Commit 4ca332e1 authored by James Morris's avatar James Morris

Merge tag 'keys-next-20140722' of...

Merge tag 'keys-next-20140722' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next
parents 6d6f3328 633706a2
...@@ -566,6 +566,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted. ...@@ -566,6 +566,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
possible to determine what the correct size should be. possible to determine what the correct size should be.
This option provides an override for these situations. This option provides an override for these situations.
ca_keys= [KEYS] This parameter identifies a specific key(s) on
the system trusted keyring to be used for certificate
trust validation.
format: { id:<keyid> | builtin }
ccw_timeout_log [S390] ccw_timeout_log [S390]
See Documentation/s390/CommonIO for details. See Documentation/s390/CommonIO for details.
......
...@@ -1150,20 +1150,24 @@ The structure has a number of fields, some of which are mandatory: ...@@ -1150,20 +1150,24 @@ The structure has a number of fields, some of which are mandatory:
const void *data; const void *data;
size_t datalen; size_t datalen;
size_t quotalen; size_t quotalen;
time_t expiry;
}; };
Before calling the method, the caller will fill in data and datalen with Before calling the method, the caller will fill in data and datalen with
the payload blob parameters; quotalen will be filled in with the default the payload blob parameters; quotalen will be filled in with the default
quota size from the key type and the rest will be cleared. quota size from the key type; expiry will be set to TIME_T_MAX and the
rest will be cleared.
If a description can be proposed from the payload contents, that should be If a description can be proposed from the payload contents, that should be
attached as a string to the description field. This will be used for the attached as a string to the description field. This will be used for the
key description if the caller of add_key() passes NULL or "". key description if the caller of add_key() passes NULL or "".
The method can attach anything it likes to type_data[] and payload. These The method can attach anything it likes to type_data[] and payload. These
are merely passed along to the instantiate() or update() operations. are merely passed along to the instantiate() or update() operations. If
set, the expiry time will be applied to the key if it is instantiated from
this data.
The method should return 0 if success ful or a negative error code The method should return 0 if successful or a negative error code
otherwise. otherwise.
...@@ -1172,7 +1176,9 @@ The structure has a number of fields, some of which are mandatory: ...@@ -1172,7 +1176,9 @@ The structure has a number of fields, some of which are mandatory:
This method is only required if the preparse() method is provided, This method is only required if the preparse() method is provided,
otherwise it is unused. It cleans up anything attached to the otherwise it is unused. It cleans up anything attached to the
description, type_data and payload fields of the key_preparsed_payload description, type_data and payload fields of the key_preparsed_payload
struct as filled in by the preparse() method. struct as filled in by the preparse() method. It will always be called
after preparse() returns successfully, even if instantiate() or update()
succeed.
(*) int (*instantiate)(struct key *key, struct key_preparsed_payload *prep); (*) int (*instantiate)(struct key *key, struct key_preparsed_payload *prep);
......
...@@ -22,7 +22,6 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE ...@@ -22,7 +22,6 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
config PUBLIC_KEY_ALGO_RSA config PUBLIC_KEY_ALGO_RSA
tristate "RSA public-key algorithm" tristate "RSA public-key algorithm"
select MPILIB_EXTRA
select MPILIB select MPILIB
help help
This option enables support for the RSA algorithm (PKCS#1, RFC3447). This option enables support for the RSA algorithm (PKCS#1, RFC3447).
...@@ -33,8 +32,39 @@ config X509_CERTIFICATE_PARSER ...@@ -33,8 +32,39 @@ config X509_CERTIFICATE_PARSER
select ASN1 select ASN1
select OID_REGISTRY select OID_REGISTRY
help help
This option procides support for parsing X.509 format blobs for key This option provides support for parsing X.509 format blobs for key
data and provides the ability to instantiate a crypto key from a data and provides the ability to instantiate a crypto key from a
public key packet found inside the certificate. public key packet found inside the certificate.
config PKCS7_MESSAGE_PARSER
tristate "PKCS#7 message parser"
depends on X509_CERTIFICATE_PARSER
select ASN1
select OID_REGISTRY
help
This option provides support for parsing PKCS#7 format messages for
signature data and provides the ability to verify the signature.
config PKCS7_TEST_KEY
tristate "PKCS#7 testing key type"
depends on PKCS7_MESSAGE_PARSER
select SYSTEM_TRUSTED_KEYRING
help
This option provides a type of key that can be loaded up from a
PKCS#7 message - provided the message is signed by a trusted key. If
it is, the PKCS#7 wrapper is discarded and reading the key returns
just the payload. If it isn't, adding the key will fail with an
error.
This is intended for testing the PKCS#7 parser.
config SIGNED_PE_FILE_VERIFICATION
bool "Support for PE file signature verification"
depends on PKCS7_MESSAGE_PARSER=y
select ASN1
select OID_REGISTRY
help
This option provides support for verifying the signature(s) on a
signed PE binary.
endif # ASYMMETRIC_KEY_TYPE endif # ASYMMETRIC_KEY_TYPE
...@@ -25,3 +25,40 @@ $(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h ...@@ -25,3 +25,40 @@ $(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h
clean-files += x509-asn1.c x509-asn1.h clean-files += x509-asn1.c x509-asn1.h
clean-files += x509_rsakey-asn1.c x509_rsakey-asn1.h clean-files += x509_rsakey-asn1.c x509_rsakey-asn1.h
#
# PKCS#7 message handling
#
obj-$(CONFIG_PKCS7_MESSAGE_PARSER) += pkcs7_message.o
pkcs7_message-y := \
pkcs7-asn1.o \
pkcs7_parser.o \
pkcs7_trust.o \
pkcs7_verify.o
$(obj)/pkcs7_parser.o: $(obj)/pkcs7-asn1.h
$(obj)/pkcs7-asn1.o: $(obj)/pkcs7-asn1.c $(obj)/pkcs7-asn1.h
clean-files += pkcs7-asn1.c pkcs7-asn1.h
#
# PKCS#7 parser testing key
#
obj-$(CONFIG_PKCS7_TEST_KEY) += pkcs7_test_key.o
pkcs7_test_key-y := \
pkcs7_key_type.o
#
# Signed PE binary-wrapped key handling
#
obj-$(CONFIG_SIGNED_PE_FILE_VERIFICATION) += verify_signed_pefile.o
verify_signed_pefile-y := \
verify_pefile.o \
mscode_parser.o \
mscode-asn1.o
$(obj)/mscode_parser.o: $(obj)/mscode-asn1.h $(obj)/mscode-asn1.h
$(obj)/mscode-asn1.o: $(obj)/mscode-asn1.c $(obj)/mscode-asn1.h
clean-files += mscode-asn1.c mscode-asn1.h
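Review bot: The `$(obj)/mscode_parser.o` rule lists `$(obj)/mscode-asn1.h` twice as a prerequisite. It is harmless to make, but next to the `pkcs7_parser.o` rule a few lines up it reads like a copy-paste slip. One prerequisite is enough: `$(obj)/mscode_parser.o: $(obj)/mscode-asn1.h`.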
...@@ -9,6 +9,8 @@ ...@@ -9,6 +9,8 @@
* 2 of the Licence, or (at your option) any later version. * 2 of the Licence, or (at your option) any later version.
*/ */
int asymmetric_keyid_match(const char *kid, const char *id);
static inline const char *asymmetric_key_id(const struct key *key) static inline const char *asymmetric_key_id(const struct key *key)
{ {
return key->type_data.p[1]; return key->type_data.p[1];
......
...@@ -22,6 +22,35 @@ MODULE_LICENSE("GPL"); ...@@ -22,6 +22,35 @@ MODULE_LICENSE("GPL");
static LIST_HEAD(asymmetric_key_parsers); static LIST_HEAD(asymmetric_key_parsers);
static DECLARE_RWSEM(asymmetric_key_parsers_sem); static DECLARE_RWSEM(asymmetric_key_parsers_sem);
/*
* Match asymmetric key id with partial match
* @id: key id to match in a form "id:<id>"
*/
int asymmetric_keyid_match(const char *kid, const char *id)
{
size_t idlen, kidlen;
if (!kid || !id)
return 0;
/* make it possible to use id as in the request: "id:<id>" */
if (strncmp(id, "id:", 3) == 0)
id += 3;
/* Anything after here requires a partial match on the ID string */
idlen = strlen(id);
kidlen = strlen(kid);
if (idlen > kidlen)
return 0;
kid += kidlen - idlen;
if (strcasecmp(id, kid) != 0)
return 0;
return 1;
}
EXPORT_SYMBOL_GPL(asymmetric_keyid_match);
/* /*
* Match asymmetric keys on (part of) their name * Match asymmetric keys on (part of) their name
* We have some shorthand methods for matching keys. We allow: * We have some shorthand methods for matching keys. We allow:
...@@ -34,9 +63,8 @@ static int asymmetric_key_match(const struct key *key, const void *description) ...@@ -34,9 +63,8 @@ static int asymmetric_key_match(const struct key *key, const void *description)
{ {
const struct asymmetric_key_subtype *subtype = asymmetric_key_subtype(key); const struct asymmetric_key_subtype *subtype = asymmetric_key_subtype(key);
const char *spec = description; const char *spec = description;
const char *id, *kid; const char *id;
ptrdiff_t speclen; ptrdiff_t speclen;
size_t idlen, kidlen;
if (!subtype || !spec || !*spec) if (!subtype || !spec || !*spec)
return 0; return 0;
...@@ -55,23 +83,8 @@ static int asymmetric_key_match(const struct key *key, const void *description) ...@@ -55,23 +83,8 @@ static int asymmetric_key_match(const struct key *key, const void *description)
speclen = id - spec; speclen = id - spec;
id++; id++;
/* Anything after here requires a partial match on the ID string */ if (speclen == 2 && memcmp(spec, "id", 2) == 0)
kid = asymmetric_key_id(key); return asymmetric_keyid_match(asymmetric_key_id(key), id);
if (!kid)
return 0;
idlen = strlen(id);
kidlen = strlen(kid);
if (idlen > kidlen)
return 0;
kid += kidlen - idlen;
if (strcasecmp(id, kid) != 0)
return 0;
if (speclen == 2 &&
memcmp(spec, "id", 2) == 0)
return 1;
if (speclen == subtype->name_len && if (speclen == subtype->name_len &&
memcmp(spec, subtype->name, speclen) == 0) memcmp(spec, subtype->name, speclen) == 0)
...@@ -156,36 +169,13 @@ static void asymmetric_key_free_preparse(struct key_preparsed_payload *prep) ...@@ -156,36 +169,13 @@ static void asymmetric_key_free_preparse(struct key_preparsed_payload *prep)
pr_devel("==>%s()\n", __func__); pr_devel("==>%s()\n", __func__);
if (subtype) { if (subtype) {
subtype->destroy(prep->payload); subtype->destroy(prep->payload[0]);
module_put(subtype->owner); module_put(subtype->owner);
} }
kfree(prep->type_data[1]); kfree(prep->type_data[1]);
kfree(prep->description); kfree(prep->description);
} }
/*
* Instantiate a asymmetric_key defined key. The key was preparsed, so we just
* have to transfer the data here.
*/
static int asymmetric_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
{
int ret;
pr_devel("==>%s()\n", __func__);
ret = key_payload_reserve(key, prep->quotalen);
if (ret == 0) {
key->type_data.p[0] = prep->type_data[0];
key->type_data.p[1] = prep->type_data[1];
key->payload.data = prep->payload;
prep->type_data[0] = NULL;
prep->type_data[1] = NULL;
prep->payload = NULL;
}
pr_devel("<==%s() = %d\n", __func__, ret);
return ret;
}
/* /*
* dispose of the data dangling from the corpse of a asymmetric key * dispose of the data dangling from the corpse of a asymmetric key
*/ */
...@@ -205,7 +195,7 @@ struct key_type key_type_asymmetric = { ...@@ -205,7 +195,7 @@ struct key_type key_type_asymmetric = {
.name = "asymmetric", .name = "asymmetric",
.preparse = asymmetric_key_preparse, .preparse = asymmetric_key_preparse,
.free_preparse = asymmetric_key_free_preparse, .free_preparse = asymmetric_key_free_preparse,
.instantiate = asymmetric_key_instantiate, .instantiate = generic_key_instantiate,
.match = asymmetric_key_match, .match = asymmetric_key_match,
.destroy = asymmetric_key_destroy, .destroy = asymmetric_key_destroy,
.describe = asymmetric_key_describe, .describe = asymmetric_key_describe,
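Review bot: In asymmetric_key_match() the ID comparison now runs only for the `id:` prefix, so the `subtype->name` branch that follows no longer compares the ID string at all; before this change the suffix match had to succeed ahead of both branches. The statement under that `if` lies outside the hunk, but if it still returns 1, a `<subtype>:<anything>` description would match every key of that subtype. Routing that branch through the helper as well would keep the old behaviour: `return asymmetric_keyid_match(asymmetric_key_id(key), id);`. Separately, asymmetric_keyid_match() treats an empty ID (a bare `id:`) as a suffix of every key ID and returns 1. Since the function is now exported and the new ca_keys= documentation uses the same `id:<keyid>` form, an early `if (idlen == 0) return 0;` after the strlen() calls is worth adding unless every caller already rejects that input.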
......
--- Microsoft individual code signing data blob parser
---
--- Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
--- Written by David Howells (dhowells@redhat.com)
---
--- This program is free software; you can redistribute it and/or
--- modify it under the terms of the GNU General Public Licence
--- as published by the Free Software Foundation; either version
--- 2 of the Licence, or (at your option) any later version.
---
MSCode ::= SEQUENCE {
type SEQUENCE {
contentType ContentType,
parameters ANY
},
content SEQUENCE {
digestAlgorithm DigestAlgorithmIdentifier,
digest OCTET STRING ({ mscode_note_digest })
}
}
ContentType ::= OBJECT IDENTIFIER ({ mscode_note_content_type })
DigestAlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER ({ mscode_note_digest_algo }),
parameters ANY OPTIONAL
}
/* Parse a Microsoft Individual Code Signing blob
*
* Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public Licence
* as published by the Free Software Foundation; either version
* 2 of the Licence, or (at your option) any later version.
*/
#define pr_fmt(fmt) "MSCODE: "fmt
#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/err.h>
#include <linux/oid_registry.h>
#include <crypto/pkcs7.h>
#include "verify_pefile.h"
#include "mscode-asn1.h"
/*
* Parse a Microsoft Individual Code Signing blob
*/
int mscode_parse(struct pefile_context *ctx)
{
const void *content_data;
size_t data_len;
int ret;
ret = pkcs7_get_content_data(ctx->pkcs7, &content_data, &data_len, 1);
if (ret) {
pr_debug("PKCS#7 message does not contain data\n");
return ret;
}
pr_devel("Data: %zu [%*ph]\n", data_len, (unsigned)(data_len),
content_data);
return asn1_ber_decoder(&mscode_decoder, ctx, content_data, data_len);
}
/*
* Check the content type OID
*/
int mscode_note_content_type(void *context, size_t hdrlen,
unsigned char tag,
const void *value, size_t vlen)
{
enum OID oid;
oid = look_up_OID(value, vlen);
if (oid == OID__NR) {
char buffer[50];
sprint_oid(value, vlen, buffer, sizeof(buffer));
pr_err("Unknown OID: %s\n", buffer);
return -EBADMSG;
}
/*
* pesign utility had a bug where it was putting
* OID_msIndividualSPKeyPurpose instead of OID_msPeImageDataObjId
* So allow both OIDs.
*/
if (oid != OID_msPeImageDataObjId &&
oid != OID_msIndividualSPKeyPurpose) {
pr_err("Unexpected content type OID %u\n", oid);
return -EBADMSG;
}
return 0;
}
/*
* Note the digest algorithm OID
*/
int mscode_note_digest_algo(void *context, size_t hdrlen,
unsigned char tag,
const void *value, size_t vlen)
{
struct pefile_context *ctx = context;
char buffer[50];
enum OID oid;
oid = look_up_OID(value, vlen);
switch (oid) {
case OID_md4:
ctx->digest_algo = HASH_ALGO_MD4;
break;
case OID_md5:
ctx->digest_algo = HASH_ALGO_MD5;
break;
case OID_sha1:
ctx->digest_algo = HASH_ALGO_SHA1;
break;
case OID_sha256:
ctx->digest_algo = HASH_ALGO_SHA256;
break;
case OID__NR:
sprint_oid(value, vlen, buffer, sizeof(buffer));
pr_err("Unknown OID: %s\n", buffer);
return -EBADMSG;
default:
pr_err("Unsupported content type: %u\n", oid);
return -ENOPKG;
}
return 0;
}
/*
* Note the digest we're guaranteeing with this certificate
*/
int mscode_note_digest(void *context, size_t hdrlen,
unsigned char tag,
const void *value, size_t vlen)
{
struct pefile_context *ctx = context;
ctx->digest = value;
ctx->digest_len = vlen;
return 0;
}
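Review bot: mscode_note_digest_algo() accepts OID_md4 and OID_md5 and records them as the digest algorithm for the PE image, so a signed PE file whose content digest uses a hash with practical collisions passes this stage. If compatibility with older signing tools does not require them, those two cases can fall through to the `default:` branch and return -ENOPKG; otherwise a comment saying why they are kept would help. The message in that `default:` branch also says "content type" where it reports a digest algorithm OID; `pr_err("Unsupported digest algorithm: %u\n", oid);` would match what the function checks.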
PKCS7ContentInfo ::= SEQUENCE {
contentType ContentType,
content [0] EXPLICIT SignedData OPTIONAL
}
ContentType ::= OBJECT IDENTIFIER ({ pkcs7_note_OID })
SignedData ::= SEQUENCE {
version INTEGER,
digestAlgorithms DigestAlgorithmIdentifiers,
contentInfo ContentInfo,
certificates CHOICE {
certSet [0] IMPLICIT ExtendedCertificatesAndCertificates,
certSequence [2] IMPLICIT Certificates
} OPTIONAL ({ pkcs7_note_certificate_list }),
crls CHOICE {
crlSet [1] IMPLICIT CertificateRevocationLists,
crlSequence [3] IMPLICIT CRLSequence
} OPTIONAL,
signerInfos SignerInfos
}
ContentInfo ::= SEQUENCE {
contentType ContentType,
content [0] EXPLICIT Data OPTIONAL
}
Data ::= ANY ({ pkcs7_note_data })
DigestAlgorithmIdentifiers ::= CHOICE {
daSet SET OF DigestAlgorithmIdentifier,
daSequence SEQUENCE OF DigestAlgorithmIdentifier
}
DigestAlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER ({ pkcs7_note_OID }),
parameters ANY OPTIONAL
}
--
-- Certificates and certificate lists
--
ExtendedCertificatesAndCertificates ::= SET OF ExtendedCertificateOrCertificate
ExtendedCertificateOrCertificate ::= CHOICE {
certificate Certificate, -- X.509
extendedCertificate [0] IMPLICIT ExtendedCertificate -- PKCS#6
}
ExtendedCertificate ::= Certificate -- cheating
Certificates ::= SEQUENCE OF Certificate
CertificateRevocationLists ::= SET OF CertificateList
CertificateList ::= SEQUENCE OF Certificate -- This may be defined incorrectly
CRLSequence ::= SEQUENCE OF CertificateList
Certificate ::= ANY ({ pkcs7_extract_cert }) -- X.509
--
-- Signer information
--
SignerInfos ::= CHOICE {
siSet SET OF SignerInfo,
siSequence SEQUENCE OF SignerInfo
}
SignerInfo ::= SEQUENCE {
version INTEGER,
issuerAndSerialNumber IssuerAndSerialNumber,
digestAlgorithm DigestAlgorithmIdentifier ({ pkcs7_sig_note_digest_algo }),
authenticatedAttributes CHOICE {
aaSet [0] IMPLICIT SetOfAuthenticatedAttribute
({ pkcs7_sig_note_set_of_authattrs }),
aaSequence [2] EXPLICIT SEQUENCE OF AuthenticatedAttribute
-- Explicit because easier to compute digest on
-- sequence of attributes and then reuse encoded
-- sequence in aaSequence.
} OPTIONAL,
digestEncryptionAlgorithm
DigestEncryptionAlgorithmIdentifier ({ pkcs7_sig_note_pkey_algo }),
encryptedDigest EncryptedDigest,
unauthenticatedAttributes CHOICE {
uaSet [1] IMPLICIT SET OF UnauthenticatedAttribute,
uaSequence [3] IMPLICIT SEQUENCE OF UnauthenticatedAttribute
} OPTIONAL
} ({ pkcs7_note_signed_info })
IssuerAndSerialNumber ::= SEQUENCE {
issuer Name ({ pkcs7_sig_note_issuer }),
serialNumber CertificateSerialNumber ({ pkcs7_sig_note_serial })
}
CertificateSerialNumber ::= INTEGER
SetOfAuthenticatedAttribute ::= SET OF AuthenticatedAttribute
AuthenticatedAttribute ::= SEQUENCE {
type OBJECT IDENTIFIER ({ pkcs7_note_OID }),
values SET OF ANY ({ pkcs7_sig_note_authenticated_attr })
}
UnauthenticatedAttribute ::= SEQUENCE {
type OBJECT IDENTIFIER ({ pkcs7_note_OID }),
values SET OF ANY
}
DigestEncryptionAlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER ({ pkcs7_note_OID }),
parameters ANY OPTIONAL
}
EncryptedDigest ::= OCTET STRING ({ pkcs7_sig_note_signature })
---
--- X.500 Name
---
Name ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::= SET OF AttributeValueAssertion
AttributeValueAssertion ::= SEQUENCE {
attributeType OBJECT IDENTIFIER ({ pkcs7_note_OID }),
attributeValue ANY
}
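Review bot: The `crls` branch resolves through `CertificateList ::= SEQUENCE OF Certificate` to `Certificate`, which carries the `pkcs7_extract_cert` action, so the elements of a revocation list would be handed to the certificate extractor rather than skipped or handled as a CRL. The inline comment already doubts this definition, and pkcs7_parser.c is collapsed on this page, so whether the action copes with non-certificate data cannot be checked here. If CRLs are not meant to be processed yet, defining the list without an action (something like `CertificateList ::= ANY`) and saying so in a comment would keep untrusted CRL bytes away from the X.509 parsing path.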
/* Testing module to load key from trusted PKCS#7 message
*
* Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public Licence
* as published by the Free Software Foundation; either version
* 2 of the Licence, or (at your option) any later version.
*/
#define pr_fmt(fmt) "PKCS7key: "fmt
#include <linux/key.h>
#include <linux/key-type.h>
#include <crypto/pkcs7.h>
#include <keys/user-type.h>
#include <keys/system_keyring.h>
#include "pkcs7_parser.h"
/*
* Preparse a PKCS#7 wrapped and validated data blob.
*/
static int pkcs7_preparse(struct key_preparsed_payload *prep)
{
struct pkcs7_message *pkcs7;
const void *data, *saved_prep_data;
size_t datalen, saved_prep_datalen;
bool trusted;
int ret;
kenter("");
saved_prep_data = prep->data;
saved_prep_datalen = prep->datalen;
pkcs7 = pkcs7_parse_message(saved_prep_data, saved_prep_datalen);
if (IS_ERR(pkcs7)) {
ret = PTR_ERR(pkcs7);
goto error;
}
ret = pkcs7_verify(pkcs7);
if (ret < 0)
goto error_free;
ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
if (ret < 0)
goto error_free;
if (!trusted)
pr_warn("PKCS#7 message doesn't chain back to a trusted key\n");
ret = pkcs7_get_content_data(pkcs7, &data, &datalen, false);
if (ret < 0)
goto error_free;
prep->data = data;
prep->datalen = datalen;
ret = user_preparse(prep);
prep->data = saved_prep_data;
prep->datalen = saved_prep_datalen;
error_free:
pkcs7_free_message(pkcs7);
error:
kleave(" = %d", ret);
return ret;
}
/*
* user defined keys take an arbitrary string as the description and an
* arbitrary blob of data as the payload
*/
struct key_type key_type_pkcs7 = {
.name = "pkcs7_test",
.def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
.preparse = pkcs7_preparse,
.free_preparse = user_free_preparse,
.instantiate = generic_key_instantiate,
.match = user_match,
.revoke = user_revoke,
.destroy = user_destroy,
.describe = user_describe,
.read = user_read,
};
/*
* Module stuff
*/
static int __init pkcs7_key_init(void)
{
return register_key_type(&key_type_pkcs7);
}
static void __exit pkcs7_key_cleanup(void)
{
unregister_key_type(&key_type_pkcs7);
}
module_init(pkcs7_key_init);
module_exit(pkcs7_key_cleanup);
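Review bot: `bool trusted;` in pkcs7_preparse() has no initialiser, and pkcs7_validate_trust() (added in the trust-chain file of this same commit) only does `*_trusted |= sinfo->trusted;`, so the `if (!trusted)` test reads an indeterminate value and can see "trusted" without any signer having been trusted. Declaring it as `bool trusted = false;`, or having pkcs7_validate_trust() store `*_trusted = false;` on entry, removes that. The untrusted case also only logs a warning and continues into user_preparse(), while the PKCS7_TEST_KEY help text says adding the key fails when the message is not signed by a trusted key; if the help text is the intended contract, the branch needs something like `ret = -ENOKEY; goto error_free;`. The comment above key_type_pkcs7 still describes user-defined keys and could say what this type is for.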
/* PKCS#7 crypto data parser internal definitions
*
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public Licence
* as published by the Free Software Foundation; either version
* 2 of the Licence, or (at your option) any later version.
*/
#include <linux/oid_registry.h>
#include <crypto/pkcs7.h>
#include "x509_parser.h"
#define kenter(FMT, ...) \
pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
#define kleave(FMT, ...) \
pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
struct pkcs7_signed_info {
struct pkcs7_signed_info *next;
struct x509_certificate *signer; /* Signing certificate (in msg->certs) */
unsigned index;
bool trusted;
/* Message digest - the digest of the Content Data (or NULL) */
const void *msgdigest;
unsigned msgdigest_len;
/* Authenticated Attribute data (or NULL) */
unsigned authattrs_len;
const void *authattrs;
/* Issuing cert serial number and issuer's name */
const void *raw_serial;
unsigned raw_serial_size;
unsigned raw_issuer_size;
const void *raw_issuer;
/* Message signature.
*
* This contains the generated digest of _either_ the Content Data or
* the Authenticated Attributes [RFC2315 9.3]. If the latter, one of
* the attributes contains the digest of the the Content Data within
* it.
*/
struct public_key_signature sig;
};
struct pkcs7_message {
struct x509_certificate *certs; /* Certificate list */
struct x509_certificate *crl; /* Revocation list */
struct pkcs7_signed_info *signed_infos;
/* Content Data (or NULL) */
enum OID data_type; /* Type of Data */
size_t data_len; /* Length of Data */
size_t data_hdrlen; /* Length of Data ASN.1 header */
const void *data; /* Content Data (or 0) */
};
/* Validate the trust chain of a PKCS#7 message.
*
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public Licence
* as published by the Free Software Foundation; either version
* 2 of the Licence, or (at your option) any later version.
*/
#define pr_fmt(fmt) "PKCS7: "fmt
#include <linux/kernel.h>
#include <linux/export.h>
#include <linux/slab.h>
#include <linux/err.h>
#include <linux/asn1.h>
#include <linux/key.h>
#include <keys/asymmetric-type.h>
#include "public_key.h"
#include "pkcs7_parser.h"
/*
* Request an asymmetric key.
*/
static struct key *pkcs7_request_asymmetric_key(
struct key *keyring,
const char *signer, size_t signer_len,
const char *authority, size_t auth_len)
{
key_ref_t key;
char *id;
kenter(",%zu,,%zu", signer_len, auth_len);
/* Construct an identifier. */
id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL);
if (!id)
return ERR_PTR(-ENOMEM);
memcpy(id, signer, signer_len);
id[signer_len + 0] = ':';
id[signer_len + 1] = ' ';
memcpy(id + signer_len + 2, authority, auth_len);
id[signer_len + 2 + auth_len] = 0;
pr_debug("Look up: \"%s\"\n", id);
key = keyring_search(make_key_ref(keyring, 1),
&key_type_asymmetric, id);
if (IS_ERR(key))
pr_debug("Request for module key '%s' err %ld\n",
id, PTR_ERR(key));
kfree(id);
if (IS_ERR(key)) {
switch (PTR_ERR(key)) {
/* Hide some search errors */
case -EACCES:
case -ENOTDIR:
case -EAGAIN:
return ERR_PTR(-ENOKEY);
default:
return ERR_CAST(key);
}
}
pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key_ref_to_ptr(key)));
return key_ref_to_ptr(key);
}
/**
* Check the trust on one PKCS#7 SignedInfo block.
*/
int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
struct pkcs7_signed_info *sinfo,
struct key *trust_keyring)
{
struct public_key_signature *sig = &sinfo->sig;
struct x509_certificate *x509, *last = NULL, *p;
struct key *key;
bool trusted;
int ret;
kenter(",%u,", sinfo->index);
for (x509 = sinfo->signer; x509; x509 = x509->signer) {
if (x509->seen) {
if (x509->verified) {
trusted = x509->trusted;
goto verified;
}
kleave(" = -ENOKEY [cached]");
return -ENOKEY;
}
x509->seen = true;
/* Look to see if this certificate is present in the trusted
* keys.
*/
key = pkcs7_request_asymmetric_key(
trust_keyring,
x509->subject, strlen(x509->subject),
x509->fingerprint, strlen(x509->fingerprint));
if (!IS_ERR(key))
/* One of the X.509 certificates in the PKCS#7 message
* is apparently the same as one we already trust.
* Verify that the trusted variant can also validate
* the signature on the descendant.
*/
goto matched;
if (key == ERR_PTR(-ENOMEM))
return -ENOMEM;
/* Self-signed certificates form roots of their own, and if we
* don't know them, then we can't accept them.
*/
if (x509->next == x509) {
kleave(" = -ENOKEY [unknown self-signed]");
return -ENOKEY;
}
might_sleep();
last = x509;
sig = &last->sig;
}
/* No match - see if the root certificate has a signer amongst the
* trusted keys.
*/
if (!last || !last->issuer || !last->authority) {
kleave(" = -ENOKEY [no backref]");
return -ENOKEY;
}
key = pkcs7_request_asymmetric_key(
trust_keyring,
last->issuer, strlen(last->issuer),
last->authority, strlen(last->authority));
if (IS_ERR(key))
return PTR_ERR(key) == -ENOMEM ? -ENOMEM : -ENOKEY;
x509 = last;
matched:
ret = verify_signature(key, sig);
trusted = test_bit(KEY_FLAG_TRUSTED, &key->flags);
key_put(key);
if (ret < 0) {
if (ret == -ENOMEM)
return ret;
kleave(" = -EKEYREJECTED [verify %d]", ret);
return -EKEYREJECTED;
}
verified:
x509->verified = true;
for (p = sinfo->signer; p != x509; p = p->signer) {
p->verified = true;
p->trusted = trusted;
}
sinfo->trusted = trusted;
kleave(" = 0");
return 0;
}
/**
* pkcs7_validate_trust - Validate PKCS#7 trust chain
* @pkcs7: The PKCS#7 certificate to validate
* @trust_keyring: Signing certificates to use as starting points
* @_trusted: Set to true if trustworth, false otherwise
*
* Validate that the certificate chain inside the PKCS#7 message intersects
* keys we already know and trust.
*
* Returns, in order of descending priority:
*
* (*) -EKEYREJECTED if a signature failed to match for which we have a valid
* key, or:
*
* (*) 0 if at least one signature chain intersects with the keys in the trust
* keyring, or:
*
* (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a
* chain.
*
* (*) -ENOKEY if we couldn't find a match for any of the signature chains in
* the message.
*
* May also return -ENOMEM.
*/
int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
struct key *trust_keyring,
bool *_trusted)
{
struct pkcs7_signed_info *sinfo;
struct x509_certificate *p;
int cached_ret = 0, ret;
for (p = pkcs7->certs; p; p = p->next)
p->seen = false;
for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring);
if (ret < 0) {
if (ret == -ENOPKG) {
cached_ret = -ENOPKG;
} else if (ret == -ENOKEY) {
if (cached_ret == 0)
cached_ret = -ENOKEY;
} else {
return ret;
}
}
*_trusted |= sinfo->trusted;
}
return cached_ret;
}
EXPORT_SYMBOL_GPL(pkcs7_validate_trust);
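Review bot: The unknown-self-signed test in pkcs7_validate_trust_one() compares `x509->next == x509`, but `next` is the link used to walk `pkcs7->certs` in pkcs7_validate_trust(), while the chain followed in this loop is `x509->signer`; a list link pointing at its own node looks unreachable, so this early exit probably never fires. If a self-signed certificate is marked by `signer` pointing at itself (the x509_certificate definition is not visible here), the test should read `if (x509->signer == x509) {`. As written, such a certificate appears to be rejected only on the next iteration through the `seen` check, with the "[cached]" trace instead of the "[unknown self-signed]" one, so the result is the same but the stated intent is not what executes.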
/* Verify the signature on a PKCS#7 message.
*
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public Licence
* as published by the Free Software Foundation; either version
* 2 of the Licence, or (at your option) any later version.
*/
#define pr_fmt(fmt) "PKCS7: "fmt
#include <linux/kernel.h>
#include <linux/export.h>
#include <linux/slab.h>
#include <linux/err.h>
#include <linux/asn1.h>
#include <crypto/hash.h>
#include "public_key.h"
#include "pkcs7_parser.h"
/*
* Digest the relevant parts of the PKCS#7 data
*/
static int pkcs7_digest(struct pkcs7_message *pkcs7,
struct pkcs7_signed_info *sinfo)
{
struct crypto_shash *tfm;
struct shash_desc *desc;
size_t digest_size, desc_size;
void *digest;
int ret;
kenter(",%u,%u", sinfo->index, sinfo->sig.pkey_hash_algo);
if (sinfo->sig.pkey_hash_algo >= PKEY_HASH__LAST ||
!hash_algo_name[sinfo->sig.pkey_hash_algo])
return -ENOPKG;
/* Allocate the hashing algorithm we're going to need and find out how
* big the hash operational data will be.
*/
tfm = crypto_alloc_shash(hash_algo_name[sinfo->sig.pkey_hash_algo],
0, 0);
if (IS_ERR(tfm))
return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm);
desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
sinfo->sig.digest_size = digest_size = crypto_shash_digestsize(tfm);
ret = -ENOMEM;
digest = kzalloc(digest_size + desc_size, GFP_KERNEL);
if (!digest)
goto error_no_desc;
desc = digest + digest_size;
desc->tfm = tfm;
desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
/* Digest the message [RFC2315 9.3] */
ret = crypto_shash_init(desc);
if (ret < 0)
goto error;
ret = crypto_shash_finup(desc, pkcs7->data, pkcs7->data_len, digest);
if (ret < 0)
goto error;
pr_devel("MsgDigest = [%*ph]\n", 8, digest);
/* However, if there are authenticated attributes, there must be a
* message digest attribute amongst them which corresponds to the
* digest we just calculated.
*/
if (sinfo->msgdigest) {
u8 tag;
if (sinfo->msgdigest_len != sinfo->sig.digest_size) {
pr_debug("Sig %u: Invalid digest size (%u)\n",
sinfo->index, sinfo->msgdigest_len);
ret = -EBADMSG;
goto error;
}
if (memcmp(digest, sinfo->msgdigest, sinfo->msgdigest_len) != 0) {
pr_debug("Sig %u: Message digest doesn't match\n",
sinfo->index);
ret = -EKEYREJECTED;
goto error;
}
/* We then calculate anew, using the authenticated attributes
* as the contents of the digest instead. Note that we need to
* convert the attributes from a CONT.0 into a SET before we
* hash it.
*/
memset(digest, 0, sinfo->sig.digest_size);
ret = crypto_shash_init(desc);
if (ret < 0)
goto error;
tag = ASN1_CONS_BIT | ASN1_SET;
ret = crypto_shash_update(desc, &tag, 1);
if (ret < 0)
goto error;
ret = crypto_shash_finup(desc, sinfo->authattrs,
sinfo->authattrs_len, digest);
if (ret < 0)
goto error;
pr_devel("AADigest = [%*ph]\n", 8, digest);
}
sinfo->sig.digest = digest;
digest = NULL;
error:
kfree(digest);
error_no_desc:
crypto_free_shash(tfm);
kleave(" = %d", ret);
return ret;
}
/*
* Find the key (X.509 certificate) to use to verify a PKCS#7 message. PKCS#7
* uses the issuer's name and the issuing certificate serial number for
* matching purposes. These must match the certificate issuer's name (not
* subject's name) and the certificate serial number [RFC 2315 6.7].
*/
static int pkcs7_find_key(struct pkcs7_message *pkcs7,
struct pkcs7_signed_info *sinfo)
{
struct x509_certificate *x509;
unsigned certix = 1;
kenter("%u,%u,%u",
sinfo->index, sinfo->raw_serial_size, sinfo->raw_issuer_size);
for (x509 = pkcs7->certs; x509; x509 = x509->next, certix++) {
/* I'm _assuming_ that the generator of the PKCS#7 message will
* encode the fields from the X.509 cert in the same way in the
* PKCS#7 message - but I can't be 100% sure of that. It's
* possible this will need element-by-element comparison.
*/
if (x509->raw_serial_size != sinfo->raw_serial_size ||
memcmp(x509->raw_serial, sinfo->raw_serial,
sinfo->raw_serial_size) != 0)
continue;
pr_devel("Sig %u: Found cert serial match X.509[%u]\n",
sinfo->index, certix);
if (x509->raw_issuer_size != sinfo->raw_issuer_size ||
memcmp(x509->raw_issuer, sinfo->raw_issuer,
sinfo->raw_issuer_size) != 0) {
pr_warn("Sig %u: X.509 subject and PKCS#7 issuer don't match\n",
sinfo->index);
continue;
}
if (x509->pub->pkey_algo != sinfo->sig.pkey_algo) {
pr_warn("Sig %u: X.509 algo and PKCS#7 sig algo don't match\n",
sinfo->index);
continue;
}
sinfo->signer = x509;
return 0;
}
pr_warn("Sig %u: Issuing X.509 cert not found (#%*ph)\n",
sinfo->index, sinfo->raw_serial_size, sinfo->raw_serial);
return -ENOKEY;
}
/*
* Verify the internal certificate chain as best we can.
*/
static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
struct pkcs7_signed_info *sinfo)
{
struct x509_certificate *x509 = sinfo->signer, *p;
int ret;
kenter("");
for (p = pkcs7->certs; p; p = p->next)
p->seen = false;
for (;;) {
pr_debug("verify %s: %s\n", x509->subject, x509->fingerprint);
x509->seen = true;
ret = x509_get_sig_params(x509);
if (ret < 0)
return ret;
if (x509->issuer)
pr_debug("- issuer %s\n", x509->issuer);
if (x509->authority)
pr_debug("- authkeyid %s\n", x509->authority);
if (!x509->authority ||
(x509->subject &&
strcmp(x509->subject, x509->issuer) == 0)) {
/* If there's no authority certificate specified, then
* the certificate must be self-signed and is the root
* of the chain. Likewise if the cert is its own
* authority.
*/
pr_debug("- no auth?\n");
if (x509->raw_subject_size != x509->raw_issuer_size ||
memcmp(x509->raw_subject, x509->raw_issuer,
x509->raw_issuer_size) != 0)
return 0;
ret = x509_check_signature(x509->pub, x509);
if (ret < 0)
return ret;
x509->signer = x509;
pr_debug("- self-signed\n");
return 0;
}
/* Look through the X.509 certificates in the PKCS#7 message's
* list to see if the next one is there.
*/
pr_debug("- want %s\n", x509->authority);
for (p = pkcs7->certs; p; p = p->next) {
pr_debug("- cmp [%u] %s\n", p->index, p->fingerprint);
if (p->raw_subject_size == x509->raw_issuer_size &&
strcmp(p->fingerprint, x509->authority) == 0 &&
memcmp(p->raw_subject, x509->raw_issuer,
x509->raw_issuer_size) == 0)
goto found_issuer;
}
/* We didn't find the root of this chain */
pr_debug("- top\n");
return 0;
found_issuer:
pr_debug("- issuer %s\n", p->subject);
if (p->seen) {
pr_warn("Sig %u: X.509 chain contains loop\n",
sinfo->index);
return 0;
}
ret = x509_check_signature(p->pub, x509);
if (ret < 0)
return ret;
x509->signer = p;
if (x509 == p) {
pr_debug("- self-signed\n");
return 0;
}
x509 = p;
might_sleep();
}
}
/*
* Verify one signed information block from a PKCS#7 message.
*/
static int pkcs7_verify_one(struct pkcs7_message *pkcs7,
struct pkcs7_signed_info *sinfo)
{
int ret;
kenter(",%u", sinfo->index);
/* First of all, digest the data in the PKCS#7 message and the
* signed information block
*/
ret = pkcs7_digest(pkcs7, sinfo);
if (ret < 0)
return ret;
/* Find the key for the signature */
ret = pkcs7_find_key(pkcs7, sinfo);
if (ret < 0)
return ret;
pr_devel("Using X.509[%u] for sig %u\n",
sinfo->signer->index, sinfo->index);
/* Verify the PKCS#7 binary against the key */
ret = public_key_verify_signature(sinfo->signer->pub, &sinfo->sig);
if (ret < 0)
return ret;
pr_devel("Verified signature %u\n", sinfo->index);
/* Verify the internal certificate chain */
return pkcs7_verify_sig_chain(pkcs7, sinfo);
}
/**
* pkcs7_verify - Verify a PKCS#7 message
* @pkcs7: The PKCS#7 message to be verified
*/
int pkcs7_verify(struct pkcs7_message *pkcs7)
{
struct pkcs7_signed_info *sinfo;
struct x509_certificate *x509;
int ret, n;
kenter("");
for (n = 0, x509 = pkcs7->certs; x509; x509 = x509->next, n++) {
ret = x509_get_sig_params(x509);
if (ret < 0)
return ret;
pr_debug("X.509[%u] %s\n", n, x509->authority);
}
for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
ret = pkcs7_verify_one(pkcs7, sinfo);
if (ret < 0) {
kleave(" = %d", ret);
return ret;
}
}
kleave(" = 0");
return 0;
}
EXPORT_SYMBOL_GPL(pkcs7_verify);
/* PE Binary parser bits
*
* Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public Licence
* as published by the Free Software Foundation; either version
* 2 of the Licence, or (at your option) any later version.
*/
#include <linux/verify_pefile.h>
#include <crypto/pkcs7.h>
#include <crypto/hash_info.h>
struct pefile_context {
unsigned header_size;
unsigned image_checksum_offset;
unsigned cert_dirent_offset;
unsigned n_data_dirents;
unsigned n_sections;
unsigned certs_size;
unsigned sig_offset;
unsigned sig_len;
const struct section_header *secs;
struct pkcs7_message *pkcs7;
/* PKCS#7 MS Individual Code Signing content */
const void *digest; /* Digest */
unsigned digest_len; /* Digest length */
enum hash_algo digest_algo; /* Digest algorithm */
};
#define kenter(FMT, ...) \
pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
#define kleave(FMT, ...) \
pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
/*
* mscode_parser.c
*/
extern int mscode_parse(struct pefile_context *ctx);
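Review bot: This header has no include guard and says nothing about where the `pefile_context` values come from. Wrapping it in `#ifndef _PEFILE_PARSER_H` / `#define _PEFILE_PARSER_H` / `#endif` keeps the struct and the `kenter`/`kleave` macros from being defined twice in one translation unit. The offset and length members (`header_size`, `cert_dirent_offset`, `sig_offset`, `sig_len`, `certs_size`) look like they are filled from the PE image under verification, so a comment above them would help, e.g. `/* Offsets and sizes below come from the (untrusted) image; bounds-check against the buffer length before use */`. The parser that sets them is collapsed on this page, so that provenance is an assumption to confirm.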
...@@ -6,7 +6,7 @@ Certificate ::= SEQUENCE { ...@@ -6,7 +6,7 @@ Certificate ::= SEQUENCE {
TBSCertificate ::= SEQUENCE { TBSCertificate ::= SEQUENCE {
version [ 0 ] Version DEFAULT, version [ 0 ] Version DEFAULT,
serialNumber CertificateSerialNumber, serialNumber CertificateSerialNumber ({ x509_note_serial }),
signature AlgorithmIdentifier ({ x509_note_pkey_algo }), signature AlgorithmIdentifier ({ x509_note_pkey_algo }),
issuer Name ({ x509_note_issuer }), issuer Name ({ x509_note_issuer }),
validity Validity, validity Validity,
......
...@@ -11,6 +11,7 @@ ...@@ -11,6 +11,7 @@
#define pr_fmt(fmt) "X.509: "fmt #define pr_fmt(fmt) "X.509: "fmt
#include <linux/kernel.h> #include <linux/kernel.h>
#include <linux/export.h>
#include <linux/slab.h> #include <linux/slab.h>
#include <linux/err.h> #include <linux/err.h>
#include <linux/oid_registry.h> #include <linux/oid_registry.h>
...@@ -52,6 +53,7 @@ void x509_free_certificate(struct x509_certificate *cert) ...@@ -52,6 +53,7 @@ void x509_free_certificate(struct x509_certificate *cert)
kfree(cert); kfree(cert);
} }
} }
EXPORT_SYMBOL_GPL(x509_free_certificate);
/* /*
* Parse an X.509 certificate * Parse an X.509 certificate
...@@ -97,6 +99,7 @@ struct x509_certificate *x509_cert_parse(const void *data, size_t datalen) ...@@ -97,6 +99,7 @@ struct x509_certificate *x509_cert_parse(const void *data, size_t datalen)
error_no_cert: error_no_cert:
return ERR_PTR(ret); return ERR_PTR(ret);
} }
EXPORT_SYMBOL_GPL(x509_cert_parse);
/* /*
* Note an OID when we find one for later processing when we know how * Note an OID when we find one for later processing when we know how
...@@ -210,6 +213,19 @@ int x509_note_signature(void *context, size_t hdrlen, ...@@ -210,6 +213,19 @@ int x509_note_signature(void *context, size_t hdrlen,
return 0; return 0;
} }
/*
* Note the certificate serial number
*/
int x509_note_serial(void *context, size_t hdrlen,
unsigned char tag,
const void *value, size_t vlen)
{
struct x509_parse_context *ctx = context;
ctx->cert->raw_serial = value;
ctx->cert->raw_serial_size = vlen;
return 0;
}
/* /*
* Note some of the name segments from which we'll fabricate a name. * Note some of the name segments from which we'll fabricate a name.
*/ */
...@@ -322,6 +338,8 @@ int x509_note_issuer(void *context, size_t hdrlen, ...@@ -322,6 +338,8 @@ int x509_note_issuer(void *context, size_t hdrlen,
const void *value, size_t vlen) const void *value, size_t vlen)
{ {
struct x509_parse_context *ctx = context; struct x509_parse_context *ctx = context;
ctx->cert->raw_issuer = value;
ctx->cert->raw_issuer_size = vlen;
return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->issuer, vlen); return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->issuer, vlen);
} }
...@@ -330,6 +348,8 @@ int x509_note_subject(void *context, size_t hdrlen, ...@@ -330,6 +348,8 @@ int x509_note_subject(void *context, size_t hdrlen,
const void *value, size_t vlen) const void *value, size_t vlen)
{ {
struct x509_parse_context *ctx = context; struct x509_parse_context *ctx = context;
ctx->cert->raw_subject = value;
ctx->cert->raw_subject_size = vlen;
return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->subject, vlen); return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->subject, vlen);
} }
......
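Review bot: `x509_note_serial()` and the lines added to `x509_note_issuer()` and `x509_note_subject()` store `value` in the certificate without copying it, so `raw_serial`, `raw_issuer` and `raw_subject` appear to point into the blob handed to the parser. With `x509_cert_parse()` now exported, that lifetime rule should be written at the function, for example `/* The returned certificate keeps pointers into @data; the caller must keep that buffer alive until x509_free_certificate(). */`. `vlen` is a `size_t` but is assigned to size members the struct declares as `unsigned`, which deserves a remark or a range check if oversized blobs can ever reach the parser. The bodies of `x509_cert_parse()` and `x509_free_certificate()` start outside these hunks.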
...@@ -14,7 +14,9 @@ ...@@ -14,7 +14,9 @@
struct x509_certificate { struct x509_certificate {
struct x509_certificate *next; struct x509_certificate *next;
struct x509_certificate *signer; /* Certificate that signed this one */
struct public_key *pub; /* Public key details */ struct public_key *pub; /* Public key details */
struct public_key_signature sig; /* Signature parameters */
char *issuer; /* Name of certificate issuer */ char *issuer; /* Name of certificate issuer */
char *subject; /* Name of certificate subject */ char *subject; /* Name of certificate subject */
char *fingerprint; /* Key fingerprint as hex */ char *fingerprint; /* Key fingerprint as hex */
...@@ -25,7 +27,16 @@ struct x509_certificate { ...@@ -25,7 +27,16 @@ struct x509_certificate {
unsigned tbs_size; /* Size of signed data */ unsigned tbs_size; /* Size of signed data */
unsigned raw_sig_size; /* Size of sigature */ unsigned raw_sig_size; /* Size of sigature */
const void *raw_sig; /* Signature data */ const void *raw_sig; /* Signature data */
struct public_key_signature sig; /* Signature parameters */ const void *raw_serial; /* Raw serial number in ASN.1 */
unsigned raw_serial_size;
unsigned raw_issuer_size;
const void *raw_issuer; /* Raw issuer name in ASN.1 */
const void *raw_subject; /* Raw subject name in ASN.1 */
unsigned raw_subject_size;
unsigned index;
bool seen; /* Infinite recursion prevention */
bool verified;
bool trusted;
}; };
/* /*
......
...@@ -18,11 +18,80 @@ ...@@ -18,11 +18,80 @@
#include <linux/asn1_decoder.h> #include <linux/asn1_decoder.h>
#include <keys/asymmetric-subtype.h> #include <keys/asymmetric-subtype.h>
#include <keys/asymmetric-parser.h> #include <keys/asymmetric-parser.h>
#include <keys/system_keyring.h>
#include <crypto/hash.h> #include <crypto/hash.h>
#include "asymmetric_keys.h" #include "asymmetric_keys.h"
#include "public_key.h" #include "public_key.h"
#include "x509_parser.h" #include "x509_parser.h"
static bool use_builtin_keys;
static char *ca_keyid;
#ifndef MODULE
static int __init ca_keys_setup(char *str)
{
if (!str) /* default system keyring */
return 1;
if (strncmp(str, "id:", 3) == 0)
ca_keyid = str; /* owner key 'id:xxxxxx' */
else if (strcmp(str, "builtin") == 0)
use_builtin_keys = true;
return 1;
}
__setup("ca_keys=", ca_keys_setup);
#endif
/*
* Find a key in the given keyring by issuer and authority.
*/
static struct key *x509_request_asymmetric_key(struct key *keyring,
const char *signer,
size_t signer_len,
const char *authority,
size_t auth_len)
{
key_ref_t key;
char *id;
/* Construct an identifier. */
id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL);
if (!id)
return ERR_PTR(-ENOMEM);
memcpy(id, signer, signer_len);
id[signer_len + 0] = ':';
id[signer_len + 1] = ' ';
memcpy(id + signer_len + 2, authority, auth_len);
id[signer_len + 2 + auth_len] = 0;
pr_debug("Look up: \"%s\"\n", id);
key = keyring_search(make_key_ref(keyring, 1),
&key_type_asymmetric, id);
if (IS_ERR(key))
pr_debug("Request for module key '%s' err %ld\n",
id, PTR_ERR(key));
kfree(id);
if (IS_ERR(key)) {
switch (PTR_ERR(key)) {
/* Hide some search errors */
case -EACCES:
case -ENOTDIR:
case -EAGAIN:
return ERR_PTR(-ENOKEY);
default:
return ERR_CAST(key);
}
}
pr_devel("<==%s() = 0 [%x]\n", __func__,
key_serial(key_ref_to_ptr(key)));
return key_ref_to_ptr(key);
}
/* /*
* Set up the signature parameters in an X.509 certificate. This involves * Set up the signature parameters in an X.509 certificate. This involves
* digesting the signed data and extracting the signature. * digesting the signed data and extracting the signature.
...@@ -102,6 +171,40 @@ int x509_check_signature(const struct public_key *pub, ...@@ -102,6 +171,40 @@ int x509_check_signature(const struct public_key *pub,
} }
EXPORT_SYMBOL_GPL(x509_check_signature); EXPORT_SYMBOL_GPL(x509_check_signature);
/*
* Check the new certificate against the ones in the trust keyring. If one of
* those is the signing key and validates the new certificate, then mark the
* new certificate as being trusted.
*
* Return 0 if the new certificate was successfully validated, 1 if we couldn't
* find a matching parent certificate in the trusted list and an error if there
* is a matching certificate but the signature check fails.
*/
static int x509_validate_trust(struct x509_certificate *cert,
struct key *trust_keyring)
{
struct key *key;
int ret = 1;
if (!trust_keyring)
return -EOPNOTSUPP;
if (ca_keyid && !asymmetric_keyid_match(cert->authority, ca_keyid))
return -EPERM;
key = x509_request_asymmetric_key(trust_keyring,
cert->issuer, strlen(cert->issuer),
cert->authority,
strlen(cert->authority));
if (!IS_ERR(key)) {
if (!use_builtin_keys
|| test_bit(KEY_FLAG_BUILTIN, &key->flags))
ret = x509_check_signature(key->payload.data, cert);
key_put(key);
}
return ret;
}
/* /*
* Attempt to parse a data blob for a key as an X509 certificate. * Attempt to parse a data blob for a key as an X509 certificate.
*/ */
...@@ -155,9 +258,13 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) ...@@ -155,9 +258,13 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
/* Check the signature on the key if it appears to be self-signed */ /* Check the signature on the key if it appears to be self-signed */
if (!cert->authority || if (!cert->authority ||
strcmp(cert->fingerprint, cert->authority) == 0) { strcmp(cert->fingerprint, cert->authority) == 0) {
ret = x509_check_signature(cert->pub, cert); ret = x509_check_signature(cert->pub, cert); /* self-signed */
if (ret < 0) if (ret < 0)
goto error_free_cert; goto error_free_cert;
} else if (!prep->trusted) {
ret = x509_validate_trust(cert, get_system_trusted_keyring());
if (!ret)
prep->trusted = 1;
} }
/* Propose a description */ /* Propose a description */
...@@ -177,7 +284,7 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) ...@@ -177,7 +284,7 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
__module_get(public_key_subtype.owner); __module_get(public_key_subtype.owner);
prep->type_data[0] = &public_key_subtype; prep->type_data[0] = &public_key_subtype;
prep->type_data[1] = cert->fingerprint; prep->type_data[1] = cert->fingerprint;
prep->payload = cert->pub; prep->payload[0] = cert->pub;
prep->description = desc; prep->description = desc;
prep->quotalen = 100; prep->quotalen = 100;
......
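Review bot: `ca_keys_setup()` accepts any string: a value that is neither `id:<keyid>` nor `builtin` leaves both `ca_keyid` and `use_builtin_keys` unset and still returns 1. A mistyped `ca_keys=` therefore silently falls back to accepting every key on the system trusted keyring as a CA. An extra branch, `else pr_warn("ca_keys: unrecognised value '%s' ignored\n", str);`, would make that misconfiguration visible at boot. In `x509_key_preparse()` the negative results of `x509_validate_trust()` (`-EPERM`, `-EOPNOTSUPP`, a failed signature check) are not acted on; testing only `!ret` is fail-closed for `prep->trusted`, but a comment such as `/* any error here just leaves the key untrusted */` would record that this is deliberate. The rest of `x509_key_preparse()` lies outside the hunk, so whether `ret` is reset before the function returns cannot be seen here.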
...@@ -174,7 +174,9 @@ static int nfs_map_numeric_to_string(__u32 id, char *buf, size_t buflen) ...@@ -174,7 +174,9 @@ static int nfs_map_numeric_to_string(__u32 id, char *buf, size_t buflen)
static struct key_type key_type_id_resolver = { static struct key_type key_type_id_resolver = {
.name = "id_resolver", .name = "id_resolver",
.instantiate = user_instantiate, .preparse = user_preparse,
.free_preparse = user_free_preparse,
.instantiate = generic_key_instantiate,
.match = user_match, .match = user_match,
.revoke = user_revoke, .revoke = user_revoke,
.destroy = user_destroy, .destroy = user_destroy,
...@@ -282,6 +284,8 @@ static struct key *nfs_idmap_request_key(const char *name, size_t namelen, ...@@ -282,6 +284,8 @@ static struct key *nfs_idmap_request_key(const char *name, size_t namelen,
desc, "", 0, idmap); desc, "", 0, idmap);
mutex_unlock(&idmap->idmap_mutex); mutex_unlock(&idmap->idmap_mutex);
} }
if (!IS_ERR(rkey))
set_bit(KEY_FLAG_ROOT_CAN_INVAL, &rkey->flags);
kfree(desc); kfree(desc);
return rkey; return rkey;
...@@ -394,7 +398,9 @@ static const struct rpc_pipe_ops idmap_upcall_ops = { ...@@ -394,7 +398,9 @@ static const struct rpc_pipe_ops idmap_upcall_ops = {
static struct key_type key_type_id_resolver_legacy = { static struct key_type key_type_id_resolver_legacy = {
.name = "id_legacy", .name = "id_legacy",
.instantiate = user_instantiate, .preparse = user_preparse,
.free_preparse = user_free_preparse,
.instantiate = generic_key_instantiate,
.match = user_match, .match = user_match,
.revoke = user_revoke, .revoke = user_revoke,
.destroy = user_destroy, .destroy = user_destroy,
......
/* PKCS#7 crypto data parser
*
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public Licence
* as published by the Free Software Foundation; either version
* 2 of the Licence, or (at your option) any later version.
*/
struct key;
struct pkcs7_message;
/*
* pkcs7_parser.c
*/
extern struct pkcs7_message *pkcs7_parse_message(const void *data,
size_t datalen);
extern void pkcs7_free_message(struct pkcs7_message *pkcs7);
extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
const void **_data, size_t *_datalen,
bool want_wrapper);
/*
* pkcs7_trust.c
*/
extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
struct key *trust_keyring,
bool *_trusted);
/*
* pkcs7_verify.c
*/
extern int pkcs7_verify(struct pkcs7_message *pkcs7);
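Review bot: The declaration of `pkcs7_verify()` needs a comment saying that a zero return does not establish trust. In `pkcs7_verify_sig_chain()` on this page the chain walk returns 0 when a certificate's issuer is not in the message (`/* We didn't find the root of this chain */`), when a loop is detected, and when it reaches a self-signed certificate, so a message signed with an arbitrary self-issued key verifies. Suggested comment: `/* Checks internal consistency only; call pkcs7_validate_trust() and test *_trusted before relying on the signer. */`. The header also uses `bool` and `size_t` without including `<linux/types.h>` and has no include guard.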
...@@ -16,7 +16,8 @@ ...@@ -16,7 +16,8 @@
extern struct key_type key_type_big_key; extern struct key_type key_type_big_key;
extern int big_key_instantiate(struct key *key, struct key_preparsed_payload *prep); extern int big_key_preparse(struct key_preparsed_payload *prep);
extern void big_key_free_preparse(struct key_preparsed_payload *prep);
extern void big_key_revoke(struct key *key); extern void big_key_revoke(struct key *key);
extern void big_key_destroy(struct key *key); extern void big_key_destroy(struct key *key);
extern void big_key_describe(const struct key *big_key, struct seq_file *m); extern void big_key_describe(const struct key *big_key, struct seq_file *m);
......
...@@ -17,7 +17,15 @@ ...@@ -17,7 +17,15 @@
#include <linux/key.h> #include <linux/key.h>
extern struct key *system_trusted_keyring; extern struct key *system_trusted_keyring;
static inline struct key *get_system_trusted_keyring(void)
{
return system_trusted_keyring;
}
#else
static inline struct key *get_system_trusted_keyring(void)
{
return NULL;
}
#endif #endif
#endif /* _KEYS_SYSTEM_KEYRING_H */ #endif /* _KEYS_SYSTEM_KEYRING_H */
...@@ -37,7 +37,8 @@ extern struct key_type key_type_logon; ...@@ -37,7 +37,8 @@ extern struct key_type key_type_logon;
struct key_preparsed_payload; struct key_preparsed_payload;
extern int user_instantiate(struct key *key, struct key_preparsed_payload *prep); extern int user_preparse(struct key_preparsed_payload *prep);
extern void user_free_preparse(struct key_preparsed_payload *prep);
extern int user_update(struct key *key, struct key_preparsed_payload *prep); extern int user_update(struct key *key, struct key_preparsed_payload *prep);
extern int user_match(const struct key *key, const void *criterion); extern int user_match(const struct key *key, const void *criterion);
extern void user_revoke(struct key *key); extern void user_revoke(struct key *key);
......
...@@ -41,10 +41,11 @@ struct key_construction { ...@@ -41,10 +41,11 @@ struct key_construction {
struct key_preparsed_payload { struct key_preparsed_payload {
char *description; /* Proposed key description (or NULL) */ char *description; /* Proposed key description (or NULL) */
void *type_data[2]; /* Private key-type data */ void *type_data[2]; /* Private key-type data */
void *payload; /* Proposed payload */ void *payload[2]; /* Proposed payload */
const void *data; /* Raw data */ const void *data; /* Raw data */
size_t datalen; /* Raw datalen */ size_t datalen; /* Raw datalen */
size_t quotalen; /* Quota length for proposed payload */ size_t quotalen; /* Quota length for proposed payload */
time_t expiry; /* Expiry time of key */
bool trusted; /* True if key is trusted */ bool trusted; /* True if key is trusted */
}; };
...@@ -159,5 +160,7 @@ static inline int key_negate_and_link(struct key *key, ...@@ -159,5 +160,7 @@ static inline int key_negate_and_link(struct key *key,
return key_reject_and_link(key, timeout, ENOKEY, keyring, instkey); return key_reject_and_link(key, timeout, ENOKEY, keyring, instkey);
} }
extern int generic_key_instantiate(struct key *key, struct key_preparsed_payload *prep);
#endif /* CONFIG_KEYS */ #endif /* CONFIG_KEYS */
#endif /* _LINUX_KEY_TYPE_H */ #endif /* _LINUX_KEY_TYPE_H */
...@@ -170,6 +170,8 @@ struct key { ...@@ -170,6 +170,8 @@ struct key {
#define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */ #define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */
#define KEY_FLAG_TRUSTED 8 /* set if key is trusted */ #define KEY_FLAG_TRUSTED 8 /* set if key is trusted */
#define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */ #define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */
#define KEY_FLAG_BUILTIN 10 /* set if key is builtin */
#define KEY_FLAG_ROOT_CAN_INVAL 11 /* set if key can be invalidated by root without permission */
/* the key type and key description string /* the key type and key description string
* - the desc is used to match a key against search criteria * - the desc is used to match a key against search criteria
......
...@@ -52,9 +52,15 @@ enum OID { ...@@ -52,9 +52,15 @@ enum OID {
OID_md4, /* 1.2.840.113549.2.4 */ OID_md4, /* 1.2.840.113549.2.4 */
OID_md5, /* 1.2.840.113549.2.5 */ OID_md5, /* 1.2.840.113549.2.5 */
OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */ /* Microsoft Authenticode & Software Publishing */
OID_msIndirectData, /* 1.3.6.1.4.1.311.2.1.4 */
OID_msPeImageDataObjId, /* 1.3.6.1.4.1.311.2.1.15 */
OID_msIndividualSPKeyPurpose, /* 1.3.6.1.4.1.311.2.1.21 */
OID_msOutlookExpress, /* 1.3.6.1.4.1.311.16.4 */ OID_msOutlookExpress, /* 1.3.6.1.4.1.311.16.4 */
OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */
OID_sha1, /* 1.3.14.3.2.26 */ OID_sha1, /* 1.3.14.3.2.26 */
OID_sha256, /* 2.16.840.1.101.3.4.2.1 */
/* Distinguished Name attribute IDs [RFC 2256] */ /* Distinguished Name attribute IDs [RFC 2256] */
OID_commonName, /* 2.5.4.3 */ OID_commonName, /* 2.5.4.3 */
......
/* Signed PE file verification
*
* Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public Licence
* as published by the Free Software Foundation; either version
* 2 of the Licence, or (at your option) any later version.
*/
#ifndef _LINUX_VERIFY_PEFILE_H
#define _LINUX_VERIFY_PEFILE_H
extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
struct key *trusted_keyring, bool *_trusted);
#endif /* _LINUX_VERIFY_PEFILE_H */
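Review bot: `struct key` is used in the prototype of `verify_pefile_signature()` without a prior declaration in this header. `pefile_parser.h` on this page includes `<linux/verify_pefile.h>` before `<crypto/pkcs7.h>`, which is where `struct key;` is forward-declared, so unless an earlier include supplies it the type gets prototype scope and the compiler warns. Adding `struct key;` above the prototype and `#include <linux/types.h>` for `bool` makes the header self-contained. A short comment on the out-parameter would also help callers, e.g. `/* *_trusted is set only if the signing chain reaches a key in @trusted_keyring */`; that behaviour is inferred from the parameter names and should be confirmed against the implementation, which is collapsed here.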
...@@ -89,6 +89,7 @@ static __init int load_system_certificate_list(void) ...@@ -89,6 +89,7 @@ static __init int load_system_certificate_list(void)
pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
PTR_ERR(key)); PTR_ERR(key));
} else { } else {
set_bit(KEY_FLAG_BUILTIN, &key_ref_to_ptr(key)->flags);
pr_notice("Loaded X.509 cert '%s'\n", pr_notice("Loaded X.509 cert '%s'\n",
key_ref_to_ptr(key)->description); key_ref_to_ptr(key)->description);
key_ref_put(key); key_ref_put(key);
......
...@@ -451,7 +451,8 @@ config MPILIB ...@@ -451,7 +451,8 @@ config MPILIB
config SIGNATURE config SIGNATURE
tristate tristate
depends on KEYS && CRYPTO depends on KEYS
select CRYPTO
select CRYPTO_SHA1 select CRYPTO_SHA1
select MPILIB select MPILIB
help help
......
...@@ -8,6 +8,7 @@ ...@@ -8,6 +8,7 @@
#include <linux/key-type.h> #include <linux/key-type.h>
#include <keys/ceph-type.h> #include <keys/ceph-type.h>
#include <keys/user-type.h>
#include <linux/ceph/decode.h> #include <linux/ceph/decode.h>
#include "crypto.h" #include "crypto.h"
...@@ -423,8 +424,7 @@ int ceph_encrypt2(struct ceph_crypto_key *secret, void *dst, size_t *dst_len, ...@@ -423,8 +424,7 @@ int ceph_encrypt2(struct ceph_crypto_key *secret, void *dst, size_t *dst_len,
} }
} }
static int ceph_key_instantiate(struct key *key, static int ceph_key_preparse(struct key_preparsed_payload *prep)
struct key_preparsed_payload *prep)
{ {
struct ceph_crypto_key *ckey; struct ceph_crypto_key *ckey;
size_t datalen = prep->datalen; size_t datalen = prep->datalen;
...@@ -435,10 +435,6 @@ static int ceph_key_instantiate(struct key *key, ...@@ -435,10 +435,6 @@ static int ceph_key_instantiate(struct key *key,
if (datalen <= 0 || datalen > 32767 || !prep->data) if (datalen <= 0 || datalen > 32767 || !prep->data)
goto err; goto err;
ret = key_payload_reserve(key, datalen);
if (ret < 0)
goto err;
ret = -ENOMEM; ret = -ENOMEM;
ckey = kmalloc(sizeof(*ckey), GFP_KERNEL); ckey = kmalloc(sizeof(*ckey), GFP_KERNEL);
if (!ckey) if (!ckey)
...@@ -450,7 +446,8 @@ static int ceph_key_instantiate(struct key *key, ...@@ -450,7 +446,8 @@ static int ceph_key_instantiate(struct key *key,
if (ret < 0) if (ret < 0)
goto err_ckey; goto err_ckey;
key->payload.data = ckey; prep->payload[0] = ckey;
prep->quotalen = datalen;
return 0; return 0;
err_ckey: err_ckey:
...@@ -459,12 +456,15 @@ static int ceph_key_instantiate(struct key *key, ...@@ -459,12 +456,15 @@ static int ceph_key_instantiate(struct key *key,
return ret; return ret;
} }
static int ceph_key_match(const struct key *key, const void *description) static void ceph_key_free_preparse(struct key_preparsed_payload *prep)
{ {
return strcmp(key->description, description) == 0; struct ceph_crypto_key *ckey = prep->payload[0];
ceph_crypto_key_destroy(ckey);
kfree(ckey);
} }
static void ceph_key_destroy(struct key *key) { static void ceph_key_destroy(struct key *key)
{
struct ceph_crypto_key *ckey = key->payload.data; struct ceph_crypto_key *ckey = key->payload.data;
ceph_crypto_key_destroy(ckey); ceph_crypto_key_destroy(ckey);
...@@ -473,8 +473,10 @@ static void ceph_key_destroy(struct key *key) { ...@@ -473,8 +473,10 @@ static void ceph_key_destroy(struct key *key) {
struct key_type key_type_ceph = { struct key_type key_type_ceph = {
.name = "ceph", .name = "ceph",
.instantiate = ceph_key_instantiate, .preparse = ceph_key_preparse,
.match = ceph_key_match, .free_preparse = ceph_key_free_preparse,
.instantiate = generic_key_instantiate,
.match = user_match,
.destroy = ceph_key_destroy, .destroy = ceph_key_destroy,
}; };
......
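Review bot: `ceph_key_free_preparse()` passes `prep->payload[0]` to `ceph_crypto_key_destroy()` without checking it for NULL. If the free hook can run after a failed `ceph_key_preparse()`, or after the payload has been handed over to the key, the pointer would be NULL. `dns_resolver_free_preparse()` in this commit only calls `kfree()`, which tolerates that, whereas `ceph_crypto_key_destroy()` is not visible here and may dereference its argument. Either guard the call, `if (ckey) ceph_crypto_key_destroy(ckey);`, or confirm the helper accepts NULL and say so in a comment.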
...@@ -46,7 +46,7 @@ const struct cred *dns_resolver_cache; ...@@ -46,7 +46,7 @@ const struct cred *dns_resolver_cache;
#define DNS_ERRORNO_OPTION "dnserror" #define DNS_ERRORNO_OPTION "dnserror"
/* /*
* Instantiate a user defined key for dns_resolver. * Preparse instantiation data for a dns_resolver key.
* *
* The data must be a NUL-terminated string, with the NUL char accounted in * The data must be a NUL-terminated string, with the NUL char accounted in
* datalen. * datalen.
...@@ -58,17 +58,15 @@ const struct cred *dns_resolver_cache; ...@@ -58,17 +58,15 @@ const struct cred *dns_resolver_cache;
* "ip1,ip2,...#foo=bar" * "ip1,ip2,...#foo=bar"
*/ */
static int static int
dns_resolver_instantiate(struct key *key, struct key_preparsed_payload *prep) dns_resolver_preparse(struct key_preparsed_payload *prep)
{ {
struct user_key_payload *upayload; struct user_key_payload *upayload;
unsigned long derrno; unsigned long derrno;
int ret; int ret;
size_t datalen = prep->datalen, result_len = 0; int datalen = prep->datalen, result_len = 0;
const char *data = prep->data, *end, *opt; const char *data = prep->data, *end, *opt;
kenter("%%%d,%s,'%*.*s',%zu", kenter("'%*.*s',%u", datalen, datalen, data, datalen);
key->serial, key->description,
(int)datalen, (int)datalen, data, datalen);
if (datalen <= 1 || !data || data[datalen - 1] != '\0') if (datalen <= 1 || !data || data[datalen - 1] != '\0')
return -EINVAL; return -EINVAL;
...@@ -95,8 +93,7 @@ dns_resolver_instantiate(struct key *key, struct key_preparsed_payload *prep) ...@@ -95,8 +93,7 @@ dns_resolver_instantiate(struct key *key, struct key_preparsed_payload *prep)
opt_len = next_opt - opt; opt_len = next_opt - opt;
if (!opt_len) { if (!opt_len) {
printk(KERN_WARNING printk(KERN_WARNING
"Empty option to dns_resolver key %d\n", "Empty option to dns_resolver key\n");
key->serial);
return -EINVAL; return -EINVAL;
} }
...@@ -125,30 +122,28 @@ dns_resolver_instantiate(struct key *key, struct key_preparsed_payload *prep) ...@@ -125,30 +122,28 @@ dns_resolver_instantiate(struct key *key, struct key_preparsed_payload *prep)
goto bad_option_value; goto bad_option_value;
kdebug("dns error no. = %lu", derrno); kdebug("dns error no. = %lu", derrno);
key->type_data.x[0] = -derrno; prep->type_data[0] = ERR_PTR(-derrno);
continue; continue;
} }
bad_option_value: bad_option_value:
printk(KERN_WARNING printk(KERN_WARNING
"Option '%*.*s' to dns_resolver key %d:" "Option '%*.*s' to dns_resolver key:"
" bad/missing value\n", " bad/missing value\n",
opt_nlen, opt_nlen, opt, key->serial); opt_nlen, opt_nlen, opt);
return -EINVAL; return -EINVAL;
} while (opt = next_opt + 1, opt < end); } while (opt = next_opt + 1, opt < end);
} }
/* don't cache the result if we're caching an error saying there's no /* don't cache the result if we're caching an error saying there's no
* result */ * result */
if (key->type_data.x[0]) { if (prep->type_data[0]) {
kleave(" = 0 [h_error %ld]", key->type_data.x[0]); kleave(" = 0 [h_error %ld]", PTR_ERR(prep->type_data[0]));
return 0; return 0;
} }
kdebug("store result"); kdebug("store result");
ret = key_payload_reserve(key, result_len); prep->quotalen = result_len;
if (ret < 0)
return -EINVAL;
upayload = kmalloc(sizeof(*upayload) + result_len + 1, GFP_KERNEL); upayload = kmalloc(sizeof(*upayload) + result_len + 1, GFP_KERNEL);
if (!upayload) { if (!upayload) {
...@@ -159,12 +154,22 @@ dns_resolver_instantiate(struct key *key, struct key_preparsed_payload *prep) ...@@ -159,12 +154,22 @@ dns_resolver_instantiate(struct key *key, struct key_preparsed_payload *prep)
upayload->datalen = result_len; upayload->datalen = result_len;
memcpy(upayload->data, data, result_len); memcpy(upayload->data, data, result_len);
upayload->data[result_len] = '\0'; upayload->data[result_len] = '\0';
rcu_assign_pointer(key->payload.data, upayload);
prep->payload[0] = upayload;
kleave(" = 0"); kleave(" = 0");
return 0; return 0;
} }
/*
* Clean up the preparse data
*/
static void dns_resolver_free_preparse(struct key_preparsed_payload *prep)
{
pr_devel("==>%s()\n", __func__);
kfree(prep->payload[0]);
}
/* /*
* The description is of the form "[<type>:]<domain_name>" * The description is of the form "[<type>:]<domain_name>"
* *
...@@ -234,7 +239,9 @@ static long dns_resolver_read(const struct key *key, ...@@ -234,7 +239,9 @@ static long dns_resolver_read(const struct key *key,
struct key_type key_type_dns_resolver = { struct key_type key_type_dns_resolver = {
.name = "dns_resolver", .name = "dns_resolver",
.instantiate = dns_resolver_instantiate, .preparse = dns_resolver_preparse,
.free_preparse = dns_resolver_free_preparse,
.instantiate = generic_key_instantiate,
.match = dns_resolver_match, .match = dns_resolver_match,
.revoke = user_revoke, .revoke = user_revoke,
.destroy = user_destroy, .destroy = user_destroy,
......
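Review bot: `int datalen = prep->datalen, result_len = 0;` narrows a `size_t` taken from the key payload to `int`, and the new `kenter()` then prints that `int` with `%u`. The replaced lines kept `size_t` and cast only the `%*.*s` width arguments. Keeping that form, `size_t datalen = prep->datalen, result_len = 0;` with `kenter("'%*.*s',%zu", (int)datalen, (int)datalen, data, datalen);`, avoids a signed length feeding `data[datalen - 1]` and the later `memcpy()`. `prep->type_data[0] = ERR_PTR(-derrno)` also depends on `derrno` having been range-checked so the value stays inside the error-pointer range; that check is outside the hunk.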
...@@ -129,6 +129,7 @@ int dns_query(const char *type, const char *name, size_t namelen, ...@@ -129,6 +129,7 @@ int dns_query(const char *type, const char *name, size_t namelen,
} }
down_read(&rkey->sem); down_read(&rkey->sem);
set_bit(KEY_FLAG_ROOT_CAN_INVAL, &rkey->flags);
rkey->perm |= KEY_USR_VIEW; rkey->perm |= KEY_USR_VIEW;
ret = key_validate(rkey); ret = key_validate(rkey);
......
...@@ -13,7 +13,9 @@ ...@@ -13,7 +13,9 @@
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/err.h> #include <linux/err.h>
#include <linux/sched.h>
#include <linux/rbtree.h> #include <linux/rbtree.h>
#include <linux/cred.h>
#include <linux/key-type.h> #include <linux/key-type.h>
#include <linux/digsig.h> #include <linux/digsig.h>
...@@ -24,7 +26,11 @@ static struct key *keyring[INTEGRITY_KEYRING_MAX]; ...@@ -24,7 +26,11 @@ static struct key *keyring[INTEGRITY_KEYRING_MAX];
static const char *keyring_name[INTEGRITY_KEYRING_MAX] = { static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
"_evm", "_evm",
"_module", "_module",
#ifndef CONFIG_IMA_TRUSTED_KEYRING
"_ima", "_ima",
#else
".ima",
#endif
}; };
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
...@@ -56,3 +62,25 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, ...@@ -56,3 +62,25 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
return -EOPNOTSUPP; return -EOPNOTSUPP;
} }
int integrity_init_keyring(const unsigned int id)
{
const struct cred *cred = current_cred();
int err = 0;
keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
KGIDT_INIT(0), cred,
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW | KEY_USR_READ |
KEY_USR_WRITE | KEY_USR_SEARCH),
KEY_ALLOC_NOT_IN_QUOTA, NULL);
if (!IS_ERR(keyring[id]))
set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
else {
err = PTR_ERR(keyring[id]);
pr_info("Can't allocate %s keyring (%d)\n",
keyring_name[id], err);
keyring[id] = NULL;
}
return err;
}
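Review bot: integrity_init_keyring() indexes `keyring[id]` and `keyring_name[id]` without checking `id` against INTEGRITY_KEYRING_MAX, the bound both arrays are declared with. The only caller visible in this commit passes a constant, but the function is non-static and declared in the shared header, so a guard such as `if (id >= INTEGRITY_KEYRING_MAX) return -EINVAL;` at the top would keep a bad caller from reading and writing out of bounds. The function also has no comment; one line stating that the keyring is created root-owned, outside quota, and marked KEY_FLAG_TRUSTED_ONLY would help, since that flag is what enforces the trust requirement.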
...@@ -123,3 +123,13 @@ config IMA_APPRAISE ...@@ -123,3 +123,13 @@ config IMA_APPRAISE
For more information on integrity appraisal refer to: For more information on integrity appraisal refer to:
<http://linux-ima.sourceforge.net> <http://linux-ima.sourceforge.net>
If unsure, say N. If unsure, say N.
config IMA_TRUSTED_KEYRING
bool "Require all keys on the .ima keyring be signed"
depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
depends on INTEGRITY_ASYMMETRIC_KEYS
select KEYS_DEBUG_PROC_KEYS
default y
help
This option requires that all keys added to the .ima
keyring be signed by a key on the system trusted keyring.
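Review bot: The help text for IMA_TRUSTED_KEYRING leaves out two side effects that the rest of this commit makes visible: the keyring name changes from `_ima` to `.ima`, and `select KEYS_DEBUG_PROC_KEYS` force-enables an option whose name marks it as a debug interface. Because the entry is `default y`, userspace that loads keys onto `_ima` may be affected on upgrade without anyone having chosen the option. I would extend the help with a sentence for each, e.g. `Enabling this renames the IMA keyring from _ima to .ima.`, and state why KEYS_DEBUG_PROC_KEYS is selected rather than left to the user.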
...@@ -249,4 +249,16 @@ static inline int security_filter_rule_match(u32 secid, u32 field, u32 op, ...@@ -249,4 +249,16 @@ static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
return -EINVAL; return -EINVAL;
} }
#endif /* CONFIG_IMA_LSM_RULES */ #endif /* CONFIG_IMA_LSM_RULES */
#ifdef CONFIG_IMA_TRUSTED_KEYRING
static inline int ima_init_keyring(const unsigned int id)
{
return integrity_init_keyring(id);
}
#else
static inline int ima_init_keyring(const unsigned int id)
{
return 0;
}
#endif /* CONFIG_IMA_TRUSTED_KEYRING */
#endif #endif
...@@ -325,8 +325,14 @@ static int __init init_ima(void) ...@@ -325,8 +325,14 @@ static int __init init_ima(void)
hash_setup(CONFIG_IMA_DEFAULT_HASH); hash_setup(CONFIG_IMA_DEFAULT_HASH);
error = ima_init(); error = ima_init();
if (!error) if (error)
goto out;
error = ima_init_keyring(INTEGRITY_KEYRING_IMA);
if (error)
goto out;
ima_initialized = 1; ima_initialized = 1;
out:
return error; return error;
} }
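Review bot: After this change a failure in `ima_init_keyring()` makes init_ima() return an error with `ima_initialized` still 0, even though `ima_init()` has already succeeded. If the IMA hooks are gated on `ima_initialized` (not visible in this hunk), a keyring allocation failure would switch measurement and appraisal off altogether rather than failing closed, and nothing set up by `ima_init()` is undone. I would add a comment above the second `goto out` stating which behaviour is intended, e.g. `/* NOTE: on keyring failure IMA stays uninitialised; ima_init() state is not torn down */`. init_ima() begins outside the hunk.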
......
...@@ -124,6 +124,7 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode); ...@@ -124,6 +124,7 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
const char *digest, int digestlen); const char *digest, int digestlen);
int integrity_init_keyring(const unsigned int id);
#else #else
static inline int integrity_digsig_verify(const unsigned int id, static inline int integrity_digsig_verify(const unsigned int id,
...@@ -133,6 +134,10 @@ static inline int integrity_digsig_verify(const unsigned int id, ...@@ -133,6 +134,10 @@ static inline int integrity_digsig_verify(const unsigned int id,
return -EOPNOTSUPP; return -EOPNOTSUPP;
} }
static inline int integrity_init_keyring(const unsigned int id)
{
return 0;
}
#endif /* CONFIG_INTEGRITY_SIGNATURE */ #endif /* CONFIG_INTEGRITY_SIGNATURE */
#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
......
...@@ -34,7 +34,9 @@ MODULE_LICENSE("GPL"); ...@@ -34,7 +34,9 @@ MODULE_LICENSE("GPL");
struct key_type key_type_big_key = { struct key_type key_type_big_key = {
.name = "big_key", .name = "big_key",
.def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, .def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
.instantiate = big_key_instantiate, .preparse = big_key_preparse,
.free_preparse = big_key_free_preparse,
.instantiate = generic_key_instantiate,
.match = user_match, .match = user_match,
.revoke = big_key_revoke, .revoke = big_key_revoke,
.destroy = big_key_destroy, .destroy = big_key_destroy,
...@@ -43,11 +45,11 @@ struct key_type key_type_big_key = { ...@@ -43,11 +45,11 @@ struct key_type key_type_big_key = {
}; };
/* /*
* Instantiate a big key * Preparse a big key
*/ */
int big_key_instantiate(struct key *key, struct key_preparsed_payload *prep) int big_key_preparse(struct key_preparsed_payload *prep)
{ {
struct path *path = (struct path *)&key->payload.data2; struct path *path = (struct path *)&prep->payload;
struct file *file; struct file *file;
ssize_t written; ssize_t written;
size_t datalen = prep->datalen; size_t datalen = prep->datalen;
...@@ -58,11 +60,9 @@ int big_key_instantiate(struct key *key, struct key_preparsed_payload *prep) ...@@ -58,11 +60,9 @@ int big_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
goto error; goto error;
/* Set an arbitrary quota */ /* Set an arbitrary quota */
ret = key_payload_reserve(key, 16); prep->quotalen = 16;
if (ret < 0)
goto error;
key->type_data.x[1] = datalen; prep->type_data[1] = (void *)(unsigned long)datalen;
if (datalen > BIG_KEY_FILE_THRESHOLD) { if (datalen > BIG_KEY_FILE_THRESHOLD) {
/* Create a shmem file to store the data in. This will permit the data /* Create a shmem file to store the data in. This will permit the data
...@@ -73,7 +73,7 @@ int big_key_instantiate(struct key *key, struct key_preparsed_payload *prep) ...@@ -73,7 +73,7 @@ int big_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
file = shmem_kernel_file_setup("", datalen, 0); file = shmem_kernel_file_setup("", datalen, 0);
if (IS_ERR(file)) { if (IS_ERR(file)) {
ret = PTR_ERR(file); ret = PTR_ERR(file);
goto err_quota; goto error;
} }
written = kernel_write(file, prep->data, prep->datalen, 0); written = kernel_write(file, prep->data, prep->datalen, 0);
...@@ -93,23 +93,32 @@ int big_key_instantiate(struct key *key, struct key_preparsed_payload *prep) ...@@ -93,23 +93,32 @@ int big_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
} else { } else {
/* Just store the data in a buffer */ /* Just store the data in a buffer */
void *data = kmalloc(datalen, GFP_KERNEL); void *data = kmalloc(datalen, GFP_KERNEL);
if (!data) { if (!data)
ret = -ENOMEM; return -ENOMEM;
goto err_quota;
}
key->payload.data = memcpy(data, prep->data, prep->datalen); prep->payload[0] = memcpy(data, prep->data, prep->datalen);
} }
return 0; return 0;
err_fput: err_fput:
fput(file); fput(file);
err_quota:
key_payload_reserve(key, 0);
error: error:
return ret; return ret;
} }
/*
* Clear preparsement.
*/
void big_key_free_preparse(struct key_preparsed_payload *prep)
{
if (prep->datalen > BIG_KEY_FILE_THRESHOLD) {
struct path *path = (struct path *)&prep->payload;
path_put(path);
} else {
kfree(prep->payload[0]);
}
}
/* /*
* dispose of the links from a revoked keyring * dispose of the links from a revoked keyring
* - called with the key sem write-locked * - called with the key sem write-locked
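Review bot: big_key_free_preparse() releases the buffered copy of the key payload with plain `kfree(prep->payload[0])`, so on any path where instantiation does not take ownership the key material goes back to the allocator uncleared. `kzfree(prep->payload[0]);` would clear it first; the same applies to user_free_preparse() in the user-defined key section of this commit. The comment should also say that the function is reached both after a successful instantiate, when generic_key_instantiate() has already set the payload pointers to NULL, and (judging by the key.c hunks) after a failed preparse, which is why both branches have to tolerate a cleared payload.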
......
...@@ -811,7 +811,7 @@ static int encrypted_instantiate(struct key *key, ...@@ -811,7 +811,7 @@ static int encrypted_instantiate(struct key *key,
goto out; goto out;
} }
rcu_assign_keypointer(key, epayload); prep->payload[0] = epayload;
out: out:
kfree(datablob); kfree(datablob);
return ret; return ret;
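Review bot: encrypted_instantiate() now stores the new payload in `prep->payload[0]` instead of publishing it with `rcu_assign_keypointer(key, epayload)`, but this function is itself the instantiate op and receives `key`, so nothing visible here attaches the payload to the key. Unless the encrypted key type is also switched to a preparse/generic_key_instantiate() pair elsewhere (no such change is shown on this page), the key would be left without a payload and readers that dereference it would see NULL. I would keep `rcu_assign_keypointer(key, epayload);` in this function. The body of encrypted_instantiate() starts outside the hunk.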
......
...@@ -437,6 +437,11 @@ static int __key_instantiate_and_link(struct key *key, ...@@ -437,6 +437,11 @@ static int __key_instantiate_and_link(struct key *key,
/* disable the authorisation key */ /* disable the authorisation key */
if (authkey) if (authkey)
key_revoke(authkey); key_revoke(authkey);
if (prep->expiry != TIME_T_MAX) {
key->expiry = prep->expiry;
key_schedule_gc(prep->expiry + key_gc_delay);
}
} }
} }
...@@ -479,6 +484,7 @@ int key_instantiate_and_link(struct key *key, ...@@ -479,6 +484,7 @@ int key_instantiate_and_link(struct key *key,
prep.data = data; prep.data = data;
prep.datalen = datalen; prep.datalen = datalen;
prep.quotalen = key->type->def_datalen; prep.quotalen = key->type->def_datalen;
prep.expiry = TIME_T_MAX;
if (key->type->preparse) { if (key->type->preparse) {
ret = key->type->preparse(&prep); ret = key->type->preparse(&prep);
if (ret < 0) if (ret < 0)
...@@ -488,7 +494,7 @@ int key_instantiate_and_link(struct key *key, ...@@ -488,7 +494,7 @@ int key_instantiate_and_link(struct key *key,
if (keyring) { if (keyring) {
ret = __key_link_begin(keyring, &key->index_key, &edit); ret = __key_link_begin(keyring, &key->index_key, &edit);
if (ret < 0) if (ret < 0)
goto error_free_preparse; goto error;
} }
ret = __key_instantiate_and_link(key, &prep, keyring, authkey, &edit); ret = __key_instantiate_and_link(key, &prep, keyring, authkey, &edit);
...@@ -496,10 +502,9 @@ int key_instantiate_and_link(struct key *key, ...@@ -496,10 +502,9 @@ int key_instantiate_and_link(struct key *key,
if (keyring) if (keyring)
__key_link_end(keyring, &key->index_key, edit); __key_link_end(keyring, &key->index_key, edit);
error_free_preparse: error:
if (key->type->preparse) if (key->type->preparse)
key->type->free_preparse(&prep); key->type->free_preparse(&prep);
error:
return ret; return ret;
} }
...@@ -811,11 +816,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, ...@@ -811,11 +816,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
prep.datalen = plen; prep.datalen = plen;
prep.quotalen = index_key.type->def_datalen; prep.quotalen = index_key.type->def_datalen;
prep.trusted = flags & KEY_ALLOC_TRUSTED; prep.trusted = flags & KEY_ALLOC_TRUSTED;
prep.expiry = TIME_T_MAX;
if (index_key.type->preparse) { if (index_key.type->preparse) {
ret = index_key.type->preparse(&prep); ret = index_key.type->preparse(&prep);
if (ret < 0) { if (ret < 0) {
key_ref = ERR_PTR(ret); key_ref = ERR_PTR(ret);
goto error_put_type; goto error_free_prep;
} }
if (!index_key.description) if (!index_key.description)
index_key.description = prep.description; index_key.description = prep.description;
...@@ -941,6 +947,7 @@ int key_update(key_ref_t key_ref, const void *payload, size_t plen) ...@@ -941,6 +947,7 @@ int key_update(key_ref_t key_ref, const void *payload, size_t plen)
prep.data = payload; prep.data = payload;
prep.datalen = plen; prep.datalen = plen;
prep.quotalen = key->type->def_datalen; prep.quotalen = key->type->def_datalen;
prep.expiry = TIME_T_MAX;
if (key->type->preparse) { if (key->type->preparse) {
ret = key->type->preparse(&prep); ret = key->type->preparse(&prep);
if (ret < 0) if (ret < 0)
...@@ -956,9 +963,9 @@ int key_update(key_ref_t key_ref, const void *payload, size_t plen) ...@@ -956,9 +963,9 @@ int key_update(key_ref_t key_ref, const void *payload, size_t plen)
up_write(&key->sem); up_write(&key->sem);
error:
if (key->type->preparse) if (key->type->preparse)
key->type->free_preparse(&prep); key->type->free_preparse(&prep);
error:
return ret; return ret;
} }
EXPORT_SYMBOL(key_update); EXPORT_SYMBOL(key_update);
...@@ -1023,6 +1030,38 @@ void key_invalidate(struct key *key) ...@@ -1023,6 +1030,38 @@ void key_invalidate(struct key *key)
} }
EXPORT_SYMBOL(key_invalidate); EXPORT_SYMBOL(key_invalidate);
/**
* generic_key_instantiate - Simple instantiation of a key from preparsed data
* @key: The key to be instantiated
* @prep: The preparsed data to load.
*
* Instantiate a key from preparsed data. We assume we can just copy the data
* in directly and clear the old pointers.
*
* This can be pointed to directly by the key type instantiate op pointer.
*/
int generic_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
{
int ret;
pr_devel("==>%s()\n", __func__);
ret = key_payload_reserve(key, prep->quotalen);
if (ret == 0) {
key->type_data.p[0] = prep->type_data[0];
key->type_data.p[1] = prep->type_data[1];
rcu_assign_keypointer(key, prep->payload[0]);
key->payload.data2[1] = prep->payload[1];
prep->type_data[0] = NULL;
prep->type_data[1] = NULL;
prep->payload[0] = NULL;
prep->payload[1] = NULL;
}
pr_devel("<==%s() = %d\n", __func__, ret);
return ret;
}
EXPORT_SYMBOL(generic_key_instantiate);
/** /**
* register_key_type - Register a type of key. * register_key_type - Register a type of key.
* @ktype: The new key type. * @ktype: The new key type.
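Review bot: With the `error:` labels moved in key_instantiate_and_link() and key_update(), and the `goto error_free_prep` in key_create_or_update(), `->free_preparse()` now appears to run even when `->preparse()` itself failed, and that contract is not written down anywhere in these hunks. A preparse that frees its own allocation on error and leaves the pointer in `prep->payload[]` would then be freed a second time. I would state the rule in the kernel-doc of generic_key_instantiate() or next to the callers, e.g. `/* ->free_preparse() is called after a failed ->preparse() too; it must cope with a partially filled prep */`. The callers also invoke `key->type->free_preparse` after testing only `key->type->preparse`, so a type that sets one op without the other would dereference NULL. The three caller bodies extend beyond their hunks.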
......
...@@ -37,8 +37,6 @@ static int key_get_type_from_user(char *type, ...@@ -37,8 +37,6 @@ static int key_get_type_from_user(char *type,
return ret; return ret;
if (ret == 0 || ret >= len) if (ret == 0 || ret >= len)
return -EINVAL; return -EINVAL;
if (type[0] == '.')
return -EPERM;
type[len - 1] = '\0'; type[len - 1] = '\0';
return 0; return 0;
} }
...@@ -86,6 +84,10 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type, ...@@ -86,6 +84,10 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
if (!*description) { if (!*description) {
kfree(description); kfree(description);
description = NULL; description = NULL;
} else if ((description[0] == '.') &&
(strncmp(type, "keyring", 7) == 0)) {
ret = -EPERM;
goto error2;
} }
} }
...@@ -404,12 +406,25 @@ long keyctl_invalidate_key(key_serial_t id) ...@@ -404,12 +406,25 @@ long keyctl_invalidate_key(key_serial_t id)
key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH); key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH);
if (IS_ERR(key_ref)) { if (IS_ERR(key_ref)) {
ret = PTR_ERR(key_ref); ret = PTR_ERR(key_ref);
/* Root is permitted to invalidate certain special keys */
if (capable(CAP_SYS_ADMIN)) {
key_ref = lookup_user_key(id, 0, 0);
if (IS_ERR(key_ref))
goto error; goto error;
if (test_bit(KEY_FLAG_ROOT_CAN_INVAL,
&key_ref_to_ptr(key_ref)->flags))
goto invalidate;
goto error_put;
} }
goto error;
}
invalidate:
key_invalidate(key_ref_to_ptr(key_ref)); key_invalidate(key_ref_to_ptr(key_ref));
ret = 0; ret = 0;
error_put:
key_ref_put(key_ref); key_ref_put(key_ref);
error: error:
kleave(" = %ld", ret); kleave(" = %ld", ret);
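Review bot: Dropping `if (type[0] == '.') return -EPERM;` from key_get_type_from_user() removes the only check visible here that stops a userspace caller from naming a key type whose name starts with a dot, and the new test in add_key covers only descriptions of type `keyring`. At least one such internal type appears in this commit, `.request_key_auth`, whose new preparse accepts any payload. I would keep the type-name check and add the description check alongside it rather than in place of it. Separately, `strncmp(type, "keyring", 7) == 0` is a prefix match, so it also matches any type name that merely begins with `keyring`; `strcmp()` would say what is meant. key_get_type_from_user() and the add_key body both start outside their hunks.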
......
...@@ -73,6 +73,8 @@ static inline unsigned keyring_hash(const char *desc) ...@@ -73,6 +73,8 @@ static inline unsigned keyring_hash(const char *desc)
* can be treated as ordinary keys in addition to having their own special * can be treated as ordinary keys in addition to having their own special
* operations. * operations.
*/ */
static int keyring_preparse(struct key_preparsed_payload *prep);
static void keyring_free_preparse(struct key_preparsed_payload *prep);
static int keyring_instantiate(struct key *keyring, static int keyring_instantiate(struct key *keyring,
struct key_preparsed_payload *prep); struct key_preparsed_payload *prep);
static void keyring_revoke(struct key *keyring); static void keyring_revoke(struct key *keyring);
...@@ -84,6 +86,8 @@ static long keyring_read(const struct key *keyring, ...@@ -84,6 +86,8 @@ static long keyring_read(const struct key *keyring,
struct key_type key_type_keyring = { struct key_type key_type_keyring = {
.name = "keyring", .name = "keyring",
.def_datalen = 0, .def_datalen = 0,
.preparse = keyring_preparse,
.free_preparse = keyring_free_preparse,
.instantiate = keyring_instantiate, .instantiate = keyring_instantiate,
.match = user_match, .match = user_match,
.revoke = keyring_revoke, .revoke = keyring_revoke,
...@@ -122,6 +126,21 @@ static void keyring_publish_name(struct key *keyring) ...@@ -122,6 +126,21 @@ static void keyring_publish_name(struct key *keyring)
} }
} }
/*
* Preparse a keyring payload
*/
static int keyring_preparse(struct key_preparsed_payload *prep)
{
return prep->datalen != 0 ? -EINVAL : 0;
}
/*
* Free a preparse of a user defined key payload
*/
static void keyring_free_preparse(struct key_preparsed_payload *prep)
{
}
/* /*
* Initialise a keyring. * Initialise a keyring.
* *
...@@ -130,17 +149,10 @@ static void keyring_publish_name(struct key *keyring) ...@@ -130,17 +149,10 @@ static void keyring_publish_name(struct key *keyring)
static int keyring_instantiate(struct key *keyring, static int keyring_instantiate(struct key *keyring,
struct key_preparsed_payload *prep) struct key_preparsed_payload *prep)
{ {
int ret;
ret = -EINVAL;
if (prep->datalen == 0) {
assoc_array_init(&keyring->keys); assoc_array_init(&keyring->keys);
/* make the keyring available by name if it has one */ /* make the keyring available by name if it has one */
keyring_publish_name(keyring); keyring_publish_name(keyring);
ret = 0; return 0;
}
return ret;
} }
/* /*
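Review bot: The comment above keyring_free_preparse() reads "Free a preparse of a user defined key payload", which looks copied from the user key type and is wrong for a keyring. Something like `/* Free a preparse of a keyring payload; keyring_preparse() allocates nothing */` would match the empty body. keyring_instantiate() now relies entirely on keyring_preparse() having rejected a non-empty payload, so its own header comment should say so.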
......
...@@ -20,6 +20,8 @@ ...@@ -20,6 +20,8 @@
#include "internal.h" #include "internal.h"
#include <keys/user-type.h> #include <keys/user-type.h>
static int request_key_auth_preparse(struct key_preparsed_payload *);
static void request_key_auth_free_preparse(struct key_preparsed_payload *);
static int request_key_auth_instantiate(struct key *, static int request_key_auth_instantiate(struct key *,
struct key_preparsed_payload *); struct key_preparsed_payload *);
static void request_key_auth_describe(const struct key *, struct seq_file *); static void request_key_auth_describe(const struct key *, struct seq_file *);
...@@ -33,6 +35,8 @@ static long request_key_auth_read(const struct key *, char __user *, size_t); ...@@ -33,6 +35,8 @@ static long request_key_auth_read(const struct key *, char __user *, size_t);
struct key_type key_type_request_key_auth = { struct key_type key_type_request_key_auth = {
.name = ".request_key_auth", .name = ".request_key_auth",
.def_datalen = sizeof(struct request_key_auth), .def_datalen = sizeof(struct request_key_auth),
.preparse = request_key_auth_preparse,
.free_preparse = request_key_auth_free_preparse,
.instantiate = request_key_auth_instantiate, .instantiate = request_key_auth_instantiate,
.describe = request_key_auth_describe, .describe = request_key_auth_describe,
.revoke = request_key_auth_revoke, .revoke = request_key_auth_revoke,
...@@ -40,6 +44,15 @@ struct key_type key_type_request_key_auth = { ...@@ -40,6 +44,15 @@ struct key_type key_type_request_key_auth = {
.read = request_key_auth_read, .read = request_key_auth_read,
}; };
int request_key_auth_preparse(struct key_preparsed_payload *prep)
{
return 0;
}
void request_key_auth_free_preparse(struct key_preparsed_payload *prep)
{
}
/* /*
* Instantiate a request-key authorisation key. * Instantiate a request-key authorisation key.
*/ */
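Review bot: request_key_auth_preparse() and request_key_auth_free_preparse() are forward-declared `static` but defined without the keyword, and neither has a header comment, unlike request_key_auth_instantiate() just below. Writing `static int request_key_auth_preparse(struct key_preparsed_payload *prep)` and `static void request_key_auth_free_preparse(struct key_preparsed_payload *prep)` at the definitions keeps the linkage obvious. A one-line comment should also say why the payload is not inspected here, since returning 0 for any input is otherwise easy to misread as an oversight.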
......
...@@ -27,7 +27,9 @@ static int logon_vet_description(const char *desc); ...@@ -27,7 +27,9 @@ static int logon_vet_description(const char *desc);
struct key_type key_type_user = { struct key_type key_type_user = {
.name = "user", .name = "user",
.def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, .def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
.instantiate = user_instantiate, .preparse = user_preparse,
.free_preparse = user_free_preparse,
.instantiate = generic_key_instantiate,
.update = user_update, .update = user_update,
.match = user_match, .match = user_match,
.revoke = user_revoke, .revoke = user_revoke,
...@@ -47,7 +49,9 @@ EXPORT_SYMBOL_GPL(key_type_user); ...@@ -47,7 +49,9 @@ EXPORT_SYMBOL_GPL(key_type_user);
struct key_type key_type_logon = { struct key_type key_type_logon = {
.name = "logon", .name = "logon",
.def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, .def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
.instantiate = user_instantiate, .preparse = user_preparse,
.free_preparse = user_free_preparse,
.instantiate = generic_key_instantiate,
.update = user_update, .update = user_update,
.match = user_match, .match = user_match,
.revoke = user_revoke, .revoke = user_revoke,
...@@ -58,38 +62,37 @@ struct key_type key_type_logon = { ...@@ -58,38 +62,37 @@ struct key_type key_type_logon = {
EXPORT_SYMBOL_GPL(key_type_logon); EXPORT_SYMBOL_GPL(key_type_logon);
/* /*
* instantiate a user defined key * Preparse a user defined key payload
*/ */
int user_instantiate(struct key *key, struct key_preparsed_payload *prep) int user_preparse(struct key_preparsed_payload *prep)
{ {
struct user_key_payload *upayload; struct user_key_payload *upayload;
size_t datalen = prep->datalen; size_t datalen = prep->datalen;
int ret;
ret = -EINVAL;
if (datalen <= 0 || datalen > 32767 || !prep->data) if (datalen <= 0 || datalen > 32767 || !prep->data)
goto error; return -EINVAL;
ret = key_payload_reserve(key, datalen);
if (ret < 0)
goto error;
ret = -ENOMEM;
upayload = kmalloc(sizeof(*upayload) + datalen, GFP_KERNEL); upayload = kmalloc(sizeof(*upayload) + datalen, GFP_KERNEL);
if (!upayload) if (!upayload)
goto error; return -ENOMEM;
/* attach the data */ /* attach the data */
prep->quotalen = datalen;
prep->payload[0] = upayload;
upayload->datalen = datalen; upayload->datalen = datalen;
memcpy(upayload->data, prep->data, datalen); memcpy(upayload->data, prep->data, datalen);
rcu_assign_keypointer(key, upayload); return 0;
ret = 0;
error:
return ret;
} }
EXPORT_SYMBOL_GPL(user_preparse);
EXPORT_SYMBOL_GPL(user_instantiate); /*
* Free a preparse of a user defined key payload
*/
void user_free_preparse(struct key_preparsed_payload *prep)
{
kfree(prep->payload[0]);
}
EXPORT_SYMBOL_GPL(user_free_preparse);
/* /*
* update a user defined key * update a user defined key
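Review bot: `key_type_user` and `key_type_logon` gain `.preparse = user_preparse` while keeping `.update = user_update`, and the key.c hunks show key_update() calling `->preparse()` on the update path as well. user_update() is outside this section; if it still allocates and copies from `prep->data` itself, every update would allocate the payload twice and discard the preparsed copy in user_free_preparse(). It would be worth either having user_update() take over `prep->payload[0]`, or adding a comment to user_preparse() noting that the update path ignores the preparsed payload. Also, `datalen <= 0` on a `size_t` can only mean `datalen == 0`, and 32767 would read better as a named constant.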
......