425
* ecryptfs_verify_version
426
* @version: The version number to confirm
428
* Returns zero on good version; non-zero otherwise
430
static int ecryptfs_verify_version(u16 version)
436
major = ((version >> 8) & 0xFF);
437
minor = (version & 0xFF);
438
if (major != ECRYPTFS_VERSION_MAJOR) {
439
ecryptfs_printk(KERN_ERR, "Major version number mismatch. "
440
"Expected [%d]; got [%d]\n",
441
ECRYPTFS_VERSION_MAJOR, major);
445
if (minor != ECRYPTFS_VERSION_MINOR) {
446
ecryptfs_printk(KERN_ERR, "Minor version number mismatch. "
447
"Expected [%d]; got [%d]\n",
448
ECRYPTFS_VERSION_MINOR, minor);
457
* ecryptfs_verify_auth_tok_from_key
458
* @auth_tok_key: key containing the authentication token
459
* @auth_tok: authentication token
461
* Returns zero on valid auth tok; -EINVAL otherwise
464
ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key,
465
struct ecryptfs_auth_tok **auth_tok)
469
(*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key);
470
if (ecryptfs_verify_version((*auth_tok)->version)) {
471
printk(KERN_ERR "Data structure version mismatch. Userspace "
472
"tools must match eCryptfs kernel module with major "
473
"version [%d] and minor version [%d]\n",
474
ECRYPTFS_VERSION_MAJOR, ECRYPTFS_VERSION_MINOR);
478
if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD
479
&& (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) {
480
printk(KERN_ERR "Invalid auth_tok structure "
481
"returned from key query\n");
407
490
ecryptfs_find_global_auth_tok_for_sig(
408
struct ecryptfs_global_auth_tok **global_auth_tok,
491
struct key **auth_tok_key,
492
struct ecryptfs_auth_tok **auth_tok,
409
493
struct ecryptfs_mount_crypt_stat *mount_crypt_stat, char *sig)
411
495
struct ecryptfs_global_auth_tok *walker;
414
(*global_auth_tok) = NULL;
498
(*auth_tok_key) = NULL;
415
500
mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
416
501
list_for_each_entry(walker,
417
502
&mount_crypt_stat->global_auth_tok_list,
418
503
mount_crypt_stat_list) {
419
if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX) == 0) {
420
rc = key_validate(walker->global_auth_tok_key);
422
(*global_auth_tok) = walker;
504
if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX))
507
if (walker->flags & ECRYPTFS_AUTH_TOK_INVALID) {
512
rc = key_validate(walker->global_auth_tok_key);
514
if (rc == -EKEYEXPIRED)
516
goto out_invalid_auth_tok;
519
down_write(&(walker->global_auth_tok_key->sem));
520
rc = ecryptfs_verify_auth_tok_from_key(
521
walker->global_auth_tok_key, auth_tok);
523
goto out_invalid_auth_tok_unlock;
525
(*auth_tok_key) = walker->global_auth_tok_key;
526
key_get(*auth_tok_key);
531
out_invalid_auth_tok_unlock:
532
up_write(&(walker->global_auth_tok_key->sem));
533
out_invalid_auth_tok:
534
printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig);
535
walker->flags |= ECRYPTFS_AUTH_TOK_INVALID;
536
key_put(walker->global_auth_tok_key);
537
walker->global_auth_tok_key = NULL;
428
539
mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
451
562
struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
454
struct ecryptfs_global_auth_tok *global_auth_tok;
457
(*auth_tok_key) = NULL;
459
if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok,
460
mount_crypt_stat, sig)) {
567
rc = ecryptfs_find_global_auth_tok_for_sig(auth_tok_key, auth_tok,
568
mount_crypt_stat, sig);
462
570
/* if the flag ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY is set in the
463
571
* mount_crypt_stat structure, we prevent to use auth toks that
464
572
* are not inserted through the ecryptfs_add_global_auth_tok
532
639
s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP;
533
640
(*packet_size) = 0;
641
rc = ecryptfs_find_auth_tok_for_sig(
643
&s->auth_tok, mount_crypt_stat,
644
mount_crypt_stat->global_default_fnek_sig);
646
printk(KERN_ERR "%s: Error attempting to find auth tok for "
647
"fnek sig [%s]; rc = [%d]\n", __func__,
648
mount_crypt_stat->global_default_fnek_sig, rc);
534
651
rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(
536
653
&s->tfm_mutex, mount_crypt_stat->global_default_fn_cipher_name);
616
733
goto out_free_unlock;
618
735
dest[s->i++] = s->cipher_code;
619
rc = ecryptfs_find_auth_tok_for_sig(
621
&s->auth_tok, mount_crypt_stat,
622
mount_crypt_stat->global_default_fnek_sig);
624
printk(KERN_ERR "%s: Error attempting to find auth tok for "
625
"fnek sig [%s]; rc = [%d]\n", __func__,
626
mount_crypt_stat->global_default_fnek_sig, rc);
627
goto out_free_unlock;
629
736
/* TODO: Support other key modules than passphrase for
630
737
* filename encryption */
631
738
if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) {
709
816
memcpy(&s->block_aligned_filename[s->num_rand_bytes], filename,
711
818
rc = virt_to_scatterlist(s->block_aligned_filename,
712
s->block_aligned_filename_size, &s->src_sg, 1);
819
s->block_aligned_filename_size, s->src_sg, 2);
714
821
printk(KERN_ERR "%s: Internal error whilst attempting to "
715
"convert filename memory to scatterlist; "
716
"expected rc = 1; got rc = [%d]. "
822
"convert filename memory to scatterlist; rc = [%d]. "
717
823
"block_aligned_filename_size = [%zd]\n", __func__, rc,
718
824
s->block_aligned_filename_size);
719
825
goto out_release_free_unlock;
721
827
rc = virt_to_scatterlist(&dest[s->i], s->block_aligned_filename_size,
724
830
printk(KERN_ERR "%s: Internal error whilst attempting to "
725
831
"convert encrypted filename memory to scatterlist; "
726
"expected rc = 1; got rc = [%d]. "
727
"block_aligned_filename_size = [%zd]\n", __func__, rc,
728
s->block_aligned_filename_size);
832
"rc = [%d]. block_aligned_filename_size = [%zd]\n",
833
__func__, rc, s->block_aligned_filename_size);
729
834
goto out_release_free_unlock;
731
836
/* The characters in the first block effectively do the job
891
1007
mutex_lock(s->tfm_mutex);
892
1008
rc = virt_to_scatterlist(&data[(*packet_size)],
893
s->block_aligned_filename_size, &s->src_sg, 1);
1009
s->block_aligned_filename_size, s->src_sg, 2);
895
1011
printk(KERN_ERR "%s: Internal error whilst attempting to "
896
1012
"convert encrypted filename memory to scatterlist; "
897
"expected rc = 1; got rc = [%d]. "
898
"block_aligned_filename_size = [%zd]\n", __func__, rc,
899
s->block_aligned_filename_size);
1013
"rc = [%d]. block_aligned_filename_size = [%zd]\n",
1014
__func__, rc, s->block_aligned_filename_size);
900
1015
goto out_unlock;
902
1017
(*packet_size) += s->block_aligned_filename_size;
910
1025
goto out_unlock;
912
1027
rc = virt_to_scatterlist(s->decrypted_filename,
913
s->block_aligned_filename_size, &s->dst_sg, 1);
1028
s->block_aligned_filename_size, s->dst_sg, 2);
915
1030
printk(KERN_ERR "%s: Internal error whilst attempting to "
916
1031
"convert decrypted filename memory to scatterlist; "
917
"expected rc = 1; got rc = [%d]. "
918
"block_aligned_filename_size = [%zd]\n", __func__, rc,
919
s->block_aligned_filename_size);
1032
"rc = [%d]. block_aligned_filename_size = [%zd]\n",
1033
__func__, rc, s->block_aligned_filename_size);
920
1034
goto out_free_unlock;
922
1036
/* The characters in the first block effectively do the job of
925
1039
* >= ECRYPTFS_MAX_IV_BYTES. */
926
1040
memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES);
927
1041
s->desc.info = s->iv;
928
rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key,
929
&s->auth_tok, mount_crypt_stat,
932
printk(KERN_ERR "%s: Error attempting to find auth tok for "
933
"fnek sig [%s]; rc = [%d]\n", __func__, s->fnek_sig_hex,
935
goto out_free_unlock;
937
1042
/* TODO: Support other key modules than passphrase for
938
1043
* filename encryption */
939
1044
if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) {
1524
* ecryptfs_verify_version
1525
* @version: The version number to confirm
1527
* Returns zero on good version; non-zero otherwise
1529
static int ecryptfs_verify_version(u16 version)
1532
unsigned char major;
1533
unsigned char minor;
1535
major = ((version >> 8) & 0xFF);
1536
minor = (version & 0xFF);
1537
if (major != ECRYPTFS_VERSION_MAJOR) {
1538
ecryptfs_printk(KERN_ERR, "Major version number mismatch. "
1539
"Expected [%d]; got [%d]\n",
1540
ECRYPTFS_VERSION_MAJOR, major);
1544
if (minor != ECRYPTFS_VERSION_MINOR) {
1545
ecryptfs_printk(KERN_ERR, "Minor version number mismatch. "
1546
"Expected [%d]; got [%d]\n",
1547
ECRYPTFS_VERSION_MINOR, minor);
1555
1630
int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
1556
1631
struct ecryptfs_auth_tok **auth_tok,
1566
1641
(*auth_tok_key) = NULL;
1569
(*auth_tok) = ecryptfs_get_key_payload_data(*auth_tok_key);
1570
if (ecryptfs_verify_version((*auth_tok)->version)) {
1572
"Data structure version mismatch. "
1573
"Userspace tools must match eCryptfs "
1574
"kernel module with major version [%d] "
1575
"and minor version [%d]\n",
1576
ECRYPTFS_VERSION_MAJOR,
1577
ECRYPTFS_VERSION_MINOR);
1579
goto out_release_key;
1581
if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD
1582
&& (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) {
1583
printk(KERN_ERR "Invalid auth_tok structure "
1584
"returned from key query\n");
1586
goto out_release_key;
1644
down_write(&(*auth_tok_key)->sem);
1645
rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok);
1647
up_write(&(*auth_tok_key)->sem);
1590
1648
key_put(*auth_tok_key);
1591
1649
(*auth_tok_key) = NULL;
2344
2406
list_for_each_entry(key_sig, &crypt_stat->keysig_list,
2345
2407
crypt_stat_list) {
2346
2408
memset(key_rec, 0, sizeof(*key_rec));
2347
rc = ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok,
2409
rc = ecryptfs_find_global_auth_tok_for_sig(&auth_tok_key,
2348
2411
mount_crypt_stat,
2349
2412
key_sig->keysig);
2351
printk(KERN_ERR "Error attempting to get the global "
2352
"auth_tok; rc = [%d]\n", rc);
2414
printk(KERN_WARNING "Unable to retrieve auth tok with "
2415
"sig = [%s]\n", key_sig->keysig);
2416
rc = process_find_global_auth_tok_for_sig_err(rc);
2355
if (global_auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID) {
2357
"Skipping invalid auth tok with sig = [%s]\n",
2358
global_auth_tok->sig);
2361
auth_tok = global_auth_tok->global_auth_tok;
2362
2419
if (auth_tok->token_type == ECRYPTFS_PASSWORD) {
2363
2420
rc = write_tag_3_packet((dest_base + (*len)),
2364
2421
&max, auth_tok,