eCryptfs: write lock requested keys

A requested key is write locked in order to prevent modifications on the authentication token while it is being used. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
author: Roberto Sassu <roberto.sassu@polito.it> 2011-03-21 11:00:55 -0400
committer: Tyler Hicks <tyhicks@linux.vnet.ibm.com> 2011-03-28 02:49:43 -0400
commit: b5695d04634fa4ccca7dcbc05bb4a66522f02e0b (patch)
tree: 568155380ea1b1fa3b9e68f68dd74cdd9d651229 /fs/ecryptfs
parent: 950983fc04e02232e0d25717903461578a755ebb (diff)
2 files changed, 23 insertions, 7 deletions
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
index d95dd505433e..03e609c45012 100644
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -516,10 +516,11 @@ ecryptfs_find_global_auth_tok_for_sig(
                        goto out_invalid_auth_tok;
                }
+                down_write(&(walker->global_auth_tok_key->sem));
                rc = ecryptfs_verify_auth_tok_from_key(
                                walker->global_auth_tok_key, auth_tok);
                if (rc)
-                        goto out_invalid_auth_tok;
+                        goto out_invalid_auth_tok_unlock;
                (*auth_tok_key) = walker->global_auth_tok_key;
                key_get(*auth_tok_key);
@@ -527,6 +528,8 @@ ecryptfs_find_global_auth_tok_for_sig(
        }
        rc = -ENOENT;
        goto out;
+out_invalid_auth_tok_unlock:
+        up_write(&(walker->global_auth_tok_key->sem));
 out_invalid_auth_tok:
        printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig);
        walker->flags |= ECRYPTFS_AUTH_TOK_INVALID;
@@ -869,8 +872,10 @@ out_free_unlock:
 out_unlock:
        mutex_unlock(s->tfm_mutex);
 out:
-        if (auth_tok_key)
+        if (auth_tok_key) {
+                up_write(&(auth_tok_key->sem));
                key_put(auth_tok_key);
+        }
        kfree(s);
        return rc;
 }
@@ -1106,8 +1111,10 @@ out:
                (*filename_size) = 0;
                (*filename) = NULL;
        }
-        if (auth_tok_key)
+        if (auth_tok_key) {
+                up_write(&(auth_tok_key->sem));
                key_put(auth_tok_key);
+        }
        kfree(s);
        return rc;
 }
@@ -1638,9 +1645,10 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
                (*auth_tok_key) = NULL;
                goto out;
        }
+        down_write(&(*auth_tok_key)->sem);
        rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok);
        if (rc) {
+                up_write(&(*auth_tok_key)->sem);
                key_put(*auth_tok_key);
                (*auth_tok_key) = NULL;
                goto out;
@@ -1865,6 +1873,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
 find_next_matching_auth_tok:
        found_auth_tok = 0;
        if (auth_tok_key) {
+                up_write(&(auth_tok_key->sem));
                key_put(auth_tok_key);
                auth_tok_key = NULL;
        }
@@ -1951,8 +1960,10 @@ found_matching_auth_tok:
 out_wipe_list:
        wipe_auth_tok_list(&auth_tok_list);
 out:
-        if (auth_tok_key)
+        if (auth_tok_key) {
+                up_write(&(auth_tok_key->sem));
                key_put(auth_tok_key);
+        }
        return rc;
 }
@@ -2446,6 +2457,7 @@ ecryptfs_generate_key_packet_set(char *dest_base,
                        rc = -EINVAL;
                        goto out_free;
                }
+                up_write(&(auth_tok_key->sem));
                key_put(auth_tok_key);
                auth_tok_key = NULL;
        }
@@ -2460,8 +2472,10 @@ out_free:
 out:
        if (rc)
                (*len) = 0;
-        if (auth_tok_key)
+        if (auth_tok_key) {
+                up_write(&(auth_tok_key->sem));
                key_put(auth_tok_key);
+        }
        mutex_unlock(&crypt_stat->keysig_list_mutex);
        return rc;
diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
index 520d05f5ad01..c27c0ecf90bc 100644
--- a/fs/ecryptfs/main.c
+++ b/fs/ecryptfs/main.c
@@ -254,8 +254,10 @@ static int ecryptfs_init_global_auth_toks(
                               "option: [%s]\n", global_auth_tok->sig);
                        global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID;
                        goto out;
-                } else
+                } else {
                        global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID;
+                        up_write(&(global_auth_tok->global_auth_tok_key)->sem);
+                }
        }
 out:
        return rc;
author	Roberto Sassu <roberto.sassu@polito.it>	2011-03-21 11:00:55 -0400
committer	Tyler Hicks <tyhicks@linux.vnet.ibm.com>	2011-03-28 02:49:43 -0400
commit	b5695d04634fa4ccca7dcbc05bb4a66522f02e0b (patch)
tree	568155380ea1b1fa3b9e68f68dd74cdd9d651229 /fs/ecryptfs
parent	950983fc04e02232e0d25717903461578a755ebb (diff)

diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c index d95dd505433e..03e609c45012 100644 --- a/fs/ecryptfs/keystore.c +++ b/fs/ecryptfs/keystore.c
@@ -516,10 +516,11 @@ ecryptfs_find_global_auth_tok_for_sig(
516	goto out_invalid_auth_tok;	516	goto out_invalid_auth_tok;
517	}	517	}
518		518
		519	down_write(&(walker->global_auth_tok_key->sem));
519	rc = ecryptfs_verify_auth_tok_from_key(	520	rc = ecryptfs_verify_auth_tok_from_key(
520	walker->global_auth_tok_key, auth_tok);	521	walker->global_auth_tok_key, auth_tok);
521	if (rc)	522	if (rc)
522	goto out_invalid_auth_tok;	523	goto out_invalid_auth_tok_unlock;
523		524
524	(*auth_tok_key) = walker->global_auth_tok_key;	525	(*auth_tok_key) = walker->global_auth_tok_key;
525	key_get(*auth_tok_key);	526	key_get(*auth_tok_key);
@@ -527,6 +528,8 @@ ecryptfs_find_global_auth_tok_for_sig(
527	}	528	}
528	rc = -ENOENT;	529	rc = -ENOENT;
529	goto out;	530	goto out;
		531	out_invalid_auth_tok_unlock:
		532	up_write(&(walker->global_auth_tok_key->sem));
530	out_invalid_auth_tok:	533	out_invalid_auth_tok:
531	printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig);	534	printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig);
532	walker->flags \|= ECRYPTFS_AUTH_TOK_INVALID;	535	walker->flags \|= ECRYPTFS_AUTH_TOK_INVALID;
@@ -869,8 +872,10 @@ out_free_unlock:
869	out_unlock:	872	out_unlock:
870	mutex_unlock(s->tfm_mutex);	873	mutex_unlock(s->tfm_mutex);
871	out:	874	out:
872	if (auth_tok_key)	875	if (auth_tok_key) {
		876	up_write(&(auth_tok_key->sem));
873	key_put(auth_tok_key);	877	key_put(auth_tok_key);
		878	}
874	kfree(s);	879	kfree(s);
875	return rc;	880	return rc;
876	}	881	}
@@ -1106,8 +1111,10 @@ out:
1106	(*filename_size) = 0;	1111	(*filename_size) = 0;
1107	(*filename) = NULL;	1112	(*filename) = NULL;
1108	}	1113	}
1109	if (auth_tok_key)	1114	if (auth_tok_key) {
		1115	up_write(&(auth_tok_key->sem));
1110	key_put(auth_tok_key);	1116	key_put(auth_tok_key);
		1117	}
1111	kfree(s);	1118	kfree(s);
1112	return rc;	1119	return rc;
1113	}	1120	}
@@ -1638,9 +1645,10 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
1638	(*auth_tok_key) = NULL;	1645	(*auth_tok_key) = NULL;
1639	goto out;	1646	goto out;
1640	}	1647	}
1641		1648	down_write(&(*auth_tok_key)->sem);
1642	rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok);	1649	rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok);
1643	if (rc) {	1650	if (rc) {
		1651	up_write(&(*auth_tok_key)->sem);
1644	key_put(*auth_tok_key);	1652	key_put(*auth_tok_key);
1645	(*auth_tok_key) = NULL;	1653	(*auth_tok_key) = NULL;
1646	goto out;	1654	goto out;
@@ -1865,6 +1873,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
1865	find_next_matching_auth_tok:	1873	find_next_matching_auth_tok:
1866	found_auth_tok = 0;	1874	found_auth_tok = 0;
1867	if (auth_tok_key) {	1875	if (auth_tok_key) {
		1876	up_write(&(auth_tok_key->sem));
1868	key_put(auth_tok_key);	1877	key_put(auth_tok_key);
1869	auth_tok_key = NULL;	1878	auth_tok_key = NULL;
1870	}	1879	}
@@ -1951,8 +1960,10 @@ found_matching_auth_tok:
1951	out_wipe_list:	1960	out_wipe_list:
1952	wipe_auth_tok_list(&auth_tok_list);	1961	wipe_auth_tok_list(&auth_tok_list);
1953	out:	1962	out:
1954	if (auth_tok_key)	1963	if (auth_tok_key) {
		1964	up_write(&(auth_tok_key->sem));
1955	key_put(auth_tok_key);	1965	key_put(auth_tok_key);
		1966	}
1956	return rc;	1967	return rc;
1957	}	1968	}
1958		1969
@@ -2446,6 +2457,7 @@ ecryptfs_generate_key_packet_set(char *dest_base,
2446	rc = -EINVAL;	2457	rc = -EINVAL;
2447	goto out_free;	2458	goto out_free;
2448	}	2459	}
		2460	up_write(&(auth_tok_key->sem));
2449	key_put(auth_tok_key);	2461	key_put(auth_tok_key);
2450	auth_tok_key = NULL;	2462	auth_tok_key = NULL;
2451	}	2463	}
@@ -2460,8 +2472,10 @@ out_free:
2460	out:	2472	out:
2461	if (rc)	2473	if (rc)
2462	(*len) = 0;	2474	(*len) = 0;
2463	if (auth_tok_key)	2475	if (auth_tok_key) {
		2476	up_write(&(auth_tok_key->sem));
2464	key_put(auth_tok_key);	2477	key_put(auth_tok_key);
		2478	}
2465		2479
2466	mutex_unlock(&crypt_stat->keysig_list_mutex);	2480	mutex_unlock(&crypt_stat->keysig_list_mutex);
2467	return rc;	2481	return rc;


diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c index 520d05f5ad01..c27c0ecf90bc 100644 --- a/fs/ecryptfs/main.c +++ b/fs/ecryptfs/main.c
@@ -254,8 +254,10 @@ static int ecryptfs_init_global_auth_toks(
254	"option: [%s]\n", global_auth_tok->sig);	254	"option: [%s]\n", global_auth_tok->sig);
255	global_auth_tok->flags \|= ECRYPTFS_AUTH_TOK_INVALID;	255	global_auth_tok->flags \|= ECRYPTFS_AUTH_TOK_INVALID;
256	goto out;	256	goto out;
257	} else	257	} else {
258	global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID;	258	global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID;
		259	up_write(&(global_auth_tok->global_auth_tok_key)->sem);
		260	}
259	}	261	}
260	out:	262	out:
261	return rc;	263	return rc;