On Tue, Apr 15, 2008 at 05:47:50PM -0500, Michael Halcrow wrote:
> If I cannot find out soon why the netlink interface in eCryptfs
> broke, I am likely to just send a patch to disable it in 2.6.24 and
> 2.6.25.
This patch yanks key module support out of eCryptfs. In the event that
the netlink bug with eCryptfs does not get resolved soon, I intend for
this to apply to point releases of 2.6.24 and 2.6.25.
This patch is only a feature-disabling workaround and conflicts with
the patchset that introduces the device handle mechanism for
communicating with the userspace key module daemon. Future kernel
versions will use a regular device handle for communications with the
userspace daemon rather than the netlink interface.
Signed-off-by: Michael Halcrow <mhalcrow@us.ibm.com>
---
 fs/ecryptfs/ecryptfs_kernel.h |    1 -
 fs/ecryptfs/keystore.c        |  422 ++---------------------------------------
 fs/ecryptfs/main.c            |   11 +-
 fs/ecryptfs/messaging.c       |    6 -
 4 files changed, 13 insertions(+), 427 deletions(-)
diff --git a/fs/ecryptfs/ecryptfs_kernel.h b/fs/ecryptfs/ecryptfs_kernel.h
index 5007f78..abff330 100644
--- a/fs/ecryptfs/ecryptfs_kernel.h
+++ b/fs/ecryptfs/ecryptfs_kernel.h
@@ -51,7 +51,6 @@
 #define ECRYPTFS_VERSIONING_MULTKEY               0x00000020
 #define ECRYPTFS_VERSIONING_MASK (ECRYPTFS_VERSIONING_PASSPHRASE \
 				  | ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH \
-				  | ECRYPTFS_VERSIONING_PUBKEY \
 				  | ECRYPTFS_VERSIONING_XATTR \
 				  | ECRYPTFS_VERSIONING_MULTKEY)
 #define ECRYPTFS_MAX_PASSWORD_LENGTH 64
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
index 682b1b2..8f65054 100644
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -273,129 +273,6 @@ out:
 	return rc;
 }
 
-
-static int
-write_tag_66_packet(char *signature, u8 cipher_code,
-		    struct ecryptfs_crypt_stat *crypt_stat, char **packet,
-		    size_t *packet_len)
-{
-	size_t i = 0;
-	size_t j;
-	size_t data_len;
-	size_t checksum = 0;
-	size_t packet_size_len;
-	char *message;
-	int rc;
-
-	/*
-	 *              ***** TAG 66 Packet Format *****
-	 *         | Content Type             | 1 byte       |
-	 *         | Key Identifier Size      | 1 or 2 bytes |
-	 *         | Key Identifier           | arbitrary    |
-	 *         | File Encryption Key Size | 1 or 2 bytes |
-	 *         | File Encryption Key      | arbitrary    |
-	 */
-	data_len = (5 + ECRYPTFS_SIG_SIZE_HEX + crypt_stat->key_size);
-	*packet = kmalloc(data_len, GFP_KERNEL);
-	message = *packet;
-	if (!message) {
-		ecryptfs_printk(KERN_ERR, "Unable to allocate memory\n");
-		rc = -ENOMEM;
-		goto out;
-	}
-	message[i++] = ECRYPTFS_TAG_66_PACKET_TYPE;
-	rc = write_packet_length(&message[i], ECRYPTFS_SIG_SIZE_HEX,
-				 &packet_size_len);
-	if (rc) {
-		ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet "
-				"header; cannot generate packet length\n");
-		goto out;
-	}
-	i += packet_size_len;
-	memcpy(&message[i], signature, ECRYPTFS_SIG_SIZE_HEX);
-	i += ECRYPTFS_SIG_SIZE_HEX;
-	/* The encrypted key includes 1 byte cipher code and 2 byte checksum */
-	rc = write_packet_length(&message[i], crypt_stat->key_size + 3,
-				 &packet_size_len);
-	if (rc) {
-		ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet "
-				"header; cannot generate packet length\n");
-		goto out;
-	}
-	i += packet_size_len;
-	message[i++] = cipher_code;
-	memcpy(&message[i], crypt_stat->key, crypt_stat->key_size);
-	i += crypt_stat->key_size;
-	for (j = 0; j < crypt_stat->key_size; j++)
-		checksum += crypt_stat->key[j];
-	message[i++] = (checksum / 256) % 256;
-	message[i++] = (checksum % 256);
-	*packet_len = i;
-out:
-	return rc;
-}
-
-static int
-parse_tag_67_packet(struct ecryptfs_key_record *key_rec,
-		    struct ecryptfs_message *msg)
-{
-	size_t i = 0;
-	char *data;
-	size_t data_len;
-	size_t message_len;
-	int rc;
-
-	/*
-	 *              ***** TAG 65 Packet Format *****
-	 *    | Content Type                       | 1 byte       |
-	 *    | Status Indicator                   | 1 byte       |
-	 *    | Encrypted File Encryption Key Size | 1 or 2 bytes |
-	 *    | Encrypted File Encryption Key      | arbitrary    |
-	 */
-	message_len = msg->data_len;
-	data = msg->data;
-	/* verify that everything through the encrypted FEK size is present */
-	if (message_len < 4) {
-		rc = -EIO;
-		goto out;
-	}
-	if (data[i++] != ECRYPTFS_TAG_67_PACKET_TYPE) {
-		ecryptfs_printk(KERN_ERR, "Type should be ECRYPTFS_TAG_67\n");
-		rc = -EIO;
-		goto out;
-	}
-	if (data[i++]) {
-		ecryptfs_printk(KERN_ERR, "Status indicator has non zero value"
-				" [%d]\n", data[i-1]);
-		rc = -EIO;
-		goto out;
-	}
-	rc = parse_packet_length(&data[i], &key_rec->enc_key_size, &data_len);
-	if (rc) {
-		ecryptfs_printk(KERN_WARNING, "Error parsing packet length; "
-				"rc = [%d]\n", rc);
-		goto out;
-	}
-	i += data_len;
-	if (message_len < (i + key_rec->enc_key_size)) {
-		ecryptfs_printk(KERN_ERR, "message_len [%d]; max len is [%d]\n",
-				message_len, (i + key_rec->enc_key_size));
-		rc = -EIO;
-		goto out;
-	}
-	if (key_rec->enc_key_size > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
-		ecryptfs_printk(KERN_ERR, "Encrypted key_size [%d] larger than "
-				"the maximum key size [%d]\n",
-				key_rec->enc_key_size,
-				ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES);
-		rc = -EIO;
-		goto out;
-	}
-	memcpy(key_rec->enc_key, &data[i], key_rec->enc_key_size);
-out:
-	return rc;
-}
-
 static int
 ecryptfs_get_auth_tok_sig(char **sig, struct ecryptfs_auth_tok *auth_tok)
 {
@@ -407,11 +284,11 @@ ecryptfs_get_auth_tok_sig(char **sig, struct ecryptfs_auth_tok *auth_tok)
 		(*sig) = auth_tok->token.password.signature;
 		break;
 	case ECRYPTFS_PRIVATE_KEY:
-		(*sig) = auth_tok->token.private_key.signature;
-		break;
+		printk(KERN_ERR "%s: Key module functionality disabled for "
+		       "this kernel\n", __func__);
 	default:
-		printk(KERN_ERR "Cannot get sig for auth_tok of type [%d]\n",
-		       auth_tok->token_type);
+		printk(KERN_ERR "Cannot get valid sig for auth_tok of type "
+		       "[%d]\n", auth_tok->token_type);
 		rc = -EINVAL;
 	}
 	return rc;
@@ -506,137 +383,6 @@ static void wipe_auth_tok_list(struct list_head *auth_tok_list_head)
 struct kmem_cache *ecryptfs_auth_tok_list_item_cache;
 
 /**
- * parse_tag_1_packet
- * @crypt_stat: The cryptographic context to modify based on packet contents
- * @data: The raw bytes of the packet.
- * @auth_tok_list: eCryptfs parses packets into authentication tokens;
- *                 a new authentication token will be placed at the
- *                 end of this list for this packet.
- * @new_auth_tok: Pointer to a pointer to memory that this function
- *                allocates; sets the memory address of the pointer to
- *                NULL on error. This object is added to the
- *                auth_tok_list.
- * @packet_size: This function writes the size of the parsed packet
- *               into this memory location; zero on error.
- * @max_packet_size: The maximum allowable packet size
- *
- * Returns zero on success; non-zero on error.
- */
-static int
-parse_tag_1_packet(struct ecryptfs_crypt_stat *crypt_stat,
-		   unsigned char *data, struct list_head *auth_tok_list,
-		   struct ecryptfs_auth_tok **new_auth_tok,
-		   size_t *packet_size, size_t max_packet_size)
-{
-	size_t body_size;
-	struct ecryptfs_auth_tok_list_item *auth_tok_list_item;
-	size_t length_size;
-	int rc = 0;
-
-	(*packet_size) = 0;
-	(*new_auth_tok) = NULL;
-	/**
-	 * This format is inspired by OpenPGP; see RFC 2440
-	 * packet tag 1
-	 *
-	 * Tag 1 identifier (1 byte)
-	 * Max Tag 1 packet size (max 3 bytes)
-	 * Version (1 byte)
-	 * Key identifier (8 bytes; ECRYPTFS_SIG_SIZE)
-	 * Cipher identifier (1 byte)
-	 * Encrypted key size (arbitrary)
-	 *
-	 * 12 bytes minimum packet size
-	 */
-	if (unlikely(max_packet_size < 12)) {
-		printk(KERN_ERR "Invalid max packet size; must be >=12\n");
-		rc = -EINVAL;
-		goto out;
-	}
-	if (data[(*packet_size)++] != ECRYPTFS_TAG_1_PACKET_TYPE) {
-		printk(KERN_ERR "Enter w/ first byte != 0x%.2x\n",
-		       ECRYPTFS_TAG_1_PACKET_TYPE);
-		rc = -EINVAL;
-		goto out;
-	}
-	/* Released: wipe_auth_tok_list called in ecryptfs_parse_packet_set or
-	 * at end of function upon failure */
-	auth_tok_list_item =
-		kmem_cache_zalloc(ecryptfs_auth_tok_list_item_cache,
-				  GFP_KERNEL);
-	if (!auth_tok_list_item) {
-		printk(KERN_ERR "Unable to allocate memory\n");
-		rc = -ENOMEM;
-		goto out;
-	}
-	(*new_auth_tok) = &auth_tok_list_item->auth_tok;
-	rc = parse_packet_length(&data[(*packet_size)], &body_size,
-				 &length_size);
-	if (rc) {
-		printk(KERN_WARNING "Error parsing packet length; "
-		       "rc = [%d]\n", rc);
-		goto out_free;
-	}
-	if (unlikely(body_size < (ECRYPTFS_SIG_SIZE + 2))) {
-		printk(KERN_WARNING "Invalid body size ([%td])\n", body_size);
-		rc = -EINVAL;
-		goto out_free;
-	}
-	(*packet_size) += length_size;
-	if (unlikely((*packet_size) + body_size > max_packet_size)) {
-		printk(KERN_WARNING "Packet size exceeds max\n");
-		rc = -EINVAL;
-		goto out_free;
-	}
-	if (unlikely(data[(*packet_size)++] != 0x03)) {
-		printk(KERN_WARNING "Unknown version number [%d]\n",
-		       data[(*packet_size) - 1]);
-		rc = -EINVAL;
-		goto out_free;
-	}
-	ecryptfs_to_hex((*new_auth_tok)->token.private_key.signature,
-			&data[(*packet_size)], ECRYPTFS_SIG_SIZE);
-	*packet_size += ECRYPTFS_SIG_SIZE;
-	/* This byte is skipped because the kernel does not need to
-	 * know which public key encryption algorithm was used */
-	(*packet_size)++;
-	(*new_auth_tok)->session_key.encrypted_key
...