aboutsummaryrefslogtreecommitdiffstats
path: root/fs/ecryptfs/keystore.c
diff options
context:
space:
mode:
Diffstat (limited to 'fs/ecryptfs/keystore.c')
-rw-r--r--fs/ecryptfs/keystore.c634
1 files changed, 570 insertions, 64 deletions
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
index 0d713b691941..dafceb5560e5 100644
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -403,6 +403,569 @@ out:
403} 403}
404 404
405static int 405static int
406ecryptfs_find_global_auth_tok_for_sig(
407 struct ecryptfs_global_auth_tok **global_auth_tok,
408 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, char *sig)
409{
410 struct ecryptfs_global_auth_tok *walker;
411 int rc = 0;
412
413 (*global_auth_tok) = NULL;
414 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
415 list_for_each_entry(walker,
416 &mount_crypt_stat->global_auth_tok_list,
417 mount_crypt_stat_list) {
418 if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX) == 0) {
419 (*global_auth_tok) = walker;
420 goto out;
421 }
422 }
423 rc = -EINVAL;
424out:
425 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
426 return rc;
427}
428
429/**
430 * ecryptfs_find_auth_tok_for_sig
431 * @auth_tok: Set to the matching auth_tok; NULL if not found
432 * @crypt_stat: inode crypt_stat crypto context
433 * @sig: Sig of auth_tok to find
434 *
435 * For now, this function simply looks at the registered auth_tok's
436 * linked off the mount_crypt_stat, so all the auth_toks that can be
437 * used must be registered at mount time. This function could
438 * potentially try a lot harder to find auth_tok's (e.g., by calling
439 * out to ecryptfsd to dynamically retrieve an auth_tok object) so
440 * that static registration of auth_tok's will no longer be necessary.
441 *
442 * Returns zero on no error; non-zero on error
443 */
444static int
445ecryptfs_find_auth_tok_for_sig(
446 struct ecryptfs_auth_tok **auth_tok,
447 struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
448 char *sig)
449{
450 struct ecryptfs_global_auth_tok *global_auth_tok;
451 int rc = 0;
452
453 (*auth_tok) = NULL;
454 if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok,
455 mount_crypt_stat, sig)) {
456 struct key *auth_tok_key;
457
458 rc = ecryptfs_keyring_auth_tok_for_sig(&auth_tok_key, auth_tok,
459 sig);
460 } else
461 (*auth_tok) = global_auth_tok->global_auth_tok;
462 return rc;
463}
464
465/**
466 * write_tag_70_packet can gobble a lot of stack space. We stuff most
467 * of the function's parameters in a kmalloc'd struct to help reduce
468 * eCryptfs' overall stack usage.
469 */
470struct ecryptfs_write_tag_70_packet_silly_stack {
471 u8 cipher_code;
472 size_t max_packet_size;
473 size_t packet_size_len;
474 size_t block_aligned_filename_size;
475 size_t block_size;
476 size_t i;
477 size_t j;
478 size_t num_rand_bytes;
479 struct mutex *tfm_mutex;
480 char *block_aligned_filename;
481 struct ecryptfs_auth_tok *auth_tok;
482 struct scatterlist src_sg;
483 struct scatterlist dst_sg;
484 struct blkcipher_desc desc;
485 char iv[ECRYPTFS_MAX_IV_BYTES];
486 char hash[ECRYPTFS_TAG_70_DIGEST_SIZE];
487 char tmp_hash[ECRYPTFS_TAG_70_DIGEST_SIZE];
488 struct hash_desc hash_desc;
489 struct scatterlist hash_sg;
490};
491
492/**
493 * write_tag_70_packet - Write encrypted filename (EFN) packet against FNEK
494 * @filename: NULL-terminated filename string
495 *
496 * This is the simplest mechanism for achieving filename encryption in
497 * eCryptfs. It encrypts the given filename with the mount-wide
498 * filename encryption key (FNEK) and stores it in a packet to @dest,
499 * which the callee will encode and write directly into the dentry
500 * name.
501 */
502int
503ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
504 size_t *packet_size,
505 struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
506 char *filename, size_t filename_size)
507{
508 struct ecryptfs_write_tag_70_packet_silly_stack *s;
509 int rc = 0;
510
511 s = kmalloc(sizeof(*s), GFP_KERNEL);
512 if (!s) {
513 printk(KERN_ERR "%s: Out of memory whilst trying to kmalloc "
514 "[%d] bytes of kernel memory\n", __func__, sizeof(*s));
515 goto out;
516 }
517 s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP;
518 (*packet_size) = 0;
519 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(
520 &s->desc.tfm,
521 &s->tfm_mutex, mount_crypt_stat->global_default_fn_cipher_name);
522 if (unlikely(rc)) {
523 printk(KERN_ERR "Internal error whilst attempting to get "
524 "tfm and mutex for cipher name [%s]; rc = [%d]\n",
525 mount_crypt_stat->global_default_fn_cipher_name, rc);
526 goto out;
527 }
528 mutex_lock(s->tfm_mutex);
529 s->block_size = crypto_blkcipher_blocksize(s->desc.tfm);
530 /* Plus one for the \0 separator between the random prefix
531 * and the plaintext filename */
532 s->num_rand_bytes = (ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES + 1);
533 s->block_aligned_filename_size = (s->num_rand_bytes + filename_size);
534 if ((s->block_aligned_filename_size % s->block_size) != 0) {
535 s->num_rand_bytes += (s->block_size
536 - (s->block_aligned_filename_size
537 % s->block_size));
538 s->block_aligned_filename_size = (s->num_rand_bytes
539 + filename_size);
540 }
541 /* Octet 0: Tag 70 identifier
542 * Octets 1-N1: Tag 70 packet size (includes cipher identifier
543 * and block-aligned encrypted filename size)
544 * Octets N1-N2: FNEK sig (ECRYPTFS_SIG_SIZE)
545 * Octet N2-N3: Cipher identifier (1 octet)
546 * Octets N3-N4: Block-aligned encrypted filename
547 * - Consists of a minimum number of random characters, a \0
548 * separator, and then the filename */
549 s->max_packet_size = (1 /* Tag 70 identifier */
550 + 3 /* Max Tag 70 packet size */
551 + ECRYPTFS_SIG_SIZE /* FNEK sig */
552 + 1 /* Cipher identifier */
553 + s->block_aligned_filename_size);
554 if (dest == NULL) {
555 (*packet_size) = s->max_packet_size;
556 goto out_unlock;
557 }
558 if (s->max_packet_size > (*remaining_bytes)) {
559 printk(KERN_WARNING "%s: Require [%d] bytes to write; only "
560 "[%d] available\n", __func__, s->max_packet_size,
561 (*remaining_bytes));
562 rc = -EINVAL;
563 goto out_unlock;
564 }
565 s->block_aligned_filename = kzalloc(s->block_aligned_filename_size,
566 GFP_KERNEL);
567 if (!s->block_aligned_filename) {
568 printk(KERN_ERR "%s: Out of kernel memory whilst attempting to "
569 "kzalloc [%Zd] bytes\n", __func__,
570 s->block_aligned_filename_size);
571 rc = -ENOMEM;
572 goto out_unlock;
573 }
574 s->i = 0;
575 dest[s->i++] = ECRYPTFS_TAG_70_PACKET_TYPE;
576 rc = ecryptfs_write_packet_length(&dest[s->i],
577 (ECRYPTFS_SIG_SIZE
578 + 1 /* Cipher code */
579 + s->block_aligned_filename_size),
580 &s->packet_size_len);
581 if (rc) {
582 printk(KERN_ERR "%s: Error generating tag 70 packet "
583 "header; cannot generate packet length; rc = [%d]\n",
584 __func__, rc);
585 goto out_free_unlock;
586 }
587 s->i += s->packet_size_len;
588 ecryptfs_from_hex(&dest[s->i],
589 mount_crypt_stat->global_default_fnek_sig,
590 ECRYPTFS_SIG_SIZE);
591 s->i += ECRYPTFS_SIG_SIZE;
592 s->cipher_code = ecryptfs_code_for_cipher_string(
593 mount_crypt_stat->global_default_fn_cipher_name,
594 mount_crypt_stat->global_default_fn_cipher_key_bytes);
595 if (s->cipher_code == 0) {
596 printk(KERN_WARNING "%s: Unable to generate code for "
597 "cipher [%s] with key bytes [%d]\n", __func__,
598 mount_crypt_stat->global_default_fn_cipher_name,
599 mount_crypt_stat->global_default_fn_cipher_key_bytes);
600 rc = -EINVAL;
601 goto out_free_unlock;
602 }
603 dest[s->i++] = s->cipher_code;
604 rc = ecryptfs_find_auth_tok_for_sig(
605 &s->auth_tok, mount_crypt_stat,
606 mount_crypt_stat->global_default_fnek_sig);
607 if (rc) {
608 printk(KERN_ERR "%s: Error attempting to find auth tok for "
609 "fnek sig [%s]; rc = [%d]\n", __func__,
610 mount_crypt_stat->global_default_fnek_sig, rc);
611 goto out_free_unlock;
612 }
613 /* TODO: Support other key modules than passphrase for
614 * filename encryption */
615 BUG_ON(s->auth_tok->token_type != ECRYPTFS_PASSWORD);
616 sg_init_one(
617 &s->hash_sg,
618 (u8 *)s->auth_tok->token.password.session_key_encryption_key,
619 s->auth_tok->token.password.session_key_encryption_key_bytes);
620 s->hash_desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP;
621 s->hash_desc.tfm = crypto_alloc_hash(ECRYPTFS_TAG_70_DIGEST, 0,
622 CRYPTO_ALG_ASYNC);
623 if (IS_ERR(s->hash_desc.tfm)) {
624 rc = PTR_ERR(s->hash_desc.tfm);
625 printk(KERN_ERR "%s: Error attempting to "
626 "allocate hash crypto context; rc = [%d]\n",
627 __func__, rc);
628 goto out_free_unlock;
629 }
630 rc = crypto_hash_init(&s->hash_desc);
631 if (rc) {
632 printk(KERN_ERR
633 "%s: Error initializing crypto hash; rc = [%d]\n",
634 __func__, rc);
635 goto out_release_free_unlock;
636 }
637 rc = crypto_hash_update(
638 &s->hash_desc, &s->hash_sg,
639 s->auth_tok->token.password.session_key_encryption_key_bytes);
640 if (rc) {
641 printk(KERN_ERR
642 "%s: Error updating crypto hash; rc = [%d]\n",
643 __func__, rc);
644 goto out_release_free_unlock;
645 }
646 rc = crypto_hash_final(&s->hash_desc, s->hash);
647 if (rc) {
648 printk(KERN_ERR
649 "%s: Error finalizing crypto hash; rc = [%d]\n",
650 __func__, rc);
651 goto out_release_free_unlock;
652 }
653 for (s->j = 0; s->j < (s->num_rand_bytes - 1); s->j++) {
654 s->block_aligned_filename[s->j] =
655 s->hash[(s->j % ECRYPTFS_TAG_70_DIGEST_SIZE)];
656 if ((s->j % ECRYPTFS_TAG_70_DIGEST_SIZE)
657 == (ECRYPTFS_TAG_70_DIGEST_SIZE - 1)) {
658 sg_init_one(&s->hash_sg, (u8 *)s->hash,
659 ECRYPTFS_TAG_70_DIGEST_SIZE);
660 rc = crypto_hash_init(&s->hash_desc);
661 if (rc) {
662 printk(KERN_ERR
663 "%s: Error initializing crypto hash; "
664 "rc = [%d]\n", __func__, rc);
665 goto out_release_free_unlock;
666 }
667 rc = crypto_hash_update(&s->hash_desc, &s->hash_sg,
668 ECRYPTFS_TAG_70_DIGEST_SIZE);
669 if (rc) {
670 printk(KERN_ERR
671 "%s: Error updating crypto hash; "
672 "rc = [%d]\n", __func__, rc);
673 goto out_release_free_unlock;
674 }
675 rc = crypto_hash_final(&s->hash_desc, s->tmp_hash);
676 if (rc) {
677 printk(KERN_ERR
678 "%s: Error finalizing crypto hash; "
679 "rc = [%d]\n", __func__, rc);
680 goto out_release_free_unlock;
681 }
682 memcpy(s->hash, s->tmp_hash,
683 ECRYPTFS_TAG_70_DIGEST_SIZE);
684 }
685 if (s->block_aligned_filename[s->j] == '\0')
686 s->block_aligned_filename[s->j] = ECRYPTFS_NON_NULL;
687 }
688 memcpy(&s->block_aligned_filename[s->num_rand_bytes], filename,
689 filename_size);
690 rc = virt_to_scatterlist(s->block_aligned_filename,
691 s->block_aligned_filename_size, &s->src_sg, 1);
692 if (rc != 1) {
693 printk(KERN_ERR "%s: Internal error whilst attempting to "
694 "convert filename memory to scatterlist; "
695 "expected rc = 1; got rc = [%d]. "
696 "block_aligned_filename_size = [%d]\n", __func__, rc,
697 s->block_aligned_filename_size);
698 goto out_release_free_unlock;
699 }
700 rc = virt_to_scatterlist(&dest[s->i], s->block_aligned_filename_size,
701 &s->dst_sg, 1);
702 if (rc != 1) {
703 printk(KERN_ERR "%s: Internal error whilst attempting to "
704 "convert encrypted filename memory to scatterlist; "
705 "expected rc = 1; got rc = [%d]. "
706 "block_aligned_filename_size = [%d]\n", __func__, rc,
707 s->block_aligned_filename_size);
708 goto out_release_free_unlock;
709 }
710 /* The characters in the first block effectively do the job
711 * of the IV here, so we just use 0's for the IV. Note the
712 * constraint that ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES
713 * >= ECRYPTFS_MAX_IV_BYTES. */
714 memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES);
715 s->desc.info = s->iv;
716 rc = crypto_blkcipher_setkey(
717 s->desc.tfm,
718 s->auth_tok->token.password.session_key_encryption_key,
719 mount_crypt_stat->global_default_fn_cipher_key_bytes);
720 if (rc < 0) {
721 printk(KERN_ERR "%s: Error setting key for crypto context; "
722 "rc = [%d]. s->auth_tok->token.password.session_key_"
723 "encryption_key = [0x%p]; mount_crypt_stat->"
724 "global_default_fn_cipher_key_bytes = [%Zd]\n", __func__,
725 rc,
726 s->auth_tok->token.password.session_key_encryption_key,
727 mount_crypt_stat->global_default_fn_cipher_key_bytes);
728 goto out_release_free_unlock;
729 }
730 rc = crypto_blkcipher_encrypt_iv(&s->desc, &s->dst_sg, &s->src_sg,
731 s->block_aligned_filename_size);
732 if (rc) {
733 printk(KERN_ERR "%s: Error attempting to encrypt filename; "
734 "rc = [%d]\n", __func__, rc);
735 goto out_release_free_unlock;
736 }
737 s->i += s->block_aligned_filename_size;
738 (*packet_size) = s->i;
739 (*remaining_bytes) -= (*packet_size);
740out_release_free_unlock:
741 crypto_free_hash(s->hash_desc.tfm);
742out_free_unlock:
743 memset(s->block_aligned_filename, 0, s->block_aligned_filename_size);
744 kfree(s->block_aligned_filename);
745out_unlock:
746 mutex_unlock(s->tfm_mutex);
747out:
748 kfree(s);
749 return rc;
750}
751
752struct ecryptfs_parse_tag_70_packet_silly_stack {
753 u8 cipher_code;
754 size_t max_packet_size;
755 size_t packet_size_len;
756 size_t parsed_tag_70_packet_size;
757 size_t block_aligned_filename_size;
758 size_t block_size;
759 size_t i;
760 struct mutex *tfm_mutex;
761 char *decrypted_filename;
762 struct ecryptfs_auth_tok *auth_tok;
763 struct scatterlist src_sg;
764 struct scatterlist dst_sg;
765 struct blkcipher_desc desc;
766 char fnek_sig_hex[ECRYPTFS_SIG_SIZE_HEX + 1];
767 char iv[ECRYPTFS_MAX_IV_BYTES];
768 char cipher_string[ECRYPTFS_MAX_CIPHER_NAME_SIZE];
769};
770
771/**
772 * parse_tag_70_packet - Parse and process FNEK-encrypted passphrase packet
773 * @filename: This function kmalloc's the memory for the filename
774 */
775int
776ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
777 size_t *packet_size,
778 struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
779 char *data, size_t max_packet_size)
780{
781 struct ecryptfs_parse_tag_70_packet_silly_stack *s;
782 int rc = 0;
783
784 (*packet_size) = 0;
785 (*filename_size) = 0;
786 (*filename) = NULL;
787 s = kmalloc(sizeof(*s), GFP_KERNEL);
788 if (!s) {
789 printk(KERN_ERR "%s: Out of memory whilst trying to kmalloc "
790 "[%d] bytes of kernel memory\n", __func__, sizeof(*s));
791 goto out;
792 }
793 s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP;
794 if (max_packet_size < (1 + 1 + ECRYPTFS_SIG_SIZE + 1 + 1)) {
795 printk(KERN_WARNING "%s: max_packet_size is [%Zd]; it must be "
796 "at least [%d]\n", __func__, max_packet_size,
797 (1 + 1 + ECRYPTFS_SIG_SIZE + 1 + 1));
798 rc = -EINVAL;
799 goto out;
800 }
801 /* Octet 0: Tag 70 identifier
802 * Octets 1-N1: Tag 70 packet size (includes cipher identifier
803 * and block-aligned encrypted filename size)
804 * Octets N1-N2: FNEK sig (ECRYPTFS_SIG_SIZE)
805 * Octet N2-N3: Cipher identifier (1 octet)
806 * Octets N3-N4: Block-aligned encrypted filename
807 * - Consists of a minimum number of random numbers, a \0
808 * separator, and then the filename */
809 if (data[(*packet_size)++] != ECRYPTFS_TAG_70_PACKET_TYPE) {
810 printk(KERN_WARNING "%s: Invalid packet tag [0x%.2x]; must be "
811 "tag [0x%.2x]\n", __func__,
812 data[((*packet_size) - 1)], ECRYPTFS_TAG_70_PACKET_TYPE);
813 rc = -EINVAL;
814 goto out;
815 }
816 rc = ecryptfs_parse_packet_length(&data[(*packet_size)],
817 &s->parsed_tag_70_packet_size,
818 &s->packet_size_len);
819 if (rc) {
820 printk(KERN_WARNING "%s: Error parsing packet length; "
821 "rc = [%d]\n", __func__, rc);
822 goto out;
823 }
824 s->block_aligned_filename_size = (s->parsed_tag_70_packet_size
825 - ECRYPTFS_SIG_SIZE - 1);
826 if ((1 + s->packet_size_len + s->parsed_tag_70_packet_size)
827 > max_packet_size) {
828 printk(KERN_WARNING "%s: max_packet_size is [%d]; real packet "
829 "size is [%d]\n", __func__, max_packet_size,
830 (1 + s->packet_size_len + 1
831 + s->block_aligned_filename_size));
832 rc = -EINVAL;
833 goto out;
834 }
835 (*packet_size) += s->packet_size_len;
836 ecryptfs_to_hex(s->fnek_sig_hex, &data[(*packet_size)],
837 ECRYPTFS_SIG_SIZE);
838 s->fnek_sig_hex[ECRYPTFS_SIG_SIZE_HEX] = '\0';
839 (*packet_size) += ECRYPTFS_SIG_SIZE;
840 s->cipher_code = data[(*packet_size)++];
841 rc = ecryptfs_cipher_code_to_string(s->cipher_string, s->cipher_code);
842 if (rc) {
843 printk(KERN_WARNING "%s: Cipher code [%d] is invalid\n",
844 __func__, s->cipher_code);
845 goto out;
846 }
847 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&s->desc.tfm,
848 &s->tfm_mutex,
849 s->cipher_string);
850 if (unlikely(rc)) {
851 printk(KERN_ERR "Internal error whilst attempting to get "
852 "tfm and mutex for cipher name [%s]; rc = [%d]\n",
853 s->cipher_string, rc);
854 goto out;
855 }
856 mutex_lock(s->tfm_mutex);
857 rc = virt_to_scatterlist(&data[(*packet_size)],
858 s->block_aligned_filename_size, &s->src_sg, 1);
859 if (rc != 1) {
860 printk(KERN_ERR "%s: Internal error whilst attempting to "
861 "convert encrypted filename memory to scatterlist; "
862 "expected rc = 1; got rc = [%d]. "
863 "block_aligned_filename_size = [%d]\n", __func__, rc,
864 s->block_aligned_filename_size);
865 goto out_unlock;
866 }
867 (*packet_size) += s->block_aligned_filename_size;
868 s->decrypted_filename = kmalloc(s->block_aligned_filename_size,
869 GFP_KERNEL);
870 if (!s->decrypted_filename) {
871 printk(KERN_ERR "%s: Out of memory whilst attempting to "
872 "kmalloc [%d] bytes\n", __func__,
873 s->block_aligned_filename_size);
874 rc = -ENOMEM;
875 goto out_unlock;
876 }
877 rc = virt_to_scatterlist(s->decrypted_filename,
878 s->block_aligned_filename_size, &s->dst_sg, 1);
879 if (rc != 1) {
880 printk(KERN_ERR "%s: Internal error whilst attempting to "
881 "convert decrypted filename memory to scatterlist; "
882 "expected rc = 1; got rc = [%d]. "
883 "block_aligned_filename_size = [%d]\n", __func__, rc,
884 s->block_aligned_filename_size);
885 goto out_free_unlock;
886 }
887 /* The characters in the first block effectively do the job of
888 * the IV here, so we just use 0's for the IV. Note the
889 * constraint that ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES
890 * >= ECRYPTFS_MAX_IV_BYTES. */
891 memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES);
892 s->desc.info = s->iv;
893 rc = ecryptfs_find_auth_tok_for_sig(&s->auth_tok, mount_crypt_stat,
894 s->fnek_sig_hex);
895 if (rc) {
896 printk(KERN_ERR "%s: Error attempting to find auth tok for "
897 "fnek sig [%s]; rc = [%d]\n", __func__, s->fnek_sig_hex,
898 rc);
899 goto out_free_unlock;
900 }
901 /* TODO: Support other key modules than passphrase for
902 * filename encryption */
903 BUG_ON(s->auth_tok->token_type != ECRYPTFS_PASSWORD);
904 rc = crypto_blkcipher_setkey(
905 s->desc.tfm,
906 s->auth_tok->token.password.session_key_encryption_key,
907 mount_crypt_stat->global_default_fn_cipher_key_bytes);
908 if (rc < 0) {
909 printk(KERN_ERR "%s: Error setting key for crypto context; "
910 "rc = [%d]. s->auth_tok->token.password.session_key_"
911 "encryption_key = [0x%p]; mount_crypt_stat->"
912 "global_default_fn_cipher_key_bytes = [%Zd]\n", __func__,
913 rc,
914 s->auth_tok->token.password.session_key_encryption_key,
915 mount_crypt_stat->global_default_fn_cipher_key_bytes);
916 goto out_free_unlock;
917 }
918 rc = crypto_blkcipher_decrypt_iv(&s->desc, &s->dst_sg, &s->src_sg,
919 s->block_aligned_filename_size);
920 if (rc) {
921 printk(KERN_ERR "%s: Error attempting to decrypt filename; "
922 "rc = [%d]\n", __func__, rc);
923 goto out_free_unlock;
924 }
925 s->i = 0;
926 while (s->decrypted_filename[s->i] != '\0'
927 && s->i < s->block_aligned_filename_size)
928 s->i++;
929 if (s->i == s->block_aligned_filename_size) {
930 printk(KERN_WARNING "%s: Invalid tag 70 packet; could not "
931 "find valid separator between random characters and "
932 "the filename\n", __func__);
933 rc = -EINVAL;
934 goto out_free_unlock;
935 }
936 s->i++;
937 (*filename_size) = (s->block_aligned_filename_size - s->i);
938 if (!((*filename_size) > 0 && (*filename_size < PATH_MAX))) {
939 printk(KERN_WARNING "%s: Filename size is [%Zd], which is "
940 "invalid\n", __func__, (*filename_size));
941 rc = -EINVAL;
942 goto out_free_unlock;
943 }
944 (*filename) = kmalloc(((*filename_size) + 1), GFP_KERNEL);
945 if (!(*filename)) {
946 printk(KERN_ERR "%s: Out of memory whilst attempting to "
947 "kmalloc [%d] bytes\n", __func__,
948 ((*filename_size) + 1));
949 rc = -ENOMEM;
950 goto out_free_unlock;
951 }
952 memcpy((*filename), &s->decrypted_filename[s->i], (*filename_size));
953 (*filename)[(*filename_size)] = '\0';
954out_free_unlock:
955 kfree(s->decrypted_filename);
956out_unlock:
957 mutex_unlock(s->tfm_mutex);
958out:
959 if (rc) {
960 (*packet_size) = 0;
961 (*filename_size) = 0;
962 (*filename) = NULL;
963 }
964 kfree(s);
965 return rc;
966}
967
968static int
406ecryptfs_get_auth_tok_sig(char **sig, struct ecryptfs_auth_tok *auth_tok) 969ecryptfs_get_auth_tok_sig(char **sig, struct ecryptfs_auth_tok *auth_tok)
407{ 970{
408 int rc = 0; 971 int rc = 0;
@@ -897,30 +1460,6 @@ out:
897 return rc; 1460 return rc;
898} 1461}
899 1462
900static int
901ecryptfs_find_global_auth_tok_for_sig(
902 struct ecryptfs_global_auth_tok **global_auth_tok,
903 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, char *sig)
904{
905 struct ecryptfs_global_auth_tok *walker;
906 int rc = 0;
907
908 (*global_auth_tok) = NULL;
909 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
910 list_for_each_entry(walker,
911 &mount_crypt_stat->global_auth_tok_list,
912 mount_crypt_stat_list) {
913 if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX) == 0) {
914 (*global_auth_tok) = walker;
915 goto out;
916 }
917 }
918 rc = -EINVAL;
919out:
920 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
921 return rc;
922}
923
924/** 1463/**
925 * ecryptfs_verify_version 1464 * ecryptfs_verify_version
926 * @version: The version number to confirm 1465 * @version: The version number to confirm
@@ -990,43 +1529,6 @@ out:
990} 1529}
991 1530
992/** 1531/**
993 * ecryptfs_find_auth_tok_for_sig
994 * @auth_tok: Set to the matching auth_tok; NULL if not found
995 * @crypt_stat: inode crypt_stat crypto context
996 * @sig: Sig of auth_tok to find
997 *
998 * For now, this function simply looks at the registered auth_tok's
999 * linked off the mount_crypt_stat, so all the auth_toks that can be
1000 * used must be registered at mount time. This function could
1001 * potentially try a lot harder to find auth_tok's (e.g., by calling
1002 * out to ecryptfsd to dynamically retrieve an auth_tok object) so
1003 * that static registration of auth_tok's will no longer be necessary.
1004 *
1005 * Returns zero on no error; non-zero on error
1006 */
1007static int
1008ecryptfs_find_auth_tok_for_sig(
1009 struct ecryptfs_auth_tok **auth_tok,
1010 struct ecryptfs_crypt_stat *crypt_stat, char *sig)
1011{
1012 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
1013 crypt_stat->mount_crypt_stat;
1014 struct ecryptfs_global_auth_tok *global_auth_tok;
1015 int rc = 0;
1016
1017 (*auth_tok) = NULL;
1018 if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok,
1019 mount_crypt_stat, sig)) {
1020 struct key *auth_tok_key;
1021
1022 rc = ecryptfs_keyring_auth_tok_for_sig(&auth_tok_key, auth_tok,
1023 sig);
1024 } else
1025 (*auth_tok) = global_auth_tok->global_auth_tok;
1026 return rc;
1027}
1028
1029/**
1030 * decrypt_passphrase_encrypted_session_key - Decrypt the session key with the given auth_tok. 1532 * decrypt_passphrase_encrypted_session_key - Decrypt the session key with the given auth_tok.
1031 * @auth_tok: The passphrase authentication token to use to encrypt the FEK 1533 * @auth_tok: The passphrase authentication token to use to encrypt the FEK
1032 * @crypt_stat: The cryptographic context 1534 * @crypt_stat: The cryptographic context
@@ -1256,7 +1758,8 @@ find_next_matching_auth_tok:
1256 rc = -EINVAL; 1758 rc = -EINVAL;
1257 goto out_wipe_list; 1759 goto out_wipe_list;
1258 } 1760 }
1259 ecryptfs_find_auth_tok_for_sig(&matching_auth_tok, crypt_stat, 1761 ecryptfs_find_auth_tok_for_sig(&matching_auth_tok,
1762 crypt_stat->mount_crypt_stat,
1260 candidate_auth_tok_sig); 1763 candidate_auth_tok_sig);
1261 if (matching_auth_tok) { 1764 if (matching_auth_tok) {
1262 found_auth_tok = 1; 1765 found_auth_tok = 1;
@@ -1336,7 +1839,9 @@ pki_encrypt_session_key(struct ecryptfs_auth_tok *auth_tok,
1336 int rc; 1839 int rc;
1337 1840
1338 rc = write_tag_66_packet(auth_tok->token.private_key.signature, 1841 rc = write_tag_66_packet(auth_tok->token.private_key.signature,
1339 ecryptfs_code_for_cipher_string(crypt_stat), 1842 ecryptfs_code_for_cipher_string(
1843 crypt_stat->cipher,
1844 crypt_stat->key_size),
1340 crypt_stat, &payload, &payload_len); 1845 crypt_stat, &payload, &payload_len);
1341 if (rc) { 1846 if (rc) {
1342 ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet\n"); 1847 ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet\n");
@@ -1696,7 +2201,8 @@ encrypted_session_key_set:
1696 dest[(*packet_size)++] = 0x04; /* version 4 */ 2201 dest[(*packet_size)++] = 0x04; /* version 4 */
1697 /* TODO: Break from RFC2440 so that arbitrary ciphers can be 2202 /* TODO: Break from RFC2440 so that arbitrary ciphers can be
1698 * specified with strings */ 2203 * specified with strings */
1699 cipher_code = ecryptfs_code_for_cipher_string(crypt_stat); 2204 cipher_code = ecryptfs_code_for_cipher_string(crypt_stat->cipher,
2205 crypt_stat->key_size);
1700 if (cipher_code == 0) { 2206 if (cipher_code == 0) {
1701 ecryptfs_printk(KERN_WARNING, "Unable to generate code for " 2207 ecryptfs_printk(KERN_WARNING, "Unable to generate code for "
1702 "cipher [%s]\n", crypt_stat->cipher); 2208 "cipher [%s]\n", crypt_stat->cipher);
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-08 22:46:21 -0500