~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/keys/encrypted-keys/encrypted.c

Version: ~ [ linux-5.15-rc5 ] ~ [ linux-5.14.11 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.72 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.152 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.210 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.250 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.286 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.288 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.18.140 ] ~ [ linux-3.16.85 ] ~ [ linux-3.14.79 ] ~ [ linux-3.12.74 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * Copyright (C) 2010 IBM Corporation
  3  * Copyright (C) 2010 Politecnico di Torino, Italy
  4  *                    TORSEC group -- http://security.polito.it
  5  *
  6  * Authors:
  7  * Mimi Zohar <zohar@us.ibm.com>
  8  * Roberto Sassu <roberto.sassu@polito.it>
  9  *
 10  * This program is free software; you can redistribute it and/or modify
 11  * it under the terms of the GNU General Public License as published by
 12  * the Free Software Foundation, version 2 of the License.
 13  *
 14  * See Documentation/security/keys-trusted-encrypted.txt
 15  */
 16 
 17 #include <linux/uaccess.h>
 18 #include <linux/module.h>
 19 #include <linux/init.h>
 20 #include <linux/slab.h>
 21 #include <linux/parser.h>
 22 #include <linux/string.h>
 23 #include <linux/err.h>
 24 #include <keys/user-type.h>
 25 #include <keys/trusted-type.h>
 26 #include <keys/encrypted-type.h>
 27 #include <linux/key-type.h>
 28 #include <linux/random.h>
 29 #include <linux/rcupdate.h>
 30 #include <linux/scatterlist.h>
 31 #include <linux/ctype.h>
 32 #include <crypto/hash.h>
 33 #include <crypto/sha.h>
 34 #include <crypto/skcipher.h>
 35 
 36 #include "encrypted.h"
 37 #include "ecryptfs_format.h"
 38 
 39 static const char KEY_TRUSTED_PREFIX[] = "trusted:";
 40 static const char KEY_USER_PREFIX[] = "user:";
 41 static const char hash_alg[] = "sha256";
 42 static const char hmac_alg[] = "hmac(sha256)";
 43 static const char blkcipher_alg[] = "cbc(aes)";
 44 static const char key_format_default[] = "default";
 45 static const char key_format_ecryptfs[] = "ecryptfs";
 46 static unsigned int ivsize;
 47 static int blksize;
 48 
 49 #define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1)
 50 #define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1)
 51 #define KEY_ECRYPTFS_DESC_LEN 16
 52 #define HASH_SIZE SHA256_DIGEST_SIZE
 53 #define MAX_DATA_SIZE 4096
 54 #define MIN_DATA_SIZE  20
 55 
 56 struct sdesc {
 57         struct shash_desc shash;
 58         char ctx[];
 59 };
 60 
 61 static struct crypto_shash *hashalg;
 62 static struct crypto_shash *hmacalg;
 63 
 64 enum {
 65         Opt_err = -1, Opt_new, Opt_load, Opt_update
 66 };
 67 
 68 enum {
 69         Opt_error = -1, Opt_default, Opt_ecryptfs
 70 };
 71 
 72 static const match_table_t key_format_tokens = {
 73         {Opt_default, "default"},
 74         {Opt_ecryptfs, "ecryptfs"},
 75         {Opt_error, NULL}
 76 };
 77 
 78 static const match_table_t key_tokens = {
 79         {Opt_new, "new"},
 80         {Opt_load, "load"},
 81         {Opt_update, "update"},
 82         {Opt_err, NULL}
 83 };
 84 
 85 static int aes_get_sizes(void)
 86 {
 87         struct crypto_skcipher *tfm;
 88 
 89         tfm = crypto_alloc_skcipher(blkcipher_alg, 0, CRYPTO_ALG_ASYNC);
 90         if (IS_ERR(tfm)) {
 91                 pr_err("encrypted_key: failed to alloc_cipher (%ld)\n",
 92                        PTR_ERR(tfm));
 93                 return PTR_ERR(tfm);
 94         }
 95         ivsize = crypto_skcipher_ivsize(tfm);
 96         blksize = crypto_skcipher_blocksize(tfm);
 97         crypto_free_skcipher(tfm);
 98         return 0;
 99 }
100 
101 /*
102  * valid_ecryptfs_desc - verify the description of a new/loaded encrypted key
103  *
104  * The description of a encrypted key with format 'ecryptfs' must contain
105  * exactly 16 hexadecimal characters.
106  *
107  */
108 static int valid_ecryptfs_desc(const char *ecryptfs_desc)
109 {
110         int i;
111 
112         if (strlen(ecryptfs_desc) != KEY_ECRYPTFS_DESC_LEN) {
113                 pr_err("encrypted_key: key description must be %d hexadecimal "
114                        "characters long\n", KEY_ECRYPTFS_DESC_LEN);
115                 return -EINVAL;
116         }
117 
118         for (i = 0; i < KEY_ECRYPTFS_DESC_LEN; i++) {
119                 if (!isxdigit(ecryptfs_desc[i])) {
120                         pr_err("encrypted_key: key description must contain "
121                                "only hexadecimal characters\n");
122                         return -EINVAL;
123                 }
124         }
125 
126         return 0;
127 }
128 
129 /*
130  * valid_master_desc - verify the 'key-type:desc' of a new/updated master-key
131  *
132  * key-type:= "trusted:" | "user:"
133  * desc:= master-key description
134  *
135  * Verify that 'key-type' is valid and that 'desc' exists. On key update,
136  * only the master key description is permitted to change, not the key-type.
137  * The key-type remains constant.
138  *
139  * On success returns 0, otherwise -EINVAL.
140  */
141 static int valid_master_desc(const char *new_desc, const char *orig_desc)
142 {
143         if (!memcmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) {
144                 if (strlen(new_desc) == KEY_TRUSTED_PREFIX_LEN)
145                         goto out;
146                 if (orig_desc)
147                         if (memcmp(new_desc, orig_desc, KEY_TRUSTED_PREFIX_LEN))
148                                 goto out;
149         } else if (!memcmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) {
150                 if (strlen(new_desc) == KEY_USER_PREFIX_LEN)
151                         goto out;
152                 if (orig_desc)
153                         if (memcmp(new_desc, orig_desc, KEY_USER_PREFIX_LEN))
154                                 goto out;
155         } else
156                 goto out;
157         return 0;
158 out:
159         return -EINVAL;
160 }
161 
162 /*
163  * datablob_parse - parse the keyctl data
164  *
165  * datablob format:
166  * new [<format>] <master-key name> <decrypted data length>
167  * load [<format>] <master-key name> <decrypted data length>
168  *     <encrypted iv + data>
169  * update <new-master-key name>
170  *
171  * Tokenizes a copy of the keyctl data, returning a pointer to each token,
172  * which is null terminated.
173  *
174  * On success returns 0, otherwise -EINVAL.
175  */
176 static int datablob_parse(char *datablob, const char **format,
177                           char **master_desc, char **decrypted_datalen,
178                           char **hex_encoded_iv)
179 {
180         substring_t args[MAX_OPT_ARGS];
181         int ret = -EINVAL;
182         int key_cmd;
183         int key_format;
184         char *p, *keyword;
185 
186         keyword = strsep(&datablob, " \t");
187         if (!keyword) {
188                 pr_info("encrypted_key: insufficient parameters specified\n");
189                 return ret;
190         }
191         key_cmd = match_token(keyword, key_tokens, args);
192 
193         /* Get optional format: default | ecryptfs */
194         p = strsep(&datablob, " \t");
195         if (!p) {
196                 pr_err("encrypted_key: insufficient parameters specified\n");
197                 return ret;
198         }
199 
200         key_format = match_token(p, key_format_tokens, args);
201         switch (key_format) {
202         case Opt_ecryptfs:
203         case Opt_default:
204                 *format = p;
205                 *master_desc = strsep(&datablob, " \t");
206                 break;
207         case Opt_error:
208                 *master_desc = p;
209                 break;
210         }
211 
212         if (!*master_desc) {
213                 pr_info("encrypted_key: master key parameter is missing\n");
214                 goto out;
215         }
216 
217         if (valid_master_desc(*master_desc, NULL) < 0) {
218                 pr_info("encrypted_key: master key parameter \'%s\' "
219                         "is invalid\n", *master_desc);
220                 goto out;
221         }
222 
223         if (decrypted_datalen) {
224                 *decrypted_datalen = strsep(&datablob, " \t");
225                 if (!*decrypted_datalen) {
226                         pr_info("encrypted_key: keylen parameter is missing\n");
227                         goto out;
228                 }
229         }
230 
231         switch (key_cmd) {
232         case Opt_new:
233                 if (!decrypted_datalen) {
234                         pr_info("encrypted_key: keyword \'%s\' not allowed "
235                                 "when called from .update method\n", keyword);
236                         break;
237                 }
238                 ret = 0;
239                 break;
240         case Opt_load:
241                 if (!decrypted_datalen) {
242                         pr_info("encrypted_key: keyword \'%s\' not allowed "
243                                 "when called from .update method\n", keyword);
244                         break;
245                 }
246                 *hex_encoded_iv = strsep(&datablob, " \t");
247                 if (!*hex_encoded_iv) {
248                         pr_info("encrypted_key: hex blob is missing\n");
249                         break;
250                 }
251                 ret = 0;
252                 break;
253         case Opt_update:
254                 if (decrypted_datalen) {
255                         pr_info("encrypted_key: keyword \'%s\' not allowed "
256                                 "when called from .instantiate method\n",
257                                 keyword);
258                         break;
259                 }
260                 ret = 0;
261                 break;
262         case Opt_err:
263                 pr_info("encrypted_key: keyword \'%s\' not recognized\n",
264                         keyword);
265                 break;
266         }
267 out:
268         return ret;
269 }
270 
271 /*
272  * datablob_format - format as an ascii string, before copying to userspace
273  */
274 static char *datablob_format(struct encrypted_key_payload *epayload,
275                              size_t asciiblob_len)
276 {
277         char *ascii_buf, *bufp;
278         u8 *iv = epayload->iv;
279         int len;
280         int i;
281 
282         ascii_buf = kmalloc(asciiblob_len + 1, GFP_KERNEL);
283         if (!ascii_buf)
284                 goto out;
285 
286         ascii_buf[asciiblob_len] = '\0';
287 
288         /* copy datablob master_desc and datalen strings */
289         len = sprintf(ascii_buf, "%s %s %s ", epayload->format,
290                       epayload->master_desc, epayload->datalen);
291 
292         /* convert the hex encoded iv, encrypted-data and HMAC to ascii */
293         bufp = &ascii_buf[len];
294         for (i = 0; i < (asciiblob_len - len) / 2; i++)
295                 bufp = hex_byte_pack(bufp, iv[i]);
296 out:
297         return ascii_buf;
298 }
299 
300 /*
301  * request_user_key - request the user key
302  *
303  * Use a user provided key to encrypt/decrypt an encrypted-key.
304  */
305 static struct key *request_user_key(const char *master_desc, const u8 **master_key,
306                                     size_t *master_keylen)
307 {
308         const struct user_key_payload *upayload;
309         struct key *ukey;
310 
311         ukey = request_key(&key_type_user, master_desc, NULL);
312         if (IS_ERR(ukey))
313                 goto error;
314 
315         down_read(&ukey->sem);
316         upayload = user_key_payload(ukey);
317         *master_key = upayload->data;
318         *master_keylen = upayload->datalen;
319 error:
320         return ukey;
321 }
322 
323 static struct sdesc *alloc_sdesc(struct crypto_shash *alg)
324 {
325         struct sdesc *sdesc;
326         int size;
327 
328         size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
329         sdesc = kmalloc(size, GFP_KERNEL);
330         if (!sdesc)
331                 return ERR_PTR(-ENOMEM);
332         sdesc->shash.tfm = alg;
333         sdesc->shash.flags = 0x0;
334         return sdesc;
335 }
336 
337 static int calc_hmac(u8 *digest, const u8 *key, unsigned int keylen,
338                      const u8 *buf, unsigned int buflen)
339 {
340         struct sdesc *sdesc;
341         int ret;
342 
343         sdesc = alloc_sdesc(hmacalg);
344         if (IS_ERR(sdesc)) {
345                 pr_info("encrypted_key: can't alloc %s\n", hmac_alg);
346                 return PTR_ERR(sdesc);
347         }
348 
349         ret = crypto_shash_setkey(hmacalg, key, keylen);
350         if (!ret)
351                 ret = crypto_shash_digest(&sdesc->shash, buf, buflen, digest);
352         kfree(sdesc);
353         return ret;
354 }
355 
356 static int calc_hash(u8 *digest, const u8 *buf, unsigned int buflen)
357 {
358         struct sdesc *sdesc;
359         int ret;
360 
361         sdesc = alloc_sdesc(hashalg);
362         if (IS_ERR(sdesc)) {
363                 pr_info("encrypted_key: can't alloc %s\n", hash_alg);
364                 return PTR_ERR(sdesc);
365         }
366 
367         ret = crypto_shash_digest(&sdesc->shash, buf, buflen, digest);
368         kfree(sdesc);
369         return ret;
370 }
371 
372 enum derived_key_type { ENC_KEY, AUTH_KEY };
373 
374 /* Derive authentication/encryption key from trusted key */
375 static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
376                            const u8 *master_key, size_t master_keylen)
377 {
378         u8 *derived_buf;
379         unsigned int derived_buf_len;
380         int ret;
381 
382         derived_buf_len = strlen("AUTH_KEY") + 1 + master_keylen;
383         if (derived_buf_len < HASH_SIZE)
384                 derived_buf_len = HASH_SIZE;
385 
386         derived_buf = kzalloc(derived_buf_len, GFP_KERNEL);
387         if (!derived_buf) {
388                 pr_err("encrypted_key: out of memory\n");
389                 return -ENOMEM;
390         }
391         if (key_type)
392                 strcpy(derived_buf, "AUTH_KEY");
393         else
394                 strcpy(derived_buf, "ENC_KEY");
395 
396         memcpy(derived_buf + strlen(derived_buf) + 1, master_key,
397                master_keylen);
398         ret = calc_hash(derived_key, derived_buf, derived_buf_len);
399         kfree(derived_buf);
400         return ret;
401 }
402 
403 static struct skcipher_request *init_skcipher_req(const u8 *key,
404                                                   unsigned int key_len)
405 {
406         struct skcipher_request *req;
407         struct crypto_skcipher *tfm;
408         int ret;
409 
410         tfm = crypto_alloc_skcipher(blkcipher_alg, 0, CRYPTO_ALG_ASYNC);
411         if (IS_ERR(tfm)) {
412                 pr_err("encrypted_key: failed to load %s transform (%ld)\n",
413                        blkcipher_alg, PTR_ERR(tfm));
414                 return ERR_CAST(tfm);
415         }
416 
417         ret = crypto_skcipher_setkey(tfm, key, key_len);
418         if (ret < 0) {
419                 pr_err("encrypted_key: failed to setkey (%d)\n", ret);
420                 crypto_free_skcipher(tfm);
421                 return ERR_PTR(ret);
422         }
423 
424         req = skcipher_request_alloc(tfm, GFP_KERNEL);
425         if (!req) {
426                 pr_err("encrypted_key: failed to allocate request for %s\n",
427                        blkcipher_alg);
428                 crypto_free_skcipher(tfm);
429                 return ERR_PTR(-ENOMEM);
430         }
431 
432         skcipher_request_set_callback(req, 0, NULL, NULL);
433         return req;
434 }
435 
436 static struct key *request_master_key(struct encrypted_key_payload *epayload,
437                                       const u8 **master_key, size_t *master_keylen)
438 {
439         struct key *mkey = NULL;
440 
441         if (!strncmp(epayload->master_desc, KEY_TRUSTED_PREFIX,
442                      KEY_TRUSTED_PREFIX_LEN)) {
443                 mkey = request_trusted_key(epayload->master_desc +
444                                            KEY_TRUSTED_PREFIX_LEN,
445                                            master_key, master_keylen);
446         } else if (!strncmp(epayload->master_desc, KEY_USER_PREFIX,
447                             KEY_USER_PREFIX_LEN)) {
448                 mkey = request_user_key(epayload->master_desc +
449                                         KEY_USER_PREFIX_LEN,
450                                         master_key, master_keylen);
451         } else
452                 goto out;
453 
454         if (IS_ERR(mkey)) {
455                 int ret = PTR_ERR(mkey);
456 
457                 if (ret == -ENOTSUPP)
458                         pr_info("encrypted_key: key %s not supported",
459                                 epayload->master_desc);
460                 else
461                         pr_info("encrypted_key: key %s not found",
462                                 epayload->master_desc);
463                 goto out;
464         }
465 
466         dump_master_key(*master_key, *master_keylen);
467 out:
468         return mkey;
469 }
470 
471 /* Before returning data to userspace, encrypt decrypted data. */
472 static int derived_key_encrypt(struct encrypted_key_payload *epayload,
473                                const u8 *derived_key,
474                                unsigned int derived_keylen)
475 {
476         struct scatterlist sg_in[2];
477         struct scatterlist sg_out[1];
478         struct crypto_skcipher *tfm;
479         struct skcipher_request *req;
480         unsigned int encrypted_datalen;
481         unsigned int padlen;
482         char pad[16];
483         int ret;
484 
485         encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
486         padlen = encrypted_datalen - epayload->decrypted_datalen;
487 
488         req = init_skcipher_req(derived_key, derived_keylen);
489         ret = PTR_ERR(req);
490         if (IS_ERR(req))
491                 goto out;
492         dump_decrypted_data(epayload);
493 
494         memset(pad, 0, sizeof pad);
495         sg_init_table(sg_in, 2);
496         sg_set_buf(&sg_in[0], epayload->decrypted_data,
497                    epayload->decrypted_datalen);
498         sg_set_buf(&sg_in[1], pad, padlen);
499 
500         sg_init_table(sg_out, 1);
501         sg_set_buf(sg_out, epayload->encrypted_data, encrypted_datalen);
502 
503         skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen,
504                                    epayload->iv);
505         ret = crypto_skcipher_encrypt(req);
506         tfm = crypto_skcipher_reqtfm(req);
507         skcipher_request_free(req);
508         crypto_free_skcipher(tfm);
509         if (ret < 0)
510                 pr_err("encrypted_key: failed to encrypt (%d)\n", ret);
511         else
512                 dump_encrypted_data(epayload, encrypted_datalen);
513 out:
514         return ret;
515 }
516 
517 static int datablob_hmac_append(struct encrypted_key_payload *epayload,
518                                 const u8 *master_key, size_t master_keylen)
519 {
520         u8 derived_key[HASH_SIZE];
521         u8 *digest;
522         int ret;
523 
524         ret = get_derived_key(derived_key, AUTH_KEY, master_key, master_keylen);
525         if (ret < 0)
526                 goto out;
527 
528         digest = epayload->format + epayload->datablob_len;
529         ret = calc_hmac(digest, derived_key, sizeof derived_key,
530                         epayload->format, epayload->datablob_len);
531         if (!ret)
532                 dump_hmac(NULL, digest, HASH_SIZE);
533 out:
534         return ret;
535 }
536 
537 /* verify HMAC before decrypting encrypted key */
538 static int datablob_hmac_verify(struct encrypted_key_payload *epayload,
539                                 const u8 *format, const u8 *master_key,
540                                 size_t master_keylen)
541 {
542         u8 derived_key[HASH_SIZE];
543         u8 digest[HASH_SIZE];
544         int ret;
545         char *p;
546         unsigned short len;
547 
548         ret = get_derived_key(derived_key, AUTH_KEY, master_key, master_keylen);
549         if (ret < 0)
550                 goto out;
551 
552         len = epayload->datablob_len;
553         if (!format) {
554                 p = epayload->master_desc;
555                 len -= strlen(epayload->format) + 1;
556         } else
557                 p = epayload->format;
558 
559         ret = calc_hmac(digest, derived_key, sizeof derived_key, p, len);
560         if (ret < 0)
561                 goto out;
562         ret = memcmp(digest, epayload->format + epayload->datablob_len,
563                      sizeof digest);
564         if (ret) {
565                 ret = -EINVAL;
566                 dump_hmac("datablob",
567                           epayload->format + epayload->datablob_len,
568                           HASH_SIZE);
569                 dump_hmac("calc", digest, HASH_SIZE);
570         }
571 out:
572         return ret;
573 }
574 
575 static int derived_key_decrypt(struct encrypted_key_payload *epayload,
576                                const u8 *derived_key,
577                                unsigned int derived_keylen)
578 {
579         struct scatterlist sg_in[1];
580         struct scatterlist sg_out[2];
581         struct crypto_skcipher *tfm;
582         struct skcipher_request *req;
583         unsigned int encrypted_datalen;
584         char pad[16];
585         int ret;
586 
587         encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
588         req = init_skcipher_req(derived_key, derived_keylen);
589         ret = PTR_ERR(req);
590         if (IS_ERR(req))
591                 goto out;
592         dump_encrypted_data(epayload, encrypted_datalen);
593 
594         memset(pad, 0, sizeof pad);
595         sg_init_table(sg_in, 1);
596         sg_init_table(sg_out, 2);
597         sg_set_buf(sg_in, epayload->encrypted_data, encrypted_datalen);
598         sg_set_buf(&sg_out[0], epayload->decrypted_data,
599                    epayload->decrypted_datalen);
600         sg_set_buf(&sg_out[1], pad, sizeof pad);
601 
602         skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen,
603                                    epayload->iv);
604         ret = crypto_skcipher_decrypt(req);
605         tfm = crypto_skcipher_reqtfm(req);
606         skcipher_request_free(req);
607         crypto_free_skcipher(tfm);
608         if (ret < 0)
609                 goto out;
610         dump_decrypted_data(epayload);
611 out:
612         return ret;
613 }
614 
615 /* Allocate memory for decrypted key and datablob. */
616 static struct encrypted_key_payload *encrypted_key_alloc(struct key *key,
617                                                          const char *format,
618                                                          const char *master_desc,
619                                                          const char *datalen)
620 {
621         struct encrypted_key_payload *epayload = NULL;
622         unsigned short datablob_len;
623         unsigned short decrypted_datalen;
624         unsigned short payload_datalen;
625         unsigned int encrypted_datalen;
626         unsigned int format_len;
627         long dlen;
628         int ret;
629 
630         ret = kstrtol(datalen, 10, &dlen);
631         if (ret < 0 || dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
632                 return ERR_PTR(-EINVAL);
633 
634         format_len = (!format) ? strlen(key_format_default) : strlen(format);
635         decrypted_datalen = dlen;
636         payload_datalen = decrypted_datalen;
637         if (format && !strcmp(format, key_format_ecryptfs)) {
638                 if (dlen != ECRYPTFS_MAX_KEY_BYTES) {
639                         pr_err("encrypted_key: keylen for the ecryptfs format "
640                                "must be equal to %d bytes\n",
641                                ECRYPTFS_MAX_KEY_BYTES);
642                         return ERR_PTR(-EINVAL);
643                 }
644                 decrypted_datalen = ECRYPTFS_MAX_KEY_BYTES;
645                 payload_datalen = sizeof(struct ecryptfs_auth_tok);
646         }
647 
648         encrypted_datalen = roundup(decrypted_datalen, blksize);
649 
650         datablob_len = format_len + 1 + strlen(master_desc) + 1
651             + strlen(datalen) + 1 + ivsize + 1 + encrypted_datalen;
652 
653         ret = key_payload_reserve(key, payload_datalen + datablob_len
654                                   + HASH_SIZE + 1);
655         if (ret < 0)
656                 return ERR_PTR(ret);
657 
658         epayload = kzalloc(sizeof(*epayload) + payload_datalen +
659                            datablob_len + HASH_SIZE + 1, GFP_KERNEL);
660         if (!epayload)
661                 return ERR_PTR(-ENOMEM);
662 
663         epayload->payload_datalen = payload_datalen;
664         epayload->decrypted_datalen = decrypted_datalen;
665         epayload->datablob_len = datablob_len;
666         return epayload;
667 }
668 
669 static int encrypted_key_decrypt(struct encrypted_key_payload *epayload,
670                                  const char *format, const char *hex_encoded_iv)
671 {
672         struct key *mkey;
673         u8 derived_key[HASH_SIZE];
674         const u8 *master_key;
675         u8 *hmac;
676         const char *hex_encoded_data;
677         unsigned int encrypted_datalen;
678         size_t master_keylen;
679         size_t asciilen;
680         int ret;
681 
682         encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
683         asciilen = (ivsize + 1 + encrypted_datalen + HASH_SIZE) * 2;
684         if (strlen(hex_encoded_iv) != asciilen)
685                 return -EINVAL;
686 
687         hex_encoded_data = hex_encoded_iv + (2 * ivsize) + 2;
688         ret = hex2bin(epayload->iv, hex_encoded_iv, ivsize);
689         if (ret < 0)
690                 return -EINVAL;
691         ret = hex2bin(epayload->encrypted_data, hex_encoded_data,
692                       encrypted_datalen);
693         if (ret < 0)
694                 return -EINVAL;
695 
696         hmac = epayload->format + epayload->datablob_len;
697         ret = hex2bin(hmac, hex_encoded_data + (encrypted_datalen * 2),
698                       HASH_SIZE);
699         if (ret < 0)
700                 return -EINVAL;
701 
702         mkey = request_master_key(epayload, &master_key, &master_keylen);
703         if (IS_ERR(mkey))
704                 return PTR_ERR(mkey);
705 
706         ret = datablob_hmac_verify(epayload, format, master_key, master_keylen);
707         if (ret < 0) {
708                 pr_err("encrypted_key: bad hmac (%d)\n", ret);
709                 goto out;
710         }
711 
712         ret = get_derived_key(derived_key, ENC_KEY, master_key, master_keylen);
713         if (ret < 0)
714                 goto out;
715 
716         ret = derived_key_decrypt(epayload, derived_key, sizeof derived_key);
717         if (ret < 0)
718                 pr_err("encrypted_key: failed to decrypt key (%d)\n", ret);
719 out:
720         up_read(&mkey->sem);
721         key_put(mkey);
722         return ret;
723 }
724 
725 static void __ekey_init(struct encrypted_key_payload *epayload,
726                         const char *format, const char *master_desc,
727                         const char *datalen)
728 {
729         unsigned int format_len;
730 
731         format_len = (!format) ? strlen(key_format_default) : strlen(format);
732         epayload->format = epayload->payload_data + epayload->payload_datalen;
733         epayload->master_desc = epayload->format + format_len + 1;
734         epayload->datalen = epayload->master_desc + strlen(master_desc) + 1;
735         epayload->iv = epayload->datalen + strlen(datalen) + 1;
736         epayload->encrypted_data = epayload->iv + ivsize + 1;
737         epayload->decrypted_data = epayload->payload_data;
738 
739         if (!format)
740                 memcpy(epayload->format, key_format_default, format_len);
741         else {
742                 if (!strcmp(format, key_format_ecryptfs))
743                         epayload->decrypted_data =
744                                 ecryptfs_get_auth_tok_key((struct ecryptfs_auth_tok *)epayload->payload_data);
745 
746                 memcpy(epayload->format, format, format_len);
747         }
748 
749         memcpy(epayload->master_desc, master_desc, strlen(master_desc));
750         memcpy(epayload->datalen, datalen, strlen(datalen));
751 }
752 
753 /*
754  * encrypted_init - initialize an encrypted key
755  *
756  * For a new key, use a random number for both the iv and data
757  * itself.  For an old key, decrypt the hex encoded data.
758  */
759 static int encrypted_init(struct encrypted_key_payload *epayload,
760                           const char *key_desc, const char *format,
761                           const char *master_desc, const char *datalen,
762                           const char *hex_encoded_iv)
763 {
764         int ret = 0;
765 
766         if (format && !strcmp(format, key_format_ecryptfs)) {
767                 ret = valid_ecryptfs_desc(key_desc);
768                 if (ret < 0)
769                         return ret;
770 
771                 ecryptfs_fill_auth_tok((struct ecryptfs_auth_tok *)epayload->payload_data,
772                                        key_desc);
773         }
774 
775         __ekey_init(epayload, format, master_desc, datalen);
776         if (!hex_encoded_iv) {
777                 get_random_bytes(epayload->iv, ivsize);
778 
779                 get_random_bytes(epayload->decrypted_data,
780                                  epayload->decrypted_datalen);
781         } else
782                 ret = encrypted_key_decrypt(epayload, format, hex_encoded_iv);
783         return ret;
784 }
785 
786 /*
787  * encrypted_instantiate - instantiate an encrypted key
788  *
789  * Decrypt an existing encrypted datablob or create a new encrypted key
790  * based on a kernel random number.
791  *
792  * On success, return 0. Otherwise return errno.
793  */
794 static int encrypted_instantiate(struct key *key,
795                                  struct key_preparsed_payload *prep)
796 {
797         struct encrypted_key_payload *epayload = NULL;
798         char *datablob = NULL;
799         const char *format = NULL;
800         char *master_desc = NULL;
801         char *decrypted_datalen = NULL;
802         char *hex_encoded_iv = NULL;
803         size_t datalen = prep->datalen;
804         int ret;
805 
806         if (datalen <= 0 || datalen > 32767 || !prep->data)
807                 return -EINVAL;
808 
809         datablob = kmalloc(datalen + 1, GFP_KERNEL);
810         if (!datablob)
811                 return -ENOMEM;
812         datablob[datalen] = 0;
813         memcpy(datablob, prep->data, datalen);
814         ret = datablob_parse(datablob, &format, &master_desc,
815                              &decrypted_datalen, &hex_encoded_iv);
816         if (ret < 0)
817                 goto out;
818 
819         epayload = encrypted_key_alloc(key, format, master_desc,
820                                        decrypted_datalen);
821         if (IS_ERR(epayload)) {
822                 ret = PTR_ERR(epayload);
823                 goto out;
824         }
825         ret = encrypted_init(epayload, key->description, format, master_desc,
826                              decrypted_datalen, hex_encoded_iv);
827         if (ret < 0) {
828                 kfree(epayload);
829                 goto out;
830         }
831 
832         rcu_assign_keypointer(key, epayload);
833 out:
834         kfree(datablob);
835         return ret;
836 }
837 
838 static void encrypted_rcu_free(struct rcu_head *rcu)
839 {
840         struct encrypted_key_payload *epayload;
841 
842         epayload = container_of(rcu, struct encrypted_key_payload, rcu);
843         memset(epayload->decrypted_data, 0, epayload->decrypted_datalen);
844         kfree(epayload);
845 }
846 
847 /*
848  * encrypted_update - update the master key description
849  *
850  * Change the master key description for an existing encrypted key.
851  * The next read will return an encrypted datablob using the new
852  * master key description.
853  *
854  * On success, return 0. Otherwise return errno.
855  */
856 static int encrypted_update(struct key *key, struct key_preparsed_payload *prep)
857 {
858         struct encrypted_key_payload *epayload = key->payload.data[0];
859         struct encrypted_key_payload *new_epayload;
860         char *buf;
861         char *new_master_desc = NULL;
862         const char *format = NULL;
863         size_t datalen = prep->datalen;
864         int ret = 0;
865 
866         if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
867                 return -ENOKEY;
868         if (datalen <= 0 || datalen > 32767 || !prep->data)
869                 return -EINVAL;
870 
871         buf = kmalloc(datalen + 1, GFP_KERNEL);
872         if (!buf)
873                 return -ENOMEM;
874 
875         buf[datalen] = 0;
876         memcpy(buf, prep->data, datalen);
877         ret = datablob_parse(buf, &format, &new_master_desc, NULL, NULL);
878         if (ret < 0)
879                 goto out;
880 
881         ret = valid_master_desc(new_master_desc, epayload->master_desc);
882         if (ret < 0)
883                 goto out;
884 
885         new_epayload = encrypted_key_alloc(key, epayload->format,
886                                            new_master_desc, epayload->datalen);
887         if (IS_ERR(new_epayload)) {
888                 ret = PTR_ERR(new_epayload);
889                 goto out;
890         }
891 
892         __ekey_init(new_epayload, epayload->format, new_master_desc,
893                     epayload->datalen);
894 
895         memcpy(new_epayload->iv, epayload->iv, ivsize);
896         memcpy(new_epayload->payload_data, epayload->payload_data,
897                epayload->payload_datalen);
898 
899         rcu_assign_keypointer(key, new_epayload);
900         call_rcu(&epayload->rcu, encrypted_rcu_free);
901 out:
902         kfree(buf);
903         return ret;
904 }
905 
906 /*
907  * encrypted_read - format and copy the encrypted data to userspace
908  *
909  * The resulting datablob format is:
910  * <master-key name> <decrypted data length> <encrypted iv> <encrypted data>
911  *
912  * On success, return to userspace the encrypted key datablob size.
913  */
914 static long encrypted_read(const struct key *key, char __user *buffer,
915                            size_t buflen)
916 {
917         struct encrypted_key_payload *epayload;
918         struct key *mkey;
919         const u8 *master_key;
920         size_t master_keylen;
921         char derived_key[HASH_SIZE];
922         char *ascii_buf;
923         size_t asciiblob_len;
924         int ret;
925 
926         epayload = rcu_dereference_key(key);
927 
928         /* returns the hex encoded iv, encrypted-data, and hmac as ascii */
929         asciiblob_len = epayload->datablob_len + ivsize + 1
930             + roundup(epayload->decrypted_datalen, blksize)
931             + (HASH_SIZE * 2);
932 
933         if (!buffer || buflen < asciiblob_len)
934                 return asciiblob_len;
935 
936         mkey = request_master_key(epayload, &master_key, &master_keylen);
937         if (IS_ERR(mkey))
938                 return PTR_ERR(mkey);
939 
940         ret = get_derived_key(derived_key, ENC_KEY, master_key, master_keylen);
941         if (ret < 0)
942                 goto out;
943 
944         ret = derived_key_encrypt(epayload, derived_key, sizeof derived_key);
945         if (ret < 0)
946                 goto out;
947 
948         ret = datablob_hmac_append(epayload, master_key, master_keylen);
949         if (ret < 0)
950                 goto out;
951 
952         ascii_buf = datablob_format(epayload, asciiblob_len);
953         if (!ascii_buf) {
954                 ret = -ENOMEM;
955                 goto out;
956         }
957 
958         up_read(&mkey->sem);
959         key_put(mkey);
960 
961         if (copy_to_user(buffer, ascii_buf, asciiblob_len) != 0)
962                 ret = -EFAULT;
963         kfree(ascii_buf);
964 
965         return asciiblob_len;
966 out:
967         up_read(&mkey->sem);
968         key_put(mkey);
969         return ret;
970 }
971 
972 /*
973  * encrypted_destroy - before freeing the key, clear the decrypted data
974  *
975  * Before freeing the key, clear the memory containing the decrypted
976  * key data.
977  */
978 static void encrypted_destroy(struct key *key)
979 {
980         struct encrypted_key_payload *epayload = key->payload.data[0];
981 
982         if (!epayload)
983                 return;
984 
985         memset(epayload->decrypted_data, 0, epayload->decrypted_datalen);
986         kfree(key->payload.data[0]);
987 }
988 
989 struct key_type key_type_encrypted = {
990         .name = "encrypted",
991         .instantiate = encrypted_instantiate,
992         .update = encrypted_update,
993         .destroy = encrypted_destroy,
994         .describe = user_describe,
995         .read = encrypted_read,
996 };
997 EXPORT_SYMBOL_GPL(key_type_encrypted);
998 
999 static void encrypted_shash_release(void)
1000 {
1001         if (hashalg)
1002                 crypto_free_shash(hashalg);
1003         if (hmacalg)
1004                 crypto_free_shash(hmacalg);
1005 }
1006 
1007 static int __init encrypted_shash_alloc(void)
1008 {
1009         int ret;
1010 
1011         hmacalg = crypto_alloc_shash(hmac_alg, 0, CRYPTO_ALG_ASYNC);
1012         if (IS_ERR(hmacalg)) {
1013                 pr_info("encrypted_key: could not allocate crypto %s\n",
1014                         hmac_alg);
1015                 return PTR_ERR(hmacalg);
1016         }
1017 
1018         hashalg = crypto_alloc_shash(hash_alg, 0, CRYPTO_ALG_ASYNC);
1019         if (IS_ERR(hashalg)) {
1020                 pr_info("encrypted_key: could not allocate crypto %s\n",
1021                         hash_alg);
1022                 ret = PTR_ERR(hashalg);
1023                 goto hashalg_fail;
1024         }
1025 
1026         return 0;
1027 
1028 hashalg_fail:
1029         crypto_free_shash(hmacalg);
1030         return ret;
1031 }
1032 
1033 static int __init init_encrypted(void)
1034 {
1035         int ret;
1036 
1037         ret = encrypted_shash_alloc();
1038         if (ret < 0)
1039                 return ret;
1040         ret = aes_get_sizes();
1041         if (ret < 0)
1042                 goto out;
1043         ret = register_key_type(&key_type_encrypted);
1044         if (ret < 0)
1045                 goto out;
1046         return 0;
1047 out:
1048         encrypted_shash_release();
1049         return ret;
1050 
1051 }
1052 
1053 static void __exit cleanup_encrypted(void)
1054 {
1055         encrypted_shash_release();
1056         unregister_key_type(&key_type_encrypted);
1057 }
1058 
1059 late_initcall(init_encrypted);
1060 module_exit(cleanup_encrypted);
1061 
1062 MODULE_LICENSE("GPL");
1063 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp