* determine the type of error, make appropriate log entries, and
* return an error code.
*/
-int process_request_key_err(long err_code)
+static int process_request_key_err(long err_code)
{
int rc = 0;
* address; zero on error
* @length_size: The number of bytes occupied by the encoded length
*
- * Returns Zero on success
+ * Returns zero on success; non-zero on error
*/
static int parse_packet_length(unsigned char *data, size_t *size,
size_t *length_size)
/**
* write_packet_length
- * @dest: The byte array target into which to write the
- * length. Must have at least 5 bytes allocated.
+ * @dest: The byte array target into which to write the length. Must
+ * have at least 5 bytes allocated.
* @size: The length to write.
- * @packet_size_length: The number of bytes used to encode the
- * packet length is written to this address.
+ * @packet_size_length: The number of bytes used to encode the packet
+ * length is written to this address.
*
* Returns zero on success; non-zero on error.
*/
return rc;
}
+static int
+ecryptfs_get_auth_tok_sig(char **sig, struct ecryptfs_auth_tok *auth_tok)
+{
+ int rc = 0;
+
+ (*sig) = NULL;
+ switch (auth_tok->token_type) {
+ case ECRYPTFS_PASSWORD:
+ (*sig) = auth_tok->token.password.signature;
+ break;
+ case ECRYPTFS_PRIVATE_KEY:
+ (*sig) = auth_tok->token.private_key.signature;
+ break;
+ default:
+ printk(KERN_ERR "Cannot get sig for auth_tok of type [%d]\n",
+ auth_tok->token_type);
+ rc = -EINVAL;
+ }
+ return rc;
+}
+
/**
- * decrypt_pki_encrypted_session_key - Decrypt the session key with
- * the given auth_tok.
+ * decrypt_pki_encrypted_session_key - Decrypt the session key with the given auth_tok.
+ * @auth_tok: The key authentication token used to decrypt the session key
+ * @crypt_stat: The cryptographic context
*
- * Returns Zero on success; non-zero error otherwise.
+ * Returns zero on success; non-zero error otherwise.
*/
static int
decrypt_pki_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok,
size_t netlink_message_length;
int rc;
- if ((rc = ecryptfs_get_auth_tok_sig(&auth_tok_sig, auth_tok))) {
+ rc = ecryptfs_get_auth_tok_sig(&auth_tok_sig, auth_tok);
+ if (rc) {
printk(KERN_ERR "Unrecognized auth tok type: [%d]\n",
auth_tok->token_type);
goto out;
/**
* parse_tag_1_packet
- * @crypt_stat: The cryptographic context to modify based on packet
- * contents.
+ * @crypt_stat: The cryptographic context to modify based on packet contents
* @data: The raw bytes of the packet.
* @auth_tok_list: eCryptfs parses packets into authentication tokens;
- * a new authentication token will be placed at the end
- * of this list for this packet.
+ * a new authentication token will be placed at the
+ * end of this list for this packet.
* @new_auth_tok: Pointer to a pointer to memory that this function
* allocates; sets the memory address of the pointer to
* NULL on error. This object is added to the
* auth_tok_list.
* @packet_size: This function writes the size of the parsed packet
* into this memory location; zero on error.
+ * @max_packet_size: The maximum allowable packet size
*
* Returns zero on success; non-zero on error.
*/
goto out;
}
(*new_auth_tok) = &auth_tok_list_item->auth_tok;
- if ((rc = parse_packet_length(&data[(*packet_size)], &body_size,
- &length_size))) {
+ rc = parse_packet_length(&data[(*packet_size)], &body_size,
+ &length_size);
+ if (rc) {
printk(KERN_WARNING "Error parsing packet length; "
"rc = [%d]\n", rc);
goto out_free;
}
if (unlikely(body_size < (ECRYPTFS_SIG_SIZE + 2))) {
- printk(KERN_WARNING "Invalid body size ([%d])\n", body_size);
+ printk(KERN_WARNING "Invalid body size ([%td])\n", body_size);
rc = -EINVAL;
goto out_free;
}
goto out;
}
(*new_auth_tok) = &auth_tok_list_item->auth_tok;
- if ((rc = parse_packet_length(&data[(*packet_size)], &body_size,
- &length_size))) {
+ rc = parse_packet_length(&data[(*packet_size)], &body_size,
+ &length_size);
+ if (rc) {
printk(KERN_WARNING "Error parsing packet length; rc = [%d]\n",
rc);
goto out_free;
}
if (unlikely(body_size < (ECRYPTFS_SALT_SIZE + 5))) {
- printk(KERN_WARNING "Invalid body size ([%d])\n", body_size);
+ printk(KERN_WARNING "Invalid body size ([%td])\n", body_size);
rc = -EINVAL;
goto out_free;
}
rc = -EINVAL;
goto out;
}
- if ((rc = parse_packet_length(&data[(*packet_size)], &body_size,
- &length_size))) {
+ rc = parse_packet_length(&data[(*packet_size)], &body_size,
+ &length_size);
+ if (rc) {
printk(KERN_WARNING "Invalid tag 11 packet format\n");
goto out;
}
if (body_size < 14) {
- printk(KERN_WARNING "Invalid body size ([%d])\n", body_size);
+ printk(KERN_WARNING "Invalid body size ([%td])\n", body_size);
rc = -EINVAL;
goto out;
}
}
/**
- * decrypt_passphrase_encrypted_session_key - Decrypt the session key
- * with the given auth_tok.
+ * decrypt_passphrase_encrypted_session_key - Decrypt the session key with the given auth_tok.
+ * @auth_tok: The passphrase authentication token to use to encrypt the FEK
+ * @crypt_stat: The cryptographic context
*
- * Returns Zero on success; non-zero error otherwise.
+ * Returns zero on success; non-zero error otherwise
*/
static int
decrypt_passphrase_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok,
{
struct scatterlist dst_sg;
struct scatterlist src_sg;
- struct mutex *tfm_mutex = NULL;
+ struct mutex *tfm_mutex;
struct blkcipher_desc desc = {
.flags = CRYPTO_TFM_REQ_MAY_SLEEP
};
int rc = 0;
+ sg_init_table(&dst_sg, 1);
+ sg_init_table(&src_sg, 1);
+
if (unlikely(ecryptfs_verbosity > 0)) {
ecryptfs_printk(
KERN_DEBUG, "Session key encryption key (size [%d]):\n",
crypt_stat->cipher, rc);
goto out;
}
- if ((rc = virt_to_scatterlist(auth_tok->session_key.encrypted_key,
- auth_tok->session_key.encrypted_key_size,
- &src_sg, 1)) != 1) {
+ rc = virt_to_scatterlist(auth_tok->session_key.encrypted_key,
+ auth_tok->session_key.encrypted_key_size,
+ &src_sg, 1);
+ if (rc != 1) {
printk(KERN_ERR "Internal error whilst attempting to convert "
"auth_tok->session_key.encrypted_key to scatterlist; "
"expected rc = 1; got rc = [%d]. "
}
auth_tok->session_key.decrypted_key_size =
auth_tok->session_key.encrypted_key_size;
- if ((rc = virt_to_scatterlist(auth_tok->session_key.decrypted_key,
- auth_tok->session_key.decrypted_key_size,
- &dst_sg, 1)) != 1) {
+ rc = virt_to_scatterlist(auth_tok->session_key.decrypted_key,
+ auth_tok->session_key.decrypted_key_size,
+ &dst_sg, 1);
+ if (rc != 1) {
printk(KERN_ERR "Internal error whilst attempting to convert "
"auth_tok->session_key.decrypted_key to scatterlist; "
"expected rc = 1; got rc = [%d]\n", rc);
return rc;
}
-int ecryptfs_get_auth_tok_sig(char **sig, struct ecryptfs_auth_tok *auth_tok)
-{
- int rc = 0;
-
- (*sig) = NULL;
- switch (auth_tok->token_type) {
- case ECRYPTFS_PASSWORD:
- (*sig) = auth_tok->token.password.signature;
- break;
- case ECRYPTFS_PRIVATE_KEY:
- (*sig) = auth_tok->token.private_key.signature;
- break;
- default:
- printk(KERN_ERR "Cannot get sig for auth_tok of type [%d]\n",
- auth_tok->token_type);
- rc = -EINVAL;
- }
- return rc;
-}
-
/**
* ecryptfs_parse_packet_set
- * @dest: The header page in memory
- * @version: Version of file format, to guide parsing behavior
+ * @crypt_stat: The cryptographic context
+ * @src: Virtual address of region of memory containing the packets
+ * @ecryptfs_dentry: The eCryptfs dentry associated with the packet set
*
* Get crypt_stat to have the file's session key if the requisite key
* is available to decrypt the session key.
size_t found_auth_tok;
size_t next_packet_is_auth_tok_packet;
struct list_head auth_tok_list;
- struct ecryptfs_auth_tok *matching_auth_tok = NULL;
- struct ecryptfs_auth_tok *candidate_auth_tok = NULL;
+ struct ecryptfs_auth_tok *matching_auth_tok;
+ struct ecryptfs_auth_tok *candidate_auth_tok;
char *candidate_auth_tok_sig;
size_t packet_size;
struct ecryptfs_auth_tok *new_auth_tok;
"Considering cadidate auth tok:\n");
ecryptfs_dump_auth_tok(candidate_auth_tok);
}
- if ((rc = ecryptfs_get_auth_tok_sig(&candidate_auth_tok_sig,
- candidate_auth_tok))) {
+ rc = ecryptfs_get_auth_tok_sig(&candidate_auth_tok_sig,
+ candidate_auth_tok);
+ if (rc) {
printk(KERN_ERR
"Unrecognized candidate auth tok type: [%d]\n",
candidate_auth_tok->token_type);
rc = -EINVAL;
goto out_wipe_list;
}
- if ((rc = ecryptfs_find_auth_tok_for_sig(
- &matching_auth_tok, crypt_stat,
- candidate_auth_tok_sig)))
- rc = 0;
+ ecryptfs_find_auth_tok_for_sig(&matching_auth_tok, crypt_stat,
+ candidate_auth_tok_sig);
if (matching_auth_tok) {
found_auth_tok = 1;
goto found_matching_auth_tok;
/**
* write_tag_1_packet - Write an RFC2440-compatible tag 1 (public key) packet
* @dest: Buffer into which to write the packet
- * @max: Maximum number of bytes that can be writtn
+ * @remaining_bytes: Maximum number of bytes that can be writtn
+ * @auth_tok: The authentication token used for generating the tag 1 packet
+ * @crypt_stat: The cryptographic context
+ * @key_rec: The key record struct for the tag 1 packet
* @packet_size: This function will write the number of bytes that end
* up constituting the packet; set to zero on error
*
+ key_rec->enc_key_size); /* Encrypted key size */
if (max_packet_size > (*remaining_bytes)) {
printk(KERN_ERR "Packet length larger than maximum allowable; "
- "need up to [%d] bytes, but there are only [%d] "
+ "need up to [%td] bytes, but there are only [%td] "
"available\n", max_packet_size, (*remaining_bytes));
rc = -EINVAL;
goto out;
/**
* write_tag_11_packet
* @dest: Target into which Tag 11 packet is to be written
- * @max: Maximum packet length
+ * @remaining_bytes: Maximum packet length
* @contents: Byte array of contents to copy in
* @contents_length: Number of bytes in contents
* @packet_length: Length of the Tag 11 packet written; zero on error
* Returns zero on success; non-zero on error.
*/
static int
-write_tag_11_packet(char *dest, int *remaining_bytes, char *contents,
+write_tag_11_packet(char *dest, size_t *remaining_bytes, char *contents,
size_t contents_length, size_t *packet_length)
{
size_t packet_size_length;
+ contents_length); /* Literal data */
if (max_packet_size > (*remaining_bytes)) {
printk(KERN_ERR "Packet length larger than maximum allowable; "
- "need up to [%d] bytes, but there are only [%d] "
+ "need up to [%td] bytes, but there are only [%td] "
"available\n", max_packet_size, (*remaining_bytes));
rc = -EINVAL;
goto out;
/**
* write_tag_3_packet
* @dest: Buffer into which to write the packet
- * @max: Maximum number of bytes that can be written
+ * @remaining_bytes: Maximum number of bytes that can be written
* @auth_tok: Authentication token
* @crypt_stat: The cryptographic context
* @key_rec: encrypted key
ecryptfs_printk(KERN_DEBUG, "Session key encryption key:\n");
ecryptfs_dump_hex(session_key_encryption_key, 16);
}
- if ((rc = virt_to_scatterlist(crypt_stat->key,
- key_rec->enc_key_size, &src_sg, 1))
- != 1) {
+ rc = virt_to_scatterlist(crypt_stat->key, key_rec->enc_key_size,
+ &src_sg, 1);
+ if (rc != 1) {
ecryptfs_printk(KERN_ERR, "Error generating scatterlist "
"for crypt_stat session key; expected rc = 1; "
"got rc = [%d]. key_rec->enc_key_size = [%d]\n",
rc = -ENOMEM;
goto out;
}
- if ((rc = virt_to_scatterlist(key_rec->enc_key,
- key_rec->enc_key_size, &dst_sg, 1))
- != 1) {
+ rc = virt_to_scatterlist(key_rec->enc_key, key_rec->enc_key_size,
+ &dst_sg, 1);
+ if (rc != 1) {
ecryptfs_printk(KERN_ERR, "Error generating scatterlist "
"for crypt_stat encrypted session key; "
"expected rc = 1; got rc = [%d]. "
+ 1 /* Hash iterations */
+ key_rec->enc_key_size); /* Encrypted key size */
if (max_packet_size > (*remaining_bytes)) {
- printk(KERN_ERR "Packet too large; need up to [%d] bytes, but "
- "there are only [%d] available\n", max_packet_size,
+ printk(KERN_ERR "Packet too large; need up to [%td] bytes, but "
+ "there are only [%td] available\n", max_packet_size,
(*remaining_bytes));
rc = -EINVAL;
goto out;
/**
* ecryptfs_generate_key_packet_set
- * @dest: Virtual address from which to write the key record set
+ * @dest_base: Virtual address from which to write the key record set
* @crypt_stat: The cryptographic context from which the
* authentication tokens will be retrieved
* @ecryptfs_dentry: The dentry, used to retrieve the mount crypt stat
struct ecryptfs_global_auth_tok *new_auth_tok;
int rc = 0;
- new_auth_tok = kmem_cache_alloc(ecryptfs_global_auth_tok_cache,
+ new_auth_tok = kmem_cache_zalloc(ecryptfs_global_auth_tok_cache,
GFP_KERNEL);
if (!new_auth_tok) {
rc = -ENOMEM;