diff options
Diffstat (limited to 'security/keys')
| -rw-r--r-- | security/keys/ecryptfs_format.c | 81 | ||||
| -rw-r--r-- | security/keys/ecryptfs_format.h | 30 | ||||
| -rw-r--r-- | security/keys/encrypted.c | 1049 | ||||
| -rw-r--r-- | security/keys/encrypted.h | 54 |
4 files changed, 1214 insertions, 0 deletions
diff --git a/security/keys/ecryptfs_format.c b/security/keys/ecryptfs_format.c new file mode 100644 index 00000000000..6daa3b6ff9e --- /dev/null +++ b/security/keys/ecryptfs_format.c | |||
| @@ -0,0 +1,81 @@ | |||
| 1 | /* | ||
| 2 | * ecryptfs_format.c: helper functions for the encrypted key type | ||
| 3 | * | ||
| 4 | * Copyright (C) 2006 International Business Machines Corp. | ||
| 5 | * Copyright (C) 2010 Politecnico di Torino, Italy | ||
| 6 | * TORSEC group -- http://security.polito.it | ||
| 7 | * | ||
| 8 | * Authors: | ||
| 9 | * Michael A. Halcrow <mahalcro@us.ibm.com> | ||
| 10 | * Tyler Hicks <tyhicks@ou.edu> | ||
| 11 | * Roberto Sassu <roberto.sassu@polito.it> | ||
| 12 | * | ||
| 13 | * This program is free software; you can redistribute it and/or modify | ||
| 14 | * it under the terms of the GNU General Public License as published by | ||
| 15 | * the Free Software Foundation, version 2 of the License. | ||
| 16 | */ | ||
| 17 | |||
| 18 | #include <linux/module.h> | ||
| 19 | #include "ecryptfs_format.h" | ||
| 20 | |||
| 21 | u8 *ecryptfs_get_auth_tok_key(struct ecryptfs_auth_tok *auth_tok) | ||
| 22 | { | ||
| 23 | return auth_tok->token.password.session_key_encryption_key; | ||
| 24 | } | ||
| 25 | EXPORT_SYMBOL(ecryptfs_get_auth_tok_key); | ||
| 26 | |||
| 27 | /* | ||
| 28 | * ecryptfs_get_versions() | ||
| 29 | * | ||
| 30 | * Source code taken from the software 'ecryptfs-utils' version 83. | ||
| 31 | * | ||
| 32 | */ | ||
| 33 | void ecryptfs_get_versions(int *major, int *minor, int *file_version) | ||
| 34 | { | ||
| 35 | *major = ECRYPTFS_VERSION_MAJOR; | ||
| 36 | *minor = ECRYPTFS_VERSION_MINOR; | ||
| 37 | if (file_version) | ||
| 38 | *file_version = ECRYPTFS_SUPPORTED_FILE_VERSION; | ||
| 39 | } | ||
| 40 | EXPORT_SYMBOL(ecryptfs_get_versions); | ||
| 41 | |||
| 42 | /* | ||
| 43 | * ecryptfs_fill_auth_tok - fill the ecryptfs_auth_tok structure | ||
| 44 | * | ||
| 45 | * Fill the ecryptfs_auth_tok structure with required ecryptfs data. | ||
| 46 | * The source code is inspired to the original function generate_payload() | ||
| 47 | * shipped with the software 'ecryptfs-utils' version 83. | ||
| 48 | * | ||
| 49 | */ | ||
| 50 | int ecryptfs_fill_auth_tok(struct ecryptfs_auth_tok *auth_tok, | ||
| 51 | const char *key_desc) | ||
| 52 | { | ||
| 53 | int major, minor; | ||
| 54 | |||
| 55 | ecryptfs_get_versions(&major, &minor, NULL); | ||
| 56 | auth_tok->version = (((uint16_t)(major << 8) & 0xFF00) | ||
| 57 | | ((uint16_t)minor & 0x00FF)); | ||
| 58 | auth_tok->token_type = ECRYPTFS_PASSWORD; | ||
| 59 | strncpy((char *)auth_tok->token.password.signature, key_desc, | ||
| 60 | ECRYPTFS_PASSWORD_SIG_SIZE); | ||
| 61 | auth_tok->token.password.session_key_encryption_key_bytes = | ||
| 62 | ECRYPTFS_MAX_KEY_BYTES; | ||
| 63 | /* | ||
| 64 | * Removed auth_tok->token.password.salt and | ||
| 65 | * auth_tok->token.password.session_key_encryption_key | ||
| 66 | * initialization from the original code | ||
| 67 | */ | ||
| 68 | /* TODO: Make the hash parameterizable via policy */ | ||
| 69 | auth_tok->token.password.flags |= | ||
| 70 | ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET; | ||
| 71 | /* The kernel code will encrypt the session key. */ | ||
| 72 | auth_tok->session_key.encrypted_key[0] = 0; | ||
| 73 | auth_tok->session_key.encrypted_key_size = 0; | ||
| 74 | /* Default; subject to change by kernel eCryptfs */ | ||
| 75 | auth_tok->token.password.hash_algo = PGP_DIGEST_ALGO_SHA512; | ||
| 76 | auth_tok->token.password.flags &= ~(ECRYPTFS_PERSISTENT_PASSWORD); | ||
| 77 | return 0; | ||
| 78 | } | ||
| 79 | EXPORT_SYMBOL(ecryptfs_fill_auth_tok); | ||
| 80 | |||
| 81 | MODULE_LICENSE("GPL"); | ||
diff --git a/security/keys/ecryptfs_format.h b/security/keys/ecryptfs_format.h new file mode 100644 index 00000000000..40294de238b --- /dev/null +++ b/security/keys/ecryptfs_format.h | |||
| @@ -0,0 +1,30 @@ | |||
| 1 | /* | ||
| 2 | * ecryptfs_format.h: helper functions for the encrypted key type | ||
| 3 | * | ||
| 4 | * Copyright (C) 2006 International Business Machines Corp. | ||
| 5 | * Copyright (C) 2010 Politecnico di Torino, Italy | ||
| 6 | * TORSEC group -- http://security.polito.it | ||
| 7 | * | ||
| 8 | * Authors: | ||
| 9 | * Michael A. Halcrow <mahalcro@us.ibm.com> | ||
| 10 | * Tyler Hicks <tyhicks@ou.edu> | ||
| 11 | * Roberto Sassu <roberto.sassu@polito.it> | ||
| 12 | * | ||
| 13 | * This program is free software; you can redistribute it and/or modify | ||
| 14 | * it under the terms of the GNU General Public License as published by | ||
| 15 | * the Free Software Foundation, version 2 of the License. | ||
| 16 | */ | ||
| 17 | |||
| 18 | #ifndef __KEYS_ECRYPTFS_H | ||
| 19 | #define __KEYS_ECRYPTFS_H | ||
| 20 | |||
| 21 | #include <linux/ecryptfs.h> | ||
| 22 | |||
| 23 | #define PGP_DIGEST_ALGO_SHA512 10 | ||
| 24 | |||
| 25 | u8 *ecryptfs_get_auth_tok_key(struct ecryptfs_auth_tok *auth_tok); | ||
| 26 | void ecryptfs_get_versions(int *major, int *minor, int *file_version); | ||
| 27 | int ecryptfs_fill_auth_tok(struct ecryptfs_auth_tok *auth_tok, | ||
| 28 | const char *key_desc); | ||
| 29 | |||
| 30 | #endif /* __KEYS_ECRYPTFS_H */ | ||
diff --git a/security/keys/encrypted.c b/security/keys/encrypted.c new file mode 100644 index 00000000000..e7eca9ec4c6 --- /dev/null +++ b/security/keys/encrypted.c | |||
| @@ -0,0 +1,1049 @@ | |||
| 1 | /* | ||
| 2 | * Copyright (C) 2010 IBM Corporation | ||
| 3 | * Copyright (C) 2010 Politecnico di Torino, Italy | ||
| 4 | * TORSEC group -- http://security.polito.it | ||
| 5 | * | ||
| 6 | * Authors: | ||
| 7 | * Mimi Zohar <zohar@us.ibm.com> | ||
| 8 | * Roberto Sassu <roberto.sassu@polito.it> | ||
| 9 | * | ||
| 10 | * This program is free software; you can redistribute it and/or modify | ||
| 11 | * it under the terms of the GNU General Public License as published by | ||
| 12 | * the Free Software Foundation, version 2 of the License. | ||
| 13 | * | ||
| 14 | * See Documentation/security/keys-trusted-encrypted.txt | ||
| 15 | */ | ||
| 16 | |||
| 17 | #include <linux/uaccess.h> | ||
| 18 | #include <linux/module.h> | ||
| 19 | #include <linux/init.h> | ||
| 20 | #include <linux/slab.h> | ||
| 21 | #include <linux/parser.h> | ||
| 22 | #include <linux/string.h> | ||
| 23 | #include <linux/err.h> | ||
| 24 | #include <keys/user-type.h> | ||
| 25 | #include <keys/trusted-type.h> | ||
| 26 | #include <keys/encrypted-type.h> | ||
| 27 | #include <linux/key-type.h> | ||
| 28 | #include <linux/random.h> | ||
| 29 | #include <linux/rcupdate.h> | ||
| 30 | #include <linux/scatterlist.h> | ||
| 31 | #include <linux/crypto.h> | ||
| 32 | #include <linux/ctype.h> | ||
| 33 | #include <crypto/hash.h> | ||
| 34 | #include <crypto/sha.h> | ||
| 35 | #include <crypto/aes.h> | ||
| 36 | |||
| 37 | #include "encrypted.h" | ||
| 38 | #include "ecryptfs_format.h" | ||
| 39 | |||
| 40 | static const char KEY_TRUSTED_PREFIX[] = "trusted:"; | ||
| 41 | static const char KEY_USER_PREFIX[] = "user:"; | ||
| 42 | static const char hash_alg[] = "sha256"; | ||
| 43 | static const char hmac_alg[] = "hmac(sha256)"; | ||
| 44 | static const char blkcipher_alg[] = "cbc(aes)"; | ||
| 45 | static const char key_format_default[] = "default"; | ||
| 46 | static const char key_format_ecryptfs[] = "ecryptfs"; | ||
| 47 | static unsigned int ivsize; | ||
| 48 | static int blksize; | ||
| 49 | |||
| 50 | #define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1) | ||
| 51 | #define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1) | ||
| 52 | #define KEY_ECRYPTFS_DESC_LEN 16 | ||
| 53 | #define HASH_SIZE SHA256_DIGEST_SIZE | ||
| 54 | #define MAX_DATA_SIZE 4096 | ||
| 55 | #define MIN_DATA_SIZE 20 | ||
| 56 | |||
| 57 | struct sdesc { | ||
| 58 | struct shash_desc shash; | ||
| 59 | char ctx[]; | ||
| 60 | }; | ||
| 61 | |||
| 62 | static struct crypto_shash *hashalg; | ||
| 63 | static struct crypto_shash *hmacalg; | ||
| 64 | |||
| 65 | enum { | ||
| 66 | Opt_err = -1, Opt_new, Opt_load, Opt_update | ||
| 67 | }; | ||
| 68 | |||
| 69 | enum { | ||
| 70 | Opt_error = -1, Opt_default, Opt_ecryptfs | ||
| 71 | }; | ||
| 72 | |||
| 73 | static const match_table_t key_format_tokens = { | ||
| 74 | {Opt_default, "default"}, | ||
| 75 | {Opt_ecryptfs, "ecryptfs"}, | ||
| 76 | {Opt_error, NULL} | ||
| 77 | }; | ||
| 78 | |||
| 79 | static const match_table_t key_tokens = { | ||
| 80 | {Opt_new, "new"}, | ||
| 81 | {Opt_load, "load"}, | ||
| 82 | {Opt_update, "update"}, | ||
| 83 | {Opt_err, NULL} | ||
| 84 | }; | ||
| 85 | |||
| 86 | static int aes_get_sizes(void) | ||
| 87 | { | ||
| 88 | struct crypto_blkcipher *tfm; | ||
| 89 | |||
| 90 | tfm = crypto_alloc_blkcipher(blkcipher_alg, 0, CRYPTO_ALG_ASYNC); | ||
| 91 | if (IS_ERR(tfm)) { | ||
| 92 | pr_err("encrypted_key: failed to alloc_cipher (%ld)\n", | ||
| 93 | PTR_ERR(tfm)); | ||
| 94 | return PTR_ERR(tfm); | ||
| 95 | } | ||
| 96 | ivsize = crypto_blkcipher_ivsize(tfm); | ||
| 97 | blksize = crypto_blkcipher_blocksize(tfm); | ||
| 98 | crypto_free_blkcipher(tfm); | ||
| 99 | return 0; | ||
| 100 | } | ||
| 101 | |||
| 102 | /* | ||
