[linux-2.6-block.git] / fs / crypto / keyinfo.c

/*
 * key management facility for FS encryption support.
 *
 * Copyright (C) 2015, Google, Inc.
 *
 * This contains encryption key functions.
 *
 * Written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar, 2015.
 */

#include <keys/encrypted-type.h>
#include <keys/user-type.h>
#include <linux/random.h>
#include <linux/scatterlist.h>
#include <uapi/linux/keyctl.h>
#include <linux/fscrypto.h>

static void derive_crypt_complete(struct crypto_async_request *req, int rc)
{
	struct fscrypt_completion_result *ecr = req->data;

	if (rc == -EINPROGRESS)
		return;

	ecr->res = rc;
	complete(&ecr->completion);
}

/**
 * derive_key_aes() - Derive a key using AES-128-ECB
 * @deriving_key: Encryption key used for derivation.
 * @source_key:   Source key to which to apply derivation.
 * @derived_key:  Derived key.
 *
 * Return: Zero on success; non-zero otherwise.
 */
static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE],
				u8 source_key[FS_AES_256_XTS_KEY_SIZE],
				u8 derived_key[FS_AES_256_XTS_KEY_SIZE])
{
	int res = 0;
	struct skcipher_request *req = NULL;
	DECLARE_FS_COMPLETION_RESULT(ecr);
	struct scatterlist src_sg, dst_sg;
	struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0);

	if (IS_ERR(tfm)) {
		res = PTR_ERR(tfm);
		tfm = NULL;
		goto out;
	}
	crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_WEAK_KEY);
	req = skcipher_request_alloc(tfm, GFP_NOFS);
	if (!req) {
		res = -ENOMEM;
		goto out;
	}
	skcipher_request_set_callback(req,
			CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
			derive_crypt_complete, &ecr);
	res = crypto_skcipher_setkey(tfm, deriving_key,
					FS_AES_128_ECB_KEY_SIZE);
	if (res < 0)
		goto out;

	sg_init_one(&src_sg, source_key, FS_AES_256_XTS_KEY_SIZE);
	sg_init_one(&dst_sg, derived_key, FS_AES_256_XTS_KEY_SIZE);
	skcipher_request_set_crypt(req, &src_sg, &dst_sg,
					FS_AES_256_XTS_KEY_SIZE, NULL);
	res = crypto_skcipher_encrypt(req);
	if (res == -EINPROGRESS || res == -EBUSY) {
		wait_for_completion(&ecr.completion);
		res = ecr.res;
	}
out:
	skcipher_request_free(req);
	crypto_free_skcipher(tfm);
	return res;
}

static void put_crypt_info(struct fscrypt_info *ci)
{
	if (!ci)
		return;

	key_put(ci->ci_keyring_key);
	crypto_free_skcipher(ci->ci_ctfm);
	kmem_cache_free(fscrypt_info_cachep, ci);
}

int get_crypt_info(struct inode *inode)
{
	struct fscrypt_info *crypt_info;
	u8 full_key_descriptor[FS_KEY_DESC_PREFIX_SIZE +
				(FS_KEY_DESCRIPTOR_SIZE * 2) + 1];
	struct key *keyring_key = NULL;
	struct fscrypt_key *master_key;
	struct fscrypt_context ctx;
	const struct user_key_payload *ukp;
	struct crypto_skcipher *ctfm;
	const char *cipher_str;
	u8 raw_key[FS_MAX_KEY_SIZE];
	u8 mode;
	int res;

	res = fscrypt_initialize();
	if (res)
		return res;

	if (!inode->i_sb->s_cop->get_context)
		return -EOPNOTSUPP;
retry:
	crypt_info = ACCESS_ONCE(inode->i_crypt_info);
	if (crypt_info) {
		if (!crypt_info->ci_keyring_key ||
				key_validate(crypt_info->ci_keyring_key) == 0)
			return 0;
		fscrypt_put_encryption_info(inode, crypt_info);
		goto retry;
	}

	res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
	if (res < 0) {
		if (!fscrypt_dummy_context_enabled(inode))
			return res;
		ctx.contents_encryption_mode = FS_ENCRYPTION_MODE_AES_256_XTS;
		ctx.filenames_encryption_mode = FS_ENCRYPTION_MODE_AES_256_CTS;
		ctx.flags = 0;
	} else if (res != sizeof(ctx)) {
		return -EINVAL;
	}
	res = 0;

	crypt_info = kmem_cache_alloc(fscrypt_info_cachep, GFP_NOFS);
	if (!crypt_info)
		return -ENOMEM;

	crypt_info->ci_flags = ctx.flags;
	crypt_info->ci_data_mode = ctx.contents_encryption_mode;
	crypt_info->ci_filename_mode = ctx.filenames_encryption_mode;
	crypt_info->ci_ctfm = NULL;
	crypt_info->ci_keyring_key = NULL;
	memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor,
				sizeof(crypt_info->ci_master_key));
	if (S_ISREG(inode->i_mode))
		mode = crypt_info->ci_data_mode;
	else if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode))
		mode = crypt_info->ci_filename_mode;
	else
		BUG();

	switch (mode) {
	case FS_ENCRYPTION_MODE_AES_256_XTS:
		cipher_str = "xts(aes)";
		break;
	case FS_ENCRYPTION_MODE_AES_256_CTS:
		cipher_str = "cts(cbc(aes))";
		break;
	default:
		printk_once(KERN_WARNING
			    "%s: unsupported key mode %d (ino %u)\n",
			    __func__, mode, (unsigned) inode->i_ino);
		res = -ENOKEY;
		goto out;
	}
	if (fscrypt_dummy_context_enabled(inode)) {
		memset(raw_key, 0x42, FS_AES_256_XTS_KEY_SIZE);
		goto got_key;
	}
	memcpy(full_key_descriptor, FS_KEY_DESC_PREFIX,
					FS_KEY_DESC_PREFIX_SIZE);
	sprintf(full_key_descriptor + FS_KEY_DESC_PREFIX_SIZE,
					"%*phN", FS_KEY_DESCRIPTOR_SIZE,
					ctx.master_key_descriptor);
	full_key_descriptor[FS_KEY_DESC_PREFIX_SIZE +
					(2 * FS_KEY_DESCRIPTOR_SIZE)] = '\0';
	keyring_key = request_key(&key_type_logon, full_key_descriptor, NULL);
	if (IS_ERR(keyring_key)) {
		res = PTR_ERR(keyring_key);
		keyring_key = NULL;
		goto out;
	}
	crypt_info->ci_keyring_key = keyring_key;
	if (keyring_key->type != &key_type_logon) {
		printk_once(KERN_WARNING
				"%s: key type must be logon\n", __func__);
		res = -ENOKEY;
		goto out;
	}
	down_read(&keyring_key->sem);
	ukp = user_key_payload(keyring_key);
	if (ukp->datalen != sizeof(struct fscrypt_key)) {
		res = -EINVAL;
		up_read(&keyring_key->sem);
		goto out;
	}
	master_key = (struct fscrypt_key *)ukp->data;
	BUILD_BUG_ON(FS_AES_128_ECB_KEY_SIZE != FS_KEY_DERIVATION_NONCE_SIZE);

	if (master_key->size != FS_AES_256_XTS_KEY_SIZE) {
		printk_once(KERN_WARNING
				"%s: key size incorrect: %d\n",
				__func__, master_key->size);
		res = -ENOKEY;
		up_read(&keyring_key->sem);
		goto out;
	}
	res = derive_key_aes(ctx.nonce, master_key->raw, raw_key);
	up_read(&keyring_key->sem);
	if (res)
		goto out;
got_key:
	ctfm = crypto_alloc_skcipher(cipher_str, 0, 0);
	if (!ctfm || IS_ERR(ctfm)) {
		res = ctfm ? PTR_ERR(ctfm) : -ENOMEM;
		printk(KERN_DEBUG
		       "%s: error %d (inode %u) allocating crypto tfm\n",
		       __func__, res, (unsigned) inode->i_ino);
		goto out;
	}
	crypt_info->ci_ctfm = ctfm;
	crypto_skcipher_clear_flags(ctfm, ~0);
	crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_REQ_WEAK_KEY);
	res = crypto_skcipher_setkey(ctfm, raw_key, fscrypt_key_size(mode));
	if (res)
		goto out;

	memzero_explicit(raw_key, sizeof(raw_key));
	if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) != NULL) {
		put_crypt_info(crypt_info);
		goto retry;
	}
	return 0;

out:
	if (res == -ENOKEY)
		res = 0;
	put_crypt_info(crypt_info);
	memzero_explicit(raw_key, sizeof(raw_key));
	return res;
}

void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci)
{
	struct fscrypt_info *prev;

	if (ci == NULL)
		ci = ACCESS_ONCE(inode->i_crypt_info);
	if (ci == NULL)
		return;

	prev = cmpxchg(&inode->i_crypt_info, ci, NULL);
	if (prev != ci)
		return;

	put_crypt_info(ci);
}
EXPORT_SYMBOL(fscrypt_put_encryption_info);

int fscrypt_get_encryption_info(struct inode *inode)
{
	struct fscrypt_info *ci = inode->i_crypt_info;

	if (!ci ||
		(ci->ci_keyring_key &&
		 (ci->ci_keyring_key->flags & ((1 << KEY_FLAG_INVALIDATED) |
					       (1 << KEY_FLAG_REVOKED) |
					       (1 << KEY_FLAG_DEAD)))))
		return get_crypt_info(inode);
	return 0;
}
EXPORT_SYMBOL(fscrypt_get_encryption_info);
Commit	Line	Data
0adda907	1	/*
0b81d077	2	* key management facility for FS encryption support.
0adda907 JK	3	*
	4	* Copyright (C) 2015, Google, Inc.
	5	*
0b81d077	6	* This contains encryption key functions.
0adda907 JK	7	*
	8	* Written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar, 2015.
	9	*/
0b81d077	10
0adda907 JK	11	#include <keys/encrypted-type.h>
	12	#include <keys/user-type.h>
	13	#include <linux/random.h>
	14	#include <linux/scatterlist.h>
	15	#include <uapi/linux/keyctl.h>
0b81d077	16	#include <linux/fscrypto.h>
0adda907 JK	17
	18	static void derive_crypt_complete(struct crypto_async_request *req, int rc)
	19	{
0b81d077	20	struct fscrypt_completion_result *ecr = req->data;
0adda907 JK	21
	22	if (rc == -EINPROGRESS)
	23	return;
	24
	25	ecr->res = rc;
	26	complete(&ecr->completion);
	27	}
	28
	29	/**
0b81d077	30	* derive_key_aes() - Derive a key using AES-128-ECB
0fac2d50	31	* @deriving_key: Encryption key used for derivation.
0adda907 JK	32	* @source_key: Source key to which to apply derivation.
	33	* @derived_key: Derived key.
	34	*
	35	* Return: Zero on success; non-zero otherwise.
	36	*/
0b81d077 JK	37	static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE],
	38	u8 source_key[FS_AES_256_XTS_KEY_SIZE],
	39	u8 derived_key[FS_AES_256_XTS_KEY_SIZE])
0adda907 JK	40	{
0adda907 JK	41	int res = 0;
d407574e	42	struct skcipher_request *req = NULL;
0b81d077	43	DECLARE_FS_COMPLETION_RESULT(ecr);
0adda907	44	struct scatterlist src_sg, dst_sg;
d407574e	45	struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0);
0adda907 JK	46
	47	if (IS_ERR(tfm)) {
	48	res = PTR_ERR(tfm);
	49	tfm = NULL;
	50	goto out;
	51	}
d407574e LT	52	crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_WEAK_KEY);
d407574e LT	53	req = skcipher_request_alloc(tfm, GFP_NOFS);
0adda907 JK	54	if (!req) {
	55	res = -ENOMEM;
	56	goto out;
	57	}
d407574e	58	skcipher_request_set_callback(req,
0adda907 JK	59	CRYPTO_TFM_REQ_MAY_BACKLOG \| CRYPTO_TFM_REQ_MAY_SLEEP,
0adda907 JK	60	derive_crypt_complete, &ecr);
d407574e	61	res = crypto_skcipher_setkey(tfm, deriving_key,
0b81d077	62	FS_AES_128_ECB_KEY_SIZE);
0adda907 JK	63	if (res < 0)
	64	goto out;
	65
0b81d077 JK	66	sg_init_one(&src_sg, source_key, FS_AES_256_XTS_KEY_SIZE);
0b81d077 JK	67	sg_init_one(&dst_sg, derived_key, FS_AES_256_XTS_KEY_SIZE);
d407574e	68	skcipher_request_set_crypt(req, &src_sg, &dst_sg,
0b81d077	69	FS_AES_256_XTS_KEY_SIZE, NULL);
d407574e	70	res = crypto_skcipher_encrypt(req);
0adda907	71	if (res == -EINPROGRESS \|\| res == -EBUSY) {
0adda907 JK	72	wait_for_completion(&ecr.completion);
	73	res = ecr.res;
	74	}
	75	out:
d407574e LT	76	skcipher_request_free(req);
d407574e LT	77	crypto_free_skcipher(tfm);
0adda907 JK	78	return res;
	79	}
	80
0b81d077	81	static void put_crypt_info(struct fscrypt_info *ci)
0adda907	82	{
0adda907 JK	83	if (!ci)
	84	return;
	85
d407574e LT	86	key_put(ci->ci_keyring_key);
d407574e LT	87	crypto_free_skcipher(ci->ci_ctfm);
0b81d077	88	kmem_cache_free(fscrypt_info_cachep, ci);
0adda907 JK	89	}
0adda907 JK	90
0b81d077	91	int get_crypt_info(struct inode *inode)
0adda907	92	{
0b81d077 JK	93	struct fscrypt_info *crypt_info;
	94	u8 full_key_descriptor[FS_KEY_DESC_PREFIX_SIZE +
	95	(FS_KEY_DESCRIPTOR_SIZE * 2) + 1];
0adda907	96	struct key *keyring_key = NULL;
0b81d077 JK	97	struct fscrypt_key *master_key;
0b81d077 JK	98	struct fscrypt_context ctx;
146aa8b1	99	const struct user_key_payload *ukp;
d407574e	100	struct crypto_skcipher *ctfm;
26bf3dc7	101	const char *cipher_str;
0b81d077 JK	102	u8 raw_key[FS_MAX_KEY_SIZE];
0b81d077 JK	103	u8 mode;
0adda907 JK	104	int res;
0adda907 JK	105
0b81d077	106	res = fscrypt_initialize();
cfc4d971 JK	107	if (res)
cfc4d971 JK	108	return res;
0b81d077 JK	109
	110	if (!inode->i_sb->s_cop->get_context)
	111	return -EOPNOTSUPP;
26bf3dc7	112	retry:
0b81d077	113	crypt_info = ACCESS_ONCE(inode->i_crypt_info);
26bf3dc7 JK	114	if (crypt_info) {
	115	if (!crypt_info->ci_keyring_key \|\|
	116	key_validate(crypt_info->ci_keyring_key) == 0)
0adda907	117	return 0;
0b81d077	118	fscrypt_put_encryption_info(inode, crypt_info);
26bf3dc7	119	goto retry;
0adda907 JK	120	}
0adda907 JK	121
0b81d077 JK	122	res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
	123	if (res < 0) {
	124	if (!fscrypt_dummy_context_enabled(inode))
	125	return res;
	126	ctx.contents_encryption_mode = FS_ENCRYPTION_MODE_AES_256_XTS;
	127	ctx.filenames_encryption_mode = FS_ENCRYPTION_MODE_AES_256_CTS;
	128	ctx.flags = 0;
	129	} else if (res != sizeof(ctx)) {
0adda907	130	return -EINVAL;
0b81d077	131	}
0adda907 JK	132	res = 0;
0adda907 JK	133
0b81d077	134	crypt_info = kmem_cache_alloc(fscrypt_info_cachep, GFP_NOFS);
0adda907 JK	135	if (!crypt_info)
	136	return -ENOMEM;
	137
	138	crypt_info->ci_flags = ctx.flags;
	139	crypt_info->ci_data_mode = ctx.contents_encryption_mode;
	140	crypt_info->ci_filename_mode = ctx.filenames_encryption_mode;
	141	crypt_info->ci_ctfm = NULL;
26bf3dc7	142	crypt_info->ci_keyring_key = NULL;
0adda907 JK	143	memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor,
	144	sizeof(crypt_info->ci_master_key));
	145	if (S_ISREG(inode->i_mode))
26bf3dc7	146	mode = crypt_info->ci_data_mode;
0adda907	147	else if (S_ISDIR(inode->i_mode) \|\| S_ISLNK(inode->i_mode))
26bf3dc7	148	mode = crypt_info->ci_filename_mode;
640778fb	149	else
0adda907	150	BUG();
640778fb	151
26bf3dc7	152	switch (mode) {
0b81d077	153	case FS_ENCRYPTION_MODE_AES_256_XTS:
26bf3dc7 JK	154	cipher_str = "xts(aes)";
26bf3dc7 JK	155	break;
0b81d077	156	case FS_ENCRYPTION_MODE_AES_256_CTS:
26bf3dc7 JK	157	cipher_str = "cts(cbc(aes))";
	158	break;
	159	default:
	160	printk_once(KERN_WARNING
0b81d077 JK	161	"%s: unsupported key mode %d (ino %u)\n",
0b81d077 JK	162	__func__, mode, (unsigned) inode->i_ino);
26bf3dc7 JK	163	res = -ENOKEY;
	164	goto out;
	165	}
0b81d077 JK	166	if (fscrypt_dummy_context_enabled(inode)) {
	167	memset(raw_key, 0x42, FS_AES_256_XTS_KEY_SIZE);
	168	goto got_key;
	169	}
	170	memcpy(full_key_descriptor, FS_KEY_DESC_PREFIX,
	171	FS_KEY_DESC_PREFIX_SIZE);
	172	sprintf(full_key_descriptor + FS_KEY_DESC_PREFIX_SIZE,
	173	"%*phN", FS_KEY_DESCRIPTOR_SIZE,
0adda907	174	ctx.master_key_descriptor);
0b81d077 JK	175	full_key_descriptor[FS_KEY_DESC_PREFIX_SIZE +
0b81d077 JK	176	(2 * FS_KEY_DESCRIPTOR_SIZE)] = '\0';
0adda907 JK	177	keyring_key = request_key(&key_type_logon, full_key_descriptor, NULL);
	178	if (IS_ERR(keyring_key)) {
	179	res = PTR_ERR(keyring_key);
	180	keyring_key = NULL;
	181	goto out;
	182	}
26bf3dc7	183	crypt_info->ci_keyring_key = keyring_key;
66aa3e12	184	if (keyring_key->type != &key_type_logon) {
0b81d077 JK	185	printk_once(KERN_WARNING
0b81d077 JK	186	"%s: key type must be logon\n", __func__);
66aa3e12 JK	187	res = -ENOKEY;
	188	goto out;
	189	}
745e8490	190	down_read(&keyring_key->sem);
146aa8b1	191	ukp = user_key_payload(keyring_key);
0b81d077	192	if (ukp->datalen != sizeof(struct fscrypt_key)) {
0adda907	193	res = -EINVAL;
745e8490	194	up_read(&keyring_key->sem);
0adda907 JK	195	goto out;
0adda907 JK	196	}
0b81d077 JK	197	master_key = (struct fscrypt_key *)ukp->data;
	198	BUILD_BUG_ON(FS_AES_128_ECB_KEY_SIZE != FS_KEY_DERIVATION_NONCE_SIZE);
	199
	200	if (master_key->size != FS_AES_256_XTS_KEY_SIZE) {
66aa3e12	201	printk_once(KERN_WARNING
0b81d077 JK	202	"%s: key size incorrect: %d\n",
0b81d077 JK	203	__func__, master_key->size);
66aa3e12	204	res = -ENOKEY;
745e8490	205	up_read(&keyring_key->sem);
66aa3e12 JK	206	goto out;
66aa3e12 JK	207	}
0b81d077	208	res = derive_key_aes(ctx.nonce, master_key->raw, raw_key);
745e8490	209	up_read(&keyring_key->sem);
26bf3dc7 JK	210	if (res)
26bf3dc7 JK	211	goto out;
0b81d077	212	got_key:
d407574e	213	ctfm = crypto_alloc_skcipher(cipher_str, 0, 0);
26bf3dc7 JK	214	if (!ctfm \|\| IS_ERR(ctfm)) {
	215	res = ctfm ? PTR_ERR(ctfm) : -ENOMEM;
	216	printk(KERN_DEBUG
	217	"%s: error %d (inode %u) allocating crypto tfm\n",
	218	__func__, res, (unsigned) inode->i_ino);
	219	goto out;
0adda907	220	}
26bf3dc7	221	crypt_info->ci_ctfm = ctfm;
d407574e LT	222	crypto_skcipher_clear_flags(ctfm, ~0);
	223	crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_REQ_WEAK_KEY);
	224	res = crypto_skcipher_setkey(ctfm, raw_key, fscrypt_key_size(mode));
26bf3dc7 JK	225	if (res)
	226	goto out;
	227
	228	memzero_explicit(raw_key, sizeof(raw_key));
0b81d077 JK	229	if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) != NULL) {
0b81d077 JK	230	put_crypt_info(crypt_info);
26bf3dc7 JK	231	goto retry;
	232	}
	233	return 0;
	234
	235	out:
0b81d077	236	if (res == -ENOKEY)
26bf3dc7	237	res = 0;
0b81d077	238	put_crypt_info(crypt_info);
26bf3dc7	239	memzero_explicit(raw_key, sizeof(raw_key));
0adda907 JK	240	return res;
	241	}
	242
0b81d077	243	void fscrypt_put_encryption_info(struct inode inode, struct fscrypt_info ci)
0adda907	244	{
0b81d077 JK	245	struct fscrypt_info *prev;
	246
	247	if (ci == NULL)
	248	ci = ACCESS_ONCE(inode->i_crypt_info);
	249	if (ci == NULL)
	250	return;
0adda907	251
0b81d077 JK	252	prev = cmpxchg(&inode->i_crypt_info, ci, NULL);
	253	if (prev != ci)
	254	return;
	255
	256	put_crypt_info(ci);
	257	}
	258	EXPORT_SYMBOL(fscrypt_put_encryption_info);
	259
	260	int fscrypt_get_encryption_info(struct inode *inode)
	261	{
	262	struct fscrypt_info *ci = inode->i_crypt_info;
	263
	264	if (!ci \|\|
	265	(ci->ci_keyring_key &&
	266	(ci->ci_keyring_key->flags & ((1 << KEY_FLAG_INVALIDATED) \|
	267	(1 << KEY_FLAG_REVOKED) \|
	268	(1 << KEY_FLAG_DEAD)))))
	269	return get_crypt_info(inode);
	270	return 0;
0adda907	271	}
0b81d077	272	EXPORT_SYMBOL(fscrypt_get_encryption_info);