aboutsummaryrefslogtreecommitdiffstats
path: root/security/keys
diff options
context:
space:
mode:
Diffstat (limited to 'security/keys')
-rw-r--r--security/keys/ecryptfs_format.c81
-rw-r--r--security/keys/ecryptfs_format.h30
-rw-r--r--security/keys/encrypted.c1049
-rw-r--r--security/keys/encrypted.h54
4 files changed, 1214 insertions, 0 deletions
diff --git a/security/keys/ecryptfs_format.c b/security/keys/ecryptfs_format.c
new file mode 100644
index 00000000000..6daa3b6ff9e
--- /dev/null
+++ b/security/keys/ecryptfs_format.c
@@ -0,0 +1,81 @@
1/*
2 * ecryptfs_format.c: helper functions for the encrypted key type
3 *
4 * Copyright (C) 2006 International Business Machines Corp.
5 * Copyright (C) 2010 Politecnico di Torino, Italy
6 * TORSEC group -- http://security.polito.it
7 *
8 * Authors:
9 * Michael A. Halcrow <mahalcro@us.ibm.com>
10 * Tyler Hicks <tyhicks@ou.edu>
11 * Roberto Sassu <roberto.sassu@polito.it>
12 *
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation, version 2 of the License.
16 */
17
18#include <linux/module.h>
19#include "ecryptfs_format.h"
20
21u8 *ecryptfs_get_auth_tok_key(struct ecryptfs_auth_tok *auth_tok)
22{
23 return auth_tok->token.password.session_key_encryption_key;
24}
25EXPORT_SYMBOL(ecryptfs_get_auth_tok_key);
26
27/*
28 * ecryptfs_get_versions()
29 *
30 * Source code taken from the software 'ecryptfs-utils' version 83.
31 *
32 */
33void ecryptfs_get_versions(int *major, int *minor, int *file_version)
34{
35 *major = ECRYPTFS_VERSION_MAJOR;
36 *minor = ECRYPTFS_VERSION_MINOR;
37 if (file_version)
38 *file_version = ECRYPTFS_SUPPORTED_FILE_VERSION;
39}
40EXPORT_SYMBOL(ecryptfs_get_versions);
41
42/*
43 * ecryptfs_fill_auth_tok - fill the ecryptfs_auth_tok structure
44 *
45 * Fill the ecryptfs_auth_tok structure with required ecryptfs data.
46 * The source code is inspired to the original function generate_payload()
47 * shipped with the software 'ecryptfs-utils' version 83.
48 *
49 */
50int ecryptfs_fill_auth_tok(struct ecryptfs_auth_tok *auth_tok,
51 const char *key_desc)
52{
53 int major, minor;
54
55 ecryptfs_get_versions(&major, &minor, NULL);
56 auth_tok->version = (((uint16_t)(major << 8) & 0xFF00)
57 | ((uint16_t)minor & 0x00FF));
58 auth_tok->token_type = ECRYPTFS_PASSWORD;
59 strncpy((char *)auth_tok->token.password.signature, key_desc,
60 ECRYPTFS_PASSWORD_SIG_SIZE);
61 auth_tok->token.password.session_key_encryption_key_bytes =
62 ECRYPTFS_MAX_KEY_BYTES;
63 /*
64 * Removed auth_tok->token.password.salt and
65 * auth_tok->token.password.session_key_encryption_key
66 * initialization from the original code
67 */
68 /* TODO: Make the hash parameterizable via policy */
69 auth_tok->token.password.flags |=
70 ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET;
71 /* The kernel code will encrypt the session key. */
72 auth_tok->session_key.encrypted_key[0] = 0;
73 auth_tok->session_key.encrypted_key_size = 0;
74 /* Default; subject to change by kernel eCryptfs */
75 auth_tok->token.password.hash_algo = PGP_DIGEST_ALGO_SHA512;
76 auth_tok->token.password.flags &= ~(ECRYPTFS_PERSISTENT_PASSWORD);
77 return 0;
78}
79EXPORT_SYMBOL(ecryptfs_fill_auth_tok);
80
81MODULE_LICENSE("GPL");
diff --git a/security/keys/ecryptfs_format.h b/security/keys/ecryptfs_format.h
new file mode 100644
index 00000000000..40294de238b
--- /dev/null
+++ b/security/keys/ecryptfs_format.h
@@ -0,0 +1,30 @@
1/*
2 * ecryptfs_format.h: helper functions for the encrypted key type
3 *
4 * Copyright (C) 2006 International Business Machines Corp.
5 * Copyright (C) 2010 Politecnico di Torino, Italy
6 * TORSEC group -- http://security.polito.it
7 *
8 * Authors:
9 * Michael A. Halcrow <mahalcro@us.ibm.com>
10 * Tyler Hicks <tyhicks@ou.edu>
11 * Roberto Sassu <roberto.sassu@polito.it>
12 *
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation, version 2 of the License.
16 */
17
18#ifndef __KEYS_ECRYPTFS_H
19#define __KEYS_ECRYPTFS_H
20
21#include <linux/ecryptfs.h>
22
23#define PGP_DIGEST_ALGO_SHA512 10
24
25u8 *ecryptfs_get_auth_tok_key(struct ecryptfs_auth_tok *auth_tok);
26void ecryptfs_get_versions(int *major, int *minor, int *file_version);
27int ecryptfs_fill_auth_tok(struct ecryptfs_auth_tok *auth_tok,
28 const char *key_desc);
29
30#endif /* __KEYS_ECRYPTFS_H */
diff --git a/security/keys/encrypted.c b/security/keys/encrypted.c
new file mode 100644
index 00000000000..e7eca9ec4c6
--- /dev/null
+++ b/security/keys/encrypted.c
@@ -0,0 +1,1049 @@
1/*
2 * Copyright (C) 2010 IBM Corporation
3 * Copyright (C) 2010 Politecnico di Torino, Italy
4 * TORSEC group -- http://security.polito.it
5 *
6 * Authors:
7 * Mimi Zohar <zohar@us.ibm.com>
8 * Roberto Sassu <roberto.sassu@polito.it>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation, version 2 of the License.
13 *
14 * See Documentation/security/keys-trusted-encrypted.txt
15 */
16
17#include <linux/uaccess.h>
18#include <linux/module.h>
19#include <linux/init.h>
20#include <linux/slab.h>
21#include <linux/parser.h>
22#include <linux/string.h>
23#include <linux/err.h>
24#include <keys/user-type.h>
25#include <keys/trusted-type.h>
26#include <keys/encrypted-type.h>
27#include <linux/key-type.h>
28#include <linux/random.h>
29#include <linux/rcupdate.h>
30#include <linux/scatterlist.h>
31#include <linux/crypto.h>
32#include <linux/ctype.h>
33#include <crypto/hash.h>
34#include <crypto/sha.h>
35#include <crypto/aes.h>
36
37#include "encrypted.h"
38#include "ecryptfs_format.h"
39
40static const char KEY_TRUSTED_PREFIX[] = "trusted:";
41static const char KEY_USER_PREFIX[] = "user:";
42static const char hash_alg[] = "sha256";
43static const char hmac_alg[] = "hmac(sha256)";
44static const char blkcipher_alg[] = "cbc(aes)";
45static const char key_format_default[] = "default";
46static const char key_format_ecryptfs[] = "ecryptfs";
47static unsigned int ivsize;
48static int blksize;
49
50#define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1)
51#define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1)
52#define KEY_ECRYPTFS_DESC_LEN 16
53#define HASH_SIZE SHA256_DIGEST_SIZE
54#define MAX_DATA_SIZE 4096
55#define MIN_DATA_SIZE 20
56
57struct sdesc {
58 struct shash_desc shash;
59 char ctx[];
60};
61
62static struct crypto_shash *hashalg;
63static struct crypto_shash *hmacalg;
64
65enum {
66 Opt_err = -1, Opt_new, Opt_load, Opt_update
67};
68
69enum {
70 Opt_error = -1, Opt_default, Opt_ecryptfs
71};
72
73static const match_table_t key_format_tokens = {
74 {Opt_default, "default"},
75 {Opt_ecryptfs, "ecryptfs"},
76 {Opt_error, NULL}
77};
78
79static const match_table_t key_tokens = {
80 {Opt_new, "new"},
81 {Opt_load, "load"},
82 {Opt_update, "update"},
83 {Opt_err, NULL}
84};
85
86static int aes_get_sizes(void)
87{
88 struct crypto_blkcipher *tfm;
89
90 tfm = crypto_alloc_blkcipher(blkcipher_alg, 0, CRYPTO_ALG_ASYNC);
91 if (IS_ERR(tfm)) {
92 pr_err("encrypted_key: failed to alloc_cipher (%ld)\n",
93 PTR_ERR(tfm));
94 return PTR_ERR(tfm);
95 }
96 ivsize = crypto_blkcipher_ivsize(tfm);
97 blksize = crypto_blkcipher_blocksize(tfm);
98 crypto_free_blkcipher(tfm);
99 return 0;
100}
101
102/*