1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Kerberos-based RxRPC security 3 * 4 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 9 10 #include <crypto/skcipher.h> 11 #include <linux/module.h> 12 #include <linux/net.h> 13 #include <linux/skbuff.h> 14 #include <linux/udp.h> 15 #include <linux/scatterlist.h> 16 #include <linux/ctype.h> 17 #include <linux/slab.h> 18 #include <net/sock.h> 19 #include <net/af_rxrpc.h> 20 #include <keys/rxrpc-type.h> 21 #include "ar-internal.h" 22 23 #define RXKAD_VERSION 2 24 #define MAXKRB5TICKETLEN 1024 25 #define RXKAD_TKT_TYPE_KERBEROS_V5 256 26 #define ANAME_SZ 40 /* size of authentication name */ 27 #define INST_SZ 40 /* size of principal's instance */ 28 #define REALM_SZ 40 /* size of principal's auth domain */ 29 #define SNAME_SZ 40 /* size of service name */ 30 31 struct rxkad_level1_hdr { 32 __be32 data_size; /* true data size (excluding padding) */ 33 }; 34 35 struct rxkad_level2_hdr { 36 __be32 data_size; /* true data size (excluding padding) */ 37 __be32 checksum; /* decrypted data checksum */ 38 }; 39 40 /* 41 * this holds a pinned cipher so that keventd doesn't get called by the cipher 42 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE 43 * packets 44 */ 45 static struct crypto_sync_skcipher *rxkad_ci; 46 static struct skcipher_request *rxkad_ci_req; 47 static DEFINE_MUTEX(rxkad_ci_mutex); 48 49 /* 50 * initialise connection security 51 */ 52 static int rxkad_init_connection_security(struct rxrpc_connection *conn) 53 { 54 struct crypto_sync_skcipher *ci; 55 struct rxrpc_key_token *token; 56 int ret; 57 58 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key)); 59 60 token = conn->params.key->payload.data[0]; 61 conn->security_ix = token->security_index; 62 63 ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0); 64 if (IS_ERR(ci)) { 65 _debug("no cipher"); 66 ret = PTR_ERR(ci); 67 goto error; 68 } 69 70 if (crypto_sync_skcipher_setkey(ci, token->kad->session_key, 71 sizeof(token->kad->session_key)) < 0) 72 BUG(); 73 74 switch (conn->params.security_level) { 75 case RXRPC_SECURITY_PLAIN: 76 break; 77 case RXRPC_SECURITY_AUTH: 78 conn->size_align = 8; 79 conn->security_size = sizeof(struct rxkad_level1_hdr); 80 break; 81 case RXRPC_SECURITY_ENCRYPT: 82 conn->size_align = 8; 83 conn->security_size = sizeof(struct rxkad_level2_hdr); 84 break; 85 default: 86 ret = -EKEYREJECTED; 87 goto error; 88 } 89 90 conn->cipher = ci; 91 ret = 0; 92 error: 93 _leave(" = %d", ret); 94 return ret; 95 } 96 97 /* 98 * prime the encryption state with the invariant parts of a connection's 99 * description 100 */ 101 static int rxkad_prime_packet_security(struct rxrpc_connection *conn) 102 { 103 struct skcipher_request *req; 104 struct rxrpc_key_token *token; 105 struct scatterlist sg; 106 struct rxrpc_crypt iv; 107 __be32 *tmpbuf; 108 size_t tmpsize = 4 * sizeof(__be32); 109 110 _enter(""); 111 112 if (!conn->params.key) 113 return 0; 114 115 tmpbuf = kmalloc(tmpsize, GFP_KERNEL); 116 if (!tmpbuf) 117 return -ENOMEM; 118 119 req = skcipher_request_alloc(&conn->cipher->base, GFP_NOFS); 120 if (!req) { 121 kfree(tmpbuf); 122 return -ENOMEM; 123 } 124 125 token = conn->params.key->payload.data[0]; 126 memcpy(&iv, token->kad->session_key, sizeof(iv)); 127 128 tmpbuf[0] = htonl(conn->proto.epoch); 129 tmpbuf[1] = htonl(conn->proto.cid); 130 tmpbuf[2] = 0; 131 tmpbuf[3] = htonl(conn->security_ix); 132 133 sg_init_one(&sg, tmpbuf, tmpsize); 134 skcipher_request_set_sync_tfm(req, conn->cipher); 135 skcipher_request_set_callback(req, 0, NULL, NULL); 136 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x); 137 crypto_skcipher_encrypt(req); 138 skcipher_request_free(req); 139 140 memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv)); 141 kfree(tmpbuf); 142 _leave(" = 0"); 143 return 0; 144 } 145 146 /* 147 * Allocate and prepare the crypto request on a call. For any particular call, 148 * this is called serially for the packets, so no lock should be necessary. 149 */ 150 static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call) 151 { 152 struct crypto_skcipher *tfm = &call->conn->cipher->base; 153 struct skcipher_request *cipher_req = call->cipher_req; 154 155 if (!cipher_req) { 156 cipher_req = skcipher_request_alloc(tfm, GFP_NOFS); 157 if (!cipher_req) 158 return NULL; 159 call->cipher_req = cipher_req; 160 } 161 162 return cipher_req; 163 } 164 165 /* 166 * Clean up the crypto on a call. 167 */ 168 static void rxkad_free_call_crypto(struct rxrpc_call *call) 169 { 170 if (call->cipher_req) 171 skcipher_request_free(call->cipher_req); 172 call->cipher_req = NULL; 173 } 174 175 /* 176 * partially encrypt a packet (level 1 security) 177 */ 178 static int rxkad_secure_packet_auth(const struct rxrpc_call *call, 179 struct sk_buff *skb, 180 u32 data_size, 181 void *sechdr, 182 struct skcipher_request *req) 183 { 184 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 185 struct rxkad_level1_hdr hdr; 186 struct rxrpc_crypt iv; 187 struct scatterlist sg; 188 u16 check; 189 190 _enter(""); 191 192 check = sp->hdr.seq ^ call->call_id; 193 data_size |= (u32)check << 16; 194 195 hdr.data_size = htonl(data_size); 196 memcpy(sechdr, &hdr, sizeof(hdr)); 197 198 /* start the encryption afresh */ 199 memset(&iv, 0, sizeof(iv)); 200 201 sg_init_one(&sg, sechdr, 8); 202 skcipher_request_set_sync_tfm(req, call->conn->cipher); 203 skcipher_request_set_callback(req, 0, NULL, NULL); 204 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 205 crypto_skcipher_encrypt(req); 206 skcipher_request_zero(req); 207 208 _leave(" = 0"); 209 return 0; 210 } 211 212 /* 213 * wholly encrypt a packet (level 2 security) 214 */ 215 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, 216 struct sk_buff *skb, 217 u32 data_size, 218 void *sechdr, 219 struct skcipher_request *req) 220 { 221 const struct rxrpc_key_token *token; 222 struct rxkad_level2_hdr rxkhdr; 223 struct rxrpc_skb_priv *sp; 224 struct rxrpc_crypt iv; 225 struct scatterlist sg[16]; 226 struct sk_buff *trailer; 227 unsigned int len; 228 u16 check; 229 int nsg; 230 int err; 231 232 sp = rxrpc_skb(skb); 233 234 _enter(""); 235 236 check = sp->hdr.seq ^ call->call_id; 237 238 rxkhdr.data_size = htonl(data_size | (u32)check << 16); 239 rxkhdr.checksum = 0; 240 memcpy(sechdr, &rxkhdr, sizeof(rxkhdr)); 241 242 /* encrypt from the session key */ 243 token = call->conn->params.key->payload.data[0]; 244 memcpy(&iv, token->kad->session_key, sizeof(iv)); 245 246 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr)); 247 skcipher_request_set_sync_tfm(req, call->conn->cipher); 248 skcipher_request_set_callback(req, 0, NULL, NULL); 249 skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x); 250 crypto_skcipher_encrypt(req); 251 252 /* we want to encrypt the skbuff in-place */ 253 nsg = skb_cow_data(skb, 0, &trailer); 254 err = -ENOMEM; 255 if (nsg < 0 || nsg > 16) 256 goto out; 257 258 len = data_size + call->conn->size_align - 1; 259 len &= ~(call->conn->size_align - 1); 260 261 sg_init_table(sg, nsg); 262 err = skb_to_sgvec(skb, sg, 0, len); 263 if (unlikely(err < 0)) 264 goto out; 265 skcipher_request_set_crypt(req, sg, sg, len, iv.x); 266 crypto_skcipher_encrypt(req); 267 268 _leave(" = 0"); 269 err = 0; 270 271 out: 272 skcipher_request_zero(req); 273 return err; 274 } 275 276 /* 277 * checksum an RxRPC packet header 278 */ 279 static int rxkad_secure_packet(struct rxrpc_call *call, 280 struct sk_buff *skb, 281 size_t data_size, 282 void *sechdr) 283 { 284 struct rxrpc_skb_priv *sp; 285 struct skcipher_request *req; 286 struct rxrpc_crypt iv; 287 struct scatterlist sg; 288 u32 x, y; 289 int ret; 290 291 sp = rxrpc_skb(skb); 292 293 _enter("{%d{%x}},{#%u},%zu,", 294 call->debug_id, key_serial(call->conn->params.key), 295 sp->hdr.seq, data_size); 296 297 if (!call->conn->cipher) 298 return 0; 299 300 ret = key_validate(call->conn->params.key); 301 if (ret < 0) 302 return ret; 303 304 req = rxkad_get_call_crypto(call); 305 if (!req) 306 return -ENOMEM; 307 308 /* continue encrypting from where we left off */ 309 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 310 311 /* calculate the security checksum */ 312 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 313 x |= sp->hdr.seq & 0x3fffffff; 314 call->crypto_buf[0] = htonl(call->call_id); 315 call->crypto_buf[1] = htonl(x); 316 317 sg_init_one(&sg, call->crypto_buf, 8); 318 skcipher_request_set_sync_tfm(req, call->conn->cipher); 319 skcipher_request_set_callback(req, 0, NULL, NULL); 320 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 321 crypto_skcipher_encrypt(req); 322 skcipher_request_zero(req); 323 324 y = ntohl(call->crypto_buf[1]); 325 y = (y >> 16) & 0xffff; 326 if (y == 0) 327 y = 1; /* zero checksums are not permitted */ 328 sp->hdr.cksum = y; 329 330 switch (call->conn->params.security_level) { 331 case RXRPC_SECURITY_PLAIN: 332 ret = 0; 333 break; 334 case RXRPC_SECURITY_AUTH: 335 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr, 336 req); 337 break; 338 case RXRPC_SECURITY_ENCRYPT: 339 ret = rxkad_secure_packet_encrypt(call, skb, data_size, 340 sechdr, req); 341 break; 342 default: 343 ret = -EPERM; 344 break; 345 } 346 347 _leave(" = %d [set %hx]", ret, y); 348 return ret; 349 } 350 351 /* 352 * decrypt partial encryption on a packet (level 1 security) 353 */ 354 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb, 355 unsigned int offset, unsigned int len, 356 rxrpc_seq_t seq, 357 struct skcipher_request *req) 358 { 359 struct rxkad_level1_hdr sechdr; 360 struct rxrpc_crypt iv; 361 struct scatterlist sg[16]; 362 struct sk_buff *trailer; 363 bool aborted; 364 u32 data_size, buf; 365 u16 check; 366 int nsg, ret; 367 368 _enter(""); 369 370 if (len < 8) { 371 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_hdr", "V1H", 372 RXKADSEALEDINCON); 373 goto protocol_error; 374 } 375 376 /* Decrypt the skbuff in-place. TODO: We really want to decrypt 377 * directly into the target buffer. 378 */ 379 nsg = skb_cow_data(skb, 0, &trailer); 380 if (nsg < 0 || nsg > 16) 381 goto nomem; 382 383 sg_init_table(sg, nsg); 384 ret = skb_to_sgvec(skb, sg, offset, 8); 385 if (unlikely(ret < 0)) 386 return ret; 387 388 /* start the decryption afresh */ 389 memset(&iv, 0, sizeof(iv)); 390 391 skcipher_request_set_sync_tfm(req, call->conn->cipher); 392 skcipher_request_set_callback(req, 0, NULL, NULL); 393 skcipher_request_set_crypt(req, sg, sg, 8, iv.x); 394 crypto_skcipher_decrypt(req); 395 skcipher_request_zero(req); 396 397 /* Extract the decrypted packet length */ 398 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) { 399 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_len", "XV1", 400 RXKADDATALEN); 401 goto protocol_error; 402 } 403 offset += sizeof(sechdr); 404 len -= sizeof(sechdr); 405 406 buf = ntohl(sechdr.data_size); 407 data_size = buf & 0xffff; 408 409 check = buf >> 16; 410 check ^= seq ^ call->call_id; 411 check &= 0xffff; 412 if (check != 0) { 413 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_check", "V1C", 414 RXKADSEALEDINCON); 415 goto protocol_error; 416 } 417 418 if (data_size > len) { 419 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_datalen", "V1L", 420 RXKADDATALEN); 421 goto protocol_error; 422 } 423 424 _leave(" = 0 [dlen=%x]", data_size); 425 return 0; 426 427 protocol_error: 428 if (aborted) 429 rxrpc_send_abort_packet(call); 430 return -EPROTO; 431 432 nomem: 433 _leave(" = -ENOMEM"); 434 return -ENOMEM; 435 } 436 437 /* 438 * wholly decrypt a packet (level 2 security) 439 */ 440 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb, 441 unsigned int offset, unsigned int len, 442 rxrpc_seq_t seq, 443 struct skcipher_request *req) 444 { 445 const struct rxrpc_key_token *token; 446 struct rxkad_level2_hdr sechdr; 447 struct rxrpc_crypt iv; 448 struct scatterlist _sg[4], *sg; 449 struct sk_buff *trailer; 450 bool aborted; 451 u32 data_size, buf; 452 u16 check; 453 int nsg, ret; 454 455 _enter(",{%d}", skb->len); 456 457 if (len < 8) { 458 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_hdr", "V2H", 459 RXKADSEALEDINCON); 460 goto protocol_error; 461 } 462 463 /* Decrypt the skbuff in-place. TODO: We really want to decrypt 464 * directly into the target buffer. 465 */ 466 nsg = skb_cow_data(skb, 0, &trailer); 467 if (nsg < 0) 468 goto nomem; 469 470 sg = _sg; 471 if (unlikely(nsg > 4)) { 472 sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO); 473 if (!sg) 474 goto nomem; 475 } 476 477 sg_init_table(sg, nsg); 478 ret = skb_to_sgvec(skb, sg, offset, len); 479 if (unlikely(ret < 0)) { 480 if (sg != _sg) 481 kfree(sg); 482 return ret; 483 } 484 485 /* decrypt from the session key */ 486 token = call->conn->params.key->payload.data[0]; 487 memcpy(&iv, token->kad->session_key, sizeof(iv)); 488 489 skcipher_request_set_sync_tfm(req, call->conn->cipher); 490 skcipher_request_set_callback(req, 0, NULL, NULL); 491 skcipher_request_set_crypt(req, sg, sg, len, iv.x); 492 crypto_skcipher_decrypt(req); 493 skcipher_request_zero(req); 494 if (sg != _sg) 495 kfree(sg); 496 497 /* Extract the decrypted packet length */ 498 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) { 499 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_len", "XV2", 500 RXKADDATALEN); 501 goto protocol_error; 502 } 503 offset += sizeof(sechdr); 504 len -= sizeof(sechdr); 505 506 buf = ntohl(sechdr.data_size); 507 data_size = buf & 0xffff; 508 509 check = buf >> 16; 510 check ^= seq ^ call->call_id; 511 check &= 0xffff; 512 if (check != 0) { 513 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_check", "V2C", 514 RXKADSEALEDINCON); 515 goto protocol_error; 516 } 517 518 if (data_size > len) { 519 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_datalen", "V2L", 520 RXKADDATALEN); 521 goto protocol_error; 522 } 523 524 _leave(" = 0 [dlen=%x]", data_size); 525 return 0; 526 527 protocol_error: 528 if (aborted) 529 rxrpc_send_abort_packet(call); 530 return -EPROTO; 531 532 nomem: 533 _leave(" = -ENOMEM"); 534 return -ENOMEM; 535 } 536 537 /* 538 * Verify the security on a received packet or subpacket (if part of a 539 * jumbo packet). 540 */ 541 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb, 542 unsigned int offset, unsigned int len, 543 rxrpc_seq_t seq, u16 expected_cksum) 544 { 545 struct skcipher_request *req; 546 struct rxrpc_crypt iv; 547 struct scatterlist sg; 548 bool aborted; 549 u16 cksum; 550 u32 x, y; 551 552 _enter("{%d{%x}},{#%u}", 553 call->debug_id, key_serial(call->conn->params.key), seq); 554 555 if (!call->conn->cipher) 556 return 0; 557 558 req = rxkad_get_call_crypto(call); 559 if (!req) 560 return -ENOMEM; 561 562 /* continue encrypting from where we left off */ 563 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 564 565 /* validate the security checksum */ 566 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 567 x |= seq & 0x3fffffff; 568 call->crypto_buf[0] = htonl(call->call_id); 569 call->crypto_buf[1] = htonl(x); 570 571 sg_init_one(&sg, call->crypto_buf, 8); 572 skcipher_request_set_sync_tfm(req, call->conn->cipher); 573 skcipher_request_set_callback(req, 0, NULL, NULL); 574 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 575 crypto_skcipher_encrypt(req); 576 skcipher_request_zero(req); 577 578 y = ntohl(call->crypto_buf[1]); 579 cksum = (y >> 16) & 0xffff; 580 if (cksum == 0) 581 cksum = 1; /* zero checksums are not permitted */ 582 583 if (cksum != expected_cksum) { 584 aborted = rxrpc_abort_eproto(call, skb, "rxkad_csum", "VCK", 585 RXKADSEALEDINCON); 586 goto protocol_error; 587 } 588 589 switch (call->conn->params.security_level) { 590 case RXRPC_SECURITY_PLAIN: 591 return 0; 592 case RXRPC_SECURITY_AUTH: 593 return rxkad_verify_packet_1(call, skb, offset, len, seq, req); 594 case RXRPC_SECURITY_ENCRYPT: 595 return rxkad_verify_packet_2(call, skb, offset, len, seq, req); 596 default: 597 return -ENOANO; 598 } 599 600 protocol_error: 601 if (aborted) 602 rxrpc_send_abort_packet(call); 603 return -EPROTO; 604 } 605 606 /* 607 * Locate the data contained in a packet that was partially encrypted. 608 */ 609 static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb, 610 unsigned int *_offset, unsigned int *_len) 611 { 612 struct rxkad_level1_hdr sechdr; 613 614 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0) 615 BUG(); 616 *_offset += sizeof(sechdr); 617 *_len = ntohl(sechdr.data_size) & 0xffff; 618 } 619 620 /* 621 * Locate the data contained in a packet that was completely encrypted. 622 */ 623 static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb, 624 unsigned int *_offset, unsigned int *_len) 625 { 626 struct rxkad_level2_hdr sechdr; 627 628 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0) 629 BUG(); 630 *_offset += sizeof(sechdr); 631 *_len = ntohl(sechdr.data_size) & 0xffff; 632 } 633 634 /* 635 * Locate the data contained in an already decrypted packet. 636 */ 637 static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb, 638 unsigned int *_offset, unsigned int *_len) 639 { 640 switch (call->conn->params.security_level) { 641 case RXRPC_SECURITY_AUTH: 642 rxkad_locate_data_1(call, skb, _offset, _len); 643 return; 644 case RXRPC_SECURITY_ENCRYPT: 645 rxkad_locate_data_2(call, skb, _offset, _len); 646 return; 647 default: 648 return; 649 } 650 } 651 652 /* 653 * issue a challenge 654 */ 655 static int rxkad_issue_challenge(struct rxrpc_connection *conn) 656 { 657 struct rxkad_challenge challenge; 658 struct rxrpc_wire_header whdr; 659 struct msghdr msg; 660 struct kvec iov[2]; 661 size_t len; 662 u32 serial; 663 int ret; 664 665 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key)); 666 667 ret = key_validate(conn->params.key); 668 if (ret < 0) 669 return ret; 670 671 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce)); 672 673 challenge.version = htonl(2); 674 challenge.nonce = htonl(conn->security_nonce); 675 challenge.min_level = htonl(0); 676 challenge.__padding = 0; 677 678 msg.msg_name = &conn->params.peer->srx.transport; 679 msg.msg_namelen = conn->params.peer->srx.transport_len; 680 msg.msg_control = NULL; 681 msg.msg_controllen = 0; 682 msg.msg_flags = 0; 683 684 whdr.epoch = htonl(conn->proto.epoch); 685 whdr.cid = htonl(conn->proto.cid); 686 whdr.callNumber = 0; 687 whdr.seq = 0; 688 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE; 689 whdr.flags = conn->out_clientflag; 690 whdr.userStatus = 0; 691 whdr.securityIndex = conn->security_ix; 692 whdr._rsvd = 0; 693 whdr.serviceId = htons(conn->service_id); 694 695 iov[0].iov_base = &whdr; 696 iov[0].iov_len = sizeof(whdr); 697 iov[1].iov_base = &challenge; 698 iov[1].iov_len = sizeof(challenge); 699 700 len = iov[0].iov_len + iov[1].iov_len; 701 702 serial = atomic_inc_return(&conn->serial); 703 whdr.serial = htonl(serial); 704 _proto("Tx CHALLENGE %%%u", serial); 705 706 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len); 707 if (ret < 0) { 708 trace_rxrpc_tx_fail(conn->debug_id, serial, ret, 709 rxrpc_tx_point_rxkad_challenge); 710 return -EAGAIN; 711 } 712 713 conn->params.peer->last_tx_at = ktime_get_seconds(); 714 trace_rxrpc_tx_packet(conn->debug_id, &whdr, 715 rxrpc_tx_point_rxkad_challenge); 716 _leave(" = 0"); 717 return 0; 718 } 719 720 /* 721 * send a Kerberos security response 722 */ 723 static int rxkad_send_response(struct rxrpc_connection *conn, 724 struct rxrpc_host_header *hdr, 725 struct rxkad_response *resp, 726 const struct rxkad_key *s2) 727 { 728 struct rxrpc_wire_header whdr; 729 struct msghdr msg; 730 struct kvec iov[3]; 731 size_t len; 732 u32 serial; 733 int ret; 734 735 _enter(""); 736 737 msg.msg_name = &conn->params.peer->srx.transport; 738 msg.msg_namelen = conn->params.peer->srx.transport_len; 739 msg.msg_control = NULL; 740 msg.msg_controllen = 0; 741 msg.msg_flags = 0; 742 743 memset(&whdr, 0, sizeof(whdr)); 744 whdr.epoch = htonl(hdr->epoch); 745 whdr.cid = htonl(hdr->cid); 746 whdr.type = RXRPC_PACKET_TYPE_RESPONSE; 747 whdr.flags = conn->out_clientflag; 748 whdr.securityIndex = hdr->securityIndex; 749 whdr.serviceId = htons(hdr->serviceId); 750 751 iov[0].iov_base = &whdr; 752 iov[0].iov_len = sizeof(whdr); 753 iov[1].iov_base = resp; 754 iov[1].iov_len = sizeof(*resp); 755 iov[2].iov_base = (void *)s2->ticket; 756 iov[2].iov_len = s2->ticket_len; 757 758 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len; 759 760 serial = atomic_inc_return(&conn->serial); 761 whdr.serial = htonl(serial); 762 _proto("Tx RESPONSE %%%u", serial); 763 764 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len); 765 if (ret < 0) { 766 trace_rxrpc_tx_fail(conn->debug_id, serial, ret, 767 rxrpc_tx_point_rxkad_response); 768 return -EAGAIN; 769 } 770 771 conn->params.peer->last_tx_at = ktime_get_seconds(); 772 _leave(" = 0"); 773 return 0; 774 } 775 776 /* 777 * calculate the response checksum 778 */ 779 static void rxkad_calc_response_checksum(struct rxkad_response *response) 780 { 781 u32 csum = 1000003; 782 int loop; 783 u8 *p = (u8 *) response; 784 785 for (loop = sizeof(*response); loop > 0; loop--) 786 csum = csum * 0x10204081 + *p++; 787 788 response->encrypted.checksum = htonl(csum); 789 } 790 791 /* 792 * encrypt the response packet 793 */ 794 static int rxkad_encrypt_response(struct rxrpc_connection *conn, 795 struct rxkad_response *resp, 796 const struct rxkad_key *s2) 797 { 798 struct skcipher_request *req; 799 struct rxrpc_crypt iv; 800 struct scatterlist sg[1]; 801 802 req = skcipher_request_alloc(&conn->cipher->base, GFP_NOFS); 803 if (!req) 804 return -ENOMEM; 805 806 /* continue encrypting from where we left off */ 807 memcpy(&iv, s2->session_key, sizeof(iv)); 808 809 sg_init_table(sg, 1); 810 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 811 skcipher_request_set_sync_tfm(req, conn->cipher); 812 skcipher_request_set_callback(req, 0, NULL, NULL); 813 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 814 crypto_skcipher_encrypt(req); 815 skcipher_request_free(req); 816 return 0; 817 } 818 819 /* 820 * respond to a challenge packet 821 */ 822 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn, 823 struct sk_buff *skb, 824 u32 *_abort_code) 825 { 826 const struct rxrpc_key_token *token; 827 struct rxkad_challenge challenge; 828 struct rxkad_response *resp; 829 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 830 const char *eproto; 831 u32 version, nonce, min_level, abort_code; 832 int ret; 833 834 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key)); 835 836 eproto = tracepoint_string("chall_no_key"); 837 abort_code = RX_PROTOCOL_ERROR; 838 if (!conn->params.key) 839 goto protocol_error; 840 841 abort_code = RXKADEXPIRED; 842 ret = key_validate(conn->params.key); 843 if (ret < 0) 844 goto other_error; 845 846 eproto = tracepoint_string("chall_short"); 847 abort_code = RXKADPACKETSHORT; 848 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 849 &challenge, sizeof(challenge)) < 0) 850 goto protocol_error; 851 852 version = ntohl(challenge.version); 853 nonce = ntohl(challenge.nonce); 854 min_level = ntohl(challenge.min_level); 855 856 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }", 857 sp->hdr.serial, version, nonce, min_level); 858 859 eproto = tracepoint_string("chall_ver"); 860 abort_code = RXKADINCONSISTENCY; 861 if (version != RXKAD_VERSION) 862 goto protocol_error; 863 864 abort_code = RXKADLEVELFAIL; 865 ret = -EACCES; 866 if (conn->params.security_level < min_level) 867 goto other_error; 868 869 token = conn->params.key->payload.data[0]; 870 871 /* build the response packet */ 872 resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS); 873 if (!resp) 874 return -ENOMEM; 875 876 resp->version = htonl(RXKAD_VERSION); 877 resp->encrypted.epoch = htonl(conn->proto.epoch); 878 resp->encrypted.cid = htonl(conn->proto.cid); 879 resp->encrypted.securityIndex = htonl(conn->security_ix); 880 resp->encrypted.inc_nonce = htonl(nonce + 1); 881 resp->encrypted.level = htonl(conn->params.security_level); 882 resp->kvno = htonl(token->kad->kvno); 883 resp->ticket_len = htonl(token->kad->ticket_len); 884 resp->encrypted.call_id[0] = htonl(conn->channels[0].call_counter); 885 resp->encrypted.call_id[1] = htonl(conn->channels[1].call_counter); 886 resp->encrypted.call_id[2] = htonl(conn->channels[2].call_counter); 887 resp->encrypted.call_id[3] = htonl(conn->channels[3].call_counter); 888 889 /* calculate the response checksum and then do the encryption */ 890 rxkad_calc_response_checksum(resp); 891 ret = rxkad_encrypt_response(conn, resp, token->kad); 892 if (ret == 0) 893 ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad); 894 kfree(resp); 895 return ret; 896 897 protocol_error: 898 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto); 899 ret = -EPROTO; 900 other_error: 901 *_abort_code = abort_code; 902 return ret; 903 } 904 905 /* 906 * decrypt the kerberos IV ticket in the response 907 */ 908 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn, 909 struct sk_buff *skb, 910 void *ticket, size_t ticket_len, 911 struct rxrpc_crypt *_session_key, 912 time64_t *_expiry, 913 u32 *_abort_code) 914 { 915 struct skcipher_request *req; 916 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 917 struct rxrpc_crypt iv, key; 918 struct scatterlist sg[1]; 919 struct in_addr addr; 920 unsigned int life; 921 const char *eproto; 922 time64_t issue, now; 923 bool little_endian; 924 int ret; 925 u32 abort_code; 926 u8 *p, *q, *name, *end; 927 928 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key)); 929 930 *_expiry = 0; 931 932 ret = key_validate(conn->server_key); 933 if (ret < 0) { 934 switch (ret) { 935 case -EKEYEXPIRED: 936 abort_code = RXKADEXPIRED; 937 goto other_error; 938 default: 939 abort_code = RXKADNOAUTH; 940 goto other_error; 941 } 942 } 943 944 ASSERT(conn->server_key->payload.data[0] != NULL); 945 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0); 946 947 memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv)); 948 949 ret = -ENOMEM; 950 req = skcipher_request_alloc(conn->server_key->payload.data[0], 951 GFP_NOFS); 952 if (!req) 953 goto temporary_error; 954 955 sg_init_one(&sg[0], ticket, ticket_len); 956 skcipher_request_set_callback(req, 0, NULL, NULL); 957 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x); 958 crypto_skcipher_decrypt(req); 959 skcipher_request_free(req); 960 961 p = ticket; 962 end = p + ticket_len; 963 964 #define Z(field) \ 965 ({ \ 966 u8 *__str = p; \ 967 eproto = tracepoint_string("rxkad_bad_"#field); \ 968 q = memchr(p, 0, end - p); \ 969 if (!q || q - p > (field##_SZ)) \ 970 goto bad_ticket; \ 971 for (; p < q; p++) \ 972 if (!isprint(*p)) \ 973 goto bad_ticket; \ 974 p++; \ 975 __str; \ 976 }) 977 978 /* extract the ticket flags */ 979 _debug("KIV FLAGS: %x", *p); 980 little_endian = *p & 1; 981 p++; 982 983 /* extract the authentication name */ 984 name = Z(ANAME); 985 _debug("KIV ANAME: %s", name); 986 987 /* extract the principal's instance */ 988 name = Z(INST); 989 _debug("KIV INST : %s", name); 990 991 /* extract the principal's authentication domain */ 992 name = Z(REALM); 993 _debug("KIV REALM: %s", name); 994 995 eproto = tracepoint_string("rxkad_bad_len"); 996 if (end - p < 4 + 8 + 4 + 2) 997 goto bad_ticket; 998 999 /* get the IPv4 address of the entity that requested the ticket */ 1000 memcpy(&addr, p, sizeof(addr)); 1001 p += 4; 1002 _debug("KIV ADDR : %pI4", &addr); 1003 1004 /* get the session key from the ticket */ 1005 memcpy(&key, p, sizeof(key)); 1006 p += 8; 1007 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1])); 1008 memcpy(_session_key, &key, sizeof(key)); 1009 1010 /* get the ticket's lifetime */ 1011 life = *p++ * 5 * 60; 1012 _debug("KIV LIFE : %u", life); 1013 1014 /* get the issue time of the ticket */ 1015 if (little_endian) { 1016 __le32 stamp; 1017 memcpy(&stamp, p, 4); 1018 issue = rxrpc_u32_to_time64(le32_to_cpu(stamp)); 1019 } else { 1020 __be32 stamp; 1021 memcpy(&stamp, p, 4); 1022 issue = rxrpc_u32_to_time64(be32_to_cpu(stamp)); 1023 } 1024 p += 4; 1025 now = ktime_get_real_seconds(); 1026 _debug("KIV ISSUE: %llx [%llx]", issue, now); 1027 1028 /* check the ticket is in date */ 1029 if (issue > now) { 1030 abort_code = RXKADNOAUTH; 1031 ret = -EKEYREJECTED; 1032 goto other_error; 1033 } 1034 1035 if (issue < now - life) { 1036 abort_code = RXKADEXPIRED; 1037 ret = -EKEYEXPIRED; 1038 goto other_error; 1039 } 1040 1041 *_expiry = issue + life; 1042 1043 /* get the service name */ 1044 name = Z(SNAME); 1045 _debug("KIV SNAME: %s", name); 1046 1047 /* get the service instance name */ 1048 name = Z(INST); 1049 _debug("KIV SINST: %s", name); 1050 return 0; 1051 1052 bad_ticket: 1053 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto); 1054 abort_code = RXKADBADTICKET; 1055 ret = -EPROTO; 1056 other_error: 1057 *_abort_code = abort_code; 1058 return ret; 1059 temporary_error: 1060 return ret; 1061 } 1062 1063 /* 1064 * decrypt the response packet 1065 */ 1066 static void rxkad_decrypt_response(struct rxrpc_connection *conn, 1067 struct rxkad_response *resp, 1068 const struct rxrpc_crypt *session_key) 1069 { 1070 struct skcipher_request *req = rxkad_ci_req; 1071 struct scatterlist sg[1]; 1072 struct rxrpc_crypt iv; 1073 1074 _enter(",,%08x%08x", 1075 ntohl(session_key->n[0]), ntohl(session_key->n[1])); 1076 1077 mutex_lock(&rxkad_ci_mutex); 1078 if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x, 1079 sizeof(*session_key)) < 0) 1080 BUG(); 1081 1082 memcpy(&iv, session_key, sizeof(iv)); 1083 1084 sg_init_table(sg, 1); 1085 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 1086 skcipher_request_set_sync_tfm(req, rxkad_ci); 1087 skcipher_request_set_callback(req, 0, NULL, NULL); 1088 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 1089 crypto_skcipher_decrypt(req); 1090 skcipher_request_zero(req); 1091 1092 mutex_unlock(&rxkad_ci_mutex); 1093 1094 _leave(""); 1095 } 1096 1097 /* 1098 * verify a response 1099 */ 1100 static int rxkad_verify_response(struct rxrpc_connection *conn, 1101 struct sk_buff *skb, 1102 u32 *_abort_code) 1103 { 1104 struct rxkad_response *response; 1105 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 1106 struct rxrpc_crypt session_key; 1107 const char *eproto; 1108 time64_t expiry; 1109 void *ticket; 1110 u32 abort_code, version, kvno, ticket_len, level; 1111 __be32 csum; 1112 int ret, i; 1113 1114 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key)); 1115 1116 ret = -ENOMEM; 1117 response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS); 1118 if (!response) 1119 goto temporary_error; 1120 1121 eproto = tracepoint_string("rxkad_rsp_short"); 1122 abort_code = RXKADPACKETSHORT; 1123 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 1124 response, sizeof(*response)) < 0) 1125 goto protocol_error; 1126 if (!pskb_pull(skb, sizeof(*response))) 1127 BUG(); 1128 1129 version = ntohl(response->version); 1130 ticket_len = ntohl(response->ticket_len); 1131 kvno = ntohl(response->kvno); 1132 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }", 1133 sp->hdr.serial, version, kvno, ticket_len); 1134 1135 eproto = tracepoint_string("rxkad_rsp_ver"); 1136 abort_code = RXKADINCONSISTENCY; 1137 if (version != RXKAD_VERSION) 1138 goto protocol_error; 1139 1140 eproto = tracepoint_string("rxkad_rsp_tktlen"); 1141 abort_code = RXKADTICKETLEN; 1142 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) 1143 goto protocol_error; 1144 1145 eproto = tracepoint_string("rxkad_rsp_unkkey"); 1146 abort_code = RXKADUNKNOWNKEY; 1147 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) 1148 goto protocol_error; 1149 1150 /* extract the kerberos ticket and decrypt and decode it */ 1151 ret = -ENOMEM; 1152 ticket = kmalloc(ticket_len, GFP_NOFS); 1153 if (!ticket) 1154 goto temporary_error; 1155 1156 eproto = tracepoint_string("rxkad_tkt_short"); 1157 abort_code = RXKADPACKETSHORT; 1158 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 1159 ticket, ticket_len) < 0) 1160 goto protocol_error_free; 1161 1162 ret = rxkad_decrypt_ticket(conn, skb, ticket, ticket_len, &session_key, 1163 &expiry, _abort_code); 1164 if (ret < 0) 1165 goto temporary_error_free_resp; 1166 1167 /* use the session key from inside the ticket to decrypt the 1168 * response */ 1169 rxkad_decrypt_response(conn, response, &session_key); 1170 1171 eproto = tracepoint_string("rxkad_rsp_param"); 1172 abort_code = RXKADSEALEDINCON; 1173 if (ntohl(response->encrypted.epoch) != conn->proto.epoch) 1174 goto protocol_error_free; 1175 if (ntohl(response->encrypted.cid) != conn->proto.cid) 1176 goto protocol_error_free; 1177 if (ntohl(response->encrypted.securityIndex) != conn->security_ix) 1178 goto protocol_error_free; 1179 csum = response->encrypted.checksum; 1180 response->encrypted.checksum = 0; 1181 rxkad_calc_response_checksum(response); 1182 eproto = tracepoint_string("rxkad_rsp_csum"); 1183 if (response->encrypted.checksum != csum) 1184 goto protocol_error_free; 1185 1186 spin_lock(&conn->channel_lock); 1187 for (i = 0; i < RXRPC_MAXCALLS; i++) { 1188 struct rxrpc_call *call; 1189 u32 call_id = ntohl(response->encrypted.call_id[i]); 1190 1191 eproto = tracepoint_string("rxkad_rsp_callid"); 1192 if (call_id > INT_MAX) 1193 goto protocol_error_unlock; 1194 1195 eproto = tracepoint_string("rxkad_rsp_callctr"); 1196 if (call_id < conn->channels[i].call_counter) 1197 goto protocol_error_unlock; 1198 1199 eproto = tracepoint_string("rxkad_rsp_callst"); 1200 if (call_id > conn->channels[i].call_counter) { 1201 call = rcu_dereference_protected( 1202 conn->channels[i].call, 1203 lockdep_is_held(&conn->channel_lock)); 1204 if (call && call->state < RXRPC_CALL_COMPLETE) 1205 goto protocol_error_unlock; 1206 conn->channels[i].call_counter = call_id; 1207 } 1208 } 1209 spin_unlock(&conn->channel_lock); 1210 1211 eproto = tracepoint_string("rxkad_rsp_seq"); 1212 abort_code = RXKADOUTOFSEQUENCE; 1213 if (ntohl(response->encrypted.inc_nonce) != conn->security_nonce + 1) 1214 goto protocol_error_free; 1215 1216 eproto = tracepoint_string("rxkad_rsp_level"); 1217 abort_code = RXKADLEVELFAIL; 1218 level = ntohl(response->encrypted.level); 1219 if (level > RXRPC_SECURITY_ENCRYPT) 1220 goto protocol_error_free; 1221 conn->params.security_level = level; 1222 1223 /* create a key to hold the security data and expiration time - after 1224 * this the connection security can be handled in exactly the same way 1225 * as for a client connection */ 1226 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); 1227 if (ret < 0) 1228 goto temporary_error_free_ticket; 1229 1230 kfree(ticket); 1231 kfree(response); 1232 _leave(" = 0"); 1233 return 0; 1234 1235 protocol_error_unlock: 1236 spin_unlock(&conn->channel_lock); 1237 protocol_error_free: 1238 kfree(ticket); 1239 protocol_error: 1240 kfree(response); 1241 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto); 1242 *_abort_code = abort_code; 1243 return -EPROTO; 1244 1245 temporary_error_free_ticket: 1246 kfree(ticket); 1247 temporary_error_free_resp: 1248 kfree(response); 1249 temporary_error: 1250 /* Ignore the response packet if we got a temporary error such as 1251 * ENOMEM. We just want to send the challenge again. Note that we 1252 * also come out this way if the ticket decryption fails. 1253 */ 1254 return ret; 1255 } 1256 1257 /* 1258 * clear the connection security 1259 */ 1260 static void rxkad_clear(struct rxrpc_connection *conn) 1261 { 1262 _enter(""); 1263 1264 if (conn->cipher) 1265 crypto_free_sync_skcipher(conn->cipher); 1266 } 1267 1268 /* 1269 * Initialise the rxkad security service. 1270 */ 1271 static int rxkad_init(void) 1272 { 1273 struct crypto_sync_skcipher *tfm; 1274 struct skcipher_request *req; 1275 1276 /* pin the cipher we need so that the crypto layer doesn't invoke 1277 * keventd to go get it */ 1278 tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0); 1279 if (IS_ERR(tfm)) 1280 return PTR_ERR(tfm); 1281 1282 req = skcipher_request_alloc(&tfm->base, GFP_KERNEL); 1283 if (!req) 1284 goto nomem_tfm; 1285 1286 rxkad_ci_req = req; 1287 rxkad_ci = tfm; 1288 return 0; 1289 1290 nomem_tfm: 1291 crypto_free_sync_skcipher(tfm); 1292 return -ENOMEM; 1293 } 1294 1295 /* 1296 * Clean up the rxkad security service. 1297 */ 1298 static void rxkad_exit(void) 1299 { 1300 crypto_free_sync_skcipher(rxkad_ci); 1301 skcipher_request_free(rxkad_ci_req); 1302 } 1303 1304 /* 1305 * RxRPC Kerberos-based security 1306 */ 1307 const struct rxrpc_security rxkad = { 1308 .name = "rxkad", 1309 .security_index = RXRPC_SECURITY_RXKAD, 1310 .init = rxkad_init, 1311 .exit = rxkad_exit, 1312 .init_connection_security = rxkad_init_connection_security, 1313 .prime_packet_security = rxkad_prime_packet_security, 1314 .secure_packet = rxkad_secure_packet, 1315 .verify_packet = rxkad_verify_packet, 1316 .free_call_crypto = rxkad_free_call_crypto, 1317 .locate_data = rxkad_locate_data, 1318 .issue_challenge = rxkad_issue_challenge, 1319 .respond_to_challenge = rxkad_respond_to_challenge, 1320 .verify_response = rxkad_verify_response, 1321 .clear = rxkad_clear, 1322 }; 1323