]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * key management facility for FS encryption support. | |
3 | * | |
4 | * Copyright (C) 2015, Google, Inc. | |
5 | * | |
6 | * This contains encryption key functions. | |
7 | * | |
8 | * Written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar, 2015. | |
9 | */ | |
10 | ||
11 | #include <keys/user-type.h> | |
12 | #include <linux/scatterlist.h> | |
13 | #include <linux/ratelimit.h> | |
14 | #include <crypto/aes.h> | |
15 | #include <crypto/sha.h> | |
16 | #include "fscrypt_private.h" | |
17 | ||
18 | static struct crypto_shash *essiv_hash_tfm; | |
19 | ||
20 | static void derive_crypt_complete(struct crypto_async_request *req, int rc) | |
21 | { | |
22 | struct fscrypt_completion_result *ecr = req->data; | |
23 | ||
24 | if (rc == -EINPROGRESS) | |
25 | return; | |
26 | ||
27 | ecr->res = rc; | |
28 | complete(&ecr->completion); | |
29 | } | |
30 | ||
31 | /** | |
32 | * derive_key_aes() - Derive a key using AES-128-ECB | |
33 | * @deriving_key: Encryption key used for derivation. | |
34 | * @source_key: Source key to which to apply derivation. | |
35 | * @derived_raw_key: Derived raw key. | |
36 | * | |
37 | * Return: Zero on success; non-zero otherwise. | |
38 | */ | |
39 | static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE], | |
40 | const struct fscrypt_key *source_key, | |
41 | u8 derived_raw_key[FS_MAX_KEY_SIZE]) | |
42 | { | |
43 | int res = 0; | |
44 | struct skcipher_request *req = NULL; | |
45 | DECLARE_FS_COMPLETION_RESULT(ecr); | |
46 | struct scatterlist src_sg, dst_sg; | |
47 | struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0); | |
48 | ||
49 | if (IS_ERR(tfm)) { | |
50 | res = PTR_ERR(tfm); | |
51 | tfm = NULL; | |
52 | goto out; | |
53 | } | |
54 | crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_WEAK_KEY); | |
55 | req = skcipher_request_alloc(tfm, GFP_NOFS); | |
56 | if (!req) { | |
57 | res = -ENOMEM; | |
58 | goto out; | |
59 | } | |
60 | skcipher_request_set_callback(req, | |
61 | CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, | |
62 | derive_crypt_complete, &ecr); | |
63 | res = crypto_skcipher_setkey(tfm, deriving_key, | |
64 | FS_AES_128_ECB_KEY_SIZE); | |
65 | if (res < 0) | |
66 | goto out; | |
67 | ||
68 | sg_init_one(&src_sg, source_key->raw, source_key->size); | |
69 | sg_init_one(&dst_sg, derived_raw_key, source_key->size); | |
70 | skcipher_request_set_crypt(req, &src_sg, &dst_sg, source_key->size, | |
71 | NULL); | |
72 | res = crypto_skcipher_encrypt(req); | |
73 | if (res == -EINPROGRESS || res == -EBUSY) { | |
74 | wait_for_completion(&ecr.completion); | |
75 | res = ecr.res; | |
76 | } | |
77 | out: | |
78 | skcipher_request_free(req); | |
79 | crypto_free_skcipher(tfm); | |
80 | return res; | |
81 | } | |
82 | ||
83 | static int validate_user_key(struct fscrypt_info *crypt_info, | |
84 | struct fscrypt_context *ctx, u8 *raw_key, | |
85 | const char *prefix, int min_keysize) | |
86 | { | |
87 | char *description; | |
88 | struct key *keyring_key; | |
89 | struct fscrypt_key *master_key; | |
90 | const struct user_key_payload *ukp; | |
91 | int res; | |
92 | ||
93 | description = kasprintf(GFP_NOFS, "%s%*phN", prefix, | |
94 | FS_KEY_DESCRIPTOR_SIZE, | |
95 | ctx->master_key_descriptor); | |
96 | if (!description) | |
97 | return -ENOMEM; | |
98 | ||
99 | keyring_key = request_key(&key_type_logon, description, NULL); | |
100 | kfree(description); | |
101 | if (IS_ERR(keyring_key)) | |
102 | return PTR_ERR(keyring_key); | |
103 | down_read(&keyring_key->sem); | |
104 | ||
105 | if (keyring_key->type != &key_type_logon) { | |
106 | printk_once(KERN_WARNING | |
107 | "%s: key type must be logon\n", __func__); | |
108 | res = -ENOKEY; | |
109 | goto out; | |
110 | } | |
111 | ukp = user_key_payload_locked(keyring_key); | |
112 | if (!ukp) { | |
113 | /* key was revoked before we acquired its semaphore */ | |
114 | res = -EKEYREVOKED; | |
115 | goto out; | |
116 | } | |
117 | if (ukp->datalen != sizeof(struct fscrypt_key)) { | |
118 | res = -EINVAL; | |
119 | goto out; | |
120 | } | |
121 | master_key = (struct fscrypt_key *)ukp->data; | |
122 | BUILD_BUG_ON(FS_AES_128_ECB_KEY_SIZE != FS_KEY_DERIVATION_NONCE_SIZE); | |
123 | ||
124 | if (master_key->size < min_keysize || master_key->size > FS_MAX_KEY_SIZE | |
125 | || master_key->size % AES_BLOCK_SIZE != 0) { | |
126 | printk_once(KERN_WARNING | |
127 | "%s: key size incorrect: %d\n", | |
128 | __func__, master_key->size); | |
129 | res = -ENOKEY; | |
130 | goto out; | |
131 | } | |
132 | res = derive_key_aes(ctx->nonce, master_key, raw_key); | |
133 | out: | |
134 | up_read(&keyring_key->sem); | |
135 | key_put(keyring_key); | |
136 | return res; | |
137 | } | |
138 | ||
139 | static const struct { | |
140 | const char *cipher_str; | |
141 | int keysize; | |
142 | } available_modes[] = { | |
143 | [FS_ENCRYPTION_MODE_AES_256_XTS] = { "xts(aes)", | |
144 | FS_AES_256_XTS_KEY_SIZE }, | |
145 | [FS_ENCRYPTION_MODE_AES_256_CTS] = { "cts(cbc(aes))", | |
146 | FS_AES_256_CTS_KEY_SIZE }, | |
147 | [FS_ENCRYPTION_MODE_AES_128_CBC] = { "cbc(aes)", | |
148 | FS_AES_128_CBC_KEY_SIZE }, | |
149 | [FS_ENCRYPTION_MODE_AES_128_CTS] = { "cts(cbc(aes))", | |
150 | FS_AES_128_CTS_KEY_SIZE }, | |
151 | }; | |
152 | ||
153 | static int determine_cipher_type(struct fscrypt_info *ci, struct inode *inode, | |
154 | const char **cipher_str_ret, int *keysize_ret) | |
155 | { | |
156 | u32 mode; | |
157 | ||
158 | if (!fscrypt_valid_enc_modes(ci->ci_data_mode, ci->ci_filename_mode)) { | |
159 | pr_warn_ratelimited("fscrypt: inode %lu uses unsupported encryption modes (contents mode %d, filenames mode %d)\n", | |
160 | inode->i_ino, | |
161 | ci->ci_data_mode, ci->ci_filename_mode); | |
162 | return -EINVAL; | |
163 | } | |
164 | ||
165 | if (S_ISREG(inode->i_mode)) { | |
166 | mode = ci->ci_data_mode; | |
167 | } else if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) { | |
168 | mode = ci->ci_filename_mode; | |
169 | } else { | |
170 | WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n", | |
171 | inode->i_ino, (inode->i_mode & S_IFMT)); | |
172 | return -EINVAL; | |
173 | } | |
174 | ||
175 | *cipher_str_ret = available_modes[mode].cipher_str; | |
176 | *keysize_ret = available_modes[mode].keysize; | |
177 | return 0; | |
178 | } | |
179 | ||
180 | static void put_crypt_info(struct fscrypt_info *ci) | |
181 | { | |
182 | if (!ci) | |
183 | return; | |
184 | ||
185 | crypto_free_skcipher(ci->ci_ctfm); | |
186 | crypto_free_cipher(ci->ci_essiv_tfm); | |
187 | kmem_cache_free(fscrypt_info_cachep, ci); | |
188 | } | |
189 | ||
190 | static int derive_essiv_salt(const u8 *key, int keysize, u8 *salt) | |
191 | { | |
192 | struct crypto_shash *tfm = READ_ONCE(essiv_hash_tfm); | |
193 | ||
194 | /* init hash transform on demand */ | |
195 | if (unlikely(!tfm)) { | |
196 | struct crypto_shash *prev_tfm; | |
197 | ||
198 | tfm = crypto_alloc_shash("sha256", 0, 0); | |
199 | if (IS_ERR(tfm)) { | |
200 | pr_warn_ratelimited("fscrypt: error allocating SHA-256 transform: %ld\n", | |
201 | PTR_ERR(tfm)); | |
202 | return PTR_ERR(tfm); | |
203 | } | |
204 | prev_tfm = cmpxchg(&essiv_hash_tfm, NULL, tfm); | |
205 | if (prev_tfm) { | |
206 | crypto_free_shash(tfm); | |
207 | tfm = prev_tfm; | |
208 | } | |
209 | } | |
210 | ||
211 | { | |
212 | SHASH_DESC_ON_STACK(desc, tfm); | |
213 | desc->tfm = tfm; | |
214 | desc->flags = 0; | |
215 | ||
216 | return crypto_shash_digest(desc, key, keysize, salt); | |
217 | } | |
218 | } | |
219 | ||
220 | static int init_essiv_generator(struct fscrypt_info *ci, const u8 *raw_key, | |
221 | int keysize) | |
222 | { | |
223 | int err; | |
224 | struct crypto_cipher *essiv_tfm; | |
225 | u8 salt[SHA256_DIGEST_SIZE]; | |
226 | ||
227 | essiv_tfm = crypto_alloc_cipher("aes", 0, 0); | |
228 | if (IS_ERR(essiv_tfm)) | |
229 | return PTR_ERR(essiv_tfm); | |
230 | ||
231 | ci->ci_essiv_tfm = essiv_tfm; | |
232 | ||
233 | err = derive_essiv_salt(raw_key, keysize, salt); | |
234 | if (err) | |
235 | goto out; | |
236 | ||
237 | /* | |
238 | * Using SHA256 to derive the salt/key will result in AES-256 being | |
239 | * used for IV generation. File contents encryption will still use the | |
240 | * configured keysize (AES-128) nevertheless. | |
241 | */ | |
242 | err = crypto_cipher_setkey(essiv_tfm, salt, sizeof(salt)); | |
243 | if (err) | |
244 | goto out; | |
245 | ||
246 | out: | |
247 | memzero_explicit(salt, sizeof(salt)); | |
248 | return err; | |
249 | } | |
250 | ||
251 | void __exit fscrypt_essiv_cleanup(void) | |
252 | { | |
253 | crypto_free_shash(essiv_hash_tfm); | |
254 | } | |
255 | ||
256 | int fscrypt_get_encryption_info(struct inode *inode) | |
257 | { | |
258 | struct fscrypt_info *crypt_info; | |
259 | struct fscrypt_context ctx; | |
260 | struct crypto_skcipher *ctfm; | |
261 | const char *cipher_str; | |
262 | int keysize; | |
263 | u8 *raw_key = NULL; | |
264 | int res; | |
265 | ||
266 | if (inode->i_crypt_info) | |
267 | return 0; | |
268 | ||
269 | res = fscrypt_initialize(inode->i_sb->s_cop->flags); | |
270 | if (res) | |
271 | return res; | |
272 | ||
273 | res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); | |
274 | if (res < 0) { | |
275 | if (!fscrypt_dummy_context_enabled(inode) || | |
276 | inode->i_sb->s_cop->is_encrypted(inode)) | |
277 | return res; | |
278 | /* Fake up a context for an unencrypted directory */ | |
279 | memset(&ctx, 0, sizeof(ctx)); | |
280 | ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1; | |
281 | ctx.contents_encryption_mode = FS_ENCRYPTION_MODE_AES_256_XTS; | |
282 | ctx.filenames_encryption_mode = FS_ENCRYPTION_MODE_AES_256_CTS; | |
283 | memset(ctx.master_key_descriptor, 0x42, FS_KEY_DESCRIPTOR_SIZE); | |
284 | } else if (res != sizeof(ctx)) { | |
285 | return -EINVAL; | |
286 | } | |
287 | ||
288 | if (ctx.format != FS_ENCRYPTION_CONTEXT_FORMAT_V1) | |
289 | return -EINVAL; | |
290 | ||
291 | if (ctx.flags & ~FS_POLICY_FLAGS_VALID) | |
292 | return -EINVAL; | |
293 | ||
294 | crypt_info = kmem_cache_alloc(fscrypt_info_cachep, GFP_NOFS); | |
295 | if (!crypt_info) | |
296 | return -ENOMEM; | |
297 | ||
298 | crypt_info->ci_flags = ctx.flags; | |
299 | crypt_info->ci_data_mode = ctx.contents_encryption_mode; | |
300 | crypt_info->ci_filename_mode = ctx.filenames_encryption_mode; | |
301 | crypt_info->ci_ctfm = NULL; | |
302 | crypt_info->ci_essiv_tfm = NULL; | |
303 | memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor, | |
304 | sizeof(crypt_info->ci_master_key)); | |
305 | ||
306 | res = determine_cipher_type(crypt_info, inode, &cipher_str, &keysize); | |
307 | if (res) | |
308 | goto out; | |
309 | ||
310 | /* | |
311 | * This cannot be a stack buffer because it is passed to the scatterlist | |
312 | * crypto API as part of key derivation. | |
313 | */ | |
314 | res = -ENOMEM; | |
315 | raw_key = kmalloc(FS_MAX_KEY_SIZE, GFP_NOFS); | |
316 | if (!raw_key) | |
317 | goto out; | |
318 | ||
319 | res = validate_user_key(crypt_info, &ctx, raw_key, FS_KEY_DESC_PREFIX, | |
320 | keysize); | |
321 | if (res && inode->i_sb->s_cop->key_prefix) { | |
322 | int res2 = validate_user_key(crypt_info, &ctx, raw_key, | |
323 | inode->i_sb->s_cop->key_prefix, | |
324 | keysize); | |
325 | if (res2) { | |
326 | if (res2 == -ENOKEY) | |
327 | res = -ENOKEY; | |
328 | goto out; | |
329 | } | |
330 | } else if (res) { | |
331 | goto out; | |
332 | } | |
333 | ctfm = crypto_alloc_skcipher(cipher_str, 0, 0); | |
334 | if (!ctfm || IS_ERR(ctfm)) { | |
335 | res = ctfm ? PTR_ERR(ctfm) : -ENOMEM; | |
336 | pr_debug("%s: error %d (inode %lu) allocating crypto tfm\n", | |
337 | __func__, res, inode->i_ino); | |
338 | goto out; | |
339 | } | |
340 | crypt_info->ci_ctfm = ctfm; | |
341 | crypto_skcipher_clear_flags(ctfm, ~0); | |
342 | crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_REQ_WEAK_KEY); | |
343 | /* | |
344 | * if the provided key is longer than keysize, we use the first | |
345 | * keysize bytes of the derived key only | |
346 | */ | |
347 | res = crypto_skcipher_setkey(ctfm, raw_key, keysize); | |
348 | if (res) | |
349 | goto out; | |
350 | ||
351 | if (S_ISREG(inode->i_mode) && | |
352 | crypt_info->ci_data_mode == FS_ENCRYPTION_MODE_AES_128_CBC) { | |
353 | res = init_essiv_generator(crypt_info, raw_key, keysize); | |
354 | if (res) { | |
355 | pr_debug("%s: error %d (inode %lu) allocating essiv tfm\n", | |
356 | __func__, res, inode->i_ino); | |
357 | goto out; | |
358 | } | |
359 | } | |
360 | if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) == NULL) | |
361 | crypt_info = NULL; | |
362 | out: | |
363 | if (res == -ENOKEY) | |
364 | res = 0; | |
365 | put_crypt_info(crypt_info); | |
366 | kzfree(raw_key); | |
367 | return res; | |
368 | } | |
369 | EXPORT_SYMBOL(fscrypt_get_encryption_info); | |
370 | ||
371 | void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci) | |
372 | { | |
373 | struct fscrypt_info *prev; | |
374 | ||
375 | if (ci == NULL) | |
376 | ci = ACCESS_ONCE(inode->i_crypt_info); | |
377 | if (ci == NULL) | |
378 | return; | |
379 | ||
380 | prev = cmpxchg(&inode->i_crypt_info, ci, NULL); | |
381 | if (prev != ci) | |
382 | return; | |
383 | ||
384 | put_crypt_info(ci); | |
385 | } | |
386 | EXPORT_SYMBOL(fscrypt_put_encryption_info); |