keyinfo.c 9.99 KB
Newer Older
1
// SPDX-License-Identifier: GPL-2.0
2
/*
3
 * key management facility for FS encryption support.
4 5 6
 *
 * Copyright (C) 2015, Google, Inc.
 *
7
 * This contains encryption key functions.
8 9 10
 *
 * Written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar, 2015.
 */
11

12 13
#include <keys/user-type.h>
#include <linux/scatterlist.h>
14 15 16
#include <linux/ratelimit.h>
#include <crypto/aes.h>
#include <crypto/sha.h>
17
#include "fscrypt_private.h"
18

19 20
static struct crypto_shash *essiv_hash_tfm;

21 22
static void derive_crypt_complete(struct crypto_async_request *req, int rc)
{
23
	struct fscrypt_completion_result *ecr = req->data;
24 25 26 27 28 29 30 31 32

	if (rc == -EINPROGRESS)
		return;

	ecr->res = rc;
	complete(&ecr->completion);
}

/**
33
 * derive_key_aes() - Derive a key using AES-128-ECB
34
 * @deriving_key: Encryption key used for derivation.
35
 * @source_key:   Source key to which to apply derivation.
36
 * @derived_raw_key:  Derived raw key.
37 38 39
 *
 * Return: Zero on success; non-zero otherwise.
 */
40
static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE],
41 42
				const struct fscrypt_key *source_key,
				u8 derived_raw_key[FS_MAX_KEY_SIZE])
43 44
{
	int res = 0;
45
	struct skcipher_request *req = NULL;
46
	DECLARE_FS_COMPLETION_RESULT(ecr);
47
	struct scatterlist src_sg, dst_sg;
48
	struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0);
49 50 51 52 53 54

	if (IS_ERR(tfm)) {
		res = PTR_ERR(tfm);
		tfm = NULL;
		goto out;
	}
55 56
	crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_WEAK_KEY);
	req = skcipher_request_alloc(tfm, GFP_NOFS);
57 58 59 60
	if (!req) {
		res = -ENOMEM;
		goto out;
	}
61
	skcipher_request_set_callback(req,
62 63
			CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
			derive_crypt_complete, &ecr);
64
	res = crypto_skcipher_setkey(tfm, deriving_key,
65
					FS_AES_128_ECB_KEY_SIZE);
66 67 68
	if (res < 0)
		goto out;

69 70 71 72
	sg_init_one(&src_sg, source_key->raw, source_key->size);
	sg_init_one(&dst_sg, derived_raw_key, source_key->size);
	skcipher_request_set_crypt(req, &src_sg, &dst_sg, source_key->size,
				   NULL);
73
	res = crypto_skcipher_encrypt(req);
74 75 76 77 78
	if (res == -EINPROGRESS || res == -EBUSY) {
		wait_for_completion(&ecr.completion);
		res = ecr.res;
	}
out:
79 80
	skcipher_request_free(req);
	crypto_free_skcipher(tfm);
81 82 83
	return res;
}

84 85
static int validate_user_key(struct fscrypt_info *crypt_info,
			struct fscrypt_context *ctx, u8 *raw_key,
86
			const char *prefix, int min_keysize)
87
{
88
	char *description;
89 90 91 92 93
	struct key *keyring_key;
	struct fscrypt_key *master_key;
	const struct user_key_payload *ukp;
	int res;

94 95 96 97
	description = kasprintf(GFP_NOFS, "%s%*phN", prefix,
				FS_KEY_DESCRIPTOR_SIZE,
				ctx->master_key_descriptor);
	if (!description)
98 99
		return -ENOMEM;

100 101
	keyring_key = request_key(&key_type_logon, description, NULL);
	kfree(description);
102 103
	if (IS_ERR(keyring_key))
		return PTR_ERR(keyring_key);
104
	down_read(&keyring_key->sem);
105 106 107 108 109 110 111

	if (keyring_key->type != &key_type_logon) {
		printk_once(KERN_WARNING
				"%s: key type must be logon\n", __func__);
		res = -ENOKEY;
		goto out;
	}
112
	ukp = user_key_payload_locked(keyring_key);
113 114 115 116 117
	if (!ukp) {
		/* key was revoked before we acquired its semaphore */
		res = -EKEYREVOKED;
		goto out;
	}
118 119 120 121 122 123 124
	if (ukp->datalen != sizeof(struct fscrypt_key)) {
		res = -EINVAL;
		goto out;
	}
	master_key = (struct fscrypt_key *)ukp->data;
	BUILD_BUG_ON(FS_AES_128_ECB_KEY_SIZE != FS_KEY_DERIVATION_NONCE_SIZE);

125 126
	if (master_key->size < min_keysize || master_key->size > FS_MAX_KEY_SIZE
	    || master_key->size % AES_BLOCK_SIZE != 0) {
127 128 129 130 131 132
		printk_once(KERN_WARNING
				"%s: key size incorrect: %d\n",
				__func__, master_key->size);
		res = -ENOKEY;
		goto out;
	}
133
	res = derive_key_aes(ctx->nonce, master_key, raw_key);
134
out:
135
	up_read(&keyring_key->sem);
136 137 138 139
	key_put(keyring_key);
	return res;
}

140 141 142 143 144 145 146 147 148 149 150 151 152 153
static const struct {
	const char *cipher_str;
	int keysize;
} available_modes[] = {
	[FS_ENCRYPTION_MODE_AES_256_XTS] = { "xts(aes)",
					     FS_AES_256_XTS_KEY_SIZE },
	[FS_ENCRYPTION_MODE_AES_256_CTS] = { "cts(cbc(aes))",
					     FS_AES_256_CTS_KEY_SIZE },
	[FS_ENCRYPTION_MODE_AES_128_CBC] = { "cbc(aes)",
					     FS_AES_128_CBC_KEY_SIZE },
	[FS_ENCRYPTION_MODE_AES_128_CTS] = { "cts(cbc(aes))",
					     FS_AES_128_CTS_KEY_SIZE },
};

154 155 156
static int determine_cipher_type(struct fscrypt_info *ci, struct inode *inode,
				 const char **cipher_str_ret, int *keysize_ret)
{
157 158 159 160 161 162 163
	u32 mode;

	if (!fscrypt_valid_enc_modes(ci->ci_data_mode, ci->ci_filename_mode)) {
		pr_warn_ratelimited("fscrypt: inode %lu uses unsupported encryption modes (contents mode %d, filenames mode %d)\n",
				    inode->i_ino,
				    ci->ci_data_mode, ci->ci_filename_mode);
		return -EINVAL;
164 165
	}

166 167 168 169 170 171 172 173
	if (S_ISREG(inode->i_mode)) {
		mode = ci->ci_data_mode;
	} else if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) {
		mode = ci->ci_filename_mode;
	} else {
		WARN_ONCE(1, "fscrypt: filesystem tried to load encryption info for inode %lu, which is not encryptable (file type %d)\n",
			  inode->i_ino, (inode->i_mode & S_IFMT));
		return -EINVAL;
174 175
	}

176 177 178
	*cipher_str_ret = available_modes[mode].cipher_str;
	*keysize_ret = available_modes[mode].keysize;
	return 0;
179 180
}

181
static void put_crypt_info(struct fscrypt_info *ci)
182 183 184 185
{
	if (!ci)
		return;

186
	crypto_free_skcipher(ci->ci_ctfm);
187
	crypto_free_cipher(ci->ci_essiv_tfm);
188
	kmem_cache_free(fscrypt_info_cachep, ci);
189 190
}

191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256
static int derive_essiv_salt(const u8 *key, int keysize, u8 *salt)
{
	struct crypto_shash *tfm = READ_ONCE(essiv_hash_tfm);

	/* init hash transform on demand */
	if (unlikely(!tfm)) {
		struct crypto_shash *prev_tfm;

		tfm = crypto_alloc_shash("sha256", 0, 0);
		if (IS_ERR(tfm)) {
			pr_warn_ratelimited("fscrypt: error allocating SHA-256 transform: %ld\n",
					    PTR_ERR(tfm));
			return PTR_ERR(tfm);
		}
		prev_tfm = cmpxchg(&essiv_hash_tfm, NULL, tfm);
		if (prev_tfm) {
			crypto_free_shash(tfm);
			tfm = prev_tfm;
		}
	}

	{
		SHASH_DESC_ON_STACK(desc, tfm);
		desc->tfm = tfm;
		desc->flags = 0;

		return crypto_shash_digest(desc, key, keysize, salt);
	}
}

static int init_essiv_generator(struct fscrypt_info *ci, const u8 *raw_key,
				int keysize)
{
	int err;
	struct crypto_cipher *essiv_tfm;
	u8 salt[SHA256_DIGEST_SIZE];

	essiv_tfm = crypto_alloc_cipher("aes", 0, 0);
	if (IS_ERR(essiv_tfm))
		return PTR_ERR(essiv_tfm);

	ci->ci_essiv_tfm = essiv_tfm;

	err = derive_essiv_salt(raw_key, keysize, salt);
	if (err)
		goto out;

	/*
	 * Using SHA256 to derive the salt/key will result in AES-256 being
	 * used for IV generation. File contents encryption will still use the
	 * configured keysize (AES-128) nevertheless.
	 */
	err = crypto_cipher_setkey(essiv_tfm, salt, sizeof(salt));
	if (err)
		goto out;

out:
	memzero_explicit(salt, sizeof(salt));
	return err;
}

void __exit fscrypt_essiv_cleanup(void)
{
	crypto_free_shash(essiv_hash_tfm);
}

257
int fscrypt_get_encryption_info(struct inode *inode)
258
{
259 260
	struct fscrypt_info *crypt_info;
	struct fscrypt_context ctx;
261
	struct crypto_skcipher *ctfm;
262
	const char *cipher_str;
263
	int keysize;
264
	u8 *raw_key = NULL;
265 266
	int res;

267 268 269
	if (inode->i_crypt_info)
		return 0;

270
	res = fscrypt_initialize(inode->i_sb->s_cop->flags);
271 272
	if (res)
		return res;
273 274 275

	res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
	if (res < 0) {
276 277
		if (!fscrypt_dummy_context_enabled(inode) ||
		    inode->i_sb->s_cop->is_encrypted(inode))
278
			return res;
279 280
		/* Fake up a context for an unencrypted directory */
		memset(&ctx, 0, sizeof(ctx));
281
		ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1;
282 283
		ctx.contents_encryption_mode = FS_ENCRYPTION_MODE_AES_256_XTS;
		ctx.filenames_encryption_mode = FS_ENCRYPTION_MODE_AES_256_CTS;
284
		memset(ctx.master_key_descriptor, 0x42, FS_KEY_DESCRIPTOR_SIZE);
285
	} else if (res != sizeof(ctx)) {
286
		return -EINVAL;
287
	}
288 289 290 291 292 293

	if (ctx.format != FS_ENCRYPTION_CONTEXT_FORMAT_V1)
		return -EINVAL;

	if (ctx.flags & ~FS_POLICY_FLAGS_VALID)
		return -EINVAL;
294

295
	crypt_info = kmem_cache_alloc(fscrypt_info_cachep, GFP_NOFS);
296 297 298 299 300 301 302
	if (!crypt_info)
		return -ENOMEM;

	crypt_info->ci_flags = ctx.flags;
	crypt_info->ci_data_mode = ctx.contents_encryption_mode;
	crypt_info->ci_filename_mode = ctx.filenames_encryption_mode;
	crypt_info->ci_ctfm = NULL;
303
	crypt_info->ci_essiv_tfm = NULL;
304 305
	memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor,
				sizeof(crypt_info->ci_master_key));
306

307 308
	res = determine_cipher_type(crypt_info, inode, &cipher_str, &keysize);
	if (res)
309
		goto out;
310

311 312 313 314 315 316 317 318 319
	/*
	 * This cannot be a stack buffer because it is passed to the scatterlist
	 * crypto API as part of key derivation.
	 */
	res = -ENOMEM;
	raw_key = kmalloc(FS_MAX_KEY_SIZE, GFP_NOFS);
	if (!raw_key)
		goto out;

320 321
	res = validate_user_key(crypt_info, &ctx, raw_key, FS_KEY_DESC_PREFIX,
				keysize);
322
	if (res && inode->i_sb->s_cop->key_prefix) {
323
		int res2 = validate_user_key(crypt_info, &ctx, raw_key,
324 325
					     inode->i_sb->s_cop->key_prefix,
					     keysize);
326 327 328 329 330 331
		if (res2) {
			if (res2 == -ENOKEY)
				res = -ENOKEY;
			goto out;
		}
	} else if (res) {
332 333
		goto out;
	}
334
	ctfm = crypto_alloc_skcipher(cipher_str, 0, 0);
335 336
	if (!ctfm || IS_ERR(ctfm)) {
		res = ctfm ? PTR_ERR(ctfm) : -ENOMEM;
337 338
		pr_debug("%s: error %d (inode %lu) allocating crypto tfm\n",
			 __func__, res, inode->i_ino);
339
		goto out;
340
	}
341
	crypt_info->ci_ctfm = ctfm;
342 343
	crypto_skcipher_clear_flags(ctfm, ~0);
	crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_REQ_WEAK_KEY);
344 345 346 347
	/*
	 * if the provided key is longer than keysize, we use the first
	 * keysize bytes of the derived key only
	 */
348
	res = crypto_skcipher_setkey(ctfm, raw_key, keysize);
349 350 351
	if (res)
		goto out;

352 353 354 355 356 357 358 359 360
	if (S_ISREG(inode->i_mode) &&
	    crypt_info->ci_data_mode == FS_ENCRYPTION_MODE_AES_128_CBC) {
		res = init_essiv_generator(crypt_info, raw_key, keysize);
		if (res) {
			pr_debug("%s: error %d (inode %lu) allocating essiv tfm\n",
				 __func__, res, inode->i_ino);
			goto out;
		}
	}
361 362
	if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) == NULL)
		crypt_info = NULL;
363
out:
364
	if (res == -ENOKEY)
365
		res = 0;
366
	put_crypt_info(crypt_info);
367
	kzfree(raw_key);
368 369
	return res;
}
370
EXPORT_SYMBOL(fscrypt_get_encryption_info);
371

372
void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci)
373
{
374 375 376 377 378 379
	struct fscrypt_info *prev;

	if (ci == NULL)
		ci = ACCESS_ONCE(inode->i_crypt_info);
	if (ci == NULL)
		return;
380

381 382 383 384 385 386 387
	prev = cmpxchg(&inode->i_crypt_info, ci, NULL);
	if (prev != ci)
		return;

	put_crypt_info(ci);
}
EXPORT_SYMBOL(fscrypt_put_encryption_info);