aboutsummaryrefslogtreecommitdiffstats
path: root/net/rxrpc/rxkad.c
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2007-04-26 18:48:28 -0400
committerDavid S. Miller <davem@davemloft.net>2007-04-26 18:48:28 -0400
commit17926a79320afa9b95df6b977b40cca6d8713cea (patch)
tree5cedff43b69520ad17b86783d3752053686ec99c /net/rxrpc/rxkad.c
parente19dff1fdd99a25819af74cf0710e147fff4fd3a (diff)
[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both
Provide AF_RXRPC sockets that can be used to talk to AFS servers, or serve answers to AFS clients. KerberosIV security is fully supported. The patches and some example test programs can be found in: http://people.redhat.com/~dhowells/rxrpc/ This will eventually replace the old implementation of kernel-only RxRPC currently resident in net/rxrpc/. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/rxrpc/rxkad.c')
-rw-r--r--net/rxrpc/rxkad.c1153
1 files changed, 1153 insertions, 0 deletions
diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c
new file mode 100644
index 000000000000..1eaf529efac1
--- /dev/null
+++ b/net/rxrpc/rxkad.c
@@ -0,0 +1,1153 @@
1/* Kerberos-based RxRPC security
2 *
3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 */
11
12#include <linux/module.h>
13#include <linux/net.h>
14#include <linux/skbuff.h>
15#include <linux/udp.h>
16#include <linux/crypto.h>
17#include <linux/scatterlist.h>
18#include <linux/ctype.h>
19#include <net/sock.h>
20#include <net/af_rxrpc.h>
21#include "ar-internal.h"
22
23#define RXKAD_VERSION 2
24#define MAXKRB5TICKETLEN 1024
25#define RXKAD_TKT_TYPE_KERBEROS_V5 256
26#define ANAME_SZ 40 /* size of authentication name */
27#define INST_SZ 40 /* size of principal's instance */
28#define REALM_SZ 40 /* size of principal's auth domain */
29#define SNAME_SZ 40 /* size of service name */
30
31unsigned rxrpc_debug;
32module_param_named(debug, rxrpc_debug, uint, S_IWUSR | S_IRUGO);
33MODULE_PARM_DESC(rxrpc_debug, "rxkad debugging mask");
34
35struct rxkad_level1_hdr {
36 __be32 data_size; /* true data size (excluding padding) */
37};
38
39struct rxkad_level2_hdr {
40 __be32 data_size; /* true data size (excluding padding) */
41 __be32 checksum; /* decrypted data checksum */
42};
43
44MODULE_DESCRIPTION("RxRPC network protocol type-2 security (Kerberos)");
45MODULE_AUTHOR("Red Hat, Inc.");
46MODULE_LICENSE("GPL");
47
48/*
49 * this holds a pinned cipher so that keventd doesn't get called by the cipher
50 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
51 * packets
52 */
53static struct crypto_blkcipher *rxkad_ci;
54static DEFINE_MUTEX(rxkad_ci_mutex);
55
56/*
57 * initialise connection security
58 */
59static int rxkad_init_connection_security(struct rxrpc_connection *conn)
60{
61 struct rxrpc_key_payload *payload;
62 struct crypto_blkcipher *ci;
63 int ret;
64
65 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->key));
66
67 payload = conn->key->payload.data;
68 conn->security_ix = payload->k.security_index;
69
70 ci = crypto_alloc_blkcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
71 if (IS_ERR(ci)) {
72 _debug("no cipher");
73 ret = PTR_ERR(ci);
74 goto error;
75 }
76
77 if (crypto_blkcipher_setkey(ci, payload->k.session_key,
78 sizeof(payload->k.session_key)) < 0)
79 BUG();
80
81 switch (conn->security_level) {
82 case RXRPC_SECURITY_PLAIN:
83 break;
84 case RXRPC_SECURITY_AUTH:
85 conn->size_align = 8;
86 conn->security_size = sizeof(struct rxkad_level1_hdr);
87 conn->header_size += sizeof(struct rxkad_level1_hdr);
88 break;
89 case RXRPC_SECURITY_ENCRYPT:
90 conn->size_align = 8;
91 conn->security_size = sizeof(struct rxkad_level2_hdr);
92 conn->header_size += sizeof(struct rxkad_level2_hdr);
93 break;
94 default:
95 ret = -EKEYREJECTED;
96 goto error;
97 }
98
99 conn->cipher = ci;
100 ret = 0;
101error:
102 _leave(" = %d", ret);
103 return ret;
104}
105
106/*
107 * prime the encryption state with the invariant parts of a connection's
108 * description
109 */
110static void rxkad_prime_packet_security(struct rxrpc_connection *conn)
111{
112 struct rxrpc_key_payload *payload;
113 struct blkcipher_desc desc;
114 struct scatterlist sg[2];
115 struct rxrpc_crypt iv;
116 struct {
117 __be32 x[4];
118 } tmpbuf __attribute__((aligned(16))); /* must all be in same page */
119
120 _enter("");
121
122 if (!conn->key)
123 return;
124
125 payload = conn->key->payload.data;
126 memcpy(&iv, payload->k.session_key, sizeof(iv));
127
128 desc.tfm = conn->cipher;
129 desc.info = iv.x;
130 desc.flags = 0;
131
132 tmpbuf.x[0] = conn->epoch;
133 tmpbuf.x[1] = conn->cid;
134 tmpbuf.x[2] = 0;
135 tmpbuf.x[3] = htonl(conn->security_ix);
136
137 memset(sg, 0, sizeof(sg));
138 sg_set_buf(&sg[0], &tmpbuf, sizeof(tmpbuf));
139 sg_set_buf(&sg[1], &tmpbuf, sizeof(tmpbuf));
140 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf));
141
142 memcpy(&conn->csum_iv, &tmpbuf.x[2], sizeof(conn->csum_iv));
143 ASSERTCMP(conn->csum_iv.n[0], ==, tmpbuf.x[2]);
144
145 _leave("");
146}
147
148/*
149 * partially encrypt a packet (level 1 security)
150 */
151static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
152 struct sk_buff *skb,
153 u32 data_size,
154 void *sechdr)
155{
156 struct rxrpc_skb_priv *sp;
157 struct blkcipher_desc desc;
158 struct rxrpc_crypt iv;
159 struct scatterlist sg[2];
160 struct {
161 struct rxkad_level1_hdr hdr;
162 __be32 first; /* first four bytes of data and padding */
163 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */
164 u16 check;
165
166 sp = rxrpc_skb(skb);
167
168 _enter("");
169
170 check = ntohl(sp->hdr.seq ^ sp->hdr.callNumber);
171 data_size |= (u32) check << 16;
172
173 tmpbuf.hdr.data_size = htonl(data_size);
174 memcpy(&tmpbuf.first, sechdr + 4, sizeof(tmpbuf.first));
175
176 /* start the encryption afresh */
177 memset(&iv, 0, sizeof(iv));
178 desc.tfm = call->conn->cipher;
179 desc.info = iv.x;
180 desc.flags = 0;
181
182 memset(sg, 0, sizeof(sg));
183 sg_set_buf(&sg[0], &tmpbuf, sizeof(tmpbuf));
184 sg_set_buf(&sg[1], &tmpbuf, sizeof(tmpbuf));
185 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf));
186
187 memcpy(sechdr, &tmpbuf, sizeof(tmpbuf));
188
189 _leave(" = 0");
190 return 0;
191}
192
193/*
194 * wholly encrypt a packet (level 2 security)
195 */
196static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
197 struct sk_buff *skb,
198 u32 data_size,
199 void *sechdr)
200{
201 const struct rxrpc_key_payload *payload;
202 struct rxkad_level2_hdr rxkhdr
203 __attribute__((aligned(8))); /* must be all on one page */
204 struct rxrpc_skb_priv *sp;
205 struct blkcipher_desc desc;
206 struct rxrpc_crypt iv;
207 struct scatterlist sg[16];
208 struct sk_buff *trailer;
209 unsigned len;
210 u16 check;
211 int nsg;
212
213 sp = rxrpc_skb(skb);
214
215 _enter("");
216
217 check = ntohl(sp->hdr.seq ^ sp->hdr.callNumber);
218
219 rxkhdr.data_size = htonl(data_size | (u32) check << 16);
220 rxkhdr.checksum = 0;
221
222 /* encrypt from the session key */
223 payload = call->conn->key->payload.data;
224 memcpy(&iv, payload->k.session_key, sizeof(iv));
225 desc.tfm = call->conn->cipher;
226 desc.info = iv.x;
227 desc.flags = 0;
228
229 memset(sg, 0, sizeof(sg[0]) * 2);
230 sg_set_buf(&sg[0], sechdr, sizeof(rxkhdr));
231 sg_set_buf(&sg[1], &rxkhdr, sizeof(rxkhdr));
232 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(rxkhdr));
233
234 /* we want to encrypt the skbuff in-place */
235 nsg = skb_cow_data(skb, 0, &trailer);
236 if (nsg < 0 || nsg > 16)
237 return -ENOMEM;
238
239 len = data_size + call->conn->size_align - 1;
240 len &= ~(call->conn->size_align - 1);
241
242 skb_to_sgvec(skb, sg, 0, len);
243 crypto_blkcipher_encrypt_iv(&desc, sg, sg, len);
244
245 _leave(" = 0");
246 return 0;
247}
248
249/*
250 * checksum an RxRPC packet header
251 */
252static int rxkad_secure_packet(const struct rxrpc_call *call,
253 struct sk_buff *skb,
254 size_t data_size,
255 void *sechdr)
256{
257 struct rxrpc_skb_priv *sp;
258 struct blkcipher_desc desc;
259 struct rxrpc_crypt iv;
260 struct scatterlist sg[2];
261 struct {
262 __be32 x[2];
263 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */
264 __be32 x;
265 int ret;
266
267 sp = rxrpc_skb(skb);
268
269 _enter("{%d{%x}},{#%u},%zu,",
270 call->debug_id, key_serial(call->conn->key), ntohl(sp->hdr.seq),
271 data_size);
272
273 if (!call->conn->cipher)
274 return 0;
275
276 ret = key_validate(call->conn->key);
277 if (ret < 0)
278 return ret;
279
280 /* continue encrypting from where we left off */
281 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
282 desc.tfm = call->conn->cipher;
283 desc.info = iv.x;
284 desc.flags = 0;
285
286 /* calculate the security checksum */
287 x = htonl(call->channel << (32 - RXRPC_CIDSHIFT));
288 x |= sp->hdr.seq & __constant_cpu_to_be32(0x3fffffff);
289 tmpbuf.x[0] = sp->hdr.callNumber;
290 tmpbuf.x[1] = x;
291
292 memset(&sg, 0, sizeof(sg));
293 sg_set_buf(&sg[0], &tmpbuf, sizeof(tmpbuf));
294 sg_set_buf(&sg[1], &tmpbuf, sizeof(tmpbuf));
295 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf));
296
297 x = ntohl(tmpbuf.x[1]);
298 x = (x >> 16) & 0xffff;
299 if (x == 0)
300 x = 1; /* zero checksums are not permitted */
301 sp->hdr.cksum = htons(x);
302
303 switch (call->conn->security_level) {
304 case RXRPC_SECURITY_PLAIN:
305 ret = 0;
306 break;
307 case RXRPC_SECURITY_AUTH:
308 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr);
309 break;
310 case RXRPC_SECURITY_ENCRYPT:
311 ret = rxkad_secure_packet_encrypt(call, skb, data_size,
312 sechdr);
313 break;
314 default:
315 ret = -EPERM;
316 break;
317 }
318
319 _leave(" = %d [set %hx]", ret, x);
320 return ret;
321}
322
323/*
324 * decrypt partial encryption on a packet (level 1 security)
325 */
326static int rxkad_verify_packet_auth(const struct rxrpc_call *call,
327 struct sk_buff *skb,
328 u32 *_abort_code)
329{
330 struct rxkad_level1_hdr sechdr;
331 struct rxrpc_skb_priv *sp;
332 struct blkcipher_desc desc;
333 struct rxrpc_crypt iv;
334 struct scatterlist sg[2];
335 struct sk_buff *trailer;
336 u32 data_size, buf;
337 u16 check;
338
339 _enter("");
340
341 sp = rxrpc_skb(skb);
342
343 /* we want to decrypt the skbuff in-place */
344 if (skb_cow_data(skb, 0, &trailer) < 0)
345 goto nomem;
346
347 skb_to_sgvec(skb, sg, 0, 8);
348
349 /* start the decryption afresh */
350 memset(&iv, 0, sizeof(iv));
351 desc.tfm = call->conn->cipher;
352 desc.info = iv.x;
353 desc.flags = 0;
354
355 crypto_blkcipher_decrypt_iv(&desc, sg, sg, 8);
356
357 /* remove the decrypted packet length */
358 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0)
359 goto datalen_error;
360 if (!skb_pull(skb, sizeof(sechdr)))
361 BUG();
362
363 buf = ntohl(sechdr.data_size);
364 data_size = buf & 0xffff;
365
366 check = buf >> 16;
367 check ^= ntohl(sp->hdr.seq ^ sp->hdr.callNumber);
368 check &= 0xffff;
369 if (check != 0) {
370 *_abort_code = RXKADSEALEDINCON;
371 goto protocol_error;
372 }
373
374 /* shorten the packet to remove the padding */
375 if (data_size > skb->len)
376 goto datalen_error;
377 else if (data_size < skb->len)
378 skb->len = data_size;
379
380 _leave(" = 0 [dlen=%x]", data_size);
381 return 0;
382
383datalen_error:
384 *_abort_code = RXKADDATALEN;
385protocol_error:
386 _leave(" = -EPROTO");
387 return -EPROTO;
388
389nomem:
390 _leave(" = -ENOMEM");
391 return -ENOMEM;
392}
393
394/*
395 * wholly decrypt a packet (level 2 security)
396 */
397static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call,
398 struct sk_buff *skb,
399 u32 *_abort_code)
400{
401 const struct rxrpc_key_payload *payload;
402 struct rxkad_level2_hdr sechdr;
403 struct rxrpc_skb_priv *sp;
404 struct blkcipher_desc desc;
405 struct rxrpc_crypt iv;
406 struct scatterlist _sg[4], *sg;
407 struct sk_buff *trailer;
408 u32 data_size, buf;
409 u16 check;
410 int nsg;
411
412 _enter(",{%d}", skb->len);
413
414 sp = rxrpc_skb(skb);
415
416 /* we want to decrypt the skbuff in-place */
417 nsg = skb_cow_data(skb, 0, &trailer);
418 if (nsg < 0)
419 goto nomem;
420
421 sg = _sg;
422 if (unlikely(nsg > 4)) {
423 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO);
424 if (!sg)
425 goto nomem;
426 }
427
428 skb_to_sgvec(skb, sg, 0, skb->len);
429
430 /* decrypt from the session key */
431 payload = call->conn->key->payload.data;
432 memcpy(&iv, payload->k.session_key, sizeof(iv));
433 desc.tfm = call->conn->cipher;
434 desc.info = iv.x;
435 desc.flags = 0;
436
437 crypto_blkcipher_decrypt_iv(&desc, sg, sg, skb->len);
438 if (sg != _sg)
439 kfree(sg);
440
441 /* remove the decrypted packet length */
442 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0)
443 goto datalen_error;
444 if (!skb_pull(skb, sizeof(sechdr)))
445 BUG();
446
447 buf = ntohl(sechdr.data_size);
448 data_size = buf & 0xffff;
449
450 check = buf >> 16;
451 check ^= ntohl(sp->hdr.seq ^ sp->hdr.callNumber);
452 check &= 0xffff;
453 if (check != 0) {
454 *_abort_code = RXKADSEALEDINCON;
455 goto protocol_error;
456 }
457
458 /* shorten the packet to remove the padding */
459 if (data_size > skb->len)
460 goto datalen_error;
461 else if (data_size < skb->len)
462 skb->len = data_size;
463
464 _leave(" = 0 [dlen=%x]", data_size);
465 return 0;
466
467datalen_error:
468 *_abort_code = RXKADDATALEN;
469protocol_error:
470 _leave(" = -EPROTO");
471 return -EPROTO;
472
473nomem:
474 _leave(" = -ENOMEM");
475 return -ENOMEM;
476}
477
478/*
479 * verify the security on a received packet
480 */
481static int rxkad_verify_packet(const struct rxrpc_call *call,
482 struct sk_buff *skb,
483 u32 *_abort_code)
484{
485 struct blkcipher_desc desc;
486 struct rxrpc_skb_priv *sp;
487 struct rxrpc_crypt iv;
488 struct scatterlist sg[2];
489 struct {
490 __be32 x[2];
491 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */
492 __be32 x;
493 __be16 cksum;
494 int ret;
495
496 sp = rxrpc_skb(skb);
497
498 _enter("{%d{%x}},{#%u}",
499 call->debug_id, key_serial(call->conn->key),
500 ntohl(sp->hdr.seq));
501
502 if (!call->conn->cipher)
503 return 0;
504
505 if (sp->hdr.securityIndex != 2) {
506 *_abort_code = RXKADINCONSISTENCY;
507 _leave(" = -EPROTO [not rxkad]");
508 return -EPROTO;
509 }
510
511 /* continue encrypting from where we left off */
512 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
513 desc.tfm = call->conn->cipher;
514 desc.info = iv.x;
515 desc.flags = 0;
516
517 /* validate the security checksum */
518 x = htonl(call->channel << (32 - RXRPC_CIDSHIFT));
519 x |= sp->hdr.seq & __constant_cpu_to_be32(0x3fffffff);
520 tmpbuf.x[0] = call->call_id;
521 tmpbuf.x[1] = x;
522
523 memset(&sg, 0, sizeof(sg));
524 sg_set_buf(&sg[0], &tmpbuf, sizeof(tmpbuf));
525 sg_set_buf(&sg[1], &tmpbuf, sizeof(tmpbuf));
526 crypto_blkcipher_encrypt_iv(&desc, &sg[0], &sg[1], sizeof(tmpbuf));
527
528 x = ntohl(tmpbuf.x[1]);
529 x = (x >> 16) & 0xffff;
530 if (x == 0)
531 x = 1; /* zero checksums are not permitted */
532
533 cksum = htons(x);
534 if (sp->hdr.cksum != cksum) {
535 *_abort_code = RXKADSEALEDINCON;
536 _leave(" = -EPROTO [csum failed]");
537 return -EPROTO;
538 }
539
540 switch (call->conn->security_level) {
541 case RXRPC_SECURITY_PLAIN:
542 ret = 0;
543 break;
544 case RXRPC_SECURITY_AUTH:
545 ret = rxkad_verify_packet_auth(call, skb, _abort_code);
546 break;
547 case RXRPC_SECURITY_ENCRYPT:
548 ret = rxkad_verify_packet_encrypt(call, skb, _abort_code);
549 break;
550 default:
551 ret = -ENOANO;
552 break;
553 }
554
555 _leave(" = %d", ret);
556 return ret;
557}
558
559/*
560 * issue a challenge
561 */
562static int rxkad_issue_challenge(struct rxrpc_connection *conn)
563{
564 struct rxkad_challenge challenge;
565 struct rxrpc_header hdr;
566 struct msghdr msg;
567 struct kvec iov[2];
568 size_t len;
569 int ret;
570
571 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
572
573 ret = key_validate(conn->key);
574 if (ret < 0)
575 return ret;
576
577 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
578
579 challenge.version = htonl(2);
580 challenge.nonce = htonl(conn->security_nonce);
581 challenge.min_level = htonl(0);
582 challenge.__padding = 0;
583
584 msg.msg_name = &conn->trans->peer->srx.transport.sin;
585 msg.msg_namelen = sizeof(conn->trans->peer->srx.transport.sin);
586 msg.msg_control = NULL;
587 msg.msg_controllen = 0;
588 msg.msg_flags = 0;
589
590 hdr.epoch = conn->epoch;
591 hdr.cid = conn->cid;
592 hdr.callNumber = 0;
593 hdr.seq = 0;
594 hdr.type = RXRPC_PACKET_TYPE_CHALLENGE;
595 hdr.flags = conn->out_clientflag;
596 hdr.userStatus = 0;
597 hdr.securityIndex = conn->security_ix;
598 hdr._rsvd = 0;
599 hdr.serviceId = conn->service_id;
600
601 iov[0].iov_base = &hdr;
602 iov[0].iov_len = sizeof(hdr);
603 iov[1].iov_base = &challenge;
604 iov[1].iov_len = sizeof(challenge);
605
606 len = iov[0].iov_len + iov[1].iov_len;
607
608 hdr.serial = htonl(atomic_inc_return(&conn->serial));
609 _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial));
610
611 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
612 if (ret < 0) {
613 _debug("sendmsg failed: %d", ret);
614 return -EAGAIN;
615 }
616
617 _leave(" = 0");
618 return 0;
619}
620
621/*
622 * send a Kerberos security response
623 */
624static int rxkad_send_response(struct rxrpc_connection *conn,
625 struct rxrpc_header *hdr,
626 struct rxkad_response *resp,
627 const struct rxkad_key *s2)
628{
629 struct msghdr msg;
630 struct kvec iov[3];
631 size_t len;
632 int ret;
633
634 _enter("");
635
636 msg.msg_name = &conn->trans->peer->srx.transport.sin;
637 msg.msg_namelen = sizeof(conn->trans->peer->srx.transport.sin);
638 msg.msg_control = NULL;
639 msg.msg_controllen = 0;
640 msg.msg_flags = 0;
641
642 hdr->epoch = conn->epoch;
643 hdr->seq = 0;
644 hdr->type = RXRPC_PACKET_TYPE_RESPONSE;
645 hdr->flags = conn->out_clientflag;
646 hdr->userStatus = 0;
647 hdr->_rsvd = 0;
648
649 iov[0].iov_base = hdr;
650 iov[0].iov_len = sizeof(*hdr);
651 iov[1].iov_base = resp;
652 iov[1].iov_len = sizeof(*resp);
653 iov[2].iov_base = (void *) s2->ticket;
654 iov[2].iov_len = s2->ticket_len;
655
656 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
657
658 hdr->serial = htonl(atomic_inc_return(&conn->serial));
659 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
660
661 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
662 if (ret < 0) {
663 _debug("sendmsg failed: %d", ret);
664 return -EAGAIN;
665 }
666
667 _leave(" = 0");
668 return 0;
669}
670
671/*
672 * calculate the response checksum
673 */
674static void rxkad_calc_response_checksum(struct rxkad_response *response)
675{
676 u32 csum = 1000003;
677 int loop;
678 u8 *p = (u8 *) response;
679
680 for (loop = sizeof(*response); loop > 0; loop--)
681 csum = csum * 0x10204081 + *p++;
682
683 response->encrypted.checksum = htonl(csum);
684}
685
686/*
687 * load a scatterlist with a potentially split-page buffer
688 */
689static void rxkad_sg_set_buf2(struct scatterlist sg[2],
690 void *buf, size_t buflen)
691{
692
693 memset(sg, 0, sizeof(sg));
694
695 sg_set_buf(&sg[0], buf, buflen);
696 if (sg[0].offset + buflen > PAGE_SIZE) {
697 /* the buffer was split over two pages */
698 sg[0].length = PAGE_SIZE - sg[0].offset;
699 sg_set_buf(&sg[1], buf + sg[0].length, buflen - sg[0].length);
700 }
701
702 ASSERTCMP(sg[0].length + sg[1].length, ==, buflen);
703}
704
705/*
706 * encrypt the response packet
707 */
708static void rxkad_encrypt_response(struct rxrpc_connection *conn,
709 struct rxkad_response *resp,
710 const struct rxkad_key *s2)
711{
712 struct blkcipher_desc desc;
713 struct rxrpc_crypt iv;
714 struct scatterlist ssg[2], dsg[2];
715
716 /* continue encrypting from where we left off */
717 memcpy(&iv, s2->session_key, sizeof(iv));
718 desc.tfm = conn->cipher;
719 desc.info = iv.x;
720 desc.flags = 0;
721
722 rxkad_sg_set_buf2(ssg, &resp->encrypted, sizeof(resp->encrypted));
723 memcpy(dsg, ssg, sizeof(dsg));
724 crypto_blkcipher_encrypt_iv(&desc, dsg, ssg, sizeof(resp->encrypted));
725}
726
727/*
728 * respond to a challenge packet
729 */
730static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
731 struct sk_buff *skb,
732 u32 *_abort_code)
733{
734 const struct rxrpc_key_payload *payload;
735 struct rxkad_challenge challenge;
736 struct rxkad_response resp
737 __attribute__((aligned(8))); /* must be aligned for crypto */
738 struct rxrpc_skb_priv *sp;
739 u32 version, nonce, min_level, abort_code;
740 int ret;
741
742 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
743
744 if (!conn->key) {
745 _leave(" = -EPROTO [no key]");
746 return -EPROTO;
747 }
748
749 ret = key_validate(conn->key);
750 if (ret < 0) {
751 *_abort_code = RXKADEXPIRED;
752 return ret;
753 }
754
755 abort_code = RXKADPACKETSHORT;
756 sp = rxrpc_skb(skb);
757 if (skb_copy_bits(skb, 0, &challenge, sizeof(challenge)) < 0)
758 goto protocol_error;
759
760 version = ntohl(challenge.version);
761 nonce = ntohl(challenge.nonce);
762 min_level = ntohl(challenge.min_level);
763
764 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
765 ntohl(sp->hdr.serial), version, nonce, min_level);
766
767 abort_code = RXKADINCONSISTENCY;
768 if (version != RXKAD_VERSION)
769 goto protocol_error;
770
771 abort_code = RXKADLEVELFAIL;
772 if (conn->security_level < min_level)
773 goto protocol_error;
774
775 payload = conn->key->payload.data;
776
777 /* build the response packet */
778 memset(&resp, 0, sizeof(resp));
779
780 resp.version = RXKAD_VERSION;
781 resp.encrypted.epoch = conn->epoch;
782 resp.encrypted.cid = conn->cid;
783 resp.encrypted.securityIndex = htonl(conn->security_ix);
784 resp.encrypted.call_id[0] =
785 (conn->channels[0] ? conn->channels[0]->call_id : 0);
786 resp.encrypted.call_id[1] =
787 (conn->channels[1] ? conn->channels[1]->call_id : 0);
788 resp.encrypted.call_id[2] =
789 (conn->channels[2] ? conn->channels[2]->call_id : 0);
790 resp.encrypted.call_id[3] =
791 (conn->channels[3] ? conn->channels[3]->call_id : 0);
792 resp.encrypted.inc_nonce = htonl(nonce + 1);
793 resp.encrypted.level = htonl(conn->security_level);
794 resp.kvno = htonl(payload->k.kvno);
795 resp.ticket_len = htonl(payload->k.ticket_len);
796
797 /* calculate the response checksum and then do the encryption */
798 rxkad_calc_response_checksum(&resp);
799 rxkad_encrypt_response(conn, &resp, &payload->k);
800 return rxkad_send_response(conn, &sp->hdr, &resp, &payload->k);
801
802protocol_error:
803 *_abort_code = abort_code;
804 _leave(" = -EPROTO [%d]", abort_code);
805 return -EPROTO;
806}
807
808/*
809 * decrypt the kerberos IV ticket in the response
810 */
811static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
812 void *ticket, size_t ticket_len,
813 struct rxrpc_crypt *_session_key,
814 time_t *_expiry,
815 u32 *_abort_code)
816{
817 struct blkcipher_desc desc;
818 struct rxrpc_crypt iv, key;
819 struct scatterlist ssg[1], dsg[1];
820 struct in_addr addr;
821 unsigned life;
822 time_t issue, now;
823 bool little_endian;
824 int ret;
825 u8 *p, *q, *name, *end;
826
827 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
828
829 *_expiry = 0;
830
831 ret = key_validate(conn->server_key);
832 if (ret < 0) {
833 switch (ret) {
834 case -EKEYEXPIRED:
835 *_abort_code = RXKADEXPIRED;
836 goto error;
837 default:
838 *_abort_code = RXKADNOAUTH;
839 goto error;
840 }
841 }
842
843 ASSERT(conn->server_key->payload.data != NULL);
844 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
845
846 memcpy(&iv, &conn->server_key->type_data, sizeof(iv));
847
848 desc.tfm = conn->server_key->payload.data;
849 desc.info = iv.x;
850 desc.flags = 0;
851
852 sg_init_one(&ssg[0], ticket, ticket_len);
853 memcpy(dsg, ssg, sizeof(dsg));
854 crypto_blkcipher_decrypt_iv(&desc, dsg, ssg, ticket_len);
855
856 p = ticket;
857 end = p + ticket_len;
858
859#define Z(size) \
860 ({ \
861 u8 *__str = p; \
862 q = memchr(p, 0, end - p); \
863 if (!q || q - p > (size)) \
864 goto bad_ticket; \
865 for (; p < q; p++) \
866 if (!isprint(*p)) \
867 goto bad_ticket; \
868 p++; \
869 __str; \
870 })
871
872 /* extract the ticket flags */
873 _debug("KIV FLAGS: %x", *p);
874 little_endian = *p & 1;
875 p++;
876
877 /* extract the authentication name */
878 name = Z(ANAME_SZ);
879 _debug("KIV ANAME: %s", name);
880
881 /* extract the principal's instance */
882 name = Z(INST_SZ);
883 _debug("KIV INST : %s", name);
884
885 /* extract the principal's authentication domain */
886 name = Z(REALM_SZ);
887 _debug("KIV REALM: %s", name);
888
889 if (end - p < 4 + 8 + 4 + 2)
890 goto bad_ticket;
891
892 /* get the IPv4 address of the entity that requested the ticket */
893 memcpy(&addr, p, sizeof(addr));
894 p += 4;
895 _debug("KIV ADDR : "NIPQUAD_FMT, NIPQUAD(addr));
896
897 /* get the session key from the ticket */
898 memcpy(&key, p, sizeof(key));
899 p += 8;
900 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
901 memcpy(_session_key, &key, sizeof(key));
902
903 /* get the ticket's lifetime */
904 life = *p++ * 5 * 60;
905 _debug("KIV LIFE : %u", life);
906
907 /* get the issue time of the ticket */
908 if (little_endian) {
909 __le32 stamp;
910 memcpy(&stamp, p, 4);
911 issue = le32_to_cpu(stamp);
912 } else {
913 __be32 stamp;
914 memcpy(&stamp, p, 4);
915 issue = be32_to_cpu(stamp);
916 }
917 p += 4;
918 now = xtime.tv_sec;
919 _debug("KIV ISSUE: %lx [%lx]", issue, now);
920
921 /* check the ticket is in date */
922 if (issue > now) {
923 *_abort_code = RXKADNOAUTH;
924 ret = -EKEYREJECTED;
925 goto error;
926 }
927
928 if (issue < now - life) {
929 *_abort_code = RXKADEXPIRED;
930 ret = -EKEYEXPIRED;
931 goto error;
932 }
933
934 *_expiry = issue + life;
935
936 /* get the service name */
937 name = Z(SNAME_SZ);
938 _debug("KIV SNAME: %s", name);
939
940 /* get the service instance name */
941 name = Z(INST_SZ);
942 _debug("KIV SINST: %s", name);
943
944 ret = 0;
945error:
946 _leave(" = %d", ret);
947 return ret;
948
949bad_ticket:
950 *_abort_code = RXKADBADTICKET;
951 ret = -EBADMSG;
952 goto error;
953}
954
955/*
956 * decrypt the response packet
957 */
958static void rxkad_decrypt_response(struct rxrpc_connection *conn,
959 struct rxkad_response *resp,
960 const struct rxrpc_crypt *session_key)
961{
962 struct blkcipher_desc desc;
963 struct scatterlist ssg[2], dsg[2];
964 struct rxrpc_crypt iv;
965
966 _enter(",,%08x%08x",
967 ntohl(session_key->n[0]), ntohl(session_key->n[1]));
968
969 ASSERT(rxkad_ci != NULL);
970
971 mutex_lock(&rxkad_ci_mutex);
972 if (crypto_blkcipher_setkey(rxkad_ci, session_key->x,
973 sizeof(*session_key)) < 0)
974 BUG();
975
976 memcpy(&iv, session_key, sizeof(iv));
977 desc.tfm = rxkad_ci;
978 desc.info = iv.x;
979 desc.flags = 0;
980
981 rxkad_sg_set_buf2(ssg, &resp->encrypted, sizeof(resp->encrypted));
982 memcpy(dsg, ssg, sizeof(dsg));
983 crypto_blkcipher_decrypt_iv(&desc, dsg, ssg, sizeof(resp->encrypted));
984 mutex_unlock(&rxkad_ci_mutex);
985
986 _leave("");
987}
988
989/*
990 * verify a response
991 */
992static int rxkad_verify_response(struct rxrpc_connection *conn,
993 struct sk_buff *skb,
994 u32 *_abort_code)
995{
996 struct rxkad_response response
997 __attribute__((aligned(8))); /* must be aligned for crypto */
998 struct rxrpc_skb_priv *sp;
999 struct rxrpc_crypt session_key;
1000 time_t expiry;
1001 void *ticket;
1002 u32 abort_code, version, kvno, ticket_len, csum, level;
1003 int ret;
1004
1005 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
1006
1007 abort_code = RXKADPACKETSHORT;
1008 if (skb_copy_bits(skb, 0, &response, sizeof(response)) < 0)
1009 goto protocol_error;
1010 if (!pskb_pull(skb, sizeof(response)))
1011 BUG();
1012
1013 version = ntohl(response.version);
1014 ticket_len = ntohl(response.ticket_len);
1015 kvno = ntohl(response.kvno);
1016 sp = rxrpc_skb(skb);
1017 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1018 ntohl(sp->hdr.serial), version, kvno, ticket_len);
1019
1020 abort_code = RXKADINCONSISTENCY;
1021 if (version != RXKAD_VERSION)
1022
1023 abort_code = RXKADTICKETLEN;
1024 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1025 goto protocol_error;
1026
1027 abort_code = RXKADUNKNOWNKEY;
1028 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1029 goto protocol_error;
1030
1031 /* extract the kerberos ticket and decrypt and decode it */
1032 ticket = kmalloc(ticket_len, GFP_NOFS);
1033 if (!ticket)
1034 return -ENOMEM;
1035
1036 abort_code = RXKADPACKETSHORT;
1037 if (skb_copy_bits(skb, 0, ticket, ticket_len) < 0)
1038 goto protocol_error_free;
1039
1040 ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key,
1041 &expiry, &abort_code);
1042 if (ret < 0) {
1043 *_abort_code = abort_code;
1044 kfree(ticket);
1045 return ret;
1046 }
1047
1048 /* use the session key from inside the ticket to decrypt the
1049 * response */
1050 rxkad_decrypt_response(conn, &response, &session_key);
1051
1052 abort_code = RXKADSEALEDINCON;
1053 if (response.encrypted.epoch != conn->epoch)
1054 goto protocol_error_free;
1055 if (response.encrypted.cid != conn->cid)
1056 goto protocol_error_free;
1057 if (ntohl(response.encrypted.securityIndex) != conn->security_ix)
1058 goto protocol_error_free;
1059 csum = response.encrypted.checksum;
1060 response.encrypted.checksum = 0;
1061 rxkad_calc_response_checksum(&response);
1062 if (response.encrypted.checksum != csum)
1063 goto protocol_error_free;
1064
1065 if (ntohl(response.encrypted.call_id[0]) > INT_MAX ||
1066 ntohl(response.encrypted.call_id[1]) > INT_MAX ||
1067 ntohl(response.encrypted.call_id[2]) > INT_MAX ||
1068 ntohl(response.encrypted.call_id[3]) > INT_MAX)
1069 goto protocol_error_free;
1070
1071 abort_code = RXKADOUTOFSEQUENCE;
1072 if (response.encrypted.inc_nonce != htonl(conn->security_nonce + 1))
1073 goto protocol_error_free;
1074
1075 abort_code = RXKADLEVELFAIL;
1076 level = ntohl(response.encrypted.level);
1077 if (level > RXRPC_SECURITY_ENCRYPT)
1078 goto protocol_error_free;
1079 conn->security_level = level;
1080
1081 /* create a key to hold the security data and expiration time - after
1082 * this the connection security can be handled in exactly the same way
1083 * as for a client connection */
1084 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1085 if (ret < 0) {
1086 kfree(ticket);
1087 return ret;
1088 }
1089
1090 kfree(ticket);
1091 _leave(" = 0");
1092 return 0;
1093
1094protocol_error_free:
1095 kfree(ticket);
1096protocol_error:
1097 *_abort_code = abort_code;
1098 _leave(" = -EPROTO [%d]", abort_code);
1099 return -EPROTO;
1100}
1101
1102/*
1103 * clear the connection security
1104 */
1105static void rxkad_clear(struct rxrpc_connection *conn)
1106{
1107 _enter("");
1108
1109 if (conn->cipher)
1110 crypto_free_blkcipher(conn->cipher);
1111}
1112
1113/*
1114 * RxRPC Kerberos-based security
1115 */
1116static struct rxrpc_security rxkad = {
1117 .owner = THIS_MODULE,
1118 .name = "rxkad",
1119 .security_index = RXKAD_VERSION,
1120 .init_connection_security = rxkad_init_connection_security,
1121 .prime_packet_security = rxkad_prime_packet_security,
1122 .secure_packet = rxkad_secure_packet,
1123 .verify_packet = rxkad_verify_packet,
1124 .issue_challenge = rxkad_issue_challenge,
1125 .respond_to_challenge = rxkad_respond_to_challenge,
1126 .verify_response = rxkad_verify_response,
1127 .clear = rxkad_clear,
1128};
1129
1130static __init int rxkad_init(void)
1131{
1132 _enter("");
1133
1134 /* pin the cipher we need so that the crypto layer doesn't invoke
1135 * keventd to go get it */
1136 rxkad_ci = crypto_alloc_blkcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
1137 if (IS_ERR(rxkad_ci))
1138 return PTR_ERR(rxkad_ci);
1139
1140 return rxrpc_register_security(&rxkad);
1141}
1142
1143module_init(rxkad_init);
1144
1145static __exit void rxkad_exit(void)
1146{
1147 _enter("");
1148
1149 rxrpc_unregister_security(&rxkad);
1150 crypto_free_blkcipher(rxkad_ci);
1151}
1152
1153module_exit(rxkad_exit);
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-11 12:55:49 -0500