fscrypt updates for 5.14

A couple bug fixes for fs/crypto/:
 
 - Fix handling of major dirhash values that happen to be 0.
 
 - Fix cases where keys were derived differently on big endian systems
   than on little endian systems (affecting some newer features only).
 -----BEGIN PGP SIGNATURE-----
 
 iIoEABYIADIWIQSacvsUNc7UX4ntmEPzXCl4vpKOKwUCYNn+KhQcZWJpZ2dlcnNA
 Z29vZ2xlLmNvbQAKCRDzXCl4vpKOK595AP4hhu5pLLjPv+Okep+k+RTze5MzH9rH
 aXJK2T8J4TwGBgD/Qj+AjgLIJwjxk8mx3FliMsOjBxOIYiIpjHVNZect9AI=
 =+6JI
 -----END PGP SIGNATURE-----

Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/fscrypt

Pull fscrypt updates from Eric Biggers:
 "A couple bug fixes for fs/crypto/:

   - Fix handling of major dirhash values that happen to be 0.

   - Fix cases where keys were derived differently on big endian systems
     than on little endian systems (affecting some newer features only)"

* tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/fscrypt:
  fscrypt: fix derivation of SipHash keys on big endian CPUs
  fscrypt: don't ignore minor_hash when hash is 0
This commit is contained in:
Linus Torvalds 2021-06-28 16:20:48 -07:00
commit a58e203530
2 changed files with 35 additions and 15 deletions

View File

@ -344,13 +344,9 @@ int fscrypt_fname_disk_to_usr(const struct inode *inode,
offsetof(struct fscrypt_nokey_name, sha256));
BUILD_BUG_ON(BASE64_CHARS(FSCRYPT_NOKEY_NAME_MAX) > NAME_MAX);
if (hash) {
nokey_name.dirhash[0] = hash;
nokey_name.dirhash[1] = minor_hash;
} else {
nokey_name.dirhash[0] = 0;
nokey_name.dirhash[1] = 0;
}
nokey_name.dirhash[0] = hash;
nokey_name.dirhash[1] = minor_hash;
if (iname->len <= sizeof(nokey_name.bytes)) {
memcpy(nokey_name.bytes, iname->name, iname->len);
size = offsetof(struct fscrypt_nokey_name, bytes[iname->len]);

View File

@ -210,15 +210,40 @@ out_unlock:
return err;
}
/*
* Derive a SipHash key from the given fscrypt master key and the given
* application-specific information string.
*
* Note that the KDF produces a byte array, but the SipHash APIs expect the key
* as a pair of 64-bit words. Therefore, on big endian CPUs we have to do an
* endianness swap in order to get the same results as on little endian CPUs.
*/
static int fscrypt_derive_siphash_key(const struct fscrypt_master_key *mk,
u8 context, const u8 *info,
unsigned int infolen, siphash_key_t *key)
{
int err;
err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf, context, info, infolen,
(u8 *)key, sizeof(*key));
if (err)
return err;
BUILD_BUG_ON(sizeof(*key) != 16);
BUILD_BUG_ON(ARRAY_SIZE(key->key) != 2);
le64_to_cpus(&key->key[0]);
le64_to_cpus(&key->key[1]);
return 0;
}
int fscrypt_derive_dirhash_key(struct fscrypt_info *ci,
const struct fscrypt_master_key *mk)
{
int err;
err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf, HKDF_CONTEXT_DIRHASH_KEY,
ci->ci_nonce, FSCRYPT_FILE_NONCE_SIZE,
(u8 *)&ci->ci_dirhash_key,
sizeof(ci->ci_dirhash_key));
err = fscrypt_derive_siphash_key(mk, HKDF_CONTEXT_DIRHASH_KEY,
ci->ci_nonce, FSCRYPT_FILE_NONCE_SIZE,
&ci->ci_dirhash_key);
if (err)
return err;
ci->ci_dirhash_key_initialized = true;
@ -253,10 +278,9 @@ static int fscrypt_setup_iv_ino_lblk_32_key(struct fscrypt_info *ci,
if (mk->mk_ino_hash_key_initialized)
goto unlock;
err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf,
HKDF_CONTEXT_INODE_HASH_KEY, NULL, 0,
(u8 *)&mk->mk_ino_hash_key,
sizeof(mk->mk_ino_hash_key));
err = fscrypt_derive_siphash_key(mk,
HKDF_CONTEXT_INODE_HASH_KEY,
NULL, 0, &mk->mk_ino_hash_key);
if (err)
goto unlock;
/* pairs with smp_load_acquire() above */