27 Jun, 2011

1 commit

  • This patch introduces a new parameter, called 'format', that defines the
    format of data stored by encrypted keys. The 'default' format identifies
    encrypted keys containing only the symmetric key, while other formats can
    be defined to support additional information. The 'format' parameter is
    written in the datablob produced by commands 'keyctl print' or
    'keyctl pipe' and is integrity protected by the HMAC.

    Signed-off-by: Roberto Sassu
    Acked-by: Gianluca Ramunno
    Acked-by: David Howells
    Signed-off-by: Mimi Zohar

    Roberto Sassu

30 Mar, 2011

1 commit

03 Mar, 2011

1 commit

  • commit 339412841d7 (RxRPC: Allow key payloads to be passed in XDR form)
    broke klog for me. I notice the v1 key struct had a kif_version field

    -struct rxkad_key {
    - u16 security_index; /* RxRPC header security index */
    - u16 ticket_len; /* length of ticket[] */
    - u32 expiry; /* time at which expires */
    - u32 kvno; /* key version number */
    - u8 session_key[8]; /* DES session key */
    - u8 ticket[0]; /* the encrypted ticket */

    +struct rxrpc_key_data_v1 {
    + u32 kif_version; /* 1 */
    + u16 security_index;
    + u16 ticket_length;
    + u32 expiry; /* time_t */
    + u32 kvno;
    + u8 session_key[8];
    + u8 ticket[0];

    However the code in rxrpc_instantiate strips it away:

    data += sizeof(kver);
    datalen -= sizeof(kver);

    Removing kif_version fixes my problem.

    Signed-off-by: Anton Blanchard
    Signed-off-by: David Howells
    Signed-off-by: David S. Miller

    Anton Blanchard

29 Nov, 2010

2 commits

  • Define a new kernel key-type called 'encrypted'. Encrypted keys are kernel
    generated random numbers, which are encrypted/decrypted with a 'trusted'
    symmetric key. Encrypted keys are created/encrypted/decrypted in the kernel.
    Userspace only ever sees/stores encrypted blobs.

    - bug fix: replaced master-key rcu based locking with semaphore
    (reported by David Howells)
    - Removed memset of crypto_shash_digest() digest output
    - Replaced verification of 'key-type:key-desc' using strcspn(), with
    one based on string constants.
    - Moved documentation to Documentation/keys-trusted-encrypted.txt
    - Replace hash with shash (based on comments by David Howells)
    - Make lengths/counts size_t where possible (based on comments by David Howells)
    Could not convert most lengths, as crypto expects 'unsigned int'
    (size_t: on 32 bit is defined as unsigned int, but on 64 bit is unsigned long)
    - Add 'const' where possible (based on comments by David Howells)
    - allocate derived_buf dynamically to support arbitrary length master key
    (fixed by Roberto Sassu)
    - wait until late_initcall for crypto libraries to be registered
    - cleanup security/Kconfig
    - Add missing 'update' keyword (reported/fixed by Roberto Sassu)
    - Free epayload on failure to create key (reported/fixed by Roberto Sassu)
    - Increase the data size limit (requested by Roberto Sassu)
    - Crypto return codes are always 0 on success and negative on failure,
    remove unnecessary tests.
    - Replaced kzalloc() with kmalloc()

    Signed-off-by: Mimi Zohar
    Signed-off-by: David Safford
    Reviewed-by: Roberto Sassu
    Signed-off-by: James Morris

    Mimi Zohar
  • Define a new kernel key-type called 'trusted'. Trusted keys are random
    number symmetric keys, generated and RSA-sealed by the TPM. The TPM
    only unseals the keys, if the boot PCRs and other criteria match.
    Userspace can only ever see encrypted blobs.

    Based on suggestions by Jason Gunthorpe, several new options have been
    added to support additional usages.

    The new options are:
    migratable= designates that the key may/may not ever be updated
    (resealed under a new key, new pcrinfo or new auth.)

    pcrlock=n extends the designated PCR 'n' with a random value,
    so that a key sealed to that PCR may not be unsealed
    again until after a reboot.

    keyhandle= specifies the sealing/unsealing key handle.

    keyauth= specifies the sealing/unsealing key auth.

    blobauth= specifies the sealed data auth.

    Implementation of a kernel reserved locality for trusted keys will be
    investigated for a possible future extension.

    - Updated and added examples to Documentation/keys-trusted-encrypted.txt
    - Moved generic TPM constants to include/linux/tpm_command.h
    (David Howell's suggestion.)
    - trusted_defined.c: replaced kzalloc with kmalloc, added pcrlock failure
    error handling, added const qualifiers where appropriate.
    - moved to late_initcall
    - updated from hash to shash (suggestion by David Howells)
    - reduced worst stack usage (tpm_seal) from 530 to 312 bytes
    - moved documentation to Documentation directory (suggestion by David Howells)
    - all the other code cleanups suggested by David Howells
    - Add pcrlock CAP_SYS_ADMIN dependency (based on comment by Jason Gunthorpe)
    - New options: migratable, pcrlock, keyhandle, keyauth, blobauth (based on
    discussions with Jason Gunthorpe)
    - Free payload on failure to create key(reported/fixed by Roberto Sassu)
    - Updated Kconfig and other descriptions (based on Serge Hallyn's suggestion)
    - Replaced kzalloc() with kmalloc() (reported by Serge Hallyn)

    Signed-off-by: David Safford
    Signed-off-by: Mimi Zohar
    Signed-off-by: James Morris

    Mimi Zohar

06 Aug, 2010

1 commit

  • Separate out the DNS resolver key type from the CIFS filesystem into its own
    module so that it can be made available for general use, including the AFS
    filesystem module.

    This facility makes it possible for the kernel to upcall to userspace to have
    it issue DNS requests, package up the replies and present them to the kernel
    in a useful form. The kernel is then able to cache the DNS replies as keys
    can be retained in keyrings.

    Resolver keys are of type "dns_resolver" and have a case-insensitive
    description that is of the form "[:]". The optional
    indicates the particular DNS lookup and packaging that's required. The
    is the query to be made.

    If isn't given, a basic hostname to IP address lookup is made, and the
    result is stored in the key in the form of a printable string consisting of a
    comma-separated list of IPv4 and IPv6 addresses.

    This key type is supported by userspace helpers driven from /sbin/request-key
    and configured through /etc/request-key.conf. The cifs.upcall utility is
    invoked for UNC path server name to IP address resolution.

    The CIFS functionality is encapsulated by the dns_resolve_unc_to_ip() function,
    which is used to resolve a UNC path to an IP address for CIFS filesystem. This
    part remains in the CIFS module for now.

    See the added Documentation/networking/dns_resolver.txt for more information.

    Signed-off-by: Wang Lei
    Signed-off-by: David Howells
    Acked-by: Jeff Layton
    Signed-off-by: Steve French

    Wang Lei

16 Sep, 2009

1 commit

15 Sep, 2009

2 commits

14 Nov, 2008

1 commit

22 Apr, 2008

1 commit

17 Oct, 2007

1 commit

  • Make request_key() and co fundamentally asynchronous to make it easier for
    NFS to make use of them. There are now accessor functions that do
    asynchronous constructions, a wait function to wait for construction to
    complete, and a completion function for the key type to indicate completion
    of construction.

    Note that the construction queue is now gone. Instead, keys under
    construction are linked in to the appropriate keyring in advance, and that
    anyone encountering one must wait for it to be complete before they can use
    it. This is done automatically for userspace.

    The following auxiliary changes are also made:

    (1) Key type implementation stuff is split from linux/key.h into

    (2) AF_RXRPC provides a way to allocate null rxrpc-type keys so that AFS does
    not need to call key_instantiate_and_link() directly.

    (3) Adjust the debugging macros so that they're -Wformat checked even if
    they are disabled, and make it so they can be enabled simply by defining
    __KDEBUG to be consistent with other code of mine.

    (3) Documentation.

    [alan@lxorguk.ukuu.org.uk: keys: missing word in documentation]
    Signed-off-by: David Howells
    Signed-off-by: Alan Cox
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    David Howells

27 Apr, 2007

1 commit

  • Provide AF_RXRPC sockets that can be used to talk to AFS servers, or serve
    answers to AFS clients. KerberosIV security is fully supported. The patches
    and some example test programs can be found in:


    This will eventually replace the old implementation of kernel-only RxRPC
    currently resident in net/rxrpc/.

    Signed-off-by: David Howells
    Signed-off-by: David S. Miller

    David Howells

27 Jun, 2006

1 commit

  • Cause the keys linked to a keyring to be unlinked from it when revoked and it
    causes the data attached to a user-defined key to be discarded when revoked.

    This frees up most of the quota a key occupied at that point, rather than
    waiting for the key to actually be destroyed.

    Signed-off-by: David Howells
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    David Howells

07 Jan, 2006

1 commit

31 Oct, 2005

1 commit

  • Export user-defined key operations so that those who wish to define their
    own key type based on the user-defined key operations may do so (as has
    been requested).

    The header file created has been placed into include/keys/user-type.h, thus
    creating a directory where other key types may also be placed. Any
    objections to doing this?

    Signed-Off-By: David Howells
    Signed-Off-By: Arjan van de Ven
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    David Howells