Signed-off-by: Miloslav Trmač <mitr(a)redhat.com>
---
crypto/af_alg.c | 14 ++++++++++++++
crypto/algif_hash.c | 27 +++++++++++++++++++++++----
crypto/algif_skcipher.c | 15 +++++++++++++++
include/crypto/if_alg.h | 6 ++++++
4 files changed, 58 insertions(+), 4 deletions(-)
diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index fc1b0f7..450d51a 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -542,6 +542,20 @@ void af_alg_complete(struct crypto_async_request *req, int err)
}
EXPORT_SYMBOL_GPL(af_alg_complete);
+#ifdef CONFIG_AUDIT
+int af_alg_audit_crypto_op(struct sock *sk, const char *operation, int ctx2)
+{
+ struct alg_sock *ask = alg_sk(sk);
+ struct alg_sock *parent_ask = alg_sk(ask->parent);
+ const char *alg_name;
+
+ alg_name = parent_ask->type->alg_name(parent_ask->private);
+ return audit_log_crypto_op(AUDIT_CRYPTO_OP_CTX_OP, parent_ask->id,
+ ask->id, ctx2, alg_name, operation);
+}
+EXPORT_SYMBOL_GPL(af_alg_audit_crypto_op);
+#endif
+
static int __init af_alg_init(void)
{
int err = proto_register(&alg_proto, 0);
diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
index 3a61e9d..7e3ffd1 100644
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -46,6 +46,10 @@ static int hash_sendmsg(struct kiocb *unused, struct socket *sock,
long copied = 0;
int err;
+ err = af_alg_audit_crypto_op(sk, "hash-input", -1);
+ if (err)
+ return err;
+
if (limit > sk->sk_sndbuf)
limit = sk->sk_sndbuf;
@@ -112,6 +116,10 @@ static ssize_t hash_sendpage(struct socket *sock, struct page *page,
struct hash_ctx *ctx = ask->private;
int err;
+ err = af_alg_audit_crypto_op(sk, "hash-input", -1);
+ if (err)
+ return err;
+
lock_sock(sk);
sg_init_table(ctx->sgl.sg, 1);
sg_set_page(ctx->sgl.sg, page, size, offset);
@@ -154,6 +162,10 @@ static int hash_recvmsg(struct kiocb *unused, struct socket *sock,
unsigned ds = crypto_ahash_digestsize(crypto_ahash_reqtfm(&ctx->req));
int err;
+ err = af_alg_audit_crypto_op(sk, "hash-output", -1);
+ if (err)
+ return err;
+
if (len > ds)
len = ds;
else if (len < ds)
@@ -202,12 +214,19 @@ static int hash_accept(struct socket *sock, struct socket *newsock,
int flags)
ctx2 = ask2->private;
ctx2->more = 1;
+ err = af_alg_audit_crypto_op(sk, "hash-clone", ask2->id);
+ if (err)
+ goto error_sk2;
+
err = crypto_ahash_import(&ctx2->req, state);
- if (err) {
- sock_orphan(sk2);
- sock_put(sk2);
- }
+ if (err)
+ goto error_sk2;
+
+ return err;
+error_sk2:
+ sock_orphan(sk2);
+ sock_put(sk2);
return err;
}
diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index e14c8be..f69a109 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -283,6 +283,11 @@ static int skcipher_sendmsg(struct kiocb *unused, struct socket
*sock,
memcpy(ctx->iv, con.iv->iv, ivsize);
}
+ err = af_alg_audit_crypto_op(sk, ctx->enc ? "encrypt-input"
+ : "decrypt-input", -1);
+ if (err)
+ goto unlock;
+
limit = max_t(int, sk->sk_sndbuf, PAGE_SIZE);
limit -= ctx->used;
@@ -384,6 +389,11 @@ static ssize_t skcipher_sendpage(struct socket *sock, struct page
*page,
int err = -EINVAL;
int limit;
+ err = af_alg_audit_crypto_op(sk, ctx->enc ? "encrypt-input"
+ : "decrypt-input", -1);
+ if (err)
+ return err;
+
lock_sock(sk);
if (!ctx->more && ctx->used)
goto unlock;
@@ -443,6 +453,11 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket
*sock,
int used;
long copied = 0;
+ err = af_alg_audit_crypto_op(sk, ctx->enc ? "encrypt-output"
+ : "decrypt-output", -1);
+ if (err)
+ return err;
+
lock_sock(sk);
for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0;
iovlen--, iov++) {
diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h
index 092c599..6650ae5 100644
--- a/include/crypto/if_alg.h
+++ b/include/crypto/if_alg.h
@@ -80,6 +80,12 @@ int af_alg_cmsg_send(struct msghdr *msg, struct af_alg_control *con);
int af_alg_wait_for_completion(int err, struct af_alg_completion *completion);
void af_alg_complete(struct crypto_async_request *req, int err);
+#ifdef CONFIG_AUDIT
+int af_alg_audit_crypto_op(struct sock *sk, const char *operation, int ctx2);
+#else
+#define af_alg_audit_crypto_op(sk, operation, ctx2) (0)
+#endif
+
static inline struct alg_sock *alg_sk(struct sock *sk)
{
return (struct alg_sock *)sk;
--
1.7.3.2