@@ -82,6 +82,67 @@ static int derive_key_aes(u8 deriving_key[FS_AES_128_ECB_KEY_SIZE],
8282 return res ;
8383}
8484
85+ static int validate_user_key (struct fscrypt_info * crypt_info ,
86+ struct fscrypt_context * ctx , u8 * raw_key ,
87+ u8 * prefix , int prefix_size )
88+ {
89+ u8 * full_key_descriptor ;
90+ struct key * keyring_key ;
91+ struct fscrypt_key * master_key ;
92+ const struct user_key_payload * ukp ;
93+ int full_key_len = prefix_size + (FS_KEY_DESCRIPTOR_SIZE * 2 ) + 1 ;
94+ int res ;
95+
96+ full_key_descriptor = kmalloc (full_key_len , GFP_NOFS );
97+ if (!full_key_descriptor )
98+ return - ENOMEM ;
99+
100+ memcpy (full_key_descriptor , prefix , prefix_size );
101+ sprintf (full_key_descriptor + prefix_size ,
102+ "%*phN" , FS_KEY_DESCRIPTOR_SIZE ,
103+ ctx -> master_key_descriptor );
104+ full_key_descriptor [full_key_len - 1 ] = '\0' ;
105+ keyring_key = request_key (& key_type_logon , full_key_descriptor , NULL );
106+ kfree (full_key_descriptor );
107+ if (IS_ERR (keyring_key ))
108+ return PTR_ERR (keyring_key );
109+
110+ if (keyring_key -> type != & key_type_logon ) {
111+ printk_once (KERN_WARNING
112+ "%s: key type must be logon\n" , __func__ );
113+ res = - ENOKEY ;
114+ goto out ;
115+ }
116+ down_read (& keyring_key -> sem );
117+ ukp = ((struct user_key_payload * )keyring_key -> payload .data );
118+ if (ukp -> datalen != sizeof (struct fscrypt_key )) {
119+ res = - EINVAL ;
120+ up_read (& keyring_key -> sem );
121+ goto out ;
122+ }
123+ master_key = (struct fscrypt_key * )ukp -> data ;
124+ BUILD_BUG_ON (FS_AES_128_ECB_KEY_SIZE != FS_KEY_DERIVATION_NONCE_SIZE );
125+
126+ if (master_key -> size != FS_AES_256_XTS_KEY_SIZE ) {
127+ printk_once (KERN_WARNING
128+ "%s: key size incorrect: %d\n" ,
129+ __func__ , master_key -> size );
130+ res = - ENOKEY ;
131+ up_read (& keyring_key -> sem );
132+ goto out ;
133+ }
134+ res = derive_key_aes (ctx -> nonce , master_key -> raw , raw_key );
135+ up_read (& keyring_key -> sem );
136+ if (res )
137+ goto out ;
138+
139+ crypt_info -> ci_keyring_key = keyring_key ;
140+ return 0 ;
141+ out :
142+ key_put (keyring_key );
143+ return res ;
144+ }
145+
85146static void put_crypt_info (struct fscrypt_info * ci )
86147{
87148 if (!ci )
@@ -96,12 +157,7 @@ static void put_crypt_info(struct fscrypt_info *ci)
96157int get_crypt_info (struct inode * inode )
97158{
98159 struct fscrypt_info * crypt_info ;
99- u8 full_key_descriptor [FS_KEY_DESC_PREFIX_SIZE +
100- (FS_KEY_DESCRIPTOR_SIZE * 2 ) + 1 ];
101- struct key * keyring_key = NULL ;
102- struct fscrypt_key * master_key ;
103160 struct fscrypt_context ctx ;
104- struct user_key_payload * ukp ;
105161 struct crypto_ablkcipher * ctfm ;
106162 const char * cipher_str ;
107163 u8 raw_key [FS_MAX_KEY_SIZE ];
@@ -172,48 +228,24 @@ int get_crypt_info(struct inode *inode)
172228 memset (raw_key , 0x42 , FS_AES_256_XTS_KEY_SIZE );
173229 goto got_key ;
174230 }
175- memcpy (full_key_descriptor , FS_KEY_DESC_PREFIX ,
176- FS_KEY_DESC_PREFIX_SIZE );
177- sprintf (full_key_descriptor + FS_KEY_DESC_PREFIX_SIZE ,
178- "%*phN" , FS_KEY_DESCRIPTOR_SIZE ,
179- ctx .master_key_descriptor );
180- full_key_descriptor [FS_KEY_DESC_PREFIX_SIZE +
181- (2 * FS_KEY_DESCRIPTOR_SIZE )] = '\0' ;
182- keyring_key = request_key (& key_type_logon , full_key_descriptor , NULL );
183- if (IS_ERR (keyring_key )) {
184- res = PTR_ERR (keyring_key );
185- keyring_key = NULL ;
186- goto out ;
187- }
188- crypt_info -> ci_keyring_key = keyring_key ;
189- if (keyring_key -> type != & key_type_logon ) {
190- printk_once (KERN_WARNING
191- "%s: key type must be logon\n" , __func__ );
192- res = - ENOKEY ;
193- goto out ;
194- }
195- down_read (& keyring_key -> sem );
196- ukp = ((struct user_key_payload * )keyring_key -> payload .data );
197- if (ukp -> datalen != sizeof (struct fscrypt_key )) {
198- res = - EINVAL ;
199- up_read (& keyring_key -> sem );
200- goto out ;
201- }
202- master_key = (struct fscrypt_key * )ukp -> data ;
203- BUILD_BUG_ON (FS_AES_128_ECB_KEY_SIZE != FS_KEY_DERIVATION_NONCE_SIZE );
204231
205- if (master_key -> size != FS_AES_256_XTS_KEY_SIZE ) {
206- printk_once (KERN_WARNING
207- "%s: key size incorrect: %d\n" ,
208- __func__ , master_key -> size );
209- res = - ENOKEY ;
210- up_read (& keyring_key -> sem );
232+ res = validate_user_key (crypt_info , & ctx , raw_key ,
233+ FS_KEY_DESC_PREFIX , FS_KEY_DESC_PREFIX_SIZE );
234+ if (res && inode -> i_sb -> s_cop -> key_prefix ) {
235+ u8 * prefix = NULL ;
236+ int prefix_size , res2 ;
237+
238+ prefix_size = inode -> i_sb -> s_cop -> key_prefix (inode , & prefix );
239+ res2 = validate_user_key (crypt_info , & ctx , raw_key ,
240+ prefix , prefix_size );
241+ if (res2 ) {
242+ if (res2 == - ENOKEY )
243+ res = - ENOKEY ;
244+ goto out ;
245+ }
246+ } else if (res ) {
211247 goto out ;
212248 }
213- res = derive_key_aes (ctx .nonce , master_key -> raw , raw_key );
214- up_read (& keyring_key -> sem );
215- if (res )
216- goto out ;
217249got_key :
218250 ctfm = crypto_alloc_ablkcipher (cipher_str , 0 , 0 );
219251 if (!ctfm || IS_ERR (ctfm )) {
0 commit comments