aboutsummaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
authorRoberto Sassu <roberto.sassu@polito.it>2010-10-06 12:31:06 -0400
committerTyler Hicks <tyhicks@linux.vnet.ibm.com>2010-10-29 11:31:35 -0400
commitaee683b9e77e17237b0e146025c3d363c9203634 (patch)
tree79ec9b8a2ff2d2e433bbe7a6959a34aeb75c25b6 /fs
parent2e21b3f124eceb6ab5a07c8a061adce14ac94e14 (diff)
ecryptfs: release keys loaded in ecryptfs_keyring_auth_tok_for_sig()
This patch allows keys requested in the function ecryptfs_keyring_auth_tok_for_sig()to be released when they are no longer required. In particular keys are directly released in the same function if the obtained authentication token is not valid. Further, a new function parameter 'auth_tok_key' has been added to ecryptfs_find_auth_tok_for_sig() in order to provide callers the key pointer to be passed to key_put(). Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Cc: Dustin Kirkland <kirkland@canonical.com> Cc: James Morris <jmorris@namei.org> [Tyler: Initialize auth_tok_key to NULL in ecryptfs_parse_packet_set] Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Diffstat (limited to 'fs')
-rw-r--r--fs/ecryptfs/keystore.c34
1 files changed, 28 insertions, 6 deletions
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
index 73811cfa2ea4..b85c6a7770a8 100644
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -446,6 +446,7 @@ out:
446 */ 446 */
447static int 447static int
448ecryptfs_find_auth_tok_for_sig( 448ecryptfs_find_auth_tok_for_sig(
449 struct key **auth_tok_key,
449 struct ecryptfs_auth_tok **auth_tok, 450 struct ecryptfs_auth_tok **auth_tok,
450 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, 451 struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
451 char *sig) 452 char *sig)
@@ -453,12 +454,12 @@ ecryptfs_find_auth_tok_for_sig(
453 struct ecryptfs_global_auth_tok *global_auth_tok; 454 struct ecryptfs_global_auth_tok *global_auth_tok;
454 int rc = 0; 455 int rc = 0;
455 456
457 (*auth_tok_key) = NULL;
456 (*auth_tok) = NULL; 458 (*auth_tok) = NULL;
457 if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok, 459 if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok,
458 mount_crypt_stat, sig)) { 460 mount_crypt_stat, sig)) {
459 struct key *auth_tok_key;
460 461
461 rc = ecryptfs_keyring_auth_tok_for_sig(&auth_tok_key, auth_tok, 462 rc = ecryptfs_keyring_auth_tok_for_sig(auth_tok_key, auth_tok,
462 sig); 463 sig);
463 } else 464 } else
464 (*auth_tok) = global_auth_tok->global_auth_tok; 465 (*auth_tok) = global_auth_tok->global_auth_tok;
@@ -509,6 +510,7 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
509 char *filename, size_t filename_size) 510 char *filename, size_t filename_size)
510{ 511{
511 struct ecryptfs_write_tag_70_packet_silly_stack *s; 512 struct ecryptfs_write_tag_70_packet_silly_stack *s;
513 struct key *auth_tok_key = NULL;
512 int rc = 0; 514 int rc = 0;
513 515
514 s = kmalloc(sizeof(*s), GFP_KERNEL); 516 s = kmalloc(sizeof(*s), GFP_KERNEL);
@@ -606,6 +608,7 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
606 } 608 }
607 dest[s->i++] = s->cipher_code; 609 dest[s->i++] = s->cipher_code;
608 rc = ecryptfs_find_auth_tok_for_sig( 610 rc = ecryptfs_find_auth_tok_for_sig(
611 &auth_tok_key,
609 &s->auth_tok, mount_crypt_stat, 612 &s->auth_tok, mount_crypt_stat,
610 mount_crypt_stat->global_default_fnek_sig); 613 mount_crypt_stat->global_default_fnek_sig);
611 if (rc) { 614 if (rc) {
@@ -753,6 +756,8 @@ out_free_unlock:
753out_unlock: 756out_unlock:
754 mutex_unlock(s->tfm_mutex); 757 mutex_unlock(s->tfm_mutex);
755out: 758out:
759 if (auth_tok_key)
760 key_put(auth_tok_key);
756 kfree(s); 761 kfree(s);
757 return rc; 762 return rc;
758} 763}
@@ -798,6 +803,7 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
798 char *data, size_t max_packet_size) 803 char *data, size_t max_packet_size)
799{ 804{
800 struct ecryptfs_parse_tag_70_packet_silly_stack *s; 805 struct ecryptfs_parse_tag_70_packet_silly_stack *s;
806 struct key *auth_tok_key = NULL;
801 int rc = 0; 807 int rc = 0;
802 808
803 (*packet_size) = 0; 809 (*packet_size) = 0;
@@ -910,7 +916,8 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
910 * >= ECRYPTFS_MAX_IV_BYTES. */ 916 * >= ECRYPTFS_MAX_IV_BYTES. */
911 memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); 917 memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES);
912 s->desc.info = s->iv; 918 s->desc.info = s->iv;
913 rc = ecryptfs_find_auth_tok_for_sig(&s->auth_tok, mount_crypt_stat, 919 rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key,
920 &s->auth_tok, mount_crypt_stat,
914 s->fnek_sig_hex); 921 s->fnek_sig_hex);
915 if (rc) { 922 if (rc) {
916 printk(KERN_ERR "%s: Error attempting to find auth tok for " 923 printk(KERN_ERR "%s: Error attempting to find auth tok for "
@@ -986,6 +993,8 @@ out:
986 (*filename_size) = 0; 993 (*filename_size) = 0;
987 (*filename) = NULL; 994 (*filename) = NULL;
988 } 995 }
996 if (auth_tok_key)
997 key_put(auth_tok_key);
989 kfree(s); 998 kfree(s);
990 return rc; 999 return rc;
991} 1000}
@@ -1557,14 +1566,19 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
1557 ECRYPTFS_VERSION_MAJOR, 1566 ECRYPTFS_VERSION_MAJOR,
1558 ECRYPTFS_VERSION_MINOR); 1567 ECRYPTFS_VERSION_MINOR);
1559 rc = -EINVAL; 1568 rc = -EINVAL;
1560 goto out; 1569 goto out_release_key;
1561 } 1570 }
1562 if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD 1571 if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD
1563 && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) { 1572 && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) {
1564 printk(KERN_ERR "Invalid auth_tok structure " 1573 printk(KERN_ERR "Invalid auth_tok structure "
1565 "returned from key query\n"); 1574 "returned from key query\n");
1566 rc = -EINVAL; 1575 rc = -EINVAL;
1567 goto out; 1576 goto out_release_key;
1577 }
1578out_release_key:
1579 if (rc) {
1580 key_put(*auth_tok_key);
1581 (*auth_tok_key) = NULL;
1568 } 1582 }
1569out: 1583out:
1570 return rc; 1584 return rc;
@@ -1688,6 +1702,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
1688 struct ecryptfs_auth_tok_list_item *auth_tok_list_item; 1702 struct ecryptfs_auth_tok_list_item *auth_tok_list_item;
1689 size_t tag_11_contents_size; 1703 size_t tag_11_contents_size;
1690 size_t tag_11_packet_size; 1704 size_t tag_11_packet_size;
1705 struct key *auth_tok_key = NULL;
1691 int rc = 0; 1706 int rc = 0;
1692 1707
1693 INIT_LIST_HEAD(&auth_tok_list); 1708 INIT_LIST_HEAD(&auth_tok_list);
@@ -1784,6 +1799,10 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
1784 * just one will be sufficient to decrypt to get the FEK. */ 1799 * just one will be sufficient to decrypt to get the FEK. */
1785find_next_matching_auth_tok: 1800find_next_matching_auth_tok:
1786 found_auth_tok = 0; 1801 found_auth_tok = 0;
1802 if (auth_tok_key) {
1803 key_put(auth_tok_key);
1804 auth_tok_key = NULL;
1805 }
1787 list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) { 1806 list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) {
1788 candidate_auth_tok = &auth_tok_list_item->auth_tok; 1807 candidate_auth_tok = &auth_tok_list_item->auth_tok;
1789 if (unlikely(ecryptfs_verbosity > 0)) { 1808 if (unlikely(ecryptfs_verbosity > 0)) {
@@ -1800,7 +1819,8 @@ find_next_matching_auth_tok:
1800 rc = -EINVAL; 1819 rc = -EINVAL;
1801 goto out_wipe_list; 1820 goto out_wipe_list;
1802 } 1821 }
1803 ecryptfs_find_auth_tok_for_sig(&matching_auth_tok, 1822 ecryptfs_find_auth_tok_for_sig(&auth_tok_key,
1823 &matching_auth_tok,
1804 crypt_stat->mount_crypt_stat, 1824 crypt_stat->mount_crypt_stat,
1805 candidate_auth_tok_sig); 1825 candidate_auth_tok_sig);
1806 if (matching_auth_tok) { 1826 if (matching_auth_tok) {
@@ -1866,6 +1886,8 @@ found_matching_auth_tok:
1866out_wipe_list: 1886out_wipe_list:
1867 wipe_auth_tok_list(&auth_tok_list); 1887 wipe_auth_tok_list(&auth_tok_list);
1868out: 1888out:
1889 if (auth_tok_key)
1890 key_put(auth_tok_key);
1869 return rc; 1891 return rc;
1870} 1892}
1871 1893