1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Kerberos-based RxRPC security
4 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10 #include <crypto/skcipher.h>
11 #include <linux/module.h>
12 #include <linux/net.h>
13 #include <linux/skbuff.h>
14 #include <linux/udp.h>
15 #include <linux/scatterlist.h>
16 #include <linux/ctype.h>
17 #include <linux/slab.h>
18 #include <linux/key-type.h>
20 #include <net/af_rxrpc.h>
21 #include <keys/rxrpc-type.h>
22 #include "ar-internal.h"
24 #define RXKAD_VERSION 2
25 #define MAXKRB5TICKETLEN 1024
26 #define RXKAD_TKT_TYPE_KERBEROS_V5 256
27 #define ANAME_SZ 40 /* size of authentication name */
28 #define INST_SZ 40 /* size of principal's instance */
29 #define REALM_SZ 40 /* size of principal's auth domain */
30 #define SNAME_SZ 40 /* size of service name */
33 struct rxkad_level1_hdr
{
34 __be32 data_size
; /* true data size (excluding padding) */
37 struct rxkad_level2_hdr
{
38 __be32 data_size
; /* true data size (excluding padding) */
39 __be32 checksum
; /* decrypted data checksum */
42 static int rxkad_prime_packet_security(struct rxrpc_connection
*conn
,
43 struct crypto_sync_skcipher
*ci
);
46 * this holds a pinned cipher so that keventd doesn't get called by the cipher
47 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
50 static struct crypto_sync_skcipher
*rxkad_ci
;
51 static struct skcipher_request
*rxkad_ci_req
;
52 static DEFINE_MUTEX(rxkad_ci_mutex
);
55 * Parse the information from a server key
57 * The data should be the 8-byte secret key.
59 static int rxkad_preparse_server_key(struct key_preparsed_payload
*prep
)
61 struct crypto_skcipher
*ci
;
63 if (prep
->datalen
!= 8)
66 memcpy(&prep
->payload
.data
[2], prep
->data
, 8);
68 ci
= crypto_alloc_skcipher("pcbc(des)", 0, CRYPTO_ALG_ASYNC
);
70 _leave(" = %ld", PTR_ERR(ci
));
74 if (crypto_skcipher_setkey(ci
, prep
->data
, 8) < 0)
77 prep
->payload
.data
[0] = ci
;
82 static void rxkad_free_preparse_server_key(struct key_preparsed_payload
*prep
)
85 if (prep
->payload
.data
[0])
86 crypto_free_skcipher(prep
->payload
.data
[0]);
89 static void rxkad_destroy_server_key(struct key
*key
)
91 if (key
->payload
.data
[0]) {
92 crypto_free_skcipher(key
->payload
.data
[0]);
93 key
->payload
.data
[0] = NULL
;
98 * initialise connection security
100 static int rxkad_init_connection_security(struct rxrpc_connection
*conn
,
101 struct rxrpc_key_token
*token
)
103 struct crypto_sync_skcipher
*ci
;
106 _enter("{%d},{%x}", conn
->debug_id
, key_serial(conn
->params
.key
));
108 conn
->security_ix
= token
->security_index
;
110 ci
= crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
117 if (crypto_sync_skcipher_setkey(ci
, token
->kad
->session_key
,
118 sizeof(token
->kad
->session_key
)) < 0)
121 switch (conn
->params
.security_level
) {
122 case RXRPC_SECURITY_PLAIN
:
123 case RXRPC_SECURITY_AUTH
:
124 case RXRPC_SECURITY_ENCRYPT
:
131 ret
= rxkad_prime_packet_security(conn
, ci
);
135 conn
->rxkad
.cipher
= ci
;
139 crypto_free_sync_skcipher(ci
);
141 _leave(" = %d", ret
);
146 * Work out how much data we can put in a packet.
148 static int rxkad_how_much_data(struct rxrpc_call
*call
, size_t remain
,
149 size_t *_buf_size
, size_t *_data_size
, size_t *_offset
)
151 size_t shdr
, buf_size
, chunk
;
153 switch (call
->conn
->params
.security_level
) {
155 buf_size
= chunk
= min_t(size_t, remain
, RXRPC_JUMBO_DATALEN
);
158 case RXRPC_SECURITY_AUTH
:
159 shdr
= sizeof(struct rxkad_level1_hdr
);
161 case RXRPC_SECURITY_ENCRYPT
:
162 shdr
= sizeof(struct rxkad_level2_hdr
);
166 buf_size
= round_down(RXRPC_JUMBO_DATALEN
, RXKAD_ALIGN
);
168 chunk
= buf_size
- shdr
;
170 buf_size
= round_up(shdr
+ remain
, RXKAD_ALIGN
);
173 *_buf_size
= buf_size
;
180 * prime the encryption state with the invariant parts of a connection's
183 static int rxkad_prime_packet_security(struct rxrpc_connection
*conn
,
184 struct crypto_sync_skcipher
*ci
)
186 struct skcipher_request
*req
;
187 struct rxrpc_key_token
*token
;
188 struct scatterlist sg
;
189 struct rxrpc_crypt iv
;
191 size_t tmpsize
= 4 * sizeof(__be32
);
195 if (!conn
->params
.key
)
198 tmpbuf
= kmalloc(tmpsize
, GFP_KERNEL
);
202 req
= skcipher_request_alloc(&ci
->base
, GFP_NOFS
);
208 token
= conn
->params
.key
->payload
.data
[0];
209 memcpy(&iv
, token
->kad
->session_key
, sizeof(iv
));
211 tmpbuf
[0] = htonl(conn
->proto
.epoch
);
212 tmpbuf
[1] = htonl(conn
->proto
.cid
);
214 tmpbuf
[3] = htonl(conn
->security_ix
);
216 sg_init_one(&sg
, tmpbuf
, tmpsize
);
217 skcipher_request_set_sync_tfm(req
, ci
);
218 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
219 skcipher_request_set_crypt(req
, &sg
, &sg
, tmpsize
, iv
.x
);
220 crypto_skcipher_encrypt(req
);
221 skcipher_request_free(req
);
223 memcpy(&conn
->rxkad
.csum_iv
, tmpbuf
+ 2, sizeof(conn
->rxkad
.csum_iv
));
230 * Allocate and prepare the crypto request on a call. For any particular call,
231 * this is called serially for the packets, so no lock should be necessary.
233 static struct skcipher_request
*rxkad_get_call_crypto(struct rxrpc_call
*call
)
235 struct crypto_skcipher
*tfm
= &call
->conn
->rxkad
.cipher
->base
;
236 struct skcipher_request
*cipher_req
= call
->cipher_req
;
239 cipher_req
= skcipher_request_alloc(tfm
, GFP_NOFS
);
242 call
->cipher_req
= cipher_req
;
249 * Clean up the crypto on a call.
251 static void rxkad_free_call_crypto(struct rxrpc_call
*call
)
253 if (call
->cipher_req
)
254 skcipher_request_free(call
->cipher_req
);
255 call
->cipher_req
= NULL
;
259 * partially encrypt a packet (level 1 security)
261 static int rxkad_secure_packet_auth(const struct rxrpc_call
*call
,
262 struct sk_buff
*skb
, u32 data_size
,
263 struct skcipher_request
*req
)
265 struct rxrpc_skb_priv
*sp
= rxrpc_skb(skb
);
266 struct rxkad_level1_hdr hdr
;
267 struct rxrpc_crypt iv
;
268 struct scatterlist sg
;
274 check
= sp
->hdr
.seq
^ call
->call_id
;
275 data_size
|= (u32
)check
<< 16;
277 hdr
.data_size
= htonl(data_size
);
278 memcpy(skb
->head
, &hdr
, sizeof(hdr
));
280 pad
= sizeof(struct rxkad_level1_hdr
) + data_size
;
281 pad
= RXKAD_ALIGN
- pad
;
282 pad
&= RXKAD_ALIGN
- 1;
284 skb_put_zero(skb
, pad
);
286 /* start the encryption afresh */
287 memset(&iv
, 0, sizeof(iv
));
289 sg_init_one(&sg
, skb
->head
, 8);
290 skcipher_request_set_sync_tfm(req
, call
->conn
->rxkad
.cipher
);
291 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
292 skcipher_request_set_crypt(req
, &sg
, &sg
, 8, iv
.x
);
293 crypto_skcipher_encrypt(req
);
294 skcipher_request_zero(req
);
301 * wholly encrypt a packet (level 2 security)
303 static int rxkad_secure_packet_encrypt(const struct rxrpc_call
*call
,
306 struct skcipher_request
*req
)
308 const struct rxrpc_key_token
*token
;
309 struct rxkad_level2_hdr rxkhdr
;
310 struct rxrpc_skb_priv
*sp
;
311 struct rxrpc_crypt iv
;
312 struct scatterlist sg
[16];
322 check
= sp
->hdr
.seq
^ call
->call_id
;
324 rxkhdr
.data_size
= htonl(data_size
| (u32
)check
<< 16);
326 memcpy(skb
->head
, &rxkhdr
, sizeof(rxkhdr
));
328 pad
= sizeof(struct rxkad_level2_hdr
) + data_size
;
329 pad
= RXKAD_ALIGN
- pad
;
330 pad
&= RXKAD_ALIGN
- 1;
332 skb_put_zero(skb
, pad
);
334 /* encrypt from the session key */
335 token
= call
->conn
->params
.key
->payload
.data
[0];
336 memcpy(&iv
, token
->kad
->session_key
, sizeof(iv
));
338 sg_init_one(&sg
[0], skb
->head
, sizeof(rxkhdr
));
339 skcipher_request_set_sync_tfm(req
, call
->conn
->rxkad
.cipher
);
340 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
341 skcipher_request_set_crypt(req
, &sg
[0], &sg
[0], sizeof(rxkhdr
), iv
.x
);
342 crypto_skcipher_encrypt(req
);
344 /* we want to encrypt the skbuff in-place */
346 if (skb_shinfo(skb
)->nr_frags
> 16)
349 len
= round_up(data_size
, RXKAD_ALIGN
);
351 sg_init_table(sg
, ARRAY_SIZE(sg
));
352 err
= skb_to_sgvec(skb
, sg
, 8, len
);
353 if (unlikely(err
< 0))
355 skcipher_request_set_crypt(req
, sg
, sg
, len
, iv
.x
);
356 crypto_skcipher_encrypt(req
);
362 skcipher_request_zero(req
);
367 * checksum an RxRPC packet header
369 static int rxkad_secure_packet(struct rxrpc_call
*call
,
373 struct rxrpc_skb_priv
*sp
;
374 struct skcipher_request
*req
;
375 struct rxrpc_crypt iv
;
376 struct scatterlist sg
;
382 _enter("{%d{%x}},{#%u},%zu,",
383 call
->debug_id
, key_serial(call
->conn
->params
.key
),
384 sp
->hdr
.seq
, data_size
);
386 if (!call
->conn
->rxkad
.cipher
)
389 ret
= key_validate(call
->conn
->params
.key
);
393 req
= rxkad_get_call_crypto(call
);
397 /* continue encrypting from where we left off */
398 memcpy(&iv
, call
->conn
->rxkad
.csum_iv
.x
, sizeof(iv
));
400 /* calculate the security checksum */
401 x
= (call
->cid
& RXRPC_CHANNELMASK
) << (32 - RXRPC_CIDSHIFT
);
402 x
|= sp
->hdr
.seq
& 0x3fffffff;
403 call
->crypto_buf
[0] = htonl(call
->call_id
);
404 call
->crypto_buf
[1] = htonl(x
);
406 sg_init_one(&sg
, call
->crypto_buf
, 8);
407 skcipher_request_set_sync_tfm(req
, call
->conn
->rxkad
.cipher
);
408 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
409 skcipher_request_set_crypt(req
, &sg
, &sg
, 8, iv
.x
);
410 crypto_skcipher_encrypt(req
);
411 skcipher_request_zero(req
);
413 y
= ntohl(call
->crypto_buf
[1]);
414 y
= (y
>> 16) & 0xffff;
416 y
= 1; /* zero checksums are not permitted */
419 switch (call
->conn
->params
.security_level
) {
420 case RXRPC_SECURITY_PLAIN
:
423 case RXRPC_SECURITY_AUTH
:
424 ret
= rxkad_secure_packet_auth(call
, skb
, data_size
, req
);
426 case RXRPC_SECURITY_ENCRYPT
:
427 ret
= rxkad_secure_packet_encrypt(call
, skb
, data_size
, req
);
434 _leave(" = %d [set %hx]", ret
, y
);
439 * decrypt partial encryption on a packet (level 1 security)
441 static int rxkad_verify_packet_1(struct rxrpc_call
*call
, struct sk_buff
*skb
,
442 unsigned int offset
, unsigned int len
,
444 struct skcipher_request
*req
)
446 struct rxkad_level1_hdr sechdr
;
447 struct rxrpc_crypt iv
;
448 struct scatterlist sg
[16];
457 aborted
= rxrpc_abort_eproto(call
, skb
, "rxkad_1_hdr", "V1H",
462 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
463 * directly into the target buffer.
465 sg_init_table(sg
, ARRAY_SIZE(sg
));
466 ret
= skb_to_sgvec(skb
, sg
, offset
, 8);
467 if (unlikely(ret
< 0))
470 /* start the decryption afresh */
471 memset(&iv
, 0, sizeof(iv
));
473 skcipher_request_set_sync_tfm(req
, call
->conn
->rxkad
.cipher
);
474 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
475 skcipher_request_set_crypt(req
, sg
, sg
, 8, iv
.x
);
476 crypto_skcipher_decrypt(req
);
477 skcipher_request_zero(req
);
479 /* Extract the decrypted packet length */
480 if (skb_copy_bits(skb
, offset
, &sechdr
, sizeof(sechdr
)) < 0) {
481 aborted
= rxrpc_abort_eproto(call
, skb
, "rxkad_1_len", "XV1",
485 len
-= sizeof(sechdr
);
487 buf
= ntohl(sechdr
.data_size
);
488 data_size
= buf
& 0xffff;
491 check
^= seq
^ call
->call_id
;
494 aborted
= rxrpc_abort_eproto(call
, skb
, "rxkad_1_check", "V1C",
499 if (data_size
> len
) {
500 aborted
= rxrpc_abort_eproto(call
, skb
, "rxkad_1_datalen", "V1L",
505 _leave(" = 0 [dlen=%x]", data_size
);
510 rxrpc_send_abort_packet(call
);
515 * wholly decrypt a packet (level 2 security)
517 static int rxkad_verify_packet_2(struct rxrpc_call
*call
, struct sk_buff
*skb
,
518 unsigned int offset
, unsigned int len
,
520 struct skcipher_request
*req
)
522 const struct rxrpc_key_token
*token
;
523 struct rxkad_level2_hdr sechdr
;
524 struct rxrpc_crypt iv
;
525 struct scatterlist _sg
[4], *sg
;
531 _enter(",{%d}", skb
->len
);
534 aborted
= rxrpc_abort_eproto(call
, skb
, "rxkad_2_hdr", "V2H",
539 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
540 * directly into the target buffer.
543 nsg
= skb_shinfo(skb
)->nr_frags
;
547 sg
= kmalloc_array(nsg
, sizeof(*sg
), GFP_NOIO
);
552 sg_init_table(sg
, nsg
);
553 ret
= skb_to_sgvec(skb
, sg
, offset
, len
);
554 if (unlikely(ret
< 0)) {
560 /* decrypt from the session key */
561 token
= call
->conn
->params
.key
->payload
.data
[0];
562 memcpy(&iv
, token
->kad
->session_key
, sizeof(iv
));
564 skcipher_request_set_sync_tfm(req
, call
->conn
->rxkad
.cipher
);
565 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
566 skcipher_request_set_crypt(req
, sg
, sg
, len
, iv
.x
);
567 crypto_skcipher_decrypt(req
);
568 skcipher_request_zero(req
);
572 /* Extract the decrypted packet length */
573 if (skb_copy_bits(skb
, offset
, &sechdr
, sizeof(sechdr
)) < 0) {
574 aborted
= rxrpc_abort_eproto(call
, skb
, "rxkad_2_len", "XV2",
578 len
-= sizeof(sechdr
);
580 buf
= ntohl(sechdr
.data_size
);
581 data_size
= buf
& 0xffff;
584 check
^= seq
^ call
->call_id
;
587 aborted
= rxrpc_abort_eproto(call
, skb
, "rxkad_2_check", "V2C",
592 if (data_size
> len
) {
593 aborted
= rxrpc_abort_eproto(call
, skb
, "rxkad_2_datalen", "V2L",
598 _leave(" = 0 [dlen=%x]", data_size
);
603 rxrpc_send_abort_packet(call
);
607 _leave(" = -ENOMEM");
612 * Verify the security on a received packet or subpacket (if part of a
615 static int rxkad_verify_packet(struct rxrpc_call
*call
, struct sk_buff
*skb
,
616 unsigned int offset
, unsigned int len
,
617 rxrpc_seq_t seq
, u16 expected_cksum
)
619 struct skcipher_request
*req
;
620 struct rxrpc_crypt iv
;
621 struct scatterlist sg
;
626 _enter("{%d{%x}},{#%u}",
627 call
->debug_id
, key_serial(call
->conn
->params
.key
), seq
);
629 if (!call
->conn
->rxkad
.cipher
)
632 req
= rxkad_get_call_crypto(call
);
636 /* continue encrypting from where we left off */
637 memcpy(&iv
, call
->conn
->rxkad
.csum_iv
.x
, sizeof(iv
));
639 /* validate the security checksum */
640 x
= (call
->cid
& RXRPC_CHANNELMASK
) << (32 - RXRPC_CIDSHIFT
);
641 x
|= seq
& 0x3fffffff;
642 call
->crypto_buf
[0] = htonl(call
->call_id
);
643 call
->crypto_buf
[1] = htonl(x
);
645 sg_init_one(&sg
, call
->crypto_buf
, 8);
646 skcipher_request_set_sync_tfm(req
, call
->conn
->rxkad
.cipher
);
647 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
648 skcipher_request_set_crypt(req
, &sg
, &sg
, 8, iv
.x
);
649 crypto_skcipher_encrypt(req
);
650 skcipher_request_zero(req
);
652 y
= ntohl(call
->crypto_buf
[1]);
653 cksum
= (y
>> 16) & 0xffff;
655 cksum
= 1; /* zero checksums are not permitted */
657 if (cksum
!= expected_cksum
) {
658 aborted
= rxrpc_abort_eproto(call
, skb
, "rxkad_csum", "VCK",
663 switch (call
->conn
->params
.security_level
) {
664 case RXRPC_SECURITY_PLAIN
:
666 case RXRPC_SECURITY_AUTH
:
667 return rxkad_verify_packet_1(call
, skb
, offset
, len
, seq
, req
);
668 case RXRPC_SECURITY_ENCRYPT
:
669 return rxkad_verify_packet_2(call
, skb
, offset
, len
, seq
, req
);
676 rxrpc_send_abort_packet(call
);
681 * Locate the data contained in a packet that was partially encrypted.
683 static void rxkad_locate_data_1(struct rxrpc_call
*call
, struct sk_buff
*skb
,
684 unsigned int *_offset
, unsigned int *_len
)
686 struct rxkad_level1_hdr sechdr
;
688 if (skb_copy_bits(skb
, *_offset
, &sechdr
, sizeof(sechdr
)) < 0)
690 *_offset
+= sizeof(sechdr
);
691 *_len
= ntohl(sechdr
.data_size
) & 0xffff;
695 * Locate the data contained in a packet that was completely encrypted.
697 static void rxkad_locate_data_2(struct rxrpc_call
*call
, struct sk_buff
*skb
,
698 unsigned int *_offset
, unsigned int *_len
)
700 struct rxkad_level2_hdr sechdr
;
702 if (skb_copy_bits(skb
, *_offset
, &sechdr
, sizeof(sechdr
)) < 0)
704 *_offset
+= sizeof(sechdr
);
705 *_len
= ntohl(sechdr
.data_size
) & 0xffff;
709 * Locate the data contained in an already decrypted packet.
711 static void rxkad_locate_data(struct rxrpc_call
*call
, struct sk_buff
*skb
,
712 unsigned int *_offset
, unsigned int *_len
)
714 switch (call
->conn
->params
.security_level
) {
715 case RXRPC_SECURITY_AUTH
:
716 rxkad_locate_data_1(call
, skb
, _offset
, _len
);
718 case RXRPC_SECURITY_ENCRYPT
:
719 rxkad_locate_data_2(call
, skb
, _offset
, _len
);
729 static int rxkad_issue_challenge(struct rxrpc_connection
*conn
)
731 struct rxkad_challenge challenge
;
732 struct rxrpc_wire_header whdr
;
739 _enter("{%d}", conn
->debug_id
);
741 get_random_bytes(&conn
->rxkad
.nonce
, sizeof(conn
->rxkad
.nonce
));
743 challenge
.version
= htonl(2);
744 challenge
.nonce
= htonl(conn
->rxkad
.nonce
);
745 challenge
.min_level
= htonl(0);
746 challenge
.__padding
= 0;
748 msg
.msg_name
= &conn
->params
.peer
->srx
.transport
;
749 msg
.msg_namelen
= conn
->params
.peer
->srx
.transport_len
;
750 msg
.msg_control
= NULL
;
751 msg
.msg_controllen
= 0;
754 whdr
.epoch
= htonl(conn
->proto
.epoch
);
755 whdr
.cid
= htonl(conn
->proto
.cid
);
758 whdr
.type
= RXRPC_PACKET_TYPE_CHALLENGE
;
759 whdr
.flags
= conn
->out_clientflag
;
761 whdr
.securityIndex
= conn
->security_ix
;
763 whdr
.serviceId
= htons(conn
->service_id
);
765 iov
[0].iov_base
= &whdr
;
766 iov
[0].iov_len
= sizeof(whdr
);
767 iov
[1].iov_base
= &challenge
;
768 iov
[1].iov_len
= sizeof(challenge
);
770 len
= iov
[0].iov_len
+ iov
[1].iov_len
;
772 serial
= atomic_inc_return(&conn
->serial
);
773 whdr
.serial
= htonl(serial
);
774 _proto("Tx CHALLENGE %%%u", serial
);
776 ret
= kernel_sendmsg(conn
->params
.local
->socket
, &msg
, iov
, 2, len
);
778 trace_rxrpc_tx_fail(conn
->debug_id
, serial
, ret
,
779 rxrpc_tx_point_rxkad_challenge
);
783 conn
->params
.peer
->last_tx_at
= ktime_get_seconds();
784 trace_rxrpc_tx_packet(conn
->debug_id
, &whdr
,
785 rxrpc_tx_point_rxkad_challenge
);
791 * send a Kerberos security response
793 static int rxkad_send_response(struct rxrpc_connection
*conn
,
794 struct rxrpc_host_header
*hdr
,
795 struct rxkad_response
*resp
,
796 const struct rxkad_key
*s2
)
798 struct rxrpc_wire_header whdr
;
807 msg
.msg_name
= &conn
->params
.peer
->srx
.transport
;
808 msg
.msg_namelen
= conn
->params
.peer
->srx
.transport_len
;
809 msg
.msg_control
= NULL
;
810 msg
.msg_controllen
= 0;
813 memset(&whdr
, 0, sizeof(whdr
));
814 whdr
.epoch
= htonl(hdr
->epoch
);
815 whdr
.cid
= htonl(hdr
->cid
);
816 whdr
.type
= RXRPC_PACKET_TYPE_RESPONSE
;
817 whdr
.flags
= conn
->out_clientflag
;
818 whdr
.securityIndex
= hdr
->securityIndex
;
819 whdr
.serviceId
= htons(hdr
->serviceId
);
821 iov
[0].iov_base
= &whdr
;
822 iov
[0].iov_len
= sizeof(whdr
);
823 iov
[1].iov_base
= resp
;
824 iov
[1].iov_len
= sizeof(*resp
);
825 iov
[2].iov_base
= (void *)s2
->ticket
;
826 iov
[2].iov_len
= s2
->ticket_len
;
828 len
= iov
[0].iov_len
+ iov
[1].iov_len
+ iov
[2].iov_len
;
830 serial
= atomic_inc_return(&conn
->serial
);
831 whdr
.serial
= htonl(serial
);
832 _proto("Tx RESPONSE %%%u", serial
);
834 ret
= kernel_sendmsg(conn
->params
.local
->socket
, &msg
, iov
, 3, len
);
836 trace_rxrpc_tx_fail(conn
->debug_id
, serial
, ret
,
837 rxrpc_tx_point_rxkad_response
);
841 conn
->params
.peer
->last_tx_at
= ktime_get_seconds();
847 * calculate the response checksum
849 static void rxkad_calc_response_checksum(struct rxkad_response
*response
)
853 u8
*p
= (u8
*) response
;
855 for (loop
= sizeof(*response
); loop
> 0; loop
--)
856 csum
= csum
* 0x10204081 + *p
++;
858 response
->encrypted
.checksum
= htonl(csum
);
862 * encrypt the response packet
864 static int rxkad_encrypt_response(struct rxrpc_connection
*conn
,
865 struct rxkad_response
*resp
,
866 const struct rxkad_key
*s2
)
868 struct skcipher_request
*req
;
869 struct rxrpc_crypt iv
;
870 struct scatterlist sg
[1];
872 req
= skcipher_request_alloc(&conn
->rxkad
.cipher
->base
, GFP_NOFS
);
876 /* continue encrypting from where we left off */
877 memcpy(&iv
, s2
->session_key
, sizeof(iv
));
879 sg_init_table(sg
, 1);
880 sg_set_buf(sg
, &resp
->encrypted
, sizeof(resp
->encrypted
));
881 skcipher_request_set_sync_tfm(req
, conn
->rxkad
.cipher
);
882 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
883 skcipher_request_set_crypt(req
, sg
, sg
, sizeof(resp
->encrypted
), iv
.x
);
884 crypto_skcipher_encrypt(req
);
885 skcipher_request_free(req
);
890 * respond to a challenge packet
892 static int rxkad_respond_to_challenge(struct rxrpc_connection
*conn
,
896 const struct rxrpc_key_token
*token
;
897 struct rxkad_challenge challenge
;
898 struct rxkad_response
*resp
;
899 struct rxrpc_skb_priv
*sp
= rxrpc_skb(skb
);
901 u32 version
, nonce
, min_level
, abort_code
;
904 _enter("{%d,%x}", conn
->debug_id
, key_serial(conn
->params
.key
));
906 eproto
= tracepoint_string("chall_no_key");
907 abort_code
= RX_PROTOCOL_ERROR
;
908 if (!conn
->params
.key
)
911 abort_code
= RXKADEXPIRED
;
912 ret
= key_validate(conn
->params
.key
);
916 eproto
= tracepoint_string("chall_short");
917 abort_code
= RXKADPACKETSHORT
;
918 if (skb_copy_bits(skb
, sizeof(struct rxrpc_wire_header
),
919 &challenge
, sizeof(challenge
)) < 0)
922 version
= ntohl(challenge
.version
);
923 nonce
= ntohl(challenge
.nonce
);
924 min_level
= ntohl(challenge
.min_level
);
926 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
927 sp
->hdr
.serial
, version
, nonce
, min_level
);
929 eproto
= tracepoint_string("chall_ver");
930 abort_code
= RXKADINCONSISTENCY
;
931 if (version
!= RXKAD_VERSION
)
934 abort_code
= RXKADLEVELFAIL
;
936 if (conn
->params
.security_level
< min_level
)
939 token
= conn
->params
.key
->payload
.data
[0];
941 /* build the response packet */
942 resp
= kzalloc(sizeof(struct rxkad_response
), GFP_NOFS
);
946 resp
->version
= htonl(RXKAD_VERSION
);
947 resp
->encrypted
.epoch
= htonl(conn
->proto
.epoch
);
948 resp
->encrypted
.cid
= htonl(conn
->proto
.cid
);
949 resp
->encrypted
.securityIndex
= htonl(conn
->security_ix
);
950 resp
->encrypted
.inc_nonce
= htonl(nonce
+ 1);
951 resp
->encrypted
.level
= htonl(conn
->params
.security_level
);
952 resp
->kvno
= htonl(token
->kad
->kvno
);
953 resp
->ticket_len
= htonl(token
->kad
->ticket_len
);
954 resp
->encrypted
.call_id
[0] = htonl(conn
->channels
[0].call_counter
);
955 resp
->encrypted
.call_id
[1] = htonl(conn
->channels
[1].call_counter
);
956 resp
->encrypted
.call_id
[2] = htonl(conn
->channels
[2].call_counter
);
957 resp
->encrypted
.call_id
[3] = htonl(conn
->channels
[3].call_counter
);
959 /* calculate the response checksum and then do the encryption */
960 rxkad_calc_response_checksum(resp
);
961 ret
= rxkad_encrypt_response(conn
, resp
, token
->kad
);
963 ret
= rxkad_send_response(conn
, &sp
->hdr
, resp
, token
->kad
);
968 trace_rxrpc_rx_eproto(NULL
, sp
->hdr
.serial
, eproto
);
971 *_abort_code
= abort_code
;
976 * decrypt the kerberos IV ticket in the response
978 static int rxkad_decrypt_ticket(struct rxrpc_connection
*conn
,
979 struct key
*server_key
,
981 void *ticket
, size_t ticket_len
,
982 struct rxrpc_crypt
*_session_key
,
986 struct skcipher_request
*req
;
987 struct rxrpc_skb_priv
*sp
= rxrpc_skb(skb
);
988 struct rxrpc_crypt iv
, key
;
989 struct scatterlist sg
[1];
997 u8
*p
, *q
, *name
, *end
;
999 _enter("{%d},{%x}", conn
->debug_id
, key_serial(server_key
));
1003 ASSERT(server_key
->payload
.data
[0] != NULL
);
1004 ASSERTCMP((unsigned long) ticket
& 7UL, ==, 0);
1006 memcpy(&iv
, &server_key
->payload
.data
[2], sizeof(iv
));
1009 req
= skcipher_request_alloc(server_key
->payload
.data
[0], GFP_NOFS
);
1011 goto temporary_error
;
1013 sg_init_one(&sg
[0], ticket
, ticket_len
);
1014 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
1015 skcipher_request_set_crypt(req
, sg
, sg
, ticket_len
, iv
.x
);
1016 crypto_skcipher_decrypt(req
);
1017 skcipher_request_free(req
);
1020 end
= p
+ ticket_len
;
1025 eproto = tracepoint_string("rxkad_bad_"#field); \
1026 q = memchr(p, 0, end - p); \
1027 if (!q || q - p > (field##_SZ)) \
1029 for (; p < q; p++) \
1036 /* extract the ticket flags */
1037 _debug("KIV FLAGS: %x", *p
);
1038 little_endian
= *p
& 1;
1041 /* extract the authentication name */
1043 _debug("KIV ANAME: %s", name
);
1045 /* extract the principal's instance */
1047 _debug("KIV INST : %s", name
);
1049 /* extract the principal's authentication domain */
1051 _debug("KIV REALM: %s", name
);
1053 eproto
= tracepoint_string("rxkad_bad_len");
1054 if (end
- p
< 4 + 8 + 4 + 2)
1057 /* get the IPv4 address of the entity that requested the ticket */
1058 memcpy(&addr
, p
, sizeof(addr
));
1060 _debug("KIV ADDR : %pI4", &addr
);
1062 /* get the session key from the ticket */
1063 memcpy(&key
, p
, sizeof(key
));
1065 _debug("KIV KEY : %08x %08x", ntohl(key
.n
[0]), ntohl(key
.n
[1]));
1066 memcpy(_session_key
, &key
, sizeof(key
));
1068 /* get the ticket's lifetime */
1069 life
= *p
++ * 5 * 60;
1070 _debug("KIV LIFE : %u", life
);
1072 /* get the issue time of the ticket */
1073 if (little_endian
) {
1075 memcpy(&stamp
, p
, 4);
1076 issue
= rxrpc_u32_to_time64(le32_to_cpu(stamp
));
1079 memcpy(&stamp
, p
, 4);
1080 issue
= rxrpc_u32_to_time64(be32_to_cpu(stamp
));
1083 now
= ktime_get_real_seconds();
1084 _debug("KIV ISSUE: %llx [%llx]", issue
, now
);
1086 /* check the ticket is in date */
1088 abort_code
= RXKADNOAUTH
;
1089 ret
= -EKEYREJECTED
;
1093 if (issue
< now
- life
) {
1094 abort_code
= RXKADEXPIRED
;
1099 *_expiry
= issue
+ life
;
1101 /* get the service name */
1103 _debug("KIV SNAME: %s", name
);
1105 /* get the service instance name */
1107 _debug("KIV SINST: %s", name
);
1111 trace_rxrpc_rx_eproto(NULL
, sp
->hdr
.serial
, eproto
);
1112 abort_code
= RXKADBADTICKET
;
1115 *_abort_code
= abort_code
;
1122 * decrypt the response packet
1124 static void rxkad_decrypt_response(struct rxrpc_connection
*conn
,
1125 struct rxkad_response
*resp
,
1126 const struct rxrpc_crypt
*session_key
)
1128 struct skcipher_request
*req
= rxkad_ci_req
;
1129 struct scatterlist sg
[1];
1130 struct rxrpc_crypt iv
;
1132 _enter(",,%08x%08x",
1133 ntohl(session_key
->n
[0]), ntohl(session_key
->n
[1]));
1135 mutex_lock(&rxkad_ci_mutex
);
1136 if (crypto_sync_skcipher_setkey(rxkad_ci
, session_key
->x
,
1137 sizeof(*session_key
)) < 0)
1140 memcpy(&iv
, session_key
, sizeof(iv
));
1142 sg_init_table(sg
, 1);
1143 sg_set_buf(sg
, &resp
->encrypted
, sizeof(resp
->encrypted
));
1144 skcipher_request_set_sync_tfm(req
, rxkad_ci
);
1145 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
1146 skcipher_request_set_crypt(req
, sg
, sg
, sizeof(resp
->encrypted
), iv
.x
);
1147 crypto_skcipher_decrypt(req
);
1148 skcipher_request_zero(req
);
1150 mutex_unlock(&rxkad_ci_mutex
);
1158 static int rxkad_verify_response(struct rxrpc_connection
*conn
,
1159 struct sk_buff
*skb
,
1162 struct rxkad_response
*response
;
1163 struct rxrpc_skb_priv
*sp
= rxrpc_skb(skb
);
1164 struct rxrpc_crypt session_key
;
1165 struct key
*server_key
;
1169 u32 abort_code
, version
, kvno
, ticket_len
, level
;
1173 _enter("{%d}", conn
->debug_id
);
1175 server_key
= rxrpc_look_up_server_security(conn
, skb
, 0, 0);
1176 if (IS_ERR(server_key
)) {
1177 switch (PTR_ERR(server_key
)) {
1179 abort_code
= RXKADUNKNOWNKEY
;
1182 abort_code
= RXKADEXPIRED
;
1185 abort_code
= RXKADNOAUTH
;
1188 trace_rxrpc_abort(0, "SVK",
1189 sp
->hdr
.cid
, sp
->hdr
.callNumber
, sp
->hdr
.seq
,
1190 abort_code
, PTR_ERR(server_key
));
1191 *_abort_code
= abort_code
;
1196 response
= kzalloc(sizeof(struct rxkad_response
), GFP_NOFS
);
1198 goto temporary_error
;
1200 eproto
= tracepoint_string("rxkad_rsp_short");
1201 abort_code
= RXKADPACKETSHORT
;
1202 if (skb_copy_bits(skb
, sizeof(struct rxrpc_wire_header
),
1203 response
, sizeof(*response
)) < 0)
1204 goto protocol_error
;
1206 version
= ntohl(response
->version
);
1207 ticket_len
= ntohl(response
->ticket_len
);
1208 kvno
= ntohl(response
->kvno
);
1209 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1210 sp
->hdr
.serial
, version
, kvno
, ticket_len
);
1212 eproto
= tracepoint_string("rxkad_rsp_ver");
1213 abort_code
= RXKADINCONSISTENCY
;
1214 if (version
!= RXKAD_VERSION
)
1215 goto protocol_error
;
1217 eproto
= tracepoint_string("rxkad_rsp_tktlen");
1218 abort_code
= RXKADTICKETLEN
;
1219 if (ticket_len
< 4 || ticket_len
> MAXKRB5TICKETLEN
)
1220 goto protocol_error
;
1222 eproto
= tracepoint_string("rxkad_rsp_unkkey");
1223 abort_code
= RXKADUNKNOWNKEY
;
1224 if (kvno
>= RXKAD_TKT_TYPE_KERBEROS_V5
)
1225 goto protocol_error
;
1227 /* extract the kerberos ticket and decrypt and decode it */
1229 ticket
= kmalloc(ticket_len
, GFP_NOFS
);
1231 goto temporary_error_free_resp
;
1233 eproto
= tracepoint_string("rxkad_tkt_short");
1234 abort_code
= RXKADPACKETSHORT
;
1235 if (skb_copy_bits(skb
, sizeof(struct rxrpc_wire_header
) + sizeof(*response
),
1236 ticket
, ticket_len
) < 0)
1237 goto protocol_error_free
;
1239 ret
= rxkad_decrypt_ticket(conn
, server_key
, skb
, ticket
, ticket_len
,
1240 &session_key
, &expiry
, _abort_code
);
1242 goto temporary_error_free_ticket
;
1244 /* use the session key from inside the ticket to decrypt the
1246 rxkad_decrypt_response(conn
, response
, &session_key
);
1248 eproto
= tracepoint_string("rxkad_rsp_param");
1249 abort_code
= RXKADSEALEDINCON
;
1250 if (ntohl(response
->encrypted
.epoch
) != conn
->proto
.epoch
)
1251 goto protocol_error_free
;
1252 if (ntohl(response
->encrypted
.cid
) != conn
->proto
.cid
)
1253 goto protocol_error_free
;
1254 if (ntohl(response
->encrypted
.securityIndex
) != conn
->security_ix
)
1255 goto protocol_error_free
;
1256 csum
= response
->encrypted
.checksum
;
1257 response
->encrypted
.checksum
= 0;
1258 rxkad_calc_response_checksum(response
);
1259 eproto
= tracepoint_string("rxkad_rsp_csum");
1260 if (response
->encrypted
.checksum
!= csum
)
1261 goto protocol_error_free
;
1263 spin_lock(&conn
->bundle
->channel_lock
);
1264 for (i
= 0; i
< RXRPC_MAXCALLS
; i
++) {
1265 struct rxrpc_call
*call
;
1266 u32 call_id
= ntohl(response
->encrypted
.call_id
[i
]);
1268 eproto
= tracepoint_string("rxkad_rsp_callid");
1269 if (call_id
> INT_MAX
)
1270 goto protocol_error_unlock
;
1272 eproto
= tracepoint_string("rxkad_rsp_callctr");
1273 if (call_id
< conn
->channels
[i
].call_counter
)
1274 goto protocol_error_unlock
;
1276 eproto
= tracepoint_string("rxkad_rsp_callst");
1277 if (call_id
> conn
->channels
[i
].call_counter
) {
1278 call
= rcu_dereference_protected(
1279 conn
->channels
[i
].call
,
1280 lockdep_is_held(&conn
->bundle
->channel_lock
));
1281 if (call
&& call
->state
< RXRPC_CALL_COMPLETE
)
1282 goto protocol_error_unlock
;
1283 conn
->channels
[i
].call_counter
= call_id
;
1286 spin_unlock(&conn
->bundle
->channel_lock
);
1288 eproto
= tracepoint_string("rxkad_rsp_seq");
1289 abort_code
= RXKADOUTOFSEQUENCE
;
1290 if (ntohl(response
->encrypted
.inc_nonce
) != conn
->rxkad
.nonce
+ 1)
1291 goto protocol_error_free
;
1293 eproto
= tracepoint_string("rxkad_rsp_level");
1294 abort_code
= RXKADLEVELFAIL
;
1295 level
= ntohl(response
->encrypted
.level
);
1296 if (level
> RXRPC_SECURITY_ENCRYPT
)
1297 goto protocol_error_free
;
1298 conn
->params
.security_level
= level
;
1300 /* create a key to hold the security data and expiration time - after
1301 * this the connection security can be handled in exactly the same way
1302 * as for a client connection */
1303 ret
= rxrpc_get_server_data_key(conn
, &session_key
, expiry
, kvno
);
1305 goto temporary_error_free_ticket
;
1312 protocol_error_unlock
:
1313 spin_unlock(&conn
->bundle
->channel_lock
);
1314 protocol_error_free
:
1318 trace_rxrpc_rx_eproto(NULL
, sp
->hdr
.serial
, eproto
);
1319 key_put(server_key
);
1320 *_abort_code
= abort_code
;
1323 temporary_error_free_ticket
:
1325 temporary_error_free_resp
:
1328 /* Ignore the response packet if we got a temporary error such as
1329 * ENOMEM. We just want to send the challenge again. Note that we
1330 * also come out this way if the ticket decryption fails.
1332 key_put(server_key
);
1337 * clear the connection security
1339 static void rxkad_clear(struct rxrpc_connection
*conn
)
1343 if (conn
->rxkad
.cipher
)
1344 crypto_free_sync_skcipher(conn
->rxkad
.cipher
);
1348 * Initialise the rxkad security service.
1350 static int rxkad_init(void)
1352 struct crypto_sync_skcipher
*tfm
;
1353 struct skcipher_request
*req
;
1355 /* pin the cipher we need so that the crypto layer doesn't invoke
1356 * keventd to go get it */
1357 tfm
= crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
1359 return PTR_ERR(tfm
);
1361 req
= skcipher_request_alloc(&tfm
->base
, GFP_KERNEL
);
1370 crypto_free_sync_skcipher(tfm
);
1375 * Clean up the rxkad security service.
1377 static void rxkad_exit(void)
1379 crypto_free_sync_skcipher(rxkad_ci
);
1380 skcipher_request_free(rxkad_ci_req
);
1384 * RxRPC Kerberos-based security
1386 const struct rxrpc_security rxkad
= {
1388 .security_index
= RXRPC_SECURITY_RXKAD
,
1389 .no_key_abort
= RXKADUNKNOWNKEY
,
1392 .preparse_server_key
= rxkad_preparse_server_key
,
1393 .free_preparse_server_key
= rxkad_free_preparse_server_key
,
1394 .destroy_server_key
= rxkad_destroy_server_key
,
1395 .init_connection_security
= rxkad_init_connection_security
,
1396 .how_much_data
= rxkad_how_much_data
,
1397 .secure_packet
= rxkad_secure_packet
,
1398 .verify_packet
= rxkad_verify_packet
,
1399 .free_call_crypto
= rxkad_free_call_crypto
,
1400 .locate_data
= rxkad_locate_data
,
1401 .issue_challenge
= rxkad_issue_challenge
,
1402 .respond_to_challenge
= rxkad_respond_to_challenge
,
1403 .verify_response
= rxkad_verify_response
,
1404 .clear
= rxkad_clear
,