From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Alasdair Kergon <agk@redhat.com>,
Mike Snitzer <snitzer@redhat.com>,
dm-devel@redhat.com, Song Liu <song@kernel.org>,
Richard Weinberger <richard@nod.at>
Cc: kernel@pengutronix.de, Ahmad Fatoum <a.fatoum@pengutronix.de>,
linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org,
keyrings@vger.kernel.org, linux-mtd@lists.infradead.org,
linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org
Subject: [RFC PATCH v1 2/4] dm: crypt: use new key_extract_material helper
Date: Thu, 22 Jul 2021 11:18:00 +0200 [thread overview]
Message-ID: <7ac4a9ae0a3c2dfdf41611f3fe78fe63a6e57b94.1626945419.git-series.a.fatoum@pengutronix.de> (raw)
In-Reply-To: <cover.b2fdd70b830d12853b12a12e32ceb0c8162c1346.1626945419.git-series.a.fatoum@pengutronix.de>
There is a common function now to extract key material out of a few
different key types, which includes all types currently supported by
dm-crypt. Make use of it.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
To: David Howells <dhowells@redhat.com>
To: Jarkko Sakkinen <jarkko@kernel.org>
To: James Morris <jmorris@namei.org>
To: "Serge E. Hallyn" <serge@hallyn.com>
To: Alasdair Kergon <agk@redhat.com>
To: Mike Snitzer <snitzer@redhat.com>
To: dm-devel@redhat.com
To: Song Liu <song@kernel.org>
To: Richard Weinberger <richard@nod.at>
Cc: linux-kernel@vger.kernel.org
Cc: linux-raid@vger.kernel.org
Cc: keyrings@vger.kernel.org
Cc: linux-mtd@lists.infradead.org
Cc: linux-security-module@vger.kernel.org
Cc: linux-integrity@vger.kernel.org
---
drivers/md/dm-crypt.c | 65 ++++++--------------------------------------
1 file changed, 9 insertions(+), 56 deletions(-)
diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
index 50f4cbd600d5..576d6b7ce231 100644
--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -2421,61 +2421,14 @@ static bool contains_whitespace(const char *str)
return false;
}
-static int set_key_user(struct crypt_config *cc, struct key *key)
-{
- const struct user_key_payload *ukp;
-
- ukp = user_key_payload_locked(key);
- if (!ukp)
- return -EKEYREVOKED;
-
- if (cc->key_size != ukp->datalen)
- return -EINVAL;
-
- memcpy(cc->key, ukp->data, cc->key_size);
-
- return 0;
-}
-
-static int set_key_encrypted(struct crypt_config *cc, struct key *key)
-{
- const struct encrypted_key_payload *ekp;
-
- ekp = key->payload.data[0];
- if (!ekp)
- return -EKEYREVOKED;
-
- if (cc->key_size != ekp->decrypted_datalen)
- return -EINVAL;
-
- memcpy(cc->key, ekp->decrypted_data, cc->key_size);
-
- return 0;
-}
-
-static int set_key_trusted(struct crypt_config *cc, struct key *key)
-{
- const struct trusted_key_payload *tkp;
-
- tkp = key->payload.data[0];
- if (!tkp)
- return -EKEYREVOKED;
-
- if (cc->key_size != tkp->key_len)
- return -EINVAL;
-
- memcpy(cc->key, tkp->key, cc->key_size);
-
- return 0;
-}
-
static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string)
{
char *new_key_string, *key_desc;
int ret;
+ unsigned int len;
struct key_type *type;
struct key *key;
- int (*set_key)(struct crypt_config *cc, struct key *key);
+ const void *key_material;
/*
* Reject key_string with whitespace. dm core currently lacks code for
@@ -2493,18 +2446,14 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string
if (!strncmp(key_string, "logon:", key_desc - key_string + 1)) {
type = &key_type_logon;
- set_key = set_key_user;
} else if (!strncmp(key_string, "user:", key_desc - key_string + 1)) {
type = &key_type_user;
- set_key = set_key_user;
} else if (IS_ENABLED(CONFIG_ENCRYPTED_KEYS) &&
!strncmp(key_string, "encrypted:", key_desc - key_string + 1)) {
type = &key_type_encrypted;
- set_key = set_key_encrypted;
} else if (IS_ENABLED(CONFIG_TRUSTED_KEYS) &&
!strncmp(key_string, "trusted:", key_desc - key_string + 1)) {
type = &key_type_trusted;
- set_key = set_key_trusted;
} else {
return -EINVAL;
}
@@ -2521,14 +2470,18 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string
down_read(&key->sem);
- ret = set_key(cc, key);
- if (ret < 0) {
+ key_material = key_extract_material(key, &len);
+ if (!IS_ERR(key_material) && len != cc->key_size)
+ key_material = ERR_PTR(-EINVAL);
+ if (IS_ERR(key_material)) {
up_read(&key->sem);
key_put(key);
kfree_sensitive(new_key_string);
- return ret;
+ return PTR_ERR(key_material);
}
+ memcpy(cc->key, key_material, len);
+
up_read(&key->sem);
key_put(key);
--
git-series 0.9.1
next prev parent reply other threads:[~2021-07-22 9:18 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-22 9:17 [RFC PATCH v1 0/4] keys: introduce key_extract_material helper Ahmad Fatoum
2021-07-22 9:17 ` [RFC PATCH v1 1/4] " Ahmad Fatoum
2021-07-22 9:18 ` Ahmad Fatoum [this message]
2021-07-22 9:18 ` [RFC PATCH v1 3/4] ubifs: auth: remove never hit key type error check Ahmad Fatoum
2021-07-22 9:18 ` [RFC PATCH v1 4/4] ubifs: auth: consult encrypted and trusted keys if no logon key was found Ahmad Fatoum
2021-08-06 10:53 ` [RFC PATCH v1 0/4] keys: introduce key_extract_material helper Ahmad Fatoum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7ac4a9ae0a3c2dfdf41611f3fe78fe63a6e57b94.1626945419.git-series.a.fatoum@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=agk@redhat.com \
--cc=dhowells@redhat.com \
--cc=dm-devel@redhat.com \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=kernel@pengutronix.de \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=linux-raid@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=richard@nod.at \
--cc=serge@hallyn.com \
--cc=snitzer@redhat.com \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).