1 /* Kerberos-based RxRPC security 2 * 3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/net.h> 14 #include <linux/skbuff.h> 15 #include <linux/udp.h> 16 #include <linux/crypto.h> 17 #include <linux/scatterlist.h> 18 #include <linux/ctype.h> 19 #include <net/sock.h> 20 #include <net/af_rxrpc.h> 21 #define rxrpc_debug rxkad_debug 22 #include "ar-internal.h" 23 24 #define RXKAD_VERSION 2 25 #define MAXKRB5TICKETLEN 1024 26 #define RXKAD_TKT_TYPE_KERBEROS_V5 256 27 #define ANAME_SZ 40 /* size of authentication name */ 28 #define INST_SZ 40 /* size of principal's instance */ 29 #define REALM_SZ 40 /* size of principal's auth domain */ 30 #define SNAME_SZ 40 /* size of service name */ 31 32 unsigned rxrpc_debug; 33 module_param_named(debug, rxrpc_debug, uint, S_IWUSR | S_IRUGO); 34 MODULE_PARM_DESC(rxrpc_debug, "rxkad debugging mask"); 35 36 struct rxkad_level1_hdr { 37 __be32 data_size; /* true data size (excluding padding) */ 38 }; 39 40 struct rxkad_level2_hdr { 41 __be32 data_size; /* true data size (excluding padding) */ 42 __be32 checksum; /* decrypted data checksum */ 43 }; 44 45 MODULE_DESCRIPTION("RxRPC network protocol type-2 security (Kerberos)"); 46 MODULE_AUTHOR("Red Hat, Inc."); 47 MODULE_LICENSE("GPL"); 48 49 /* 50 * this holds a pinned cipher so that keventd doesn't get called by the cipher 51 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE 52 * packets 53 */ 54 static struct crypto_blkcipher *rxkad_ci; 55 static DEFINE_MUTEX(rxkad_ci_mutex); 56 57 /* 58 * initialise connection security 59 */ 60 static int rxkad_init_connection_security(struct rxrpc_connection *conn) 61 { 62 struct rxrpc_key_payload *payload; 63 struct crypto_blkcipher *ci; 64 int ret; 65 66 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->key)); 67 68 payload = conn->key->payload.data; 69 conn->security_ix = payload->k.security_index; 70 71 ci = crypto_alloc_blkcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 72 if (IS_ERR(ci)) { 73 _debug("no cipher"); 74 ret = PTR_ERR(ci); 75 goto error; 76 } 77 78 if (crypto_blkcipher_setkey(ci, payload->k.session_key, 79 sizeof(payload->k.session_key)) < 0) 80 BUG(); 81 82 switch (conn->security_level) { 83 case RXRPC_SECURITY_PLAIN: 84 break; 85 case RXRPC_SECURITY_AUTH: 86 conn->size_align = 8; 87 conn->security_size = sizeof(struct rxkad_level1_hdr); 88 conn->header_size += sizeof(struct rxkad_level1_hdr); 89 break; 90 case RXRPC_SECURITY_ENCRYPT: 91 conn->size_align = 8; 92 conn->security_size = sizeof(struct rxkad_level2_hdr); 93 conn->header_size += sizeof(struct rxkad_level2_hdr); 94 break; 95 default: 96 ret = -EKEYREJECTED; 97 goto error; 98 } 99 100 conn->cipher = ci; 101 ret = 0; 102 error: 103 _leave(" = %d", ret); 104 return ret; 105 } 106 107 /* 108 * prime the encryption state with the invariant parts of a connection's 109 * description 110 */ 111 static void rxkad_prime_packet_security(struct rxrpc_connection *conn) 112 { 113 struct rxrpc_key_payload *payload; 114 struct blkcipher_desc desc; 115 struct scatterlist sg[2]; 116 struct rxrpc_crypt iv; 117 struct { 118 __be32 x[4]; 119 } tmpbuf __attribute__((aligned(16))); /* must all be in same page */ 120 121 _enter(""); 122 123 if (!conn->key) 124 return; 125 126 payload = conn->key->payload.data; 127 memcpy(&iv, payload->k.session_key, sizeof(iv)); 128 129 desc.tfm = conn->cipher; 130 desc.info = iv.x; 131 desc.flags = 0; 132 133 tmpbuf.x[0] = conn->epoch; 134 tmpbuf.x[1] = conn->cid; 135 tmpbuf.x[2] = 0; 136 tmpbuf.x[3] = htonl(conn->security_ix); 137 138 memset(sg, 0, sizeof(sg)); 139 sg_set_buf(&sg[0], &tmpbuf, sizeof(tmpbuf)); 140 sg_set_buf(&sg[1], &tmpbuf, sizeof(tmpbuf)); 141 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf)); 142 143 memcpy(&conn->csum_iv, &tmpbuf.x[2], sizeof(conn->csum_iv)); 144 ASSERTCMP(conn->csum_iv.n[0], ==, tmpbuf.x[2]); 145 146 _leave(""); 147 } 148 149 /* 150 * partially encrypt a packet (level 1 security) 151 */ 152 static int rxkad_secure_packet_auth(const struct rxrpc_call *call, 153 struct sk_buff *skb, 154 u32 data_size, 155 void *sechdr) 156 { 157 struct rxrpc_skb_priv *sp; 158 struct blkcipher_desc desc; 159 struct rxrpc_crypt iv; 160 struct scatterlist sg[2]; 161 struct { 162 struct rxkad_level1_hdr hdr; 163 __be32 first; /* first four bytes of data and padding */ 164 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */ 165 u16 check; 166 167 sp = rxrpc_skb(skb); 168 169 _enter(""); 170 171 check = ntohl(sp->hdr.seq ^ sp->hdr.callNumber); 172 data_size |= (u32) check << 16; 173 174 tmpbuf.hdr.data_size = htonl(data_size); 175 memcpy(&tmpbuf.first, sechdr + 4, sizeof(tmpbuf.first)); 176 177 /* start the encryption afresh */ 178 memset(&iv, 0, sizeof(iv)); 179 desc.tfm = call->conn->cipher; 180 desc.info = iv.x; 181 desc.flags = 0; 182 183 memset(sg, 0, sizeof(sg)); 184 sg_set_buf(&sg[0], &tmpbuf, sizeof(tmpbuf)); 185 sg_set_buf(&sg[1], &tmpbuf, sizeof(tmpbuf)); 186 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf)); 187 188 memcpy(sechdr, &tmpbuf, sizeof(tmpbuf)); 189 190 _leave(" = 0"); 191 return 0; 192 } 193 194 /* 195 * wholly encrypt a packet (level 2 security) 196 */ 197 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, 198 struct sk_buff *skb, 199 u32 data_size, 200 void *sechdr) 201 { 202 const struct rxrpc_key_payload *payload; 203 struct rxkad_level2_hdr rxkhdr 204 __attribute__((aligned(8))); /* must be all on one page */ 205 struct rxrpc_skb_priv *sp; 206 struct blkcipher_desc desc; 207 struct rxrpc_crypt iv; 208 struct scatterlist sg[16]; 209 struct sk_buff *trailer; 210 unsigned len; 211 u16 check; 212 int nsg; 213 214 sp = rxrpc_skb(skb); 215 216 _enter(""); 217 218 check = ntohl(sp->hdr.seq ^ sp->hdr.callNumber); 219 220 rxkhdr.data_size = htonl(data_size | (u32) check << 16); 221 rxkhdr.checksum = 0; 222 223 /* encrypt from the session key */ 224 payload = call->conn->key->payload.data; 225 memcpy(&iv, payload->k.session_key, sizeof(iv)); 226 desc.tfm = call->conn->cipher; 227 desc.info = iv.x; 228 desc.flags = 0; 229 230 memset(sg, 0, sizeof(sg[0]) * 2); 231 sg_set_buf(&sg[0], sechdr, sizeof(rxkhdr)); 232 sg_set_buf(&sg[1], &rxkhdr, sizeof(rxkhdr)); 233 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(rxkhdr)); 234 235 /* we want to encrypt the skbuff in-place */ 236 nsg = skb_cow_data(skb, 0, &trailer); 237 if (nsg < 0 || nsg > 16) 238 return -ENOMEM; 239 240 len = data_size + call->conn->size_align - 1; 241 len &= ~(call->conn->size_align - 1); 242 243 skb_to_sgvec(skb, sg, 0, len); 244 crypto_blkcipher_encrypt_iv(&desc, sg, sg, len); 245 246 _leave(" = 0"); 247 return 0; 248 } 249 250 /* 251 * checksum an RxRPC packet header 252 */ 253 static int rxkad_secure_packet(const struct rxrpc_call *call, 254 struct sk_buff *skb, 255 size_t data_size, 256 void *sechdr) 257 { 258 struct rxrpc_skb_priv *sp; 259 struct blkcipher_desc desc; 260 struct rxrpc_crypt iv; 261 struct scatterlist sg[2]; 262 struct { 263 __be32 x[2]; 264 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */ 265 __be32 x; 266 int ret; 267 268 sp = rxrpc_skb(skb); 269 270 _enter("{%d{%x}},{#%u},%zu,", 271 call->debug_id, key_serial(call->conn->key), ntohl(sp->hdr.seq), 272 data_size); 273 274 if (!call->conn->cipher) 275 return 0; 276 277 ret = key_validate(call->conn->key); 278 if (ret < 0) 279 return ret; 280 281 /* continue encrypting from where we left off */ 282 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 283 desc.tfm = call->conn->cipher; 284 desc.info = iv.x; 285 desc.flags = 0; 286 287 /* calculate the security checksum */ 288 x = htonl(call->channel << (32 - RXRPC_CIDSHIFT)); 289 x |= sp->hdr.seq & __constant_cpu_to_be32(0x3fffffff); 290 tmpbuf.x[0] = sp->hdr.callNumber; 291 tmpbuf.x[1] = x; 292 293 memset(&sg, 0, sizeof(sg)); 294 sg_set_buf(&sg[0], &tmpbuf, sizeof(tmpbuf)); 295 sg_set_buf(&sg[1], &tmpbuf, sizeof(tmpbuf)); 296 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf)); 297 298 x = ntohl(tmpbuf.x[1]); 299 x = (x >> 16) & 0xffff; 300 if (x == 0) 301 x = 1; /* zero checksums are not permitted */ 302 sp->hdr.cksum = htons(x); 303 304 switch (call->conn->security_level) { 305 case RXRPC_SECURITY_PLAIN: 306 ret = 0; 307 break; 308 case RXRPC_SECURITY_AUTH: 309 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr); 310 break; 311 case RXRPC_SECURITY_ENCRYPT: 312 ret = rxkad_secure_packet_encrypt(call, skb, data_size, 313 sechdr); 314 break; 315 default: 316 ret = -EPERM; 317 break; 318 } 319 320 _leave(" = %d [set %hx]", ret, x); 321 return ret; 322 } 323 324 /* 325 * decrypt partial encryption on a packet (level 1 security) 326 */ 327 static int rxkad_verify_packet_auth(const struct rxrpc_call *call, 328 struct sk_buff *skb, 329 u32 *_abort_code) 330 { 331 struct rxkad_level1_hdr sechdr; 332 struct rxrpc_skb_priv *sp; 333 struct blkcipher_desc desc; 334 struct rxrpc_crypt iv; 335 struct scatterlist sg[2]; 336 struct sk_buff *trailer; 337 u32 data_size, buf; 338 u16 check; 339 340 _enter(""); 341 342 sp = rxrpc_skb(skb); 343 344 /* we want to decrypt the skbuff in-place */ 345 if (skb_cow_data(skb, 0, &trailer) < 0) 346 goto nomem; 347 348 skb_to_sgvec(skb, sg, 0, 8); 349 350 /* start the decryption afresh */ 351 memset(&iv, 0, sizeof(iv)); 352 desc.tfm = call->conn->cipher; 353 desc.info = iv.x; 354 desc.flags = 0; 355 356 crypto_blkcipher_decrypt_iv(&desc, sg, sg, 8); 357 358 /* remove the decrypted packet length */ 359 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0) 360 goto datalen_error; 361 if (!skb_pull(skb, sizeof(sechdr))) 362 BUG(); 363 364 buf = ntohl(sechdr.data_size); 365 data_size = buf & 0xffff; 366 367 check = buf >> 16; 368 check ^= ntohl(sp->hdr.seq ^ sp->hdr.callNumber); 369 check &= 0xffff; 370 if (check != 0) { 371 *_abort_code = RXKADSEALEDINCON; 372 goto protocol_error; 373 } 374 375 /* shorten the packet to remove the padding */ 376 if (data_size > skb->len) 377 goto datalen_error; 378 else if (data_size < skb->len) 379 skb->len = data_size; 380 381 _leave(" = 0 [dlen=%x]", data_size); 382 return 0; 383 384 datalen_error: 385 *_abort_code = RXKADDATALEN; 386 protocol_error: 387 _leave(" = -EPROTO"); 388 return -EPROTO; 389 390 nomem: 391 _leave(" = -ENOMEM"); 392 return -ENOMEM; 393 } 394 395 /* 396 * wholly decrypt a packet (level 2 security) 397 */ 398 static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call, 399 struct sk_buff *skb, 400 u32 *_abort_code) 401 { 402 const struct rxrpc_key_payload *payload; 403 struct rxkad_level2_hdr sechdr; 404 struct rxrpc_skb_priv *sp; 405 struct blkcipher_desc desc; 406 struct rxrpc_crypt iv; 407 struct scatterlist _sg[4], *sg; 408 struct sk_buff *trailer; 409 u32 data_size, buf; 410 u16 check; 411 int nsg; 412 413 _enter(",{%d}", skb->len); 414 415 sp = rxrpc_skb(skb); 416 417 /* we want to decrypt the skbuff in-place */ 418 nsg = skb_cow_data(skb, 0, &trailer); 419 if (nsg < 0) 420 goto nomem; 421 422 sg = _sg; 423 if (unlikely(nsg > 4)) { 424 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO); 425 if (!sg) 426 goto nomem; 427 } 428 429 skb_to_sgvec(skb, sg, 0, skb->len); 430 431 /* decrypt from the session key */ 432 payload = call->conn->key->payload.data; 433 memcpy(&iv, payload->k.session_key, sizeof(iv)); 434 desc.tfm = call->conn->cipher; 435 desc.info = iv.x; 436 desc.flags = 0; 437 438 crypto_blkcipher_decrypt_iv(&desc, sg, sg, skb->len); 439 if (sg != _sg) 440 kfree(sg); 441 442 /* remove the decrypted packet length */ 443 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0) 444 goto datalen_error; 445 if (!skb_pull(skb, sizeof(sechdr))) 446 BUG(); 447 448 buf = ntohl(sechdr.data_size); 449 data_size = buf & 0xffff; 450 451 check = buf >> 16; 452 check ^= ntohl(sp->hdr.seq ^ sp->hdr.callNumber); 453 check &= 0xffff; 454 if (check != 0) { 455 *_abort_code = RXKADSEALEDINCON; 456 goto protocol_error; 457 } 458 459 /* shorten the packet to remove the padding */ 460 if (data_size > skb->len) 461 goto datalen_error; 462 else if (data_size < skb->len) 463 skb->len = data_size; 464 465 _leave(" = 0 [dlen=%x]", data_size); 466 return 0; 467 468 datalen_error: 469 *_abort_code = RXKADDATALEN; 470 protocol_error: 471 _leave(" = -EPROTO"); 472 return -EPROTO; 473 474 nomem: 475 _leave(" = -ENOMEM"); 476 return -ENOMEM; 477 } 478 479 /* 480 * verify the security on a received packet 481 */ 482 static int rxkad_verify_packet(const struct rxrpc_call *call, 483 struct sk_buff *skb, 484 u32 *_abort_code) 485 { 486 struct blkcipher_desc desc; 487 struct rxrpc_skb_priv *sp; 488 struct rxrpc_crypt iv; 489 struct scatterlist sg[2]; 490 struct { 491 __be32 x[2]; 492 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */ 493 __be32 x; 494 __be16 cksum; 495 int ret; 496 497 sp = rxrpc_skb(skb); 498 499 _enter("{%d{%x}},{#%u}", 500 call->debug_id, key_serial(call->conn->key), 501 ntohl(sp->hdr.seq)); 502 503 if (!call->conn->cipher) 504 return 0; 505 506 if (sp->hdr.securityIndex != 2) { 507 *_abort_code = RXKADINCONSISTENCY; 508 _leave(" = -EPROTO [not rxkad]"); 509 return -EPROTO; 510 } 511 512 /* continue encrypting from where we left off */ 513 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 514 desc.tfm = call->conn->cipher; 515 desc.info = iv.x; 516 desc.flags = 0; 517 518 /* validate the security checksum */ 519 x = htonl(call->channel << (32 - RXRPC_CIDSHIFT)); 520 x |= sp->hdr.seq & __constant_cpu_to_be32(0x3fffffff); 521 tmpbuf.x[0] = call->call_id; 522 tmpbuf.x[1] = x; 523 524 memset(&sg, 0, sizeof(sg)); 525 sg_set_buf(&sg[0], &tmpbuf, sizeof(tmpbuf)); 526 sg_set_buf(&sg[1], &tmpbuf, sizeof(tmpbuf)); 527 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf)); 528 529 x = ntohl(tmpbuf.x[1]); 530 x = (x >> 16) & 0xffff; 531 if (x == 0) 532 x = 1; /* zero checksums are not permitted */ 533 534 cksum = htons(x); 535 if (sp->hdr.cksum != cksum) { 536 *_abort_code = RXKADSEALEDINCON; 537 _leave(" = -EPROTO [csum failed]"); 538 return -EPROTO; 539 } 540 541 switch (call->conn->security_level) { 542 case RXRPC_SECURITY_PLAIN: 543 ret = 0; 544 break; 545 case RXRPC_SECURITY_AUTH: 546 ret = rxkad_verify_packet_auth(call, skb, _abort_code); 547 break; 548 case RXRPC_SECURITY_ENCRYPT: 549 ret = rxkad_verify_packet_encrypt(call, skb, _abort_code); 550 break; 551 default: 552 ret = -ENOANO; 553 break; 554 } 555 556 _leave(" = %d", ret); 557 return ret; 558 } 559 560 /* 561 * issue a challenge 562 */ 563 static int rxkad_issue_challenge(struct rxrpc_connection *conn) 564 { 565 struct rxkad_challenge challenge; 566 struct rxrpc_header hdr; 567 struct msghdr msg; 568 struct kvec iov[2]; 569 size_t len; 570 int ret; 571 572 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key)); 573 574 ret = key_validate(conn->key); 575 if (ret < 0) 576 return ret; 577 578 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce)); 579 580 challenge.version = htonl(2); 581 challenge.nonce = htonl(conn->security_nonce); 582 challenge.min_level = htonl(0); 583 challenge.__padding = 0; 584 585 msg.msg_name = &conn->trans->peer->srx.transport.sin; 586 msg.msg_namelen = sizeof(conn->trans->peer->srx.transport.sin); 587 msg.msg_control = NULL; 588 msg.msg_controllen = 0; 589 msg.msg_flags = 0; 590 591 hdr.epoch = conn->epoch; 592 hdr.cid = conn->cid; 593 hdr.callNumber = 0; 594 hdr.seq = 0; 595 hdr.type = RXRPC_PACKET_TYPE_CHALLENGE; 596 hdr.flags = conn->out_clientflag; 597 hdr.userStatus = 0; 598 hdr.securityIndex = conn->security_ix; 599 hdr._rsvd = 0; 600 hdr.serviceId = conn->service_id; 601 602 iov[0].iov_base = &hdr; 603 iov[0].iov_len = sizeof(hdr); 604 iov[1].iov_base = &challenge; 605 iov[1].iov_len = sizeof(challenge); 606 607 len = iov[0].iov_len + iov[1].iov_len; 608 609 hdr.serial = htonl(atomic_inc_return(&conn->serial)); 610 _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial)); 611 612 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len); 613 if (ret < 0) { 614 _debug("sendmsg failed: %d", ret); 615 return -EAGAIN; 616 } 617 618 _leave(" = 0"); 619 return 0; 620 } 621 622 /* 623 * send a Kerberos security response 624 */ 625 static int rxkad_send_response(struct rxrpc_connection *conn, 626 struct rxrpc_header *hdr, 627 struct rxkad_response *resp, 628 const struct rxkad_key *s2) 629 { 630 struct msghdr msg; 631 struct kvec iov[3]; 632 size_t len; 633 int ret; 634 635 _enter(""); 636 637 msg.msg_name = &conn->trans->peer->srx.transport.sin; 638 msg.msg_namelen = sizeof(conn->trans->peer->srx.transport.sin); 639 msg.msg_control = NULL; 640 msg.msg_controllen = 0; 641 msg.msg_flags = 0; 642 643 hdr->epoch = conn->epoch; 644 hdr->seq = 0; 645 hdr->type = RXRPC_PACKET_TYPE_RESPONSE; 646 hdr->flags = conn->out_clientflag; 647 hdr->userStatus = 0; 648 hdr->_rsvd = 0; 649 650 iov[0].iov_base = hdr; 651 iov[0].iov_len = sizeof(*hdr); 652 iov[1].iov_base = resp; 653 iov[1].iov_len = sizeof(*resp); 654 iov[2].iov_base = (void *) s2->ticket; 655 iov[2].iov_len = s2->ticket_len; 656 657 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len; 658 659 hdr->serial = htonl(atomic_inc_return(&conn->serial)); 660 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial)); 661 662 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); 663 if (ret < 0) { 664 _debug("sendmsg failed: %d", ret); 665 return -EAGAIN; 666 } 667 668 _leave(" = 0"); 669 return 0; 670 } 671 672 /* 673 * calculate the response checksum 674 */ 675 static void rxkad_calc_response_checksum(struct rxkad_response *response) 676 { 677 u32 csum = 1000003; 678 int loop; 679 u8 *p = (u8 *) response; 680 681 for (loop = sizeof(*response); loop > 0; loop--) 682 csum = csum * 0x10204081 + *p++; 683 684 response->encrypted.checksum = htonl(csum); 685 } 686 687 /* 688 * load a scatterlist with a potentially split-page buffer 689 */ 690 static void rxkad_sg_set_buf2(struct scatterlist sg[2], 691 void *buf, size_t buflen) 692 { 693 694 memset(sg, 0, sizeof(sg)); 695 696 sg_set_buf(&sg[0], buf, buflen); 697 if (sg[0].offset + buflen > PAGE_SIZE) { 698 /* the buffer was split over two pages */ 699 sg[0].length = PAGE_SIZE - sg[0].offset; 700 sg_set_buf(&sg[1], buf + sg[0].length, buflen - sg[0].length); 701 } 702 703 ASSERTCMP(sg[0].length + sg[1].length, ==, buflen); 704 } 705 706 /* 707 * encrypt the response packet 708 */ 709 static void rxkad_encrypt_response(struct rxrpc_connection *conn, 710 struct rxkad_response *resp, 711 const struct rxkad_key *s2) 712 { 713 struct blkcipher_desc desc; 714 struct rxrpc_crypt iv; 715 struct scatterlist ssg[2], dsg[2]; 716 717 /* continue encrypting from where we left off */ 718 memcpy(&iv, s2->session_key, sizeof(iv)); 719 desc.tfm = conn->cipher; 720 desc.info = iv.x; 721 desc.flags = 0; 722 723 rxkad_sg_set_buf2(ssg, &resp->encrypted, sizeof(resp->encrypted)); 724 memcpy(dsg, ssg, sizeof(dsg)); 725 crypto_blkcipher_encrypt_iv(&desc, dsg, ssg, sizeof(resp->encrypted)); 726 } 727 728 /* 729 * respond to a challenge packet 730 */ 731 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn, 732 struct sk_buff *skb, 733 u32 *_abort_code) 734 { 735 const struct rxrpc_key_payload *payload; 736 struct rxkad_challenge challenge; 737 struct rxkad_response resp 738 __attribute__((aligned(8))); /* must be aligned for crypto */ 739 struct rxrpc_skb_priv *sp; 740 u32 version, nonce, min_level, abort_code; 741 int ret; 742 743 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key)); 744 745 if (!conn->key) { 746 _leave(" = -EPROTO [no key]"); 747 return -EPROTO; 748 } 749 750 ret = key_validate(conn->key); 751 if (ret < 0) { 752 *_abort_code = RXKADEXPIRED; 753 return ret; 754 } 755 756 abort_code = RXKADPACKETSHORT; 757 sp = rxrpc_skb(skb); 758 if (skb_copy_bits(skb, 0, &challenge, sizeof(challenge)) < 0) 759 goto protocol_error; 760 761 version = ntohl(challenge.version); 762 nonce = ntohl(challenge.nonce); 763 min_level = ntohl(challenge.min_level); 764 765 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }", 766 ntohl(sp->hdr.serial), version, nonce, min_level); 767 768 abort_code = RXKADINCONSISTENCY; 769 if (version != RXKAD_VERSION) 770 goto protocol_error; 771 772 abort_code = RXKADLEVELFAIL; 773 if (conn->security_level < min_level) 774 goto protocol_error; 775 776 payload = conn->key->payload.data; 777 778 /* build the response packet */ 779 memset(&resp, 0, sizeof(resp)); 780 781 resp.version = RXKAD_VERSION; 782 resp.encrypted.epoch = conn->epoch; 783 resp.encrypted.cid = conn->cid; 784 resp.encrypted.securityIndex = htonl(conn->security_ix); 785 resp.encrypted.call_id[0] = 786 (conn->channels[0] ? conn->channels[0]->call_id : 0); 787 resp.encrypted.call_id[1] = 788 (conn->channels[1] ? conn->channels[1]->call_id : 0); 789 resp.encrypted.call_id[2] = 790 (conn->channels[2] ? conn->channels[2]->call_id : 0); 791 resp.encrypted.call_id[3] = 792 (conn->channels[3] ? conn->channels[3]->call_id : 0); 793 resp.encrypted.inc_nonce = htonl(nonce + 1); 794 resp.encrypted.level = htonl(conn->security_level); 795 resp.kvno = htonl(payload->k.kvno); 796 resp.ticket_len = htonl(payload->k.ticket_len); 797 798 /* calculate the response checksum and then do the encryption */ 799 rxkad_calc_response_checksum(&resp); 800 rxkad_encrypt_response(conn, &resp, &payload->k); 801 return rxkad_send_response(conn, &sp->hdr, &resp, &payload->k); 802 803 protocol_error: 804 *_abort_code = abort_code; 805 _leave(" = -EPROTO [%d]", abort_code); 806 return -EPROTO; 807 } 808 809 /* 810 * decrypt the kerberos IV ticket in the response 811 */ 812 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn, 813 void *ticket, size_t ticket_len, 814 struct rxrpc_crypt *_session_key, 815 time_t *_expiry, 816 u32 *_abort_code) 817 { 818 struct blkcipher_desc desc; 819 struct rxrpc_crypt iv, key; 820 struct scatterlist ssg[1], dsg[1]; 821 struct in_addr addr; 822 unsigned life; 823 time_t issue, now; 824 bool little_endian; 825 int ret; 826 u8 *p, *q, *name, *end; 827 828 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key)); 829 830 *_expiry = 0; 831 832 ret = key_validate(conn->server_key); 833 if (ret < 0) { 834 switch (ret) { 835 case -EKEYEXPIRED: 836 *_abort_code = RXKADEXPIRED; 837 goto error; 838 default: 839 *_abort_code = RXKADNOAUTH; 840 goto error; 841 } 842 } 843 844 ASSERT(conn->server_key->payload.data != NULL); 845 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0); 846 847 memcpy(&iv, &conn->server_key->type_data, sizeof(iv)); 848 849 desc.tfm = conn->server_key->payload.data; 850 desc.info = iv.x; 851 desc.flags = 0; 852 853 sg_init_one(&ssg[0], ticket, ticket_len); 854 memcpy(dsg, ssg, sizeof(dsg)); 855 crypto_blkcipher_decrypt_iv(&desc, dsg, ssg, ticket_len); 856 857 p = ticket; 858 end = p + ticket_len; 859 860 #define Z(size) \ 861 ({ \ 862 u8 *__str = p; \ 863 q = memchr(p, 0, end - p); \ 864 if (!q || q - p > (size)) \ 865 goto bad_ticket; \ 866 for (; p < q; p++) \ 867 if (!isprint(*p)) \ 868 goto bad_ticket; \ 869 p++; \ 870 __str; \ 871 }) 872 873 /* extract the ticket flags */ 874 _debug("KIV FLAGS: %x", *p); 875 little_endian = *p & 1; 876 p++; 877 878 /* extract the authentication name */ 879 name = Z(ANAME_SZ); 880 _debug("KIV ANAME: %s", name); 881 882 /* extract the principal's instance */ 883 name = Z(INST_SZ); 884 _debug("KIV INST : %s", name); 885 886 /* extract the principal's authentication domain */ 887 name = Z(REALM_SZ); 888 _debug("KIV REALM: %s", name); 889 890 if (end - p < 4 + 8 + 4 + 2) 891 goto bad_ticket; 892 893 /* get the IPv4 address of the entity that requested the ticket */ 894 memcpy(&addr, p, sizeof(addr)); 895 p += 4; 896 _debug("KIV ADDR : "NIPQUAD_FMT, NIPQUAD(addr)); 897 898 /* get the session key from the ticket */ 899 memcpy(&key, p, sizeof(key)); 900 p += 8; 901 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1])); 902 memcpy(_session_key, &key, sizeof(key)); 903 904 /* get the ticket's lifetime */ 905 life = *p++ * 5 * 60; 906 _debug("KIV LIFE : %u", life); 907 908 /* get the issue time of the ticket */ 909 if (little_endian) { 910 __le32 stamp; 911 memcpy(&stamp, p, 4); 912 issue = le32_to_cpu(stamp); 913 } else { 914 __be32 stamp; 915 memcpy(&stamp, p, 4); 916 issue = be32_to_cpu(stamp); 917 } 918 p += 4; 919 now = xtime.tv_sec; 920 _debug("KIV ISSUE: %lx [%lx]", issue, now); 921 922 /* check the ticket is in date */ 923 if (issue > now) { 924 *_abort_code = RXKADNOAUTH; 925 ret = -EKEYREJECTED; 926 goto error; 927 } 928 929 if (issue < now - life) { 930 *_abort_code = RXKADEXPIRED; 931 ret = -EKEYEXPIRED; 932 goto error; 933 } 934 935 *_expiry = issue + life; 936 937 /* get the service name */ 938 name = Z(SNAME_SZ); 939 _debug("KIV SNAME: %s", name); 940 941 /* get the service instance name */ 942 name = Z(INST_SZ); 943 _debug("KIV SINST: %s", name); 944 945 ret = 0; 946 error: 947 _leave(" = %d", ret); 948 return ret; 949 950 bad_ticket: 951 *_abort_code = RXKADBADTICKET; 952 ret = -EBADMSG; 953 goto error; 954 } 955 956 /* 957 * decrypt the response packet 958 */ 959 static void rxkad_decrypt_response(struct rxrpc_connection *conn, 960 struct rxkad_response *resp, 961 const struct rxrpc_crypt *session_key) 962 { 963 struct blkcipher_desc desc; 964 struct scatterlist ssg[2], dsg[2]; 965 struct rxrpc_crypt iv; 966 967 _enter(",,%08x%08x", 968 ntohl(session_key->n[0]), ntohl(session_key->n[1])); 969 970 ASSERT(rxkad_ci != NULL); 971 972 mutex_lock(&rxkad_ci_mutex); 973 if (crypto_blkcipher_setkey(rxkad_ci, session_key->x, 974 sizeof(*session_key)) < 0) 975 BUG(); 976 977 memcpy(&iv, session_key, sizeof(iv)); 978 desc.tfm = rxkad_ci; 979 desc.info = iv.x; 980 desc.flags = 0; 981 982 rxkad_sg_set_buf2(ssg, &resp->encrypted, sizeof(resp->encrypted)); 983 memcpy(dsg, ssg, sizeof(dsg)); 984 crypto_blkcipher_decrypt_iv(&desc, dsg, ssg, sizeof(resp->encrypted)); 985 mutex_unlock(&rxkad_ci_mutex); 986 987 _leave(""); 988 } 989 990 /* 991 * verify a response 992 */ 993 static int rxkad_verify_response(struct rxrpc_connection *conn, 994 struct sk_buff *skb, 995 u32 *_abort_code) 996 { 997 struct rxkad_response response 998 __attribute__((aligned(8))); /* must be aligned for crypto */ 999 struct rxrpc_skb_priv *sp; 1000 struct rxrpc_crypt session_key; 1001 time_t expiry; 1002 void *ticket; 1003 u32 abort_code, version, kvno, ticket_len, csum, level; 1004 int ret; 1005 1006 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key)); 1007 1008 abort_code = RXKADPACKETSHORT; 1009 if (skb_copy_bits(skb, 0, &response, sizeof(response)) < 0) 1010 goto protocol_error; 1011 if (!pskb_pull(skb, sizeof(response))) 1012 BUG(); 1013 1014 version = ntohl(response.version); 1015 ticket_len = ntohl(response.ticket_len); 1016 kvno = ntohl(response.kvno); 1017 sp = rxrpc_skb(skb); 1018 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }", 1019 ntohl(sp->hdr.serial), version, kvno, ticket_len); 1020 1021 abort_code = RXKADINCONSISTENCY; 1022 if (version != RXKAD_VERSION) 1023 1024 abort_code = RXKADTICKETLEN; 1025 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) 1026 goto protocol_error; 1027 1028 abort_code = RXKADUNKNOWNKEY; 1029 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) 1030 goto protocol_error; 1031 1032 /* extract the kerberos ticket and decrypt and decode it */ 1033 ticket = kmalloc(ticket_len, GFP_NOFS); 1034 if (!ticket) 1035 return -ENOMEM; 1036 1037 abort_code = RXKADPACKETSHORT; 1038 if (skb_copy_bits(skb, 0, ticket, ticket_len) < 0) 1039 goto protocol_error_free; 1040 1041 ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key, 1042 &expiry, &abort_code); 1043 if (ret < 0) { 1044 *_abort_code = abort_code; 1045 kfree(ticket); 1046 return ret; 1047 } 1048 1049 /* use the session key from inside the ticket to decrypt the 1050 * response */ 1051 rxkad_decrypt_response(conn, &response, &session_key); 1052 1053 abort_code = RXKADSEALEDINCON; 1054 if (response.encrypted.epoch != conn->epoch) 1055 goto protocol_error_free; 1056 if (response.encrypted.cid != conn->cid) 1057 goto protocol_error_free; 1058 if (ntohl(response.encrypted.securityIndex) != conn->security_ix) 1059 goto protocol_error_free; 1060 csum = response.encrypted.checksum; 1061 response.encrypted.checksum = 0; 1062 rxkad_calc_response_checksum(&response); 1063 if (response.encrypted.checksum != csum) 1064 goto protocol_error_free; 1065 1066 if (ntohl(response.encrypted.call_id[0]) > INT_MAX || 1067 ntohl(response.encrypted.call_id[1]) > INT_MAX || 1068 ntohl(response.encrypted.call_id[2]) > INT_MAX || 1069 ntohl(response.encrypted.call_id[3]) > INT_MAX) 1070 goto protocol_error_free; 1071 1072 abort_code = RXKADOUTOFSEQUENCE; 1073 if (response.encrypted.inc_nonce != htonl(conn->security_nonce + 1)) 1074 goto protocol_error_free; 1075 1076 abort_code = RXKADLEVELFAIL; 1077 level = ntohl(response.encrypted.level); 1078 if (level > RXRPC_SECURITY_ENCRYPT) 1079 goto protocol_error_free; 1080 conn->security_level = level; 1081 1082 /* create a key to hold the security data and expiration time - after 1083 * this the connection security can be handled in exactly the same way 1084 * as for a client connection */ 1085 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); 1086 if (ret < 0) { 1087 kfree(ticket); 1088 return ret; 1089 } 1090 1091 kfree(ticket); 1092 _leave(" = 0"); 1093 return 0; 1094 1095 protocol_error_free: 1096 kfree(ticket); 1097 protocol_error: 1098 *_abort_code = abort_code; 1099 _leave(" = -EPROTO [%d]", abort_code); 1100 return -EPROTO; 1101 } 1102 1103 /* 1104 * clear the connection security 1105 */ 1106 static void rxkad_clear(struct rxrpc_connection *conn) 1107 { 1108 _enter(""); 1109 1110 if (conn->cipher) 1111 crypto_free_blkcipher(conn->cipher); 1112 } 1113 1114 /* 1115 * RxRPC Kerberos-based security 1116 */ 1117 static struct rxrpc_security rxkad = { 1118 .owner = THIS_MODULE, 1119 .name = "rxkad", 1120 .security_index = RXKAD_VERSION, 1121 .init_connection_security = rxkad_init_connection_security, 1122 .prime_packet_security = rxkad_prime_packet_security, 1123 .secure_packet = rxkad_secure_packet, 1124 .verify_packet = rxkad_verify_packet, 1125 .issue_challenge = rxkad_issue_challenge, 1126 .respond_to_challenge = rxkad_respond_to_challenge, 1127 .verify_response = rxkad_verify_response, 1128 .clear = rxkad_clear, 1129 }; 1130 1131 static __init int rxkad_init(void) 1132 { 1133 _enter(""); 1134 1135 /* pin the cipher we need so that the crypto layer doesn't invoke 1136 * keventd to go get it */ 1137 rxkad_ci = crypto_alloc_blkcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 1138 if (IS_ERR(rxkad_ci)) 1139 return PTR_ERR(rxkad_ci); 1140 1141 return rxrpc_register_security(&rxkad); 1142 } 1143 1144 module_init(rxkad_init); 1145 1146 static __exit void rxkad_exit(void) 1147 { 1148 _enter(""); 1149 1150 rxrpc_unregister_security(&rxkad); 1151 crypto_free_blkcipher(rxkad_ci); 1152 } 1153 1154 module_exit(rxkad_exit); 1155