diff options
| author | Roberto Sassu <roberto.sassu@polito.it> | 2010-10-06 12:31:06 -0400 |
|---|---|---|
| committer | Tyler Hicks <tyhicks@linux.vnet.ibm.com> | 2010-10-29 11:31:35 -0400 |
| commit | aee683b9e77e17237b0e146025c3d363c9203634 (patch) | |
| tree | 79ec9b8a2ff2d2e433bbe7a6959a34aeb75c25b6 /fs/ecryptfs | |
| parent | 2e21b3f124eceb6ab5a07c8a061adce14ac94e14 (diff) | |
ecryptfs: release keys loaded in ecryptfs_keyring_auth_tok_for_sig()
This patch allows keys requested in the function
ecryptfs_keyring_auth_tok_for_sig()to be released when they are no
longer required. In particular keys are directly released in the same
function if the obtained authentication token is not valid.
Further, a new function parameter 'auth_tok_key' has been added to
ecryptfs_find_auth_tok_for_sig() in order to provide callers the key
pointer to be passed to key_put().
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Cc: Dustin Kirkland <kirkland@canonical.com>
Cc: James Morris <jmorris@namei.org>
[Tyler: Initialize auth_tok_key to NULL in ecryptfs_parse_packet_set]
Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Diffstat (limited to 'fs/ecryptfs')
| -rw-r--r-- | fs/ecryptfs/keystore.c | 34 |
1 files changed, 28 insertions, 6 deletions
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c index 73811cfa2ea4..b85c6a7770a8 100644 --- a/fs/ecryptfs/keystore.c +++ b/fs/ecryptfs/keystore.c | |||
| @@ -446,6 +446,7 @@ out: | |||
| 446 | */ | 446 | */ |
| 447 | static int | 447 | static int |
| 448 | ecryptfs_find_auth_tok_for_sig( | 448 | ecryptfs_find_auth_tok_for_sig( |
| 449 | struct key **auth_tok_key, | ||
| 449 | struct ecryptfs_auth_tok **auth_tok, | 450 | struct ecryptfs_auth_tok **auth_tok, |
| 450 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, | 451 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, |
| 451 | char *sig) | 452 | char *sig) |
| @@ -453,12 +454,12 @@ ecryptfs_find_auth_tok_for_sig( | |||
| 453 | struct ecryptfs_global_auth_tok *global_auth_tok; | 454 | struct ecryptfs_global_auth_tok *global_auth_tok; |
| 454 | int rc = 0; | 455 | int rc = 0; |
| 455 | 456 | ||
| 457 | (*auth_tok_key) = NULL; | ||
| 456 | (*auth_tok) = NULL; | 458 | (*auth_tok) = NULL; |
| 457 | if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok, | 459 | if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok, |
| 458 | mount_crypt_stat, sig)) { | 460 | mount_crypt_stat, sig)) { |
| 459 | struct key *auth_tok_key; | ||
| 460 | 461 | ||
| 461 | rc = ecryptfs_keyring_auth_tok_for_sig(&auth_tok_key, auth_tok, | 462 | rc = ecryptfs_keyring_auth_tok_for_sig(auth_tok_key, auth_tok, |
| 462 | sig); | 463 | sig); |
| 463 | } else | 464 | } else |
| 464 | (*auth_tok) = global_auth_tok->global_auth_tok; | 465 | (*auth_tok) = global_auth_tok->global_auth_tok; |
| @@ -509,6 +510,7 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes, | |||
| 509 | char *filename, size_t filename_size) | 510 | char *filename, size_t filename_size) |
| 510 | { | 511 | { |
| 511 | struct ecryptfs_write_tag_70_packet_silly_stack *s; | 512 | struct ecryptfs_write_tag_70_packet_silly_stack *s; |
| 513 | struct key *auth_tok_key = NULL; | ||
| 512 | int rc = 0; | 514 | int rc = 0; |
| 513 | 515 | ||
| 514 | s = kmalloc(sizeof(*s), GFP_KERNEL); | 516 | s = kmalloc(sizeof(*s), GFP_KERNEL); |
| @@ -606,6 +608,7 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes, | |||
| 606 | } | 608 | } |
| 607 | dest[s->i++] = s->cipher_code; | 609 | dest[s->i++] = s->cipher_code; |
| 608 | rc = ecryptfs_find_auth_tok_for_sig( | 610 | rc = ecryptfs_find_auth_tok_for_sig( |
| 611 | &auth_tok_key, | ||
| 609 | &s->auth_tok, mount_crypt_stat, | 612 | &s->auth_tok, mount_crypt_stat, |
| 610 | mount_crypt_stat->global_default_fnek_sig); | 613 | mount_crypt_stat->global_default_fnek_sig); |
| 611 | if (rc) { | 614 | if (rc) { |
| @@ -753,6 +756,8 @@ out_free_unlock: | |||
| 753 | out_unlock: | 756 | out_unlock: |
| 754 | mutex_unlock(s->tfm_mutex); | 757 | mutex_unlock(s->tfm_mutex); |
| 755 | out: | 758 | out: |
| 759 | if (auth_tok_key) | ||
| 760 | key_put(auth_tok_key); | ||
| 756 | kfree(s); | 761 | kfree(s); |
| 757 | return rc; | 762 | return rc; |
| 758 | } | 763 | } |
| @@ -798,6 +803,7 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size, | |||
| 798 | char *data, size_t max_packet_size) | 803 | char *data, size_t max_packet_size) |
| 799 | { | 804 | { |
| 800 | struct ecryptfs_parse_tag_70_packet_silly_stack *s; | 805 | struct ecryptfs_parse_tag_70_packet_silly_stack *s; |
| 806 | struct key *auth_tok_key = NULL; | ||
| 801 | int rc = 0; | 807 | int rc = 0; |
| 802 | 808 | ||
| 803 | (*packet_size) = 0; | 809 | (*packet_size) = 0; |
| @@ -910,7 +916,8 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size, | |||
| 910 | * >= ECRYPTFS_MAX_IV_BYTES. */ | 916 | * >= ECRYPTFS_MAX_IV_BYTES. */ |
| 911 | memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); | 917 | memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); |
| 912 | s->desc.info = s->iv; | 918 | s->desc.info = s->iv; |
| 913 | rc = ecryptfs_find_auth_tok_for_sig(&s->auth_tok, mount_crypt_stat, | 919 | rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key, |
| 920 | &s->auth_tok, mount_crypt_stat, | ||
| 914 | s->fnek_sig_hex); | 921 | s->fnek_sig_hex); |
| 915 | if (rc) { | 922 | if (rc) { |
| 916 | printk(KERN_ERR "%s: Error attempting to find auth tok for " | 923 | printk(KERN_ERR "%s: Error attempting to find auth tok for " |
| @@ -986,6 +993,8 @@ out: | |||
| 986 | (*filename_size) = 0; | 993 | (*filename_size) = 0; |
| 987 | (*filename) = NULL; | 994 | (*filename) = NULL; |
| 988 | } | 995 | } |
| 996 | if (auth_tok_key) | ||
| 997 | key_put(auth_tok_key); | ||
| 989 | kfree(s); | 998 | kfree(s); |
| 990 | return rc; | 999 | return rc; |
| 991 | } | 1000 | } |
| @@ -1557,14 +1566,19 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key, | |||
| 1557 | ECRYPTFS_VERSION_MAJOR, | 1566 | ECRYPTFS_VERSION_MAJOR, |
| 1558 | ECRYPTFS_VERSION_MINOR); | 1567 | ECRYPTFS_VERSION_MINOR); |
| 1559 | rc = -EINVAL; | 1568 | rc = -EINVAL; |
| 1560 | goto out; | 1569 | goto out_release_key; |
| 1561 | } | 1570 | } |
| 1562 | if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD | 1571 | if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD |
| 1563 | && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) { | 1572 | && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) { |
| 1564 | printk(KERN_ERR "Invalid auth_tok structure " | 1573 | printk(KERN_ERR "Invalid auth_tok structure " |
| 1565 | "returned from key query\n"); | 1574 | "returned from key query\n"); |
| 1566 | rc = -EINVAL; | 1575 | rc = -EINVAL; |
| 1567 | goto out; | 1576 | goto out_release_key; |
| 1577 | } | ||
| 1578 | out_release_key: | ||
| 1579 | if (rc) { | ||
| 1580 | key_put(*auth_tok_key); | ||
| 1581 | (*auth_tok_key) = NULL; | ||
| 1568 | } | 1582 | } |
| 1569 | out: | 1583 | out: |
| 1570 | return rc; | 1584 | return rc; |
| @@ -1688,6 +1702,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat, | |||
| 1688 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item; | 1702 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item; |
| 1689 | size_t tag_11_contents_size; | 1703 | size_t tag_11_contents_size; |
| 1690 | size_t tag_11_packet_size; | 1704 | size_t tag_11_packet_size; |
| 1705 | struct key *auth_tok_key = NULL; | ||
| 1691 | int rc = 0; | 1706 | int rc = 0; |
| 1692 | 1707 | ||
| 1693 | INIT_LIST_HEAD(&auth_tok_list); | 1708 | INIT_LIST_HEAD(&auth_tok_list); |
| @@ -1784,6 +1799,10 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat, | |||
| 1784 | * just one will be sufficient to decrypt to get the FEK. */ | 1799 | * just one will be sufficient to decrypt to get the FEK. */ |
| 1785 | find_next_matching_auth_tok: | 1800 | find_next_matching_auth_tok: |
| 1786 | found_auth_tok = 0; | 1801 | found_auth_tok = 0; |
| 1802 | if (auth_tok_key) { | ||
| 1803 | key_put(auth_tok_key); | ||
| 1804 | auth_tok_key = NULL; | ||
| 1805 | } | ||
| 1787 | list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) { | 1806 | list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) { |
| 1788 | candidate_auth_tok = &auth_tok_list_item->auth_tok; | 1807 | candidate_auth_tok = &auth_tok_list_item->auth_tok; |
| 1789 | if (unlikely(ecryptfs_verbosity > 0)) { | 1808 | if (unlikely(ecryptfs_verbosity > 0)) { |
| @@ -1800,7 +1819,8 @@ find_next_matching_auth_tok: | |||
| 1800 | rc = -EINVAL; | 1819 | rc = -EINVAL; |
| 1801 | goto out_wipe_list; | 1820 | goto out_wipe_list; |
| 1802 | } | 1821 | } |
| 1803 | ecryptfs_find_auth_tok_for_sig(&matching_auth_tok, | 1822 | ecryptfs_find_auth_tok_for_sig(&auth_tok_key, |
| 1823 | &matching_auth_tok, | ||
| 1804 | crypt_stat->mount_crypt_stat, | 1824 | crypt_stat->mount_crypt_stat, |
| 1805 | candidate_auth_tok_sig); | 1825 | candidate_auth_tok_sig); |
| 1806 | if (matching_auth_tok) { | 1826 | if (matching_auth_tok) { |
| @@ -1866,6 +1886,8 @@ found_matching_auth_tok: | |||
| 1866 | out_wipe_list: | 1886 | out_wipe_list: |
| 1867 | wipe_auth_tok_list(&auth_tok_list); | 1887 | wipe_auth_tok_list(&auth_tok_list); |
| 1868 | out: | 1888 | out: |
| 1889 | if (auth_tok_key) | ||
| 1890 | key_put(auth_tok_key); | ||
| 1869 | return rc; | 1891 | return rc; |
| 1870 | } | 1892 | } |
| 1871 | 1893 | ||