[PATCH 5/5] Audit type-specific crypto operations

Tue, 23 Nov 2010 04:51:29 -0800 

Signed-off-by: Miloslav Trmač <m...@redhat.com>
---
 crypto/af_alg.c         |   14 ++++++++++++++
 crypto/algif_hash.c     |   27 +++++++++++++++++++++++----
 crypto/algif_skcipher.c |   15 +++++++++++++++
 include/crypto/if_alg.h |    6 ++++++
 4 files changed, 58 insertions(+), 4 deletions(-)

diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index fc1b0f7..450d51a 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -542,6 +542,20 @@ void af_alg_complete(struct crypto_async_request *req, int 
err)
 }
 EXPORT_SYMBOL_GPL(af_alg_complete);
 
+#ifdef CONFIG_AUDIT
+int af_alg_audit_crypto_op(struct sock *sk, const char *operation, int ctx2)
+{
+       struct alg_sock *ask = alg_sk(sk);
+       struct alg_sock *parent_ask = alg_sk(ask->parent);
+       const char *alg_name;
+
+       alg_name = parent_ask->type->alg_name(parent_ask->private);
+       return audit_log_crypto_op(AUDIT_CRYPTO_OP_CTX_OP, parent_ask->id,
+                                  ask->id, ctx2, alg_name, operation);
+}
+EXPORT_SYMBOL_GPL(af_alg_audit_crypto_op);
+#endif
+
 static int __init af_alg_init(void)
 {
        int err = proto_register(&alg_proto, 0);
diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
index 3a61e9d..7e3ffd1 100644
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -46,6 +46,10 @@ static int hash_sendmsg(struct kiocb *unused, struct socket 
*sock,
        long copied = 0;
        int err;
 
+       err = af_alg_audit_crypto_op(sk, "hash-input", -1);
+       if (err)
+               return err;
+
        if (limit > sk->sk_sndbuf)
                limit = sk->sk_sndbuf;
 
@@ -112,6 +116,10 @@ static ssize_t hash_sendpage(struct socket *sock, struct 
page *page,
        struct hash_ctx *ctx = ask->private;
        int err;
 
+       err = af_alg_audit_crypto_op(sk, "hash-input", -1);
+       if (err)
+               return err;
+
        lock_sock(sk);
        sg_init_table(ctx->sgl.sg, 1);
        sg_set_page(ctx->sgl.sg, page, size, offset);
@@ -154,6 +162,10 @@ static int hash_recvmsg(struct kiocb *unused, struct 
socket *sock,
        unsigned ds = crypto_ahash_digestsize(crypto_ahash_reqtfm(&ctx->req));
        int err;
 
+       err = af_alg_audit_crypto_op(sk, "hash-output", -1);
+       if (err)
+               return err;
+
        if (len > ds)
                len = ds;
        else if (len < ds)
@@ -202,12 +214,19 @@ static int hash_accept(struct socket *sock, struct socket 
*newsock, int flags)
        ctx2 = ask2->private;
        ctx2->more = 1;
 
+       err = af_alg_audit_crypto_op(sk, "hash-clone", ask2->id);
+       if (err)
+               goto error_sk2;
+
        err = crypto_ahash_import(&ctx2->req, state);
-       if (err) {
-               sock_orphan(sk2);
-               sock_put(sk2);
-       }
+       if (err)
+               goto error_sk2;
+
+       return err;
 
+error_sk2:
+       sock_orphan(sk2);
+       sock_put(sk2);
        return err;
 }
 
diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index e14c8be..f69a109 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -283,6 +283,11 @@ static int skcipher_sendmsg(struct kiocb *unused, struct 
socket *sock,
                        memcpy(ctx->iv, con.iv->iv, ivsize);
        }
 
+       err = af_alg_audit_crypto_op(sk, ctx->enc ? "encrypt-input"
+                                    : "decrypt-input", -1);
+       if (err)
+               goto unlock;
+
        limit = max_t(int, sk->sk_sndbuf, PAGE_SIZE);
        limit -= ctx->used;
 
@@ -384,6 +389,11 @@ static ssize_t skcipher_sendpage(struct socket *sock, 
struct page *page,
        int err = -EINVAL;
        int limit;
 
+       err = af_alg_audit_crypto_op(sk, ctx->enc ? "encrypt-input"
+                                    : "decrypt-input", -1);
+       if (err)
+               return err;
+
        lock_sock(sk);
        if (!ctx->more && ctx->used)
                goto unlock;
@@ -443,6 +453,11 @@ static int skcipher_recvmsg(struct kiocb *unused, struct 
socket *sock,
        int used;
        long copied = 0;
 
+       err = af_alg_audit_crypto_op(sk, ctx->enc ? "encrypt-output"
+                                    : "decrypt-output", -1);
+       if (err)
+               return err;
+
        lock_sock(sk);
        for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0;
             iovlen--, iov++) {
diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h
index 092c599..6650ae5 100644
--- a/include/crypto/if_alg.h
+++ b/include/crypto/if_alg.h
@@ -80,6 +80,12 @@ int af_alg_cmsg_send(struct msghdr *msg, struct 
af_alg_control *con);
 int af_alg_wait_for_completion(int err, struct af_alg_completion *completion);
 void af_alg_complete(struct crypto_async_request *req, int err);
 
+#ifdef CONFIG_AUDIT
+int af_alg_audit_crypto_op(struct sock *sk, const char *operation, int ctx2);
+#else
+#define af_alg_audit_crypto_op(sk, operation, ctx2) (0)
+#endif
+
 static inline struct alg_sock *alg_sk(struct sock *sk)
 {
        return (struct alg_sock *)sk;
-- 
1.7.3.2

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to