1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Kerberos-based RxRPC security 3 * 4 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 9 10 #include <crypto/skcipher.h> 11 #include <linux/module.h> 12 #include <linux/net.h> 13 #include <linux/skbuff.h> 14 #include <linux/udp.h> 15 #include <linux/scatterlist.h> 16 #include <linux/ctype.h> 17 #include <linux/slab.h> 18 #include <linux/key-type.h> 19 #include <net/sock.h> 20 #include <net/af_rxrpc.h> 21 #include <keys/rxrpc-type.h> 22 #include "ar-internal.h" 23 24 #define RXKAD_VERSION 2 25 #define MAXKRB5TICKETLEN 1024 26 #define RXKAD_TKT_TYPE_KERBEROS_V5 256 27 #define ANAME_SZ 40 /* size of authentication name */ 28 #define INST_SZ 40 /* size of principal's instance */ 29 #define REALM_SZ 40 /* size of principal's auth domain */ 30 #define SNAME_SZ 40 /* size of service name */ 31 #define RXKAD_ALIGN 8 32 33 struct rxkad_level1_hdr { 34 __be32 data_size; /* true data size (excluding padding) */ 35 }; 36 37 struct rxkad_level2_hdr { 38 __be32 data_size; /* true data size (excluding padding) */ 39 __be32 checksum; /* decrypted data checksum */ 40 }; 41 42 static int rxkad_prime_packet_security(struct rxrpc_connection *conn, 43 struct crypto_sync_skcipher *ci); 44 45 /* 46 * this holds a pinned cipher so that keventd doesn't get called by the cipher 47 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE 48 * packets 49 */ 50 static struct crypto_sync_skcipher *rxkad_ci; 51 static struct skcipher_request *rxkad_ci_req; 52 static DEFINE_MUTEX(rxkad_ci_mutex); 53 54 /* 55 * Parse the information from a server key 56 * 57 * The data should be the 8-byte secret key. 58 */ 59 static int rxkad_preparse_server_key(struct key_preparsed_payload *prep) 60 { 61 struct crypto_skcipher *ci; 62 63 if (prep->datalen != 8) 64 return -EINVAL; 65 66 memcpy(&prep->payload.data[2], prep->data, 8); 67 68 ci = crypto_alloc_skcipher("pcbc(des)", 0, CRYPTO_ALG_ASYNC); 69 if (IS_ERR(ci)) { 70 _leave(" = %ld", PTR_ERR(ci)); 71 return PTR_ERR(ci); 72 } 73 74 if (crypto_skcipher_setkey(ci, prep->data, 8) < 0) 75 BUG(); 76 77 prep->payload.data[0] = ci; 78 _leave(" = 0"); 79 return 0; 80 } 81 82 static void rxkad_free_preparse_server_key(struct key_preparsed_payload *prep) 83 { 84 85 if (prep->payload.data[0]) 86 crypto_free_skcipher(prep->payload.data[0]); 87 } 88 89 static void rxkad_destroy_server_key(struct key *key) 90 { 91 if (key->payload.data[0]) { 92 crypto_free_skcipher(key->payload.data[0]); 93 key->payload.data[0] = NULL; 94 } 95 } 96 97 /* 98 * initialise connection security 99 */ 100 static int rxkad_init_connection_security(struct rxrpc_connection *conn, 101 struct rxrpc_key_token *token) 102 { 103 struct crypto_sync_skcipher *ci; 104 int ret; 105 106 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->key)); 107 108 conn->security_ix = token->security_index; 109 110 ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0); 111 if (IS_ERR(ci)) { 112 _debug("no cipher"); 113 ret = PTR_ERR(ci); 114 goto error; 115 } 116 117 if (crypto_sync_skcipher_setkey(ci, token->kad->session_key, 118 sizeof(token->kad->session_key)) < 0) 119 BUG(); 120 121 switch (conn->security_level) { 122 case RXRPC_SECURITY_PLAIN: 123 case RXRPC_SECURITY_AUTH: 124 case RXRPC_SECURITY_ENCRYPT: 125 break; 126 default: 127 ret = -EKEYREJECTED; 128 goto error; 129 } 130 131 ret = rxkad_prime_packet_security(conn, ci); 132 if (ret < 0) 133 goto error_ci; 134 135 conn->rxkad.cipher = ci; 136 return 0; 137 138 error_ci: 139 crypto_free_sync_skcipher(ci); 140 error: 141 _leave(" = %d", ret); 142 return ret; 143 } 144 145 /* 146 * Work out how much data we can put in a packet. 147 */ 148 static struct rxrpc_txbuf *rxkad_alloc_txbuf(struct rxrpc_call *call, size_t remain, gfp_t gfp) 149 { 150 struct rxrpc_txbuf *txb; 151 size_t shdr, alloc, limit, part; 152 153 remain = umin(remain, 65535 - sizeof(struct rxrpc_wire_header)); 154 155 switch (call->conn->security_level) { 156 default: 157 alloc = umin(remain, RXRPC_JUMBO_DATALEN); 158 return rxrpc_alloc_data_txbuf(call, alloc, 1, gfp); 159 case RXRPC_SECURITY_AUTH: 160 shdr = sizeof(struct rxkad_level1_hdr); 161 break; 162 case RXRPC_SECURITY_ENCRYPT: 163 shdr = sizeof(struct rxkad_level2_hdr); 164 break; 165 } 166 167 limit = round_down(RXRPC_JUMBO_DATALEN, RXKAD_ALIGN) - shdr; 168 if (remain < limit) { 169 part = remain; 170 alloc = round_up(shdr + part, RXKAD_ALIGN); 171 } else { 172 part = limit; 173 alloc = RXRPC_JUMBO_DATALEN; 174 } 175 176 txb = rxrpc_alloc_data_txbuf(call, alloc, RXKAD_ALIGN, gfp); 177 if (!txb) 178 return NULL; 179 180 txb->offset += shdr; 181 txb->space = part; 182 return txb; 183 } 184 185 /* 186 * prime the encryption state with the invariant parts of a connection's 187 * description 188 */ 189 static int rxkad_prime_packet_security(struct rxrpc_connection *conn, 190 struct crypto_sync_skcipher *ci) 191 { 192 struct skcipher_request *req; 193 struct rxrpc_key_token *token; 194 struct scatterlist sg; 195 struct rxrpc_crypt iv; 196 __be32 *tmpbuf; 197 size_t tmpsize = 4 * sizeof(__be32); 198 199 _enter(""); 200 201 if (!conn->key) 202 return 0; 203 204 tmpbuf = kmalloc(tmpsize, GFP_KERNEL); 205 if (!tmpbuf) 206 return -ENOMEM; 207 208 req = skcipher_request_alloc(&ci->base, GFP_NOFS); 209 if (!req) { 210 kfree(tmpbuf); 211 return -ENOMEM; 212 } 213 214 token = conn->key->payload.data[0]; 215 memcpy(&iv, token->kad->session_key, sizeof(iv)); 216 217 tmpbuf[0] = htonl(conn->proto.epoch); 218 tmpbuf[1] = htonl(conn->proto.cid); 219 tmpbuf[2] = 0; 220 tmpbuf[3] = htonl(conn->security_ix); 221 222 sg_init_one(&sg, tmpbuf, tmpsize); 223 skcipher_request_set_sync_tfm(req, ci); 224 skcipher_request_set_callback(req, 0, NULL, NULL); 225 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x); 226 crypto_skcipher_encrypt(req); 227 skcipher_request_free(req); 228 229 memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv)); 230 kfree(tmpbuf); 231 _leave(" = 0"); 232 return 0; 233 } 234 235 /* 236 * Allocate and prepare the crypto request on a call. For any particular call, 237 * this is called serially for the packets, so no lock should be necessary. 238 */ 239 static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call) 240 { 241 struct crypto_skcipher *tfm = &call->conn->rxkad.cipher->base; 242 243 return skcipher_request_alloc(tfm, GFP_NOFS); 244 } 245 246 /* 247 * Clean up the crypto on a call. 248 */ 249 static void rxkad_free_call_crypto(struct rxrpc_call *call) 250 { 251 } 252 253 /* 254 * partially encrypt a packet (level 1 security) 255 */ 256 static int rxkad_secure_packet_auth(const struct rxrpc_call *call, 257 struct rxrpc_txbuf *txb, 258 struct skcipher_request *req) 259 { 260 struct rxkad_level1_hdr *hdr = txb->data; 261 struct rxrpc_crypt iv; 262 struct scatterlist sg; 263 size_t pad; 264 u16 check; 265 266 _enter(""); 267 268 check = txb->seq ^ call->call_id; 269 hdr->data_size = htonl((u32)check << 16 | txb->len); 270 271 txb->pkt_len = sizeof(struct rxkad_level1_hdr) + txb->len; 272 pad = txb->pkt_len; 273 pad = RXKAD_ALIGN - pad; 274 pad &= RXKAD_ALIGN - 1; 275 if (pad) { 276 memset(txb->data + txb->offset, 0, pad); 277 txb->pkt_len += pad; 278 } 279 280 /* start the encryption afresh */ 281 memset(&iv, 0, sizeof(iv)); 282 283 sg_init_one(&sg, hdr, 8); 284 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 285 skcipher_request_set_callback(req, 0, NULL, NULL); 286 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 287 crypto_skcipher_encrypt(req); 288 skcipher_request_zero(req); 289 290 _leave(" = 0"); 291 return 0; 292 } 293 294 /* 295 * wholly encrypt a packet (level 2 security) 296 */ 297 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, 298 struct rxrpc_txbuf *txb, 299 struct skcipher_request *req) 300 { 301 const struct rxrpc_key_token *token; 302 struct rxkad_level2_hdr *rxkhdr = txb->data; 303 struct rxrpc_crypt iv; 304 struct scatterlist sg; 305 size_t content, pad; 306 u16 check; 307 int ret; 308 309 _enter(""); 310 311 check = txb->seq ^ call->call_id; 312 313 rxkhdr->data_size = htonl(txb->len | (u32)check << 16); 314 rxkhdr->checksum = 0; 315 316 content = sizeof(struct rxkad_level2_hdr) + txb->len; 317 txb->pkt_len = round_up(content, RXKAD_ALIGN); 318 pad = txb->pkt_len - content; 319 if (pad) 320 memset(txb->data + txb->offset, 0, pad); 321 322 /* encrypt from the session key */ 323 token = call->conn->key->payload.data[0]; 324 memcpy(&iv, token->kad->session_key, sizeof(iv)); 325 326 sg_init_one(&sg, rxkhdr, txb->pkt_len); 327 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 328 skcipher_request_set_callback(req, 0, NULL, NULL); 329 skcipher_request_set_crypt(req, &sg, &sg, txb->pkt_len, iv.x); 330 ret = crypto_skcipher_encrypt(req); 331 skcipher_request_zero(req); 332 return ret; 333 } 334 335 /* 336 * checksum an RxRPC packet header 337 */ 338 static int rxkad_secure_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb) 339 { 340 struct skcipher_request *req; 341 struct rxrpc_crypt iv; 342 struct scatterlist sg; 343 union { 344 __be32 buf[2]; 345 } crypto __aligned(8); 346 u32 x, y; 347 int ret; 348 349 _enter("{%d{%x}},{#%u},%u,", 350 call->debug_id, key_serial(call->conn->key), 351 txb->seq, txb->len); 352 353 if (!call->conn->rxkad.cipher) 354 return 0; 355 356 ret = key_validate(call->conn->key); 357 if (ret < 0) 358 return ret; 359 360 req = rxkad_get_call_crypto(call); 361 if (!req) 362 return -ENOMEM; 363 364 /* continue encrypting from where we left off */ 365 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv)); 366 367 /* calculate the security checksum */ 368 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 369 x |= txb->seq & 0x3fffffff; 370 crypto.buf[0] = htonl(call->call_id); 371 crypto.buf[1] = htonl(x); 372 373 sg_init_one(&sg, crypto.buf, 8); 374 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 375 skcipher_request_set_callback(req, 0, NULL, NULL); 376 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 377 crypto_skcipher_encrypt(req); 378 skcipher_request_zero(req); 379 380 y = ntohl(crypto.buf[1]); 381 y = (y >> 16) & 0xffff; 382 if (y == 0) 383 y = 1; /* zero checksums are not permitted */ 384 txb->cksum = htons(y); 385 386 switch (call->conn->security_level) { 387 case RXRPC_SECURITY_PLAIN: 388 txb->pkt_len = txb->len; 389 ret = 0; 390 break; 391 case RXRPC_SECURITY_AUTH: 392 ret = rxkad_secure_packet_auth(call, txb, req); 393 if (txb->alloc_size == RXRPC_JUMBO_DATALEN) 394 txb->jumboable = true; 395 break; 396 case RXRPC_SECURITY_ENCRYPT: 397 ret = rxkad_secure_packet_encrypt(call, txb, req); 398 if (txb->alloc_size == RXRPC_JUMBO_DATALEN) 399 txb->jumboable = true; 400 break; 401 default: 402 ret = -EPERM; 403 break; 404 } 405 406 /* Clear excess space in the packet */ 407 if (txb->pkt_len < txb->alloc_size) { 408 size_t gap = txb->alloc_size - txb->pkt_len; 409 void *p = txb->data; 410 411 memset(p + txb->pkt_len, 0, gap); 412 } 413 414 skcipher_request_free(req); 415 _leave(" = %d [set %x]", ret, y); 416 return ret; 417 } 418 419 /* 420 * decrypt partial encryption on a packet (level 1 security) 421 */ 422 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb, 423 rxrpc_seq_t seq, 424 struct skcipher_request *req) 425 { 426 struct rxkad_level1_hdr sechdr; 427 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 428 struct rxrpc_crypt iv; 429 struct scatterlist sg[16]; 430 u32 data_size, buf; 431 u16 check; 432 int ret; 433 434 _enter(""); 435 436 if (sp->len < 8) 437 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, 438 rxkad_abort_1_short_header); 439 440 /* Decrypt the skbuff in-place. TODO: We really want to decrypt 441 * directly into the target buffer. 442 */ 443 sg_init_table(sg, ARRAY_SIZE(sg)); 444 ret = skb_to_sgvec(skb, sg, sp->offset, 8); 445 if (unlikely(ret < 0)) 446 return ret; 447 448 /* start the decryption afresh */ 449 memset(&iv, 0, sizeof(iv)); 450 451 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 452 skcipher_request_set_callback(req, 0, NULL, NULL); 453 skcipher_request_set_crypt(req, sg, sg, 8, iv.x); 454 crypto_skcipher_decrypt(req); 455 skcipher_request_zero(req); 456 457 /* Extract the decrypted packet length */ 458 if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0) 459 return rxrpc_abort_eproto(call, skb, RXKADDATALEN, 460 rxkad_abort_1_short_encdata); 461 sp->offset += sizeof(sechdr); 462 sp->len -= sizeof(sechdr); 463 464 buf = ntohl(sechdr.data_size); 465 data_size = buf & 0xffff; 466 467 check = buf >> 16; 468 check ^= seq ^ call->call_id; 469 check &= 0xffff; 470 if (check != 0) 471 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, 472 rxkad_abort_1_short_check); 473 if (data_size > sp->len) 474 return rxrpc_abort_eproto(call, skb, RXKADDATALEN, 475 rxkad_abort_1_short_data); 476 sp->len = data_size; 477 478 _leave(" = 0 [dlen=%x]", data_size); 479 return 0; 480 } 481 482 /* 483 * wholly decrypt a packet (level 2 security) 484 */ 485 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb, 486 rxrpc_seq_t seq, 487 struct skcipher_request *req) 488 { 489 const struct rxrpc_key_token *token; 490 struct rxkad_level2_hdr sechdr; 491 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 492 struct rxrpc_crypt iv; 493 struct scatterlist _sg[4], *sg; 494 u32 data_size, buf; 495 u16 check; 496 int nsg, ret; 497 498 _enter(",{%d}", sp->len); 499 500 if (sp->len < 8) 501 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, 502 rxkad_abort_2_short_header); 503 504 /* Decrypt the skbuff in-place. TODO: We really want to decrypt 505 * directly into the target buffer. 506 */ 507 sg = _sg; 508 nsg = skb_shinfo(skb)->nr_frags + 1; 509 if (nsg <= 4) { 510 nsg = 4; 511 } else { 512 sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO); 513 if (!sg) 514 return -ENOMEM; 515 } 516 517 sg_init_table(sg, nsg); 518 ret = skb_to_sgvec(skb, sg, sp->offset, sp->len); 519 if (unlikely(ret < 0)) { 520 if (sg != _sg) 521 kfree(sg); 522 return ret; 523 } 524 525 /* decrypt from the session key */ 526 token = call->conn->key->payload.data[0]; 527 memcpy(&iv, token->kad->session_key, sizeof(iv)); 528 529 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 530 skcipher_request_set_callback(req, 0, NULL, NULL); 531 skcipher_request_set_crypt(req, sg, sg, sp->len, iv.x); 532 crypto_skcipher_decrypt(req); 533 skcipher_request_zero(req); 534 if (sg != _sg) 535 kfree(sg); 536 537 /* Extract the decrypted packet length */ 538 if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0) 539 return rxrpc_abort_eproto(call, skb, RXKADDATALEN, 540 rxkad_abort_2_short_len); 541 sp->offset += sizeof(sechdr); 542 sp->len -= sizeof(sechdr); 543 544 buf = ntohl(sechdr.data_size); 545 data_size = buf & 0xffff; 546 547 check = buf >> 16; 548 check ^= seq ^ call->call_id; 549 check &= 0xffff; 550 if (check != 0) 551 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, 552 rxkad_abort_2_short_check); 553 554 if (data_size > sp->len) 555 return rxrpc_abort_eproto(call, skb, RXKADDATALEN, 556 rxkad_abort_2_short_data); 557 558 sp->len = data_size; 559 _leave(" = 0 [dlen=%x]", data_size); 560 return 0; 561 } 562 563 /* 564 * Verify the security on a received packet and the subpackets therein. 565 */ 566 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb) 567 { 568 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 569 struct skcipher_request *req; 570 struct rxrpc_crypt iv; 571 struct scatterlist sg; 572 union { 573 __be32 buf[2]; 574 } crypto __aligned(8); 575 rxrpc_seq_t seq = sp->hdr.seq; 576 int ret; 577 u16 cksum; 578 u32 x, y; 579 580 _enter("{%d{%x}},{#%u}", 581 call->debug_id, key_serial(call->conn->key), seq); 582 583 if (!call->conn->rxkad.cipher) 584 return 0; 585 586 req = rxkad_get_call_crypto(call); 587 if (!req) 588 return -ENOMEM; 589 590 /* continue encrypting from where we left off */ 591 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv)); 592 593 /* validate the security checksum */ 594 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 595 x |= seq & 0x3fffffff; 596 crypto.buf[0] = htonl(call->call_id); 597 crypto.buf[1] = htonl(x); 598 599 sg_init_one(&sg, crypto.buf, 8); 600 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 601 skcipher_request_set_callback(req, 0, NULL, NULL); 602 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 603 crypto_skcipher_encrypt(req); 604 skcipher_request_zero(req); 605 606 y = ntohl(crypto.buf[1]); 607 cksum = (y >> 16) & 0xffff; 608 if (cksum == 0) 609 cksum = 1; /* zero checksums are not permitted */ 610 611 if (cksum != sp->hdr.cksum) { 612 ret = rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, 613 rxkad_abort_bad_checksum); 614 goto out; 615 } 616 617 switch (call->conn->security_level) { 618 case RXRPC_SECURITY_PLAIN: 619 ret = 0; 620 break; 621 case RXRPC_SECURITY_AUTH: 622 ret = rxkad_verify_packet_1(call, skb, seq, req); 623 break; 624 case RXRPC_SECURITY_ENCRYPT: 625 ret = rxkad_verify_packet_2(call, skb, seq, req); 626 break; 627 default: 628 ret = -ENOANO; 629 break; 630 } 631 632 out: 633 skcipher_request_free(req); 634 return ret; 635 } 636 637 /* 638 * issue a challenge 639 */ 640 static int rxkad_issue_challenge(struct rxrpc_connection *conn) 641 { 642 struct rxkad_challenge challenge; 643 struct rxrpc_wire_header whdr; 644 struct msghdr msg; 645 struct kvec iov[2]; 646 size_t len; 647 u32 serial; 648 int ret; 649 650 _enter("{%d}", conn->debug_id); 651 652 get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce)); 653 654 challenge.version = htonl(2); 655 challenge.nonce = htonl(conn->rxkad.nonce); 656 challenge.min_level = htonl(0); 657 challenge.__padding = 0; 658 659 msg.msg_name = &conn->peer->srx.transport; 660 msg.msg_namelen = conn->peer->srx.transport_len; 661 msg.msg_control = NULL; 662 msg.msg_controllen = 0; 663 msg.msg_flags = 0; 664 665 whdr.epoch = htonl(conn->proto.epoch); 666 whdr.cid = htonl(conn->proto.cid); 667 whdr.callNumber = 0; 668 whdr.seq = 0; 669 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE; 670 whdr.flags = conn->out_clientflag; 671 whdr.userStatus = 0; 672 whdr.securityIndex = conn->security_ix; 673 whdr._rsvd = 0; 674 whdr.serviceId = htons(conn->service_id); 675 676 iov[0].iov_base = &whdr; 677 iov[0].iov_len = sizeof(whdr); 678 iov[1].iov_base = &challenge; 679 iov[1].iov_len = sizeof(challenge); 680 681 len = iov[0].iov_len + iov[1].iov_len; 682 683 serial = rxrpc_get_next_serial(conn); 684 whdr.serial = htonl(serial); 685 686 ret = kernel_sendmsg(conn->local->socket, &msg, iov, 2, len); 687 if (ret < 0) { 688 trace_rxrpc_tx_fail(conn->debug_id, serial, ret, 689 rxrpc_tx_point_rxkad_challenge); 690 return -EAGAIN; 691 } 692 693 conn->peer->last_tx_at = ktime_get_seconds(); 694 trace_rxrpc_tx_packet(conn->debug_id, &whdr, 695 rxrpc_tx_point_rxkad_challenge); 696 _leave(" = 0"); 697 return 0; 698 } 699 700 /* 701 * send a Kerberos security response 702 */ 703 static int rxkad_send_response(struct rxrpc_connection *conn, 704 struct rxrpc_host_header *hdr, 705 struct rxkad_response *resp, 706 const struct rxkad_key *s2) 707 { 708 struct rxrpc_wire_header whdr; 709 struct msghdr msg; 710 struct kvec iov[3]; 711 size_t len; 712 u32 serial; 713 int ret; 714 715 _enter(""); 716 717 msg.msg_name = &conn->peer->srx.transport; 718 msg.msg_namelen = conn->peer->srx.transport_len; 719 msg.msg_control = NULL; 720 msg.msg_controllen = 0; 721 msg.msg_flags = 0; 722 723 memset(&whdr, 0, sizeof(whdr)); 724 whdr.epoch = htonl(hdr->epoch); 725 whdr.cid = htonl(hdr->cid); 726 whdr.type = RXRPC_PACKET_TYPE_RESPONSE; 727 whdr.flags = conn->out_clientflag; 728 whdr.securityIndex = hdr->securityIndex; 729 whdr.serviceId = htons(hdr->serviceId); 730 731 iov[0].iov_base = &whdr; 732 iov[0].iov_len = sizeof(whdr); 733 iov[1].iov_base = resp; 734 iov[1].iov_len = sizeof(*resp); 735 iov[2].iov_base = (void *)s2->ticket; 736 iov[2].iov_len = s2->ticket_len; 737 738 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len; 739 740 serial = rxrpc_get_next_serial(conn); 741 whdr.serial = htonl(serial); 742 743 rxrpc_local_dont_fragment(conn->local, false); 744 ret = kernel_sendmsg(conn->local->socket, &msg, iov, 3, len); 745 if (ret < 0) { 746 trace_rxrpc_tx_fail(conn->debug_id, serial, ret, 747 rxrpc_tx_point_rxkad_response); 748 return -EAGAIN; 749 } 750 751 conn->peer->last_tx_at = ktime_get_seconds(); 752 _leave(" = 0"); 753 return 0; 754 } 755 756 /* 757 * calculate the response checksum 758 */ 759 static void rxkad_calc_response_checksum(struct rxkad_response *response) 760 { 761 u32 csum = 1000003; 762 int loop; 763 u8 *p = (u8 *) response; 764 765 for (loop = sizeof(*response); loop > 0; loop--) 766 csum = csum * 0x10204081 + *p++; 767 768 response->encrypted.checksum = htonl(csum); 769 } 770 771 /* 772 * encrypt the response packet 773 */ 774 static int rxkad_encrypt_response(struct rxrpc_connection *conn, 775 struct rxkad_response *resp, 776 const struct rxkad_key *s2) 777 { 778 struct skcipher_request *req; 779 struct rxrpc_crypt iv; 780 struct scatterlist sg[1]; 781 782 req = skcipher_request_alloc(&conn->rxkad.cipher->base, GFP_NOFS); 783 if (!req) 784 return -ENOMEM; 785 786 /* continue encrypting from where we left off */ 787 memcpy(&iv, s2->session_key, sizeof(iv)); 788 789 sg_init_table(sg, 1); 790 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 791 skcipher_request_set_sync_tfm(req, conn->rxkad.cipher); 792 skcipher_request_set_callback(req, 0, NULL, NULL); 793 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 794 crypto_skcipher_encrypt(req); 795 skcipher_request_free(req); 796 return 0; 797 } 798 799 /* 800 * respond to a challenge packet 801 */ 802 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn, 803 struct sk_buff *skb) 804 { 805 const struct rxrpc_key_token *token; 806 struct rxkad_challenge challenge; 807 struct rxkad_response *resp; 808 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 809 u32 version, nonce, min_level; 810 int ret = -EPROTO; 811 812 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key)); 813 814 if (!conn->key) 815 return rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO, 816 rxkad_abort_chall_no_key); 817 818 ret = key_validate(conn->key); 819 if (ret < 0) 820 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret, 821 rxkad_abort_chall_key_expired); 822 823 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 824 &challenge, sizeof(challenge)) < 0) 825 return rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO, 826 rxkad_abort_chall_short); 827 828 version = ntohl(challenge.version); 829 nonce = ntohl(challenge.nonce); 830 min_level = ntohl(challenge.min_level); 831 832 trace_rxrpc_rx_challenge(conn, sp->hdr.serial, version, nonce, min_level); 833 834 if (version != RXKAD_VERSION) 835 return rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO, 836 rxkad_abort_chall_version); 837 838 if (conn->security_level < min_level) 839 return rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EACCES, 840 rxkad_abort_chall_level); 841 842 token = conn->key->payload.data[0]; 843 844 /* build the response packet */ 845 resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS); 846 if (!resp) 847 return -ENOMEM; 848 849 resp->version = htonl(RXKAD_VERSION); 850 resp->encrypted.epoch = htonl(conn->proto.epoch); 851 resp->encrypted.cid = htonl(conn->proto.cid); 852 resp->encrypted.securityIndex = htonl(conn->security_ix); 853 resp->encrypted.inc_nonce = htonl(nonce + 1); 854 resp->encrypted.level = htonl(conn->security_level); 855 resp->kvno = htonl(token->kad->kvno); 856 resp->ticket_len = htonl(token->kad->ticket_len); 857 resp->encrypted.call_id[0] = htonl(conn->channels[0].call_counter); 858 resp->encrypted.call_id[1] = htonl(conn->channels[1].call_counter); 859 resp->encrypted.call_id[2] = htonl(conn->channels[2].call_counter); 860 resp->encrypted.call_id[3] = htonl(conn->channels[3].call_counter); 861 862 /* calculate the response checksum and then do the encryption */ 863 rxkad_calc_response_checksum(resp); 864 ret = rxkad_encrypt_response(conn, resp, token->kad); 865 if (ret == 0) 866 ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad); 867 kfree(resp); 868 return ret; 869 } 870 871 /* 872 * decrypt the kerberos IV ticket in the response 873 */ 874 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn, 875 struct key *server_key, 876 struct sk_buff *skb, 877 void *ticket, size_t ticket_len, 878 struct rxrpc_crypt *_session_key, 879 time64_t *_expiry) 880 { 881 struct skcipher_request *req; 882 struct rxrpc_crypt iv, key; 883 struct scatterlist sg[1]; 884 struct in_addr addr; 885 unsigned int life; 886 time64_t issue, now; 887 bool little_endian; 888 u8 *p, *q, *name, *end; 889 890 _enter("{%d},{%x}", conn->debug_id, key_serial(server_key)); 891 892 *_expiry = 0; 893 894 ASSERT(server_key->payload.data[0] != NULL); 895 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0); 896 897 memcpy(&iv, &server_key->payload.data[2], sizeof(iv)); 898 899 req = skcipher_request_alloc(server_key->payload.data[0], GFP_NOFS); 900 if (!req) 901 return -ENOMEM; 902 903 sg_init_one(&sg[0], ticket, ticket_len); 904 skcipher_request_set_callback(req, 0, NULL, NULL); 905 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x); 906 crypto_skcipher_decrypt(req); 907 skcipher_request_free(req); 908 909 p = ticket; 910 end = p + ticket_len; 911 912 #define Z(field, fieldl) \ 913 ({ \ 914 u8 *__str = p; \ 915 q = memchr(p, 0, end - p); \ 916 if (!q || q - p > field##_SZ) \ 917 return rxrpc_abort_conn( \ 918 conn, skb, RXKADBADTICKET, -EPROTO, \ 919 rxkad_abort_resp_tkt_##fieldl); \ 920 for (; p < q; p++) \ 921 if (!isprint(*p)) \ 922 return rxrpc_abort_conn( \ 923 conn, skb, RXKADBADTICKET, -EPROTO, \ 924 rxkad_abort_resp_tkt_##fieldl); \ 925 p++; \ 926 __str; \ 927 }) 928 929 /* extract the ticket flags */ 930 _debug("KIV FLAGS: %x", *p); 931 little_endian = *p & 1; 932 p++; 933 934 /* extract the authentication name */ 935 name = Z(ANAME, aname); 936 _debug("KIV ANAME: %s", name); 937 938 /* extract the principal's instance */ 939 name = Z(INST, inst); 940 _debug("KIV INST : %s", name); 941 942 /* extract the principal's authentication domain */ 943 name = Z(REALM, realm); 944 _debug("KIV REALM: %s", name); 945 946 if (end - p < 4 + 8 + 4 + 2) 947 return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO, 948 rxkad_abort_resp_tkt_short); 949 950 /* get the IPv4 address of the entity that requested the ticket */ 951 memcpy(&addr, p, sizeof(addr)); 952 p += 4; 953 _debug("KIV ADDR : %pI4", &addr); 954 955 /* get the session key from the ticket */ 956 memcpy(&key, p, sizeof(key)); 957 p += 8; 958 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1])); 959 memcpy(_session_key, &key, sizeof(key)); 960 961 /* get the ticket's lifetime */ 962 life = *p++ * 5 * 60; 963 _debug("KIV LIFE : %u", life); 964 965 /* get the issue time of the ticket */ 966 if (little_endian) { 967 __le32 stamp; 968 memcpy(&stamp, p, 4); 969 issue = rxrpc_u32_to_time64(le32_to_cpu(stamp)); 970 } else { 971 __be32 stamp; 972 memcpy(&stamp, p, 4); 973 issue = rxrpc_u32_to_time64(be32_to_cpu(stamp)); 974 } 975 p += 4; 976 now = ktime_get_real_seconds(); 977 _debug("KIV ISSUE: %llx [%llx]", issue, now); 978 979 /* check the ticket is in date */ 980 if (issue > now) 981 return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, -EKEYREJECTED, 982 rxkad_abort_resp_tkt_future); 983 if (issue < now - life) 984 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, -EKEYEXPIRED, 985 rxkad_abort_resp_tkt_expired); 986 987 *_expiry = issue + life; 988 989 /* get the service name */ 990 name = Z(SNAME, sname); 991 _debug("KIV SNAME: %s", name); 992 993 /* get the service instance name */ 994 name = Z(INST, sinst); 995 _debug("KIV SINST: %s", name); 996 return 0; 997 } 998 999 /* 1000 * decrypt the response packet 1001 */ 1002 static void rxkad_decrypt_response(struct rxrpc_connection *conn, 1003 struct rxkad_response *resp, 1004 const struct rxrpc_crypt *session_key) 1005 { 1006 struct skcipher_request *req = rxkad_ci_req; 1007 struct scatterlist sg[1]; 1008 struct rxrpc_crypt iv; 1009 1010 _enter(",,%08x%08x", 1011 ntohl(session_key->n[0]), ntohl(session_key->n[1])); 1012 1013 mutex_lock(&rxkad_ci_mutex); 1014 if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x, 1015 sizeof(*session_key)) < 0) 1016 BUG(); 1017 1018 memcpy(&iv, session_key, sizeof(iv)); 1019 1020 sg_init_table(sg, 1); 1021 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 1022 skcipher_request_set_sync_tfm(req, rxkad_ci); 1023 skcipher_request_set_callback(req, 0, NULL, NULL); 1024 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 1025 crypto_skcipher_decrypt(req); 1026 skcipher_request_zero(req); 1027 1028 mutex_unlock(&rxkad_ci_mutex); 1029 1030 _leave(""); 1031 } 1032 1033 /* 1034 * verify a response 1035 */ 1036 static int rxkad_verify_response(struct rxrpc_connection *conn, 1037 struct sk_buff *skb) 1038 { 1039 struct rxkad_response *response; 1040 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 1041 struct rxrpc_crypt session_key; 1042 struct key *server_key; 1043 time64_t expiry; 1044 void *ticket; 1045 u32 version, kvno, ticket_len, level; 1046 __be32 csum; 1047 int ret, i; 1048 1049 _enter("{%d}", conn->debug_id); 1050 1051 server_key = rxrpc_look_up_server_security(conn, skb, 0, 0); 1052 if (IS_ERR(server_key)) { 1053 ret = PTR_ERR(server_key); 1054 switch (ret) { 1055 case -ENOKEY: 1056 return rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, ret, 1057 rxkad_abort_resp_nokey); 1058 case -EKEYEXPIRED: 1059 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret, 1060 rxkad_abort_resp_key_expired); 1061 default: 1062 return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, ret, 1063 rxkad_abort_resp_key_rejected); 1064 } 1065 } 1066 1067 ret = -ENOMEM; 1068 response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS); 1069 if (!response) 1070 goto temporary_error; 1071 1072 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 1073 response, sizeof(*response)) < 0) { 1074 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO, 1075 rxkad_abort_resp_short); 1076 goto protocol_error; 1077 } 1078 1079 version = ntohl(response->version); 1080 ticket_len = ntohl(response->ticket_len); 1081 kvno = ntohl(response->kvno); 1082 1083 trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len); 1084 1085 if (version != RXKAD_VERSION) { 1086 rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO, 1087 rxkad_abort_resp_version); 1088 goto protocol_error; 1089 } 1090 1091 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) { 1092 rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO, 1093 rxkad_abort_resp_tkt_len); 1094 goto protocol_error; 1095 } 1096 1097 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) { 1098 rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO, 1099 rxkad_abort_resp_unknown_tkt); 1100 goto protocol_error; 1101 } 1102 1103 /* extract the kerberos ticket and decrypt and decode it */ 1104 ret = -ENOMEM; 1105 ticket = kmalloc(ticket_len, GFP_NOFS); 1106 if (!ticket) 1107 goto temporary_error_free_resp; 1108 1109 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response), 1110 ticket, ticket_len) < 0) { 1111 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO, 1112 rxkad_abort_resp_short_tkt); 1113 goto protocol_error; 1114 } 1115 1116 ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len, 1117 &session_key, &expiry); 1118 if (ret < 0) 1119 goto temporary_error_free_ticket; 1120 1121 /* use the session key from inside the ticket to decrypt the 1122 * response */ 1123 rxkad_decrypt_response(conn, response, &session_key); 1124 1125 if (ntohl(response->encrypted.epoch) != conn->proto.epoch || 1126 ntohl(response->encrypted.cid) != conn->proto.cid || 1127 ntohl(response->encrypted.securityIndex) != conn->security_ix) { 1128 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, 1129 rxkad_abort_resp_bad_param); 1130 goto protocol_error_free; 1131 } 1132 1133 csum = response->encrypted.checksum; 1134 response->encrypted.checksum = 0; 1135 rxkad_calc_response_checksum(response); 1136 if (response->encrypted.checksum != csum) { 1137 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, 1138 rxkad_abort_resp_bad_checksum); 1139 goto protocol_error_free; 1140 } 1141 1142 for (i = 0; i < RXRPC_MAXCALLS; i++) { 1143 u32 call_id = ntohl(response->encrypted.call_id[i]); 1144 u32 counter = READ_ONCE(conn->channels[i].call_counter); 1145 1146 if (call_id > INT_MAX) { 1147 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, 1148 rxkad_abort_resp_bad_callid); 1149 goto protocol_error_free; 1150 } 1151 1152 if (call_id < counter) { 1153 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, 1154 rxkad_abort_resp_call_ctr); 1155 goto protocol_error_free; 1156 } 1157 1158 if (call_id > counter) { 1159 if (conn->channels[i].call) { 1160 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, 1161 rxkad_abort_resp_call_state); 1162 goto protocol_error_free; 1163 } 1164 conn->channels[i].call_counter = call_id; 1165 } 1166 } 1167 1168 if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) { 1169 rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO, 1170 rxkad_abort_resp_ooseq); 1171 goto protocol_error_free; 1172 } 1173 1174 level = ntohl(response->encrypted.level); 1175 if (level > RXRPC_SECURITY_ENCRYPT) { 1176 rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO, 1177 rxkad_abort_resp_level); 1178 goto protocol_error_free; 1179 } 1180 conn->security_level = level; 1181 1182 /* create a key to hold the security data and expiration time - after 1183 * this the connection security can be handled in exactly the same way 1184 * as for a client connection */ 1185 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); 1186 if (ret < 0) 1187 goto temporary_error_free_ticket; 1188 1189 kfree(ticket); 1190 kfree(response); 1191 _leave(" = 0"); 1192 return 0; 1193 1194 protocol_error_free: 1195 kfree(ticket); 1196 protocol_error: 1197 kfree(response); 1198 key_put(server_key); 1199 return -EPROTO; 1200 1201 temporary_error_free_ticket: 1202 kfree(ticket); 1203 temporary_error_free_resp: 1204 kfree(response); 1205 temporary_error: 1206 /* Ignore the response packet if we got a temporary error such as 1207 * ENOMEM. We just want to send the challenge again. Note that we 1208 * also come out this way if the ticket decryption fails. 1209 */ 1210 key_put(server_key); 1211 return ret; 1212 } 1213 1214 /* 1215 * clear the connection security 1216 */ 1217 static void rxkad_clear(struct rxrpc_connection *conn) 1218 { 1219 _enter(""); 1220 1221 if (conn->rxkad.cipher) 1222 crypto_free_sync_skcipher(conn->rxkad.cipher); 1223 } 1224 1225 /* 1226 * Initialise the rxkad security service. 1227 */ 1228 static int rxkad_init(void) 1229 { 1230 struct crypto_sync_skcipher *tfm; 1231 struct skcipher_request *req; 1232 1233 /* pin the cipher we need so that the crypto layer doesn't invoke 1234 * keventd to go get it */ 1235 tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0); 1236 if (IS_ERR(tfm)) 1237 return PTR_ERR(tfm); 1238 1239 req = skcipher_request_alloc(&tfm->base, GFP_KERNEL); 1240 if (!req) 1241 goto nomem_tfm; 1242 1243 rxkad_ci_req = req; 1244 rxkad_ci = tfm; 1245 return 0; 1246 1247 nomem_tfm: 1248 crypto_free_sync_skcipher(tfm); 1249 return -ENOMEM; 1250 } 1251 1252 /* 1253 * Clean up the rxkad security service. 1254 */ 1255 static void rxkad_exit(void) 1256 { 1257 crypto_free_sync_skcipher(rxkad_ci); 1258 skcipher_request_free(rxkad_ci_req); 1259 } 1260 1261 /* 1262 * RxRPC Kerberos-based security 1263 */ 1264 const struct rxrpc_security rxkad = { 1265 .name = "rxkad", 1266 .security_index = RXRPC_SECURITY_RXKAD, 1267 .no_key_abort = RXKADUNKNOWNKEY, 1268 .init = rxkad_init, 1269 .exit = rxkad_exit, 1270 .preparse_server_key = rxkad_preparse_server_key, 1271 .free_preparse_server_key = rxkad_free_preparse_server_key, 1272 .destroy_server_key = rxkad_destroy_server_key, 1273 .init_connection_security = rxkad_init_connection_security, 1274 .alloc_txbuf = rxkad_alloc_txbuf, 1275 .secure_packet = rxkad_secure_packet, 1276 .verify_packet = rxkad_verify_packet, 1277 .free_call_crypto = rxkad_free_call_crypto, 1278 .issue_challenge = rxkad_issue_challenge, 1279 .respond_to_challenge = rxkad_respond_to_challenge, 1280 .verify_response = rxkad_verify_response, 1281 .clear = rxkad_clear, 1282 }; 1283