From patchwork Wed Jul 26 18:19:25 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 9865645 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 9D7826038F for ; Wed, 26 Jul 2017 18:22:34 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 962CF287BA for ; Wed, 26 Jul 2017 18:22:34 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8A6C7287B5; Wed, 26 Jul 2017 18:22:34 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM, T_DKIM_INVALID autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 332C3287B5 for ; Wed, 26 Jul 2017 18:22:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751445AbdGZSWX (ORCPT ); Wed, 26 Jul 2017 14:22:23 -0400 Received: from mail-pg0-f68.google.com ([74.125.83.68]:33929 "EHLO mail-pg0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750897AbdGZSWR (ORCPT ); Wed, 26 Jul 2017 14:22:17 -0400 Received: by mail-pg0-f68.google.com with SMTP id v190so18066798pgv.1; Wed, 26 Jul 2017 11:22:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=Pb/Y8i7cb7DVZnKeepdggLXolNDLHYtJ04bnFRxxIKo=; b=H0Rbas8TD/gJ+nXnoS2pgosj7mJc53CPEVUQk20TtWs7qJy+Mc4ZxIfuVhKmR0/3o2 V3BZmnRyG2AJR1s+2Nmy3AvEsgQ7vS3HDQ/BucJeAqi1mBmTDKuU0ybiYDPadXjrs4iz 4YHvLYPeb0L5O9A3JG+CMziRBFai9ViYKPQZNEQF7ED4qV45u/bSuKihZpSr9PbClrQq rjkBex4SD9xhNx5Eewb/HBq9ME1RHTKQbFh6n4vnZtDPG+lVpDMa1v1qvQMJ7yRyby1T c6EFcUCfEJ0jpYRJ1KLiaqrkrSNClKJAdj/DxtlkbfngNdx2ST8rZoca9Ol3cQGQOCN9 /MVA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=Pb/Y8i7cb7DVZnKeepdggLXolNDLHYtJ04bnFRxxIKo=; b=RC1ZYQTxYkfQkSwqXwl9BqRxbA6gSWFFGMUH8PhN5UaxJgslx+nZqhxvPgk+ciJobI ChHbccIFNnBYrPROgxC2BnIKAmT8K9gXPNdcPfYeGE3V27XRMzEccQhRoXsu/4rJ+liS CUP/Cn//8FePka97EWa39OdqH96FsR4zLy6EYtGYQcakXV/L6/cgj8ydP2sE9er/sHHl wcI6NlScsstEHud+VSZbT9/CKfrOChW+MluSP6SXJhN5NLyM7lpetpNVSmJNWJaAtcEA tpA6DmQuukkex+toz8Uq9SrL4roqDKzEPbIHSyaTttB51BNkB72joIeKbbMsDkVAZGaN yOJQ== X-Gm-Message-State: AIVw112Ddz97eDTo5nxLPui+N8eCozknNUWeefNTviwcrWC6rD49i924 4I9wvVH5ECCvbKRoSqo= X-Received: by 10.84.241.142 with SMTP id b14mr1772747pll.270.1501093336318; Wed, 26 Jul 2017 11:22:16 -0700 (PDT) Received: from ebiggers-linuxstation.kir.corp.google.com ([100.66.174.81]) by smtp.gmail.com with ESMTPSA id b4sm28394064pgc.9.2017.07.26.11.22.15 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 26 Jul 2017 11:22:15 -0700 (PDT) From: Eric Biggers To: linux-fscrypt@vger.kernel.org Cc: linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-mtd@lists.infradead.org, linux-crypto@vger.kernel.org, "Theodore Y . Ts'o" , Jaegeuk Kim , Alex Cope , Michael Halcrow , Eric Biggers Subject: [PATCH v2 3/7] fscrypt: use HKDF-SHA512 to derive the per-inode encryption keys Date: Wed, 26 Jul 2017 11:19:25 -0700 Message-Id: <20170726181929.99880-4-ebiggers3@gmail.com> X-Mailer: git-send-email 2.14.0.rc0.400.g1c36432dff-goog In-Reply-To: <20170726181929.99880-1-ebiggers3@gmail.com> References: <20170726181929.99880-1-ebiggers3@gmail.com> Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fscrypt@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers By design, the keys which userspace provides in the keyring are not used to encrypt data directly. Instead, a KDF (Key Derivation Function) is used to derive a unique encryption key for each inode, given a "master" key and a nonce. The current KDF encrypts the master key with AES-128-ECB using the nonce as the AES key. This KDF is ad-hoc and is not specified in any standard. While it does generate unique derived keys with sufficient entropy, it has several disadvantages: - It's reversible: an attacker who compromises a derived key, e.g. using a side channel attack, can "decrypt" it to get back to the master key. - It's not very extensible because it cannot easily be used to derive other key material that may be needed and it ties the length of the derived key closely to the length of the master key. - It doesn't evenly distribute the entropy from the master key. For example, the first 16 bytes of each derived key depend only on the first 16 bytes of the master key. - It uses a public value as an AES key, which is unusual. Ciphers are rarely evaluated under a threat model where the keys are public and the messages are secret. Solve all these problems for v2 encryption policies by changing the KDF to HKDF with SHA-512 as the underlying hash function. To derive each inode's encryption key, HKDF is executed with the master key as the input key material, a fixed salt, and the per-inode nonce prefixed with a context byte as the application-specific information string. Unlike the current KDF, HKDF has been formally published and standardized [1][2], is nonreversible, can be used to derive any number and length of secret and/or non-secret keys, and evenly distributes the entropy from the master key (excepting limits inherent to not using a random salt). Note that this introduces a dependency on the security and implementation of SHA-512, whereas before we were using only AES for both key derivation and encryption. However, by using HMAC rather than the hash function directly, HKDF is designed to remain secure even if various classes of attacks, e.g. collision attacks, are found against the underlying unkeyed hash function. Even HMAC-MD5 is still considered secure in practice, despite MD5 itself having been heavily compromised. We *could* avoid introducing a hash function by instantiating HKDF-Expand with CMAC-AES256 as the pseudorandom function rather than HMAC-SHA512. This would work; however, the HKDF specification doesn't explicitly allow a non-HMAC pseudorandom function, so it would be less standard. It would also require skipping HKDF-Extract and changing the API to accept only 32-byte master keys (since otherwise HKDF-Extract using CMAC-AES would produce a pseudorandom key only 16 bytes long which is only enough for AES-128, not AES-256). HKDF-SHA512 can require more "crypto work" per key derivation when compared to the current KDF. However, later in this series, we'll start caching the HMAC transform for each master key, which will actually make the real-world performance about the same or even significantly better than the AES-based KDF as currently implemented. Also, each KDF can actually be executed on the order of 1 million times per second, so KDF performance probably isn't actually the bottleneck in practice anyway. References: [1] Krawczyk (2010). "Cryptographic Extraction and Key Derivation: The HKDF Scheme". https://eprint.iacr.org/2010/264.pdf [2] RFC 5869. "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)". https://tools.ietf.org/html/rfc5869 Signed-off-by: Eric Biggers --- fs/crypto/Kconfig | 2 + fs/crypto/fscrypt_private.h | 13 ++ fs/crypto/keyinfo.c | 484 +++++++++++++++++++++++++++++++++++--------- 3 files changed, 403 insertions(+), 96 deletions(-) diff --git a/fs/crypto/Kconfig b/fs/crypto/Kconfig index 02b7d91c9231..bbd4e38b293c 100644 --- a/fs/crypto/Kconfig +++ b/fs/crypto/Kconfig @@ -8,6 +8,8 @@ config FS_ENCRYPTION select CRYPTO_CTS select CRYPTO_CTR select CRYPTO_SHA256 + select CRYPTO_SHA512 + select CRYPTO_HMAC select KEYS help Enable encryption of files and directories. This diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h index 4b0205accae9..b5881cb26e8f 100644 --- a/fs/crypto/fscrypt_private.h +++ b/fs/crypto/fscrypt_private.h @@ -89,6 +89,13 @@ fscrypt_valid_context_format(const struct fscrypt_context *ctx, int size) return size >= 1 && size == fscrypt_context_size(ctx); } +/* + * fscrypt_master_key - an in-use master key + */ +struct fscrypt_master_key { + struct crypto_shash *mk_hmac; +}; + /* * fscrypt_info - the "encryption key" for an inode * @@ -102,6 +109,12 @@ struct fscrypt_info { struct crypto_skcipher *ci_ctfm; struct crypto_cipher *ci_essiv_tfm; + /* + * The master key with which this inode was "unlocked" + * (only set for inodes that use a v2+ encryption policy) + */ + struct fscrypt_master_key *ci_master_key; + /* * Cached fields from the fscrypt_context needed for encryption policy * inheritance and enforcement diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c index 5591fd24e4b2..3164e1c74196 100644 --- a/fs/crypto/keyinfo.c +++ b/fs/crypto/keyinfo.c @@ -6,17 +6,311 @@ * This contains encryption key functions. * * Written by Michael Halcrow, Ildar Muslukhov, and Uday Savagaonkar, 2015. + * HKDF support added by Eric Biggers, 2017. + * + * The implementation and usage of HKDF should conform to RFC-5869 ("HMAC-based + * Extract-and-Expand Key Derivation Function"). */ #include #include #include #include +#include #include #include "fscrypt_private.h" static struct crypto_shash *essiv_hash_tfm; +/* + * Any unkeyed cryptographic hash algorithm can be used with HKDF, but we use + * SHA-512 because it is reasonably secure and efficient; and since it produces + * a 64-byte digest, deriving an AES-256-XTS key preserves all 64 bytes of + * entropy from the master key and requires only one iteration of HKDF-Expand. + */ +#define HKDF_HMAC_ALG "hmac(sha512)" +#define HKDF_HASHLEN SHA512_DIGEST_SIZE + +/* + * The list of contexts in which we use HKDF to derive additional keys from a + * master key. The values in this list are used as the first byte of the + * application-specific info string to guarantee that info strings are never + * repeated between contexts. + * + * Keys derived with different info strings are cryptographically isolated from + * each other --- knowledge of one derived key doesn't reveal any others. + */ +#define HKDF_CONTEXT_PER_FILE_KEY 1 + +/* + * HKDF consists of two steps: + * + * 1. HKDF-Extract: extract a fixed-length pseudorandom key from the + * input keying material and optional salt. + * 2. HKDF-Expand: expand the pseudorandom key into output keying material of + * any length, parameterized by an application-specific info string. + * + * HKDF-Extract can be skipped if the input is already a good pseudorandom key + * that is at least as long as the hash. While the fscrypt master keys should + * already be good pseudorandom keys, when using encryption algorithms that use + * short keys (e.g. AES-128-CBC) we'd like to permit the master key to be + * shorter than HKDF_HASHLEN bytes. Thus, we still must do HKDF-Extract. + * + * Ideally, HKDF-Extract would be passed a random salt for each distinct input + * key. Details about the advantages of a random salt can be found in the HKDF + * paper (Krawczyk, 2010; "Cryptographic Extraction and Key Derivation: The HKDF + * Scheme"). However, we do not have the ability to store a salt on a + * per-master-key basis. Thus, we have to use a fixed salt. This is sufficient + * as long as the master keys are already pseudorandom and are long enough to + * make dictionary attacks infeasible. This should be the case if userspace + * used a cryptographically secure random number generator, e.g. /dev/urandom, + * to generate the master keys and it was initialized with sufficient entropy. + * + * For the fixed salt we use "fscrypt_hkdf_salt" rather than default of all 0's + * defined by RFC-5869. This is only to be slightly more robust against + * userspace (unwisely) reusing the master keys for different purposes. + * Logically, it's more likely that the keys would be passed to unsalted + * HKDF-SHA512 than specifically to "fscrypt_hkdf_salt"-salted HKDF-SHA512. + * (Of course, a random salt would be better for this purpose.) + */ + +#define HKDF_SALT "fscrypt_hkdf_salt" +#define HKDF_SALT_LEN (sizeof(HKDF_SALT) - 1) + +/* + * HKDF-Extract (RFC-5869 section 2.2). This extracts a pseudorandom key 'prk' + * from the input key material 'ikm' and a salt. See explanation above for why + * we use a fixed salt. + */ +static int hkdf_extract(struct crypto_shash *hmac, + const u8 *ikm, unsigned int ikmlen, + u8 prk[HKDF_HASHLEN]) +{ + SHASH_DESC_ON_STACK(desc, hmac); + int err; + + desc->tfm = hmac; + desc->flags = 0; + + err = crypto_shash_setkey(hmac, HKDF_SALT, HKDF_SALT_LEN); + if (err) + goto out; + + err = crypto_shash_digest(desc, ikm, ikmlen, prk); +out: + shash_desc_zero(desc); + return err; +} + +/* + * HKDF-Expand (RFC-5869 section 2.3). This expands the pseudorandom key, which + * has already been keyed into 'hmac', into 'okmlen' bytes of output keying + * material, parameterized by the application-specific information string of + * 'info' prefixed with the 'context' byte. ('context' isn't part of the HKDF + * specification; it's just a prefix we add to our application-specific info + * strings to guarantee that we don't accidentally repeat an info string when + * using HKDF for different purposes.) + */ +static int hkdf_expand(struct crypto_shash *hmac, u8 context, + const u8 *info, unsigned int infolen, + u8 *okm, unsigned int okmlen) +{ + SHASH_DESC_ON_STACK(desc, hmac); + int err; + const u8 *prev = NULL; + unsigned int i; + u8 counter = 1; + u8 tmp[HKDF_HASHLEN]; + + desc->tfm = hmac; + desc->flags = 0; + + if (unlikely(okmlen > 255 * HKDF_HASHLEN)) + return -EINVAL; + + for (i = 0; i < okmlen; i += HKDF_HASHLEN) { + + err = crypto_shash_init(desc); + if (err) + goto out; + + if (prev) { + err = crypto_shash_update(desc, prev, HKDF_HASHLEN); + if (err) + goto out; + } + + err = crypto_shash_update(desc, &context, 1); + if (err) + goto out; + + err = crypto_shash_update(desc, info, infolen); + if (err) + goto out; + + if (okmlen - i < HKDF_HASHLEN) { + err = crypto_shash_finup(desc, &counter, 1, tmp); + if (err) + goto out; + memcpy(&okm[i], tmp, okmlen - i); + memzero_explicit(tmp, sizeof(tmp)); + } else { + err = crypto_shash_finup(desc, &counter, 1, &okm[i]); + if (err) + goto out; + } + counter++; + prev = &okm[i]; + } + err = 0; +out: + shash_desc_zero(desc); + return err; +} + +static void put_master_key(struct fscrypt_master_key *k) +{ + if (!k) + return; + + crypto_free_shash(k->mk_hmac); + kzfree(k); +} + +/* + * Allocate an fscrypt_master_key, given the keyring key payload. This includes + * allocating and keying an HMAC transform so that we can efficiently derive the + * per-inode encryption keys with HKDF-Expand later. + */ +static struct fscrypt_master_key * +alloc_master_key(const struct fscrypt_key *payload) +{ + struct fscrypt_master_key *k; + int err; + u8 prk[HKDF_HASHLEN]; + + k = kzalloc(sizeof(*k), GFP_NOFS); + if (!k) + return ERR_PTR(-ENOMEM); + + k->mk_hmac = crypto_alloc_shash(HKDF_HMAC_ALG, 0, 0); + if (IS_ERR(k->mk_hmac)) { + err = PTR_ERR(k->mk_hmac); + k->mk_hmac = NULL; + pr_warn("fscrypt: error allocating " HKDF_HMAC_ALG ": %d\n", + err); + goto fail; + } + + BUG_ON(crypto_shash_digestsize(k->mk_hmac) != sizeof(prk)); + + err = hkdf_extract(k->mk_hmac, payload->raw, payload->size, prk); + if (err) + goto fail; + + err = crypto_shash_setkey(k->mk_hmac, prk, sizeof(prk)); + if (err) + goto fail; +out: + memzero_explicit(prk, sizeof(prk)); + return k; + +fail: + put_master_key(k); + k = ERR_PTR(err); + goto out; +} + +static void release_keyring_key(struct key *keyring_key) +{ + up_read(&keyring_key->sem); + key_put(keyring_key); +} + +/* + * Find, lock, and validate the master key with the keyring description + * prefix:descriptor. It must be released with release_keyring_key() later. + */ +static struct key * +find_and_lock_keyring_key(const char *prefix, + const u8 descriptor[FS_KEY_DESCRIPTOR_SIZE], + unsigned int min_keysize, + const struct fscrypt_key **payload_ret) +{ + char *description; + struct key *keyring_key; + const struct user_key_payload *ukp; + const struct fscrypt_key *payload; + + description = kasprintf(GFP_NOFS, "%s%*phN", prefix, + FS_KEY_DESCRIPTOR_SIZE, descriptor); + if (!description) + return ERR_PTR(-ENOMEM); + + keyring_key = request_key(&key_type_logon, description, NULL); + if (IS_ERR(keyring_key)) + goto out; + + down_read(&keyring_key->sem); + ukp = user_key_payload_locked(keyring_key); + payload = (const struct fscrypt_key *)ukp->data; + + if (ukp->datalen != sizeof(struct fscrypt_key) || + payload->size == 0 || payload->size > FS_MAX_KEY_SIZE) { + pr_warn_ratelimited("fscrypt: key '%s' has invalid payload\n", + description); + goto invalid; + } + + /* + * With the legacy AES-based KDF the master key must be at least as long + * as the derived key. With HKDF we could accept a shorter master key; + * however, that would mean the derived key wouldn't contain as much + * entropy as intended. So don't allow it in either case. + */ + if (payload->size < min_keysize) { + pr_warn_ratelimited("fscrypt: key '%s' is too short (got %u bytes, wanted %u+ bytes)\n", + description, payload->size, min_keysize); + goto invalid; + } + + *payload_ret = payload; +out: + kfree(description); + return keyring_key; + +invalid: + release_keyring_key(keyring_key); + keyring_key = ERR_PTR(-ENOKEY); + goto out; +} + +static struct fscrypt_master_key * +load_master_key_from_keyring(const struct inode *inode, + const u8 descriptor[FS_KEY_DESCRIPTOR_SIZE], + unsigned int min_keysize) +{ + struct key *keyring_key; + const struct fscrypt_key *payload; + struct fscrypt_master_key *master_key; + + keyring_key = find_and_lock_keyring_key(FS_KEY_DESC_PREFIX, descriptor, + min_keysize, &payload); + if (keyring_key == ERR_PTR(-ENOKEY) && inode->i_sb->s_cop->key_prefix) { + keyring_key = find_and_lock_keyring_key( + inode->i_sb->s_cop->key_prefix, + descriptor, min_keysize, &payload); + } + if (IS_ERR(keyring_key)) + return ERR_CAST(keyring_key); + + master_key = alloc_master_key(payload); + + release_keyring_key(keyring_key); + + return master_key; +} + static void derive_crypt_complete(struct crypto_async_request *req, int rc) { struct fscrypt_completion_result *ecr = req->data; @@ -28,107 +322,100 @@ static void derive_crypt_complete(struct crypto_async_request *req, int rc) complete(&ecr->completion); } -/** - * derive_key_aes() - Derive a key using AES-128-ECB - * @deriving_key: Encryption key used for derivation. - * @source_key: Source key to which to apply derivation. - * @derived_raw_key: Derived raw key. - * - * Return: Zero on success; non-zero otherwise. +/* + * Legacy key derivation function. This generates the derived key by encrypting + * the master key with AES-128-ECB using the nonce as the AES key. This + * provides a unique derived key for each inode, but it's nonstandard, isn't + * very extensible, and has the weakness that it's trivially reversible: an + * attacker who compromises a derived key, e.g. with a side channel attack, can + * "decrypt" it to get back to the master key, then derive any other key. */ -static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE], - const struct fscrypt_key *source_key, - u8 derived_raw_key[FS_MAX_KEY_SIZE]) +static int derive_key_aes(const struct fscrypt_key *master_key, + const struct fscrypt_context *ctx, + u8 *derived_key, unsigned int derived_keysize) { - int res = 0; + int err; struct skcipher_request *req = NULL; DECLARE_FS_COMPLETION_RESULT(ecr); struct scatterlist src_sg, dst_sg; - struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0); + struct crypto_skcipher *tfm; + + tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0); + if (IS_ERR(tfm)) + return PTR_ERR(tfm); - if (IS_ERR(tfm)) { - res = PTR_ERR(tfm); - tfm = NULL; - goto out; - } crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_WEAK_KEY); req = skcipher_request_alloc(tfm, GFP_NOFS); if (!req) { - res = -ENOMEM; + err = -ENOMEM; goto out; } skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, derive_crypt_complete, &ecr); - res = crypto_skcipher_setkey(tfm, deriving_key, - FS_AES_128_ECB_KEY_SIZE); - if (res < 0) + + BUILD_BUG_ON(sizeof(ctx->nonce) != FS_AES_128_ECB_KEY_SIZE); + err = crypto_skcipher_setkey(tfm, ctx->nonce, sizeof(ctx->nonce)); + if (err) goto out; - sg_init_one(&src_sg, source_key->raw, source_key->size); - sg_init_one(&dst_sg, derived_raw_key, source_key->size); - skcipher_request_set_crypt(req, &src_sg, &dst_sg, source_key->size, + sg_init_one(&src_sg, master_key->raw, derived_keysize); + sg_init_one(&dst_sg, derived_key, derived_keysize); + skcipher_request_set_crypt(req, &src_sg, &dst_sg, derived_keysize, NULL); - res = crypto_skcipher_encrypt(req); - if (res == -EINPROGRESS || res == -EBUSY) { + err = crypto_skcipher_encrypt(req); + if (err == -EINPROGRESS || err == -EBUSY) { wait_for_completion(&ecr.completion); - res = ecr.res; + err = ecr.res; } out: skcipher_request_free(req); crypto_free_skcipher(tfm); - return res; + return err; } -static int validate_user_key(struct fscrypt_info *crypt_info, - struct fscrypt_context *ctx, u8 *raw_key, - const char *prefix, int min_keysize) +/* + * HKDF-based key derivation function. This uses HKDF-SHA512 to derive a unique + * encryption key for each inode, using the inode's nonce prefixed with a + * context byte as the application-specific information string. This is more + * flexible than the legacy AES-based KDF and has the advantage that it's + * non-reversible: an attacker who compromises a derived key cannot calculate + * the master key or any other derived keys. + */ +static int derive_key_hkdf(const struct fscrypt_master_key *master_key, + const struct fscrypt_context *ctx, + u8 *derived_key, unsigned int derived_keysize) { - char *description; - struct key *keyring_key; - struct fscrypt_key *master_key; - const struct user_key_payload *ukp; - int res; + return hkdf_expand(master_key->mk_hmac, HKDF_CONTEXT_PER_FILE_KEY, + ctx->nonce, sizeof(ctx->nonce), + derived_key, derived_keysize); +} - description = kasprintf(GFP_NOFS, "%s%*phN", prefix, - FS_KEY_DESCRIPTOR_SIZE, - ctx->master_key_descriptor); - if (!description) - return -ENOMEM; +static int find_and_derive_key_v1(const struct inode *inode, + const struct fscrypt_context *ctx, + u8 *derived_key, unsigned int derived_keysize) +{ + struct key *keyring_key; + const struct fscrypt_key *payload; + int err; - keyring_key = request_key(&key_type_logon, description, NULL); - kfree(description); + keyring_key = find_and_lock_keyring_key(FS_KEY_DESC_PREFIX, + ctx->master_key_descriptor, + derived_keysize, &payload); + if (keyring_key == ERR_PTR(-ENOKEY) && inode->i_sb->s_cop->key_prefix) { + keyring_key = find_and_lock_keyring_key( + inode->i_sb->s_cop->key_prefix, + ctx->master_key_descriptor, + derived_keysize, &payload); + } if (IS_ERR(keyring_key)) return PTR_ERR(keyring_key); - down_read(&keyring_key->sem); - if (keyring_key->type != &key_type_logon) { - printk_once(KERN_WARNING - "%s: key type must be logon\n", __func__); - res = -ENOKEY; - goto out; - } - ukp = user_key_payload_locked(keyring_key); - if (ukp->datalen != sizeof(struct fscrypt_key)) { - res = -EINVAL; - goto out; - } - master_key = (struct fscrypt_key *)ukp->data; - BUILD_BUG_ON(FS_AES_128_ECB_KEY_SIZE != FS_KEY_DERIVATION_NONCE_SIZE); - - if (master_key->size < min_keysize || master_key->size > FS_MAX_KEY_SIZE - || master_key->size % AES_BLOCK_SIZE != 0) { - printk_once(KERN_WARNING - "%s: key size incorrect: %d\n", - __func__, master_key->size); - res = -ENOKEY; - goto out; - } - res = derive_key_aes(ctx->nonce, master_key, raw_key); -out: - up_read(&keyring_key->sem); - key_put(keyring_key); - return res; + err = derive_key_aes(payload, ctx, derived_key, derived_keysize); + + release_keyring_key(keyring_key); + + return err; } static const struct { @@ -179,6 +466,7 @@ static void put_crypt_info(struct fscrypt_info *ci) crypto_free_skcipher(ci->ci_ctfm); crypto_free_cipher(ci->ci_essiv_tfm); + put_master_key(ci->ci_master_key); kmem_cache_free(fscrypt_info_cachep, ci); } @@ -254,8 +542,8 @@ int fscrypt_get_encryption_info(struct inode *inode) struct fscrypt_context ctx; struct crypto_skcipher *ctfm; const char *cipher_str; - int keysize; - u8 *raw_key = NULL; + unsigned int derived_keysize; + u8 *derived_key = NULL; int res; if (inode->i_crypt_info) @@ -296,33 +584,40 @@ int fscrypt_get_encryption_info(struct inode *inode) memcpy(crypt_info->ci_master_key_descriptor, ctx.master_key_descriptor, FS_KEY_DESCRIPTOR_SIZE); - res = determine_cipher_type(crypt_info, inode, &cipher_str, &keysize); + res = determine_cipher_type(crypt_info, inode, &cipher_str, + &derived_keysize); if (res) goto out; /* - * This cannot be a stack buffer because it is passed to the scatterlist - * crypto API as part of key derivation. + * This cannot be a stack buffer because it may be passed to the + * scatterlist crypto API during key derivation. */ res = -ENOMEM; - raw_key = kmalloc(FS_MAX_KEY_SIZE, GFP_NOFS); - if (!raw_key) + derived_key = kmalloc(FS_MAX_KEY_SIZE, GFP_NOFS); + if (!derived_key) goto out; - res = validate_user_key(crypt_info, &ctx, raw_key, FS_KEY_DESC_PREFIX, - keysize); - if (res && inode->i_sb->s_cop->key_prefix) { - int res2 = validate_user_key(crypt_info, &ctx, raw_key, - inode->i_sb->s_cop->key_prefix, - keysize); - if (res2) { - if (res2 == -ENOKEY) - res = -ENOKEY; + if (ctx.version == FSCRYPT_CONTEXT_V1) { + res = find_and_derive_key_v1(inode, &ctx, derived_key, + derived_keysize); + } else { + crypt_info->ci_master_key = + load_master_key_from_keyring(inode, + ctx.master_key_descriptor, + derived_keysize); + if (IS_ERR(crypt_info->ci_master_key)) { + res = PTR_ERR(crypt_info->ci_master_key); + crypt_info->ci_master_key = NULL; goto out; } - } else if (res) { - goto out; + + res = derive_key_hkdf(crypt_info->ci_master_key, &ctx, + derived_key, derived_keysize); } + if (res) + goto out; + ctfm = crypto_alloc_skcipher(cipher_str, 0, 0); if (!ctfm || IS_ERR(ctfm)) { res = ctfm ? PTR_ERR(ctfm) : -ENOMEM; @@ -333,17 +628,14 @@ int fscrypt_get_encryption_info(struct inode *inode) crypt_info->ci_ctfm = ctfm; crypto_skcipher_clear_flags(ctfm, ~0); crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_REQ_WEAK_KEY); - /* - * if the provided key is longer than keysize, we use the first - * keysize bytes of the derived key only - */ - res = crypto_skcipher_setkey(ctfm, raw_key, keysize); + res = crypto_skcipher_setkey(ctfm, derived_key, derived_keysize); if (res) goto out; if (S_ISREG(inode->i_mode) && crypt_info->ci_data_mode == FS_ENCRYPTION_MODE_AES_128_CBC) { - res = init_essiv_generator(crypt_info, raw_key, keysize); + res = init_essiv_generator(crypt_info, derived_key, + derived_keysize); if (res) { pr_debug("%s: error %d (inode %lu) allocating essiv tfm\n", __func__, res, inode->i_ino); @@ -356,7 +648,7 @@ int fscrypt_get_encryption_info(struct inode *inode) if (res == -ENOKEY) res = 0; put_crypt_info(crypt_info); - kzfree(raw_key); + kzfree(derived_key); return res; } EXPORT_SYMBOL(fscrypt_get_encryption_info);