1 /* Kerberos-based RxRPC security 2 * 3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <crypto/skcipher.h> 13 #include <linux/module.h> 14 #include <linux/net.h> 15 #include <linux/skbuff.h> 16 #include <linux/udp.h> 17 #include <linux/scatterlist.h> 18 #include <linux/ctype.h> 19 #include <linux/slab.h> 20 #include <net/sock.h> 21 #include <net/af_rxrpc.h> 22 #include <keys/rxrpc-type.h> 23 #include "ar-internal.h" 24 25 #define RXKAD_VERSION 2 26 #define MAXKRB5TICKETLEN 1024 27 #define RXKAD_TKT_TYPE_KERBEROS_V5 256 28 #define ANAME_SZ 40 /* size of authentication name */ 29 #define INST_SZ 40 /* size of principal's instance */ 30 #define REALM_SZ 40 /* size of principal's auth domain */ 31 #define SNAME_SZ 40 /* size of service name */ 32 33 struct rxkad_level1_hdr { 34 __be32 data_size; /* true data size (excluding padding) */ 35 }; 36 37 struct rxkad_level2_hdr { 38 __be32 data_size; /* true data size (excluding padding) */ 39 __be32 checksum; /* decrypted data checksum */ 40 }; 41 42 /* 43 * this holds a pinned cipher so that keventd doesn't get called by the cipher 44 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE 45 * packets 46 */ 47 static struct crypto_skcipher *rxkad_ci; 48 static DEFINE_MUTEX(rxkad_ci_mutex); 49 50 /* 51 * initialise connection security 52 */ 53 static int rxkad_init_connection_security(struct rxrpc_connection *conn) 54 { 55 struct crypto_skcipher *ci; 56 struct rxrpc_key_token *token; 57 int ret; 58 59 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->key)); 60 61 token = conn->key->payload.data[0]; 62 conn->security_ix = token->security_index; 63 64 ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 65 if (IS_ERR(ci)) { 66 _debug("no cipher"); 67 ret = PTR_ERR(ci); 68 goto error; 69 } 70 71 if (crypto_skcipher_setkey(ci, token->kad->session_key, 72 sizeof(token->kad->session_key)) < 0) 73 BUG(); 74 75 switch (conn->security_level) { 76 case RXRPC_SECURITY_PLAIN: 77 break; 78 case RXRPC_SECURITY_AUTH: 79 conn->size_align = 8; 80 conn->security_size = sizeof(struct rxkad_level1_hdr); 81 conn->header_size += sizeof(struct rxkad_level1_hdr); 82 break; 83 case RXRPC_SECURITY_ENCRYPT: 84 conn->size_align = 8; 85 conn->security_size = sizeof(struct rxkad_level2_hdr); 86 conn->header_size += sizeof(struct rxkad_level2_hdr); 87 break; 88 default: 89 ret = -EKEYREJECTED; 90 goto error; 91 } 92 93 conn->cipher = ci; 94 ret = 0; 95 error: 96 _leave(" = %d", ret); 97 return ret; 98 } 99 100 /* 101 * prime the encryption state with the invariant parts of a connection's 102 * description 103 */ 104 static void rxkad_prime_packet_security(struct rxrpc_connection *conn) 105 { 106 struct rxrpc_key_token *token; 107 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher); 108 struct scatterlist sg[2]; 109 struct rxrpc_crypt iv; 110 struct { 111 __be32 x[4]; 112 } tmpbuf __attribute__((aligned(16))); /* must all be in same page */ 113 114 _enter(""); 115 116 if (!conn->key) 117 return; 118 119 token = conn->key->payload.data[0]; 120 memcpy(&iv, token->kad->session_key, sizeof(iv)); 121 122 tmpbuf.x[0] = htonl(conn->epoch); 123 tmpbuf.x[1] = htonl(conn->cid); 124 tmpbuf.x[2] = 0; 125 tmpbuf.x[3] = htonl(conn->security_ix); 126 127 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf)); 128 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf)); 129 130 skcipher_request_set_tfm(req, conn->cipher); 131 skcipher_request_set_callback(req, 0, NULL, NULL); 132 skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(tmpbuf), iv.x); 133 134 crypto_skcipher_encrypt(req); 135 skcipher_request_zero(req); 136 137 memcpy(&conn->csum_iv, &tmpbuf.x[2], sizeof(conn->csum_iv)); 138 ASSERTCMP((u32 __force)conn->csum_iv.n[0], ==, (u32 __force)tmpbuf.x[2]); 139 140 _leave(""); 141 } 142 143 /* 144 * partially encrypt a packet (level 1 security) 145 */ 146 static int rxkad_secure_packet_auth(const struct rxrpc_call *call, 147 struct sk_buff *skb, 148 u32 data_size, 149 void *sechdr) 150 { 151 struct rxrpc_skb_priv *sp; 152 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 153 struct rxrpc_crypt iv; 154 struct scatterlist sg[2]; 155 struct { 156 struct rxkad_level1_hdr hdr; 157 __be32 first; /* first four bytes of data and padding */ 158 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */ 159 u16 check; 160 161 sp = rxrpc_skb(skb); 162 163 _enter(""); 164 165 check = sp->hdr.seq ^ sp->hdr.callNumber; 166 data_size |= (u32)check << 16; 167 168 tmpbuf.hdr.data_size = htonl(data_size); 169 memcpy(&tmpbuf.first, sechdr + 4, sizeof(tmpbuf.first)); 170 171 /* start the encryption afresh */ 172 memset(&iv, 0, sizeof(iv)); 173 174 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf)); 175 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf)); 176 177 skcipher_request_set_tfm(req, call->conn->cipher); 178 skcipher_request_set_callback(req, 0, NULL, NULL); 179 skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(tmpbuf), iv.x); 180 181 crypto_skcipher_encrypt(req); 182 skcipher_request_zero(req); 183 184 memcpy(sechdr, &tmpbuf, sizeof(tmpbuf)); 185 186 _leave(" = 0"); 187 return 0; 188 } 189 190 /* 191 * wholly encrypt a packet (level 2 security) 192 */ 193 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, 194 struct sk_buff *skb, 195 u32 data_size, 196 void *sechdr) 197 { 198 const struct rxrpc_key_token *token; 199 struct rxkad_level2_hdr rxkhdr 200 __attribute__((aligned(8))); /* must be all on one page */ 201 struct rxrpc_skb_priv *sp; 202 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 203 struct rxrpc_crypt iv; 204 struct scatterlist sg[16]; 205 struct sk_buff *trailer; 206 unsigned int len; 207 u16 check; 208 int nsg; 209 int err; 210 211 sp = rxrpc_skb(skb); 212 213 _enter(""); 214 215 check = sp->hdr.seq ^ sp->hdr.callNumber; 216 217 rxkhdr.data_size = htonl(data_size | (u32)check << 16); 218 rxkhdr.checksum = 0; 219 220 /* encrypt from the session key */ 221 token = call->conn->key->payload.data[0]; 222 memcpy(&iv, token->kad->session_key, sizeof(iv)); 223 224 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr)); 225 sg_init_one(&sg[1], &rxkhdr, sizeof(rxkhdr)); 226 227 skcipher_request_set_tfm(req, call->conn->cipher); 228 skcipher_request_set_callback(req, 0, NULL, NULL); 229 skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(rxkhdr), iv.x); 230 231 crypto_skcipher_encrypt(req); 232 233 /* we want to encrypt the skbuff in-place */ 234 nsg = skb_cow_data(skb, 0, &trailer); 235 err = -ENOMEM; 236 if (nsg < 0 || nsg > 16) 237 goto out; 238 239 len = data_size + call->conn->size_align - 1; 240 len &= ~(call->conn->size_align - 1); 241 242 sg_init_table(sg, nsg); 243 skb_to_sgvec(skb, sg, 0, len); 244 245 skcipher_request_set_crypt(req, sg, sg, len, iv.x); 246 247 crypto_skcipher_encrypt(req); 248 249 _leave(" = 0"); 250 err = 0; 251 252 out: 253 skcipher_request_zero(req); 254 return err; 255 } 256 257 /* 258 * checksum an RxRPC packet header 259 */ 260 static int rxkad_secure_packet(const struct rxrpc_call *call, 261 struct sk_buff *skb, 262 size_t data_size, 263 void *sechdr) 264 { 265 struct rxrpc_skb_priv *sp; 266 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 267 struct rxrpc_crypt iv; 268 struct scatterlist sg[2]; 269 struct { 270 __be32 x[2]; 271 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */ 272 u32 x, y; 273 int ret; 274 275 sp = rxrpc_skb(skb); 276 277 _enter("{%d{%x}},{#%u},%zu,", 278 call->debug_id, key_serial(call->conn->key), sp->hdr.seq, 279 data_size); 280 281 if (!call->conn->cipher) 282 return 0; 283 284 ret = key_validate(call->conn->key); 285 if (ret < 0) 286 return ret; 287 288 /* continue encrypting from where we left off */ 289 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 290 291 /* calculate the security checksum */ 292 x = call->channel << (32 - RXRPC_CIDSHIFT); 293 x |= sp->hdr.seq & 0x3fffffff; 294 tmpbuf.x[0] = htonl(sp->hdr.callNumber); 295 tmpbuf.x[1] = htonl(x); 296 297 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf)); 298 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf)); 299 300 skcipher_request_set_tfm(req, call->conn->cipher); 301 skcipher_request_set_callback(req, 0, NULL, NULL); 302 skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(tmpbuf), iv.x); 303 304 crypto_skcipher_encrypt(req); 305 skcipher_request_zero(req); 306 307 y = ntohl(tmpbuf.x[1]); 308 y = (y >> 16) & 0xffff; 309 if (y == 0) 310 y = 1; /* zero checksums are not permitted */ 311 sp->hdr.cksum = y; 312 313 switch (call->conn->security_level) { 314 case RXRPC_SECURITY_PLAIN: 315 ret = 0; 316 break; 317 case RXRPC_SECURITY_AUTH: 318 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr); 319 break; 320 case RXRPC_SECURITY_ENCRYPT: 321 ret = rxkad_secure_packet_encrypt(call, skb, data_size, 322 sechdr); 323 break; 324 default: 325 ret = -EPERM; 326 break; 327 } 328 329 _leave(" = %d [set %hx]", ret, y); 330 return ret; 331 } 332 333 /* 334 * decrypt partial encryption on a packet (level 1 security) 335 */ 336 static int rxkad_verify_packet_auth(const struct rxrpc_call *call, 337 struct sk_buff *skb, 338 u32 *_abort_code) 339 { 340 struct rxkad_level1_hdr sechdr; 341 struct rxrpc_skb_priv *sp; 342 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 343 struct rxrpc_crypt iv; 344 struct scatterlist sg[16]; 345 struct sk_buff *trailer; 346 u32 data_size, buf; 347 u16 check; 348 int nsg; 349 350 _enter(""); 351 352 sp = rxrpc_skb(skb); 353 354 /* we want to decrypt the skbuff in-place */ 355 nsg = skb_cow_data(skb, 0, &trailer); 356 if (nsg < 0 || nsg > 16) 357 goto nomem; 358 359 sg_init_table(sg, nsg); 360 skb_to_sgvec(skb, sg, 0, 8); 361 362 /* start the decryption afresh */ 363 memset(&iv, 0, sizeof(iv)); 364 365 skcipher_request_set_tfm(req, call->conn->cipher); 366 skcipher_request_set_callback(req, 0, NULL, NULL); 367 skcipher_request_set_crypt(req, sg, sg, 8, iv.x); 368 369 crypto_skcipher_decrypt(req); 370 skcipher_request_zero(req); 371 372 /* remove the decrypted packet length */ 373 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0) 374 goto datalen_error; 375 if (!skb_pull(skb, sizeof(sechdr))) 376 BUG(); 377 378 buf = ntohl(sechdr.data_size); 379 data_size = buf & 0xffff; 380 381 check = buf >> 16; 382 check ^= sp->hdr.seq ^ sp->hdr.callNumber; 383 check &= 0xffff; 384 if (check != 0) { 385 *_abort_code = RXKADSEALEDINCON; 386 goto protocol_error; 387 } 388 389 /* shorten the packet to remove the padding */ 390 if (data_size > skb->len) 391 goto datalen_error; 392 else if (data_size < skb->len) 393 skb->len = data_size; 394 395 _leave(" = 0 [dlen=%x]", data_size); 396 return 0; 397 398 datalen_error: 399 *_abort_code = RXKADDATALEN; 400 protocol_error: 401 _leave(" = -EPROTO"); 402 return -EPROTO; 403 404 nomem: 405 _leave(" = -ENOMEM"); 406 return -ENOMEM; 407 } 408 409 /* 410 * wholly decrypt a packet (level 2 security) 411 */ 412 static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call, 413 struct sk_buff *skb, 414 u32 *_abort_code) 415 { 416 const struct rxrpc_key_token *token; 417 struct rxkad_level2_hdr sechdr; 418 struct rxrpc_skb_priv *sp; 419 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 420 struct rxrpc_crypt iv; 421 struct scatterlist _sg[4], *sg; 422 struct sk_buff *trailer; 423 u32 data_size, buf; 424 u16 check; 425 int nsg; 426 427 _enter(",{%d}", skb->len); 428 429 sp = rxrpc_skb(skb); 430 431 /* we want to decrypt the skbuff in-place */ 432 nsg = skb_cow_data(skb, 0, &trailer); 433 if (nsg < 0) 434 goto nomem; 435 436 sg = _sg; 437 if (unlikely(nsg > 4)) { 438 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO); 439 if (!sg) 440 goto nomem; 441 } 442 443 sg_init_table(sg, nsg); 444 skb_to_sgvec(skb, sg, 0, skb->len); 445 446 /* decrypt from the session key */ 447 token = call->conn->key->payload.data[0]; 448 memcpy(&iv, token->kad->session_key, sizeof(iv)); 449 450 skcipher_request_set_tfm(req, call->conn->cipher); 451 skcipher_request_set_callback(req, 0, NULL, NULL); 452 skcipher_request_set_crypt(req, sg, sg, skb->len, iv.x); 453 454 crypto_skcipher_decrypt(req); 455 skcipher_request_zero(req); 456 if (sg != _sg) 457 kfree(sg); 458 459 /* remove the decrypted packet length */ 460 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0) 461 goto datalen_error; 462 if (!skb_pull(skb, sizeof(sechdr))) 463 BUG(); 464 465 buf = ntohl(sechdr.data_size); 466 data_size = buf & 0xffff; 467 468 check = buf >> 16; 469 check ^= sp->hdr.seq ^ sp->hdr.callNumber; 470 check &= 0xffff; 471 if (check != 0) { 472 *_abort_code = RXKADSEALEDINCON; 473 goto protocol_error; 474 } 475 476 /* shorten the packet to remove the padding */ 477 if (data_size > skb->len) 478 goto datalen_error; 479 else if (data_size < skb->len) 480 skb->len = data_size; 481 482 _leave(" = 0 [dlen=%x]", data_size); 483 return 0; 484 485 datalen_error: 486 *_abort_code = RXKADDATALEN; 487 protocol_error: 488 _leave(" = -EPROTO"); 489 return -EPROTO; 490 491 nomem: 492 _leave(" = -ENOMEM"); 493 return -ENOMEM; 494 } 495 496 /* 497 * verify the security on a received packet 498 */ 499 static int rxkad_verify_packet(const struct rxrpc_call *call, 500 struct sk_buff *skb, 501 u32 *_abort_code) 502 { 503 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 504 struct rxrpc_skb_priv *sp; 505 struct rxrpc_crypt iv; 506 struct scatterlist sg[2]; 507 struct { 508 __be32 x[2]; 509 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */ 510 u16 cksum; 511 u32 x, y; 512 int ret; 513 514 sp = rxrpc_skb(skb); 515 516 _enter("{%d{%x}},{#%u}", 517 call->debug_id, key_serial(call->conn->key), sp->hdr.seq); 518 519 if (!call->conn->cipher) 520 return 0; 521 522 if (sp->hdr.securityIndex != RXRPC_SECURITY_RXKAD) { 523 *_abort_code = RXKADINCONSISTENCY; 524 _leave(" = -EPROTO [not rxkad]"); 525 return -EPROTO; 526 } 527 528 /* continue encrypting from where we left off */ 529 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 530 531 /* validate the security checksum */ 532 x = call->channel << (32 - RXRPC_CIDSHIFT); 533 x |= sp->hdr.seq & 0x3fffffff; 534 tmpbuf.x[0] = htonl(call->call_id); 535 tmpbuf.x[1] = htonl(x); 536 537 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf)); 538 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf)); 539 540 skcipher_request_set_tfm(req, call->conn->cipher); 541 skcipher_request_set_callback(req, 0, NULL, NULL); 542 skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(tmpbuf), iv.x); 543 544 crypto_skcipher_encrypt(req); 545 skcipher_request_zero(req); 546 547 y = ntohl(tmpbuf.x[1]); 548 cksum = (y >> 16) & 0xffff; 549 if (cksum == 0) 550 cksum = 1; /* zero checksums are not permitted */ 551 552 if (sp->hdr.cksum != cksum) { 553 *_abort_code = RXKADSEALEDINCON; 554 _leave(" = -EPROTO [csum failed]"); 555 return -EPROTO; 556 } 557 558 switch (call->conn->security_level) { 559 case RXRPC_SECURITY_PLAIN: 560 ret = 0; 561 break; 562 case RXRPC_SECURITY_AUTH: 563 ret = rxkad_verify_packet_auth(call, skb, _abort_code); 564 break; 565 case RXRPC_SECURITY_ENCRYPT: 566 ret = rxkad_verify_packet_encrypt(call, skb, _abort_code); 567 break; 568 default: 569 ret = -ENOANO; 570 break; 571 } 572 573 _leave(" = %d", ret); 574 return ret; 575 } 576 577 /* 578 * issue a challenge 579 */ 580 static int rxkad_issue_challenge(struct rxrpc_connection *conn) 581 { 582 struct rxkad_challenge challenge; 583 struct rxrpc_wire_header whdr; 584 struct msghdr msg; 585 struct kvec iov[2]; 586 size_t len; 587 u32 serial; 588 int ret; 589 590 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key)); 591 592 ret = key_validate(conn->key); 593 if (ret < 0) 594 return ret; 595 596 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce)); 597 598 challenge.version = htonl(2); 599 challenge.nonce = htonl(conn->security_nonce); 600 challenge.min_level = htonl(0); 601 challenge.__padding = 0; 602 603 msg.msg_name = &conn->trans->peer->srx.transport.sin; 604 msg.msg_namelen = sizeof(conn->trans->peer->srx.transport.sin); 605 msg.msg_control = NULL; 606 msg.msg_controllen = 0; 607 msg.msg_flags = 0; 608 609 whdr.epoch = htonl(conn->epoch); 610 whdr.cid = htonl(conn->cid); 611 whdr.callNumber = 0; 612 whdr.seq = 0; 613 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE; 614 whdr.flags = conn->out_clientflag; 615 whdr.userStatus = 0; 616 whdr.securityIndex = conn->security_ix; 617 whdr._rsvd = 0; 618 whdr.serviceId = htons(conn->service_id); 619 620 iov[0].iov_base = &whdr; 621 iov[0].iov_len = sizeof(whdr); 622 iov[1].iov_base = &challenge; 623 iov[1].iov_len = sizeof(challenge); 624 625 len = iov[0].iov_len + iov[1].iov_len; 626 627 serial = atomic_inc_return(&conn->serial); 628 whdr.serial = htonl(serial); 629 _proto("Tx CHALLENGE %%%u", serial); 630 631 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len); 632 if (ret < 0) { 633 _debug("sendmsg failed: %d", ret); 634 return -EAGAIN; 635 } 636 637 _leave(" = 0"); 638 return 0; 639 } 640 641 /* 642 * send a Kerberos security response 643 */ 644 static int rxkad_send_response(struct rxrpc_connection *conn, 645 struct rxrpc_host_header *hdr, 646 struct rxkad_response *resp, 647 const struct rxkad_key *s2) 648 { 649 struct rxrpc_wire_header whdr; 650 struct msghdr msg; 651 struct kvec iov[3]; 652 size_t len; 653 u32 serial; 654 int ret; 655 656 _enter(""); 657 658 msg.msg_name = &conn->trans->peer->srx.transport.sin; 659 msg.msg_namelen = sizeof(conn->trans->peer->srx.transport.sin); 660 msg.msg_control = NULL; 661 msg.msg_controllen = 0; 662 msg.msg_flags = 0; 663 664 memset(&whdr, 0, sizeof(whdr)); 665 whdr.epoch = htonl(hdr->epoch); 666 whdr.cid = htonl(hdr->cid); 667 whdr.type = RXRPC_PACKET_TYPE_RESPONSE; 668 whdr.flags = conn->out_clientflag; 669 whdr.securityIndex = hdr->securityIndex; 670 whdr.serviceId = htons(hdr->serviceId); 671 672 iov[0].iov_base = &whdr; 673 iov[0].iov_len = sizeof(whdr); 674 iov[1].iov_base = resp; 675 iov[1].iov_len = sizeof(*resp); 676 iov[2].iov_base = (void *)s2->ticket; 677 iov[2].iov_len = s2->ticket_len; 678 679 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len; 680 681 serial = atomic_inc_return(&conn->serial); 682 whdr.serial = htonl(serial); 683 _proto("Tx RESPONSE %%%u", serial); 684 685 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); 686 if (ret < 0) { 687 _debug("sendmsg failed: %d", ret); 688 return -EAGAIN; 689 } 690 691 _leave(" = 0"); 692 return 0; 693 } 694 695 /* 696 * calculate the response checksum 697 */ 698 static void rxkad_calc_response_checksum(struct rxkad_response *response) 699 { 700 u32 csum = 1000003; 701 int loop; 702 u8 *p = (u8 *) response; 703 704 for (loop = sizeof(*response); loop > 0; loop--) 705 csum = csum * 0x10204081 + *p++; 706 707 response->encrypted.checksum = htonl(csum); 708 } 709 710 /* 711 * load a scatterlist with a potentially split-page buffer 712 */ 713 static void rxkad_sg_set_buf2(struct scatterlist sg[2], 714 void *buf, size_t buflen) 715 { 716 int nsg = 1; 717 718 sg_init_table(sg, 2); 719 720 sg_set_buf(&sg[0], buf, buflen); 721 if (sg[0].offset + buflen > PAGE_SIZE) { 722 /* the buffer was split over two pages */ 723 sg[0].length = PAGE_SIZE - sg[0].offset; 724 sg_set_buf(&sg[1], buf + sg[0].length, buflen - sg[0].length); 725 nsg++; 726 } 727 728 sg_mark_end(&sg[nsg - 1]); 729 730 ASSERTCMP(sg[0].length + sg[1].length, ==, buflen); 731 } 732 733 /* 734 * encrypt the response packet 735 */ 736 static void rxkad_encrypt_response(struct rxrpc_connection *conn, 737 struct rxkad_response *resp, 738 const struct rxkad_key *s2) 739 { 740 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher); 741 struct rxrpc_crypt iv; 742 struct scatterlist sg[2]; 743 744 /* continue encrypting from where we left off */ 745 memcpy(&iv, s2->session_key, sizeof(iv)); 746 747 rxkad_sg_set_buf2(sg, &resp->encrypted, sizeof(resp->encrypted)); 748 749 skcipher_request_set_tfm(req, conn->cipher); 750 skcipher_request_set_callback(req, 0, NULL, NULL); 751 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 752 753 crypto_skcipher_encrypt(req); 754 skcipher_request_zero(req); 755 } 756 757 /* 758 * respond to a challenge packet 759 */ 760 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn, 761 struct sk_buff *skb, 762 u32 *_abort_code) 763 { 764 const struct rxrpc_key_token *token; 765 struct rxkad_challenge challenge; 766 struct rxkad_response resp 767 __attribute__((aligned(8))); /* must be aligned for crypto */ 768 struct rxrpc_skb_priv *sp; 769 u32 version, nonce, min_level, abort_code; 770 int ret; 771 772 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key)); 773 774 if (!conn->key) { 775 _leave(" = -EPROTO [no key]"); 776 return -EPROTO; 777 } 778 779 ret = key_validate(conn->key); 780 if (ret < 0) { 781 *_abort_code = RXKADEXPIRED; 782 return ret; 783 } 784 785 abort_code = RXKADPACKETSHORT; 786 sp = rxrpc_skb(skb); 787 if (skb_copy_bits(skb, 0, &challenge, sizeof(challenge)) < 0) 788 goto protocol_error; 789 790 version = ntohl(challenge.version); 791 nonce = ntohl(challenge.nonce); 792 min_level = ntohl(challenge.min_level); 793 794 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }", 795 sp->hdr.serial, version, nonce, min_level); 796 797 abort_code = RXKADINCONSISTENCY; 798 if (version != RXKAD_VERSION) 799 goto protocol_error; 800 801 abort_code = RXKADLEVELFAIL; 802 if (conn->security_level < min_level) 803 goto protocol_error; 804 805 token = conn->key->payload.data[0]; 806 807 /* build the response packet */ 808 memset(&resp, 0, sizeof(resp)); 809 810 resp.version = htonl(RXKAD_VERSION); 811 resp.encrypted.epoch = htonl(conn->epoch); 812 resp.encrypted.cid = htonl(conn->cid); 813 resp.encrypted.securityIndex = htonl(conn->security_ix); 814 resp.encrypted.inc_nonce = htonl(nonce + 1); 815 resp.encrypted.level = htonl(conn->security_level); 816 resp.kvno = htonl(token->kad->kvno); 817 resp.ticket_len = htonl(token->kad->ticket_len); 818 819 resp.encrypted.call_id[0] = 820 htonl(conn->channels[0] ? conn->channels[0]->call_id : 0); 821 resp.encrypted.call_id[1] = 822 htonl(conn->channels[1] ? conn->channels[1]->call_id : 0); 823 resp.encrypted.call_id[2] = 824 htonl(conn->channels[2] ? conn->channels[2]->call_id : 0); 825 resp.encrypted.call_id[3] = 826 htonl(conn->channels[3] ? conn->channels[3]->call_id : 0); 827 828 /* calculate the response checksum and then do the encryption */ 829 rxkad_calc_response_checksum(&resp); 830 rxkad_encrypt_response(conn, &resp, token->kad); 831 return rxkad_send_response(conn, &sp->hdr, &resp, token->kad); 832 833 protocol_error: 834 *_abort_code = abort_code; 835 _leave(" = -EPROTO [%d]", abort_code); 836 return -EPROTO; 837 } 838 839 /* 840 * decrypt the kerberos IV ticket in the response 841 */ 842 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn, 843 void *ticket, size_t ticket_len, 844 struct rxrpc_crypt *_session_key, 845 time_t *_expiry, 846 u32 *_abort_code) 847 { 848 struct skcipher_request *req; 849 struct rxrpc_crypt iv, key; 850 struct scatterlist sg[1]; 851 struct in_addr addr; 852 unsigned int life; 853 time_t issue, now; 854 bool little_endian; 855 int ret; 856 u8 *p, *q, *name, *end; 857 858 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key)); 859 860 *_expiry = 0; 861 862 ret = key_validate(conn->server_key); 863 if (ret < 0) { 864 switch (ret) { 865 case -EKEYEXPIRED: 866 *_abort_code = RXKADEXPIRED; 867 goto error; 868 default: 869 *_abort_code = RXKADNOAUTH; 870 goto error; 871 } 872 } 873 874 ASSERT(conn->server_key->payload.data[0] != NULL); 875 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0); 876 877 memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv)); 878 879 req = skcipher_request_alloc(conn->server_key->payload.data[0], 880 GFP_NOFS); 881 if (!req) { 882 *_abort_code = RXKADNOAUTH; 883 ret = -ENOMEM; 884 goto error; 885 } 886 887 sg_init_one(&sg[0], ticket, ticket_len); 888 889 skcipher_request_set_callback(req, 0, NULL, NULL); 890 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x); 891 892 crypto_skcipher_decrypt(req); 893 skcipher_request_free(req); 894 895 p = ticket; 896 end = p + ticket_len; 897 898 #define Z(size) \ 899 ({ \ 900 u8 *__str = p; \ 901 q = memchr(p, 0, end - p); \ 902 if (!q || q - p > (size)) \ 903 goto bad_ticket; \ 904 for (; p < q; p++) \ 905 if (!isprint(*p)) \ 906 goto bad_ticket; \ 907 p++; \ 908 __str; \ 909 }) 910 911 /* extract the ticket flags */ 912 _debug("KIV FLAGS: %x", *p); 913 little_endian = *p & 1; 914 p++; 915 916 /* extract the authentication name */ 917 name = Z(ANAME_SZ); 918 _debug("KIV ANAME: %s", name); 919 920 /* extract the principal's instance */ 921 name = Z(INST_SZ); 922 _debug("KIV INST : %s", name); 923 924 /* extract the principal's authentication domain */ 925 name = Z(REALM_SZ); 926 _debug("KIV REALM: %s", name); 927 928 if (end - p < 4 + 8 + 4 + 2) 929 goto bad_ticket; 930 931 /* get the IPv4 address of the entity that requested the ticket */ 932 memcpy(&addr, p, sizeof(addr)); 933 p += 4; 934 _debug("KIV ADDR : %pI4", &addr); 935 936 /* get the session key from the ticket */ 937 memcpy(&key, p, sizeof(key)); 938 p += 8; 939 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1])); 940 memcpy(_session_key, &key, sizeof(key)); 941 942 /* get the ticket's lifetime */ 943 life = *p++ * 5 * 60; 944 _debug("KIV LIFE : %u", life); 945 946 /* get the issue time of the ticket */ 947 if (little_endian) { 948 __le32 stamp; 949 memcpy(&stamp, p, 4); 950 issue = le32_to_cpu(stamp); 951 } else { 952 __be32 stamp; 953 memcpy(&stamp, p, 4); 954 issue = be32_to_cpu(stamp); 955 } 956 p += 4; 957 now = get_seconds(); 958 _debug("KIV ISSUE: %lx [%lx]", issue, now); 959 960 /* check the ticket is in date */ 961 if (issue > now) { 962 *_abort_code = RXKADNOAUTH; 963 ret = -EKEYREJECTED; 964 goto error; 965 } 966 967 if (issue < now - life) { 968 *_abort_code = RXKADEXPIRED; 969 ret = -EKEYEXPIRED; 970 goto error; 971 } 972 973 *_expiry = issue + life; 974 975 /* get the service name */ 976 name = Z(SNAME_SZ); 977 _debug("KIV SNAME: %s", name); 978 979 /* get the service instance name */ 980 name = Z(INST_SZ); 981 _debug("KIV SINST: %s", name); 982 983 ret = 0; 984 error: 985 _leave(" = %d", ret); 986 return ret; 987 988 bad_ticket: 989 *_abort_code = RXKADBADTICKET; 990 ret = -EBADMSG; 991 goto error; 992 } 993 994 /* 995 * decrypt the response packet 996 */ 997 static void rxkad_decrypt_response(struct rxrpc_connection *conn, 998 struct rxkad_response *resp, 999 const struct rxrpc_crypt *session_key) 1000 { 1001 SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci); 1002 struct scatterlist sg[2]; 1003 struct rxrpc_crypt iv; 1004 1005 _enter(",,%08x%08x", 1006 ntohl(session_key->n[0]), ntohl(session_key->n[1])); 1007 1008 ASSERT(rxkad_ci != NULL); 1009 1010 mutex_lock(&rxkad_ci_mutex); 1011 if (crypto_skcipher_setkey(rxkad_ci, session_key->x, 1012 sizeof(*session_key)) < 0) 1013 BUG(); 1014 1015 memcpy(&iv, session_key, sizeof(iv)); 1016 1017 rxkad_sg_set_buf2(sg, &resp->encrypted, sizeof(resp->encrypted)); 1018 1019 skcipher_request_set_tfm(req, rxkad_ci); 1020 skcipher_request_set_callback(req, 0, NULL, NULL); 1021 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 1022 1023 crypto_skcipher_decrypt(req); 1024 skcipher_request_zero(req); 1025 1026 mutex_unlock(&rxkad_ci_mutex); 1027 1028 _leave(""); 1029 } 1030 1031 /* 1032 * verify a response 1033 */ 1034 static int rxkad_verify_response(struct rxrpc_connection *conn, 1035 struct sk_buff *skb, 1036 u32 *_abort_code) 1037 { 1038 struct rxkad_response response 1039 __attribute__((aligned(8))); /* must be aligned for crypto */ 1040 struct rxrpc_skb_priv *sp; 1041 struct rxrpc_crypt session_key; 1042 time_t expiry; 1043 void *ticket; 1044 u32 abort_code, version, kvno, ticket_len, level; 1045 __be32 csum; 1046 int ret; 1047 1048 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key)); 1049 1050 abort_code = RXKADPACKETSHORT; 1051 if (skb_copy_bits(skb, 0, &response, sizeof(response)) < 0) 1052 goto protocol_error; 1053 if (!pskb_pull(skb, sizeof(response))) 1054 BUG(); 1055 1056 version = ntohl(response.version); 1057 ticket_len = ntohl(response.ticket_len); 1058 kvno = ntohl(response.kvno); 1059 sp = rxrpc_skb(skb); 1060 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }", 1061 sp->hdr.serial, version, kvno, ticket_len); 1062 1063 abort_code = RXKADINCONSISTENCY; 1064 if (version != RXKAD_VERSION) 1065 goto protocol_error; 1066 1067 abort_code = RXKADTICKETLEN; 1068 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) 1069 goto protocol_error; 1070 1071 abort_code = RXKADUNKNOWNKEY; 1072 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) 1073 goto protocol_error; 1074 1075 /* extract the kerberos ticket and decrypt and decode it */ 1076 ticket = kmalloc(ticket_len, GFP_NOFS); 1077 if (!ticket) 1078 return -ENOMEM; 1079 1080 abort_code = RXKADPACKETSHORT; 1081 if (skb_copy_bits(skb, 0, ticket, ticket_len) < 0) 1082 goto protocol_error_free; 1083 1084 ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key, 1085 &expiry, &abort_code); 1086 if (ret < 0) { 1087 *_abort_code = abort_code; 1088 kfree(ticket); 1089 return ret; 1090 } 1091 1092 /* use the session key from inside the ticket to decrypt the 1093 * response */ 1094 rxkad_decrypt_response(conn, &response, &session_key); 1095 1096 abort_code = RXKADSEALEDINCON; 1097 if (ntohl(response.encrypted.epoch) != conn->epoch) 1098 goto protocol_error_free; 1099 if (ntohl(response.encrypted.cid) != conn->cid) 1100 goto protocol_error_free; 1101 if (ntohl(response.encrypted.securityIndex) != conn->security_ix) 1102 goto protocol_error_free; 1103 csum = response.encrypted.checksum; 1104 response.encrypted.checksum = 0; 1105 rxkad_calc_response_checksum(&response); 1106 if (response.encrypted.checksum != csum) 1107 goto protocol_error_free; 1108 1109 if (ntohl(response.encrypted.call_id[0]) > INT_MAX || 1110 ntohl(response.encrypted.call_id[1]) > INT_MAX || 1111 ntohl(response.encrypted.call_id[2]) > INT_MAX || 1112 ntohl(response.encrypted.call_id[3]) > INT_MAX) 1113 goto protocol_error_free; 1114 1115 abort_code = RXKADOUTOFSEQUENCE; 1116 if (ntohl(response.encrypted.inc_nonce) != conn->security_nonce + 1) 1117 goto protocol_error_free; 1118 1119 abort_code = RXKADLEVELFAIL; 1120 level = ntohl(response.encrypted.level); 1121 if (level > RXRPC_SECURITY_ENCRYPT) 1122 goto protocol_error_free; 1123 conn->security_level = level; 1124 1125 /* create a key to hold the security data and expiration time - after 1126 * this the connection security can be handled in exactly the same way 1127 * as for a client connection */ 1128 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); 1129 if (ret < 0) { 1130 kfree(ticket); 1131 return ret; 1132 } 1133 1134 kfree(ticket); 1135 _leave(" = 0"); 1136 return 0; 1137 1138 protocol_error_free: 1139 kfree(ticket); 1140 protocol_error: 1141 *_abort_code = abort_code; 1142 _leave(" = -EPROTO [%d]", abort_code); 1143 return -EPROTO; 1144 } 1145 1146 /* 1147 * clear the connection security 1148 */ 1149 static void rxkad_clear(struct rxrpc_connection *conn) 1150 { 1151 _enter(""); 1152 1153 if (conn->cipher) 1154 crypto_free_skcipher(conn->cipher); 1155 } 1156 1157 /* 1158 * Initialise the rxkad security service. 1159 */ 1160 static int rxkad_init(void) 1161 { 1162 /* pin the cipher we need so that the crypto layer doesn't invoke 1163 * keventd to go get it */ 1164 rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 1165 return PTR_ERR_OR_ZERO(rxkad_ci); 1166 } 1167 1168 /* 1169 * Clean up the rxkad security service. 1170 */ 1171 static void rxkad_exit(void) 1172 { 1173 if (rxkad_ci) 1174 crypto_free_skcipher(rxkad_ci); 1175 } 1176 1177 /* 1178 * RxRPC Kerberos-based security 1179 */ 1180 const struct rxrpc_security rxkad = { 1181 .name = "rxkad", 1182 .security_index = RXRPC_SECURITY_RXKAD, 1183 .init = rxkad_init, 1184 .exit = rxkad_exit, 1185 .init_connection_security = rxkad_init_connection_security, 1186 .prime_packet_security = rxkad_prime_packet_security, 1187 .secure_packet = rxkad_secure_packet, 1188 .verify_packet = rxkad_verify_packet, 1189 .issue_challenge = rxkad_issue_challenge, 1190 .respond_to_challenge = rxkad_respond_to_challenge, 1191 .verify_response = rxkad_verify_response, 1192 .clear = rxkad_clear, 1193 }; 1194