1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
|
/*
* kernel keyring utilities
*
* Copyright (C) 2016-2023 Red Hat, Inc. All rights reserved.
* Copyright (C) 2016-2023 Ondrej Kozina
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>
#include "libcryptsetup.h"
#include "libcryptsetup_macros.h"
#include "utils_keyring.h"
#ifndef HAVE_KEY_SERIAL_T
#define HAVE_KEY_SERIAL_T
typedef int32_t key_serial_t;
#endif
#ifdef KERNEL_KEYRING
static const struct {
key_type_t type;
const char *type_name;
} key_types[] = {
{ LOGON_KEY, "logon" },
{ USER_KEY, "user" },
};
#include <linux/keyctl.h>
/* request_key */
static key_serial_t request_key(const char *type,
const char *description,
const char *callout_info,
key_serial_t keyring)
{
return syscall(__NR_request_key, type, description, callout_info, keyring);
}
/* add_key */
static key_serial_t add_key(const char *type,
const char *description,
const void *payload,
size_t plen,
key_serial_t keyring)
{
return syscall(__NR_add_key, type, description, payload, plen, keyring);
}
/* keyctl_read */
static long keyctl_read(key_serial_t key, char *buffer, size_t buflen)
{
return syscall(__NR_keyctl, KEYCTL_READ, key, buffer, buflen);
}
/* keyctl_revoke */
static long keyctl_revoke(key_serial_t key)
{
return syscall(__NR_keyctl, KEYCTL_REVOKE, key);
}
/* keyctl_unlink */
static long keyctl_unlink(key_serial_t key, key_serial_t keyring)
{
return syscall(__NR_keyctl, KEYCTL_UNLINK, key, keyring);
}
#endif
int keyring_check(void)
{
#ifdef KERNEL_KEYRING
/* logon type key descriptions must be in format "prefix:description" */
return syscall(__NR_request_key, "logon", "dummy", NULL, 0) == -1l && errno != ENOSYS;
#else
return 0;
#endif
}
int keyring_add_key_in_thread_keyring(key_type_t ktype, const char *key_desc, const void *key, size_t key_size)
{
#ifdef KERNEL_KEYRING
key_serial_t kid;
const char *type_name = key_type_name(ktype);
if (!type_name || !key_desc)
return -EINVAL;
kid = add_key(type_name, key_desc, key, key_size, KEY_SPEC_THREAD_KEYRING);
if (kid < 0)
return -errno;
return 0;
#else
return -ENOTSUP;
#endif
}
/* currently used in client utilities only */
int keyring_add_key_in_user_keyring(key_type_t ktype, const char *key_desc, const void *key, size_t key_size)
{
#ifdef KERNEL_KEYRING
const char *type_name = key_type_name(ktype);
key_serial_t kid;
if (!type_name || !key_desc)
return -EINVAL;
kid = add_key(type_name, key_desc, key, key_size, KEY_SPEC_USER_KEYRING);
if (kid < 0)
return -errno;
return 0;
#else
return -ENOTSUP;
#endif
}
/* alias for the same code */
int keyring_get_key(const char *key_desc,
char **key,
size_t *key_size)
{
return keyring_get_passphrase(key_desc, key, key_size);
}
int keyring_get_passphrase(const char *key_desc,
char **passphrase,
size_t *passphrase_len)
{
#ifdef KERNEL_KEYRING
int err;
key_serial_t kid;
long ret;
char *buf = NULL;
size_t len = 0;
do
kid = request_key(key_type_name(USER_KEY), key_desc, NULL, 0);
while (kid < 0 && errno == EINTR);
if (kid < 0)
return -errno;
/* just get payload size */
ret = keyctl_read(kid, NULL, 0);
if (ret > 0) {
len = ret;
buf = crypt_safe_alloc(len);
if (!buf)
return -ENOMEM;
/* retrieve actual payload data */
ret = keyctl_read(kid, buf, len);
}
if (ret < 0) {
err = errno;
crypt_safe_free(buf);
return -err;
}
*passphrase = buf;
*passphrase_len = len;
return 0;
#else
return -ENOTSUP;
#endif
}
static int keyring_revoke_and_unlink_key_type(const char *type_name, const char *key_desc)
{
#ifdef KERNEL_KEYRING
key_serial_t kid;
if (!type_name || !key_desc)
return -EINVAL;
do
kid = request_key(type_name, key_desc, NULL, 0);
while (kid < 0 && errno == EINTR);
if (kid < 0)
return 0;
if (keyctl_revoke(kid))
return -errno;
/*
* best effort only. the key could have been linked
* in some other keyring and its payload is now
* revoked anyway.
*/
keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING);
keyctl_unlink(kid, KEY_SPEC_PROCESS_KEYRING);
keyctl_unlink(kid, KEY_SPEC_USER_KEYRING);
return 0;
#else
return -ENOTSUP;
#endif
}
const char *key_type_name(key_type_t type)
{
#ifdef KERNEL_KEYRING
unsigned int i;
for (i = 0; i < ARRAY_SIZE(key_types); i++)
if (type == key_types[i].type)
return key_types[i].type_name;
#endif
return NULL;
}
int keyring_revoke_and_unlink_key(key_type_t ktype, const char *key_desc)
{
return keyring_revoke_and_unlink_key_type(key_type_name(ktype), key_desc);
}
|