git://ftp.safe.ca / safe / jmp / linux-2.6 / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
nfsd4: reshuffle lease-setting code to allow reuse
[safe/jmp/linux-2.6] / fs / ecryptfs / keystore.c
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
index e6a96e8..a0a7847 100644 (file)
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -416,7 +416,9 @@ ecryptfs_find_global_auth_tok_for_sig(
                            &mount_crypt_stat->global_auth_tok_list,
                            mount_crypt_stat_list) {
                if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX) == 0) {
-                       (*global_auth_tok) = walker;
+                       rc = key_validate(walker->global_auth_tok_key);
+                       if (!rc)
+                               (*global_auth_tok) = walker;
                        goto out;
                }
        }
@@ -556,8 +558,8 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
                goto out_unlock;
        }
        if (s->max_packet_size > (*remaining_bytes)) {
-               printk(KERN_WARNING "%s: Require [%d] bytes to write; only "
-                      "[%d] available\n", __func__, s->max_packet_size,
+               printk(KERN_WARNING "%s: Require [%zd] bytes to write; only "
+                      "[%zd] available\n", __func__, s->max_packet_size,
                       (*remaining_bytes));
                rc = -EINVAL;
                goto out_unlock;
@@ -594,7 +596,7 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
                mount_crypt_stat->global_default_fn_cipher_key_bytes);
        if (s->cipher_code == 0) {
                printk(KERN_WARNING "%s: Unable to generate code for "
-                      "cipher [%s] with key bytes [%d]\n", __func__,
+                      "cipher [%s] with key bytes [%zd]\n", __func__,
                       mount_crypt_stat->global_default_fn_cipher_name,
                       mount_crypt_stat->global_default_fn_cipher_key_bytes);
                rc = -EINVAL;
@@ -612,7 +614,12 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
        }
        /* TODO: Support other key modules than passphrase for
         * filename encryption */
-       BUG_ON(s->auth_tok->token_type != ECRYPTFS_PASSWORD);
+       if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) {
+               rc = -EOPNOTSUPP;
+               printk(KERN_INFO "%s: Filename encryption only supports "
+                      "password tokens\n", __func__);
+               goto out_free_unlock;
+       }
        sg_init_one(
                &s->hash_sg,
                (u8 *)s->auth_tok->token.password.session_key_encryption_key,
@@ -693,7 +700,7 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
                printk(KERN_ERR "%s: Internal error whilst attempting to "
                       "convert filename memory to scatterlist; "
                       "expected rc = 1; got rc = [%d]. "
-                      "block_aligned_filename_size = [%d]\n", __func__, rc,
+                      "block_aligned_filename_size = [%zd]\n", __func__, rc,
                       s->block_aligned_filename_size);
                goto out_release_free_unlock;
        }
@@ -703,7 +710,7 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
                printk(KERN_ERR "%s: Internal error whilst attempting to "
                       "convert encrypted filename memory to scatterlist; "
                       "expected rc = 1; got rc = [%d]. "
-                      "block_aligned_filename_size = [%d]\n", __func__, rc,
+                      "block_aligned_filename_size = [%zd]\n", __func__, rc,
                       s->block_aligned_filename_size);
                goto out_release_free_unlock;
        }
@@ -740,8 +747,7 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
 out_release_free_unlock:
        crypto_free_hash(s->hash_desc.tfm);
 out_free_unlock:
-       memset(s->block_aligned_filename, 0, s->block_aligned_filename_size);
-       kfree(s->block_aligned_filename);
+       kzfree(s->block_aligned_filename);
 out_unlock:
        mutex_unlock(s->tfm_mutex);
 out:
@@ -771,6 +777,17 @@ struct ecryptfs_parse_tag_70_packet_silly_stack {
 /**
  * parse_tag_70_packet - Parse and process FNEK-encrypted passphrase packet
  * @filename: This function kmalloc's the memory for the filename
+ * @filename_size: This function sets this to the amount of memory
+ *                 kmalloc'd for the filename
+ * @packet_size: This function sets this to the the number of octets
+ *               in the packet parsed
+ * @mount_crypt_stat: The mount-wide cryptographic context
+ * @data: The memory location containing the start of the tag 70
+ *        packet
+ * @max_packet_size: The maximum legal size of the packet to be parsed
+ *                   from @data
+ *
+ * Returns zero on success; non-zero otherwise
  */
 int
 ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
@@ -787,7 +804,7 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
        s = kmalloc(sizeof(*s), GFP_KERNEL);
        if (!s) {
                printk(KERN_ERR "%s: Out of memory whilst trying to kmalloc "
-                      "[%d] bytes of kernel memory\n", __func__, sizeof(*s));
+                      "[%zd] bytes of kernel memory\n", __func__, sizeof(*s));
                goto out;
        }
        s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP;
@@ -825,8 +842,8 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
                                          - ECRYPTFS_SIG_SIZE - 1);
        if ((1 + s->packet_size_len + s->parsed_tag_70_packet_size)
            > max_packet_size) {
-               printk(KERN_WARNING "%s: max_packet_size is [%d]; real packet "
-                      "size is [%d]\n", __func__, max_packet_size,
+               printk(KERN_WARNING "%s: max_packet_size is [%zd]; real packet "
+                      "size is [%zd]\n", __func__, max_packet_size,
                       (1 + s->packet_size_len + 1
                        + s->block_aligned_filename_size));
                rc = -EINVAL;
@@ -860,7 +877,7 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
                printk(KERN_ERR "%s: Internal error whilst attempting to "
                       "convert encrypted filename memory to scatterlist; "
                       "expected rc = 1; got rc = [%d]. "
-                      "block_aligned_filename_size = [%d]\n", __func__, rc,
+                      "block_aligned_filename_size = [%zd]\n", __func__, rc,
                       s->block_aligned_filename_size);
                goto out_unlock;
        }
@@ -869,7 +886,7 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
                                        GFP_KERNEL);
        if (!s->decrypted_filename) {
                printk(KERN_ERR "%s: Out of memory whilst attempting to "
-                      "kmalloc [%d] bytes\n", __func__,
+                      "kmalloc [%zd] bytes\n", __func__,
                       s->block_aligned_filename_size);
                rc = -ENOMEM;
                goto out_unlock;
@@ -880,7 +897,7 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
                printk(KERN_ERR "%s: Internal error whilst attempting to "
                       "convert decrypted filename memory to scatterlist; "
                       "expected rc = 1; got rc = [%d]. "
-                      "block_aligned_filename_size = [%d]\n", __func__, rc,
+                      "block_aligned_filename_size = [%zd]\n", __func__, rc,
                       s->block_aligned_filename_size);
                goto out_free_unlock;
        }
@@ -900,7 +917,12 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
        }
        /* TODO: Support other key modules than passphrase for
         * filename encryption */
-       BUG_ON(s->auth_tok->token_type != ECRYPTFS_PASSWORD);
+       if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) {
+               rc = -EOPNOTSUPP;
+               printk(KERN_INFO "%s: Filename encryption only supports "
+                      "password tokens\n", __func__);
+               goto out_free_unlock;
+       }
        rc = crypto_blkcipher_setkey(
                s->desc.tfm,
                s->auth_tok->token.password.session_key_encryption_key,
@@ -944,7 +966,7 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
        (*filename) = kmalloc(((*filename_size) + 1), GFP_KERNEL);
        if (!(*filename)) {
                printk(KERN_ERR "%s: Out of memory whilst attempting to "
-                      "kmalloc [%d] bytes\n", __func__,
+                      "kmalloc [%zd] bytes\n", __func__,
                       ((*filename_size) + 1));
                rc = -ENOMEM;
                goto out_free_unlock;
@@ -1293,14 +1315,23 @@ parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_stat,
        }
        (*new_auth_tok)->session_key.encrypted_key_size =
                (body_size - (ECRYPTFS_SALT_SIZE + 5));
+       if ((*new_auth_tok)->session_key.encrypted_key_size
+           > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
+               printk(KERN_WARNING "Tag 3 packet contains key larger "
+                      "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
+               rc = -EINVAL;
+               goto out_free;
+       }
        if (unlikely(data[(*packet_size)++] != 0x04)) {
                printk(KERN_WARNING "Unknown version number [%d]\n",
                       data[(*packet_size) - 1]);
                rc = -EINVAL;
                goto out_free;
        }
-       ecryptfs_cipher_code_to_string(crypt_stat->cipher,
-                                      (u16)data[(*packet_size)]);
+       rc = ecryptfs_cipher_code_to_string(crypt_stat->cipher,
+                                           (u16)data[(*packet_size)]);
+       if (rc)
+               goto out_free;
        /* A little extra work to differentiate among the AES key
         * sizes; see RFC2440 */
        switch(data[(*packet_size)++]) {
@@ -1311,7 +1342,9 @@ parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_stat,
                crypt_stat->key_size =
                        (*new_auth_tok)->session_key.encrypted_key_size;
        }
-       ecryptfs_init_crypt_ctx(crypt_stat);
+       rc = ecryptfs_init_crypt_ctx(crypt_stat);
+       if (rc)
+               goto out_free;
        if (unlikely(data[(*packet_size)++] != 0x03)) {
                printk(KERN_WARNING "Only S2K ID 3 is currently supported\n");
                rc = -ENOSYS;
@@ -1439,6 +1472,12 @@ parse_tag_11_packet(unsigned char *data, unsigned char *contents,
                rc = -EINVAL;
                goto out;
        }
+       if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
+               printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
+                      "expected size\n");
+               rc = -EINVAL;
+               goto out;
+       }
        if (data[(*packet_size)++] != 0x62) {
                printk(KERN_WARNING "Unrecognizable packet\n");
                rc = -EINVAL;
@@ -2343,28 +2382,25 @@ struct kmem_cache *ecryptfs_key_sig_cache;
 int ecryptfs_add_keysig(struct ecryptfs_crypt_stat *crypt_stat, char *sig)
 {
        struct ecryptfs_key_sig *new_key_sig;
-       int rc = 0;
 
        new_key_sig = kmem_cache_alloc(ecryptfs_key_sig_cache, GFP_KERNEL);
        if (!new_key_sig) {
-               rc = -ENOMEM;
                printk(KERN_ERR
                       "Error allocating from ecryptfs_key_sig_cache\n");
-               goto out;
+               return -ENOMEM;
        }
        memcpy(new_key_sig->keysig, sig, ECRYPTFS_SIG_SIZE_HEX);
-       mutex_lock(&crypt_stat->keysig_list_mutex);
+       /* Caller must hold keysig_list_mutex */
        list_add(&new_key_sig->crypt_stat_list, &crypt_stat->keysig_list);
-       mutex_unlock(&crypt_stat->keysig_list_mutex);
-out:
-       return rc;
+
+       return 0;
 }
 
 struct kmem_cache *ecryptfs_global_auth_tok_cache;
 
 int
 ecryptfs_add_global_auth_tok(struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
-                            char *sig)
+                            char *sig, u32 global_auth_tok_flags)
 {
        struct ecryptfs_global_auth_tok *new_auth_tok;
        int rc = 0;
@@ -2378,6 +2414,7 @@ ecryptfs_add_global_auth_tok(struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
                goto out;
        }
        memcpy(new_auth_tok->sig, sig, ECRYPTFS_SIG_SIZE_HEX);
+       new_auth_tok->flags = global_auth_tok_flags;
        new_auth_tok->sig[ECRYPTFS_SIG_SIZE_HEX] = '\0';
        mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
        list_add(&new_auth_tok->mount_crypt_stat_list,
Full containers within linux kernel