As you probably noticed by now, eCryptfs public key modules do not work with 2.6.24 because of a problem with netlink. I have no idea why that is happening, and I really do not care to debug it. Instead, I have implemented a real device file (via procfs) for communications with the userspace daemon. I have run some preliminary tests with the patch below, and so far, things look pretty good.
To use the procfs interface:
# insmod ecryptfs.ko ecryptfs_transport=3D3
# ecryptfsd -d procfs
I would really like to just make procfs the default, which will
require a few more changes in the userspace daemon code in order to
auto-detect what the kernel can support.
This patch is also in the procfs GIT branch on kernel.org, which is
currently sync'd with Linus' 2.6.25-rc8 release.
The kernel.org GIT ecryptfs-utils has all the userspace changes to
support procfs communications.
I just got all this working about an hour ago, so do not be surprised
if a bug or two pops up in the near future. In the meantime, if you
really want public key on 2.6.24 and later, this is the way to get
it for now.
Thanks,
Mike
---
Makefile | 2=20
ecryptfs_kernel.h | 85 +++++-
keystore.c | 89 +++----
main.c | 4=20
messaging.c | 472 +++++++++++++++++++++++++------------
netlink.c | 8=20
proc.c | 685
++++++++++++++++++++++++++++++++++++++++++++++++++++++
7 files changed, 1133 insertions(+), 212 deletions(-)
diff --git a/fs/ecryptfs/Makefile b/fs/ecryptfs/Makefile
index 7688570..997f97e 100644
--- a/fs/ecryptfs/Makefile
+++ b/fs/ecryptfs/Makefile
@@ -4,4 +4,4 @@
=20
obj-$(CONFIG_ECRYPT_FS) +=3D ecryptfs.o
=20
-ecryptfs-objs :=3D dentry.o file.o inode.o main.o super.o mmap.o read_writ=
e.o crypto.o keystore.o messaging.o netlink.o debug.o
+ecryptfs-objs :=3D dentry.o file.o inode.o main.o super.o mmap.o read_writ=
e.o crypto.o keystore.o messaging.o netlink.o proc.o debug.o
diff --git a/fs/ecryptfs/ecryptfs_kernel.h b/fs/ecryptfs/ecryptfs_kernel.h
index 5007f78..98c8606 100644
--- a/fs/ecryptfs/ecryptfs_kernel.h
+++ b/fs/ecryptfs/ecryptfs_kernel.h
@@ -4,7 +4,7 @@
*
* Copyright (C) 1997-2003 Erez Zadok
* Copyright (C) 2001-2003 Stony Brook University
- * Copyright (C) 2004-2007 International Business Machines Corp.
+ * Copyright (C) 2004-2008 International Business Machines Corp.
* Author(s): Michael A. Halcrow <[EMAIL PROTECTED]>
* Trevor S. Highland <[EMAIL PROTECTED]>
* Tyler Hicks <[EMAIL PROTECTED]>
@@ -73,16 +73,13 @@
#define ECRYPTFS_DEFAULT_MSG_CTX_ELEMS 32
#define ECRYPTFS_DEFAULT_SEND_TIMEOUT HZ
#define ECRYPTFS_MAX_MSG_CTX_TTL (HZ*3)
-#define ECRYPTFS_NLMSG_HELO 100
-#define ECRYPTFS_NLMSG_QUIT 101
-#define ECRYPTFS_NLMSG_REQUEST 102
-#define ECRYPTFS_NLMSG_RESPONSE 103
#define ECRYPTFS_MAX_PKI_NAME_BYTES 16
#define ECRYPTFS_DEFAULT_NUM_USERS 4
#define ECRYPTFS_MAX_NUM_USERS 32768
#define ECRYPTFS_TRANSPORT_NETLINK 0
#define ECRYPTFS_TRANSPORT_CONNECTOR 1
#define ECRYPTFS_TRANSPORT_RELAYFS 2
+#define ECRYPTFS_TRANSPORT_PROCFS 3
#define ECRYPTFS_DEFAULT_TRANSPORT ECRYPTFS_TRANSPORT_NETLINK
#define ECRYPTFS_XATTR_NAME "user.ecryptfs"
=20
@@ -366,32 +363,74 @@ struct ecryptfs_auth_tok_list_item {
};
=20
struct ecryptfs_message {
+ /* Can never be greater than ecryptfs_message_buf_len */
+ /* Used to find the parent msg_ctx */
+ /* Inherits from msg_ctx->index */
u32 index;
u32 data_len;
u8 data[];
};
=20
struct ecryptfs_msg_ctx {
-#define ECRYPTFS_MSG_CTX_STATE_FREE 0x0001
-#define ECRYPTFS_MSG_CTX_STATE_PENDING 0x0002
-#define ECRYPTFS_MSG_CTX_STATE_DONE 0x0003
- u32 state;
- unsigned int index;
- unsigned int counter;
+#define ECRYPTFS_MSG_CTX_STATE_FREE 0x01
+#define ECRYPTFS_MSG_CTX_STATE_PENDING 0x02
+#define ECRYPTFS_MSG_CTX_STATE_DONE 0x03
+#define ECRYPTFS_MSG_CTX_STATE_NO_REPLY 0x04
+ u8 state;
+#define ECRYPTFS_MSG_HELO 100
+#define ECRYPTFS_MSG_QUIT 101
+#define ECRYPTFS_MSG_REQUEST 102
+#define ECRYPTFS_MSG_RESPONSE 103
+ u8 type;
+ u32 index;
+ /* Counter converts to a sequence number. Each message sent
+ * out for which we expect a response has an associated
+ * sequence number. The response must have the same sequence
+ * number as the counter for the msg_stc for the message to be
+ * valid. */
+ u32 counter;
+ size_t msg_size;
struct ecryptfs_message *msg;
struct task_struct *task;
struct list_head node;
+ struct list_head daemon_out_list;
struct mutex mux;
};
=20
extern unsigned int ecryptfs_transport;
=20
-struct ecryptfs_daemon_id {
+struct ecryptfs_daemon;
+
+struct ecryptfs_proc_handle {
+#define ECRYPTFS_PROC_HANDLE_EXISTS 0x00000001
+#define ECRYPTFS_PROC_HANDLE_OPEN 0x00000002
+ u32 flags;
+ struct proc_dir_entry *proc_dir_entry;
+ struct ecryptfs_daemon *daemon_parent;
+#define ECRYPTFS_PROC_HANDLE_MAX 32
+ char handle[ECRYPTFS_PROC_HANDLE_MAX];
+};
+
+struct ecryptfs_daemon {
+#define ECRYPTFS_DAEMON_IN_READ 0x00000001
+#define ECRYPTFS_DAEMON_IN_POLL 0x00000002
+#define ECRYPTFS_DAEMON_ZOMBIE 0x00000004
+ u32 flags;
+ u32 num_queued_msg_ctx;
pid_t pid;
- uid_t uid;
- struct hlist_node id_chain;
+ uid_t euid;
+ struct task_struct *task;
+ struct mutex mux;
+ struct list_head msg_ctx_out_queue;
+ wait_queue_head_t wait;
+ struct hlist_node euid_chain;
+ struct ecryptfs_proc_handle proc_handle;
};
=20
+extern struct mutex ecryptfs_daemon_hash_mux;
+
+extern struct proc_dir_entry *ecryptfs_proc_dir_entry;
+
static inline struct ecryptfs_file_info *
ecryptfs_file_to_private(struct file *file)
{
@@ -593,13 +632,13 @@ int ecryptfs_init_messaging(unsigned int transport);
void ecryptfs_release_messaging(unsigned int transport);
=20
int ecryptfs_send_netlink(char *data, int data_len,
- struct ecryptfs_msg_ctx *msg_ctx, u16 msg_type,
+ struct ecryptfs_msg_ctx *msg_ctx, u8 msg_type,
u16 msg_flags, pid_t daemon_pid);
int ecryptfs_init_netlink(void);
void ecryptfs_release_netlink(void);
=20
int ecryptfs_send_connector(char *data, int data_len,
- struct ecryptfs_msg_ctx *msg_ctx, u16 msg_type,
+ struct ecryptfs_msg_ctx *msg_ctx, u8 msg_type,
u16 msg_flags, pid_t daemon_pid);
int ecryptfs_init_connector(void);
void ecryptfs_release_connector(void);
@@ -642,5 +681,19 @@ int ecryptfs_read_lower_page_segment(struct page *page=
_for_ecryptfs,
size_t offset_in_page, size_t size,
struct inode *ecryptfs_inode);
struct page *ecryptfs_get_locked_page(struct file *file, loff_t index);
+int ecryptfs_exorcise_daemon(struct ecryptfs_daemon *daemon);
+int ecryptfs_find_daemon_by_euid(struct ecryptfs_daemon **daemon, uid_t eu=
id);
+int ecryptfs_init_ecryptfs_proc(void);
+void ecryptfs_destroy_ecryptfs_proc(void);
+int ecryptfs_parse_packet_length(unsigned char *data, size_t *size,
+ size_t *length_size);
+int ecryptfs_write_packet_length(char *dest, size_t size,
+ size_t *packet_size_length);
+int ecryptfs_send_proc(char *data, size_t data_size,
+ struct ecryptfs_msg_ctx *msg_ctx, u8 msg_type,
+ u16 msg_flags, struct ecryptfs_daemon *daemon);
+void ecryptfs_msg_ctx_alloc_to_free(struct ecryptfs_msg_ctx *msg_ctx);
+int
+ecryptfs_spawn_daemon(struct ecryptfs_daemon **daemon, uid_t euid, pid_t p=
id);
=20
#endif /* #ifndef ECRYPTFS_KERNEL_H */
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
index 682b1b2..703ae59 100644
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -65,7 +65,7 @@ static int process_request_key_err(long err_code)
}
=20
/**
- * parse_packet_length
+ * ecryptfs_parse_packet_length
* @data: Pointer to memory containing length at offset
* @size: This function writes the decoded size to this memory
* address; zero on error
@@ -73,8 +73,8 @@ static int process_request_key_err(long err_code)
*
* Returns zero on success; non-zero on error
*/
-static int parse_packet_length(unsigned char *data, size_t *size,
- size_t *length_size)
+int ecryptfs_parse_packet_length(unsigned char *data, size_t *size,
+ size_t *length_size)
{
int rc =3D 0;
=20
@@ -105,7 +105,7 @@ out:
}
=20
/**
- * write_packet_length
+ * ecryptfs_write_packet_length
* @dest: The byte array target into which to write the length. Must
* have at least 5 bytes allocated.
* @size: The length to write.
@@ -114,8 +114,8 @@ out:
*
* Returns zero on success; non-zero on error.
*/
-static int write_packet_length(char *dest, size_t size,
- size_t *packet_size_length)
+int ecryptfs_write_packet_length(char *dest, size_t size,
+ size_t *packet_size_length)
{
int rc =3D 0;
=20
@@ -162,8 +162,8 @@ write_tag_64_packet(char *signature, struct ecryptfs_se=
ssion_key *session_key,
goto out;
}
message[i++] =3D ECRYPTFS_TAG_64_PACKET_TYPE;
- rc =3D write_packet_length(&message[i], ECRYPTFS_SIG_SIZE_HEX,
- &packet_size_len);
+ rc =3D ecryptfs_write_packet_length(&message[i], ECRYPTFS_SIG_SIZE_HEX,
+ &packet_size_len);
if (rc) {
ecryptfs_printk(KERN_ERR, "Error generating tag 64 packet "
"header; cannot generate packet length\n");
@@ -172,8 +172,9 @@ write_tag_64_packet(char *signature, struct ecryptfs_se=
ssion_key *session_key,
i +=3D packet_size_len;
memcpy(&message[i], signature, ECRYPTFS_SIG_SIZE_HEX);
i +=3D ECRYPTFS_SIG_SIZE_HEX;
- rc =3D write_packet_length(&message[i], session_key->encrypted_key_size,
- &packet_size_len);
+ rc =3D ecryptfs_write_packet_length(&message[i],
+ session_key->encrypted_key_size,
+ &packet_size_len);
if (rc) {
ecryptfs_printk(KERN_ERR, "Error generating tag 64 packet "
"header; cannot generate packet length\n");
@@ -225,7 +226,7 @@ parse_tag_65_packet(struct ecryptfs_session_key *sessio=
n_key, u8 *cipher_code,
rc =3D -EIO;
goto out;
}
- rc =3D parse_packet_length(&data[i], &m_size, &data_len);
+ rc =3D ecryptfs_parse_packet_length(&data[i], &m_size, &data_len);
if (rc) {
ecryptfs_printk(KERN_WARNING, "Error parsing packet length; "
"rc =3D [%d]\n", rc);
@@ -304,8 +305,8 @@ write_tag_66_packet(char *signature, u8 cipher_code,
goto out;
}
message[i++] =3D ECRYPTFS_TAG_66_PACKET_TYPE;
- rc =3D write_packet_length(&message[i], ECRYPTFS_SIG_SIZE_HEX,
- &packet_size_len);
+ rc =3D ecryptfs_write_packet_length(&message[i], ECRYPTFS_SIG_SIZE_HEX,
+ &packet_size_len);
if (rc) {
ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet "
"header; cannot generate packet length\n");
@@ -315,8 +316,8 @@ write_tag_66_packet(char *signature, u8 cipher_code,
memcpy(&message[i], signature, ECRYPTFS_SIG_SIZE_HEX);
i +=3D ECRYPTFS_SIG_SIZE_HEX;
/* The encrypted key includes 1 byte cipher code and 2 byte checksum */
- rc =3D write_packet_length(&message[i], crypt_stat->key_size + 3,
- &packet_size_len);
+ rc =3D ecryptfs_write_packet_length(&message[i], crypt_stat->key_size +
3,
+ &packet_size_len);
if (rc) {
ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet "
"header; cannot generate packet length\n");
@@ -357,20 +358,25 @@ parse_tag_67_packet(struct ecryptfs_key_record *key_r=
ec,
/* verify that everything through the encrypted FEK size is present */
if (message_len < 4) {
rc =3D -EIO;
+ printk(KERN_ERR "%s: message_len is [%d]; minimum acceptable "
+ "message length is [%d]\n", __func__, message_len, 4);
goto out;
}
if (data[i++] !=3D ECRYPTFS_TAG_67_PACKET_TYPE) {
- ecryptfs_printk(KERN_ERR, "Type should be ECRYPTFS_TAG_67\n");
rc =3D -EIO;
+ printk(KERN_ERR "%s: Type should be ECRYPTFS_TAG_67\n",
+ __func__);
goto out;
}
if (data[i++]) {
- ecryptfs_printk(KERN_ERR, "Status indicator has non zero value"
- " [%d]\n", data[i-1]);
rc =3D -EIO;
+ printk(KERN_ERR "%s: Status indicator has non zero "
+ "value [%d]\n", __func__, data[i-1]);
+
goto out;
}
- rc =3D parse_packet_length(&data[i], &key_rec->enc_key_size, &data_len);
+ rc =3D ecryptfs_parse_packet_length(&data[i], &key_rec->enc_key_size,
+ &data_len);
if (rc) {
ecryptfs_printk(KERN_WARNING, "Error parsing packet length; "
"rc =3D [%d]\n", rc);
@@ -378,17 +384,17 @@ parse_tag_67_packet(struct ecryptfs_key_record *key_r=
ec,
}
i +=3D data_len;
if (message_len < (i + key_rec->enc_key_size)) {
- ecryptfs_printk(KERN_ERR, "message_len [%d]; max len is [%d]\n",
- message_len, (i + key_rec->enc_key_size));
rc =3D -EIO;
+ printk(KERN_ERR "%s: message_len [%d]; max len is [%d]\n",
+ __func__, message_len, (i + key_rec->enc_key_size));
goto out;
}
if (key_rec->enc_key_size > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
- ecryptfs_printk(KERN_ERR, "Encrypted key_size [%d] larger than "
- "the maximum key size [%d]\n",
- key_rec->enc_key_size,
- ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES);
rc =3D -EIO;
+ printk(KERN_ERR "%s: Encrypted key_size [%d] larger than "
+ "the maximum key size [%d]\n", __func__,
+ key_rec->enc_key_size,
+ ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES);
goto out;
}
memcpy(key_rec->enc_key, &data[i], key_rec->enc_key_size);
@@ -445,7 +451,7 @@ decrypt_pki_encrypted_session_key(struct ecryptfs_auth_=
tok *auth_tok,
rc =3D write_tag_64_packet(auth_tok_sig, &(auth_tok->session_key),
&netlink_message, &netlink_message_length);
if (rc) {
- ecryptfs_printk(KERN_ERR, "Failed to write tag 64 packet");
+ ecryptfs_printk(KERN_ERR, "Failed to write tag 64 packet\n");
goto out;
}
rc =3D ecryptfs_send_message(ecryptfs_transport, netlink_message,
@@ -570,8 +576,8 @@ parse_tag_1_packet(struct ecryptfs_crypt_stat *crypt_st=
at,
goto out;
}
(*new_auth_tok) =3D &auth_tok_list_item->auth_tok;
- rc =3D parse_packet_length(&data[(*packet_size)], &body_size,
- &length_size);
+ rc =3D ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size,
+ &length_size);
if (rc) {
printk(KERN_WARNING "Error parsing packet length; "
"rc =3D [%d]\n", rc);
@@ -704,8 +710,8 @@ parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_st=
at,
goto out;
}
(*new_auth_tok) =3D &auth_tok_list_item->auth_tok;
- rc =3D parse_packet_length(&data[(*packet_size)], &body_size,
- &length_size);
+ rc =3D ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size,
+ &length_size);
if (rc) {
printk(KERN_WARNING "Error parsing packet length; rc =3D
[%d]\n",
rc);
@@ -852,8 +858,8 @@ parse_tag_11_packet(unsigned char *data, unsigned char =
*contents,
rc =3D -EINVAL;
goto out;
}
- rc =3D parse_packet_length(&data[(*packet_size)], &body_size,
- &length_size);
+ rc =3D ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size,
+ &length_size);
if (rc) {
printk(KERN_WARNING "Invalid tag 11 packet format\n");
goto out;
@@ -1405,8 +1411,8 @@ write_tag_1_packet(char *dest, size_t *remaining_byte=
s,
auth_tok->token.private_key.key_size;
rc =3D pki_encrypt_session_key(auth_tok, crypt_stat, key_rec);
if (rc) {
- ecryptfs_printk(KERN_ERR, "Failed to encrypt session key "
- "via a pki");
+ printk(KERN_ERR "Failed to encrypt session key via a key "
+ "module; rc =3D [%d]\n", rc);
goto out;
}
if (ecryptfs_verbosity > 0) {
@@ -1430,8 +1436,9 @@ encrypted_session_key_set:
goto out;
}
dest[(*packet_size)++] =3D ECRYPTFS_TAG_1_PACKET_TYPE;
- rc =3D write_packet_length(&dest[(*packet_size)], (max_packet_size - 4),
- &packet_size_length);
+ rc =3D ecryptfs_write_packet_length(&dest[(*packet_size)],
+ (max_packet_size - 4),
+ &packet_size_length);
if (rc) {
ecryptfs_printk(KERN_ERR, "Error generating tag 1 packet "
"header; cannot generate packet length\n");
@@ -1489,8 +1496,9 @@ write_tag_11_packet(char *dest, size_t *remaining_byt=
es, char *contents,
goto out;
}
dest[(*packet_length)++] =3D ECRYPTFS_TAG_11_PACKET_TYPE;
- rc =3D write_packet_length(&dest[(*packet_length)],
- (max_packet_size - 4), &packet_size_length);
+ rc =3D ecryptfs_write_packet_length(&dest[(*packet_length)],
+ (max_packet_size - 4),
+ &packet_size_length);
if (rc) {
printk(KERN_ERR "Error generating tag 11 packet header; cannot "
"generate packet length. rc =3D [%d]\n", rc);
@@ -1682,8 +1690,9
pgpPB32RjcKGU.pgp
Description: PGP signature
------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Register now and save $200. Hurry, offer ends at 11:59 p.m., Monday, April 7! Use priority code J8TLD2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________ eCryptfs-users mailing list eCryptfs-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ecryptfs-users
