diff options
Diffstat (limited to 'fs/ecryptfs')
-rw-r--r-- | fs/ecryptfs/crypto.c | 11 | ||||
-rw-r--r-- | fs/ecryptfs/ecryptfs_kernel.h | 38 | ||||
-rw-r--r-- | fs/ecryptfs/keystore.c | 634 |
3 files changed, 613 insertions, 70 deletions
diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c index 6046239465a1..485732751f09 100644 --- a/fs/ecryptfs/crypto.c +++ b/fs/ecryptfs/crypto.c | |||
@@ -1149,19 +1149,20 @@ ecryptfs_cipher_code_str_map[] = { | |||
1149 | 1149 | ||
1150 | /** | 1150 | /** |
1151 | * ecryptfs_code_for_cipher_string | 1151 | * ecryptfs_code_for_cipher_string |
1152 | * @crypt_stat: The cryptographic context | 1152 | * @cipher_name: The string alias for the cipher |
1153 | * @key_bytes: Length of key in bytes; used for AES code selection | ||
1153 | * | 1154 | * |
1154 | * Returns zero on no match, or the cipher code on match | 1155 | * Returns zero on no match, or the cipher code on match |
1155 | */ | 1156 | */ |
1156 | u8 ecryptfs_code_for_cipher_string(struct ecryptfs_crypt_stat *crypt_stat) | 1157 | u8 ecryptfs_code_for_cipher_string(char *cipher_name, size_t key_bytes) |
1157 | { | 1158 | { |
1158 | int i; | 1159 | int i; |
1159 | u8 code = 0; | 1160 | u8 code = 0; |
1160 | struct ecryptfs_cipher_code_str_map_elem *map = | 1161 | struct ecryptfs_cipher_code_str_map_elem *map = |
1161 | ecryptfs_cipher_code_str_map; | 1162 | ecryptfs_cipher_code_str_map; |
1162 | 1163 | ||
1163 | if (strcmp(crypt_stat->cipher, "aes") == 0) { | 1164 | if (strcmp(cipher_name, "aes") == 0) { |
1164 | switch (crypt_stat->key_size) { | 1165 | switch (key_bytes) { |
1165 | case 16: | 1166 | case 16: |
1166 | code = RFC2440_CIPHER_AES_128; | 1167 | code = RFC2440_CIPHER_AES_128; |
1167 | break; | 1168 | break; |
@@ -1173,7 +1174,7 @@ u8 ecryptfs_code_for_cipher_string(struct ecryptfs_crypt_stat *crypt_stat) | |||
1173 | } | 1174 | } |
1174 | } else { | 1175 | } else { |
1175 | for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++) | 1176 | for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++) |
1176 | if (strcmp(crypt_stat->cipher, map[i].cipher_str) == 0){ | 1177 | if (strcmp(cipher_name, map[i].cipher_str) == 0) { |
1177 | code = map[i].cipher_code; | 1178 | code = map[i].cipher_code; |
1178 | break; | 1179 | break; |
1179 | } | 1180 | } |
diff --git a/fs/ecryptfs/ecryptfs_kernel.h b/fs/ecryptfs/ecryptfs_kernel.h index a75026d35d16..76a95bd8819b 100644 --- a/fs/ecryptfs/ecryptfs_kernel.h +++ b/fs/ecryptfs/ecryptfs_kernel.h | |||
@@ -199,6 +199,7 @@ ecryptfs_get_key_payload_data(struct key *key) | |||
199 | #define ECRYPTFS_DEFAULT_CIPHER "aes" | 199 | #define ECRYPTFS_DEFAULT_CIPHER "aes" |
200 | #define ECRYPTFS_DEFAULT_KEY_BYTES 16 | 200 | #define ECRYPTFS_DEFAULT_KEY_BYTES 16 |
201 | #define ECRYPTFS_DEFAULT_HASH "md5" | 201 | #define ECRYPTFS_DEFAULT_HASH "md5" |
202 | #define ECRYPTFS_TAG_70_DIGEST ECRYPTFS_DEFAULT_HASH | ||
202 | #define ECRYPTFS_TAG_1_PACKET_TYPE 0x01 | 203 | #define ECRYPTFS_TAG_1_PACKET_TYPE 0x01 |
203 | #define ECRYPTFS_TAG_3_PACKET_TYPE 0x8C | 204 | #define ECRYPTFS_TAG_3_PACKET_TYPE 0x8C |
204 | #define ECRYPTFS_TAG_11_PACKET_TYPE 0xED | 205 | #define ECRYPTFS_TAG_11_PACKET_TYPE 0xED |
@@ -206,7 +207,25 @@ ecryptfs_get_key_payload_data(struct key *key) | |||
206 | #define ECRYPTFS_TAG_65_PACKET_TYPE 0x41 | 207 | #define ECRYPTFS_TAG_65_PACKET_TYPE 0x41 |
207 | #define ECRYPTFS_TAG_66_PACKET_TYPE 0x42 | 208 | #define ECRYPTFS_TAG_66_PACKET_TYPE 0x42 |
208 | #define ECRYPTFS_TAG_67_PACKET_TYPE 0x43 | 209 | #define ECRYPTFS_TAG_67_PACKET_TYPE 0x43 |
210 | #define ECRYPTFS_TAG_70_PACKET_TYPE 0x46 /* FNEK-encrypted filename | ||
211 | * as dentry name */ | ||
212 | #define ECRYPTFS_TAG_71_PACKET_TYPE 0x47 /* FNEK-encrypted filename in | ||
213 | * metadata */ | ||
214 | #define ECRYPTFS_TAG_72_PACKET_TYPE 0x48 /* FEK-encrypted filename as | ||
215 | * dentry name */ | ||
216 | #define ECRYPTFS_TAG_73_PACKET_TYPE 0x49 /* FEK-encrypted filename as | ||
217 | * metadata */ | ||
218 | /* Constraint: ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES >= | ||
219 | * ECRYPTFS_MAX_IV_BYTES */ | ||
220 | #define ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES 16 | ||
221 | #define ECRYPTFS_NON_NULL 0x42 /* A reasonable substitute for NULL */ | ||
209 | #define MD5_DIGEST_SIZE 16 | 222 | #define MD5_DIGEST_SIZE 16 |
223 | #define ECRYPTFS_TAG_70_DIGEST_SIZE MD5_DIGEST_SIZE | ||
224 | #define ECRYPTFS_FEK_ENCRYPTED_FILENAME_PREFIX "ECRYPTFS_FEK_ENCRYPTED." | ||
225 | #define ECRYPTFS_FEK_ENCRYPTED_FILENAME_PREFIX_SIZE 23 | ||
226 | #define ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX "ECRYPTFS_FNEK_ENCRYPTED." | ||
227 | #define ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE 24 | ||
228 | #define ECRYPTFS_ENCRYPTED_DENTRY_NAME_LEN (18 + 1 + 4 + 1 + 32) | ||
210 | 229 | ||
211 | struct ecryptfs_key_sig { | 230 | struct ecryptfs_key_sig { |
212 | struct list_head crypt_stat_list; | 231 | struct list_head crypt_stat_list; |
@@ -332,13 +351,20 @@ struct ecryptfs_mount_crypt_stat { | |||
332 | #define ECRYPTFS_XATTR_METADATA_ENABLED 0x00000002 | 351 | #define ECRYPTFS_XATTR_METADATA_ENABLED 0x00000002 |
333 | #define ECRYPTFS_ENCRYPTED_VIEW_ENABLED 0x00000004 | 352 | #define ECRYPTFS_ENCRYPTED_VIEW_ENABLED 0x00000004 |
334 | #define ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED 0x00000008 | 353 | #define ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED 0x00000008 |
354 | #define ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES 0x00000010 | ||
355 | #define ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK 0x00000020 | ||
356 | #define ECRYPTFS_GLOBAL_ENCFN_USE_FEK 0x00000040 | ||
335 | u32 flags; | 357 | u32 flags; |
336 | struct list_head global_auth_tok_list; | 358 | struct list_head global_auth_tok_list; |
337 | struct mutex global_auth_tok_list_mutex; | 359 | struct mutex global_auth_tok_list_mutex; |
338 | size_t num_global_auth_toks; | 360 | size_t num_global_auth_toks; |
339 | size_t global_default_cipher_key_size; | 361 | size_t global_default_cipher_key_size; |
362 | size_t global_default_fn_cipher_key_bytes; | ||
340 | unsigned char global_default_cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE | 363 | unsigned char global_default_cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE |
341 | + 1]; | 364 | + 1]; |
365 | unsigned char global_default_fn_cipher_name[ | ||
366 | ECRYPTFS_MAX_CIPHER_NAME_SIZE + 1]; | ||
367 | char global_default_fnek_sig[ECRYPTFS_SIG_SIZE_HEX + 1]; | ||
342 | }; | 368 | }; |
343 | 369 | ||
344 | /* superblock private data. */ | 370 | /* superblock private data. */ |
@@ -599,7 +625,7 @@ int ecryptfs_read_and_validate_header_region(char *data, | |||
599 | struct inode *ecryptfs_inode); | 625 | struct inode *ecryptfs_inode); |
600 | int ecryptfs_read_and_validate_xattr_region(char *page_virt, | 626 | int ecryptfs_read_and_validate_xattr_region(char *page_virt, |
601 | struct dentry *ecryptfs_dentry); | 627 | struct dentry *ecryptfs_dentry); |
602 | u8 ecryptfs_code_for_cipher_string(struct ecryptfs_crypt_stat *crypt_stat); | 628 | u8 ecryptfs_code_for_cipher_string(char *cipher_name, size_t key_bytes); |
603 | int ecryptfs_cipher_code_to_string(char *str, u8 cipher_code); | 629 | int ecryptfs_cipher_code_to_string(char *str, u8 cipher_code); |
604 | void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat); | 630 | void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat); |
605 | int ecryptfs_generate_key_packet_set(char *dest_base, | 631 | int ecryptfs_generate_key_packet_set(char *dest_base, |
@@ -694,5 +720,15 @@ int ecryptfs_privileged_open(struct file **lower_file, | |||
694 | struct vfsmount *lower_mnt, | 720 | struct vfsmount *lower_mnt, |
695 | const struct cred *cred); | 721 | const struct cred *cred); |
696 | int ecryptfs_init_persistent_file(struct dentry *ecryptfs_dentry); | 722 | int ecryptfs_init_persistent_file(struct dentry *ecryptfs_dentry); |
723 | int | ||
724 | ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes, | ||
725 | size_t *packet_size, | ||
726 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, | ||
727 | char *filename, size_t filename_size); | ||
728 | int | ||
729 | ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size, | ||
730 | size_t *packet_size, | ||
731 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, | ||
732 | char *data, size_t max_packet_size); | ||
697 | 733 | ||
698 | #endif /* #ifndef ECRYPTFS_KERNEL_H */ | 734 | #endif /* #ifndef ECRYPTFS_KERNEL_H */ |
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c index 0d713b691941..dafceb5560e5 100644 --- a/fs/ecryptfs/keystore.c +++ b/fs/ecryptfs/keystore.c | |||
@@ -403,6 +403,569 @@ out: | |||
403 | } | 403 | } |
404 | 404 | ||
405 | static int | 405 | static int |
406 | ecryptfs_find_global_auth_tok_for_sig( | ||
407 | struct ecryptfs_global_auth_tok **global_auth_tok, | ||
408 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, char *sig) | ||
409 | { | ||
410 | struct ecryptfs_global_auth_tok *walker; | ||
411 | int rc = 0; | ||
412 | |||
413 | (*global_auth_tok) = NULL; | ||
414 | mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); | ||
415 | list_for_each_entry(walker, | ||
416 | &mount_crypt_stat->global_auth_tok_list, | ||
417 | mount_crypt_stat_list) { | ||
418 | if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX) == 0) { | ||
419 | (*global_auth_tok) = walker; | ||
420 | goto out; | ||
421 | } | ||
422 | } | ||
423 | rc = -EINVAL; | ||
424 | out: | ||
425 | mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); | ||
426 | return rc; | ||
427 | } | ||
428 | |||
429 | /** | ||
430 | * ecryptfs_find_auth_tok_for_sig | ||
431 | * @auth_tok: Set to the matching auth_tok; NULL if not found | ||
432 | * @crypt_stat: inode crypt_stat crypto context | ||
433 | * @sig: Sig of auth_tok to find | ||
434 | * | ||
435 | * For now, this function simply looks at the registered auth_tok's | ||
436 | * linked off the mount_crypt_stat, so all the auth_toks that can be | ||
437 | * used must be registered at mount time. This function could | ||
438 | * potentially try a lot harder to find auth_tok's (e.g., by calling | ||
439 | * out to ecryptfsd to dynamically retrieve an auth_tok object) so | ||
440 | * that static registration of auth_tok's will no longer be necessary. | ||
441 | * | ||
442 | * Returns zero on no error; non-zero on error | ||
443 | */ | ||
444 | static int | ||
445 | ecryptfs_find_auth_tok_for_sig( | ||
446 | struct ecryptfs_auth_tok **auth_tok, | ||
447 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, | ||
448 | char *sig) | ||
449 | { | ||
450 | struct ecryptfs_global_auth_tok *global_auth_tok; | ||
451 | int rc = 0; | ||
452 | |||
453 | (*auth_tok) = NULL; | ||
454 | if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok, | ||
455 | mount_crypt_stat, sig)) { | ||
456 | struct key *auth_tok_key; | ||
457 | |||
458 | rc = ecryptfs_keyring_auth_tok_for_sig(&auth_tok_key, auth_tok, | ||
459 | sig); | ||
460 | } else | ||
461 | (*auth_tok) = global_auth_tok->global_auth_tok; | ||
462 | return rc; | ||
463 | } | ||
464 | |||
465 | /** | ||
466 | * write_tag_70_packet can gobble a lot of stack space. We stuff most | ||
467 | * of the function's parameters in a kmalloc'd struct to help reduce | ||
468 | * eCryptfs' overall stack usage. | ||
469 | */ | ||
470 | struct ecryptfs_write_tag_70_packet_silly_stack { | ||
471 | u8 cipher_code; | ||
472 | size_t max_packet_size; | ||
473 | size_t packet_size_len; | ||
474 | size_t block_aligned_filename_size; | ||
475 | size_t block_size; | ||
476 | size_t i; | ||
477 | size_t j; | ||
478 | size_t num_rand_bytes; | ||
479 | struct mutex *tfm_mutex; | ||
480 | char *block_aligned_filename; | ||
481 | struct ecryptfs_auth_tok *auth_tok; | ||
482 | struct scatterlist src_sg; | ||
483 | struct scatterlist dst_sg; | ||
484 | struct blkcipher_desc desc; | ||
485 | char iv[ECRYPTFS_MAX_IV_BYTES]; | ||
486 | char hash[ECRYPTFS_TAG_70_DIGEST_SIZE]; | ||
487 | char tmp_hash[ECRYPTFS_TAG_70_DIGEST_SIZE]; | ||
488 | struct hash_desc hash_desc; | ||
489 | struct scatterlist hash_sg; | ||
490 | }; | ||
491 | |||
492 | /** | ||
493 | * write_tag_70_packet - Write encrypted filename (EFN) packet against FNEK | ||
494 | * @filename: NULL-terminated filename string | ||
495 | * | ||
496 | * This is the simplest mechanism for achieving filename encryption in | ||
497 | * eCryptfs. It encrypts the given filename with the mount-wide | ||
498 | * filename encryption key (FNEK) and stores it in a packet to @dest, | ||
499 | * which the callee will encode and write directly into the dentry | ||
500 | * name. | ||
501 | */ | ||
502 | int | ||
503 | ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes, | ||
504 | size_t *packet_size, | ||
505 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, | ||
506 | char *filename, size_t filename_size) | ||
507 | { | ||
508 | struct ecryptfs_write_tag_70_packet_silly_stack *s; | ||
509 | int rc = 0; | ||
510 | |||
511 | s = kmalloc(sizeof(*s), GFP_KERNEL); | ||
512 | if (!s) { | ||
513 | printk(KERN_ERR "%s: Out of memory whilst trying to kmalloc " | ||
514 | "[%d] bytes of kernel memory\n", __func__, sizeof(*s)); | ||
515 | goto out; | ||
516 | } | ||
517 | s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP; | ||
518 | (*packet_size) = 0; | ||
519 | rc = ecryptfs_get_tfm_and_mutex_for_cipher_name( | ||
520 | &s->desc.tfm, | ||
521 | &s->tfm_mutex, mount_crypt_stat->global_default_fn_cipher_name); | ||
522 | if (unlikely(rc)) { | ||
523 | printk(KERN_ERR "Internal error whilst attempting to get " | ||
524 | "tfm and mutex for cipher name [%s]; rc = [%d]\n", | ||
525 | mount_crypt_stat->global_default_fn_cipher_name, rc); | ||
526 | goto out; | ||
527 | } | ||
528 | mutex_lock(s->tfm_mutex); | ||
529 | s->block_size = crypto_blkcipher_blocksize(s->desc.tfm); | ||
530 | /* Plus one for the \0 separator between the random prefix | ||
531 | * and the plaintext filename */ | ||
532 | s->num_rand_bytes = (ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES + 1); | ||
533 | s->block_aligned_filename_size = (s->num_rand_bytes + filename_size); | ||
534 | if ((s->block_aligned_filename_size % s->block_size) != 0) { | ||
535 | s->num_rand_bytes += (s->block_size | ||
536 | - (s->block_aligned_filename_size | ||
537 | % s->block_size)); | ||
538 | s->block_aligned_filename_size = (s->num_rand_bytes | ||
539 | + filename_size); | ||
540 | } | ||
541 | /* Octet 0: Tag 70 identifier | ||
542 | * Octets 1-N1: Tag 70 packet size (includes cipher identifier | ||
543 | * and block-aligned encrypted filename size) | ||
544 | * Octets N1-N2: FNEK sig (ECRYPTFS_SIG_SIZE) | ||
545 | * Octet N2-N3: Cipher identifier (1 octet) | ||
546 | * Octets N3-N4: Block-aligned encrypted filename | ||
547 | * - Consists of a minimum number of random characters, a \0 | ||
548 | * separator, and then the filename */ | ||
549 | s->max_packet_size = (1 /* Tag 70 identifier */ | ||
550 | + 3 /* Max Tag 70 packet size */ | ||
551 | + ECRYPTFS_SIG_SIZE /* FNEK sig */ | ||
552 | + 1 /* Cipher identifier */ | ||
553 | + s->block_aligned_filename_size); | ||
554 | if (dest == NULL) { | ||
555 | (*packet_size) = s->max_packet_size; | ||
556 | goto out_unlock; | ||
557 | } | ||
558 | if (s->max_packet_size > (*remaining_bytes)) { | ||
559 | printk(KERN_WARNING "%s: Require [%d] bytes to write; only " | ||
560 | "[%d] available\n", __func__, s->max_packet_size, | ||
561 | (*remaining_bytes)); | ||
562 | rc = -EINVAL; | ||
563 | goto out_unlock; | ||
564 | } | ||
565 | s->block_aligned_filename = kzalloc(s->block_aligned_filename_size, | ||
566 | GFP_KERNEL); | ||
567 | if (!s->block_aligned_filename) { | ||
568 | printk(KERN_ERR "%s: Out of kernel memory whilst attempting to " | ||
569 | "kzalloc [%Zd] bytes\n", __func__, | ||
570 | s->block_aligned_filename_size); | ||
571 | rc = -ENOMEM; | ||
572 | goto out_unlock; | ||
573 | } | ||
574 | s->i = 0; | ||
575 | dest[s->i++] = ECRYPTFS_TAG_70_PACKET_TYPE; | ||
576 | rc = ecryptfs_write_packet_length(&dest[s->i], | ||
577 | (ECRYPTFS_SIG_SIZE | ||
578 | + 1 /* Cipher code */ | ||
579 | + s->block_aligned_filename_size), | ||
580 | &s->packet_size_len); | ||
581 | if (rc) { | ||
582 | printk(KERN_ERR "%s: Error generating tag 70 packet " | ||
583 | "header; cannot generate packet length; rc = [%d]\n", | ||
584 | __func__, rc); | ||
585 | goto out_free_unlock; | ||
586 | } | ||
587 | s->i += s->packet_size_len; | ||
588 | ecryptfs_from_hex(&dest[s->i], | ||
589 | mount_crypt_stat->global_default_fnek_sig, | ||
590 | ECRYPTFS_SIG_SIZE); | ||
591 | s->i += ECRYPTFS_SIG_SIZE; | ||
592 | s->cipher_code = ecryptfs_code_for_cipher_string( | ||
593 | mount_crypt_stat->global_default_fn_cipher_name, | ||
594 | mount_crypt_stat->global_default_fn_cipher_key_bytes); | ||
595 | if (s->cipher_code == 0) { | ||
596 | printk(KERN_WARNING "%s: Unable to generate code for " | ||
597 | "cipher [%s] with key bytes [%d]\n", __func__, | ||
598 | mount_crypt_stat->global_default_fn_cipher_name, | ||
599 | mount_crypt_stat->global_default_fn_cipher_key_bytes); | ||
600 | rc = -EINVAL; | ||
601 | goto out_free_unlock; | ||
602 | } | ||
603 | dest[s->i++] = s->cipher_code; | ||
604 | rc = ecryptfs_find_auth_tok_for_sig( | ||
605 | &s->auth_tok, mount_crypt_stat, | ||
606 | mount_crypt_stat->global_default_fnek_sig); | ||
607 | if (rc) { | ||
608 | printk(KERN_ERR "%s: Error attempting to find auth tok for " | ||
609 | "fnek sig [%s]; rc = [%d]\n", __func__, | ||
610 | mount_crypt_stat->global_default_fnek_sig, rc); | ||
611 | goto out_free_unlock; | ||
612 | } | ||
613 | /* TODO: Support other key modules than passphrase for | ||
614 | * filename encryption */ | ||
615 | BUG_ON(s->auth_tok->token_type != ECRYPTFS_PASSWORD); | ||
616 | sg_init_one( | ||
617 | &s->hash_sg, | ||
618 | (u8 *)s->auth_tok->token.password.session_key_encryption_key, | ||
619 | s->auth_tok->token.password.session_key_encryption_key_bytes); | ||
620 | s->hash_desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP; | ||
621 | s->hash_desc.tfm = crypto_alloc_hash(ECRYPTFS_TAG_70_DIGEST, 0, | ||
622 | CRYPTO_ALG_ASYNC); | ||
623 | if (IS_ERR(s->hash_desc.tfm)) { | ||
624 | rc = PTR_ERR(s->hash_desc.tfm); | ||
625 | printk(KERN_ERR "%s: Error attempting to " | ||
626 | "allocate hash crypto context; rc = [%d]\n", | ||
627 | __func__, rc); | ||
628 | goto out_free_unlock; | ||
629 | } | ||
630 | rc = crypto_hash_init(&s->hash_desc); | ||
631 | if (rc) { | ||
632 | printk(KERN_ERR | ||
633 | "%s: Error initializing crypto hash; rc = [%d]\n", | ||
634 | __func__, rc); | ||
635 | goto out_release_free_unlock; | ||
636 | } | ||
637 | rc = crypto_hash_update( | ||
638 | &s->hash_desc, &s->hash_sg, | ||
639 | s->auth_tok->token.password.session_key_encryption_key_bytes); | ||
640 | if (rc) { | ||
641 | printk(KERN_ERR | ||
642 | "%s: Error updating crypto hash; rc = [%d]\n", | ||
643 | __func__, rc); | ||
644 | goto out_release_free_unlock; | ||
645 | } | ||
646 | rc = crypto_hash_final(&s->hash_desc, s->hash); | ||
647 | if (rc) { | ||
648 | printk(KERN_ERR | ||
649 | "%s: Error finalizing crypto hash; rc = [%d]\n", | ||
650 | __func__, rc); | ||
651 | goto out_release_free_unlock; | ||
652 | } | ||
653 | for (s->j = 0; s->j < (s->num_rand_bytes - 1); s->j++) { | ||
654 | s->block_aligned_filename[s->j] = | ||
655 | s->hash[(s->j % ECRYPTFS_TAG_70_DIGEST_SIZE)]; | ||
656 | if ((s->j % ECRYPTFS_TAG_70_DIGEST_SIZE) | ||
657 | == (ECRYPTFS_TAG_70_DIGEST_SIZE - 1)) { | ||
658 | sg_init_one(&s->hash_sg, (u8 *)s->hash, | ||
659 | ECRYPTFS_TAG_70_DIGEST_SIZE); | ||
660 | rc = crypto_hash_init(&s->hash_desc); | ||
661 | if (rc) { | ||
662 | printk(KERN_ERR | ||
663 | "%s: Error initializing crypto hash; " | ||
664 | "rc = [%d]\n", __func__, rc); | ||
665 | goto out_release_free_unlock; | ||
666 | } | ||
667 | rc = crypto_hash_update(&s->hash_desc, &s->hash_sg, | ||
668 | ECRYPTFS_TAG_70_DIGEST_SIZE); | ||
669 | if (rc) { | ||
670 | printk(KERN_ERR | ||
671 | "%s: Error updating crypto hash; " | ||
672 | "rc = [%d]\n", __func__, rc); | ||
673 | goto out_release_free_unlock; | ||
674 | } | ||
675 | rc = crypto_hash_final(&s->hash_desc, s->tmp_hash); | ||
676 | if (rc) { | ||
677 | printk(KERN_ERR | ||
678 | "%s: Error finalizing crypto hash; " | ||
679 | "rc = [%d]\n", __func__, rc); | ||
680 | goto out_release_free_unlock; | ||
681 | } | ||
682 | memcpy(s->hash, s->tmp_hash, | ||
683 | ECRYPTFS_TAG_70_DIGEST_SIZE); | ||
684 | } | ||
685 | if (s->block_aligned_filename[s->j] == '\0') | ||
686 | s->block_aligned_filename[s->j] = ECRYPTFS_NON_NULL; | ||
687 | } | ||
688 | memcpy(&s->block_aligned_filename[s->num_rand_bytes], filename, | ||
689 | filename_size); | ||
690 | rc = virt_to_scatterlist(s->block_aligned_filename, | ||
691 | s->block_aligned_filename_size, &s->src_sg, 1); | ||
692 | if (rc != 1) { | ||
693 | printk(KERN_ERR "%s: Internal error whilst attempting to " | ||
694 | "convert filename memory to scatterlist; " | ||
695 | "expected rc = 1; got rc = [%d]. " | ||
696 | "block_aligned_filename_size = [%d]\n", __func__, rc, | ||
697 | s->block_aligned_filename_size); | ||
698 | goto out_release_free_unlock; | ||
699 | } | ||
700 | rc = virt_to_scatterlist(&dest[s->i], s->block_aligned_filename_size, | ||
701 | &s->dst_sg, 1); | ||
702 | if (rc != 1) { | ||
703 | printk(KERN_ERR "%s: Internal error whilst attempting to " | ||
704 | "convert encrypted filename memory to scatterlist; " | ||
705 | "expected rc = 1; got rc = [%d]. " | ||
706 | "block_aligned_filename_size = [%d]\n", __func__, rc, | ||
707 | s->block_aligned_filename_size); | ||
708 | goto out_release_free_unlock; | ||
709 | } | ||
710 | /* The characters in the first block effectively do the job | ||
711 | * of the IV here, so we just use 0's for the IV. Note the | ||
712 | * constraint that ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES | ||
713 | * >= ECRYPTFS_MAX_IV_BYTES. */ | ||
714 | memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); | ||
715 | s->desc.info = s->iv; | ||
716 | rc = crypto_blkcipher_setkey( | ||
717 | s->desc.tfm, | ||
718 | s->auth_tok->token.password.session_key_encryption_key, | ||
719 | mount_crypt_stat->global_default_fn_cipher_key_bytes); | ||
720 | if (rc < 0) { | ||
721 | printk(KERN_ERR "%s: Error setting key for crypto context; " | ||
722 | "rc = [%d]. s->auth_tok->token.password.session_key_" | ||
723 | "encryption_key = [0x%p]; mount_crypt_stat->" | ||
724 | "global_default_fn_cipher_key_bytes = [%Zd]\n", __func__, | ||
725 | rc, | ||
726 | s->auth_tok->token.password.session_key_encryption_key, | ||
727 | mount_crypt_stat->global_default_fn_cipher_key_bytes); | ||
728 | goto out_release_free_unlock; | ||
729 | } | ||
730 | rc = crypto_blkcipher_encrypt_iv(&s->desc, &s->dst_sg, &s->src_sg, | ||
731 | s->block_aligned_filename_size); | ||
732 | if (rc) { | ||
733 | printk(KERN_ERR "%s: Error attempting to encrypt filename; " | ||
734 | "rc = [%d]\n", __func__, rc); | ||
735 | goto out_release_free_unlock; | ||
736 | } | ||
737 | s->i += s->block_aligned_filename_size; | ||
738 | (*packet_size) = s->i; | ||
739 | (*remaining_bytes) -= (*packet_size); | ||
740 | out_release_free_unlock: | ||
741 | crypto_free_hash(s->hash_desc.tfm); | ||
742 | out_free_unlock: | ||
743 | memset(s->block_aligned_filename, 0, s->block_aligned_filename_size); | ||
744 | kfree(s->block_aligned_filename); | ||
745 | out_unlock: | ||
746 | mutex_unlock(s->tfm_mutex); | ||
747 | out: | ||
748 | kfree(s); | ||
749 | return rc; | ||
750 | } | ||
751 | |||
752 | struct ecryptfs_parse_tag_70_packet_silly_stack { | ||
753 | u8 cipher_code; | ||
754 | size_t max_packet_size; | ||
755 | size_t packet_size_len; | ||
756 | size_t parsed_tag_70_packet_size; | ||
757 | size_t block_aligned_filename_size; | ||
758 | size_t block_size; | ||
759 | size_t i; | ||
760 | struct mutex *tfm_mutex; | ||
761 | char *decrypted_filename; | ||
762 | struct ecryptfs_auth_tok *auth_tok; | ||
763 | struct scatterlist src_sg; | ||
764 | struct scatterlist dst_sg; | ||
765 | struct blkcipher_desc desc; | ||
766 | char fnek_sig_hex[ECRYPTFS_SIG_SIZE_HEX + 1]; | ||
767 | char iv[ECRYPTFS_MAX_IV_BYTES]; | ||
768 | char cipher_string[ECRYPTFS_MAX_CIPHER_NAME_SIZE]; | ||
769 | }; | ||
770 | |||
771 | /** | ||
772 | * parse_tag_70_packet - Parse and process FNEK-encrypted passphrase packet | ||
773 | * @filename: This function kmalloc's the memory for the filename | ||
774 | */ | ||
775 | int | ||
776 | ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size, | ||
777 | size_t *packet_size, | ||
778 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, | ||
779 | char *data, size_t max_packet_size) | ||
780 | { | ||
781 | struct ecryptfs_parse_tag_70_packet_silly_stack *s; | ||
782 | int rc = 0; | ||
783 | |||
784 | (*packet_size) = 0; | ||
785 | (*filename_size) = 0; | ||
786 | (*filename) = NULL; | ||
787 | s = kmalloc(sizeof(*s), GFP_KERNEL); | ||
788 | if (!s) { | ||
789 | printk(KERN_ERR "%s: Out of memory whilst trying to kmalloc " | ||
790 | "[%d] bytes of kernel memory\n", __func__, sizeof(*s)); | ||
791 | goto out; | ||
792 | } | ||
793 | s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP; | ||
794 | if (max_packet_size < (1 + 1 + ECRYPTFS_SIG_SIZE + 1 + 1)) { | ||
795 | printk(KERN_WARNING "%s: max_packet_size is [%Zd]; it must be " | ||
796 | "at least [%d]\n", __func__, max_packet_size, | ||
797 | (1 + 1 + ECRYPTFS_SIG_SIZE + 1 + 1)); | ||
798 | rc = -EINVAL; | ||
799 | goto out; | ||
800 | } | ||
801 | /* Octet 0: Tag 70 identifier | ||
802 | * Octets 1-N1: Tag 70 packet size (includes cipher identifier | ||
803 | * and block-aligned encrypted filename size) | ||
804 | * Octets N1-N2: FNEK sig (ECRYPTFS_SIG_SIZE) | ||
805 | * Octet N2-N3: Cipher identifier (1 octet) | ||
806 | * Octets N3-N4: Block-aligned encrypted filename | ||
807 | * - Consists of a minimum number of random numbers, a \0 | ||
808 | * separator, and then the filename */ | ||
809 | if (data[(*packet_size)++] != ECRYPTFS_TAG_70_PACKET_TYPE) { | ||
810 | printk(KERN_WARNING "%s: Invalid packet tag [0x%.2x]; must be " | ||
811 | "tag [0x%.2x]\n", __func__, | ||
812 | data[((*packet_size) - 1)], ECRYPTFS_TAG_70_PACKET_TYPE); | ||
813 | rc = -EINVAL; | ||
814 | goto out; | ||
815 | } | ||
816 | rc = ecryptfs_parse_packet_length(&data[(*packet_size)], | ||
817 | &s->parsed_tag_70_packet_size, | ||
818 | &s->packet_size_len); | ||
819 | if (rc) { | ||
820 | printk(KERN_WARNING "%s: Error parsing packet length; " | ||
821 | "rc = [%d]\n", __func__, rc); | ||
822 | goto out; | ||
823 | } | ||
824 | s->block_aligned_filename_size = (s->parsed_tag_70_packet_size | ||
825 | - ECRYPTFS_SIG_SIZE - 1); | ||
826 | if ((1 + s->packet_size_len + s->parsed_tag_70_packet_size) | ||
827 | > max_packet_size) { | ||
828 | printk(KERN_WARNING "%s: max_packet_size is [%d]; real packet " | ||
829 | "size is [%d]\n", __func__, max_packet_size, | ||
830 | (1 + s->packet_size_len + 1 | ||
831 | + s->block_aligned_filename_size)); | ||
832 | rc = -EINVAL; | ||
833 | goto out; | ||
834 | } | ||
835 | (*packet_size) += s->packet_size_len; | ||
836 | ecryptfs_to_hex(s->fnek_sig_hex, &data[(*packet_size)], | ||
837 | ECRYPTFS_SIG_SIZE); | ||
838 | s->fnek_sig_hex[ECRYPTFS_SIG_SIZE_HEX] = '\0'; | ||
839 | (*packet_size) += ECRYPTFS_SIG_SIZE; | ||
840 | s->cipher_code = data[(*packet_size)++]; | ||
841 | rc = ecryptfs_cipher_code_to_string(s->cipher_string, s->cipher_code); | ||
842 | if (rc) { | ||
843 | printk(KERN_WARNING "%s: Cipher code [%d] is invalid\n", | ||
844 | __func__, s->cipher_code); | ||
845 | goto out; | ||
846 | } | ||
847 | rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&s->desc.tfm, | ||
848 | &s->tfm_mutex, | ||
849 | s->cipher_string); | ||
850 | if (unlikely(rc)) { | ||
851 | printk(KERN_ERR "Internal error whilst attempting to get " | ||
852 | "tfm and mutex for cipher name [%s]; rc = [%d]\n", | ||
853 | s->cipher_string, rc); | ||
854 | goto out; | ||
855 | } | ||
856 | mutex_lock(s->tfm_mutex); | ||
857 | rc = virt_to_scatterlist(&data[(*packet_size)], | ||
858 | s->block_aligned_filename_size, &s->src_sg, 1); | ||
859 | if (rc != 1) { | ||
860 | printk(KERN_ERR "%s: Internal error whilst attempting to " | ||
861 | "convert encrypted filename memory to scatterlist; " | ||
862 | "expected rc = 1; got rc = [%d]. " | ||
863 | "block_aligned_filename_size = [%d]\n", __func__, rc, | ||
864 | s->block_aligned_filename_size); | ||
865 | goto out_unlock; | ||
866 | } | ||
867 | (*packet_size) += s->block_aligned_filename_size; | ||
868 | s->decrypted_filename = kmalloc(s->block_aligned_filename_size, | ||
869 | GFP_KERNEL); | ||
870 | if (!s->decrypted_filename) { | ||
871 | printk(KERN_ERR "%s: Out of memory whilst attempting to " | ||
872 | "kmalloc [%d] bytes\n", __func__, | ||
873 | s->block_aligned_filename_size); | ||
874 | rc = -ENOMEM; | ||
875 | goto out_unlock; | ||
876 | } | ||
877 | rc = virt_to_scatterlist(s->decrypted_filename, | ||
878 | s->block_aligned_filename_size, &s->dst_sg, 1); | ||
879 | if (rc != 1) { | ||
880 | printk(KERN_ERR "%s: Internal error whilst attempting to " | ||
881 | "convert decrypted filename memory to scatterlist; " | ||
882 | "expected rc = 1; got rc = [%d]. " | ||
883 | "block_aligned_filename_size = [%d]\n", __func__, rc, | ||
884 | s->block_aligned_filename_size); | ||
885 | goto out_free_unlock; | ||
886 | } | ||
887 | /* The characters in the first block effectively do the job of | ||
888 | * the IV here, so we just use 0's for the IV. Note the | ||
889 | * constraint that ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES | ||
890 | * >= ECRYPTFS_MAX_IV_BYTES. */ | ||
891 | memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); | ||
892 | s->desc.info = s->iv; | ||
893 | rc = ecryptfs_find_auth_tok_for_sig(&s->auth_tok, mount_crypt_stat, | ||
894 | s->fnek_sig_hex); | ||
895 | if (rc) { | ||
896 | printk(KERN_ERR "%s: Error attempting to find auth tok for " | ||
897 | "fnek sig [%s]; rc = [%d]\n", __func__, s->fnek_sig_hex, | ||
898 | rc); | ||
899 | goto out_free_unlock; | ||
900 | } | ||
901 | /* TODO: Support other key modules than passphrase for | ||
902 | * filename encryption */ | ||
903 | BUG_ON(s->auth_tok->token_type != ECRYPTFS_PASSWORD); | ||
904 | rc = crypto_blkcipher_setkey( | ||
905 | s->desc.tfm, | ||
906 | s->auth_tok->token.password.session_key_encryption_key, | ||
907 | mount_crypt_stat->global_default_fn_cipher_key_bytes); | ||
908 | if (rc < 0) { | ||
909 | printk(KERN_ERR "%s: Error setting key for crypto context; " | ||
910 | "rc = [%d]. s->auth_tok->token.password.session_key_" | ||
911 | "encryption_key = [0x%p]; mount_crypt_stat->" | ||
912 | "global_default_fn_cipher_key_bytes = [%Zd]\n", __func__, | ||
913 | rc, | ||
914 | s->auth_tok->token.password.session_key_encryption_key, | ||
915 | mount_crypt_stat->global_default_fn_cipher_key_bytes); | ||
916 | goto out_free_unlock; | ||
917 | } | ||
918 | rc = crypto_blkcipher_decrypt_iv(&s->desc, &s->dst_sg, &s->src_sg, | ||
919 | s->block_aligned_filename_size); | ||
920 | if (rc) { | ||
921 | printk(KERN_ERR "%s: Error attempting to decrypt filename; " | ||
922 | "rc = [%d]\n", __func__, rc); | ||
923 | goto out_free_unlock; | ||
924 | } | ||
925 | s->i = 0; | ||
926 | while (s->decrypted_filename[s->i] != '\0' | ||
927 | && s->i < s->block_aligned_filename_size) | ||
928 | s->i++; | ||
929 | if (s->i == s->block_aligned_filename_size) { | ||
930 | printk(KERN_WARNING "%s: Invalid tag 70 packet; could not " | ||
931 | "find valid separator between random characters and " | ||
932 | "the filename\n", __func__); | ||
933 | rc = -EINVAL; | ||
934 | goto out_free_unlock; | ||
935 | } | ||
936 | s->i++; | ||
937 | (*filename_size) = (s->block_aligned_filename_size - s->i); | ||
938 | if (!((*filename_size) > 0 && (*filename_size < PATH_MAX))) { | ||
939 | printk(KERN_WARNING "%s: Filename size is [%Zd], which is " | ||
940 | "invalid\n", __func__, (*filename_size)); | ||
941 | rc = -EINVAL; | ||
942 | goto out_free_unlock; | ||
943 | } | ||
944 | (*filename) = kmalloc(((*filename_size) + 1), GFP_KERNEL); | ||
945 | if (!(*filename)) { | ||
946 | printk(KERN_ERR "%s: Out of memory whilst attempting to " | ||
947 | "kmalloc [%d] bytes\n", __func__, | ||
948 | ((*filename_size) + 1)); | ||
949 | rc = -ENOMEM; | ||
950 | goto out_free_unlock; | ||
951 | } | ||
952 | memcpy((*filename), &s->decrypted_filename[s->i], (*filename_size)); | ||
953 | (*filename)[(*filename_size)] = '\0'; | ||
954 | out_free_unlock: | ||
955 | kfree(s->decrypted_filename); | ||
956 | out_unlock: | ||
957 | mutex_unlock(s->tfm_mutex); | ||
958 | out: | ||
959 | if (rc) { | ||
960 | (*packet_size) = 0; | ||
961 | (*filename_size) = 0; | ||
962 | (*filename) = NULL; | ||
963 | } | ||
964 | kfree(s); | ||
965 | return rc; | ||
966 | } | ||
967 | |||
968 | static int | ||
406 | ecryptfs_get_auth_tok_sig(char **sig, struct ecryptfs_auth_tok *auth_tok) | 969 | ecryptfs_get_auth_tok_sig(char **sig, struct ecryptfs_auth_tok *auth_tok) |
407 | { | 970 | { |
408 | int rc = 0; | 971 | int rc = 0; |
@@ -897,30 +1460,6 @@ out: | |||
897 | return rc; | 1460 | return rc; |
898 | } | 1461 | } |
899 | 1462 | ||
900 | static int | ||
901 | ecryptfs_find_global_auth_tok_for_sig( | ||
902 | struct ecryptfs_global_auth_tok **global_auth_tok, | ||
903 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, char *sig) | ||
904 | { | ||
905 | struct ecryptfs_global_auth_tok *walker; | ||
906 | int rc = 0; | ||
907 | |||
908 | (*global_auth_tok) = NULL; | ||
909 | mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); | ||
910 | list_for_each_entry(walker, | ||
911 | &mount_crypt_stat->global_auth_tok_list, | ||
912 | mount_crypt_stat_list) { | ||
913 | if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX) == 0) { | ||
914 | (*global_auth_tok) = walker; | ||
915 | goto out; | ||
916 | } | ||
917 | } | ||
918 | rc = -EINVAL; | ||
919 | out: | ||
920 | mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); | ||
921 | return rc; | ||
922 | } | ||
923 | |||
924 | /** | 1463 | /** |
925 | * ecryptfs_verify_version | 1464 | * ecryptfs_verify_version |
926 | * @version: The version number to confirm | 1465 | * @version: The version number to confirm |
@@ -990,43 +1529,6 @@ out: | |||
990 | } | 1529 | } |
991 | 1530 | ||
992 | /** | 1531 | /** |
993 | * ecryptfs_find_auth_tok_for_sig | ||
994 | * @auth_tok: Set to the matching auth_tok; NULL if not found | ||
995 | * @crypt_stat: inode crypt_stat crypto context | ||
996 | * @sig: Sig of auth_tok to find | ||
997 | * | ||
998 | * For now, this function simply looks at the registered auth_tok's | ||
999 | * linked off the mount_crypt_stat, so all the auth_toks that can be | ||
1000 | * used must be registered at mount time. This function could | ||
1001 | * potentially try a lot harder to find auth_tok's (e.g., by calling | ||
1002 | * out to ecryptfsd to dynamically retrieve an auth_tok object) so | ||
1003 | * that static registration of auth_tok's will no longer be necessary. | ||
1004 | * | ||
1005 | * Returns zero on no error; non-zero on error | ||
1006 | */ | ||
1007 | static int | ||
1008 | ecryptfs_find_auth_tok_for_sig( | ||
1009 | struct ecryptfs_auth_tok **auth_tok, | ||
1010 | struct ecryptfs_crypt_stat *crypt_stat, char *sig) | ||
1011 | { | ||
1012 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat = | ||
1013 | crypt_stat->mount_crypt_stat; | ||
1014 | struct ecryptfs_global_auth_tok *global_auth_tok; | ||
1015 | int rc = 0; | ||
1016 | |||
1017 | (*auth_tok) = NULL; | ||
1018 | if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok, | ||
1019 | mount_crypt_stat, sig)) { | ||
1020 | struct key *auth_tok_key; | ||
1021 | |||
1022 | rc = ecryptfs_keyring_auth_tok_for_sig(&auth_tok_key, auth_tok, | ||
1023 | sig); | ||
1024 | } else | ||
1025 | (*auth_tok) = global_auth_tok->global_auth_tok; | ||
1026 | return rc; | ||
1027 | } | ||
1028 | |||
1029 | /** | ||
1030 | * decrypt_passphrase_encrypted_session_key - Decrypt the session key with the given auth_tok. | 1532 | * decrypt_passphrase_encrypted_session_key - Decrypt the session key with the given auth_tok. |
1031 | * @auth_tok: The passphrase authentication token to use to encrypt the FEK | 1533 | * @auth_tok: The passphrase authentication token to use to encrypt the FEK |
1032 | * @crypt_stat: The cryptographic context | 1534 | * @crypt_stat: The cryptographic context |
@@ -1256,7 +1758,8 @@ find_next_matching_auth_tok: | |||
1256 | rc = -EINVAL; | 1758 | rc = -EINVAL; |
1257 | goto out_wipe_list; | 1759 | goto out_wipe_list; |
1258 | } | 1760 | } |
1259 | ecryptfs_find_auth_tok_for_sig(&matching_auth_tok, crypt_stat, | 1761 | ecryptfs_find_auth_tok_for_sig(&matching_auth_tok, |
1762 | crypt_stat->mount_crypt_stat, | ||
1260 | candidate_auth_tok_sig); | 1763 | candidate_auth_tok_sig); |
1261 | if (matching_auth_tok) { | 1764 | if (matching_auth_tok) { |
1262 | found_auth_tok = 1; | 1765 | found_auth_tok = 1; |
@@ -1336,7 +1839,9 @@ pki_encrypt_session_key(struct ecryptfs_auth_tok *auth_tok, | |||
1336 | int rc; | 1839 | int rc; |
1337 | 1840 | ||
1338 | rc = write_tag_66_packet(auth_tok->token.private_key.signature, | 1841 | rc = write_tag_66_packet(auth_tok->token.private_key.signature, |
1339 | ecryptfs_code_for_cipher_string(crypt_stat), | 1842 | ecryptfs_code_for_cipher_string( |
1843 | crypt_stat->cipher, | ||
1844 | crypt_stat->key_size), | ||
1340 | crypt_stat, &payload, &payload_len); | 1845 | crypt_stat, &payload, &payload_len); |
1341 | if (rc) { | 1846 | if (rc) { |
1342 | ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet\n"); | 1847 | ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet\n"); |
@@ -1696,7 +2201,8 @@ encrypted_session_key_set: | |||
1696 | dest[(*packet_size)++] = 0x04; /* version 4 */ | 2201 | dest[(*packet_size)++] = 0x04; /* version 4 */ |
1697 | /* TODO: Break from RFC2440 so that arbitrary ciphers can be | 2202 | /* TODO: Break from RFC2440 so that arbitrary ciphers can be |
1698 | * specified with strings */ | 2203 | * specified with strings */ |
1699 | cipher_code = ecryptfs_code_for_cipher_string(crypt_stat); | 2204 | cipher_code = ecryptfs_code_for_cipher_string(crypt_stat->cipher, |
2205 | crypt_stat->key_size); | ||
1700 | if (cipher_code == 0) { | 2206 | if (cipher_code == 0) { |
1701 | ecryptfs_printk(KERN_WARNING, "Unable to generate code for " | 2207 | ecryptfs_printk(KERN_WARNING, "Unable to generate code for " |
1702 | "cipher [%s]\n", crypt_stat->cipher); | 2208 | "cipher [%s]\n", crypt_stat->cipher); |