]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blob - net/rxrpc/rxkad.c
projects / mirror_ubuntu-zesty-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
UBUNTU: [Debian] config-check -- Make it easier to find annotations syntax errors
[mirror_ubuntu-zesty-kernel.git] / net / rxrpc / rxkad.c
1 /* Kerberos-based RxRPC security
2 *
3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 */
11
12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13
14 #include <crypto/skcipher.h>
15 #include <linux/module.h>
16 #include <linux/net.h>
17 #include <linux/skbuff.h>
18 #include <linux/udp.h>
19 #include <linux/scatterlist.h>
20 #include <linux/ctype.h>
21 #include <linux/slab.h>
22 #include <net/sock.h>
23 #include <net/af_rxrpc.h>
24 #include <keys/rxrpc-type.h>
25 #include "ar-internal.h"
26
27 #define RXKAD_VERSION 2
28 #define MAXKRB5TICKETLEN 1024
29 #define RXKAD_TKT_TYPE_KERBEROS_V5 256
30 #define ANAME_SZ 40 /* size of authentication name */
31 #define INST_SZ 40 /* size of principal's instance */
32 #define REALM_SZ 40 /* size of principal's auth domain */
33 #define SNAME_SZ 40 /* size of service name */
34
35 struct rxkad_level1_hdr {
36 __be32 data_size; /* true data size (excluding padding) */
37 };
38
39 struct rxkad_level2_hdr {
40 __be32 data_size; /* true data size (excluding padding) */
41 __be32 checksum; /* decrypted data checksum */
42 };
43
44 /*
45 * this holds a pinned cipher so that keventd doesn't get called by the cipher
46 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
47 * packets
48 */
49 static struct crypto_skcipher *rxkad_ci;
50 static DEFINE_MUTEX(rxkad_ci_mutex);
51
52 /*
53 * initialise connection security
54 */
55 static int rxkad_init_connection_security(struct rxrpc_connection *conn)
56 {
57 struct crypto_skcipher *ci;
58 struct rxrpc_key_token *token;
59 int ret;
60
61 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
62
63 token = conn->params.key->payload.data[0];
64 conn->security_ix = token->security_index;
65
66 ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
67 if (IS_ERR(ci)) {
68 _debug("no cipher");
69 ret = PTR_ERR(ci);
70 goto error;
71 }
72
73 if (crypto_skcipher_setkey(ci, token->kad->session_key,
74 sizeof(token->kad->session_key)) < 0)
75 BUG();
76
77 switch (conn->params.security_level) {
78 case RXRPC_SECURITY_PLAIN:
79 break;
80 case RXRPC_SECURITY_AUTH:
81 conn->size_align = 8;
82 conn->security_size = sizeof(struct rxkad_level1_hdr);
83 break;
84 case RXRPC_SECURITY_ENCRYPT:
85 conn->size_align = 8;
86 conn->security_size = sizeof(struct rxkad_level2_hdr);
87 break;
88 default:
89 ret = -EKEYREJECTED;
90 goto error;
91 }
92
93 conn->cipher = ci;
94 ret = 0;
95 error:
96 _leave(" = %d", ret);
97 return ret;
98 }
99
100 /*
101 * prime the encryption state with the invariant parts of a connection's
102 * description
103 */
104 static int rxkad_prime_packet_security(struct rxrpc_connection *conn)
105 {
106 struct rxrpc_key_token *token;
107 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
108 struct scatterlist sg;
109 struct rxrpc_crypt iv;
110 __be32 *tmpbuf;
111 size_t tmpsize = 4 * sizeof(__be32);
112
113 _enter("");
114
115 if (!conn->params.key)
116 return 0;
117
118 tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
119 if (!tmpbuf)
120 return -ENOMEM;
121
122 token = conn->params.key->payload.data[0];
123 memcpy(&iv, token->kad->session_key, sizeof(iv));
124
125 tmpbuf[0] = htonl(conn->proto.epoch);
126 tmpbuf[1] = htonl(conn->proto.cid);
127 tmpbuf[2] = 0;
128 tmpbuf[3] = htonl(conn->security_ix);
129
130 sg_init_one(&sg, tmpbuf, tmpsize);
131 skcipher_request_set_tfm(req, conn->cipher);
132 skcipher_request_set_callback(req, 0, NULL, NULL);
133 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
134 crypto_skcipher_encrypt(req);
135 skcipher_request_zero(req);
136
137 memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv));
138 kfree(tmpbuf);
139 _leave(" = 0");
140 return 0;
141 }
142
143 /*
144 * partially encrypt a packet (level 1 security)
145 */
146 static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
147 struct sk_buff *skb,
148 u32 data_size,
149 void *sechdr)
150 {
151 struct rxrpc_skb_priv *sp;
152 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
153 struct rxkad_level1_hdr hdr;
154 struct rxrpc_crypt iv;
155 struct scatterlist sg;
156 u16 check;
157
158 sp = rxrpc_skb(skb);
159
160 _enter("");
161
162 check = sp->hdr.seq ^ call->call_id;
163 data_size |= (u32)check << 16;
164
165 hdr.data_size = htonl(data_size);
166 memcpy(sechdr, &hdr, sizeof(hdr));
167
168 /* start the encryption afresh */
169 memset(&iv, 0, sizeof(iv));
170
171 sg_init_one(&sg, sechdr, 8);
172 skcipher_request_set_tfm(req, call->conn->cipher);
173 skcipher_request_set_callback(req, 0, NULL, NULL);
174 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
175 crypto_skcipher_encrypt(req);
176 skcipher_request_zero(req);
177
178 _leave(" = 0");
179 return 0;
180 }
181
182 /*
183 * wholly encrypt a packet (level 2 security)
184 */
185 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
186 struct sk_buff *skb,
187 u32 data_size,
188 void *sechdr)
189 {
190 const struct rxrpc_key_token *token;
191 struct rxkad_level2_hdr rxkhdr;
192 struct rxrpc_skb_priv *sp;
193 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
194 struct rxrpc_crypt iv;
195 struct scatterlist sg[16];
196 struct sk_buff *trailer;
197 unsigned int len;
198 u16 check;
199 int nsg;
200 int err;
201
202 sp = rxrpc_skb(skb);
203
204 _enter("");
205
206 check = sp->hdr.seq ^ call->call_id;
207
208 rxkhdr.data_size = htonl(data_size | (u32)check << 16);
209 rxkhdr.checksum = 0;
210 memcpy(sechdr, &rxkhdr, sizeof(rxkhdr));
211
212 /* encrypt from the session key */
213 token = call->conn->params.key->payload.data[0];
214 memcpy(&iv, token->kad->session_key, sizeof(iv));
215
216 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
217 skcipher_request_set_tfm(req, call->conn->cipher);
218 skcipher_request_set_callback(req, 0, NULL, NULL);
219 skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
220 crypto_skcipher_encrypt(req);
221
222 /* we want to encrypt the skbuff in-place */
223 nsg = skb_cow_data(skb, 0, &trailer);
224 err = -ENOMEM;
225 if (nsg < 0 || nsg > 16)
226 goto out;
227
228 len = data_size + call->conn->size_align - 1;
229 len &= ~(call->conn->size_align - 1);
230
231 sg_init_table(sg, nsg);
232 skb_to_sgvec(skb, sg, 0, len);
233 skcipher_request_set_crypt(req, sg, sg, len, iv.x);
234 crypto_skcipher_encrypt(req);
235
236 _leave(" = 0");
237 err = 0;
238
239 out:
240 skcipher_request_zero(req);
241 return err;
242 }
243
244 /*
245 * checksum an RxRPC packet header
246 */
247 static int rxkad_secure_packet(struct rxrpc_call *call,
248 struct sk_buff *skb,
249 size_t data_size,
250 void *sechdr)
251 {
252 struct rxrpc_skb_priv *sp;
253 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
254 struct rxrpc_crypt iv;
255 struct scatterlist sg;
256 u32 x, y;
257 int ret;
258
259 sp = rxrpc_skb(skb);
260
261 _enter("{%d{%x}},{#%u},%zu,",
262 call->debug_id, key_serial(call->conn->params.key),
263 sp->hdr.seq, data_size);
264
265 if (!call->conn->cipher)
266 return 0;
267
268 ret = key_validate(call->conn->params.key);
269 if (ret < 0)
270 return ret;
271
272 /* continue encrypting from where we left off */
273 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
274
275 /* calculate the security checksum */
276 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
277 x |= sp->hdr.seq & 0x3fffffff;
278 call->crypto_buf[0] = htonl(call->call_id);
279 call->crypto_buf[1] = htonl(x);
280
281 sg_init_one(&sg, call->crypto_buf, 8);
282 skcipher_request_set_tfm(req, call->conn->cipher);
283 skcipher_request_set_callback(req, 0, NULL, NULL);
284 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
285 crypto_skcipher_encrypt(req);
286 skcipher_request_zero(req);
287
288 y = ntohl(call->crypto_buf[1]);
289 y = (y >> 16) & 0xffff;
290 if (y == 0)
291 y = 1; /* zero checksums are not permitted */
292 sp->hdr.cksum = y;
293
294 switch (call->conn->params.security_level) {
295 case RXRPC_SECURITY_PLAIN:
296 ret = 0;
297 break;
298 case RXRPC_SECURITY_AUTH:
299 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr);
300 break;
301 case RXRPC_SECURITY_ENCRYPT:
302 ret = rxkad_secure_packet_encrypt(call, skb, data_size,
303 sechdr);
304 break;
305 default:
306 ret = -EPERM;
307 break;
308 }
309
310 _leave(" = %d [set %hx]", ret, y);
311 return ret;
312 }
313
314 /*
315 * decrypt partial encryption on a packet (level 1 security)
316 */
317 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
318 unsigned int offset, unsigned int len,
319 rxrpc_seq_t seq)
320 {
321 struct rxkad_level1_hdr sechdr;
322 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
323 struct rxrpc_crypt iv;
324 struct scatterlist sg[16];
325 struct sk_buff *trailer;
326 u32 data_size, buf;
327 u16 check;
328 int nsg;
329
330 _enter("");
331
332 if (len < 8) {
333 rxrpc_abort_call("V1H", call, seq, RXKADSEALEDINCON, EPROTO);
334 goto protocol_error;
335 }
336
337 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
338 * directly into the target buffer.
339 */
340 nsg = skb_cow_data(skb, 0, &trailer);
341 if (nsg < 0 || nsg > 16)
342 goto nomem;
343
344 sg_init_table(sg, nsg);
345 skb_to_sgvec(skb, sg, offset, 8);
346
347 /* start the decryption afresh */
348 memset(&iv, 0, sizeof(iv));
349
350 skcipher_request_set_tfm(req, call->conn->cipher);
351 skcipher_request_set_callback(req, 0, NULL, NULL);
352 skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
353 crypto_skcipher_decrypt(req);
354 skcipher_request_zero(req);
355
356 /* Extract the decrypted packet length */
357 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
358 rxrpc_abort_call("XV1", call, seq, RXKADDATALEN, EPROTO);
359 goto protocol_error;
360 }
361 offset += sizeof(sechdr);
362 len -= sizeof(sechdr);
363
364 buf = ntohl(sechdr.data_size);
365 data_size = buf & 0xffff;
366
367 check = buf >> 16;
368 check ^= seq ^ call->call_id;
369 check &= 0xffff;
370 if (check != 0) {
371 rxrpc_abort_call("V1C", call, seq, RXKADSEALEDINCON, EPROTO);
372 goto protocol_error;
373 }
374
375 if (data_size > len) {
376 rxrpc_abort_call("V1L", call, seq, RXKADDATALEN, EPROTO);
377 goto protocol_error;
378 }
379
380 _leave(" = 0 [dlen=%x]", data_size);
381 return 0;
382
383 protocol_error:
384 rxrpc_send_abort_packet(call);
385 _leave(" = -EPROTO");
386 return -EPROTO;
387
388 nomem:
389 _leave(" = -ENOMEM");
390 return -ENOMEM;
391 }
392
393 /*
394 * wholly decrypt a packet (level 2 security)
395 */
396 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
397 unsigned int offset, unsigned int len,
398 rxrpc_seq_t seq)
399 {
400 const struct rxrpc_key_token *token;
401 struct rxkad_level2_hdr sechdr;
402 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
403 struct rxrpc_crypt iv;
404 struct scatterlist _sg[4], *sg;
405 struct sk_buff *trailer;
406 u32 data_size, buf;
407 u16 check;
408 int nsg;
409
410 _enter(",{%d}", skb->len);
411
412 if (len < 8) {
413 rxrpc_abort_call("V2H", call, seq, RXKADSEALEDINCON, EPROTO);
414 goto protocol_error;
415 }
416
417 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
418 * directly into the target buffer.
419 */
420 nsg = skb_cow_data(skb, 0, &trailer);
421 if (nsg < 0)
422 goto nomem;
423
424 sg = _sg;
425 if (unlikely(nsg > 4)) {
426 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO);
427 if (!sg)
428 goto nomem;
429 }
430
431 sg_init_table(sg, nsg);
432 skb_to_sgvec(skb, sg, offset, len);
433
434 /* decrypt from the session key */
435 token = call->conn->params.key->payload.data[0];
436 memcpy(&iv, token->kad->session_key, sizeof(iv));
437
438 skcipher_request_set_tfm(req, call->conn->cipher);
439 skcipher_request_set_callback(req, 0, NULL, NULL);
440 skcipher_request_set_crypt(req, sg, sg, len, iv.x);
441 crypto_skcipher_decrypt(req);
442 skcipher_request_zero(req);
443 if (sg != _sg)
444 kfree(sg);
445
446 /* Extract the decrypted packet length */
447 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
448 rxrpc_abort_call("XV2", call, seq, RXKADDATALEN, EPROTO);
449 goto protocol_error;
450 }
451 offset += sizeof(sechdr);
452 len -= sizeof(sechdr);
453
454 buf = ntohl(sechdr.data_size);
455 data_size = buf & 0xffff;
456
457 check = buf >> 16;
458 check ^= seq ^ call->call_id;
459 check &= 0xffff;
460 if (check != 0) {
461 rxrpc_abort_call("V2C", call, seq, RXKADSEALEDINCON, EPROTO);
462 goto protocol_error;
463 }
464
465 if (data_size > len) {
466 rxrpc_abort_call("V2L", call, seq, RXKADDATALEN, EPROTO);
467 goto protocol_error;
468 }
469
470 _leave(" = 0 [dlen=%x]", data_size);
471 return 0;
472
473 protocol_error:
474 rxrpc_send_abort_packet(call);
475 _leave(" = -EPROTO");
476 return -EPROTO;
477
478 nomem:
479 _leave(" = -ENOMEM");
480 return -ENOMEM;
481 }
482
483 /*
484 * Verify the security on a received packet or subpacket (if part of a
485 * jumbo packet).
486 */
487 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb,
488 unsigned int offset, unsigned int len,
489 rxrpc_seq_t seq, u16 expected_cksum)
490 {
491 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
492 struct rxrpc_crypt iv;
493 struct scatterlist sg;
494 u16 cksum;
495 u32 x, y;
496
497 _enter("{%d{%x}},{#%u}",
498 call->debug_id, key_serial(call->conn->params.key), seq);
499
500 if (!call->conn->cipher)
501 return 0;
502
503 /* continue encrypting from where we left off */
504 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
505
506 /* validate the security checksum */
507 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
508 x |= seq & 0x3fffffff;
509 call->crypto_buf[0] = htonl(call->call_id);
510 call->crypto_buf[1] = htonl(x);
511
512 sg_init_one(&sg, call->crypto_buf, 8);
513 skcipher_request_set_tfm(req, call->conn->cipher);
514 skcipher_request_set_callback(req, 0, NULL, NULL);
515 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
516 crypto_skcipher_encrypt(req);
517 skcipher_request_zero(req);
518
519 y = ntohl(call->crypto_buf[1]);
520 cksum = (y >> 16) & 0xffff;
521 if (cksum == 0)
522 cksum = 1; /* zero checksums are not permitted */
523
524 if (cksum != expected_cksum) {
525 rxrpc_abort_call("VCK", call, seq, RXKADSEALEDINCON, EPROTO);
526 rxrpc_send_abort_packet(call);
527 _leave(" = -EPROTO [csum failed]");
528 return -EPROTO;
529 }
530
531 switch (call->conn->params.security_level) {
532 case RXRPC_SECURITY_PLAIN:
533 return 0;
534 case RXRPC_SECURITY_AUTH:
535 return rxkad_verify_packet_1(call, skb, offset, len, seq);
536 case RXRPC_SECURITY_ENCRYPT:
537 return rxkad_verify_packet_2(call, skb, offset, len, seq);
538 default:
539 return -ENOANO;
540 }
541 }
542
543 /*
544 * Locate the data contained in a packet that was partially encrypted.
545 */
546 static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb,
547 unsigned int *_offset, unsigned int *_len)
548 {
549 struct rxkad_level1_hdr sechdr;
550
551 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
552 BUG();
553 *_offset += sizeof(sechdr);
554 *_len = ntohl(sechdr.data_size) & 0xffff;
555 }
556
557 /*
558 * Locate the data contained in a packet that was completely encrypted.
559 */
560 static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb,
561 unsigned int *_offset, unsigned int *_len)
562 {
563 struct rxkad_level2_hdr sechdr;
564
565 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
566 BUG();
567 *_offset += sizeof(sechdr);
568 *_len = ntohl(sechdr.data_size) & 0xffff;
569 }
570
571 /*
572 * Locate the data contained in an already decrypted packet.
573 */
574 static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb,
575 unsigned int *_offset, unsigned int *_len)
576 {
577 switch (call->conn->params.security_level) {
578 case RXRPC_SECURITY_AUTH:
579 rxkad_locate_data_1(call, skb, _offset, _len);
580 return;
581 case RXRPC_SECURITY_ENCRYPT:
582 rxkad_locate_data_2(call, skb, _offset, _len);
583 return;
584 default:
585 return;
586 }
587 }
588
589 /*
590 * issue a challenge
591 */
592 static int rxkad_issue_challenge(struct rxrpc_connection *conn)
593 {
594 struct rxkad_challenge challenge;
595 struct rxrpc_wire_header whdr;
596 struct msghdr msg;
597 struct kvec iov[2];
598 size_t len;
599 u32 serial;
600 int ret;
601
602 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
603
604 ret = key_validate(conn->params.key);
605 if (ret < 0)
606 return ret;
607
608 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
609
610 challenge.version = htonl(2);
611 challenge.nonce = htonl(conn->security_nonce);
612 challenge.min_level = htonl(0);
613 challenge.__padding = 0;
614
615 msg.msg_name = &conn->params.peer->srx.transport.sin;
616 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin);
617 msg.msg_control = NULL;
618 msg.msg_controllen = 0;
619 msg.msg_flags = 0;
620
621 whdr.epoch = htonl(conn->proto.epoch);
622 whdr.cid = htonl(conn->proto.cid);
623 whdr.callNumber = 0;
624 whdr.seq = 0;
625 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE;
626 whdr.flags = conn->out_clientflag;
627 whdr.userStatus = 0;
628 whdr.securityIndex = conn->security_ix;
629 whdr._rsvd = 0;
630 whdr.serviceId = htons(conn->params.service_id);
631
632 iov[0].iov_base = &whdr;
633 iov[0].iov_len = sizeof(whdr);
634 iov[1].iov_base = &challenge;
635 iov[1].iov_len = sizeof(challenge);
636
637 len = iov[0].iov_len + iov[1].iov_len;
638
639 serial = atomic_inc_return(&conn->serial);
640 whdr.serial = htonl(serial);
641 _proto("Tx CHALLENGE %%%u", serial);
642
643 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
644 if (ret < 0) {
645 _debug("sendmsg failed: %d", ret);
646 return -EAGAIN;
647 }
648
649 _leave(" = 0");
650 return 0;
651 }
652
653 /*
654 * send a Kerberos security response
655 */
656 static int rxkad_send_response(struct rxrpc_connection *conn,
657 struct rxrpc_host_header *hdr,
658 struct rxkad_response *resp,
659 const struct rxkad_key *s2)
660 {
661 struct rxrpc_wire_header whdr;
662 struct msghdr msg;
663 struct kvec iov[3];
664 size_t len;
665 u32 serial;
666 int ret;
667
668 _enter("");
669
670 msg.msg_name = &conn->params.peer->srx.transport.sin;
671 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin);
672 msg.msg_control = NULL;
673 msg.msg_controllen = 0;
674 msg.msg_flags = 0;
675
676 memset(&whdr, 0, sizeof(whdr));
677 whdr.epoch = htonl(hdr->epoch);
678 whdr.cid = htonl(hdr->cid);
679 whdr.type = RXRPC_PACKET_TYPE_RESPONSE;
680 whdr.flags = conn->out_clientflag;
681 whdr.securityIndex = hdr->securityIndex;
682 whdr.serviceId = htons(hdr->serviceId);
683
684 iov[0].iov_base = &whdr;
685 iov[0].iov_len = sizeof(whdr);
686 iov[1].iov_base = resp;
687 iov[1].iov_len = sizeof(*resp);
688 iov[2].iov_base = (void *)s2->ticket;
689 iov[2].iov_len = s2->ticket_len;
690
691 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
692
693 serial = atomic_inc_return(&conn->serial);
694 whdr.serial = htonl(serial);
695 _proto("Tx RESPONSE %%%u", serial);
696
697 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
698 if (ret < 0) {
699 _debug("sendmsg failed: %d", ret);
700 return -EAGAIN;
701 }
702
703 _leave(" = 0");
704 return 0;
705 }
706
707 /*
708 * calculate the response checksum
709 */
710 static void rxkad_calc_response_checksum(struct rxkad_response *response)
711 {
712 u32 csum = 1000003;
713 int loop;
714 u8 *p = (u8 *) response;
715
716 for (loop = sizeof(*response); loop > 0; loop--)
717 csum = csum * 0x10204081 + *p++;
718
719 response->encrypted.checksum = htonl(csum);
720 }
721
722 /*
723 * encrypt the response packet
724 */
725 static void rxkad_encrypt_response(struct rxrpc_connection *conn,
726 struct rxkad_response *resp,
727 const struct rxkad_key *s2)
728 {
729 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
730 struct rxrpc_crypt iv;
731 struct scatterlist sg[1];
732
733 /* continue encrypting from where we left off */
734 memcpy(&iv, s2->session_key, sizeof(iv));
735
736 sg_init_table(sg, 1);
737 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
738 skcipher_request_set_tfm(req, conn->cipher);
739 skcipher_request_set_callback(req, 0, NULL, NULL);
740 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
741 crypto_skcipher_encrypt(req);
742 skcipher_request_zero(req);
743 }
744
745 /*
746 * respond to a challenge packet
747 */
748 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
749 struct sk_buff *skb,
750 u32 *_abort_code)
751 {
752 const struct rxrpc_key_token *token;
753 struct rxkad_challenge challenge;
754 struct rxkad_response resp
755 __attribute__((aligned(8))); /* must be aligned for crypto */
756 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
757 u32 version, nonce, min_level, abort_code;
758 int ret;
759
760 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
761
762 if (!conn->params.key) {
763 _leave(" = -EPROTO [no key]");
764 return -EPROTO;
765 }
766
767 ret = key_validate(conn->params.key);
768 if (ret < 0) {
769 *_abort_code = RXKADEXPIRED;
770 return ret;
771 }
772
773 abort_code = RXKADPACKETSHORT;
774 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
775 &challenge, sizeof(challenge)) < 0)
776 goto protocol_error;
777
778 version = ntohl(challenge.version);
779 nonce = ntohl(challenge.nonce);
780 min_level = ntohl(challenge.min_level);
781
782 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
783 sp->hdr.serial, version, nonce, min_level);
784
785 abort_code = RXKADINCONSISTENCY;
786 if (version != RXKAD_VERSION)
787 goto protocol_error;
788
789 abort_code = RXKADLEVELFAIL;
790 if (conn->params.security_level < min_level)
791 goto protocol_error;
792
793 token = conn->params.key->payload.data[0];
794
795 /* build the response packet */
796 memset(&resp, 0, sizeof(resp));
797
798 resp.version = htonl(RXKAD_VERSION);
799 resp.encrypted.epoch = htonl(conn->proto.epoch);
800 resp.encrypted.cid = htonl(conn->proto.cid);
801 resp.encrypted.securityIndex = htonl(conn->security_ix);
802 resp.encrypted.inc_nonce = htonl(nonce + 1);
803 resp.encrypted.level = htonl(conn->params.security_level);
804 resp.kvno = htonl(token->kad->kvno);
805 resp.ticket_len = htonl(token->kad->ticket_len);
806
807 resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
808 resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
809 resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
810 resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
811
812 /* calculate the response checksum and then do the encryption */
813 rxkad_calc_response_checksum(&resp);
814 rxkad_encrypt_response(conn, &resp, token->kad);
815 return rxkad_send_response(conn, &sp->hdr, &resp, token->kad);
816
817 protocol_error:
818 *_abort_code = abort_code;
819 _leave(" = -EPROTO [%d]", abort_code);
820 return -EPROTO;
821 }
822
823 /*
824 * decrypt the kerberos IV ticket in the response
825 */
826 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
827 void *ticket, size_t ticket_len,
828 struct rxrpc_crypt *_session_key,
829 time_t *_expiry,
830 u32 *_abort_code)
831 {
832 struct skcipher_request *req;
833 struct rxrpc_crypt iv, key;
834 struct scatterlist sg[1];
835 struct in_addr addr;
836 unsigned int life;
837 time_t issue, now;
838 bool little_endian;
839 int ret;
840 u8 *p, *q, *name, *end;
841
842 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
843
844 *_expiry = 0;
845
846 ret = key_validate(conn->server_key);
847 if (ret < 0) {
848 switch (ret) {
849 case -EKEYEXPIRED:
850 *_abort_code = RXKADEXPIRED;
851 goto error;
852 default:
853 *_abort_code = RXKADNOAUTH;
854 goto error;
855 }
856 }
857
858 ASSERT(conn->server_key->payload.data[0] != NULL);
859 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
860
861 memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
862
863 req = skcipher_request_alloc(conn->server_key->payload.data[0],
864 GFP_NOFS);
865 if (!req) {
866 *_abort_code = RXKADNOAUTH;
867 ret = -ENOMEM;
868 goto error;
869 }
870
871 sg_init_one(&sg[0], ticket, ticket_len);
872 skcipher_request_set_callback(req, 0, NULL, NULL);
873 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
874 crypto_skcipher_decrypt(req);
875 skcipher_request_free(req);
876
877 p = ticket;
878 end = p + ticket_len;
879
880 #define Z(size) \
881 ({ \
882 u8 *__str = p; \
883 q = memchr(p, 0, end - p); \
884 if (!q || q - p > (size)) \
885 goto bad_ticket; \
886 for (; p < q; p++) \
887 if (!isprint(*p)) \
888 goto bad_ticket; \
889 p++; \
890 __str; \
891 })
892
893 /* extract the ticket flags */
894 _debug("KIV FLAGS: %x", *p);
895 little_endian = *p & 1;
896 p++;
897
898 /* extract the authentication name */
899 name = Z(ANAME_SZ);
900 _debug("KIV ANAME: %s", name);
901
902 /* extract the principal's instance */
903 name = Z(INST_SZ);
904 _debug("KIV INST : %s", name);
905
906 /* extract the principal's authentication domain */
907 name = Z(REALM_SZ);
908 _debug("KIV REALM: %s", name);
909
910 if (end - p < 4 + 8 + 4 + 2)
911 goto bad_ticket;
912
913 /* get the IPv4 address of the entity that requested the ticket */
914 memcpy(&addr, p, sizeof(addr));
915 p += 4;
916 _debug("KIV ADDR : %pI4", &addr);
917
918 /* get the session key from the ticket */
919 memcpy(&key, p, sizeof(key));
920 p += 8;
921 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
922 memcpy(_session_key, &key, sizeof(key));
923
924 /* get the ticket's lifetime */
925 life = *p++ * 5 * 60;
926 _debug("KIV LIFE : %u", life);
927
928 /* get the issue time of the ticket */
929 if (little_endian) {
930 __le32 stamp;
931 memcpy(&stamp, p, 4);
932 issue = le32_to_cpu(stamp);
933 } else {
934 __be32 stamp;
935 memcpy(&stamp, p, 4);
936 issue = be32_to_cpu(stamp);
937 }
938 p += 4;
939 now = get_seconds();
940 _debug("KIV ISSUE: %lx [%lx]", issue, now);
941
942 /* check the ticket is in date */
943 if (issue > now) {
944 *_abort_code = RXKADNOAUTH;
945 ret = -EKEYREJECTED;
946 goto error;
947 }
948
949 if (issue < now - life) {
950 *_abort_code = RXKADEXPIRED;
951 ret = -EKEYEXPIRED;
952 goto error;
953 }
954
955 *_expiry = issue + life;
956
957 /* get the service name */
958 name = Z(SNAME_SZ);
959 _debug("KIV SNAME: %s", name);
960
961 /* get the service instance name */
962 name = Z(INST_SZ);
963 _debug("KIV SINST: %s", name);
964
965 ret = 0;
966 error:
967 _leave(" = %d", ret);
968 return ret;
969
970 bad_ticket:
971 *_abort_code = RXKADBADTICKET;
972 ret = -EBADMSG;
973 goto error;
974 }
975
976 /*
977 * decrypt the response packet
978 */
979 static void rxkad_decrypt_response(struct rxrpc_connection *conn,
980 struct rxkad_response *resp,
981 const struct rxrpc_crypt *session_key)
982 {
983 SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci);
984 struct scatterlist sg[1];
985 struct rxrpc_crypt iv;
986
987 _enter(",,%08x%08x",
988 ntohl(session_key->n[0]), ntohl(session_key->n[1]));
989
990 ASSERT(rxkad_ci != NULL);
991
992 mutex_lock(&rxkad_ci_mutex);
993 if (crypto_skcipher_setkey(rxkad_ci, session_key->x,
994 sizeof(*session_key)) < 0)
995 BUG();
996
997 memcpy(&iv, session_key, sizeof(iv));
998
999 sg_init_table(sg, 1);
1000 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1001 skcipher_request_set_tfm(req, rxkad_ci);
1002 skcipher_request_set_callback(req, 0, NULL, NULL);
1003 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1004 crypto_skcipher_decrypt(req);
1005 skcipher_request_zero(req);
1006
1007 mutex_unlock(&rxkad_ci_mutex);
1008
1009 _leave("");
1010 }
1011
1012 /*
1013 * verify a response
1014 */
1015 static int rxkad_verify_response(struct rxrpc_connection *conn,
1016 struct sk_buff *skb,
1017 u32 *_abort_code)
1018 {
1019 struct rxkad_response response
1020 __attribute__((aligned(8))); /* must be aligned for crypto */
1021 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1022 struct rxrpc_crypt session_key;
1023 time_t expiry;
1024 void *ticket;
1025 u32 abort_code, version, kvno, ticket_len, level;
1026 __be32 csum;
1027 int ret, i;
1028
1029 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
1030
1031 abort_code = RXKADPACKETSHORT;
1032 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1033 &response, sizeof(response)) < 0)
1034 goto protocol_error;
1035 if (!pskb_pull(skb, sizeof(response)))
1036 BUG();
1037
1038 version = ntohl(response.version);
1039 ticket_len = ntohl(response.ticket_len);
1040 kvno = ntohl(response.kvno);
1041 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1042 sp->hdr.serial, version, kvno, ticket_len);
1043
1044 abort_code = RXKADINCONSISTENCY;
1045 if (version != RXKAD_VERSION)
1046 goto protocol_error;
1047
1048 abort_code = RXKADTICKETLEN;
1049 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1050 goto protocol_error;
1051
1052 abort_code = RXKADUNKNOWNKEY;
1053 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1054 goto protocol_error;
1055
1056 /* extract the kerberos ticket and decrypt and decode it */
1057 ticket = kmalloc(ticket_len, GFP_NOFS);
1058 if (!ticket)
1059 return -ENOMEM;
1060
1061 abort_code = RXKADPACKETSHORT;
1062 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1063 ticket, ticket_len) < 0)
1064 goto protocol_error_free;
1065
1066 ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key,
1067 &expiry, &abort_code);
1068 if (ret < 0) {
1069 *_abort_code = abort_code;
1070 kfree(ticket);
1071 return ret;
1072 }
1073
1074 /* use the session key from inside the ticket to decrypt the
1075 * response */
1076 rxkad_decrypt_response(conn, &response, &session_key);
1077
1078 abort_code = RXKADSEALEDINCON;
1079 if (ntohl(response.encrypted.epoch) != conn->proto.epoch)
1080 goto protocol_error_free;
1081 if (ntohl(response.encrypted.cid) != conn->proto.cid)
1082 goto protocol_error_free;
1083 if (ntohl(response.encrypted.securityIndex) != conn->security_ix)
1084 goto protocol_error_free;
1085 csum = response.encrypted.checksum;
1086 response.encrypted.checksum = 0;
1087 rxkad_calc_response_checksum(&response);
1088 if (response.encrypted.checksum != csum)
1089 goto protocol_error_free;
1090
1091 spin_lock(&conn->channel_lock);
1092 for (i = 0; i < RXRPC_MAXCALLS; i++) {
1093 struct rxrpc_call *call;
1094 u32 call_id = ntohl(response.encrypted.call_id[i]);
1095
1096 if (call_id > INT_MAX)
1097 goto protocol_error_unlock;
1098
1099 if (call_id < conn->channels[i].call_counter)
1100 goto protocol_error_unlock;
1101 if (call_id > conn->channels[i].call_counter) {
1102 call = rcu_dereference_protected(
1103 conn->channels[i].call,
1104 lockdep_is_held(&conn->channel_lock));
1105 if (call && call->state < RXRPC_CALL_COMPLETE)
1106 goto protocol_error_unlock;
1107 conn->channels[i].call_counter = call_id;
1108 }
1109 }
1110 spin_unlock(&conn->channel_lock);
1111
1112 abort_code = RXKADOUTOFSEQUENCE;
1113 if (ntohl(response.encrypted.inc_nonce) != conn->security_nonce + 1)
1114 goto protocol_error_free;
1115
1116 abort_code = RXKADLEVELFAIL;
1117 level = ntohl(response.encrypted.level);
1118 if (level > RXRPC_SECURITY_ENCRYPT)
1119 goto protocol_error_free;
1120 conn->params.security_level = level;
1121
1122 /* create a key to hold the security data and expiration time - after
1123 * this the connection security can be handled in exactly the same way
1124 * as for a client connection */
1125 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1126 if (ret < 0) {
1127 kfree(ticket);
1128 return ret;
1129 }
1130
1131 kfree(ticket);
1132 _leave(" = 0");
1133 return 0;
1134
1135 protocol_error_unlock:
1136 spin_unlock(&conn->channel_lock);
1137 protocol_error_free:
1138 kfree(ticket);
1139 protocol_error:
1140 *_abort_code = abort_code;
1141 _leave(" = -EPROTO [%d]", abort_code);
1142 return -EPROTO;
1143 }
1144
1145 /*
1146 * clear the connection security
1147 */
1148 static void rxkad_clear(struct rxrpc_connection *conn)
1149 {
1150 _enter("");
1151
1152 if (conn->cipher)
1153 crypto_free_skcipher(conn->cipher);
1154 }
1155
1156 /*
1157 * Initialise the rxkad security service.
1158 */
1159 static int rxkad_init(void)
1160 {
1161 /* pin the cipher we need so that the crypto layer doesn't invoke
1162 * keventd to go get it */
1163 rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
1164 return PTR_ERR_OR_ZERO(rxkad_ci);
1165 }
1166
1167 /*
1168 * Clean up the rxkad security service.
1169 */
1170 static void rxkad_exit(void)
1171 {
1172 if (rxkad_ci)
1173 crypto_free_skcipher(rxkad_ci);
1174 }
1175
1176 /*
1177 * RxRPC Kerberos-based security
1178 */
1179 const struct rxrpc_security rxkad = {
1180 .name = "rxkad",
1181 .security_index = RXRPC_SECURITY_RXKAD,
1182 .init = rxkad_init,
1183 .exit = rxkad_exit,
1184 .init_connection_security = rxkad_init_connection_security,
1185 .prime_packet_security = rxkad_prime_packet_security,
1186 .secure_packet = rxkad_secure_packet,
1187 .verify_packet = rxkad_verify_packet,
1188 .locate_data = rxkad_locate_data,
1189 .issue_challenge = rxkad_issue_challenge,
1190 .respond_to_challenge = rxkad_respond_to_challenge,
1191 .verify_response = rxkad_verify_response,
1192 .clear = rxkad_clear,
1193 };
ubuntu-zesty-kernel mirror