// SPDX-License-Identifier: GPL-2.0-or-later /* Kerberos-based RxRPC security * * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. * Written by David Howells (dhowells@redhat.com) */ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt #include <crypto/skcipher.h> #include <linux/module.h> #include <linux/net.h> #include <linux/skbuff.h> #include <linux/udp.h> #include <linux/scatterlist.h> #include <linux/ctype.h> #include <linux/slab.h> #include <net/sock.h> #include <net/af_rxrpc.h> #include <keys/rxrpc-type.h> #include "ar-internal.h" #define RXKAD_VERSION 2 #define MAXKRB5TICKETLEN 1024 #define RXKAD_TKT_TYPE_KERBEROS_V5 256 #define ANAME_SZ 40 /* size of authentication name */ #define INST_SZ 40 /* size of principal's instance */ #define REALM_SZ 40 /* size of principal's auth domain */ #define SNAME_SZ 40 /* size of service name */ struct rxkad_level1_hdr { <------>__be32 data_size; /* true data size (excluding padding) */ }; struct rxkad_level2_hdr { <------>__be32 data_size; /* true data size (excluding padding) */ <------>__be32 checksum; /* decrypted data checksum */ }; /* * this holds a pinned cipher so that keventd doesn't get called by the cipher * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE * packets */ static struct crypto_sync_skcipher *rxkad_ci; static struct skcipher_request *rxkad_ci_req; static DEFINE_MUTEX(rxkad_ci_mutex); /* * initialise connection security */ static int rxkad_init_connection_security(struct rxrpc_connection *conn) { <------>struct crypto_sync_skcipher *ci; <------>struct rxrpc_key_token *token; <------>int ret; <------>_enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key)); <------>token = conn->params.key->payload.data[0]; <------>conn->security_ix = token->security_index; <------>ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0); <------>if (IS_ERR(ci)) { <------><------>_debug("no cipher"); <------><------>ret = PTR_ERR(ci); <------><------>goto error; <------>} <------>if (crypto_sync_skcipher_setkey(ci, token->kad->session_key, <------><------><------><------> sizeof(token->kad->session_key)) < 0) <------><------>BUG(); <------>switch (conn->params.security_level) { <------>case RXRPC_SECURITY_PLAIN: <------><------>break; <------>case RXRPC_SECURITY_AUTH: <------><------>conn->size_align = 8; <------><------>conn->security_size = sizeof(struct rxkad_level1_hdr); <------><------>break; <------>case RXRPC_SECURITY_ENCRYPT: <------><------>conn->size_align = 8; <------><------>conn->security_size = sizeof(struct rxkad_level2_hdr); <------><------>break; <------>default: <------><------>ret = -EKEYREJECTED; <------><------>goto error; <------>} <------>conn->cipher = ci; <------>ret = 0; error: <------>_leave(" = %d", ret); <------>return ret; } /* * prime the encryption state with the invariant parts of a connection's * description */ static int rxkad_prime_packet_security(struct rxrpc_connection *conn) { <------>struct skcipher_request *req; <------>struct rxrpc_key_token *token; <------>struct scatterlist sg; <------>struct rxrpc_crypt iv; <------>__be32 *tmpbuf; <------>size_t tmpsize = 4 * sizeof(__be32); <------>_enter(""); <------>if (!conn->params.key) <------><------>return 0; <------>tmpbuf = kmalloc(tmpsize, GFP_KERNEL); <------>if (!tmpbuf) <------><------>return -ENOMEM; <------>req = skcipher_request_alloc(&conn->cipher->base, GFP_NOFS); <------>if (!req) { <------><------>kfree(tmpbuf); <------><------>return -ENOMEM; <------>} <------>token = conn->params.key->payload.data[0]; <------>memcpy(&iv, token->kad->session_key, sizeof(iv)); <------>tmpbuf[0] = htonl(conn->proto.epoch); <------>tmpbuf[1] = htonl(conn->proto.cid); <------>tmpbuf[2] = 0; <------>tmpbuf[3] = htonl(conn->security_ix); <------>sg_init_one(&sg, tmpbuf, tmpsize); <------>skcipher_request_set_sync_tfm(req, conn->cipher); <------>skcipher_request_set_callback(req, 0, NULL, NULL); <------>skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x); <------>crypto_skcipher_encrypt(req); <------>skcipher_request_free(req); <------>memcpy(&conn->csum_iv, tmpbuf + 2, sizeof(conn->csum_iv)); <------>kfree(tmpbuf); <------>_leave(" = 0"); <------>return 0; } /* * Allocate and prepare the crypto request on a call. For any particular call, * this is called serially for the packets, so no lock should be necessary. */ static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call) { <------>struct crypto_skcipher *tfm = &call->conn->cipher->base; <------>struct skcipher_request *cipher_req = call->cipher_req; <------>if (!cipher_req) { <------><------>cipher_req = skcipher_request_alloc(tfm, GFP_NOFS); <------><------>if (!cipher_req) <------><------><------>return NULL; <------><------>call->cipher_req = cipher_req; <------>} <------>return cipher_req; } /* * Clean up the crypto on a call. */ static void rxkad_free_call_crypto(struct rxrpc_call *call) { <------>if (call->cipher_req) <------><------>skcipher_request_free(call->cipher_req); <------>call->cipher_req = NULL; } /* * partially encrypt a packet (level 1 security) */ static int rxkad_secure_packet_auth(const struct rxrpc_call *call, <------><------><------><------> struct sk_buff *skb, <------><------><------><------> u32 data_size, <------><------><------><------> void *sechdr, <------><------><------><------> struct skcipher_request *req) { <------>struct rxrpc_skb_priv *sp = rxrpc_skb(skb); <------>struct rxkad_level1_hdr hdr; <------>struct rxrpc_crypt iv; <------>struct scatterlist sg; <------>u16 check; <------>_enter(""); <------>check = sp->hdr.seq ^ call->call_id; <------>data_size |= (u32)check << 16; <------>hdr.data_size = htonl(data_size); <------>memcpy(sechdr, &hdr, sizeof(hdr)); <------>/* start the encryption afresh */ <------>memset(&iv, 0, sizeof(iv)); <------>sg_init_one(&sg, sechdr, 8); <------>skcipher_request_set_sync_tfm(req, call->conn->cipher); <------>skcipher_request_set_callback(req, 0, NULL, NULL); <------>skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); <------>crypto_skcipher_encrypt(req); <------>skcipher_request_zero(req); <------>_leave(" = 0"); <------>return 0; } /* * wholly encrypt a packet (level 2 security) */ static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, <------><------><------><------> struct sk_buff *skb, <------><------><------><------> u32 data_size, <------><------><------><------> void *sechdr, <------><------><------><------> struct skcipher_request *req) { <------>const struct rxrpc_key_token *token; <------>struct rxkad_level2_hdr rxkhdr; <------>struct rxrpc_skb_priv *sp; <------>struct rxrpc_crypt iv; <------>struct scatterlist sg[16]; <------>unsigned int len; <------>u16 check; <------>int err; <------>sp = rxrpc_skb(skb); <------>_enter(""); <------>check = sp->hdr.seq ^ call->call_id; <------>rxkhdr.data_size = htonl(data_size | (u32)check << 16); <------>rxkhdr.checksum = 0; <------>memcpy(sechdr, &rxkhdr, sizeof(rxkhdr)); <------>/* encrypt from the session key */ <------>token = call->conn->params.key->payload.data[0]; <------>memcpy(&iv, token->kad->session_key, sizeof(iv)); <------>sg_init_one(&sg[0], sechdr, sizeof(rxkhdr)); <------>skcipher_request_set_sync_tfm(req, call->conn->cipher); <------>skcipher_request_set_callback(req, 0, NULL, NULL); <------>skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x); <------>crypto_skcipher_encrypt(req); <------>/* we want to encrypt the skbuff in-place */ <------>err = -EMSGSIZE; <------>if (skb_shinfo(skb)->nr_frags > 16) <------><------>goto out; <------>len = data_size + call->conn->size_align - 1; <------>len &= ~(call->conn->size_align - 1); <------>sg_init_table(sg, ARRAY_SIZE(sg)); <------>err = skb_to_sgvec(skb, sg, 0, len); <------>if (unlikely(err < 0)) <------><------>goto out; <------>skcipher_request_set_crypt(req, sg, sg, len, iv.x); <------>crypto_skcipher_encrypt(req); <------>_leave(" = 0"); <------>err = 0; out: <------>skcipher_request_zero(req); <------>return err; } /* * checksum an RxRPC packet header */ static int rxkad_secure_packet(struct rxrpc_call *call, <------><------><------> struct sk_buff *skb, <------><------><------> size_t data_size, <------><------><------> void *sechdr) { <------>struct rxrpc_skb_priv *sp; <------>struct skcipher_request *req; <------>struct rxrpc_crypt iv; <------>struct scatterlist sg; <------>u32 x, y; <------>int ret; <------>sp = rxrpc_skb(skb); <------>_enter("{%d{%x}},{#%u},%zu,", <------> call->debug_id, key_serial(call->conn->params.key), <------> sp->hdr.seq, data_size); <------>if (!call->conn->cipher) <------><------>return 0; <------>ret = key_validate(call->conn->params.key); <------>if (ret < 0) <------><------>return ret; <------>req = rxkad_get_call_crypto(call); <------>if (!req) <------><------>return -ENOMEM; <------>/* continue encrypting from where we left off */ <------>memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); <------>/* calculate the security checksum */ <------>x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); <------>x |= sp->hdr.seq & 0x3fffffff; <------>call->crypto_buf[0] = htonl(call->call_id); <------>call->crypto_buf[1] = htonl(x); <------>sg_init_one(&sg, call->crypto_buf, 8); <------>skcipher_request_set_sync_tfm(req, call->conn->cipher); <------>skcipher_request_set_callback(req, 0, NULL, NULL); <------>skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); <------>crypto_skcipher_encrypt(req); <------>skcipher_request_zero(req); <------>y = ntohl(call->crypto_buf[1]); <------>y = (y >> 16) & 0xffff; <------>if (y == 0) <------><------>y = 1; /* zero checksums are not permitted */ <------>sp->hdr.cksum = y; <------>switch (call->conn->params.security_level) { <------>case RXRPC_SECURITY_PLAIN: <------><------>ret = 0; <------><------>break; <------>case RXRPC_SECURITY_AUTH: <------><------>ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr, <------><------><------><------><------> req); <------><------>break; <------>case RXRPC_SECURITY_ENCRYPT: <------><------>ret = rxkad_secure_packet_encrypt(call, skb, data_size, <------><------><------><------><------><------> sechdr, req); <------><------>break; <------>default: <------><------>ret = -EPERM; <------><------>break; <------>} <------>_leave(" = %d [set %hx]", ret, y); <------>return ret; } /* * decrypt partial encryption on a packet (level 1 security) */ static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb, <------><------><------><------> unsigned int offset, unsigned int len, <------><------><------><------> rxrpc_seq_t seq, <------><------><------><------> struct skcipher_request *req) { <------>struct rxkad_level1_hdr sechdr; <------>struct rxrpc_crypt iv; <------>struct scatterlist sg[16]; <------>bool aborted; <------>u32 data_size, buf; <------>u16 check; <------>int ret; <------>_enter(""); <------>if (len < 8) { <------><------>aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_hdr", "V1H", <------><------><------><------><------> RXKADSEALEDINCON); <------><------>goto protocol_error; <------>} <------>/* Decrypt the skbuff in-place. TODO: We really want to decrypt <------> * directly into the target buffer. <------> */ <------>sg_init_table(sg, ARRAY_SIZE(sg)); <------>ret = skb_to_sgvec(skb, sg, offset, 8); <------>if (unlikely(ret < 0)) <------><------>return ret; <------>/* start the decryption afresh */ <------>memset(&iv, 0, sizeof(iv)); <------>skcipher_request_set_sync_tfm(req, call->conn->cipher); <------>skcipher_request_set_callback(req, 0, NULL, NULL); <------>skcipher_request_set_crypt(req, sg, sg, 8, iv.x); <------>crypto_skcipher_decrypt(req); <------>skcipher_request_zero(req); <------>/* Extract the decrypted packet length */ <------>if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) { <------><------>aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_len", "XV1", <------><------><------><------><------> RXKADDATALEN); <------><------>goto protocol_error; <------>} <------>offset += sizeof(sechdr); <------>len -= sizeof(sechdr); <------>buf = ntohl(sechdr.data_size); <------>data_size = buf & 0xffff; <------>check = buf >> 16; <------>check ^= seq ^ call->call_id; <------>check &= 0xffff; <------>if (check != 0) { <------><------>aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_check", "V1C", <------><------><------><------><------> RXKADSEALEDINCON); <------><------>goto protocol_error; <------>} <------>if (data_size > len) { <------><------>aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_datalen", "V1L", <------><------><------><------><------> RXKADDATALEN); <------><------>goto protocol_error; <------>} <------>_leave(" = 0 [dlen=%x]", data_size); <------>return 0; protocol_error: <------>if (aborted) <------><------>rxrpc_send_abort_packet(call); <------>return -EPROTO; } /* * wholly decrypt a packet (level 2 security) */ static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb, <------><------><------><------> unsigned int offset, unsigned int len, <------><------><------><------> rxrpc_seq_t seq, <------><------><------><------> struct skcipher_request *req) { <------>const struct rxrpc_key_token *token; <------>struct rxkad_level2_hdr sechdr; <------>struct rxrpc_crypt iv; <------>struct scatterlist _sg[4], *sg; <------>bool aborted; <------>u32 data_size, buf; <------>u16 check; <------>int nsg, ret; <------>_enter(",{%d}", skb->len); <------>if (len < 8) { <------><------>aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_hdr", "V2H", <------><------><------><------><------> RXKADSEALEDINCON); <------><------>goto protocol_error; <------>} <------>/* Decrypt the skbuff in-place. TODO: We really want to decrypt <------> * directly into the target buffer. <------> */ <------>sg = _sg; <------>nsg = skb_shinfo(skb)->nr_frags; <------>if (nsg <= 4) { <------><------>nsg = 4; <------>} else { <------><------>sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO); <------><------>if (!sg) <------><------><------>goto nomem; <------>} <------>sg_init_table(sg, nsg); <------>ret = skb_to_sgvec(skb, sg, offset, len); <------>if (unlikely(ret < 0)) { <------><------>if (sg != _sg) <------><------><------>kfree(sg); <------><------>return ret; <------>} <------>/* decrypt from the session key */ <------>token = call->conn->params.key->payload.data[0]; <------>memcpy(&iv, token->kad->session_key, sizeof(iv)); <------>skcipher_request_set_sync_tfm(req, call->conn->cipher); <------>skcipher_request_set_callback(req, 0, NULL, NULL); <------>skcipher_request_set_crypt(req, sg, sg, len, iv.x); <------>crypto_skcipher_decrypt(req); <------>skcipher_request_zero(req); <------>if (sg != _sg) <------><------>kfree(sg); <------>/* Extract the decrypted packet length */ <------>if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) { <------><------>aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_len", "XV2", <------><------><------><------><------> RXKADDATALEN); <------><------>goto protocol_error; <------>} <------>offset += sizeof(sechdr); <------>len -= sizeof(sechdr); <------>buf = ntohl(sechdr.data_size); <------>data_size = buf & 0xffff; <------>check = buf >> 16; <------>check ^= seq ^ call->call_id; <------>check &= 0xffff; <------>if (check != 0) { <------><------>aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_check", "V2C", <------><------><------><------><------> RXKADSEALEDINCON); <------><------>goto protocol_error; <------>} <------>if (data_size > len) { <------><------>aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_datalen", "V2L", <------><------><------><------><------> RXKADDATALEN); <------><------>goto protocol_error; <------>} <------>_leave(" = 0 [dlen=%x]", data_size); <------>return 0; protocol_error: <------>if (aborted) <------><------>rxrpc_send_abort_packet(call); <------>return -EPROTO; nomem: <------>_leave(" = -ENOMEM"); <------>return -ENOMEM; } /* * Verify the security on a received packet or subpacket (if part of a * jumbo packet). */ static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb, <------><------><------> unsigned int offset, unsigned int len, <------><------><------> rxrpc_seq_t seq, u16 expected_cksum) { <------>struct skcipher_request *req; <------>struct rxrpc_crypt iv; <------>struct scatterlist sg; <------>bool aborted; <------>u16 cksum; <------>u32 x, y; <------>_enter("{%d{%x}},{#%u}", <------> call->debug_id, key_serial(call->conn->params.key), seq); <------>if (!call->conn->cipher) <------><------>return 0; <------>req = rxkad_get_call_crypto(call); <------>if (!req) <------><------>return -ENOMEM; <------>/* continue encrypting from where we left off */ <------>memcpy(&iv, call->conn->csum_iv.x, sizeof(iv)); <------>/* validate the security checksum */ <------>x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT); <------>x |= seq & 0x3fffffff; <------>call->crypto_buf[0] = htonl(call->call_id); <------>call->crypto_buf[1] = htonl(x); <------>sg_init_one(&sg, call->crypto_buf, 8); <------>skcipher_request_set_sync_tfm(req, call->conn->cipher); <------>skcipher_request_set_callback(req, 0, NULL, NULL); <------>skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x); <------>crypto_skcipher_encrypt(req); <------>skcipher_request_zero(req); <------>y = ntohl(call->crypto_buf[1]); <------>cksum = (y >> 16) & 0xffff; <------>if (cksum == 0) <------><------>cksum = 1; /* zero checksums are not permitted */ <------>if (cksum != expected_cksum) { <------><------>aborted = rxrpc_abort_eproto(call, skb, "rxkad_csum", "VCK", <------><------><------><------><------> RXKADSEALEDINCON); <------><------>goto protocol_error; <------>} <------>switch (call->conn->params.security_level) { <------>case RXRPC_SECURITY_PLAIN: <------><------>return 0; <------>case RXRPC_SECURITY_AUTH: <------><------>return rxkad_verify_packet_1(call, skb, offset, len, seq, req); <------>case RXRPC_SECURITY_ENCRYPT: <------><------>return rxkad_verify_packet_2(call, skb, offset, len, seq, req); <------>default: <------><------>return -ENOANO; <------>} protocol_error: <------>if (aborted) <------><------>rxrpc_send_abort_packet(call); <------>return -EPROTO; } /* * Locate the data contained in a packet that was partially encrypted. */ static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb, <------><------><------><------>unsigned int *_offset, unsigned int *_len) { <------>struct rxkad_level1_hdr sechdr; <------>if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0) <------><------>BUG(); <------>*_offset += sizeof(sechdr); <------>*_len = ntohl(sechdr.data_size) & 0xffff; } /* * Locate the data contained in a packet that was completely encrypted. */ static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb, <------><------><------><------>unsigned int *_offset, unsigned int *_len) { <------>struct rxkad_level2_hdr sechdr; <------>if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0) <------><------>BUG(); <------>*_offset += sizeof(sechdr); <------>*_len = ntohl(sechdr.data_size) & 0xffff; } /* * Locate the data contained in an already decrypted packet. */ static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb, <------><------><------> unsigned int *_offset, unsigned int *_len) { <------>switch (call->conn->params.security_level) { <------>case RXRPC_SECURITY_AUTH: <------><------>rxkad_locate_data_1(call, skb, _offset, _len); <------><------>return; <------>case RXRPC_SECURITY_ENCRYPT: <------><------>rxkad_locate_data_2(call, skb, _offset, _len); <------><------>return; <------>default: <------><------>return; <------>} } /* * issue a challenge */ static int rxkad_issue_challenge(struct rxrpc_connection *conn) { <------>struct rxkad_challenge challenge; <------>struct rxrpc_wire_header whdr; <------>struct msghdr msg; <------>struct kvec iov[2]; <------>size_t len; <------>u32 serial; <------>int ret; <------>_enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key)); <------>ret = key_validate(conn->server_key); <------>if (ret < 0) <------><------>return ret; <------>get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce)); <------>challenge.version = htonl(2); <------>challenge.nonce = htonl(conn->security_nonce); <------>challenge.min_level = htonl(0); <------>challenge.__padding = 0; <------>msg.msg_name = &conn->params.peer->srx.transport; <------>msg.msg_namelen = conn->params.peer->srx.transport_len; <------>msg.msg_control = NULL; <------>msg.msg_controllen = 0; <------>msg.msg_flags = 0; <------>whdr.epoch = htonl(conn->proto.epoch); <------>whdr.cid = htonl(conn->proto.cid); <------>whdr.callNumber = 0; <------>whdr.seq = 0; <------>whdr.type = RXRPC_PACKET_TYPE_CHALLENGE; <------>whdr.flags = conn->out_clientflag; <------>whdr.userStatus = 0; <------>whdr.securityIndex = conn->security_ix; <------>whdr._rsvd = 0; <------>whdr.serviceId = htons(conn->service_id); <------>iov[0].iov_base = &whdr; <------>iov[0].iov_len = sizeof(whdr); <------>iov[1].iov_base = &challenge; <------>iov[1].iov_len = sizeof(challenge); <------>len = iov[0].iov_len + iov[1].iov_len; <------>serial = atomic_inc_return(&conn->serial); <------>whdr.serial = htonl(serial); <------>_proto("Tx CHALLENGE %%%u", serial); <------>ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len); <------>if (ret < 0) { <------><------>trace_rxrpc_tx_fail(conn->debug_id, serial, ret, <------><------><------><------> rxrpc_tx_point_rxkad_challenge); <------><------>return -EAGAIN; <------>} <------>conn->params.peer->last_tx_at = ktime_get_seconds(); <------>trace_rxrpc_tx_packet(conn->debug_id, &whdr, <------><------><------> rxrpc_tx_point_rxkad_challenge); <------>_leave(" = 0"); <------>return 0; } /* * send a Kerberos security response */ static int rxkad_send_response(struct rxrpc_connection *conn, <------><------><------> struct rxrpc_host_header *hdr, <------><------><------> struct rxkad_response *resp, <------><------><------> const struct rxkad_key *s2) { <------>struct rxrpc_wire_header whdr; <------>struct msghdr msg; <------>struct kvec iov[3]; <------>size_t len; <------>u32 serial; <------>int ret; <------>_enter(""); <------>msg.msg_name = &conn->params.peer->srx.transport; <------>msg.msg_namelen = conn->params.peer->srx.transport_len; <------>msg.msg_control = NULL; <------>msg.msg_controllen = 0; <------>msg.msg_flags = 0; <------>memset(&whdr, 0, sizeof(whdr)); <------>whdr.epoch = htonl(hdr->epoch); <------>whdr.cid = htonl(hdr->cid); <------>whdr.type = RXRPC_PACKET_TYPE_RESPONSE; <------>whdr.flags = conn->out_clientflag; <------>whdr.securityIndex = hdr->securityIndex; <------>whdr.serviceId = htons(hdr->serviceId); <------>iov[0].iov_base = &whdr; <------>iov[0].iov_len = sizeof(whdr); <------>iov[1].iov_base = resp; <------>iov[1].iov_len = sizeof(*resp); <------>iov[2].iov_base = (void *)s2->ticket; <------>iov[2].iov_len = s2->ticket_len; <------>len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len; <------>serial = atomic_inc_return(&conn->serial); <------>whdr.serial = htonl(serial); <------>_proto("Tx RESPONSE %%%u", serial); <------>ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len); <------>if (ret < 0) { <------><------>trace_rxrpc_tx_fail(conn->debug_id, serial, ret, <------><------><------><------> rxrpc_tx_point_rxkad_response); <------><------>return -EAGAIN; <------>} <------>conn->params.peer->last_tx_at = ktime_get_seconds(); <------>_leave(" = 0"); <------>return 0; } /* * calculate the response checksum */ static void rxkad_calc_response_checksum(struct rxkad_response *response) { <------>u32 csum = 1000003; <------>int loop; <------>u8 *p = (u8 *) response; <------>for (loop = sizeof(*response); loop > 0; loop--) <------><------>csum = csum * 0x10204081 + *p++; <------>response->encrypted.checksum = htonl(csum); } /* * encrypt the response packet */ static int rxkad_encrypt_response(struct rxrpc_connection *conn, <------><------><------><------> struct rxkad_response *resp, <------><------><------><------> const struct rxkad_key *s2) { <------>struct skcipher_request *req; <------>struct rxrpc_crypt iv; <------>struct scatterlist sg[1]; <------>req = skcipher_request_alloc(&conn->cipher->base, GFP_NOFS); <------>if (!req) <------><------>return -ENOMEM; <------>/* continue encrypting from where we left off */ <------>memcpy(&iv, s2->session_key, sizeof(iv)); <------>sg_init_table(sg, 1); <------>sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); <------>skcipher_request_set_sync_tfm(req, conn->cipher); <------>skcipher_request_set_callback(req, 0, NULL, NULL); <------>skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); <------>crypto_skcipher_encrypt(req); <------>skcipher_request_free(req); <------>return 0; } /* * respond to a challenge packet */ static int rxkad_respond_to_challenge(struct rxrpc_connection *conn, <------><------><------><------> struct sk_buff *skb, <------><------><------><------> u32 *_abort_code) { <------>const struct rxrpc_key_token *token; <------>struct rxkad_challenge challenge; <------>struct rxkad_response *resp; <------>struct rxrpc_skb_priv *sp = rxrpc_skb(skb); <------>const char *eproto; <------>u32 version, nonce, min_level, abort_code; <------>int ret; <------>_enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key)); <------>eproto = tracepoint_string("chall_no_key"); <------>abort_code = RX_PROTOCOL_ERROR; <------>if (!conn->params.key) <------><------>goto protocol_error; <------>abort_code = RXKADEXPIRED; <------>ret = key_validate(conn->params.key); <------>if (ret < 0) <------><------>goto other_error; <------>eproto = tracepoint_string("chall_short"); <------>abort_code = RXKADPACKETSHORT; <------>if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), <------><------><------> &challenge, sizeof(challenge)) < 0) <------><------>goto protocol_error; <------>version = ntohl(challenge.version); <------>nonce = ntohl(challenge.nonce); <------>min_level = ntohl(challenge.min_level); <------>_proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }", <------> sp->hdr.serial, version, nonce, min_level); <------>eproto = tracepoint_string("chall_ver"); <------>abort_code = RXKADINCONSISTENCY; <------>if (version != RXKAD_VERSION) <------><------>goto protocol_error; <------>abort_code = RXKADLEVELFAIL; <------>ret = -EACCES; <------>if (conn->params.security_level < min_level) <------><------>goto other_error; <------>token = conn->params.key->payload.data[0]; <------>/* build the response packet */ <------>resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS); <------>if (!resp) <------><------>return -ENOMEM; <------>resp->version = htonl(RXKAD_VERSION); <------>resp->encrypted.epoch = htonl(conn->proto.epoch); <------>resp->encrypted.cid = htonl(conn->proto.cid); <------>resp->encrypted.securityIndex = htonl(conn->security_ix); <------>resp->encrypted.inc_nonce = htonl(nonce + 1); <------>resp->encrypted.level = htonl(conn->params.security_level); <------>resp->kvno = htonl(token->kad->kvno); <------>resp->ticket_len = htonl(token->kad->ticket_len); <------>resp->encrypted.call_id[0] = htonl(conn->channels[0].call_counter); <------>resp->encrypted.call_id[1] = htonl(conn->channels[1].call_counter); <------>resp->encrypted.call_id[2] = htonl(conn->channels[2].call_counter); <------>resp->encrypted.call_id[3] = htonl(conn->channels[3].call_counter); <------>/* calculate the response checksum and then do the encryption */ <------>rxkad_calc_response_checksum(resp); <------>ret = rxkad_encrypt_response(conn, resp, token->kad); <------>if (ret == 0) <------><------>ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad); <------>kfree(resp); <------>return ret; protocol_error: <------>trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto); <------>ret = -EPROTO; other_error: <------>*_abort_code = abort_code; <------>return ret; } /* * decrypt the kerberos IV ticket in the response */ static int rxkad_decrypt_ticket(struct rxrpc_connection *conn, <------><------><------><------>struct sk_buff *skb, <------><------><------><------>void *ticket, size_t ticket_len, <------><------><------><------>struct rxrpc_crypt *_session_key, <------><------><------><------>time64_t *_expiry, <------><------><------><------>u32 *_abort_code) { <------>struct skcipher_request *req; <------>struct rxrpc_skb_priv *sp = rxrpc_skb(skb); <------>struct rxrpc_crypt iv, key; <------>struct scatterlist sg[1]; <------>struct in_addr addr; <------>unsigned int life; <------>const char *eproto; <------>time64_t issue, now; <------>bool little_endian; <------>int ret; <------>u32 abort_code; <------>u8 *p, *q, *name, *end; <------>_enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key)); <------>*_expiry = 0; <------>ret = key_validate(conn->server_key); <------>if (ret < 0) { <------><------>switch (ret) { <------><------>case -EKEYEXPIRED: <------><------><------>abort_code = RXKADEXPIRED; <------><------><------>goto other_error; <------><------>default: <------><------><------>abort_code = RXKADNOAUTH; <------><------><------>goto other_error; <------><------>} <------>} <------>ASSERT(conn->server_key->payload.data[0] != NULL); <------>ASSERTCMP((unsigned long) ticket & 7UL, ==, 0); <------>memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv)); <------>ret = -ENOMEM; <------>req = skcipher_request_alloc(conn->server_key->payload.data[0], <------><------><------><------> GFP_NOFS); <------>if (!req) <------><------>goto temporary_error; <------>sg_init_one(&sg[0], ticket, ticket_len); <------>skcipher_request_set_callback(req, 0, NULL, NULL); <------>skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x); <------>crypto_skcipher_decrypt(req); <------>skcipher_request_free(req); <------>p = ticket; <------>end = p + ticket_len; #define Z(field) \ <------>({ \ <------><------>u8 *__str = p; \ <------><------>eproto = tracepoint_string("rxkad_bad_"#field); \ <------><------>q = memchr(p, 0, end - p); \ <------><------>if (!q || q - p > (field##_SZ)) \ <------><------><------>goto bad_ticket; \ <------><------>for (; p < q; p++) \ <------><------><------>if (!isprint(*p)) \ <------><------><------><------>goto bad_ticket; \ <------><------>p++; \ <------><------>__str; \ <------>}) <------>/* extract the ticket flags */ <------>_debug("KIV FLAGS: %x", *p); <------>little_endian = *p & 1; <------>p++; <------>/* extract the authentication name */ <------>name = Z(ANAME); <------>_debug("KIV ANAME: %s", name); <------>/* extract the principal's instance */ <------>name = Z(INST); <------>_debug("KIV INST : %s", name); <------>/* extract the principal's authentication domain */ <------>name = Z(REALM); <------>_debug("KIV REALM: %s", name); <------>eproto = tracepoint_string("rxkad_bad_len"); <------>if (end - p < 4 + 8 + 4 + 2) <------><------>goto bad_ticket; <------>/* get the IPv4 address of the entity that requested the ticket */ <------>memcpy(&addr, p, sizeof(addr)); <------>p += 4; <------>_debug("KIV ADDR : %pI4", &addr); <------>/* get the session key from the ticket */ <------>memcpy(&key, p, sizeof(key)); <------>p += 8; <------>_debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1])); <------>memcpy(_session_key, &key, sizeof(key)); <------>/* get the ticket's lifetime */ <------>life = *p++ * 5 * 60; <------>_debug("KIV LIFE : %u", life); <------>/* get the issue time of the ticket */ <------>if (little_endian) { <------><------>__le32 stamp; <------><------>memcpy(&stamp, p, 4); <------><------>issue = rxrpc_u32_to_time64(le32_to_cpu(stamp)); <------>} else { <------><------>__be32 stamp; <------><------>memcpy(&stamp, p, 4); <------><------>issue = rxrpc_u32_to_time64(be32_to_cpu(stamp)); <------>} <------>p += 4; <------>now = ktime_get_real_seconds(); <------>_debug("KIV ISSUE: %llx [%llx]", issue, now); <------>/* check the ticket is in date */ <------>if (issue > now) { <------><------>abort_code = RXKADNOAUTH; <------><------>ret = -EKEYREJECTED; <------><------>goto other_error; <------>} <------>if (issue < now - life) { <------><------>abort_code = RXKADEXPIRED; <------><------>ret = -EKEYEXPIRED; <------><------>goto other_error; <------>} <------>*_expiry = issue + life; <------>/* get the service name */ <------>name = Z(SNAME); <------>_debug("KIV SNAME: %s", name); <------>/* get the service instance name */ <------>name = Z(INST); <------>_debug("KIV SINST: %s", name); <------>return 0; bad_ticket: <------>trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto); <------>abort_code = RXKADBADTICKET; <------>ret = -EPROTO; other_error: <------>*_abort_code = abort_code; <------>return ret; temporary_error: <------>return ret; } /* * decrypt the response packet */ static void rxkad_decrypt_response(struct rxrpc_connection *conn, <------><------><------><------> struct rxkad_response *resp, <------><------><------><------> const struct rxrpc_crypt *session_key) { <------>struct skcipher_request *req = rxkad_ci_req; <------>struct scatterlist sg[1]; <------>struct rxrpc_crypt iv; <------>_enter(",,%08x%08x", <------> ntohl(session_key->n[0]), ntohl(session_key->n[1])); <------>mutex_lock(&rxkad_ci_mutex); <------>if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x, <------><------><------><------><------>sizeof(*session_key)) < 0) <------><------>BUG(); <------>memcpy(&iv, session_key, sizeof(iv)); <------>sg_init_table(sg, 1); <------>sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted)); <------>skcipher_request_set_sync_tfm(req, rxkad_ci); <------>skcipher_request_set_callback(req, 0, NULL, NULL); <------>skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x); <------>crypto_skcipher_decrypt(req); <------>skcipher_request_zero(req); <------>mutex_unlock(&rxkad_ci_mutex); <------>_leave(""); } /* * verify a response */ static int rxkad_verify_response(struct rxrpc_connection *conn, <------><------><------><------> struct sk_buff *skb, <------><------><------><------> u32 *_abort_code) { <------>struct rxkad_response *response; <------>struct rxrpc_skb_priv *sp = rxrpc_skb(skb); <------>struct rxrpc_crypt session_key; <------>const char *eproto; <------>time64_t expiry; <------>void *ticket; <------>u32 abort_code, version, kvno, ticket_len, level; <------>__be32 csum; <------>int ret, i; <------>_enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key)); <------>ret = -ENOMEM; <------>response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS); <------>if (!response) <------><------>goto temporary_error; <------>eproto = tracepoint_string("rxkad_rsp_short"); <------>abort_code = RXKADPACKETSHORT; <------>if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), <------><------><------> response, sizeof(*response)) < 0) <------><------>goto protocol_error; <------>if (!pskb_pull(skb, sizeof(*response))) <------><------>BUG(); <------>version = ntohl(response->version); <------>ticket_len = ntohl(response->ticket_len); <------>kvno = ntohl(response->kvno); <------>_proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }", <------> sp->hdr.serial, version, kvno, ticket_len); <------>eproto = tracepoint_string("rxkad_rsp_ver"); <------>abort_code = RXKADINCONSISTENCY; <------>if (version != RXKAD_VERSION) <------><------>goto protocol_error; <------>eproto = tracepoint_string("rxkad_rsp_tktlen"); <------>abort_code = RXKADTICKETLEN; <------>if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) <------><------>goto protocol_error; <------>eproto = tracepoint_string("rxkad_rsp_unkkey"); <------>abort_code = RXKADUNKNOWNKEY; <------>if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) <------><------>goto protocol_error; <------>/* extract the kerberos ticket and decrypt and decode it */ <------>ret = -ENOMEM; <------>ticket = kmalloc(ticket_len, GFP_NOFS); <------>if (!ticket) <------><------>goto temporary_error_free_resp; <------>eproto = tracepoint_string("rxkad_tkt_short"); <------>abort_code = RXKADPACKETSHORT; <------>if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), <------><------><------> ticket, ticket_len) < 0) <------><------>goto protocol_error_free; <------>ret = rxkad_decrypt_ticket(conn, skb, ticket, ticket_len, &session_key, <------><------><------><------> &expiry, _abort_code); <------>if (ret < 0) <------><------>goto temporary_error_free_ticket; <------>/* use the session key from inside the ticket to decrypt the <------> * response */ <------>rxkad_decrypt_response(conn, response, &session_key); <------>eproto = tracepoint_string("rxkad_rsp_param"); <------>abort_code = RXKADSEALEDINCON; <------>if (ntohl(response->encrypted.epoch) != conn->proto.epoch) <------><------>goto protocol_error_free; <------>if (ntohl(response->encrypted.cid) != conn->proto.cid) <------><------>goto protocol_error_free; <------>if (ntohl(response->encrypted.securityIndex) != conn->security_ix) <------><------>goto protocol_error_free; <------>csum = response->encrypted.checksum; <------>response->encrypted.checksum = 0; <------>rxkad_calc_response_checksum(response); <------>eproto = tracepoint_string("rxkad_rsp_csum"); <------>if (response->encrypted.checksum != csum) <------><------>goto protocol_error_free; <------>spin_lock(&conn->bundle->channel_lock); <------>for (i = 0; i < RXRPC_MAXCALLS; i++) { <------><------>struct rxrpc_call *call; <------><------>u32 call_id = ntohl(response->encrypted.call_id[i]); <------><------>eproto = tracepoint_string("rxkad_rsp_callid"); <------><------>if (call_id > INT_MAX) <------><------><------>goto protocol_error_unlock; <------><------>eproto = tracepoint_string("rxkad_rsp_callctr"); <------><------>if (call_id < conn->channels[i].call_counter) <------><------><------>goto protocol_error_unlock; <------><------>eproto = tracepoint_string("rxkad_rsp_callst"); <------><------>if (call_id > conn->channels[i].call_counter) { <------><------><------>call = rcu_dereference_protected( <------><------><------><------>conn->channels[i].call, <------><------><------><------>lockdep_is_held(&conn->bundle->channel_lock)); <------><------><------>if (call && call->state < RXRPC_CALL_COMPLETE) <------><------><------><------>goto protocol_error_unlock; <------><------><------>conn->channels[i].call_counter = call_id; <------><------>} <------>} <------>spin_unlock(&conn->bundle->channel_lock); <------>eproto = tracepoint_string("rxkad_rsp_seq"); <------>abort_code = RXKADOUTOFSEQUENCE; <------>if (ntohl(response->encrypted.inc_nonce) != conn->security_nonce + 1) <------><------>goto protocol_error_free; <------>eproto = tracepoint_string("rxkad_rsp_level"); <------>abort_code = RXKADLEVELFAIL; <------>level = ntohl(response->encrypted.level); <------>if (level > RXRPC_SECURITY_ENCRYPT) <------><------>goto protocol_error_free; <------>conn->params.security_level = level; <------>/* create a key to hold the security data and expiration time - after <------> * this the connection security can be handled in exactly the same way <------> * as for a client connection */ <------>ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); <------>if (ret < 0) <------><------>goto temporary_error_free_ticket; <------>kfree(ticket); <------>kfree(response); <------>_leave(" = 0"); <------>return 0; protocol_error_unlock: <------>spin_unlock(&conn->bundle->channel_lock); protocol_error_free: <------>kfree(ticket); protocol_error: <------>kfree(response); <------>trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto); <------>*_abort_code = abort_code; <------>return -EPROTO; temporary_error_free_ticket: <------>kfree(ticket); temporary_error_free_resp: <------>kfree(response); temporary_error: <------>/* Ignore the response packet if we got a temporary error such as <------> * ENOMEM. We just want to send the challenge again. Note that we <------> * also come out this way if the ticket decryption fails. <------> */ <------>return ret; } /* * clear the connection security */ static void rxkad_clear(struct rxrpc_connection *conn) { <------>_enter(""); <------>if (conn->cipher) <------><------>crypto_free_sync_skcipher(conn->cipher); } /* * Initialise the rxkad security service. */ static int rxkad_init(void) { <------>struct crypto_sync_skcipher *tfm; <------>struct skcipher_request *req; <------>/* pin the cipher we need so that the crypto layer doesn't invoke <------> * keventd to go get it */ <------>tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0); <------>if (IS_ERR(tfm)) <------><------>return PTR_ERR(tfm); <------>req = skcipher_request_alloc(&tfm->base, GFP_KERNEL); <------>if (!req) <------><------>goto nomem_tfm; <------>rxkad_ci_req = req; <------>rxkad_ci = tfm; <------>return 0; nomem_tfm: <------>crypto_free_sync_skcipher(tfm); <------>return -ENOMEM; } /* * Clean up the rxkad security service. */ static void rxkad_exit(void) { <------>crypto_free_sync_skcipher(rxkad_ci); <------>skcipher_request_free(rxkad_ci_req); } /* * RxRPC Kerberos-based security */ const struct rxrpc_security rxkad = { <------>.name = "rxkad", <------>.security_index = RXRPC_SECURITY_RXKAD, <------>.no_key_abort = RXKADUNKNOWNKEY, <------>.init = rxkad_init, <------>.exit = rxkad_exit, <------>.init_connection_security = rxkad_init_connection_security, <------>.prime_packet_security = rxkad_prime_packet_security, <------>.secure_packet = rxkad_secure_packet, <------>.verify_packet = rxkad_verify_packet, <------>.free_call_crypto = rxkad_free_call_crypto, <------>.locate_data = rxkad_locate_data, <------>.issue_challenge = rxkad_issue_challenge, <------>.respond_to_challenge = rxkad_respond_to_challenge, <------>.verify_response = rxkad_verify_response, <------>.clear = rxkad_clear, };
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags
| Donate