1 /* Kerberos-based RxRPC security
3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
12 #include <crypto/skcipher.h>
13 #include <linux/module.h>
14 #include <linux/net.h>
15 #include <linux/skbuff.h>
16 #include <linux/udp.h>
17 #include <linux/scatterlist.h>
18 #include <linux/ctype.h>
19 #include <linux/slab.h>
21 #include <net/af_rxrpc.h>
22 #include <keys/rxrpc-type.h>
23 #define rxrpc_debug rxkad_debug
24 #include "ar-internal.h"
26 #define RXKAD_VERSION 2
27 #define MAXKRB5TICKETLEN 1024
28 #define RXKAD_TKT_TYPE_KERBEROS_V5 256
29 #define ANAME_SZ 40 /* size of authentication name */
30 #define INST_SZ 40 /* size of principal's instance */
31 #define REALM_SZ 40 /* size of principal's auth domain */
32 #define SNAME_SZ 40 /* size of service name */
34 unsigned int rxrpc_debug
;
35 module_param_named(debug
, rxrpc_debug
, uint
, S_IWUSR
| S_IRUGO
);
36 MODULE_PARM_DESC(debug
, "rxkad debugging mask");
38 struct rxkad_level1_hdr
{
39 __be32 data_size
; /* true data size (excluding padding) */
42 struct rxkad_level2_hdr
{
43 __be32 data_size
; /* true data size (excluding padding) */
44 __be32 checksum
; /* decrypted data checksum */
47 MODULE_DESCRIPTION("RxRPC network protocol type-2 security (Kerberos 4)");
48 MODULE_AUTHOR("Red Hat, Inc.");
49 MODULE_LICENSE("GPL");
52 * this holds a pinned cipher so that keventd doesn't get called by the cipher
53 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
56 static struct crypto_skcipher
*rxkad_ci
;
57 static DEFINE_MUTEX(rxkad_ci_mutex
);
60 * initialise connection security
62 static int rxkad_init_connection_security(struct rxrpc_connection
*conn
)
64 struct crypto_skcipher
*ci
;
65 struct rxrpc_key_token
*token
;
68 _enter("{%d},{%x}", conn
->debug_id
, key_serial(conn
->key
));
70 token
= conn
->key
->payload
.data
[0];
71 conn
->security_ix
= token
->security_index
;
73 ci
= crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC
);
80 if (crypto_skcipher_setkey(ci
, token
->kad
->session_key
,
81 sizeof(token
->kad
->session_key
)) < 0)
84 switch (conn
->security_level
) {
85 case RXRPC_SECURITY_PLAIN
:
87 case RXRPC_SECURITY_AUTH
:
89 conn
->security_size
= sizeof(struct rxkad_level1_hdr
);
90 conn
->header_size
+= sizeof(struct rxkad_level1_hdr
);
92 case RXRPC_SECURITY_ENCRYPT
:
94 conn
->security_size
= sizeof(struct rxkad_level2_hdr
);
95 conn
->header_size
+= sizeof(struct rxkad_level2_hdr
);
105 _leave(" = %d", ret
);
110 * prime the encryption state with the invariant parts of a connection's
113 static void rxkad_prime_packet_security(struct rxrpc_connection
*conn
)
115 struct rxrpc_key_token
*token
;
116 SKCIPHER_REQUEST_ON_STACK(req
, conn
->cipher
);
117 struct scatterlist sg
[2];
118 struct rxrpc_crypt iv
;
121 } tmpbuf
__attribute__((aligned(16))); /* must all be in same page */
128 token
= conn
->key
->payload
.data
[0];
129 memcpy(&iv
, token
->kad
->session_key
, sizeof(iv
));
131 tmpbuf
.x
[0] = conn
->epoch
;
132 tmpbuf
.x
[1] = conn
->cid
;
134 tmpbuf
.x
[3] = htonl(conn
->security_ix
);
136 sg_init_one(&sg
[0], &tmpbuf
, sizeof(tmpbuf
));
137 sg_init_one(&sg
[1], &tmpbuf
, sizeof(tmpbuf
));
139 skcipher_request_set_tfm(req
, conn
->cipher
);
140 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
141 skcipher_request_set_crypt(req
, &sg
[1], &sg
[0], sizeof(tmpbuf
), iv
.x
);
143 crypto_skcipher_encrypt(req
);
144 skcipher_request_zero(req
);
146 memcpy(&conn
->csum_iv
, &tmpbuf
.x
[2], sizeof(conn
->csum_iv
));
147 ASSERTCMP(conn
->csum_iv
.n
[0], ==, tmpbuf
.x
[2]);
153 * partially encrypt a packet (level 1 security)
155 static int rxkad_secure_packet_auth(const struct rxrpc_call
*call
,
160 struct rxrpc_skb_priv
*sp
;
161 SKCIPHER_REQUEST_ON_STACK(req
, call
->conn
->cipher
);
162 struct rxrpc_crypt iv
;
163 struct scatterlist sg
[2];
165 struct rxkad_level1_hdr hdr
;
166 __be32 first
; /* first four bytes of data and padding */
167 } tmpbuf
__attribute__((aligned(8))); /* must all be in same page */
174 check
= ntohl(sp
->hdr
.seq
^ sp
->hdr
.callNumber
);
175 data_size
|= (u32
) check
<< 16;
177 tmpbuf
.hdr
.data_size
= htonl(data_size
);
178 memcpy(&tmpbuf
.first
, sechdr
+ 4, sizeof(tmpbuf
.first
));
180 /* start the encryption afresh */
181 memset(&iv
, 0, sizeof(iv
));
183 sg_init_one(&sg
[0], &tmpbuf
, sizeof(tmpbuf
));
184 sg_init_one(&sg
[1], &tmpbuf
, sizeof(tmpbuf
));
186 skcipher_request_set_tfm(req
, call
->conn
->cipher
);
187 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
188 skcipher_request_set_crypt(req
, &sg
[1], &sg
[0], sizeof(tmpbuf
), iv
.x
);
190 crypto_skcipher_encrypt(req
);
191 skcipher_request_zero(req
);
193 memcpy(sechdr
, &tmpbuf
, sizeof(tmpbuf
));
200 * wholly encrypt a packet (level 2 security)
202 static int rxkad_secure_packet_encrypt(const struct rxrpc_call
*call
,
207 const struct rxrpc_key_token
*token
;
208 struct rxkad_level2_hdr rxkhdr
209 __attribute__((aligned(8))); /* must be all on one page */
210 struct rxrpc_skb_priv
*sp
;
211 SKCIPHER_REQUEST_ON_STACK(req
, call
->conn
->cipher
);
212 struct rxrpc_crypt iv
;
213 struct scatterlist sg
[16];
214 struct sk_buff
*trailer
;
224 check
= ntohl(sp
->hdr
.seq
^ sp
->hdr
.callNumber
);
226 rxkhdr
.data_size
= htonl(data_size
| (u32
) check
<< 16);
229 /* encrypt from the session key */
230 token
= call
->conn
->key
->payload
.data
[0];
231 memcpy(&iv
, token
->kad
->session_key
, sizeof(iv
));
233 sg_init_one(&sg
[0], sechdr
, sizeof(rxkhdr
));
234 sg_init_one(&sg
[1], &rxkhdr
, sizeof(rxkhdr
));
236 skcipher_request_set_tfm(req
, call
->conn
->cipher
);
237 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
238 skcipher_request_set_crypt(req
, &sg
[1], &sg
[0], sizeof(rxkhdr
), iv
.x
);
240 crypto_skcipher_encrypt(req
);
242 /* we want to encrypt the skbuff in-place */
243 nsg
= skb_cow_data(skb
, 0, &trailer
);
245 if (nsg
< 0 || nsg
> 16)
248 len
= data_size
+ call
->conn
->size_align
- 1;
249 len
&= ~(call
->conn
->size_align
- 1);
251 sg_init_table(sg
, nsg
);
252 skb_to_sgvec(skb
, sg
, 0, len
);
254 skcipher_request_set_crypt(req
, sg
, sg
, len
, iv
.x
);
256 crypto_skcipher_encrypt(req
);
262 skcipher_request_zero(req
);
267 * checksum an RxRPC packet header
269 static int rxkad_secure_packet(const struct rxrpc_call
*call
,
274 struct rxrpc_skb_priv
*sp
;
275 SKCIPHER_REQUEST_ON_STACK(req
, call
->conn
->cipher
);
276 struct rxrpc_crypt iv
;
277 struct scatterlist sg
[2];
280 } tmpbuf
__attribute__((aligned(8))); /* must all be in same page */
287 _enter("{%d{%x}},{#%u},%zu,",
288 call
->debug_id
, key_serial(call
->conn
->key
), ntohl(sp
->hdr
.seq
),
291 if (!call
->conn
->cipher
)
294 ret
= key_validate(call
->conn
->key
);
298 /* continue encrypting from where we left off */
299 memcpy(&iv
, call
->conn
->csum_iv
.x
, sizeof(iv
));
301 /* calculate the security checksum */
302 x
= htonl(call
->channel
<< (32 - RXRPC_CIDSHIFT
));
303 x
|= sp
->hdr
.seq
& cpu_to_be32(0x3fffffff);
304 tmpbuf
.x
[0] = sp
->hdr
.callNumber
;
307 sg_init_one(&sg
[0], &tmpbuf
, sizeof(tmpbuf
));
308 sg_init_one(&sg
[1], &tmpbuf
, sizeof(tmpbuf
));
310 skcipher_request_set_tfm(req
, call
->conn
->cipher
);
311 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
312 skcipher_request_set_crypt(req
, &sg
[1], &sg
[0], sizeof(tmpbuf
), iv
.x
);
314 crypto_skcipher_encrypt(req
);
315 skcipher_request_zero(req
);
317 y
= ntohl(tmpbuf
.x
[1]);
318 y
= (y
>> 16) & 0xffff;
320 y
= 1; /* zero checksums are not permitted */
321 sp
->hdr
.cksum
= htons(y
);
323 switch (call
->conn
->security_level
) {
324 case RXRPC_SECURITY_PLAIN
:
327 case RXRPC_SECURITY_AUTH
:
328 ret
= rxkad_secure_packet_auth(call
, skb
, data_size
, sechdr
);
330 case RXRPC_SECURITY_ENCRYPT
:
331 ret
= rxkad_secure_packet_encrypt(call
, skb
, data_size
,
339 _leave(" = %d [set %hx]", ret
, y
);
344 * decrypt partial encryption on a packet (level 1 security)
346 static int rxkad_verify_packet_auth(const struct rxrpc_call
*call
,
350 struct rxkad_level1_hdr sechdr
;
351 struct rxrpc_skb_priv
*sp
;
352 SKCIPHER_REQUEST_ON_STACK(req
, call
->conn
->cipher
);
353 struct rxrpc_crypt iv
;
354 struct scatterlist sg
[16];
355 struct sk_buff
*trailer
;
364 /* we want to decrypt the skbuff in-place */
365 nsg
= skb_cow_data(skb
, 0, &trailer
);
366 if (nsg
< 0 || nsg
> 16)
369 sg_init_table(sg
, nsg
);
370 skb_to_sgvec(skb
, sg
, 0, 8);
372 /* start the decryption afresh */
373 memset(&iv
, 0, sizeof(iv
));
375 skcipher_request_set_tfm(req
, call
->conn
->cipher
);
376 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
377 skcipher_request_set_crypt(req
, sg
, sg
, 8, iv
.x
);
379 crypto_skcipher_decrypt(req
);
380 skcipher_request_zero(req
);
382 /* remove the decrypted packet length */
383 if (skb_copy_bits(skb
, 0, &sechdr
, sizeof(sechdr
)) < 0)
385 if (!skb_pull(skb
, sizeof(sechdr
)))
388 buf
= ntohl(sechdr
.data_size
);
389 data_size
= buf
& 0xffff;
392 check
^= ntohl(sp
->hdr
.seq
^ sp
->hdr
.callNumber
);
395 *_abort_code
= RXKADSEALEDINCON
;
399 /* shorten the packet to remove the padding */
400 if (data_size
> skb
->len
)
402 else if (data_size
< skb
->len
)
403 skb
->len
= data_size
;
405 _leave(" = 0 [dlen=%x]", data_size
);
409 *_abort_code
= RXKADDATALEN
;
411 _leave(" = -EPROTO");
415 _leave(" = -ENOMEM");
420 * wholly decrypt a packet (level 2 security)
422 static int rxkad_verify_packet_encrypt(const struct rxrpc_call
*call
,
426 const struct rxrpc_key_token
*token
;
427 struct rxkad_level2_hdr sechdr
;
428 struct rxrpc_skb_priv
*sp
;
429 SKCIPHER_REQUEST_ON_STACK(req
, call
->conn
->cipher
);
430 struct rxrpc_crypt iv
;
431 struct scatterlist _sg
[4], *sg
;
432 struct sk_buff
*trailer
;
437 _enter(",{%d}", skb
->len
);
441 /* we want to decrypt the skbuff in-place */
442 nsg
= skb_cow_data(skb
, 0, &trailer
);
447 if (unlikely(nsg
> 4)) {
448 sg
= kmalloc(sizeof(*sg
) * nsg
, GFP_NOIO
);
453 sg_init_table(sg
, nsg
);
454 skb_to_sgvec(skb
, sg
, 0, skb
->len
);
456 /* decrypt from the session key */
457 token
= call
->conn
->key
->payload
.data
[0];
458 memcpy(&iv
, token
->kad
->session_key
, sizeof(iv
));
460 skcipher_request_set_tfm(req
, call
->conn
->cipher
);
461 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
462 skcipher_request_set_crypt(req
, sg
, sg
, skb
->len
, iv
.x
);
464 crypto_skcipher_decrypt(req
);
465 skcipher_request_zero(req
);
469 /* remove the decrypted packet length */
470 if (skb_copy_bits(skb
, 0, &sechdr
, sizeof(sechdr
)) < 0)
472 if (!skb_pull(skb
, sizeof(sechdr
)))
475 buf
= ntohl(sechdr
.data_size
);
476 data_size
= buf
& 0xffff;
479 check
^= ntohl(sp
->hdr
.seq
^ sp
->hdr
.callNumber
);
482 *_abort_code
= RXKADSEALEDINCON
;
486 /* shorten the packet to remove the padding */
487 if (data_size
> skb
->len
)
489 else if (data_size
< skb
->len
)
490 skb
->len
= data_size
;
492 _leave(" = 0 [dlen=%x]", data_size
);
496 *_abort_code
= RXKADDATALEN
;
498 _leave(" = -EPROTO");
502 _leave(" = -ENOMEM");
507 * verify the security on a received packet
509 static int rxkad_verify_packet(const struct rxrpc_call
*call
,
513 SKCIPHER_REQUEST_ON_STACK(req
, call
->conn
->cipher
);
514 struct rxrpc_skb_priv
*sp
;
515 struct rxrpc_crypt iv
;
516 struct scatterlist sg
[2];
519 } tmpbuf
__attribute__((aligned(8))); /* must all be in same page */
527 _enter("{%d{%x}},{#%u}",
528 call
->debug_id
, key_serial(call
->conn
->key
),
531 if (!call
->conn
->cipher
)
534 if (sp
->hdr
.securityIndex
!= RXRPC_SECURITY_RXKAD
) {
535 *_abort_code
= RXKADINCONSISTENCY
;
536 _leave(" = -EPROTO [not rxkad]");
540 /* continue encrypting from where we left off */
541 memcpy(&iv
, call
->conn
->csum_iv
.x
, sizeof(iv
));
543 /* validate the security checksum */
544 x
= htonl(call
->channel
<< (32 - RXRPC_CIDSHIFT
));
545 x
|= sp
->hdr
.seq
& cpu_to_be32(0x3fffffff);
546 tmpbuf
.x
[0] = call
->call_id
;
549 sg_init_one(&sg
[0], &tmpbuf
, sizeof(tmpbuf
));
550 sg_init_one(&sg
[1], &tmpbuf
, sizeof(tmpbuf
));
552 skcipher_request_set_tfm(req
, call
->conn
->cipher
);
553 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
554 skcipher_request_set_crypt(req
, &sg
[1], &sg
[0], sizeof(tmpbuf
), iv
.x
);
556 crypto_skcipher_encrypt(req
);
557 skcipher_request_zero(req
);
559 y
= ntohl(tmpbuf
.x
[1]);
560 y
= (y
>> 16) & 0xffff;
562 y
= 1; /* zero checksums are not permitted */
565 if (sp
->hdr
.cksum
!= cksum
) {
566 *_abort_code
= RXKADSEALEDINCON
;
567 _leave(" = -EPROTO [csum failed]");
571 switch (call
->conn
->security_level
) {
572 case RXRPC_SECURITY_PLAIN
:
575 case RXRPC_SECURITY_AUTH
:
576 ret
= rxkad_verify_packet_auth(call
, skb
, _abort_code
);
578 case RXRPC_SECURITY_ENCRYPT
:
579 ret
= rxkad_verify_packet_encrypt(call
, skb
, _abort_code
);
586 _leave(" = %d", ret
);
593 static int rxkad_issue_challenge(struct rxrpc_connection
*conn
)
595 struct rxkad_challenge challenge
;
596 struct rxrpc_header hdr
;
602 _enter("{%d,%x}", conn
->debug_id
, key_serial(conn
->key
));
604 ret
= key_validate(conn
->key
);
608 get_random_bytes(&conn
->security_nonce
, sizeof(conn
->security_nonce
));
610 challenge
.version
= htonl(2);
611 challenge
.nonce
= htonl(conn
->security_nonce
);
612 challenge
.min_level
= htonl(0);
613 challenge
.__padding
= 0;
615 msg
.msg_name
= &conn
->trans
->peer
->srx
.transport
.sin
;
616 msg
.msg_namelen
= sizeof(conn
->trans
->peer
->srx
.transport
.sin
);
617 msg
.msg_control
= NULL
;
618 msg
.msg_controllen
= 0;
621 hdr
.epoch
= conn
->epoch
;
625 hdr
.type
= RXRPC_PACKET_TYPE_CHALLENGE
;
626 hdr
.flags
= conn
->out_clientflag
;
628 hdr
.securityIndex
= conn
->security_ix
;
630 hdr
.serviceId
= conn
->service_id
;
632 iov
[0].iov_base
= &hdr
;
633 iov
[0].iov_len
= sizeof(hdr
);
634 iov
[1].iov_base
= &challenge
;
635 iov
[1].iov_len
= sizeof(challenge
);
637 len
= iov
[0].iov_len
+ iov
[1].iov_len
;
639 hdr
.serial
= htonl(atomic_inc_return(&conn
->serial
));
640 _proto("Tx CHALLENGE %%%u", ntohl(hdr
.serial
));
642 ret
= kernel_sendmsg(conn
->trans
->local
->socket
, &msg
, iov
, 2, len
);
644 _debug("sendmsg failed: %d", ret
);
653 * send a Kerberos security response
655 static int rxkad_send_response(struct rxrpc_connection
*conn
,
656 struct rxrpc_header
*hdr
,
657 struct rxkad_response
*resp
,
658 const struct rxkad_key
*s2
)
667 msg
.msg_name
= &conn
->trans
->peer
->srx
.transport
.sin
;
668 msg
.msg_namelen
= sizeof(conn
->trans
->peer
->srx
.transport
.sin
);
669 msg
.msg_control
= NULL
;
670 msg
.msg_controllen
= 0;
673 hdr
->epoch
= conn
->epoch
;
675 hdr
->type
= RXRPC_PACKET_TYPE_RESPONSE
;
676 hdr
->flags
= conn
->out_clientflag
;
680 iov
[0].iov_base
= hdr
;
681 iov
[0].iov_len
= sizeof(*hdr
);
682 iov
[1].iov_base
= resp
;
683 iov
[1].iov_len
= sizeof(*resp
);
684 iov
[2].iov_base
= (void *) s2
->ticket
;
685 iov
[2].iov_len
= s2
->ticket_len
;
687 len
= iov
[0].iov_len
+ iov
[1].iov_len
+ iov
[2].iov_len
;
689 hdr
->serial
= htonl(atomic_inc_return(&conn
->serial
));
690 _proto("Tx RESPONSE %%%u", ntohl(hdr
->serial
));
692 ret
= kernel_sendmsg(conn
->trans
->local
->socket
, &msg
, iov
, 3, len
);
694 _debug("sendmsg failed: %d", ret
);
703 * calculate the response checksum
705 static void rxkad_calc_response_checksum(struct rxkad_response
*response
)
709 u8
*p
= (u8
*) response
;
711 for (loop
= sizeof(*response
); loop
> 0; loop
--)
712 csum
= csum
* 0x10204081 + *p
++;
714 response
->encrypted
.checksum
= htonl(csum
);
718 * load a scatterlist with a potentially split-page buffer
720 static void rxkad_sg_set_buf2(struct scatterlist sg
[2],
721 void *buf
, size_t buflen
)
725 sg_init_table(sg
, 2);
727 sg_set_buf(&sg
[0], buf
, buflen
);
728 if (sg
[0].offset
+ buflen
> PAGE_SIZE
) {
729 /* the buffer was split over two pages */
730 sg
[0].length
= PAGE_SIZE
- sg
[0].offset
;
731 sg_set_buf(&sg
[1], buf
+ sg
[0].length
, buflen
- sg
[0].length
);
735 sg_mark_end(&sg
[nsg
- 1]);
737 ASSERTCMP(sg
[0].length
+ sg
[1].length
, ==, buflen
);
741 * encrypt the response packet
743 static void rxkad_encrypt_response(struct rxrpc_connection
*conn
,
744 struct rxkad_response
*resp
,
745 const struct rxkad_key
*s2
)
747 SKCIPHER_REQUEST_ON_STACK(req
, conn
->cipher
);
748 struct rxrpc_crypt iv
;
749 struct scatterlist sg
[2];
751 /* continue encrypting from where we left off */
752 memcpy(&iv
, s2
->session_key
, sizeof(iv
));
754 rxkad_sg_set_buf2(sg
, &resp
->encrypted
, sizeof(resp
->encrypted
));
756 skcipher_request_set_tfm(req
, conn
->cipher
);
757 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
758 skcipher_request_set_crypt(req
, sg
, sg
, sizeof(resp
->encrypted
), iv
.x
);
760 crypto_skcipher_encrypt(req
);
761 skcipher_request_zero(req
);
765 * respond to a challenge packet
767 static int rxkad_respond_to_challenge(struct rxrpc_connection
*conn
,
771 const struct rxrpc_key_token
*token
;
772 struct rxkad_challenge challenge
;
773 struct rxkad_response resp
774 __attribute__((aligned(8))); /* must be aligned for crypto */
775 struct rxrpc_skb_priv
*sp
;
776 u32 version
, nonce
, min_level
, abort_code
;
779 _enter("{%d,%x}", conn
->debug_id
, key_serial(conn
->key
));
782 _leave(" = -EPROTO [no key]");
786 ret
= key_validate(conn
->key
);
788 *_abort_code
= RXKADEXPIRED
;
792 abort_code
= RXKADPACKETSHORT
;
794 if (skb_copy_bits(skb
, 0, &challenge
, sizeof(challenge
)) < 0)
797 version
= ntohl(challenge
.version
);
798 nonce
= ntohl(challenge
.nonce
);
799 min_level
= ntohl(challenge
.min_level
);
801 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
802 ntohl(sp
->hdr
.serial
), version
, nonce
, min_level
);
804 abort_code
= RXKADINCONSISTENCY
;
805 if (version
!= RXKAD_VERSION
)
808 abort_code
= RXKADLEVELFAIL
;
809 if (conn
->security_level
< min_level
)
812 token
= conn
->key
->payload
.data
[0];
814 /* build the response packet */
815 memset(&resp
, 0, sizeof(resp
));
817 resp
.version
= RXKAD_VERSION
;
818 resp
.encrypted
.epoch
= conn
->epoch
;
819 resp
.encrypted
.cid
= conn
->cid
;
820 resp
.encrypted
.securityIndex
= htonl(conn
->security_ix
);
821 resp
.encrypted
.call_id
[0] =
822 (conn
->channels
[0] ? conn
->channels
[0]->call_id
: 0);
823 resp
.encrypted
.call_id
[1] =
824 (conn
->channels
[1] ? conn
->channels
[1]->call_id
: 0);
825 resp
.encrypted
.call_id
[2] =
826 (conn
->channels
[2] ? conn
->channels
[2]->call_id
: 0);
827 resp
.encrypted
.call_id
[3] =
828 (conn
->channels
[3] ? conn
->channels
[3]->call_id
: 0);
829 resp
.encrypted
.inc_nonce
= htonl(nonce
+ 1);
830 resp
.encrypted
.level
= htonl(conn
->security_level
);
831 resp
.kvno
= htonl(token
->kad
->kvno
);
832 resp
.ticket_len
= htonl(token
->kad
->ticket_len
);
834 /* calculate the response checksum and then do the encryption */
835 rxkad_calc_response_checksum(&resp
);
836 rxkad_encrypt_response(conn
, &resp
, token
->kad
);
837 return rxkad_send_response(conn
, &sp
->hdr
, &resp
, token
->kad
);
840 *_abort_code
= abort_code
;
841 _leave(" = -EPROTO [%d]", abort_code
);
846 * decrypt the kerberos IV ticket in the response
848 static int rxkad_decrypt_ticket(struct rxrpc_connection
*conn
,
849 void *ticket
, size_t ticket_len
,
850 struct rxrpc_crypt
*_session_key
,
854 struct skcipher_request
*req
;
855 struct rxrpc_crypt iv
, key
;
856 struct scatterlist sg
[1];
862 u8
*p
, *q
, *name
, *end
;
864 _enter("{%d},{%x}", conn
->debug_id
, key_serial(conn
->server_key
));
868 ret
= key_validate(conn
->server_key
);
872 *_abort_code
= RXKADEXPIRED
;
875 *_abort_code
= RXKADNOAUTH
;
880 ASSERT(conn
->server_key
->payload
.data
[0] != NULL
);
881 ASSERTCMP((unsigned long) ticket
& 7UL, ==, 0);
883 memcpy(&iv
, &conn
->server_key
->payload
.data
[2], sizeof(iv
));
885 req
= skcipher_request_alloc(conn
->server_key
->payload
.data
[0],
888 *_abort_code
= RXKADNOAUTH
;
893 sg_init_one(&sg
[0], ticket
, ticket_len
);
895 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
896 skcipher_request_set_crypt(req
, sg
, sg
, ticket_len
, iv
.x
);
898 crypto_skcipher_decrypt(req
);
899 skcipher_request_free(req
);
902 end
= p
+ ticket_len
;
907 q = memchr(p, 0, end - p); \
908 if (!q || q - p > (size)) \
917 /* extract the ticket flags */
918 _debug("KIV FLAGS: %x", *p
);
919 little_endian
= *p
& 1;
922 /* extract the authentication name */
924 _debug("KIV ANAME: %s", name
);
926 /* extract the principal's instance */
928 _debug("KIV INST : %s", name
);
930 /* extract the principal's authentication domain */
932 _debug("KIV REALM: %s", name
);
934 if (end
- p
< 4 + 8 + 4 + 2)
937 /* get the IPv4 address of the entity that requested the ticket */
938 memcpy(&addr
, p
, sizeof(addr
));
940 _debug("KIV ADDR : %pI4", &addr
);
942 /* get the session key from the ticket */
943 memcpy(&key
, p
, sizeof(key
));
945 _debug("KIV KEY : %08x %08x", ntohl(key
.n
[0]), ntohl(key
.n
[1]));
946 memcpy(_session_key
, &key
, sizeof(key
));
948 /* get the ticket's lifetime */
949 life
= *p
++ * 5 * 60;
950 _debug("KIV LIFE : %u", life
);
952 /* get the issue time of the ticket */
955 memcpy(&stamp
, p
, 4);
956 issue
= le32_to_cpu(stamp
);
959 memcpy(&stamp
, p
, 4);
960 issue
= be32_to_cpu(stamp
);
964 _debug("KIV ISSUE: %lx [%lx]", issue
, now
);
966 /* check the ticket is in date */
968 *_abort_code
= RXKADNOAUTH
;
973 if (issue
< now
- life
) {
974 *_abort_code
= RXKADEXPIRED
;
979 *_expiry
= issue
+ life
;
981 /* get the service name */
983 _debug("KIV SNAME: %s", name
);
985 /* get the service instance name */
987 _debug("KIV SINST: %s", name
);
991 _leave(" = %d", ret
);
995 *_abort_code
= RXKADBADTICKET
;
1001 * decrypt the response packet
1003 static void rxkad_decrypt_response(struct rxrpc_connection
*conn
,
1004 struct rxkad_response
*resp
,
1005 const struct rxrpc_crypt
*session_key
)
1007 SKCIPHER_REQUEST_ON_STACK(req
, rxkad_ci
);
1008 struct scatterlist sg
[2];
1009 struct rxrpc_crypt iv
;
1011 _enter(",,%08x%08x",
1012 ntohl(session_key
->n
[0]), ntohl(session_key
->n
[1]));
1014 ASSERT(rxkad_ci
!= NULL
);
1016 mutex_lock(&rxkad_ci_mutex
);
1017 if (crypto_skcipher_setkey(rxkad_ci
, session_key
->x
,
1018 sizeof(*session_key
)) < 0)
1021 memcpy(&iv
, session_key
, sizeof(iv
));
1023 rxkad_sg_set_buf2(sg
, &resp
->encrypted
, sizeof(resp
->encrypted
));
1025 skcipher_request_set_tfm(req
, rxkad_ci
);
1026 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
1027 skcipher_request_set_crypt(req
, sg
, sg
, sizeof(resp
->encrypted
), iv
.x
);
1029 crypto_skcipher_decrypt(req
);
1030 skcipher_request_zero(req
);
1032 mutex_unlock(&rxkad_ci_mutex
);
1040 static int rxkad_verify_response(struct rxrpc_connection
*conn
,
1041 struct sk_buff
*skb
,
1044 struct rxkad_response response
1045 __attribute__((aligned(8))); /* must be aligned for crypto */
1046 struct rxrpc_skb_priv
*sp
;
1047 struct rxrpc_crypt session_key
;
1050 u32 abort_code
, version
, kvno
, ticket_len
, level
;
1054 _enter("{%d,%x}", conn
->debug_id
, key_serial(conn
->server_key
));
1056 abort_code
= RXKADPACKETSHORT
;
1057 if (skb_copy_bits(skb
, 0, &response
, sizeof(response
)) < 0)
1058 goto protocol_error
;
1059 if (!pskb_pull(skb
, sizeof(response
)))
1062 version
= ntohl(response
.version
);
1063 ticket_len
= ntohl(response
.ticket_len
);
1064 kvno
= ntohl(response
.kvno
);
1065 sp
= rxrpc_skb(skb
);
1066 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1067 ntohl(sp
->hdr
.serial
), version
, kvno
, ticket_len
);
1069 abort_code
= RXKADINCONSISTENCY
;
1070 if (version
!= RXKAD_VERSION
)
1071 goto protocol_error
;
1073 abort_code
= RXKADTICKETLEN
;
1074 if (ticket_len
< 4 || ticket_len
> MAXKRB5TICKETLEN
)
1075 goto protocol_error
;
1077 abort_code
= RXKADUNKNOWNKEY
;
1078 if (kvno
>= RXKAD_TKT_TYPE_KERBEROS_V5
)
1079 goto protocol_error
;
1081 /* extract the kerberos ticket and decrypt and decode it */
1082 ticket
= kmalloc(ticket_len
, GFP_NOFS
);
1086 abort_code
= RXKADPACKETSHORT
;
1087 if (skb_copy_bits(skb
, 0, ticket
, ticket_len
) < 0)
1088 goto protocol_error_free
;
1090 ret
= rxkad_decrypt_ticket(conn
, ticket
, ticket_len
, &session_key
,
1091 &expiry
, &abort_code
);
1093 *_abort_code
= abort_code
;
1098 /* use the session key from inside the ticket to decrypt the
1100 rxkad_decrypt_response(conn
, &response
, &session_key
);
1102 abort_code
= RXKADSEALEDINCON
;
1103 if (response
.encrypted
.epoch
!= conn
->epoch
)
1104 goto protocol_error_free
;
1105 if (response
.encrypted
.cid
!= conn
->cid
)
1106 goto protocol_error_free
;
1107 if (ntohl(response
.encrypted
.securityIndex
) != conn
->security_ix
)
1108 goto protocol_error_free
;
1109 csum
= response
.encrypted
.checksum
;
1110 response
.encrypted
.checksum
= 0;
1111 rxkad_calc_response_checksum(&response
);
1112 if (response
.encrypted
.checksum
!= csum
)
1113 goto protocol_error_free
;
1115 if (ntohl(response
.encrypted
.call_id
[0]) > INT_MAX
||
1116 ntohl(response
.encrypted
.call_id
[1]) > INT_MAX
||
1117 ntohl(response
.encrypted
.call_id
[2]) > INT_MAX
||
1118 ntohl(response
.encrypted
.call_id
[3]) > INT_MAX
)
1119 goto protocol_error_free
;
1121 abort_code
= RXKADOUTOFSEQUENCE
;
1122 if (response
.encrypted
.inc_nonce
!= htonl(conn
->security_nonce
+ 1))
1123 goto protocol_error_free
;
1125 abort_code
= RXKADLEVELFAIL
;
1126 level
= ntohl(response
.encrypted
.level
);
1127 if (level
> RXRPC_SECURITY_ENCRYPT
)
1128 goto protocol_error_free
;
1129 conn
->security_level
= level
;
1131 /* create a key to hold the security data and expiration time - after
1132 * this the connection security can be handled in exactly the same way
1133 * as for a client connection */
1134 ret
= rxrpc_get_server_data_key(conn
, &session_key
, expiry
, kvno
);
1144 protocol_error_free
:
1147 *_abort_code
= abort_code
;
1148 _leave(" = -EPROTO [%d]", abort_code
);
1153 * clear the connection security
1155 static void rxkad_clear(struct rxrpc_connection
*conn
)
1160 crypto_free_skcipher(conn
->cipher
);
1164 * RxRPC Kerberos-based security
1166 static struct rxrpc_security rxkad
= {
1167 .owner
= THIS_MODULE
,
1169 .security_index
= RXRPC_SECURITY_RXKAD
,
1170 .init_connection_security
= rxkad_init_connection_security
,
1171 .prime_packet_security
= rxkad_prime_packet_security
,
1172 .secure_packet
= rxkad_secure_packet
,
1173 .verify_packet
= rxkad_verify_packet
,
1174 .issue_challenge
= rxkad_issue_challenge
,
1175 .respond_to_challenge
= rxkad_respond_to_challenge
,
1176 .verify_response
= rxkad_verify_response
,
1177 .clear
= rxkad_clear
,
1180 static __init
int rxkad_init(void)
1184 /* pin the cipher we need so that the crypto layer doesn't invoke
1185 * keventd to go get it */
1186 rxkad_ci
= crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC
);
1187 if (IS_ERR(rxkad_ci
))
1188 return PTR_ERR(rxkad_ci
);
1190 return rxrpc_register_security(&rxkad
);
1193 module_init(rxkad_init
);
1195 static __exit
void rxkad_exit(void)
1199 rxrpc_unregister_security(&rxkad
);
1200 crypto_free_skcipher(rxkad_ci
);
1203 module_exit(rxkad_exit
);