Commit 982363c9 authored by Eric Sandeen's avatar Eric Sandeen Committed by Linus Torvalds

ecryptfs: propagate key errors up at mount time

Mounting with invalid key signatures should probably fail, if they were
specifically requested but not available.

Also fix case checks in process_request_key_err() for the right sign of
the errnos, as spotted by Jan Tluka.
Signed-off-by: default avatarEric Sandeen <sandeen@redhat.com>
Reviewed-by: default avatarJan Tluka <jtluka@redhat.com>
Acked-by: default avatarMichael Halcrow <mhalcrow@us.ibm.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 6c4c17b0
...@@ -44,15 +44,15 @@ static int process_request_key_err(long err_code) ...@@ -44,15 +44,15 @@ static int process_request_key_err(long err_code)
int rc = 0; int rc = 0;
switch (err_code) { switch (err_code) {
case ENOKEY: case -ENOKEY:
ecryptfs_printk(KERN_WARNING, "No key\n"); ecryptfs_printk(KERN_WARNING, "No key\n");
rc = -ENOENT; rc = -ENOENT;
break; break;
case EKEYEXPIRED: case -EKEYEXPIRED:
ecryptfs_printk(KERN_WARNING, "Key expired\n"); ecryptfs_printk(KERN_WARNING, "Key expired\n");
rc = -ETIME; rc = -ETIME;
break; break;
case EKEYREVOKED: case -EKEYREVOKED:
ecryptfs_printk(KERN_WARNING, "Key revoked\n"); ecryptfs_printk(KERN_WARNING, "Key revoked\n");
rc = -EINVAL; rc = -EINVAL;
break; break;
...@@ -963,8 +963,7 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key, ...@@ -963,8 +963,7 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) { if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) {
printk(KERN_ERR "Could not find key with description: [%s]\n", printk(KERN_ERR "Could not find key with description: [%s]\n",
sig); sig);
process_request_key_err(PTR_ERR(*auth_tok_key)); rc = process_request_key_err(PTR_ERR(*auth_tok_key));
rc = -EINVAL;
goto out; goto out;
} }
(*auth_tok) = ecryptfs_get_key_payload_data(*auth_tok_key); (*auth_tok) = ecryptfs_get_key_payload_data(*auth_tok_key);
......
...@@ -248,10 +248,11 @@ static int ecryptfs_init_global_auth_toks( ...@@ -248,10 +248,11 @@ static int ecryptfs_init_global_auth_toks(
"session keyring for sig specified in mount " "session keyring for sig specified in mount "
"option: [%s]\n", global_auth_tok->sig); "option: [%s]\n", global_auth_tok->sig);
global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID; global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID;
rc = 0; goto out;
} else } else
global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID; global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID;
} }
out:
return rc; return rc;
} }
...@@ -416,7 +417,6 @@ static int ecryptfs_parse_options(struct super_block *sb, char *options) ...@@ -416,7 +417,6 @@ static int ecryptfs_parse_options(struct super_block *sb, char *options)
printk(KERN_WARNING "One or more global auth toks could not " printk(KERN_WARNING "One or more global auth toks could not "
"properly register; rc = [%d]\n", rc); "properly register; rc = [%d]\n", rc);
} }
rc = 0;
out: out:
return rc; return rc;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment