1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* |
3 | * This file is part of UBIFS. |
4 | * |
5 | * Copyright (C) 2018 Pengutronix, Sascha Hauer <s.hauer@pengutronix.de> |
6 | */ |
7 | |
8 | /* |
9 | * This file implements various helper functions for UBIFS authentication support |
10 | */ |
11 | |
12 | #include <linux/verification.h> |
13 | #include <crypto/hash.h> |
14 | #include <crypto/utils.h> |
15 | #include <keys/user-type.h> |
16 | #include <keys/asymmetric-type.h> |
17 | |
18 | #include "ubifs.h" |
19 | |
20 | /** |
21 | * ubifs_node_calc_hash - calculate the hash of a UBIFS node |
22 | * @c: UBIFS file-system description object |
23 | * @node: the node to calculate a hash for |
24 | * @hash: the returned hash |
25 | * |
26 | * Returns 0 for success or a negative error code otherwise. |
27 | */ |
28 | int __ubifs_node_calc_hash(const struct ubifs_info *c, const void *node, |
29 | u8 *hash) |
30 | { |
31 | const struct ubifs_ch *ch = node; |
32 | |
33 | return crypto_shash_tfm_digest(tfm: c->hash_tfm, data: node, le32_to_cpu(ch->len), |
34 | out: hash); |
35 | } |
36 | |
37 | /** |
38 | * ubifs_hash_calc_hmac - calculate a HMAC from a hash |
39 | * @c: UBIFS file-system description object |
40 | * @hash: the node to calculate a HMAC for |
41 | * @hmac: the returned HMAC |
42 | * |
43 | * Returns 0 for success or a negative error code otherwise. |
44 | */ |
45 | static int ubifs_hash_calc_hmac(const struct ubifs_info *c, const u8 *hash, |
46 | u8 *hmac) |
47 | { |
48 | return crypto_shash_tfm_digest(tfm: c->hmac_tfm, data: hash, len: c->hash_len, out: hmac); |
49 | } |
50 | |
51 | /** |
52 | * ubifs_prepare_auth_node - Prepare an authentication node |
53 | * @c: UBIFS file-system description object |
54 | * @node: the node to calculate a hash for |
55 | * @inhash: input hash of previous nodes |
56 | * |
57 | * This function prepares an authentication node for writing onto flash. |
58 | * It creates a HMAC from the given input hash and writes it to the node. |
59 | * |
60 | * Returns 0 for success or a negative error code otherwise. |
61 | */ |
62 | int ubifs_prepare_auth_node(struct ubifs_info *c, void *node, |
63 | struct shash_desc *inhash) |
64 | { |
65 | struct ubifs_auth_node *auth = node; |
66 | u8 hash[UBIFS_HASH_ARR_SZ]; |
67 | int err; |
68 | |
69 | { |
70 | SHASH_DESC_ON_STACK(hash_desc, c->hash_tfm); |
71 | |
72 | hash_desc->tfm = c->hash_tfm; |
73 | ubifs_shash_copy_state(c, src: inhash, target: hash_desc); |
74 | |
75 | err = crypto_shash_final(desc: hash_desc, out: hash); |
76 | if (err) |
77 | return err; |
78 | } |
79 | |
80 | err = ubifs_hash_calc_hmac(c, hash, hmac: auth->hmac); |
81 | if (err) |
82 | return err; |
83 | |
84 | auth->ch.node_type = UBIFS_AUTH_NODE; |
85 | ubifs_prepare_node(c, buf: auth, len: ubifs_auth_node_sz(c), pad: 0); |
86 | return 0; |
87 | } |
88 | |
89 | static struct shash_desc *ubifs_get_desc(const struct ubifs_info *c, |
90 | struct crypto_shash *tfm) |
91 | { |
92 | struct shash_desc *desc; |
93 | int err; |
94 | |
95 | if (!ubifs_authenticated(c)) |
96 | return NULL; |
97 | |
98 | desc = kmalloc(size: sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL); |
99 | if (!desc) |
100 | return ERR_PTR(error: -ENOMEM); |
101 | |
102 | desc->tfm = tfm; |
103 | |
104 | err = crypto_shash_init(desc); |
105 | if (err) { |
106 | kfree(objp: desc); |
107 | return ERR_PTR(error: err); |
108 | } |
109 | |
110 | return desc; |
111 | } |
112 | |
113 | /** |
114 | * __ubifs_hash_get_desc - get a descriptor suitable for hashing a node |
115 | * @c: UBIFS file-system description object |
116 | * |
117 | * This function returns a descriptor suitable for hashing a node. Free after use |
118 | * with kfree. |
119 | */ |
120 | struct shash_desc *__ubifs_hash_get_desc(const struct ubifs_info *c) |
121 | { |
122 | return ubifs_get_desc(c, tfm: c->hash_tfm); |
123 | } |
124 | |
125 | /** |
126 | * ubifs_bad_hash - Report hash mismatches |
127 | * @c: UBIFS file-system description object |
128 | * @node: the node |
129 | * @hash: the expected hash |
130 | * @lnum: the LEB @node was read from |
131 | * @offs: offset in LEB @node was read from |
132 | * |
133 | * This function reports a hash mismatch when a node has a different hash than |
134 | * expected. |
135 | */ |
136 | void ubifs_bad_hash(const struct ubifs_info *c, const void *node, const u8 *hash, |
137 | int lnum, int offs) |
138 | { |
139 | int len = min(c->hash_len, 20); |
140 | int cropped = len != c->hash_len; |
141 | const char *cont = cropped ? "..." : "" ; |
142 | |
143 | u8 calc[UBIFS_HASH_ARR_SZ]; |
144 | |
145 | __ubifs_node_calc_hash(c, node, hash: calc); |
146 | |
147 | ubifs_err(c, fmt: "hash mismatch on node at LEB %d:%d" , lnum, offs); |
148 | ubifs_err(c, fmt: "hash expected: %*ph%s" , len, hash, cont); |
149 | ubifs_err(c, fmt: "hash calculated: %*ph%s" , len, calc, cont); |
150 | } |
151 | |
152 | /** |
153 | * __ubifs_node_check_hash - check the hash of a node against given hash |
154 | * @c: UBIFS file-system description object |
155 | * @node: the node |
156 | * @expected: the expected hash |
157 | * |
158 | * This function calculates a hash over a node and compares it to the given hash. |
159 | * Returns 0 if both hashes are equal or authentication is disabled, otherwise a |
160 | * negative error code is returned. |
161 | */ |
162 | int __ubifs_node_check_hash(const struct ubifs_info *c, const void *node, |
163 | const u8 *expected) |
164 | { |
165 | u8 calc[UBIFS_HASH_ARR_SZ]; |
166 | int err; |
167 | |
168 | err = __ubifs_node_calc_hash(c, node, hash: calc); |
169 | if (err) |
170 | return err; |
171 | |
172 | if (ubifs_check_hash(c, expected, got: calc)) |
173 | return -EPERM; |
174 | |
175 | return 0; |
176 | } |
177 | |
178 | /** |
179 | * ubifs_sb_verify_signature - verify the signature of a superblock |
180 | * @c: UBIFS file-system description object |
181 | * @sup: The superblock node |
182 | * |
183 | * To support offline signed images the superblock can be signed with a |
184 | * PKCS#7 signature. The signature is placed directly behind the superblock |
185 | * node in an ubifs_sig_node. |
186 | * |
187 | * Returns 0 when the signature can be successfully verified or a negative |
188 | * error code if not. |
189 | */ |
190 | int ubifs_sb_verify_signature(struct ubifs_info *c, |
191 | const struct ubifs_sb_node *sup) |
192 | { |
193 | int err; |
194 | struct ubifs_scan_leb *sleb; |
195 | struct ubifs_scan_node *snod; |
196 | const struct ubifs_sig_node *signode; |
197 | |
198 | sleb = ubifs_scan(c, UBIFS_SB_LNUM, UBIFS_SB_NODE_SZ, sbuf: c->sbuf, quiet: 0); |
199 | if (IS_ERR(ptr: sleb)) { |
200 | err = PTR_ERR(ptr: sleb); |
201 | return err; |
202 | } |
203 | |
204 | if (sleb->nodes_cnt == 0) { |
205 | ubifs_err(c, fmt: "Unable to find signature node" ); |
206 | err = -EINVAL; |
207 | goto out_destroy; |
208 | } |
209 | |
210 | snod = list_first_entry(&sleb->nodes, struct ubifs_scan_node, list); |
211 | |
212 | if (snod->type != UBIFS_SIG_NODE) { |
213 | ubifs_err(c, fmt: "Signature node is of wrong type" ); |
214 | err = -EINVAL; |
215 | goto out_destroy; |
216 | } |
217 | |
218 | signode = snod->node; |
219 | |
220 | if (le32_to_cpu(signode->len) > snod->len + sizeof(struct ubifs_sig_node)) { |
221 | ubifs_err(c, fmt: "invalid signature len %d" , le32_to_cpu(signode->len)); |
222 | err = -EINVAL; |
223 | goto out_destroy; |
224 | } |
225 | |
226 | if (le32_to_cpu(signode->type) != UBIFS_SIGNATURE_TYPE_PKCS7) { |
227 | ubifs_err(c, fmt: "Signature type %d is not supported\n" , |
228 | le32_to_cpu(signode->type)); |
229 | err = -EINVAL; |
230 | goto out_destroy; |
231 | } |
232 | |
233 | err = verify_pkcs7_signature(data: sup, len: sizeof(struct ubifs_sb_node), |
234 | raw_pkcs7: signode->sig, le32_to_cpu(signode->len), |
235 | NULL, usage: VERIFYING_UNSPECIFIED_SIGNATURE, |
236 | NULL, NULL); |
237 | |
238 | if (err) |
239 | ubifs_err(c, fmt: "Failed to verify signature" ); |
240 | else |
241 | ubifs_msg(c, fmt: "Successfully verified super block signature" ); |
242 | |
243 | out_destroy: |
244 | ubifs_scan_destroy(sleb); |
245 | |
246 | return err; |
247 | } |
248 | |
249 | /** |
250 | * ubifs_init_authentication - initialize UBIFS authentication support |
251 | * @c: UBIFS file-system description object |
252 | * |
253 | * This function returns 0 for success or a negative error code otherwise. |
254 | */ |
255 | int ubifs_init_authentication(struct ubifs_info *c) |
256 | { |
257 | struct key *keyring_key; |
258 | const struct user_key_payload *ukp; |
259 | int err; |
260 | char hmac_name[CRYPTO_MAX_ALG_NAME]; |
261 | |
262 | if (!c->auth_hash_name) { |
263 | ubifs_err(c, fmt: "authentication hash name needed with authentication" ); |
264 | return -EINVAL; |
265 | } |
266 | |
267 | c->auth_hash_algo = match_string(array: hash_algo_name, n: HASH_ALGO__LAST, |
268 | string: c->auth_hash_name); |
269 | if ((int)c->auth_hash_algo < 0) { |
270 | ubifs_err(c, fmt: "Unknown hash algo %s specified" , |
271 | c->auth_hash_name); |
272 | return -EINVAL; |
273 | } |
274 | |
275 | snprintf(buf: hmac_name, CRYPTO_MAX_ALG_NAME, fmt: "hmac(%s)" , |
276 | c->auth_hash_name); |
277 | |
278 | keyring_key = request_key(type: &key_type_logon, description: c->auth_key_name, NULL); |
279 | |
280 | if (IS_ERR(ptr: keyring_key)) { |
281 | ubifs_err(c, fmt: "Failed to request key: %ld" , |
282 | PTR_ERR(ptr: keyring_key)); |
283 | return PTR_ERR(ptr: keyring_key); |
284 | } |
285 | |
286 | down_read(sem: &keyring_key->sem); |
287 | |
288 | if (keyring_key->type != &key_type_logon) { |
289 | ubifs_err(c, fmt: "key type must be logon" ); |
290 | err = -ENOKEY; |
291 | goto out; |
292 | } |
293 | |
294 | ukp = user_key_payload_locked(key: keyring_key); |
295 | if (!ukp) { |
296 | /* key was revoked before we acquired its semaphore */ |
297 | err = -EKEYREVOKED; |
298 | goto out; |
299 | } |
300 | |
301 | c->hash_tfm = crypto_alloc_shash(alg_name: c->auth_hash_name, type: 0, mask: 0); |
302 | if (IS_ERR(ptr: c->hash_tfm)) { |
303 | err = PTR_ERR(ptr: c->hash_tfm); |
304 | ubifs_err(c, fmt: "Can not allocate %s: %d" , |
305 | c->auth_hash_name, err); |
306 | goto out; |
307 | } |
308 | |
309 | c->hash_len = crypto_shash_digestsize(tfm: c->hash_tfm); |
310 | if (c->hash_len > UBIFS_HASH_ARR_SZ) { |
311 | ubifs_err(c, fmt: "hash %s is bigger than maximum allowed hash size (%d > %d)" , |
312 | c->auth_hash_name, c->hash_len, UBIFS_HASH_ARR_SZ); |
313 | err = -EINVAL; |
314 | goto out_free_hash; |
315 | } |
316 | |
317 | c->hmac_tfm = crypto_alloc_shash(alg_name: hmac_name, type: 0, mask: 0); |
318 | if (IS_ERR(ptr: c->hmac_tfm)) { |
319 | err = PTR_ERR(ptr: c->hmac_tfm); |
320 | ubifs_err(c, fmt: "Can not allocate %s: %d" , hmac_name, err); |
321 | goto out_free_hash; |
322 | } |
323 | |
324 | c->hmac_desc_len = crypto_shash_digestsize(tfm: c->hmac_tfm); |
325 | if (c->hmac_desc_len > UBIFS_HMAC_ARR_SZ) { |
326 | ubifs_err(c, fmt: "hmac %s is bigger than maximum allowed hmac size (%d > %d)" , |
327 | hmac_name, c->hmac_desc_len, UBIFS_HMAC_ARR_SZ); |
328 | err = -EINVAL; |
329 | goto out_free_hmac; |
330 | } |
331 | |
332 | err = crypto_shash_setkey(tfm: c->hmac_tfm, key: ukp->data, keylen: ukp->datalen); |
333 | if (err) |
334 | goto out_free_hmac; |
335 | |
336 | c->authenticated = true; |
337 | |
338 | c->log_hash = ubifs_hash_get_desc(c); |
339 | if (IS_ERR(ptr: c->log_hash)) { |
340 | err = PTR_ERR(ptr: c->log_hash); |
341 | goto out_free_hmac; |
342 | } |
343 | |
344 | err = 0; |
345 | |
346 | out_free_hmac: |
347 | if (err) |
348 | crypto_free_shash(tfm: c->hmac_tfm); |
349 | out_free_hash: |
350 | if (err) |
351 | crypto_free_shash(tfm: c->hash_tfm); |
352 | out: |
353 | up_read(sem: &keyring_key->sem); |
354 | key_put(key: keyring_key); |
355 | |
356 | return err; |
357 | } |
358 | |
359 | /** |
360 | * __ubifs_exit_authentication - release resource |
361 | * @c: UBIFS file-system description object |
362 | * |
363 | * This function releases the authentication related resources. |
364 | */ |
365 | void __ubifs_exit_authentication(struct ubifs_info *c) |
366 | { |
367 | if (!ubifs_authenticated(c)) |
368 | return; |
369 | |
370 | crypto_free_shash(tfm: c->hmac_tfm); |
371 | crypto_free_shash(tfm: c->hash_tfm); |
372 | kfree(objp: c->log_hash); |
373 | } |
374 | |
375 | /** |
376 | * ubifs_node_calc_hmac - calculate the HMAC of a UBIFS node |
377 | * @c: UBIFS file-system description object |
378 | * @node: the node to insert a HMAC into. |
379 | * @len: the length of the node |
380 | * @ofs_hmac: the offset in the node where the HMAC is inserted |
381 | * @hmac: returned HMAC |
382 | * |
383 | * This function calculates a HMAC of a UBIFS node. The HMAC is expected to be |
384 | * embedded into the node, so this area is not covered by the HMAC. Also not |
385 | * covered is the UBIFS_NODE_MAGIC and the CRC of the node. |
386 | */ |
387 | static int ubifs_node_calc_hmac(const struct ubifs_info *c, const void *node, |
388 | int len, int ofs_hmac, void *hmac) |
389 | { |
390 | SHASH_DESC_ON_STACK(shash, c->hmac_tfm); |
391 | int hmac_len = c->hmac_desc_len; |
392 | int err; |
393 | |
394 | ubifs_assert(c, ofs_hmac > 8); |
395 | ubifs_assert(c, ofs_hmac + hmac_len < len); |
396 | |
397 | shash->tfm = c->hmac_tfm; |
398 | |
399 | err = crypto_shash_init(desc: shash); |
400 | if (err) |
401 | return err; |
402 | |
403 | /* behind common node header CRC up to HMAC begin */ |
404 | err = crypto_shash_update(desc: shash, data: node + 8, len: ofs_hmac - 8); |
405 | if (err < 0) |
406 | return err; |
407 | |
408 | /* behind HMAC, if any */ |
409 | if (len - ofs_hmac - hmac_len > 0) { |
410 | err = crypto_shash_update(desc: shash, data: node + ofs_hmac + hmac_len, |
411 | len: len - ofs_hmac - hmac_len); |
412 | if (err < 0) |
413 | return err; |
414 | } |
415 | |
416 | return crypto_shash_final(desc: shash, out: hmac); |
417 | } |
418 | |
419 | /** |
420 | * __ubifs_node_insert_hmac - insert a HMAC into a UBIFS node |
421 | * @c: UBIFS file-system description object |
422 | * @node: the node to insert a HMAC into. |
423 | * @len: the length of the node |
424 | * @ofs_hmac: the offset in the node where the HMAC is inserted |
425 | * |
426 | * This function inserts a HMAC at offset @ofs_hmac into the node given in |
427 | * @node. |
428 | * |
429 | * This function returns 0 for success or a negative error code otherwise. |
430 | */ |
431 | int __ubifs_node_insert_hmac(const struct ubifs_info *c, void *node, int len, |
432 | int ofs_hmac) |
433 | { |
434 | return ubifs_node_calc_hmac(c, node, len, ofs_hmac, hmac: node + ofs_hmac); |
435 | } |
436 | |
437 | /** |
438 | * __ubifs_node_verify_hmac - verify the HMAC of UBIFS node |
439 | * @c: UBIFS file-system description object |
440 | * @node: the node to insert a HMAC into. |
441 | * @len: the length of the node |
442 | * @ofs_hmac: the offset in the node where the HMAC is inserted |
443 | * |
444 | * This function verifies the HMAC at offset @ofs_hmac of the node given in |
445 | * @node. Returns 0 if successful or a negative error code otherwise. |
446 | */ |
447 | int __ubifs_node_verify_hmac(const struct ubifs_info *c, const void *node, |
448 | int len, int ofs_hmac) |
449 | { |
450 | int hmac_len = c->hmac_desc_len; |
451 | u8 *hmac; |
452 | int err; |
453 | |
454 | hmac = kmalloc(size: hmac_len, GFP_NOFS); |
455 | if (!hmac) |
456 | return -ENOMEM; |
457 | |
458 | err = ubifs_node_calc_hmac(c, node, len, ofs_hmac, hmac); |
459 | if (err) { |
460 | kfree(objp: hmac); |
461 | return err; |
462 | } |
463 | |
464 | err = crypto_memneq(a: hmac, b: node + ofs_hmac, size: hmac_len); |
465 | |
466 | kfree(objp: hmac); |
467 | |
468 | if (!err) |
469 | return 0; |
470 | |
471 | return -EPERM; |
472 | } |
473 | |
474 | int __ubifs_shash_copy_state(const struct ubifs_info *c, struct shash_desc *src, |
475 | struct shash_desc *target) |
476 | { |
477 | u8 *state; |
478 | int err; |
479 | |
480 | state = kmalloc(size: crypto_shash_descsize(tfm: src->tfm), GFP_NOFS); |
481 | if (!state) |
482 | return -ENOMEM; |
483 | |
484 | err = crypto_shash_export(desc: src, out: state); |
485 | if (err) |
486 | goto out; |
487 | |
488 | err = crypto_shash_import(desc: target, in: state); |
489 | |
490 | out: |
491 | kfree(objp: state); |
492 | |
493 | return err; |
494 | } |
495 | |
496 | /** |
497 | * ubifs_hmac_wkm - Create a HMAC of the well known message |
498 | * @c: UBIFS file-system description object |
499 | * @hmac: The HMAC of the well known message |
500 | * |
501 | * This function creates a HMAC of a well known message. This is used |
502 | * to check if the provided key is suitable to authenticate a UBIFS |
503 | * image. This is only a convenience to the user to provide a better |
504 | * error message when the wrong key is provided. |
505 | * |
506 | * This function returns 0 for success or a negative error code otherwise. |
507 | */ |
508 | int ubifs_hmac_wkm(struct ubifs_info *c, u8 *hmac) |
509 | { |
510 | SHASH_DESC_ON_STACK(shash, c->hmac_tfm); |
511 | int err; |
512 | const char well_known_message[] = "UBIFS" ; |
513 | |
514 | if (!ubifs_authenticated(c)) |
515 | return 0; |
516 | |
517 | shash->tfm = c->hmac_tfm; |
518 | |
519 | err = crypto_shash_init(desc: shash); |
520 | if (err) |
521 | return err; |
522 | |
523 | err = crypto_shash_update(desc: shash, data: well_known_message, |
524 | len: sizeof(well_known_message) - 1); |
525 | if (err < 0) |
526 | return err; |
527 | |
528 | err = crypto_shash_final(desc: shash, out: hmac); |
529 | if (err) |
530 | return err; |
531 | return 0; |
532 | } |
533 | |
534 | /* |
535 | * ubifs_hmac_zero - test if a HMAC is zero |
536 | * @c: UBIFS file-system description object |
537 | * @hmac: the HMAC to test |
538 | * |
539 | * This function tests if a HMAC is zero and returns true if it is |
540 | * and false otherwise. |
541 | */ |
542 | bool ubifs_hmac_zero(struct ubifs_info *c, const u8 *hmac) |
543 | { |
544 | return !memchr_inv(p: hmac, c: 0, size: c->hmac_desc_len); |
545 | } |
546 | |