aboutsummaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
authorRoberto Sassu <roberto.sassu@polito.it>2011-03-21 11:00:55 -0400
committerTyler Hicks <tyhicks@linux.vnet.ibm.com>2011-03-28 02:49:43 -0400
commitb5695d04634fa4ccca7dcbc05bb4a66522f02e0b (patch)
tree568155380ea1b1fa3b9e68f68dd74cdd9d651229 /fs
parent950983fc04e02232e0d25717903461578a755ebb (diff)
eCryptfs: write lock requested keys
A requested key is write locked in order to prevent modifications on the authentication token while it is being used. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Diffstat (limited to 'fs')
-rw-r--r--fs/ecryptfs/keystore.c26
-rw-r--r--fs/ecryptfs/main.c4
2 files changed, 23 insertions, 7 deletions
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
index d95dd505433e..03e609c45012 100644
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -516,10 +516,11 @@ ecryptfs_find_global_auth_tok_for_sig(
516 goto out_invalid_auth_tok; 516 goto out_invalid_auth_tok;
517 } 517 }
518 518
519 down_write(&(walker->global_auth_tok_key->sem));
519 rc = ecryptfs_verify_auth_tok_from_key( 520 rc = ecryptfs_verify_auth_tok_from_key(
520 walker->global_auth_tok_key, auth_tok); 521 walker->global_auth_tok_key, auth_tok);
521 if (rc) 522 if (rc)
522 goto out_invalid_auth_tok; 523 goto out_invalid_auth_tok_unlock;
523 524
524 (*auth_tok_key) = walker->global_auth_tok_key; 525 (*auth_tok_key) = walker->global_auth_tok_key;
525 key_get(*auth_tok_key); 526 key_get(*auth_tok_key);
@@ -527,6 +528,8 @@ ecryptfs_find_global_auth_tok_for_sig(
527 } 528 }
528 rc = -ENOENT; 529 rc = -ENOENT;
529 goto out; 530 goto out;
531out_invalid_auth_tok_unlock:
532 up_write(&(walker->global_auth_tok_key->sem));
530out_invalid_auth_tok: 533out_invalid_auth_tok:
531 printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig); 534 printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig);
532 walker->flags |= ECRYPTFS_AUTH_TOK_INVALID; 535 walker->flags |= ECRYPTFS_AUTH_TOK_INVALID;
@@ -869,8 +872,10 @@ out_free_unlock:
869out_unlock: 872out_unlock:
870 mutex_unlock(s->tfm_mutex); 873 mutex_unlock(s->tfm_mutex);
871out: 874out:
872 if (auth_tok_key) 875 if (auth_tok_key) {
876 up_write(&(auth_tok_key->sem));
873 key_put(auth_tok_key); 877 key_put(auth_tok_key);
878 }
874 kfree(s); 879 kfree(s);
875 return rc; 880 return rc;
876} 881}
@@ -1106,8 +1111,10 @@ out:
1106 (*filename_size) = 0; 1111 (*filename_size) = 0;
1107 (*filename) = NULL; 1112 (*filename) = NULL;
1108 } 1113 }
1109 if (auth_tok_key) 1114 if (auth_tok_key) {
1115 up_write(&(auth_tok_key->sem));
1110 key_put(auth_tok_key); 1116 key_put(auth_tok_key);
1117 }
1111 kfree(s); 1118 kfree(s);
1112 return rc; 1119 return rc;
1113} 1120}
@@ -1638,9 +1645,10 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
1638 (*auth_tok_key) = NULL; 1645 (*auth_tok_key) = NULL;
1639 goto out; 1646 goto out;
1640 } 1647 }
1641 1648 down_write(&(*auth_tok_key)->sem);
1642 rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok); 1649 rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok);
1643 if (rc) { 1650 if (rc) {
1651 up_write(&(*auth_tok_key)->sem);
1644 key_put(*auth_tok_key); 1652 key_put(*auth_tok_key);
1645 (*auth_tok_key) = NULL; 1653 (*auth_tok_key) = NULL;
1646 goto out; 1654 goto out;
@@ -1865,6 +1873,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
1865find_next_matching_auth_tok: 1873find_next_matching_auth_tok:
1866 found_auth_tok = 0; 1874 found_auth_tok = 0;
1867 if (auth_tok_key) { 1875 if (auth_tok_key) {
1876 up_write(&(auth_tok_key->sem));
1868 key_put(auth_tok_key); 1877 key_put(auth_tok_key);
1869 auth_tok_key = NULL; 1878 auth_tok_key = NULL;
1870 } 1879 }
@@ -1951,8 +1960,10 @@ found_matching_auth_tok:
1951out_wipe_list: 1960out_wipe_list:
1952 wipe_auth_tok_list(&auth_tok_list); 1961 wipe_auth_tok_list(&auth_tok_list);
1953out: 1962out:
1954 if (auth_tok_key) 1963 if (auth_tok_key) {
1964 up_write(&(auth_tok_key->sem));
1955 key_put(auth_tok_key); 1965 key_put(auth_tok_key);
1966 }
1956 return rc; 1967 return rc;
1957} 1968}
1958 1969
@@ -2446,6 +2457,7 @@ ecryptfs_generate_key_packet_set(char *dest_base,
2446 rc = -EINVAL; 2457 rc = -EINVAL;
2447 goto out_free; 2458 goto out_free;
2448 } 2459 }
2460 up_write(&(auth_tok_key->sem));
2449 key_put(auth_tok_key); 2461 key_put(auth_tok_key);
2450 auth_tok_key = NULL; 2462 auth_tok_key = NULL;
2451 } 2463 }
@@ -2460,8 +2472,10 @@ out_free:
2460out: 2472out:
2461 if (rc) 2473 if (rc)
2462 (*len) = 0; 2474 (*len) = 0;
2463 if (auth_tok_key) 2475 if (auth_tok_key) {
2476 up_write(&(auth_tok_key->sem));
2464 key_put(auth_tok_key); 2477 key_put(auth_tok_key);
2478 }
2465 2479
2466 mutex_unlock(&crypt_stat->keysig_list_mutex); 2480 mutex_unlock(&crypt_stat->keysig_list_mutex);
2467 return rc; 2481 return rc;
diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
index 520d05f5ad01..c27c0ecf90bc 100644
--- a/fs/ecryptfs/main.c
+++ b/fs/ecryptfs/main.c
@@ -254,8 +254,10 @@ static int ecryptfs_init_global_auth_toks(
254 "option: [%s]\n", global_auth_tok->sig); 254 "option: [%s]\n", global_auth_tok->sig);
255 global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID; 255 global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID;
256 goto out; 256 goto out;
257 } else 257 } else {
258 global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID; 258 global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID;
259 up_write(&(global_auth_tok->global_auth_tok_key)->sem);
260 }
259 } 261 }
260out: 262out:
261 return rc; 263 return rc;