1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Kerberos-based RxRPC security
18 #include <linux/key-type.h>
21 #include <keys/rxrpc-type.h>
22 #include "ar-internal.h"
57  * The data should be the 8-byte secret key.
63 	if (prep->datalen != 8)  in rxkad_preparse_server_key()
64 		return -EINVAL;  in rxkad_preparse_server_key()
66 	memcpy(&prep->payload.data[2], prep->data, 8);  in rxkad_preparse_server_key()
74 	if (crypto_skcipher_setkey(ci, prep->data, 8) < 0)  in rxkad_preparse_server_key()
77 	prep->payload.data[0] = ci;  in rxkad_preparse_server_key()
85 	if (prep->payload.data[0])  in rxkad_free_preparse_server_key()
86 		crypto_free_skcipher(prep->payload.data[0]);  in rxkad_free_preparse_server_key()
91 	if (key->payload.data[0]) {  in rxkad_destroy_server_key()
92 		crypto_free_skcipher(key->payload.data[0]);  in rxkad_destroy_server_key()
93 		key->payload.data[0] = NULL;  in rxkad_destroy_server_key()
106 	_enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));  in rxkad_init_connection_security()
108 	conn->security_ix = token->security_index;  in rxkad_init_connection_security()
117 	if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,  in rxkad_init_connection_security()
118 				   sizeof(token->kad->session_key)) < 0)  in rxkad_init_connection_security()
121 	switch (conn->params.security_level) {  in rxkad_init_connection_security()
127 		ret = -EKEYREJECTED;  in rxkad_init_connection_security()
135 	conn->rxkad.cipher = ci;  in rxkad_init_connection_security()
153 	switch (call->conn->params.security_level) {  in rxkad_how_much_data()
168 	chunk = buf_size - shdr;  in rxkad_how_much_data()
195 	if (!conn->params.key)  in rxkad_prime_packet_security()
200 		return -ENOMEM;  in rxkad_prime_packet_security()
202 	req = skcipher_request_alloc(&ci->base, GFP_NOFS);  in rxkad_prime_packet_security()
205 		return -ENOMEM;  in rxkad_prime_packet_security()
208 	token = conn->params.key->payload.data[0];  in rxkad_prime_packet_security()
209 	memcpy(&iv, token->kad->session_key, sizeof(iv));  in rxkad_prime_packet_security()
211 	tmpbuf[0] = htonl(conn->proto.epoch);  in rxkad_prime_packet_security()
212 	tmpbuf[1] = htonl(conn->proto.cid);  in rxkad_prime_packet_security()
214 	tmpbuf[3] = htonl(conn->security_ix);  in rxkad_prime_packet_security()
223 	memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv));  in rxkad_prime_packet_security()
235 	struct crypto_skcipher *tfm = &call->conn->rxkad.cipher->base;  in rxkad_get_call_crypto()
236 	struct skcipher_request	*cipher_req = call->cipher_req;  in rxkad_get_call_crypto()
242 		call->cipher_req = cipher_req;  in rxkad_get_call_crypto()
253 	if (call->cipher_req)  in rxkad_free_call_crypto()
254 		skcipher_request_free(call->cipher_req);  in rxkad_free_call_crypto()
255 	call->cipher_req = NULL;  in rxkad_free_call_crypto()
274 	check = sp->hdr.seq ^ call->call_id;  in rxkad_secure_packet_auth()
278 	memcpy(skb->head, &hdr, sizeof(hdr));  in rxkad_secure_packet_auth()
281 	pad = RXKAD_ALIGN - pad;  in rxkad_secure_packet_auth()
282 	pad &= RXKAD_ALIGN - 1;  in rxkad_secure_packet_auth()
289 	sg_init_one(&sg, skb->head, 8);  in rxkad_secure_packet_auth()
290 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);  in rxkad_secure_packet_auth()
322 	check = sp->hdr.seq ^ call->call_id;  in rxkad_secure_packet_encrypt()
326 	memcpy(skb->head, &rxkhdr, sizeof(rxkhdr));  in rxkad_secure_packet_encrypt()
329 	pad = RXKAD_ALIGN - pad;  in rxkad_secure_packet_encrypt()
330 	pad &= RXKAD_ALIGN - 1;  in rxkad_secure_packet_encrypt()
335 	token = call->conn->params.key->payload.data[0];  in rxkad_secure_packet_encrypt()
336 	memcpy(&iv, token->kad->session_key, sizeof(iv));  in rxkad_secure_packet_encrypt()
338 	sg_init_one(&sg[0], skb->head, sizeof(rxkhdr));  in rxkad_secure_packet_encrypt()
339 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);  in rxkad_secure_packet_encrypt()
344 	/* we want to encrypt the skbuff in-place */  in rxkad_secure_packet_encrypt()
345 	err = -EMSGSIZE;  in rxkad_secure_packet_encrypt()
346 	if (skb_shinfo(skb)->nr_frags > 16)  in rxkad_secure_packet_encrypt()
383 	       call->debug_id, key_serial(call->conn->params.key),  in rxkad_secure_packet()
384 	       sp->hdr.seq, data_size);  in rxkad_secure_packet()
386 	if (!call->conn->rxkad.cipher)  in rxkad_secure_packet()
389 	ret = key_validate(call->conn->params.key);  in rxkad_secure_packet()
395 		return -ENOMEM;  in rxkad_secure_packet()
398 	memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));  in rxkad_secure_packet()
401 	x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);  in rxkad_secure_packet()
402 	x |= sp->hdr.seq & 0x3fffffff;  in rxkad_secure_packet()
403 	call->crypto_buf[0] = htonl(call->call_id);  in rxkad_secure_packet()
404 	call->crypto_buf[1] = htonl(x);  in rxkad_secure_packet()
406 	sg_init_one(&sg, call->crypto_buf, 8);  in rxkad_secure_packet()
407 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);  in rxkad_secure_packet()
413 	y = ntohl(call->crypto_buf[1]);  in rxkad_secure_packet()
417 	sp->hdr.cksum = y;  in rxkad_secure_packet()
419 	switch (call->conn->params.security_level) {  in rxkad_secure_packet()
430 		ret = -EPERM;  in rxkad_secure_packet()
462 	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt  in rxkad_verify_packet_1()
473 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);  in rxkad_verify_packet_1()
485 	len -= sizeof(sechdr);  in rxkad_verify_packet_1()
491 	check ^= seq ^ call->call_id;  in rxkad_verify_packet_1()
511 	return -EPROTO;  in rxkad_verify_packet_1()
531 	_enter(",{%d}", skb->len);  in rxkad_verify_packet_2()
539 	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt  in rxkad_verify_packet_2()
543 	nsg = skb_shinfo(skb)->nr_frags + 1;  in rxkad_verify_packet_2()
561 	token = call->conn->params.key->payload.data[0];  in rxkad_verify_packet_2()
562 	memcpy(&iv, token->kad->session_key, sizeof(iv));  in rxkad_verify_packet_2()
564 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);  in rxkad_verify_packet_2()
578 	len -= sizeof(sechdr);  in rxkad_verify_packet_2()
584 	check ^= seq ^ call->call_id;  in rxkad_verify_packet_2()
604 	return -EPROTO;  in rxkad_verify_packet_2()
607 	_leave(" = -ENOMEM");  in rxkad_verify_packet_2()
608 	return -ENOMEM;  in rxkad_verify_packet_2()
627 	       call->debug_id, key_serial(call->conn->params.key), seq);  in rxkad_verify_packet()
629 	if (!call->conn->rxkad.cipher)  in rxkad_verify_packet()
634 		return -ENOMEM;  in rxkad_verify_packet()
637 	memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));  in rxkad_verify_packet()
640 	x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);  in rxkad_verify_packet()
642 	call->crypto_buf[0] = htonl(call->call_id);  in rxkad_verify_packet()
643 	call->crypto_buf[1] = htonl(x);  in rxkad_verify_packet()
645 	sg_init_one(&sg, call->crypto_buf, 8);  in rxkad_verify_packet()
646 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);  in rxkad_verify_packet()
652 	y = ntohl(call->crypto_buf[1]);  in rxkad_verify_packet()
663 	switch (call->conn->params.security_level) {  in rxkad_verify_packet()
671 		return -ENOANO;  in rxkad_verify_packet()
677 	return -EPROTO;  in rxkad_verify_packet()
714 	switch (call->conn->params.security_level) {  in rxkad_locate_data()
739 	_enter("{%d}", conn->debug_id);  in rxkad_issue_challenge()
741 	get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce));  in rxkad_issue_challenge()
744 	challenge.nonce		= htonl(conn->rxkad.nonce);  in rxkad_issue_challenge()
748 	msg.msg_name	= &conn->params.peer->srx.transport;  in rxkad_issue_challenge()
749 	msg.msg_namelen	= conn->params.peer->srx.transport_len;  in rxkad_issue_challenge()
754 	whdr.epoch	= htonl(conn->proto.epoch);  in rxkad_issue_challenge()
755 	whdr.cid	= htonl(conn->proto.cid);  in rxkad_issue_challenge()
759 	whdr.flags	= conn->out_clientflag;  in rxkad_issue_challenge()
761 	whdr.securityIndex = conn->security_ix;  in rxkad_issue_challenge()
763 	whdr.serviceId	= htons(conn->service_id);  in rxkad_issue_challenge()
772 	serial = atomic_inc_return(&conn->serial);  in rxkad_issue_challenge()
776 	ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);  in rxkad_issue_challenge()
778 		trace_rxrpc_tx_fail(conn->debug_id, serial, ret,  in rxkad_issue_challenge()
780 		return -EAGAIN;  in rxkad_issue_challenge()
783 	conn->params.peer->last_tx_at = ktime_get_seconds();  in rxkad_issue_challenge()
784 	trace_rxrpc_tx_packet(conn->debug_id, &whdr,  in rxkad_issue_challenge()
807 	msg.msg_name	= &conn->params.peer->srx.transport;  in rxkad_send_response()
808 	msg.msg_namelen	= conn->params.peer->srx.transport_len;  in rxkad_send_response()
814 	whdr.epoch	= htonl(hdr->epoch);  in rxkad_send_response()
815 	whdr.cid	= htonl(hdr->cid);  in rxkad_send_response()
817 	whdr.flags	= conn->out_clientflag;  in rxkad_send_response()
818 	whdr.securityIndex = hdr->securityIndex;  in rxkad_send_response()
819 	whdr.serviceId	= htons(hdr->serviceId);  in rxkad_send_response()
825 	iov[2].iov_base	= (void *)s2->ticket;  in rxkad_send_response()
826 	iov[2].iov_len	= s2->ticket_len;  in rxkad_send_response()
830 	serial = atomic_inc_return(&conn->serial);  in rxkad_send_response()
834 	ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);  in rxkad_send_response()
836 		trace_rxrpc_tx_fail(conn->debug_id, serial, ret,  in rxkad_send_response()
838 		return -EAGAIN;  in rxkad_send_response()
841 	conn->params.peer->last_tx_at = ktime_get_seconds();  in rxkad_send_response()
855 	for (loop = sizeof(*response); loop > 0; loop--)  in rxkad_calc_response_checksum()
858 	response->encrypted.checksum = htonl(csum);  in rxkad_calc_response_checksum()
872 	req = skcipher_request_alloc(&conn->rxkad.cipher->base, GFP_NOFS);  in rxkad_encrypt_response()
874 		return -ENOMEM;  in rxkad_encrypt_response()
877 	memcpy(&iv, s2->session_key, sizeof(iv));  in rxkad_encrypt_response()
880 	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));  in rxkad_encrypt_response()
881 	skcipher_request_set_sync_tfm(req, conn->rxkad.cipher);  in rxkad_encrypt_response()
883 	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);  in rxkad_encrypt_response()
900 	const char *eproto;  in rxkad_respond_to_challenge()  local
904 	_enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));  in rxkad_respond_to_challenge()
906 	eproto = tracepoint_string("chall_no_key");  in rxkad_respond_to_challenge()
908 	if (!conn->params.key)  in rxkad_respond_to_challenge()
912 	ret = key_validate(conn->params.key);  in rxkad_respond_to_challenge()
916 	eproto = tracepoint_string("chall_short");  in rxkad_respond_to_challenge()
927 	       sp->hdr.serial, version, nonce, min_level);  in rxkad_respond_to_challenge()
929 	eproto = tracepoint_string("chall_ver");  in rxkad_respond_to_challenge()
935 	ret = -EACCES;  in rxkad_respond_to_challenge()
936 	if (conn->params.security_level < min_level)  in rxkad_respond_to_challenge()
939 	token = conn->params.key->payload.data[0];  in rxkad_respond_to_challenge()
944 		return -ENOMEM;  in rxkad_respond_to_challenge()
946 	resp->version			= htonl(RXKAD_VERSION);  in rxkad_respond_to_challenge()
947 	resp->encrypted.epoch		= htonl(conn->proto.epoch);  in rxkad_respond_to_challenge()
948 	resp->encrypted.cid		= htonl(conn->proto.cid);  in rxkad_respond_to_challenge()
949 	resp->encrypted.securityIndex	= htonl(conn->security_ix);  in rxkad_respond_to_challenge()
950 	resp->encrypted.inc_nonce	= htonl(nonce + 1);  in rxkad_respond_to_challenge()
951 	resp->encrypted.level		= htonl(conn->params.security_level);  in rxkad_respond_to_challenge()
952 	resp->kvno			= htonl(token->kad->kvno);  in rxkad_respond_to_challenge()
953 	resp->ticket_len		= htonl(token->kad->ticket_len);  in rxkad_respond_to_challenge()
954 	resp->encrypted.call_id[0]	= htonl(conn->channels[0].call_counter);  in rxkad_respond_to_challenge()
955 	resp->encrypted.call_id[1]	= htonl(conn->channels[1].call_counter);  in rxkad_respond_to_challenge()
956 	resp->encrypted.call_id[2]	= htonl(conn->channels[2].call_counter);  in rxkad_respond_to_challenge()
957 	resp->encrypted.call_id[3]	= htonl(conn->channels[3].call_counter);  in rxkad_respond_to_challenge()
961 	ret = rxkad_encrypt_response(conn, resp, token->kad);  in rxkad_respond_to_challenge()
963 		ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad);  in rxkad_respond_to_challenge()
968 	trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);  in rxkad_respond_to_challenge()
969 	ret = -EPROTO;  in rxkad_respond_to_challenge()
992 	const char *eproto;  in rxkad_decrypt_ticket()  local
999 	_enter("{%d},{%x}", conn->debug_id, key_serial(server_key));  in rxkad_decrypt_ticket()
1003 	ASSERT(server_key->payload.data[0] != NULL);  in rxkad_decrypt_ticket()
1006 	memcpy(&iv, &server_key->payload.data[2], sizeof(iv));  in rxkad_decrypt_ticket()
1008 	ret = -ENOMEM;  in rxkad_decrypt_ticket()
1009 	req = skcipher_request_alloc(server_key->payload.data[0], GFP_NOFS);  in rxkad_decrypt_ticket()
1025 		eproto = tracepoint_string("rxkad_bad_"#field); \  in rxkad_decrypt_ticket()
1026 		q = memchr(p, 0, end - p);		\  in rxkad_decrypt_ticket()
1027 		if (!q || q - p > (field##_SZ))		\  in rxkad_decrypt_ticket()
1053 	eproto = tracepoint_string("rxkad_bad_len");  in rxkad_decrypt_ticket()
1054 	if (end - p < 4 + 8 + 4 + 2)  in rxkad_decrypt_ticket()
1089 		ret = -EKEYREJECTED;  in rxkad_decrypt_ticket()
1093 	if (issue < now - life) {  in rxkad_decrypt_ticket()
1095 		ret = -EKEYEXPIRED;  in rxkad_decrypt_ticket()
1111 	trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);  in rxkad_decrypt_ticket()
1113 	ret = -EPROTO;  in rxkad_decrypt_ticket()
1133 	       ntohl(session_key->n[0]), ntohl(session_key->n[1]));  in rxkad_decrypt_response()
1136 	if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,  in rxkad_decrypt_response()
1143 	sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));  in rxkad_decrypt_response()
1146 	skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);  in rxkad_decrypt_response()
1166 	const char *eproto;  in rxkad_verify_response()  local
1173 	_enter("{%d}", conn->debug_id);  in rxkad_verify_response()
1178 		case -ENOKEY:  in rxkad_verify_response()
1181 		case -EKEYEXPIRED:  in rxkad_verify_response()
1189 				  sp->hdr.cid, sp->hdr.callNumber, sp->hdr.seq,  in rxkad_verify_response()
1192 		return -EPROTO;  in rxkad_verify_response()
1195 	ret = -ENOMEM;  in rxkad_verify_response()
1200 	eproto = tracepoint_string("rxkad_rsp_short");  in rxkad_verify_response()
1206 	version = ntohl(response->version);  in rxkad_verify_response()
1207 	ticket_len = ntohl(response->ticket_len);  in rxkad_verify_response()
1208 	kvno = ntohl(response->kvno);  in rxkad_verify_response()
1210 	       sp->hdr.serial, version, kvno, ticket_len);  in rxkad_verify_response()
1212 	eproto = tracepoint_string("rxkad_rsp_ver");  in rxkad_verify_response()
1217 	eproto = tracepoint_string("rxkad_rsp_tktlen");  in rxkad_verify_response()
1222 	eproto = tracepoint_string("rxkad_rsp_unkkey");  in rxkad_verify_response()
1228 	ret = -ENOMEM;  in rxkad_verify_response()
1233 	eproto = tracepoint_string("rxkad_tkt_short");  in rxkad_verify_response()
1248 	eproto = tracepoint_string("rxkad_rsp_param");  in rxkad_verify_response()
1250 	if (ntohl(response->encrypted.epoch) != conn->proto.epoch)  in rxkad_verify_response()
1252 	if (ntohl(response->encrypted.cid) != conn->proto.cid)  in rxkad_verify_response()
1254 	if (ntohl(response->encrypted.securityIndex) != conn->security_ix)  in rxkad_verify_response()
1256 	csum = response->encrypted.checksum;  in rxkad_verify_response()
1257 	response->encrypted.checksum = 0;  in rxkad_verify_response()
1259 	eproto = tracepoint_string("rxkad_rsp_csum");  in rxkad_verify_response()
1260 	if (response->encrypted.checksum != csum)  in rxkad_verify_response()
1263 	spin_lock(&conn->bundle->channel_lock);  in rxkad_verify_response()
1266 		u32 call_id = ntohl(response->encrypted.call_id[i]);  in rxkad_verify_response()
1268 		eproto = tracepoint_string("rxkad_rsp_callid");  in rxkad_verify_response()
1272 		eproto = tracepoint_string("rxkad_rsp_callctr");  in rxkad_verify_response()
1273 		if (call_id < conn->channels[i].call_counter)  in rxkad_verify_response()
1276 		eproto = tracepoint_string("rxkad_rsp_callst");  in rxkad_verify_response()
1277 		if (call_id > conn->channels[i].call_counter) {  in rxkad_verify_response()
1279 				conn->channels[i].call,  in rxkad_verify_response()
1280 				lockdep_is_held(&conn->bundle->channel_lock));  in rxkad_verify_response()
1281 			if (call && call->state < RXRPC_CALL_COMPLETE)  in rxkad_verify_response()
1283 			conn->channels[i].call_counter = call_id;  in rxkad_verify_response()
1286 	spin_unlock(&conn->bundle->channel_lock);  in rxkad_verify_response()
1288 	eproto = tracepoint_string("rxkad_rsp_seq");  in rxkad_verify_response()
1290 	if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1)  in rxkad_verify_response()
1293 	eproto = tracepoint_string("rxkad_rsp_level");  in rxkad_verify_response()
1295 	level = ntohl(response->encrypted.level);  in rxkad_verify_response()
1298 	conn->params.security_level = level;  in rxkad_verify_response()
1300 	/* create a key to hold the security data and expiration time - after  in rxkad_verify_response()
1313 	spin_unlock(&conn->bundle->channel_lock);  in rxkad_verify_response()
1318 	trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);  in rxkad_verify_response()
1321 	return -EPROTO;  in rxkad_verify_response()
1343 	if (conn->rxkad.cipher)  in rxkad_clear()
1344 		crypto_free_sync_skcipher(conn->rxkad.cipher);  in rxkad_clear()
1361 	req = skcipher_request_alloc(&tfm->base, GFP_KERNEL);  in rxkad_init()
1371 	return -ENOMEM;  in rxkad_init()
1384  * RxRPC Kerberos-based security