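// Delete a user's ext4 encryption key: revoke the in-kernel "logon" key that
// matches the stored key material, then launch secdiscard on the key file.
//
// Returns 0 once the secdiscard child has been forked and -1 if fork() fails.
// A failed keyring lookup or revoke is logged but does not stop the on-disk
// discard. The child is not waited for, so a return value of 0 does NOT mean
// the key file was actually discarded.
int e4crypt_delete_user_key(const char *user_handle) {
    SLOGD("e4crypt_delete_user_key(\"%s\")", user_handle);
    auto key_path = get_key_path(DATA_MNT_POINT, user_handle);
    auto key = e4crypt_get_key(key_path, false);
    auto ext4_key = fill_key(key);
    auto ref = keyname(generate_key_ref(ext4_key.raw, ext4_key.size));

    // A failed lookup returns -1, which keyctl calls also accept as the
    // special ID of the thread keyring (KEY_SPEC_THREAD_KEYRING). Never pass
    // a failed result on, or the search/revoke could act on the wrong object.
    auto keyring = e4crypt_keyring();
    if (keyring == -1) {
        SLOGE("Failed to find e4crypt keyring: %s\n", strerror(errno));
    } else {
        auto key_serial = keyctl_search(keyring, "logon", ref.c_str(), 0);
        if (key_serial == -1) {
            SLOGE("Failed to find key with ref %s: %s\n", ref.c_str(), strerror(errno));
        } else if (keyctl_revoke(key_serial) == 0) {
            SLOGD("Revoked key with serial %ld ref %s\n", key_serial, ref.c_str());
        } else {
            SLOGE("Failed to revoke key with serial %ld ref %s: %s\n",
                  key_serial, ref.c_str(), strerror(errno));
        }
    }

    int pid = fork();
    if (pid < 0) {
        SLOGE("Unable to fork: %s", strerror(errno));
        return -1;
    }
    if (pid == 0) {
        SLOGD("Forked for secdiscard");
        execl("/system/bin/secdiscard",
              "/system/bin/secdiscard",
              key_path.c_str(),
              NULL);
        SLOGE("Unable to launch secdiscard on %s: %s\n", key_path.c_str(),
              strerror(errno));
        // _exit: the child must not run the parent's atexit handlers or
        // flush its inherited stdio buffers after a failed exec.
        _exit(-1);
    }
    // ext4enc:TODO reap the zombie
    // NOTE(review): until the child is reaped, its exit status is never
    // inspected, so a failed secure discard goes unnoticed by callers.
    return 0;
}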
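/*
 * Fetch the reauthorize secret for @user from the session keyring.
 *
 * The key is looked up as a "user" type key named "reauthorize/secret/<user>".
 * Before its payload is read, the key description is checked to start with
 * "user;0;0;001f0000;" (type; uid; gid; permission mask), i.e. the key must
 * be owned by uid 0 / gid 0 and carry exactly that permission mask. A key
 * with any other ownership or mask is rejected with -EPERM and never read.
 *
 * Returns 0 on success with *secret set to a newly allocated, null-terminated
 * copy of the payload, or 0 with *secret set to NULL when no such key exists.
 * Returns a negative errno value on failure; *secret is not written by this
 * function on the failure paths.
 *
 * NOTE(review): the caller owns *secret; since it holds secret material it
 * should presumably be wiped before being freed -- confirm at the call sites.
 */
static int
lookup_reauthorize_secret (const char *user,
                           char **secret)
{
  char *buffer = NULL;
  char *name = NULL;
  key_serial_t key;
  int ret;

  if (asprintf (&name, "reauthorize/secret/%s", user) < 0)
    {
      /* asprintf() leaves the pointer undefined on failure; reset it so the
       * free() at "out" cannot be handed a garbage pointer. */
      name = NULL;
      message ("failed to allocate secret name");
      ret = -ENOMEM;
      goto out;
    }

  key = keyctl_search (KEY_SPEC_SESSION_KEYRING, "user", name, 0);
  if (key < 0)
    {
      /* missing key is not an error */
      if (errno == ENOKEY)
        {
          ret = 0;
          *secret = NULL;
          goto out;
        }

      ret = -errno;
      message ("failed to lookup reauthorize secret key: %s: %m", name);
      goto out;
    }

  if (keyctl_describe_alloc (key, &buffer) < 0)
    {
      ret = -errno;
      message ("couldn't describe reauthorize secret key: %s: %m", name);
      goto out;
    }

  /* Refuse keys whose type, owner or permission mask is not the expected one:
   * such a key could have been planted by someone other than root. */
  if (strncmp (buffer, "user;0;0;001f0000;", 18) != 0)
    {
      ret = -EPERM;
      message ("kernel reauthorize secret key has invalid permissions: %s: %s", name, buffer);
      goto out;
    }

  /* null-terminates */
  if (keyctl_read_alloc (key, (void **)secret) < 0)
    {
      ret = -errno;
      message ("couldn't read kernel reauthorize secret key: %s: %m", name);
      goto out;
    }

  ret = 0;

out:
  free (buffer);
  free (name);
  return ret;
}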
/**
 * Store an authentication token in the caller's user keyring.
 *
 * The token is added as a "user" type key whose description is
 * @auth_tok_sig and whose payload is the raw struct, unless a key with that
 * description can already be found from the user keyring.
 *
 * Returns 0 when the key was added, 1 when it was already present, and a
 * negative errno value when the lookup or the add fails.
 *
 * NOTE(review): the payload is the whole struct ecryptfs_auth_tok; who may
 * read it back depends on the permissions the kernel assigns to the new
 * key -- confirm these match the intended exposure of the token.
 */
int ecryptfs_add_auth_tok_to_keyring(struct ecryptfs_auth_tok *auth_tok,
				     char *auth_tok_sig)
{
	int status;

	status = (int)keyctl_search(KEY_SPEC_USER_KEYRING, "user",
				    auth_tok_sig, 0);
	if (status != -1) {
		/* we already have this key in keyring; we're done */
		return 1;
	}
	if (errno != ENOKEY) {
		/* the search itself failed; report it as a negative errno */
		int errnum = errno;

		syslog(LOG_ERR, "keyctl_search failed: %m errno=[%d]\n",
		       errnum);
		return (errnum < 0) ? errnum : -errnum;
	}

	/* ENOKEY: nothing stored under this signature yet, so add it */
	status = add_key("user", auth_tok_sig, (void *)auth_tok,
			 sizeof(struct ecryptfs_auth_tok),
			 KEY_SPEC_USER_KEYRING);
	if (status == -1) {
		status = -errno;
		syslog(LOG_ERR, "Error adding key with sig [%s]; rc = [%d] "
		       "\"%m\"\n", auth_tok_sig, status);
		if (status == -EDQUOT)
			syslog(LOG_WARNING,
			       "Error adding key to keyring - keyring is full\n");
		return status;
	}
	return 0;
}
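/**
 * Look up a cached public key in the kernel keyring.
 *
 * When keyutils support is compiled in and _kuCache is set, the keyring
 * _kuKeyring is searched for a "user" key named "rpm:gpg:pubkey:XXXXXXXX",
 * where XXXXXXXX is the 8-hex-digit rendering of
 * pgpGrab(sigp->signid+4, 4) (presumably the low half of the signer key id
 * -- confirm against pgpGrab). The payload is copied into a new rpmiob.
 *
 * @param sigp   signature parameters supplying the signer id
 * @retval iobp  set to NULL on entry (if non-NULL), and to the new rpmiob
 *               holding the key payload on success
 * @return       RPMRC_OK when a payload was read and stored in *iobp,
 *               RPMRC_NOTFOUND otherwise
 *
 * NOTE(review): the lookup name carries only 32 bits of the key id, so the
 * returned blob should be treated as a candidate; presumably the caller
 * verifies it against the full signer id / fingerprint -- confirm.
 */
rpmRC rpmkuFindPubkey(pgpDigParams sigp, /*@out@*/ rpmiob * iobp)
{
    if (iobp != NULL)
        *iobp = NULL;

#if defined(HAVE_KEYUTILS_H)
    if (_kuCache) {
/*@observer@*/
        static const char krprefix[] = "rpm:gpg:pubkey:";
        key_serial_t keyring = (key_serial_t) _kuKeyring;
        char krfp[32];
        /* room for the prefix, 8 hex digits and the terminating NUL */
        char * krn = (char *) alloca(strlen(krprefix) + sizeof("12345678"));
        long key;
        int xx;

        (void) snprintf(krfp, sizeof(krfp), "%08X", pgpGrab(sigp->signid+4, 4));
        krfp[sizeof(krfp)-1] = '\0';
        *krn = '\0';
        (void) stpcpy( stpcpy(krn, krprefix), krfp);

        key = keyctl_search(keyring, "user", krn, 0);
        /* A failed search returns -1, which keyctl_read() would interpret as
         * the special thread-keyring ID rather than as "no key". Stop here
         * so unrelated keyring contents are never returned as a pubkey. */
        if (key < 0)
            return RPMRC_NOTFOUND;

        /* First call with no buffer only asks for the payload size. */
        xx = keyctl_read(key, NULL, 0);
        if (xx > 0) {
            rpmiob iob = rpmiobNew(xx);
            /* NOTE(review): keyctl_read() reports the full payload size even
             * when the buffer is smaller, so a key updated between the two
             * calls could be truncated here without being noticed. */
            xx = keyctl_read(key, (char *)iob->b, iob->blen);
            if (xx > 0) {
#ifdef  NOTYET
                pubkeysource = xstrdup(krn);
                _kuCache = 0;   /* XXX don't bother caching. */
#endif
            } else
                iob = rpmiobFree(iob);

            if (iob != NULL && iobp != NULL) {
                *iobp = iob;
                return RPMRC_OK;
            } else {
                /* no payload, or nowhere to hand it to */
                iob = rpmiobFree(iob);
                return RPMRC_NOTFOUND;
            }
        } else
            return RPMRC_NOTFOUND;
    } else
#endif  /* HAVE_KEYUTILS_H */
    return RPMRC_NOTFOUND;
}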
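/**
 * Resolve a pass phrase, optionally fetching it from the kernel keyring.
 *
 * When keyutils support is compiled in and @passPhrase is exactly the
 * string "@u user rpm:passwd", the "user" key named "rpm:passwd" is looked
 * up in _kuKeyring and a copy of its payload is returned (NULL if the key
 * cannot be found or read). Any other value is duplicated with xstrdup().
 *
 * @param passPhrase  literal pass phrase, or the keyring reference string
 * @return            allocated pass phrase, or NULL on keyring failure
 *
 * NOTE(review): both paths hand back a heap copy of secret material;
 * wiping it before release looks like the caller's job -- confirm.
 * NOTE(review): a NULL passPhrase reaches xstrdup() unchanged; verify that
 * xstrdup() tolerates NULL or that callers never pass it.
 */
const char * rpmkuPassPhrase(const char * passPhrase)
{
    const char * pw;

#if defined(HAVE_KEYUTILS_H)
    if (passPhrase && !strcmp(passPhrase, "@u user rpm:passwd")) {
        key_serial_t keyring = (key_serial_t) _kuKeyring;
        long key;
        int xx;

/*@-moduncon@*/
        key = keyctl_search(keyring, "user", "rpm:passwd", 0);
        pw = NULL;
        /* A failed search returns -1, which keyctl_read_alloc() would treat
         * as the special thread-keyring ID; only read a key that was found,
         * so unrelated keyring data is never returned as the pass phrase. */
        if (key >= 0) {
            xx = keyctl_read_alloc(key, (void **)&pw);
            if (xx < 0)
                pw = NULL;
        }
/*@=moduncon@*/
    } else
#endif  /* HAVE_KEYUTILS_H */
        pw = xstrdup(passPhrase);
    return pw;
}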
/**
 * Unlink the key stored under @auth_tok_sig from the caller's user keyring.
 *
 * Returns 0 on success. On failure the errno value of the failing call is
 * returned as a POSITIVE number (note: ecryptfs_add_auth_tok_to_keyring()
 * reports failures as negative values instead).
 *
 * NOTE(review): the key is only unlinked from the user keyring, it is not
 * revoked; if it is linked from another keyring it presumably stays usable
 * there -- confirm whether that matters for callers.
 */
int ecryptfs_remove_auth_tok_from_keyring(char *auth_tok_sig)
{
	int saved_errno;
	int serial;

	serial = (int)keyctl_search(KEY_SPEC_USER_KEYRING, "user",
				    auth_tok_sig, 0);
	if (serial < 0) {
		/* capture errno before syslog() gets a chance to change it */
		saved_errno = errno;
		syslog(LOG_ERR, "Failed to find key with sig [%s]: %m\n",
		       auth_tok_sig);
		return saved_errno;
	}

	if (keyctl_unlink(serial, KEY_SPEC_USER_KEYRING) < 0) {
		saved_errno = errno;
		syslog(LOG_ERR, "Failed to unlink key with sig [%s]: %s\n",
		       auth_tok_sig, strerror(saved_errno));
		return saved_errno;
	}

	return 0;
}
// Get the keyring we store all keys in static key_serial_t e4crypt_keyring() { return keyctl_search(KEY_SPEC_SESSION_KEYRING, "keyring", "e4crypt", 0); }