xref: /openbmc/linux/fs/ubifs/auth.c (revision b60a5b8d)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * This file is part of UBIFS.
4  *
5  * Copyright (C) 2018 Pengutronix, Sascha Hauer <s.hauer@pengutronix.de>
6  */
7 
8 /*
9  * This file implements various helper functions for UBIFS authentication support
10  */
11 
12 #include <linux/crypto.h>
13 #include <crypto/hash.h>
14 #include <crypto/sha.h>
15 #include <crypto/algapi.h>
16 #include <keys/user-type.h>
17 
18 #include "ubifs.h"
19 
20 /**
21  * ubifs_node_calc_hash - calculate the hash of a UBIFS node
22  * @c: UBIFS file-system description object
23  * @node: the node to calculate a hash for
24  * @hash: the returned hash
25  *
26  * Returns 0 for success or a negative error code otherwise.
27  */
28 int __ubifs_node_calc_hash(const struct ubifs_info *c, const void *node,
29 			    u8 *hash)
30 {
31 	const struct ubifs_ch *ch = node;
32 	SHASH_DESC_ON_STACK(shash, c->hash_tfm);
33 	int err;
34 
35 	shash->tfm = c->hash_tfm;
36 	shash->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
37 
38 	err = crypto_shash_digest(shash, node, le32_to_cpu(ch->len), hash);
39 	if (err < 0)
40 		return err;
41 	return 0;
42 }
43 
44 /**
45  * ubifs_hash_calc_hmac - calculate a HMAC from a hash
46  * @c: UBIFS file-system description object
47  * @hash: the node to calculate a HMAC for
48  * @hmac: the returned HMAC
49  *
50  * Returns 0 for success or a negative error code otherwise.
51  */
52 static int ubifs_hash_calc_hmac(const struct ubifs_info *c, const u8 *hash,
53 				 u8 *hmac)
54 {
55 	SHASH_DESC_ON_STACK(shash, c->hmac_tfm);
56 	int err;
57 
58 	shash->tfm = c->hmac_tfm;
59 	shash->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
60 
61 	err = crypto_shash_digest(shash, hash, c->hash_len, hmac);
62 	if (err < 0)
63 		return err;
64 	return 0;
65 }
66 
67 /**
68  * ubifs_prepare_auth_node - Prepare an authentication node
69  * @c: UBIFS file-system description object
70  * @node: the node to calculate a hash for
71  * @hash: input hash of previous nodes
72  *
73  * This function prepares an authentication node for writing onto flash.
74  * It creates a HMAC from the given input hash and writes it to the node.
75  *
76  * Returns 0 for success or a negative error code otherwise.
77  */
78 int ubifs_prepare_auth_node(struct ubifs_info *c, void *node,
79 			     struct shash_desc *inhash)
80 {
81 	SHASH_DESC_ON_STACK(hash_desc, c->hash_tfm);
82 	struct ubifs_auth_node *auth = node;
83 	u8 *hash;
84 	int err;
85 
86 	hash = kmalloc(crypto_shash_descsize(c->hash_tfm), GFP_NOFS);
87 	if (!hash)
88 		return -ENOMEM;
89 
90 	hash_desc->tfm = c->hash_tfm;
91 	hash_desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
92 	ubifs_shash_copy_state(c, inhash, hash_desc);
93 
94 	err = crypto_shash_final(hash_desc, hash);
95 	if (err)
96 		goto out;
97 
98 	err = ubifs_hash_calc_hmac(c, hash, auth->hmac);
99 	if (err)
100 		goto out;
101 
102 	auth->ch.node_type = UBIFS_AUTH_NODE;
103 	ubifs_prepare_node(c, auth, ubifs_auth_node_sz(c), 0);
104 
105 	err = 0;
106 out:
107 	kfree(hash);
108 
109 	return err;
110 }
111 
112 static struct shash_desc *ubifs_get_desc(const struct ubifs_info *c,
113 					 struct crypto_shash *tfm)
114 {
115 	struct shash_desc *desc;
116 	int err;
117 
118 	if (!ubifs_authenticated(c))
119 		return NULL;
120 
121 	desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL);
122 	if (!desc)
123 		return ERR_PTR(-ENOMEM);
124 
125 	desc->tfm = tfm;
126 	desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
127 
128 	err = crypto_shash_init(desc);
129 	if (err) {
130 		kfree(desc);
131 		return ERR_PTR(err);
132 	}
133 
134 	return desc;
135 }
136 
137 /**
138  * __ubifs_hash_get_desc - get a descriptor suitable for hashing a node
139  * @c: UBIFS file-system description object
140  *
141  * This function returns a descriptor suitable for hashing a node. Free after use
142  * with kfree.
143  */
144 struct shash_desc *__ubifs_hash_get_desc(const struct ubifs_info *c)
145 {
146 	return ubifs_get_desc(c, c->hash_tfm);
147 }
148 
149 /**
150  * __ubifs_shash_final - finalize shash
151  * @c: UBIFS file-system description object
152  * @desc: the descriptor
153  * @out: the output hash
154  *
155  * Simple wrapper around crypto_shash_final(), safe to be called with
156  * disabled authentication.
157  */
158 int __ubifs_shash_final(const struct ubifs_info *c, struct shash_desc *desc,
159 			u8 *out)
160 {
161 	if (ubifs_authenticated(c))
162 		return crypto_shash_final(desc, out);
163 
164 	return 0;
165 }
166 
167 /**
168  * ubifs_bad_hash - Report hash mismatches
169  * @c: UBIFS file-system description object
170  * @node: the node
171  * @hash: the expected hash
172  * @lnum: the LEB @node was read from
173  * @offs: offset in LEB @node was read from
174  *
175  * This function reports a hash mismatch when a node has a different hash than
176  * expected.
177  */
178 void ubifs_bad_hash(const struct ubifs_info *c, const void *node, const u8 *hash,
179 		    int lnum, int offs)
180 {
181 	int len = min(c->hash_len, 20);
182 	int cropped = len != c->hash_len;
183 	const char *cont = cropped ? "..." : "";
184 
185 	u8 calc[UBIFS_HASH_ARR_SZ];
186 
187 	__ubifs_node_calc_hash(c, node, calc);
188 
189 	ubifs_err(c, "hash mismatch on node at LEB %d:%d", lnum, offs);
190 	ubifs_err(c, "hash expected:   %*ph%s", len, hash, cont);
191 	ubifs_err(c, "hash calculated: %*ph%s", len, calc, cont);
192 }
193 
194 /**
195  * __ubifs_node_check_hash - check the hash of a node against given hash
196  * @c: UBIFS file-system description object
197  * @node: the node
198  * @expected: the expected hash
199  *
200  * This function calculates a hash over a node and compares it to the given hash.
201  * Returns 0 if both hashes are equal or authentication is disabled, otherwise a
202  * negative error code is returned.
203  */
204 int __ubifs_node_check_hash(const struct ubifs_info *c, const void *node,
205 			    const u8 *expected)
206 {
207 	u8 calc[UBIFS_HASH_ARR_SZ];
208 	int err;
209 
210 	err = __ubifs_node_calc_hash(c, node, calc);
211 	if (err)
212 		return err;
213 
214 	if (ubifs_check_hash(c, expected, calc))
215 		return -EPERM;
216 
217 	return 0;
218 }
219 
220 /**
221  * ubifs_init_authentication - initialize UBIFS authentication support
222  * @c: UBIFS file-system description object
223  *
224  * This function returns 0 for success or a negative error code otherwise.
225  */
226 int ubifs_init_authentication(struct ubifs_info *c)
227 {
228 	struct key *keyring_key;
229 	const struct user_key_payload *ukp;
230 	int err;
231 	char hmac_name[CRYPTO_MAX_ALG_NAME];
232 
233 	if (!c->auth_hash_name) {
234 		ubifs_err(c, "authentication hash name needed with authentication");
235 		return -EINVAL;
236 	}
237 
238 	c->auth_hash_algo = match_string(hash_algo_name, HASH_ALGO__LAST,
239 					 c->auth_hash_name);
240 	if ((int)c->auth_hash_algo < 0) {
241 		ubifs_err(c, "Unknown hash algo %s specified",
242 			  c->auth_hash_name);
243 		return -EINVAL;
244 	}
245 
246 	snprintf(hmac_name, CRYPTO_MAX_ALG_NAME, "hmac(%s)",
247 		 c->auth_hash_name);
248 
249 	keyring_key = request_key(&key_type_logon, c->auth_key_name, NULL);
250 
251 	if (IS_ERR(keyring_key)) {
252 		ubifs_err(c, "Failed to request key: %ld",
253 			  PTR_ERR(keyring_key));
254 		return PTR_ERR(keyring_key);
255 	}
256 
257 	down_read(&keyring_key->sem);
258 
259 	if (keyring_key->type != &key_type_logon) {
260 		ubifs_err(c, "key type must be logon");
261 		err = -ENOKEY;
262 		goto out;
263 	}
264 
265 	ukp = user_key_payload_locked(keyring_key);
266 	if (!ukp) {
267 		/* key was revoked before we acquired its semaphore */
268 		err = -EKEYREVOKED;
269 		goto out;
270 	}
271 
272 	c->hash_tfm = crypto_alloc_shash(c->auth_hash_name, 0, 0);
273 	if (IS_ERR(c->hash_tfm)) {
274 		err = PTR_ERR(c->hash_tfm);
275 		ubifs_err(c, "Can not allocate %s: %d",
276 			  c->auth_hash_name, err);
277 		goto out;
278 	}
279 
280 	c->hash_len = crypto_shash_digestsize(c->hash_tfm);
281 	if (c->hash_len > UBIFS_HASH_ARR_SZ) {
282 		ubifs_err(c, "hash %s is bigger than maximum allowed hash size (%d > %d)",
283 			  c->auth_hash_name, c->hash_len, UBIFS_HASH_ARR_SZ);
284 		err = -EINVAL;
285 		goto out_free_hash;
286 	}
287 
288 	c->hmac_tfm = crypto_alloc_shash(hmac_name, 0, 0);
289 	if (IS_ERR(c->hmac_tfm)) {
290 		err = PTR_ERR(c->hmac_tfm);
291 		ubifs_err(c, "Can not allocate %s: %d", hmac_name, err);
292 		goto out_free_hash;
293 	}
294 
295 	c->hmac_desc_len = crypto_shash_digestsize(c->hmac_tfm);
296 	if (c->hmac_desc_len > UBIFS_HMAC_ARR_SZ) {
297 		ubifs_err(c, "hmac %s is bigger than maximum allowed hmac size (%d > %d)",
298 			  hmac_name, c->hmac_desc_len, UBIFS_HMAC_ARR_SZ);
299 		err = -EINVAL;
300 		goto out_free_hash;
301 	}
302 
303 	err = crypto_shash_setkey(c->hmac_tfm, ukp->data, ukp->datalen);
304 	if (err)
305 		goto out_free_hmac;
306 
307 	c->authenticated = true;
308 
309 	c->log_hash = ubifs_hash_get_desc(c);
310 	if (IS_ERR(c->log_hash))
311 		goto out_free_hmac;
312 
313 	err = 0;
314 
315 out_free_hmac:
316 	if (err)
317 		crypto_free_shash(c->hmac_tfm);
318 out_free_hash:
319 	if (err)
320 		crypto_free_shash(c->hash_tfm);
321 out:
322 	up_read(&keyring_key->sem);
323 	key_put(keyring_key);
324 
325 	return err;
326 }
327 
328 /**
329  * __ubifs_exit_authentication - release resource
330  * @c: UBIFS file-system description object
331  *
332  * This function releases the authentication related resources.
333  */
334 void __ubifs_exit_authentication(struct ubifs_info *c)
335 {
336 	if (!ubifs_authenticated(c))
337 		return;
338 
339 	crypto_free_shash(c->hmac_tfm);
340 	crypto_free_shash(c->hash_tfm);
341 	kfree(c->log_hash);
342 }
343 
344 /**
345  * ubifs_node_calc_hmac - calculate the HMAC of a UBIFS node
346  * @c: UBIFS file-system description object
347  * @node: the node to insert a HMAC into.
348  * @len: the length of the node
349  * @ofs_hmac: the offset in the node where the HMAC is inserted
350  * @hmac: returned HMAC
351  *
352  * This function calculates a HMAC of a UBIFS node. The HMAC is expected to be
353  * embedded into the node, so this area is not covered by the HMAC. Also not
354  * covered is the UBIFS_NODE_MAGIC and the CRC of the node.
355  */
356 static int ubifs_node_calc_hmac(const struct ubifs_info *c, const void *node,
357 				int len, int ofs_hmac, void *hmac)
358 {
359 	SHASH_DESC_ON_STACK(shash, c->hmac_tfm);
360 	int hmac_len = c->hmac_desc_len;
361 	int err;
362 
363 	ubifs_assert(c, ofs_hmac > 8);
364 	ubifs_assert(c, ofs_hmac + hmac_len < len);
365 
366 	shash->tfm = c->hmac_tfm;
367 	shash->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
368 
369 	err = crypto_shash_init(shash);
370 	if (err)
371 		return err;
372 
373 	/* behind common node header CRC up to HMAC begin */
374 	err = crypto_shash_update(shash, node + 8, ofs_hmac - 8);
375 	if (err < 0)
376 		return err;
377 
378 	/* behind HMAC, if any */
379 	if (len - ofs_hmac - hmac_len > 0) {
380 		err = crypto_shash_update(shash, node + ofs_hmac + hmac_len,
381 			    len - ofs_hmac - hmac_len);
382 		if (err < 0)
383 			return err;
384 	}
385 
386 	return crypto_shash_final(shash, hmac);
387 }
388 
389 /**
390  * __ubifs_node_insert_hmac - insert a HMAC into a UBIFS node
391  * @c: UBIFS file-system description object
392  * @node: the node to insert a HMAC into.
393  * @len: the length of the node
394  * @ofs_hmac: the offset in the node where the HMAC is inserted
395  *
396  * This function inserts a HMAC at offset @ofs_hmac into the node given in
397  * @node.
398  *
399  * This function returns 0 for success or a negative error code otherwise.
400  */
401 int __ubifs_node_insert_hmac(const struct ubifs_info *c, void *node, int len,
402 			    int ofs_hmac)
403 {
404 	return ubifs_node_calc_hmac(c, node, len, ofs_hmac, node + ofs_hmac);
405 }
406 
407 /**
408  * __ubifs_node_verify_hmac - verify the HMAC of UBIFS node
409  * @c: UBIFS file-system description object
410  * @node: the node to insert a HMAC into.
411  * @len: the length of the node
412  * @ofs_hmac: the offset in the node where the HMAC is inserted
413  *
414  * This function verifies the HMAC at offset @ofs_hmac of the node given in
415  * @node. Returns 0 if successful or a negative error code otherwise.
416  */
417 int __ubifs_node_verify_hmac(const struct ubifs_info *c, const void *node,
418 			     int len, int ofs_hmac)
419 {
420 	int hmac_len = c->hmac_desc_len;
421 	u8 *hmac;
422 	int err;
423 
424 	hmac = kmalloc(hmac_len, GFP_NOFS);
425 	if (!hmac)
426 		return -ENOMEM;
427 
428 	err = ubifs_node_calc_hmac(c, node, len, ofs_hmac, hmac);
429 	if (err)
430 		return err;
431 
432 	err = crypto_memneq(hmac, node + ofs_hmac, hmac_len);
433 
434 	kfree(hmac);
435 
436 	if (!err)
437 		return 0;
438 
439 	return -EPERM;
440 }
441 
442 int __ubifs_shash_copy_state(const struct ubifs_info *c, struct shash_desc *src,
443 			     struct shash_desc *target)
444 {
445 	u8 *state;
446 	int err;
447 
448 	state = kmalloc(crypto_shash_descsize(src->tfm), GFP_NOFS);
449 	if (!state)
450 		return -ENOMEM;
451 
452 	err = crypto_shash_export(src, state);
453 	if (err)
454 		goto out;
455 
456 	err = crypto_shash_import(target, state);
457 
458 out:
459 	kfree(state);
460 
461 	return err;
462 }
463 
464 /**
465  * ubifs_hmac_wkm - Create a HMAC of the well known message
466  * @c: UBIFS file-system description object
467  * @hmac: The HMAC of the well known message
468  *
469  * This function creates a HMAC of a well known message. This is used
470  * to check if the provided key is suitable to authenticate a UBIFS
471  * image. This is only a convenience to the user to provide a better
472  * error message when the wrong key is provided.
473  *
474  * This function returns 0 for success or a negative error code otherwise.
475  */
476 int ubifs_hmac_wkm(struct ubifs_info *c, u8 *hmac)
477 {
478 	SHASH_DESC_ON_STACK(shash, c->hmac_tfm);
479 	int err;
480 	const char well_known_message[] = "UBIFS";
481 
482 	if (!ubifs_authenticated(c))
483 		return 0;
484 
485 	shash->tfm = c->hmac_tfm;
486 	shash->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
487 
488 	err = crypto_shash_init(shash);
489 	if (err)
490 		return err;
491 
492 	err = crypto_shash_update(shash, well_known_message,
493 				  sizeof(well_known_message) - 1);
494 	if (err < 0)
495 		return err;
496 
497 	err = crypto_shash_final(shash, hmac);
498 	if (err)
499 		return err;
500 	return 0;
501 }
502