diff options
Diffstat (limited to 'fs/ecryptfs/keystore.c')
| -rw-r--r-- | fs/ecryptfs/keystore.c | 64 |
1 files changed, 35 insertions, 29 deletions
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c index 27a7fefb83e..ac1ad48c237 100644 --- a/fs/ecryptfs/keystore.c +++ b/fs/ecryptfs/keystore.c | |||
| @@ -1635,11 +1635,14 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key, | |||
| 1635 | 1635 | ||
| 1636 | (*auth_tok_key) = request_key(&key_type_user, sig, NULL); | 1636 | (*auth_tok_key) = request_key(&key_type_user, sig, NULL); |
| 1637 | if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) { | 1637 | if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) { |
| 1638 | printk(KERN_ERR "Could not find key with description: [%s]\n", | 1638 | (*auth_tok_key) = ecryptfs_get_encrypted_key(sig); |
| 1639 | sig); | 1639 | if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) { |
| 1640 | rc = process_request_key_err(PTR_ERR(*auth_tok_key)); | 1640 | printk(KERN_ERR "Could not find key with description: [%s]\n", |
| 1641 | (*auth_tok_key) = NULL; | 1641 | sig); |
| 1642 | goto out; | 1642 | rc = process_request_key_err(PTR_ERR(*auth_tok_key)); |
| 1643 | (*auth_tok_key) = NULL; | ||
| 1644 | goto out; | ||
| 1645 | } | ||
| 1643 | } | 1646 | } |
| 1644 | down_write(&(*auth_tok_key)->sem); | 1647 | down_write(&(*auth_tok_key)->sem); |
| 1645 | rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok); | 1648 | rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok); |
| @@ -1868,11 +1871,6 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat, | |||
| 1868 | * just one will be sufficient to decrypt to get the FEK. */ | 1871 | * just one will be sufficient to decrypt to get the FEK. */ |
| 1869 | find_next_matching_auth_tok: | 1872 | find_next_matching_auth_tok: |
| 1870 | found_auth_tok = 0; | 1873 | found_auth_tok = 0; |
| 1871 | if (auth_tok_key) { | ||
| 1872 | up_write(&(auth_tok_key->sem)); | ||
| 1873 | key_put(auth_tok_key); | ||
| 1874 | auth_tok_key = NULL; | ||
| 1875 | } | ||
| 1876 | list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) { | 1874 | list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) { |
| 1877 | candidate_auth_tok = &auth_tok_list_item->auth_tok; | 1875 | candidate_auth_tok = &auth_tok_list_item->auth_tok; |
| 1878 | if (unlikely(ecryptfs_verbosity > 0)) { | 1876 | if (unlikely(ecryptfs_verbosity > 0)) { |
| @@ -1909,14 +1907,22 @@ found_matching_auth_tok: | |||
| 1909 | memcpy(&(candidate_auth_tok->token.private_key), | 1907 | memcpy(&(candidate_auth_tok->token.private_key), |
| 1910 | &(matching_auth_tok->token.private_key), | 1908 | &(matching_auth_tok->token.private_key), |
| 1911 | sizeof(struct ecryptfs_private_key)); | 1909 | sizeof(struct ecryptfs_private_key)); |
| 1910 | up_write(&(auth_tok_key->sem)); | ||
| 1911 | key_put(auth_tok_key); | ||
| 1912 | rc = decrypt_pki_encrypted_session_key(candidate_auth_tok, | 1912 | rc = decrypt_pki_encrypted_session_key(candidate_auth_tok, |
| 1913 | crypt_stat); | 1913 | crypt_stat); |
| 1914 | } else if (candidate_auth_tok->token_type == ECRYPTFS_PASSWORD) { | 1914 | } else if (candidate_auth_tok->token_type == ECRYPTFS_PASSWORD) { |
| 1915 | memcpy(&(candidate_auth_tok->token.password), | 1915 | memcpy(&(candidate_auth_tok->token.password), |
| 1916 | &(matching_auth_tok->token.password), | 1916 | &(matching_auth_tok->token.password), |
| 1917 | sizeof(struct ecryptfs_password)); | 1917 | sizeof(struct ecryptfs_password)); |
| 1918 | up_write(&(auth_tok_key->sem)); | ||
| 1919 | key_put(auth_tok_key); | ||
| 1918 | rc = decrypt_passphrase_encrypted_session_key( | 1920 | rc = decrypt_passphrase_encrypted_session_key( |
| 1919 | candidate_auth_tok, crypt_stat); | 1921 | candidate_auth_tok, crypt_stat); |
| 1922 | } else { | ||
| 1923 | up_write(&(auth_tok_key->sem)); | ||
| 1924 | key_put(auth_tok_key); | ||
| 1925 | rc = -EINVAL; | ||
| 1920 | } | 1926 | } |
| 1921 | if (rc) { | 1927 | if (rc) { |
| 1922 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item_tmp; | 1928 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item_tmp; |
| @@ -1956,21 +1962,18 @@ found_matching_auth_tok: | |||
| 1956 | out_wipe_list: | 1962 | out_wipe_list: |
| 1957 | wipe_auth_tok_list(&auth_tok_list); | 1963 | wipe_auth_tok_list(&auth_tok_list); |
| 1958 | out: | 1964 | out: |
| 1959 | if (auth_tok_key) { | ||
| 1960 | up_write(&(auth_tok_key->sem)); | ||
| 1961 | key_put(auth_tok_key); | ||
| 1962 | } | ||
| 1963 | return rc; | 1965 | return rc; |
| 1964 | } | 1966 | } |
| 1965 | 1967 | ||
| 1966 | static int | 1968 | static int |
| 1967 | pki_encrypt_session_key(struct ecryptfs_auth_tok *auth_tok, | 1969 | pki_encrypt_session_key(struct key *auth_tok_key, |
| 1970 | struct ecryptfs_auth_tok *auth_tok, | ||
| 1968 | struct ecryptfs_crypt_stat *crypt_stat, | 1971 | struct ecryptfs_crypt_stat *crypt_stat, |
| 1969 | struct ecryptfs_key_record *key_rec) | 1972 | struct ecryptfs_key_record *key_rec) |
| 1970 | { | 1973 | { |
| 1971 | struct ecryptfs_msg_ctx *msg_ctx = NULL; | 1974 | struct ecryptfs_msg_ctx *msg_ctx = NULL; |
| 1972 | char *payload = NULL; | 1975 | char *payload = NULL; |
| 1973 | size_t payload_len; | 1976 | size_t payload_len = 0; |
| 1974 | struct ecryptfs_message *msg; | 1977 | struct ecryptfs_message *msg; |
| 1975 | int rc; | 1978 | int rc; |
| 1976 | 1979 | ||
| @@ -1979,6 +1982,8 @@ pki_encrypt_session_key(struct ecryptfs_auth_tok *auth_tok, | |||
| 1979 | crypt_stat->cipher, | 1982 | crypt_stat->cipher, |
| 1980 | crypt_stat->key_size), | 1983 | crypt_stat->key_size), |
| 1981 | crypt_stat, &payload, &payload_len); | 1984 | crypt_stat, &payload, &payload_len); |
| 1985 | up_write(&(auth_tok_key->sem)); | ||
| 1986 | key_put(auth_tok_key); | ||
| 1982 | if (rc) { | 1987 | if (rc) { |
| 1983 | ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet\n"); | 1988 | ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet\n"); |
| 1984 | goto out; | 1989 | goto out; |
| @@ -2008,6 +2013,8 @@ out: | |||
| 2008 | * write_tag_1_packet - Write an RFC2440-compatible tag 1 (public key) packet | 2013 | * write_tag_1_packet - Write an RFC2440-compatible tag 1 (public key) packet |
| 2009 | * @dest: Buffer into which to write the packet | 2014 | * @dest: Buffer into which to write the packet |
| 2010 | * @remaining_bytes: Maximum number of bytes that can be writtn | 2015 | * @remaining_bytes: Maximum number of bytes that can be writtn |
| 2016 | * @auth_tok_key: The authentication token key to unlock and put when done with | ||
| 2017 | * @auth_tok | ||
| 2011 | * @auth_tok: The authentication token used for generating the tag 1 packet | 2018 | * @auth_tok: The authentication token used for generating the tag 1 packet |
| 2012 | * @crypt_stat: The cryptographic context | 2019 | * @crypt_stat: The cryptographic context |
| 2013 | * @key_rec: The key record struct for the tag 1 packet | 2020 | * @key_rec: The key record struct for the tag 1 packet |
| @@ -2018,7 +2025,7 @@ out: | |||
| 2018 | */ | 2025 | */ |
| 2019 | static int | 2026 | static int |
| 2020 | write_tag_1_packet(char *dest, size_t *remaining_bytes, | 2027 | write_tag_1_packet(char *dest, size_t *remaining_bytes, |
| 2021 | struct ecryptfs_auth_tok *auth_tok, | 2028 | struct key *auth_tok_key, struct ecryptfs_auth_tok *auth_tok, |
| 2022 | struct ecryptfs_crypt_stat *crypt_stat, | 2029 | struct ecryptfs_crypt_stat *crypt_stat, |
| 2023 | struct ecryptfs_key_record *key_rec, size_t *packet_size) | 2030 | struct ecryptfs_key_record *key_rec, size_t *packet_size) |
| 2024 | { | 2031 | { |
| @@ -2039,12 +2046,15 @@ write_tag_1_packet(char *dest, size_t *remaining_bytes, | |||
| 2039 | memcpy(key_rec->enc_key, | 2046 | memcpy(key_rec->enc_key, |
| 2040 | auth_tok->session_key.encrypted_key, | 2047 | auth_tok->session_key.encrypted_key, |
| 2041 | auth_tok->session_key.encrypted_key_size); | 2048 | auth_tok->session_key.encrypted_key_size); |
| 2049 | up_write(&(auth_tok_key->sem)); | ||
| 2050 | key_put(auth_tok_key); | ||
| 2042 | goto encrypted_session_key_set; | 2051 | goto encrypted_session_key_set; |
| 2043 | } | 2052 | } |
| 2044 | if (auth_tok->session_key.encrypted_key_size == 0) | 2053 | if (auth_tok->session_key.encrypted_key_size == 0) |
| 2045 | auth_tok->session_key.encrypted_key_size = | 2054 | auth_tok->session_key.encrypted_key_size = |
| 2046 | auth_tok->token.private_key.key_size; | 2055 | auth_tok->token.private_key.key_size; |
| 2047 | rc = pki_encrypt_session_key(auth_tok, crypt_stat, key_rec); | 2056 | rc = pki_encrypt_session_key(auth_tok_key, auth_tok, crypt_stat, |
| 2057 | key_rec); | ||
| 2048 | if (rc) { | 2058 | if (rc) { |
| 2049 | printk(KERN_ERR "Failed to encrypt session key via a key " | 2059 | printk(KERN_ERR "Failed to encrypt session key via a key " |
| 2050 | "module; rc = [%d]\n", rc); | 2060 | "module; rc = [%d]\n", rc); |
| @@ -2248,7 +2258,7 @@ write_tag_3_packet(char *dest, size_t *remaining_bytes, | |||
| 2248 | auth_tok->token.password.session_key_encryption_key, | 2258 | auth_tok->token.password.session_key_encryption_key, |
| 2249 | crypt_stat->key_size); | 2259 | crypt_stat->key_size); |
| 2250 | ecryptfs_printk(KERN_DEBUG, | 2260 | ecryptfs_printk(KERN_DEBUG, |
| 2251 | "Cached session key " "encryption key: \n"); | 2261 | "Cached session key encryption key:\n"); |
| 2252 | if (ecryptfs_verbosity > 0) | 2262 | if (ecryptfs_verbosity > 0) |
| 2253 | ecryptfs_dump_hex(session_key_encryption_key, 16); | 2263 | ecryptfs_dump_hex(session_key_encryption_key, 16); |
| 2254 | } | 2264 | } |
| @@ -2421,6 +2431,8 @@ ecryptfs_generate_key_packet_set(char *dest_base, | |||
| 2421 | &max, auth_tok, | 2431 | &max, auth_tok, |
| 2422 | crypt_stat, key_rec, | 2432 | crypt_stat, key_rec, |
| 2423 | &written); | 2433 | &written); |
| 2434 | up_write(&(auth_tok_key->sem)); | ||
| 2435 | key_put(auth_tok_key); | ||
| 2424 | if (rc) { | 2436 | if (rc) { |
| 2425 | ecryptfs_printk(KERN_WARNING, "Error " | 2437 | ecryptfs_printk(KERN_WARNING, "Error " |
| 2426 | "writing tag 3 packet\n"); | 2438 | "writing tag 3 packet\n"); |
| @@ -2438,8 +2450,8 @@ ecryptfs_generate_key_packet_set(char *dest_base, | |||
| 2438 | } | 2450 | } |
| 2439 | (*len) += written; | 2451 | (*len) += written; |
| 2440 | } else if (auth_tok->token_type == ECRYPTFS_PRIVATE_KEY) { | 2452 | } else if (auth_tok->token_type == ECRYPTFS_PRIVATE_KEY) { |
| 2441 | rc = write_tag_1_packet(dest_base + (*len), | 2453 | rc = write_tag_1_packet(dest_base + (*len), &max, |
| 2442 | &max, auth_tok, | 2454 | auth_tok_key, auth_tok, |
| 2443 | crypt_stat, key_rec, &written); | 2455 | crypt_stat, key_rec, &written); |
| 2444 | if (rc) { | 2456 | if (rc) { |
| 2445 | ecryptfs_printk(KERN_WARNING, "Error " | 2457 | ecryptfs_printk(KERN_WARNING, "Error " |
| @@ -2448,14 +2460,13 @@ ecryptfs_generate_key_packet_set(char *dest_base, | |||
| 2448 | } | 2460 | } |
| 2449 | (*len) += written; | 2461 | (*len) += written; |
| 2450 | } else { | 2462 | } else { |
| 2463 | up_write(&(auth_tok_key->sem)); | ||
| 2464 | key_put(auth_tok_key); | ||
| 2451 | ecryptfs_printk(KERN_WARNING, "Unsupported " | 2465 | ecryptfs_printk(KERN_WARNING, "Unsupported " |
| 2452 | "authentication token type\n"); | 2466 | "authentication token type\n"); |
| 2453 | rc = -EINVAL; | 2467 | rc = -EINVAL; |
| 2454 | goto out_free; | 2468 | goto out_free; |
| 2455 | } | 2469 | } |
| 2456 | up_write(&(auth_tok_key->sem)); | ||
| 2457 | key_put(auth_tok_key); | ||
| 2458 | auth_tok_key = NULL; | ||
| 2459 | } | 2470 | } |
| 2460 | if (likely(max > 0)) { | 2471 | if (likely(max > 0)) { |
| 2461 | dest_base[(*len)] = 0x00; | 2472 | dest_base[(*len)] = 0x00; |
| @@ -2468,11 +2479,6 @@ out_free: | |||
| 2468 | out: | 2479 | out: |
| 2469 | if (rc) | 2480 | if (rc) |
| 2470 | (*len) = 0; | 2481 | (*len) = 0; |
| 2471 | if (auth_tok_key) { | ||
| 2472 | up_write(&(auth_tok_key->sem)); | ||
| 2473 | key_put(auth_tok_key); | ||
| 2474 | } | ||
| 2475 | |||
| 2476 | mutex_unlock(&crypt_stat->keysig_list_mutex); | 2482 | mutex_unlock(&crypt_stat->keysig_list_mutex); |
| 2477 | return rc; | 2483 | return rc; |
| 2478 | } | 2484 | } |