Commit aee683b9e77e17237b0e146025c3d363c9203634
Committed by
Tyler Hicks
1 parent
2e21b3f124
Exists in
master
and in
4 other branches
ecryptfs: release keys loaded in ecryptfs_keyring_auth_tok_for_sig()
This patch allows keys requested in the function ecryptfs_keyring_auth_tok_for_sig()to be released when they are no longer required. In particular keys are directly released in the same function if the obtained authentication token is not valid. Further, a new function parameter 'auth_tok_key' has been added to ecryptfs_find_auth_tok_for_sig() in order to provide callers the key pointer to be passed to key_put(). Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Cc: Dustin Kirkland <kirkland@canonical.com> Cc: James Morris <jmorris@namei.org> [Tyler: Initialize auth_tok_key to NULL in ecryptfs_parse_packet_set] Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Showing 1 changed file with 28 additions and 6 deletions Side-by-side Diff
fs/ecryptfs/keystore.c
... | ... | @@ -446,6 +446,7 @@ |
446 | 446 | */ |
447 | 447 | static int |
448 | 448 | ecryptfs_find_auth_tok_for_sig( |
449 | + struct key **auth_tok_key, | |
449 | 450 | struct ecryptfs_auth_tok **auth_tok, |
450 | 451 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, |
451 | 452 | char *sig) |
452 | 453 | |
453 | 454 | |
... | ... | @@ -453,12 +454,12 @@ |
453 | 454 | struct ecryptfs_global_auth_tok *global_auth_tok; |
454 | 455 | int rc = 0; |
455 | 456 | |
457 | + (*auth_tok_key) = NULL; | |
456 | 458 | (*auth_tok) = NULL; |
457 | 459 | if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok, |
458 | 460 | mount_crypt_stat, sig)) { |
459 | - struct key *auth_tok_key; | |
460 | 461 | |
461 | - rc = ecryptfs_keyring_auth_tok_for_sig(&auth_tok_key, auth_tok, | |
462 | + rc = ecryptfs_keyring_auth_tok_for_sig(auth_tok_key, auth_tok, | |
462 | 463 | sig); |
463 | 464 | } else |
464 | 465 | (*auth_tok) = global_auth_tok->global_auth_tok; |
... | ... | @@ -509,6 +510,7 @@ |
509 | 510 | char *filename, size_t filename_size) |
510 | 511 | { |
511 | 512 | struct ecryptfs_write_tag_70_packet_silly_stack *s; |
513 | + struct key *auth_tok_key = NULL; | |
512 | 514 | int rc = 0; |
513 | 515 | |
514 | 516 | s = kmalloc(sizeof(*s), GFP_KERNEL); |
... | ... | @@ -606,6 +608,7 @@ |
606 | 608 | } |
607 | 609 | dest[s->i++] = s->cipher_code; |
608 | 610 | rc = ecryptfs_find_auth_tok_for_sig( |
611 | + &auth_tok_key, | |
609 | 612 | &s->auth_tok, mount_crypt_stat, |
610 | 613 | mount_crypt_stat->global_default_fnek_sig); |
611 | 614 | if (rc) { |
... | ... | @@ -753,6 +756,8 @@ |
753 | 756 | out_unlock: |
754 | 757 | mutex_unlock(s->tfm_mutex); |
755 | 758 | out: |
759 | + if (auth_tok_key) | |
760 | + key_put(auth_tok_key); | |
756 | 761 | kfree(s); |
757 | 762 | return rc; |
758 | 763 | } |
... | ... | @@ -798,6 +803,7 @@ |
798 | 803 | char *data, size_t max_packet_size) |
799 | 804 | { |
800 | 805 | struct ecryptfs_parse_tag_70_packet_silly_stack *s; |
806 | + struct key *auth_tok_key = NULL; | |
801 | 807 | int rc = 0; |
802 | 808 | |
803 | 809 | (*packet_size) = 0; |
... | ... | @@ -910,7 +916,8 @@ |
910 | 916 | * >= ECRYPTFS_MAX_IV_BYTES. */ |
911 | 917 | memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); |
912 | 918 | s->desc.info = s->iv; |
913 | - rc = ecryptfs_find_auth_tok_for_sig(&s->auth_tok, mount_crypt_stat, | |
919 | + rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key, | |
920 | + &s->auth_tok, mount_crypt_stat, | |
914 | 921 | s->fnek_sig_hex); |
915 | 922 | if (rc) { |
916 | 923 | printk(KERN_ERR "%s: Error attempting to find auth tok for " |
... | ... | @@ -986,6 +993,8 @@ |
986 | 993 | (*filename_size) = 0; |
987 | 994 | (*filename) = NULL; |
988 | 995 | } |
996 | + if (auth_tok_key) | |
997 | + key_put(auth_tok_key); | |
989 | 998 | kfree(s); |
990 | 999 | return rc; |
991 | 1000 | } |
992 | 1001 | |
993 | 1002 | |
... | ... | @@ -1557,15 +1566,20 @@ |
1557 | 1566 | ECRYPTFS_VERSION_MAJOR, |
1558 | 1567 | ECRYPTFS_VERSION_MINOR); |
1559 | 1568 | rc = -EINVAL; |
1560 | - goto out; | |
1569 | + goto out_release_key; | |
1561 | 1570 | } |
1562 | 1571 | if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD |
1563 | 1572 | && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) { |
1564 | 1573 | printk(KERN_ERR "Invalid auth_tok structure " |
1565 | 1574 | "returned from key query\n"); |
1566 | 1575 | rc = -EINVAL; |
1567 | - goto out; | |
1576 | + goto out_release_key; | |
1568 | 1577 | } |
1578 | +out_release_key: | |
1579 | + if (rc) { | |
1580 | + key_put(*auth_tok_key); | |
1581 | + (*auth_tok_key) = NULL; | |
1582 | + } | |
1569 | 1583 | out: |
1570 | 1584 | return rc; |
1571 | 1585 | } |
... | ... | @@ -1688,6 +1702,7 @@ |
1688 | 1702 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item; |
1689 | 1703 | size_t tag_11_contents_size; |
1690 | 1704 | size_t tag_11_packet_size; |
1705 | + struct key *auth_tok_key = NULL; | |
1691 | 1706 | int rc = 0; |
1692 | 1707 | |
1693 | 1708 | INIT_LIST_HEAD(&auth_tok_list); |
... | ... | @@ -1784,6 +1799,10 @@ |
1784 | 1799 | * just one will be sufficient to decrypt to get the FEK. */ |
1785 | 1800 | find_next_matching_auth_tok: |
1786 | 1801 | found_auth_tok = 0; |
1802 | + if (auth_tok_key) { | |
1803 | + key_put(auth_tok_key); | |
1804 | + auth_tok_key = NULL; | |
1805 | + } | |
1787 | 1806 | list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) { |
1788 | 1807 | candidate_auth_tok = &auth_tok_list_item->auth_tok; |
1789 | 1808 | if (unlikely(ecryptfs_verbosity > 0)) { |
... | ... | @@ -1800,7 +1819,8 @@ |
1800 | 1819 | rc = -EINVAL; |
1801 | 1820 | goto out_wipe_list; |
1802 | 1821 | } |
1803 | - ecryptfs_find_auth_tok_for_sig(&matching_auth_tok, | |
1822 | + ecryptfs_find_auth_tok_for_sig(&auth_tok_key, | |
1823 | + &matching_auth_tok, | |
1804 | 1824 | crypt_stat->mount_crypt_stat, |
1805 | 1825 | candidate_auth_tok_sig); |
1806 | 1826 | if (matching_auth_tok) { |
... | ... | @@ -1866,6 +1886,8 @@ |
1866 | 1886 | out_wipe_list: |
1867 | 1887 | wipe_auth_tok_list(&auth_tok_list); |
1868 | 1888 | out: |
1889 | + if (auth_tok_key) | |
1890 | + key_put(auth_tok_key); | |
1869 | 1891 | return rc; |
1870 | 1892 | } |
1871 | 1893 |