New subject: [PATCH v2 2/3] unit: Update key restriction unit tests for modified l_keyring API

Wednesday, 19 April 2017

Now that the restricted keyring patches have been applied to keys-next
and are on track for the v4.12 merge window, ELL needs to be updated for
the final API.

There are two significant changes from the previous API:

1. Key restrictions are now applied in a separate step after a keyring
is created, not at creation time.

2. The first key added to an empty, "chain" restricted keyring no longer
bypasses the signature check.

The latter required a change to l_keyring_new() so that the root key
could be added to a keyring after it is created but before it is
restricted. There's a new l_keyring_restrict() function to restrict an
existing keyring.
---
 ell/key.c | 76 ++++++++++++++++++++++++++++++++++++++++-----------------------
 ell/key.h | 13 ++++++-----
 ell/tls.c | 48 ++++++++++++++++++++++++++++++++++------
 3 files changed, 96 insertions(+), 41 deletions(-)

diff --git a/ell/key.c b/ell/key.c
index db9abb1..fba400f 100644
--- a/ell/key.c
+++ b/ell/key.c
@@ -81,6 +81,10 @@ struct keyctl_pkey_params {
 };
 #endif
 
+#ifndef KEYCTL_RESTRICT_KEYRING
+#define KEYCTL_RESTRICT_KEYRING 29
+#endif
+
 static int32_t internal_keyring;
 
 struct l_key {
@@ -89,7 +93,6 @@ struct l_key {
 };
 
 struct l_keyring {
-	int type;
 	int32_t serial;
 };
 
@@ -208,6 +211,17 @@ static long kernel_dh_compute(int32_t private, int32_t prime, int32_t
base,
 	return result >= 0 ? result : -errno;
 }
 
+static long kernel_restrict_keyring(int32_t serial, const char *keytype,
+					const char *restriction)
+{
+	long result;
+
+	result = syscall(__NR_keyctl, KEYCTL_RESTRICT_KEYRING, serial, keytype,
+				restriction);
+
+	return result >= 0 ? result : -errno;
+}
+
 static long kernel_key_eds(int op, int32_t serial, const char *encoding,
 				const char *hash, const void *in, void *out,
 				size_t len_in, size_t len_out)
@@ -655,32 +669,47 @@ LIB_EXPORT bool l_key_verify(struct l_key *key,
 		(memcmp(data, compare_hash, hash_len) == 0);
 }
 
-LIB_EXPORT struct l_keyring *l_keyring_new(enum l_keyring_type type,
-						const struct l_keyring *trusted)
+LIB_EXPORT struct l_keyring *l_keyring_new(void)
 {
 	struct l_keyring *keyring;
 	char *description;
-	char *payload = NULL;
-	size_t payload_length = 0;
 
 	if (!internal_keyring && !setup_internal_keyring())
 		return NULL;
 
-	switch (type) {
-	case L_KEYRING_SIMPLE:
-		break;
-	case L_KEYRING_TRUSTED_ASYM:
-	case L_KEYRING_TRUSTED_ASYM_CHAIN:
+	keyring = l_new(struct l_keyring, 1);
+	description = l_strdup_printf("ell-keyring-%p", keyring);
+	keyring->serial = kernel_add_key("keyring", description, NULL, 0,
+						internal_keyring);
+	l_free(description);
+
+	if (keyring->serial < 0) {
+		l_free(keyring);
+		return NULL;
+	}
+
+	return keyring;
+}
+
+LIB_EXPORT bool l_keyring_restrict(struct l_keyring *keyring,
+					enum l_keyring_restriction res,
+					const struct l_keyring *trusted)
+{
+	char *restriction = NULL;
+	long result;
+
+	switch (res) {
+	case L_KEYRING_RESTRICT_ASYM:
+	case L_KEYRING_RESTRICT_ASYM_CHAIN:
 	{
 		char *option = "";
 
-		if (type == L_KEYRING_TRUSTED_ASYM_CHAIN)
+		if (res == L_KEYRING_RESTRICT_ASYM_CHAIN)
 			option = ":chain";
 
-		payload = l_strdup_printf(
-			"restrict=asymmetric:key_or_keyring:%d%s",
-			trusted ? trusted->serial : 0, option);
-		payload_length = strlen(payload);
+		restriction = l_strdup_printf("key_or_keyring:%d%s",
+						trusted ? trusted->serial : 0,
+						option);
 
 		break;
 	}
@@ -689,21 +718,12 @@ LIB_EXPORT struct l_keyring *l_keyring_new(enum l_keyring_type
type,
 		return NULL;
 	}
 
-	keyring = l_new(struct l_keyring, 1);
-	keyring->type = type;
-	description = l_strdup_printf("ell-keyring-%p", keyring);
-	keyring->serial = kernel_add_key("keyring", description, payload,
-						payload_length,
-						internal_keyring);
-	l_free(description);
-	l_free(payload);
+	result = kernel_restrict_keyring(keyring->serial, "asymmetric",
+						restriction);
 
-	if (keyring->serial < 0) {
-		l_free(keyring);
-		keyring = NULL;
-	}
+	l_free(restriction);
 
-	return keyring;
+	return result == 0;
 }
 
 LIB_EXPORT void l_keyring_free(struct l_keyring *keyring)
diff --git a/ell/key.h b/ell/key.h
index 35c63eb..717bd44 100644
--- a/ell/key.h
+++ b/ell/key.h
@@ -40,10 +40,9 @@ enum l_key_type {
 	L_KEY_RSA,
 };
 
-enum l_keyring_type {
-	L_KEYRING_SIMPLE = 0,
-	L_KEYRING_TRUSTED_ASYM,
-	L_KEYRING_TRUSTED_ASYM_CHAIN,
+enum l_keyring_restriction {
+	L_KEYRING_RESTRICT_ASYM = 0,
+	L_KEYRING_RESTRICT_ASYM_CHAIN,
 };
 
 enum l_key_cipher_type {
@@ -89,8 +88,10 @@ bool l_key_verify(struct l_key *key, enum l_key_cipher_type cipher,
 			enum l_checksum_type checksum, const void *data,
 			const void *sig, size_t len_data, size_t len_sig);
 
-struct l_keyring *l_keyring_new(enum l_keyring_type type,
-				const struct l_keyring *trust);
+struct l_keyring *l_keyring_new(void);
+
+bool l_keyring_restrict(struct l_keyring *keyring, enum l_keyring_restriction res,
+			const struct l_keyring *trust);
 
 void l_keyring_free(struct l_keyring *keyring);
 void l_keyring_free_norevoke(struct l_keyring *keyring);
diff --git a/ell/tls.c b/ell/tls.c
index 06e3341..6636fbf 100644
--- a/ell/tls.c
+++ b/ell/tls.c
@@ -2469,9 +2469,10 @@ static void tls_key_cleanup(struct l_key **p)
 	l_key_free_norevoke(*p);
 }
 
-static int tls_cert_verify_with_keyring(struct tls_cert *cert,
+static bool tls_cert_verify_with_keyring(struct tls_cert *cert,
 						struct l_keyring *ring,
-						struct tls_cert *root)
+						struct tls_cert *root,
+						struct l_keyring *trusted)
 {
 	if (!cert)
 		return true;
@@ -2488,14 +2489,33 @@ static int tls_cert_verify_with_keyring(struct tls_cert *cert,
 			!memcmp(cert->asn1, root->asn1, root->size))
 		return true;
 
-	if (tls_cert_verify_with_keyring(cert->issuer, ring, root)) {
+	if (tls_cert_verify_with_keyring(cert->issuer, ring, root, trusted)) {
 		L_AUTO_CLEANUP_VAR(struct l_key *, key, tls_key_cleanup);
 
 		key = l_key_new(L_KEY_RSA, cert->asn1, cert->size);
 		if (!key)
 			return false;
 
-		return l_keyring_link(ring, key);
+		if (!l_keyring_link(ring, key))
+			return false;
+
+		if (trusted || cert->issuer)
+			return true;
+
+		/*
+		 * If execution reaches this point, it's known that:
+		 *  * No trusted root key was supplied, so the chain is only
+		 *    being checked against its own root
+		 *  * The keyring 'ring' is not restricted yet
+		 *  * The chain's root cert was just linked in to the
+		 *    previously empty keyring 'ring'.
+		 *
+		 *  By restricting 'ring' now, the rest of the certs in
+		 *  the chain will have their signature validated using 'key'
+		 *  as the root.
+		 */
+		return l_keyring_restrict(ring,	L_KEYRING_RESTRICT_ASYM_CHAIN,
+						trusted);
 	}
 
 	return false;
@@ -2520,7 +2540,7 @@ bool tls_cert_verify_certchain(struct tls_cert *certchain,
 		L_AUTO_CLEANUP_VAR(struct l_key *, ca_key, tls_key_cleanup);
 		ca_key = NULL;
 
-		ca_ring = l_keyring_new(L_KEYRING_SIMPLE, NULL);
+		ca_ring = l_keyring_new();
 		if (!ca_ring)
 			return false;
 
@@ -2529,11 +2549,25 @@ bool tls_cert_verify_certchain(struct tls_cert *certchain,
 			return false;
 	}
 
-	verify_ring = l_keyring_new(L_KEYRING_TRUSTED_ASYM_CHAIN, ca_ring);
+	verify_ring = l_keyring_new();
 	if (!verify_ring)
 		return false;
 
-	return tls_cert_verify_with_keyring(certchain, verify_ring, ca_cert);
+	/*
+	 * If a CA cert was supplied, restrict verify_ring now so
+	 * everything else in certchain is validated against the CA.
+	 * Otherwise, verify_ring will be restricted after the root of
+	 * certchain is added to verify_ring by
+	 * tls_cert_verify_with_keyring().
+	 */
+	if (ca_ring && !l_keyring_restrict(verify_ring,
+						L_KEYRING_RESTRICT_ASYM_CHAIN,
+						ca_ring)) {
+		return false;
+	}
+
+	return tls_cert_verify_with_keyring(certchain, verify_ring, ca_cert,
+						ca_ring);
 }
 
 void tls_cert_free_certchain(struct tls_cert *cert)
-- 
2.12.2


    

2021

2020

2019

2018

2017

2016

2015

2014

[PATCH v2 1/3] key: Use keyring restriction keyctl