
Commit 4ca332e1 authored by James Morris's avatar James Morris

Merge tag 'keys-next-20140722' of...

Merge tag 'keys-next-20140722' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next
parents 6d6f3328 633706a2
+5 −0
@@ -566,6 +566,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
			possible to determine what the correct size should be.
			This option provides an override for these situations.

	ca_keys=	[KEYS] This parameter identifies a specific key(s) on
			the system trusted keyring to be used for certificate
			trust validation.
			format: { id:<keyid> | builtin }

	ccw_timeout_log [S390]
			See Documentation/s390/CommonIO for details.

+10 −4
@@ -1150,18 +1150,22 @@ The structure has a number of fields, some of which are mandatory:
		const void	*data;
		size_t		datalen;
		size_t		quotalen;
		time_t		expiry;
	};

     Before calling the method, the caller will fill in data and datalen with
     the payload blob parameters; quotalen will be filled in with the default
     quota size from the key type and the rest will be cleared.
     quota size from the key type; expiry will be set to TIME_T_MAX and the
     rest will be cleared.

     If a description can be proposed from the payload contents, that should be
     attached as a string to the description field.  This will be used for the
     key description if the caller of add_key() passes NULL or "".

     The method can attach anything it likes to type_data[] and payload.  These
     are merely passed along to the instantiate() or update() operations.
     are merely passed along to the instantiate() or update() operations.  If
     set, the expiry time will be applied to the key if it is instantiated from
     this data.

     The method should return 0 if successful or a negative error code
     otherwise.
@@ -1172,7 +1176,9 @@ The structure has a number of fields, some of which are mandatory:
     This method is only required if the preparse() method is provided,
     otherwise it is unused.  It cleans up anything attached to the
     description, type_data and payload fields of the key_preparsed_payload
     struct as filled in by the preparse() method.
     struct as filled in by the preparse() method.  It will always be called
     after preparse() returns successfully, even if instantiate() or update()
     succeed.


 (*) int (*instantiate)(struct key *key, struct key_preparsed_payload *prep);
+32 −2
@@ -22,7 +22,6 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE

config PUBLIC_KEY_ALGO_RSA
	tristate "RSA public-key algorithm"
	select MPILIB_EXTRA
	select MPILIB
	help
	  This option enables support for the RSA algorithm (PKCS#1, RFC3447).
@@ -33,8 +32,39 @@ config X509_CERTIFICATE_PARSER
	select ASN1
	select OID_REGISTRY
	help
	  This option procides support for parsing X.509 format blobs for key
	  This option provides support for parsing X.509 format blobs for key
	  data and provides the ability to instantiate a crypto key from a
	  public key packet found inside the certificate.

config PKCS7_MESSAGE_PARSER
	tristate "PKCS#7 message parser"
	depends on X509_CERTIFICATE_PARSER
	select ASN1
	select OID_REGISTRY
	help
	  This option provides support for parsing PKCS#7 format messages for
	  signature data and provides the ability to verify the signature.

config PKCS7_TEST_KEY
	tristate "PKCS#7 testing key type"
	depends on PKCS7_MESSAGE_PARSER
	select SYSTEM_TRUSTED_KEYRING
	help
	  This option provides a type of key that can be loaded up from a
	  PKCS#7 message - provided the message is signed by a trusted key.  If
	  it is, the PKCS#7 wrapper is discarded and reading the key returns
	  just the payload.  If it isn't, adding the key will fail with an
	  error.

	  This is intended for testing the PKCS#7 parser.

config SIGNED_PE_FILE_VERIFICATION
	bool "Support for PE file signature verification"
	depends on PKCS7_MESSAGE_PARSER=y
	select ASN1
	select OID_REGISTRY
	help
	  This option provides support for verifying the signature(s) on a
	  signed PE binary.

endif # ASYMMETRIC_KEY_TYPE
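Review bot: The help text for PKCS7_TEST_KEY says only that the option is "intended for testing the PKCS#7 parser" and gives no build guidance, so a distribution config could enable it without noticing that it adds a key type whose payload goes through the in-kernel PKCS#7 parser. Because the entry describes the key as "loaded up from a PKCS#7 message", whoever is allowed to add such a key presumably supplies the message bytes that get parsed; I would close the help with `This is a debugging aid and is not needed for normal operation.  If unsure, say N.`. The text also leaves "a trusted key" undefined: the `select SYSTEM_TRUSTED_KEYRING` line suggests the system trusted keyring is meant, and the help should say so explicitly.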
+37 −0
@@ -25,3 +25,40 @@ $(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h

clean-files	+= x509-asn1.c x509-asn1.h
clean-files	+= x509_rsakey-asn1.c x509_rsakey-asn1.h

#
# PKCS#7 message handling
#
obj-$(CONFIG_PKCS7_MESSAGE_PARSER) += pkcs7_message.o
pkcs7_message-y := \
	pkcs7-asn1.o \
	pkcs7_parser.o \
	pkcs7_trust.o \
	pkcs7_verify.o

$(obj)/pkcs7_parser.o: $(obj)/pkcs7-asn1.h
$(obj)/pkcs7-asn1.o: $(obj)/pkcs7-asn1.c $(obj)/pkcs7-asn1.h

clean-files	+= pkcs7-asn1.c pkcs7-asn1.h

#
# PKCS#7 parser testing key
#
obj-$(CONFIG_PKCS7_TEST_KEY) += pkcs7_test_key.o
pkcs7_test_key-y := \
	pkcs7_key_type.o

#
# Signed PE binary-wrapped key handling
#
obj-$(CONFIG_SIGNED_PE_FILE_VERIFICATION) += verify_signed_pefile.o

verify_signed_pefile-y := \
	verify_pefile.o \
	mscode_parser.o \
	mscode-asn1.o

$(obj)/mscode_parser.o: $(obj)/mscode-asn1.h $(obj)/mscode-asn1.h
$(obj)/mscode-asn1.o: $(obj)/mscode-asn1.c $(obj)/mscode-asn1.h

clean-files	+= mscode-asn1.c mscode-asn1.h
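Review bot: The rule `$(obj)/mscode_parser.o: $(obj)/mscode-asn1.h $(obj)/mscode-asn1.h` lists the same generated header twice as a prerequisite. Make tolerates the duplicate, but it reads like a slip for another file; if only the header is meant, `$(obj)/mscode_parser.o: $(obj)/mscode-asn1.h` matches the form of the pkcs7_parser.o rule earlier in this hunk. It is worth checking whether pkcs7_trust.o, pkcs7_verify.o or verify_pefile.o include a generated ASN.1 header, since only the parser objects declare that dependency here and a parallel build could otherwise compile them before the header exists. The section comment `# Signed PE binary-wrapped key handling` also disagrees with the Kconfig prompt for CONFIG_SIGNED_PE_FILE_VERIFICATION, which describes PE file signature verification rather than key handling.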
+2 −0
@@ -9,6 +9,8 @@
 * 2 of the Licence, or (at your option) any later version.
 */

int asymmetric_keyid_match(const char *kid, const char *id);

static inline const char *asymmetric_key_id(const struct key *key)
{
	return key->type_data.p[1];
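Review bot: The new prototype `int asymmetric_keyid_match(const char *kid, const char *id);` is added to the header with no comment. Nothing here says which argument is the key's stored ID and which is the caller's search string, whether a partial match counts, or what the `int` result means. The `ca_keys=id:<keyid>` parameter documented in this commit suggests keys are selected by ID for trust validation, though no caller is visible on this page; if this helper makes that decision, the exact match rule matters at every call site. I would add a short comment above the declaration, for example `/* Returns 1 if @id matches key ID @kid, 0 otherwise; NULL arguments never match. */`, adjusted to what the implementation actually does. The asymmetric_key_id() body that follows continues past the end of this hunk.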