4 files changed, 168 insertions, 0 deletions
diff --git a/Documentation/security/keys/core.rst b/Documentation/security/keys/core.rst
index 9ce7256c6edb..c144978479d5 100644
--- a/Documentation/security/keys/core.rst
+++ b/Documentation/security/keys/core.rst
@@ -1483,6 +1483,112 @@ The structure has a number of fields, some of which are mandatory:
     attempted key link operation. If there is no match, -EINVAL is returned.
+  *  ``int (*asym_eds_op)(struct kernel_pkey_params *params,
+                          const void *in, void *out);``
+     ``int (*asym_verify_signature)(struct kernel_pkey_params *params,
+                                    const void *in, const void *in2);``
+     These methods are optional.  If provided the first allows a key to be
+     used to encrypt, decrypt or sign a blob of data, and the second allows a
+     key to verify a signature.
+     In all cases, the following information is provided in the params block::
+        struct kernel_pkey_params {
+                struct key      *key;
+                const char      *encoding;
+                const char      *hash_algo;
+                char            *info;
+                __u32           in_len;
+                union {
+                        __u32   out_len;
+                        __u32   in2_len;
+                };
+                enum kernel_pkey_operation op : 8;
+        };
+     This includes the key to be used; a string indicating the encoding to use
+     (for instance, "pkcs1" may be used with an RSA key to indicate
+     RSASSA-PKCS1-v1.5 or RSAES-PKCS1-v1.5 encoding or "raw" if no encoding);
+     the name of the hash algorithm used to generate the data for a signature
+     (if appropriate); the sizes of the input and output (or second input)
+     buffers; and the ID of the operation to be performed.
+     For a given operation ID, the input and output buffers are used as
+     follows::
+        Operation ID            in,in_len       out,out_len     in2,in2_len
+        ======================= =============== =============== ===============
+        kernel_pkey_encrypt     Raw data        Encrypted data  -
+        kernel_pkey_decrypt     Encrypted data  Raw data        -
+        kernel_pkey_sign        Raw data        Signature       -
+        kernel_pkey_verify      Raw data        -               Signature
+     asym_eds_op() deals with encryption, decryption and signature creation as
+     specified by params->op.  Note that params->op is also set for
+     asym_verify_signature().
+     Encrypting and signature creation both take raw data in the input buffer
+     and return the encrypted result in the output buffer.  Padding may have
+     been added if an encoding was set.  In the case of signature creation,
+     depending on the encoding, the padding created may need to indicate the
+     digest algorithm - the name of which should be supplied in hash_algo.
+     Decryption takes encrypted data in the input buffer and returns the raw
+     data in the output buffer.  Padding will get checked and stripped off if
+     an encoding was set.
+     Verification takes raw data in the input buffer and the signature in the
+     second input buffer and checks that the one matches the other.  Padding
+     will be validated.  Depending on the encoding, the digest algorithm used
+     to generate the raw data may need to be indicated in hash_algo.
+     If successful, asym_eds_op() should return the number of bytes written
+     into the output buffer.  asym_verify_signature() should return 0.
+     A variety of errors may be returned, including EOPNOTSUPP if the operation
+     is not supported; EKEYREJECTED if verification fails; ENOPKG if the
+     required crypto isn't available.
+  *  ``int (*asym_query)(const struct kernel_pkey_params *params,
+                         struct kernel_pkey_query *info);``
+     This method is optional.  If provided it allows information about the
+     public or asymmetric key held in the key to be determined.
+     The parameter block is as for asym_eds_op() and co. but in_len and out_len
+     are unused.  The encoding and hash_algo fields should be used to reduce
+     the returned buffer/data sizes as appropriate.
+     If successful, the following information is filled in::
+        struct kernel_pkey_query {
+                __u32           supported_ops;
+                __u32           key_size;
+                __u16           max_data_size;
+                __u16           max_sig_size;
+                __u16           max_enc_size;
+                __u16           max_dec_size;
+        };
+     The supported_ops field will contain a bitmask indicating what operations
+     are supported by the key, including encryption of a blob, decryption of a
+     blob, signing a blob and verifying the signature on a blob.  The following
+     constants are defined for this::
+        KEYCTL_SUPPORTS_{ENCRYPT,DECRYPT,SIGN,VERIFY}
+     The key_size field is the size of the key in bits.  max_data_size and
+     max_sig_size are the maximum raw data and signature sizes for creation and
+     verification of a signature; max_enc_size and max_dec_size are the maximum
+     raw data and signature sizes for encryption and decryption.  The
+     max_*_size fields are measured in bytes.
+     If successful, 0 will be returned.  If the key doesn't support this,
+     EOPNOTSUPP will be returned.
 Request-Key Callback Service
 ============================
diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index 05d8fb5a06c4..bc9af551fc83 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -17,6 +17,9 @@
 #ifdef CONFIG_KEYS
+struct kernel_pkey_query;
+struct kernel_pkey_params;
 /*
 * key under-construction record
 * - passed to the request_key actor if supplied
@@ -155,6 +158,14 @@ struct key_type {
         */
        struct key_restriction *(*lookup_restriction)(const char *params);
+        /* Asymmetric key accessor functions. */
+        int (*asym_query)(const struct kernel_pkey_params *params,
+                          struct kernel_pkey_query *info);
+        int (*asym_eds_op)(struct kernel_pkey_params *params,
+                           const void *in, void *out);
+        int (*asym_verify_signature)(struct kernel_pkey_params *params,
+                                     const void *in, const void *in2);
        /* internal fields */
        struct list_head        link;           /* link in types list */
        struct lock_class_key   lock_class;     /* key->sem lock class */
diff --git a/include/linux/keyctl.h b/include/linux/keyctl.h
new file mode 100644
index 000000000000..c7c48c79ce0e
--- /dev/null
+++ b/include/linux/keyctl.h
@@ -0,0 +1,46 @@
+/* keyctl kernel bits
+ *
+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+#ifndef __LINUX_KEYCTL_H
+#define __LINUX_KEYCTL_H
+#include <uapi/linux/keyctl.h>
+struct kernel_pkey_query {
+        __u32           supported_ops;  /* Which ops are supported */
+        __u32           key_size;       /* Size of the key in bits */
+        __u16           max_data_size;  /* Maximum size of raw data to sign in bytes */
+        __u16           max_sig_size;   /* Maximum size of signature in bytes */
+        __u16           max_enc_size;   /* Maximum size of encrypted blob in bytes */
+        __u16           max_dec_size;   /* Maximum size of decrypted blob in bytes */
+};
+enum kernel_pkey_operation {
+        kernel_pkey_encrypt,
+        kernel_pkey_decrypt,
+        kernel_pkey_sign,
+        kernel_pkey_verify,
+};
+struct kernel_pkey_params {
+        struct key      *key;
+        const char      *encoding;      /* Encoding (eg. "oaep" or "raw" for none) */
+        const char      *hash_algo;     /* Digest algorithm used (eg. "sha1") or NULL if N/A */
+        char            *info;          /* Modified info string to be released later */
+        __u32           in_len;         /* Input data size */
+        union {
+                __u32   out_len;        /* Output buffer size (enc/dec/sign) */
+                __u32   in2_len;        /* 2nd input data size (verify) */
+        };
+        enum kernel_pkey_operation op : 8;
+};
+#endif /* __LINUX_KEYCTL_H */
diff --git a/include/uapi/linux/keyctl.h b/include/uapi/linux/keyctl.h
index 0f3cb13db8e9..1d1e9f2877af 100644
--- a/include/uapi/linux/keyctl.h
+++ b/include/uapi/linux/keyctl.h
@@ -82,4 +82,9 @@ struct keyctl_kdf_params {
        __u32 __spare[8];
 };
+#define KEYCTL_SUPPORTS_ENCRYPT         0x01
+#define KEYCTL_SUPPORTS_DECRYPT         0x02
+#define KEYCTL_SUPPORTS_SIGN            0x04
+#define KEYCTL_SUPPORTS_VERIFY          0x08
 #endif /*  _LINUX_KEYCTL_H */

diff --git a/Documentation/security/keys/core.rst b/Documentation/security/keys/core.rst index 9ce7256c6edb..c144978479d5 100644 --- a/Documentation/security/keys/core.rst +++ b/Documentation/security/keys/core.rst
@@ -1483,6 +1483,112 @@ The structure has a number of fields, some of which are mandatory:
1483	attempted key link operation. If there is no match, -EINVAL is returned.	1483	attempted key link operation. If there is no match, -EINVAL is returned.
1484		1484
1485		1485
		1486	* ``int (asym_eds_op)(struct kernel_pkey_params params,
		1487	const void in, void out);``
		1488	``int (asym_verify_signature)(struct kernel_pkey_params params,
		1489	const void in, const void in2);``
		1490
		1491	These methods are optional. If provided the first allows a key to be
		1492	used to encrypt, decrypt or sign a blob of data, and the second allows a
		1493	key to verify a signature.
		1494
		1495	In all cases, the following information is provided in the params block::
		1496
		1497	struct kernel_pkey_params {
		1498	struct key *key;
		1499	const char *encoding;
		1500	const char *hash_algo;
		1501	char *info;
		1502	__u32 in_len;
		1503	union {
		1504	__u32 out_len;
		1505	__u32 in2_len;
		1506	};
		1507	enum kernel_pkey_operation op : 8;
		1508	};
		1509
		1510	This includes the key to be used; a string indicating the encoding to use
		1511	(for instance, "pkcs1" may be used with an RSA key to indicate
		1512	RSASSA-PKCS1-v1.5 or RSAES-PKCS1-v1.5 encoding or "raw" if no encoding);
		1513	the name of the hash algorithm used to generate the data for a signature
		1514	(if appropriate); the sizes of the input and output (or second input)
		1515	buffers; and the ID of the operation to be performed.
		1516
		1517	For a given operation ID, the input and output buffers are used as
		1518	follows::
		1519
		1520	Operation ID in,in_len out,out_len in2,in2_len
		1521	======================= =============== =============== ===============
		1522	kernel_pkey_encrypt Raw data Encrypted data -
		1523	kernel_pkey_decrypt Encrypted data Raw data -
		1524	kernel_pkey_sign Raw data Signature -
		1525	kernel_pkey_verify Raw data - Signature
		1526
		1527	asym_eds_op() deals with encryption, decryption and signature creation as
		1528	specified by params->op. Note that params->op is also set for
		1529	asym_verify_signature().
		1530
		1531	Encrypting and signature creation both take raw data in the input buffer
		1532	and return the encrypted result in the output buffer. Padding may have
		1533	been added if an encoding was set. In the case of signature creation,
		1534	depending on the encoding, the padding created may need to indicate the
		1535	digest algorithm - the name of which should be supplied in hash_algo.
		1536
		1537	Decryption takes encrypted data in the input buffer and returns the raw
		1538	data in the output buffer. Padding will get checked and stripped off if
		1539	an encoding was set.
		1540
		1541	Verification takes raw data in the input buffer and the signature in the
		1542	second input buffer and checks that the one matches the other. Padding
		1543	will be validated. Depending on the encoding, the digest algorithm used
		1544	to generate the raw data may need to be indicated in hash_algo.
		1545
		1546	If successful, asym_eds_op() should return the number of bytes written
		1547	into the output buffer. asym_verify_signature() should return 0.
		1548
		1549	A variety of errors may be returned, including EOPNOTSUPP if the operation
		1550	is not supported; EKEYREJECTED if verification fails; ENOPKG if the
		1551	required crypto isn't available.
		1552
		1553
		1554	* ``int (asym_query)(const struct kernel_pkey_params params,
		1555	struct kernel_pkey_query *info);``
		1556
		1557	This method is optional. If provided it allows information about the
		1558	public or asymmetric key held in the key to be determined.
		1559
		1560	The parameter block is as for asym_eds_op() and co. but in_len and out_len
		1561	are unused. The encoding and hash_algo fields should be used to reduce
		1562	the returned buffer/data sizes as appropriate.
		1563
		1564	If successful, the following information is filled in::
		1565
		1566	struct kernel_pkey_query {
		1567	__u32 supported_ops;
		1568	__u32 key_size;
		1569	__u16 max_data_size;
		1570	__u16 max_sig_size;
		1571	__u16 max_enc_size;
		1572	__u16 max_dec_size;
		1573	};
		1574
		1575	The supported_ops field will contain a bitmask indicating what operations
		1576	are supported by the key, including encryption of a blob, decryption of a
		1577	blob, signing a blob and verifying the signature on a blob. The following
		1578	constants are defined for this::
		1579
		1580	KEYCTL_SUPPORTS_{ENCRYPT,DECRYPT,SIGN,VERIFY}
		1581
		1582	The key_size field is the size of the key in bits. max_data_size and
		1583	max_sig_size are the maximum raw data and signature sizes for creation and
		1584	verification of a signature; max_enc_size and max_dec_size are the maximum
		1585	raw data and signature sizes for encryption and decryption. The
		1586	max_*_size fields are measured in bytes.
		1587
		1588	If successful, 0 will be returned. If the key doesn't support this,
		1589	EOPNOTSUPP will be returned.
		1590
		1591
1486	Request-Key Callback Service	1592	Request-Key Callback Service
1487	============================	1593	============================
1488		1594


diff --git a/include/linux/key-type.h b/include/linux/key-type.h index 05d8fb5a06c4..bc9af551fc83 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h
@@ -17,6 +17,9 @@
17		17
18	#ifdef CONFIG_KEYS	18	#ifdef CONFIG_KEYS
19		19
		20	struct kernel_pkey_query;
		21	struct kernel_pkey_params;
		22
20	/*	23	/*
21	* key under-construction record	24	* key under-construction record
22	* - passed to the request_key actor if supplied	25	* - passed to the request_key actor if supplied
@@ -155,6 +158,14 @@ struct key_type {
155	*/	158	*/
156	struct key_restriction (lookup_restriction)(const char *params);	159	struct key_restriction (lookup_restriction)(const char *params);
157		160
		161	/* Asymmetric key accessor functions. */
		162	int (asym_query)(const struct kernel_pkey_params params,
		163	struct kernel_pkey_query *info);
		164	int (asym_eds_op)(struct kernel_pkey_params params,
		165	const void in, void out);
		166	int (asym_verify_signature)(struct kernel_pkey_params params,
		167	const void in, const void in2);
		168
158	/* internal fields */	169	/* internal fields */
159	struct list_head link; /* link in types list */	170	struct list_head link; /* link in types list */
160	struct lock_class_key lock_class; /* key->sem lock class */	171	struct lock_class_key lock_class; /* key->sem lock class */


diff --git a/include/linux/keyctl.h b/include/linux/keyctl.h new file mode 100644 index 000000000000..c7c48c79ce0e --- /dev/null +++ b/include/linux/keyctl.h
@@ -0,0 +1,46 @@
		1	/* keyctl kernel bits
		2	*
		3	* Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
		4	* Written by David Howells (dhowells@redhat.com)
		5	*
		6	* This program is free software; you can redistribute it and/or
		7	* modify it under the terms of the GNU General Public Licence
		8	* as published by the Free Software Foundation; either version
		9	* 2 of the Licence, or (at your option) any later version.
		10	*/
		11
		12	#ifndef __LINUX_KEYCTL_H
		13	#define __LINUX_KEYCTL_H
		14
		15	#include <uapi/linux/keyctl.h>
		16
		17	struct kernel_pkey_query {
		18	__u32 supported_ops; /* Which ops are supported */
		19	__u32 key_size; /* Size of the key in bits */
		20	__u16 max_data_size; /* Maximum size of raw data to sign in bytes */
		21	__u16 max_sig_size; /* Maximum size of signature in bytes */
		22	__u16 max_enc_size; /* Maximum size of encrypted blob in bytes */
		23	__u16 max_dec_size; /* Maximum size of decrypted blob in bytes */
		24	};
		25
		26	enum kernel_pkey_operation {
		27	kernel_pkey_encrypt,
		28	kernel_pkey_decrypt,
		29	kernel_pkey_sign,
		30	kernel_pkey_verify,
		31	};
		32
		33	struct kernel_pkey_params {
		34	struct key *key;
		35	const char encoding; / Encoding (eg. "oaep" or "raw" for none) */
		36	const char hash_algo; / Digest algorithm used (eg. "sha1") or NULL if N/A */
		37	char info; / Modified info string to be released later */
		38	__u32 in_len; /* Input data size */
		39	union {
		40	__u32 out_len; /* Output buffer size (enc/dec/sign) */
		41	__u32 in2_len; /* 2nd input data size (verify) */
		42	};
		43	enum kernel_pkey_operation op : 8;
		44	};
		45
		46	#endif /* __LINUX_KEYCTL_H */


diff --git a/include/uapi/linux/keyctl.h b/include/uapi/linux/keyctl.h index 0f3cb13db8e9..1d1e9f2877af 100644 --- a/include/uapi/linux/keyctl.h +++ b/include/uapi/linux/keyctl.h
@@ -82,4 +82,9 @@ struct keyctl_kdf_params {
82	__u32 __spare[8];	82	__u32 __spare[8];
83	};	83	};
84		84
		85	#define KEYCTL_SUPPORTS_ENCRYPT 0x01
		86	#define KEYCTL_SUPPORTS_DECRYPT 0x02
		87	#define KEYCTL_SUPPORTS_SIGN 0x04
		88	#define KEYCTL_SUPPORTS_VERIFY 0x08
		89
85	#endif /* _LINUX_KEYCTL_H */	90	#endif /* _LINUX_KEYCTL_H */