blob: 89f475febfd7fbdf121940d9d302acb5e1c94639 [file] [log] [blame]
David Howells17926a72007-04-26 15:48:28 -07001/* Kerberos-based RxRPC security
2 *
3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 */
11
Joe Perches9b6d5392016-06-02 12:08:52 -070012#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13
Herbert Xu1afe5932016-01-24 21:19:01 +080014#include <crypto/skcipher.h>
David Howells17926a72007-04-26 15:48:28 -070015#include <linux/module.h>
16#include <linux/net.h>
17#include <linux/skbuff.h>
18#include <linux/udp.h>
David Howells17926a72007-04-26 15:48:28 -070019#include <linux/scatterlist.h>
20#include <linux/ctype.h>
Tejun Heo5a0e3ad2010-03-24 17:04:11 +090021#include <linux/slab.h>
David Howells17926a72007-04-26 15:48:28 -070022#include <net/sock.h>
23#include <net/af_rxrpc.h>
David Howells33941282009-09-14 01:17:35 +000024#include <keys/rxrpc-type.h>
David Howells17926a72007-04-26 15:48:28 -070025#include "ar-internal.h"
26
27#define RXKAD_VERSION 2
28#define MAXKRB5TICKETLEN 1024
29#define RXKAD_TKT_TYPE_KERBEROS_V5 256
30#define ANAME_SZ 40 /* size of authentication name */
31#define INST_SZ 40 /* size of principal's instance */
32#define REALM_SZ 40 /* size of principal's auth domain */
33#define SNAME_SZ 40 /* size of service name */
34
David Howells17926a72007-04-26 15:48:28 -070035struct rxkad_level1_hdr {
36 __be32 data_size; /* true data size (excluding padding) */
37};
38
39struct rxkad_level2_hdr {
40 __be32 data_size; /* true data size (excluding padding) */
41 __be32 checksum; /* decrypted data checksum */
42};
43
David Howells17926a72007-04-26 15:48:28 -070044/*
45 * this holds a pinned cipher so that keventd doesn't get called by the cipher
46 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
47 * packets
48 */
Herbert Xu1afe5932016-01-24 21:19:01 +080049static struct crypto_skcipher *rxkad_ci;
David Howells17926a72007-04-26 15:48:28 -070050static DEFINE_MUTEX(rxkad_ci_mutex);
51
52/*
53 * initialise connection security
54 */
55static int rxkad_init_connection_security(struct rxrpc_connection *conn)
56{
Herbert Xu1afe5932016-01-24 21:19:01 +080057 struct crypto_skcipher *ci;
David Howells33941282009-09-14 01:17:35 +000058 struct rxrpc_key_token *token;
David Howells17926a72007-04-26 15:48:28 -070059 int ret;
60
David Howells19ffa012016-04-04 14:00:36 +010061 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
David Howells17926a72007-04-26 15:48:28 -070062
David Howells19ffa012016-04-04 14:00:36 +010063 token = conn->params.key->payload.data[0];
David Howells33941282009-09-14 01:17:35 +000064 conn->security_ix = token->security_index;
David Howells17926a72007-04-26 15:48:28 -070065
Herbert Xu1afe5932016-01-24 21:19:01 +080066 ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
David Howells17926a72007-04-26 15:48:28 -070067 if (IS_ERR(ci)) {
68 _debug("no cipher");
69 ret = PTR_ERR(ci);
70 goto error;
71 }
72
Herbert Xu1afe5932016-01-24 21:19:01 +080073 if (crypto_skcipher_setkey(ci, token->kad->session_key,
74 sizeof(token->kad->session_key)) < 0)
David Howells17926a72007-04-26 15:48:28 -070075 BUG();
76
David Howells19ffa012016-04-04 14:00:36 +010077 switch (conn->params.security_level) {
David Howells17926a72007-04-26 15:48:28 -070078 case RXRPC_SECURITY_PLAIN:
79 break;
80 case RXRPC_SECURITY_AUTH:
81 conn->size_align = 8;
82 conn->security_size = sizeof(struct rxkad_level1_hdr);
83 conn->header_size += sizeof(struct rxkad_level1_hdr);
84 break;
85 case RXRPC_SECURITY_ENCRYPT:
86 conn->size_align = 8;
87 conn->security_size = sizeof(struct rxkad_level2_hdr);
88 conn->header_size += sizeof(struct rxkad_level2_hdr);
89 break;
90 default:
91 ret = -EKEYREJECTED;
92 goto error;
93 }
94
95 conn->cipher = ci;
96 ret = 0;
97error:
98 _leave(" = %d", ret);
99 return ret;
100}
101
102/*
103 * prime the encryption state with the invariant parts of a connection's
104 * description
105 */
Herbert Xua2636292016-06-26 14:55:24 -0700106static int rxkad_prime_packet_security(struct rxrpc_connection *conn)
David Howells17926a72007-04-26 15:48:28 -0700107{
David Howells33941282009-09-14 01:17:35 +0000108 struct rxrpc_key_token *token;
Herbert Xu1afe5932016-01-24 21:19:01 +0800109 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
Herbert Xua2636292016-06-26 14:55:24 -0700110 struct scatterlist sg;
David Howells17926a72007-04-26 15:48:28 -0700111 struct rxrpc_crypt iv;
Herbert Xua2636292016-06-26 14:55:24 -0700112 __be32 *tmpbuf;
113 size_t tmpsize = 4 * sizeof(__be32);
David Howells17926a72007-04-26 15:48:28 -0700114
115 _enter("");
116
David Howells19ffa012016-04-04 14:00:36 +0100117 if (!conn->params.key)
Herbert Xua2636292016-06-26 14:55:24 -0700118 return 0;
119
120 tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
121 if (!tmpbuf)
122 return -ENOMEM;
David Howells17926a72007-04-26 15:48:28 -0700123
David Howells19ffa012016-04-04 14:00:36 +0100124 token = conn->params.key->payload.data[0];
David Howells33941282009-09-14 01:17:35 +0000125 memcpy(&iv, token->kad->session_key, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700126
Herbert Xua2636292016-06-26 14:55:24 -0700127 tmpbuf[0] = htonl(conn->proto.epoch);
128 tmpbuf[1] = htonl(conn->proto.cid);
129 tmpbuf[2] = 0;
130 tmpbuf[3] = htonl(conn->security_ix);
David Howells17926a72007-04-26 15:48:28 -0700131
Herbert Xua2636292016-06-26 14:55:24 -0700132 sg_init_one(&sg, tmpbuf, tmpsize);
Herbert Xu1afe5932016-01-24 21:19:01 +0800133 skcipher_request_set_tfm(req, conn->cipher);
134 skcipher_request_set_callback(req, 0, NULL, NULL);
Herbert Xua2636292016-06-26 14:55:24 -0700135 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800136 crypto_skcipher_encrypt(req);
137 skcipher_request_zero(req);
David Howells17926a72007-04-26 15:48:28 -0700138
Herbert Xua2636292016-06-26 14:55:24 -0700139 memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv));
140 kfree(tmpbuf);
141 _leave(" = 0");
142 return 0;
David Howells17926a72007-04-26 15:48:28 -0700143}
144
145/*
146 * partially encrypt a packet (level 1 security)
147 */
148static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
149 struct sk_buff *skb,
150 u32 data_size,
151 void *sechdr)
152{
153 struct rxrpc_skb_priv *sp;
Herbert Xu1afe5932016-01-24 21:19:01 +0800154 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
Herbert Xua2636292016-06-26 14:55:24 -0700155 struct rxkad_level1_hdr hdr;
David Howells17926a72007-04-26 15:48:28 -0700156 struct rxrpc_crypt iv;
Herbert Xua2636292016-06-26 14:55:24 -0700157 struct scatterlist sg;
David Howells17926a72007-04-26 15:48:28 -0700158 u16 check;
159
160 sp = rxrpc_skb(skb);
161
162 _enter("");
163
David Howells0d12f8a2016-03-04 15:53:46 +0000164 check = sp->hdr.seq ^ sp->hdr.callNumber;
165 data_size |= (u32)check << 16;
David Howells17926a72007-04-26 15:48:28 -0700166
Herbert Xua2636292016-06-26 14:55:24 -0700167 hdr.data_size = htonl(data_size);
168 memcpy(sechdr, &hdr, sizeof(hdr));
David Howells17926a72007-04-26 15:48:28 -0700169
170 /* start the encryption afresh */
171 memset(&iv, 0, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700172
Herbert Xua2636292016-06-26 14:55:24 -0700173 sg_init_one(&sg, sechdr, 8);
Herbert Xu1afe5932016-01-24 21:19:01 +0800174 skcipher_request_set_tfm(req, call->conn->cipher);
175 skcipher_request_set_callback(req, 0, NULL, NULL);
Herbert Xua2636292016-06-26 14:55:24 -0700176 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800177 crypto_skcipher_encrypt(req);
178 skcipher_request_zero(req);
David Howells17926a72007-04-26 15:48:28 -0700179
David Howells17926a72007-04-26 15:48:28 -0700180 _leave(" = 0");
181 return 0;
182}
183
184/*
185 * wholly encrypt a packet (level 2 security)
186 */
187static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
David Howellsb4f13422016-03-04 15:56:19 +0000188 struct sk_buff *skb,
189 u32 data_size,
190 void *sechdr)
David Howells17926a72007-04-26 15:48:28 -0700191{
David Howells33941282009-09-14 01:17:35 +0000192 const struct rxrpc_key_token *token;
Herbert Xua2636292016-06-26 14:55:24 -0700193 struct rxkad_level2_hdr rxkhdr;
David Howells17926a72007-04-26 15:48:28 -0700194 struct rxrpc_skb_priv *sp;
Herbert Xu1afe5932016-01-24 21:19:01 +0800195 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
David Howells17926a72007-04-26 15:48:28 -0700196 struct rxrpc_crypt iv;
197 struct scatterlist sg[16];
198 struct sk_buff *trailer;
Eric Dumazet95c96172012-04-15 05:58:06 +0000199 unsigned int len;
David Howells17926a72007-04-26 15:48:28 -0700200 u16 check;
201 int nsg;
Herbert Xu1afe5932016-01-24 21:19:01 +0800202 int err;
David Howells17926a72007-04-26 15:48:28 -0700203
204 sp = rxrpc_skb(skb);
205
206 _enter("");
207
David Howells0d12f8a2016-03-04 15:53:46 +0000208 check = sp->hdr.seq ^ sp->hdr.callNumber;
David Howells17926a72007-04-26 15:48:28 -0700209
David Howells0d12f8a2016-03-04 15:53:46 +0000210 rxkhdr.data_size = htonl(data_size | (u32)check << 16);
David Howells17926a72007-04-26 15:48:28 -0700211 rxkhdr.checksum = 0;
Herbert Xua2636292016-06-26 14:55:24 -0700212 memcpy(sechdr, &rxkhdr, sizeof(rxkhdr));
David Howells17926a72007-04-26 15:48:28 -0700213
214 /* encrypt from the session key */
David Howells19ffa012016-04-04 14:00:36 +0100215 token = call->conn->params.key->payload.data[0];
David Howells33941282009-09-14 01:17:35 +0000216 memcpy(&iv, token->kad->session_key, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700217
Herbert Xu68e3f5d2007-10-27 00:52:07 -0700218 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
Herbert Xu1afe5932016-01-24 21:19:01 +0800219 skcipher_request_set_tfm(req, call->conn->cipher);
220 skcipher_request_set_callback(req, 0, NULL, NULL);
Herbert Xua2636292016-06-26 14:55:24 -0700221 skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800222 crypto_skcipher_encrypt(req);
David Howells17926a72007-04-26 15:48:28 -0700223
224 /* we want to encrypt the skbuff in-place */
225 nsg = skb_cow_data(skb, 0, &trailer);
Herbert Xu1afe5932016-01-24 21:19:01 +0800226 err = -ENOMEM;
David Howells17926a72007-04-26 15:48:28 -0700227 if (nsg < 0 || nsg > 16)
Herbert Xu1afe5932016-01-24 21:19:01 +0800228 goto out;
David Howells17926a72007-04-26 15:48:28 -0700229
230 len = data_size + call->conn->size_align - 1;
231 len &= ~(call->conn->size_align - 1);
232
David S. Miller51c739d2007-10-30 21:29:29 -0700233 sg_init_table(sg, nsg);
234 skb_to_sgvec(skb, sg, 0, len);
Herbert Xu1afe5932016-01-24 21:19:01 +0800235 skcipher_request_set_crypt(req, sg, sg, len, iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800236 crypto_skcipher_encrypt(req);
David Howells17926a72007-04-26 15:48:28 -0700237
238 _leave(" = 0");
Herbert Xu1afe5932016-01-24 21:19:01 +0800239 err = 0;
240
241out:
242 skcipher_request_zero(req);
243 return err;
David Howells17926a72007-04-26 15:48:28 -0700244}
245
246/*
247 * checksum an RxRPC packet header
248 */
Herbert Xua2636292016-06-26 14:55:24 -0700249static int rxkad_secure_packet(struct rxrpc_call *call,
David Howellsb4f13422016-03-04 15:56:19 +0000250 struct sk_buff *skb,
251 size_t data_size,
252 void *sechdr)
David Howells17926a72007-04-26 15:48:28 -0700253{
254 struct rxrpc_skb_priv *sp;
Herbert Xu1afe5932016-01-24 21:19:01 +0800255 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
David Howells17926a72007-04-26 15:48:28 -0700256 struct rxrpc_crypt iv;
Herbert Xua2636292016-06-26 14:55:24 -0700257 struct scatterlist sg;
David Howells0d12f8a2016-03-04 15:53:46 +0000258 u32 x, y;
David Howells17926a72007-04-26 15:48:28 -0700259 int ret;
260
261 sp = rxrpc_skb(skb);
262
263 _enter("{%d{%x}},{#%u},%zu,",
David Howells19ffa012016-04-04 14:00:36 +0100264 call->debug_id, key_serial(call->conn->params.key),
265 sp->hdr.seq, data_size);
David Howells17926a72007-04-26 15:48:28 -0700266
267 if (!call->conn->cipher)
268 return 0;
269
David Howells19ffa012016-04-04 14:00:36 +0100270 ret = key_validate(call->conn->params.key);
David Howells17926a72007-04-26 15:48:28 -0700271 if (ret < 0)
272 return ret;
273
274 /* continue encrypting from where we left off */
275 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700276
277 /* calculate the security checksum */
David Howells01a90a42016-08-23 15:27:24 +0100278 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
David Howells0d12f8a2016-03-04 15:53:46 +0000279 x |= sp->hdr.seq & 0x3fffffff;
Herbert Xua2636292016-06-26 14:55:24 -0700280 call->crypto_buf[0] = htonl(sp->hdr.callNumber);
281 call->crypto_buf[1] = htonl(x);
David Howells17926a72007-04-26 15:48:28 -0700282
Herbert Xua2636292016-06-26 14:55:24 -0700283 sg_init_one(&sg, call->crypto_buf, 8);
Herbert Xu1afe5932016-01-24 21:19:01 +0800284 skcipher_request_set_tfm(req, call->conn->cipher);
285 skcipher_request_set_callback(req, 0, NULL, NULL);
Herbert Xua2636292016-06-26 14:55:24 -0700286 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800287 crypto_skcipher_encrypt(req);
288 skcipher_request_zero(req);
David Howells17926a72007-04-26 15:48:28 -0700289
Herbert Xua2636292016-06-26 14:55:24 -0700290 y = ntohl(call->crypto_buf[1]);
Al Viro91e916c2008-03-29 03:08:38 +0000291 y = (y >> 16) & 0xffff;
292 if (y == 0)
293 y = 1; /* zero checksums are not permitted */
David Howells0d12f8a2016-03-04 15:53:46 +0000294 sp->hdr.cksum = y;
David Howells17926a72007-04-26 15:48:28 -0700295
David Howells19ffa012016-04-04 14:00:36 +0100296 switch (call->conn->params.security_level) {
David Howells17926a72007-04-26 15:48:28 -0700297 case RXRPC_SECURITY_PLAIN:
298 ret = 0;
299 break;
300 case RXRPC_SECURITY_AUTH:
301 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr);
302 break;
303 case RXRPC_SECURITY_ENCRYPT:
304 ret = rxkad_secure_packet_encrypt(call, skb, data_size,
305 sechdr);
306 break;
307 default:
308 ret = -EPERM;
309 break;
310 }
311
Al Viro91e916c2008-03-29 03:08:38 +0000312 _leave(" = %d [set %hx]", ret, y);
David Howells17926a72007-04-26 15:48:28 -0700313 return ret;
314}
315
316/*
317 * decrypt partial encryption on a packet (level 1 security)
318 */
319static int rxkad_verify_packet_auth(const struct rxrpc_call *call,
320 struct sk_buff *skb,
321 u32 *_abort_code)
322{
323 struct rxkad_level1_hdr sechdr;
324 struct rxrpc_skb_priv *sp;
Herbert Xu1afe5932016-01-24 21:19:01 +0800325 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
David Howells17926a72007-04-26 15:48:28 -0700326 struct rxrpc_crypt iv;
Herbert Xu68e3f5d2007-10-27 00:52:07 -0700327 struct scatterlist sg[16];
David Howells17926a72007-04-26 15:48:28 -0700328 struct sk_buff *trailer;
329 u32 data_size, buf;
330 u16 check;
Herbert Xu68e3f5d2007-10-27 00:52:07 -0700331 int nsg;
David Howells17926a72007-04-26 15:48:28 -0700332
333 _enter("");
334
335 sp = rxrpc_skb(skb);
336
337 /* we want to decrypt the skbuff in-place */
Herbert Xu68e3f5d2007-10-27 00:52:07 -0700338 nsg = skb_cow_data(skb, 0, &trailer);
339 if (nsg < 0 || nsg > 16)
David Howells17926a72007-04-26 15:48:28 -0700340 goto nomem;
341
Herbert Xu68e3f5d2007-10-27 00:52:07 -0700342 sg_init_table(sg, nsg);
David S. Miller51c739d2007-10-30 21:29:29 -0700343 skb_to_sgvec(skb, sg, 0, 8);
David Howells17926a72007-04-26 15:48:28 -0700344
345 /* start the decryption afresh */
346 memset(&iv, 0, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700347
Herbert Xu1afe5932016-01-24 21:19:01 +0800348 skcipher_request_set_tfm(req, call->conn->cipher);
349 skcipher_request_set_callback(req, 0, NULL, NULL);
350 skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800351 crypto_skcipher_decrypt(req);
352 skcipher_request_zero(req);
David Howells17926a72007-04-26 15:48:28 -0700353
354 /* remove the decrypted packet length */
355 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0)
356 goto datalen_error;
357 if (!skb_pull(skb, sizeof(sechdr)))
358 BUG();
359
360 buf = ntohl(sechdr.data_size);
361 data_size = buf & 0xffff;
362
363 check = buf >> 16;
David Howells0d12f8a2016-03-04 15:53:46 +0000364 check ^= sp->hdr.seq ^ sp->hdr.callNumber;
David Howells17926a72007-04-26 15:48:28 -0700365 check &= 0xffff;
366 if (check != 0) {
367 *_abort_code = RXKADSEALEDINCON;
368 goto protocol_error;
369 }
370
371 /* shorten the packet to remove the padding */
372 if (data_size > skb->len)
373 goto datalen_error;
374 else if (data_size < skb->len)
375 skb->len = data_size;
376
377 _leave(" = 0 [dlen=%x]", data_size);
378 return 0;
379
380datalen_error:
381 *_abort_code = RXKADDATALEN;
382protocol_error:
383 _leave(" = -EPROTO");
384 return -EPROTO;
385
386nomem:
387 _leave(" = -ENOMEM");
388 return -ENOMEM;
389}
390
391/*
392 * wholly decrypt a packet (level 2 security)
393 */
394static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call,
395 struct sk_buff *skb,
396 u32 *_abort_code)
397{
David Howells33941282009-09-14 01:17:35 +0000398 const struct rxrpc_key_token *token;
David Howells17926a72007-04-26 15:48:28 -0700399 struct rxkad_level2_hdr sechdr;
400 struct rxrpc_skb_priv *sp;
Herbert Xu1afe5932016-01-24 21:19:01 +0800401 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
David Howells17926a72007-04-26 15:48:28 -0700402 struct rxrpc_crypt iv;
403 struct scatterlist _sg[4], *sg;
404 struct sk_buff *trailer;
405 u32 data_size, buf;
406 u16 check;
407 int nsg;
408
409 _enter(",{%d}", skb->len);
410
411 sp = rxrpc_skb(skb);
412
413 /* we want to decrypt the skbuff in-place */
414 nsg = skb_cow_data(skb, 0, &trailer);
415 if (nsg < 0)
416 goto nomem;
417
418 sg = _sg;
419 if (unlikely(nsg > 4)) {
420 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO);
421 if (!sg)
422 goto nomem;
423 }
424
Herbert Xu68e3f5d2007-10-27 00:52:07 -0700425 sg_init_table(sg, nsg);
David S. Miller51c739d2007-10-30 21:29:29 -0700426 skb_to_sgvec(skb, sg, 0, skb->len);
David Howells17926a72007-04-26 15:48:28 -0700427
428 /* decrypt from the session key */
David Howells19ffa012016-04-04 14:00:36 +0100429 token = call->conn->params.key->payload.data[0];
David Howells33941282009-09-14 01:17:35 +0000430 memcpy(&iv, token->kad->session_key, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700431
Herbert Xu1afe5932016-01-24 21:19:01 +0800432 skcipher_request_set_tfm(req, call->conn->cipher);
433 skcipher_request_set_callback(req, 0, NULL, NULL);
434 skcipher_request_set_crypt(req, sg, sg, skb->len, iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800435 crypto_skcipher_decrypt(req);
436 skcipher_request_zero(req);
David Howells17926a72007-04-26 15:48:28 -0700437 if (sg != _sg)
438 kfree(sg);
439
440 /* remove the decrypted packet length */
441 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0)
442 goto datalen_error;
443 if (!skb_pull(skb, sizeof(sechdr)))
444 BUG();
445
446 buf = ntohl(sechdr.data_size);
447 data_size = buf & 0xffff;
448
449 check = buf >> 16;
David Howells0d12f8a2016-03-04 15:53:46 +0000450 check ^= sp->hdr.seq ^ sp->hdr.callNumber;
David Howells17926a72007-04-26 15:48:28 -0700451 check &= 0xffff;
452 if (check != 0) {
453 *_abort_code = RXKADSEALEDINCON;
454 goto protocol_error;
455 }
456
457 /* shorten the packet to remove the padding */
458 if (data_size > skb->len)
459 goto datalen_error;
460 else if (data_size < skb->len)
461 skb->len = data_size;
462
463 _leave(" = 0 [dlen=%x]", data_size);
464 return 0;
465
466datalen_error:
467 *_abort_code = RXKADDATALEN;
468protocol_error:
469 _leave(" = -EPROTO");
470 return -EPROTO;
471
472nomem:
473 _leave(" = -ENOMEM");
474 return -ENOMEM;
475}
476
477/*
478 * verify the security on a received packet
479 */
Herbert Xua2636292016-06-26 14:55:24 -0700480static int rxkad_verify_packet(struct rxrpc_call *call,
David Howells17926a72007-04-26 15:48:28 -0700481 struct sk_buff *skb,
482 u32 *_abort_code)
483{
Herbert Xu1afe5932016-01-24 21:19:01 +0800484 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
David Howells17926a72007-04-26 15:48:28 -0700485 struct rxrpc_skb_priv *sp;
486 struct rxrpc_crypt iv;
Herbert Xua2636292016-06-26 14:55:24 -0700487 struct scatterlist sg;
David Howells0d12f8a2016-03-04 15:53:46 +0000488 u16 cksum;
489 u32 x, y;
David Howells17926a72007-04-26 15:48:28 -0700490 int ret;
491
492 sp = rxrpc_skb(skb);
493
494 _enter("{%d{%x}},{#%u}",
David Howells19ffa012016-04-04 14:00:36 +0100495 call->debug_id, key_serial(call->conn->params.key), sp->hdr.seq);
David Howells17926a72007-04-26 15:48:28 -0700496
497 if (!call->conn->cipher)
498 return 0;
499
David Howells8b815472009-09-14 01:17:30 +0000500 if (sp->hdr.securityIndex != RXRPC_SECURITY_RXKAD) {
David Howells17926a72007-04-26 15:48:28 -0700501 *_abort_code = RXKADINCONSISTENCY;
502 _leave(" = -EPROTO [not rxkad]");
503 return -EPROTO;
504 }
505
506 /* continue encrypting from where we left off */
507 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700508
509 /* validate the security checksum */
David Howells01a90a42016-08-23 15:27:24 +0100510 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
David Howells0d12f8a2016-03-04 15:53:46 +0000511 x |= sp->hdr.seq & 0x3fffffff;
Herbert Xua2636292016-06-26 14:55:24 -0700512 call->crypto_buf[0] = htonl(call->call_id);
513 call->crypto_buf[1] = htonl(x);
David Howells17926a72007-04-26 15:48:28 -0700514
Herbert Xua2636292016-06-26 14:55:24 -0700515 sg_init_one(&sg, call->crypto_buf, 8);
Herbert Xu1afe5932016-01-24 21:19:01 +0800516 skcipher_request_set_tfm(req, call->conn->cipher);
517 skcipher_request_set_callback(req, 0, NULL, NULL);
Herbert Xua2636292016-06-26 14:55:24 -0700518 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800519 crypto_skcipher_encrypt(req);
520 skcipher_request_zero(req);
David Howells17926a72007-04-26 15:48:28 -0700521
Herbert Xua2636292016-06-26 14:55:24 -0700522 y = ntohl(call->crypto_buf[1]);
David Howells0d12f8a2016-03-04 15:53:46 +0000523 cksum = (y >> 16) & 0xffff;
524 if (cksum == 0)
525 cksum = 1; /* zero checksums are not permitted */
David Howells17926a72007-04-26 15:48:28 -0700526
David Howells17926a72007-04-26 15:48:28 -0700527 if (sp->hdr.cksum != cksum) {
528 *_abort_code = RXKADSEALEDINCON;
529 _leave(" = -EPROTO [csum failed]");
530 return -EPROTO;
531 }
532
David Howells19ffa012016-04-04 14:00:36 +0100533 switch (call->conn->params.security_level) {
David Howells17926a72007-04-26 15:48:28 -0700534 case RXRPC_SECURITY_PLAIN:
535 ret = 0;
536 break;
537 case RXRPC_SECURITY_AUTH:
538 ret = rxkad_verify_packet_auth(call, skb, _abort_code);
539 break;
540 case RXRPC_SECURITY_ENCRYPT:
541 ret = rxkad_verify_packet_encrypt(call, skb, _abort_code);
542 break;
543 default:
544 ret = -ENOANO;
545 break;
546 }
547
548 _leave(" = %d", ret);
549 return ret;
550}
551
552/*
553 * issue a challenge
554 */
555static int rxkad_issue_challenge(struct rxrpc_connection *conn)
556{
557 struct rxkad_challenge challenge;
David Howells0d12f8a2016-03-04 15:53:46 +0000558 struct rxrpc_wire_header whdr;
David Howells17926a72007-04-26 15:48:28 -0700559 struct msghdr msg;
560 struct kvec iov[2];
561 size_t len;
David Howells0d12f8a2016-03-04 15:53:46 +0000562 u32 serial;
David Howells17926a72007-04-26 15:48:28 -0700563 int ret;
564
David Howells19ffa012016-04-04 14:00:36 +0100565 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
David Howells17926a72007-04-26 15:48:28 -0700566
David Howells19ffa012016-04-04 14:00:36 +0100567 ret = key_validate(conn->params.key);
David Howells17926a72007-04-26 15:48:28 -0700568 if (ret < 0)
569 return ret;
570
571 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
572
573 challenge.version = htonl(2);
574 challenge.nonce = htonl(conn->security_nonce);
575 challenge.min_level = htonl(0);
576 challenge.__padding = 0;
577
David Howells85f32272016-04-04 14:00:36 +0100578 msg.msg_name = &conn->params.peer->srx.transport.sin;
579 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin);
David Howells17926a72007-04-26 15:48:28 -0700580 msg.msg_control = NULL;
581 msg.msg_controllen = 0;
582 msg.msg_flags = 0;
583
David Howells19ffa012016-04-04 14:00:36 +0100584 whdr.epoch = htonl(conn->proto.epoch);
585 whdr.cid = htonl(conn->proto.cid);
David Howells0d12f8a2016-03-04 15:53:46 +0000586 whdr.callNumber = 0;
587 whdr.seq = 0;
588 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE;
589 whdr.flags = conn->out_clientflag;
590 whdr.userStatus = 0;
591 whdr.securityIndex = conn->security_ix;
592 whdr._rsvd = 0;
David Howells19ffa012016-04-04 14:00:36 +0100593 whdr.serviceId = htons(conn->params.service_id);
David Howells17926a72007-04-26 15:48:28 -0700594
David Howells0d12f8a2016-03-04 15:53:46 +0000595 iov[0].iov_base = &whdr;
596 iov[0].iov_len = sizeof(whdr);
David Howells17926a72007-04-26 15:48:28 -0700597 iov[1].iov_base = &challenge;
598 iov[1].iov_len = sizeof(challenge);
599
600 len = iov[0].iov_len + iov[1].iov_len;
601
David Howells0d12f8a2016-03-04 15:53:46 +0000602 serial = atomic_inc_return(&conn->serial);
603 whdr.serial = htonl(serial);
604 _proto("Tx CHALLENGE %%%u", serial);
David Howells17926a72007-04-26 15:48:28 -0700605
David Howells85f32272016-04-04 14:00:36 +0100606 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
David Howells17926a72007-04-26 15:48:28 -0700607 if (ret < 0) {
608 _debug("sendmsg failed: %d", ret);
609 return -EAGAIN;
610 }
611
612 _leave(" = 0");
613 return 0;
614}
615
616/*
617 * send a Kerberos security response
618 */
619static int rxkad_send_response(struct rxrpc_connection *conn,
David Howells0d12f8a2016-03-04 15:53:46 +0000620 struct rxrpc_host_header *hdr,
David Howells17926a72007-04-26 15:48:28 -0700621 struct rxkad_response *resp,
622 const struct rxkad_key *s2)
623{
David Howells0d12f8a2016-03-04 15:53:46 +0000624 struct rxrpc_wire_header whdr;
David Howells17926a72007-04-26 15:48:28 -0700625 struct msghdr msg;
626 struct kvec iov[3];
627 size_t len;
David Howells0d12f8a2016-03-04 15:53:46 +0000628 u32 serial;
David Howells17926a72007-04-26 15:48:28 -0700629 int ret;
630
631 _enter("");
632
David Howells85f32272016-04-04 14:00:36 +0100633 msg.msg_name = &conn->params.peer->srx.transport.sin;
634 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin);
David Howells17926a72007-04-26 15:48:28 -0700635 msg.msg_control = NULL;
636 msg.msg_controllen = 0;
637 msg.msg_flags = 0;
638
David Howells0d12f8a2016-03-04 15:53:46 +0000639 memset(&whdr, 0, sizeof(whdr));
640 whdr.epoch = htonl(hdr->epoch);
641 whdr.cid = htonl(hdr->cid);
642 whdr.type = RXRPC_PACKET_TYPE_RESPONSE;
643 whdr.flags = conn->out_clientflag;
644 whdr.securityIndex = hdr->securityIndex;
645 whdr.serviceId = htons(hdr->serviceId);
David Howells17926a72007-04-26 15:48:28 -0700646
David Howells0d12f8a2016-03-04 15:53:46 +0000647 iov[0].iov_base = &whdr;
648 iov[0].iov_len = sizeof(whdr);
David Howells17926a72007-04-26 15:48:28 -0700649 iov[1].iov_base = resp;
650 iov[1].iov_len = sizeof(*resp);
David Howells0d12f8a2016-03-04 15:53:46 +0000651 iov[2].iov_base = (void *)s2->ticket;
David Howells17926a72007-04-26 15:48:28 -0700652 iov[2].iov_len = s2->ticket_len;
653
654 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
655
David Howells0d12f8a2016-03-04 15:53:46 +0000656 serial = atomic_inc_return(&conn->serial);
657 whdr.serial = htonl(serial);
658 _proto("Tx RESPONSE %%%u", serial);
David Howells17926a72007-04-26 15:48:28 -0700659
David Howells85f32272016-04-04 14:00:36 +0100660 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
David Howells17926a72007-04-26 15:48:28 -0700661 if (ret < 0) {
662 _debug("sendmsg failed: %d", ret);
663 return -EAGAIN;
664 }
665
666 _leave(" = 0");
667 return 0;
668}
669
670/*
671 * calculate the response checksum
672 */
673static void rxkad_calc_response_checksum(struct rxkad_response *response)
674{
675 u32 csum = 1000003;
676 int loop;
677 u8 *p = (u8 *) response;
678
679 for (loop = sizeof(*response); loop > 0; loop--)
680 csum = csum * 0x10204081 + *p++;
681
682 response->encrypted.checksum = htonl(csum);
683}
684
685/*
David Howells17926a72007-04-26 15:48:28 -0700686 * encrypt the response packet
687 */
688static void rxkad_encrypt_response(struct rxrpc_connection *conn,
689 struct rxkad_response *resp,
690 const struct rxkad_key *s2)
691{
Herbert Xu1afe5932016-01-24 21:19:01 +0800692 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
David Howells17926a72007-04-26 15:48:28 -0700693 struct rxrpc_crypt iv;
Herbert Xua2636292016-06-26 14:55:24 -0700694 struct scatterlist sg[1];
David Howells17926a72007-04-26 15:48:28 -0700695
696 /* continue encrypting from where we left off */
697 memcpy(&iv, s2->session_key, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700698
Herbert Xua2636292016-06-26 14:55:24 -0700699 sg_init_table(sg, 1);
700 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
Herbert Xu1afe5932016-01-24 21:19:01 +0800701 skcipher_request_set_tfm(req, conn->cipher);
702 skcipher_request_set_callback(req, 0, NULL, NULL);
703 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800704 crypto_skcipher_encrypt(req);
705 skcipher_request_zero(req);
David Howells17926a72007-04-26 15:48:28 -0700706}
707
708/*
709 * respond to a challenge packet
710 */
711static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
712 struct sk_buff *skb,
713 u32 *_abort_code)
714{
David Howells33941282009-09-14 01:17:35 +0000715 const struct rxrpc_key_token *token;
David Howells17926a72007-04-26 15:48:28 -0700716 struct rxkad_challenge challenge;
717 struct rxkad_response resp
718 __attribute__((aligned(8))); /* must be aligned for crypto */
719 struct rxrpc_skb_priv *sp;
720 u32 version, nonce, min_level, abort_code;
721 int ret;
722
David Howells19ffa012016-04-04 14:00:36 +0100723 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
David Howells17926a72007-04-26 15:48:28 -0700724
David Howells19ffa012016-04-04 14:00:36 +0100725 if (!conn->params.key) {
David Howells17926a72007-04-26 15:48:28 -0700726 _leave(" = -EPROTO [no key]");
727 return -EPROTO;
728 }
729
David Howells19ffa012016-04-04 14:00:36 +0100730 ret = key_validate(conn->params.key);
David Howells17926a72007-04-26 15:48:28 -0700731 if (ret < 0) {
732 *_abort_code = RXKADEXPIRED;
733 return ret;
734 }
735
736 abort_code = RXKADPACKETSHORT;
737 sp = rxrpc_skb(skb);
738 if (skb_copy_bits(skb, 0, &challenge, sizeof(challenge)) < 0)
739 goto protocol_error;
740
741 version = ntohl(challenge.version);
742 nonce = ntohl(challenge.nonce);
743 min_level = ntohl(challenge.min_level);
744
745 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
David Howells0d12f8a2016-03-04 15:53:46 +0000746 sp->hdr.serial, version, nonce, min_level);
David Howells17926a72007-04-26 15:48:28 -0700747
748 abort_code = RXKADINCONSISTENCY;
749 if (version != RXKAD_VERSION)
750 goto protocol_error;
751
752 abort_code = RXKADLEVELFAIL;
David Howells19ffa012016-04-04 14:00:36 +0100753 if (conn->params.security_level < min_level)
David Howells17926a72007-04-26 15:48:28 -0700754 goto protocol_error;
755
David Howells19ffa012016-04-04 14:00:36 +0100756 token = conn->params.key->payload.data[0];
David Howells17926a72007-04-26 15:48:28 -0700757
758 /* build the response packet */
759 memset(&resp, 0, sizeof(resp));
760
David Howells098a2092016-03-04 15:59:00 +0000761 resp.version = htonl(RXKAD_VERSION);
David Howells19ffa012016-04-04 14:00:36 +0100762 resp.encrypted.epoch = htonl(conn->proto.epoch);
763 resp.encrypted.cid = htonl(conn->proto.cid);
David Howells098a2092016-03-04 15:59:00 +0000764 resp.encrypted.securityIndex = htonl(conn->security_ix);
765 resp.encrypted.inc_nonce = htonl(nonce + 1);
David Howells19ffa012016-04-04 14:00:36 +0100766 resp.encrypted.level = htonl(conn->params.security_level);
David Howells098a2092016-03-04 15:59:00 +0000767 resp.kvno = htonl(token->kad->kvno);
768 resp.ticket_len = htonl(token->kad->ticket_len);
769
David Howellsa1399f82016-06-27 14:39:44 +0100770 resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
771 resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
772 resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
773 resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
David Howells17926a72007-04-26 15:48:28 -0700774
775 /* calculate the response checksum and then do the encryption */
776 rxkad_calc_response_checksum(&resp);
David Howells33941282009-09-14 01:17:35 +0000777 rxkad_encrypt_response(conn, &resp, token->kad);
778 return rxkad_send_response(conn, &sp->hdr, &resp, token->kad);
David Howells17926a72007-04-26 15:48:28 -0700779
780protocol_error:
781 *_abort_code = abort_code;
782 _leave(" = -EPROTO [%d]", abort_code);
783 return -EPROTO;
784}
785
786/*
787 * decrypt the kerberos IV ticket in the response
788 */
789static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
790 void *ticket, size_t ticket_len,
791 struct rxrpc_crypt *_session_key,
792 time_t *_expiry,
793 u32 *_abort_code)
794{
Herbert Xu1afe5932016-01-24 21:19:01 +0800795 struct skcipher_request *req;
David Howells17926a72007-04-26 15:48:28 -0700796 struct rxrpc_crypt iv, key;
Herbert Xu68e3f5d2007-10-27 00:52:07 -0700797 struct scatterlist sg[1];
David Howells17926a72007-04-26 15:48:28 -0700798 struct in_addr addr;
Eric Dumazet95c96172012-04-15 05:58:06 +0000799 unsigned int life;
David Howells17926a72007-04-26 15:48:28 -0700800 time_t issue, now;
801 bool little_endian;
802 int ret;
803 u8 *p, *q, *name, *end;
804
805 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
806
807 *_expiry = 0;
808
809 ret = key_validate(conn->server_key);
810 if (ret < 0) {
811 switch (ret) {
812 case -EKEYEXPIRED:
813 *_abort_code = RXKADEXPIRED;
814 goto error;
815 default:
816 *_abort_code = RXKADNOAUTH;
817 goto error;
818 }
819 }
820
David Howells146aa8b2015-10-21 14:04:48 +0100821 ASSERT(conn->server_key->payload.data[0] != NULL);
David Howells17926a72007-04-26 15:48:28 -0700822 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
823
David Howells146aa8b2015-10-21 14:04:48 +0100824 memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700825
Herbert Xu1afe5932016-01-24 21:19:01 +0800826 req = skcipher_request_alloc(conn->server_key->payload.data[0],
827 GFP_NOFS);
828 if (!req) {
829 *_abort_code = RXKADNOAUTH;
830 ret = -ENOMEM;
831 goto error;
832 }
David Howells17926a72007-04-26 15:48:28 -0700833
Herbert Xu68e3f5d2007-10-27 00:52:07 -0700834 sg_init_one(&sg[0], ticket, ticket_len);
Herbert Xu1afe5932016-01-24 21:19:01 +0800835 skcipher_request_set_callback(req, 0, NULL, NULL);
836 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800837 crypto_skcipher_decrypt(req);
838 skcipher_request_free(req);
David Howells17926a72007-04-26 15:48:28 -0700839
840 p = ticket;
841 end = p + ticket_len;
842
843#define Z(size) \
844 ({ \
845 u8 *__str = p; \
846 q = memchr(p, 0, end - p); \
847 if (!q || q - p > (size)) \
848 goto bad_ticket; \
849 for (; p < q; p++) \
850 if (!isprint(*p)) \
851 goto bad_ticket; \
852 p++; \
853 __str; \
854 })
855
856 /* extract the ticket flags */
857 _debug("KIV FLAGS: %x", *p);
858 little_endian = *p & 1;
859 p++;
860
861 /* extract the authentication name */
862 name = Z(ANAME_SZ);
863 _debug("KIV ANAME: %s", name);
864
865 /* extract the principal's instance */
866 name = Z(INST_SZ);
867 _debug("KIV INST : %s", name);
868
869 /* extract the principal's authentication domain */
870 name = Z(REALM_SZ);
871 _debug("KIV REALM: %s", name);
872
873 if (end - p < 4 + 8 + 4 + 2)
874 goto bad_ticket;
875
876 /* get the IPv4 address of the entity that requested the ticket */
877 memcpy(&addr, p, sizeof(addr));
878 p += 4;
Harvey Harrison21454aa2008-10-31 00:54:56 -0700879 _debug("KIV ADDR : %pI4", &addr);
David Howells17926a72007-04-26 15:48:28 -0700880
881 /* get the session key from the ticket */
882 memcpy(&key, p, sizeof(key));
883 p += 8;
884 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
885 memcpy(_session_key, &key, sizeof(key));
886
887 /* get the ticket's lifetime */
888 life = *p++ * 5 * 60;
889 _debug("KIV LIFE : %u", life);
890
891 /* get the issue time of the ticket */
892 if (little_endian) {
893 __le32 stamp;
894 memcpy(&stamp, p, 4);
895 issue = le32_to_cpu(stamp);
896 } else {
897 __be32 stamp;
898 memcpy(&stamp, p, 4);
899 issue = be32_to_cpu(stamp);
900 }
901 p += 4;
john stultz2c6b47d2007-07-24 17:47:43 -0700902 now = get_seconds();
David Howells17926a72007-04-26 15:48:28 -0700903 _debug("KIV ISSUE: %lx [%lx]", issue, now);
904
905 /* check the ticket is in date */
906 if (issue > now) {
907 *_abort_code = RXKADNOAUTH;
908 ret = -EKEYREJECTED;
909 goto error;
910 }
911
912 if (issue < now - life) {
913 *_abort_code = RXKADEXPIRED;
914 ret = -EKEYEXPIRED;
915 goto error;
916 }
917
918 *_expiry = issue + life;
919
920 /* get the service name */
921 name = Z(SNAME_SZ);
922 _debug("KIV SNAME: %s", name);
923
924 /* get the service instance name */
925 name = Z(INST_SZ);
926 _debug("KIV SINST: %s", name);
927
928 ret = 0;
929error:
930 _leave(" = %d", ret);
931 return ret;
932
933bad_ticket:
934 *_abort_code = RXKADBADTICKET;
935 ret = -EBADMSG;
936 goto error;
937}
938
939/*
940 * decrypt the response packet
941 */
942static void rxkad_decrypt_response(struct rxrpc_connection *conn,
943 struct rxkad_response *resp,
944 const struct rxrpc_crypt *session_key)
945{
Herbert Xu1afe5932016-01-24 21:19:01 +0800946 SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci);
Herbert Xua2636292016-06-26 14:55:24 -0700947 struct scatterlist sg[1];
David Howells17926a72007-04-26 15:48:28 -0700948 struct rxrpc_crypt iv;
949
950 _enter(",,%08x%08x",
951 ntohl(session_key->n[0]), ntohl(session_key->n[1]));
952
953 ASSERT(rxkad_ci != NULL);
954
955 mutex_lock(&rxkad_ci_mutex);
Herbert Xu1afe5932016-01-24 21:19:01 +0800956 if (crypto_skcipher_setkey(rxkad_ci, session_key->x,
957 sizeof(*session_key)) < 0)
David Howells17926a72007-04-26 15:48:28 -0700958 BUG();
959
960 memcpy(&iv, session_key, sizeof(iv));
David Howells17926a72007-04-26 15:48:28 -0700961
Herbert Xua2636292016-06-26 14:55:24 -0700962 sg_init_table(sg, 1);
963 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
Herbert Xu1afe5932016-01-24 21:19:01 +0800964 skcipher_request_set_tfm(req, rxkad_ci);
965 skcipher_request_set_callback(req, 0, NULL, NULL);
966 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
Herbert Xu1afe5932016-01-24 21:19:01 +0800967 crypto_skcipher_decrypt(req);
968 skcipher_request_zero(req);
969
David Howells17926a72007-04-26 15:48:28 -0700970 mutex_unlock(&rxkad_ci_mutex);
971
972 _leave("");
973}
974
975/*
976 * verify a response
977 */
978static int rxkad_verify_response(struct rxrpc_connection *conn,
979 struct sk_buff *skb,
980 u32 *_abort_code)
981{
982 struct rxkad_response response
983 __attribute__((aligned(8))); /* must be aligned for crypto */
984 struct rxrpc_skb_priv *sp;
985 struct rxrpc_crypt session_key;
986 time_t expiry;
987 void *ticket;
Al Viro91e916c2008-03-29 03:08:38 +0000988 u32 abort_code, version, kvno, ticket_len, level;
989 __be32 csum;
David Howellsa1399f82016-06-27 14:39:44 +0100990 int ret, i;
David Howells17926a72007-04-26 15:48:28 -0700991
992 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
993
994 abort_code = RXKADPACKETSHORT;
995 if (skb_copy_bits(skb, 0, &response, sizeof(response)) < 0)
996 goto protocol_error;
997 if (!pskb_pull(skb, sizeof(response)))
998 BUG();
999
1000 version = ntohl(response.version);
1001 ticket_len = ntohl(response.ticket_len);
1002 kvno = ntohl(response.kvno);
1003 sp = rxrpc_skb(skb);
1004 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
David Howells0d12f8a2016-03-04 15:53:46 +00001005 sp->hdr.serial, version, kvno, ticket_len);
David Howells17926a72007-04-26 15:48:28 -07001006
1007 abort_code = RXKADINCONSISTENCY;
1008 if (version != RXKAD_VERSION)
David Howells4aa9cb32007-12-07 04:31:47 -08001009 goto protocol_error;
David Howells17926a72007-04-26 15:48:28 -07001010
1011 abort_code = RXKADTICKETLEN;
1012 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1013 goto protocol_error;
1014
1015 abort_code = RXKADUNKNOWNKEY;
1016 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1017 goto protocol_error;
1018
1019 /* extract the kerberos ticket and decrypt and decode it */
1020 ticket = kmalloc(ticket_len, GFP_NOFS);
1021 if (!ticket)
1022 return -ENOMEM;
1023
1024 abort_code = RXKADPACKETSHORT;
1025 if (skb_copy_bits(skb, 0, ticket, ticket_len) < 0)
1026 goto protocol_error_free;
1027
1028 ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key,
1029 &expiry, &abort_code);
1030 if (ret < 0) {
1031 *_abort_code = abort_code;
1032 kfree(ticket);
1033 return ret;
1034 }
1035
1036 /* use the session key from inside the ticket to decrypt the
1037 * response */
1038 rxkad_decrypt_response(conn, &response, &session_key);
1039
1040 abort_code = RXKADSEALEDINCON;
David Howells19ffa012016-04-04 14:00:36 +01001041 if (ntohl(response.encrypted.epoch) != conn->proto.epoch)
David Howells17926a72007-04-26 15:48:28 -07001042 goto protocol_error_free;
David Howells19ffa012016-04-04 14:00:36 +01001043 if (ntohl(response.encrypted.cid) != conn->proto.cid)
David Howells17926a72007-04-26 15:48:28 -07001044 goto protocol_error_free;
1045 if (ntohl(response.encrypted.securityIndex) != conn->security_ix)
1046 goto protocol_error_free;
1047 csum = response.encrypted.checksum;
1048 response.encrypted.checksum = 0;
1049 rxkad_calc_response_checksum(&response);
1050 if (response.encrypted.checksum != csum)
1051 goto protocol_error_free;
1052
David Howellsa1399f82016-06-27 14:39:44 +01001053 spin_lock(&conn->channel_lock);
1054 for (i = 0; i < RXRPC_MAXCALLS; i++) {
1055 struct rxrpc_call *call;
1056 u32 call_id = ntohl(response.encrypted.call_id[i]);
1057
1058 if (call_id > INT_MAX)
1059 goto protocol_error_unlock;
1060
1061 if (call_id < conn->channels[i].call_counter)
1062 goto protocol_error_unlock;
1063 if (call_id > conn->channels[i].call_counter) {
1064 call = rcu_dereference_protected(
1065 conn->channels[i].call,
1066 lockdep_is_held(&conn->channel_lock));
1067 if (call && call->state < RXRPC_CALL_COMPLETE)
1068 goto protocol_error_unlock;
1069 conn->channels[i].call_counter = call_id;
1070 }
1071 }
1072 spin_unlock(&conn->channel_lock);
David Howells17926a72007-04-26 15:48:28 -07001073
1074 abort_code = RXKADOUTOFSEQUENCE;
David Howells0d12f8a2016-03-04 15:53:46 +00001075 if (ntohl(response.encrypted.inc_nonce) != conn->security_nonce + 1)
David Howells17926a72007-04-26 15:48:28 -07001076 goto protocol_error_free;
1077
1078 abort_code = RXKADLEVELFAIL;
1079 level = ntohl(response.encrypted.level);
1080 if (level > RXRPC_SECURITY_ENCRYPT)
1081 goto protocol_error_free;
David Howells19ffa012016-04-04 14:00:36 +01001082 conn->params.security_level = level;
David Howells17926a72007-04-26 15:48:28 -07001083
1084 /* create a key to hold the security data and expiration time - after
1085 * this the connection security can be handled in exactly the same way
1086 * as for a client connection */
1087 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1088 if (ret < 0) {
1089 kfree(ticket);
1090 return ret;
1091 }
1092
1093 kfree(ticket);
1094 _leave(" = 0");
1095 return 0;
1096
David Howellsa1399f82016-06-27 14:39:44 +01001097protocol_error_unlock:
1098 spin_unlock(&conn->channel_lock);
David Howells17926a72007-04-26 15:48:28 -07001099protocol_error_free:
1100 kfree(ticket);
1101protocol_error:
1102 *_abort_code = abort_code;
1103 _leave(" = -EPROTO [%d]", abort_code);
1104 return -EPROTO;
1105}
1106
1107/*
1108 * clear the connection security
1109 */
1110static void rxkad_clear(struct rxrpc_connection *conn)
1111{
1112 _enter("");
1113
1114 if (conn->cipher)
Herbert Xu1afe5932016-01-24 21:19:01 +08001115 crypto_free_skcipher(conn->cipher);
David Howells17926a72007-04-26 15:48:28 -07001116}
1117
1118/*
David Howells648af7f2016-04-07 17:23:51 +01001119 * Initialise the rxkad security service.
1120 */
1121static int rxkad_init(void)
1122{
1123 /* pin the cipher we need so that the crypto layer doesn't invoke
1124 * keventd to go get it */
1125 rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
Wu Fengguangfa54cc72016-06-05 07:17:19 +08001126 return PTR_ERR_OR_ZERO(rxkad_ci);
David Howells648af7f2016-04-07 17:23:51 +01001127}
1128
1129/*
1130 * Clean up the rxkad security service.
1131 */
1132static void rxkad_exit(void)
1133{
1134 if (rxkad_ci)
1135 crypto_free_skcipher(rxkad_ci);
1136}
1137
1138/*
David Howells17926a72007-04-26 15:48:28 -07001139 * RxRPC Kerberos-based security
1140 */
David Howells648af7f2016-04-07 17:23:51 +01001141const struct rxrpc_security rxkad = {
David Howells17926a72007-04-26 15:48:28 -07001142 .name = "rxkad",
David Howells8b815472009-09-14 01:17:30 +00001143 .security_index = RXRPC_SECURITY_RXKAD,
David Howells648af7f2016-04-07 17:23:51 +01001144 .init = rxkad_init,
1145 .exit = rxkad_exit,
David Howells17926a72007-04-26 15:48:28 -07001146 .init_connection_security = rxkad_init_connection_security,
1147 .prime_packet_security = rxkad_prime_packet_security,
1148 .secure_packet = rxkad_secure_packet,
1149 .verify_packet = rxkad_verify_packet,
1150 .issue_challenge = rxkad_issue_challenge,
1151 .respond_to_challenge = rxkad_respond_to_challenge,
1152 .verify_response = rxkad_verify_response,
1153 .clear = rxkad_clear,
1154};