128 files changed, 6799 insertions, 594 deletions
diff --git a/.gitignore b/.gitignore index 57af07cf7e6..0f2f40f7191 100644 --- a/.gitignore +++ b/.gitignore @@ -14,6 +14,10 @@ *.o.* *.a *.s +*.ko.unsigned +*.ko.stripped +*.ko.stripped.dig +*.ko.stripped.sig *.ko *.so *.so.dbg @@ -84,3 +88,13 @@ GTAGS *.orig *~ \#*# + +# +# Leavings from module signing +# +extra_certificates +signing_key.priv +signing_key.x509 +signing_key.x509.keyid +signing_key.x509.signer +x509.genkey diff --git a/Documentation/crypto/asymmetric-keys.txt b/Documentation/crypto/asymmetric-keys.txt new file mode 100644 index 00000000000..b7675904a74 --- /dev/null +++ b/Documentation/crypto/asymmetric-keys.txt 
@@ -0,0 +1,312 @@ + ============================================= + ASYMMETRIC / PUBLIC-KEY CRYPTOGRAPHY KEY TYPE + ============================================= + +Contents: + + - Overview. + - Key identification. + - Accessing asymmetric keys. + - Signature verification. + - Asymmetric key subtypes. + - Instantiation data parsers. + + +======== +OVERVIEW +======== + +The "asymmetric" key type is designed to be a container for the keys used in +public-key cryptography, without imposing any particular restrictions on the +form or mechanism of the cryptography or form of the key. + +The asymmetric key is given a subtype that defines what sort of data is +associated with the key and provides operations to describe and destroy it. +However, no requirement is made that the key data actually be stored in the +key. + +A completely in-kernel key retention and operation subtype can be defined, but +it would also be possible to provide access to cryptographic hardware (such as +a TPM) that might be used to both retain the relevant key and perform +operations using that key. In such a case, the asymmetric key would then +merely be an interface to the TPM driver. + +Also provided is the concept of a data parser. Data parsers are responsible +for extracting information from the blobs of data passed to the instantiation +function. The first data parser that recognises the blob gets to set the +subtype of the key and define the operations that can be done on that key. + +A data parser may interpret the data blob as containing the bits representing a +key, or it may interpret it as a reference to a key held somewhere else in the +system (for example, a TPM). + + +================== +KEY IDENTIFICATION +================== + +If a key is added with an empty name, the instantiation data parsers are given +the opportunity to pre-parse a key and to determine the description the key +should be given from the content of the key. 
+ +This can then be used to refer to the key, either by complete match or by +partial match. The key type may also use other criteria to refer to a key. + +The asymmetric key type's match function can then perform a wider range of +comparisons than just the straightforward comparison of the description with +the criterion string: + + (1) If the criterion string is of the form "id:<hexdigits>" then the match + function will examine a key's fingerprint to see if the hex digits given + after the "id:" match the tail. For instance: + + keyctl search @s asymmetric id:5acc2142 + + will match a key with fingerprint: + + 1A00 2040 7601 7889 DE11 882C 3823 04AD 5ACC 2142 + + (2) If the criterion string is of the form "<subtype>:<hexdigits>" then the + match will match the ID as in (1), but with the added restriction that + only keys of the specified subtype (e.g. tpm) will be matched. For + instance: + + keyctl search @s asymmetric tpm:5acc2142 + +Looking in /proc/keys, the last 8 hex digits of the key fingerprint are +displayed, along with the subtype: + + 1a39e171 I----- 1 perm 3f010000 0 0 asymmetri modsign.0: DSA 5acc2142 [] + + +========================= +ACCESSING ASYMMETRIC KEYS +========================= + +For general access to asymmetric keys from within the kernel, the following +inclusion is required: + + #include <crypto/public_key.h> + +This gives access to functions for dealing with asymmetric / public keys. +Three enums are defined there for representing public-key cryptography +algorithms: + + enum pkey_algo + +digest algorithms used by those: + + enum pkey_hash_algo + |
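Review bot: in the second .gitignore hunk, adding `signing_key.priv` (together with `signing_key.x509*` and `x509.genkey`) keeps an auto-generated signing key pair out of commits, but an ignore rule is not protection: the private key still sits in the source tree on the build host, `git add -f` or a tarball of the tree would still pick it up, and nothing in this hunk says how it should be handled. Suggest the module-signing documentation that goes with this change states the file mode the key is written with and that the key should be moved off the build host (or deleted) once the modules are signed. The "Leavings from module signing" comment block is a good pattern; the `*.ko.unsigned` / `*.ko.stripped*` entries in the first hunk would benefit from the same one-line explanation of which build step produces them.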
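Review bot: in the KEY IDENTIFICATION section of Documentation/crypto/asymmetric-keys.txt, the `id:<hexdigits>` criterion is described as matching the tail of the fingerprint, and the example uses only eight hex digits (`keyctl search @s asymmetric id:5acc2142`), which is also what `/proc/keys` displays. The text should state explicitly that a short suffix can match more than one key, what the search returns in that case, and that callers who need to pin a specific signer should pass as much of the fingerprint as they have; `<subtype>:<hexdigits>` narrows the candidate set but does not remove that ambiguity. In the OVERVIEW, "The first data parser that recognises the blob gets to set the subtype" leaves the parser ordering undefined; say whether the order is registration order and that a parser must reject blobs it cannot fully validate rather than claim them, since the winning parser decides which operations the key supports.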