|
Packit Service |
a9384c |
/*
|
|
Packit Service |
a9384c |
* kernel keyring utilities
|
|
Packit Service |
a9384c |
*
|
|
Packit Service |
a9384c |
* Copyright (C) 2016-2020 Red Hat, Inc. All rights reserved.
|
|
Packit Service |
a9384c |
* Copyright (C) 2016-2020 Ondrej Kozina
|
|
Packit Service |
a9384c |
*
|
|
Packit Service |
a9384c |
* This program is free software; you can redistribute it and/or
|
|
Packit Service |
a9384c |
* modify it under the terms of the GNU General Public License
|
|
Packit Service |
a9384c |
* as published by the Free Software Foundation; either version 2
|
|
Packit Service |
a9384c |
* of the License, or (at your option) any later version.
|
|
Packit Service |
a9384c |
*
|
|
Packit Service |
a9384c |
* This program is distributed in the hope that it will be useful,
|
|
Packit Service |
a9384c |
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit Service |
a9384c |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
Packit Service |
a9384c |
* GNU General Public License for more details.
|
|
Packit Service |
a9384c |
*
|
|
Packit Service |
a9384c |
* You should have received a copy of the GNU General Public License
|
|
Packit Service |
a9384c |
* along with this program; if not, write to the Free Software
|
|
Packit Service |
a9384c |
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
Packit Service |
a9384c |
*/
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
#include <errno.h>
|
|
Packit Service |
a9384c |
#include <stdio.h>
|
|
Packit Service |
a9384c |
#include <stdlib.h>
|
|
Packit Service |
a9384c |
#include <unistd.h>
|
|
Packit Service |
a9384c |
#include <sys/syscall.h>
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
#include "libcryptsetup.h"
|
|
Packit Service |
a9384c |
#include "utils_keyring.h"
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
#ifndef HAVE_KEY_SERIAL_T
|
|
Packit Service |
a9384c |
#define HAVE_KEY_SERIAL_T
|
|
Packit Service |
a9384c |
typedef int32_t key_serial_t;
|
|
Packit Service |
a9384c |
#endif
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
#ifndef ARRAY_SIZE
|
|
Packit Service |
a9384c |
# define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
|
|
Packit Service |
a9384c |
#endif
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
#ifdef KERNEL_KEYRING
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
static const struct {
|
|
Packit Service |
a9384c |
key_type_t type;
|
|
Packit Service |
a9384c |
const char *type_name;
|
|
Packit Service |
a9384c |
} key_types[] = {
|
|
Packit Service |
a9384c |
{ LOGON_KEY, "logon" },
|
|
Packit Service |
a9384c |
{ USER_KEY, "user" },
|
|
Packit Service |
a9384c |
};
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
#include <linux/keyctl.h>
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
/* request_key */
|
|
Packit Service |
a9384c |
static key_serial_t request_key(const char *type,
|
|
Packit Service |
a9384c |
const char *description,
|
|
Packit Service |
a9384c |
const char *callout_info,
|
|
Packit Service |
a9384c |
key_serial_t keyring)
|
|
Packit Service |
a9384c |
{
|
|
Packit Service |
a9384c |
return syscall(__NR_request_key, type, description, callout_info, keyring);
|
|
Packit Service |
a9384c |
}
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
/* add_key */
|
|
Packit Service |
a9384c |
static key_serial_t add_key(const char *type,
|
|
Packit Service |
a9384c |
const char *description,
|
|
Packit Service |
a9384c |
const void *payload,
|
|
Packit Service |
a9384c |
size_t plen,
|
|
Packit Service |
a9384c |
key_serial_t keyring)
|
|
Packit Service |
a9384c |
{
|
|
Packit Service |
a9384c |
return syscall(__NR_add_key, type, description, payload, plen, keyring);
|
|
Packit Service |
a9384c |
}
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
/* keyctl_read */
|
|
Packit Service |
a9384c |
static long keyctl_read(key_serial_t key, char *buffer, size_t buflen)
|
|
Packit Service |
a9384c |
{
|
|
Packit Service |
a9384c |
return syscall(__NR_keyctl, KEYCTL_READ, key, buffer, buflen);
|
|
Packit Service |
a9384c |
}
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
/* keyctl_revoke */
|
|
Packit Service |
a9384c |
static long keyctl_revoke(key_serial_t key)
|
|
Packit Service |
a9384c |
{
|
|
Packit Service |
a9384c |
return syscall(__NR_keyctl, KEYCTL_REVOKE, key);
|
|
Packit Service |
a9384c |
}
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
/* keyctl_unlink */
|
|
Packit Service |
a9384c |
static long keyctl_unlink(key_serial_t key, key_serial_t keyring)
|
|
Packit Service |
a9384c |
{
|
|
Packit Service |
a9384c |
return syscall(__NR_keyctl, KEYCTL_UNLINK, key, keyring);
|
|
Packit Service |
a9384c |
}
|
|
Packit Service |
a9384c |
#endif
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
int keyring_check(void)
|
|
Packit Service |
a9384c |
{
|
|
Packit Service |
a9384c |
#ifdef KERNEL_KEYRING
|
|
Packit Service |
a9384c |
/* logon type key descriptions must be in format "prefix:description" */
|
|
Packit Service |
a9384c |
return syscall(__NR_request_key, "logon", "dummy", NULL, 0) == -1l && errno != ENOSYS;
|
|
Packit Service |
a9384c |
#else
|
|
Packit Service |
a9384c |
return 0;
|
|
Packit Service |
a9384c |
#endif
|
|
Packit Service |
a9384c |
}
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
int keyring_add_key_in_thread_keyring(key_type_t ktype, const char *key_desc, const void *key, size_t key_size)
|
|
Packit Service |
a9384c |
{
|
|
Packit Service |
a9384c |
#ifdef KERNEL_KEYRING
|
|
Packit Service |
a9384c |
key_serial_t kid;
|
|
Packit Service |
a9384c |
const char *type_name = key_type_name(ktype);
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
if (!type_name || !key_desc)
|
|
Packit Service |
a9384c |
return -EINVAL;
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
kid = add_key(type_name, key_desc, key, key_size, KEY_SPEC_THREAD_KEYRING);
|
|
Packit Service |
a9384c |
if (kid < 0)
|
|
Packit Service |
a9384c |
return -errno;
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
return 0;
|
|
Packit Service |
a9384c |
#else
|
|
Packit Service |
a9384c |
return -ENOTSUP;
|
|
Packit Service |
a9384c |
#endif
|
|
Packit Service |
a9384c |
}
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
/* currently used in client utilities only */
|
|
Packit Service |
a9384c |
int keyring_add_key_in_user_keyring(key_type_t ktype, const char *key_desc, const void *key, size_t key_size)
|
|
Packit Service |
a9384c |
{
|
|
Packit Service |
a9384c |
#ifdef KERNEL_KEYRING
|
|
Packit Service |
a9384c |
const char *type_name = key_type_name(ktype);
|
|
Packit Service |
a9384c |
key_serial_t kid;
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
if (!type_name || !key_desc)
|
|
Packit Service |
a9384c |
return -EINVAL;
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
kid = add_key(type_name, key_desc, key, key_size, KEY_SPEC_USER_KEYRING);
|
|
Packit Service |
a9384c |
if (kid < 0)
|
|
Packit Service |
a9384c |
return -errno;
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
return 0;
|
|
Packit Service |
a9384c |
#else
|
|
Packit Service |
a9384c |
return -ENOTSUP;
|
|
Packit Service |
a9384c |
#endif
|
|
Packit Service |
a9384c |
}
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
/* alias for the same code */
|
|
Packit Service |
a9384c |
int keyring_get_key(const char *key_desc,
|
|
Packit Service |
a9384c |
char **key,
|
|
Packit Service |
a9384c |
size_t *key_size)
|
|
Packit Service |
a9384c |
{
|
|
Packit Service |
a9384c |
return keyring_get_passphrase(key_desc, key, key_size);
|
|
Packit Service |
a9384c |
}
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
int keyring_get_passphrase(const char *key_desc,
|
|
Packit Service |
a9384c |
char **passphrase,
|
|
Packit Service |
a9384c |
size_t *passphrase_len)
|
|
Packit Service |
a9384c |
{
|
|
Packit Service |
a9384c |
#ifdef KERNEL_KEYRING
|
|
Packit Service |
a9384c |
int err;
|
|
Packit Service |
a9384c |
key_serial_t kid;
|
|
Packit Service |
a9384c |
long ret;
|
|
Packit Service |
a9384c |
char *buf = NULL;
|
|
Packit Service |
a9384c |
size_t len = 0;
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
do
|
|
Packit Service |
a9384c |
kid = request_key(key_type_name(USER_KEY), key_desc, NULL, 0);
|
|
Packit Service |
a9384c |
while (kid < 0 && errno == EINTR);
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
if (kid < 0)
|
|
Packit Service |
a9384c |
return -errno;
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
/* just get payload size */
|
|
Packit Service |
a9384c |
ret = keyctl_read(kid, NULL, 0);
|
|
Packit Service |
a9384c |
if (ret > 0) {
|
|
Packit Service |
a9384c |
len = ret;
|
|
Packit Service |
a9384c |
buf = malloc(len);
|
|
Packit Service |
a9384c |
if (!buf)
|
|
Packit Service |
a9384c |
return -ENOMEM;
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
/* retrieve actual payload data */
|
|
Packit Service |
a9384c |
ret = keyctl_read(kid, buf, len);
|
|
Packit Service |
a9384c |
}
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
if (ret < 0) {
|
|
Packit Service |
a9384c |
err = errno;
|
|
Packit Service |
a9384c |
if (buf)
|
|
Packit Service |
a9384c |
crypt_safe_memzero(buf, len);
|
|
Packit Service |
a9384c |
free(buf);
|
|
Packit Service |
a9384c |
return -err;
|
|
Packit Service |
a9384c |
}
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
*passphrase = buf;
|
|
Packit Service |
a9384c |
*passphrase_len = len;
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
return 0;
|
|
Packit Service |
a9384c |
#else
|
|
Packit Service |
a9384c |
return -ENOTSUP;
|
|
Packit Service |
a9384c |
#endif
|
|
Packit Service |
a9384c |
}
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
static int keyring_revoke_and_unlink_key_type(const char *type_name, const char *key_desc)
|
|
Packit Service |
a9384c |
{
|
|
Packit Service |
a9384c |
#ifdef KERNEL_KEYRING
|
|
Packit Service |
a9384c |
key_serial_t kid;
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
if (!type_name || !key_desc)
|
|
Packit Service |
a9384c |
return -EINVAL;
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
do
|
|
Packit Service |
a9384c |
kid = request_key(type_name, key_desc, NULL, 0);
|
|
Packit Service |
a9384c |
while (kid < 0 && errno == EINTR);
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
if (kid < 0)
|
|
Packit Service |
a9384c |
return 0;
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
if (keyctl_revoke(kid))
|
|
Packit Service |
a9384c |
return -errno;
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
/*
|
|
Packit Service |
a9384c |
* best effort only. the key could have been linked
|
|
Packit Service |
a9384c |
* in some other keyring and its payload is now
|
|
Packit Service |
a9384c |
* revoked anyway.
|
|
Packit Service |
a9384c |
*/
|
|
Packit Service |
a9384c |
keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING);
|
|
Packit Service |
a9384c |
keyctl_unlink(kid, KEY_SPEC_PROCESS_KEYRING);
|
|
Packit Service |
a9384c |
keyctl_unlink(kid, KEY_SPEC_USER_KEYRING);
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
return 0;
|
|
Packit Service |
a9384c |
#else
|
|
Packit Service |
a9384c |
return -ENOTSUP;
|
|
Packit Service |
a9384c |
#endif
|
|
Packit Service |
a9384c |
}
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
const char *key_type_name(key_type_t type)
|
|
Packit Service |
a9384c |
{
|
|
Packit Service |
a9384c |
#ifdef KERNEL_KEYRING
|
|
Packit Service |
a9384c |
unsigned int i;
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
for (i = 0; i < ARRAY_SIZE(key_types); i++)
|
|
Packit Service |
a9384c |
if (type == key_types[i].type)
|
|
Packit Service |
a9384c |
return key_types[i].type_name;
|
|
Packit Service |
a9384c |
#endif
|
|
Packit Service |
a9384c |
return NULL;
|
|
Packit Service |
a9384c |
}
|
|
Packit Service |
a9384c |
|
|
Packit Service |
a9384c |
int keyring_revoke_and_unlink_key(key_type_t ktype, const char *key_desc)
|
|
Packit Service |
a9384c |
{
|
|
Packit Service |
a9384c |
return keyring_revoke_and_unlink_key_type(key_type_name(ktype), key_desc);
|
|
Packit Service |
a9384c |
}
|