projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
rxrpc: Split the server key type (rxrpc_s) into its own file
[linux-block.git] / net / rxrpc / rxkad.c
CommitLineData
2874c5fd 1// SPDX-License-Identifier: GPL-2.0-or-later
17926a79
DH		 2/* Kerberos-based RxRPC security
3 *
4 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
17926a79
DH		 6 */
7
9b6d5398
JP		 8#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9
1afe593b 10#include <crypto/skcipher.h>
17926a79
DH		 11#include <linux/module.h>
12#include <linux/net.h>
13#include <linux/skbuff.h>
14#include <linux/udp.h>
17926a79
DH		 15#include <linux/scatterlist.h>
16#include <linux/ctype.h>
5a0e3ad6 17#include <linux/slab.h>
17926a79
DH		 18#include <net/sock.h>
19#include <net/af_rxrpc.h>
33941284 20#include <keys/rxrpc-type.h>
17926a79
DH		 21#include "ar-internal.h"
22
23#define RXKAD_VERSION 2
24#define MAXKRB5TICKETLEN 1024
25#define RXKAD_TKT_TYPE_KERBEROS_V5 256
26#define ANAME_SZ 40 /* size of authentication name */
27#define INST_SZ 40 /* size of principal's instance */
28#define REALM_SZ 40 /* size of principal's auth domain */
29#define SNAME_SZ 40 /* size of service name */
30
17926a79
DH		 31struct rxkad_level1_hdr {
32 __be32 data_size; /* true data size (excluding padding) */
33};
34
35struct rxkad_level2_hdr {
36 __be32 data_size; /* true data size (excluding padding) */
37 __be32 checksum; /* decrypted data checksum */
38};
39
17926a79
DH		 40/*
41 * this holds a pinned cipher so that keventd doesn't get called by the cipher
42 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
43 * packets
44 */
69d826fa 45static struct crypto_sync_skcipher *rxkad_ci;
1db88c53 46static struct skcipher_request *rxkad_ci_req;
17926a79
DH		 47static DEFINE_MUTEX(rxkad_ci_mutex);
48
49/*
50 * initialise connection security
51 */
41057ebd
DH		 52static int rxkad_init_connection_security(struct rxrpc_connection *conn,
53 struct rxrpc_key_token *token)
17926a79 54{
69d826fa 55 struct crypto_sync_skcipher *ci;
17926a79
DH		 56 int ret;
57
19ffa01c 58 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
17926a79 59
33941284 60 conn->security_ix = token->security_index;
17926a79 61
69d826fa 62 ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
17926a79
DH		 63 if (IS_ERR(ci)) {
64 _debug("no cipher");
65 ret = PTR_ERR(ci);
66 goto error;
67 }
68
69d826fa 69 if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
1afe593b 70 sizeof(token->kad->session_key)) < 0)
17926a79
DH		 71 BUG();
72
19ffa01c 73 switch (conn->params.security_level) {
17926a79
DH		 74 case RXRPC_SECURITY_PLAIN:
75 break;
76 case RXRPC_SECURITY_AUTH:
77 conn->size_align = 8;
78 conn->security_size = sizeof(struct rxkad_level1_hdr);
17926a79
DH		 79 break;
80 case RXRPC_SECURITY_ENCRYPT:
81 conn->size_align = 8;
82 conn->security_size = sizeof(struct rxkad_level2_hdr);
17926a79
DH		 83 break;
84 default:
85 ret = -EKEYREJECTED;
86 goto error;
87 }
88
89 conn->cipher = ci;
90 ret = 0;
91error:
92 _leave(" = %d", ret);
93 return ret;
94}
95
96/*
97 * prime the encryption state with the invariant parts of a connection's
98 * description
99 */
a263629d 100static int rxkad_prime_packet_security(struct rxrpc_connection *conn)
17926a79 101{
1db88c53 102 struct skcipher_request *req;
33941284 103 struct rxrpc_key_token *token;
a263629d 104 struct scatterlist sg;
17926a79 105 struct rxrpc_crypt iv;
a263629d
HX		 106 __be32 *tmpbuf;
107 size_t tmpsize = 4 * sizeof(__be32);
17926a79
DH		 108
109 _enter("");
110
19ffa01c 111 if (!conn->params.key)
a263629d
HX		 112 return 0;
113
114 tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
115 if (!tmpbuf)
116 return -ENOMEM;
17926a79 117
1db88c53
DH		 118 req = skcipher_request_alloc(&conn->cipher->base, GFP_NOFS);
119 if (!req) {
120 kfree(tmpbuf);
121 return -ENOMEM;
122 }
123
19ffa01c 124 token = conn->params.key->payload.data[0];
33941284 125 memcpy(&iv, token->kad->session_key, sizeof(iv));
17926a79 126
a263629d
HX		 127 tmpbuf[0] = htonl(conn->proto.epoch);
128 tmpbuf[1] = htonl(conn->proto.cid);
129 tmpbuf[2] = 0;
130 tmpbuf[3] = htonl(conn->security_ix);
1afe593b 131
a263629d 132 sg_init_one(&sg, tmpbuf, tmpsize);
69d826fa 133 skcipher_request_set_sync_tfm(req, conn->cipher);
1afe593b 134 skcipher_request_set_callback(req, 0, NULL, NULL);
a263629d 135 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
1afe593b 136 crypto_skcipher_encrypt(req);
1db88c53 137 skcipher_request_free(req);
17926a79 138
a263629d
HX		 139 memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv));
140 kfree(tmpbuf);
141 _leave(" = 0");
142 return 0;
17926a79
DH		 143}
144
1db88c53
DH		 145/*
146 * Allocate and prepare the crypto request on a call. For any particular call,
147 * this is called serially for the packets, so no lock should be necessary.
148 */
149static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call)
150{
151 struct crypto_skcipher *tfm = &call->conn->cipher->base;
152 struct skcipher_request *cipher_req = call->cipher_req;
153
154 if (!cipher_req) {
155 cipher_req = skcipher_request_alloc(tfm, GFP_NOFS);
156 if (!cipher_req)
157 return NULL;
158 call->cipher_req = cipher_req;
159 }
160
161 return cipher_req;
162}
163
164/*
165 * Clean up the crypto on a call.
166 */
167static void rxkad_free_call_crypto(struct rxrpc_call *call)
168{
169 if (call->cipher_req)
170 skcipher_request_free(call->cipher_req);
171 call->cipher_req = NULL;
172}
173
17926a79
DH		 174/*
175 * partially encrypt a packet (level 1 security)
176 */
177static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
178 struct sk_buff *skb,
179 u32 data_size,
54424d38
KC		 180 void *sechdr,
181 struct skcipher_request *req)
17926a79 182{
fb46f6ee 183 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
a263629d 184 struct rxkad_level1_hdr hdr;
17926a79 185 struct rxrpc_crypt iv;
a263629d 186 struct scatterlist sg;
17926a79
DH		 187 u16 check;
188
17926a79
DH		 189 _enter("");
190
5a924b89 191 check = sp->hdr.seq ^ call->call_id;
0d12f8a4 192 data_size |= (u32)check << 16;
17926a79 193
a263629d
HX		 194 hdr.data_size = htonl(data_size);
195 memcpy(sechdr, &hdr, sizeof(hdr));
17926a79
DH		 196
197 /* start the encryption afresh */
198 memset(&iv, 0, sizeof(iv));
17926a79 199
a263629d 200 sg_init_one(&sg, sechdr, 8);
69d826fa 201 skcipher_request_set_sync_tfm(req, call->conn->cipher);
1afe593b 202 skcipher_request_set_callback(req, 0, NULL, NULL);
a263629d 203 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
1afe593b
HX		 204 crypto_skcipher_encrypt(req);
205 skcipher_request_zero(req);
17926a79 206
17926a79
DH		 207 _leave(" = 0");
208 return 0;
209}
210
211/*
212 * wholly encrypt a packet (level 2 security)
213 */
214static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
b4f1342f
DH		 215 struct sk_buff *skb,
216 u32 data_size,
54424d38
KC		 217 void *sechdr,
218 struct skcipher_request *req)
17926a79 219{
33941284 220 const struct rxrpc_key_token *token;
a263629d 221 struct rxkad_level2_hdr rxkhdr;
17926a79 222 struct rxrpc_skb_priv *sp;
17926a79
DH		 223 struct rxrpc_crypt iv;
224 struct scatterlist sg[16];
95c96174 225 unsigned int len;
17926a79 226 u16 check;
1afe593b 227 int err;
17926a79
DH		 228
229 sp = rxrpc_skb(skb);
230
231 _enter("");
232
5a924b89 233 check = sp->hdr.seq ^ call->call_id;
17926a79 234
0d12f8a4 235 rxkhdr.data_size = htonl(data_size | (u32)check << 16);
17926a79 236 rxkhdr.checksum = 0;
a263629d 237 memcpy(sechdr, &rxkhdr, sizeof(rxkhdr));
17926a79
DH		 238
239 /* encrypt from the session key */
19ffa01c 240 token = call->conn->params.key->payload.data[0];
33941284 241 memcpy(&iv, token->kad->session_key, sizeof(iv));
17926a79 242
68e3f5dd 243 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
69d826fa 244 skcipher_request_set_sync_tfm(req, call->conn->cipher);
1afe593b 245 skcipher_request_set_callback(req, 0, NULL, NULL);
a263629d 246 skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
1afe593b 247 crypto_skcipher_encrypt(req);
17926a79
DH		 248
249 /* we want to encrypt the skbuff in-place */
d0d5c0cd
DH		 250 err = -EMSGSIZE;
251 if (skb_shinfo(skb)->nr_frags > 16)
1afe593b 252 goto out;
17926a79
DH		 253
254 len = data_size + call->conn->size_align - 1;
255 len &= ~(call->conn->size_align - 1);
256
d0d5c0cd 257 sg_init_table(sg, ARRAY_SIZE(sg));
89a5ea99
JD		 258 err = skb_to_sgvec(skb, sg, 0, len);
259 if (unlikely(err < 0))
260 goto out;
1afe593b 261 skcipher_request_set_crypt(req, sg, sg, len, iv.x);
1afe593b 262 crypto_skcipher_encrypt(req);
17926a79
DH		 263
264 _leave(" = 0");
1afe593b
HX		 265 err = 0;
266
267out:
268 skcipher_request_zero(req);
269 return err;
17926a79
DH		 270}
271
272/*
273 * checksum an RxRPC packet header
274 */
a263629d 275static int rxkad_secure_packet(struct rxrpc_call *call,
b4f1342f
DH		 276 struct sk_buff *skb,
277 size_t data_size,
278 void *sechdr)
17926a79
DH		 279{
280 struct rxrpc_skb_priv *sp;
1db88c53 281 struct skcipher_request *req;
17926a79 282 struct rxrpc_crypt iv;
a263629d 283 struct scatterlist sg;
0d12f8a4 284 u32 x, y;
17926a79
DH		 285 int ret;
286
287 sp = rxrpc_skb(skb);
288
289 _enter("{%d{%x}},{#%u},%zu,",
19ffa01c
DH		 290 call->debug_id, key_serial(call->conn->params.key),
291 sp->hdr.seq, data_size);
17926a79
DH		 292
293 if (!call->conn->cipher)
294 return 0;
295
19ffa01c 296 ret = key_validate(call->conn->params.key);
17926a79
DH		 297 if (ret < 0)
298 return ret;
299
1db88c53
DH		 300 req = rxkad_get_call_crypto(call);
301 if (!req)
302 return -ENOMEM;
303
17926a79
DH		 304 /* continue encrypting from where we left off */
305 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
17926a79
DH		 306
307 /* calculate the security checksum */
01a90a45 308 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
0d12f8a4 309 x |= sp->hdr.seq & 0x3fffffff;
5a924b89 310 call->crypto_buf[0] = htonl(call->call_id);
a263629d 311 call->crypto_buf[1] = htonl(x);
1afe593b 312
a263629d 313 sg_init_one(&sg, call->crypto_buf, 8);
69d826fa 314 skcipher_request_set_sync_tfm(req, call->conn->cipher);
1afe593b 315 skcipher_request_set_callback(req, 0, NULL, NULL);
a263629d 316 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
1afe593b
HX		 317 crypto_skcipher_encrypt(req);
318 skcipher_request_zero(req);
17926a79 319
a263629d 320 y = ntohl(call->crypto_buf[1]);
91e916cf
AV		 321 y = (y >> 16) & 0xffff;
322 if (y == 0)
323 y = 1; /* zero checksums are not permitted */
0d12f8a4 324 sp->hdr.cksum = y;
17926a79 325
19ffa01c 326 switch (call->conn->params.security_level) {
17926a79
DH		 327 case RXRPC_SECURITY_PLAIN:
328 ret = 0;
329 break;
330 case RXRPC_SECURITY_AUTH:
54424d38
KC		 331 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr,
332 req);
17926a79
DH		 333 break;
334 case RXRPC_SECURITY_ENCRYPT:
335 ret = rxkad_secure_packet_encrypt(call, skb, data_size,
54424d38 336 sechdr, req);
17926a79
DH		 337 break;
338 default:
339 ret = -EPERM;
340 break;
341 }
342
91e916cf 343 _leave(" = %d [set %hx]", ret, y);
17926a79
DH		 344 return ret;
345}
346
347/*
348 * decrypt partial encryption on a packet (level 1 security)
349 */
5a42976d 350static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
248f219c 351 unsigned int offset, unsigned int len,
54424d38
KC		 352 rxrpc_seq_t seq,
353 struct skcipher_request *req)
17926a79
DH		 354{
355 struct rxkad_level1_hdr sechdr;
17926a79 356 struct rxrpc_crypt iv;
68e3f5dd 357 struct scatterlist sg[16];
fb46f6ee 358 bool aborted;
17926a79
DH		 359 u32 data_size, buf;
360 u16 check;
d0d5c0cd 361 int ret;
17926a79
DH		 362
363 _enter("");
364
248f219c 365 if (len < 8) {
fb46f6ee
DH		 366 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_hdr", "V1H",
367 RXKADSEALEDINCON);
5a42976d
DH		 368 goto protocol_error;
369 }
17926a79 370
248f219c
DH		 371 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
372 * directly into the target buffer.
373 */
d0d5c0cd 374 sg_init_table(sg, ARRAY_SIZE(sg));
89a5ea99
JD		 375 ret = skb_to_sgvec(skb, sg, offset, 8);
376 if (unlikely(ret < 0))
377 return ret;
17926a79
DH		 378
379 /* start the decryption afresh */
380 memset(&iv, 0, sizeof(iv));
17926a79 381
69d826fa 382 skcipher_request_set_sync_tfm(req, call->conn->cipher);
1afe593b
HX		 383 skcipher_request_set_callback(req, 0, NULL, NULL);
384 skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
1afe593b
HX		 385 crypto_skcipher_decrypt(req);
386 skcipher_request_zero(req);
17926a79 387
5a42976d 388 /* Extract the decrypted packet length */
248f219c 389 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
fb46f6ee
DH		 390 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_len", "XV1",
391 RXKADDATALEN);
5a42976d
DH		 392 goto protocol_error;
393 }
248f219c
DH		 394 offset += sizeof(sechdr);
395 len -= sizeof(sechdr);
17926a79
DH		 396
397 buf = ntohl(sechdr.data_size);
398 data_size = buf & 0xffff;
399
400 check = buf >> 16;
5a42976d 401 check ^= seq ^ call->call_id;
17926a79
DH		 402 check &= 0xffff;
403 if (check != 0) {
fb46f6ee
DH		 404 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_check", "V1C",
405 RXKADSEALEDINCON);
17926a79
DH		 406 goto protocol_error;
407 }
408
248f219c 409 if (data_size > len) {
fb46f6ee
DH		 410 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_datalen", "V1L",
411 RXKADDATALEN);
5a42976d
DH		 412 goto protocol_error;
413 }
17926a79
DH		 414
415 _leave(" = 0 [dlen=%x]", data_size);
416 return 0;
417
17926a79 418protocol_error:
fb46f6ee
DH		 419 if (aborted)
420 rxrpc_send_abort_packet(call);
17926a79 421 return -EPROTO;
17926a79
DH		 422}
423
424/*
425 * wholly decrypt a packet (level 2 security)
426 */
5a42976d 427static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
248f219c 428 unsigned int offset, unsigned int len,
54424d38
KC		 429 rxrpc_seq_t seq,
430 struct skcipher_request *req)
17926a79 431{
33941284 432 const struct rxrpc_key_token *token;
17926a79 433 struct rxkad_level2_hdr sechdr;
17926a79
DH		 434 struct rxrpc_crypt iv;
435 struct scatterlist _sg[4], *sg;
fb46f6ee 436 bool aborted;
17926a79
DH		 437 u32 data_size, buf;
438 u16 check;
89a5ea99 439 int nsg, ret;
17926a79
DH		 440
441 _enter(",{%d}", skb->len);
442
248f219c 443 if (len < 8) {
fb46f6ee
DH		 444 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_hdr", "V2H",
445 RXKADSEALEDINCON);
5a42976d
DH		 446 goto protocol_error;
447 }
17926a79 448
248f219c
DH		 449 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
450 * directly into the target buffer.
451 */
17926a79 452 sg = _sg;
d0d5c0cd
DH		 453 nsg = skb_shinfo(skb)->nr_frags;
454 if (nsg <= 4) {
455 nsg = 4;
456 } else {
6da2ec56 457 sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
17926a79
DH		 458 if (!sg)
459 goto nomem;
460 }
461
68e3f5dd 462 sg_init_table(sg, nsg);
89a5ea99
JD		 463 ret = skb_to_sgvec(skb, sg, offset, len);
464 if (unlikely(ret < 0)) {
465 if (sg != _sg)
466 kfree(sg);
467 return ret;
468 }
17926a79
DH		 469
470 /* decrypt from the session key */
19ffa01c 471 token = call->conn->params.key->payload.data[0];
33941284 472 memcpy(&iv, token->kad->session_key, sizeof(iv));
17926a79 473
69d826fa 474 skcipher_request_set_sync_tfm(req, call->conn->cipher);
1afe593b 475 skcipher_request_set_callback(req, 0, NULL, NULL);
248f219c 476 skcipher_request_set_crypt(req, sg, sg, len, iv.x);
1afe593b
HX		 477 crypto_skcipher_decrypt(req);
478 skcipher_request_zero(req);
17926a79
DH		 479 if (sg != _sg)
480 kfree(sg);
481
5a42976d 482 /* Extract the decrypted packet length */
248f219c 483 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
fb46f6ee
DH		 484 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_len", "XV2",
485 RXKADDATALEN);
5a42976d
DH		 486 goto protocol_error;
487 }
248f219c
DH		 488 offset += sizeof(sechdr);
489 len -= sizeof(sechdr);
17926a79
DH		 490
491 buf = ntohl(sechdr.data_size);
492 data_size = buf & 0xffff;
493
494 check = buf >> 16;
5a42976d 495 check ^= seq ^ call->call_id;
17926a79
DH		 496 check &= 0xffff;
497 if (check != 0) {
fb46f6ee
DH		 498 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_check", "V2C",
499 RXKADSEALEDINCON);
17926a79
DH		 500 goto protocol_error;
501 }
502
248f219c 503 if (data_size > len) {
fb46f6ee
DH		 504 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_datalen", "V2L",
505 RXKADDATALEN);
5a42976d
DH		 506 goto protocol_error;
507 }
17926a79
DH		 508
509 _leave(" = 0 [dlen=%x]", data_size);
510 return 0;
511
17926a79 512protocol_error:
fb46f6ee
DH		 513 if (aborted)
514 rxrpc_send_abort_packet(call);
17926a79
DH		 515 return -EPROTO;
516
517nomem:
518 _leave(" = -ENOMEM");
519 return -ENOMEM;
520}
521
522/*
5a42976d
DH		 523 * Verify the security on a received packet or subpacket (if part of a
524 * jumbo packet).
17926a79 525 */
5a42976d 526static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb,
248f219c 527 unsigned int offset, unsigned int len,
5a42976d 528 rxrpc_seq_t seq, u16 expected_cksum)
17926a79 529{
1db88c53 530 struct skcipher_request *req;
17926a79 531 struct rxrpc_crypt iv;
a263629d 532 struct scatterlist sg;
fb46f6ee 533 bool aborted;
0d12f8a4
DH		 534 u16 cksum;
535 u32 x, y;
17926a79
DH		 536
537 _enter("{%d{%x}},{#%u}",
5a42976d 538 call->debug_id, key_serial(call->conn->params.key), seq);
17926a79
DH		 539
540 if (!call->conn->cipher)
541 return 0;
542
1db88c53
DH		 543 req = rxkad_get_call_crypto(call);
544 if (!req)
545 return -ENOMEM;
546
17926a79
DH		 547 /* continue encrypting from where we left off */
548 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
17926a79
DH		 549
550 /* validate the security checksum */
01a90a45 551 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
5a42976d 552 x |= seq & 0x3fffffff;
a263629d
HX		 553 call->crypto_buf[0] = htonl(call->call_id);
554 call->crypto_buf[1] = htonl(x);
1afe593b 555
a263629d 556 sg_init_one(&sg, call->crypto_buf, 8);
69d826fa 557 skcipher_request_set_sync_tfm(req, call->conn->cipher);
1afe593b 558 skcipher_request_set_callback(req, 0, NULL, NULL);
a263629d 559 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
1afe593b
HX		 560 crypto_skcipher_encrypt(req);
561 skcipher_request_zero(req);
17926a79 562
a263629d 563 y = ntohl(call->crypto_buf[1]);
0d12f8a4
DH		 564 cksum = (y >> 16) & 0xffff;
565 if (cksum == 0)
566 cksum = 1; /* zero checksums are not permitted */
17926a79 567
5a42976d 568 if (cksum != expected_cksum) {
fb46f6ee
DH		 569 aborted = rxrpc_abort_eproto(call, skb, "rxkad_csum", "VCK",
570 RXKADSEALEDINCON);
571 goto protocol_error;
17926a79
DH		 572 }
573
19ffa01c 574 switch (call->conn->params.security_level) {
17926a79 575 case RXRPC_SECURITY_PLAIN:
5a42976d 576 return 0;
17926a79 577 case RXRPC_SECURITY_AUTH:
54424d38 578 return rxkad_verify_packet_1(call, skb, offset, len, seq, req);
17926a79 579 case RXRPC_SECURITY_ENCRYPT:
54424d38 580 return rxkad_verify_packet_2(call, skb, offset, len, seq, req);
17926a79 581 default:
5a42976d 582 return -ENOANO;
17926a79 583 }
fb46f6ee
DH		 584
585protocol_error:
586 if (aborted)
587 rxrpc_send_abort_packet(call);
588 return -EPROTO;
17926a79
DH		 589}
590
248f219c
DH		 591/*
592 * Locate the data contained in a packet that was partially encrypted.
593 */
594static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb,
595 unsigned int *_offset, unsigned int *_len)
596{
597 struct rxkad_level1_hdr sechdr;
598
599 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
600 BUG();
601 *_offset += sizeof(sechdr);
602 *_len = ntohl(sechdr.data_size) & 0xffff;
603}
604
605/*
606 * Locate the data contained in a packet that was completely encrypted.
607 */
608static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb,
609 unsigned int *_offset, unsigned int *_len)
610{
611 struct rxkad_level2_hdr sechdr;
612
613 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
614 BUG();
615 *_offset += sizeof(sechdr);
616 *_len = ntohl(sechdr.data_size) & 0xffff;
617}
618
619/*
620 * Locate the data contained in an already decrypted packet.
621 */
622static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb,
623 unsigned int *_offset, unsigned int *_len)
624{
625 switch (call->conn->params.security_level) {
626 case RXRPC_SECURITY_AUTH:
627 rxkad_locate_data_1(call, skb, _offset, _len);
628 return;
629 case RXRPC_SECURITY_ENCRYPT:
630 rxkad_locate_data_2(call, skb, _offset, _len);
631 return;
632 default:
633 return;
634 }
635}
636
17926a79
DH		 637/*
638 * issue a challenge
639 */
640static int rxkad_issue_challenge(struct rxrpc_connection *conn)
641{
642 struct rxkad_challenge challenge;
0d12f8a4 643 struct rxrpc_wire_header whdr;
17926a79
DH		 644 struct msghdr msg;
645 struct kvec iov[2];
646 size_t len;
0d12f8a4 647 u32 serial;
17926a79
DH		 648 int ret;
649
ec832bd0 650 _enter("{%d}", conn->debug_id);
17926a79
DH		 651
652 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
653
654 challenge.version = htonl(2);
655 challenge.nonce = htonl(conn->security_nonce);
656 challenge.min_level = htonl(0);
657 challenge.__padding = 0;
658
7b674e39
DH		 659 msg.msg_name = &conn->params.peer->srx.transport;
660 msg.msg_namelen = conn->params.peer->srx.transport_len;
17926a79
DH		 661 msg.msg_control = NULL;
662 msg.msg_controllen = 0;
663 msg.msg_flags = 0;
664
19ffa01c
DH		 665 whdr.epoch = htonl(conn->proto.epoch);
666 whdr.cid = htonl(conn->proto.cid);
0d12f8a4
DH		 667 whdr.callNumber = 0;
668 whdr.seq = 0;
669 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE;
670 whdr.flags = conn->out_clientflag;
671 whdr.userStatus = 0;
672 whdr.securityIndex = conn->security_ix;
673 whdr._rsvd = 0;
68d6d1ae 674 whdr.serviceId = htons(conn->service_id);
0d12f8a4
DH		 675
676 iov[0].iov_base = &whdr;
677 iov[0].iov_len = sizeof(whdr);
17926a79
DH		 678 iov[1].iov_base = &challenge;
679 iov[1].iov_len = sizeof(challenge);
680
681 len = iov[0].iov_len + iov[1].iov_len;
682
0d12f8a4
DH		 683 serial = atomic_inc_return(&conn->serial);
684 whdr.serial = htonl(serial);
685 _proto("Tx CHALLENGE %%%u", serial);
17926a79 686
85f32278 687 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
17926a79 688 if (ret < 0) {
6b47fe1d 689 trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
4764c0da 690 rxrpc_tx_point_rxkad_challenge);
17926a79
DH		 691 return -EAGAIN;
692 }
693
330bdcfa 694 conn->params.peer->last_tx_at = ktime_get_seconds();
4764c0da
DH		 695 trace_rxrpc_tx_packet(conn->debug_id, &whdr,
696 rxrpc_tx_point_rxkad_challenge);
17926a79
DH		 697 _leave(" = 0");
698 return 0;
699}
700
701/*
702 * send a Kerberos security response
703 */
704static int rxkad_send_response(struct rxrpc_connection *conn,
0d12f8a4 705 struct rxrpc_host_header *hdr,
17926a79
DH		 706 struct rxkad_response *resp,
707 const struct rxkad_key *s2)
708{
0d12f8a4 709 struct rxrpc_wire_header whdr;
17926a79
DH		 710 struct msghdr msg;
711 struct kvec iov[3];
712 size_t len;
0d12f8a4 713 u32 serial;
17926a79
DH		 714 int ret;
715
716 _enter("");
717
7b674e39
DH		 718 msg.msg_name = &conn->params.peer->srx.transport;
719 msg.msg_namelen = conn->params.peer->srx.transport_len;
17926a79
DH		 720 msg.msg_control = NULL;
721 msg.msg_controllen = 0;
722 msg.msg_flags = 0;
723
0d12f8a4
DH		 724 memset(&whdr, 0, sizeof(whdr));
725 whdr.epoch = htonl(hdr->epoch);
726 whdr.cid = htonl(hdr->cid);
727 whdr.type = RXRPC_PACKET_TYPE_RESPONSE;
728 whdr.flags = conn->out_clientflag;
729 whdr.securityIndex = hdr->securityIndex;
730 whdr.serviceId = htons(hdr->serviceId);
17926a79 731
0d12f8a4
DH		 732 iov[0].iov_base = &whdr;
733 iov[0].iov_len = sizeof(whdr);
17926a79
DH		 734 iov[1].iov_base = resp;
735 iov[1].iov_len = sizeof(*resp);
0d12f8a4 736 iov[2].iov_base = (void *)s2->ticket;
17926a79
DH		 737 iov[2].iov_len = s2->ticket_len;
738
739 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
740
0d12f8a4
DH		 741 serial = atomic_inc_return(&conn->serial);
742 whdr.serial = htonl(serial);
743 _proto("Tx RESPONSE %%%u", serial);
17926a79 744
85f32278 745 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
17926a79 746 if (ret < 0) {
6b47fe1d 747 trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
4764c0da 748 rxrpc_tx_point_rxkad_response);
17926a79
DH		 749 return -EAGAIN;
750 }
751
330bdcfa 752 conn->params.peer->last_tx_at = ktime_get_seconds();
17926a79
DH		 753 _leave(" = 0");
754 return 0;
755}
756
757/*
758 * calculate the response checksum
759 */
760static void rxkad_calc_response_checksum(struct rxkad_response *response)
761{
762 u32 csum = 1000003;
763 int loop;
764 u8 *p = (u8 *) response;
765
766 for (loop = sizeof(*response); loop > 0; loop--)
767 csum = csum * 0x10204081 + *p++;
768
769 response->encrypted.checksum = htonl(csum);
770}
771
17926a79
DH		 772/*
773 * encrypt the response packet
774 */
1db88c53
DH		 775static int rxkad_encrypt_response(struct rxrpc_connection *conn,
776 struct rxkad_response *resp,
777 const struct rxkad_key *s2)
17926a79 778{
1db88c53 779 struct skcipher_request *req;
17926a79 780 struct rxrpc_crypt iv;
a263629d 781 struct scatterlist sg[1];
17926a79 782
1db88c53
DH		 783 req = skcipher_request_alloc(&conn->cipher->base, GFP_NOFS);
784 if (!req)
785 return -ENOMEM;
786
17926a79
DH		 787 /* continue encrypting from where we left off */
788 memcpy(&iv, s2->session_key, sizeof(iv));
17926a79 789
a263629d
HX		 790 sg_init_table(sg, 1);
791 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
69d826fa 792 skcipher_request_set_sync_tfm(req, conn->cipher);
1afe593b
HX		 793 skcipher_request_set_callback(req, 0, NULL, NULL);
794 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1afe593b 795 crypto_skcipher_encrypt(req);
1db88c53
DH		 796 skcipher_request_free(req);
797 return 0;
17926a79
DH		 798}
799
800/*
801 * respond to a challenge packet
802 */
803static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
804 struct sk_buff *skb,
805 u32 *_abort_code)
806{
33941284 807 const struct rxrpc_key_token *token;
17926a79 808 struct rxkad_challenge challenge;
8c2f826d 809 struct rxkad_response *resp;
248f219c 810 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
fb46f6ee 811 const char *eproto;
17926a79
DH		 812 u32 version, nonce, min_level, abort_code;
813 int ret;
814
19ffa01c 815 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
17926a79 816
fb46f6ee 817 eproto = tracepoint_string("chall_no_key");
ef68622d
DH		 818 abort_code = RX_PROTOCOL_ERROR;
819 if (!conn->params.key)
820 goto protocol_error;
17926a79 821
ef68622d 822 abort_code = RXKADEXPIRED;
19ffa01c 823 ret = key_validate(conn->params.key);
ef68622d
DH		 824 if (ret < 0)
825 goto other_error;
17926a79 826
fb46f6ee 827 eproto = tracepoint_string("chall_short");
17926a79 828 abort_code = RXKADPACKETSHORT;
775e5b71
DH		 829 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
830 &challenge, sizeof(challenge)) < 0)
17926a79
DH		 831 goto protocol_error;
832
833 version = ntohl(challenge.version);
834 nonce = ntohl(challenge.nonce);
835 min_level = ntohl(challenge.min_level);
836
837 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
0d12f8a4 838 sp->hdr.serial, version, nonce, min_level);
17926a79 839
fb46f6ee 840 eproto = tracepoint_string("chall_ver");
17926a79
DH		 841 abort_code = RXKADINCONSISTENCY;
842 if (version != RXKAD_VERSION)
843 goto protocol_error;
844
845 abort_code = RXKADLEVELFAIL;
ef68622d 846 ret = -EACCES;
19ffa01c 847 if (conn->params.security_level < min_level)
ef68622d 848 goto other_error;
17926a79 849
19ffa01c 850 token = conn->params.key->payload.data[0];
17926a79
DH		 851
852 /* build the response packet */
8c2f826d
DH		 853 resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
854 if (!resp)
855 return -ENOMEM;
856
857 resp->version = htonl(RXKAD_VERSION);
858 resp->encrypted.epoch = htonl(conn->proto.epoch);
859 resp->encrypted.cid = htonl(conn->proto.cid);
860 resp->encrypted.securityIndex = htonl(conn->security_ix);
861 resp->encrypted.inc_nonce = htonl(nonce + 1);
862 resp->encrypted.level = htonl(conn->params.security_level);
863 resp->kvno = htonl(token->kad->kvno);
864 resp->ticket_len = htonl(token->kad->ticket_len);
865 resp->encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
866 resp->encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
867 resp->encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
868 resp->encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
17926a79
DH		 869
870 /* calculate the response checksum and then do the encryption */
8c2f826d 871 rxkad_calc_response_checksum(resp);
1db88c53
DH		 872 ret = rxkad_encrypt_response(conn, resp, token->kad);
873 if (ret == 0)
874 ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad);
8c2f826d
DH		 875 kfree(resp);
876 return ret;
17926a79
DH		 877
878protocol_error:
fb46f6ee 879 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
ef68622d
DH		 880 ret = -EPROTO;
881other_error:
17926a79 882 *_abort_code = abort_code;
ef68622d 883 return ret;
17926a79
DH		 884}
885
886/*
887 * decrypt the kerberos IV ticket in the response
888 */
889static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
ec832bd0 890 struct key *server_key,
fb46f6ee 891 struct sk_buff *skb,
17926a79
DH		 892 void *ticket, size_t ticket_len,
893 struct rxrpc_crypt *_session_key,
10674a03 894 time64_t *_expiry,
17926a79
DH		 895 u32 *_abort_code)
896{
1afe593b 897 struct skcipher_request *req;
fb46f6ee 898 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
17926a79 899 struct rxrpc_crypt iv, key;
68e3f5dd 900 struct scatterlist sg[1];
17926a79 901 struct in_addr addr;
95c96174 902 unsigned int life;
fb46f6ee 903 const char *eproto;
10674a03 904 time64_t issue, now;
17926a79
DH		 905 bool little_endian;
906 int ret;
fb46f6ee 907 u32 abort_code;
17926a79
DH		 908 u8 *p, *q, *name, *end;
909
ec832bd0 910 _enter("{%d},{%x}", conn->debug_id, key_serial(server_key));
17926a79
DH		 911
912 *_expiry = 0;
913
ec832bd0 914 ASSERT(server_key->payload.data[0] != NULL);
17926a79
DH		 915 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
916
ec832bd0 917 memcpy(&iv, &server_key->payload.data[2], sizeof(iv));
17926a79 918
ef68622d 919 ret = -ENOMEM;
ec832bd0 920 req = skcipher_request_alloc(server_key->payload.data[0], GFP_NOFS);
ef68622d
DH		 921 if (!req)
922 goto temporary_error;
17926a79 923
68e3f5dd 924 sg_init_one(&sg[0], ticket, ticket_len);
1afe593b
HX		 925 skcipher_request_set_callback(req, 0, NULL, NULL);
926 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
1afe593b
HX		 927 crypto_skcipher_decrypt(req);
928 skcipher_request_free(req);
17926a79
DH		 929
930 p = ticket;
931 end = p + ticket_len;
932
fb46f6ee 933#define Z(field) \
17926a79
DH		 934 ({ \
935 u8 *__str = p; \
fb46f6ee 936 eproto = tracepoint_string("rxkad_bad_"#field); \
17926a79 937 q = memchr(p, 0, end - p); \
fb46f6ee 938 if (!q || q - p > (field##_SZ)) \
17926a79
DH		 939 goto bad_ticket; \
940 for (; p < q; p++) \
941 if (!isprint(*p)) \
942 goto bad_ticket; \
943 p++; \
944 __str; \
945 })
946
947 /* extract the ticket flags */
948 _debug("KIV FLAGS: %x", *p);
949 little_endian = *p & 1;
950 p++;
951
952 /* extract the authentication name */
fb46f6ee 953 name = Z(ANAME);
17926a79
DH		 954 _debug("KIV ANAME: %s", name);
955
956 /* extract the principal's instance */
fb46f6ee 957 name = Z(INST);
17926a79
DH		 958 _debug("KIV INST : %s", name);
959
960 /* extract the principal's authentication domain */
fb46f6ee 961 name = Z(REALM);
17926a79
DH		 962 _debug("KIV REALM: %s", name);
963
fb46f6ee 964 eproto = tracepoint_string("rxkad_bad_len");
17926a79
DH		 965 if (end - p < 4 + 8 + 4 + 2)
966 goto bad_ticket;
967
968 /* get the IPv4 address of the entity that requested the ticket */
969 memcpy(&addr, p, sizeof(addr));
970 p += 4;
21454aaa 971 _debug("KIV ADDR : %pI4", &addr);
17926a79
DH		 972
973 /* get the session key from the ticket */
974 memcpy(&key, p, sizeof(key));
975 p += 8;
976 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
977 memcpy(_session_key, &key, sizeof(key));
978
979 /* get the ticket's lifetime */
980 life = *p++ * 5 * 60;
981 _debug("KIV LIFE : %u", life);
982
983 /* get the issue time of the ticket */
984 if (little_endian) {
985 __le32 stamp;
986 memcpy(&stamp, p, 4);
10674a03 987 issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
17926a79
DH		 988 } else {
989 __be32 stamp;
990 memcpy(&stamp, p, 4);
10674a03 991 issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
17926a79
DH		 992 }
993 p += 4;
10674a03
BW		 994 now = ktime_get_real_seconds();
995 _debug("KIV ISSUE: %llx [%llx]", issue, now);
17926a79
DH		 996
997 /* check the ticket is in date */
998 if (issue > now) {
fb46f6ee 999 abort_code = RXKADNOAUTH;
17926a79 1000 ret = -EKEYREJECTED;
ef68622d 1001 goto other_error;
17926a79
DH		 1002 }
1003
1004 if (issue < now - life) {
fb46f6ee 1005 abort_code = RXKADEXPIRED;
17926a79 1006 ret = -EKEYEXPIRED;
ef68622d 1007 goto other_error;
17926a79
DH		 1008 }
1009
1010 *_expiry = issue + life;
1011
1012 /* get the service name */
fb46f6ee 1013 name = Z(SNAME);
17926a79
DH		 1014 _debug("KIV SNAME: %s", name);
1015
1016 /* get the service instance name */
fb46f6ee 1017 name = Z(INST);
17926a79 1018 _debug("KIV SINST: %s", name);
ef68622d 1019 return 0;
17926a79
DH		 1020
1021bad_ticket:
fb46f6ee
DH		 1022 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1023 abort_code = RXKADBADTICKET;
ef68622d
DH		 1024 ret = -EPROTO;
1025other_error:
fb46f6ee 1026 *_abort_code = abort_code;
ef68622d
DH		 1027 return ret;
1028temporary_error:
1029 return ret;
17926a79
DH		 1030}
1031
1032/*
1033 * decrypt the response packet
1034 */
1035static void rxkad_decrypt_response(struct rxrpc_connection *conn,
1036 struct rxkad_response *resp,
1037 const struct rxrpc_crypt *session_key)
1038{
1db88c53 1039 struct skcipher_request *req = rxkad_ci_req;
a263629d 1040 struct scatterlist sg[1];
17926a79
DH		 1041 struct rxrpc_crypt iv;
1042
1043 _enter(",,%08x%08x",
1044 ntohl(session_key->n[0]), ntohl(session_key->n[1]));
1045
17926a79 1046 mutex_lock(&rxkad_ci_mutex);
69d826fa 1047 if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
1db88c53 1048 sizeof(*session_key)) < 0)
17926a79
DH		 1049 BUG();
1050
1051 memcpy(&iv, session_key, sizeof(iv));
17926a79 1052
a263629d
HX		 1053 sg_init_table(sg, 1);
1054 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
69d826fa 1055 skcipher_request_set_sync_tfm(req, rxkad_ci);
1afe593b
HX		 1056 skcipher_request_set_callback(req, 0, NULL, NULL);
1057 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1afe593b
HX		 1058 crypto_skcipher_decrypt(req);
1059 skcipher_request_zero(req);
1060
17926a79
DH		 1061 mutex_unlock(&rxkad_ci_mutex);
1062
1063 _leave("");
1064}
1065
1066/*
1067 * verify a response
1068 */
1069static int rxkad_verify_response(struct rxrpc_connection *conn,
1070 struct sk_buff *skb,
1071 u32 *_abort_code)
1072{
8c2f826d 1073 struct rxkad_response *response;
248f219c 1074 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
17926a79 1075 struct rxrpc_crypt session_key;
ec832bd0 1076 struct key *server_key;
fb46f6ee 1077 const char *eproto;
10674a03 1078 time64_t expiry;
17926a79 1079 void *ticket;
91e916cf
AV		 1080 u32 abort_code, version, kvno, ticket_len, level;
1081 __be32 csum;
a1399f8b 1082 int ret, i;
17926a79 1083
ec832bd0
DH		 1084 _enter("{%d}", conn->debug_id);
1085
1086 server_key = rxrpc_look_up_server_security(conn, skb, 0, 0);
1087 if (IS_ERR(server_key)) {
1088 switch (PTR_ERR(server_key)) {
1089 case -ENOKEY:
1090 abort_code = RXKADUNKNOWNKEY;
1091 break;
1092 case -EKEYEXPIRED:
1093 abort_code = RXKADEXPIRED;
1094 break;
1095 default:
1096 abort_code = RXKADNOAUTH;
1097 break;
1098 }
1099 trace_rxrpc_abort(0, "SVK",
1100 sp->hdr.cid, sp->hdr.callNumber, sp->hdr.seq,
1101 abort_code, PTR_ERR(server_key));
1102 *_abort_code = abort_code;
1103 return -EPROTO;
1104 }
17926a79 1105
8c2f826d
DH		 1106 ret = -ENOMEM;
1107 response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1108 if (!response)
1109 goto temporary_error;
1110
fb46f6ee 1111 eproto = tracepoint_string("rxkad_rsp_short");
17926a79 1112 abort_code = RXKADPACKETSHORT;
775e5b71 1113 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
8c2f826d 1114 response, sizeof(*response)) < 0)
17926a79 1115 goto protocol_error;
8c2f826d 1116 if (!pskb_pull(skb, sizeof(*response)))
17926a79
DH		 1117 BUG();
1118
8c2f826d
DH		 1119 version = ntohl(response->version);
1120 ticket_len = ntohl(response->ticket_len);
1121 kvno = ntohl(response->kvno);
17926a79 1122 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
0d12f8a4 1123 sp->hdr.serial, version, kvno, ticket_len);
17926a79 1124
fb46f6ee 1125 eproto = tracepoint_string("rxkad_rsp_ver");
17926a79
DH		 1126 abort_code = RXKADINCONSISTENCY;
1127 if (version != RXKAD_VERSION)
4aa9cb32 1128 goto protocol_error;
17926a79 1129
fb46f6ee 1130 eproto = tracepoint_string("rxkad_rsp_tktlen");
17926a79
DH		 1131 abort_code = RXKADTICKETLEN;
1132 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1133 goto protocol_error;
1134
fb46f6ee 1135 eproto = tracepoint_string("rxkad_rsp_unkkey");
17926a79
DH		 1136 abort_code = RXKADUNKNOWNKEY;
1137 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1138 goto protocol_error;
1139
1140 /* extract the kerberos ticket and decrypt and decode it */
ef68622d 1141 ret = -ENOMEM;
17926a79
DH		 1142 ticket = kmalloc(ticket_len, GFP_NOFS);
1143 if (!ticket)
b43c75ab 1144 goto temporary_error_free_resp;
17926a79 1145
fb46f6ee 1146 eproto = tracepoint_string("rxkad_tkt_short");
17926a79 1147 abort_code = RXKADPACKETSHORT;
775e5b71
DH		 1148 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1149 ticket, ticket_len) < 0)
17926a79
DH		 1150 goto protocol_error_free;
1151
ec832bd0
DH		 1152 ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len,
1153 &session_key, &expiry, _abort_code);
ef68622d 1154 if (ret < 0)
f45d01f4 1155 goto temporary_error_free_ticket;
17926a79
DH		 1156
1157 /* use the session key from inside the ticket to decrypt the
1158 * response */
8c2f826d 1159 rxkad_decrypt_response(conn, response, &session_key);
17926a79 1160
fb46f6ee 1161 eproto = tracepoint_string("rxkad_rsp_param");
17926a79 1162 abort_code = RXKADSEALEDINCON;
8c2f826d 1163 if (ntohl(response->encrypted.epoch) != conn->proto.epoch)
17926a79 1164 goto protocol_error_free;
8c2f826d 1165 if (ntohl(response->encrypted.cid) != conn->proto.cid)
17926a79 1166 goto protocol_error_free;
8c2f826d 1167 if (ntohl(response->encrypted.securityIndex) != conn->security_ix)
17926a79 1168 goto protocol_error_free;
8c2f826d
DH		 1169 csum = response->encrypted.checksum;
1170 response->encrypted.checksum = 0;
1171 rxkad_calc_response_checksum(response);
fb46f6ee 1172 eproto = tracepoint_string("rxkad_rsp_csum");
8c2f826d 1173 if (response->encrypted.checksum != csum)
17926a79
DH		 1174 goto protocol_error_free;
1175
245500d8 1176 spin_lock(&conn->bundle->channel_lock);
a1399f8b
DH		 1177 for (i = 0; i < RXRPC_MAXCALLS; i++) {
1178 struct rxrpc_call *call;
8c2f826d 1179 u32 call_id = ntohl(response->encrypted.call_id[i]);
a1399f8b 1180
fb46f6ee 1181 eproto = tracepoint_string("rxkad_rsp_callid");
a1399f8b
DH		 1182 if (call_id > INT_MAX)
1183 goto protocol_error_unlock;
1184
fb46f6ee 1185 eproto = tracepoint_string("rxkad_rsp_callctr");
a1399f8b
DH		 1186 if (call_id < conn->channels[i].call_counter)
1187 goto protocol_error_unlock;
fb46f6ee
DH		 1188
1189 eproto = tracepoint_string("rxkad_rsp_callst");
a1399f8b
DH		 1190 if (call_id > conn->channels[i].call_counter) {
1191 call = rcu_dereference_protected(
1192 conn->channels[i].call,
245500d8 1193 lockdep_is_held(&conn->bundle->channel_lock));
a1399f8b
DH		 1194 if (call && call->state < RXRPC_CALL_COMPLETE)
1195 goto protocol_error_unlock;
1196 conn->channels[i].call_counter = call_id;
1197 }
1198 }
245500d8 1199 spin_unlock(&conn->bundle->channel_lock);
17926a79 1200
fb46f6ee 1201 eproto = tracepoint_string("rxkad_rsp_seq");
17926a79 1202 abort_code = RXKADOUTOFSEQUENCE;
8c2f826d 1203 if (ntohl(response->encrypted.inc_nonce) != conn->security_nonce + 1)
17926a79
DH		 1204 goto protocol_error_free;
1205
fb46f6ee 1206 eproto = tracepoint_string("rxkad_rsp_level");
17926a79 1207 abort_code = RXKADLEVELFAIL;
8c2f826d 1208 level = ntohl(response->encrypted.level);
17926a79
DH		 1209 if (level > RXRPC_SECURITY_ENCRYPT)
1210 goto protocol_error_free;
19ffa01c 1211 conn->params.security_level = level;
17926a79
DH		 1212
1213 /* create a key to hold the security data and expiration time - after
1214 * this the connection security can be handled in exactly the same way
1215 * as for a client connection */
1216 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
ef68622d 1217 if (ret < 0)
8c2f826d 1218 goto temporary_error_free_ticket;
17926a79
DH		 1219
1220 kfree(ticket);
8c2f826d 1221 kfree(response);
17926a79
DH		 1222 _leave(" = 0");
1223 return 0;
1224
a1399f8b 1225protocol_error_unlock:
245500d8 1226 spin_unlock(&conn->bundle->channel_lock);
17926a79
DH		 1227protocol_error_free:
1228 kfree(ticket);
1229protocol_error:
8c2f826d 1230 kfree(response);
fb46f6ee 1231 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
ec832bd0 1232 key_put(server_key);
17926a79 1233 *_abort_code = abort_code;
17926a79 1234 return -EPROTO;
ef68622d 1235
8c2f826d 1236temporary_error_free_ticket:
ef68622d 1237 kfree(ticket);
b43c75ab 1238temporary_error_free_resp:
8c2f826d 1239 kfree(response);
ef68622d
DH		 1240temporary_error:
1241 /* Ignore the response packet if we got a temporary error such as
1242 * ENOMEM. We just want to send the challenge again. Note that we
1243 * also come out this way if the ticket decryption fails.
1244 */
ec832bd0 1245 key_put(server_key);
ef68622d 1246 return ret;
17926a79
DH		 1247}
1248
1249/*
1250 * clear the connection security
1251 */
1252static void rxkad_clear(struct rxrpc_connection *conn)
1253{
1254 _enter("");
1255
1256 if (conn->cipher)
69d826fa 1257 crypto_free_sync_skcipher(conn->cipher);
17926a79
DH		 1258}
1259
648af7fc
DH		 1260/*
1261 * Initialise the rxkad security service.
1262 */
1263static int rxkad_init(void)
1264{
1db88c53
DH		 1265 struct crypto_sync_skcipher *tfm;
1266 struct skcipher_request *req;
1267
648af7fc
DH		 1268 /* pin the cipher we need so that the crypto layer doesn't invoke
1269 * keventd to go get it */
1db88c53
DH		 1270 tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
1271 if (IS_ERR(tfm))
1272 return PTR_ERR(tfm);
1273
1274 req = skcipher_request_alloc(&tfm->base, GFP_KERNEL);
1275 if (!req)
1276 goto nomem_tfm;
1277
1278 rxkad_ci_req = req;
1279 rxkad_ci = tfm;
1280 return 0;
1281
1282nomem_tfm:
1283 crypto_free_sync_skcipher(tfm);
1284 return -ENOMEM;
648af7fc
DH		 1285}
1286
1287/*
1288 * Clean up the rxkad security service.
1289 */
1290static void rxkad_exit(void)
1291{
1db88c53
DH		 1292 crypto_free_sync_skcipher(rxkad_ci);
1293 skcipher_request_free(rxkad_ci_req);
648af7fc
DH		 1294}
1295
17926a79
DH		 1296/*
1297 * RxRPC Kerberos-based security
1298 */
648af7fc 1299const struct rxrpc_security rxkad = {
17926a79 1300 .name = "rxkad",
8b815477 1301 .security_index = RXRPC_SECURITY_RXKAD,
063c60d3 1302 .no_key_abort = RXKADUNKNOWNKEY,
648af7fc
DH		 1303 .init = rxkad_init,
1304 .exit = rxkad_exit,
17926a79
DH		 1305 .init_connection_security = rxkad_init_connection_security,
1306 .prime_packet_security = rxkad_prime_packet_security,
1307 .secure_packet = rxkad_secure_packet,
1308 .verify_packet = rxkad_verify_packet,
1db88c53 1309 .free_call_crypto = rxkad_free_call_crypto,
248f219c 1310 .locate_data = rxkad_locate_data,
17926a79
DH		 1311 .issue_challenge = rxkad_issue_challenge,
1312 .respond_to_challenge = rxkad_respond_to_challenge,
1313 .verify_response = rxkad_verify_response,
1314 .clear = rxkad_clear,
1315};
Linux 6.x block layer and io_uring tree(s)