This patch adds the UPDATE keyword for encrypted key types: prevents updating existent keys if UPDATE is missing and creating new keys when UPDATE is specified.
Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxx>
---
security/keys/encrypted_defined.c | 31 +++++++++++++++++++++++--------
1 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/security/keys/encrypted_defined.c b/security/keys/encrypted_defined.c
index 6b26db6..54c0f0f 100644
--- a/security/keys/encrypted_defined.c
+++ b/security/keys/encrypted_defined.c
@@ -64,7 +64,8 @@ static int aes_get_sizes(int *ivsize, int *blksize)
 }
 
 enum {
- Opt_err = -1, Opt_new = 1, Opt_load, Opt_NEW, Opt_LOAD
+ Opt_err = -1, Opt_new = 1, Opt_load,
+ Opt_update, Opt_NEW, Opt_LOAD, Opt_UPDATE
 };
 
 static match_table_t key_tokens = {
@@ -72,6 +73,8 @@ static match_table_t key_tokens = {
 {Opt_NEW, "NEW"},
 {Opt_load, "load"},
 {Opt_LOAD, "LOAD"},
+ {Opt_update, "update"},
+ {Opt_UPDATE, "UPDATE"},
 {Opt_err, NULL}
 };
 
@@ -81,6 +84,7 @@ static match_table_t key_tokens = {
 * datablob format:
 * NEW <master-key name> <decrypted data length>
 * LOAD <master-key name> <decrypted data length> <encrypted iv + data>
+ * UPDATE <new-master-key name>
 *
 * Tokenizes a copy of the keyctl data, returning a pointer to each token,
 * which is null terminated.
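Review bot: The new `UPDATE <new-master-key name>` line documents the blob format but not how datablob_parse() decides which keywords are acceptable, which is the contract the later hunks depend on: the update path passes NULL for decrypted_datalen, hex_encoded_iv and hex_encoded_data, and in that mode only UPDATE is accepted, while NEW/LOAD are accepted only when all three are supplied. A sentence in this comment block, e.g. `* decrypted_datalen == NULL selects update mode: only UPDATE is accepted; otherwise only NEW/LOAD are.`, would make it visible to the next reader why a NULL out-parameter changes which keywords are valid. The comment block continues past the end of the hunk.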
@@ -104,23 +108,36 @@ static int datablob_parse(char *datablob, char **master_desc,
 *master_desc = strsep(&datablob, " \t");
 if (!*master_desc)
 goto out;
- *decrypted_datalen = strsep(&datablob, " \t");
- if (!*decrypted_datalen)
- goto out;
+
+ if (decrypted_datalen) {
+ *decrypted_datalen = strsep(&datablob, " \t");
+ if (!*decrypted_datalen)
+ goto out;
+ }
 
 switch (key_cmd) {
 case Opt_new:
 case Opt_NEW:
+ if (!decrypted_datalen)
+ break;
 ret = 0;
 break;
 case Opt_load:
 case Opt_LOAD:
+ if (!decrypted_datalen)
+ break;
 *hex_encoded_iv = strsep(&datablob, " \t");
 if (!*hex_encoded_iv)
 break;
 *hex_encoded_data = *hex_encoded_iv + (2 * ivsize) + 2;
 ret = 0;
 break;
+ case Opt_update:
+ case Opt_UPDATE:
+ if (decrypted_datalen)
+ break;
+ ret = 0;
+ break;
 case Opt_err:
 break;
 }
@@ -647,11 +664,9 @@ static int encrypted_update(struct key *key, const void *data, size_t datalen)
 return -ENOMEM;
 memcpy(buf, data, datalen);
 
- new_master_desc = strsep(&buf, " \t");
- if (!*new_master_desc) {
- ret = -EINVAL;
+ ret = datablob_parse(buf, &new_master_desc, NULL, NULL, NULL);
+ if (ret < 0)
 goto out;
- }
 
 new_epayload = encrypted_key_alloc(key, new_master_desc,
 epayload->datalen);
-- 
1.7.2.3
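Review bot: The mode selection inside the switch is implicit and fragile: the `if (!decrypted_datalen) break;` guards in the Opt_new/Opt_NEW and Opt_load/Opt_LOAD cases and the mirrored `if (decrypted_datalen) break;` in Opt_update/Opt_UPDATE all fall out with `ret` still at whatever it was initialized to (presumably an -EINVAL set above the hunk), so a rejected keyword is indistinguishable from a malformed blob, and the Opt_load dereference of `*hex_encoded_iv` is safe only because a caller passing NULL for decrypted_datalen also passes NULL for hex_encoded_iv and hex_encoded_data, as encrypted_update() does in the following hunk. A comment above the switch, `/* decrypted_datalen == NULL: called from encrypted_update(), only UPDATE is valid here */`, would record that coupling, and the three guards could be hoisted into a single keyword-versus-mode check before the switch so the cases only parse. The initialization of ret, the keyword matching and the `out:` label of datablob_parse() are outside the hunk, as is the allocation of buf in encrypted_update(), which must leave it NUL-terminated for the strsep() tokenizing now done through datablob_parse().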