projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branches 'pm-cpuidle', 'pm-sleep' and 'pm-powercap'
[linux-block.git] / net / rxrpc / rxkad.c
CommitLineData
2874c5fd 1// SPDX-License-Identifier: GPL-2.0-or-later
17926a79
DH		 2/* Kerberos-based RxRPC security
3 *
4 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
17926a79
DH		 6 */
7
9b6d5398
JP		 8#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9
1afe593b 10#include <crypto/skcipher.h>
17926a79
DH		 11#include <linux/module.h>
12#include <linux/net.h>
13#include <linux/skbuff.h>
14#include <linux/udp.h>
17926a79
DH		 15#include <linux/scatterlist.h>
16#include <linux/ctype.h>
5a0e3ad6 17#include <linux/slab.h>
12da59fc 18#include <linux/key-type.h>
17926a79
DH		 19#include <net/sock.h>
20#include <net/af_rxrpc.h>
33941284 21#include <keys/rxrpc-type.h>
17926a79
DH		 22#include "ar-internal.h"
23
24#define RXKAD_VERSION 2
25#define MAXKRB5TICKETLEN 1024
26#define RXKAD_TKT_TYPE_KERBEROS_V5 256
27#define ANAME_SZ 40 /* size of authentication name */
28#define INST_SZ 40 /* size of principal's instance */
29#define REALM_SZ 40 /* size of principal's auth domain */
30#define SNAME_SZ 40 /* size of service name */
d7d775b1 31#define RXKAD_ALIGN 8
17926a79 32
17926a79
DH		 33struct rxkad_level1_hdr {
34 __be32 data_size; /* true data size (excluding padding) */
35};
36
37struct rxkad_level2_hdr {
38 __be32 data_size; /* true data size (excluding padding) */
39 __be32 checksum; /* decrypted data checksum */
40};
41
8d47a43c
DH		 42static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
43 struct crypto_sync_skcipher *ci);
44
17926a79
DH		 45/*
46 * this holds a pinned cipher so that keventd doesn't get called by the cipher
47 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
48 * packets
49 */
69d826fa 50static struct crypto_sync_skcipher *rxkad_ci;
1db88c53 51static struct skcipher_request *rxkad_ci_req;
17926a79
DH		 52static DEFINE_MUTEX(rxkad_ci_mutex);
53
12da59fc
DH		 54/*
55 * Parse the information from a server key
56 *
57 * The data should be the 8-byte secret key.
58 */
59static int rxkad_preparse_server_key(struct key_preparsed_payload *prep)
60{
61 struct crypto_skcipher *ci;
62
63 if (prep->datalen != 8)
64 return -EINVAL;
65
66 memcpy(&prep->payload.data[2], prep->data, 8);
67
68 ci = crypto_alloc_skcipher("pcbc(des)", 0, CRYPTO_ALG_ASYNC);
69 if (IS_ERR(ci)) {
70 _leave(" = %ld", PTR_ERR(ci));
71 return PTR_ERR(ci);
72 }
73
74 if (crypto_skcipher_setkey(ci, prep->data, 8) < 0)
75 BUG();
76
77 prep->payload.data[0] = ci;
78 _leave(" = 0");
79 return 0;
80}
81
82static void rxkad_free_preparse_server_key(struct key_preparsed_payload *prep)
83{
d7d775b1 84
12da59fc
DH		 85 if (prep->payload.data[0])
86 crypto_free_skcipher(prep->payload.data[0]);
87}
88
89static void rxkad_destroy_server_key(struct key *key)
90{
91 if (key->payload.data[0]) {
92 crypto_free_skcipher(key->payload.data[0]);
93 key->payload.data[0] = NULL;
94 }
95}
96
17926a79
DH		 97/*
98 * initialise connection security
99 */
41057ebd
DH		 100static int rxkad_init_connection_security(struct rxrpc_connection *conn,
101 struct rxrpc_key_token *token)
17926a79 102{
69d826fa 103 struct crypto_sync_skcipher *ci;
17926a79
DH		 104 int ret;
105
2cc80086 106 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->key));
17926a79 107
33941284 108 conn->security_ix = token->security_index;
17926a79 109
69d826fa 110 ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
17926a79
DH		 111 if (IS_ERR(ci)) {
112 _debug("no cipher");
113 ret = PTR_ERR(ci);
114 goto error;
115 }
116
69d826fa 117 if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
1afe593b 118 sizeof(token->kad->session_key)) < 0)
17926a79
DH		 119 BUG();
120
2cc80086 121 switch (conn->security_level) {
17926a79 122 case RXRPC_SECURITY_PLAIN:
17926a79 123 case RXRPC_SECURITY_AUTH:
17926a79 124 case RXRPC_SECURITY_ENCRYPT:
17926a79
DH		 125 break;
126 default:
127 ret = -EKEYREJECTED;
128 goto error;
129 }
130
8d47a43c
DH		 131 ret = rxkad_prime_packet_security(conn, ci);
132 if (ret < 0)
133 goto error_ci;
134
521bb304 135 conn->rxkad.cipher = ci;
8d47a43c
DH		 136 return 0;
137
138error_ci:
139 crypto_free_sync_skcipher(ci);
17926a79
DH		 140error:
141 _leave(" = %d", ret);
142 return ret;
143}
144
d7d775b1
DH		 145/*
146 * Work out how much data we can put in a packet.
147 */
49489bb0 148static struct rxrpc_txbuf *rxkad_alloc_txbuf(struct rxrpc_call *call, size_t remain, gfp_t gfp)
d7d775b1 149{
49489bb0
DH		 150 struct rxrpc_txbuf *txb;
151 size_t shdr, space;
152
153 remain = min(remain, 65535 - sizeof(struct rxrpc_wire_header));
d7d775b1 154
2cc80086 155 switch (call->conn->security_level) {
d7d775b1 156 default:
49489bb0 157 space = min_t(size_t, remain, RXRPC_JUMBO_DATALEN);
9f8eeea1 158 return rxrpc_alloc_data_txbuf(call, space, 1, gfp);
d7d775b1
DH		 159 case RXRPC_SECURITY_AUTH:
160 shdr = sizeof(struct rxkad_level1_hdr);
161 break;
162 case RXRPC_SECURITY_ENCRYPT:
163 shdr = sizeof(struct rxkad_level2_hdr);
164 break;
165 }
166
49489bb0
DH		 167 space = min_t(size_t, round_down(RXRPC_JUMBO_DATALEN, RXKAD_ALIGN), remain + shdr);
168 space = round_up(space, RXKAD_ALIGN);
d7d775b1 169
49489bb0
DH		 170 txb = rxrpc_alloc_data_txbuf(call, space, RXKAD_ALIGN, gfp);
171 if (!txb)
172 return NULL;
d7d775b1 173
49489bb0
DH		 174 txb->offset += shdr;
175 txb->space -= shdr;
176 return txb;
d7d775b1
DH		 177}
178
17926a79
DH		 179/*
180 * prime the encryption state with the invariant parts of a connection's
181 * description
182 */
8d47a43c
DH		 183static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
184 struct crypto_sync_skcipher *ci)
17926a79 185{
1db88c53 186 struct skcipher_request *req;
33941284 187 struct rxrpc_key_token *token;
a263629d 188 struct scatterlist sg;
17926a79 189 struct rxrpc_crypt iv;
a263629d
HX		 190 __be32 *tmpbuf;
191 size_t tmpsize = 4 * sizeof(__be32);
17926a79
DH		 192
193 _enter("");
194
2cc80086 195 if (!conn->key)
a263629d
HX		 196 return 0;
197
198 tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
199 if (!tmpbuf)
200 return -ENOMEM;
17926a79 201
8d47a43c 202 req = skcipher_request_alloc(&ci->base, GFP_NOFS);
1db88c53
DH		 203 if (!req) {
204 kfree(tmpbuf);
205 return -ENOMEM;
206 }
207
2cc80086 208 token = conn->key->payload.data[0];
33941284 209 memcpy(&iv, token->kad->session_key, sizeof(iv));
17926a79 210
a263629d
HX		 211 tmpbuf[0] = htonl(conn->proto.epoch);
212 tmpbuf[1] = htonl(conn->proto.cid);
213 tmpbuf[2] = 0;
214 tmpbuf[3] = htonl(conn->security_ix);
1afe593b 215
a263629d 216 sg_init_one(&sg, tmpbuf, tmpsize);
8d47a43c 217 skcipher_request_set_sync_tfm(req, ci);
1afe593b 218 skcipher_request_set_callback(req, 0, NULL, NULL);
a263629d 219 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
1afe593b 220 crypto_skcipher_encrypt(req);
1db88c53 221 skcipher_request_free(req);
17926a79 222
521bb304 223 memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv));
a263629d
HX		 224 kfree(tmpbuf);
225 _leave(" = 0");
226 return 0;
17926a79
DH		 227}
228
1db88c53
DH		 229/*
230 * Allocate and prepare the crypto request on a call. For any particular call,
231 * this is called serially for the packets, so no lock should be necessary.
232 */
233static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call)
234{
521bb304 235 struct crypto_skcipher *tfm = &call->conn->rxkad.cipher->base;
1db88c53 236
30d95efe 237 return skcipher_request_alloc(tfm, GFP_NOFS);
1db88c53
DH		 238}
239
240/*
241 * Clean up the crypto on a call.
242 */
243static void rxkad_free_call_crypto(struct rxrpc_call *call)
244{
1db88c53
DH		 245}
246
17926a79
DH		 247/*
248 * partially encrypt a packet (level 1 security)
249 */
250static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
a4ea4c47 251 struct rxrpc_txbuf *txb,
54424d38 252 struct skcipher_request *req)
17926a79 253{
49489bb0
DH		 254 struct rxrpc_wire_header *whdr = txb->kvec[0].iov_base;
255 struct rxkad_level1_hdr *hdr = (void *)(whdr + 1);
17926a79 256 struct rxrpc_crypt iv;
a263629d 257 struct scatterlist sg;
d7d775b1 258 size_t pad;
17926a79
DH		 259 u16 check;
260
17926a79
DH		 261 _enter("");
262
a1c9af4d 263 check = txb->seq ^ call->call_id;
a4ea4c47 264 hdr->data_size = htonl((u32)check << 16 | txb->len);
17926a79 265
a4ea4c47
DH		 266 txb->len += sizeof(struct rxkad_level1_hdr);
267 pad = txb->len;
d7d775b1
DH		 268 pad = RXKAD_ALIGN - pad;
269 pad &= RXKAD_ALIGN - 1;
a4ea4c47 270 if (pad) {
49489bb0 271 memset(txb->kvec[0].iov_base + txb->offset, 0, pad);
a4ea4c47
DH		 272 txb->len += pad;
273 }
d7d775b1 274
17926a79
DH		 275 /* start the encryption afresh */
276 memset(&iv, 0, sizeof(iv));
17926a79 277
49489bb0 278 sg_init_one(&sg, hdr, 8);
521bb304 279 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
1afe593b 280 skcipher_request_set_callback(req, 0, NULL, NULL);
a263629d 281 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
1afe593b
HX		 282 crypto_skcipher_encrypt(req);
283 skcipher_request_zero(req);
17926a79 284
17926a79
DH		 285 _leave(" = 0");
286 return 0;
287}
288
289/*
290 * wholly encrypt a packet (level 2 security)
291 */
292static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
a4ea4c47 293 struct rxrpc_txbuf *txb,
54424d38 294 struct skcipher_request *req)
17926a79 295{
33941284 296 const struct rxrpc_key_token *token;
49489bb0
DH		 297 struct rxrpc_wire_header *whdr = txb->kvec[0].iov_base;
298 struct rxkad_level2_hdr *rxkhdr = (void *)(whdr + 1);
17926a79 299 struct rxrpc_crypt iv;
a4ea4c47 300 struct scatterlist sg;
d7d775b1 301 size_t pad;
17926a79 302 u16 check;
a4ea4c47 303 int ret;
17926a79
DH		 304
305 _enter("");
306
a1c9af4d 307 check = txb->seq ^ call->call_id;
17926a79 308
a4ea4c47
DH		 309 rxkhdr->data_size = htonl(txb->len | (u32)check << 16);
310 rxkhdr->checksum = 0;
17926a79 311
a4ea4c47
DH		 312 txb->len += sizeof(struct rxkad_level2_hdr);
313 pad = txb->len;
d7d775b1
DH		 314 pad = RXKAD_ALIGN - pad;
315 pad &= RXKAD_ALIGN - 1;
a4ea4c47 316 if (pad) {
49489bb0 317 memset(txb->kvec[0].iov_base + txb->offset, 0, pad);
a4ea4c47
DH		 318 txb->len += pad;
319 }
d7d775b1 320
17926a79 321 /* encrypt from the session key */
2cc80086 322 token = call->conn->key->payload.data[0];
33941284 323 memcpy(&iv, token->kad->session_key, sizeof(iv));
17926a79 324
49489bb0 325 sg_init_one(&sg, rxkhdr, txb->len);
521bb304 326 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
1afe593b 327 skcipher_request_set_callback(req, 0, NULL, NULL);
a4ea4c47
DH		 328 skcipher_request_set_crypt(req, &sg, &sg, txb->len, iv.x);
329 ret = crypto_skcipher_encrypt(req);
1afe593b 330 skcipher_request_zero(req);
a4ea4c47 331 return ret;
17926a79
DH		 332}
333
334/*
335 * checksum an RxRPC packet header
336 */
a4ea4c47 337static int rxkad_secure_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb)
17926a79 338{
1db88c53 339 struct skcipher_request *req;
17926a79 340 struct rxrpc_crypt iv;
a263629d 341 struct scatterlist sg;
30d95efe
DH		 342 union {
343 __be32 buf[2];
344 } crypto __aligned(8);
0d12f8a4 345 u32 x, y;
17926a79
DH		 346 int ret;
347
a4ea4c47 348 _enter("{%d{%x}},{#%u},%u,",
2cc80086 349 call->debug_id, key_serial(call->conn->key),
a4ea4c47 350 txb->seq, txb->len);
17926a79 351
521bb304 352 if (!call->conn->rxkad.cipher)
17926a79
DH		 353 return 0;
354
2cc80086 355 ret = key_validate(call->conn->key);
17926a79
DH		 356 if (ret < 0)
357 return ret;
358
1db88c53
DH		 359 req = rxkad_get_call_crypto(call);
360 if (!req)
361 return -ENOMEM;
362
17926a79 363 /* continue encrypting from where we left off */
521bb304 364 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
17926a79
DH		 365
366 /* calculate the security checksum */
a1c9af4d 367 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
a4ea4c47 368 x |= txb->seq & 0x3fffffff;
a1c9af4d 369 crypto.buf[0] = htonl(call->call_id);
30d95efe 370 crypto.buf[1] = htonl(x);
1afe593b 371
30d95efe 372 sg_init_one(&sg, crypto.buf, 8);
521bb304 373 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
1afe593b 374 skcipher_request_set_callback(req, 0, NULL, NULL);
a263629d 375 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
1afe593b
HX		 376 crypto_skcipher_encrypt(req);
377 skcipher_request_zero(req);
17926a79 378
30d95efe 379 y = ntohl(crypto.buf[1]);
91e916cf
AV		 380 y = (y >> 16) & 0xffff;
381 if (y == 0)
382 y = 1; /* zero checksums are not permitted */
41b8debb 383 txb->cksum = htons(y);
17926a79 384
2cc80086 385 switch (call->conn->security_level) {
17926a79
DH		 386 case RXRPC_SECURITY_PLAIN:
387 ret = 0;
388 break;
389 case RXRPC_SECURITY_AUTH:
a4ea4c47 390 ret = rxkad_secure_packet_auth(call, txb, req);
17926a79
DH		 391 break;
392 case RXRPC_SECURITY_ENCRYPT:
a4ea4c47 393 ret = rxkad_secure_packet_encrypt(call, txb, req);
17926a79
DH		 394 break;
395 default:
396 ret = -EPERM;
397 break;
398 }
399
30d95efe 400 skcipher_request_free(req);
5b47d236 401 _leave(" = %d [set %x]", ret, y);
17926a79
DH		 402 return ret;
403}
404
405/*
406 * decrypt partial encryption on a packet (level 1 security)
407 */
5a42976d 408static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
54424d38
KC		 409 rxrpc_seq_t seq,
410 struct skcipher_request *req)
17926a79
DH		 411{
412 struct rxkad_level1_hdr sechdr;
d4d02d8b 413 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
17926a79 414 struct rxrpc_crypt iv;
68e3f5dd 415 struct scatterlist sg[16];
17926a79
DH		 416 u32 data_size, buf;
417 u16 check;
d0d5c0cd 418 int ret;
17926a79
DH		 419
420 _enter("");
421
57af281e
DH		 422 if (sp->len < 8)
423 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
424 rxkad_abort_1_short_header);
17926a79 425
248f219c
DH		 426 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
427 * directly into the target buffer.
428 */
d0d5c0cd 429 sg_init_table(sg, ARRAY_SIZE(sg));
d4d02d8b 430 ret = skb_to_sgvec(skb, sg, sp->offset, 8);
89a5ea99
JD		 431 if (unlikely(ret < 0))
432 return ret;
17926a79
DH		 433
434 /* start the decryption afresh */
435 memset(&iv, 0, sizeof(iv));
17926a79 436
521bb304 437 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
1afe593b
HX		 438 skcipher_request_set_callback(req, 0, NULL, NULL);
439 skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
1afe593b
HX		 440 crypto_skcipher_decrypt(req);
441 skcipher_request_zero(req);
17926a79 442
5a42976d 443 /* Extract the decrypted packet length */
57af281e
DH		 444 if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
445 return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
446 rxkad_abort_1_short_encdata);
d4d02d8b
DH		 447 sp->offset += sizeof(sechdr);
448 sp->len -= sizeof(sechdr);
17926a79
DH		 449
450 buf = ntohl(sechdr.data_size);
451 data_size = buf & 0xffff;
452
453 check = buf >> 16;
5a42976d 454 check ^= seq ^ call->call_id;
17926a79 455 check &= 0xffff;
57af281e
DH		 456 if (check != 0)
457 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
458 rxkad_abort_1_short_check);
459 if (data_size > sp->len)
460 return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
461 rxkad_abort_1_short_data);
d4d02d8b 462 sp->len = data_size;
17926a79
DH		 463
464 _leave(" = 0 [dlen=%x]", data_size);
465 return 0;
17926a79
DH		 466}
467
468/*
469 * wholly decrypt a packet (level 2 security)
470 */
5a42976d 471static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
54424d38
KC		 472 rxrpc_seq_t seq,
473 struct skcipher_request *req)
17926a79 474{
33941284 475 const struct rxrpc_key_token *token;
17926a79 476 struct rxkad_level2_hdr sechdr;
d4d02d8b 477 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
17926a79
DH		 478 struct rxrpc_crypt iv;
479 struct scatterlist _sg[4], *sg;
17926a79
DH		 480 u32 data_size, buf;
481 u16 check;
89a5ea99 482 int nsg, ret;
17926a79 483
d4d02d8b 484 _enter(",{%d}", sp->len);
17926a79 485
57af281e
DH		 486 if (sp->len < 8)
487 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
488 rxkad_abort_2_short_header);
17926a79 489
248f219c
DH		 490 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
491 * directly into the target buffer.
492 */
17926a79 493 sg = _sg;
0d40f728 494 nsg = skb_shinfo(skb)->nr_frags + 1;
d0d5c0cd
DH		 495 if (nsg <= 4) {
496 nsg = 4;
497 } else {
6da2ec56 498 sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
17926a79 499 if (!sg)
57af281e 500 return -ENOMEM;
17926a79
DH		 501 }
502
68e3f5dd 503 sg_init_table(sg, nsg);
d4d02d8b 504 ret = skb_to_sgvec(skb, sg, sp->offset, sp->len);
89a5ea99
JD		 505 if (unlikely(ret < 0)) {
506 if (sg != _sg)
507 kfree(sg);
508 return ret;
509 }
17926a79
DH		 510
511 /* decrypt from the session key */
2cc80086 512 token = call->conn->key->payload.data[0];
33941284 513 memcpy(&iv, token->kad->session_key, sizeof(iv));
17926a79 514
521bb304 515 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
1afe593b 516 skcipher_request_set_callback(req, 0, NULL, NULL);
d4d02d8b 517 skcipher_request_set_crypt(req, sg, sg, sp->len, iv.x);
1afe593b
HX		 518 crypto_skcipher_decrypt(req);
519 skcipher_request_zero(req);
17926a79
DH		 520 if (sg != _sg)
521 kfree(sg);
522
5a42976d 523 /* Extract the decrypted packet length */
57af281e
DH		 524 if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
525 return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
526 rxkad_abort_2_short_len);
d4d02d8b
DH		 527 sp->offset += sizeof(sechdr);
528 sp->len -= sizeof(sechdr);
17926a79
DH		 529
530 buf = ntohl(sechdr.data_size);
531 data_size = buf & 0xffff;
532
533 check = buf >> 16;
5a42976d 534 check ^= seq ^ call->call_id;
17926a79 535 check &= 0xffff;
57af281e
DH		 536 if (check != 0)
537 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
538 rxkad_abort_2_short_check);
17926a79 539
57af281e
DH		 540 if (data_size > sp->len)
541 return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
542 rxkad_abort_2_short_data);
17926a79 543
d4d02d8b 544 sp->len = data_size;
17926a79
DH		 545 _leave(" = 0 [dlen=%x]", data_size);
546 return 0;
17926a79
DH		 547}
548
549/*
d4d02d8b 550 * Verify the security on a received packet and the subpackets therein.
17926a79 551 */
d4d02d8b 552static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb)
17926a79 553{
d4d02d8b 554 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1db88c53 555 struct skcipher_request *req;
17926a79 556 struct rxrpc_crypt iv;
a263629d 557 struct scatterlist sg;
30d95efe
DH		 558 union {
559 __be32 buf[2];
560 } crypto __aligned(8);
d4d02d8b 561 rxrpc_seq_t seq = sp->hdr.seq;
30d95efe 562 int ret;
0d12f8a4
DH		 563 u16 cksum;
564 u32 x, y;
17926a79
DH		 565
566 _enter("{%d{%x}},{#%u}",
2cc80086 567 call->debug_id, key_serial(call->conn->key), seq);
17926a79 568
521bb304 569 if (!call->conn->rxkad.cipher)
17926a79
DH		 570 return 0;
571
1db88c53
DH		 572 req = rxkad_get_call_crypto(call);
573 if (!req)
574 return -ENOMEM;
575
17926a79 576 /* continue encrypting from where we left off */
521bb304 577 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
17926a79
DH		 578
579 /* validate the security checksum */
01a90a45 580 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
5a42976d 581 x |= seq & 0x3fffffff;
30d95efe
DH		 582 crypto.buf[0] = htonl(call->call_id);
583 crypto.buf[1] = htonl(x);
1afe593b 584
30d95efe 585 sg_init_one(&sg, crypto.buf, 8);
521bb304 586 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
1afe593b 587 skcipher_request_set_callback(req, 0, NULL, NULL);
a263629d 588 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
1afe593b
HX		 589 crypto_skcipher_encrypt(req);
590 skcipher_request_zero(req);
17926a79 591
30d95efe 592 y = ntohl(crypto.buf[1]);
0d12f8a4
DH		 593 cksum = (y >> 16) & 0xffff;
594 if (cksum == 0)
595 cksum = 1; /* zero checksums are not permitted */
17926a79 596
d4d02d8b 597 if (cksum != sp->hdr.cksum) {
57af281e
DH		 598 ret = rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
599 rxkad_abort_bad_checksum);
600 goto out;
17926a79
DH		 601 }
602
2cc80086 603 switch (call->conn->security_level) {
17926a79 604 case RXRPC_SECURITY_PLAIN:
30d95efe
DH		 605 ret = 0;
606 break;
17926a79 607 case RXRPC_SECURITY_AUTH:
30d95efe
DH		 608 ret = rxkad_verify_packet_1(call, skb, seq, req);
609 break;
17926a79 610 case RXRPC_SECURITY_ENCRYPT:
30d95efe
DH		 611 ret = rxkad_verify_packet_2(call, skb, seq, req);
612 break;
17926a79 613 default:
30d95efe
DH		 614 ret = -ENOANO;
615 break;
17926a79 616 }
fb46f6ee 617
57af281e 618out:
30d95efe
DH		 619 skcipher_request_free(req);
620 return ret;
17926a79
DH		 621}
622
623/*
624 * issue a challenge
625 */
626static int rxkad_issue_challenge(struct rxrpc_connection *conn)
627{
628 struct rxkad_challenge challenge;
0d12f8a4 629 struct rxrpc_wire_header whdr;
17926a79
DH		 630 struct msghdr msg;
631 struct kvec iov[2];
632 size_t len;
0d12f8a4 633 u32 serial;
17926a79
DH		 634 int ret;
635
ec832bd0 636 _enter("{%d}", conn->debug_id);
17926a79 637
521bb304 638 get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce));
17926a79
DH		 639
640 challenge.version = htonl(2);
521bb304 641 challenge.nonce = htonl(conn->rxkad.nonce);
17926a79
DH		 642 challenge.min_level = htonl(0);
643 challenge.__padding = 0;
644
2cc80086
DH		 645 msg.msg_name = &conn->peer->srx.transport;
646 msg.msg_namelen = conn->peer->srx.transport_len;
17926a79
DH		 647 msg.msg_control = NULL;
648 msg.msg_controllen = 0;
649 msg.msg_flags = 0;
650
19ffa01c
DH		 651 whdr.epoch = htonl(conn->proto.epoch);
652 whdr.cid = htonl(conn->proto.cid);
0d12f8a4
DH		 653 whdr.callNumber = 0;
654 whdr.seq = 0;
655 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE;
656 whdr.flags = conn->out_clientflag;
657 whdr.userStatus = 0;
658 whdr.securityIndex = conn->security_ix;
659 whdr._rsvd = 0;
68d6d1ae 660 whdr.serviceId = htons(conn->service_id);
0d12f8a4
DH		 661
662 iov[0].iov_base = &whdr;
663 iov[0].iov_len = sizeof(whdr);
17926a79
DH		 664 iov[1].iov_base = &challenge;
665 iov[1].iov_len = sizeof(challenge);
666
667 len = iov[0].iov_len + iov[1].iov_len;
668
f3104141 669 serial = rxrpc_get_next_serial(conn);
0d12f8a4 670 whdr.serial = htonl(serial);
17926a79 671
2cc80086 672 ret = kernel_sendmsg(conn->local->socket, &msg, iov, 2, len);
17926a79 673 if (ret < 0) {
6b47fe1d 674 trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
4764c0da 675 rxrpc_tx_point_rxkad_challenge);
17926a79
DH		 676 return -EAGAIN;
677 }
678
2cc80086 679 conn->peer->last_tx_at = ktime_get_seconds();
4764c0da
DH		 680 trace_rxrpc_tx_packet(conn->debug_id, &whdr,
681 rxrpc_tx_point_rxkad_challenge);
17926a79
DH		 682 _leave(" = 0");
683 return 0;
684}
685
686/*
687 * send a Kerberos security response
688 */
689static int rxkad_send_response(struct rxrpc_connection *conn,
0d12f8a4 690 struct rxrpc_host_header *hdr,
17926a79
DH		 691 struct rxkad_response *resp,
692 const struct rxkad_key *s2)
693{
0d12f8a4 694 struct rxrpc_wire_header whdr;
17926a79
DH		 695 struct msghdr msg;
696 struct kvec iov[3];
697 size_t len;
0d12f8a4 698 u32 serial;
17926a79
DH		 699 int ret;
700
701 _enter("");
702
2cc80086
DH		 703 msg.msg_name = &conn->peer->srx.transport;
704 msg.msg_namelen = conn->peer->srx.transport_len;
17926a79
DH		 705 msg.msg_control = NULL;
706 msg.msg_controllen = 0;
707 msg.msg_flags = 0;
708
0d12f8a4
DH		 709 memset(&whdr, 0, sizeof(whdr));
710 whdr.epoch = htonl(hdr->epoch);
711 whdr.cid = htonl(hdr->cid);
712 whdr.type = RXRPC_PACKET_TYPE_RESPONSE;
713 whdr.flags = conn->out_clientflag;
714 whdr.securityIndex = hdr->securityIndex;
715 whdr.serviceId = htons(hdr->serviceId);
17926a79 716
0d12f8a4
DH		 717 iov[0].iov_base = &whdr;
718 iov[0].iov_len = sizeof(whdr);
17926a79
DH		 719 iov[1].iov_base = resp;
720 iov[1].iov_len = sizeof(*resp);
0d12f8a4 721 iov[2].iov_base = (void *)s2->ticket;
17926a79
DH		 722 iov[2].iov_len = s2->ticket_len;
723
724 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
725
f3104141 726 serial = rxrpc_get_next_serial(conn);
0d12f8a4 727 whdr.serial = htonl(serial);
17926a79 728
87220143 729 rxrpc_local_dont_fragment(conn->local, false);
2cc80086 730 ret = kernel_sendmsg(conn->local->socket, &msg, iov, 3, len);
17926a79 731 if (ret < 0) {
6b47fe1d 732 trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
4764c0da 733 rxrpc_tx_point_rxkad_response);
17926a79
DH		 734 return -EAGAIN;
735 }
736
2cc80086 737 conn->peer->last_tx_at = ktime_get_seconds();
17926a79
DH		 738 _leave(" = 0");
739 return 0;
740}
741
742/*
743 * calculate the response checksum
744 */
745static void rxkad_calc_response_checksum(struct rxkad_response *response)
746{
747 u32 csum = 1000003;
748 int loop;
749 u8 *p = (u8 *) response;
750
751 for (loop = sizeof(*response); loop > 0; loop--)
752 csum = csum * 0x10204081 + *p++;
753
754 response->encrypted.checksum = htonl(csum);
755}
756
17926a79
DH		 757/*
758 * encrypt the response packet
759 */
1db88c53
DH		 760static int rxkad_encrypt_response(struct rxrpc_connection *conn,
761 struct rxkad_response *resp,
762 const struct rxkad_key *s2)
17926a79 763{
1db88c53 764 struct skcipher_request *req;
17926a79 765 struct rxrpc_crypt iv;
a263629d 766 struct scatterlist sg[1];
17926a79 767
521bb304 768 req = skcipher_request_alloc(&conn->rxkad.cipher->base, GFP_NOFS);
1db88c53
DH		 769 if (!req)
770 return -ENOMEM;
771
17926a79
DH		 772 /* continue encrypting from where we left off */
773 memcpy(&iv, s2->session_key, sizeof(iv));
17926a79 774
a263629d
HX		 775 sg_init_table(sg, 1);
776 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
521bb304 777 skcipher_request_set_sync_tfm(req, conn->rxkad.cipher);
1afe593b
HX		 778 skcipher_request_set_callback(req, 0, NULL, NULL);
779 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1afe593b 780 crypto_skcipher_encrypt(req);
1db88c53
DH		 781 skcipher_request_free(req);
782 return 0;
17926a79
DH		 783}
784
785/*
786 * respond to a challenge packet
787 */
788static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
a00ce28b 789 struct sk_buff *skb)
17926a79 790{
33941284 791 const struct rxrpc_key_token *token;
17926a79 792 struct rxkad_challenge challenge;
8c2f826d 793 struct rxkad_response *resp;
248f219c 794 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
57af281e
DH		 795 u32 version, nonce, min_level;
796 int ret = -EPROTO;
17926a79 797
2cc80086 798 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
17926a79 799
2cc80086 800 if (!conn->key)
57af281e
DH		 801 return rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO,
802 rxkad_abort_chall_no_key);
17926a79 803
2cc80086 804 ret = key_validate(conn->key);
ef68622d 805 if (ret < 0)
57af281e
DH		 806 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
807 rxkad_abort_chall_key_expired);
17926a79 808
775e5b71
DH		 809 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
810 &challenge, sizeof(challenge)) < 0)
57af281e
DH		 811 return rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
812 rxkad_abort_chall_short);
17926a79
DH		 813
814 version = ntohl(challenge.version);
815 nonce = ntohl(challenge.nonce);
816 min_level = ntohl(challenge.min_level);
817
2ebdb26e 818 trace_rxrpc_rx_challenge(conn, sp->hdr.serial, version, nonce, min_level);
17926a79 819
17926a79 820 if (version != RXKAD_VERSION)
57af281e
DH		 821 return rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
822 rxkad_abort_chall_version);
17926a79 823
2cc80086 824 if (conn->security_level < min_level)
57af281e
DH		 825 return rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EACCES,
826 rxkad_abort_chall_level);
17926a79 827
2cc80086 828 token = conn->key->payload.data[0];
17926a79
DH		 829
830 /* build the response packet */
8c2f826d
DH		 831 resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
832 if (!resp)
833 return -ENOMEM;
834
835 resp->version = htonl(RXKAD_VERSION);
836 resp->encrypted.epoch = htonl(conn->proto.epoch);
837 resp->encrypted.cid = htonl(conn->proto.cid);
838 resp->encrypted.securityIndex = htonl(conn->security_ix);
839 resp->encrypted.inc_nonce = htonl(nonce + 1);
2cc80086 840 resp->encrypted.level = htonl(conn->security_level);
8c2f826d
DH		 841 resp->kvno = htonl(token->kad->kvno);
842 resp->ticket_len = htonl(token->kad->ticket_len);
843 resp->encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
844 resp->encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
845 resp->encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
846 resp->encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
17926a79
DH		 847
848 /* calculate the response checksum and then do the encryption */
8c2f826d 849 rxkad_calc_response_checksum(resp);
1db88c53
DH		 850 ret = rxkad_encrypt_response(conn, resp, token->kad);
851 if (ret == 0)
852 ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad);
8c2f826d
DH		 853 kfree(resp);
854 return ret;
17926a79
DH		 855}
856
857/*
858 * decrypt the kerberos IV ticket in the response
859 */
860static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
ec832bd0 861 struct key *server_key,
fb46f6ee 862 struct sk_buff *skb,
17926a79
DH		 863 void *ticket, size_t ticket_len,
864 struct rxrpc_crypt *_session_key,
a00ce28b 865 time64_t *_expiry)
17926a79 866{
1afe593b 867 struct skcipher_request *req;
17926a79 868 struct rxrpc_crypt iv, key;
68e3f5dd 869 struct scatterlist sg[1];
17926a79 870 struct in_addr addr;
95c96174 871 unsigned int life;
10674a03 872 time64_t issue, now;
17926a79 873 bool little_endian;
17926a79
DH		 874 u8 *p, *q, *name, *end;
875
ec832bd0 876 _enter("{%d},{%x}", conn->debug_id, key_serial(server_key));
17926a79
DH		 877
878 *_expiry = 0;
879
ec832bd0 880 ASSERT(server_key->payload.data[0] != NULL);
17926a79
DH		 881 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
882
ec832bd0 883 memcpy(&iv, &server_key->payload.data[2], sizeof(iv));
17926a79 884
ec832bd0 885 req = skcipher_request_alloc(server_key->payload.data[0], GFP_NOFS);
ef68622d 886 if (!req)
57af281e 887 return -ENOMEM;
17926a79 888
68e3f5dd 889 sg_init_one(&sg[0], ticket, ticket_len);
1afe593b
HX		 890 skcipher_request_set_callback(req, 0, NULL, NULL);
891 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
1afe593b
HX		 892 crypto_skcipher_decrypt(req);
893 skcipher_request_free(req);
17926a79
DH		 894
895 p = ticket;
896 end = p + ticket_len;
897
57af281e
DH		 898#define Z(field, fieldl) \
899 ({ \
900 u8 *__str = p; \
901 q = memchr(p, 0, end - p); \
902 if (!q || q - p > field##_SZ) \
903 return rxrpc_abort_conn( \
904 conn, skb, RXKADBADTICKET, -EPROTO, \
905 rxkad_abort_resp_tkt_##fieldl); \
906 for (; p < q; p++) \
907 if (!isprint(*p)) \
908 return rxrpc_abort_conn( \
909 conn, skb, RXKADBADTICKET, -EPROTO, \
910 rxkad_abort_resp_tkt_##fieldl); \
911 p++; \
912 __str; \
17926a79
DH		 913 })
914
915 /* extract the ticket flags */
916 _debug("KIV FLAGS: %x", *p);
917 little_endian = *p & 1;
918 p++;
919
920 /* extract the authentication name */
57af281e 921 name = Z(ANAME, aname);
17926a79
DH		 922 _debug("KIV ANAME: %s", name);
923
924 /* extract the principal's instance */
57af281e 925 name = Z(INST, inst);
17926a79
DH		 926 _debug("KIV INST : %s", name);
927
928 /* extract the principal's authentication domain */
57af281e 929 name = Z(REALM, realm);
17926a79
DH		 930 _debug("KIV REALM: %s", name);
931
932 if (end - p < 4 + 8 + 4 + 2)
57af281e
DH		 933 return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO,
934 rxkad_abort_resp_tkt_short);
17926a79
DH		 935
936 /* get the IPv4 address of the entity that requested the ticket */
937 memcpy(&addr, p, sizeof(addr));
938 p += 4;
21454aaa 939 _debug("KIV ADDR : %pI4", &addr);
17926a79
DH		 940
941 /* get the session key from the ticket */
942 memcpy(&key, p, sizeof(key));
943 p += 8;
944 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
945 memcpy(_session_key, &key, sizeof(key));
946
947 /* get the ticket's lifetime */
948 life = *p++ * 5 * 60;
949 _debug("KIV LIFE : %u", life);
950
951 /* get the issue time of the ticket */
952 if (little_endian) {
953 __le32 stamp;
954 memcpy(&stamp, p, 4);
10674a03 955 issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
17926a79
DH		 956 } else {
957 __be32 stamp;
958 memcpy(&stamp, p, 4);
10674a03 959 issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
17926a79
DH		 960 }
961 p += 4;
10674a03
BW		 962 now = ktime_get_real_seconds();
963 _debug("KIV ISSUE: %llx [%llx]", issue, now);
17926a79
DH		 964
965 /* check the ticket is in date */
57af281e
DH		 966 if (issue > now)
967 return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, -EKEYREJECTED,
968 rxkad_abort_resp_tkt_future);
969 if (issue < now - life)
970 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, -EKEYEXPIRED,
971 rxkad_abort_resp_tkt_expired);
17926a79
DH		 972
973 *_expiry = issue + life;
974
975 /* get the service name */
57af281e 976 name = Z(SNAME, sname);
17926a79
DH		 977 _debug("KIV SNAME: %s", name);
978
979 /* get the service instance name */
57af281e 980 name = Z(INST, sinst);
17926a79 981 _debug("KIV SINST: %s", name);
ef68622d 982 return 0;
17926a79
DH		 983}
984
985/*
986 * decrypt the response packet
987 */
988static void rxkad_decrypt_response(struct rxrpc_connection *conn,
989 struct rxkad_response *resp,
990 const struct rxrpc_crypt *session_key)
991{
1db88c53 992 struct skcipher_request *req = rxkad_ci_req;
a263629d 993 struct scatterlist sg[1];
17926a79
DH		 994 struct rxrpc_crypt iv;
995
996 _enter(",,%08x%08x",
997 ntohl(session_key->n[0]), ntohl(session_key->n[1]));
998
17926a79 999 mutex_lock(&rxkad_ci_mutex);
69d826fa 1000 if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
1db88c53 1001 sizeof(*session_key)) < 0)
17926a79
DH		 1002 BUG();
1003
1004 memcpy(&iv, session_key, sizeof(iv));
17926a79 1005
a263629d
HX		 1006 sg_init_table(sg, 1);
1007 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
69d826fa 1008 skcipher_request_set_sync_tfm(req, rxkad_ci);
1afe593b
HX		 1009 skcipher_request_set_callback(req, 0, NULL, NULL);
1010 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1afe593b
HX		 1011 crypto_skcipher_decrypt(req);
1012 skcipher_request_zero(req);
1013
17926a79
DH		 1014 mutex_unlock(&rxkad_ci_mutex);
1015
1016 _leave("");
1017}
1018
1019/*
1020 * verify a response
1021 */
1022static int rxkad_verify_response(struct rxrpc_connection *conn,
a00ce28b 1023 struct sk_buff *skb)
17926a79 1024{
8c2f826d 1025 struct rxkad_response *response;
248f219c 1026 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
17926a79 1027 struct rxrpc_crypt session_key;
ec832bd0 1028 struct key *server_key;
10674a03 1029 time64_t expiry;
17926a79 1030 void *ticket;
57af281e 1031 u32 version, kvno, ticket_len, level;
91e916cf 1032 __be32 csum;
a1399f8b 1033 int ret, i;
17926a79 1034
ec832bd0
DH		 1035 _enter("{%d}", conn->debug_id);
1036
1037 server_key = rxrpc_look_up_server_security(conn, skb, 0, 0);
1038 if (IS_ERR(server_key)) {
57af281e
DH		 1039 ret = PTR_ERR(server_key);
1040 switch (ret) {
ec832bd0 1041 case -ENOKEY:
57af281e
DH		 1042 return rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, ret,
1043 rxkad_abort_resp_nokey);
ec832bd0 1044 case -EKEYEXPIRED:
57af281e
DH		 1045 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
1046 rxkad_abort_resp_key_expired);
ec832bd0 1047 default:
57af281e
DH		 1048 return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, ret,
1049 rxkad_abort_resp_key_rejected);
ec832bd0 1050 }
ec832bd0 1051 }
17926a79 1052
8c2f826d
DH		 1053 ret = -ENOMEM;
1054 response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1055 if (!response)
1056 goto temporary_error;
1057
775e5b71 1058 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
57af281e
DH		 1059 response, sizeof(*response)) < 0) {
1060 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1061 rxkad_abort_resp_short);
17926a79 1062 goto protocol_error;
57af281e 1063 }
17926a79 1064
8c2f826d
DH		 1065 version = ntohl(response->version);
1066 ticket_len = ntohl(response->ticket_len);
1067 kvno = ntohl(response->kvno);
2ebdb26e
DH		 1068
1069 trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len);
17926a79 1070
57af281e
DH		 1071 if (version != RXKAD_VERSION) {
1072 rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
1073 rxkad_abort_resp_version);
4aa9cb32 1074 goto protocol_error;
57af281e 1075 }
17926a79 1076
57af281e
DH		 1077 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) {
1078 rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO,
1079 rxkad_abort_resp_tkt_len);
17926a79 1080 goto protocol_error;
57af281e 1081 }
17926a79 1082
57af281e
DH		 1083 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) {
1084 rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO,
1085 rxkad_abort_resp_unknown_tkt);
17926a79 1086 goto protocol_error;
57af281e 1087 }
17926a79
DH		 1088
1089 /* extract the kerberos ticket and decrypt and decode it */
ef68622d 1090 ret = -ENOMEM;
17926a79
DH		 1091 ticket = kmalloc(ticket_len, GFP_NOFS);
1092 if (!ticket)
b43c75ab 1093 goto temporary_error_free_resp;
17926a79 1094
57af281e
DH		 1095 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response),
1096 ticket, ticket_len) < 0) {
1097 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1098 rxkad_abort_resp_short_tkt);
1099 goto protocol_error;
1100 }
17926a79 1101
ec832bd0 1102 ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len,
a00ce28b 1103 &session_key, &expiry);
ef68622d 1104 if (ret < 0)
f45d01f4 1105 goto temporary_error_free_ticket;
17926a79
DH		 1106
1107 /* use the session key from inside the ticket to decrypt the
1108 * response */
8c2f826d 1109 rxkad_decrypt_response(conn, response, &session_key);
17926a79 1110
57af281e
DH		 1111 if (ntohl(response->encrypted.epoch) != conn->proto.epoch ||
1112 ntohl(response->encrypted.cid) != conn->proto.cid ||
1113 ntohl(response->encrypted.securityIndex) != conn->security_ix) {
1114 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1115 rxkad_abort_resp_bad_param);
17926a79 1116 goto protocol_error_free;
57af281e
DH		 1117 }
1118
8c2f826d
DH		 1119 csum = response->encrypted.checksum;
1120 response->encrypted.checksum = 0;
1121 rxkad_calc_response_checksum(response);
57af281e
DH		 1122 if (response->encrypted.checksum != csum) {
1123 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1124 rxkad_abort_resp_bad_checksum);
17926a79 1125 goto protocol_error_free;
57af281e 1126 }
17926a79 1127
a1399f8b 1128 for (i = 0; i < RXRPC_MAXCALLS; i++) {
8c2f826d 1129 u32 call_id = ntohl(response->encrypted.call_id[i]);
9d35d880 1130 u32 counter = READ_ONCE(conn->channels[i].call_counter);
a1399f8b 1131
57af281e
DH		 1132 if (call_id > INT_MAX) {
1133 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1134 rxkad_abort_resp_bad_callid);
9d35d880 1135 goto protocol_error_free;
57af281e 1136 }
a1399f8b 1137
9d35d880 1138 if (call_id < counter) {
57af281e
DH		 1139 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1140 rxkad_abort_resp_call_ctr);
9d35d880 1141 goto protocol_error_free;
57af281e 1142 }
fb46f6ee 1143
9d35d880
DH		 1144 if (call_id > counter) {
1145 if (conn->channels[i].call) {
57af281e
DH		 1146 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1147 rxkad_abort_resp_call_state);
9d35d880 1148 goto protocol_error_free;
57af281e 1149 }
a1399f8b
DH		 1150 conn->channels[i].call_counter = call_id;
1151 }
1152 }
17926a79 1153
57af281e
DH		 1154 if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) {
1155 rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO,
1156 rxkad_abort_resp_ooseq);
17926a79 1157 goto protocol_error_free;
57af281e 1158 }
17926a79 1159
8c2f826d 1160 level = ntohl(response->encrypted.level);
57af281e
DH		 1161 if (level > RXRPC_SECURITY_ENCRYPT) {
1162 rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO,
1163 rxkad_abort_resp_level);
17926a79 1164 goto protocol_error_free;
57af281e 1165 }
2cc80086 1166 conn->security_level = level;
17926a79
DH		 1167
1168 /* create a key to hold the security data and expiration time - after
1169 * this the connection security can be handled in exactly the same way
1170 * as for a client connection */
1171 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
ef68622d 1172 if (ret < 0)
8c2f826d 1173 goto temporary_error_free_ticket;
17926a79
DH		 1174
1175 kfree(ticket);
8c2f826d 1176 kfree(response);
17926a79
DH		 1177 _leave(" = 0");
1178 return 0;
1179
1180protocol_error_free:
1181 kfree(ticket);
1182protocol_error:
8c2f826d 1183 kfree(response);
ec832bd0 1184 key_put(server_key);
57af281e 1185 return -EPROTO;
ef68622d 1186
8c2f826d 1187temporary_error_free_ticket:
ef68622d 1188 kfree(ticket);
b43c75ab 1189temporary_error_free_resp:
8c2f826d 1190 kfree(response);
ef68622d
DH		 1191temporary_error:
1192 /* Ignore the response packet if we got a temporary error such as
1193 * ENOMEM. We just want to send the challenge again. Note that we
1194 * also come out this way if the ticket decryption fails.
1195 */
ec832bd0 1196 key_put(server_key);
ef68622d 1197 return ret;
17926a79
DH		 1198}
1199
1200/*
1201 * clear the connection security
1202 */
1203static void rxkad_clear(struct rxrpc_connection *conn)
1204{
1205 _enter("");
1206
521bb304
DH		 1207 if (conn->rxkad.cipher)
1208 crypto_free_sync_skcipher(conn->rxkad.cipher);
17926a79
DH		 1209}
1210
648af7fc
DH		 1211/*
1212 * Initialise the rxkad security service.
1213 */
1214static int rxkad_init(void)
1215{
1db88c53
DH		 1216 struct crypto_sync_skcipher *tfm;
1217 struct skcipher_request *req;
1218
648af7fc
DH		 1219 /* pin the cipher we need so that the crypto layer doesn't invoke
1220 * keventd to go get it */
1db88c53
DH		 1221 tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
1222 if (IS_ERR(tfm))
1223 return PTR_ERR(tfm);
1224
1225 req = skcipher_request_alloc(&tfm->base, GFP_KERNEL);
1226 if (!req)
1227 goto nomem_tfm;
1228
1229 rxkad_ci_req = req;
1230 rxkad_ci = tfm;
1231 return 0;
1232
1233nomem_tfm:
1234 crypto_free_sync_skcipher(tfm);
1235 return -ENOMEM;
648af7fc
DH		 1236}
1237
1238/*
1239 * Clean up the rxkad security service.
1240 */
1241static void rxkad_exit(void)
1242{
1db88c53
DH		 1243 crypto_free_sync_skcipher(rxkad_ci);
1244 skcipher_request_free(rxkad_ci_req);
648af7fc
DH		 1245}
1246
17926a79
DH		 1247/*
1248 * RxRPC Kerberos-based security
1249 */
648af7fc 1250const struct rxrpc_security rxkad = {
17926a79 1251 .name = "rxkad",
8b815477 1252 .security_index = RXRPC_SECURITY_RXKAD,
063c60d3 1253 .no_key_abort = RXKADUNKNOWNKEY,
648af7fc
DH		 1254 .init = rxkad_init,
1255 .exit = rxkad_exit,
12da59fc
DH		 1256 .preparse_server_key = rxkad_preparse_server_key,
1257 .free_preparse_server_key = rxkad_free_preparse_server_key,
1258 .destroy_server_key = rxkad_destroy_server_key,
17926a79 1259 .init_connection_security = rxkad_init_connection_security,
49489bb0 1260 .alloc_txbuf = rxkad_alloc_txbuf,
17926a79
DH		 1261 .secure_packet = rxkad_secure_packet,
1262 .verify_packet = rxkad_verify_packet,
1db88c53 1263 .free_call_crypto = rxkad_free_call_crypto,
17926a79
DH		 1264 .issue_challenge = rxkad_issue_challenge,
1265 .respond_to_challenge = rxkad_respond_to_challenge,
1266 .verify_response = rxkad_verify_response,
1267 .clear = rxkad_clear,
1268};
Linux 6.x block layer and io_uring tree(s)