xref: /openbmc/linux/net/rxrpc/rxkad.c (revision 7587eb18)
1 /* Kerberos-based RxRPC security
2  *
3  * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11 
12 #include <crypto/skcipher.h>
13 #include <linux/module.h>
14 #include <linux/net.h>
15 #include <linux/skbuff.h>
16 #include <linux/udp.h>
17 #include <linux/scatterlist.h>
18 #include <linux/ctype.h>
19 #include <linux/slab.h>
20 #include <net/sock.h>
21 #include <net/af_rxrpc.h>
22 #include <keys/rxrpc-type.h>
23 #include "ar-internal.h"
24 
25 #define RXKAD_VERSION			2
26 #define MAXKRB5TICKETLEN		1024
27 #define RXKAD_TKT_TYPE_KERBEROS_V5	256
28 #define ANAME_SZ			40	/* size of authentication name */
29 #define INST_SZ				40	/* size of principal's instance */
30 #define REALM_SZ			40	/* size of principal's auth domain */
31 #define SNAME_SZ			40	/* size of service name */
32 
33 struct rxkad_level1_hdr {
34 	__be32	data_size;	/* true data size (excluding padding) */
35 };
36 
37 struct rxkad_level2_hdr {
38 	__be32	data_size;	/* true data size (excluding padding) */
39 	__be32	checksum;	/* decrypted data checksum */
40 };
41 
42 /*
43  * this holds a pinned cipher so that keventd doesn't get called by the cipher
44  * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
45  * packets
46  */
47 static struct crypto_skcipher *rxkad_ci;
48 static DEFINE_MUTEX(rxkad_ci_mutex);
49 
50 /*
51  * initialise connection security
52  */
53 static int rxkad_init_connection_security(struct rxrpc_connection *conn)
54 {
55 	struct crypto_skcipher *ci;
56 	struct rxrpc_key_token *token;
57 	int ret;
58 
59 	_enter("{%d},{%x}", conn->debug_id, key_serial(conn->key));
60 
61 	token = conn->key->payload.data[0];
62 	conn->security_ix = token->security_index;
63 
64 	ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
65 	if (IS_ERR(ci)) {
66 		_debug("no cipher");
67 		ret = PTR_ERR(ci);
68 		goto error;
69 	}
70 
71 	if (crypto_skcipher_setkey(ci, token->kad->session_key,
72 				   sizeof(token->kad->session_key)) < 0)
73 		BUG();
74 
75 	switch (conn->security_level) {
76 	case RXRPC_SECURITY_PLAIN:
77 		break;
78 	case RXRPC_SECURITY_AUTH:
79 		conn->size_align = 8;
80 		conn->security_size = sizeof(struct rxkad_level1_hdr);
81 		conn->header_size += sizeof(struct rxkad_level1_hdr);
82 		break;
83 	case RXRPC_SECURITY_ENCRYPT:
84 		conn->size_align = 8;
85 		conn->security_size = sizeof(struct rxkad_level2_hdr);
86 		conn->header_size += sizeof(struct rxkad_level2_hdr);
87 		break;
88 	default:
89 		ret = -EKEYREJECTED;
90 		goto error;
91 	}
92 
93 	conn->cipher = ci;
94 	ret = 0;
95 error:
96 	_leave(" = %d", ret);
97 	return ret;
98 }
99 
100 /*
101  * prime the encryption state with the invariant parts of a connection's
102  * description
103  */
104 static void rxkad_prime_packet_security(struct rxrpc_connection *conn)
105 {
106 	struct rxrpc_key_token *token;
107 	SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
108 	struct scatterlist sg[2];
109 	struct rxrpc_crypt iv;
110 	struct {
111 		__be32 x[4];
112 	} tmpbuf __attribute__((aligned(16))); /* must all be in same page */
113 
114 	_enter("");
115 
116 	if (!conn->key)
117 		return;
118 
119 	token = conn->key->payload.data[0];
120 	memcpy(&iv, token->kad->session_key, sizeof(iv));
121 
122 	tmpbuf.x[0] = htonl(conn->epoch);
123 	tmpbuf.x[1] = htonl(conn->cid);
124 	tmpbuf.x[2] = 0;
125 	tmpbuf.x[3] = htonl(conn->security_ix);
126 
127 	sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf));
128 	sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf));
129 
130 	skcipher_request_set_tfm(req, conn->cipher);
131 	skcipher_request_set_callback(req, 0, NULL, NULL);
132 	skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(tmpbuf), iv.x);
133 
134 	crypto_skcipher_encrypt(req);
135 	skcipher_request_zero(req);
136 
137 	memcpy(&conn->csum_iv, &tmpbuf.x[2], sizeof(conn->csum_iv));
138 	ASSERTCMP((u32 __force)conn->csum_iv.n[0], ==, (u32 __force)tmpbuf.x[2]);
139 
140 	_leave("");
141 }
142 
143 /*
144  * partially encrypt a packet (level 1 security)
145  */
146 static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
147 				    struct sk_buff *skb,
148 				    u32 data_size,
149 				    void *sechdr)
150 {
151 	struct rxrpc_skb_priv *sp;
152 	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
153 	struct rxrpc_crypt iv;
154 	struct scatterlist sg[2];
155 	struct {
156 		struct rxkad_level1_hdr hdr;
157 		__be32	first;	/* first four bytes of data and padding */
158 	} tmpbuf __attribute__((aligned(8))); /* must all be in same page */
159 	u16 check;
160 
161 	sp = rxrpc_skb(skb);
162 
163 	_enter("");
164 
165 	check = sp->hdr.seq ^ sp->hdr.callNumber;
166 	data_size |= (u32)check << 16;
167 
168 	tmpbuf.hdr.data_size = htonl(data_size);
169 	memcpy(&tmpbuf.first, sechdr + 4, sizeof(tmpbuf.first));
170 
171 	/* start the encryption afresh */
172 	memset(&iv, 0, sizeof(iv));
173 
174 	sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf));
175 	sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf));
176 
177 	skcipher_request_set_tfm(req, call->conn->cipher);
178 	skcipher_request_set_callback(req, 0, NULL, NULL);
179 	skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(tmpbuf), iv.x);
180 
181 	crypto_skcipher_encrypt(req);
182 	skcipher_request_zero(req);
183 
184 	memcpy(sechdr, &tmpbuf, sizeof(tmpbuf));
185 
186 	_leave(" = 0");
187 	return 0;
188 }
189 
190 /*
191  * wholly encrypt a packet (level 2 security)
192  */
193 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
194 				       struct sk_buff *skb,
195 				       u32 data_size,
196 				       void *sechdr)
197 {
198 	const struct rxrpc_key_token *token;
199 	struct rxkad_level2_hdr rxkhdr
200 		__attribute__((aligned(8))); /* must be all on one page */
201 	struct rxrpc_skb_priv *sp;
202 	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
203 	struct rxrpc_crypt iv;
204 	struct scatterlist sg[16];
205 	struct sk_buff *trailer;
206 	unsigned int len;
207 	u16 check;
208 	int nsg;
209 	int err;
210 
211 	sp = rxrpc_skb(skb);
212 
213 	_enter("");
214 
215 	check = sp->hdr.seq ^ sp->hdr.callNumber;
216 
217 	rxkhdr.data_size = htonl(data_size | (u32)check << 16);
218 	rxkhdr.checksum = 0;
219 
220 	/* encrypt from the session key */
221 	token = call->conn->key->payload.data[0];
222 	memcpy(&iv, token->kad->session_key, sizeof(iv));
223 
224 	sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
225 	sg_init_one(&sg[1], &rxkhdr, sizeof(rxkhdr));
226 
227 	skcipher_request_set_tfm(req, call->conn->cipher);
228 	skcipher_request_set_callback(req, 0, NULL, NULL);
229 	skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(rxkhdr), iv.x);
230 
231 	crypto_skcipher_encrypt(req);
232 
233 	/* we want to encrypt the skbuff in-place */
234 	nsg = skb_cow_data(skb, 0, &trailer);
235 	err = -ENOMEM;
236 	if (nsg < 0 || nsg > 16)
237 		goto out;
238 
239 	len = data_size + call->conn->size_align - 1;
240 	len &= ~(call->conn->size_align - 1);
241 
242 	sg_init_table(sg, nsg);
243 	skb_to_sgvec(skb, sg, 0, len);
244 
245 	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
246 
247 	crypto_skcipher_encrypt(req);
248 
249 	_leave(" = 0");
250 	err = 0;
251 
252 out:
253 	skcipher_request_zero(req);
254 	return err;
255 }
256 
257 /*
258  * checksum an RxRPC packet header
259  */
260 static int rxkad_secure_packet(const struct rxrpc_call *call,
261 			       struct sk_buff *skb,
262 			       size_t data_size,
263 			       void *sechdr)
264 {
265 	struct rxrpc_skb_priv *sp;
266 	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
267 	struct rxrpc_crypt iv;
268 	struct scatterlist sg[2];
269 	struct {
270 		__be32 x[2];
271 	} tmpbuf __attribute__((aligned(8))); /* must all be in same page */
272 	u32 x, y;
273 	int ret;
274 
275 	sp = rxrpc_skb(skb);
276 
277 	_enter("{%d{%x}},{#%u},%zu,",
278 	       call->debug_id, key_serial(call->conn->key), sp->hdr.seq,
279 	       data_size);
280 
281 	if (!call->conn->cipher)
282 		return 0;
283 
284 	ret = key_validate(call->conn->key);
285 	if (ret < 0)
286 		return ret;
287 
288 	/* continue encrypting from where we left off */
289 	memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
290 
291 	/* calculate the security checksum */
292 	x = call->channel << (32 - RXRPC_CIDSHIFT);
293 	x |= sp->hdr.seq & 0x3fffffff;
294 	tmpbuf.x[0] = htonl(sp->hdr.callNumber);
295 	tmpbuf.x[1] = htonl(x);
296 
297 	sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf));
298 	sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf));
299 
300 	skcipher_request_set_tfm(req, call->conn->cipher);
301 	skcipher_request_set_callback(req, 0, NULL, NULL);
302 	skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(tmpbuf), iv.x);
303 
304 	crypto_skcipher_encrypt(req);
305 	skcipher_request_zero(req);
306 
307 	y = ntohl(tmpbuf.x[1]);
308 	y = (y >> 16) & 0xffff;
309 	if (y == 0)
310 		y = 1; /* zero checksums are not permitted */
311 	sp->hdr.cksum = y;
312 
313 	switch (call->conn->security_level) {
314 	case RXRPC_SECURITY_PLAIN:
315 		ret = 0;
316 		break;
317 	case RXRPC_SECURITY_AUTH:
318 		ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr);
319 		break;
320 	case RXRPC_SECURITY_ENCRYPT:
321 		ret = rxkad_secure_packet_encrypt(call, skb, data_size,
322 						  sechdr);
323 		break;
324 	default:
325 		ret = -EPERM;
326 		break;
327 	}
328 
329 	_leave(" = %d [set %hx]", ret, y);
330 	return ret;
331 }
332 
333 /*
334  * decrypt partial encryption on a packet (level 1 security)
335  */
336 static int rxkad_verify_packet_auth(const struct rxrpc_call *call,
337 				    struct sk_buff *skb,
338 				    u32 *_abort_code)
339 {
340 	struct rxkad_level1_hdr sechdr;
341 	struct rxrpc_skb_priv *sp;
342 	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
343 	struct rxrpc_crypt iv;
344 	struct scatterlist sg[16];
345 	struct sk_buff *trailer;
346 	u32 data_size, buf;
347 	u16 check;
348 	int nsg;
349 
350 	_enter("");
351 
352 	sp = rxrpc_skb(skb);
353 
354 	/* we want to decrypt the skbuff in-place */
355 	nsg = skb_cow_data(skb, 0, &trailer);
356 	if (nsg < 0 || nsg > 16)
357 		goto nomem;
358 
359 	sg_init_table(sg, nsg);
360 	skb_to_sgvec(skb, sg, 0, 8);
361 
362 	/* start the decryption afresh */
363 	memset(&iv, 0, sizeof(iv));
364 
365 	skcipher_request_set_tfm(req, call->conn->cipher);
366 	skcipher_request_set_callback(req, 0, NULL, NULL);
367 	skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
368 
369 	crypto_skcipher_decrypt(req);
370 	skcipher_request_zero(req);
371 
372 	/* remove the decrypted packet length */
373 	if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0)
374 		goto datalen_error;
375 	if (!skb_pull(skb, sizeof(sechdr)))
376 		BUG();
377 
378 	buf = ntohl(sechdr.data_size);
379 	data_size = buf & 0xffff;
380 
381 	check = buf >> 16;
382 	check ^= sp->hdr.seq ^ sp->hdr.callNumber;
383 	check &= 0xffff;
384 	if (check != 0) {
385 		*_abort_code = RXKADSEALEDINCON;
386 		goto protocol_error;
387 	}
388 
389 	/* shorten the packet to remove the padding */
390 	if (data_size > skb->len)
391 		goto datalen_error;
392 	else if (data_size < skb->len)
393 		skb->len = data_size;
394 
395 	_leave(" = 0 [dlen=%x]", data_size);
396 	return 0;
397 
398 datalen_error:
399 	*_abort_code = RXKADDATALEN;
400 protocol_error:
401 	_leave(" = -EPROTO");
402 	return -EPROTO;
403 
404 nomem:
405 	_leave(" = -ENOMEM");
406 	return -ENOMEM;
407 }
408 
409 /*
410  * wholly decrypt a packet (level 2 security)
411  */
412 static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call,
413 				       struct sk_buff *skb,
414 				       u32 *_abort_code)
415 {
416 	const struct rxrpc_key_token *token;
417 	struct rxkad_level2_hdr sechdr;
418 	struct rxrpc_skb_priv *sp;
419 	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
420 	struct rxrpc_crypt iv;
421 	struct scatterlist _sg[4], *sg;
422 	struct sk_buff *trailer;
423 	u32 data_size, buf;
424 	u16 check;
425 	int nsg;
426 
427 	_enter(",{%d}", skb->len);
428 
429 	sp = rxrpc_skb(skb);
430 
431 	/* we want to decrypt the skbuff in-place */
432 	nsg = skb_cow_data(skb, 0, &trailer);
433 	if (nsg < 0)
434 		goto nomem;
435 
436 	sg = _sg;
437 	if (unlikely(nsg > 4)) {
438 		sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO);
439 		if (!sg)
440 			goto nomem;
441 	}
442 
443 	sg_init_table(sg, nsg);
444 	skb_to_sgvec(skb, sg, 0, skb->len);
445 
446 	/* decrypt from the session key */
447 	token = call->conn->key->payload.data[0];
448 	memcpy(&iv, token->kad->session_key, sizeof(iv));
449 
450 	skcipher_request_set_tfm(req, call->conn->cipher);
451 	skcipher_request_set_callback(req, 0, NULL, NULL);
452 	skcipher_request_set_crypt(req, sg, sg, skb->len, iv.x);
453 
454 	crypto_skcipher_decrypt(req);
455 	skcipher_request_zero(req);
456 	if (sg != _sg)
457 		kfree(sg);
458 
459 	/* remove the decrypted packet length */
460 	if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0)
461 		goto datalen_error;
462 	if (!skb_pull(skb, sizeof(sechdr)))
463 		BUG();
464 
465 	buf = ntohl(sechdr.data_size);
466 	data_size = buf & 0xffff;
467 
468 	check = buf >> 16;
469 	check ^= sp->hdr.seq ^ sp->hdr.callNumber;
470 	check &= 0xffff;
471 	if (check != 0) {
472 		*_abort_code = RXKADSEALEDINCON;
473 		goto protocol_error;
474 	}
475 
476 	/* shorten the packet to remove the padding */
477 	if (data_size > skb->len)
478 		goto datalen_error;
479 	else if (data_size < skb->len)
480 		skb->len = data_size;
481 
482 	_leave(" = 0 [dlen=%x]", data_size);
483 	return 0;
484 
485 datalen_error:
486 	*_abort_code = RXKADDATALEN;
487 protocol_error:
488 	_leave(" = -EPROTO");
489 	return -EPROTO;
490 
491 nomem:
492 	_leave(" = -ENOMEM");
493 	return -ENOMEM;
494 }
495 
496 /*
497  * verify the security on a received packet
498  */
499 static int rxkad_verify_packet(const struct rxrpc_call *call,
500 			       struct sk_buff *skb,
501 			       u32 *_abort_code)
502 {
503 	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
504 	struct rxrpc_skb_priv *sp;
505 	struct rxrpc_crypt iv;
506 	struct scatterlist sg[2];
507 	struct {
508 		__be32 x[2];
509 	} tmpbuf __attribute__((aligned(8))); /* must all be in same page */
510 	u16 cksum;
511 	u32 x, y;
512 	int ret;
513 
514 	sp = rxrpc_skb(skb);
515 
516 	_enter("{%d{%x}},{#%u}",
517 	       call->debug_id, key_serial(call->conn->key), sp->hdr.seq);
518 
519 	if (!call->conn->cipher)
520 		return 0;
521 
522 	if (sp->hdr.securityIndex != RXRPC_SECURITY_RXKAD) {
523 		*_abort_code = RXKADINCONSISTENCY;
524 		_leave(" = -EPROTO [not rxkad]");
525 		return -EPROTO;
526 	}
527 
528 	/* continue encrypting from where we left off */
529 	memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
530 
531 	/* validate the security checksum */
532 	x = call->channel << (32 - RXRPC_CIDSHIFT);
533 	x |= sp->hdr.seq & 0x3fffffff;
534 	tmpbuf.x[0] = htonl(call->call_id);
535 	tmpbuf.x[1] = htonl(x);
536 
537 	sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf));
538 	sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf));
539 
540 	skcipher_request_set_tfm(req, call->conn->cipher);
541 	skcipher_request_set_callback(req, 0, NULL, NULL);
542 	skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(tmpbuf), iv.x);
543 
544 	crypto_skcipher_encrypt(req);
545 	skcipher_request_zero(req);
546 
547 	y = ntohl(tmpbuf.x[1]);
548 	cksum = (y >> 16) & 0xffff;
549 	if (cksum == 0)
550 		cksum = 1; /* zero checksums are not permitted */
551 
552 	if (sp->hdr.cksum != cksum) {
553 		*_abort_code = RXKADSEALEDINCON;
554 		_leave(" = -EPROTO [csum failed]");
555 		return -EPROTO;
556 	}
557 
558 	switch (call->conn->security_level) {
559 	case RXRPC_SECURITY_PLAIN:
560 		ret = 0;
561 		break;
562 	case RXRPC_SECURITY_AUTH:
563 		ret = rxkad_verify_packet_auth(call, skb, _abort_code);
564 		break;
565 	case RXRPC_SECURITY_ENCRYPT:
566 		ret = rxkad_verify_packet_encrypt(call, skb, _abort_code);
567 		break;
568 	default:
569 		ret = -ENOANO;
570 		break;
571 	}
572 
573 	_leave(" = %d", ret);
574 	return ret;
575 }
576 
577 /*
578  * issue a challenge
579  */
580 static int rxkad_issue_challenge(struct rxrpc_connection *conn)
581 {
582 	struct rxkad_challenge challenge;
583 	struct rxrpc_wire_header whdr;
584 	struct msghdr msg;
585 	struct kvec iov[2];
586 	size_t len;
587 	u32 serial;
588 	int ret;
589 
590 	_enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
591 
592 	ret = key_validate(conn->key);
593 	if (ret < 0)
594 		return ret;
595 
596 	get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
597 
598 	challenge.version	= htonl(2);
599 	challenge.nonce		= htonl(conn->security_nonce);
600 	challenge.min_level	= htonl(0);
601 	challenge.__padding	= 0;
602 
603 	msg.msg_name	= &conn->trans->peer->srx.transport.sin;
604 	msg.msg_namelen	= sizeof(conn->trans->peer->srx.transport.sin);
605 	msg.msg_control	= NULL;
606 	msg.msg_controllen = 0;
607 	msg.msg_flags	= 0;
608 
609 	whdr.epoch	= htonl(conn->epoch);
610 	whdr.cid	= htonl(conn->cid);
611 	whdr.callNumber	= 0;
612 	whdr.seq	= 0;
613 	whdr.type	= RXRPC_PACKET_TYPE_CHALLENGE;
614 	whdr.flags	= conn->out_clientflag;
615 	whdr.userStatus	= 0;
616 	whdr.securityIndex = conn->security_ix;
617 	whdr._rsvd	= 0;
618 	whdr.serviceId	= htons(conn->service_id);
619 
620 	iov[0].iov_base	= &whdr;
621 	iov[0].iov_len	= sizeof(whdr);
622 	iov[1].iov_base	= &challenge;
623 	iov[1].iov_len	= sizeof(challenge);
624 
625 	len = iov[0].iov_len + iov[1].iov_len;
626 
627 	serial = atomic_inc_return(&conn->serial);
628 	whdr.serial = htonl(serial);
629 	_proto("Tx CHALLENGE %%%u", serial);
630 
631 	ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
632 	if (ret < 0) {
633 		_debug("sendmsg failed: %d", ret);
634 		return -EAGAIN;
635 	}
636 
637 	_leave(" = 0");
638 	return 0;
639 }
640 
641 /*
642  * send a Kerberos security response
643  */
644 static int rxkad_send_response(struct rxrpc_connection *conn,
645 			       struct rxrpc_host_header *hdr,
646 			       struct rxkad_response *resp,
647 			       const struct rxkad_key *s2)
648 {
649 	struct rxrpc_wire_header whdr;
650 	struct msghdr msg;
651 	struct kvec iov[3];
652 	size_t len;
653 	u32 serial;
654 	int ret;
655 
656 	_enter("");
657 
658 	msg.msg_name	= &conn->trans->peer->srx.transport.sin;
659 	msg.msg_namelen	= sizeof(conn->trans->peer->srx.transport.sin);
660 	msg.msg_control	= NULL;
661 	msg.msg_controllen = 0;
662 	msg.msg_flags	= 0;
663 
664 	memset(&whdr, 0, sizeof(whdr));
665 	whdr.epoch	= htonl(hdr->epoch);
666 	whdr.cid	= htonl(hdr->cid);
667 	whdr.type	= RXRPC_PACKET_TYPE_RESPONSE;
668 	whdr.flags	= conn->out_clientflag;
669 	whdr.securityIndex = hdr->securityIndex;
670 	whdr.serviceId	= htons(hdr->serviceId);
671 
672 	iov[0].iov_base	= &whdr;
673 	iov[0].iov_len	= sizeof(whdr);
674 	iov[1].iov_base	= resp;
675 	iov[1].iov_len	= sizeof(*resp);
676 	iov[2].iov_base	= (void *)s2->ticket;
677 	iov[2].iov_len	= s2->ticket_len;
678 
679 	len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
680 
681 	serial = atomic_inc_return(&conn->serial);
682 	whdr.serial = htonl(serial);
683 	_proto("Tx RESPONSE %%%u", serial);
684 
685 	ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
686 	if (ret < 0) {
687 		_debug("sendmsg failed: %d", ret);
688 		return -EAGAIN;
689 	}
690 
691 	_leave(" = 0");
692 	return 0;
693 }
694 
695 /*
696  * calculate the response checksum
697  */
698 static void rxkad_calc_response_checksum(struct rxkad_response *response)
699 {
700 	u32 csum = 1000003;
701 	int loop;
702 	u8 *p = (u8 *) response;
703 
704 	for (loop = sizeof(*response); loop > 0; loop--)
705 		csum = csum * 0x10204081 + *p++;
706 
707 	response->encrypted.checksum = htonl(csum);
708 }
709 
710 /*
711  * load a scatterlist with a potentially split-page buffer
712  */
713 static void rxkad_sg_set_buf2(struct scatterlist sg[2],
714 			      void *buf, size_t buflen)
715 {
716 	int nsg = 1;
717 
718 	sg_init_table(sg, 2);
719 
720 	sg_set_buf(&sg[0], buf, buflen);
721 	if (sg[0].offset + buflen > PAGE_SIZE) {
722 		/* the buffer was split over two pages */
723 		sg[0].length = PAGE_SIZE - sg[0].offset;
724 		sg_set_buf(&sg[1], buf + sg[0].length, buflen - sg[0].length);
725 		nsg++;
726 	}
727 
728 	sg_mark_end(&sg[nsg - 1]);
729 
730 	ASSERTCMP(sg[0].length + sg[1].length, ==, buflen);
731 }
732 
733 /*
734  * encrypt the response packet
735  */
736 static void rxkad_encrypt_response(struct rxrpc_connection *conn,
737 				   struct rxkad_response *resp,
738 				   const struct rxkad_key *s2)
739 {
740 	SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
741 	struct rxrpc_crypt iv;
742 	struct scatterlist sg[2];
743 
744 	/* continue encrypting from where we left off */
745 	memcpy(&iv, s2->session_key, sizeof(iv));
746 
747 	rxkad_sg_set_buf2(sg, &resp->encrypted, sizeof(resp->encrypted));
748 
749 	skcipher_request_set_tfm(req, conn->cipher);
750 	skcipher_request_set_callback(req, 0, NULL, NULL);
751 	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
752 
753 	crypto_skcipher_encrypt(req);
754 	skcipher_request_zero(req);
755 }
756 
757 /*
758  * respond to a challenge packet
759  */
760 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
761 				      struct sk_buff *skb,
762 				      u32 *_abort_code)
763 {
764 	const struct rxrpc_key_token *token;
765 	struct rxkad_challenge challenge;
766 	struct rxkad_response resp
767 		__attribute__((aligned(8))); /* must be aligned for crypto */
768 	struct rxrpc_skb_priv *sp;
769 	u32 version, nonce, min_level, abort_code;
770 	int ret;
771 
772 	_enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
773 
774 	if (!conn->key) {
775 		_leave(" = -EPROTO [no key]");
776 		return -EPROTO;
777 	}
778 
779 	ret = key_validate(conn->key);
780 	if (ret < 0) {
781 		*_abort_code = RXKADEXPIRED;
782 		return ret;
783 	}
784 
785 	abort_code = RXKADPACKETSHORT;
786 	sp = rxrpc_skb(skb);
787 	if (skb_copy_bits(skb, 0, &challenge, sizeof(challenge)) < 0)
788 		goto protocol_error;
789 
790 	version = ntohl(challenge.version);
791 	nonce = ntohl(challenge.nonce);
792 	min_level = ntohl(challenge.min_level);
793 
794 	_proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
795 	       sp->hdr.serial, version, nonce, min_level);
796 
797 	abort_code = RXKADINCONSISTENCY;
798 	if (version != RXKAD_VERSION)
799 		goto protocol_error;
800 
801 	abort_code = RXKADLEVELFAIL;
802 	if (conn->security_level < min_level)
803 		goto protocol_error;
804 
805 	token = conn->key->payload.data[0];
806 
807 	/* build the response packet */
808 	memset(&resp, 0, sizeof(resp));
809 
810 	resp.version			= htonl(RXKAD_VERSION);
811 	resp.encrypted.epoch		= htonl(conn->epoch);
812 	resp.encrypted.cid		= htonl(conn->cid);
813 	resp.encrypted.securityIndex	= htonl(conn->security_ix);
814 	resp.encrypted.inc_nonce	= htonl(nonce + 1);
815 	resp.encrypted.level		= htonl(conn->security_level);
816 	resp.kvno			= htonl(token->kad->kvno);
817 	resp.ticket_len			= htonl(token->kad->ticket_len);
818 
819 	resp.encrypted.call_id[0] =
820 		htonl(conn->channels[0] ? conn->channels[0]->call_id : 0);
821 	resp.encrypted.call_id[1] =
822 		htonl(conn->channels[1] ? conn->channels[1]->call_id : 0);
823 	resp.encrypted.call_id[2] =
824 		htonl(conn->channels[2] ? conn->channels[2]->call_id : 0);
825 	resp.encrypted.call_id[3] =
826 		htonl(conn->channels[3] ? conn->channels[3]->call_id : 0);
827 
828 	/* calculate the response checksum and then do the encryption */
829 	rxkad_calc_response_checksum(&resp);
830 	rxkad_encrypt_response(conn, &resp, token->kad);
831 	return rxkad_send_response(conn, &sp->hdr, &resp, token->kad);
832 
833 protocol_error:
834 	*_abort_code = abort_code;
835 	_leave(" = -EPROTO [%d]", abort_code);
836 	return -EPROTO;
837 }
838 
839 /*
840  * decrypt the kerberos IV ticket in the response
841  */
842 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
843 				void *ticket, size_t ticket_len,
844 				struct rxrpc_crypt *_session_key,
845 				time_t *_expiry,
846 				u32 *_abort_code)
847 {
848 	struct skcipher_request *req;
849 	struct rxrpc_crypt iv, key;
850 	struct scatterlist sg[1];
851 	struct in_addr addr;
852 	unsigned int life;
853 	time_t issue, now;
854 	bool little_endian;
855 	int ret;
856 	u8 *p, *q, *name, *end;
857 
858 	_enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
859 
860 	*_expiry = 0;
861 
862 	ret = key_validate(conn->server_key);
863 	if (ret < 0) {
864 		switch (ret) {
865 		case -EKEYEXPIRED:
866 			*_abort_code = RXKADEXPIRED;
867 			goto error;
868 		default:
869 			*_abort_code = RXKADNOAUTH;
870 			goto error;
871 		}
872 	}
873 
874 	ASSERT(conn->server_key->payload.data[0] != NULL);
875 	ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
876 
877 	memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
878 
879 	req = skcipher_request_alloc(conn->server_key->payload.data[0],
880 				     GFP_NOFS);
881 	if (!req) {
882 		*_abort_code = RXKADNOAUTH;
883 		ret = -ENOMEM;
884 		goto error;
885 	}
886 
887 	sg_init_one(&sg[0], ticket, ticket_len);
888 
889 	skcipher_request_set_callback(req, 0, NULL, NULL);
890 	skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
891 
892 	crypto_skcipher_decrypt(req);
893 	skcipher_request_free(req);
894 
895 	p = ticket;
896 	end = p + ticket_len;
897 
898 #define Z(size)						\
899 	({						\
900 		u8 *__str = p;				\
901 		q = memchr(p, 0, end - p);		\
902 		if (!q || q - p > (size))		\
903 			goto bad_ticket;		\
904 		for (; p < q; p++)			\
905 			if (!isprint(*p))		\
906 				goto bad_ticket;	\
907 		p++;					\
908 		__str;					\
909 	})
910 
911 	/* extract the ticket flags */
912 	_debug("KIV FLAGS: %x", *p);
913 	little_endian = *p & 1;
914 	p++;
915 
916 	/* extract the authentication name */
917 	name = Z(ANAME_SZ);
918 	_debug("KIV ANAME: %s", name);
919 
920 	/* extract the principal's instance */
921 	name = Z(INST_SZ);
922 	_debug("KIV INST : %s", name);
923 
924 	/* extract the principal's authentication domain */
925 	name = Z(REALM_SZ);
926 	_debug("KIV REALM: %s", name);
927 
928 	if (end - p < 4 + 8 + 4 + 2)
929 		goto bad_ticket;
930 
931 	/* get the IPv4 address of the entity that requested the ticket */
932 	memcpy(&addr, p, sizeof(addr));
933 	p += 4;
934 	_debug("KIV ADDR : %pI4", &addr);
935 
936 	/* get the session key from the ticket */
937 	memcpy(&key, p, sizeof(key));
938 	p += 8;
939 	_debug("KIV KEY  : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
940 	memcpy(_session_key, &key, sizeof(key));
941 
942 	/* get the ticket's lifetime */
943 	life = *p++ * 5 * 60;
944 	_debug("KIV LIFE : %u", life);
945 
946 	/* get the issue time of the ticket */
947 	if (little_endian) {
948 		__le32 stamp;
949 		memcpy(&stamp, p, 4);
950 		issue = le32_to_cpu(stamp);
951 	} else {
952 		__be32 stamp;
953 		memcpy(&stamp, p, 4);
954 		issue = be32_to_cpu(stamp);
955 	}
956 	p += 4;
957 	now = get_seconds();
958 	_debug("KIV ISSUE: %lx [%lx]", issue, now);
959 
960 	/* check the ticket is in date */
961 	if (issue > now) {
962 		*_abort_code = RXKADNOAUTH;
963 		ret = -EKEYREJECTED;
964 		goto error;
965 	}
966 
967 	if (issue < now - life) {
968 		*_abort_code = RXKADEXPIRED;
969 		ret = -EKEYEXPIRED;
970 		goto error;
971 	}
972 
973 	*_expiry = issue + life;
974 
975 	/* get the service name */
976 	name = Z(SNAME_SZ);
977 	_debug("KIV SNAME: %s", name);
978 
979 	/* get the service instance name */
980 	name = Z(INST_SZ);
981 	_debug("KIV SINST: %s", name);
982 
983 	ret = 0;
984 error:
985 	_leave(" = %d", ret);
986 	return ret;
987 
988 bad_ticket:
989 	*_abort_code = RXKADBADTICKET;
990 	ret = -EBADMSG;
991 	goto error;
992 }
993 
994 /*
995  * decrypt the response packet
996  */
997 static void rxkad_decrypt_response(struct rxrpc_connection *conn,
998 				   struct rxkad_response *resp,
999 				   const struct rxrpc_crypt *session_key)
1000 {
1001 	SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci);
1002 	struct scatterlist sg[2];
1003 	struct rxrpc_crypt iv;
1004 
1005 	_enter(",,%08x%08x",
1006 	       ntohl(session_key->n[0]), ntohl(session_key->n[1]));
1007 
1008 	ASSERT(rxkad_ci != NULL);
1009 
1010 	mutex_lock(&rxkad_ci_mutex);
1011 	if (crypto_skcipher_setkey(rxkad_ci, session_key->x,
1012 				   sizeof(*session_key)) < 0)
1013 		BUG();
1014 
1015 	memcpy(&iv, session_key, sizeof(iv));
1016 
1017 	rxkad_sg_set_buf2(sg, &resp->encrypted, sizeof(resp->encrypted));
1018 
1019 	skcipher_request_set_tfm(req, rxkad_ci);
1020 	skcipher_request_set_callback(req, 0, NULL, NULL);
1021 	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1022 
1023 	crypto_skcipher_decrypt(req);
1024 	skcipher_request_zero(req);
1025 
1026 	mutex_unlock(&rxkad_ci_mutex);
1027 
1028 	_leave("");
1029 }
1030 
1031 /*
1032  * verify a response
1033  */
1034 static int rxkad_verify_response(struct rxrpc_connection *conn,
1035 				 struct sk_buff *skb,
1036 				 u32 *_abort_code)
1037 {
1038 	struct rxkad_response response
1039 		__attribute__((aligned(8))); /* must be aligned for crypto */
1040 	struct rxrpc_skb_priv *sp;
1041 	struct rxrpc_crypt session_key;
1042 	time_t expiry;
1043 	void *ticket;
1044 	u32 abort_code, version, kvno, ticket_len, level;
1045 	__be32 csum;
1046 	int ret;
1047 
1048 	_enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
1049 
1050 	abort_code = RXKADPACKETSHORT;
1051 	if (skb_copy_bits(skb, 0, &response, sizeof(response)) < 0)
1052 		goto protocol_error;
1053 	if (!pskb_pull(skb, sizeof(response)))
1054 		BUG();
1055 
1056 	version = ntohl(response.version);
1057 	ticket_len = ntohl(response.ticket_len);
1058 	kvno = ntohl(response.kvno);
1059 	sp = rxrpc_skb(skb);
1060 	_proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1061 	       sp->hdr.serial, version, kvno, ticket_len);
1062 
1063 	abort_code = RXKADINCONSISTENCY;
1064 	if (version != RXKAD_VERSION)
1065 		goto protocol_error;
1066 
1067 	abort_code = RXKADTICKETLEN;
1068 	if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1069 		goto protocol_error;
1070 
1071 	abort_code = RXKADUNKNOWNKEY;
1072 	if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1073 		goto protocol_error;
1074 
1075 	/* extract the kerberos ticket and decrypt and decode it */
1076 	ticket = kmalloc(ticket_len, GFP_NOFS);
1077 	if (!ticket)
1078 		return -ENOMEM;
1079 
1080 	abort_code = RXKADPACKETSHORT;
1081 	if (skb_copy_bits(skb, 0, ticket, ticket_len) < 0)
1082 		goto protocol_error_free;
1083 
1084 	ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key,
1085 				   &expiry, &abort_code);
1086 	if (ret < 0) {
1087 		*_abort_code = abort_code;
1088 		kfree(ticket);
1089 		return ret;
1090 	}
1091 
1092 	/* use the session key from inside the ticket to decrypt the
1093 	 * response */
1094 	rxkad_decrypt_response(conn, &response, &session_key);
1095 
1096 	abort_code = RXKADSEALEDINCON;
1097 	if (ntohl(response.encrypted.epoch) != conn->epoch)
1098 		goto protocol_error_free;
1099 	if (ntohl(response.encrypted.cid) != conn->cid)
1100 		goto protocol_error_free;
1101 	if (ntohl(response.encrypted.securityIndex) != conn->security_ix)
1102 		goto protocol_error_free;
1103 	csum = response.encrypted.checksum;
1104 	response.encrypted.checksum = 0;
1105 	rxkad_calc_response_checksum(&response);
1106 	if (response.encrypted.checksum != csum)
1107 		goto protocol_error_free;
1108 
1109 	if (ntohl(response.encrypted.call_id[0]) > INT_MAX ||
1110 	    ntohl(response.encrypted.call_id[1]) > INT_MAX ||
1111 	    ntohl(response.encrypted.call_id[2]) > INT_MAX ||
1112 	    ntohl(response.encrypted.call_id[3]) > INT_MAX)
1113 		goto protocol_error_free;
1114 
1115 	abort_code = RXKADOUTOFSEQUENCE;
1116 	if (ntohl(response.encrypted.inc_nonce) != conn->security_nonce + 1)
1117 		goto protocol_error_free;
1118 
1119 	abort_code = RXKADLEVELFAIL;
1120 	level = ntohl(response.encrypted.level);
1121 	if (level > RXRPC_SECURITY_ENCRYPT)
1122 		goto protocol_error_free;
1123 	conn->security_level = level;
1124 
1125 	/* create a key to hold the security data and expiration time - after
1126 	 * this the connection security can be handled in exactly the same way
1127 	 * as for a client connection */
1128 	ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1129 	if (ret < 0) {
1130 		kfree(ticket);
1131 		return ret;
1132 	}
1133 
1134 	kfree(ticket);
1135 	_leave(" = 0");
1136 	return 0;
1137 
1138 protocol_error_free:
1139 	kfree(ticket);
1140 protocol_error:
1141 	*_abort_code = abort_code;
1142 	_leave(" = -EPROTO [%d]", abort_code);
1143 	return -EPROTO;
1144 }
1145 
1146 /*
1147  * clear the connection security
1148  */
1149 static void rxkad_clear(struct rxrpc_connection *conn)
1150 {
1151 	_enter("");
1152 
1153 	if (conn->cipher)
1154 		crypto_free_skcipher(conn->cipher);
1155 }
1156 
1157 /*
1158  * Initialise the rxkad security service.
1159  */
1160 static int rxkad_init(void)
1161 {
1162 	/* pin the cipher we need so that the crypto layer doesn't invoke
1163 	 * keventd to go get it */
1164 	rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
1165 	return PTR_ERR_OR_ZERO(rxkad_ci);
1166 }
1167 
1168 /*
1169  * Clean up the rxkad security service.
1170  */
1171 static void rxkad_exit(void)
1172 {
1173 	if (rxkad_ci)
1174 		crypto_free_skcipher(rxkad_ci);
1175 }
1176 
1177 /*
1178  * RxRPC Kerberos-based security
1179  */
1180 const struct rxrpc_security rxkad = {
1181 	.name				= "rxkad",
1182 	.security_index			= RXRPC_SECURITY_RXKAD,
1183 	.init				= rxkad_init,
1184 	.exit				= rxkad_exit,
1185 	.init_connection_security	= rxkad_init_connection_security,
1186 	.prime_packet_security		= rxkad_prime_packet_security,
1187 	.secure_packet			= rxkad_secure_packet,
1188 	.verify_packet			= rxkad_verify_packet,
1189 	.issue_challenge		= rxkad_issue_challenge,
1190 	.respond_to_challenge		= rxkad_respond_to_challenge,
1191 	.verify_response		= rxkad_verify_response,
1192 	.clear				= rxkad_clear,
1193 };
1194