1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Application-specific bits for GSSAPI-based RxRPC security 3 * 4 * Copyright (C) 2025 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 9 10 #include <linux/net.h> 11 #include <linux/skbuff.h> 12 #include <linux/slab.h> 13 #include <linux/key-type.h> 14 #include "ar-internal.h" 15 #include "rxgk_common.h" 16 17 /* 18 * Decode a default-style YFS ticket in a response and turn it into an 19 * rxrpc-type key. 20 * 21 * struct rxgk_key { 22 * afs_uint32 enctype; 23 * opaque key<>; 24 * }; 25 * 26 * struct RXGK_AuthName { 27 * afs_int32 kind; 28 * opaque data<AUTHDATAMAX>; 29 * opaque display<AUTHPRINTABLEMAX>; 30 * }; 31 * 32 * struct RXGK_Token { 33 * rxgk_key K0; 34 * RXGK_Level level; 35 * rxgkTime starttime; 36 * afs_int32 lifetime; 37 * afs_int32 bytelife; 38 * rxgkTime expirationtime; 39 * struct RXGK_AuthName identities<>; 40 * }; 41 */ 42 int rxgk_yfs_decode_ticket(struct rxrpc_connection *conn, struct sk_buff *skb, 43 void *buffer, unsigned int ticket_len, 44 struct key **_key) 45 { 46 struct rxrpc_key_token *token; 47 const struct cred *cred = current_cred(); // TODO - use socket creds 48 struct key *key; 49 size_t pre_ticket_len, payload_len; 50 unsigned int klen, enctype; 51 void *payload, *ticket; 52 __be32 *t, *p, *q, *tmp; 53 int ret; 54 55 _enter(""); 56 57 if (ticket_len < 10 * sizeof(__be32)) 58 return rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO, 59 rxgk_abort_resp_short_yfs_tkt); 60 61 /* Get the session key length */ 62 tmp = buffer; 63 enctype = ntohl(tmp[0]); 64 klen = ntohl(tmp[1]); 65 66 if (klen > ticket_len - 10 * sizeof(__be32)) 67 return rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO, 68 rxgk_abort_resp_short_yfs_key); 69 70 pre_ticket_len = ((5 + 14) * sizeof(__be32) + 71 xdr_round_up(klen) + 72 sizeof(__be32)); 73 payload_len = pre_ticket_len + xdr_round_up(ticket_len); 74 75 payload = kzalloc(payload_len, GFP_NOFS); 76 if (!payload) 77 return -ENOMEM; 78 79 /* We need to fill out the XDR form for a key payload that we can pass 80 * to add_key(). Start by copying in the ticket so that we can parse 81 * it. 82 */ 83 ticket = payload + pre_ticket_len; 84 memcpy(ticket, buffer, ticket_len); 85 86 /* Fill out the form header. */ 87 p = payload; 88 p[0] = htonl(0); /* Flags */ 89 p[1] = htonl(1); /* len(cellname) */ 90 p[2] = htonl(0x20000000); /* Cellname " " */ 91 p[3] = htonl(1); /* #tokens */ 92 p[4] = htonl(15 * sizeof(__be32) + xdr_round_up(klen) + 93 xdr_round_up(ticket_len)); /* Token len */ 94 95 /* Now fill in the body. Most of this we can just scrape directly from 96 * the ticket. 97 */ 98 t = ticket + sizeof(__be32) * 2 + xdr_round_up(klen); 99 q = payload + 5 * sizeof(__be32); 100 q[0] = htonl(RXRPC_SECURITY_YFS_RXGK); 101 q[1] = t[1]; /* begintime - msw */ 102 q[2] = t[2]; /* - lsw */ 103 q[3] = t[5]; /* endtime - msw */ 104 q[4] = t[6]; /* - lsw */ 105 q[5] = 0; /* level - msw */ 106 q[6] = t[0]; /* - lsw */ 107 q[7] = 0; /* lifetime - msw */ 108 q[8] = t[3]; /* - lsw */ 109 q[9] = 0; /* bytelife - msw */ 110 q[10] = t[4]; /* - lsw */ 111 q[11] = 0; /* enctype - msw */ 112 q[12] = htonl(enctype); /* - lsw */ 113 q[13] = htonl(klen); /* Key length */ 114 115 q += 14; 116 117 memcpy(q, ticket + sizeof(__be32) * 2, klen); 118 q += xdr_round_up(klen) / 4; 119 q[0] = htonl(ticket_len); 120 q++; 121 if (WARN_ON((unsigned long)q != (unsigned long)ticket)) { 122 ret = -EIO; 123 goto error; 124 } 125 126 /* Ticket appended above. */ 127 q += xdr_round_up(ticket_len) / 4; 128 if (WARN_ON((unsigned long)q - (unsigned long)payload != payload_len)) { 129 ret = -EIO; 130 goto error; 131 } 132 133 /* Now turn that into a key. */ 134 key = key_alloc(&key_type_rxrpc, "x", 135 GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred, // TODO: Use socket owner 136 KEY_USR_VIEW, 137 KEY_ALLOC_NOT_IN_QUOTA, NULL); 138 if (IS_ERR(key)) { 139 _leave(" = -ENOMEM [alloc %ld]", PTR_ERR(key)); 140 ret = PTR_ERR(key); 141 goto error; 142 } 143 144 _debug("key %d", key_serial(key)); 145 146 ret = key_instantiate_and_link(key, payload, payload_len, NULL, NULL); 147 if (ret < 0) 148 goto error_key; 149 150 token = key->payload.data[0]; 151 token->no_leak_key = true; 152 *_key = key; 153 key = NULL; 154 ret = 0; 155 goto error; 156 157 error_key: 158 key_put(key); 159 error: 160 kfree_sensitive(payload); 161 _leave(" = %d", ret); 162 return ret; 163 } 164 165 /* 166 * Extract the token and set up a session key from the details. 167 * 168 * struct RXGK_TokenContainer { 169 * afs_int32 kvno; 170 * afs_int32 enctype; 171 * opaque encrypted_token<>; 172 * }; 173 * 174 * [tools.ietf.org/html/draft-wilkinson-afs3-rxgk-afs-08 sec 6.1] 175 */ 176 int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb, 177 void *token, unsigned int token_len, 178 struct key **_key) 179 { 180 const struct krb5_enctype *krb5; 181 const struct krb5_buffer *server_secret; 182 struct crypto_aead *token_enc = NULL; 183 struct key *server_key; 184 unsigned int ticket_len; 185 void *ticket; 186 u32 kvno, enctype; 187 int ret, ec = 0; 188 189 struct { 190 __be32 kvno; 191 __be32 enctype; 192 __be32 token_len; 193 } *container; 194 195 if (token_len < sizeof(*container)) 196 goto short_packet; 197 198 /* Decode the RXGK_TokenContainer object. This tells us which server 199 * key we should be using. We can then fetch the key, get the secret 200 * and set up the crypto to extract the token. 201 */ 202 container = token; 203 token += sizeof(*container); 204 205 kvno = ntohl(container->kvno); 206 enctype = ntohl(container->enctype); 207 ticket_len = ntohl(container->token_len); 208 209 if (ticket_len > xdr_round_down(token_len - sizeof(*container))) 210 goto short_packet; 211 212 _debug("KVNO %u", kvno); 213 _debug("ENC %u", enctype); 214 _debug("TLEN %u", ticket_len); 215 216 server_key = rxrpc_look_up_server_security(conn, skb, kvno, enctype); 217 if (IS_ERR(server_key)) 218 goto cant_get_server_key; 219 220 down_read(&server_key->sem); 221 server_secret = (const void *)&server_key->payload.data[2]; 222 ret = rxgk_set_up_token_cipher(server_secret, &token_enc, enctype, &krb5, GFP_NOFS); 223 up_read(&server_key->sem); 224 key_put(server_key); 225 if (ret < 0) 226 goto cant_get_token; 227 228 /* We can now decrypt and parse the token/ticket. This allows us to 229 * gain access to K0, from which we can derive the transport key and 230 * thence decode the authenticator. 231 */ 232 ticket = token; 233 ret = rxgk_decrypt(krb5, token_enc, &ticket, &ticket_len, &ec); 234 crypto_free_aead(token_enc); 235 token_enc = NULL; 236 if (ret < 0) { 237 if (ret != -ENOMEM) 238 return rxrpc_abort_conn(conn, skb, ec, ret, 239 rxgk_abort_resp_tok_dec); 240 return ret; 241 } 242 243 ret = conn->security->default_decode_ticket(conn, skb, ticket, 244 ticket_len, _key); 245 if (ret < 0) 246 goto cant_get_token; 247 248 _leave(" = 0"); 249 return ret; 250 251 cant_get_server_key: 252 ret = PTR_ERR(server_key); 253 switch (ret) { 254 case -ENOMEM: 255 goto temporary_error; 256 case -ENOKEY: 257 case -EKEYREJECTED: 258 case -EKEYEXPIRED: 259 case -EKEYREVOKED: 260 case -EPERM: 261 return rxrpc_abort_conn(conn, skb, RXGK_BADKEYNO, -EKEYREJECTED, 262 rxgk_abort_resp_tok_nokey); 263 default: 264 return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EKEYREJECTED, 265 rxgk_abort_resp_tok_keyerr); 266 } 267 268 cant_get_token: 269 switch (ret) { 270 case -ENOMEM: 271 goto temporary_error; 272 case -EINVAL: 273 return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EKEYREJECTED, 274 rxgk_abort_resp_tok_internal_error); 275 case -ENOPKG: 276 return rxrpc_abort_conn(conn, skb, KRB5_PROG_KEYTYPE_NOSUPP, 277 -EKEYREJECTED, rxgk_abort_resp_tok_nopkg); 278 } 279 280 temporary_error: 281 /* Ignore the response packet if we got a temporary error such as 282 * ENOMEM. We just want to send the challenge again. Note that we 283 * also come out this way if the ticket decryption fails. 284 */ 285 return ret; 286 287 short_packet: 288 return rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO, 289 rxgk_abort_resp_tok_short); 290 } 291