]>
Commit | Line | Data |
---|---|---|
0adda907 | 1 | /* |
0b81d077 | 2 | * key management facility for FS encryption support. |
0adda907 JK |
3 | * |
4 | * Copyright (C) 2015, Google, Inc. | |
5 | * | |
0b81d077 | 6 | * This contains encryption key functions. |
0adda907 JK |
7 | * |
8 | * Written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar, 2015. | |
9 | */ | |
0b81d077 | 10 | |
0adda907 | 11 | #include <keys/user-type.h> |
0adda907 | 12 | #include <linux/scatterlist.h> |
b7e7cf7a DW |
13 | #include <linux/ratelimit.h> |
14 | #include <crypto/aes.h> | |
15 | #include <crypto/sha.h> | |
3325bea5 | 16 | #include "fscrypt_private.h" |
0adda907 | 17 | |
b7e7cf7a DW |
18 | static struct crypto_shash *essiv_hash_tfm; |
19 | ||
0adda907 JK |
20 | static void derive_crypt_complete(struct crypto_async_request *req, int rc) |
21 | { | |
0b81d077 | 22 | struct fscrypt_completion_result *ecr = req->data; |
0adda907 JK |
23 | |
24 | if (rc == -EINPROGRESS) | |
25 | return; | |
26 | ||
27 | ecr->res = rc; | |
28 | complete(&ecr->completion); | |
29 | } | |
30 | ||
31 | /** | |
0b81d077 | 32 | * derive_key_aes() - Derive a key using AES-128-ECB |
0fac2d50 | 33 | * @deriving_key: Encryption key used for derivation. |
0adda907 | 34 | * @source_key: Source key to which to apply derivation. |
b7e7cf7a | 35 | * @derived_raw_key: Derived raw key. |
0adda907 JK |
36 | * |
37 | * Return: Zero on success; non-zero otherwise. | |
38 | */ | |
0b81d077 | 39 | static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE], |
b7e7cf7a DW |
40 | const struct fscrypt_key *source_key, |
41 | u8 derived_raw_key[FS_MAX_KEY_SIZE]) | |
0adda907 JK |
42 | { |
43 | int res = 0; | |
d407574e | 44 | struct skcipher_request *req = NULL; |
0b81d077 | 45 | DECLARE_FS_COMPLETION_RESULT(ecr); |
0adda907 | 46 | struct scatterlist src_sg, dst_sg; |
d407574e | 47 | struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0); |
0adda907 JK |
48 | |
49 | if (IS_ERR(tfm)) { | |
50 | res = PTR_ERR(tfm); | |
51 | tfm = NULL; | |
52 | goto out; | |
53 | } | |
d407574e LT |
54 | crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_WEAK_KEY); |
55 | req = skcipher_request_alloc(tfm, GFP_NOFS); | |
0adda907 JK |
56 | if (!req) { |
57 | res = -ENOMEM; | |
58 | goto out; | |
59 | } | |
d407574e | 60 | skcipher_request_set_callback(req, |
0adda907 JK |
61 | CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, |
62 | derive_crypt_complete, &ecr); | |
d407574e | 63 | res = crypto_skcipher_setkey(tfm, deriving_key, |
0b81d077 | 64 | FS_AES_128_ECB_KEY_SIZE); |
0adda907 JK |
65 | if (res < 0) |
66 | goto out; | |
67 | ||
b7e7cf7a DW |
68 | sg_init_one(&src_sg, source_key->raw, source_key->size); |
69 | sg_init_one(&dst_sg, derived_raw_key, source_key->size); | |
70 | skcipher_request_set_crypt(req, &src_sg, &dst_sg, source_key->size, | |
71 | NULL); | |
d407574e | 72 | res = crypto_skcipher_encrypt(req); |
0adda907 | 73 | if (res == -EINPROGRESS || res == -EBUSY) { |
0adda907 JK |
74 | wait_for_completion(&ecr.completion); |
75 | res = ecr.res; | |
76 | } | |
77 | out: | |
d407574e LT |
78 | skcipher_request_free(req); |
79 | crypto_free_skcipher(tfm); | |
0adda907 JK |
80 | return res; |
81 | } | |
82 | ||
b5a7aef1 JK |
83 | static int validate_user_key(struct fscrypt_info *crypt_info, |
84 | struct fscrypt_context *ctx, u8 *raw_key, | |
b7e7cf7a | 85 | const char *prefix, int min_keysize) |
b5a7aef1 | 86 | { |
a5d431ef | 87 | char *description; |
b5a7aef1 JK |
88 | struct key *keyring_key; |
89 | struct fscrypt_key *master_key; | |
90 | const struct user_key_payload *ukp; | |
b5a7aef1 JK |
91 | int res; |
92 | ||
a5d431ef EB |
93 | description = kasprintf(GFP_NOFS, "%s%*phN", prefix, |
94 | FS_KEY_DESCRIPTOR_SIZE, | |
95 | ctx->master_key_descriptor); | |
96 | if (!description) | |
b5a7aef1 JK |
97 | return -ENOMEM; |
98 | ||
a5d431ef EB |
99 | keyring_key = request_key(&key_type_logon, description, NULL); |
100 | kfree(description); | |
b5a7aef1 JK |
101 | if (IS_ERR(keyring_key)) |
102 | return PTR_ERR(keyring_key); | |
1b53cf98 | 103 | down_read(&keyring_key->sem); |
b5a7aef1 JK |
104 | |
105 | if (keyring_key->type != &key_type_logon) { | |
106 | printk_once(KERN_WARNING | |
107 | "%s: key type must be logon\n", __func__); | |
108 | res = -ENOKEY; | |
109 | goto out; | |
110 | } | |
0837e49a | 111 | ukp = user_key_payload_locked(keyring_key); |
3ec6d5ae EB |
112 | if (!ukp) { |
113 | /* key was revoked before we acquired its semaphore */ | |
114 | res = -EKEYREVOKED; | |
115 | goto out; | |
116 | } | |
b5a7aef1 JK |
117 | if (ukp->datalen != sizeof(struct fscrypt_key)) { |
118 | res = -EINVAL; | |
b5a7aef1 JK |
119 | goto out; |
120 | } | |
121 | master_key = (struct fscrypt_key *)ukp->data; | |
122 | BUILD_BUG_ON(FS_AES_128_ECB_KEY_SIZE != FS_KEY_DERIVATION_NONCE_SIZE); | |
123 | ||
b7e7cf7a DW |
124 | if (master_key->size < min_keysize || master_key->size > FS_MAX_KEY_SIZE |
125 | || master_key->size % AES_BLOCK_SIZE != 0) { | |
b5a7aef1 JK |
126 | printk_once(KERN_WARNING |
127 | "%s: key size incorrect: %d\n", | |
128 | __func__, master_key->size); | |
129 | res = -ENOKEY; | |
b5a7aef1 JK |
130 | goto out; |
131 | } | |
b7e7cf7a | 132 | res = derive_key_aes(ctx->nonce, master_key, raw_key); |
b5a7aef1 | 133 | out: |
1b53cf98 | 134 | up_read(&keyring_key->sem); |
b5a7aef1 JK |
135 | key_put(keyring_key); |
136 | return res; | |
137 | } | |
138 | ||
b7e7cf7a DW |
139 | static const struct { |
140 | const char *cipher_str; | |
141 | int keysize; | |
142 | } available_modes[] = { | |
143 | [FS_ENCRYPTION_MODE_AES_256_XTS] = { "xts(aes)", | |
144 | FS_AES_256_XTS_KEY_SIZE }, | |
145 | [FS_ENCRYPTION_MODE_AES_256_CTS] = { "cts(cbc(aes))", | |
146 | FS_AES_256_CTS_KEY_SIZE }, | |
147 | [FS_ENCRYPTION_MODE_AES_128_CBC] = { "cbc(aes)", | |
148 | FS_AES_128_CBC_KEY_SIZE }, | |
149 | [FS_ENCRYPTION_MODE_AES_128_CTS] = { "cts(cbc(aes))", | |
150 | FS_AES_128_CTS_KEY_SIZE }, | |
151 | }; | |
152 | ||
8f39850d EB |
153 | static int determine_cipher_type(struct fscrypt_info *ci, struct inode *inode, |
154 | const char **cipher_str_ret, int *keysize_ret) | |
155 | { | |
b7e7cf7a DW |
156 | u32 mode; |
157 | ||
158 | if (!fscrypt_valid_enc_modes(ci->ci_data_mode, ci->ci_filename_mode)) { | |
159 | pr_warn_ratelimited("fscrypt: inode %lu uses unsupported encryption modes (contents mode %d, filenames mode %d)\n", | |
160 | inode->i_ino, | |
161 | ci->ci_data_mode, ci->ci_filename_mode); | |
162 | return -EINVAL; | |
8f39850d EB |
163 | } |
164 | ||
b7e7cf7a DW |
165 | if (S_ISREG(inode->i_mode)) { |
166 | mode = ci->ci_data_mode; | |
167 | } else if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) { | |
168 | mode = ci->ci_filename_mode; | |
169 | } else { | |
170 | WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n", | |
171 | inode->i_ino, (inode->i_mode & S_IFMT)); | |
172 | return -EINVAL; | |
8f39850d EB |
173 | } |
174 | ||
b7e7cf7a DW |
175 | *cipher_str_ret = available_modes[mode].cipher_str; |
176 | *keysize_ret = available_modes[mode].keysize; | |
177 | return 0; | |
8f39850d EB |
178 | } |
179 | ||
0b81d077 | 180 | static void put_crypt_info(struct fscrypt_info *ci) |
0adda907 | 181 | { |
0adda907 JK |
182 | if (!ci) |
183 | return; | |
184 | ||
d407574e | 185 | crypto_free_skcipher(ci->ci_ctfm); |
b7e7cf7a | 186 | crypto_free_cipher(ci->ci_essiv_tfm); |
0b81d077 | 187 | kmem_cache_free(fscrypt_info_cachep, ci); |
0adda907 JK |
188 | } |
189 | ||
b7e7cf7a DW |
190 | static int derive_essiv_salt(const u8 *key, int keysize, u8 *salt) |
191 | { | |
192 | struct crypto_shash *tfm = READ_ONCE(essiv_hash_tfm); | |
193 | ||
194 | /* init hash transform on demand */ | |
195 | if (unlikely(!tfm)) { | |
196 | struct crypto_shash *prev_tfm; | |
197 | ||
198 | tfm = crypto_alloc_shash("sha256", 0, 0); | |
199 | if (IS_ERR(tfm)) { | |
200 | pr_warn_ratelimited("fscrypt: error allocating SHA-256 transform: %ld\n", | |
201 | PTR_ERR(tfm)); | |
202 | return PTR_ERR(tfm); | |
203 | } | |
204 | prev_tfm = cmpxchg(&essiv_hash_tfm, NULL, tfm); | |
205 | if (prev_tfm) { | |
206 | crypto_free_shash(tfm); | |
207 | tfm = prev_tfm; | |
208 | } | |
209 | } | |
210 | ||
211 | { | |
212 | SHASH_DESC_ON_STACK(desc, tfm); | |
213 | desc->tfm = tfm; | |
214 | desc->flags = 0; | |
215 | ||
216 | return crypto_shash_digest(desc, key, keysize, salt); | |
217 | } | |
218 | } | |
219 | ||
220 | static int init_essiv_generator(struct fscrypt_info *ci, const u8 *raw_key, | |
221 | int keysize) | |
222 | { | |
223 | int err; | |
224 | struct crypto_cipher *essiv_tfm; | |
225 | u8 salt[SHA256_DIGEST_SIZE]; | |
226 | ||
227 | essiv_tfm = crypto_alloc_cipher("aes", 0, 0); | |
228 | if (IS_ERR(essiv_tfm)) | |
229 | return PTR_ERR(essiv_tfm); | |
230 | ||
231 | ci->ci_essiv_tfm = essiv_tfm; | |
232 | ||
233 | err = derive_essiv_salt(raw_key, keysize, salt); | |
234 | if (err) | |
235 | goto out; | |
236 | ||
237 | /* | |
238 | * Using SHA256 to derive the salt/key will result in AES-256 being | |
239 | * used for IV generation. File contents encryption will still use the | |
240 | * configured keysize (AES-128) nevertheless. | |
241 | */ | |
242 | err = crypto_cipher_setkey(essiv_tfm, salt, sizeof(salt)); | |
243 | if (err) | |
244 | goto out; | |
245 | ||
246 | out: | |
247 | memzero_explicit(salt, sizeof(salt)); | |
248 | return err; | |
249 | } | |
250 | ||
251 | void __exit fscrypt_essiv_cleanup(void) | |
252 | { | |
253 | crypto_free_shash(essiv_hash_tfm); | |
254 | } | |
255 | ||
1b53cf98 | 256 | int fscrypt_get_encryption_info(struct inode *inode) |
0adda907 | 257 | { |
0b81d077 | 258 | struct fscrypt_info *crypt_info; |
0b81d077 | 259 | struct fscrypt_context ctx; |
d407574e | 260 | struct crypto_skcipher *ctfm; |
26bf3dc7 | 261 | const char *cipher_str; |
8f39850d | 262 | int keysize; |
a6e08912 | 263 | u8 *raw_key = NULL; |
0adda907 JK |
264 | int res; |
265 | ||
1b53cf98 EB |
266 | if (inode->i_crypt_info) |
267 | return 0; | |
268 | ||
f32d7ac2 | 269 | res = fscrypt_initialize(inode->i_sb->s_cop->flags); |
cfc4d971 JK |
270 | if (res) |
271 | return res; | |
0b81d077 | 272 | |
0b81d077 JK |
273 | res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); |
274 | if (res < 0) { | |
5bbdcbbb TT |
275 | if (!fscrypt_dummy_context_enabled(inode) || |
276 | inode->i_sb->s_cop->is_encrypted(inode)) | |
0b81d077 | 277 | return res; |
5bbdcbbb TT |
278 | /* Fake up a context for an unencrypted directory */ |
279 | memset(&ctx, 0, sizeof(ctx)); | |
8f39850d | 280 | ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1; |
0b81d077 JK |
281 | ctx.contents_encryption_mode = FS_ENCRYPTION_MODE_AES_256_XTS; |
282 | ctx.filenames_encryption_mode = FS_ENCRYPTION_MODE_AES_256_CTS; | |
5bbdcbbb | 283 | memset(ctx.master_key_descriptor, 0x42, FS_KEY_DESCRIPTOR_SIZE); |
0b81d077 | 284 | } else if (res != sizeof(ctx)) { |
0adda907 | 285 | return -EINVAL; |
0b81d077 | 286 | } |
8f39850d EB |
287 | |
288 | if (ctx.format != FS_ENCRYPTION_CONTEXT_FORMAT_V1) | |
289 | return -EINVAL; | |
290 | ||
291 | if (ctx.flags & ~FS_POLICY_FLAGS_VALID) | |
292 | return -EINVAL; | |
0adda907 | 293 | |
0b81d077 | 294 | crypt_info = kmem_cache_alloc(fscrypt_info_cachep, GFP_NOFS); |
0adda907 JK |
295 | if (!crypt_info) |
296 | return -ENOMEM; | |
297 | ||
298 | crypt_info->ci_flags = ctx.flags; | |
299 | crypt_info->ci_data_mode = ctx.contents_encryption_mode; | |
300 | crypt_info->ci_filename_mode = ctx.filenames_encryption_mode; | |
301 | crypt_info->ci_ctfm = NULL; | |
b7e7cf7a | 302 | crypt_info->ci_essiv_tfm = NULL; |
0adda907 JK |
303 | memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor, |
304 | sizeof(crypt_info->ci_master_key)); | |
640778fb | 305 | |
8f39850d EB |
306 | res = determine_cipher_type(crypt_info, inode, &cipher_str, &keysize); |
307 | if (res) | |
26bf3dc7 | 308 | goto out; |
8f39850d | 309 | |
a6e08912 EB |
310 | /* |
311 | * This cannot be a stack buffer because it is passed to the scatterlist | |
312 | * crypto API as part of key derivation. | |
313 | */ | |
314 | res = -ENOMEM; | |
315 | raw_key = kmalloc(FS_MAX_KEY_SIZE, GFP_NOFS); | |
316 | if (!raw_key) | |
317 | goto out; | |
318 | ||
b7e7cf7a DW |
319 | res = validate_user_key(crypt_info, &ctx, raw_key, FS_KEY_DESC_PREFIX, |
320 | keysize); | |
b5a7aef1 | 321 | if (res && inode->i_sb->s_cop->key_prefix) { |
a5d431ef | 322 | int res2 = validate_user_key(crypt_info, &ctx, raw_key, |
b7e7cf7a DW |
323 | inode->i_sb->s_cop->key_prefix, |
324 | keysize); | |
b5a7aef1 JK |
325 | if (res2) { |
326 | if (res2 == -ENOKEY) | |
327 | res = -ENOKEY; | |
328 | goto out; | |
329 | } | |
330 | } else if (res) { | |
66aa3e12 JK |
331 | goto out; |
332 | } | |
d407574e | 333 | ctfm = crypto_alloc_skcipher(cipher_str, 0, 0); |
26bf3dc7 JK |
334 | if (!ctfm || IS_ERR(ctfm)) { |
335 | res = ctfm ? PTR_ERR(ctfm) : -ENOMEM; | |
b7e7cf7a DW |
336 | pr_debug("%s: error %d (inode %lu) allocating crypto tfm\n", |
337 | __func__, res, inode->i_ino); | |
26bf3dc7 | 338 | goto out; |
0adda907 | 339 | } |
26bf3dc7 | 340 | crypt_info->ci_ctfm = ctfm; |
d407574e LT |
341 | crypto_skcipher_clear_flags(ctfm, ~0); |
342 | crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_REQ_WEAK_KEY); | |
b7e7cf7a DW |
343 | /* |
344 | * if the provided key is longer than keysize, we use the first | |
345 | * keysize bytes of the derived key only | |
346 | */ | |
8f39850d | 347 | res = crypto_skcipher_setkey(ctfm, raw_key, keysize); |
26bf3dc7 JK |
348 | if (res) |
349 | goto out; | |
350 | ||
b7e7cf7a DW |
351 | if (S_ISREG(inode->i_mode) && |
352 | crypt_info->ci_data_mode == FS_ENCRYPTION_MODE_AES_128_CBC) { | |
353 | res = init_essiv_generator(crypt_info, raw_key, keysize); | |
354 | if (res) { | |
355 | pr_debug("%s: error %d (inode %lu) allocating essiv tfm\n", | |
356 | __func__, res, inode->i_ino); | |
357 | goto out; | |
358 | } | |
359 | } | |
1b53cf98 EB |
360 | if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) == NULL) |
361 | crypt_info = NULL; | |
26bf3dc7 | 362 | out: |
0b81d077 | 363 | if (res == -ENOKEY) |
26bf3dc7 | 364 | res = 0; |
0b81d077 | 365 | put_crypt_info(crypt_info); |
a6e08912 | 366 | kzfree(raw_key); |
0adda907 JK |
367 | return res; |
368 | } | |
1b53cf98 | 369 | EXPORT_SYMBOL(fscrypt_get_encryption_info); |
0adda907 | 370 | |
0b81d077 | 371 | void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci) |
0adda907 | 372 | { |
0b81d077 JK |
373 | struct fscrypt_info *prev; |
374 | ||
375 | if (ci == NULL) | |
376 | ci = ACCESS_ONCE(inode->i_crypt_info); | |
377 | if (ci == NULL) | |
378 | return; | |
0adda907 | 379 | |
0b81d077 JK |
380 | prev = cmpxchg(&inode->i_crypt_info, ci, NULL); |
381 | if (prev != ci) | |
382 | return; | |
383 | ||
384 | put_crypt_info(ci); | |
385 | } | |
386 | EXPORT_SYMBOL(fscrypt_put_encryption_info); |