aboutsummaryrefslogtreecommitdiffstats
path: root/security/keys
diff options
context:
space:
mode:
authorGlenn Elliott <gelliott@cs.unc.edu>2012-03-04 19:47:13 -0500
committerGlenn Elliott <gelliott@cs.unc.edu>2012-03-04 19:47:13 -0500
commitc71c03bda1e86c9d5198c5d83f712e695c4f2a1e (patch)
treeecb166cb3e2b7e2adb3b5e292245fefd23381ac8 /security/keys
parentea53c912f8a86a8567697115b6a0d8152beee5c8 (diff)
parent6a00f206debf8a5c8899055726ad127dbeeed098 (diff)
Merge branch 'mpi-master' into wip-k-fmlpwip-k-fmlp
Conflicts: litmus/sched_cedf.c
Diffstat (limited to 'security/keys')
-rw-r--r--security/keys/Makefile2
-rw-r--r--security/keys/compat.c67
-rw-r--r--security/keys/encrypted.c902
-rw-r--r--security/keys/encrypted.h54
-rw-r--r--security/keys/gc.c14
-rw-r--r--security/keys/internal.h44
-rw-r--r--security/keys/key.c345
-rw-r--r--security/keys/keyctl.c502
-rw-r--r--security/keys/keyring.c367
-rw-r--r--security/keys/permission.c33
-rw-r--r--security/keys/proc.c19
-rw-r--r--security/keys/process_keys.c150
-rw-r--r--security/keys/request_key.c180
-rw-r--r--security/keys/request_key_auth.c67
-rw-r--r--security/keys/trusted.c1180
-rw-r--r--security/keys/trusted.h134
-rw-r--r--security/keys/user_defined.c53
17 files changed, 3419 insertions, 694 deletions
diff --git a/security/keys/Makefile b/security/keys/Makefile
index 74d5447d7df7..1bf090a885fe 100644
--- a/security/keys/Makefile
+++ b/security/keys/Makefile
@@ -13,6 +13,8 @@ obj-y := \
13 request_key_auth.o \ 13 request_key_auth.o \
14 user_defined.o 14 user_defined.o
15 15
16obj-$(CONFIG_TRUSTED_KEYS) += trusted.o
17obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted.o
16obj-$(CONFIG_KEYS_COMPAT) += compat.o 18obj-$(CONFIG_KEYS_COMPAT) += compat.o
17obj-$(CONFIG_PROC_FS) += proc.o 19obj-$(CONFIG_PROC_FS) += proc.o
18obj-$(CONFIG_SYSCTL) += sysctl.o 20obj-$(CONFIG_SYSCTL) += sysctl.o
diff --git a/security/keys/compat.c b/security/keys/compat.c
index 792c0a611a6d..338b510e9027 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -1,4 +1,4 @@
1/* compat.c: 32-bit compatibility syscall for 64-bit systems 1/* 32-bit compatibility syscall for 64-bit systems
2 * 2 *
3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com) 4 * Written by David Howells (dhowells@redhat.com)
@@ -12,15 +12,58 @@
12#include <linux/syscalls.h> 12#include <linux/syscalls.h>
13#include <linux/keyctl.h> 13#include <linux/keyctl.h>
14#include <linux/compat.h> 14#include <linux/compat.h>
15#include <linux/slab.h>
15#include "internal.h" 16#include "internal.h"
16 17
17/*****************************************************************************/
18/* 18/*
19 * the key control system call, 32-bit compatibility version for 64-bit archs 19 * Instantiate a key with the specified compatibility multipart payload and
20 * - this should only be called if the 64-bit arch uses weird pointers in 20 * link the key into the destination keyring if one is given.
21 * 32-bit mode or doesn't guarantee that the top 32-bits of the argument 21 *
22 * registers on taking a 32-bit syscall are zero 22 * The caller must have the appropriate instantiation permit set for this to
23 * - if you can, you should call sys_keyctl directly 23 * work (see keyctl_assume_authority). No other permissions are required.
24 *
25 * If successful, 0 will be returned.
26 */
27long compat_keyctl_instantiate_key_iov(
28 key_serial_t id,
29 const struct compat_iovec __user *_payload_iov,
30 unsigned ioc,
31 key_serial_t ringid)
32{
33 struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
34 long ret;
35
36 if (_payload_iov == 0 || ioc == 0)
37 goto no_payload;
38
39 ret = compat_rw_copy_check_uvector(WRITE, _payload_iov, ioc,
40 ARRAY_SIZE(iovstack),
41 iovstack, &iov);
42 if (ret < 0)
43 return ret;
44 if (ret == 0)
45 goto no_payload_free;
46
47 ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
48
49 if (iov != iovstack)
50 kfree(iov);
51 return ret;
52
53no_payload_free:
54 if (iov != iovstack)
55 kfree(iov);
56no_payload:
57 return keyctl_instantiate_key_common(id, NULL, 0, 0, ringid);
58}
59
60/*
61 * The key control system call, 32-bit compatibility version for 64-bit archs
62 *
63 * This should only be called if the 64-bit arch uses weird pointers in 32-bit
64 * mode or doesn't guarantee that the top 32-bits of the argument registers on
65 * taking a 32-bit syscall are zero. If you can, you should call sys_keyctl()
66 * directly.
24 */ 67 */
25asmlinkage long compat_sys_keyctl(u32 option, 68asmlinkage long compat_sys_keyctl(u32 option,
26 u32 arg2, u32 arg3, u32 arg4, u32 arg5) 69 u32 arg2, u32 arg3, u32 arg4, u32 arg5)
@@ -85,8 +128,14 @@ asmlinkage long compat_sys_keyctl(u32 option,
85 case KEYCTL_SESSION_TO_PARENT: 128 case KEYCTL_SESSION_TO_PARENT:
86 return keyctl_session_to_parent(); 129 return keyctl_session_to_parent();
87 130
131 case KEYCTL_REJECT:
132 return keyctl_reject_key(arg2, arg3, arg4, arg5);
133
134 case KEYCTL_INSTANTIATE_IOV:
135 return compat_keyctl_instantiate_key_iov(
136 arg2, compat_ptr(arg3), arg4, arg5);
137
88 default: 138 default:
89 return -EOPNOTSUPP; 139 return -EOPNOTSUPP;
90 } 140 }
91 141}
92} /* end compat_sys_keyctl() */
diff --git a/security/keys/encrypted.c b/security/keys/encrypted.c
new file mode 100644
index 000000000000..b1cba5bf0a5e
--- /dev/null
+++ b/security/keys/encrypted.c
@@ -0,0 +1,902 @@
1/*
2 * Copyright (C) 2010 IBM Corporation
3 *
4 * Author:
5 * Mimi Zohar <zohar@us.ibm.com>
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, version 2 of the License.
10 *
11 * See Documentation/security/keys-trusted-encrypted.txt
12 */
13
14#include <linux/uaccess.h>
15#include <linux/module.h>
16#include <linux/init.h>
17#include <linux/slab.h>
18#include <linux/parser.h>
19#include <linux/string.h>
20#include <linux/err.h>
21#include <keys/user-type.h>
22#include <keys/trusted-type.h>
23#include <keys/encrypted-type.h>
24#include <linux/key-type.h>
25#include <linux/random.h>
26#include <linux/rcupdate.h>
27#include <linux/scatterlist.h>
28#include <linux/crypto.h>
29#include <crypto/hash.h>
30#include <crypto/sha.h>
31#include <crypto/aes.h>
32
33#include "encrypted.h"
34
35static const char KEY_TRUSTED_PREFIX[] = "trusted:";
36static const char KEY_USER_PREFIX[] = "user:";
37static const char hash_alg[] = "sha256";
38static const char hmac_alg[] = "hmac(sha256)";
39static const char blkcipher_alg[] = "cbc(aes)";
40static unsigned int ivsize;
41static int blksize;
42
43#define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1)
44#define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1)
45#define HASH_SIZE SHA256_DIGEST_SIZE
46#define MAX_DATA_SIZE 4096
47#define MIN_DATA_SIZE 20
48
49struct sdesc {
50 struct shash_desc shash;
51 char ctx[];
52};
53
54static struct crypto_shash *hashalg;
55static struct crypto_shash *hmacalg;
56
57enum {
58 Opt_err = -1, Opt_new, Opt_load, Opt_update
59};
60
61static const match_table_t key_tokens = {
62 {Opt_new, "new"},
63 {Opt_load, "load"},
64 {Opt_update, "update"},
65 {Opt_err, NULL}
66};
67
68static int aes_get_sizes(void)
69{
70 struct crypto_blkcipher *tfm;
71
72 tfm = crypto_alloc_blkcipher(blkcipher_alg, 0, CRYPTO_ALG_ASYNC);
73 if (IS_ERR(tfm)) {
74 pr_err("encrypted_key: failed to alloc_cipher (%ld)\n",
75 PTR_ERR(tfm));
76 return PTR_ERR(tfm);
77 }
78 ivsize = crypto_blkcipher_ivsize(tfm);
79 blksize = crypto_blkcipher_blocksize(tfm);
80 crypto_free_blkcipher(tfm);
81 return 0;
82}
83
84/*
85 * valid_master_desc - verify the 'key-type:desc' of a new/updated master-key
86 *
87 * key-type:= "trusted:" | "encrypted:"
88 * desc:= master-key description
89 *
90 * Verify that 'key-type' is valid and that 'desc' exists. On key update,
91 * only the master key description is permitted to change, not the key-type.
92 * The key-type remains constant.
93 *
94 * On success returns 0, otherwise -EINVAL.
95 */
96static int valid_master_desc(const char *new_desc, const char *orig_desc)
97{
98 if (!memcmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) {
99 if (strlen(new_desc) == KEY_TRUSTED_PREFIX_LEN)
100 goto out;
101 if (orig_desc)
102 if (memcmp(new_desc, orig_desc, KEY_TRUSTED_PREFIX_LEN))
103 goto out;
104 } else if (!memcmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) {
105 if (strlen(new_desc) == KEY_USER_PREFIX_LEN)
106 goto out;
107 if (orig_desc)
108 if (memcmp(new_desc, orig_desc, KEY_USER_PREFIX_LEN))
109 goto out;
110 } else
111 goto out;
112 return 0;
113out:
114 return -EINVAL;
115}
116
117/*
118 * datablob_parse - parse the keyctl data
119 *
120 * datablob format:
121 * new <master-key name> <decrypted data length>
122 * load <master-key name> <decrypted data length> <encrypted iv + data>
123 * update <new-master-key name>
124 *
125 * Tokenizes a copy of the keyctl data, returning a pointer to each token,
126 * which is null terminated.
127 *
128 * On success returns 0, otherwise -EINVAL.
129 */
130static int datablob_parse(char *datablob, char **master_desc,
131 char **decrypted_datalen, char **hex_encoded_iv)
132{
133 substring_t args[MAX_OPT_ARGS];
134 int ret = -EINVAL;
135 int key_cmd;
136 char *p;
137
138 p = strsep(&datablob, " \t");
139 if (!p)
140 return ret;
141 key_cmd = match_token(p, key_tokens, args);
142
143 *master_desc = strsep(&datablob, " \t");
144 if (!*master_desc)
145 goto out;
146
147 if (valid_master_desc(*master_desc, NULL) < 0)
148 goto out;
149
150 if (decrypted_datalen) {
151 *decrypted_datalen = strsep(&datablob, " \t");
152 if (!*decrypted_datalen)
153 goto out;
154 }
155
156 switch (key_cmd) {
157 case Opt_new:
158 if (!decrypted_datalen)
159 break;
160 ret = 0;
161 break;
162 case Opt_load:
163 if (!decrypted_datalen)
164 break;
165 *hex_encoded_iv = strsep(&datablob, " \t");
166 if (!*hex_encoded_iv)
167 break;
168 ret = 0;
169 break;
170 case Opt_update:
171 if (decrypted_datalen)
172 break;
173 ret = 0;
174 break;
175 case Opt_err:
176 break;
177 }
178out:
179 return ret;
180}
181
182/*
183 * datablob_format - format as an ascii string, before copying to userspace
184 */
185static char *datablob_format(struct encrypted_key_payload *epayload,
186 size_t asciiblob_len)
187{
188 char *ascii_buf, *bufp;
189 u8 *iv = epayload->iv;
190 int len;
191 int i;
192
193 ascii_buf = kmalloc(asciiblob_len + 1, GFP_KERNEL);
194 if (!ascii_buf)
195 goto out;
196
197 ascii_buf[asciiblob_len] = '\0';
198
199 /* copy datablob master_desc and datalen strings */
200 len = sprintf(ascii_buf, "%s %s ", epayload->master_desc,
201 epayload->datalen);
202
203 /* convert the hex encoded iv, encrypted-data and HMAC to ascii */
204 bufp = &ascii_buf[len];
205 for (i = 0; i < (asciiblob_len - len) / 2; i++)
206 bufp = pack_hex_byte(bufp, iv[i]);
207out:
208 return ascii_buf;
209}
210
211/*
212 * request_trusted_key - request the trusted key
213 *
214 * Trusted keys are sealed to PCRs and other metadata. Although userspace
215 * manages both trusted/encrypted key-types, like the encrypted key type
216 * data, trusted key type data is not visible decrypted from userspace.
217 */
218static struct key *request_trusted_key(const char *trusted_desc,
219 u8 **master_key, size_t *master_keylen)
220{
221 struct trusted_key_payload *tpayload;
222 struct key *tkey;
223
224 tkey = request_key(&key_type_trusted, trusted_desc, NULL);
225 if (IS_ERR(tkey))
226 goto error;
227
228 down_read(&tkey->sem);
229 tpayload = rcu_dereference(tkey->payload.data);
230 *master_key = tpayload->key;
231 *master_keylen = tpayload->key_len;
232error:
233 return tkey;
234}
235
236/*
237 * request_user_key - request the user key
238 *
239 * Use a user provided key to encrypt/decrypt an encrypted-key.
240 */
241static struct key *request_user_key(const char *master_desc, u8 **master_key,
242 size_t *master_keylen)
243{
244 struct user_key_payload *upayload;
245 struct key *ukey;
246
247 ukey = request_key(&key_type_user, master_desc, NULL);
248 if (IS_ERR(ukey))
249 goto error;
250
251 down_read(&ukey->sem);
252 upayload = rcu_dereference(ukey->payload.data);
253 *master_key = upayload->data;
254 *master_keylen = upayload->datalen;
255error:
256 return ukey;
257}
258
259static struct sdesc *alloc_sdesc(struct crypto_shash *alg)
260{
261 struct sdesc *sdesc;
262 int size;
263
264 size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
265 sdesc = kmalloc(size, GFP_KERNEL);
266 if (!sdesc)
267 return ERR_PTR(-ENOMEM);
268 sdesc->shash.tfm = alg;
269 sdesc->shash.flags = 0x0;
270 return sdesc;
271}
272
273static int calc_hmac(u8 *digest, const u8 *key, unsigned int keylen,
274 const u8 *buf, unsigned int buflen)
275{
276 struct sdesc *sdesc;
277 int ret;
278
279 sdesc = alloc_sdesc(hmacalg);
280 if (IS_ERR(sdesc)) {
281 pr_info("encrypted_key: can't alloc %s\n", hmac_alg);
282 return PTR_ERR(sdesc);
283 }
284
285 ret = crypto_shash_setkey(hmacalg, key, keylen);
286 if (!ret)
287 ret = crypto_shash_digest(&sdesc->shash, buf, buflen, digest);
288 kfree(sdesc);
289 return ret;
290}
291
292static int calc_hash(u8 *digest, const u8 *buf, unsigned int buflen)
293{
294 struct sdesc *sdesc;
295 int ret;
296
297 sdesc = alloc_sdesc(hashalg);
298 if (IS_ERR(sdesc)) {
299 pr_info("encrypted_key: can't alloc %s\n", hash_alg);
300 return PTR_ERR(sdesc);
301 }
302
303 ret = crypto_shash_digest(&sdesc->shash, buf, buflen, digest);
304 kfree(sdesc);
305 return ret;
306}
307
308enum derived_key_type { ENC_KEY, AUTH_KEY };
309
310/* Derive authentication/encryption key from trusted key */
311static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
312 const u8 *master_key, size_t master_keylen)
313{
314 u8 *derived_buf;
315 unsigned int derived_buf_len;
316 int ret;
317
318 derived_buf_len = strlen("AUTH_KEY") + 1 + master_keylen;
319 if (derived_buf_len < HASH_SIZE)
320 derived_buf_len = HASH_SIZE;
321
322 derived_buf = kzalloc(derived_buf_len, GFP_KERNEL);
323 if (!derived_buf) {
324 pr_err("encrypted_key: out of memory\n");
325 return -ENOMEM;
326 }
327 if (key_type)
328 strcpy(derived_buf, "AUTH_KEY");
329 else
330 strcpy(derived_buf, "ENC_KEY");
331
332 memcpy(derived_buf + strlen(derived_buf) + 1, master_key,
333 master_keylen);
334 ret = calc_hash(derived_key, derived_buf, derived_buf_len);
335 kfree(derived_buf);
336 return ret;
337}
338
339static int init_blkcipher_desc(struct blkcipher_desc *desc, const u8 *key,
340 unsigned int key_len, const u8 *iv,
341 unsigned int ivsize)
342{
343 int ret;
344
345 desc->tfm = crypto_alloc_blkcipher(blkcipher_alg, 0, CRYPTO_ALG_ASYNC);
346 if (IS_ERR(desc->tfm)) {
347 pr_err("encrypted_key: failed to load %s transform (%ld)\n",
348 blkcipher_alg, PTR_ERR(desc->tfm));
349 return PTR_ERR(desc->tfm);
350 }
351 desc->flags = 0;
352
353 ret = crypto_blkcipher_setkey(desc->tfm, key, key_len);
354 if (ret < 0) {
355 pr_err("encrypted_key: failed to setkey (%d)\n", ret);
356 crypto_free_blkcipher(desc->tfm);
357 return ret;
358 }
359 crypto_blkcipher_set_iv(desc->tfm, iv, ivsize);
360 return 0;
361}
362
363static struct key *request_master_key(struct encrypted_key_payload *epayload,
364 u8 **master_key, size_t *master_keylen)
365{
366 struct key *mkey = NULL;
367
368 if (!strncmp(epayload->master_desc, KEY_TRUSTED_PREFIX,
369 KEY_TRUSTED_PREFIX_LEN)) {
370 mkey = request_trusted_key(epayload->master_desc +
371 KEY_TRUSTED_PREFIX_LEN,
372 master_key, master_keylen);
373 } else if (!strncmp(epayload->master_desc, KEY_USER_PREFIX,
374 KEY_USER_PREFIX_LEN)) {
375 mkey = request_user_key(epayload->master_desc +
376 KEY_USER_PREFIX_LEN,
377 master_key, master_keylen);
378 } else
379 goto out;
380
381 if (IS_ERR(mkey))
382 pr_info("encrypted_key: key %s not found",
383 epayload->master_desc);
384 if (mkey)
385 dump_master_key(*master_key, *master_keylen);
386out:
387 return mkey;
388}
389
390/* Before returning data to userspace, encrypt decrypted data. */
391static int derived_key_encrypt(struct encrypted_key_payload *epayload,
392 const u8 *derived_key,
393 unsigned int derived_keylen)
394{
395 struct scatterlist sg_in[2];
396 struct scatterlist sg_out[1];
397 struct blkcipher_desc desc;
398 unsigned int encrypted_datalen;
399 unsigned int padlen;
400 char pad[16];
401 int ret;
402
403 encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
404 padlen = encrypted_datalen - epayload->decrypted_datalen;
405
406 ret = init_blkcipher_desc(&desc, derived_key, derived_keylen,
407 epayload->iv, ivsize);
408 if (ret < 0)
409 goto out;
410 dump_decrypted_data(epayload);
411
412 memset(pad, 0, sizeof pad);
413 sg_init_table(sg_in, 2);
414 sg_set_buf(&sg_in[0], epayload->decrypted_data,
415 epayload->decrypted_datalen);
416 sg_set_buf(&sg_in[1], pad, padlen);
417
418 sg_init_table(sg_out, 1);
419 sg_set_buf(sg_out, epayload->encrypted_data, encrypted_datalen);
420
421 ret = crypto_blkcipher_encrypt(&desc, sg_out, sg_in, encrypted_datalen);
422 crypto_free_blkcipher(desc.tfm);
423 if (ret < 0)
424 pr_err("encrypted_key: failed to encrypt (%d)\n", ret);
425 else
426 dump_encrypted_data(epayload, encrypted_datalen);
427out:
428 return ret;
429}
430
431static int datablob_hmac_append(struct encrypted_key_payload *epayload,
432 const u8 *master_key, size_t master_keylen)
433{
434 u8 derived_key[HASH_SIZE];
435 u8 *digest;
436 int ret;
437
438 ret = get_derived_key(derived_key, AUTH_KEY, master_key, master_keylen);
439 if (ret < 0)
440 goto out;
441
442 digest = epayload->master_desc + epayload->datablob_len;
443 ret = calc_hmac(digest, derived_key, sizeof derived_key,
444 epayload->master_desc, epayload->datablob_len);
445 if (!ret)
446 dump_hmac(NULL, digest, HASH_SIZE);
447out:
448 return ret;
449}
450
451/* verify HMAC before decrypting encrypted key */
452static int datablob_hmac_verify(struct encrypted_key_payload *epayload,
453 const u8 *master_key, size_t master_keylen)
454{
455 u8 derived_key[HASH_SIZE];
456 u8 digest[HASH_SIZE];
457 int ret;
458
459 ret = get_derived_key(derived_key, AUTH_KEY, master_key, master_keylen);
460 if (ret < 0)
461 goto out;
462
463 ret = calc_hmac(digest, derived_key, sizeof derived_key,
464 epayload->master_desc, epayload->datablob_len);
465 if (ret < 0)
466 goto out;
467 ret = memcmp(digest, epayload->master_desc + epayload->datablob_len,
468 sizeof digest);
469 if (ret) {
470 ret = -EINVAL;
471 dump_hmac("datablob",
472 epayload->master_desc + epayload->datablob_len,
473 HASH_SIZE);
474 dump_hmac("calc", digest, HASH_SIZE);
475 }
476out:
477 return ret;
478}
479
480static int derived_key_decrypt(struct encrypted_key_payload *epayload,
481 const u8 *derived_key,
482 unsigned int derived_keylen)
483{
484 struct scatterlist sg_in[1];
485 struct scatterlist sg_out[2];
486 struct blkcipher_desc desc;
487 unsigned int encrypted_datalen;
488 char pad[16];
489 int ret;
490
491 encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
492 ret = init_blkcipher_desc(&desc, derived_key, derived_keylen,
493 epayload->iv, ivsize);
494 if (ret < 0)
495 goto out;
496 dump_encrypted_data(epayload, encrypted_datalen);
497
498 memset(pad, 0, sizeof pad);
499 sg_init_table(sg_in, 1);
500 sg_init_table(sg_out, 2);
501 sg_set_buf(sg_in, epayload->encrypted_data, encrypted_datalen);
502 sg_set_buf(&sg_out[0], epayload->decrypted_data,
503 epayload->decrypted_datalen);
504 sg_set_buf(&sg_out[1], pad, sizeof pad);
505
506 ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in, encrypted_datalen);
507 crypto_free_blkcipher(desc.tfm);
508 if (ret < 0)
509 goto out;
510 dump_decrypted_data(epayload);
511out:
512 return ret;
513}
514
515/* Allocate memory for decrypted key and datablob. */
516static struct encrypted_key_payload *encrypted_key_alloc(struct key *key,
517 const char *master_desc,
518 const char *datalen)
519{
520 struct encrypted_key_payload *epayload = NULL;
521 unsigned short datablob_len;
522 unsigned short decrypted_datalen;
523 unsigned int encrypted_datalen;
524 long dlen;
525 int ret;
526
527 ret = strict_strtol(datalen, 10, &dlen);
528 if (ret < 0 || dlen < MIN_DATA_SIZE || dlen > MAX_DATA_SIZE)
529 return ERR_PTR(-EINVAL);
530
531 decrypted_datalen = dlen;
532 encrypted_datalen = roundup(decrypted_datalen, blksize);
533
534 datablob_len = strlen(master_desc) + 1 + strlen(datalen) + 1
535 + ivsize + 1 + encrypted_datalen;
536
537 ret = key_payload_reserve(key, decrypted_datalen + datablob_len
538 + HASH_SIZE + 1);
539 if (ret < 0)
540 return ERR_PTR(ret);
541
542 epayload = kzalloc(sizeof(*epayload) + decrypted_datalen +
543 datablob_len + HASH_SIZE + 1, GFP_KERNEL);
544 if (!epayload)
545 return ERR_PTR(-ENOMEM);
546
547 epayload->decrypted_datalen = decrypted_datalen;
548 epayload->datablob_len = datablob_len;
549 return epayload;
550}
551
552static int encrypted_key_decrypt(struct encrypted_key_payload *epayload,
553 const char *hex_encoded_iv)
554{
555 struct key *mkey;
556 u8 derived_key[HASH_SIZE];
557 u8 *master_key;
558 u8 *hmac;
559 const char *hex_encoded_data;
560 unsigned int encrypted_datalen;
561 size_t master_keylen;
562 size_t asciilen;
563 int ret;
564
565 encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
566 asciilen = (ivsize + 1 + encrypted_datalen + HASH_SIZE) * 2;
567 if (strlen(hex_encoded_iv) != asciilen)
568 return -EINVAL;
569
570 hex_encoded_data = hex_encoded_iv + (2 * ivsize) + 2;
571 hex2bin(epayload->iv, hex_encoded_iv, ivsize);
572 hex2bin(epayload->encrypted_data, hex_encoded_data, encrypted_datalen);
573
574 hmac = epayload->master_desc + epayload->datablob_len;
575 hex2bin(hmac, hex_encoded_data + (encrypted_datalen * 2), HASH_SIZE);
576
577 mkey = request_master_key(epayload, &master_key, &master_keylen);
578 if (IS_ERR(mkey))
579 return PTR_ERR(mkey);
580
581 ret = datablob_hmac_verify(epayload, master_key, master_keylen);
582 if (ret < 0) {
583 pr_err("encrypted_key: bad hmac (%d)\n", ret);
584 goto out;
585 }
586
587 ret = get_derived_key(derived_key, ENC_KEY, master_key, master_keylen);
588 if (ret < 0)
589 goto out;
590
591 ret = derived_key_decrypt(epayload, derived_key, sizeof derived_key);
592 if (ret < 0)
593 pr_err("encrypted_key: failed to decrypt key (%d)\n", ret);
594out:
595 up_read(&mkey->sem);
596 key_put(mkey);
597 return ret;
598}
599
600static void __ekey_init(struct encrypted_key_payload *epayload,
601 const char *master_desc, const char *datalen)
602{
603 epayload->master_desc = epayload->decrypted_data
604 + epayload->decrypted_datalen;
605 epayload->datalen = epayload->master_desc + strlen(master_desc) + 1;
606 epayload->iv = epayload->datalen + strlen(datalen) + 1;
607 epayload->encrypted_data = epayload->iv + ivsize + 1;
608
609 memcpy(epayload->master_desc, master_desc, strlen(master_desc));
610 memcpy(epayload->datalen, datalen, strlen(datalen));
611}
612
613/*
614 * encrypted_init - initialize an encrypted key
615 *
616 * For a new key, use a random number for both the iv and data
617 * itself. For an old key, decrypt the hex encoded data.
618 */
619static int encrypted_init(struct encrypted_key_payload *epayload,
620 const char *master_desc, const char *datalen,
621 const char *hex_encoded_iv)
622{
623 int ret = 0;
624
625 __ekey_init(epayload, master_desc, datalen);
626 if (!hex_encoded_iv) {
627 get_random_bytes(epayload->iv, ivsize);
628
629 get_random_bytes(epayload->decrypted_data,
630 epayload->decrypted_datalen);
631 } else
632 ret = encrypted_key_decrypt(epayload, hex_encoded_iv);
633 return ret;
634}
635
636/*
637 * encrypted_instantiate - instantiate an encrypted key
638 *
639 * Decrypt an existing encrypted datablob or create a new encrypted key
640 * based on a kernel random number.
641 *
642 * On success, return 0. Otherwise return errno.
643 */
644static int encrypted_instantiate(struct key *key, const void *data,
645 size_t datalen)
646{
647 struct encrypted_key_payload *epayload = NULL;
648 char *datablob = NULL;
649 char *master_desc = NULL;
650 char *decrypted_datalen = NULL;
651 char *hex_encoded_iv = NULL;
652 int ret;
653
654 if (datalen <= 0 || datalen > 32767 || !data)
655 return -EINVAL;
656
657 datablob = kmalloc(datalen + 1, GFP_KERNEL);
658 if (!datablob)
659 return -ENOMEM;
660 datablob[datalen] = 0;
661 memcpy(datablob, data, datalen);
662 ret = datablob_parse(datablob, &master_desc, &decrypted_datalen,
663 &hex_encoded_iv);
664 if (ret < 0)
665 goto out;
666
667 epayload = encrypted_key_alloc(key, master_desc, decrypted_datalen);
668 if (IS_ERR(epayload)) {
669 ret = PTR_ERR(epayload);
670 goto out;
671 }
672 ret = encrypted_init(epayload, master_desc, decrypted_datalen,
673 hex_encoded_iv);
674 if (ret < 0) {
675 kfree(epayload);
676 goto out;
677 }
678
679 rcu_assign_pointer(key->payload.data, epayload);
680out:
681 kfree(datablob);
682 return ret;
683}
684
685static void encrypted_rcu_free(struct rcu_head *rcu)
686{
687 struct encrypted_key_payload *epayload;
688
689 epayload = container_of(rcu, struct encrypted_key_payload, rcu);
690 memset(epayload->decrypted_data, 0, epayload->decrypted_datalen);
691 kfree(epayload);
692}
693
694/*
695 * encrypted_update - update the master key description
696 *
697 * Change the master key description for an existing encrypted key.
698 * The next read will return an encrypted datablob using the new
699 * master key description.
700 *
701 * On success, return 0. Otherwise return errno.
702 */
703static int encrypted_update(struct key *key, const void *data, size_t datalen)
704{
705 struct encrypted_key_payload *epayload = key->payload.data;
706 struct encrypted_key_payload *new_epayload;
707 char *buf;
708 char *new_master_desc = NULL;
709 int ret = 0;
710
711 if (datalen <= 0 || datalen > 32767 || !data)
712 return -EINVAL;
713
714 buf = kmalloc(datalen + 1, GFP_KERNEL);
715 if (!buf)
716 return -ENOMEM;
717
718 buf[datalen] = 0;
719 memcpy(buf, data, datalen);
720 ret = datablob_parse(buf, &new_master_desc, NULL, NULL);
721 if (ret < 0)
722 goto out;
723
724 ret = valid_master_desc(new_master_desc, epayload->master_desc);
725 if (ret < 0)
726 goto out;
727
728 new_epayload = encrypted_key_alloc(key, new_master_desc,
729 epayload->datalen);
730 if (IS_ERR(new_epayload)) {
731 ret = PTR_ERR(new_epayload);
732 goto out;
733 }
734
735 __ekey_init(new_epayload, new_master_desc, epayload->datalen);
736
737 memcpy(new_epayload->iv, epayload->iv, ivsize);
738 memcpy(new_epayload->decrypted_data, epayload->decrypted_data,
739 epayload->decrypted_datalen);
740
741 rcu_assign_pointer(key->payload.data, new_epayload);
742 call_rcu(&epayload->rcu, encrypted_rcu_free);
743out:
744 kfree(buf);
745 return ret;
746}
747
748/*
749 * encrypted_read - format and copy the encrypted data to userspace
750 *
751 * The resulting datablob format is:
752 * <master-key name> <decrypted data length> <encrypted iv> <encrypted data>
753 *
754 * On success, return to userspace the encrypted key datablob size.
755 */
756static long encrypted_read(const struct key *key, char __user *buffer,
757 size_t buflen)
758{
759 struct encrypted_key_payload *epayload;
760 struct key *mkey;
761 u8 *master_key;
762 size_t master_keylen;
763 char derived_key[HASH_SIZE];
764 char *ascii_buf;
765 size_t asciiblob_len;
766 int ret;
767
768 epayload = rcu_dereference_key(key);
769
770 /* returns the hex encoded iv, encrypted-data, and hmac as ascii */
771 asciiblob_len = epayload->datablob_len + ivsize + 1
772 + roundup(epayload->decrypted_datalen, blksize)
773 + (HASH_SIZE * 2);
774
775 if (!buffer || buflen < asciiblob_len)
776 return asciiblob_len;
777
778 mkey = request_master_key(epayload, &master_key, &master_keylen);
779 if (IS_ERR(mkey))
780 return PTR_ERR(mkey);
781
782 ret = get_derived_key(derived_key, ENC_KEY, master_key, master_keylen);
783 if (ret < 0)
784 goto out;
785
786 ret = derived_key_encrypt(epayload, derived_key, sizeof derived_key);
787 if (ret < 0)
788 goto out;
789
790 ret = datablob_hmac_append(epayload, master_key, master_keylen);
791 if (ret < 0)
792 goto out;
793
794 ascii_buf = datablob_format(epayload, asciiblob_len);
795 if (!ascii_buf) {
796 ret = -ENOMEM;
797 goto out;
798 }
799
800 up_read(&mkey->sem);
801 key_put(mkey);
802
803 if (copy_to_user(buffer, ascii_buf, asciiblob_len) != 0)
804 ret = -EFAULT;
805 kfree(ascii_buf);
806
807 return asciiblob_len;
808out:
809 up_read(&mkey->sem);
810 key_put(mkey);
811 return ret;
812}
813
814/*
815 * encrypted_destroy - before freeing the key, clear the decrypted data
816 *
817 * Before freeing the key, clear the memory containing the decrypted
818 * key data.
819 */
820static void encrypted_destroy(struct key *key)
821{
822 struct encrypted_key_payload *epayload = key->payload.data;
823
824 if (!epayload)
825 return;
826
827 memset(epayload->decrypted_data, 0, epayload->decrypted_datalen);
828 kfree(key->payload.data);
829}
830
831struct key_type key_type_encrypted = {
832 .name = "encrypted",
833 .instantiate = encrypted_instantiate,
834 .update = encrypted_update,
835 .match = user_match,
836 .destroy = encrypted_destroy,
837 .describe = user_describe,
838 .read = encrypted_read,
839};
840EXPORT_SYMBOL_GPL(key_type_encrypted);
841
842static void encrypted_shash_release(void)
843{
844 if (hashalg)
845 crypto_free_shash(hashalg);
846 if (hmacalg)
847 crypto_free_shash(hmacalg);
848}
849
850static int __init encrypted_shash_alloc(void)
851{
852 int ret;
853
854 hmacalg = crypto_alloc_shash(hmac_alg, 0, CRYPTO_ALG_ASYNC);
855 if (IS_ERR(hmacalg)) {
856 pr_info("encrypted_key: could not allocate crypto %s\n",
857 hmac_alg);
858 return PTR_ERR(hmacalg);
859 }
860
861 hashalg = crypto_alloc_shash(hash_alg, 0, CRYPTO_ALG_ASYNC);
862 if (IS_ERR(hashalg)) {
863 pr_info("encrypted_key: could not allocate crypto %s\n",
864 hash_alg);
865 ret = PTR_ERR(hashalg);
866 goto hashalg_fail;
867 }
868
869 return 0;
870
871hashalg_fail:
872 crypto_free_shash(hmacalg);
873 return ret;
874}
875
876static int __init init_encrypted(void)
877{
878 int ret;
879
880 ret = encrypted_shash_alloc();
881 if (ret < 0)
882 return ret;
883 ret = register_key_type(&key_type_encrypted);
884 if (ret < 0)
885 goto out;
886 return aes_get_sizes();
887out:
888 encrypted_shash_release();
889 return ret;
890
891}
892
893static void __exit cleanup_encrypted(void)
894{
895 encrypted_shash_release();
896 unregister_key_type(&key_type_encrypted);
897}
898
899late_initcall(init_encrypted);
900module_exit(cleanup_encrypted);
901
902MODULE_LICENSE("GPL");
diff --git a/security/keys/encrypted.h b/security/keys/encrypted.h
new file mode 100644
index 000000000000..cef5e2f2b7d1
--- /dev/null
+++ b/security/keys/encrypted.h
@@ -0,0 +1,54 @@
1#ifndef __ENCRYPTED_KEY_H
2#define __ENCRYPTED_KEY_H
3
4#define ENCRYPTED_DEBUG 0
5
6#if ENCRYPTED_DEBUG
7static inline void dump_master_key(const u8 *master_key, size_t master_keylen)
8{
9 print_hex_dump(KERN_ERR, "master key: ", DUMP_PREFIX_NONE, 32, 1,
10 master_key, master_keylen, 0);
11}
12
13static inline void dump_decrypted_data(struct encrypted_key_payload *epayload)
14{
15 print_hex_dump(KERN_ERR, "decrypted data: ", DUMP_PREFIX_NONE, 32, 1,
16 epayload->decrypted_data,
17 epayload->decrypted_datalen, 0);
18}
19
20static inline void dump_encrypted_data(struct encrypted_key_payload *epayload,
21 unsigned int encrypted_datalen)
22{
23 print_hex_dump(KERN_ERR, "encrypted data: ", DUMP_PREFIX_NONE, 32, 1,
24 epayload->encrypted_data, encrypted_datalen, 0);
25}
26
27static inline void dump_hmac(const char *str, const u8 *digest,
28 unsigned int hmac_size)
29{
30 if (str)
31 pr_info("encrypted_key: %s", str);
32 print_hex_dump(KERN_ERR, "hmac: ", DUMP_PREFIX_NONE, 32, 1, digest,
33 hmac_size, 0);
34}
35#else
36static inline void dump_master_key(const u8 *master_key, size_t master_keylen)
37{
38}
39
40static inline void dump_decrypted_data(struct encrypted_key_payload *epayload)
41{
42}
43
44static inline void dump_encrypted_data(struct encrypted_key_payload *epayload,
45 unsigned int encrypted_datalen)
46{
47}
48
49static inline void dump_hmac(const char *str, const u8 *digest,
50 unsigned int hmac_size)
51{
52}
53#endif
54#endif
diff --git a/security/keys/gc.c b/security/keys/gc.c
index a46e825cbf02..89df6b5f203c 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -32,8 +32,8 @@ static time_t key_gc_next_run = LONG_MAX;
32static time_t key_gc_new_timer; 32static time_t key_gc_new_timer;
33 33
34/* 34/*
35 * Schedule a garbage collection run 35 * Schedule a garbage collection run.
36 * - precision isn't particularly important 36 * - time precision isn't particularly important
37 */ 37 */
38void key_schedule_gc(time_t gc_at) 38void key_schedule_gc(time_t gc_at)
39{ 39{
@@ -61,8 +61,9 @@ static void key_gc_timer_func(unsigned long data)
61} 61}
62 62
63/* 63/*
64 * Garbage collect pointers from a keyring 64 * Garbage collect pointers from a keyring.
65 * - return true if we altered the keyring 65 *
66 * Return true if we altered the keyring.
66 */ 67 */
67static bool key_gc_keyring(struct key *keyring, time_t limit) 68static bool key_gc_keyring(struct key *keyring, time_t limit)
68 __releases(key_serial_lock) 69 __releases(key_serial_lock)
@@ -107,9 +108,8 @@ do_gc:
107} 108}
108 109
109/* 110/*
110 * Garbage collector for keys 111 * Garbage collector for keys. This involves scanning the keyrings for dead,
111 * - this involves scanning the keyrings for dead, expired and revoked keys 112 * expired and revoked keys that have overstayed their welcome
112 * that have overstayed their welcome
113 */ 113 */
114static void key_garbage_collector(struct work_struct *work) 114static void key_garbage_collector(struct work_struct *work)
115{ 115{
diff --git a/security/keys/internal.h b/security/keys/internal.h
index 56a133d8f37d..f375152a2500 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -1,4 +1,4 @@
1/* internal.h: authentication token and access key management internal defs 1/* Authentication token and access key management internal defs
2 * 2 *
3 * Copyright (C) 2003-5, 2007 Red Hat, Inc. All Rights Reserved. 3 * Copyright (C) 2003-5, 2007 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com) 4 * Written by David Howells (dhowells@redhat.com)
@@ -35,10 +35,12 @@ extern struct key_type key_type_user;
35 35
36/*****************************************************************************/ 36/*****************************************************************************/
37/* 37/*
38 * keep track of keys for a user 38 * Keep track of keys for a user.
39 * - this needs to be separate to user_struct to avoid a refcount-loop 39 *
40 * (user_struct pins some keyrings which pin this struct) 40 * This needs to be separate to user_struct to avoid a refcount-loop
41 * - this also keeps track of keys under request from userspace for this UID 41 * (user_struct pins some keyrings which pin this struct).
42 *
43 * We also keep track of keys under request from userspace for this UID here.
42 */ 44 */
43struct key_user { 45struct key_user {
44 struct rb_node node; 46 struct rb_node node;
@@ -62,7 +64,7 @@ extern struct key_user *key_user_lookup(uid_t uid,
62extern void key_user_put(struct key_user *user); 64extern void key_user_put(struct key_user *user);
63 65
64/* 66/*
65 * key quota limits 67 * Key quota limits.
66 * - root has its own separate limits to everyone else 68 * - root has its own separate limits to everyone else
67 */ 69 */
68extern unsigned key_quota_root_maxkeys; 70extern unsigned key_quota_root_maxkeys;
@@ -85,13 +87,13 @@ extern void key_type_put(struct key_type *ktype);
85extern int __key_link_begin(struct key *keyring, 87extern int __key_link_begin(struct key *keyring,
86 const struct key_type *type, 88 const struct key_type *type,
87 const char *description, 89 const char *description,
88 struct keyring_list **_prealloc); 90 unsigned long *_prealloc);
89extern int __key_link_check_live_key(struct key *keyring, struct key *key); 91extern int __key_link_check_live_key(struct key *keyring, struct key *key);
90extern void __key_link(struct key *keyring, struct key *key, 92extern void __key_link(struct key *keyring, struct key *key,
91 struct keyring_list **_prealloc); 93 unsigned long *_prealloc);
92extern void __key_link_end(struct key *keyring, 94extern void __key_link_end(struct key *keyring,
93 struct key_type *type, 95 struct key_type *type,
94 struct keyring_list *prealloc); 96 unsigned long prealloc);
95 97
96extern key_ref_t __keyring_search_one(key_ref_t keyring_ref, 98extern key_ref_t __keyring_search_one(key_ref_t keyring_ref,
97 const struct key_type *type, 99 const struct key_type *type,
@@ -107,11 +109,13 @@ extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
107 const struct cred *cred, 109 const struct cred *cred,
108 struct key_type *type, 110 struct key_type *type,
109 const void *description, 111 const void *description,
110 key_match_func_t match); 112 key_match_func_t match,
113 bool no_state_check);
111 114
112extern key_ref_t search_my_process_keyrings(struct key_type *type, 115extern key_ref_t search_my_process_keyrings(struct key_type *type,
113 const void *description, 116 const void *description,
114 key_match_func_t match, 117 key_match_func_t match,
118 bool no_state_check,
115 const struct cred *cred); 119 const struct cred *cred);
116extern key_ref_t search_process_keyrings(struct key_type *type, 120extern key_ref_t search_process_keyrings(struct key_type *type,
117 const void *description, 121 const void *description,
@@ -146,13 +150,13 @@ extern unsigned key_gc_delay;
146extern void keyring_gc(struct key *keyring, time_t limit); 150extern void keyring_gc(struct key *keyring, time_t limit);
147extern void key_schedule_gc(time_t expiry_at); 151extern void key_schedule_gc(time_t expiry_at);
148 152
149/*
150 * check to see whether permission is granted to use a key in the desired way
151 */
152extern int key_task_permission(const key_ref_t key_ref, 153extern int key_task_permission(const key_ref_t key_ref,
153 const struct cred *cred, 154 const struct cred *cred,
154 key_perm_t perm); 155 key_perm_t perm);
155 156
157/*
158 * Check to see whether permission is granted to use a key in the desired way.
159 */
156static inline int key_permission(const key_ref_t key_ref, key_perm_t perm) 160static inline int key_permission(const key_ref_t key_ref, key_perm_t perm)
157{ 161{
158 return key_task_permission(key_ref, current_cred(), perm); 162 return key_task_permission(key_ref, current_cred(), perm);
@@ -168,7 +172,7 @@ static inline int key_permission(const key_ref_t key_ref, key_perm_t perm)
168#define KEY_ALL 0x3f /* all the above permissions */ 172#define KEY_ALL 0x3f /* all the above permissions */
169 173
170/* 174/*
171 * request_key authorisation 175 * Authorisation record for request_key().
172 */ 176 */
173struct request_key_auth { 177struct request_key_auth {
174 struct key *target_key; 178 struct key *target_key;
@@ -188,7 +192,7 @@ extern struct key *request_key_auth_new(struct key *target,
188extern struct key *key_get_instantiation_authkey(key_serial_t target_id); 192extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
189 193
190/* 194/*
191 * keyctl functions 195 * keyctl() functions
192 */ 196 */
193extern long keyctl_get_keyring_ID(key_serial_t, int); 197extern long keyctl_get_keyring_ID(key_serial_t, int);
194extern long keyctl_join_session_keyring(const char __user *); 198extern long keyctl_join_session_keyring(const char __user *);
@@ -212,9 +216,17 @@ extern long keyctl_assume_authority(key_serial_t);
212extern long keyctl_get_security(key_serial_t keyid, char __user *buffer, 216extern long keyctl_get_security(key_serial_t keyid, char __user *buffer,
213 size_t buflen); 217 size_t buflen);
214extern long keyctl_session_to_parent(void); 218extern long keyctl_session_to_parent(void);
219extern long keyctl_reject_key(key_serial_t, unsigned, unsigned, key_serial_t);
220extern long keyctl_instantiate_key_iov(key_serial_t,
221 const struct iovec __user *,
222 unsigned, key_serial_t);
223
224extern long keyctl_instantiate_key_common(key_serial_t,
225 const struct iovec __user *,
226 unsigned, size_t, key_serial_t);
215 227
216/* 228/*
217 * debugging key validation 229 * Debugging key validation
218 */ 230 */
219#ifdef KEY_DEBUGGING 231#ifdef KEY_DEBUGGING
220extern void __key_check(const struct key *); 232extern void __key_check(const struct key *);
diff --git a/security/keys/key.c b/security/keys/key.c
index c1eac8084ade..f7f9d93f08d9 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -39,10 +39,10 @@ static DECLARE_RWSEM(key_types_sem);
39static void key_cleanup(struct work_struct *work); 39static void key_cleanup(struct work_struct *work);
40static DECLARE_WORK(key_cleanup_task, key_cleanup); 40static DECLARE_WORK(key_cleanup_task, key_cleanup);
41 41
42/* we serialise key instantiation and link */ 42/* We serialise key instantiation and link */
43DEFINE_MUTEX(key_construction_mutex); 43DEFINE_MUTEX(key_construction_mutex);
44 44
45/* any key who's type gets unegistered will be re-typed to this */ 45/* Any key who's type gets unegistered will be re-typed to this */
46static struct key_type key_type_dead = { 46static struct key_type key_type_dead = {
47 .name = "dead", 47 .name = "dead",
48}; 48};
@@ -56,10 +56,9 @@ void __key_check(const struct key *key)
56} 56}
57#endif 57#endif
58 58
59/*****************************************************************************/
60/* 59/*
61 * get the key quota record for a user, allocating a new record if one doesn't 60 * Get the key quota record for a user, allocating a new record if one doesn't
62 * already exist 61 * already exist.
63 */ 62 */
64struct key_user *key_user_lookup(uid_t uid, struct user_namespace *user_ns) 63struct key_user *key_user_lookup(uid_t uid, struct user_namespace *user_ns)
65{ 64{
@@ -67,7 +66,7 @@ struct key_user *key_user_lookup(uid_t uid, struct user_namespace *user_ns)
67 struct rb_node *parent = NULL; 66 struct rb_node *parent = NULL;
68 struct rb_node **p; 67 struct rb_node **p;
69 68
70 try_again: 69try_again:
71 p = &key_user_tree.rb_node; 70 p = &key_user_tree.rb_node;
72 spin_lock(&key_user_lock); 71 spin_lock(&key_user_lock);
73 72
@@ -124,18 +123,16 @@ struct key_user *key_user_lookup(uid_t uid, struct user_namespace *user_ns)
124 goto out; 123 goto out;
125 124
126 /* okay - we found a user record for this UID */ 125 /* okay - we found a user record for this UID */
127 found: 126found:
128 atomic_inc(&user->usage); 127 atomic_inc(&user->usage);
129 spin_unlock(&key_user_lock); 128 spin_unlock(&key_user_lock);
130 kfree(candidate); 129 kfree(candidate);
131 out: 130out:
132 return user; 131 return user;
132}
133 133
134} /* end key_user_lookup() */
135
136/*****************************************************************************/
137/* 134/*
138 * dispose of a user structure 135 * Dispose of a user structure
139 */ 136 */
140void key_user_put(struct key_user *user) 137void key_user_put(struct key_user *user)
141{ 138{
@@ -146,14 +143,11 @@ void key_user_put(struct key_user *user)
146 143
147 kfree(user); 144 kfree(user);
148 } 145 }
146}
149 147
150} /* end key_user_put() */
151
152/*****************************************************************************/
153/* 148/*
154 * assign a key the next unique serial number 149 * Allocate a serial number for a key. These are assigned randomly to avoid
155 * - these are assigned randomly to avoid security issues through covert 150 * security issues through covert channel problems.
156 * channel problems
157 */ 151 */
158static inline void key_alloc_serial(struct key *key) 152static inline void key_alloc_serial(struct key *key)
159{ 153{
@@ -211,18 +205,36 @@ serial_exists:
211 if (key->serial < xkey->serial) 205 if (key->serial < xkey->serial)
212 goto attempt_insertion; 206 goto attempt_insertion;
213 } 207 }
208}
214 209
215} /* end key_alloc_serial() */ 210/**
216 211 * key_alloc - Allocate a key of the specified type.
217/*****************************************************************************/ 212 * @type: The type of key to allocate.
218/* 213 * @desc: The key description to allow the key to be searched out.
219 * allocate a key of the specified type 214 * @uid: The owner of the new key.
220 * - update the user's quota to reflect the existence of the key 215 * @gid: The group ID for the new key's group permissions.
221 * - called from a key-type operation with key_types_sem read-locked by 216 * @cred: The credentials specifying UID namespace.
222 * key_create_or_update() 217 * @perm: The permissions mask of the new key.
223 * - this prevents unregistration of the key type 218 * @flags: Flags specifying quota properties.
224 * - upon return the key is as yet uninstantiated; the caller needs to either 219 *
225 * instantiate the key or discard it before returning 220 * Allocate a key of the specified type with the attributes given. The key is
221 * returned in an uninstantiated state and the caller needs to instantiate the
222 * key before returning.
223 *
224 * The user's key count quota is updated to reflect the creation of the key and
225 * the user's key data quota has the default for the key type reserved. The
226 * instantiation function should amend this as necessary. If insufficient
227 * quota is available, -EDQUOT will be returned.
228 *
229 * The LSM security modules can prevent a key being created, in which case
230 * -EACCES will be returned.
231 *
232 * Returns a pointer to the new key if successful and an error code otherwise.
233 *
234 * Note that the caller needs to ensure the key type isn't uninstantiated.
235 * Internally this can be done by locking key_types_sem. Externally, this can
236 * be done by either never unregistering the key type, or making sure
237 * key_alloc() calls don't race with module unloading.
226 */ 238 */
227struct key *key_alloc(struct key_type *type, const char *desc, 239struct key *key_alloc(struct key_type *type, const char *desc,
228 uid_t uid, gid_t gid, const struct cred *cred, 240 uid_t uid, gid_t gid, const struct cred *cred,
@@ -237,6 +249,14 @@ struct key *key_alloc(struct key_type *type, const char *desc,
237 if (!desc || !*desc) 249 if (!desc || !*desc)
238 goto error; 250 goto error;
239 251
252 if (type->vet_description) {
253 ret = type->vet_description(desc);
254 if (ret < 0) {
255 key = ERR_PTR(ret);
256 goto error;
257 }
258 }
259
240 desclen = strlen(desc) + 1; 260 desclen = strlen(desc) + 1;
241 quotalen = desclen + type->def_datalen; 261 quotalen = desclen + type->def_datalen;
242 262
@@ -344,14 +364,19 @@ no_quota:
344 key_user_put(user); 364 key_user_put(user);
345 key = ERR_PTR(-EDQUOT); 365 key = ERR_PTR(-EDQUOT);
346 goto error; 366 goto error;
347 367}
348} /* end key_alloc() */
349
350EXPORT_SYMBOL(key_alloc); 368EXPORT_SYMBOL(key_alloc);
351 369
352/*****************************************************************************/ 370/**
353/* 371 * key_payload_reserve - Adjust data quota reservation for the key's payload
354 * reserve an amount of quota for the key's payload 372 * @key: The key to make the reservation for.
373 * @datalen: The amount of data payload the caller now wants.
374 *
375 * Adjust the amount of the owning user's key data quota that a key reserves.
376 * If the amount is increased, then -EDQUOT may be returned if there isn't
377 * enough free quota available.
378 *
379 * If successful, 0 is returned.
355 */ 380 */
356int key_payload_reserve(struct key *key, size_t datalen) 381int key_payload_reserve(struct key *key, size_t datalen)
357{ 382{
@@ -384,22 +409,21 @@ int key_payload_reserve(struct key *key, size_t datalen)
384 key->datalen = datalen; 409 key->datalen = datalen;
385 410
386 return ret; 411 return ret;
387 412}
388} /* end key_payload_reserve() */
389
390EXPORT_SYMBOL(key_payload_reserve); 413EXPORT_SYMBOL(key_payload_reserve);
391 414
392/*****************************************************************************/
393/* 415/*
394 * instantiate a key and link it into the target keyring atomically 416 * Instantiate a key and link it into the target keyring atomically. Must be
395 * - called with the target keyring's semaphore writelocked 417 * called with the target keyring's semaphore writelocked. The target key's
418 * semaphore need not be locked as instantiation is serialised by
419 * key_construction_mutex.
396 */ 420 */
397static int __key_instantiate_and_link(struct key *key, 421static int __key_instantiate_and_link(struct key *key,
398 const void *data, 422 const void *data,
399 size_t datalen, 423 size_t datalen,
400 struct key *keyring, 424 struct key *keyring,
401 struct key *authkey, 425 struct key *authkey,
402 struct keyring_list **_prealloc) 426 unsigned long *_prealloc)
403{ 427{
404 int ret, awaken; 428 int ret, awaken;
405 429
@@ -441,12 +465,23 @@ static int __key_instantiate_and_link(struct key *key,
441 wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT); 465 wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT);
442 466
443 return ret; 467 return ret;
468}
444 469
445} /* end __key_instantiate_and_link() */ 470/**
446 471 * key_instantiate_and_link - Instantiate a key and link it into the keyring.
447/*****************************************************************************/ 472 * @key: The key to instantiate.
448/* 473 * @data: The data to use to instantiate the keyring.
449 * instantiate a key and link it into the target keyring atomically 474 * @datalen: The length of @data.
475 * @keyring: Keyring to create a link in on success (or NULL).
476 * @authkey: The authorisation token permitting instantiation.
477 *
478 * Instantiate a key that's in the uninstantiated state using the provided data
479 * and, if successful, link it in to the destination keyring if one is
480 * supplied.
481 *
482 * If successful, 0 is returned, the authorisation token is revoked and anyone
483 * waiting for the key is woken up. If the key was already instantiated,
484 * -EBUSY will be returned.
450 */ 485 */
451int key_instantiate_and_link(struct key *key, 486int key_instantiate_and_link(struct key *key,
452 const void *data, 487 const void *data,
@@ -454,7 +489,7 @@ int key_instantiate_and_link(struct key *key,
454 struct key *keyring, 489 struct key *keyring,
455 struct key *authkey) 490 struct key *authkey)
456{ 491{
457 struct keyring_list *prealloc; 492 unsigned long prealloc;
458 int ret; 493 int ret;
459 494
460 if (keyring) { 495 if (keyring) {
@@ -471,21 +506,38 @@ int key_instantiate_and_link(struct key *key,
471 __key_link_end(keyring, key->type, prealloc); 506 __key_link_end(keyring, key->type, prealloc);
472 507
473 return ret; 508 return ret;
474 509}
475} /* end key_instantiate_and_link() */
476 510
477EXPORT_SYMBOL(key_instantiate_and_link); 511EXPORT_SYMBOL(key_instantiate_and_link);
478 512
479/*****************************************************************************/ 513/**
480/* 514 * key_reject_and_link - Negatively instantiate a key and link it into the keyring.
481 * negatively instantiate a key and link it into the target keyring atomically 515 * @key: The key to instantiate.
516 * @timeout: The timeout on the negative key.
517 * @error: The error to return when the key is hit.
518 * @keyring: Keyring to create a link in on success (or NULL).
519 * @authkey: The authorisation token permitting instantiation.
520 *
521 * Negatively instantiate a key that's in the uninstantiated state and, if
522 * successful, set its timeout and stored error and link it in to the
523 * destination keyring if one is supplied. The key and any links to the key
524 * will be automatically garbage collected after the timeout expires.
525 *
526 * Negative keys are used to rate limit repeated request_key() calls by causing
527 * them to return the stored error code (typically ENOKEY) until the negative
528 * key expires.
529 *
530 * If successful, 0 is returned, the authorisation token is revoked and anyone
531 * waiting for the key is woken up. If the key was already instantiated,
532 * -EBUSY will be returned.
482 */ 533 */
483int key_negate_and_link(struct key *key, 534int key_reject_and_link(struct key *key,
484 unsigned timeout, 535 unsigned timeout,
536 unsigned error,
485 struct key *keyring, 537 struct key *keyring,
486 struct key *authkey) 538 struct key *authkey)
487{ 539{
488 struct keyring_list *prealloc; 540 unsigned long prealloc;
489 struct timespec now; 541 struct timespec now;
490 int ret, awaken, link_ret = 0; 542 int ret, awaken, link_ret = 0;
491 543
@@ -507,6 +559,7 @@ int key_negate_and_link(struct key *key,
507 atomic_inc(&key->user->nikeys); 559 atomic_inc(&key->user->nikeys);
508 set_bit(KEY_FLAG_NEGATIVE, &key->flags); 560 set_bit(KEY_FLAG_NEGATIVE, &key->flags);
509 set_bit(KEY_FLAG_INSTANTIATED, &key->flags); 561 set_bit(KEY_FLAG_INSTANTIATED, &key->flags);
562 key->type_data.reject_error = -error;
510 now = current_kernel_time(); 563 now = current_kernel_time();
511 key->expiry = now.tv_sec + timeout; 564 key->expiry = now.tv_sec + timeout;
512 key_schedule_gc(key->expiry + key_gc_delay); 565 key_schedule_gc(key->expiry + key_gc_delay);
@@ -535,22 +588,22 @@ int key_negate_and_link(struct key *key,
535 wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT); 588 wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT);
536 589
537 return ret == 0 ? link_ret : ret; 590 return ret == 0 ? link_ret : ret;
591}
592EXPORT_SYMBOL(key_reject_and_link);
538 593
539} /* end key_negate_and_link() */
540
541EXPORT_SYMBOL(key_negate_and_link);
542
543/*****************************************************************************/
544/* 594/*
545 * do cleaning up in process context so that we don't have to disable 595 * Garbage collect keys in process context so that we don't have to disable
546 * interrupts all over the place 596 * interrupts all over the place.
597 *
598 * key_put() schedules this rather than trying to do the cleanup itself, which
599 * means key_put() doesn't have to sleep.
547 */ 600 */
548static void key_cleanup(struct work_struct *work) 601static void key_cleanup(struct work_struct *work)
549{ 602{
550 struct rb_node *_n; 603 struct rb_node *_n;
551 struct key *key; 604 struct key *key;
552 605
553 go_again: 606go_again:
554 /* look for a dead key in the tree */ 607 /* look for a dead key in the tree */
555 spin_lock(&key_serial_lock); 608 spin_lock(&key_serial_lock);
556 609
@@ -564,7 +617,7 @@ static void key_cleanup(struct work_struct *work)
564 spin_unlock(&key_serial_lock); 617 spin_unlock(&key_serial_lock);
565 return; 618 return;
566 619
567 found_dead_key: 620found_dead_key:
568 /* we found a dead key - once we've removed it from the tree, we can 621 /* we found a dead key - once we've removed it from the tree, we can
569 * drop the lock */ 622 * drop the lock */
570 rb_erase(&key->serial_node, &key_serial_tree); 623 rb_erase(&key->serial_node, &key_serial_tree);
@@ -601,14 +654,15 @@ static void key_cleanup(struct work_struct *work)
601 654
602 /* there may, of course, be more than one key to destroy */ 655 /* there may, of course, be more than one key to destroy */
603 goto go_again; 656 goto go_again;
657}
604 658
605} /* end key_cleanup() */ 659/**
606 660 * key_put - Discard a reference to a key.
607/*****************************************************************************/ 661 * @key: The key to discard a reference from.
608/* 662 *
609 * dispose of a reference to a key 663 * Discard a reference to a key, and when all the references are gone, we
610 * - when all the references are gone, we schedule the cleanup task to come and 664 * schedule the cleanup task to come and pull it out of the tree in process
611 * pull it out of the tree in definite process context 665 * context at some later time.
612 */ 666 */
613void key_put(struct key *key) 667void key_put(struct key *key)
614{ 668{
@@ -618,14 +672,11 @@ void key_put(struct key *key)
618 if (atomic_dec_and_test(&key->usage)) 672 if (atomic_dec_and_test(&key->usage))
619 schedule_work(&key_cleanup_task); 673 schedule_work(&key_cleanup_task);
620 } 674 }
621 675}
622} /* end key_put() */
623
624EXPORT_SYMBOL(key_put); 676EXPORT_SYMBOL(key_put);
625 677
626/*****************************************************************************/
627/* 678/*
628 * find a key by its serial number 679 * Find a key by its serial number.
629 */ 680 */
630struct key *key_lookup(key_serial_t id) 681struct key *key_lookup(key_serial_t id)
631{ 682{
@@ -647,11 +698,11 @@ struct key *key_lookup(key_serial_t id)
647 goto found; 698 goto found;
648 } 699 }
649 700
650 not_found: 701not_found:
651 key = ERR_PTR(-ENOKEY); 702 key = ERR_PTR(-ENOKEY);
652 goto error; 703 goto error;
653 704
654 found: 705found:
655 /* pretend it doesn't exist if it is awaiting deletion */ 706 /* pretend it doesn't exist if it is awaiting deletion */
656 if (atomic_read(&key->usage) == 0) 707 if (atomic_read(&key->usage) == 0)
657 goto not_found; 708 goto not_found;
@@ -661,16 +712,16 @@ struct key *key_lookup(key_serial_t id)
661 */ 712 */
662 atomic_inc(&key->usage); 713 atomic_inc(&key->usage);
663 714
664 error: 715error:
665 spin_unlock(&key_serial_lock); 716 spin_unlock(&key_serial_lock);
666 return key; 717 return key;
718}
667 719
668} /* end key_lookup() */
669
670/*****************************************************************************/
671/* 720/*
672 * find and lock the specified key type against removal 721 * Find and lock the specified key type against removal.
673 * - we return with the sem readlocked 722 *
723 * We return with the sem read-locked if successful. If the type wasn't
724 * available -ENOKEY is returned instead.
674 */ 725 */
675struct key_type *key_type_lookup(const char *type) 726struct key_type *key_type_lookup(const char *type)
676{ 727{
@@ -688,26 +739,23 @@ struct key_type *key_type_lookup(const char *type)
688 up_read(&key_types_sem); 739 up_read(&key_types_sem);
689 ktype = ERR_PTR(-ENOKEY); 740 ktype = ERR_PTR(-ENOKEY);
690 741
691 found_kernel_type: 742found_kernel_type:
692 return ktype; 743 return ktype;
744}
693 745
694} /* end key_type_lookup() */
695
696/*****************************************************************************/
697/* 746/*
698 * unlock a key type 747 * Unlock a key type locked by key_type_lookup().
699 */ 748 */
700void key_type_put(struct key_type *ktype) 749void key_type_put(struct key_type *ktype)
701{ 750{
702 up_read(&key_types_sem); 751 up_read(&key_types_sem);
752}
703 753
704} /* end key_type_put() */
705
706/*****************************************************************************/
707/* 754/*
708 * attempt to update an existing key 755 * Attempt to update an existing key.
709 * - the key has an incremented refcount 756 *
710 * - we need to put the key if we get an error 757 * The key is given to us with an incremented refcount that we need to discard
758 * if we get an error.
711 */ 759 */
712static inline key_ref_t __key_update(key_ref_t key_ref, 760static inline key_ref_t __key_update(key_ref_t key_ref,
713 const void *payload, size_t plen) 761 const void *payload, size_t plen)
@@ -742,13 +790,32 @@ error:
742 key_put(key); 790 key_put(key);
743 key_ref = ERR_PTR(ret); 791 key_ref = ERR_PTR(ret);
744 goto out; 792 goto out;
793}
745 794
746} /* end __key_update() */ 795/**
747 796 * key_create_or_update - Update or create and instantiate a key.
748/*****************************************************************************/ 797 * @keyring_ref: A pointer to the destination keyring with possession flag.
749/* 798 * @type: The type of key.
750 * search the specified keyring for a key of the same description; if one is 799 * @description: The searchable description for the key.
751 * found, update it, otherwise add a new one 800 * @payload: The data to use to instantiate or update the key.
801 * @plen: The length of @payload.
802 * @perm: The permissions mask for a new key.
803 * @flags: The quota flags for a new key.
804 *
805 * Search the destination keyring for a key of the same description and if one
806 * is found, update it, otherwise create and instantiate a new one and create a
807 * link to it from that keyring.
808 *
809 * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be
810 * concocted.
811 *
812 * Returns a pointer to the new key if successful, -ENODEV if the key type
813 * wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the
814 * caller isn't permitted to modify the keyring or the LSM did not permit
815 * creation of the key.
816 *
817 * On success, the possession flag from the keyring ref will be tacked on to
818 * the key ref before it is returned.
752 */ 819 */
753key_ref_t key_create_or_update(key_ref_t keyring_ref, 820key_ref_t key_create_or_update(key_ref_t keyring_ref,
754 const char *type, 821 const char *type,
@@ -758,7 +825,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
758 key_perm_t perm, 825 key_perm_t perm,
759 unsigned long flags) 826 unsigned long flags)
760{ 827{
761 struct keyring_list *prealloc; 828 unsigned long prealloc;
762 const struct cred *cred = current_cred(); 829 const struct cred *cred = current_cred();
763 struct key_type *ktype; 830 struct key_type *ktype;
764 struct key *keyring, *key = NULL; 831 struct key *keyring, *key = NULL;
@@ -855,14 +922,21 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
855 922
856 key_ref = __key_update(key_ref, payload, plen); 923 key_ref = __key_update(key_ref, payload, plen);
857 goto error; 924 goto error;
858 925}
859} /* end key_create_or_update() */
860
861EXPORT_SYMBOL(key_create_or_update); 926EXPORT_SYMBOL(key_create_or_update);
862 927
863/*****************************************************************************/ 928/**
864/* 929 * key_update - Update a key's contents.
865 * update a key 930 * @key_ref: The pointer (plus possession flag) to the key.
931 * @payload: The data to be used to update the key.
932 * @plen: The length of @payload.
933 *
934 * Attempt to update the contents of a key with the given payload data. The
935 * caller must be granted Write permission on the key. Negative keys can be
936 * instantiated by this method.
937 *
938 * Returns 0 on success, -EACCES if not permitted and -EOPNOTSUPP if the key
939 * type does not support updating. The key type may return other errors.
866 */ 940 */
867int key_update(key_ref_t key_ref, const void *payload, size_t plen) 941int key_update(key_ref_t key_ref, const void *payload, size_t plen)
868{ 942{
@@ -891,14 +965,17 @@ int key_update(key_ref_t key_ref, const void *payload, size_t plen)
891 965
892 error: 966 error:
893 return ret; 967 return ret;
894 968}
895} /* end key_update() */
896
897EXPORT_SYMBOL(key_update); 969EXPORT_SYMBOL(key_update);
898 970
899/*****************************************************************************/ 971/**
900/* 972 * key_revoke - Revoke a key.
901 * revoke a key 973 * @key: The key to be revoked.
974 *
975 * Mark a key as being revoked and ask the type to free up its resources. The
976 * revocation timeout is set and the key and all its links will be
977 * automatically garbage collected after key_gc_delay amount of time if they
978 * are not manually dealt with first.
902 */ 979 */
903void key_revoke(struct key *key) 980void key_revoke(struct key *key)
904{ 981{
@@ -926,14 +1003,16 @@ void key_revoke(struct key *key)
926 } 1003 }
927 1004
928 up_write(&key->sem); 1005 up_write(&key->sem);
929 1006}
930} /* end key_revoke() */
931
932EXPORT_SYMBOL(key_revoke); 1007EXPORT_SYMBOL(key_revoke);
933 1008
934/*****************************************************************************/ 1009/**
935/* 1010 * register_key_type - Register a type of key.
936 * register a type of key 1011 * @ktype: The new key type.
1012 *
1013 * Register a new key type.
1014 *
1015 * Returns 0 on success or -EEXIST if a type of this name already exists.
937 */ 1016 */
938int register_key_type(struct key_type *ktype) 1017int register_key_type(struct key_type *ktype)
939{ 1018{
@@ -953,17 +1032,19 @@ int register_key_type(struct key_type *ktype)
953 list_add(&ktype->link, &key_types_list); 1032 list_add(&ktype->link, &key_types_list);
954 ret = 0; 1033 ret = 0;
955 1034
956 out: 1035out:
957 up_write(&key_types_sem); 1036 up_write(&key_types_sem);
958 return ret; 1037 return ret;
959 1038}
960} /* end register_key_type() */
961
962EXPORT_SYMBOL(register_key_type); 1039EXPORT_SYMBOL(register_key_type);
963 1040
964/*****************************************************************************/ 1041/**
965/* 1042 * unregister_key_type - Unregister a type of key.
966 * unregister a type of key 1043 * @ktype: The key type.
1044 *
1045 * Unregister a key type and mark all the extant keys of this type as dead.
1046 * Those keys of this type are then destroyed to get rid of their payloads and
1047 * they and their links will be garbage collected as soon as possible.
967 */ 1048 */
968void unregister_key_type(struct key_type *ktype) 1049void unregister_key_type(struct key_type *ktype)
969{ 1050{
@@ -1010,14 +1091,11 @@ void unregister_key_type(struct key_type *ktype)
1010 up_write(&key_types_sem); 1091 up_write(&key_types_sem);
1011 1092
1012 key_schedule_gc(0); 1093 key_schedule_gc(0);
1013 1094}
1014} /* end unregister_key_type() */
1015
1016EXPORT_SYMBOL(unregister_key_type); 1095EXPORT_SYMBOL(unregister_key_type);
1017 1096
1018/*****************************************************************************/
1019/* 1097/*
1020 * initialise the key management stuff 1098 * Initialise the key management state.
1021 */ 1099 */
1022void __init key_init(void) 1100void __init key_init(void)
1023{ 1101{
@@ -1037,5 +1115,4 @@ void __init key_init(void)
1037 1115
1038 rb_insert_color(&root_key_user.node, 1116 rb_insert_color(&root_key_user.node,
1039 &key_user_tree); 1117 &key_user_tree);
1040 1118}
1041} /* end key_init() */
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 60924f6a52db..eca51918c951 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1,4 +1,4 @@
1/* keyctl.c: userspace keyctl operations 1/* Userspace key control operations
2 * 2 *
3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com) 4 * Written by David Howells (dhowells@redhat.com)
@@ -31,28 +31,24 @@ static int key_get_type_from_user(char *type,
31 int ret; 31 int ret;
32 32
33 ret = strncpy_from_user(type, _type, len); 33 ret = strncpy_from_user(type, _type, len);
34
35 if (ret < 0) 34 if (ret < 0)
36 return ret; 35 return ret;
37
38 if (ret == 0 || ret >= len) 36 if (ret == 0 || ret >= len)
39 return -EINVAL; 37 return -EINVAL;
40
41 if (type[0] == '.') 38 if (type[0] == '.')
42 return -EPERM; 39 return -EPERM;
43
44 type[len - 1] = '\0'; 40 type[len - 1] = '\0';
45
46 return 0; 41 return 0;
47} 42}
48 43
49/*****************************************************************************/
50/* 44/*
51 * extract the description of a new key from userspace and either add it as a 45 * Extract the description of a new key from userspace and either add it as a
52 * new key to the specified keyring or update a matching key in that keyring 46 * new key to the specified keyring or update a matching key in that keyring.
53 * - the keyring must be writable 47 *
54 * - returns the new key's serial number 48 * The keyring must be writable so that we can attach the key to it.
55 * - implements add_key() 49 *
50 * If successful, the new key's serial number is returned, otherwise an error
51 * code is returned.
56 */ 52 */
57SYSCALL_DEFINE5(add_key, const char __user *, _type, 53SYSCALL_DEFINE5(add_key, const char __user *, _type,
58 const char __user *, _description, 54 const char __user *, _description,
@@ -132,19 +128,20 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
132 kfree(description); 128 kfree(description);
133 error: 129 error:
134 return ret; 130 return ret;
131}
135 132
136} /* end sys_add_key() */
137
138/*****************************************************************************/
139/* 133/*
140 * search the process keyrings for a matching key 134 * Search the process keyrings and keyring trees linked from those for a
141 * - nested keyrings may also be searched if they have Search permission 135 * matching key. Keyrings must have appropriate Search permission to be
142 * - if a key is found, it will be attached to the destination keyring if 136 * searched.
143 * there's one specified 137 *
144 * - /sbin/request-key will be invoked if _callout_info is non-NULL 138 * If a key is found, it will be attached to the destination keyring if there's
145 * - the _callout_info string will be passed to /sbin/request-key 139 * one specified and the serial number of the key will be returned.
146 * - if the _callout_info string is empty, it will be rendered as "-" 140 *
147 * - implements request_key() 141 * If no key is found, /sbin/request-key will be invoked if _callout_info is
142 * non-NULL in an attempt to create a key. The _callout_info string will be
143 * passed to /sbin/request-key to aid with completing the request. If the
144 * _callout_info string is "" then it will be changed to "-".
148 */ 145 */
149SYSCALL_DEFINE4(request_key, const char __user *, _type, 146SYSCALL_DEFINE4(request_key, const char __user *, _type,
150 const char __user *, _description, 147 const char __user *, _description,
@@ -209,8 +206,14 @@ SYSCALL_DEFINE4(request_key, const char __user *, _type,
209 goto error5; 206 goto error5;
210 } 207 }
211 208
209 /* wait for the key to finish being constructed */
210 ret = wait_for_key_construction(key, 1);
211 if (ret < 0)
212 goto error6;
213
212 ret = key->serial; 214 ret = key->serial;
213 215
216error6:
214 key_put(key); 217 key_put(key);
215error5: 218error5:
216 key_type_put(ktype); 219 key_type_put(ktype);
@@ -222,14 +225,14 @@ error2:
222 kfree(description); 225 kfree(description);
223error: 226error:
224 return ret; 227 return ret;
228}
225 229
226} /* end sys_request_key() */
227
228/*****************************************************************************/
229/* 230/*
230 * get the ID of the specified process keyring 231 * Get the ID of the specified process keyring.
231 * - the keyring must have search permission to be found 232 *
232 * - implements keyctl(KEYCTL_GET_KEYRING_ID) 233 * The requested keyring must have search permission to be found.
234 *
235 * If successful, the ID of the requested keyring will be returned.
233 */ 236 */
234long keyctl_get_keyring_ID(key_serial_t id, int create) 237long keyctl_get_keyring_ID(key_serial_t id, int create)
235{ 238{
@@ -248,13 +251,17 @@ long keyctl_get_keyring_ID(key_serial_t id, int create)
248 key_ref_put(key_ref); 251 key_ref_put(key_ref);
249error: 252error:
250 return ret; 253 return ret;
254}
251 255
252} /* end keyctl_get_keyring_ID() */
253
254/*****************************************************************************/
255/* 256/*
256 * join the session keyring 257 * Join a (named) session keyring.
257 * - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING) 258 *
259 * Create and join an anonymous session keyring or join a named session
260 * keyring, creating it if necessary. A named session keyring must have Search
261 * permission for it to be joined. Session keyrings without this permit will
262 * be skipped over.
263 *
264 * If successful, the ID of the joined session keyring will be returned.
258 */ 265 */
259long keyctl_join_session_keyring(const char __user *_name) 266long keyctl_join_session_keyring(const char __user *_name)
260{ 267{
@@ -277,14 +284,17 @@ long keyctl_join_session_keyring(const char __user *_name)
277 284
278error: 285error:
279 return ret; 286 return ret;
287}
280 288
281} /* end keyctl_join_session_keyring() */
282
283/*****************************************************************************/
284/* 289/*
285 * update a key's data payload 290 * Update a key's data payload from the given data.
286 * - the key must be writable 291 *
287 * - implements keyctl(KEYCTL_UPDATE) 292 * The key must grant the caller Write permission and the key type must support
293 * updating for this to work. A negative key can be positively instantiated
294 * with this call.
295 *
296 * If successful, 0 will be returned. If the key type does not support
297 * updating, then -EOPNOTSUPP will be returned.
288 */ 298 */
289long keyctl_update_key(key_serial_t id, 299long keyctl_update_key(key_serial_t id,
290 const void __user *_payload, 300 const void __user *_payload,
@@ -326,14 +336,17 @@ error2:
326 kfree(payload); 336 kfree(payload);
327error: 337error:
328 return ret; 338 return ret;
339}
329 340
330} /* end keyctl_update_key() */
331
332/*****************************************************************************/
333/* 341/*
334 * revoke a key 342 * Revoke a key.
335 * - the key must be writable 343 *
336 * - implements keyctl(KEYCTL_REVOKE) 344 * The key must be grant the caller Write or Setattr permission for this to
345 * work. The key type should give up its quota claim when revoked. The key
346 * and any links to the key will be automatically garbage collected after a
347 * certain amount of time (/proc/sys/kernel/keys/gc_delay).
348 *
349 * If successful, 0 is returned.
337 */ 350 */
338long keyctl_revoke_key(key_serial_t id) 351long keyctl_revoke_key(key_serial_t id)
339{ 352{
@@ -358,14 +371,14 @@ long keyctl_revoke_key(key_serial_t id)
358 key_ref_put(key_ref); 371 key_ref_put(key_ref);
359error: 372error:
360 return ret; 373 return ret;
374}
361 375
362} /* end keyctl_revoke_key() */
363
364/*****************************************************************************/
365/* 376/*
366 * clear the specified process keyring 377 * Clear the specified keyring, creating an empty process keyring if one of the
367 * - the keyring must be writable 378 * special keyring IDs is used.
368 * - implements keyctl(KEYCTL_CLEAR) 379 *
380 * The keyring must grant the caller Write permission for this to work. If
381 * successful, 0 will be returned.
369 */ 382 */
370long keyctl_keyring_clear(key_serial_t ringid) 383long keyctl_keyring_clear(key_serial_t ringid)
371{ 384{
@@ -383,15 +396,18 @@ long keyctl_keyring_clear(key_serial_t ringid)
383 key_ref_put(keyring_ref); 396 key_ref_put(keyring_ref);
384error: 397error:
385 return ret; 398 return ret;
399}
386 400
387} /* end keyctl_keyring_clear() */
388
389/*****************************************************************************/
390/* 401/*
391 * link a key into a keyring 402 * Create a link from a keyring to a key if there's no matching key in the
392 * - the keyring must be writable 403 * keyring, otherwise replace the link to the matching key with a link to the
393 * - the key must be linkable 404 * new key.
394 * - implements keyctl(KEYCTL_LINK) 405 *
406 * The key must grant the caller Link permission and the the keyring must grant
407 * the caller Write permission. Furthermore, if an additional link is created,
408 * the keyring's quota will be extended.
409 *
410 * If successful, 0 will be returned.
395 */ 411 */
396long keyctl_keyring_link(key_serial_t id, key_serial_t ringid) 412long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
397{ 413{
@@ -417,15 +433,16 @@ error2:
417 key_ref_put(keyring_ref); 433 key_ref_put(keyring_ref);
418error: 434error:
419 return ret; 435 return ret;
436}
420 437
421} /* end keyctl_keyring_link() */
422
423/*****************************************************************************/
424/* 438/*
425 * unlink the first attachment of a key from a keyring 439 * Unlink a key from a keyring.
426 * - the keyring must be writable 440 *
427 * - we don't need any permissions on the key 441 * The keyring must grant the caller Write permission for this to work; the key
428 * - implements keyctl(KEYCTL_UNLINK) 442 * itself need not grant the caller anything. If the last link to a key is
443 * removed then that key will be scheduled for destruction.
444 *
445 * If successful, 0 will be returned.
429 */ 446 */
430long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 447long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
431{ 448{
@@ -451,19 +468,20 @@ error2:
451 key_ref_put(keyring_ref); 468 key_ref_put(keyring_ref);
452error: 469error:
453 return ret; 470 return ret;
471}
454 472
455} /* end keyctl_keyring_unlink() */
456
457/*****************************************************************************/
458/* 473/*
459 * describe a user key 474 * Return a description of a key to userspace.
460 * - the key must have view permission 475 *
461 * - if there's a buffer, we place up to buflen bytes of data into it 476 * The key must grant the caller View permission for this to work.
462 * - unless there's an error, we return the amount of description available, 477 *
463 * irrespective of how much we may have copied 478 * If there's a buffer, we place up to buflen bytes of data into it formatted
464 * - the description is formatted thus: 479 * in the following way:
480 *
465 * type;uid;gid;perm;description<NUL> 481 * type;uid;gid;perm;description<NUL>
466 * - implements keyctl(KEYCTL_DESCRIBE) 482 *
483 * If successful, we return the amount of description available, irrespective
484 * of how much we may have copied into the buffer.
467 */ 485 */
468long keyctl_describe_key(key_serial_t keyid, 486long keyctl_describe_key(key_serial_t keyid,
469 char __user *buffer, 487 char __user *buffer,
@@ -531,18 +549,17 @@ error2:
531 key_ref_put(key_ref); 549 key_ref_put(key_ref);
532error: 550error:
533 return ret; 551 return ret;
552}
534 553
535} /* end keyctl_describe_key() */
536
537/*****************************************************************************/
538/* 554/*
539 * search the specified keyring for a matching key 555 * Search the specified keyring and any keyrings it links to for a matching
540 * - the start keyring must be searchable 556 * key. Only keyrings that grant the caller Search permission will be searched
541 * - nested keyrings may also be searched if they are searchable 557 * (this includes the starting keyring). Only keys with Search permission can
542 * - only keys with search permission may be found 558 * be found.
543 * - if a key is found, it will be attached to the destination keyring if 559 *
544 * there's one specified 560 * If successful, the found key will be linked to the destination keyring if
545 * - implements keyctl(KEYCTL_SEARCH) 561 * supplied and the key has Link permission, and the found key ID will be
562 * returned.
546 */ 563 */
547long keyctl_keyring_search(key_serial_t ringid, 564long keyctl_keyring_search(key_serial_t ringid,
548 const char __user *_type, 565 const char __user *_type,
@@ -626,18 +643,17 @@ error2:
626 kfree(description); 643 kfree(description);
627error: 644error:
628 return ret; 645 return ret;
646}
629 647
630} /* end keyctl_keyring_search() */
631
632/*****************************************************************************/
633/* 648/*
634 * read a user key's payload 649 * Read a key's payload.
635 * - the keyring must be readable or the key must be searchable from the 650 *
636 * process's keyrings 651 * The key must either grant the caller Read permission, or it must grant the
637 * - if there's a buffer, we place up to buflen bytes of data into it 652 * caller Search permission when searched for from the process keyrings.
638 * - unless there's an error, we return the amount of data in the key, 653 *
639 * irrespective of how much we may have copied 654 * If successful, we place up to buflen bytes of data into the buffer, if one
640 * - implements keyctl(KEYCTL_READ) 655 * is provided, and return the amount of data that is available in the key,
656 * irrespective of how much we copied into the buffer.
641 */ 657 */
642long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) 658long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
643{ 659{
@@ -688,15 +704,22 @@ error2:
688 key_put(key); 704 key_put(key);
689error: 705error:
690 return ret; 706 return ret;
707}
691 708
692} /* end keyctl_read_key() */
693
694/*****************************************************************************/
695/* 709/*
696 * change the ownership of a key 710 * Change the ownership of a key
697 * - the keyring owned by the changer 711 *
698 * - if the uid or gid is -1, then that parameter is not changed 712 * The key must grant the caller Setattr permission for this to work, though
699 * - implements keyctl(KEYCTL_CHOWN) 713 * the key need not be fully instantiated yet. For the UID to be changed, or
714 * for the GID to be changed to a group the caller is not a member of, the
715 * caller must have sysadmin capability. If either uid or gid is -1 then that
716 * attribute is not changed.
717 *
718 * If the UID is to be changed, the new user must have sufficient quota to
719 * accept the key. The quota deduction will be removed from the old user to
720 * the new user should the attribute be changed.
721 *
722 * If successful, 0 will be returned.
700 */ 723 */
701long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) 724long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
702{ 725{
@@ -796,14 +819,14 @@ quota_overrun:
796 zapowner = newowner; 819 zapowner = newowner;
797 ret = -EDQUOT; 820 ret = -EDQUOT;
798 goto error_put; 821 goto error_put;
822}
799 823
800} /* end keyctl_chown_key() */
801
802/*****************************************************************************/
803/* 824/*
804 * change the permission mask on a key 825 * Change the permission mask on a key.
805 * - the keyring owned by the changer 826 *
806 * - implements keyctl(KEYCTL_SETPERM) 827 * The key must grant the caller Setattr permission for this to work, though
828 * the key need not be fully instantiated yet. If the caller does not have
829 * sysadmin capability, it may only change the permission on keys that it owns.
807 */ 830 */
808long keyctl_setperm_key(key_serial_t id, key_perm_t perm) 831long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
809{ 832{
@@ -838,11 +861,11 @@ long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
838 key_put(key); 861 key_put(key);
839error: 862error:
840 return ret; 863 return ret;
841 864}
842} /* end keyctl_setperm_key() */
843 865
844/* 866/*
845 * get the destination keyring for instantiation 867 * Get the destination keyring for instantiation and check that the caller has
868 * Write permission on it.
846 */ 869 */
847static long get_instantiation_keyring(key_serial_t ringid, 870static long get_instantiation_keyring(key_serial_t ringid,
848 struct request_key_auth *rka, 871 struct request_key_auth *rka,
@@ -879,7 +902,7 @@ static long get_instantiation_keyring(key_serial_t ringid,
879} 902}
880 903
881/* 904/*
882 * change the request_key authorisation key on the current process 905 * Change the request_key authorisation key on the current process.
883 */ 906 */
884static int keyctl_change_reqkey_auth(struct key *key) 907static int keyctl_change_reqkey_auth(struct key *key)
885{ 908{
@@ -895,15 +918,35 @@ static int keyctl_change_reqkey_auth(struct key *key)
895 return commit_creds(new); 918 return commit_creds(new);
896} 919}
897 920
898/*****************************************************************************/
899/* 921/*
900 * instantiate the key with the specified payload, and, if one is given, link 922 * Copy the iovec data from userspace
901 * the key into the keyring
902 */ 923 */
903long keyctl_instantiate_key(key_serial_t id, 924static long copy_from_user_iovec(void *buffer, const struct iovec *iov,
904 const void __user *_payload, 925 unsigned ioc)
905 size_t plen, 926{
906 key_serial_t ringid) 927 for (; ioc > 0; ioc--) {
928 if (copy_from_user(buffer, iov->iov_base, iov->iov_len) != 0)
929 return -EFAULT;
930 buffer += iov->iov_len;
931 iov++;
932 }
933 return 0;
934}
935
936/*
937 * Instantiate a key with the specified payload and link the key into the
938 * destination keyring if one is given.
939 *
940 * The caller must have the appropriate instantiation permit set for this to
941 * work (see keyctl_assume_authority). No other permissions are required.
942 *
943 * If successful, 0 will be returned.
944 */
945long keyctl_instantiate_key_common(key_serial_t id,
946 const struct iovec *payload_iov,
947 unsigned ioc,
948 size_t plen,
949 key_serial_t ringid)
907{ 950{
908 const struct cred *cred = current_cred(); 951 const struct cred *cred = current_cred();
909 struct request_key_auth *rka; 952 struct request_key_auth *rka;
@@ -932,7 +975,7 @@ long keyctl_instantiate_key(key_serial_t id,
932 /* pull the payload in if one was supplied */ 975 /* pull the payload in if one was supplied */
933 payload = NULL; 976 payload = NULL;
934 977
935 if (_payload) { 978 if (payload_iov) {
936 ret = -ENOMEM; 979 ret = -ENOMEM;
937 payload = kmalloc(plen, GFP_KERNEL); 980 payload = kmalloc(plen, GFP_KERNEL);
938 if (!payload) { 981 if (!payload) {
@@ -944,8 +987,8 @@ long keyctl_instantiate_key(key_serial_t id,
944 goto error; 987 goto error;
945 } 988 }
946 989
947 ret = -EFAULT; 990 ret = copy_from_user_iovec(payload, payload_iov, ioc);
948 if (copy_from_user(payload, _payload, plen) != 0) 991 if (ret < 0)
949 goto error2; 992 goto error2;
950 } 993 }
951 994
@@ -973,22 +1016,127 @@ error2:
973 vfree(payload); 1016 vfree(payload);
974error: 1017error:
975 return ret; 1018 return ret;
1019}
1020
1021/*
1022 * Instantiate a key with the specified payload and link the key into the
1023 * destination keyring if one is given.
1024 *
1025 * The caller must have the appropriate instantiation permit set for this to
1026 * work (see keyctl_assume_authority). No other permissions are required.
1027 *
1028 * If successful, 0 will be returned.
1029 */
1030long keyctl_instantiate_key(key_serial_t id,
1031 const void __user *_payload,
1032 size_t plen,
1033 key_serial_t ringid)
1034{
1035 if (_payload && plen) {
1036 struct iovec iov[1] = {
1037 [0].iov_base = (void __user *)_payload,
1038 [0].iov_len = plen
1039 };
976 1040
977} /* end keyctl_instantiate_key() */ 1041 return keyctl_instantiate_key_common(id, iov, 1, plen, ringid);
1042 }
1043
1044 return keyctl_instantiate_key_common(id, NULL, 0, 0, ringid);
1045}
978 1046
979/*****************************************************************************/
980/* 1047/*
981 * negatively instantiate the key with the given timeout (in seconds), and, if 1048 * Instantiate a key with the specified multipart payload and link the key into
982 * one is given, link the key into the keyring 1049 * the destination keyring if one is given.
1050 *
1051 * The caller must have the appropriate instantiation permit set for this to
1052 * work (see keyctl_assume_authority). No other permissions are required.
1053 *
1054 * If successful, 0 will be returned.
1055 */
1056long keyctl_instantiate_key_iov(key_serial_t id,
1057 const struct iovec __user *_payload_iov,
1058 unsigned ioc,
1059 key_serial_t ringid)
1060{
1061 struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
1062 long ret;
1063
1064 if (_payload_iov == 0 || ioc == 0)
1065 goto no_payload;
1066
1067 ret = rw_copy_check_uvector(WRITE, _payload_iov, ioc,
1068 ARRAY_SIZE(iovstack), iovstack, &iov);
1069 if (ret < 0)
1070 return ret;
1071 if (ret == 0)
1072 goto no_payload_free;
1073
1074 ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
1075
1076 if (iov != iovstack)
1077 kfree(iov);
1078 return ret;
1079
1080no_payload_free:
1081 if (iov != iovstack)
1082 kfree(iov);
1083no_payload:
1084 return keyctl_instantiate_key_common(id, NULL, 0, 0, ringid);
1085}
1086
1087/*
1088 * Negatively instantiate the key with the given timeout (in seconds) and link
1089 * the key into the destination keyring if one is given.
1090 *
1091 * The caller must have the appropriate instantiation permit set for this to
1092 * work (see keyctl_assume_authority). No other permissions are required.
1093 *
1094 * The key and any links to the key will be automatically garbage collected
1095 * after the timeout expires.
1096 *
1097 * Negative keys are used to rate limit repeated request_key() calls by causing
1098 * them to return -ENOKEY until the negative key expires.
1099 *
1100 * If successful, 0 will be returned.
983 */ 1101 */
984long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid) 1102long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
985{ 1103{
1104 return keyctl_reject_key(id, timeout, ENOKEY, ringid);
1105}
1106
1107/*
1108 * Negatively instantiate the key with the given timeout (in seconds) and error
1109 * code and link the key into the destination keyring if one is given.
1110 *
1111 * The caller must have the appropriate instantiation permit set for this to
1112 * work (see keyctl_assume_authority). No other permissions are required.
1113 *
1114 * The key and any links to the key will be automatically garbage collected
1115 * after the timeout expires.
1116 *
1117 * Negative keys are used to rate limit repeated request_key() calls by causing
1118 * them to return the specified error code until the negative key expires.
1119 *
1120 * If successful, 0 will be returned.
1121 */
1122long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error,
1123 key_serial_t ringid)
1124{
986 const struct cred *cred = current_cred(); 1125 const struct cred *cred = current_cred();
987 struct request_key_auth *rka; 1126 struct request_key_auth *rka;
988 struct key *instkey, *dest_keyring; 1127 struct key *instkey, *dest_keyring;
989 long ret; 1128 long ret;
990 1129
991 kenter("%d,%u,%d", id, timeout, ringid); 1130 kenter("%d,%u,%u,%d", id, timeout, error, ringid);
1131
1132 /* must be a valid error code and mustn't be a kernel special */
1133 if (error <= 0 ||
1134 error >= MAX_ERRNO ||
1135 error == ERESTARTSYS ||
1136 error == ERESTARTNOINTR ||
1137 error == ERESTARTNOHAND ||
1138 error == ERESTART_RESTARTBLOCK)
1139 return -EINVAL;
992 1140
993 /* the appropriate instantiation authorisation key must have been 1141 /* the appropriate instantiation authorisation key must have been
994 * assumed before calling this */ 1142 * assumed before calling this */
@@ -1008,7 +1156,7 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
1008 goto error; 1156 goto error;
1009 1157
1010 /* instantiate the key and link it into a keyring */ 1158 /* instantiate the key and link it into a keyring */
1011 ret = key_negate_and_link(rka->target_key, timeout, 1159 ret = key_reject_and_link(rka->target_key, timeout, error,
1012 dest_keyring, instkey); 1160 dest_keyring, instkey);
1013 1161
1014 key_put(dest_keyring); 1162 key_put(dest_keyring);
@@ -1020,13 +1168,14 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
1020 1168
1021error: 1169error:
1022 return ret; 1170 return ret;
1171}
1023 1172
1024} /* end keyctl_negate_key() */
1025
1026/*****************************************************************************/
1027/* 1173/*
1028 * set the default keyring in which request_key() will cache keys 1174 * Read or set the default keyring in which request_key() will cache keys and
1029 * - return the old setting 1175 * return the old setting.
1176 *
1177 * If a process keyring is specified then this will be created if it doesn't
1178 * yet exist. The old setting will be returned if successful.
1030 */ 1179 */
1031long keyctl_set_reqkey_keyring(int reqkey_defl) 1180long keyctl_set_reqkey_keyring(int reqkey_defl)
1032{ 1181{
@@ -1079,12 +1228,19 @@ set:
1079error: 1228error:
1080 abort_creds(new); 1229 abort_creds(new);
1081 return ret; 1230 return ret;
1231}
1082 1232
1083} /* end keyctl_set_reqkey_keyring() */
1084
1085/*****************************************************************************/
1086/* 1233/*
1087 * set or clear the timeout for a key 1234 * Set or clear the timeout on a key.
1235 *
1236 * Either the key must grant the caller Setattr permission or else the caller
1237 * must hold an instantiation authorisation token for the key.
1238 *
1239 * The timeout is either 0 to clear the timeout, or a number of seconds from
1240 * the current time. The key and any links to the key will be automatically
1241 * garbage collected after the timeout expires.
1242 *
1243 * If successful, 0 is returned.
1088 */ 1244 */
1089long keyctl_set_timeout(key_serial_t id, unsigned timeout) 1245long keyctl_set_timeout(key_serial_t id, unsigned timeout)
1090{ 1246{
@@ -1136,12 +1292,24 @@ okay:
1136 ret = 0; 1292 ret = 0;
1137error: 1293error:
1138 return ret; 1294 return ret;
1295}
1139 1296
1140} /* end keyctl_set_timeout() */
1141
1142/*****************************************************************************/
1143/* 1297/*
1144 * assume the authority to instantiate the specified key 1298 * Assume (or clear) the authority to instantiate the specified key.
1299 *
1300 * This sets the authoritative token currently in force for key instantiation.
1301 * This must be done for a key to be instantiated. It has the effect of making
1302 * available all the keys from the caller of the request_key() that created a
1303 * key to request_key() calls made by the caller of this function.
1304 *
1305 * The caller must have the instantiation key in their process keyrings with a
1306 * Search permission grant available to the caller.
1307 *
1308 * If the ID given is 0, then the setting will be cleared and 0 returned.
1309 *
1310 * If the ID given has a matching an authorisation key, then that key will be
1311 * set and its ID will be returned. The authorisation key can be read to get
1312 * the callout information passed to request_key().
1145 */ 1313 */
1146long keyctl_assume_authority(key_serial_t id) 1314long keyctl_assume_authority(key_serial_t id)
1147{ 1315{
@@ -1178,16 +1346,17 @@ long keyctl_assume_authority(key_serial_t id)
1178 ret = authkey->serial; 1346 ret = authkey->serial;
1179error: 1347error:
1180 return ret; 1348 return ret;
1181 1349}
1182} /* end keyctl_assume_authority() */
1183 1350
1184/* 1351/*
1185 * get the security label of a key 1352 * Get a key's the LSM security label.
1186 * - the key must grant us view permission 1353 *
1187 * - if there's a buffer, we place up to buflen bytes of data into it 1354 * The key must grant the caller View permission for this to work.
1188 * - unless there's an error, we return the amount of information available, 1355 *
1189 * irrespective of how much we may have copied (including the terminal NUL) 1356 * If there's a buffer, then up to buflen bytes of data will be placed into it.
1190 * - implements keyctl(KEYCTL_GET_SECURITY) 1357 *
1358 * If successful, the amount of information available will be returned,
1359 * irrespective of how much was copied (including the terminal NUL).
1191 */ 1360 */
1192long keyctl_get_security(key_serial_t keyid, 1361long keyctl_get_security(key_serial_t keyid,
1193 char __user *buffer, 1362 char __user *buffer,
@@ -1242,10 +1411,16 @@ long keyctl_get_security(key_serial_t keyid,
1242} 1411}
1243 1412
1244/* 1413/*
1245 * attempt to install the calling process's session keyring on the process's 1414 * Attempt to install the calling process's session keyring on the process's
1246 * parent process 1415 * parent process.
1247 * - the keyring must exist and must grant us LINK permission 1416 *
1248 * - implements keyctl(KEYCTL_SESSION_TO_PARENT) 1417 * The keyring must exist and must grant the caller LINK permission, and the
1418 * parent process must be single-threaded and must have the same effective
1419 * ownership as this process and mustn't be SUID/SGID.
1420 *
1421 * The keyring will be emplaced on the parent when it next resumes userspace.
1422 *
1423 * If successful, 0 will be returned.
1249 */ 1424 */
1250long keyctl_session_to_parent(void) 1425long keyctl_session_to_parent(void)
1251{ 1426{
@@ -1348,9 +1523,8 @@ error_keyring:
1348#endif /* !TIF_NOTIFY_RESUME */ 1523#endif /* !TIF_NOTIFY_RESUME */
1349} 1524}
1350 1525
1351/*****************************************************************************/
1352/* 1526/*
1353 * the key control system call 1527 * The key control system call
1354 */ 1528 */
1355SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, 1529SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
1356 unsigned long, arg4, unsigned long, arg5) 1530 unsigned long, arg4, unsigned long, arg5)
@@ -1436,8 +1610,20 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
1436 case KEYCTL_SESSION_TO_PARENT: 1610 case KEYCTL_SESSION_TO_PARENT:
1437 return keyctl_session_to_parent(); 1611 return keyctl_session_to_parent();
1438 1612
1613 case KEYCTL_REJECT:
1614 return keyctl_reject_key((key_serial_t) arg2,
1615 (unsigned) arg3,
1616 (unsigned) arg4,
1617 (key_serial_t) arg5);
1618
1619 case KEYCTL_INSTANTIATE_IOV:
1620 return keyctl_instantiate_key_iov(
1621 (key_serial_t) arg2,
1622 (const struct iovec __user *) arg3,
1623 (unsigned) arg4,
1624 (key_serial_t) arg5);
1625
1439 default: 1626 default:
1440 return -EOPNOTSUPP; 1627 return -EOPNOTSUPP;
1441 } 1628 }
1442 1629}
1443} /* end sys_keyctl() */
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index d37f713e73ce..a06ffab38568 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -25,14 +25,16 @@
25 (keyring)->payload.subscriptions, \ 25 (keyring)->payload.subscriptions, \
26 rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem))) 26 rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem)))
27 27
28#define KEY_LINK_FIXQUOTA 1UL
29
28/* 30/*
29 * when plumbing the depths of the key tree, this sets a hard limit set on how 31 * When plumbing the depths of the key tree, this sets a hard limit
30 * deep we're willing to go 32 * set on how deep we're willing to go.
31 */ 33 */
32#define KEYRING_SEARCH_MAX_DEPTH 6 34#define KEYRING_SEARCH_MAX_DEPTH 6
33 35
34/* 36/*
35 * we keep all named keyrings in a hash to speed looking them up 37 * We keep all named keyrings in a hash to speed looking them up.
36 */ 38 */
37#define KEYRING_NAME_HASH_SIZE (1 << 5) 39#define KEYRING_NAME_HASH_SIZE (1 << 5)
38 40
@@ -50,7 +52,9 @@ static inline unsigned keyring_hash(const char *desc)
50} 52}
51 53
52/* 54/*
53 * the keyring type definition 55 * The keyring key type definition. Keyrings are simply keys of this type and
56 * can be treated as ordinary keys in addition to having their own special
57 * operations.
54 */ 58 */
55static int keyring_instantiate(struct key *keyring, 59static int keyring_instantiate(struct key *keyring,
56 const void *data, size_t datalen); 60 const void *data, size_t datalen);
@@ -71,19 +75,17 @@ struct key_type key_type_keyring = {
71 .describe = keyring_describe, 75 .describe = keyring_describe,
72 .read = keyring_read, 76 .read = keyring_read,
73}; 77};
74
75EXPORT_SYMBOL(key_type_keyring); 78EXPORT_SYMBOL(key_type_keyring);
76 79
77/* 80/*
78 * semaphore to serialise link/link calls to prevent two link calls in parallel 81 * Semaphore to serialise link/link calls to prevent two link calls in parallel
79 * introducing a cycle 82 * introducing a cycle.
80 */ 83 */
81static DECLARE_RWSEM(keyring_serialise_link_sem); 84static DECLARE_RWSEM(keyring_serialise_link_sem);
82 85
83/*****************************************************************************/
84/* 86/*
85 * publish the name of a keyring so that it can be found by name (if it has 87 * Publish the name of a keyring so that it can be found by name (if it has
86 * one) 88 * one).
87 */ 89 */
88static void keyring_publish_name(struct key *keyring) 90static void keyring_publish_name(struct key *keyring)
89{ 91{
@@ -102,13 +104,12 @@ static void keyring_publish_name(struct key *keyring)
102 104
103 write_unlock(&keyring_name_lock); 105 write_unlock(&keyring_name_lock);
104 } 106 }
107}
105 108
106} /* end keyring_publish_name() */
107
108/*****************************************************************************/
109/* 109/*
110 * initialise a keyring 110 * Initialise a keyring.
111 * - we object if we were given any data 111 *
112 * Returns 0 on success, -EINVAL if given any data.
112 */ 113 */
113static int keyring_instantiate(struct key *keyring, 114static int keyring_instantiate(struct key *keyring,
114 const void *data, size_t datalen) 115 const void *data, size_t datalen)
@@ -123,23 +124,20 @@ static int keyring_instantiate(struct key *keyring,
123 } 124 }
124 125
125 return ret; 126 return ret;
127}
126 128
127} /* end keyring_instantiate() */
128
129/*****************************************************************************/
130/* 129/*
131 * match keyrings on their name 130 * Match keyrings on their name
132 */ 131 */
133static int keyring_match(const struct key *keyring, const void *description) 132static int keyring_match(const struct key *keyring, const void *description)
134{ 133{
135 return keyring->description && 134 return keyring->description &&
136 strcmp(keyring->description, description) == 0; 135 strcmp(keyring->description, description) == 0;
136}
137 137
138} /* end keyring_match() */
139
140/*****************************************************************************/
141/* 138/*
142 * dispose of the data dangling from the corpse of a keyring 139 * Clean up a keyring when it is destroyed. Unpublish its name if it had one
140 * and dispose of its data.
143 */ 141 */
144static void keyring_destroy(struct key *keyring) 142static void keyring_destroy(struct key *keyring)
145{ 143{
@@ -164,12 +162,10 @@ static void keyring_destroy(struct key *keyring)
164 key_put(klist->keys[loop]); 162 key_put(klist->keys[loop]);
165 kfree(klist); 163 kfree(klist);
166 } 164 }
165}
167 166
168} /* end keyring_destroy() */
169
170/*****************************************************************************/
171/* 167/*
172 * describe the keyring 168 * Describe a keyring for /proc.
173 */ 169 */
174static void keyring_describe(const struct key *keyring, struct seq_file *m) 170static void keyring_describe(const struct key *keyring, struct seq_file *m)
175{ 171{
@@ -180,20 +176,21 @@ static void keyring_describe(const struct key *keyring, struct seq_file *m)
180 else 176 else
181 seq_puts(m, "[anon]"); 177 seq_puts(m, "[anon]");
182 178
183 rcu_read_lock(); 179 if (key_is_instantiated(keyring)) {
184 klist = rcu_dereference(keyring->payload.subscriptions); 180 rcu_read_lock();
185 if (klist) 181 klist = rcu_dereference(keyring->payload.subscriptions);
186 seq_printf(m, ": %u/%u", klist->nkeys, klist->maxkeys); 182 if (klist)
187 else 183 seq_printf(m, ": %u/%u", klist->nkeys, klist->maxkeys);
188 seq_puts(m, ": empty"); 184 else
189 rcu_read_unlock(); 185 seq_puts(m, ": empty");
190 186 rcu_read_unlock();
191} /* end keyring_describe() */ 187 }
188}
192 189
193/*****************************************************************************/
194/* 190/*
195 * read a list of key IDs from the keyring's contents 191 * Read a list of key IDs from the keyring's contents in binary form
196 * - the keyring's semaphore is read-locked 192 *
193 * The keyring's semaphore is read-locked by the caller.
197 */ 194 */
198static long keyring_read(const struct key *keyring, 195static long keyring_read(const struct key *keyring,
199 char __user *buffer, size_t buflen) 196 char __user *buffer, size_t buflen)
@@ -241,12 +238,10 @@ static long keyring_read(const struct key *keyring,
241 238
242error: 239error:
243 return ret; 240 return ret;
241}
244 242
245} /* end keyring_read() */
246
247/*****************************************************************************/
248/* 243/*
249 * allocate a keyring and link into the destination keyring 244 * Allocate a keyring and link into the destination keyring.
250 */ 245 */
251struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, 246struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
252 const struct cred *cred, unsigned long flags, 247 const struct cred *cred, unsigned long flags,
@@ -269,26 +264,50 @@ struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
269 } 264 }
270 265
271 return keyring; 266 return keyring;
267}
272 268
273} /* end keyring_alloc() */ 269/**
274 270 * keyring_search_aux - Search a keyring tree for a key matching some criteria
275/*****************************************************************************/ 271 * @keyring_ref: A pointer to the keyring with possession indicator.
276/* 272 * @cred: The credentials to use for permissions checks.
277 * search the supplied keyring tree for a key that matches the criterion 273 * @type: The type of key to search for.
278 * - perform a breadth-then-depth search up to the prescribed limit 274 * @description: Parameter for @match.
279 * - we only find keys on which we have search permission 275 * @match: Function to rule on whether or not a key is the one required.
280 * - we use the supplied match function to see if the description (or other 276 * @no_state_check: Don't check if a matching key is bad
281 * feature of interest) matches 277 *
282 * - we rely on RCU to prevent the keyring lists from disappearing on us 278 * Search the supplied keyring tree for a key that matches the criteria given.
283 * - we return -EAGAIN if we didn't find any matching key 279 * The root keyring and any linked keyrings must grant Search permission to the
284 * - we return -ENOKEY if we only found negative matching keys 280 * caller to be searchable and keys can only be found if they too grant Search
285 * - we propagate the possession attribute from the keyring ref to the key ref 281 * to the caller. The possession flag on the root keyring pointer controls use
282 * of the possessor bits in permissions checking of the entire tree. In
283 * addition, the LSM gets to forbid keyring searches and key matches.
284 *
285 * The search is performed as a breadth-then-depth search up to the prescribed
286 * limit (KEYRING_SEARCH_MAX_DEPTH).
287 *
288 * Keys are matched to the type provided and are then filtered by the match
289 * function, which is given the description to use in any way it sees fit. The
290 * match function may use any attributes of a key that it wishes to to
291 * determine the match. Normally the match function from the key type would be
292 * used.
293 *
294 * RCU is used to prevent the keyring key lists from disappearing without the
295 * need to take lots of locks.
296 *
297 * Returns a pointer to the found key and increments the key usage count if
298 * successful; -EAGAIN if no matching keys were found, or if expired or revoked
299 * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the
300 * specified keyring wasn't a keyring.
301 *
302 * In the case of a successful return, the possession attribute from
303 * @keyring_ref is propagated to the returned key reference.
286 */ 304 */
287key_ref_t keyring_search_aux(key_ref_t keyring_ref, 305key_ref_t keyring_search_aux(key_ref_t keyring_ref,
288 const struct cred *cred, 306 const struct cred *cred,
289 struct key_type *type, 307 struct key_type *type,
290 const void *description, 308 const void *description,
291 key_match_func_t match) 309 key_match_func_t match,
310 bool no_state_check)
292{ 311{
293 struct { 312 struct {
294 struct keyring_list *keylist; 313 struct keyring_list *keylist;
@@ -330,6 +349,8 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
330 kflags = keyring->flags; 349 kflags = keyring->flags;
331 if (keyring->type == type && match(keyring, description)) { 350 if (keyring->type == type && match(keyring, description)) {
332 key = keyring; 351 key = keyring;
352 if (no_state_check)
353 goto found;
333 354
334 /* check it isn't negative and hasn't expired or been 355 /* check it isn't negative and hasn't expired or been
335 * revoked */ 356 * revoked */
@@ -337,7 +358,7 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
337 goto error_2; 358 goto error_2;
338 if (key->expiry && now.tv_sec >= key->expiry) 359 if (key->expiry && now.tv_sec >= key->expiry)
339 goto error_2; 360 goto error_2;
340 key_ref = ERR_PTR(-ENOKEY); 361 key_ref = ERR_PTR(key->type_data.reject_error);
341 if (kflags & (1 << KEY_FLAG_NEGATIVE)) 362 if (kflags & (1 << KEY_FLAG_NEGATIVE))
342 goto error_2; 363 goto error_2;
343 goto found; 364 goto found;
@@ -369,11 +390,13 @@ descend:
369 continue; 390 continue;
370 391
371 /* skip revoked keys and expired keys */ 392 /* skip revoked keys and expired keys */
372 if (kflags & (1 << KEY_FLAG_REVOKED)) 393 if (!no_state_check) {
373 continue; 394 if (kflags & (1 << KEY_FLAG_REVOKED))
395 continue;
374 396
375 if (key->expiry && now.tv_sec >= key->expiry) 397 if (key->expiry && now.tv_sec >= key->expiry)
376 continue; 398 continue;
399 }
377 400
378 /* keys that don't match */ 401 /* keys that don't match */
379 if (!match(key, description)) 402 if (!match(key, description))
@@ -384,9 +407,12 @@ descend:
384 cred, KEY_SEARCH) < 0) 407 cred, KEY_SEARCH) < 0)
385 continue; 408 continue;
386 409
410 if (no_state_check)
411 goto found;
412
387 /* we set a different error code if we pass a negative key */ 413 /* we set a different error code if we pass a negative key */
388 if (kflags & (1 << KEY_FLAG_NEGATIVE)) { 414 if (kflags & (1 << KEY_FLAG_NEGATIVE)) {
389 err = -ENOKEY; 415 err = key->type_data.reject_error;
390 continue; 416 continue;
391 } 417 }
392 418
@@ -444,17 +470,16 @@ error_2:
444 rcu_read_unlock(); 470 rcu_read_unlock();
445error: 471error:
446 return key_ref; 472 return key_ref;
473}
447 474
448} /* end keyring_search_aux() */ 475/**
449 476 * keyring_search - Search the supplied keyring tree for a matching key
450/*****************************************************************************/ 477 * @keyring: The root of the keyring tree to be searched.
451/* 478 * @type: The type of keyring we want to find.
452 * search the supplied keyring tree for a key that matches the criterion 479 * @description: The name of the keyring we want to find.
453 * - perform a breadth-then-depth search up to the prescribed limit 480 *
454 * - we only find keys on which we have search permission 481 * As keyring_search_aux() above, but using the current task's credentials and
455 * - we readlock the keyrings as we search down the tree 482 * type's default matching function.
456 * - we return -EAGAIN if we didn't find any matching key
457 * - we return -ENOKEY if we only found negative matching keys
458 */ 483 */
459key_ref_t keyring_search(key_ref_t keyring, 484key_ref_t keyring_search(key_ref_t keyring,
460 struct key_type *type, 485 struct key_type *type,
@@ -464,17 +489,24 @@ key_ref_t keyring_search(key_ref_t keyring,
464 return ERR_PTR(-ENOKEY); 489 return ERR_PTR(-ENOKEY);
465 490
466 return keyring_search_aux(keyring, current->cred, 491 return keyring_search_aux(keyring, current->cred,
467 type, description, type->match); 492 type, description, type->match, false);
468 493}
469} /* end keyring_search() */
470
471EXPORT_SYMBOL(keyring_search); 494EXPORT_SYMBOL(keyring_search);
472 495
473/*****************************************************************************/
474/* 496/*
475 * search the given keyring only (no recursion) 497 * Search the given keyring only (no recursion).
476 * - keyring must be locked by caller 498 *
477 * - caller must guarantee that the keyring is a keyring 499 * The caller must guarantee that the keyring is a keyring and that the
500 * permission is granted to search the keyring as no check is made here.
501 *
502 * RCU is used to make it unnecessary to lock the keyring key list here.
503 *
504 * Returns a pointer to the found key with usage count incremented if
505 * successful and returns -ENOKEY if not found. Revoked keys and keys not
506 * providing the requested permission are skipped over.
507 *
508 * If successful, the possession indicator is propagated from the keyring ref
509 * to the returned key reference.
478 */ 510 */
479key_ref_t __keyring_search_one(key_ref_t keyring_ref, 511key_ref_t __keyring_search_one(key_ref_t keyring_ref,
480 const struct key_type *ktype, 512 const struct key_type *ktype,
@@ -514,14 +546,18 @@ found:
514 atomic_inc(&key->usage); 546 atomic_inc(&key->usage);
515 rcu_read_unlock(); 547 rcu_read_unlock();
516 return make_key_ref(key, possessed); 548 return make_key_ref(key, possessed);
549}
517 550
518} /* end __keyring_search_one() */
519
520/*****************************************************************************/
521/* 551/*
522 * find a keyring with the specified name 552 * Find a keyring with the specified name.
523 * - all named keyrings are searched 553 *
524 * - normally only finds keyrings with search permission for the current process 554 * All named keyrings in the current user namespace are searched, provided they
555 * grant Search permission directly to the caller (unless this check is
556 * skipped). Keyrings whose usage points have reached zero or who have been
557 * revoked are skipped.
558 *
559 * Returns a pointer to the keyring with the keyring's refcount having being
560 * incremented on success. -ENOKEY is returned if a key could not be found.
525 */ 561 */
526struct key *find_keyring_by_name(const char *name, bool skip_perm_check) 562struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
527{ 563{
@@ -569,15 +605,14 @@ struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
569out: 605out:
570 read_unlock(&keyring_name_lock); 606 read_unlock(&keyring_name_lock);
571 return keyring; 607 return keyring;
608}
572 609
573} /* end find_keyring_by_name() */
574
575/*****************************************************************************/
576/* 610/*
577 * see if a cycle will will be created by inserting acyclic tree B in acyclic 611 * See if a cycle will will be created by inserting acyclic tree B in acyclic
578 * tree A at the topmost level (ie: as a direct child of A) 612 * tree A at the topmost level (ie: as a direct child of A).
579 * - since we are adding B to A at the top level, checking for cycles should 613 *
580 * just be a matter of seeing if node A is somewhere in tree B 614 * Since we are adding B to A at the top level, checking for cycles should just
615 * be a matter of seeing if node A is somewhere in tree B.
581 */ 616 */
582static int keyring_detect_cycle(struct key *A, struct key *B) 617static int keyring_detect_cycle(struct key *A, struct key *B)
583{ 618{
@@ -657,11 +692,10 @@ too_deep:
657cycle_detected: 692cycle_detected:
658 ret = -EDEADLK; 693 ret = -EDEADLK;
659 goto error; 694 goto error;
660 695}
661} /* end keyring_detect_cycle() */
662 696
663/* 697/*
664 * dispose of a keyring list after the RCU grace period, freeing the unlinked 698 * Dispose of a keyring list after the RCU grace period, freeing the unlinked
665 * key 699 * key
666 */ 700 */
667static void keyring_unlink_rcu_disposal(struct rcu_head *rcu) 701static void keyring_unlink_rcu_disposal(struct rcu_head *rcu)
@@ -675,14 +709,14 @@ static void keyring_unlink_rcu_disposal(struct rcu_head *rcu)
675} 709}
676 710
677/* 711/*
678 * preallocate memory so that a key can be linked into to a keyring 712 * Preallocate memory so that a key can be linked into to a keyring.
679 */ 713 */
680int __key_link_begin(struct key *keyring, const struct key_type *type, 714int __key_link_begin(struct key *keyring, const struct key_type *type,
681 const char *description, 715 const char *description, unsigned long *_prealloc)
682 struct keyring_list **_prealloc)
683 __acquires(&keyring->sem) 716 __acquires(&keyring->sem)
684{ 717{
685 struct keyring_list *klist, *nklist; 718 struct keyring_list *klist, *nklist;
719 unsigned long prealloc;
686 unsigned max; 720 unsigned max;
687 size_t size; 721 size_t size;
688 int loop, ret; 722 int loop, ret;
@@ -725,6 +759,7 @@ int __key_link_begin(struct key *keyring, const struct key_type *type,
725 759
726 /* note replacement slot */ 760 /* note replacement slot */
727 klist->delkey = nklist->delkey = loop; 761 klist->delkey = nklist->delkey = loop;
762 prealloc = (unsigned long)nklist;
728 goto done; 763 goto done;
729 } 764 }
730 } 765 }
@@ -739,6 +774,7 @@ int __key_link_begin(struct key *keyring, const struct key_type *type,
739 if (klist && klist->nkeys < klist->maxkeys) { 774 if (klist && klist->nkeys < klist->maxkeys) {
740 /* there's sufficient slack space to append directly */ 775 /* there's sufficient slack space to append directly */
741 nklist = NULL; 776 nklist = NULL;
777 prealloc = KEY_LINK_FIXQUOTA;
742 } else { 778 } else {
743 /* grow the key list */ 779 /* grow the key list */
744 max = 4; 780 max = 4;
@@ -773,8 +809,9 @@ int __key_link_begin(struct key *keyring, const struct key_type *type,
773 nklist->keys[nklist->delkey] = NULL; 809 nklist->keys[nklist->delkey] = NULL;
774 } 810 }
775 811
812 prealloc = (unsigned long)nklist | KEY_LINK_FIXQUOTA;
776done: 813done:
777 *_prealloc = nklist; 814 *_prealloc = prealloc;
778 kleave(" = 0"); 815 kleave(" = 0");
779 return 0; 816 return 0;
780 817
@@ -792,10 +829,10 @@ error_krsem:
792} 829}
793 830
794/* 831/*
795 * check already instantiated keys aren't going to be a problem 832 * Check already instantiated keys aren't going to be a problem.
796 * - the caller must have called __key_link_begin() 833 *
797 * - don't need to call this for keys that were created since __key_link_begin() 834 * The caller must have called __key_link_begin(). Don't need to call this for
798 * was called 835 * keys that were created since __key_link_begin() was called.
799 */ 836 */
800int __key_link_check_live_key(struct key *keyring, struct key *key) 837int __key_link_check_live_key(struct key *keyring, struct key *key)
801{ 838{
@@ -807,17 +844,20 @@ int __key_link_check_live_key(struct key *keyring, struct key *key)
807} 844}
808 845
809/* 846/*
810 * link a key into to a keyring 847 * Link a key into to a keyring.
811 * - must be called with __key_link_begin() having being called 848 *
812 * - discard already extant link to matching key if there is one 849 * Must be called with __key_link_begin() having being called. Discards any
850 * already extant link to matching key if there is one, so that each keyring
851 * holds at most one link to any given key of a particular type+description
852 * combination.
813 */ 853 */
814void __key_link(struct key *keyring, struct key *key, 854void __key_link(struct key *keyring, struct key *key,
815 struct keyring_list **_prealloc) 855 unsigned long *_prealloc)
816{ 856{
817 struct keyring_list *klist, *nklist; 857 struct keyring_list *klist, *nklist;
818 858
819 nklist = *_prealloc; 859 nklist = (struct keyring_list *)(*_prealloc & ~KEY_LINK_FIXQUOTA);
820 *_prealloc = NULL; 860 *_prealloc = 0;
821 861
822 kenter("%d,%d,%p", keyring->serial, key->serial, nklist); 862 kenter("%d,%d,%p", keyring->serial, key->serial, nklist);
823 863
@@ -852,34 +892,54 @@ void __key_link(struct key *keyring, struct key *key,
852} 892}
853 893
854/* 894/*
855 * finish linking a key into to a keyring 895 * Finish linking a key into to a keyring.
856 * - must be called with __key_link_begin() having being called 896 *
897 * Must be called with __key_link_begin() having being called.
857 */ 898 */
858void __key_link_end(struct key *keyring, struct key_type *type, 899void __key_link_end(struct key *keyring, struct key_type *type,
859 struct keyring_list *prealloc) 900 unsigned long prealloc)
860 __releases(&keyring->sem) 901 __releases(&keyring->sem)
861{ 902{
862 BUG_ON(type == NULL); 903 BUG_ON(type == NULL);
863 BUG_ON(type->name == NULL); 904 BUG_ON(type->name == NULL);
864 kenter("%d,%s,%p", keyring->serial, type->name, prealloc); 905 kenter("%d,%s,%lx", keyring->serial, type->name, prealloc);
865 906
866 if (type == &key_type_keyring) 907 if (type == &key_type_keyring)
867 up_write(&keyring_serialise_link_sem); 908 up_write(&keyring_serialise_link_sem);
868 909
869 if (prealloc) { 910 if (prealloc) {
870 kfree(prealloc); 911 if (prealloc & KEY_LINK_FIXQUOTA)
871 key_payload_reserve(keyring, 912 key_payload_reserve(keyring,
872 keyring->datalen - KEYQUOTA_LINK_BYTES); 913 keyring->datalen -
914 KEYQUOTA_LINK_BYTES);
915 kfree((struct keyring_list *)(prealloc & ~KEY_LINK_FIXQUOTA));
873 } 916 }
874 up_write(&keyring->sem); 917 up_write(&keyring->sem);
875} 918}
876 919
877/* 920/**
878 * link a key to a keyring 921 * key_link - Link a key to a keyring
922 * @keyring: The keyring to make the link in.
923 * @key: The key to link to.
924 *
925 * Make a link in a keyring to a key, such that the keyring holds a reference
926 * on that key and the key can potentially be found by searching that keyring.
927 *
928 * This function will write-lock the keyring's semaphore and will consume some
929 * of the user's key data quota to hold the link.
930 *
931 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring,
932 * -EKEYREVOKED if the keyring has been revoked, -ENFILE if the keyring is
933 * full, -EDQUOT if there is insufficient key data quota remaining to add
934 * another link or -ENOMEM if there's insufficient memory.
935 *
936 * It is assumed that the caller has checked that it is permitted for a link to
937 * be made (the keyring should have Write permission and the key Link
938 * permission).
879 */ 939 */
880int key_link(struct key *keyring, struct key *key) 940int key_link(struct key *keyring, struct key *key)
881{ 941{
882 struct keyring_list *prealloc; 942 unsigned long prealloc;
883 int ret; 943 int ret;
884 944
885 key_check(keyring); 945 key_check(keyring);
@@ -895,12 +955,24 @@ int key_link(struct key *keyring, struct key *key)
895 955
896 return ret; 956 return ret;
897} 957}
898
899EXPORT_SYMBOL(key_link); 958EXPORT_SYMBOL(key_link);
900 959
901/*****************************************************************************/ 960/**
902/* 961 * key_unlink - Unlink the first link to a key from a keyring.
903 * unlink the first link to a key from a keyring 962 * @keyring: The keyring to remove the link from.
963 * @key: The key the link is to.
964 *
965 * Remove a link from a keyring to a key.
966 *
967 * This function will write-lock the keyring's semaphore.
968 *
969 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, -ENOENT if
970 * the key isn't linked to by the keyring or -ENOMEM if there's insufficient
971 * memory.
972 *
973 * It is assumed that the caller has checked that it is permitted for a link to
974 * be removed (the keyring should have Write permission; no permissions are
975 * required on the key).
904 */ 976 */
905int key_unlink(struct key *keyring, struct key *key) 977int key_unlink(struct key *keyring, struct key *key)
906{ 978{
@@ -968,15 +1040,12 @@ nomem:
968 ret = -ENOMEM; 1040 ret = -ENOMEM;
969 up_write(&keyring->sem); 1041 up_write(&keyring->sem);
970 goto error; 1042 goto error;
971 1043}
972} /* end key_unlink() */
973
974EXPORT_SYMBOL(key_unlink); 1044EXPORT_SYMBOL(key_unlink);
975 1045
976/*****************************************************************************/
977/* 1046/*
978 * dispose of a keyring list after the RCU grace period, releasing the keys it 1047 * Dispose of a keyring list after the RCU grace period, releasing the keys it
979 * links to 1048 * links to.
980 */ 1049 */
981static void keyring_clear_rcu_disposal(struct rcu_head *rcu) 1050static void keyring_clear_rcu_disposal(struct rcu_head *rcu)
982{ 1051{
@@ -989,13 +1058,15 @@ static void keyring_clear_rcu_disposal(struct rcu_head *rcu)
989 key_put(klist->keys[loop]); 1058 key_put(klist->keys[loop]);
990 1059
991 kfree(klist); 1060 kfree(klist);
1061}
992 1062
993} /* end keyring_clear_rcu_disposal() */ 1063/**
994 1064 * keyring_clear - Clear a keyring
995/*****************************************************************************/ 1065 * @keyring: The keyring to clear.
996/* 1066 *
997 * clear the specified process keyring 1067 * Clear the contents of the specified keyring.
998 * - implements keyctl(KEYCTL_CLEAR) 1068 *
1069 * Returns 0 if successful or -ENOTDIR if the keyring isn't a keyring.
999 */ 1070 */
1000int keyring_clear(struct key *keyring) 1071int keyring_clear(struct key *keyring)
1001{ 1072{
@@ -1027,15 +1098,13 @@ int keyring_clear(struct key *keyring)
1027 } 1098 }
1028 1099
1029 return ret; 1100 return ret;
1030 1101}
1031} /* end keyring_clear() */
1032
1033EXPORT_SYMBOL(keyring_clear); 1102EXPORT_SYMBOL(keyring_clear);
1034 1103
1035/*****************************************************************************/
1036/* 1104/*
1037 * dispose of the links from a revoked keyring 1105 * Dispose of the links from a revoked keyring.
1038 * - called with the key sem write-locked 1106 *
1107 * This is called with the key sem write-locked.
1039 */ 1108 */
1040static void keyring_revoke(struct key *keyring) 1109static void keyring_revoke(struct key *keyring)
1041{ 1110{
@@ -1050,11 +1119,10 @@ static void keyring_revoke(struct key *keyring)
1050 rcu_assign_pointer(keyring->payload.subscriptions, NULL); 1119 rcu_assign_pointer(keyring->payload.subscriptions, NULL);
1051 call_rcu(&klist->rcu, keyring_clear_rcu_disposal); 1120 call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
1052 } 1121 }
1053 1122}
1054} /* end keyring_revoke() */
1055 1123
1056/* 1124/*
1057 * Determine whether a key is dead 1125 * Determine whether a key is dead.
1058 */ 1126 */
1059static bool key_is_dead(struct key *key, time_t limit) 1127static bool key_is_dead(struct key *key, time_t limit)
1060{ 1128{
@@ -1063,7 +1131,12 @@ static bool key_is_dead(struct key *key, time_t limit)
1063} 1131}
1064 1132
1065/* 1133/*
1066 * Collect garbage from the contents of a keyring 1134 * Collect garbage from the contents of a keyring, replacing the old list with
1135 * a new one with the pointers all shuffled down.
1136 *
1137 * Dead keys are classed as oned that are flagged as being dead or are revoked,
1138 * expired or negative keys that were revoked or expired before the specified
1139 * limit.
1067 */ 1140 */
1068void keyring_gc(struct key *keyring, time_t limit) 1141void keyring_gc(struct key *keyring, time_t limit)
1069{ 1142{
diff --git a/security/keys/permission.c b/security/keys/permission.c
index 28645502cd0d..c35b5229e3cd 100644
--- a/security/keys/permission.c
+++ b/security/keys/permission.c
@@ -1,4 +1,4 @@
1/* permission.c: key permission determination 1/* Key permission checking
2 * 2 *
3 * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved. 3 * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com) 4 * Written by David Howells (dhowells@redhat.com)
@@ -13,18 +13,19 @@
13#include <linux/security.h> 13#include <linux/security.h>
14#include "internal.h" 14#include "internal.h"
15 15
16/*****************************************************************************/
17/** 16/**
18 * key_task_permission - Check a key can be used 17 * key_task_permission - Check a key can be used
19 * @key_ref: The key to check 18 * @key_ref: The key to check.
20 * @cred: The credentials to use 19 * @cred: The credentials to use.
21 * @perm: The permissions to check for 20 * @perm: The permissions to check for.
22 * 21 *
23 * Check to see whether permission is granted to use a key in the desired way, 22 * Check to see whether permission is granted to use a key in the desired way,
24 * but permit the security modules to override. 23 * but permit the security modules to override.
25 * 24 *
26 * The caller must hold either a ref on cred or must hold the RCU readlock or a 25 * The caller must hold either a ref on cred or must hold the RCU readlock.
27 * spinlock. 26 *
27 * Returns 0 if successful, -EACCES if access is denied based on the
28 * permissions bits or the LSM check.
28 */ 29 */
29int key_task_permission(const key_ref_t key_ref, const struct cred *cred, 30int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
30 key_perm_t perm) 31 key_perm_t perm)
@@ -79,14 +80,16 @@ use_these_perms:
79 80
80 /* let LSM be the final arbiter */ 81 /* let LSM be the final arbiter */
81 return security_key_permission(key_ref, cred, perm); 82 return security_key_permission(key_ref, cred, perm);
82 83}
83} /* end key_task_permission() */
84
85EXPORT_SYMBOL(key_task_permission); 84EXPORT_SYMBOL(key_task_permission);
86 85
87/*****************************************************************************/ 86/**
88/* 87 * key_validate - Validate a key.
89 * validate a key 88 * @key: The key to be validated.
89 *
90 * Check that a key is valid, returning 0 if the key is okay, -EKEYREVOKED if
91 * the key's type has been removed or if the key has been revoked or
92 * -EKEYEXPIRED if the key has expired.
90 */ 93 */
91int key_validate(struct key *key) 94int key_validate(struct key *key)
92{ 95{
@@ -111,7 +114,5 @@ int key_validate(struct key *key)
111 114
112error: 115error:
113 return ret; 116 return ret;
114 117}
115} /* end key_validate() */
116
117EXPORT_SYMBOL(key_validate); 118EXPORT_SYMBOL(key_validate);
diff --git a/security/keys/proc.c b/security/keys/proc.c
index 70373966816e..49bbc97943ad 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -1,4 +1,4 @@
1/* proc.c: proc files for key database enumeration 1/* procfs files for key database enumeration
2 * 2 *
3 * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved. 3 * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com) 4 * Written by David Howells (dhowells@redhat.com)
@@ -60,9 +60,8 @@ static const struct file_operations proc_key_users_fops = {
60 .release = seq_release, 60 .release = seq_release,
61}; 61};
62 62
63/*****************************************************************************/
64/* 63/*
65 * declare the /proc files 64 * Declare the /proc files.
66 */ 65 */
67static int __init key_proc_init(void) 66static int __init key_proc_init(void)
68{ 67{
@@ -79,14 +78,13 @@ static int __init key_proc_init(void)
79 panic("Cannot create /proc/key-users\n"); 78 panic("Cannot create /proc/key-users\n");
80 79
81 return 0; 80 return 0;
82 81}
83} /* end key_proc_init() */
84 82
85__initcall(key_proc_init); 83__initcall(key_proc_init);
86 84
87/*****************************************************************************/
88/* 85/*
89 * implement "/proc/keys" to provides a list of the keys on the system 86 * Implement "/proc/keys" to provide a list of the keys on the system that
87 * grant View permission to the caller.
90 */ 88 */
91#ifdef CONFIG_KEYS_DEBUG_PROC_KEYS 89#ifdef CONFIG_KEYS_DEBUG_PROC_KEYS
92 90
@@ -201,7 +199,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
201 if (key->perm & KEY_POS_VIEW) { 199 if (key->perm & KEY_POS_VIEW) {
202 skey_ref = search_my_process_keyrings(key->type, key, 200 skey_ref = search_my_process_keyrings(key->type, key,
203 lookup_user_key_possessed, 201 lookup_user_key_possessed,
204 cred); 202 true, cred);
205 if (!IS_ERR(skey_ref)) { 203 if (!IS_ERR(skey_ref)) {
206 key_ref_put(skey_ref); 204 key_ref_put(skey_ref);
207 key_ref = make_key_ref(key, 1); 205 key_ref = make_key_ref(key, 1);
@@ -293,9 +291,9 @@ static struct rb_node *key_user_first(struct rb_root *r)
293 return __key_user_next(n); 291 return __key_user_next(n);
294} 292}
295 293
296/*****************************************************************************/
297/* 294/*
298 * implement "/proc/key-users" to provides a list of the key users 295 * Implement "/proc/key-users" to provides a list of the key users and their
296 * quotas.
299 */ 297 */
300static int proc_key_users_open(struct inode *inode, struct file *file) 298static int proc_key_users_open(struct inode *inode, struct file *file)
301{ 299{
@@ -351,5 +349,4 @@ static int proc_key_users_show(struct seq_file *m, void *v)
351 maxbytes); 349 maxbytes);
352 350
353 return 0; 351 return 0;
354
355} 352}
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index f8e7251ae2c8..a3063eb3dc23 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -1,4 +1,4 @@
1/* Management of a process's keyrings 1/* Manage a process's keyrings
2 * 2 *
3 * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved. 3 * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com) 4 * Written by David Howells (dhowells@redhat.com)
@@ -21,13 +21,13 @@
21#include <asm/uaccess.h> 21#include <asm/uaccess.h>
22#include "internal.h" 22#include "internal.h"
23 23
24/* session keyring create vs join semaphore */ 24/* Session keyring create vs join semaphore */
25static DEFINE_MUTEX(key_session_mutex); 25static DEFINE_MUTEX(key_session_mutex);
26 26
27/* user keyring creation semaphore */ 27/* User keyring creation semaphore */
28static DEFINE_MUTEX(key_user_keyring_mutex); 28static DEFINE_MUTEX(key_user_keyring_mutex);
29 29
30/* the root user's tracking struct */ 30/* The root user's tracking struct */
31struct key_user root_key_user = { 31struct key_user root_key_user = {
32 .usage = ATOMIC_INIT(3), 32 .usage = ATOMIC_INIT(3),
33 .cons_lock = __MUTEX_INITIALIZER(root_key_user.cons_lock), 33 .cons_lock = __MUTEX_INITIALIZER(root_key_user.cons_lock),
@@ -38,9 +38,8 @@ struct key_user root_key_user = {
38 .user_ns = &init_user_ns, 38 .user_ns = &init_user_ns,
39}; 39};
40 40
41/*****************************************************************************/
42/* 41/*
43 * install user and user session keyrings for a particular UID 42 * Install the user and user session keyrings for the current process's UID.
44 */ 43 */
45int install_user_keyrings(void) 44int install_user_keyrings(void)
46{ 45{
@@ -122,7 +121,8 @@ error:
122} 121}
123 122
124/* 123/*
125 * install a fresh thread keyring directly to new credentials 124 * Install a fresh thread keyring directly to new credentials. This keyring is
125 * allowed to overrun the quota.
126 */ 126 */
127int install_thread_keyring_to_cred(struct cred *new) 127int install_thread_keyring_to_cred(struct cred *new)
128{ 128{
@@ -138,7 +138,7 @@ int install_thread_keyring_to_cred(struct cred *new)
138} 138}
139 139
140/* 140/*
141 * install a fresh thread keyring, discarding the old one 141 * Install a fresh thread keyring, discarding the old one.
142 */ 142 */
143static int install_thread_keyring(void) 143static int install_thread_keyring(void)
144{ 144{
@@ -161,9 +161,10 @@ static int install_thread_keyring(void)
161} 161}
162 162
163/* 163/*
164 * install a process keyring directly to a credentials struct 164 * Install a process keyring directly to a credentials struct.
165 * - returns -EEXIST if there was already a process keyring, 0 if one installed, 165 *
166 * and other -ve on any other error 166 * Returns -EEXIST if there was already a process keyring, 0 if one installed,
167 * and other value on any other error
167 */ 168 */
168int install_process_keyring_to_cred(struct cred *new) 169int install_process_keyring_to_cred(struct cred *new)
169{ 170{
@@ -192,8 +193,11 @@ int install_process_keyring_to_cred(struct cred *new)
192} 193}
193 194
194/* 195/*
195 * make sure a process keyring is installed 196 * Make sure a process keyring is installed for the current process. The
196 * - we 197 * existing process keyring is not replaced.
198 *
199 * Returns 0 if there is a process keyring by the end of this function, some
200 * error otherwise.
197 */ 201 */
198static int install_process_keyring(void) 202static int install_process_keyring(void)
199{ 203{
@@ -207,14 +211,14 @@ static int install_process_keyring(void)
207 ret = install_process_keyring_to_cred(new); 211 ret = install_process_keyring_to_cred(new);
208 if (ret < 0) { 212 if (ret < 0) {
209 abort_creds(new); 213 abort_creds(new);
210 return ret != -EEXIST ?: 0; 214 return ret != -EEXIST ? ret : 0;
211 } 215 }
212 216
213 return commit_creds(new); 217 return commit_creds(new);
214} 218}
215 219
216/* 220/*
217 * install a session keyring directly to a credentials struct 221 * Install a session keyring directly to a credentials struct.
218 */ 222 */
219int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) 223int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
220{ 224{
@@ -254,8 +258,8 @@ int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
254} 258}
255 259
256/* 260/*
257 * install a session keyring, discarding the old one 261 * Install a session keyring, discarding the old one. If a keyring is not
258 * - if a keyring is not supplied, an empty one is invented 262 * supplied, an empty one is invented.
259 */ 263 */
260static int install_session_keyring(struct key *keyring) 264static int install_session_keyring(struct key *keyring)
261{ 265{
@@ -275,9 +279,8 @@ static int install_session_keyring(struct key *keyring)
275 return commit_creds(new); 279 return commit_creds(new);
276} 280}
277 281
278/*****************************************************************************/
279/* 282/*
280 * the filesystem user ID changed 283 * Handle the fsuid changing.
281 */ 284 */
282void key_fsuid_changed(struct task_struct *tsk) 285void key_fsuid_changed(struct task_struct *tsk)
283{ 286{
@@ -288,12 +291,10 @@ void key_fsuid_changed(struct task_struct *tsk)
288 tsk->cred->thread_keyring->uid = tsk->cred->fsuid; 291 tsk->cred->thread_keyring->uid = tsk->cred->fsuid;
289 up_write(&tsk->cred->thread_keyring->sem); 292 up_write(&tsk->cred->thread_keyring->sem);
290 } 293 }
294}
291 295
292} /* end key_fsuid_changed() */
293
294/*****************************************************************************/
295/* 296/*
296 * the filesystem group ID changed 297 * Handle the fsgid changing.
297 */ 298 */
298void key_fsgid_changed(struct task_struct *tsk) 299void key_fsgid_changed(struct task_struct *tsk)
299{ 300{
@@ -304,20 +305,33 @@ void key_fsgid_changed(struct task_struct *tsk)
304 tsk->cred->thread_keyring->gid = tsk->cred->fsgid; 305 tsk->cred->thread_keyring->gid = tsk->cred->fsgid;
305 up_write(&tsk->cred->thread_keyring->sem); 306 up_write(&tsk->cred->thread_keyring->sem);
306 } 307 }
308}
307 309
308} /* end key_fsgid_changed() */
309
310/*****************************************************************************/
311/* 310/*
312 * search only my process keyrings for the first matching key 311 * Search the process keyrings attached to the supplied cred for the first
313 * - we use the supplied match function to see if the description (or other 312 * matching key.
314 * feature of interest) matches 313 *
315 * - we return -EAGAIN if we didn't find any matching key 314 * The search criteria are the type and the match function. The description is
316 * - we return -ENOKEY if we found only negative matching keys 315 * given to the match function as a parameter, but doesn't otherwise influence
316 * the search. Typically the match function will compare the description
317 * parameter to the key's description.
318 *
319 * This can only search keyrings that grant Search permission to the supplied
320 * credentials. Keyrings linked to searched keyrings will also be searched if
321 * they grant Search permission too. Keys can only be found if they grant
322 * Search permission to the credentials.
323 *
324 * Returns a pointer to the key with the key usage count incremented if
325 * successful, -EAGAIN if we didn't find any matching key or -ENOKEY if we only
326 * matched negative keys.
327 *
328 * In the case of a successful return, the possession attribute is set on the
329 * returned key reference.
317 */ 330 */
318key_ref_t search_my_process_keyrings(struct key_type *type, 331key_ref_t search_my_process_keyrings(struct key_type *type,
319 const void *description, 332 const void *description,
320 key_match_func_t match, 333 key_match_func_t match,
334 bool no_state_check,
321 const struct cred *cred) 335 const struct cred *cred)
322{ 336{
323 key_ref_t key_ref, ret, err; 337 key_ref_t key_ref, ret, err;
@@ -337,7 +351,7 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
337 if (cred->thread_keyring) { 351 if (cred->thread_keyring) {
338 key_ref = keyring_search_aux( 352 key_ref = keyring_search_aux(
339 make_key_ref(cred->thread_keyring, 1), 353 make_key_ref(cred->thread_keyring, 1),
340 cred, type, description, match); 354 cred, type, description, match, no_state_check);
341 if (!IS_ERR(key_ref)) 355 if (!IS_ERR(key_ref))
342 goto found; 356 goto found;
343 357
@@ -358,7 +372,7 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
358 if (cred->tgcred->process_keyring) { 372 if (cred->tgcred->process_keyring) {
359 key_ref = keyring_search_aux( 373 key_ref = keyring_search_aux(
360 make_key_ref(cred->tgcred->process_keyring, 1), 374 make_key_ref(cred->tgcred->process_keyring, 1),
361 cred, type, description, match); 375 cred, type, description, match, no_state_check);
362 if (!IS_ERR(key_ref)) 376 if (!IS_ERR(key_ref))
363 goto found; 377 goto found;
364 378
@@ -382,7 +396,7 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
382 make_key_ref(rcu_dereference( 396 make_key_ref(rcu_dereference(
383 cred->tgcred->session_keyring), 397 cred->tgcred->session_keyring),
384 1), 398 1),
385 cred, type, description, match); 399 cred, type, description, match, no_state_check);
386 rcu_read_unlock(); 400 rcu_read_unlock();
387 401
388 if (!IS_ERR(key_ref)) 402 if (!IS_ERR(key_ref))
@@ -404,7 +418,7 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
404 else if (cred->user->session_keyring) { 418 else if (cred->user->session_keyring) {
405 key_ref = keyring_search_aux( 419 key_ref = keyring_search_aux(
406 make_key_ref(cred->user->session_keyring, 1), 420 make_key_ref(cred->user->session_keyring, 1),
407 cred, type, description, match); 421 cred, type, description, match, no_state_check);
408 if (!IS_ERR(key_ref)) 422 if (!IS_ERR(key_ref))
409 goto found; 423 goto found;
410 424
@@ -428,13 +442,13 @@ found:
428 return key_ref; 442 return key_ref;
429} 443}
430 444
431/*****************************************************************************/
432/* 445/*
433 * search the process keyrings for the first matching key 446 * Search the process keyrings attached to the supplied cred for the first
434 * - we use the supplied match function to see if the description (or other 447 * matching key in the manner of search_my_process_keyrings(), but also search
435 * feature of interest) matches 448 * the keys attached to the assumed authorisation key using its credentials if
436 * - we return -EAGAIN if we didn't find any matching key 449 * one is available.
437 * - we return -ENOKEY if we found only negative matching keys 450 *
451 * Return same as search_my_process_keyrings().
438 */ 452 */
439key_ref_t search_process_keyrings(struct key_type *type, 453key_ref_t search_process_keyrings(struct key_type *type,
440 const void *description, 454 const void *description,
@@ -446,7 +460,8 @@ key_ref_t search_process_keyrings(struct key_type *type,
446 460
447 might_sleep(); 461 might_sleep();
448 462
449 key_ref = search_my_process_keyrings(type, description, match, cred); 463 key_ref = search_my_process_keyrings(type, description, match,
464 false, cred);
450 if (!IS_ERR(key_ref)) 465 if (!IS_ERR(key_ref))
451 goto found; 466 goto found;
452 err = key_ref; 467 err = key_ref;
@@ -489,24 +504,33 @@ key_ref_t search_process_keyrings(struct key_type *type,
489 504
490found: 505found:
491 return key_ref; 506 return key_ref;
507}
492 508
493} /* end search_process_keyrings() */
494
495/*****************************************************************************/
496/* 509/*
497 * see if the key we're looking at is the target key 510 * See if the key we're looking at is the target key.
498 */ 511 */
499int lookup_user_key_possessed(const struct key *key, const void *target) 512int lookup_user_key_possessed(const struct key *key, const void *target)
500{ 513{
501 return key == target; 514 return key == target;
515}
502 516
503} /* end lookup_user_key_possessed() */
504
505/*****************************************************************************/
506/* 517/*
507 * lookup a key given a key ID from userspace with a given permissions mask 518 * Look up a key ID given us by userspace with a given permissions mask to get
508 * - don't create special keyrings unless so requested 519 * the key it refers to.
509 * - partially constructed keys aren't found unless requested 520 *
521 * Flags can be passed to request that special keyrings be created if referred
522 * to directly, to permit partially constructed keys to be found and to skip
523 * validity and permission checks on the found key.
524 *
525 * Returns a pointer to the key with an incremented usage count if successful;
526 * -EINVAL if the key ID is invalid; -ENOKEY if the key ID does not correspond
527 * to a key or the best found key was a negative key; -EKEYREVOKED or
528 * -EKEYEXPIRED if the best found key was revoked or expired; -EACCES if the
529 * found key doesn't grant the requested permit or the LSM denied access to it;
530 * or -ENOMEM if a special keyring couldn't be created.
531 *
532 * In the case of a successful return, the possession attribute is set on the
533 * returned key reference.
510 */ 534 */
511key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, 535key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
512 key_perm_t perm) 536 key_perm_t perm)
@@ -711,15 +735,18 @@ invalid_key:
711reget_creds: 735reget_creds:
712 put_cred(cred); 736 put_cred(cred);
713 goto try_again; 737 goto try_again;
738}
714 739
715} /* end lookup_user_key() */
716
717/*****************************************************************************/
718/* 740/*
719 * join the named keyring as the session keyring if possible, or attempt to 741 * Join the named keyring as the session keyring if possible else attempt to
720 * create a new one of that name if not 742 * create a new one of that name and join that.
721 * - if the name is NULL, an empty anonymous keyring is installed instead 743 *
722 * - named session keyring joining is done with a semaphore held 744 * If the name is NULL, an empty anonymous keyring will be installed as the
745 * session keyring.
746 *
747 * Named session keyrings are joined with a semaphore held to prevent the
748 * keyrings from going away whilst the attempt is made to going them and also
749 * to prevent a race in creating compatible session keyrings.
723 */ 750 */
724long join_session_keyring(const char *name) 751long join_session_keyring(const char *name)
725{ 752{
@@ -791,8 +818,8 @@ error:
791} 818}
792 819
793/* 820/*
794 * Replace a process's session keyring when that process resumes userspace on 821 * Replace a process's session keyring on behalf of one of its children when
795 * behalf of one of its children 822 * the target process is about to resume userspace execution.
796 */ 823 */
797void key_replace_session_keyring(void) 824void key_replace_session_keyring(void)
798{ 825{
@@ -820,6 +847,7 @@ void key_replace_session_keyring(void)
820 new-> sgid = old-> sgid; 847 new-> sgid = old-> sgid;
821 new->fsgid = old->fsgid; 848 new->fsgid = old->fsgid;
822 new->user = get_uid(old->user); 849 new->user = get_uid(old->user);
850 new->user_ns = new->user->user_ns;
823 new->group_info = get_group_info(old->group_info); 851 new->group_info = get_group_info(old->group_info);
824 852
825 new->securebits = old->securebits; 853 new->securebits = old->securebits;
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index 0088dd8bf68a..82465328c39b 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -8,7 +8,7 @@
8 * as published by the Free Software Foundation; either version 8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version. 9 * 2 of the License, or (at your option) any later version.
10 * 10 *
11 * See Documentation/keys-request-key.txt 11 * See Documentation/security/keys-request-key.txt
12 */ 12 */
13 13
14#include <linux/module.h> 14#include <linux/module.h>
@@ -39,8 +39,14 @@ static int key_wait_bit_intr(void *flags)
39 return signal_pending(current) ? -ERESTARTSYS : 0; 39 return signal_pending(current) ? -ERESTARTSYS : 0;
40} 40}
41 41
42/* 42/**
43 * call to complete the construction of a key 43 * complete_request_key - Complete the construction of a key.
44 * @cons: The key construction record.
45 * @error: The success or failute of the construction.
46 *
47 * Complete the attempt to construct a key. The key will be negated
48 * if an error is indicated. The authorisation key will be revoked
49 * unconditionally.
44 */ 50 */
45void complete_request_key(struct key_construction *cons, int error) 51void complete_request_key(struct key_construction *cons, int error)
46{ 52{
@@ -58,23 +64,32 @@ void complete_request_key(struct key_construction *cons, int error)
58} 64}
59EXPORT_SYMBOL(complete_request_key); 65EXPORT_SYMBOL(complete_request_key);
60 66
61static int umh_keys_init(struct subprocess_info *info) 67/*
68 * Initialise a usermode helper that is going to have a specific session
69 * keyring.
70 *
71 * This is called in context of freshly forked kthread before kernel_execve(),
72 * so we can simply install the desired session_keyring at this point.
73 */
74static int umh_keys_init(struct subprocess_info *info, struct cred *cred)
62{ 75{
63 struct cred *cred = (struct cred*)current_cred();
64 struct key *keyring = info->data; 76 struct key *keyring = info->data;
65 /* 77
66 * This is called in context of freshly forked kthread before
67 * kernel_execve(), we can just change our ->session_keyring.
68 */
69 return install_session_keyring_to_cred(cred, keyring); 78 return install_session_keyring_to_cred(cred, keyring);
70} 79}
71 80
81/*
82 * Clean up a usermode helper with session keyring.
83 */
72static void umh_keys_cleanup(struct subprocess_info *info) 84static void umh_keys_cleanup(struct subprocess_info *info)
73{ 85{
74 struct key *keyring = info->data; 86 struct key *keyring = info->data;
75 key_put(keyring); 87 key_put(keyring);
76} 88}
77 89
90/*
91 * Call a usermode helper with a specific session keyring.
92 */
78static int call_usermodehelper_keys(char *path, char **argv, char **envp, 93static int call_usermodehelper_keys(char *path, char **argv, char **envp,
79 struct key *session_keyring, enum umh_wait wait) 94 struct key *session_keyring, enum umh_wait wait)
80{ 95{
@@ -91,7 +106,7 @@ static int call_usermodehelper_keys(char *path, char **argv, char **envp,
91} 106}
92 107
93/* 108/*
94 * request userspace finish the construction of a key 109 * Request userspace finish the construction of a key
95 * - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring>" 110 * - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring>"
96 */ 111 */
97static int call_sbin_request_key(struct key_construction *cons, 112static int call_sbin_request_key(struct key_construction *cons,
@@ -198,8 +213,9 @@ error_alloc:
198} 213}
199 214
200/* 215/*
201 * call out to userspace for key construction 216 * Call out to userspace for key construction.
202 * - we ignore program failure and go on key status instead 217 *
218 * Program failure is ignored in favour of key status.
203 */ 219 */
204static int construct_key(struct key *key, const void *callout_info, 220static int construct_key(struct key *key, const void *callout_info,
205 size_t callout_len, void *aux, 221 size_t callout_len, void *aux,
@@ -246,9 +262,10 @@ static int construct_key(struct key *key, const void *callout_info,
246} 262}
247 263
248/* 264/*
249 * get the appropriate destination keyring for the request 265 * Get the appropriate destination keyring for the request.
250 * - we return whatever keyring we select with an extra reference upon it which 266 *
251 * the caller must release 267 * The keyring selected is returned with an extra reference upon it which the
268 * caller must release.
252 */ 269 */
253static void construct_get_dest_keyring(struct key **_dest_keyring) 270static void construct_get_dest_keyring(struct key **_dest_keyring)
254{ 271{
@@ -321,9 +338,11 @@ static void construct_get_dest_keyring(struct key **_dest_keyring)
321} 338}
322 339
323/* 340/*
324 * allocate a new key in under-construction state and attempt to link it in to 341 * Allocate a new key in under-construction state and attempt to link it in to
325 * the requested place 342 * the requested keyring.
326 * - may return a key that's already under construction instead 343 *
344 * May return a key that's already under construction instead if there was a
345 * race between two thread calling request_key().
327 */ 346 */
328static int construct_alloc_key(struct key_type *type, 347static int construct_alloc_key(struct key_type *type,
329 const char *description, 348 const char *description,
@@ -332,8 +351,8 @@ static int construct_alloc_key(struct key_type *type,
332 struct key_user *user, 351 struct key_user *user,
333 struct key **_key) 352 struct key **_key)
334{ 353{
335 struct keyring_list *prealloc;
336 const struct cred *cred = current_cred(); 354 const struct cred *cred = current_cred();
355 unsigned long prealloc;
337 struct key *key; 356 struct key *key;
338 key_ref_t key_ref; 357 key_ref_t key_ref;
339 int ret; 358 int ret;
@@ -403,7 +422,6 @@ link_check_failed:
403 return ret; 422 return ret;
404 423
405link_prealloc_failed: 424link_prealloc_failed:
406 up_write(&dest_keyring->sem);
407 mutex_unlock(&user->cons_lock); 425 mutex_unlock(&user->cons_lock);
408 kleave(" = %d [prelink]", ret); 426 kleave(" = %d [prelink]", ret);
409 return ret; 427 return ret;
@@ -415,7 +433,7 @@ alloc_failed:
415} 433}
416 434
417/* 435/*
418 * commence key construction 436 * Commence key construction.
419 */ 437 */
420static struct key *construct_key_and_link(struct key_type *type, 438static struct key *construct_key_and_link(struct key_type *type,
421 const char *description, 439 const char *description,
@@ -451,7 +469,7 @@ static struct key *construct_key_and_link(struct key_type *type,
451 } else if (ret == -EINPROGRESS) { 469 } else if (ret == -EINPROGRESS) {
452 ret = 0; 470 ret = 0;
453 } else { 471 } else {
454 key = ERR_PTR(ret); 472 goto couldnt_alloc_key;
455 } 473 }
456 474
457 key_put(dest_keyring); 475 key_put(dest_keyring);
@@ -461,17 +479,38 @@ static struct key *construct_key_and_link(struct key_type *type,
461construction_failed: 479construction_failed:
462 key_negate_and_link(key, key_negative_timeout, NULL, NULL); 480 key_negate_and_link(key, key_negative_timeout, NULL, NULL);
463 key_put(key); 481 key_put(key);
482couldnt_alloc_key:
464 key_put(dest_keyring); 483 key_put(dest_keyring);
465 kleave(" = %d", ret); 484 kleave(" = %d", ret);
466 return ERR_PTR(ret); 485 return ERR_PTR(ret);
467} 486}
468 487
469/* 488/**
470 * request a key 489 * request_key_and_link - Request a key and cache it in a keyring.
471 * - search the process's keyrings 490 * @type: The type of key we want.
472 * - check the list of keys being created or updated 491 * @description: The searchable description of the key.
473 * - call out to userspace for a key if supplementary info was provided 492 * @callout_info: The data to pass to the instantiation upcall (or NULL).
474 * - cache the key in an appropriate keyring 493 * @callout_len: The length of callout_info.
494 * @aux: Auxiliary data for the upcall.
495 * @dest_keyring: Where to cache the key.
496 * @flags: Flags to key_alloc().
497 *
498 * A key matching the specified criteria is searched for in the process's
499 * keyrings and returned with its usage count incremented if found. Otherwise,
500 * if callout_info is not NULL, a key will be allocated and some service
501 * (probably in userspace) will be asked to instantiate it.
502 *
503 * If successfully found or created, the key will be linked to the destination
504 * keyring if one is provided.
505 *
506 * Returns a pointer to the key if successful; -EACCES, -ENOKEY, -EKEYREVOKED
507 * or -EKEYEXPIRED if an inaccessible, negative, revoked or expired key was
508 * found; -ENOKEY if no key was found and no @callout_info was given; -EDQUOT
509 * if insufficient key quota was available to create a new key; or -ENOMEM if
510 * insufficient memory was available.
511 *
512 * If the returned key was created, then it may still be under construction,
513 * and wait_for_key_construction() should be used to wait for that to complete.
475 */ 514 */
476struct key *request_key_and_link(struct key_type *type, 515struct key *request_key_and_link(struct key_type *type,
477 const char *description, 516 const char *description,
@@ -491,8 +530,7 @@ struct key *request_key_and_link(struct key_type *type,
491 dest_keyring, flags); 530 dest_keyring, flags);
492 531
493 /* search all the process keyrings for a key */ 532 /* search all the process keyrings for a key */
494 key_ref = search_process_keyrings(type, description, type->match, 533 key_ref = search_process_keyrings(type, description, type->match, cred);
495 cred);
496 534
497 if (!IS_ERR(key_ref)) { 535 if (!IS_ERR(key_ref)) {
498 key = key_ref_to_ptr(key_ref); 536 key = key_ref_to_ptr(key_ref);
@@ -525,8 +563,16 @@ error:
525 return key; 563 return key;
526} 564}
527 565
528/* 566/**
529 * wait for construction of a key to complete 567 * wait_for_key_construction - Wait for construction of a key to complete
568 * @key: The key being waited for.
569 * @intr: Whether to wait interruptibly.
570 *
571 * Wait for a key to finish being constructed.
572 *
573 * Returns 0 if successful; -ERESTARTSYS if the wait was interrupted; -ENOKEY
574 * if the key was negated; or -EKEYREVOKED or -EKEYEXPIRED if the key was
575 * revoked or expired.
530 */ 576 */
531int wait_for_key_construction(struct key *key, bool intr) 577int wait_for_key_construction(struct key *key, bool intr)
532{ 578{
@@ -538,17 +584,24 @@ int wait_for_key_construction(struct key *key, bool intr)
538 if (ret < 0) 584 if (ret < 0)
539 return ret; 585 return ret;
540 if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) 586 if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
541 return -ENOKEY; 587 return key->type_data.reject_error;
542 return key_validate(key); 588 return key_validate(key);
543} 589}
544EXPORT_SYMBOL(wait_for_key_construction); 590EXPORT_SYMBOL(wait_for_key_construction);
545 591
546/* 592/**
547 * request a key 593 * request_key - Request a key and wait for construction
548 * - search the process's keyrings 594 * @type: Type of key.
549 * - check the list of keys being created or updated 595 * @description: The searchable description of the key.
550 * - call out to userspace for a key if supplementary info was provided 596 * @callout_info: The data to pass to the instantiation upcall (or NULL).
551 * - waits uninterruptible for creation to complete 597 *
598 * As for request_key_and_link() except that it does not add the returned key
599 * to a keyring if found, new keys are always allocated in the user's quota,
600 * the callout_info must be a NUL-terminated string and no auxiliary data can
601 * be passed.
602 *
603 * Furthermore, it then works as wait_for_key_construction() to wait for the
604 * completion of keys undergoing construction with a non-interruptible wait.
552 */ 605 */
553struct key *request_key(struct key_type *type, 606struct key *request_key(struct key_type *type,
554 const char *description, 607 const char *description,
@@ -573,12 +626,19 @@ struct key *request_key(struct key_type *type,
573} 626}
574EXPORT_SYMBOL(request_key); 627EXPORT_SYMBOL(request_key);
575 628
576/* 629/**
577 * request a key with auxiliary data for the upcaller 630 * request_key_with_auxdata - Request a key with auxiliary data for the upcaller
578 * - search the process's keyrings 631 * @type: The type of key we want.
579 * - check the list of keys being created or updated 632 * @description: The searchable description of the key.
580 * - call out to userspace for a key if supplementary info was provided 633 * @callout_info: The data to pass to the instantiation upcall (or NULL).
581 * - waits uninterruptible for creation to complete 634 * @callout_len: The length of callout_info.
635 * @aux: Auxiliary data for the upcall.
636 *
637 * As for request_key_and_link() except that it does not add the returned key
638 * to a keyring if found and new keys are always allocated in the user's quota.
639 *
640 * Furthermore, it then works as wait_for_key_construction() to wait for the
641 * completion of keys undergoing construction with a non-interruptible wait.
582 */ 642 */
583struct key *request_key_with_auxdata(struct key_type *type, 643struct key *request_key_with_auxdata(struct key_type *type,
584 const char *description, 644 const char *description,
@@ -603,10 +663,18 @@ struct key *request_key_with_auxdata(struct key_type *type,
603EXPORT_SYMBOL(request_key_with_auxdata); 663EXPORT_SYMBOL(request_key_with_auxdata);
604 664
605/* 665/*
606 * request a key (allow async construction) 666 * request_key_async - Request a key (allow async construction)
607 * - search the process's keyrings 667 * @type: Type of key.
608 * - check the list of keys being created or updated 668 * @description: The searchable description of the key.
609 * - call out to userspace for a key if supplementary info was provided 669 * @callout_info: The data to pass to the instantiation upcall (or NULL).
670 * @callout_len: The length of callout_info.
671 *
672 * As for request_key_and_link() except that it does not add the returned key
673 * to a keyring if found, new keys are always allocated in the user's quota and
674 * no auxiliary data can be passed.
675 *
676 * The caller should call wait_for_key_construction() to wait for the
677 * completion of the returned key if it is still undergoing construction.
610 */ 678 */
611struct key *request_key_async(struct key_type *type, 679struct key *request_key_async(struct key_type *type,
612 const char *description, 680 const char *description,
@@ -621,9 +689,17 @@ EXPORT_SYMBOL(request_key_async);
621 689
622/* 690/*
623 * request a key with auxiliary data for the upcaller (allow async construction) 691 * request a key with auxiliary data for the upcaller (allow async construction)
624 * - search the process's keyrings 692 * @type: Type of key.
625 * - check the list of keys being created or updated 693 * @description: The searchable description of the key.
626 * - call out to userspace for a key if supplementary info was provided 694 * @callout_info: The data to pass to the instantiation upcall (or NULL).
695 * @callout_len: The length of callout_info.
696 * @aux: Auxiliary data for the upcall.
697 *
698 * As for request_key_and_link() except that it does not add the returned key
699 * to a keyring if found and new keys are always allocated in the user's quota.
700 *
701 * The caller should call wait_for_key_construction() to wait for the
702 * completion of the returned key if it is still undergoing construction.
627 */ 703 */
628struct key *request_key_async_with_auxdata(struct key_type *type, 704struct key *request_key_async_with_auxdata(struct key_type *type,
629 const char *description, 705 const char *description,
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index 86747151ee5b..6cff37529b80 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -1,4 +1,4 @@
1/* request_key_auth.c: request key authorisation controlling key def 1/* Request key authorisation token key definition.
2 * 2 *
3 * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved. 3 * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com) 4 * Written by David Howells (dhowells@redhat.com)
@@ -8,7 +8,7 @@
8 * as published by the Free Software Foundation; either version 8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version. 9 * 2 of the License, or (at your option) any later version.
10 * 10 *
11 * See Documentation/keys-request-key.txt 11 * See Documentation/security/keys-request-key.txt
12 */ 12 */
13 13
14#include <linux/module.h> 14#include <linux/module.h>
@@ -26,7 +26,7 @@ static void request_key_auth_destroy(struct key *);
26static long request_key_auth_read(const struct key *, char __user *, size_t); 26static long request_key_auth_read(const struct key *, char __user *, size_t);
27 27
28/* 28/*
29 * the request-key authorisation key type definition 29 * The request-key authorisation key type definition.
30 */ 30 */
31struct key_type key_type_request_key_auth = { 31struct key_type key_type_request_key_auth = {
32 .name = ".request_key_auth", 32 .name = ".request_key_auth",
@@ -38,9 +38,8 @@ struct key_type key_type_request_key_auth = {
38 .read = request_key_auth_read, 38 .read = request_key_auth_read,
39}; 39};
40 40
41/*****************************************************************************/
42/* 41/*
43 * instantiate a request-key authorisation key 42 * Instantiate a request-key authorisation key.
44 */ 43 */
45static int request_key_auth_instantiate(struct key *key, 44static int request_key_auth_instantiate(struct key *key,
46 const void *data, 45 const void *data,
@@ -48,12 +47,10 @@ static int request_key_auth_instantiate(struct key *key,
48{ 47{
49 key->payload.data = (struct request_key_auth *) data; 48 key->payload.data = (struct request_key_auth *) data;
50 return 0; 49 return 0;
50}
51 51
52} /* end request_key_auth_instantiate() */
53
54/*****************************************************************************/
55/* 52/*
56 * reading a request-key authorisation key retrieves the callout information 53 * Describe an authorisation token.
57 */ 54 */
58static void request_key_auth_describe(const struct key *key, 55static void request_key_auth_describe(const struct key *key,
59 struct seq_file *m) 56 struct seq_file *m)
@@ -62,13 +59,12 @@ static void request_key_auth_describe(const struct key *key,
62 59
63 seq_puts(m, "key:"); 60 seq_puts(m, "key:");
64 seq_puts(m, key->description); 61 seq_puts(m, key->description);
65 seq_printf(m, " pid:%d ci:%zu", rka->pid, rka->callout_len); 62 if (key_is_instantiated(key))
66 63 seq_printf(m, " pid:%d ci:%zu", rka->pid, rka->callout_len);
67} /* end request_key_auth_describe() */ 64}
68 65
69/*****************************************************************************/
70/* 66/*
71 * read the callout_info data 67 * Read the callout_info data (retrieves the callout information).
72 * - the key's semaphore is read-locked 68 * - the key's semaphore is read-locked
73 */ 69 */
74static long request_key_auth_read(const struct key *key, 70static long request_key_auth_read(const struct key *key,
@@ -91,13 +87,12 @@ static long request_key_auth_read(const struct key *key,
91 } 87 }
92 88
93 return ret; 89 return ret;
90}
94 91
95} /* end request_key_auth_read() */
96
97/*****************************************************************************/
98/* 92/*
99 * handle revocation of an authorisation token key 93 * Handle revocation of an authorisation token key.
100 * - called with the key sem write-locked 94 *
95 * Called with the key sem write-locked.
101 */ 96 */
102static void request_key_auth_revoke(struct key *key) 97static void request_key_auth_revoke(struct key *key)
103{ 98{
@@ -109,12 +104,10 @@ static void request_key_auth_revoke(struct key *key)
109 put_cred(rka->cred); 104 put_cred(rka->cred);
110 rka->cred = NULL; 105 rka->cred = NULL;
111 } 106 }
107}
112 108
113} /* end request_key_auth_revoke() */
114
115/*****************************************************************************/
116/* 109/*
117 * destroy an instantiation authorisation token key 110 * Destroy an instantiation authorisation token key.
118 */ 111 */
119static void request_key_auth_destroy(struct key *key) 112static void request_key_auth_destroy(struct key *key)
120{ 113{
@@ -131,13 +124,11 @@ static void request_key_auth_destroy(struct key *key)
131 key_put(rka->dest_keyring); 124 key_put(rka->dest_keyring);
132 kfree(rka->callout_info); 125 kfree(rka->callout_info);
133 kfree(rka); 126 kfree(rka);
127}
134 128
135} /* end request_key_auth_destroy() */
136
137/*****************************************************************************/
138/* 129/*
139 * create an authorisation token for /sbin/request-key or whoever to gain 130 * Create an authorisation token for /sbin/request-key or whoever to gain
140 * access to the caller's security data 131 * access to the caller's security data.
141 */ 132 */
142struct key *request_key_auth_new(struct key *target, const void *callout_info, 133struct key *request_key_auth_new(struct key *target, const void *callout_info,
143 size_t callout_len, struct key *dest_keyring) 134 size_t callout_len, struct key *dest_keyring)
@@ -228,12 +219,10 @@ error_alloc:
228 kfree(rka); 219 kfree(rka);
229 kleave("= %d", ret); 220 kleave("= %d", ret);
230 return ERR_PTR(ret); 221 return ERR_PTR(ret);
222}
231 223
232} /* end request_key_auth_new() */
233
234/*****************************************************************************/
235/* 224/*
236 * see if an authorisation key is associated with a particular key 225 * See if an authorisation key is associated with a particular key.
237 */ 226 */
238static int key_get_instantiation_authkey_match(const struct key *key, 227static int key_get_instantiation_authkey_match(const struct key *key,
239 const void *_id) 228 const void *_id)
@@ -242,16 +231,11 @@ static int key_get_instantiation_authkey_match(const struct key *key,
242 key_serial_t id = (key_serial_t)(unsigned long) _id; 231 key_serial_t id = (key_serial_t)(unsigned long) _id;
243 232
244 return rka->target_key->serial == id; 233 return rka->target_key->serial == id;
234}
245 235
246} /* end key_get_instantiation_authkey_match() */
247
248/*****************************************************************************/
249/* 236/*
250 * get the authorisation key for instantiation of a specific key if attached to 237 * Search the current process's keyrings for the authorisation key for
251 * the current process's keyrings 238 * instantiation of a key.
252 * - this key is inserted into a keyring and that is set as /sbin/request-key's
253 * session keyring
254 * - a target_id of zero specifies any valid token
255 */ 239 */
256struct key *key_get_instantiation_authkey(key_serial_t target_id) 240struct key *key_get_instantiation_authkey(key_serial_t target_id)
257{ 241{
@@ -278,5 +262,4 @@ struct key *key_get_instantiation_authkey(key_serial_t target_id)
278 262
279error: 263error:
280 return authkey; 264 return authkey;
281 265}
282} /* end key_get_instantiation_authkey() */
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
new file mode 100644
index 000000000000..0c33e2ea1f3c
--- /dev/null
+++ b/security/keys/trusted.c
@@ -0,0 +1,1180 @@
1/*
2 * Copyright (C) 2010 IBM Corporation
3 *
4 * Author:
5 * David Safford <safford@us.ibm.com>
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, version 2 of the License.
10 *
11 * See Documentation/security/keys-trusted-encrypted.txt
12 */
13
14#include <linux/uaccess.h>
15#include <linux/module.h>
16#include <linux/init.h>
17#include <linux/slab.h>
18#include <linux/parser.h>
19#include <linux/string.h>
20#include <linux/err.h>
21#include <keys/user-type.h>
22#include <keys/trusted-type.h>
23#include <linux/key-type.h>
24#include <linux/rcupdate.h>
25#include <linux/crypto.h>
26#include <crypto/hash.h>
27#include <crypto/sha.h>
28#include <linux/capability.h>
29#include <linux/tpm.h>
30#include <linux/tpm_command.h>
31
32#include "trusted.h"
33
34static const char hmac_alg[] = "hmac(sha1)";
35static const char hash_alg[] = "sha1";
36
37struct sdesc {
38 struct shash_desc shash;
39 char ctx[];
40};
41
42static struct crypto_shash *hashalg;
43static struct crypto_shash *hmacalg;
44
45static struct sdesc *init_sdesc(struct crypto_shash *alg)
46{
47 struct sdesc *sdesc;
48 int size;
49
50 size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
51 sdesc = kmalloc(size, GFP_KERNEL);
52 if (!sdesc)
53 return ERR_PTR(-ENOMEM);
54 sdesc->shash.tfm = alg;
55 sdesc->shash.flags = 0x0;
56 return sdesc;
57}
58
59static int TSS_sha1(const unsigned char *data, unsigned int datalen,
60 unsigned char *digest)
61{
62 struct sdesc *sdesc;
63 int ret;
64
65 sdesc = init_sdesc(hashalg);
66 if (IS_ERR(sdesc)) {
67 pr_info("trusted_key: can't alloc %s\n", hash_alg);
68 return PTR_ERR(sdesc);
69 }
70
71 ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest);
72 kfree(sdesc);
73 return ret;
74}
75
76static int TSS_rawhmac(unsigned char *digest, const unsigned char *key,
77 unsigned int keylen, ...)
78{
79 struct sdesc *sdesc;
80 va_list argp;
81 unsigned int dlen;
82 unsigned char *data;
83 int ret;
84
85 sdesc = init_sdesc(hmacalg);
86 if (IS_ERR(sdesc)) {
87 pr_info("trusted_key: can't alloc %s\n", hmac_alg);
88 return PTR_ERR(sdesc);
89 }
90
91 ret = crypto_shash_setkey(hmacalg, key, keylen);
92 if (ret < 0)
93 goto out;
94 ret = crypto_shash_init(&sdesc->shash);
95 if (ret < 0)
96 goto out;
97
98 va_start(argp, keylen);
99 for (;;) {
100 dlen = va_arg(argp, unsigned int);
101 if (dlen == 0)
102 break;
103 data = va_arg(argp, unsigned char *);
104 if (data == NULL) {
105 ret = -EINVAL;
106 break;
107 }
108 ret = crypto_shash_update(&sdesc->shash, data, dlen);
109 if (ret < 0)
110 break;
111 }
112 va_end(argp);
113 if (!ret)
114 ret = crypto_shash_final(&sdesc->shash, digest);
115out:
116 kfree(sdesc);
117 return ret;
118}
119
120/*
121 * calculate authorization info fields to send to TPM
122 */
123static int TSS_authhmac(unsigned char *digest, const unsigned char *key,
124 unsigned int keylen, unsigned char *h1,
125 unsigned char *h2, unsigned char h3, ...)
126{
127 unsigned char paramdigest[SHA1_DIGEST_SIZE];
128 struct sdesc *sdesc;
129 unsigned int dlen;
130 unsigned char *data;
131 unsigned char c;
132 int ret;
133 va_list argp;
134
135 sdesc = init_sdesc(hashalg);
136 if (IS_ERR(sdesc)) {
137 pr_info("trusted_key: can't alloc %s\n", hash_alg);
138 return PTR_ERR(sdesc);
139 }
140
141 c = h3;
142 ret = crypto_shash_init(&sdesc->shash);
143 if (ret < 0)
144 goto out;
145 va_start(argp, h3);
146 for (;;) {
147 dlen = va_arg(argp, unsigned int);
148 if (dlen == 0)
149 break;
150 data = va_arg(argp, unsigned char *);
151 if (!data) {
152 ret = -EINVAL;
153 break;
154 }
155 ret = crypto_shash_update(&sdesc->shash, data, dlen);
156 if (ret < 0)
157 break;
158 }
159 va_end(argp);
160 if (!ret)
161 ret = crypto_shash_final(&sdesc->shash, paramdigest);
162 if (!ret)
163 ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE,
164 paramdigest, TPM_NONCE_SIZE, h1,
165 TPM_NONCE_SIZE, h2, 1, &c, 0, 0);
166out:
167 kfree(sdesc);
168 return ret;
169}
170
171/*
172 * verify the AUTH1_COMMAND (Seal) result from TPM
173 */
174static int TSS_checkhmac1(unsigned char *buffer,
175 const uint32_t command,
176 const unsigned char *ononce,
177 const unsigned char *key,
178 unsigned int keylen, ...)
179{
180 uint32_t bufsize;
181 uint16_t tag;
182 uint32_t ordinal;
183 uint32_t result;
184 unsigned char *enonce;
185 unsigned char *continueflag;
186 unsigned char *authdata;
187 unsigned char testhmac[SHA1_DIGEST_SIZE];
188 unsigned char paramdigest[SHA1_DIGEST_SIZE];
189 struct sdesc *sdesc;
190 unsigned int dlen;
191 unsigned int dpos;
192 va_list argp;
193 int ret;
194
195 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
196 tag = LOAD16(buffer, 0);
197 ordinal = command;
198 result = LOAD32N(buffer, TPM_RETURN_OFFSET);
199 if (tag == TPM_TAG_RSP_COMMAND)
200 return 0;
201 if (tag != TPM_TAG_RSP_AUTH1_COMMAND)
202 return -EINVAL;
203 authdata = buffer + bufsize - SHA1_DIGEST_SIZE;
204 continueflag = authdata - 1;
205 enonce = continueflag - TPM_NONCE_SIZE;
206
207 sdesc = init_sdesc(hashalg);
208 if (IS_ERR(sdesc)) {
209 pr_info("trusted_key: can't alloc %s\n", hash_alg);
210 return PTR_ERR(sdesc);
211 }
212 ret = crypto_shash_init(&sdesc->shash);
213 if (ret < 0)
214 goto out;
215 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
216 sizeof result);
217 if (ret < 0)
218 goto out;
219 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
220 sizeof ordinal);
221 if (ret < 0)
222 goto out;
223 va_start(argp, keylen);
224 for (;;) {
225 dlen = va_arg(argp, unsigned int);
226 if (dlen == 0)
227 break;
228 dpos = va_arg(argp, unsigned int);
229 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
230 if (ret < 0)
231 break;
232 }
233 va_end(argp);
234 if (!ret)
235 ret = crypto_shash_final(&sdesc->shash, paramdigest);
236 if (ret < 0)
237 goto out;
238
239 ret = TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest,
240 TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce,
241 1, continueflag, 0, 0);
242 if (ret < 0)
243 goto out;
244
245 if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
246 ret = -EINVAL;
247out:
248 kfree(sdesc);
249 return ret;
250}
251
252/*
253 * verify the AUTH2_COMMAND (unseal) result from TPM
254 */
255static int TSS_checkhmac2(unsigned char *buffer,
256 const uint32_t command,
257 const unsigned char *ononce,
258 const unsigned char *key1,
259 unsigned int keylen1,
260 const unsigned char *key2,
261 unsigned int keylen2, ...)
262{
263 uint32_t bufsize;
264 uint16_t tag;
265 uint32_t ordinal;
266 uint32_t result;
267 unsigned char *enonce1;
268 unsigned char *continueflag1;
269 unsigned char *authdata1;
270 unsigned char *enonce2;
271 unsigned char *continueflag2;
272 unsigned char *authdata2;
273 unsigned char testhmac1[SHA1_DIGEST_SIZE];
274 unsigned char testhmac2[SHA1_DIGEST_SIZE];
275 unsigned char paramdigest[SHA1_DIGEST_SIZE];
276 struct sdesc *sdesc;
277 unsigned int dlen;
278 unsigned int dpos;
279 va_list argp;
280 int ret;
281
282 bufsize = LOAD32(buffer, TPM_SIZE_OFFSET);
283 tag = LOAD16(buffer, 0);
284 ordinal = command;
285 result = LOAD32N(buffer, TPM_RETURN_OFFSET);
286
287 if (tag == TPM_TAG_RSP_COMMAND)
288 return 0;
289 if (tag != TPM_TAG_RSP_AUTH2_COMMAND)
290 return -EINVAL;
291 authdata1 = buffer + bufsize - (SHA1_DIGEST_SIZE + 1
292 + SHA1_DIGEST_SIZE + SHA1_DIGEST_SIZE);
293 authdata2 = buffer + bufsize - (SHA1_DIGEST_SIZE);
294 continueflag1 = authdata1 - 1;
295 continueflag2 = authdata2 - 1;
296 enonce1 = continueflag1 - TPM_NONCE_SIZE;
297 enonce2 = continueflag2 - TPM_NONCE_SIZE;
298
299 sdesc = init_sdesc(hashalg);
300 if (IS_ERR(sdesc)) {
301 pr_info("trusted_key: can't alloc %s\n", hash_alg);
302 return PTR_ERR(sdesc);
303 }
304 ret = crypto_shash_init(&sdesc->shash);
305 if (ret < 0)
306 goto out;
307 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&result,
308 sizeof result);
309 if (ret < 0)
310 goto out;
311 ret = crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal,
312 sizeof ordinal);
313 if (ret < 0)
314 goto out;
315
316 va_start(argp, keylen2);
317 for (;;) {
318 dlen = va_arg(argp, unsigned int);
319 if (dlen == 0)
320 break;
321 dpos = va_arg(argp, unsigned int);
322 ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
323 if (ret < 0)
324 break;
325 }
326 va_end(argp);
327 if (!ret)
328 ret = crypto_shash_final(&sdesc->shash, paramdigest);
329 if (ret < 0)
330 goto out;
331
332 ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE,
333 paramdigest, TPM_NONCE_SIZE, enonce1,
334 TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0);
335 if (ret < 0)
336 goto out;
337 if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
338 ret = -EINVAL;
339 goto out;
340 }
341 ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE,
342 paramdigest, TPM_NONCE_SIZE, enonce2,
343 TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0);
344 if (ret < 0)
345 goto out;
346 if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
347 ret = -EINVAL;
348out:
349 kfree(sdesc);
350 return ret;
351}
352
353/*
354 * For key specific tpm requests, we will generate and send our
355 * own TPM command packets using the drivers send function.
356 */
357static int trusted_tpm_send(const u32 chip_num, unsigned char *cmd,
358 size_t buflen)
359{
360 int rc;
361
362 dump_tpm_buf(cmd);
363 rc = tpm_send(chip_num, cmd, buflen);
364 dump_tpm_buf(cmd);
365 if (rc > 0)
366 /* Can't return positive return codes values to keyctl */
367 rc = -EPERM;
368 return rc;
369}
370
371/*
372 * get a random value from TPM
373 */
374static int tpm_get_random(struct tpm_buf *tb, unsigned char *buf, uint32_t len)
375{
376 int ret;
377
378 INIT_BUF(tb);
379 store16(tb, TPM_TAG_RQU_COMMAND);
380 store32(tb, TPM_GETRANDOM_SIZE);
381 store32(tb, TPM_ORD_GETRANDOM);
382 store32(tb, len);
383 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, sizeof tb->data);
384 if (!ret)
385 memcpy(buf, tb->data + TPM_GETRANDOM_SIZE, len);
386 return ret;
387}
388
389static int my_get_random(unsigned char *buf, int len)
390{
391 struct tpm_buf *tb;
392 int ret;
393
394 tb = kmalloc(sizeof *tb, GFP_KERNEL);
395 if (!tb)
396 return -ENOMEM;
397 ret = tpm_get_random(tb, buf, len);
398
399 kfree(tb);
400 return ret;
401}
402
403/*
404 * Lock a trusted key, by extending a selected PCR.
405 *
406 * Prevents a trusted key that is sealed to PCRs from being accessed.
407 * This uses the tpm driver's extend function.
408 */
409static int pcrlock(const int pcrnum)
410{
411 unsigned char hash[SHA1_DIGEST_SIZE];
412 int ret;
413
414 if (!capable(CAP_SYS_ADMIN))
415 return -EPERM;
416 ret = my_get_random(hash, SHA1_DIGEST_SIZE);
417 if (ret < 0)
418 return ret;
419 return tpm_pcr_extend(TPM_ANY_NUM, pcrnum, hash) ? -EINVAL : 0;
420}
421
422/*
423 * Create an object specific authorisation protocol (OSAP) session
424 */
425static int osap(struct tpm_buf *tb, struct osapsess *s,
426 const unsigned char *key, uint16_t type, uint32_t handle)
427{
428 unsigned char enonce[TPM_NONCE_SIZE];
429 unsigned char ononce[TPM_NONCE_SIZE];
430 int ret;
431
432 ret = tpm_get_random(tb, ononce, TPM_NONCE_SIZE);
433 if (ret < 0)
434 return ret;
435
436 INIT_BUF(tb);
437 store16(tb, TPM_TAG_RQU_COMMAND);
438 store32(tb, TPM_OSAP_SIZE);
439 store32(tb, TPM_ORD_OSAP);
440 store16(tb, type);
441 store32(tb, handle);
442 storebytes(tb, ononce, TPM_NONCE_SIZE);
443
444 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
445 if (ret < 0)
446 return ret;
447
448 s->handle = LOAD32(tb->data, TPM_DATA_OFFSET);
449 memcpy(s->enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)]),
450 TPM_NONCE_SIZE);
451 memcpy(enonce, &(tb->data[TPM_DATA_OFFSET + sizeof(uint32_t) +
452 TPM_NONCE_SIZE]), TPM_NONCE_SIZE);
453 return TSS_rawhmac(s->secret, key, SHA1_DIGEST_SIZE, TPM_NONCE_SIZE,
454 enonce, TPM_NONCE_SIZE, ononce, 0, 0);
455}
456
457/*
458 * Create an object independent authorisation protocol (oiap) session
459 */
460static int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce)
461{
462 int ret;
463
464 INIT_BUF(tb);
465 store16(tb, TPM_TAG_RQU_COMMAND);
466 store32(tb, TPM_OIAP_SIZE);
467 store32(tb, TPM_ORD_OIAP);
468 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
469 if (ret < 0)
470 return ret;
471
472 *handle = LOAD32(tb->data, TPM_DATA_OFFSET);
473 memcpy(nonce, &tb->data[TPM_DATA_OFFSET + sizeof(uint32_t)],
474 TPM_NONCE_SIZE);
475 return 0;
476}
477
478struct tpm_digests {
479 unsigned char encauth[SHA1_DIGEST_SIZE];
480 unsigned char pubauth[SHA1_DIGEST_SIZE];
481 unsigned char xorwork[SHA1_DIGEST_SIZE * 2];
482 unsigned char xorhash[SHA1_DIGEST_SIZE];
483 unsigned char nonceodd[TPM_NONCE_SIZE];
484};
485
486/*
487 * Have the TPM seal(encrypt) the trusted key, possibly based on
488 * Platform Configuration Registers (PCRs). AUTH1 for sealing key.
489 */
490static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
491 uint32_t keyhandle, const unsigned char *keyauth,
492 const unsigned char *data, uint32_t datalen,
493 unsigned char *blob, uint32_t *bloblen,
494 const unsigned char *blobauth,
495 const unsigned char *pcrinfo, uint32_t pcrinfosize)
496{
497 struct osapsess sess;
498 struct tpm_digests *td;
499 unsigned char cont;
500 uint32_t ordinal;
501 uint32_t pcrsize;
502 uint32_t datsize;
503 int sealinfosize;
504 int encdatasize;
505 int storedsize;
506 int ret;
507 int i;
508
509 /* alloc some work space for all the hashes */
510 td = kmalloc(sizeof *td, GFP_KERNEL);
511 if (!td)
512 return -ENOMEM;
513
514 /* get session for sealing key */
515 ret = osap(tb, &sess, keyauth, keytype, keyhandle);
516 if (ret < 0)
517 goto out;
518 dump_sess(&sess);
519
520 /* calculate encrypted authorization value */
521 memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE);
522 memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE);
523 ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash);
524 if (ret < 0)
525 goto out;
526
527 ret = tpm_get_random(tb, td->nonceodd, TPM_NONCE_SIZE);
528 if (ret < 0)
529 goto out;
530 ordinal = htonl(TPM_ORD_SEAL);
531 datsize = htonl(datalen);
532 pcrsize = htonl(pcrinfosize);
533 cont = 0;
534
535 /* encrypt data authorization key */
536 for (i = 0; i < SHA1_DIGEST_SIZE; ++i)
537 td->encauth[i] = td->xorhash[i] ^ blobauth[i];
538
539 /* calculate authorization HMAC value */
540 if (pcrinfosize == 0) {
541 /* no pcr info specified */
542 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
543 sess.enonce, td->nonceodd, cont,
544 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
545 td->encauth, sizeof(uint32_t), &pcrsize,
546 sizeof(uint32_t), &datsize, datalen, data, 0,
547 0);
548 } else {
549 /* pcr info specified */
550 ret = TSS_authhmac(td->pubauth, sess.secret, SHA1_DIGEST_SIZE,
551 sess.enonce, td->nonceodd, cont,
552 sizeof(uint32_t), &ordinal, SHA1_DIGEST_SIZE,
553 td->encauth, sizeof(uint32_t), &pcrsize,
554 pcrinfosize, pcrinfo, sizeof(uint32_t),
555 &datsize, datalen, data, 0, 0);
556 }
557 if (ret < 0)
558 goto out;
559
560 /* build and send the TPM request packet */
561 INIT_BUF(tb);
562 store16(tb, TPM_TAG_RQU_AUTH1_COMMAND);
563 store32(tb, TPM_SEAL_SIZE + pcrinfosize + datalen);
564 store32(tb, TPM_ORD_SEAL);
565 store32(tb, keyhandle);
566 storebytes(tb, td->encauth, SHA1_DIGEST_SIZE);
567 store32(tb, pcrinfosize);
568 storebytes(tb, pcrinfo, pcrinfosize);
569 store32(tb, datalen);
570 storebytes(tb, data, datalen);
571 store32(tb, sess.handle);
572 storebytes(tb, td->nonceodd, TPM_NONCE_SIZE);
573 store8(tb, cont);
574 storebytes(tb, td->pubauth, SHA1_DIGEST_SIZE);
575
576 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
577 if (ret < 0)
578 goto out;
579
580 /* calculate the size of the returned Blob */
581 sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t));
582 encdatasize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t) +
583 sizeof(uint32_t) + sealinfosize);
584 storedsize = sizeof(uint32_t) + sizeof(uint32_t) + sealinfosize +
585 sizeof(uint32_t) + encdatasize;
586
587 /* check the HMAC in the response */
588 ret = TSS_checkhmac1(tb->data, ordinal, td->nonceodd, sess.secret,
589 SHA1_DIGEST_SIZE, storedsize, TPM_DATA_OFFSET, 0,
590 0);
591
592 /* copy the returned blob to caller */
593 if (!ret) {
594 memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize);
595 *bloblen = storedsize;
596 }
597out:
598 kfree(td);
599 return ret;
600}
601
602/*
603 * use the AUTH2_COMMAND form of unseal, to authorize both key and blob
604 */
605static int tpm_unseal(struct tpm_buf *tb,
606 uint32_t keyhandle, const unsigned char *keyauth,
607 const unsigned char *blob, int bloblen,
608 const unsigned char *blobauth,
609 unsigned char *data, unsigned int *datalen)
610{
611 unsigned char nonceodd[TPM_NONCE_SIZE];
612 unsigned char enonce1[TPM_NONCE_SIZE];
613 unsigned char enonce2[TPM_NONCE_SIZE];
614 unsigned char authdata1[SHA1_DIGEST_SIZE];
615 unsigned char authdata2[SHA1_DIGEST_SIZE];
616 uint32_t authhandle1 = 0;
617 uint32_t authhandle2 = 0;
618 unsigned char cont = 0;
619 uint32_t ordinal;
620 uint32_t keyhndl;
621 int ret;
622
623 /* sessions for unsealing key and data */
624 ret = oiap(tb, &authhandle1, enonce1);
625 if (ret < 0) {
626 pr_info("trusted_key: oiap failed (%d)\n", ret);
627 return ret;
628 }
629 ret = oiap(tb, &authhandle2, enonce2);
630 if (ret < 0) {
631 pr_info("trusted_key: oiap failed (%d)\n", ret);
632 return ret;
633 }
634
635 ordinal = htonl(TPM_ORD_UNSEAL);
636 keyhndl = htonl(SRKHANDLE);
637 ret = tpm_get_random(tb, nonceodd, TPM_NONCE_SIZE);
638 if (ret < 0) {
639 pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
640 return ret;
641 }
642 ret = TSS_authhmac(authdata1, keyauth, TPM_NONCE_SIZE,
643 enonce1, nonceodd, cont, sizeof(uint32_t),
644 &ordinal, bloblen, blob, 0, 0);
645 if (ret < 0)
646 return ret;
647 ret = TSS_authhmac(authdata2, blobauth, TPM_NONCE_SIZE,
648 enonce2, nonceodd, cont, sizeof(uint32_t),
649 &ordinal, bloblen, blob, 0, 0);
650 if (ret < 0)
651 return ret;
652
653 /* build and send TPM request packet */
654 INIT_BUF(tb);
655 store16(tb, TPM_TAG_RQU_AUTH2_COMMAND);
656 store32(tb, TPM_UNSEAL_SIZE + bloblen);
657 store32(tb, TPM_ORD_UNSEAL);
658 store32(tb, keyhandle);
659 storebytes(tb, blob, bloblen);
660 store32(tb, authhandle1);
661 storebytes(tb, nonceodd, TPM_NONCE_SIZE);
662 store8(tb, cont);
663 storebytes(tb, authdata1, SHA1_DIGEST_SIZE);
664 store32(tb, authhandle2);
665 storebytes(tb, nonceodd, TPM_NONCE_SIZE);
666 store8(tb, cont);
667 storebytes(tb, authdata2, SHA1_DIGEST_SIZE);
668
669 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
670 if (ret < 0) {
671 pr_info("trusted_key: authhmac failed (%d)\n", ret);
672 return ret;
673 }
674
675 *datalen = LOAD32(tb->data, TPM_DATA_OFFSET);
676 ret = TSS_checkhmac2(tb->data, ordinal, nonceodd,
677 keyauth, SHA1_DIGEST_SIZE,
678 blobauth, SHA1_DIGEST_SIZE,
679 sizeof(uint32_t), TPM_DATA_OFFSET,
680 *datalen, TPM_DATA_OFFSET + sizeof(uint32_t), 0,
681 0);
682 if (ret < 0) {
683 pr_info("trusted_key: TSS_checkhmac2 failed (%d)\n", ret);
684 return ret;
685 }
686 memcpy(data, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t), *datalen);
687 return 0;
688}
689
690/*
691 * Have the TPM seal(encrypt) the symmetric key
692 */
693static int key_seal(struct trusted_key_payload *p,
694 struct trusted_key_options *o)
695{
696 struct tpm_buf *tb;
697 int ret;
698
699 tb = kzalloc(sizeof *tb, GFP_KERNEL);
700 if (!tb)
701 return -ENOMEM;
702
703 /* include migratable flag at end of sealed key */
704 p->key[p->key_len] = p->migratable;
705
706 ret = tpm_seal(tb, o->keytype, o->keyhandle, o->keyauth,
707 p->key, p->key_len + 1, p->blob, &p->blob_len,
708 o->blobauth, o->pcrinfo, o->pcrinfo_len);
709 if (ret < 0)
710 pr_info("trusted_key: srkseal failed (%d)\n", ret);
711
712 kfree(tb);
713 return ret;
714}
715
716/*
717 * Have the TPM unseal(decrypt) the symmetric key
718 */
719static int key_unseal(struct trusted_key_payload *p,
720 struct trusted_key_options *o)
721{
722 struct tpm_buf *tb;
723 int ret;
724
725 tb = kzalloc(sizeof *tb, GFP_KERNEL);
726 if (!tb)
727 return -ENOMEM;
728
729 ret = tpm_unseal(tb, o->keyhandle, o->keyauth, p->blob, p->blob_len,
730 o->blobauth, p->key, &p->key_len);
731 if (ret < 0)
732 pr_info("trusted_key: srkunseal failed (%d)\n", ret);
733 else
734 /* pull migratable flag out of sealed key */
735 p->migratable = p->key[--p->key_len];
736
737 kfree(tb);
738 return ret;
739}
740
741enum {
742 Opt_err = -1,
743 Opt_new, Opt_load, Opt_update,
744 Opt_keyhandle, Opt_keyauth, Opt_blobauth,
745 Opt_pcrinfo, Opt_pcrlock, Opt_migratable
746};
747
748static const match_table_t key_tokens = {
749 {Opt_new, "new"},
750 {Opt_load, "load"},
751 {Opt_update, "update"},
752 {Opt_keyhandle, "keyhandle=%s"},
753 {Opt_keyauth, "keyauth=%s"},
754 {Opt_blobauth, "blobauth=%s"},
755 {Opt_pcrinfo, "pcrinfo=%s"},
756 {Opt_pcrlock, "pcrlock=%s"},
757 {Opt_migratable, "migratable=%s"},
758 {Opt_err, NULL}
759};
760
761/* can have zero or more token= options */
762static int getoptions(char *c, struct trusted_key_payload *pay,
763 struct trusted_key_options *opt)
764{
765 substring_t args[MAX_OPT_ARGS];
766 char *p = c;
767 int token;
768 int res;
769 unsigned long handle;
770 unsigned long lock;
771
772 while ((p = strsep(&c, " \t"))) {
773 if (*p == '\0' || *p == ' ' || *p == '\t')
774 continue;
775 token = match_token(p, key_tokens, args);
776
777 switch (token) {
778 case Opt_pcrinfo:
779 opt->pcrinfo_len = strlen(args[0].from) / 2;
780 if (opt->pcrinfo_len > MAX_PCRINFO_SIZE)
781 return -EINVAL;
782 hex2bin(opt->pcrinfo, args[0].from, opt->pcrinfo_len);
783 break;
784 case Opt_keyhandle:
785 res = strict_strtoul(args[0].from, 16, &handle);
786 if (res < 0)
787 return -EINVAL;
788 opt->keytype = SEAL_keytype;
789 opt->keyhandle = handle;
790 break;
791 case Opt_keyauth:
792 if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
793 return -EINVAL;
794 hex2bin(opt->keyauth, args[0].from, SHA1_DIGEST_SIZE);
795 break;
796 case Opt_blobauth:
797 if (strlen(args[0].from) != 2 * SHA1_DIGEST_SIZE)
798 return -EINVAL;
799 hex2bin(opt->blobauth, args[0].from, SHA1_DIGEST_SIZE);
800 break;
801 case Opt_migratable:
802 if (*args[0].from == '0')
803 pay->migratable = 0;
804 else
805 return -EINVAL;
806 break;
807 case Opt_pcrlock:
808 res = strict_strtoul(args[0].from, 10, &lock);
809 if (res < 0)
810 return -EINVAL;
811 opt->pcrlock = lock;
812 break;
813 default:
814 return -EINVAL;
815 }
816 }
817 return 0;
818}
819
820/*
821 * datablob_parse - parse the keyctl data and fill in the
822 * payload and options structures
823 *
824 * On success returns 0, otherwise -EINVAL.
825 */
826static int datablob_parse(char *datablob, struct trusted_key_payload *p,
827 struct trusted_key_options *o)
828{
829 substring_t args[MAX_OPT_ARGS];
830 long keylen;
831 int ret = -EINVAL;
832 int key_cmd;
833 char *c;
834
835 /* main command */
836 c = strsep(&datablob, " \t");
837 if (!c)
838 return -EINVAL;
839 key_cmd = match_token(c, key_tokens, args);
840 switch (key_cmd) {
841 case Opt_new:
842 /* first argument is key size */
843 c = strsep(&datablob, " \t");
844 if (!c)
845 return -EINVAL;
846 ret = strict_strtol(c, 10, &keylen);
847 if (ret < 0 || keylen < MIN_KEY_SIZE || keylen > MAX_KEY_SIZE)
848 return -EINVAL;
849 p->key_len = keylen;
850 ret = getoptions(datablob, p, o);
851 if (ret < 0)
852 return ret;
853 ret = Opt_new;
854 break;
855 case Opt_load:
856 /* first argument is sealed blob */
857 c = strsep(&datablob, " \t");
858 if (!c)
859 return -EINVAL;
860 p->blob_len = strlen(c) / 2;
861 if (p->blob_len > MAX_BLOB_SIZE)
862 return -EINVAL;
863 hex2bin(p->blob, c, p->blob_len);
864 ret = getoptions(datablob, p, o);
865 if (ret < 0)
866 return ret;
867 ret = Opt_load;
868 break;
869 case Opt_update:
870 /* all arguments are options */
871 ret = getoptions(datablob, p, o);
872 if (ret < 0)
873 return ret;
874 ret = Opt_update;
875 break;
876 case Opt_err:
877 return -EINVAL;
878 break;
879 }
880 return ret;
881}
882
883static struct trusted_key_options *trusted_options_alloc(void)
884{
885 struct trusted_key_options *options;
886
887 options = kzalloc(sizeof *options, GFP_KERNEL);
888 if (options) {
889 /* set any non-zero defaults */
890 options->keytype = SRK_keytype;
891 options->keyhandle = SRKHANDLE;
892 }
893 return options;
894}
895
896static struct trusted_key_payload *trusted_payload_alloc(struct key *key)
897{
898 struct trusted_key_payload *p = NULL;
899 int ret;
900
901 ret = key_payload_reserve(key, sizeof *p);
902 if (ret < 0)
903 return p;
904 p = kzalloc(sizeof *p, GFP_KERNEL);
905 if (p)
906 p->migratable = 1; /* migratable by default */
907 return p;
908}
909
910/*
911 * trusted_instantiate - create a new trusted key
912 *
913 * Unseal an existing trusted blob or, for a new key, get a
914 * random key, then seal and create a trusted key-type key,
915 * adding it to the specified keyring.
916 *
917 * On success, return 0. Otherwise return errno.
918 */
919static int trusted_instantiate(struct key *key, const void *data,
920 size_t datalen)
921{
922 struct trusted_key_payload *payload = NULL;
923 struct trusted_key_options *options = NULL;
924 char *datablob;
925 int ret = 0;
926 int key_cmd;
927
928 if (datalen <= 0 || datalen > 32767 || !data)
929 return -EINVAL;
930
931 datablob = kmalloc(datalen + 1, GFP_KERNEL);
932 if (!datablob)
933 return -ENOMEM;
934 memcpy(datablob, data, datalen);
935 datablob[datalen] = '\0';
936
937 options = trusted_options_alloc();
938 if (!options) {
939 ret = -ENOMEM;
940 goto out;
941 }
942 payload = trusted_payload_alloc(key);
943 if (!payload) {
944 ret = -ENOMEM;
945 goto out;
946 }
947
948 key_cmd = datablob_parse(datablob, payload, options);
949 if (key_cmd < 0) {
950 ret = key_cmd;
951 goto out;
952 }
953
954 dump_payload(payload);
955 dump_options(options);
956
957 switch (key_cmd) {
958 case Opt_load:
959 ret = key_unseal(payload, options);
960 dump_payload(payload);
961 dump_options(options);
962 if (ret < 0)
963 pr_info("trusted_key: key_unseal failed (%d)\n", ret);
964 break;
965 case Opt_new:
966 ret = my_get_random(payload->key, payload->key_len);
967 if (ret < 0) {
968 pr_info("trusted_key: key_create failed (%d)\n", ret);
969 goto out;
970 }
971 ret = key_seal(payload, options);
972 if (ret < 0)
973 pr_info("trusted_key: key_seal failed (%d)\n", ret);
974 break;
975 default:
976 ret = -EINVAL;
977 goto out;
978 }
979 if (!ret && options->pcrlock)
980 ret = pcrlock(options->pcrlock);
981out:
982 kfree(datablob);
983 kfree(options);
984 if (!ret)
985 rcu_assign_pointer(key->payload.data, payload);
986 else
987 kfree(payload);
988 return ret;
989}
990
991static void trusted_rcu_free(struct rcu_head *rcu)
992{
993 struct trusted_key_payload *p;
994
995 p = container_of(rcu, struct trusted_key_payload, rcu);
996 memset(p->key, 0, p->key_len);
997 kfree(p);
998}
999
1000/*
1001 * trusted_update - reseal an existing key with new PCR values
1002 */
1003static int trusted_update(struct key *key, const void *data, size_t datalen)
1004{
1005 struct trusted_key_payload *p = key->payload.data;
1006 struct trusted_key_payload *new_p;
1007 struct trusted_key_options *new_o;
1008 char *datablob;
1009 int ret = 0;
1010
1011 if (!p->migratable)
1012 return -EPERM;
1013 if (datalen <= 0 || datalen > 32767 || !data)
1014 return -EINVAL;
1015
1016 datablob = kmalloc(datalen + 1, GFP_KERNEL);
1017 if (!datablob)
1018 return -ENOMEM;
1019 new_o = trusted_options_alloc();
1020 if (!new_o) {
1021 ret = -ENOMEM;
1022 goto out;
1023 }
1024 new_p = trusted_payload_alloc(key);
1025 if (!new_p) {
1026 ret = -ENOMEM;
1027 goto out;
1028 }
1029
1030 memcpy(datablob, data, datalen);
1031 datablob[datalen] = '\0';
1032 ret = datablob_parse(datablob, new_p, new_o);
1033 if (ret != Opt_update) {
1034 ret = -EINVAL;
1035 kfree(new_p);
1036 goto out;
1037 }
1038 /* copy old key values, and reseal with new pcrs */
1039 new_p->migratable = p->migratable;
1040 new_p->key_len = p->key_len;
1041 memcpy(new_p->key, p->key, p->key_len);
1042 dump_payload(p);
1043 dump_payload(new_p);
1044
1045 ret = key_seal(new_p, new_o);
1046 if (ret < 0) {
1047 pr_info("trusted_key: key_seal failed (%d)\n", ret);
1048 kfree(new_p);
1049 goto out;
1050 }
1051 if (new_o->pcrlock) {
1052 ret = pcrlock(new_o->pcrlock);
1053 if (ret < 0) {
1054 pr_info("trusted_key: pcrlock failed (%d)\n", ret);
1055 kfree(new_p);
1056 goto out;
1057 }
1058 }
1059 rcu_assign_pointer(key->payload.data, new_p);
1060 call_rcu(&p->rcu, trusted_rcu_free);
1061out:
1062 kfree(datablob);
1063 kfree(new_o);
1064 return ret;
1065}
1066
1067/*
1068 * trusted_read - copy the sealed blob data to userspace in hex.
1069 * On success, return to userspace the trusted key datablob size.
1070 */
1071static long trusted_read(const struct key *key, char __user *buffer,
1072 size_t buflen)
1073{
1074 struct trusted_key_payload *p;
1075 char *ascii_buf;
1076 char *bufp;
1077 int i;
1078
1079 p = rcu_dereference_key(key);
1080 if (!p)
1081 return -EINVAL;
1082 if (!buffer || buflen <= 0)
1083 return 2 * p->blob_len;
1084 ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL);
1085 if (!ascii_buf)
1086 return -ENOMEM;
1087
1088 bufp = ascii_buf;
1089 for (i = 0; i < p->blob_len; i++)
1090 bufp = pack_hex_byte(bufp, p->blob[i]);
1091 if ((copy_to_user(buffer, ascii_buf, 2 * p->blob_len)) != 0) {
1092 kfree(ascii_buf);
1093 return -EFAULT;
1094 }
1095 kfree(ascii_buf);
1096 return 2 * p->blob_len;
1097}
1098
1099/*
1100 * trusted_destroy - before freeing the key, clear the decrypted data
1101 */
1102static void trusted_destroy(struct key *key)
1103{
1104 struct trusted_key_payload *p = key->payload.data;
1105
1106 if (!p)
1107 return;
1108 memset(p->key, 0, p->key_len);
1109 kfree(key->payload.data);
1110}
1111
1112struct key_type key_type_trusted = {
1113 .name = "trusted",
1114 .instantiate = trusted_instantiate,
1115 .update = trusted_update,
1116 .match = user_match,
1117 .destroy = trusted_destroy,
1118 .describe = user_describe,
1119 .read = trusted_read,
1120};
1121
1122EXPORT_SYMBOL_GPL(key_type_trusted);
1123
1124static void trusted_shash_release(void)
1125{
1126 if (hashalg)
1127 crypto_free_shash(hashalg);
1128 if (hmacalg)
1129 crypto_free_shash(hmacalg);
1130}
1131
1132static int __init trusted_shash_alloc(void)
1133{
1134 int ret;
1135
1136 hmacalg = crypto_alloc_shash(hmac_alg, 0, CRYPTO_ALG_ASYNC);
1137 if (IS_ERR(hmacalg)) {
1138 pr_info("trusted_key: could not allocate crypto %s\n",
1139 hmac_alg);
1140 return PTR_ERR(hmacalg);
1141 }
1142
1143 hashalg = crypto_alloc_shash(hash_alg, 0, CRYPTO_ALG_ASYNC);
1144 if (IS_ERR(hashalg)) {
1145 pr_info("trusted_key: could not allocate crypto %s\n",
1146 hash_alg);
1147 ret = PTR_ERR(hashalg);
1148 goto hashalg_fail;
1149 }
1150
1151 return 0;
1152
1153hashalg_fail:
1154 crypto_free_shash(hmacalg);
1155 return ret;
1156}
1157
1158static int __init init_trusted(void)
1159{
1160 int ret;
1161
1162 ret = trusted_shash_alloc();
1163 if (ret < 0)
1164 return ret;
1165 ret = register_key_type(&key_type_trusted);
1166 if (ret < 0)
1167 trusted_shash_release();
1168 return ret;
1169}
1170
1171static void __exit cleanup_trusted(void)
1172{
1173 trusted_shash_release();
1174 unregister_key_type(&key_type_trusted);
1175}
1176
1177late_initcall(init_trusted);
1178module_exit(cleanup_trusted);
1179
1180MODULE_LICENSE("GPL");
diff --git a/security/keys/trusted.h b/security/keys/trusted.h
new file mode 100644
index 000000000000..3249fbd2b653
--- /dev/null
+++ b/security/keys/trusted.h
@@ -0,0 +1,134 @@
1#ifndef __TRUSTED_KEY_H
2#define __TRUSTED_KEY_H
3
4/* implementation specific TPM constants */
5#define MAX_PCRINFO_SIZE 64
6#define MAX_BUF_SIZE 512
7#define TPM_GETRANDOM_SIZE 14
8#define TPM_OSAP_SIZE 36
9#define TPM_OIAP_SIZE 10
10#define TPM_SEAL_SIZE 87
11#define TPM_UNSEAL_SIZE 104
12#define TPM_SIZE_OFFSET 2
13#define TPM_RETURN_OFFSET 6
14#define TPM_DATA_OFFSET 10
15
16#define LOAD32(buffer, offset) (ntohl(*(uint32_t *)&buffer[offset]))
17#define LOAD32N(buffer, offset) (*(uint32_t *)&buffer[offset])
18#define LOAD16(buffer, offset) (ntohs(*(uint16_t *)&buffer[offset]))
19
20struct tpm_buf {
21 int len;
22 unsigned char data[MAX_BUF_SIZE];
23};
24
25#define INIT_BUF(tb) (tb->len = 0)
26
27struct osapsess {
28 uint32_t handle;
29 unsigned char secret[SHA1_DIGEST_SIZE];
30 unsigned char enonce[TPM_NONCE_SIZE];
31};
32
33/* discrete values, but have to store in uint16_t for TPM use */
34enum {
35 SEAL_keytype = 1,
36 SRK_keytype = 4
37};
38
39struct trusted_key_options {
40 uint16_t keytype;
41 uint32_t keyhandle;
42 unsigned char keyauth[SHA1_DIGEST_SIZE];
43 unsigned char blobauth[SHA1_DIGEST_SIZE];
44 uint32_t pcrinfo_len;
45 unsigned char pcrinfo[MAX_PCRINFO_SIZE];
46 int pcrlock;
47};
48
49#define TPM_DEBUG 0
50
51#if TPM_DEBUG
52static inline void dump_options(struct trusted_key_options *o)
53{
54 pr_info("trusted_key: sealing key type %d\n", o->keytype);
55 pr_info("trusted_key: sealing key handle %0X\n", o->keyhandle);
56 pr_info("trusted_key: pcrlock %d\n", o->pcrlock);
57 pr_info("trusted_key: pcrinfo %d\n", o->pcrinfo_len);
58 print_hex_dump(KERN_INFO, "pcrinfo ", DUMP_PREFIX_NONE,
59 16, 1, o->pcrinfo, o->pcrinfo_len, 0);
60}
61
62static inline void dump_payload(struct trusted_key_payload *p)
63{
64 pr_info("trusted_key: key_len %d\n", p->key_len);
65 print_hex_dump(KERN_INFO, "key ", DUMP_PREFIX_NONE,
66 16, 1, p->key, p->key_len, 0);
67 pr_info("trusted_key: bloblen %d\n", p->blob_len);
68 print_hex_dump(KERN_INFO, "blob ", DUMP_PREFIX_NONE,
69 16, 1, p->blob, p->blob_len, 0);
70 pr_info("trusted_key: migratable %d\n", p->migratable);
71}
72
73static inline void dump_sess(struct osapsess *s)
74{
75 print_hex_dump(KERN_INFO, "trusted-key: handle ", DUMP_PREFIX_NONE,
76 16, 1, &s->handle, 4, 0);
77 pr_info("trusted-key: secret:\n");
78 print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
79 16, 1, &s->secret, SHA1_DIGEST_SIZE, 0);
80 pr_info("trusted-key: enonce:\n");
81 print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE,
82 16, 1, &s->enonce, SHA1_DIGEST_SIZE, 0);
83}
84
85static inline void dump_tpm_buf(unsigned char *buf)
86{
87 int len;
88
89 pr_info("\ntrusted-key: tpm buffer\n");
90 len = LOAD32(buf, TPM_SIZE_OFFSET);
91 print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, buf, len, 0);
92}
93#else
94static inline void dump_options(struct trusted_key_options *o)
95{
96}
97
98static inline void dump_payload(struct trusted_key_payload *p)
99{
100}
101
102static inline void dump_sess(struct osapsess *s)
103{
104}
105
106static inline void dump_tpm_buf(unsigned char *buf)
107{
108}
109#endif
110
111static inline void store8(struct tpm_buf *buf, const unsigned char value)
112{
113 buf->data[buf->len++] = value;
114}
115
116static inline void store16(struct tpm_buf *buf, const uint16_t value)
117{
118 *(uint16_t *) & buf->data[buf->len] = htons(value);
119 buf->len += sizeof value;
120}
121
122static inline void store32(struct tpm_buf *buf, const uint32_t value)
123{
124 *(uint32_t *) & buf->data[buf->len] = htonl(value);
125 buf->len += sizeof value;
126}
127
128static inline void storebytes(struct tpm_buf *buf, const unsigned char *in,
129 const int len)
130{
131 memcpy(buf->data + buf->len, in, len);
132 buf->len += len;
133}
134#endif
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index e9aa07929656..5b366d7af3c4 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -35,7 +35,6 @@ struct key_type key_type_user = {
35 35
36EXPORT_SYMBOL_GPL(key_type_user); 36EXPORT_SYMBOL_GPL(key_type_user);
37 37
38/*****************************************************************************/
39/* 38/*
40 * instantiate a user defined key 39 * instantiate a user defined key
41 */ 40 */
@@ -65,26 +64,10 @@ int user_instantiate(struct key *key, const void *data, size_t datalen)
65 64
66error: 65error:
67 return ret; 66 return ret;
68 67}
69} /* end user_instantiate() */
70 68
71EXPORT_SYMBOL_GPL(user_instantiate); 69EXPORT_SYMBOL_GPL(user_instantiate);
72 70
73/*****************************************************************************/
74/*
75 * dispose of the old data from an updated user defined key
76 */
77static void user_update_rcu_disposal(struct rcu_head *rcu)
78{
79 struct user_key_payload *upayload;
80
81 upayload = container_of(rcu, struct user_key_payload, rcu);
82
83 kfree(upayload);
84
85} /* end user_update_rcu_disposal() */
86
87/*****************************************************************************/
88/* 71/*
89 * update a user defined key 72 * update a user defined key
90 * - the key's semaphore is write-locked 73 * - the key's semaphore is write-locked
@@ -119,28 +102,24 @@ int user_update(struct key *key, const void *data, size_t datalen)
119 key->expiry = 0; 102 key->expiry = 0;
120 } 103 }
121 104
122 call_rcu(&zap->rcu, user_update_rcu_disposal); 105 kfree_rcu(zap, rcu);
123 106
124error: 107error:
125 return ret; 108 return ret;
126 109}
127} /* end user_update() */
128 110
129EXPORT_SYMBOL_GPL(user_update); 111EXPORT_SYMBOL_GPL(user_update);
130 112
131/*****************************************************************************/
132/* 113/*
133 * match users on their name 114 * match users on their name
134 */ 115 */
135int user_match(const struct key *key, const void *description) 116int user_match(const struct key *key, const void *description)
136{ 117{
137 return strcmp(key->description, description) == 0; 118 return strcmp(key->description, description) == 0;
138 119}
139} /* end user_match() */
140 120
141EXPORT_SYMBOL_GPL(user_match); 121EXPORT_SYMBOL_GPL(user_match);
142 122
143/*****************************************************************************/
144/* 123/*
145 * dispose of the links from a revoked keyring 124 * dispose of the links from a revoked keyring
146 * - called with the key sem write-locked 125 * - called with the key sem write-locked
@@ -154,14 +133,12 @@ void user_revoke(struct key *key)
154 133
155 if (upayload) { 134 if (upayload) {
156 rcu_assign_pointer(key->payload.data, NULL); 135 rcu_assign_pointer(key->payload.data, NULL);
157 call_rcu(&upayload->rcu, user_update_rcu_disposal); 136 kfree_rcu(upayload, rcu);
158 } 137 }
159 138}
160} /* end user_revoke() */
161 139
162EXPORT_SYMBOL(user_revoke); 140EXPORT_SYMBOL(user_revoke);
163 141
164/*****************************************************************************/
165/* 142/*
166 * dispose of the data dangling from the corpse of a user key 143 * dispose of the data dangling from the corpse of a user key
167 */ 144 */
@@ -170,26 +147,22 @@ void user_destroy(struct key *key)
170 struct user_key_payload *upayload = key->payload.data; 147 struct user_key_payload *upayload = key->payload.data;
171 148
172 kfree(upayload); 149 kfree(upayload);
173 150}
174} /* end user_destroy() */
175 151
176EXPORT_SYMBOL_GPL(user_destroy); 152EXPORT_SYMBOL_GPL(user_destroy);
177 153
178/*****************************************************************************/
179/* 154/*
180 * describe the user key 155 * describe the user key
181 */ 156 */
182void user_describe(const struct key *key, struct seq_file *m) 157void user_describe(const struct key *key, struct seq_file *m)
183{ 158{
184 seq_puts(m, key->description); 159 seq_puts(m, key->description);
185 160 if (key_is_instantiated(key))
186 seq_printf(m, ": %u", key->datalen); 161 seq_printf(m, ": %u", key->datalen);
187 162}
188} /* end user_describe() */
189 163
190EXPORT_SYMBOL_GPL(user_describe); 164EXPORT_SYMBOL_GPL(user_describe);
191 165
192/*****************************************************************************/
193/* 166/*
194 * read the key data 167 * read the key data
195 * - the key's semaphore is read-locked 168 * - the key's semaphore is read-locked
@@ -199,8 +172,7 @@ long user_read(const struct key *key, char __user *buffer, size_t buflen)
199 struct user_key_payload *upayload; 172 struct user_key_payload *upayload;
200 long ret; 173 long ret;
201 174
202 upayload = rcu_dereference_protected( 175 upayload = rcu_dereference_key(key);
203 key->payload.data, rwsem_is_locked(&((struct key *)key)->sem));
204 ret = upayload->datalen; 176 ret = upayload->datalen;
205 177
206 /* we can return the data as is */ 178 /* we can return the data as is */
@@ -213,7 +185,6 @@ long user_read(const struct key *key, char __user *buffer, size_t buflen)
213 } 185 }
214 186
215 return ret; 187 return ret;
216 188}
217} /* end user_read() */
218 189
219EXPORT_SYMBOL_GPL(user_read); 190EXPORT_SYMBOL_GPL(user_read);
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-15 00:33:57 -0400