1 /* Kerberos-based RxRPC security 2 * 3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 13 14 #include <crypto/skcipher.h> 15 #include <linux/module.h> 16 #include <linux/net.h> 17 #include <linux/skbuff.h> 18 #include <linux/udp.h> 19 #include <linux/scatterlist.h> 20 #include <linux/ctype.h> 21 #include <linux/slab.h> 22 #include <net/sock.h> 23 #include <net/af_rxrpc.h> 24 #include <keys/rxrpc-type.h> 25 #include "ar-internal.h" 26 27 #define RXKAD_VERSION 2 28 #define MAXKRB5TICKETLEN 1024 29 #define RXKAD_TKT_TYPE_KERBEROS_V5 256 30 #define ANAME_SZ 40 /* size of authentication name */ 31 #define INST_SZ 40 /* size of principal's instance */ 32 #define REALM_SZ 40 /* size of principal's auth domain */ 33 #define SNAME_SZ 40 /* size of service name */ 34 35 struct rxkad_level1_hdr { 36 __be32 data_size; /* true data size (excluding padding) */ 37 }; 38 39 struct rxkad_level2_hdr { 40 __be32 data_size; /* true data size (excluding padding) */ 41 __be32 checksum; /* decrypted data checksum */ 42 }; 43 44 /* 45 * this holds a pinned cipher so that keventd doesn't get called by the cipher 46 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE 47 * packets 48 */ 49 static struct crypto_skcipher *rxkad_ci; 50 static DEFINE_MUTEX(rxkad_ci_mutex); 51 52 /* 53 * initialise connection security 54 */ 55 static int rxkad_init_connection_security(struct rxrpc_connection *conn) 56 { 57 struct crypto_skcipher *ci; 58 struct rxrpc_key_token *token; 59 int ret; 60 61 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key)); 62 63 token = conn->params.key->payload.data[0]; 64 conn->security_ix = token->security_index; 65 66 ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 67 if (IS_ERR(ci)) { 68 _debug("no cipher"); 69 ret = PTR_ERR(ci); 70 goto error; 71 } 72 73 if (crypto_skcipher_setkey(ci, token->kad->session_key, 74 sizeof(token->kad->session_key)) < 0) 75 BUG(); 76 77 switch (conn->params.security_level) { 78 case RXRPC_SECURITY_PLAIN: 79 break; 80 case RXRPC_SECURITY_AUTH: 81 conn->size_align = 8; 82 conn->security_size = sizeof(struct rxkad_level1_hdr); 83 break; 84 case RXRPC_SECURITY_ENCRYPT: 85 conn->size_align = 8; 86 conn->security_size = sizeof(struct rxkad_level2_hdr); 87 break; 88 default: 89 ret = -EKEYREJECTED; 90 goto error; 91 } 92 93 conn->cipher = ci; 94 ret = 0; 95 error: 96 _leave(" = %d", ret); 97 return ret; 98 } 99 100 /* 101 * prime the encryption state with the invariant parts of a connection's 102 * description 103 */ 104 static int rxkad_prime_packet_security(struct rxrpc_connection *conn) 105 { 106 struct rxrpc_key_token *token; 107 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher); 108 struct scatterlist sg; 109 struct rxrpc_crypt iv; 110 __be32 *tmpbuf; 111 size_t tmpsize = 4 * sizeof(__be32); 112 113 _enter(""); 114 115 if (!conn->params.key) 116 return 0; 117 118 tmpbuf = kmalloc(tmpsize, GFP_KERNEL); 119 if (!tmpbuf) 120 return -ENOMEM; 121 122 token = conn->params.key->payload.data[0]; 123 memcpy(&iv, token->kad->session_key, sizeof(iv)); 124 125 tmpbuf[0] = htonl(conn->proto.epoch); 126 tmpbuf[1] = htonl(conn->proto.cid); 127 tmpbuf[2] = 0; 128 tmpbuf[3] = htonl(conn->security_ix); 129 130 sg_init_one(&sg, tmpbuf, tmpsize); 131 skcipher_request_set_tfm(req, conn->cipher); 132 skcipher_request_set_callback(req, 0, NULL, NULL); 133 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x); 134 crypto_skcipher_encrypt(req); 135 skcipher_request_zero(req); 136 137 memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv)); 138 kfree(tmpbuf); 139 _leave(" = 0"); 140 return 0; 141 } 142 143 /* 144 * partially encrypt a packet (level 1 security) 145 */ 146 static int rxkad_secure_packet_auth(const struct rxrpc_call *call, 147 struct sk_buff *skb, 148 u32 data_size, 149 void *sechdr) 150 { 151 struct rxrpc_skb_priv *sp; 152 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 153 struct rxkad_level1_hdr hdr; 154 struct rxrpc_crypt iv; 155 struct scatterlist sg; 156 u16 check; 157 158 sp = rxrpc_skb(skb); 159 160 _enter(""); 161 162 check = sp->hdr.seq ^ call->call_id; 163 data_size |= (u32)check << 16; 164 165 hdr.data_size = htonl(data_size); 166 memcpy(sechdr, &hdr, sizeof(hdr)); 167 168 /* start the encryption afresh */ 169 memset(&iv, 0, sizeof(iv)); 170 171 sg_init_one(&sg, sechdr, 8); 172 skcipher_request_set_tfm(req, call->conn->cipher); 173 skcipher_request_set_callback(req, 0, NULL, NULL); 174 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 175 crypto_skcipher_encrypt(req); 176 skcipher_request_zero(req); 177 178 _leave(" = 0"); 179 return 0; 180 } 181 182 /* 183 * wholly encrypt a packet (level 2 security) 184 */ 185 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, 186 struct sk_buff *skb, 187 u32 data_size, 188 void *sechdr) 189 { 190 const struct rxrpc_key_token *token; 191 struct rxkad_level2_hdr rxkhdr; 192 struct rxrpc_skb_priv *sp; 193 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 194 struct rxrpc_crypt iv; 195 struct scatterlist sg[16]; 196 struct sk_buff *trailer; 197 unsigned int len; 198 u16 check; 199 int nsg; 200 int err; 201 202 sp = rxrpc_skb(skb); 203 204 _enter(""); 205 206 check = sp->hdr.seq ^ call->call_id; 207 208 rxkhdr.data_size = htonl(data_size | (u32)check << 16); 209 rxkhdr.checksum = 0; 210 memcpy(sechdr, &rxkhdr, sizeof(rxkhdr)); 211 212 /* encrypt from the session key */ 213 token = call->conn->params.key->payload.data[0]; 214 memcpy(&iv, token->kad->session_key, sizeof(iv)); 215 216 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr)); 217 skcipher_request_set_tfm(req, call->conn->cipher); 218 skcipher_request_set_callback(req, 0, NULL, NULL); 219 skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x); 220 crypto_skcipher_encrypt(req); 221 222 /* we want to encrypt the skbuff in-place */ 223 nsg = skb_cow_data(skb, 0, &trailer); 224 err = -ENOMEM; 225 if (nsg < 0 || nsg > 16) 226 goto out; 227 228 len = data_size + call->conn->size_align - 1; 229 len &= ~(call->conn->size_align - 1); 230 231 sg_init_table(sg, nsg); 232 skb_to_sgvec(skb, sg, 0, len); 233 skcipher_request_set_crypt(req, sg, sg, len, iv.x); 234 crypto_skcipher_encrypt(req); 235 236 _leave(" = 0"); 237 err = 0; 238 239 out: 240 skcipher_request_zero(req); 241 return err; 242 } 243 244 /* 245 * checksum an RxRPC packet header 246 */ 247 static int rxkad_secure_packet(struct rxrpc_call *call, 248 struct sk_buff *skb, 249 size_t data_size, 250 void *sechdr) 251 { 252 struct rxrpc_skb_priv *sp; 253 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 254 struct rxrpc_crypt iv; 255 struct scatterlist sg; 256 u32 x, y; 257 int ret; 258 259 sp = rxrpc_skb(skb); 260 261 _enter("{%d{%x}},{#%u},%zu,", 262 call->debug_id, key_serial(call->conn->params.key), 263 sp->hdr.seq, data_size); 264 265 if (!call->conn->cipher) 266 return 0; 267 268 ret = key_validate(call->conn->params.key); 269 if (ret < 0) 270 return ret; 271 272 /* continue encrypting from where we left off */ 273 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 274 275 /* calculate the security checksum */ 276 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 277 x |= sp->hdr.seq & 0x3fffffff; 278 call->crypto_buf[0] = htonl(call->call_id); 279 call->crypto_buf[1] = htonl(x); 280 281 sg_init_one(&sg, call->crypto_buf, 8); 282 skcipher_request_set_tfm(req, call->conn->cipher); 283 skcipher_request_set_callback(req, 0, NULL, NULL); 284 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 285 crypto_skcipher_encrypt(req); 286 skcipher_request_zero(req); 287 288 y = ntohl(call->crypto_buf[1]); 289 y = (y >> 16) & 0xffff; 290 if (y == 0) 291 y = 1; /* zero checksums are not permitted */ 292 sp->hdr.cksum = y; 293 294 switch (call->conn->params.security_level) { 295 case RXRPC_SECURITY_PLAIN: 296 ret = 0; 297 break; 298 case RXRPC_SECURITY_AUTH: 299 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr); 300 break; 301 case RXRPC_SECURITY_ENCRYPT: 302 ret = rxkad_secure_packet_encrypt(call, skb, data_size, 303 sechdr); 304 break; 305 default: 306 ret = -EPERM; 307 break; 308 } 309 310 _leave(" = %d [set %hx]", ret, y); 311 return ret; 312 } 313 314 /* 315 * decrypt partial encryption on a packet (level 1 security) 316 */ 317 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb, 318 unsigned int offset, unsigned int len, 319 rxrpc_seq_t seq) 320 { 321 struct rxkad_level1_hdr sechdr; 322 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 323 struct rxrpc_crypt iv; 324 struct scatterlist sg[16]; 325 struct sk_buff *trailer; 326 u32 data_size, buf; 327 u16 check; 328 int nsg; 329 330 _enter(""); 331 332 if (len < 8) { 333 rxrpc_abort_call("V1H", call, seq, RXKADSEALEDINCON, EPROTO); 334 goto protocol_error; 335 } 336 337 /* Decrypt the skbuff in-place. TODO: We really want to decrypt 338 * directly into the target buffer. 339 */ 340 nsg = skb_cow_data(skb, 0, &trailer); 341 if (nsg < 0 || nsg > 16) 342 goto nomem; 343 344 sg_init_table(sg, nsg); 345 skb_to_sgvec(skb, sg, offset, 8); 346 347 /* start the decryption afresh */ 348 memset(&iv, 0, sizeof(iv)); 349 350 skcipher_request_set_tfm(req, call->conn->cipher); 351 skcipher_request_set_callback(req, 0, NULL, NULL); 352 skcipher_request_set_crypt(req, sg, sg, 8, iv.x); 353 crypto_skcipher_decrypt(req); 354 skcipher_request_zero(req); 355 356 /* Extract the decrypted packet length */ 357 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) { 358 rxrpc_abort_call("XV1", call, seq, RXKADDATALEN, EPROTO); 359 goto protocol_error; 360 } 361 offset += sizeof(sechdr); 362 len -= sizeof(sechdr); 363 364 buf = ntohl(sechdr.data_size); 365 data_size = buf & 0xffff; 366 367 check = buf >> 16; 368 check ^= seq ^ call->call_id; 369 check &= 0xffff; 370 if (check != 0) { 371 rxrpc_abort_call("V1C", call, seq, RXKADSEALEDINCON, EPROTO); 372 goto protocol_error; 373 } 374 375 if (data_size > len) { 376 rxrpc_abort_call("V1L", call, seq, RXKADDATALEN, EPROTO); 377 goto protocol_error; 378 } 379 380 _leave(" = 0 [dlen=%x]", data_size); 381 return 0; 382 383 protocol_error: 384 rxrpc_send_abort_packet(call); 385 _leave(" = -EPROTO"); 386 return -EPROTO; 387 388 nomem: 389 _leave(" = -ENOMEM"); 390 return -ENOMEM; 391 } 392 393 /* 394 * wholly decrypt a packet (level 2 security) 395 */ 396 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb, 397 unsigned int offset, unsigned int len, 398 rxrpc_seq_t seq) 399 { 400 const struct rxrpc_key_token *token; 401 struct rxkad_level2_hdr sechdr; 402 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 403 struct rxrpc_crypt iv; 404 struct scatterlist _sg[4], *sg; 405 struct sk_buff *trailer; 406 u32 data_size, buf; 407 u16 check; 408 int nsg; 409 410 _enter(",{%d}", skb->len); 411 412 if (len < 8) { 413 rxrpc_abort_call("V2H", call, seq, RXKADSEALEDINCON, EPROTO); 414 goto protocol_error; 415 } 416 417 /* Decrypt the skbuff in-place. TODO: We really want to decrypt 418 * directly into the target buffer. 419 */ 420 nsg = skb_cow_data(skb, 0, &trailer); 421 if (nsg < 0) 422 goto nomem; 423 424 sg = _sg; 425 if (unlikely(nsg > 4)) { 426 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO); 427 if (!sg) 428 goto nomem; 429 } 430 431 sg_init_table(sg, nsg); 432 skb_to_sgvec(skb, sg, offset, len); 433 434 /* decrypt from the session key */ 435 token = call->conn->params.key->payload.data[0]; 436 memcpy(&iv, token->kad->session_key, sizeof(iv)); 437 438 skcipher_request_set_tfm(req, call->conn->cipher); 439 skcipher_request_set_callback(req, 0, NULL, NULL); 440 skcipher_request_set_crypt(req, sg, sg, len, iv.x); 441 crypto_skcipher_decrypt(req); 442 skcipher_request_zero(req); 443 if (sg != _sg) 444 kfree(sg); 445 446 /* Extract the decrypted packet length */ 447 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) { 448 rxrpc_abort_call("XV2", call, seq, RXKADDATALEN, EPROTO); 449 goto protocol_error; 450 } 451 offset += sizeof(sechdr); 452 len -= sizeof(sechdr); 453 454 buf = ntohl(sechdr.data_size); 455 data_size = buf & 0xffff; 456 457 check = buf >> 16; 458 check ^= seq ^ call->call_id; 459 check &= 0xffff; 460 if (check != 0) { 461 rxrpc_abort_call("V2C", call, seq, RXKADSEALEDINCON, EPROTO); 462 goto protocol_error; 463 } 464 465 if (data_size > len) { 466 rxrpc_abort_call("V2L", call, seq, RXKADDATALEN, EPROTO); 467 goto protocol_error; 468 } 469 470 _leave(" = 0 [dlen=%x]", data_size); 471 return 0; 472 473 protocol_error: 474 rxrpc_send_abort_packet(call); 475 _leave(" = -EPROTO"); 476 return -EPROTO; 477 478 nomem: 479 _leave(" = -ENOMEM"); 480 return -ENOMEM; 481 } 482 483 /* 484 * Verify the security on a received packet or subpacket (if part of a 485 * jumbo packet). 486 */ 487 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb, 488 unsigned int offset, unsigned int len, 489 rxrpc_seq_t seq, u16 expected_cksum) 490 { 491 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 492 struct rxrpc_crypt iv; 493 struct scatterlist sg; 494 u16 cksum; 495 u32 x, y; 496 497 _enter("{%d{%x}},{#%u}", 498 call->debug_id, key_serial(call->conn->params.key), seq); 499 500 if (!call->conn->cipher) 501 return 0; 502 503 /* continue encrypting from where we left off */ 504 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 505 506 /* validate the security checksum */ 507 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 508 x |= seq & 0x3fffffff; 509 call->crypto_buf[0] = htonl(call->call_id); 510 call->crypto_buf[1] = htonl(x); 511 512 sg_init_one(&sg, call->crypto_buf, 8); 513 skcipher_request_set_tfm(req, call->conn->cipher); 514 skcipher_request_set_callback(req, 0, NULL, NULL); 515 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 516 crypto_skcipher_encrypt(req); 517 skcipher_request_zero(req); 518 519 y = ntohl(call->crypto_buf[1]); 520 cksum = (y >> 16) & 0xffff; 521 if (cksum == 0) 522 cksum = 1; /* zero checksums are not permitted */ 523 524 if (cksum != expected_cksum) { 525 rxrpc_abort_call("VCK", call, seq, RXKADSEALEDINCON, EPROTO); 526 rxrpc_send_abort_packet(call); 527 _leave(" = -EPROTO [csum failed]"); 528 return -EPROTO; 529 } 530 531 switch (call->conn->params.security_level) { 532 case RXRPC_SECURITY_PLAIN: 533 return 0; 534 case RXRPC_SECURITY_AUTH: 535 return rxkad_verify_packet_1(call, skb, offset, len, seq); 536 case RXRPC_SECURITY_ENCRYPT: 537 return rxkad_verify_packet_2(call, skb, offset, len, seq); 538 default: 539 return -ENOANO; 540 } 541 } 542 543 /* 544 * Locate the data contained in a packet that was partially encrypted. 545 */ 546 static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb, 547 unsigned int *_offset, unsigned int *_len) 548 { 549 struct rxkad_level1_hdr sechdr; 550 551 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0) 552 BUG(); 553 *_offset += sizeof(sechdr); 554 *_len = ntohl(sechdr.data_size) & 0xffff; 555 } 556 557 /* 558 * Locate the data contained in a packet that was completely encrypted. 559 */ 560 static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb, 561 unsigned int *_offset, unsigned int *_len) 562 { 563 struct rxkad_level2_hdr sechdr; 564 565 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0) 566 BUG(); 567 *_offset += sizeof(sechdr); 568 *_len = ntohl(sechdr.data_size) & 0xffff; 569 } 570 571 /* 572 * Locate the data contained in an already decrypted packet. 573 */ 574 static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb, 575 unsigned int *_offset, unsigned int *_len) 576 { 577 switch (call->conn->params.security_level) { 578 case RXRPC_SECURITY_AUTH: 579 rxkad_locate_data_1(call, skb, _offset, _len); 580 return; 581 case RXRPC_SECURITY_ENCRYPT: 582 rxkad_locate_data_2(call, skb, _offset, _len); 583 return; 584 default: 585 return; 586 } 587 } 588 589 /* 590 * issue a challenge 591 */ 592 static int rxkad_issue_challenge(struct rxrpc_connection *conn) 593 { 594 struct rxkad_challenge challenge; 595 struct rxrpc_wire_header whdr; 596 struct msghdr msg; 597 struct kvec iov[2]; 598 size_t len; 599 u32 serial; 600 int ret; 601 602 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key)); 603 604 ret = key_validate(conn->params.key); 605 if (ret < 0) 606 return ret; 607 608 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce)); 609 610 challenge.version = htonl(2); 611 challenge.nonce = htonl(conn->security_nonce); 612 challenge.min_level = htonl(0); 613 challenge.__padding = 0; 614 615 msg.msg_name = &conn->params.peer->srx.transport.sin; 616 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin); 617 msg.msg_control = NULL; 618 msg.msg_controllen = 0; 619 msg.msg_flags = 0; 620 621 whdr.epoch = htonl(conn->proto.epoch); 622 whdr.cid = htonl(conn->proto.cid); 623 whdr.callNumber = 0; 624 whdr.seq = 0; 625 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE; 626 whdr.flags = conn->out_clientflag; 627 whdr.userStatus = 0; 628 whdr.securityIndex = conn->security_ix; 629 whdr._rsvd = 0; 630 whdr.serviceId = htons(conn->params.service_id); 631 632 iov[0].iov_base = &whdr; 633 iov[0].iov_len = sizeof(whdr); 634 iov[1].iov_base = &challenge; 635 iov[1].iov_len = sizeof(challenge); 636 637 len = iov[0].iov_len + iov[1].iov_len; 638 639 serial = atomic_inc_return(&conn->serial); 640 whdr.serial = htonl(serial); 641 _proto("Tx CHALLENGE %%%u", serial); 642 643 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len); 644 if (ret < 0) { 645 _debug("sendmsg failed: %d", ret); 646 return -EAGAIN; 647 } 648 649 _leave(" = 0"); 650 return 0; 651 } 652 653 /* 654 * send a Kerberos security response 655 */ 656 static int rxkad_send_response(struct rxrpc_connection *conn, 657 struct rxrpc_host_header *hdr, 658 struct rxkad_response *resp, 659 const struct rxkad_key *s2) 660 { 661 struct rxrpc_wire_header whdr; 662 struct msghdr msg; 663 struct kvec iov[3]; 664 size_t len; 665 u32 serial; 666 int ret; 667 668 _enter(""); 669 670 msg.msg_name = &conn->params.peer->srx.transport.sin; 671 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin); 672 msg.msg_control = NULL; 673 msg.msg_controllen = 0; 674 msg.msg_flags = 0; 675 676 memset(&whdr, 0, sizeof(whdr)); 677 whdr.epoch = htonl(hdr->epoch); 678 whdr.cid = htonl(hdr->cid); 679 whdr.type = RXRPC_PACKET_TYPE_RESPONSE; 680 whdr.flags = conn->out_clientflag; 681 whdr.securityIndex = hdr->securityIndex; 682 whdr.serviceId = htons(hdr->serviceId); 683 684 iov[0].iov_base = &whdr; 685 iov[0].iov_len = sizeof(whdr); 686 iov[1].iov_base = resp; 687 iov[1].iov_len = sizeof(*resp); 688 iov[2].iov_base = (void *)s2->ticket; 689 iov[2].iov_len = s2->ticket_len; 690 691 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len; 692 693 serial = atomic_inc_return(&conn->serial); 694 whdr.serial = htonl(serial); 695 _proto("Tx RESPONSE %%%u", serial); 696 697 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len); 698 if (ret < 0) { 699 _debug("sendmsg failed: %d", ret); 700 return -EAGAIN; 701 } 702 703 _leave(" = 0"); 704 return 0; 705 } 706 707 /* 708 * calculate the response checksum 709 */ 710 static void rxkad_calc_response_checksum(struct rxkad_response *response) 711 { 712 u32 csum = 1000003; 713 int loop; 714 u8 *p = (u8 *) response; 715 716 for (loop = sizeof(*response); loop > 0; loop--) 717 csum = csum * 0x10204081 + *p++; 718 719 response->encrypted.checksum = htonl(csum); 720 } 721 722 /* 723 * encrypt the response packet 724 */ 725 static void rxkad_encrypt_response(struct rxrpc_connection *conn, 726 struct rxkad_response *resp, 727 const struct rxkad_key *s2) 728 { 729 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher); 730 struct rxrpc_crypt iv; 731 struct scatterlist sg[1]; 732 733 /* continue encrypting from where we left off */ 734 memcpy(&iv, s2->session_key, sizeof(iv)); 735 736 sg_init_table(sg, 1); 737 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 738 skcipher_request_set_tfm(req, conn->cipher); 739 skcipher_request_set_callback(req, 0, NULL, NULL); 740 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 741 crypto_skcipher_encrypt(req); 742 skcipher_request_zero(req); 743 } 744 745 /* 746 * respond to a challenge packet 747 */ 748 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn, 749 struct sk_buff *skb, 750 u32 *_abort_code) 751 { 752 const struct rxrpc_key_token *token; 753 struct rxkad_challenge challenge; 754 struct rxkad_response resp 755 __attribute__((aligned(8))); /* must be aligned for crypto */ 756 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 757 u32 version, nonce, min_level, abort_code; 758 int ret; 759 760 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key)); 761 762 if (!conn->params.key) { 763 _leave(" = -EPROTO [no key]"); 764 return -EPROTO; 765 } 766 767 ret = key_validate(conn->params.key); 768 if (ret < 0) { 769 *_abort_code = RXKADEXPIRED; 770 return ret; 771 } 772 773 abort_code = RXKADPACKETSHORT; 774 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 775 &challenge, sizeof(challenge)) < 0) 776 goto protocol_error; 777 778 version = ntohl(challenge.version); 779 nonce = ntohl(challenge.nonce); 780 min_level = ntohl(challenge.min_level); 781 782 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }", 783 sp->hdr.serial, version, nonce, min_level); 784 785 abort_code = RXKADINCONSISTENCY; 786 if (version != RXKAD_VERSION) 787 goto protocol_error; 788 789 abort_code = RXKADLEVELFAIL; 790 if (conn->params.security_level < min_level) 791 goto protocol_error; 792 793 token = conn->params.key->payload.data[0]; 794 795 /* build the response packet */ 796 memset(&resp, 0, sizeof(resp)); 797 798 resp.version = htonl(RXKAD_VERSION); 799 resp.encrypted.epoch = htonl(conn->proto.epoch); 800 resp.encrypted.cid = htonl(conn->proto.cid); 801 resp.encrypted.securityIndex = htonl(conn->security_ix); 802 resp.encrypted.inc_nonce = htonl(nonce + 1); 803 resp.encrypted.level = htonl(conn->params.security_level); 804 resp.kvno = htonl(token->kad->kvno); 805 resp.ticket_len = htonl(token->kad->ticket_len); 806 807 resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter); 808 resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter); 809 resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter); 810 resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter); 811 812 /* calculate the response checksum and then do the encryption */ 813 rxkad_calc_response_checksum(&resp); 814 rxkad_encrypt_response(conn, &resp, token->kad); 815 return rxkad_send_response(conn, &sp->hdr, &resp, token->kad); 816 817 protocol_error: 818 *_abort_code = abort_code; 819 _leave(" = -EPROTO [%d]", abort_code); 820 return -EPROTO; 821 } 822 823 /* 824 * decrypt the kerberos IV ticket in the response 825 */ 826 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn, 827 void *ticket, size_t ticket_len, 828 struct rxrpc_crypt *_session_key, 829 time_t *_expiry, 830 u32 *_abort_code) 831 { 832 struct skcipher_request *req; 833 struct rxrpc_crypt iv, key; 834 struct scatterlist sg[1]; 835 struct in_addr addr; 836 unsigned int life; 837 time_t issue, now; 838 bool little_endian; 839 int ret; 840 u8 *p, *q, *name, *end; 841 842 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key)); 843 844 *_expiry = 0; 845 846 ret = key_validate(conn->server_key); 847 if (ret < 0) { 848 switch (ret) { 849 case -EKEYEXPIRED: 850 *_abort_code = RXKADEXPIRED; 851 goto error; 852 default: 853 *_abort_code = RXKADNOAUTH; 854 goto error; 855 } 856 } 857 858 ASSERT(conn->server_key->payload.data[0] != NULL); 859 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0); 860 861 memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv)); 862 863 req = skcipher_request_alloc(conn->server_key->payload.data[0], 864 GFP_NOFS); 865 if (!req) { 866 *_abort_code = RXKADNOAUTH; 867 ret = -ENOMEM; 868 goto error; 869 } 870 871 sg_init_one(&sg[0], ticket, ticket_len); 872 skcipher_request_set_callback(req, 0, NULL, NULL); 873 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x); 874 crypto_skcipher_decrypt(req); 875 skcipher_request_free(req); 876 877 p = ticket; 878 end = p + ticket_len; 879 880 #define Z(size) \ 881 ({ \ 882 u8 *__str = p; \ 883 q = memchr(p, 0, end - p); \ 884 if (!q || q - p > (size)) \ 885 goto bad_ticket; \ 886 for (; p < q; p++) \ 887 if (!isprint(*p)) \ 888 goto bad_ticket; \ 889 p++; \ 890 __str; \ 891 }) 892 893 /* extract the ticket flags */ 894 _debug("KIV FLAGS: %x", *p); 895 little_endian = *p & 1; 896 p++; 897 898 /* extract the authentication name */ 899 name = Z(ANAME_SZ); 900 _debug("KIV ANAME: %s", name); 901 902 /* extract the principal's instance */ 903 name = Z(INST_SZ); 904 _debug("KIV INST : %s", name); 905 906 /* extract the principal's authentication domain */ 907 name = Z(REALM_SZ); 908 _debug("KIV REALM: %s", name); 909 910 if (end - p < 4 + 8 + 4 + 2) 911 goto bad_ticket; 912 913 /* get the IPv4 address of the entity that requested the ticket */ 914 memcpy(&addr, p, sizeof(addr)); 915 p += 4; 916 _debug("KIV ADDR : %pI4", &addr); 917 918 /* get the session key from the ticket */ 919 memcpy(&key, p, sizeof(key)); 920 p += 8; 921 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1])); 922 memcpy(_session_key, &key, sizeof(key)); 923 924 /* get the ticket's lifetime */ 925 life = *p++ * 5 * 60; 926 _debug("KIV LIFE : %u", life); 927 928 /* get the issue time of the ticket */ 929 if (little_endian) { 930 __le32 stamp; 931 memcpy(&stamp, p, 4); 932 issue = le32_to_cpu(stamp); 933 } else { 934 __be32 stamp; 935 memcpy(&stamp, p, 4); 936 issue = be32_to_cpu(stamp); 937 } 938 p += 4; 939 now = get_seconds(); 940 _debug("KIV ISSUE: %lx [%lx]", issue, now); 941 942 /* check the ticket is in date */ 943 if (issue > now) { 944 *_abort_code = RXKADNOAUTH; 945 ret = -EKEYREJECTED; 946 goto error; 947 } 948 949 if (issue < now - life) { 950 *_abort_code = RXKADEXPIRED; 951 ret = -EKEYEXPIRED; 952 goto error; 953 } 954 955 *_expiry = issue + life; 956 957 /* get the service name */ 958 name = Z(SNAME_SZ); 959 _debug("KIV SNAME: %s", name); 960 961 /* get the service instance name */ 962 name = Z(INST_SZ); 963 _debug("KIV SINST: %s", name); 964 965 ret = 0; 966 error: 967 _leave(" = %d", ret); 968 return ret; 969 970 bad_ticket: 971 *_abort_code = RXKADBADTICKET; 972 ret = -EBADMSG; 973 goto error; 974 } 975 976 /* 977 * decrypt the response packet 978 */ 979 static void rxkad_decrypt_response(struct rxrpc_connection *conn, 980 struct rxkad_response *resp, 981 const struct rxrpc_crypt *session_key) 982 { 983 SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci); 984 struct scatterlist sg[1]; 985 struct rxrpc_crypt iv; 986 987 _enter(",,%08x%08x", 988 ntohl(session_key->n[0]), ntohl(session_key->n[1])); 989 990 ASSERT(rxkad_ci != NULL); 991 992 mutex_lock(&rxkad_ci_mutex); 993 if (crypto_skcipher_setkey(rxkad_ci, session_key->x, 994 sizeof(*session_key)) < 0) 995 BUG(); 996 997 memcpy(&iv, session_key, sizeof(iv)); 998 999 sg_init_table(sg, 1); 1000 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 1001 skcipher_request_set_tfm(req, rxkad_ci); 1002 skcipher_request_set_callback(req, 0, NULL, NULL); 1003 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 1004 crypto_skcipher_decrypt(req); 1005 skcipher_request_zero(req); 1006 1007 mutex_unlock(&rxkad_ci_mutex); 1008 1009 _leave(""); 1010 } 1011 1012 /* 1013 * verify a response 1014 */ 1015 static int rxkad_verify_response(struct rxrpc_connection *conn, 1016 struct sk_buff *skb, 1017 u32 *_abort_code) 1018 { 1019 struct rxkad_response response 1020 __attribute__((aligned(8))); /* must be aligned for crypto */ 1021 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 1022 struct rxrpc_crypt session_key; 1023 time_t expiry; 1024 void *ticket; 1025 u32 abort_code, version, kvno, ticket_len, level; 1026 __be32 csum; 1027 int ret, i; 1028 1029 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key)); 1030 1031 abort_code = RXKADPACKETSHORT; 1032 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 1033 &response, sizeof(response)) < 0) 1034 goto protocol_error; 1035 if (!pskb_pull(skb, sizeof(response))) 1036 BUG(); 1037 1038 version = ntohl(response.version); 1039 ticket_len = ntohl(response.ticket_len); 1040 kvno = ntohl(response.kvno); 1041 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }", 1042 sp->hdr.serial, version, kvno, ticket_len); 1043 1044 abort_code = RXKADINCONSISTENCY; 1045 if (version != RXKAD_VERSION) 1046 goto protocol_error; 1047 1048 abort_code = RXKADTICKETLEN; 1049 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) 1050 goto protocol_error; 1051 1052 abort_code = RXKADUNKNOWNKEY; 1053 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) 1054 goto protocol_error; 1055 1056 /* extract the kerberos ticket and decrypt and decode it */ 1057 ticket = kmalloc(ticket_len, GFP_NOFS); 1058 if (!ticket) 1059 return -ENOMEM; 1060 1061 abort_code = RXKADPACKETSHORT; 1062 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 1063 ticket, ticket_len) < 0) 1064 goto protocol_error_free; 1065 1066 ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key, 1067 &expiry, &abort_code); 1068 if (ret < 0) { 1069 *_abort_code = abort_code; 1070 kfree(ticket); 1071 return ret; 1072 } 1073 1074 /* use the session key from inside the ticket to decrypt the 1075 * response */ 1076 rxkad_decrypt_response(conn, &response, &session_key); 1077 1078 abort_code = RXKADSEALEDINCON; 1079 if (ntohl(response.encrypted.epoch) != conn->proto.epoch) 1080 goto protocol_error_free; 1081 if (ntohl(response.encrypted.cid) != conn->proto.cid) 1082 goto protocol_error_free; 1083 if (ntohl(response.encrypted.securityIndex) != conn->security_ix) 1084 goto protocol_error_free; 1085 csum = response.encrypted.checksum; 1086 response.encrypted.checksum = 0; 1087 rxkad_calc_response_checksum(&response); 1088 if (response.encrypted.checksum != csum) 1089 goto protocol_error_free; 1090 1091 spin_lock(&conn->channel_lock); 1092 for (i = 0; i < RXRPC_MAXCALLS; i++) { 1093 struct rxrpc_call *call; 1094 u32 call_id = ntohl(response.encrypted.call_id[i]); 1095 1096 if (call_id > INT_MAX) 1097 goto protocol_error_unlock; 1098 1099 if (call_id < conn->channels[i].call_counter) 1100 goto protocol_error_unlock; 1101 if (call_id > conn->channels[i].call_counter) { 1102 call = rcu_dereference_protected( 1103 conn->channels[i].call, 1104 lockdep_is_held(&conn->channel_lock)); 1105 if (call && call->state < RXRPC_CALL_COMPLETE) 1106 goto protocol_error_unlock; 1107 conn->channels[i].call_counter = call_id; 1108 } 1109 } 1110 spin_unlock(&conn->channel_lock); 1111 1112 abort_code = RXKADOUTOFSEQUENCE; 1113 if (ntohl(response.encrypted.inc_nonce) != conn->security_nonce + 1) 1114 goto protocol_error_free; 1115 1116 abort_code = RXKADLEVELFAIL; 1117 level = ntohl(response.encrypted.level); 1118 if (level > RXRPC_SECURITY_ENCRYPT) 1119 goto protocol_error_free; 1120 conn->params.security_level = level; 1121 1122 /* create a key to hold the security data and expiration time - after 1123 * this the connection security can be handled in exactly the same way 1124 * as for a client connection */ 1125 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); 1126 if (ret < 0) { 1127 kfree(ticket); 1128 return ret; 1129 } 1130 1131 kfree(ticket); 1132 _leave(" = 0"); 1133 return 0; 1134 1135 protocol_error_unlock: 1136 spin_unlock(&conn->channel_lock); 1137 protocol_error_free: 1138 kfree(ticket); 1139 protocol_error: 1140 *_abort_code = abort_code; 1141 _leave(" = -EPROTO [%d]", abort_code); 1142 return -EPROTO; 1143 } 1144 1145 /* 1146 * clear the connection security 1147 */ 1148 static void rxkad_clear(struct rxrpc_connection *conn) 1149 { 1150 _enter(""); 1151 1152 if (conn->cipher) 1153 crypto_free_skcipher(conn->cipher); 1154 } 1155 1156 /* 1157 * Initialise the rxkad security service. 1158 */ 1159 static int rxkad_init(void) 1160 { 1161 /* pin the cipher we need so that the crypto layer doesn't invoke 1162 * keventd to go get it */ 1163 rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 1164 return PTR_ERR_OR_ZERO(rxkad_ci); 1165 } 1166 1167 /* 1168 * Clean up the rxkad security service. 1169 */ 1170 static void rxkad_exit(void) 1171 { 1172 if (rxkad_ci) 1173 crypto_free_skcipher(rxkad_ci); 1174 } 1175 1176 /* 1177 * RxRPC Kerberos-based security 1178 */ 1179 const struct rxrpc_security rxkad = { 1180 .name = "rxkad", 1181 .security_index = RXRPC_SECURITY_RXKAD, 1182 .init = rxkad_init, 1183 .exit = rxkad_exit, 1184 .init_connection_security = rxkad_init_connection_security, 1185 .prime_packet_security = rxkad_prime_packet_security, 1186 .secure_packet = rxkad_secure_packet, 1187 .verify_packet = rxkad_verify_packet, 1188 .locate_data = rxkad_locate_data, 1189 .issue_challenge = rxkad_issue_challenge, 1190 .respond_to_challenge = rxkad_respond_to_challenge, 1191 .verify_response = rxkad_verify_response, 1192 .clear = rxkad_clear, 1193 }; 1194