ecryptfs: release keys loaded in ecryptfs_keyring_auth_tok_for_sig()

This patch allows keys requested in the function ecryptfs_keyring_auth_tok_for_sig()to be released when they are no longer required. In particular keys are directly released in the same function if the obtained authentication token is not valid. Further, a new function parameter 'auth_tok_key' has been added to ecryptfs_find_auth_tok_for_sig() in order to provide callers the key pointer to be passed to key_put(). Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Cc: Dustin Kirkland <kirkland@canonical.com> Cc: James Morris <jmorris@namei.org> [Tyler: Initialize auth_tok_key to NULL in ecryptfs_parse_packet_set] Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>

ecryptfs: release keys loaded in ecryptfs_keyring_auth_tok_for_sig()
This patch allows keys requested in the function ecryptfs_keyring_auth_tok_for_sig()to be released when they are no longer required. In particular keys are directly released in the same function if the obtained authentication token is not valid. Further, a new function parameter 'auth_tok_key' has been added to ecryptfs_find_auth_tok_for_sig() in order to provide callers the key pointer to be passed to key_put(). Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Cc: Dustin Kirkland <kirkland@canonical.com> Cc: James Morris <jmorris@namei.org> [Tyler: Initialize auth_tok_key to NULL in ecryptfs_parse_packet_set] Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Roberto Sassu · Tyler Hicks
1 parent 2e21b3f124
Showing 1 changed file with 28 additions and 6 deletions Side-by-side Diff
fs/ecryptfs/keystore.c
@@ -446,6 +446,7 @@
  */
 static int
 ecryptfs_find_auth_tok_for_sig(
+	struct key **auth_tok_key,
 	struct ecryptfs_auth_tok **auth_tok,
 	struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
 	char *sig)
  
  
@@ -453,12 +454,12 @@
 	struct ecryptfs_global_auth_tok *global_auth_tok;
 	int rc = 0;
  
+	(*auth_tok_key) = NULL;
 	(*auth_tok) = NULL;
 	if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok,
 						  mount_crypt_stat, sig)) {
-		struct key *auth_tok_key;
  
-		rc = ecryptfs_keyring_auth_tok_for_sig(&auth_tok_key, auth_tok,
+		rc = ecryptfs_keyring_auth_tok_for_sig(auth_tok_key, auth_tok,
 						       sig);
 	} else
 		(*auth_tok) = global_auth_tok->global_auth_tok;
@@ -509,6 +510,7 @@
 			     char *filename, size_t filename_size)
 {
 	struct ecryptfs_write_tag_70_packet_silly_stack *s;
+	struct key *auth_tok_key = NULL;
 	int rc = 0;
  
 	s = kmalloc(sizeof(*s), GFP_KERNEL);
@@ -606,6 +608,7 @@
 	}
 	dest[s->i++] = s->cipher_code;
 	rc = ecryptfs_find_auth_tok_for_sig(
+		&auth_tok_key,
 		&s->auth_tok, mount_crypt_stat,
 		mount_crypt_stat->global_default_fnek_sig);
 	if (rc) {
@@ -753,6 +756,8 @@
 out_unlock:
 	mutex_unlock(s->tfm_mutex);
 out:
+	if (auth_tok_key)
+		key_put(auth_tok_key);
 	kfree(s);
 	return rc;
 }
@@ -798,6 +803,7 @@
 			     char *data, size_t max_packet_size)
 {
 	struct ecryptfs_parse_tag_70_packet_silly_stack *s;
+	struct key *auth_tok_key = NULL;
 	int rc = 0;
  
 	(*packet_size) = 0;
@@ -910,7 +916,8 @@
 	 * >= ECRYPTFS_MAX_IV_BYTES. */
 	memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES);
 	s->desc.info = s->iv;
-	rc = ecryptfs_find_auth_tok_for_sig(&s->auth_tok, mount_crypt_stat,
+	rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key,
+					    &s->auth_tok, mount_crypt_stat,
 					    s->fnek_sig_hex);
 	if (rc) {
 		printk(KERN_ERR "%s: Error attempting to find auth tok for "
@@ -986,6 +993,8 @@
 		(*filename_size) = 0;
 		(*filename) = NULL;
 	}
+	if (auth_tok_key)
+		key_put(auth_tok_key);
 	kfree(s);
 	return rc;
 }
  
  
@@ -1557,15 +1566,20 @@
 		       ECRYPTFS_VERSION_MAJOR,
 		       ECRYPTFS_VERSION_MINOR);
 		rc = -EINVAL;
-		goto out;
+		goto out_release_key;
 	}
 	if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD
 	    && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) {
 		printk(KERN_ERR "Invalid auth_tok structure "
 		       "returned from key query\n");
 		rc = -EINVAL;
-		goto out;
+		goto out_release_key;
 	}
+out_release_key:
+	if (rc) {
+		key_put(*auth_tok_key);
+		(*auth_tok_key) = NULL;
+	}
 out:
 	return rc;
 }
@@ -1688,6 +1702,7 @@
 	struct ecryptfs_auth_tok_list_item *auth_tok_list_item;
 	size_t tag_11_contents_size;
 	size_t tag_11_packet_size;
+	struct key *auth_tok_key = NULL;
 	int rc = 0;
  
 	INIT_LIST_HEAD(&auth_tok_list);
@@ -1784,6 +1799,10 @@
 	 * just one will be sufficient to decrypt to get the FEK. */
 find_next_matching_auth_tok:
 	found_auth_tok = 0;
+	if (auth_tok_key) {
+		key_put(auth_tok_key);
+		auth_tok_key = NULL;
+	}
 	list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) {
 		candidate_auth_tok = &auth_tok_list_item->auth_tok;
 		if (unlikely(ecryptfs_verbosity > 0)) {
@@ -1800,7 +1819,8 @@
 			rc = -EINVAL;
 			goto out_wipe_list;
 		}
-		ecryptfs_find_auth_tok_for_sig(&matching_auth_tok,
+		ecryptfs_find_auth_tok_for_sig(&auth_tok_key,
+					       &matching_auth_tok,
 					       crypt_stat->mount_crypt_stat,
 					       candidate_auth_tok_sig);
 		if (matching_auth_tok) {
@@ -1866,6 +1886,8 @@
 out_wipe_list:
 	wipe_auth_tok_list(&auth_tok_list);
 out:
+	if (auth_tok_key)
+		key_put(auth_tok_key);
 	return rc;
 }
...	...	@@ -446,6 +446,7 @@
446	446	*/
447	447	static int
448	448	ecryptfs_find_auth_tok_for_sig(
	449	+ struct key **auth_tok_key,
449	450	struct ecryptfs_auth_tok **auth_tok,
450	451	struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
451	452	char *sig)
452	453
453	454
...	...	@@ -453,12 +454,12 @@
453	454	struct ecryptfs_global_auth_tok *global_auth_tok;
454	455	int rc = 0;
455	456
	457	+ (*auth_tok_key) = NULL;
456	458	(*auth_tok) = NULL;
457	459	if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok,
458	460	mount_crypt_stat, sig)) {
459		- struct key *auth_tok_key;
460	461
461		- rc = ecryptfs_keyring_auth_tok_for_sig(&auth_tok_key, auth_tok,
	462	+ rc = ecryptfs_keyring_auth_tok_for_sig(auth_tok_key, auth_tok,
462	463	sig);
463	464	} else
464	465	(*auth_tok) = global_auth_tok->global_auth_tok;
...	...	@@ -509,6 +510,7 @@
509	510	char *filename, size_t filename_size)
510	511	{
511	512	struct ecryptfs_write_tag_70_packet_silly_stack *s;
	513	+ struct key *auth_tok_key = NULL;
512	514	int rc = 0;
513	515
514	516	s = kmalloc(sizeof(*s), GFP_KERNEL);
...	...	@@ -606,6 +608,7 @@
606	608	}
607	609	dest[s->i++] = s->cipher_code;
608	610	rc = ecryptfs_find_auth_tok_for_sig(
	611	+ &auth_tok_key,
609	612	&s->auth_tok, mount_crypt_stat,
610	613	mount_crypt_stat->global_default_fnek_sig);
611	614	if (rc) {
...	...	@@ -753,6 +756,8 @@
753	756	out_unlock:
754	757	mutex_unlock(s->tfm_mutex);
755	758	out:
	759	+ if (auth_tok_key)
	760	+ key_put(auth_tok_key);
756	761	kfree(s);
757	762	return rc;
758	763	}
...	...	@@ -798,6 +803,7 @@
798	803	char *data, size_t max_packet_size)
799	804	{
800	805	struct ecryptfs_parse_tag_70_packet_silly_stack *s;
	806	+ struct key *auth_tok_key = NULL;
801	807	int rc = 0;
802	808
803	809	(*packet_size) = 0;
...	...	@@ -910,7 +916,8 @@
910	916	* >= ECRYPTFS_MAX_IV_BYTES. */
911	917	memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES);
912	918	s->desc.info = s->iv;
913		- rc = ecryptfs_find_auth_tok_for_sig(&s->auth_tok, mount_crypt_stat,
	919	+ rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key,
	920	+ &s->auth_tok, mount_crypt_stat,
914	921	s->fnek_sig_hex);
915	922	if (rc) {
916	923	printk(KERN_ERR "%s: Error attempting to find auth tok for "
...	...	@@ -986,6 +993,8 @@
986	993	(*filename_size) = 0;
987	994	(*filename) = NULL;
988	995	}
	996	+ if (auth_tok_key)
	997	+ key_put(auth_tok_key);
989	998	kfree(s);
990	999	return rc;
991	1000	}
992	1001
993	1002
...	...	@@ -1557,15 +1566,20 @@
1557	1566	ECRYPTFS_VERSION_MAJOR,
1558	1567	ECRYPTFS_VERSION_MINOR);
1559	1568	rc = -EINVAL;
1560		- goto out;
	1569	+ goto out_release_key;
1561	1570	}
1562	1571	if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD
1563	1572	&& (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) {
1564	1573	printk(KERN_ERR "Invalid auth_tok structure "
1565	1574	"returned from key query\n");
1566	1575	rc = -EINVAL;
1567		- goto out;
	1576	+ goto out_release_key;
1568	1577	}
	1578	+out_release_key:
	1579	+ if (rc) {
	1580	+ key_put(*auth_tok_key);
	1581	+ (*auth_tok_key) = NULL;
	1582	+ }
1569	1583	out:
1570	1584	return rc;
1571	1585	}
...	...	@@ -1688,6 +1702,7 @@
1688	1702	struct ecryptfs_auth_tok_list_item *auth_tok_list_item;
1689	1703	size_t tag_11_contents_size;
1690	1704	size_t tag_11_packet_size;
	1705	+ struct key *auth_tok_key = NULL;
1691	1706	int rc = 0;
1692	1707
1693	1708	INIT_LIST_HEAD(&auth_tok_list);
...	...	@@ -1784,6 +1799,10 @@
1784	1799	* just one will be sufficient to decrypt to get the FEK. */
1785	1800	find_next_matching_auth_tok:
1786	1801	found_auth_tok = 0;
	1802	+ if (auth_tok_key) {
	1803	+ key_put(auth_tok_key);
	1804	+ auth_tok_key = NULL;
	1805	+ }
1787	1806	list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) {
1788	1807	candidate_auth_tok = &auth_tok_list_item->auth_tok;
1789	1808	if (unlikely(ecryptfs_verbosity > 0)) {
...	...	@@ -1800,7 +1819,8 @@
1800	1819	rc = -EINVAL;
1801	1820	goto out_wipe_list;
1802	1821	}
1803		- ecryptfs_find_auth_tok_for_sig(&matching_auth_tok,
	1822	+ ecryptfs_find_auth_tok_for_sig(&auth_tok_key,
	1823	+ &matching_auth_tok,
1804	1824	crypt_stat->mount_crypt_stat,
1805	1825	candidate_auth_tok_sig);
1806	1826	if (matching_auth_tok) {
...	...	@@ -1866,6 +1886,8 @@
1866	1886	out_wipe_list:
1867	1887	wipe_auth_tok_list(&auth_tok_list);
1868	1888	out:
	1889	+ if (auth_tok_key)
	1890	+ key_put(auth_tok_key);
1869	1891	return rc;
1870	1892	}
1871	1893