| Age | Commit message (Collapse) | Author |
|---|
|
Signed-off-by: Joe Richey <joerichey@google.com>
[ebiggers: moved the new checks from PassphraseHash to CheckValidity]
Signed-off-by: Eric Biggers <ebiggers@google.com>
|
|
ErrKeyLock:
Rename to ErrMlockUlimit for clarity.
ErrGetrandomFail:
ErrKeyAlloc:
ErrKeyFree:
ErrNegativeLength:
Replace these with one-off unnamed errors because these were all
returned in only one place and were never checked for. Also
these were all either wrapped backwards or discarded an
underlying error, so fix that too.
|
|
Linux v5.4 and later supports v2 encryption policies. These have
several advantages over v1 encryption policies:
- Their encryption keys can be added/removed to/from the filesystem by
non-root users, thus gaining the benefits of the filesystem keyring
while also retaining support for non-root use.
- They use a more standard, secure, and flexible key derivation
function. Because of this, some future kernel-level fscrypt features
will be implemented for v2 policies only.
- They prevent a denial-of-service attack where a user could associate
the wrong key with another user's encrypted files.
Prepare the fscrypt tool to support v2 encryption policies by:
- Adding a policy_version field to the EncryptionOptions, i.e. to the
config file and to the policy metadata files.
- Using the kernel-specified algorithm to compute the key descriptor for
v2 policies.
- Handling setting and getting v2 policies.
Actually adding/removing the keys for v2 policies to/from the kernel is
left for the next patch.
|
|
In preparation for introducing support for the new filesystem-level
keyrings, move the existing user keyring management code from
security/keyring.go and crypto/crypto.go into a new package, 'keyring'.
This package provides functions AddEncryptionKey, RemoveEncryptionKey,
and GetEncryptionKeyStatus which delegate to either the filesystem
keyring (added by a later patch) or to the user keyring. This provides
a common interface to both types of keyrings, to the extent possible.
|
|
Use the new name for fscrypt constants and structures which have been
given a new name.
Also use the named constant for the DIRECT_KEY fscrypt policy flag.
No change in behavior. This is just preparing for future work.
|
|
These were found by a combination of manual review and a custom script
that checks for common errors.
Also removed an outdated sentence from the comment for setupBefore().
|
|
Use the golang library for the hashing function instead of the reference
C implementation. This removes the dependancy on libargon2. As we are no
longer doing our own error checking, we also eliminate those tests.
|
|
|
|
|
|
|
|
|
|
|
|
Instead of using the service+descriptor parameters (which are always
combined in the same way), use a single description parameter.
|
|
This commit changes all the internal import paths from `fscrypt/foo` to
`github.com/google/fscrypt/foo` so that it can be built once we release
externaly. The documentation in README.md is updated accordingly.
Also, the README has a note noting that we do not make any guarantees
about project stability before 1.0 (when it ships with Ubuntu).
Change-Id: I6ba86e442c74057c8a06ba32a42e17f94833e280
|
|
This commit makes the callbacks for getting keys easier to understand.
Functions which need keys now take a KeyFunc callback. This callback
contains a ProtectorInfo parameter (basically a read-only version of
metadata.ProtectorData) and a boolean which indicates if the call is
being retried. The documentation is also updated to say which functions
will retry the KeyFunc.
For selecting a protector, there is now an OptionFunc callback which
takes a slice of ProtectorOptions. A ProtectorOption is a ProtectorInfo
along with additional information about a linked filesystem (if
applicable).
This commit also adds in methods for getting the protector options for a
specific filesystem or policy. It also adds a function for getting the
policy descriptor for a specific path.
Change-Id: I41e0d94ffd44e7166b0c5cf1b5d18437960bdf90
|
|
This commit adds in the FindPolicyKey and RemovePolicyKey functions to
complement the InsertPolicyKey function. The existing functions were
also refactored slightly.
Change-Id: Iabd275f2186a9e3023d5efd44c772966123e3657
|
|
This changes the crypto package so it now builds in light of the changes
to the util and metadata package. This commit also improves the error
handling, adds tests, and makes it so recovery keys now correspond to
Policy keys (as they are used to recover a directory in the absence of
any metadata).
The only feature addition here is the ability to compute descriptors.
For backwards compatibility, we keep the same descriptor algorithm used
before (double SHA512).
Change-Id: Ia2b53c6e85ce65c57595e6823d3c4c92219bc8dc
|
|
This commit adds in the PassphraseHash function which hashes the
provided passphrase (in key form) using Argon2id. This cost parameters
for Argon2id and that salt are both fed into the function. It also
includes tests and benchmarks for the passphrase hashing.
Change-Id: I060db3e71213c756d45ce5603a0a59d3d7a1e609
|
|
This commit adds in the concept of recovery codes: human-readable
strings that contain the necessary information to rederive a
cryptographic key. These keys look like:
73PZBXVP-DKJX7SKV-NNTFIC7A-QEGRPZUX-4K5ORRH2-MTKMKP3B-HFCA====
They are input or output directly to a io.Reader or io.Writer
respectively. This prevents the data from passing through unsecured
memory before it gets to its destination. Of course, if the provided
io.Reader or io.Writer is insecure, there is nothing we can do. In most
cases the provided io.Reader or io.Writer will be stdin or stdout. In
some rare cases you might want to pipe the output to another key.
This commit also adds tests and benchmarks for encoding/decoding
recovery codes. It also tests that encoding/decoding will fail in the
correct situations. A benchmark is also added to measure the effect of
locking the keys in memory.
Change-Id: Ifa0bc4c08582789785cf1cdd9a4acfe76c79534f
|
|
This commit adds in the ability to use the WrappedKeyData from the
metadata package to wrap and unwrap cryptographic keys of any length.
This makes use of several cryptographic primitives:
- Unsalted, SHA256-based HKDF for key stretching
- AES256 in CTR mode for encryption
- SHA256-based HMAC for authentication
Note that the key wrapping/unwrapping uses an "Encrypt then MAC" scheme
for doing authenticated unwrapping. This means we can detect if bogus
metadata has been given. This package also standardizes the length for
fscrypt's internal keys.
This CL is the first to add benchmarks, which can be run with:
go test -bench=. ./...
Change-Id: I2e5fc23a8a8cc36b17ccb3f26f03edcaccc517e1
|
|
This commit adds in RandReader, a cryptographically secure io.Reader
that will fail when the os has insufficient randomness. This is done
using the getrandom() syscall in non-blocking mode.
see: http://man7.org/linux/man-pages/man2/getrandom.2.html
Any kernel new enough to have filesystem encryption will also have this
syscall.
This RandReader is preferable to the one provided by the standard
library in crypto/rand. See the bugs:
https://github.com/golang/go/issues/11833
https://github.com/golang/go/issues/19274
This will be removed when go updates the crypto/rand implementation.
Change-Id: Icccaf07bc6011b95cd31a5c268e7486807dcffe2
|
|
This commit adds in the ability to insert Keys into the kernel keyring
from go code. This is done via a patched version of x/sys/unix. We
also expose the specific requirements for keys that will be placed in
the keyring, namely PolicyKeyLen. The legacy services are also exposed.
Change-Id: I177928c9aa676cae13b749042b9a3996e7490f68
|
|
This commit adds in the crypto package, which will hold all
of the security primitives for fscrypt. This first component deals with
securely handling keys in memory. To do this in a consistent way across
fscrypt, we introduce the Key struct.
Any sensitive memory (like keys, passwords, or recovery tokens) in
fscrypt will be held in a Key. No code outside of the crypto package
should access the Key's data directly. Convenience functions and methods
are provided to construct keys from io.Readers (either with fixed length
or with variable length) and to access information about the Keys.
The most important property of Keys is that the data is locked in memory
on construction, and the data is unlocked and wiped when Wipe is called.
This happens either by something like "defer key.Wipe()" or through the
finalizer.
Change-Id: Ice76335f3975efb439b3f1ab605ef34cb7fcb4d6
|
