linux/security/keys/encrypted-keys/encrypted.c
<<
>>
Prefs
   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * Copyright (C) 2010 IBM Corporation
   4 * Copyright (C) 2010 Politecnico di Torino, Italy
   5 *                    TORSEC group -- https://security.polito.it
   6 *
   7 * Authors:
   8 * Mimi Zohar <zohar@us.ibm.com>
   9 * Roberto Sassu <roberto.sassu@polito.it>
  10 *
  11 * See Documentation/security/keys/trusted-encrypted.rst
  12 */
  13
  14#include <linux/uaccess.h>
  15#include <linux/module.h>
  16#include <linux/init.h>
  17#include <linux/slab.h>
  18#include <linux/parser.h>
  19#include <linux/string.h>
  20#include <linux/err.h>
  21#include <keys/user-type.h>
  22#include <keys/trusted-type.h>
  23#include <keys/encrypted-type.h>
  24#include <linux/key-type.h>
  25#include <linux/random.h>
  26#include <linux/rcupdate.h>
  27#include <linux/scatterlist.h>
  28#include <linux/ctype.h>
  29#include <crypto/aes.h>
  30#include <crypto/algapi.h>
  31#include <crypto/hash.h>
  32#include <crypto/sha2.h>
  33#include <crypto/skcipher.h>
  34
  35#include "encrypted.h"
  36#include "ecryptfs_format.h"
  37
  38static const char KEY_TRUSTED_PREFIX[] = "trusted:";
  39static const char KEY_USER_PREFIX[] = "user:";
  40static const char hash_alg[] = "sha256";
  41static const char hmac_alg[] = "hmac(sha256)";
  42static const char blkcipher_alg[] = "cbc(aes)";
  43static const char key_format_default[] = "default";
  44static const char key_format_ecryptfs[] = "ecryptfs";
  45static const char key_format_enc32[] = "enc32";
  46static unsigned int ivsize;
  47static int blksize;
  48
  49#define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1)
  50#define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1)
  51#define KEY_ECRYPTFS_DESC_LEN 16
  52#define HASH_SIZE SHA256_DIGEST_SIZE
  53#define MAX_DATA_SIZE 4096
  54#define MIN_DATA_SIZE  20
  55#define KEY_ENC32_PAYLOAD_LEN 32
  56
  57static struct crypto_shash *hash_tfm;
  58
  59enum {
  60        Opt_new, Opt_load, Opt_update, Opt_err
  61};
  62
  63enum {
  64        Opt_default, Opt_ecryptfs, Opt_enc32, Opt_error
  65};
  66
  67static const match_table_t key_format_tokens = {
  68        {Opt_default, "default"},
  69        {Opt_ecryptfs, "ecryptfs"},
  70        {Opt_enc32, "enc32"},
  71        {Opt_error, NULL}
  72};
  73
  74static const match_table_t key_tokens = {
  75        {Opt_new, "new"},
  76        {Opt_load, "load"},
  77        {Opt_update, "update"},
  78        {Opt_err, NULL}
  79};
  80
  81static int aes_get_sizes(void)
  82{
  83        struct crypto_skcipher *tfm;
  84
  85        tfm = crypto_alloc_skcipher(blkcipher_alg, 0, CRYPTO_ALG_ASYNC);
  86        if (IS_ERR(tfm)) {
  87                pr_err("encrypted_key: failed to alloc_cipher (%ld)\n",
  88                       PTR_ERR(tfm));
  89                return PTR_ERR(tfm);
  90        }
  91        ivsize = crypto_skcipher_ivsize(tfm);
  92        blksize = crypto_skcipher_blocksize(tfm);
  93        crypto_free_skcipher(tfm);
  94        return 0;
  95}
  96
  97/*
  98 * valid_ecryptfs_desc - verify the description of a new/loaded encrypted key
  99 *
 100 * The description of a encrypted key with format 'ecryptfs' must contain
 101 * exactly 16 hexadecimal characters.
 102 *
 103 */
 104static int valid_ecryptfs_desc(const char *ecryptfs_desc)
 105{
 106        int i;
 107
 108        if (strlen(ecryptfs_desc) != KEY_ECRYPTFS_DESC_LEN) {
 109                pr_err("encrypted_key: key description must be %d hexadecimal "
 110                       "characters long\n", KEY_ECRYPTFS_DESC_LEN);
 111                return -EINVAL;
 112        }
 113
 114        for (i = 0; i < KEY_ECRYPTFS_DESC_LEN; i++) {
 115                if (!isxdigit(ecryptfs_desc[i])) {
 116                        pr_err("encrypted_key: key description must contain "
 117                               "only hexadecimal characters\n");
 118                        return -EINVAL;
 119                }
 120        }
 121
 122        return 0;
 123}
 124
 125/*
 126 * valid_master_desc - verify the 'key-type:desc' of a new/updated master-key
 127 *
 128 * key-type:= "trusted:" | "user:"
 129 * desc:= master-key description
 130 *
 131 * Verify that 'key-type' is valid and that 'desc' exists. On key update,
 132 * only the master key description is permitted to change, not the key-type.
 133 * The key-type remains constant.
 134 *
 135 * On success returns 0, otherwise -EINVAL.
 136 */
 137static int valid_master_desc(const char *new_desc, const char *orig_desc)
 138{
 139        int prefix_len;
 140
 141        if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN))
 142                prefix_len = KEY_TRUSTED_PREFIX_LEN;
 143        else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN))
 144                prefix_len = KEY_USER_PREFIX_LEN;
 145        else
 146                return -EINVAL;
 147
 148        if (!new_desc[prefix_len])
 149                return -EINVAL;
 150
 151        if (orig_desc && strncmp(new_desc, orig_desc, prefix_len))
 152                return -EINVAL;
 153
 154        return 0;
 155}
 156
 157/*
 158 * datablob_parse - parse the keyctl data
 159 *
 160 * datablob format:
 161 * new [<format>] <master-key name> <decrypted data length>
 162 * load [<format>] <master-key name> <decrypted data length>
 163 *     <encrypted iv + data>
 164 * update <new-master-key name>
 165 *
 166 * Tokenizes a copy of the keyctl data, returning a pointer to each token,
 167 * which is null terminated.
 168 *
 169 * On success returns 0, otherwise -EINVAL.
 170 */
 171static int datablob_parse(char *datablob, const char **format,
 172                          char **master_desc, char **decrypted_datalen,
 173                          char **hex_encoded_iv)
 174{
 175        substring_t args[MAX_OPT_ARGS];
 176        int ret = -EINVAL;
 177        int key_cmd;
 178        int key_format;
 179        char *p, *keyword;
 180
 181        keyword = strsep(&datablob, " \t");
 182        if (!keyword) {
 183                pr_info("encrypted_key: insufficient parameters specified\n");
 184                return ret;
 185        }
 186        key_cmd = match_token(keyword, key_tokens, args);
 187
 188        /* Get optional format: default | ecryptfs */
 189        p = strsep(&datablob, " \t");
 190        if (!p) {
 191                pr_err("encrypted_key: insufficient parameters specified\n");
 192                return ret;
 193        }
 194
 195        key_format = match_token(p, key_format_tokens, args);
 196        switch (key_format) {
 197        case Opt_ecryptfs:
 198        case Opt_enc32:
 199        case Opt_default:
 200                *format = p;
 201                *master_desc = strsep(&datablob, " \t");
 202                break;
 203        case Opt_error:
 204                *master_desc = p;
 205                break;
 206        }
 207
 208        if (!*master_desc) {
 209                pr_info("encrypted_key: master key parameter is missing\n");
 210                goto out;
 211        }
 212
 213        if (valid_master_desc(*master_desc, NULL) < 0) {
 214                pr_info("encrypted_key: master key parameter \'%s\' "
 215                        "is invalid\n", *master_desc);
 216                goto out;
 217        }
 218
 219        if (decrypted_datalen) {
 220                *decrypted_datalen = strsep(&datablob, " \t");
 221                if (!*decrypted_datalen) {
 222                        pr_info("encrypted_key: keylen parameter is missing\n");
 223                        goto out;
 224                }
 225        }
 226
 227        switch (key_cmd) {
 228        case Opt_new:
 229                if (!decrypted_datalen) {
 230                        pr_info("encrypted_key: keyword \'%s\' not allowed "
 231                                "when called from .update method\n", keyword);
 232                        break;
 233                }
 234                ret = 0;
 235                break;
 236        case Opt_load:
 237                if (!decrypted_datalen) {
 238                        pr_info("encrypted_key: keyword \'%s\' not allowed "
 239                                "when called from .update method\n", keyword);
 240                        break;
 241                }
 242                *hex_encoded_iv = strsep(&datablob, " \t");
 243                if (!*hex_encoded_iv) {
 244                        pr_info("encrypted_key: hex blob is missing\n");
 245                        break;
 246                }
 247                ret = 0;
 248                break;
 249        case Opt_update:
 250                if (decrypted_datalen) {
 251                        pr_info("encrypted_key: keyword \'%s\' not allowed "
 252                                "when called from .instantiate method\n",
 253                                keyword);
 254                        break;
 255                }
 256                ret = 0;
 257                break;
 258        case Opt_err:
 259                pr_info("encrypted_key: keyword \'%s\' not recognized\n",
 260                        keyword);
 261                break;
 262        }
 263out:
 264        return ret;
 265}
 266
 267/*
 268 * datablob_format - format as an ascii string, before copying to userspace
 269 */
 270static char *datablob_format(struct encrypted_key_payload *epayload,
 271                             size_t asciiblob_len)
 272{
 273        char *ascii_buf, *bufp;
 274        u8 *iv = epayload->iv;
 275        int len;
 276        int i;
 277
 278        ascii_buf = kmalloc(asciiblob_len + 1, GFP_KERNEL);
 279        if (!ascii_buf)
 280                goto out;
 281
 282        ascii_buf[asciiblob_len] = '\0';
 283
 284        /* copy datablob master_desc and datalen strings */
 285        len = sprintf(ascii_buf, "%s %s %s ", epayload->format,
 286                      epayload->master_desc, epayload->datalen);
 287
 288        /* convert the hex encoded iv, encrypted-data and HMAC to ascii */
 289        bufp = &ascii_buf[len];
 290        for (i = 0; i < (asciiblob_len - len) / 2; i++)
 291                bufp = hex_byte_pack(bufp, iv[i]);
 292out:
 293        return ascii_buf;
 294}
 295
 296/*
 297 * request_user_key - request the user key
 298 *
 299 * Use a user provided key to encrypt/decrypt an encrypted-key.
 300 */
 301static struct key *request_user_key(const char *master_desc, const u8 **master_key,
 302                                    size_t *master_keylen)
 303{
 304        const struct user_key_payload *upayload;
 305        struct key *ukey;
 306
 307        ukey = request_key(&key_type_user, master_desc, NULL);
 308        if (IS_ERR(ukey))
 309                goto error;
 310
 311        down_read(&ukey->sem);
 312        upayload = user_key_payload_locked(ukey);
 313        if (!upayload) {
 314                /* key was revoked before we acquired its semaphore */
 315                up_read(&ukey->sem);
 316                key_put(ukey);
 317                ukey = ERR_PTR(-EKEYREVOKED);
 318                goto error;
 319        }
 320        *master_key = upayload->data;
 321        *master_keylen = upayload->datalen;
 322error:
 323        return ukey;
 324}
 325
 326static int calc_hmac(u8 *digest, const u8 *key, unsigned int keylen,
 327                     const u8 *buf, unsigned int buflen)
 328{
 329        struct crypto_shash *tfm;
 330        int err;
 331
 332        tfm = crypto_alloc_shash(hmac_alg, 0, 0);
 333        if (IS_ERR(tfm)) {
 334                pr_err("encrypted_key: can't alloc %s transform: %ld\n",
 335                       hmac_alg, PTR_ERR(tfm));
 336                return PTR_ERR(tfm);
 337        }
 338
 339        err = crypto_shash_setkey(tfm, key, keylen);
 340        if (!err)
 341                err = crypto_shash_tfm_digest(tfm, buf, buflen, digest);
 342        crypto_free_shash(tfm);
 343        return err;
 344}
 345
 346enum derived_key_type { ENC_KEY, AUTH_KEY };
 347
 348/* Derive authentication/encryption key from trusted key */
 349static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
 350                           const u8 *master_key, size_t master_keylen)
 351{
 352        u8 *derived_buf;
 353        unsigned int derived_buf_len;
 354        int ret;
 355
 356        derived_buf_len = strlen("AUTH_KEY") + 1 + master_keylen;
 357        if (derived_buf_len < HASH_SIZE)
 358                derived_buf_len = HASH_SIZE;
 359
 360        derived_buf = kzalloc(derived_buf_len, GFP_KERNEL);
 361        if (!derived_buf)
 362                return -ENOMEM;
 363
 364        if (key_type)
 365                strcpy(derived_buf, "AUTH_KEY");
 366        else
 367                strcpy(derived_buf, "ENC_KEY");
 368
 369        memcpy(derived_buf + strlen(derived_buf) + 1, master_key,
 370               master_keylen);
 371        ret = crypto_shash_tfm_digest(hash_tfm, derived_buf, derived_buf_len,
 372                                      derived_key);
 373        kfree_sensitive(derived_buf);
 374        return ret;
 375}
 376
 377static struct skcipher_request *init_skcipher_req(const u8 *key,
 378                                                  unsigned int key_len)
 379{
 380        struct skcipher_request *req;
 381        struct crypto_skcipher *tfm;
 382        int ret;
 383
 384        tfm = crypto_alloc_skcipher(blkcipher_alg, 0, CRYPTO_ALG_ASYNC);
 385        if (IS_ERR(tfm)) {
 386                pr_err("encrypted_key: failed to load %s transform (%ld)\n",
 387                       blkcipher_alg, PTR_ERR(tfm));
 388                return ERR_CAST(tfm);
 389        }
 390
 391        ret = crypto_skcipher_setkey(tfm, key, key_len);
 392        if (ret < 0) {
 393                pr_err("encrypted_key: failed to setkey (%d)\n", ret);
 394                crypto_free_skcipher(tfm);
 395                return ERR_PTR(ret);
 396        }
 397
 398        req = skcipher_request_alloc(tfm, GFP_KERNEL);
 399        if (!req) {
 400                pr_err("encrypted_key: failed to allocate request for %s\n",
 401                       blkcipher_alg);
 402                crypto_free_skcipher(tfm);
 403                return ERR_PTR(-ENOMEM);
 404        }
 405
 406        skcipher_request_set_callback(req, 0, NULL, NULL);
 407        return req;
 408}
 409
 410static struct key *request_master_key(struct encrypted_key_payload *epayload,
 411                                      const u8 **master_key, size_t *master_keylen)
 412{
 413        struct key *mkey = ERR_PTR(-EINVAL);
 414
 415        if (!strncmp(epayload->master_desc, KEY_TRUSTED_PREFIX,
 416                     KEY_TRUSTED_PREFIX_LEN)) {
 417                mkey = request_trusted_key(epayload->master_desc +
 418                                           KEY_TRUSTED_PREFIX_LEN,
 419                                           master_key, master_keylen);
 420        } else if (!strncmp(epayload->master_desc, KEY_USER_PREFIX,
 421                            KEY_USER_PREFIX_LEN)) {
 422                mkey = request_user_key(epayload->master_desc +
 423                                        KEY_USER_PREFIX_LEN,
 424                                        master_key, master_keylen);
 425        } else
 426                goto out;
 427
 428        if (IS_ERR(mkey)) {
 429                int ret = PTR_ERR(mkey);
 430
 431                if (ret == -ENOTSUPP)
 432                        pr_info("encrypted_key: key %s not supported",
 433                                epayload->master_desc);
 434                else
 435                        pr_info("encrypted_key: key %s not found",
 436                                epayload->master_desc);
 437                goto out;
 438        }
 439
 440        dump_master_key(*master_key, *master_keylen);
 441out:
 442        return mkey;
 443}
 444
 445/* Before returning data to userspace, encrypt decrypted data. */
 446static int derived_key_encrypt(struct encrypted_key_payload *epayload,
 447                               const u8 *derived_key,
 448                               unsigned int derived_keylen)
 449{
 450        struct scatterlist sg_in[2];
 451        struct scatterlist sg_out[1];
 452        struct crypto_skcipher *tfm;
 453        struct skcipher_request *req;
 454        unsigned int encrypted_datalen;
 455        u8 iv[AES_BLOCK_SIZE];
 456        int ret;
 457
 458        encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
 459
 460        req = init_skcipher_req(derived_key, derived_keylen);
 461        ret = PTR_ERR(req);
 462        if (IS_ERR(req))
 463                goto out;
 464        dump_decrypted_data(epayload);
 465
 466        sg_init_table(sg_in, 2);
 467        sg_set_buf(&sg_in[0], epayload->decrypted_data,
 468                   epayload->decrypted_datalen);
 469        sg_set_page(&sg_in[1], ZERO_PAGE(0), AES_BLOCK_SIZE, 0);
 470
 471        sg_init_table(sg_out, 1);
 472        sg_set_buf(sg_out, epayload->encrypted_data, encrypted_datalen);
 473
 474        memcpy(iv, epayload->iv, sizeof(iv));
 475        skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv);
 476        ret = crypto_skcipher_encrypt(req);
 477        tfm = crypto_skcipher_reqtfm(req);
 478        skcipher_request_free(req);
 479        crypto_free_skcipher(tfm);
 480        if (ret < 0)
 481                pr_err("encrypted_key: failed to encrypt (%d)\n", ret);
 482        else
 483                dump_encrypted_data(epayload, encrypted_datalen);
 484out:
 485        return ret;
 486}
 487
 488static int datablob_hmac_append(struct encrypted_key_payload *epayload,
 489                                const u8 *master_key, size_t master_keylen)
 490{
 491        u8 derived_key[HASH_SIZE];
 492        u8 *digest;
 493        int ret;
 494
 495        ret = get_derived_key(derived_key, AUTH_KEY, master_key, master_keylen);
 496        if (ret < 0)
 497                goto out;
 498
 499        digest = epayload->format + epayload->datablob_len;
 500        ret = calc_hmac(digest, derived_key, sizeof derived_key,
 501                        epayload->format, epayload->datablob_len);
 502        if (!ret)
 503                dump_hmac(NULL, digest, HASH_SIZE);
 504out:
 505        memzero_explicit(derived_key, sizeof(derived_key));
 506        return ret;
 507}
 508
 509/* verify HMAC before decrypting encrypted key */
 510static int datablob_hmac_verify(struct encrypted_key_payload *epayload,
 511                                const u8 *format, const u8 *master_key,
 512                                size_t master_keylen)
 513{
 514        u8 derived_key[HASH_SIZE];
 515        u8 digest[HASH_SIZE];
 516        int ret;
 517        char *p;
 518        unsigned short len;
 519
 520        ret = get_derived_key(derived_key, AUTH_KEY, master_key, master_keylen);
 521        if (ret < 0)
 522                goto out;
 523
 524        len = epayload->datablob_len;
 525        if (!format) {
 526                p = epayload->master_desc;
 527                len -= strlen(epayload->format) + 1;
 528        } else
 529                p = epayload->format;
 530
 531        ret = calc_hmac(digest, derived_key, sizeof derived_key, p, len);
 532        if (ret < 0)
 533                goto out;
 534        ret = crypto_memneq(digest, epayload->format + epayload->datablob_len,
 535                            sizeof(digest));
 536        if (ret) {
 537                ret = -EINVAL;
 538                dump_hmac("datablob",
 539                          epayload->format + epayload->datablob_len,
 540                          HASH_SIZE);
 541                dump_hmac("calc", digest, HASH_SIZE);
 542        }
 543out:
 544        memzero_explicit(derived_key, sizeof(derived_key));
 545        return ret;
 546}
 547
 548static int derived_key_decrypt(struct encrypted_key_payload *epayload,
 549                               const u8 *derived_key,
 550                               unsigned int derived_keylen)
 551{
 552        struct scatterlist sg_in[1];
 553        struct scatterlist sg_out[2];
 554        struct crypto_skcipher *tfm;
 555        struct skcipher_request *req;
 556        unsigned int encrypted_datalen;
 557        u8 iv[AES_BLOCK_SIZE];
 558        u8 *pad;
 559        int ret;
 560
 561        /* Throwaway buffer to hold the unused zero padding at the end */
 562        pad = kmalloc(AES_BLOCK_SIZE, GFP_KERNEL);
 563        if (!pad)
 564                return -ENOMEM;
 565
 566        encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
 567        req = init_skcipher_req(derived_key, derived_keylen);
 568        ret = PTR_ERR(req);
 569        if (IS_ERR(req))
 570                goto out;
 571        dump_encrypted_data(epayload, encrypted_datalen);
 572
 573        sg_init_table(sg_in, 1);
 574        sg_init_table(sg_out, 2);
 575        sg_set_buf(sg_in, epayload->encrypted_data, encrypted_datalen);
 576        sg_set_buf(&sg_out[0], epayload->decrypted_data,
 577                   epayload->decrypted_datalen);
 578        sg_set_buf(&sg_out[1], pad, AES_BLOCK_SIZE);
 579
 580        memcpy(iv, epayload->iv, sizeof(iv));
 581        skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv);
 582        ret = crypto_skcipher_decrypt(req);
 583        tfm = crypto_skcipher_reqtfm(req);
 584        skcipher_request_free(req);
 585        crypto_free_skcipher(tfm);
 586        if (ret < 0)
 587                goto out;
 588        dump_decrypted_data(epayload);
 589out:
 590        kfree(pad);
 591        return ret;
 592}
 593
 594/* Allocate memory for decrypted key and datablob. */
 595static struct encrypted_key_payload *encrypted_key_alloc(struct key *key,
 596                                                         const char *format,
 597                                                         const char *master_desc,
 598                                                         const char *datalen)
 599{
 600        struct encrypted_key_payload *epayload = NULL;
 601        unsigned short datablob_len;
 602        unsigned short decrypted_datalen;
 603        unsigned short payload_datalen;
 604        unsigned int encrypted_datalen;
 605        unsigned int format_len;
 606        long dlen;
 607        int ret;
 608
 609        ret = kstrtol(datalen, 10, &dlen);
 610        if (ret < 0 || dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
 611                return ERR_PTR(-EINVAL);
 612
 613        format_len = (!format) ? strlen(key_format_default) : strlen(format);
 614        decrypted_datalen = dlen;
 615        payload_datalen = decrypted_datalen;
 616        if (format) {
 617                if (!strcmp(format, key_format_ecryptfs)) {
 618                        if (dlen != ECRYPTFS_MAX_KEY_BYTES) {
 619                                pr_err("encrypted_key: keylen for the ecryptfs format must be equal to %d bytes\n",
 620                                        ECRYPTFS_MAX_KEY_BYTES);
 621                                return ERR_PTR(-EINVAL);
 622                        }
 623                        decrypted_datalen = ECRYPTFS_MAX_KEY_BYTES;
 624                        payload_datalen = sizeof(struct ecryptfs_auth_tok);
 625                } else if (!strcmp(format, key_format_enc32)) {
 626                        if (decrypted_datalen != KEY_ENC32_PAYLOAD_LEN) {
 627                                pr_err("encrypted_key: enc32 key payload incorrect length: %d\n",
 628                                                decrypted_datalen);
 629                                return ERR_PTR(-EINVAL);
 630                        }
 631                }
 632        }
 633
 634        encrypted_datalen = roundup(decrypted_datalen, blksize);
 635
 636        datablob_len = format_len + 1 + strlen(master_desc) + 1
 637            + strlen(datalen) + 1 + ivsize + 1 + encrypted_datalen;
 638
 639        ret = key_payload_reserve(key, payload_datalen + datablob_len
 640                                  + HASH_SIZE + 1);
 641        if (ret < 0)
 642                return ERR_PTR(ret);
 643
 644        epayload = kzalloc(sizeof(*epayload) + payload_datalen +
 645                           datablob_len + HASH_SIZE + 1, GFP_KERNEL);
 646        if (!epayload)
 647                return ERR_PTR(-ENOMEM);
 648
 649        epayload->payload_datalen = payload_datalen;
 650        epayload->decrypted_datalen = decrypted_datalen;
 651        epayload->datablob_len = datablob_len;
 652        return epayload;
 653}
 654
 655static int encrypted_key_decrypt(struct encrypted_key_payload *epayload,
 656                                 const char *format, const char *hex_encoded_iv)
 657{
 658        struct key *mkey;
 659        u8 derived_key[HASH_SIZE];
 660        const u8 *master_key;
 661        u8 *hmac;
 662        const char *hex_encoded_data;
 663        unsigned int encrypted_datalen;
 664        size_t master_keylen;
 665        size_t asciilen;
 666        int ret;
 667
 668        encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
 669        asciilen = (ivsize + 1 + encrypted_datalen + HASH_SIZE) * 2;
 670        if (strlen(hex_encoded_iv) != asciilen)
 671                return -EINVAL;
 672
 673        hex_encoded_data = hex_encoded_iv + (2 * ivsize) + 2;
 674        ret = hex2bin(epayload->iv, hex_encoded_iv, ivsize);
 675        if (ret < 0)
 676                return -EINVAL;
 677        ret = hex2bin(epayload->encrypted_data, hex_encoded_data,
 678                      encrypted_datalen);
 679        if (ret < 0)
 680                return -EINVAL;
 681
 682        hmac = epayload->format + epayload->datablob_len;
 683        ret = hex2bin(hmac, hex_encoded_data + (encrypted_datalen * 2),
 684                      HASH_SIZE);
 685        if (ret < 0)
 686                return -EINVAL;
 687
 688        mkey = request_master_key(epayload, &master_key, &master_keylen);
 689        if (IS_ERR(mkey))
 690                return PTR_ERR(mkey);
 691
 692        ret = datablob_hmac_verify(epayload, format, master_key, master_keylen);
 693        if (ret < 0) {
 694                pr_err("encrypted_key: bad hmac (%d)\n", ret);
 695                goto out;
 696        }
 697
 698        ret = get_derived_key(derived_key, ENC_KEY, master_key, master_keylen);
 699        if (ret < 0)
 700                goto out;
 701
 702        ret = derived_key_decrypt(epayload, derived_key, sizeof derived_key);
 703        if (ret < 0)
 704                pr_err("encrypted_key: failed to decrypt key (%d)\n", ret);
 705out:
 706        up_read(&mkey->sem);
 707        key_put(mkey);
 708        memzero_explicit(derived_key, sizeof(derived_key));
 709        return ret;
 710}
 711
 712static void __ekey_init(struct encrypted_key_payload *epayload,
 713                        const char *format, const char *master_desc,
 714                        const char *datalen)
 715{
 716        unsigned int format_len;
 717
 718        format_len = (!format) ? strlen(key_format_default) : strlen(format);
 719        epayload->format = epayload->payload_data + epayload->payload_datalen;
 720        epayload->master_desc = epayload->format + format_len + 1;
 721        epayload->datalen = epayload->master_desc + strlen(master_desc) + 1;
 722        epayload->iv = epayload->datalen + strlen(datalen) + 1;
 723        epayload->encrypted_data = epayload->iv + ivsize + 1;
 724        epayload->decrypted_data = epayload->payload_data;
 725
 726        if (!format)
 727                memcpy(epayload->format, key_format_default, format_len);
 728        else {
 729                if (!strcmp(format, key_format_ecryptfs))
 730                        epayload->decrypted_data =
 731                                ecryptfs_get_auth_tok_key((struct ecryptfs_auth_tok *)epayload->payload_data);
 732
 733                memcpy(epayload->format, format, format_len);
 734        }
 735
 736        memcpy(epayload->master_desc, master_desc, strlen(master_desc));
 737        memcpy(epayload->datalen, datalen, strlen(datalen));
 738}
 739
 740/*
 741 * encrypted_init - initialize an encrypted key
 742 *
 743 * For a new key, use a random number for both the iv and data
 744 * itself.  For an old key, decrypt the hex encoded data.
 745 */
 746static int encrypted_init(struct encrypted_key_payload *epayload,
 747                          const char *key_desc, const char *format,
 748                          const char *master_desc, const char *datalen,
 749                          const char *hex_encoded_iv)
 750{
 751        int ret = 0;
 752
 753        if (format && !strcmp(format, key_format_ecryptfs)) {
 754                ret = valid_ecryptfs_desc(key_desc);
 755                if (ret < 0)
 756                        return ret;
 757
 758                ecryptfs_fill_auth_tok((struct ecryptfs_auth_tok *)epayload->payload_data,
 759                                       key_desc);
 760        }
 761
 762        __ekey_init(epayload, format, master_desc, datalen);
 763        if (!hex_encoded_iv) {
 764                get_random_bytes(epayload->iv, ivsize);
 765
 766                get_random_bytes(epayload->decrypted_data,
 767                                 epayload->decrypted_datalen);
 768        } else
 769                ret = encrypted_key_decrypt(epayload, format, hex_encoded_iv);
 770        return ret;
 771}
 772
 773/*
 774 * encrypted_instantiate - instantiate an encrypted key
 775 *
 776 * Decrypt an existing encrypted datablob or create a new encrypted key
 777 * based on a kernel random number.
 778 *
 779 * On success, return 0. Otherwise return errno.
 780 */
 781static int encrypted_instantiate(struct key *key,
 782                                 struct key_preparsed_payload *prep)
 783{
 784        struct encrypted_key_payload *epayload = NULL;
 785        char *datablob = NULL;
 786        const char *format = NULL;
 787        char *master_desc = NULL;
 788        char *decrypted_datalen = NULL;
 789        char *hex_encoded_iv = NULL;
 790        size_t datalen = prep->datalen;
 791        int ret;
 792
 793        if (datalen <= 0 || datalen > 32767 || !prep->data)
 794                return -EINVAL;
 795
 796        datablob = kmalloc(datalen + 1, GFP_KERNEL);
 797        if (!datablob)
 798                return -ENOMEM;
 799        datablob[datalen] = 0;
 800        memcpy(datablob, prep->data, datalen);
 801        ret = datablob_parse(datablob, &format, &master_desc,
 802                             &decrypted_datalen, &hex_encoded_iv);
 803        if (ret < 0)
 804                goto out;
 805
 806        epayload = encrypted_key_alloc(key, format, master_desc,
 807                                       decrypted_datalen);
 808        if (IS_ERR(epayload)) {
 809                ret = PTR_ERR(epayload);
 810                goto out;
 811        }
 812        ret = encrypted_init(epayload, key->description, format, master_desc,
 813                             decrypted_datalen, hex_encoded_iv);
 814        if (ret < 0) {
 815                kfree_sensitive(epayload);
 816                goto out;
 817        }
 818
 819        rcu_assign_keypointer(key, epayload);
 820out:
 821        kfree_sensitive(datablob);
 822        return ret;
 823}
 824
 825static void encrypted_rcu_free(struct rcu_head *rcu)
 826{
 827        struct encrypted_key_payload *epayload;
 828
 829        epayload = container_of(rcu, struct encrypted_key_payload, rcu);
 830        kfree_sensitive(epayload);
 831}
 832
 833/*
 834 * encrypted_update - update the master key description
 835 *
 836 * Change the master key description for an existing encrypted key.
 837 * The next read will return an encrypted datablob using the new
 838 * master key description.
 839 *
 840 * On success, return 0. Otherwise return errno.
 841 */
 842static int encrypted_update(struct key *key, struct key_preparsed_payload *prep)
 843{
 844        struct encrypted_key_payload *epayload = key->payload.data[0];
 845        struct encrypted_key_payload *new_epayload;
 846        char *buf;
 847        char *new_master_desc = NULL;
 848        const char *format = NULL;
 849        size_t datalen = prep->datalen;
 850        int ret = 0;
 851
 852        if (key_is_negative(key))
 853                return -ENOKEY;
 854        if (datalen <= 0 || datalen > 32767 || !prep->data)
 855                return -EINVAL;
 856
 857        buf = kmalloc(datalen + 1, GFP_KERNEL);
 858        if (!buf)
 859                return -ENOMEM;
 860
 861        buf[datalen] = 0;
 862        memcpy(buf, prep->data, datalen);
 863        ret = datablob_parse(buf, &format, &new_master_desc, NULL, NULL);
 864        if (ret < 0)
 865                goto out;
 866
 867        ret = valid_master_desc(new_master_desc, epayload->master_desc);
 868        if (ret < 0)
 869                goto out;
 870
 871        new_epayload = encrypted_key_alloc(key, epayload->format,
 872                                           new_master_desc, epayload->datalen);
 873        if (IS_ERR(new_epayload)) {
 874                ret = PTR_ERR(new_epayload);
 875                goto out;
 876        }
 877
 878        __ekey_init(new_epayload, epayload->format, new_master_desc,
 879                    epayload->datalen);
 880
 881        memcpy(new_epayload->iv, epayload->iv, ivsize);
 882        memcpy(new_epayload->payload_data, epayload->payload_data,
 883               epayload->payload_datalen);
 884
 885        rcu_assign_keypointer(key, new_epayload);
 886        call_rcu(&epayload->rcu, encrypted_rcu_free);
 887out:
 888        kfree_sensitive(buf);
 889        return ret;
 890}
 891
 892/*
 893 * encrypted_read - format and copy out the encrypted data
 894 *
 895 * The resulting datablob format is:
 896 * <master-key name> <decrypted data length> <encrypted iv> <encrypted data>
 897 *
 898 * On success, return to userspace the encrypted key datablob size.
 899 */
 900static long encrypted_read(const struct key *key, char *buffer,
 901                           size_t buflen)
 902{
 903        struct encrypted_key_payload *epayload;
 904        struct key *mkey;
 905        const u8 *master_key;
 906        size_t master_keylen;
 907        char derived_key[HASH_SIZE];
 908        char *ascii_buf;
 909        size_t asciiblob_len;
 910        int ret;
 911
 912        epayload = dereference_key_locked(key);
 913
 914        /* returns the hex encoded iv, encrypted-data, and hmac as ascii */
 915        asciiblob_len = epayload->datablob_len + ivsize + 1
 916            + roundup(epayload->decrypted_datalen, blksize)
 917            + (HASH_SIZE * 2);
 918
 919        if (!buffer || buflen < asciiblob_len)
 920                return asciiblob_len;
 921
 922        mkey = request_master_key(epayload, &master_key, &master_keylen);
 923        if (IS_ERR(mkey))
 924                return PTR_ERR(mkey);
 925
 926        ret = get_derived_key(derived_key, ENC_KEY, master_key, master_keylen);
 927        if (ret < 0)
 928                goto out;
 929
 930        ret = derived_key_encrypt(epayload, derived_key, sizeof derived_key);
 931        if (ret < 0)
 932                goto out;
 933
 934        ret = datablob_hmac_append(epayload, master_key, master_keylen);
 935        if (ret < 0)
 936                goto out;
 937
 938        ascii_buf = datablob_format(epayload, asciiblob_len);
 939        if (!ascii_buf) {
 940                ret = -ENOMEM;
 941                goto out;
 942        }
 943
 944        up_read(&mkey->sem);
 945        key_put(mkey);
 946        memzero_explicit(derived_key, sizeof(derived_key));
 947
 948        memcpy(buffer, ascii_buf, asciiblob_len);
 949        kfree_sensitive(ascii_buf);
 950
 951        return asciiblob_len;
 952out:
 953        up_read(&mkey->sem);
 954        key_put(mkey);
 955        memzero_explicit(derived_key, sizeof(derived_key));
 956        return ret;
 957}
 958
 959/*
 960 * encrypted_destroy - clear and free the key's payload
 961 */
 962static void encrypted_destroy(struct key *key)
 963{
 964        kfree_sensitive(key->payload.data[0]);
 965}
 966
 967struct key_type key_type_encrypted = {
 968        .name = "encrypted",
 969        .instantiate = encrypted_instantiate,
 970        .update = encrypted_update,
 971        .destroy = encrypted_destroy,
 972        .describe = user_describe,
 973        .read = encrypted_read,
 974};
 975EXPORT_SYMBOL_GPL(key_type_encrypted);
 976
 977static int __init init_encrypted(void)
 978{
 979        int ret;
 980
 981        hash_tfm = crypto_alloc_shash(hash_alg, 0, 0);
 982        if (IS_ERR(hash_tfm)) {
 983                pr_err("encrypted_key: can't allocate %s transform: %ld\n",
 984                       hash_alg, PTR_ERR(hash_tfm));
 985                return PTR_ERR(hash_tfm);
 986        }
 987
 988        ret = aes_get_sizes();
 989        if (ret < 0)
 990                goto out;
 991        ret = register_key_type(&key_type_encrypted);
 992        if (ret < 0)
 993                goto out;
 994        return 0;
 995out:
 996        crypto_free_shash(hash_tfm);
 997        return ret;
 998
 999}
1000
1001static void __exit cleanup_encrypted(void)
1002{
1003        crypto_free_shash(hash_tfm);
1004        unregister_key_type(&key_type_encrypted);
1005}
1006
1007late_initcall(init_encrypted);
1008module_exit(cleanup_encrypted);
1009
1010MODULE_LICENSE("GPL");
1011