1 /* Kerberos-based RxRPC security 2 * 3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <crypto/skcipher.h> 13 #include <linux/module.h> 14 #include <linux/net.h> 15 #include <linux/skbuff.h> 16 #include <linux/udp.h> 17 #include <linux/scatterlist.h> 18 #include <linux/ctype.h> 19 #include <linux/slab.h> 20 #include <net/sock.h> 21 #include <net/af_rxrpc.h> 22 #include <keys/rxrpc-type.h> 23 #define rxrpc_debug rxkad_debug 24 #include "ar-internal.h" 25 26 #define RXKAD_VERSION 2 27 #define MAXKRB5TICKETLEN 1024 28 #define RXKAD_TKT_TYPE_KERBEROS_V5 256 29 #define ANAME_SZ 40 /* size of authentication name */ 30 #define INST_SZ 40 /* size of principal's instance */ 31 #define REALM_SZ 40 /* size of principal's auth domain */ 32 #define SNAME_SZ 40 /* size of service name */ 33 34 unsigned int rxrpc_debug; 35 module_param_named(debug, rxrpc_debug, uint, S_IWUSR | S_IRUGO); 36 MODULE_PARM_DESC(debug, "rxkad debugging mask"); 37 38 struct rxkad_level1_hdr { 39 __be32 data_size; /* true data size (excluding padding) */ 40 }; 41 42 struct rxkad_level2_hdr { 43 __be32 data_size; /* true data size (excluding padding) */ 44 __be32 checksum; /* decrypted data checksum */ 45 }; 46 47 MODULE_DESCRIPTION("RxRPC network protocol type-2 security (Kerberos 4)"); 48 MODULE_AUTHOR("Red Hat, Inc."); 49 MODULE_LICENSE("GPL"); 50 51 /* 52 * this holds a pinned cipher so that keventd doesn't get called by the cipher 53 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE 54 * packets 55 */ 56 static struct crypto_skcipher *rxkad_ci; 57 static DEFINE_MUTEX(rxkad_ci_mutex); 58 59 /* 60 * initialise connection security 61 */ 62 static int rxkad_init_connection_security(struct rxrpc_connection *conn) 63 { 64 struct crypto_skcipher *ci; 65 struct rxrpc_key_token *token; 66 int ret; 67 68 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->key)); 69 70 token = conn->key->payload.data[0]; 71 conn->security_ix = token->security_index; 72 73 ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 74 if (IS_ERR(ci)) { 75 _debug("no cipher"); 76 ret = PTR_ERR(ci); 77 goto error; 78 } 79 80 if (crypto_skcipher_setkey(ci, token->kad->session_key, 81 sizeof(token->kad->session_key)) < 0) 82 BUG(); 83 84 switch (conn->security_level) { 85 case RXRPC_SECURITY_PLAIN: 86 break; 87 case RXRPC_SECURITY_AUTH: 88 conn->size_align = 8; 89 conn->security_size = sizeof(struct rxkad_level1_hdr); 90 conn->header_size += sizeof(struct rxkad_level1_hdr); 91 break; 92 case RXRPC_SECURITY_ENCRYPT: 93 conn->size_align = 8; 94 conn->security_size = sizeof(struct rxkad_level2_hdr); 95 conn->header_size += sizeof(struct rxkad_level2_hdr); 96 break; 97 default: 98 ret = -EKEYREJECTED; 99 goto error; 100 } 101 102 conn->cipher = ci; 103 ret = 0; 104 error: 105 _leave(" = %d", ret); 106 return ret; 107 } 108 109 /* 110 * prime the encryption state with the invariant parts of a connection's 111 * description 112 */ 113 static void rxkad_prime_packet_security(struct rxrpc_connection *conn) 114 { 115 struct rxrpc_key_token *token; 116 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher); 117 struct scatterlist sg[2]; 118 struct rxrpc_crypt iv; 119 struct { 120 __be32 x[4]; 121 } tmpbuf __attribute__((aligned(16))); /* must all be in same page */ 122 123 _enter(""); 124 125 if (!conn->key) 126 return; 127 128 token = conn->key->payload.data[0]; 129 memcpy(&iv, token->kad->session_key, sizeof(iv)); 130 131 tmpbuf.x[0] = htonl(conn->epoch); 132 tmpbuf.x[1] = htonl(conn->cid); 133 tmpbuf.x[2] = 0; 134 tmpbuf.x[3] = htonl(conn->security_ix); 135 136 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf)); 137 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf)); 138 139 skcipher_request_set_tfm(req, conn->cipher); 140 skcipher_request_set_callback(req, 0, NULL, NULL); 141 skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(tmpbuf), iv.x); 142 143 crypto_skcipher_encrypt(req); 144 skcipher_request_zero(req); 145 146 memcpy(&conn->csum_iv, &tmpbuf.x[2], sizeof(conn->csum_iv)); 147 ASSERTCMP((u32 __force)conn->csum_iv.n[0], ==, (u32 __force)tmpbuf.x[2]); 148 149 _leave(""); 150 } 151 152 /* 153 * partially encrypt a packet (level 1 security) 154 */ 155 static int rxkad_secure_packet_auth(const struct rxrpc_call *call, 156 struct sk_buff *skb, 157 u32 data_size, 158 void *sechdr) 159 { 160 struct rxrpc_skb_priv *sp; 161 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 162 struct rxrpc_crypt iv; 163 struct scatterlist sg[2]; 164 struct { 165 struct rxkad_level1_hdr hdr; 166 __be32 first; /* first four bytes of data and padding */ 167 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */ 168 u16 check; 169 170 sp = rxrpc_skb(skb); 171 172 _enter(""); 173 174 check = sp->hdr.seq ^ sp->hdr.callNumber; 175 data_size |= (u32)check << 16; 176 177 tmpbuf.hdr.data_size = htonl(data_size); 178 memcpy(&tmpbuf.first, sechdr + 4, sizeof(tmpbuf.first)); 179 180 /* start the encryption afresh */ 181 memset(&iv, 0, sizeof(iv)); 182 183 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf)); 184 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf)); 185 186 skcipher_request_set_tfm(req, call->conn->cipher); 187 skcipher_request_set_callback(req, 0, NULL, NULL); 188 skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(tmpbuf), iv.x); 189 190 crypto_skcipher_encrypt(req); 191 skcipher_request_zero(req); 192 193 memcpy(sechdr, &tmpbuf, sizeof(tmpbuf)); 194 195 _leave(" = 0"); 196 return 0; 197 } 198 199 /* 200 * wholly encrypt a packet (level 2 security) 201 */ 202 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, 203 struct sk_buff *skb, 204 u32 data_size, 205 void *sechdr) 206 { 207 const struct rxrpc_key_token *token; 208 struct rxkad_level2_hdr rxkhdr 209 __attribute__((aligned(8))); /* must be all on one page */ 210 struct rxrpc_skb_priv *sp; 211 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 212 struct rxrpc_crypt iv; 213 struct scatterlist sg[16]; 214 struct sk_buff *trailer; 215 unsigned int len; 216 u16 check; 217 int nsg; 218 int err; 219 220 sp = rxrpc_skb(skb); 221 222 _enter(""); 223 224 check = sp->hdr.seq ^ sp->hdr.callNumber; 225 226 rxkhdr.data_size = htonl(data_size | (u32)check << 16); 227 rxkhdr.checksum = 0; 228 229 /* encrypt from the session key */ 230 token = call->conn->key->payload.data[0]; 231 memcpy(&iv, token->kad->session_key, sizeof(iv)); 232 233 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr)); 234 sg_init_one(&sg[1], &rxkhdr, sizeof(rxkhdr)); 235 236 skcipher_request_set_tfm(req, call->conn->cipher); 237 skcipher_request_set_callback(req, 0, NULL, NULL); 238 skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(rxkhdr), iv.x); 239 240 crypto_skcipher_encrypt(req); 241 242 /* we want to encrypt the skbuff in-place */ 243 nsg = skb_cow_data(skb, 0, &trailer); 244 err = -ENOMEM; 245 if (nsg < 0 || nsg > 16) 246 goto out; 247 248 len = data_size + call->conn->size_align - 1; 249 len &= ~(call->conn->size_align - 1); 250 251 sg_init_table(sg, nsg); 252 skb_to_sgvec(skb, sg, 0, len); 253 254 skcipher_request_set_crypt(req, sg, sg, len, iv.x); 255 256 crypto_skcipher_encrypt(req); 257 258 _leave(" = 0"); 259 err = 0; 260 261 out: 262 skcipher_request_zero(req); 263 return err; 264 } 265 266 /* 267 * checksum an RxRPC packet header 268 */ 269 static int rxkad_secure_packet(const struct rxrpc_call *call, 270 struct sk_buff *skb, 271 size_t data_size, 272 void *sechdr) 273 { 274 struct rxrpc_skb_priv *sp; 275 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 276 struct rxrpc_crypt iv; 277 struct scatterlist sg[2]; 278 struct { 279 __be32 x[2]; 280 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */ 281 u32 x, y; 282 int ret; 283 284 sp = rxrpc_skb(skb); 285 286 _enter("{%d{%x}},{#%u},%zu,", 287 call->debug_id, key_serial(call->conn->key), sp->hdr.seq, 288 data_size); 289 290 if (!call->conn->cipher) 291 return 0; 292 293 ret = key_validate(call->conn->key); 294 if (ret < 0) 295 return ret; 296 297 /* continue encrypting from where we left off */ 298 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 299 300 /* calculate the security checksum */ 301 x = call->channel << (32 - RXRPC_CIDSHIFT); 302 x |= sp->hdr.seq & 0x3fffffff; 303 tmpbuf.x[0] = htonl(sp->hdr.callNumber); 304 tmpbuf.x[1] = htonl(x); 305 306 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf)); 307 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf)); 308 309 skcipher_request_set_tfm(req, call->conn->cipher); 310 skcipher_request_set_callback(req, 0, NULL, NULL); 311 skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(tmpbuf), iv.x); 312 313 crypto_skcipher_encrypt(req); 314 skcipher_request_zero(req); 315 316 y = ntohl(tmpbuf.x[1]); 317 y = (y >> 16) & 0xffff; 318 if (y == 0) 319 y = 1; /* zero checksums are not permitted */ 320 sp->hdr.cksum = y; 321 322 switch (call->conn->security_level) { 323 case RXRPC_SECURITY_PLAIN: 324 ret = 0; 325 break; 326 case RXRPC_SECURITY_AUTH: 327 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr); 328 break; 329 case RXRPC_SECURITY_ENCRYPT: 330 ret = rxkad_secure_packet_encrypt(call, skb, data_size, 331 sechdr); 332 break; 333 default: 334 ret = -EPERM; 335 break; 336 } 337 338 _leave(" = %d [set %hx]", ret, y); 339 return ret; 340 } 341 342 /* 343 * decrypt partial encryption on a packet (level 1 security) 344 */ 345 static int rxkad_verify_packet_auth(const struct rxrpc_call *call, 346 struct sk_buff *skb, 347 u32 *_abort_code) 348 { 349 struct rxkad_level1_hdr sechdr; 350 struct rxrpc_skb_priv *sp; 351 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 352 struct rxrpc_crypt iv; 353 struct scatterlist sg[16]; 354 struct sk_buff *trailer; 355 u32 data_size, buf; 356 u16 check; 357 int nsg; 358 359 _enter(""); 360 361 sp = rxrpc_skb(skb); 362 363 /* we want to decrypt the skbuff in-place */ 364 nsg = skb_cow_data(skb, 0, &trailer); 365 if (nsg < 0 || nsg > 16) 366 goto nomem; 367 368 sg_init_table(sg, nsg); 369 skb_to_sgvec(skb, sg, 0, 8); 370 371 /* start the decryption afresh */ 372 memset(&iv, 0, sizeof(iv)); 373 374 skcipher_request_set_tfm(req, call->conn->cipher); 375 skcipher_request_set_callback(req, 0, NULL, NULL); 376 skcipher_request_set_crypt(req, sg, sg, 8, iv.x); 377 378 crypto_skcipher_decrypt(req); 379 skcipher_request_zero(req); 380 381 /* remove the decrypted packet length */ 382 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0) 383 goto datalen_error; 384 if (!skb_pull(skb, sizeof(sechdr))) 385 BUG(); 386 387 buf = ntohl(sechdr.data_size); 388 data_size = buf & 0xffff; 389 390 check = buf >> 16; 391 check ^= sp->hdr.seq ^ sp->hdr.callNumber; 392 check &= 0xffff; 393 if (check != 0) { 394 *_abort_code = RXKADSEALEDINCON; 395 goto protocol_error; 396 } 397 398 /* shorten the packet to remove the padding */ 399 if (data_size > skb->len) 400 goto datalen_error; 401 else if (data_size < skb->len) 402 skb->len = data_size; 403 404 _leave(" = 0 [dlen=%x]", data_size); 405 return 0; 406 407 datalen_error: 408 *_abort_code = RXKADDATALEN; 409 protocol_error: 410 _leave(" = -EPROTO"); 411 return -EPROTO; 412 413 nomem: 414 _leave(" = -ENOMEM"); 415 return -ENOMEM; 416 } 417 418 /* 419 * wholly decrypt a packet (level 2 security) 420 */ 421 static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call, 422 struct sk_buff *skb, 423 u32 *_abort_code) 424 { 425 const struct rxrpc_key_token *token; 426 struct rxkad_level2_hdr sechdr; 427 struct rxrpc_skb_priv *sp; 428 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 429 struct rxrpc_crypt iv; 430 struct scatterlist _sg[4], *sg; 431 struct sk_buff *trailer; 432 u32 data_size, buf; 433 u16 check; 434 int nsg; 435 436 _enter(",{%d}", skb->len); 437 438 sp = rxrpc_skb(skb); 439 440 /* we want to decrypt the skbuff in-place */ 441 nsg = skb_cow_data(skb, 0, &trailer); 442 if (nsg < 0) 443 goto nomem; 444 445 sg = _sg; 446 if (unlikely(nsg > 4)) { 447 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO); 448 if (!sg) 449 goto nomem; 450 } 451 452 sg_init_table(sg, nsg); 453 skb_to_sgvec(skb, sg, 0, skb->len); 454 455 /* decrypt from the session key */ 456 token = call->conn->key->payload.data[0]; 457 memcpy(&iv, token->kad->session_key, sizeof(iv)); 458 459 skcipher_request_set_tfm(req, call->conn->cipher); 460 skcipher_request_set_callback(req, 0, NULL, NULL); 461 skcipher_request_set_crypt(req, sg, sg, skb->len, iv.x); 462 463 crypto_skcipher_decrypt(req); 464 skcipher_request_zero(req); 465 if (sg != _sg) 466 kfree(sg); 467 468 /* remove the decrypted packet length */ 469 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0) 470 goto datalen_error; 471 if (!skb_pull(skb, sizeof(sechdr))) 472 BUG(); 473 474 buf = ntohl(sechdr.data_size); 475 data_size = buf & 0xffff; 476 477 check = buf >> 16; 478 check ^= sp->hdr.seq ^ sp->hdr.callNumber; 479 check &= 0xffff; 480 if (check != 0) { 481 *_abort_code = RXKADSEALEDINCON; 482 goto protocol_error; 483 } 484 485 /* shorten the packet to remove the padding */ 486 if (data_size > skb->len) 487 goto datalen_error; 488 else if (data_size < skb->len) 489 skb->len = data_size; 490 491 _leave(" = 0 [dlen=%x]", data_size); 492 return 0; 493 494 datalen_error: 495 *_abort_code = RXKADDATALEN; 496 protocol_error: 497 _leave(" = -EPROTO"); 498 return -EPROTO; 499 500 nomem: 501 _leave(" = -ENOMEM"); 502 return -ENOMEM; 503 } 504 505 /* 506 * verify the security on a received packet 507 */ 508 static int rxkad_verify_packet(const struct rxrpc_call *call, 509 struct sk_buff *skb, 510 u32 *_abort_code) 511 { 512 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 513 struct rxrpc_skb_priv *sp; 514 struct rxrpc_crypt iv; 515 struct scatterlist sg[2]; 516 struct { 517 __be32 x[2]; 518 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */ 519 u16 cksum; 520 u32 x, y; 521 int ret; 522 523 sp = rxrpc_skb(skb); 524 525 _enter("{%d{%x}},{#%u}", 526 call->debug_id, key_serial(call->conn->key), sp->hdr.seq); 527 528 if (!call->conn->cipher) 529 return 0; 530 531 if (sp->hdr.securityIndex != RXRPC_SECURITY_RXKAD) { 532 *_abort_code = RXKADINCONSISTENCY; 533 _leave(" = -EPROTO [not rxkad]"); 534 return -EPROTO; 535 } 536 537 /* continue encrypting from where we left off */ 538 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 539 540 /* validate the security checksum */ 541 x = call->channel << (32 - RXRPC_CIDSHIFT); 542 x |= sp->hdr.seq & 0x3fffffff; 543 tmpbuf.x[0] = htonl(call->call_id); 544 tmpbuf.x[1] = htonl(x); 545 546 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf)); 547 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf)); 548 549 skcipher_request_set_tfm(req, call->conn->cipher); 550 skcipher_request_set_callback(req, 0, NULL, NULL); 551 skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(tmpbuf), iv.x); 552 553 crypto_skcipher_encrypt(req); 554 skcipher_request_zero(req); 555 556 y = ntohl(tmpbuf.x[1]); 557 cksum = (y >> 16) & 0xffff; 558 if (cksum == 0) 559 cksum = 1; /* zero checksums are not permitted */ 560 561 if (sp->hdr.cksum != cksum) { 562 *_abort_code = RXKADSEALEDINCON; 563 _leave(" = -EPROTO [csum failed]"); 564 return -EPROTO; 565 } 566 567 switch (call->conn->security_level) { 568 case RXRPC_SECURITY_PLAIN: 569 ret = 0; 570 break; 571 case RXRPC_SECURITY_AUTH: 572 ret = rxkad_verify_packet_auth(call, skb, _abort_code); 573 break; 574 case RXRPC_SECURITY_ENCRYPT: 575 ret = rxkad_verify_packet_encrypt(call, skb, _abort_code); 576 break; 577 default: 578 ret = -ENOANO; 579 break; 580 } 581 582 _leave(" = %d", ret); 583 return ret; 584 } 585 586 /* 587 * issue a challenge 588 */ 589 static int rxkad_issue_challenge(struct rxrpc_connection *conn) 590 { 591 struct rxkad_challenge challenge; 592 struct rxrpc_wire_header whdr; 593 struct msghdr msg; 594 struct kvec iov[2]; 595 size_t len; 596 u32 serial; 597 int ret; 598 599 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key)); 600 601 ret = key_validate(conn->key); 602 if (ret < 0) 603 return ret; 604 605 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce)); 606 607 challenge.version = htonl(2); 608 challenge.nonce = htonl(conn->security_nonce); 609 challenge.min_level = htonl(0); 610 challenge.__padding = 0; 611 612 msg.msg_name = &conn->trans->peer->srx.transport.sin; 613 msg.msg_namelen = sizeof(conn->trans->peer->srx.transport.sin); 614 msg.msg_control = NULL; 615 msg.msg_controllen = 0; 616 msg.msg_flags = 0; 617 618 whdr.epoch = htonl(conn->epoch); 619 whdr.cid = htonl(conn->cid); 620 whdr.callNumber = 0; 621 whdr.seq = 0; 622 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE; 623 whdr.flags = conn->out_clientflag; 624 whdr.userStatus = 0; 625 whdr.securityIndex = conn->security_ix; 626 whdr._rsvd = 0; 627 whdr.serviceId = htons(conn->service_id); 628 629 iov[0].iov_base = &whdr; 630 iov[0].iov_len = sizeof(whdr); 631 iov[1].iov_base = &challenge; 632 iov[1].iov_len = sizeof(challenge); 633 634 len = iov[0].iov_len + iov[1].iov_len; 635 636 serial = atomic_inc_return(&conn->serial); 637 whdr.serial = htonl(serial); 638 _proto("Tx CHALLENGE %%%u", serial); 639 640 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len); 641 if (ret < 0) { 642 _debug("sendmsg failed: %d", ret); 643 return -EAGAIN; 644 } 645 646 _leave(" = 0"); 647 return 0; 648 } 649 650 /* 651 * send a Kerberos security response 652 */ 653 static int rxkad_send_response(struct rxrpc_connection *conn, 654 struct rxrpc_host_header *hdr, 655 struct rxkad_response *resp, 656 const struct rxkad_key *s2) 657 { 658 struct rxrpc_wire_header whdr; 659 struct msghdr msg; 660 struct kvec iov[3]; 661 size_t len; 662 u32 serial; 663 int ret; 664 665 _enter(""); 666 667 msg.msg_name = &conn->trans->peer->srx.transport.sin; 668 msg.msg_namelen = sizeof(conn->trans->peer->srx.transport.sin); 669 msg.msg_control = NULL; 670 msg.msg_controllen = 0; 671 msg.msg_flags = 0; 672 673 memset(&whdr, 0, sizeof(whdr)); 674 whdr.epoch = htonl(hdr->epoch); 675 whdr.cid = htonl(hdr->cid); 676 whdr.type = RXRPC_PACKET_TYPE_RESPONSE; 677 whdr.flags = conn->out_clientflag; 678 whdr.securityIndex = hdr->securityIndex; 679 whdr.serviceId = htons(hdr->serviceId); 680 681 iov[0].iov_base = &whdr; 682 iov[0].iov_len = sizeof(whdr); 683 iov[1].iov_base = resp; 684 iov[1].iov_len = sizeof(*resp); 685 iov[2].iov_base = (void *)s2->ticket; 686 iov[2].iov_len = s2->ticket_len; 687 688 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len; 689 690 serial = atomic_inc_return(&conn->serial); 691 whdr.serial = htonl(serial); 692 _proto("Tx RESPONSE %%%u", serial); 693 694 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); 695 if (ret < 0) { 696 _debug("sendmsg failed: %d", ret); 697 return -EAGAIN; 698 } 699 700 _leave(" = 0"); 701 return 0; 702 } 703 704 /* 705 * calculate the response checksum 706 */ 707 static void rxkad_calc_response_checksum(struct rxkad_response *response) 708 { 709 u32 csum = 1000003; 710 int loop; 711 u8 *p = (u8 *) response; 712 713 for (loop = sizeof(*response); loop > 0; loop--) 714 csum = csum * 0x10204081 + *p++; 715 716 response->encrypted.checksum = htonl(csum); 717 } 718 719 /* 720 * load a scatterlist with a potentially split-page buffer 721 */ 722 static void rxkad_sg_set_buf2(struct scatterlist sg[2], 723 void *buf, size_t buflen) 724 { 725 int nsg = 1; 726 727 sg_init_table(sg, 2); 728 729 sg_set_buf(&sg[0], buf, buflen); 730 if (sg[0].offset + buflen > PAGE_SIZE) { 731 /* the buffer was split over two pages */ 732 sg[0].length = PAGE_SIZE - sg[0].offset; 733 sg_set_buf(&sg[1], buf + sg[0].length, buflen - sg[0].length); 734 nsg++; 735 } 736 737 sg_mark_end(&sg[nsg - 1]); 738 739 ASSERTCMP(sg[0].length + sg[1].length, ==, buflen); 740 } 741 742 /* 743 * encrypt the response packet 744 */ 745 static void rxkad_encrypt_response(struct rxrpc_connection *conn, 746 struct rxkad_response *resp, 747 const struct rxkad_key *s2) 748 { 749 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher); 750 struct rxrpc_crypt iv; 751 struct scatterlist sg[2]; 752 753 /* continue encrypting from where we left off */ 754 memcpy(&iv, s2->session_key, sizeof(iv)); 755 756 rxkad_sg_set_buf2(sg, &resp->encrypted, sizeof(resp->encrypted)); 757 758 skcipher_request_set_tfm(req, conn->cipher); 759 skcipher_request_set_callback(req, 0, NULL, NULL); 760 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 761 762 crypto_skcipher_encrypt(req); 763 skcipher_request_zero(req); 764 } 765 766 /* 767 * respond to a challenge packet 768 */ 769 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn, 770 struct sk_buff *skb, 771 u32 *_abort_code) 772 { 773 const struct rxrpc_key_token *token; 774 struct rxkad_challenge challenge; 775 struct rxkad_response resp 776 __attribute__((aligned(8))); /* must be aligned for crypto */ 777 struct rxrpc_skb_priv *sp; 778 u32 version, nonce, min_level, abort_code; 779 int ret; 780 781 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key)); 782 783 if (!conn->key) { 784 _leave(" = -EPROTO [no key]"); 785 return -EPROTO; 786 } 787 788 ret = key_validate(conn->key); 789 if (ret < 0) { 790 *_abort_code = RXKADEXPIRED; 791 return ret; 792 } 793 794 abort_code = RXKADPACKETSHORT; 795 sp = rxrpc_skb(skb); 796 if (skb_copy_bits(skb, 0, &challenge, sizeof(challenge)) < 0) 797 goto protocol_error; 798 799 version = ntohl(challenge.version); 800 nonce = ntohl(challenge.nonce); 801 min_level = ntohl(challenge.min_level); 802 803 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }", 804 sp->hdr.serial, version, nonce, min_level); 805 806 abort_code = RXKADINCONSISTENCY; 807 if (version != RXKAD_VERSION) 808 goto protocol_error; 809 810 abort_code = RXKADLEVELFAIL; 811 if (conn->security_level < min_level) 812 goto protocol_error; 813 814 token = conn->key->payload.data[0]; 815 816 /* build the response packet */ 817 memset(&resp, 0, sizeof(resp)); 818 819 resp.version = htonl(RXKAD_VERSION); 820 resp.encrypted.epoch = htonl(conn->epoch); 821 resp.encrypted.cid = htonl(conn->cid); 822 resp.encrypted.securityIndex = htonl(conn->security_ix); 823 resp.encrypted.inc_nonce = htonl(nonce + 1); 824 resp.encrypted.level = htonl(conn->security_level); 825 resp.kvno = htonl(token->kad->kvno); 826 resp.ticket_len = htonl(token->kad->ticket_len); 827 828 resp.encrypted.call_id[0] = 829 htonl(conn->channels[0] ? conn->channels[0]->call_id : 0); 830 resp.encrypted.call_id[1] = 831 htonl(conn->channels[1] ? conn->channels[1]->call_id : 0); 832 resp.encrypted.call_id[2] = 833 htonl(conn->channels[2] ? conn->channels[2]->call_id : 0); 834 resp.encrypted.call_id[3] = 835 htonl(conn->channels[3] ? conn->channels[3]->call_id : 0); 836 837 /* calculate the response checksum and then do the encryption */ 838 rxkad_calc_response_checksum(&resp); 839 rxkad_encrypt_response(conn, &resp, token->kad); 840 return rxkad_send_response(conn, &sp->hdr, &resp, token->kad); 841 842 protocol_error: 843 *_abort_code = abort_code; 844 _leave(" = -EPROTO [%d]", abort_code); 845 return -EPROTO; 846 } 847 848 /* 849 * decrypt the kerberos IV ticket in the response 850 */ 851 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn, 852 void *ticket, size_t ticket_len, 853 struct rxrpc_crypt *_session_key, 854 time_t *_expiry, 855 u32 *_abort_code) 856 { 857 struct skcipher_request *req; 858 struct rxrpc_crypt iv, key; 859 struct scatterlist sg[1]; 860 struct in_addr addr; 861 unsigned int life; 862 time_t issue, now; 863 bool little_endian; 864 int ret; 865 u8 *p, *q, *name, *end; 866 867 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key)); 868 869 *_expiry = 0; 870 871 ret = key_validate(conn->server_key); 872 if (ret < 0) { 873 switch (ret) { 874 case -EKEYEXPIRED: 875 *_abort_code = RXKADEXPIRED; 876 goto error; 877 default: 878 *_abort_code = RXKADNOAUTH; 879 goto error; 880 } 881 } 882 883 ASSERT(conn->server_key->payload.data[0] != NULL); 884 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0); 885 886 memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv)); 887 888 req = skcipher_request_alloc(conn->server_key->payload.data[0], 889 GFP_NOFS); 890 if (!req) { 891 *_abort_code = RXKADNOAUTH; 892 ret = -ENOMEM; 893 goto error; 894 } 895 896 sg_init_one(&sg[0], ticket, ticket_len); 897 898 skcipher_request_set_callback(req, 0, NULL, NULL); 899 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x); 900 901 crypto_skcipher_decrypt(req); 902 skcipher_request_free(req); 903 904 p = ticket; 905 end = p + ticket_len; 906 907 #define Z(size) \ 908 ({ \ 909 u8 *__str = p; \ 910 q = memchr(p, 0, end - p); \ 911 if (!q || q - p > (size)) \ 912 goto bad_ticket; \ 913 for (; p < q; p++) \ 914 if (!isprint(*p)) \ 915 goto bad_ticket; \ 916 p++; \ 917 __str; \ 918 }) 919 920 /* extract the ticket flags */ 921 _debug("KIV FLAGS: %x", *p); 922 little_endian = *p & 1; 923 p++; 924 925 /* extract the authentication name */ 926 name = Z(ANAME_SZ); 927 _debug("KIV ANAME: %s", name); 928 929 /* extract the principal's instance */ 930 name = Z(INST_SZ); 931 _debug("KIV INST : %s", name); 932 933 /* extract the principal's authentication domain */ 934 name = Z(REALM_SZ); 935 _debug("KIV REALM: %s", name); 936 937 if (end - p < 4 + 8 + 4 + 2) 938 goto bad_ticket; 939 940 /* get the IPv4 address of the entity that requested the ticket */ 941 memcpy(&addr, p, sizeof(addr)); 942 p += 4; 943 _debug("KIV ADDR : %pI4", &addr); 944 945 /* get the session key from the ticket */ 946 memcpy(&key, p, sizeof(key)); 947 p += 8; 948 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1])); 949 memcpy(_session_key, &key, sizeof(key)); 950 951 /* get the ticket's lifetime */ 952 life = *p++ * 5 * 60; 953 _debug("KIV LIFE : %u", life); 954 955 /* get the issue time of the ticket */ 956 if (little_endian) { 957 __le32 stamp; 958 memcpy(&stamp, p, 4); 959 issue = le32_to_cpu(stamp); 960 } else { 961 __be32 stamp; 962 memcpy(&stamp, p, 4); 963 issue = be32_to_cpu(stamp); 964 } 965 p += 4; 966 now = get_seconds(); 967 _debug("KIV ISSUE: %lx [%lx]", issue, now); 968 969 /* check the ticket is in date */ 970 if (issue > now) { 971 *_abort_code = RXKADNOAUTH; 972 ret = -EKEYREJECTED; 973 goto error; 974 } 975 976 if (issue < now - life) { 977 *_abort_code = RXKADEXPIRED; 978 ret = -EKEYEXPIRED; 979 goto error; 980 } 981 982 *_expiry = issue + life; 983 984 /* get the service name */ 985 name = Z(SNAME_SZ); 986 _debug("KIV SNAME: %s", name); 987 988 /* get the service instance name */ 989 name = Z(INST_SZ); 990 _debug("KIV SINST: %s", name); 991 992 ret = 0; 993 error: 994 _leave(" = %d", ret); 995 return ret; 996 997 bad_ticket: 998 *_abort_code = RXKADBADTICKET; 999 ret = -EBADMSG; 1000 goto error; 1001 } 1002 1003 /* 1004 * decrypt the response packet 1005 */ 1006 static void rxkad_decrypt_response(struct rxrpc_connection *conn, 1007 struct rxkad_response *resp, 1008 const struct rxrpc_crypt *session_key) 1009 { 1010 SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci); 1011 struct scatterlist sg[2]; 1012 struct rxrpc_crypt iv; 1013 1014 _enter(",,%08x%08x", 1015 ntohl(session_key->n[0]), ntohl(session_key->n[1])); 1016 1017 ASSERT(rxkad_ci != NULL); 1018 1019 mutex_lock(&rxkad_ci_mutex); 1020 if (crypto_skcipher_setkey(rxkad_ci, session_key->x, 1021 sizeof(*session_key)) < 0) 1022 BUG(); 1023 1024 memcpy(&iv, session_key, sizeof(iv)); 1025 1026 rxkad_sg_set_buf2(sg, &resp->encrypted, sizeof(resp->encrypted)); 1027 1028 skcipher_request_set_tfm(req, rxkad_ci); 1029 skcipher_request_set_callback(req, 0, NULL, NULL); 1030 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 1031 1032 crypto_skcipher_decrypt(req); 1033 skcipher_request_zero(req); 1034 1035 mutex_unlock(&rxkad_ci_mutex); 1036 1037 _leave(""); 1038 } 1039 1040 /* 1041 * verify a response 1042 */ 1043 static int rxkad_verify_response(struct rxrpc_connection *conn, 1044 struct sk_buff *skb, 1045 u32 *_abort_code) 1046 { 1047 struct rxkad_response response 1048 __attribute__((aligned(8))); /* must be aligned for crypto */ 1049 struct rxrpc_skb_priv *sp; 1050 struct rxrpc_crypt session_key; 1051 time_t expiry; 1052 void *ticket; 1053 u32 abort_code, version, kvno, ticket_len, level; 1054 __be32 csum; 1055 int ret; 1056 1057 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key)); 1058 1059 abort_code = RXKADPACKETSHORT; 1060 if (skb_copy_bits(skb, 0, &response, sizeof(response)) < 0) 1061 goto protocol_error; 1062 if (!pskb_pull(skb, sizeof(response))) 1063 BUG(); 1064 1065 version = ntohl(response.version); 1066 ticket_len = ntohl(response.ticket_len); 1067 kvno = ntohl(response.kvno); 1068 sp = rxrpc_skb(skb); 1069 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }", 1070 sp->hdr.serial, version, kvno, ticket_len); 1071 1072 abort_code = RXKADINCONSISTENCY; 1073 if (version != RXKAD_VERSION) 1074 goto protocol_error; 1075 1076 abort_code = RXKADTICKETLEN; 1077 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) 1078 goto protocol_error; 1079 1080 abort_code = RXKADUNKNOWNKEY; 1081 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) 1082 goto protocol_error; 1083 1084 /* extract the kerberos ticket and decrypt and decode it */ 1085 ticket = kmalloc(ticket_len, GFP_NOFS); 1086 if (!ticket) 1087 return -ENOMEM; 1088 1089 abort_code = RXKADPACKETSHORT; 1090 if (skb_copy_bits(skb, 0, ticket, ticket_len) < 0) 1091 goto protocol_error_free; 1092 1093 ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key, 1094 &expiry, &abort_code); 1095 if (ret < 0) { 1096 *_abort_code = abort_code; 1097 kfree(ticket); 1098 return ret; 1099 } 1100 1101 /* use the session key from inside the ticket to decrypt the 1102 * response */ 1103 rxkad_decrypt_response(conn, &response, &session_key); 1104 1105 abort_code = RXKADSEALEDINCON; 1106 if (ntohl(response.encrypted.epoch) != conn->epoch) 1107 goto protocol_error_free; 1108 if (ntohl(response.encrypted.cid) != conn->cid) 1109 goto protocol_error_free; 1110 if (ntohl(response.encrypted.securityIndex) != conn->security_ix) 1111 goto protocol_error_free; 1112 csum = response.encrypted.checksum; 1113 response.encrypted.checksum = 0; 1114 rxkad_calc_response_checksum(&response); 1115 if (response.encrypted.checksum != csum) 1116 goto protocol_error_free; 1117 1118 if (ntohl(response.encrypted.call_id[0]) > INT_MAX || 1119 ntohl(response.encrypted.call_id[1]) > INT_MAX || 1120 ntohl(response.encrypted.call_id[2]) > INT_MAX || 1121 ntohl(response.encrypted.call_id[3]) > INT_MAX) 1122 goto protocol_error_free; 1123 1124 abort_code = RXKADOUTOFSEQUENCE; 1125 if (ntohl(response.encrypted.inc_nonce) != conn->security_nonce + 1) 1126 goto protocol_error_free; 1127 1128 abort_code = RXKADLEVELFAIL; 1129 level = ntohl(response.encrypted.level); 1130 if (level > RXRPC_SECURITY_ENCRYPT) 1131 goto protocol_error_free; 1132 conn->security_level = level; 1133 1134 /* create a key to hold the security data and expiration time - after 1135 * this the connection security can be handled in exactly the same way 1136 * as for a client connection */ 1137 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); 1138 if (ret < 0) { 1139 kfree(ticket); 1140 return ret; 1141 } 1142 1143 kfree(ticket); 1144 _leave(" = 0"); 1145 return 0; 1146 1147 protocol_error_free: 1148 kfree(ticket); 1149 protocol_error: 1150 *_abort_code = abort_code; 1151 _leave(" = -EPROTO [%d]", abort_code); 1152 return -EPROTO; 1153 } 1154 1155 /* 1156 * clear the connection security 1157 */ 1158 static void rxkad_clear(struct rxrpc_connection *conn) 1159 { 1160 _enter(""); 1161 1162 if (conn->cipher) 1163 crypto_free_skcipher(conn->cipher); 1164 } 1165 1166 /* 1167 * RxRPC Kerberos-based security 1168 */ 1169 static struct rxrpc_security rxkad = { 1170 .owner = THIS_MODULE, 1171 .name = "rxkad", 1172 .security_index = RXRPC_SECURITY_RXKAD, 1173 .init_connection_security = rxkad_init_connection_security, 1174 .prime_packet_security = rxkad_prime_packet_security, 1175 .secure_packet = rxkad_secure_packet, 1176 .verify_packet = rxkad_verify_packet, 1177 .issue_challenge = rxkad_issue_challenge, 1178 .respond_to_challenge = rxkad_respond_to_challenge, 1179 .verify_response = rxkad_verify_response, 1180 .clear = rxkad_clear, 1181 }; 1182 1183 static __init int rxkad_init(void) 1184 { 1185 _enter(""); 1186 1187 /* pin the cipher we need so that the crypto layer doesn't invoke 1188 * keventd to go get it */ 1189 rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 1190 if (IS_ERR(rxkad_ci)) 1191 return PTR_ERR(rxkad_ci); 1192 1193 return rxrpc_register_security(&rxkad); 1194 } 1195 1196 module_init(rxkad_init); 1197 1198 static __exit void rxkad_exit(void) 1199 { 1200 _enter(""); 1201 1202 rxrpc_unregister_security(&rxkad); 1203 crypto_free_skcipher(rxkad_ci); 1204 } 1205 1206 module_exit(rxkad_exit); 1207