc_wire_header whdr; 625 struct msghdr msg; 626 struct kvec iov[3]; 627 size_t len; 628 u32 serial; 629 int ret; 630 631 _enter(""); 632 633 msg.msg_name = &conn->params.peer->srx.transport.sin; 634 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin); 635 msg.msg_control = NULL; 636 msg.msg_controllen = 0; 637 msg.msg_flags = 0; 638 639 memset(&whdr, 0, sizeof(whdr)); 640 whdr.epoch = htonl(hdr->epoch); 641 whdr.cid = htonl(hdr->cid); 642 whdr.type = RXRPC_PACKET_TYPE_RESPONSE; 643 whdr.flags = conn->out_clientflag; 644 whdr.securityIndex = hdr->securityIndex; 645 whdr.serviceId = htons(hdr->serviceId); 646 647 iov[0].iov_base = &whdr; 648 iov[0].iov_len = sizeof(whdr); 649 iov[1].iov_base = resp; 650 iov[1].iov_len = sizeof(*resp); 651 iov[2].iov_base = (void *)s2->ticket; 652 iov[2].iov_len = s2->ticket_len; 653 654 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len; 655 656 serial = atomic_inc_return(&conn->serial); 657 whdr.serial = htonl(serial); 658 _proto("Tx RESPONSE %%%u", serial); 659 660 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len); 661 if (ret < 0) { 662 _debug("sendmsg failed: %d", ret); 663 return -EAGAIN; 664 } 665 666 _leave(" = 0"); 667 return 0; 668 } 669 670 /* 671 * calculate the response checksum 672 */ 673 static void rxkad_calc_response_checksum(struct rxkad_response *response) 674 { 675 u32 csum = 1000003; 676 int loop; 677 u8 *p = (u8 *) response; 678 679 for (loop = sizeof(*response); loop > 0; loop--) 680 csum = csum * 0x10204081 + *p++; 681 682 response->encrypted.checksum = htonl(csum); 683 } 684 685 /* 686 * encrypt the response packet 687 */ 688 static void rxkad_encrypt_response(struct rxrpc_connection *conn, 689 struct rxkad_response *resp, 690 const struct rxkad_key *s2) 691 { 692 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher); 693 struct rxrpc_crypt iv; 694 struct scatterlist sg[1]; 695 696 /* continue encrypting from where we left off */ 697 memcpy(&iv, s2->session_key, sizeof(iv)); 698 699 sg_init_table(sg, 1); 700 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 701 skcipher_request_set_tfm(req, conn->cipher); 702 skcipher_request_set_callback(req, 0, NULL, NULL); 703 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 704 crypto_skcipher_encrypt(req); 705 skcipher_request_zero(req); 706 } 707 708 /* 709 * respond to a challenge packet 710 */ 711 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn, 712 struct sk_buff *skb, 713 u32 *_abort_code) 714 { 715 const struct rxrpc_key_token *token; 716 struct rxkad_challenge challenge; 717 struct rxkad_response resp 718 __attribute__((aligned(8))); /* must be aligned for crypto */ 719 struct rxrpc_skb_priv *sp; 720 u32 version, nonce, min_level, abort_code; 721 int ret; 722 723 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key)); 724 725 if (!conn->params.key) { 726 _leave(" = -EPROTO [no key]"); 727 return -EPROTO; 728 } 729 730 ret = key_validate(conn->params.key); 731 if (ret < 0) { 732 *_abort_code = RXKADEXPIRED; 733 return ret; 734 } 735 736 abort_code = RXKADPACKETSHORT; 737 sp = rxrpc_skb(skb); 738 if (skb_copy_bits(skb, 0, &challenge, sizeof(challenge)) < 0) 739 goto protocol_error; 740 741 version = ntohl(challenge.version); 742 nonce = ntohl(challenge.nonce); 743 min_level = ntohl(challenge.min_level); 744 745 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }", 746 sp->hdr.serial, version, nonce, min_level); 747 748 abort_code = RXKADINCONSISTENCY; 749 if (version != RXKAD_VERSION) 750 goto protocol_error; 751 752 abort_code = RXKADLEVELFAIL; 753 if (conn->params.security_level < min_level) 754 goto protocol_error; 755 756 token = conn->params.key->payload.data[0]; 757 758 /* build the response packet */ 759 memset(&resp, 0, sizeof(resp)); 760 761 resp.version = htonl(RXKAD_VERSION); 762 resp.encrypted.epoch = htonl(conn->proto.epoch); 763 resp.encrypted.cid = htonl(conn->proto.cid); 764 resp.encrypted.securityIndex = htonl(conn->security_ix); 765 resp.encrypted.inc_nonce = htonl(nonce + 1); 766 resp.encrypted.level = htonl(conn->params.security_level); 767 resp.kvno = htonl(token->kad->kvno); 768 resp.ticket_len = htonl(token->kad->ticket_len); 769 770 resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter); 771 resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter); 772 resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter); 773 resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter); 774 775 /* calculate the response checksum and then do the encryption */ 776 rxkad_calc_response_checksum(&resp); 777 rxkad_encrypt_response(conn, &resp, token->kad); 778 return rxkad_send_response(conn, &sp->hdr, &resp, token->kad); 779 780 protocol_error: 781 *_abort_code = abort_code; 782 _leave(" = -EPROTO [%d]", abort_code); 783 return -EPROTO; 784 } 785 786 /* 787 * decrypt the kerberos IV ticket in the response 788 */ 789 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn, 790 void *ticket, size_t ticket_len, 791 struct rxrpc_crypt *_session_key, 792 time_t *_expiry, 793 u32 *_abort_code) 794 { 795 struct skcipher_request *req; 796 struct rxrpc_crypt iv, key; 797 struct scatterlist sg[1]; 798 struct in_addr addr; 799 unsigned int life; 800 time_t issue, now; 801 bool little_endian; 802 int ret; 803 u8 *p, *q, *name, *end; 804 805 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key)); 806 807 *_expiry = 0; 808 809 ret = key_validate(conn->server_key); 810 if (ret < 0) { 811 switch (ret) { 812 case -EKEYEXPIRED: 813 *_abort_code = RXKADEXPIRED; 814 goto error; 815 default: 816 *_abort_code = RXKADNOAUTH; 817 goto error; 818 } 819 } 820 821 ASSERT(conn->server_key->payload.data[0] != NULL); 822 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0); 823 824 memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv)); 825 826 req = skcipher_request_alloc(conn->server_key->payload.data[0], 827 GFP_NOFS); 828 if (!req) { 829 *_abort_code = RXKADNOAUTH; 830 ret = -ENOMEM; 831 goto error; 832 } 833 834 sg_init_one(&sg[0], ticket, ticket_len); 835 skcipher_request_set_callback(req, 0, NULL, NULL); 836 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x); 837 crypto_skcipher_decrypt(req); 838 skcipher_request_free(req); 839 840 p = ticket; 841 end = p + ticket_len; 842 843 #define Z(size) \ 844 ({ \ 845 u8 *__str = p; \ 846 q = memchr(p, 0, end - p); \ 847 if (!q || q - p > (size)) \ 848 goto bad_ticket; \ 849 for (; p < q; p++) \ 850 if (!isprint(*p)) \ 851 goto bad_ticket; \ 852 p++; \ 853 __str; \ 854 }) 855 856 /* extract the ticket flags */ 857 _debug("KIV FLAGS: %x", *p); 858 little_endian = *p & 1; 859 p++; 860 861 /* extract the authentication name */ 862 name = Z(ANAME_SZ); 863 _debug("KIV ANAME: %s", name); 864 865 /* extract the principal's instance */ 866 name = Z(INST_SZ); 867 _debug("KIV INST : %s", name); 868 869 /* extract the principal's authentication domain */ 870 name = Z(REALM_SZ); 871 _debug("KIV REALM: %s", name); 872 873 if (end - p < 4 + 8 + 4 + 2) 874 goto bad_ticket; 875 876 /* get the IPv4 address of the entity that requested the ticket */ 877 memcpy(&addr, p, sizeof(addr)); 878 p += 4; 879 _debug("KIV ADDR : %pI4", &addr); 880 881 /* get the session key from the ticket */ 882 memcpy(&key, p, sizeof(key)); 883 p += 8; 884 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1])); 885 memcpy(_session_key, &key, sizeof(key)); 886 887 /* get the ticket's lifetime */ 888 life = *p++ * 5 * 60; 889 _debug("KIV LIFE : %u", life); 890 891 /* get the issue time of the ticket */ 892 if (little_endian) { 893 __le32 stamp; 894 memcpy(&stamp, p, 4); 895 issue = le32_to_cpu(stamp); 896 } else { 897 __be32 stamp; 898 memcpy(&stamp, p, 4); 899 issue = be32_to_cpu(stamp); 900 } 901 p += 4; 902 now = get_seconds(); 903 _debug("KIV ISSUE: %lx [%lx]", issue, now); 904 905 /* check the ticket is in date */ 906 if (issue > now) { 907 *_abort_code = RXKADNOAUTH; 908 ret = -EKEYREJECTED; 909 goto error; 910 } 911 912 if (issue < now - life) { 913 *_abort_code = RXKADEXPIRED; 914 ret = -EKEYEXPIRED; 915 goto error; 916 } 917 918 *_expiry = issue + life; 919 920 /* get the service name */ 921 name = Z(SNAME_SZ); 922 _debug("KIV SNAME: %s", name); 923 924 /* get the service instance name */ 925 name = Z(INST_SZ); 926 _debug("KIV SINST: %s", name); 927 928 ret = 0; 929 error: 930 _leave(" = %d", ret); 931 return ret; 932 933 bad_ticket: 934 *_abort_code = RXKADBADTICKET; 935 ret = -EBADMSG; 936 goto error; 937 } 938 939 /* 940 * decrypt the response packet 941 */ 942 static void rxkad_decrypt_response(struct rxrpc_connection *conn, 943 struct rxkad_response *resp, 944 const struct rxrpc_crypt *session_key) 945 { 946 SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci); 947 struct scatterlist sg[1]; 948 struct rxrpc_crypt iv; 949 950 _enter(",,%08x%08x", 951 ntohl(session_key->n[0]), ntohl(session_key->n[1])); 952 953 ASSERT(rxkad_ci != NULL); 954 955 mutex_lock(&rxkad_ci_mutex); 956 if (crypto_skcipher_setkey(rxkad_ci, session_key->x, 957 sizeof(*session_key)) < 0) 958 BUG(); 959 960 memcpy(&iv, session_key, sizeof(iv)); 961 962 sg_init_table(sg, 1); 963 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 964 skcipher_request_set_tfm(req, rxkad_ci); 965 skcipher_request_set_callback(req, 0, NULL, NULL); 966 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 967 crypto_skcipher_decrypt(req); 968 skcipher_request_zero(req); 969 970 mutex_unlock(&rxkad_ci_mutex); 971 972 _leave(""); 973 } 974 975 /* 976 * verify a response 977 */ 978 static int rxkad_verify_response(struct rxrpc_connection *conn, 979 struct sk_buff *skb, 980 u32 *_abort_code) 981 { 982 struct rxkad_response response 983 __attribute__((aligned(8))); /* must be aligned for crypto */ 984 struct rxrpc_skb_priv *sp; 985 struct rxrpc_crypt session_key; 986 time_t expiry; 987 void *ticket; 988 u32 abort_code, version, kvno, ticket_len, level; 989 __be32 csum; 990 int ret, i; 991 992 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key)); 993 994 abort_code = RXKADPACKETSHORT; 995 if (skb_copy_bits(skb, 0, &response, sizeof(response)) < 0) 996 goto protocol_error; 997 if (!pskb_pull(skb, sizeof(response))) 998 BUG(); 999 1000 version = ntohl(response.version); 1001 ticket_len = ntohl(response.ticket_len); 1002 kvno = ntohl(response.kvno); 1003 sp = rxrpc_skb(skb); 1004 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }", 1005 sp->hdr.serial, version, kvno, ticket_len); 1006 1007 abort_code = RXKADINCONSISTENCY; 1008 if (version != RXKAD_VERSION) 1009 goto protocol_error; 1010 1011 abort_code = RXKADTICKETLEN; 1012 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) 1013 goto protocol_error; 1014 1015 abort_code = RXKADUNKNOWNKEY; 1016 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) 1017 goto protocol_error; 1018 1019 /* extract the kerberos ticket and decrypt and decode it */ 1020 ticket = kmalloc(ticket_len, GFP_NOFS); 1021 if (!ticket) 1022 return -ENOMEM; 1023 1024 abort_code = RXKADPACKETSHORT; 1025 if (skb_copy_bits(skb, 0, ticket, ticket_len) < 0) 1026 goto protocol_error_free; 1027 1028 ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key, 1029 &expiry, &abort_code); 1030 if (ret < 0) { 1031 *_abort_code = abort_code; 1032 kfree(ticket); 1033 return ret; 1034 } 1035 1036 /* use the session key from inside the ticket to decrypt the 1037 * response */ 1038 rxkad_decrypt_response(conn, &response, &session_key); 1039 1040 abort_code = RXKADSEALEDINCON; 1041 if (ntohl(response.encrypted.epoch) != conn->proto.epoch) 1042 goto protocol_error_free; 1043 if (ntohl(response.encrypted.cid) != conn->proto.cid) 1044 goto protocol_error_free; 1045 if (ntohl(response.encrypted.securityIndex) != conn->security_ix) 1046 goto protocol_error_free; 1047 csum = response.encrypted.checksum; 1048 response.encrypted.checksum = 0; 1049 rxkad_calc_response_checksum(&response); 1050 if (response.encrypted.checksum != csum) 1051 goto protocol_error_free; 1052 1053 spin_lock(&conn->channel_lock); 1054 for (i = 0; i < RXRPC_MAXCALLS; i++) { 1055 struct rxrpc_call *call; 1056 u32 call_id = ntohl(response.encrypted.call_id[i]); 1057 1058 if (call_id > INT_MAX) 1059 goto protocol_error_unlock; 1060 1061 if (call_id < conn->channels[i].call_counter) 1062 goto protocol_error_unlock; 1063 if (call_id > conn->channels[i].call_counter) { 1064 call = rcu_dereference_protected( 1065 conn->channels[i].call, 1066 lockdep_is_held(&conn->channel_lock)); 1067 if (call && call->state < RXRPC_CALL_COMPLETE) 1068 goto protocol_error_unlock; 1069 conn->channels[i].call_counter = call_id; 1070 } 1071 } 1072 spin_unlock(&conn->channel_lock); 1073 1074 abort_code = RXKADOUTOFSEQUENCE; 1075 if (ntohl(response.encrypted.inc_nonce) != conn->security_nonce + 1) 1076 goto protocol_error_free; 1077 1078 abort_code = RXKADLEVELFAIL; 1079 level = ntohl(response.encrypted.level); 1080 if (level > RXRPC_SECURITY_ENCRYPT) 1081 goto protocol_error_free; 1082 conn->params.security_level = level; 1083 1084 /* create a key to hold the security data and expiration time - after 1085 * this the connection security can be handled in exactly the same way 1086 * as for a client connection */ 1087 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); 1088 if (ret < 0) { 1089 kfree(ticket); 1090 return ret; 1091 } 1092 1093 kfree(ticket); 1094 _leave(" = 0"); 1095 return 0; 1096 1097 protocol_error_unlock: 1098 spin_unlock(&conn->channel_lock); 1099 protocol_error_free: 1100 kfree(ticket); 1101 protocol_error: 1102 *_abort_code = abort_code; 1103 _leave(" = -EPROTO [%d]", abort_code); 1104 return -EPROTO; 1105 } 1106 1107 /* 1108 * clear the connection security 1109 */ 1110 static void rxkad_clear(struct rxrpc_connection *conn) 1111 { 1112 _enter(""); 1113 1114 if (conn->cipher) 1115 crypto_free_skcipher(conn->cipher); 1116 } 1117 1118 /* 1119 * Initialise the rxkad security service. 1120 */ 1121 static int rxkad_init(void) 1122 { 1123 /* pin the cipher we need so that the crypto layer doesn't invoke 1124 * keventd to go get it */ 1125 rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 1126 return PTR_ERR_OR_ZERO(rxkad_ci); 1127 } 1128 1129 /* 1130 * Clean up the rxkad security service. 1131 */ 1132 static void rxkad_exit(void) 1133 { 1134 if (rxkad_ci) 1135 crypto_free_skcipher(rxkad_ci); 1136 } 1137 1138 /* 1139 * RxRPC Kerberos-based security 1140 */ 1141 const struct rxrpc_security rxkad = { 1142 .name = "rxkad", 1143 .security_index = RXRPC_SECURITY_RXKAD, 1144 .init = rxkad_init, 1145 .exit = rxkad_exit, 1146 .init_connection_security = rxkad_init_connection_security, 1147 .prime_packet_security = rxkad_prime_packet_security, 1148 .secure_packet = rxkad_secure_packet, 1149 .verify_packet = rxkad_verify_packet, 1150 .issue_challenge = rxkad_issue_challenge, 1151 .respond_to_challenge = rxkad_respond_to_challenge, 1152 .verify_response = rxkad_verify_response, 1153 .clear = rxkad_clear, 1154 }; 1155