From: Mike Halcrow <mhalcrow@us.ibm.com>
To: Andrew Morton <akpm@osdl.org>
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
Mike Halcrow <mhalcrow@us.ibm.com>,
Mike Halcrow <mike@halcrow.us>
Subject: [PATCH 2/12] Support for larger maximum key size
Date: Tue, 20 Jun 2006 16:22:59 -0500
Message-ID: <E1FsngZ-00078k-Jc@localhost.localdomain>
In-Reply-To: <20060620212134.GB18701@us.ibm.com>
Support for larger maximum key size. Necessary for future patches that
will enable cipher selection and keysize specification. Increments the
version number because ECRYPTFS_MAX_KEY_BYTES changes, which changes a
struct that is accessed in both userspace and kernel space.

Note that with this patch, users must upgrade their userspace utility
package to one prefixed ``ecryptfs-util-git-2.6.17-rc6-mm2++'' or
higher (see the eCryptfs SourceForge page for userspace utilities).

Signed-off-by: Michael Halcrow <mhalcrow@us.ibm.com>
---
fs/ecryptfs/ecryptfs_kernel.h | 4 ++--
fs/ecryptfs/keystore.c | 34 ++++++++++++++++++----------------
2 files changed, 20 insertions(+), 18 deletions(-)
d13ab4035bb6c56bfb7d82523069324523e99f62
diff --git a/fs/ecryptfs/ecryptfs_kernel.h b/fs/ecryptfs/ecryptfs_kernel.h
index 8e35dbd..1fd6039 100644
--- a/fs/ecryptfs/ecryptfs_kernel.h
+++ b/fs/ecryptfs/ecryptfs_kernel.h
@@ -32,7 +32,7 @@ #include <linux/scatterlist.h>
/* Version verification for shared data structures w/ userspace */
#define ECRYPTFS_VERSION_MAJOR 0x00
-#define ECRYPTFS_VERSION_MINOR 0x01
+#define ECRYPTFS_VERSION_MINOR 0x02
#define ECRYPTFS_SUPPORTED_FILE_VERSION 0x01
#define ECRYPTFS_MAX_PASSWORD_LENGTH 64
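Review bot: the comment above ECRYPTFS_VERSION_MINOR says only that the version covers structures shared with userspace; with the bump to 0x02 it should record what changed (ECRYPTFS_MAX_KEY_BYTES grows from 16 to 64 in the next hunk), so that a later reader can tell which shared layout each minor value corresponds to.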
@@ -45,7 +45,7 @@ #define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS
#define ECRYPTFS_SIG_SIZE 8
#define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2)
#define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX
-#define ECRYPTFS_MAX_KEY_BYTES 16
+#define ECRYPTFS_MAX_KEY_BYTES 64
#define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512
#define ECRYPTFS_DEFAULT_IV_BYTES 16
#define ECRYPTFS_FILE_VERSION 0x01
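Review bot: the new ECRYPTFS_MAX_KEY_BYTES value of 64 is never enforced in the keystore.c changes of this patch: crypt_stat->key_size_bits / 8 is used there as a setkey and memcpy length without being compared against ECRYPTFS_MAX_KEY_BYTES. Add a range check where key_size_bits is set, or before its first use as a length, so that a value above 64 bytes is rejected rather than trusted. A short comment on why 64 was chosen would also help.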
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
index c250888..a83914c 100644
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -486,8 +486,17 @@ static int decrypt_session_key(struct ec
rc = -ENOMEM;
goto out;
}
+ if (password_s_ptr->session_key_encryption_key_bytes
+ < crypto_tfm_alg_min_keysize(tfm)) {
+ printk(KERN_WARNING "Session key encryption key is [%d] bytes; "
+ "minimum keysize for selected cipher is [%d] bytes.\n",
+ password_s_ptr->session_key_encryption_key_bytes,
+ crypto_tfm_alg_min_keysize(tfm));
+ rc = -EINVAL;
+ goto out;
+ }
crypto_cipher_setkey(tfm, password_s_ptr->session_key_encryption_key,
- password_s_ptr->session_key_encryption_key_bytes);
+ (crypt_stat->key_size_bits / 8));
/* TODO: virt_to_scatterlist */
encrypted_session_key = (char *)__get_free_page(GFP_KERNEL);
if (!encrypted_session_key) {
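Review bot: the new minimum-size check tests password_s_ptr->session_key_encryption_key_bytes, but the crypto_cipher_setkey() call right after it now passes (crypt_stat->key_size_bits / 8) as the length, so the value validated is not the value used. If key_size_bits / 8 is larger than session_key_encryption_key_bytes, setkey consumes bytes past the stored key material, and if it is below the cipher minimum this check does not catch it. Validate the length that is actually passed, or verify that the two lengths agree and return -EINVAL otherwise. The return value of crypto_cipher_setkey() is also ignored here, while write_tag_3_packet() tests rc < 0 for the same call; do the same in this function.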
@@ -806,24 +815,18 @@ write_tag_3_packet(char *dest, int max,
ECRYPTFS_SIG_SIZE);
(*key_rec).enc_key_size_bits = crypt_stat->key_size_bits;
encrypted_session_key_valid = 0;
- if (auth_tok->session_key.encrypted_key_size == 0)
- auth_tok->session_key.encrypted_key_size =
- ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES;
- for (i = 0; i < auth_tok->session_key.encrypted_key_size; i++)
+ for (i = 0; i < (crypt_stat->key_size_bits / 8); i++)
encrypted_session_key_valid |=
auth_tok->session_key.encrypted_key[i];
- if (auth_tok->session_key.encrypted_key_size == 0) {
- ecryptfs_printk(KERN_WARNING, "auth_tok->session_key."
- "encrypted_key_size == 0");
- auth_tok->session_key.encrypted_key_size =
- ECRYPTFS_DEFAULT_KEY_BYTES;
- }
if (encrypted_session_key_valid) {
memcpy((*key_rec).enc_key,
auth_tok->session_key.encrypted_key,
auth_tok->session_key.encrypted_key_size);
goto encrypted_session_key_set;
}
+ if (auth_tok->session_key.encrypted_key_size == 0)
+ auth_tok->session_key.encrypted_key_size =
+ (crypt_stat->key_size_bits / 8);
if (ECRYPTFS_CHECK_FLAG(auth_tok->token.password.flags,
ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET)) {
ecryptfs_printk(KERN_DEBUG, "Using previously generated "
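Review bot: the validity scan and the memcpy() that follows it no longer use the same length: the loop inspects (crypt_stat->key_size_bits / 8) bytes of encrypted_key, while the copy still uses auth_tok->session_key.encrypted_key_size. Because the zero-size default now sits after the if (encrypted_session_key_valid) block, a token with non-zero key bytes and encrypted_key_size == 0 takes the goto after a zero-length copy. Move the default back above the loop, or use one length for both the scan and the copy and bound it against the size of (*key_rec).enc_key. The removed warning was the only diagnostic for encrypted_key_size == 0; consider keeping one.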
@@ -832,8 +835,7 @@ write_tag_3_packet(char *dest, int max,
session_key_encryption_key_bytes);
memcpy(session_key_encryption_key,
auth_tok->token.password.session_key_encryption_key,
- auth_tok->token.password.
- session_key_encryption_key_bytes);
+ (crypt_stat->key_size_bits / 8));
ecryptfs_printk(KERN_DEBUG,
"Cached session key " "encryption key: \n");
if (ecryptfs_verbosity > 0)
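Review bot: the memcpy() length is now (crypt_stat->key_size_bits / 8) instead of the stored session_key_encryption_key_bytes, so the copy size is decoupled from the number of bytes the cached key actually holds. Nothing in the visible lines checks that key_size_bits / 8 is no larger than that stored length or than the destination buffer; add that check before the copy and fail if the lengths disagree. The debug message just above still reports session_key_encryption_key_bytes, which will no longer match the number of bytes copied.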
@@ -870,7 +872,7 @@ write_tag_3_packet(char *dest, int max,
goto out;
}
rc = crypto_cipher_setkey(tfm, session_key_encryption_key,
- ECRYPTFS_DEFAULT_KEY_BYTES);
+ (crypt_stat->key_size_bits / 8));
if (rc < 0) {
ecryptfs_printk(KERN_ERR, "Error setting key for crypto "
"context\n");
@@ -880,7 +882,7 @@ write_tag_3_packet(char *dest, int max,
ecryptfs_printk(KERN_DEBUG, "Encrypting [%d] bytes of the key\n",
crypt_stat->key_size_bits / 8);
crypto_cipher_encrypt(tfm, dest_sg, src_sg,
- crypt_stat->key_size_bits / 8);
+ (crypt_stat->key_size_bits / 8));
ecryptfs_printk(KERN_DEBUG, "This should be the encrypted key:\n");
if (ecryptfs_verbosity > 0)
ecryptfs_dump_hex((*key_rec).enc_key,
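Review bot: the only change to the crypto_cipher_encrypt() call is an added pair of parentheses around crypt_stat->key_size_bits / 8, which has no effect and adds noise to the patch; drop it. The same expression is now used as a length throughout write_tag_3_packet(), so compute it once into a local variable, which also gives a single place to range-check it.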
@@ -889,7 +891,7 @@ encrypted_session_key_set:
/* Now we have a valid key_rec. Append it to the
* key_rec set. */
key_rec_size = (sizeof(struct ecryptfs_key_record)
- - ECRYPTFS_MAX_KEY_BYTES
+ - ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES
+ ((*key_rec).enc_key_size_bits / 8) );
/* TODO: Include a packet size limit as a parameter to this
* function once we have multi-packet headers (for versions
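Review bot: in the key_rec_size calculation, subtracting ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES instead of ECRYPTFS_MAX_KEY_BYTES is only correct if enc_key in struct ecryptfs_key_record is declared with that size, and the struct declaration is not part of this patch. Use sizeof((*key_rec).enc_key) rather than the macro so the arithmetic cannot drift from the declaration. Nothing here checks that (*key_rec).enc_key_size_bits / 8 fits in enc_key. The change also reads as a separate fix that the commit message does not mention; describe it there or split it out.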
--
1.3.3