/*
* ecryptfs_fill_auth_tok - fill the ecryptfs_auth_tok structure
*
* Fill the ecryptfs_auth_tok structure with required ecryptfs data.
* The source code is inspired to the original function generate_payload()
* shipped with the software 'ecryptfs-utils' version 83.
*
*/
int ecryptfs_fill_auth_tok(struct ecryptfs_auth_tok *auth_tok,
const char *key_desc)
{
int major, minor;
ecryptfs_get_versions(&major, &minor, NULL);
auth_tok->version = (((uint16_t)(major << 8) & 0xFF00)
| ((uint16_t)minor & 0x00FF));
auth_tok->token_type = ECRYPTFS_PASSWORD;
strncpy((char *)auth_tok->token.password.signature, key_desc,
ECRYPTFS_PASSWORD_SIG_SIZE);
auth_tok->token.password.session_key_encryption_key_bytes =
ECRYPTFS_MAX_KEY_BYTES;
/*
* Removed auth_tok->token.password.salt and
* auth_tok->token.password.session_key_encryption_key
* initialization from the original code
*/
/* TODO: Make the hash parameterizable via policy */
auth_tok->token.password.flags |=
ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET;
/* The kernel code will encrypt the session key. */
auth_tok->session_key.encrypted_key[0] = 0;
auth_tok->session_key.encrypted_key_size = 0;
/* Default; subject to change by kernel eCryptfs */
auth_tok->token.password.hash_algo = PGP_DIGEST_ALGO_SHA512;
auth_tok->token.password.flags &= ~(ECRYPTFS_PERSISTENT_PASSWORD);
return 0;
}
/**
* @return Zero on success
*/
int
generate_payload(struct ecryptfs_auth_tok *auth_tok, char *passphrase_sig,
char *salt, char *session_key_encryption_key)
{
int rc = 0;
int major, minor;
memset(auth_tok, 0, sizeof(struct ecryptfs_auth_tok));
ecryptfs_get_versions(&major, &minor, NULL);
auth_tok->version = (((uint16_t)(major << 8) & 0xFF00)
| ((uint16_t)minor & 0x00FF));
auth_tok->token_type = ECRYPTFS_PASSWORD;
strncpy((char *)auth_tok->token.password.signature, passphrase_sig,
ECRYPTFS_PASSWORD_SIG_SIZE);
memcpy(auth_tok->token.password.salt, salt, ECRYPTFS_SALT_SIZE);
memcpy(auth_tok->token.password.session_key_encryption_key,
session_key_encryption_key, ECRYPTFS_MAX_KEY_BYTES);
/* TODO: Make the hash parameterizable via policy */
auth_tok->token.password.session_key_encryption_key_bytes =
ECRYPTFS_MAX_KEY_BYTES;
auth_tok->token.password.flags |=
ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET;
/* The kernel code will encrypt the session key. */
auth_tok->session_key.encrypted_key[0] = 0;
auth_tok->session_key.encrypted_key_size = 0;
/* Default; subject to change by kernel eCryptfs */
auth_tok->token.password.hash_algo = PGP_DIGEST_ALGO_SHA512;
auth_tok->token.password.flags &= ~(ECRYPTFS_PERSISTENT_PASSWORD);
return rc;
}
int ecryptfs_fill_auth_tok(struct ecryptfs_auth_tok *auth_tok,
const char *key_desc)
{
int major, minor;
ecryptfs_get_versions(&major, &minor, NULL);
auth_tok->version = (((uint16_t)(major << 8) & 0xFF00)
| ((uint16_t)minor & 0x00FF));
auth_tok->token_type = ECRYPTFS_PASSWORD;
strncpy((char *)auth_tok->token.password.signature, key_desc,
ECRYPTFS_PASSWORD_SIG_SIZE);
auth_tok->token.password.session_key_encryption_key_bytes =
ECRYPTFS_MAX_KEY_BYTES;
auth_tok->token.password.flags |=
ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET;
auth_tok->session_key.encrypted_key[0] = 0;
auth_tok->session_key.encrypted_key_size = 0;
auth_tok->token.password.hash_algo = PGP_DIGEST_ALGO_SHA512;
auth_tok->token.password.flags &= ~(ECRYPTFS_PERSISTENT_PASSWORD);
return 0;
}
/**
* @auth_tok: A previous call to get_blob() by the callee determined
* how much space to allocate at the end of the auth_tok
* memory for the blob; this memory is already allocated
* and ready to be written into
*/
int
ecryptfs_generate_key_payload(struct ecryptfs_auth_tok *auth_tok,
struct ecryptfs_key_mod *key_mod,
char *sig, size_t blob_size)
{
int major, minor;
unsigned char *key_data;
size_t key_data_len;
size_t blob_size_tmp;
int rc = 0;
memset(auth_tok, 0, sizeof(struct ecryptfs_auth_tok) + blob_size);
ecryptfs_get_versions(&major, &minor, NULL);
auth_tok->version = (((uint16_t)(major << 8) & 0xFF00)
| ((uint16_t)minor & 0x00FF));
auth_tok->token_type = ECRYPTFS_PRIVATE_KEY;
if (key_mod->blob == NULL) {
if ((rc = (key_mod->ops->get_blob)
(auth_tok->token.private_key.data, &blob_size_tmp,
key_mod->param_vals, key_mod->num_param_vals))) {
syslog(LOG_ERR, "Call into key module's get_blob "
"failed; rc = [%d]\n", rc);
goto out;
}
} else {
blob_size_tmp = key_mod->blob_size;
memcpy(auth_tok->token.private_key.data, key_mod->blob,
key_mod->blob_size);
}
if (blob_size != blob_size_tmp) {
rc = -EINVAL;
syslog(LOG_ERR, "BUG: blob_size != blob_size_tmp; key module "
"is having a hard time getting the two to match between "
"get_blob() calls, and this has probably led to memory "
"corruption. Bombing out.\n");
exit(1);
goto out;
}
if ((rc = (key_mod->ops->get_key_data)
(NULL, &key_data_len, auth_tok->token.private_key.data))) {
syslog(LOG_ERR, "Call into key module's get_key_data failed; "
"rc = [%d]\n", rc);
goto out;
}
if (key_data_len == 0) {
if ((rc = (key_mod->ops->get_key_sig)(
(unsigned char *)sig,
auth_tok->token.private_key.data))) {
syslog(LOG_ERR, "Call into key module's get_key_sig "
"failed; rc = [%d]\n", rc);
goto out;
}
} else {
if ((key_data = malloc(key_data_len)) == NULL) {
rc = -ENOMEM;
goto out;
}
if ((rc = (key_mod->ops->get_key_data)
(key_data, &key_data_len,
auth_tok->token.private_key.data))) {
syslog(LOG_ERR, "Call into key module's get_key_data "
"failed; rc = [%d]\n", rc);
goto out;
}
if ((rc = ecryptfs_generate_sig_from_key_data(
(unsigned char *)sig, key_data, key_data_len))) {
syslog(LOG_ERR, "Error attempting to generate "
"signature from key data; rc = [%d]\n", rc);
goto out;
}
if (sig[0] == '\0') {
if ((rc = (key_mod->ops->get_key_sig)(
(unsigned char *)sig,
auth_tok->token.private_key.data))) {
syslog(LOG_ERR, "Call into key module's "
"get_key_sig failed; rc = [%d]\n", rc);
goto out;
}
}
}
strncpy(auth_tok->token.private_key.key_mod_alias, key_mod->alias,
ECRYPTFS_MAX_KEY_MOD_NAME_BYTES);
/* TODO: Get rid of this */
auth_tok->token.private_key.key_size = ECRYPTFS_MAX_KEY_MOD_NAME_BYTES;
auth_tok->token.private_key.data_len = blob_size;
memcpy(auth_tok->token.private_key.signature, sig,
ECRYPTFS_SIG_SIZE_HEX);
auth_tok->token.private_key.signature[ECRYPTFS_SIG_SIZE_HEX] = '\0';
out:
return rc;
}
