1 /* Kerberos-based RxRPC security 2 * 3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/net.h> 14 #include <linux/skbuff.h> 15 #include <linux/udp.h> 16 #include <linux/crypto.h> 17 #include <linux/scatterlist.h> 18 #include <linux/ctype.h> 19 #include <net/sock.h> 20 #include <net/af_rxrpc.h> 21 #define rxrpc_debug rxkad_debug 22 #include "ar-internal.h" 23 24 #define RXKAD_VERSION 2 25 #define MAXKRB5TICKETLEN 1024 26 #define RXKAD_TKT_TYPE_KERBEROS_V5 256 27 #define ANAME_SZ 40 /* size of authentication name */ 28 #define INST_SZ 40 /* size of principal's instance */ 29 #define REALM_SZ 40 /* size of principal's auth domain */ 30 #define SNAME_SZ 40 /* size of service name */ 31 32 unsigned rxrpc_debug; 33 module_param_named(debug, rxrpc_debug, uint, S_IWUSR | S_IRUGO); 34 MODULE_PARM_DESC(rxrpc_debug, "rxkad debugging mask"); 35 36 struct rxkad_level1_hdr { 37 __be32 data_size; /* true data size (excluding padding) */ 38 }; 39 40 struct rxkad_level2_hdr { 41 __be32 data_size; /* true data size (excluding padding) */ 42 __be32 checksum; /* decrypted data checksum */ 43 }; 44 45 MODULE_DESCRIPTION("RxRPC network protocol type-2 security (Kerberos)"); 46 MODULE_AUTHOR("Red Hat, Inc."); 47 MODULE_LICENSE("GPL"); 48 49 /* 50 * this holds a pinned cipher so that keventd doesn't get called by the cipher 51 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE 52 * packets 53 */ 54 static struct crypto_blkcipher *rxkad_ci; 55 static DEFINE_MUTEX(rxkad_ci_mutex); 56 57 /* 58 * initialise connection security 59 */ 60 static int rxkad_init_connection_security(struct rxrpc_connection *conn) 61 { 62 struct rxrpc_key_payload *payload; 63 struct crypto_blkcipher *ci; 64 int ret; 65 66 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->key)); 67 68 payload = conn->key->payload.data; 69 conn->security_ix = payload->k.security_index; 70 71 ci = crypto_alloc_blkcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 72 if (IS_ERR(ci)) { 73 _debug("no cipher"); 74 ret = PTR_ERR(ci); 75 goto error; 76 } 77 78 if (crypto_blkcipher_setkey(ci, payload->k.session_key, 79 sizeof(payload->k.session_key)) < 0) 80 BUG(); 81 82 switch (conn->security_level) { 83 case RXRPC_SECURITY_PLAIN: 84 break; 85 case RXRPC_SECURITY_AUTH: 86 conn->size_align = 8; 87 conn->security_size = sizeof(struct rxkad_level1_hdr); 88 conn->header_size += sizeof(struct rxkad_level1_hdr); 89 break; 90 case RXRPC_SECURITY_ENCRYPT: 91 conn->size_align = 8; 92 conn->security_size = sizeof(struct rxkad_level2_hdr); 93 conn->header_size += sizeof(struct rxkad_level2_hdr); 94 break; 95 default: 96 ret = -EKEYREJECTED; 97 goto error; 98 } 99 100 conn->cipher = ci; 101 ret = 0; 102 error: 103 _leave(" = %d", ret); 104 return ret; 105 } 106 107 /* 108 * prime the encryption state with the invariant parts of a connection's 109 * description 110 */ 111 static void rxkad_prime_packet_security(struct rxrpc_connection *conn) 112 { 113 struct rxrpc_key_payload *payload; 114 struct blkcipher_desc desc; 115 struct scatterlist sg[2]; 116 struct rxrpc_crypt iv; 117 struct { 118 __be32 x[4]; 119 } tmpbuf __attribute__((aligned(16))); /* must all be in same page */ 120 121 _enter(""); 122 123 if (!conn->key) 124 return; 125 126 payload = conn->key->payload.data; 127 memcpy(&iv, payload->k.session_key, sizeof(iv)); 128 129 desc.tfm = conn->cipher; 130 desc.info = iv.x; 131 desc.flags = 0; 132 133 tmpbuf.x[0] = conn->epoch; 134 tmpbuf.x[1] = conn->cid; 135 tmpbuf.x[2] = 0; 136 tmpbuf.x[3] = htonl(conn->security_ix); 137 138 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf)); 139 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf)); 140 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf)); 141 142 memcpy(&conn->csum_iv, &tmpbuf.x[2], sizeof(conn->csum_iv)); 143 ASSERTCMP(conn->csum_iv.n[0], ==, tmpbuf.x[2]); 144 145 _leave(""); 146 } 147 148 /* 149 * partially encrypt a packet (level 1 security) 150 */ 151 static int rxkad_secure_packet_auth(const struct rxrpc_call *call, 152 struct sk_buff *skb, 153 u32 data_size, 154 void *sechdr) 155 { 156 struct rxrpc_skb_priv *sp; 157 struct blkcipher_desc desc; 158 struct rxrpc_crypt iv; 159 struct scatterlist sg[2]; 160 struct { 161 struct rxkad_level1_hdr hdr; 162 __be32 first; /* first four bytes of data and padding */ 163 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */ 164 u16 check; 165 166 sp = rxrpc_skb(skb); 167 168 _enter(""); 169 170 check = ntohl(sp->hdr.seq ^ sp->hdr.callNumber); 171 data_size |= (u32) check << 16; 172 173 tmpbuf.hdr.data_size = htonl(data_size); 174 memcpy(&tmpbuf.first, sechdr + 4, sizeof(tmpbuf.first)); 175 176 /* start the encryption afresh */ 177 memset(&iv, 0, sizeof(iv)); 178 desc.tfm = call->conn->cipher; 179 desc.info = iv.x; 180 desc.flags = 0; 181 182 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf)); 183 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf)); 184 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf)); 185 186 memcpy(sechdr, &tmpbuf, sizeof(tmpbuf)); 187 188 _leave(" = 0"); 189 return 0; 190 } 191 192 /* 193 * wholly encrypt a packet (level 2 security) 194 */ 195 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, 196 struct sk_buff *skb, 197 u32 data_size, 198 void *sechdr) 199 { 200 const struct rxrpc_key_payload *payload; 201 struct rxkad_level2_hdr rxkhdr 202 __attribute__((aligned(8))); /* must be all on one page */ 203 struct rxrpc_skb_priv *sp; 204 struct blkcipher_desc desc; 205 struct rxrpc_crypt iv; 206 struct scatterlist sg[16]; 207 struct sk_buff *trailer; 208 unsigned len; 209 u16 check; 210 int nsg; 211 212 sp = rxrpc_skb(skb); 213 214 _enter(""); 215 216 check = ntohl(sp->hdr.seq ^ sp->hdr.callNumber); 217 218 rxkhdr.data_size = htonl(data_size | (u32) check << 16); 219 rxkhdr.checksum = 0; 220 221 /* encrypt from the session key */ 222 payload = call->conn->key->payload.data; 223 memcpy(&iv, payload->k.session_key, sizeof(iv)); 224 desc.tfm = call->conn->cipher; 225 desc.info = iv.x; 226 desc.flags = 0; 227 228 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr)); 229 sg_init_one(&sg[1], &rxkhdr, sizeof(rxkhdr)); 230 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(rxkhdr)); 231 232 /* we want to encrypt the skbuff in-place */ 233 nsg = skb_cow_data(skb, 0, &trailer); 234 if (nsg < 0 || nsg > 16) 235 return -ENOMEM; 236 237 len = data_size + call->conn->size_align - 1; 238 len &= ~(call->conn->size_align - 1); 239 240 sg_init_table(sg, nsg); 241 skb_to_sgvec(skb, sg, 0, len); 242 crypto_blkcipher_encrypt_iv(&desc, sg, sg, len); 243 244 _leave(" = 0"); 245 return 0; 246 } 247 248 /* 249 * checksum an RxRPC packet header 250 */ 251 static int rxkad_secure_packet(const struct rxrpc_call *call, 252 struct sk_buff *skb, 253 size_t data_size, 254 void *sechdr) 255 { 256 struct rxrpc_skb_priv *sp; 257 struct blkcipher_desc desc; 258 struct rxrpc_crypt iv; 259 struct scatterlist sg[2]; 260 struct { 261 __be32 x[2]; 262 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */ 263 __be32 x; 264 int ret; 265 266 sp = rxrpc_skb(skb); 267 268 _enter("{%d{%x}},{#%u},%zu,", 269 call->debug_id, key_serial(call->conn->key), ntohl(sp->hdr.seq), 270 data_size); 271 272 if (!call->conn->cipher) 273 return 0; 274 275 ret = key_validate(call->conn->key); 276 if (ret < 0) 277 return ret; 278 279 /* continue encrypting from where we left off */ 280 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 281 desc.tfm = call->conn->cipher; 282 desc.info = iv.x; 283 desc.flags = 0; 284 285 /* calculate the security checksum */ 286 x = htonl(call->channel << (32 - RXRPC_CIDSHIFT)); 287 x |= sp->hdr.seq & cpu_to_be32(0x3fffffff); 288 tmpbuf.x[0] = sp->hdr.callNumber; 289 tmpbuf.x[1] = x; 290 291 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf)); 292 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf)); 293 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf)); 294 295 x = ntohl(tmpbuf.x[1]); 296 x = (x >> 16) & 0xffff; 297 if (x == 0) 298 x = 1; /* zero checksums are not permitted */ 299 sp->hdr.cksum = htons(x); 300 301 switch (call->conn->security_level) { 302 case RXRPC_SECURITY_PLAIN: 303 ret = 0; 304 break; 305 case RXRPC_SECURITY_AUTH: 306 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr); 307 break; 308 case RXRPC_SECURITY_ENCRYPT: 309 ret = rxkad_secure_packet_encrypt(call, skb, data_size, 310 sechdr); 311 break; 312 default: 313 ret = -EPERM; 314 break; 315 } 316 317 _leave(" = %d [set %hx]", ret, x); 318 return ret; 319 } 320 321 /* 322 * decrypt partial encryption on a packet (level 1 security) 323 */ 324 static int rxkad_verify_packet_auth(const struct rxrpc_call *call, 325 struct sk_buff *skb, 326 u32 *_abort_code) 327 { 328 struct rxkad_level1_hdr sechdr; 329 struct rxrpc_skb_priv *sp; 330 struct blkcipher_desc desc; 331 struct rxrpc_crypt iv; 332 struct scatterlist sg[16]; 333 struct sk_buff *trailer; 334 u32 data_size, buf; 335 u16 check; 336 int nsg; 337 338 _enter(""); 339 340 sp = rxrpc_skb(skb); 341 342 /* we want to decrypt the skbuff in-place */ 343 nsg = skb_cow_data(skb, 0, &trailer); 344 if (nsg < 0 || nsg > 16) 345 goto nomem; 346 347 sg_init_table(sg, nsg); 348 skb_to_sgvec(skb, sg, 0, 8); 349 350 /* start the decryption afresh */ 351 memset(&iv, 0, sizeof(iv)); 352 desc.tfm = call->conn->cipher; 353 desc.info = iv.x; 354 desc.flags = 0; 355 356 crypto_blkcipher_decrypt_iv(&desc, sg, sg, 8); 357 358 /* remove the decrypted packet length */ 359 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0) 360 goto datalen_error; 361 if (!skb_pull(skb, sizeof(sechdr))) 362 BUG(); 363 364 buf = ntohl(sechdr.data_size); 365 data_size = buf & 0xffff; 366 367 check = buf >> 16; 368 check ^= ntohl(sp->hdr.seq ^ sp->hdr.callNumber); 369 check &= 0xffff; 370 if (check != 0) { 371 *_abort_code = RXKADSEALEDINCON; 372 goto protocol_error; 373 } 374 375 /* shorten the packet to remove the padding */ 376 if (data_size > skb->len) 377 goto datalen_error; 378 else if (data_size < skb->len) 379 skb->len = data_size; 380 381 _leave(" = 0 [dlen=%x]", data_size); 382 return 0; 383 384 datalen_error: 385 *_abort_code = RXKADDATALEN; 386 protocol_error: 387 _leave(" = -EPROTO"); 388 return -EPROTO; 389 390 nomem: 391 _leave(" = -ENOMEM"); 392 return -ENOMEM; 393 } 394 395 /* 396 * wholly decrypt a packet (level 2 security) 397 */ 398 static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call, 399 struct sk_buff *skb, 400 u32 *_abort_code) 401 { 402 const struct rxrpc_key_payload *payload; 403 struct rxkad_level2_hdr sechdr; 404 struct rxrpc_skb_priv *sp; 405 struct blkcipher_desc desc; 406 struct rxrpc_crypt iv; 407 struct scatterlist _sg[4], *sg; 408 struct sk_buff *trailer; 409 u32 data_size, buf; 410 u16 check; 411 int nsg; 412 413 _enter(",{%d}", skb->len); 414 415 sp = rxrpc_skb(skb); 416 417 /* we want to decrypt the skbuff in-place */ 418 nsg = skb_cow_data(skb, 0, &trailer); 419 if (nsg < 0) 420 goto nomem; 421 422 sg = _sg; 423 if (unlikely(nsg > 4)) { 424 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO); 425 if (!sg) 426 goto nomem; 427 } 428 429 sg_init_table(sg, nsg); 430 skb_to_sgvec(skb, sg, 0, skb->len); 431 432 /* decrypt from the session key */ 433 payload = call->conn->key->payload.data; 434 memcpy(&iv, payload->k.session_key, sizeof(iv)); 435 desc.tfm = call->conn->cipher; 436 desc.info = iv.x; 437 desc.flags = 0; 438 439 crypto_blkcipher_decrypt_iv(&desc, sg, sg, skb->len); 440 if (sg != _sg) 441 kfree(sg); 442 443 /* remove the decrypted packet length */ 444 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0) 445 goto datalen_error; 446 if (!skb_pull(skb, sizeof(sechdr))) 447 BUG(); 448 449 buf = ntohl(sechdr.data_size); 450 data_size = buf & 0xffff; 451 452 check = buf >> 16; 453 check ^= ntohl(sp->hdr.seq ^ sp->hdr.callNumber); 454 check &= 0xffff; 455 if (check != 0) { 456 *_abort_code = RXKADSEALEDINCON; 457 goto protocol_error; 458 } 459 460 /* shorten the packet to remove the padding */ 461 if (data_size > skb->len) 462 goto datalen_error; 463 else if (data_size < skb->len) 464 skb->len = data_size; 465 466 _leave(" = 0 [dlen=%x]", data_size); 467 return 0; 468 469 datalen_error: 470 *_abort_code = RXKADDATALEN; 471 protocol_error: 472 _leave(" = -EPROTO"); 473 return -EPROTO; 474 475 nomem: 476 _leave(" = -ENOMEM"); 477 return -ENOMEM; 478 } 479 480 /* 481 * verify the security on a received packet 482 */ 483 static int rxkad_verify_packet(const struct rxrpc_call *call, 484 struct sk_buff *skb, 485 u32 *_abort_code) 486 { 487 struct blkcipher_desc desc; 488 struct rxrpc_skb_priv *sp; 489 struct rxrpc_crypt iv; 490 struct scatterlist sg[2]; 491 struct { 492 __be32 x[2]; 493 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */ 494 __be32 x; 495 __be16 cksum; 496 int ret; 497 498 sp = rxrpc_skb(skb); 499 500 _enter("{%d{%x}},{#%u}", 501 call->debug_id, key_serial(call->conn->key), 502 ntohl(sp->hdr.seq)); 503 504 if (!call->conn->cipher) 505 return 0; 506 507 if (sp->hdr.securityIndex != 2) { 508 *_abort_code = RXKADINCONSISTENCY; 509 _leave(" = -EPROTO [not rxkad]"); 510 return -EPROTO; 511 } 512 513 /* continue encrypting from where we left off */ 514 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 515 desc.tfm = call->conn->cipher; 516 desc.info = iv.x; 517 desc.flags = 0; 518 519 /* validate the security checksum */ 520 x = htonl(call->channel << (32 - RXRPC_CIDSHIFT)); 521 x |= sp->hdr.seq & cpu_to_be32(0x3fffffff); 522 tmpbuf.x[0] = call->call_id; 523 tmpbuf.x[1] = x; 524 525 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf)); 526 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf)); 527 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf)); 528 529 x = ntohl(tmpbuf.x[1]); 530 x = (x >> 16) & 0xffff; 531 if (x == 0) 532 x = 1; /* zero checksums are not permitted */ 533 534 cksum = htons(x); 535 if (sp->hdr.cksum != cksum) { 536 *_abort_code = RXKADSEALEDINCON; 537 _leave(" = -EPROTO [csum failed]"); 538 return -EPROTO; 539 } 540 541 switch (call->conn->security_level) { 542 case RXRPC_SECURITY_PLAIN: 543 ret = 0; 544 break; 545 case RXRPC_SECURITY_AUTH: 546 ret = rxkad_verify_packet_auth(call, skb, _abort_code); 547 break; 548 case RXRPC_SECURITY_ENCRYPT: 549 ret = rxkad_verify_packet_encrypt(call, skb, _abort_code); 550 break; 551 default: 552 ret = -ENOANO; 553 break; 554 } 555 556 _leave(" = %d", ret); 557 return ret; 558 } 559 560 /* 561 * issue a challenge 562 */ 563 static int rxkad_issue_challenge(struct rxrpc_connection *conn) 564 { 565 struct rxkad_challenge challenge; 566 struct rxrpc_header hdr; 567 struct msghdr msg; 568 struct kvec iov[2]; 569 size_t len; 570 int ret; 571 572 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key)); 573 574 ret = key_validate(conn->key); 575 if (ret < 0) 576 return ret; 577 578 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce)); 579 580 challenge.version = htonl(2); 581 challenge.nonce = htonl(conn->security_nonce); 582 challenge.min_level = htonl(0); 583 challenge.__padding = 0; 584 585 msg.msg_name = &conn->trans->peer->srx.transport.sin; 586 msg.msg_namelen = sizeof(conn->trans->peer->srx.transport.sin); 587 msg.msg_control = NULL; 588 msg.msg_controllen = 0; 589 msg.msg_flags = 0; 590 591 hdr.epoch = conn->epoch; 592 hdr.cid = conn->cid; 593 hdr.callNumber = 0; 594 hdr.seq = 0; 595 hdr.type = RXRPC_PACKET_TYPE_CHALLENGE; 596 hdr.flags = conn->out_clientflag; 597 hdr.userStatus = 0; 598 hdr.securityIndex = conn->security_ix; 599 hdr._rsvd = 0; 600 hdr.serviceId = conn->service_id; 601 602 iov[0].iov_base = &hdr; 603 iov[0].iov_len = sizeof(hdr); 604 iov[1].iov_base = &challenge; 605 iov[1].iov_len = sizeof(challenge); 606 607 len = iov[0].iov_len + iov[1].iov_len; 608 609 hdr.serial = htonl(atomic_inc_return(&conn->serial)); 610 _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial)); 611 612 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len); 613 if (ret < 0) { 614 _debug("sendmsg failed: %d", ret); 615 return -EAGAIN; 616 } 617 618 _leave(" = 0"); 619 return 0; 620 } 621 622 /* 623 * send a Kerberos security response 624 */ 625 static int rxkad_send_response(struct rxrpc_connection *conn, 626 struct rxrpc_header *hdr, 627 struct rxkad_response *resp, 628 const struct rxkad_key *s2) 629 { 630 struct msghdr msg; 631 struct kvec iov[3]; 632 size_t len; 633 int ret; 634 635 _enter(""); 636 637 msg.msg_name = &conn->trans->peer->srx.transport.sin; 638 msg.msg_namelen = sizeof(conn->trans->peer->srx.transport.sin); 639 msg.msg_control = NULL; 640 msg.msg_controllen = 0; 641 msg.msg_flags = 0; 642 643 hdr->epoch = conn->epoch; 644 hdr->seq = 0; 645 hdr->type = RXRPC_PACKET_TYPE_RESPONSE; 646 hdr->flags = conn->out_clientflag; 647 hdr->userStatus = 0; 648 hdr->_rsvd = 0; 649 650 iov[0].iov_base = hdr; 651 iov[0].iov_len = sizeof(*hdr); 652 iov[1].iov_base = resp; 653 iov[1].iov_len = sizeof(*resp); 654 iov[2].iov_base = (void *) s2->ticket; 655 iov[2].iov_len = s2->ticket_len; 656 657 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len; 658 659 hdr->serial = htonl(atomic_inc_return(&conn->serial)); 660 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial)); 661 662 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); 663 if (ret < 0) { 664 _debug("sendmsg failed: %d", ret); 665 return -EAGAIN; 666 } 667 668 _leave(" = 0"); 669 return 0; 670 } 671 672 /* 673 * calculate the response checksum 674 */ 675 static void rxkad_calc_response_checksum(struct rxkad_response *response) 676 { 677 u32 csum = 1000003; 678 int loop; 679 u8 *p = (u8 *) response; 680 681 for (loop = sizeof(*response); loop > 0; loop--) 682 csum = csum * 0x10204081 + *p++; 683 684 response->encrypted.checksum = htonl(csum); 685 } 686 687 /* 688 * load a scatterlist with a potentially split-page buffer 689 */ 690 static void rxkad_sg_set_buf2(struct scatterlist sg[2], 691 void *buf, size_t buflen) 692 { 693 int nsg = 1; 694 695 sg_init_table(sg, 2); 696 697 sg_set_buf(&sg[0], buf, buflen); 698 if (sg[0].offset + buflen > PAGE_SIZE) { 699 /* the buffer was split over two pages */ 700 sg[0].length = PAGE_SIZE - sg[0].offset; 701 sg_set_buf(&sg[1], buf + sg[0].length, buflen - sg[0].length); 702 nsg++; 703 } 704 705 sg_mark_end(&sg[nsg - 1]); 706 707 ASSERTCMP(sg[0].length + sg[1].length, ==, buflen); 708 } 709 710 /* 711 * encrypt the response packet 712 */ 713 static void rxkad_encrypt_response(struct rxrpc_connection *conn, 714 struct rxkad_response *resp, 715 const struct rxkad_key *s2) 716 { 717 struct blkcipher_desc desc; 718 struct rxrpc_crypt iv; 719 struct scatterlist sg[2]; 720 721 /* continue encrypting from where we left off */ 722 memcpy(&iv, s2->session_key, sizeof(iv)); 723 desc.tfm = conn->cipher; 724 desc.info = iv.x; 725 desc.flags = 0; 726 727 rxkad_sg_set_buf2(sg, &resp->encrypted, sizeof(resp->encrypted)); 728 crypto_blkcipher_encrypt_iv(&desc, sg, sg, sizeof(resp->encrypted)); 729 } 730 731 /* 732 * respond to a challenge packet 733 */ 734 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn, 735 struct sk_buff *skb, 736 u32 *_abort_code) 737 { 738 const struct rxrpc_key_payload *payload; 739 struct rxkad_challenge challenge; 740 struct rxkad_response resp 741 __attribute__((aligned(8))); /* must be aligned for crypto */ 742 struct rxrpc_skb_priv *sp; 743 u32 version, nonce, min_level, abort_code; 744 int ret; 745 746 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key)); 747 748 if (!conn->key) { 749 _leave(" = -EPROTO [no key]"); 750 return -EPROTO; 751 } 752 753 ret = key_validate(conn->key); 754 if (ret < 0) { 755 *_abort_code = RXKADEXPIRED; 756 return ret; 757 } 758 759 abort_code = RXKADPACKETSHORT; 760 sp = rxrpc_skb(skb); 761 if (skb_copy_bits(skb, 0, &challenge, sizeof(challenge)) < 0) 762 goto protocol_error; 763 764 version = ntohl(challenge.version); 765 nonce = ntohl(challenge.nonce); 766 min_level = ntohl(challenge.min_level); 767 768 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }", 769 ntohl(sp->hdr.serial), version, nonce, min_level); 770 771 abort_code = RXKADINCONSISTENCY; 772 if (version != RXKAD_VERSION) 773 goto protocol_error; 774 775 abort_code = RXKADLEVELFAIL; 776 if (conn->security_level < min_level) 777 goto protocol_error; 778 779 payload = conn->key->payload.data; 780 781 /* build the response packet */ 782 memset(&resp, 0, sizeof(resp)); 783 784 resp.version = RXKAD_VERSION; 785 resp.encrypted.epoch = conn->epoch; 786 resp.encrypted.cid = conn->cid; 787 resp.encrypted.securityIndex = htonl(conn->security_ix); 788 resp.encrypted.call_id[0] = 789 (conn->channels[0] ? conn->channels[0]->call_id : 0); 790 resp.encrypted.call_id[1] = 791 (conn->channels[1] ? conn->channels[1]->call_id : 0); 792 resp.encrypted.call_id[2] = 793 (conn->channels[2] ? conn->channels[2]->call_id : 0); 794 resp.encrypted.call_id[3] = 795 (conn->channels[3] ? conn->channels[3]->call_id : 0); 796 resp.encrypted.inc_nonce = htonl(nonce + 1); 797 resp.encrypted.level = htonl(conn->security_level); 798 resp.kvno = htonl(payload->k.kvno); 799 resp.ticket_len = htonl(payload->k.ticket_len); 800 801 /* calculate the response checksum and then do the encryption */ 802 rxkad_calc_response_checksum(&resp); 803 rxkad_encrypt_response(conn, &resp, &payload->k); 804 return rxkad_send_response(conn, &sp->hdr, &resp, &payload->k); 805 806 protocol_error: 807 *_abort_code = abort_code; 808 _leave(" = -EPROTO [%d]", abort_code); 809 return -EPROTO; 810 } 811 812 /* 813 * decrypt the kerberos IV ticket in the response 814 */ 815 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn, 816 void *ticket, size_t ticket_len, 817 struct rxrpc_crypt *_session_key, 818 time_t *_expiry, 819 u32 *_abort_code) 820 { 821 struct blkcipher_desc desc; 822 struct rxrpc_crypt iv, key; 823 struct scatterlist sg[1]; 824 struct in_addr addr; 825 unsigned life; 826 time_t issue, now; 827 bool little_endian; 828 int ret; 829 u8 *p, *q, *name, *end; 830 831 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key)); 832 833 *_expiry = 0; 834 835 ret = key_validate(conn->server_key); 836 if (ret < 0) { 837 switch (ret) { 838 case -EKEYEXPIRED: 839 *_abort_code = RXKADEXPIRED; 840 goto error; 841 default: 842 *_abort_code = RXKADNOAUTH; 843 goto error; 844 } 845 } 846 847 ASSERT(conn->server_key->payload.data != NULL); 848 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0); 849 850 memcpy(&iv, &conn->server_key->type_data, sizeof(iv)); 851 852 desc.tfm = conn->server_key->payload.data; 853 desc.info = iv.x; 854 desc.flags = 0; 855 856 sg_init_one(&sg[0], ticket, ticket_len); 857 crypto_blkcipher_decrypt_iv(&desc, sg, sg, ticket_len); 858 859 p = ticket; 860 end = p + ticket_len; 861 862 #define Z(size) \ 863 ({ \ 864 u8 *__str = p; \ 865 q = memchr(p, 0, end - p); \ 866 if (!q || q - p > (size)) \ 867 goto bad_ticket; \ 868 for (; p < q; p++) \ 869 if (!isprint(*p)) \ 870 goto bad_ticket; \ 871 p++; \ 872 __str; \ 873 }) 874 875 /* extract the ticket flags */ 876 _debug("KIV FLAGS: %x", *p); 877 little_endian = *p & 1; 878 p++; 879 880 /* extract the authentication name */ 881 name = Z(ANAME_SZ); 882 _debug("KIV ANAME: %s", name); 883 884 /* extract the principal's instance */ 885 name = Z(INST_SZ); 886 _debug("KIV INST : %s", name); 887 888 /* extract the principal's authentication domain */ 889 name = Z(REALM_SZ); 890 _debug("KIV REALM: %s", name); 891 892 if (end - p < 4 + 8 + 4 + 2) 893 goto bad_ticket; 894 895 /* get the IPv4 address of the entity that requested the ticket */ 896 memcpy(&addr, p, sizeof(addr)); 897 p += 4; 898 _debug("KIV ADDR : "NIPQUAD_FMT, NIPQUAD(addr)); 899 900 /* get the session key from the ticket */ 901 memcpy(&key, p, sizeof(key)); 902 p += 8; 903 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1])); 904 memcpy(_session_key, &key, sizeof(key)); 905 906 /* get the ticket's lifetime */ 907 life = *p++ * 5 * 60; 908 _debug("KIV LIFE : %u", life); 909 910 /* get the issue time of the ticket */ 911 if (little_endian) { 912 __le32 stamp; 913 memcpy(&stamp, p, 4); 914 issue = le32_to_cpu(stamp); 915 } else { 916 __be32 stamp; 917 memcpy(&stamp, p, 4); 918 issue = be32_to_cpu(stamp); 919 } 920 p += 4; 921 now = get_seconds(); 922 _debug("KIV ISSUE: %lx [%lx]", issue, now); 923 924 /* check the ticket is in date */ 925 if (issue > now) { 926 *_abort_code = RXKADNOAUTH; 927 ret = -EKEYREJECTED; 928 goto error; 929 } 930 931 if (issue < now - life) { 932 *_abort_code = RXKADEXPIRED; 933 ret = -EKEYEXPIRED; 934 goto error; 935 } 936 937 *_expiry = issue + life; 938 939 /* get the service name */ 940 name = Z(SNAME_SZ); 941 _debug("KIV SNAME: %s", name); 942 943 /* get the service instance name */ 944 name = Z(INST_SZ); 945 _debug("KIV SINST: %s", name); 946 947 ret = 0; 948 error: 949 _leave(" = %d", ret); 950 return ret; 951 952 bad_ticket: 953 *_abort_code = RXKADBADTICKET; 954 ret = -EBADMSG; 955 goto error; 956 } 957 958 /* 959 * decrypt the response packet 960 */ 961 static void rxkad_decrypt_response(struct rxrpc_connection *conn, 962 struct rxkad_response *resp, 963 const struct rxrpc_crypt *session_key) 964 { 965 struct blkcipher_desc desc; 966 struct scatterlist sg[2]; 967 struct rxrpc_crypt iv; 968 969 _enter(",,%08x%08x", 970 ntohl(session_key->n[0]), ntohl(session_key->n[1])); 971 972 ASSERT(rxkad_ci != NULL); 973 974 mutex_lock(&rxkad_ci_mutex); 975 if (crypto_blkcipher_setkey(rxkad_ci, session_key->x, 976 sizeof(*session_key)) < 0) 977 BUG(); 978 979 memcpy(&iv, session_key, sizeof(iv)); 980 desc.tfm = rxkad_ci; 981 desc.info = iv.x; 982 desc.flags = 0; 983 984 rxkad_sg_set_buf2(sg, &resp->encrypted, sizeof(resp->encrypted)); 985 crypto_blkcipher_decrypt_iv(&desc, sg, sg, sizeof(resp->encrypted)); 986 mutex_unlock(&rxkad_ci_mutex); 987 988 _leave(""); 989 } 990 991 /* 992 * verify a response 993 */ 994 static int rxkad_verify_response(struct rxrpc_connection *conn, 995 struct sk_buff *skb, 996 u32 *_abort_code) 997 { 998 struct rxkad_response response 999 __attribute__((aligned(8))); /* must be aligned for crypto */ 1000 struct rxrpc_skb_priv *sp; 1001 struct rxrpc_crypt session_key; 1002 time_t expiry; 1003 void *ticket; 1004 u32 abort_code, version, kvno, ticket_len, csum, level; 1005 int ret; 1006 1007 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key)); 1008 1009 abort_code = RXKADPACKETSHORT; 1010 if (skb_copy_bits(skb, 0, &response, sizeof(response)) < 0) 1011 goto protocol_error; 1012 if (!pskb_pull(skb, sizeof(response))) 1013 BUG(); 1014 1015 version = ntohl(response.version); 1016 ticket_len = ntohl(response.ticket_len); 1017 kvno = ntohl(response.kvno); 1018 sp = rxrpc_skb(skb); 1019 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }", 1020 ntohl(sp->hdr.serial), version, kvno, ticket_len); 1021 1022 abort_code = RXKADINCONSISTENCY; 1023 if (version != RXKAD_VERSION) 1024 goto protocol_error; 1025 1026 abort_code = RXKADTICKETLEN; 1027 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) 1028 goto protocol_error; 1029 1030 abort_code = RXKADUNKNOWNKEY; 1031 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) 1032 goto protocol_error; 1033 1034 /* extract the kerberos ticket and decrypt and decode it */ 1035 ticket = kmalloc(ticket_len, GFP_NOFS); 1036 if (!ticket) 1037 return -ENOMEM; 1038 1039 abort_code = RXKADPACKETSHORT; 1040 if (skb_copy_bits(skb, 0, ticket, ticket_len) < 0) 1041 goto protocol_error_free; 1042 1043 ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key, 1044 &expiry, &abort_code); 1045 if (ret < 0) { 1046 *_abort_code = abort_code; 1047 kfree(ticket); 1048 return ret; 1049 } 1050 1051 /* use the session key from inside the ticket to decrypt the 1052 * response */ 1053 rxkad_decrypt_response(conn, &response, &session_key); 1054 1055 abort_code = RXKADSEALEDINCON; 1056 if (response.encrypted.epoch != conn->epoch) 1057 goto protocol_error_free; 1058 if (response.encrypted.cid != conn->cid) 1059 goto protocol_error_free; 1060 if (ntohl(response.encrypted.securityIndex) != conn->security_ix) 1061 goto protocol_error_free; 1062 csum = response.encrypted.checksum; 1063 response.encrypted.checksum = 0; 1064 rxkad_calc_response_checksum(&response); 1065 if (response.encrypted.checksum != csum) 1066 goto protocol_error_free; 1067 1068 if (ntohl(response.encrypted.call_id[0]) > INT_MAX || 1069 ntohl(response.encrypted.call_id[1]) > INT_MAX || 1070 ntohl(response.encrypted.call_id[2]) > INT_MAX || 1071 ntohl(response.encrypted.call_id[3]) > INT_MAX) 1072 goto protocol_error_free; 1073 1074 abort_code = RXKADOUTOFSEQUENCE; 1075 if (response.encrypted.inc_nonce != htonl(conn->security_nonce + 1)) 1076 goto protocol_error_free; 1077 1078 abort_code = RXKADLEVELFAIL; 1079 level = ntohl(response.encrypted.level); 1080 if (level > RXRPC_SECURITY_ENCRYPT) 1081 goto protocol_error_free; 1082 conn->security_level = level; 1083 1084 /* create a key to hold the security data and expiration time - after 1085 * this the connection security can be handled in exactly the same way 1086 * as for a client connection */ 1087 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); 1088 if (ret < 0) { 1089 kfree(ticket); 1090 return ret; 1091 } 1092 1093 kfree(ticket); 1094 _leave(" = 0"); 1095 return 0; 1096 1097 protocol_error_free: 1098 kfree(ticket); 1099 protocol_error: 1100 *_abort_code = abort_code; 1101 _leave(" = -EPROTO [%d]", abort_code); 1102 return -EPROTO; 1103 } 1104 1105 /* 1106 * clear the connection security 1107 */ 1108 static void rxkad_clear(struct rxrpc_connection *conn) 1109 { 1110 _enter(""); 1111 1112 if (conn->cipher) 1113 crypto_free_blkcipher(conn->cipher); 1114 } 1115 1116 /* 1117 * RxRPC Kerberos-based security 1118 */ 1119 static struct rxrpc_security rxkad = { 1120 .owner = THIS_MODULE, 1121 .name = "rxkad", 1122 .security_index = RXKAD_VERSION, 1123 .init_connection_security = rxkad_init_connection_security, 1124 .prime_packet_security = rxkad_prime_packet_security, 1125 .secure_packet = rxkad_secure_packet, 1126 .verify_packet = rxkad_verify_packet, 1127 .issue_challenge = rxkad_issue_challenge, 1128 .respond_to_challenge = rxkad_respond_to_challenge, 1129 .verify_response = rxkad_verify_response, 1130 .clear = rxkad_clear, 1131 }; 1132 1133 static __init int rxkad_init(void) 1134 { 1135 _enter(""); 1136 1137 /* pin the cipher we need so that the crypto layer doesn't invoke 1138 * keventd to go get it */ 1139 rxkad_ci = crypto_alloc_blkcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 1140 if (IS_ERR(rxkad_ci)) 1141 return PTR_ERR(rxkad_ci); 1142 1143 return rxrpc_register_security(&rxkad); 1144 } 1145 1146 module_init(rxkad_init); 1147 1148 static __exit void rxkad_exit(void) 1149 { 1150 _enter(""); 1151 1152 rxrpc_unregister_security(&rxkad); 1153 crypto_free_blkcipher(rxkad_ci); 1154 } 1155 1156 module_exit(rxkad_exit); 1157