1
2
3
4
5
6
7
8
9
10
11
12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13
14#include <crypto/skcipher.h>
15#include <linux/module.h>
16#include <linux/net.h>
17#include <linux/skbuff.h>
18#include <linux/udp.h>
19#include <linux/scatterlist.h>
20#include <linux/ctype.h>
21#include <linux/slab.h>
22#include <net/sock.h>
23#include <net/af_rxrpc.h>
24#include <keys/rxrpc-type.h>
25#include "ar-internal.h"
26
27#define RXKAD_VERSION 2
28#define MAXKRB5TICKETLEN 1024
29#define RXKAD_TKT_TYPE_KERBEROS_V5 256
30#define ANAME_SZ 40
31#define INST_SZ 40
32#define REALM_SZ 40
33#define SNAME_SZ 40
34
35struct rxkad_level1_hdr {
36 __be32 data_size;
37};
38
39struct rxkad_level2_hdr {
40 __be32 data_size;
41 __be32 checksum;
42};
43
44
45
46
47
48
49static struct crypto_skcipher *rxkad_ci;
50static DEFINE_MUTEX(rxkad_ci_mutex);
51
52
53
54
55static int rxkad_init_connection_security(struct rxrpc_connection *conn)
56{
57 struct crypto_skcipher *ci;
58 struct rxrpc_key_token *token;
59 int ret;
60
61 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
62
63 token = conn->params.key->payload.data[0];
64 conn->security_ix = token->security_index;
65
66 ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
67 if (IS_ERR(ci)) {
68 _debug("no cipher");
69 ret = PTR_ERR(ci);
70 goto error;
71 }
72
73 if (crypto_skcipher_setkey(ci, token->kad->session_key,
74 sizeof(token->kad->session_key)) < 0)
75 BUG();
76
77 switch (conn->params.security_level) {
78 case RXRPC_SECURITY_PLAIN:
79 break;
80 case RXRPC_SECURITY_AUTH:
81 conn->size_align = 8;
82 conn->security_size = sizeof(struct rxkad_level1_hdr);
83 break;
84 case RXRPC_SECURITY_ENCRYPT:
85 conn->size_align = 8;
86 conn->security_size = sizeof(struct rxkad_level2_hdr);
87 break;
88 default:
89 ret = -EKEYREJECTED;
90 goto error;
91 }
92
93 conn->cipher = ci;
94 ret = 0;
95error:
96 _leave(" = %d", ret);
97 return ret;
98}
99
100
101
102
103
104static int rxkad_prime_packet_security(struct rxrpc_connection *conn)
105{
106 struct rxrpc_key_token *token;
107 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
108 struct scatterlist sg;
109 struct rxrpc_crypt iv;
110 __be32 *tmpbuf;
111 size_t tmpsize = 4 * sizeof(__be32);
112
113 _enter("");
114
115 if (!conn->params.key)
116 return 0;
117
118 tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
119 if (!tmpbuf)
120 return -ENOMEM;
121
122 token = conn->params.key->payload.data[0];
123 memcpy(&iv, token->kad->session_key, sizeof(iv));
124
125 tmpbuf[0] = htonl(conn->proto.epoch);
126 tmpbuf[1] = htonl(conn->proto.cid);
127 tmpbuf[2] = 0;
128 tmpbuf[3] = htonl(conn->security_ix);
129
130 sg_init_one(&sg, tmpbuf, tmpsize);
131 skcipher_request_set_tfm(req, conn->cipher);
132 skcipher_request_set_callback(req, 0, NULL, NULL);
133 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
134 crypto_skcipher_encrypt(req);
135 skcipher_request_zero(req);
136
137 memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv));
138 kfree(tmpbuf);
139 _leave(" = 0");
140 return 0;
141}
142
143
144
145
146static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
147 struct sk_buff *skb,
148 u32 data_size,
149 void *sechdr)
150{
151 struct rxrpc_skb_priv *sp;
152 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
153 struct rxkad_level1_hdr hdr;
154 struct rxrpc_crypt iv;
155 struct scatterlist sg;
156 u16 check;
157
158 sp = rxrpc_skb(skb);
159
160 _enter("");
161
162 check = sp->hdr.seq ^ call->call_id;
163 data_size |= (u32)check << 16;
164
165 hdr.data_size = htonl(data_size);
166 memcpy(sechdr, &hdr, sizeof(hdr));
167
168
169 memset(&iv, 0, sizeof(iv));
170
171 sg_init_one(&sg, sechdr, 8);
172 skcipher_request_set_tfm(req, call->conn->cipher);
173 skcipher_request_set_callback(req, 0, NULL, NULL);
174 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
175 crypto_skcipher_encrypt(req);
176 skcipher_request_zero(req);
177
178 _leave(" = 0");
179 return 0;
180}
181
182
183
184
185static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
186 struct sk_buff *skb,
187 u32 data_size,
188 void *sechdr)
189{
190 const struct rxrpc_key_token *token;
191 struct rxkad_level2_hdr rxkhdr;
192 struct rxrpc_skb_priv *sp;
193 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
194 struct rxrpc_crypt iv;
195 struct scatterlist sg[16];
196 struct sk_buff *trailer;
197 unsigned int len;
198 u16 check;
199 int nsg;
200 int err;
201
202 sp = rxrpc_skb(skb);
203
204 _enter("");
205
206 check = sp->hdr.seq ^ call->call_id;
207
208 rxkhdr.data_size = htonl(data_size | (u32)check << 16);
209 rxkhdr.checksum = 0;
210 memcpy(sechdr, &rxkhdr, sizeof(rxkhdr));
211
212
213 token = call->conn->params.key->payload.data[0];
214 memcpy(&iv, token->kad->session_key, sizeof(iv));
215
216 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
217 skcipher_request_set_tfm(req, call->conn->cipher);
218 skcipher_request_set_callback(req, 0, NULL, NULL);
219 skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
220 crypto_skcipher_encrypt(req);
221
222
223 nsg = skb_cow_data(skb, 0, &trailer);
224 err = -ENOMEM;
225 if (nsg < 0 || nsg > 16)
226 goto out;
227
228 len = data_size + call->conn->size_align - 1;
229 len &= ~(call->conn->size_align - 1);
230
231 sg_init_table(sg, nsg);
232 skb_to_sgvec(skb, sg, 0, len);
233 skcipher_request_set_crypt(req, sg, sg, len, iv.x);
234 crypto_skcipher_encrypt(req);
235
236 _leave(" = 0");
237 err = 0;
238
239out:
240 skcipher_request_zero(req);
241 return err;
242}
243
244
245
246
247static int rxkad_secure_packet(struct rxrpc_call *call,
248 struct sk_buff *skb,
249 size_t data_size,
250 void *sechdr)
251{
252 struct rxrpc_skb_priv *sp;
253 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
254 struct rxrpc_crypt iv;
255 struct scatterlist sg;
256 u32 x, y;
257 int ret;
258
259 sp = rxrpc_skb(skb);
260
261 _enter("{%d{%x}},{#%u},%zu,",
262 call->debug_id, key_serial(call->conn->params.key),
263 sp->hdr.seq, data_size);
264
265 if (!call->conn->cipher)
266 return 0;
267
268 ret = key_validate(call->conn->params.key);
269 if (ret < 0)
270 return ret;
271
272
273 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
274
275
276 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
277 x |= sp->hdr.seq & 0x3fffffff;
278 call->crypto_buf[0] = htonl(call->call_id);
279 call->crypto_buf[1] = htonl(x);
280
281 sg_init_one(&sg, call->crypto_buf, 8);
282 skcipher_request_set_tfm(req, call->conn->cipher);
283 skcipher_request_set_callback(req, 0, NULL, NULL);
284 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
285 crypto_skcipher_encrypt(req);
286 skcipher_request_zero(req);
287
288 y = ntohl(call->crypto_buf[1]);
289 y = (y >> 16) & 0xffff;
290 if (y == 0)
291 y = 1;
292 sp->hdr.cksum = y;
293
294 switch (call->conn->params.security_level) {
295 case RXRPC_SECURITY_PLAIN:
296 ret = 0;
297 break;
298 case RXRPC_SECURITY_AUTH:
299 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr);
300 break;
301 case RXRPC_SECURITY_ENCRYPT:
302 ret = rxkad_secure_packet_encrypt(call, skb, data_size,
303 sechdr);
304 break;
305 default:
306 ret = -EPERM;
307 break;
308 }
309
310 _leave(" = %d [set %hx]", ret, y);
311 return ret;
312}
313
314
315
316
317static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
318 unsigned int offset, unsigned int len,
319 rxrpc_seq_t seq)
320{
321 struct rxkad_level1_hdr sechdr;
322 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
323 struct rxrpc_crypt iv;
324 struct scatterlist sg[16];
325 struct sk_buff *trailer;
326 u32 data_size, buf;
327 u16 check;
328 int nsg;
329
330 _enter("");
331
332 if (len < 8) {
333 rxrpc_abort_call("V1H", call, seq, RXKADSEALEDINCON, EPROTO);
334 goto protocol_error;
335 }
336
337
338
339
340 nsg = skb_cow_data(skb, 0, &trailer);
341 if (nsg < 0 || nsg > 16)
342 goto nomem;
343
344 sg_init_table(sg, nsg);
345 skb_to_sgvec(skb, sg, offset, 8);
346
347
348 memset(&iv, 0, sizeof(iv));
349
350 skcipher_request_set_tfm(req, call->conn->cipher);
351 skcipher_request_set_callback(req, 0, NULL, NULL);
352 skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
353 crypto_skcipher_decrypt(req);
354 skcipher_request_zero(req);
355
356
357 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
358 rxrpc_abort_call("XV1", call, seq, RXKADDATALEN, EPROTO);
359 goto protocol_error;
360 }
361 offset += sizeof(sechdr);
362 len -= sizeof(sechdr);
363
364 buf = ntohl(sechdr.data_size);
365 data_size = buf & 0xffff;
366
367 check = buf >> 16;
368 check ^= seq ^ call->call_id;
369 check &= 0xffff;
370 if (check != 0) {
371 rxrpc_abort_call("V1C", call, seq, RXKADSEALEDINCON, EPROTO);
372 goto protocol_error;
373 }
374
375 if (data_size > len) {
376 rxrpc_abort_call("V1L", call, seq, RXKADDATALEN, EPROTO);
377 goto protocol_error;
378 }
379
380 _leave(" = 0 [dlen=%x]", data_size);
381 return 0;
382
383protocol_error:
384 rxrpc_send_abort_packet(call);
385 _leave(" = -EPROTO");
386 return -EPROTO;
387
388nomem:
389 _leave(" = -ENOMEM");
390 return -ENOMEM;
391}
392
393
394
395
396static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
397 unsigned int offset, unsigned int len,
398 rxrpc_seq_t seq)
399{
400 const struct rxrpc_key_token *token;
401 struct rxkad_level2_hdr sechdr;
402 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
403 struct rxrpc_crypt iv;
404 struct scatterlist _sg[4], *sg;
405 struct sk_buff *trailer;
406 u32 data_size, buf;
407 u16 check;
408 int nsg;
409
410 _enter(",{%d}", skb->len);
411
412 if (len < 8) {
413 rxrpc_abort_call("V2H", call, seq, RXKADSEALEDINCON, EPROTO);
414 goto protocol_error;
415 }
416
417
418
419
420 nsg = skb_cow_data(skb, 0, &trailer);
421 if (nsg < 0)
422 goto nomem;
423
424 sg = _sg;
425 if (unlikely(nsg > 4)) {
426 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO);
427 if (!sg)
428 goto nomem;
429 }
430
431 sg_init_table(sg, nsg);
432 skb_to_sgvec(skb, sg, offset, len);
433
434
435 token = call->conn->params.key->payload.data[0];
436 memcpy(&iv, token->kad->session_key, sizeof(iv));
437
438 skcipher_request_set_tfm(req, call->conn->cipher);
439 skcipher_request_set_callback(req, 0, NULL, NULL);
440 skcipher_request_set_crypt(req, sg, sg, len, iv.x);
441 crypto_skcipher_decrypt(req);
442 skcipher_request_zero(req);
443 if (sg != _sg)
444 kfree(sg);
445
446
447 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
448 rxrpc_abort_call("XV2", call, seq, RXKADDATALEN, EPROTO);
449 goto protocol_error;
450 }
451 offset += sizeof(sechdr);
452 len -= sizeof(sechdr);
453
454 buf = ntohl(sechdr.data_size);
455 data_size = buf & 0xffff;
456
457 check = buf >> 16;
458 check ^= seq ^ call->call_id;
459 check &= 0xffff;
460 if (check != 0) {
461 rxrpc_abort_call("V2C", call, seq, RXKADSEALEDINCON, EPROTO);
462 goto protocol_error;
463 }
464
465 if (data_size > len) {
466 rxrpc_abort_call("V2L", call, seq, RXKADDATALEN, EPROTO);
467 goto protocol_error;
468 }
469
470 _leave(" = 0 [dlen=%x]", data_size);
471 return 0;
472
473protocol_error:
474 rxrpc_send_abort_packet(call);
475 _leave(" = -EPROTO");
476 return -EPROTO;
477
478nomem:
479 _leave(" = -ENOMEM");
480 return -ENOMEM;
481}
482
483
484
485
486
487static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb,
488 unsigned int offset, unsigned int len,
489 rxrpc_seq_t seq, u16 expected_cksum)
490{
491 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
492 struct rxrpc_crypt iv;
493 struct scatterlist sg;
494 u16 cksum;
495 u32 x, y;
496
497 _enter("{%d{%x}},{#%u}",
498 call->debug_id, key_serial(call->conn->params.key), seq);
499
500 if (!call->conn->cipher)
501 return 0;
502
503
504 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
505
506
507 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
508 x |= seq & 0x3fffffff;
509 call->crypto_buf[0] = htonl(call->call_id);
510 call->crypto_buf[1] = htonl(x);
511
512 sg_init_one(&sg, call->crypto_buf, 8);
513 skcipher_request_set_tfm(req, call->conn->cipher);
514 skcipher_request_set_callback(req, 0, NULL, NULL);
515 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
516 crypto_skcipher_encrypt(req);
517 skcipher_request_zero(req);
518
519 y = ntohl(call->crypto_buf[1]);
520 cksum = (y >> 16) & 0xffff;
521 if (cksum == 0)
522 cksum = 1;
523
524 if (cksum != expected_cksum) {
525 rxrpc_abort_call("VCK", call, seq, RXKADSEALEDINCON, EPROTO);
526 rxrpc_send_abort_packet(call);
527 _leave(" = -EPROTO [csum failed]");
528 return -EPROTO;
529 }
530
531 switch (call->conn->params.security_level) {
532 case RXRPC_SECURITY_PLAIN:
533 return 0;
534 case RXRPC_SECURITY_AUTH:
535 return rxkad_verify_packet_1(call, skb, offset, len, seq);
536 case RXRPC_SECURITY_ENCRYPT:
537 return rxkad_verify_packet_2(call, skb, offset, len, seq);
538 default:
539 return -ENOANO;
540 }
541}
542
543
544
545
546static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb,
547 unsigned int *_offset, unsigned int *_len)
548{
549 struct rxkad_level1_hdr sechdr;
550
551 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
552 BUG();
553 *_offset += sizeof(sechdr);
554 *_len = ntohl(sechdr.data_size) & 0xffff;
555}
556
557
558
559
560static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb,
561 unsigned int *_offset, unsigned int *_len)
562{
563 struct rxkad_level2_hdr sechdr;
564
565 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
566 BUG();
567 *_offset += sizeof(sechdr);
568 *_len = ntohl(sechdr.data_size) & 0xffff;
569}
570
571
572
573
574static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb,
575 unsigned int *_offset, unsigned int *_len)
576{
577 switch (call->conn->params.security_level) {
578 case RXRPC_SECURITY_AUTH:
579 rxkad_locate_data_1(call, skb, _offset, _len);
580 return;
581 case RXRPC_SECURITY_ENCRYPT:
582 rxkad_locate_data_2(call, skb, _offset, _len);
583 return;
584 default:
585 return;
586 }
587}
588
589
590
591
592static int rxkad_issue_challenge(struct rxrpc_connection *conn)
593{
594 struct rxkad_challenge challenge;
595 struct rxrpc_wire_header whdr;
596 struct msghdr msg;
597 struct kvec iov[2];
598 size_t len;
599 u32 serial;
600 int ret;
601
602 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
603
604 ret = key_validate(conn->params.key);
605 if (ret < 0)
606 return ret;
607
608 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
609
610 challenge.version = htonl(2);
611 challenge.nonce = htonl(conn->security_nonce);
612 challenge.min_level = htonl(0);
613 challenge.__padding = 0;
614
615 msg.msg_name = &conn->params.peer->srx.transport.sin;
616 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin);
617 msg.msg_control = NULL;
618 msg.msg_controllen = 0;
619 msg.msg_flags = 0;
620
621 whdr.epoch = htonl(conn->proto.epoch);
622 whdr.cid = htonl(conn->proto.cid);
623 whdr.callNumber = 0;
624 whdr.seq = 0;
625 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE;
626 whdr.flags = conn->out_clientflag;
627 whdr.userStatus = 0;
628 whdr.securityIndex = conn->security_ix;
629 whdr._rsvd = 0;
630 whdr.serviceId = htons(conn->params.service_id);
631
632 iov[0].iov_base = &whdr;
633 iov[0].iov_len = sizeof(whdr);
634 iov[1].iov_base = &challenge;
635 iov[1].iov_len = sizeof(challenge);
636
637 len = iov[0].iov_len + iov[1].iov_len;
638
639 serial = atomic_inc_return(&conn->serial);
640 whdr.serial = htonl(serial);
641 _proto("Tx CHALLENGE %%%u", serial);
642
643 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
644 if (ret < 0) {
645 _debug("sendmsg failed: %d", ret);
646 return -EAGAIN;
647 }
648
649 _leave(" = 0");
650 return 0;
651}
652
653
654
655
656static int rxkad_send_response(struct rxrpc_connection *conn,
657 struct rxrpc_host_header *hdr,
658 struct rxkad_response *resp,
659 const struct rxkad_key *s2)
660{
661 struct rxrpc_wire_header whdr;
662 struct msghdr msg;
663 struct kvec iov[3];
664 size_t len;
665 u32 serial;
666 int ret;
667
668 _enter("");
669
670 msg.msg_name = &conn->params.peer->srx.transport.sin;
671 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin);
672 msg.msg_control = NULL;
673 msg.msg_controllen = 0;
674 msg.msg_flags = 0;
675
676 memset(&whdr, 0, sizeof(whdr));
677 whdr.epoch = htonl(hdr->epoch);
678 whdr.cid = htonl(hdr->cid);
679 whdr.type = RXRPC_PACKET_TYPE_RESPONSE;
680 whdr.flags = conn->out_clientflag;
681 whdr.securityIndex = hdr->securityIndex;
682 whdr.serviceId = htons(hdr->serviceId);
683
684 iov[0].iov_base = &whdr;
685 iov[0].iov_len = sizeof(whdr);
686 iov[1].iov_base = resp;
687 iov[1].iov_len = sizeof(*resp);
688 iov[2].iov_base = (void *)s2->ticket;
689 iov[2].iov_len = s2->ticket_len;
690
691 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
692
693 serial = atomic_inc_return(&conn->serial);
694 whdr.serial = htonl(serial);
695 _proto("Tx RESPONSE %%%u", serial);
696
697 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
698 if (ret < 0) {
699 _debug("sendmsg failed: %d", ret);
700 return -EAGAIN;
701 }
702
703 _leave(" = 0");
704 return 0;
705}
706
707
708
709
710static void rxkad_calc_response_checksum(struct rxkad_response *response)
711{
712 u32 csum = 1000003;
713 int loop;
714 u8 *p = (u8 *) response;
715
716 for (loop = sizeof(*response); loop > 0; loop--)
717 csum = csum * 0x10204081 + *p++;
718
719 response->encrypted.checksum = htonl(csum);
720}
721
722
723
724
725static void rxkad_encrypt_response(struct rxrpc_connection *conn,
726 struct rxkad_response *resp,
727 const struct rxkad_key *s2)
728{
729 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
730 struct rxrpc_crypt iv;
731 struct scatterlist sg[1];
732
733
734 memcpy(&iv, s2->session_key, sizeof(iv));
735
736 sg_init_table(sg, 1);
737 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
738 skcipher_request_set_tfm(req, conn->cipher);
739 skcipher_request_set_callback(req, 0, NULL, NULL);
740 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
741 crypto_skcipher_encrypt(req);
742 skcipher_request_zero(req);
743}
744
745
746
747
748static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
749 struct sk_buff *skb,
750 u32 *_abort_code)
751{
752 const struct rxrpc_key_token *token;
753 struct rxkad_challenge challenge;
754 struct rxkad_response resp
755 __attribute__((aligned(8)));
756 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
757 u32 version, nonce, min_level, abort_code;
758 int ret;
759
760 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
761
762 if (!conn->params.key) {
763 _leave(" = -EPROTO [no key]");
764 return -EPROTO;
765 }
766
767 ret = key_validate(conn->params.key);
768 if (ret < 0) {
769 *_abort_code = RXKADEXPIRED;
770 return ret;
771 }
772
773 abort_code = RXKADPACKETSHORT;
774 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
775 &challenge, sizeof(challenge)) < 0)
776 goto protocol_error;
777
778 version = ntohl(challenge.version);
779 nonce = ntohl(challenge.nonce);
780 min_level = ntohl(challenge.min_level);
781
782 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
783 sp->hdr.serial, version, nonce, min_level);
784
785 abort_code = RXKADINCONSISTENCY;
786 if (version != RXKAD_VERSION)
787 goto protocol_error;
788
789 abort_code = RXKADLEVELFAIL;
790 if (conn->params.security_level < min_level)
791 goto protocol_error;
792
793 token = conn->params.key->payload.data[0];
794
795
796 memset(&resp, 0, sizeof(resp));
797
798 resp.version = htonl(RXKAD_VERSION);
799 resp.encrypted.epoch = htonl(conn->proto.epoch);
800 resp.encrypted.cid = htonl(conn->proto.cid);
801 resp.encrypted.securityIndex = htonl(conn->security_ix);
802 resp.encrypted.inc_nonce = htonl(nonce + 1);
803 resp.encrypted.level = htonl(conn->params.security_level);
804 resp.kvno = htonl(token->kad->kvno);
805 resp.ticket_len = htonl(token->kad->ticket_len);
806
807 resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
808 resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
809 resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
810 resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
811
812
813 rxkad_calc_response_checksum(&resp);
814 rxkad_encrypt_response(conn, &resp, token->kad);
815 return rxkad_send_response(conn, &sp->hdr, &resp, token->kad);
816
817protocol_error:
818 *_abort_code = abort_code;
819 _leave(" = -EPROTO [%d]", abort_code);
820 return -EPROTO;
821}
822
823
824
825
826static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
827 void *ticket, size_t ticket_len,
828 struct rxrpc_crypt *_session_key,
829 time_t *_expiry,
830 u32 *_abort_code)
831{
832 struct skcipher_request *req;
833 struct rxrpc_crypt iv, key;
834 struct scatterlist sg[1];
835 struct in_addr addr;
836 unsigned int life;
837 time_t issue, now;
838 bool little_endian;
839 int ret;
840 u8 *p, *q, *name, *end;
841
842 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
843
844 *_expiry = 0;
845
846 ret = key_validate(conn->server_key);
847 if (ret < 0) {
848 switch (ret) {
849 case -EKEYEXPIRED:
850 *_abort_code = RXKADEXPIRED;
851 goto error;
852 default:
853 *_abort_code = RXKADNOAUTH;
854 goto error;
855 }
856 }
857
858 ASSERT(conn->server_key->payload.data[0] != NULL);
859 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
860
861 memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
862
863 req = skcipher_request_alloc(conn->server_key->payload.data[0],
864 GFP_NOFS);
865 if (!req) {
866 *_abort_code = RXKADNOAUTH;
867 ret = -ENOMEM;
868 goto error;
869 }
870
871 sg_init_one(&sg[0], ticket, ticket_len);
872 skcipher_request_set_callback(req, 0, NULL, NULL);
873 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
874 crypto_skcipher_decrypt(req);
875 skcipher_request_free(req);
876
877 p = ticket;
878 end = p + ticket_len;
879
880#define Z(size) \
881 ({ \
882 u8 *__str = p; \
883 q = memchr(p, 0, end - p); \
884 if (!q || q - p > (size)) \
885 goto bad_ticket; \
886 for (; p < q; p++) \
887 if (!isprint(*p)) \
888 goto bad_ticket; \
889 p++; \
890 __str; \
891 })
892
893
894 _debug("KIV FLAGS: %x", *p);
895 little_endian = *p & 1;
896 p++;
897
898
899 name = Z(ANAME_SZ);
900 _debug("KIV ANAME: %s", name);
901
902
903 name = Z(INST_SZ);
904 _debug("KIV INST : %s", name);
905
906
907 name = Z(REALM_SZ);
908 _debug("KIV REALM: %s", name);
909
910 if (end - p < 4 + 8 + 4 + 2)
911 goto bad_ticket;
912
913
914 memcpy(&addr, p, sizeof(addr));
915 p += 4;
916 _debug("KIV ADDR : %pI4", &addr);
917
918
919 memcpy(&key, p, sizeof(key));
920 p += 8;
921 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
922 memcpy(_session_key, &key, sizeof(key));
923
924
925 life = *p++ * 5 * 60;
926 _debug("KIV LIFE : %u", life);
927
928
929 if (little_endian) {
930 __le32 stamp;
931 memcpy(&stamp, p, 4);
932 issue = le32_to_cpu(stamp);
933 } else {
934 __be32 stamp;
935 memcpy(&stamp, p, 4);
936 issue = be32_to_cpu(stamp);
937 }
938 p += 4;
939 now = get_seconds();
940 _debug("KIV ISSUE: %lx [%lx]", issue, now);
941
942
943 if (issue > now) {
944 *_abort_code = RXKADNOAUTH;
945 ret = -EKEYREJECTED;
946 goto error;
947 }
948
949 if (issue < now - life) {
950 *_abort_code = RXKADEXPIRED;
951 ret = -EKEYEXPIRED;
952 goto error;
953 }
954
955 *_expiry = issue + life;
956
957
958 name = Z(SNAME_SZ);
959 _debug("KIV SNAME: %s", name);
960
961
962 name = Z(INST_SZ);
963 _debug("KIV SINST: %s", name);
964
965 ret = 0;
966error:
967 _leave(" = %d", ret);
968 return ret;
969
970bad_ticket:
971 *_abort_code = RXKADBADTICKET;
972 ret = -EBADMSG;
973 goto error;
974}
975
976
977
978
979static void rxkad_decrypt_response(struct rxrpc_connection *conn,
980 struct rxkad_response *resp,
981 const struct rxrpc_crypt *session_key)
982{
983 SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci);
984 struct scatterlist sg[1];
985 struct rxrpc_crypt iv;
986
987 _enter(",,%08x%08x",
988 ntohl(session_key->n[0]), ntohl(session_key->n[1]));
989
990 ASSERT(rxkad_ci != NULL);
991
992 mutex_lock(&rxkad_ci_mutex);
993 if (crypto_skcipher_setkey(rxkad_ci, session_key->x,
994 sizeof(*session_key)) < 0)
995 BUG();
996
997 memcpy(&iv, session_key, sizeof(iv));
998
999 sg_init_table(sg, 1);
1000 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1001 skcipher_request_set_tfm(req, rxkad_ci);
1002 skcipher_request_set_callback(req, 0, NULL, NULL);
1003 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1004 crypto_skcipher_decrypt(req);
1005 skcipher_request_zero(req);
1006
1007 mutex_unlock(&rxkad_ci_mutex);
1008
1009 _leave("");
1010}
1011
1012
1013
1014
1015static int rxkad_verify_response(struct rxrpc_connection *conn,
1016 struct sk_buff *skb,
1017 u32 *_abort_code)
1018{
1019 struct rxkad_response response
1020 __attribute__((aligned(8)));
1021 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1022 struct rxrpc_crypt session_key;
1023 time_t expiry;
1024 void *ticket;
1025 u32 abort_code, version, kvno, ticket_len, level;
1026 __be32 csum;
1027 int ret, i;
1028
1029 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
1030
1031 abort_code = RXKADPACKETSHORT;
1032 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1033 &response, sizeof(response)) < 0)
1034 goto protocol_error;
1035 if (!pskb_pull(skb, sizeof(response)))
1036 BUG();
1037
1038 version = ntohl(response.version);
1039 ticket_len = ntohl(response.ticket_len);
1040 kvno = ntohl(response.kvno);
1041 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1042 sp->hdr.serial, version, kvno, ticket_len);
1043
1044 abort_code = RXKADINCONSISTENCY;
1045 if (version != RXKAD_VERSION)
1046 goto protocol_error;
1047
1048 abort_code = RXKADTICKETLEN;
1049 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1050 goto protocol_error;
1051
1052 abort_code = RXKADUNKNOWNKEY;
1053 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1054 goto protocol_error;
1055
1056
1057 ticket = kmalloc(ticket_len, GFP_NOFS);
1058 if (!ticket)
1059 return -ENOMEM;
1060
1061 abort_code = RXKADPACKETSHORT;
1062 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1063 ticket, ticket_len) < 0)
1064 goto protocol_error_free;
1065
1066 ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key,
1067 &expiry, &abort_code);
1068 if (ret < 0) {
1069 *_abort_code = abort_code;
1070 kfree(ticket);
1071 return ret;
1072 }
1073
1074
1075
1076 rxkad_decrypt_response(conn, &response, &session_key);
1077
1078 abort_code = RXKADSEALEDINCON;
1079 if (ntohl(response.encrypted.epoch) != conn->proto.epoch)
1080 goto protocol_error_free;
1081 if (ntohl(response.encrypted.cid) != conn->proto.cid)
1082 goto protocol_error_free;
1083 if (ntohl(response.encrypted.securityIndex) != conn->security_ix)
1084 goto protocol_error_free;
1085 csum = response.encrypted.checksum;
1086 response.encrypted.checksum = 0;
1087 rxkad_calc_response_checksum(&response);
1088 if (response.encrypted.checksum != csum)
1089 goto protocol_error_free;
1090
1091 spin_lock(&conn->channel_lock);
1092 for (i = 0; i < RXRPC_MAXCALLS; i++) {
1093 struct rxrpc_call *call;
1094 u32 call_id = ntohl(response.encrypted.call_id[i]);
1095
1096 if (call_id > INT_MAX)
1097 goto protocol_error_unlock;
1098
1099 if (call_id < conn->channels[i].call_counter)
1100 goto protocol_error_unlock;
1101 if (call_id > conn->channels[i].call_counter) {
1102 call = rcu_dereference_protected(
1103 conn->channels[i].call,
1104 lockdep_is_held(&conn->channel_lock));
1105 if (call && call->state < RXRPC_CALL_COMPLETE)
1106 goto protocol_error_unlock;
1107 conn->channels[i].call_counter = call_id;
1108 }
1109 }
1110 spin_unlock(&conn->channel_lock);
1111
1112 abort_code = RXKADOUTOFSEQUENCE;
1113 if (ntohl(response.encrypted.inc_nonce) != conn->security_nonce + 1)
1114 goto protocol_error_free;
1115
1116 abort_code = RXKADLEVELFAIL;
1117 level = ntohl(response.encrypted.level);
1118 if (level > RXRPC_SECURITY_ENCRYPT)
1119 goto protocol_error_free;
1120 conn->params.security_level = level;
1121
1122
1123
1124
1125 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1126 if (ret < 0) {
1127 kfree(ticket);
1128 return ret;
1129 }
1130
1131 kfree(ticket);
1132 _leave(" = 0");
1133 return 0;
1134
1135protocol_error_unlock:
1136 spin_unlock(&conn->channel_lock);
1137protocol_error_free:
1138 kfree(ticket);
1139protocol_error:
1140 *_abort_code = abort_code;
1141 _leave(" = -EPROTO [%d]", abort_code);
1142 return -EPROTO;
1143}
1144
1145
1146
1147
1148static void rxkad_clear(struct rxrpc_connection *conn)
1149{
1150 _enter("");
1151
1152 if (conn->cipher)
1153 crypto_free_skcipher(conn->cipher);
1154}
1155
1156
1157
1158
1159static int rxkad_init(void)
1160{
1161
1162
1163 rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
1164 return PTR_ERR_OR_ZERO(rxkad_ci);
1165}
1166
1167
1168
1169
1170static void rxkad_exit(void)
1171{
1172 if (rxkad_ci)
1173 crypto_free_skcipher(rxkad_ci);
1174}
1175
1176
1177
1178
1179const struct rxrpc_security rxkad = {
1180 .name = "rxkad",
1181 .security_index = RXRPC_SECURITY_RXKAD,
1182 .init = rxkad_init,
1183 .exit = rxkad_exit,
1184 .init_connection_security = rxkad_init_connection_security,
1185 .prime_packet_security = rxkad_prime_packet_security,
1186 .secure_packet = rxkad_secure_packet,
1187 .verify_packet = rxkad_verify_packet,
1188 .locate_data = rxkad_locate_data,
1189 .issue_challenge = rxkad_issue_challenge,
1190 .respond_to_challenge = rxkad_respond_to_challenge,
1191 .verify_response = rxkad_verify_response,
1192 .clear = rxkad_clear,
1193};
1194