1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * This is used to derive keys from the fscrypt master keys (or from the
4 * "software secrets" which hardware derives from the fscrypt master keys, in
5 * the case that the fscrypt master keys are hardware-wrapped keys).
6 *
7 * Copyright 2019 Google LLC
8 */
9
10 #include <crypto/hash.h>
11 #include <crypto/hkdf.h>
12 #include <crypto/sha2.h>
13
14 #include "fscrypt_private.h"
15
16 /*
17 * HKDF supports any unkeyed cryptographic hash algorithm, but fscrypt uses
18 * SHA-512 because it is well-established, secure, and reasonably efficient.
19 *
20 * HKDF-SHA256 was also considered, as its 256-bit security strength would be
21 * sufficient here. A 512-bit security strength is "nice to have", though.
22 * Also, on 64-bit CPUs, SHA-512 is usually just as fast as SHA-256. In the
23 * common case of deriving an AES-256-XTS key (512 bits), that can result in
24 * HKDF-SHA512 being much faster than HKDF-SHA256, as the longer digest size of
25 * SHA-512 causes HKDF-Expand to only need to do one iteration rather than two.
26 */
27 #define HKDF_HMAC_ALG "hmac(sha512)"
28 #define HKDF_HASHLEN SHA512_DIGEST_SIZE
29
30 /*
31 * HKDF consists of two steps:
32 *
33 * 1. HKDF-Extract: extract a pseudorandom key of length HKDF_HASHLEN bytes from
34 * the input keying material and optional salt.
35 * 2. HKDF-Expand: expand the pseudorandom key into output keying material of
36 * any length, parameterized by an application-specific info string.
37 *
38 * HKDF-Extract can be skipped if the input is already a pseudorandom key of
39 * length HKDF_HASHLEN bytes. However, cipher modes other than AES-256-XTS take
40 * shorter keys, and we don't want to force users of those modes to provide
41 * unnecessarily long master keys. Thus fscrypt still does HKDF-Extract. No
42 * salt is used, since fscrypt master keys should already be pseudorandom and
43 * there's no way to persist a random salt per master key from kernel mode.
44 */
45
46 /*
47 * Compute HKDF-Extract using the given master key as the input keying material,
48 * and prepare an HMAC transform object keyed by the resulting pseudorandom key.
49 *
50 * Afterwards, the keyed HMAC transform object can be used for HKDF-Expand many
51 * times without having to recompute HKDF-Extract each time.
52 */
fscrypt_init_hkdf(struct fscrypt_hkdf * hkdf,const u8 * master_key,unsigned int master_key_size)53 int fscrypt_init_hkdf(struct fscrypt_hkdf *hkdf, const u8 *master_key,
54 unsigned int master_key_size)
55 {
56 struct crypto_shash *hmac_tfm;
57 static const u8 default_salt[HKDF_HASHLEN];
58 u8 prk[HKDF_HASHLEN];
59 int err;
60
61 hmac_tfm = crypto_alloc_shash(HKDF_HMAC_ALG, 0, FSCRYPT_CRYPTOAPI_MASK);
62 if (IS_ERR(hmac_tfm)) {
63 fscrypt_err(NULL, "Error allocating " HKDF_HMAC_ALG ": %ld",
64 PTR_ERR(hmac_tfm));
65 return PTR_ERR(hmac_tfm);
66 }
67
68 if (WARN_ON_ONCE(crypto_shash_digestsize(hmac_tfm) != sizeof(prk))) {
69 err = -EINVAL;
70 goto err_free_tfm;
71 }
72
73 err = hkdf_extract(hmac_tfm, master_key, master_key_size,
74 default_salt, HKDF_HASHLEN, prk);
75 if (err)
76 goto err_free_tfm;
77
78 err = crypto_shash_setkey(hmac_tfm, prk, sizeof(prk));
79 if (err)
80 goto err_free_tfm;
81
82 hkdf->hmac_tfm = hmac_tfm;
83 goto out;
84
85 err_free_tfm:
86 crypto_free_shash(hmac_tfm);
87 out:
88 memzero_explicit(prk, sizeof(prk));
89 return err;
90 }
91
92 /*
93 * HKDF-Expand (RFC 5869 section 2.3). This expands the pseudorandom key, which
94 * was already keyed into 'hkdf->hmac_tfm' by fscrypt_init_hkdf(), into 'okmlen'
95 * bytes of output keying material parameterized by the application-specific
96 * 'info' of length 'infolen' bytes, prefixed by "fscrypt\0" and the 'context'
97 * byte. This is thread-safe and may be called by multiple threads in parallel.
98 *
99 * ('context' isn't part of the HKDF specification; it's just a prefix fscrypt
100 * adds to its application-specific info strings to guarantee that it doesn't
101 * accidentally repeat an info string when using HKDF for different purposes.)
102 */
fscrypt_hkdf_expand(const struct fscrypt_hkdf * hkdf,u8 context,const u8 * info,unsigned int infolen,u8 * okm,unsigned int okmlen)103 int fscrypt_hkdf_expand(const struct fscrypt_hkdf *hkdf, u8 context,
104 const u8 *info, unsigned int infolen,
105 u8 *okm, unsigned int okmlen)
106 {
107 SHASH_DESC_ON_STACK(desc, hkdf->hmac_tfm);
108 u8 *full_info;
109 int err;
110
111 full_info = kzalloc(infolen + 9, GFP_KERNEL);
112 if (!full_info)
113 return -ENOMEM;
114 desc->tfm = hkdf->hmac_tfm;
115
116 memcpy(full_info, "fscrypt\0", 8);
117 full_info[8] = context;
118 memcpy(full_info + 9, info, infolen);
119
120 err = hkdf_expand(hkdf->hmac_tfm, full_info, infolen + 9,
121 okm, okmlen);
122 kfree_sensitive(full_info);
123 return err;
124 }
125
fscrypt_destroy_hkdf(struct fscrypt_hkdf * hkdf)126 void fscrypt_destroy_hkdf(struct fscrypt_hkdf *hkdf)
127 {
128 crypto_free_shash(hkdf->hmac_tfm);
129 }
130