Lines Matching +full:realm +full:-
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Kerberos-based RxRPC security
18 #include <linux/key-type.h>
21 #include <keys/rxrpc-type.h>
22 #include "ar-internal.h"
57 * The data should be the 8-byte secret key.
63 if (prep->datalen != 8)
64 return -EINVAL;
66 memcpy(&prep->payload.data[2], prep->data, 8);
74 if (crypto_skcipher_setkey(ci, prep->data, 8) < 0)
77 prep->payload.data[0] = ci;
85 if (prep->payload.data[0])
86 crypto_free_skcipher(prep->payload.data[0]);
91 if (key->payload.data[0]) {
92 crypto_free_skcipher(key->payload.data[0]);
93 key->payload.data[0] = NULL;
106 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->key));
108 conn->security_ix = token->security_index;
117 if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
118 sizeof(token->kad->session_key)) < 0)
121 switch (conn->security_level) {
127 ret = -EKEYREJECTED;
135 conn->rxkad.cipher = ci;
153 remain = umin(remain, 65535 - sizeof(struct rxrpc_wire_header));
155 switch (call->conn->security_level) {
167 limit = round_down(RXRPC_JUMBO_DATALEN, RXKAD_ALIGN) - shdr;
180 txb->crypto_header = 0;
181 txb->sec_header = shdr;
182 txb->offset += shdr;
183 txb->space = part;
203 if (!conn->key)
208 return -ENOMEM;
210 req = skcipher_request_alloc(&ci->base, GFP_NOFS);
213 return -ENOMEM;
216 token = conn->key->payload.data[0];
217 memcpy(&iv, token->kad->session_key, sizeof(iv));
219 tmpbuf[0] = htonl(conn->proto.epoch);
220 tmpbuf[1] = htonl(conn->proto.cid);
222 tmpbuf[3] = htonl(conn->security_ix);
231 memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv));
243 struct crypto_skcipher *tfm = &call->conn->rxkad.cipher->base;
262 struct rxkad_level1_hdr *hdr = txb->data;
270 check = txb->seq ^ call->call_id;
271 hdr->data_size = htonl((u32)check << 16 | txb->len);
273 txb->pkt_len = sizeof(struct rxkad_level1_hdr) + txb->len;
274 pad = txb->pkt_len;
275 pad = RXKAD_ALIGN - pad;
276 pad &= RXKAD_ALIGN - 1;
278 memset(txb->data + txb->offset, 0, pad);
279 txb->pkt_len += pad;
286 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
304 struct rxkad_level2_hdr *rxkhdr = txb->data;
313 check = txb->seq ^ call->call_id;
315 rxkhdr->data_size = htonl(txb->len | (u32)check << 16);
316 rxkhdr->checksum = 0;
318 content = sizeof(struct rxkad_level2_hdr) + txb->len;
319 txb->pkt_len = round_up(content, RXKAD_ALIGN);
320 pad = txb->pkt_len - content;
322 memset(txb->data + txb->offset, 0, pad);
325 token = call->conn->key->payload.data[0];
326 memcpy(&iv, token->kad->session_key, sizeof(iv));
328 sg_init_one(&sg, rxkhdr, txb->pkt_len);
329 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
331 skcipher_request_set_crypt(req, &sg, &sg, txb->pkt_len, iv.x);
352 call->debug_id, key_serial(call->conn->key),
353 txb->seq, txb->len);
355 if (!call->conn->rxkad.cipher)
358 ret = key_validate(call->conn->key);
364 return -ENOMEM;
367 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
370 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
371 x |= txb->seq & 0x3fffffff;
372 crypto.buf[0] = htonl(call->call_id);
376 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
386 txb->cksum = htons(y);
388 switch (call->conn->security_level) {
390 txb->pkt_len = txb->len;
395 if (txb->alloc_size == RXRPC_JUMBO_DATALEN)
396 txb->jumboable = true;
400 if (txb->alloc_size == RXRPC_JUMBO_DATALEN)
401 txb->jumboable = true;
404 ret = -EPERM;
409 if (txb->pkt_len < txb->alloc_size) {
410 size_t gap = txb->alloc_size - txb->pkt_len;
411 void *p = txb->data;
413 memset(p + txb->pkt_len, 0, gap);
438 if (sp->len < 8)
442 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
446 ret = skb_to_sgvec(skb, sg, sp->offset, 8);
453 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
460 if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
463 sp->offset += sizeof(sechdr);
464 sp->len -= sizeof(sechdr);
470 check ^= seq ^ call->call_id;
475 if (data_size > sp->len)
478 sp->len = data_size;
500 _enter(",{%d}", sp->len);
502 if (sp->len < 8)
506 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
510 nsg = skb_shinfo(skb)->nr_frags + 1;
516 return -ENOMEM;
520 ret = skb_to_sgvec(skb, sg, sp->offset, sp->len);
528 token = call->conn->key->payload.data[0];
529 memcpy(&iv, token->kad->session_key, sizeof(iv));
531 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
533 skcipher_request_set_crypt(req, sg, sg, sp->len, iv.x);
540 if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
543 sp->offset += sizeof(sechdr);
544 sp->len -= sizeof(sechdr);
550 check ^= seq ^ call->call_id;
556 if (data_size > sp->len)
560 sp->len = data_size;
577 rxrpc_seq_t seq = sp->hdr.seq;
583 call->debug_id, key_serial(call->conn->key), seq);
585 if (!call->conn->rxkad.cipher)
590 return -ENOMEM;
593 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
596 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
598 crypto.buf[0] = htonl(call->call_id);
602 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
613 if (cksum != sp->hdr.cksum) {
619 switch (call->conn->security_level) {
630 ret = -ENOANO;
652 _enter("{%d}", conn->debug_id);
654 get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce));
657 challenge.nonce = htonl(conn->rxkad.nonce);
661 msg.msg_name = &conn->peer->srx.transport;
662 msg.msg_namelen = conn->peer->srx.transport_len;
667 whdr.epoch = htonl(conn->proto.epoch);
668 whdr.cid = htonl(conn->proto.cid);
672 whdr.flags = conn->out_clientflag;
674 whdr.securityIndex = conn->security_ix;
676 whdr.serviceId = htons(conn->service_id);
688 trace_rxrpc_tx_challenge(conn, serial, 0, conn->rxkad.nonce);
690 ret = kernel_sendmsg(conn->local->socket, &msg, iov, 2, len);
692 trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
694 return -EAGAIN;
697 conn->peer->last_tx_at = ktime_get_seconds();
698 trace_rxrpc_tx_packet(conn->debug_id, &whdr,
713 for (loop = sizeof(*response); loop > 0; loop--)
716 response->encrypted.checksum = htonl(csum);
729 size_t encsize = sizeof(((struct rxkad_response *)0)->encrypted);
739 req = skcipher_request_alloc(&conn->rxkad.cipher->base, GFP_NOFS);
741 return -ENOMEM;
744 memcpy(&iv, s2->session_key, sizeof(iv));
746 skcipher_request_set_sync_tfm(req, conn->rxkad.cipher);
765 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
767 if (!conn->key) {
768 rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO,
773 ret = key_validate(conn->key);
782 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
788 sp->chall.rxkad_nonce = ntohl(challenge.nonce);
791 trace_rxrpc_rx_challenge(conn, sp->hdr.serial, version,
792 sp->chall.rxkad_nonce, min_level);
795 rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
800 if (conn->security_level < min_level) {
801 rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EACCES,
825 h.whdr.epoch = htonl(conn->proto.epoch);
826 h.whdr.cid = htonl(conn->proto.cid);
831 h.whdr.flags = conn->out_clientflag;
833 h.whdr.securityIndex = conn->security_ix;
835 h.whdr.serviceId = htons(conn->service_id);
838 h.resp.encrypted.epoch = htonl(conn->proto.epoch);
839 h.resp.encrypted.cid = htonl(conn->proto.cid);
841 h.resp.encrypted.securityIndex = htonl(conn->security_ix);
842 h.resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
843 h.resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
844 h.resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
845 h.resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
846 h.resp.encrypted.inc_nonce = htonl(csp->chall.rxkad_nonce + 1);
847 h.resp.encrypted.level = htonl(conn->security_level);
848 h.resp.kvno = htonl(token->kad->kvno);
849 h.resp.ticket_len = htonl(token->kad->ticket_len);
868 int ret = -EPROTO;
870 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
872 ret = key_validate(conn->key);
877 token = conn->key->payload.data[0];
882 token->kad->ticket_len;
888 response->len = len;
889 response->data_len = len;
897 ret = rxkad_encrypt_response(conn, response, token->kad);
901 ret = skb_store_bits(response, offset, token->kad->ticket,
902 token->kad->ticket_len);
908 rsp->resp.len = len;
909 rsp->resp.challenge_serial = csp->hdr.serial;
926 return -EINVAL;
930 * rxkad_kernel_respond_to_challenge - Respond to a challenge with appdata
941 return rxkad_respond_to_challenge(csp->chall.conn, challenge);
964 _enter("{%d},{%x}", conn->debug_id, key_serial(server_key));
968 ASSERT(server_key->payload.data[0] != NULL);
971 memcpy(&iv, &server_key->payload.data[2], sizeof(iv));
973 req = skcipher_request_alloc(server_key->payload.data[0], GFP_NOFS);
975 return -ENOMEM;
989 q = memchr(p, 0, end - p); \
990 if (!q || q - p > field##_SZ) \
992 conn, skb, RXKADBADTICKET, -EPROTO, \
997 conn, skb, RXKADBADTICKET, -EPROTO, \
1017 name = Z(REALM, realm);
1018 _debug("KIV REALM: %s", name);
1020 if (end - p < 4 + 8 + 4 + 2)
1021 return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO,
1055 return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, -EKEYREJECTED,
1057 if (issue < now - life)
1058 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, -EKEYEXPIRED,
1085 ntohl(session_key->n[0]), ntohl(session_key->n[1]));
1088 if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
1095 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1098 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1123 _enter("{%d}", conn->debug_id);
1129 case -ENOKEY:
1132 case -EKEYEXPIRED:
1141 ret = -ENOMEM;
1148 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1153 version = ntohl(response->version);
1154 ticket_len = ntohl(response->ticket_len);
1155 kvno = ntohl(response->kvno);
1157 trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len);
1160 rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
1166 rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO,
1172 rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO,
1178 ret = -ENOMEM;
1185 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1199 if (ntohl(response->encrypted.epoch) != conn->proto.epoch ||
1200 ntohl(response->encrypted.cid) != conn->proto.cid ||
1201 ntohl(response->encrypted.securityIndex) != conn->security_ix) {
1202 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1207 csum = response->encrypted.checksum;
1208 response->encrypted.checksum = 0;
1210 if (response->encrypted.checksum != csum) {
1211 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1217 u32 call_id = ntohl(response->encrypted.call_id[i]);
1218 u32 counter = READ_ONCE(conn->channels[i].call_counter);
1221 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1227 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1233 if (conn->channels[i].call) {
1234 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1238 conn->channels[i].call_counter = call_id;
1242 if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) {
1243 rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO,
1248 level = ntohl(response->encrypted.level);
1250 rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO,
1254 conn->security_level = level;
1256 /* create a key to hold the security data and expiration time - after
1273 return -EPROTO;
1295 if (conn->rxkad.cipher)
1296 crypto_free_sync_skcipher(conn->rxkad.cipher);
1313 req = skcipher_request_alloc(&tfm->base, GFP_KERNEL);
1323 return -ENOMEM;
1336 * RxRPC Kerberos-based security