1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * Copyright (C) 2010 IBM Corporation |
4 | * Copyright (C) 2010 Politecnico di Torino, Italy |
5 | * TORSEC group -- https://security.polito.it |
6 | * |
7 | * Authors: |
8 | * Mimi Zohar <zohar@us.ibm.com> |
9 | * Roberto Sassu <roberto.sassu@polito.it> |
10 | * |
11 | * See Documentation/security/keys/trusted-encrypted.rst |
12 | */ |
13 | |
14 | #include <linux/uaccess.h> |
15 | #include <linux/module.h> |
16 | #include <linux/init.h> |
17 | #include <linux/slab.h> |
18 | #include <linux/parser.h> |
19 | #include <linux/string.h> |
20 | #include <linux/err.h> |
21 | #include <keys/user-type.h> |
22 | #include <keys/trusted-type.h> |
23 | #include <keys/encrypted-type.h> |
24 | #include <linux/key-type.h> |
25 | #include <linux/random.h> |
26 | #include <linux/rcupdate.h> |
27 | #include <linux/scatterlist.h> |
28 | #include <linux/ctype.h> |
29 | #include <crypto/aes.h> |
30 | #include <crypto/hash.h> |
31 | #include <crypto/sha2.h> |
32 | #include <crypto/skcipher.h> |
33 | #include <crypto/utils.h> |
34 | |
35 | #include "encrypted.h" |
36 | #include "ecryptfs_format.h" |
37 | |
38 | static const char KEY_TRUSTED_PREFIX[] = "trusted:" ; |
39 | static const char KEY_USER_PREFIX[] = "user:" ; |
40 | static const char hash_alg[] = "sha256" ; |
41 | static const char hmac_alg[] = "hmac(sha256)" ; |
42 | static const char blkcipher_alg[] = "cbc(aes)" ; |
43 | static const char key_format_default[] = "default" ; |
44 | static const char key_format_ecryptfs[] = "ecryptfs" ; |
45 | static const char key_format_enc32[] = "enc32" ; |
46 | static unsigned int ivsize; |
47 | static int blksize; |
48 | |
49 | #define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1) |
50 | #define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1) |
51 | #define KEY_ECRYPTFS_DESC_LEN 16 |
52 | #define HASH_SIZE SHA256_DIGEST_SIZE |
53 | #define MAX_DATA_SIZE 4096 |
54 | #define MIN_DATA_SIZE 20 |
55 | #define KEY_ENC32_PAYLOAD_LEN 32 |
56 | |
57 | static struct crypto_shash *hash_tfm; |
58 | |
59 | enum { |
60 | Opt_new, Opt_load, Opt_update, Opt_err |
61 | }; |
62 | |
63 | enum { |
64 | Opt_default, Opt_ecryptfs, Opt_enc32, Opt_error |
65 | }; |
66 | |
67 | static const match_table_t key_format_tokens = { |
68 | {Opt_default, "default" }, |
69 | {Opt_ecryptfs, "ecryptfs" }, |
70 | {Opt_enc32, "enc32" }, |
71 | {Opt_error, NULL} |
72 | }; |
73 | |
74 | static const match_table_t key_tokens = { |
75 | {Opt_new, "new" }, |
76 | {Opt_load, "load" }, |
77 | {Opt_update, "update" }, |
78 | {Opt_err, NULL} |
79 | }; |
80 | |
81 | static bool user_decrypted_data = IS_ENABLED(CONFIG_USER_DECRYPTED_DATA); |
82 | module_param(user_decrypted_data, bool, 0); |
83 | MODULE_PARM_DESC(user_decrypted_data, |
84 | "Allow instantiation of encrypted keys using provided decrypted data" ); |
85 | |
86 | static int aes_get_sizes(void) |
87 | { |
88 | struct crypto_skcipher *tfm; |
89 | |
90 | tfm = crypto_alloc_skcipher(alg_name: blkcipher_alg, type: 0, CRYPTO_ALG_ASYNC); |
91 | if (IS_ERR(ptr: tfm)) { |
92 | pr_err("encrypted_key: failed to alloc_cipher (%ld)\n" , |
93 | PTR_ERR(tfm)); |
94 | return PTR_ERR(ptr: tfm); |
95 | } |
96 | ivsize = crypto_skcipher_ivsize(tfm); |
97 | blksize = crypto_skcipher_blocksize(tfm); |
98 | crypto_free_skcipher(tfm); |
99 | return 0; |
100 | } |
101 | |
102 | /* |
103 | * valid_ecryptfs_desc - verify the description of a new/loaded encrypted key |
104 | * |
105 | * The description of a encrypted key with format 'ecryptfs' must contain |
106 | * exactly 16 hexadecimal characters. |
107 | * |
108 | */ |
109 | static int valid_ecryptfs_desc(const char *ecryptfs_desc) |
110 | { |
111 | int i; |
112 | |
113 | if (strlen(ecryptfs_desc) != KEY_ECRYPTFS_DESC_LEN) { |
114 | pr_err("encrypted_key: key description must be %d hexadecimal " |
115 | "characters long\n" , KEY_ECRYPTFS_DESC_LEN); |
116 | return -EINVAL; |
117 | } |
118 | |
119 | for (i = 0; i < KEY_ECRYPTFS_DESC_LEN; i++) { |
120 | if (!isxdigit(ecryptfs_desc[i])) { |
121 | pr_err("encrypted_key: key description must contain " |
122 | "only hexadecimal characters\n" ); |
123 | return -EINVAL; |
124 | } |
125 | } |
126 | |
127 | return 0; |
128 | } |
129 | |
130 | /* |
131 | * valid_master_desc - verify the 'key-type:desc' of a new/updated master-key |
132 | * |
133 | * key-type:= "trusted:" | "user:" |
134 | * desc:= master-key description |
135 | * |
136 | * Verify that 'key-type' is valid and that 'desc' exists. On key update, |
137 | * only the master key description is permitted to change, not the key-type. |
138 | * The key-type remains constant. |
139 | * |
140 | * On success returns 0, otherwise -EINVAL. |
141 | */ |
142 | static int valid_master_desc(const char *new_desc, const char *orig_desc) |
143 | { |
144 | int prefix_len; |
145 | |
146 | if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) |
147 | prefix_len = KEY_TRUSTED_PREFIX_LEN; |
148 | else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) |
149 | prefix_len = KEY_USER_PREFIX_LEN; |
150 | else |
151 | return -EINVAL; |
152 | |
153 | if (!new_desc[prefix_len]) |
154 | return -EINVAL; |
155 | |
156 | if (orig_desc && strncmp(new_desc, orig_desc, prefix_len)) |
157 | return -EINVAL; |
158 | |
159 | return 0; |
160 | } |
161 | |
162 | /* |
163 | * datablob_parse - parse the keyctl data |
164 | * |
165 | * datablob format: |
166 | * new [<format>] <master-key name> <decrypted data length> [<decrypted data>] |
167 | * load [<format>] <master-key name> <decrypted data length> |
168 | * <encrypted iv + data> |
169 | * update <new-master-key name> |
170 | * |
171 | * Tokenizes a copy of the keyctl data, returning a pointer to each token, |
172 | * which is null terminated. |
173 | * |
174 | * On success returns 0, otherwise -EINVAL. |
175 | */ |
176 | static int datablob_parse(char *datablob, const char **format, |
177 | char **master_desc, char **decrypted_datalen, |
178 | char **hex_encoded_iv, char **decrypted_data) |
179 | { |
180 | substring_t args[MAX_OPT_ARGS]; |
181 | int ret = -EINVAL; |
182 | int key_cmd; |
183 | int key_format; |
184 | char *p, *keyword; |
185 | |
186 | keyword = strsep(&datablob, " \t" ); |
187 | if (!keyword) { |
188 | pr_info("encrypted_key: insufficient parameters specified\n" ); |
189 | return ret; |
190 | } |
191 | key_cmd = match_token(keyword, table: key_tokens, args); |
192 | |
193 | /* Get optional format: default | ecryptfs */ |
194 | p = strsep(&datablob, " \t" ); |
195 | if (!p) { |
196 | pr_err("encrypted_key: insufficient parameters specified\n" ); |
197 | return ret; |
198 | } |
199 | |
200 | key_format = match_token(p, table: key_format_tokens, args); |
201 | switch (key_format) { |
202 | case Opt_ecryptfs: |
203 | case Opt_enc32: |
204 | case Opt_default: |
205 | *format = p; |
206 | *master_desc = strsep(&datablob, " \t" ); |
207 | break; |
208 | case Opt_error: |
209 | *master_desc = p; |
210 | break; |
211 | } |
212 | |
213 | if (!*master_desc) { |
214 | pr_info("encrypted_key: master key parameter is missing\n" ); |
215 | goto out; |
216 | } |
217 | |
218 | if (valid_master_desc(new_desc: *master_desc, NULL) < 0) { |
219 | pr_info("encrypted_key: master key parameter \'%s\' " |
220 | "is invalid\n" , *master_desc); |
221 | goto out; |
222 | } |
223 | |
224 | if (decrypted_datalen) { |
225 | *decrypted_datalen = strsep(&datablob, " \t" ); |
226 | if (!*decrypted_datalen) { |
227 | pr_info("encrypted_key: keylen parameter is missing\n" ); |
228 | goto out; |
229 | } |
230 | } |
231 | |
232 | switch (key_cmd) { |
233 | case Opt_new: |
234 | if (!decrypted_datalen) { |
235 | pr_info("encrypted_key: keyword \'%s\' not allowed " |
236 | "when called from .update method\n" , keyword); |
237 | break; |
238 | } |
239 | *decrypted_data = strsep(&datablob, " \t" ); |
240 | ret = 0; |
241 | break; |
242 | case Opt_load: |
243 | if (!decrypted_datalen) { |
244 | pr_info("encrypted_key: keyword \'%s\' not allowed " |
245 | "when called from .update method\n" , keyword); |
246 | break; |
247 | } |
248 | *hex_encoded_iv = strsep(&datablob, " \t" ); |
249 | if (!*hex_encoded_iv) { |
250 | pr_info("encrypted_key: hex blob is missing\n" ); |
251 | break; |
252 | } |
253 | ret = 0; |
254 | break; |
255 | case Opt_update: |
256 | if (decrypted_datalen) { |
257 | pr_info("encrypted_key: keyword \'%s\' not allowed " |
258 | "when called from .instantiate method\n" , |
259 | keyword); |
260 | break; |
261 | } |
262 | ret = 0; |
263 | break; |
264 | case Opt_err: |
265 | pr_info("encrypted_key: keyword \'%s\' not recognized\n" , |
266 | keyword); |
267 | break; |
268 | } |
269 | out: |
270 | return ret; |
271 | } |
272 | |
273 | /* |
274 | * datablob_format - format as an ascii string, before copying to userspace |
275 | */ |
276 | static char *datablob_format(struct encrypted_key_payload *epayload, |
277 | size_t asciiblob_len) |
278 | { |
279 | char *ascii_buf, *bufp; |
280 | u8 *iv = epayload->iv; |
281 | int len; |
282 | int i; |
283 | |
284 | ascii_buf = kmalloc(size: asciiblob_len + 1, GFP_KERNEL); |
285 | if (!ascii_buf) |
286 | goto out; |
287 | |
288 | ascii_buf[asciiblob_len] = '\0'; |
289 | |
290 | /* copy datablob master_desc and datalen strings */ |
291 | len = sprintf(buf: ascii_buf, fmt: "%s %s %s " , epayload->format, |
292 | epayload->master_desc, epayload->datalen); |
293 | |
294 | /* convert the hex encoded iv, encrypted-data and HMAC to ascii */ |
295 | bufp = &ascii_buf[len]; |
296 | for (i = 0; i < (asciiblob_len - len) / 2; i++) |
297 | bufp = hex_byte_pack(buf: bufp, byte: iv[i]); |
298 | out: |
299 | return ascii_buf; |
300 | } |
301 | |
302 | /* |
303 | * request_user_key - request the user key |
304 | * |
305 | * Use a user provided key to encrypt/decrypt an encrypted-key. |
306 | */ |
307 | static struct key *request_user_key(const char *master_desc, const u8 **master_key, |
308 | size_t *master_keylen) |
309 | { |
310 | const struct user_key_payload *upayload; |
311 | struct key *ukey; |
312 | |
313 | ukey = request_key(type: &key_type_user, description: master_desc, NULL); |
314 | if (IS_ERR(ptr: ukey)) |
315 | goto error; |
316 | |
317 | down_read(sem: &ukey->sem); |
318 | upayload = user_key_payload_locked(key: ukey); |
319 | if (!upayload) { |
320 | /* key was revoked before we acquired its semaphore */ |
321 | up_read(sem: &ukey->sem); |
322 | key_put(key: ukey); |
323 | ukey = ERR_PTR(error: -EKEYREVOKED); |
324 | goto error; |
325 | } |
326 | *master_key = upayload->data; |
327 | *master_keylen = upayload->datalen; |
328 | error: |
329 | return ukey; |
330 | } |
331 | |
332 | static int calc_hmac(u8 *digest, const u8 *key, unsigned int keylen, |
333 | const u8 *buf, unsigned int buflen) |
334 | { |
335 | struct crypto_shash *tfm; |
336 | int err; |
337 | |
338 | tfm = crypto_alloc_shash(alg_name: hmac_alg, type: 0, mask: 0); |
339 | if (IS_ERR(ptr: tfm)) { |
340 | pr_err("encrypted_key: can't alloc %s transform: %ld\n" , |
341 | hmac_alg, PTR_ERR(tfm)); |
342 | return PTR_ERR(ptr: tfm); |
343 | } |
344 | |
345 | err = crypto_shash_setkey(tfm, key, keylen); |
346 | if (!err) |
347 | err = crypto_shash_tfm_digest(tfm, data: buf, len: buflen, out: digest); |
348 | crypto_free_shash(tfm); |
349 | return err; |
350 | } |
351 | |
352 | enum derived_key_type { ENC_KEY, AUTH_KEY }; |
353 | |
354 | /* Derive authentication/encryption key from trusted key */ |
355 | static int get_derived_key(u8 *derived_key, enum derived_key_type key_type, |
356 | const u8 *master_key, size_t master_keylen) |
357 | { |
358 | u8 *derived_buf; |
359 | unsigned int derived_buf_len; |
360 | int ret; |
361 | |
362 | derived_buf_len = strlen("AUTH_KEY" ) + 1 + master_keylen; |
363 | if (derived_buf_len < HASH_SIZE) |
364 | derived_buf_len = HASH_SIZE; |
365 | |
366 | derived_buf = kzalloc(size: derived_buf_len, GFP_KERNEL); |
367 | if (!derived_buf) |
368 | return -ENOMEM; |
369 | |
370 | if (key_type) |
371 | strcpy(p: derived_buf, q: "AUTH_KEY" ); |
372 | else |
373 | strcpy(p: derived_buf, q: "ENC_KEY" ); |
374 | |
375 | memcpy(derived_buf + strlen(derived_buf) + 1, master_key, |
376 | master_keylen); |
377 | ret = crypto_shash_tfm_digest(tfm: hash_tfm, data: derived_buf, len: derived_buf_len, |
378 | out: derived_key); |
379 | kfree_sensitive(objp: derived_buf); |
380 | return ret; |
381 | } |
382 | |
383 | static struct skcipher_request *init_skcipher_req(const u8 *key, |
384 | unsigned int key_len) |
385 | { |
386 | struct skcipher_request *req; |
387 | struct crypto_skcipher *tfm; |
388 | int ret; |
389 | |
390 | tfm = crypto_alloc_skcipher(alg_name: blkcipher_alg, type: 0, CRYPTO_ALG_ASYNC); |
391 | if (IS_ERR(ptr: tfm)) { |
392 | pr_err("encrypted_key: failed to load %s transform (%ld)\n" , |
393 | blkcipher_alg, PTR_ERR(tfm)); |
394 | return ERR_CAST(ptr: tfm); |
395 | } |
396 | |
397 | ret = crypto_skcipher_setkey(tfm, key, keylen: key_len); |
398 | if (ret < 0) { |
399 | pr_err("encrypted_key: failed to setkey (%d)\n" , ret); |
400 | crypto_free_skcipher(tfm); |
401 | return ERR_PTR(error: ret); |
402 | } |
403 | |
404 | req = skcipher_request_alloc(tfm, GFP_KERNEL); |
405 | if (!req) { |
406 | pr_err("encrypted_key: failed to allocate request for %s\n" , |
407 | blkcipher_alg); |
408 | crypto_free_skcipher(tfm); |
409 | return ERR_PTR(error: -ENOMEM); |
410 | } |
411 | |
412 | skcipher_request_set_callback(req, flags: 0, NULL, NULL); |
413 | return req; |
414 | } |
415 | |
416 | static struct key *request_master_key(struct encrypted_key_payload *epayload, |
417 | const u8 **master_key, size_t *master_keylen) |
418 | { |
419 | struct key *mkey = ERR_PTR(error: -EINVAL); |
420 | |
421 | if (!strncmp(epayload->master_desc, KEY_TRUSTED_PREFIX, |
422 | KEY_TRUSTED_PREFIX_LEN)) { |
423 | mkey = request_trusted_key(trusted_desc: epayload->master_desc + |
424 | KEY_TRUSTED_PREFIX_LEN, |
425 | master_key, master_keylen); |
426 | } else if (!strncmp(epayload->master_desc, KEY_USER_PREFIX, |
427 | KEY_USER_PREFIX_LEN)) { |
428 | mkey = request_user_key(master_desc: epayload->master_desc + |
429 | KEY_USER_PREFIX_LEN, |
430 | master_key, master_keylen); |
431 | } else |
432 | goto out; |
433 | |
434 | if (IS_ERR(ptr: mkey)) { |
435 | int ret = PTR_ERR(ptr: mkey); |
436 | |
437 | if (ret == -ENOTSUPP) |
438 | pr_info("encrypted_key: key %s not supported" , |
439 | epayload->master_desc); |
440 | else |
441 | pr_info("encrypted_key: key %s not found" , |
442 | epayload->master_desc); |
443 | goto out; |
444 | } |
445 | |
446 | dump_master_key(master_key: *master_key, master_keylen: *master_keylen); |
447 | out: |
448 | return mkey; |
449 | } |
450 | |
451 | /* Before returning data to userspace, encrypt decrypted data. */ |
452 | static int derived_key_encrypt(struct encrypted_key_payload *epayload, |
453 | const u8 *derived_key, |
454 | unsigned int derived_keylen) |
455 | { |
456 | struct scatterlist sg_in[2]; |
457 | struct scatterlist sg_out[1]; |
458 | struct crypto_skcipher *tfm; |
459 | struct skcipher_request *req; |
460 | unsigned int encrypted_datalen; |
461 | u8 iv[AES_BLOCK_SIZE]; |
462 | int ret; |
463 | |
464 | encrypted_datalen = roundup(epayload->decrypted_datalen, blksize); |
465 | |
466 | req = init_skcipher_req(key: derived_key, key_len: derived_keylen); |
467 | ret = PTR_ERR(ptr: req); |
468 | if (IS_ERR(ptr: req)) |
469 | goto out; |
470 | dump_decrypted_data(epayload); |
471 | |
472 | sg_init_table(sg_in, 2); |
473 | sg_set_buf(sg: &sg_in[0], buf: epayload->decrypted_data, |
474 | buflen: epayload->decrypted_datalen); |
475 | sg_set_page(sg: &sg_in[1], ZERO_PAGE(0), AES_BLOCK_SIZE, offset: 0); |
476 | |
477 | sg_init_table(sg_out, 1); |
478 | sg_set_buf(sg: sg_out, buf: epayload->encrypted_data, buflen: encrypted_datalen); |
479 | |
480 | memcpy(iv, epayload->iv, sizeof(iv)); |
481 | skcipher_request_set_crypt(req, src: sg_in, dst: sg_out, cryptlen: encrypted_datalen, iv); |
482 | ret = crypto_skcipher_encrypt(req); |
483 | tfm = crypto_skcipher_reqtfm(req); |
484 | skcipher_request_free(req); |
485 | crypto_free_skcipher(tfm); |
486 | if (ret < 0) |
487 | pr_err("encrypted_key: failed to encrypt (%d)\n" , ret); |
488 | else |
489 | dump_encrypted_data(epayload, encrypted_datalen); |
490 | out: |
491 | return ret; |
492 | } |
493 | |
494 | static int datablob_hmac_append(struct encrypted_key_payload *epayload, |
495 | const u8 *master_key, size_t master_keylen) |
496 | { |
497 | u8 derived_key[HASH_SIZE]; |
498 | u8 *digest; |
499 | int ret; |
500 | |
501 | ret = get_derived_key(derived_key, key_type: AUTH_KEY, master_key, master_keylen); |
502 | if (ret < 0) |
503 | goto out; |
504 | |
505 | digest = epayload->format + epayload->datablob_len; |
506 | ret = calc_hmac(digest, key: derived_key, keylen: sizeof derived_key, |
507 | buf: epayload->format, buflen: epayload->datablob_len); |
508 | if (!ret) |
509 | dump_hmac(NULL, digest, HASH_SIZE); |
510 | out: |
511 | memzero_explicit(s: derived_key, count: sizeof(derived_key)); |
512 | return ret; |
513 | } |
514 | |
515 | /* verify HMAC before decrypting encrypted key */ |
516 | static int datablob_hmac_verify(struct encrypted_key_payload *epayload, |
517 | const u8 *format, const u8 *master_key, |
518 | size_t master_keylen) |
519 | { |
520 | u8 derived_key[HASH_SIZE]; |
521 | u8 digest[HASH_SIZE]; |
522 | int ret; |
523 | char *p; |
524 | unsigned short len; |
525 | |
526 | ret = get_derived_key(derived_key, key_type: AUTH_KEY, master_key, master_keylen); |
527 | if (ret < 0) |
528 | goto out; |
529 | |
530 | len = epayload->datablob_len; |
531 | if (!format) { |
532 | p = epayload->master_desc; |
533 | len -= strlen(epayload->format) + 1; |
534 | } else |
535 | p = epayload->format; |
536 | |
537 | ret = calc_hmac(digest, key: derived_key, keylen: sizeof derived_key, buf: p, buflen: len); |
538 | if (ret < 0) |
539 | goto out; |
540 | ret = crypto_memneq(a: digest, b: epayload->format + epayload->datablob_len, |
541 | size: sizeof(digest)); |
542 | if (ret) { |
543 | ret = -EINVAL; |
544 | dump_hmac(str: "datablob" , |
545 | digest: epayload->format + epayload->datablob_len, |
546 | HASH_SIZE); |
547 | dump_hmac(str: "calc" , digest, HASH_SIZE); |
548 | } |
549 | out: |
550 | memzero_explicit(s: derived_key, count: sizeof(derived_key)); |
551 | return ret; |
552 | } |
553 | |
554 | static int derived_key_decrypt(struct encrypted_key_payload *epayload, |
555 | const u8 *derived_key, |
556 | unsigned int derived_keylen) |
557 | { |
558 | struct scatterlist sg_in[1]; |
559 | struct scatterlist sg_out[2]; |
560 | struct crypto_skcipher *tfm; |
561 | struct skcipher_request *req; |
562 | unsigned int encrypted_datalen; |
563 | u8 iv[AES_BLOCK_SIZE]; |
564 | u8 *pad; |
565 | int ret; |
566 | |
567 | /* Throwaway buffer to hold the unused zero padding at the end */ |
568 | pad = kmalloc(AES_BLOCK_SIZE, GFP_KERNEL); |
569 | if (!pad) |
570 | return -ENOMEM; |
571 | |
572 | encrypted_datalen = roundup(epayload->decrypted_datalen, blksize); |
573 | req = init_skcipher_req(key: derived_key, key_len: derived_keylen); |
574 | ret = PTR_ERR(ptr: req); |
575 | if (IS_ERR(ptr: req)) |
576 | goto out; |
577 | dump_encrypted_data(epayload, encrypted_datalen); |
578 | |
579 | sg_init_table(sg_in, 1); |
580 | sg_init_table(sg_out, 2); |
581 | sg_set_buf(sg: sg_in, buf: epayload->encrypted_data, buflen: encrypted_datalen); |
582 | sg_set_buf(sg: &sg_out[0], buf: epayload->decrypted_data, |
583 | buflen: epayload->decrypted_datalen); |
584 | sg_set_buf(sg: &sg_out[1], buf: pad, AES_BLOCK_SIZE); |
585 | |
586 | memcpy(iv, epayload->iv, sizeof(iv)); |
587 | skcipher_request_set_crypt(req, src: sg_in, dst: sg_out, cryptlen: encrypted_datalen, iv); |
588 | ret = crypto_skcipher_decrypt(req); |
589 | tfm = crypto_skcipher_reqtfm(req); |
590 | skcipher_request_free(req); |
591 | crypto_free_skcipher(tfm); |
592 | if (ret < 0) |
593 | goto out; |
594 | dump_decrypted_data(epayload); |
595 | out: |
596 | kfree(objp: pad); |
597 | return ret; |
598 | } |
599 | |
600 | /* Allocate memory for decrypted key and datablob. */ |
601 | static struct encrypted_key_payload *encrypted_key_alloc(struct key *key, |
602 | const char *format, |
603 | const char *master_desc, |
604 | const char *datalen, |
605 | const char *decrypted_data) |
606 | { |
607 | struct encrypted_key_payload *epayload = NULL; |
608 | unsigned short datablob_len; |
609 | unsigned short decrypted_datalen; |
610 | unsigned short payload_datalen; |
611 | unsigned int encrypted_datalen; |
612 | unsigned int format_len; |
613 | long dlen; |
614 | int i; |
615 | int ret; |
616 | |
617 | ret = kstrtol(s: datalen, base: 10, res: &dlen); |
618 | if (ret < 0 || dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE) |
619 | return ERR_PTR(error: -EINVAL); |
620 | |
621 | format_len = (!format) ? strlen(key_format_default) : strlen(format); |
622 | decrypted_datalen = dlen; |
623 | payload_datalen = decrypted_datalen; |
624 | |
625 | if (decrypted_data) { |
626 | if (!user_decrypted_data) { |
627 | pr_err("encrypted key: instantiation of keys using provided decrypted data is disabled since CONFIG_USER_DECRYPTED_DATA is set to false\n" ); |
628 | return ERR_PTR(error: -EINVAL); |
629 | } |
630 | if (strlen(decrypted_data) != decrypted_datalen * 2) { |
631 | pr_err("encrypted key: decrypted data provided does not match decrypted data length provided\n" ); |
632 | return ERR_PTR(error: -EINVAL); |
633 | } |
634 | for (i = 0; i < strlen(decrypted_data); i++) { |
635 | if (!isxdigit(decrypted_data[i])) { |
636 | pr_err("encrypted key: decrypted data provided must contain only hexadecimal characters\n" ); |
637 | return ERR_PTR(error: -EINVAL); |
638 | } |
639 | } |
640 | } |
641 | |
642 | if (format) { |
643 | if (!strcmp(format, key_format_ecryptfs)) { |
644 | if (dlen != ECRYPTFS_MAX_KEY_BYTES) { |
645 | pr_err("encrypted_key: keylen for the ecryptfs format must be equal to %d bytes\n" , |
646 | ECRYPTFS_MAX_KEY_BYTES); |
647 | return ERR_PTR(error: -EINVAL); |
648 | } |
649 | decrypted_datalen = ECRYPTFS_MAX_KEY_BYTES; |
650 | payload_datalen = sizeof(struct ecryptfs_auth_tok); |
651 | } else if (!strcmp(format, key_format_enc32)) { |
652 | if (decrypted_datalen != KEY_ENC32_PAYLOAD_LEN) { |
653 | pr_err("encrypted_key: enc32 key payload incorrect length: %d\n" , |
654 | decrypted_datalen); |
655 | return ERR_PTR(error: -EINVAL); |
656 | } |
657 | } |
658 | } |
659 | |
660 | encrypted_datalen = roundup(decrypted_datalen, blksize); |
661 | |
662 | datablob_len = format_len + 1 + strlen(master_desc) + 1 |
663 | + strlen(datalen) + 1 + ivsize + 1 + encrypted_datalen; |
664 | |
665 | ret = key_payload_reserve(key, datalen: payload_datalen + datablob_len |
666 | + HASH_SIZE + 1); |
667 | if (ret < 0) |
668 | return ERR_PTR(error: ret); |
669 | |
670 | epayload = kzalloc(size: sizeof(*epayload) + payload_datalen + |
671 | datablob_len + HASH_SIZE + 1, GFP_KERNEL); |
672 | if (!epayload) |
673 | return ERR_PTR(error: -ENOMEM); |
674 | |
675 | epayload->payload_datalen = payload_datalen; |
676 | epayload->decrypted_datalen = decrypted_datalen; |
677 | epayload->datablob_len = datablob_len; |
678 | return epayload; |
679 | } |
680 | |
681 | static int encrypted_key_decrypt(struct encrypted_key_payload *epayload, |
682 | const char *format, const char *hex_encoded_iv) |
683 | { |
684 | struct key *mkey; |
685 | u8 derived_key[HASH_SIZE]; |
686 | const u8 *master_key; |
687 | u8 *hmac; |
688 | const char *hex_encoded_data; |
689 | unsigned int encrypted_datalen; |
690 | size_t master_keylen; |
691 | size_t asciilen; |
692 | int ret; |
693 | |
694 | encrypted_datalen = roundup(epayload->decrypted_datalen, blksize); |
695 | asciilen = (ivsize + 1 + encrypted_datalen + HASH_SIZE) * 2; |
696 | if (strlen(hex_encoded_iv) != asciilen) |
697 | return -EINVAL; |
698 | |
699 | hex_encoded_data = hex_encoded_iv + (2 * ivsize) + 2; |
700 | ret = hex2bin(dst: epayload->iv, src: hex_encoded_iv, count: ivsize); |
701 | if (ret < 0) |
702 | return -EINVAL; |
703 | ret = hex2bin(dst: epayload->encrypted_data, src: hex_encoded_data, |
704 | count: encrypted_datalen); |
705 | if (ret < 0) |
706 | return -EINVAL; |
707 | |
708 | hmac = epayload->format + epayload->datablob_len; |
709 | ret = hex2bin(dst: hmac, src: hex_encoded_data + (encrypted_datalen * 2), |
710 | HASH_SIZE); |
711 | if (ret < 0) |
712 | return -EINVAL; |
713 | |
714 | mkey = request_master_key(epayload, master_key: &master_key, master_keylen: &master_keylen); |
715 | if (IS_ERR(ptr: mkey)) |
716 | return PTR_ERR(ptr: mkey); |
717 | |
718 | ret = datablob_hmac_verify(epayload, format, master_key, master_keylen); |
719 | if (ret < 0) { |
720 | pr_err("encrypted_key: bad hmac (%d)\n" , ret); |
721 | goto out; |
722 | } |
723 | |
724 | ret = get_derived_key(derived_key, key_type: ENC_KEY, master_key, master_keylen); |
725 | if (ret < 0) |
726 | goto out; |
727 | |
728 | ret = derived_key_decrypt(epayload, derived_key, derived_keylen: sizeof derived_key); |
729 | if (ret < 0) |
730 | pr_err("encrypted_key: failed to decrypt key (%d)\n" , ret); |
731 | out: |
732 | up_read(sem: &mkey->sem); |
733 | key_put(key: mkey); |
734 | memzero_explicit(s: derived_key, count: sizeof(derived_key)); |
735 | return ret; |
736 | } |
737 | |
738 | static void __ekey_init(struct encrypted_key_payload *epayload, |
739 | const char *format, const char *master_desc, |
740 | const char *datalen) |
741 | { |
742 | unsigned int format_len; |
743 | |
744 | format_len = (!format) ? strlen(key_format_default) : strlen(format); |
745 | epayload->format = epayload->payload_data + epayload->payload_datalen; |
746 | epayload->master_desc = epayload->format + format_len + 1; |
747 | epayload->datalen = epayload->master_desc + strlen(master_desc) + 1; |
748 | epayload->iv = epayload->datalen + strlen(datalen) + 1; |
749 | epayload->encrypted_data = epayload->iv + ivsize + 1; |
750 | epayload->decrypted_data = epayload->payload_data; |
751 | |
752 | if (!format) |
753 | memcpy(epayload->format, key_format_default, format_len); |
754 | else { |
755 | if (!strcmp(format, key_format_ecryptfs)) |
756 | epayload->decrypted_data = |
757 | ecryptfs_get_auth_tok_key(auth_tok: (struct ecryptfs_auth_tok *)epayload->payload_data); |
758 | |
759 | memcpy(epayload->format, format, format_len); |
760 | } |
761 | |
762 | memcpy(epayload->master_desc, master_desc, strlen(master_desc)); |
763 | memcpy(epayload->datalen, datalen, strlen(datalen)); |
764 | } |
765 | |
766 | /* |
767 | * encrypted_init - initialize an encrypted key |
768 | * |
769 | * For a new key, use either a random number or user-provided decrypted data in |
770 | * case it is provided. A random number is used for the iv in both cases. For |
771 | * an old key, decrypt the hex encoded data. |
772 | */ |
773 | static int encrypted_init(struct encrypted_key_payload *epayload, |
774 | const char *key_desc, const char *format, |
775 | const char *master_desc, const char *datalen, |
776 | const char *hex_encoded_iv, const char *decrypted_data) |
777 | { |
778 | int ret = 0; |
779 | |
780 | if (format && !strcmp(format, key_format_ecryptfs)) { |
781 | ret = valid_ecryptfs_desc(ecryptfs_desc: key_desc); |
782 | if (ret < 0) |
783 | return ret; |
784 | |
785 | ecryptfs_fill_auth_tok(auth_tok: (struct ecryptfs_auth_tok *)epayload->payload_data, |
786 | key_desc); |
787 | } |
788 | |
789 | __ekey_init(epayload, format, master_desc, datalen); |
790 | if (hex_encoded_iv) { |
791 | ret = encrypted_key_decrypt(epayload, format, hex_encoded_iv); |
792 | } else if (decrypted_data) { |
793 | get_random_bytes(buf: epayload->iv, len: ivsize); |
794 | ret = hex2bin(dst: epayload->decrypted_data, src: decrypted_data, |
795 | count: epayload->decrypted_datalen); |
796 | } else { |
797 | get_random_bytes(buf: epayload->iv, len: ivsize); |
798 | get_random_bytes(buf: epayload->decrypted_data, len: epayload->decrypted_datalen); |
799 | } |
800 | return ret; |
801 | } |
802 | |
803 | /* |
804 | * encrypted_instantiate - instantiate an encrypted key |
805 | * |
806 | * Instantiates the key: |
807 | * - by decrypting an existing encrypted datablob, or |
808 | * - by creating a new encrypted key based on a kernel random number, or |
809 | * - using provided decrypted data. |
810 | * |
811 | * On success, return 0. Otherwise return errno. |
812 | */ |
813 | static int encrypted_instantiate(struct key *key, |
814 | struct key_preparsed_payload *prep) |
815 | { |
816 | struct encrypted_key_payload *epayload = NULL; |
817 | char *datablob = NULL; |
818 | const char *format = NULL; |
819 | char *master_desc = NULL; |
820 | char *decrypted_datalen = NULL; |
821 | char *hex_encoded_iv = NULL; |
822 | char *decrypted_data = NULL; |
823 | size_t datalen = prep->datalen; |
824 | int ret; |
825 | |
826 | if (datalen <= 0 || datalen > 32767 || !prep->data) |
827 | return -EINVAL; |
828 | |
829 | datablob = kmalloc(size: datalen + 1, GFP_KERNEL); |
830 | if (!datablob) |
831 | return -ENOMEM; |
832 | datablob[datalen] = 0; |
833 | memcpy(datablob, prep->data, datalen); |
834 | ret = datablob_parse(datablob, format: &format, master_desc: &master_desc, |
835 | decrypted_datalen: &decrypted_datalen, hex_encoded_iv: &hex_encoded_iv, decrypted_data: &decrypted_data); |
836 | if (ret < 0) |
837 | goto out; |
838 | |
839 | epayload = encrypted_key_alloc(key, format, master_desc, |
840 | datalen: decrypted_datalen, decrypted_data); |
841 | if (IS_ERR(ptr: epayload)) { |
842 | ret = PTR_ERR(ptr: epayload); |
843 | goto out; |
844 | } |
845 | ret = encrypted_init(epayload, key_desc: key->description, format, master_desc, |
846 | datalen: decrypted_datalen, hex_encoded_iv, decrypted_data); |
847 | if (ret < 0) { |
848 | kfree_sensitive(objp: epayload); |
849 | goto out; |
850 | } |
851 | |
852 | rcu_assign_keypointer(key, epayload); |
853 | out: |
854 | kfree_sensitive(objp: datablob); |
855 | return ret; |
856 | } |
857 | |
858 | static void encrypted_rcu_free(struct rcu_head *rcu) |
859 | { |
860 | struct encrypted_key_payload *epayload; |
861 | |
862 | epayload = container_of(rcu, struct encrypted_key_payload, rcu); |
863 | kfree_sensitive(objp: epayload); |
864 | } |
865 | |
866 | /* |
867 | * encrypted_update - update the master key description |
868 | * |
869 | * Change the master key description for an existing encrypted key. |
870 | * The next read will return an encrypted datablob using the new |
871 | * master key description. |
872 | * |
873 | * On success, return 0. Otherwise return errno. |
874 | */ |
875 | static int encrypted_update(struct key *key, struct key_preparsed_payload *prep) |
876 | { |
877 | struct encrypted_key_payload *epayload = key->payload.data[0]; |
878 | struct encrypted_key_payload *new_epayload; |
879 | char *buf; |
880 | char *new_master_desc = NULL; |
881 | const char *format = NULL; |
882 | size_t datalen = prep->datalen; |
883 | int ret = 0; |
884 | |
885 | if (key_is_negative(key)) |
886 | return -ENOKEY; |
887 | if (datalen <= 0 || datalen > 32767 || !prep->data) |
888 | return -EINVAL; |
889 | |
890 | buf = kmalloc(size: datalen + 1, GFP_KERNEL); |
891 | if (!buf) |
892 | return -ENOMEM; |
893 | |
894 | buf[datalen] = 0; |
895 | memcpy(buf, prep->data, datalen); |
896 | ret = datablob_parse(datablob: buf, format: &format, master_desc: &new_master_desc, NULL, NULL, NULL); |
897 | if (ret < 0) |
898 | goto out; |
899 | |
900 | ret = valid_master_desc(new_desc: new_master_desc, orig_desc: epayload->master_desc); |
901 | if (ret < 0) |
902 | goto out; |
903 | |
904 | new_epayload = encrypted_key_alloc(key, format: epayload->format, |
905 | master_desc: new_master_desc, datalen: epayload->datalen, NULL); |
906 | if (IS_ERR(ptr: new_epayload)) { |
907 | ret = PTR_ERR(ptr: new_epayload); |
908 | goto out; |
909 | } |
910 | |
911 | __ekey_init(epayload: new_epayload, format: epayload->format, master_desc: new_master_desc, |
912 | datalen: epayload->datalen); |
913 | |
914 | memcpy(new_epayload->iv, epayload->iv, ivsize); |
915 | memcpy(new_epayload->payload_data, epayload->payload_data, |
916 | epayload->payload_datalen); |
917 | |
918 | rcu_assign_keypointer(key, new_epayload); |
919 | call_rcu(head: &epayload->rcu, func: encrypted_rcu_free); |
920 | out: |
921 | kfree_sensitive(objp: buf); |
922 | return ret; |
923 | } |
924 | |
925 | /* |
926 | * encrypted_read - format and copy out the encrypted data |
927 | * |
928 | * The resulting datablob format is: |
929 | * <master-key name> <decrypted data length> <encrypted iv> <encrypted data> |
930 | * |
931 | * On success, return to userspace the encrypted key datablob size. |
932 | */ |
933 | static long encrypted_read(const struct key *key, char *buffer, |
934 | size_t buflen) |
935 | { |
936 | struct encrypted_key_payload *epayload; |
937 | struct key *mkey; |
938 | const u8 *master_key; |
939 | size_t master_keylen; |
940 | char derived_key[HASH_SIZE]; |
941 | char *ascii_buf; |
942 | size_t asciiblob_len; |
943 | int ret; |
944 | |
945 | epayload = dereference_key_locked(key); |
946 | |
947 | /* returns the hex encoded iv, encrypted-data, and hmac as ascii */ |
948 | asciiblob_len = epayload->datablob_len + ivsize + 1 |
949 | + roundup(epayload->decrypted_datalen, blksize) |
950 | + (HASH_SIZE * 2); |
951 | |
952 | if (!buffer || buflen < asciiblob_len) |
953 | return asciiblob_len; |
954 | |
955 | mkey = request_master_key(epayload, master_key: &master_key, master_keylen: &master_keylen); |
956 | if (IS_ERR(ptr: mkey)) |
957 | return PTR_ERR(ptr: mkey); |
958 | |
959 | ret = get_derived_key(derived_key, key_type: ENC_KEY, master_key, master_keylen); |
960 | if (ret < 0) |
961 | goto out; |
962 | |
963 | ret = derived_key_encrypt(epayload, derived_key, derived_keylen: sizeof derived_key); |
964 | if (ret < 0) |
965 | goto out; |
966 | |
967 | ret = datablob_hmac_append(epayload, master_key, master_keylen); |
968 | if (ret < 0) |
969 | goto out; |
970 | |
971 | ascii_buf = datablob_format(epayload, asciiblob_len); |
972 | if (!ascii_buf) { |
973 | ret = -ENOMEM; |
974 | goto out; |
975 | } |
976 | |
977 | up_read(sem: &mkey->sem); |
978 | key_put(key: mkey); |
979 | memzero_explicit(s: derived_key, count: sizeof(derived_key)); |
980 | |
981 | memcpy(buffer, ascii_buf, asciiblob_len); |
982 | kfree_sensitive(objp: ascii_buf); |
983 | |
984 | return asciiblob_len; |
985 | out: |
986 | up_read(sem: &mkey->sem); |
987 | key_put(key: mkey); |
988 | memzero_explicit(s: derived_key, count: sizeof(derived_key)); |
989 | return ret; |
990 | } |
991 | |
992 | /* |
993 | * encrypted_destroy - clear and free the key's payload |
994 | */ |
995 | static void encrypted_destroy(struct key *key) |
996 | { |
997 | kfree_sensitive(objp: key->payload.data[0]); |
998 | } |
999 | |
1000 | struct key_type key_type_encrypted = { |
1001 | .name = "encrypted" , |
1002 | .instantiate = encrypted_instantiate, |
1003 | .update = encrypted_update, |
1004 | .destroy = encrypted_destroy, |
1005 | .describe = user_describe, |
1006 | .read = encrypted_read, |
1007 | }; |
1008 | EXPORT_SYMBOL_GPL(key_type_encrypted); |
1009 | |
1010 | static int __init init_encrypted(void) |
1011 | { |
1012 | int ret; |
1013 | |
1014 | hash_tfm = crypto_alloc_shash(alg_name: hash_alg, type: 0, mask: 0); |
1015 | if (IS_ERR(ptr: hash_tfm)) { |
1016 | pr_err("encrypted_key: can't allocate %s transform: %ld\n" , |
1017 | hash_alg, PTR_ERR(hash_tfm)); |
1018 | return PTR_ERR(ptr: hash_tfm); |
1019 | } |
1020 | |
1021 | ret = aes_get_sizes(); |
1022 | if (ret < 0) |
1023 | goto out; |
1024 | ret = register_key_type(ktype: &key_type_encrypted); |
1025 | if (ret < 0) |
1026 | goto out; |
1027 | return 0; |
1028 | out: |
1029 | crypto_free_shash(tfm: hash_tfm); |
1030 | return ret; |
1031 | |
1032 | } |
1033 | |
1034 | static void __exit cleanup_encrypted(void) |
1035 | { |
1036 | crypto_free_shash(tfm: hash_tfm); |
1037 | unregister_key_type(ktype: &key_type_encrypted); |
1038 | } |
1039 | |
1040 | late_initcall(init_encrypted); |
1041 | module_exit(cleanup_encrypted); |
1042 | |
1043 | MODULE_LICENSE("GPL" ); |
1044 | |