1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Kerberos-based RxRPC security
4 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10 #include <crypto/skcipher.h>
11 #include <linux/module.h>
12 #include <linux/net.h>
13 #include <linux/skbuff.h>
14 #include <linux/udp.h>
15 #include <linux/scatterlist.h>
16 #include <linux/ctype.h>
17 #include <linux/slab.h>
18 #include <linux/key-type.h>
20 #include <net/af_rxrpc.h>
21 #include <keys/rxrpc-type.h>
22 #include "ar-internal.h"
24 #define RXKAD_VERSION 2
25 #define MAXKRB5TICKETLEN 1024
26 #define RXKAD_TKT_TYPE_KERBEROS_V5 256
27 #define ANAME_SZ 40 /* size of authentication name */
28 #define INST_SZ 40 /* size of principal's instance */
29 #define REALM_SZ 40 /* size of principal's auth domain */
30 #define SNAME_SZ 40 /* size of service name */
33 struct rxkad_level1_hdr {
34 __be32 data_size; /* true data size (excluding padding) */
37 struct rxkad_level2_hdr {
38 __be32 data_size; /* true data size (excluding padding) */
39 __be32 checksum; /* decrypted data checksum */
42 static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
43 struct crypto_sync_skcipher *ci);
46 * this holds a pinned cipher so that keventd doesn't get called by the cipher
47 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
50 static struct crypto_sync_skcipher *rxkad_ci;
51 static struct skcipher_request *rxkad_ci_req;
52 static DEFINE_MUTEX(rxkad_ci_mutex);
55 * Parse the information from a server key
57 * The data should be the 8-byte secret key.
59 static int rxkad_preparse_server_key(struct key_preparsed_payload *prep)
61 struct crypto_skcipher *ci;
63 if (prep->datalen != 8)
66 memcpy(&prep->payload.data[2], prep->data, 8);
68 ci = crypto_alloc_skcipher("pcbc(des)", 0, CRYPTO_ALG_ASYNC);
70 _leave(" = %ld", PTR_ERR(ci));
74 if (crypto_skcipher_setkey(ci, prep->data, 8) < 0)
77 prep->payload.data[0] = ci;
82 static void rxkad_free_preparse_server_key(struct key_preparsed_payload *prep)
85 if (prep->payload.data[0])
86 crypto_free_skcipher(prep->payload.data[0]);
89 static void rxkad_destroy_server_key(struct key *key)
91 if (key->payload.data[0]) {
92 crypto_free_skcipher(key->payload.data[0]);
93 key->payload.data[0] = NULL;
98 * initialise connection security
100 static int rxkad_init_connection_security(struct rxrpc_connection *conn,
101 struct rxrpc_key_token *token)
103 struct crypto_sync_skcipher *ci;
106 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->key));
108 conn->security_ix = token->security_index;
110 ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
117 if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
118 sizeof(token->kad->session_key)) < 0)
121 switch (conn->security_level) {
122 case RXRPC_SECURITY_PLAIN:
123 case RXRPC_SECURITY_AUTH:
124 case RXRPC_SECURITY_ENCRYPT:
131 ret = rxkad_prime_packet_security(conn, ci);
135 conn->rxkad.cipher = ci;
139 crypto_free_sync_skcipher(ci);
141 _leave(" = %d", ret);
146 * Work out how much data we can put in a packet.
148 static struct rxrpc_txbuf *rxkad_alloc_txbuf(struct rxrpc_call *call, size_t remain, gfp_t gfp)
150 struct rxrpc_txbuf *txb;
151 size_t shdr, alloc, limit, part;
153 remain = umin(remain, 65535 - sizeof(struct rxrpc_wire_header));
155 switch (call->conn->security_level) {
157 alloc = umin(remain, RXRPC_JUMBO_DATALEN);
158 return rxrpc_alloc_data_txbuf(call, alloc, 1, gfp);
159 case RXRPC_SECURITY_AUTH:
160 shdr = sizeof(struct rxkad_level1_hdr);
162 case RXRPC_SECURITY_ENCRYPT:
163 shdr = sizeof(struct rxkad_level2_hdr);
167 limit = round_down(RXRPC_JUMBO_DATALEN, RXKAD_ALIGN) - shdr;
168 if (remain < limit) {
170 alloc = round_up(shdr + part, RXKAD_ALIGN);
173 alloc = RXRPC_JUMBO_DATALEN;
176 txb = rxrpc_alloc_data_txbuf(call, alloc, RXKAD_ALIGN, gfp);
180 txb->crypto_header = 0;
181 txb->sec_header = shdr;
188 * prime the encryption state with the invariant parts of a connection's
191 static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
192 struct crypto_sync_skcipher *ci)
194 struct skcipher_request *req;
195 struct rxrpc_key_token *token;
196 struct scatterlist sg;
197 struct rxrpc_crypt iv;
199 size_t tmpsize = 4 * sizeof(__be32);
206 tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
210 req = skcipher_request_alloc(&ci->base, GFP_NOFS);
216 token = conn->key->payload.data[0];
217 memcpy(&iv, token->kad->session_key, sizeof(iv));
219 tmpbuf[0] = htonl(conn->proto.epoch);
220 tmpbuf[1] = htonl(conn->proto.cid);
222 tmpbuf[3] = htonl(conn->security_ix);
224 sg_init_one(&sg, tmpbuf, tmpsize);
225 skcipher_request_set_sync_tfm(req, ci);
226 skcipher_request_set_callback(req, 0, NULL, NULL);
227 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
228 crypto_skcipher_encrypt(req);
229 skcipher_request_free(req);
231 memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv));
238 * Allocate and prepare the crypto request on a call. For any particular call,
239 * this is called serially for the packets, so no lock should be necessary.
241 static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call)
243 struct crypto_skcipher *tfm = &call->conn->rxkad.cipher->base;
245 return skcipher_request_alloc(tfm, GFP_NOFS);
249 * Clean up the crypto on a call.
251 static void rxkad_free_call_crypto(struct rxrpc_call *call)
256 * partially encrypt a packet (level 1 security)
258 static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
259 struct rxrpc_txbuf *txb,
260 struct skcipher_request *req)
262 struct rxkad_level1_hdr *hdr = txb->data;
263 struct rxrpc_crypt iv;
264 struct scatterlist sg;
270 check = txb->seq ^ call->call_id;
271 hdr->data_size = htonl((u32)check << 16 | txb->len);
273 txb->pkt_len = sizeof(struct rxkad_level1_hdr) + txb->len;
275 pad = RXKAD_ALIGN - pad;
276 pad &= RXKAD_ALIGN - 1;
278 memset(txb->data + txb->offset, 0, pad);
282 /* start the encryption afresh */
283 memset(&iv, 0, sizeof(iv));
285 sg_init_one(&sg, hdr, 8);
286 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
287 skcipher_request_set_callback(req, 0, NULL, NULL);
288 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
289 crypto_skcipher_encrypt(req);
290 skcipher_request_zero(req);
297 * wholly encrypt a packet (level 2 security)
299 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
300 struct rxrpc_txbuf *txb,
301 struct skcipher_request *req)
303 const struct rxrpc_key_token *token;
304 struct rxkad_level2_hdr *rxkhdr = txb->data;
305 struct rxrpc_crypt iv;
306 struct scatterlist sg;
313 check = txb->seq ^ call->call_id;
315 rxkhdr->data_size = htonl(txb->len | (u32)check << 16);
316 rxkhdr->checksum = 0;
318 content = sizeof(struct rxkad_level2_hdr) + txb->len;
319 txb->pkt_len = round_up(content, RXKAD_ALIGN);
320 pad = txb->pkt_len - content;
322 memset(txb->data + txb->offset, 0, pad);
324 /* encrypt from the session key */
325 token = call->conn->key->payload.data[0];
326 memcpy(&iv, token->kad->session_key, sizeof(iv));
328 sg_init_one(&sg, rxkhdr, txb->pkt_len);
329 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
330 skcipher_request_set_callback(req, 0, NULL, NULL);
331 skcipher_request_set_crypt(req, &sg, &sg, txb->pkt_len, iv.x);
332 ret = crypto_skcipher_encrypt(req);
333 skcipher_request_zero(req);
338 * checksum an RxRPC packet header
340 static int rxkad_secure_packet(struct rxrpc_call *call, struct rxrpc_txbuf *txb)
342 struct skcipher_request *req;
343 struct rxrpc_crypt iv;
344 struct scatterlist sg;
347 } crypto __aligned(8);
351 _enter("{%d{%x}},{#%u},%u,",
352 call->debug_id, key_serial(call->conn->key),
355 if (!call->conn->rxkad.cipher)
358 ret = key_validate(call->conn->key);
362 req = rxkad_get_call_crypto(call);
366 /* continue encrypting from where we left off */
367 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
369 /* calculate the security checksum */
370 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
371 x |= txb->seq & 0x3fffffff;
372 crypto.buf[0] = htonl(call->call_id);
373 crypto.buf[1] = htonl(x);
375 sg_init_one(&sg, crypto.buf, 8);
376 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
377 skcipher_request_set_callback(req, 0, NULL, NULL);
378 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
379 crypto_skcipher_encrypt(req);
380 skcipher_request_zero(req);
382 y = ntohl(crypto.buf[1]);
383 y = (y >> 16) & 0xffff;
385 y = 1; /* zero checksums are not permitted */
386 txb->cksum = htons(y);
388 switch (call->conn->security_level) {
389 case RXRPC_SECURITY_PLAIN:
390 txb->pkt_len = txb->len;
393 case RXRPC_SECURITY_AUTH:
394 ret = rxkad_secure_packet_auth(call, txb, req);
395 if (txb->alloc_size == RXRPC_JUMBO_DATALEN)
396 txb->jumboable = true;
398 case RXRPC_SECURITY_ENCRYPT:
399 ret = rxkad_secure_packet_encrypt(call, txb, req);
400 if (txb->alloc_size == RXRPC_JUMBO_DATALEN)
401 txb->jumboable = true;
408 /* Clear excess space in the packet */
409 if (txb->pkt_len < txb->alloc_size) {
410 size_t gap = txb->alloc_size - txb->pkt_len;
413 memset(p + txb->pkt_len, 0, gap);
416 skcipher_request_free(req);
417 _leave(" = %d [set %x]", ret, y);
422 * decrypt partial encryption on a packet (level 1 security)
424 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
426 struct skcipher_request *req)
428 struct rxkad_level1_hdr sechdr;
429 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
430 struct rxrpc_crypt iv;
431 struct scatterlist sg[16];
439 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
440 rxkad_abort_1_short_header);
442 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
443 * directly into the target buffer.
445 sg_init_table(sg, ARRAY_SIZE(sg));
446 ret = skb_to_sgvec(skb, sg, sp->offset, 8);
447 if (unlikely(ret < 0))
450 /* start the decryption afresh */
451 memset(&iv, 0, sizeof(iv));
453 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
454 skcipher_request_set_callback(req, 0, NULL, NULL);
455 skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
456 crypto_skcipher_decrypt(req);
457 skcipher_request_zero(req);
459 /* Extract the decrypted packet length */
460 if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
461 return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
462 rxkad_abort_1_short_encdata);
463 sp->offset += sizeof(sechdr);
464 sp->len -= sizeof(sechdr);
466 buf = ntohl(sechdr.data_size);
467 data_size = buf & 0xffff;
470 check ^= seq ^ call->call_id;
473 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
474 rxkad_abort_1_short_check);
475 if (data_size > sp->len)
476 return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
477 rxkad_abort_1_short_data);
480 _leave(" = 0 [dlen=%x]", data_size);
485 * wholly decrypt a packet (level 2 security)
487 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
489 struct skcipher_request *req)
491 const struct rxrpc_key_token *token;
492 struct rxkad_level2_hdr sechdr;
493 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
494 struct rxrpc_crypt iv;
495 struct scatterlist _sg[4], *sg;
500 _enter(",{%d}", sp->len);
503 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
504 rxkad_abort_2_short_header);
506 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
507 * directly into the target buffer.
510 nsg = skb_shinfo(skb)->nr_frags + 1;
514 sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
519 sg_init_table(sg, nsg);
520 ret = skb_to_sgvec(skb, sg, sp->offset, sp->len);
521 if (unlikely(ret < 0)) {
527 /* decrypt from the session key */
528 token = call->conn->key->payload.data[0];
529 memcpy(&iv, token->kad->session_key, sizeof(iv));
531 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
532 skcipher_request_set_callback(req, 0, NULL, NULL);
533 skcipher_request_set_crypt(req, sg, sg, sp->len, iv.x);
534 crypto_skcipher_decrypt(req);
535 skcipher_request_zero(req);
539 /* Extract the decrypted packet length */
540 if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
541 return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
542 rxkad_abort_2_short_len);
543 sp->offset += sizeof(sechdr);
544 sp->len -= sizeof(sechdr);
546 buf = ntohl(sechdr.data_size);
547 data_size = buf & 0xffff;
550 check ^= seq ^ call->call_id;
553 return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
554 rxkad_abort_2_short_check);
556 if (data_size > sp->len)
557 return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
558 rxkad_abort_2_short_data);
561 _leave(" = 0 [dlen=%x]", data_size);
566 * Verify the security on a received packet and the subpackets therein.
568 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb)
570 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
571 struct skcipher_request *req;
572 struct rxrpc_crypt iv;
573 struct scatterlist sg;
576 } crypto __aligned(8);
577 rxrpc_seq_t seq = sp->hdr.seq;
582 _enter("{%d{%x}},{#%u}",
583 call->debug_id, key_serial(call->conn->key), seq);
585 if (!call->conn->rxkad.cipher)
588 req = rxkad_get_call_crypto(call);
592 /* continue encrypting from where we left off */
593 memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
595 /* validate the security checksum */
596 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
597 x |= seq & 0x3fffffff;
598 crypto.buf[0] = htonl(call->call_id);
599 crypto.buf[1] = htonl(x);
601 sg_init_one(&sg, crypto.buf, 8);
602 skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
603 skcipher_request_set_callback(req, 0, NULL, NULL);
604 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
605 crypto_skcipher_encrypt(req);
606 skcipher_request_zero(req);
608 y = ntohl(crypto.buf[1]);
609 cksum = (y >> 16) & 0xffff;
611 cksum = 1; /* zero checksums are not permitted */
613 if (cksum != sp->hdr.cksum) {
614 ret = rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
615 rxkad_abort_bad_checksum);
619 switch (call->conn->security_level) {
620 case RXRPC_SECURITY_PLAIN:
623 case RXRPC_SECURITY_AUTH:
624 ret = rxkad_verify_packet_1(call, skb, seq, req);
626 case RXRPC_SECURITY_ENCRYPT:
627 ret = rxkad_verify_packet_2(call, skb, seq, req);
635 skcipher_request_free(req);
642 static int rxkad_issue_challenge(struct rxrpc_connection *conn)
644 struct rxkad_challenge challenge;
645 struct rxrpc_wire_header whdr;
652 _enter("{%d}", conn->debug_id);
654 get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce));
656 challenge.version = htonl(2);
657 challenge.nonce = htonl(conn->rxkad.nonce);
658 challenge.min_level = htonl(0);
659 challenge.__padding = 0;
661 msg.msg_name = &conn->peer->srx.transport;
662 msg.msg_namelen = conn->peer->srx.transport_len;
663 msg.msg_control = NULL;
664 msg.msg_controllen = 0;
667 whdr.epoch = htonl(conn->proto.epoch);
668 whdr.cid = htonl(conn->proto.cid);
671 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE;
672 whdr.flags = conn->out_clientflag;
674 whdr.securityIndex = conn->security_ix;
676 whdr.serviceId = htons(conn->service_id);
678 iov[0].iov_base = &whdr;
679 iov[0].iov_len = sizeof(whdr);
680 iov[1].iov_base = &challenge;
681 iov[1].iov_len = sizeof(challenge);
683 len = iov[0].iov_len + iov[1].iov_len;
685 serial = rxrpc_get_next_serial(conn);
686 whdr.serial = htonl(serial);
688 trace_rxrpc_tx_challenge(conn, serial, 0, conn->rxkad.nonce);
690 ret = kernel_sendmsg(conn->local->socket, &msg, iov, 2, len);
692 trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
693 rxrpc_tx_point_rxkad_challenge);
697 conn->peer->last_tx_at = ktime_get_seconds();
698 trace_rxrpc_tx_packet(conn->debug_id, &whdr,
699 rxrpc_tx_point_rxkad_challenge);
705 * calculate the response checksum
707 static void rxkad_calc_response_checksum(struct rxkad_response *response)
711 u8 *p = (u8 *) response;
713 for (loop = sizeof(*response); loop > 0; loop--)
714 csum = csum * 0x10204081 + *p++;
716 response->encrypted.checksum = htonl(csum);
720 * encrypt the response packet
722 static int rxkad_encrypt_response(struct rxrpc_connection *conn,
723 struct sk_buff *response,
724 const struct rxkad_key *s2)
726 struct skcipher_request *req;
727 struct rxrpc_crypt iv;
728 struct scatterlist sg[1];
729 size_t encsize = sizeof(((struct rxkad_response *)0)->encrypted);
732 sg_init_table(sg, ARRAY_SIZE(sg));
733 ret = skb_to_sgvec(response, sg,
734 sizeof(struct rxrpc_wire_header) +
735 offsetof(struct rxkad_response, encrypted), encsize);
739 req = skcipher_request_alloc(&conn->rxkad.cipher->base, GFP_NOFS);
743 /* continue encrypting from where we left off */
744 memcpy(&iv, s2->session_key, sizeof(iv));
746 skcipher_request_set_sync_tfm(req, conn->rxkad.cipher);
747 skcipher_request_set_callback(req, 0, NULL, NULL);
748 skcipher_request_set_crypt(req, sg, sg, encsize, iv.x);
749 ret = crypto_skcipher_encrypt(req);
750 skcipher_request_free(req);
755 * Validate a challenge packet.
757 static bool rxkad_validate_challenge(struct rxrpc_connection *conn,
760 struct rxkad_challenge challenge;
761 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
762 u32 version, min_level;
765 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
768 rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO,
769 rxkad_abort_chall_no_key);
773 ret = key_validate(conn->key);
775 rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
776 rxkad_abort_chall_key_expired);
780 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
781 &challenge, sizeof(challenge)) < 0) {
782 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
783 rxkad_abort_chall_short);
787 version = ntohl(challenge.version);
788 sp->chall.rxkad_nonce = ntohl(challenge.nonce);
789 min_level = ntohl(challenge.min_level);
791 trace_rxrpc_rx_challenge(conn, sp->hdr.serial, version,
792 sp->chall.rxkad_nonce, min_level);
794 if (version != RXKAD_VERSION) {
795 rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
796 rxkad_abort_chall_version);
800 if (conn->security_level < min_level) {
801 rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EACCES,
802 rxkad_abort_chall_level);
809 * Insert the header into the response.
812 int rxkad_insert_response_header(struct rxrpc_connection *conn,
813 const struct rxrpc_key_token *token,
814 struct sk_buff *challenge,
815 struct sk_buff *response,
818 struct rxrpc_skb_priv *csp = rxrpc_skb(challenge);
820 struct rxrpc_wire_header whdr;
821 struct rxkad_response resp;
825 h.whdr.epoch = htonl(conn->proto.epoch);
826 h.whdr.cid = htonl(conn->proto.cid);
827 h.whdr.callNumber = 0;
830 h.whdr.type = RXRPC_PACKET_TYPE_RESPONSE;
831 h.whdr.flags = conn->out_clientflag;
832 h.whdr.userStatus = 0;
833 h.whdr.securityIndex = conn->security_ix;
835 h.whdr.serviceId = htons(conn->service_id);
836 h.resp.version = htonl(RXKAD_VERSION);
838 h.resp.encrypted.epoch = htonl(conn->proto.epoch);
839 h.resp.encrypted.cid = htonl(conn->proto.cid);
840 h.resp.encrypted.checksum = 0;
841 h.resp.encrypted.securityIndex = htonl(conn->security_ix);
842 h.resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
843 h.resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
844 h.resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
845 h.resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
846 h.resp.encrypted.inc_nonce = htonl(csp->chall.rxkad_nonce + 1);
847 h.resp.encrypted.level = htonl(conn->security_level);
848 h.resp.kvno = htonl(token->kad->kvno);
849 h.resp.ticket_len = htonl(token->kad->ticket_len);
851 rxkad_calc_response_checksum(&h.resp);
853 ret = skb_store_bits(response, *offset, &h, sizeof(h));
854 *offset += sizeof(h);
859 * respond to a challenge packet
861 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
862 struct sk_buff *challenge)
864 const struct rxrpc_key_token *token;
865 struct rxrpc_skb_priv *csp, *rsp;
866 struct sk_buff *response;
867 size_t len, offset = 0;
870 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
872 ret = key_validate(conn->key);
874 return rxrpc_abort_conn(conn, challenge, RXKADEXPIRED, ret,
875 rxkad_abort_chall_key_expired);
877 token = conn->key->payload.data[0];
879 /* build the response packet */
880 len = sizeof(struct rxrpc_wire_header) +
881 sizeof(struct rxkad_response) +
882 token->kad->ticket_len;
884 response = alloc_skb_with_frags(0, len, 0, &ret, GFP_NOFS);
887 rxrpc_new_skb(response, rxrpc_skb_new_response_rxkad);
889 response->data_len = len;
892 ret = rxkad_insert_response_header(conn, token, challenge, response,
897 ret = rxkad_encrypt_response(conn, response, token->kad);
901 ret = skb_store_bits(response, offset, token->kad->ticket,
902 token->kad->ticket_len);
906 csp = rxrpc_skb(challenge);
907 rsp = rxrpc_skb(response);
909 rsp->resp.challenge_serial = csp->hdr.serial;
910 rxrpc_post_response(conn, response);
915 rxrpc_free_skb(response, rxrpc_skb_put_response);
920 * RxKAD does automatic response only as there's nothing to manage that isn't
921 * already in the key.
923 static int rxkad_sendmsg_respond_to_challenge(struct sk_buff *challenge,
930 * rxkad_kernel_respond_to_challenge - Respond to a challenge with appdata
931 * @challenge: The challenge to respond to
933 * Allow a kernel application to respond to a CHALLENGE.
935 * Return: %0 if successful and a negative error code otherwise.
937 int rxkad_kernel_respond_to_challenge(struct sk_buff *challenge)
939 struct rxrpc_skb_priv *csp = rxrpc_skb(challenge);
941 return rxkad_respond_to_challenge(csp->chall.conn, challenge);
943 EXPORT_SYMBOL(rxkad_kernel_respond_to_challenge);
946 * decrypt the kerberos IV ticket in the response
948 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
949 struct key *server_key,
951 void *ticket, size_t ticket_len,
952 struct rxrpc_crypt *_session_key,
955 struct skcipher_request *req;
956 struct rxrpc_crypt iv, key;
957 struct scatterlist sg[1];
962 u8 *p, *q, *name, *end;
964 _enter("{%d},{%x}", conn->debug_id, key_serial(server_key));
968 ASSERT(server_key->payload.data[0] != NULL);
969 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
971 memcpy(&iv, &server_key->payload.data[2], sizeof(iv));
973 req = skcipher_request_alloc(server_key->payload.data[0], GFP_NOFS);
977 sg_init_one(&sg[0], ticket, ticket_len);
978 skcipher_request_set_callback(req, 0, NULL, NULL);
979 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
980 crypto_skcipher_decrypt(req);
981 skcipher_request_free(req);
984 end = p + ticket_len;
986 #define Z(field, fieldl) \
989 q = memchr(p, 0, end - p); \
990 if (!q || q - p > field##_SZ) \
991 return rxrpc_abort_conn( \
992 conn, skb, RXKADBADTICKET, -EPROTO, \
993 rxkad_abort_resp_tkt_##fieldl); \
996 return rxrpc_abort_conn( \
997 conn, skb, RXKADBADTICKET, -EPROTO, \
998 rxkad_abort_resp_tkt_##fieldl); \
1003 /* extract the ticket flags */
1004 _debug("KIV FLAGS: %x", *p);
1005 little_endian = *p & 1;
1008 /* extract the authentication name */
1009 name = Z(ANAME, aname);
1010 _debug("KIV ANAME: %s", name);
1012 /* extract the principal's instance */
1013 name = Z(INST, inst);
1014 _debug("KIV INST : %s", name);
1016 /* extract the principal's authentication domain */
1017 name = Z(REALM, realm);
1018 _debug("KIV REALM: %s", name);
1020 if (end - p < 4 + 8 + 4 + 2)
1021 return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO,
1022 rxkad_abort_resp_tkt_short);
1024 /* get the IPv4 address of the entity that requested the ticket */
1025 memcpy(&addr, p, sizeof(addr));
1027 _debug("KIV ADDR : %pI4", &addr);
1029 /* get the session key from the ticket */
1030 memcpy(&key, p, sizeof(key));
1032 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
1033 memcpy(_session_key, &key, sizeof(key));
1035 /* get the ticket's lifetime */
1036 life = *p++ * 5 * 60;
1037 _debug("KIV LIFE : %u", life);
1039 /* get the issue time of the ticket */
1040 if (little_endian) {
1042 memcpy(&stamp, p, 4);
1043 issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
1046 memcpy(&stamp, p, 4);
1047 issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
1050 now = ktime_get_real_seconds();
1051 _debug("KIV ISSUE: %llx [%llx]", issue, now);
1053 /* check the ticket is in date */
1055 return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, -EKEYREJECTED,
1056 rxkad_abort_resp_tkt_future);
1057 if (issue < now - life)
1058 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, -EKEYEXPIRED,
1059 rxkad_abort_resp_tkt_expired);
1061 *_expiry = issue + life;
1063 /* get the service name */
1064 name = Z(SNAME, sname);
1065 _debug("KIV SNAME: %s", name);
1067 /* get the service instance name */
1068 name = Z(INST, sinst);
1069 _debug("KIV SINST: %s", name);
1074 * decrypt the response packet
1076 static void rxkad_decrypt_response(struct rxrpc_connection *conn,
1077 struct rxkad_response *resp,
1078 const struct rxrpc_crypt *session_key)
1080 struct skcipher_request *req = rxkad_ci_req;
1081 struct scatterlist sg[1];
1082 struct rxrpc_crypt iv;
1084 _enter(",,%08x%08x",
1085 ntohl(session_key->n[0]), ntohl(session_key->n[1]));
1087 mutex_lock(&rxkad_ci_mutex);
1088 if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
1089 sizeof(*session_key)) < 0)
1092 memcpy(&iv, session_key, sizeof(iv));
1094 sg_init_table(sg, 1);
1095 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1096 skcipher_request_set_sync_tfm(req, rxkad_ci);
1097 skcipher_request_set_callback(req, 0, NULL, NULL);
1098 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1099 crypto_skcipher_decrypt(req);
1100 skcipher_request_zero(req);
1102 mutex_unlock(&rxkad_ci_mutex);
1110 static int rxkad_verify_response(struct rxrpc_connection *conn,
1111 struct sk_buff *skb)
1113 struct rxkad_response *response;
1114 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1115 struct rxrpc_crypt session_key;
1116 struct key *server_key;
1119 u32 version, kvno, ticket_len, level;
1123 _enter("{%d}", conn->debug_id);
1125 server_key = rxrpc_look_up_server_security(conn, skb, 0, 0);
1126 if (IS_ERR(server_key)) {
1127 ret = PTR_ERR(server_key);
1130 return rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, ret,
1131 rxkad_abort_resp_nokey);
1133 return rxrpc_abort_conn(conn, skb, RXKADEXPIRED, ret,
1134 rxkad_abort_resp_key_expired);
1136 return rxrpc_abort_conn(conn, skb, RXKADNOAUTH, ret,
1137 rxkad_abort_resp_key_rejected);
1142 response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1144 goto temporary_error;
1146 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1147 response, sizeof(*response)) < 0) {
1148 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1149 rxkad_abort_resp_short);
1150 goto protocol_error;
1153 version = ntohl(response->version);
1154 ticket_len = ntohl(response->ticket_len);
1155 kvno = ntohl(response->kvno);
1157 trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len);
1159 if (version != RXKAD_VERSION) {
1160 rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
1161 rxkad_abort_resp_version);
1162 goto protocol_error;
1165 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) {
1166 rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO,
1167 rxkad_abort_resp_tkt_len);
1168 goto protocol_error;
1171 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) {
1172 rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO,
1173 rxkad_abort_resp_unknown_tkt);
1174 goto protocol_error;
1177 /* extract the kerberos ticket and decrypt and decode it */
1179 ticket = kmalloc(ticket_len, GFP_NOFS);
1181 goto temporary_error_free_resp;
1183 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response),
1184 ticket, ticket_len) < 0) {
1185 rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
1186 rxkad_abort_resp_short_tkt);
1187 goto protocol_error;
1190 ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len,
1191 &session_key, &expiry);
1193 goto temporary_error_free_ticket;
1195 /* use the session key from inside the ticket to decrypt the
1197 rxkad_decrypt_response(conn, response, &session_key);
1199 if (ntohl(response->encrypted.epoch) != conn->proto.epoch ||
1200 ntohl(response->encrypted.cid) != conn->proto.cid ||
1201 ntohl(response->encrypted.securityIndex) != conn->security_ix) {
1202 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1203 rxkad_abort_resp_bad_param);
1204 goto protocol_error_free;
1207 csum = response->encrypted.checksum;
1208 response->encrypted.checksum = 0;
1209 rxkad_calc_response_checksum(response);
1210 if (response->encrypted.checksum != csum) {
1211 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1212 rxkad_abort_resp_bad_checksum);
1213 goto protocol_error_free;
1216 for (i = 0; i < RXRPC_MAXCALLS; i++) {
1217 u32 call_id = ntohl(response->encrypted.call_id[i]);
1218 u32 counter = READ_ONCE(conn->channels[i].call_counter);
1220 if (call_id > INT_MAX) {
1221 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1222 rxkad_abort_resp_bad_callid);
1223 goto protocol_error_free;
1226 if (call_id < counter) {
1227 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1228 rxkad_abort_resp_call_ctr);
1229 goto protocol_error_free;
1232 if (call_id > counter) {
1233 if (conn->channels[i].call) {
1234 rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO,
1235 rxkad_abort_resp_call_state);
1236 goto protocol_error_free;
1238 conn->channels[i].call_counter = call_id;
1242 if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) {
1243 rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO,
1244 rxkad_abort_resp_ooseq);
1245 goto protocol_error_free;
1248 level = ntohl(response->encrypted.level);
1249 if (level > RXRPC_SECURITY_ENCRYPT) {
1250 rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO,
1251 rxkad_abort_resp_level);
1252 goto protocol_error_free;
1254 conn->security_level = level;
1256 /* create a key to hold the security data and expiration time - after
1257 * this the connection security can be handled in exactly the same way
1258 * as for a client connection */
1259 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1261 goto temporary_error_free_ticket;
1268 protocol_error_free:
1272 key_put(server_key);
1275 temporary_error_free_ticket:
1277 temporary_error_free_resp:
1280 /* Ignore the response packet if we got a temporary error such as
1281 * ENOMEM. We just want to send the challenge again. Note that we
1282 * also come out this way if the ticket decryption fails.
1284 key_put(server_key);
1289 * clear the connection security
1291 static void rxkad_clear(struct rxrpc_connection *conn)
1295 if (conn->rxkad.cipher)
1296 crypto_free_sync_skcipher(conn->rxkad.cipher);
1300 * Initialise the rxkad security service.
1302 static int rxkad_init(void)
1304 struct crypto_sync_skcipher *tfm;
1305 struct skcipher_request *req;
1307 /* pin the cipher we need so that the crypto layer doesn't invoke
1308 * keventd to go get it */
1309 tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
1311 return PTR_ERR(tfm);
1313 req = skcipher_request_alloc(&tfm->base, GFP_KERNEL);
1322 crypto_free_sync_skcipher(tfm);
1327 * Clean up the rxkad security service.
1329 static void rxkad_exit(void)
1331 crypto_free_sync_skcipher(rxkad_ci);
1332 skcipher_request_free(rxkad_ci_req);
1336 * RxRPC Kerberos-based security
1338 const struct rxrpc_security rxkad = {
1340 .security_index = RXRPC_SECURITY_RXKAD,
1341 .no_key_abort = RXKADUNKNOWNKEY,
1344 .preparse_server_key = rxkad_preparse_server_key,
1345 .free_preparse_server_key = rxkad_free_preparse_server_key,
1346 .destroy_server_key = rxkad_destroy_server_key,
1347 .init_connection_security = rxkad_init_connection_security,
1348 .alloc_txbuf = rxkad_alloc_txbuf,
1349 .secure_packet = rxkad_secure_packet,
1350 .verify_packet = rxkad_verify_packet,
1351 .free_call_crypto = rxkad_free_call_crypto,
1352 .issue_challenge = rxkad_issue_challenge,
1353 .validate_challenge = rxkad_validate_challenge,
1354 .sendmsg_respond_to_challenge = rxkad_sendmsg_respond_to_challenge,
1355 .respond_to_challenge = rxkad_respond_to_challenge,
1356 .verify_response = rxkad_verify_response,
1357 .clear = rxkad_clear,
projects / linux-block.git / blob