<feed xmlns='http://www.w3.org/2005/Atom'>
<title>user/sven/linux.git/include/keys, branch leds/HEAD</title>
<subtitle>Linux Kernel
</subtitle>
<id>https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=leds%2FHEAD</id>
<link rel='self' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=leds%2FHEAD'/>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/'/>
<updated>2014-10-06T14:21:05Z</updated>
<entry>
<title>KEYS: Restore partial ID matching functionality for asymmetric keys</title>
<updated>2014-10-06T14:21:05Z</updated>
<author>
<name>Dmitry Kasatkin</name>
<email>d.kasatkin@samsung.com</email>
</author>
<published>2014-10-06T14:21:05Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=f1b731dbc2530cab93fcfc5fcb18c9f3a100feeb'/>
<id>urn:sha1:f1b731dbc2530cab93fcfc5fcb18c9f3a100feeb</id>
<content type='text'>
Bring back the functionality whereby an asymmetric key can be matched with a
partial match on one of its IDs.

Whilst we're at it, allow for the possibility of having an increased number of
IDs.

Reported-by: Dmitry Kasatkin &lt;d.kasatkin@samsung.com&gt;
Signed-off-by: Dmitry Kasatkin &lt;d.kasatkin@samsung.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
</entry>
<entry>
<title>KEYS: Implement binary asymmetric key ID handling</title>
<updated>2014-09-16T16:36:11Z</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2014-09-16T16:36:11Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=7901c1a8effbe5f89673bfc09d6e37b8f334f1a7'/>
<id>urn:sha1:7901c1a8effbe5f89673bfc09d6e37b8f334f1a7</id>
<content type='text'>
Implement the first step in using binary key IDs for asymmetric keys rather
than hex string keys.

The previously added match data preparsing will be able to convert hex
criterion strings into binary which can then be compared more rapidly.

Further, we actually want more than one ID string per public key.  The problem
is that X.509 certs refer to other X.509 certs by matching Issuer + AuthKeyId
to Subject + SubjKeyId, but PKCS#7 messages match against X.509 Issuer +
SerialNumber.

This patch just provides facilities for a later patch to make use of.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Acked-by: Vivek Goyal &lt;vgoyal@redhat.com&gt;
</content>
</entry>
<entry>
<title>KEYS: Remove key_type::match in favour of overriding default by match_preparse</title>
<updated>2014-09-16T16:36:06Z</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2014-09-16T16:36:06Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81'/>
<id>urn:sha1:c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81</id>
<content type='text'>
A previous patch added a -&gt;match_preparse() method to the key type.  This is
allowed to override the function called by the iteration algorithm.
Therefore, we can just set a default that simply checks for an exact match of
the key description with the original criterion data and allow match_preparse
to override it as needed.

The key_type::match op is then redundant and can be removed, as can the
user_match() function.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Acked-by: Vivek Goyal &lt;vgoyal@redhat.com&gt;
</content>
</entry>
<entry>
<title>KEYS: Preparse match data</title>
<updated>2014-09-16T16:36:02Z</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2014-09-16T16:36:02Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=462919591a1791e76042dc5c1e0148715df59beb'/>
<id>urn:sha1:462919591a1791e76042dc5c1e0148715df59beb</id>
<content type='text'>
Preparse the match data.  This provides several advantages:

 (1) The preparser can reject invalid criteria up front.

 (2) The preparser can convert the criteria to binary data if necessary (the
     asymmetric key type really wants to do binary comparison of the key IDs).

 (3) The preparser can set the type of search to be performed.  This means
     that it's not then a one-off setting in the key type.

 (4) The preparser can set an appropriate comparator function.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Acked-by: Vivek Goyal &lt;vgoyal@redhat.com&gt;
</content>
</entry>
<entry>
<title>Merge remote-tracking branch 'integrity/next-with-keys' into keys-next</title>
<updated>2014-07-22T20:54:43Z</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2014-07-22T20:54:43Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=64724cfc6eea920dbaada14f0fb978b1dd31192d'/>
<id>urn:sha1:64724cfc6eea920dbaada14f0fb978b1dd31192d</id>
<content type='text'>
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
</entry>
<entry>
<title>KEYS: big_key: Use key preparsing</title>
<updated>2014-07-22T20:46:47Z</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2014-07-18T17:56:36Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=002edaf76f09af658241029817f5ef66f6bef5e4'/>
<id>urn:sha1:002edaf76f09af658241029817f5ef66f6bef5e4</id>
<content type='text'>
Make use of key preparsing in the big key type so that quota size determination
can take place prior to keyring locking when a key is being added.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Acked-by: Steve Dickson &lt;steved@redhat.com&gt;
</content>
</entry>
<entry>
<title>KEYS: user: Use key preparsing</title>
<updated>2014-07-22T20:46:17Z</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2014-07-18T17:56:35Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=f9167789df53f22af771fb6690a3d36aa21d74c5'/>
<id>urn:sha1:f9167789df53f22af771fb6690a3d36aa21d74c5</id>
<content type='text'>
Make use of key preparsing in user-defined and logon keys so that quota size
determination can take place prior to keyring locking when a key is being
added.

Also the idmapper key types need to change to match as they use the
user-defined key type routines.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Acked-by: Steve Dickson &lt;steved@redhat.com&gt;
Acked-by: Jeff Layton &lt;jlayton@primarydata.com&gt;
</content>
</entry>
<entry>
<title>KEYS: verify a certificate is signed by a 'trusted' key</title>
<updated>2014-07-17T13:35:15Z</updated>
<author>
<name>Mimi Zohar</name>
<email>zohar@linux.vnet.ibm.com</email>
</author>
<published>2013-08-20T18:36:27Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=3be4beaf7c91ec9c6fefa5f11173af37113d10ae'/>
<id>urn:sha1:3be4beaf7c91ec9c6fefa5f11173af37113d10ae</id>
<content type='text'>
Only public keys, with certificates signed by an existing
'trusted' key on the system trusted keyring, should be added
to a trusted keyring.  This patch adds support for verifying
a certificate's signature.

This is derived from David Howells' pkcs7_request_asymmetric_key() patch.

Changelog v6:
- on error free key - Dmitry
- validate trust only for not already trusted keys - Dmitry
- formatting cleanup

Changelog:
- define get_system_trusted_keyring() to fix kbuild issues

Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Acked-by: Dmitry Kasatkin &lt;dmitry.kasatkin@gmail.com&gt;
</content>
</entry>
<entry>
<title>KEYS: Separate the kernel signature checking keyring from module signing</title>
<updated>2013-09-25T16:17:01Z</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2013-08-30T15:07:30Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=b56e5a17b6b9acd16997960504b9940d0d7984e7'/>
<id>urn:sha1:b56e5a17b6b9acd16997960504b9940d0d7984e7</id>
<content type='text'>
Separate the kernel signature checking keyring from module signing so that it
can be used by code other than the module-signing code.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
</entry>
<entry>
<title>KEYS: Implement a big key type that can save to tmpfs</title>
<updated>2013-09-24T09:35:18Z</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2013-09-24T09:35:18Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=ab3c3587f8cda9083209a61dbe3a4407d3cada10'/>
<id>urn:sha1:ab3c3587f8cda9083209a61dbe3a4407d3cada10</id>
<content type='text'>
Implement a big key type that can save its contents to tmpfs and thus
swapspace when memory is tight.  This is useful for Kerberos ticket caches.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Tested-by: Simo Sorce &lt;simo@redhat.com&gt;
</content>
</entry>
</feed>
