From 51a92d357aebc84b45cf8c90061319d22b170bb5 Mon Sep 17 00:00:00 2001
From: Miloslav Trmač
Date: Tue, 24 Aug 2010 20:43:13 +0200
Subject: Reject prohibited key flags immediately

Silently ignoring user's requests is unexpected.
---
 examples/ncr.c | 18 ++++++++----------
 ncr-int.h | 2 +-
 ncr-key-wrap.c | 13 +++++++++++--
 ncr-key.c | 41 ++++++++++++++++++++++++++++++-----------
 4 files changed, 50 insertions(+), 24 deletions(-)

diff --git a/examples/ncr.c b/examples/ncr.c
index 5169a149e31..7de67ee9a61 100644
--- a/examples/ncr.c
+++ b/examples/ncr.c
@@ -240,12 +240,18 @@ test_ncr_wrap_key(int cfd)
 keydata.idata = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F";
 keydata.idata_size = 16;
- if (ioctl(cfd, NCRIO_KEY_IMPORT, &keydata)) {
+ ret = ioctl(cfd, NCRIO_KEY_IMPORT, &keydata);
+ if (geteuid() == 0 && ret) {
 fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
 perror("ioctl(NCRIO_KEY_IMPORT)");
 return 1;
 }
+ if (geteuid() != 0) {
+ /* cannot test further */
+ fprintf(stdout, "\t(Wrapping test not completed. Run as root)\n");
+ return 0;
+ }
 /* convert it to key */
 if (ioctl(cfd, NCRIO_KEY_INIT, &key2)) {
@@ -279,19 +285,11 @@ test_ncr_wrap_key(int cfd)
 kwrap.io = data;
 kwrap.io_size = sizeof(data);
- ret = ioctl(cfd, NCRIO_KEY_WRAP, &kwrap);
-
- if (geteuid() == 0 && ret) {
+ if (ioctl(cfd, NCRIO_KEY_WRAP, &kwrap)) {
 fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
 perror("ioctl(NCRIO_KEY_WRAP)");
 return 1;
 }
-
- if (geteuid() != 0) {
- /* cannot test further */
- fprintf(stdout, "\t(Wrapping test not completed. Run as root)\n");
- return 0;
- }
 data_size = kwrap.io_size;
diff --git a/ncr-int.h b/ncr-int.h
index 6277619b257..03ad298b4d1 100644
--- a/ncr-int.h
+++ b/ncr-int.h
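Review bot: In the non-root branch the test returns 0 without ever consulting `ret`, so an unprivileged NCRIO_KEY_IMPORT that unexpectedly succeeds — i.e. the kernel not rejecting the flag this commit is about — passes silently, and a failure for some reason other than EPERM is also accepted. Presumably keydata.flags, set above the hunk, requests NCR_KEY_FLAG_WRAPPING; if so, assert the expected rejection before bailing out, e.g. `if (geteuid() != 0 && (ret == 0 || errno != EPERM)) { fprintf(stderr, "Error: %s:%d (expected EPERM)\n", __func__, __LINE__); return 1; }` placed right after the ioctl, while errno is still the ioctl's. The "Run as root" message can then honestly mean "the rejection was verified, the wrap itself was not". test_ncr_wrap_key begins and ends outside this hunk.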
@@ -110,7 +110,7 @@ long ncr_ioctl(struct ncr_lists *lst, unsigned int cmd, unsigned long arg);
 int ncr_key_derive(struct ncr_lists *lst, void __user* arg);
 void ncr_key_clear(struct key_item_st* item);
-void ncr_key_assign_flags(struct key_item_st* item, unsigned int flags);
+int ncr_key_assign_flags(struct key_item_st *item, unsigned int flags);
 /* key handling */
 int ncr_key_init(struct ncr_lists *lst, void __user* arg);
diff --git a/ncr-key-wrap.c b/ncr-key-wrap.c
index 93103b5a9a5..eea252ee85c 100644
--- a/ncr-key-wrap.c
+++ b/ncr-key-wrap.c
@@ -455,12 +455,17 @@ const uint8_t * iv = wrap_st->params.params.cipher.iv;
 goto cleanup;
 }
+ ret = ncr_key_assign_flags(output, wrap_st->wrapped_key_flags);
+ if (ret != 0) {
+ err();
+ goto cleanup;
+ }
+
 memset(&output->key, 0, sizeof(output->key));
 for (i=0;ikey.secret.data[i*8], R[i], sizeof(R[i])); }
 output->key.secret.size = n*8;
- ncr_key_assign_flags(output, wrap_st->wrapped_key_flags);
 output->type = NCR_KEY_TYPE_SECRET;
 ret = 0;
@@ -864,7 +869,11 @@ static int key_from_packed_data(ncr_algorithm_t algorithm, unsigned int flags,
 }
 key->type = key->algorithm->key_type;
- ncr_key_assign_flags(key, flags);
+ ret = ncr_key_assign_flags(key, flags);
+ if (ret != 0) {
+ err();
+ return ret;
+ }
 if (key->type == NCR_KEY_TYPE_SECRET) {
 if (data_size > NCR_CIPHER_MAX_KEY_LEN) {
diff --git a/ncr-key.c b/ncr-key.c
index 8f74ade80e3..3860f7f54f4 100644
--- a/ncr-key.c
+++ b/ncr-key.c
@@ -309,13 +309,12 @@ fail:
 }
-void ncr_key_assign_flags(struct key_item_st* item, unsigned int flags)
+int ncr_key_assign_flags(struct key_item_st* item, unsigned int flags)
 {
- if (current_euid()==0) {
- item->flags = flags;
- } else {
- item->flags = flags & (~(NCR_KEY_FLAG_WRAPPING));
- }
+ if (current_euid() != 0 && (flags & NCR_KEY_FLAG_WRAPPING) != 0)
+ return -EPERM;
+ item->flags = flags;
+ return 0;
 }
 /* "imports" a key from a data item. If the key is not exportable
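Review bot: The new `int` return of `ncr_key_assign_flags()` is not documented in the header, and callers in this commit check it two different ways, so the contract should be spelled out where it is declared. I would put above the prototype: `/* Validate FLAGS for the calling process and store them in ITEM. Returns 0, or -EPERM when an unprivileged caller requests a root-only flag (currently NCR_KEY_FLAG_WRAPPING); item->flags is left untouched on error. */`. The "untouched on error" part is what the ncr-key.c implementation in this commit does and is what the `goto fail` paths rely on.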
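Review bot: The -EPERM check is placed after the key has already been unwrapped: the `memcpy(..., R[i], ...)` that follows copies bytes already recovered into `R`, so a request that will be refused still performs the whole unwrap and exits through `cleanup` with the plaintext key sitting in `R`. `wrap_st->wrapped_key_flags` is known on entry, so the `ncr_key_assign_flags(output, ...)` call (or at least the euid/NCR_KEY_FLAG_WRAPPING test) belongs at the top of the function, before any cryptographic work, which also matches the commit's "reject immediately" intent. Independently, `R` should be cleared on every exit path; its declaration and the `cleanup` label are outside the hunk, so I cannot tell whether that already happens. The enclosing function starts and ends outside this hunk.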
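Review bot: The new `return ret;` leaves key_from_packed_data directly, after `key->type = key->algorithm->key_type;` has already been written, whereas the other failure paths in this commit go through a `fail` label; that is only safe if nothing acquired earlier in this function needs releasing, and the function's start is outside the hunk, so please confirm. Moving the `ncr_key_assign_flags(key, flags)` check ahead of the type assignment (ideally ahead of the algorithm lookup) would reject the request before the item is half-initialized and sidestep the question. Note `ret` must already be declared in this function for the hunk to compile; the declaration is not visible here.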
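Review bot: `current_euid() != 0` gates NCR_KEY_FLAG_WRAPPING on the raw root uid rather than on a capability, which is the kernel's privilege model; the pre-commit code had the same test, so this is not a regression, but this rewrite is the natural place to change it to `if (!capable(CAP_SYS_ADMIN) && (flags & NCR_KEY_FLAG_WRAPPING) != 0)` (or a more specific capability if the project defines one), which also behaves sensibly under capability-based delegation. The function still accepts any bit outside the defined NCR_KEY_FLAG_* set silently, which sits oddly with the commit title; if the header has a mask of known flags, returning -EINVAL for unknown bits here would make every ioctl that takes flags reject garbage consistently. The new contract should be stated above the definition: `/* Returns 0, or -EPERM if an unprivileged caller asks for NCR_KEY_FLAG_WRAPPING; item->flags is not modified on error. */`.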
@@ -363,7 +362,11 @@ size_t tmp_size;
 ret = -EINVAL;
 goto fail;
 }
- ncr_key_assign_flags(item, data.flags);
+ ret = ncr_key_assign_flags(item, data.flags);
+ if (ret < 0) {
+ err();
+ goto fail;
+ }
 if (data.key_id_size > MAX_KEY_ID_SIZE) {
 err();
@@ -451,7 +454,11 @@ size_t size;
 ncr_key_clear(item);
 /* we generate only secret keys */
- ncr_key_assign_flags(item, gen.params.keyflags);
+ ret = ncr_key_assign_flags(item, gen.params.keyflags);
+ if (ret < 0) {
+ err();
+ goto fail;
+ }
 algo = _ncr_algo_to_properties(gen.params.algorithm);
 if (algo == NULL) {
@@ -669,8 +676,16 @@ int ret;
 }
 public->type = public->algorithm->key_type;
 private->type = NCR_KEY_TYPE_PRIVATE;
- ncr_key_assign_flags(private, gen.params.keyflags);
- ncr_key_assign_flags(public, gen.params.keyflags);
+ ret = ncr_key_assign_flags(private, gen.params.keyflags);
+ if (ret < 0) {
+ err();
+ goto fail;
+ }
+ ret = ncr_key_assign_flags(public, gen.params.keyflags);
+ if (ret < 0) {
+ err();
+ goto fail;
+ }
 public->flags |= (NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE);
@@ -736,7 +751,11 @@ struct key_item_st* newkey = NULL;
 ncr_key_clear(newkey);
- ncr_key_assign_flags(newkey, data.keyflags);
+ ret = ncr_key_assign_flags(newkey, data.keyflags);
+ if (ret < 0) {
+ err();
+ goto fail;
+ }
 switch (key->type) {
 case NCR_KEY_TYPE_PUBLIC:
--
cgit
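Review bot: The four ncr-key.c call sites test `if (ret < 0)` while the two ncr-key-wrap.c call sites added by the same commit test `if (ret != 0)`; both work because the function returns 0 or -EPERM, but one convention should be used throughout so a future non-negative "soft" return cannot be handled differently by accident. Since the rest of this file already treats negative values as errors (`ret = -EINVAL; goto fail;` just above), `ret < 0` is the one to keep and the wrap code should be brought in line. The enclosing function starts and ends outside the hunk.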
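Review bot: The second `ncr_key_assign_flags(public, gen.params.keyflags)` call cannot fail once the first one on `private` succeeded — same flags, same calling process — so its `goto fail` branch is dead code, and a reader may wonder what it is guarding. Replacing the second call and its check with `public->flags = private->flags;` says exactly what happens and keeps the subsequent `public->flags |= (NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE)` unchanged. Whether a public key should ever carry NCR_KEY_FLAG_WRAPPING when root requests it for the pair is a separate question I cannot settle from this hunk.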
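Review bot: The derived key's flags come solely from the caller-supplied `data.keyflags`; nothing in this hunk relates them to the source key's `key->flags`, so unless the per-type code under `switch (key->type)` clamps them, a caller holding a non-exportable key can derive a key marked exportable. That may well be intended (the derived value is not the source key), but it deserves a one-line comment either way, e.g. `/* flags of the derived key are chosen by the caller; they are not inherited from the source key */`, or an explicit `data.keyflags &= key->flags | <flags always allowed>` if inheritance is the policy. The enclosing function starts and ends outside the hunk.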