00d60fd3b9
Provide five keyctl functions that permit userspace to make use of the new key type ops for accessing and driving asymmetric keys. (*) Query an asymmetric key. long keyctl(KEYCTL_PKEY_QUERY, key_serial_t key, unsigned long reserved, struct keyctl_pkey_query *info); Get information about an asymmetric key. The information is returned in the keyctl_pkey_query struct: __u32 supported_ops; A bit mask of flags indicating which ops are supported. This is constructed from a bitwise-OR of: KEYCTL_SUPPORTS_{ENCRYPT,DECRYPT,SIGN,VERIFY} __u32 key_size; The size in bits of the key. __u16 max_data_size; __u16 max_sig_size; __u16 max_enc_size; __u16 max_dec_size; The maximum sizes in bytes of a blob of data to be signed, a signature blob, a blob to be encrypted and a blob to be decrypted. reserved must be set to 0. This is intended for future use to hand over one or more passphrases needed unlock a key. If successful, 0 is returned. If the key is not an asymmetric key, EOPNOTSUPP is returned. (*) Encrypt, decrypt, sign or verify a blob using an asymmetric key. long keyctl(KEYCTL_PKEY_ENCRYPT, const struct keyctl_pkey_params *params, const char *info, const void *in, void *out); long keyctl(KEYCTL_PKEY_DECRYPT, const struct keyctl_pkey_params *params, const char *info, const void *in, void *out); long keyctl(KEYCTL_PKEY_SIGN, const struct keyctl_pkey_params *params, const char *info, const void *in, void *out); long keyctl(KEYCTL_PKEY_VERIFY, const struct keyctl_pkey_params *params, const char *info, const void *in, const void *in2); Use an asymmetric key to perform a public-key cryptographic operation a blob of data. The parameter block pointed to by params contains a number of integer values: __s32 key_id; __u32 in_len; __u32 out_len; __u32 in2_len; For a given operation, the in and out buffers are used as follows: Operation ID in,in_len out,out_len in2,in2_len ======================= =============== =============== =========== KEYCTL_PKEY_ENCRYPT Raw data Encrypted data - KEYCTL_PKEY_DECRYPT Encrypted data Raw data - KEYCTL_PKEY_SIGN Raw data Signature - KEYCTL_PKEY_VERIFY Raw data - Signature info is a string of key=value pairs that supply supplementary information. The __spare space in the parameter block must be set to 0. This is intended, amongst other things, to allow the passing of passphrases required to unlock a key. If successful, encrypt, decrypt and sign all return the amount of data written into the output buffer. Verification returns 0 on success. Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Marcel Holtmann <marcel@holtmann.org> Reviewed-by: Marcel Holtmann <marcel@holtmann.org> Reviewed-by: Denis Kenzior <denkenz@gmail.com> Tested-by: Denis Kenzior <denkenz@gmail.com> Signed-off-by: James Morris <james.morris@microsoft.com>
166 lines
4.3 KiB
C
166 lines
4.3 KiB
C
/* 32-bit compatibility syscall for 64-bit systems
|
|
*
|
|
* Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License
|
|
* as published by the Free Software Foundation; either version
|
|
* 2 of the License, or (at your option) any later version.
|
|
*/
|
|
|
|
#include <linux/syscalls.h>
|
|
#include <linux/keyctl.h>
|
|
#include <linux/compat.h>
|
|
#include <linux/slab.h>
|
|
#include "internal.h"
|
|
|
|
/*
|
|
* Instantiate a key with the specified compatibility multipart payload and
|
|
* link the key into the destination keyring if one is given.
|
|
*
|
|
* The caller must have the appropriate instantiation permit set for this to
|
|
* work (see keyctl_assume_authority). No other permissions are required.
|
|
*
|
|
* If successful, 0 will be returned.
|
|
*/
|
|
static long compat_keyctl_instantiate_key_iov(
|
|
key_serial_t id,
|
|
const struct compat_iovec __user *_payload_iov,
|
|
unsigned ioc,
|
|
key_serial_t ringid)
|
|
{
|
|
struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
|
|
struct iov_iter from;
|
|
long ret;
|
|
|
|
if (!_payload_iov)
|
|
ioc = 0;
|
|
|
|
ret = compat_import_iovec(WRITE, _payload_iov, ioc,
|
|
ARRAY_SIZE(iovstack), &iov,
|
|
&from);
|
|
if (ret < 0)
|
|
return ret;
|
|
|
|
ret = keyctl_instantiate_key_common(id, &from, ringid);
|
|
kfree(iov);
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* The key control system call, 32-bit compatibility version for 64-bit archs
|
|
*
|
|
* This should only be called if the 64-bit arch uses weird pointers in 32-bit
|
|
* mode or doesn't guarantee that the top 32-bits of the argument registers on
|
|
* taking a 32-bit syscall are zero. If you can, you should call sys_keyctl()
|
|
* directly.
|
|
*/
|
|
COMPAT_SYSCALL_DEFINE5(keyctl, u32, option,
|
|
u32, arg2, u32, arg3, u32, arg4, u32, arg5)
|
|
{
|
|
switch (option) {
|
|
case KEYCTL_GET_KEYRING_ID:
|
|
return keyctl_get_keyring_ID(arg2, arg3);
|
|
|
|
case KEYCTL_JOIN_SESSION_KEYRING:
|
|
return keyctl_join_session_keyring(compat_ptr(arg2));
|
|
|
|
case KEYCTL_UPDATE:
|
|
return keyctl_update_key(arg2, compat_ptr(arg3), arg4);
|
|
|
|
case KEYCTL_REVOKE:
|
|
return keyctl_revoke_key(arg2);
|
|
|
|
case KEYCTL_DESCRIBE:
|
|
return keyctl_describe_key(arg2, compat_ptr(arg3), arg4);
|
|
|
|
case KEYCTL_CLEAR:
|
|
return keyctl_keyring_clear(arg2);
|
|
|
|
case KEYCTL_LINK:
|
|
return keyctl_keyring_link(arg2, arg3);
|
|
|
|
case KEYCTL_UNLINK:
|
|
return keyctl_keyring_unlink(arg2, arg3);
|
|
|
|
case KEYCTL_SEARCH:
|
|
return keyctl_keyring_search(arg2, compat_ptr(arg3),
|
|
compat_ptr(arg4), arg5);
|
|
|
|
case KEYCTL_READ:
|
|
return keyctl_read_key(arg2, compat_ptr(arg3), arg4);
|
|
|
|
case KEYCTL_CHOWN:
|
|
return keyctl_chown_key(arg2, arg3, arg4);
|
|
|
|
case KEYCTL_SETPERM:
|
|
return keyctl_setperm_key(arg2, arg3);
|
|
|
|
case KEYCTL_INSTANTIATE:
|
|
return keyctl_instantiate_key(arg2, compat_ptr(arg3), arg4,
|
|
arg5);
|
|
|
|
case KEYCTL_NEGATE:
|
|
return keyctl_negate_key(arg2, arg3, arg4);
|
|
|
|
case KEYCTL_SET_REQKEY_KEYRING:
|
|
return keyctl_set_reqkey_keyring(arg2);
|
|
|
|
case KEYCTL_SET_TIMEOUT:
|
|
return keyctl_set_timeout(arg2, arg3);
|
|
|
|
case KEYCTL_ASSUME_AUTHORITY:
|
|
return keyctl_assume_authority(arg2);
|
|
|
|
case KEYCTL_GET_SECURITY:
|
|
return keyctl_get_security(arg2, compat_ptr(arg3), arg4);
|
|
|
|
case KEYCTL_SESSION_TO_PARENT:
|
|
return keyctl_session_to_parent();
|
|
|
|
case KEYCTL_REJECT:
|
|
return keyctl_reject_key(arg2, arg3, arg4, arg5);
|
|
|
|
case KEYCTL_INSTANTIATE_IOV:
|
|
return compat_keyctl_instantiate_key_iov(
|
|
arg2, compat_ptr(arg3), arg4, arg5);
|
|
|
|
case KEYCTL_INVALIDATE:
|
|
return keyctl_invalidate_key(arg2);
|
|
|
|
case KEYCTL_GET_PERSISTENT:
|
|
return keyctl_get_persistent(arg2, arg3);
|
|
|
|
case KEYCTL_DH_COMPUTE:
|
|
return compat_keyctl_dh_compute(compat_ptr(arg2),
|
|
compat_ptr(arg3),
|
|
arg4, compat_ptr(arg5));
|
|
|
|
case KEYCTL_RESTRICT_KEYRING:
|
|
return keyctl_restrict_keyring(arg2, compat_ptr(arg3),
|
|
compat_ptr(arg4));
|
|
|
|
case KEYCTL_PKEY_QUERY:
|
|
if (arg3 != 0)
|
|
return -EINVAL;
|
|
return keyctl_pkey_query(arg2,
|
|
compat_ptr(arg4),
|
|
compat_ptr(arg5));
|
|
|
|
case KEYCTL_PKEY_ENCRYPT:
|
|
case KEYCTL_PKEY_DECRYPT:
|
|
case KEYCTL_PKEY_SIGN:
|
|
return keyctl_pkey_e_d_s(option,
|
|
compat_ptr(arg2), compat_ptr(arg3),
|
|
compat_ptr(arg4), compat_ptr(arg5));
|
|
|
|
case KEYCTL_PKEY_VERIFY:
|
|
return keyctl_pkey_verify(compat_ptr(arg2), compat_ptr(arg3),
|
|
compat_ptr(arg4), compat_ptr(arg5));
|
|
|
|
default:
|
|
return -EOPNOTSUPP;
|
|
}
|
|
}
|