Add keyctl commands and library functions to handle the setting and removal
of watches on keys for notifications of change events. Five keyctl
commands are defined:

 (1) keyctl watch <key>

     Watch the specified key for changes, logging notifications to stdout.

 (2) keyctl watch_session [-n <name>] <notifylog> <gclog> <fd> prog [<arg>...]

     Create a new session keyring and attach a watch to it that an
     auxiliary logging process monitors. The nominated program is run with
     the session program with the arguments given.

     The session keyring can be given a name. The logging process will log
     synchronous events to file notifylog and asynchronous events to file
     gclog.

     The specified file descriptor will be attached to the watch_queue and
     left open across the exec. This can be made use of by the next few
     commands.

 (3) keyctl watch_add <fd> <key>
 (4) keyctl watch_rm <fd> <key>

     Add/remove a watch on the specified key to/from the given watch_queue
     derived from watch_session.

 (5) keyctl watch_sync <fd>

     Wait for the logging process that's watching the given watch_queue to
     synchronise.

Commands (2) to (5) are primarily provided for the testsuite's purposes.

Signed-off-by: David Howells <dhowells@redhat.com>
This reverts commit 1aafbdcf1d60c5c9eb34fe404f9a9195c8ea415e which was from
the wrong branch and expects /dev/watch_queue to be available.

Signed-off-by: David Howells <dhowells@redhat.com>
Add keyctl commands and library functions to handle the setting and removal
of watches on keys for notifications of change events. Five keyctl
commands are defined:

 (1) keyctl watch <key>

     Watch the specified key for changes, logging notifications to stdout.

 (2) keyctl watch_session [-n <name>] <notifylog> <gclog> <fd> prog [<arg>...]

     Create a new session keyring and attach a watch to it that an
     auxiliary logging process monitors. The nominated program is run with
     the session program with the arguments given.

     The session keyring can be given a name. The logging process will log
     synchronous events to file notifylog and asynchronous events to file
     gclog.

     The specified file descriptor will be attached to the watch_queue and
     left open across the exec. This can be made use of by the next few
     commands.

 (3) keyctl watch_add <fd> <key>
 (4) keyctl watch_rm <fd> <key>

     Add/remove a watch on the specified key to/from the given watch_queue
     derived from watch_session.

 (5) keyctl watch_sync <fd>

     Wait for the logging process that's watching the given watch_queue to
     synchronise.

Commands (2) to (5) are primarily provided for the testsuite's purposes.

Signed-off-by: David Howells <dhowells@redhat.com>
Open API version KEYUTILS_1.10 in the shared library.

Signed-off-by: David Howells <dhowells@redhat.com>
Provide the ability to query the capabilities of the keyrings subsystem.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Add encryption, decryption, signature creation and signature verification
public key operations. Example usage:

    j=`openssl pkcs8 -in ~/pkcs7/firmwarekey2.priv -topk8 -nocrypt -outform DER | \
        keyctl padd asymmetric foo @s`
    echo -n abcdefghijklmnopqrst >/tmp/data
    keyctl pkey_encrypt $j 0 /tmp/data enc=pkcs1 >/tmp/enc
    keyctl pkey_decrypt $j 0 /tmp/enc enc=pkcs1 >/tmp/dec
    cmp /tmp/data /tmp/dec
    keyctl pkey_sign $j 0 /tmp/data enc=pkcs1 hash=sha1 >/tmp/sig
    keyctl pkey_verify $j 0 /tmp/data /tmp/sig enc=pkcs1 hash=sha1

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-and-tested-by: Denis Kenzior <denkenz@gmail.com>
The dh_compute code now allows the following options:

 - no KDF support / output of raw DH shared secret:

       dh_compute <private> <prime> <base>

 - KDF support without "other information" string:

       dh_compute_kdf <private> <prime> <base> <output length> <hash_type>

 - KDF support with "other information" string:

       dh_compute_kdf_oi <private> <prime> <base> <output length> <hash_type>

   where the OI string is provided on STDIN.

The test to verify the code is based on a test vector used for the CAVS
testing of SP800-56A.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
New symbols go into the libkeyutils.so.1.7 API.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
New symbols should go in a new library minor version, so move
keyctl_get_persistent and find_key_by_type_and_desc to 1.5.

Reported-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Add a function to find a key by its type and name, even if the key is not in
the process's thread, process or session keyrings (i.e. it is not 'possessed'
by the process).

This looks in two places:

 (1) Firstly, it looks in the process's attached keyrings so that possessed
     keys are prioritised over non-possessed keys.

 (2) Secondly, it scans /proc/keys, looking for a key matching the name. It
     uses keyctl_describe() to check the name because the key description in
     /proc/keys may have extra information appended by the type - but this
     cannot be distinguished from keys that have stuff that looks like the
     extra information embedded in the description.

Signed-off-by: David Howells <dhowells@redhat.com>
Add a pair of depth-first recursive key scanning functions to the library.

The first applies the named function to all the accessible keys in the keyring
tree rooted at key:

    int recursive_key_scan(key_serial_t key,
                           recursive_key_scanner_t func,
                           void *data);

The second is the same as the first, with the calling process's session
keyring as the root keyring:

    int recursive_key_session_scan(recursive_key_scanner_t func,
                                   void *data);

Both functions take a pointer to a callback function to be applied and a data
item to pass to it. The callback function should fit the following template:

    typedef int (*recursive_key_scanner_t)(
        key_serial_t parent, key_serial_t key,
        char *desc, int desc_len,
        void *data);

The parameters are: the keyring currently being scanned (parent); the key
linked to by the current slot in that keyring (key); the raw description of
that key (desc) as fetched by keyctl_describe or NULL if it couldn't be
fetched; the length of the raw description (desc_len) or -1 if
keyctl_describe_alloc() returned an error; and the data passed to whichever
scanning function was called.

Keyrings must grant View and Read permission to be iterated through. Target
keys need not grant any permissions to have the callback function applied.

The return value of the scanning functions is the sum of the return values of
the callback function applied to each key. Errors are ignored.

Signed-off-by: David Howells <dhowells@redhat.com>
Support the keyctl op to instantiate a key from payload data in an iovec rather
than a flat buffer, providing it as keyctl_instantiate_iov().

Signed-off-by: David Howells <dhowells@redhat.com>
Support the negate key with specific rejection error keyctl op, providing it
as keyctl_reject().

Signed-off-by: David Howells <dhowells@redhat.com>
Move to version 1.3, including versioning the new functions in the library.

Signed-off-by: David Howells <dhowells@redhat.com>
- Add build dependency on glibc-kernheaders with key management syscall
- Add data pipe-in facility for keyctl request2
- Rename library and header file "keyutil" -> "keyutils" for consistency
- Fix shared library version naming to same way as glibc.
- Add versioning for shared library symbols
- Create new keyutils-libs package and install library and main symlink there
- Install base library symlink in /usr/lib and place in devel package
- Added a keyutils archive library
- Shorten displayed key permissions list to just those we actually have
- Add data pipe-in facilities for keyctl add, update and instantiate