~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/keys/encrypted-keys/encrypted.c

Version: ~ [ linux-5.14-rc3 ] ~ [ linux-5.13.5 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.53 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.135 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.198 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.240 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.276 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.276 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.18.140 ] ~ [ linux-3.16.85 ] ~ [ linux-3.14.79 ] ~ [ linux-3.12.74 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 // SPDX-License-Identifier: GPL-2.0-only
  2 /*
  3  * Copyright (C) 2010 IBM Corporation
  4  * Copyright (C) 2010 Politecnico di Torino, Italy
  5  *                    TORSEC group -- http://security.polito.it
  6  *
  7  * Authors:
  8  * Mimi Zohar <zohar@us.ibm.com>
  9  * Roberto Sassu <roberto.sassu@polito.it>
 10  *
 11  * See Documentation/security/keys/trusted-encrypted.rst
 12  */
 13 
 14 #include <linux/uaccess.h>
 15 #include <linux/module.h>
 16 #include <linux/init.h>
 17 #include <linux/slab.h>
 18 #include <linux/parser.h>
 19 #include <linux/string.h>
 20 #include <linux/err.h>
 21 #include <keys/user-type.h>
 22 #include <keys/trusted-type.h>
 23 #include <keys/encrypted-type.h>
 24 #include <linux/key-type.h>
 25 #include <linux/random.h>
 26 #include <linux/rcupdate.h>
 27 #include <linux/scatterlist.h>
 28 #include <linux/ctype.h>
 29 #include <crypto/aes.h>
 30 #include <crypto/algapi.h>
 31 #include <crypto/hash.h>
 32 #include <crypto/sha.h>
 33 #include <crypto/skcipher.h>
 34 
 35 #include "encrypted.h"
 36 #include "ecryptfs_format.h"
 37 
 38 static const char KEY_TRUSTED_PREFIX[] = "trusted:";
 39 static const char KEY_USER_PREFIX[] = "user:";
 40 static const char hash_alg[] = "sha256";
 41 static const char hmac_alg[] = "hmac(sha256)";
 42 static const char blkcipher_alg[] = "cbc(aes)";
 43 static const char key_format_default[] = "default";
 44 static const char key_format_ecryptfs[] = "ecryptfs";
 45 static const char key_format_enc32[] = "enc32";
 46 static unsigned int ivsize;
 47 static int blksize;
 48 
 49 #define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1)
 50 #define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1)
 51 #define KEY_ECRYPTFS_DESC_LEN 16
 52 #define HASH_SIZE SHA256_DIGEST_SIZE
 53 #define MAX_DATA_SIZE 4096
 54 #define MIN_DATA_SIZE  20
 55 #define KEY_ENC32_PAYLOAD_LEN 32
 56 
 57 static struct crypto_shash *hash_tfm;
 58 
 59 enum {
 60         Opt_new, Opt_load, Opt_update, Opt_err
 61 };
 62 
 63 enum {
 64         Opt_default, Opt_ecryptfs, Opt_enc32, Opt_error
 65 };
 66 
 67 static const match_table_t key_format_tokens = {
 68         {Opt_default, "default"},
 69         {Opt_ecryptfs, "ecryptfs"},
 70         {Opt_enc32, "enc32"},
 71         {Opt_error, NULL}
 72 };
 73 
 74 static const match_table_t key_tokens = {
 75         {Opt_new, "new"},
 76         {Opt_load, "load"},
 77         {Opt_update, "update"},
 78         {Opt_err, NULL}
 79 };
 80 
 81 static int aes_get_sizes(void)
 82 {
 83         struct crypto_skcipher *tfm;
 84 
 85         tfm = crypto_alloc_skcipher(blkcipher_alg, 0, CRYPTO_ALG_ASYNC);
 86         if (IS_ERR(tfm)) {
 87                 pr_err("encrypted_key: failed to alloc_cipher (%ld)\n",
 88                        PTR_ERR(tfm));
 89                 return PTR_ERR(tfm);
 90         }
 91         ivsize = crypto_skcipher_ivsize(tfm);
 92         blksize = crypto_skcipher_blocksize(tfm);
 93         crypto_free_skcipher(tfm);
 94         return 0;
 95 }
 96 
 97 /*
 98  * valid_ecryptfs_desc - verify the description of a new/loaded encrypted key
 99  *
100  * The description of a encrypted key with format 'ecryptfs' must contain
101  * exactly 16 hexadecimal characters.
102  *
103  */
104 static int valid_ecryptfs_desc(const char *ecryptfs_desc)
105 {
106         int i;
107 
108         if (strlen(ecryptfs_desc) != KEY_ECRYPTFS_DESC_LEN) {
109                 pr_err("encrypted_key: key description must be %d hexadecimal "
110                        "characters long\n", KEY_ECRYPTFS_DESC_LEN);
111                 return -EINVAL;
112         }
113 
114         for (i = 0; i < KEY_ECRYPTFS_DESC_LEN; i++) {
115                 if (!isxdigit(ecryptfs_desc[i])) {
116                         pr_err("encrypted_key: key description must contain "
117                                "only hexadecimal characters\n");
118                         return -EINVAL;
119                 }
120         }
121 
122         return 0;
123 }
124 
125 /*
126  * valid_master_desc - verify the 'key-type:desc' of a new/updated master-key
127  *
128  * key-type:= "trusted:" | "user:"
129  * desc:= master-key description
130  *
131  * Verify that 'key-type' is valid and that 'desc' exists. On key update,
132  * only the master key description is permitted to change, not the key-type.
133  * The key-type remains constant.
134  *
135  * On success returns 0, otherwise -EINVAL.
136  */
137 static int valid_master_desc(const char *new_desc, const char *orig_desc)
138 {
139         int prefix_len;
140 
141         if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN))
142                 prefix_len = KEY_TRUSTED_PREFIX_LEN;
143         else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN))
144                 prefix_len = KEY_USER_PREFIX_LEN;
145         else
146                 return -EINVAL;
147 
148         if (!new_desc[prefix_len])
149                 return -EINVAL;
150 
151         if (orig_desc && strncmp(new_desc, orig_desc, prefix_len))
152                 return -EINVAL;
153 
154         return 0;
155 }
156 
157 /*
158  * datablob_parse - parse the keyctl data
159  *
160  * datablob format:
161  * new [<format>] <master-key name> <decrypted data length>
162  * load [<format>] <master-key name> <decrypted data length>
163  *     <encrypted iv + data>
164  * update <new-master-key name>
165  *
166  * Tokenizes a copy of the keyctl data, returning a pointer to each token,
167  * which is null terminated.
168  *
169  * On success returns 0, otherwise -EINVAL.
170  */
171 static int datablob_parse(char *datablob, const char **format,
172                           char **master_desc, char **decrypted_datalen,
173                           char **hex_encoded_iv)
174 {
175         substring_t args[MAX_OPT_ARGS];
176         int ret = -EINVAL;
177         int key_cmd;
178         int key_format;
179         char *p, *keyword;
180 
181         keyword = strsep(&datablob, " \t");
182         if (!keyword) {
183                 pr_info("encrypted_key: insufficient parameters specified\n");
184                 return ret;
185         }
186         key_cmd = match_token(keyword, key_tokens, args);
187 
188         /* Get optional format: default | ecryptfs */
189         p = strsep(&datablob, " \t");
190         if (!p) {
191                 pr_err("encrypted_key: insufficient parameters specified\n");
192                 return ret;
193         }
194 
195         key_format = match_token(p, key_format_tokens, args);
196         switch (key_format) {
197         case Opt_ecryptfs:
198         case Opt_enc32:
199         case Opt_default:
200                 *format = p;
201                 *master_desc = strsep(&datablob, " \t");
202                 break;
203         case Opt_error:
204                 *master_desc = p;
205                 break;
206         }
207 
208         if (!*master_desc) {
209                 pr_info("encrypted_key: master key parameter is missing\n");
210                 goto out;
211         }
212 
213         if (valid_master_desc(*master_desc, NULL) < 0) {
214                 pr_info("encrypted_key: master key parameter \'%s\' "
215                         "is invalid\n", *master_desc);
216                 goto out;
217         }
218 
219         if (decrypted_datalen) {
220                 *decrypted_datalen = strsep(&datablob, " \t");
221                 if (!*decrypted_datalen) {
222                         pr_info("encrypted_key: keylen parameter is missing\n");
223                         goto out;
224                 }
225         }
226 
227         switch (key_cmd) {
228         case Opt_new:
229                 if (!decrypted_datalen) {
230                         pr_info("encrypted_key: keyword \'%s\' not allowed "
231                                 "when called from .update method\n", keyword);
232                         break;
233                 }
234                 ret = 0;
235                 break;
236         case Opt_load:
237                 if (!decrypted_datalen) {
238                         pr_info("encrypted_key: keyword \'%s\' not allowed "
239                                 "when called from .update method\n", keyword);
240                         break;
241                 }
242                 *hex_encoded_iv = strsep(&datablob, " \t");
243                 if (!*hex_encoded_iv) {
244                         pr_info("encrypted_key: hex blob is missing\n");
245                         break;
246                 }
247                 ret = 0;
248                 break;
249         case Opt_update:
250                 if (decrypted_datalen) {
251                         pr_info("encrypted_key: keyword \'%s\' not allowed "
252                                 "when called from .instantiate method\n",
253                                 keyword);
254                         break;
255                 }
256                 ret = 0;
257                 break;
258         case Opt_err:
259                 pr_info("encrypted_key: keyword \'%s\' not recognized\n",
260                         keyword);
261                 break;
262         }
263 out:
264         return ret;
265 }
266 
267 /*
268  * datablob_format - format as an ascii string, before copying to userspace
269  */
270 static char *datablob_format(struct encrypted_key_payload *epayload,
271                              size_t asciiblob_len)
272 {
273         char *ascii_buf, *bufp;
274         u8 *iv = epayload->iv;
275         int len;
276         int i;
277 
278         ascii_buf = kmalloc(asciiblob_len + 1, GFP_KERNEL);
279         if (!ascii_buf)
280                 goto out;
281 
282         ascii_buf[asciiblob_len] = '\0';
283 
284         /* copy datablob master_desc and datalen strings */
285         len = sprintf(ascii_buf, "%s %s %s ", epayload->format,
286                       epayload->master_desc, epayload->datalen);
287 
288         /* convert the hex encoded iv, encrypted-data and HMAC to ascii */
289         bufp = &ascii_buf[len];
290         for (i = 0; i < (asciiblob_len - len) / 2; i++)
291                 bufp = hex_byte_pack(bufp, iv[i]);
292 out:
293         return ascii_buf;
294 }
295 
296 /*
297  * request_user_key - request the user key
298  *
299  * Use a user provided key to encrypt/decrypt an encrypted-key.
300  */
301 static struct key *request_user_key(const char *master_desc, const u8 **master_key,
302                                     size_t *master_keylen)
303 {
304         const struct user_key_payload *upayload;
305         struct key *ukey;
306 
307         ukey = request_key(&key_type_user, master_desc, NULL);
308         if (IS_ERR(ukey))
309                 goto error;
310 
311         down_read(&ukey->sem);
312         upayload = user_key_payload_locked(ukey);
313         if (!upayload) {
314                 /* key was revoked before we acquired its semaphore */
315                 up_read(&ukey->sem);
316                 key_put(ukey);
317                 ukey = ERR_PTR(-EKEYREVOKED);
318                 goto error;
319         }
320         *master_key = upayload->data;
321         *master_keylen = upayload->datalen;
322 error:
323         return ukey;
324 }
325 
326 static int calc_hash(struct crypto_shash *tfm, u8 *digest,
327                      const u8 *buf, unsigned int buflen)
328 {
329         SHASH_DESC_ON_STACK(desc, tfm);
330         int err;
331 
332         desc->tfm = tfm;
333 
334         err = crypto_shash_digest(desc, buf, buflen, digest);
335         shash_desc_zero(desc);
336         return err;
337 }
338 
339 static int calc_hmac(u8 *digest, const u8 *key, unsigned int keylen,
340                      const u8 *buf, unsigned int buflen)
341 {
342         struct crypto_shash *tfm;
343         int err;
344 
345         tfm = crypto_alloc_shash(hmac_alg, 0, 0);
346         if (IS_ERR(tfm)) {
347                 pr_err("encrypted_key: can't alloc %s transform: %ld\n",
348                        hmac_alg, PTR_ERR(tfm));
349                 return PTR_ERR(tfm);
350         }
351 
352         err = crypto_shash_setkey(tfm, key, keylen);
353         if (!err)
354                 err = calc_hash(tfm, digest, buf, buflen);
355         crypto_free_shash(tfm);
356         return err;
357 }
358 
359 enum derived_key_type { ENC_KEY, AUTH_KEY };
360 
361 /* Derive authentication/encryption key from trusted key */
362 static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
363                            const u8 *master_key, size_t master_keylen)
364 {
365         u8 *derived_buf;
366         unsigned int derived_buf_len;
367         int ret;
368 
369         derived_buf_len = strlen("AUTH_KEY") + 1 + master_keylen;
370         if (derived_buf_len < HASH_SIZE)
371                 derived_buf_len = HASH_SIZE;
372 
373         derived_buf = kzalloc(derived_buf_len, GFP_KERNEL);
374         if (!derived_buf)
375                 return -ENOMEM;
376 
377         if (key_type)
378                 strcpy(derived_buf, "AUTH_KEY");
379         else
380                 strcpy(derived_buf, "ENC_KEY");
381 
382         memcpy(derived_buf + strlen(derived_buf) + 1, master_key,
383                master_keylen);
384         ret = calc_hash(hash_tfm, derived_key, derived_buf, derived_buf_len);
385         kzfree(derived_buf);
386         return ret;
387 }
388 
389 static struct skcipher_request *init_skcipher_req(const u8 *key,
390                                                   unsigned int key_len)
391 {
392         struct skcipher_request *req;
393         struct crypto_skcipher *tfm;
394         int ret;
395 
396         tfm = crypto_alloc_skcipher(blkcipher_alg, 0, CRYPTO_ALG_ASYNC);
397         if (IS_ERR(tfm)) {
398                 pr_err("encrypted_key: failed to load %s transform (%ld)\n",
399                        blkcipher_alg, PTR_ERR(tfm));
400                 return ERR_CAST(tfm);
401         }
402 
403         ret = crypto_skcipher_setkey(tfm, key, key_len);
404         if (ret < 0) {
405                 pr_err("encrypted_key: failed to setkey (%d)\n", ret);
406                 crypto_free_skcipher(tfm);
407                 return ERR_PTR(ret);
408         }
409 
410         req = skcipher_request_alloc(tfm, GFP_KERNEL);
411         if (!req) {
412                 pr_err("encrypted_key: failed to allocate request for %s\n",
413                        blkcipher_alg);
414                 crypto_free_skcipher(tfm);
415                 return ERR_PTR(-ENOMEM);
416         }
417 
418         skcipher_request_set_callback(req, 0, NULL, NULL);
419         return req;
420 }
421 
422 static struct key *request_master_key(struct encrypted_key_payload *epayload,
423                                       const u8 **master_key, size_t *master_keylen)
424 {
425         struct key *mkey = ERR_PTR(-EINVAL);
426 
427         if (!strncmp(epayload->master_desc, KEY_TRUSTED_PREFIX,
428                      KEY_TRUSTED_PREFIX_LEN)) {
429                 mkey = request_trusted_key(epayload->master_desc +
430                                            KEY_TRUSTED_PREFIX_LEN,
431                                            master_key, master_keylen);
432         } else if (!strncmp(epayload->master_desc, KEY_USER_PREFIX,
433                             KEY_USER_PREFIX_LEN)) {
434                 mkey = request_user_key(epayload->master_desc +
435                                         KEY_USER_PREFIX_LEN,
436                                         master_key, master_keylen);
437         } else
438                 goto out;
439 
440         if (IS_ERR(mkey)) {
441                 int ret = PTR_ERR(mkey);
442 
443                 if (ret == -ENOTSUPP)
444                         pr_info("encrypted_key: key %s not supported",
445                                 epayload->master_desc);
446                 else
447                         pr_info("encrypted_key: key %s not found",
448                                 epayload->master_desc);
449                 goto out;
450         }
451 
452         dump_master_key(*master_key, *master_keylen);
453 out:
454         return mkey;
455 }
456 
457 /* Before returning data to userspace, encrypt decrypted data. */
458 static int derived_key_encrypt(struct encrypted_key_payload *epayload,
459                                const u8 *derived_key,
460                                unsigned int derived_keylen)
461 {
462         struct scatterlist sg_in[2];
463         struct scatterlist sg_out[1];
464         struct crypto_skcipher *tfm;
465         struct skcipher_request *req;
466         unsigned int encrypted_datalen;
467         u8 iv[AES_BLOCK_SIZE];
468         int ret;
469 
470         encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
471 
472         req = init_skcipher_req(derived_key, derived_keylen);
473         ret = PTR_ERR(req);
474         if (IS_ERR(req))
475                 goto out;
476         dump_decrypted_data(epayload);
477 
478         sg_init_table(sg_in, 2);
479         sg_set_buf(&sg_in[0], epayload->decrypted_data,
480                    epayload->decrypted_datalen);
481         sg_set_page(&sg_in[1], ZERO_PAGE(0), AES_BLOCK_SIZE, 0);
482 
483         sg_init_table(sg_out, 1);
484         sg_set_buf(sg_out, epayload->encrypted_data, encrypted_datalen);
485 
486         memcpy(iv, epayload->iv, sizeof(iv));
487         skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv);
488         ret = crypto_skcipher_encrypt(req);
489         tfm = crypto_skcipher_reqtfm(req);
490         skcipher_request_free(req);
491         crypto_free_skcipher(tfm);
492         if (ret < 0)
493                 pr_err("encrypted_key: failed to encrypt (%d)\n", ret);
494         else
495                 dump_encrypted_data(epayload, encrypted_datalen);
496 out:
497         return ret;
498 }
499 
500 static int datablob_hmac_append(struct encrypted_key_payload *epayload,
501                                 const u8 *master_key, size_t master_keylen)
502 {
503         u8 derived_key[HASH_SIZE];
504         u8 *digest;
505         int ret;
506 
507         ret = get_derived_key(derived_key, AUTH_KEY, master_key, master_keylen);
508         if (ret < 0)
509                 goto out;
510 
511         digest = epayload->format + epayload->datablob_len;
512         ret = calc_hmac(digest, derived_key, sizeof derived_key,
513                         epayload->format, epayload->datablob_len);
514         if (!ret)
515                 dump_hmac(NULL, digest, HASH_SIZE);
516 out:
517         memzero_explicit(derived_key, sizeof(derived_key));
518         return ret;
519 }
520 
521 /* verify HMAC before decrypting encrypted key */
522 static int datablob_hmac_verify(struct encrypted_key_payload *epayload,
523                                 const u8 *format, const u8 *master_key,
524                                 size_t master_keylen)
525 {
526         u8 derived_key[HASH_SIZE];
527         u8 digest[HASH_SIZE];
528         int ret;
529         char *p;
530         unsigned short len;
531 
532         ret = get_derived_key(derived_key, AUTH_KEY, master_key, master_keylen);
533         if (ret < 0)
534                 goto out;
535 
536         len = epayload->datablob_len;
537         if (!format) {
538                 p = epayload->master_desc;
539                 len -= strlen(epayload->format) + 1;
540         } else
541                 p = epayload->format;
542 
543         ret = calc_hmac(digest, derived_key, sizeof derived_key, p, len);
544         if (ret < 0)
545                 goto out;
546         ret = crypto_memneq(digest, epayload->format + epayload->datablob_len,
547                             sizeof(digest));
548         if (ret) {
549                 ret = -EINVAL;
550                 dump_hmac("datablob",
551                           epayload->format + epayload->datablob_len,
552                           HASH_SIZE);
553                 dump_hmac("calc", digest, HASH_SIZE);
554         }
555 out:
556         memzero_explicit(derived_key, sizeof(derived_key));
557         return ret;
558 }
559 
560 static int derived_key_decrypt(struct encrypted_key_payload *epayload,
561                                const u8 *derived_key,
562                                unsigned int derived_keylen)
563 {
564         struct scatterlist sg_in[1];
565         struct scatterlist sg_out[2];
566         struct crypto_skcipher *tfm;
567         struct skcipher_request *req;
568         unsigned int encrypted_datalen;
569         u8 iv[AES_BLOCK_SIZE];
570         u8 *pad;
571         int ret;
572 
573         /* Throwaway buffer to hold the unused zero padding at the end */
574         pad = kmalloc(AES_BLOCK_SIZE, GFP_KERNEL);
575         if (!pad)
576                 return -ENOMEM;
577 
578         encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
579         req = init_skcipher_req(derived_key, derived_keylen);
580         ret = PTR_ERR(req);
581         if (IS_ERR(req))
582                 goto out;
583         dump_encrypted_data(epayload, encrypted_datalen);
584 
585         sg_init_table(sg_in, 1);
586         sg_init_table(sg_out, 2);
587         sg_set_buf(sg_in, epayload->encrypted_data, encrypted_datalen);
588         sg_set_buf(&sg_out[0], epayload->decrypted_data,
589                    epayload->decrypted_datalen);
590         sg_set_buf(&sg_out[1], pad, AES_BLOCK_SIZE);
591 
592         memcpy(iv, epayload->iv, sizeof(iv));
593         skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv);
594         ret = crypto_skcipher_decrypt(req);
595         tfm = crypto_skcipher_reqtfm(req);
596         skcipher_request_free(req);
597         crypto_free_skcipher(tfm);
598         if (ret < 0)
599                 goto out;
600         dump_decrypted_data(epayload);
601 out:
602         kfree(pad);
603         return ret;
604 }
605 
606 /* Allocate memory for decrypted key and datablob. */
607 static struct encrypted_key_payload *encrypted_key_alloc(struct key *key,
608                                                          const char *format,
609                                                          const char *master_desc,
610                                                          const char *datalen)
611 {
612         struct encrypted_key_payload *epayload = NULL;
613         unsigned short datablob_len;
614         unsigned short decrypted_datalen;
615         unsigned short payload_datalen;
616         unsigned int encrypted_datalen;
617         unsigned int format_len;
618         long dlen;
619         int ret;
620 
621         ret = kstrtol(datalen, 10, &dlen);
622         if (ret < 0 || dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
623                 return ERR_PTR(-EINVAL);
624 
625         format_len = (!format) ? strlen(key_format_default) : strlen(format);
626         decrypted_datalen = dlen;
627         payload_datalen = decrypted_datalen;
628         if (format) {
629                 if (!strcmp(format, key_format_ecryptfs)) {
630                         if (dlen != ECRYPTFS_MAX_KEY_BYTES) {
631                                 pr_err("encrypted_key: keylen for the ecryptfs format must be equal to %d bytes\n",
632                                         ECRYPTFS_MAX_KEY_BYTES);
633                                 return ERR_PTR(-EINVAL);
634                         }
635                         decrypted_datalen = ECRYPTFS_MAX_KEY_BYTES;
636                         payload_datalen = sizeof(struct ecryptfs_auth_tok);
637                 } else if (!strcmp(format, key_format_enc32)) {
638                         if (decrypted_datalen != KEY_ENC32_PAYLOAD_LEN) {
639                                 pr_err("encrypted_key: enc32 key payload incorrect length: %d\n",
640                                                 decrypted_datalen);
641                                 return ERR_PTR(-EINVAL);
642                         }
643                 }
644         }
645 
646         encrypted_datalen = roundup(decrypted_datalen, blksize);
647 
648         datablob_len = format_len + 1 + strlen(master_desc) + 1
649             + strlen(datalen) + 1 + ivsize + 1 + encrypted_datalen;
650 
651         ret = key_payload_reserve(key, payload_datalen + datablob_len
652                                   + HASH_SIZE + 1);
653         if (ret < 0)
654                 return ERR_PTR(ret);
655 
656         epayload = kzalloc(sizeof(*epayload) + payload_datalen +
657                            datablob_len + HASH_SIZE + 1, GFP_KERNEL);
658         if (!epayload)
659                 return ERR_PTR(-ENOMEM);
660 
661         epayload->payload_datalen = payload_datalen;
662         epayload->decrypted_datalen = decrypted_datalen;
663         epayload->datablob_len = datablob_len;
664         return epayload;
665 }
666 
667 static int encrypted_key_decrypt(struct encrypted_key_payload *epayload,
668                                  const char *format, const char *hex_encoded_iv)
669 {
670         struct key *mkey;
671         u8 derived_key[HASH_SIZE];
672         const u8 *master_key;
673         u8 *hmac;
674         const char *hex_encoded_data;
675         unsigned int encrypted_datalen;
676         size_t master_keylen;
677         size_t asciilen;
678         int ret;
679 
680         encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
681         asciilen = (ivsize + 1 + encrypted_datalen + HASH_SIZE) * 2;
682         if (strlen(hex_encoded_iv) != asciilen)
683                 return -EINVAL;
684 
685         hex_encoded_data = hex_encoded_iv + (2 * ivsize) + 2;
686         ret = hex2bin(epayload->iv, hex_encoded_iv, ivsize);
687         if (ret < 0)
688                 return -EINVAL;
689         ret = hex2bin(epayload->encrypted_data, hex_encoded_data,
690                       encrypted_datalen);
691         if (ret < 0)
692                 return -EINVAL;
693 
694         hmac = epayload->format + epayload->datablob_len;
695         ret = hex2bin(hmac, hex_encoded_data + (encrypted_datalen * 2),
696                       HASH_SIZE);
697         if (ret < 0)
698                 return -EINVAL;
699 
700         mkey = request_master_key(epayload, &master_key, &master_keylen);
701         if (IS_ERR(mkey))
702                 return PTR_ERR(mkey);
703 
704         ret = datablob_hmac_verify(epayload, format, master_key, master_keylen);
705         if (ret < 0) {
706                 pr_err("encrypted_key: bad hmac (%d)\n", ret);
707                 goto out;
708         }
709 
710         ret = get_derived_key(derived_key, ENC_KEY, master_key, master_keylen);
711         if (ret < 0)
712                 goto out;
713 
714         ret = derived_key_decrypt(epayload, derived_key, sizeof derived_key);
715         if (ret < 0)
716                 pr_err("encrypted_key: failed to decrypt key (%d)\n", ret);
717 out:
718         up_read(&mkey->sem);
719         key_put(mkey);
720         memzero_explicit(derived_key, sizeof(derived_key));
721         return ret;
722 }
723 
724 static void __ekey_init(struct encrypted_key_payload *epayload,
725                         const char *format, const char *master_desc,
726                         const char *datalen)
727 {
728         unsigned int format_len;
729 
730         format_len = (!format) ? strlen(key_format_default) : strlen(format);
731         epayload->format = epayload->payload_data + epayload->payload_datalen;
732         epayload->master_desc = epayload->format + format_len + 1;
733         epayload->datalen = epayload->master_desc + strlen(master_desc) + 1;
734         epayload->iv = epayload->datalen + strlen(datalen) + 1;
735         epayload->encrypted_data = epayload->iv + ivsize + 1;
736         epayload->decrypted_data = epayload->payload_data;
737 
738         if (!format)
739                 memcpy(epayload->format, key_format_default, format_len);
740         else {
741                 if (!strcmp(format, key_format_ecryptfs))
742                         epayload->decrypted_data =
743                                 ecryptfs_get_auth_tok_key((struct ecryptfs_auth_tok *)epayload->payload_data);
744 
745                 memcpy(epayload->format, format, format_len);
746         }
747 
748         memcpy(epayload->master_desc, master_desc, strlen(master_desc));
749         memcpy(epayload->datalen, datalen, strlen(datalen));
750 }
751 
752 /*
753  * encrypted_init - initialize an encrypted key
754  *
755  * For a new key, use a random number for both the iv and data
756  * itself.  For an old key, decrypt the hex encoded data.
757  */
758 static int encrypted_init(struct encrypted_key_payload *epayload,
759                           const char *key_desc, const char *format,
760                           const char *master_desc, const char *datalen,
761                           const char *hex_encoded_iv)
762 {
763         int ret = 0;
764 
765         if (format && !strcmp(format, key_format_ecryptfs)) {
766                 ret = valid_ecryptfs_desc(key_desc);
767                 if (ret < 0)
768                         return ret;
769 
770                 ecryptfs_fill_auth_tok((struct ecryptfs_auth_tok *)epayload->payload_data,
771                                        key_desc);
772         }
773 
774         __ekey_init(epayload, format, master_desc, datalen);
775         if (!hex_encoded_iv) {
776                 get_random_bytes(epayload->iv, ivsize);
777 
778                 get_random_bytes(epayload->decrypted_data,
779                                  epayload->decrypted_datalen);
780         } else
781                 ret = encrypted_key_decrypt(epayload, format, hex_encoded_iv);
782         return ret;
783 }
784 
785 /*
786  * encrypted_instantiate - instantiate an encrypted key
787  *
788  * Decrypt an existing encrypted datablob or create a new encrypted key
789  * based on a kernel random number.
790  *
791  * On success, return 0. Otherwise return errno.
792  */
793 static int encrypted_instantiate(struct key *key,
794                                  struct key_preparsed_payload *prep)
795 {
796         struct encrypted_key_payload *epayload = NULL;
797         char *datablob = NULL;
798         const char *format = NULL;
799         char *master_desc = NULL;
800         char *decrypted_datalen = NULL;
801         char *hex_encoded_iv = NULL;
802         size_t datalen = prep->datalen;
803         int ret;
804 
805         if (datalen <= 0 || datalen > 32767 || !prep->data)
806                 return -EINVAL;
807 
808         datablob = kmalloc(datalen + 1, GFP_KERNEL);
809         if (!datablob)
810                 return -ENOMEM;
811         datablob[datalen] = 0;
812         memcpy(datablob, prep->data, datalen);
813         ret = datablob_parse(datablob, &format, &master_desc,
814                              &decrypted_datalen, &hex_encoded_iv);
815         if (ret < 0)
816                 goto out;
817 
818         epayload = encrypted_key_alloc(key, format, master_desc,
819                                        decrypted_datalen);
820         if (IS_ERR(epayload)) {
821                 ret = PTR_ERR(epayload);
822                 goto out;
823         }
824         ret = encrypted_init(epayload, key->description, format, master_desc,
825                              decrypted_datalen, hex_encoded_iv);
826         if (ret < 0) {
827                 kzfree(epayload);
828                 goto out;
829         }
830 
831         rcu_assign_keypointer(key, epayload);
832 out:
833         kzfree(datablob);
834         return ret;
835 }
836 
837 static void encrypted_rcu_free(struct rcu_head *rcu)
838 {
839         struct encrypted_key_payload *epayload;
840 
841         epayload = container_of(rcu, struct encrypted_key_payload, rcu);
842         kzfree(epayload);
843 }
844 
845 /*
846  * encrypted_update - update the master key description
847  *
848  * Change the master key description for an existing encrypted key.
849  * The next read will return an encrypted datablob using the new
850  * master key description.
851  *
852  * On success, return 0. Otherwise return errno.
853  */
854 static int encrypted_update(struct key *key, struct key_preparsed_payload *prep)
855 {
856         struct encrypted_key_payload *epayload = key->payload.data[0];
857         struct encrypted_key_payload *new_epayload;
858         char *buf;
859         char *new_master_desc = NULL;
860         const char *format = NULL;
861         size_t datalen = prep->datalen;
862         int ret = 0;
863 
864         if (key_is_negative(key))
865                 return -ENOKEY;
866         if (datalen <= 0 || datalen > 32767 || !prep->data)
867                 return -EINVAL;
868 
869         buf = kmalloc(datalen + 1, GFP_KERNEL);
870         if (!buf)
871                 return -ENOMEM;
872 
873         buf[datalen] = 0;
874         memcpy(buf, prep->data, datalen);
875         ret = datablob_parse(buf, &format, &new_master_desc, NULL, NULL);
876         if (ret < 0)
877                 goto out;
878 
879         ret = valid_master_desc(new_master_desc, epayload->master_desc);
880         if (ret < 0)
881                 goto out;
882 
883         new_epayload = encrypted_key_alloc(key, epayload->format,
884                                            new_master_desc, epayload->datalen);
885         if (IS_ERR(new_epayload)) {
886                 ret = PTR_ERR(new_epayload);
887                 goto out;
888         }
889 
890         __ekey_init(new_epayload, epayload->format, new_master_desc,
891                     epayload->datalen);
892 
893         memcpy(new_epayload->iv, epayload->iv, ivsize);
894         memcpy(new_epayload->payload_data, epayload->payload_data,
895                epayload->payload_datalen);
896 
897         rcu_assign_keypointer(key, new_epayload);
898         call_rcu(&epayload->rcu, encrypted_rcu_free);
899 out:
900         kzfree(buf);
901         return ret;
902 }
903 
904 /*
905  * encrypted_read - format and copy out the encrypted data
906  *
907  * The resulting datablob format is:
908  * <master-key name> <decrypted data length> <encrypted iv> <encrypted data>
909  *
910  * On success, return to userspace the encrypted key datablob size.
911  */
912 static long encrypted_read(const struct key *key, char *buffer,
913                            size_t buflen)
914 {
915         struct encrypted_key_payload *epayload;
916         struct key *mkey;
917         const u8 *master_key;
918         size_t master_keylen;
919         char derived_key[HASH_SIZE];
920         char *ascii_buf;
921         size_t asciiblob_len;
922         int ret;
923 
924         epayload = dereference_key_locked(key);
925 
926         /* returns the hex encoded iv, encrypted-data, and hmac as ascii */
927         asciiblob_len = epayload->datablob_len + ivsize + 1
928             + roundup(epayload->decrypted_datalen, blksize)
929             + (HASH_SIZE * 2);
930 
931         if (!buffer || buflen < asciiblob_len)
932                 return asciiblob_len;
933 
934         mkey = request_master_key(epayload, &master_key, &master_keylen);
935         if (IS_ERR(mkey))
936                 return PTR_ERR(mkey);
937 
938         ret = get_derived_key(derived_key, ENC_KEY, master_key, master_keylen);
939         if (ret < 0)
940                 goto out;
941 
942         ret = derived_key_encrypt(epayload, derived_key, sizeof derived_key);
943         if (ret < 0)
944                 goto out;
945 
946         ret = datablob_hmac_append(epayload, master_key, master_keylen);
947         if (ret < 0)
948                 goto out;
949 
950         ascii_buf = datablob_format(epayload, asciiblob_len);
951         if (!ascii_buf) {
952                 ret = -ENOMEM;
953                 goto out;
954         }
955 
956         up_read(&mkey->sem);
957         key_put(mkey);
958         memzero_explicit(derived_key, sizeof(derived_key));
959 
960         memcpy(buffer, ascii_buf, asciiblob_len);
961         kzfree(ascii_buf);
962 
963         return asciiblob_len;
964 out:
965         up_read(&mkey->sem);
966         key_put(mkey);
967         memzero_explicit(derived_key, sizeof(derived_key));
968         return ret;
969 }
970 
971 /*
972  * encrypted_destroy - clear and free the key's payload
973  */
974 static void encrypted_destroy(struct key *key)
975 {
976         kzfree(key->payload.data[0]);
977 }
978 
979 struct key_type key_type_encrypted = {
980         .name = "encrypted",
981         .instantiate = encrypted_instantiate,
982         .update = encrypted_update,
983         .destroy = encrypted_destroy,
984         .describe = user_describe,
985         .read = encrypted_read,
986 };
987 EXPORT_SYMBOL_GPL(key_type_encrypted);
988 
989 static int __init init_encrypted(void)
990 {
991         int ret;
992 
993         hash_tfm = crypto_alloc_shash(hash_alg, 0, 0);
994         if (IS_ERR(hash_tfm)) {
995                 pr_err("encrypted_key: can't allocate %s transform: %ld\n",
996                        hash_alg, PTR_ERR(hash_tfm));
997                 return PTR_ERR(hash_tfm);
998         }
999 
1000         ret = aes_get_sizes();
1001         if (ret < 0)
1002                 goto out;
1003         ret = register_key_type(&key_type_encrypted);
1004         if (ret < 0)
1005                 goto out;
1006         return 0;
1007 out:
1008         crypto_free_shash(hash_tfm);
1009         return ret;
1010 
1011 }
1012 
1013 static void __exit cleanup_encrypted(void)
1014 {
1015         crypto_free_shash(hash_tfm);
1016         unregister_key_type(&key_type_encrypted);
1017 }
1018 
1019 late_initcall(init_encrypted);
1020 module_exit(cleanup_encrypted);
1021 
1022 MODULE_LICENSE("GPL");
1023 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp