1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (C) 2010 IBM Corporation
4 * Copyright (C) 2010 Politecnico di Torino, Italy
5 * TORSEC group -- https://security.polito.it
6 *
7 * Authors:
8 * Mimi Zohar <zohar@us.ibm.com>
9 * Roberto Sassu <roberto.sassu@polito.it>
10 *
11 * See Documentation/security/keys/trusted-encrypted.rst
12 */
13
14 #include <linux/uaccess.h>
15 #include <linux/module.h>
16 #include <linux/hex.h>
17 #include <linux/init.h>
18 #include <linux/slab.h>
19 #include <linux/parser.h>
20 #include <linux/string.h>
21 #include <linux/err.h>
22 #include <keys/user-type.h>
23 #include <keys/trusted-type.h>
24 #include <keys/encrypted-type.h>
25 #include <linux/key-type.h>
26 #include <linux/random.h>
27 #include <linux/rcupdate.h>
28 #include <linux/scatterlist.h>
29 #include <linux/ctype.h>
30 #include <crypto/aes.h>
31 #include <crypto/sha2.h>
32 #include <crypto/skcipher.h>
33 #include <crypto/utils.h>
34
35 #include "encrypted.h"
36 #include "ecryptfs_format.h"
37
38 static const char KEY_TRUSTED_PREFIX[] = "trusted:";
39 static const char KEY_USER_PREFIX[] = "user:";
40 static const char blkcipher_alg[] = "cbc(aes)";
41 static const char key_format_default[] = "default";
42 static const char key_format_ecryptfs[] = "ecryptfs";
43 static const char key_format_enc32[] = "enc32";
44 static unsigned int ivsize;
45 static int blksize;
46
47 #define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1)
48 #define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1)
49 #define KEY_ECRYPTFS_DESC_LEN 16
50 #define HASH_SIZE SHA256_DIGEST_SIZE
51 #define MAX_DATA_SIZE 4096
52 #define MIN_DATA_SIZE 20
53 #define KEY_ENC32_PAYLOAD_LEN 32
54
55 enum {
56 Opt_new, Opt_load, Opt_update, Opt_err
57 };
58
59 enum {
60 Opt_default, Opt_ecryptfs, Opt_enc32, Opt_error
61 };
62
63 static const match_table_t key_format_tokens = {
64 {Opt_default, "default"},
65 {Opt_ecryptfs, "ecryptfs"},
66 {Opt_enc32, "enc32"},
67 {Opt_error, NULL}
68 };
69
70 static const match_table_t key_tokens = {
71 {Opt_new, "new"},
72 {Opt_load, "load"},
73 {Opt_update, "update"},
74 {Opt_err, NULL}
75 };
76
77 static bool user_decrypted_data = IS_ENABLED(CONFIG_USER_DECRYPTED_DATA);
78 module_param(user_decrypted_data, bool, 0);
79 MODULE_PARM_DESC(user_decrypted_data,
80 "Allow instantiation of encrypted keys using provided decrypted data");
81
aes_get_sizes(void)82 static int aes_get_sizes(void)
83 {
84 struct crypto_skcipher *tfm;
85
86 tfm = crypto_alloc_skcipher(blkcipher_alg, 0, CRYPTO_ALG_ASYNC);
87 if (IS_ERR(tfm)) {
88 pr_err("encrypted_key: failed to alloc_cipher (%ld)\n",
89 PTR_ERR(tfm));
90 return PTR_ERR(tfm);
91 }
92 ivsize = crypto_skcipher_ivsize(tfm);
93 blksize = crypto_skcipher_blocksize(tfm);
94 crypto_free_skcipher(tfm);
95 return 0;
96 }
97
98 /*
99 * valid_ecryptfs_desc - verify the description of a new/loaded encrypted key
100 *
101 * The description of a encrypted key with format 'ecryptfs' must contain
102 * exactly 16 hexadecimal characters.
103 *
104 */
valid_ecryptfs_desc(const char * ecryptfs_desc)105 static int valid_ecryptfs_desc(const char *ecryptfs_desc)
106 {
107 int i;
108
109 if (strlen(ecryptfs_desc) != KEY_ECRYPTFS_DESC_LEN) {
110 pr_err("encrypted_key: key description must be %d hexadecimal "
111 "characters long\n", KEY_ECRYPTFS_DESC_LEN);
112 return -EINVAL;
113 }
114
115 for (i = 0; i < KEY_ECRYPTFS_DESC_LEN; i++) {
116 if (!isxdigit(ecryptfs_desc[i])) {
117 pr_err("encrypted_key: key description must contain "
118 "only hexadecimal characters\n");
119 return -EINVAL;
120 }
121 }
122
123 return 0;
124 }
125
126 /*
127 * valid_master_desc - verify the 'key-type:desc' of a new/updated master-key
128 *
129 * key-type:= "trusted:" | "user:"
130 * desc:= master-key description
131 *
132 * Verify that 'key-type' is valid and that 'desc' exists. On key update,
133 * only the master key description is permitted to change, not the key-type.
134 * The key-type remains constant.
135 *
136 * On success returns 0, otherwise -EINVAL.
137 */
valid_master_desc(const char * new_desc,const char * orig_desc)138 static int valid_master_desc(const char *new_desc, const char *orig_desc)
139 {
140 int prefix_len;
141
142 if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN))
143 prefix_len = KEY_TRUSTED_PREFIX_LEN;
144 else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN))
145 prefix_len = KEY_USER_PREFIX_LEN;
146 else
147 return -EINVAL;
148
149 if (!new_desc[prefix_len])
150 return -EINVAL;
151
152 if (orig_desc && strncmp(new_desc, orig_desc, prefix_len))
153 return -EINVAL;
154
155 return 0;
156 }
157
158 /*
159 * datablob_parse - parse the keyctl data
160 *
161 * datablob format:
162 * new [<format>] <master-key name> <decrypted data length> [<decrypted data>]
163 * load [<format>] <master-key name> <decrypted data length>
164 * <encrypted iv + data>
165 * update <new-master-key name>
166 *
167 * Tokenizes a copy of the keyctl data, returning a pointer to each token,
168 * which is null terminated.
169 *
170 * On success returns 0, otherwise -EINVAL.
171 */
datablob_parse(char * datablob,const char ** format,char ** master_desc,char ** decrypted_datalen,char ** hex_encoded_iv,char ** decrypted_data)172 static int datablob_parse(char *datablob, const char **format,
173 char **master_desc, char **decrypted_datalen,
174 char **hex_encoded_iv, char **decrypted_data)
175 {
176 substring_t args[MAX_OPT_ARGS];
177 int ret = -EINVAL;
178 int key_cmd;
179 int key_format;
180 char *p, *keyword;
181
182 keyword = strsep(&datablob, " \t");
183 if (!keyword) {
184 pr_info("encrypted_key: insufficient parameters specified\n");
185 return ret;
186 }
187 key_cmd = match_token(keyword, key_tokens, args);
188
189 /* Get optional format: default | ecryptfs */
190 p = strsep(&datablob, " \t");
191 if (!p) {
192 pr_err("encrypted_key: insufficient parameters specified\n");
193 return ret;
194 }
195
196 key_format = match_token(p, key_format_tokens, args);
197 switch (key_format) {
198 case Opt_ecryptfs:
199 case Opt_enc32:
200 case Opt_default:
201 *format = p;
202 *master_desc = strsep(&datablob, " \t");
203 break;
204 case Opt_error:
205 *master_desc = p;
206 break;
207 }
208
209 if (!*master_desc) {
210 pr_info("encrypted_key: master key parameter is missing\n");
211 goto out;
212 }
213
214 if (valid_master_desc(*master_desc, NULL) < 0) {
215 pr_info("encrypted_key: master key parameter \'%s\' "
216 "is invalid\n", *master_desc);
217 goto out;
218 }
219
220 if (decrypted_datalen) {
221 *decrypted_datalen = strsep(&datablob, " \t");
222 if (!*decrypted_datalen) {
223 pr_info("encrypted_key: keylen parameter is missing\n");
224 goto out;
225 }
226 }
227
228 switch (key_cmd) {
229 case Opt_new:
230 if (!decrypted_datalen) {
231 pr_info("encrypted_key: keyword \'%s\' not allowed "
232 "when called from .update method\n", keyword);
233 break;
234 }
235 *decrypted_data = strsep(&datablob, " \t");
236 ret = 0;
237 break;
238 case Opt_load:
239 if (!decrypted_datalen) {
240 pr_info("encrypted_key: keyword \'%s\' not allowed "
241 "when called from .update method\n", keyword);
242 break;
243 }
244 *hex_encoded_iv = strsep(&datablob, " \t");
245 if (!*hex_encoded_iv) {
246 pr_info("encrypted_key: hex blob is missing\n");
247 break;
248 }
249 ret = 0;
250 break;
251 case Opt_update:
252 if (decrypted_datalen) {
253 pr_info("encrypted_key: keyword \'%s\' not allowed "
254 "when called from .instantiate method\n",
255 keyword);
256 break;
257 }
258 ret = 0;
259 break;
260 case Opt_err:
261 pr_info("encrypted_key: keyword \'%s\' not recognized\n",
262 keyword);
263 break;
264 }
265 out:
266 return ret;
267 }
268
269 /*
270 * datablob_format - format as an ascii string, before copying to userspace
271 */
datablob_format(struct encrypted_key_payload * epayload,size_t asciiblob_len)272 static char *datablob_format(struct encrypted_key_payload *epayload,
273 size_t asciiblob_len)
274 {
275 char *ascii_buf, *bufp;
276 u8 *iv = epayload->iv;
277 int len;
278 int i;
279
280 ascii_buf = kmalloc(asciiblob_len + 1, GFP_KERNEL);
281 if (!ascii_buf)
282 goto out;
283
284 ascii_buf[asciiblob_len] = '\0';
285
286 /* copy datablob master_desc and datalen strings */
287 len = sprintf(ascii_buf, "%s %s %s ", epayload->format,
288 epayload->master_desc, epayload->datalen);
289
290 /* convert the hex encoded iv, encrypted-data and HMAC to ascii */
291 bufp = &ascii_buf[len];
292 for (i = 0; i < (asciiblob_len - len) / 2; i++)
293 bufp = hex_byte_pack(bufp, iv[i]);
294 out:
295 return ascii_buf;
296 }
297
298 /*
299 * request_user_key - request the user key
300 *
301 * Use a user provided key to encrypt/decrypt an encrypted-key.
302 */
request_user_key(const char * master_desc,const u8 ** master_key,size_t * master_keylen)303 static struct key *request_user_key(const char *master_desc, const u8 **master_key,
304 size_t *master_keylen)
305 {
306 const struct user_key_payload *upayload;
307 struct key *ukey;
308
309 ukey = request_key(&key_type_user, master_desc, NULL);
310 if (IS_ERR(ukey))
311 goto error;
312
313 down_read(&ukey->sem);
314 upayload = user_key_payload_locked(ukey);
315 if (!upayload) {
316 /* key was revoked before we acquired its semaphore */
317 up_read(&ukey->sem);
318 key_put(ukey);
319 ukey = ERR_PTR(-EKEYREVOKED);
320 goto error;
321 }
322 *master_key = upayload->data;
323 *master_keylen = upayload->datalen;
324 error:
325 return ukey;
326 }
327
328 enum derived_key_type { ENC_KEY, AUTH_KEY };
329
330 /* Derive authentication/encryption key from trusted key */
get_derived_key(u8 * derived_key,enum derived_key_type key_type,const u8 * master_key,size_t master_keylen)331 static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
332 const u8 *master_key, size_t master_keylen)
333 {
334 u8 *derived_buf;
335 unsigned int derived_buf_len;
336
337 derived_buf_len = strlen("AUTH_KEY") + 1 + master_keylen;
338 if (derived_buf_len < HASH_SIZE)
339 derived_buf_len = HASH_SIZE;
340
341 derived_buf = kzalloc(derived_buf_len, GFP_KERNEL);
342 if (!derived_buf)
343 return -ENOMEM;
344
345 if (key_type)
346 strcpy(derived_buf, "AUTH_KEY");
347 else
348 strcpy(derived_buf, "ENC_KEY");
349
350 memcpy(derived_buf + strlen(derived_buf) + 1, master_key,
351 master_keylen);
352 sha256(derived_buf, derived_buf_len, derived_key);
353 kfree_sensitive(derived_buf);
354 return 0;
355 }
356
init_skcipher_req(const u8 * key,unsigned int key_len)357 static struct skcipher_request *init_skcipher_req(const u8 *key,
358 unsigned int key_len)
359 {
360 struct skcipher_request *req;
361 struct crypto_skcipher *tfm;
362 int ret;
363
364 tfm = crypto_alloc_skcipher(blkcipher_alg, 0, CRYPTO_ALG_ASYNC);
365 if (IS_ERR(tfm)) {
366 pr_err("encrypted_key: failed to load %s transform (%ld)\n",
367 blkcipher_alg, PTR_ERR(tfm));
368 return ERR_CAST(tfm);
369 }
370
371 ret = crypto_skcipher_setkey(tfm, key, key_len);
372 if (ret < 0) {
373 pr_err("encrypted_key: failed to setkey (%d)\n", ret);
374 crypto_free_skcipher(tfm);
375 return ERR_PTR(ret);
376 }
377
378 req = skcipher_request_alloc(tfm, GFP_KERNEL);
379 if (!req) {
380 pr_err("encrypted_key: failed to allocate request for %s\n",
381 blkcipher_alg);
382 crypto_free_skcipher(tfm);
383 return ERR_PTR(-ENOMEM);
384 }
385
386 skcipher_request_set_callback(req, 0, NULL, NULL);
387 return req;
388 }
389
request_master_key(struct encrypted_key_payload * epayload,const u8 ** master_key,size_t * master_keylen)390 static struct key *request_master_key(struct encrypted_key_payload *epayload,
391 const u8 **master_key, size_t *master_keylen)
392 {
393 struct key *mkey = ERR_PTR(-EINVAL);
394
395 if (!strncmp(epayload->master_desc, KEY_TRUSTED_PREFIX,
396 KEY_TRUSTED_PREFIX_LEN)) {
397 mkey = request_trusted_key(epayload->master_desc +
398 KEY_TRUSTED_PREFIX_LEN,
399 master_key, master_keylen);
400 } else if (!strncmp(epayload->master_desc, KEY_USER_PREFIX,
401 KEY_USER_PREFIX_LEN)) {
402 mkey = request_user_key(epayload->master_desc +
403 KEY_USER_PREFIX_LEN,
404 master_key, master_keylen);
405 } else
406 goto out;
407
408 if (IS_ERR(mkey)) {
409 int ret = PTR_ERR(mkey);
410
411 if (ret == -ENOTSUPP)
412 pr_info("encrypted_key: key %s not supported",
413 epayload->master_desc);
414 else
415 pr_info("encrypted_key: key %s not found",
416 epayload->master_desc);
417 goto out;
418 }
419
420 dump_master_key(*master_key, *master_keylen);
421 out:
422 return mkey;
423 }
424
425 /* Before returning data to userspace, encrypt decrypted data. */
derived_key_encrypt(struct encrypted_key_payload * epayload,const u8 * derived_key,unsigned int derived_keylen)426 static int derived_key_encrypt(struct encrypted_key_payload *epayload,
427 const u8 *derived_key,
428 unsigned int derived_keylen)
429 {
430 struct scatterlist sg_in[2];
431 struct scatterlist sg_out[1];
432 struct crypto_skcipher *tfm;
433 struct skcipher_request *req;
434 unsigned int encrypted_datalen;
435 u8 iv[AES_BLOCK_SIZE];
436 int ret;
437
438 encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
439
440 req = init_skcipher_req(derived_key, derived_keylen);
441 ret = PTR_ERR(req);
442 if (IS_ERR(req))
443 goto out;
444 dump_decrypted_data(epayload);
445
446 sg_init_table(sg_in, 2);
447 sg_set_buf(&sg_in[0], epayload->decrypted_data,
448 epayload->decrypted_datalen);
449 sg_set_page(&sg_in[1], ZERO_PAGE(0), AES_BLOCK_SIZE, 0);
450
451 sg_init_table(sg_out, 1);
452 sg_set_buf(sg_out, epayload->encrypted_data, encrypted_datalen);
453
454 memcpy(iv, epayload->iv, sizeof(iv));
455 skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv);
456 ret = crypto_skcipher_encrypt(req);
457 tfm = crypto_skcipher_reqtfm(req);
458 skcipher_request_free(req);
459 crypto_free_skcipher(tfm);
460 if (ret < 0)
461 pr_err("encrypted_key: failed to encrypt (%d)\n", ret);
462 else
463 dump_encrypted_data(epayload, encrypted_datalen);
464 out:
465 return ret;
466 }
467
datablob_hmac_append(struct encrypted_key_payload * epayload,const u8 * master_key,size_t master_keylen)468 static int datablob_hmac_append(struct encrypted_key_payload *epayload,
469 const u8 *master_key, size_t master_keylen)
470 {
471 u8 derived_key[HASH_SIZE];
472 u8 *digest;
473 int ret;
474
475 ret = get_derived_key(derived_key, AUTH_KEY, master_key, master_keylen);
476 if (ret < 0)
477 goto out;
478
479 digest = epayload->format + epayload->datablob_len;
480 hmac_sha256_usingrawkey(derived_key, sizeof(derived_key),
481 epayload->format, epayload->datablob_len,
482 digest);
483 dump_hmac(NULL, digest, HASH_SIZE);
484 out:
485 memzero_explicit(derived_key, sizeof(derived_key));
486 return ret;
487 }
488
489 /* verify HMAC before decrypting encrypted key */
datablob_hmac_verify(struct encrypted_key_payload * epayload,const u8 * format,const u8 * master_key,size_t master_keylen)490 static int datablob_hmac_verify(struct encrypted_key_payload *epayload,
491 const u8 *format, const u8 *master_key,
492 size_t master_keylen)
493 {
494 u8 derived_key[HASH_SIZE];
495 u8 digest[HASH_SIZE];
496 int ret;
497 char *p;
498 unsigned short len;
499
500 ret = get_derived_key(derived_key, AUTH_KEY, master_key, master_keylen);
501 if (ret < 0)
502 goto out;
503
504 len = epayload->datablob_len;
505 if (!format) {
506 p = epayload->master_desc;
507 len -= strlen(epayload->format) + 1;
508 } else
509 p = epayload->format;
510
511 hmac_sha256_usingrawkey(derived_key, sizeof(derived_key), p, len,
512 digest);
513 ret = crypto_memneq(digest, epayload->format + epayload->datablob_len,
514 sizeof(digest));
515 if (ret) {
516 ret = -EINVAL;
517 dump_hmac("datablob",
518 epayload->format + epayload->datablob_len,
519 HASH_SIZE);
520 dump_hmac("calc", digest, HASH_SIZE);
521 }
522 out:
523 memzero_explicit(derived_key, sizeof(derived_key));
524 return ret;
525 }
526
derived_key_decrypt(struct encrypted_key_payload * epayload,const u8 * derived_key,unsigned int derived_keylen)527 static int derived_key_decrypt(struct encrypted_key_payload *epayload,
528 const u8 *derived_key,
529 unsigned int derived_keylen)
530 {
531 struct scatterlist sg_in[1];
532 struct scatterlist sg_out[2];
533 struct crypto_skcipher *tfm;
534 struct skcipher_request *req;
535 unsigned int encrypted_datalen;
536 u8 iv[AES_BLOCK_SIZE];
537 u8 *pad;
538 int ret;
539
540 /* Throwaway buffer to hold the unused zero padding at the end */
541 pad = kmalloc(AES_BLOCK_SIZE, GFP_KERNEL);
542 if (!pad)
543 return -ENOMEM;
544
545 encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
546 req = init_skcipher_req(derived_key, derived_keylen);
547 ret = PTR_ERR(req);
548 if (IS_ERR(req))
549 goto out;
550 dump_encrypted_data(epayload, encrypted_datalen);
551
552 sg_init_table(sg_in, 1);
553 sg_init_table(sg_out, 2);
554 sg_set_buf(sg_in, epayload->encrypted_data, encrypted_datalen);
555 sg_set_buf(&sg_out[0], epayload->decrypted_data,
556 epayload->decrypted_datalen);
557 sg_set_buf(&sg_out[1], pad, AES_BLOCK_SIZE);
558
559 memcpy(iv, epayload->iv, sizeof(iv));
560 skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv);
561 ret = crypto_skcipher_decrypt(req);
562 tfm = crypto_skcipher_reqtfm(req);
563 skcipher_request_free(req);
564 crypto_free_skcipher(tfm);
565 if (ret < 0)
566 goto out;
567 dump_decrypted_data(epayload);
568 out:
569 kfree(pad);
570 return ret;
571 }
572
573 /* Allocate memory for decrypted key and datablob. */
encrypted_key_alloc(struct key * key,const char * format,const char * master_desc,const char * datalen,const char * decrypted_data)574 static struct encrypted_key_payload *encrypted_key_alloc(struct key *key,
575 const char *format,
576 const char *master_desc,
577 const char *datalen,
578 const char *decrypted_data)
579 {
580 struct encrypted_key_payload *epayload = NULL;
581 unsigned short datablob_len;
582 unsigned short decrypted_datalen;
583 unsigned short payload_datalen;
584 unsigned int encrypted_datalen;
585 unsigned int format_len;
586 long dlen;
587 int i;
588 int ret;
589
590 ret = kstrtol(datalen, 10, &dlen);
591 if (ret < 0 || dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
592 return ERR_PTR(-EINVAL);
593
594 format_len = (!format) ? strlen(key_format_default) : strlen(format);
595 decrypted_datalen = dlen;
596 payload_datalen = decrypted_datalen;
597
598 if (decrypted_data) {
599 if (!user_decrypted_data) {
600 pr_err("encrypted key: instantiation of keys using provided decrypted data is disabled since CONFIG_USER_DECRYPTED_DATA is set to false\n");
601 return ERR_PTR(-EINVAL);
602 }
603 if (strlen(decrypted_data) != decrypted_datalen * 2) {
604 pr_err("encrypted key: decrypted data provided does not match decrypted data length provided\n");
605 return ERR_PTR(-EINVAL);
606 }
607 for (i = 0; i < strlen(decrypted_data); i++) {
608 if (!isxdigit(decrypted_data[i])) {
609 pr_err("encrypted key: decrypted data provided must contain only hexadecimal characters\n");
610 return ERR_PTR(-EINVAL);
611 }
612 }
613 }
614
615 if (format) {
616 if (!strcmp(format, key_format_ecryptfs)) {
617 if (dlen != ECRYPTFS_MAX_KEY_BYTES) {
618 pr_err("encrypted_key: keylen for the ecryptfs format must be equal to %d bytes\n",
619 ECRYPTFS_MAX_KEY_BYTES);
620 return ERR_PTR(-EINVAL);
621 }
622 decrypted_datalen = ECRYPTFS_MAX_KEY_BYTES;
623 payload_datalen = sizeof(struct ecryptfs_auth_tok);
624 } else if (!strcmp(format, key_format_enc32)) {
625 if (decrypted_datalen != KEY_ENC32_PAYLOAD_LEN) {
626 pr_err("encrypted_key: enc32 key payload incorrect length: %d\n",
627 decrypted_datalen);
628 return ERR_PTR(-EINVAL);
629 }
630 }
631 }
632
633 encrypted_datalen = roundup(decrypted_datalen, blksize);
634
635 datablob_len = format_len + 1 + strlen(master_desc) + 1
636 + strlen(datalen) + 1 + ivsize + 1 + encrypted_datalen;
637
638 ret = key_payload_reserve(key, payload_datalen + datablob_len
639 + HASH_SIZE + 1);
640 if (ret < 0)
641 return ERR_PTR(ret);
642
643 epayload = kzalloc(sizeof(*epayload) + payload_datalen +
644 datablob_len + HASH_SIZE + 1, GFP_KERNEL);
645 if (!epayload)
646 return ERR_PTR(-ENOMEM);
647
648 epayload->payload_datalen = payload_datalen;
649 epayload->decrypted_datalen = decrypted_datalen;
650 epayload->datablob_len = datablob_len;
651 return epayload;
652 }
653
encrypted_key_decrypt(struct encrypted_key_payload * epayload,const char * format,const char * hex_encoded_iv)654 static int encrypted_key_decrypt(struct encrypted_key_payload *epayload,
655 const char *format, const char *hex_encoded_iv)
656 {
657 struct key *mkey;
658 u8 derived_key[HASH_SIZE];
659 const u8 *master_key;
660 u8 *hmac;
661 const char *hex_encoded_data;
662 unsigned int encrypted_datalen;
663 size_t master_keylen;
664 size_t asciilen;
665 int ret;
666
667 encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
668 asciilen = (ivsize + 1 + encrypted_datalen + HASH_SIZE) * 2;
669 if (strlen(hex_encoded_iv) != asciilen)
670 return -EINVAL;
671
672 hex_encoded_data = hex_encoded_iv + (2 * ivsize) + 2;
673 ret = hex2bin(epayload->iv, hex_encoded_iv, ivsize);
674 if (ret < 0)
675 return -EINVAL;
676 ret = hex2bin(epayload->encrypted_data, hex_encoded_data,
677 encrypted_datalen);
678 if (ret < 0)
679 return -EINVAL;
680
681 hmac = epayload->format + epayload->datablob_len;
682 ret = hex2bin(hmac, hex_encoded_data + (encrypted_datalen * 2),
683 HASH_SIZE);
684 if (ret < 0)
685 return -EINVAL;
686
687 mkey = request_master_key(epayload, &master_key, &master_keylen);
688 if (IS_ERR(mkey))
689 return PTR_ERR(mkey);
690
691 ret = datablob_hmac_verify(epayload, format, master_key, master_keylen);
692 if (ret < 0) {
693 pr_err("encrypted_key: bad hmac (%d)\n", ret);
694 goto out;
695 }
696
697 ret = get_derived_key(derived_key, ENC_KEY, master_key, master_keylen);
698 if (ret < 0)
699 goto out;
700
701 ret = derived_key_decrypt(epayload, derived_key, sizeof derived_key);
702 if (ret < 0)
703 pr_err("encrypted_key: failed to decrypt key (%d)\n", ret);
704 out:
705 up_read(&mkey->sem);
706 key_put(mkey);
707 memzero_explicit(derived_key, sizeof(derived_key));
708 return ret;
709 }
710
__ekey_init(struct encrypted_key_payload * epayload,const char * format,const char * master_desc,const char * datalen)711 static void __ekey_init(struct encrypted_key_payload *epayload,
712 const char *format, const char *master_desc,
713 const char *datalen)
714 {
715 unsigned int format_len;
716
717 format_len = (!format) ? strlen(key_format_default) : strlen(format);
718 epayload->format = epayload->payload_data + epayload->payload_datalen;
719 epayload->master_desc = epayload->format + format_len + 1;
720 epayload->datalen = epayload->master_desc + strlen(master_desc) + 1;
721 epayload->iv = epayload->datalen + strlen(datalen) + 1;
722 epayload->encrypted_data = epayload->iv + ivsize + 1;
723 epayload->decrypted_data = epayload->payload_data;
724
725 if (!format)
726 memcpy(epayload->format, key_format_default, format_len);
727 else {
728 if (!strcmp(format, key_format_ecryptfs))
729 epayload->decrypted_data =
730 ecryptfs_get_auth_tok_key((struct ecryptfs_auth_tok *)epayload->payload_data);
731
732 memcpy(epayload->format, format, format_len);
733 }
734
735 memcpy(epayload->master_desc, master_desc, strlen(master_desc));
736 memcpy(epayload->datalen, datalen, strlen(datalen));
737 }
738
739 /*
740 * encrypted_init - initialize an encrypted key
741 *
742 * For a new key, use either a random number or user-provided decrypted data in
743 * case it is provided. A random number is used for the iv in both cases. For
744 * an old key, decrypt the hex encoded data.
745 */
encrypted_init(struct encrypted_key_payload * epayload,const char * key_desc,const char * format,const char * master_desc,const char * datalen,const char * hex_encoded_iv,const char * decrypted_data)746 static int encrypted_init(struct encrypted_key_payload *epayload,
747 const char *key_desc, const char *format,
748 const char *master_desc, const char *datalen,
749 const char *hex_encoded_iv, const char *decrypted_data)
750 {
751 int ret = 0;
752
753 if (format && !strcmp(format, key_format_ecryptfs)) {
754 ret = valid_ecryptfs_desc(key_desc);
755 if (ret < 0)
756 return ret;
757
758 ecryptfs_fill_auth_tok((struct ecryptfs_auth_tok *)epayload->payload_data,
759 key_desc);
760 }
761
762 __ekey_init(epayload, format, master_desc, datalen);
763 if (hex_encoded_iv) {
764 ret = encrypted_key_decrypt(epayload, format, hex_encoded_iv);
765 } else if (decrypted_data) {
766 get_random_bytes(epayload->iv, ivsize);
767 ret = hex2bin(epayload->decrypted_data, decrypted_data,
768 epayload->decrypted_datalen);
769 } else {
770 get_random_bytes(epayload->iv, ivsize);
771 get_random_bytes(epayload->decrypted_data, epayload->decrypted_datalen);
772 }
773 return ret;
774 }
775
776 /*
777 * encrypted_instantiate - instantiate an encrypted key
778 *
779 * Instantiates the key:
780 * - by decrypting an existing encrypted datablob, or
781 * - by creating a new encrypted key based on a kernel random number, or
782 * - using provided decrypted data.
783 *
784 * On success, return 0. Otherwise return errno.
785 */
encrypted_instantiate(struct key * key,struct key_preparsed_payload * prep)786 static int encrypted_instantiate(struct key *key,
787 struct key_preparsed_payload *prep)
788 {
789 struct encrypted_key_payload *epayload = NULL;
790 char *datablob = NULL;
791 const char *format = NULL;
792 char *master_desc = NULL;
793 char *decrypted_datalen = NULL;
794 char *hex_encoded_iv = NULL;
795 char *decrypted_data = NULL;
796 size_t datalen = prep->datalen;
797 int ret;
798
799 if (datalen == 0 || datalen > 32767 || !prep->data)
800 return -EINVAL;
801
802 datablob = kmalloc(datalen + 1, GFP_KERNEL);
803 if (!datablob)
804 return -ENOMEM;
805 datablob[datalen] = 0;
806 memcpy(datablob, prep->data, datalen);
807 ret = datablob_parse(datablob, &format, &master_desc,
808 &decrypted_datalen, &hex_encoded_iv, &decrypted_data);
809 if (ret < 0)
810 goto out;
811
812 epayload = encrypted_key_alloc(key, format, master_desc,
813 decrypted_datalen, decrypted_data);
814 if (IS_ERR(epayload)) {
815 ret = PTR_ERR(epayload);
816 goto out;
817 }
818 ret = encrypted_init(epayload, key->description, format, master_desc,
819 decrypted_datalen, hex_encoded_iv, decrypted_data);
820 if (ret < 0) {
821 kfree_sensitive(epayload);
822 goto out;
823 }
824
825 rcu_assign_keypointer(key, epayload);
826 out:
827 kfree_sensitive(datablob);
828 return ret;
829 }
830
encrypted_rcu_free(struct rcu_head * rcu)831 static void encrypted_rcu_free(struct rcu_head *rcu)
832 {
833 struct encrypted_key_payload *epayload;
834
835 epayload = container_of(rcu, struct encrypted_key_payload, rcu);
836 kfree_sensitive(epayload);
837 }
838
839 /*
840 * encrypted_update - update the master key description
841 *
842 * Change the master key description for an existing encrypted key.
843 * The next read will return an encrypted datablob using the new
844 * master key description.
845 *
846 * On success, return 0. Otherwise return errno.
847 */
encrypted_update(struct key * key,struct key_preparsed_payload * prep)848 static int encrypted_update(struct key *key, struct key_preparsed_payload *prep)
849 {
850 struct encrypted_key_payload *epayload = key->payload.data[0];
851 struct encrypted_key_payload *new_epayload;
852 char *buf;
853 char *new_master_desc = NULL;
854 const char *format = NULL;
855 size_t datalen = prep->datalen;
856 int ret = 0;
857
858 if (key_is_negative(key))
859 return -ENOKEY;
860 if (datalen == 0 || datalen > 32767 || !prep->data)
861 return -EINVAL;
862
863 buf = kmalloc(datalen + 1, GFP_KERNEL);
864 if (!buf)
865 return -ENOMEM;
866
867 buf[datalen] = 0;
868 memcpy(buf, prep->data, datalen);
869 ret = datablob_parse(buf, &format, &new_master_desc, NULL, NULL, NULL);
870 if (ret < 0)
871 goto out;
872
873 ret = valid_master_desc(new_master_desc, epayload->master_desc);
874 if (ret < 0)
875 goto out;
876
877 new_epayload = encrypted_key_alloc(key, epayload->format,
878 new_master_desc, epayload->datalen, NULL);
879 if (IS_ERR(new_epayload)) {
880 ret = PTR_ERR(new_epayload);
881 goto out;
882 }
883
884 __ekey_init(new_epayload, epayload->format, new_master_desc,
885 epayload->datalen);
886
887 memcpy(new_epayload->iv, epayload->iv, ivsize);
888 memcpy(new_epayload->payload_data, epayload->payload_data,
889 epayload->payload_datalen);
890
891 rcu_assign_keypointer(key, new_epayload);
892 call_rcu(&epayload->rcu, encrypted_rcu_free);
893 out:
894 kfree_sensitive(buf);
895 return ret;
896 }
897
898 /*
899 * encrypted_read - format and copy out the encrypted data
900 *
901 * The resulting datablob format is:
902 * <master-key name> <decrypted data length> <encrypted iv> <encrypted data>
903 *
904 * On success, return to userspace the encrypted key datablob size.
905 */
encrypted_read(const struct key * key,char * buffer,size_t buflen)906 static long encrypted_read(const struct key *key, char *buffer,
907 size_t buflen)
908 {
909 struct encrypted_key_payload *epayload;
910 struct key *mkey;
911 const u8 *master_key;
912 size_t master_keylen;
913 char derived_key[HASH_SIZE];
914 char *ascii_buf;
915 size_t asciiblob_len;
916 int ret;
917
918 epayload = dereference_key_locked(key);
919
920 /* returns the hex encoded iv, encrypted-data, and hmac as ascii */
921 asciiblob_len = epayload->datablob_len + ivsize + 1
922 + roundup(epayload->decrypted_datalen, blksize)
923 + (HASH_SIZE * 2);
924
925 if (!buffer || buflen < asciiblob_len)
926 return asciiblob_len;
927
928 mkey = request_master_key(epayload, &master_key, &master_keylen);
929 if (IS_ERR(mkey))
930 return PTR_ERR(mkey);
931
932 ret = get_derived_key(derived_key, ENC_KEY, master_key, master_keylen);
933 if (ret < 0)
934 goto out;
935
936 ret = derived_key_encrypt(epayload, derived_key, sizeof derived_key);
937 if (ret < 0)
938 goto out;
939
940 ret = datablob_hmac_append(epayload, master_key, master_keylen);
941 if (ret < 0)
942 goto out;
943
944 ascii_buf = datablob_format(epayload, asciiblob_len);
945 if (!ascii_buf) {
946 ret = -ENOMEM;
947 goto out;
948 }
949
950 up_read(&mkey->sem);
951 key_put(mkey);
952 memzero_explicit(derived_key, sizeof(derived_key));
953
954 memcpy(buffer, ascii_buf, asciiblob_len);
955 kfree_sensitive(ascii_buf);
956
957 return asciiblob_len;
958 out:
959 up_read(&mkey->sem);
960 key_put(mkey);
961 memzero_explicit(derived_key, sizeof(derived_key));
962 return ret;
963 }
964
965 /*
966 * encrypted_destroy - clear and free the key's payload
967 */
encrypted_destroy(struct key * key)968 static void encrypted_destroy(struct key *key)
969 {
970 kfree_sensitive(key->payload.data[0]);
971 }
972
973 struct key_type key_type_encrypted = {
974 .name = "encrypted",
975 .instantiate = encrypted_instantiate,
976 .update = encrypted_update,
977 .destroy = encrypted_destroy,
978 .describe = user_describe,
979 .read = encrypted_read,
980 };
981 EXPORT_SYMBOL_GPL(key_type_encrypted);
982
init_encrypted(void)983 static int __init init_encrypted(void)
984 {
985 int ret;
986
987 ret = aes_get_sizes();
988 if (ret < 0)
989 return ret;
990 return register_key_type(&key_type_encrypted);
991 }
992
cleanup_encrypted(void)993 static void __exit cleanup_encrypted(void)
994 {
995 unregister_key_type(&key_type_encrypted);
996 }
997
998 late_initcall(init_encrypted);
999 module_exit(cleanup_encrypted);
1000
1001 MODULE_DESCRIPTION("Encrypted key type");
1002 MODULE_LICENSE("GPL");
1003