1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Kerberos-based RxRPC security 3 * 4 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 9 10 #include <crypto/skcipher.h> 11 #include <linux/module.h> 12 #include <linux/net.h> 13 #include <linux/skbuff.h> 14 #include <linux/udp.h> 15 #include <linux/scatterlist.h> 16 #include <linux/ctype.h> 17 #include <linux/slab.h> 18 #include <linux/key-type.h> 19 #include <net/sock.h> 20 #include <net/af_rxrpc.h> 21 #include <keys/rxrpc-type.h> 22 #include "ar-internal.h" 23 24 #define RXKAD_VERSION 2 25 #define MAXKRB5TICKETLEN 1024 26 #define RXKAD_TKT_TYPE_KERBEROS_V5 256 27 #define ANAME_SZ 40 /* size of authentication name */ 28 #define INST_SZ 40 /* size of principal's instance */ 29 #define REALM_SZ 40 /* size of principal's auth domain */ 30 #define SNAME_SZ 40 /* size of service name */ 31 #define RXKAD_ALIGN 8 32 33 struct rxkad_level1_hdr { 34 __be32 data_size; /* true data size (excluding padding) */ 35 }; 36 37 struct rxkad_level2_hdr { 38 __be32 data_size; /* true data size (excluding padding) */ 39 __be32 checksum; /* decrypted data checksum */ 40 }; 41 42 static int rxkad_prime_packet_security(struct rxrpc_connection *conn, 43 struct crypto_sync_skcipher *ci); 44 45 /* 46 * this holds a pinned cipher so that keventd doesn't get called by the cipher 47 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE 48 * packets 49 */ 50 static struct crypto_sync_skcipher *rxkad_ci; 51 static struct skcipher_request *rxkad_ci_req; 52 static DEFINE_MUTEX(rxkad_ci_mutex); 53 54 /* 55 * Parse the information from a server key 56 * 57 * The data should be the 8-byte secret key. 58 */ 59 static int rxkad_preparse_server_key(struct key_preparsed_payload *prep) 60 { 61 struct crypto_skcipher *ci; 62 63 if (prep->datalen != 8) 64 return -EINVAL; 65 66 memcpy(&prep->payload.data[2], prep->data, 8); 67 68 ci = crypto_alloc_skcipher("pcbc(des)", 0, CRYPTO_ALG_ASYNC); 69 if (IS_ERR(ci)) { 70 _leave(" = %ld", PTR_ERR(ci)); 71 return PTR_ERR(ci); 72 } 73 74 if (crypto_skcipher_setkey(ci, prep->data, 8) < 0) 75 BUG(); 76 77 prep->payload.data[0] = ci; 78 _leave(" = 0"); 79 return 0; 80 } 81 82 static void rxkad_free_preparse_server_key(struct key_preparsed_payload *prep) 83 { 84 85 if (prep->payload.data[0]) 86 crypto_free_skcipher(prep->payload.data[0]); 87 } 88 89 static void rxkad_destroy_server_key(struct key *key) 90 { 91 if (key->payload.data[0]) { 92 crypto_free_skcipher(key->payload.data[0]); 93 key->payload.data[0] = NULL; 94 } 95 } 96 97 /* 98 * initialise connection security 99 */ 100 static int rxkad_init_connection_security(struct rxrpc_connection *conn, 101 struct rxrpc_key_token *token) 102 { 103 struct crypto_sync_skcipher *ci; 104 int ret; 105 106 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->key)); 107 108 conn->security_ix = token->security_index; 109 110 ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0); 111 if (IS_ERR(ci)) { 112 _debug("no cipher"); 113 ret = PTR_ERR(ci); 114 goto error; 115 } 116 117 if (crypto_sync_skcipher_setkey(ci, token->kad->session_key, 118 sizeof(token->kad->session_key)) < 0) 119 BUG(); 120 121 switch (conn->security_level) { 122 case RXRPC_SECURITY_PLAIN: 123 case RXRPC_SECURITY_AUTH: 124 case RXRPC_SECURITY_ENCRYPT: 125 break; 126 default: 127 ret = -EKEYREJECTED; 128 goto error; 129 } 130 131 ret = rxkad_prime_packet_security(conn, ci); 132 if (ret < 0) 133 goto error_ci; 134 135 conn->rxkad.cipher = ci; 136 return 0; 137 138 error_ci: 139 crypto_free_sync_skcipher(ci); 140 error: 141 _leave(" = %d", ret); 142 return ret; 143 } 144 145 /* 146 * Work out how much data we can put in a packet. 147 */ 148 static struct rxrpc_txbuf *rxkad_alloc_txbuf(struct rxrpc_call *call, size_t remain, gfp_t gfp) 149 { 150 struct rxrpc_txbuf *txb; 151 size_t shdr, alloc, limit, part; 152 153 remain = umin(remain, 65535 - sizeof(struct rxrpc_wire_header)); 154 155 switch (call->conn->security_level) { 156 default: 157 alloc = umin(remain, RXRPC_JUMBO_DATALEN); 158 return rxrpc_alloc_data_txbuf(call, alloc, 1, gfp); 159 case RXRPC_SECURITY_AUTH: 160 shdr = sizeof(struct rxkad_level1_hdr); 161 break; 162 case RXRPC_SECURITY_ENCRYPT: 163 shdr = sizeof(struct rxkad_level2_hdr); 164 break; 165 } 166 167 limit = round_down(RXRPC_JUMBO_DATALEN, RXKAD_ALIGN) - shdr; 168 if (remain < limit) { 169 part = remain; 170 alloc = round_up(shdr + part, RXKAD_ALIGN); 171 } else { 172 part = limit; 173 alloc = RXRPC_JUMBO_DATALEN; 174 } 175 176 txb = rxrpc_alloc_data_txbuf(call, alloc, RXKAD_ALIGN, gfp); 177 if (!txb) 178 return NULL; 179 180 txb->offset += shdr; 181 txb->space = part; 182 return txb; 183 } 184 185 /* 186 * prime the encryption state with the invariant parts of a connection's 187 * description 188 */ 189 static int rxkad_prime_packet_security(struct rxrpc_connection *conn, 190 struct crypto_sync_skcipher *ci) 191 { 192 struct skcipher_request *req; 193 struct rxrpc_key_token *token; 194 struct scatterlist sg; 195 struct rxrpc_crypt iv; 196 __be32 *tmpbuf; 197 size_t tmpsize = 4 * sizeof(__be32); 198 199 _enter(""); 200 201 if (!conn->key) 202 return 0; 203 204 tmpbuf = kmalloc(tmpsize, GFP_KERNEL); 205 if (!tmpbuf) 206 return -ENOMEM; 207 208 req = skcipher_request_alloc(&ci->base, GFP_NOFS); 209 if (!req) { 210 kfree(tmpbuf); 211 return -ENOMEM; 212 } 213 214 token = conn->key->payload.data[0]; 215 memcpy(&iv, token->kad->session_key, sizeof(iv)); 216 217 tmpbuf[0] = htonl(conn->proto.epoch); 218 tmpbuf[1] = htonl(conn->proto.cid); 219 tmpbuf[2] = 0; 220 tmpbuf[3] = htonl(conn->security_ix); 221 222 sg_init_one(&sg, tmpbuf, tmpsize); 223 skcipher_request_set_sync_tfm(req, ci); 224 skcipher_request_set_callback(req, 0, NULL, NULL); 225 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x); 226 crypto_skcipher_encrypt(req); 227 skcipher_request_free(req); 228 229 memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv)); 230 kfree(tmpbuf); 231 _leave(" = 0"); 232 return 0; 233 } 234 235 /* 236 * Allocate and prepare the crypto request on a call. For any particular call, 237 * this is called serially for the packets, so no lock should be necessary. 238 */ 239 static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call) 240 { 241 struct crypto_skcipher *tfm = &call->conn->rxkad.cipher->base; 242 243 return skcipher_request_alloc(tfm, GFP_NOFS); 244 } 245 246 /* 247 * Clean up the crypto on a call. 248 */ 249 static void rxkad_free_call_crypto(struct rxrpc_call *call) 250 { 251 } 252 253 /* 254 * partially encrypt a packet (level 1 security) 255 */ 256 static int rxkad_secure_packet_auth(const struct rxrpc_call *call, 257 struct rxrpc_txbuf *txb, 258 struct skcipher_request *req) 259 { 260 struct rxrpc_wire_header *whdr = txb->kvec[0].iov_base; 261 struct rxkad_level1_hdr *hdr = (void *)(whdr + 1); 262 struct rxrpc_crypt iv; 263 struct scatterlist sg; 264 size_t pad; 265 u16 check; 266 267 _enter(""); 268 269 check = txb->seq ^ call->call_id; 270 hdr->data_size = htonl((u32)check << 16 | txb->len); 271 272 txb->pkt_len = sizeof(struct rxkad_level1_hdr) + txb->len; 273 pad = txb->pkt_len; 274 pad = RXKAD_ALIGN - pad; 275 pad &= RXKAD_ALIGN - 1; 276 if (pad) { 277 memset(txb->kvec[0].iov_base + txb->offset, 0, pad); 278 txb->pkt_len += pad; 279 } 280 281 /* start the encryption afresh */ 282 memset(&iv, 0, sizeof(iv)); 283 284 sg_init_one(&sg, hdr, 8); 285 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 286 skcipher_request_set_callback(req, 0, NULL, NULL); 287 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 288 crypto_skcipher_encrypt(req); 289 skcipher_request_zero(req); 290 291 _leave(" = 0"); 292 return 0; 293 } 294 295 /* 296 * wholly encrypt a packet (level 2 security) 297 */ 298 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, 299 struct rxrpc_txbuf *txb, 300 struct skcipher_request *req) 301 { 302 const struct rxrpc_key_token *token; 303 struct rxrpc_wire_header *whdr = txb->kvec[0].iov_base; 304 struct rxkad_level2_hdr *rxkhdr = (void *)(whdr + 1); 305 struct rxrpc_crypt iv; 306 struct scatterlist sg; 307 size_t content, pad; 308 u16 check; 309 int ret; 310 311 _enter(""); 312 313 check = txb->seq ^ call->call_id; 314 315 rxkhdr->data_size = htonl(txb->len | (u32)check << 16); 316 rxkhdr->checksum = 0; 317 318 content = sizeof(struct rxkad_level2_hdr) + txb->len; 319 txb->pkt_len = round_up(content, RXKAD_ALIGN); 320 pad = txb->pkt_len - content; 321 if (pad) 322 memset(txb->kvec[0].iov_base + txb->offset, 0, pad); 323 324 /* encrypt from the session key */ 325 token = call->conn->key->payload.data[0]; 326 memcpy(&iv, token->kad->session_key, sizeof(iv)); 327 328 sg_init_one(&sg, rxkhdr, txb->pkt_len); 329 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 330 skcipher_request_set_callback(req, 0, NULL, NULL); 331 skcipher_request_set_crypt(req, &sg, &sg, txb->pkt_len, iv.x); 332 ret = crypto_skcipher_encrypt(req); 333 skcipher_request_zero(req); 334 return ret; 335 } 336 337 /* 338 * checksum an RxRPC packet header 339 */ 340 static int rxkad_secure_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb) 341 { 342 struct skcipher_request *req; 343 struct rxrpc_crypt iv; 344 struct scatterlist sg; 345 union { 346 __be32 buf[2]; 347 } crypto __aligned(8); 348 u32 x, y; 349 int ret; 350 351 _enter("{%d{%x}},{#%u},%u,", 352 call->debug_id, key_serial(call->conn->key), 353 txb->seq, txb->len); 354 355 if (!call->conn->rxkad.cipher) 356 return 0; 357 358 ret = key_validate(call->conn->key); 359 if (ret < 0) 360 return ret; 361 362 req = rxkad_get_call_crypto(call); 363 if (!req) 364 return -ENOMEM; 365 366 /* continue encrypting from where we left off */ 367 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv)); 368 369 /* calculate the security checksum */ 370 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 371 x |= txb->seq & 0x3fffffff; 372 crypto.buf[0] = htonl(call->call_id); 373 crypto.buf[1] = htonl(x); 374 375 sg_init_one(&sg, crypto.buf, 8); 376 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 377 skcipher_request_set_callback(req, 0, NULL, NULL); 378 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 379 crypto_skcipher_encrypt(req); 380 skcipher_request_zero(req); 381 382 y = ntohl(crypto.buf[1]); 383 y = (y >> 16) & 0xffff; 384 if (y == 0) 385 y = 1; /* zero checksums are not permitted */ 386 txb->cksum = htons(y); 387 388 switch (call->conn->security_level) { 389 case RXRPC_SECURITY_PLAIN: 390 txb->pkt_len = txb->len; 391 ret = 0; 392 break; 393 case RXRPC_SECURITY_AUTH: 394 ret = rxkad_secure_packet_auth(call, txb, req); 395 if (txb->alloc_size == RXRPC_JUMBO_DATALEN) 396 txb->jumboable = true; 397 break; 398 case RXRPC_SECURITY_ENCRYPT: 399 ret = rxkad_secure_packet_encrypt(call, txb, req); 400 if (txb->alloc_size == RXRPC_JUMBO_DATALEN) 401 txb->jumboable = true; 402 break; 403 default: 404 ret = -EPERM; 405 break; 406 } 407 408 /* Clear excess space in the packet */ 409 if (txb->pkt_len < txb->alloc_size) { 410 struct rxrpc_wire_header *whdr = txb->kvec[0].iov_base; 411 size_t gap = txb->alloc_size - txb->pkt_len; 412 void *p = whdr + 1; 413 414 memset(p + txb->pkt_len, 0, gap); 415 } 416 417 skcipher_request_free(req); 418 _leave(" = %d [set %x]", ret, y); 419 return ret; 420 } 421 422 /* 423 * decrypt partial encryption on a packet (level 1 security) 424 */ 425 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb, 426 rxrpc_seq_t seq, 427 struct skcipher_request *req) 428 { 429 struct rxkad_level1_hdr sechdr; 430 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 431 struct rxrpc_crypt iv; 432 struct scatterlist sg[16]; 433 u32 data_size, buf; 434 u16 check; 435 int ret; 436 437 _enter(""); 438 439 if (sp->len < 8) 440 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, 441 rxkad_abort_1_short_header); 442 443 /* Decrypt the skbuff in-place. TODO: We really want to decrypt 444 * directly into the target buffer. 445 */ 446 sg_init_table(sg, ARRAY_SIZE(sg)); 447 ret = skb_to_sgvec(skb, sg, sp->offset, 8); 448 if (unlikely(ret < 0)) 449 return ret; 450 451 /* start the decryption afresh */ 452 memset(&iv, 0, sizeof(iv)); 453 454 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 455 skcipher_request_set_callback(req, 0, NULL, NULL); 456 skcipher_request_set_crypt(req, sg, sg, 8, iv.x); 457 crypto_skcipher_decrypt(req); 458 skcipher_request_zero(req); 459 460 /* Extract the decrypted packet length */ 461 if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0) 462 return rxrpc_abort_eproto(call, skb, RXKADDATALEN, 463 rxkad_abort_1_short_encdata); 464 sp->offset += sizeof(sechdr); 465 sp->len -= sizeof(sechdr); 466 467 buf = ntohl(sechdr.data_size); 468 data_size = buf & 0xffff; 469 470 check = buf >> 16; 471 check ^= seq ^ call->call_id; 472 check &= 0xffff; 473 if (check != 0) 474 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, 475 rxkad_abort_1_short_check); 476 if (data_size > sp->len) 477 return rxrpc_abort_eproto(call, skb, RXKADDATALEN, 478 rxkad_abort_1_short_data); 479 sp->len = data_size; 480 481 _leave(" = 0 [dlen=%x]", data_size); 482 return 0; 483 } 484 485 /* 486 * wholly decrypt a packet (level 2 security) 487 */ 488 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb, 489 rxrpc_seq_t seq, 490 struct skcipher_request *req) 491 { 492 const struct rxrpc_key_token *token; 493 struct rxkad_level2_hdr sechdr; 494 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 495 struct rxrpc_crypt iv; 496 struct scatterlist _sg[4], *sg; 497 u32 data_size, buf; 498 u16 check; 499 int nsg, ret; 500 501 _enter(",{%d}", sp->len); 502 503 if (sp->len < 8) 504 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, 505 rxkad_abort_2_short_header); 506 507 /* Decrypt the skbuff in-place. TODO: We really want to decrypt 508 * directly into the target buffer. 509 */ 510 sg = _sg; 511 nsg = skb_shinfo(skb)->nr_frags + 1; 512 if (nsg <= 4) { 513 nsg = 4; 514 } else { 515 sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO); 516 if (!sg) 517 return -ENOMEM; 518 } 519 520 sg_init_table(sg, nsg); 521 ret = skb_to_sgvec(skb, sg, sp->offset, sp->len); 522 if (unlikely(ret < 0)) { 523 if (sg != _sg) 524 kfree(sg); 525 return ret; 526 } 527 528 /* decrypt from the session key */ 529 token = call->conn->key->payload.data[0]; 530 memcpy(&iv, token->kad->session_key, sizeof(iv)); 531 532 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 533 skcipher_request_set_callback(req, 0, NULL, NULL); 534 skcipher_request_set_crypt(req, sg, sg, sp->len, iv.x); 535 crypto_skcipher_decrypt(req); 536 skcipher_request_zero(req); 537 if (sg != _sg) 538 kfree(sg); 539 540 /* Extract the decrypted packet length */ 541 if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0) 542 return rxrpc_abort_eproto(call, skb, RXKADDATALEN, 543 rxkad_abort_2_short_len); 544 sp->offset += sizeof(sechdr); 545 sp->len -= sizeof(sechdr); 546 547 buf = ntohl(sechdr.data_size); 548 data_size = buf & 0xffff; 549 550 check = buf >> 16; 551 check ^= seq ^ call->call_id; 552 check &= 0xffff; 553 if (check != 0) 554 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, 555 rxkad_abort_2_short_check); 556 557 if (data_size > sp->len) 558 return rxrpc_abort_eproto(call, skb, RXKADDATALEN, 559 rxkad_abort_2_short_data); 560 561 sp->len = data_size; 562 _leave(" = 0 [dlen=%x]", data_size); 563 return 0; 564 } 565 566 /* 567 * Verify the security on a received packet and the subpackets therein. 568 */ 569 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb) 570 { 571 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 572 struct skcipher_request *req; 573 struct rxrpc_crypt iv; 574 struct scatterlist sg; 575 union { 576 __be32 buf[2]; 577 } crypto __aligned(8); 578 rxrpc_seq_t seq = sp->hdr.seq; 579 int ret; 580 u16 cksum; 581 u32 x, y; 582 583 _enter("{%d{%x}},{#%u}", 584 call->debug_id, key_serial(call->conn->key), seq); 585 586 if (!call->conn->rxkad.cipher) 587 return 0; 588 589 req = rxkad_get_call_crypto(call); 590 if (!req) 591 return -ENOMEM; 592 593 /* continue encrypting from where we left off */ 594 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv)); 595 596 /* validate the security checksum */ 597 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 598 x |= seq & 0x3fffffff; 599 crypto.buf[0] = htonl(call->call_id); 600 crypto.buf[1] = htonl(x); 601 602 sg_init_one(&sg, crypto.buf, 8); 603 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher); 604 skcipher_request_set_callback(req, 0, NULL, NULL); 605 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 606 crypto_skcipher_encrypt(req); 607 skcipher_request_zero(req); 608 609 y = ntohl(crypto.buf[1]); 610 cksum = (y >> 16) & 0xffff; 611 if (cksum == 0) 612 cksum = 1; /* zero checksums are not permitted */ 613 614 if (cksum != sp->hdr.cksum) { 615 ret = rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, 616 rxkad_abort_bad_checksum); 617 goto out; 618 } 619 620 switch (call->conn->security_level) { 621 case RXRPC_SECURITY_PLAIN: 622 ret = 0; 623 break; 624 case RXRPC_SECURITY_AUTH: 625 ret = rxkad_verify_packet_1(call, skb, seq, req); 626 break; 627 case RXRPC_SECURITY_ENCRYPT: 628 ret = rxkad_verify_packet_2(call, skb, seq, req); 629 break; 630 default: 631 ret = -ENOANO; 632 break; 633 } 634 635 out: 636 skcipher_request_free(req); 637 return ret; 638 } 639 640 /* 641 * issue a challenge 642 */ 643 static int rxkad_issue_challenge(struct rxrpc_connection *conn) 644 { 645 struct rxkad_challenge challenge; 646 struct rxrpc_wire_header whdr; 647 struct msghdr msg; 648 struct kvec iov[2]; 649 size_t len; 650 u32 serial; 651 int ret; 652 653 _enter("{%d}", conn->debug_id); 654 655 get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce)); 656 657 challenge.version = htonl(2); 658 challenge.nonce = htonl(conn->rxkad.nonce); 659 challenge.min_level = htonl(0); 660 challenge.__padding = 0; 661 662 msg.msg_name = &conn->peer->srx.transport; 663 msg.msg_namelen = conn->peer->srx.transport_len; 664 msg.msg_control = NULL; 665 msg.msg_controllen = 0; 666 msg.msg_flags = 0; 667 668 whdr.epoch = htonl(conn->proto.epoch); 669 whdr.cid = htonl(conn->proto.cid); 670 whdr.callNumber = 0; 671 whdr.seq = 0; 672 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE; 673 whdr.flags = conn->out_clientflag; 674 whdr.userStatus = 0; 675 whdr.securityIndex = conn->security_ix; 676 whdr._rsvd = 0; 677 whdr.serviceId = htons(conn->service_id); 678 679 iov[0].iov_base = &whdr; 680 iov[0].iov_len = sizeof(whdr); 681 iov[1].iov_base = &challenge; 682 iov[1].iov_len = sizeof(challenge); 683 684 len = iov[0].iov_len + iov[1].iov_len; 685 686 serial = rxrpc_get_next_serial(conn); 687 whdr.serial = htonl(serial); 688 689 ret = kernel_sendmsg(conn->local->socket, &msg, iov, 2, len); 690 if (ret < 0) { 691 trace_rxrpc_tx_fail(conn->debug_id, serial, ret, 692 rxrpc_tx_point_rxkad_challenge); 693 return -EAGAIN; 694 } 695 696 conn->peer->last_tx_at = ktime_get_seconds(); 697 trace_rxrpc_tx_packet(conn->debug_id, &whdr, 698 rxrpc_tx_point_rxkad_challenge); 699 _leave(" = 0"); 700 return 0; 701 } 702 703 /* 704 * send a Kerberos security response 705 */ 706 static int rxkad_send_response(struct rxrpc_connection *conn, 707 struct rxrpc_host_header *hdr, 708 struct rxkad_response *resp, 709 const struct rxkad_key *s2) 710 { 711 struct rxrpc_wire_header whdr; 712 struct msghdr msg; 713 struct kvec iov[3]; 714 size_t len; 715 u32 serial; 716 int ret; 717 718 _enter(""); 719 720 msg.msg_name = &conn->peer->srx.transport; 721 msg.msg_namelen = conn->peer->srx.transport_len; 722 msg.msg_control = NULL; 723 msg.msg_controllen = 0; 724 msg.msg_flags = 0; 725 726 memset(&whdr, 0, sizeof(whdr)); 727 whdr.epoch = htonl(hdr->epoch); 728 whdr.cid = htonl(hdr->cid); 729 whdr.type = RXRPC_PACKET_TYPE_RESPONSE; 730 whdr.flags = conn->out_clientflag; 731 whdr.securityIndex = hdr->securityIndex; 732 whdr.serviceId = htons(hdr->serviceId); 733 734 iov[0].iov_base = &whdr; 735 iov[0].iov_len = sizeof(whdr); 736 iov[1].iov_base = resp; 737 iov[1].iov_len = sizeof(*resp); 738 iov[2].iov_base = (void *)s2->ticket; 739 iov[2].iov_len = s2->ticket_len; 740 741 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len; 742 743 serial = rxrpc_get_next_serial(conn); 744 whdr.serial = htonl(serial); 745 746 rxrpc_local_dont_fragment(conn->local, false); 747 ret = kernel_sendmsg(conn->local->socket, &msg, iov, 3, len); 748 if (ret < 0) { 749 trace_rxrpc_tx_fail(conn->debug_id, serial, ret, 750 rxrpc_tx_point_rxkad_response); 751 return -EAGAIN; 752 } 753 754 conn->peer->last_tx_at = ktime_get_seconds(); 755 _leave(" = 0"); 756 return 0; 757 } 758 759 /* 760 * calculate the response checksum 761 */ 762 static void rxkad_calc_response_checksum(struct rxkad_response *response) 763 { 764 u32 csum = 1000003; 765 int loop; 766 u8 *p = (u8 *) response; 767 768 for (loop = sizeof(*response); loop > 0; loop--) 769 csum = csum * 0x10204081 + *p++; 770 771 response->encrypted.checksum = htonl(csum); 772 } 773 774 /* 775 * encrypt the response packet 776 */ 777 static int rxkad_encrypt_response(struct rxrpc_connection *conn, 778 struct rxkad_response *resp, 779 const struct rxkad_key *s2) 780 { 781 struct skcipher_request *req; 782 struct rxrpc_crypt iv; 783 struct scatterlist sg[1]; 784 785 req = skcipher_request_alloc(&conn->rxkad.cipher->base, GFP_NOFS); 786 if (!req) 787 return -ENOMEM; 788 789 /* continue encrypting from where we left off */ 790 memcpy(&iv, s2->session_key, sizeof(iv)); 791 792 sg_init_table(sg, 1); 793 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 794 skcipher_request_set_sync_tfm(req, conn->rxkad.cipher); 795 skcipher_request_set_callback(req, 0, NULL, NULL); 796 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 797 crypto_skcipher_encrypt(req); 798 skcipher_request_free(req); 799 return 0; 800 } 801 802 /* 803 * respond to a challenge packet 804 */ 805 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn, 806 struct sk_buff *skb) 807 { 808 const struct rxrpc_key_token *token; 809 struct rxkad_challenge challenge; 810 struct rxkad_response *resp; 811 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 812 u32 version, nonce, min_level; 813 int ret = -EPROTO; 814 815 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key)); 816 817 if (!conn->key) 818 return rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO, 819 rxkad_abort_chall_no_key); 820 821 ret = key_validate(conn->key); 822 if (ret < 0) 823 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret, 824 rxkad_abort_chall_key_expired); 825 826 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 827 &challenge, sizeof(challenge)) < 0) 828 return rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO, 829 rxkad_abort_chall_short); 830 831 version = ntohl(challenge.version); 832 nonce = ntohl(challenge.nonce); 833 min_level = ntohl(challenge.min_level); 834 835 trace_rxrpc_rx_challenge(conn, sp->hdr.serial, version, nonce, min_level); 836 837 if (version != RXKAD_VERSION) 838 return rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO, 839 rxkad_abort_chall_version); 840 841 if (conn->security_level < min_level) 842 return rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EACCES, 843 rxkad_abort_chall_level); 844 845 token = conn->key->payload.data[0]; 846 847 /* build the response packet */ 848 resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS); 849 if (!resp) 850 return -ENOMEM; 851 852 resp->version = htonl(RXKAD_VERSION); 853 resp->encrypted.epoch = htonl(conn->proto.epoch); 854 resp->encrypted.cid = htonl(conn->proto.cid); 855 resp->encrypted.securityIndex = htonl(conn->security_ix); 856 resp->encrypted.inc_nonce = htonl(nonce + 1); 857 resp->encrypted.level = htonl(conn->security_level); 858 resp->kvno = htonl(token->kad->kvno); 859 resp->ticket_len = htonl(token->kad->ticket_len); 860 resp->encrypted.call_id[0] = htonl(conn->channels[0].call_counter); 861 resp->encrypted.call_id[1] = htonl(conn->channels[1].call_counter); 862 resp->encrypted.call_id[2] = htonl(conn->channels[2].call_counter); 863 resp->encrypted.call_id[3] = htonl(conn->channels[3].call_counter); 864 865 /* calculate the response checksum and then do the encryption */ 866 rxkad_calc_response_checksum(resp); 867 ret = rxkad_encrypt_response(conn, resp, token->kad); 868 if (ret == 0) 869 ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad); 870 kfree(resp); 871 return ret; 872 } 873 874 /* 875 * decrypt the kerberos IV ticket in the response 876 */ 877 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn, 878 struct key *server_key, 879 struct sk_buff *skb, 880 void *ticket, size_t ticket_len, 881 struct rxrpc_crypt *_session_key, 882 time64_t *_expiry) 883 { 884 struct skcipher_request *req; 885 struct rxrpc_crypt iv, key; 886 struct scatterlist sg[1]; 887 struct in_addr addr; 888 unsigned int life; 889 time64_t issue, now; 890 bool little_endian; 891 u8 *p, *q, *name, *end; 892 893 _enter("{%d},{%x}", conn->debug_id, key_serial(server_key)); 894 895 *_expiry = 0; 896 897 ASSERT(server_key->payload.data[0] != NULL); 898 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0); 899 900 memcpy(&iv, &server_key->payload.data[2], sizeof(iv)); 901 902 req = skcipher_request_alloc(server_key->payload.data[0], GFP_NOFS); 903 if (!req) 904 return -ENOMEM; 905 906 sg_init_one(&sg[0], ticket, ticket_len); 907 skcipher_request_set_callback(req, 0, NULL, NULL); 908 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x); 909 crypto_skcipher_decrypt(req); 910 skcipher_request_free(req); 911 912 p = ticket; 913 end = p + ticket_len; 914 915 #define Z(field, fieldl) \ 916 ({ \ 917 u8 *__str = p; \ 918 q = memchr(p, 0, end - p); \ 919 if (!q || q - p > field##_SZ) \ 920 return rxrpc_abort_conn( \ 921 conn, skb, RXKADBADTICKET, -EPROTO, \ 922 rxkad_abort_resp_tkt_##fieldl); \ 923 for (; p < q; p++) \ 924 if (!isprint(*p)) \ 925 return rxrpc_abort_conn( \ 926 conn, skb, RXKADBADTICKET, -EPROTO, \ 927 rxkad_abort_resp_tkt_##fieldl); \ 928 p++; \ 929 __str; \ 930 }) 931 932 /* extract the ticket flags */ 933 _debug("KIV FLAGS: %x", *p); 934 little_endian = *p & 1; 935 p++; 936 937 /* extract the authentication name */ 938 name = Z(ANAME, aname); 939 _debug("KIV ANAME: %s", name); 940 941 /* extract the principal's instance */ 942 name = Z(INST, inst); 943 _debug("KIV INST : %s", name); 944 945 /* extract the principal's authentication domain */ 946 name = Z(REALM, realm); 947 _debug("KIV REALM: %s", name); 948 949 if (end - p < 4 + 8 + 4 + 2) 950 return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO, 951 rxkad_abort_resp_tkt_short); 952 953 /* get the IPv4 address of the entity that requested the ticket */ 954 memcpy(&addr, p, sizeof(addr)); 955 p += 4; 956 _debug("KIV ADDR : %pI4", &addr); 957 958 /* get the session key from the ticket */ 959 memcpy(&key, p, sizeof(key)); 960 p += 8; 961 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1])); 962 memcpy(_session_key, &key, sizeof(key)); 963 964 /* get the ticket's lifetime */ 965 life = *p++ * 5 * 60; 966 _debug("KIV LIFE : %u", life); 967 968 /* get the issue time of the ticket */ 969 if (little_endian) { 970 __le32 stamp; 971 memcpy(&stamp, p, 4); 972 issue = rxrpc_u32_to_time64(le32_to_cpu(stamp)); 973 } else { 974 __be32 stamp; 975 memcpy(&stamp, p, 4); 976 issue = rxrpc_u32_to_time64(be32_to_cpu(stamp)); 977 } 978 p += 4; 979 now = ktime_get_real_seconds(); 980 _debug("KIV ISSUE: %llx [%llx]", issue, now); 981 982 /* check the ticket is in date */ 983 if (issue > now) 984 return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, -EKEYREJECTED, 985 rxkad_abort_resp_tkt_future); 986 if (issue < now - life) 987 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, -EKEYEXPIRED, 988 rxkad_abort_resp_tkt_expired); 989 990 *_expiry = issue + life; 991 992 /* get the service name */ 993 name = Z(SNAME, sname); 994 _debug("KIV SNAME: %s", name); 995 996 /* get the service instance name */ 997 name = Z(INST, sinst); 998 _debug("KIV SINST: %s", name); 999 return 0; 1000 } 1001 1002 /* 1003 * decrypt the response packet 1004 */ 1005 static void rxkad_decrypt_response(struct rxrpc_connection *conn, 1006 struct rxkad_response *resp, 1007 const struct rxrpc_crypt *session_key) 1008 { 1009 struct skcipher_request *req = rxkad_ci_req; 1010 struct scatterlist sg[1]; 1011 struct rxrpc_crypt iv; 1012 1013 _enter(",,%08x%08x", 1014 ntohl(session_key->n[0]), ntohl(session_key->n[1])); 1015 1016 mutex_lock(&rxkad_ci_mutex); 1017 if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x, 1018 sizeof(*session_key)) < 0) 1019 BUG(); 1020 1021 memcpy(&iv, session_key, sizeof(iv)); 1022 1023 sg_init_table(sg, 1); 1024 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 1025 skcipher_request_set_sync_tfm(req, rxkad_ci); 1026 skcipher_request_set_callback(req, 0, NULL, NULL); 1027 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 1028 crypto_skcipher_decrypt(req); 1029 skcipher_request_zero(req); 1030 1031 mutex_unlock(&rxkad_ci_mutex); 1032 1033 _leave(""); 1034 } 1035 1036 /* 1037 * verify a response 1038 */ 1039 static int rxkad_verify_response(struct rxrpc_connection *conn, 1040 struct sk_buff *skb) 1041 { 1042 struct rxkad_response *response; 1043 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 1044 struct rxrpc_crypt session_key; 1045 struct key *server_key; 1046 time64_t expiry; 1047 void *ticket; 1048 u32 version, kvno, ticket_len, level; 1049 __be32 csum; 1050 int ret, i; 1051 1052 _enter("{%d}", conn->debug_id); 1053 1054 server_key = rxrpc_look_up_server_security(conn, skb, 0, 0); 1055 if (IS_ERR(server_key)) { 1056 ret = PTR_ERR(server_key); 1057 switch (ret) { 1058 case -ENOKEY: 1059 return rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, ret, 1060 rxkad_abort_resp_nokey); 1061 case -EKEYEXPIRED: 1062 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret, 1063 rxkad_abort_resp_key_expired); 1064 default: 1065 return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, ret, 1066 rxkad_abort_resp_key_rejected); 1067 } 1068 } 1069 1070 ret = -ENOMEM; 1071 response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS); 1072 if (!response) 1073 goto temporary_error; 1074 1075 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), 1076 response, sizeof(*response)) < 0) { 1077 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO, 1078 rxkad_abort_resp_short); 1079 goto protocol_error; 1080 } 1081 1082 version = ntohl(response->version); 1083 ticket_len = ntohl(response->ticket_len); 1084 kvno = ntohl(response->kvno); 1085 1086 trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len); 1087 1088 if (version != RXKAD_VERSION) { 1089 rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO, 1090 rxkad_abort_resp_version); 1091 goto protocol_error; 1092 } 1093 1094 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) { 1095 rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO, 1096 rxkad_abort_resp_tkt_len); 1097 goto protocol_error; 1098 } 1099 1100 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) { 1101 rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO, 1102 rxkad_abort_resp_unknown_tkt); 1103 goto protocol_error; 1104 } 1105 1106 /* extract the kerberos ticket and decrypt and decode it */ 1107 ret = -ENOMEM; 1108 ticket = kmalloc(ticket_len, GFP_NOFS); 1109 if (!ticket) 1110 goto temporary_error_free_resp; 1111 1112 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response), 1113 ticket, ticket_len) < 0) { 1114 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO, 1115 rxkad_abort_resp_short_tkt); 1116 goto protocol_error; 1117 } 1118 1119 ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len, 1120 &session_key, &expiry); 1121 if (ret < 0) 1122 goto temporary_error_free_ticket; 1123 1124 /* use the session key from inside the ticket to decrypt the 1125 * response */ 1126 rxkad_decrypt_response(conn, response, &session_key); 1127 1128 if (ntohl(response->encrypted.epoch) != conn->proto.epoch || 1129 ntohl(response->encrypted.cid) != conn->proto.cid || 1130 ntohl(response->encrypted.securityIndex) != conn->security_ix) { 1131 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, 1132 rxkad_abort_resp_bad_param); 1133 goto protocol_error_free; 1134 } 1135 1136 csum = response->encrypted.checksum; 1137 response->encrypted.checksum = 0; 1138 rxkad_calc_response_checksum(response); 1139 if (response->encrypted.checksum != csum) { 1140 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, 1141 rxkad_abort_resp_bad_checksum); 1142 goto protocol_error_free; 1143 } 1144 1145 for (i = 0; i < RXRPC_MAXCALLS; i++) { 1146 u32 call_id = ntohl(response->encrypted.call_id[i]); 1147 u32 counter = READ_ONCE(conn->channels[i].call_counter); 1148 1149 if (call_id > INT_MAX) { 1150 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, 1151 rxkad_abort_resp_bad_callid); 1152 goto protocol_error_free; 1153 } 1154 1155 if (call_id < counter) { 1156 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, 1157 rxkad_abort_resp_call_ctr); 1158 goto protocol_error_free; 1159 } 1160 1161 if (call_id > counter) { 1162 if (conn->channels[i].call) { 1163 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, 1164 rxkad_abort_resp_call_state); 1165 goto protocol_error_free; 1166 } 1167 conn->channels[i].call_counter = call_id; 1168 } 1169 } 1170 1171 if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) { 1172 rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO, 1173 rxkad_abort_resp_ooseq); 1174 goto protocol_error_free; 1175 } 1176 1177 level = ntohl(response->encrypted.level); 1178 if (level > RXRPC_SECURITY_ENCRYPT) { 1179 rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO, 1180 rxkad_abort_resp_level); 1181 goto protocol_error_free; 1182 } 1183 conn->security_level = level; 1184 1185 /* create a key to hold the security data and expiration time - after 1186 * this the connection security can be handled in exactly the same way 1187 * as for a client connection */ 1188 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); 1189 if (ret < 0) 1190 goto temporary_error_free_ticket; 1191 1192 kfree(ticket); 1193 kfree(response); 1194 _leave(" = 0"); 1195 return 0; 1196 1197 protocol_error_free: 1198 kfree(ticket); 1199 protocol_error: 1200 kfree(response); 1201 key_put(server_key); 1202 return -EPROTO; 1203 1204 temporary_error_free_ticket: 1205 kfree(ticket); 1206 temporary_error_free_resp: 1207 kfree(response); 1208 temporary_error: 1209 /* Ignore the response packet if we got a temporary error such as 1210 * ENOMEM. We just want to send the challenge again. Note that we 1211 * also come out this way if the ticket decryption fails. 1212 */ 1213 key_put(server_key); 1214 return ret; 1215 } 1216 1217 /* 1218 * clear the connection security 1219 */ 1220 static void rxkad_clear(struct rxrpc_connection *conn) 1221 { 1222 _enter(""); 1223 1224 if (conn->rxkad.cipher) 1225 crypto_free_sync_skcipher(conn->rxkad.cipher); 1226 } 1227 1228 /* 1229 * Initialise the rxkad security service. 1230 */ 1231 static int rxkad_init(void) 1232 { 1233 struct crypto_sync_skcipher *tfm; 1234 struct skcipher_request *req; 1235 1236 /* pin the cipher we need so that the crypto layer doesn't invoke 1237 * keventd to go get it */ 1238 tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0); 1239 if (IS_ERR(tfm)) 1240 return PTR_ERR(tfm); 1241 1242 req = skcipher_request_alloc(&tfm->base, GFP_KERNEL); 1243 if (!req) 1244 goto nomem_tfm; 1245 1246 rxkad_ci_req = req; 1247 rxkad_ci = tfm; 1248 return 0; 1249 1250 nomem_tfm: 1251 crypto_free_sync_skcipher(tfm); 1252 return -ENOMEM; 1253 } 1254 1255 /* 1256 * Clean up the rxkad security service. 1257 */ 1258 static void rxkad_exit(void) 1259 { 1260 crypto_free_sync_skcipher(rxkad_ci); 1261 skcipher_request_free(rxkad_ci_req); 1262 } 1263 1264 /* 1265 * RxRPC Kerberos-based security 1266 */ 1267 const struct rxrpc_security rxkad = { 1268 .name = "rxkad", 1269 .security_index = RXRPC_SECURITY_RXKAD, 1270 .no_key_abort = RXKADUNKNOWNKEY, 1271 .init = rxkad_init, 1272 .exit = rxkad_exit, 1273 .preparse_server_key = rxkad_preparse_server_key, 1274 .free_preparse_server_key = rxkad_free_preparse_server_key, 1275 .destroy_server_key = rxkad_destroy_server_key, 1276 .init_connection_security = rxkad_init_connection_security, 1277 .alloc_txbuf = rxkad_alloc_txbuf, 1278 .secure_packet = rxkad_secure_packet, 1279 .verify_packet = rxkad_verify_packet, 1280 .free_call_crypto = rxkad_free_call_crypto, 1281 .issue_challenge = rxkad_issue_challenge, 1282 .respond_to_challenge = rxkad_respond_to_challenge, 1283 .verify_response = rxkad_verify_response, 1284 .clear = rxkad_clear, 1285 }; 1286