socsvn commit: r289827 - in soc2013/def/crashdump-head: sbin/cryptcore sys/kern sys/sys
def at FreeBSD.org
def at FreeBSD.org
Mon Aug 17 15:27:29 UTC 2015
Author: def
Date: Mon Aug 17 15:27:26 2015
New Revision: 289827
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=289827
Log:
Use only one sysctl to setup EKCD.
Modified:
soc2013/def/crashdump-head/sbin/cryptcore/cryptcore.c
soc2013/def/crashdump-head/sys/kern/kern_shutdown.c
soc2013/def/crashdump-head/sys/sys/kerneldump.h
Modified: soc2013/def/crashdump-head/sbin/cryptcore/cryptcore.c
==============================================================================
--- soc2013/def/crashdump-head/sbin/cryptcore/cryptcore.c Mon Aug 17 13:07:12 2015 (r289826)
+++ soc2013/def/crashdump-head/sbin/cryptcore/cryptcore.c Mon Aug 17 15:27:26 2015 (r289827)
@@ -30,10 +30,10 @@
static void
cryptcore_genkey(const char *pubkeyfile)
{
- uint8_t key[KERNELDUMP_KEY_SIZE];
- uint8_t *encryptedkey;
FILE *fp;
+ struct kerneldumpsetup *kds;
RSA *pubkey;
+ size_t kdssize;
int pubkeysize;
PJDLOG_ASSERT(pubkeyfile != NULL);
@@ -51,13 +51,14 @@
pjdlog_exitx(1, "Unable to read data from %s.", pubkeyfile);
pubkeysize = RSA_size(pubkey);
- encryptedkey = calloc(1, pubkeysize);
- if (encryptedkey == NULL)
- pjdlog_exit(1, "Unable to allocate encrypted key");
-
- arc4random_buf(key, sizeof(key));
- if (RSA_public_encrypt(sizeof(key), key, encryptedkey, pubkey,
- RSA_PKCS1_PADDING) != pubkeysize) {
+ kdssize = sizeof(*kds) + pubkeysize;
+ kds = calloc(1, kdssize);
+ if (kds == NULL)
+ pjdlog_exit(1, "Unable to allocate kernel dump setup");
+
+ arc4random_buf(kds->kds_key, sizeof(kds->kds_key));
+ if (RSA_public_encrypt(sizeof(kds->kds_key), kds->kds_key,
+ kds->kds_encryptedkey, pubkey, RSA_PKCS1_PADDING) != pubkeysize) {
pjdlog_errno(LOG_ERR, "Unable to encrypt the one-time key");
goto failed;
}
@@ -65,25 +66,20 @@
/*
* From this moment on keys have to be erased before exit.
*/
- if (sysctlbyname("security.ekcd.key", NULL, NULL, key,
- KERNELDUMP_KEY_SIZE) != 0) {
+ if (sysctlbyname("security.ekcd.setup", NULL, NULL,
+ kds, kdssize) != 0) {
pjdlog_errno(LOG_ERR, "Unable to set key");
goto failed;
}
- if (sysctlbyname("security.ekcd.encryptedkey", NULL, NULL,
- encryptedkey, pubkeysize) != 0) {
- pjdlog_errno(LOG_ERR, "Unable to set encrypted key");
- goto failed;
- }
- bzero(key, sizeof(key));
- free(encryptedkey);
+ bzero(kds, kdssize);
+ free(kds);
RSA_free(pubkey);
return;
failed:
- bzero(key, sizeof(key));
- free(encryptedkey);
+ bzero(kds, kdssize);
+ free(kds);
RSA_free(pubkey);
exit(1);
}
Modified: soc2013/def/crashdump-head/sys/kern/kern_shutdown.c
==============================================================================
--- soc2013/def/crashdump-head/sys/kern/kern_shutdown.c Mon Aug 17 13:07:12 2015 (r289826)
+++ soc2013/def/crashdump-head/sys/kern/kern_shutdown.c Mon Aug 17 15:27:26 2015 (r289827)
@@ -159,8 +159,7 @@
static struct kerneldumpkey *dumpkey;
static int kerneldump_sysctl_enable(SYSCTL_HANDLER_ARGS);
-static int kerneldump_sysctl_key(SYSCTL_HANDLER_ARGS);
-static int kerneldump_sysctl_encryptedkey(SYSCTL_HANDLER_ARGS);
+static int kerneldump_sysctl_setup(SYSCTL_HANDLER_ARGS);
SYSCTL_NODE(_security, OID_AUTO, ekcd, CTLFLAG_RW, 0,
"Encrypted kernel crash dumps");
@@ -168,11 +167,8 @@
SYSCTL_PROC(_security_ekcd, OID_AUTO, enable, CTLTYPE_INT | CTLFLAG_RW, NULL, 0,
kerneldump_sysctl_enable, "I", "Enable encrypted kernel crash dumps");
-SYSCTL_PROC(_security_ekcd, OID_AUTO, key, CTLTYPE_OPAQUE | CTLFLAG_WR, NULL, 0,
- kerneldump_sysctl_key, "", "Key");
-
-SYSCTL_PROC(_security_ekcd, OID_AUTO, encryptedkey, CTLTYPE_OPAQUE | CTLFLAG_WR,
- NULL, 0, kerneldump_sysctl_encryptedkey, "", "Encrypted key");
+SYSCTL_PROC(_security_ekcd, OID_AUTO, setup, CTLTYPE_OPAQUE | CTLFLAG_WR, NULL,
+ 0, kerneldump_sysctl_setup, "", "Setup");
#endif /* EKCD */
/*
@@ -884,6 +880,9 @@
kdc->kdc_lastoffset = 0;
kdc->kdc_lastlength = 0;
+ di->kdc = kdc;
+ di->kdk = kdk;
+
return (0);
}
@@ -901,47 +900,36 @@
if (error != 0)
return (error);
- if (enable == 1)
- dumper.kdk = dumpkey;
- else
+ if (enable == 0) {
+ free(dumpkey, M_KDK);
+ dumpkey = NULL;
dumper.kdk = NULL;
+ }
return (0);
}
static int
-kerneldump_sysctl_key(SYSCTL_HANDLER_ARGS)
+kerneldump_sysctl_setup(SYSCTL_HANDLER_ARGS)
{
+ struct kerneldumpsetup kds;
+ struct kerneldumpkey *kdk;
+ size_t kdksize;
int error;
if (req->newptr == NULL)
return (EPERM);
- error = sysctl_handle_opaque(oidp, dumpcrypto.kdc_key,
- sizeof(dumpcrypto.kdc_key), req);
+ error = sysctl_handle_opaque(oidp, &kds, sizeof(kds), req);
if (error != 0)
return (error);
+ bcopy(kds.kds_key, dumpcrypto.kdc_key, sizeof(dumpcrypto.kdc_key));
arc4rand(dumpcrypto.kdc_iv, sizeof(dumpcrypto.kdc_iv), 0);
- return (kerneldump_crypto_init(&dumper, &dumpcrypto, dumpkey));
-}
-
-static int
-kerneldump_sysctl_encryptedkey(SYSCTL_HANDLER_ARGS)
-{
- struct kerneldumpkey *kdk;
- size_t encryptedkeylen, kdksize;
- int error;
-
- if (req->newptr == NULL)
- return (EPERM);
-
- encryptedkeylen = req->newlen;
- kdksize = ((sizeof(*kdk) + encryptedkeylen +
+ kdksize = ((sizeof(*kdk) + kds.kds_encryptedkeylen +
KERNELDUMP_BLOCK_SIZE - 1) / KERNELDUMP_BLOCK_SIZE) *
KERNELDUMP_BLOCK_SIZE;
-
kdk = (struct kerneldumpkey *)malloc(kdksize, M_KDK, M_WAITOK);
if (kdk == NULL)
return (ENOMEM);
@@ -950,7 +938,7 @@
kdk->kdk_algorithm = CRYPTO_AES_CBC;
kdk->kdk_keysize = KERNELDUMP_KEY_SIZE;
bcopy(dumpcrypto.kdc_iv, kdk->kdk_iv, sizeof(kdk->kdk_iv));
- kdk->kdk_encryptedkeylen = encryptedkeylen;
+ kdk->kdk_encryptedkeylen = kds.kds_encryptedkeylen;
error = sysctl_handle_opaque(oidp, kdk->kdk_encryptedkey,
kdk->kdk_encryptedkeylen, req);
@@ -963,7 +951,7 @@
dumpkey = kdk;
dumper.kdk = dumpkey;
- return (0);
+ return (kerneldump_crypto_init(&dumper, &dumpcrypto, dumpkey));
}
#endif /* EKCD */
Modified: soc2013/def/crashdump-head/sys/sys/kerneldump.h
==============================================================================
--- soc2013/def/crashdump-head/sys/sys/kerneldump.h Mon Aug 17 13:07:12 2015 (r289826)
+++ soc2013/def/crashdump-head/sys/sys/kerneldump.h Mon Aug 17 15:27:26 2015 (r289827)
@@ -91,6 +91,12 @@
uint32_t parity;
};
+struct kerneldumpsetup {
+ uint8_t kds_key[KERNELDUMP_KEY_SIZE];
+ uint32_t kds_encryptedkeylen;
+ uint8_t kds_encryptedkey[];
+};
+
struct kerneldumpkey {
uint32_t kdk_size;
uint8_t kdk_algorithm;
More information about the svn-soc-all
mailing list