diff options
author | Roberto Sassu <roberto.sassu@polito.it> | 2010-10-06 12:31:06 -0400 |
---|---|---|
committer | Tyler Hicks <tyhicks@linux.vnet.ibm.com> | 2010-10-29 11:31:35 -0400 |
commit | aee683b9e77e17237b0e146025c3d363c9203634 (patch) | |
tree | 79ec9b8a2ff2d2e433bbe7a6959a34aeb75c25b6 | |
parent | 2e21b3f124eceb6ab5a07c8a061adce14ac94e14 (diff) |
ecryptfs: release keys loaded in ecryptfs_keyring_auth_tok_for_sig()
This patch allows keys requested in the function
ecryptfs_keyring_auth_tok_for_sig()to be released when they are no
longer required. In particular keys are directly released in the same
function if the obtained authentication token is not valid.
Further, a new function parameter 'auth_tok_key' has been added to
ecryptfs_find_auth_tok_for_sig() in order to provide callers the key
pointer to be passed to key_put().
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Cc: Dustin Kirkland <kirkland@canonical.com>
Cc: James Morris <jmorris@namei.org>
[Tyler: Initialize auth_tok_key to NULL in ecryptfs_parse_packet_set]
Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
-rw-r--r-- | fs/ecryptfs/keystore.c | 34 |
1 files changed, 28 insertions, 6 deletions
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c index 73811cfa2ea4..b85c6a7770a8 100644 --- a/fs/ecryptfs/keystore.c +++ b/fs/ecryptfs/keystore.c | |||
@@ -446,6 +446,7 @@ out: | |||
446 | */ | 446 | */ |
447 | static int | 447 | static int |
448 | ecryptfs_find_auth_tok_for_sig( | 448 | ecryptfs_find_auth_tok_for_sig( |
449 | struct key **auth_tok_key, | ||
449 | struct ecryptfs_auth_tok **auth_tok, | 450 | struct ecryptfs_auth_tok **auth_tok, |
450 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, | 451 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, |
451 | char *sig) | 452 | char *sig) |
@@ -453,12 +454,12 @@ ecryptfs_find_auth_tok_for_sig( | |||
453 | struct ecryptfs_global_auth_tok *global_auth_tok; | 454 | struct ecryptfs_global_auth_tok *global_auth_tok; |
454 | int rc = 0; | 455 | int rc = 0; |
455 | 456 | ||
457 | (*auth_tok_key) = NULL; | ||
456 | (*auth_tok) = NULL; | 458 | (*auth_tok) = NULL; |
457 | if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok, | 459 | if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok, |
458 | mount_crypt_stat, sig)) { | 460 | mount_crypt_stat, sig)) { |
459 | struct key *auth_tok_key; | ||
460 | 461 | ||
461 | rc = ecryptfs_keyring_auth_tok_for_sig(&auth_tok_key, auth_tok, | 462 | rc = ecryptfs_keyring_auth_tok_for_sig(auth_tok_key, auth_tok, |
462 | sig); | 463 | sig); |
463 | } else | 464 | } else |
464 | (*auth_tok) = global_auth_tok->global_auth_tok; | 465 | (*auth_tok) = global_auth_tok->global_auth_tok; |
@@ -509,6 +510,7 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes, | |||
509 | char *filename, size_t filename_size) | 510 | char *filename, size_t filename_size) |
510 | { | 511 | { |
511 | struct ecryptfs_write_tag_70_packet_silly_stack *s; | 512 | struct ecryptfs_write_tag_70_packet_silly_stack *s; |
513 | struct key *auth_tok_key = NULL; | ||
512 | int rc = 0; | 514 | int rc = 0; |
513 | 515 | ||
514 | s = kmalloc(sizeof(*s), GFP_KERNEL); | 516 | s = kmalloc(sizeof(*s), GFP_KERNEL); |
@@ -606,6 +608,7 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes, | |||
606 | } | 608 | } |
607 | dest[s->i++] = s->cipher_code; | 609 | dest[s->i++] = s->cipher_code; |
608 | rc = ecryptfs_find_auth_tok_for_sig( | 610 | rc = ecryptfs_find_auth_tok_for_sig( |
611 | &auth_tok_key, | ||
609 | &s->auth_tok, mount_crypt_stat, | 612 | &s->auth_tok, mount_crypt_stat, |
610 | mount_crypt_stat->global_default_fnek_sig); | 613 | mount_crypt_stat->global_default_fnek_sig); |
611 | if (rc) { | 614 | if (rc) { |
@@ -753,6 +756,8 @@ out_free_unlock: | |||
753 | out_unlock: | 756 | out_unlock: |
754 | mutex_unlock(s->tfm_mutex); | 757 | mutex_unlock(s->tfm_mutex); |
755 | out: | 758 | out: |
759 | if (auth_tok_key) | ||
760 | key_put(auth_tok_key); | ||
756 | kfree(s); | 761 | kfree(s); |
757 | return rc; | 762 | return rc; |
758 | } | 763 | } |
@@ -798,6 +803,7 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size, | |||
798 | char *data, size_t max_packet_size) | 803 | char *data, size_t max_packet_size) |
799 | { | 804 | { |
800 | struct ecryptfs_parse_tag_70_packet_silly_stack *s; | 805 | struct ecryptfs_parse_tag_70_packet_silly_stack *s; |
806 | struct key *auth_tok_key = NULL; | ||
801 | int rc = 0; | 807 | int rc = 0; |
802 | 808 | ||
803 | (*packet_size) = 0; | 809 | (*packet_size) = 0; |
@@ -910,7 +916,8 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size, | |||
910 | * >= ECRYPTFS_MAX_IV_BYTES. */ | 916 | * >= ECRYPTFS_MAX_IV_BYTES. */ |
911 | memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); | 917 | memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); |
912 | s->desc.info = s->iv; | 918 | s->desc.info = s->iv; |
913 | rc = ecryptfs_find_auth_tok_for_sig(&s->auth_tok, mount_crypt_stat, | 919 | rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key, |
920 | &s->auth_tok, mount_crypt_stat, | ||
914 | s->fnek_sig_hex); | 921 | s->fnek_sig_hex); |
915 | if (rc) { | 922 | if (rc) { |
916 | printk(KERN_ERR "%s: Error attempting to find auth tok for " | 923 | printk(KERN_ERR "%s: Error attempting to find auth tok for " |
@@ -986,6 +993,8 @@ out: | |||
986 | (*filename_size) = 0; | 993 | (*filename_size) = 0; |
987 | (*filename) = NULL; | 994 | (*filename) = NULL; |
988 | } | 995 | } |
996 | if (auth_tok_key) | ||
997 | key_put(auth_tok_key); | ||
989 | kfree(s); | 998 | kfree(s); |
990 | return rc; | 999 | return rc; |
991 | } | 1000 | } |
@@ -1557,14 +1566,19 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key, | |||
1557 | ECRYPTFS_VERSION_MAJOR, | 1566 | ECRYPTFS_VERSION_MAJOR, |
1558 | ECRYPTFS_VERSION_MINOR); | 1567 | ECRYPTFS_VERSION_MINOR); |
1559 | rc = -EINVAL; | 1568 | rc = -EINVAL; |
1560 | goto out; | 1569 | goto out_release_key; |
1561 | } | 1570 | } |
1562 | if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD | 1571 | if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD |
1563 | && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) { | 1572 | && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) { |
1564 | printk(KERN_ERR "Invalid auth_tok structure " | 1573 | printk(KERN_ERR "Invalid auth_tok structure " |
1565 | "returned from key query\n"); | 1574 | "returned from key query\n"); |
1566 | rc = -EINVAL; | 1575 | rc = -EINVAL; |
1567 | goto out; | 1576 | goto out_release_key; |
1577 | } | ||
1578 | out_release_key: | ||
1579 | if (rc) { | ||
1580 | key_put(*auth_tok_key); | ||
1581 | (*auth_tok_key) = NULL; | ||
1568 | } | 1582 | } |
1569 | out: | 1583 | out: |
1570 | return rc; | 1584 | return rc; |
@@ -1688,6 +1702,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat, | |||
1688 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item; | 1702 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item; |
1689 | size_t tag_11_contents_size; | 1703 | size_t tag_11_contents_size; |
1690 | size_t tag_11_packet_size; | 1704 | size_t tag_11_packet_size; |
1705 | struct key *auth_tok_key = NULL; | ||
1691 | int rc = 0; | 1706 | int rc = 0; |
1692 | 1707 | ||
1693 | INIT_LIST_HEAD(&auth_tok_list); | 1708 | INIT_LIST_HEAD(&auth_tok_list); |
@@ -1784,6 +1799,10 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat, | |||
1784 | * just one will be sufficient to decrypt to get the FEK. */ | 1799 | * just one will be sufficient to decrypt to get the FEK. */ |
1785 | find_next_matching_auth_tok: | 1800 | find_next_matching_auth_tok: |
1786 | found_auth_tok = 0; | 1801 | found_auth_tok = 0; |
1802 | if (auth_tok_key) { | ||
1803 | key_put(auth_tok_key); | ||
1804 | auth_tok_key = NULL; | ||
1805 | } | ||
1787 | list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) { | 1806 | list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) { |
1788 | candidate_auth_tok = &auth_tok_list_item->auth_tok; | 1807 | candidate_auth_tok = &auth_tok_list_item->auth_tok; |
1789 | if (unlikely(ecryptfs_verbosity > 0)) { | 1808 | if (unlikely(ecryptfs_verbosity > 0)) { |
@@ -1800,7 +1819,8 @@ find_next_matching_auth_tok: | |||
1800 | rc = -EINVAL; | 1819 | rc = -EINVAL; |
1801 | goto out_wipe_list; | 1820 | goto out_wipe_list; |
1802 | } | 1821 | } |
1803 | ecryptfs_find_auth_tok_for_sig(&matching_auth_tok, | 1822 | ecryptfs_find_auth_tok_for_sig(&auth_tok_key, |
1823 | &matching_auth_tok, | ||
1804 | crypt_stat->mount_crypt_stat, | 1824 | crypt_stat->mount_crypt_stat, |
1805 | candidate_auth_tok_sig); | 1825 | candidate_auth_tok_sig); |
1806 | if (matching_auth_tok) { | 1826 | if (matching_auth_tok) { |
@@ -1866,6 +1886,8 @@ found_matching_auth_tok: | |||
1866 | out_wipe_list: | 1886 | out_wipe_list: |
1867 | wipe_auth_tok_list(&auth_tok_list); | 1887 | wipe_auth_tok_list(&auth_tok_list); |
1868 | out: | 1888 | out: |
1889 | if (auth_tok_key) | ||
1890 | key_put(auth_tok_key); | ||
1869 | return rc; | 1891 | return rc; |
1870 | } | 1892 | } |
1871 | 1893 | ||