1 /* Kerberos-based RxRPC security 2 * 3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 13 14 #include <crypto/skcipher.h> 15 #include <linux/module.h> 16 #include <linux/net.h> 17 #include <linux/skbuff.h> 18 #include <linux/udp.h> 19 #include <linux/scatterlist.h> 20 #include <linux/ctype.h> 21 #include <linux/slab.h> 22 #include <net/sock.h> 23 #include <net/af_rxrpc.h> 24 #include <keys/rxrpc-type.h> 25 #include "ar-internal.h" 26 27 #define RXKAD_VERSION 2 28 #define MAXKRB5TICKETLEN 1024 29 #define RXKAD_TKT_TYPE_KERBEROS_V5 256 30 #define ANAME_SZ 40 /* size of authentication name */ 31 #define INST_SZ 40 /* size of principal's instance */ 32 #define REALM_SZ 40 /* size of principal's auth domain */ 33 #define SNAME_SZ 40 /* size of service name */ 34 35 struct rxkad_level1_hdr { 36 __be32 data_size; /* true data size (excluding padding) */ 37 }; 38 39 struct rxkad_level2_hdr { 40 __be32 data_size; /* true data size (excluding padding) */ 41 __be32 checksum; /* decrypted data checksum */ 42 }; 43 44 /* 45 * this holds a pinned cipher so that keventd doesn't get called by the cipher 46 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE 47 * packets 48 */ 49 static struct crypto_skcipher *rxkad_ci; 50 static DEFINE_MUTEX(rxkad_ci_mutex); 51 52 /* 53 * initialise connection security 54 */ 55 static int rxkad_init_connection_security(struct rxrpc_connection *conn) 56 { 57 struct crypto_skcipher *ci; 58 struct rxrpc_key_token *token; 59 int ret; 60 61 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key)); 62 63 token = conn->params.key->payload.data[0]; 64 conn->security_ix = token->security_index; 65 66 ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 67 if (IS_ERR(ci)) { 68 _debug("no cipher"); 69 ret = PTR_ERR(ci); 70 goto error; 71 } 72 73 if (crypto_skcipher_setkey(ci, token->kad->session_key, 74 sizeof(token->kad->session_key)) < 0) 75 BUG(); 76 77 switch (conn->params.security_level) { 78 case RXRPC_SECURITY_PLAIN: 79 break; 80 case RXRPC_SECURITY_AUTH: 81 conn->size_align = 8; 82 conn->security_size = sizeof(struct rxkad_level1_hdr); 83 conn->header_size += sizeof(struct rxkad_level1_hdr); 84 break; 85 case RXRPC_SECURITY_ENCRYPT: 86 conn->size_align = 8; 87 conn->security_size = sizeof(struct rxkad_level2_hdr); 88 conn->header_size += sizeof(struct rxkad_level2_hdr); 89 break; 90 default: 91 ret = -EKEYREJECTED; 92 goto error; 93 } 94 95 conn->cipher = ci; 96 ret = 0; 97 error: 98 _leave(" = %d", ret); 99 return ret; 100 } 101 102 /* 103 * prime the encryption state with the invariant parts of a connection's 104 * description 105 */ 106 static int rxkad_prime_packet_security(struct rxrpc_connection *conn) 107 { 108 struct rxrpc_key_token *token; 109 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher); 110 struct scatterlist sg; 111 struct rxrpc_crypt iv; 112 __be32 *tmpbuf; 113 size_t tmpsize = 4 * sizeof(__be32); 114 115 _enter(""); 116 117 if (!conn->params.key) 118 return 0; 119 120 tmpbuf = kmalloc(tmpsize, GFP_KERNEL); 121 if (!tmpbuf) 122 return -ENOMEM; 123 124 token = conn->params.key->payload.data[0]; 125 memcpy(&iv, token->kad->session_key, sizeof(iv)); 126 127 tmpbuf[0] = htonl(conn->proto.epoch); 128 tmpbuf[1] = htonl(conn->proto.cid); 129 tmpbuf[2] = 0; 130 tmpbuf[3] = htonl(conn->security_ix); 131 132 sg_init_one(&sg, tmpbuf, tmpsize); 133 skcipher_request_set_tfm(req, conn->cipher); 134 skcipher_request_set_callback(req, 0, NULL, NULL); 135 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x); 136 crypto_skcipher_encrypt(req); 137 skcipher_request_zero(req); 138 139 memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv)); 140 kfree(tmpbuf); 141 _leave(" = 0"); 142 return 0; 143 } 144 145 /* 146 * partially encrypt a packet (level 1 security) 147 */ 148 static int rxkad_secure_packet_auth(const struct rxrpc_call *call, 149 struct sk_buff *skb, 150 u32 data_size, 151 void *sechdr) 152 { 153 struct rxrpc_skb_priv *sp; 154 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 155 struct rxkad_level1_hdr hdr; 156 struct rxrpc_crypt iv; 157 struct scatterlist sg; 158 u16 check; 159 160 sp = rxrpc_skb(skb); 161 162 _enter(""); 163 164 check = sp->hdr.seq ^ sp->hdr.callNumber; 165 data_size |= (u32)check << 16; 166 167 hdr.data_size = htonl(data_size); 168 memcpy(sechdr, &hdr, sizeof(hdr)); 169 170 /* start the encryption afresh */ 171 memset(&iv, 0, sizeof(iv)); 172 173 sg_init_one(&sg, sechdr, 8); 174 skcipher_request_set_tfm(req, call->conn->cipher); 175 skcipher_request_set_callback(req, 0, NULL, NULL); 176 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 177 crypto_skcipher_encrypt(req); 178 skcipher_request_zero(req); 179 180 _leave(" = 0"); 181 return 0; 182 } 183 184 /* 185 * wholly encrypt a packet (level 2 security) 186 */ 187 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, 188 struct sk_buff *skb, 189 u32 data_size, 190 void *sechdr) 191 { 192 const struct rxrpc_key_token *token; 193 struct rxkad_level2_hdr rxkhdr; 194 struct rxrpc_skb_priv *sp; 195 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 196 struct rxrpc_crypt iv; 197 struct scatterlist sg[16]; 198 struct sk_buff *trailer; 199 unsigned int len; 200 u16 check; 201 int nsg; 202 int err; 203 204 sp = rxrpc_skb(skb); 205 206 _enter(""); 207 208 check = sp->hdr.seq ^ sp->hdr.callNumber; 209 210 rxkhdr.data_size = htonl(data_size | (u32)check << 16); 211 rxkhdr.checksum = 0; 212 memcpy(sechdr, &rxkhdr, sizeof(rxkhdr)); 213 214 /* encrypt from the session key */ 215 token = call->conn->params.key->payload.data[0]; 216 memcpy(&iv, token->kad->session_key, sizeof(iv)); 217 218 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr)); 219 skcipher_request_set_tfm(req, call->conn->cipher); 220 skcipher_request_set_callback(req, 0, NULL, NULL); 221 skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x); 222 crypto_skcipher_encrypt(req); 223 224 /* we want to encrypt the skbuff in-place */ 225 nsg = skb_cow_data(skb, 0, &trailer); 226 err = -ENOMEM; 227 if (nsg < 0 || nsg > 16) 228 goto out; 229 230 len = data_size + call->conn->size_align - 1; 231 len &= ~(call->conn->size_align - 1); 232 233 sg_init_table(sg, nsg); 234 skb_to_sgvec(skb, sg, 0, len); 235 skcipher_request_set_crypt(req, sg, sg, len, iv.x); 236 crypto_skcipher_encrypt(req); 237 238 _leave(" = 0"); 239 err = 0; 240 241 out: 242 skcipher_request_zero(req); 243 return err; 244 } 245 246 /* 247 * checksum an RxRPC packet header 248 */ 249 static int rxkad_secure_packet(struct rxrpc_call *call, 250 struct sk_buff *skb, 251 size_t data_size, 252 void *sechdr) 253 { 254 struct rxrpc_skb_priv *sp; 255 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 256 struct rxrpc_crypt iv; 257 struct scatterlist sg; 258 u32 x, y; 259 int ret; 260 261 sp = rxrpc_skb(skb); 262 263 _enter("{%d{%x}},{#%u},%zu,", 264 call->debug_id, key_serial(call->conn->params.key), 265 sp->hdr.seq, data_size); 266 267 if (!call->conn->cipher) 268 return 0; 269 270 ret = key_validate(call->conn->params.key); 271 if (ret < 0) 272 return ret; 273 274 /* continue encrypting from where we left off */ 275 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 276 277 /* calculate the security checksum */ 278 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 279 x |= sp->hdr.seq & 0x3fffffff; 280 call->crypto_buf[0] = htonl(sp->hdr.callNumber); 281 call->crypto_buf[1] = htonl(x); 282 283 sg_init_one(&sg, call->crypto_buf, 8); 284 skcipher_request_set_tfm(req, call->conn->cipher); 285 skcipher_request_set_callback(req, 0, NULL, NULL); 286 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 287 crypto_skcipher_encrypt(req); 288 skcipher_request_zero(req); 289 290 y = ntohl(call->crypto_buf[1]); 291 y = (y >> 16) & 0xffff; 292 if (y == 0) 293 y = 1; /* zero checksums are not permitted */ 294 sp->hdr.cksum = y; 295 296 switch (call->conn->params.security_level) { 297 case RXRPC_SECURITY_PLAIN: 298 ret = 0; 299 break; 300 case RXRPC_SECURITY_AUTH: 301 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr); 302 break; 303 case RXRPC_SECURITY_ENCRYPT: 304 ret = rxkad_secure_packet_encrypt(call, skb, data_size, 305 sechdr); 306 break; 307 default: 308 ret = -EPERM; 309 break; 310 } 311 312 _leave(" = %d [set %hx]", ret, y); 313 return ret; 314 } 315 316 /* 317 * decrypt partial encryption on a packet (level 1 security) 318 */ 319 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb, 320 unsigned int offset, unsigned int len, 321 rxrpc_seq_t seq) 322 { 323 struct rxkad_level1_hdr sechdr; 324 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 325 struct rxrpc_crypt iv; 326 struct scatterlist sg[16]; 327 struct sk_buff *trailer; 328 u32 data_size, buf; 329 u16 check; 330 int nsg; 331 332 _enter(""); 333 334 if (len < 8) { 335 rxrpc_abort_call("V1H", call, seq, RXKADSEALEDINCON, EPROTO); 336 goto protocol_error; 337 } 338 339 /* Decrypt the skbuff in-place. TODO: We really want to decrypt 340 * directly into the target buffer. 341 */ 342 nsg = skb_cow_data(skb, 0, &trailer); 343 if (nsg < 0 || nsg > 16) 344 goto nomem; 345 346 sg_init_table(sg, nsg); 347 skb_to_sgvec(skb, sg, offset, 8); 348 349 /* start the decryption afresh */ 350 memset(&iv, 0, sizeof(iv)); 351 352 skcipher_request_set_tfm(req, call->conn->cipher); 353 skcipher_request_set_callback(req, 0, NULL, NULL); 354 skcipher_request_set_crypt(req, sg, sg, 8, iv.x); 355 crypto_skcipher_decrypt(req); 356 skcipher_request_zero(req); 357 358 /* Extract the decrypted packet length */ 359 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) { 360 rxrpc_abort_call("XV1", call, seq, RXKADDATALEN, EPROTO); 361 goto protocol_error; 362 } 363 offset += sizeof(sechdr); 364 len -= sizeof(sechdr); 365 366 buf = ntohl(sechdr.data_size); 367 data_size = buf & 0xffff; 368 369 check = buf >> 16; 370 check ^= seq ^ call->call_id; 371 check &= 0xffff; 372 if (check != 0) { 373 rxrpc_abort_call("V1C", call, seq, RXKADSEALEDINCON, EPROTO); 374 goto protocol_error; 375 } 376 377 if (data_size > len) { 378 rxrpc_abort_call("V1L", call, seq, RXKADDATALEN, EPROTO); 379 goto protocol_error; 380 } 381 382 _leave(" = 0 [dlen=%x]", data_size); 383 return 0; 384 385 protocol_error: 386 rxrpc_send_call_packet(call, RXRPC_PACKET_TYPE_ABORT); 387 _leave(" = -EPROTO"); 388 return -EPROTO; 389 390 nomem: 391 _leave(" = -ENOMEM"); 392 return -ENOMEM; 393 } 394 395 /* 396 * wholly decrypt a packet (level 2 security) 397 */ 398 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb, 399 unsigned int offset, unsigned int len, 400 rxrpc_seq_t seq) 401 { 402 const struct rxrpc_key_token *token; 403 struct rxkad_level2_hdr sechdr; 404 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 405 struct rxrpc_crypt iv; 406 struct scatterlist _sg[4], *sg; 407 struct sk_buff *trailer; 408 u32 data_size, buf; 409 u16 check; 410 int nsg; 411 412 _enter(",{%d}", skb->len); 413 414 if (len < 8) { 415 rxrpc_abort_call("V2H", call, seq, RXKADSEALEDINCON, EPROTO); 416 goto protocol_error; 417 } 418 419 /* Decrypt the skbuff in-place. TODO: We really want to decrypt 420 * directly into the target buffer. 421 */ 422 nsg = skb_cow_data(skb, 0, &trailer); 423 if (nsg < 0) 424 goto nomem; 425 426 sg = _sg; 427 if (unlikely(nsg > 4)) { 428 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO); 429 if (!sg) 430 goto nomem; 431 } 432 433 sg_init_table(sg, nsg); 434 skb_to_sgvec(skb, sg, offset, len); 435 436 /* decrypt from the session key */ 437 token = call->conn->params.key->payload.data[0]; 438 memcpy(&iv, token->kad->session_key, sizeof(iv)); 439 440 skcipher_request_set_tfm(req, call->conn->cipher); 441 skcipher_request_set_callback(req, 0, NULL, NULL); 442 skcipher_request_set_crypt(req, sg, sg, len, iv.x); 443 crypto_skcipher_decrypt(req); 444 skcipher_request_zero(req); 445 if (sg != _sg) 446 kfree(sg); 447 448 /* Extract the decrypted packet length */ 449 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) { 450 rxrpc_abort_call("XV2", call, seq, RXKADDATALEN, EPROTO); 451 goto protocol_error; 452 } 453 offset += sizeof(sechdr); 454 len -= sizeof(sechdr); 455 456 buf = ntohl(sechdr.data_size); 457 data_size = buf & 0xffff; 458 459 check = buf >> 16; 460 check ^= seq ^ call->call_id; 461 check &= 0xffff; 462 if (check != 0) { 463 rxrpc_abort_call("V2C", call, seq, RXKADSEALEDINCON, EPROTO); 464 goto protocol_error; 465 } 466 467 if (data_size > len) { 468 rxrpc_abort_call("V2L", call, seq, RXKADDATALEN, EPROTO); 469 goto protocol_error; 470 } 471 472 _leave(" = 0 [dlen=%x]", data_size); 473 return 0; 474 475 protocol_error: 476 rxrpc_send_call_packet(call, RXRPC_PACKET_TYPE_ABORT); 477 _leave(" = -EPROTO"); 478 return -EPROTO; 479 480 nomem: 481 _leave(" = -ENOMEM"); 482 return -ENOMEM; 483 } 484 485 /* 486 * Verify the security on a received packet or subpacket (if part of a 487 * jumbo packet). 488 */ 489 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb, 490 unsigned int offset, unsigned int len, 491 rxrpc_seq_t seq, u16 expected_cksum) 492 { 493 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher); 494 struct rxrpc_crypt iv; 495 struct scatterlist sg; 496 u16 cksum; 497 u32 x, y; 498 499 _enter("{%d{%x}},{#%u}", 500 call->debug_id, key_serial(call->conn->params.key), seq); 501 502 if (!call->conn->cipher) 503 return 0; 504 505 /* continue encrypting from where we left off */ 506 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 507 508 /* validate the security checksum */ 509 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); 510 x |= seq & 0x3fffffff; 511 call->crypto_buf[0] = htonl(call->call_id); 512 call->crypto_buf[1] = htonl(x); 513 514 sg_init_one(&sg, call->crypto_buf, 8); 515 skcipher_request_set_tfm(req, call->conn->cipher); 516 skcipher_request_set_callback(req, 0, NULL, NULL); 517 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); 518 crypto_skcipher_encrypt(req); 519 skcipher_request_zero(req); 520 521 y = ntohl(call->crypto_buf[1]); 522 cksum = (y >> 16) & 0xffff; 523 if (cksum == 0) 524 cksum = 1; /* zero checksums are not permitted */ 525 526 if (cksum != expected_cksum) { 527 rxrpc_abort_call("VCK", call, seq, RXKADSEALEDINCON, EPROTO); 528 rxrpc_send_call_packet(call, RXRPC_PACKET_TYPE_ABORT); 529 _leave(" = -EPROTO [csum failed]"); 530 return -EPROTO; 531 } 532 533 switch (call->conn->params.security_level) { 534 case RXRPC_SECURITY_PLAIN: 535 return 0; 536 case RXRPC_SECURITY_AUTH: 537 return rxkad_verify_packet_1(call, skb, offset, len, seq); 538 case RXRPC_SECURITY_ENCRYPT: 539 return rxkad_verify_packet_2(call, skb, offset, len, seq); 540 default: 541 return -ENOANO; 542 } 543 } 544 545 /* 546 * Locate the data contained in a packet that was partially encrypted. 547 */ 548 static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb, 549 unsigned int *_offset, unsigned int *_len) 550 { 551 struct rxkad_level1_hdr sechdr; 552 553 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0) 554 BUG(); 555 *_offset += sizeof(sechdr); 556 *_len = ntohl(sechdr.data_size) & 0xffff; 557 } 558 559 /* 560 * Locate the data contained in a packet that was completely encrypted. 561 */ 562 static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb, 563 unsigned int *_offset, unsigned int *_len) 564 { 565 struct rxkad_level2_hdr sechdr; 566 567 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0) 568 BUG(); 569 *_offset += sizeof(sechdr); 570 *_len = ntohl(sechdr.data_size) & 0xffff; 571 } 572 573 /* 574 * Locate the data contained in an already decrypted packet. 575 */ 576 static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb, 577 unsigned int *_offset, unsigned int *_len) 578 { 579 switch (call->conn->params.security_level) { 580 case RXRPC_SECURITY_AUTH: 581 rxkad_locate_data_1(call, skb, _offset, _len); 582 return; 583 case RXRPC_SECURITY_ENCRYPT: 584 rxkad_locate_data_2(call, skb, _offset, _len); 585 return; 586 default: 587 return; 588 } 589 } 590 591 /* 592 * issue a challenge 593 */ 594 static int rxkad_issue_challenge(struct rxrpc_connection *conn) 595 { 596 struct rxkad_challenge challenge; 597 struct rxrpc_wire_header whdr; 598 struct msghdr msg; 599 struct kvec iov[2]; 600 size_t len; 601 u32 serial; 602 int ret; 603 604 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key)); 605 606 ret = key_validate(conn->params.key); 607 if (ret < 0) 608 return ret; 609 610 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce)); 611 612 challenge.version = htonl(2); 613 challenge.nonce = htonl(conn->security_nonce); 614 challenge.min_level = htonl(0); 615 challenge.__padding = 0; 616 617 msg.msg_name = &conn->params.peer->srx.transport.sin; 618 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin); 619 msg.msg_control = NULL; 620 msg.msg_controllen = 0; 621 msg.msg_flags = 0; 622 623 whdr.epoch = htonl(conn->proto.epoch); 624 whdr.cid = htonl(conn->proto.cid); 625 whdr.callNumber = 0; 626 whdr.seq = 0; 627 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE; 628 whdr.flags = conn->out_clientflag; 629 whdr.userStatus = 0; 630 whdr.securityIndex = conn->security_ix; 631 whdr._rsvd = 0; 632 whdr.serviceId = htons(conn->params.service_id); 633 634 iov[0].iov_base = &whdr; 635 iov[0].iov_len = sizeof(whdr); 636 iov[1].iov_base = &challenge; 637 iov[1].iov_len = sizeof(challenge); 638 639 len = iov[0].iov_len + iov[1].iov_len; 640 641 serial = atomic_inc_return(&conn->serial); 642 whdr.serial = htonl(serial); 643 _proto("Tx CHALLENGE %%%u", serial); 644 645 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len); 646 if (ret < 0) { 647 _debug("sendmsg failed: %d", ret); 648 return -EAGAIN; 649 } 650 651 _leave(" = 0"); 652 return 0; 653 } 654 655 /* 656 * send a Kerberos security response 657 */ 658 static int rxkad_send_response(struct rxrpc_connection *conn, 659 struct rxrpc_host_header *hdr, 660 struct rxkad_response *resp, 661 const struct rxkad_key *s2) 662 { 663 struct rxrpc_wire_header whdr; 664 struct msghdr msg; 665 struct kvec iov[3]; 666 size_t len; 667 u32 serial; 668 int ret; 669 670 _enter(""); 671 672 msg.msg_name = &conn->params.peer->srx.transport.sin; 673 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin); 674 msg.msg_control = NULL; 675 msg.msg_controllen = 0; 676 msg.msg_flags = 0; 677 678 memset(&whdr, 0, sizeof(whdr)); 679 whdr.epoch = htonl(hdr->epoch); 680 whdr.cid = htonl(hdr->cid); 681 whdr.type = RXRPC_PACKET_TYPE_RESPONSE; 682 whdr.flags = conn->out_clientflag; 683 whdr.securityIndex = hdr->securityIndex; 684 whdr.serviceId = htons(hdr->serviceId); 685 686 iov[0].iov_base = &whdr; 687 iov[0].iov_len = sizeof(whdr); 688 iov[1].iov_base = resp; 689 iov[1].iov_len = sizeof(*resp); 690 iov[2].iov_base = (void *)s2->ticket; 691 iov[2].iov_len = s2->ticket_len; 692 693 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len; 694 695 serial = atomic_inc_return(&conn->serial); 696 whdr.serial = htonl(serial); 697 _proto("Tx RESPONSE %%%u", serial); 698 699 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len); 700 if (ret < 0) { 701 _debug("sendmsg failed: %d", ret); 702 return -EAGAIN; 703 } 704 705 _leave(" = 0"); 706 return 0; 707 } 708 709 /* 710 * calculate the response checksum 711 */ 712 static void rxkad_calc_response_checksum(struct rxkad_response *response) 713 { 714 u32 csum = 1000003; 715 int loop; 716 u8 *p = (u8 *) response; 717 718 for (loop = sizeof(*response); loop > 0; loop--) 719 csum = csum * 0x10204081 + *p++; 720 721 response->encrypted.checksum = htonl(csum); 722 } 723 724 /* 725 * encrypt the response packet 726 */ 727 static void rxkad_encrypt_response(struct rxrpc_connection *conn, 728 struct rxkad_response *resp, 729 const struct rxkad_key *s2) 730 { 731 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher); 732 struct rxrpc_crypt iv; 733 struct scatterlist sg[1]; 734 735 /* continue encrypting from where we left off */ 736 memcpy(&iv, s2->session_key, sizeof(iv)); 737 738 sg_init_table(sg, 1); 739 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 740 skcipher_request_set_tfm(req, conn->cipher); 741 skcipher_request_set_callback(req, 0, NULL, NULL); 742 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 743 crypto_skcipher_encrypt(req); 744 skcipher_request_zero(req); 745 } 746 747 /* 748 * respond to a challenge packet 749 */ 750 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn, 751 struct sk_buff *skb, 752 u32 *_abort_code) 753 { 754 const struct rxrpc_key_token *token; 755 struct rxkad_challenge challenge; 756 struct rxkad_response resp 757 __attribute__((aligned(8))); /* must be aligned for crypto */ 758 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 759 u32 version, nonce, min_level, abort_code; 760 int ret; 761 762 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key)); 763 764 if (!conn->params.key) { 765 _leave(" = -EPROTO [no key]"); 766 return -EPROTO; 767 } 768 769 ret = key_validate(conn->params.key); 770 if (ret < 0) { 771 *_abort_code = RXKADEXPIRED; 772 return ret; 773 } 774 775 abort_code = RXKADPACKETSHORT; 776 if (skb_copy_bits(skb, sp->offset, &challenge, sizeof(challenge)) < 0) 777 goto protocol_error; 778 779 version = ntohl(challenge.version); 780 nonce = ntohl(challenge.nonce); 781 min_level = ntohl(challenge.min_level); 782 783 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }", 784 sp->hdr.serial, version, nonce, min_level); 785 786 abort_code = RXKADINCONSISTENCY; 787 if (version != RXKAD_VERSION) 788 goto protocol_error; 789 790 abort_code = RXKADLEVELFAIL; 791 if (conn->params.security_level < min_level) 792 goto protocol_error; 793 794 token = conn->params.key->payload.data[0]; 795 796 /* build the response packet */ 797 memset(&resp, 0, sizeof(resp)); 798 799 resp.version = htonl(RXKAD_VERSION); 800 resp.encrypted.epoch = htonl(conn->proto.epoch); 801 resp.encrypted.cid = htonl(conn->proto.cid); 802 resp.encrypted.securityIndex = htonl(conn->security_ix); 803 resp.encrypted.inc_nonce = htonl(nonce + 1); 804 resp.encrypted.level = htonl(conn->params.security_level); 805 resp.kvno = htonl(token->kad->kvno); 806 resp.ticket_len = htonl(token->kad->ticket_len); 807 808 resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter); 809 resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter); 810 resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter); 811 resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter); 812 813 /* calculate the response checksum and then do the encryption */ 814 rxkad_calc_response_checksum(&resp); 815 rxkad_encrypt_response(conn, &resp, token->kad); 816 return rxkad_send_response(conn, &sp->hdr, &resp, token->kad); 817 818 protocol_error: 819 *_abort_code = abort_code; 820 _leave(" = -EPROTO [%d]", abort_code); 821 return -EPROTO; 822 } 823 824 /* 825 * decrypt the kerberos IV ticket in the response 826 */ 827 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn, 828 void *ticket, size_t ticket_len, 829 struct rxrpc_crypt *_session_key, 830 time_t *_expiry, 831 u32 *_abort_code) 832 { 833 struct skcipher_request *req; 834 struct rxrpc_crypt iv, key; 835 struct scatterlist sg[1]; 836 struct in_addr addr; 837 unsigned int life; 838 time_t issue, now; 839 bool little_endian; 840 int ret; 841 u8 *p, *q, *name, *end; 842 843 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key)); 844 845 *_expiry = 0; 846 847 ret = key_validate(conn->server_key); 848 if (ret < 0) { 849 switch (ret) { 850 case -EKEYEXPIRED: 851 *_abort_code = RXKADEXPIRED; 852 goto error; 853 default: 854 *_abort_code = RXKADNOAUTH; 855 goto error; 856 } 857 } 858 859 ASSERT(conn->server_key->payload.data[0] != NULL); 860 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0); 861 862 memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv)); 863 864 req = skcipher_request_alloc(conn->server_key->payload.data[0], 865 GFP_NOFS); 866 if (!req) { 867 *_abort_code = RXKADNOAUTH; 868 ret = -ENOMEM; 869 goto error; 870 } 871 872 sg_init_one(&sg[0], ticket, ticket_len); 873 skcipher_request_set_callback(req, 0, NULL, NULL); 874 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x); 875 crypto_skcipher_decrypt(req); 876 skcipher_request_free(req); 877 878 p = ticket; 879 end = p + ticket_len; 880 881 #define Z(size) \ 882 ({ \ 883 u8 *__str = p; \ 884 q = memchr(p, 0, end - p); \ 885 if (!q || q - p > (size)) \ 886 goto bad_ticket; \ 887 for (; p < q; p++) \ 888 if (!isprint(*p)) \ 889 goto bad_ticket; \ 890 p++; \ 891 __str; \ 892 }) 893 894 /* extract the ticket flags */ 895 _debug("KIV FLAGS: %x", *p); 896 little_endian = *p & 1; 897 p++; 898 899 /* extract the authentication name */ 900 name = Z(ANAME_SZ); 901 _debug("KIV ANAME: %s", name); 902 903 /* extract the principal's instance */ 904 name = Z(INST_SZ); 905 _debug("KIV INST : %s", name); 906 907 /* extract the principal's authentication domain */ 908 name = Z(REALM_SZ); 909 _debug("KIV REALM: %s", name); 910 911 if (end - p < 4 + 8 + 4 + 2) 912 goto bad_ticket; 913 914 /* get the IPv4 address of the entity that requested the ticket */ 915 memcpy(&addr, p, sizeof(addr)); 916 p += 4; 917 _debug("KIV ADDR : %pI4", &addr); 918 919 /* get the session key from the ticket */ 920 memcpy(&key, p, sizeof(key)); 921 p += 8; 922 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1])); 923 memcpy(_session_key, &key, sizeof(key)); 924 925 /* get the ticket's lifetime */ 926 life = *p++ * 5 * 60; 927 _debug("KIV LIFE : %u", life); 928 929 /* get the issue time of the ticket */ 930 if (little_endian) { 931 __le32 stamp; 932 memcpy(&stamp, p, 4); 933 issue = le32_to_cpu(stamp); 934 } else { 935 __be32 stamp; 936 memcpy(&stamp, p, 4); 937 issue = be32_to_cpu(stamp); 938 } 939 p += 4; 940 now = get_seconds(); 941 _debug("KIV ISSUE: %lx [%lx]", issue, now); 942 943 /* check the ticket is in date */ 944 if (issue > now) { 945 *_abort_code = RXKADNOAUTH; 946 ret = -EKEYREJECTED; 947 goto error; 948 } 949 950 if (issue < now - life) { 951 *_abort_code = RXKADEXPIRED; 952 ret = -EKEYEXPIRED; 953 goto error; 954 } 955 956 *_expiry = issue + life; 957 958 /* get the service name */ 959 name = Z(SNAME_SZ); 960 _debug("KIV SNAME: %s", name); 961 962 /* get the service instance name */ 963 name = Z(INST_SZ); 964 _debug("KIV SINST: %s", name); 965 966 ret = 0; 967 error: 968 _leave(" = %d", ret); 969 return ret; 970 971 bad_ticket: 972 *_abort_code = RXKADBADTICKET; 973 ret = -EBADMSG; 974 goto error; 975 } 976 977 /* 978 * decrypt the response packet 979 */ 980 static void rxkad_decrypt_response(struct rxrpc_connection *conn, 981 struct rxkad_response *resp, 982 const struct rxrpc_crypt *session_key) 983 { 984 SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci); 985 struct scatterlist sg[1]; 986 struct rxrpc_crypt iv; 987 988 _enter(",,%08x%08x", 989 ntohl(session_key->n[0]), ntohl(session_key->n[1])); 990 991 ASSERT(rxkad_ci != NULL); 992 993 mutex_lock(&rxkad_ci_mutex); 994 if (crypto_skcipher_setkey(rxkad_ci, session_key->x, 995 sizeof(*session_key)) < 0) 996 BUG(); 997 998 memcpy(&iv, session_key, sizeof(iv)); 999 1000 sg_init_table(sg, 1); 1001 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); 1002 skcipher_request_set_tfm(req, rxkad_ci); 1003 skcipher_request_set_callback(req, 0, NULL, NULL); 1004 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); 1005 crypto_skcipher_decrypt(req); 1006 skcipher_request_zero(req); 1007 1008 mutex_unlock(&rxkad_ci_mutex); 1009 1010 _leave(""); 1011 } 1012 1013 /* 1014 * verify a response 1015 */ 1016 static int rxkad_verify_response(struct rxrpc_connection *conn, 1017 struct sk_buff *skb, 1018 u32 *_abort_code) 1019 { 1020 struct rxkad_response response 1021 __attribute__((aligned(8))); /* must be aligned for crypto */ 1022 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 1023 struct rxrpc_crypt session_key; 1024 time_t expiry; 1025 void *ticket; 1026 u32 abort_code, version, kvno, ticket_len, level; 1027 __be32 csum; 1028 int ret, i; 1029 1030 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key)); 1031 1032 abort_code = RXKADPACKETSHORT; 1033 if (skb_copy_bits(skb, sp->offset, &response, sizeof(response)) < 0) 1034 goto protocol_error; 1035 if (!pskb_pull(skb, sizeof(response))) 1036 BUG(); 1037 1038 version = ntohl(response.version); 1039 ticket_len = ntohl(response.ticket_len); 1040 kvno = ntohl(response.kvno); 1041 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }", 1042 sp->hdr.serial, version, kvno, ticket_len); 1043 1044 abort_code = RXKADINCONSISTENCY; 1045 if (version != RXKAD_VERSION) 1046 goto protocol_error; 1047 1048 abort_code = RXKADTICKETLEN; 1049 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) 1050 goto protocol_error; 1051 1052 abort_code = RXKADUNKNOWNKEY; 1053 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) 1054 goto protocol_error; 1055 1056 /* extract the kerberos ticket and decrypt and decode it */ 1057 ticket = kmalloc(ticket_len, GFP_NOFS); 1058 if (!ticket) 1059 return -ENOMEM; 1060 1061 abort_code = RXKADPACKETSHORT; 1062 if (skb_copy_bits(skb, sp->offset, ticket, ticket_len) < 0) 1063 goto protocol_error_free; 1064 1065 ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key, 1066 &expiry, &abort_code); 1067 if (ret < 0) { 1068 *_abort_code = abort_code; 1069 kfree(ticket); 1070 return ret; 1071 } 1072 1073 /* use the session key from inside the ticket to decrypt the 1074 * response */ 1075 rxkad_decrypt_response(conn, &response, &session_key); 1076 1077 abort_code = RXKADSEALEDINCON; 1078 if (ntohl(response.encrypted.epoch) != conn->proto.epoch) 1079 goto protocol_error_free; 1080 if (ntohl(response.encrypted.cid) != conn->proto.cid) 1081 goto protocol_error_free; 1082 if (ntohl(response.encrypted.securityIndex) != conn->security_ix) 1083 goto protocol_error_free; 1084 csum = response.encrypted.checksum; 1085 response.encrypted.checksum = 0; 1086 rxkad_calc_response_checksum(&response); 1087 if (response.encrypted.checksum != csum) 1088 goto protocol_error_free; 1089 1090 spin_lock(&conn->channel_lock); 1091 for (i = 0; i < RXRPC_MAXCALLS; i++) { 1092 struct rxrpc_call *call; 1093 u32 call_id = ntohl(response.encrypted.call_id[i]); 1094 1095 if (call_id > INT_MAX) 1096 goto protocol_error_unlock; 1097 1098 if (call_id < conn->channels[i].call_counter) 1099 goto protocol_error_unlock; 1100 if (call_id > conn->channels[i].call_counter) { 1101 call = rcu_dereference_protected( 1102 conn->channels[i].call, 1103 lockdep_is_held(&conn->channel_lock)); 1104 if (call && call->state < RXRPC_CALL_COMPLETE) 1105 goto protocol_error_unlock; 1106 conn->channels[i].call_counter = call_id; 1107 } 1108 } 1109 spin_unlock(&conn->channel_lock); 1110 1111 abort_code = RXKADOUTOFSEQUENCE; 1112 if (ntohl(response.encrypted.inc_nonce) != conn->security_nonce + 1) 1113 goto protocol_error_free; 1114 1115 abort_code = RXKADLEVELFAIL; 1116 level = ntohl(response.encrypted.level); 1117 if (level > RXRPC_SECURITY_ENCRYPT) 1118 goto protocol_error_free; 1119 conn->params.security_level = level; 1120 1121 /* create a key to hold the security data and expiration time - after 1122 * this the connection security can be handled in exactly the same way 1123 * as for a client connection */ 1124 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); 1125 if (ret < 0) { 1126 kfree(ticket); 1127 return ret; 1128 } 1129 1130 kfree(ticket); 1131 _leave(" = 0"); 1132 return 0; 1133 1134 protocol_error_unlock: 1135 spin_unlock(&conn->channel_lock); 1136 protocol_error_free: 1137 kfree(ticket); 1138 protocol_error: 1139 *_abort_code = abort_code; 1140 _leave(" = -EPROTO [%d]", abort_code); 1141 return -EPROTO; 1142 } 1143 1144 /* 1145 * clear the connection security 1146 */ 1147 static void rxkad_clear(struct rxrpc_connection *conn) 1148 { 1149 _enter(""); 1150 1151 if (conn->cipher) 1152 crypto_free_skcipher(conn->cipher); 1153 } 1154 1155 /* 1156 * Initialise the rxkad security service. 1157 */ 1158 static int rxkad_init(void) 1159 { 1160 /* pin the cipher we need so that the crypto layer doesn't invoke 1161 * keventd to go get it */ 1162 rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 1163 return PTR_ERR_OR_ZERO(rxkad_ci); 1164 } 1165 1166 /* 1167 * Clean up the rxkad security service. 1168 */ 1169 static void rxkad_exit(void) 1170 { 1171 if (rxkad_ci) 1172 crypto_free_skcipher(rxkad_ci); 1173 } 1174 1175 /* 1176 * RxRPC Kerberos-based security 1177 */ 1178 const struct rxrpc_security rxkad = { 1179 .name = "rxkad", 1180 .security_index = RXRPC_SECURITY_RXKAD, 1181 .init = rxkad_init, 1182 .exit = rxkad_exit, 1183 .init_connection_security = rxkad_init_connection_security, 1184 .prime_packet_security = rxkad_prime_packet_security, 1185 .secure_packet = rxkad_secure_packet, 1186 .verify_packet = rxkad_verify_packet, 1187 .locate_data = rxkad_locate_data, 1188 .issue_challenge = rxkad_issue_challenge, 1189 .respond_to_challenge = rxkad_respond_to_challenge, 1190 .verify_response = rxkad_verify_response, 1191 .clear = rxkad_clear, 1192 }; 1193