1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Application-specific bits for GSSAPI-based RxRPC security
3 *
4 * Copyright (C) 2025 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
6 */
7
8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9
10 #include <linux/net.h>
11 #include <linux/skbuff.h>
12 #include <linux/slab.h>
13 #include <linux/key-type.h>
14 #include "ar-internal.h"
15 #include "rxgk_common.h"
16
17 /*
18 * Decode a default-style YFS ticket in a response and turn it into an
19 * rxrpc-type key.
20 *
21 * struct rxgk_key {
22 * afs_uint32 enctype;
23 * opaque key<>;
24 * };
25 *
26 * struct RXGK_AuthName {
27 * afs_int32 kind;
28 * opaque data<AUTHDATAMAX>;
29 * opaque display<AUTHPRINTABLEMAX>;
30 * };
31 *
32 * struct RXGK_Token {
33 * rxgk_key K0;
34 * RXGK_Level level;
35 * rxgkTime starttime;
36 * afs_int32 lifetime;
37 * afs_int32 bytelife;
38 * rxgkTime expirationtime;
39 * struct RXGK_AuthName identities<>;
40 * };
41 */
rxgk_yfs_decode_ticket(struct rxrpc_connection * conn,struct sk_buff * skb,unsigned int ticket_offset,unsigned int ticket_len,struct key ** _key)42 int rxgk_yfs_decode_ticket(struct rxrpc_connection *conn, struct sk_buff *skb,
43 unsigned int ticket_offset, unsigned int ticket_len,
44 struct key **_key)
45 {
46 struct rxrpc_key_token *token;
47 const struct cred *cred = current_cred(); // TODO - use socket creds
48 struct key *key;
49 size_t pre_ticket_len, payload_len;
50 unsigned int klen, enctype;
51 void *payload, *ticket;
52 __be32 *t, *p, *q, tmp[2];
53 int ret;
54
55 _enter("");
56
57 /* Get the session key length */
58 ret = skb_copy_bits(skb, ticket_offset, tmp, sizeof(tmp));
59 if (ret < 0)
60 return rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO,
61 rxgk_abort_resp_short_yfs_klen);
62 enctype = ntohl(tmp[0]);
63 klen = ntohl(tmp[1]);
64
65 if (klen > ticket_len - 10 * sizeof(__be32))
66 return rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO,
67 rxgk_abort_resp_short_yfs_key);
68
69 pre_ticket_len = ((5 + 14) * sizeof(__be32) +
70 xdr_round_up(klen) +
71 sizeof(__be32));
72 payload_len = pre_ticket_len + xdr_round_up(ticket_len);
73
74 payload = kzalloc(payload_len, GFP_NOFS);
75 if (!payload)
76 return -ENOMEM;
77
78 /* We need to fill out the XDR form for a key payload that we can pass
79 * to add_key(). Start by copying in the ticket so that we can parse
80 * it.
81 */
82 ticket = payload + pre_ticket_len;
83 ret = skb_copy_bits(skb, ticket_offset, ticket, ticket_len);
84 if (ret < 0) {
85 ret = rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO,
86 rxgk_abort_resp_short_yfs_tkt);
87 goto error;
88 }
89
90 /* Fill out the form header. */
91 p = payload;
92 p[0] = htonl(0); /* Flags */
93 p[1] = htonl(1); /* len(cellname) */
94 p[2] = htonl(0x20000000); /* Cellname " " */
95 p[3] = htonl(1); /* #tokens */
96 p[4] = htonl(15 * sizeof(__be32) + xdr_round_up(klen) +
97 xdr_round_up(ticket_len)); /* Token len */
98
99 /* Now fill in the body. Most of this we can just scrape directly from
100 * the ticket.
101 */
102 t = ticket + sizeof(__be32) * 2 + xdr_round_up(klen);
103 q = payload + 5 * sizeof(__be32);
104 q[0] = htonl(RXRPC_SECURITY_YFS_RXGK);
105 q[1] = t[1]; /* begintime - msw */
106 q[2] = t[2]; /* - lsw */
107 q[3] = t[5]; /* endtime - msw */
108 q[4] = t[6]; /* - lsw */
109 q[5] = 0; /* level - msw */
110 q[6] = t[0]; /* - lsw */
111 q[7] = 0; /* lifetime - msw */
112 q[8] = t[3]; /* - lsw */
113 q[9] = 0; /* bytelife - msw */
114 q[10] = t[4]; /* - lsw */
115 q[11] = 0; /* enctype - msw */
116 q[12] = htonl(enctype); /* - lsw */
117 q[13] = htonl(klen); /* Key length */
118
119 q += 14;
120
121 memcpy(q, ticket + sizeof(__be32) * 2, klen);
122 q += xdr_round_up(klen) / 4;
123 q[0] = htonl(ticket_len);
124 q++;
125 if (WARN_ON((unsigned long)q != (unsigned long)ticket)) {
126 ret = -EIO;
127 goto error;
128 }
129
130 /* Ticket read in with skb_copy_bits above */
131 q += xdr_round_up(ticket_len) / 4;
132 if (WARN_ON((unsigned long)q - (unsigned long)payload != payload_len)) {
133 ret = -EIO;
134 goto error;
135 }
136
137 /* Now turn that into a key. */
138 key = key_alloc(&key_type_rxrpc, "x",
139 GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred, // TODO: Use socket owner
140 KEY_USR_VIEW,
141 KEY_ALLOC_NOT_IN_QUOTA, NULL);
142 if (IS_ERR(key)) {
143 _leave(" = -ENOMEM [alloc %ld]", PTR_ERR(key));
144 ret = PTR_ERR(key);
145 goto error;
146 }
147
148 _debug("key %d", key_serial(key));
149
150 ret = key_instantiate_and_link(key, payload, payload_len, NULL, NULL);
151 if (ret < 0)
152 goto error_key;
153
154 token = key->payload.data[0];
155 token->no_leak_key = true;
156 *_key = key;
157 key = NULL;
158 ret = 0;
159 goto error;
160
161 error_key:
162 key_put(key);
163 error:
164 kfree_sensitive(payload);
165 _leave(" = %d", ret);
166 return ret;
167 }
168
169 /*
170 * Extract the token and set up a session key from the details.
171 *
172 * struct RXGK_TokenContainer {
173 * afs_int32 kvno;
174 * afs_int32 enctype;
175 * opaque encrypted_token<>;
176 * };
177 *
178 * [tools.ietf.org/html/draft-wilkinson-afs3-rxgk-afs-08 sec 6.1]
179 */
rxgk_extract_token(struct rxrpc_connection * conn,struct sk_buff * skb,unsigned int token_offset,unsigned int token_len,struct key ** _key)180 int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
181 unsigned int token_offset, unsigned int token_len,
182 struct key **_key)
183 {
184 const struct krb5_enctype *krb5;
185 const struct krb5_buffer *server_secret;
186 struct crypto_aead *token_enc = NULL;
187 struct key *server_key;
188 unsigned int ticket_offset, ticket_len;
189 u32 kvno, enctype;
190 int ret, ec;
191
192 struct {
193 __be32 kvno;
194 __be32 enctype;
195 __be32 token_len;
196 } container;
197
198 /* Decode the RXGK_TokenContainer object. This tells us which server
199 * key we should be using. We can then fetch the key, get the secret
200 * and set up the crypto to extract the token.
201 */
202 if (skb_copy_bits(skb, token_offset, &container, sizeof(container)) < 0)
203 return rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO,
204 rxgk_abort_resp_tok_short);
205
206 kvno = ntohl(container.kvno);
207 enctype = ntohl(container.enctype);
208 ticket_len = ntohl(container.token_len);
209 ticket_offset = token_offset + sizeof(container);
210
211 if (xdr_round_up(ticket_len) > token_len - 3 * 4)
212 return rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO,
213 rxgk_abort_resp_tok_short);
214
215 _debug("KVNO %u", kvno);
216 _debug("ENC %u", enctype);
217 _debug("TLEN %u", ticket_len);
218
219 server_key = rxrpc_look_up_server_security(conn, skb, kvno, enctype);
220 if (IS_ERR(server_key))
221 goto cant_get_server_key;
222
223 down_read(&server_key->sem);
224 server_secret = (const void *)&server_key->payload.data[2];
225 ret = rxgk_set_up_token_cipher(server_secret, &token_enc, enctype, &krb5, GFP_NOFS);
226 up_read(&server_key->sem);
227 key_put(server_key);
228 if (ret < 0)
229 goto cant_get_token;
230
231 /* We can now decrypt and parse the token/ticket. This allows us to
232 * gain access to K0, from which we can derive the transport key and
233 * thence decode the authenticator.
234 */
235 ret = rxgk_decrypt_skb(krb5, token_enc, skb,
236 &ticket_offset, &ticket_len, &ec);
237 crypto_free_aead(token_enc);
238 token_enc = NULL;
239 if (ret < 0)
240 return rxrpc_abort_conn(conn, skb, ec, ret,
241 rxgk_abort_resp_tok_dec);
242
243 ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,
244 ticket_len, _key);
245 if (ret < 0)
246 goto cant_get_token;
247
248 _leave(" = 0");
249 return ret;
250
251 cant_get_server_key:
252 ret = PTR_ERR(server_key);
253 switch (ret) {
254 case -ENOMEM:
255 goto temporary_error;
256 case -ENOKEY:
257 case -EKEYREJECTED:
258 case -EKEYEXPIRED:
259 case -EKEYREVOKED:
260 case -EPERM:
261 return rxrpc_abort_conn(conn, skb, RXGK_BADKEYNO, -EKEYREJECTED,
262 rxgk_abort_resp_tok_nokey);
263 default:
264 return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EKEYREJECTED,
265 rxgk_abort_resp_tok_keyerr);
266 }
267
268 cant_get_token:
269 switch (ret) {
270 case -ENOMEM:
271 goto temporary_error;
272 case -EINVAL:
273 return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EKEYREJECTED,
274 rxgk_abort_resp_tok_internal_error);
275 case -ENOPKG:
276 return rxrpc_abort_conn(conn, skb, KRB5_PROG_KEYTYPE_NOSUPP,
277 -EKEYREJECTED, rxgk_abort_resp_tok_nopkg);
278 }
279
280 temporary_error:
281 /* Ignore the response packet if we got a temporary error such as
282 * ENOMEM. We just want to send the challenge again. Note that we
283 * also come out this way if the ticket decryption fails.
284 */
285 return ret;
286 }
287