/* * ecryptfs_fill_auth_tok - fill the ecryptfs_auth_tok structure * * Fill the ecryptfs_auth_tok structure with required ecryptfs data. * The source code is inspired to the original function generate_payload() * shipped with the software 'ecryptfs-utils' version 83. * */ int ecryptfs_fill_auth_tok(struct ecryptfs_auth_tok *auth_tok, const char *key_desc) { int major, minor; ecryptfs_get_versions(&major, &minor, NULL); auth_tok->version = (((uint16_t)(major << 8) & 0xFF00) | ((uint16_t)minor & 0x00FF)); auth_tok->token_type = ECRYPTFS_PASSWORD; strncpy((char *)auth_tok->token.password.signature, key_desc, ECRYPTFS_PASSWORD_SIG_SIZE); auth_tok->token.password.session_key_encryption_key_bytes = ECRYPTFS_MAX_KEY_BYTES; /* * Removed auth_tok->token.password.salt and * auth_tok->token.password.session_key_encryption_key * initialization from the original code */ /* TODO: Make the hash parameterizable via policy */ auth_tok->token.password.flags |= ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET; /* The kernel code will encrypt the session key. */ auth_tok->session_key.encrypted_key[0] = 0; auth_tok->session_key.encrypted_key_size = 0; /* Default; subject to change by kernel eCryptfs */ auth_tok->token.password.hash_algo = PGP_DIGEST_ALGO_SHA512; auth_tok->token.password.flags &= ~(ECRYPTFS_PERSISTENT_PASSWORD); return 0; }
/** * @return Zero on success */ int generate_payload(struct ecryptfs_auth_tok *auth_tok, char *passphrase_sig, char *salt, char *session_key_encryption_key) { int rc = 0; int major, minor; memset(auth_tok, 0, sizeof(struct ecryptfs_auth_tok)); ecryptfs_get_versions(&major, &minor, NULL); auth_tok->version = (((uint16_t)(major << 8) & 0xFF00) | ((uint16_t)minor & 0x00FF)); auth_tok->token_type = ECRYPTFS_PASSWORD; strncpy((char *)auth_tok->token.password.signature, passphrase_sig, ECRYPTFS_PASSWORD_SIG_SIZE); memcpy(auth_tok->token.password.salt, salt, ECRYPTFS_SALT_SIZE); memcpy(auth_tok->token.password.session_key_encryption_key, session_key_encryption_key, ECRYPTFS_MAX_KEY_BYTES); /* TODO: Make the hash parameterizable via policy */ auth_tok->token.password.session_key_encryption_key_bytes = ECRYPTFS_MAX_KEY_BYTES; auth_tok->token.password.flags |= ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET; /* The kernel code will encrypt the session key. */ auth_tok->session_key.encrypted_key[0] = 0; auth_tok->session_key.encrypted_key_size = 0; /* Default; subject to change by kernel eCryptfs */ auth_tok->token.password.hash_algo = PGP_DIGEST_ALGO_SHA512; auth_tok->token.password.flags &= ~(ECRYPTFS_PERSISTENT_PASSWORD); return rc; }
int ecryptfs_fill_auth_tok(struct ecryptfs_auth_tok *auth_tok, const char *key_desc) { int major, minor; ecryptfs_get_versions(&major, &minor, NULL); auth_tok->version = (((uint16_t)(major << 8) & 0xFF00) | ((uint16_t)minor & 0x00FF)); auth_tok->token_type = ECRYPTFS_PASSWORD; strncpy((char *)auth_tok->token.password.signature, key_desc, ECRYPTFS_PASSWORD_SIG_SIZE); auth_tok->token.password.session_key_encryption_key_bytes = ECRYPTFS_MAX_KEY_BYTES; auth_tok->token.password.flags |= ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET; auth_tok->session_key.encrypted_key[0] = 0; auth_tok->session_key.encrypted_key_size = 0; auth_tok->token.password.hash_algo = PGP_DIGEST_ALGO_SHA512; auth_tok->token.password.flags &= ~(ECRYPTFS_PERSISTENT_PASSWORD); return 0; }
/** * @auth_tok: A previous call to get_blob() by the callee determined * how much space to allocate at the end of the auth_tok * memory for the blob; this memory is already allocated * and ready to be written into */ int ecryptfs_generate_key_payload(struct ecryptfs_auth_tok *auth_tok, struct ecryptfs_key_mod *key_mod, char *sig, size_t blob_size) { int major, minor; unsigned char *key_data; size_t key_data_len; size_t blob_size_tmp; int rc = 0; memset(auth_tok, 0, sizeof(struct ecryptfs_auth_tok) + blob_size); ecryptfs_get_versions(&major, &minor, NULL); auth_tok->version = (((uint16_t)(major << 8) & 0xFF00) | ((uint16_t)minor & 0x00FF)); auth_tok->token_type = ECRYPTFS_PRIVATE_KEY; if (key_mod->blob == NULL) { if ((rc = (key_mod->ops->get_blob) (auth_tok->token.private_key.data, &blob_size_tmp, key_mod->param_vals, key_mod->num_param_vals))) { syslog(LOG_ERR, "Call into key module's get_blob " "failed; rc = [%d]\n", rc); goto out; } } else { blob_size_tmp = key_mod->blob_size; memcpy(auth_tok->token.private_key.data, key_mod->blob, key_mod->blob_size); } if (blob_size != blob_size_tmp) { rc = -EINVAL; syslog(LOG_ERR, "BUG: blob_size != blob_size_tmp; key module " "is having a hard time getting the two to match between " "get_blob() calls, and this has probably led to memory " "corruption. Bombing out.\n"); exit(1); goto out; } if ((rc = (key_mod->ops->get_key_data) (NULL, &key_data_len, auth_tok->token.private_key.data))) { syslog(LOG_ERR, "Call into key module's get_key_data failed; " "rc = [%d]\n", rc); goto out; } if (key_data_len == 0) { if ((rc = (key_mod->ops->get_key_sig)( (unsigned char *)sig, auth_tok->token.private_key.data))) { syslog(LOG_ERR, "Call into key module's get_key_sig " "failed; rc = [%d]\n", rc); goto out; } } else { if ((key_data = malloc(key_data_len)) == NULL) { rc = -ENOMEM; goto out; } if ((rc = (key_mod->ops->get_key_data) (key_data, &key_data_len, auth_tok->token.private_key.data))) { syslog(LOG_ERR, "Call into key module's get_key_data " "failed; rc = [%d]\n", rc); goto out; } if ((rc = ecryptfs_generate_sig_from_key_data( (unsigned char *)sig, key_data, key_data_len))) { syslog(LOG_ERR, "Error attempting to generate " "signature from key data; rc = [%d]\n", rc); goto out; } if (sig[0] == '\0') { if ((rc = (key_mod->ops->get_key_sig)( (unsigned char *)sig, auth_tok->token.private_key.data))) { syslog(LOG_ERR, "Call into key module's " "get_key_sig failed; rc = [%d]\n", rc); goto out; } } } strncpy(auth_tok->token.private_key.key_mod_alias, key_mod->alias, ECRYPTFS_MAX_KEY_MOD_NAME_BYTES); /* TODO: Get rid of this */ auth_tok->token.private_key.key_size = ECRYPTFS_MAX_KEY_MOD_NAME_BYTES; auth_tok->token.private_key.data_len = blob_size; memcpy(auth_tok->token.private_key.signature, sig, ECRYPTFS_SIG_SIZE_HEX); auth_tok->token.private_key.signature[ECRYPTFS_SIG_SIZE_HEX] = '\0'; out: return rc; }