summaryrefslogtreecommitdiffstats
path: root/cipher-acss.c
blob: a95fa674781efb0009e8fc858092b845988ae44f (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

/*
 * Copyright (c) 2004 The OpenBSD project
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include "includes.h"
#include <openssl/evp.h>

RCSID("$Id: cipher-acss.c,v 1.3 2005/07/17 07:04:47 djm Exp $");

#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)

#include "acss.h"

#define data(ctx) ((EVP_ACSS_KEY *)(ctx)->cipher_data)

typedef struct {
	ACSS_KEY ks;
} EVP_ACSS_KEY;

#define EVP_CTRL_SET_ACSS_MODE          0xff06
#define EVP_CTRL_SET_ACSS_SUBKEY        0xff07

static int
acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
    const unsigned char *iv, int enc)
{
	acss_setkey(&data(ctx)->ks,key,enc,ACSS_DATA);
	return 1;
}

static int
acss_ciph(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
    unsigned int inl)
{
	acss(&data(ctx)->ks,inl,in,out);
	return 1;
}

static int
acss_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
{
	switch(type) {
	case EVP_CTRL_SET_ACSS_MODE:
		data(ctx)->ks.mode = arg;
		return 1;
	case EVP_CTRL_SET_ACSS_SUBKEY:
		acss_setsubkey(&data(ctx)->ks,(unsigned char *)ptr);
		return 1;
	default:
		return -1;
	}
}

const EVP_CIPHER *
evp_acss(void)
{
	static EVP_CIPHER acss_cipher;

	memset(&acss_cipher, 0, sizeof(EVP_CIPHER));

	acss_cipher.nid = NID_undef;
	acss_cipher.block_size = 1;
	acss_cipher.key_len = 5;
	acss_cipher.init = acss_init_key;
	acss_cipher.do_cipher = acss_ciph;
	acss_cipher.ctx_size = sizeof(EVP_ACSS_KEY);
	acss_cipher.ctrl = acss_ctrl;

	return (&acss_cipher);
}
#endif
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-08 18:15:56 +0000
">); return ERR_PTR(rc); } if (type == EVM_XATTR_HMAC) { rc = crypto_shash_setkey(*tfm, evmkey, evmkey_len); if (rc) { crypto_free_shash(*tfm); *tfm = NULL; mutex_unlock(&mutex); return ERR_PTR(rc); } } out: mutex_unlock(&mutex); } desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(*tfm), GFP_KERNEL); if (!desc) return ERR_PTR(-ENOMEM); desc->tfm = *tfm; desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; rc = crypto_shash_init(desc); if (rc) { kfree(desc); return ERR_PTR(rc); } return desc; } /* Protect against 'cutting & pasting' security.evm xattr, include inode * specific info. * * (Additional directory/file metadata needs to be added for more complete * protection.) */ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode, char *digest) { struct h_misc { unsigned long ino; __u32 generation; uid_t uid; gid_t gid; umode_t mode; } hmac_misc; memset(&hmac_misc, 0, sizeof hmac_misc); hmac_misc.ino = inode->i_ino; hmac_misc.generation = inode->i_generation; hmac_misc.uid = from_kuid(&init_user_ns, inode->i_uid); hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid); hmac_misc.mode = inode->i_mode; crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof hmac_misc); crypto_shash_final(desc, digest); } /* * Calculate the HMAC value across the set of protected security xattrs. * * Instead of retrieving the requested xattr, for performance, calculate * the hmac using the requested xattr value. Don't alloc/free memory for * each xattr, but attempt to re-use the previously allocated memory. */ static int evm_calc_hmac_or_hash(struct dentry *dentry, const char *req_xattr_name, const char *req_xattr_value, size_t req_xattr_value_len, char type, char *digest) { struct inode *inode = dentry->d_inode; struct shash_desc *desc; char **xattrname; size_t xattr_size = 0; char *xattr_value = NULL; int error; int size; if (!inode->i_op || !inode->i_op->getxattr) return -EOPNOTSUPP; desc = init_desc(type); if (IS_ERR(desc)) return PTR_ERR(desc); error = -ENODATA; for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { if ((req_xattr_name && req_xattr_value) && !strcmp(*xattrname, req_xattr_name)) { error = 0; crypto_shash_update(desc, (const u8 *)req_xattr_value, req_xattr_value_len); continue; } size = vfs_getxattr_alloc(dentry, *xattrname, &xattr_value, xattr_size, GFP_NOFS); if (size == -ENOMEM) { error = -ENOMEM; goto out; } if (size < 0) continue; error = 0; xattr_size = size; crypto_shash_update(desc, (const u8 *)xattr_value, xattr_size); } hmac_add_misc(desc, inode, digest); out: kfree(xattr_value); kfree(desc); return error; } int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name, const char *req_xattr_value, size_t req_xattr_value_len, char *digest) { return evm_calc_hmac_or_hash(dentry, req_xattr_name, req_xattr_value, req_xattr_value_len, EVM_XATTR_HMAC, digest); } int evm_calc_hash(struct dentry *dentry, const char *req_xattr_name, const char *req_xattr_value, size_t req_xattr_value_len, char *digest) { return evm_calc_hmac_or_hash(dentry, req_xattr_name, req_xattr_value, req_xattr_value_len, IMA_XATTR_DIGEST, digest); } /* * Calculate the hmac and update security.evm xattr * * Expects to be called with i_mutex locked. */ int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name, const char *xattr_value, size_t xattr_value_len) { struct inode *inode = dentry->d_inode; struct evm_ima_xattr_data xattr_data; int rc = 0; rc = evm_calc_hmac(dentry, xattr_name, xattr_value, xattr_value_len, xattr_data.digest); if (rc == 0) { xattr_data.type = EVM_XATTR_HMAC; rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_EVM, &xattr_data, sizeof(xattr_data), 0); } else if (rc == -ENODATA && inode->i_op->removexattr) { rc = inode->i_op->removexattr(dentry, XATTR_NAME_EVM); } return rc; } int evm_init_hmac(struct inode *inode, const struct xattr *lsm_xattr, char *hmac_val) { struct shash_desc *desc; desc = init_desc(EVM_XATTR_HMAC); if (IS_ERR(desc)) { printk(KERN_INFO "init_desc failed\n"); return PTR_ERR(desc); } crypto_shash_update(desc, lsm_xattr->value, lsm_xattr->value_len); hmac_add_misc(desc, inode, hmac_val); kfree(desc); return 0; } /* * Get the key from the TPM for the SHA1-HMAC */ int evm_init_key(void) { struct key *evm_key; struct encrypted_key_payload *ekp; int rc = 0; evm_key = request_key(&key_type_encrypted, EVMKEY, NULL); if (IS_ERR(evm_key)) return -ENOENT; down_read(&evm_key->sem); ekp = evm_key->payload.data; if (ekp->decrypted_datalen > MAX_KEY_SIZE) { rc = -EINVAL; goto out; } memcpy(evmkey, ekp->decrypted_data, ekp->decrypted_datalen); out: /* burn the original key contents */ memset(ekp->decrypted_data, 0, ekp->decrypted_datalen); up_read(&evm_key->sem); key_put(evm_key); return rc; }
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-08 18:15:55 +0000