1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Kerberos-based RxRPC security 3 * 4 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 9 10 #include <crypto/des.h> 11 #include <kunit/visibility.h> 12 #include <linux/export.h> 13 #include <linux/fips.h> 14 #include <linux/module.h> 15 #include <linux/net.h> 16 #include <linux/skbuff.h> 17 #include <linux/udp.h> 18 #include <linux/ctype.h> 19 #include <linux/slab.h> 20 #include <linux/key-type.h> 21 #include <linux/unaligned.h> 22 #include <net/sock.h> 23 #include <net/af_rxrpc.h> 24 #include <keys/rxrpc-type.h> 25 #include "ar-internal.h" 26 27 #define RXKAD_VERSION 2 28 #define MAXKRB5TICKETLEN 1024 29 #define RXKAD_TKT_TYPE_KERBEROS_V5 256 30 #define ANAME_SZ 40 /* size of authentication name */ 31 #define INST_SZ 40 /* size of principal's instance */ 32 #define REALM_SZ 40 /* size of principal's auth domain */ 33 #define SNAME_SZ 40 /* size of service name */ 34 #define RXKAD_ALIGN 8 35 36 static const u8 zero_iv[FCRYPT_BSIZE]; 37 38 struct rxkad_level1_hdr { 39 __be32 data_size; /* true data size (excluding padding) */ 40 }; 41 42 struct rxkad_level2_hdr { 43 __be32 data_size; /* true data size (excluding padding) */ 44 __be32 checksum; /* decrypted data checksum */ 45 }; 46 47 static void rxkad_prime_packet_security(struct rxrpc_connection *conn, 48 const struct fcrypt_key *cipher); 49 50 /* 51 * Parse the information from a server key 52 * 53 * The data should be the 8-byte secret key. 54 */ 55 static int rxkad_preparse_server_key(struct key_preparsed_payload *prep) 56 { 57 struct des_ctx *des_key; 58 int err; 59 60 if (prep->datalen != 8) 61 return -EINVAL; 62 63 memcpy(&prep->payload.data[2], prep->data, 8); 64 65 des_key = kmalloc_obj(*des_key); 66 if (!des_key) { 67 _leave(" = -ENOMEM"); 68 return -ENOMEM; 69 } 70 71 err = des_expand_key(des_key, prep->data, 8); 72 if (err) { 73 kfree_sensitive(des_key); 74 _leave(" = %d", err); 75 return err; 76 } 77 78 prep->payload.data[0] = des_key; 79 _leave(" = 0"); 80 return 0; 81 } 82 83 static void rxkad_free_preparse_server_key(struct key_preparsed_payload *prep) 84 { 85 kfree_sensitive(prep->payload.data[0]); 86 } 87 88 static void rxkad_destroy_server_key(struct key *key) 89 { 90 kfree_sensitive(key->payload.data[0]); 91 key->payload.data[0] = NULL; 92 } 93 94 /* 95 * initialise connection security 96 */ 97 static int rxkad_init_connection_security(struct rxrpc_connection *conn, 98 struct rxrpc_key_token *token) 99 { 100 struct fcrypt_key *ci; 101 int ret; 102 103 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->key)); 104 105 conn->security_ix = token->security_index; 106 107 ci = kmalloc_obj(*ci); 108 if (!ci) { 109 ret = -ENOMEM; 110 goto error; 111 } 112 fcrypt_preparekey(ci, token->kad->session_key); 113 114 switch (conn->security_level) { 115 case RXRPC_SECURITY_PLAIN: 116 case RXRPC_SECURITY_AUTH: 117 case RXRPC_SECURITY_ENCRYPT: 118 break; 119 default: 120 ret = -EKEYREJECTED; 121 goto error_ci; 122 } 123 124 rxkad_prime_packet_security(conn, ci); 125 126 conn->rxkad.cipher = ci; 127 return 0; 128 129 error_ci: 130 kfree_sensitive(ci); 131 error: 132 _leave(" = %d", ret); 133 return ret; 134 } 135 136 /* 137 * Work out how much data we can put in a packet. 138 */ 139 static struct rxrpc_txbuf *rxkad_alloc_txbuf(struct rxrpc_call *call, size_t remain, gfp_t gfp) 140 { 141 struct rxrpc_txbuf *txb; 142 size_t shdr, alloc, limit, part; 143 144 remain = umin(remain, 65535 - sizeof(struct rxrpc_wire_header)); 145 146 switch (call->conn->security_level) { 147 default: 148 alloc = umin(remain, RXRPC_JUMBO_DATALEN); 149 return rxrpc_alloc_data_txbuf(call, alloc, 1, gfp); 150 case RXRPC_SECURITY_AUTH: 151 shdr = sizeof(struct rxkad_level1_hdr); 152 break; 153 case RXRPC_SECURITY_ENCRYPT: 154 shdr = sizeof(struct rxkad_level2_hdr); 155 break; 156 } 157 158 limit = round_down(RXRPC_JUMBO_DATALEN, RXKAD_ALIGN) - shdr; 159 if (remain < limit) { 160 part = remain; 161 alloc = round_up(shdr + part, RXKAD_ALIGN); 162 } else { 163 part = limit; 164 alloc = RXRPC_JUMBO_DATALEN; 165 } 166 167 txb = rxrpc_alloc_data_txbuf(call, alloc, RXKAD_ALIGN, gfp); 168 if (!txb) 169 return NULL; 170 171 txb->crypto_header = 0; 172 txb->sec_header = shdr; 173 txb->offset += shdr; 174 txb->space = part; 175 return txb; 176 } 177 178 /* 179 * prime the encryption state with the invariant parts of a connection's 180 * description 181 */ 182 static void rxkad_prime_packet_security(struct rxrpc_connection *conn, 183 const struct fcrypt_key *cipher) 184 { 185 struct rxrpc_key_token *token; 186 __be32 tmpbuf[4]; 187 188 _enter(""); 189 190 if (!conn->key) 191 return; 192 token = conn->key->payload.data[0]; 193 194 tmpbuf[0] = htonl(conn->proto.epoch); 195 tmpbuf[1] = htonl(conn->proto.cid); 196 tmpbuf[2] = 0; 197 tmpbuf[3] = htonl(conn->security_ix); 198 199 static_assert(sizeof(tmpbuf) % FCRYPT_BSIZE == 0); 200 fcrypt_pcbc_encrypt(cipher, /* iv= */ token->kad->session_key, tmpbuf, 201 tmpbuf, sizeof(tmpbuf) / FCRYPT_BSIZE); 202 memcpy(&conn->rxkad.csum_iv, &tmpbuf[2], sizeof(conn->rxkad.csum_iv)); 203 _leave(""); 204 } 205 206 /* 207 * Clean up the crypto on a call. 208 */ 209 static void rxkad_free_call_crypto(struct rxrpc_call *call) 210 { 211 } 212 213 /* 214 * partially encrypt a packet (level 1 security) 215 */ 216 static void rxkad_secure_packet_auth(const struct rxrpc_call *call, 217 struct rxrpc_txbuf *txb) 218 { 219 struct rxkad_level1_hdr *hdr = txb->data; 220 size_t pad; 221 u16 check; 222 223 _enter(""); 224 225 check = txb->seq ^ call->call_id; 226 hdr->data_size = htonl((u32)check << 16 | txb->len); 227 228 txb->pkt_len = sizeof(struct rxkad_level1_hdr) + txb->len; 229 pad = txb->pkt_len; 230 pad = RXKAD_ALIGN - pad; 231 pad &= RXKAD_ALIGN - 1; 232 if (pad) { 233 memset(txb->data + txb->offset, 0, pad); 234 txb->pkt_len += pad; 235 } 236 237 /* start the encryption afresh */ 238 fcrypt_pcbc_encrypt(call->conn->rxkad.cipher, zero_iv, hdr, hdr, 1); 239 _leave(""); 240 } 241 242 /* 243 * wholly encrypt a packet (level 2 security) 244 */ 245 static void rxkad_secure_packet_encrypt(const struct rxrpc_call *call, 246 struct rxrpc_txbuf *txb) 247 { 248 const struct rxrpc_key_token *token; 249 struct rxkad_level2_hdr *rxkhdr = txb->data; 250 size_t content, pad; 251 u16 check; 252 253 _enter(""); 254 255 check = txb->seq ^ call->call_id; 256 257 rxkhdr->data_size = htonl(txb->len | (u32)check << 16); 258 rxkhdr->checksum = 0; 259 260 content = sizeof(struct rxkad_level2_hdr) + txb->len; 261 static_assert(RXKAD_ALIGN == FCRYPT_BSIZE); 262 txb->pkt_len = round_up(content, RXKAD_ALIGN); 263 pad = txb->pkt_len - content; 264 if (pad) 265 memset(txb->data + txb->offset, 0, pad); 266 /* Now txb->pkt_len % FCRYPT_BSIZE == 0. */ 267 268 /* encrypt from the session key */ 269 token = call->conn->key->payload.data[0]; 270 fcrypt_pcbc_encrypt(call->conn->rxkad.cipher, token->kad->session_key, 271 rxkhdr, rxkhdr, txb->pkt_len / FCRYPT_BSIZE); 272 _leave(""); 273 } 274 275 /* 276 * checksum an RxRPC packet header 277 */ 278 static int rxkad_secure_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb) 279 { 280 union { 281 __be32 buf[2]; 282 } crypto __aligned(8); 283 u32 x, y = 0; 284 int ret; 285 286 _enter("{%d{%x}},{#%u},%u,", 287 call->debug_id, key_serial(call->conn->key), 288 txb->seq, txb->len); 289 290 if (!call->conn->rxkad.cipher) 291 return 0; 292 293 ret = key_validate(call->conn->key); 294 if (ret < 0) 295 return ret; 296 297 /* calculate the security checksum */ 298 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 299 x |= txb->seq & 0x3fffffff; 300 crypto.buf[0] = htonl(call->call_id); 301 crypto.buf[1] = htonl(x); 302 303 /* continue encrypting from where we left off */ 304 fcrypt_pcbc_encrypt(call->conn->rxkad.cipher, 305 call->conn->rxkad.csum_iv.x, crypto.buf, crypto.buf, 306 1); 307 308 y = ntohl(crypto.buf[1]); 309 y = (y >> 16) & 0xffff; 310 if (y == 0) 311 y = 1; /* zero checksums are not permitted */ 312 txb->cksum = htons(y); 313 314 switch (call->conn->security_level) { 315 case RXRPC_SECURITY_PLAIN: 316 txb->pkt_len = txb->len; 317 ret = 0; 318 break; 319 case RXRPC_SECURITY_AUTH: 320 rxkad_secure_packet_auth(call, txb); 321 if (txb->alloc_size == RXRPC_JUMBO_DATALEN) 322 txb->jumboable = true; 323 ret = 0; 324 break; 325 case RXRPC_SECURITY_ENCRYPT: 326 rxkad_secure_packet_encrypt(call, txb); 327 if (txb->alloc_size == RXRPC_JUMBO_DATALEN) 328 txb->jumboable = true; 329 ret = 0; 330 break; 331 default: 332 ret = -EPERM; 333 break; 334 } 335 336 /* Clear excess space in the packet */ 337 if (txb->pkt_len < txb->alloc_size) { 338 size_t gap = txb->alloc_size - txb->pkt_len; 339 void *p = txb->data; 340 341 memset(p + txb->pkt_len, 0, gap); 342 } 343 344 _leave(" = %d [set %x]", ret, y); 345 return ret; 346 } 347 348 /* 349 * decrypt partial encryption on a packet (level 1 security) 350 */ 351 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb, 352 rxrpc_seq_t seq) 353 { 354 struct rxkad_level1_hdr *sechdr; 355 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 356 void *data = call->rx_dec_buffer; 357 u32 len = sp->len, data_size, buf; 358 u16 check; 359 360 _enter(""); 361 362 if (len < 8) 363 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, 364 rxkad_abort_1_short_header); 365 366 /* Decrypt the first 8-byte block of the packet, using the zero IV. */ 367 fcrypt_pcbc_decrypt(call->conn->rxkad.cipher, zero_iv, data, data, 1); 368 369 /* Extract the decrypted packet length */ 370 sechdr = data; 371 call->rx_dec_offset = sizeof(*sechdr); 372 len -= sizeof(*sechdr); 373 374 buf = ntohl(sechdr->data_size); 375 data_size = buf & 0xffff; 376 377 check = buf >> 16; 378 check ^= seq ^ call->call_id; 379 check &= 0xffff; 380 if (check != 0) 381 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, 382 rxkad_abort_1_short_check); 383 if (data_size > len) 384 return rxrpc_abort_eproto(call, skb, RXKADDATALEN, 385 rxkad_abort_1_short_data); 386 call->rx_dec_len = data_size; 387 388 _leave(" = 0 [dlen=%x]", data_size); 389 return 0; 390 } 391 392 /* 393 * wholly decrypt a packet (level 2 security) 394 */ 395 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb, 396 rxrpc_seq_t seq) 397 { 398 const struct rxrpc_key_token *token; 399 struct rxkad_level2_hdr *sechdr; 400 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 401 void *data = call->rx_dec_buffer; 402 u32 len = sp->len, data_size, buf; 403 u16 check; 404 405 _enter(",{%d}", len); 406 407 if (len < 8) 408 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, 409 rxkad_abort_2_short_header); 410 411 /* Don't let the crypto algo see a misaligned length. */ 412 len = round_down(len, 8); 413 414 /* decrypt from the session key */ 415 token = call->conn->key->payload.data[0]; 416 fcrypt_pcbc_decrypt(call->conn->rxkad.cipher, token->kad->session_key, 417 data, data, len / FCRYPT_BSIZE); 418 419 /* Extract the decrypted packet length */ 420 sechdr = data; 421 call->rx_dec_offset = sizeof(*sechdr); 422 len -= sizeof(*sechdr); 423 424 buf = ntohl(sechdr->data_size); 425 data_size = buf & 0xffff; 426 427 check = buf >> 16; 428 check ^= seq ^ call->call_id; 429 check &= 0xffff; 430 if (check != 0) 431 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, 432 rxkad_abort_2_short_check); 433 434 if (data_size > len) 435 return rxrpc_abort_eproto(call, skb, RXKADDATALEN, 436 rxkad_abort_2_short_data); 437 438 call->rx_dec_len = data_size; 439 _leave(" = 0 [dlen=%x]", data_size); 440 return 0; 441 } 442 443 /* 444 * Verify the security on a received (sub)packet. If the packet needs 445 * modifying (e.g. decrypting), it must be copied. 446 */ 447 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb) 448 { 449 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 450 union { 451 __be32 buf[2]; 452 } crypto __aligned(8); 453 rxrpc_seq_t seq = sp->hdr.seq; 454 int ret; 455 u16 cksum; 456 u32 x, y; 457 458 _enter("{%d{%x}},{#%u}", 459 call->debug_id, key_serial(call->conn->key), seq); 460 461 if (!call->conn->rxkad.cipher) 462 return 0; 463 464 /* validate the security checksum */ 465 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 466 x |= seq & 0x3fffffff; 467 crypto.buf[0] = htonl(call->call_id); 468 crypto.buf[1] = htonl(x); 469 470 /* continue encrypting from where we left off */ 471 fcrypt_pcbc_encrypt(call->conn->rxkad.cipher, 472 call->conn->rxkad.csum_iv.x, crypto.buf, crypto.buf, 473 1); 474 475 y = ntohl(crypto.buf[1]); 476 cksum = (y >> 16) & 0xffff; 477 if (cksum == 0) 478 cksum = 1; /* zero checksums are not permitted */ 479 480 if (cksum != sp->hdr.cksum) { 481 ret = rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, 482 rxkad_abort_bad_checksum); 483 goto out; 484 } 485 486 switch (call->conn->security_level) { 487 case RXRPC_SECURITY_PLAIN: 488 ret = 0; 489 break; 490 case RXRPC_SECURITY_AUTH: 491 ret = rxkad_verify_packet_1(call, skb, seq); 492 break; 493 case RXRPC_SECURITY_ENCRYPT: 494 ret = rxkad_verify_packet_2(call, skb, seq); 495 break; 496 default: 497 ret = -ENOANO; 498 break; 499 } 500 out: 501 return ret; 502 } 503 504 /* 505 * issue a challenge 506 */ 507 static int rxkad_issue_challenge(struct rxrpc_connection *conn) 508 { 509 struct rxkad_challenge challenge; 510 struct rxrpc_wire_header whdr; 511 struct msghdr msg; 512 struct kvec iov[2]; 513 size_t len; 514 u32 serial; 515 int ret; 516 517 _enter("{%d}", conn->debug_id); 518 519 get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce)); 520 521 challenge.version = htonl(2); 522 challenge.nonce = htonl(conn->rxkad.nonce); 523 challenge.min_level = htonl(0); 524 challenge.__padding = 0; 525 526 msg.msg_name = &conn->peer->srx.transport; 527 msg.msg_namelen = conn->peer->srx.transport_len; 528 msg.msg_control = NULL; 529 msg.msg_controllen = 0; 530 msg.msg_flags = 0; 531 532 whdr.epoch = htonl(conn->proto.epoch); 533 whdr.cid = htonl(conn->proto.cid); 534 whdr.callNumber = 0; 535 whdr.seq = 0; 536 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE; 537 whdr.flags = conn->out_clientflag; 538 whdr.userStatus = 0; 539 whdr.securityIndex = conn->security_ix; 540 whdr._rsvd = 0; 541 whdr.serviceId = htons(conn->service_id); 542 543 iov[0].iov_base = &whdr; 544 iov[0].iov_len = sizeof(whdr); 545 iov[1].iov_base = &challenge; 546 iov[1].iov_len = sizeof(challenge); 547 548 len = iov[0].iov_len + iov[1].iov_len; 549 550 serial = rxrpc_get_next_serial(conn); 551 whdr.serial = htonl(serial); 552 553 trace_rxrpc_tx_challenge(conn, serial, 0, conn->rxkad.nonce); 554 555 ret = kernel_sendmsg(conn->local->socket, &msg, iov, 2, len); 556 if (ret < 0) { 557 trace_rxrpc_tx_fail(conn->debug_id, serial, ret, 558 rxrpc_tx_point_rxkad_challenge); 559 return -EAGAIN; 560 } 561 562 rxrpc_peer_mark_tx(conn->peer); 563 trace_rxrpc_tx_packet(conn->debug_id, &whdr, 564 rxrpc_tx_point_rxkad_challenge); 565 _leave(" = 0"); 566 return 0; 567 } 568 569 /* 570 * calculate the response checksum 571 */ 572 static void rxkad_calc_response_checksum(struct rxkad_response *response) 573 { 574 u32 csum = 1000003; 575 int loop; 576 u8 *p = (u8 *) response; 577 578 for (loop = sizeof(*response); loop > 0; loop--) 579 csum = csum * 0x10204081 + *p++; 580 581 response->encrypted.checksum = htonl(csum); 582 } 583 584 /* 585 * Validate a challenge packet. 586 */ 587 static bool rxkad_validate_challenge(struct rxrpc_connection *conn, 588 struct sk_buff *skb) 589 { 590 struct rxkad_challenge challenge; 591 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 592 u32 version, min_level; 593 int ret; 594 595 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key)); 596 597 if (!conn->key) { 598 rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO, 599 rxkad_abort_chall_no_key); 600 return false; 601 } 602 603 ret = key_validate(conn->key); 604 if (ret < 0) { 605 rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret, 606 rxkad_abort_chall_key_expired); 607 return false; 608 } 609 610 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 611 &challenge, sizeof(challenge)) < 0) { 612 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO, 613 rxkad_abort_chall_short); 614 return false; 615 } 616 617 version = ntohl(challenge.version); 618 sp->chall.rxkad_nonce = ntohl(challenge.nonce); 619 min_level = ntohl(challenge.min_level); 620 621 trace_rxrpc_rx_challenge(conn, sp->hdr.serial, version, 622 sp->chall.rxkad_nonce, min_level); 623 624 if (version != RXKAD_VERSION) { 625 rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO, 626 rxkad_abort_chall_version); 627 return false; 628 } 629 630 if (conn->security_level < min_level) { 631 rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EACCES, 632 rxkad_abort_chall_level); 633 return false; 634 } 635 return true; 636 } 637 638 /* 639 * Insert the header into the response. 640 */ 641 static noinline 642 int rxkad_insert_response_header(struct rxrpc_connection *conn, 643 const struct rxrpc_key_token *token, 644 struct sk_buff *challenge, 645 struct sk_buff *response, 646 size_t *offset) 647 { 648 struct rxrpc_skb_priv *csp = rxrpc_skb(challenge); 649 struct { 650 struct rxrpc_wire_header whdr; 651 struct rxkad_response resp; 652 } h; 653 int ret; 654 655 h.whdr.epoch = htonl(conn->proto.epoch); 656 h.whdr.cid = htonl(conn->proto.cid); 657 h.whdr.callNumber = 0; 658 h.whdr.serial = 0; 659 h.whdr.seq = 0; 660 h.whdr.type = RXRPC_PACKET_TYPE_RESPONSE; 661 h.whdr.flags = conn->out_clientflag; 662 h.whdr.userStatus = 0; 663 h.whdr.securityIndex = conn->security_ix; 664 h.whdr.cksum = 0; 665 h.whdr.serviceId = htons(conn->service_id); 666 h.resp.version = htonl(RXKAD_VERSION); 667 h.resp.__pad = 0; 668 h.resp.encrypted.epoch = htonl(conn->proto.epoch); 669 h.resp.encrypted.cid = htonl(conn->proto.cid); 670 h.resp.encrypted.checksum = 0; 671 h.resp.encrypted.securityIndex = htonl(conn->security_ix); 672 h.resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter); 673 h.resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter); 674 h.resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter); 675 h.resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter); 676 h.resp.encrypted.inc_nonce = htonl(csp->chall.rxkad_nonce + 1); 677 h.resp.encrypted.level = htonl(conn->security_level); 678 h.resp.kvno = htonl(token->kad->kvno); 679 h.resp.ticket_len = htonl(token->kad->ticket_len); 680 681 rxkad_calc_response_checksum(&h.resp); 682 683 /* encrypt the response packet */ 684 static_assert(sizeof(h.resp.encrypted) % FCRYPT_BSIZE == 0); 685 fcrypt_pcbc_encrypt(conn->rxkad.cipher, token->kad->session_key, 686 &h.resp.encrypted, &h.resp.encrypted, 687 sizeof(h.resp.encrypted) / FCRYPT_BSIZE); 688 689 ret = skb_store_bits(response, *offset, &h, sizeof(h)); 690 *offset += sizeof(h); 691 return ret; 692 } 693 694 /* 695 * respond to a challenge packet 696 */ 697 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn, 698 struct sk_buff *challenge) 699 { 700 const struct rxrpc_key_token *token; 701 struct rxrpc_skb_priv *csp, *rsp; 702 struct sk_buff *response; 703 size_t len, offset = 0; 704 int ret = -EPROTO; 705 706 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key)); 707 708 ret = key_validate(conn->key); 709 if (ret < 0) 710 return rxrpc_abort_conn(conn, challenge, RXKADEXPIRED, ret, 711 rxkad_abort_chall_key_expired); 712 713 token = conn->key->payload.data[0]; 714 715 /* build the response packet */ 716 len = sizeof(struct rxrpc_wire_header) + 717 sizeof(struct rxkad_response) + 718 token->kad->ticket_len; 719 720 response = alloc_skb_with_frags(0, len, 0, &ret, GFP_NOFS); 721 if (!response) 722 goto error; 723 rxrpc_new_skb(response, rxrpc_skb_new_response_rxkad); 724 response->len = len; 725 response->data_len = len; 726 727 offset = 0; 728 ret = rxkad_insert_response_header(conn, token, challenge, response, 729 &offset); 730 if (ret < 0) 731 goto error; 732 733 ret = skb_store_bits(response, offset, token->kad->ticket, 734 token->kad->ticket_len); 735 if (ret < 0) 736 goto error; 737 738 csp = rxrpc_skb(challenge); 739 rsp = rxrpc_skb(response); 740 rsp->resp.len = len; 741 rsp->resp.challenge_serial = csp->hdr.serial; 742 rxrpc_post_response(conn, response); 743 response = NULL; 744 ret = 0; 745 746 error: 747 rxrpc_free_skb(response, rxrpc_skb_put_response); 748 return ret; 749 } 750 751 /* 752 * RxKAD does automatic response only as there's nothing to manage that isn't 753 * already in the key. 754 */ 755 static int rxkad_sendmsg_respond_to_challenge(struct sk_buff *challenge, 756 struct msghdr *msg) 757 { 758 return -EINVAL; 759 } 760 761 /** 762 * rxkad_kernel_respond_to_challenge - Respond to a challenge with appdata 763 * @challenge: The challenge to respond to 764 * 765 * Allow a kernel application to respond to a CHALLENGE. 766 * 767 * Return: %0 if successful and a negative error code otherwise. 768 */ 769 int rxkad_kernel_respond_to_challenge(struct sk_buff *challenge) 770 { 771 struct rxrpc_skb_priv *csp = rxrpc_skb(challenge); 772 773 return rxkad_respond_to_challenge(csp->chall.conn, challenge); 774 } 775 EXPORT_SYMBOL(rxkad_kernel_respond_to_challenge); 776 777 /* Decrypt data in-place using DES-PCBC. @len must be a multiple of 8. */ 778 VISIBLE_IF_KUNIT void des_pcbc_decrypt_inplace(const struct des_ctx *key, 779 __le64 iv, u8 *data, size_t len) 780 { 781 for (size_t i = 0; i < len; i += DES_BLOCK_SIZE) { 782 __le64 ctext, ptext; 783 784 ctext = get_unaligned((const __le64 *)&data[i]); 785 des_decrypt(key, (u8 *)&ptext, (const u8 *)&ctext); 786 ptext ^= iv; 787 put_unaligned(ptext, (__le64 *)&data[i]); 788 iv = ptext ^ ctext; 789 } 790 } 791 EXPORT_SYMBOL_IF_KUNIT(des_pcbc_decrypt_inplace); 792 793 /* 794 * decrypt the kerberos IV ticket in the response 795 */ 796 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn, 797 struct key *server_key, 798 struct sk_buff *skb, 799 void *ticket, size_t ticket_len, 800 struct rxrpc_crypt *_session_key, 801 time64_t *_expiry) 802 { 803 struct rxrpc_crypt key; 804 struct in_addr addr; 805 unsigned int life; 806 time64_t issue, now; 807 bool little_endian; 808 u8 *p, *q, *name, *end; 809 810 _enter("{%d},{%x}", conn->debug_id, key_serial(server_key)); 811 812 *_expiry = 0; 813 814 ASSERT(server_key->payload.data[0] != NULL); 815 816 if (ticket_len % DES_BLOCK_SIZE != 0) 817 return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO, 818 rxkad_abort_resp_tkt_short); 819 des_pcbc_decrypt_inplace( 820 server_key->payload.data[0], 821 get_unaligned((const __le64 *)&server_key->payload.data[2]), 822 ticket, ticket_len); 823 p = ticket; 824 end = p + ticket_len; 825 826 #define Z(field, fieldl) \ 827 ({ \ 828 u8 *__str = p; \ 829 q = memchr(p, 0, end - p); \ 830 if (!q || q - p > field##_SZ) \ 831 return rxrpc_abort_conn( \ 832 conn, skb, RXKADBADTICKET, -EPROTO, \ 833 rxkad_abort_resp_tkt_##fieldl); \ 834 for (; p < q; p++) \ 835 if (!isprint(*p)) \ 836 return rxrpc_abort_conn( \ 837 conn, skb, RXKADBADTICKET, -EPROTO, \ 838 rxkad_abort_resp_tkt_##fieldl); \ 839 p++; \ 840 __str; \ 841 }) 842 843 /* extract the ticket flags */ 844 _debug("KIV FLAGS: %x", *p); 845 little_endian = *p & 1; 846 p++; 847 848 /* extract the authentication name */ 849 name = Z(ANAME, aname); 850 _debug("KIV ANAME: %s", name); 851 852 /* extract the principal's instance */ 853 name = Z(INST, inst); 854 _debug("KIV INST : %s", name); 855 856 /* extract the principal's authentication domain */ 857 name = Z(REALM, realm); 858 _debug("KIV REALM: %s", name); 859 860 if (end - p < 4 + 8 + 4 + 2) 861 return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO, 862 rxkad_abort_resp_tkt_short); 863 864 /* get the IPv4 address of the entity that requested the ticket */ 865 memcpy(&addr, p, sizeof(addr)); 866 p += 4; 867 _debug("KIV ADDR : %pI4", &addr); 868 869 /* get the session key from the ticket */ 870 memcpy(&key, p, sizeof(key)); 871 p += 8; 872 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1])); 873 memcpy(_session_key, &key, sizeof(key)); 874 875 /* get the ticket's lifetime */ 876 life = *p++ * 5 * 60; 877 _debug("KIV LIFE : %u", life); 878 879 /* get the issue time of the ticket */ 880 if (little_endian) { 881 __le32 stamp; 882 memcpy(&stamp, p, 4); 883 issue = rxrpc_u32_to_time64(le32_to_cpu(stamp)); 884 } else { 885 __be32 stamp; 886 memcpy(&stamp, p, 4); 887 issue = rxrpc_u32_to_time64(be32_to_cpu(stamp)); 888 } 889 p += 4; 890 now = ktime_get_real_seconds(); 891 _debug("KIV ISSUE: %llx [%llx]", issue, now); 892 893 /* check the ticket is in date */ 894 if (issue > now) 895 return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, -EKEYREJECTED, 896 rxkad_abort_resp_tkt_future); 897 if (issue < now - life) 898 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, -EKEYEXPIRED, 899 rxkad_abort_resp_tkt_expired); 900 901 *_expiry = issue + life; 902 903 /* get the service name */ 904 name = Z(SNAME, sname); 905 _debug("KIV SNAME: %s", name); 906 907 /* get the service instance name */ 908 name = Z(INST, sinst); 909 _debug("KIV SINST: %s", name); 910 return 0; 911 } 912 913 /* 914 * decrypt the response packet 915 */ 916 static void rxkad_decrypt_response(struct rxrpc_connection *conn, 917 struct rxkad_response *resp, 918 const struct rxrpc_crypt *session_key) 919 { 920 struct fcrypt_key cipher; 921 922 _enter(",,%08x%08x", 923 ntohl(session_key->n[0]), ntohl(session_key->n[1])); 924 925 fcrypt_preparekey(&cipher, session_key->x); 926 927 static_assert(sizeof(resp->encrypted) % FCRYPT_BSIZE == 0); 928 fcrypt_pcbc_decrypt(&cipher, session_key->x, &resp->encrypted, 929 &resp->encrypted, 930 sizeof(resp->encrypted) / FCRYPT_BSIZE); 931 _leave(""); 932 } 933 934 /* 935 * verify a response 936 */ 937 static int rxkad_verify_response(struct rxrpc_connection *conn, 938 struct sk_buff *skb, 939 void *buffer, unsigned int len) 940 { 941 struct rxkad_response *response; 942 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 943 struct rxrpc_crypt session_key; 944 struct key *server_key; 945 time64_t expiry; 946 void *ticket; 947 u32 version, kvno, ticket_len, level; 948 __be32 csum; 949 int ret, i; 950 951 _enter("{%d}", conn->debug_id); 952 953 server_key = rxrpc_look_up_server_security(conn, skb, 0, 0); 954 if (IS_ERR(server_key)) { 955 ret = PTR_ERR(server_key); 956 switch (ret) { 957 case -ENOKEY: 958 return rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, ret, 959 rxkad_abort_resp_nokey); 960 case -EKEYEXPIRED: 961 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret, 962 rxkad_abort_resp_key_expired); 963 default: 964 return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, ret, 965 rxkad_abort_resp_key_rejected); 966 } 967 } 968 969 response = buffer; 970 if (len < sizeof(*response)) { 971 ret = rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO, 972 rxkad_abort_resp_short); 973 goto error; 974 } 975 976 version = ntohl(response->version); 977 ticket_len = ntohl(response->ticket_len); 978 kvno = ntohl(response->kvno); 979 980 trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len); 981 982 buffer += sizeof(*response); 983 len -= sizeof(*response); 984 985 if (version != RXKAD_VERSION) { 986 ret = rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO, 987 rxkad_abort_resp_version); 988 goto error; 989 } 990 991 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) { 992 ret = rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO, 993 rxkad_abort_resp_tkt_len); 994 goto error; 995 } 996 997 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) { 998 ret = rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO, 999 rxkad_abort_resp_unknown_tkt); 1000 goto error; 1001 } 1002 1003 /* extract the kerberos ticket and decrypt and decode it */ 1004 ticket = buffer; 1005 if (ticket_len > len) { 1006 ret = rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO, 1007 rxkad_abort_resp_short_tkt); 1008 goto error; 1009 } 1010 1011 ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len, 1012 &session_key, &expiry); 1013 if (ret < 0) 1014 goto error; 1015 1016 /* use the session key from inside the ticket to decrypt the 1017 * response */ 1018 rxkad_decrypt_response(conn, response, &session_key); 1019 1020 if (ntohl(response->encrypted.epoch) != conn->proto.epoch || 1021 ntohl(response->encrypted.cid) != conn->proto.cid || 1022 ntohl(response->encrypted.securityIndex) != conn->security_ix) { 1023 ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, 1024 rxkad_abort_resp_bad_param); 1025 goto error; 1026 } 1027 1028 csum = response->encrypted.checksum; 1029 response->encrypted.checksum = 0; 1030 rxkad_calc_response_checksum(response); 1031 if (response->encrypted.checksum != csum) { 1032 ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, 1033 rxkad_abort_resp_bad_checksum); 1034 goto error; 1035 } 1036 1037 for (i = 0; i < RXRPC_MAXCALLS; i++) { 1038 u32 call_id = ntohl(response->encrypted.call_id[i]); 1039 u32 counter = READ_ONCE(conn->channels[i].call_counter); 1040 1041 if (call_id > INT_MAX) { 1042 ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, 1043 rxkad_abort_resp_bad_callid); 1044 goto error; 1045 } 1046 1047 if (call_id < counter) { 1048 ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, 1049 rxkad_abort_resp_call_ctr); 1050 goto error; 1051 } 1052 1053 if (call_id > counter) { 1054 if (conn->channels[i].call) { 1055 ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, 1056 rxkad_abort_resp_call_state); 1057 goto error; 1058 } 1059 conn->channels[i].call_counter = call_id; 1060 } 1061 } 1062 1063 if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) { 1064 ret = rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO, 1065 rxkad_abort_resp_ooseq); 1066 goto error; 1067 } 1068 1069 level = ntohl(response->encrypted.level); 1070 if (level > RXRPC_SECURITY_ENCRYPT) { 1071 ret = rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO, 1072 rxkad_abort_resp_level); 1073 goto error; 1074 } 1075 conn->security_level = level; 1076 1077 /* create a key to hold the security data and expiration time - after 1078 * this the connection security can be handled in exactly the same way 1079 * as for a client connection */ 1080 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); 1081 1082 error: 1083 key_put(server_key); 1084 _leave(" = %d", ret); 1085 return ret; 1086 } 1087 1088 /* 1089 * clear the connection security 1090 */ 1091 static void rxkad_clear(struct rxrpc_connection *conn) 1092 { 1093 _enter(""); 1094 1095 kfree_sensitive(conn->rxkad.cipher); 1096 conn->rxkad.cipher = NULL; 1097 } 1098 1099 /* 1100 * Initialise the rxkad security service. 1101 */ 1102 static int rxkad_init(void) 1103 { 1104 if (fips_enabled) { 1105 pr_warn("rxkad support is disabled due to FIPS\n"); 1106 return -ENOENT; 1107 } 1108 return 0; 1109 } 1110 1111 /* 1112 * Clean up the rxkad security service. 1113 */ 1114 static void rxkad_exit(void) 1115 { 1116 } 1117 1118 /* 1119 * RxRPC Kerberos-based security 1120 */ 1121 const struct rxrpc_security rxkad = { 1122 .name = "rxkad", 1123 .security_index = RXRPC_SECURITY_RXKAD, 1124 .no_key_abort = RXKADUNKNOWNKEY, 1125 .init = rxkad_init, 1126 .exit = rxkad_exit, 1127 .preparse_server_key = rxkad_preparse_server_key, 1128 .free_preparse_server_key = rxkad_free_preparse_server_key, 1129 .destroy_server_key = rxkad_destroy_server_key, 1130 .init_connection_security = rxkad_init_connection_security, 1131 .alloc_txbuf = rxkad_alloc_txbuf, 1132 .secure_packet = rxkad_secure_packet, 1133 .verify_packet = rxkad_verify_packet, 1134 .free_call_crypto = rxkad_free_call_crypto, 1135 .issue_challenge = rxkad_issue_challenge, 1136 .validate_challenge = rxkad_validate_challenge, 1137 .sendmsg_respond_to_challenge = rxkad_sendmsg_respond_to_challenge, 1138 .respond_to_challenge = rxkad_respond_to_challenge, 1139 .verify_response = rxkad_verify_response, 1140 .clear = rxkad_clear, 1141 }; 1142