1/* Kerberos-based RxRPC security 2 * 3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12#include <linux/module.h> 13#include <linux/net.h> 14#include <linux/skbuff.h> 15#include <linux/udp.h> 16#include <linux/crypto.h> 17#include <linux/scatterlist.h> 18#include <linux/ctype.h> 19#include <linux/slab.h> 20#include <net/sock.h> 21#include <net/af_rxrpc.h> 22#include <keys/rxrpc-type.h> 23#define rxrpc_debug rxkad_debug 24#include "ar-internal.h" 25 26#define RXKAD_VERSION 2 27#define MAXKRB5TICKETLEN 1024 28#define RXKAD_TKT_TYPE_KERBEROS_V5 256 29#define ANAME_SZ 40 /* size of authentication name */ 30#define INST_SZ 40 /* size of principal's instance */ 31#define REALM_SZ 40 /* size of principal's auth domain */ 32#define SNAME_SZ 40 /* size of service name */ 33 34unsigned int rxrpc_debug; 35module_param_named(debug, rxrpc_debug, uint, S_IWUSR | S_IRUGO); 36MODULE_PARM_DESC(debug, "rxkad debugging mask"); 37 38struct rxkad_level1_hdr { 39 __be32 data_size; /* true data size (excluding padding) */ 40}; 41 42struct rxkad_level2_hdr { 43 __be32 data_size; /* true data size (excluding padding) */ 44 __be32 checksum; /* decrypted data checksum */ 45}; 46 47MODULE_DESCRIPTION("RxRPC network protocol type-2 security (Kerberos 4)"); 48MODULE_AUTHOR("Red Hat, Inc."); 49MODULE_LICENSE("GPL"); 50 51/* 52 * this holds a pinned cipher so that keventd doesn't get called by the cipher 53 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE 54 * packets 55 */ 56static struct crypto_blkcipher *rxkad_ci; 57static DEFINE_MUTEX(rxkad_ci_mutex); 58 59/* 60 * initialise connection security 61 */ 62static int rxkad_init_connection_security(struct rxrpc_connection *conn) 63{ 64 struct crypto_blkcipher *ci; 65 struct rxrpc_key_token *token; 66 int ret; 67 68 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->key)); 69 70 token = conn->key->payload.data; 71 conn->security_ix = token->security_index; 72 73 ci = crypto_alloc_blkcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 74 if (IS_ERR(ci)) { 75 _debug("no cipher"); 76 ret = PTR_ERR(ci); 77 goto error; 78 } 79 80 if (crypto_blkcipher_setkey(ci, token->kad->session_key, 81 sizeof(token->kad->session_key)) < 0) 82 BUG(); 83 84 switch (conn->security_level) { 85 case RXRPC_SECURITY_PLAIN: 86 break; 87 case RXRPC_SECURITY_AUTH: 88 conn->size_align = 8; 89 conn->security_size = sizeof(struct rxkad_level1_hdr); 90 conn->header_size += sizeof(struct rxkad_level1_hdr); 91 break; 92 case RXRPC_SECURITY_ENCRYPT: 93 conn->size_align = 8; 94 conn->security_size = sizeof(struct rxkad_level2_hdr); 95 conn->header_size += sizeof(struct rxkad_level2_hdr); 96 break; 97 default: 98 ret = -EKEYREJECTED; 99 goto error; 100 } 101 102 conn->cipher = ci; 103 ret = 0; 104error: 105 _leave(" = %d", ret); 106 return ret; 107} 108 109/* 110 * prime the encryption state with the invariant parts of a connection's 111 * description 112 */ 113static void rxkad_prime_packet_security(struct rxrpc_connection *conn) 114{ 115 struct rxrpc_key_token *token; 116 struct blkcipher_desc desc; 117 struct scatterlist sg[2]; 118 struct rxrpc_crypt iv; 119 struct { 120 __be32 x[4]; 121 } tmpbuf __attribute__((aligned(16))); /* must all be in same page */ 122 123 _enter(""); 124 125 if (!conn->key) 126 return; 127 128 token = conn->key->payload.data; 129 memcpy(&iv, token->kad->session_key, sizeof(iv)); 130 131 desc.tfm = conn->cipher; 132 desc.info = iv.x; 133 desc.flags = 0; 134 135 tmpbuf.x[0] = conn->epoch; 136 tmpbuf.x[1] = conn->cid; 137 tmpbuf.x[2] = 0; 138 tmpbuf.x[3] = htonl(conn->security_ix); 139 140 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf)); 141 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf)); 142 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf)); 143 144 memcpy(&conn->csum_iv, &tmpbuf.x[2], sizeof(conn->csum_iv)); 145 ASSERTCMP(conn->csum_iv.n[0], ==, tmpbuf.x[2]); 146 147 _leave(""); 148} 149 150/* 151 * partially encrypt a packet (level 1 security) 152 */ 153static int rxkad_secure_packet_auth(const struct rxrpc_call *call, 154 struct sk_buff *skb, 155 u32 data_size, 156 void *sechdr) 157{ 158 struct rxrpc_skb_priv *sp; 159 struct blkcipher_desc desc; 160 struct rxrpc_crypt iv; 161 struct scatterlist sg[2]; 162 struct { 163 struct rxkad_level1_hdr hdr; 164 __be32 first; /* first four bytes of data and padding */ 165 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */ 166 u16 check; 167 168 sp = rxrpc_skb(skb); 169 170 _enter(""); 171 172 check = ntohl(sp->hdr.seq ^ sp->hdr.callNumber); 173 data_size |= (u32) check << 16; 174 175 tmpbuf.hdr.data_size = htonl(data_size); 176 memcpy(&tmpbuf.first, sechdr + 4, sizeof(tmpbuf.first)); 177 178 /* start the encryption afresh */ 179 memset(&iv, 0, sizeof(iv)); 180 desc.tfm = call->conn->cipher; 181 desc.info = iv.x; 182 desc.flags = 0; 183 184 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf)); 185 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf)); 186 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf)); 187 188 memcpy(sechdr, &tmpbuf, sizeof(tmpbuf)); 189 190 _leave(" = 0"); 191 return 0; 192} 193 194/* 195 * wholly encrypt a packet (level 2 security) 196 */ 197static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, 198 struct sk_buff *skb, 199 u32 data_size, 200 void *sechdr) 201{ 202 const struct rxrpc_key_token *token; 203 struct rxkad_level2_hdr rxkhdr 204 __attribute__((aligned(8))); /* must be all on one page */ 205 struct rxrpc_skb_priv *sp; 206 struct blkcipher_desc desc; 207 struct rxrpc_crypt iv; 208 struct scatterlist sg[16]; 209 struct sk_buff *trailer; 210 unsigned int len; 211 u16 check; 212 int nsg; 213 214 sp = rxrpc_skb(skb); 215 216 _enter(""); 217 218 check = ntohl(sp->hdr.seq ^ sp->hdr.callNumber); 219 220 rxkhdr.data_size = htonl(data_size | (u32) check << 16); 221 rxkhdr.checksum = 0; 222 223 /* encrypt from the session key */ 224 token = call->conn->key->payload.data; 225 memcpy(&iv, token->kad->session_key, sizeof(iv)); 226 desc.tfm = call->conn->cipher; 227 desc.info = iv.x; 228 desc.flags = 0; 229 230 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr)); 231 sg_init_one(&sg[1], &rxkhdr, sizeof(rxkhdr)); 232 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(rxkhdr)); 233 234 /* we want to encrypt the skbuff in-place */ 235 nsg = skb_cow_data(skb, 0, &trailer); 236 if (nsg < 0 || nsg > 16) 237 return -ENOMEM; 238 239 len = data_size + call->conn->size_align - 1; 240 len &= ~(call->conn->size_align - 1); 241 242 sg_init_table(sg, nsg); 243 skb_to_sgvec(skb, sg, 0, len); 244 crypto_blkcipher_encrypt_iv(&desc, sg, sg, len); 245 246 _leave(" = 0"); 247 return 0; 248} 249 250/* 251 * checksum an RxRPC packet header 252 */ 253static int rxkad_secure_packet(const struct rxrpc_call *call, 254 struct sk_buff *skb, 255 size_t data_size, 256 void *sechdr) 257{ 258 struct rxrpc_skb_priv *sp; 259 struct blkcipher_desc desc; 260 struct rxrpc_crypt iv; 261 struct scatterlist sg[2]; 262 struct { 263 __be32 x[2]; 264 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */ 265 __be32 x; 266 u32 y; 267 int ret; 268 269 sp = rxrpc_skb(skb); 270 271 _enter("{%d{%x}},{#%u},%zu,", 272 call->debug_id, key_serial(call->conn->key), ntohl(sp->hdr.seq), 273 data_size); 274 275 if (!call->conn->cipher) 276 return 0; 277 278 ret = key_validate(call->conn->key); 279 if (ret < 0) 280 return ret; 281 282 /* continue encrypting from where we left off */ 283 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 284 desc.tfm = call->conn->cipher; 285 desc.info = iv.x; 286 desc.flags = 0; 287 288 /* calculate the security checksum */ 289 x = htonl(call->channel << (32 - RXRPC_CIDSHIFT)); 290 x |= sp->hdr.seq & cpu_to_be32(0x3fffffff); 291 tmpbuf.x[0] = sp->hdr.callNumber; 292 tmpbuf.x[1] = x; 293 294 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf)); 295 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf)); 296 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf)); 297 298 y = ntohl(tmpbuf.x[1]); 299 y = (y >> 16) & 0xffff; 300 if (y == 0) 301 y = 1; /* zero checksums are not permitted */ 302 sp->hdr.cksum = htons(y); 303 304 switch (call->conn->security_level) { 305 case RXRPC_SECURITY_PLAIN: 306 ret = 0; 307 break; 308 case RXRPC_SECURITY_AUTH: 309 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr); 310 break; 311 case RXRPC_SECURITY_ENCRYPT: 312 ret = rxkad_secure_packet_encrypt(call, skb, data_size, 313 sechdr); 314 break; 315 default: 316 ret = -EPERM; 317 break; 318 } 319 320 _leave(" = %d [set %hx]", ret, y); 321 return ret; 322} 323 324/* 325 * decrypt partial encryption on a packet (level 1 security) 326 */ 327static int rxkad_verify_packet_auth(const struct rxrpc_call *call, 328 struct sk_buff *skb, 329 u32 *_abort_code) 330{ 331 struct rxkad_level1_hdr sechdr; 332 struct rxrpc_skb_priv *sp; 333 struct blkcipher_desc desc; 334 struct rxrpc_crypt iv; 335 struct scatterlist sg[16]; 336 struct sk_buff *trailer; 337 u32 data_size, buf; 338 u16 check; 339 int nsg; 340 341 _enter(""); 342 343 sp = rxrpc_skb(skb); 344 345 /* we want to decrypt the skbuff in-place */ 346 nsg = skb_cow_data(skb, 0, &trailer); 347 if (nsg < 0 || nsg > 16) 348 goto nomem; 349 350 sg_init_table(sg, nsg); 351 skb_to_sgvec(skb, sg, 0, 8); 352 353 /* start the decryption afresh */ 354 memset(&iv, 0, sizeof(iv)); 355 desc.tfm = call->conn->cipher; 356 desc.info = iv.x; 357 desc.flags = 0; 358 359 crypto_blkcipher_decrypt_iv(&desc, sg, sg, 8); 360 361 /* remove the decrypted packet length */ 362 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0) 363 goto datalen_error; 364 if (!skb_pull(skb, sizeof(sechdr))) 365 BUG(); 366 367 buf = ntohl(sechdr.data_size); 368 data_size = buf & 0xffff; 369 370 check = buf >> 16; 371 check ^= ntohl(sp->hdr.seq ^ sp->hdr.callNumber); 372 check &= 0xffff; 373 if (check != 0) { 374 *_abort_code = RXKADSEALEDINCON; 375 goto protocol_error; 376 } 377 378 /* shorten the packet to remove the padding */ 379 if (data_size > skb->len) 380 goto datalen_error; 381 else if (data_size < skb->len) 382 skb->len = data_size; 383 384 _leave(" = 0 [dlen=%x]", data_size); 385 return 0; 386 387datalen_error: 388 *_abort_code = RXKADDATALEN; 389protocol_error: 390 _leave(" = -EPROTO"); 391 return -EPROTO; 392 393nomem: 394 _leave(" = -ENOMEM"); 395 return -ENOMEM; 396} 397 398/* 399 * wholly decrypt a packet (level 2 security) 400 */ 401static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call, 402 struct sk_buff *skb, 403 u32 *_abort_code) 404{ 405 const struct rxrpc_key_token *token; 406 struct rxkad_level2_hdr sechdr; 407 struct rxrpc_skb_priv *sp; 408 struct blkcipher_desc desc; 409 struct rxrpc_crypt iv; 410 struct scatterlist _sg[4], *sg; 411 struct sk_buff *trailer; 412 u32 data_size, buf; 413 u16 check; 414 int nsg; 415 416 _enter(",{%d}", skb->len); 417 418 sp = rxrpc_skb(skb); 419 420 /* we want to decrypt the skbuff in-place */ 421 nsg = skb_cow_data(skb, 0, &trailer); 422 if (nsg < 0) 423 goto nomem; 424 425 sg = _sg; 426 if (unlikely(nsg > 4)) { 427 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO); 428 if (!sg) 429 goto nomem; 430 } 431 432 sg_init_table(sg, nsg); 433 skb_to_sgvec(skb, sg, 0, skb->len); 434 435 /* decrypt from the session key */ 436 token = call->conn->key->payload.data; 437 memcpy(&iv, token->kad->session_key, sizeof(iv)); 438 desc.tfm = call->conn->cipher; 439 desc.info = iv.x; 440 desc.flags = 0; 441 442 crypto_blkcipher_decrypt_iv(&desc, sg, sg, skb->len); 443 if (sg != _sg) 444 kfree(sg); 445 446 /* remove the decrypted packet length */ 447 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0) 448 goto datalen_error; 449 if (!skb_pull(skb, sizeof(sechdr))) 450 BUG(); 451 452 buf = ntohl(sechdr.data_size); 453 data_size = buf & 0xffff; 454 455 check = buf >> 16; 456 check ^= ntohl(sp->hdr.seq ^ sp->hdr.callNumber); 457 check &= 0xffff; 458 if (check != 0) { 459 *_abort_code = RXKADSEALEDINCON; 460 goto protocol_error; 461 } 462 463 /* shorten the packet to remove the padding */ 464 if (data_size > skb->len) 465 goto datalen_error; 466 else if (data_size < skb->len) 467 skb->len = data_size; 468 469 _leave(" = 0 [dlen=%x]", data_size); 470 return 0; 471 472datalen_error: 473 *_abort_code = RXKADDATALEN; 474protocol_error: 475 _leave(" = -EPROTO"); 476 return -EPROTO; 477 478nomem: 479 _leave(" = -ENOMEM"); 480 return -ENOMEM; 481} 482 483/* 484 * verify the security on a received packet 485 */ 486static int rxkad_verify_packet(const struct rxrpc_call *call, 487 struct sk_buff *skb, 488 u32 *_abort_code) 489{ 490 struct blkcipher_desc desc; 491 struct rxrpc_skb_priv *sp; 492 struct rxrpc_crypt iv; 493 struct scatterlist sg[2]; 494 struct { 495 __be32 x[2]; 496 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */ 497 __be32 x; 498 __be16 cksum; 499 u32 y; 500 int ret; 501 502 sp = rxrpc_skb(skb); 503 504 _enter("{%d{%x}},{#%u}", 505 call->debug_id, key_serial(call->conn->key), 506 ntohl(sp->hdr.seq)); 507 508 if (!call->conn->cipher) 509 return 0; 510 511 if (sp->hdr.securityIndex != RXRPC_SECURITY_RXKAD) { 512 *_abort_code = RXKADINCONSISTENCY; 513 _leave(" = -EPROTO [not rxkad]"); 514 return -EPROTO; 515 } 516 517 /* continue encrypting from where we left off */ 518 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); 519 desc.tfm = call->conn->cipher; 520 desc.info = iv.x; 521 desc.flags = 0; 522 523 /* validate the security checksum */ 524 x = htonl(call->channel << (32 - RXRPC_CIDSHIFT)); 525 x |= sp->hdr.seq & cpu_to_be32(0x3fffffff); 526 tmpbuf.x[0] = call->call_id; 527 tmpbuf.x[1] = x; 528 529 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf)); 530 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf)); 531 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf)); 532 533 y = ntohl(tmpbuf.x[1]); 534 y = (y >> 16) & 0xffff; 535 if (y == 0) 536 y = 1; /* zero checksums are not permitted */ 537 538 cksum = htons(y); 539 if (sp->hdr.cksum != cksum) { 540 *_abort_code = RXKADSEALEDINCON; 541 _leave(" = -EPROTO [csum failed]"); 542 return -EPROTO; 543 } 544 545 switch (call->conn->security_level) { 546 case RXRPC_SECURITY_PLAIN: 547 ret = 0; 548 break; 549 case RXRPC_SECURITY_AUTH: 550 ret = rxkad_verify_packet_auth(call, skb, _abort_code); 551 break; 552 case RXRPC_SECURITY_ENCRYPT: 553 ret = rxkad_verify_packet_encrypt(call, skb, _abort_code); 554 break; 555 default: 556 ret = -ENOANO; 557 break; 558 } 559 560 _leave(" = %d", ret); 561 return ret; 562} 563 564/* 565 * issue a challenge 566 */ 567static int rxkad_issue_challenge(struct rxrpc_connection *conn) 568{ 569 struct rxkad_challenge challenge; 570 struct rxrpc_header hdr; 571 struct msghdr msg; 572 struct kvec iov[2]; 573 size_t len; 574 int ret; 575 576 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key)); 577 578 ret = key_validate(conn->key); 579 if (ret < 0) 580 return ret; 581 582 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce)); 583 584 challenge.version = htonl(2); 585 challenge.nonce = htonl(conn->security_nonce); 586 challenge.min_level = htonl(0); 587 challenge.__padding = 0; 588 589 msg.msg_name = &conn->trans->peer->srx.transport.sin; 590 msg.msg_namelen = sizeof(conn->trans->peer->srx.transport.sin); 591 msg.msg_control = NULL; 592 msg.msg_controllen = 0; 593 msg.msg_flags = 0; 594 595 hdr.epoch = conn->epoch; 596 hdr.cid = conn->cid; 597 hdr.callNumber = 0; 598 hdr.seq = 0; 599 hdr.type = RXRPC_PACKET_TYPE_CHALLENGE; 600 hdr.flags = conn->out_clientflag; 601 hdr.userStatus = 0; 602 hdr.securityIndex = conn->security_ix; 603 hdr._rsvd = 0; 604 hdr.serviceId = conn->service_id; 605 606 iov[0].iov_base = &hdr; 607 iov[0].iov_len = sizeof(hdr); 608 iov[1].iov_base = &challenge; 609 iov[1].iov_len = sizeof(challenge); 610 611 len = iov[0].iov_len + iov[1].iov_len; 612 613 hdr.serial = htonl(atomic_inc_return(&conn->serial)); 614 _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial)); 615 616 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len); 617 if (ret < 0) { 618 _debug("sendmsg failed: %d", ret); 619 return -EAGAIN; 620 } 621 622 _leave(" = 0"); 623 return 0; 624} 625 626/* 627 * send a Kerberos security response 628 */ 629static int rxkad_send_response(struct rxrpc_connection *conn, 630 struct rxrpc_header *hdr, 631 struct rxkad_response *resp, 632 const struct rxkad_key *s2) 633{ 634 struct msghdr msg; 635 struct kvec iov[3]; 636 size_t len; 637 int ret; 638 639 _enter(""); 640 641 msg.msg_name = &conn->trans->peer->srx.transport.sin; 642 msg.msg_namelen = sizeof(conn->trans->peer->srx.transport.sin); 643 msg.msg_control = NULL; 644 msg.msg_controllen = 0; 645 msg.msg_flags = 0; 646 647 hdr->epoch = conn->epoch; 648 hdr->seq = 0; 649 hdr->type = RXRPC_PACKET_TYPE_RESPONSE; 650 hdr->flags = conn->out_clientflag; 651 hdr->userStatus = 0; 652 hdr->_rsvd = 0; 653 654 iov[0].iov_base = hdr; 655 iov[0].iov_len = sizeof(*hdr); 656 iov[1].iov_base = resp; 657 iov[1].iov_len = sizeof(*resp); 658 iov[2].iov_base = (void *) s2->ticket; 659 iov[2].iov_len = s2->ticket_len; 660 661 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len; 662 663 hdr->serial = htonl(atomic_inc_return(&conn->serial)); 664 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial)); 665 666 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); 667 if (ret < 0) { 668 _debug("sendmsg failed: %d", ret); 669 return -EAGAIN; 670 } 671 672 _leave(" = 0"); 673 return 0; 674} 675 676/* 677 * calculate the response checksum 678 */ 679static void rxkad_calc_response_checksum(struct rxkad_response *response) 680{ 681 u32 csum = 1000003; 682 int loop; 683 u8 *p = (u8 *) response; 684 685 for (loop = sizeof(*response); loop > 0; loop--) 686 csum = csum * 0x10204081 + *p++; 687 688 response->encrypted.checksum = htonl(csum); 689} 690 691/* 692 * load a scatterlist with a potentially split-page buffer 693 */ 694static void rxkad_sg_set_buf2(struct scatterlist sg[2], 695 void *buf, size_t buflen) 696{ 697 int nsg = 1; 698 699 sg_init_table(sg, 2); 700 701 sg_set_buf(&sg[0], buf, buflen); 702 if (sg[0].offset + buflen > PAGE_SIZE) { 703 /* the buffer was split over two pages */ 704 sg[0].length = PAGE_SIZE - sg[0].offset; 705 sg_set_buf(&sg[1], buf + sg[0].length, buflen - sg[0].length); 706 nsg++; 707 } 708 709 sg_mark_end(&sg[nsg - 1]); 710 711 ASSERTCMP(sg[0].length + sg[1].length, ==, buflen); 712} 713 714/* 715 * encrypt the response packet 716 */ 717static void rxkad_encrypt_response(struct rxrpc_connection *conn, 718 struct rxkad_response *resp, 719 const struct rxkad_key *s2) 720{ 721 struct blkcipher_desc desc; 722 struct rxrpc_crypt iv; 723 struct scatterlist sg[2]; 724 725 /* continue encrypting from where we left off */ 726 memcpy(&iv, s2->session_key, sizeof(iv)); 727 desc.tfm = conn->cipher; 728 desc.info = iv.x; 729 desc.flags = 0; 730 731 rxkad_sg_set_buf2(sg, &resp->encrypted, sizeof(resp->encrypted)); 732 crypto_blkcipher_encrypt_iv(&desc, sg, sg, sizeof(resp->encrypted)); 733} 734 735/* 736 * respond to a challenge packet 737 */ 738static int rxkad_respond_to_challenge(struct rxrpc_connection *conn, 739 struct sk_buff *skb, 740 u32 *_abort_code) 741{ 742 const struct rxrpc_key_token *token; 743 struct rxkad_challenge challenge; 744 struct rxkad_response resp 745 __attribute__((aligned(8))); /* must be aligned for crypto */ 746 struct rxrpc_skb_priv *sp; 747 u32 version, nonce, min_level, abort_code; 748 int ret; 749 750 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key)); 751 752 if (!conn->key) { 753 _leave(" = -EPROTO [no key]"); 754 return -EPROTO; 755 } 756 757 ret = key_validate(conn->key); 758 if (ret < 0) { 759 *_abort_code = RXKADEXPIRED; 760 return ret; 761 } 762 763 abort_code = RXKADPACKETSHORT; 764 sp = rxrpc_skb(skb); 765 if (skb_copy_bits(skb, 0, &challenge, sizeof(challenge)) < 0) 766 goto protocol_error; 767 768 version = ntohl(challenge.version); 769 nonce = ntohl(challenge.nonce); 770 min_level = ntohl(challenge.min_level); 771 772 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }", 773 ntohl(sp->hdr.serial), version, nonce, min_level); 774 775 abort_code = RXKADINCONSISTENCY; 776 if (version != RXKAD_VERSION) 777 goto protocol_error; 778 779 abort_code = RXKADLEVELFAIL; 780 if (conn->security_level < min_level) 781 goto protocol_error; 782 783 token = conn->key->payload.data; 784 785 /* build the response packet */ 786 memset(&resp, 0, sizeof(resp)); 787 788 resp.version = RXKAD_VERSION; 789 resp.encrypted.epoch = conn->epoch; 790 resp.encrypted.cid = conn->cid; 791 resp.encrypted.securityIndex = htonl(conn->security_ix); 792 resp.encrypted.call_id[0] = 793 (conn->channels[0] ? conn->channels[0]->call_id : 0); 794 resp.encrypted.call_id[1] = 795 (conn->channels[1] ? conn->channels[1]->call_id : 0); 796 resp.encrypted.call_id[2] = 797 (conn->channels[2] ? conn->channels[2]->call_id : 0); 798 resp.encrypted.call_id[3] = 799 (conn->channels[3] ? conn->channels[3]->call_id : 0); 800 resp.encrypted.inc_nonce = htonl(nonce + 1); 801 resp.encrypted.level = htonl(conn->security_level); 802 resp.kvno = htonl(token->kad->kvno); 803 resp.ticket_len = htonl(token->kad->ticket_len); 804 805 /* calculate the response checksum and then do the encryption */ 806 rxkad_calc_response_checksum(&resp); 807 rxkad_encrypt_response(conn, &resp, token->kad); 808 return rxkad_send_response(conn, &sp->hdr, &resp, token->kad); 809 810protocol_error: 811 *_abort_code = abort_code; 812 _leave(" = -EPROTO [%d]", abort_code); 813 return -EPROTO; 814} 815 816/* 817 * decrypt the kerberos IV ticket in the response 818 */ 819static int rxkad_decrypt_ticket(struct rxrpc_connection *conn, 820 void *ticket, size_t ticket_len, 821 struct rxrpc_crypt *_session_key, 822 time_t *_expiry, 823 u32 *_abort_code) 824{ 825 struct blkcipher_desc desc; 826 struct rxrpc_crypt iv, key; 827 struct scatterlist sg[1]; 828 struct in_addr addr; 829 unsigned int life; 830 time_t issue, now; 831 bool little_endian; 832 int ret; 833 u8 *p, *q, *name, *end; 834 835 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key)); 836 837 *_expiry = 0; 838 839 ret = key_validate(conn->server_key); 840 if (ret < 0) { 841 switch (ret) { 842 case -EKEYEXPIRED: 843 *_abort_code = RXKADEXPIRED; 844 goto error; 845 default: 846 *_abort_code = RXKADNOAUTH; 847 goto error; 848 } 849 } 850 851 ASSERT(conn->server_key->payload.data != NULL); 852 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0); 853 854 memcpy(&iv, &conn->server_key->type_data, sizeof(iv)); 855 856 desc.tfm = conn->server_key->payload.data; 857 desc.info = iv.x; 858 desc.flags = 0; 859 860 sg_init_one(&sg[0], ticket, ticket_len); 861 crypto_blkcipher_decrypt_iv(&desc, sg, sg, ticket_len); 862 863 p = ticket; 864 end = p + ticket_len; 865 866#define Z(size) \ 867 ({ \ 868 u8 *__str = p; \ 869 q = memchr(p, 0, end - p); \ 870 if (!q || q - p > (size)) \ 871 goto bad_ticket; \ 872 for (; p < q; p++) \ 873 if (!isprint(*p)) \ 874 goto bad_ticket; \ 875 p++; \ 876 __str; \ 877 }) 878 879 /* extract the ticket flags */ 880 _debug("KIV FLAGS: %x", *p); 881 little_endian = *p & 1; 882 p++; 883 884 /* extract the authentication name */ 885 name = Z(ANAME_SZ); 886 _debug("KIV ANAME: %s", name); 887 888 /* extract the principal's instance */ 889 name = Z(INST_SZ); 890 _debug("KIV INST : %s", name); 891 892 /* extract the principal's authentication domain */ 893 name = Z(REALM_SZ); 894 _debug("KIV REALM: %s", name); 895 896 if (end - p < 4 + 8 + 4 + 2) 897 goto bad_ticket; 898 899 /* get the IPv4 address of the entity that requested the ticket */ 900 memcpy(&addr, p, sizeof(addr)); 901 p += 4; 902 _debug("KIV ADDR : %pI4", &addr); 903 904 /* get the session key from the ticket */ 905 memcpy(&key, p, sizeof(key)); 906 p += 8; 907 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1])); 908 memcpy(_session_key, &key, sizeof(key)); 909 910 /* get the ticket's lifetime */ 911 life = *p++ * 5 * 60; 912 _debug("KIV LIFE : %u", life); 913 914 /* get the issue time of the ticket */ 915 if (little_endian) { 916 __le32 stamp; 917 memcpy(&stamp, p, 4); 918 issue = le32_to_cpu(stamp); 919 } else { 920 __be32 stamp; 921 memcpy(&stamp, p, 4); 922 issue = be32_to_cpu(stamp); 923 } 924 p += 4; 925 now = get_seconds(); 926 _debug("KIV ISSUE: %lx [%lx]", issue, now); 927 928 /* check the ticket is in date */ 929 if (issue > now) { 930 *_abort_code = RXKADNOAUTH; 931 ret = -EKEYREJECTED; 932 goto error; 933 } 934 935 if (issue < now - life) { 936 *_abort_code = RXKADEXPIRED; 937 ret = -EKEYEXPIRED; 938 goto error; 939 } 940 941 *_expiry = issue + life; 942 943 /* get the service name */ 944 name = Z(SNAME_SZ); 945 _debug("KIV SNAME: %s", name); 946 947 /* get the service instance name */ 948 name = Z(INST_SZ); 949 _debug("KIV SINST: %s", name); 950 951 ret = 0; 952error: 953 _leave(" = %d", ret); 954 return ret; 955 956bad_ticket: 957 *_abort_code = RXKADBADTICKET; 958 ret = -EBADMSG; 959 goto error; 960} 961 962/* 963 * decrypt the response packet 964 */ 965static void rxkad_decrypt_response(struct rxrpc_connection *conn, 966 struct rxkad_response *resp, 967 const struct rxrpc_crypt *session_key) 968{ 969 struct blkcipher_desc desc; 970 struct scatterlist sg[2]; 971 struct rxrpc_crypt iv; 972 973 _enter(",,%08x%08x", 974 ntohl(session_key->n[0]), ntohl(session_key->n[1])); 975 976 ASSERT(rxkad_ci != NULL); 977 978 mutex_lock(&rxkad_ci_mutex); 979 if (crypto_blkcipher_setkey(rxkad_ci, session_key->x, 980 sizeof(*session_key)) < 0) 981 BUG(); 982 983 memcpy(&iv, session_key, sizeof(iv)); 984 desc.tfm = rxkad_ci; 985 desc.info = iv.x; 986 desc.flags = 0; 987 988 rxkad_sg_set_buf2(sg, &resp->encrypted, sizeof(resp->encrypted)); 989 crypto_blkcipher_decrypt_iv(&desc, sg, sg, sizeof(resp->encrypted)); 990 mutex_unlock(&rxkad_ci_mutex); 991 992 _leave(""); 993} 994 995/* 996 * verify a response 997 */ 998static int rxkad_verify_response(struct rxrpc_connection *conn, 999 struct sk_buff *skb, 1000 u32 *_abort_code) 1001{ 1002 struct rxkad_response response 1003 __attribute__((aligned(8))); /* must be aligned for crypto */ 1004 struct rxrpc_skb_priv *sp; 1005 struct rxrpc_crypt session_key; 1006 time_t expiry; 1007 void *ticket; 1008 u32 abort_code, version, kvno, ticket_len, level; 1009 __be32 csum; 1010 int ret; 1011 1012 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key)); 1013 1014 abort_code = RXKADPACKETSHORT; 1015 if (skb_copy_bits(skb, 0, &response, sizeof(response)) < 0) 1016 goto protocol_error; 1017 if (!pskb_pull(skb, sizeof(response))) 1018 BUG(); 1019 1020 version = ntohl(response.version); 1021 ticket_len = ntohl(response.ticket_len); 1022 kvno = ntohl(response.kvno); 1023 sp = rxrpc_skb(skb); 1024 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }", 1025 ntohl(sp->hdr.serial), version, kvno, ticket_len); 1026 1027 abort_code = RXKADINCONSISTENCY; 1028 if (version != RXKAD_VERSION) 1029 goto protocol_error; 1030 1031 abort_code = RXKADTICKETLEN; 1032 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) 1033 goto protocol_error; 1034 1035 abort_code = RXKADUNKNOWNKEY; 1036 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) 1037 goto protocol_error; 1038 1039 /* extract the kerberos ticket and decrypt and decode it */ 1040 ticket = kmalloc(ticket_len, GFP_NOFS); 1041 if (!ticket) 1042 return -ENOMEM; 1043 1044 abort_code = RXKADPACKETSHORT; 1045 if (skb_copy_bits(skb, 0, ticket, ticket_len) < 0) 1046 goto protocol_error_free; 1047 1048 ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key, 1049 &expiry, &abort_code); 1050 if (ret < 0) { 1051 *_abort_code = abort_code; 1052 kfree(ticket); 1053 return ret; 1054 } 1055 1056 /* use the session key from inside the ticket to decrypt the 1057 * response */ 1058 rxkad_decrypt_response(conn, &response, &session_key); 1059 1060 abort_code = RXKADSEALEDINCON; 1061 if (response.encrypted.epoch != conn->epoch) 1062 goto protocol_error_free; 1063 if (response.encrypted.cid != conn->cid) 1064 goto protocol_error_free; 1065 if (ntohl(response.encrypted.securityIndex) != conn->security_ix) 1066 goto protocol_error_free; 1067 csum = response.encrypted.checksum; 1068 response.encrypted.checksum = 0; 1069 rxkad_calc_response_checksum(&response); 1070 if (response.encrypted.checksum != csum) 1071 goto protocol_error_free; 1072 1073 if (ntohl(response.encrypted.call_id[0]) > INT_MAX || 1074 ntohl(response.encrypted.call_id[1]) > INT_MAX || 1075 ntohl(response.encrypted.call_id[2]) > INT_MAX || 1076 ntohl(response.encrypted.call_id[3]) > INT_MAX) 1077 goto protocol_error_free; 1078 1079 abort_code = RXKADOUTOFSEQUENCE; 1080 if (response.encrypted.inc_nonce != htonl(conn->security_nonce + 1)) 1081 goto protocol_error_free; 1082 1083 abort_code = RXKADLEVELFAIL; 1084 level = ntohl(response.encrypted.level); 1085 if (level > RXRPC_SECURITY_ENCRYPT) 1086 goto protocol_error_free; 1087 conn->security_level = level; 1088 1089 /* create a key to hold the security data and expiration time - after 1090 * this the connection security can be handled in exactly the same way 1091 * as for a client connection */ 1092 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); 1093 if (ret < 0) { 1094 kfree(ticket); 1095 return ret; 1096 } 1097 1098 kfree(ticket); 1099 _leave(" = 0"); 1100 return 0; 1101 1102protocol_error_free: 1103 kfree(ticket); 1104protocol_error: 1105 *_abort_code = abort_code; 1106 _leave(" = -EPROTO [%d]", abort_code); 1107 return -EPROTO; 1108} 1109 1110/* 1111 * clear the connection security 1112 */ 1113static void rxkad_clear(struct rxrpc_connection *conn) 1114{ 1115 _enter(""); 1116 1117 if (conn->cipher) 1118 crypto_free_blkcipher(conn->cipher); 1119} 1120 1121/* 1122 * RxRPC Kerberos-based security 1123 */ 1124static struct rxrpc_security rxkad = { 1125 .owner = THIS_MODULE, 1126 .name = "rxkad", 1127 .security_index = RXRPC_SECURITY_RXKAD, 1128 .init_connection_security = rxkad_init_connection_security, 1129 .prime_packet_security = rxkad_prime_packet_security, 1130 .secure_packet = rxkad_secure_packet, 1131 .verify_packet = rxkad_verify_packet, 1132 .issue_challenge = rxkad_issue_challenge, 1133 .respond_to_challenge = rxkad_respond_to_challenge, 1134 .verify_response = rxkad_verify_response, 1135 .clear = rxkad_clear, 1136}; 1137 1138static __init int rxkad_init(void) 1139{ 1140 _enter(""); 1141 1142 /* pin the cipher we need so that the crypto layer doesn't invoke 1143 * keventd to go get it */ 1144 rxkad_ci = crypto_alloc_blkcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC); 1145 if (IS_ERR(rxkad_ci)) 1146 return PTR_ERR(rxkad_ci); 1147 1148 return rxrpc_register_security(&rxkad); 1149} 1150 1151module_init(rxkad_init); 1152 1153static __exit void rxkad_exit(void) 1154{ 1155 _enter(""); 1156 1157 rxrpc_unregister_security(&rxkad); 1158 crypto_free_blkcipher(rxkad_ci); 1159} 1160 1161module_exit(rxkad_exit); 1162