blob: 4374e7b9c7bff9fdd1d36a5a9fc8f135414ed360 [file] [log] [blame]
David Howells17926a72007-04-26 15:48:28 -07001/* Kerberos-based RxRPC security
2 *
3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 */
11
Joe Perches9b6d5392016-06-02 12:08:52 -070012#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13
Herbert Xu1afe5932016-01-24 21:19:01 +080014#include <crypto/skcipher.h>
David Howells17926a72007-04-26 15:48:28 -070015#include <linux/module.h>
16#include <linux/net.h>
17#include <linux/skbuff.h>
18#include <linux/udp.h>
David Howells17926a72007-04-26 15:48:28 -070019#include <linux/scatterlist.h>
20#include <linux/ctype.h>
Tejun Heo5a0e3ad2010-03-24 17:04:11 +090021#include <linux/slab.h>
David Howells17926a72007-04-26 15:48:28 -070022#include <net/sock.h>
23#include <net/af_rxrpc.h>
David Howells33941282009-09-14 01:17:35 +000024#include <keys/rxrpc-type.h>
David Howells17926a72007-04-26 15:48:28 -070025#include "ar-internal.h"
26
27#define RXKAD_VERSION 2
28#define MAXKRB5TICKETLEN 1024
29#define RXKAD_TKT_TYPE_KERBEROS_V5 256
30#define ANAME_SZ 40 /* size of authentication name */
31#define INST_SZ 40 /* size of principal's instance */
32#define REALM_SZ 40 /* size of principal's auth domain */
33#define SNAME_SZ 40 /* size of service name */
34
David Howells17926a72007-04-26 15:48:28 -070035struct rxkad_level1_hdr {
36 __be32 data_size; /* true data size (excluding padding) */
37};
38
39struct rxkad_level2_hdr {
40 __be32 data_size; /* true data size (excluding padding) */
41 __be32 checksum; /* decrypted data checksum */
42};
43
David Howells17926a72007-04-26 15:48:28 -070044/*
45 * this holds a pinned cipher so that keventd doesn't get called by the cipher
46 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
47 * packets
48 */
Herbert Xu1afe5932016-01-24 21:19:01 +080049static struct crypto_skcipher *rxkad_ci;
David Howells17926a72007-04-26 15:48:28 -070050static DEFINE_MUTEX(rxkad_ci_mutex);
51
52/*
53 * initialise connection security
54 */
55static int rxkad_init_connection_security(struct rxrpc_connection *conn)
56{
Herbert Xu1afe5932016-01-24 21:19:01 +080057 struct crypto_skcipher *ci;
David Howells33941282009-09-14 01:17:35 +000058 struct rxrpc_key_token *token;
David Howells17926a72007-04-26 15:48:28 -070059 int ret;
60
David Howells19ffa012016-04-04 14:00:36 +010061 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
David Howells17926a72007-04-26 15:48:28 -070062
David Howells19ffa012016-04-04 14:00:36 +010063 token = conn->params.key->payload.data[0];
David Howells33941282009-09-14 01:17:35 +000064 conn->security_ix = token->security_index;
David Howells17926a72007-04-26 15:48:28 -070065
Herbert Xu1afe5932016-01-24 21:19:01 +080066 ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
David Howells17926a72007-04-26 15:48:28 -070067 if (IS_ERR(ci)) {
68 _debug("no cipher");
69 ret = PTR_ERR(ci);
70 goto error;
71 }
72
Herbert Xu1afe5932016-01-24 21:19:01 +080073 if (crypto_skcipher_setkey(ci, token->kad->session_key,
74 sizeof(token->kad->session_key)) < 0)
David Howells17926a72007-04-26 15:48:28 -070075 BUG();
76
David Howells19ffa012016-04-04 14:00:36 +010077 switch (conn->params.security_level) {
David Howells17926a72007-04-26 15:48:28 -070078 case RXRPC_SECURITY_PLAIN:
79 break;
80 case RXRPC_SECURITY_AUTH:
81 conn->size_align = 8;
82 conn->security_size = sizeof(struct rxkad_level1_hdr);
David Howells17926a72007-04-26 15:48:28 -070083 break;
84 case RXRPC_SECURITY_ENCRYPT:
85 conn->size_align = 8;
86 conn->security_size = sizeof(struct rxkad_level2_hdr);
David Howells17926a72007-04-26 15:48:28 -070087 break;
88 default:
89 ret = -EKEYREJECTED;
90 goto error;
91 }
92
93 conn->cipher = ci;
94 ret = 0;
95error:
96 _leave(" = %d", ret);
97 return ret;
98}
99
100/*
101 * prime the encryption state with the invariant parts of a connection's
102 * description
103 */
Herbert Xua2636292016-06-26 14:55:24 -0700104static int rxkad_prime_packet_security(struct rxrpc_connection *conn)
David Howells17926a72007-04-26 15:48:28 -0700105{
David Howells33941282009-09-14 01:17:35 +0000106 struct rxrpc_key_token *token;
Herbert Xu1afe5932016-01-24 21:19:01 +0800107 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
Herbert Xua2636292016-06-26 14:55:24 -0700108 struct scatterlist sg;
David Howells17926a72007-04-26 15:48:28 -0700109 struct rxrpc_crypt iv;
Herbert Xua2636292016-06-26 14:55:24 -0700110 __be32 *tmpbuf;
111 size_t tmpsize = 4 * sizeof(__be32);
David Howells17926a72007-04-26 15:48:28 -0700112
113 _enter("");
114
David Howells19ffa012016-04-04 14:00:36 +0100115 if (!conn->params.key)
Herbert Xua2636292016-06-26 14:55:24 -0700116 return 0;
117
118 tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
119 if (!tmpbuf)
120 return -ENOMEM;
David Howells17926a72007-04-26 15:48:28 -0700121
David Howells19ffa012016-04-04 14:00:36 +0100122 token = conn->params.key->payload.data[0];
David Howells33941282009-09-14 01:17:35 +0000123 memcpy(&iv, token->kad->session_key, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700124
Herbert Xua2636292016-06-26 14:55:24 -0700125 tmpbuf[0] = htonl(conn->proto.epoch);
126 tmpbuf[1] = htonl(conn->proto.cid);
127 tmpbuf[2] = 0;
128 tmpbuf[3] = htonl(conn->security_ix);
David Howells17926a72007-04-26 15:48:28 -0700129
Herbert Xua2636292016-06-26 14:55:24 -0700130 sg_init_one(&sg, tmpbuf, tmpsize);
Herbert Xu1afe5932016-01-24 21:19:01 +0800131 skcipher_request_set_tfm(req, conn->cipher);
132 skcipher_request_set_callback(req, 0, NULL, NULL);
Herbert Xua2636292016-06-26 14:55:24 -0700133 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800134 crypto_skcipher_encrypt(req);
135 skcipher_request_zero(req);
David Howells17926a72007-04-26 15:48:28 -0700136
Herbert Xua2636292016-06-26 14:55:24 -0700137 memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv));
138 kfree(tmpbuf);
139 _leave(" = 0");
140 return 0;
David Howells17926a72007-04-26 15:48:28 -0700141}
142
143/*
144 * partially encrypt a packet (level 1 security)
145 */
146static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
147 struct sk_buff *skb,
148 u32 data_size,
149 void *sechdr)
150{
151 struct rxrpc_skb_priv *sp;
Herbert Xu1afe5932016-01-24 21:19:01 +0800152 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
Herbert Xua2636292016-06-26 14:55:24 -0700153 struct rxkad_level1_hdr hdr;
David Howells17926a72007-04-26 15:48:28 -0700154 struct rxrpc_crypt iv;
Herbert Xua2636292016-06-26 14:55:24 -0700155 struct scatterlist sg;
David Howells17926a72007-04-26 15:48:28 -0700156 u16 check;
157
158 sp = rxrpc_skb(skb);
159
160 _enter("");
161
David Howells5a924b82016-09-22 00:29:31 +0100162 check = sp->hdr.seq ^ call->call_id;
David Howells0d12f8a2016-03-04 15:53:46 +0000163 data_size |= (u32)check << 16;
David Howells17926a72007-04-26 15:48:28 -0700164
Herbert Xua2636292016-06-26 14:55:24 -0700165 hdr.data_size = htonl(data_size);
166 memcpy(sechdr, &hdr, sizeof(hdr));
David Howells17926a72007-04-26 15:48:28 -0700167
168 /* start the encryption afresh */
169 memset(&iv, 0, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700170
Herbert Xua2636292016-06-26 14:55:24 -0700171 sg_init_one(&sg, sechdr, 8);
Herbert Xu1afe5932016-01-24 21:19:01 +0800172 skcipher_request_set_tfm(req, call->conn->cipher);
173 skcipher_request_set_callback(req, 0, NULL, NULL);
Herbert Xua2636292016-06-26 14:55:24 -0700174 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800175 crypto_skcipher_encrypt(req);
176 skcipher_request_zero(req);
David Howells17926a72007-04-26 15:48:28 -0700177
David Howells17926a72007-04-26 15:48:28 -0700178 _leave(" = 0");
179 return 0;
180}
181
182/*
183 * wholly encrypt a packet (level 2 security)
184 */
185static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
David Howellsb4f13422016-03-04 15:56:19 +0000186 struct sk_buff *skb,
187 u32 data_size,
188 void *sechdr)
David Howells17926a72007-04-26 15:48:28 -0700189{
David Howells33941282009-09-14 01:17:35 +0000190 const struct rxrpc_key_token *token;
Herbert Xua2636292016-06-26 14:55:24 -0700191 struct rxkad_level2_hdr rxkhdr;
David Howells17926a72007-04-26 15:48:28 -0700192 struct rxrpc_skb_priv *sp;
Herbert Xu1afe5932016-01-24 21:19:01 +0800193 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
David Howells17926a72007-04-26 15:48:28 -0700194 struct rxrpc_crypt iv;
195 struct scatterlist sg[16];
196 struct sk_buff *trailer;
Eric Dumazet95c96172012-04-15 05:58:06 +0000197 unsigned int len;
David Howells17926a72007-04-26 15:48:28 -0700198 u16 check;
199 int nsg;
Herbert Xu1afe5932016-01-24 21:19:01 +0800200 int err;
David Howells17926a72007-04-26 15:48:28 -0700201
202 sp = rxrpc_skb(skb);
203
204 _enter("");
205
David Howells5a924b82016-09-22 00:29:31 +0100206 check = sp->hdr.seq ^ call->call_id;
David Howells17926a72007-04-26 15:48:28 -0700207
David Howells0d12f8a2016-03-04 15:53:46 +0000208 rxkhdr.data_size = htonl(data_size | (u32)check << 16);
David Howells17926a72007-04-26 15:48:28 -0700209 rxkhdr.checksum = 0;
Herbert Xua2636292016-06-26 14:55:24 -0700210 memcpy(sechdr, &rxkhdr, sizeof(rxkhdr));
David Howells17926a72007-04-26 15:48:28 -0700211
212 /* encrypt from the session key */
David Howells19ffa012016-04-04 14:00:36 +0100213 token = call->conn->params.key->payload.data[0];
David Howells33941282009-09-14 01:17:35 +0000214 memcpy(&iv, token->kad->session_key, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700215
Herbert Xu68e3f5d2007-10-27 00:52:07 -0700216 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
Herbert Xu1afe5932016-01-24 21:19:01 +0800217 skcipher_request_set_tfm(req, call->conn->cipher);
218 skcipher_request_set_callback(req, 0, NULL, NULL);
Herbert Xua2636292016-06-26 14:55:24 -0700219 skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800220 crypto_skcipher_encrypt(req);
David Howells17926a72007-04-26 15:48:28 -0700221
222 /* we want to encrypt the skbuff in-place */
223 nsg = skb_cow_data(skb, 0, &trailer);
Herbert Xu1afe5932016-01-24 21:19:01 +0800224 err = -ENOMEM;
David Howells17926a72007-04-26 15:48:28 -0700225 if (nsg < 0 || nsg > 16)
Herbert Xu1afe5932016-01-24 21:19:01 +0800226 goto out;
David Howells17926a72007-04-26 15:48:28 -0700227
228 len = data_size + call->conn->size_align - 1;
229 len &= ~(call->conn->size_align - 1);
230
David S. Miller51c739d2007-10-30 21:29:29 -0700231 sg_init_table(sg, nsg);
232 skb_to_sgvec(skb, sg, 0, len);
Herbert Xu1afe5932016-01-24 21:19:01 +0800233 skcipher_request_set_crypt(req, sg, sg, len, iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800234 crypto_skcipher_encrypt(req);
David Howells17926a72007-04-26 15:48:28 -0700235
236 _leave(" = 0");
Herbert Xu1afe5932016-01-24 21:19:01 +0800237 err = 0;
238
239out:
240 skcipher_request_zero(req);
241 return err;
David Howells17926a72007-04-26 15:48:28 -0700242}
243
244/*
245 * checksum an RxRPC packet header
246 */
Herbert Xua2636292016-06-26 14:55:24 -0700247static int rxkad_secure_packet(struct rxrpc_call *call,
David Howellsb4f13422016-03-04 15:56:19 +0000248 struct sk_buff *skb,
249 size_t data_size,
250 void *sechdr)
David Howells17926a72007-04-26 15:48:28 -0700251{
252 struct rxrpc_skb_priv *sp;
Herbert Xu1afe5932016-01-24 21:19:01 +0800253 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
David Howells17926a72007-04-26 15:48:28 -0700254 struct rxrpc_crypt iv;
Herbert Xua2636292016-06-26 14:55:24 -0700255 struct scatterlist sg;
David Howells0d12f8a2016-03-04 15:53:46 +0000256 u32 x, y;
David Howells17926a72007-04-26 15:48:28 -0700257 int ret;
258
259 sp = rxrpc_skb(skb);
260
261 _enter("{%d{%x}},{#%u},%zu,",
David Howells19ffa012016-04-04 14:00:36 +0100262 call->debug_id, key_serial(call->conn->params.key),
263 sp->hdr.seq, data_size);
David Howells17926a72007-04-26 15:48:28 -0700264
265 if (!call->conn->cipher)
266 return 0;
267
David Howells19ffa012016-04-04 14:00:36 +0100268 ret = key_validate(call->conn->params.key);
David Howells17926a72007-04-26 15:48:28 -0700269 if (ret < 0)
270 return ret;
271
272 /* continue encrypting from where we left off */
273 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700274
275 /* calculate the security checksum */
David Howells01a90a42016-08-23 15:27:24 +0100276 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
David Howells0d12f8a2016-03-04 15:53:46 +0000277 x |= sp->hdr.seq & 0x3fffffff;
David Howells5a924b82016-09-22 00:29:31 +0100278 call->crypto_buf[0] = htonl(call->call_id);
Herbert Xua2636292016-06-26 14:55:24 -0700279 call->crypto_buf[1] = htonl(x);
David Howells17926a72007-04-26 15:48:28 -0700280
Herbert Xua2636292016-06-26 14:55:24 -0700281 sg_init_one(&sg, call->crypto_buf, 8);
Herbert Xu1afe5932016-01-24 21:19:01 +0800282 skcipher_request_set_tfm(req, call->conn->cipher);
283 skcipher_request_set_callback(req, 0, NULL, NULL);
Herbert Xua2636292016-06-26 14:55:24 -0700284 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800285 crypto_skcipher_encrypt(req);
286 skcipher_request_zero(req);
David Howells17926a72007-04-26 15:48:28 -0700287
Herbert Xua2636292016-06-26 14:55:24 -0700288 y = ntohl(call->crypto_buf[1]);
Al Viro91e916c2008-03-29 03:08:38 +0000289 y = (y >> 16) & 0xffff;
290 if (y == 0)
291 y = 1; /* zero checksums are not permitted */
David Howells0d12f8a2016-03-04 15:53:46 +0000292 sp->hdr.cksum = y;
David Howells17926a72007-04-26 15:48:28 -0700293
David Howells19ffa012016-04-04 14:00:36 +0100294 switch (call->conn->params.security_level) {
David Howells17926a72007-04-26 15:48:28 -0700295 case RXRPC_SECURITY_PLAIN:
296 ret = 0;
297 break;
298 case RXRPC_SECURITY_AUTH:
299 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr);
300 break;
301 case RXRPC_SECURITY_ENCRYPT:
302 ret = rxkad_secure_packet_encrypt(call, skb, data_size,
303 sechdr);
304 break;
305 default:
306 ret = -EPERM;
307 break;
308 }
309
Al Viro91e916c2008-03-29 03:08:38 +0000310 _leave(" = %d [set %hx]", ret, y);
David Howells17926a72007-04-26 15:48:28 -0700311 return ret;
312}
313
314/*
315 * decrypt partial encryption on a packet (level 1 security)
316 */
David Howells5a429762016-09-06 22:19:51 +0100317static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
David Howells248f2192016-09-08 11:10:12 +0100318 unsigned int offset, unsigned int len,
David Howells5a429762016-09-06 22:19:51 +0100319 rxrpc_seq_t seq)
David Howells17926a72007-04-26 15:48:28 -0700320{
321 struct rxkad_level1_hdr sechdr;
Herbert Xu1afe5932016-01-24 21:19:01 +0800322 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
David Howells17926a72007-04-26 15:48:28 -0700323 struct rxrpc_crypt iv;
Herbert Xu68e3f5d2007-10-27 00:52:07 -0700324 struct scatterlist sg[16];
David Howells17926a72007-04-26 15:48:28 -0700325 struct sk_buff *trailer;
326 u32 data_size, buf;
327 u16 check;
Herbert Xu68e3f5d2007-10-27 00:52:07 -0700328 int nsg;
David Howells17926a72007-04-26 15:48:28 -0700329
330 _enter("");
331
David Howells248f2192016-09-08 11:10:12 +0100332 if (len < 8) {
David Howells5a429762016-09-06 22:19:51 +0100333 rxrpc_abort_call("V1H", call, seq, RXKADSEALEDINCON, EPROTO);
334 goto protocol_error;
335 }
David Howells17926a72007-04-26 15:48:28 -0700336
David Howells248f2192016-09-08 11:10:12 +0100337 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
338 * directly into the target buffer.
339 */
Herbert Xu68e3f5d2007-10-27 00:52:07 -0700340 nsg = skb_cow_data(skb, 0, &trailer);
341 if (nsg < 0 || nsg > 16)
David Howells17926a72007-04-26 15:48:28 -0700342 goto nomem;
343
Herbert Xu68e3f5d2007-10-27 00:52:07 -0700344 sg_init_table(sg, nsg);
David Howells248f2192016-09-08 11:10:12 +0100345 skb_to_sgvec(skb, sg, offset, 8);
David Howells17926a72007-04-26 15:48:28 -0700346
347 /* start the decryption afresh */
348 memset(&iv, 0, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700349
Herbert Xu1afe5932016-01-24 21:19:01 +0800350 skcipher_request_set_tfm(req, call->conn->cipher);
351 skcipher_request_set_callback(req, 0, NULL, NULL);
352 skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800353 crypto_skcipher_decrypt(req);
354 skcipher_request_zero(req);
David Howells17926a72007-04-26 15:48:28 -0700355
David Howells5a429762016-09-06 22:19:51 +0100356 /* Extract the decrypted packet length */
David Howells248f2192016-09-08 11:10:12 +0100357 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
David Howells5a429762016-09-06 22:19:51 +0100358 rxrpc_abort_call("XV1", call, seq, RXKADDATALEN, EPROTO);
359 goto protocol_error;
360 }
David Howells248f2192016-09-08 11:10:12 +0100361 offset += sizeof(sechdr);
362 len -= sizeof(sechdr);
David Howells17926a72007-04-26 15:48:28 -0700363
364 buf = ntohl(sechdr.data_size);
365 data_size = buf & 0xffff;
366
367 check = buf >> 16;
David Howells5a429762016-09-06 22:19:51 +0100368 check ^= seq ^ call->call_id;
David Howells17926a72007-04-26 15:48:28 -0700369 check &= 0xffff;
370 if (check != 0) {
David Howells5a429762016-09-06 22:19:51 +0100371 rxrpc_abort_call("V1C", call, seq, RXKADSEALEDINCON, EPROTO);
David Howells17926a72007-04-26 15:48:28 -0700372 goto protocol_error;
373 }
374
David Howells248f2192016-09-08 11:10:12 +0100375 if (data_size > len) {
David Howells5a429762016-09-06 22:19:51 +0100376 rxrpc_abort_call("V1L", call, seq, RXKADDATALEN, EPROTO);
377 goto protocol_error;
378 }
David Howells17926a72007-04-26 15:48:28 -0700379
380 _leave(" = 0 [dlen=%x]", data_size);
381 return 0;
382
David Howells17926a72007-04-26 15:48:28 -0700383protocol_error:
David Howells26cb02a2016-10-06 08:11:49 +0100384 rxrpc_send_abort_packet(call);
David Howells17926a72007-04-26 15:48:28 -0700385 _leave(" = -EPROTO");
386 return -EPROTO;
387
388nomem:
389 _leave(" = -ENOMEM");
390 return -ENOMEM;
391}
392
393/*
394 * wholly decrypt a packet (level 2 security)
395 */
David Howells5a429762016-09-06 22:19:51 +0100396static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
David Howells248f2192016-09-08 11:10:12 +0100397 unsigned int offset, unsigned int len,
David Howells5a429762016-09-06 22:19:51 +0100398 rxrpc_seq_t seq)
David Howells17926a72007-04-26 15:48:28 -0700399{
David Howells33941282009-09-14 01:17:35 +0000400 const struct rxrpc_key_token *token;
David Howells17926a72007-04-26 15:48:28 -0700401 struct rxkad_level2_hdr sechdr;
Herbert Xu1afe5932016-01-24 21:19:01 +0800402 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
David Howells17926a72007-04-26 15:48:28 -0700403 struct rxrpc_crypt iv;
404 struct scatterlist _sg[4], *sg;
405 struct sk_buff *trailer;
406 u32 data_size, buf;
407 u16 check;
408 int nsg;
409
410 _enter(",{%d}", skb->len);
411
David Howells248f2192016-09-08 11:10:12 +0100412 if (len < 8) {
David Howells5a429762016-09-06 22:19:51 +0100413 rxrpc_abort_call("V2H", call, seq, RXKADSEALEDINCON, EPROTO);
414 goto protocol_error;
415 }
David Howells17926a72007-04-26 15:48:28 -0700416
David Howells248f2192016-09-08 11:10:12 +0100417 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
418 * directly into the target buffer.
419 */
David Howells17926a72007-04-26 15:48:28 -0700420 nsg = skb_cow_data(skb, 0, &trailer);
421 if (nsg < 0)
422 goto nomem;
423
424 sg = _sg;
425 if (unlikely(nsg > 4)) {
426 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO);
427 if (!sg)
428 goto nomem;
429 }
430
Herbert Xu68e3f5d2007-10-27 00:52:07 -0700431 sg_init_table(sg, nsg);
David Howells248f2192016-09-08 11:10:12 +0100432 skb_to_sgvec(skb, sg, offset, len);
David Howells17926a72007-04-26 15:48:28 -0700433
434 /* decrypt from the session key */
David Howells19ffa012016-04-04 14:00:36 +0100435 token = call->conn->params.key->payload.data[0];
David Howells33941282009-09-14 01:17:35 +0000436 memcpy(&iv, token->kad->session_key, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700437
Herbert Xu1afe5932016-01-24 21:19:01 +0800438 skcipher_request_set_tfm(req, call->conn->cipher);
439 skcipher_request_set_callback(req, 0, NULL, NULL);
David Howells248f2192016-09-08 11:10:12 +0100440 skcipher_request_set_crypt(req, sg, sg, len, iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800441 crypto_skcipher_decrypt(req);
442 skcipher_request_zero(req);
David Howells17926a72007-04-26 15:48:28 -0700443 if (sg != _sg)
444 kfree(sg);
445
David Howells5a429762016-09-06 22:19:51 +0100446 /* Extract the decrypted packet length */
David Howells248f2192016-09-08 11:10:12 +0100447 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
David Howells5a429762016-09-06 22:19:51 +0100448 rxrpc_abort_call("XV2", call, seq, RXKADDATALEN, EPROTO);
449 goto protocol_error;
450 }
David Howells248f2192016-09-08 11:10:12 +0100451 offset += sizeof(sechdr);
452 len -= sizeof(sechdr);
David Howells17926a72007-04-26 15:48:28 -0700453
454 buf = ntohl(sechdr.data_size);
455 data_size = buf & 0xffff;
456
457 check = buf >> 16;
David Howells5a429762016-09-06 22:19:51 +0100458 check ^= seq ^ call->call_id;
David Howells17926a72007-04-26 15:48:28 -0700459 check &= 0xffff;
460 if (check != 0) {
David Howells5a429762016-09-06 22:19:51 +0100461 rxrpc_abort_call("V2C", call, seq, RXKADSEALEDINCON, EPROTO);
David Howells17926a72007-04-26 15:48:28 -0700462 goto protocol_error;
463 }
464
David Howells248f2192016-09-08 11:10:12 +0100465 if (data_size > len) {
David Howells5a429762016-09-06 22:19:51 +0100466 rxrpc_abort_call("V2L", call, seq, RXKADDATALEN, EPROTO);
467 goto protocol_error;
468 }
David Howells17926a72007-04-26 15:48:28 -0700469
470 _leave(" = 0 [dlen=%x]", data_size);
471 return 0;
472
David Howells17926a72007-04-26 15:48:28 -0700473protocol_error:
David Howells26cb02a2016-10-06 08:11:49 +0100474 rxrpc_send_abort_packet(call);
David Howells17926a72007-04-26 15:48:28 -0700475 _leave(" = -EPROTO");
476 return -EPROTO;
477
478nomem:
479 _leave(" = -ENOMEM");
480 return -ENOMEM;
481}
482
483/*
David Howells5a429762016-09-06 22:19:51 +0100484 * Verify the security on a received packet or subpacket (if part of a
485 * jumbo packet).
David Howells17926a72007-04-26 15:48:28 -0700486 */
David Howells5a429762016-09-06 22:19:51 +0100487static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb,
David Howells248f2192016-09-08 11:10:12 +0100488 unsigned int offset, unsigned int len,
David Howells5a429762016-09-06 22:19:51 +0100489 rxrpc_seq_t seq, u16 expected_cksum)
David Howells17926a72007-04-26 15:48:28 -0700490{
Herbert Xu1afe5932016-01-24 21:19:01 +0800491 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
David Howells17926a72007-04-26 15:48:28 -0700492 struct rxrpc_crypt iv;
Herbert Xua2636292016-06-26 14:55:24 -0700493 struct scatterlist sg;
David Howells0d12f8a2016-03-04 15:53:46 +0000494 u16 cksum;
495 u32 x, y;
David Howells17926a72007-04-26 15:48:28 -0700496
497 _enter("{%d{%x}},{#%u}",
David Howells5a429762016-09-06 22:19:51 +0100498 call->debug_id, key_serial(call->conn->params.key), seq);
David Howells17926a72007-04-26 15:48:28 -0700499
500 if (!call->conn->cipher)
501 return 0;
502
David Howells17926a72007-04-26 15:48:28 -0700503 /* continue encrypting from where we left off */
504 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700505
506 /* validate the security checksum */
David Howells01a90a42016-08-23 15:27:24 +0100507 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
David Howells5a429762016-09-06 22:19:51 +0100508 x |= seq & 0x3fffffff;
Herbert Xua2636292016-06-26 14:55:24 -0700509 call->crypto_buf[0] = htonl(call->call_id);
510 call->crypto_buf[1] = htonl(x);
David Howells17926a72007-04-26 15:48:28 -0700511
Herbert Xua2636292016-06-26 14:55:24 -0700512 sg_init_one(&sg, call->crypto_buf, 8);
Herbert Xu1afe5932016-01-24 21:19:01 +0800513 skcipher_request_set_tfm(req, call->conn->cipher);
514 skcipher_request_set_callback(req, 0, NULL, NULL);
Herbert Xua2636292016-06-26 14:55:24 -0700515 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800516 crypto_skcipher_encrypt(req);
517 skcipher_request_zero(req);
David Howells17926a72007-04-26 15:48:28 -0700518
Herbert Xua2636292016-06-26 14:55:24 -0700519 y = ntohl(call->crypto_buf[1]);
David Howells0d12f8a2016-03-04 15:53:46 +0000520 cksum = (y >> 16) & 0xffff;
521 if (cksum == 0)
522 cksum = 1; /* zero checksums are not permitted */
David Howells17926a72007-04-26 15:48:28 -0700523
David Howells5a429762016-09-06 22:19:51 +0100524 if (cksum != expected_cksum) {
525 rxrpc_abort_call("VCK", call, seq, RXKADSEALEDINCON, EPROTO);
David Howells26cb02a2016-10-06 08:11:49 +0100526 rxrpc_send_abort_packet(call);
David Howells17926a72007-04-26 15:48:28 -0700527 _leave(" = -EPROTO [csum failed]");
528 return -EPROTO;
529 }
530
David Howells19ffa012016-04-04 14:00:36 +0100531 switch (call->conn->params.security_level) {
David Howells17926a72007-04-26 15:48:28 -0700532 case RXRPC_SECURITY_PLAIN:
David Howells5a429762016-09-06 22:19:51 +0100533 return 0;
David Howells17926a72007-04-26 15:48:28 -0700534 case RXRPC_SECURITY_AUTH:
David Howells248f2192016-09-08 11:10:12 +0100535 return rxkad_verify_packet_1(call, skb, offset, len, seq);
David Howells17926a72007-04-26 15:48:28 -0700536 case RXRPC_SECURITY_ENCRYPT:
David Howells248f2192016-09-08 11:10:12 +0100537 return rxkad_verify_packet_2(call, skb, offset, len, seq);
David Howells17926a72007-04-26 15:48:28 -0700538 default:
David Howells5a429762016-09-06 22:19:51 +0100539 return -ENOANO;
David Howells17926a72007-04-26 15:48:28 -0700540 }
David Howells17926a72007-04-26 15:48:28 -0700541}
542
543/*
David Howells248f2192016-09-08 11:10:12 +0100544 * Locate the data contained in a packet that was partially encrypted.
545 */
546static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb,
547 unsigned int *_offset, unsigned int *_len)
548{
549 struct rxkad_level1_hdr sechdr;
550
551 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
552 BUG();
553 *_offset += sizeof(sechdr);
554 *_len = ntohl(sechdr.data_size) & 0xffff;
555}
556
557/*
558 * Locate the data contained in a packet that was completely encrypted.
559 */
560static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb,
561 unsigned int *_offset, unsigned int *_len)
562{
563 struct rxkad_level2_hdr sechdr;
564
565 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
566 BUG();
567 *_offset += sizeof(sechdr);
568 *_len = ntohl(sechdr.data_size) & 0xffff;
569}
570
571/*
572 * Locate the data contained in an already decrypted packet.
573 */
574static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb,
575 unsigned int *_offset, unsigned int *_len)
576{
577 switch (call->conn->params.security_level) {
578 case RXRPC_SECURITY_AUTH:
579 rxkad_locate_data_1(call, skb, _offset, _len);
580 return;
581 case RXRPC_SECURITY_ENCRYPT:
582 rxkad_locate_data_2(call, skb, _offset, _len);
583 return;
584 default:
585 return;
586 }
587}
588
589/*
David Howells17926a72007-04-26 15:48:28 -0700590 * issue a challenge
591 */
592static int rxkad_issue_challenge(struct rxrpc_connection *conn)
593{
594 struct rxkad_challenge challenge;
David Howells0d12f8a2016-03-04 15:53:46 +0000595 struct rxrpc_wire_header whdr;
David Howells17926a72007-04-26 15:48:28 -0700596 struct msghdr msg;
597 struct kvec iov[2];
598 size_t len;
David Howells0d12f8a2016-03-04 15:53:46 +0000599 u32 serial;
David Howells17926a72007-04-26 15:48:28 -0700600 int ret;
601
David Howells19ffa012016-04-04 14:00:36 +0100602 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
David Howells17926a72007-04-26 15:48:28 -0700603
David Howells19ffa012016-04-04 14:00:36 +0100604 ret = key_validate(conn->params.key);
David Howells17926a72007-04-26 15:48:28 -0700605 if (ret < 0)
606 return ret;
607
608 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
609
610 challenge.version = htonl(2);
611 challenge.nonce = htonl(conn->security_nonce);
612 challenge.min_level = htonl(0);
613 challenge.__padding = 0;
614
David Howells85f32272016-04-04 14:00:36 +0100615 msg.msg_name = &conn->params.peer->srx.transport.sin;
616 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin);
David Howells17926a72007-04-26 15:48:28 -0700617 msg.msg_control = NULL;
618 msg.msg_controllen = 0;
619 msg.msg_flags = 0;
620
David Howells19ffa012016-04-04 14:00:36 +0100621 whdr.epoch = htonl(conn->proto.epoch);
622 whdr.cid = htonl(conn->proto.cid);
David Howells0d12f8a2016-03-04 15:53:46 +0000623 whdr.callNumber = 0;
624 whdr.seq = 0;
625 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE;
626 whdr.flags = conn->out_clientflag;
627 whdr.userStatus = 0;
628 whdr.securityIndex = conn->security_ix;
629 whdr._rsvd = 0;
David Howells19ffa012016-04-04 14:00:36 +0100630 whdr.serviceId = htons(conn->params.service_id);
David Howells17926a72007-04-26 15:48:28 -0700631
David Howells0d12f8a2016-03-04 15:53:46 +0000632 iov[0].iov_base = &whdr;
633 iov[0].iov_len = sizeof(whdr);
David Howells17926a72007-04-26 15:48:28 -0700634 iov[1].iov_base = &challenge;
635 iov[1].iov_len = sizeof(challenge);
636
637 len = iov[0].iov_len + iov[1].iov_len;
638
David Howells0d12f8a2016-03-04 15:53:46 +0000639 serial = atomic_inc_return(&conn->serial);
640 whdr.serial = htonl(serial);
641 _proto("Tx CHALLENGE %%%u", serial);
David Howells17926a72007-04-26 15:48:28 -0700642
David Howells85f32272016-04-04 14:00:36 +0100643 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
David Howells17926a72007-04-26 15:48:28 -0700644 if (ret < 0) {
645 _debug("sendmsg failed: %d", ret);
646 return -EAGAIN;
647 }
648
649 _leave(" = 0");
650 return 0;
651}
652
653/*
654 * send a Kerberos security response
655 */
656static int rxkad_send_response(struct rxrpc_connection *conn,
David Howells0d12f8a2016-03-04 15:53:46 +0000657 struct rxrpc_host_header *hdr,
David Howells17926a72007-04-26 15:48:28 -0700658 struct rxkad_response *resp,
659 const struct rxkad_key *s2)
660{
David Howells0d12f8a2016-03-04 15:53:46 +0000661 struct rxrpc_wire_header whdr;
David Howells17926a72007-04-26 15:48:28 -0700662 struct msghdr msg;
663 struct kvec iov[3];
664 size_t len;
David Howells0d12f8a2016-03-04 15:53:46 +0000665 u32 serial;
David Howells17926a72007-04-26 15:48:28 -0700666 int ret;
667
668 _enter("");
669
David Howells85f32272016-04-04 14:00:36 +0100670 msg.msg_name = &conn->params.peer->srx.transport.sin;
671 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin);
David Howells17926a72007-04-26 15:48:28 -0700672 msg.msg_control = NULL;
673 msg.msg_controllen = 0;
674 msg.msg_flags = 0;
675
David Howells0d12f8a2016-03-04 15:53:46 +0000676 memset(&whdr, 0, sizeof(whdr));
677 whdr.epoch = htonl(hdr->epoch);
678 whdr.cid = htonl(hdr->cid);
679 whdr.type = RXRPC_PACKET_TYPE_RESPONSE;
680 whdr.flags = conn->out_clientflag;
681 whdr.securityIndex = hdr->securityIndex;
682 whdr.serviceId = htons(hdr->serviceId);
David Howells17926a72007-04-26 15:48:28 -0700683
David Howells0d12f8a2016-03-04 15:53:46 +0000684 iov[0].iov_base = &whdr;
685 iov[0].iov_len = sizeof(whdr);
David Howells17926a72007-04-26 15:48:28 -0700686 iov[1].iov_base = resp;
687 iov[1].iov_len = sizeof(*resp);
David Howells0d12f8a2016-03-04 15:53:46 +0000688 iov[2].iov_base = (void *)s2->ticket;
David Howells17926a72007-04-26 15:48:28 -0700689 iov[2].iov_len = s2->ticket_len;
690
691 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
692
David Howells0d12f8a2016-03-04 15:53:46 +0000693 serial = atomic_inc_return(&conn->serial);
694 whdr.serial = htonl(serial);
695 _proto("Tx RESPONSE %%%u", serial);
David Howells17926a72007-04-26 15:48:28 -0700696
David Howells85f32272016-04-04 14:00:36 +0100697 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
David Howells17926a72007-04-26 15:48:28 -0700698 if (ret < 0) {
699 _debug("sendmsg failed: %d", ret);
700 return -EAGAIN;
701 }
702
703 _leave(" = 0");
704 return 0;
705}
706
707/*
708 * calculate the response checksum
709 */
710static void rxkad_calc_response_checksum(struct rxkad_response *response)
711{
712 u32 csum = 1000003;
713 int loop;
714 u8 *p = (u8 *) response;
715
716 for (loop = sizeof(*response); loop > 0; loop--)
717 csum = csum * 0x10204081 + *p++;
718
719 response->encrypted.checksum = htonl(csum);
720}
721
722/*
David Howells17926a72007-04-26 15:48:28 -0700723 * encrypt the response packet
724 */
725static void rxkad_encrypt_response(struct rxrpc_connection *conn,
726 struct rxkad_response *resp,
727 const struct rxkad_key *s2)
728{
Herbert Xu1afe5932016-01-24 21:19:01 +0800729 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
David Howells17926a72007-04-26 15:48:28 -0700730 struct rxrpc_crypt iv;
Herbert Xua2636292016-06-26 14:55:24 -0700731 struct scatterlist sg[1];
David Howells17926a72007-04-26 15:48:28 -0700732
733 /* continue encrypting from where we left off */
734 memcpy(&iv, s2->session_key, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700735
Herbert Xua2636292016-06-26 14:55:24 -0700736 sg_init_table(sg, 1);
737 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
Herbert Xu1afe5932016-01-24 21:19:01 +0800738 skcipher_request_set_tfm(req, conn->cipher);
739 skcipher_request_set_callback(req, 0, NULL, NULL);
740 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800741 crypto_skcipher_encrypt(req);
742 skcipher_request_zero(req);
David Howells17926a72007-04-26 15:48:28 -0700743}
744
745/*
746 * respond to a challenge packet
747 */
748static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
749 struct sk_buff *skb,
750 u32 *_abort_code)
751{
David Howells33941282009-09-14 01:17:35 +0000752 const struct rxrpc_key_token *token;
David Howells17926a72007-04-26 15:48:28 -0700753 struct rxkad_challenge challenge;
754 struct rxkad_response resp
755 __attribute__((aligned(8))); /* must be aligned for crypto */
David Howells248f2192016-09-08 11:10:12 +0100756 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
David Howells17926a72007-04-26 15:48:28 -0700757 u32 version, nonce, min_level, abort_code;
758 int ret;
759
David Howells19ffa012016-04-04 14:00:36 +0100760 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
David Howells17926a72007-04-26 15:48:28 -0700761
David Howells19ffa012016-04-04 14:00:36 +0100762 if (!conn->params.key) {
David Howells17926a72007-04-26 15:48:28 -0700763 _leave(" = -EPROTO [no key]");
764 return -EPROTO;
765 }
766
David Howells19ffa012016-04-04 14:00:36 +0100767 ret = key_validate(conn->params.key);
David Howells17926a72007-04-26 15:48:28 -0700768 if (ret < 0) {
769 *_abort_code = RXKADEXPIRED;
770 return ret;
771 }
772
773 abort_code = RXKADPACKETSHORT;
David Howells775e5b72016-09-30 13:26:03 +0100774 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
775 &challenge, sizeof(challenge)) < 0)
David Howells17926a72007-04-26 15:48:28 -0700776 goto protocol_error;
777
778 version = ntohl(challenge.version);
779 nonce = ntohl(challenge.nonce);
780 min_level = ntohl(challenge.min_level);
781
782 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
David Howells0d12f8a2016-03-04 15:53:46 +0000783 sp->hdr.serial, version, nonce, min_level);
David Howells17926a72007-04-26 15:48:28 -0700784
785 abort_code = RXKADINCONSISTENCY;
786 if (version != RXKAD_VERSION)
787 goto protocol_error;
788
789 abort_code = RXKADLEVELFAIL;
David Howells19ffa012016-04-04 14:00:36 +0100790 if (conn->params.security_level < min_level)
David Howells17926a72007-04-26 15:48:28 -0700791 goto protocol_error;
792
David Howells19ffa012016-04-04 14:00:36 +0100793 token = conn->params.key->payload.data[0];
David Howells17926a72007-04-26 15:48:28 -0700794
795 /* build the response packet */
796 memset(&resp, 0, sizeof(resp));
797
David Howells098a2092016-03-04 15:59:00 +0000798 resp.version = htonl(RXKAD_VERSION);
David Howells19ffa012016-04-04 14:00:36 +0100799 resp.encrypted.epoch = htonl(conn->proto.epoch);
800 resp.encrypted.cid = htonl(conn->proto.cid);
David Howells098a2092016-03-04 15:59:00 +0000801 resp.encrypted.securityIndex = htonl(conn->security_ix);
802 resp.encrypted.inc_nonce = htonl(nonce + 1);
David Howells19ffa012016-04-04 14:00:36 +0100803 resp.encrypted.level = htonl(conn->params.security_level);
David Howells098a2092016-03-04 15:59:00 +0000804 resp.kvno = htonl(token->kad->kvno);
805 resp.ticket_len = htonl(token->kad->ticket_len);
806
David Howellsa1399f82016-06-27 14:39:44 +0100807 resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
808 resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
809 resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
810 resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
David Howells17926a72007-04-26 15:48:28 -0700811
812 /* calculate the response checksum and then do the encryption */
813 rxkad_calc_response_checksum(&resp);
David Howells33941282009-09-14 01:17:35 +0000814 rxkad_encrypt_response(conn, &resp, token->kad);
815 return rxkad_send_response(conn, &sp->hdr, &resp, token->kad);
David Howells17926a72007-04-26 15:48:28 -0700816
817protocol_error:
818 *_abort_code = abort_code;
819 _leave(" = -EPROTO [%d]", abort_code);
820 return -EPROTO;
821}
822
823/*
824 * decrypt the kerberos IV ticket in the response
825 */
826static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
827 void *ticket, size_t ticket_len,
828 struct rxrpc_crypt *_session_key,
829 time_t *_expiry,
830 u32 *_abort_code)
831{
Herbert Xu1afe5932016-01-24 21:19:01 +0800832 struct skcipher_request *req;
David Howells17926a72007-04-26 15:48:28 -0700833 struct rxrpc_crypt iv, key;
Herbert Xu68e3f5d2007-10-27 00:52:07 -0700834 struct scatterlist sg[1];
David Howells17926a72007-04-26 15:48:28 -0700835 struct in_addr addr;
Eric Dumazet95c96172012-04-15 05:58:06 +0000836 unsigned int life;
David Howells17926a72007-04-26 15:48:28 -0700837 time_t issue, now;
838 bool little_endian;
839 int ret;
840 u8 *p, *q, *name, *end;
841
842 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
843
844 *_expiry = 0;
845
846 ret = key_validate(conn->server_key);
847 if (ret < 0) {
848 switch (ret) {
849 case -EKEYEXPIRED:
850 *_abort_code = RXKADEXPIRED;
851 goto error;
852 default:
853 *_abort_code = RXKADNOAUTH;
854 goto error;
855 }
856 }
857
David Howells146aa8b2015-10-21 14:04:48 +0100858 ASSERT(conn->server_key->payload.data[0] != NULL);
David Howells17926a72007-04-26 15:48:28 -0700859 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
860
David Howells146aa8b2015-10-21 14:04:48 +0100861 memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700862
Herbert Xu1afe5932016-01-24 21:19:01 +0800863 req = skcipher_request_alloc(conn->server_key->payload.data[0],
864 GFP_NOFS);
865 if (!req) {
866 *_abort_code = RXKADNOAUTH;
867 ret = -ENOMEM;
868 goto error;
869 }
David Howells17926a72007-04-26 15:48:28 -0700870
Herbert Xu68e3f5d2007-10-27 00:52:07 -0700871 sg_init_one(&sg[0], ticket, ticket_len);
Herbert Xu1afe5932016-01-24 21:19:01 +0800872 skcipher_request_set_callback(req, 0, NULL, NULL);
873 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800874 crypto_skcipher_decrypt(req);
875 skcipher_request_free(req);
David Howells17926a72007-04-26 15:48:28 -0700876
877 p = ticket;
878 end = p + ticket_len;
879
880#define Z(size) \
881 ({ \
882 u8 *__str = p; \
883 q = memchr(p, 0, end - p); \
884 if (!q || q - p > (size)) \
885 goto bad_ticket; \
886 for (; p < q; p++) \
887 if (!isprint(*p)) \
888 goto bad_ticket; \
889 p++; \
890 __str; \
891 })
892
893 /* extract the ticket flags */
894 _debug("KIV FLAGS: %x", *p);
895 little_endian = *p & 1;
896 p++;
897
898 /* extract the authentication name */
899 name = Z(ANAME_SZ);
900 _debug("KIV ANAME: %s", name);
901
902 /* extract the principal's instance */
903 name = Z(INST_SZ);
904 _debug("KIV INST : %s", name);
905
906 /* extract the principal's authentication domain */
907 name = Z(REALM_SZ);
908 _debug("KIV REALM: %s", name);
909
910 if (end - p < 4 + 8 + 4 + 2)
911 goto bad_ticket;
912
913 /* get the IPv4 address of the entity that requested the ticket */
914 memcpy(&addr, p, sizeof(addr));
915 p += 4;
Harvey Harrison21454aa2008-10-31 00:54:56 -0700916 _debug("KIV ADDR : %pI4", &addr);
David Howells17926a72007-04-26 15:48:28 -0700917
918 /* get the session key from the ticket */
919 memcpy(&key, p, sizeof(key));
920 p += 8;
921 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
922 memcpy(_session_key, &key, sizeof(key));
923
924 /* get the ticket's lifetime */
925 life = *p++ * 5 * 60;
926 _debug("KIV LIFE : %u", life);
927
928 /* get the issue time of the ticket */
929 if (little_endian) {
930 __le32 stamp;
931 memcpy(&stamp, p, 4);
932 issue = le32_to_cpu(stamp);
933 } else {
934 __be32 stamp;
935 memcpy(&stamp, p, 4);
936 issue = be32_to_cpu(stamp);
937 }
938 p += 4;
john stultz2c6b47d2007-07-24 17:47:43 -0700939 now = get_seconds();
David Howells17926a72007-04-26 15:48:28 -0700940 _debug("KIV ISSUE: %lx [%lx]", issue, now);
941
942 /* check the ticket is in date */
943 if (issue > now) {
944 *_abort_code = RXKADNOAUTH;
945 ret = -EKEYREJECTED;
946 goto error;
947 }
948
949 if (issue < now - life) {
950 *_abort_code = RXKADEXPIRED;
951 ret = -EKEYEXPIRED;
952 goto error;
953 }
954
955 *_expiry = issue + life;
956
957 /* get the service name */
958 name = Z(SNAME_SZ);
959 _debug("KIV SNAME: %s", name);
960
961 /* get the service instance name */
962 name = Z(INST_SZ);
963 _debug("KIV SINST: %s", name);
964
965 ret = 0;
966error:
967 _leave(" = %d", ret);
968 return ret;
969
970bad_ticket:
971 *_abort_code = RXKADBADTICKET;
972 ret = -EBADMSG;
973 goto error;
974}
975
976/*
977 * decrypt the response packet
978 */
979static void rxkad_decrypt_response(struct rxrpc_connection *conn,
980 struct rxkad_response *resp,
981 const struct rxrpc_crypt *session_key)
982{
Herbert Xu1afe5932016-01-24 21:19:01 +0800983 SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci);
Herbert Xua2636292016-06-26 14:55:24 -0700984 struct scatterlist sg[1];
David Howells17926a72007-04-26 15:48:28 -0700985 struct rxrpc_crypt iv;
986
987 _enter(",,%08x%08x",
988 ntohl(session_key->n[0]), ntohl(session_key->n[1]));
989
990 ASSERT(rxkad_ci != NULL);
991
992 mutex_lock(&rxkad_ci_mutex);
Herbert Xu1afe5932016-01-24 21:19:01 +0800993 if (crypto_skcipher_setkey(rxkad_ci, session_key->x,
994 sizeof(*session_key)) < 0)
David Howells17926a72007-04-26 15:48:28 -0700995 BUG();
996
997 memcpy(&iv, session_key, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700998
Herbert Xua2636292016-06-26 14:55:24 -0700999 sg_init_table(sg, 1);
1000 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
Herbert Xu1afe5932016-01-24 21:19:01 +08001001 skcipher_request_set_tfm(req, rxkad_ci);
1002 skcipher_request_set_callback(req, 0, NULL, NULL);
1003 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +08001004 crypto_skcipher_decrypt(req);
1005 skcipher_request_zero(req);
1006
David Howells17926a72007-04-26 15:48:28 -07001007 mutex_unlock(&rxkad_ci_mutex);
1008
1009 _leave("");
1010}
1011
1012/*
1013 * verify a response
1014 */
1015static int rxkad_verify_response(struct rxrpc_connection *conn,
1016 struct sk_buff *skb,
1017 u32 *_abort_code)
1018{
1019 struct rxkad_response response
1020 __attribute__((aligned(8))); /* must be aligned for crypto */
David Howells248f2192016-09-08 11:10:12 +01001021 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
David Howells17926a72007-04-26 15:48:28 -07001022 struct rxrpc_crypt session_key;
1023 time_t expiry;
1024 void *ticket;
Al Viro91e916c2008-03-29 03:08:38 +00001025 u32 abort_code, version, kvno, ticket_len, level;
1026 __be32 csum;
David Howellsa1399f82016-06-27 14:39:44 +01001027 int ret, i;
David Howells17926a72007-04-26 15:48:28 -07001028
1029 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
1030
1031 abort_code = RXKADPACKETSHORT;
David Howells775e5b72016-09-30 13:26:03 +01001032 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1033 &response, sizeof(response)) < 0)
David Howells17926a72007-04-26 15:48:28 -07001034 goto protocol_error;
1035 if (!pskb_pull(skb, sizeof(response)))
1036 BUG();
1037
1038 version = ntohl(response.version);
1039 ticket_len = ntohl(response.ticket_len);
1040 kvno = ntohl(response.kvno);
David Howells17926a72007-04-26 15:48:28 -07001041 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
David Howells0d12f8a2016-03-04 15:53:46 +00001042 sp->hdr.serial, version, kvno, ticket_len);
David Howells17926a72007-04-26 15:48:28 -07001043
1044 abort_code = RXKADINCONSISTENCY;
1045 if (version != RXKAD_VERSION)
David Howells4aa9cb32007-12-07 04:31:47 -08001046 goto protocol_error;
David Howells17926a72007-04-26 15:48:28 -07001047
1048 abort_code = RXKADTICKETLEN;
1049 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1050 goto protocol_error;
1051
1052 abort_code = RXKADUNKNOWNKEY;
1053 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1054 goto protocol_error;
1055
1056 /* extract the kerberos ticket and decrypt and decode it */
1057 ticket = kmalloc(ticket_len, GFP_NOFS);
1058 if (!ticket)
1059 return -ENOMEM;
1060
1061 abort_code = RXKADPACKETSHORT;
David Howells775e5b72016-09-30 13:26:03 +01001062 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1063 ticket, ticket_len) < 0)
David Howells17926a72007-04-26 15:48:28 -07001064 goto protocol_error_free;
1065
1066 ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key,
1067 &expiry, &abort_code);
1068 if (ret < 0) {
1069 *_abort_code = abort_code;
1070 kfree(ticket);
1071 return ret;
1072 }
1073
1074 /* use the session key from inside the ticket to decrypt the
1075 * response */
1076 rxkad_decrypt_response(conn, &response, &session_key);
1077
1078 abort_code = RXKADSEALEDINCON;
David Howells19ffa012016-04-04 14:00:36 +01001079 if (ntohl(response.encrypted.epoch) != conn->proto.epoch)
David Howells17926a72007-04-26 15:48:28 -07001080 goto protocol_error_free;
David Howells19ffa012016-04-04 14:00:36 +01001081 if (ntohl(response.encrypted.cid) != conn->proto.cid)
David Howells17926a72007-04-26 15:48:28 -07001082 goto protocol_error_free;
1083 if (ntohl(response.encrypted.securityIndex) != conn->security_ix)
1084 goto protocol_error_free;
1085 csum = response.encrypted.checksum;
1086 response.encrypted.checksum = 0;
1087 rxkad_calc_response_checksum(&response);
1088 if (response.encrypted.checksum != csum)
1089 goto protocol_error_free;
1090
David Howellsa1399f82016-06-27 14:39:44 +01001091 spin_lock(&conn->channel_lock);
1092 for (i = 0; i < RXRPC_MAXCALLS; i++) {
1093 struct rxrpc_call *call;
1094 u32 call_id = ntohl(response.encrypted.call_id[i]);
1095
1096 if (call_id > INT_MAX)
1097 goto protocol_error_unlock;
1098
1099 if (call_id < conn->channels[i].call_counter)
1100 goto protocol_error_unlock;
1101 if (call_id > conn->channels[i].call_counter) {
1102 call = rcu_dereference_protected(
1103 conn->channels[i].call,
1104 lockdep_is_held(&conn->channel_lock));
1105 if (call && call->state < RXRPC_CALL_COMPLETE)
1106 goto protocol_error_unlock;
1107 conn->channels[i].call_counter = call_id;
1108 }
1109 }
1110 spin_unlock(&conn->channel_lock);
David Howells17926a72007-04-26 15:48:28 -07001111
1112 abort_code = RXKADOUTOFSEQUENCE;
David Howells0d12f8a2016-03-04 15:53:46 +00001113 if (ntohl(response.encrypted.inc_nonce) != conn->security_nonce + 1)
David Howells17926a72007-04-26 15:48:28 -07001114 goto protocol_error_free;
1115
1116 abort_code = RXKADLEVELFAIL;
1117 level = ntohl(response.encrypted.level);
1118 if (level > RXRPC_SECURITY_ENCRYPT)
1119 goto protocol_error_free;
David Howells19ffa012016-04-04 14:00:36 +01001120 conn->params.security_level = level;
David Howells17926a72007-04-26 15:48:28 -07001121
1122 /* create a key to hold the security data and expiration time - after
1123 * this the connection security can be handled in exactly the same way
1124 * as for a client connection */
1125 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1126 if (ret < 0) {
1127 kfree(ticket);
1128 return ret;
1129 }
1130
1131 kfree(ticket);
1132 _leave(" = 0");
1133 return 0;
1134
David Howellsa1399f82016-06-27 14:39:44 +01001135protocol_error_unlock:
1136 spin_unlock(&conn->channel_lock);
David Howells17926a72007-04-26 15:48:28 -07001137protocol_error_free:
1138 kfree(ticket);
1139protocol_error:
1140 *_abort_code = abort_code;
1141 _leave(" = -EPROTO [%d]", abort_code);
1142 return -EPROTO;
1143}
1144
1145/*
1146 * clear the connection security
1147 */
1148static void rxkad_clear(struct rxrpc_connection *conn)
1149{
1150 _enter("");
1151
1152 if (conn->cipher)
Herbert Xu1afe5932016-01-24 21:19:01 +08001153 crypto_free_skcipher(conn->cipher);
David Howells17926a72007-04-26 15:48:28 -07001154}
1155
1156/*
David Howells648af7f2016-04-07 17:23:51 +01001157 * Initialise the rxkad security service.
1158 */
1159static int rxkad_init(void)
1160{
1161 /* pin the cipher we need so that the crypto layer doesn't invoke
1162 * keventd to go get it */
1163 rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
Wu Fengguangfa54cc72016-06-05 07:17:19 +08001164 return PTR_ERR_OR_ZERO(rxkad_ci);
David Howells648af7f2016-04-07 17:23:51 +01001165}
1166
1167/*
1168 * Clean up the rxkad security service.
1169 */
1170static void rxkad_exit(void)
1171{
1172 if (rxkad_ci)
1173 crypto_free_skcipher(rxkad_ci);
1174}
1175
1176/*
David Howells17926a72007-04-26 15:48:28 -07001177 * RxRPC Kerberos-based security
1178 */
David Howells648af7f2016-04-07 17:23:51 +01001179const struct rxrpc_security rxkad = {
David Howells17926a72007-04-26 15:48:28 -07001180 .name = "rxkad",
David Howells8b815472009-09-14 01:17:30 +00001181 .security_index = RXRPC_SECURITY_RXKAD,
David Howells648af7f2016-04-07 17:23:51 +01001182 .init = rxkad_init,
1183 .exit = rxkad_exit,
David Howells17926a72007-04-26 15:48:28 -07001184 .init_connection_security = rxkad_init_connection_security,
1185 .prime_packet_security = rxkad_prime_packet_security,
1186 .secure_packet = rxkad_secure_packet,
1187 .verify_packet = rxkad_verify_packet,
David Howells248f2192016-09-08 11:10:12 +01001188 .locate_data = rxkad_locate_data,
David Howells17926a72007-04-26 15:48:28 -07001189 .issue_challenge = rxkad_issue_challenge,
1190 .respond_to_challenge = rxkad_respond_to_challenge,
1191 .verify_response = rxkad_verify_response,
1192 .clear = rxkad_clear,
1193};