Пример #1
0
static int dek_encrypt_dek(int userid, dek_t *plainDek, dek_t *encDek) {
	int ret = 0;
	int key_arr_idx = PERSONA_KEY_ARR_IDX(userid);

	if (!dek_is_persona(userid)) {
		DEK_LOGE("%s invalid userid %d\n", __func__, userid);
		return -EFAULT;
	}
#if DEK_DEBUG
	DEK_LOGD("plainDek from user: "******"aes encrypt failed\n");
			dek_add_to_log(userid, "aes encrypt failed");
			encDek->len = 0;
		} else {
			encDek->len = plainDek->len;
			encDek->type = DEK_TYPE_AES_ENC;
		}
	} else {
#ifdef CONFIG_PUB_CRYPTO
		/*
		 * Do an asymmetric crypto
		 */
		if(SDPK_Dpub[key_arr_idx].len > 0) {
			ret = dh_encryptDEK(plainDek, encDek, &SDPK_Dpub[key_arr_idx]);
		}else{
			DEK_LOGE("SDPK_Dpub for id: %d\n", userid);
			dek_add_to_log(userid, "encrypt failed, no SDPK_Dpub");
			return -EIO;
		}
#else
		DEK_LOGE("pub crypto not supported : %d\n", userid);
		dek_add_to_log(userid, "encrypt failed, no key");
		return -EOPNOTSUPP;
#endif
	}

	if (encDek->len <= 0 || encDek->len > DEK_MAXLEN) {
		DEK_LOGE("dek_encrypt_dek, incorrect len=%d\n", encDek->len);
		zero_out((char *)encDek, sizeof(dek_t));
		return -EFAULT;
	}
#if DEK_DEBUG
	else {
		DEK_LOGD("encDek to user: ");
		dump(encDek->buf, encDek->len);
	}
#endif

	return ret;
}
Пример #2
0
static int dek_decrypt_dek(int persona_id, dek *encDek, dek *plainDek, int type) {
	int key_arr_idx = PERSONA_KEY_ARR_IDX(persona_id);
	unsigned int i;
	unsigned int bsize;

	if (!dek_is_persona(persona_id)) {
		return -EFAULT;
	}
#if DEK_DEBUG
	printk("dek: encDek from user: "******"dek: no master key for id: %d\n", persona_id);
			dek_add_to_log(persona_id, "decrypt failed, persona locked");
			return -EIO;
		}
	} else if (type == DEK_RSA_ENC) {
		printk("dek: Not supported key type: %d\n", type);
		dek_add_to_log(persona_id, "decrypt failed, RSA type not supported");
		return -EFAULT;
	} else {
		printk("dek: wrong decrypt key type: %d\n", type);
		dek_add_to_log(persona_id, "decrypt failed, wrong decrypt key type");
		return -EFAULT;
	}

	if (plainDek->len <= 0 || plainDek->len > DEK_DEK_LEN) {
		printk("dek: dek_decrypt_dek, incorrect len=%d\n", plainDek->len);
		memset(plainDek, 0, sizeof(dek));
		return -EFAULT;
	} else {
#if DEK_DEBUG
		printk("dek: plainDek to user: ");
		dump(plainDek->buf, plainDek->len);
#endif
	}
	return 0;
}
Пример #3
0
static int dek_on_device_unlocked(dek_arg_on_device_unlocked *evt) {
	int key_arr_idx = PERSONA_KEY_ARR_IDX(evt->persona_id);

	/*
	 * TODO : lock needed
	 */

	memcpy(mas_key[key_arr_idx].buf, evt->mas_key.buf, evt->mas_key.len);
	mas_key[key_arr_idx].len = evt->mas_key.len;
	memcpy(priv_key[key_arr_idx].buf, evt->priv_key.buf, evt->priv_key.len);
	priv_key[key_arr_idx].len = evt->priv_key.len;

	tfm[key_arr_idx] = dek_aes_key_setup(evt->mas_key.buf, evt->mas_key.len);
	if (IS_ERR(tfm[key_arr_idx])) {
		printk("dek: error setting up key\n");
		dek_add_to_log(evt->persona_id, "error setting up key");
		tfm[key_arr_idx] = NULL;
	}

#if DEK_DEBUG
	dump_all_keys(key_arr_idx);
#endif

	return 0;
}
Пример #4
0
static int dek_is_persona(int persona_id) {
	if ((persona_id < 100) || (persona_id > 100+DEK_MAX_PERSONA-1)) {
		printk("dek: invalid persona id: %d\n", persona_id);
		dek_add_to_log(persona_id, "Invalid persona id");
		return 0;
	}
	return 1;
}
Пример #5
0
static int dek_is_persona(int userid) {
	if ((userid < 100) || (userid > 100+SDP_MAX_USERS-1)) {
		DEK_LOGE("invalid persona id: %d\n", userid);
		dek_add_to_log(userid, "Invalid persona id");
		return 0;
	}
	return 1;
}
Пример #6
0
static int dek_on_device_unlocked(dek_arg_on_device_unlocked *evt) {
	int userid = evt->userid;
	int key_arr_idx;

	/*
	 * TODO : lock needed
	 */

	if (!dek_is_persona(userid)) {
		DEK_LOGE("%s invalid userid %d\n", __func__, userid);
		return -EFAULT;
	}
	key_arr_idx = PERSONA_KEY_ARR_IDX(userid);

	if((evt->SDPK_sym.len > KEK_MAX_LEN) ||
            (evt->SDPK_Rpri.len > KEK_MAX_LEN) ||
            (evt->SDPK_Dpri.len > KEK_MAX_LEN) ||
			(evt->SDPK_EDpri.len > KEK_MAX_LEN)) {
		DEK_LOGE("%s Invalid args\n", __func__);
		DEK_LOGE("SDPK_sym.len : %d\n", evt->SDPK_sym.len);
		DEK_LOGE("SDPK_Rpri.len : %d\n", evt->SDPK_Rpri.len);
        DEK_LOGE("SDPK_Dpri.len : %d\n", evt->SDPK_Dpri.len);
        DEK_LOGE("SDPK_EDpri.len : %d\n", evt->SDPK_EDpri.len);
		return -EINVAL;
	}

    copy_kek(&SDPK_Rpri[key_arr_idx], &evt->SDPK_Rpri, KEK_TYPE_RSA_PRIV);
    copy_kek(&SDPK_Dpri[key_arr_idx], &evt->SDPK_Dpri, KEK_TYPE_DH_PRIV);
    copy_kek(&SDPK_EDpri[key_arr_idx], &evt->SDPK_EDpri, KEK_TYPE_ECDH256_PRIV);
    copy_kek(&SDPK_sym[key_arr_idx], &evt->SDPK_sym, KEK_TYPE_SYM);

	sdp_tfm[key_arr_idx] = dek_aes_key_setup(evt->SDPK_sym.buf, evt->SDPK_sym.len);
	if (IS_ERR(sdp_tfm[key_arr_idx])) {
		DEK_LOGE("error setting up key\n");
		dek_add_to_log(evt->userid, "error setting up key");
		sdp_tfm[key_arr_idx] = NULL;
	}

#ifdef CONFIG_SDP_KEY_DUMP
	if(get_sdp_sysfs_key_dump()) {
	    dump_all_keys(key_arr_idx);
	}
#endif

	return 0;
}
Пример #7
0
static int dek_encrypt_dek(int persona_id, dek *plainDek, dek *encDek) {
	int ret = 0;
	int key_arr_idx = PERSONA_KEY_ARR_IDX(persona_id);
	unsigned int i;
	unsigned int bsize;

	if (!dek_is_persona(persona_id)) {
		return -EFAULT;
	}
#if DEK_DEBUG
	printk("dek: plainDek from user: "******"dek: no encryption key for id: %d\n", persona_id);
		dek_add_to_log(persona_id, "encrypt failed, no key");
		return -EIO;
	}

	if (encDek->len <= 0 || encDek->len > DEK_DEK_ENC_LEN) {
		printk("dek: dek_encrypt_dek, incorrect len=%d\n", encDek->len);
		memset(encDek, 0, sizeof(dek));
		return -EFAULT;
	}
#if DEK_DEBUG
	else {
		printk("dek: encDek to user: ");
		dump(encDek->buf, encDek->len);
	}
#endif

	return ret;
}
Пример #8
0
static long dek_ioctl_kek(struct file *file,
		unsigned int cmd, unsigned long arg)
{
	unsigned int minor;
	if(!is_container_app() && !is_root()) {
		DEK_LOGE("Current process can't access kek device\n");
		DEK_LOGE("Current process info :: "
				"uid=%u gid=%u euid=%u egid=%u suid=%u sgid=%u "
				"fsuid=%u fsgid=%u\n",
				current_uid(), current_gid(), current_euid(),
				current_egid(), current_suid(), current_sgid(),
				current_fsuid(), current_fsgid());
		dek_add_to_log(000, "Access denied to kek device");
		return -EACCES;
	}

	minor = iminor(file->f_path.dentry->d_inode);
	return dek_do_ioctl_kek(minor, cmd, arg);
}
Пример #9
0
static int dek_on_device_unlocked(dek_arg_on_device_unlocked *evt) {
	int userid = evt->userid;
	int key_arr_idx = PERSONA_KEY_ARR_IDX(userid);

	/*
	 * TODO : lock needed
	 */

	if (!dek_is_persona(userid)) {
		DEK_LOGE("%s invalid userid %d\n", __func__, userid);
		return -EFAULT;
	}

	if((evt->SDPK_sym.len > KEK_MAX_LEN) ||
			(evt->SDPK_Rpri.len > KEK_MAX_LEN) ||
			(evt->SDPK_Dpri.len > KEK_MAX_LEN)) {
		DEK_LOGE("%s Invalid args\n", __func__);
		DEK_LOGE("SDPK_Rpub.len : %d\n", evt->SDPK_sym.len);
		DEK_LOGE("SDPK_Dpub.len : %d\n", evt->SDPK_Rpri.len);
		DEK_LOGE("SDPK_Dpub.len : %d\n", evt->SDPK_Dpri.len);
		return -EINVAL;
	}

	memcpy(SDPK_sym[key_arr_idx].buf, evt->SDPK_sym.buf, evt->SDPK_sym.len);
	SDPK_sym[key_arr_idx].len = evt->SDPK_sym.len;
	memcpy(SDPK_Rpri[key_arr_idx].buf, evt->SDPK_Rpri.buf, evt->SDPK_Rpri.len);
	SDPK_Rpri[key_arr_idx].len = evt->SDPK_Rpri.len;
	memcpy(SDPK_Dpri[key_arr_idx].buf, evt->SDPK_Dpri.buf, evt->SDPK_Dpri.len);
	SDPK_Dpri[key_arr_idx].len = evt->SDPK_Dpri.len;

	sdp_tfm[key_arr_idx] = dek_aes_key_setup(evt->SDPK_sym.buf, evt->SDPK_sym.len);
	if (IS_ERR(sdp_tfm[key_arr_idx])) {
		DEK_LOGE("error setting up key\n");
		dek_add_to_log(evt->userid, "error setting up key");
		sdp_tfm[key_arr_idx] = NULL;
	}

#if DEK_DEBUG
	dump_all_keys(key_arr_idx);
#endif

	return 0;
}
Пример #10
0
static long dek_do_ioctl_evt(unsigned int minor, unsigned int cmd,
		unsigned long arg) {
	long ret = 0;
	void __user *ubuf = (void __user *)arg;
	void *cleanup = NULL;

	switch (cmd) {
	/*
	 * Event while booting.
	 *
	 * This event comes per persona, the driver is responsible to
	 * verify things good whether it's compromised.
	 */
	case DEK_ON_BOOT: {
		dek_arg_on_boot *evt = kzalloc(sizeof(dek_arg_on_boot), GFP_KERNEL);
		cleanup = evt;

		printk("dek: DEK_ON_BOOT\n");
		//memset(&evt, 0, sizeof(dek_arg_on_boot));

		if(copy_from_user(evt, ubuf, sizeof(dek_arg_on_boot))) {
			printk("dek: can't copy from user\n");
			ret = -EFAULT;
			goto err;
		}
		if (!dek_is_persona(evt->persona_id)) {
			ret = -EFAULT;
			goto err;
		}
		ret = dek_on_boot(evt);
		if (ret < 0) {
			dek_add_to_log(evt->persona_id, "Boot failed");
			goto err;
		}
		dek_add_to_log(evt->persona_id, "Booted");
		break;
	}
	/*
	 * Event when device is locked.
	 *
	 * Nullify private key which prevents decryption.
	 */
	case DEK_ON_DEVICE_LOCKED: {
		//dek_arg_on_device_locked evt;
		dek_arg_on_device_locked *evt = kzalloc(sizeof(dek_arg_on_device_locked), GFP_KERNEL);
		cleanup = evt;

		printk("dek: DEK_ON_DEVICE_LOCKED\n");
		//memset(&evt, 0, sizeof(dek_arg_on_device_locked));

		if(copy_from_user(evt, ubuf, sizeof(dek_arg_on_device_locked))) {
			printk("dek: can't copy from user\n");
			ret = -EFAULT;
			goto err;
		}
		if (!dek_is_persona(evt->persona_id)) {
			ret = -EFAULT;
			goto err;
		}
		ret = dek_on_device_locked(evt);
		if (ret < 0) {
			dek_add_to_log(evt->persona_id, "Lock failed");
			goto err;
		}
		dek_add_to_log(evt->persona_id, "Locked");

		printk("dek: after locked for id: %d\n", evt->persona_id);

		break;
	}
	/*
	 * Event when device unlocked.
	 *
	 * Read private key and decrypt with user password.
	 */
	case DEK_ON_DEVICE_UNLOCKED: {
		//dek_arg_on_device_unlocked evt;
		dek_arg_on_device_unlocked *evt = kzalloc(sizeof(dek_arg_on_device_unlocked), GFP_KERNEL);
		cleanup = evt;


		printk("dek: DEK_ON_DEVICE_UNLOCKED\n");
		//memset(&evt, 0, sizeof(dek_arg_on_device_unlocked));

		if(copy_from_user(evt, ubuf, sizeof(dek_arg_on_device_unlocked))) {
			printk("dek: can't copy from user\n");
			ret = -EFAULT;
			goto err;
		}
		if (!dek_is_persona(evt->persona_id)) {
			ret = -EFAULT;
			goto err;
		}
		ret = dek_on_device_unlocked(evt);
		if (ret < 0) {
			dek_add_to_log(evt->persona_id, "Unlock failed");
			goto err;
		}
		dek_add_to_log(evt->persona_id, "Unlocked");

		memset(evt, 0, sizeof(dek_arg_on_device_unlocked));
		break;
	}
	/*
	 * Event when new user(persona) added.
	 *
	 * Generate RSA public key and encrypt private key with given
	 * password. Also pub-key and encryped priv-key have to be stored
	 * in a file system.
	 */
	case DEK_ON_USER_ADDED: {
		//dek_arg_on_user_added evt;
		dek_arg_on_user_added *evt = kzalloc(sizeof(dek_arg_on_user_added), GFP_KERNEL);
		cleanup = evt;

		printk("dek: DEK_ON_USER_ADDED\n");
		//memset(&evt, 0, sizeof(dek_arg_on_user_added));

		if(copy_from_user(evt, ubuf, sizeof(dek_arg_on_user_added))) {
			printk("dek: can't copy from user\n");
			ret = -EFAULT;
			goto err;
		}
		if (!dek_is_persona(evt->persona_id)) {
			ret = -EFAULT;
			goto err;
		}
		ret = dek_on_user_added(evt);
		if (ret < 0) {
			dek_add_to_log(evt->persona_id, "Add user failed");
			goto err;
		}
		dek_add_to_log(evt->persona_id, "Added user");
		break;
	}
	/*
	 * Event when user is removed.
	 *
	 * Remove pub-key file & encrypted priv-key file.
	 */
	case DEK_ON_USER_REMOVED: {
		dek_arg_on_user_removed evt;

		printk("dek: DEK_ON_USER_REMOVED\n");
		memset(&evt, 0, sizeof(dek_arg_on_user_removed));

		if(copy_from_user(&evt, ubuf, sizeof(evt))) {
			printk("dek: can't copy from user\n");
			ret = -EFAULT;
			goto err;
		}
		if (!dek_is_persona(evt.persona_id)) {
			ret = -EFAULT;
			goto err;
		}
		ret = dek_on_user_removed(&evt);
		if (ret < 0) {
			dek_add_to_log(evt.persona_id, "Remove user failed");
			goto err;
		}
		dek_add_to_log(evt.persona_id, "Removed user");
		break;
	}
	/*
	 * Event when password changed.
	 *
	 * Encrypt priv_key with new password and store it.
	 */
	case DEK_ON_CHANGE_PASSWORD: {
		printk("dek: DEK_ON_CHANGE_PASSWORD << deprecated. SKIP\n");
		ret = 0;
		dek_add_to_log(0, "Changed password << deprecated");
		break;
	}
	default:
		printk("dek: case default\n");
		ret = -EINVAL;
		break;
	}

err:
	if (cleanup) {
		kfree(cleanup);
	}
	return ret;
}
Пример #11
0
static long dek_do_ioctl_evt(unsigned int minor, unsigned int cmd,
		unsigned long arg) {
	long ret = 0;
	void __user *ubuf = (void __user *)arg;
	void *cleanup = NULL;
	unsigned int size;

	switch (cmd) {
	/*
	 * Event while booting.
	 *
	 * This event comes per persona, the driver is responsible to
	 * verify things good whether it's compromised.
	 */
	case DEK_ON_BOOT: {
		dek_arg_on_boot *evt = kzalloc(sizeof(dek_arg_on_boot), GFP_KERNEL);
		
		DEK_LOGD("DEK_ON_BOOT\n");

		if (evt == NULL) {
			ret = -ENOMEM;
			goto err;
		}		
		cleanup = evt;
		size = sizeof(dek_arg_on_boot);

		if(copy_from_user(evt, ubuf, size)) {
			DEK_LOGE("can't copy from user evt\n");
			ret = -EFAULT;
			goto err;
		}
		ret = dek_on_boot(evt);
		if (ret < 0) {
			dek_add_to_log(evt->userid, "Boot failed");
			goto err;
		}
		dek_add_to_log(evt->userid, "Booted");
		break;
	}
	/*
	 * Event when device is locked.
	 *
	 * Nullify private key which prevents decryption.
	 */
	case DEK_ON_DEVICE_LOCKED: {
		dek_arg_on_device_locked *evt = kzalloc(sizeof(dek_arg_on_device_locked), GFP_KERNEL);
		
		DEK_LOGD("DEK_ON_DEVICE_LOCKED\n");
		if (evt == NULL) {
			ret = -ENOMEM;
			goto err;
		}		
		cleanup = evt;
		size = sizeof(dek_arg_on_device_locked);

		if(copy_from_user(evt, ubuf, size)) {
			DEK_LOGE("can't copy from user evt\n");
			ret = -EFAULT;
			goto err;
		}
		ret = dek_on_device_locked(evt);
		if (ret < 0) {
			dek_add_to_log(evt->userid, "Lock failed");
			goto err;
		}
		dek_add_to_log(evt->userid, "Locked");
		break;
	}
	/*
	 * Event when device unlocked.
	 *
	 * Read private key and decrypt with user password.
	 */
	case DEK_ON_DEVICE_UNLOCKED: {
		dek_arg_on_device_unlocked *evt = kzalloc(sizeof(dek_arg_on_device_unlocked), GFP_KERNEL);

		DEK_LOGD("DEK_ON_DEVICE_UNLOCKED\n");
		if (evt == NULL) {
			ret = -ENOMEM;
			goto err;
		}		
		cleanup = evt;
		size = sizeof(dek_arg_on_device_unlocked);

		if(copy_from_user(evt, ubuf, size)) {
			DEK_LOGE("can't copy from user evt\n");
			ret = -EFAULT;
			goto err;
		}
		ret = dek_on_device_unlocked(evt);
		if (ret < 0) {
			dek_add_to_log(evt->userid, "Unlock failed");
			goto err;
		}
		dek_add_to_log(evt->userid, "Unlocked");
		break;
	}
	/*
	 * Event when new user(persona) added.
	 *
	 * Generate RSA public key and encrypt private key with given
	 * password. Also pub-key and encryped priv-key have to be stored
	 * in a file system.
	 */
	case DEK_ON_USER_ADDED: {
		dek_arg_on_user_added *evt = kzalloc(sizeof(dek_arg_on_user_added), GFP_KERNEL);

		DEK_LOGD("DEK_ON_USER_ADDED\n");
		if (evt == NULL) {
			ret = -ENOMEM;
			goto err;
		}		
		cleanup = evt;
		size = sizeof(dek_arg_on_user_added);

		if(copy_from_user(evt, ubuf, size)) {
			DEK_LOGE("can't copy from user evt\n");
			ret = -EFAULT;
			goto err;
		}
		ret = dek_on_user_added(evt);
		if (ret < 0) {
			dek_add_to_log(evt->userid, "Add user failed");
			goto err;
		}
		dek_add_to_log(evt->userid, "Added user");
		break;
	}
	/*
	 * Event when user is removed.
	 *
	 * Remove pub-key file & encrypted priv-key file.
	 */
	case DEK_ON_USER_REMOVED: {
		dek_arg_on_user_removed *evt = kzalloc(sizeof(dek_arg_on_user_removed), GFP_KERNEL);
		
		DEK_LOGD("DEK_ON_USER_REMOVED\n");
		if (evt == NULL) {
			ret = -ENOMEM;
			goto err;
		}		
		cleanup = evt;
		size = sizeof(dek_arg_on_user_removed);

		if(copy_from_user(evt, ubuf, size)) {
			DEK_LOGE("can't copy from user evt\n");
			ret = -EFAULT;
			goto err;
		}
		ret = dek_on_user_removed(evt);
		if (ret < 0) {
			dek_add_to_log(evt->userid, "Remove user failed");
			goto err;
		}
		dek_add_to_log(evt->userid, "Removed user");
		break;
	}
	/*
	 * Event when password changed.
	 *
	 * Encrypt SDPK_Rpri with new password and store it.
	 */
	case DEK_ON_CHANGE_PASSWORD: {
		DEK_LOGD("DEK_ON_CHANGE_PASSWORD << deprecated. SKIP\n");
		ret = 0;
		dek_add_to_log(0, "Changed password << deprecated");
		break;
	}

	case DEK_DISK_CACHE_CLEANUP: {
		dek_arg_disk_cache_cleanup *evt = kzalloc(sizeof(dek_arg_disk_cache_cleanup), GFP_KERNEL);

		DEK_LOGD("DEK_DISK_CACHE_CLEANUP\n");
		if (evt == NULL) {
			ret = -ENOMEM;
			goto err;
		}
		cleanup = evt;
		size = sizeof(dek_arg_on_user_removed);

		if(copy_from_user(evt, ubuf, size)) {
			DEK_LOGE("can't copy from user evt\n");
			ret = -EFAULT;
			goto err;
		}
		if (!dek_is_persona(evt->userid)) {
			DEK_LOGE("%s invalid userid %d\n", __func__, evt->userid);
			ret = -EFAULT;
			goto err;
		}

		ecryptfs_mm_drop_cache(evt->userid);
		ret = 0;
		dek_add_to_log(evt->userid, "Disk cache clean up");
		break;
	}
	default:
		DEK_LOGE("%s case default\n", __func__);
		ret = -EINVAL;
		break;
	}

err:
	if (cleanup) {
		zero_out((char *)cleanup, size);
		kfree(cleanup);
	}
	return ret;
}
Пример #12
0
static int dek_decrypt_dek(int userid, dek_t *encDek, dek_t *plainDek) {
	int key_arr_idx;
	int dek_type = encDek->type;

	if (!dek_is_persona(userid)) {
		DEK_LOGE("%s invalid userid %d\n", __func__, userid);
		return -EFAULT;
	}
	key_arr_idx = PERSONA_KEY_ARR_IDX(userid);
#if DEK_DEBUG
	DEK_LOGD("encDek from user: "******"aes decrypt failed\n");
                dek_add_to_log(userid, "aes decrypt failed");
                plainDek->len = 0;
            } else {
                plainDek->len = encDek->len;
                plainDek->type = DEK_TYPE_PLAIN;
            }
        } else {
            DEK_LOGE("no SDPK_sym key for id: %d\n", userid);
            dek_add_to_log(userid, "decrypt failed, persona locked");
            return -EIO;
        }
        return 0;
	}
	case DEK_TYPE_RSA_ENC:
	{
#ifdef CONFIG_PUB_CRYPTO
        if(SDPK_Rpri[key_arr_idx].len > 0) {
            if(rsa_decryptByPair(encDek, plainDek, &SDPK_Rpri[key_arr_idx])){
                DEK_LOGE("rsa_decryptByPair failed");
                return -1;
            }
        }else{
            DEK_LOGE("SDPK_Rpri for id: %d\n", userid);
            dek_add_to_log(userid, "encrypt failed, no SDPK_Rpri");
            return -EIO;
        }
#else
        DEK_LOGE("Not supported key type: %d\n", encDek->type);
        dek_add_to_log(userid, "decrypt failed, DH type not supported");
        return -EOPNOTSUPP;
#endif
        return 0;
	}
	case DEK_TYPE_DH_ENC:
	{
#ifdef CONFIG_PUB_CRYPTO
        if(SDPK_Dpri[key_arr_idx].len > 0) {
            if(dh_decryptEDEK(encDek, plainDek, &SDPK_Dpri[key_arr_idx])){
                DEK_LOGE("dh_decryptEDEK failed");
                return -1;
            }
        }else{
            DEK_LOGE("SDPK_Dpri for id: %d\n", userid);
            dek_add_to_log(userid, "encrypt failed, no SDPK_Dpri");
            return -EIO;
        }
#else
        DEK_LOGE("Not supported key type: %d\n", encDek->type);
        dek_add_to_log(userid, "decrypt failed, DH type not supported");
        return -EOPNOTSUPP;
#endif
        return 0;
	}
	case DEK_TYPE_ECDH256_ENC:
	{
#ifdef CONFIG_PUB_CRYPTO
#if DEK_DEBUG
	    printk("DEK_TYPE_ECDH256_ENC encDek:"); dek_dump(encDek->buf, encDek->len);
#endif
        if(SDPK_EDpri[key_arr_idx].len > 0) {
            if(ecdh_decryptEDEK(encDek, plainDek, &SDPK_EDpri[key_arr_idx])){
                DEK_LOGE("ecdh_decryptEDEK failed");
                return -1;
            }
        }else{
            DEK_LOGE("SDPK_EDpri for id: %d\n", userid);
            dek_add_to_log(userid, "encrypt failed, no SDPK_EDpri");
            return -EIO;
        }
#else
        DEK_LOGE("Not supported key type: %d\n", encDek->type);
        dek_add_to_log(userid, "decrypt failed, ECDH type not supported");
        return -EOPNOTSUPP;
#endif
        return 0;
	}
	default:
	{
        DEK_LOGE("Unsupported edek type: %d\n", encDek->type);
        dek_add_to_log(userid, "decrypt failed, unsupported key type");
        return -EFAULT;
	}
	}
}
Пример #13
0
static int dek_decrypt_dek(int userid, dek_t *encDek, dek_t *plainDek) {
	int key_arr_idx = PERSONA_KEY_ARR_IDX(userid);

	if (!dek_is_persona(userid)) {
		DEK_LOGE("%s invalid userid %d\n", __func__, userid);
		return -EFAULT;
	}
#if DEK_DEBUG
	DEK_LOGD("encDek from user: "******"aes decrypt failed\n");
				dek_add_to_log(userid, "aes decrypt failed");
				plainDek->len = 0;
			} else {
				plainDek->len = encDek->len;
				plainDek->type = DEK_TYPE_PLAIN;
			}
		} else {
			DEK_LOGE("no SDPK_sym key for id: %d\n", userid);
			dek_add_to_log(userid, "decrypt failed, persona locked");
			return -EIO;
		}
	} else if (encDek->type == DEK_TYPE_RSA_ENC) {
		DEK_LOGE("Not supported key type: %d\n", encDek->type);
		dek_add_to_log(userid, "decrypt failed, RSA type not supported");
		return -EFAULT;
	} else if (encDek->type == DEK_TYPE_DH_ENC) {
#ifdef CONFIG_PUB_CRYPTO
		if(SDPK_Dpri[key_arr_idx].len > 0) {
			if(dh_decryptEDEK(encDek, plainDek, &SDPK_Dpri[key_arr_idx])){
			    DEK_LOGE("dh_decryptEDEK failed");
				return -1;
			}
		}else{
			DEK_LOGE("SDPK_Dpri for id: %d\n", userid);
			dek_add_to_log(userid, "encrypt failed, no SDPK_Dpri");
			return -EIO;
		}
#else
		DEK_LOGE("Not supported key type: %d\n", encDek->type);
		dek_add_to_log(userid, "decrypt failed, DH type not supported");
		return -EOPNOTSUPP;
#endif
	} else {
		DEK_LOGE("Unsupported decrypt key type: %d\n", encDek->type);
		dek_add_to_log(userid, "decrypt failed, unsupported key type");
		return -EFAULT;
	}

	if (plainDek->len <= 0 || plainDek->len > DEK_LEN) {
		DEK_LOGE("dek_decrypt_dek, incorrect len=%d\n", plainDek->len);
		zero_out((char *)plainDek, sizeof(dek_t));
		return -EFAULT;
	} else {
#if DEK_DEBUG
		DEK_LOGD("plainDek to user: ");
		dump(plainDek->buf, plainDek->len);
#endif
	}
	return 0;
}