search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Linux 4.8-rc8
[linux/fpc-iii.git] / net / rxrpc / rxkad.c
blob63afa9e9cc08b2db0cd0a13dfdf98ef71507d404
1 /* Kerberos-based RxRPC security
2 *
3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 */
11
12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13
14 #include <crypto/skcipher.h>
15 #include <linux/module.h>
16 #include <linux/net.h>
17 #include <linux/skbuff.h>
18 #include <linux/udp.h>
19 #include <linux/scatterlist.h>
20 #include <linux/ctype.h>
21 #include <linux/slab.h>
22 #include <net/sock.h>
23 #include <net/af_rxrpc.h>
24 #include <keys/rxrpc-type.h>
25 #include "ar-internal.h"
26
27 #define RXKAD_VERSION 2
28 #define MAXKRB5TICKETLEN 1024
29 #define RXKAD_TKT_TYPE_KERBEROS_V5 256
30 #define ANAME_SZ 40 /* size of authentication name */
31 #define INST_SZ 40 /* size of principal's instance */
32 #define REALM_SZ 40 /* size of principal's auth domain */
33 #define SNAME_SZ 40 /* size of service name */
34
35 struct rxkad_level1_hdr {
36 __be32 data_size; /* true data size (excluding padding) */
37 };
38
39 struct rxkad_level2_hdr {
40 __be32 data_size; /* true data size (excluding padding) */
41 __be32 checksum; /* decrypted data checksum */
42 };
43
44 /*
45 * this holds a pinned cipher so that keventd doesn't get called by the cipher
46 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
47 * packets
48 */
49 static struct crypto_skcipher *rxkad_ci;
50 static DEFINE_MUTEX(rxkad_ci_mutex);
51
52 /*
53 * initialise connection security
54 */
55 static int rxkad_init_connection_security(struct rxrpc_connection *conn)
56 {
57 struct crypto_skcipher *ci;
58 struct rxrpc_key_token *token;
59 int ret;
60
61 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
62
63 token = conn->params.key->payload.data[0];
64 conn->security_ix = token->security_index;
65
66 ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
67 if (IS_ERR(ci)) {
68 _debug("no cipher");
69 ret = PTR_ERR(ci);
70 goto error;
71 }
72
73 if (crypto_skcipher_setkey(ci, token->kad->session_key,
74 sizeof(token->kad->session_key)) < 0)
75 BUG();
76
77 switch (conn->params.security_level) {
78 case RXRPC_SECURITY_PLAIN:
79 break;
80 case RXRPC_SECURITY_AUTH:
81 conn->size_align = 8;
82 conn->security_size = sizeof(struct rxkad_level1_hdr);
83 conn->header_size += sizeof(struct rxkad_level1_hdr);
84 break;
85 case RXRPC_SECURITY_ENCRYPT:
86 conn->size_align = 8;
87 conn->security_size = sizeof(struct rxkad_level2_hdr);
88 conn->header_size += sizeof(struct rxkad_level2_hdr);
89 break;
90 default:
91 ret = -EKEYREJECTED;
92 goto error;
93 }
94
95 conn->cipher = ci;
96 ret = 0;
97 error:
98 _leave(" = %d", ret);
99 return ret;
100 }
101
102 /*
103 * prime the encryption state with the invariant parts of a connection's
104 * description
105 */
106 static int rxkad_prime_packet_security(struct rxrpc_connection *conn)
107 {
108 struct rxrpc_key_token *token;
109 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
110 struct scatterlist sg;
111 struct rxrpc_crypt iv;
112 __be32 *tmpbuf;
113 size_t tmpsize = 4 * sizeof(__be32);
114
115 _enter("");
116
117 if (!conn->params.key)
118 return 0;
119
120 tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
121 if (!tmpbuf)
122 return -ENOMEM;
123
124 token = conn->params.key->payload.data[0];
125 memcpy(&iv, token->kad->session_key, sizeof(iv));
126
127 tmpbuf[0] = htonl(conn->proto.epoch);
128 tmpbuf[1] = htonl(conn->proto.cid);
129 tmpbuf[2] = 0;
130 tmpbuf[3] = htonl(conn->security_ix);
131
132 sg_init_one(&sg, tmpbuf, tmpsize);
133 skcipher_request_set_tfm(req, conn->cipher);
134 skcipher_request_set_callback(req, 0, NULL, NULL);
135 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
136 crypto_skcipher_encrypt(req);
137 skcipher_request_zero(req);
138
139 memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv));
140 kfree(tmpbuf);
141 _leave(" = 0");
142 return 0;
143 }
144
145 /*
146 * partially encrypt a packet (level 1 security)
147 */
148 static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
149 struct sk_buff *skb,
150 u32 data_size,
151 void *sechdr)
152 {
153 struct rxrpc_skb_priv *sp;
154 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
155 struct rxkad_level1_hdr hdr;
156 struct rxrpc_crypt iv;
157 struct scatterlist sg;
158 u16 check;
159
160 sp = rxrpc_skb(skb);
161
162 _enter("");
163
164 check = sp->hdr.seq ^ sp->hdr.callNumber;
165 data_size |= (u32)check << 16;
166
167 hdr.data_size = htonl(data_size);
168 memcpy(sechdr, &hdr, sizeof(hdr));
169
170 /* start the encryption afresh */
171 memset(&iv, 0, sizeof(iv));
172
173 sg_init_one(&sg, sechdr, 8);
174 skcipher_request_set_tfm(req, call->conn->cipher);
175 skcipher_request_set_callback(req, 0, NULL, NULL);
176 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
177 crypto_skcipher_encrypt(req);
178 skcipher_request_zero(req);
179
180 _leave(" = 0");
181 return 0;
182 }
183
184 /*
185 * wholly encrypt a packet (level 2 security)
186 */
187 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
188 struct sk_buff *skb,
189 u32 data_size,
190 void *sechdr)
191 {
192 const struct rxrpc_key_token *token;
193 struct rxkad_level2_hdr rxkhdr;
194 struct rxrpc_skb_priv *sp;
195 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
196 struct rxrpc_crypt iv;
197 struct scatterlist sg[16];
198 struct sk_buff *trailer;
199 unsigned int len;
200 u16 check;
201 int nsg;
202 int err;
203
204 sp = rxrpc_skb(skb);
205
206 _enter("");
207
208 check = sp->hdr.seq ^ sp->hdr.callNumber;
209
210 rxkhdr.data_size = htonl(data_size | (u32)check << 16);
211 rxkhdr.checksum = 0;
212 memcpy(sechdr, &rxkhdr, sizeof(rxkhdr));
213
214 /* encrypt from the session key */
215 token = call->conn->params.key->payload.data[0];
216 memcpy(&iv, token->kad->session_key, sizeof(iv));
217
218 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
219 skcipher_request_set_tfm(req, call->conn->cipher);
220 skcipher_request_set_callback(req, 0, NULL, NULL);
221 skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
222 crypto_skcipher_encrypt(req);
223
224 /* we want to encrypt the skbuff in-place */
225 nsg = skb_cow_data(skb, 0, &trailer);
226 err = -ENOMEM;
227 if (nsg < 0 || nsg > 16)
228 goto out;
229
230 len = data_size + call->conn->size_align - 1;
231 len &= ~(call->conn->size_align - 1);
232
233 sg_init_table(sg, nsg);
234 skb_to_sgvec(skb, sg, 0, len);
235 skcipher_request_set_crypt(req, sg, sg, len, iv.x);
236 crypto_skcipher_encrypt(req);
237
238 _leave(" = 0");
239 err = 0;
240
241 out:
242 skcipher_request_zero(req);
243 return err;
244 }
245
246 /*
247 * checksum an RxRPC packet header
248 */
249 static int rxkad_secure_packet(struct rxrpc_call *call,
250 struct sk_buff *skb,
251 size_t data_size,
252 void *sechdr)
253 {
254 struct rxrpc_skb_priv *sp;
255 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
256 struct rxrpc_crypt iv;
257 struct scatterlist sg;
258 u32 x, y;
259 int ret;
260
261 sp = rxrpc_skb(skb);
262
263 _enter("{%d{%x}},{#%u},%zu,",
264 call->debug_id, key_serial(call->conn->params.key),
265 sp->hdr.seq, data_size);
266
267 if (!call->conn->cipher)
268 return 0;
269
270 ret = key_validate(call->conn->params.key);
271 if (ret < 0)
272 return ret;
273
274 /* continue encrypting from where we left off */
275 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
276
277 /* calculate the security checksum */
278 x = call->channel << (32 - RXRPC_CIDSHIFT);
279 x |= sp->hdr.seq & 0x3fffffff;
280 call->crypto_buf[0] = htonl(sp->hdr.callNumber);
281 call->crypto_buf[1] = htonl(x);
282
283 sg_init_one(&sg, call->crypto_buf, 8);
284 skcipher_request_set_tfm(req, call->conn->cipher);
285 skcipher_request_set_callback(req, 0, NULL, NULL);
286 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
287 crypto_skcipher_encrypt(req);
288 skcipher_request_zero(req);
289
290 y = ntohl(call->crypto_buf[1]);
291 y = (y >> 16) & 0xffff;
292 if (y == 0)
293 y = 1; /* zero checksums are not permitted */
294 sp->hdr.cksum = y;
295
296 switch (call->conn->params.security_level) {
297 case RXRPC_SECURITY_PLAIN:
298 ret = 0;
299 break;
300 case RXRPC_SECURITY_AUTH:
301 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr);
302 break;
303 case RXRPC_SECURITY_ENCRYPT:
304 ret = rxkad_secure_packet_encrypt(call, skb, data_size,
305 sechdr);
306 break;
307 default:
308 ret = -EPERM;
309 break;
310 }
311
312 _leave(" = %d [set %hx]", ret, y);
313 return ret;
314 }
315
316 /*
317 * decrypt partial encryption on a packet (level 1 security)
318 */
319 static int rxkad_verify_packet_auth(const struct rxrpc_call *call,
320 struct sk_buff *skb,
321 u32 *_abort_code)
322 {
323 struct rxkad_level1_hdr sechdr;
324 struct rxrpc_skb_priv *sp;
325 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
326 struct rxrpc_crypt iv;
327 struct scatterlist sg[16];
328 struct sk_buff *trailer;
329 u32 data_size, buf;
330 u16 check;
331 int nsg;
332
333 _enter("");
334
335 sp = rxrpc_skb(skb);
336
337 /* we want to decrypt the skbuff in-place */
338 nsg = skb_cow_data(skb, 0, &trailer);
339 if (nsg < 0 || nsg > 16)
340 goto nomem;
341
342 sg_init_table(sg, nsg);
343 skb_to_sgvec(skb, sg, 0, 8);
344
345 /* start the decryption afresh */
346 memset(&iv, 0, sizeof(iv));
347
348 skcipher_request_set_tfm(req, call->conn->cipher);
349 skcipher_request_set_callback(req, 0, NULL, NULL);
350 skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
351 crypto_skcipher_decrypt(req);
352 skcipher_request_zero(req);
353
354 /* remove the decrypted packet length */
355 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0)
356 goto datalen_error;
357 if (!skb_pull(skb, sizeof(sechdr)))
358 BUG();
359
360 buf = ntohl(sechdr.data_size);
361 data_size = buf & 0xffff;
362
363 check = buf >> 16;
364 check ^= sp->hdr.seq ^ sp->hdr.callNumber;
365 check &= 0xffff;
366 if (check != 0) {
367 *_abort_code = RXKADSEALEDINCON;
368 goto protocol_error;
369 }
370
371 /* shorten the packet to remove the padding */
372 if (data_size > skb->len)
373 goto datalen_error;
374 else if (data_size < skb->len)
375 skb->len = data_size;
376
377 _leave(" = 0 [dlen=%x]", data_size);
378 return 0;
379
380 datalen_error:
381 *_abort_code = RXKADDATALEN;
382 protocol_error:
383 _leave(" = -EPROTO");
384 return -EPROTO;
385
386 nomem:
387 _leave(" = -ENOMEM");
388 return -ENOMEM;
389 }
390
391 /*
392 * wholly decrypt a packet (level 2 security)
393 */
394 static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call,
395 struct sk_buff *skb,
396 u32 *_abort_code)
397 {
398 const struct rxrpc_key_token *token;
399 struct rxkad_level2_hdr sechdr;
400 struct rxrpc_skb_priv *sp;
401 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
402 struct rxrpc_crypt iv;
403 struct scatterlist _sg[4], *sg;
404 struct sk_buff *trailer;
405 u32 data_size, buf;
406 u16 check;
407 int nsg;
408
409 _enter(",{%d}", skb->len);
410
411 sp = rxrpc_skb(skb);
412
413 /* we want to decrypt the skbuff in-place */
414 nsg = skb_cow_data(skb, 0, &trailer);
415 if (nsg < 0)
416 goto nomem;
417
418 sg = _sg;
419 if (unlikely(nsg > 4)) {
420 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO);
421 if (!sg)
422 goto nomem;
423 }
424
425 sg_init_table(sg, nsg);
426 skb_to_sgvec(skb, sg, 0, skb->len);
427
428 /* decrypt from the session key */
429 token = call->conn->params.key->payload.data[0];
430 memcpy(&iv, token->kad->session_key, sizeof(iv));
431
432 skcipher_request_set_tfm(req, call->conn->cipher);
433 skcipher_request_set_callback(req, 0, NULL, NULL);
434 skcipher_request_set_crypt(req, sg, sg, skb->len, iv.x);
435 crypto_skcipher_decrypt(req);
436 skcipher_request_zero(req);
437 if (sg != _sg)
438 kfree(sg);
439
440 /* remove the decrypted packet length */
441 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0)
442 goto datalen_error;
443 if (!skb_pull(skb, sizeof(sechdr)))
444 BUG();
445
446 buf = ntohl(sechdr.data_size);
447 data_size = buf & 0xffff;
448
449 check = buf >> 16;
450 check ^= sp->hdr.seq ^ sp->hdr.callNumber;
451 check &= 0xffff;
452 if (check != 0) {
453 *_abort_code = RXKADSEALEDINCON;
454 goto protocol_error;
455 }
456
457 /* shorten the packet to remove the padding */
458 if (data_size > skb->len)
459 goto datalen_error;
460 else if (data_size < skb->len)
461 skb->len = data_size;
462
463 _leave(" = 0 [dlen=%x]", data_size);
464 return 0;
465
466 datalen_error:
467 *_abort_code = RXKADDATALEN;
468 protocol_error:
469 _leave(" = -EPROTO");
470 return -EPROTO;
471
472 nomem:
473 _leave(" = -ENOMEM");
474 return -ENOMEM;
475 }
476
477 /*
478 * verify the security on a received packet
479 */
480 static int rxkad_verify_packet(struct rxrpc_call *call,
481 struct sk_buff *skb,
482 u32 *_abort_code)
483 {
484 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
485 struct rxrpc_skb_priv *sp;
486 struct rxrpc_crypt iv;
487 struct scatterlist sg;
488 u16 cksum;
489 u32 x, y;
490 int ret;
491
492 sp = rxrpc_skb(skb);
493
494 _enter("{%d{%x}},{#%u}",
495 call->debug_id, key_serial(call->conn->params.key), sp->hdr.seq);
496
497 if (!call->conn->cipher)
498 return 0;
499
500 if (sp->hdr.securityIndex != RXRPC_SECURITY_RXKAD) {
501 *_abort_code = RXKADINCONSISTENCY;
502 _leave(" = -EPROTO [not rxkad]");
503 return -EPROTO;
504 }
505
506 /* continue encrypting from where we left off */
507 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
508
509 /* validate the security checksum */
510 x = call->channel << (32 - RXRPC_CIDSHIFT);
511 x |= sp->hdr.seq & 0x3fffffff;
512 call->crypto_buf[0] = htonl(call->call_id);
513 call->crypto_buf[1] = htonl(x);
514
515 sg_init_one(&sg, call->crypto_buf, 8);
516 skcipher_request_set_tfm(req, call->conn->cipher);
517 skcipher_request_set_callback(req, 0, NULL, NULL);
518 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
519 crypto_skcipher_encrypt(req);
520 skcipher_request_zero(req);
521
522 y = ntohl(call->crypto_buf[1]);
523 cksum = (y >> 16) & 0xffff;
524 if (cksum == 0)
525 cksum = 1; /* zero checksums are not permitted */
526
527 if (sp->hdr.cksum != cksum) {
528 *_abort_code = RXKADSEALEDINCON;
529 _leave(" = -EPROTO [csum failed]");
530 return -EPROTO;
531 }
532
533 switch (call->conn->params.security_level) {
534 case RXRPC_SECURITY_PLAIN:
535 ret = 0;
536 break;
537 case RXRPC_SECURITY_AUTH:
538 ret = rxkad_verify_packet_auth(call, skb, _abort_code);
539 break;
540 case RXRPC_SECURITY_ENCRYPT:
541 ret = rxkad_verify_packet_encrypt(call, skb, _abort_code);
542 break;
543 default:
544 ret = -ENOANO;
545 break;
546 }
547
548 _leave(" = %d", ret);
549 return ret;
550 }
551
552 /*
553 * issue a challenge
554 */
555 static int rxkad_issue_challenge(struct rxrpc_connection *conn)
556 {
557 struct rxkad_challenge challenge;
558 struct rxrpc_wire_header whdr;
559 struct msghdr msg;
560 struct kvec iov[2];
561 size_t len;
562 u32 serial;
563 int ret;
564
565 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
566
567 ret = key_validate(conn->params.key);
568 if (ret < 0)
569 return ret;
570
571 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
572
573 challenge.version = htonl(2);
574 challenge.nonce = htonl(conn->security_nonce);
575 challenge.min_level = htonl(0);
576 challenge.__padding = 0;
577
578 msg.msg_name = &conn->params.peer->srx.transport.sin;
579 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin);
580 msg.msg_control = NULL;
581 msg.msg_controllen = 0;
582 msg.msg_flags = 0;
583
584 whdr.epoch = htonl(conn->proto.epoch);
585 whdr.cid = htonl(conn->proto.cid);
586 whdr.callNumber = 0;
587 whdr.seq = 0;
588 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE;
589 whdr.flags = conn->out_clientflag;
590 whdr.userStatus = 0;
591 whdr.securityIndex = conn->security_ix;
592 whdr._rsvd = 0;
593 whdr.serviceId = htons(conn->params.service_id);
594
595 iov[0].iov_base = &whdr;
596 iov[0].iov_len = sizeof(whdr);
597 iov[1].iov_base = &challenge;
598 iov[1].iov_len = sizeof(challenge);
599
600 len = iov[0].iov_len + iov[1].iov_len;
601
602 serial = atomic_inc_return(&conn->serial);
603 whdr.serial = htonl(serial);
604 _proto("Tx CHALLENGE %%%u", serial);
605
606 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
607 if (ret < 0) {
608 _debug("sendmsg failed: %d", ret);
609 return -EAGAIN;
610 }
611
612 _leave(" = 0");
613 return 0;
614 }
615
616 /*
617 * send a Kerberos security response
618 */
619 static int rxkad_send_response(struct rxrpc_connection *conn,
620 struct rxrpc_host_header *hdr,
621 struct rxkad_response *resp,
622 const struct rxkad_key *s2)
623 {
624 struct rxrpc_wire_header whdr;
625 struct msghdr msg;
626 struct kvec iov[3];
627 size_t len;
628 u32 serial;
629 int ret;
630
631 _enter("");
632
633 msg.msg_name = &conn->params.peer->srx.transport.sin;
634 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin);
635 msg.msg_control = NULL;
636 msg.msg_controllen = 0;
637 msg.msg_flags = 0;
638
639 memset(&whdr, 0, sizeof(whdr));
640 whdr.epoch = htonl(hdr->epoch);
641 whdr.cid = htonl(hdr->cid);
642 whdr.type = RXRPC_PACKET_TYPE_RESPONSE;
643 whdr.flags = conn->out_clientflag;
644 whdr.securityIndex = hdr->securityIndex;
645 whdr.serviceId = htons(hdr->serviceId);
646
647 iov[0].iov_base = &whdr;
648 iov[0].iov_len = sizeof(whdr);
649 iov[1].iov_base = resp;
650 iov[1].iov_len = sizeof(*resp);
651 iov[2].iov_base = (void *)s2->ticket;
652 iov[2].iov_len = s2->ticket_len;
653
654 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
655
656 serial = atomic_inc_return(&conn->serial);
657 whdr.serial = htonl(serial);
658 _proto("Tx RESPONSE %%%u", serial);
659
660 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
661 if (ret < 0) {
662 _debug("sendmsg failed: %d", ret);
663 return -EAGAIN;
664 }
665
666 _leave(" = 0");
667 return 0;
668 }
669
670 /*
671 * calculate the response checksum
672 */
673 static void rxkad_calc_response_checksum(struct rxkad_response *response)
674 {
675 u32 csum = 1000003;
676 int loop;
677 u8 *p = (u8 *) response;
678
679 for (loop = sizeof(*response); loop > 0; loop--)
680 csum = csum * 0x10204081 + *p++;
681
682 response->encrypted.checksum = htonl(csum);
683 }
684
685 /*
686 * encrypt the response packet
687 */
688 static void rxkad_encrypt_response(struct rxrpc_connection *conn,
689 struct rxkad_response *resp,
690 const struct rxkad_key *s2)
691 {
692 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
693 struct rxrpc_crypt iv;
694 struct scatterlist sg[1];
695
696 /* continue encrypting from where we left off */
697 memcpy(&iv, s2->session_key, sizeof(iv));
698
699 sg_init_table(sg, 1);
700 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
701 skcipher_request_set_tfm(req, conn->cipher);
702 skcipher_request_set_callback(req, 0, NULL, NULL);
703 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
704 crypto_skcipher_encrypt(req);
705 skcipher_request_zero(req);
706 }
707
708 /*
709 * respond to a challenge packet
710 */
711 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
712 struct sk_buff *skb,
713 u32 *_abort_code)
714 {
715 const struct rxrpc_key_token *token;
716 struct rxkad_challenge challenge;
717 struct rxkad_response resp
718 __attribute__((aligned(8))); /* must be aligned for crypto */
719 struct rxrpc_skb_priv *sp;
720 u32 version, nonce, min_level, abort_code;
721 int ret;
722
723 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
724
725 if (!conn->params.key) {
726 _leave(" = -EPROTO [no key]");
727 return -EPROTO;
728 }
729
730 ret = key_validate(conn->params.key);
731 if (ret < 0) {
732 *_abort_code = RXKADEXPIRED;
733 return ret;
734 }
735
736 abort_code = RXKADPACKETSHORT;
737 sp = rxrpc_skb(skb);
738 if (skb_copy_bits(skb, 0, &challenge, sizeof(challenge)) < 0)
739 goto protocol_error;
740
741 version = ntohl(challenge.version);
742 nonce = ntohl(challenge.nonce);
743 min_level = ntohl(challenge.min_level);
744
745 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
746 sp->hdr.serial, version, nonce, min_level);
747
748 abort_code = RXKADINCONSISTENCY;
749 if (version != RXKAD_VERSION)
750 goto protocol_error;
751
752 abort_code = RXKADLEVELFAIL;
753 if (conn->params.security_level < min_level)
754 goto protocol_error;
755
756 token = conn->params.key->payload.data[0];
757
758 /* build the response packet */
759 memset(&resp, 0, sizeof(resp));
760
761 resp.version = htonl(RXKAD_VERSION);
762 resp.encrypted.epoch = htonl(conn->proto.epoch);
763 resp.encrypted.cid = htonl(conn->proto.cid);
764 resp.encrypted.securityIndex = htonl(conn->security_ix);
765 resp.encrypted.inc_nonce = htonl(nonce + 1);
766 resp.encrypted.level = htonl(conn->params.security_level);
767 resp.kvno = htonl(token->kad->kvno);
768 resp.ticket_len = htonl(token->kad->ticket_len);
769
770 resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
771 resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
772 resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
773 resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
774
775 /* calculate the response checksum and then do the encryption */
776 rxkad_calc_response_checksum(&resp);
777 rxkad_encrypt_response(conn, &resp, token->kad);
778 return rxkad_send_response(conn, &sp->hdr, &resp, token->kad);
779
780 protocol_error:
781 *_abort_code = abort_code;
782 _leave(" = -EPROTO [%d]", abort_code);
783 return -EPROTO;
784 }
785
786 /*
787 * decrypt the kerberos IV ticket in the response
788 */
789 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
790 void *ticket, size_t ticket_len,
791 struct rxrpc_crypt *_session_key,
792 time_t *_expiry,
793 u32 *_abort_code)
794 {
795 struct skcipher_request *req;
796 struct rxrpc_crypt iv, key;
797 struct scatterlist sg[1];
798 struct in_addr addr;
799 unsigned int life;
800 time_t issue, now;
801 bool little_endian;
802 int ret;
803 u8 *p, *q, *name, *end;
804
805 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
806
807 *_expiry = 0;
808
809 ret = key_validate(conn->server_key);
810 if (ret < 0) {
811 switch (ret) {
812 case -EKEYEXPIRED:
813 *_abort_code = RXKADEXPIRED;
814 goto error;
815 default:
816 *_abort_code = RXKADNOAUTH;
817 goto error;
818 }
819 }
820
821 ASSERT(conn->server_key->payload.data[0] != NULL);
822 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
823
824 memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
825
826 req = skcipher_request_alloc(conn->server_key->payload.data[0],
827 GFP_NOFS);
828 if (!req) {
829 *_abort_code = RXKADNOAUTH;
830 ret = -ENOMEM;
831 goto error;
832 }
833
834 sg_init_one(&sg[0], ticket, ticket_len);
835 skcipher_request_set_callback(req, 0, NULL, NULL);
836 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
837 crypto_skcipher_decrypt(req);
838 skcipher_request_free(req);
839
840 p = ticket;
841 end = p + ticket_len;
842
843 #define Z(size) \
844 ({ \
845 u8 *__str = p; \
846 q = memchr(p, 0, end - p); \
847 if (!q || q - p > (size)) \
848 goto bad_ticket; \
849 for (; p < q; p++) \
850 if (!isprint(*p)) \
851 goto bad_ticket; \
852 p++; \
853 __str; \
854 })
855
856 /* extract the ticket flags */
857 _debug("KIV FLAGS: %x", *p);
858 little_endian = *p & 1;
859 p++;
860
861 /* extract the authentication name */
862 name = Z(ANAME_SZ);
863 _debug("KIV ANAME: %s", name);
864
865 /* extract the principal's instance */
866 name = Z(INST_SZ);
867 _debug("KIV INST : %s", name);
868
869 /* extract the principal's authentication domain */
870 name = Z(REALM_SZ);
871 _debug("KIV REALM: %s", name);
872
873 if (end - p < 4 + 8 + 4 + 2)
874 goto bad_ticket;
875
876 /* get the IPv4 address of the entity that requested the ticket */
877 memcpy(&addr, p, sizeof(addr));
878 p += 4;
879 _debug("KIV ADDR : %pI4", &addr);
880
881 /* get the session key from the ticket */
882 memcpy(&key, p, sizeof(key));
883 p += 8;
884 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
885 memcpy(_session_key, &key, sizeof(key));
886
887 /* get the ticket's lifetime */
888 life = *p++ * 5 * 60;
889 _debug("KIV LIFE : %u", life);
890
891 /* get the issue time of the ticket */
892 if (little_endian) {
893 __le32 stamp;
894 memcpy(&stamp, p, 4);
895 issue = le32_to_cpu(stamp);
896 } else {
897 __be32 stamp;
898 memcpy(&stamp, p, 4);
899 issue = be32_to_cpu(stamp);
900 }
901 p += 4;
902 now = get_seconds();
903 _debug("KIV ISSUE: %lx [%lx]", issue, now);
904
905 /* check the ticket is in date */
906 if (issue > now) {
907 *_abort_code = RXKADNOAUTH;
908 ret = -EKEYREJECTED;
909 goto error;
910 }
911
912 if (issue < now - life) {
913 *_abort_code = RXKADEXPIRED;
914 ret = -EKEYEXPIRED;
915 goto error;
916 }
917
918 *_expiry = issue + life;
919
920 /* get the service name */
921 name = Z(SNAME_SZ);
922 _debug("KIV SNAME: %s", name);
923
924 /* get the service instance name */
925 name = Z(INST_SZ);
926 _debug("KIV SINST: %s", name);
927
928 ret = 0;
929 error:
930 _leave(" = %d", ret);
931 return ret;
932
933 bad_ticket:
934 *_abort_code = RXKADBADTICKET;
935 ret = -EBADMSG;
936 goto error;
937 }
938
939 /*
940 * decrypt the response packet
941 */
942 static void rxkad_decrypt_response(struct rxrpc_connection *conn,
943 struct rxkad_response *resp,
944 const struct rxrpc_crypt *session_key)
945 {
946 SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci);
947 struct scatterlist sg[1];
948 struct rxrpc_crypt iv;
949
950 _enter(",,%08x%08x",
951 ntohl(session_key->n[0]), ntohl(session_key->n[1]));
952
953 ASSERT(rxkad_ci != NULL);
954
955 mutex_lock(&rxkad_ci_mutex);
956 if (crypto_skcipher_setkey(rxkad_ci, session_key->x,
957 sizeof(*session_key)) < 0)
958 BUG();
959
960 memcpy(&iv, session_key, sizeof(iv));
961
962 sg_init_table(sg, 1);
963 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
964 skcipher_request_set_tfm(req, rxkad_ci);
965 skcipher_request_set_callback(req, 0, NULL, NULL);
966 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
967 crypto_skcipher_decrypt(req);
968 skcipher_request_zero(req);
969
970 mutex_unlock(&rxkad_ci_mutex);
971
972 _leave("");
973 }
974
975 /*
976 * verify a response
977 */
978 static int rxkad_verify_response(struct rxrpc_connection *conn,
979 struct sk_buff *skb,
980 u32 *_abort_code)
981 {
982 struct rxkad_response response
983 __attribute__((aligned(8))); /* must be aligned for crypto */
984 struct rxrpc_skb_priv *sp;
985 struct rxrpc_crypt session_key;
986 time_t expiry;
987 void *ticket;
988 u32 abort_code, version, kvno, ticket_len, level;
989 __be32 csum;
990 int ret, i;
991
992 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
993
994 abort_code = RXKADPACKETSHORT;
995 if (skb_copy_bits(skb, 0, &response, sizeof(response)) < 0)
996 goto protocol_error;
997 if (!pskb_pull(skb, sizeof(response)))
998 BUG();
999
1000 version = ntohl(response.version);
1001 ticket_len = ntohl(response.ticket_len);
1002 kvno = ntohl(response.kvno);
1003 sp = rxrpc_skb(skb);
1004 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1005 sp->hdr.serial, version, kvno, ticket_len);
1006
1007 abort_code = RXKADINCONSISTENCY;
1008 if (version != RXKAD_VERSION)
1009 goto protocol_error;
1010
1011 abort_code = RXKADTICKETLEN;
1012 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1013 goto protocol_error;
1014
1015 abort_code = RXKADUNKNOWNKEY;
1016 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1017 goto protocol_error;
1018
1019 /* extract the kerberos ticket and decrypt and decode it */
1020 ticket = kmalloc(ticket_len, GFP_NOFS);
1021 if (!ticket)
1022 return -ENOMEM;
1023
1024 abort_code = RXKADPACKETSHORT;
1025 if (skb_copy_bits(skb, 0, ticket, ticket_len) < 0)
1026 goto protocol_error_free;
1027
1028 ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key,
1029 &expiry, &abort_code);
1030 if (ret < 0) {
1031 *_abort_code = abort_code;
1032 kfree(ticket);
1033 return ret;
1034 }
1035
1036 /* use the session key from inside the ticket to decrypt the
1037 * response */
1038 rxkad_decrypt_response(conn, &response, &session_key);
1039
1040 abort_code = RXKADSEALEDINCON;
1041 if (ntohl(response.encrypted.epoch) != conn->proto.epoch)
1042 goto protocol_error_free;
1043 if (ntohl(response.encrypted.cid) != conn->proto.cid)
1044 goto protocol_error_free;
1045 if (ntohl(response.encrypted.securityIndex) != conn->security_ix)
1046 goto protocol_error_free;
1047 csum = response.encrypted.checksum;
1048 response.encrypted.checksum = 0;
1049 rxkad_calc_response_checksum(&response);
1050 if (response.encrypted.checksum != csum)
1051 goto protocol_error_free;
1052
1053 spin_lock(&conn->channel_lock);
1054 for (i = 0; i < RXRPC_MAXCALLS; i++) {
1055 struct rxrpc_call *call;
1056 u32 call_id = ntohl(response.encrypted.call_id[i]);
1057
1058 if (call_id > INT_MAX)
1059 goto protocol_error_unlock;
1060
1061 if (call_id < conn->channels[i].call_counter)
1062 goto protocol_error_unlock;
1063 if (call_id > conn->channels[i].call_counter) {
1064 call = rcu_dereference_protected(
1065 conn->channels[i].call,
1066 lockdep_is_held(&conn->channel_lock));
1067 if (call && call->state < RXRPC_CALL_COMPLETE)
1068 goto protocol_error_unlock;
1069 conn->channels[i].call_counter = call_id;
1070 }
1071 }
1072 spin_unlock(&conn->channel_lock);
1073
1074 abort_code = RXKADOUTOFSEQUENCE;
1075 if (ntohl(response.encrypted.inc_nonce) != conn->security_nonce + 1)
1076 goto protocol_error_free;
1077
1078 abort_code = RXKADLEVELFAIL;
1079 level = ntohl(response.encrypted.level);
1080 if (level > RXRPC_SECURITY_ENCRYPT)
1081 goto protocol_error_free;
1082 conn->params.security_level = level;
1083
1084 /* create a key to hold the security data and expiration time - after
1085 * this the connection security can be handled in exactly the same way
1086 * as for a client connection */
1087 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1088 if (ret < 0) {
1089 kfree(ticket);
1090 return ret;
1091 }
1092
1093 kfree(ticket);
1094 _leave(" = 0");
1095 return 0;
1096
1097 protocol_error_unlock:
1098 spin_unlock(&conn->channel_lock);
1099 protocol_error_free:
1100 kfree(ticket);
1101 protocol_error:
1102 *_abort_code = abort_code;
1103 _leave(" = -EPROTO [%d]", abort_code);
1104 return -EPROTO;
1105 }
1106
1107 /*
1108 * clear the connection security
1109 */
1110 static void rxkad_clear(struct rxrpc_connection *conn)
1111 {
1112 _enter("");
1113
1114 if (conn->cipher)
1115 crypto_free_skcipher(conn->cipher);
1116 }
1117
1118 /*
1119 * Initialise the rxkad security service.
1120 */
1121 static int rxkad_init(void)
1122 {
1123 /* pin the cipher we need so that the crypto layer doesn't invoke
1124 * keventd to go get it */
1125 rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
1126 return PTR_ERR_OR_ZERO(rxkad_ci);
1127 }
1128
1129 /*
1130 * Clean up the rxkad security service.
1131 */
1132 static void rxkad_exit(void)
1133 {
1134 if (rxkad_ci)
1135 crypto_free_skcipher(rxkad_ci);
1136 }
1137
1138 /*
1139 * RxRPC Kerberos-based security
1140 */
1141 const struct rxrpc_security rxkad = {
1142 .name = "rxkad",
1143 .security_index = RXRPC_SECURITY_RXKAD,
1144 .init = rxkad_init,
1145 .exit = rxkad_exit,
1146 .init_connection_security = rxkad_init_connection_security,
1147 .prime_packet_security = rxkad_prime_packet_security,
1148 .secure_packet = rxkad_secure_packet,
1149 .verify_packet = rxkad_verify_packet,
1150 .issue_challenge = rxkad_issue_challenge,
1151 .respond_to_challenge = rxkad_respond_to_challenge,
1152 .verify_response = rxkad_verify_response,
1153 .clear = rxkad_clear,
1154 };
Linux with added FPC-III support