Commit b5695d04 authored by Roberto Sassu's avatar Roberto Sassu Committed by Tyler Hicks

eCryptfs: write lock requested keys

A requested key is write locked in order to prevent modifications on the
authentication token while it is being used.
Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
Signed-off-by: default avatarTyler Hicks <tyhicks@linux.vnet.ibm.com>
parent 950983fc
...@@ -516,10 +516,11 @@ ecryptfs_find_global_auth_tok_for_sig( ...@@ -516,10 +516,11 @@ ecryptfs_find_global_auth_tok_for_sig(
goto out_invalid_auth_tok; goto out_invalid_auth_tok;
} }
down_write(&(walker->global_auth_tok_key->sem));
rc = ecryptfs_verify_auth_tok_from_key( rc = ecryptfs_verify_auth_tok_from_key(
walker->global_auth_tok_key, auth_tok); walker->global_auth_tok_key, auth_tok);
if (rc) if (rc)
goto out_invalid_auth_tok; goto out_invalid_auth_tok_unlock;
(*auth_tok_key) = walker->global_auth_tok_key; (*auth_tok_key) = walker->global_auth_tok_key;
key_get(*auth_tok_key); key_get(*auth_tok_key);
...@@ -527,6 +528,8 @@ ecryptfs_find_global_auth_tok_for_sig( ...@@ -527,6 +528,8 @@ ecryptfs_find_global_auth_tok_for_sig(
} }
rc = -ENOENT; rc = -ENOENT;
goto out; goto out;
out_invalid_auth_tok_unlock:
up_write(&(walker->global_auth_tok_key->sem));
out_invalid_auth_tok: out_invalid_auth_tok:
printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig); printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig);
walker->flags |= ECRYPTFS_AUTH_TOK_INVALID; walker->flags |= ECRYPTFS_AUTH_TOK_INVALID;
...@@ -869,8 +872,10 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes, ...@@ -869,8 +872,10 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
out_unlock: out_unlock:
mutex_unlock(s->tfm_mutex); mutex_unlock(s->tfm_mutex);
out: out:
if (auth_tok_key) if (auth_tok_key) {
up_write(&(auth_tok_key->sem));
key_put(auth_tok_key); key_put(auth_tok_key);
}
kfree(s); kfree(s);
return rc; return rc;
} }
...@@ -1106,8 +1111,10 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size, ...@@ -1106,8 +1111,10 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
(*filename_size) = 0; (*filename_size) = 0;
(*filename) = NULL; (*filename) = NULL;
} }
if (auth_tok_key) if (auth_tok_key) {
up_write(&(auth_tok_key->sem));
key_put(auth_tok_key); key_put(auth_tok_key);
}
kfree(s); kfree(s);
return rc; return rc;
} }
...@@ -1638,9 +1645,10 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key, ...@@ -1638,9 +1645,10 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
(*auth_tok_key) = NULL; (*auth_tok_key) = NULL;
goto out; goto out;
} }
down_write(&(*auth_tok_key)->sem);
rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok); rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok);
if (rc) { if (rc) {
up_write(&(*auth_tok_key)->sem);
key_put(*auth_tok_key); key_put(*auth_tok_key);
(*auth_tok_key) = NULL; (*auth_tok_key) = NULL;
goto out; goto out;
...@@ -1865,6 +1873,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat, ...@@ -1865,6 +1873,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
find_next_matching_auth_tok: find_next_matching_auth_tok:
found_auth_tok = 0; found_auth_tok = 0;
if (auth_tok_key) { if (auth_tok_key) {
up_write(&(auth_tok_key->sem));
key_put(auth_tok_key); key_put(auth_tok_key);
auth_tok_key = NULL; auth_tok_key = NULL;
} }
...@@ -1951,8 +1960,10 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat, ...@@ -1951,8 +1960,10 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
out_wipe_list: out_wipe_list:
wipe_auth_tok_list(&auth_tok_list); wipe_auth_tok_list(&auth_tok_list);
out: out:
if (auth_tok_key) if (auth_tok_key) {
up_write(&(auth_tok_key->sem));
key_put(auth_tok_key); key_put(auth_tok_key);
}
return rc; return rc;
} }
...@@ -2446,6 +2457,7 @@ ecryptfs_generate_key_packet_set(char *dest_base, ...@@ -2446,6 +2457,7 @@ ecryptfs_generate_key_packet_set(char *dest_base,
rc = -EINVAL; rc = -EINVAL;
goto out_free; goto out_free;
} }
up_write(&(auth_tok_key->sem));
key_put(auth_tok_key); key_put(auth_tok_key);
auth_tok_key = NULL; auth_tok_key = NULL;
} }
...@@ -2460,8 +2472,10 @@ ecryptfs_generate_key_packet_set(char *dest_base, ...@@ -2460,8 +2472,10 @@ ecryptfs_generate_key_packet_set(char *dest_base,
out: out:
if (rc) if (rc)
(*len) = 0; (*len) = 0;
if (auth_tok_key) if (auth_tok_key) {
up_write(&(auth_tok_key->sem));
key_put(auth_tok_key); key_put(auth_tok_key);
}
mutex_unlock(&crypt_stat->keysig_list_mutex); mutex_unlock(&crypt_stat->keysig_list_mutex);
return rc; return rc;
......
...@@ -254,8 +254,10 @@ static int ecryptfs_init_global_auth_toks( ...@@ -254,8 +254,10 @@ static int ecryptfs_init_global_auth_toks(
"option: [%s]\n", global_auth_tok->sig); "option: [%s]\n", global_auth_tok->sig);
global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID; global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID;
goto out; goto out;
} else } else {
global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID; global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID;
up_write(&(global_auth_tok->global_auth_tok_key)->sem);
}
} }
out: out:
return rc; return rc;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment