1
2
3
4
5
6
7
8#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9
10#include <crypto/skcipher.h>
11#include <linux/module.h>
12#include <linux/net.h>
13#include <linux/skbuff.h>
14#include <linux/udp.h>
15#include <linux/scatterlist.h>
16#include <linux/ctype.h>
17#include <linux/slab.h>
18#include <net/sock.h>
19#include <net/af_rxrpc.h>
20#include <keys/rxrpc-type.h>
21#include "ar-internal.h"
22
23#define RXKAD_VERSION 2
24#define MAXKRB5TICKETLEN 1024
25#define RXKAD_TKT_TYPE_KERBEROS_V5 256
26#define ANAME_SZ 40
27#define INST_SZ 40
28#define REALM_SZ 40
29#define SNAME_SZ 40
30
31struct rxkad_level1_hdr {
32 __be32 data_size;
33};
34
35struct rxkad_level2_hdr {
36 __be32 data_size;
37 __be32 checksum;
38};
39
40
41
42
43
44
45static struct crypto_sync_skcipher *rxkad_ci;
46static DEFINE_MUTEX(rxkad_ci_mutex);
47
48
49
50
51static int rxkad_init_connection_security(struct rxrpc_connection *conn)
52{
53 struct crypto_sync_skcipher *ci;
54 struct rxrpc_key_token *token;
55 int ret;
56
57 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
58
59 token = conn->params.key->payload.data[0];
60 conn->security_ix = token->security_index;
61
62 ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
63 if (IS_ERR(ci)) {
64 _debug("no cipher");
65 ret = PTR_ERR(ci);
66 goto error;
67 }
68
69 if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
70 sizeof(token->kad->session_key)) < 0)
71 BUG();
72
73 switch (conn->params.security_level) {
74 case RXRPC_SECURITY_PLAIN:
75 break;
76 case RXRPC_SECURITY_AUTH:
77 conn->size_align = 8;
78 conn->security_size = sizeof(struct rxkad_level1_hdr);
79 break;
80 case RXRPC_SECURITY_ENCRYPT:
81 conn->size_align = 8;
82 conn->security_size = sizeof(struct rxkad_level2_hdr);
83 break;
84 default:
85 ret = -EKEYREJECTED;
86 goto error;
87 }
88
89 conn->cipher = ci;
90 ret = 0;
91error:
92 _leave(" = %d", ret);
93 return ret;
94}
95
96
97
98
99
100static int rxkad_prime_packet_security(struct rxrpc_connection *conn)
101{
102 struct rxrpc_key_token *token;
103 SYNC_SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
104 struct scatterlist sg;
105 struct rxrpc_crypt iv;
106 __be32 *tmpbuf;
107 size_t tmpsize = 4 * sizeof(__be32);
108
109 _enter("");
110
111 if (!conn->params.key)
112 return 0;
113
114 tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
115 if (!tmpbuf)
116 return -ENOMEM;
117
118 token = conn->params.key->payload.data[0];
119 memcpy(&iv, token->kad->session_key, sizeof(iv));
120
121 tmpbuf[0] = htonl(conn->proto.epoch);
122 tmpbuf[1] = htonl(conn->proto.cid);
123 tmpbuf[2] = 0;
124 tmpbuf[3] = htonl(conn->security_ix);
125
126 sg_init_one(&sg, tmpbuf, tmpsize);
127 skcipher_request_set_sync_tfm(req, conn->cipher);
128 skcipher_request_set_callback(req, 0, NULL, NULL);
129 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
130 crypto_skcipher_encrypt(req);
131 skcipher_request_zero(req);
132
133 memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv));
134 kfree(tmpbuf);
135 _leave(" = 0");
136 return 0;
137}
138
139
140
141
142static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
143 struct sk_buff *skb,
144 u32 data_size,
145 void *sechdr,
146 struct skcipher_request *req)
147{
148 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
149 struct rxkad_level1_hdr hdr;
150 struct rxrpc_crypt iv;
151 struct scatterlist sg;
152 u16 check;
153
154 _enter("");
155
156 check = sp->hdr.seq ^ call->call_id;
157 data_size |= (u32)check << 16;
158
159 hdr.data_size = htonl(data_size);
160 memcpy(sechdr, &hdr, sizeof(hdr));
161
162
163 memset(&iv, 0, sizeof(iv));
164
165 sg_init_one(&sg, sechdr, 8);
166 skcipher_request_set_sync_tfm(req, call->conn->cipher);
167 skcipher_request_set_callback(req, 0, NULL, NULL);
168 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
169 crypto_skcipher_encrypt(req);
170 skcipher_request_zero(req);
171
172 _leave(" = 0");
173 return 0;
174}
175
176
177
178
179static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
180 struct sk_buff *skb,
181 u32 data_size,
182 void *sechdr,
183 struct skcipher_request *req)
184{
185 const struct rxrpc_key_token *token;
186 struct rxkad_level2_hdr rxkhdr;
187 struct rxrpc_skb_priv *sp;
188 struct rxrpc_crypt iv;
189 struct scatterlist sg[16];
190 unsigned int len;
191 u16 check;
192 int err;
193
194 sp = rxrpc_skb(skb);
195
196 _enter("");
197
198 check = sp->hdr.seq ^ call->call_id;
199
200 rxkhdr.data_size = htonl(data_size | (u32)check << 16);
201 rxkhdr.checksum = 0;
202 memcpy(sechdr, &rxkhdr, sizeof(rxkhdr));
203
204
205 token = call->conn->params.key->payload.data[0];
206 memcpy(&iv, token->kad->session_key, sizeof(iv));
207
208 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
209 skcipher_request_set_sync_tfm(req, call->conn->cipher);
210 skcipher_request_set_callback(req, 0, NULL, NULL);
211 skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
212 crypto_skcipher_encrypt(req);
213
214
215 err = -EMSGSIZE;
216 if (skb_shinfo(skb)->nr_frags > 16)
217 goto out;
218
219 len = data_size + call->conn->size_align - 1;
220 len &= ~(call->conn->size_align - 1);
221
222 sg_init_table(sg, ARRAY_SIZE(sg));
223 err = skb_to_sgvec(skb, sg, 0, len);
224 if (unlikely(err < 0))
225 goto out;
226 skcipher_request_set_crypt(req, sg, sg, len, iv.x);
227 crypto_skcipher_encrypt(req);
228
229 _leave(" = 0");
230 err = 0;
231
232out:
233 skcipher_request_zero(req);
234 return err;
235}
236
237
238
239
240static int rxkad_secure_packet(struct rxrpc_call *call,
241 struct sk_buff *skb,
242 size_t data_size,
243 void *sechdr)
244{
245 struct rxrpc_skb_priv *sp;
246 SYNC_SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
247 struct rxrpc_crypt iv;
248 struct scatterlist sg;
249 u32 x, y;
250 int ret;
251
252 sp = rxrpc_skb(skb);
253
254 _enter("{%d{%x}},{#%u},%zu,",
255 call->debug_id, key_serial(call->conn->params.key),
256 sp->hdr.seq, data_size);
257
258 if (!call->conn->cipher)
259 return 0;
260
261 ret = key_validate(call->conn->params.key);
262 if (ret < 0)
263 return ret;
264
265
266 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
267
268
269 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
270 x |= sp->hdr.seq & 0x3fffffff;
271 call->crypto_buf[0] = htonl(call->call_id);
272 call->crypto_buf[1] = htonl(x);
273
274 sg_init_one(&sg, call->crypto_buf, 8);
275 skcipher_request_set_sync_tfm(req, call->conn->cipher);
276 skcipher_request_set_callback(req, 0, NULL, NULL);
277 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
278 crypto_skcipher_encrypt(req);
279 skcipher_request_zero(req);
280
281 y = ntohl(call->crypto_buf[1]);
282 y = (y >> 16) & 0xffff;
283 if (y == 0)
284 y = 1;
285 sp->hdr.cksum = y;
286
287 switch (call->conn->params.security_level) {
288 case RXRPC_SECURITY_PLAIN:
289 ret = 0;
290 break;
291 case RXRPC_SECURITY_AUTH:
292 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr,
293 req);
294 break;
295 case RXRPC_SECURITY_ENCRYPT:
296 ret = rxkad_secure_packet_encrypt(call, skb, data_size,
297 sechdr, req);
298 break;
299 default:
300 ret = -EPERM;
301 break;
302 }
303
304 _leave(" = %d [set %hx]", ret, y);
305 return ret;
306}
307
308
309
310
311static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
312 unsigned int offset, unsigned int len,
313 rxrpc_seq_t seq,
314 struct skcipher_request *req)
315{
316 struct rxkad_level1_hdr sechdr;
317 struct rxrpc_crypt iv;
318 struct scatterlist sg[16];
319 bool aborted;
320 u32 data_size, buf;
321 u16 check;
322 int ret;
323
324 _enter("");
325
326 if (len < 8) {
327 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_hdr", "V1H",
328 RXKADSEALEDINCON);
329 goto protocol_error;
330 }
331
332
333
334
335 sg_init_table(sg, ARRAY_SIZE(sg));
336 ret = skb_to_sgvec(skb, sg, offset, 8);
337 if (unlikely(ret < 0))
338 return ret;
339
340
341 memset(&iv, 0, sizeof(iv));
342
343 skcipher_request_set_sync_tfm(req, call->conn->cipher);
344 skcipher_request_set_callback(req, 0, NULL, NULL);
345 skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
346 crypto_skcipher_decrypt(req);
347 skcipher_request_zero(req);
348
349
350 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
351 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_len", "XV1",
352 RXKADDATALEN);
353 goto protocol_error;
354 }
355 offset += sizeof(sechdr);
356 len -= sizeof(sechdr);
357
358 buf = ntohl(sechdr.data_size);
359 data_size = buf & 0xffff;
360
361 check = buf >> 16;
362 check ^= seq ^ call->call_id;
363 check &= 0xffff;
364 if (check != 0) {
365 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_check", "V1C",
366 RXKADSEALEDINCON);
367 goto protocol_error;
368 }
369
370 if (data_size > len) {
371 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_datalen", "V1L",
372 RXKADDATALEN);
373 goto protocol_error;
374 }
375
376 _leave(" = 0 [dlen=%x]", data_size);
377 return 0;
378
379protocol_error:
380 if (aborted)
381 rxrpc_send_abort_packet(call);
382 return -EPROTO;
383}
384
385
386
387
388static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
389 unsigned int offset, unsigned int len,
390 rxrpc_seq_t seq,
391 struct skcipher_request *req)
392{
393 const struct rxrpc_key_token *token;
394 struct rxkad_level2_hdr sechdr;
395 struct rxrpc_crypt iv;
396 struct scatterlist _sg[4], *sg;
397 bool aborted;
398 u32 data_size, buf;
399 u16 check;
400 int nsg, ret;
401
402 _enter(",{%d}", skb->len);
403
404 if (len < 8) {
405 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_hdr", "V2H",
406 RXKADSEALEDINCON);
407 goto protocol_error;
408 }
409
410
411
412
413 sg = _sg;
414 nsg = skb_shinfo(skb)->nr_frags;
415 if (nsg <= 4) {
416 nsg = 4;
417 } else {
418 sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
419 if (!sg)
420 goto nomem;
421 }
422
423 sg_init_table(sg, nsg);
424 ret = skb_to_sgvec(skb, sg, offset, len);
425 if (unlikely(ret < 0)) {
426 if (sg != _sg)
427 kfree(sg);
428 return ret;
429 }
430
431
432 token = call->conn->params.key->payload.data[0];
433 memcpy(&iv, token->kad->session_key, sizeof(iv));
434
435 skcipher_request_set_sync_tfm(req, call->conn->cipher);
436 skcipher_request_set_callback(req, 0, NULL, NULL);
437 skcipher_request_set_crypt(req, sg, sg, len, iv.x);
438 crypto_skcipher_decrypt(req);
439 skcipher_request_zero(req);
440 if (sg != _sg)
441 kfree(sg);
442
443
444 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
445 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_len", "XV2",
446 RXKADDATALEN);
447 goto protocol_error;
448 }
449 offset += sizeof(sechdr);
450 len -= sizeof(sechdr);
451
452 buf = ntohl(sechdr.data_size);
453 data_size = buf & 0xffff;
454
455 check = buf >> 16;
456 check ^= seq ^ call->call_id;
457 check &= 0xffff;
458 if (check != 0) {
459 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_check", "V2C",
460 RXKADSEALEDINCON);
461 goto protocol_error;
462 }
463
464 if (data_size > len) {
465 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_datalen", "V2L",
466 RXKADDATALEN);
467 goto protocol_error;
468 }
469
470 _leave(" = 0 [dlen=%x]", data_size);
471 return 0;
472
473protocol_error:
474 if (aborted)
475 rxrpc_send_abort_packet(call);
476 return -EPROTO;
477
478nomem:
479 _leave(" = -ENOMEM");
480 return -ENOMEM;
481}
482
483
484
485
486
487static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb,
488 unsigned int offset, unsigned int len,
489 rxrpc_seq_t seq, u16 expected_cksum)
490{
491 SYNC_SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
492 struct rxrpc_crypt iv;
493 struct scatterlist sg;
494 bool aborted;
495 u16 cksum;
496 u32 x, y;
497
498 _enter("{%d{%x}},{#%u}",
499 call->debug_id, key_serial(call->conn->params.key), seq);
500
501 if (!call->conn->cipher)
502 return 0;
503
504
505 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
506
507
508 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
509 x |= seq & 0x3fffffff;
510 call->crypto_buf[0] = htonl(call->call_id);
511 call->crypto_buf[1] = htonl(x);
512
513 sg_init_one(&sg, call->crypto_buf, 8);
514 skcipher_request_set_sync_tfm(req, call->conn->cipher);
515 skcipher_request_set_callback(req, 0, NULL, NULL);
516 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
517 crypto_skcipher_encrypt(req);
518 skcipher_request_zero(req);
519
520 y = ntohl(call->crypto_buf[1]);
521 cksum = (y >> 16) & 0xffff;
522 if (cksum == 0)
523 cksum = 1;
524
525 if (cksum != expected_cksum) {
526 aborted = rxrpc_abort_eproto(call, skb, "rxkad_csum", "VCK",
527 RXKADSEALEDINCON);
528 goto protocol_error;
529 }
530
531 switch (call->conn->params.security_level) {
532 case RXRPC_SECURITY_PLAIN:
533 return 0;
534 case RXRPC_SECURITY_AUTH:
535 return rxkad_verify_packet_1(call, skb, offset, len, seq, req);
536 case RXRPC_SECURITY_ENCRYPT:
537 return rxkad_verify_packet_2(call, skb, offset, len, seq, req);
538 default:
539 return -ENOANO;
540 }
541
542protocol_error:
543 if (aborted)
544 rxrpc_send_abort_packet(call);
545 return -EPROTO;
546}
547
548
549
550
551static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb,
552 unsigned int *_offset, unsigned int *_len)
553{
554 struct rxkad_level1_hdr sechdr;
555
556 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
557 BUG();
558 *_offset += sizeof(sechdr);
559 *_len = ntohl(sechdr.data_size) & 0xffff;
560}
561
562
563
564
565static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb,
566 unsigned int *_offset, unsigned int *_len)
567{
568 struct rxkad_level2_hdr sechdr;
569
570 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
571 BUG();
572 *_offset += sizeof(sechdr);
573 *_len = ntohl(sechdr.data_size) & 0xffff;
574}
575
576
577
578
579static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb,
580 unsigned int *_offset, unsigned int *_len)
581{
582 switch (call->conn->params.security_level) {
583 case RXRPC_SECURITY_AUTH:
584 rxkad_locate_data_1(call, skb, _offset, _len);
585 return;
586 case RXRPC_SECURITY_ENCRYPT:
587 rxkad_locate_data_2(call, skb, _offset, _len);
588 return;
589 default:
590 return;
591 }
592}
593
594
595
596
597static int rxkad_issue_challenge(struct rxrpc_connection *conn)
598{
599 struct rxkad_challenge challenge;
600 struct rxrpc_wire_header whdr;
601 struct msghdr msg;
602 struct kvec iov[2];
603 size_t len;
604 u32 serial;
605 int ret;
606
607 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
608
609 ret = key_validate(conn->params.key);
610 if (ret < 0)
611 return ret;
612
613 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
614
615 challenge.version = htonl(2);
616 challenge.nonce = htonl(conn->security_nonce);
617 challenge.min_level = htonl(0);
618 challenge.__padding = 0;
619
620 msg.msg_name = &conn->params.peer->srx.transport;
621 msg.msg_namelen = conn->params.peer->srx.transport_len;
622 msg.msg_control = NULL;
623 msg.msg_controllen = 0;
624 msg.msg_flags = 0;
625
626 whdr.epoch = htonl(conn->proto.epoch);
627 whdr.cid = htonl(conn->proto.cid);
628 whdr.callNumber = 0;
629 whdr.seq = 0;
630 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE;
631 whdr.flags = conn->out_clientflag;
632 whdr.userStatus = 0;
633 whdr.securityIndex = conn->security_ix;
634 whdr._rsvd = 0;
635 whdr.serviceId = htons(conn->service_id);
636
637 iov[0].iov_base = &whdr;
638 iov[0].iov_len = sizeof(whdr);
639 iov[1].iov_base = &challenge;
640 iov[1].iov_len = sizeof(challenge);
641
642 len = iov[0].iov_len + iov[1].iov_len;
643
644 serial = atomic_inc_return(&conn->serial);
645 whdr.serial = htonl(serial);
646 _proto("Tx CHALLENGE %%%u", serial);
647
648 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
649 if (ret < 0) {
650 trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
651 rxrpc_tx_point_rxkad_challenge);
652 return -EAGAIN;
653 }
654
655 conn->params.peer->last_tx_at = ktime_get_seconds();
656 trace_rxrpc_tx_packet(conn->debug_id, &whdr,
657 rxrpc_tx_point_rxkad_challenge);
658 _leave(" = 0");
659 return 0;
660}
661
662
663
664
665static int rxkad_send_response(struct rxrpc_connection *conn,
666 struct rxrpc_host_header *hdr,
667 struct rxkad_response *resp,
668 const struct rxkad_key *s2)
669{
670 struct rxrpc_wire_header whdr;
671 struct msghdr msg;
672 struct kvec iov[3];
673 size_t len;
674 u32 serial;
675 int ret;
676
677 _enter("");
678
679 msg.msg_name = &conn->params.peer->srx.transport;
680 msg.msg_namelen = conn->params.peer->srx.transport_len;
681 msg.msg_control = NULL;
682 msg.msg_controllen = 0;
683 msg.msg_flags = 0;
684
685 memset(&whdr, 0, sizeof(whdr));
686 whdr.epoch = htonl(hdr->epoch);
687 whdr.cid = htonl(hdr->cid);
688 whdr.type = RXRPC_PACKET_TYPE_RESPONSE;
689 whdr.flags = conn->out_clientflag;
690 whdr.securityIndex = hdr->securityIndex;
691 whdr.serviceId = htons(hdr->serviceId);
692
693 iov[0].iov_base = &whdr;
694 iov[0].iov_len = sizeof(whdr);
695 iov[1].iov_base = resp;
696 iov[1].iov_len = sizeof(*resp);
697 iov[2].iov_base = (void *)s2->ticket;
698 iov[2].iov_len = s2->ticket_len;
699
700 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
701
702 serial = atomic_inc_return(&conn->serial);
703 whdr.serial = htonl(serial);
704 _proto("Tx RESPONSE %%%u", serial);
705
706 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
707 if (ret < 0) {
708 trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
709 rxrpc_tx_point_rxkad_response);
710 return -EAGAIN;
711 }
712
713 conn->params.peer->last_tx_at = ktime_get_seconds();
714 _leave(" = 0");
715 return 0;
716}
717
718
719
720
721static void rxkad_calc_response_checksum(struct rxkad_response *response)
722{
723 u32 csum = 1000003;
724 int loop;
725 u8 *p = (u8 *) response;
726
727 for (loop = sizeof(*response); loop > 0; loop--)
728 csum = csum * 0x10204081 + *p++;
729
730 response->encrypted.checksum = htonl(csum);
731}
732
733
734
735
736static void rxkad_encrypt_response(struct rxrpc_connection *conn,
737 struct rxkad_response *resp,
738 const struct rxkad_key *s2)
739{
740 SYNC_SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
741 struct rxrpc_crypt iv;
742 struct scatterlist sg[1];
743
744
745 memcpy(&iv, s2->session_key, sizeof(iv));
746
747 sg_init_table(sg, 1);
748 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
749 skcipher_request_set_sync_tfm(req, conn->cipher);
750 skcipher_request_set_callback(req, 0, NULL, NULL);
751 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
752 crypto_skcipher_encrypt(req);
753 skcipher_request_zero(req);
754}
755
756
757
758
759static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
760 struct sk_buff *skb,
761 u32 *_abort_code)
762{
763 const struct rxrpc_key_token *token;
764 struct rxkad_challenge challenge;
765 struct rxkad_response *resp;
766 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
767 const char *eproto;
768 u32 version, nonce, min_level, abort_code;
769 int ret;
770
771 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
772
773 eproto = tracepoint_string("chall_no_key");
774 abort_code = RX_PROTOCOL_ERROR;
775 if (!conn->params.key)
776 goto protocol_error;
777
778 abort_code = RXKADEXPIRED;
779 ret = key_validate(conn->params.key);
780 if (ret < 0)
781 goto other_error;
782
783 eproto = tracepoint_string("chall_short");
784 abort_code = RXKADPACKETSHORT;
785 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
786 &challenge, sizeof(challenge)) < 0)
787 goto protocol_error;
788
789 version = ntohl(challenge.version);
790 nonce = ntohl(challenge.nonce);
791 min_level = ntohl(challenge.min_level);
792
793 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
794 sp->hdr.serial, version, nonce, min_level);
795
796 eproto = tracepoint_string("chall_ver");
797 abort_code = RXKADINCONSISTENCY;
798 if (version != RXKAD_VERSION)
799 goto protocol_error;
800
801 abort_code = RXKADLEVELFAIL;
802 ret = -EACCES;
803 if (conn->params.security_level < min_level)
804 goto other_error;
805
806 token = conn->params.key->payload.data[0];
807
808
809 resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
810 if (!resp)
811 return -ENOMEM;
812
813 resp->version = htonl(RXKAD_VERSION);
814 resp->encrypted.epoch = htonl(conn->proto.epoch);
815 resp->encrypted.cid = htonl(conn->proto.cid);
816 resp->encrypted.securityIndex = htonl(conn->security_ix);
817 resp->encrypted.inc_nonce = htonl(nonce + 1);
818 resp->encrypted.level = htonl(conn->params.security_level);
819 resp->kvno = htonl(token->kad->kvno);
820 resp->ticket_len = htonl(token->kad->ticket_len);
821 resp->encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
822 resp->encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
823 resp->encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
824 resp->encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
825
826
827 rxkad_calc_response_checksum(resp);
828 rxkad_encrypt_response(conn, resp, token->kad);
829 ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad);
830 kfree(resp);
831 return ret;
832
833protocol_error:
834 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
835 ret = -EPROTO;
836other_error:
837 *_abort_code = abort_code;
838 return ret;
839}
840
841
842
843
844static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
845 struct sk_buff *skb,
846 void *ticket, size_t ticket_len,
847 struct rxrpc_crypt *_session_key,
848 time64_t *_expiry,
849 u32 *_abort_code)
850{
851 struct skcipher_request *req;
852 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
853 struct rxrpc_crypt iv, key;
854 struct scatterlist sg[1];
855 struct in_addr addr;
856 unsigned int life;
857 const char *eproto;
858 time64_t issue, now;
859 bool little_endian;
860 int ret;
861 u32 abort_code;
862 u8 *p, *q, *name, *end;
863
864 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
865
866 *_expiry = 0;
867
868 ret = key_validate(conn->server_key);
869 if (ret < 0) {
870 switch (ret) {
871 case -EKEYEXPIRED:
872 abort_code = RXKADEXPIRED;
873 goto other_error;
874 default:
875 abort_code = RXKADNOAUTH;
876 goto other_error;
877 }
878 }
879
880 ASSERT(conn->server_key->payload.data[0] != NULL);
881 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
882
883 memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
884
885 ret = -ENOMEM;
886 req = skcipher_request_alloc(conn->server_key->payload.data[0],
887 GFP_NOFS);
888 if (!req)
889 goto temporary_error;
890
891 sg_init_one(&sg[0], ticket, ticket_len);
892 skcipher_request_set_callback(req, 0, NULL, NULL);
893 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
894 crypto_skcipher_decrypt(req);
895 skcipher_request_free(req);
896
897 p = ticket;
898 end = p + ticket_len;
899
900#define Z(field) \
901 ({ \
902 u8 *__str = p; \
903 eproto = tracepoint_string("rxkad_bad_"#field); \
904 q = memchr(p, 0, end - p); \
905 if (!q || q - p > (field##_SZ)) \
906 goto bad_ticket; \
907 for (; p < q; p++) \
908 if (!isprint(*p)) \
909 goto bad_ticket; \
910 p++; \
911 __str; \
912 })
913
914
915 _debug("KIV FLAGS: %x", *p);
916 little_endian = *p & 1;
917 p++;
918
919
920 name = Z(ANAME);
921 _debug("KIV ANAME: %s", name);
922
923
924 name = Z(INST);
925 _debug("KIV INST : %s", name);
926
927
928 name = Z(REALM);
929 _debug("KIV REALM: %s", name);
930
931 eproto = tracepoint_string("rxkad_bad_len");
932 if (end - p < 4 + 8 + 4 + 2)
933 goto bad_ticket;
934
935
936 memcpy(&addr, p, sizeof(addr));
937 p += 4;
938 _debug("KIV ADDR : %pI4", &addr);
939
940
941 memcpy(&key, p, sizeof(key));
942 p += 8;
943 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
944 memcpy(_session_key, &key, sizeof(key));
945
946
947 life = *p++ * 5 * 60;
948 _debug("KIV LIFE : %u", life);
949
950
951 if (little_endian) {
952 __le32 stamp;
953 memcpy(&stamp, p, 4);
954 issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
955 } else {
956 __be32 stamp;
957 memcpy(&stamp, p, 4);
958 issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
959 }
960 p += 4;
961 now = ktime_get_real_seconds();
962 _debug("KIV ISSUE: %llx [%llx]", issue, now);
963
964
965 if (issue > now) {
966 abort_code = RXKADNOAUTH;
967 ret = -EKEYREJECTED;
968 goto other_error;
969 }
970
971 if (issue < now - life) {
972 abort_code = RXKADEXPIRED;
973 ret = -EKEYEXPIRED;
974 goto other_error;
975 }
976
977 *_expiry = issue + life;
978
979
980 name = Z(SNAME);
981 _debug("KIV SNAME: %s", name);
982
983
984 name = Z(INST);
985 _debug("KIV SINST: %s", name);
986 return 0;
987
988bad_ticket:
989 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
990 abort_code = RXKADBADTICKET;
991 ret = -EPROTO;
992other_error:
993 *_abort_code = abort_code;
994 return ret;
995temporary_error:
996 return ret;
997}
998
999
1000
1001
1002static void rxkad_decrypt_response(struct rxrpc_connection *conn,
1003 struct rxkad_response *resp,
1004 const struct rxrpc_crypt *session_key)
1005{
1006 SYNC_SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci);
1007 struct scatterlist sg[1];
1008 struct rxrpc_crypt iv;
1009
1010 _enter(",,%08x%08x",
1011 ntohl(session_key->n[0]), ntohl(session_key->n[1]));
1012
1013 ASSERT(rxkad_ci != NULL);
1014
1015 mutex_lock(&rxkad_ci_mutex);
1016 if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
1017 sizeof(*session_key)) < 0)
1018 BUG();
1019
1020 memcpy(&iv, session_key, sizeof(iv));
1021
1022 sg_init_table(sg, 1);
1023 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1024 skcipher_request_set_sync_tfm(req, rxkad_ci);
1025 skcipher_request_set_callback(req, 0, NULL, NULL);
1026 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1027 crypto_skcipher_decrypt(req);
1028 skcipher_request_zero(req);
1029
1030 mutex_unlock(&rxkad_ci_mutex);
1031
1032 _leave("");
1033}
1034
1035
1036
1037
1038static int rxkad_verify_response(struct rxrpc_connection *conn,
1039 struct sk_buff *skb,
1040 u32 *_abort_code)
1041{
1042 struct rxkad_response *response;
1043 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1044 struct rxrpc_crypt session_key;
1045 const char *eproto;
1046 time64_t expiry;
1047 void *ticket;
1048 u32 abort_code, version, kvno, ticket_len, level;
1049 __be32 csum;
1050 int ret, i;
1051
1052 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
1053
1054 ret = -ENOMEM;
1055 response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1056 if (!response)
1057 goto temporary_error;
1058
1059 eproto = tracepoint_string("rxkad_rsp_short");
1060 abort_code = RXKADPACKETSHORT;
1061 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1062 response, sizeof(*response)) < 0)
1063 goto protocol_error;
1064 if (!pskb_pull(skb, sizeof(*response)))
1065 BUG();
1066
1067 version = ntohl(response->version);
1068 ticket_len = ntohl(response->ticket_len);
1069 kvno = ntohl(response->kvno);
1070 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1071 sp->hdr.serial, version, kvno, ticket_len);
1072
1073 eproto = tracepoint_string("rxkad_rsp_ver");
1074 abort_code = RXKADINCONSISTENCY;
1075 if (version != RXKAD_VERSION)
1076 goto protocol_error;
1077
1078 eproto = tracepoint_string("rxkad_rsp_tktlen");
1079 abort_code = RXKADTICKETLEN;
1080 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1081 goto protocol_error;
1082
1083 eproto = tracepoint_string("rxkad_rsp_unkkey");
1084 abort_code = RXKADUNKNOWNKEY;
1085 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1086 goto protocol_error;
1087
1088
1089 ret = -ENOMEM;
1090 ticket = kmalloc(ticket_len, GFP_NOFS);
1091 if (!ticket)
1092 goto temporary_error;
1093
1094 eproto = tracepoint_string("rxkad_tkt_short");
1095 abort_code = RXKADPACKETSHORT;
1096 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1097 ticket, ticket_len) < 0)
1098 goto protocol_error_free;
1099
1100 ret = rxkad_decrypt_ticket(conn, skb, ticket, ticket_len, &session_key,
1101 &expiry, _abort_code);
1102 if (ret < 0)
1103 goto temporary_error_free_resp;
1104
1105
1106
1107 rxkad_decrypt_response(conn, response, &session_key);
1108
1109 eproto = tracepoint_string("rxkad_rsp_param");
1110 abort_code = RXKADSEALEDINCON;
1111 if (ntohl(response->encrypted.epoch) != conn->proto.epoch)
1112 goto protocol_error_free;
1113 if (ntohl(response->encrypted.cid) != conn->proto.cid)
1114 goto protocol_error_free;
1115 if (ntohl(response->encrypted.securityIndex) != conn->security_ix)
1116 goto protocol_error_free;
1117 csum = response->encrypted.checksum;
1118 response->encrypted.checksum = 0;
1119 rxkad_calc_response_checksum(response);
1120 eproto = tracepoint_string("rxkad_rsp_csum");
1121 if (response->encrypted.checksum != csum)
1122 goto protocol_error_free;
1123
1124 spin_lock(&conn->channel_lock);
1125 for (i = 0; i < RXRPC_MAXCALLS; i++) {
1126 struct rxrpc_call *call;
1127 u32 call_id = ntohl(response->encrypted.call_id[i]);
1128
1129 eproto = tracepoint_string("rxkad_rsp_callid");
1130 if (call_id > INT_MAX)
1131 goto protocol_error_unlock;
1132
1133 eproto = tracepoint_string("rxkad_rsp_callctr");
1134 if (call_id < conn->channels[i].call_counter)
1135 goto protocol_error_unlock;
1136
1137 eproto = tracepoint_string("rxkad_rsp_callst");
1138 if (call_id > conn->channels[i].call_counter) {
1139 call = rcu_dereference_protected(
1140 conn->channels[i].call,
1141 lockdep_is_held(&conn->channel_lock));
1142 if (call && call->state < RXRPC_CALL_COMPLETE)
1143 goto protocol_error_unlock;
1144 conn->channels[i].call_counter = call_id;
1145 }
1146 }
1147 spin_unlock(&conn->channel_lock);
1148
1149 eproto = tracepoint_string("rxkad_rsp_seq");
1150 abort_code = RXKADOUTOFSEQUENCE;
1151 if (ntohl(response->encrypted.inc_nonce) != conn->security_nonce + 1)
1152 goto protocol_error_free;
1153
1154 eproto = tracepoint_string("rxkad_rsp_level");
1155 abort_code = RXKADLEVELFAIL;
1156 level = ntohl(response->encrypted.level);
1157 if (level > RXRPC_SECURITY_ENCRYPT)
1158 goto protocol_error_free;
1159 conn->params.security_level = level;
1160
1161
1162
1163
1164 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1165 if (ret < 0)
1166 goto temporary_error_free_ticket;
1167
1168 kfree(ticket);
1169 kfree(response);
1170 _leave(" = 0");
1171 return 0;
1172
1173protocol_error_unlock:
1174 spin_unlock(&conn->channel_lock);
1175protocol_error_free:
1176 kfree(ticket);
1177protocol_error:
1178 kfree(response);
1179 trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1180 *_abort_code = abort_code;
1181 return -EPROTO;
1182
1183temporary_error_free_ticket:
1184 kfree(ticket);
1185temporary_error_free_resp:
1186 kfree(response);
1187temporary_error:
1188
1189
1190
1191
1192 return ret;
1193}
1194
1195
1196
1197
1198static void rxkad_clear(struct rxrpc_connection *conn)
1199{
1200 _enter("");
1201
1202 if (conn->cipher)
1203 crypto_free_sync_skcipher(conn->cipher);
1204}
1205
1206
1207
1208
1209static int rxkad_init(void)
1210{
1211
1212
1213 rxkad_ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
1214 return PTR_ERR_OR_ZERO(rxkad_ci);
1215}
1216
1217
1218
1219
1220static void rxkad_exit(void)
1221{
1222 if (rxkad_ci)
1223 crypto_free_sync_skcipher(rxkad_ci);
1224}
1225
1226
1227
1228
1229const struct rxrpc_security rxkad = {
1230 .name = "rxkad",
1231 .security_index = RXRPC_SECURITY_RXKAD,
1232 .init = rxkad_init,
1233 .exit = rxkad_exit,
1234 .init_connection_security = rxkad_init_connection_security,
1235 .prime_packet_security = rxkad_prime_packet_security,
1236 .secure_packet = rxkad_secure_packet,
1237 .verify_packet = rxkad_verify_packet,
1238 .locate_data = rxkad_locate_data,
1239 .issue_challenge = rxkad_issue_challenge,
1240 .respond_to_challenge = rxkad_respond_to_challenge,
1241 .verify_response = rxkad_verify_response,
1242 .clear = rxkad_clear,
1243};
1244