aboutsummaryrefslogtreecommitdiffstats
path: root/fs/ecryptfs/keystore.c
diff options
context:
space:
mode:
authorGlenn Elliott <gelliott@cs.unc.edu>2012-03-04 19:47:13 -0500
committerGlenn Elliott <gelliott@cs.unc.edu>2012-03-04 19:47:13 -0500
commitc71c03bda1e86c9d5198c5d83f712e695c4f2a1e (patch)
treeecb166cb3e2b7e2adb3b5e292245fefd23381ac8 /fs/ecryptfs/keystore.c
parentea53c912f8a86a8567697115b6a0d8152beee5c8 (diff)
parent6a00f206debf8a5c8899055726ad127dbeeed098 (diff)
Merge branch 'mpi-master' into wip-k-fmlpwip-k-fmlp
Conflicts: litmus/sched_cedf.c
Diffstat (limited to 'fs/ecryptfs/keystore.c')
-rw-r--r--fs/ecryptfs/keystore.c365
1 files changed, 231 insertions, 134 deletions
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
index 73811cfa2ea4..27a7fefb83eb 100644
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -59,12 +59,30 @@ static int process_request_key_err(long err_code)
59 break; 59 break;
60 default: 60 default:
61 ecryptfs_printk(KERN_WARNING, "Unknown error code: " 61 ecryptfs_printk(KERN_WARNING, "Unknown error code: "
62 "[0x%.16x]\n", err_code); 62 "[0x%.16lx]\n", err_code);
63 rc = -EINVAL; 63 rc = -EINVAL;
64 } 64 }
65 return rc; 65 return rc;
66} 66}
67 67
68static int process_find_global_auth_tok_for_sig_err(int err_code)
69{
70 int rc = err_code;
71
72 switch (err_code) {
73 case -ENOENT:
74 ecryptfs_printk(KERN_WARNING, "Missing auth tok\n");
75 break;
76 case -EINVAL:
77 ecryptfs_printk(KERN_WARNING, "Invalid auth tok\n");
78 break;
79 default:
80 rc = process_request_key_err(err_code);
81 break;
82 }
83 return rc;
84}
85
68/** 86/**
69 * ecryptfs_parse_packet_length 87 * ecryptfs_parse_packet_length
70 * @data: Pointer to memory containing length at offset 88 * @data: Pointer to memory containing length at offset
@@ -130,7 +148,7 @@ int ecryptfs_write_packet_length(char *dest, size_t size,
130 } else { 148 } else {
131 rc = -EINVAL; 149 rc = -EINVAL;
132 ecryptfs_printk(KERN_WARNING, 150 ecryptfs_printk(KERN_WARNING,
133 "Unsupported packet size: [%d]\n", size); 151 "Unsupported packet size: [%zd]\n", size);
134 } 152 }
135 return rc; 153 return rc;
136} 154}
@@ -403,27 +421,120 @@ out:
403 return rc; 421 return rc;
404} 422}
405 423
424/**
425 * ecryptfs_verify_version
426 * @version: The version number to confirm
427 *
428 * Returns zero on good version; non-zero otherwise
429 */
430static int ecryptfs_verify_version(u16 version)
431{
432 int rc = 0;
433 unsigned char major;
434 unsigned char minor;
435
436 major = ((version >> 8) & 0xFF);
437 minor = (version & 0xFF);
438 if (major != ECRYPTFS_VERSION_MAJOR) {
439 ecryptfs_printk(KERN_ERR, "Major version number mismatch. "
440 "Expected [%d]; got [%d]\n",
441 ECRYPTFS_VERSION_MAJOR, major);
442 rc = -EINVAL;
443 goto out;
444 }
445 if (minor != ECRYPTFS_VERSION_MINOR) {
446 ecryptfs_printk(KERN_ERR, "Minor version number mismatch. "
447 "Expected [%d]; got [%d]\n",
448 ECRYPTFS_VERSION_MINOR, minor);
449 rc = -EINVAL;
450 goto out;
451 }
452out:
453 return rc;
454}
455
456/**
457 * ecryptfs_verify_auth_tok_from_key
458 * @auth_tok_key: key containing the authentication token
459 * @auth_tok: authentication token
460 *
461 * Returns zero on valid auth tok; -EINVAL otherwise
462 */
463static int
464ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key,
465 struct ecryptfs_auth_tok **auth_tok)
466{
467 int rc = 0;
468
469 (*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key);
470 if (ecryptfs_verify_version((*auth_tok)->version)) {
471 printk(KERN_ERR "Data structure version mismatch. Userspace "
472 "tools must match eCryptfs kernel module with major "
473 "version [%d] and minor version [%d]\n",
474 ECRYPTFS_VERSION_MAJOR, ECRYPTFS_VERSION_MINOR);
475 rc = -EINVAL;
476 goto out;
477 }
478 if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD
479 && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) {
480 printk(KERN_ERR "Invalid auth_tok structure "
481 "returned from key query\n");
482 rc = -EINVAL;
483 goto out;
484 }
485out:
486 return rc;
487}
488
406static int 489static int
407ecryptfs_find_global_auth_tok_for_sig( 490ecryptfs_find_global_auth_tok_for_sig(
408 struct ecryptfs_global_auth_tok **global_auth_tok, 491 struct key **auth_tok_key,
492 struct ecryptfs_auth_tok **auth_tok,
409 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, char *sig) 493 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, char *sig)
410{ 494{
411 struct ecryptfs_global_auth_tok *walker; 495 struct ecryptfs_global_auth_tok *walker;
412 int rc = 0; 496 int rc = 0;
413 497
414 (*global_auth_tok) = NULL; 498 (*auth_tok_key) = NULL;
499 (*auth_tok) = NULL;
415 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); 500 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
416 list_for_each_entry(walker, 501 list_for_each_entry(walker,
417 &mount_crypt_stat->global_auth_tok_list, 502 &mount_crypt_stat->global_auth_tok_list,
418 mount_crypt_stat_list) { 503 mount_crypt_stat_list) {
419 if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX) == 0) { 504 if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX))
420 rc = key_validate(walker->global_auth_tok_key); 505 continue;
421 if (!rc) 506
422 (*global_auth_tok) = walker; 507 if (walker->flags & ECRYPTFS_AUTH_TOK_INVALID) {
508 rc = -EINVAL;
423 goto out; 509 goto out;
424 } 510 }
511
512 rc = key_validate(walker->global_auth_tok_key);
513 if (rc) {
514 if (rc == -EKEYEXPIRED)
515 goto out;
516 goto out_invalid_auth_tok;
517 }
518
519 down_write(&(walker->global_auth_tok_key->sem));
520 rc = ecryptfs_verify_auth_tok_from_key(
521 walker->global_auth_tok_key, auth_tok);
522 if (rc)
523 goto out_invalid_auth_tok_unlock;
524
525 (*auth_tok_key) = walker->global_auth_tok_key;
526 key_get(*auth_tok_key);
527 goto out;
425 } 528 }
426 rc = -EINVAL; 529 rc = -ENOENT;
530 goto out;
531out_invalid_auth_tok_unlock:
532 up_write(&(walker->global_auth_tok_key->sem));
533out_invalid_auth_tok:
534 printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig);
535 walker->flags |= ECRYPTFS_AUTH_TOK_INVALID;
536 key_put(walker->global_auth_tok_key);
537 walker->global_auth_tok_key = NULL;
427out: 538out:
428 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); 539 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
429 return rc; 540 return rc;
@@ -446,22 +557,28 @@ out:
446 */ 557 */
447static int 558static int
448ecryptfs_find_auth_tok_for_sig( 559ecryptfs_find_auth_tok_for_sig(
560 struct key **auth_tok_key,
449 struct ecryptfs_auth_tok **auth_tok, 561 struct ecryptfs_auth_tok **auth_tok,
450 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, 562 struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
451 char *sig) 563 char *sig)
452{ 564{
453 struct ecryptfs_global_auth_tok *global_auth_tok;
454 int rc = 0; 565 int rc = 0;
455 566
456 (*auth_tok) = NULL; 567 rc = ecryptfs_find_global_auth_tok_for_sig(auth_tok_key, auth_tok,
457 if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok, 568 mount_crypt_stat, sig);
458 mount_crypt_stat, sig)) { 569 if (rc == -ENOENT) {
459 struct key *auth_tok_key; 570 /* if the flag ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY is set in the
460 571 * mount_crypt_stat structure, we prevent to use auth toks that
461 rc = ecryptfs_keyring_auth_tok_for_sig(&auth_tok_key, auth_tok, 572 * are not inserted through the ecryptfs_add_global_auth_tok
573 * function.
574 */
575 if (mount_crypt_stat->flags
576 & ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY)
577 return -EINVAL;
578
579 rc = ecryptfs_keyring_auth_tok_for_sig(auth_tok_key, auth_tok,
462 sig); 580 sig);
463 } else 581 }
464 (*auth_tok) = global_auth_tok->global_auth_tok;
465 return rc; 582 return rc;
466} 583}
467 584
@@ -482,8 +599,8 @@ struct ecryptfs_write_tag_70_packet_silly_stack {
482 struct mutex *tfm_mutex; 599 struct mutex *tfm_mutex;
483 char *block_aligned_filename; 600 char *block_aligned_filename;
484 struct ecryptfs_auth_tok *auth_tok; 601 struct ecryptfs_auth_tok *auth_tok;
485 struct scatterlist src_sg; 602 struct scatterlist src_sg[2];
486 struct scatterlist dst_sg; 603 struct scatterlist dst_sg[2];
487 struct blkcipher_desc desc; 604 struct blkcipher_desc desc;
488 char iv[ECRYPTFS_MAX_IV_BYTES]; 605 char iv[ECRYPTFS_MAX_IV_BYTES];
489 char hash[ECRYPTFS_TAG_70_DIGEST_SIZE]; 606 char hash[ECRYPTFS_TAG_70_DIGEST_SIZE];
@@ -509,6 +626,7 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
509 char *filename, size_t filename_size) 626 char *filename, size_t filename_size)
510{ 627{
511 struct ecryptfs_write_tag_70_packet_silly_stack *s; 628 struct ecryptfs_write_tag_70_packet_silly_stack *s;
629 struct key *auth_tok_key = NULL;
512 int rc = 0; 630 int rc = 0;
513 631
514 s = kmalloc(sizeof(*s), GFP_KERNEL); 632 s = kmalloc(sizeof(*s), GFP_KERNEL);
@@ -520,6 +638,16 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
520 } 638 }
521 s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP; 639 s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP;
522 (*packet_size) = 0; 640 (*packet_size) = 0;
641 rc = ecryptfs_find_auth_tok_for_sig(
642 &auth_tok_key,
643 &s->auth_tok, mount_crypt_stat,
644 mount_crypt_stat->global_default_fnek_sig);
645 if (rc) {
646 printk(KERN_ERR "%s: Error attempting to find auth tok for "
647 "fnek sig [%s]; rc = [%d]\n", __func__,
648 mount_crypt_stat->global_default_fnek_sig, rc);
649 goto out;
650 }
523 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name( 651 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(
524 &s->desc.tfm, 652 &s->desc.tfm,
525 &s->tfm_mutex, mount_crypt_stat->global_default_fn_cipher_name); 653 &s->tfm_mutex, mount_crypt_stat->global_default_fn_cipher_name);
@@ -605,15 +733,6 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
605 goto out_free_unlock; 733 goto out_free_unlock;
606 } 734 }
607 dest[s->i++] = s->cipher_code; 735 dest[s->i++] = s->cipher_code;
608 rc = ecryptfs_find_auth_tok_for_sig(
609 &s->auth_tok, mount_crypt_stat,
610 mount_crypt_stat->global_default_fnek_sig);
611 if (rc) {
612 printk(KERN_ERR "%s: Error attempting to find auth tok for "
613 "fnek sig [%s]; rc = [%d]\n", __func__,
614 mount_crypt_stat->global_default_fnek_sig, rc);
615 goto out_free_unlock;
616 }
617 /* TODO: Support other key modules than passphrase for 736 /* TODO: Support other key modules than passphrase for
618 * filename encryption */ 737 * filename encryption */
619 if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) { 738 if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) {
@@ -697,23 +816,21 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
697 memcpy(&s->block_aligned_filename[s->num_rand_bytes], filename, 816 memcpy(&s->block_aligned_filename[s->num_rand_bytes], filename,
698 filename_size); 817 filename_size);
699 rc = virt_to_scatterlist(s->block_aligned_filename, 818 rc = virt_to_scatterlist(s->block_aligned_filename,
700 s->block_aligned_filename_size, &s->src_sg, 1); 819 s->block_aligned_filename_size, s->src_sg, 2);
701 if (rc != 1) { 820 if (rc < 1) {
702 printk(KERN_ERR "%s: Internal error whilst attempting to " 821 printk(KERN_ERR "%s: Internal error whilst attempting to "
703 "convert filename memory to scatterlist; " 822 "convert filename memory to scatterlist; rc = [%d]. "
704 "expected rc = 1; got rc = [%d]. "
705 "block_aligned_filename_size = [%zd]\n", __func__, rc, 823 "block_aligned_filename_size = [%zd]\n", __func__, rc,
706 s->block_aligned_filename_size); 824 s->block_aligned_filename_size);
707 goto out_release_free_unlock; 825 goto out_release_free_unlock;
708 } 826 }
709 rc = virt_to_scatterlist(&dest[s->i], s->block_aligned_filename_size, 827 rc = virt_to_scatterlist(&dest[s->i], s->block_aligned_filename_size,
710 &s->dst_sg, 1); 828 s->dst_sg, 2);
711 if (rc != 1) { 829 if (rc < 1) {
712 printk(KERN_ERR "%s: Internal error whilst attempting to " 830 printk(KERN_ERR "%s: Internal error whilst attempting to "
713 "convert encrypted filename memory to scatterlist; " 831 "convert encrypted filename memory to scatterlist; "
714 "expected rc = 1; got rc = [%d]. " 832 "rc = [%d]. block_aligned_filename_size = [%zd]\n",
715 "block_aligned_filename_size = [%zd]\n", __func__, rc, 833 __func__, rc, s->block_aligned_filename_size);
716 s->block_aligned_filename_size);
717 goto out_release_free_unlock; 834 goto out_release_free_unlock;
718 } 835 }
719 /* The characters in the first block effectively do the job 836 /* The characters in the first block effectively do the job
@@ -736,7 +853,7 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
736 mount_crypt_stat->global_default_fn_cipher_key_bytes); 853 mount_crypt_stat->global_default_fn_cipher_key_bytes);
737 goto out_release_free_unlock; 854 goto out_release_free_unlock;
738 } 855 }
739 rc = crypto_blkcipher_encrypt_iv(&s->desc, &s->dst_sg, &s->src_sg, 856 rc = crypto_blkcipher_encrypt_iv(&s->desc, s->dst_sg, s->src_sg,
740 s->block_aligned_filename_size); 857 s->block_aligned_filename_size);
741 if (rc) { 858 if (rc) {
742 printk(KERN_ERR "%s: Error attempting to encrypt filename; " 859 printk(KERN_ERR "%s: Error attempting to encrypt filename; "
@@ -753,6 +870,10 @@ out_free_unlock:
753out_unlock: 870out_unlock:
754 mutex_unlock(s->tfm_mutex); 871 mutex_unlock(s->tfm_mutex);
755out: 872out:
873 if (auth_tok_key) {
874 up_write(&(auth_tok_key->sem));
875 key_put(auth_tok_key);
876 }
756 kfree(s); 877 kfree(s);
757 return rc; 878 return rc;
758} 879}
@@ -768,8 +889,8 @@ struct ecryptfs_parse_tag_70_packet_silly_stack {
768 struct mutex *tfm_mutex; 889 struct mutex *tfm_mutex;
769 char *decrypted_filename; 890 char *decrypted_filename;
770 struct ecryptfs_auth_tok *auth_tok; 891 struct ecryptfs_auth_tok *auth_tok;
771 struct scatterlist src_sg; 892 struct scatterlist src_sg[2];
772 struct scatterlist dst_sg; 893 struct scatterlist dst_sg[2];
773 struct blkcipher_desc desc; 894 struct blkcipher_desc desc;
774 char fnek_sig_hex[ECRYPTFS_SIG_SIZE_HEX + 1]; 895 char fnek_sig_hex[ECRYPTFS_SIG_SIZE_HEX + 1];
775 char iv[ECRYPTFS_MAX_IV_BYTES]; 896 char iv[ECRYPTFS_MAX_IV_BYTES];
@@ -798,6 +919,7 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
798 char *data, size_t max_packet_size) 919 char *data, size_t max_packet_size)
799{ 920{
800 struct ecryptfs_parse_tag_70_packet_silly_stack *s; 921 struct ecryptfs_parse_tag_70_packet_silly_stack *s;
922 struct key *auth_tok_key = NULL;
801 int rc = 0; 923 int rc = 0;
802 924
803 (*packet_size) = 0; 925 (*packet_size) = 0;
@@ -864,6 +986,15 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
864 __func__, s->cipher_code); 986 __func__, s->cipher_code);
865 goto out; 987 goto out;
866 } 988 }
989 rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key,
990 &s->auth_tok, mount_crypt_stat,
991 s->fnek_sig_hex);
992 if (rc) {
993 printk(KERN_ERR "%s: Error attempting to find auth tok for "
994 "fnek sig [%s]; rc = [%d]\n", __func__, s->fnek_sig_hex,
995 rc);
996 goto out;
997 }
867 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&s->desc.tfm, 998 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&s->desc.tfm,
868 &s->tfm_mutex, 999 &s->tfm_mutex,
869 s->cipher_string); 1000 s->cipher_string);
@@ -875,13 +1006,12 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
875 } 1006 }
876 mutex_lock(s->tfm_mutex); 1007 mutex_lock(s->tfm_mutex);
877 rc = virt_to_scatterlist(&data[(*packet_size)], 1008 rc = virt_to_scatterlist(&data[(*packet_size)],
878 s->block_aligned_filename_size, &s->src_sg, 1); 1009 s->block_aligned_filename_size, s->src_sg, 2);
879 if (rc != 1) { 1010 if (rc < 1) {
880 printk(KERN_ERR "%s: Internal error whilst attempting to " 1011 printk(KERN_ERR "%s: Internal error whilst attempting to "
881 "convert encrypted filename memory to scatterlist; " 1012 "convert encrypted filename memory to scatterlist; "
882 "expected rc = 1; got rc = [%d]. " 1013 "rc = [%d]. block_aligned_filename_size = [%zd]\n",
883 "block_aligned_filename_size = [%zd]\n", __func__, rc, 1014 __func__, rc, s->block_aligned_filename_size);
884 s->block_aligned_filename_size);
885 goto out_unlock; 1015 goto out_unlock;
886 } 1016 }
887 (*packet_size) += s->block_aligned_filename_size; 1017 (*packet_size) += s->block_aligned_filename_size;
@@ -895,13 +1025,12 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
895 goto out_unlock; 1025 goto out_unlock;
896 } 1026 }
897 rc = virt_to_scatterlist(s->decrypted_filename, 1027 rc = virt_to_scatterlist(s->decrypted_filename,
898 s->block_aligned_filename_size, &s->dst_sg, 1); 1028 s->block_aligned_filename_size, s->dst_sg, 2);
899 if (rc != 1) { 1029 if (rc < 1) {
900 printk(KERN_ERR "%s: Internal error whilst attempting to " 1030 printk(KERN_ERR "%s: Internal error whilst attempting to "
901 "convert decrypted filename memory to scatterlist; " 1031 "convert decrypted filename memory to scatterlist; "
902 "expected rc = 1; got rc = [%d]. " 1032 "rc = [%d]. block_aligned_filename_size = [%zd]\n",
903 "block_aligned_filename_size = [%zd]\n", __func__, rc, 1033 __func__, rc, s->block_aligned_filename_size);
904 s->block_aligned_filename_size);
905 goto out_free_unlock; 1034 goto out_free_unlock;
906 } 1035 }
907 /* The characters in the first block effectively do the job of 1036 /* The characters in the first block effectively do the job of
@@ -910,14 +1039,6 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
910 * >= ECRYPTFS_MAX_IV_BYTES. */ 1039 * >= ECRYPTFS_MAX_IV_BYTES. */
911 memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); 1040 memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES);
912 s->desc.info = s->iv; 1041 s->desc.info = s->iv;
913 rc = ecryptfs_find_auth_tok_for_sig(&s->auth_tok, mount_crypt_stat,
914 s->fnek_sig_hex);
915 if (rc) {
916 printk(KERN_ERR "%s: Error attempting to find auth tok for "
917 "fnek sig [%s]; rc = [%d]\n", __func__, s->fnek_sig_hex,
918 rc);
919 goto out_free_unlock;
920 }
921 /* TODO: Support other key modules than passphrase for 1042 /* TODO: Support other key modules than passphrase for
922 * filename encryption */ 1043 * filename encryption */
923 if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) { 1044 if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) {
@@ -940,7 +1061,7 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
940 mount_crypt_stat->global_default_fn_cipher_key_bytes); 1061 mount_crypt_stat->global_default_fn_cipher_key_bytes);
941 goto out_free_unlock; 1062 goto out_free_unlock;
942 } 1063 }
943 rc = crypto_blkcipher_decrypt_iv(&s->desc, &s->dst_sg, &s->src_sg, 1064 rc = crypto_blkcipher_decrypt_iv(&s->desc, s->dst_sg, s->src_sg,
944 s->block_aligned_filename_size); 1065 s->block_aligned_filename_size);
945 if (rc) { 1066 if (rc) {
946 printk(KERN_ERR "%s: Error attempting to decrypt filename; " 1067 printk(KERN_ERR "%s: Error attempting to decrypt filename; "
@@ -986,6 +1107,10 @@ out:
986 (*filename_size) = 0; 1107 (*filename_size) = 0;
987 (*filename) = NULL; 1108 (*filename) = NULL;
988 } 1109 }
1110 if (auth_tok_key) {
1111 up_write(&(auth_tok_key->sem));
1112 key_put(auth_tok_key);
1113 }
989 kfree(s); 1114 kfree(s);
990 return rc; 1115 return rc;
991} 1116}
@@ -1502,38 +1627,6 @@ out:
1502 return rc; 1627 return rc;
1503} 1628}
1504 1629
1505/**
1506 * ecryptfs_verify_version
1507 * @version: The version number to confirm
1508 *
1509 * Returns zero on good version; non-zero otherwise
1510 */
1511static int ecryptfs_verify_version(u16 version)
1512{
1513 int rc = 0;
1514 unsigned char major;
1515 unsigned char minor;
1516
1517 major = ((version >> 8) & 0xFF);
1518 minor = (version & 0xFF);
1519 if (major != ECRYPTFS_VERSION_MAJOR) {
1520 ecryptfs_printk(KERN_ERR, "Major version number mismatch. "
1521 "Expected [%d]; got [%d]\n",
1522 ECRYPTFS_VERSION_MAJOR, major);
1523 rc = -EINVAL;
1524 goto out;
1525 }
1526 if (minor != ECRYPTFS_VERSION_MINOR) {
1527 ecryptfs_printk(KERN_ERR, "Minor version number mismatch. "
1528 "Expected [%d]; got [%d]\n",
1529 ECRYPTFS_VERSION_MINOR, minor);
1530 rc = -EINVAL;
1531 goto out;
1532 }
1533out:
1534 return rc;
1535}
1536
1537int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key, 1630int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
1538 struct ecryptfs_auth_tok **auth_tok, 1631 struct ecryptfs_auth_tok **auth_tok,
1539 char *sig) 1632 char *sig)
@@ -1545,25 +1638,15 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
1545 printk(KERN_ERR "Could not find key with description: [%s]\n", 1638 printk(KERN_ERR "Could not find key with description: [%s]\n",
1546 sig); 1639 sig);
1547 rc = process_request_key_err(PTR_ERR(*auth_tok_key)); 1640 rc = process_request_key_err(PTR_ERR(*auth_tok_key));
1641 (*auth_tok_key) = NULL;
1548 goto out; 1642 goto out;
1549 } 1643 }
1550 (*auth_tok) = ecryptfs_get_key_payload_data(*auth_tok_key); 1644 down_write(&(*auth_tok_key)->sem);
1551 if (ecryptfs_verify_version((*auth_tok)->version)) { 1645 rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok);
1552 printk(KERN_ERR 1646 if (rc) {
1553 "Data structure version mismatch. " 1647 up_write(&(*auth_tok_key)->sem);
1554 "Userspace tools must match eCryptfs " 1648 key_put(*auth_tok_key);
1555 "kernel module with major version [%d] " 1649 (*auth_tok_key) = NULL;
1556 "and minor version [%d]\n",
1557 ECRYPTFS_VERSION_MAJOR,
1558 ECRYPTFS_VERSION_MINOR);
1559 rc = -EINVAL;
1560 goto out;
1561 }
1562 if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD
1563 && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) {
1564 printk(KERN_ERR "Invalid auth_tok structure "
1565 "returned from key query\n");
1566 rc = -EINVAL;
1567 goto out; 1650 goto out;
1568 } 1651 }
1569out: 1652out:
@@ -1649,7 +1732,7 @@ decrypt_passphrase_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok,
1649 auth_tok->session_key.decrypted_key_size); 1732 auth_tok->session_key.decrypted_key_size);
1650 crypt_stat->flags |= ECRYPTFS_KEY_VALID; 1733 crypt_stat->flags |= ECRYPTFS_KEY_VALID;
1651 if (unlikely(ecryptfs_verbosity > 0)) { 1734 if (unlikely(ecryptfs_verbosity > 0)) {
1652 ecryptfs_printk(KERN_DEBUG, "FEK of size [%d]:\n", 1735 ecryptfs_printk(KERN_DEBUG, "FEK of size [%zd]:\n",
1653 crypt_stat->key_size); 1736 crypt_stat->key_size);
1654 ecryptfs_dump_hex(crypt_stat->key, 1737 ecryptfs_dump_hex(crypt_stat->key,
1655 crypt_stat->key_size); 1738 crypt_stat->key_size);
@@ -1688,6 +1771,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
1688 struct ecryptfs_auth_tok_list_item *auth_tok_list_item; 1771 struct ecryptfs_auth_tok_list_item *auth_tok_list_item;
1689 size_t tag_11_contents_size; 1772 size_t tag_11_contents_size;
1690 size_t tag_11_packet_size; 1773 size_t tag_11_packet_size;
1774 struct key *auth_tok_key = NULL;
1691 int rc = 0; 1775 int rc = 0;
1692 1776
1693 INIT_LIST_HEAD(&auth_tok_list); 1777 INIT_LIST_HEAD(&auth_tok_list);
@@ -1730,7 +1814,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
1730 if (ECRYPTFS_SIG_SIZE != tag_11_contents_size) { 1814 if (ECRYPTFS_SIG_SIZE != tag_11_contents_size) {
1731 ecryptfs_printk(KERN_ERR, "Expected " 1815 ecryptfs_printk(KERN_ERR, "Expected "
1732 "signature of size [%d]; " 1816 "signature of size [%d]; "
1733 "read size [%d]\n", 1817 "read size [%zd]\n",
1734 ECRYPTFS_SIG_SIZE, 1818 ECRYPTFS_SIG_SIZE,
1735 tag_11_contents_size); 1819 tag_11_contents_size);
1736 rc = -EIO; 1820 rc = -EIO;
@@ -1763,8 +1847,8 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
1763 goto out_wipe_list; 1847 goto out_wipe_list;
1764 break; 1848 break;
1765 default: 1849 default:
1766 ecryptfs_printk(KERN_DEBUG, "No packet at offset " 1850 ecryptfs_printk(KERN_DEBUG, "No packet at offset [%zd] "
1767 "[%d] of the file header; hex value of " 1851 "of the file header; hex value of "
1768 "character is [0x%.2x]\n", i, src[i]); 1852 "character is [0x%.2x]\n", i, src[i]);
1769 next_packet_is_auth_tok_packet = 0; 1853 next_packet_is_auth_tok_packet = 0;
1770 } 1854 }
@@ -1784,6 +1868,11 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
1784 * just one will be sufficient to decrypt to get the FEK. */ 1868 * just one will be sufficient to decrypt to get the FEK. */
1785find_next_matching_auth_tok: 1869find_next_matching_auth_tok:
1786 found_auth_tok = 0; 1870 found_auth_tok = 0;
1871 if (auth_tok_key) {
1872 up_write(&(auth_tok_key->sem));
1873 key_put(auth_tok_key);
1874 auth_tok_key = NULL;
1875 }
1787 list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) { 1876 list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) {
1788 candidate_auth_tok = &auth_tok_list_item->auth_tok; 1877 candidate_auth_tok = &auth_tok_list_item->auth_tok;
1789 if (unlikely(ecryptfs_verbosity > 0)) { 1878 if (unlikely(ecryptfs_verbosity > 0)) {
@@ -1800,10 +1889,11 @@ find_next_matching_auth_tok:
1800 rc = -EINVAL; 1889 rc = -EINVAL;
1801 goto out_wipe_list; 1890 goto out_wipe_list;
1802 } 1891 }
1803 ecryptfs_find_auth_tok_for_sig(&matching_auth_tok, 1892 rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key,
1893 &matching_auth_tok,
1804 crypt_stat->mount_crypt_stat, 1894 crypt_stat->mount_crypt_stat,
1805 candidate_auth_tok_sig); 1895 candidate_auth_tok_sig);
1806 if (matching_auth_tok) { 1896 if (!rc) {
1807 found_auth_tok = 1; 1897 found_auth_tok = 1;
1808 goto found_matching_auth_tok; 1898 goto found_matching_auth_tok;
1809 } 1899 }
@@ -1835,8 +1925,8 @@ found_matching_auth_tok:
1835 "session key for authentication token with sig " 1925 "session key for authentication token with sig "
1836 "[%.*s]; rc = [%d]. Removing auth tok " 1926 "[%.*s]; rc = [%d]. Removing auth tok "
1837 "candidate from the list and searching for " 1927 "candidate from the list and searching for "
1838 "the next match.\n", candidate_auth_tok_sig, 1928 "the next match.\n", ECRYPTFS_SIG_SIZE_HEX,
1839 ECRYPTFS_SIG_SIZE_HEX, rc); 1929 candidate_auth_tok_sig, rc);
1840 list_for_each_entry_safe(auth_tok_list_item, 1930 list_for_each_entry_safe(auth_tok_list_item,
1841 auth_tok_list_item_tmp, 1931 auth_tok_list_item_tmp,
1842 &auth_tok_list, list) { 1932 &auth_tok_list, list) {
@@ -1866,6 +1956,10 @@ found_matching_auth_tok:
1866out_wipe_list: 1956out_wipe_list:
1867 wipe_auth_tok_list(&auth_tok_list); 1957 wipe_auth_tok_list(&auth_tok_list);
1868out: 1958out:
1959 if (auth_tok_key) {
1960 up_write(&(auth_tok_key->sem));
1961 key_put(auth_tok_key);
1962 }
1869 return rc; 1963 return rc;
1870} 1964}
1871 1965
@@ -2137,7 +2231,7 @@ write_tag_3_packet(char *dest, size_t *remaining_bytes,
2137 if (encrypted_session_key_valid) { 2231 if (encrypted_session_key_valid) {
2138 ecryptfs_printk(KERN_DEBUG, "encrypted_session_key_valid != 0; " 2232 ecryptfs_printk(KERN_DEBUG, "encrypted_session_key_valid != 0; "
2139 "using auth_tok->session_key.encrypted_key, " 2233 "using auth_tok->session_key.encrypted_key, "
2140 "where key_rec->enc_key_size = [%d]\n", 2234 "where key_rec->enc_key_size = [%zd]\n",
2141 key_rec->enc_key_size); 2235 key_rec->enc_key_size);
2142 memcpy(key_rec->enc_key, 2236 memcpy(key_rec->enc_key,
2143 auth_tok->session_key.encrypted_key, 2237 auth_tok->session_key.encrypted_key,
@@ -2167,7 +2261,7 @@ write_tag_3_packet(char *dest, size_t *remaining_bytes,
2167 if (rc < 1 || rc > 2) { 2261 if (rc < 1 || rc > 2) {
2168 ecryptfs_printk(KERN_ERR, "Error generating scatterlist " 2262 ecryptfs_printk(KERN_ERR, "Error generating scatterlist "
2169 "for crypt_stat session key; expected rc = 1; " 2263 "for crypt_stat session key; expected rc = 1; "
2170 "got rc = [%d]. key_rec->enc_key_size = [%d]\n", 2264 "got rc = [%d]. key_rec->enc_key_size = [%zd]\n",
2171 rc, key_rec->enc_key_size); 2265 rc, key_rec->enc_key_size);
2172 rc = -ENOMEM; 2266 rc = -ENOMEM;
2173 goto out; 2267 goto out;
@@ -2178,7 +2272,7 @@ write_tag_3_packet(char *dest, size_t *remaining_bytes,
2178 ecryptfs_printk(KERN_ERR, "Error generating scatterlist " 2272 ecryptfs_printk(KERN_ERR, "Error generating scatterlist "
2179 "for crypt_stat encrypted session key; " 2273 "for crypt_stat encrypted session key; "
2180 "expected rc = 1; got rc = [%d]. " 2274 "expected rc = 1; got rc = [%d]. "
2181 "key_rec->enc_key_size = [%d]\n", rc, 2275 "key_rec->enc_key_size = [%zd]\n", rc,
2182 key_rec->enc_key_size); 2276 key_rec->enc_key_size);
2183 rc = -ENOMEM; 2277 rc = -ENOMEM;
2184 goto out; 2278 goto out;
@@ -2193,7 +2287,7 @@ write_tag_3_packet(char *dest, size_t *remaining_bytes,
2193 goto out; 2287 goto out;
2194 } 2288 }
2195 rc = 0; 2289 rc = 0;
2196 ecryptfs_printk(KERN_DEBUG, "Encrypting [%d] bytes of the key\n", 2290 ecryptfs_printk(KERN_DEBUG, "Encrypting [%zd] bytes of the key\n",
2197 crypt_stat->key_size); 2291 crypt_stat->key_size);
2198 rc = crypto_blkcipher_encrypt(&desc, dst_sg, src_sg, 2292 rc = crypto_blkcipher_encrypt(&desc, dst_sg, src_sg,
2199 (*key_rec).enc_key_size); 2293 (*key_rec).enc_key_size);
@@ -2204,7 +2298,7 @@ write_tag_3_packet(char *dest, size_t *remaining_bytes,
2204 } 2298 }
2205 ecryptfs_printk(KERN_DEBUG, "This should be the encrypted key:\n"); 2299 ecryptfs_printk(KERN_DEBUG, "This should be the encrypted key:\n");
2206 if (ecryptfs_verbosity > 0) { 2300 if (ecryptfs_verbosity > 0) {
2207 ecryptfs_printk(KERN_DEBUG, "EFEK of size [%d]:\n", 2301 ecryptfs_printk(KERN_DEBUG, "EFEK of size [%zd]:\n",
2208 key_rec->enc_key_size); 2302 key_rec->enc_key_size);
2209 ecryptfs_dump_hex(key_rec->enc_key, 2303 ecryptfs_dump_hex(key_rec->enc_key,
2210 key_rec->enc_key_size); 2304 key_rec->enc_key_size);
@@ -2293,7 +2387,7 @@ ecryptfs_generate_key_packet_set(char *dest_base,
2293 size_t max) 2387 size_t max)
2294{ 2388{
2295 struct ecryptfs_auth_tok *auth_tok; 2389 struct ecryptfs_auth_tok *auth_tok;
2296 struct ecryptfs_global_auth_tok *global_auth_tok; 2390 struct key *auth_tok_key = NULL;
2297 struct ecryptfs_mount_crypt_stat *mount_crypt_stat = 2391 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
2298 &ecryptfs_superblock_to_private( 2392 &ecryptfs_superblock_to_private(
2299 ecryptfs_dentry->d_sb)->mount_crypt_stat; 2393 ecryptfs_dentry->d_sb)->mount_crypt_stat;
@@ -2312,21 +2406,16 @@ ecryptfs_generate_key_packet_set(char *dest_base,
2312 list_for_each_entry(key_sig, &crypt_stat->keysig_list, 2406 list_for_each_entry(key_sig, &crypt_stat->keysig_list,
2313 crypt_stat_list) { 2407 crypt_stat_list) {
2314 memset(key_rec, 0, sizeof(*key_rec)); 2408 memset(key_rec, 0, sizeof(*key_rec));
2315 rc = ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok, 2409 rc = ecryptfs_find_global_auth_tok_for_sig(&auth_tok_key,
2410 &auth_tok,
2316 mount_crypt_stat, 2411 mount_crypt_stat,
2317 key_sig->keysig); 2412 key_sig->keysig);
2318 if (rc) { 2413 if (rc) {
2319 printk(KERN_ERR "Error attempting to get the global " 2414 printk(KERN_WARNING "Unable to retrieve auth tok with "
2320 "auth_tok; rc = [%d]\n", rc); 2415 "sig = [%s]\n", key_sig->keysig);
2416 rc = process_find_global_auth_tok_for_sig_err(rc);
2321 goto out_free; 2417 goto out_free;
2322 } 2418 }
2323 if (global_auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID) {
2324 printk(KERN_WARNING
2325 "Skipping invalid auth tok with sig = [%s]\n",
2326 global_auth_tok->sig);
2327 continue;
2328 }
2329 auth_tok = global_auth_tok->global_auth_tok;
2330 if (auth_tok->token_type == ECRYPTFS_PASSWORD) { 2419 if (auth_tok->token_type == ECRYPTFS_PASSWORD) {
2331 rc = write_tag_3_packet((dest_base + (*len)), 2420 rc = write_tag_3_packet((dest_base + (*len)),
2332 &max, auth_tok, 2421 &max, auth_tok,
@@ -2364,6 +2453,9 @@ ecryptfs_generate_key_packet_set(char *dest_base,
2364 rc = -EINVAL; 2453 rc = -EINVAL;
2365 goto out_free; 2454 goto out_free;
2366 } 2455 }
2456 up_write(&(auth_tok_key->sem));
2457 key_put(auth_tok_key);
2458 auth_tok_key = NULL;
2367 } 2459 }
2368 if (likely(max > 0)) { 2460 if (likely(max > 0)) {
2369 dest_base[(*len)] = 0x00; 2461 dest_base[(*len)] = 0x00;
@@ -2376,6 +2468,11 @@ out_free:
2376out: 2468out:
2377 if (rc) 2469 if (rc)
2378 (*len) = 0; 2470 (*len) = 0;
2471 if (auth_tok_key) {
2472 up_write(&(auth_tok_key->sem));
2473 key_put(auth_tok_key);
2474 }
2475
2379 mutex_unlock(&crypt_stat->keysig_list_mutex); 2476 mutex_unlock(&crypt_stat->keysig_list_mutex);
2380 return rc; 2477 return rc;
2381} 2478}
@@ -2393,6 +2490,7 @@ int ecryptfs_add_keysig(struct ecryptfs_crypt_stat *crypt_stat, char *sig)
2393 return -ENOMEM; 2490 return -ENOMEM;
2394 } 2491 }
2395 memcpy(new_key_sig->keysig, sig, ECRYPTFS_SIG_SIZE_HEX); 2492 memcpy(new_key_sig->keysig, sig, ECRYPTFS_SIG_SIZE_HEX);
2493 new_key_sig->keysig[ECRYPTFS_SIG_SIZE_HEX] = '\0';
2396 /* Caller must hold keysig_list_mutex */ 2494 /* Caller must hold keysig_list_mutex */
2397 list_add(&new_key_sig->crypt_stat_list, &crypt_stat->keysig_list); 2495 list_add(&new_key_sig->crypt_stat_list, &crypt_stat->keysig_list);
2398 2496
@@ -2422,7 +2520,6 @@ ecryptfs_add_global_auth_tok(struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
2422 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); 2520 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
2423 list_add(&new_auth_tok->mount_crypt_stat_list, 2521 list_add(&new_auth_tok->mount_crypt_stat_list,
2424 &mount_crypt_stat->global_auth_tok_list); 2522 &mount_crypt_stat->global_auth_tok_list);
2425 mount_crypt_stat->num_global_auth_toks++;
2426 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); 2523 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
2427out: 2524out:
2428 return rc; 2525 return rc;
generated by cgit v1.2.2 (git 2.25.0) at 2025-09-15 10:56:34 -0400