1 /* Kerberos-based RxRPC security
3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14 #include <crypto/skcipher.h>
15 #include <linux/module.h>
16 #include <linux/net.h>
17 #include <linux/skbuff.h>
18 #include <linux/udp.h>
19 #include <linux/scatterlist.h>
20 #include <linux/ctype.h>
21 #include <linux/slab.h>
23 #include <net/af_rxrpc.h>
24 #include <keys/rxrpc-type.h>
25 #include "ar-internal.h"
27 #define RXKAD_VERSION 2
28 #define MAXKRB5TICKETLEN 1024
29 #define RXKAD_TKT_TYPE_KERBEROS_V5 256
30 #define ANAME_SZ 40 /* size of authentication name */
31 #define INST_SZ 40 /* size of principal's instance */
32 #define REALM_SZ 40 /* size of principal's auth domain */
33 #define SNAME_SZ 40 /* size of service name */
35 struct rxkad_level1_hdr {
36 __be32 data_size; /* true data size (excluding padding) */
39 struct rxkad_level2_hdr {
40 __be32 data_size; /* true data size (excluding padding) */
41 __be32 checksum; /* decrypted data checksum */
45 * this holds a pinned cipher so that keventd doesn't get called by the cipher
46 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
49 static struct crypto_skcipher *rxkad_ci;
50 static DEFINE_MUTEX(rxkad_ci_mutex);
53 * initialise connection security
55 static int rxkad_init_connection_security(struct rxrpc_connection *conn)
57 struct crypto_skcipher *ci;
58 struct rxrpc_key_token *token;
61 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
63 token = conn->params.key->payload.data[0];
64 conn->security_ix = token->security_index;
66 ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
73 if (crypto_skcipher_setkey(ci, token->kad->session_key,
74 sizeof(token->kad->session_key)) < 0)
77 switch (conn->params.security_level) {
78 case RXRPC_SECURITY_PLAIN:
80 case RXRPC_SECURITY_AUTH:
82 conn->security_size = sizeof(struct rxkad_level1_hdr);
84 case RXRPC_SECURITY_ENCRYPT:
86 conn->security_size = sizeof(struct rxkad_level2_hdr);
101 * prime the encryption state with the invariant parts of a connection's
104 static int rxkad_prime_packet_security(struct rxrpc_connection *conn)
106 struct rxrpc_key_token *token;
107 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
108 struct scatterlist sg;
109 struct rxrpc_crypt iv;
111 size_t tmpsize = 4 * sizeof(__be32);
115 if (!conn->params.key)
118 tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
122 token = conn->params.key->payload.data[0];
123 memcpy(&iv, token->kad->session_key, sizeof(iv));
125 tmpbuf[0] = htonl(conn->proto.epoch);
126 tmpbuf[1] = htonl(conn->proto.cid);
128 tmpbuf[3] = htonl(conn->security_ix);
130 sg_init_one(&sg, tmpbuf, tmpsize);
131 skcipher_request_set_tfm(req, conn->cipher);
132 skcipher_request_set_callback(req, 0, NULL, NULL);
133 skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
134 crypto_skcipher_encrypt(req);
135 skcipher_request_zero(req);
137 memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv));
144 * partially encrypt a packet (level 1 security)
146 static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
151 struct rxrpc_skb_priv *sp;
152 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
153 struct rxkad_level1_hdr hdr;
154 struct rxrpc_crypt iv;
155 struct scatterlist sg;
162 check = sp->hdr.seq ^ call->call_id;
163 data_size |= (u32)check << 16;
165 hdr.data_size = htonl(data_size);
166 memcpy(sechdr, &hdr, sizeof(hdr));
168 /* start the encryption afresh */
169 memset(&iv, 0, sizeof(iv));
171 sg_init_one(&sg, sechdr, 8);
172 skcipher_request_set_tfm(req, call->conn->cipher);
173 skcipher_request_set_callback(req, 0, NULL, NULL);
174 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
175 crypto_skcipher_encrypt(req);
176 skcipher_request_zero(req);
183 * wholly encrypt a packet (level 2 security)
185 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
190 const struct rxrpc_key_token *token;
191 struct rxkad_level2_hdr rxkhdr;
192 struct rxrpc_skb_priv *sp;
193 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
194 struct rxrpc_crypt iv;
195 struct scatterlist sg[16];
196 struct sk_buff *trailer;
206 check = sp->hdr.seq ^ call->call_id;
208 rxkhdr.data_size = htonl(data_size | (u32)check << 16);
210 memcpy(sechdr, &rxkhdr, sizeof(rxkhdr));
212 /* encrypt from the session key */
213 token = call->conn->params.key->payload.data[0];
214 memcpy(&iv, token->kad->session_key, sizeof(iv));
216 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
217 skcipher_request_set_tfm(req, call->conn->cipher);
218 skcipher_request_set_callback(req, 0, NULL, NULL);
219 skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
220 crypto_skcipher_encrypt(req);
222 /* we want to encrypt the skbuff in-place */
223 nsg = skb_cow_data(skb, 0, &trailer);
225 if (nsg < 0 || nsg > 16)
228 len = data_size + call->conn->size_align - 1;
229 len &= ~(call->conn->size_align - 1);
231 sg_init_table(sg, nsg);
232 skb_to_sgvec(skb, sg, 0, len);
233 skcipher_request_set_crypt(req, sg, sg, len, iv.x);
234 crypto_skcipher_encrypt(req);
240 skcipher_request_zero(req);
245 * checksum an RxRPC packet header
247 static int rxkad_secure_packet(struct rxrpc_call *call,
252 struct rxrpc_skb_priv *sp;
253 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
254 struct rxrpc_crypt iv;
255 struct scatterlist sg;
261 _enter("{%d{%x}},{#%u},%zu,",
262 call->debug_id, key_serial(call->conn->params.key),
263 sp->hdr.seq, data_size);
265 if (!call->conn->cipher)
268 ret = key_validate(call->conn->params.key);
272 /* continue encrypting from where we left off */
273 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
275 /* calculate the security checksum */
276 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
277 x |= sp->hdr.seq & 0x3fffffff;
278 call->crypto_buf[0] = htonl(call->call_id);
279 call->crypto_buf[1] = htonl(x);
281 sg_init_one(&sg, call->crypto_buf, 8);
282 skcipher_request_set_tfm(req, call->conn->cipher);
283 skcipher_request_set_callback(req, 0, NULL, NULL);
284 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
285 crypto_skcipher_encrypt(req);
286 skcipher_request_zero(req);
288 y = ntohl(call->crypto_buf[1]);
289 y = (y >> 16) & 0xffff;
291 y = 1; /* zero checksums are not permitted */
294 switch (call->conn->params.security_level) {
295 case RXRPC_SECURITY_PLAIN:
298 case RXRPC_SECURITY_AUTH:
299 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr);
301 case RXRPC_SECURITY_ENCRYPT:
302 ret = rxkad_secure_packet_encrypt(call, skb, data_size,
310 _leave(" = %d [set %hx]", ret, y);
315 * decrypt partial encryption on a packet (level 1 security)
317 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
318 unsigned int offset, unsigned int len,
321 struct rxkad_level1_hdr sechdr;
322 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
323 struct rxrpc_crypt iv;
324 struct scatterlist sg[16];
325 struct sk_buff *trailer;
333 rxrpc_abort_call("V1H", call, seq, RXKADSEALEDINCON, EPROTO);
337 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
338 * directly into the target buffer.
340 nsg = skb_cow_data(skb, 0, &trailer);
341 if (nsg < 0 || nsg > 16)
344 sg_init_table(sg, nsg);
345 skb_to_sgvec(skb, sg, offset, 8);
347 /* start the decryption afresh */
348 memset(&iv, 0, sizeof(iv));
350 skcipher_request_set_tfm(req, call->conn->cipher);
351 skcipher_request_set_callback(req, 0, NULL, NULL);
352 skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
353 crypto_skcipher_decrypt(req);
354 skcipher_request_zero(req);
356 /* Extract the decrypted packet length */
357 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
358 rxrpc_abort_call("XV1", call, seq, RXKADDATALEN, EPROTO);
361 offset += sizeof(sechdr);
362 len -= sizeof(sechdr);
364 buf = ntohl(sechdr.data_size);
365 data_size = buf & 0xffff;
368 check ^= seq ^ call->call_id;
371 rxrpc_abort_call("V1C", call, seq, RXKADSEALEDINCON, EPROTO);
375 if (data_size > len) {
376 rxrpc_abort_call("V1L", call, seq, RXKADDATALEN, EPROTO);
380 _leave(" = 0 [dlen=%x]", data_size);
384 rxrpc_send_abort_packet(call);
385 _leave(" = -EPROTO");
389 _leave(" = -ENOMEM");
394 * wholly decrypt a packet (level 2 security)
396 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
397 unsigned int offset, unsigned int len,
400 const struct rxrpc_key_token *token;
401 struct rxkad_level2_hdr sechdr;
402 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
403 struct rxrpc_crypt iv;
404 struct scatterlist _sg[4], *sg;
405 struct sk_buff *trailer;
410 _enter(",{%d}", skb->len);
413 rxrpc_abort_call("V2H", call, seq, RXKADSEALEDINCON, EPROTO);
417 /* Decrypt the skbuff in-place. TODO: We really want to decrypt
418 * directly into the target buffer.
420 nsg = skb_cow_data(skb, 0, &trailer);
425 if (unlikely(nsg > 4)) {
426 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO);
431 sg_init_table(sg, nsg);
432 skb_to_sgvec(skb, sg, offset, len);
434 /* decrypt from the session key */
435 token = call->conn->params.key->payload.data[0];
436 memcpy(&iv, token->kad->session_key, sizeof(iv));
438 skcipher_request_set_tfm(req, call->conn->cipher);
439 skcipher_request_set_callback(req, 0, NULL, NULL);
440 skcipher_request_set_crypt(req, sg, sg, len, iv.x);
441 crypto_skcipher_decrypt(req);
442 skcipher_request_zero(req);
446 /* Extract the decrypted packet length */
447 if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
448 rxrpc_abort_call("XV2", call, seq, RXKADDATALEN, EPROTO);
451 offset += sizeof(sechdr);
452 len -= sizeof(sechdr);
454 buf = ntohl(sechdr.data_size);
455 data_size = buf & 0xffff;
458 check ^= seq ^ call->call_id;
461 rxrpc_abort_call("V2C", call, seq, RXKADSEALEDINCON, EPROTO);
465 if (data_size > len) {
466 rxrpc_abort_call("V2L", call, seq, RXKADDATALEN, EPROTO);
470 _leave(" = 0 [dlen=%x]", data_size);
474 rxrpc_send_abort_packet(call);
475 _leave(" = -EPROTO");
479 _leave(" = -ENOMEM");
484 * Verify the security on a received packet or subpacket (if part of a
487 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb,
488 unsigned int offset, unsigned int len,
489 rxrpc_seq_t seq, u16 expected_cksum)
491 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
492 struct rxrpc_crypt iv;
493 struct scatterlist sg;
497 _enter("{%d{%x}},{#%u}",
498 call->debug_id, key_serial(call->conn->params.key), seq);
500 if (!call->conn->cipher)
503 /* continue encrypting from where we left off */
504 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
506 /* validate the security checksum */
507 x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
508 x |= seq & 0x3fffffff;
509 call->crypto_buf[0] = htonl(call->call_id);
510 call->crypto_buf[1] = htonl(x);
512 sg_init_one(&sg, call->crypto_buf, 8);
513 skcipher_request_set_tfm(req, call->conn->cipher);
514 skcipher_request_set_callback(req, 0, NULL, NULL);
515 skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
516 crypto_skcipher_encrypt(req);
517 skcipher_request_zero(req);
519 y = ntohl(call->crypto_buf[1]);
520 cksum = (y >> 16) & 0xffff;
522 cksum = 1; /* zero checksums are not permitted */
524 if (cksum != expected_cksum) {
525 rxrpc_abort_call("VCK", call, seq, RXKADSEALEDINCON, EPROTO);
526 rxrpc_send_abort_packet(call);
527 _leave(" = -EPROTO [csum failed]");
531 switch (call->conn->params.security_level) {
532 case RXRPC_SECURITY_PLAIN:
534 case RXRPC_SECURITY_AUTH:
535 return rxkad_verify_packet_1(call, skb, offset, len, seq);
536 case RXRPC_SECURITY_ENCRYPT:
537 return rxkad_verify_packet_2(call, skb, offset, len, seq);
544 * Locate the data contained in a packet that was partially encrypted.
546 static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb,
547 unsigned int *_offset, unsigned int *_len)
549 struct rxkad_level1_hdr sechdr;
551 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
553 *_offset += sizeof(sechdr);
554 *_len = ntohl(sechdr.data_size) & 0xffff;
558 * Locate the data contained in a packet that was completely encrypted.
560 static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb,
561 unsigned int *_offset, unsigned int *_len)
563 struct rxkad_level2_hdr sechdr;
565 if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
567 *_offset += sizeof(sechdr);
568 *_len = ntohl(sechdr.data_size) & 0xffff;
572 * Locate the data contained in an already decrypted packet.
574 static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb,
575 unsigned int *_offset, unsigned int *_len)
577 switch (call->conn->params.security_level) {
578 case RXRPC_SECURITY_AUTH:
579 rxkad_locate_data_1(call, skb, _offset, _len);
581 case RXRPC_SECURITY_ENCRYPT:
582 rxkad_locate_data_2(call, skb, _offset, _len);
592 static int rxkad_issue_challenge(struct rxrpc_connection *conn)
594 struct rxkad_challenge challenge;
595 struct rxrpc_wire_header whdr;
602 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
604 ret = key_validate(conn->params.key);
608 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
610 challenge.version = htonl(2);
611 challenge.nonce = htonl(conn->security_nonce);
612 challenge.min_level = htonl(0);
613 challenge.__padding = 0;
615 msg.msg_name = &conn->params.peer->srx.transport.sin;
616 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin);
617 msg.msg_control = NULL;
618 msg.msg_controllen = 0;
621 whdr.epoch = htonl(conn->proto.epoch);
622 whdr.cid = htonl(conn->proto.cid);
625 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE;
626 whdr.flags = conn->out_clientflag;
628 whdr.securityIndex = conn->security_ix;
630 whdr.serviceId = htons(conn->params.service_id);
632 iov[0].iov_base = &whdr;
633 iov[0].iov_len = sizeof(whdr);
634 iov[1].iov_base = &challenge;
635 iov[1].iov_len = sizeof(challenge);
637 len = iov[0].iov_len + iov[1].iov_len;
639 serial = atomic_inc_return(&conn->serial);
640 whdr.serial = htonl(serial);
641 _proto("Tx CHALLENGE %%%u", serial);
643 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
645 _debug("sendmsg failed: %d", ret);
654 * send a Kerberos security response
656 static int rxkad_send_response(struct rxrpc_connection *conn,
657 struct rxrpc_host_header *hdr,
658 struct rxkad_response *resp,
659 const struct rxkad_key *s2)
661 struct rxrpc_wire_header whdr;
670 msg.msg_name = &conn->params.peer->srx.transport.sin;
671 msg.msg_namelen = sizeof(conn->params.peer->srx.transport.sin);
672 msg.msg_control = NULL;
673 msg.msg_controllen = 0;
676 memset(&whdr, 0, sizeof(whdr));
677 whdr.epoch = htonl(hdr->epoch);
678 whdr.cid = htonl(hdr->cid);
679 whdr.type = RXRPC_PACKET_TYPE_RESPONSE;
680 whdr.flags = conn->out_clientflag;
681 whdr.securityIndex = hdr->securityIndex;
682 whdr.serviceId = htons(hdr->serviceId);
684 iov[0].iov_base = &whdr;
685 iov[0].iov_len = sizeof(whdr);
686 iov[1].iov_base = resp;
687 iov[1].iov_len = sizeof(*resp);
688 iov[2].iov_base = (void *)s2->ticket;
689 iov[2].iov_len = s2->ticket_len;
691 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
693 serial = atomic_inc_return(&conn->serial);
694 whdr.serial = htonl(serial);
695 _proto("Tx RESPONSE %%%u", serial);
697 ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
699 _debug("sendmsg failed: %d", ret);
708 * calculate the response checksum
710 static void rxkad_calc_response_checksum(struct rxkad_response *response)
714 u8 *p = (u8 *) response;
716 for (loop = sizeof(*response); loop > 0; loop--)
717 csum = csum * 0x10204081 + *p++;
719 response->encrypted.checksum = htonl(csum);
723 * encrypt the response packet
725 static void rxkad_encrypt_response(struct rxrpc_connection *conn,
726 struct rxkad_response *resp,
727 const struct rxkad_key *s2)
729 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
730 struct rxrpc_crypt iv;
731 struct scatterlist sg[1];
733 /* continue encrypting from where we left off */
734 memcpy(&iv, s2->session_key, sizeof(iv));
736 sg_init_table(sg, 1);
737 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
738 skcipher_request_set_tfm(req, conn->cipher);
739 skcipher_request_set_callback(req, 0, NULL, NULL);
740 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
741 crypto_skcipher_encrypt(req);
742 skcipher_request_zero(req);
746 * respond to a challenge packet
748 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
752 const struct rxrpc_key_token *token;
753 struct rxkad_challenge challenge;
754 struct rxkad_response resp
755 __attribute__((aligned(8))); /* must be aligned for crypto */
756 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
757 u32 version, nonce, min_level, abort_code;
760 _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
762 if (!conn->params.key) {
763 _leave(" = -EPROTO [no key]");
767 ret = key_validate(conn->params.key);
769 *_abort_code = RXKADEXPIRED;
773 abort_code = RXKADPACKETSHORT;
774 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
775 &challenge, sizeof(challenge)) < 0)
778 version = ntohl(challenge.version);
779 nonce = ntohl(challenge.nonce);
780 min_level = ntohl(challenge.min_level);
782 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
783 sp->hdr.serial, version, nonce, min_level);
785 abort_code = RXKADINCONSISTENCY;
786 if (version != RXKAD_VERSION)
789 abort_code = RXKADLEVELFAIL;
790 if (conn->params.security_level < min_level)
793 token = conn->params.key->payload.data[0];
795 /* build the response packet */
796 memset(&resp, 0, sizeof(resp));
798 resp.version = htonl(RXKAD_VERSION);
799 resp.encrypted.epoch = htonl(conn->proto.epoch);
800 resp.encrypted.cid = htonl(conn->proto.cid);
801 resp.encrypted.securityIndex = htonl(conn->security_ix);
802 resp.encrypted.inc_nonce = htonl(nonce + 1);
803 resp.encrypted.level = htonl(conn->params.security_level);
804 resp.kvno = htonl(token->kad->kvno);
805 resp.ticket_len = htonl(token->kad->ticket_len);
807 resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
808 resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
809 resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
810 resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
812 /* calculate the response checksum and then do the encryption */
813 rxkad_calc_response_checksum(&resp);
814 rxkad_encrypt_response(conn, &resp, token->kad);
815 return rxkad_send_response(conn, &sp->hdr, &resp, token->kad);
818 *_abort_code = abort_code;
819 _leave(" = -EPROTO [%d]", abort_code);
824 * decrypt the kerberos IV ticket in the response
826 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
827 void *ticket, size_t ticket_len,
828 struct rxrpc_crypt *_session_key,
832 struct skcipher_request *req;
833 struct rxrpc_crypt iv, key;
834 struct scatterlist sg[1];
840 u8 *p, *q, *name, *end;
842 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
846 ret = key_validate(conn->server_key);
850 *_abort_code = RXKADEXPIRED;
853 *_abort_code = RXKADNOAUTH;
858 ASSERT(conn->server_key->payload.data[0] != NULL);
859 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
861 memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
863 req = skcipher_request_alloc(conn->server_key->payload.data[0],
866 *_abort_code = RXKADNOAUTH;
871 sg_init_one(&sg[0], ticket, ticket_len);
872 skcipher_request_set_callback(req, 0, NULL, NULL);
873 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
874 crypto_skcipher_decrypt(req);
875 skcipher_request_free(req);
878 end = p + ticket_len;
883 q = memchr(p, 0, end - p); \
884 if (!q || q - p > (size)) \
893 /* extract the ticket flags */
894 _debug("KIV FLAGS: %x", *p);
895 little_endian = *p & 1;
898 /* extract the authentication name */
900 _debug("KIV ANAME: %s", name);
902 /* extract the principal's instance */
904 _debug("KIV INST : %s", name);
906 /* extract the principal's authentication domain */
908 _debug("KIV REALM: %s", name);
910 if (end - p < 4 + 8 + 4 + 2)
913 /* get the IPv4 address of the entity that requested the ticket */
914 memcpy(&addr, p, sizeof(addr));
916 _debug("KIV ADDR : %pI4", &addr);
918 /* get the session key from the ticket */
919 memcpy(&key, p, sizeof(key));
921 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
922 memcpy(_session_key, &key, sizeof(key));
924 /* get the ticket's lifetime */
925 life = *p++ * 5 * 60;
926 _debug("KIV LIFE : %u", life);
928 /* get the issue time of the ticket */
931 memcpy(&stamp, p, 4);
932 issue = le32_to_cpu(stamp);
935 memcpy(&stamp, p, 4);
936 issue = be32_to_cpu(stamp);
940 _debug("KIV ISSUE: %lx [%lx]", issue, now);
942 /* check the ticket is in date */
944 *_abort_code = RXKADNOAUTH;
949 if (issue < now - life) {
950 *_abort_code = RXKADEXPIRED;
955 *_expiry = issue + life;
957 /* get the service name */
959 _debug("KIV SNAME: %s", name);
961 /* get the service instance name */
963 _debug("KIV SINST: %s", name);
967 _leave(" = %d", ret);
971 *_abort_code = RXKADBADTICKET;
977 * decrypt the response packet
979 static void rxkad_decrypt_response(struct rxrpc_connection *conn,
980 struct rxkad_response *resp,
981 const struct rxrpc_crypt *session_key)
983 SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci);
984 struct scatterlist sg[1];
985 struct rxrpc_crypt iv;
988 ntohl(session_key->n[0]), ntohl(session_key->n[1]));
990 ASSERT(rxkad_ci != NULL);
992 mutex_lock(&rxkad_ci_mutex);
993 if (crypto_skcipher_setkey(rxkad_ci, session_key->x,
994 sizeof(*session_key)) < 0)
997 memcpy(&iv, session_key, sizeof(iv));
999 sg_init_table(sg, 1);
1000 sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1001 skcipher_request_set_tfm(req, rxkad_ci);
1002 skcipher_request_set_callback(req, 0, NULL, NULL);
1003 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1004 crypto_skcipher_decrypt(req);
1005 skcipher_request_zero(req);
1007 mutex_unlock(&rxkad_ci_mutex);
1015 static int rxkad_verify_response(struct rxrpc_connection *conn,
1016 struct sk_buff *skb,
1019 struct rxkad_response response
1020 __attribute__((aligned(8))); /* must be aligned for crypto */
1021 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1022 struct rxrpc_crypt session_key;
1025 u32 abort_code, version, kvno, ticket_len, level;
1029 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
1031 abort_code = RXKADPACKETSHORT;
1032 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1033 &response, sizeof(response)) < 0)
1034 goto protocol_error;
1035 if (!pskb_pull(skb, sizeof(response)))
1038 version = ntohl(response.version);
1039 ticket_len = ntohl(response.ticket_len);
1040 kvno = ntohl(response.kvno);
1041 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1042 sp->hdr.serial, version, kvno, ticket_len);
1044 abort_code = RXKADINCONSISTENCY;
1045 if (version != RXKAD_VERSION)
1046 goto protocol_error;
1048 abort_code = RXKADTICKETLEN;
1049 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1050 goto protocol_error;
1052 abort_code = RXKADUNKNOWNKEY;
1053 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1054 goto protocol_error;
1056 /* extract the kerberos ticket and decrypt and decode it */
1057 ticket = kmalloc(ticket_len, GFP_NOFS);
1061 abort_code = RXKADPACKETSHORT;
1062 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1063 ticket, ticket_len) < 0)
1064 goto protocol_error_free;
1066 ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key,
1067 &expiry, &abort_code);
1069 *_abort_code = abort_code;
1074 /* use the session key from inside the ticket to decrypt the
1076 rxkad_decrypt_response(conn, &response, &session_key);
1078 abort_code = RXKADSEALEDINCON;
1079 if (ntohl(response.encrypted.epoch) != conn->proto.epoch)
1080 goto protocol_error_free;
1081 if (ntohl(response.encrypted.cid) != conn->proto.cid)
1082 goto protocol_error_free;
1083 if (ntohl(response.encrypted.securityIndex) != conn->security_ix)
1084 goto protocol_error_free;
1085 csum = response.encrypted.checksum;
1086 response.encrypted.checksum = 0;
1087 rxkad_calc_response_checksum(&response);
1088 if (response.encrypted.checksum != csum)
1089 goto protocol_error_free;
1091 spin_lock(&conn->channel_lock);
1092 for (i = 0; i < RXRPC_MAXCALLS; i++) {
1093 struct rxrpc_call *call;
1094 u32 call_id = ntohl(response.encrypted.call_id[i]);
1096 if (call_id > INT_MAX)
1097 goto protocol_error_unlock;
1099 if (call_id < conn->channels[i].call_counter)
1100 goto protocol_error_unlock;
1101 if (call_id > conn->channels[i].call_counter) {
1102 call = rcu_dereference_protected(
1103 conn->channels[i].call,
1104 lockdep_is_held(&conn->channel_lock));
1105 if (call && call->state < RXRPC_CALL_COMPLETE)
1106 goto protocol_error_unlock;
1107 conn->channels[i].call_counter = call_id;
1110 spin_unlock(&conn->channel_lock);
1112 abort_code = RXKADOUTOFSEQUENCE;
1113 if (ntohl(response.encrypted.inc_nonce) != conn->security_nonce + 1)
1114 goto protocol_error_free;
1116 abort_code = RXKADLEVELFAIL;
1117 level = ntohl(response.encrypted.level);
1118 if (level > RXRPC_SECURITY_ENCRYPT)
1119 goto protocol_error_free;
1120 conn->params.security_level = level;
1122 /* create a key to hold the security data and expiration time - after
1123 * this the connection security can be handled in exactly the same way
1124 * as for a client connection */
1125 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1135 protocol_error_unlock:
1136 spin_unlock(&conn->channel_lock);
1137 protocol_error_free:
1140 *_abort_code = abort_code;
1141 _leave(" = -EPROTO [%d]", abort_code);
1146 * clear the connection security
1148 static void rxkad_clear(struct rxrpc_connection *conn)
1153 crypto_free_skcipher(conn->cipher);
1157 * Initialise the rxkad security service.
1159 static int rxkad_init(void)
1161 /* pin the cipher we need so that the crypto layer doesn't invoke
1162 * keventd to go get it */
1163 rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
1164 return PTR_ERR_OR_ZERO(rxkad_ci);
1168 * Clean up the rxkad security service.
1170 static void rxkad_exit(void)
1173 crypto_free_skcipher(rxkad_ci);
1177 * RxRPC Kerberos-based security
1179 const struct rxrpc_security rxkad = {
1181 .security_index = RXRPC_SECURITY_RXKAD,
1184 .init_connection_security = rxkad_init_connection_security,
1185 .prime_packet_security = rxkad_prime_packet_security,
1186 .secure_packet = rxkad_secure_packet,
1187 .verify_packet = rxkad_verify_packet,
1188 .locate_data = rxkad_locate_data,
1189 .issue_challenge = rxkad_issue_challenge,
1190 .respond_to_challenge = rxkad_respond_to_challenge,
1191 .verify_response = rxkad_verify_response,
1192 .clear = rxkad_clear,
projects / cascardo / linux.git / blob