1 /* Kerberos-based RxRPC security
3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
12 #include <crypto/skcipher.h>
13 #include <linux/module.h>
14 #include <linux/net.h>
15 #include <linux/skbuff.h>
16 #include <linux/udp.h>
17 #include <linux/scatterlist.h>
18 #include <linux/ctype.h>
19 #include <linux/slab.h>
21 #include <net/af_rxrpc.h>
22 #include <keys/rxrpc-type.h>
23 #include "ar-internal.h"
25 #define RXKAD_VERSION 2
26 #define MAXKRB5TICKETLEN 1024
27 #define RXKAD_TKT_TYPE_KERBEROS_V5 256
28 #define ANAME_SZ 40 /* size of authentication name */
29 #define INST_SZ 40 /* size of principal's instance */
30 #define REALM_SZ 40 /* size of principal's auth domain */
31 #define SNAME_SZ 40 /* size of service name */
33 struct rxkad_level1_hdr {
34 __be32 data_size; /* true data size (excluding padding) */
37 struct rxkad_level2_hdr {
38 __be32 data_size; /* true data size (excluding padding) */
39 __be32 checksum; /* decrypted data checksum */
43 * this holds a pinned cipher so that keventd doesn't get called by the cipher
44 * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
47 static struct crypto_skcipher *rxkad_ci;
48 static DEFINE_MUTEX(rxkad_ci_mutex);
51 * initialise connection security
53 static int rxkad_init_connection_security(struct rxrpc_connection *conn)
55 struct crypto_skcipher *ci;
56 struct rxrpc_key_token *token;
59 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->key));
61 token = conn->key->payload.data[0];
62 conn->security_ix = token->security_index;
64 ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
71 if (crypto_skcipher_setkey(ci, token->kad->session_key,
72 sizeof(token->kad->session_key)) < 0)
75 switch (conn->security_level) {
76 case RXRPC_SECURITY_PLAIN:
78 case RXRPC_SECURITY_AUTH:
80 conn->security_size = sizeof(struct rxkad_level1_hdr);
81 conn->header_size += sizeof(struct rxkad_level1_hdr);
83 case RXRPC_SECURITY_ENCRYPT:
85 conn->security_size = sizeof(struct rxkad_level2_hdr);
86 conn->header_size += sizeof(struct rxkad_level2_hdr);
101 * prime the encryption state with the invariant parts of a connection's
104 static void rxkad_prime_packet_security(struct rxrpc_connection *conn)
106 struct rxrpc_key_token *token;
107 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
108 struct scatterlist sg[2];
109 struct rxrpc_crypt iv;
112 } tmpbuf __attribute__((aligned(16))); /* must all be in same page */
119 token = conn->key->payload.data[0];
120 memcpy(&iv, token->kad->session_key, sizeof(iv));
122 tmpbuf.x[0] = htonl(conn->epoch);
123 tmpbuf.x[1] = htonl(conn->cid);
125 tmpbuf.x[3] = htonl(conn->security_ix);
127 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf));
128 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf));
130 skcipher_request_set_tfm(req, conn->cipher);
131 skcipher_request_set_callback(req, 0, NULL, NULL);
132 skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(tmpbuf), iv.x);
134 crypto_skcipher_encrypt(req);
135 skcipher_request_zero(req);
137 memcpy(&conn->csum_iv, &tmpbuf.x[2], sizeof(conn->csum_iv));
138 ASSERTCMP((u32 __force)conn->csum_iv.n[0], ==, (u32 __force)tmpbuf.x[2]);
144 * partially encrypt a packet (level 1 security)
146 static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
151 struct rxrpc_skb_priv *sp;
152 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
153 struct rxrpc_crypt iv;
154 struct scatterlist sg[2];
156 struct rxkad_level1_hdr hdr;
157 __be32 first; /* first four bytes of data and padding */
158 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */
165 check = sp->hdr.seq ^ sp->hdr.callNumber;
166 data_size |= (u32)check << 16;
168 tmpbuf.hdr.data_size = htonl(data_size);
169 memcpy(&tmpbuf.first, sechdr + 4, sizeof(tmpbuf.first));
171 /* start the encryption afresh */
172 memset(&iv, 0, sizeof(iv));
174 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf));
175 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf));
177 skcipher_request_set_tfm(req, call->conn->cipher);
178 skcipher_request_set_callback(req, 0, NULL, NULL);
179 skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(tmpbuf), iv.x);
181 crypto_skcipher_encrypt(req);
182 skcipher_request_zero(req);
184 memcpy(sechdr, &tmpbuf, sizeof(tmpbuf));
191 * wholly encrypt a packet (level 2 security)
193 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
198 const struct rxrpc_key_token *token;
199 struct rxkad_level2_hdr rxkhdr
200 __attribute__((aligned(8))); /* must be all on one page */
201 struct rxrpc_skb_priv *sp;
202 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
203 struct rxrpc_crypt iv;
204 struct scatterlist sg[16];
205 struct sk_buff *trailer;
215 check = sp->hdr.seq ^ sp->hdr.callNumber;
217 rxkhdr.data_size = htonl(data_size | (u32)check << 16);
220 /* encrypt from the session key */
221 token = call->conn->key->payload.data[0];
222 memcpy(&iv, token->kad->session_key, sizeof(iv));
224 sg_init_one(&sg[0], sechdr, sizeof(rxkhdr));
225 sg_init_one(&sg[1], &rxkhdr, sizeof(rxkhdr));
227 skcipher_request_set_tfm(req, call->conn->cipher);
228 skcipher_request_set_callback(req, 0, NULL, NULL);
229 skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(rxkhdr), iv.x);
231 crypto_skcipher_encrypt(req);
233 /* we want to encrypt the skbuff in-place */
234 nsg = skb_cow_data(skb, 0, &trailer);
236 if (nsg < 0 || nsg > 16)
239 len = data_size + call->conn->size_align - 1;
240 len &= ~(call->conn->size_align - 1);
242 sg_init_table(sg, nsg);
243 skb_to_sgvec(skb, sg, 0, len);
245 skcipher_request_set_crypt(req, sg, sg, len, iv.x);
247 crypto_skcipher_encrypt(req);
253 skcipher_request_zero(req);
258 * checksum an RxRPC packet header
260 static int rxkad_secure_packet(const struct rxrpc_call *call,
265 struct rxrpc_skb_priv *sp;
266 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
267 struct rxrpc_crypt iv;
268 struct scatterlist sg[2];
271 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */
277 _enter("{%d{%x}},{#%u},%zu,",
278 call->debug_id, key_serial(call->conn->key), sp->hdr.seq,
281 if (!call->conn->cipher)
284 ret = key_validate(call->conn->key);
288 /* continue encrypting from where we left off */
289 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
291 /* calculate the security checksum */
292 x = call->channel << (32 - RXRPC_CIDSHIFT);
293 x |= sp->hdr.seq & 0x3fffffff;
294 tmpbuf.x[0] = htonl(sp->hdr.callNumber);
295 tmpbuf.x[1] = htonl(x);
297 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf));
298 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf));
300 skcipher_request_set_tfm(req, call->conn->cipher);
301 skcipher_request_set_callback(req, 0, NULL, NULL);
302 skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(tmpbuf), iv.x);
304 crypto_skcipher_encrypt(req);
305 skcipher_request_zero(req);
307 y = ntohl(tmpbuf.x[1]);
308 y = (y >> 16) & 0xffff;
310 y = 1; /* zero checksums are not permitted */
313 switch (call->conn->security_level) {
314 case RXRPC_SECURITY_PLAIN:
317 case RXRPC_SECURITY_AUTH:
318 ret = rxkad_secure_packet_auth(call, skb, data_size, sechdr);
320 case RXRPC_SECURITY_ENCRYPT:
321 ret = rxkad_secure_packet_encrypt(call, skb, data_size,
329 _leave(" = %d [set %hx]", ret, y);
334 * decrypt partial encryption on a packet (level 1 security)
336 static int rxkad_verify_packet_auth(const struct rxrpc_call *call,
340 struct rxkad_level1_hdr sechdr;
341 struct rxrpc_skb_priv *sp;
342 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
343 struct rxrpc_crypt iv;
344 struct scatterlist sg[16];
345 struct sk_buff *trailer;
354 /* we want to decrypt the skbuff in-place */
355 nsg = skb_cow_data(skb, 0, &trailer);
356 if (nsg < 0 || nsg > 16)
359 sg_init_table(sg, nsg);
360 skb_to_sgvec(skb, sg, 0, 8);
362 /* start the decryption afresh */
363 memset(&iv, 0, sizeof(iv));
365 skcipher_request_set_tfm(req, call->conn->cipher);
366 skcipher_request_set_callback(req, 0, NULL, NULL);
367 skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
369 crypto_skcipher_decrypt(req);
370 skcipher_request_zero(req);
372 /* remove the decrypted packet length */
373 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0)
375 if (!skb_pull(skb, sizeof(sechdr)))
378 buf = ntohl(sechdr.data_size);
379 data_size = buf & 0xffff;
382 check ^= sp->hdr.seq ^ sp->hdr.callNumber;
385 *_abort_code = RXKADSEALEDINCON;
389 /* shorten the packet to remove the padding */
390 if (data_size > skb->len)
392 else if (data_size < skb->len)
393 skb->len = data_size;
395 _leave(" = 0 [dlen=%x]", data_size);
399 *_abort_code = RXKADDATALEN;
401 _leave(" = -EPROTO");
405 _leave(" = -ENOMEM");
410 * wholly decrypt a packet (level 2 security)
412 static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call,
416 const struct rxrpc_key_token *token;
417 struct rxkad_level2_hdr sechdr;
418 struct rxrpc_skb_priv *sp;
419 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
420 struct rxrpc_crypt iv;
421 struct scatterlist _sg[4], *sg;
422 struct sk_buff *trailer;
427 _enter(",{%d}", skb->len);
431 /* we want to decrypt the skbuff in-place */
432 nsg = skb_cow_data(skb, 0, &trailer);
437 if (unlikely(nsg > 4)) {
438 sg = kmalloc(sizeof(*sg) * nsg, GFP_NOIO);
443 sg_init_table(sg, nsg);
444 skb_to_sgvec(skb, sg, 0, skb->len);
446 /* decrypt from the session key */
447 token = call->conn->key->payload.data[0];
448 memcpy(&iv, token->kad->session_key, sizeof(iv));
450 skcipher_request_set_tfm(req, call->conn->cipher);
451 skcipher_request_set_callback(req, 0, NULL, NULL);
452 skcipher_request_set_crypt(req, sg, sg, skb->len, iv.x);
454 crypto_skcipher_decrypt(req);
455 skcipher_request_zero(req);
459 /* remove the decrypted packet length */
460 if (skb_copy_bits(skb, 0, &sechdr, sizeof(sechdr)) < 0)
462 if (!skb_pull(skb, sizeof(sechdr)))
465 buf = ntohl(sechdr.data_size);
466 data_size = buf & 0xffff;
469 check ^= sp->hdr.seq ^ sp->hdr.callNumber;
472 *_abort_code = RXKADSEALEDINCON;
476 /* shorten the packet to remove the padding */
477 if (data_size > skb->len)
479 else if (data_size < skb->len)
480 skb->len = data_size;
482 _leave(" = 0 [dlen=%x]", data_size);
486 *_abort_code = RXKADDATALEN;
488 _leave(" = -EPROTO");
492 _leave(" = -ENOMEM");
497 * verify the security on a received packet
499 static int rxkad_verify_packet(const struct rxrpc_call *call,
503 SKCIPHER_REQUEST_ON_STACK(req, call->conn->cipher);
504 struct rxrpc_skb_priv *sp;
505 struct rxrpc_crypt iv;
506 struct scatterlist sg[2];
509 } tmpbuf __attribute__((aligned(8))); /* must all be in same page */
516 _enter("{%d{%x}},{#%u}",
517 call->debug_id, key_serial(call->conn->key), sp->hdr.seq);
519 if (!call->conn->cipher)
522 if (sp->hdr.securityIndex != RXRPC_SECURITY_RXKAD) {
523 *_abort_code = RXKADINCONSISTENCY;
524 _leave(" = -EPROTO [not rxkad]");
528 /* continue encrypting from where we left off */
529 memcpy(&iv, call->conn->csum_iv.x, sizeof(iv));
531 /* validate the security checksum */
532 x = call->channel << (32 - RXRPC_CIDSHIFT);
533 x |= sp->hdr.seq & 0x3fffffff;
534 tmpbuf.x[0] = htonl(call->call_id);
535 tmpbuf.x[1] = htonl(x);
537 sg_init_one(&sg[0], &tmpbuf, sizeof(tmpbuf));
538 sg_init_one(&sg[1], &tmpbuf, sizeof(tmpbuf));
540 skcipher_request_set_tfm(req, call->conn->cipher);
541 skcipher_request_set_callback(req, 0, NULL, NULL);
542 skcipher_request_set_crypt(req, &sg[1], &sg[0], sizeof(tmpbuf), iv.x);
544 crypto_skcipher_encrypt(req);
545 skcipher_request_zero(req);
547 y = ntohl(tmpbuf.x[1]);
548 cksum = (y >> 16) & 0xffff;
550 cksum = 1; /* zero checksums are not permitted */
552 if (sp->hdr.cksum != cksum) {
553 *_abort_code = RXKADSEALEDINCON;
554 _leave(" = -EPROTO [csum failed]");
558 switch (call->conn->security_level) {
559 case RXRPC_SECURITY_PLAIN:
562 case RXRPC_SECURITY_AUTH:
563 ret = rxkad_verify_packet_auth(call, skb, _abort_code);
565 case RXRPC_SECURITY_ENCRYPT:
566 ret = rxkad_verify_packet_encrypt(call, skb, _abort_code);
573 _leave(" = %d", ret);
580 static int rxkad_issue_challenge(struct rxrpc_connection *conn)
582 struct rxkad_challenge challenge;
583 struct rxrpc_wire_header whdr;
590 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
592 ret = key_validate(conn->key);
596 get_random_bytes(&conn->security_nonce, sizeof(conn->security_nonce));
598 challenge.version = htonl(2);
599 challenge.nonce = htonl(conn->security_nonce);
600 challenge.min_level = htonl(0);
601 challenge.__padding = 0;
603 msg.msg_name = &conn->trans->peer->srx.transport.sin;
604 msg.msg_namelen = sizeof(conn->trans->peer->srx.transport.sin);
605 msg.msg_control = NULL;
606 msg.msg_controllen = 0;
609 whdr.epoch = htonl(conn->epoch);
610 whdr.cid = htonl(conn->cid);
613 whdr.type = RXRPC_PACKET_TYPE_CHALLENGE;
614 whdr.flags = conn->out_clientflag;
616 whdr.securityIndex = conn->security_ix;
618 whdr.serviceId = htons(conn->service_id);
620 iov[0].iov_base = &whdr;
621 iov[0].iov_len = sizeof(whdr);
622 iov[1].iov_base = &challenge;
623 iov[1].iov_len = sizeof(challenge);
625 len = iov[0].iov_len + iov[1].iov_len;
627 serial = atomic_inc_return(&conn->serial);
628 whdr.serial = htonl(serial);
629 _proto("Tx CHALLENGE %%%u", serial);
631 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
633 _debug("sendmsg failed: %d", ret);
642 * send a Kerberos security response
644 static int rxkad_send_response(struct rxrpc_connection *conn,
645 struct rxrpc_host_header *hdr,
646 struct rxkad_response *resp,
647 const struct rxkad_key *s2)
649 struct rxrpc_wire_header whdr;
658 msg.msg_name = &conn->trans->peer->srx.transport.sin;
659 msg.msg_namelen = sizeof(conn->trans->peer->srx.transport.sin);
660 msg.msg_control = NULL;
661 msg.msg_controllen = 0;
664 memset(&whdr, 0, sizeof(whdr));
665 whdr.epoch = htonl(hdr->epoch);
666 whdr.cid = htonl(hdr->cid);
667 whdr.type = RXRPC_PACKET_TYPE_RESPONSE;
668 whdr.flags = conn->out_clientflag;
669 whdr.securityIndex = hdr->securityIndex;
670 whdr.serviceId = htons(hdr->serviceId);
672 iov[0].iov_base = &whdr;
673 iov[0].iov_len = sizeof(whdr);
674 iov[1].iov_base = resp;
675 iov[1].iov_len = sizeof(*resp);
676 iov[2].iov_base = (void *)s2->ticket;
677 iov[2].iov_len = s2->ticket_len;
679 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
681 serial = atomic_inc_return(&conn->serial);
682 whdr.serial = htonl(serial);
683 _proto("Tx RESPONSE %%%u", serial);
685 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
687 _debug("sendmsg failed: %d", ret);
696 * calculate the response checksum
698 static void rxkad_calc_response_checksum(struct rxkad_response *response)
702 u8 *p = (u8 *) response;
704 for (loop = sizeof(*response); loop > 0; loop--)
705 csum = csum * 0x10204081 + *p++;
707 response->encrypted.checksum = htonl(csum);
711 * load a scatterlist with a potentially split-page buffer
713 static void rxkad_sg_set_buf2(struct scatterlist sg[2],
714 void *buf, size_t buflen)
718 sg_init_table(sg, 2);
720 sg_set_buf(&sg[0], buf, buflen);
721 if (sg[0].offset + buflen > PAGE_SIZE) {
722 /* the buffer was split over two pages */
723 sg[0].length = PAGE_SIZE - sg[0].offset;
724 sg_set_buf(&sg[1], buf + sg[0].length, buflen - sg[0].length);
728 sg_mark_end(&sg[nsg - 1]);
730 ASSERTCMP(sg[0].length + sg[1].length, ==, buflen);
734 * encrypt the response packet
736 static void rxkad_encrypt_response(struct rxrpc_connection *conn,
737 struct rxkad_response *resp,
738 const struct rxkad_key *s2)
740 SKCIPHER_REQUEST_ON_STACK(req, conn->cipher);
741 struct rxrpc_crypt iv;
742 struct scatterlist sg[2];
744 /* continue encrypting from where we left off */
745 memcpy(&iv, s2->session_key, sizeof(iv));
747 rxkad_sg_set_buf2(sg, &resp->encrypted, sizeof(resp->encrypted));
749 skcipher_request_set_tfm(req, conn->cipher);
750 skcipher_request_set_callback(req, 0, NULL, NULL);
751 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
753 crypto_skcipher_encrypt(req);
754 skcipher_request_zero(req);
758 * respond to a challenge packet
760 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
764 const struct rxrpc_key_token *token;
765 struct rxkad_challenge challenge;
766 struct rxkad_response resp
767 __attribute__((aligned(8))); /* must be aligned for crypto */
768 struct rxrpc_skb_priv *sp;
769 u32 version, nonce, min_level, abort_code;
772 _enter("{%d,%x}", conn->debug_id, key_serial(conn->key));
775 _leave(" = -EPROTO [no key]");
779 ret = key_validate(conn->key);
781 *_abort_code = RXKADEXPIRED;
785 abort_code = RXKADPACKETSHORT;
787 if (skb_copy_bits(skb, 0, &challenge, sizeof(challenge)) < 0)
790 version = ntohl(challenge.version);
791 nonce = ntohl(challenge.nonce);
792 min_level = ntohl(challenge.min_level);
794 _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
795 sp->hdr.serial, version, nonce, min_level);
797 abort_code = RXKADINCONSISTENCY;
798 if (version != RXKAD_VERSION)
801 abort_code = RXKADLEVELFAIL;
802 if (conn->security_level < min_level)
805 token = conn->key->payload.data[0];
807 /* build the response packet */
808 memset(&resp, 0, sizeof(resp));
810 resp.version = htonl(RXKAD_VERSION);
811 resp.encrypted.epoch = htonl(conn->epoch);
812 resp.encrypted.cid = htonl(conn->cid);
813 resp.encrypted.securityIndex = htonl(conn->security_ix);
814 resp.encrypted.inc_nonce = htonl(nonce + 1);
815 resp.encrypted.level = htonl(conn->security_level);
816 resp.kvno = htonl(token->kad->kvno);
817 resp.ticket_len = htonl(token->kad->ticket_len);
819 resp.encrypted.call_id[0] =
820 htonl(conn->channels[0] ? conn->channels[0]->call_id : 0);
821 resp.encrypted.call_id[1] =
822 htonl(conn->channels[1] ? conn->channels[1]->call_id : 0);
823 resp.encrypted.call_id[2] =
824 htonl(conn->channels[2] ? conn->channels[2]->call_id : 0);
825 resp.encrypted.call_id[3] =
826 htonl(conn->channels[3] ? conn->channels[3]->call_id : 0);
828 /* calculate the response checksum and then do the encryption */
829 rxkad_calc_response_checksum(&resp);
830 rxkad_encrypt_response(conn, &resp, token->kad);
831 return rxkad_send_response(conn, &sp->hdr, &resp, token->kad);
834 *_abort_code = abort_code;
835 _leave(" = -EPROTO [%d]", abort_code);
840 * decrypt the kerberos IV ticket in the response
842 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
843 void *ticket, size_t ticket_len,
844 struct rxrpc_crypt *_session_key,
848 struct skcipher_request *req;
849 struct rxrpc_crypt iv, key;
850 struct scatterlist sg[1];
856 u8 *p, *q, *name, *end;
858 _enter("{%d},{%x}", conn->debug_id, key_serial(conn->server_key));
862 ret = key_validate(conn->server_key);
866 *_abort_code = RXKADEXPIRED;
869 *_abort_code = RXKADNOAUTH;
874 ASSERT(conn->server_key->payload.data[0] != NULL);
875 ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
877 memcpy(&iv, &conn->server_key->payload.data[2], sizeof(iv));
879 req = skcipher_request_alloc(conn->server_key->payload.data[0],
882 *_abort_code = RXKADNOAUTH;
887 sg_init_one(&sg[0], ticket, ticket_len);
889 skcipher_request_set_callback(req, 0, NULL, NULL);
890 skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
892 crypto_skcipher_decrypt(req);
893 skcipher_request_free(req);
896 end = p + ticket_len;
901 q = memchr(p, 0, end - p); \
902 if (!q || q - p > (size)) \
911 /* extract the ticket flags */
912 _debug("KIV FLAGS: %x", *p);
913 little_endian = *p & 1;
916 /* extract the authentication name */
918 _debug("KIV ANAME: %s", name);
920 /* extract the principal's instance */
922 _debug("KIV INST : %s", name);
924 /* extract the principal's authentication domain */
926 _debug("KIV REALM: %s", name);
928 if (end - p < 4 + 8 + 4 + 2)
931 /* get the IPv4 address of the entity that requested the ticket */
932 memcpy(&addr, p, sizeof(addr));
934 _debug("KIV ADDR : %pI4", &addr);
936 /* get the session key from the ticket */
937 memcpy(&key, p, sizeof(key));
939 _debug("KIV KEY : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
940 memcpy(_session_key, &key, sizeof(key));
942 /* get the ticket's lifetime */
943 life = *p++ * 5 * 60;
944 _debug("KIV LIFE : %u", life);
946 /* get the issue time of the ticket */
949 memcpy(&stamp, p, 4);
950 issue = le32_to_cpu(stamp);
953 memcpy(&stamp, p, 4);
954 issue = be32_to_cpu(stamp);
958 _debug("KIV ISSUE: %lx [%lx]", issue, now);
960 /* check the ticket is in date */
962 *_abort_code = RXKADNOAUTH;
967 if (issue < now - life) {
968 *_abort_code = RXKADEXPIRED;
973 *_expiry = issue + life;
975 /* get the service name */
977 _debug("KIV SNAME: %s", name);
979 /* get the service instance name */
981 _debug("KIV SINST: %s", name);
985 _leave(" = %d", ret);
989 *_abort_code = RXKADBADTICKET;
995 * decrypt the response packet
997 static void rxkad_decrypt_response(struct rxrpc_connection *conn,
998 struct rxkad_response *resp,
999 const struct rxrpc_crypt *session_key)
1001 SKCIPHER_REQUEST_ON_STACK(req, rxkad_ci);
1002 struct scatterlist sg[2];
1003 struct rxrpc_crypt iv;
1005 _enter(",,%08x%08x",
1006 ntohl(session_key->n[0]), ntohl(session_key->n[1]));
1008 ASSERT(rxkad_ci != NULL);
1010 mutex_lock(&rxkad_ci_mutex);
1011 if (crypto_skcipher_setkey(rxkad_ci, session_key->x,
1012 sizeof(*session_key)) < 0)
1015 memcpy(&iv, session_key, sizeof(iv));
1017 rxkad_sg_set_buf2(sg, &resp->encrypted, sizeof(resp->encrypted));
1019 skcipher_request_set_tfm(req, rxkad_ci);
1020 skcipher_request_set_callback(req, 0, NULL, NULL);
1021 skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1023 crypto_skcipher_decrypt(req);
1024 skcipher_request_zero(req);
1026 mutex_unlock(&rxkad_ci_mutex);
1034 static int rxkad_verify_response(struct rxrpc_connection *conn,
1035 struct sk_buff *skb,
1038 struct rxkad_response response
1039 __attribute__((aligned(8))); /* must be aligned for crypto */
1040 struct rxrpc_skb_priv *sp;
1041 struct rxrpc_crypt session_key;
1044 u32 abort_code, version, kvno, ticket_len, level;
1048 _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key));
1050 abort_code = RXKADPACKETSHORT;
1051 if (skb_copy_bits(skb, 0, &response, sizeof(response)) < 0)
1052 goto protocol_error;
1053 if (!pskb_pull(skb, sizeof(response)))
1056 version = ntohl(response.version);
1057 ticket_len = ntohl(response.ticket_len);
1058 kvno = ntohl(response.kvno);
1059 sp = rxrpc_skb(skb);
1060 _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1061 sp->hdr.serial, version, kvno, ticket_len);
1063 abort_code = RXKADINCONSISTENCY;
1064 if (version != RXKAD_VERSION)
1065 goto protocol_error;
1067 abort_code = RXKADTICKETLEN;
1068 if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1069 goto protocol_error;
1071 abort_code = RXKADUNKNOWNKEY;
1072 if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1073 goto protocol_error;
1075 /* extract the kerberos ticket and decrypt and decode it */
1076 ticket = kmalloc(ticket_len, GFP_NOFS);
1080 abort_code = RXKADPACKETSHORT;
1081 if (skb_copy_bits(skb, 0, ticket, ticket_len) < 0)
1082 goto protocol_error_free;
1084 ret = rxkad_decrypt_ticket(conn, ticket, ticket_len, &session_key,
1085 &expiry, &abort_code);
1087 *_abort_code = abort_code;
1092 /* use the session key from inside the ticket to decrypt the
1094 rxkad_decrypt_response(conn, &response, &session_key);
1096 abort_code = RXKADSEALEDINCON;
1097 if (ntohl(response.encrypted.epoch) != conn->epoch)
1098 goto protocol_error_free;
1099 if (ntohl(response.encrypted.cid) != conn->cid)
1100 goto protocol_error_free;
1101 if (ntohl(response.encrypted.securityIndex) != conn->security_ix)
1102 goto protocol_error_free;
1103 csum = response.encrypted.checksum;
1104 response.encrypted.checksum = 0;
1105 rxkad_calc_response_checksum(&response);
1106 if (response.encrypted.checksum != csum)
1107 goto protocol_error_free;
1109 if (ntohl(response.encrypted.call_id[0]) > INT_MAX ||
1110 ntohl(response.encrypted.call_id[1]) > INT_MAX ||
1111 ntohl(response.encrypted.call_id[2]) > INT_MAX ||
1112 ntohl(response.encrypted.call_id[3]) > INT_MAX)
1113 goto protocol_error_free;
1115 abort_code = RXKADOUTOFSEQUENCE;
1116 if (ntohl(response.encrypted.inc_nonce) != conn->security_nonce + 1)
1117 goto protocol_error_free;
1119 abort_code = RXKADLEVELFAIL;
1120 level = ntohl(response.encrypted.level);
1121 if (level > RXRPC_SECURITY_ENCRYPT)
1122 goto protocol_error_free;
1123 conn->security_level = level;
1125 /* create a key to hold the security data and expiration time - after
1126 * this the connection security can be handled in exactly the same way
1127 * as for a client connection */
1128 ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1138 protocol_error_free:
1141 *_abort_code = abort_code;
1142 _leave(" = -EPROTO [%d]", abort_code);
1147 * clear the connection security
1149 static void rxkad_clear(struct rxrpc_connection *conn)
1154 crypto_free_skcipher(conn->cipher);
1158 * Initialise the rxkad security service.
1160 static int rxkad_init(void)
1162 /* pin the cipher we need so that the crypto layer doesn't invoke
1163 * keventd to go get it */
1164 rxkad_ci = crypto_alloc_skcipher("pcbc(fcrypt)", 0, CRYPTO_ALG_ASYNC);
1165 if (IS_ERR(rxkad_ci))
1166 return PTR_ERR(rxkad_ci);
1171 * Clean up the rxkad security service.
1173 static void rxkad_exit(void)
1176 crypto_free_skcipher(rxkad_ci);
1180 * RxRPC Kerberos-based security
1182 const struct rxrpc_security rxkad = {
1184 .security_index = RXRPC_SECURITY_RXKAD,
1187 .init_connection_security = rxkad_init_connection_security,
1188 .prime_packet_security = rxkad_prime_packet_security,
1189 .secure_packet = rxkad_secure_packet,
1190 .verify_packet = rxkad_verify_packet,
1191 .issue_challenge = rxkad_issue_challenge,
1192 .respond_to_challenge = rxkad_respond_to_challenge,
1193 .verify_response = rxkad_verify_response,
1194 .clear = rxkad_clear,