2010-10-07 12:29:53

by Roberto Sassu

Subject: [PATCH 1/2] keys: fixed handling of update method of the encrypted key type

This patch adds the UPDATE keyword for encrypted key types: it
prevents updating existing keys when UPDATE is missing and creating
new keys when UPDATE is specified.

Signed-off-by: Roberto Sassu <[email protected]>
---
security/keys/encrypted_defined.c | 31 +++++++++++++++++++++++--------
1 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/security/keys/encrypted_defined.c b/security/keys/encrypted_defined.c
index 6b26db6..54c0f0f 100644
--- a/security/keys/encrypted_defined.c
+++ b/security/keys/encrypted_defined.c
@@ -64,7 +64,8 @@ static int aes_get_sizes(int *ivsize, int *blksize)
}

enum {
- Opt_err = -1, Opt_new = 1, Opt_load, Opt_NEW, Opt_LOAD
+ Opt_err = -1, Opt_new = 1, Opt_load,
+ Opt_update, Opt_NEW, Opt_LOAD, Opt_UPDATE
};

static match_table_t key_tokens = {
@@ -72,6 +73,8 @@ static match_table_t key_tokens = {
{Opt_NEW, "NEW"},
{Opt_load, "load"},
{Opt_LOAD, "LOAD"},
+ {Opt_update, "update"},
+ {Opt_UPDATE, "UPDATE"},
{Opt_err, NULL}
};

@@ -81,6 +84,7 @@ static match_table_t key_tokens = {
* datablob format:
* NEW <master-key name> <decrypted data length>
* LOAD <master-key name> <decrypted data length> <encrypted iv + data>
+ * UPDATE <new-master-key name>
*
* Tokenizes a copy of the keyctl data, returning a pointer to each token,
* which is null terminated.
@@ -104,23 +108,36 @@ static int datablob_parse(char *datablob, char **master_desc,
*master_desc = strsep(&datablob, " \t");
if (!*master_desc)
goto out;
- *decrypted_datalen = strsep(&datablob, " \t");
- if (!*decrypted_datalen)
- goto out;
+
+ if (decrypted_datalen) {
+ *decrypted_datalen = strsep(&datablob, " \t");
+ if (!*decrypted_datalen)
+ goto out;
+ }

switch (key_cmd) {
case Opt_new:
case Opt_NEW:
+ if (!decrypted_datalen)
+ break;
ret = 0;
break;
case Opt_load:
case Opt_LOAD:
+ if (!decrypted_datalen)
+ break;
*hex_encoded_iv = strsep(&datablob, " \t");
if (!*hex_encoded_iv)
break;
*hex_encoded_data = *hex_encoded_iv + (2 * ivsize) + 2;
ret = 0;
break;
+ case Opt_update:
+ case Opt_UPDATE:
+ if (decrypted_datalen)
+ break;
+ ret = 0;
+ break;
case Opt_err:
break;
}
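Review bot: In the Opt_load/Opt_LOAD case the writes through `hex_encoded_iv` and `hex_encoded_data` are protected only by the added `if (!decrypted_datalen) break;`, so a caller that passes a length pointer but NULL iv/data pointers would dereference NULL; guarding on the pointers actually written is more robust: `if (!decrypted_datalen || !hex_encoded_iv || !hex_encoded_data) break;`. The hunk also makes the NULL-ness of `decrypted_datalen` decide which keywords are accepted (NEW/LOAD versus UPDATE), and that convention is stated nowhere; the header comment touched in the hunk above (L40-L47) should say it, e.g. `* When decrypted_datalen is NULL only "UPDATE <new-master-key name>" is accepted; otherwise only NEW and LOAD are.`. The Opt_update case returns 0 without checking whether anything follows the master-key name, so trailing tokens are silently ignored — worth a comment if that is intended. datablob_parse() continues past the end of this hunk (the `out` label and return are not shown).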
@@ -647,11 +664,9 @@ static int encrypted_update(struct key *key, const void *data, size_t datalen)
return -ENOMEM;

memcpy(buf, data, datalen);
- new_master_desc = strsep(&buf, " \t");
- if (!*new_master_desc) {
- ret = -EINVAL;
+ ret = datablob_parse(buf, &new_master_desc, NULL, NULL, NULL);
+ if (ret < 0)
goto out;
- }

new_epayload = encrypted_key_alloc(key, new_master_desc,
epayload->datalen);
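Review bot: `datablob_parse()` tokenizes `buf` in place with strsep(), which requires a NUL terminator, but `memcpy(buf, data, datalen)` copies exactly datalen bytes of caller-supplied data and neither the allocation size nor a `buf[datalen] = '\0'` is visible in this hunk; if the allocation is datalen + 1 with the terminator written (as it presumably is, since the old strsep() path had the same need), a comment at the call such as `/* buf is NUL-terminated; datablob_parse() tokenizes it in place */` would make the dependency explicit. Passing NULL for the last three arguments is what restricts parsing to the UPDATE keyword, which deserves its own one-line comment, e.g. `/* NULL decrypted_datalen: only "UPDATE <new-master-key name>" is accepted */`. The removed code returned -EINVAL explicitly; the error returned for a bad or missing master-key name now depends on datablob_parse()'s fall-through return value, which is outside this hunk. encrypted_update() starts and ends outside the hunk.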
--
1.7.2.3


Attachments:
smime.p7s (4.60 kB)

2010-10-07 21:03:19

by Mimi Zohar

Subject: Re: [PATCH 1/2] keys: fixed handling of update method of the encrypted key type

Nice! This patch applies cleanly to the trusted/encrypted patch set
posted today.

thanks,

Acked-by: Mimi Zohar <[email protected]>

On Thu, 2010-10-07 at 14:29 +0200, Roberto Sassu wrote:
> This patch adds the UPDATE keyword for encrypted key types:
> prevents updating existent keys if UPDATE is missing and creating
> new keys when UPDATE is specified.
>
> Signed-off-by: Roberto Sassu <[email protected]>
> ---
> security/keys/encrypted_defined.c | 31 +++++++++++++++++++++++--------
> 1 files changed, 23 insertions(+), 8 deletions(-)
>
> diff --git a/security/keys/encrypted_defined.c b/security/keys/encrypted_defined.c
> index 6b26db6..54c0f0f 100644
> --- a/security/keys/encrypted_defined.c
> +++ b/security/keys/encrypted_defined.c
> @@ -64,7 +64,8 @@ static int aes_get_sizes(int *ivsize, int *blksize)
> }
>
> enum {
> - Opt_err = -1, Opt_new = 1, Opt_load, Opt_NEW, Opt_LOAD
> + Opt_err = -1, Opt_new = 1, Opt_load,
> + Opt_update, Opt_NEW, Opt_LOAD, Opt_UPDATE
> };
>
> static match_table_t key_tokens = {
> @@ -72,6 +73,8 @@ static match_table_t key_tokens = {
> {Opt_NEW, "NEW"},
> {Opt_load, "load"},
> {Opt_LOAD, "LOAD"},
> + {Opt_update, "update"},
> + {Opt_UPDATE, "UPDATE"},
> {Opt_err, NULL}
> };
>
> @@ -81,6 +84,7 @@ static match_table_t key_tokens = {
> * datablob format:
> * NEW <master-key name> <decrypted data length>
> * LOAD <master-key name> <decrypted data length> <encrypted iv + data>
> + * UPDATE <new-master-key name>
> *
> * Tokenizes a copy of the keyctl data, returning a pointer to each token,
> * which is null terminated.
> @@ -104,23 +108,36 @@ static int datablob_parse(char *datablob, char **master_desc,
> *master_desc = strsep(&datablob, " \t");
> if (!*master_desc)
> goto out;
> - *decrypted_datalen = strsep(&datablob, " \t");
> - if (!*decrypted_datalen)
> - goto out;
> +
> + if (decrypted_datalen) {
> + *decrypted_datalen = strsep(&datablob, " \t");
> + if (!*decrypted_datalen)
> + goto out;
> + }
>
> switch (key_cmd) {
> case Opt_new:
> case Opt_NEW:
> + if (!decrypted_datalen)
> + break;
> ret = 0;
> break;
> case Opt_load:
> case Opt_LOAD:
> + if (!decrypted_datalen)
> + break;
> *hex_encoded_iv = strsep(&datablob, " \t");
> if (!*hex_encoded_iv)
> break;
> *hex_encoded_data = *hex_encoded_iv + (2 * ivsize) + 2;
> ret = 0;
> break;
> + case Opt_update:
> + case Opt_UPDATE:
> + if (decrypted_datalen)
> + break;
> + ret = 0;
> + break;
> case Opt_err:
> break;
> }
> @@ -647,11 +664,9 @@ static int encrypted_update(struct key *key, const void *data, size_t datalen)
> return -ENOMEM;
>
> memcpy(buf, data, datalen);
> - new_master_desc = strsep(&buf, " \t");
> - if (!*new_master_desc) {
> - ret = -EINVAL;
> + ret = datablob_parse(buf, &new_master_desc, NULL, NULL, NULL);
> + if (ret < 0)
> goto out;
> - }
>
> new_epayload = encrypted_key_alloc(key, new_master_desc,
> epayload->datalen);