fs/crypto/keysetup_v1.c

0001 // SPDX-License-Identifier: GPL-2.0
0002 /*
0003  * Key setup for v1 encryption policies
0004  *
0005  * Copyright 2015, 2019 Google LLC
0006  */
0007
0008 /*
0009  * This file implements compatibility functions for the original encryption
0010  * policy version ("v1"), including:
0011  *
0012  * - Deriving per-file encryption keys using the AES-128-ECB based KDF
0013  *   (rather than the new method of using HKDF-SHA512)
0014  *
0015  * - Retrieving fscrypt master keys from process-subscribed keyrings
0016  *   (rather than the new method of using a filesystem-level keyring)
0017  *
0018  * - Handling policies with the DIRECT_KEY flag set using a master key table
0019  *   (rather than the new method of implementing DIRECT_KEY with per-mode keys
0020  *    managed alongside the master keys in the filesystem-level keyring)
0021  */
0022
0023 #include <crypto/algapi.h>
0024 #include <crypto/skcipher.h>
0025 #include <keys/user-type.h>
0026 #include <linux/hashtable.h>
0027 #include <linux/scatterlist.h>
0028
0029 #include "fscrypt_private.h"
0030
0031 /* Table of keys referenced by DIRECT_KEY policies */
0032 static DEFINE_HASHTABLE(fscrypt_direct_keys, 6); /* 6 bits = 64 buckets */
0033 static DEFINE_SPINLOCK(fscrypt_direct_keys_lock);
0034
0035 /*
0036  * v1 key derivation function.  This generates the derived key by encrypting the
0037  * master key with AES-128-ECB using the nonce as the AES key.  This provides a
0038  * unique derived key with sufficient entropy for each inode.  However, it's
0039  * nonstandard, non-extensible, doesn't evenly distribute the entropy from the
0040  * master key, and is trivially reversible: an attacker who compromises a
0041  * derived key can "decrypt" it to get back to the master key, then derive any
0042  * other key.  For all new code, use HKDF instead.
0043  *
0044  * The master key must be at least as long as the derived key.  If the master
0045  * key is longer, then only the first 'derived_keysize' bytes are used.
0046  */
0047 static int derive_key_aes(const u8 *master_key,
0048               const u8 nonce[FSCRYPT_FILE_NONCE_SIZE],
0049               u8 *derived_key, unsigned int derived_keysize)
0050 {
0051     int res = 0;
0052     struct skcipher_request *req = NULL;
0053     DECLARE_CRYPTO_WAIT(wait);
0054     struct scatterlist src_sg, dst_sg;
0055     struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0);
0056
0057     if (IS_ERR(tfm)) {
0058         res = PTR_ERR(tfm);
0059         tfm = NULL;
0060         goto out;
0061     }
0062     crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
0063     req = skcipher_request_alloc(tfm, GFP_KERNEL);
0064     if (!req) {
0065         res = -ENOMEM;
0066         goto out;
0067     }
0068     skcipher_request_set_callback(req,
0069             CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
0070             crypto_req_done, &wait);
0071     res = crypto_skcipher_setkey(tfm, nonce, FSCRYPT_FILE_NONCE_SIZE);
0072     if (res < 0)
0073         goto out;
0074
0075     sg_init_one(&src_sg, master_key, derived_keysize);
0076     sg_init_one(&dst_sg, derived_key, derived_keysize);
0077     skcipher_request_set_crypt(req, &src_sg, &dst_sg, derived_keysize,
0078                    NULL);
0079     res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
0080 out:
0081     skcipher_request_free(req);
0082     crypto_free_skcipher(tfm);
0083     return res;
0084 }
0085
0086 /*
0087  * Search the current task's subscribed keyrings for a "logon" key with
0088  * description prefix:descriptor, and if found acquire a read lock on it and
0089  * return a pointer to its validated payload in *payload_ret.
0090  */
0091 static struct key *
0092 find_and_lock_process_key(const char *prefix,
0093               const u8 descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE],
0094               unsigned int min_keysize,
0095               const struct fscrypt_key **payload_ret)
0096 {
0097     char *description;
0098     struct key *key;
0099     const struct user_key_payload *ukp;
0100     const struct fscrypt_key *payload;
0101
0102     description = kasprintf(GFP_KERNEL, "%s%*phN", prefix,
0103                 FSCRYPT_KEY_DESCRIPTOR_SIZE, descriptor);
0104     if (!description)
0105         return ERR_PTR(-ENOMEM);
0106
0107     key = request_key(&key_type_logon, description, NULL);
0108     kfree(description);
0109     if (IS_ERR(key))
0110         return key;
0111
0112     down_read(&key->sem);
0113     ukp = user_key_payload_locked(key);
0114
0115     if (!ukp) /* was the key revoked before we acquired its semaphore? */
0116         goto invalid;
0117
0118     payload = (const struct fscrypt_key *)ukp->data;
0119
0120     if (ukp->datalen != sizeof(struct fscrypt_key) ||
0121         payload->size < 1 || payload->size > FSCRYPT_MAX_KEY_SIZE) {
0122         fscrypt_warn(NULL,
0123                  "key with description '%s' has invalid payload",
0124                  key->description);
0125         goto invalid;
0126     }
0127
0128     if (payload->size < min_keysize) {
0129         fscrypt_warn(NULL,
0130                  "key with description '%s' is too short (got %u bytes, need %u+ bytes)",
0131                  key->description, payload->size, min_keysize);
0132         goto invalid;
0133     }
0134
0135     *payload_ret = payload;
0136     return key;
0137
0138 invalid:
0139     up_read(&key->sem);
0140     key_put(key);
0141     return ERR_PTR(-ENOKEY);
0142 }
0143
0144 /* Master key referenced by DIRECT_KEY policy */
0145 struct fscrypt_direct_key {
0146     struct hlist_node       dk_node;
0147     refcount_t          dk_refcount;
0148     const struct fscrypt_mode   *dk_mode;
0149     struct fscrypt_prepared_key dk_key;
0150     u8              dk_descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE];
0151     u8              dk_raw[FSCRYPT_MAX_KEY_SIZE];
0152 };
0153
0154 static void free_direct_key(struct fscrypt_direct_key *dk)
0155 {
0156     if (dk) {
0157         fscrypt_destroy_prepared_key(&dk->dk_key);
0158         kfree_sensitive(dk);
0159     }
0160 }
0161
0162 void fscrypt_put_direct_key(struct fscrypt_direct_key *dk)
0163 {
0164     if (!refcount_dec_and_lock(&dk->dk_refcount, &fscrypt_direct_keys_lock))
0165         return;
0166     hash_del(&dk->dk_node);
0167     spin_unlock(&fscrypt_direct_keys_lock);
0168
0169     free_direct_key(dk);
0170 }
0171
0172 /*
0173  * Find/insert the given key into the fscrypt_direct_keys table.  If found, it
0174  * is returned with elevated refcount, and 'to_insert' is freed if non-NULL.  If
0175  * not found, 'to_insert' is inserted and returned if it's non-NULL; otherwise
0176  * NULL is returned.
0177  */
0178 static struct fscrypt_direct_key *
0179 find_or_insert_direct_key(struct fscrypt_direct_key *to_insert,
0180               const u8 *raw_key, const struct fscrypt_info *ci)
0181 {
0182     unsigned long hash_key;
0183     struct fscrypt_direct_key *dk;
0184
0185     /*
0186      * Careful: to avoid potentially leaking secret key bytes via timing
0187      * information, we must key the hash table by descriptor rather than by
0188      * raw key, and use crypto_memneq() when comparing raw keys.
0189      */
0190
0191     BUILD_BUG_ON(sizeof(hash_key) > FSCRYPT_KEY_DESCRIPTOR_SIZE);
0192     memcpy(&hash_key, ci->ci_policy.v1.master_key_descriptor,
0193            sizeof(hash_key));
0194
0195     spin_lock(&fscrypt_direct_keys_lock);
0196     hash_for_each_possible(fscrypt_direct_keys, dk, dk_node, hash_key) {
0197         if (memcmp(ci->ci_policy.v1.master_key_descriptor,
0198                dk->dk_descriptor, FSCRYPT_KEY_DESCRIPTOR_SIZE) != 0)
0199             continue;
0200         if (ci->ci_mode != dk->dk_mode)
0201             continue;
0202         if (!fscrypt_is_key_prepared(&dk->dk_key, ci))
0203             continue;
0204         if (crypto_memneq(raw_key, dk->dk_raw, ci->ci_mode->keysize))
0205             continue;
0206         /* using existing tfm with same (descriptor, mode, raw_key) */
0207         refcount_inc(&dk->dk_refcount);
0208         spin_unlock(&fscrypt_direct_keys_lock);
0209         free_direct_key(to_insert);
0210         return dk;
0211     }
0212     if (to_insert)
0213         hash_add(fscrypt_direct_keys, &to_insert->dk_node, hash_key);
0214     spin_unlock(&fscrypt_direct_keys_lock);
0215     return to_insert;
0216 }
0217
0218 /* Prepare to encrypt directly using the master key in the given mode */
0219 static struct fscrypt_direct_key *
0220 fscrypt_get_direct_key(const struct fscrypt_info *ci, const u8 *raw_key)
0221 {
0222     struct fscrypt_direct_key *dk;
0223     int err;
0224
0225     /* Is there already a tfm for this key? */
0226     dk = find_or_insert_direct_key(NULL, raw_key, ci);
0227     if (dk)
0228         return dk;
0229
0230     /* Nope, allocate one. */
0231     dk = kzalloc(sizeof(*dk), GFP_KERNEL);
0232     if (!dk)
0233         return ERR_PTR(-ENOMEM);
0234     refcount_set(&dk->dk_refcount, 1);
0235     dk->dk_mode = ci->ci_mode;
0236     err = fscrypt_prepare_key(&dk->dk_key, raw_key, ci);
0237     if (err)
0238         goto err_free_dk;
0239     memcpy(dk->dk_descriptor, ci->ci_policy.v1.master_key_descriptor,
0240            FSCRYPT_KEY_DESCRIPTOR_SIZE);
0241     memcpy(dk->dk_raw, raw_key, ci->ci_mode->keysize);
0242
0243     return find_or_insert_direct_key(dk, raw_key, ci);
0244
0245 err_free_dk:
0246     free_direct_key(dk);
0247     return ERR_PTR(err);
0248 }
0249
0250 /* v1 policy, DIRECT_KEY: use the master key directly */
0251 static int setup_v1_file_key_direct(struct fscrypt_info *ci,
0252                     const u8 *raw_master_key)
0253 {
0254     struct fscrypt_direct_key *dk;
0255
0256     dk = fscrypt_get_direct_key(ci, raw_master_key);
0257     if (IS_ERR(dk))
0258         return PTR_ERR(dk);
0259     ci->ci_direct_key = dk;
0260     ci->ci_enc_key = dk->dk_key;
0261     return 0;
0262 }
0263
0264 /* v1 policy, !DIRECT_KEY: derive the file's encryption key */
0265 static int setup_v1_file_key_derived(struct fscrypt_info *ci,
0266                      const u8 *raw_master_key)
0267 {
0268     u8 *derived_key;
0269     int err;
0270
0271     /*
0272      * This cannot be a stack buffer because it will be passed to the
0273      * scatterlist crypto API during derive_key_aes().
0274      */
0275     derived_key = kmalloc(ci->ci_mode->keysize, GFP_KERNEL);
0276     if (!derived_key)
0277         return -ENOMEM;
0278
0279     err = derive_key_aes(raw_master_key, ci->ci_nonce,
0280                  derived_key, ci->ci_mode->keysize);
0281     if (err)
0282         goto out;
0283
0284     err = fscrypt_set_per_file_enc_key(ci, derived_key);
0285 out:
0286     kfree_sensitive(derived_key);
0287     return err;
0288 }
0289
0290 int fscrypt_setup_v1_file_key(struct fscrypt_info *ci, const u8 *raw_master_key)
0291 {
0292     if (ci->ci_policy.v1.flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY)
0293         return setup_v1_file_key_direct(ci, raw_master_key);
0294     else
0295         return setup_v1_file_key_derived(ci, raw_master_key);
0296 }
0297
0298 int fscrypt_setup_v1_file_key_via_subscribed_keyrings(struct fscrypt_info *ci)
0299 {
0300     struct key *key;
0301     const struct fscrypt_key *payload;
0302     int err;
0303
0304     key = find_and_lock_process_key(FSCRYPT_KEY_DESC_PREFIX,
0305                     ci->ci_policy.v1.master_key_descriptor,
0306                     ci->ci_mode->keysize, &payload);
0307     if (key == ERR_PTR(-ENOKEY) && ci->ci_inode->i_sb->s_cop->key_prefix) {
0308         key = find_and_lock_process_key(ci->ci_inode->i_sb->s_cop->key_prefix,
0309                         ci->ci_policy.v1.master_key_descriptor,
0310                         ci->ci_mode->keysize, &payload);
0311     }
0312     if (IS_ERR(key))
0313         return PTR_ERR(key);
0314
0315     err = fscrypt_setup_v1_file_key(ci, payload->raw);
0316     up_read(&key->sem);
0317     key_put(key);
0318     return err;
0319 }