]>
Commit | Line | Data |
---|---|---|
0adda907 | 1 | /* |
0b81d077 | 2 | * key management facility for FS encryption support. |
0adda907 JK |
3 | * |
4 | * Copyright (C) 2015, Google, Inc. | |
5 | * | |
0b81d077 | 6 | * This contains encryption key functions. |
0adda907 JK |
7 | * |
8 | * Written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar, 2015. | |
9 | */ | |
0b81d077 | 10 | |
0adda907 | 11 | #include <keys/user-type.h> |
0adda907 | 12 | #include <linux/scatterlist.h> |
b7e7cf7a DW |
13 | #include <linux/ratelimit.h> |
14 | #include <crypto/aes.h> | |
15 | #include <crypto/sha.h> | |
3325bea5 | 16 | #include "fscrypt_private.h" |
0adda907 | 17 | |
b7e7cf7a DW |
18 | static struct crypto_shash *essiv_hash_tfm; |
19 | ||
0adda907 JK |
20 | static void derive_crypt_complete(struct crypto_async_request *req, int rc) |
21 | { | |
0b81d077 | 22 | struct fscrypt_completion_result *ecr = req->data; |
0adda907 JK |
23 | |
24 | if (rc == -EINPROGRESS) | |
25 | return; | |
26 | ||
27 | ecr->res = rc; | |
28 | complete(&ecr->completion); | |
29 | } | |
30 | ||
31 | /** | |
0b81d077 | 32 | * derive_key_aes() - Derive a key using AES-128-ECB |
0fac2d50 | 33 | * @deriving_key: Encryption key used for derivation. |
0adda907 | 34 | * @source_key: Source key to which to apply derivation. |
b7e7cf7a | 35 | * @derived_raw_key: Derived raw key. |
0adda907 JK |
36 | * |
37 | * Return: Zero on success; non-zero otherwise. | |
38 | */ | |
0b81d077 | 39 | static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE], |
b7e7cf7a DW |
40 | const struct fscrypt_key *source_key, |
41 | u8 derived_raw_key[FS_MAX_KEY_SIZE]) | |
0adda907 JK |
42 | { |
43 | int res = 0; | |
d407574e | 44 | struct skcipher_request *req = NULL; |
0b81d077 | 45 | DECLARE_FS_COMPLETION_RESULT(ecr); |
0adda907 | 46 | struct scatterlist src_sg, dst_sg; |
d407574e | 47 | struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0); |
0adda907 JK |
48 | |
49 | if (IS_ERR(tfm)) { | |
50 | res = PTR_ERR(tfm); | |
51 | tfm = NULL; | |
52 | goto out; | |
53 | } | |
d407574e LT |
54 | crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_WEAK_KEY); |
55 | req = skcipher_request_alloc(tfm, GFP_NOFS); | |
0adda907 JK |
56 | if (!req) { |
57 | res = -ENOMEM; | |
58 | goto out; | |
59 | } | |
d407574e | 60 | skcipher_request_set_callback(req, |
0adda907 JK |
61 | CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, |
62 | derive_crypt_complete, &ecr); | |
d407574e | 63 | res = crypto_skcipher_setkey(tfm, deriving_key, |
0b81d077 | 64 | FS_AES_128_ECB_KEY_SIZE); |
0adda907 JK |
65 | if (res < 0) |
66 | goto out; | |
67 | ||
b7e7cf7a DW |
68 | sg_init_one(&src_sg, source_key->raw, source_key->size); |
69 | sg_init_one(&dst_sg, derived_raw_key, source_key->size); | |
70 | skcipher_request_set_crypt(req, &src_sg, &dst_sg, source_key->size, | |
71 | NULL); | |
d407574e | 72 | res = crypto_skcipher_encrypt(req); |
0adda907 | 73 | if (res == -EINPROGRESS || res == -EBUSY) { |
0adda907 JK |
74 | wait_for_completion(&ecr.completion); |
75 | res = ecr.res; | |
76 | } | |
77 | out: | |
d407574e LT |
78 | skcipher_request_free(req); |
79 | crypto_free_skcipher(tfm); | |
0adda907 JK |
80 | return res; |
81 | } | |
82 | ||
b5a7aef1 JK |
83 | static int validate_user_key(struct fscrypt_info *crypt_info, |
84 | struct fscrypt_context *ctx, u8 *raw_key, | |
b7e7cf7a | 85 | const char *prefix, int min_keysize) |
b5a7aef1 | 86 | { |
a5d431ef | 87 | char *description; |
b5a7aef1 JK |
88 | struct key *keyring_key; |
89 | struct fscrypt_key *master_key; | |
90 | const struct user_key_payload *ukp; | |
b5a7aef1 JK |
91 | int res; |
92 | ||
a5d431ef EB |
93 | description = kasprintf(GFP_NOFS, "%s%*phN", prefix, |
94 | FS_KEY_DESCRIPTOR_SIZE, | |
95 | ctx->master_key_descriptor); | |
96 | if (!description) | |
b5a7aef1 JK |
97 | return -ENOMEM; |
98 | ||
a5d431ef EB |
99 | keyring_key = request_key(&key_type_logon, description, NULL); |
100 | kfree(description); | |
b5a7aef1 JK |
101 | if (IS_ERR(keyring_key)) |
102 | return PTR_ERR(keyring_key); | |
1b53cf98 | 103 | down_read(&keyring_key->sem); |
b5a7aef1 JK |
104 | |
105 | if (keyring_key->type != &key_type_logon) { | |
106 | printk_once(KERN_WARNING | |
107 | "%s: key type must be logon\n", __func__); | |
108 | res = -ENOKEY; | |
109 | goto out; | |
110 | } | |
0837e49a | 111 | ukp = user_key_payload_locked(keyring_key); |
b5a7aef1 JK |
112 | if (ukp->datalen != sizeof(struct fscrypt_key)) { |
113 | res = -EINVAL; | |
b5a7aef1 JK |
114 | goto out; |
115 | } | |
116 | master_key = (struct fscrypt_key *)ukp->data; | |
117 | BUILD_BUG_ON(FS_AES_128_ECB_KEY_SIZE != FS_KEY_DERIVATION_NONCE_SIZE); | |
118 | ||
b7e7cf7a DW |
119 | if (master_key->size < min_keysize || master_key->size > FS_MAX_KEY_SIZE |
120 | || master_key->size % AES_BLOCK_SIZE != 0) { | |
b5a7aef1 JK |
121 | printk_once(KERN_WARNING |
122 | "%s: key size incorrect: %d\n", | |
123 | __func__, master_key->size); | |
124 | res = -ENOKEY; | |
b5a7aef1 JK |
125 | goto out; |
126 | } | |
b7e7cf7a | 127 | res = derive_key_aes(ctx->nonce, master_key, raw_key); |
b5a7aef1 | 128 | out: |
1b53cf98 | 129 | up_read(&keyring_key->sem); |
b5a7aef1 JK |
130 | key_put(keyring_key); |
131 | return res; | |
132 | } | |
133 | ||
b7e7cf7a DW |
134 | static const struct { |
135 | const char *cipher_str; | |
136 | int keysize; | |
137 | } available_modes[] = { | |
138 | [FS_ENCRYPTION_MODE_AES_256_XTS] = { "xts(aes)", | |
139 | FS_AES_256_XTS_KEY_SIZE }, | |
140 | [FS_ENCRYPTION_MODE_AES_256_CTS] = { "cts(cbc(aes))", | |
141 | FS_AES_256_CTS_KEY_SIZE }, | |
142 | [FS_ENCRYPTION_MODE_AES_128_CBC] = { "cbc(aes)", | |
143 | FS_AES_128_CBC_KEY_SIZE }, | |
144 | [FS_ENCRYPTION_MODE_AES_128_CTS] = { "cts(cbc(aes))", | |
145 | FS_AES_128_CTS_KEY_SIZE }, | |
146 | }; | |
147 | ||
8f39850d EB |
148 | static int determine_cipher_type(struct fscrypt_info *ci, struct inode *inode, |
149 | const char **cipher_str_ret, int *keysize_ret) | |
150 | { | |
b7e7cf7a DW |
151 | u32 mode; |
152 | ||
153 | if (!fscrypt_valid_enc_modes(ci->ci_data_mode, ci->ci_filename_mode)) { | |
154 | pr_warn_ratelimited("fscrypt: inode %lu uses unsupported encryption modes (contents mode %d, filenames mode %d)\n", | |
155 | inode->i_ino, | |
156 | ci->ci_data_mode, ci->ci_filename_mode); | |
157 | return -EINVAL; | |
8f39850d EB |
158 | } |
159 | ||
b7e7cf7a DW |
160 | if (S_ISREG(inode->i_mode)) { |
161 | mode = ci->ci_data_mode; | |
162 | } else if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) { | |
163 | mode = ci->ci_filename_mode; | |
164 | } else { | |
165 | WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n", | |
166 | inode->i_ino, (inode->i_mode & S_IFMT)); | |
167 | return -EINVAL; | |
8f39850d EB |
168 | } |
169 | ||
b7e7cf7a DW |
170 | *cipher_str_ret = available_modes[mode].cipher_str; |
171 | *keysize_ret = available_modes[mode].keysize; | |
172 | return 0; | |
8f39850d EB |
173 | } |
174 | ||
0b81d077 | 175 | static void put_crypt_info(struct fscrypt_info *ci) |
0adda907 | 176 | { |
0adda907 JK |
177 | if (!ci) |
178 | return; | |
179 | ||
d407574e | 180 | crypto_free_skcipher(ci->ci_ctfm); |
b7e7cf7a | 181 | crypto_free_cipher(ci->ci_essiv_tfm); |
0b81d077 | 182 | kmem_cache_free(fscrypt_info_cachep, ci); |
0adda907 JK |
183 | } |
184 | ||
b7e7cf7a DW |
185 | static int derive_essiv_salt(const u8 *key, int keysize, u8 *salt) |
186 | { | |
187 | struct crypto_shash *tfm = READ_ONCE(essiv_hash_tfm); | |
188 | ||
189 | /* init hash transform on demand */ | |
190 | if (unlikely(!tfm)) { | |
191 | struct crypto_shash *prev_tfm; | |
192 | ||
193 | tfm = crypto_alloc_shash("sha256", 0, 0); | |
194 | if (IS_ERR(tfm)) { | |
195 | pr_warn_ratelimited("fscrypt: error allocating SHA-256 transform: %ld\n", | |
196 | PTR_ERR(tfm)); | |
197 | return PTR_ERR(tfm); | |
198 | } | |
199 | prev_tfm = cmpxchg(&essiv_hash_tfm, NULL, tfm); | |
200 | if (prev_tfm) { | |
201 | crypto_free_shash(tfm); | |
202 | tfm = prev_tfm; | |
203 | } | |
204 | } | |
205 | ||
206 | { | |
207 | SHASH_DESC_ON_STACK(desc, tfm); | |
208 | desc->tfm = tfm; | |
209 | desc->flags = 0; | |
210 | ||
211 | return crypto_shash_digest(desc, key, keysize, salt); | |
212 | } | |
213 | } | |
214 | ||
215 | static int init_essiv_generator(struct fscrypt_info *ci, const u8 *raw_key, | |
216 | int keysize) | |
217 | { | |
218 | int err; | |
219 | struct crypto_cipher *essiv_tfm; | |
220 | u8 salt[SHA256_DIGEST_SIZE]; | |
221 | ||
222 | essiv_tfm = crypto_alloc_cipher("aes", 0, 0); | |
223 | if (IS_ERR(essiv_tfm)) | |
224 | return PTR_ERR(essiv_tfm); | |
225 | ||
226 | ci->ci_essiv_tfm = essiv_tfm; | |
227 | ||
228 | err = derive_essiv_salt(raw_key, keysize, salt); | |
229 | if (err) | |
230 | goto out; | |
231 | ||
232 | /* | |
233 | * Using SHA256 to derive the salt/key will result in AES-256 being | |
234 | * used for IV generation. File contents encryption will still use the | |
235 | * configured keysize (AES-128) nevertheless. | |
236 | */ | |
237 | err = crypto_cipher_setkey(essiv_tfm, salt, sizeof(salt)); | |
238 | if (err) | |
239 | goto out; | |
240 | ||
241 | out: | |
242 | memzero_explicit(salt, sizeof(salt)); | |
243 | return err; | |
244 | } | |
245 | ||
246 | void __exit fscrypt_essiv_cleanup(void) | |
247 | { | |
248 | crypto_free_shash(essiv_hash_tfm); | |
249 | } | |
250 | ||
1b53cf98 | 251 | int fscrypt_get_encryption_info(struct inode *inode) |
0adda907 | 252 | { |
0b81d077 | 253 | struct fscrypt_info *crypt_info; |
0b81d077 | 254 | struct fscrypt_context ctx; |
d407574e | 255 | struct crypto_skcipher *ctfm; |
26bf3dc7 | 256 | const char *cipher_str; |
8f39850d | 257 | int keysize; |
a6e08912 | 258 | u8 *raw_key = NULL; |
0adda907 JK |
259 | int res; |
260 | ||
1b53cf98 EB |
261 | if (inode->i_crypt_info) |
262 | return 0; | |
263 | ||
f32d7ac2 | 264 | res = fscrypt_initialize(inode->i_sb->s_cop->flags); |
cfc4d971 JK |
265 | if (res) |
266 | return res; | |
0b81d077 | 267 | |
0b81d077 JK |
268 | res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); |
269 | if (res < 0) { | |
5bbdcbbb TT |
270 | if (!fscrypt_dummy_context_enabled(inode) || |
271 | inode->i_sb->s_cop->is_encrypted(inode)) | |
0b81d077 | 272 | return res; |
5bbdcbbb TT |
273 | /* Fake up a context for an unencrypted directory */ |
274 | memset(&ctx, 0, sizeof(ctx)); | |
8f39850d | 275 | ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1; |
0b81d077 JK |
276 | ctx.contents_encryption_mode = FS_ENCRYPTION_MODE_AES_256_XTS; |
277 | ctx.filenames_encryption_mode = FS_ENCRYPTION_MODE_AES_256_CTS; | |
5bbdcbbb | 278 | memset(ctx.master_key_descriptor, 0x42, FS_KEY_DESCRIPTOR_SIZE); |
0b81d077 | 279 | } else if (res != sizeof(ctx)) { |
0adda907 | 280 | return -EINVAL; |
0b81d077 | 281 | } |
8f39850d EB |
282 | |
283 | if (ctx.format != FS_ENCRYPTION_CONTEXT_FORMAT_V1) | |
284 | return -EINVAL; | |
285 | ||
286 | if (ctx.flags & ~FS_POLICY_FLAGS_VALID) | |
287 | return -EINVAL; | |
0adda907 | 288 | |
0b81d077 | 289 | crypt_info = kmem_cache_alloc(fscrypt_info_cachep, GFP_NOFS); |
0adda907 JK |
290 | if (!crypt_info) |
291 | return -ENOMEM; | |
292 | ||
293 | crypt_info->ci_flags = ctx.flags; | |
294 | crypt_info->ci_data_mode = ctx.contents_encryption_mode; | |
295 | crypt_info->ci_filename_mode = ctx.filenames_encryption_mode; | |
296 | crypt_info->ci_ctfm = NULL; | |
b7e7cf7a | 297 | crypt_info->ci_essiv_tfm = NULL; |
0adda907 JK |
298 | memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor, |
299 | sizeof(crypt_info->ci_master_key)); | |
640778fb | 300 | |
8f39850d EB |
301 | res = determine_cipher_type(crypt_info, inode, &cipher_str, &keysize); |
302 | if (res) | |
26bf3dc7 | 303 | goto out; |
8f39850d | 304 | |
a6e08912 EB |
305 | /* |
306 | * This cannot be a stack buffer because it is passed to the scatterlist | |
307 | * crypto API as part of key derivation. | |
308 | */ | |
309 | res = -ENOMEM; | |
310 | raw_key = kmalloc(FS_MAX_KEY_SIZE, GFP_NOFS); | |
311 | if (!raw_key) | |
312 | goto out; | |
313 | ||
b7e7cf7a DW |
314 | res = validate_user_key(crypt_info, &ctx, raw_key, FS_KEY_DESC_PREFIX, |
315 | keysize); | |
b5a7aef1 | 316 | if (res && inode->i_sb->s_cop->key_prefix) { |
a5d431ef | 317 | int res2 = validate_user_key(crypt_info, &ctx, raw_key, |
b7e7cf7a DW |
318 | inode->i_sb->s_cop->key_prefix, |
319 | keysize); | |
b5a7aef1 JK |
320 | if (res2) { |
321 | if (res2 == -ENOKEY) | |
322 | res = -ENOKEY; | |
323 | goto out; | |
324 | } | |
325 | } else if (res) { | |
66aa3e12 JK |
326 | goto out; |
327 | } | |
d407574e | 328 | ctfm = crypto_alloc_skcipher(cipher_str, 0, 0); |
26bf3dc7 JK |
329 | if (!ctfm || IS_ERR(ctfm)) { |
330 | res = ctfm ? PTR_ERR(ctfm) : -ENOMEM; | |
b7e7cf7a DW |
331 | pr_debug("%s: error %d (inode %lu) allocating crypto tfm\n", |
332 | __func__, res, inode->i_ino); | |
26bf3dc7 | 333 | goto out; |
0adda907 | 334 | } |
26bf3dc7 | 335 | crypt_info->ci_ctfm = ctfm; |
d407574e LT |
336 | crypto_skcipher_clear_flags(ctfm, ~0); |
337 | crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_REQ_WEAK_KEY); | |
b7e7cf7a DW |
338 | /* |
339 | * if the provided key is longer than keysize, we use the first | |
340 | * keysize bytes of the derived key only | |
341 | */ | |
8f39850d | 342 | res = crypto_skcipher_setkey(ctfm, raw_key, keysize); |
26bf3dc7 JK |
343 | if (res) |
344 | goto out; | |
345 | ||
b7e7cf7a DW |
346 | if (S_ISREG(inode->i_mode) && |
347 | crypt_info->ci_data_mode == FS_ENCRYPTION_MODE_AES_128_CBC) { | |
348 | res = init_essiv_generator(crypt_info, raw_key, keysize); | |
349 | if (res) { | |
350 | pr_debug("%s: error %d (inode %lu) allocating essiv tfm\n", | |
351 | __func__, res, inode->i_ino); | |
352 | goto out; | |
353 | } | |
354 | } | |
1b53cf98 EB |
355 | if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) == NULL) |
356 | crypt_info = NULL; | |
26bf3dc7 | 357 | out: |
0b81d077 | 358 | if (res == -ENOKEY) |
26bf3dc7 | 359 | res = 0; |
0b81d077 | 360 | put_crypt_info(crypt_info); |
a6e08912 | 361 | kzfree(raw_key); |
0adda907 JK |
362 | return res; |
363 | } | |
1b53cf98 | 364 | EXPORT_SYMBOL(fscrypt_get_encryption_info); |
0adda907 | 365 | |
0b81d077 | 366 | void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci) |
0adda907 | 367 | { |
0b81d077 JK |
368 | struct fscrypt_info *prev; |
369 | ||
370 | if (ci == NULL) | |
371 | ci = ACCESS_ONCE(inode->i_crypt_info); | |
372 | if (ci == NULL) | |
373 | return; | |
0adda907 | 374 | |
0b81d077 JK |
375 | prev = cmpxchg(&inode->i_crypt_info, ci, NULL); |
376 | if (prev != ci) | |
377 | return; | |
378 | ||
379 | put_crypt_info(ci); | |
380 | } | |
381 | EXPORT_SYMBOL(fscrypt_put_encryption_info); |