rxkad.c 28 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170
  1. /* Kerberos-based RxRPC security
  2. *
  3. * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
  4. * Written by David Howells (dhowells@redhat.com)
  5. *
  6. * This program is free software; you can redistribute it and/or
  7. * modify it under the terms of the GNU General Public License
  8. * as published by the Free Software Foundation; either version
  9. * 2 of the License, or (at your option) any later version.
  10. */
  11. #include <linux/module.h>
  12. #include <linux/net.h>
  13. #include <linux/skbuff.h>
  14. #include <linux/udp.h>
  15. #include <linux/crypto.h>
  16. #include <linux/scatterlist.h>
  17. #include <linux/ctype.h>
  18. #include <linux/slab.h>
  19. #include <net/sock.h>
  20. #include <net/af_rxrpc.h>
  21. #include <keys/rxrpc-type.h>
  22. #define rxrpc_debug rxkad_debug
  23. #include "ar-internal.h"
  24. #define RXKAD_VERSION 2
  25. #define MAXKRB5TICKETLEN 1024
  26. #define RXKAD_TKT_TYPE_KERBEROS_V5 256
  27. #define ANAME_SZ 40 /* size of authentication name */
  28. #define INST_SZ 40 /* size of principal's instance */
  29. #define REALM_SZ 40 /* size of principal's auth domain */
  30. #define SNAME_SZ 40 /* size of service name */
  31. unsigned int rxrpc_debug;
  32. module_param_named(debug, rxrpc_debug, uint, S_IWUSR | S_IRUGO);
  33. MODULE_PARM_DESC(debug, "rxkad debugging mask");
  34. struct rxkad_level1_hdr {
  35. __be32 data_size; /* true data size (excluding padding) */
  36. };
  37. struct rxkad_level2_hdr {
  38. __be32 data_size; /* true data size (excluding padding) */
  39. __be32 checksum; /* decrypted data checksum */
  40. };
  41. MODULE_DESCRIPTION("RxRPC network protocol type-2 security (Kerberos 4)");
  42. MODULE_AUTHOR("Red Hat, Inc.");
  43. MODULE_LICENSE("GPL");
  44. /*
  45. * this holds a pinned cipher so that keventd doesn't get called by the cipher
  46. * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
  47. * packets
  48. */
  49. static struct crypto_blkcipher *rxkad_ci;
  50. static DEFINE_MUTEX(rxkad_ci_mutex);
  51. /*
  52. * initialise connection security
  53. */
  54. static int rxkad_init_connection_security(struct rxrpc_connection *conn)
  55. {
  56. struct crypto_blkcipher *ci;
  57. struct rxrpc_key_token *token;
  58. int ret;
  59. _enter("{%d},{%x}", conn->debug_id, key_serial(conn->key));
  60. token = conn->key->payload.data[0];
  61. conn->security_ix = token->security_index;
  62. ci = crypto_alloc_blkcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
  63. if (IS_ERR(ci)) {
  64. _debug("no cipher");
  65. ret = PTR_ERR(ci);
  66. goto error;
  67. }
  68. if (crypto_blkcipher_setkey(ci, token->kad->session_key,
  69. sizeof(token->kad->session_key)) < 0)
  70. BUG();
  71. switch (conn->security_level) {
  72. case RXRPC_SECURITY_PLAIN:
  73. break;
  74. case RXRPC_SECURITY_AUTH:
  75. conn->size_align = 8;
  76. conn->security_size = sizeof(struct rxkad_level1_hdr);
  77. conn->header_size += sizeof(struct rxkad_level1_hdr);
  78. break;
  79. case RXRPC_SECURITY_ENCRYPT:
  80. conn->size_align = 8;
  81. conn->security_size = sizeof(struct rxkad_level2_hdr);
  82. conn->header_size += sizeof(struct rxkad_level2_hdr);
  83. break;
  84. default:
  85. ret = -EKEYREJECTED;
  86. goto error;
  87. }
  88. conn->cipher = ci;
  89. ret = 0;
  90. error:
  91. _leave(" = %d", ret);
  92. return ret;
  93. }
  94. /*
  95. * prime the encryption state with the invariant parts of a connection's
  96. * description
  97. */
  98. static void rxkad_prime_packet_security(struct rxrpc_connection *conn)
  99. {
  100. struct rxrpc_key_token *token;
  101. struct blkcipher_desc desc;
  102. struct scatterlist sg[2];
  103. struct rxrpc_crypt iv;
  104. struct {
  105. __be32 x[4];
  106. } tmpbuf __attribute__((aligned(16))); /* must all be in same page */
  107. _enter("");
  108. if (!conn->key)
  109. return;
  110. token = conn->key->payload.data[0];
  111. memcpy(&iv, token->kad->session_key, sizeof(iv));
  112. desc.tfm = conn->cipher;
  113. desc.info = iv.x;
  114. desc.flags = 0;
  115. tmpbuf.x[0] = conn->epoch;
  116. tmpbuf.x[1] = conn->cid;
  117. tmpbuf.x[2] = 0;
  118. tmpbuf.x[3] = htonl(conn->security_ix);
  119. sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf));
  120. sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf));
  121. crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf));
  122. memcpy(&conn->csum_iv, &tmpbuf.x[2], sizeof(conn->csum_iv));
  123. ASSERTCMP(conn->csum_iv.n[0], ==, tmpbuf.x[2]);
  124. _leave("");
  125. }
  126. /*
  127. * partially encrypt a packet (level 1 security)
  128. */
  129. static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
  130. struct sk_buff *skb,
  131. u32 data_size,
  132. void *sechdr)
  133. {
  134. struct rxrpc_skb_priv *sp;
  135. struct blkcipher_desc desc;
  136. struct rxrpc_crypt iv;
  137. struct scatterlist sg[2];
  138. struct {
  139. struct rxkad_level1_hdr hdr;
  140. __be32 first; /* first four bytes of data and padding */
  141. } tmpbuf __attribute__((aligned(8))); /* must all be in same page */
  142. u16 check;
  143. sp = rxrpc_skb(skb);
  144. _enter("");
  145. check = ntohl(sp->hdr.seq ^ sp->hdr.callNumber);
  146. data_size |= (u32) check << 16;
  147. tmpbuf.hdr.data_size = htonl(data_size);
  148. memcpy(&tmpbuf.first, sechdr + 4, sizeof(tmpbuf.first));
  149. /* start the encryption afresh */
  150. memset(&iv, 0, sizeof(iv));
  151. desc.tfm = call->conn->cipher;
  152. desc.info = iv.x;
  153. desc.flags = 0;
  154. sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf));
  155. sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf));
  156. crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf));
  157. memcpy(sechdr, &tmpbuf, sizeof(tmpbuf));
  158. _leave(" = 0");
  159. return 0;
  160. }
  161. /*
  162. * wholly encrypt a packet (level 2 security)
  163. */
  164. static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
  165. struct sk_buff *skb,
  166. u32 data_size,
  167. void *sechdr)
  168. {
  169. const struct rxrpc_key_token *token;
  170. struct rxkad_level2_hdr rxkhdr
  171. __attribute__((aligned(8))); /* must be all on one page */
  172. struct rxrpc_skb_priv *sp;
  173. struct blkcipher_desc desc;
  174. struct rxrpc_crypt iv;
  175. struct scatterlist sg[16];
  176. struct sk_buff *trailer;
  177. unsigned int len;
  178. u16 check;
  179. int nsg, err;
  180. sp = rxrpc_skb(skb);
  181. _enter("");
  182. check = ntohl(sp->hdr.seq ^ sp->hdr.callNumber);
  183. rxkhdr.data_size = htonl(data_size | (u32) check << 16);
  184. rxkhdr.checksum = 0;
  185. /* encrypt from the session key */
  186. token = call->conn->key->payload.data[0];
  187. memcpy(&iv, token->kad->session_key, sizeof(iv));
  188. desc.tfm = call->conn->cipher;
  189. desc.info = iv.x;
  190. desc.flags = 0;
  191. sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
  192. sg_init_one(&sg[1], &rxkhdr, sizeof(rxkhdr));
  193. crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(rxkhdr));
  194. /* we want to encrypt the skbuff in-place */
  195. nsg = skb_cow_data(skb, 0, &trailer);
  196. if (nsg < 0 || nsg > 16)
  197. return -ENOMEM;
  198. len = data_size + call->conn->size_align - 1;
  199. len &= ~(call->conn->size_align - 1);
  200. sg_init_table(sg, nsg);
  201. err = skb_to_sgvec(skb, sg, 0, len);
  202. if (unlikely(err < 0))
  203. return err;
  204. crypto_blkcipher_encrypt_iv(&desc, sg, sg, len);
  205. _leave(" = 0");
  206. return 0;
  207. }
  208. /*
  209. * checksum an RxRPC packet header
  210. */
  211. static int rxkad_secure_packet(const struct rxrpc_call *call,
  212. struct sk_buff *skb,
  213. size_t data_size,
  214. void *sechdr)
  215. {
  216. struct rxrpc_skb_priv *sp;
  217. struct blkcipher_desc desc;
  218. struct rxrpc_crypt iv;
  219. struct scatterlist sg[2];
  220. struct {
  221. __be32 x[2];
  222. } tmpbuf __attribute__((aligned(8))); /* must all be in same page */
  223. __be32 x;
  224. u32 y;
  225. int ret;
  226. sp = rxrpc_skb(skb);
  227. _enter("{%d{%x}},{#%u},%zu,",
  228. call->debug_id, key_serial(call->conn->key), ntohl(sp->hdr.seq),
  229. data_size);
  230. if (!call->conn->cipher)
  231. return 0;
  232. ret = key_validate(call->conn->key);
  233. if (ret < 0)
  234. return ret;
  235. /* continue encrypting from where we left off */
  236. memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
  237. desc.tfm = call->conn->cipher;
  238. desc.info = iv.x;
  239. desc.flags = 0;
  240. /* calculate the security checksum */
  241. x = htonl(call->channel << (32 - RXRPC_CIDSHIFT));
  242. x |= sp->hdr.seq & cpu_to_be32(0x3fffffff);
  243. tmpbuf.x[0] = sp->hdr.callNumber;
  244. tmpbuf.x[1] = x;
  245. sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf));
  246. sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf));
  247. crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf));
  248. y = ntohl(tmpbuf.x[1]);
  249. y = (y >> 16) & 0xffff;
  250. if (y == 0)
  251. y = 1; /* zero checksums are not permitted */
  252. sp->hdr.cksum = htons(y);
  253. switch (call->conn->security_level) {
  254. case RXRPC_SECURITY_PLAIN:
  255. ret = 0;
  256. break;
  257. case RXRPC_SECURITY_AUTH:
  258. ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr);
  259. break;
  260. case RXRPC_SECURITY_ENCRYPT:
  261. ret = rxkad_secure_packet_encrypt(call, skb, data_size,
  262. sechdr);
  263. break;
  264. default:
  265. ret = -EPERM;
  266. break;
  267. }
  268. _leave(" = %d [set %hx]", ret, y);
  269. return ret;
  270. }
  271. /*
  272. * decrypt partial encryption on a packet (level 1 security)
  273. */
  274. static int rxkad_verify_packet_auth(const struct rxrpc_call *call,
  275. struct sk_buff *skb,
  276. u32 *_abort_code)
  277. {
  278. struct rxkad_level1_hdr sechdr;
  279. struct rxrpc_skb_priv *sp;
  280. struct blkcipher_desc desc;
  281. struct rxrpc_crypt iv;
  282. struct scatterlist sg[16];
  283. struct sk_buff *trailer;
  284. u32 data_size, buf;
  285. u16 check;
  286. int nsg, ret;
  287. _enter("");
  288. sp = rxrpc_skb(skb);
  289. /* we want to decrypt the skbuff in-place */
  290. nsg = skb_cow_data(skb, 0, &trailer);
  291. if (nsg < 0 || nsg > 16)
  292. goto nomem;
  293. sg_init_table(sg, nsg);
  294. ret = skb_to_sgvec(skb, sg, 0, 8);
  295. if (unlikely(ret < 0))
  296. return ret;
  297. /* start the decryption afresh */
  298. memset(&iv, 0, sizeof(iv));
  299. desc.tfm = call->conn->cipher;
  300. desc.info = iv.x;
  301. desc.flags = 0;
  302. crypto_blkcipher_decrypt_iv(&desc, sg, sg, 8);
  303. /* remove the decrypted packet length */
  304. if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0)
  305. goto datalen_error;
  306. if (!skb_pull(skb, sizeof(sechdr)))
  307. BUG();
  308. buf = ntohl(sechdr.data_size);
  309. data_size = buf & 0xffff;
  310. check = buf >> 16;
  311. check ^= ntohl(sp->hdr.seq ^ sp->hdr.callNumber);
  312. check &= 0xffff;
  313. if (check != 0) {
  314. *_abort_code = RXKADSEALEDINCON;
  315. goto protocol_error;
  316. }
  317. /* shorten the packet to remove the padding */
  318. if (data_size > skb->len)
  319. goto datalen_error;
  320. else if (data_size < skb->len)
  321. skb->len = data_size;
  322. _leave(" = 0 [dlen=%x]", data_size);
  323. return 0;
  324. datalen_error:
  325. *_abort_code = RXKADDATALEN;
  326. protocol_error:
  327. _leave(" = -EPROTO");
  328. return -EPROTO;
  329. nomem:
  330. _leave(" = -ENOMEM");
  331. return -ENOMEM;
  332. }
  333. /*
  334. * wholly decrypt a packet (level 2 security)
  335. */
  336. static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call,
  337. struct sk_buff *skb,
  338. u32 *_abort_code)
  339. {
  340. const struct rxrpc_key_token *token;
  341. struct rxkad_level2_hdr sechdr;
  342. struct rxrpc_skb_priv *sp;
  343. struct blkcipher_desc desc;
  344. struct rxrpc_crypt iv;
  345. struct scatterlist _sg[4], *sg;
  346. struct sk_buff *trailer;
  347. u32 data_size, buf;
  348. u16 check;
  349. int nsg, ret;
  350. _enter(",{%d}", skb->len);
  351. sp = rxrpc_skb(skb);
  352. /* we want to decrypt the skbuff in-place */
  353. nsg = skb_cow_data(skb, 0, &trailer);
  354. if (nsg < 0)
  355. goto nomem;
  356. sg = _sg;
  357. if (unlikely(nsg > 4)) {
  358. sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO);
  359. if (!sg)
  360. goto nomem;
  361. }
  362. sg_init_table(sg, nsg);
  363. ret = skb_to_sgvec(skb, sg, 0, skb->len);
  364. if (unlikely(ret < 0)) {
  365. if (sg != _sg)
  366. kfree(sg);
  367. return ret;
  368. }
  369. /* decrypt from the session key */
  370. token = call->conn->key->payload.data[0];
  371. memcpy(&iv, token->kad->session_key, sizeof(iv));
  372. desc.tfm = call->conn->cipher;
  373. desc.info = iv.x;
  374. desc.flags = 0;
  375. crypto_blkcipher_decrypt_iv(&desc, sg, sg, skb->len);
  376. if (sg != _sg)
  377. kfree(sg);
  378. /* remove the decrypted packet length */
  379. if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0)
  380. goto datalen_error;
  381. if (!skb_pull(skb, sizeof(sechdr)))
  382. BUG();
  383. buf = ntohl(sechdr.data_size);
  384. data_size = buf & 0xffff;
  385. check = buf >> 16;
  386. check ^= ntohl(sp->hdr.seq ^ sp->hdr.callNumber);
  387. check &= 0xffff;
  388. if (check != 0) {
  389. *_abort_code = RXKADSEALEDINCON;
  390. goto protocol_error;
  391. }
  392. /* shorten the packet to remove the padding */
  393. if (data_size > skb->len)
  394. goto datalen_error;
  395. else if (data_size < skb->len)
  396. skb->len = data_size;
  397. _leave(" = 0 [dlen=%x]", data_size);
  398. return 0;
  399. datalen_error:
  400. *_abort_code = RXKADDATALEN;
  401. protocol_error:
  402. _leave(" = -EPROTO");
  403. return -EPROTO;
  404. nomem:
  405. _leave(" = -ENOMEM");
  406. return -ENOMEM;
  407. }
  408. /*
  409. * verify the security on a received packet
  410. */
  411. static int rxkad_verify_packet(const struct rxrpc_call *call,
  412. struct sk_buff *skb,
  413. u32 *_abort_code)
  414. {
  415. struct blkcipher_desc desc;
  416. struct rxrpc_skb_priv *sp;
  417. struct rxrpc_crypt iv;
  418. struct scatterlist sg[2];
  419. struct {
  420. __be32 x[2];
  421. } tmpbuf __attribute__((aligned(8))); /* must all be in same page */
  422. __be32 x;
  423. __be16 cksum;
  424. u32 y;
  425. int ret;
  426. sp = rxrpc_skb(skb);
  427. _enter("{%d{%x}},{#%u}",
  428. call->debug_id, key_serial(call->conn->key),
  429. ntohl(sp->hdr.seq));
  430. if (!call->conn->cipher)
  431. return 0;
  432. if (sp->hdr.securityIndex != RXRPC_SECURITY_RXKAD) {
  433. *_abort_code = RXKADINCONSISTENCY;
  434. _leave(" = -EPROTO [not rxkad]");
  435. return -EPROTO;
  436. }
  437. /* continue encrypting from where we left off */
  438. memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
  439. desc.tfm = call->conn->cipher;
  440. desc.info = iv.x;
  441. desc.flags = 0;
  442. /* validate the security checksum */
  443. x = htonl(call->channel << (32 - RXRPC_CIDSHIFT));
  444. x |= sp->hdr.seq & cpu_to_be32(0x3fffffff);
  445. tmpbuf.x[0] = call->call_id;
  446. tmpbuf.x[1] = x;
  447. sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf));
  448. sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf));
  449. crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf));
  450. y = ntohl(tmpbuf.x[1]);
  451. y = (y >> 16) & 0xffff;
  452. if (y == 0)
  453. y = 1; /* zero checksums are not permitted */
  454. cksum = htons(y);
  455. if (sp->hdr.cksum != cksum) {
  456. *_abort_code = RXKADSEALEDINCON;
  457. _leave(" = -EPROTO [csum failed]");
  458. return -EPROTO;
  459. }
  460. switch (call->conn->security_level) {
  461. case RXRPC_SECURITY_PLAIN:
  462. ret = 0;
  463. break;
  464. case RXRPC_SECURITY_AUTH:
  465. ret = rxkad_verify_packet_auth(call, skb, _abort_code);
  466. break;
  467. case RXRPC_SECURITY_ENCRYPT:
  468. ret = rxkad_verify_packet_encrypt(call, skb, _abort_code);
  469. break;
  470. default:
  471. ret = -ENOANO;
  472. break;
  473. }
  474. _leave(" = %d", ret);
  475. return ret;
  476. }
  477. /*
  478. * issue a challenge
  479. */
  480. static int rxkad_issue_challenge(struct rxrpc_connection *conn)
  481. {
  482. struct rxkad_challenge challenge;
  483. struct rxrpc_header hdr;
  484. struct msghdr msg;
  485. struct kvec iov[2];
  486. size_t len;
  487. int ret;
  488. _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
  489. ret = key_validate(conn->key);
  490. if (ret < 0)
  491. return ret;
  492. get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
  493. challenge.version = htonl(2);
  494. challenge.nonce = htonl(conn->security_nonce);
  495. challenge.min_level = htonl(0);
  496. challenge.__padding = 0;
  497. msg.msg_name = &conn->trans->peer->srx.transport.sin;
  498. msg.msg_namelen = sizeof(conn->trans->peer->srx.transport.sin);
  499. msg.msg_control = NULL;
  500. msg.msg_controllen = 0;
  501. msg.msg_flags = 0;
  502. hdr.epoch = conn->epoch;
  503. hdr.cid = conn->cid;
  504. hdr.callNumber = 0;
  505. hdr.seq = 0;
  506. hdr.type = RXRPC_PACKET_TYPE_CHALLENGE;
  507. hdr.flags = conn->out_clientflag;
  508. hdr.userStatus = 0;
  509. hdr.securityIndex = conn->security_ix;
  510. hdr._rsvd = 0;
  511. hdr.serviceId = conn->service_id;
  512. iov[0].iov_base = &hdr;
  513. iov[0].iov_len = sizeof(hdr);
  514. iov[1].iov_base = &challenge;
  515. iov[1].iov_len = sizeof(challenge);
  516. len = iov[0].iov_len + iov[1].iov_len;
  517. hdr.serial = htonl(atomic_inc_return(&conn->serial));
  518. _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial));
  519. ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
  520. if (ret < 0) {
  521. _debug("sendmsg failed: %d", ret);
  522. return -EAGAIN;
  523. }
  524. _leave(" = 0");
  525. return 0;
  526. }
  527. /*
  528. * send a Kerberos security response
  529. */
  530. static int rxkad_send_response(struct rxrpc_connection *conn,
  531. struct rxrpc_header *hdr,
  532. struct rxkad_response *resp,
  533. const struct rxkad_key *s2)
  534. {
  535. struct msghdr msg;
  536. struct kvec iov[3];
  537. size_t len;
  538. int ret;
  539. _enter("");
  540. msg.msg_name = &conn->trans->peer->srx.transport.sin;
  541. msg.msg_namelen = sizeof(conn->trans->peer->srx.transport.sin);
  542. msg.msg_control = NULL;
  543. msg.msg_controllen = 0;
  544. msg.msg_flags = 0;
  545. hdr->epoch = conn->epoch;
  546. hdr->seq = 0;
  547. hdr->type = RXRPC_PACKET_TYPE_RESPONSE;
  548. hdr->flags = conn->out_clientflag;
  549. hdr->userStatus = 0;
  550. hdr->_rsvd = 0;
  551. iov[0].iov_base = hdr;
  552. iov[0].iov_len = sizeof(*hdr);
  553. iov[1].iov_base = resp;
  554. iov[1].iov_len = sizeof(*resp);
  555. iov[2].iov_base = (void *) s2->ticket;
  556. iov[2].iov_len = s2->ticket_len;
  557. len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
  558. hdr->serial = htonl(atomic_inc_return(&conn->serial));
  559. _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
  560. ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
  561. if (ret < 0) {
  562. _debug("sendmsg failed: %d", ret);
  563. return -EAGAIN;
  564. }
  565. _leave(" = 0");
  566. return 0;
  567. }
  568. /*
  569. * calculate the response checksum
  570. */
  571. static void rxkad_calc_response_checksum(struct rxkad_response *response)
  572. {
  573. u32 csum = 1000003;
  574. int loop;
  575. u8 *p = (u8 *) response;
  576. for (loop = sizeof(*response); loop > 0; loop--)
  577. csum = csum * 0x10204081 + *p++;
  578. response->encrypted.checksum = htonl(csum);
  579. }
  580. /*
  581. * load a scatterlist with a potentially split-page buffer
  582. */
  583. static void rxkad_sg_set_buf2(struct scatterlist sg[2],
  584. void *buf, size_t buflen)
  585. {
  586. int nsg = 1;
  587. sg_init_table(sg, 2);
  588. sg_set_buf(&sg[0], buf, buflen);
  589. if (sg[0].offset + buflen > PAGE_SIZE) {
  590. /* the buffer was split over two pages */
  591. sg[0].length = PAGE_SIZE - sg[0].offset;
  592. sg_set_buf(&sg[1], buf + sg[0].length, buflen - sg[0].length);
  593. nsg++;
  594. }
  595. sg_mark_end(&sg[nsg - 1]);
  596. ASSERTCMP(sg[0].length + sg[1].length, ==, buflen);
  597. }
  598. /*
  599. * encrypt the response packet
  600. */
  601. static void rxkad_encrypt_response(struct rxrpc_connection *conn,
  602. struct rxkad_response *resp,
  603. const struct rxkad_key *s2)
  604. {
  605. struct blkcipher_desc desc;
  606. struct rxrpc_crypt iv;
  607. struct scatterlist sg[2];
  608. /* continue encrypting from where we left off */
  609. memcpy(&iv, s2->session_key, sizeof(iv));
  610. desc.tfm = conn->cipher;
  611. desc.info = iv.x;
  612. desc.flags = 0;
  613. rxkad_sg_set_buf2(sg, &resp->encrypted, sizeof(resp->encrypted));
  614. crypto_blkcipher_encrypt_iv(&desc, sg, sg, sizeof(resp->encrypted));
  615. }
  616. /*
  617. * respond to a challenge packet
  618. */
  619. static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
  620. struct sk_buff *skb,
  621. u32 *_abort_code)
  622. {
  623. const struct rxrpc_key_token *token;
  624. struct rxkad_challenge challenge;
  625. struct rxkad_response resp
  626. __attribute__((aligned(8))); /* must be aligned for crypto */
  627. struct rxrpc_skb_priv *sp;
  628. u32 version, nonce, min_level, abort_code;
  629. int ret;
  630. _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
  631. if (!conn->key) {
  632. _leave(" = -EPROTO [no key]");
  633. return -EPROTO;
  634. }
  635. ret = key_validate(conn->key);
  636. if (ret < 0) {
  637. *_abort_code = RXKADEXPIRED;
  638. return ret;
  639. }
  640. abort_code = RXKADPACKETSHORT;
  641. sp = rxrpc_skb(skb);
  642. if (skb_copy_bits(skb, 0, &challenge, sizeof(challenge)) < 0)
  643. goto protocol_error;
  644. version = ntohl(challenge.version);
  645. nonce = ntohl(challenge.nonce);
  646. min_level = ntohl(challenge.min_level);
  647. _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
  648. ntohl(sp->hdr.serial), version, nonce, min_level);
  649. abort_code = RXKADINCONSISTENCY;
  650. if (version != RXKAD_VERSION)
  651. goto protocol_error;
  652. abort_code = RXKADLEVELFAIL;
  653. if (conn->security_level < min_level)
  654. goto protocol_error;
  655. token = conn->key->payload.data[0];
  656. /* build the response packet */
  657. memset(&resp, 0, sizeof(resp));
  658. resp.version = RXKAD_VERSION;
  659. resp.encrypted.epoch = conn->epoch;
  660. resp.encrypted.cid = conn->cid;
  661. resp.encrypted.securityIndex = htonl(conn->security_ix);
  662. resp.encrypted.call_id[0] =
  663. (conn->channels[0] ? conn->channels[0]->call_id : 0);
  664. resp.encrypted.call_id[1] =
  665. (conn->channels[1] ? conn->channels[1]->call_id : 0);
  666. resp.encrypted.call_id[2] =
  667. (conn->channels[2] ? conn->channels[2]->call_id : 0);
  668. resp.encrypted.call_id[3] =
  669. (conn->channels[3] ? conn->channels[3]->call_id : 0);
  670. resp.encrypted.inc_nonce = htonl(nonce + 1);
  671. resp.encrypted.level = htonl(conn->security_level);
  672. resp.kvno = htonl(token->kad->kvno);
  673. resp.ticket_len = htonl(token->kad->ticket_len);
  674. /* calculate the response checksum and then do the encryption */
  675. rxkad_calc_response_checksum(&resp);
  676. rxkad_encrypt_response(conn, &resp, token->kad);
  677. return rxkad_send_response(conn, &sp->hdr, &resp, token->kad);
  678. protocol_error:
  679. *_abort_code = abort_code;
  680. _leave(" = -EPROTO [%d]", abort_code);
  681. return -EPROTO;
  682. }
  683. /*
  684. * decrypt the kerberos IV ticket in the response
  685. */
  686. static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
  687. void *ticket, size_t ticket_len,
  688. struct rxrpc_crypt *_session_key,
  689. time_t *_expiry,
  690. u32 *_abort_code)
  691. {
  692. struct blkcipher_desc desc;
  693. struct rxrpc_crypt iv, key;
  694. struct scatterlist sg[1];
  695. struct in_addr addr;
  696. unsigned int life;
  697. time_t issue, now;
  698. bool little_endian;
  699. int ret;
  700. u8 *p, *q, *name, *end;
  701. _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
  702. *_expiry = 0;
  703. ret = key_validate(conn->server_key);
  704. if (ret < 0) {
  705. switch (ret) {
  706. case -EKEYEXPIRED:
  707. *_abort_code = RXKADEXPIRED;
  708. goto error;
  709. default:
  710. *_abort_code = RXKADNOAUTH;
  711. goto error;
  712. }
  713. }
  714. ASSERT(conn->server_key->payload.data[0] != NULL);
  715. ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
  716. memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
  717. desc.tfm = conn->server_key->payload.data[0];
  718. desc.info = iv.x;
  719. desc.flags = 0;
  720. sg_init_one(&sg[0], ticket, ticket_len);
  721. crypto_blkcipher_decrypt_iv(&desc, sg, sg, ticket_len);
  722. p = ticket;
  723. end = p + ticket_len;
  724. #define Z(size) \
  725. ({ \
  726. u8 *__str = p; \
  727. q = memchr(p, 0, end - p); \
  728. if (!q || q - p > (size)) \
  729. goto bad_ticket; \
  730. for (; p < q; p++) \
  731. if (!isprint(*p)) \
  732. goto bad_ticket; \
  733. p++; \
  734. __str; \
  735. })
  736. /* extract the ticket flags */
  737. _debug("KIV FLAGS: %x", *p);
  738. little_endian = *p & 1;
  739. p++;
  740. /* extract the authentication name */
  741. name = Z(ANAME_SZ);
  742. _debug("KIV ANAME: %s", name);
  743. /* extract the principal's instance */
  744. name = Z(INST_SZ);
  745. _debug("KIV INST : %s", name);
  746. /* extract the principal's authentication domain */
  747. name = Z(REALM_SZ);
  748. _debug("KIV REALM: %s", name);
  749. if (end - p < 4 + 8 + 4 + 2)
  750. goto bad_ticket;
  751. /* get the IPv4 address of the entity that requested the ticket */
  752. memcpy(&addr, p, sizeof(addr));
  753. p += 4;
  754. _debug("KIV ADDR : %pI4", &addr);
  755. /* get the session key from the ticket */
  756. memcpy(&key, p, sizeof(key));
  757. p += 8;
  758. _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
  759. memcpy(_session_key, &key, sizeof(key));
  760. /* get the ticket's lifetime */
  761. life = *p++ * 5 * 60;
  762. _debug("KIV LIFE : %u", life);
  763. /* get the issue time of the ticket */
  764. if (little_endian) {
  765. __le32 stamp;
  766. memcpy(&stamp, p, 4);
  767. issue = le32_to_cpu(stamp);
  768. } else {
  769. __be32 stamp;
  770. memcpy(&stamp, p, 4);
  771. issue = be32_to_cpu(stamp);
  772. }
  773. p += 4;
  774. now = get_seconds();
  775. _debug("KIV ISSUE: %lx [%lx]", issue, now);
  776. /* check the ticket is in date */
  777. if (issue > now) {
  778. *_abort_code = RXKADNOAUTH;
  779. ret = -EKEYREJECTED;
  780. goto error;
  781. }
  782. if (issue < now - life) {
  783. *_abort_code = RXKADEXPIRED;
  784. ret = -EKEYEXPIRED;
  785. goto error;
  786. }
  787. *_expiry = issue + life;
  788. /* get the service name */
  789. name = Z(SNAME_SZ);
  790. _debug("KIV SNAME: %s", name);
  791. /* get the service instance name */
  792. name = Z(INST_SZ);
  793. _debug("KIV SINST: %s", name);
  794. ret = 0;
  795. error:
  796. _leave(" = %d", ret);
  797. return ret;
  798. bad_ticket:
  799. *_abort_code = RXKADBADTICKET;
  800. ret = -EBADMSG;
  801. goto error;
  802. }
  803. /*
  804. * decrypt the response packet
  805. */
  806. static void rxkad_decrypt_response(struct rxrpc_connection *conn,
  807. struct rxkad_response *resp,
  808. const struct rxrpc_crypt *session_key)
  809. {
  810. struct blkcipher_desc desc;
  811. struct scatterlist sg[2];
  812. struct rxrpc_crypt iv;
  813. _enter(",,%08x%08x",
  814. ntohl(session_key->n[0]), ntohl(session_key->n[1]));
  815. ASSERT(rxkad_ci != NULL);
  816. mutex_lock(&rxkad_ci_mutex);
  817. if (crypto_blkcipher_setkey(rxkad_ci, session_key->x,
  818. sizeof(*session_key)) < 0)
  819. BUG();
  820. memcpy(&iv, session_key, sizeof(iv));
  821. desc.tfm = rxkad_ci;
  822. desc.info = iv.x;
  823. desc.flags = 0;
  824. rxkad_sg_set_buf2(sg, &resp->encrypted, sizeof(resp->encrypted));
  825. crypto_blkcipher_decrypt_iv(&desc, sg, sg, sizeof(resp->encrypted));
  826. mutex_unlock(&rxkad_ci_mutex);
  827. _leave("");
  828. }
  829. /*
  830. * verify a response
  831. */
  832. static int rxkad_verify_response(struct rxrpc_connection *conn,
  833. struct sk_buff *skb,
  834. u32 *_abort_code)
  835. {
  836. struct rxkad_response response
  837. __attribute__((aligned(8))); /* must be aligned for crypto */
  838. struct rxrpc_skb_priv *sp;
  839. struct rxrpc_crypt session_key;
  840. time_t expiry;
  841. void *ticket;
  842. u32 abort_code, version, kvno, ticket_len, level;
  843. __be32 csum;
  844. int ret;
  845. _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
  846. abort_code = RXKADPACKETSHORT;
  847. if (skb_copy_bits(skb, 0, &response, sizeof(response)) < 0)
  848. goto protocol_error;
  849. if (!pskb_pull(skb, sizeof(response)))
  850. BUG();
  851. version = ntohl(response.version);
  852. ticket_len = ntohl(response.ticket_len);
  853. kvno = ntohl(response.kvno);
  854. sp = rxrpc_skb(skb);
  855. _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
  856. ntohl(sp->hdr.serial), version, kvno, ticket_len);
  857. abort_code = RXKADINCONSISTENCY;
  858. if (version != RXKAD_VERSION)
  859. goto protocol_error;
  860. abort_code = RXKADTICKETLEN;
  861. if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
  862. goto protocol_error;
  863. abort_code = RXKADUNKNOWNKEY;
  864. if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
  865. goto protocol_error;
  866. /* extract the kerberos ticket and decrypt and decode it */
  867. ticket = kmalloc(ticket_len, GFP_NOFS);
  868. if (!ticket)
  869. return -ENOMEM;
  870. abort_code = RXKADPACKETSHORT;
  871. if (skb_copy_bits(skb, 0, ticket, ticket_len) < 0)
  872. goto protocol_error_free;
  873. ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key,
  874. &expiry, &abort_code);
  875. if (ret < 0) {
  876. *_abort_code = abort_code;
  877. kfree(ticket);
  878. return ret;
  879. }
  880. /* use the session key from inside the ticket to decrypt the
  881. * response */
  882. rxkad_decrypt_response(conn, &response, &session_key);
  883. abort_code = RXKADSEALEDINCON;
  884. if (response.encrypted.epoch != conn->epoch)
  885. goto protocol_error_free;
  886. if (response.encrypted.cid != conn->cid)
  887. goto protocol_error_free;
  888. if (ntohl(response.encrypted.securityIndex) != conn->security_ix)
  889. goto protocol_error_free;
  890. csum = response.encrypted.checksum;
  891. response.encrypted.checksum = 0;
  892. rxkad_calc_response_checksum(&response);
  893. if (response.encrypted.checksum != csum)
  894. goto protocol_error_free;
  895. if (ntohl(response.encrypted.call_id[0]) > INT_MAX ||
  896. ntohl(response.encrypted.call_id[1]) > INT_MAX ||
  897. ntohl(response.encrypted.call_id[2]) > INT_MAX ||
  898. ntohl(response.encrypted.call_id[3]) > INT_MAX)
  899. goto protocol_error_free;
  900. abort_code = RXKADOUTOFSEQUENCE;
  901. if (response.encrypted.inc_nonce != htonl(conn->security_nonce + 1))
  902. goto protocol_error_free;
  903. abort_code = RXKADLEVELFAIL;
  904. level = ntohl(response.encrypted.level);
  905. if (level > RXRPC_SECURITY_ENCRYPT)
  906. goto protocol_error_free;
  907. conn->security_level = level;
  908. /* create a key to hold the security data and expiration time - after
  909. * this the connection security can be handled in exactly the same way
  910. * as for a client connection */
  911. ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
  912. if (ret < 0) {
  913. kfree(ticket);
  914. return ret;
  915. }
  916. kfree(ticket);
  917. _leave(" = 0");
  918. return 0;
  919. protocol_error_free:
  920. kfree(ticket);
  921. protocol_error:
  922. *_abort_code = abort_code;
  923. _leave(" = -EPROTO [%d]", abort_code);
  924. return -EPROTO;
  925. }
  926. /*
  927. * clear the connection security
  928. */
  929. static void rxkad_clear(struct rxrpc_connection *conn)
  930. {
  931. _enter("");
  932. if (conn->cipher)
  933. crypto_free_blkcipher(conn->cipher);
  934. }
  935. /*
  936. * RxRPC Kerberos-based security
  937. */
  938. static struct rxrpc_security rxkad = {
  939. .owner = THIS_MODULE,
  940. .name = "rxkad",
  941. .security_index = RXRPC_SECURITY_RXKAD,
  942. .init_connection_security = rxkad_init_connection_security,
  943. .prime_packet_security = rxkad_prime_packet_security,
  944. .secure_packet = rxkad_secure_packet,
  945. .verify_packet = rxkad_verify_packet,
  946. .issue_challenge = rxkad_issue_challenge,
  947. .respond_to_challenge = rxkad_respond_to_challenge,
  948. .verify_response = rxkad_verify_response,
  949. .clear = rxkad_clear,
  950. };
  951. static __init int rxkad_init(void)
  952. {
  953. _enter("");
  954. /* pin the cipher we need so that the crypto layer doesn't invoke
  955. * keventd to go get it */
  956. rxkad_ci = crypto_alloc_blkcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
  957. if (IS_ERR(rxkad_ci))
  958. return PTR_ERR(rxkad_ci);
  959. return rxrpc_register_security(&rxkad);
  960. }
  961. module_init(rxkad_init);
  962. static __exit void rxkad_exit(void)
  963. {
  964. _enter("");
  965. rxrpc_unregister_security(&rxkad);
  966. crypto_free_blkcipher(rxkad_ci);
  967. }
  968. module_exit(rxkad_exit);