linux/security/keys/encrypted.c
<<
>>
Prefs
   1/*
   2 * Copyright (C) 2010 IBM Corporation
   3 *
   4 * Author:
   5 * Mimi Zohar <zohar@us.ibm.com>
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation, version 2 of the License.
  10 *
  11 * See Documentation/keys-trusted-encrypted.txt
  12 */
  13
  14#include <linux/uaccess.h>
  15#include <linux/module.h>
  16#include <linux/init.h>
  17#include <linux/slab.h>
  18#include <linux/parser.h>
  19#include <linux/string.h>
  20#include <linux/err.h>
  21#include <keys/user-type.h>
  22#include <keys/trusted-type.h>
  23#include <keys/encrypted-type.h>
  24#include <linux/key-type.h>
  25#include <linux/random.h>
  26#include <linux/rcupdate.h>
  27#include <linux/scatterlist.h>
  28#include <linux/crypto.h>
  29#include <crypto/hash.h>
  30#include <crypto/sha.h>
  31#include <crypto/aes.h>
  32
  33#include "encrypted.h"
  34
  35static const char KEY_TRUSTED_PREFIX[] = "trusted:";
  36static const char KEY_USER_PREFIX[] = "user:";
  37static const char hash_alg[] = "sha256";
  38static const char hmac_alg[] = "hmac(sha256)";
  39static const char blkcipher_alg[] = "cbc(aes)";
  40static unsigned int ivsize;
  41static int blksize;
  42
  43#define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1)
  44#define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1)
  45#define HASH_SIZE SHA256_DIGEST_SIZE
  46#define MAX_DATA_SIZE 4096
  47#define MIN_DATA_SIZE  20
  48
  49struct sdesc {
  50        struct shash_desc shash;
  51        char ctx[];
  52};
  53
  54static struct crypto_shash *hashalg;
  55static struct crypto_shash *hmacalg;
  56
  57enum {
  58        Opt_err = -1, Opt_new, Opt_load, Opt_update
  59};
  60
  61static const match_table_t key_tokens = {
  62        {Opt_new, "new"},
  63        {Opt_load, "load"},
  64        {Opt_update, "update"},
  65        {Opt_err, NULL}
  66};
  67
  68static int aes_get_sizes(void)
  69{
  70        struct crypto_blkcipher *tfm;
  71
  72        tfm = crypto_alloc_blkcipher(blkcipher_alg, 0, CRYPTO_ALG_ASYNC);
  73        if (IS_ERR(tfm)) {
  74                pr_err("encrypted_key: failed to alloc_cipher (%ld)\n",
  75                       PTR_ERR(tfm));
  76                return PTR_ERR(tfm);
  77        }
  78        ivsize = crypto_blkcipher_ivsize(tfm);
  79        blksize = crypto_blkcipher_blocksize(tfm);
  80        crypto_free_blkcipher(tfm);
  81        return 0;
  82}
  83
  84/*
  85 * valid_master_desc - verify the 'key-type:desc' of a new/updated master-key
  86 *
  87 * key-type:= "trusted:" | "encrypted:"
  88 * desc:= master-key description
  89 *
  90 * Verify that 'key-type' is valid and that 'desc' exists. On key update,
  91 * only the master key description is permitted to change, not the key-type.
  92 * The key-type remains constant.
  93 *
  94 * On success returns 0, otherwise -EINVAL.
  95 */
  96static int valid_master_desc(const char *new_desc, const char *orig_desc)
  97{
  98        if (!memcmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) {
  99                if (strlen(new_desc) == KEY_TRUSTED_PREFIX_LEN)
 100                        goto out;
 101                if (orig_desc)
 102                        if (memcmp(new_desc, orig_desc, KEY_TRUSTED_PREFIX_LEN))
 103                                goto out;
 104        } else if (!memcmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) {
 105                if (strlen(new_desc) == KEY_USER_PREFIX_LEN)
 106                        goto out;
 107                if (orig_desc)
 108                        if (memcmp(new_desc, orig_desc, KEY_USER_PREFIX_LEN))
 109                                goto out;
 110        } else
 111                goto out;
 112        return 0;
 113out:
 114        return -EINVAL;
 115}
 116
 117/*
 118 * datablob_parse - parse the keyctl data
 119 *
 120 * datablob format:
 121 * new <master-key name> <decrypted data length>
 122 * load <master-key name> <decrypted data length> <encrypted iv + data>
 123 * update <new-master-key name>
 124 *
 125 * Tokenizes a copy of the keyctl data, returning a pointer to each token,
 126 * which is null terminated.
 127 *
 128 * On success returns 0, otherwise -EINVAL.
 129 */
 130static int datablob_parse(char *datablob, char **master_desc,
 131                          char **decrypted_datalen, char **hex_encoded_iv)
 132{
 133        substring_t args[MAX_OPT_ARGS];
 134        int ret = -EINVAL;
 135        int key_cmd;
 136        char *p;
 137
 138        p = strsep(&datablob, " \t");
 139        if (!p)
 140                return ret;
 141        key_cmd = match_token(p, key_tokens, args);
 142
 143        *master_desc = strsep(&datablob, " \t");
 144        if (!*master_desc)
 145                goto out;
 146
 147        if (valid_master_desc(*master_desc, NULL) < 0)
 148                goto out;
 149
 150        if (decrypted_datalen) {
 151                *decrypted_datalen = strsep(&datablob, " \t");
 152                if (!*decrypted_datalen)
 153                        goto out;
 154        }
 155
 156        switch (key_cmd) {
 157        case Opt_new:
 158                if (!decrypted_datalen)
 159                        break;
 160                ret = 0;
 161                break;
 162        case Opt_load:
 163                if (!decrypted_datalen)
 164                        break;
 165                *hex_encoded_iv = strsep(&datablob, " \t");
 166                if (!*hex_encoded_iv)
 167                        break;
 168                ret = 0;
 169                break;
 170        case Opt_update:
 171                if (decrypted_datalen)
 172                        break;
 173                ret = 0;
 174                break;
 175        case Opt_err:
 176                break;
 177        }
 178out:
 179        return ret;
 180}
 181
 182/*
 183 * datablob_format - format as an ascii string, before copying to userspace
 184 */
 185static char *datablob_format(struct encrypted_key_payload *epayload,
 186                             size_t asciiblob_len)
 187{
 188        char *ascii_buf, *bufp;
 189        u8 *iv = epayload->iv;
 190        int len;
 191        int i;
 192
 193        ascii_buf = kmalloc(asciiblob_len + 1, GFP_KERNEL);
 194        if (!ascii_buf)
 195                goto out;
 196
 197        ascii_buf[asciiblob_len] = '\0';
 198
 199        /* copy datablob master_desc and datalen strings */
 200        len = sprintf(ascii_buf, "%s %s ", epayload->master_desc,
 201                      epayload->datalen);
 202
 203        /* convert the hex encoded iv, encrypted-data and HMAC to ascii */
 204        bufp = &ascii_buf[len];
 205        for (i = 0; i < (asciiblob_len - len) / 2; i++)
 206                bufp = pack_hex_byte(bufp, iv[i]);
 207out:
 208        return ascii_buf;
 209}
 210
 211/*
 212 * request_trusted_key - request the trusted key
 213 *
 214 * Trusted keys are sealed to PCRs and other metadata. Although userspace
 215 * manages both trusted/encrypted key-types, like the encrypted key type
 216 * data, trusted key type data is not visible decrypted from userspace.
 217 */
 218static struct key *request_trusted_key(const char *trusted_desc,
 219                                       u8 **master_key, size_t *master_keylen)
 220{
 221        struct trusted_key_payload *tpayload;
 222        struct key *tkey;
 223
 224        tkey = request_key(&key_type_trusted, trusted_desc, NULL);
 225        if (IS_ERR(tkey))
 226                goto error;
 227
 228        down_read(&tkey->sem);
 229        tpayload = rcu_dereference(tkey->payload.data);
 230        *master_key = tpayload->key;
 231        *master_keylen = tpayload->key_len;
 232error:
 233        return tkey;
 234}
 235
 236/*
 237 * request_user_key - request the user key
 238 *
 239 * Use a user provided key to encrypt/decrypt an encrypted-key.
 240 */
 241static struct key *request_user_key(const char *master_desc, u8 **master_key,
 242                                    size_t *master_keylen)
 243{
 244        struct user_key_payload *upayload;
 245        struct key *ukey;
 246
 247        ukey = request_key(&key_type_user, master_desc, NULL);
 248        if (IS_ERR(ukey))
 249                goto error;
 250
 251        down_read(&ukey->sem);
 252        upayload = rcu_dereference(ukey->payload.data);
 253        *master_key = upayload->data;
 254        *master_keylen = upayload->datalen;
 255error:
 256        return ukey;
 257}
 258
 259static struct sdesc *alloc_sdesc(struct crypto_shash *alg)
 260{
 261        struct sdesc *sdesc;
 262        int size;
 263
 264        size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
 265        sdesc = kmalloc(size, GFP_KERNEL);
 266        if (!sdesc)
 267                return ERR_PTR(-ENOMEM);
 268        sdesc->shash.tfm = alg;
 269        sdesc->shash.flags = 0x0;
 270        return sdesc;
 271}
 272
 273static int calc_hmac(u8 *digest, const u8 *key, unsigned int keylen,
 274                     const u8 *buf, unsigned int buflen)
 275{
 276        struct sdesc *sdesc;
 277        int ret;
 278
 279        sdesc = alloc_sdesc(hmacalg);
 280        if (IS_ERR(sdesc)) {
 281                pr_info("encrypted_key: can't alloc %s\n", hmac_alg);
 282                return PTR_ERR(sdesc);
 283        }
 284
 285        ret = crypto_shash_setkey(hmacalg, key, keylen);
 286        if (!ret)
 287                ret = crypto_shash_digest(&sdesc->shash, buf, buflen, digest);
 288        kfree(sdesc);
 289        return ret;
 290}
 291
 292static int calc_hash(u8 *digest, const u8 *buf, unsigned int buflen)
 293{
 294        struct sdesc *sdesc;
 295        int ret;
 296
 297        sdesc = alloc_sdesc(hashalg);
 298        if (IS_ERR(sdesc)) {
 299                pr_info("encrypted_key: can't alloc %s\n", hash_alg);
 300                return PTR_ERR(sdesc);
 301        }
 302
 303        ret = crypto_shash_digest(&sdesc->shash, buf, buflen, digest);
 304        kfree(sdesc);
 305        return ret;
 306}
 307
 308enum derived_key_type { ENC_KEY, AUTH_KEY };
 309
 310/* Derive authentication/encryption key from trusted key */
 311static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
 312                           const u8 *master_key, size_t master_keylen)
 313{
 314        u8 *derived_buf;
 315        unsigned int derived_buf_len;
 316        int ret;
 317
 318        derived_buf_len = strlen("AUTH_KEY") + 1 + master_keylen;
 319        if (derived_buf_len < HASH_SIZE)
 320                derived_buf_len = HASH_SIZE;
 321
 322        derived_buf = kzalloc(derived_buf_len, GFP_KERNEL);
 323        if (!derived_buf) {
 324                pr_err("encrypted_key: out of memory\n");
 325                return -ENOMEM;
 326        }
 327        if (key_type)
 328                strcpy(derived_buf, "AUTH_KEY");
 329        else
 330                strcpy(derived_buf, "ENC_KEY");
 331
 332        memcpy(derived_buf + strlen(derived_buf) + 1, master_key,
 333               master_keylen);
 334        ret = calc_hash(derived_key, derived_buf, derived_buf_len);
 335        kfree(derived_buf);
 336        return ret;
 337}
 338
 339static int init_blkcipher_desc(struct blkcipher_desc *desc, const u8 *key,
 340                               unsigned int key_len, const u8 *iv,
 341                               unsigned int ivsize)
 342{
 343        int ret;
 344
 345        desc->tfm = crypto_alloc_blkcipher(blkcipher_alg, 0, CRYPTO_ALG_ASYNC);
 346        if (IS_ERR(desc->tfm)) {
 347                pr_err("encrypted_key: failed to load %s transform (%ld)\n",
 348                       blkcipher_alg, PTR_ERR(desc->tfm));
 349                return PTR_ERR(desc->tfm);
 350        }
 351        desc->flags = 0;
 352
 353        ret = crypto_blkcipher_setkey(desc->tfm, key, key_len);
 354        if (ret < 0) {
 355                pr_err("encrypted_key: failed to setkey (%d)\n", ret);
 356                crypto_free_blkcipher(desc->tfm);
 357                return ret;
 358        }
 359        crypto_blkcipher_set_iv(desc->tfm, iv, ivsize);
 360        return 0;
 361}
 362
 363static struct key *request_master_key(struct encrypted_key_payload *epayload,
 364                                      u8 **master_key, size_t *master_keylen)
 365{
 366        struct key *mkey = NULL;
 367
 368        if (!strncmp(epayload->master_desc, KEY_TRUSTED_PREFIX,
 369                     KEY_TRUSTED_PREFIX_LEN)) {
 370                mkey = request_trusted_key(epayload->master_desc +
 371                                           KEY_TRUSTED_PREFIX_LEN,
 372                                           master_key, master_keylen);
 373        } else if (!strncmp(epayload->master_desc, KEY_USER_PREFIX,
 374                            KEY_USER_PREFIX_LEN)) {
 375                mkey = request_user_key(epayload->master_desc +
 376                                        KEY_USER_PREFIX_LEN,
 377                                        master_key, master_keylen);
 378        } else
 379                goto out;
 380
 381        if (IS_ERR(mkey))
 382                pr_info("encrypted_key: key %s not found",
 383                        epayload->master_desc);
 384        if (mkey)
 385                dump_master_key(*master_key, *master_keylen);
 386out:
 387        return mkey;
 388}
 389
 390/* Before returning data to userspace, encrypt decrypted data. */
 391static int derived_key_encrypt(struct encrypted_key_payload *epayload,
 392                               const u8 *derived_key,
 393                               unsigned int derived_keylen)
 394{
 395        struct scatterlist sg_in[2];
 396        struct scatterlist sg_out[1];
 397        struct blkcipher_desc desc;
 398        unsigned int encrypted_datalen;
 399        unsigned int padlen;
 400        char pad[16];
 401        int ret;
 402
 403        encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
 404        padlen = encrypted_datalen - epayload->decrypted_datalen;
 405
 406        ret = init_blkcipher_desc(&desc, derived_key, derived_keylen,
 407                                  epayload->iv, ivsize);
 408        if (ret < 0)
 409                goto out;
 410        dump_decrypted_data(epayload);
 411
 412        memset(pad, 0, sizeof pad);
 413        sg_init_table(sg_in, 2);
 414        sg_set_buf(&sg_in[0], epayload->decrypted_data,
 415                   epayload->decrypted_datalen);
 416        sg_set_buf(&sg_in[1], pad, padlen);
 417
 418        sg_init_table(sg_out, 1);
 419        sg_set_buf(sg_out, epayload->encrypted_data, encrypted_datalen);
 420
 421        ret = crypto_blkcipher_encrypt(&desc, sg_out, sg_in, encrypted_datalen);
 422        crypto_free_blkcipher(desc.tfm);
 423        if (ret < 0)
 424                pr_err("encrypted_key: failed to encrypt (%d)\n", ret);
 425        else
 426                dump_encrypted_data(epayload, encrypted_datalen);
 427out:
 428        return ret;
 429}
 430
 431static int datablob_hmac_append(struct encrypted_key_payload *epayload,
 432                                const u8 *master_key, size_t master_keylen)
 433{
 434        u8 derived_key[HASH_SIZE];
 435        u8 *digest;
 436        int ret;
 437
 438        ret = get_derived_key(derived_key, AUTH_KEY, master_key, master_keylen);
 439        if (ret < 0)
 440                goto out;
 441
 442        digest = epayload->master_desc + epayload->datablob_len;
 443        ret = calc_hmac(digest, derived_key, sizeof derived_key,
 444                        epayload->master_desc, epayload->datablob_len);
 445        if (!ret)
 446                dump_hmac(NULL, digest, HASH_SIZE);
 447out:
 448        return ret;
 449}
 450
 451/* verify HMAC before decrypting encrypted key */
 452static int datablob_hmac_verify(struct encrypted_key_payload *epayload,
 453                                const u8 *master_key, size_t master_keylen)
 454{
 455        u8 derived_key[HASH_SIZE];
 456        u8 digest[HASH_SIZE];
 457        int ret;
 458
 459        ret = get_derived_key(derived_key, AUTH_KEY, master_key, master_keylen);
 460        if (ret < 0)
 461                goto out;
 462
 463        ret = calc_hmac(digest, derived_key, sizeof derived_key,
 464                        epayload->master_desc, epayload->datablob_len);
 465        if (ret < 0)
 466                goto out;
 467        ret = memcmp(digest, epayload->master_desc + epayload->datablob_len,
 468                     sizeof digest);
 469        if (ret) {
 470                ret = -EINVAL;
 471                dump_hmac("datablob",
 472                          epayload->master_desc + epayload->datablob_len,
 473                          HASH_SIZE);
 474                dump_hmac("calc", digest, HASH_SIZE);
 475        }
 476out:
 477        return ret;
 478}
 479
 480static int derived_key_decrypt(struct encrypted_key_payload *epayload,
 481                               const u8 *derived_key,
 482                               unsigned int derived_keylen)
 483{
 484        struct scatterlist sg_in[1];
 485        struct scatterlist sg_out[2];
 486        struct blkcipher_desc desc;
 487        unsigned int encrypted_datalen;
 488        char pad[16];
 489        int ret;
 490
 491        encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
 492        ret = init_blkcipher_desc(&desc, derived_key, derived_keylen,
 493                                  epayload->iv, ivsize);
 494        if (ret < 0)
 495                goto out;
 496        dump_encrypted_data(epayload, encrypted_datalen);
 497
 498        memset(pad, 0, sizeof pad);
 499        sg_init_table(sg_in, 1);
 500        sg_init_table(sg_out, 2);
 501        sg_set_buf(sg_in, epayload->encrypted_data, encrypted_datalen);
 502        sg_set_buf(&sg_out[0], epayload->decrypted_data,
 503                   epayload->decrypted_datalen);
 504        sg_set_buf(&sg_out[1], pad, sizeof pad);
 505
 506        ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in, encrypted_datalen);
 507        crypto_free_blkcipher(desc.tfm);
 508        if (ret < 0)
 509                goto out;
 510        dump_decrypted_data(epayload);
 511out:
 512        return ret;
 513}
 514
 515/* Allocate memory for decrypted key and datablob. */
 516static struct encrypted_key_payload *encrypted_key_alloc(struct key *key,
 517                                                         const char *master_desc,
 518                                                         const char *datalen)
 519{
 520        struct encrypted_key_payload *epayload = NULL;
 521        unsigned short datablob_len;
 522        unsigned short decrypted_datalen;
 523        unsigned int encrypted_datalen;
 524        long dlen;
 525        int ret;
 526
 527        ret = strict_strtol(datalen, 10, &dlen);
 528        if (ret < 0 || dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
 529                return ERR_PTR(-EINVAL);
 530
 531        decrypted_datalen = dlen;
 532        encrypted_datalen = roundup(decrypted_datalen, blksize);
 533
 534        datablob_len = strlen(master_desc) + 1 + strlen(datalen) + 1
 535            + ivsize + 1 + encrypted_datalen;
 536
 537        ret = key_payload_reserve(key, decrypted_datalen + datablob_len
 538                                  + HASH_SIZE + 1);
 539        if (ret < 0)
 540                return ERR_PTR(ret);
 541
 542        epayload = kzalloc(sizeof(*epayload) + decrypted_datalen +
 543                           datablob_len + HASH_SIZE + 1, GFP_KERNEL);
 544        if (!epayload)
 545                return ERR_PTR(-ENOMEM);
 546
 547        epayload->decrypted_datalen = decrypted_datalen;
 548        epayload->datablob_len = datablob_len;
 549        return epayload;
 550}
 551
 552static int encrypted_key_decrypt(struct encrypted_key_payload *epayload,
 553                                 const char *hex_encoded_iv)
 554{
 555        struct key *mkey;
 556        u8 derived_key[HASH_SIZE];
 557        u8 *master_key;
 558        u8 *hmac;
 559        const char *hex_encoded_data;
 560        unsigned int encrypted_datalen;
 561        size_t master_keylen;
 562        size_t asciilen;
 563        int ret;
 564
 565        encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
 566        asciilen = (ivsize + 1 + encrypted_datalen + HASH_SIZE) * 2;
 567        if (strlen(hex_encoded_iv) != asciilen)
 568                return -EINVAL;
 569
 570        hex_encoded_data = hex_encoded_iv + (2 * ivsize) + 2;
 571        hex2bin(epayload->iv, hex_encoded_iv, ivsize);
 572        hex2bin(epayload->encrypted_data, hex_encoded_data, encrypted_datalen);
 573
 574        hmac = epayload->master_desc + epayload->datablob_len;
 575        hex2bin(hmac, hex_encoded_data + (encrypted_datalen * 2), HASH_SIZE);
 576
 577        mkey = request_master_key(epayload, &master_key, &master_keylen);
 578        if (IS_ERR(mkey))
 579                return PTR_ERR(mkey);
 580
 581        ret = datablob_hmac_verify(epayload, master_key, master_keylen);
 582        if (ret < 0) {
 583                pr_err("encrypted_key: bad hmac (%d)\n", ret);
 584                goto out;
 585        }
 586
 587        ret = get_derived_key(derived_key, ENC_KEY, master_key, master_keylen);
 588        if (ret < 0)
 589                goto out;
 590
 591        ret = derived_key_decrypt(epayload, derived_key, sizeof derived_key);
 592        if (ret < 0)
 593                pr_err("encrypted_key: failed to decrypt key (%d)\n", ret);
 594out:
 595        up_read(&mkey->sem);
 596        key_put(mkey);
 597        return ret;
 598}
 599
 600static void __ekey_init(struct encrypted_key_payload *epayload,
 601                        const char *master_desc, const char *datalen)
 602{
 603        epayload->master_desc = epayload->decrypted_data
 604            + epayload->decrypted_datalen;
 605        epayload->datalen = epayload->master_desc + strlen(master_desc) + 1;
 606        epayload->iv = epayload->datalen + strlen(datalen) + 1;
 607        epayload->encrypted_data = epayload->iv + ivsize + 1;
 608
 609        memcpy(epayload->master_desc, master_desc, strlen(master_desc));
 610        memcpy(epayload->datalen, datalen, strlen(datalen));
 611}
 612
 613/*
 614 * encrypted_init - initialize an encrypted key
 615 *
 616 * For a new key, use a random number for both the iv and data
 617 * itself.  For an old key, decrypt the hex encoded data.
 618 */
 619static int encrypted_init(struct encrypted_key_payload *epayload,
 620                          const char *master_desc, const char *datalen,
 621                          const char *hex_encoded_iv)
 622{
 623        int ret = 0;
 624
 625        __ekey_init(epayload, master_desc, datalen);
 626        if (!hex_encoded_iv) {
 627                get_random_bytes(epayload->iv, ivsize);
 628
 629                get_random_bytes(epayload->decrypted_data,
 630                                 epayload->decrypted_datalen);
 631        } else
 632                ret = encrypted_key_decrypt(epayload, hex_encoded_iv);
 633        return ret;
 634}
 635
 636/*
 637 * encrypted_instantiate - instantiate an encrypted key
 638 *
 639 * Decrypt an existing encrypted datablob or create a new encrypted key
 640 * based on a kernel random number.
 641 *
 642 * On success, return 0. Otherwise return errno.
 643 */
 644static int encrypted_instantiate(struct key *key, const void *data,
 645                                 size_t datalen)
 646{
 647        struct encrypted_key_payload *epayload = NULL;
 648        char *datablob = NULL;
 649        char *master_desc = NULL;
 650        char *decrypted_datalen = NULL;
 651        char *hex_encoded_iv = NULL;
 652        int ret;
 653
 654        if (datalen <= 0 || datalen > 32767 || !data)
 655                return -EINVAL;
 656
 657        datablob = kmalloc(datalen + 1, GFP_KERNEL);
 658        if (!datablob)
 659                return -ENOMEM;
 660        datablob[datalen] = 0;
 661        memcpy(datablob, data, datalen);
 662        ret = datablob_parse(datablob, &master_desc, &decrypted_datalen,
 663                             &hex_encoded_iv);
 664        if (ret < 0)
 665                goto out;
 666
 667        epayload = encrypted_key_alloc(key, master_desc, decrypted_datalen);
 668        if (IS_ERR(epayload)) {
 669                ret = PTR_ERR(epayload);
 670                goto out;
 671        }
 672        ret = encrypted_init(epayload, master_desc, decrypted_datalen,
 673                             hex_encoded_iv);
 674        if (ret < 0) {
 675                kfree(epayload);
 676                goto out;
 677        }
 678
 679        rcu_assign_pointer(key->payload.data, epayload);
 680out:
 681        kfree(datablob);
 682        return ret;
 683}
 684
 685static void encrypted_rcu_free(struct rcu_head *rcu)
 686{
 687        struct encrypted_key_payload *epayload;
 688
 689        epayload = container_of(rcu, struct encrypted_key_payload, rcu);
 690        memset(epayload->decrypted_data, 0, epayload->decrypted_datalen);
 691        kfree(epayload);
 692}
 693
 694/*
 695 * encrypted_update - update the master key description
 696 *
 697 * Change the master key description for an existing encrypted key.
 698 * The next read will return an encrypted datablob using the new
 699 * master key description.
 700 *
 701 * On success, return 0. Otherwise return errno.
 702 */
 703static int encrypted_update(struct key *key, const void *data, size_t datalen)
 704{
 705        struct encrypted_key_payload *epayload = key->payload.data;
 706        struct encrypted_key_payload *new_epayload;
 707        char *buf;
 708        char *new_master_desc = NULL;
 709        int ret = 0;
 710
 711        if (datalen <= 0 || datalen > 32767 || !data)
 712                return -EINVAL;
 713
 714        buf = kmalloc(datalen + 1, GFP_KERNEL);
 715        if (!buf)
 716                return -ENOMEM;
 717
 718        buf[datalen] = 0;
 719        memcpy(buf, data, datalen);
 720        ret = datablob_parse(buf, &new_master_desc, NULL, NULL);
 721        if (ret < 0)
 722                goto out;
 723
 724        ret = valid_master_desc(new_master_desc, epayload->master_desc);
 725        if (ret < 0)
 726                goto out;
 727
 728        new_epayload = encrypted_key_alloc(key, new_master_desc,
 729                                           epayload->datalen);
 730        if (IS_ERR(new_epayload)) {
 731                ret = PTR_ERR(new_epayload);
 732                goto out;
 733        }
 734
 735        __ekey_init(new_epayload, new_master_desc, epayload->datalen);
 736
 737        memcpy(new_epayload->iv, epayload->iv, ivsize);
 738        memcpy(new_epayload->decrypted_data, epayload->decrypted_data,
 739               epayload->decrypted_datalen);
 740
 741        rcu_assign_pointer(key->payload.data, new_epayload);
 742        call_rcu(&epayload->rcu, encrypted_rcu_free);
 743out:
 744        kfree(buf);
 745        return ret;
 746}
 747
 748/*
 749 * encrypted_read - format and copy the encrypted data to userspace
 750 *
 751 * The resulting datablob format is:
 752 * <master-key name> <decrypted data length> <encrypted iv> <encrypted data>
 753 *
 754 * On success, return to userspace the encrypted key datablob size.
 755 */
 756static long encrypted_read(const struct key *key, char __user *buffer,
 757                           size_t buflen)
 758{
 759        struct encrypted_key_payload *epayload;
 760        struct key *mkey;
 761        u8 *master_key;
 762        size_t master_keylen;
 763        char derived_key[HASH_SIZE];
 764        char *ascii_buf;
 765        size_t asciiblob_len;
 766        int ret;
 767
 768        epayload = rcu_dereference_protected(key->payload.data,
 769                                  rwsem_is_locked(&((struct key *)key)->sem));
 770
 771        /* returns the hex encoded iv, encrypted-data, and hmac as ascii */
 772        asciiblob_len = epayload->datablob_len + ivsize + 1
 773            + roundup(epayload->decrypted_datalen, blksize)
 774            + (HASH_SIZE * 2);
 775
 776        if (!buffer || buflen < asciiblob_len)
 777                return asciiblob_len;
 778
 779        mkey = request_master_key(epayload, &master_key, &master_keylen);
 780        if (IS_ERR(mkey))
 781                return PTR_ERR(mkey);
 782
 783        ret = get_derived_key(derived_key, ENC_KEY, master_key, master_keylen);
 784        if (ret < 0)
 785                goto out;
 786
 787        ret = derived_key_encrypt(epayload, derived_key, sizeof derived_key);
 788        if (ret < 0)
 789                goto out;
 790
 791        ret = datablob_hmac_append(epayload, master_key, master_keylen);
 792        if (ret < 0)
 793                goto out;
 794
 795        ascii_buf = datablob_format(epayload, asciiblob_len);
 796        if (!ascii_buf) {
 797                ret = -ENOMEM;
 798                goto out;
 799        }
 800
 801        up_read(&mkey->sem);
 802        key_put(mkey);
 803
 804        if (copy_to_user(buffer, ascii_buf, asciiblob_len) != 0)
 805                ret = -EFAULT;
 806        kfree(ascii_buf);
 807
 808        return asciiblob_len;
 809out:
 810        up_read(&mkey->sem);
 811        key_put(mkey);
 812        return ret;
 813}
 814
 815/*
 816 * encrypted_destroy - before freeing the key, clear the decrypted data
 817 *
 818 * Before freeing the key, clear the memory containing the decrypted
 819 * key data.
 820 */
 821static void encrypted_destroy(struct key *key)
 822{
 823        struct encrypted_key_payload *epayload = key->payload.data;
 824
 825        if (!epayload)
 826                return;
 827
 828        memset(epayload->decrypted_data, 0, epayload->decrypted_datalen);
 829        kfree(key->payload.data);
 830}
 831
 832struct key_type key_type_encrypted = {
 833        .name = "encrypted",
 834        .instantiate = encrypted_instantiate,
 835        .update = encrypted_update,
 836        .match = user_match,
 837        .destroy = encrypted_destroy,
 838        .describe = user_describe,
 839        .read = encrypted_read,
 840};
 841EXPORT_SYMBOL_GPL(key_type_encrypted);
 842
 843static void encrypted_shash_release(void)
 844{
 845        if (hashalg)
 846                crypto_free_shash(hashalg);
 847        if (hmacalg)
 848                crypto_free_shash(hmacalg);
 849}
 850
 851static int __init encrypted_shash_alloc(void)
 852{
 853        int ret;
 854
 855        hmacalg = crypto_alloc_shash(hmac_alg, 0, CRYPTO_ALG_ASYNC);
 856        if (IS_ERR(hmacalg)) {
 857                pr_info("encrypted_key: could not allocate crypto %s\n",
 858                        hmac_alg);
 859                return PTR_ERR(hmacalg);
 860        }
 861
 862        hashalg = crypto_alloc_shash(hash_alg, 0, CRYPTO_ALG_ASYNC);
 863        if (IS_ERR(hashalg)) {
 864                pr_info("encrypted_key: could not allocate crypto %s\n",
 865                        hash_alg);
 866                ret = PTR_ERR(hashalg);
 867                goto hashalg_fail;
 868        }
 869
 870        return 0;
 871
 872hashalg_fail:
 873        crypto_free_shash(hmacalg);
 874        return ret;
 875}
 876
 877static int __init init_encrypted(void)
 878{
 879        int ret;
 880
 881        ret = encrypted_shash_alloc();
 882        if (ret < 0)
 883                return ret;
 884        ret = register_key_type(&key_type_encrypted);
 885        if (ret < 0)
 886                goto out;
 887        return aes_get_sizes();
 888out:
 889        encrypted_shash_release();
 890        return ret;
 891
 892}
 893
 894static void __exit cleanup_encrypted(void)
 895{
 896        encrypted_shash_release();
 897        unregister_key_type(&key_type_encrypted);
 898}
 899
 900late_initcall(init_encrypted);
 901module_exit(cleanup_encrypted);
 902
 903MODULE_LICENSE("GPL");
 904