~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/rxrpc/rxkad.c

Version: ~ [ linux-5.4-rc3 ] ~ [ linux-5.3.6 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.79 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.149 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.196 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.196 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.75 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /* Kerberos-based RxRPC security
  2  *
  3  * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
  4  * Written by David Howells (dhowells@redhat.com)
  5  *
  6  * This program is free software; you can redistribute it and/or
  7  * modify it under the terms of the GNU General Public License
  8  * as published by the Free Software Foundation; either version
  9  * 2 of the License, or (at your option) any later version.
 10  */
 11 
 12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 13 
 14 #include <crypto/skcipher.h>
 15 #include <linux/module.h>
 16 #include <linux/net.h>
 17 #include <linux/skbuff.h>
 18 #include <linux/udp.h>
 19 #include <linux/scatterlist.h>
 20 #include <linux/ctype.h>
 21 #include <linux/slab.h>
 22 #include <net/sock.h>
 23 #include <net/af_rxrpc.h>
 24 #include <keys/rxrpc-type.h>
 25 #include "ar-internal.h"
 26 
 27 #define RXKAD_VERSION                   2
 28 #define MAXKRB5TICKETLEN                1024
 29 #define RXKAD_TKT_TYPE_KERBEROS_V5      256
 30 #define ANAME_SZ                        40      /* size of authentication name */
 31 #define INST_SZ                         40      /* size of principal's instance */
 32 #define REALM_SZ                        40      /* size of principal's auth domain */
 33 #define SNAME_SZ                        40      /* size of service name */
 34 
 35 struct rxkad_level1_hdr {
 36         __be32  data_size;      /* true data size (excluding padding) */
 37 };
 38 
 39 struct rxkad_level2_hdr {
 40         __be32  data_size;      /* true data size (excluding padding) */
 41         __be32  checksum;       /* decrypted data checksum */
 42 };
 43 
 44 /*
 45  * this holds a pinned cipher so that keventd doesn't get called by the cipher
 46  * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
 47  * packets
 48  */
 49 static struct crypto_skcipher *rxkad_ci;
 50 static DEFINE_MUTEX(rxkad_ci_mutex);
 51 
 52 /*
 53  * initialise connection security
 54  */
 55 static int rxkad_init_connection_security(struct rxrpc_connection *conn)
 56 {
 57         struct crypto_skcipher *ci;
 58         struct rxrpc_key_token *token;
 59         int ret;
 60 
 61         _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
 62 
 63         token = conn->params.key->payload.data[0];
 64         conn->security_ix = token->security_index;
 65 
 66         ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
 67         if (IS_ERR(ci)) {
 68                 _debug("no cipher");
 69                 ret = PTR_ERR(ci);
 70                 goto error;
 71         }
 72 
 73         if (crypto_skcipher_setkey(ci, token->kad->session_key,
 74                                    sizeof(token->kad->session_key)) < 0)
 75                 BUG();
 76 
 77         switch (conn->params.security_level) {
 78         case RXRPC_SECURITY_PLAIN:
 79                 break;
 80         case RXRPC_SECURITY_AUTH:
 81                 conn->size_align = 8;
 82                 conn->security_size = sizeof(struct rxkad_level1_hdr);
 83                 break;
 84         case RXRPC_SECURITY_ENCRYPT:
 85                 conn->size_align = 8;
 86                 conn->security_size = sizeof(struct rxkad_level2_hdr);
 87                 break;
 88         default:
 89                 ret = -EKEYREJECTED;
 90                 goto error;
 91         }
 92 
 93         conn->cipher = ci;
 94         ret = 0;
 95 error:
 96         _leave(" = %d", ret);
 97         return ret;
 98 }
 99 
100 /*
101  * prime the encryption state with the invariant parts of a connection's
102  * description
103  */
104 static int rxkad_prime_packet_security(struct rxrpc_connection *conn)
105 {
106         struct rxrpc_key_token *token;
107         SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
108         struct scatterlist sg;
109         struct rxrpc_crypt iv;
110         __be32 *tmpbuf;
111         size_t tmpsize = 4 * sizeof(__be32);
112 
113         _enter("");
114 
115         if (!conn->params.key)
116                 return 0;
117 
118         tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
119         if (!tmpbuf)
120                 return -ENOMEM;
121 
122         token = conn->params.key->payload.data[0];
123         memcpy(&iv, token->kad->session_key, sizeof(iv));
124 
125         tmpbuf[0] = htonl(conn->proto.epoch);
126         tmpbuf[1] = htonl(conn->proto.cid);
127         tmpbuf[2] = 0;
128         tmpbuf[3] = htonl(conn->security_ix);
129 
130         sg_init_one(&sg, tmpbuf, tmpsize);
131         skcipher_request_set_tfm(req, conn->cipher);
132         skcipher_request_set_callback(req, 0, NULL, NULL);
133         skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
134         crypto_skcipher_encrypt(req);
135         skcipher_request_zero(req);
136 
137         memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv));
138         kfree(tmpbuf);
139         _leave(" = 0");
140         return 0;
141 }
142 
143 /*
144  * partially encrypt a packet (level 1 security)
145  */
146 static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
147                                     struct sk_buff *skb,
148                                     u32 data_size,
149                                     void *sechdr)
150 {
151         struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
152         SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
153         struct rxkad_level1_hdr hdr;
154         struct rxrpc_crypt iv;
155         struct scatterlist sg;
156         u16 check;
157 
158         _enter("");
159 
160         check = sp->hdr.seq ^ call->call_id;
161         data_size |= (u32)check << 16;
162 
163         hdr.data_size = htonl(data_size);
164         memcpy(sechdr, &hdr, sizeof(hdr));
165 
166         /* start the encryption afresh */
167         memset(&iv, 0, sizeof(iv));
168 
169         sg_init_one(&sg, sechdr, 8);
170         skcipher_request_set_tfm(req, call->conn->cipher);
171         skcipher_request_set_callback(req, 0, NULL, NULL);
172         skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
173         crypto_skcipher_encrypt(req);
174         skcipher_request_zero(req);
175 
176         _leave(" = 0");
177         return 0;
178 }
179 
180 /*
181  * wholly encrypt a packet (level 2 security)
182  */
183 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
184                                        struct sk_buff *skb,
185                                        u32 data_size,
186                                        void *sechdr)
187 {
188         const struct rxrpc_key_token *token;
189         struct rxkad_level2_hdr rxkhdr;
190         struct rxrpc_skb_priv *sp;
191         SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
192         struct rxrpc_crypt iv;
193         struct scatterlist sg[16];
194         struct sk_buff *trailer;
195         unsigned int len;
196         u16 check;
197         int nsg;
198         int err;
199 
200         sp = rxrpc_skb(skb);
201 
202         _enter("");
203 
204         check = sp->hdr.seq ^ call->call_id;
205 
206         rxkhdr.data_size = htonl(data_size | (u32)check << 16);
207         rxkhdr.checksum = 0;
208         memcpy(sechdr, &rxkhdr, sizeof(rxkhdr));
209 
210         /* encrypt from the session key */
211         token = call->conn->params.key->payload.data[0];
212         memcpy(&iv, token->kad->session_key, sizeof(iv));
213 
214         sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
215         skcipher_request_set_tfm(req, call->conn->cipher);
216         skcipher_request_set_callback(req, 0, NULL, NULL);
217         skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
218         crypto_skcipher_encrypt(req);
219 
220         /* we want to encrypt the skbuff in-place */
221         nsg = skb_cow_data(skb, 0, &trailer);
222         err = -ENOMEM;
223         if (nsg < 0 || nsg > 16)
224                 goto out;
225 
226         len = data_size + call->conn->size_align - 1;
227         len &= ~(call->conn->size_align - 1);
228 
229         sg_init_table(sg, nsg);
230         err = skb_to_sgvec(skb, sg, 0, len);
231         if (unlikely(err < 0))
232                 goto out;
233         skcipher_request_set_crypt(req, sg, sg, len, iv.x);
234         crypto_skcipher_encrypt(req);
235 
236         _leave(" = 0");
237         err = 0;
238 
239 out:
240         skcipher_request_zero(req);
241         return err;
242 }
243 
244 /*
245  * checksum an RxRPC packet header
246  */
247 static int rxkad_secure_packet(struct rxrpc_call *call,
248                                struct sk_buff *skb,
249                                size_t data_size,
250                                void *sechdr)
251 {
252         struct rxrpc_skb_priv *sp;
253         SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
254         struct rxrpc_crypt iv;
255         struct scatterlist sg;
256         u32 x, y;
257         int ret;
258 
259         sp = rxrpc_skb(skb);
260 
261         _enter("{%d{%x}},{#%u},%zu,",
262                call->debug_id, key_serial(call->conn->params.key),
263                sp->hdr.seq, data_size);
264 
265         if (!call->conn->cipher)
266                 return 0;
267 
268         ret = key_validate(call->conn->params.key);
269         if (ret < 0)
270                 return ret;
271 
272         /* continue encrypting from where we left off */
273         memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
274 
275         /* calculate the security checksum */
276         x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
277         x |= sp->hdr.seq & 0x3fffffff;
278         call->crypto_buf[0] = htonl(call->call_id);
279         call->crypto_buf[1] = htonl(x);
280 
281         sg_init_one(&sg, call->crypto_buf, 8);
282         skcipher_request_set_tfm(req, call->conn->cipher);
283         skcipher_request_set_callback(req, 0, NULL, NULL);
284         skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
285         crypto_skcipher_encrypt(req);
286         skcipher_request_zero(req);
287 
288         y = ntohl(call->crypto_buf[1]);
289         y = (y >> 16) & 0xffff;
290         if (y == 0)
291                 y = 1; /* zero checksums are not permitted */
292         sp->hdr.cksum = y;
293 
294         switch (call->conn->params.security_level) {
295         case RXRPC_SECURITY_PLAIN:
296                 ret = 0;
297                 break;
298         case RXRPC_SECURITY_AUTH:
299                 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr);
300                 break;
301         case RXRPC_SECURITY_ENCRYPT:
302                 ret = rxkad_secure_packet_encrypt(call, skb, data_size,
303                                                   sechdr);
304                 break;
305         default:
306                 ret = -EPERM;
307                 break;
308         }
309 
310         _leave(" = %d [set %hx]", ret, y);
311         return ret;
312 }
313 
314 /*
315  * decrypt partial encryption on a packet (level 1 security)
316  */
317 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
318                                  unsigned int offset, unsigned int len,
319                                  rxrpc_seq_t seq)
320 {
321         struct rxkad_level1_hdr sechdr;
322         SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
323         struct rxrpc_crypt iv;
324         struct scatterlist sg[16];
325         struct sk_buff *trailer;
326         bool aborted;
327         u32 data_size, buf;
328         u16 check;
329         int nsg, ret;
330 
331         _enter("");
332 
333         if (len < 8) {
334                 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_hdr", "V1H",
335                                            RXKADSEALEDINCON);
336                 goto protocol_error;
337         }
338 
339         /* Decrypt the skbuff in-place.  TODO: We really want to decrypt
340          * directly into the target buffer.
341          */
342         nsg = skb_cow_data(skb, 0, &trailer);
343         if (nsg < 0 || nsg > 16)
344                 goto nomem;
345 
346         sg_init_table(sg, nsg);
347         ret = skb_to_sgvec(skb, sg, offset, 8);
348         if (unlikely(ret < 0))
349                 return ret;
350 
351         /* start the decryption afresh */
352         memset(&iv, 0, sizeof(iv));
353 
354         skcipher_request_set_tfm(req, call->conn->cipher);
355         skcipher_request_set_callback(req, 0, NULL, NULL);
356         skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
357         crypto_skcipher_decrypt(req);
358         skcipher_request_zero(req);
359 
360         /* Extract the decrypted packet length */
361         if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
362                 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_len", "XV1",
363                                              RXKADDATALEN);
364                 goto protocol_error;
365         }
366         offset += sizeof(sechdr);
367         len -= sizeof(sechdr);
368 
369         buf = ntohl(sechdr.data_size);
370         data_size = buf & 0xffff;
371 
372         check = buf >> 16;
373         check ^= seq ^ call->call_id;
374         check &= 0xffff;
375         if (check != 0) {
376                 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_check", "V1C",
377                                              RXKADSEALEDINCON);
378                 goto protocol_error;
379         }
380 
381         if (data_size > len) {
382                 aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_datalen", "V1L",
383                                              RXKADDATALEN);
384                 goto protocol_error;
385         }
386 
387         _leave(" = 0 [dlen=%x]", data_size);
388         return 0;
389 
390 protocol_error:
391         if (aborted)
392                 rxrpc_send_abort_packet(call);
393         return -EPROTO;
394 
395 nomem:
396         _leave(" = -ENOMEM");
397         return -ENOMEM;
398 }
399 
400 /*
401  * wholly decrypt a packet (level 2 security)
402  */
403 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
404                                  unsigned int offset, unsigned int len,
405                                  rxrpc_seq_t seq)
406 {
407         const struct rxrpc_key_token *token;
408         struct rxkad_level2_hdr sechdr;
409         SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
410         struct rxrpc_crypt iv;
411         struct scatterlist _sg[4], *sg;
412         struct sk_buff *trailer;
413         bool aborted;
414         u32 data_size, buf;
415         u16 check;
416         int nsg, ret;
417 
418         _enter(",{%d}", skb->len);
419 
420         if (len < 8) {
421                 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_hdr", "V2H",
422                                              RXKADSEALEDINCON);
423                 goto protocol_error;
424         }
425 
426         /* Decrypt the skbuff in-place.  TODO: We really want to decrypt
427          * directly into the target buffer.
428          */
429         nsg = skb_cow_data(skb, 0, &trailer);
430         if (nsg < 0)
431                 goto nomem;
432 
433         sg = _sg;
434         if (unlikely(nsg > 4)) {
435                 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO);
436                 if (!sg)
437                         goto nomem;
438         }
439 
440         sg_init_table(sg, nsg);
441         ret = skb_to_sgvec(skb, sg, offset, len);
442         if (unlikely(ret < 0)) {
443                 if (sg != _sg)
444                         kfree(sg);
445                 return ret;
446         }
447 
448         /* decrypt from the session key */
449         token = call->conn->params.key->payload.data[0];
450         memcpy(&iv, token->kad->session_key, sizeof(iv));
451 
452         skcipher_request_set_tfm(req, call->conn->cipher);
453         skcipher_request_set_callback(req, 0, NULL, NULL);
454         skcipher_request_set_crypt(req, sg, sg, len, iv.x);
455         crypto_skcipher_decrypt(req);
456         skcipher_request_zero(req);
457         if (sg != _sg)
458                 kfree(sg);
459 
460         /* Extract the decrypted packet length */
461         if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
462                 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_len", "XV2",
463                                              RXKADDATALEN);
464                 goto protocol_error;
465         }
466         offset += sizeof(sechdr);
467         len -= sizeof(sechdr);
468 
469         buf = ntohl(sechdr.data_size);
470         data_size = buf & 0xffff;
471 
472         check = buf >> 16;
473         check ^= seq ^ call->call_id;
474         check &= 0xffff;
475         if (check != 0) {
476                 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_check", "V2C",
477                                              RXKADSEALEDINCON);
478                 goto protocol_error;
479         }
480 
481         if (data_size > len) {
482                 aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_datalen", "V2L",
483                                              RXKADDATALEN);
484                 goto protocol_error;
485         }
486 
487         _leave(" = 0 [dlen=%x]", data_size);
488         return 0;
489 
490 protocol_error:
491         if (aborted)
492                 rxrpc_send_abort_packet(call);
493         return -EPROTO;
494 
495 nomem:
496         _leave(" = -ENOMEM");
497         return -ENOMEM;
498 }
499 
500 /*
501  * Verify the security on a received packet or subpacket (if part of a
502  * jumbo packet).
503  */
504 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb,
505                                unsigned int offset, unsigned int len,
506                                rxrpc_seq_t seq, u16 expected_cksum)
507 {
508         SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
509         struct rxrpc_crypt iv;
510         struct scatterlist sg;
511         bool aborted;
512         u16 cksum;
513         u32 x, y;
514 
515         _enter("{%d{%x}},{#%u}",
516                call->debug_id, key_serial(call->conn->params.key), seq);
517 
518         if (!call->conn->cipher)
519                 return 0;
520 
521         /* continue encrypting from where we left off */
522         memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
523 
524         /* validate the security checksum */
525         x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
526         x |= seq & 0x3fffffff;
527         call->crypto_buf[0] = htonl(call->call_id);
528         call->crypto_buf[1] = htonl(x);
529 
530         sg_init_one(&sg, call->crypto_buf, 8);
531         skcipher_request_set_tfm(req, call->conn->cipher);
532         skcipher_request_set_callback(req, 0, NULL, NULL);
533         skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
534         crypto_skcipher_encrypt(req);
535         skcipher_request_zero(req);
536 
537         y = ntohl(call->crypto_buf[1]);
538         cksum = (y >> 16) & 0xffff;
539         if (cksum == 0)
540                 cksum = 1; /* zero checksums are not permitted */
541 
542         if (cksum != expected_cksum) {
543                 aborted = rxrpc_abort_eproto(call, skb, "rxkad_csum", "VCK",
544                                              RXKADSEALEDINCON);
545                 goto protocol_error;
546         }
547 
548         switch (call->conn->params.security_level) {
549         case RXRPC_SECURITY_PLAIN:
550                 return 0;
551         case RXRPC_SECURITY_AUTH:
552                 return rxkad_verify_packet_1(call, skb, offset, len, seq);
553         case RXRPC_SECURITY_ENCRYPT:
554                 return rxkad_verify_packet_2(call, skb, offset, len, seq);
555         default:
556                 return -ENOANO;
557         }
558 
559 protocol_error:
560         if (aborted)
561                 rxrpc_send_abort_packet(call);
562         return -EPROTO;
563 }
564 
565 /*
566  * Locate the data contained in a packet that was partially encrypted.
567  */
568 static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb,
569                                 unsigned int *_offset, unsigned int *_len)
570 {
571         struct rxkad_level1_hdr sechdr;
572 
573         if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
574                 BUG();
575         *_offset += sizeof(sechdr);
576         *_len = ntohl(sechdr.data_size) & 0xffff;
577 }
578 
579 /*
580  * Locate the data contained in a packet that was completely encrypted.
581  */
582 static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb,
583                                 unsigned int *_offset, unsigned int *_len)
584 {
585         struct rxkad_level2_hdr sechdr;
586 
587         if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
588                 BUG();
589         *_offset += sizeof(sechdr);
590         *_len = ntohl(sechdr.data_size) & 0xffff;
591 }
592 
593 /*
594  * Locate the data contained in an already decrypted packet.
595  */
596 static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb,
597                               unsigned int *_offset, unsigned int *_len)
598 {
599         switch (call->conn->params.security_level) {
600         case RXRPC_SECURITY_AUTH:
601                 rxkad_locate_data_1(call, skb, _offset, _len);
602                 return;
603         case RXRPC_SECURITY_ENCRYPT:
604                 rxkad_locate_data_2(call, skb, _offset, _len);
605                 return;
606         default:
607                 return;
608         }
609 }
610 
611 /*
612  * issue a challenge
613  */
614 static int rxkad_issue_challenge(struct rxrpc_connection *conn)
615 {
616         struct rxkad_challenge challenge;
617         struct rxrpc_wire_header whdr;
618         struct msghdr msg;
619         struct kvec iov[2];
620         size_t len;
621         u32 serial;
622         int ret;
623 
624         _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
625 
626         ret = key_validate(conn->params.key);
627         if (ret < 0)
628                 return ret;
629 
630         get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
631 
632         challenge.version       = htonl(2);
633         challenge.nonce         = htonl(conn->security_nonce);
634         challenge.min_level     = htonl(0);
635         challenge.__padding     = 0;
636 
637         msg.msg_name    = &conn->params.peer->srx.transport;
638         msg.msg_namelen = conn->params.peer->srx.transport_len;
639         msg.msg_control = NULL;
640         msg.msg_controllen = 0;
641         msg.msg_flags   = 0;
642 
643         whdr.epoch      = htonl(conn->proto.epoch);
644         whdr.cid        = htonl(conn->proto.cid);
645         whdr.callNumber = 0;
646         whdr.seq        = 0;
647         whdr.type       = RXRPC_PACKET_TYPE_CHALLENGE;
648         whdr.flags      = conn->out_clientflag;
649         whdr.userStatus = 0;
650         whdr.securityIndex = conn->security_ix;
651         whdr._rsvd      = 0;
652         whdr.serviceId  = htons(conn->service_id);
653 
654         iov[0].iov_base = &whdr;
655         iov[0].iov_len  = sizeof(whdr);
656         iov[1].iov_base = &challenge;
657         iov[1].iov_len  = sizeof(challenge);
658 
659         len = iov[0].iov_len + iov[1].iov_len;
660 
661         serial = atomic_inc_return(&conn->serial);
662         whdr.serial = htonl(serial);
663         _proto("Tx CHALLENGE %%%u", serial);
664 
665         ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
666         if (ret < 0) {
667                 _debug("sendmsg failed: %d", ret);
668                 return -EAGAIN;
669         }
670 
671         _leave(" = 0");
672         return 0;
673 }
674 
675 /*
676  * send a Kerberos security response
677  */
678 static int rxkad_send_response(struct rxrpc_connection *conn,
679                                struct rxrpc_host_header *hdr,
680                                struct rxkad_response *resp,
681                                const struct rxkad_key *s2)
682 {
683         struct rxrpc_wire_header whdr;
684         struct msghdr msg;
685         struct kvec iov[3];
686         size_t len;
687         u32 serial;
688         int ret;
689 
690         _enter("");
691 
692         msg.msg_name    = &conn->params.peer->srx.transport;
693         msg.msg_namelen = conn->params.peer->srx.transport_len;
694         msg.msg_control = NULL;
695         msg.msg_controllen = 0;
696         msg.msg_flags   = 0;
697 
698         memset(&whdr, 0, sizeof(whdr));
699         whdr.epoch      = htonl(hdr->epoch);
700         whdr.cid        = htonl(hdr->cid);
701         whdr.type       = RXRPC_PACKET_TYPE_RESPONSE;
702         whdr.flags      = conn->out_clientflag;
703         whdr.securityIndex = hdr->securityIndex;
704         whdr.serviceId  = htons(hdr->serviceId);
705 
706         iov[0].iov_base = &whdr;
707         iov[0].iov_len  = sizeof(whdr);
708         iov[1].iov_base = resp;
709         iov[1].iov_len  = sizeof(*resp);
710         iov[2].iov_base = (void *)s2->ticket;
711         iov[2].iov_len  = s2->ticket_len;
712 
713         len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
714 
715         serial = atomic_inc_return(&conn->serial);
716         whdr.serial = htonl(serial);
717         _proto("Tx RESPONSE %%%u", serial);
718 
719         ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
720         if (ret < 0) {
721                 _debug("sendmsg failed: %d", ret);
722                 return -EAGAIN;
723         }
724 
725         _leave(" = 0");
726         return 0;
727 }
728 
729 /*
730  * calculate the response checksum
731  */
732 static void rxkad_calc_response_checksum(struct rxkad_response *response)
733 {
734         u32 csum = 1000003;
735         int loop;
736         u8 *p = (u8 *) response;
737 
738         for (loop = sizeof(*response); loop > 0; loop--)
739                 csum = csum * 0x10204081 + *p++;
740 
741         response->encrypted.checksum = htonl(csum);
742 }
743 
744 /*
745  * encrypt the response packet
746  */
747 static void rxkad_encrypt_response(struct rxrpc_connection *conn,
748                                    struct rxkad_response *resp,
749                                    const struct rxkad_key *s2)
750 {
751         SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
752         struct rxrpc_crypt iv;
753         struct scatterlist sg[1];
754 
755         /* continue encrypting from where we left off */
756         memcpy(&iv, s2->session_key, sizeof(iv));
757 
758         sg_init_table(sg, 1);
759         sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
760         skcipher_request_set_tfm(req, conn->cipher);
761         skcipher_request_set_callback(req, 0, NULL, NULL);
762         skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
763         crypto_skcipher_encrypt(req);
764         skcipher_request_zero(req);
765 }
766 
767 /*
768  * respond to a challenge packet
769  */
770 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
771                                       struct sk_buff *skb,
772                                       u32 *_abort_code)
773 {
774         const struct rxrpc_key_token *token;
775         struct rxkad_challenge challenge;
776         struct rxkad_response resp
777                 __attribute__((aligned(8))); /* must be aligned for crypto */
778         struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
779         const char *eproto;
780         u32 version, nonce, min_level, abort_code;
781         int ret;
782 
783         _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
784 
785         eproto = tracepoint_string("chall_no_key");
786         abort_code = RX_PROTOCOL_ERROR;
787         if (!conn->params.key)
788                 goto protocol_error;
789 
790         abort_code = RXKADEXPIRED;
791         ret = key_validate(conn->params.key);
792         if (ret < 0)
793                 goto other_error;
794 
795         eproto = tracepoint_string("chall_short");
796         abort_code = RXKADPACKETSHORT;
797         if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
798                           &challenge, sizeof(challenge)) < 0)
799                 goto protocol_error;
800 
801         version = ntohl(challenge.version);
802         nonce = ntohl(challenge.nonce);
803         min_level = ntohl(challenge.min_level);
804 
805         _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
806                sp->hdr.serial, version, nonce, min_level);
807 
808         eproto = tracepoint_string("chall_ver");
809         abort_code = RXKADINCONSISTENCY;
810         if (version != RXKAD_VERSION)
811                 goto protocol_error;
812 
813         abort_code = RXKADLEVELFAIL;
814         ret = -EACCES;
815         if (conn->params.security_level < min_level)
816                 goto other_error;
817 
818         token = conn->params.key->payload.data[0];
819 
820         /* build the response packet */
821         memset(&resp, 0, sizeof(resp));
822 
823         resp.version                    = htonl(RXKAD_VERSION);
824         resp.encrypted.epoch            = htonl(conn->proto.epoch);
825         resp.encrypted.cid              = htonl(conn->proto.cid);
826         resp.encrypted.securityIndex    = htonl(conn->security_ix);
827         resp.encrypted.inc_nonce        = htonl(nonce + 1);
828         resp.encrypted.level            = htonl(conn->params.security_level);
829         resp.kvno                       = htonl(token->kad->kvno);
830         resp.ticket_len                 = htonl(token->kad->ticket_len);
831 
832         resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter);
833         resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter);
834         resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter);
835         resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter);
836 
837         /* calculate the response checksum and then do the encryption */
838         rxkad_calc_response_checksum(&resp);
839         rxkad_encrypt_response(conn, &resp, token->kad);
840         return rxkad_send_response(conn, &sp->hdr, &resp, token->kad);
841 
842 protocol_error:
843         trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
844         ret = -EPROTO;
845 other_error:
846         *_abort_code = abort_code;
847         return ret;
848 }
849 
850 /*
851  * decrypt the kerberos IV ticket in the response
852  */
853 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
854                                 struct sk_buff *skb,
855                                 void *ticket, size_t ticket_len,
856                                 struct rxrpc_crypt *_session_key,
857                                 time64_t *_expiry,
858                                 u32 *_abort_code)
859 {
860         struct skcipher_request *req;
861         struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
862         struct rxrpc_crypt iv, key;
863         struct scatterlist sg[1];
864         struct in_addr addr;
865         unsigned int life;
866         const char *eproto;
867         time64_t issue, now;
868         bool little_endian;
869         int ret;
870         u32 abort_code;
871         u8 *p, *q, *name, *end;
872 
873         _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
874 
875         *_expiry = 0;
876 
877         ret = key_validate(conn->server_key);
878         if (ret < 0) {
879                 switch (ret) {
880                 case -EKEYEXPIRED:
881                         abort_code = RXKADEXPIRED;
882                         goto other_error;
883                 default:
884                         abort_code = RXKADNOAUTH;
885                         goto other_error;
886                 }
887         }
888 
889         ASSERT(conn->server_key->payload.data[0] != NULL);
890         ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
891 
892         memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
893 
894         ret = -ENOMEM;
895         req = skcipher_request_alloc(conn->server_key->payload.data[0],
896                                      GFP_NOFS);
897         if (!req)
898                 goto temporary_error;
899 
900         sg_init_one(&sg[0], ticket, ticket_len);
901         skcipher_request_set_callback(req, 0, NULL, NULL);
902         skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
903         crypto_skcipher_decrypt(req);
904         skcipher_request_free(req);
905 
906         p = ticket;
907         end = p + ticket_len;
908 
909 #define Z(field)                                        \
910         ({                                              \
911                 u8 *__str = p;                          \
912                 eproto = tracepoint_string("rxkad_bad_"#field); \
913                 q = memchr(p, 0, end - p);              \
914                 if (!q || q - p > (field##_SZ))         \
915                         goto bad_ticket;                \
916                 for (; p < q; p++)                      \
917                         if (!isprint(*p))               \
918                                 goto bad_ticket;        \
919                 p++;                                    \
920                 __str;                                  \
921         })
922 
923         /* extract the ticket flags */
924         _debug("KIV FLAGS: %x", *p);
925         little_endian = *p & 1;
926         p++;
927 
928         /* extract the authentication name */
929         name = Z(ANAME);
930         _debug("KIV ANAME: %s", name);
931 
932         /* extract the principal's instance */
933         name = Z(INST);
934         _debug("KIV INST : %s", name);
935 
936         /* extract the principal's authentication domain */
937         name = Z(REALM);
938         _debug("KIV REALM: %s", name);
939 
940         eproto = tracepoint_string("rxkad_bad_len");
941         if (end - p < 4 + 8 + 4 + 2)
942                 goto bad_ticket;
943 
944         /* get the IPv4 address of the entity that requested the ticket */
945         memcpy(&addr, p, sizeof(addr));
946         p += 4;
947         _debug("KIV ADDR : %pI4", &addr);
948 
949         /* get the session key from the ticket */
950         memcpy(&key, p, sizeof(key));
951         p += 8;
952         _debug("KIV KEY  : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
953         memcpy(_session_key, &key, sizeof(key));
954 
955         /* get the ticket's lifetime */
956         life = *p++ * 5 * 60;
957         _debug("KIV LIFE : %u", life);
958 
959         /* get the issue time of the ticket */
960         if (little_endian) {
961                 __le32 stamp;
962                 memcpy(&stamp, p, 4);
963                 issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
964         } else {
965                 __be32 stamp;
966                 memcpy(&stamp, p, 4);
967                 issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
968         }
969         p += 4;
970         now = ktime_get_real_seconds();
971         _debug("KIV ISSUE: %llx [%llx]", issue, now);
972 
973         /* check the ticket is in date */
974         if (issue > now) {
975                 abort_code = RXKADNOAUTH;
976                 ret = -EKEYREJECTED;
977                 goto other_error;
978         }
979 
980         if (issue < now - life) {
981                 abort_code = RXKADEXPIRED;
982                 ret = -EKEYEXPIRED;
983                 goto other_error;
984         }
985 
986         *_expiry = issue + life;
987 
988         /* get the service name */
989         name = Z(SNAME);
990         _debug("KIV SNAME: %s", name);
991 
992         /* get the service instance name */
993         name = Z(INST);
994         _debug("KIV SINST: %s", name);
995         return 0;
996 
997 bad_ticket:
998         trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
999         abort_code = RXKADBADTICKET;
1000         ret = -EPROTO;
1001 other_error:
1002         *_abort_code = abort_code;
1003         return ret;
1004 temporary_error:
1005         return ret;
1006 }
1007 
1008 /*
1009  * decrypt the response packet
1010  */
1011 static void rxkad_decrypt_response(struct rxrpc_connection *conn,
1012                                    struct rxkad_response *resp,
1013                                    const struct rxrpc_crypt *session_key)
1014 {
1015         SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci);
1016         struct scatterlist sg[1];
1017         struct rxrpc_crypt iv;
1018 
1019         _enter(",,%08x%08x",
1020                ntohl(session_key->n[0]), ntohl(session_key->n[1]));
1021 
1022         ASSERT(rxkad_ci != NULL);
1023 
1024         mutex_lock(&rxkad_ci_mutex);
1025         if (crypto_skcipher_setkey(rxkad_ci, session_key->x,
1026                                    sizeof(*session_key)) < 0)
1027                 BUG();
1028 
1029         memcpy(&iv, session_key, sizeof(iv));
1030 
1031         sg_init_table(sg, 1);
1032         sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1033         skcipher_request_set_tfm(req, rxkad_ci);
1034         skcipher_request_set_callback(req, 0, NULL, NULL);
1035         skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1036         crypto_skcipher_decrypt(req);
1037         skcipher_request_zero(req);
1038 
1039         mutex_unlock(&rxkad_ci_mutex);
1040 
1041         _leave("");
1042 }
1043 
1044 /*
1045  * verify a response
1046  */
1047 static int rxkad_verify_response(struct rxrpc_connection *conn,
1048                                  struct sk_buff *skb,
1049                                  u32 *_abort_code)
1050 {
1051         struct rxkad_response response
1052                 __attribute__((aligned(8))); /* must be aligned for crypto */
1053         struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1054         struct rxrpc_crypt session_key;
1055         const char *eproto;
1056         time64_t expiry;
1057         void *ticket;
1058         u32 abort_code, version, kvno, ticket_len, level;
1059         __be32 csum;
1060         int ret, i;
1061 
1062         _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
1063 
1064         eproto = tracepoint_string("rxkad_rsp_short");
1065         abort_code = RXKADPACKETSHORT;
1066         if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1067                           &response, sizeof(response)) < 0)
1068                 goto protocol_error;
1069         if (!pskb_pull(skb, sizeof(response)))
1070                 BUG();
1071 
1072         version = ntohl(response.version);
1073         ticket_len = ntohl(response.ticket_len);
1074         kvno = ntohl(response.kvno);
1075         _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1076                sp->hdr.serial, version, kvno, ticket_len);
1077 
1078         eproto = tracepoint_string("rxkad_rsp_ver");
1079         abort_code = RXKADINCONSISTENCY;
1080         if (version != RXKAD_VERSION)
1081                 goto protocol_error;
1082 
1083         eproto = tracepoint_string("rxkad_rsp_tktlen");
1084         abort_code = RXKADTICKETLEN;
1085         if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1086                 goto protocol_error;
1087 
1088         eproto = tracepoint_string("rxkad_rsp_unkkey");
1089         abort_code = RXKADUNKNOWNKEY;
1090         if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1091                 goto protocol_error;
1092 
1093         /* extract the kerberos ticket and decrypt and decode it */
1094         ret = -ENOMEM;
1095         ticket = kmalloc(ticket_len, GFP_NOFS);
1096         if (!ticket)
1097                 goto temporary_error;
1098 
1099         eproto = tracepoint_string("rxkad_tkt_short");
1100         abort_code = RXKADPACKETSHORT;
1101         if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1102                           ticket, ticket_len) < 0)
1103                 goto protocol_error_free;
1104 
1105         ret = rxkad_decrypt_ticket(conn, skb, ticket, ticket_len, &session_key,
1106                                    &expiry, _abort_code);
1107         if (ret < 0)
1108                 goto temporary_error_free;
1109 
1110         /* use the session key from inside the ticket to decrypt the
1111          * response */
1112         rxkad_decrypt_response(conn, &response, &session_key);
1113 
1114         eproto = tracepoint_string("rxkad_rsp_param");
1115         abort_code = RXKADSEALEDINCON;
1116         if (ntohl(response.encrypted.epoch) != conn->proto.epoch)
1117                 goto protocol_error_free;
1118         if (ntohl(response.encrypted.cid) != conn->proto.cid)
1119                 goto protocol_error_free;
1120         if (ntohl(response.encrypted.securityIndex) != conn->security_ix)
1121                 goto protocol_error_free;
1122         csum = response.encrypted.checksum;
1123         response.encrypted.checksum = 0;
1124         rxkad_calc_response_checksum(&response);
1125         eproto = tracepoint_string("rxkad_rsp_csum");
1126         if (response.encrypted.checksum != csum)
1127                 goto protocol_error_free;
1128 
1129         spin_lock(&conn->channel_lock);
1130         for (i = 0; i < RXRPC_MAXCALLS; i++) {
1131                 struct rxrpc_call *call;
1132                 u32 call_id = ntohl(response.encrypted.call_id[i]);
1133 
1134                 eproto = tracepoint_string("rxkad_rsp_callid");
1135                 if (call_id > INT_MAX)
1136                         goto protocol_error_unlock;
1137 
1138                 eproto = tracepoint_string("rxkad_rsp_callctr");
1139                 if (call_id < conn->channels[i].call_counter)
1140                         goto protocol_error_unlock;
1141 
1142                 eproto = tracepoint_string("rxkad_rsp_callst");
1143                 if (call_id > conn->channels[i].call_counter) {
1144                         call = rcu_dereference_protected(
1145                                 conn->channels[i].call,
1146                                 lockdep_is_held(&conn->channel_lock));
1147                         if (call && call->state < RXRPC_CALL_COMPLETE)
1148                                 goto protocol_error_unlock;
1149                         conn->channels[i].call_counter = call_id;
1150                 }
1151         }
1152         spin_unlock(&conn->channel_lock);
1153 
1154         eproto = tracepoint_string("rxkad_rsp_seq");
1155         abort_code = RXKADOUTOFSEQUENCE;
1156         if (ntohl(response.encrypted.inc_nonce) != conn->security_nonce + 1)
1157                 goto protocol_error_free;
1158 
1159         eproto = tracepoint_string("rxkad_rsp_level");
1160         abort_code = RXKADLEVELFAIL;
1161         level = ntohl(response.encrypted.level);
1162         if (level > RXRPC_SECURITY_ENCRYPT)
1163                 goto protocol_error_free;
1164         conn->params.security_level = level;
1165 
1166         /* create a key to hold the security data and expiration time - after
1167          * this the connection security can be handled in exactly the same way
1168          * as for a client connection */
1169         ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1170         if (ret < 0)
1171                 goto temporary_error_free;
1172 
1173         kfree(ticket);
1174         _leave(" = 0");
1175         return 0;
1176 
1177 protocol_error_unlock:
1178         spin_unlock(&conn->channel_lock);
1179 protocol_error_free:
1180         kfree(ticket);
1181 protocol_error:
1182         trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1183         *_abort_code = abort_code;
1184         return -EPROTO;
1185 
1186 temporary_error_free:
1187         kfree(ticket);
1188 temporary_error:
1189         /* Ignore the response packet if we got a temporary error such as
1190          * ENOMEM.  We just want to send the challenge again.  Note that we
1191          * also come out this way if the ticket decryption fails.
1192          */
1193         return ret;
1194 }
1195 
1196 /*
1197  * clear the connection security
1198  */
1199 static void rxkad_clear(struct rxrpc_connection *conn)
1200 {
1201         _enter("");
1202 
1203         if (conn->cipher)
1204                 crypto_free_skcipher(conn->cipher);
1205 }
1206 
1207 /*
1208  * Initialise the rxkad security service.
1209  */
1210 static int rxkad_init(void)
1211 {
1212         /* pin the cipher we need so that the crypto layer doesn't invoke
1213          * keventd to go get it */
1214         rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
1215         return PTR_ERR_OR_ZERO(rxkad_ci);
1216 }
1217 
1218 /*
1219  * Clean up the rxkad security service.
1220  */
1221 static void rxkad_exit(void)
1222 {
1223         if (rxkad_ci)
1224                 crypto_free_skcipher(rxkad_ci);
1225 }
1226 
1227 /*
1228  * RxRPC Kerberos-based security
1229  */
1230 const struct rxrpc_security rxkad = {
1231         .name                           = "rxkad",
1232         .security_index                 = RXRPC_SECURITY_RXKAD,
1233         .init                           = rxkad_init,
1234         .exit                           = rxkad_exit,
1235         .init_connection_security       = rxkad_init_connection_security,
1236         .prime_packet_security          = rxkad_prime_packet_security,
1237         .secure_packet                  = rxkad_secure_packet,
1238         .verify_packet                  = rxkad_verify_packet,
1239         .locate_data                    = rxkad_locate_data,
1240         .issue_challenge                = rxkad_issue_challenge,
1241         .respond_to_challenge           = rxkad_respond_to_challenge,
1242         .verify_response                = rxkad_verify_response,
1243         .clear                          = rxkad_clear,
1244 };
1245 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp