/*
 * kernel keyring utilities
 *
 * Copyright (C) 2016-2020 Red Hat, Inc. All rights reserved.
 * Copyright (C) 2016-2020 Ondrej Kozina
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>
#include "libcryptsetup.h"
#include "utils_keyring.h"
#ifndef HAVE_KEY_SERIAL_T
#define HAVE_KEY_SERIAL_T
typedef int32_t key_serial_t;
#endif
#ifndef ARRAY_SIZE
# define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
#endif
#ifdef KERNEL_KEYRING
/*
 * Translation table from the key_type_t values of this API to the kernel
 * key type names that add_key(2)/request_key(2) expect. Looked up by
 * key_type_name(); an unknown key_type_t has no entry and maps to NULL.
 */
static const struct {
	key_type_t type;
	const char *type_name;
} key_types[] = {
	{ .type = LOGON_KEY, .type_name = "logon" },
	{ .type = USER_KEY,  .type_name = "user"  },
};
#include <linux/keyctl.h>
/* request_key */
/*
 * request_key(2) wrapper, issued as a raw syscall.
 *
 * Looks up a key of the given type and description; callout_info and
 * keyring are passed straight through to the kernel (every caller in
 * this file passes NULL and 0). Returns the key serial, or -1 with
 * errno set.
 */
static key_serial_t request_key(const char *type,
	const char *description,
	const char *callout_info,
	key_serial_t keyring)
{
	long serial;

	serial = syscall(__NR_request_key, type, description, callout_info, keyring);

	return (key_serial_t)serial;
}
/* add_key */
/*
 * add_key(2) wrapper, issued as a raw syscall.
 *
 * Creates a key of the given type and description from the plen bytes
 * at payload and links it into keyring. Returns the new key's serial,
 * or -1 with errno set.
 */
static key_serial_t add_key(const char *type,
	const char *description,
	const void *payload,
	size_t plen,
	key_serial_t keyring)
{
	long serial;

	serial = syscall(__NR_add_key, type, description, payload, plen, keyring);

	return (key_serial_t)serial;
}
/* keyctl_read */
/*
 * keyctl(KEYCTL_READ) wrapper.
 *
 * Per keyctl(2) the kernel copies at most buflen bytes of the payload
 * into buffer but always returns the full payload length, so a call
 * with buffer == NULL and buflen == 0 only queries the size (see
 * keyring_get_passphrase()). Returns -1 with errno set on error.
 */
static long keyctl_read(key_serial_t key, char *buffer, size_t buflen)
{
	long rc;

	rc = syscall(__NR_keyctl, KEYCTL_READ, key, buffer, buflen);

	return rc;
}
/* keyctl_revoke */
/*
 * keyctl(KEYCTL_REVOKE) wrapper.
 *
 * Marks the key revoked so its payload can no longer be read. The key
 * may still be linked into keyrings afterwards, which is why
 * keyring_revoke_and_unlink_key_type() unlinks it separately.
 * Returns 0 on success, -1 with errno set otherwise.
 */
static long keyctl_revoke(key_serial_t key)
{
	long rc;

	rc = syscall(__NR_keyctl, KEYCTL_REVOKE, key);

	return rc;
}
/* keyctl_unlink */
/*
 * keyctl(KEYCTL_UNLINK) wrapper: drop the link to key from keyring.
 * Returns 0 on success, -1 with errno set otherwise.
 */
static long keyctl_unlink(key_serial_t key, key_serial_t keyring)
{
	long rc;

	rc = syscall(__NR_keyctl, KEYCTL_UNLINK, key, keyring);

	return rc;
}
#endif
/*
 * Probe whether the kernel keyring service is available.
 *
 * Returns non-zero when request_key(2) is implemented, 0 otherwise.
 * Always 0 when built without KERNEL_KEYRING.
 *
 * The probe requests a "logon" key named "dummy". Logon key
 * descriptions must have the form "prefix:description", so the call is
 * expected to fail; the only failure that means "no keyring support"
 * is ENOSYS, any other errno proves the syscall exists.
 */
int keyring_check(void)
{
#ifdef KERNEL_KEYRING
	long ret;

	/* logon type key descriptions must be in format "prefix:description" */
	ret = syscall(__NR_request_key, "logon", "dummy", NULL, 0);
	if (ret != -1l)
		return 0;

	return errno != ENOSYS;
#else
	return 0;
#endif
}
/*
 * Add a key to the calling thread's keyring (KEY_SPEC_THREAD_KEYRING).
 *
 * ktype:    LOGON_KEY or USER_KEY, translated through key_type_name()
 * key_desc: key description (logon keys need "prefix:description")
 * key:      payload, key_size bytes
 *
 * Returns 0 on success, -EINVAL for an unknown type or NULL description,
 * -errno from add_key(2) on failure, -ENOTSUP without KERNEL_KEYRING.
 * The key serial is not handed back; the key is addressed by its
 * description afterwards (see keyring_revoke_and_unlink_key()).
 * Per keyrings(7) the thread keyring is private to the calling thread,
 * which is what keeps the key from being visible to other processes.
 */
int keyring_add_key_in_thread_keyring(key_type_t ktype, const char *key_desc, const void *key, size_t key_size)
{
#ifdef KERNEL_KEYRING
	const char *type_name;

	type_name = key_type_name(ktype);
	if (!type_name)
		return -EINVAL;
	if (!key_desc)
		return -EINVAL;

	if (add_key(type_name, key_desc, key, key_size, KEY_SPEC_THREAD_KEYRING) < 0)
		return -errno;

	return 0;
#else
	return -ENOTSUP;
#endif
}
/* currently used in client utilities only */
/*
 * Add a key to the UID's user keyring (KEY_SPEC_USER_KEYRING).
 *
 * Same arguments and return values as keyring_add_key_in_thread_keyring():
 * 0 on success, -EINVAL for an unknown type or NULL description, -errno
 * from add_key(2) on failure, -ENOTSUP without KERNEL_KEYRING.
 *
 * Per keyrings(7) the user keyring is shared by every process running
 * under the same UID, so a key placed here outlives this process and is
 * reachable by those processes (subject to key permissions). That is why
 * it is meant for the client utilities only.
 */
int keyring_add_key_in_user_keyring(key_type_t ktype, const char *key_desc, const void *key, size_t key_size)
{
#ifdef KERNEL_KEYRING
	const char *type_name;

	type_name = key_type_name(ktype);
	if (!type_name)
		return -EINVAL;
	if (!key_desc)
		return -EINVAL;

	if (add_key(type_name, key_desc, key, key_size, KEY_SPEC_USER_KEYRING) < 0)
		return -errno;

	return 0;
#else
	return -ENOTSUP;
#endif
}
/* alias for the same code */
/*
 * Fetch the payload of the "user" key named key_desc.
 *
 * Thin alias of keyring_get_passphrase(): same arguments, same return
 * values, and ownership of *key passes to the caller in the same way.
 */
int keyring_get_key(const char *key_desc,
		    char **key,
		    size_t *key_size)
{
	int r;

	r = keyring_get_passphrase(key_desc, key, key_size);

	return r;
}
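/*
 * Look up the "user" key named key_desc and return a copy of its payload.
 *
 * key_desc:       description the key was added with
 * passphrase:     on success receives a malloc()ed buffer holding the
 *                 payload; ownership passes to the caller, who should
 *                 wipe it before freeing it (it is a secret)
 * passphrase_len: on success receives the payload length in bytes
 *
 * Returns 0 on success, -EINVAL for NULL arguments, -ENOMEM if the buffer
 * cannot be allocated, -errno from request_key(2)/keyctl(2) when the key
 * cannot be found or read, -EAGAIN if the payload kept changing while it
 * was being read, and -ENOTSUP when built without KERNEL_KEYRING.
 *
 * The payload is read with two keyctl(KEYCTL_READ) calls: one with a NULL
 * buffer to learn the length, one to copy the data. keyctl(2) reports the
 * payload length at the time of each call and copies at most the buffer
 * size, so if the key is updated between the two calls the second result
 * no longer matches the buffer: a payload that shrank was copied in full
 * (the returned length is reduced to match), a payload that grew was
 * truncated. Earlier versions trusted the first length, which could hand
 * back a truncated passphrase or uninitialized trailing bytes; the second
 * length is now checked and the read is retried a few times.
 */
int keyring_get_passphrase(const char *key_desc,
		      char **passphrase,
		      size_t *passphrase_len)
{
#ifdef KERNEL_KEYRING
	int err, attempt;
	key_serial_t kid;
	long ret;
	char *buf = NULL;
	size_t len = 0;

	if (!key_desc || !passphrase || !passphrase_len)
		return -EINVAL;

	/* no callout info is given, so only an already existing key is found */
	do
		kid = request_key(key_type_name(USER_KEY), key_desc, NULL, 0);
	while (kid < 0 && errno == EINTR);

	if (kid < 0)
		return -errno;

	/*
	 * Three attempts are plenty for a key that happens to be updated
	 * concurrently; a writer deliberately racing us could only make
	 * the call fail, never make it return a wrong payload.
	 */
	for (attempt = 0; attempt < 3; attempt++) {
		/* just get payload size */
		ret = keyctl_read(kid, NULL, 0);
		if (ret <= 0)
			break;

		len = (size_t)ret;
		buf = malloc(len);
		if (!buf)
			return -ENOMEM;

		/* retrieve actual payload data */
		ret = keyctl_read(kid, buf, len);
		if (ret < 0)
			break;

		if ((size_t)ret <= len) {
			/* whole payload copied; it may have shrunk meanwhile */
			*passphrase = buf;
			*passphrase_len = (size_t)ret;
			return 0;
		}

		/* payload grew under us: buf holds a truncated copy, retry */
		crypt_safe_memzero(buf, len);
		free(buf);
		buf = NULL;
		len = 0;
	}

	if (ret < 0) {
		/* errno is still that of the failed keyctl_read() */
		err = errno;
		if (buf)
			crypt_safe_memzero(buf, len);
		free(buf);
		return -err;
	}

	if (ret == 0) {
		/* empty payload: nothing to hand back (buf is NULL here) */
		*passphrase = NULL;
		*passphrase_len = 0;
		return 0;
	}

	/* every attempt found the payload larger than the buffer sized for it */
	return -EAGAIN;
#else
	return -ENOTSUP;
#endif
}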
/*
 * Find the key of the given kernel type name and description, revoke it
 * and try to unlink it from the thread, process and user keyrings.
 *
 * Returns 0 when the key was revoked or did not exist in the first place
 * (a missing key is not an error), -EINVAL for a NULL type name or
 * description, -errno if the revoke fails, -ENOTSUP without KERNEL_KEYRING.
 * Unlink failures are ignored on purpose (see below).
 */
static int keyring_revoke_and_unlink_key_type(const char *type_name, const char *key_desc)
{
#ifdef KERNEL_KEYRING
	static const key_serial_t keyrings[] = {
		KEY_SPEC_THREAD_KEYRING,
		KEY_SPEC_PROCESS_KEYRING,
		KEY_SPEC_USER_KEYRING,
	};
	key_serial_t kid;
	unsigned int i;

	if (!type_name || !key_desc)
		return -EINVAL;

	/* no callout info is given, so only an already existing key is found */
	for (;;) {
		kid = request_key(type_name, key_desc, NULL, 0);
		if (kid >= 0 || errno != EINTR)
			break;
	}

	/* nothing to revoke */
	if (kid < 0)
		return 0;

	/* revocation makes the payload unreadable wherever the key is linked */
	if (keyctl_revoke(kid))
		return -errno;

	/*
	 * Unlinking is best effort only: the key may also be linked into
	 * keyrings not listed here, but it is unusable once revoked.
	 */
	for (i = 0; i < ARRAY_SIZE(keyrings); i++)
		keyctl_unlink(kid, keyrings[i]);

	return 0;
#else
	return -ENOTSUP;
#endif
}
/*
 * Map a key_type_t to the kernel key type name ("logon" or "user").
 *
 * Returns a pointer to a static string, or NULL for a value not present
 * in key_types (and always NULL when built without KERNEL_KEYRING).
 */
const char *key_type_name(key_type_t type)
{
#ifdef KERNEL_KEYRING
	unsigned int idx;

	for (idx = 0; idx < ARRAY_SIZE(key_types); idx++) {
		if (key_types[idx].type != type)
			continue;
		return key_types[idx].type_name;
	}
#endif
	return NULL;
}
/*
 * Revoke and unlink the key of type ktype named key_desc.
 *
 * Convenience front end for keyring_revoke_and_unlink_key_type(); an
 * unknown ktype yields a NULL type name, which that helper rejects.
 * Return values are those of the helper.
 */
int keyring_revoke_and_unlink_key(key_type_t ktype, const char *key_desc)
{
	const char *type_name;

	type_name = key_type_name(ktype);

	return keyring_revoke_and_unlink_key_type(type_name, key_desc);
}