mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-26 04:16:39 +00:00
xfrm: redact SA secret with lockdown confidentiality
redact XFRM SA secret in the netlink response to xfrm_get_sa() or dumpall sa. Enable lockdown, confidentiality mode, at boot or at run time. e.g. when enabled: cat /sys/kernel/security/lockdown none integrity [confidentiality] ip xfrm state src 172.16.1.200 dst 172.16.1.100 proto esp spi 0x00000002 reqid 2 mode tunnel replay-window 0 aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 96 note: the aead secret is redacted. Redacting secret is also a FIPS 140-2 requirement. v1->v2 - add size checks before memset calls v2->v3 - replace spaces with tabs for consistency v3->v4 - use kernel lockdown instead of a /proc setting v4->v5 - remove kconfig option Reviewed-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Antony Antony <antony.antony@secunet.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
This commit is contained in:
Antony Antony
Steffen Klassert
parent
8be33ecfc1
commit
c7a5899eb2
3 changed files with 69 additions and 7 deletions
|
|
@ -127,6 +127,7 @@ enum lockdown_reason {
|
|||
LOCKDOWN_PERF,
|
||||
LOCKDOWN_TRACEFS,
|
||||
LOCKDOWN_XMON_RW,
|
||||
LOCKDOWN_XFRM_SECRET,
|
||||
LOCKDOWN_CONFIDENTIALITY_MAX,
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -848,21 +848,84 @@ static int copy_user_offload(struct xfrm_state_offload *xso, struct sk_buff *skb
|
|||
return 0;
|
||||
}
|
||||
|
||||
static bool xfrm_redact(void)
|
||||
{
|
||||
return IS_ENABLED(CONFIG_SECURITY) &&
|
||||
security_locked_down(LOCKDOWN_XFRM_SECRET);
|
||||
}
|
||||
|
||||
static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb)
|
||||
{
|
||||
struct xfrm_algo *algo;
|
||||
struct xfrm_algo_auth *ap;
|
||||
struct nlattr *nla;
|
||||
bool redact_secret = xfrm_redact();
|
||||
|
||||
nla = nla_reserve(skb, XFRMA_ALG_AUTH,
|
||||
sizeof(*algo) + (auth->alg_key_len + 7) / 8);
|
||||
if (!nla)
|
||||
return -EMSGSIZE;
|
||||
|
||||
algo = nla_data(nla);
|
||||
strncpy(algo->alg_name, auth->alg_name, sizeof(algo->alg_name));
|
||||
memcpy(algo->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8);
|
||||
|
||||
if (redact_secret && auth->alg_key_len)
|
||||
memset(algo->alg_key, 0, (auth->alg_key_len + 7) / 8);
|
||||
else
|
||||
memcpy(algo->alg_key, auth->alg_key,
|
||||
(auth->alg_key_len + 7) / 8);
|
||||
algo->alg_key_len = auth->alg_key_len;
|
||||
|
||||
nla = nla_reserve(skb, XFRMA_ALG_AUTH_TRUNC, xfrm_alg_auth_len(auth));
|
||||
if (!nla)
|
||||
return -EMSGSIZE;
|
||||
ap = nla_data(nla);
|
||||
memcpy(ap, auth, sizeof(struct xfrm_algo_auth));
|
||||
if (redact_secret && auth->alg_key_len)
|
||||
memset(ap->alg_key, 0, (auth->alg_key_len + 7) / 8);
|
||||
else
|
||||
memcpy(ap->alg_key, auth->alg_key,
|
||||
(auth->alg_key_len + 7) / 8);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int copy_to_user_aead(struct xfrm_algo_aead *aead, struct sk_buff *skb)
|
||||
{
|
||||
struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_AEAD, aead_len(aead));
|
||||
struct xfrm_algo_aead *ap;
|
||||
bool redact_secret = xfrm_redact();
|
||||
|
||||
if (!nla)
|
||||
return -EMSGSIZE;
|
||||
|
||||
ap = nla_data(nla);
|
||||
memcpy(ap, aead, sizeof(*aead));
|
||||
|
||||
if (redact_secret && aead->alg_key_len)
|
||||
memset(ap->alg_key, 0, (aead->alg_key_len + 7) / 8);
|
||||
else
|
||||
memcpy(ap->alg_key, aead->alg_key,
|
||||
(aead->alg_key_len + 7) / 8);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int copy_to_user_ealg(struct xfrm_algo *ealg, struct sk_buff *skb)
|
||||
{
|
||||
struct xfrm_algo *ap;
|
||||
bool redact_secret = xfrm_redact();
|
||||
struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_CRYPT,
|
||||
xfrm_alg_len(ealg));
|
||||
if (!nla)
|
||||
return -EMSGSIZE;
|
||||
|
||||
ap = nla_data(nla);
|
||||
memcpy(ap, ealg, sizeof(*ealg));
|
||||
|
||||
if (redact_secret && ealg->alg_key_len)
|
||||
memset(ap->alg_key, 0, (ealg->alg_key_len + 7) / 8);
|
||||
else
|
||||
memcpy(ap->alg_key, ealg->alg_key,
|
||||
(ealg->alg_key_len + 7) / 8);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
@ -906,20 +969,17 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
|
|||
goto out;
|
||||
}
|
||||
if (x->aead) {
|
||||
ret = nla_put(skb, XFRMA_ALG_AEAD, aead_len(x->aead), x->aead);
|
||||
ret = copy_to_user_aead(x->aead, skb);
|
||||
if (ret)
|
||||
goto out;
|
||||
}
|
||||
if (x->aalg) {
|
||||
ret = copy_to_user_auth(x->aalg, skb);
|
||||
if (!ret)
|
||||
ret = nla_put(skb, XFRMA_ALG_AUTH_TRUNC,
|
||||
xfrm_alg_auth_len(x->aalg), x->aalg);
|
||||
if (ret)
|
||||
goto out;
|
||||
}
|
||||
if (x->ealg) {
|
||||
ret = nla_put(skb, XFRMA_ALG_CRYPT, xfrm_alg_len(x->ealg), x->ealg);
|
||||
ret = copy_to_user_ealg(x->ealg, skb);
|
||||
if (ret)
|
||||
goto out;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -65,6 +65,7 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
|
|||
[LOCKDOWN_PERF] = "unsafe use of perf",
|
||||
[LOCKDOWN_TRACEFS] = "use of tracefs",
|
||||
[LOCKDOWN_XMON_RW] = "xmon read and write access",
|
||||
[LOCKDOWN_XFRM_SECRET] = "xfrm SA secret",
|
||||
[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
|
||||
};
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue