1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Application-specific bits for GSSAPI-based RxRPC security 3 * 4 * Copyright (C) 2025 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 9 10 #include <linux/net.h> 11 #include <linux/skbuff.h> 12 #include <linux/slab.h> 13 #include <linux/key-type.h> 14 #include "ar-internal.h" 15 #include "rxgk_common.h" 16 17 /* 18 * Decode a default-style YFS ticket in a response and turn it into an 19 * rxrpc-type key. 20 * 21 * struct rxgk_key { 22 * afs_uint32 enctype; 23 * opaque key<>; 24 * }; 25 * 26 * struct RXGK_AuthName { 27 * afs_int32 kind; 28 * opaque data<AUTHDATAMAX>; 29 * opaque display<AUTHPRINTABLEMAX>; 30 * }; 31 * 32 * struct RXGK_Token { 33 * rxgk_key K0; 34 * RXGK_Level level; 35 * rxgkTime starttime; 36 * afs_int32 lifetime; 37 * afs_int32 bytelife; 38 * rxgkTime expirationtime; 39 * struct RXGK_AuthName identities<>; 40 * }; 41 */ 42 int rxgk_yfs_decode_ticket(struct rxrpc_connection *conn, struct sk_buff *skb, 43 unsigned int ticket_offset, unsigned int ticket_len, 44 struct key **_key) 45 { 46 struct rxrpc_key_token *token; 47 const struct cred *cred = current_cred(); // TODO - use socket creds 48 struct key *key; 49 size_t pre_ticket_len, payload_len; 50 unsigned int klen, enctype; 51 void *payload, *ticket; 52 __be32 *t, *p, *q, tmp[2]; 53 int ret; 54 55 _enter(""); 56 57 /* Get the session key length */ 58 ret = skb_copy_bits(skb, ticket_offset, tmp, sizeof(tmp)); 59 if (ret < 0) 60 return rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO, 61 rxgk_abort_resp_short_yfs_klen); 62 enctype = ntohl(tmp[0]); 63 klen = ntohl(tmp[1]); 64 65 if (klen > ticket_len - 10 * sizeof(__be32)) 66 return rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO, 67 rxgk_abort_resp_short_yfs_key); 68 69 pre_ticket_len = ((5 + 14) * sizeof(__be32) + 70 xdr_round_up(klen) + 71 sizeof(__be32)); 72 payload_len = pre_ticket_len + xdr_round_up(ticket_len); 73 74 payload = kzalloc(payload_len, GFP_NOFS); 75 if (!payload) 76 return -ENOMEM; 77 78 /* We need to fill out the XDR form for a key payload that we can pass 79 * to add_key(). Start by copying in the ticket so that we can parse 80 * it. 81 */ 82 ticket = payload + pre_ticket_len; 83 ret = skb_copy_bits(skb, ticket_offset, ticket, ticket_len); 84 if (ret < 0) { 85 ret = rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO, 86 rxgk_abort_resp_short_yfs_tkt); 87 goto error; 88 } 89 90 /* Fill out the form header. */ 91 p = payload; 92 p[0] = htonl(0); /* Flags */ 93 p[1] = htonl(1); /* len(cellname) */ 94 p[2] = htonl(0x20000000); /* Cellname " " */ 95 p[3] = htonl(1); /* #tokens */ 96 p[4] = htonl(15 * sizeof(__be32) + xdr_round_up(klen) + 97 xdr_round_up(ticket_len)); /* Token len */ 98 99 /* Now fill in the body. Most of this we can just scrape directly from 100 * the ticket. 101 */ 102 t = ticket + sizeof(__be32) * 2 + xdr_round_up(klen); 103 q = payload + 5 * sizeof(__be32); 104 q[0] = htonl(RXRPC_SECURITY_YFS_RXGK); 105 q[1] = t[1]; /* begintime - msw */ 106 q[2] = t[2]; /* - lsw */ 107 q[3] = t[5]; /* endtime - msw */ 108 q[4] = t[6]; /* - lsw */ 109 q[5] = 0; /* level - msw */ 110 q[6] = t[0]; /* - lsw */ 111 q[7] = 0; /* lifetime - msw */ 112 q[8] = t[3]; /* - lsw */ 113 q[9] = 0; /* bytelife - msw */ 114 q[10] = t[4]; /* - lsw */ 115 q[11] = 0; /* enctype - msw */ 116 q[12] = htonl(enctype); /* - lsw */ 117 q[13] = htonl(klen); /* Key length */ 118 119 q += 14; 120 121 memcpy(q, ticket + sizeof(__be32) * 2, klen); 122 q += xdr_round_up(klen) / 4; 123 q[0] = htonl(ticket_len); 124 q++; 125 if (WARN_ON((unsigned long)q != (unsigned long)ticket)) { 126 ret = -EIO; 127 goto error; 128 } 129 130 /* Ticket read in with skb_copy_bits above */ 131 q += xdr_round_up(ticket_len) / 4; 132 if (WARN_ON((unsigned long)q - (unsigned long)payload != payload_len)) { 133 ret = -EIO; 134 goto error; 135 } 136 137 /* Now turn that into a key. */ 138 key = key_alloc(&key_type_rxrpc, "x", 139 GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred, // TODO: Use socket owner 140 KEY_USR_VIEW, 141 KEY_ALLOC_NOT_IN_QUOTA, NULL); 142 if (IS_ERR(key)) { 143 _leave(" = -ENOMEM [alloc %ld]", PTR_ERR(key)); 144 ret = PTR_ERR(key); 145 goto error; 146 } 147 148 _debug("key %d", key_serial(key)); 149 150 ret = key_instantiate_and_link(key, payload, payload_len, NULL, NULL); 151 if (ret < 0) 152 goto error_key; 153 154 token = key->payload.data[0]; 155 token->no_leak_key = true; 156 *_key = key; 157 key = NULL; 158 ret = 0; 159 goto error; 160 161 error_key: 162 key_put(key); 163 error: 164 kfree_sensitive(payload); 165 _leave(" = %d", ret); 166 return ret; 167 } 168 169 /* 170 * Extract the token and set up a session key from the details. 171 * 172 * struct RXGK_TokenContainer { 173 * afs_int32 kvno; 174 * afs_int32 enctype; 175 * opaque encrypted_token<>; 176 * }; 177 * 178 * [tools.ietf.org/html/draft-wilkinson-afs3-rxgk-afs-08 sec 6.1] 179 */ 180 int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb, 181 unsigned int token_offset, unsigned int token_len, 182 struct key **_key) 183 { 184 const struct krb5_enctype *krb5; 185 const struct krb5_buffer *server_secret; 186 struct crypto_aead *token_enc = NULL; 187 struct key *server_key; 188 unsigned int ticket_offset, ticket_len; 189 u32 kvno, enctype; 190 int ret, ec; 191 192 struct { 193 __be32 kvno; 194 __be32 enctype; 195 __be32 token_len; 196 } container; 197 198 /* Decode the RXGK_TokenContainer object. This tells us which server 199 * key we should be using. We can then fetch the key, get the secret 200 * and set up the crypto to extract the token. 201 */ 202 if (skb_copy_bits(skb, token_offset, &container, sizeof(container)) < 0) 203 return rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO, 204 rxgk_abort_resp_tok_short); 205 206 kvno = ntohl(container.kvno); 207 enctype = ntohl(container.enctype); 208 ticket_len = ntohl(container.token_len); 209 ticket_offset = token_offset + sizeof(container); 210 211 if (xdr_round_up(ticket_len) > token_len - 3 * 4) 212 return rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO, 213 rxgk_abort_resp_tok_short); 214 215 _debug("KVNO %u", kvno); 216 _debug("ENC %u", enctype); 217 _debug("TLEN %u", ticket_len); 218 219 server_key = rxrpc_look_up_server_security(conn, skb, kvno, enctype); 220 if (IS_ERR(server_key)) 221 goto cant_get_server_key; 222 223 down_read(&server_key->sem); 224 server_secret = (const void *)&server_key->payload.data[2]; 225 ret = rxgk_set_up_token_cipher(server_secret, &token_enc, enctype, &krb5, GFP_NOFS); 226 up_read(&server_key->sem); 227 key_put(server_key); 228 if (ret < 0) 229 goto cant_get_token; 230 231 /* We can now decrypt and parse the token/ticket. This allows us to 232 * gain access to K0, from which we can derive the transport key and 233 * thence decode the authenticator. 234 */ 235 ret = rxgk_decrypt_skb(krb5, token_enc, skb, 236 &ticket_offset, &ticket_len, &ec); 237 crypto_free_aead(token_enc); 238 token_enc = NULL; 239 if (ret < 0) 240 return rxrpc_abort_conn(conn, skb, ec, ret, 241 rxgk_abort_resp_tok_dec); 242 243 ret = conn->security->default_decode_ticket(conn, skb, ticket_offset, 244 ticket_len, _key); 245 if (ret < 0) 246 goto cant_get_token; 247 248 _leave(" = 0"); 249 return ret; 250 251 cant_get_server_key: 252 ret = PTR_ERR(server_key); 253 switch (ret) { 254 case -ENOMEM: 255 goto temporary_error; 256 case -ENOKEY: 257 case -EKEYREJECTED: 258 case -EKEYEXPIRED: 259 case -EKEYREVOKED: 260 case -EPERM: 261 return rxrpc_abort_conn(conn, skb, RXGK_BADKEYNO, -EKEYREJECTED, 262 rxgk_abort_resp_tok_nokey); 263 default: 264 return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EKEYREJECTED, 265 rxgk_abort_resp_tok_keyerr); 266 } 267 268 cant_get_token: 269 switch (ret) { 270 case -ENOMEM: 271 goto temporary_error; 272 case -EINVAL: 273 return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EKEYREJECTED, 274 rxgk_abort_resp_tok_internal_error); 275 case -ENOPKG: 276 return rxrpc_abort_conn(conn, skb, KRB5_PROG_KEYTYPE_NOSUPP, 277 -EKEYREJECTED, rxgk_abort_resp_tok_nopkg); 278 } 279 280 temporary_error: 281 /* Ignore the response packet if we got a temporary error such as 282 * ENOMEM. We just want to send the challenge again. Note that we 283 * also come out this way if the ticket decryption fails. 284 */ 285 return ret; 286 } 287