xref: /openbmc/linux/net/rxrpc/rxkad.c (revision b830f94f)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Kerberos-based RxRPC security
3  *
4  * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
5  * Written by David Howells (dhowells@redhat.com)
6  */
7 
8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9 
10 #include <crypto/skcipher.h>
11 #include <linux/module.h>
12 #include <linux/net.h>
13 #include <linux/skbuff.h>
14 #include <linux/udp.h>
15 #include <linux/scatterlist.h>
16 #include <linux/ctype.h>
17 #include <linux/slab.h>
18 #include <net/sock.h>
19 #include <net/af_rxrpc.h>
20 #include <keys/rxrpc-type.h>
21 #include "ar-internal.h"
22 
23 #define RXKAD_VERSION			2
24 #define MAXKRB5TICKETLEN		1024
25 #define RXKAD_TKT_TYPE_KERBEROS_V5	256
26 #define ANAME_SZ			40	/* size of authentication name */
27 #define INST_SZ				40	/* size of principal's instance */
28 #define REALM_SZ			40	/* size of principal's auth domain */
29 #define SNAME_SZ			40	/* size of service name */
30 
31 struct rxkad_level1_hdr {
32 	__be32	data_size;	/* true data size (excluding padding) */
33 };
34 
35 struct rxkad_level2_hdr {
36 	__be32	data_size;	/* true data size (excluding padding) */
37 	__be32	checksum;	/* decrypted data checksum */
38 };
39 
40 /*
41  * this holds a pinned cipher so that keventd doesn't get called by the cipher
42  * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
43  * packets
44  */
45 static struct crypto_sync_skcipher *rxkad_ci;
46 static DEFINE_MUTEX(rxkad_ci_mutex);
47 
48 /*
49  * initialise connection security
50  */
51 static int rxkad_init_connection_security(struct rxrpc_connection *conn)
52 {
53 	struct crypto_sync_skcipher *ci;
54 	struct rxrpc_key_token *token;
55 	int ret;
56 
57 	_enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
58 
59 	token = conn->params.key->payload.data[0];
60 	conn->security_ix = token->security_index;
61 
62 	ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
63 	if (IS_ERR(ci)) {
64 		_debug("no cipher");
65 		ret = PTR_ERR(ci);
66 		goto error;
67 	}
68 
69 	if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
70 				   sizeof(token->kad->session_key)) < 0)
71 		BUG();
72 
73 	switch (conn->params.security_level) {
74 	case RXRPC_SECURITY_PLAIN:
75 		break;
76 	case RXRPC_SECURITY_AUTH:
77 		conn->size_align = 8;
78 		conn->security_size = sizeof(struct rxkad_level1_hdr);
79 		break;
80 	case RXRPC_SECURITY_ENCRYPT:
81 		conn->size_align = 8;
82 		conn->security_size = sizeof(struct rxkad_level2_hdr);
83 		break;
84 	default:
85 		ret = -EKEYREJECTED;
86 		goto error;
87 	}
88 
89 	conn->cipher = ci;
90 	ret = 0;
91 error:
92 	_leave(" = %d", ret);
93 	return ret;
94 }
95 
96 /*
97  * prime the encryption state with the invariant parts of a connection's
98  * description
99  */
100 static int rxkad_prime_packet_security(struct rxrpc_connection *conn)
101 {
102 	struct rxrpc_key_token *token;
103 	SYNC_SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
104 	struct scatterlist sg;
105 	struct rxrpc_crypt iv;
106 	__be32 *tmpbuf;
107 	size_t tmpsize = 4 * sizeof(__be32);
108 
109 	_enter("");
110 
111 	if (!conn->params.key)
112 		return 0;
113 
114 	tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
115 	if (!tmpbuf)
116 		return -ENOMEM;
117 
118 	token = conn->params.key->payload.data[0];
119 	memcpy(&iv, token->kad->session_key, sizeof(iv));
120 
121 	tmpbuf[0] = htonl(conn->proto.epoch);
122 	tmpbuf[1] = htonl(conn->proto.cid);
123 	tmpbuf[2] = 0;
124 	tmpbuf[3] = htonl(conn->security_ix);
125 
126 	sg_init_one(&sg, tmpbuf, tmpsize);
127 	skcipher_request_set_sync_tfm(req, conn->cipher);
128 	skcipher_request_set_callback(req, 0, NULL, NULL);
129 	skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
130 	crypto_skcipher_encrypt(req);
131 	skcipher_request_zero(req);
132 
133 	memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv));
134 	kfree(tmpbuf);
135 	_leave(" = 0");
136 	return 0;
137 }
138 
139 /*
140  * partially encrypt a packet (level 1 security)
141  */
142 static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
143 				    struct sk_buff *skb,
144 				    u32 data_size,
145 				    void *sechdr,
146 				    struct skcipher_request *req)
147 {
148 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
149 	struct rxkad_level1_hdr hdr;
150 	struct rxrpc_crypt iv;
151 	struct scatterlist sg;
152 	u16 check;
153 
154 	_enter("");
155 
156 	check = sp->hdr.seq ^ call->call_id;
157 	data_size |= (u32)check << 16;
158 
159 	hdr.data_size = htonl(data_size);
160 	memcpy(sechdr, &hdr, sizeof(hdr));
161 
162 	/* start the encryption afresh */
163 	memset(&iv, 0, sizeof(iv));
164 
165 	sg_init_one(&sg, sechdr, 8);
166 	skcipher_request_set_sync_tfm(req, call->conn->cipher);
167 	skcipher_request_set_callback(req, 0, NULL, NULL);
168 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
169 	crypto_skcipher_encrypt(req);
170 	skcipher_request_zero(req);
171 
172 	_leave(" = 0");
173 	return 0;
174 }
175 
176 /*
177  * wholly encrypt a packet (level 2 security)
178  */
179 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
180 				       struct sk_buff *skb,
181 				       u32 data_size,
182 				       void *sechdr,
183 				       struct skcipher_request *req)
184 {
185 	const struct rxrpc_key_token *token;
186 	struct rxkad_level2_hdr rxkhdr;
187 	struct rxrpc_skb_priv *sp;
188 	struct rxrpc_crypt iv;
189 	struct scatterlist sg[16];
190 	struct sk_buff *trailer;
191 	unsigned int len;
192 	u16 check;
193 	int nsg;
194 	int err;
195 
196 	sp = rxrpc_skb(skb);
197 
198 	_enter("");
199 
200 	check = sp->hdr.seq ^ call->call_id;
201 
202 	rxkhdr.data_size = htonl(data_size | (u32)check << 16);
203 	rxkhdr.checksum = 0;
204 	memcpy(sechdr, &rxkhdr, sizeof(rxkhdr));
205 
206 	/* encrypt from the session key */
207 	token = call->conn->params.key->payload.data[0];
208 	memcpy(&iv, token->kad->session_key, sizeof(iv));
209 
210 	sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
211 	skcipher_request_set_sync_tfm(req, call->conn->cipher);
212 	skcipher_request_set_callback(req, 0, NULL, NULL);
213 	skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
214 	crypto_skcipher_encrypt(req);
215 
216 	/* we want to encrypt the skbuff in-place */
217 	nsg = skb_cow_data(skb, 0, &trailer);
218 	err = -ENOMEM;
219 	if (nsg < 0 || nsg > 16)
220 		goto out;
221 
222 	len = data_size + call->conn->size_align - 1;
223 	len &= ~(call->conn->size_align - 1);
224 
225 	sg_init_table(sg, nsg);
226 	err = skb_to_sgvec(skb, sg, 0, len);
227 	if (unlikely(err < 0))
228 		goto out;
229 	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
230 	crypto_skcipher_encrypt(req);
231 
232 	_leave(" = 0");
233 	err = 0;
234 
235 out:
236 	skcipher_request_zero(req);
237 	return err;
238 }
239 
240 /*
241  * checksum an RxRPC packet header
242  */
243 static int rxkad_secure_packet(struct rxrpc_call *call,
244 			       struct sk_buff *skb,
245 			       size_t data_size,
246 			       void *sechdr)
247 {
248 	struct rxrpc_skb_priv *sp;
249 	SYNC_SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
250 	struct rxrpc_crypt iv;
251 	struct scatterlist sg;
252 	u32 x, y;
253 	int ret;
254 
255 	sp = rxrpc_skb(skb);
256 
257 	_enter("{%d{%x}},{#%u},%zu,",
258 	       call->debug_id, key_serial(call->conn->params.key),
259 	       sp->hdr.seq, data_size);
260 
261 	if (!call->conn->cipher)
262 		return 0;
263 
264 	ret = key_validate(call->conn->params.key);
265 	if (ret < 0)
266 		return ret;
267 
268 	/* continue encrypting from where we left off */
269 	memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
270 
271 	/* calculate the security checksum */
272 	x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
273 	x |= sp->hdr.seq & 0x3fffffff;
274 	call->crypto_buf[0] = htonl(call->call_id);
275 	call->crypto_buf[1] = htonl(x);
276 
277 	sg_init_one(&sg, call->crypto_buf, 8);
278 	skcipher_request_set_sync_tfm(req, call->conn->cipher);
279 	skcipher_request_set_callback(req, 0, NULL, NULL);
280 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
281 	crypto_skcipher_encrypt(req);
282 	skcipher_request_zero(req);
283 
284 	y = ntohl(call->crypto_buf[1]);
285 	y = (y >> 16) & 0xffff;
286 	if (y == 0)
287 		y = 1; /* zero checksums are not permitted */
288 	sp->hdr.cksum = y;
289 
290 	switch (call->conn->params.security_level) {
291 	case RXRPC_SECURITY_PLAIN:
292 		ret = 0;
293 		break;
294 	case RXRPC_SECURITY_AUTH:
295 		ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr,
296 					       req);
297 		break;
298 	case RXRPC_SECURITY_ENCRYPT:
299 		ret = rxkad_secure_packet_encrypt(call, skb, data_size,
300 						  sechdr, req);
301 		break;
302 	default:
303 		ret = -EPERM;
304 		break;
305 	}
306 
307 	_leave(" = %d [set %hx]", ret, y);
308 	return ret;
309 }
310 
311 /*
312  * decrypt partial encryption on a packet (level 1 security)
313  */
314 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
315 				 unsigned int offset, unsigned int len,
316 				 rxrpc_seq_t seq,
317 				 struct skcipher_request *req)
318 {
319 	struct rxkad_level1_hdr sechdr;
320 	struct rxrpc_crypt iv;
321 	struct scatterlist sg[16];
322 	struct sk_buff *trailer;
323 	bool aborted;
324 	u32 data_size, buf;
325 	u16 check;
326 	int nsg, ret;
327 
328 	_enter("");
329 
330 	if (len < 8) {
331 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_hdr", "V1H",
332 					   RXKADSEALEDINCON);
333 		goto protocol_error;
334 	}
335 
336 	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
337 	 * directly into the target buffer.
338 	 */
339 	nsg = skb_cow_data(skb, 0, &trailer);
340 	if (nsg < 0 || nsg > 16)
341 		goto nomem;
342 
343 	sg_init_table(sg, nsg);
344 	ret = skb_to_sgvec(skb, sg, offset, 8);
345 	if (unlikely(ret < 0))
346 		return ret;
347 
348 	/* start the decryption afresh */
349 	memset(&iv, 0, sizeof(iv));
350 
351 	skcipher_request_set_sync_tfm(req, call->conn->cipher);
352 	skcipher_request_set_callback(req, 0, NULL, NULL);
353 	skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
354 	crypto_skcipher_decrypt(req);
355 	skcipher_request_zero(req);
356 
357 	/* Extract the decrypted packet length */
358 	if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
359 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_len", "XV1",
360 					     RXKADDATALEN);
361 		goto protocol_error;
362 	}
363 	offset += sizeof(sechdr);
364 	len -= sizeof(sechdr);
365 
366 	buf = ntohl(sechdr.data_size);
367 	data_size = buf & 0xffff;
368 
369 	check = buf >> 16;
370 	check ^= seq ^ call->call_id;
371 	check &= 0xffff;
372 	if (check != 0) {
373 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_check", "V1C",
374 					     RXKADSEALEDINCON);
375 		goto protocol_error;
376 	}
377 
378 	if (data_size > len) {
379 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_datalen", "V1L",
380 					     RXKADDATALEN);
381 		goto protocol_error;
382 	}
383 
384 	_leave(" = 0 [dlen=%x]", data_size);
385 	return 0;
386 
387 protocol_error:
388 	if (aborted)
389 		rxrpc_send_abort_packet(call);
390 	return -EPROTO;
391 
392 nomem:
393 	_leave(" = -ENOMEM");
394 	return -ENOMEM;
395 }
396 
397 /*
398  * wholly decrypt a packet (level 2 security)
399  */
400 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
401 				 unsigned int offset, unsigned int len,
402 				 rxrpc_seq_t seq,
403 				 struct skcipher_request *req)
404 {
405 	const struct rxrpc_key_token *token;
406 	struct rxkad_level2_hdr sechdr;
407 	struct rxrpc_crypt iv;
408 	struct scatterlist _sg[4], *sg;
409 	struct sk_buff *trailer;
410 	bool aborted;
411 	u32 data_size, buf;
412 	u16 check;
413 	int nsg, ret;
414 
415 	_enter(",{%d}", skb->len);
416 
417 	if (len < 8) {
418 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_hdr", "V2H",
419 					     RXKADSEALEDINCON);
420 		goto protocol_error;
421 	}
422 
423 	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
424 	 * directly into the target buffer.
425 	 */
426 	nsg = skb_cow_data(skb, 0, &trailer);
427 	if (nsg < 0)
428 		goto nomem;
429 
430 	sg = _sg;
431 	if (unlikely(nsg > 4)) {
432 		sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
433 		if (!sg)
434 			goto nomem;
435 	}
436 
437 	sg_init_table(sg, nsg);
438 	ret = skb_to_sgvec(skb, sg, offset, len);
439 	if (unlikely(ret < 0)) {
440 		if (sg != _sg)
441 			kfree(sg);
442 		return ret;
443 	}
444 
445 	/* decrypt from the session key */
446 	token = call->conn->params.key->payload.data[0];
447 	memcpy(&iv, token->kad->session_key, sizeof(iv));
448 
449 	skcipher_request_set_sync_tfm(req, call->conn->cipher);
450 	skcipher_request_set_callback(req, 0, NULL, NULL);
451 	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
452 	crypto_skcipher_decrypt(req);
453 	skcipher_request_zero(req);
454 	if (sg != _sg)
455 		kfree(sg);
456 
457 	/* Extract the decrypted packet length */
458 	if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
459 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_len", "XV2",
460 					     RXKADDATALEN);
461 		goto protocol_error;
462 	}
463 	offset += sizeof(sechdr);
464 	len -= sizeof(sechdr);
465 
466 	buf = ntohl(sechdr.data_size);
467 	data_size = buf & 0xffff;
468 
469 	check = buf >> 16;
470 	check ^= seq ^ call->call_id;
471 	check &= 0xffff;
472 	if (check != 0) {
473 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_check", "V2C",
474 					     RXKADSEALEDINCON);
475 		goto protocol_error;
476 	}
477 
478 	if (data_size > len) {
479 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_datalen", "V2L",
480 					     RXKADDATALEN);
481 		goto protocol_error;
482 	}
483 
484 	_leave(" = 0 [dlen=%x]", data_size);
485 	return 0;
486 
487 protocol_error:
488 	if (aborted)
489 		rxrpc_send_abort_packet(call);
490 	return -EPROTO;
491 
492 nomem:
493 	_leave(" = -ENOMEM");
494 	return -ENOMEM;
495 }
496 
497 /*
498  * Verify the security on a received packet or subpacket (if part of a
499  * jumbo packet).
500  */
501 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb,
502 			       unsigned int offset, unsigned int len,
503 			       rxrpc_seq_t seq, u16 expected_cksum)
504 {
505 	SYNC_SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
506 	struct rxrpc_crypt iv;
507 	struct scatterlist sg;
508 	bool aborted;
509 	u16 cksum;
510 	u32 x, y;
511 
512 	_enter("{%d{%x}},{#%u}",
513 	       call->debug_id, key_serial(call->conn->params.key), seq);
514 
515 	if (!call->conn->cipher)
516 		return 0;
517 
518 	/* continue encrypting from where we left off */
519 	memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
520 
521 	/* validate the security checksum */
522 	x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
523 	x |= seq & 0x3fffffff;
524 	call->crypto_buf[0] = htonl(call->call_id);
525 	call->crypto_buf[1] = htonl(x);
526 
527 	sg_init_one(&sg, call->crypto_buf, 8);
528 	skcipher_request_set_sync_tfm(req, call->conn->cipher);
529 	skcipher_request_set_callback(req, 0, NULL, NULL);
530 	skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
531 	crypto_skcipher_encrypt(req);
532 	skcipher_request_zero(req);
533 
534 	y = ntohl(call->crypto_buf[1]);
535 	cksum = (y >> 16) & 0xffff;
536 	if (cksum == 0)
537 		cksum = 1; /* zero checksums are not permitted */
538 
539 	if (cksum != expected_cksum) {
540 		aborted = rxrpc_abort_eproto(call, skb, "rxkad_csum", "VCK",
541 					     RXKADSEALEDINCON);
542 		goto protocol_error;
543 	}
544 
545 	switch (call->conn->params.security_level) {
546 	case RXRPC_SECURITY_PLAIN:
547 		return 0;
548 	case RXRPC_SECURITY_AUTH:
549 		return rxkad_verify_packet_1(call, skb, offset, len, seq, req);
550 	case RXRPC_SECURITY_ENCRYPT:
551 		return rxkad_verify_packet_2(call, skb, offset, len, seq, req);
552 	default:
553 		return -ENOANO;
554 	}
555 
556 protocol_error:
557 	if (aborted)
558 		rxrpc_send_abort_packet(call);
559 	return -EPROTO;
560 }
561 
562 /*
563  * Locate the data contained in a packet that was partially encrypted.
564  */
565 static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb,
566 				unsigned int *_offset, unsigned int *_len)
567 {
568 	struct rxkad_level1_hdr sechdr;
569 
570 	if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
571 		BUG();
572 	*_offset += sizeof(sechdr);
573 	*_len = ntohl(sechdr.data_size) & 0xffff;
574 }
575 
576 /*
577  * Locate the data contained in a packet that was completely encrypted.
578  */
579 static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb,
580 				unsigned int *_offset, unsigned int *_len)
581 {
582 	struct rxkad_level2_hdr sechdr;
583 
584 	if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
585 		BUG();
586 	*_offset += sizeof(sechdr);
587 	*_len = ntohl(sechdr.data_size) & 0xffff;
588 }
589 
590 /*
591  * Locate the data contained in an already decrypted packet.
592  */
593 static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb,
594 			      unsigned int *_offset, unsigned int *_len)
595 {
596 	switch (call->conn->params.security_level) {
597 	case RXRPC_SECURITY_AUTH:
598 		rxkad_locate_data_1(call, skb, _offset, _len);
599 		return;
600 	case RXRPC_SECURITY_ENCRYPT:
601 		rxkad_locate_data_2(call, skb, _offset, _len);
602 		return;
603 	default:
604 		return;
605 	}
606 }
607 
608 /*
609  * issue a challenge
610  */
611 static int rxkad_issue_challenge(struct rxrpc_connection *conn)
612 {
613 	struct rxkad_challenge challenge;
614 	struct rxrpc_wire_header whdr;
615 	struct msghdr msg;
616 	struct kvec iov[2];
617 	size_t len;
618 	u32 serial;
619 	int ret;
620 
621 	_enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
622 
623 	ret = key_validate(conn->params.key);
624 	if (ret < 0)
625 		return ret;
626 
627 	get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
628 
629 	challenge.version	= htonl(2);
630 	challenge.nonce		= htonl(conn->security_nonce);
631 	challenge.min_level	= htonl(0);
632 	challenge.__padding	= 0;
633 
634 	msg.msg_name	= &conn->params.peer->srx.transport;
635 	msg.msg_namelen	= conn->params.peer->srx.transport_len;
636 	msg.msg_control	= NULL;
637 	msg.msg_controllen = 0;
638 	msg.msg_flags	= 0;
639 
640 	whdr.epoch	= htonl(conn->proto.epoch);
641 	whdr.cid	= htonl(conn->proto.cid);
642 	whdr.callNumber	= 0;
643 	whdr.seq	= 0;
644 	whdr.type	= RXRPC_PACKET_TYPE_CHALLENGE;
645 	whdr.flags	= conn->out_clientflag;
646 	whdr.userStatus	= 0;
647 	whdr.securityIndex = conn->security_ix;
648 	whdr._rsvd	= 0;
649 	whdr.serviceId	= htons(conn->service_id);
650 
651 	iov[0].iov_base	= &whdr;
652 	iov[0].iov_len	= sizeof(whdr);
653 	iov[1].iov_base	= &challenge;
654 	iov[1].iov_len	= sizeof(challenge);
655 
656 	len = iov[0].iov_len + iov[1].iov_len;
657 
658 	serial = atomic_inc_return(&conn->serial);
659 	whdr.serial = htonl(serial);
660 	_proto("Tx CHALLENGE %%%u", serial);
661 
662 	ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
663 	if (ret < 0) {
664 		trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
665 				    rxrpc_tx_point_rxkad_challenge);
666 		return -EAGAIN;
667 	}
668 
669 	conn->params.peer->last_tx_at = ktime_get_seconds();
670 	trace_rxrpc_tx_packet(conn->debug_id, &whdr,
671 			      rxrpc_tx_point_rxkad_challenge);
672 	_leave(" = 0");
673 	return 0;
674 }
675 
676 /*
677  * send a Kerberos security response
678  */
679 static int rxkad_send_response(struct rxrpc_connection *conn,
680 			       struct rxrpc_host_header *hdr,
681 			       struct rxkad_response *resp,
682 			       const struct rxkad_key *s2)
683 {
684 	struct rxrpc_wire_header whdr;
685 	struct msghdr msg;
686 	struct kvec iov[3];
687 	size_t len;
688 	u32 serial;
689 	int ret;
690 
691 	_enter("");
692 
693 	msg.msg_name	= &conn->params.peer->srx.transport;
694 	msg.msg_namelen	= conn->params.peer->srx.transport_len;
695 	msg.msg_control	= NULL;
696 	msg.msg_controllen = 0;
697 	msg.msg_flags	= 0;
698 
699 	memset(&whdr, 0, sizeof(whdr));
700 	whdr.epoch	= htonl(hdr->epoch);
701 	whdr.cid	= htonl(hdr->cid);
702 	whdr.type	= RXRPC_PACKET_TYPE_RESPONSE;
703 	whdr.flags	= conn->out_clientflag;
704 	whdr.securityIndex = hdr->securityIndex;
705 	whdr.serviceId	= htons(hdr->serviceId);
706 
707 	iov[0].iov_base	= &whdr;
708 	iov[0].iov_len	= sizeof(whdr);
709 	iov[1].iov_base	= resp;
710 	iov[1].iov_len	= sizeof(*resp);
711 	iov[2].iov_base	= (void *)s2->ticket;
712 	iov[2].iov_len	= s2->ticket_len;
713 
714 	len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
715 
716 	serial = atomic_inc_return(&conn->serial);
717 	whdr.serial = htonl(serial);
718 	_proto("Tx RESPONSE %%%u", serial);
719 
720 	ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
721 	if (ret < 0) {
722 		trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
723 				    rxrpc_tx_point_rxkad_response);
724 		return -EAGAIN;
725 	}
726 
727 	conn->params.peer->last_tx_at = ktime_get_seconds();
728 	_leave(" = 0");
729 	return 0;
730 }
731 
732 /*
733  * calculate the response checksum
734  */
735 static void rxkad_calc_response_checksum(struct rxkad_response *response)
736 {
737 	u32 csum = 1000003;
738 	int loop;
739 	u8 *p = (u8 *) response;
740 
741 	for (loop = sizeof(*response); loop > 0; loop--)
742 		csum = csum * 0x10204081 + *p++;
743 
744 	response->encrypted.checksum = htonl(csum);
745 }
746 
747 /*
748  * encrypt the response packet
749  */
750 static void rxkad_encrypt_response(struct rxrpc_connection *conn,
751 				   struct rxkad_response *resp,
752 				   const struct rxkad_key *s2)
753 {
754 	SYNC_SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
755 	struct rxrpc_crypt iv;
756 	struct scatterlist sg[1];
757 
758 	/* continue encrypting from where we left off */
759 	memcpy(&iv, s2->session_key, sizeof(iv));
760 
761 	sg_init_table(sg, 1);
762 	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
763 	skcipher_request_set_sync_tfm(req, conn->cipher);
764 	skcipher_request_set_callback(req, 0, NULL, NULL);
765 	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
766 	crypto_skcipher_encrypt(req);
767 	skcipher_request_zero(req);
768 }
769 
770 /*
771  * respond to a challenge packet
772  */
773 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
774 				      struct sk_buff *skb,
775 				      u32 *_abort_code)
776 {
777 	const struct rxrpc_key_token *token;
778 	struct rxkad_challenge challenge;
779 	struct rxkad_response *resp;
780 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
781 	const char *eproto;
782 	u32 version, nonce, min_level, abort_code;
783 	int ret;
784 
785 	_enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
786 
787 	eproto = tracepoint_string("chall_no_key");
788 	abort_code = RX_PROTOCOL_ERROR;
789 	if (!conn->params.key)
790 		goto protocol_error;
791 
792 	abort_code = RXKADEXPIRED;
793 	ret = key_validate(conn->params.key);
794 	if (ret < 0)
795 		goto other_error;
796 
797 	eproto = tracepoint_string("chall_short");
798 	abort_code = RXKADPACKETSHORT;
799 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
800 			  &challenge, sizeof(challenge)) < 0)
801 		goto protocol_error;
802 
803 	version = ntohl(challenge.version);
804 	nonce = ntohl(challenge.nonce);
805 	min_level = ntohl(challenge.min_level);
806 
807 	_proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
808 	       sp->hdr.serial, version, nonce, min_level);
809 
810 	eproto = tracepoint_string("chall_ver");
811 	abort_code = RXKADINCONSISTENCY;
812 	if (version != RXKAD_VERSION)
813 		goto protocol_error;
814 
815 	abort_code = RXKADLEVELFAIL;
816 	ret = -EACCES;
817 	if (conn->params.security_level < min_level)
818 		goto other_error;
819 
820 	token = conn->params.key->payload.data[0];
821 
822 	/* build the response packet */
823 	resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
824 	if (!resp)
825 		return -ENOMEM;
826 
827 	resp->version			= htonl(RXKAD_VERSION);
828 	resp->encrypted.epoch		= htonl(conn->proto.epoch);
829 	resp->encrypted.cid		= htonl(conn->proto.cid);
830 	resp->encrypted.securityIndex	= htonl(conn->security_ix);
831 	resp->encrypted.inc_nonce	= htonl(nonce + 1);
832 	resp->encrypted.level		= htonl(conn->params.security_level);
833 	resp->kvno			= htonl(token->kad->kvno);
834 	resp->ticket_len		= htonl(token->kad->ticket_len);
835 	resp->encrypted.call_id[0]	= htonl(conn->channels[0].call_counter);
836 	resp->encrypted.call_id[1]	= htonl(conn->channels[1].call_counter);
837 	resp->encrypted.call_id[2]	= htonl(conn->channels[2].call_counter);
838 	resp->encrypted.call_id[3]	= htonl(conn->channels[3].call_counter);
839 
840 	/* calculate the response checksum and then do the encryption */
841 	rxkad_calc_response_checksum(resp);
842 	rxkad_encrypt_response(conn, resp, token->kad);
843 	ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad);
844 	kfree(resp);
845 	return ret;
846 
847 protocol_error:
848 	trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
849 	ret = -EPROTO;
850 other_error:
851 	*_abort_code = abort_code;
852 	return ret;
853 }
854 
855 /*
856  * decrypt the kerberos IV ticket in the response
857  */
858 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
859 				struct sk_buff *skb,
860 				void *ticket, size_t ticket_len,
861 				struct rxrpc_crypt *_session_key,
862 				time64_t *_expiry,
863 				u32 *_abort_code)
864 {
865 	struct skcipher_request *req;
866 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
867 	struct rxrpc_crypt iv, key;
868 	struct scatterlist sg[1];
869 	struct in_addr addr;
870 	unsigned int life;
871 	const char *eproto;
872 	time64_t issue, now;
873 	bool little_endian;
874 	int ret;
875 	u32 abort_code;
876 	u8 *p, *q, *name, *end;
877 
878 	_enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
879 
880 	*_expiry = 0;
881 
882 	ret = key_validate(conn->server_key);
883 	if (ret < 0) {
884 		switch (ret) {
885 		case -EKEYEXPIRED:
886 			abort_code = RXKADEXPIRED;
887 			goto other_error;
888 		default:
889 			abort_code = RXKADNOAUTH;
890 			goto other_error;
891 		}
892 	}
893 
894 	ASSERT(conn->server_key->payload.data[0] != NULL);
895 	ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
896 
897 	memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
898 
899 	ret = -ENOMEM;
900 	req = skcipher_request_alloc(conn->server_key->payload.data[0],
901 				     GFP_NOFS);
902 	if (!req)
903 		goto temporary_error;
904 
905 	sg_init_one(&sg[0], ticket, ticket_len);
906 	skcipher_request_set_callback(req, 0, NULL, NULL);
907 	skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
908 	crypto_skcipher_decrypt(req);
909 	skcipher_request_free(req);
910 
911 	p = ticket;
912 	end = p + ticket_len;
913 
914 #define Z(field)					\
915 	({						\
916 		u8 *__str = p;				\
917 		eproto = tracepoint_string("rxkad_bad_"#field); \
918 		q = memchr(p, 0, end - p);		\
919 		if (!q || q - p > (field##_SZ))		\
920 			goto bad_ticket;		\
921 		for (; p < q; p++)			\
922 			if (!isprint(*p))		\
923 				goto bad_ticket;	\
924 		p++;					\
925 		__str;					\
926 	})
927 
928 	/* extract the ticket flags */
929 	_debug("KIV FLAGS: %x", *p);
930 	little_endian = *p & 1;
931 	p++;
932 
933 	/* extract the authentication name */
934 	name = Z(ANAME);
935 	_debug("KIV ANAME: %s", name);
936 
937 	/* extract the principal's instance */
938 	name = Z(INST);
939 	_debug("KIV INST : %s", name);
940 
941 	/* extract the principal's authentication domain */
942 	name = Z(REALM);
943 	_debug("KIV REALM: %s", name);
944 
945 	eproto = tracepoint_string("rxkad_bad_len");
946 	if (end - p < 4 + 8 + 4 + 2)
947 		goto bad_ticket;
948 
949 	/* get the IPv4 address of the entity that requested the ticket */
950 	memcpy(&addr, p, sizeof(addr));
951 	p += 4;
952 	_debug("KIV ADDR : %pI4", &addr);
953 
954 	/* get the session key from the ticket */
955 	memcpy(&key, p, sizeof(key));
956 	p += 8;
957 	_debug("KIV KEY  : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
958 	memcpy(_session_key, &key, sizeof(key));
959 
960 	/* get the ticket's lifetime */
961 	life = *p++ * 5 * 60;
962 	_debug("KIV LIFE : %u", life);
963 
964 	/* get the issue time of the ticket */
965 	if (little_endian) {
966 		__le32 stamp;
967 		memcpy(&stamp, p, 4);
968 		issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
969 	} else {
970 		__be32 stamp;
971 		memcpy(&stamp, p, 4);
972 		issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
973 	}
974 	p += 4;
975 	now = ktime_get_real_seconds();
976 	_debug("KIV ISSUE: %llx [%llx]", issue, now);
977 
978 	/* check the ticket is in date */
979 	if (issue > now) {
980 		abort_code = RXKADNOAUTH;
981 		ret = -EKEYREJECTED;
982 		goto other_error;
983 	}
984 
985 	if (issue < now - life) {
986 		abort_code = RXKADEXPIRED;
987 		ret = -EKEYEXPIRED;
988 		goto other_error;
989 	}
990 
991 	*_expiry = issue + life;
992 
993 	/* get the service name */
994 	name = Z(SNAME);
995 	_debug("KIV SNAME: %s", name);
996 
997 	/* get the service instance name */
998 	name = Z(INST);
999 	_debug("KIV SINST: %s", name);
1000 	return 0;
1001 
1002 bad_ticket:
1003 	trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1004 	abort_code = RXKADBADTICKET;
1005 	ret = -EPROTO;
1006 other_error:
1007 	*_abort_code = abort_code;
1008 	return ret;
1009 temporary_error:
1010 	return ret;
1011 }
1012 
1013 /*
1014  * decrypt the response packet
1015  */
1016 static void rxkad_decrypt_response(struct rxrpc_connection *conn,
1017 				   struct rxkad_response *resp,
1018 				   const struct rxrpc_crypt *session_key)
1019 {
1020 	SYNC_SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci);
1021 	struct scatterlist sg[1];
1022 	struct rxrpc_crypt iv;
1023 
1024 	_enter(",,%08x%08x",
1025 	       ntohl(session_key->n[0]), ntohl(session_key->n[1]));
1026 
1027 	ASSERT(rxkad_ci != NULL);
1028 
1029 	mutex_lock(&rxkad_ci_mutex);
1030 	if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
1031 				   sizeof(*session_key)) < 0)
1032 		BUG();
1033 
1034 	memcpy(&iv, session_key, sizeof(iv));
1035 
1036 	sg_init_table(sg, 1);
1037 	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1038 	skcipher_request_set_sync_tfm(req, rxkad_ci);
1039 	skcipher_request_set_callback(req, 0, NULL, NULL);
1040 	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1041 	crypto_skcipher_decrypt(req);
1042 	skcipher_request_zero(req);
1043 
1044 	mutex_unlock(&rxkad_ci_mutex);
1045 
1046 	_leave("");
1047 }
1048 
1049 /*
1050  * verify a response
1051  */
1052 static int rxkad_verify_response(struct rxrpc_connection *conn,
1053 				 struct sk_buff *skb,
1054 				 u32 *_abort_code)
1055 {
1056 	struct rxkad_response *response;
1057 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1058 	struct rxrpc_crypt session_key;
1059 	const char *eproto;
1060 	time64_t expiry;
1061 	void *ticket;
1062 	u32 abort_code, version, kvno, ticket_len, level;
1063 	__be32 csum;
1064 	int ret, i;
1065 
1066 	_enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
1067 
1068 	ret = -ENOMEM;
1069 	response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1070 	if (!response)
1071 		goto temporary_error;
1072 
1073 	eproto = tracepoint_string("rxkad_rsp_short");
1074 	abort_code = RXKADPACKETSHORT;
1075 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1076 			  response, sizeof(*response)) < 0)
1077 		goto protocol_error;
1078 	if (!pskb_pull(skb, sizeof(*response)))
1079 		BUG();
1080 
1081 	version = ntohl(response->version);
1082 	ticket_len = ntohl(response->ticket_len);
1083 	kvno = ntohl(response->kvno);
1084 	_proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1085 	       sp->hdr.serial, version, kvno, ticket_len);
1086 
1087 	eproto = tracepoint_string("rxkad_rsp_ver");
1088 	abort_code = RXKADINCONSISTENCY;
1089 	if (version != RXKAD_VERSION)
1090 		goto protocol_error;
1091 
1092 	eproto = tracepoint_string("rxkad_rsp_tktlen");
1093 	abort_code = RXKADTICKETLEN;
1094 	if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1095 		goto protocol_error;
1096 
1097 	eproto = tracepoint_string("rxkad_rsp_unkkey");
1098 	abort_code = RXKADUNKNOWNKEY;
1099 	if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1100 		goto protocol_error;
1101 
1102 	/* extract the kerberos ticket and decrypt and decode it */
1103 	ret = -ENOMEM;
1104 	ticket = kmalloc(ticket_len, GFP_NOFS);
1105 	if (!ticket)
1106 		goto temporary_error;
1107 
1108 	eproto = tracepoint_string("rxkad_tkt_short");
1109 	abort_code = RXKADPACKETSHORT;
1110 	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1111 			  ticket, ticket_len) < 0)
1112 		goto protocol_error_free;
1113 
1114 	ret = rxkad_decrypt_ticket(conn, skb, ticket, ticket_len, &session_key,
1115 				   &expiry, _abort_code);
1116 	if (ret < 0)
1117 		goto temporary_error_free_resp;
1118 
1119 	/* use the session key from inside the ticket to decrypt the
1120 	 * response */
1121 	rxkad_decrypt_response(conn, response, &session_key);
1122 
1123 	eproto = tracepoint_string("rxkad_rsp_param");
1124 	abort_code = RXKADSEALEDINCON;
1125 	if (ntohl(response->encrypted.epoch) != conn->proto.epoch)
1126 		goto protocol_error_free;
1127 	if (ntohl(response->encrypted.cid) != conn->proto.cid)
1128 		goto protocol_error_free;
1129 	if (ntohl(response->encrypted.securityIndex) != conn->security_ix)
1130 		goto protocol_error_free;
1131 	csum = response->encrypted.checksum;
1132 	response->encrypted.checksum = 0;
1133 	rxkad_calc_response_checksum(response);
1134 	eproto = tracepoint_string("rxkad_rsp_csum");
1135 	if (response->encrypted.checksum != csum)
1136 		goto protocol_error_free;
1137 
1138 	spin_lock(&conn->channel_lock);
1139 	for (i = 0; i < RXRPC_MAXCALLS; i++) {
1140 		struct rxrpc_call *call;
1141 		u32 call_id = ntohl(response->encrypted.call_id[i]);
1142 
1143 		eproto = tracepoint_string("rxkad_rsp_callid");
1144 		if (call_id > INT_MAX)
1145 			goto protocol_error_unlock;
1146 
1147 		eproto = tracepoint_string("rxkad_rsp_callctr");
1148 		if (call_id < conn->channels[i].call_counter)
1149 			goto protocol_error_unlock;
1150 
1151 		eproto = tracepoint_string("rxkad_rsp_callst");
1152 		if (call_id > conn->channels[i].call_counter) {
1153 			call = rcu_dereference_protected(
1154 				conn->channels[i].call,
1155 				lockdep_is_held(&conn->channel_lock));
1156 			if (call && call->state < RXRPC_CALL_COMPLETE)
1157 				goto protocol_error_unlock;
1158 			conn->channels[i].call_counter = call_id;
1159 		}
1160 	}
1161 	spin_unlock(&conn->channel_lock);
1162 
1163 	eproto = tracepoint_string("rxkad_rsp_seq");
1164 	abort_code = RXKADOUTOFSEQUENCE;
1165 	if (ntohl(response->encrypted.inc_nonce) != conn->security_nonce + 1)
1166 		goto protocol_error_free;
1167 
1168 	eproto = tracepoint_string("rxkad_rsp_level");
1169 	abort_code = RXKADLEVELFAIL;
1170 	level = ntohl(response->encrypted.level);
1171 	if (level > RXRPC_SECURITY_ENCRYPT)
1172 		goto protocol_error_free;
1173 	conn->params.security_level = level;
1174 
1175 	/* create a key to hold the security data and expiration time - after
1176 	 * this the connection security can be handled in exactly the same way
1177 	 * as for a client connection */
1178 	ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1179 	if (ret < 0)
1180 		goto temporary_error_free_ticket;
1181 
1182 	kfree(ticket);
1183 	kfree(response);
1184 	_leave(" = 0");
1185 	return 0;
1186 
1187 protocol_error_unlock:
1188 	spin_unlock(&conn->channel_lock);
1189 protocol_error_free:
1190 	kfree(ticket);
1191 protocol_error:
1192 	kfree(response);
1193 	trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1194 	*_abort_code = abort_code;
1195 	return -EPROTO;
1196 
1197 temporary_error_free_ticket:
1198 	kfree(ticket);
1199 temporary_error_free_resp:
1200 	kfree(response);
1201 temporary_error:
1202 	/* Ignore the response packet if we got a temporary error such as
1203 	 * ENOMEM.  We just want to send the challenge again.  Note that we
1204 	 * also come out this way if the ticket decryption fails.
1205 	 */
1206 	return ret;
1207 }
1208 
1209 /*
1210  * clear the connection security
1211  */
1212 static void rxkad_clear(struct rxrpc_connection *conn)
1213 {
1214 	_enter("");
1215 
1216 	if (conn->cipher)
1217 		crypto_free_sync_skcipher(conn->cipher);
1218 }
1219 
1220 /*
1221  * Initialise the rxkad security service.
1222  */
1223 static int rxkad_init(void)
1224 {
1225 	/* pin the cipher we need so that the crypto layer doesn't invoke
1226 	 * keventd to go get it */
1227 	rxkad_ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
1228 	return PTR_ERR_OR_ZERO(rxkad_ci);
1229 }
1230 
1231 /*
1232  * Clean up the rxkad security service.
1233  */
1234 static void rxkad_exit(void)
1235 {
1236 	if (rxkad_ci)
1237 		crypto_free_sync_skcipher(rxkad_ci);
1238 }
1239 
1240 /*
1241  * RxRPC Kerberos-based security
1242  */
1243 const struct rxrpc_security rxkad = {
1244 	.name				= "rxkad",
1245 	.security_index			= RXRPC_SECURITY_RXKAD,
1246 	.init				= rxkad_init,
1247 	.exit				= rxkad_exit,
1248 	.init_connection_security	= rxkad_init_connection_security,
1249 	.prime_packet_security		= rxkad_prime_packet_security,
1250 	.secure_packet			= rxkad_secure_packet,
1251 	.verify_packet			= rxkad_verify_packet,
1252 	.locate_data			= rxkad_locate_data,
1253 	.issue_challenge		= rxkad_issue_challenge,
1254 	.respond_to_challenge		= rxkad_respond_to_challenge,
1255 	.verify_response		= rxkad_verify_response,
1256 	.clear				= rxkad_clear,
1257 };
1258