crypto.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520
  1. // SPDX-License-Identifier: GPL-2.0
  2. #include <linux/ceph/ceph_debug.h>
  3. #include <linux/err.h>
  4. #include <linux/scatterlist.h>
  5. #include <linux/sched.h>
  6. #include <linux/slab.h>
  7. #include <crypto/aes.h>
  8. #include <crypto/krb5.h>
  9. #include <crypto/skcipher.h>
  10. #include <linux/key-type.h>
  11. #include <linux/sched/mm.h>
  12. #include <keys/ceph-type.h>
  13. #include <keys/user-type.h>
  14. #include <linux/ceph/decode.h>
  15. #include "crypto.h"
  16. static int set_aes_tfm(struct ceph_crypto_key *key)
  17. {
  18. unsigned int noio_flag;
  19. int ret;
  20. noio_flag = memalloc_noio_save();
  21. key->aes_tfm = crypto_alloc_sync_skcipher("cbc(aes)", 0, 0);
  22. memalloc_noio_restore(noio_flag);
  23. if (IS_ERR(key->aes_tfm)) {
  24. ret = PTR_ERR(key->aes_tfm);
  25. key->aes_tfm = NULL;
  26. return ret;
  27. }
  28. ret = crypto_sync_skcipher_setkey(key->aes_tfm, key->key, key->len);
  29. if (ret)
  30. return ret;
  31. return 0;
  32. }
  33. static int set_krb5_tfms(struct ceph_crypto_key *key, const u32 *key_usages,
  34. int key_usage_cnt)
  35. {
  36. struct krb5_buffer TK = { .len = key->len, .data = key->key };
  37. unsigned int noio_flag;
  38. int ret = 0;
  39. int i;
  40. if (WARN_ON_ONCE(key_usage_cnt > ARRAY_SIZE(key->krb5_tfms)))
  41. return -EINVAL;
  42. key->krb5_type = crypto_krb5_find_enctype(
  43. KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192);
  44. if (!key->krb5_type)
  45. return -ENOPKG;
  46. /*
  47. * Despite crypto_krb5_prepare_encryption() taking a gfp mask,
  48. * crypto_alloc_aead() inside of it allocates with GFP_KERNEL.
  49. */
  50. noio_flag = memalloc_noio_save();
  51. for (i = 0; i < key_usage_cnt; i++) {
  52. key->krb5_tfms[i] = crypto_krb5_prepare_encryption(
  53. key->krb5_type, &TK, key_usages[i],
  54. GFP_NOIO);
  55. if (IS_ERR(key->krb5_tfms[i])) {
  56. ret = PTR_ERR(key->krb5_tfms[i]);
  57. key->krb5_tfms[i] = NULL;
  58. goto out_flag;
  59. }
  60. }
  61. out_flag:
  62. memalloc_noio_restore(noio_flag);
  63. return ret;
  64. }
  65. int ceph_crypto_key_prepare(struct ceph_crypto_key *key,
  66. const u32 *key_usages, int key_usage_cnt)
  67. {
  68. switch (key->type) {
  69. case CEPH_CRYPTO_NONE:
  70. return 0; /* nothing to do */
  71. case CEPH_CRYPTO_AES:
  72. return set_aes_tfm(key);
  73. case CEPH_CRYPTO_AES256KRB5:
  74. hmac_sha256_preparekey(&key->hmac_key, key->key, key->len);
  75. return set_krb5_tfms(key, key_usages, key_usage_cnt);
  76. default:
  77. return -ENOTSUPP;
  78. }
  79. }
  80. /*
  81. * @dst should be zeroed before this function is called.
  82. */
  83. int ceph_crypto_key_clone(struct ceph_crypto_key *dst,
  84. const struct ceph_crypto_key *src)
  85. {
  86. dst->type = src->type;
  87. dst->created = src->created;
  88. dst->len = src->len;
  89. dst->key = kmemdup(src->key, src->len, GFP_NOIO);
  90. if (!dst->key)
  91. return -ENOMEM;
  92. return 0;
  93. }
  94. /*
  95. * @key should be zeroed before this function is called.
  96. */
  97. int ceph_crypto_key_decode(struct ceph_crypto_key *key, void **p, void *end)
  98. {
  99. ceph_decode_need(p, end, 2*sizeof(u16) + sizeof(key->created), bad);
  100. key->type = ceph_decode_16(p);
  101. ceph_decode_copy(p, &key->created, sizeof(key->created));
  102. key->len = ceph_decode_16(p);
  103. ceph_decode_need(p, end, key->len, bad);
  104. if (key->len > CEPH_MAX_KEY_LEN) {
  105. pr_err("secret too big %d\n", key->len);
  106. return -EINVAL;
  107. }
  108. key->key = kmemdup(*p, key->len, GFP_NOIO);
  109. if (!key->key)
  110. return -ENOMEM;
  111. memzero_explicit(*p, key->len);
  112. *p += key->len;
  113. return 0;
  114. bad:
  115. dout("failed to decode crypto key\n");
  116. return -EINVAL;
  117. }
  118. int ceph_crypto_key_unarmor(struct ceph_crypto_key *key, const char *inkey)
  119. {
  120. int inlen = strlen(inkey);
  121. int blen = inlen * 3 / 4;
  122. void *buf, *p;
  123. int ret;
  124. dout("crypto_key_unarmor %s\n", inkey);
  125. buf = kmalloc(blen, GFP_NOFS);
  126. if (!buf)
  127. return -ENOMEM;
  128. blen = ceph_unarmor(buf, inkey, inkey+inlen);
  129. if (blen < 0) {
  130. kfree(buf);
  131. return blen;
  132. }
  133. p = buf;
  134. ret = ceph_crypto_key_decode(key, &p, p + blen);
  135. kfree(buf);
  136. if (ret)
  137. return ret;
  138. dout("crypto_key_unarmor key %p type %d len %d\n", key,
  139. key->type, key->len);
  140. return 0;
  141. }
  142. void ceph_crypto_key_destroy(struct ceph_crypto_key *key)
  143. {
  144. int i;
  145. if (!key)
  146. return;
  147. kfree_sensitive(key->key);
  148. key->key = NULL;
  149. if (key->type == CEPH_CRYPTO_AES) {
  150. if (key->aes_tfm) {
  151. crypto_free_sync_skcipher(key->aes_tfm);
  152. key->aes_tfm = NULL;
  153. }
  154. } else if (key->type == CEPH_CRYPTO_AES256KRB5) {
  155. memzero_explicit(&key->hmac_key, sizeof(key->hmac_key));
  156. for (i = 0; i < ARRAY_SIZE(key->krb5_tfms); i++) {
  157. if (key->krb5_tfms[i]) {
  158. crypto_free_aead(key->krb5_tfms[i]);
  159. key->krb5_tfms[i] = NULL;
  160. }
  161. }
  162. }
  163. }
  164. static const u8 *aes_iv = (u8 *)CEPH_AES_IV;
  165. /*
  166. * Should be used for buffers allocated with kvmalloc().
  167. * Currently these are encrypt out-buffer (ceph_buffer) and decrypt
  168. * in-buffer (msg front).
  169. *
  170. * Dispose of @sgt with teardown_sgtable().
  171. *
  172. * @prealloc_sg is to avoid memory allocation inside sg_alloc_table()
  173. * in cases where a single sg is sufficient. No attempt to reduce the
  174. * number of sgs by squeezing physically contiguous pages together is
  175. * made though, for simplicity.
  176. */
  177. static int setup_sgtable(struct sg_table *sgt, struct scatterlist *prealloc_sg,
  178. const void *buf, unsigned int buf_len)
  179. {
  180. struct scatterlist *sg;
  181. const bool is_vmalloc = is_vmalloc_addr(buf);
  182. unsigned int off = offset_in_page(buf);
  183. unsigned int chunk_cnt = 1;
  184. unsigned int chunk_len = PAGE_ALIGN(off + buf_len);
  185. int i;
  186. int ret;
  187. if (buf_len == 0) {
  188. memset(sgt, 0, sizeof(*sgt));
  189. return -EINVAL;
  190. }
  191. if (is_vmalloc) {
  192. chunk_cnt = chunk_len >> PAGE_SHIFT;
  193. chunk_len = PAGE_SIZE;
  194. }
  195. if (chunk_cnt > 1) {
  196. ret = sg_alloc_table(sgt, chunk_cnt, GFP_NOFS);
  197. if (ret)
  198. return ret;
  199. } else {
  200. WARN_ON(chunk_cnt != 1);
  201. sg_init_table(prealloc_sg, 1);
  202. sgt->sgl = prealloc_sg;
  203. sgt->nents = sgt->orig_nents = 1;
  204. }
  205. for_each_sg(sgt->sgl, sg, sgt->orig_nents, i) {
  206. struct page *page;
  207. unsigned int len = min(chunk_len - off, buf_len);
  208. if (is_vmalloc)
  209. page = vmalloc_to_page(buf);
  210. else
  211. page = virt_to_page(buf);
  212. sg_set_page(sg, page, len, off);
  213. off = 0;
  214. buf += len;
  215. buf_len -= len;
  216. }
  217. WARN_ON(buf_len != 0);
  218. return 0;
  219. }
  220. static void teardown_sgtable(struct sg_table *sgt)
  221. {
  222. if (sgt->orig_nents > 1)
  223. sg_free_table(sgt);
  224. }
  225. static int ceph_aes_crypt(const struct ceph_crypto_key *key, bool encrypt,
  226. void *buf, int buf_len, int in_len, int *pout_len)
  227. {
  228. SYNC_SKCIPHER_REQUEST_ON_STACK(req, key->aes_tfm);
  229. struct sg_table sgt;
  230. struct scatterlist prealloc_sg;
  231. char iv[AES_BLOCK_SIZE] __aligned(8);
  232. int pad_byte = AES_BLOCK_SIZE - (in_len & (AES_BLOCK_SIZE - 1));
  233. int crypt_len = encrypt ? in_len + pad_byte : in_len;
  234. int ret;
  235. WARN_ON(crypt_len > buf_len);
  236. if (encrypt)
  237. memset(buf + in_len, pad_byte, pad_byte);
  238. ret = setup_sgtable(&sgt, &prealloc_sg, buf, crypt_len);
  239. if (ret)
  240. return ret;
  241. memcpy(iv, aes_iv, AES_BLOCK_SIZE);
  242. skcipher_request_set_sync_tfm(req, key->aes_tfm);
  243. skcipher_request_set_callback(req, 0, NULL, NULL);
  244. skcipher_request_set_crypt(req, sgt.sgl, sgt.sgl, crypt_len, iv);
  245. /*
  246. print_hex_dump(KERN_ERR, "key: ", DUMP_PREFIX_NONE, 16, 1,
  247. key->key, key->len, 1);
  248. print_hex_dump(KERN_ERR, " in: ", DUMP_PREFIX_NONE, 16, 1,
  249. buf, crypt_len, 1);
  250. */
  251. if (encrypt)
  252. ret = crypto_skcipher_encrypt(req);
  253. else
  254. ret = crypto_skcipher_decrypt(req);
  255. skcipher_request_zero(req);
  256. if (ret) {
  257. pr_err("%s %scrypt failed: %d\n", __func__,
  258. encrypt ? "en" : "de", ret);
  259. goto out_sgt;
  260. }
  261. /*
  262. print_hex_dump(KERN_ERR, "out: ", DUMP_PREFIX_NONE, 16, 1,
  263. buf, crypt_len, 1);
  264. */
  265. if (encrypt) {
  266. *pout_len = crypt_len;
  267. } else {
  268. pad_byte = *(char *)(buf + in_len - 1);
  269. if (pad_byte > 0 && pad_byte <= AES_BLOCK_SIZE &&
  270. in_len >= pad_byte) {
  271. *pout_len = in_len - pad_byte;
  272. } else {
  273. pr_err("%s got bad padding %d on in_len %d\n",
  274. __func__, pad_byte, in_len);
  275. ret = -EPERM;
  276. goto out_sgt;
  277. }
  278. }
  279. out_sgt:
  280. teardown_sgtable(&sgt);
  281. return ret;
  282. }
  283. static int ceph_krb5_encrypt(const struct ceph_crypto_key *key, int usage_slot,
  284. void *buf, int buf_len, int in_len, int *pout_len)
  285. {
  286. struct sg_table sgt;
  287. struct scatterlist prealloc_sg;
  288. int ret;
  289. if (WARN_ON_ONCE(usage_slot >= ARRAY_SIZE(key->krb5_tfms)))
  290. return -EINVAL;
  291. ret = setup_sgtable(&sgt, &prealloc_sg, buf, buf_len);
  292. if (ret)
  293. return ret;
  294. ret = crypto_krb5_encrypt(key->krb5_type, key->krb5_tfms[usage_slot],
  295. sgt.sgl, sgt.nents, buf_len, AES_BLOCK_SIZE,
  296. in_len, false);
  297. if (ret < 0) {
  298. pr_err("%s encrypt failed: %d\n", __func__, ret);
  299. goto out_sgt;
  300. }
  301. *pout_len = ret;
  302. ret = 0;
  303. out_sgt:
  304. teardown_sgtable(&sgt);
  305. return ret;
  306. }
  307. static int ceph_krb5_decrypt(const struct ceph_crypto_key *key, int usage_slot,
  308. void *buf, int buf_len, int in_len, int *pout_len)
  309. {
  310. struct sg_table sgt;
  311. struct scatterlist prealloc_sg;
  312. size_t data_off = 0;
  313. size_t data_len = in_len;
  314. int ret;
  315. if (WARN_ON_ONCE(usage_slot >= ARRAY_SIZE(key->krb5_tfms)))
  316. return -EINVAL;
  317. ret = setup_sgtable(&sgt, &prealloc_sg, buf, in_len);
  318. if (ret)
  319. return ret;
  320. ret = crypto_krb5_decrypt(key->krb5_type, key->krb5_tfms[usage_slot],
  321. sgt.sgl, sgt.nents, &data_off, &data_len);
  322. if (ret) {
  323. pr_err("%s decrypt failed: %d\n", __func__, ret);
  324. goto out_sgt;
  325. }
  326. WARN_ON(data_off != AES_BLOCK_SIZE);
  327. *pout_len = data_len;
  328. out_sgt:
  329. teardown_sgtable(&sgt);
  330. return ret;
  331. }
  332. int ceph_crypt(const struct ceph_crypto_key *key, int usage_slot, bool encrypt,
  333. void *buf, int buf_len, int in_len, int *pout_len)
  334. {
  335. switch (key->type) {
  336. case CEPH_CRYPTO_NONE:
  337. *pout_len = in_len;
  338. return 0;
  339. case CEPH_CRYPTO_AES:
  340. return ceph_aes_crypt(key, encrypt, buf, buf_len, in_len,
  341. pout_len);
  342. case CEPH_CRYPTO_AES256KRB5:
  343. return encrypt ?
  344. ceph_krb5_encrypt(key, usage_slot, buf, buf_len, in_len,
  345. pout_len) :
  346. ceph_krb5_decrypt(key, usage_slot, buf, buf_len, in_len,
  347. pout_len);
  348. default:
  349. return -ENOTSUPP;
  350. }
  351. }
  352. int ceph_crypt_data_offset(const struct ceph_crypto_key *key)
  353. {
  354. switch (key->type) {
  355. case CEPH_CRYPTO_NONE:
  356. case CEPH_CRYPTO_AES:
  357. return 0;
  358. case CEPH_CRYPTO_AES256KRB5:
  359. /* confounder */
  360. return AES_BLOCK_SIZE;
  361. default:
  362. BUG();
  363. }
  364. }
  365. int ceph_crypt_buflen(const struct ceph_crypto_key *key, int data_len)
  366. {
  367. switch (key->type) {
  368. case CEPH_CRYPTO_NONE:
  369. return data_len;
  370. case CEPH_CRYPTO_AES:
  371. /* PKCS#7 padding at the end */
  372. return data_len + AES_BLOCK_SIZE -
  373. (data_len & (AES_BLOCK_SIZE - 1));
  374. case CEPH_CRYPTO_AES256KRB5:
  375. /* confounder at the beginning and 192-bit HMAC at the end */
  376. return AES_BLOCK_SIZE + data_len + 24;
  377. default:
  378. BUG();
  379. }
  380. }
  381. void ceph_hmac_sha256(const struct ceph_crypto_key *key, const void *buf,
  382. int buf_len, u8 hmac[SHA256_DIGEST_SIZE])
  383. {
  384. switch (key->type) {
  385. case CEPH_CRYPTO_NONE:
  386. case CEPH_CRYPTO_AES:
  387. memset(hmac, 0, SHA256_DIGEST_SIZE);
  388. return;
  389. case CEPH_CRYPTO_AES256KRB5:
  390. hmac_sha256(&key->hmac_key, buf, buf_len, hmac);
  391. return;
  392. default:
  393. BUG();
  394. }
  395. }
  396. static int ceph_key_preparse(struct key_preparsed_payload *prep)
  397. {
  398. struct ceph_crypto_key *ckey;
  399. size_t datalen = prep->datalen;
  400. int ret;
  401. void *p;
  402. ret = -EINVAL;
  403. if (datalen <= 0 || datalen > 32767 || !prep->data)
  404. goto err;
  405. ret = -ENOMEM;
  406. ckey = kzalloc_obj(*ckey);
  407. if (!ckey)
  408. goto err;
  409. /* TODO ceph_crypto_key_decode should really take const input */
  410. p = (void *)prep->data;
  411. ret = ceph_crypto_key_decode(ckey, &p, (char*)prep->data+datalen);
  412. if (ret < 0)
  413. goto err_ckey;
  414. prep->payload.data[0] = ckey;
  415. prep->quotalen = datalen;
  416. return 0;
  417. err_ckey:
  418. kfree(ckey);
  419. err:
  420. return ret;
  421. }
  422. static void ceph_key_free_preparse(struct key_preparsed_payload *prep)
  423. {
  424. struct ceph_crypto_key *ckey = prep->payload.data[0];
  425. ceph_crypto_key_destroy(ckey);
  426. kfree(ckey);
  427. }
  428. static void ceph_key_destroy(struct key *key)
  429. {
  430. struct ceph_crypto_key *ckey = key->payload.data[0];
  431. ceph_crypto_key_destroy(ckey);
  432. kfree(ckey);
  433. }
  434. struct key_type key_type_ceph = {
  435. .name = "ceph",
  436. .preparse = ceph_key_preparse,
  437. .free_preparse = ceph_key_free_preparse,
  438. .instantiate = generic_key_instantiate,
  439. .destroy = ceph_key_destroy,
  440. };
  441. int __init ceph_crypto_init(void)
  442. {
  443. return register_key_type(&key_type_ceph);
  444. }
  445. void ceph_crypto_shutdown(void)
  446. {
  447. unregister_key_type(&key_type_ceph);
  448. }