1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Kerberos-based RxRPC security
4 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10 #include <crypto/skcipher.h>
11 #include <linux/module.h>
12 #include <linux/net.h>
13 #include <linux/skbuff.h>
14 #include <linux/udp.h>
15 #include <linux/scatterlist.h>
16 #include <linux/ctype.h>
17 #include <linux/slab.h>
19 #include <net/af_rxrpc.h>
20 #include <keys/rxrpc-type.h>
21 #include "ar-internal.h"
23 #define RXKAD_VERSION 2
24 #define MAXKRB5TICKETLEN 1024
25 #define RXKAD_TKT_TYPE_KERBEROS_V5 256
26 #define ANAME_SZ 40 /* size of authentication name */
27 #define INST_SZ 40 /* size of principal's instance */
28 #define REALM_SZ 40 /* size of principal's auth domain */
29 #define SNAME_SZ 40 /* size of service name */
31 struct rxkad_level1_hdr {
32 __be32 data_size; /* true data size (excluding padding) */
35 struct rxkad_level2_hdr {
36 __be32 data_size; /* true data size (excluding padding) */
37 __be32 checksum; /* decrypted data checksum */
41 * this holds a pinned cipher so that keventd doesn't get called by the cipher
42 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
45 static struct crypto_sync_skcipher *rxkad_ci;
46 static DEFINE_MUTEX(rxkad_ci_mutex);
49 * initialise connection security
51 static int rxkad_init_connection_security(struct rxrpc_connection *conn)
53 struct crypto_sync_skcipher *ci;
54 struct rxrpc_key_token *token;
57 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
59 token = conn->params.key->payload.data[0];
60 conn->security_ix = token->security_index;
62 ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
69 if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
70 sizeof(token->kad->session_key)) < 0)
73 switch (conn->params.security_level) {
74 case RXRPC_SECURITY_PLAIN:
76 case RXRPC_SECURITY_AUTH:
78 conn->security_size = sizeof(struct rxkad_level1_hdr);
80 case RXRPC_SECURITY_ENCRYPT:
82 conn->security_size = sizeof(struct rxkad_level2_hdr);
97 * prime the encryption state with the invariant parts of a connection's
100 static int rxkad_prime_packet_security(struct rxrpc_connection *conn)
102 struct rxrpc_key_token *token;
103 SYNC_SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
104 struct scatterlist sg;
105 struct rxrpc_crypt iv;
107 size_t tmpsize = 4 * sizeof(__be32);
111 if (!conn->params.key)
114 tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
118 token = conn->params.key->payload.data[0];
119 memcpy(&iv, token->kad->session_key, sizeof(iv));
121 tmpbuf[0] = htonl(conn->proto.epoch);
122 tmpbuf[1] = htonl(conn->proto.cid);
124 tmpbuf[3] = htonl(conn->security_ix);
126 sg_init_one(&sg, tmpbuf, tmpsize);
127 skcipher_request_set_sync_tfm(req, conn->cipher);
128 skcipher_request_set_callback(req, 0, NULL, NULL);
129 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
130 crypto_skcipher_encrypt(req);
131 skcipher_request_zero(req);
133 memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv));
140 * partially encrypt a packet (level 1 security)
142 static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
146 struct skcipher_request *req)
148 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
149 struct rxkad_level1_hdr hdr;
150 struct rxrpc_crypt iv;
151 struct scatterlist sg;
156 check = sp->hdr.seq ^ call->call_id;
157 data_size |= (u32)check << 16;
159 hdr.data_size = htonl(data_size);
160 memcpy(sechdr, &hdr, sizeof(hdr));
162 /* start the encryption afresh */
163 memset(&iv, 0, sizeof(iv));
165 sg_init_one(&sg, sechdr, 8);
166 skcipher_request_set_sync_tfm(req, call->conn->cipher);
167 skcipher_request_set_callback(req, 0, NULL, NULL);
168 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
169 crypto_skcipher_encrypt(req);
170 skcipher_request_zero(req);
177 * wholly encrypt a packet (level 2 security)
179 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
183 struct skcipher_request *req)
185 const struct rxrpc_key_token *token;
186 struct rxkad_level2_hdr rxkhdr;
187 struct rxrpc_skb_priv *sp;
188 struct rxrpc_crypt iv;
189 struct scatterlist sg[16];
198 check = sp->hdr.seq ^ call->call_id;
200 rxkhdr.data_size = htonl(data_size | (u32)check << 16);
202 memcpy(sechdr, &rxkhdr, sizeof(rxkhdr));
204 /* encrypt from the session key */
205 token = call->conn->params.key->payload.data[0];
206 memcpy(&iv, token->kad->session_key, sizeof(iv));
208 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
209 skcipher_request_set_sync_tfm(req, call->conn->cipher);
210 skcipher_request_set_callback(req, 0, NULL, NULL);
211 skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
212 crypto_skcipher_encrypt(req);
214 /* we want to encrypt the skbuff in-place */
216 if (skb_shinfo(skb)->nr_frags > 16)
219 len = data_size + call->conn->size_align - 1;
220 len &= ~(call->conn->size_align - 1);
222 sg_init_table(sg, ARRAY_SIZE(sg));
223 err = skb_to_sgvec(skb, sg, 0, len);
224 if (unlikely(err < 0))
226 skcipher_request_set_crypt(req, sg, sg, len, iv.x);
227 crypto_skcipher_encrypt(req);
233 skcipher_request_zero(req);
238 * checksum an RxRPC packet header
240 static int rxkad_secure_packet(struct rxrpc_call *call,
245 struct rxrpc_skb_priv *sp;
246 SYNC_SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
247 struct rxrpc_crypt iv;
248 struct scatterlist sg;
254 _enter("{%d{%x}},{#%u},%zu,",
255 call->debug_id, key_serial(call->conn->params.key),
256 sp->hdr.seq, data_size);
258 if (!call->conn->cipher)
261 ret = key_validate(call->conn->params.key);
265 /* continue encrypting from where we left off */
266 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
268 /* calculate the security checksum */
269 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
270 x |= sp->hdr.seq & 0x3fffffff;
271 call->crypto_buf[0] = htonl(call->call_id);
272 call->crypto_buf[1] = htonl(x);
274 sg_init_one(&sg, call->crypto_buf, 8);
275 skcipher_request_set_sync_tfm(req, call->conn->cipher);
276 skcipher_request_set_callback(req, 0, NULL, NULL);
277 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
278 crypto_skcipher_encrypt(req);
279 skcipher_request_zero(req);
281 y = ntohl(call->crypto_buf[1]);
282 y = (y >> 16) & 0xffff;
284 y = 1; /* zero checksums are not permitted */
287 switch (call->conn->params.security_level) {
288 case RXRPC_SECURITY_PLAIN:
291 case RXRPC_SECURITY_AUTH:
292 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr,
295 case RXRPC_SECURITY_ENCRYPT:
296 ret = rxkad_secure_packet_encrypt(call, skb, data_size,
304 _leave(" = %d [set %hx]", ret, y);
309 * decrypt partial encryption on a packet (level 1 security)
311 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
312 unsigned int offset, unsigned int len,
314 struct skcipher_request *req)
316 struct rxkad_level1_hdr sechdr;
317 struct rxrpc_crypt iv;
318 struct scatterlist sg[16];
327 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_hdr", "V1H",
332 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
333 * directly into the target buffer.
335 sg_init_table(sg, ARRAY_SIZE(sg));
336 ret = skb_to_sgvec(skb, sg, offset, 8);
337 if (unlikely(ret < 0))
340 /* start the decryption afresh */
341 memset(&iv, 0, sizeof(iv));
343 skcipher_request_set_sync_tfm(req, call->conn->cipher);
344 skcipher_request_set_callback(req, 0, NULL, NULL);
345 skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
346 crypto_skcipher_decrypt(req);
347 skcipher_request_zero(req);
349 /* Extract the decrypted packet length */
350 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
351 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_len", "XV1",
355 offset += sizeof(sechdr);
356 len -= sizeof(sechdr);
358 buf = ntohl(sechdr.data_size);
359 data_size = buf & 0xffff;
362 check ^= seq ^ call->call_id;
365 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_check", "V1C",
370 if (data_size > len) {
371 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_datalen", "V1L",
376 _leave(" = 0 [dlen=%x]", data_size);
381 rxrpc_send_abort_packet(call);
386 * wholly decrypt a packet (level 2 security)
388 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
389 unsigned int offset, unsigned int len,
391 struct skcipher_request *req)
393 const struct rxrpc_key_token *token;
394 struct rxkad_level2_hdr sechdr;
395 struct rxrpc_crypt iv;
396 struct scatterlist _sg[4], *sg;
402 _enter(",{%d}", skb->len);
405 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_hdr", "V2H",
410 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
411 * directly into the target buffer.
414 nsg = skb_shinfo(skb)->nr_frags;
418 sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
423 sg_init_table(sg, nsg);
424 ret = skb_to_sgvec(skb, sg, offset, len);
425 if (unlikely(ret < 0)) {
431 /* decrypt from the session key */
432 token = call->conn->params.key->payload.data[0];
433 memcpy(&iv, token->kad->session_key, sizeof(iv));
435 skcipher_request_set_sync_tfm(req, call->conn->cipher);
436 skcipher_request_set_callback(req, 0, NULL, NULL);
437 skcipher_request_set_crypt(req, sg, sg, len, iv.x);
438 crypto_skcipher_decrypt(req);
439 skcipher_request_zero(req);
443 /* Extract the decrypted packet length */
444 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
445 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_len", "XV2",
449 offset += sizeof(sechdr);
450 len -= sizeof(sechdr);
452 buf = ntohl(sechdr.data_size);
453 data_size = buf & 0xffff;
456 check ^= seq ^ call->call_id;
459 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_check", "V2C",
464 if (data_size > len) {
465 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_datalen", "V2L",
470 _leave(" = 0 [dlen=%x]", data_size);
475 rxrpc_send_abort_packet(call);
479 _leave(" = -ENOMEM");
484 * Verify the security on a received packet or subpacket (if part of a
487 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb,
488 unsigned int offset, unsigned int len,
489 rxrpc_seq_t seq, u16 expected_cksum)
491 SYNC_SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
492 struct rxrpc_crypt iv;
493 struct scatterlist sg;
498 _enter("{%d{%x}},{#%u}",
499 call->debug_id, key_serial(call->conn->params.key), seq);
501 if (!call->conn->cipher)
504 /* continue encrypting from where we left off */
505 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
507 /* validate the security checksum */
508 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
509 x |= seq & 0x3fffffff;
510 call->crypto_buf[0] = htonl(call->call_id);
511 call->crypto_buf[1] = htonl(x);
513 sg_init_one(&sg, call->crypto_buf, 8);
514 skcipher_request_set_sync_tfm(req, call->conn->cipher);
515 skcipher_request_set_callback(req, 0, NULL, NULL);
516 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
517 crypto_skcipher_encrypt(req);
518 skcipher_request_zero(req);
520 y = ntohl(call->crypto_buf[1]);
521 cksum = (y >> 16) & 0xffff;
523 cksum = 1; /* zero checksums are not permitted */
525 if (cksum != expected_cksum) {
526 aborted = rxrpc_abort_eproto(call, skb, "rxkad_csum", "VCK",
531 switch (call->conn->params.security_level) {
532 case RXRPC_SECURITY_PLAIN:
534 case RXRPC_SECURITY_AUTH:
535 return rxkad_verify_packet_1(call, skb, offset, len, seq, req);
536 case RXRPC_SECURITY_ENCRYPT:
537 return rxkad_verify_packet_2(call, skb, offset, len, seq, req);
544 rxrpc_send_abort_packet(call);
549 * Locate the data contained in a packet that was partially encrypted.
551 static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb,
552 unsigned int *_offset, unsigned int *_len)
554 struct rxkad_level1_hdr sechdr;
556 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
558 *_offset += sizeof(sechdr);
559 *_len = ntohl(sechdr.data_size) & 0xffff;
563 * Locate the data contained in a packet that was completely encrypted.
565 static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb,
566 unsigned int *_offset, unsigned int *_len)
568 struct rxkad_level2_hdr sechdr;
570 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
572 *_offset += sizeof(sechdr);
573 *_len = ntohl(sechdr.data_size) & 0xffff;
577 * Locate the data contained in an already decrypted packet.
579 static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb,
580 unsigned int *_offset, unsigned int *_len)
582 switch (call->conn->params.security_level) {
583 case RXRPC_SECURITY_AUTH:
584 rxkad_locate_data_1(call, skb, _offset, _len);
586 case RXRPC_SECURITY_ENCRYPT:
587 rxkad_locate_data_2(call, skb, _offset, _len);
597 static int rxkad_issue_challenge(struct rxrpc_connection *conn)
599 struct rxkad_challenge challenge;
600 struct rxrpc_wire_header whdr;
607 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
609 ret = key_validate(conn->params.key);
613 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
615 challenge.version = htonl(2);
616 challenge.nonce = htonl(conn->security_nonce);
617 challenge.min_level = htonl(0);
618 challenge.__padding = 0;
620 msg.msg_name = &conn->params.peer->srx.transport;
621 msg.msg_namelen = conn->params.peer->srx.transport_len;
622 msg.msg_control = NULL;
623 msg.msg_controllen = 0;
626 whdr.epoch = htonl(conn->proto.epoch);
627 whdr.cid = htonl(conn->proto.cid);
630 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE;
631 whdr.flags = conn->out_clientflag;
633 whdr.securityIndex = conn->security_ix;
635 whdr.serviceId = htons(conn->service_id);
637 iov[0].iov_base = &whdr;
638 iov[0].iov_len = sizeof(whdr);
639 iov[1].iov_base = &challenge;
640 iov[1].iov_len = sizeof(challenge);
642 len = iov[0].iov_len + iov[1].iov_len;
644 serial = atomic_inc_return(&conn->serial);
645 whdr.serial = htonl(serial);
646 _proto("Tx CHALLENGE %%%u", serial);
648 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
650 trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
651 rxrpc_tx_point_rxkad_challenge);
655 conn->params.peer->last_tx_at = ktime_get_seconds();
656 trace_rxrpc_tx_packet(conn->debug_id, &whdr,
657 rxrpc_tx_point_rxkad_challenge);
663 * send a Kerberos security response
665 static int rxkad_send_response(struct rxrpc_connection *conn,
666 struct rxrpc_host_header *hdr,
667 struct rxkad_response *resp,
668 const struct rxkad_key *s2)
670 struct rxrpc_wire_header whdr;
679 msg.msg_name = &conn->params.peer->srx.transport;
680 msg.msg_namelen = conn->params.peer->srx.transport_len;
681 msg.msg_control = NULL;
682 msg.msg_controllen = 0;
685 memset(&whdr, 0, sizeof(whdr));
686 whdr.epoch = htonl(hdr->epoch);
687 whdr.cid = htonl(hdr->cid);
688 whdr.type = RXRPC_PACKET_TYPE_RESPONSE;
689 whdr.flags = conn->out_clientflag;
690 whdr.securityIndex = hdr->securityIndex;
691 whdr.serviceId = htons(hdr->serviceId);
693 iov[0].iov_base = &whdr;
694 iov[0].iov_len = sizeof(whdr);
695 iov[1].iov_base = resp;
696 iov[1].iov_len = sizeof(*resp);
697 iov[2].iov_base = (void *)s2->ticket;
698 iov[2].iov_len = s2->ticket_len;
700 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
702 serial = atomic_inc_return(&conn->serial);
703 whdr.serial = htonl(serial);
704 _proto("Tx RESPONSE %%%u", serial);
706 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
708 trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
709 rxrpc_tx_point_rxkad_response);
713 conn->params.peer->last_tx_at = ktime_get_seconds();
719 * calculate the response checksum
721 static void rxkad_calc_response_checksum(struct rxkad_response *response)
725 u8 *p = (u8 *) response;
727 for (loop = sizeof(*response); loop > 0; loop--)
728 csum = csum * 0x10204081 + *p++;
730 response->encrypted.checksum = htonl(csum);
734 * encrypt the response packet
736 static void rxkad_encrypt_response(struct rxrpc_connection *conn,
737 struct rxkad_response *resp,
738 const struct rxkad_key *s2)
740 SYNC_SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
741 struct rxrpc_crypt iv;
742 struct scatterlist sg[1];
744 /* continue encrypting from where we left off */
745 memcpy(&iv, s2->session_key, sizeof(iv));
747 sg_init_table(sg, 1);
748 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
749 skcipher_request_set_sync_tfm(req, conn->cipher);
750 skcipher_request_set_callback(req, 0, NULL, NULL);
751 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
752 crypto_skcipher_encrypt(req);
753 skcipher_request_zero(req);
757 * respond to a challenge packet
759 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
763 const struct rxrpc_key_token *token;
764 struct rxkad_challenge challenge;
765 struct rxkad_response *resp;
766 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
768 u32 version, nonce, min_level, abort_code;
771 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
773 eproto = tracepoint_string("chall_no_key");
774 abort_code = RX_PROTOCOL_ERROR;
775 if (!conn->params.key)
778 abort_code = RXKADEXPIRED;
779 ret = key_validate(conn->params.key);
783 eproto = tracepoint_string("chall_short");
784 abort_code = RXKADPACKETSHORT;
785 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
786 &challenge, sizeof(challenge)) < 0)
789 version = ntohl(challenge.version);
790 nonce = ntohl(challenge.nonce);
791 min_level = ntohl(challenge.min_level);
793 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
794 sp->hdr.serial, version, nonce, min_level);
796 eproto = tracepoint_string("chall_ver");
797 abort_code = RXKADINCONSISTENCY;
798 if (version != RXKAD_VERSION)
801 abort_code = RXKADLEVELFAIL;
803 if (conn->params.security_level < min_level)
806 token = conn->params.key->payload.data[0];
808 /* build the response packet */
809 resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
813 resp->version = htonl(RXKAD_VERSION);
814 resp->encrypted.epoch = htonl(conn->proto.epoch);
815 resp->encrypted.cid = htonl(conn->proto.cid);
816 resp->encrypted.securityIndex = htonl(conn->security_ix);
817 resp->encrypted.inc_nonce = htonl(nonce + 1);
818 resp->encrypted.level = htonl(conn->params.security_level);
819 resp->kvno = htonl(token->kad->kvno);
820 resp->ticket_len = htonl(token->kad->ticket_len);
821 resp->encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
822 resp->encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
823 resp->encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
824 resp->encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
826 /* calculate the response checksum and then do the encryption */
827 rxkad_calc_response_checksum(resp);
828 rxkad_encrypt_response(conn, resp, token->kad);
829 ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad);
834 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
837 *_abort_code = abort_code;
842 * decrypt the kerberos IV ticket in the response
844 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
846 void *ticket, size_t ticket_len,
847 struct rxrpc_crypt *_session_key,
851 struct skcipher_request *req;
852 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
853 struct rxrpc_crypt iv, key;
854 struct scatterlist sg[1];
862 u8 *p, *q, *name, *end;
864 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
868 ret = key_validate(conn->server_key);
872 abort_code = RXKADEXPIRED;
875 abort_code = RXKADNOAUTH;
880 ASSERT(conn->server_key->payload.data[0] != NULL);
881 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
883 memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
886 req = skcipher_request_alloc(conn->server_key->payload.data[0],
889 goto temporary_error;
891 sg_init_one(&sg[0], ticket, ticket_len);
892 skcipher_request_set_callback(req, 0, NULL, NULL);
893 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
894 crypto_skcipher_decrypt(req);
895 skcipher_request_free(req);
898 end = p + ticket_len;
903 eproto = tracepoint_string("rxkad_bad_"#field); \
904 q = memchr(p, 0, end - p); \
905 if (!q || q - p > (field##_SZ)) \
914 /* extract the ticket flags */
915 _debug("KIV FLAGS: %x", *p);
916 little_endian = *p & 1;
919 /* extract the authentication name */
921 _debug("KIV ANAME: %s", name);
923 /* extract the principal's instance */
925 _debug("KIV INST : %s", name);
927 /* extract the principal's authentication domain */
929 _debug("KIV REALM: %s", name);
931 eproto = tracepoint_string("rxkad_bad_len");
932 if (end - p < 4 + 8 + 4 + 2)
935 /* get the IPv4 address of the entity that requested the ticket */
936 memcpy(&addr, p, sizeof(addr));
938 _debug("KIV ADDR : %pI4", &addr);
940 /* get the session key from the ticket */
941 memcpy(&key, p, sizeof(key));
943 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
944 memcpy(_session_key, &key, sizeof(key));
946 /* get the ticket's lifetime */
947 life = *p++ * 5 * 60;
948 _debug("KIV LIFE : %u", life);
950 /* get the issue time of the ticket */
953 memcpy(&stamp, p, 4);
954 issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
957 memcpy(&stamp, p, 4);
958 issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
961 now = ktime_get_real_seconds();
962 _debug("KIV ISSUE: %llx [%llx]", issue, now);
964 /* check the ticket is in date */
966 abort_code = RXKADNOAUTH;
971 if (issue < now - life) {
972 abort_code = RXKADEXPIRED;
977 *_expiry = issue + life;
979 /* get the service name */
981 _debug("KIV SNAME: %s", name);
983 /* get the service instance name */
985 _debug("KIV SINST: %s", name);
989 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
990 abort_code = RXKADBADTICKET;
993 *_abort_code = abort_code;
1000 * decrypt the response packet
1002 static void rxkad_decrypt_response(struct rxrpc_connection *conn,
1003 struct rxkad_response *resp,
1004 const struct rxrpc_crypt *session_key)
1006 SYNC_SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci);
1007 struct scatterlist sg[1];
1008 struct rxrpc_crypt iv;
1010 _enter(",,%08x%08x",
1011 ntohl(session_key->n[0]), ntohl(session_key->n[1]));
1013 ASSERT(rxkad_ci != NULL);
1015 mutex_lock(&rxkad_ci_mutex);
1016 if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
1017 sizeof(*session_key)) < 0)
1020 memcpy(&iv, session_key, sizeof(iv));
1022 sg_init_table(sg, 1);
1023 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1024 skcipher_request_set_sync_tfm(req, rxkad_ci);
1025 skcipher_request_set_callback(req, 0, NULL, NULL);
1026 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1027 crypto_skcipher_decrypt(req);
1028 skcipher_request_zero(req);
1030 mutex_unlock(&rxkad_ci_mutex);
1038 static int rxkad_verify_response(struct rxrpc_connection *conn,
1039 struct sk_buff *skb,
1042 struct rxkad_response *response;
1043 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1044 struct rxrpc_crypt session_key;
1048 u32 abort_code, version, kvno, ticket_len, level;
1052 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
1055 response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1057 goto temporary_error;
1059 eproto = tracepoint_string("rxkad_rsp_short");
1060 abort_code = RXKADPACKETSHORT;
1061 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1062 response, sizeof(*response)) < 0)
1063 goto protocol_error;
1064 if (!pskb_pull(skb, sizeof(*response)))
1067 version = ntohl(response->version);
1068 ticket_len = ntohl(response->ticket_len);
1069 kvno = ntohl(response->kvno);
1070 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1071 sp->hdr.serial, version, kvno, ticket_len);
1073 eproto = tracepoint_string("rxkad_rsp_ver");
1074 abort_code = RXKADINCONSISTENCY;
1075 if (version != RXKAD_VERSION)
1076 goto protocol_error;
1078 eproto = tracepoint_string("rxkad_rsp_tktlen");
1079 abort_code = RXKADTICKETLEN;
1080 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1081 goto protocol_error;
1083 eproto = tracepoint_string("rxkad_rsp_unkkey");
1084 abort_code = RXKADUNKNOWNKEY;
1085 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1086 goto protocol_error;
1088 /* extract the kerberos ticket and decrypt and decode it */
1090 ticket = kmalloc(ticket_len, GFP_NOFS);
1092 goto temporary_error;
1094 eproto = tracepoint_string("rxkad_tkt_short");
1095 abort_code = RXKADPACKETSHORT;
1096 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1097 ticket, ticket_len) < 0)
1098 goto protocol_error_free;
1100 ret = rxkad_decrypt_ticket(conn, skb, ticket, ticket_len, &session_key,
1101 &expiry, _abort_code);
1103 goto temporary_error_free_resp;
1105 /* use the session key from inside the ticket to decrypt the
1107 rxkad_decrypt_response(conn, response, &session_key);
1109 eproto = tracepoint_string("rxkad_rsp_param");
1110 abort_code = RXKADSEALEDINCON;
1111 if (ntohl(response->encrypted.epoch) != conn->proto.epoch)
1112 goto protocol_error_free;
1113 if (ntohl(response->encrypted.cid) != conn->proto.cid)
1114 goto protocol_error_free;
1115 if (ntohl(response->encrypted.securityIndex) != conn->security_ix)
1116 goto protocol_error_free;
1117 csum = response->encrypted.checksum;
1118 response->encrypted.checksum = 0;
1119 rxkad_calc_response_checksum(response);
1120 eproto = tracepoint_string("rxkad_rsp_csum");
1121 if (response->encrypted.checksum != csum)
1122 goto protocol_error_free;
1124 spin_lock(&conn->channel_lock);
1125 for (i = 0; i < RXRPC_MAXCALLS; i++) {
1126 struct rxrpc_call *call;
1127 u32 call_id = ntohl(response->encrypted.call_id[i]);
1129 eproto = tracepoint_string("rxkad_rsp_callid");
1130 if (call_id > INT_MAX)
1131 goto protocol_error_unlock;
1133 eproto = tracepoint_string("rxkad_rsp_callctr");
1134 if (call_id < conn->channels[i].call_counter)
1135 goto protocol_error_unlock;
1137 eproto = tracepoint_string("rxkad_rsp_callst");
1138 if (call_id > conn->channels[i].call_counter) {
1139 call = rcu_dereference_protected(
1140 conn->channels[i].call,
1141 lockdep_is_held(&conn->channel_lock));
1142 if (call && call->state < RXRPC_CALL_COMPLETE)
1143 goto protocol_error_unlock;
1144 conn->channels[i].call_counter = call_id;
1147 spin_unlock(&conn->channel_lock);
1149 eproto = tracepoint_string("rxkad_rsp_seq");
1150 abort_code = RXKADOUTOFSEQUENCE;
1151 if (ntohl(response->encrypted.inc_nonce) != conn->security_nonce + 1)
1152 goto protocol_error_free;
1154 eproto = tracepoint_string("rxkad_rsp_level");
1155 abort_code = RXKADLEVELFAIL;
1156 level = ntohl(response->encrypted.level);
1157 if (level > RXRPC_SECURITY_ENCRYPT)
1158 goto protocol_error_free;
1159 conn->params.security_level = level;
1161 /* create a key to hold the security data and expiration time - after
1162 * this the connection security can be handled in exactly the same way
1163 * as for a client connection */
1164 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1166 goto temporary_error_free_ticket;
1173 protocol_error_unlock:
1174 spin_unlock(&conn->channel_lock);
1175 protocol_error_free:
1179 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1180 *_abort_code = abort_code;
1183 temporary_error_free_ticket:
1185 temporary_error_free_resp:
1188 /* Ignore the response packet if we got a temporary error such as
1189 * ENOMEM. We just want to send the challenge again. Note that we
1190 * also come out this way if the ticket decryption fails.
1196 * clear the connection security
1198 static void rxkad_clear(struct rxrpc_connection *conn)
1203 crypto_free_sync_skcipher(conn->cipher);
1207 * Initialise the rxkad security service.
1209 static int rxkad_init(void)
1211 /* pin the cipher we need so that the crypto layer doesn't invoke
1212 * keventd to go get it */
1213 rxkad_ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
1214 return PTR_ERR_OR_ZERO(rxkad_ci);
1218 * Clean up the rxkad security service.
1220 static void rxkad_exit(void)
1223 crypto_free_sync_skcipher(rxkad_ci);
1227 * RxRPC Kerberos-based security
1229 const struct rxrpc_security rxkad = {
1231 .security_index = RXRPC_SECURITY_RXKAD,
1234 .init_connection_security = rxkad_init_connection_security,
1235 .prime_packet_security = rxkad_prime_packet_security,
1236 .secure_packet = rxkad_secure_packet,
1237 .verify_packet = rxkad_verify_packet,
1238 .locate_data = rxkad_locate_data,
1239 .issue_challenge = rxkad_issue_challenge,
1240 .respond_to_challenge = rxkad_respond_to_challenge,
1241 .verify_response = rxkad_verify_response,
1242 .clear = rxkad_clear,