diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2010-10-29 17:15:12 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-10-29 17:15:12 -0400 |
| commit | 12462f2df4d10ea4f6d55b9d438ff788badec3f0 (patch) | |
| tree | 7ef2335c9df9b9cb45aa64c9dfcf8819bdcdf06f /fs/ecryptfs/keystore.c | |
| parent | d2df40857fd57f02906e6ac1484d10cb7accbc86 (diff) | |
| parent | 8747f954817212b4623f9067d4909cbde04b4d89 (diff) | |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ecryptfs/ecryptfs-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ecryptfs/ecryptfs-2.6:
eCryptfs: Print mount_auth_tok_only param in ecryptfs_show_options
ecryptfs: added ecryptfs_mount_auth_tok_only mount parameter
ecryptfs: checking return code of ecryptfs_find_auth_tok_for_sig()
ecryptfs: release keys loaded in ecryptfs_keyring_auth_tok_for_sig()
eCryptfs: Clear LOOKUP_OPEN flag when creating lower file
ecryptfs: call vfs_setxattr() in ecryptfs_setxattr()
Diffstat (limited to 'fs/ecryptfs/keystore.c')
| -rw-r--r-- | fs/ecryptfs/keystore.c | 45 |
1 files changed, 38 insertions, 7 deletions
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c index 73811cfa2ea4..b1f6858a5223 100644 --- a/fs/ecryptfs/keystore.c +++ b/fs/ecryptfs/keystore.c | |||
| @@ -446,6 +446,7 @@ out: | |||
| 446 | */ | 446 | */ |
| 447 | static int | 447 | static int |
| 448 | ecryptfs_find_auth_tok_for_sig( | 448 | ecryptfs_find_auth_tok_for_sig( |
| 449 | struct key **auth_tok_key, | ||
| 449 | struct ecryptfs_auth_tok **auth_tok, | 450 | struct ecryptfs_auth_tok **auth_tok, |
| 450 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, | 451 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, |
| 451 | char *sig) | 452 | char *sig) |
| @@ -453,12 +454,21 @@ ecryptfs_find_auth_tok_for_sig( | |||
| 453 | struct ecryptfs_global_auth_tok *global_auth_tok; | 454 | struct ecryptfs_global_auth_tok *global_auth_tok; |
| 454 | int rc = 0; | 455 | int rc = 0; |
| 455 | 456 | ||
| 457 | (*auth_tok_key) = NULL; | ||
| 456 | (*auth_tok) = NULL; | 458 | (*auth_tok) = NULL; |
| 457 | if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok, | 459 | if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok, |
| 458 | mount_crypt_stat, sig)) { | 460 | mount_crypt_stat, sig)) { |
| 459 | struct key *auth_tok_key; | ||
| 460 | 461 | ||
| 461 | rc = ecryptfs_keyring_auth_tok_for_sig(&auth_tok_key, auth_tok, | 462 | /* if the flag ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY is set in the |
| 463 | * mount_crypt_stat structure, we prevent to use auth toks that | ||
| 464 | * are not inserted through the ecryptfs_add_global_auth_tok | ||
| 465 | * function. | ||
| 466 | */ | ||
| 467 | if (mount_crypt_stat->flags | ||
| 468 | & ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY) | ||
| 469 | return -EINVAL; | ||
| 470 | |||
| 471 | rc = ecryptfs_keyring_auth_tok_for_sig(auth_tok_key, auth_tok, | ||
| 462 | sig); | 472 | sig); |
| 463 | } else | 473 | } else |
| 464 | (*auth_tok) = global_auth_tok->global_auth_tok; | 474 | (*auth_tok) = global_auth_tok->global_auth_tok; |
| @@ -509,6 +519,7 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes, | |||
| 509 | char *filename, size_t filename_size) | 519 | char *filename, size_t filename_size) |
| 510 | { | 520 | { |
| 511 | struct ecryptfs_write_tag_70_packet_silly_stack *s; | 521 | struct ecryptfs_write_tag_70_packet_silly_stack *s; |
| 522 | struct key *auth_tok_key = NULL; | ||
| 512 | int rc = 0; | 523 | int rc = 0; |
| 513 | 524 | ||
| 514 | s = kmalloc(sizeof(*s), GFP_KERNEL); | 525 | s = kmalloc(sizeof(*s), GFP_KERNEL); |
| @@ -606,6 +617,7 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes, | |||
| 606 | } | 617 | } |
| 607 | dest[s->i++] = s->cipher_code; | 618 | dest[s->i++] = s->cipher_code; |
| 608 | rc = ecryptfs_find_auth_tok_for_sig( | 619 | rc = ecryptfs_find_auth_tok_for_sig( |
| 620 | &auth_tok_key, | ||
| 609 | &s->auth_tok, mount_crypt_stat, | 621 | &s->auth_tok, mount_crypt_stat, |
| 610 | mount_crypt_stat->global_default_fnek_sig); | 622 | mount_crypt_stat->global_default_fnek_sig); |
| 611 | if (rc) { | 623 | if (rc) { |
| @@ -753,6 +765,8 @@ out_free_unlock: | |||
| 753 | out_unlock: | 765 | out_unlock: |
| 754 | mutex_unlock(s->tfm_mutex); | 766 | mutex_unlock(s->tfm_mutex); |
| 755 | out: | 767 | out: |
| 768 | if (auth_tok_key) | ||
| 769 | key_put(auth_tok_key); | ||
| 756 | kfree(s); | 770 | kfree(s); |
| 757 | return rc; | 771 | return rc; |
| 758 | } | 772 | } |
| @@ -798,6 +812,7 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size, | |||
| 798 | char *data, size_t max_packet_size) | 812 | char *data, size_t max_packet_size) |
| 799 | { | 813 | { |
| 800 | struct ecryptfs_parse_tag_70_packet_silly_stack *s; | 814 | struct ecryptfs_parse_tag_70_packet_silly_stack *s; |
| 815 | struct key *auth_tok_key = NULL; | ||
| 801 | int rc = 0; | 816 | int rc = 0; |
| 802 | 817 | ||
| 803 | (*packet_size) = 0; | 818 | (*packet_size) = 0; |
| @@ -910,7 +925,8 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size, | |||
| 910 | * >= ECRYPTFS_MAX_IV_BYTES. */ | 925 | * >= ECRYPTFS_MAX_IV_BYTES. */ |
| 911 | memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); | 926 | memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); |
| 912 | s->desc.info = s->iv; | 927 | s->desc.info = s->iv; |
| 913 | rc = ecryptfs_find_auth_tok_for_sig(&s->auth_tok, mount_crypt_stat, | 928 | rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key, |
| 929 | &s->auth_tok, mount_crypt_stat, | ||
| 914 | s->fnek_sig_hex); | 930 | s->fnek_sig_hex); |
| 915 | if (rc) { | 931 | if (rc) { |
| 916 | printk(KERN_ERR "%s: Error attempting to find auth tok for " | 932 | printk(KERN_ERR "%s: Error attempting to find auth tok for " |
| @@ -986,6 +1002,8 @@ out: | |||
| 986 | (*filename_size) = 0; | 1002 | (*filename_size) = 0; |
| 987 | (*filename) = NULL; | 1003 | (*filename) = NULL; |
| 988 | } | 1004 | } |
| 1005 | if (auth_tok_key) | ||
| 1006 | key_put(auth_tok_key); | ||
| 989 | kfree(s); | 1007 | kfree(s); |
| 990 | return rc; | 1008 | return rc; |
| 991 | } | 1009 | } |
| @@ -1557,14 +1575,19 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key, | |||
| 1557 | ECRYPTFS_VERSION_MAJOR, | 1575 | ECRYPTFS_VERSION_MAJOR, |
| 1558 | ECRYPTFS_VERSION_MINOR); | 1576 | ECRYPTFS_VERSION_MINOR); |
| 1559 | rc = -EINVAL; | 1577 | rc = -EINVAL; |
| 1560 | goto out; | 1578 | goto out_release_key; |
| 1561 | } | 1579 | } |
| 1562 | if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD | 1580 | if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD |
| 1563 | && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) { | 1581 | && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) { |
| 1564 | printk(KERN_ERR "Invalid auth_tok structure " | 1582 | printk(KERN_ERR "Invalid auth_tok structure " |
| 1565 | "returned from key query\n"); | 1583 | "returned from key query\n"); |
| 1566 | rc = -EINVAL; | 1584 | rc = -EINVAL; |
| 1567 | goto out; | 1585 | goto out_release_key; |
| 1586 | } | ||
| 1587 | out_release_key: | ||
| 1588 | if (rc) { | ||
| 1589 | key_put(*auth_tok_key); | ||
| 1590 | (*auth_tok_key) = NULL; | ||
| 1568 | } | 1591 | } |
| 1569 | out: | 1592 | out: |
| 1570 | return rc; | 1593 | return rc; |
| @@ -1688,6 +1711,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat, | |||
| 1688 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item; | 1711 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item; |
| 1689 | size_t tag_11_contents_size; | 1712 | size_t tag_11_contents_size; |
| 1690 | size_t tag_11_packet_size; | 1713 | size_t tag_11_packet_size; |
| 1714 | struct key *auth_tok_key = NULL; | ||
| 1691 | int rc = 0; | 1715 | int rc = 0; |
| 1692 | 1716 | ||
| 1693 | INIT_LIST_HEAD(&auth_tok_list); | 1717 | INIT_LIST_HEAD(&auth_tok_list); |
| @@ -1784,6 +1808,10 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat, | |||
| 1784 | * just one will be sufficient to decrypt to get the FEK. */ | 1808 | * just one will be sufficient to decrypt to get the FEK. */ |
| 1785 | find_next_matching_auth_tok: | 1809 | find_next_matching_auth_tok: |
| 1786 | found_auth_tok = 0; | 1810 | found_auth_tok = 0; |
| 1811 | if (auth_tok_key) { | ||
| 1812 | key_put(auth_tok_key); | ||
| 1813 | auth_tok_key = NULL; | ||
| 1814 | } | ||
| 1787 | list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) { | 1815 | list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) { |
| 1788 | candidate_auth_tok = &auth_tok_list_item->auth_tok; | 1816 | candidate_auth_tok = &auth_tok_list_item->auth_tok; |
| 1789 | if (unlikely(ecryptfs_verbosity > 0)) { | 1817 | if (unlikely(ecryptfs_verbosity > 0)) { |
| @@ -1800,10 +1828,11 @@ find_next_matching_auth_tok: | |||
| 1800 | rc = -EINVAL; | 1828 | rc = -EINVAL; |
| 1801 | goto out_wipe_list; | 1829 | goto out_wipe_list; |
| 1802 | } | 1830 | } |
| 1803 | ecryptfs_find_auth_tok_for_sig(&matching_auth_tok, | 1831 | rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key, |
| 1832 | &matching_auth_tok, | ||
| 1804 | crypt_stat->mount_crypt_stat, | 1833 | crypt_stat->mount_crypt_stat, |
| 1805 | candidate_auth_tok_sig); | 1834 | candidate_auth_tok_sig); |
| 1806 | if (matching_auth_tok) { | 1835 | if (!rc) { |
| 1807 | found_auth_tok = 1; | 1836 | found_auth_tok = 1; |
| 1808 | goto found_matching_auth_tok; | 1837 | goto found_matching_auth_tok; |
| 1809 | } | 1838 | } |
| @@ -1866,6 +1895,8 @@ found_matching_auth_tok: | |||
| 1866 | out_wipe_list: | 1895 | out_wipe_list: |
| 1867 | wipe_auth_tok_list(&auth_tok_list); | 1896 | wipe_auth_tok_list(&auth_tok_list); |
| 1868 | out: | 1897 | out: |
| 1898 | if (auth_tok_key) | ||
| 1899 | key_put(auth_tok_key); | ||
| 1869 | return rc; | 1900 | return rc; |
| 1870 | } | 1901 | } |
| 1871 | 1902 | ||