xref: /openbmc/linux/net/rxrpc/rxkad.c (revision 8730046c)
1 /* Kerberos-based RxRPC security
2  *
3  * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11 
12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13 
14 #include <crypto/skcipher.h>
15 #include <linux/module.h>
16 #include <linux/net.h>
17 #include <linux/skbuff.h>
18 #include <linux/udp.h>
19 #include <linux/scatterlist.h>
20 #include <linux/ctype.h>
21 #include <linux/slab.h>
22 #include <net/sock.h>
23 #include <net/af_rxrpc.h>
24 #include <keys/rxrpc-type.h>
25 #include "ar-internal.h"
26 
27 #define RXKAD_VERSION			2
28 #define MAXKRB5TICKETLEN		1024
29 #define RXKAD_TKT_TYPE_KERBEROS_V5	256
30 #define ANAME_SZ			40	/* size of authentication name */
31 #define INST_SZ				40	/* size of principal's instance */
32 #define REALM_SZ			40	/* size of principal's auth domain */
33 #define SNAME_SZ			40	/* size of service name */
34 
35 struct rxkad_level1_hdr {
36 	__be32	data_size;	/* true data size (excluding padding) */
37 };
38 
39 struct rxkad_level2_hdr {
40 	__be32	data_size;	/* true data size (excluding padding) */
41 	__be32	checksum;	/* decrypted data checksum */
42 };
43 
44 /*
45  * this holds a pinned cipher so that keventd doesn't get called by the cipher
46  * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
47  * packets
48  */
49 static struct crypto_skcipher *rxkad_ci;
50 static DEFINE_MUTEX(rxkad_ci_mutex);
51 
52 /*
53  * initialise connection security
54  */
55 static int rxkad_init_connection_security(struct rxrpc_connection *conn)
56 {
57 	struct crypto_skcipher *ci;
58 	struct rxrpc_key_token *token;
59 	int ret;
60 
61 	_enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
62 
63 	token = conn->params.key->payload.data[0];
64 	conn->security_ix = token->security_index;
65 
66 	ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
67 	if (IS_ERR(ci)) {
68 		_debug("no cipher");
69 		ret = PTR_ERR(ci);
70 		goto error;
71 	}
72 
73 	if (crypto_skcipher_setkey(ci, token->kad->session_key,
74 				   sizeof(token->kad->session_key)) < 0)
75 		BUG();
76 
77 	switch (conn->params.security_level) {
78 	case RXRPC_SECURITY_PLAIN:
79 		break;
80 	case RXRPC_SECURITY_AUTH:
81 		conn->size_align = 8;
82 		conn->security_size = sizeof(struct rxkad_level1_hdr);
83 		break;
84 	case RXRPC_SECURITY_ENCRYPT:
85 		conn->size_align = 8;
86 		conn->security_size = sizeof(struct rxkad_level2_hdr);
87 		break;
88 	default:
89 		ret = -EKEYREJECTED;
90 		goto error;
91 	}
92 
93 	conn->cipher = ci;
94 	ret = 0;
95 error:
96 	_leave(" = %d", ret);
97 	return ret;
98 }
99 
100 /*
101  * prime the encryption state with the invariant parts of a connection's
102  * description
103  */
104 static int rxkad_prime_packet_security(struct rxrpc_connection *conn)
105 {
106 	struct rxrpc_key_token *token;
107 	SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
108 	struct scatterlist sg;
109 	struct rxrpc_crypt iv;
110 	__be32 *tmpbuf;
111 	size_t tmpsize = 4 * sizeof(__be32);
112 
113 	_enter("");
114 
115 	if (!conn->params.key)
116 		return 0;
117 
118 	tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
119 	if (!tmpbuf)
120 		return -ENOMEM;
121 
122 	token = conn->params.key->payload.data[0];
123 	memcpy(&iv, token->kad->session_key, sizeof(iv));
124 
125 	tmpbuf[0] = htonl(conn->proto.epoch);
126 	tmpbuf[1] = htonl(conn->proto.cid);
127 	tmpbuf[2] = 0;
128 	tmpbuf[3] = htonl(conn->security_ix);
129 
130 	sg_init_one(&sg, tmpbuf, tmpsize);
131 	skcipher_request_set_tfm(req, conn->cipher);
132 	skcipher_request_set_callback(req, 0, NULL, NULL);
133 	skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
134 	crypto_skcipher_encrypt(req);
135 	skcipher_request_zero(req);
136 
137 	memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv));
138 	kfree(tmpbuf);
139 	_leave(" = 0");
140 	return 0;
141 }
142 
143 /*
144  * partially encrypt a packet (level 1 security)
145  */
146 static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
147 				    struct sk_buff *skb,
148 				    u32 data_size,
149 				    void *sechdr)
150 {
151 	struct rxrpc_skb_priv *sp;
152 	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
153 	struct rxkad_level1_hdr hdr;
154 	struct rxrpc_crypt iv;
155 	struct scatterlist sg;
156 	u16 check;
157 
158 	sp = rxrpc_skb(skb);
159 
160 	_enter("");
161 
162 	check = sp->hdr.seq ^ call->call_id;
163 	data_size |= (u32)check << 16;
164 
165 	hdr.data_size = htonl(data_size);
166 	memcpy(sechdr, &hdr, sizeof(hdr));
167 
168 	/* start the encryption afresh */
169 	memset(&iv, 0, sizeof(iv));
170 
171 	sg_init_one(&sg, sechdr, 8);
172 	skcipher_request_set_tfm(req, call->conn->cipher);
173 	skcipher_request_set_callback(req, 0, NULL, NULL);
174 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
175 	crypto_skcipher_encrypt(req);
176 	skcipher_request_zero(req);
177 
178 	_leave(" = 0");
179 	return 0;
180 }
181 
182 /*
183  * wholly encrypt a packet (level 2 security)
184  */
185 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
186 				       struct sk_buff *skb,
187 				       u32 data_size,
188 				       void *sechdr)
189 {
190 	const struct rxrpc_key_token *token;
191 	struct rxkad_level2_hdr rxkhdr;
192 	struct rxrpc_skb_priv *sp;
193 	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
194 	struct rxrpc_crypt iv;
195 	struct scatterlist sg[16];
196 	struct sk_buff *trailer;
197 	unsigned int len;
198 	u16 check;
199 	int nsg;
200 	int err;
201 
202 	sp = rxrpc_skb(skb);
203 
204 	_enter("");
205 
206 	check = sp->hdr.seq ^ call->call_id;
207 
208 	rxkhdr.data_size = htonl(data_size | (u32)check << 16);
209 	rxkhdr.checksum = 0;
210 	memcpy(sechdr, &rxkhdr, sizeof(rxkhdr));
211 
212 	/* encrypt from the session key */
213 	token = call->conn->params.key->payload.data[0];
214 	memcpy(&iv, token->kad->session_key, sizeof(iv));
215 
216 	sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
217 	skcipher_request_set_tfm(req, call->conn->cipher);
218 	skcipher_request_set_callback(req, 0, NULL, NULL);
219 	skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
220 	crypto_skcipher_encrypt(req);
221 
222 	/* we want to encrypt the skbuff in-place */
223 	nsg = skb_cow_data(skb, 0, &trailer);
224 	err = -ENOMEM;
225 	if (nsg < 0 || nsg > 16)
226 		goto out;
227 
228 	len = data_size + call->conn->size_align - 1;
229 	len &= ~(call->conn->size_align - 1);
230 
231 	sg_init_table(sg, nsg);
232 	skb_to_sgvec(skb, sg, 0, len);
233 	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
234 	crypto_skcipher_encrypt(req);
235 
236 	_leave(" = 0");
237 	err = 0;
238 
239 out:
240 	skcipher_request_zero(req);
241 	return err;
242 }
243 
244 /*
245  * checksum an RxRPC packet header
246  */
247 static int rxkad_secure_packet(struct rxrpc_call *call,
248 			       struct sk_buff *skb,
249 			       size_t data_size,
250 			       void *sechdr)
251 {
252 	struct rxrpc_skb_priv *sp;
253 	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
254 	struct rxrpc_crypt iv;
255 	struct scatterlist sg;
256 	u32 x, y;
257 	int ret;
258 
259 	sp = rxrpc_skb(skb);
260 
261 	_enter("{%d{%x}},{#%u},%zu,",
262 	       call->debug_id, key_serial(call->conn->params.key),
263 	       sp->hdr.seq, data_size);
264 
265 	if (!call->conn->cipher)
266 		return 0;
267 
268 	ret = key_validate(call->conn->params.key);
269 	if (ret < 0)
270 		return ret;
271 
272 	/* continue encrypting from where we left off */
273 	memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
274 
275 	/* calculate the security checksum */
276 	x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
277 	x |= sp->hdr.seq & 0x3fffffff;
278 	call->crypto_buf[0] = htonl(call->call_id);
279 	call->crypto_buf[1] = htonl(x);
280 
281 	sg_init_one(&sg, call->crypto_buf, 8);
282 	skcipher_request_set_tfm(req, call->conn->cipher);
283 	skcipher_request_set_callback(req, 0, NULL, NULL);
284 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
285 	crypto_skcipher_encrypt(req);
286 	skcipher_request_zero(req);
287 
288 	y = ntohl(call->crypto_buf[1]);
289 	y = (y >> 16) & 0xffff;
290 	if (y == 0)
291 		y = 1; /* zero checksums are not permitted */
292 	sp->hdr.cksum = y;
293 
294 	switch (call->conn->params.security_level) {
295 	case RXRPC_SECURITY_PLAIN:
296 		ret = 0;
297 		break;
298 	case RXRPC_SECURITY_AUTH:
299 		ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr);
300 		break;
301 	case RXRPC_SECURITY_ENCRYPT:
302 		ret = rxkad_secure_packet_encrypt(call, skb, data_size,
303 						  sechdr);
304 		break;
305 	default:
306 		ret = -EPERM;
307 		break;
308 	}
309 
310 	_leave(" = %d [set %hx]", ret, y);
311 	return ret;
312 }
313 
314 /*
315  * decrypt partial encryption on a packet (level 1 security)
316  */
317 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
318 				 unsigned int offset, unsigned int len,
319 				 rxrpc_seq_t seq)
320 {
321 	struct rxkad_level1_hdr sechdr;
322 	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
323 	struct rxrpc_crypt iv;
324 	struct scatterlist sg[16];
325 	struct sk_buff *trailer;
326 	u32 data_size, buf;
327 	u16 check;
328 	int nsg;
329 
330 	_enter("");
331 
332 	if (len < 8) {
333 		rxrpc_abort_call("V1H", call, seq, RXKADSEALEDINCON, EPROTO);
334 		goto protocol_error;
335 	}
336 
337 	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
338 	 * directly into the target buffer.
339 	 */
340 	nsg = skb_cow_data(skb, 0, &trailer);
341 	if (nsg < 0 || nsg > 16)
342 		goto nomem;
343 
344 	sg_init_table(sg, nsg);
345 	skb_to_sgvec(skb, sg, offset, 8);
346 
347 	/* start the decryption afresh */
348 	memset(&iv, 0, sizeof(iv));
349 
350 	skcipher_request_set_tfm(req, call->conn->cipher);
351 	skcipher_request_set_callback(req, 0, NULL, NULL);
352 	skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
353 	crypto_skcipher_decrypt(req);
354 	skcipher_request_zero(req);
355 
356 	/* Extract the decrypted packet length */
357 	if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
358 		rxrpc_abort_call("XV1", call, seq, RXKADDATALEN, EPROTO);
359 		goto protocol_error;
360 	}
361 	offset += sizeof(sechdr);
362 	len -= sizeof(sechdr);
363 
364 	buf = ntohl(sechdr.data_size);
365 	data_size = buf & 0xffff;
366 
367 	check = buf >> 16;
368 	check ^= seq ^ call->call_id;
369 	check &= 0xffff;
370 	if (check != 0) {
371 		rxrpc_abort_call("V1C", call, seq, RXKADSEALEDINCON, EPROTO);
372 		goto protocol_error;
373 	}
374 
375 	if (data_size > len) {
376 		rxrpc_abort_call("V1L", call, seq, RXKADDATALEN, EPROTO);
377 		goto protocol_error;
378 	}
379 
380 	_leave(" = 0 [dlen=%x]", data_size);
381 	return 0;
382 
383 protocol_error:
384 	rxrpc_send_abort_packet(call);
385 	_leave(" = -EPROTO");
386 	return -EPROTO;
387 
388 nomem:
389 	_leave(" = -ENOMEM");
390 	return -ENOMEM;
391 }
392 
393 /*
394  * wholly decrypt a packet (level 2 security)
395  */
396 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
397 				 unsigned int offset, unsigned int len,
398 				 rxrpc_seq_t seq)
399 {
400 	const struct rxrpc_key_token *token;
401 	struct rxkad_level2_hdr sechdr;
402 	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
403 	struct rxrpc_crypt iv;
404 	struct scatterlist _sg[4], *sg;
405 	struct sk_buff *trailer;
406 	u32 data_size, buf;
407 	u16 check;
408 	int nsg;
409 
410 	_enter(",{%d}", skb->len);
411 
412 	if (len < 8) {
413 		rxrpc_abort_call("V2H", call, seq, RXKADSEALEDINCON, EPROTO);
414 		goto protocol_error;
415 	}
416 
417 	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
418 	 * directly into the target buffer.
419 	 */
420 	nsg = skb_cow_data(skb, 0, &trailer);
421 	if (nsg < 0)
422 		goto nomem;
423 
424 	sg = _sg;
425 	if (unlikely(nsg > 4)) {
426 		sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO);
427 		if (!sg)
428 			goto nomem;
429 	}
430 
431 	sg_init_table(sg, nsg);
432 	skb_to_sgvec(skb, sg, offset, len);
433 
434 	/* decrypt from the session key */
435 	token = call->conn->params.key->payload.data[0];
436 	memcpy(&iv, token->kad->session_key, sizeof(iv));
437 
438 	skcipher_request_set_tfm(req, call->conn->cipher);
439 	skcipher_request_set_callback(req, 0, NULL, NULL);
440 	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
441 	crypto_skcipher_decrypt(req);
442 	skcipher_request_zero(req);
443 	if (sg != _sg)
444 		kfree(sg);
445 
446 	/* Extract the decrypted packet length */
447 	if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
448 		rxrpc_abort_call("XV2", call, seq, RXKADDATALEN, EPROTO);
449 		goto protocol_error;
450 	}
451 	offset += sizeof(sechdr);
452 	len -= sizeof(sechdr);
453 
454 	buf = ntohl(sechdr.data_size);
455 	data_size = buf & 0xffff;
456 
457 	check = buf >> 16;
458 	check ^= seq ^ call->call_id;
459 	check &= 0xffff;
460 	if (check != 0) {
461 		rxrpc_abort_call("V2C", call, seq, RXKADSEALEDINCON, EPROTO);
462 		goto protocol_error;
463 	}
464 
465 	if (data_size > len) {
466 		rxrpc_abort_call("V2L", call, seq, RXKADDATALEN, EPROTO);
467 		goto protocol_error;
468 	}
469 
470 	_leave(" = 0 [dlen=%x]", data_size);
471 	return 0;
472 
473 protocol_error:
474 	rxrpc_send_abort_packet(call);
475 	_leave(" = -EPROTO");
476 	return -EPROTO;
477 
478 nomem:
479 	_leave(" = -ENOMEM");
480 	return -ENOMEM;
481 }
482 
483 /*
484  * Verify the security on a received packet or subpacket (if part of a
485  * jumbo packet).
486  */
487 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb,
488 			       unsigned int offset, unsigned int len,
489 			       rxrpc_seq_t seq, u16 expected_cksum)
490 {
491 	SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
492 	struct rxrpc_crypt iv;
493 	struct scatterlist sg;
494 	u16 cksum;
495 	u32 x, y;
496 
497 	_enter("{%d{%x}},{#%u}",
498 	       call->debug_id, key_serial(call->conn->params.key), seq);
499 
500 	if (!call->conn->cipher)
501 		return 0;
502 
503 	/* continue encrypting from where we left off */
504 	memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
505 
506 	/* validate the security checksum */
507 	x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
508 	x |= seq & 0x3fffffff;
509 	call->crypto_buf[0] = htonl(call->call_id);
510 	call->crypto_buf[1] = htonl(x);
511 
512 	sg_init_one(&sg, call->crypto_buf, 8);
513 	skcipher_request_set_tfm(req, call->conn->cipher);
514 	skcipher_request_set_callback(req, 0, NULL, NULL);
515 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
516 	crypto_skcipher_encrypt(req);
517 	skcipher_request_zero(req);
518 
519 	y = ntohl(call->crypto_buf[1]);
520 	cksum = (y >> 16) & 0xffff;
521 	if (cksum == 0)
522 		cksum = 1; /* zero checksums are not permitted */
523 
524 	if (cksum != expected_cksum) {
525 		rxrpc_abort_call("VCK", call, seq, RXKADSEALEDINCON, EPROTO);
526 		rxrpc_send_abort_packet(call);
527 		_leave(" = -EPROTO [csum failed]");
528 		return -EPROTO;
529 	}
530 
531 	switch (call->conn->params.security_level) {
532 	case RXRPC_SECURITY_PLAIN:
533 		return 0;
534 	case RXRPC_SECURITY_AUTH:
535 		return rxkad_verify_packet_1(call, skb, offset, len, seq);
536 	case RXRPC_SECURITY_ENCRYPT:
537 		return rxkad_verify_packet_2(call, skb, offset, len, seq);
538 	default:
539 		return -ENOANO;
540 	}
541 }
542 
543 /*
544  * Locate the data contained in a packet that was partially encrypted.
545  */
546 static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb,
547 				unsigned int *_offset, unsigned int *_len)
548 {
549 	struct rxkad_level1_hdr sechdr;
550 
551 	if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
552 		BUG();
553 	*_offset += sizeof(sechdr);
554 	*_len = ntohl(sechdr.data_size) & 0xffff;
555 }
556 
557 /*
558  * Locate the data contained in a packet that was completely encrypted.
559  */
560 static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb,
561 				unsigned int *_offset, unsigned int *_len)
562 {
563 	struct rxkad_level2_hdr sechdr;
564 
565 	if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
566 		BUG();
567 	*_offset += sizeof(sechdr);
568 	*_len = ntohl(sechdr.data_size) & 0xffff;
569 }
570 
571 /*
572  * Locate the data contained in an already decrypted packet.
573  */
574 static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb,
575 			      unsigned int *_offset, unsigned int *_len)
576 {
577 	switch (call->conn->params.security_level) {
578 	case RXRPC_SECURITY_AUTH:
579 		rxkad_locate_data_1(call, skb, _offset, _len);
580 		return;
581 	case RXRPC_SECURITY_ENCRYPT:
582 		rxkad_locate_data_2(call, skb, _offset, _len);
583 		return;
584 	default:
585 		return;
586 	}
587 }
588 
589 /*
590  * issue a challenge
591  */
592 static int rxkad_issue_challenge(struct rxrpc_connection *conn)
593 {
594 	struct rxkad_challenge challenge;
595 	struct rxrpc_wire_header whdr;
596 	struct msghdr msg;
597 	struct kvec iov[2];
598 	size_t len;
599 	u32 serial;
600 	int ret;
601 
602 	_enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
603 
604 	ret = key_validate(conn->params.key);
605 	if (ret < 0)
606 		return ret;
607 
608 	get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
609 
610 	challenge.version	= htonl(2);
611 	challenge.nonce		= htonl(conn->security_nonce);
612 	challenge.min_level	= htonl(0);
613 	challenge.__padding	= 0;
614 
615 	msg.msg_name	= &conn->params.peer->srx.transport.sin;
616 	msg.msg_namelen	= sizeof(conn->params.peer->srx.transport.sin);
617 	msg.msg_control	= NULL;
618 	msg.msg_controllen = 0;
619 	msg.msg_flags	= 0;
620 
621 	whdr.epoch	= htonl(conn->proto.epoch);
622 	whdr.cid	= htonl(conn->proto.cid);
623 	whdr.callNumber	= 0;
624 	whdr.seq	= 0;
625 	whdr.type	= RXRPC_PACKET_TYPE_CHALLENGE;
626 	whdr.flags	= conn->out_clientflag;
627 	whdr.userStatus	= 0;
628 	whdr.securityIndex = conn->security_ix;
629 	whdr._rsvd	= 0;
630 	whdr.serviceId	= htons(conn->params.service_id);
631 
632 	iov[0].iov_base	= &whdr;
633 	iov[0].iov_len	= sizeof(whdr);
634 	iov[1].iov_base	= &challenge;
635 	iov[1].iov_len	= sizeof(challenge);
636 
637 	len = iov[0].iov_len + iov[1].iov_len;
638 
639 	serial = atomic_inc_return(&conn->serial);
640 	whdr.serial = htonl(serial);
641 	_proto("Tx CHALLENGE %%%u", serial);
642 
643 	ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
644 	if (ret < 0) {
645 		_debug("sendmsg failed: %d", ret);
646 		return -EAGAIN;
647 	}
648 
649 	_leave(" = 0");
650 	return 0;
651 }
652 
653 /*
654  * send a Kerberos security response
655  */
656 static int rxkad_send_response(struct rxrpc_connection *conn,
657 			       struct rxrpc_host_header *hdr,
658 			       struct rxkad_response *resp,
659 			       const struct rxkad_key *s2)
660 {
661 	struct rxrpc_wire_header whdr;
662 	struct msghdr msg;
663 	struct kvec iov[3];
664 	size_t len;
665 	u32 serial;
666 	int ret;
667 
668 	_enter("");
669 
670 	msg.msg_name	= &conn->params.peer->srx.transport.sin;
671 	msg.msg_namelen	= sizeof(conn->params.peer->srx.transport.sin);
672 	msg.msg_control	= NULL;
673 	msg.msg_controllen = 0;
674 	msg.msg_flags	= 0;
675 
676 	memset(&whdr, 0, sizeof(whdr));
677 	whdr.epoch	= htonl(hdr->epoch);
678 	whdr.cid	= htonl(hdr->cid);
679 	whdr.type	= RXRPC_PACKET_TYPE_RESPONSE;
680 	whdr.flags	= conn->out_clientflag;
681 	whdr.securityIndex = hdr->securityIndex;
682 	whdr.serviceId	= htons(hdr->serviceId);
683 
684 	iov[0].iov_base	= &whdr;
685 	iov[0].iov_len	= sizeof(whdr);
686 	iov[1].iov_base	= resp;
687 	iov[1].iov_len	= sizeof(*resp);
688 	iov[2].iov_base	= (void *)s2->ticket;
689 	iov[2].iov_len	= s2->ticket_len;
690 
691 	len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
692 
693 	serial = atomic_inc_return(&conn->serial);
694 	whdr.serial = htonl(serial);
695 	_proto("Tx RESPONSE %%%u", serial);
696 
697 	ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
698 	if (ret < 0) {
699 		_debug("sendmsg failed: %d", ret);
700 		return -EAGAIN;
701 	}
702 
703 	_leave(" = 0");
704 	return 0;
705 }
706 
707 /*
708  * calculate the response checksum
709  */
710 static void rxkad_calc_response_checksum(struct rxkad_response *response)
711 {
712 	u32 csum = 1000003;
713 	int loop;
714 	u8 *p = (u8 *) response;
715 
716 	for (loop = sizeof(*response); loop > 0; loop--)
717 		csum = csum * 0x10204081 + *p++;
718 
719 	response->encrypted.checksum = htonl(csum);
720 }
721 
722 /*
723  * encrypt the response packet
724  */
725 static void rxkad_encrypt_response(struct rxrpc_connection *conn,
726 				   struct rxkad_response *resp,
727 				   const struct rxkad_key *s2)
728 {
729 	SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
730 	struct rxrpc_crypt iv;
731 	struct scatterlist sg[1];
732 
733 	/* continue encrypting from where we left off */
734 	memcpy(&iv, s2->session_key, sizeof(iv));
735 
736 	sg_init_table(sg, 1);
737 	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
738 	skcipher_request_set_tfm(req, conn->cipher);
739 	skcipher_request_set_callback(req, 0, NULL, NULL);
740 	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
741 	crypto_skcipher_encrypt(req);
742 	skcipher_request_zero(req);
743 }
744 
745 /*
746  * respond to a challenge packet
747  */
748 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
749 				      struct sk_buff *skb,
750 				      u32 *_abort_code)
751 {
752 	const struct rxrpc_key_token *token;
753 	struct rxkad_challenge challenge;
754 	struct rxkad_response resp
755 		__attribute__((aligned(8))); /* must be aligned for crypto */
756 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
757 	u32 version, nonce, min_level, abort_code;
758 	int ret;
759 
760 	_enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
761 
762 	if (!conn->params.key) {
763 		_leave(" = -EPROTO [no key]");
764 		return -EPROTO;
765 	}
766 
767 	ret = key_validate(conn->params.key);
768 	if (ret < 0) {
769 		*_abort_code = RXKADEXPIRED;
770 		return ret;
771 	}
772 
773 	abort_code = RXKADPACKETSHORT;
774 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
775 			  &challenge, sizeof(challenge)) < 0)
776 		goto protocol_error;
777 
778 	version = ntohl(challenge.version);
779 	nonce = ntohl(challenge.nonce);
780 	min_level = ntohl(challenge.min_level);
781 
782 	_proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
783 	       sp->hdr.serial, version, nonce, min_level);
784 
785 	abort_code = RXKADINCONSISTENCY;
786 	if (version != RXKAD_VERSION)
787 		goto protocol_error;
788 
789 	abort_code = RXKADLEVELFAIL;
790 	if (conn->params.security_level < min_level)
791 		goto protocol_error;
792 
793 	token = conn->params.key->payload.data[0];
794 
795 	/* build the response packet */
796 	memset(&resp, 0, sizeof(resp));
797 
798 	resp.version			= htonl(RXKAD_VERSION);
799 	resp.encrypted.epoch		= htonl(conn->proto.epoch);
800 	resp.encrypted.cid		= htonl(conn->proto.cid);
801 	resp.encrypted.securityIndex	= htonl(conn->security_ix);
802 	resp.encrypted.inc_nonce	= htonl(nonce + 1);
803 	resp.encrypted.level		= htonl(conn->params.security_level);
804 	resp.kvno			= htonl(token->kad->kvno);
805 	resp.ticket_len			= htonl(token->kad->ticket_len);
806 
807 	resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
808 	resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
809 	resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
810 	resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
811 
812 	/* calculate the response checksum and then do the encryption */
813 	rxkad_calc_response_checksum(&resp);
814 	rxkad_encrypt_response(conn, &resp, token->kad);
815 	return rxkad_send_response(conn, &sp->hdr, &resp, token->kad);
816 
817 protocol_error:
818 	*_abort_code = abort_code;
819 	_leave(" = -EPROTO [%d]", abort_code);
820 	return -EPROTO;
821 }
822 
823 /*
824  * decrypt the kerberos IV ticket in the response
825  */
826 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
827 				void *ticket, size_t ticket_len,
828 				struct rxrpc_crypt *_session_key,
829 				time_t *_expiry,
830 				u32 *_abort_code)
831 {
832 	struct skcipher_request *req;
833 	struct rxrpc_crypt iv, key;
834 	struct scatterlist sg[1];
835 	struct in_addr addr;
836 	unsigned int life;
837 	time_t issue, now;
838 	bool little_endian;
839 	int ret;
840 	u8 *p, *q, *name, *end;
841 
842 	_enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
843 
844 	*_expiry = 0;
845 
846 	ret = key_validate(conn->server_key);
847 	if (ret < 0) {
848 		switch (ret) {
849 		case -EKEYEXPIRED:
850 			*_abort_code = RXKADEXPIRED;
851 			goto error;
852 		default:
853 			*_abort_code = RXKADNOAUTH;
854 			goto error;
855 		}
856 	}
857 
858 	ASSERT(conn->server_key->payload.data[0] != NULL);
859 	ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
860 
861 	memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
862 
863 	req = skcipher_request_alloc(conn->server_key->payload.data[0],
864 				     GFP_NOFS);
865 	if (!req) {
866 		*_abort_code = RXKADNOAUTH;
867 		ret = -ENOMEM;
868 		goto error;
869 	}
870 
871 	sg_init_one(&sg[0], ticket, ticket_len);
872 	skcipher_request_set_callback(req, 0, NULL, NULL);
873 	skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
874 	crypto_skcipher_decrypt(req);
875 	skcipher_request_free(req);
876 
877 	p = ticket;
878 	end = p + ticket_len;
879 
880 #define Z(size)						\
881 	({						\
882 		u8 *__str = p;				\
883 		q = memchr(p, 0, end - p);		\
884 		if (!q || q - p > (size))		\
885 			goto bad_ticket;		\
886 		for (; p < q; p++)			\
887 			if (!isprint(*p))		\
888 				goto bad_ticket;	\
889 		p++;					\
890 		__str;					\
891 	})
892 
893 	/* extract the ticket flags */
894 	_debug("KIV FLAGS: %x", *p);
895 	little_endian = *p & 1;
896 	p++;
897 
898 	/* extract the authentication name */
899 	name = Z(ANAME_SZ);
900 	_debug("KIV ANAME: %s", name);
901 
902 	/* extract the principal's instance */
903 	name = Z(INST_SZ);
904 	_debug("KIV INST : %s", name);
905 
906 	/* extract the principal's authentication domain */
907 	name = Z(REALM_SZ);
908 	_debug("KIV REALM: %s", name);
909 
910 	if (end - p < 4 + 8 + 4 + 2)
911 		goto bad_ticket;
912 
913 	/* get the IPv4 address of the entity that requested the ticket */
914 	memcpy(&addr, p, sizeof(addr));
915 	p += 4;
916 	_debug("KIV ADDR : %pI4", &addr);
917 
918 	/* get the session key from the ticket */
919 	memcpy(&key, p, sizeof(key));
920 	p += 8;
921 	_debug("KIV KEY  : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
922 	memcpy(_session_key, &key, sizeof(key));
923 
924 	/* get the ticket's lifetime */
925 	life = *p++ * 5 * 60;
926 	_debug("KIV LIFE : %u", life);
927 
928 	/* get the issue time of the ticket */
929 	if (little_endian) {
930 		__le32 stamp;
931 		memcpy(&stamp, p, 4);
932 		issue = le32_to_cpu(stamp);
933 	} else {
934 		__be32 stamp;
935 		memcpy(&stamp, p, 4);
936 		issue = be32_to_cpu(stamp);
937 	}
938 	p += 4;
939 	now = get_seconds();
940 	_debug("KIV ISSUE: %lx [%lx]", issue, now);
941 
942 	/* check the ticket is in date */
943 	if (issue > now) {
944 		*_abort_code = RXKADNOAUTH;
945 		ret = -EKEYREJECTED;
946 		goto error;
947 	}
948 
949 	if (issue < now - life) {
950 		*_abort_code = RXKADEXPIRED;
951 		ret = -EKEYEXPIRED;
952 		goto error;
953 	}
954 
955 	*_expiry = issue + life;
956 
957 	/* get the service name */
958 	name = Z(SNAME_SZ);
959 	_debug("KIV SNAME: %s", name);
960 
961 	/* get the service instance name */
962 	name = Z(INST_SZ);
963 	_debug("KIV SINST: %s", name);
964 
965 	ret = 0;
966 error:
967 	_leave(" = %d", ret);
968 	return ret;
969 
970 bad_ticket:
971 	*_abort_code = RXKADBADTICKET;
972 	ret = -EBADMSG;
973 	goto error;
974 }
975 
976 /*
977  * decrypt the response packet
978  */
979 static void rxkad_decrypt_response(struct rxrpc_connection *conn,
980 				   struct rxkad_response *resp,
981 				   const struct rxrpc_crypt *session_key)
982 {
983 	SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci);
984 	struct scatterlist sg[1];
985 	struct rxrpc_crypt iv;
986 
987 	_enter(",,%08x%08x",
988 	       ntohl(session_key->n[0]), ntohl(session_key->n[1]));
989 
990 	ASSERT(rxkad_ci != NULL);
991 
992 	mutex_lock(&rxkad_ci_mutex);
993 	if (crypto_skcipher_setkey(rxkad_ci, session_key->x,
994 				   sizeof(*session_key)) < 0)
995 		BUG();
996 
997 	memcpy(&iv, session_key, sizeof(iv));
998 
999 	sg_init_table(sg, 1);
1000 	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1001 	skcipher_request_set_tfm(req, rxkad_ci);
1002 	skcipher_request_set_callback(req, 0, NULL, NULL);
1003 	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1004 	crypto_skcipher_decrypt(req);
1005 	skcipher_request_zero(req);
1006 
1007 	mutex_unlock(&rxkad_ci_mutex);
1008 
1009 	_leave("");
1010 }
1011 
1012 /*
1013  * verify a response
1014  */
1015 static int rxkad_verify_response(struct rxrpc_connection *conn,
1016 				 struct sk_buff *skb,
1017 				 u32 *_abort_code)
1018 {
1019 	struct rxkad_response response
1020 		__attribute__((aligned(8))); /* must be aligned for crypto */
1021 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1022 	struct rxrpc_crypt session_key;
1023 	time_t expiry;
1024 	void *ticket;
1025 	u32 abort_code, version, kvno, ticket_len, level;
1026 	__be32 csum;
1027 	int ret, i;
1028 
1029 	_enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
1030 
1031 	abort_code = RXKADPACKETSHORT;
1032 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1033 			  &response, sizeof(response)) < 0)
1034 		goto protocol_error;
1035 	if (!pskb_pull(skb, sizeof(response)))
1036 		BUG();
1037 
1038 	version = ntohl(response.version);
1039 	ticket_len = ntohl(response.ticket_len);
1040 	kvno = ntohl(response.kvno);
1041 	_proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1042 	       sp->hdr.serial, version, kvno, ticket_len);
1043 
1044 	abort_code = RXKADINCONSISTENCY;
1045 	if (version != RXKAD_VERSION)
1046 		goto protocol_error;
1047 
1048 	abort_code = RXKADTICKETLEN;
1049 	if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1050 		goto protocol_error;
1051 
1052 	abort_code = RXKADUNKNOWNKEY;
1053 	if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1054 		goto protocol_error;
1055 
1056 	/* extract the kerberos ticket and decrypt and decode it */
1057 	ticket = kmalloc(ticket_len, GFP_NOFS);
1058 	if (!ticket)
1059 		return -ENOMEM;
1060 
1061 	abort_code = RXKADPACKETSHORT;
1062 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1063 			  ticket, ticket_len) < 0)
1064 		goto protocol_error_free;
1065 
1066 	ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key,
1067 				   &expiry, &abort_code);
1068 	if (ret < 0) {
1069 		*_abort_code = abort_code;
1070 		kfree(ticket);
1071 		return ret;
1072 	}
1073 
1074 	/* use the session key from inside the ticket to decrypt the
1075 	 * response */
1076 	rxkad_decrypt_response(conn, &response, &session_key);
1077 
1078 	abort_code = RXKADSEALEDINCON;
1079 	if (ntohl(response.encrypted.epoch) != conn->proto.epoch)
1080 		goto protocol_error_free;
1081 	if (ntohl(response.encrypted.cid) != conn->proto.cid)
1082 		goto protocol_error_free;
1083 	if (ntohl(response.encrypted.securityIndex) != conn->security_ix)
1084 		goto protocol_error_free;
1085 	csum = response.encrypted.checksum;
1086 	response.encrypted.checksum = 0;
1087 	rxkad_calc_response_checksum(&response);
1088 	if (response.encrypted.checksum != csum)
1089 		goto protocol_error_free;
1090 
1091 	spin_lock(&conn->channel_lock);
1092 	for (i = 0; i < RXRPC_MAXCALLS; i++) {
1093 		struct rxrpc_call *call;
1094 		u32 call_id = ntohl(response.encrypted.call_id[i]);
1095 
1096 		if (call_id > INT_MAX)
1097 			goto protocol_error_unlock;
1098 
1099 		if (call_id < conn->channels[i].call_counter)
1100 			goto protocol_error_unlock;
1101 		if (call_id > conn->channels[i].call_counter) {
1102 			call = rcu_dereference_protected(
1103 				conn->channels[i].call,
1104 				lockdep_is_held(&conn->channel_lock));
1105 			if (call && call->state < RXRPC_CALL_COMPLETE)
1106 				goto protocol_error_unlock;
1107 			conn->channels[i].call_counter = call_id;
1108 		}
1109 	}
1110 	spin_unlock(&conn->channel_lock);
1111 
1112 	abort_code = RXKADOUTOFSEQUENCE;
1113 	if (ntohl(response.encrypted.inc_nonce) != conn->security_nonce + 1)
1114 		goto protocol_error_free;
1115 
1116 	abort_code = RXKADLEVELFAIL;
1117 	level = ntohl(response.encrypted.level);
1118 	if (level > RXRPC_SECURITY_ENCRYPT)
1119 		goto protocol_error_free;
1120 	conn->params.security_level = level;
1121 
1122 	/* create a key to hold the security data and expiration time - after
1123 	 * this the connection security can be handled in exactly the same way
1124 	 * as for a client connection */
1125 	ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1126 	if (ret < 0) {
1127 		kfree(ticket);
1128 		return ret;
1129 	}
1130 
1131 	kfree(ticket);
1132 	_leave(" = 0");
1133 	return 0;
1134 
1135 protocol_error_unlock:
1136 	spin_unlock(&conn->channel_lock);
1137 protocol_error_free:
1138 	kfree(ticket);
1139 protocol_error:
1140 	*_abort_code = abort_code;
1141 	_leave(" = -EPROTO [%d]", abort_code);
1142 	return -EPROTO;
1143 }
1144 
1145 /*
1146  * clear the connection security
1147  */
1148 static void rxkad_clear(struct rxrpc_connection *conn)
1149 {
1150 	_enter("");
1151 
1152 	if (conn->cipher)
1153 		crypto_free_skcipher(conn->cipher);
1154 }
1155 
1156 /*
1157  * Initialise the rxkad security service.
1158  */
1159 static int rxkad_init(void)
1160 {
1161 	/* pin the cipher we need so that the crypto layer doesn't invoke
1162 	 * keventd to go get it */
1163 	rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
1164 	return PTR_ERR_OR_ZERO(rxkad_ci);
1165 }
1166 
1167 /*
1168  * Clean up the rxkad security service.
1169  */
1170 static void rxkad_exit(void)
1171 {
1172 	if (rxkad_ci)
1173 		crypto_free_skcipher(rxkad_ci);
1174 }
1175 
1176 /*
1177  * RxRPC Kerberos-based security
1178  */
1179 const struct rxrpc_security rxkad = {
1180 	.name				= "rxkad",
1181 	.security_index			= RXRPC_SECURITY_RXKAD,
1182 	.init				= rxkad_init,
1183 	.exit				= rxkad_exit,
1184 	.init_connection_security	= rxkad_init_connection_security,
1185 	.prime_packet_security		= rxkad_prime_packet_security,
1186 	.secure_packet			= rxkad_secure_packet,
1187 	.verify_packet			= rxkad_verify_packet,
1188 	.locate_data			= rxkad_locate_data,
1189 	.issue_challenge		= rxkad_issue_challenge,
1190 	.respond_to_challenge		= rxkad_respond_to_challenge,
1191 	.verify_response		= rxkad_verify_response,
1192 	.clear				= rxkad_clear,
1193 };
1194