Message-ID: <20200818154230.14016-15-krzysztof.struczynski@huawei.com>
Date:   Tue, 18 Aug 2020 17:42:24 +0200
From:   <krzysztof.struczynski@...wei.com>
To:     <linux-integrity@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        <containers@...ts.linux-foundation.org>,
        <linux-security-module@...r.kernel.org>
CC:     <zohar@...ux.ibm.com>, <stefanb@...ux.vnet.ibm.com>,
        <sunyuqiong1988@...il.com>, <mkayaalp@...binghamton.edu>,
        <dmitry.kasatkin@...il.com>, <serge@...lyn.com>,
        <jmorris@...ei.org>, <christian@...uner.io>,
        <silviu.vlasceanu@...wei.com>, <roberto.sassu@...wei.com>,
        Krzysztof Struczynski <krzysztof.struczynski@...wei.com>
Subject: [RFC PATCH 24/30] keys: Include key domain tag in the iterative search

From: Krzysztof Struczynski <krzysztof.struczynski@...wei.com>

Add domain tag to the key_match_data. If set, check domain tag in the
default match function and asymmetric keys match functions.

This allows the key domain tag to be used in the search criteria for
the iterative search, not only for the direct lookup that is based on
the index key.

Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@...wei.com>
---
 crypto/asymmetric_keys/asymmetric_type.c | 20 ++++++++++++++++----
 include/linux/key-type.h                 |  1 +
 security/keys/keyring.c                  | 10 +++++++++-
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c
index 33e77d846caa..177429bc5c7b 100644
--- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c
@@ -249,9 +249,15 @@ static bool asymmetric_key_cmp(const struct key *key,
 {
 	const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
 	const struct asymmetric_key_id *match_id = match_data->preparsed;
+	bool match;
 
-	return asymmetric_match_key_ids(kids, match_id,
-					asymmetric_key_id_same);
+	match = asymmetric_match_key_ids(kids, match_id,
+					 asymmetric_key_id_same);
+
+	if (match_data->domain_tag)
+		match &= key->index_key.domain_tag == match_data->domain_tag;
+
+	return match;
 }
 
 /*
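Review bot: The domain-tag filter in asymmetric_key_cmp() is written as `match &= key->index_key.domain_tag == match_data->domain_tag;`, and the same lines are repeated in asymmetric_key_cmp_partial() and key_default_cmp(). A bitwise `&=` on a bool works, but it reads less clearly than a guard and the three copies can drift apart. A small shared helper, or an early `if (match_data->domain_tag && key->index_key.domain_tag != match_data->domain_tag) return false;` placed before the ID comparison, would keep the check in one form and skip the costlier match for keys in the wrong domain. The function signature starts outside the hunk.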
@@ -262,9 +268,15 @@ static bool asymmetric_key_cmp_partial(const struct key *key,
 {
 	const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
 	const struct asymmetric_key_id *match_id = match_data->preparsed;
+	bool match;
+
+	match = asymmetric_match_key_ids(kids, match_id,
+					 asymmetric_key_id_partial);
+
+	if (match_data->domain_tag)
+		match &= key->index_key.domain_tag == match_data->domain_tag;
 
-	return asymmetric_match_key_ids(kids, match_id,
-					asymmetric_key_id_partial);
+	return match;
 }
 
 /*
diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index 2ab2d6d6aeab..c8ea26ab242c 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -55,6 +55,7 @@ struct key_match_data {
 	unsigned	lookup_type;	/* Type of lookup for this search. */
 #define KEYRING_SEARCH_LOOKUP_DIRECT	0x0000	/* Direct lookup by description. */
 #define KEYRING_SEARCH_LOOKUP_ITERATE	0x0001	/* Iterative search. */
+	struct key_tag  *domain_tag;    /* Key domain tag */
 };
 
 /*
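Review bot: The comment on the new `domain_tag` member does not say that NULL means "do not filter by domain", which is what the cmp functions changed in this patch rely on. A reader adding a new caller would not learn that leaving it unset matches keys from every domain, so I suggest `/* Key domain tag to match; NULL matches any domain */`. The line is also aligned with spaces where the neighbouring members use tabs. Any caller that builds a key_match_data without zero-initialising it would now hand an indeterminate pointer to the cmp functions; those call sites are not visible here, so this is worth confirming.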
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 12583241ff63..7e45e534035f 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -565,7 +565,13 @@ int restrict_link_reject(struct key *keyring,
 bool key_default_cmp(const struct key *key,
 		     const struct key_match_data *match_data)
 {
-	return strcmp(key->description, match_data->raw_data) == 0;
+	bool match;
+
+	match = strcmp(key->description, match_data->raw_data) == 0;
+	if (match_data->domain_tag)
+		match &= key->index_key.domain_tag == match_data->domain_tag;
+
+	return match;
 }
 
 /*
@@ -957,6 +963,8 @@ key_ref_t keyring_search_tag(key_ref_t keyring,
 
 	if (recurse)
 		ctx.flags |= KEYRING_SEARCH_RECURSE;
+	if (domain_tag)
+		ctx.match_data.domain_tag = domain_tag;
 	if (type->match_preparse) {
 		ret = type->match_preparse(&ctx.match_data);
 		if (ret < 0)
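Review bot: Setting `ctx.match_data.domain_tag` just before `type->match_preparse()` only takes effect for key types whose cmp function reads it, and this patch updates only key_default_cmp() and the two asymmetric ones. Any key type that installs its own cmp in match_preparse would presumably ignore the tag and return keys from other domains during an iterative search. Checking the tag once at the point where the iterator invokes `match_data.cmp` would make the filter hold for every key type. The `if (domain_tag)` guard is also unnecessary if ctx is zero-initialised (its declaration is outside the hunk); a plain `ctx.match_data.domain_tag = domain_tag;` is simpler and correct either way.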
-- 
2.20.1
