2
* Userspace side of netlink communications with eCryptfs kernel
5
* Copyright (C) 2004-2006 International Business Machines Corp.
6
* Author(s): Trevor S. Highland <trevor.highland@gmail.com>
8
* This program is free software; you can redistribute it and/or
9
* modify it under the terms of the GNU General Public License as
10
* published by the Free Software Foundation; either version 2 of the
11
* License, or (at your option) any later version.
13
* This program is distributed in the hope that it will be useful, but
14
* WITHOUT ANY WARRANTY; without even the implied warranty of
15
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16
* General Public License for more details.
18
* You should have received a copy of the GNU General Public License
19
* along with this program; if not, write to the Free Software
20
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
34
#include "../include/ecryptfs.h"
36
#define ECRYPTFS_PACKET_STATUS_GOOD 0
37
#define ECRYPTFS_PACKET_STATUS_BAD -1
41
* @dest: The byte array target into which to write the
42
* length. Must have at least 5 bytes allocated.
43
* @size: The length to write.
44
* @packet_size_length: The number of bytes used to encode the
45
* packet length is written to this address.
47
* Returns zero on success; non-zero on error.
50
write_packet_length(char *dest, size_t size, size_t *packet_size_length)
56
(*packet_size_length) = 1;
57
} else if (size < 65536) {
58
dest[0] = (((size - 192) / 256) + 192);
59
dest[1] = ((size - 192) % 256);
60
(*packet_size_length) = 2;
63
syslog(LOG_ERR, "Unsupported packet size: [%d]\n",
71
* @data: Pointer to memory containing length at offset
72
* @size: This function writes the decoded size to this memory
73
* address; zero on error
74
* @length_size: The number of bytes occupied by the encoded length
76
* Returns Zero on success
78
static int parse_packet_length(unsigned char *data, size_t *size,
89
} else if (data[0] < 224) {
91
(*size) = ((data[0] - 192) * 256);
92
(*size) += (data[1] + 192);
94
} else if (data[0] == 255) {
95
/* Five-byte length; we're not supposed to see this */
97
syslog(LOG_ERR, "Five-byte packet length not "
102
syslog(LOG_ERR, "Error parsing packet length\n");
111
* @encrypted_key: This function will allocate this memory and encrypt
113
* @encrypted_key_size: The size of the encrypted key; note that the
114
* actual amount of memory allocated by this
115
* function may be more than this
117
* @auth_tok: The authentication token structure in the user session
118
* keyring; this contains the key module state blob
120
* @decrypted_key_size:
124
* Called from parse_packet()
127
key_mod_encrypt(char **encrypted_key, size_t *encrypted_key_size,
128
struct ecryptfs_ctx *ctx, struct ecryptfs_auth_tok *auth_tok,
129
char *decrypted_key, size_t decrypted_key_size)
131
struct ecryptfs_key_mod *key_mod;
134
if (ecryptfs_find_key_mod(&key_mod, ctx,
135
auth_tok->token.private_key.key_mod_alias)) {
137
syslog(LOG_ERR, "Failed to locate desired key module\n");
140
/* TODO: Include support for a hint rather than just a blob */
141
if ((rc = key_mod->ops->encrypt(NULL, encrypted_key_size, decrypted_key,
143
auth_tok->token.private_key.data,
144
ECRYPTFS_BLOB_TYPE_BLOB))) {
145
syslog(LOG_ERR, "Error attempting to get encrypted key size "
146
"from key module; rc = [%d]\n", rc);
149
if ((*encrypted_key_size) == 0) {
151
syslog(LOG_ERR, "Encrypted key size reported by key module "
152
"encrypt function is 0\n");
155
/* The first call just told us how much memory to
156
* allocate. The actual key size may be less, so we don't
157
* worry about ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES until the
159
if (((*encrypted_key) = malloc(*encrypted_key_size)) == NULL) {
161
syslog(LOG_ERR, "Failed to allocate memory: [%s]\n",
165
if ((rc = key_mod->ops->encrypt((*encrypted_key), encrypted_key_size,
166
decrypted_key, decrypted_key_size,
167
auth_tok->token.private_key.data,
168
ECRYPTFS_BLOB_TYPE_BLOB))) {
169
syslog(LOG_ERR, "Failed to encrypt key; rc = [%d]\n", rc);
172
if ((*encrypted_key_size) > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
174
syslog(LOG_ERR, "Encrypted key size reported by key module "
175
"encrypt function is [%d]; max is [%d]\n",
176
(*encrypted_key_size), ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES);
177
free(*encrypted_key);
178
(*encrypted_key_size) = 0;
186
key_mod_decrypt(char **decrypted_key, size_t *decrypted_key_size,
187
struct ecryptfs_ctx *ctx, struct ecryptfs_auth_tok *auth_tok,
188
char *encrypted_key, size_t encrypted_key_size)
190
struct ecryptfs_key_mod *key_mod;
193
if (ecryptfs_find_key_mod(&key_mod, ctx,
194
auth_tok->token.private_key.key_mod_alias)) {
196
syslog(LOG_ERR, "Failed to locate desired key module\n");
199
if ((rc = key_mod->ops->decrypt(NULL, decrypted_key_size,
200
encrypted_key, encrypted_key_size,
201
auth_tok->token.private_key.data,
202
ECRYPTFS_BLOB_TYPE_BLOB))) {
203
syslog(LOG_ERR, "Failed to get size for decrypted key\n");
206
if ((*decrypted_key_size) == 0) {
208
syslog(LOG_ERR, "Decrypted key size reported by key module "
209
"decrypt function is 0\n");
212
/* The first call just told us how much memory to
213
* allocate. The actual key size may be less, so we don't
214
* worry about ECRYPTFS_MAX_KEY_BYTES until the second
216
if (((*decrypted_key) = malloc(*decrypted_key_size)) == NULL) {
218
syslog(LOG_ERR, "Failed to allocate memory\n");
221
if ((rc = key_mod->ops->decrypt(*decrypted_key, decrypted_key_size,
222
encrypted_key, encrypted_key_size,
223
auth_tok->token.private_key.data,
224
ECRYPTFS_BLOB_TYPE_BLOB))) {
225
syslog(LOG_ERR, "Failed to decrypt key\n");
228
if ((*decrypted_key_size) > ECRYPTFS_MAX_KEY_BYTES) {
230
syslog(LOG_ERR, "Decrypted key size reported by key module "
231
"decrypt function is [%d]; max is [%d]\n",
232
(*decrypted_key_size), ECRYPTFS_MAX_KEY_BYTES);
233
free(*decrypted_key);
234
(*decrypted_key_size) = 0;
241
static int write_failure_packet(size_t tag,
242
struct ecryptfs_netlink_message **reply)
248
*reply = malloc(sizeof(struct ecryptfs_netlink_message) + 2);
251
syslog(LOG_ERR, "Failed to allocate memory: %s\n",
255
data = (*reply)->data;
257
data[i++] = ECRYPTFS_PACKET_STATUS_BAD;
258
(*reply)->data_len = i;
263
static int write_tag_65_packet(unsigned char *key, size_t key_size,
264
struct ecryptfs_netlink_message **reply)
272
data_len = key_size + 4;
273
*reply = malloc(sizeof(struct ecryptfs_netlink_message) + data_len);
276
syslog(LOG_ERR, "Failed to allocate memory: %s\n",
280
data = (*reply)->data;
281
data[i++] = ECRYPTFS_TAG_65_PACKET;
282
data[i++] = ECRYPTFS_PACKET_STATUS_GOOD;
283
rc = write_packet_length(&data[i], key_size, &length_size);
285
syslog(LOG_ERR, "Invalid packet format\n");
289
memcpy(&data[i], key, key_size);
291
(*reply)->data_len = i;
297
write_tag_67_packet(char *key, size_t key_size,
298
struct ecryptfs_netlink_message **reply)
306
data_len = key_size + 4;
307
*reply = malloc(sizeof(struct ecryptfs_netlink_message) + data_len);
310
syslog(LOG_ERR, "Failed to allocate memory: %s\n",
314
data = (*reply)->data;
315
data[i++] = ECRYPTFS_TAG_67_PACKET;
316
data[i++] = ECRYPTFS_PACKET_STATUS_GOOD;
317
rc = write_packet_length(&data[i], key_size, &length_size);
319
syslog(LOG_ERR, "Invalid packet format\n");
323
memcpy(&data[i], key, key_size);
325
(*reply)->data_len = data_len;
330
int parse_packet(struct ecryptfs_ctx *ctx,
331
struct ecryptfs_netlink_message *emsg,
332
struct ecryptfs_netlink_message **reply)
334
struct ecryptfs_auth_tok *auth_tok = NULL;
340
unsigned char *signature;
341
unsigned char packet_type;
343
char *key_out = NULL;
344
key_serial_t key_sub;
347
packet_type = emsg->data[i++];
348
if ((rc = parse_packet_length(&emsg->data[i], &data_size,
350
syslog(LOG_ERR, "Invalid packet format\n");
354
signature = malloc(data_size + 1);
357
syslog(LOG_ERR, "Failed to allocate memory: %s\n",
361
memcpy(signature, &emsg->data[i], data_size);
362
signature[data_size] = '\0';
364
rc = parse_packet_length(&emsg->data[i], &key_size, &length_size);
366
syslog(LOG_ERR, "Invalid packet format\n");
370
if ((key = malloc(key_size)) == NULL) {
372
syslog(LOG_ERR, "Failed to allocate memory\n");
375
memcpy(key, &emsg->data[i], key_size);
377
key_sub = request_key("user", signature, NULL, KEY_SPEC_USER_KEYRING);
379
syslog(LOG_ERR, "Could not find key with signature: "
380
"[%s]\n", signature);
384
rc = keyctl_read_alloc(key_sub, (void **)(&auth_tok));
385
switch (packet_type) {
386
case ECRYPTFS_TAG_64_PACKET:
387
if ((rc = key_mod_decrypt(&key_out, &key_out_size, ctx,
388
auth_tok, key, key_size))) {
389
syslog(LOG_ERR, "Failed to decrypt key; rc = [%d]\n",
391
rc = write_failure_packet(ECRYPTFS_TAG_65_PACKET,reply);
394
if ((rc = write_tag_65_packet(key_out, key_out_size, reply))) {
395
syslog(LOG_ERR, "Failed to write decrypted "
396
"key via tag 65 packet\n");
400
case ECRYPTFS_TAG_66_PACKET:
401
rc = key_mod_encrypt(&key_out, &key_out_size, ctx, auth_tok,
404
syslog(LOG_ERR, "Failed to encrypt public "
408
rc = write_tag_67_packet(key_out, key_out_size, reply);
410
syslog(LOG_ERR, "Failed to write encrypted "
411
"key to tag 67 packet\n");
416
syslog(LOG_ERR, "Unrecognized packet type: [%d]\n",
424
memset(auth_tok, 0, (sizeof(struct ecryptfs_auth_tok)
425
+ auth_tok->token.private_key.data_len));
429
if(packet_type == ECRYPTFS_TAG_66_PACKET)
430
rc = write_failure_packet(ECRYPTFS_TAG_67_PACKET, reply);
432
rc = write_failure_packet(ECRYPTFS_TAG_65_PACKET, reply);
437
memset(auth_tok, 0, (sizeof(struct ecryptfs_auth_tok)
438
+ auth_tok->token.private_key.data_len));