fscrypt: derive dirhash key for casefolded directories

identifier" is also derived using the KDF.  This value is stored in

the clear, since it is needed to reliably identify the key itself.

Dirhash keys

------------

For directories that are indexed using a secret-keyed dirhash over the

plaintext filenames, the KDF is also used to derive a 128-bit

SipHash-2-4 key per directory in order to hash filenames.  This works

just like deriving a per-file encryption key, except that a different

KDF context is used.  Currently, only casefolded ("case-insensitive")

encrypted directories use this style of hashing.

Encryption modes and usage

==========================

}

EXPORT_SYMBOL(fscrypt_setup_filename);

/**

 * fscrypt_fname_siphash() - calculate the SipHash of a filename

 * @dir: the parent directory

 * @name: the filename to calculate the SipHash of

 *

 * Given a plaintext filename @name and a directory @dir which uses SipHash as

 * its dirhash method and has had its fscrypt key set up, this function

 * calculates the SipHash of that name using the directory's secret dirhash key.

 *

 * Return: the SipHash of @name using the hash key of @dir

 */

u64 fscrypt_fname_siphash(const struct inode *dir, const struct qstr *name)

{

	const struct fscrypt_info *ci = dir->i_crypt_info;

	WARN_ON(!ci->ci_dirhash_key_initialized);

	return siphash(name->name, name->len, &ci->ci_dirhash_key);

}

EXPORT_SYMBOL_GPL(fscrypt_fname_siphash);

/*

 * Validate dentries in encrypted directories to make sure we aren't potentially

 * caching stale dentries after a key has been added.

#define _FSCRYPT_PRIVATE_H

#include <linux/fscrypt.h>

#include <linux/siphash.h>

#include <crypto/hash.h>

#define CONST_STRLEN(str)	(sizeof(str) - 1)

	 */

	struct fscrypt_direct_key *ci_direct_key;

	/*

	 * This inode's hash key for filenames.  This is a 128-bit SipHash-2-4

	 * key.  This is only set for directories that use a keyed dirhash over

	 * the plaintext filenames -- currently just casefolded directories.

	 */

	siphash_key_t ci_dirhash_key;

	bool ci_dirhash_key_initialized;

	/* The encryption policy used by this inode */

	union fscrypt_policy ci_policy;

#define HKDF_CONTEXT_PER_FILE_KEY	2

#define HKDF_CONTEXT_DIRECT_KEY		3

#define HKDF_CONTEXT_IV_INO_LBLK_64_KEY	4

#define HKDF_CONTEXT_DIRHASH_KEY	5

extern int fscrypt_hkdf_expand(const struct fscrypt_hkdf *hkdf, u8 context,

			       const u8 *info, unsigned int infolen,

extern int fscrypt_set_derived_key(struct fscrypt_info *ci,

				   const u8 *derived_key);

extern int fscrypt_derive_dirhash_key(struct fscrypt_info *ci,

				      const struct fscrypt_master_key *mk);

/* keysetup_v1.c */

extern void fscrypt_put_direct_key(struct fscrypt_direct_key *dk);

 * Encryption hooks for higher-level filesystem operations.

 */

#include <linux/key.h>

#include "fscrypt_private.h"

/**

			     unsigned int oldflags, unsigned int flags)

{

	struct fscrypt_info *ci;

	struct fscrypt_master_key *mk;

	int err;

	/*

	 * When the CASEFOLD flag is set on an encrypted directory, we must

	 * derive the secret key needed for the dirhash.  This is only possible

	 * if the directory uses a v2 encryption policy.

	 */

	if (IS_ENCRYPTED(inode) && (flags & ~oldflags & FS_CASEFOLD_FL)) {

		err = fscrypt_require_key(inode);

		if (err)

		ci = inode->i_crypt_info;

		if (ci->ci_policy.version != FSCRYPT_POLICY_V2)

			return -EINVAL;

		mk = ci->ci_master_key->payload.data[0];

		down_read(&mk->mk_secret_sem);

		if (is_master_key_secret_present(&mk->mk_secret))

			err = fscrypt_derive_dirhash_key(ci, mk);

		else

			err = -ENOKEY;

		up_read(&mk->mk_secret_sem);

		return err;

	}

	return 0;

}

	return 0;

}

int fscrypt_derive_dirhash_key(struct fscrypt_info *ci,

			       const struct fscrypt_master_key *mk)

{

	int err;

	err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf, HKDF_CONTEXT_DIRHASH_KEY,

				  ci->ci_nonce, FS_KEY_DERIVATION_NONCE_SIZE,

				  (u8 *)&ci->ci_dirhash_key,

				  sizeof(ci->ci_dirhash_key));

	if (err)

		return err;

	ci->ci_dirhash_key_initialized = true;

	return 0;

}

static int fscrypt_setup_v2_file_key(struct fscrypt_info *ci,

				     struct fscrypt_master_key *mk)

{

	u8 derived_key[FSCRYPT_MAX_KEY_SIZE];

	int err;

	if (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) {

		 * This ensures that the master key is consistently used only

		 * for HKDF, avoiding key reuse issues.

		 */

		return setup_per_mode_key(ci, mk, mk->mk_direct_tfms,

		err = setup_per_mode_key(ci, mk, mk->mk_direct_tfms,

					 HKDF_CONTEXT_DIRECT_KEY, false);

	} else if (ci->ci_policy.v2.flags &

		   FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) {

		 * the IVs.  This format is optimized for use with inline

		 * encryption hardware compliant with the UFS or eMMC standards.

		 */

		return setup_per_mode_key(ci, mk, mk->mk_iv_ino_lblk_64_tfms,

					  HKDF_CONTEXT_IV_INO_LBLK_64_KEY,

					  true);

	}

		err = setup_per_mode_key(ci, mk, mk->mk_iv_ino_lblk_64_tfms,

					 HKDF_CONTEXT_IV_INO_LBLK_64_KEY, true);

	} else {

		u8 derived_key[FSCRYPT_MAX_KEY_SIZE];

		err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf,

					  HKDF_CONTEXT_PER_FILE_KEY,

				  ci->ci_nonce, FS_KEY_DERIVATION_NONCE_SIZE,

					  ci->ci_nonce,

					  FS_KEY_DERIVATION_NONCE_SIZE,

					  derived_key, ci->ci_mode->keysize);

		if (err)

			return err;

		err = fscrypt_set_derived_key(ci, derived_key);

		memzero_explicit(derived_key, ci->ci_mode->keysize);

	}

	if (err)

		return err;

	/* Derive a secret dirhash key for directories that need it. */

	if (S_ISDIR(ci->ci_inode->i_mode) && IS_CASEFOLDED(ci->ci_inode)) {

		err = fscrypt_derive_dirhash_key(ci, mk);

		if (err)

			return err;

	}

	return 0;

}

/*

 * Find the master key, then set up the inode's actual encryption key.

 *