LXR linux/net/rxrpc/rxkad.c

   1/* Kerberos-based RxRPC security
   2 *
   3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
   4 * Written by David Howells (dhowells@redhat.com)
   5 *
   6 * This program is free software; you can redistribute it and/or
   7 * modify it under the terms of the GNU General Public License
   8 * as published by the Free Software Foundation; either version
   9 * 2 of the License, or (at your option) any later version.
  10 */
  11
  12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  13
  14#include <crypto/skcipher.h>
  15#include <linux/module.h>
  16#include <linux/net.h>
  17#include <linux/skbuff.h>
  18#include <linux/udp.h>
  19#include <linux/scatterlist.h>
  20#include <linux/ctype.h>
  21#include <linux/slab.h>
  22#include <net/sock.h>
  23#include <net/af_rxrpc.h>
  24#include <keys/rxrpc-type.h>
  25#include "ar-internal.h"
  26
  27#define RXKAD_VERSION                   2
  28#define MAXKRB5TICKETLEN                1024
  29#define RXKAD_TKT_TYPE_KERBEROS_V5      256
  30#define ANAME_SZ                        40      /* size of authentication name */
  31#define INST_SZ                         40      /* size of principal's instance */
  32#define REALM_SZ                        40      /* size of principal's auth domain */
  33#define SNAME_SZ                        40      /* size of service name */
  34
  35struct rxkad_level1_hdr {
  36        __be32  data_size;      /* true data size (excluding padding) */
  37};
  38
  39struct rxkad_level2_hdr {
  40        __be32  data_size;      /* true data size (excluding padding) */
  41        __be32  checksum;       /* decrypted data checksum */
  42};
  43
  44/*
  45 * this holds a pinned cipher so that keventd doesn't get called by the cipher
  46 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
  47 * packets
  48 */
  49static struct crypto_skcipher *rxkad_ci;
  50static DEFINE_MUTEX(rxkad_ci_mutex);
  51
  52/*
  53 * initialise connection security
  54 */
  55static int rxkad_init_connection_security(struct rxrpc_connection *conn)
  56{
  57        struct crypto_skcipher *ci;
  58        struct rxrpc_key_token *token;
  59        int ret;
  60
  61        _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
  62
  63        token = conn->params.key->payload.data[0];
  64        conn->security_ix = token->security_index;
  65
  66        ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
  67        if (IS_ERR(ci)) {
  68                _debug("no cipher");
  69                ret = PTR_ERR(ci);
  70                goto error;
  71        }
  72
  73        if (crypto_skcipher_setkey(ci, token->kad->session_key,
  74                                   sizeof(token->kad->session_key)) < 0)
  75                BUG();
  76
  77        switch (conn->params.security_level) {
  78        case RXRPC_SECURITY_PLAIN:
  79                break;
  80        case RXRPC_SECURITY_AUTH:
  81                conn->size_align = 8;
  82                conn->security_size = sizeof(struct rxkad_level1_hdr);
  83                break;
  84        case RXRPC_SECURITY_ENCRYPT:
  85                conn->size_align = 8;
  86                conn->security_size = sizeof(struct rxkad_level2_hdr);
  87                break;
  88        default:
  89                ret = -EKEYREJECTED;
  90                goto error;
  91        }
  92
  93        conn->cipher = ci;
  94        ret = 0;
  95error:
  96        _leave(" = %d", ret);
  97        return ret;
  98}
  99
 100/*
 101 * prime the encryption state with the invariant parts of a connection's
 102 * description
 103 */
 104static int rxkad_prime_packet_security(struct rxrpc_connection *conn)
 105{
 106        struct rxrpc_key_token *token;
 107        SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
 108        struct scatterlist sg;
 109        struct rxrpc_crypt iv;
 110        __be32 *tmpbuf;
 111        size_t tmpsize = 4 * sizeof(__be32);
 112
 113        _enter("");
 114
 115        if (!conn->params.key)
 116                return 0;
 117
 118        tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
 119        if (!tmpbuf)
 120                return -ENOMEM;
 121
 122        token = conn->params.key->payload.data[0];
 123        memcpy(&iv, token->kad->session_key, sizeof(iv));
 124
 125        tmpbuf[0] = htonl(conn->proto.epoch);
 126        tmpbuf[1] = htonl(conn->proto.cid);
 127        tmpbuf[2] = 0;
 128        tmpbuf[3] = htonl(conn->security_ix);
 129
 130        sg_init_one(&sg, tmpbuf, tmpsize);
 131        skcipher_request_set_tfm(req, conn->cipher);
 132        skcipher_request_set_callback(req, 0, NULL, NULL);
 133        skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
 134        crypto_skcipher_encrypt(req);
 135        skcipher_request_zero(req);
 136
 137        memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv));
 138        kfree(tmpbuf);
 139        _leave(" = 0");
 140        return 0;
 141}
 142
 143/*
 144 * partially encrypt a packet (level 1 security)
 145 */
 146static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
 147                                    struct sk_buff *skb,
 148                                    u32 data_size,
 149                                    void *sechdr)
 150{
 151        struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 152        SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
 153        struct rxkad_level1_hdr hdr;
 154        struct rxrpc_crypt iv;
 155        struct scatterlist sg;
 156        u16 check;
 157
 158        _enter("");
 159
 160        check = sp->hdr.seq ^ call->call_id;
 161        data_size |= (u32)check << 16;
 162
 163        hdr.data_size = htonl(data_size);
 164        memcpy(sechdr, &hdr, sizeof(hdr));
 165
 166        /* start the encryption afresh */
 167        memset(&iv, 0, sizeof(iv));
 168
 169        sg_init_one(&sg, sechdr, 8);
 170        skcipher_request_set_tfm(req, call->conn->cipher);
 171        skcipher_request_set_callback(req, 0, NULL, NULL);
 172        skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
 173        crypto_skcipher_encrypt(req);
 174        skcipher_request_zero(req);
 175
 176        _leave(" = 0");
 177        return 0;
 178}
 179
 180/*
 181 * wholly encrypt a packet (level 2 security)
 182 */
 183static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
 184                                       struct sk_buff *skb,
 185                                       u32 data_size,
 186                                       void *sechdr)
 187{
 188        const struct rxrpc_key_token *token;
 189        struct rxkad_level2_hdr rxkhdr;
 190        struct rxrpc_skb_priv *sp;
 191        SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
 192        struct rxrpc_crypt iv;
 193        struct scatterlist sg[16];
 194        struct sk_buff *trailer;
 195        unsigned int len;
 196        u16 check;
 197        int nsg;
 198        int err;
 199
 200        sp = rxrpc_skb(skb);
 201
 202        _enter("");
 203
 204        check = sp->hdr.seq ^ call->call_id;
 205
 206        rxkhdr.data_size = htonl(data_size | (u32)check << 16);
 207        rxkhdr.checksum = 0;
 208        memcpy(sechdr, &rxkhdr, sizeof(rxkhdr));
 209
 210        /* encrypt from the session key */
 211        token = call->conn->params.key->payload.data[0];
 212        memcpy(&iv, token->kad->session_key, sizeof(iv));
 213
 214        sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
 215        skcipher_request_set_tfm(req, call->conn->cipher);
 216        skcipher_request_set_callback(req, 0, NULL, NULL);
 217        skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
 218        crypto_skcipher_encrypt(req);
 219
 220        /* we want to encrypt the skbuff in-place */
 221        nsg = skb_cow_data(skb, 0, &trailer);
 222        err = -ENOMEM;
 223        if (nsg < 0 || nsg > 16)
 224                goto out;
 225
 226        len = data_size + call->conn->size_align - 1;
 227        len &= ~(call->conn->size_align - 1);
 228
 229        sg_init_table(sg, nsg);
 230        err = skb_to_sgvec(skb, sg, 0, len);
 231        if (unlikely(err < 0))
 232                goto out;
 233        skcipher_request_set_crypt(req, sg, sg, len, iv.x);
 234        crypto_skcipher_encrypt(req);
 235
 236        _leave(" = 0");
 237        err = 0;
 238
 239out:
 240        skcipher_request_zero(req);
 241        return err;
 242}
 243
 244/*
 245 * checksum an RxRPC packet header
 246 */
 247static int rxkad_secure_packet(struct rxrpc_call *call,
 248                               struct sk_buff *skb,
 249                               size_t data_size,
 250                               void *sechdr)
 251{
 252        struct rxrpc_skb_priv *sp;
 253        SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
 254        struct rxrpc_crypt iv;
 255        struct scatterlist sg;
 256        u32 x, y;
 257        int ret;
 258
 259        sp = rxrpc_skb(skb);
 260
 261        _enter("{%d{%x}},{#%u},%zu,",
 262               call->debug_id, key_serial(call->conn->params.key),
 263               sp->hdr.seq, data_size);
 264
 265        if (!call->conn->cipher)
 266                return 0;
 267
 268        ret = key_validate(call->conn->params.key);
 269        if (ret < 0)
 270                return ret;
 271
 272        /* continue encrypting from where we left off */
 273        memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
 274
 275        /* calculate the security checksum */
 276        x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
 277        x |= sp->hdr.seq & 0x3fffffff;
 278        call->crypto_buf[0] = htonl(call->call_id);
 279        call->crypto_buf[1] = htonl(x);
 280
 281        sg_init_one(&sg, call->crypto_buf, 8);
 282        skcipher_request_set_tfm(req, call->conn->cipher);
 283        skcipher_request_set_callback(req, 0, NULL, NULL);
 284        skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
 285        crypto_skcipher_encrypt(req);
 286        skcipher_request_zero(req);
 287
 288        y = ntohl(call->crypto_buf[1]);
 289        y = (y >> 16) & 0xffff;
 290        if (y == 0)
 291                y = 1; /* zero checksums are not permitted */
 292        sp->hdr.cksum = y;
 293
 294        switch (call->conn->params.security_level) {
 295        case RXRPC_SECURITY_PLAIN:
 296                ret = 0;
 297                break;
 298        case RXRPC_SECURITY_AUTH:
 299                ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr);
 300                break;
 301        case RXRPC_SECURITY_ENCRYPT:
 302                ret = rxkad_secure_packet_encrypt(call, skb, data_size,
 303                                                  sechdr);
 304                break;
 305        default:
 306                ret = -EPERM;
 307                break;
 308        }
 309
 310        _leave(" = %d [set %hx]", ret, y);
 311        return ret;
 312}
 313
 314/*
 315 * decrypt partial encryption on a packet (level 1 security)
 316 */
 317static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
 318                                 unsigned int offset, unsigned int len,
 319                                 rxrpc_seq_t seq)
 320{
 321        struct rxkad_level1_hdr sechdr;
 322        SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
 323        struct rxrpc_crypt iv;
 324        struct scatterlist sg[16];
 325        struct sk_buff *trailer;
 326        bool aborted;
 327        u32 data_size, buf;
 328        u16 check;
 329        int nsg, ret;
 330
 331        _enter("");
 332
 333        if (len < 8) {
 334                aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_hdr", "V1H",
 335                                           RXKADSEALEDINCON);
 336                goto protocol_error;
 337        }
 338
 339        /* Decrypt the skbuff in-place.  TODO: We really want to decrypt
 340         * directly into the target buffer.
 341         */
 342        nsg = skb_cow_data(skb, 0, &trailer);
 343        if (nsg < 0 || nsg > 16)
 344                goto nomem;
 345
 346        sg_init_table(sg, nsg);
 347        ret = skb_to_sgvec(skb, sg, offset, 8);
 348        if (unlikely(ret < 0))
 349                return ret;
 350
 351        /* start the decryption afresh */
 352        memset(&iv, 0, sizeof(iv));
 353
 354        skcipher_request_set_tfm(req, call->conn->cipher);
 355        skcipher_request_set_callback(req, 0, NULL, NULL);
 356        skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
 357        crypto_skcipher_decrypt(req);
 358        skcipher_request_zero(req);
 359
 360        /* Extract the decrypted packet length */
 361        if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
 362                aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_len", "XV1",
 363                                             RXKADDATALEN);
 364                goto protocol_error;
 365        }
 366        offset += sizeof(sechdr);
 367        len -= sizeof(sechdr);
 368
 369        buf = ntohl(sechdr.data_size);
 370        data_size = buf & 0xffff;
 371
 372        check = buf >> 16;
 373        check ^= seq ^ call->call_id;
 374        check &= 0xffff;
 375        if (check != 0) {
 376                aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_check", "V1C",
 377                                             RXKADSEALEDINCON);
 378                goto protocol_error;
 379        }
 380
 381        if (data_size > len) {
 382                aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_datalen", "V1L",
 383                                             RXKADDATALEN);
 384                goto protocol_error;
 385        }
 386
 387        _leave(" = 0 [dlen=%x]", data_size);
 388        return 0;
 389
 390protocol_error:
 391        if (aborted)
 392                rxrpc_send_abort_packet(call);
 393        return -EPROTO;
 394
 395nomem:
 396        _leave(" = -ENOMEM");
 397        return -ENOMEM;
 398}
 399
 400/*
 401 * wholly decrypt a packet (level 2 security)
 402 */
 403static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
 404                                 unsigned int offset, unsigned int len,
 405                                 rxrpc_seq_t seq)
 406{
 407        const struct rxrpc_key_token *token;
 408        struct rxkad_level2_hdr sechdr;
 409        SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
 410        struct rxrpc_crypt iv;
 411        struct scatterlist _sg[4], *sg;
 412        struct sk_buff *trailer;
 413        bool aborted;
 414        u32 data_size, buf;
 415        u16 check;
 416        int nsg, ret;
 417
 418        _enter(",{%d}", skb->len);
 419
 420        if (len < 8) {
 421                aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_hdr", "V2H",
 422                                             RXKADSEALEDINCON);
 423                goto protocol_error;
 424        }
 425
 426        /* Decrypt the skbuff in-place.  TODO: We really want to decrypt
 427         * directly into the target buffer.
 428         */
 429        nsg = skb_cow_data(skb, 0, &trailer);
 430        if (nsg < 0)
 431                goto nomem;
 432
 433        sg = _sg;
 434        if (unlikely(nsg > 4)) {
 435                sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO);
 436                if (!sg)
 437                        goto nomem;
 438        }
 439
 440        sg_init_table(sg, nsg);
 441        ret = skb_to_sgvec(skb, sg, offset, len);
 442        if (unlikely(ret < 0)) {
 443                if (sg != _sg)
 444                        kfree(sg);
 445                return ret;
 446        }
 447
 448        /* decrypt from the session key */
 449        token = call->conn->params.key->payload.data[0];
 450        memcpy(&iv, token->kad->session_key, sizeof(iv));
 451
 452        skcipher_request_set_tfm(req, call->conn->cipher);
 453        skcipher_request_set_callback(req, 0, NULL, NULL);
 454        skcipher_request_set_crypt(req, sg, sg, len, iv.x);
 455        crypto_skcipher_decrypt(req);
 456        skcipher_request_zero(req);
 457        if (sg != _sg)
 458                kfree(sg);
 459
 460        /* Extract the decrypted packet length */
 461        if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
 462                aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_len", "XV2",
 463                                             RXKADDATALEN);
 464                goto protocol_error;
 465        }
 466        offset += sizeof(sechdr);
 467        len -= sizeof(sechdr);
 468
 469        buf = ntohl(sechdr.data_size);
 470        data_size = buf & 0xffff;
 471
 472        check = buf >> 16;
 473        check ^= seq ^ call->call_id;
 474        check &= 0xffff;
 475        if (check != 0) {
 476                aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_check", "V2C",
 477                                             RXKADSEALEDINCON);
 478                goto protocol_error;
 479        }
 480
 481        if (data_size > len) {
 482                aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_datalen", "V2L",
 483                                             RXKADDATALEN);
 484                goto protocol_error;
 485        }
 486
 487        _leave(" = 0 [dlen=%x]", data_size);
 488        return 0;
 489
 490protocol_error:
 491        if (aborted)
 492                rxrpc_send_abort_packet(call);
 493        return -EPROTO;
 494
 495nomem:
 496        _leave(" = -ENOMEM");
 497        return -ENOMEM;
 498}
 499
 500/*
 501 * Verify the security on a received packet or subpacket (if part of a
 502 * jumbo packet).
 503 */
 504static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb,
 505                               unsigned int offset, unsigned int len,
 506                               rxrpc_seq_t seq, u16 expected_cksum)
 507{
 508        SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
 509        struct rxrpc_crypt iv;
 510        struct scatterlist sg;
 511        bool aborted;
 512        u16 cksum;
 513        u32 x, y;
 514
 515        _enter("{%d{%x}},{#%u}",
 516               call->debug_id, key_serial(call->conn->params.key), seq);
 517
 518        if (!call->conn->cipher)
 519                return 0;
 520
 521        /* continue encrypting from where we left off */
 522        memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
 523
 524        /* validate the security checksum */
 525        x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
 526        x |= seq & 0x3fffffff;
 527        call->crypto_buf[0] = htonl(call->call_id);
 528        call->crypto_buf[1] = htonl(x);
 529
 530        sg_init_one(&sg, call->crypto_buf, 8);
 531        skcipher_request_set_tfm(req, call->conn->cipher);
 532        skcipher_request_set_callback(req, 0, NULL, NULL);
 533        skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
 534        crypto_skcipher_encrypt(req);
 535        skcipher_request_zero(req);
 536
 537        y = ntohl(call->crypto_buf[1]);
 538        cksum = (y >> 16) & 0xffff;
 539        if (cksum == 0)
 540                cksum = 1; /* zero checksums are not permitted */
 541
 542        if (cksum != expected_cksum) {
 543                aborted = rxrpc_abort_eproto(call, skb, "rxkad_csum", "VCK",
 544                                             RXKADSEALEDINCON);
 545                goto protocol_error;
 546        }
 547
 548        switch (call->conn->params.security_level) {
 549        case RXRPC_SECURITY_PLAIN:
 550                return 0;
 551        case RXRPC_SECURITY_AUTH:
 552                return rxkad_verify_packet_1(call, skb, offset, len, seq);
 553        case RXRPC_SECURITY_ENCRYPT:
 554                return rxkad_verify_packet_2(call, skb, offset, len, seq);
 555        default:
 556                return -ENOANO;
 557        }
 558
 559protocol_error:
 560        if (aborted)
 561                rxrpc_send_abort_packet(call);
 562        return -EPROTO;
 563}
 564
 565/*
 566 * Locate the data contained in a packet that was partially encrypted.
 567 */
 568static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb,
 569                                unsigned int *_offset, unsigned int *_len)
 570{
 571        struct rxkad_level1_hdr sechdr;
 572
 573        if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
 574                BUG();
 575        *_offset += sizeof(sechdr);
 576        *_len = ntohl(sechdr.data_size) & 0xffff;
 577}
 578
 579/*
 580 * Locate the data contained in a packet that was completely encrypted.
 581 */
 582static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb,
 583                                unsigned int *_offset, unsigned int *_len)
 584{
 585        struct rxkad_level2_hdr sechdr;
 586
 587        if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
 588                BUG();
 589        *_offset += sizeof(sechdr);
 590        *_len = ntohl(sechdr.data_size) & 0xffff;
 591}
 592
 593/*
 594 * Locate the data contained in an already decrypted packet.
 595 */
 596static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb,
 597                              unsigned int *_offset, unsigned int *_len)
 598{
 599        switch (call->conn->params.security_level) {
 600        case RXRPC_SECURITY_AUTH:
 601                rxkad_locate_data_1(call, skb, _offset, _len);
 602                return;
 603        case RXRPC_SECURITY_ENCRYPT:
 604                rxkad_locate_data_2(call, skb, _offset, _len);
 605                return;
 606        default:
 607                return;
 608        }
 609}
 610
 611/*
 612 * issue a challenge
 613 */
 614static int rxkad_issue_challenge(struct rxrpc_connection *conn)
 615{
 616        struct rxkad_challenge challenge;
 617        struct rxrpc_wire_header whdr;
 618        struct msghdr msg;
 619        struct kvec iov[2];
 620        size_t len;
 621        u32 serial;
 622        int ret;
 623
 624        _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
 625
 626        ret = key_validate(conn->params.key);
 627        if (ret < 0)
 628                return ret;
 629
 630        get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
 631
 632        challenge.version       = htonl(2);
 633        challenge.nonce         = htonl(conn->security_nonce);
 634        challenge.min_level     = htonl(0);
 635        challenge.__padding     = 0;
 636
 637        msg.msg_name    = &conn->params.peer->srx.transport;
 638        msg.msg_namelen = conn->params.peer->srx.transport_len;
 639        msg.msg_control = NULL;
 640        msg.msg_controllen = 0;
 641        msg.msg_flags   = 0;
 642
 643        whdr.epoch      = htonl(conn->proto.epoch);
 644        whdr.cid        = htonl(conn->proto.cid);
 645        whdr.callNumber = 0;
 646        whdr.seq        = 0;
 647        whdr.type       = RXRPC_PACKET_TYPE_CHALLENGE;
 648        whdr.flags      = conn->out_clientflag;
 649        whdr.userStatus = 0;
 650        whdr.securityIndex = conn->security_ix;
 651        whdr._rsvd      = 0;
 652        whdr.serviceId  = htons(conn->service_id);
 653
 654        iov[0].iov_base = &whdr;
 655        iov[0].iov_len  = sizeof(whdr);
 656        iov[1].iov_base = &challenge;
 657        iov[1].iov_len  = sizeof(challenge);
 658
 659        len = iov[0].iov_len + iov[1].iov_len;
 660
 661        serial = atomic_inc_return(&conn->serial);
 662        whdr.serial = htonl(serial);
 663        _proto("Tx CHALLENGE %%%u", serial);
 664
 665        ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
 666        if (ret < 0) {
 667                trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
 668                                    rxrpc_tx_fail_conn_challenge);
 669                return -EAGAIN;
 670        }
 671
 672        conn->params.peer->last_tx_at = ktime_get_real();
 673        _leave(" = 0");
 674        return 0;
 675}
 676
 677/*
 678 * send a Kerberos security response
 679 */
 680static int rxkad_send_response(struct rxrpc_connection *conn,
 681                               struct rxrpc_host_header *hdr,
 682                               struct rxkad_response *resp,
 683                               const struct rxkad_key *s2)
 684{
 685        struct rxrpc_wire_header whdr;
 686        struct msghdr msg;
 687        struct kvec iov[3];
 688        size_t len;
 689        u32 serial;
 690        int ret;
 691
 692        _enter("");
 693
 694        msg.msg_name    = &conn->params.peer->srx.transport;
 695        msg.msg_namelen = conn->params.peer->srx.transport_len;
 696        msg.msg_control = NULL;
 697        msg.msg_controllen = 0;
 698        msg.msg_flags   = 0;
 699
 700        memset(&whdr, 0, sizeof(whdr));
 701        whdr.epoch      = htonl(hdr->epoch);
 702        whdr.cid        = htonl(hdr->cid);
 703        whdr.type       = RXRPC_PACKET_TYPE_RESPONSE;
 704        whdr.flags      = conn->out_clientflag;
 705        whdr.securityIndex = hdr->securityIndex;
 706        whdr.serviceId  = htons(hdr->serviceId);
 707
 708        iov[0].iov_base = &whdr;
 709        iov[0].iov_len  = sizeof(whdr);
 710        iov[1].iov_base = resp;
 711        iov[1].iov_len  = sizeof(*resp);
 712        iov[2].iov_base = (void *)s2->ticket;
 713        iov[2].iov_len  = s2->ticket_len;
 714
 715        len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
 716
 717        serial = atomic_inc_return(&conn->serial);
 718        whdr.serial = htonl(serial);
 719        _proto("Tx RESPONSE %%%u", serial);
 720
 721        ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
 722        if (ret < 0) {
 723                trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
 724                                    rxrpc_tx_fail_conn_response);
 725                return -EAGAIN;
 726        }
 727
 728        conn->params.peer->last_tx_at = ktime_get_real();
 729        _leave(" = 0");
 730        return 0;
 731}
 732
 733/*
 734 * calculate the response checksum
 735 */
 736static void rxkad_calc_response_checksum(struct rxkad_response *response)
 737{
 738        u32 csum = 1000003;
 739        int loop;
 740        u8 *p = (u8 *) response;
 741
 742        for (loop = sizeof(*response); loop > 0; loop--)
 743                csum = csum * 0x10204081 + *p++;
 744
 745        response->encrypted.checksum = htonl(csum);
 746}
 747
 748/*
 749 * encrypt the response packet
 750 */
 751static void rxkad_encrypt_response(struct rxrpc_connection *conn,
 752                                   struct rxkad_response *resp,
 753                                   const struct rxkad_key *s2)
 754{
 755        SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
 756        struct rxrpc_crypt iv;
 757        struct scatterlist sg[1];
 758
 759        /* continue encrypting from where we left off */
 760        memcpy(&iv, s2->session_key, sizeof(iv));
 761
 762        sg_init_table(sg, 1);
 763        sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
 764        skcipher_request_set_tfm(req, conn->cipher);
 765        skcipher_request_set_callback(req, 0, NULL, NULL);
 766        skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
 767        crypto_skcipher_encrypt(req);
 768        skcipher_request_zero(req);
 769}
 770
 771/*
 772 * respond to a challenge packet
 773 */
 774static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
 775                                      struct sk_buff *skb,
 776                                      u32 *_abort_code)
 777{
 778        const struct rxrpc_key_token *token;
 779        struct rxkad_challenge challenge;
 780        struct rxkad_response *resp;
 781        struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 782        const char *eproto;
 783        u32 version, nonce, min_level, abort_code;
 784        int ret;
 785
 786        _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
 787
 788        eproto = tracepoint_string("chall_no_key");
 789        abort_code = RX_PROTOCOL_ERROR;
 790        if (!conn->params.key)
 791                goto protocol_error;
 792
 793        abort_code = RXKADEXPIRED;
 794        ret = key_validate(conn->params.key);
 795        if (ret < 0)
 796                goto other_error;
 797
 798        eproto = tracepoint_string("chall_short");
 799        abort_code = RXKADPACKETSHORT;
 800        if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
 801                          &challenge, sizeof(challenge)) < 0)
 802                goto protocol_error;
 803
 804        version = ntohl(challenge.version);
 805        nonce = ntohl(challenge.nonce);
 806        min_level = ntohl(challenge.min_level);
 807
 808        _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
 809               sp->hdr.serial, version, nonce, min_level);
 810
 811        eproto = tracepoint_string("chall_ver");
 812        abort_code = RXKADINCONSISTENCY;
 813        if (version != RXKAD_VERSION)
 814                goto protocol_error;
 815
 816        abort_code = RXKADLEVELFAIL;
 817        ret = -EACCES;
 818        if (conn->params.security_level < min_level)
 819                goto other_error;
 820
 821        token = conn->params.key->payload.data[0];
 822
 823        /* build the response packet */
 824        resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
 825        if (!resp)
 826                return -ENOMEM;
 827
 828        resp->version                   = htonl(RXKAD_VERSION);
 829        resp->encrypted.epoch           = htonl(conn->proto.epoch);
 830        resp->encrypted.cid             = htonl(conn->proto.cid);
 831        resp->encrypted.securityIndex   = htonl(conn->security_ix);
 832        resp->encrypted.inc_nonce       = htonl(nonce + 1);
 833        resp->encrypted.level           = htonl(conn->params.security_level);
 834        resp->kvno                      = htonl(token->kad->kvno);
 835        resp->ticket_len                = htonl(token->kad->ticket_len);
 836        resp->encrypted.call_id[0]      = htonl(conn->channels[0].call_counter);
 837        resp->encrypted.call_id[1]      = htonl(conn->channels[1].call_counter);
 838        resp->encrypted.call_id[2]      = htonl(conn->channels[2].call_counter);
 839        resp->encrypted.call_id[3]      = htonl(conn->channels[3].call_counter);
 840
 841        /* calculate the response checksum and then do the encryption */
 842        rxkad_calc_response_checksum(resp);
 843        rxkad_encrypt_response(conn, resp, token->kad);
 844        ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad);
 845        kfree(resp);
 846        return ret;
 847
 848protocol_error:
 849        trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
 850        ret = -EPROTO;
 851other_error:
 852        *_abort_code = abort_code;
 853        return ret;
 854}
 855
 856/*
 857 * decrypt the kerberos IV ticket in the response
 858 */
 859static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
 860                                struct sk_buff *skb,
 861                                void *ticket, size_t ticket_len,
 862                                struct rxrpc_crypt *_session_key,
 863                                time64_t *_expiry,
 864                                u32 *_abort_code)
 865{
 866        struct skcipher_request *req;
 867        struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 868        struct rxrpc_crypt iv, key;
 869        struct scatterlist sg[1];
 870        struct in_addr addr;
 871        unsigned int life;
 872        const char *eproto;
 873        time64_t issue, now;
 874        bool little_endian;
 875        int ret;
 876        u32 abort_code;
 877        u8 *p, *q, *name, *end;
 878
 879        _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
 880
 881        *_expiry = 0;
 882
 883        ret = key_validate(conn->server_key);
 884        if (ret < 0) {
 885                switch (ret) {
 886                case -EKEYEXPIRED:
 887                        abort_code = RXKADEXPIRED;
 888                        goto other_error;
 889                default:
 890                        abort_code = RXKADNOAUTH;
 891                        goto other_error;
 892                }
 893        }
 894
 895        ASSERT(conn->server_key->payload.data[0] != NULL);
 896        ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
 897
 898        memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
 899
 900        ret = -ENOMEM;
 901        req = skcipher_request_alloc(conn->server_key->payload.data[0],
 902                                     GFP_NOFS);
 903        if (!req)
 904                goto temporary_error;
 905
 906        sg_init_one(&sg[0], ticket, ticket_len);
 907        skcipher_request_set_callback(req, 0, NULL, NULL);
 908        skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
 909        crypto_skcipher_decrypt(req);
 910        skcipher_request_free(req);
 911
 912        p = ticket;
 913        end = p + ticket_len;
 914
 915#define Z(field)                                        \
 916        ({                                              \
 917                u8 *__str = p;                          \
 918                eproto = tracepoint_string("rxkad_bad_"#field); \
 919                q = memchr(p, 0, end - p);              \
 920                if (!q || q - p > (field##_SZ))         \
 921                        goto bad_ticket;                \
 922                for (; p < q; p++)                      \
 923                        if (!isprint(*p))               \
 924                                goto bad_ticket;        \
 925                p++;                                    \
 926                __str;                                  \
 927        })
 928
 929        /* extract the ticket flags */
 930        _debug("KIV FLAGS: %x", *p);
 931        little_endian = *p & 1;
 932        p++;
 933
 934        /* extract the authentication name */
 935        name = Z(ANAME);
 936        _debug("KIV ANAME: %s", name);
 937
 938        /* extract the principal's instance */
 939        name = Z(INST);
 940        _debug("KIV INST : %s", name);
 941
 942        /* extract the principal's authentication domain */
 943        name = Z(REALM);
 944        _debug("KIV REALM: %s", name);
 945
 946        eproto = tracepoint_string("rxkad_bad_len");
 947        if (end - p < 4 + 8 + 4 + 2)
 948                goto bad_ticket;
 949
 950        /* get the IPv4 address of the entity that requested the ticket */
 951        memcpy(&addr, p, sizeof(addr));
 952        p += 4;
 953        _debug("KIV ADDR : %pI4", &addr);
 954
 955        /* get the session key from the ticket */
 956        memcpy(&key, p, sizeof(key));
 957        p += 8;
 958        _debug("KIV KEY  : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
 959        memcpy(_session_key, &key, sizeof(key));
 960
 961        /* get the ticket's lifetime */
 962        life = *p++ * 5 * 60;
 963        _debug("KIV LIFE : %u", life);
 964
 965        /* get the issue time of the ticket */
 966        if (little_endian) {
 967                __le32 stamp;
 968                memcpy(&stamp, p, 4);
 969                issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
 970        } else {
 971                __be32 stamp;
 972                memcpy(&stamp, p, 4);
 973                issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
 974        }
 975        p += 4;
 976        now = ktime_get_real_seconds();
 977        _debug("KIV ISSUE: %llx [%llx]", issue, now);
 978
 979        /* check the ticket is in date */
 980        if (issue > now) {
 981                abort_code = RXKADNOAUTH;
 982                ret = -EKEYREJECTED;
 983                goto other_error;
 984        }
 985
 986        if (issue < now - life) {
 987                abort_code = RXKADEXPIRED;
 988                ret = -EKEYEXPIRED;
 989                goto other_error;
 990        }
 991
 992        *_expiry = issue + life;
 993
 994        /* get the service name */
 995        name = Z(SNAME);
 996        _debug("KIV SNAME: %s", name);
 997
 998        /* get the service instance name */
 999        name = Z(INST);
1000        _debug("KIV SINST: %s", name);

1001        return 0;
1002
1003bad_ticket:
1004        trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1005        abort_code = RXKADBADTICKET;
1006        ret = -EPROTO;
1007other_error:
1008        *_abort_code = abort_code;
1009        return ret;
1010temporary_error:
1011        return ret;
1012}
1013
1014/*
1015 * decrypt the response packet
1016 */
1017static void rxkad_decrypt_response(struct rxrpc_connection *conn,
1018                                   struct rxkad_response *resp,
1019                                   const struct rxrpc_crypt *session_key)
1020{
1021        SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci);
1022        struct scatterlist sg[1];
1023        struct rxrpc_crypt iv;
1024
1025        _enter(",,%08x%08x",
1026               ntohl(session_key->n[0]), ntohl(session_key->n[1]));
1027
1028        ASSERT(rxkad_ci != NULL);
1029
1030        mutex_lock(&rxkad_ci_mutex);
1031        if (crypto_skcipher_setkey(rxkad_ci, session_key->x,
1032                                   sizeof(*session_key)) < 0)
1033                BUG();
1034
1035        memcpy(&iv, session_key, sizeof(iv));
1036
1037        sg_init_table(sg, 1);
1038        sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1039        skcipher_request_set_tfm(req, rxkad_ci);
1040        skcipher_request_set_callback(req, 0, NULL, NULL);
1041        skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1042        crypto_skcipher_decrypt(req);
1043        skcipher_request_zero(req);
1044
1045        mutex_unlock(&rxkad_ci_mutex);
1046
1047        _leave("");
1048}
1049
1050/*
1051 * verify a response
1052 */
1053static int rxkad_verify_response(struct rxrpc_connection *conn,
1054                                 struct sk_buff *skb,
1055                                 u32 *_abort_code)
1056{
1057        struct rxkad_response *response;
1058        struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1059        struct rxrpc_crypt session_key;
1060        const char *eproto;
1061        time64_t expiry;
1062        void *ticket;
1063        u32 abort_code, version, kvno, ticket_len, level;
1064        __be32 csum;
1065        int ret, i;
1066
1067        _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
1068
1069        ret = -ENOMEM;
1070        response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1071        if (!response)
1072                goto temporary_error;
1073
1074        eproto = tracepoint_string("rxkad_rsp_short");
1075        abort_code = RXKADPACKETSHORT;
1076        if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1077                          response, sizeof(*response)) < 0)
1078                goto protocol_error;
1079        if (!pskb_pull(skb, sizeof(*response)))
1080                BUG();
1081
1082        version = ntohl(response->version);
1083        ticket_len = ntohl(response->ticket_len);
1084        kvno = ntohl(response->kvno);
1085        _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1086               sp->hdr.serial, version, kvno, ticket_len);
1087
1088        eproto = tracepoint_string("rxkad_rsp_ver");
1089        abort_code = RXKADINCONSISTENCY;
1090        if (version != RXKAD_VERSION)
1091                goto protocol_error;
1092
1093        eproto = tracepoint_string("rxkad_rsp_tktlen");
1094        abort_code = RXKADTICKETLEN;
1095        if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1096                goto protocol_error;
1097
1098        eproto = tracepoint_string("rxkad_rsp_unkkey");
1099        abort_code = RXKADUNKNOWNKEY;
1100        if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1101                goto protocol_error;
1102
1103        /* extract the kerberos ticket and decrypt and decode it */
1104        ret = -ENOMEM;
1105        ticket = kmalloc(ticket_len, GFP_NOFS);
1106        if (!ticket)
1107                goto temporary_error;
1108
1109        eproto = tracepoint_string("rxkad_tkt_short");
1110        abort_code = RXKADPACKETSHORT;
1111        if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1112                          ticket, ticket_len) < 0)
1113                goto protocol_error_free;
1114
1115        ret = rxkad_decrypt_ticket(conn, skb, ticket, ticket_len, &session_key,
1116                                   &expiry, _abort_code);
1117        if (ret < 0)
1118                goto temporary_error_free_resp;
1119
1120        /* use the session key from inside the ticket to decrypt the
1121         * response */
1122        rxkad_decrypt_response(conn, response, &session_key);
1123
1124        eproto = tracepoint_string("rxkad_rsp_param");
1125        abort_code = RXKADSEALEDINCON;
1126        if (ntohl(response->encrypted.epoch) != conn->proto.epoch)
1127                goto protocol_error_free;
1128        if (ntohl(response->encrypted.cid) != conn->proto.cid)
1129                goto protocol_error_free;
1130        if (ntohl(response->encrypted.securityIndex) != conn->security_ix)
1131                goto protocol_error_free;
1132        csum = response->encrypted.checksum;
1133        response->encrypted.checksum = 0;
1134        rxkad_calc_response_checksum(response);
1135        eproto = tracepoint_string("rxkad_rsp_csum");
1136        if (response->encrypted.checksum != csum)
1137                goto protocol_error_free;
1138
1139        spin_lock(&conn->channel_lock);
1140        for (i = 0; i < RXRPC_MAXCALLS; i++) {
1141                struct rxrpc_call *call;
1142                u32 call_id = ntohl(response->encrypted.call_id[i]);
1143
1144                eproto = tracepoint_string("rxkad_rsp_callid");
1145                if (call_id > INT_MAX)
1146                        goto protocol_error_unlock;
1147
1148                eproto = tracepoint_string("rxkad_rsp_callctr");
1149                if (call_id < conn->channels[i].call_counter)
1150                        goto protocol_error_unlock;
1151
1152                eproto = tracepoint_string("rxkad_rsp_callst");
1153                if (call_id > conn->channels[i].call_counter) {
1154                        call = rcu_dereference_protected(
1155                                conn->channels[i].call,
1156                                lockdep_is_held(&conn->channel_lock));
1157                        if (call && call->state < RXRPC_CALL_COMPLETE)
1158                                goto protocol_error_unlock;
1159                        conn->channels[i].call_counter = call_id;
1160                }
1161        }
1162        spin_unlock(&conn->channel_lock);
1163
1164        eproto = tracepoint_string("rxkad_rsp_seq");
1165        abort_code = RXKADOUTOFSEQUENCE;
1166        if (ntohl(response->encrypted.inc_nonce) != conn->security_nonce + 1)
1167                goto protocol_error_free;
1168
1169        eproto = tracepoint_string("rxkad_rsp_level");
1170        abort_code = RXKADLEVELFAIL;
1171        level = ntohl(response->encrypted.level);
1172        if (level > RXRPC_SECURITY_ENCRYPT)
1173                goto protocol_error_free;
1174        conn->params.security_level = level;
1175
1176        /* create a key to hold the security data and expiration time - after
1177         * this the connection security can be handled in exactly the same way
1178         * as for a client connection */
1179        ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1180        if (ret < 0)
1181                goto temporary_error_free_ticket;
1182
1183        kfree(ticket);
1184        kfree(response);
1185        _leave(" = 0");
1186        return 0;
1187
1188protocol_error_unlock:
1189        spin_unlock(&conn->channel_lock);
1190protocol_error_free:
1191        kfree(ticket);
1192protocol_error:
1193        kfree(response);
1194        trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1195        *_abort_code = abort_code;
1196        return -EPROTO;
1197
1198temporary_error_free_ticket:
1199        kfree(ticket);
1200temporary_error_free_resp:
1201        kfree(response);
1202temporary_error:
1203        /* Ignore the response packet if we got a temporary error such as
1204         * ENOMEM.  We just want to send the challenge again.  Note that we
1205         * also come out this way if the ticket decryption fails.
1206         */
1207        return ret;
1208}
1209
1210/*
1211 * clear the connection security
1212 */
1213static void rxkad_clear(struct rxrpc_connection *conn)
1214{
1215        _enter("");
1216
1217        if (conn->cipher)
1218                crypto_free_skcipher(conn->cipher);
1219}
1220
1221/*
1222 * Initialise the rxkad security service.
1223 */
1224static int rxkad_init(void)
1225{
1226        /* pin the cipher we need so that the crypto layer doesn't invoke
1227         * keventd to go get it */
1228        rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
1229        return PTR_ERR_OR_ZERO(rxkad_ci);
1230}
1231
1232/*
1233 * Clean up the rxkad security service.
1234 */
1235static void rxkad_exit(void)
1236{
1237        if (rxkad_ci)
1238                crypto_free_skcipher(rxkad_ci);
1239}
1240
1241/*
1242 * RxRPC Kerberos-based security
1243 */
1244const struct rxrpc_security rxkad = {
1245        .name                           = "rxkad",
1246        .security_index                 = RXRPC_SECURITY_RXKAD,
1247        .init                           = rxkad_init,
1248        .exit                           = rxkad_exit,
1249        .init_connection_security       = rxkad_init_connection_security,
1250        .prime_packet_security          = rxkad_prime_packet_security,
1251        .secure_packet                  = rxkad_secure_packet,
1252        .verify_packet                  = rxkad_verify_packet,
1253        .locate_data                    = rxkad_locate_data,
1254        .issue_challenge                = rxkad_issue_challenge,
1255        .respond_to_challenge           = rxkad_respond_to_challenge,
1256        .verify_response                = rxkad_verify_response,
1257        .clear                          = rxkad_clear,
1258};
1259