aboutsummaryrefslogtreecommitdiffstats
path: root/fs/ecryptfs/keystore.c
diff options
context:
space:
mode:
authorMichael Halcrow <mhalcrow@us.ibm.com>2007-10-16 04:27:53 -0400
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-10-16 12:43:10 -0400
commitf4aad16adfb8f0a2d666fdf8af4bd0dff2ce75e4 (patch)
tree42e7f191d1a3a1e1375af24acc5c336b30c5c4d1 /fs/ecryptfs/keystore.c
parentcce76f9b9696a59974be9ed43478c000c57e597a (diff)
eCryptfs: add key list structure; search keyring
Add support structures for handling multiple keys. The list in crypt_stat contains the key identifiers for all of the keys that should be used for encrypting each file's File Encryption Key (FEK). For now, each inode inherits this list from the mount-wide crypt_stat struct, via the ecryptfs_copy_mount_wide_sigs_to_inode_sigs() function. This patch also removes the global key tfm from the mount-wide crypt_stat struct, instead keeping a list of tfm's meant for dealing with the various inode FEK's. eCryptfs will now search the user's keyring for FEK's parsed from the existing file metadata, so the user can make keys available at any time before or after mounting. Now that multiple FEK packets can be written to the file metadata, we need to be more meticulous about size limits. The updates to the code for writing out packets to the file metadata makes sizes and limits more explicit, uniformly expressed, and (hopefully) easier to follow. Signed-off-by: Michael Halcrow <mhalcrow@us.ibm.com> Cc: "Serge E. Hallyn" <serge@hallyn.com> Cc: David Howells <dhowells@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/ecryptfs/keystore.c')
-rw-r--r--fs/ecryptfs/keystore.c743
1 files changed, 465 insertions, 278 deletions
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
index b550dea8eee6..a1764fe3318c 100644
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -402,20 +402,24 @@ out:
402 * 402 *
403 * Returns Zero on success; non-zero error otherwise. 403 * Returns Zero on success; non-zero error otherwise.
404 */ 404 */
405static int decrypt_pki_encrypted_session_key( 405static int
406 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, 406decrypt_pki_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok,
407 struct ecryptfs_auth_tok *auth_tok, 407 struct ecryptfs_crypt_stat *crypt_stat)
408 struct ecryptfs_crypt_stat *crypt_stat)
409{ 408{
410 u16 cipher_code = 0; 409 u16 cipher_code = 0;
411 struct ecryptfs_msg_ctx *msg_ctx; 410 struct ecryptfs_msg_ctx *msg_ctx;
412 struct ecryptfs_message *msg = NULL; 411 struct ecryptfs_message *msg = NULL;
412 char *auth_tok_sig;
413 char *netlink_message; 413 char *netlink_message;
414 size_t netlink_message_length; 414 size_t netlink_message_length;
415 int rc; 415 int rc;
416 416
417 rc = write_tag_64_packet(mount_crypt_stat->global_auth_tok_sig, 417 if ((rc = ecryptfs_get_auth_tok_sig(&auth_tok_sig, auth_tok))) {
418 &(auth_tok->session_key), 418 printk(KERN_ERR "Unrecognized auth tok type: [%d]\n",
419 auth_tok->token_type);
420 goto out;
421 }
422 rc = write_tag_64_packet(auth_tok_sig, &(auth_tok->session_key),
419 &netlink_message, &netlink_message_length); 423 &netlink_message, &netlink_message_length);
420 if (rc) { 424 if (rc) {
421 ecryptfs_printk(KERN_ERR, "Failed to write tag 64 packet"); 425 ecryptfs_printk(KERN_ERR, "Failed to write tag 64 packet");
@@ -921,126 +925,241 @@ out:
921 return rc; 925 return rc;
922} 926}
923 927
928static int
929ecryptfs_find_global_auth_tok_for_sig(
930 struct ecryptfs_global_auth_tok **global_auth_tok,
931 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, char *sig)
932{
933 struct ecryptfs_global_auth_tok *walker;
934 int rc = 0;
935
936 (*global_auth_tok) = NULL;
937 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
938 list_for_each_entry(walker,
939 &mount_crypt_stat->global_auth_tok_list,
940 mount_crypt_stat_list) {
941 if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX) == 0) {
942 (*global_auth_tok) = walker;
943 goto out;
944 }
945 }
946 rc = -EINVAL;
947out:
948 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
949 return rc;
950}
951
924/** 952/**
925 * decrypt_session_key - Decrypt the session key with the given auth_tok. 953 * ecryptfs_verify_version
954 * @version: The version number to confirm
955 *
956 * Returns zero on good version; non-zero otherwise
957 */
958static int ecryptfs_verify_version(u16 version)
959{
960 int rc = 0;
961 unsigned char major;
962 unsigned char minor;
963
964 major = ((version >> 8) & 0xFF);
965 minor = (version & 0xFF);
966 if (major != ECRYPTFS_VERSION_MAJOR) {
967 ecryptfs_printk(KERN_ERR, "Major version number mismatch. "
968 "Expected [%d]; got [%d]\n",
969 ECRYPTFS_VERSION_MAJOR, major);
970 rc = -EINVAL;
971 goto out;
972 }
973 if (minor != ECRYPTFS_VERSION_MINOR) {
974 ecryptfs_printk(KERN_ERR, "Minor version number mismatch. "
975 "Expected [%d]; got [%d]\n",
976 ECRYPTFS_VERSION_MINOR, minor);
977 rc = -EINVAL;
978 goto out;
979 }
980out:
981 return rc;
982}
983
984int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
985 struct ecryptfs_auth_tok **auth_tok,
986 char *sig)
987{
988 int rc = 0;
989
990 (*auth_tok_key) = request_key(&key_type_user, sig, NULL);
991 if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) {
992 printk(KERN_ERR "Could not find key with description: [%s]\n",
993 sig);
994 process_request_key_err(PTR_ERR(*auth_tok_key));
995 rc = -EINVAL;
996 goto out;
997 }
998 (*auth_tok) = ecryptfs_get_key_payload_data(*auth_tok_key);
999 if (ecryptfs_verify_version((*auth_tok)->version)) {
1000 printk(KERN_ERR
1001 "Data structure version mismatch. "
1002 "Userspace tools must match eCryptfs "
1003 "kernel module with major version [%d] "
1004 "and minor version [%d]\n",
1005 ECRYPTFS_VERSION_MAJOR,
1006 ECRYPTFS_VERSION_MINOR);
1007 rc = -EINVAL;
1008 goto out;
1009 }
1010 if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD
1011 && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) {
1012 printk(KERN_ERR "Invalid auth_tok structure "
1013 "returned from key query\n");
1014 rc = -EINVAL;
1015 goto out;
1016 }
1017out:
1018 return rc;
1019}
1020
1021/**
1022 * ecryptfs_find_auth_tok_for_sig
1023 * @auth_tok: Set to the matching auth_tok; NULL if not found
1024 * @crypt_stat: inode crypt_stat crypto context
1025 * @sig: Sig of auth_tok to find
1026 *
1027 * For now, this function simply looks at the registered auth_tok's
1028 * linked off the mount_crypt_stat, so all the auth_toks that can be
1029 * used must be registered at mount time. This function could
1030 * potentially try a lot harder to find auth_tok's (e.g., by calling
1031 * out to ecryptfsd to dynamically retrieve an auth_tok object) so
1032 * that static registration of auth_tok's will no longer be necessary.
1033 *
1034 * Returns zero on no error; non-zero on error
1035 */
1036static int
1037ecryptfs_find_auth_tok_for_sig(
1038 struct ecryptfs_auth_tok **auth_tok,
1039 struct ecryptfs_crypt_stat *crypt_stat, char *sig)
1040{
1041 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
1042 crypt_stat->mount_crypt_stat;
1043 struct ecryptfs_global_auth_tok *global_auth_tok;
1044 int rc = 0;
1045
1046 (*auth_tok) = NULL;
1047 if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok,
1048 mount_crypt_stat, sig)) {
1049 struct key *auth_tok_key;
1050
1051 rc = ecryptfs_keyring_auth_tok_for_sig(&auth_tok_key, auth_tok,
1052 sig);
1053 } else
1054 (*auth_tok) = global_auth_tok->global_auth_tok;
1055 return rc;
1056}
1057
1058/**
1059 * decrypt_passphrase_encrypted_session_key - Decrypt the session key
1060 * with the given auth_tok.
926 * 1061 *
927 * Returns Zero on success; non-zero error otherwise. 1062 * Returns Zero on success; non-zero error otherwise.
928 */ 1063 */
929static int decrypt_session_key(struct ecryptfs_auth_tok *auth_tok, 1064static int
930 struct ecryptfs_crypt_stat *crypt_stat) 1065decrypt_passphrase_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok,
1066 struct ecryptfs_crypt_stat *crypt_stat)
931{ 1067{
932 struct ecryptfs_password *password_s_ptr; 1068 struct scatterlist dst_sg;
933 struct scatterlist src_sg[2], dst_sg[2]; 1069 struct scatterlist src_sg;
934 struct mutex *tfm_mutex = NULL; 1070 struct mutex *tfm_mutex = NULL;
935 char *encrypted_session_key;
936 char *session_key;
937 struct blkcipher_desc desc = { 1071 struct blkcipher_desc desc = {
938 .flags = CRYPTO_TFM_REQ_MAY_SLEEP 1072 .flags = CRYPTO_TFM_REQ_MAY_SLEEP
939 }; 1073 };
940 int rc = 0; 1074 int rc = 0;
941 1075
942 password_s_ptr = &auth_tok->token.password; 1076 if (unlikely(ecryptfs_verbosity > 0)) {
943 if (password_s_ptr->flags & ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET) 1077 ecryptfs_printk(
944 ecryptfs_printk(KERN_DEBUG, "Session key encryption key " 1078 KERN_DEBUG, "Session key encryption key (size [%d]):\n",
945 "set; skipping key generation\n"); 1079 auth_tok->token.password.session_key_encryption_key_bytes);
946 ecryptfs_printk(KERN_DEBUG, "Session key encryption key (size [%d])" 1080 ecryptfs_dump_hex(
947 ":\n", 1081 auth_tok->token.password.session_key_encryption_key,
948 password_s_ptr->session_key_encryption_key_bytes); 1082 auth_tok->token.password.session_key_encryption_key_bytes);
949 if (ecryptfs_verbosity > 0) 1083 }
950 ecryptfs_dump_hex(password_s_ptr->session_key_encryption_key, 1084 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&desc.tfm, &tfm_mutex,
951 password_s_ptr-> 1085 crypt_stat->cipher);
952 session_key_encryption_key_bytes); 1086 if (unlikely(rc)) {
953 if (!strcmp(crypt_stat->cipher, 1087 printk(KERN_ERR "Internal error whilst attempting to get "
954 crypt_stat->mount_crypt_stat->global_default_cipher_name) 1088 "tfm and mutex for cipher name [%s]; rc = [%d]\n",
955 && crypt_stat->mount_crypt_stat->global_key_tfm) { 1089 crypt_stat->cipher, rc);
956 desc.tfm = crypt_stat->mount_crypt_stat->global_key_tfm; 1090 goto out;
957 tfm_mutex = &crypt_stat->mount_crypt_stat->global_key_tfm_mutex;
958 } else {
959 char *full_alg_name;
960
961 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name,
962 crypt_stat->cipher,
963 "ecb");
964 if (rc)
965 goto out;
966 desc.tfm = crypto_alloc_blkcipher(full_alg_name, 0,
967 CRYPTO_ALG_ASYNC);
968 kfree(full_alg_name);
969 if (IS_ERR(desc.tfm)) {
970 rc = PTR_ERR(desc.tfm);
971 printk(KERN_ERR "Error allocating crypto context; "
972 "rc = [%d]\n", rc);
973 goto out;
974 }
975 crypto_blkcipher_set_flags(desc.tfm, CRYPTO_TFM_REQ_WEAK_KEY);
976 } 1091 }
977 if (tfm_mutex) 1092 if ((rc = virt_to_scatterlist(auth_tok->session_key.encrypted_key,
978 mutex_lock(tfm_mutex); 1093 auth_tok->session_key.encrypted_key_size,
979 rc = crypto_blkcipher_setkey(desc.tfm, 1094 &src_sg, 1)) != 1) {
980 password_s_ptr->session_key_encryption_key, 1095 printk(KERN_ERR "Internal error whilst attempting to convert "
981 crypt_stat->key_size); 1096 "auth_tok->session_key.encrypted_key to scatterlist; "
982 if (rc < 0) { 1097 "expected rc = 1; got rc = [%d]. "
1098 "auth_tok->session_key.encrypted_key_size = [%d]\n", rc,
1099 auth_tok->session_key.encrypted_key_size);
1100 goto out;
1101 }
1102 auth_tok->session_key.decrypted_key_size =
1103 auth_tok->session_key.encrypted_key_size;
1104 if ((rc = virt_to_scatterlist(auth_tok->session_key.decrypted_key,
1105 auth_tok->session_key.decrypted_key_size,
1106 &dst_sg, 1)) != 1) {
1107 printk(KERN_ERR "Internal error whilst attempting to convert "
1108 "auth_tok->session_key.decrypted_key to scatterlist; "
1109 "expected rc = 1; got rc = [%d]\n", rc);
1110 goto out;
1111 }
1112 mutex_lock(tfm_mutex);
1113 rc = crypto_blkcipher_setkey(
1114 desc.tfm, auth_tok->token.password.session_key_encryption_key,
1115 crypt_stat->key_size);
1116 if (unlikely(rc < 0)) {
1117 mutex_unlock(tfm_mutex);
983 printk(KERN_ERR "Error setting key for crypto context\n"); 1118 printk(KERN_ERR "Error setting key for crypto context\n");
984 rc = -EINVAL; 1119 rc = -EINVAL;
985 goto out_free_tfm; 1120 goto out;
986 }
987 /* TODO: virt_to_scatterlist */
988 encrypted_session_key = (char *)__get_free_page(GFP_KERNEL);
989 if (!encrypted_session_key) {
990 ecryptfs_printk(KERN_ERR, "Out of memory\n");
991 rc = -ENOMEM;
992 goto out_free_tfm;
993 } 1121 }
994 session_key = (char *)__get_free_page(GFP_KERNEL); 1122 rc = crypto_blkcipher_decrypt(&desc, &dst_sg, &src_sg,
995 if (!session_key) {
996 kfree(encrypted_session_key);
997 ecryptfs_printk(KERN_ERR, "Out of memory\n");
998 rc = -ENOMEM;
999 goto out_free_tfm;
1000 }
1001 memcpy(encrypted_session_key, auth_tok->session_key.encrypted_key,
1002 auth_tok->session_key.encrypted_key_size);
1003 src_sg[0].page = virt_to_page(encrypted_session_key);
1004 src_sg[0].offset = 0;
1005 BUG_ON(auth_tok->session_key.encrypted_key_size > PAGE_CACHE_SIZE);
1006 src_sg[0].length = auth_tok->session_key.encrypted_key_size;
1007 dst_sg[0].page = virt_to_page(session_key);
1008 dst_sg[0].offset = 0;
1009 auth_tok->session_key.decrypted_key_size =
1010 auth_tok->session_key.encrypted_key_size;
1011 dst_sg[0].length = auth_tok->session_key.encrypted_key_size;
1012 rc = crypto_blkcipher_decrypt(&desc, dst_sg, src_sg,
1013 auth_tok->session_key.encrypted_key_size); 1123 auth_tok->session_key.encrypted_key_size);
1014 if (rc) { 1124 mutex_unlock(tfm_mutex);
1125 if (unlikely(rc)) {
1015 printk(KERN_ERR "Error decrypting; rc = [%d]\n", rc); 1126 printk(KERN_ERR "Error decrypting; rc = [%d]\n", rc);
1016 goto out_free_memory; 1127 goto out;
1017 } 1128 }
1018 auth_tok->session_key.decrypted_key_size =
1019 auth_tok->session_key.encrypted_key_size;
1020 memcpy(auth_tok->session_key.decrypted_key, session_key,
1021 auth_tok->session_key.decrypted_key_size);
1022 auth_tok->session_key.flags |= ECRYPTFS_CONTAINS_DECRYPTED_KEY; 1129 auth_tok->session_key.flags |= ECRYPTFS_CONTAINS_DECRYPTED_KEY;
1023 memcpy(crypt_stat->key, auth_tok->session_key.decrypted_key, 1130 memcpy(crypt_stat->key, auth_tok->session_key.decrypted_key,
1024 auth_tok->session_key.decrypted_key_size); 1131 auth_tok->session_key.decrypted_key_size);
1025 crypt_stat->flags |= ECRYPTFS_KEY_VALID; 1132 crypt_stat->flags |= ECRYPTFS_KEY_VALID;
1026 ecryptfs_printk(KERN_DEBUG, "Decrypted session key:\n"); 1133 if (unlikely(ecryptfs_verbosity > 0)) {
1027 if (ecryptfs_verbosity > 0) 1134 ecryptfs_printk(KERN_DEBUG, "FEK of size [%d]:\n",
1135 crypt_stat->key_size);
1028 ecryptfs_dump_hex(crypt_stat->key, 1136 ecryptfs_dump_hex(crypt_stat->key,
1029 crypt_stat->key_size); 1137 crypt_stat->key_size);
1030out_free_memory: 1138 }
1031 memset(encrypted_session_key, 0, PAGE_CACHE_SIZE);
1032 free_page((unsigned long)encrypted_session_key);
1033 memset(session_key, 0, PAGE_CACHE_SIZE);
1034 free_page((unsigned long)session_key);
1035out_free_tfm:
1036 if (tfm_mutex)
1037 mutex_unlock(tfm_mutex);
1038 else
1039 crypto_free_blkcipher(desc.tfm);
1040out: 1139out:
1041 return rc; 1140 return rc;
1042} 1141}
1043 1142
1143int ecryptfs_get_auth_tok_sig(char **sig, struct ecryptfs_auth_tok *auth_tok)
1144{
1145 int rc = 0;
1146
1147 (*sig) = NULL;
1148 switch (auth_tok->token_type) {
1149 case ECRYPTFS_PASSWORD:
1150 (*sig) = auth_tok->token.password.signature;
1151 break;
1152 case ECRYPTFS_PRIVATE_KEY:
1153 (*sig) = auth_tok->token.private_key.signature;
1154 break;
1155 default:
1156 printk(KERN_ERR "Cannot get sig for auth_tok of type [%d]\n",
1157 auth_tok->token_type);
1158 rc = -EINVAL;
1159 }
1160 return rc;
1161}
1162
1044/** 1163/**
1045 * ecryptfs_parse_packet_set 1164 * ecryptfs_parse_packet_set
1046 * @dest: The header page in memory 1165 * @dest: The header page in memory
@@ -1058,25 +1177,22 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
1058 struct dentry *ecryptfs_dentry) 1177 struct dentry *ecryptfs_dentry)
1059{ 1178{
1060 size_t i = 0; 1179 size_t i = 0;
1061 size_t found_auth_tok = 0; 1180 size_t found_auth_tok;
1062 size_t next_packet_is_auth_tok_packet; 1181 size_t next_packet_is_auth_tok_packet;
1063 char sig[ECRYPTFS_SIG_SIZE_HEX];
1064 struct list_head auth_tok_list; 1182 struct list_head auth_tok_list;
1065 struct list_head *walker; 1183 struct ecryptfs_auth_tok *matching_auth_tok = NULL;
1066 struct ecryptfs_auth_tok *chosen_auth_tok = NULL;
1067 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
1068 &ecryptfs_superblock_to_private(
1069 ecryptfs_dentry->d_sb)->mount_crypt_stat;
1070 struct ecryptfs_auth_tok *candidate_auth_tok = NULL; 1184 struct ecryptfs_auth_tok *candidate_auth_tok = NULL;
1185 char *candidate_auth_tok_sig;
1071 size_t packet_size; 1186 size_t packet_size;
1072 struct ecryptfs_auth_tok *new_auth_tok; 1187 struct ecryptfs_auth_tok *new_auth_tok;
1073 unsigned char sig_tmp_space[ECRYPTFS_SIG_SIZE]; 1188 unsigned char sig_tmp_space[ECRYPTFS_SIG_SIZE];
1189 struct ecryptfs_auth_tok_list_item *auth_tok_list_item;
1074 size_t tag_11_contents_size; 1190 size_t tag_11_contents_size;
1075 size_t tag_11_packet_size; 1191 size_t tag_11_packet_size;
1076 int rc = 0; 1192 int rc = 0;
1077 1193
1078 INIT_LIST_HEAD(&auth_tok_list); 1194 INIT_LIST_HEAD(&auth_tok_list);
1079 /* Parse the header to find as many packets as we can, these will be 1195 /* Parse the header to find as many packets as we can; these will be
1080 * added the our &auth_tok_list */ 1196 * added the our &auth_tok_list */
1081 next_packet_is_auth_tok_packet = 1; 1197 next_packet_is_auth_tok_packet = 1;
1082 while (next_packet_is_auth_tok_packet) { 1198 while (next_packet_is_auth_tok_packet) {
@@ -1155,73 +1271,86 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
1155 } 1271 }
1156 } 1272 }
1157 if (list_empty(&auth_tok_list)) { 1273 if (list_empty(&auth_tok_list)) {
1158 rc = -EINVAL; /* Do not support non-encrypted files in 1274 printk(KERN_ERR "The lower file appears to be a non-encrypted "
1159 * the 0.1 release */ 1275 "eCryptfs file; this is not supported in this version "
1276 "of the eCryptfs kernel module\n");
1277 rc = -EINVAL;
1160 goto out; 1278 goto out;
1161 } 1279 }
1162 /* If we have a global auth tok, then we should try to use 1280 /* auth_tok_list contains the set of authentication tokens
1163 * it */ 1281 * parsed from the metadata. We need to find a matching
1164 if (mount_crypt_stat->global_auth_tok) { 1282 * authentication token that has the secret component(s)
1165 memcpy(sig, mount_crypt_stat->global_auth_tok_sig, 1283 * necessary to decrypt the EFEK in the auth_tok parsed from
1166 ECRYPTFS_SIG_SIZE_HEX); 1284 * the metadata. There may be several potential matches, but
1167 chosen_auth_tok = mount_crypt_stat->global_auth_tok; 1285 * just one will be sufficient to decrypt to get the FEK. */
1168 } else 1286find_next_matching_auth_tok:
1169 BUG(); /* We should always have a global auth tok in 1287 found_auth_tok = 0;
1170 * the 0.1 release */ 1288 list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) {
1171 /* Scan list to see if our chosen_auth_tok works */
1172 list_for_each(walker, &auth_tok_list) {
1173 struct ecryptfs_auth_tok_list_item *auth_tok_list_item;
1174 auth_tok_list_item =
1175 list_entry(walker, struct ecryptfs_auth_tok_list_item,
1176 list);
1177 candidate_auth_tok = &auth_tok_list_item->auth_tok; 1289 candidate_auth_tok = &auth_tok_list_item->auth_tok;
1178 if (unlikely(ecryptfs_verbosity > 0)) { 1290 if (unlikely(ecryptfs_verbosity > 0)) {
1179 ecryptfs_printk(KERN_DEBUG, 1291 ecryptfs_printk(KERN_DEBUG,
1180 "Considering cadidate auth tok:\n"); 1292 "Considering cadidate auth tok:\n");
1181 ecryptfs_dump_auth_tok(candidate_auth_tok); 1293 ecryptfs_dump_auth_tok(candidate_auth_tok);
1182 } 1294 }
1183 /* TODO: Replace ECRYPTFS_SIG_SIZE_HEX w/ dynamic value */ 1295 if ((rc = ecryptfs_get_auth_tok_sig(&candidate_auth_tok_sig,
1184 if (candidate_auth_tok->token_type == ECRYPTFS_PASSWORD 1296 candidate_auth_tok))) {
1185 && !strncmp(candidate_auth_tok->token.password.signature, 1297 printk(KERN_ERR
1186 sig, ECRYPTFS_SIG_SIZE_HEX)) { 1298 "Unrecognized candidate auth tok type: [%d]\n",
1187 found_auth_tok = 1; 1299 candidate_auth_tok->token_type);
1188 goto leave_list; 1300 rc = -EINVAL;
1189 /* TODO: Transfer the common salt into the 1301 goto out_wipe_list;
1190 * crypt_stat salt */ 1302 }
1191 } else if ((candidate_auth_tok->token_type 1303 if ((rc = ecryptfs_find_auth_tok_for_sig(
1192 == ECRYPTFS_PRIVATE_KEY) 1304 &matching_auth_tok, crypt_stat,
1193 && !strncmp(candidate_auth_tok->token.private_key.signature, 1305 candidate_auth_tok_sig)))
1194 sig, ECRYPTFS_SIG_SIZE_HEX)) { 1306 rc = 0;
1307 if (matching_auth_tok) {
1195 found_auth_tok = 1; 1308 found_auth_tok = 1;
1196 goto leave_list; 1309 goto found_matching_auth_tok;
1197 } 1310 }
1198 } 1311 }
1199 if (!found_auth_tok) { 1312 if (!found_auth_tok) {
1200 ecryptfs_printk(KERN_ERR, "Could not find authentication " 1313 ecryptfs_printk(KERN_ERR, "Could not find a usable "
1201 "token on temporary list for sig [%.*s]\n", 1314 "authentication token\n");
1202 ECRYPTFS_SIG_SIZE_HEX, sig);
1203 rc = -EIO; 1315 rc = -EIO;
1204 goto out_wipe_list; 1316 goto out_wipe_list;
1205 } 1317 }
1206leave_list: 1318found_matching_auth_tok:
1207 rc = -ENOTSUPP;
1208 if (candidate_auth_tok->token_type == ECRYPTFS_PRIVATE_KEY) { 1319 if (candidate_auth_tok->token_type == ECRYPTFS_PRIVATE_KEY) {
1209 memcpy(&(candidate_auth_tok->token.private_key), 1320 memcpy(&(candidate_auth_tok->token.private_key),
1210 &(chosen_auth_tok->token.private_key), 1321 &(matching_auth_tok->token.private_key),
1211 sizeof(struct ecryptfs_private_key)); 1322 sizeof(struct ecryptfs_private_key));
1212 rc = decrypt_pki_encrypted_session_key(mount_crypt_stat, 1323 rc = decrypt_pki_encrypted_session_key(candidate_auth_tok,
1213 candidate_auth_tok,
1214 crypt_stat); 1324 crypt_stat);
1215 } else if (candidate_auth_tok->token_type == ECRYPTFS_PASSWORD) { 1325 } else if (candidate_auth_tok->token_type == ECRYPTFS_PASSWORD) {
1216 memcpy(&(candidate_auth_tok->token.password), 1326 memcpy(&(candidate_auth_tok->token.password),
1217 &(chosen_auth_tok->token.password), 1327 &(matching_auth_tok->token.password),
1218 sizeof(struct ecryptfs_password)); 1328 sizeof(struct ecryptfs_password));
1219 rc = decrypt_session_key(candidate_auth_tok, crypt_stat); 1329 rc = decrypt_passphrase_encrypted_session_key(
1330 candidate_auth_tok, crypt_stat);
1220 } 1331 }
1221 if (rc) { 1332 if (rc) {
1222 ecryptfs_printk(KERN_ERR, "Error decrypting the " 1333 struct ecryptfs_auth_tok_list_item *auth_tok_list_item_tmp;
1223 "session key; rc = [%d]\n", rc); 1334
1224 goto out_wipe_list; 1335 ecryptfs_printk(KERN_WARNING, "Error decrypting the "
1336 "session key for authentication token with sig "
1337 "[%.*s]; rc = [%d]. Removing auth tok "
1338 "candidate from the list and searching for "
1339 "the next match.\n", candidate_auth_tok_sig,
1340 ECRYPTFS_SIG_SIZE_HEX, rc);
1341 list_for_each_entry_safe(auth_tok_list_item,
1342 auth_tok_list_item_tmp,
1343 &auth_tok_list, list) {
1344 if (candidate_auth_tok
1345 == &auth_tok_list_item->auth_tok) {
1346 list_del(&auth_tok_list_item->list);
1347 kmem_cache_free(
1348 ecryptfs_auth_tok_list_item_cache,
1349 auth_tok_list_item);
1350 goto find_next_matching_auth_tok;
1351 }
1352 }
1353 BUG();
1225 } 1354 }
1226 rc = ecryptfs_compute_root_iv(crypt_stat); 1355 rc = ecryptfs_compute_root_iv(crypt_stat);
1227 if (rc) { 1356 if (rc) {
@@ -1240,6 +1369,7 @@ out_wipe_list:
1240out: 1369out:
1241 return rc; 1370 return rc;
1242} 1371}
1372
1243static int 1373static int
1244pki_encrypt_session_key(struct ecryptfs_auth_tok *auth_tok, 1374pki_encrypt_session_key(struct ecryptfs_auth_tok *auth_tok,
1245 struct ecryptfs_crypt_stat *crypt_stat, 1375 struct ecryptfs_crypt_stat *crypt_stat,
@@ -1291,15 +1421,15 @@ out:
1291 * Returns zero on success; non-zero on error. 1421 * Returns zero on success; non-zero on error.
1292 */ 1422 */
1293static int 1423static int
1294write_tag_1_packet(char *dest, size_t max, struct ecryptfs_auth_tok *auth_tok, 1424write_tag_1_packet(char *dest, size_t *remaining_bytes,
1425 struct ecryptfs_auth_tok *auth_tok,
1295 struct ecryptfs_crypt_stat *crypt_stat, 1426 struct ecryptfs_crypt_stat *crypt_stat,
1296 struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
1297 struct ecryptfs_key_record *key_rec, size_t *packet_size) 1427 struct ecryptfs_key_record *key_rec, size_t *packet_size)
1298{ 1428{
1299 size_t i; 1429 size_t i;
1300 size_t encrypted_session_key_valid = 0; 1430 size_t encrypted_session_key_valid = 0;
1301 size_t key_rec_size;
1302 size_t packet_size_length; 1431 size_t packet_size_length;
1432 size_t max_packet_size;
1303 int rc = 0; 1433 int rc = 0;
1304 1434
1305 (*packet_size) = 0; 1435 (*packet_size) = 0;
@@ -1329,37 +1459,23 @@ write_tag_1_packet(char *dest, size_t max, struct ecryptfs_auth_tok *auth_tok,
1329 ecryptfs_dump_hex(key_rec->enc_key, key_rec->enc_key_size); 1459 ecryptfs_dump_hex(key_rec->enc_key, key_rec->enc_key_size);
1330 } 1460 }
1331encrypted_session_key_set: 1461encrypted_session_key_set:
1332 /* Now we have a valid key_rec. Append it to the 1462 /* This format is inspired by OpenPGP; see RFC 2440
1333 * key_rec set. */ 1463 * packet tag 1 */
1334 key_rec_size = (sizeof(struct ecryptfs_key_record) 1464 max_packet_size = (1 /* Tag 1 identifier */
1335 - ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 1465 + 3 /* Max Tag 1 packet size */
1336 + (key_rec->enc_key_size)); 1466 + 1 /* Version */
1337 /* TODO: Include a packet size limit as a parameter to this 1467 + ECRYPTFS_SIG_SIZE /* Key identifier */
1338 * function once we have multi-packet headers (for versions 1468 + 1 /* Cipher identifier */
1339 * later than 0.1 */ 1469 + key_rec->enc_key_size); /* Encrypted key size */
1340 if (key_rec_size >= ECRYPTFS_MAX_KEYSET_SIZE) { 1470 if (max_packet_size > (*remaining_bytes)) {
1341 ecryptfs_printk(KERN_ERR, "Keyset too large\n"); 1471 printk(KERN_ERR "Packet length larger than maximum allowable; "
1342 rc = -EINVAL; 1472 "need up to [%d] bytes, but there are only [%d] "
1343 goto out; 1473 "available\n", max_packet_size, (*remaining_bytes));
1344 }
1345 /* ***** TAG 1 Packet Format *****
1346 * | version number | 1 byte |
1347 * | key ID | 8 bytes |
1348 * | public key algorithm | 1 byte |
1349 * | encrypted session key | arbitrary |
1350 */
1351 if ((0x02 + ECRYPTFS_SIG_SIZE + key_rec->enc_key_size) >= max) {
1352 ecryptfs_printk(KERN_ERR,
1353 "Authentication token is too large\n");
1354 rc = -EINVAL; 1474 rc = -EINVAL;
1355 goto out; 1475 goto out;
1356 } 1476 }
1357 dest[(*packet_size)++] = ECRYPTFS_TAG_1_PACKET_TYPE; 1477 dest[(*packet_size)++] = ECRYPTFS_TAG_1_PACKET_TYPE;
1358 /* This format is inspired by OpenPGP; see RFC 2440 1478 rc = write_packet_length(&dest[(*packet_size)], (max_packet_size - 4),
1359 * packet tag 1 */
1360 rc = write_packet_length(&dest[(*packet_size)],
1361 (0x02 + ECRYPTFS_SIG_SIZE +
1362 key_rec->enc_key_size),
1363 &packet_size_length); 1479 &packet_size_length);
1364 if (rc) { 1480 if (rc) {
1365 ecryptfs_printk(KERN_ERR, "Error generating tag 1 packet " 1481 ecryptfs_printk(KERN_ERR, "Error generating tag 1 packet "
@@ -1377,6 +1493,8 @@ encrypted_session_key_set:
1377out: 1493out:
1378 if (rc) 1494 if (rc)
1379 (*packet_size) = 0; 1495 (*packet_size) = 0;
1496 else
1497 (*remaining_bytes) -= (*packet_size);
1380 return rc; 1498 return rc;
1381} 1499}
1382 1500
@@ -1448,19 +1566,22 @@ write_tag_11_packet(char *dest, int max, char *contents, size_t contents_length,
1448 * Returns zero on success; non-zero on error. 1566 * Returns zero on success; non-zero on error.
1449 */ 1567 */
1450static int 1568static int
1451write_tag_3_packet(char *dest, size_t max, struct ecryptfs_auth_tok *auth_tok, 1569write_tag_3_packet(char *dest, size_t *remaining_bytes,
1570 struct ecryptfs_auth_tok *auth_tok,
1452 struct ecryptfs_crypt_stat *crypt_stat, 1571 struct ecryptfs_crypt_stat *crypt_stat,
1453 struct ecryptfs_key_record *key_rec, size_t *packet_size) 1572 struct ecryptfs_key_record *key_rec, size_t *packet_size)
1454{ 1573{
1455 size_t i; 1574 size_t i;
1456 size_t encrypted_session_key_valid = 0; 1575 size_t encrypted_session_key_valid = 0;
1457 char session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES]; 1576 char session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES];
1458 struct scatterlist dest_sg[2]; 1577 struct scatterlist dst_sg;
1459 struct scatterlist src_sg[2]; 1578 struct scatterlist src_sg;
1460 struct mutex *tfm_mutex = NULL; 1579 struct mutex *tfm_mutex = NULL;
1461 size_t key_rec_size;
1462 size_t packet_size_length;
1463 size_t cipher_code; 1580 size_t cipher_code;
1581 size_t packet_size_length;
1582 size_t max_packet_size;
1583 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
1584 crypt_stat->mount_crypt_stat;
1464 struct blkcipher_desc desc = { 1585 struct blkcipher_desc desc = {
1465 .tfm = NULL, 1586 .tfm = NULL,
1466 .flags = CRYPTO_TFM_REQ_MAY_SLEEP 1587 .flags = CRYPTO_TFM_REQ_MAY_SLEEP
@@ -1470,16 +1591,25 @@ write_tag_3_packet(char *dest, size_t max, struct ecryptfs_auth_tok *auth_tok,
1470 (*packet_size) = 0; 1591 (*packet_size) = 0;
1471 ecryptfs_from_hex(key_rec->sig, auth_tok->token.password.signature, 1592 ecryptfs_from_hex(key_rec->sig, auth_tok->token.password.signature,
1472 ECRYPTFS_SIG_SIZE); 1593 ECRYPTFS_SIG_SIZE);
1473 encrypted_session_key_valid = 0; 1594 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&desc.tfm, &tfm_mutex,
1474 for (i = 0; i < crypt_stat->key_size; i++) 1595 crypt_stat->cipher);
1475 encrypted_session_key_valid |= 1596 if (unlikely(rc)) {
1476 auth_tok->session_key.encrypted_key[i]; 1597 printk(KERN_ERR "Internal error whilst attempting to get "
1477 if (encrypted_session_key_valid) { 1598 "tfm and mutex for cipher name [%s]; rc = [%d]\n",
1478 memcpy(key_rec->enc_key, 1599 crypt_stat->cipher, rc);
1479 auth_tok->session_key.encrypted_key, 1600 goto out;
1480 auth_tok->session_key.encrypted_key_size); 1601 }
1481 goto encrypted_session_key_set; 1602 if (mount_crypt_stat->global_default_cipher_key_size == 0) {
1603 struct blkcipher_alg *alg = crypto_blkcipher_alg(desc.tfm);
1604
1605 printk(KERN_WARNING "No key size specified at mount; "
1606 "defaulting to [%d]\n", alg->max_keysize);
1607 mount_crypt_stat->global_default_cipher_key_size =
1608 alg->max_keysize;
1482 } 1609 }
1610 if (crypt_stat->key_size == 0)
1611 crypt_stat->key_size =
1612 mount_crypt_stat->global_default_cipher_key_size;
1483 if (auth_tok->session_key.encrypted_key_size == 0) 1613 if (auth_tok->session_key.encrypted_key_size == 0)
1484 auth_tok->session_key.encrypted_key_size = 1614 auth_tok->session_key.encrypted_key_size =
1485 crypt_stat->key_size; 1615 crypt_stat->key_size;
@@ -1487,9 +1617,24 @@ write_tag_3_packet(char *dest, size_t max, struct ecryptfs_auth_tok *auth_tok,
1487 && strcmp("aes", crypt_stat->cipher) == 0) { 1617 && strcmp("aes", crypt_stat->cipher) == 0) {
1488 memset((crypt_stat->key + 24), 0, 8); 1618 memset((crypt_stat->key + 24), 0, 8);
1489 auth_tok->session_key.encrypted_key_size = 32; 1619 auth_tok->session_key.encrypted_key_size = 32;
1490 } 1620 } else
1621 auth_tok->session_key.encrypted_key_size = crypt_stat->key_size;
1491 key_rec->enc_key_size = 1622 key_rec->enc_key_size =
1492 auth_tok->session_key.encrypted_key_size; 1623 auth_tok->session_key.encrypted_key_size;
1624 encrypted_session_key_valid = 0;
1625 for (i = 0; i < auth_tok->session_key.encrypted_key_size; i++)
1626 encrypted_session_key_valid |=
1627 auth_tok->session_key.encrypted_key[i];
1628 if (encrypted_session_key_valid) {
1629 ecryptfs_printk(KERN_DEBUG, "encrypted_session_key_valid != 0; "
1630 "using auth_tok->session_key.encrypted_key, "
1631 "where key_rec->enc_key_size = [%d]\n",
1632 key_rec->enc_key_size);
1633 memcpy(key_rec->enc_key,
1634 auth_tok->session_key.encrypted_key,
1635 key_rec->enc_key_size);
1636 goto encrypted_session_key_set;
1637 }
1493 if (auth_tok->token.password.flags & 1638 if (auth_tok->token.password.flags &
1494 ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET) { 1639 ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET) {
1495 ecryptfs_printk(KERN_DEBUG, "Using previously generated " 1640 ecryptfs_printk(KERN_DEBUG, "Using previously generated "
@@ -1508,54 +1653,32 @@ write_tag_3_packet(char *dest, size_t max, struct ecryptfs_auth_tok *auth_tok,
1508 ecryptfs_printk(KERN_DEBUG, "Session key encryption key:\n"); 1653 ecryptfs_printk(KERN_DEBUG, "Session key encryption key:\n");
1509 ecryptfs_dump_hex(session_key_encryption_key, 16); 1654 ecryptfs_dump_hex(session_key_encryption_key, 16);
1510 } 1655 }
1511 rc = virt_to_scatterlist(crypt_stat->key, 1656 if ((rc = virt_to_scatterlist(crypt_stat->key,
1512 key_rec->enc_key_size, src_sg, 2); 1657 key_rec->enc_key_size, &src_sg, 1))
1513 if (!rc) { 1658 != 1) {
1514 ecryptfs_printk(KERN_ERR, "Error generating scatterlist " 1659 ecryptfs_printk(KERN_ERR, "Error generating scatterlist "
1515 "for crypt_stat session key\n"); 1660 "for crypt_stat session key; expected rc = 1; "
1661 "got rc = [%d]. key_rec->enc_key_size = [%d]\n",
1662 rc, key_rec->enc_key_size);
1516 rc = -ENOMEM; 1663 rc = -ENOMEM;
1517 goto out; 1664 goto out;
1518 } 1665 }
1519 rc = virt_to_scatterlist(key_rec->enc_key, 1666 if ((rc = virt_to_scatterlist(key_rec->enc_key,
1520 key_rec->enc_key_size, dest_sg, 2); 1667 key_rec->enc_key_size, &dst_sg, 1))
1521 if (!rc) { 1668 != 1) {
1522 ecryptfs_printk(KERN_ERR, "Error generating scatterlist " 1669 ecryptfs_printk(KERN_ERR, "Error generating scatterlist "
1523 "for crypt_stat encrypted session key\n"); 1670 "for crypt_stat encrypted session key; "
1671 "expected rc = 1; got rc = [%d]. "
1672 "key_rec->enc_key_size = [%d]\n", rc,
1673 key_rec->enc_key_size);
1524 rc = -ENOMEM; 1674 rc = -ENOMEM;
1525 goto out; 1675 goto out;
1526 } 1676 }
1527 if (!strcmp(crypt_stat->cipher, 1677 mutex_lock(tfm_mutex);
1528 crypt_stat->mount_crypt_stat->global_default_cipher_name)
1529 && crypt_stat->mount_crypt_stat->global_key_tfm) {
1530 desc.tfm = crypt_stat->mount_crypt_stat->global_key_tfm;
1531 tfm_mutex = &crypt_stat->mount_crypt_stat->global_key_tfm_mutex;
1532 } else {
1533 char *full_alg_name;
1534
1535 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name,
1536 crypt_stat->cipher,
1537 "ecb");
1538 if (rc)
1539 goto out;
1540 desc.tfm = crypto_alloc_blkcipher(full_alg_name, 0,
1541 CRYPTO_ALG_ASYNC);
1542 kfree(full_alg_name);
1543 if (IS_ERR(desc.tfm)) {
1544 rc = PTR_ERR(desc.tfm);
1545 ecryptfs_printk(KERN_ERR, "Could not initialize crypto "
1546 "context for cipher [%s]; rc = [%d]\n",
1547 crypt_stat->cipher, rc);
1548 goto out;
1549 }
1550 crypto_blkcipher_set_flags(desc.tfm, CRYPTO_TFM_REQ_WEAK_KEY);
1551 }
1552 if (tfm_mutex)
1553 mutex_lock(tfm_mutex);
1554 rc = crypto_blkcipher_setkey(desc.tfm, session_key_encryption_key, 1678 rc = crypto_blkcipher_setkey(desc.tfm, session_key_encryption_key,
1555 crypt_stat->key_size); 1679 crypt_stat->key_size);
1556 if (rc < 0) { 1680 if (rc < 0) {
1557 if (tfm_mutex) 1681 mutex_unlock(tfm_mutex);
1558 mutex_unlock(tfm_mutex);
1559 ecryptfs_printk(KERN_ERR, "Error setting key for crypto " 1682 ecryptfs_printk(KERN_ERR, "Error setting key for crypto "
1560 "context; rc = [%d]\n", rc); 1683 "context; rc = [%d]\n", rc);
1561 goto out; 1684 goto out;
@@ -1563,56 +1686,53 @@ write_tag_3_packet(char *dest, size_t max, struct ecryptfs_auth_tok *auth_tok,
1563 rc = 0; 1686 rc = 0;
1564 ecryptfs_printk(KERN_DEBUG, "Encrypting [%d] bytes of the key\n", 1687 ecryptfs_printk(KERN_DEBUG, "Encrypting [%d] bytes of the key\n",
1565 crypt_stat->key_size); 1688 crypt_stat->key_size);
1566 rc = crypto_blkcipher_encrypt(&desc, dest_sg, src_sg, 1689 rc = crypto_blkcipher_encrypt(&desc, &dst_sg, &src_sg,
1567 (*key_rec).enc_key_size); 1690 (*key_rec).enc_key_size);
1691 mutex_unlock(tfm_mutex);
1568 if (rc) { 1692 if (rc) {
1569 printk(KERN_ERR "Error encrypting; rc = [%d]\n", rc); 1693 printk(KERN_ERR "Error encrypting; rc = [%d]\n", rc);
1570 goto out; 1694 goto out;
1571 } 1695 }
1572 if (tfm_mutex)
1573 mutex_unlock(tfm_mutex);
1574 ecryptfs_printk(KERN_DEBUG, "This should be the encrypted key:\n"); 1696 ecryptfs_printk(KERN_DEBUG, "This should be the encrypted key:\n");
1575 if (ecryptfs_verbosity > 0) 1697 if (ecryptfs_verbosity > 0) {
1698 ecryptfs_printk(KERN_DEBUG, "EFEK of size [%d]:\n",
1699 key_rec->enc_key_size);
1576 ecryptfs_dump_hex(key_rec->enc_key, 1700 ecryptfs_dump_hex(key_rec->enc_key,
1577 key_rec->enc_key_size); 1701 key_rec->enc_key_size);
1578encrypted_session_key_set:
1579 /* Now we have a valid key_rec. Append it to the
1580 * key_rec set. */
1581 key_rec_size = (sizeof(struct ecryptfs_key_record)
1582 - ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES
1583 + (key_rec->enc_key_size));
1584 /* TODO: Include a packet size limit as a parameter to this
1585 * function once we have multi-packet headers (for versions
1586 * later than 0.1 */
1587 if (key_rec_size >= ECRYPTFS_MAX_KEYSET_SIZE) {
1588 ecryptfs_printk(KERN_ERR, "Keyset too large\n");
1589 rc = -EINVAL;
1590 goto out;
1591 } 1702 }
1592 /* TODO: Packet size limit */ 1703encrypted_session_key_set:
1593 /* We have 5 bytes of surrounding packet data */ 1704 /* This format is inspired by OpenPGP; see RFC 2440
1594 if ((0x05 + ECRYPTFS_SALT_SIZE 1705 * packet tag 3 */
1595 + key_rec->enc_key_size) >= max) { 1706 max_packet_size = (1 /* Tag 3 identifier */
1596 ecryptfs_printk(KERN_ERR, "Authentication token is too " 1707 + 3 /* Max Tag 3 packet size */
1597 "large\n"); 1708 + 1 /* Version */
1709 + 1 /* Cipher code */
1710 + 1 /* S2K specifier */
1711 + 1 /* Hash identifier */
1712 + ECRYPTFS_SALT_SIZE /* Salt */
1713 + 1 /* Hash iterations */
1714 + key_rec->enc_key_size); /* Encrypted key size */
1715 if (max_packet_size > (*remaining_bytes)) {
1716 printk(KERN_ERR "Packet too large; need up to [%d] bytes, but "
1717 "there are only [%d] available\n", max_packet_size,
1718 (*remaining_bytes));
1598 rc = -EINVAL; 1719 rc = -EINVAL;
1599 goto out; 1720 goto out;
1600 } 1721 }
1601 /* This format is inspired by OpenPGP; see RFC 2440
1602 * packet tag 3 */
1603 dest[(*packet_size)++] = ECRYPTFS_TAG_3_PACKET_TYPE; 1722 dest[(*packet_size)++] = ECRYPTFS_TAG_3_PACKET_TYPE;
1604 /* ver+cipher+s2k+hash+salt+iter+enc_key */ 1723 /* Chop off the Tag 3 identifier(1) and Tag 3 packet size(3)
1605 rc = write_packet_length(&dest[(*packet_size)], 1724 * to get the number of octets in the actual Tag 3 packet */
1606 (0x05 + ECRYPTFS_SALT_SIZE 1725 rc = write_packet_length(&dest[(*packet_size)], (max_packet_size - 4),
1607 + key_rec->enc_key_size),
1608 &packet_size_length); 1726 &packet_size_length);
1609 if (rc) { 1727 if (rc) {
1610 ecryptfs_printk(KERN_ERR, "Error generating tag 3 packet " 1728 printk(KERN_ERR "Error generating tag 3 packet header; cannot "
1611 "header; cannot generate packet length\n"); 1729 "generate packet length. rc = [%d]\n", rc);
1612 goto out; 1730 goto out;
1613 } 1731 }
1614 (*packet_size) += packet_size_length; 1732 (*packet_size) += packet_size_length;
1615 dest[(*packet_size)++] = 0x04; /* version 4 */ 1733 dest[(*packet_size)++] = 0x04; /* version 4 */
1734 /* TODO: Break from RFC2440 so that arbitrary ciphers can be
1735 * specified with strings */
1616 cipher_code = ecryptfs_code_for_cipher_string(crypt_stat); 1736 cipher_code = ecryptfs_code_for_cipher_string(crypt_stat);
1617 if (cipher_code == 0) { 1737 if (cipher_code == 0) {
1618 ecryptfs_printk(KERN_WARNING, "Unable to generate code for " 1738 ecryptfs_printk(KERN_WARNING, "Unable to generate code for "
@@ -1631,10 +1751,10 @@ encrypted_session_key_set:
1631 key_rec->enc_key_size); 1751 key_rec->enc_key_size);
1632 (*packet_size) += key_rec->enc_key_size; 1752 (*packet_size) += key_rec->enc_key_size;
1633out: 1753out:
1634 if (desc.tfm && !tfm_mutex)
1635 crypto_free_blkcipher(desc.tfm);
1636 if (rc) 1754 if (rc)
1637 (*packet_size) = 0; 1755 (*packet_size) = 0;
1756 else
1757 (*remaining_bytes) -= (*packet_size);
1638 return rc; 1758 return rc;
1639} 1759}
1640 1760
@@ -1662,24 +1782,43 @@ ecryptfs_generate_key_packet_set(char *dest_base,
1662 size_t max) 1782 size_t max)
1663{ 1783{
1664 struct ecryptfs_auth_tok *auth_tok; 1784 struct ecryptfs_auth_tok *auth_tok;
1785 struct ecryptfs_global_auth_tok *global_auth_tok;
1665 struct ecryptfs_mount_crypt_stat *mount_crypt_stat = 1786 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
1666 &ecryptfs_superblock_to_private( 1787 &ecryptfs_superblock_to_private(
1667 ecryptfs_dentry->d_sb)->mount_crypt_stat; 1788 ecryptfs_dentry->d_sb)->mount_crypt_stat;
1668 size_t written; 1789 size_t written;
1669 struct ecryptfs_key_record *key_rec; 1790 struct ecryptfs_key_record *key_rec;
1791 struct ecryptfs_key_sig *key_sig;
1670 int rc = 0; 1792 int rc = 0;
1671 1793
1672 (*len) = 0; 1794 (*len) = 0;
1795 mutex_lock(&crypt_stat->keysig_list_mutex);
1673 key_rec = kmem_cache_alloc(ecryptfs_key_record_cache, GFP_KERNEL); 1796 key_rec = kmem_cache_alloc(ecryptfs_key_record_cache, GFP_KERNEL);
1674 if (!key_rec) { 1797 if (!key_rec) {
1675 rc = -ENOMEM; 1798 rc = -ENOMEM;
1676 goto out; 1799 goto out;
1677 } 1800 }
1678 if (mount_crypt_stat->global_auth_tok) { 1801 list_for_each_entry(key_sig, &crypt_stat->keysig_list,
1679 auth_tok = mount_crypt_stat->global_auth_tok; 1802 crypt_stat_list) {
1803 memset(key_rec, 0, sizeof(*key_rec));
1804 rc = ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok,
1805 mount_crypt_stat,
1806 key_sig->keysig);
1807 if (rc) {
1808 printk(KERN_ERR "Error attempting to get the global "
1809 "auth_tok; rc = [%d]\n", rc);
1810 goto out_free;
1811 }
1812 if (global_auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID) {
1813 printk(KERN_WARNING
1814 "Skipping invalid auth tok with sig = [%s]\n",
1815 global_auth_tok->sig);
1816 continue;
1817 }
1818 auth_tok = global_auth_tok->global_auth_tok;
1680 if (auth_tok->token_type == ECRYPTFS_PASSWORD) { 1819 if (auth_tok->token_type == ECRYPTFS_PASSWORD) {
1681 rc = write_tag_3_packet((dest_base + (*len)), 1820 rc = write_tag_3_packet((dest_base + (*len)),
1682 max, auth_tok, 1821 &max, auth_tok,
1683 crypt_stat, key_rec, 1822 crypt_stat, key_rec,
1684 &written); 1823 &written);
1685 if (rc) { 1824 if (rc) {
@@ -1689,10 +1828,9 @@ ecryptfs_generate_key_packet_set(char *dest_base,
1689 } 1828 }
1690 (*len) += written; 1829 (*len) += written;
1691 /* Write auth tok signature packet */ 1830 /* Write auth tok signature packet */
1692 rc = write_tag_11_packet( 1831 rc = write_tag_11_packet((dest_base + (*len)), &max,
1693 (dest_base + (*len)), 1832 key_rec->sig,
1694 (max - (*len)), 1833 ECRYPTFS_SIG_SIZE, &written);
1695 key_rec->sig, ECRYPTFS_SIG_SIZE, &written);
1696 if (rc) { 1834 if (rc) {
1697 ecryptfs_printk(KERN_ERR, "Error writing " 1835 ecryptfs_printk(KERN_ERR, "Error writing "
1698 "auth tok signature packet\n"); 1836 "auth tok signature packet\n");
@@ -1701,9 +1839,8 @@ ecryptfs_generate_key_packet_set(char *dest_base,
1701 (*len) += written; 1839 (*len) += written;
1702 } else if (auth_tok->token_type == ECRYPTFS_PRIVATE_KEY) { 1840 } else if (auth_tok->token_type == ECRYPTFS_PRIVATE_KEY) {
1703 rc = write_tag_1_packet(dest_base + (*len), 1841 rc = write_tag_1_packet(dest_base + (*len),
1704 max, auth_tok, 1842 &max, auth_tok,
1705 crypt_stat,mount_crypt_stat, 1843 crypt_stat, key_rec, &written);
1706 key_rec, &written);
1707 if (rc) { 1844 if (rc) {
1708 ecryptfs_printk(KERN_WARNING, "Error " 1845 ecryptfs_printk(KERN_WARNING, "Error "
1709 "writing tag 1 packet\n"); 1846 "writing tag 1 packet\n");
@@ -1716,19 +1853,69 @@ ecryptfs_generate_key_packet_set(char *dest_base,
1716 rc = -EINVAL; 1853 rc = -EINVAL;
1717 goto out_free; 1854 goto out_free;
1718 } 1855 }
1719 } else 1856 }
1720 BUG(); 1857 if (likely(max > 0)) {
1721 if (likely((max - (*len)) > 0)) {
1722 dest_base[(*len)] = 0x00; 1858 dest_base[(*len)] = 0x00;
1723 } else { 1859 } else {
1724 ecryptfs_printk(KERN_ERR, "Error writing boundary byte\n"); 1860 ecryptfs_printk(KERN_ERR, "Error writing boundary byte\n");
1725 rc = -EIO; 1861 rc = -EIO;
1726 } 1862 }
1727
1728out_free: 1863out_free:
1729 kmem_cache_free(ecryptfs_key_record_cache, key_rec); 1864 kmem_cache_free(ecryptfs_key_record_cache, key_rec);
1730out: 1865out:
1731 if (rc) 1866 if (rc)
1732 (*len) = 0; 1867 (*len) = 0;
1868 mutex_unlock(&crypt_stat->keysig_list_mutex);
1869 return rc;
1870}
1871
1872struct kmem_cache *ecryptfs_key_sig_cache;
1873
1874int ecryptfs_add_keysig(struct ecryptfs_crypt_stat *crypt_stat, char *sig)
1875{
1876 struct ecryptfs_key_sig *new_key_sig;
1877 int rc = 0;
1878
1879 new_key_sig = kmem_cache_alloc(ecryptfs_key_sig_cache, GFP_KERNEL);
1880 if (!new_key_sig) {
1881 rc = -ENOMEM;
1882 printk(KERN_ERR
1883 "Error allocating from ecryptfs_key_sig_cache\n");
1884 goto out;
1885 }
1886 memcpy(new_key_sig->keysig, sig, ECRYPTFS_SIG_SIZE_HEX);
1887 mutex_lock(&crypt_stat->keysig_list_mutex);
1888 list_add(&new_key_sig->crypt_stat_list, &crypt_stat->keysig_list);
1889 mutex_unlock(&crypt_stat->keysig_list_mutex);
1890out:
1733 return rc; 1891 return rc;
1734} 1892}
1893
1894struct kmem_cache *ecryptfs_global_auth_tok_cache;
1895
1896int
1897ecryptfs_add_global_auth_tok(struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
1898 char *sig)
1899{
1900 struct ecryptfs_global_auth_tok *new_auth_tok;
1901 int rc = 0;
1902
1903 new_auth_tok = kmem_cache_alloc(ecryptfs_global_auth_tok_cache,
1904 GFP_KERNEL);
1905 if (!new_auth_tok) {
1906 rc = -ENOMEM;
1907 printk(KERN_ERR "Error allocating from "
1908 "ecryptfs_global_auth_tok_cache\n");
1909 goto out;
1910 }
1911 memcpy(new_auth_tok->sig, sig, ECRYPTFS_SIG_SIZE_HEX);
1912 new_auth_tok->sig[ECRYPTFS_SIG_SIZE_HEX] = '\0';
1913 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
1914 list_add(&new_auth_tok->mount_crypt_stat_list,
1915 &mount_crypt_stat->global_auth_tok_list);
1916 mount_crypt_stat->num_global_auth_toks++;
1917 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
1918out:
1919 return rc;
1920}
1921
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-03 02:10:39 -0500