LXR linux/net/rxrpc/rxkad.c

   1// SPDX-License-Identifier: GPL-2.0-or-later
   2/* Kerberos-based RxRPC security
   3 *
   4 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
   5 * Written by David Howells (dhowells@redhat.com)
   6 */
   7
   8#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
   9
  10#include <crypto/skcipher.h>
  11#include <linux/module.h>
  12#include <linux/net.h>
  13#include <linux/skbuff.h>
  14#include <linux/udp.h>
  15#include <linux/scatterlist.h>
  16#include <linux/ctype.h>
  17#include <linux/slab.h>
  18#include <net/sock.h>
  19#include <net/af_rxrpc.h>
  20#include <keys/rxrpc-type.h>
  21#include "ar-internal.h"
  22
  23#define RXKAD_VERSION                   2
  24#define MAXKRB5TICKETLEN                1024
  25#define RXKAD_TKT_TYPE_KERBEROS_V5      256
  26#define ANAME_SZ                        40      /* size of authentication name */
  27#define INST_SZ                         40      /* size of principal's instance */
  28#define REALM_SZ                        40      /* size of principal's auth domain */
  29#define SNAME_SZ                        40      /* size of service name */
  30
  31struct rxkad_level1_hdr {
  32        __be32  data_size;      /* true data size (excluding padding) */
  33};
  34
  35struct rxkad_level2_hdr {
  36        __be32  data_size;      /* true data size (excluding padding) */
  37        __be32  checksum;       /* decrypted data checksum */
  38};
  39
  40/*
  41 * this holds a pinned cipher so that keventd doesn't get called by the cipher
  42 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
  43 * packets
  44 */
  45static struct crypto_sync_skcipher *rxkad_ci;
  46static DEFINE_MUTEX(rxkad_ci_mutex);
  47
  48/*
  49 * initialise connection security
  50 */
  51static int rxkad_init_connection_security(struct rxrpc_connection *conn)
  52{
  53        struct crypto_sync_skcipher *ci;
  54        struct rxrpc_key_token *token;
  55        int ret;
  56
  57        _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
  58
  59        token = conn->params.key->payload.data[0];
  60        conn->security_ix = token->security_index;
  61
  62        ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
  63        if (IS_ERR(ci)) {
  64                _debug("no cipher");
  65                ret = PTR_ERR(ci);
  66                goto error;
  67        }
  68
  69        if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
  70                                   sizeof(token->kad->session_key)) < 0)
  71                BUG();
  72
  73        switch (conn->params.security_level) {
  74        case RXRPC_SECURITY_PLAIN:
  75                break;
  76        case RXRPC_SECURITY_AUTH:
  77                conn->size_align = 8;
  78                conn->security_size = sizeof(struct rxkad_level1_hdr);
  79                break;
  80        case RXRPC_SECURITY_ENCRYPT:
  81                conn->size_align = 8;
  82                conn->security_size = sizeof(struct rxkad_level2_hdr);
  83                break;
  84        default:
  85                ret = -EKEYREJECTED;
  86                goto error;
  87        }
  88
  89        conn->cipher = ci;
  90        ret = 0;
  91error:
  92        _leave(" = %d", ret);
  93        return ret;
  94}
  95
  96/*
  97 * prime the encryption state with the invariant parts of a connection's
  98 * description
  99 */
 100static int rxkad_prime_packet_security(struct rxrpc_connection *conn)
 101{
 102        struct rxrpc_key_token *token;
 103        SYNC_SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
 104        struct scatterlist sg;
 105        struct rxrpc_crypt iv;
 106        __be32 *tmpbuf;
 107        size_t tmpsize = 4 * sizeof(__be32);
 108
 109        _enter("");
 110
 111        if (!conn->params.key)
 112                return 0;
 113
 114        tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
 115        if (!tmpbuf)
 116                return -ENOMEM;
 117
 118        token = conn->params.key->payload.data[0];
 119        memcpy(&iv, token->kad->session_key, sizeof(iv));
 120
 121        tmpbuf[0] = htonl(conn->proto.epoch);
 122        tmpbuf[1] = htonl(conn->proto.cid);
 123        tmpbuf[2] = 0;
 124        tmpbuf[3] = htonl(conn->security_ix);
 125
 126        sg_init_one(&sg, tmpbuf, tmpsize);
 127        skcipher_request_set_sync_tfm(req, conn->cipher);
 128        skcipher_request_set_callback(req, 0, NULL, NULL);
 129        skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
 130        crypto_skcipher_encrypt(req);
 131        skcipher_request_zero(req);
 132
 133        memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv));
 134        kfree(tmpbuf);
 135        _leave(" = 0");
 136        return 0;
 137}
 138
 139/*
 140 * partially encrypt a packet (level 1 security)
 141 */
 142static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
 143                                    struct sk_buff *skb,
 144                                    u32 data_size,
 145                                    void *sechdr,
 146                                    struct skcipher_request *req)
 147{
 148        struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 149        struct rxkad_level1_hdr hdr;
 150        struct rxrpc_crypt iv;
 151        struct scatterlist sg;
 152        u16 check;
 153
 154        _enter("");
 155
 156        check = sp->hdr.seq ^ call->call_id;
 157        data_size |= (u32)check << 16;
 158
 159        hdr.data_size = htonl(data_size);
 160        memcpy(sechdr, &hdr, sizeof(hdr));
 161
 162        /* start the encryption afresh */
 163        memset(&iv, 0, sizeof(iv));
 164
 165        sg_init_one(&sg, sechdr, 8);
 166        skcipher_request_set_sync_tfm(req, call->conn->cipher);
 167        skcipher_request_set_callback(req, 0, NULL, NULL);
 168        skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
 169        crypto_skcipher_encrypt(req);
 170        skcipher_request_zero(req);
 171
 172        _leave(" = 0");
 173        return 0;
 174}
 175
 176/*
 177 * wholly encrypt a packet (level 2 security)
 178 */
 179static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
 180                                       struct sk_buff *skb,
 181                                       u32 data_size,
 182                                       void *sechdr,
 183                                       struct skcipher_request *req)
 184{
 185        const struct rxrpc_key_token *token;
 186        struct rxkad_level2_hdr rxkhdr;
 187        struct rxrpc_skb_priv *sp;
 188        struct rxrpc_crypt iv;
 189        struct scatterlist sg[16];
 190        unsigned int len;
 191        u16 check;
 192        int err;
 193
 194        sp = rxrpc_skb(skb);
 195
 196        _enter("");
 197
 198        check = sp->hdr.seq ^ call->call_id;
 199
 200        rxkhdr.data_size = htonl(data_size | (u32)check << 16);
 201        rxkhdr.checksum = 0;
 202        memcpy(sechdr, &rxkhdr, sizeof(rxkhdr));
 203
 204        /* encrypt from the session key */
 205        token = call->conn->params.key->payload.data[0];
 206        memcpy(&iv, token->kad->session_key, sizeof(iv));
 207
 208        sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
 209        skcipher_request_set_sync_tfm(req, call->conn->cipher);
 210        skcipher_request_set_callback(req, 0, NULL, NULL);
 211        skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
 212        crypto_skcipher_encrypt(req);
 213
 214        /* we want to encrypt the skbuff in-place */
 215        err = -EMSGSIZE;
 216        if (skb_shinfo(skb)->nr_frags > 16)
 217                goto out;
 218
 219        len = data_size + call->conn->size_align - 1;
 220        len &= ~(call->conn->size_align - 1);
 221
 222        sg_init_table(sg, ARRAY_SIZE(sg));
 223        err = skb_to_sgvec(skb, sg, 0, len);
 224        if (unlikely(err < 0))
 225                goto out;
 226        skcipher_request_set_crypt(req, sg, sg, len, iv.x);
 227        crypto_skcipher_encrypt(req);
 228
 229        _leave(" = 0");
 230        err = 0;
 231
 232out:
 233        skcipher_request_zero(req);
 234        return err;
 235}
 236
 237/*
 238 * checksum an RxRPC packet header
 239 */
 240static int rxkad_secure_packet(struct rxrpc_call *call,
 241                               struct sk_buff *skb,
 242                               size_t data_size,
 243                               void *sechdr)
 244{
 245        struct rxrpc_skb_priv *sp;
 246        SYNC_SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
 247        struct rxrpc_crypt iv;
 248        struct scatterlist sg;
 249        u32 x, y;
 250        int ret;
 251
 252        sp = rxrpc_skb(skb);
 253
 254        _enter("{%d{%x}},{#%u},%zu,",
 255               call->debug_id, key_serial(call->conn->params.key),
 256               sp->hdr.seq, data_size);
 257
 258        if (!call->conn->cipher)
 259                return 0;
 260
 261        ret = key_validate(call->conn->params.key);
 262        if (ret < 0)
 263                return ret;
 264
 265        /* continue encrypting from where we left off */
 266        memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
 267
 268        /* calculate the security checksum */
 269        x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
 270        x |= sp->hdr.seq & 0x3fffffff;
 271        call->crypto_buf[0] = htonl(call->call_id);
 272        call->crypto_buf[1] = htonl(x);
 273
 274        sg_init_one(&sg, call->crypto_buf, 8);
 275        skcipher_request_set_sync_tfm(req, call->conn->cipher);
 276        skcipher_request_set_callback(req, 0, NULL, NULL);
 277        skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
 278        crypto_skcipher_encrypt(req);
 279        skcipher_request_zero(req);
 280
 281        y = ntohl(call->crypto_buf[1]);
 282        y = (y >> 16) & 0xffff;
 283        if (y == 0)
 284                y = 1; /* zero checksums are not permitted */
 285        sp->hdr.cksum = y;
 286
 287        switch (call->conn->params.security_level) {
 288        case RXRPC_SECURITY_PLAIN:
 289                ret = 0;
 290                break;
 291        case RXRPC_SECURITY_AUTH:
 292                ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr,
 293                                               req);
 294                break;
 295        case RXRPC_SECURITY_ENCRYPT:
 296                ret = rxkad_secure_packet_encrypt(call, skb, data_size,
 297                                                  sechdr, req);
 298                break;
 299        default:
 300                ret = -EPERM;
 301                break;
 302        }
 303
 304        _leave(" = %d [set %hx]", ret, y);
 305        return ret;
 306}
 307
 308/*
 309 * decrypt partial encryption on a packet (level 1 security)
 310 */
 311static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
 312                                 unsigned int offset, unsigned int len,
 313                                 rxrpc_seq_t seq,
 314                                 struct skcipher_request *req)
 315{
 316        struct rxkad_level1_hdr sechdr;
 317        struct rxrpc_crypt iv;
 318        struct scatterlist sg[16];
 319        bool aborted;
 320        u32 data_size, buf;
 321        u16 check;
 322        int ret;
 323
 324        _enter("");
 325
 326        if (len < 8) {
 327                aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_hdr", "V1H",
 328                                           RXKADSEALEDINCON);
 329                goto protocol_error;
 330        }
 331
 332        /* Decrypt the skbuff in-place.  TODO: We really want to decrypt
 333         * directly into the target buffer.
 334         */
 335        sg_init_table(sg, ARRAY_SIZE(sg));
 336        ret = skb_to_sgvec(skb, sg, offset, 8);
 337        if (unlikely(ret < 0))
 338                return ret;
 339
 340        /* start the decryption afresh */
 341        memset(&iv, 0, sizeof(iv));
 342
 343        skcipher_request_set_sync_tfm(req, call->conn->cipher);
 344        skcipher_request_set_callback(req, 0, NULL, NULL);
 345        skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
 346        crypto_skcipher_decrypt(req);
 347        skcipher_request_zero(req);
 348
 349        /* Extract the decrypted packet length */
 350        if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
 351                aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_len", "XV1",
 352                                             RXKADDATALEN);
 353                goto protocol_error;
 354        }
 355        offset += sizeof(sechdr);
 356        len -= sizeof(sechdr);
 357
 358        buf = ntohl(sechdr.data_size);
 359        data_size = buf & 0xffff;
 360
 361        check = buf >> 16;
 362        check ^= seq ^ call->call_id;
 363        check &= 0xffff;
 364        if (check != 0) {
 365                aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_check", "V1C",
 366                                             RXKADSEALEDINCON);
 367                goto protocol_error;
 368        }
 369
 370        if (data_size > len) {
 371                aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_datalen", "V1L",
 372                                             RXKADDATALEN);
 373                goto protocol_error;
 374        }
 375
 376        _leave(" = 0 [dlen=%x]", data_size);
 377        return 0;
 378
 379protocol_error:
 380        if (aborted)
 381                rxrpc_send_abort_packet(call);
 382        return -EPROTO;
 383}
 384
 385/*
 386 * wholly decrypt a packet (level 2 security)
 387 */
 388static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
 389                                 unsigned int offset, unsigned int len,
 390                                 rxrpc_seq_t seq,
 391                                 struct skcipher_request *req)
 392{
 393        const struct rxrpc_key_token *token;
 394        struct rxkad_level2_hdr sechdr;
 395        struct rxrpc_crypt iv;
 396        struct scatterlist _sg[4], *sg;
 397        bool aborted;
 398        u32 data_size, buf;
 399        u16 check;
 400        int nsg, ret;
 401
 402        _enter(",{%d}", skb->len);
 403
 404        if (len < 8) {
 405                aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_hdr", "V2H",
 406                                             RXKADSEALEDINCON);
 407                goto protocol_error;
 408        }
 409
 410        /* Decrypt the skbuff in-place.  TODO: We really want to decrypt
 411         * directly into the target buffer.
 412         */
 413        sg = _sg;
 414        nsg = skb_shinfo(skb)->nr_frags;
 415        if (nsg <= 4) {
 416                nsg = 4;
 417        } else {
 418                sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
 419                if (!sg)
 420                        goto nomem;
 421        }
 422
 423        sg_init_table(sg, nsg);
 424        ret = skb_to_sgvec(skb, sg, offset, len);
 425        if (unlikely(ret < 0)) {
 426                if (sg != _sg)
 427                        kfree(sg);
 428                return ret;
 429        }
 430
 431        /* decrypt from the session key */
 432        token = call->conn->params.key->payload.data[0];
 433        memcpy(&iv, token->kad->session_key, sizeof(iv));
 434
 435        skcipher_request_set_sync_tfm(req, call->conn->cipher);
 436        skcipher_request_set_callback(req, 0, NULL, NULL);
 437        skcipher_request_set_crypt(req, sg, sg, len, iv.x);
 438        crypto_skcipher_decrypt(req);
 439        skcipher_request_zero(req);
 440        if (sg != _sg)
 441                kfree(sg);
 442
 443        /* Extract the decrypted packet length */
 444        if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
 445                aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_len", "XV2",
 446                                             RXKADDATALEN);
 447                goto protocol_error;
 448        }
 449        offset += sizeof(sechdr);
 450        len -= sizeof(sechdr);
 451
 452        buf = ntohl(sechdr.data_size);
 453        data_size = buf & 0xffff;
 454
 455        check = buf >> 16;
 456        check ^= seq ^ call->call_id;
 457        check &= 0xffff;
 458        if (check != 0) {
 459                aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_check", "V2C",
 460                                             RXKADSEALEDINCON);
 461                goto protocol_error;
 462        }
 463
 464        if (data_size > len) {
 465                aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_datalen", "V2L",
 466                                             RXKADDATALEN);
 467                goto protocol_error;
 468        }
 469
 470        _leave(" = 0 [dlen=%x]", data_size);
 471        return 0;
 472
 473protocol_error:
 474        if (aborted)
 475                rxrpc_send_abort_packet(call);
 476        return -EPROTO;
 477
 478nomem:
 479        _leave(" = -ENOMEM");
 480        return -ENOMEM;
 481}
 482
 483/*
 484 * Verify the security on a received packet or subpacket (if part of a
 485 * jumbo packet).
 486 */
 487static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb,
 488                               unsigned int offset, unsigned int len,
 489                               rxrpc_seq_t seq, u16 expected_cksum)
 490{
 491        SYNC_SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
 492        struct rxrpc_crypt iv;
 493        struct scatterlist sg;
 494        bool aborted;
 495        u16 cksum;
 496        u32 x, y;
 497
 498        _enter("{%d{%x}},{#%u}",
 499               call->debug_id, key_serial(call->conn->params.key), seq);
 500
 501        if (!call->conn->cipher)
 502                return 0;
 503
 504        /* continue encrypting from where we left off */
 505        memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
 506
 507        /* validate the security checksum */
 508        x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
 509        x |= seq & 0x3fffffff;
 510        call->crypto_buf[0] = htonl(call->call_id);
 511        call->crypto_buf[1] = htonl(x);
 512
 513        sg_init_one(&sg, call->crypto_buf, 8);
 514        skcipher_request_set_sync_tfm(req, call->conn->cipher);
 515        skcipher_request_set_callback(req, 0, NULL, NULL);
 516        skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
 517        crypto_skcipher_encrypt(req);
 518        skcipher_request_zero(req);
 519
 520        y = ntohl(call->crypto_buf[1]);
 521        cksum = (y >> 16) & 0xffff;
 522        if (cksum == 0)
 523                cksum = 1; /* zero checksums are not permitted */
 524
 525        if (cksum != expected_cksum) {
 526                aborted = rxrpc_abort_eproto(call, skb, "rxkad_csum", "VCK",
 527                                             RXKADSEALEDINCON);
 528                goto protocol_error;
 529        }
 530
 531        switch (call->conn->params.security_level) {
 532        case RXRPC_SECURITY_PLAIN:
 533                return 0;
 534        case RXRPC_SECURITY_AUTH:
 535                return rxkad_verify_packet_1(call, skb, offset, len, seq, req);
 536        case RXRPC_SECURITY_ENCRYPT:
 537                return rxkad_verify_packet_2(call, skb, offset, len, seq, req);
 538        default:
 539                return -ENOANO;
 540        }
 541
 542protocol_error:
 543        if (aborted)
 544                rxrpc_send_abort_packet(call);
 545        return -EPROTO;
 546}
 547
 548/*
 549 * Locate the data contained in a packet that was partially encrypted.
 550 */
 551static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb,
 552                                unsigned int *_offset, unsigned int *_len)
 553{
 554        struct rxkad_level1_hdr sechdr;
 555
 556        if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
 557                BUG();
 558        *_offset += sizeof(sechdr);
 559        *_len = ntohl(sechdr.data_size) & 0xffff;
 560}
 561
 562/*
 563 * Locate the data contained in a packet that was completely encrypted.
 564 */
 565static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb,
 566                                unsigned int *_offset, unsigned int *_len)
 567{
 568        struct rxkad_level2_hdr sechdr;
 569
 570        if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
 571                BUG();
 572        *_offset += sizeof(sechdr);
 573        *_len = ntohl(sechdr.data_size) & 0xffff;
 574}
 575
 576/*
 577 * Locate the data contained in an already decrypted packet.
 578 */
 579static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb,
 580                              unsigned int *_offset, unsigned int *_len)
 581{
 582        switch (call->conn->params.security_level) {
 583        case RXRPC_SECURITY_AUTH:
 584                rxkad_locate_data_1(call, skb, _offset, _len);
 585                return;
 586        case RXRPC_SECURITY_ENCRYPT:
 587                rxkad_locate_data_2(call, skb, _offset, _len);
 588                return;
 589        default:
 590                return;
 591        }
 592}
 593
 594/*
 595 * issue a challenge
 596 */
 597static int rxkad_issue_challenge(struct rxrpc_connection *conn)
 598{
 599        struct rxkad_challenge challenge;
 600        struct rxrpc_wire_header whdr;
 601        struct msghdr msg;
 602        struct kvec iov[2];
 603        size_t len;
 604        u32 serial;
 605        int ret;
 606
 607        _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
 608
 609        ret = key_validate(conn->params.key);
 610        if (ret < 0)
 611                return ret;
 612
 613        get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
 614
 615        challenge.version       = htonl(2);
 616        challenge.nonce         = htonl(conn->security_nonce);
 617        challenge.min_level     = htonl(0);
 618        challenge.__padding     = 0;
 619
 620        msg.msg_name    = &conn->params.peer->srx.transport;
 621        msg.msg_namelen = conn->params.peer->srx.transport_len;
 622        msg.msg_control = NULL;
 623        msg.msg_controllen = 0;
 624        msg.msg_flags   = 0;
 625
 626        whdr.epoch      = htonl(conn->proto.epoch);
 627        whdr.cid        = htonl(conn->proto.cid);
 628        whdr.callNumber = 0;
 629        whdr.seq        = 0;
 630        whdr.type       = RXRPC_PACKET_TYPE_CHALLENGE;
 631        whdr.flags      = conn->out_clientflag;
 632        whdr.userStatus = 0;
 633        whdr.securityIndex = conn->security_ix;
 634        whdr._rsvd      = 0;
 635        whdr.serviceId  = htons(conn->service_id);
 636
 637        iov[0].iov_base = &whdr;
 638        iov[0].iov_len  = sizeof(whdr);
 639        iov[1].iov_base = &challenge;
 640        iov[1].iov_len  = sizeof(challenge);
 641
 642        len = iov[0].iov_len + iov[1].iov_len;
 643
 644        serial = atomic_inc_return(&conn->serial);
 645        whdr.serial = htonl(serial);
 646        _proto("Tx CHALLENGE %%%u", serial);
 647
 648        ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
 649        if (ret < 0) {
 650                trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
 651                                    rxrpc_tx_point_rxkad_challenge);
 652                return -EAGAIN;
 653        }
 654
 655        conn->params.peer->last_tx_at = ktime_get_seconds();
 656        trace_rxrpc_tx_packet(conn->debug_id, &whdr,
 657                              rxrpc_tx_point_rxkad_challenge);
 658        _leave(" = 0");
 659        return 0;
 660}
 661
 662/*
 663 * send a Kerberos security response
 664 */
 665static int rxkad_send_response(struct rxrpc_connection *conn,
 666                               struct rxrpc_host_header *hdr,
 667                               struct rxkad_response *resp,
 668                               const struct rxkad_key *s2)
 669{
 670        struct rxrpc_wire_header whdr;
 671        struct msghdr msg;
 672        struct kvec iov[3];
 673        size_t len;
 674        u32 serial;
 675        int ret;
 676
 677        _enter("");
 678
 679        msg.msg_name    = &conn->params.peer->srx.transport;
 680        msg.msg_namelen = conn->params.peer->srx.transport_len;
 681        msg.msg_control = NULL;
 682        msg.msg_controllen = 0;
 683        msg.msg_flags   = 0;
 684
 685        memset(&whdr, 0, sizeof(whdr));
 686        whdr.epoch      = htonl(hdr->epoch);
 687        whdr.cid        = htonl(hdr->cid);
 688        whdr.type       = RXRPC_PACKET_TYPE_RESPONSE;
 689        whdr.flags      = conn->out_clientflag;
 690        whdr.securityIndex = hdr->securityIndex;
 691        whdr.serviceId  = htons(hdr->serviceId);
 692
 693        iov[0].iov_base = &whdr;
 694        iov[0].iov_len  = sizeof(whdr);
 695        iov[1].iov_base = resp;
 696        iov[1].iov_len  = sizeof(*resp);
 697        iov[2].iov_base = (void *)s2->ticket;
 698        iov[2].iov_len  = s2->ticket_len;
 699
 700        len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
 701
 702        serial = atomic_inc_return(&conn->serial);
 703        whdr.serial = htonl(serial);
 704        _proto("Tx RESPONSE %%%u", serial);
 705
 706        ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
 707        if (ret < 0) {
 708                trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
 709                                    rxrpc_tx_point_rxkad_response);
 710                return -EAGAIN;
 711        }
 712
 713        conn->params.peer->last_tx_at = ktime_get_seconds();
 714        _leave(" = 0");
 715        return 0;
 716}
 717
 718/*
 719 * calculate the response checksum
 720 */
 721static void rxkad_calc_response_checksum(struct rxkad_response *response)
 722{
 723        u32 csum = 1000003;
 724        int loop;
 725        u8 *p = (u8 *) response;
 726
 727        for (loop = sizeof(*response); loop > 0; loop--)
 728                csum = csum * 0x10204081 + *p++;
 729
 730        response->encrypted.checksum = htonl(csum);
 731}
 732
 733/*
 734 * encrypt the response packet
 735 */
 736static void rxkad_encrypt_response(struct rxrpc_connection *conn,
 737                                   struct rxkad_response *resp,
 738                                   const struct rxkad_key *s2)
 739{
 740        SYNC_SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
 741        struct rxrpc_crypt iv;
 742        struct scatterlist sg[1];
 743
 744        /* continue encrypting from where we left off */
 745        memcpy(&iv, s2->session_key, sizeof(iv));
 746
 747        sg_init_table(sg, 1);
 748        sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
 749        skcipher_request_set_sync_tfm(req, conn->cipher);
 750        skcipher_request_set_callback(req, 0, NULL, NULL);
 751        skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
 752        crypto_skcipher_encrypt(req);
 753        skcipher_request_zero(req);
 754}
 755
 756/*
 757 * respond to a challenge packet
 758 */
 759static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
 760                                      struct sk_buff *skb,
 761                                      u32 *_abort_code)
 762{
 763        const struct rxrpc_key_token *token;
 764        struct rxkad_challenge challenge;
 765        struct rxkad_response *resp;
 766        struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 767        const char *eproto;
 768        u32 version, nonce, min_level, abort_code;
 769        int ret;
 770
 771        _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
 772
 773        eproto = tracepoint_string("chall_no_key");
 774        abort_code = RX_PROTOCOL_ERROR;
 775        if (!conn->params.key)
 776                goto protocol_error;
 777
 778        abort_code = RXKADEXPIRED;
 779        ret = key_validate(conn->params.key);
 780        if (ret < 0)
 781                goto other_error;
 782
 783        eproto = tracepoint_string("chall_short");
 784        abort_code = RXKADPACKETSHORT;
 785        if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
 786                          &challenge, sizeof(challenge)) < 0)
 787                goto protocol_error;
 788
 789        version = ntohl(challenge.version);
 790        nonce = ntohl(challenge.nonce);
 791        min_level = ntohl(challenge.min_level);
 792
 793        _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
 794               sp->hdr.serial, version, nonce, min_level);
 795
 796        eproto = tracepoint_string("chall_ver");
 797        abort_code = RXKADINCONSISTENCY;
 798        if (version != RXKAD_VERSION)
 799                goto protocol_error;
 800
 801        abort_code = RXKADLEVELFAIL;
 802        ret = -EACCES;
 803        if (conn->params.security_level < min_level)
 804                goto other_error;
 805
 806        token = conn->params.key->payload.data[0];
 807
 808        /* build the response packet */
 809        resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
 810        if (!resp)
 811                return -ENOMEM;
 812
 813        resp->version                   = htonl(RXKAD_VERSION);
 814        resp->encrypted.epoch           = htonl(conn->proto.epoch);
 815        resp->encrypted.cid             = htonl(conn->proto.cid);
 816        resp->encrypted.securityIndex   = htonl(conn->security_ix);
 817        resp->encrypted.inc_nonce       = htonl(nonce + 1);
 818        resp->encrypted.level           = htonl(conn->params.security_level);
 819        resp->kvno                      = htonl(token->kad->kvno);
 820        resp->ticket_len                = htonl(token->kad->ticket_len);
 821        resp->encrypted.call_id[0]      = htonl(conn->channels[0].call_counter);
 822        resp->encrypted.call_id[1]      = htonl(conn->channels[1].call_counter);
 823        resp->encrypted.call_id[2]      = htonl(conn->channels[2].call_counter);
 824        resp->encrypted.call_id[3]      = htonl(conn->channels[3].call_counter);
 825
 826        /* calculate the response checksum and then do the encryption */
 827        rxkad_calc_response_checksum(resp);
 828        rxkad_encrypt_response(conn, resp, token->kad);
 829        ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad);
 830        kfree(resp);
 831        return ret;
 832
 833protocol_error:
 834        trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
 835        ret = -EPROTO;
 836other_error:
 837        *_abort_code = abort_code;
 838        return ret;
 839}
 840
 841/*
 842 * decrypt the kerberos IV ticket in the response
 843 */
 844static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
 845                                struct sk_buff *skb,
 846                                void *ticket, size_t ticket_len,
 847                                struct rxrpc_crypt *_session_key,
 848                                time64_t *_expiry,
 849                                u32 *_abort_code)
 850{
 851        struct skcipher_request *req;
 852        struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 853        struct rxrpc_crypt iv, key;
 854        struct scatterlist sg[1];
 855        struct in_addr addr;
 856        unsigned int life;
 857        const char *eproto;
 858        time64_t issue, now;
 859        bool little_endian;
 860        int ret;
 861        u32 abort_code;
 862        u8 *p, *q, *name, *end;
 863
 864        _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
 865
 866        *_expiry = 0;
 867
 868        ret = key_validate(conn->server_key);
 869        if (ret < 0) {
 870                switch (ret) {
 871                case -EKEYEXPIRED:
 872                        abort_code = RXKADEXPIRED;
 873                        goto other_error;
 874                default:
 875                        abort_code = RXKADNOAUTH;
 876                        goto other_error;
 877                }
 878        }
 879
 880        ASSERT(conn->server_key->payload.data[0] != NULL);
 881        ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
 882
 883        memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
 884
 885        ret = -ENOMEM;
 886        req = skcipher_request_alloc(conn->server_key->payload.data[0],
 887                                     GFP_NOFS);
 888        if (!req)
 889                goto temporary_error;
 890
 891        sg_init_one(&sg[0], ticket, ticket_len);
 892        skcipher_request_set_callback(req, 0, NULL, NULL);
 893        skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
 894        crypto_skcipher_decrypt(req);
 895        skcipher_request_free(req);
 896
 897        p = ticket;
 898        end = p + ticket_len;
 899
 900#define Z(field)                                        \
 901        ({                                              \
 902                u8 *__str = p;                          \
 903                eproto = tracepoint_string("rxkad_bad_"#field); \
 904                q = memchr(p, 0, end - p);              \
 905                if (!q || q - p > (field##_SZ))         \
 906                        goto bad_ticket;                \
 907                for (; p < q; p++)                      \
 908                        if (!isprint(*p))               \
 909                                goto bad_ticket;        \
 910                p++;                                    \
 911                __str;                                  \
 912        })
 913
 914        /* extract the ticket flags */
 915        _debug("KIV FLAGS: %x", *p);
 916        little_endian = *p & 1;
 917        p++;
 918
 919        /* extract the authentication name */
 920        name = Z(ANAME);
 921        _debug("KIV ANAME: %s", name);
 922
 923        /* extract the principal's instance */
 924        name = Z(INST);
 925        _debug("KIV INST : %s", name);
 926
 927        /* extract the principal's authentication domain */
 928        name = Z(REALM);
 929        _debug("KIV REALM: %s", name);
 930
 931        eproto = tracepoint_string("rxkad_bad_len");
 932        if (end - p < 4 + 8 + 4 + 2)
 933                goto bad_ticket;
 934
 935        /* get the IPv4 address of the entity that requested the ticket */
 936        memcpy(&addr, p, sizeof(addr));
 937        p += 4;
 938        _debug("KIV ADDR : %pI4", &addr);
 939
 940        /* get the session key from the ticket */
 941        memcpy(&key, p, sizeof(key));
 942        p += 8;
 943        _debug("KIV KEY  : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
 944        memcpy(_session_key, &key, sizeof(key));
 945
 946        /* get the ticket's lifetime */
 947        life = *p++ * 5 * 60;
 948        _debug("KIV LIFE : %u", life);
 949
 950        /* get the issue time of the ticket */
 951        if (little_endian) {
 952                __le32 stamp;
 953                memcpy(&stamp, p, 4);
 954                issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
 955        } else {
 956                __be32 stamp;
 957                memcpy(&stamp, p, 4);
 958                issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
 959        }
 960        p += 4;
 961        now = ktime_get_real_seconds();
 962        _debug("KIV ISSUE: %llx [%llx]", issue, now);
 963
 964        /* check the ticket is in date */
 965        if (issue > now) {
 966                abort_code = RXKADNOAUTH;
 967                ret = -EKEYREJECTED;
 968                goto other_error;
 969        }
 970
 971        if (issue < now - life) {
 972                abort_code = RXKADEXPIRED;
 973                ret = -EKEYEXPIRED;
 974                goto other_error;
 975        }
 976
 977        *_expiry = issue + life;
 978
 979        /* get the service name */
 980        name = Z(SNAME);
 981        _debug("KIV SNAME: %s", name);
 982
 983        /* get the service instance name */
 984        name = Z(INST);
 985        _debug("KIV SINST: %s", name);
 986        return 0;
 987
 988bad_ticket:
 989        trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
 990        abort_code = RXKADBADTICKET;
 991        ret = -EPROTO;
 992other_error:
 993        *_abort_code = abort_code;
 994        return ret;
 995temporary_error:
 996        return ret;
 997}
 998
 999/*
1000 * decrypt the response packet

1001 */
1002static void rxkad_decrypt_response(struct rxrpc_connection *conn,
1003                                   struct rxkad_response *resp,
1004                                   const struct rxrpc_crypt *session_key)
1005{
1006        SYNC_SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci);
1007        struct scatterlist sg[1];
1008        struct rxrpc_crypt iv;
1009
1010        _enter(",,%08x%08x",
1011               ntohl(session_key->n[0]), ntohl(session_key->n[1]));
1012
1013        ASSERT(rxkad_ci != NULL);
1014
1015        mutex_lock(&rxkad_ci_mutex);
1016        if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
1017                                   sizeof(*session_key)) < 0)
1018                BUG();
1019
1020        memcpy(&iv, session_key, sizeof(iv));
1021
1022        sg_init_table(sg, 1);
1023        sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1024        skcipher_request_set_sync_tfm(req, rxkad_ci);
1025        skcipher_request_set_callback(req, 0, NULL, NULL);
1026        skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1027        crypto_skcipher_decrypt(req);
1028        skcipher_request_zero(req);
1029
1030        mutex_unlock(&rxkad_ci_mutex);
1031
1032        _leave("");
1033}
1034
1035/*
1036 * verify a response
1037 */
1038static int rxkad_verify_response(struct rxrpc_connection *conn,
1039                                 struct sk_buff *skb,
1040                                 u32 *_abort_code)
1041{
1042        struct rxkad_response *response;
1043        struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1044        struct rxrpc_crypt session_key;
1045        const char *eproto;
1046        time64_t expiry;
1047        void *ticket;
1048        u32 abort_code, version, kvno, ticket_len, level;
1049        __be32 csum;
1050        int ret, i;
1051
1052        _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
1053
1054        ret = -ENOMEM;
1055        response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1056        if (!response)
1057                goto temporary_error;
1058
1059        eproto = tracepoint_string("rxkad_rsp_short");
1060        abort_code = RXKADPACKETSHORT;
1061        if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1062                          response, sizeof(*response)) < 0)
1063                goto protocol_error;
1064        if (!pskb_pull(skb, sizeof(*response)))
1065                BUG();
1066
1067        version = ntohl(response->version);
1068        ticket_len = ntohl(response->ticket_len);
1069        kvno = ntohl(response->kvno);
1070        _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1071               sp->hdr.serial, version, kvno, ticket_len);
1072
1073        eproto = tracepoint_string("rxkad_rsp_ver");
1074        abort_code = RXKADINCONSISTENCY;
1075        if (version != RXKAD_VERSION)
1076                goto protocol_error;
1077
1078        eproto = tracepoint_string("rxkad_rsp_tktlen");
1079        abort_code = RXKADTICKETLEN;
1080        if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1081                goto protocol_error;
1082
1083        eproto = tracepoint_string("rxkad_rsp_unkkey");
1084        abort_code = RXKADUNKNOWNKEY;
1085        if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1086                goto protocol_error;
1087
1088        /* extract the kerberos ticket and decrypt and decode it */
1089        ret = -ENOMEM;
1090        ticket = kmalloc(ticket_len, GFP_NOFS);
1091        if (!ticket)
1092                goto temporary_error;
1093
1094        eproto = tracepoint_string("rxkad_tkt_short");
1095        abort_code = RXKADPACKETSHORT;
1096        if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1097                          ticket, ticket_len) < 0)
1098                goto protocol_error_free;
1099
1100        ret = rxkad_decrypt_ticket(conn, skb, ticket, ticket_len, &session_key,
1101                                   &expiry, _abort_code);
1102        if (ret < 0)
1103                goto temporary_error_free_resp;
1104
1105        /* use the session key from inside the ticket to decrypt the
1106         * response */
1107        rxkad_decrypt_response(conn, response, &session_key);
1108
1109        eproto = tracepoint_string("rxkad_rsp_param");
1110        abort_code = RXKADSEALEDINCON;
1111        if (ntohl(response->encrypted.epoch) != conn->proto.epoch)
1112                goto protocol_error_free;
1113        if (ntohl(response->encrypted.cid) != conn->proto.cid)
1114                goto protocol_error_free;
1115        if (ntohl(response->encrypted.securityIndex) != conn->security_ix)
1116                goto protocol_error_free;
1117        csum = response->encrypted.checksum;
1118        response->encrypted.checksum = 0;
1119        rxkad_calc_response_checksum(response);
1120        eproto = tracepoint_string("rxkad_rsp_csum");
1121        if (response->encrypted.checksum != csum)
1122                goto protocol_error_free;
1123
1124        spin_lock(&conn->channel_lock);
1125        for (i = 0; i < RXRPC_MAXCALLS; i++) {
1126                struct rxrpc_call *call;
1127                u32 call_id = ntohl(response->encrypted.call_id[i]);
1128
1129                eproto = tracepoint_string("rxkad_rsp_callid");
1130                if (call_id > INT_MAX)
1131                        goto protocol_error_unlock;
1132
1133                eproto = tracepoint_string("rxkad_rsp_callctr");
1134                if (call_id < conn->channels[i].call_counter)
1135                        goto protocol_error_unlock;
1136
1137                eproto = tracepoint_string("rxkad_rsp_callst");
1138                if (call_id > conn->channels[i].call_counter) {
1139                        call = rcu_dereference_protected(
1140                                conn->channels[i].call,
1141                                lockdep_is_held(&conn->channel_lock));
1142                        if (call && call->state < RXRPC_CALL_COMPLETE)
1143                                goto protocol_error_unlock;
1144                        conn->channels[i].call_counter = call_id;
1145                }
1146        }
1147        spin_unlock(&conn->channel_lock);
1148
1149        eproto = tracepoint_string("rxkad_rsp_seq");
1150        abort_code = RXKADOUTOFSEQUENCE;
1151        if (ntohl(response->encrypted.inc_nonce) != conn->security_nonce + 1)
1152                goto protocol_error_free;
1153
1154        eproto = tracepoint_string("rxkad_rsp_level");
1155        abort_code = RXKADLEVELFAIL;
1156        level = ntohl(response->encrypted.level);
1157        if (level > RXRPC_SECURITY_ENCRYPT)
1158                goto protocol_error_free;
1159        conn->params.security_level = level;
1160
1161        /* create a key to hold the security data and expiration time - after
1162         * this the connection security can be handled in exactly the same way
1163         * as for a client connection */
1164        ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1165        if (ret < 0)
1166                goto temporary_error_free_ticket;
1167
1168        kfree(ticket);
1169        kfree(response);
1170        _leave(" = 0");
1171        return 0;
1172
1173protocol_error_unlock:
1174        spin_unlock(&conn->channel_lock);
1175protocol_error_free:
1176        kfree(ticket);
1177protocol_error:
1178        kfree(response);
1179        trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1180        *_abort_code = abort_code;
1181        return -EPROTO;
1182
1183temporary_error_free_ticket:
1184        kfree(ticket);
1185temporary_error_free_resp:
1186        kfree(response);
1187temporary_error:
1188        /* Ignore the response packet if we got a temporary error such as
1189         * ENOMEM.  We just want to send the challenge again.  Note that we
1190         * also come out this way if the ticket decryption fails.
1191         */
1192        return ret;
1193}
1194
1195/*
1196 * clear the connection security
1197 */
1198static void rxkad_clear(struct rxrpc_connection *conn)
1199{
1200        _enter("");
1201
1202        if (conn->cipher)
1203                crypto_free_sync_skcipher(conn->cipher);
1204}
1205
1206/*
1207 * Initialise the rxkad security service.
1208 */
1209static int rxkad_init(void)
1210{
1211        /* pin the cipher we need so that the crypto layer doesn't invoke
1212         * keventd to go get it */
1213        rxkad_ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
1214        return PTR_ERR_OR_ZERO(rxkad_ci);
1215}
1216
1217/*
1218 * Clean up the rxkad security service.
1219 */
1220static void rxkad_exit(void)
1221{
1222        if (rxkad_ci)
1223                crypto_free_sync_skcipher(rxkad_ci);
1224}
1225
1226/*
1227 * RxRPC Kerberos-based security
1228 */
1229const struct rxrpc_security rxkad = {
1230        .name                           = "rxkad",
1231        .security_index                 = RXRPC_SECURITY_RXKAD,
1232        .init                           = rxkad_init,
1233        .exit                           = rxkad_exit,
1234        .init_connection_security       = rxkad_init_connection_security,
1235        .prime_packet_security          = rxkad_prime_packet_security,
1236        .secure_packet                  = rxkad_secure_packet,
1237        .verify_packet                  = rxkad_verify_packet,
1238        .locate_data                    = rxkad_locate_data,
1239        .issue_challenge                = rxkad_issue_challenge,
1240        .respond_to_challenge           = rxkad_respond_to_challenge,
1241        .verify_response                = rxkad_verify_response,
1242        .clear                          = rxkad_clear,
1243};
1244