rxgk_app.c 7.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297
  1. // SPDX-License-Identifier: GPL-2.0-or-later
  2. /* Application-specific bits for GSSAPI-based RxRPC security
  3. *
  4. * Copyright (C) 2025 Red Hat, Inc. All Rights Reserved.
  5. * Written by David Howells (dhowells@redhat.com)
  6. */
  7. #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  8. #include <linux/net.h>
  9. #include <linux/skbuff.h>
  10. #include <linux/slab.h>
  11. #include <linux/key-type.h>
  12. #include "ar-internal.h"
  13. #include "rxgk_common.h"
  14. /*
  15. * Decode a default-style YFS ticket in a response and turn it into an
  16. * rxrpc-type key.
  17. *
  18. * struct rxgk_key {
  19. * afs_uint32 enctype;
  20. * opaque key<>;
  21. * };
  22. *
  23. * struct RXGK_AuthName {
  24. * afs_int32 kind;
  25. * opaque data<AUTHDATAMAX>;
  26. * opaque display<AUTHPRINTABLEMAX>;
  27. * };
  28. *
  29. * struct RXGK_Token {
  30. * rxgk_key K0;
  31. * RXGK_Level level;
  32. * rxgkTime starttime;
  33. * afs_int32 lifetime;
  34. * afs_int32 bytelife;
  35. * rxgkTime expirationtime;
  36. * struct RXGK_AuthName identities<>;
  37. * };
  38. */
  39. int rxgk_yfs_decode_ticket(struct rxrpc_connection *conn, struct sk_buff *skb,
  40. unsigned int ticket_offset, unsigned int ticket_len,
  41. struct key **_key)
  42. {
  43. struct rxrpc_key_token *token;
  44. const struct cred *cred = current_cred(); // TODO - use socket creds
  45. struct key *key;
  46. size_t pre_ticket_len, payload_len;
  47. unsigned int klen, enctype;
  48. void *payload, *ticket;
  49. __be32 *t, *p, *q, tmp[2];
  50. int ret;
  51. _enter("");
  52. if (ticket_len < 10 * sizeof(__be32))
  53. return rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO,
  54. rxgk_abort_resp_short_yfs_tkt);
  55. /* Get the session key length */
  56. ret = skb_copy_bits(skb, ticket_offset, tmp, sizeof(tmp));
  57. if (ret < 0)
  58. return rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO,
  59. rxgk_abort_resp_short_yfs_klen);
  60. enctype = ntohl(tmp[0]);
  61. klen = ntohl(tmp[1]);
  62. if (klen > ticket_len - 10 * sizeof(__be32))
  63. return rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO,
  64. rxgk_abort_resp_short_yfs_key);
  65. pre_ticket_len = ((5 + 14) * sizeof(__be32) +
  66. xdr_round_up(klen) +
  67. sizeof(__be32));
  68. payload_len = pre_ticket_len + xdr_round_up(ticket_len);
  69. payload = kzalloc(payload_len, GFP_NOFS);
  70. if (!payload)
  71. return -ENOMEM;
  72. /* We need to fill out the XDR form for a key payload that we can pass
  73. * to add_key(). Start by copying in the ticket so that we can parse
  74. * it.
  75. */
  76. ticket = payload + pre_ticket_len;
  77. ret = skb_copy_bits(skb, ticket_offset, ticket, ticket_len);
  78. if (ret < 0) {
  79. ret = rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO,
  80. rxgk_abort_resp_short_yfs_tkt);
  81. goto error;
  82. }
  83. /* Fill out the form header. */
  84. p = payload;
  85. p[0] = htonl(0); /* Flags */
  86. p[1] = htonl(1); /* len(cellname) */
  87. p[2] = htonl(0x20000000); /* Cellname " " */
  88. p[3] = htonl(1); /* #tokens */
  89. p[4] = htonl(15 * sizeof(__be32) + xdr_round_up(klen) +
  90. xdr_round_up(ticket_len)); /* Token len */
  91. /* Now fill in the body. Most of this we can just scrape directly from
  92. * the ticket.
  93. */
  94. t = ticket + sizeof(__be32) * 2 + xdr_round_up(klen);
  95. q = payload + 5 * sizeof(__be32);
  96. q[0] = htonl(RXRPC_SECURITY_YFS_RXGK);
  97. q[1] = t[1]; /* begintime - msw */
  98. q[2] = t[2]; /* - lsw */
  99. q[3] = t[5]; /* endtime - msw */
  100. q[4] = t[6]; /* - lsw */
  101. q[5] = 0; /* level - msw */
  102. q[6] = t[0]; /* - lsw */
  103. q[7] = 0; /* lifetime - msw */
  104. q[8] = t[3]; /* - lsw */
  105. q[9] = 0; /* bytelife - msw */
  106. q[10] = t[4]; /* - lsw */
  107. q[11] = 0; /* enctype - msw */
  108. q[12] = htonl(enctype); /* - lsw */
  109. q[13] = htonl(klen); /* Key length */
  110. q += 14;
  111. memcpy(q, ticket + sizeof(__be32) * 2, klen);
  112. q += xdr_round_up(klen) / 4;
  113. q[0] = htonl(ticket_len);
  114. q++;
  115. if (WARN_ON((unsigned long)q != (unsigned long)ticket)) {
  116. ret = -EIO;
  117. goto error;
  118. }
  119. /* Ticket read in with skb_copy_bits above */
  120. q += xdr_round_up(ticket_len) / 4;
  121. if (WARN_ON((unsigned long)q - (unsigned long)payload != payload_len)) {
  122. ret = -EIO;
  123. goto error;
  124. }
  125. /* Now turn that into a key. */
  126. key = key_alloc(&key_type_rxrpc, "x",
  127. GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred, // TODO: Use socket owner
  128. KEY_USR_VIEW,
  129. KEY_ALLOC_NOT_IN_QUOTA, NULL);
  130. if (IS_ERR(key)) {
  131. _leave(" = -ENOMEM [alloc %ld]", PTR_ERR(key));
  132. ret = PTR_ERR(key);
  133. goto error;
  134. }
  135. _debug("key %d", key_serial(key));
  136. ret = key_instantiate_and_link(key, payload, payload_len, NULL, NULL);
  137. if (ret < 0)
  138. goto error_key;
  139. token = key->payload.data[0];
  140. token->no_leak_key = true;
  141. *_key = key;
  142. key = NULL;
  143. ret = 0;
  144. goto error;
  145. error_key:
  146. key_put(key);
  147. error:
  148. kfree_sensitive(payload);
  149. _leave(" = %d", ret);
  150. return ret;
  151. }
  152. /*
  153. * Extract the token and set up a session key from the details.
  154. *
  155. * struct RXGK_TokenContainer {
  156. * afs_int32 kvno;
  157. * afs_int32 enctype;
  158. * opaque encrypted_token<>;
  159. * };
  160. *
  161. * [tools.ietf.org/html/draft-wilkinson-afs3-rxgk-afs-08 sec 6.1]
  162. */
  163. int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
  164. unsigned int token_offset, unsigned int token_len,
  165. struct key **_key)
  166. {
  167. const struct krb5_enctype *krb5;
  168. const struct krb5_buffer *server_secret;
  169. struct crypto_aead *token_enc = NULL;
  170. struct key *server_key;
  171. unsigned int ticket_offset, ticket_len;
  172. u32 kvno, enctype;
  173. int ret, ec = 0;
  174. struct {
  175. __be32 kvno;
  176. __be32 enctype;
  177. __be32 token_len;
  178. } container;
  179. if (token_len < sizeof(container))
  180. goto short_packet;
  181. /* Decode the RXGK_TokenContainer object. This tells us which server
  182. * key we should be using. We can then fetch the key, get the secret
  183. * and set up the crypto to extract the token.
  184. */
  185. if (skb_copy_bits(skb, token_offset, &container, sizeof(container)) < 0)
  186. goto short_packet;
  187. kvno = ntohl(container.kvno);
  188. enctype = ntohl(container.enctype);
  189. ticket_len = ntohl(container.token_len);
  190. ticket_offset = token_offset + sizeof(container);
  191. if (xdr_round_up(ticket_len) > token_len - sizeof(container))
  192. goto short_packet;
  193. _debug("KVNO %u", kvno);
  194. _debug("ENC %u", enctype);
  195. _debug("TLEN %u", ticket_len);
  196. server_key = rxrpc_look_up_server_security(conn, skb, kvno, enctype);
  197. if (IS_ERR(server_key))
  198. goto cant_get_server_key;
  199. down_read(&server_key->sem);
  200. server_secret = (const void *)&server_key->payload.data[2];
  201. ret = rxgk_set_up_token_cipher(server_secret, &token_enc, enctype, &krb5, GFP_NOFS);
  202. up_read(&server_key->sem);
  203. key_put(server_key);
  204. if (ret < 0)
  205. goto cant_get_token;
  206. /* We can now decrypt and parse the token/ticket. This allows us to
  207. * gain access to K0, from which we can derive the transport key and
  208. * thence decode the authenticator.
  209. */
  210. ret = rxgk_decrypt_skb(krb5, token_enc, skb,
  211. &ticket_offset, &ticket_len, &ec);
  212. crypto_free_aead(token_enc);
  213. token_enc = NULL;
  214. if (ret < 0) {
  215. if (ret != -ENOMEM)
  216. return rxrpc_abort_conn(conn, skb, ec, ret,
  217. rxgk_abort_resp_tok_dec);
  218. }
  219. ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,
  220. ticket_len, _key);
  221. if (ret < 0)
  222. goto cant_get_token;
  223. _leave(" = 0");
  224. return ret;
  225. cant_get_server_key:
  226. ret = PTR_ERR(server_key);
  227. switch (ret) {
  228. case -ENOMEM:
  229. goto temporary_error;
  230. case -ENOKEY:
  231. case -EKEYREJECTED:
  232. case -EKEYEXPIRED:
  233. case -EKEYREVOKED:
  234. case -EPERM:
  235. return rxrpc_abort_conn(conn, skb, RXGK_BADKEYNO, -EKEYREJECTED,
  236. rxgk_abort_resp_tok_nokey);
  237. default:
  238. return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EKEYREJECTED,
  239. rxgk_abort_resp_tok_keyerr);
  240. }
  241. cant_get_token:
  242. switch (ret) {
  243. case -ENOMEM:
  244. goto temporary_error;
  245. case -EINVAL:
  246. return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EKEYREJECTED,
  247. rxgk_abort_resp_tok_internal_error);
  248. case -ENOPKG:
  249. return rxrpc_abort_conn(conn, skb, KRB5_PROG_KEYTYPE_NOSUPP,
  250. -EKEYREJECTED, rxgk_abort_resp_tok_nopkg);
  251. }
  252. temporary_error:
  253. /* Ignore the response packet if we got a temporary error such as
  254. * ENOMEM. We just want to send the challenge again. Note that we
  255. * also come out this way if the ticket decryption fails.
  256. */
  257. return ret;
  258. short_packet:
  259. return rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO,
  260. rxgk_abort_resp_tok_short);
  261. }