projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge tag 'pm-6.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
[linux-2.6-block.git] / net / rxrpc / rxkad.c
CommitLineData
2874c5fd 1// SPDX-License-Identifier: GPL-2.0-or-later
17926a79
DH		 2/* Kerberos-based RxRPC security
3 *
4 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
17926a79
DH		 6 */
7
9b6d5398
JP		 8#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9
1afe593b 10#include <crypto/skcipher.h>
17926a79
DH		 11#include <linux/module.h>
12#include <linux/net.h>
13#include <linux/skbuff.h>
14#include <linux/udp.h>
17926a79
DH		 15#include <linux/scatterlist.h>
16#include <linux/ctype.h>
5a0e3ad6 17#include <linux/slab.h>
12da59fc 18#include <linux/key-type.h>
17926a79
DH		 19#include <net/sock.h>
20#include <net/af_rxrpc.h>
33941284 21#include <keys/rxrpc-type.h>
17926a79
DH		 22#include "ar-internal.h"
23
24#define RXKAD_VERSION 2
25#define MAXKRB5TICKETLEN 1024
26#define RXKAD_TKT_TYPE_KERBEROS_V5 256
27#define ANAME_SZ 40 /* size of authentication name */
28#define INST_SZ 40 /* size of principal's instance */
29#define REALM_SZ 40 /* size of principal's auth domain */
30#define SNAME_SZ 40 /* size of service name */
d7d775b1 31#define RXKAD_ALIGN 8
17926a79 32
17926a79
DH		 33struct rxkad_level1_hdr {
34 __be32 data_size; /* true data size (excluding padding) */
35};
36
37struct rxkad_level2_hdr {
38 __be32 data_size; /* true data size (excluding padding) */
39 __be32 checksum; /* decrypted data checksum */
40};
41
8d47a43c
DH		 42static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
43 struct crypto_sync_skcipher *ci);
44
17926a79
DH		 45/*
46 * this holds a pinned cipher so that keventd doesn't get called by the cipher
47 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
48 * packets
49 */
69d826fa 50static struct crypto_sync_skcipher *rxkad_ci;
1db88c53 51static struct skcipher_request *rxkad_ci_req;
17926a79
DH		 52static DEFINE_MUTEX(rxkad_ci_mutex);
53
12da59fc
DH		 54/*
55 * Parse the information from a server key
56 *
57 * The data should be the 8-byte secret key.
58 */
59static int rxkad_preparse_server_key(struct key_preparsed_payload *prep)
60{
61 struct crypto_skcipher *ci;
62
63 if (prep->datalen != 8)
64 return -EINVAL;
65
66 memcpy(&prep->payload.data[2], prep->data, 8);
67
68 ci = crypto_alloc_skcipher("pcbc(des)", 0, CRYPTO_ALG_ASYNC);
69 if (IS_ERR(ci)) {
70 _leave(" = %ld", PTR_ERR(ci));
71 return PTR_ERR(ci);
72 }
73
74 if (crypto_skcipher_setkey(ci, prep->data, 8) < 0)
75 BUG();
76
77 prep->payload.data[0] = ci;
78 _leave(" = 0");
79 return 0;
80}
81
82static void rxkad_free_preparse_server_key(struct key_preparsed_payload *prep)
83{
d7d775b1 84
12da59fc
DH		 85 if (prep->payload.data[0])
86 crypto_free_skcipher(prep->payload.data[0]);
87}
88
89static void rxkad_destroy_server_key(struct key *key)
90{
91 if (key->payload.data[0]) {
92 crypto_free_skcipher(key->payload.data[0]);
93 key->payload.data[0] = NULL;
94 }
95}
96
17926a79
DH		 97/*
98 * initialise connection security
99 */
41057ebd
DH		 100static int rxkad_init_connection_security(struct rxrpc_connection *conn,
101 struct rxrpc_key_token *token)
17926a79 102{
69d826fa 103 struct crypto_sync_skcipher *ci;
17926a79
DH		 104 int ret;
105
2cc80086 106 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->key));
17926a79 107
33941284 108 conn->security_ix = token->security_index;
17926a79 109
69d826fa 110 ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
17926a79
DH		 111 if (IS_ERR(ci)) {
112 _debug("no cipher");
113 ret = PTR_ERR(ci);
114 goto error;
115 }
116
69d826fa 117 if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
1afe593b 118 sizeof(token->kad->session_key)) < 0)
17926a79
DH		 119 BUG();
120
2cc80086 121 switch (conn->security_level) {
17926a79 122 case RXRPC_SECURITY_PLAIN:
17926a79 123 case RXRPC_SECURITY_AUTH:
17926a79 124 case RXRPC_SECURITY_ENCRYPT:
17926a79
DH		 125 break;
126 default:
127 ret = -EKEYREJECTED;
128 goto error;
129 }
130
8d47a43c
DH		 131 ret = rxkad_prime_packet_security(conn, ci);
132 if (ret < 0)
133 goto error_ci;
134
521bb304 135 conn->rxkad.cipher = ci;
8d47a43c
DH		 136 return 0;
137
138error_ci:
139 crypto_free_sync_skcipher(ci);
17926a79
DH		 140error:
141 _leave(" = %d", ret);
142 return ret;
143}
144
d7d775b1
DH		 145/*
146 * Work out how much data we can put in a packet.
147 */
49489bb0 148static struct rxrpc_txbuf *rxkad_alloc_txbuf(struct rxrpc_call *call, size_t remain, gfp_t gfp)
d7d775b1 149{
49489bb0 150 struct rxrpc_txbuf *txb;
3d2bdf73 151 size_t shdr, alloc, limit, part;
49489bb0 152
29e03ec7 153 remain = umin(remain, 65535 - sizeof(struct rxrpc_wire_header));
d7d775b1 154
2cc80086 155 switch (call->conn->security_level) {
d7d775b1 156 default:
3d2bdf73
DH		 157 alloc = umin(remain, RXRPC_JUMBO_DATALEN);
158 return rxrpc_alloc_data_txbuf(call, alloc, 1, gfp);
d7d775b1
DH		 159 case RXRPC_SECURITY_AUTH:
160 shdr = sizeof(struct rxkad_level1_hdr);
161 break;
162 case RXRPC_SECURITY_ENCRYPT:
163 shdr = sizeof(struct rxkad_level2_hdr);
164 break;
165 }
166
3d2bdf73
DH		 167 limit = round_down(RXRPC_JUMBO_DATALEN, RXKAD_ALIGN) - shdr;
168 if (remain < limit) {
169 part = remain;
170 alloc = round_up(shdr + part, RXKAD_ALIGN);
171 } else {
172 part = limit;
173 alloc = RXRPC_JUMBO_DATALEN;
174 }
d7d775b1 175
3d2bdf73 176 txb = rxrpc_alloc_data_txbuf(call, alloc, RXKAD_ALIGN, gfp);
49489bb0
DH		 177 if (!txb)
178 return NULL;
d7d775b1 179
9d1d2b59
DH		 180 txb->crypto_header = 0;
181 txb->sec_header = shdr;
182 txb->offset += shdr;
183 txb->space = part;
49489bb0 184 return txb;
d7d775b1
DH		 185}
186
17926a79
DH		 187/*
188 * prime the encryption state with the invariant parts of a connection's
189 * description
190 */
8d47a43c
DH		 191static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
192 struct crypto_sync_skcipher *ci)
17926a79 193{
1db88c53 194 struct skcipher_request *req;
33941284 195 struct rxrpc_key_token *token;
a263629d 196 struct scatterlist sg;
17926a79 197 struct rxrpc_crypt iv;
a263629d
HX		 198 __be32 *tmpbuf;
199 size_t tmpsize = 4 * sizeof(__be32);
17926a79
DH		 200
201 _enter("");
202
2cc80086 203 if (!conn->key)
a263629d
HX		 204 return 0;
205
206 tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
207 if (!tmpbuf)
208 return -ENOMEM;
17926a79 209
8d47a43c 210 req = skcipher_request_alloc(&ci->base, GFP_NOFS);
1db88c53
DH		 211 if (!req) {
212 kfree(tmpbuf);
213 return -ENOMEM;
214 }
215
2cc80086 216 token = conn->key->payload.data[0];
33941284 217 memcpy(&iv, token->kad->session_key, sizeof(iv));
17926a79 218
a263629d
HX		 219 tmpbuf[0] = htonl(conn->proto.epoch);
220 tmpbuf[1] = htonl(conn->proto.cid);
221 tmpbuf[2] = 0;
222 tmpbuf[3] = htonl(conn->security_ix);
1afe593b 223
a263629d 224 sg_init_one(&sg, tmpbuf, tmpsize);
8d47a43c 225 skcipher_request_set_sync_tfm(req, ci);
1afe593b 226 skcipher_request_set_callback(req, 0, NULL, NULL);
a263629d 227 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
1afe593b 228 crypto_skcipher_encrypt(req);
1db88c53 229 skcipher_request_free(req);
17926a79 230
521bb304 231 memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv));
a263629d
HX		 232 kfree(tmpbuf);
233 _leave(" = 0");
234 return 0;
17926a79
DH		 235}
236
1db88c53
DH		 237/*
238 * Allocate and prepare the crypto request on a call. For any particular call,
239 * this is called serially for the packets, so no lock should be necessary.
240 */
241static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call)
242{
521bb304 243 struct crypto_skcipher *tfm = &call->conn->rxkad.cipher->base;
1db88c53 244
30d95efe 245 return skcipher_request_alloc(tfm, GFP_NOFS);
1db88c53
DH		 246}
247
248/*
249 * Clean up the crypto on a call.
250 */
251static void rxkad_free_call_crypto(struct rxrpc_call *call)
252{
1db88c53
DH		 253}
254
17926a79
DH		 255/*
256 * partially encrypt a packet (level 1 security)
257 */
258static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
a4ea4c47 259 struct rxrpc_txbuf *txb,
54424d38 260 struct skcipher_request *req)
17926a79 261{
06ea2c9c 262 struct rxkad_level1_hdr *hdr = txb->data;
17926a79 263 struct rxrpc_crypt iv;
a263629d 264 struct scatterlist sg;
d7d775b1 265 size_t pad;
17926a79
DH		 266 u16 check;
267
17926a79
DH		 268 _enter("");
269
a1c9af4d 270 check = txb->seq ^ call->call_id;
a4ea4c47 271 hdr->data_size = htonl((u32)check << 16 | txb->len);
17926a79 272
3d2bdf73
DH		 273 txb->pkt_len = sizeof(struct rxkad_level1_hdr) + txb->len;
274 pad = txb->pkt_len;
d7d775b1
DH		 275 pad = RXKAD_ALIGN - pad;
276 pad &= RXKAD_ALIGN - 1;
a4ea4c47 277 if (pad) {
06ea2c9c 278 memset(txb->data + txb->offset, 0, pad);
3d2bdf73 279 txb->pkt_len += pad;
a4ea4c47 280 }
d7d775b1 281
17926a79
DH		 282 /* start the encryption afresh */
283 memset(&iv, 0, sizeof(iv));
17926a79 284
49489bb0 285 sg_init_one(&sg, hdr, 8);
521bb304 286 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
1afe593b 287 skcipher_request_set_callback(req, 0, NULL, NULL);
a263629d 288 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
1afe593b
HX		 289 crypto_skcipher_encrypt(req);
290 skcipher_request_zero(req);
17926a79 291
17926a79
DH		 292 _leave(" = 0");
293 return 0;
294}
295
296/*
297 * wholly encrypt a packet (level 2 security)
298 */
299static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
a4ea4c47 300 struct rxrpc_txbuf *txb,
54424d38 301 struct skcipher_request *req)
17926a79 302{
33941284 303 const struct rxrpc_key_token *token;
06ea2c9c 304 struct rxkad_level2_hdr *rxkhdr = txb->data;
17926a79 305 struct rxrpc_crypt iv;
a4ea4c47 306 struct scatterlist sg;
3d2bdf73 307 size_t content, pad;
17926a79 308 u16 check;
a4ea4c47 309 int ret;
17926a79
DH		 310
311 _enter("");
312
a1c9af4d 313 check = txb->seq ^ call->call_id;
17926a79 314
a4ea4c47
DH		 315 rxkhdr->data_size = htonl(txb->len | (u32)check << 16);
316 rxkhdr->checksum = 0;
17926a79 317
3d2bdf73
DH		 318 content = sizeof(struct rxkad_level2_hdr) + txb->len;
319 txb->pkt_len = round_up(content, RXKAD_ALIGN);
320 pad = txb->pkt_len - content;
321 if (pad)
06ea2c9c 322 memset(txb->data + txb->offset, 0, pad);
d7d775b1 323
17926a79 324 /* encrypt from the session key */
2cc80086 325 token = call->conn->key->payload.data[0];
33941284 326 memcpy(&iv, token->kad->session_key, sizeof(iv));
17926a79 327
3d2bdf73 328 sg_init_one(&sg, rxkhdr, txb->pkt_len);
521bb304 329 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
1afe593b 330 skcipher_request_set_callback(req, 0, NULL, NULL);
3d2bdf73 331 skcipher_request_set_crypt(req, &sg, &sg, txb->pkt_len, iv.x);
a4ea4c47 332 ret = crypto_skcipher_encrypt(req);
1afe593b 333 skcipher_request_zero(req);
a4ea4c47 334 return ret;
17926a79
DH		 335}
336
337/*
338 * checksum an RxRPC packet header
339 */
a4ea4c47 340static int rxkad_secure_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb)
17926a79 341{
1db88c53 342 struct skcipher_request *req;
17926a79 343 struct rxrpc_crypt iv;
a263629d 344 struct scatterlist sg;
30d95efe
DH		 345 union {
346 __be32 buf[2];
347 } crypto __aligned(8);
0d12f8a4 348 u32 x, y;
17926a79
DH		 349 int ret;
350
a4ea4c47 351 _enter("{%d{%x}},{#%u},%u,",
2cc80086 352 call->debug_id, key_serial(call->conn->key),
a4ea4c47 353 txb->seq, txb->len);
17926a79 354
521bb304 355 if (!call->conn->rxkad.cipher)
17926a79
DH		 356 return 0;
357
2cc80086 358 ret = key_validate(call->conn->key);
17926a79
DH		 359 if (ret < 0)
360 return ret;
361
1db88c53
DH		 362 req = rxkad_get_call_crypto(call);
363 if (!req)
364 return -ENOMEM;
365
17926a79 366 /* continue encrypting from where we left off */
521bb304 367 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
17926a79
DH		 368
369 /* calculate the security checksum */
a1c9af4d 370 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
a4ea4c47 371 x |= txb->seq & 0x3fffffff;
a1c9af4d 372 crypto.buf[0] = htonl(call->call_id);
30d95efe 373 crypto.buf[1] = htonl(x);
1afe593b 374
30d95efe 375 sg_init_one(&sg, crypto.buf, 8);
521bb304 376 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
1afe593b 377 skcipher_request_set_callback(req, 0, NULL, NULL);
a263629d 378 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
1afe593b
HX		 379 crypto_skcipher_encrypt(req);
380 skcipher_request_zero(req);
17926a79 381
30d95efe 382 y = ntohl(crypto.buf[1]);
91e916cf
AV		 383 y = (y >> 16) & 0xffff;
384 if (y == 0)
385 y = 1; /* zero checksums are not permitted */
41b8debb 386 txb->cksum = htons(y);
17926a79 387
2cc80086 388 switch (call->conn->security_level) {
17926a79 389 case RXRPC_SECURITY_PLAIN:
3d2bdf73 390 txb->pkt_len = txb->len;
17926a79
DH		 391 ret = 0;
392 break;
393 case RXRPC_SECURITY_AUTH:
a4ea4c47 394 ret = rxkad_secure_packet_auth(call, txb, req);
b7313009
DH		 395 if (txb->alloc_size == RXRPC_JUMBO_DATALEN)
396 txb->jumboable = true;
17926a79
DH		 397 break;
398 case RXRPC_SECURITY_ENCRYPT:
a4ea4c47 399 ret = rxkad_secure_packet_encrypt(call, txb, req);
b7313009
DH		 400 if (txb->alloc_size == RXRPC_JUMBO_DATALEN)
401 txb->jumboable = true;
17926a79
DH		 402 break;
403 default:
404 ret = -EPERM;
405 break;
406 }
407
b7313009
DH		 408 /* Clear excess space in the packet */
409 if (txb->pkt_len < txb->alloc_size) {
b7313009 410 size_t gap = txb->alloc_size - txb->pkt_len;
06ea2c9c 411 void *p = txb->data;
b7313009
DH		 412
413 memset(p + txb->pkt_len, 0, gap);
414 }
415
30d95efe 416 skcipher_request_free(req);
5b47d236 417 _leave(" = %d [set %x]", ret, y);
17926a79
DH		 418 return ret;
419}
420
421/*
422 * decrypt partial encryption on a packet (level 1 security)
423 */
5a42976d 424static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
54424d38
KC		 425 rxrpc_seq_t seq,
426 struct skcipher_request *req)
17926a79
DH		 427{
428 struct rxkad_level1_hdr sechdr;
d4d02d8b 429 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
17926a79 430 struct rxrpc_crypt iv;
68e3f5dd 431 struct scatterlist sg[16];
17926a79
DH		 432 u32 data_size, buf;
433 u16 check;
d0d5c0cd 434 int ret;
17926a79
DH		 435
436 _enter("");
437
57af281e
DH		 438 if (sp->len < 8)
439 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
440 rxkad_abort_1_short_header);
17926a79 441
248f219c
DH		 442 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
443 * directly into the target buffer.
444 */
d0d5c0cd 445 sg_init_table(sg, ARRAY_SIZE(sg));
d4d02d8b 446 ret = skb_to_sgvec(skb, sg, sp->offset, 8);
89a5ea99
JD		 447 if (unlikely(ret < 0))
448 return ret;
17926a79
DH		 449
450 /* start the decryption afresh */
451 memset(&iv, 0, sizeof(iv));
17926a79 452
521bb304 453 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
1afe593b
HX		 454 skcipher_request_set_callback(req, 0, NULL, NULL);
455 skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
1afe593b
HX		 456 crypto_skcipher_decrypt(req);
457 skcipher_request_zero(req);
17926a79 458
5a42976d 459 /* Extract the decrypted packet length */
57af281e
DH		 460 if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
461 return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
462 rxkad_abort_1_short_encdata);
d4d02d8b
DH		 463 sp->offset += sizeof(sechdr);
464 sp->len -= sizeof(sechdr);
17926a79
DH		 465
466 buf = ntohl(sechdr.data_size);
467 data_size = buf & 0xffff;
468
469 check = buf >> 16;
5a42976d 470 check ^= seq ^ call->call_id;
17926a79 471 check &= 0xffff;
57af281e
DH		 472 if (check != 0)
473 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
474 rxkad_abort_1_short_check);
475 if (data_size > sp->len)
476 return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
477 rxkad_abort_1_short_data);
d4d02d8b 478 sp->len = data_size;
17926a79
DH		 479
480 _leave(" = 0 [dlen=%x]", data_size);
481 return 0;
17926a79
DH		 482}
483
484/*
485 * wholly decrypt a packet (level 2 security)
486 */
5a42976d 487static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
54424d38
KC		 488 rxrpc_seq_t seq,
489 struct skcipher_request *req)
17926a79 490{
33941284 491 const struct rxrpc_key_token *token;
17926a79 492 struct rxkad_level2_hdr sechdr;
d4d02d8b 493 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
17926a79
DH		 494 struct rxrpc_crypt iv;
495 struct scatterlist _sg[4], *sg;
17926a79
DH		 496 u32 data_size, buf;
497 u16 check;
89a5ea99 498 int nsg, ret;
17926a79 499
d4d02d8b 500 _enter(",{%d}", sp->len);
17926a79 501
57af281e
DH		 502 if (sp->len < 8)
503 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
504 rxkad_abort_2_short_header);
17926a79 505
248f219c
DH		 506 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
507 * directly into the target buffer.
508 */
17926a79 509 sg = _sg;
0d40f728 510 nsg = skb_shinfo(skb)->nr_frags + 1;
d0d5c0cd
DH		 511 if (nsg <= 4) {
512 nsg = 4;
513 } else {
6da2ec56 514 sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
17926a79 515 if (!sg)
57af281e 516 return -ENOMEM;
17926a79
DH		 517 }
518
68e3f5dd 519 sg_init_table(sg, nsg);
d4d02d8b 520 ret = skb_to_sgvec(skb, sg, sp->offset, sp->len);
89a5ea99
JD		 521 if (unlikely(ret < 0)) {
522 if (sg != _sg)
523 kfree(sg);
524 return ret;
525 }
17926a79
DH		 526
527 /* decrypt from the session key */
2cc80086 528 token = call->conn->key->payload.data[0];
33941284 529 memcpy(&iv, token->kad->session_key, sizeof(iv));
17926a79 530
521bb304 531 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
1afe593b 532 skcipher_request_set_callback(req, 0, NULL, NULL);
d4d02d8b 533 skcipher_request_set_crypt(req, sg, sg, sp->len, iv.x);
1afe593b
HX		 534 crypto_skcipher_decrypt(req);
535 skcipher_request_zero(req);
17926a79
DH		 536 if (sg != _sg)
537 kfree(sg);
538
5a42976d 539 /* Extract the decrypted packet length */
57af281e
DH		 540 if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
541 return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
542 rxkad_abort_2_short_len);
d4d02d8b
DH		 543 sp->offset += sizeof(sechdr);
544 sp->len -= sizeof(sechdr);
17926a79
DH		 545
546 buf = ntohl(sechdr.data_size);
547 data_size = buf & 0xffff;
548
549 check = buf >> 16;
5a42976d 550 check ^= seq ^ call->call_id;
17926a79 551 check &= 0xffff;
57af281e
DH		 552 if (check != 0)
553 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
554 rxkad_abort_2_short_check);
17926a79 555
57af281e
DH		 556 if (data_size > sp->len)
557 return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
558 rxkad_abort_2_short_data);
17926a79 559
d4d02d8b 560 sp->len = data_size;
17926a79
DH		 561 _leave(" = 0 [dlen=%x]", data_size);
562 return 0;
17926a79
DH		 563}
564
565/*
d4d02d8b 566 * Verify the security on a received packet and the subpackets therein.
17926a79 567 */
d4d02d8b 568static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb)
17926a79 569{
d4d02d8b 570 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1db88c53 571 struct skcipher_request *req;
17926a79 572 struct rxrpc_crypt iv;
a263629d 573 struct scatterlist sg;
30d95efe
DH		 574 union {
575 __be32 buf[2];
576 } crypto __aligned(8);
d4d02d8b 577 rxrpc_seq_t seq = sp->hdr.seq;
30d95efe 578 int ret;
0d12f8a4
DH		 579 u16 cksum;
580 u32 x, y;
17926a79
DH		 581
582 _enter("{%d{%x}},{#%u}",
2cc80086 583 call->debug_id, key_serial(call->conn->key), seq);
17926a79 584
521bb304 585 if (!call->conn->rxkad.cipher)
17926a79
DH		 586 return 0;
587
1db88c53
DH		 588 req = rxkad_get_call_crypto(call);
589 if (!req)
590 return -ENOMEM;
591
17926a79 592 /* continue encrypting from where we left off */
521bb304 593 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
17926a79
DH		 594
595 /* validate the security checksum */
01a90a45 596 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
5a42976d 597 x |= seq & 0x3fffffff;
30d95efe
DH		 598 crypto.buf[0] = htonl(call->call_id);
599 crypto.buf[1] = htonl(x);
1afe593b 600
30d95efe 601 sg_init_one(&sg, crypto.buf, 8);
521bb304 602 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
1afe593b 603 skcipher_request_set_callback(req, 0, NULL, NULL);
a263629d 604 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
1afe593b
HX		 605 crypto_skcipher_encrypt(req);
606 skcipher_request_zero(req);
17926a79 607
30d95efe 608 y = ntohl(crypto.buf[1]);
0d12f8a4
DH		 609 cksum = (y >> 16) & 0xffff;
610 if (cksum == 0)
611 cksum = 1; /* zero checksums are not permitted */
17926a79 612
d4d02d8b 613 if (cksum != sp->hdr.cksum) {
57af281e
DH		 614 ret = rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
615 rxkad_abort_bad_checksum);
616 goto out;
17926a79
DH		 617 }
618
2cc80086 619 switch (call->conn->security_level) {
17926a79 620 case RXRPC_SECURITY_PLAIN:
30d95efe
DH		 621 ret = 0;
622 break;
17926a79 623 case RXRPC_SECURITY_AUTH:
30d95efe
DH		 624 ret = rxkad_verify_packet_1(call, skb, seq, req);
625 break;
17926a79 626 case RXRPC_SECURITY_ENCRYPT:
30d95efe
DH		 627 ret = rxkad_verify_packet_2(call, skb, seq, req);
628 break;
17926a79 629 default:
30d95efe
DH		 630 ret = -ENOANO;
631 break;
17926a79 632 }
fb46f6ee 633
57af281e 634out:
30d95efe
DH		 635 skcipher_request_free(req);
636 return ret;
17926a79
DH		 637}
638
639/*
640 * issue a challenge
641 */
642static int rxkad_issue_challenge(struct rxrpc_connection *conn)
643{
644 struct rxkad_challenge challenge;
0d12f8a4 645 struct rxrpc_wire_header whdr;
17926a79
DH		 646 struct msghdr msg;
647 struct kvec iov[2];
648 size_t len;
0d12f8a4 649 u32 serial;
17926a79
DH		 650 int ret;
651
ec832bd0 652 _enter("{%d}", conn->debug_id);
17926a79 653
521bb304 654 get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce));
17926a79
DH		 655
656 challenge.version = htonl(2);
521bb304 657 challenge.nonce = htonl(conn->rxkad.nonce);
17926a79
DH		 658 challenge.min_level = htonl(0);
659 challenge.__padding = 0;
660
2cc80086
DH		 661 msg.msg_name = &conn->peer->srx.transport;
662 msg.msg_namelen = conn->peer->srx.transport_len;
17926a79
DH		 663 msg.msg_control = NULL;
664 msg.msg_controllen = 0;
665 msg.msg_flags = 0;
666
19ffa01c
DH		 667 whdr.epoch = htonl(conn->proto.epoch);
668 whdr.cid = htonl(conn->proto.cid);
0d12f8a4
DH		 669 whdr.callNumber = 0;
670 whdr.seq = 0;
671 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE;
672 whdr.flags = conn->out_clientflag;
673 whdr.userStatus = 0;
674 whdr.securityIndex = conn->security_ix;
675 whdr._rsvd = 0;
68d6d1ae 676 whdr.serviceId = htons(conn->service_id);
0d12f8a4
DH		 677
678 iov[0].iov_base = &whdr;
679 iov[0].iov_len = sizeof(whdr);
17926a79
DH		 680 iov[1].iov_base = &challenge;
681 iov[1].iov_len = sizeof(challenge);
682
683 len = iov[0].iov_len + iov[1].iov_len;
684
f3104141 685 serial = rxrpc_get_next_serial(conn);
0d12f8a4 686 whdr.serial = htonl(serial);
17926a79 687
fba69957
DH		 688 trace_rxrpc_tx_challenge(conn, serial, 0, conn->rxkad.nonce);
689
2cc80086 690 ret = kernel_sendmsg(conn->local->socket, &msg, iov, 2, len);
17926a79 691 if (ret < 0) {
6b47fe1d 692 trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
4764c0da 693 rxrpc_tx_point_rxkad_challenge);
17926a79
DH		 694 return -EAGAIN;
695 }
696
2cc80086 697 conn->peer->last_tx_at = ktime_get_seconds();
4764c0da
DH		 698 trace_rxrpc_tx_packet(conn->debug_id, &whdr,
699 rxrpc_tx_point_rxkad_challenge);
17926a79
DH		 700 _leave(" = 0");
701 return 0;
702}
703
17926a79
DH		 704/*
705 * calculate the response checksum
706 */
707static void rxkad_calc_response_checksum(struct rxkad_response *response)
708{
709 u32 csum = 1000003;
710 int loop;
711 u8 *p = (u8 *) response;
712
713 for (loop = sizeof(*response); loop > 0; loop--)
714 csum = csum * 0x10204081 + *p++;
715
716 response->encrypted.checksum = htonl(csum);
717}
718
17926a79
DH		 719/*
720 * encrypt the response packet
721 */
1db88c53 722static int rxkad_encrypt_response(struct rxrpc_connection *conn,
5800b1cf 723 struct sk_buff *response,
1db88c53 724 const struct rxkad_key *s2)
17926a79 725{
1db88c53 726 struct skcipher_request *req;
17926a79 727 struct rxrpc_crypt iv;
a263629d 728 struct scatterlist sg[1];
5800b1cf
DH		 729 size_t encsize = sizeof(((struct rxkad_response *)0)->encrypted);
730 int ret;
731
732 sg_init_table(sg, ARRAY_SIZE(sg));
733 ret = skb_to_sgvec(response, sg,
734 sizeof(struct rxrpc_wire_header) +
735 offsetof(struct rxkad_response, encrypted), encsize);
736 if (ret < 0)
737 return ret;
17926a79 738
521bb304 739 req = skcipher_request_alloc(&conn->rxkad.cipher->base, GFP_NOFS);
1db88c53
DH		 740 if (!req)
741 return -ENOMEM;
742
17926a79
DH		 743 /* continue encrypting from where we left off */
744 memcpy(&iv, s2->session_key, sizeof(iv));
17926a79 745
521bb304 746 skcipher_request_set_sync_tfm(req, conn->rxkad.cipher);
1afe593b 747 skcipher_request_set_callback(req, 0, NULL, NULL);
5800b1cf
DH		 748 skcipher_request_set_crypt(req, sg, sg, encsize, iv.x);
749 ret = crypto_skcipher_encrypt(req);
1db88c53 750 skcipher_request_free(req);
5800b1cf 751 return ret;
17926a79
DH		 752}
753
754/*
5800b1cf 755 * Validate a challenge packet.
17926a79 756 */
5800b1cf
DH		 757static bool rxkad_validate_challenge(struct rxrpc_connection *conn,
758 struct sk_buff *skb)
17926a79 759{
17926a79 760 struct rxkad_challenge challenge;
248f219c 761 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
5800b1cf
DH		 762 u32 version, min_level;
763 int ret;
17926a79 764
2cc80086 765 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
17926a79 766
5800b1cf
DH		 767 if (!conn->key) {
768 rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO,
769 rxkad_abort_chall_no_key);
770 return false;
771 }
17926a79 772
2cc80086 773 ret = key_validate(conn->key);
5800b1cf
DH		 774 if (ret < 0) {
775 rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
776 rxkad_abort_chall_key_expired);
777 return false;
778 }
17926a79 779
775e5b71 780 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
5800b1cf
DH		 781 &challenge, sizeof(challenge)) < 0) {
782 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
783 rxkad_abort_chall_short);
784 return false;
785 }
17926a79
DH		 786
787 version = ntohl(challenge.version);
5800b1cf 788 sp->chall.rxkad_nonce = ntohl(challenge.nonce);
17926a79
DH		 789 min_level = ntohl(challenge.min_level);
790
5800b1cf
DH		 791 trace_rxrpc_rx_challenge(conn, sp->hdr.serial, version,
792 sp->chall.rxkad_nonce, min_level);
17926a79 793
5800b1cf
DH		 794 if (version != RXKAD_VERSION) {
795 rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
796 rxkad_abort_chall_version);
797 return false;
798 }
17926a79 799
5800b1cf
DH		 800 if (conn->security_level < min_level) {
801 rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EACCES,
802 rxkad_abort_chall_level);
803 return false;
804 }
805 return true;
806}
807
808/*
809 * Insert the header into the response.
810 */
811static noinline
812int rxkad_insert_response_header(struct rxrpc_connection *conn,
813 const struct rxrpc_key_token *token,
814 struct sk_buff *challenge,
815 struct sk_buff *response,
816 size_t *offset)
817{
818 struct rxrpc_skb_priv *csp = rxrpc_skb(challenge);
819 struct {
820 struct rxrpc_wire_header whdr;
821 struct rxkad_response resp;
822 } h;
823 int ret;
824
825 h.whdr.epoch = htonl(conn->proto.epoch);
826 h.whdr.cid = htonl(conn->proto.cid);
827 h.whdr.callNumber = 0;
828 h.whdr.serial = 0;
829 h.whdr.seq = 0;
830 h.whdr.type = RXRPC_PACKET_TYPE_RESPONSE;
831 h.whdr.flags = conn->out_clientflag;
832 h.whdr.userStatus = 0;
833 h.whdr.securityIndex = conn->security_ix;
834 h.whdr.cksum = 0;
835 h.whdr.serviceId = htons(conn->service_id);
836 h.resp.version = htonl(RXKAD_VERSION);
837 h.resp.__pad = 0;
838 h.resp.encrypted.epoch = htonl(conn->proto.epoch);
839 h.resp.encrypted.cid = htonl(conn->proto.cid);
840 h.resp.encrypted.checksum = 0;
841 h.resp.encrypted.securityIndex = htonl(conn->security_ix);
842 h.resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
843 h.resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
844 h.resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
845 h.resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
846 h.resp.encrypted.inc_nonce = htonl(csp->chall.rxkad_nonce + 1);
847 h.resp.encrypted.level = htonl(conn->security_level);
848 h.resp.kvno = htonl(token->kad->kvno);
849 h.resp.ticket_len = htonl(token->kad->ticket_len);
850
851 rxkad_calc_response_checksum(&h.resp);
852
853 ret = skb_store_bits(response, *offset, &h, sizeof(h));
854 *offset += sizeof(h);
855 return ret;
856}
857
858/*
859 * respond to a challenge packet
860 */
861static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
862 struct sk_buff *challenge)
863{
864 const struct rxrpc_key_token *token;
865 struct rxrpc_skb_priv *csp, *rsp;
866 struct sk_buff *response;
867 size_t len, offset = 0;
868 int ret = -EPROTO;
869
870 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
871
872 ret = key_validate(conn->key);
873 if (ret < 0)
874 return rxrpc_abort_conn(conn, challenge, RXKADEXPIRED, ret,
875 rxkad_abort_chall_key_expired);
17926a79 876
2cc80086 877 token = conn->key->payload.data[0];
17926a79
DH		 878
879 /* build the response packet */
5800b1cf
DH		 880 len = sizeof(struct rxrpc_wire_header) +
881 sizeof(struct rxkad_response) +
882 token->kad->ticket_len;
883
884 response = alloc_skb_with_frags(0, len, 0, &ret, GFP_NOFS);
885 if (!response)
886 goto error;
887 rxrpc_new_skb(response, rxrpc_skb_new_response_rxkad);
888 response->len = len;
889 response->data_len = len;
890
891 offset = 0;
892 ret = rxkad_insert_response_header(conn, token, challenge, response,
893 &offset);
894 if (ret < 0)
895 goto error;
896
897 ret = rxkad_encrypt_response(conn, response, token->kad);
898 if (ret < 0)
899 goto error;
900
901 ret = skb_store_bits(response, offset, token->kad->ticket,
902 token->kad->ticket_len);
903 if (ret < 0)
904 goto error;
8c2f826d 905
5800b1cf
DH		 906 csp = rxrpc_skb(challenge);
907 rsp = rxrpc_skb(response);
908 rsp->resp.len = len;
909 rsp->resp.challenge_serial = csp->hdr.serial;
910 rxrpc_post_response(conn, response);
911 response = NULL;
912 ret = 0;
913
914error:
915 rxrpc_free_skb(response, rxrpc_skb_put_response);
8c2f826d 916 return ret;
17926a79
DH		 917}
918
5800b1cf
DH		 919/*
920 * RxKAD does automatic response only as there's nothing to manage that isn't
921 * already in the key.
922 */
923static int rxkad_sendmsg_respond_to_challenge(struct sk_buff *challenge,
924 struct msghdr *msg)
925{
926 return -EINVAL;
927}
928
929/**
930 * rxkad_kernel_respond_to_challenge - Respond to a challenge with appdata
931 * @challenge: The challenge to respond to
932 *
933 * Allow a kernel application to respond to a CHALLENGE.
934 *
935 * Return: %0 if successful and a negative error code otherwise.
936 */
937int rxkad_kernel_respond_to_challenge(struct sk_buff *challenge)
938{
939 struct rxrpc_skb_priv *csp = rxrpc_skb(challenge);
940
941 return rxkad_respond_to_challenge(csp->chall.conn, challenge);
942}
943EXPORT_SYMBOL(rxkad_kernel_respond_to_challenge);
944
17926a79
DH		 945/*
946 * decrypt the kerberos IV ticket in the response
947 */
948static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
ec832bd0 949 struct key *server_key,
fb46f6ee 950 struct sk_buff *skb,
17926a79
DH		 951 void *ticket, size_t ticket_len,
952 struct rxrpc_crypt *_session_key,
a00ce28b 953 time64_t *_expiry)
17926a79 954{
1afe593b 955 struct skcipher_request *req;
17926a79 956 struct rxrpc_crypt iv, key;
68e3f5dd 957 struct scatterlist sg[1];
17926a79 958 struct in_addr addr;
95c96174 959 unsigned int life;
10674a03 960 time64_t issue, now;
17926a79 961 bool little_endian;
17926a79
DH		 962 u8 *p, *q, *name, *end;
963
ec832bd0 964 _enter("{%d},{%x}", conn->debug_id, key_serial(server_key));
17926a79
DH		 965
966 *_expiry = 0;
967
ec832bd0 968 ASSERT(server_key->payload.data[0] != NULL);
17926a79
DH		 969 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
970
ec832bd0 971 memcpy(&iv, &server_key->payload.data[2], sizeof(iv));
17926a79 972
ec832bd0 973 req = skcipher_request_alloc(server_key->payload.data[0], GFP_NOFS);
ef68622d 974 if (!req)
57af281e 975 return -ENOMEM;
17926a79 976
68e3f5dd 977 sg_init_one(&sg[0], ticket, ticket_len);
1afe593b
HX		 978 skcipher_request_set_callback(req, 0, NULL, NULL);
979 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
1afe593b
HX		 980 crypto_skcipher_decrypt(req);
981 skcipher_request_free(req);
17926a79
DH		 982
983 p = ticket;
984 end = p + ticket_len;
985
57af281e
DH		 986#define Z(field, fieldl) \
987 ({ \
988 u8 *__str = p; \
989 q = memchr(p, 0, end - p); \
990 if (!q || q - p > field##_SZ) \
991 return rxrpc_abort_conn( \
992 conn, skb, RXKADBADTICKET, -EPROTO, \
993 rxkad_abort_resp_tkt_##fieldl); \
994 for (; p < q; p++) \
995 if (!isprint(*p)) \
996 return rxrpc_abort_conn( \
997 conn, skb, RXKADBADTICKET, -EPROTO, \
998 rxkad_abort_resp_tkt_##fieldl); \
999 p++; \
1000 __str; \
17926a79
DH		 1001 })
1002
1003 /* extract the ticket flags */
1004 _debug("KIV FLAGS: %x", *p);
1005 little_endian = *p & 1;
1006 p++;
1007
1008 /* extract the authentication name */
57af281e 1009 name = Z(ANAME, aname);
17926a79
DH		 1010 _debug("KIV ANAME: %s", name);
1011
1012 /* extract the principal's instance */
57af281e 1013 name = Z(INST, inst);
17926a79
DH		 1014 _debug("KIV INST : %s", name);
1015
1016 /* extract the principal's authentication domain */
57af281e 1017 name = Z(REALM, realm);
17926a79
DH		 1018 _debug("KIV REALM: %s", name);
1019
1020 if (end - p < 4 + 8 + 4 + 2)
57af281e
DH		 1021 return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO,
1022 rxkad_abort_resp_tkt_short);
17926a79
DH		 1023
1024 /* get the IPv4 address of the entity that requested the ticket */
1025 memcpy(&addr, p, sizeof(addr));
1026 p += 4;
21454aaa 1027 _debug("KIV ADDR : %pI4", &addr);
17926a79
DH		 1028
1029 /* get the session key from the ticket */
1030 memcpy(&key, p, sizeof(key));
1031 p += 8;
1032 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
1033 memcpy(_session_key, &key, sizeof(key));
1034
1035 /* get the ticket's lifetime */
1036 life = *p++ * 5 * 60;
1037 _debug("KIV LIFE : %u", life);
1038
1039 /* get the issue time of the ticket */
1040 if (little_endian) {
1041 __le32 stamp;
1042 memcpy(&stamp, p, 4);
10674a03 1043 issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
17926a79
DH		 1044 } else {
1045 __be32 stamp;
1046 memcpy(&stamp, p, 4);
10674a03 1047 issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
17926a79
DH		 1048 }
1049 p += 4;
10674a03
BW		 1050 now = ktime_get_real_seconds();
1051 _debug("KIV ISSUE: %llx [%llx]", issue, now);
17926a79
DH		 1052
1053 /* check the ticket is in date */
57af281e
DH		 1054 if (issue > now)
1055 return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, -EKEYREJECTED,
1056 rxkad_abort_resp_tkt_future);
1057 if (issue < now - life)
1058 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, -EKEYEXPIRED,
1059 rxkad_abort_resp_tkt_expired);
17926a79
DH		 1060
1061 *_expiry = issue + life;
1062
1063 /* get the service name */
57af281e 1064 name = Z(SNAME, sname);
17926a79
DH		 1065 _debug("KIV SNAME: %s", name);
1066
1067 /* get the service instance name */
57af281e 1068 name = Z(INST, sinst);
17926a79 1069 _debug("KIV SINST: %s", name);
ef68622d 1070 return 0;
17926a79
DH		 1071}
1072
1073/*
1074 * decrypt the response packet
1075 */
1076static void rxkad_decrypt_response(struct rxrpc_connection *conn,
1077 struct rxkad_response *resp,
1078 const struct rxrpc_crypt *session_key)
1079{
1db88c53 1080 struct skcipher_request *req = rxkad_ci_req;
a263629d 1081 struct scatterlist sg[1];
17926a79
DH		 1082 struct rxrpc_crypt iv;
1083
1084 _enter(",,%08x%08x",
1085 ntohl(session_key->n[0]), ntohl(session_key->n[1]));
1086
17926a79 1087 mutex_lock(&rxkad_ci_mutex);
69d826fa 1088 if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
1db88c53 1089 sizeof(*session_key)) < 0)
17926a79
DH		 1090 BUG();
1091
1092 memcpy(&iv, session_key, sizeof(iv));
17926a79 1093
a263629d
HX		 1094 sg_init_table(sg, 1);
1095 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
69d826fa 1096 skcipher_request_set_sync_tfm(req, rxkad_ci);
1afe593b
HX		 1097 skcipher_request_set_callback(req, 0, NULL, NULL);
1098 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1afe593b
HX		 1099 crypto_skcipher_decrypt(req);
1100 skcipher_request_zero(req);
1101
17926a79
DH		 1102 mutex_unlock(&rxkad_ci_mutex);
1103
1104 _leave("");
1105}
1106
1107/*
1108 * verify a response
1109 */
1110static int rxkad_verify_response(struct rxrpc_connection *conn,
a00ce28b 1111 struct sk_buff *skb)
17926a79 1112{
8c2f826d 1113 struct rxkad_response *response;
248f219c 1114 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
17926a79 1115 struct rxrpc_crypt session_key;
ec832bd0 1116 struct key *server_key;
10674a03 1117 time64_t expiry;
17926a79 1118 void *ticket;
57af281e 1119 u32 version, kvno, ticket_len, level;
91e916cf 1120 __be32 csum;
a1399f8b 1121 int ret, i;
17926a79 1122
ec832bd0
DH		 1123 _enter("{%d}", conn->debug_id);
1124
1125 server_key = rxrpc_look_up_server_security(conn, skb, 0, 0);
1126 if (IS_ERR(server_key)) {
57af281e
DH		 1127 ret = PTR_ERR(server_key);
1128 switch (ret) {
ec832bd0 1129 case -ENOKEY:
57af281e
DH		 1130 return rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, ret,
1131 rxkad_abort_resp_nokey);
ec832bd0 1132 case -EKEYEXPIRED:
57af281e
DH		 1133 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
1134 rxkad_abort_resp_key_expired);
ec832bd0 1135 default:
57af281e
DH		 1136 return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, ret,
1137 rxkad_abort_resp_key_rejected);
ec832bd0 1138 }
ec832bd0 1139 }
17926a79 1140
8c2f826d
DH		 1141 ret = -ENOMEM;
1142 response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1143 if (!response)
1144 goto temporary_error;
1145
775e5b71 1146 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
57af281e
DH		 1147 response, sizeof(*response)) < 0) {
1148 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1149 rxkad_abort_resp_short);
17926a79 1150 goto protocol_error;
57af281e 1151 }
17926a79 1152
8c2f826d
DH		 1153 version = ntohl(response->version);
1154 ticket_len = ntohl(response->ticket_len);
1155 kvno = ntohl(response->kvno);
2ebdb26e
DH		 1156
1157 trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len);
17926a79 1158
57af281e
DH		 1159 if (version != RXKAD_VERSION) {
1160 rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
1161 rxkad_abort_resp_version);
4aa9cb32 1162 goto protocol_error;
57af281e 1163 }
17926a79 1164
57af281e
DH		 1165 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) {
1166 rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO,
1167 rxkad_abort_resp_tkt_len);
17926a79 1168 goto protocol_error;
57af281e 1169 }
17926a79 1170
57af281e
DH		 1171 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) {
1172 rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO,
1173 rxkad_abort_resp_unknown_tkt);
17926a79 1174 goto protocol_error;
57af281e 1175 }
17926a79
DH		 1176
1177 /* extract the kerberos ticket and decrypt and decode it */
ef68622d 1178 ret = -ENOMEM;
17926a79
DH		 1179 ticket = kmalloc(ticket_len, GFP_NOFS);
1180 if (!ticket)
b43c75ab 1181 goto temporary_error_free_resp;
17926a79 1182
57af281e
DH		 1183 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response),
1184 ticket, ticket_len) < 0) {
1185 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1186 rxkad_abort_resp_short_tkt);
1187 goto protocol_error;
1188 }
17926a79 1189
ec832bd0 1190 ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len,
a00ce28b 1191 &session_key, &expiry);
ef68622d 1192 if (ret < 0)
f45d01f4 1193 goto temporary_error_free_ticket;
17926a79
DH		 1194
1195 /* use the session key from inside the ticket to decrypt the
1196 * response */
8c2f826d 1197 rxkad_decrypt_response(conn, response, &session_key);
17926a79 1198
57af281e
DH		 1199 if (ntohl(response->encrypted.epoch) != conn->proto.epoch ||
1200 ntohl(response->encrypted.cid) != conn->proto.cid ||
1201 ntohl(response->encrypted.securityIndex) != conn->security_ix) {
1202 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1203 rxkad_abort_resp_bad_param);
17926a79 1204 goto protocol_error_free;
57af281e
DH		 1205 }
1206
8c2f826d
DH		 1207 csum = response->encrypted.checksum;
1208 response->encrypted.checksum = 0;
1209 rxkad_calc_response_checksum(response);
57af281e
DH		 1210 if (response->encrypted.checksum != csum) {
1211 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1212 rxkad_abort_resp_bad_checksum);
17926a79 1213 goto protocol_error_free;
57af281e 1214 }
17926a79 1215
a1399f8b 1216 for (i = 0; i < RXRPC_MAXCALLS; i++) {
8c2f826d 1217 u32 call_id = ntohl(response->encrypted.call_id[i]);
9d35d880 1218 u32 counter = READ_ONCE(conn->channels[i].call_counter);
a1399f8b 1219
57af281e
DH		 1220 if (call_id > INT_MAX) {
1221 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1222 rxkad_abort_resp_bad_callid);
9d35d880 1223 goto protocol_error_free;
57af281e 1224 }
a1399f8b 1225
9d35d880 1226 if (call_id < counter) {
57af281e
DH		 1227 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1228 rxkad_abort_resp_call_ctr);
9d35d880 1229 goto protocol_error_free;
57af281e 1230 }
fb46f6ee 1231
9d35d880
DH		 1232 if (call_id > counter) {
1233 if (conn->channels[i].call) {
57af281e
DH		 1234 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1235 rxkad_abort_resp_call_state);
9d35d880 1236 goto protocol_error_free;
57af281e 1237 }
a1399f8b
DH		 1238 conn->channels[i].call_counter = call_id;
1239 }
1240 }
17926a79 1241
57af281e
DH		 1242 if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) {
1243 rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO,
1244 rxkad_abort_resp_ooseq);
17926a79 1245 goto protocol_error_free;
57af281e 1246 }
17926a79 1247
8c2f826d 1248 level = ntohl(response->encrypted.level);
57af281e
DH		 1249 if (level > RXRPC_SECURITY_ENCRYPT) {
1250 rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO,
1251 rxkad_abort_resp_level);
17926a79 1252 goto protocol_error_free;
57af281e 1253 }
2cc80086 1254 conn->security_level = level;
17926a79
DH		 1255
1256 /* create a key to hold the security data and expiration time - after
1257 * this the connection security can be handled in exactly the same way
1258 * as for a client connection */
1259 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
ef68622d 1260 if (ret < 0)
8c2f826d 1261 goto temporary_error_free_ticket;
17926a79
DH		 1262
1263 kfree(ticket);
8c2f826d 1264 kfree(response);
17926a79
DH		 1265 _leave(" = 0");
1266 return 0;
1267
1268protocol_error_free:
1269 kfree(ticket);
1270protocol_error:
8c2f826d 1271 kfree(response);
ec832bd0 1272 key_put(server_key);
57af281e 1273 return -EPROTO;
ef68622d 1274
8c2f826d 1275temporary_error_free_ticket:
ef68622d 1276 kfree(ticket);
b43c75ab 1277temporary_error_free_resp:
8c2f826d 1278 kfree(response);
ef68622d
DH		 1279temporary_error:
1280 /* Ignore the response packet if we got a temporary error such as
1281 * ENOMEM. We just want to send the challenge again. Note that we
1282 * also come out this way if the ticket decryption fails.
1283 */
ec832bd0 1284 key_put(server_key);
ef68622d 1285 return ret;
17926a79
DH		 1286}
1287
1288/*
1289 * clear the connection security
1290 */
1291static void rxkad_clear(struct rxrpc_connection *conn)
1292{
1293 _enter("");
1294
521bb304
DH		 1295 if (conn->rxkad.cipher)
1296 crypto_free_sync_skcipher(conn->rxkad.cipher);
17926a79
DH		 1297}
1298
648af7fc
DH		 1299/*
1300 * Initialise the rxkad security service.
1301 */
1302static int rxkad_init(void)
1303{
1db88c53
DH		 1304 struct crypto_sync_skcipher *tfm;
1305 struct skcipher_request *req;
1306
648af7fc
DH		 1307 /* pin the cipher we need so that the crypto layer doesn't invoke
1308 * keventd to go get it */
1db88c53
DH		 1309 tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
1310 if (IS_ERR(tfm))
1311 return PTR_ERR(tfm);
1312
1313 req = skcipher_request_alloc(&tfm->base, GFP_KERNEL);
1314 if (!req)
1315 goto nomem_tfm;
1316
1317 rxkad_ci_req = req;
1318 rxkad_ci = tfm;
1319 return 0;
1320
1321nomem_tfm:
1322 crypto_free_sync_skcipher(tfm);
1323 return -ENOMEM;
648af7fc
DH		 1324}
1325
1326/*
1327 * Clean up the rxkad security service.
1328 */
1329static void rxkad_exit(void)
1330{
1db88c53
DH		 1331 crypto_free_sync_skcipher(rxkad_ci);
1332 skcipher_request_free(rxkad_ci_req);
648af7fc
DH		 1333}
1334
17926a79
DH		 1335/*
1336 * RxRPC Kerberos-based security
1337 */
648af7fc 1338const struct rxrpc_security rxkad = {
17926a79 1339 .name = "rxkad",
8b815477 1340 .security_index = RXRPC_SECURITY_RXKAD,
063c60d3 1341 .no_key_abort = RXKADUNKNOWNKEY,
648af7fc
DH		 1342 .init = rxkad_init,
1343 .exit = rxkad_exit,
12da59fc
DH		 1344 .preparse_server_key = rxkad_preparse_server_key,
1345 .free_preparse_server_key = rxkad_free_preparse_server_key,
1346 .destroy_server_key = rxkad_destroy_server_key,
17926a79 1347 .init_connection_security = rxkad_init_connection_security,
49489bb0 1348 .alloc_txbuf = rxkad_alloc_txbuf,
17926a79
DH		 1349 .secure_packet = rxkad_secure_packet,
1350 .verify_packet = rxkad_verify_packet,
1db88c53 1351 .free_call_crypto = rxkad_free_call_crypto,
17926a79 1352 .issue_challenge = rxkad_issue_challenge,
5800b1cf
DH		 1353 .validate_challenge = rxkad_validate_challenge,
1354 .sendmsg_respond_to_challenge = rxkad_sendmsg_respond_to_challenge,
17926a79
DH		 1355 .respond_to_challenge = rxkad_respond_to_challenge,
1356 .verify_response = rxkad_verify_response,
1357 .clear = rxkad_clear,
1358};
Linux 6.x block layer and io_uring tree(s)