Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris...
[linux-3.10.git] / fs / ecryptfs / keystore.c
index 3a61f05..c472533 100644 (file)
@@ -32,6 +32,7 @@
 #include <linux/random.h>
 #include <linux/crypto.h>
 #include <linux/scatterlist.h>
+#include <linux/slab.h>
 #include "ecryptfs_kernel.h"
 
 /**
@@ -58,12 +59,30 @@ static int process_request_key_err(long err_code)
                break;
        default:
                ecryptfs_printk(KERN_WARNING, "Unknown error code: "
-                               "[0x%.16x]\n", err_code);
+                               "[0x%.16lx]\n", err_code);
                rc = -EINVAL;
        }
        return rc;
 }
 
+static int process_find_global_auth_tok_for_sig_err(int err_code)
+{
+       int rc = err_code;
+
+       switch (err_code) {
+       case -ENOENT:
+               ecryptfs_printk(KERN_WARNING, "Missing auth tok\n");
+               break;
+       case -EINVAL:
+               ecryptfs_printk(KERN_WARNING, "Invalid auth tok\n");
+               break;
+       default:
+               rc = process_request_key_err(err_code);
+               break;
+       }
+       return rc;
+}
+
 /**
  * ecryptfs_parse_packet_length
  * @data: Pointer to memory containing length at offset
@@ -129,7 +148,7 @@ int ecryptfs_write_packet_length(char *dest, size_t size,
        } else {
                rc = -EINVAL;
                ecryptfs_printk(KERN_WARNING,
-                               "Unsupported packet size: [%d]\n", size);
+                               "Unsupported packet size: [%zd]\n", size);
        }
        return rc;
 }
@@ -402,25 +421,120 @@ out:
        return rc;
 }
 
+/**
+ * ecryptfs_verify_version
+ * @version: The version number to confirm
+ *
+ * Returns zero on good version; non-zero otherwise
+ */
+static int ecryptfs_verify_version(u16 version)
+{
+       int rc = 0;
+       unsigned char major;
+       unsigned char minor;
+
+       major = ((version >> 8) & 0xFF);
+       minor = (version & 0xFF);
+       if (major != ECRYPTFS_VERSION_MAJOR) {
+               ecryptfs_printk(KERN_ERR, "Major version number mismatch. "
+                               "Expected [%d]; got [%d]\n",
+                               ECRYPTFS_VERSION_MAJOR, major);
+               rc = -EINVAL;
+               goto out;
+       }
+       if (minor != ECRYPTFS_VERSION_MINOR) {
+               ecryptfs_printk(KERN_ERR, "Minor version number mismatch. "
+                               "Expected [%d]; got [%d]\n",
+                               ECRYPTFS_VERSION_MINOR, minor);
+               rc = -EINVAL;
+               goto out;
+       }
+out:
+       return rc;
+}
+
+/**
+ * ecryptfs_verify_auth_tok_from_key
+ * @auth_tok_key: key containing the authentication token
+ * @auth_tok: authentication token
+ *
+ * Returns zero on valid auth tok; -EINVAL otherwise
+ */
+static int
+ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key,
+                                 struct ecryptfs_auth_tok **auth_tok)
+{
+       int rc = 0;
+
+       (*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key);
+       if (ecryptfs_verify_version((*auth_tok)->version)) {
+               printk(KERN_ERR "Data structure version mismatch. Userspace "
+                      "tools must match eCryptfs kernel module with major "
+                      "version [%d] and minor version [%d]\n",
+                      ECRYPTFS_VERSION_MAJOR, ECRYPTFS_VERSION_MINOR);
+               rc = -EINVAL;
+               goto out;
+       }
+       if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD
+           && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) {
+               printk(KERN_ERR "Invalid auth_tok structure "
+                      "returned from key query\n");
+               rc = -EINVAL;
+               goto out;
+       }
+out:
+       return rc;
+}
+
 static int
 ecryptfs_find_global_auth_tok_for_sig(
-       struct ecryptfs_global_auth_tok **global_auth_tok,
+       struct key **auth_tok_key,
+       struct ecryptfs_auth_tok **auth_tok,
        struct ecryptfs_mount_crypt_stat *mount_crypt_stat, char *sig)
 {
        struct ecryptfs_global_auth_tok *walker;
        int rc = 0;
 
-       (*global_auth_tok) = NULL;
+       (*auth_tok_key) = NULL;
+       (*auth_tok) = NULL;
        mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
        list_for_each_entry(walker,
                            &mount_crypt_stat->global_auth_tok_list,
                            mount_crypt_stat_list) {
-               if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX) == 0) {
-                       (*global_auth_tok) = walker;
+               if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX))
+                       continue;
+
+               if (walker->flags & ECRYPTFS_AUTH_TOK_INVALID) {
+                       rc = -EINVAL;
                        goto out;
                }
+
+               rc = key_validate(walker->global_auth_tok_key);
+               if (rc) {
+                       if (rc == -EKEYEXPIRED)
+                               goto out;
+                       goto out_invalid_auth_tok;
+               }
+
+               down_write(&(walker->global_auth_tok_key->sem));
+               rc = ecryptfs_verify_auth_tok_from_key(
+                               walker->global_auth_tok_key, auth_tok);
+               if (rc)
+                       goto out_invalid_auth_tok_unlock;
+
+               (*auth_tok_key) = walker->global_auth_tok_key;
+               key_get(*auth_tok_key);
+               goto out;
        }
-       rc = -EINVAL;
+       rc = -ENOENT;
+       goto out;
+out_invalid_auth_tok_unlock:
+       up_write(&(walker->global_auth_tok_key->sem));
+out_invalid_auth_tok:
+       printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig);
+       walker->flags |= ECRYPTFS_AUTH_TOK_INVALID;
+       key_put(walker->global_auth_tok_key);
+       walker->global_auth_tok_key = NULL;
 out:
        mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
        return rc;
@@ -443,22 +557,28 @@ out:
  */
 static int
 ecryptfs_find_auth_tok_for_sig(
+       struct key **auth_tok_key,
        struct ecryptfs_auth_tok **auth_tok,
        struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
        char *sig)
 {
-       struct ecryptfs_global_auth_tok *global_auth_tok;
        int rc = 0;
 
-       (*auth_tok) = NULL;
-       if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok,
-                                                 mount_crypt_stat, sig)) {
-               struct key *auth_tok_key;
-
-               rc = ecryptfs_keyring_auth_tok_for_sig(&auth_tok_key, auth_tok,
+       rc = ecryptfs_find_global_auth_tok_for_sig(auth_tok_key, auth_tok,
+                                                  mount_crypt_stat, sig);
+       if (rc == -ENOENT) {
+               /* if the flag ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY is set in the
+                * mount_crypt_stat structure, we prevent to use auth toks that
+                * are not inserted through the ecryptfs_add_global_auth_tok
+                * function.
+                */
+               if (mount_crypt_stat->flags
+                               & ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY)
+                       return -EINVAL;
+
+               rc = ecryptfs_keyring_auth_tok_for_sig(auth_tok_key, auth_tok,
                                                       sig);
-       } else
-               (*auth_tok) = global_auth_tok->global_auth_tok;
+       }
        return rc;
 }
 
@@ -479,8 +599,8 @@ struct ecryptfs_write_tag_70_packet_silly_stack {
        struct mutex *tfm_mutex;
        char *block_aligned_filename;
        struct ecryptfs_auth_tok *auth_tok;
-       struct scatterlist src_sg;
-       struct scatterlist dst_sg;
+       struct scatterlist src_sg[2];
+       struct scatterlist dst_sg[2];
        struct blkcipher_desc desc;
        char iv[ECRYPTFS_MAX_IV_BYTES];
        char hash[ECRYPTFS_TAG_70_DIGEST_SIZE];
@@ -506,16 +626,28 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
                             char *filename, size_t filename_size)
 {
        struct ecryptfs_write_tag_70_packet_silly_stack *s;
+       struct key *auth_tok_key = NULL;
        int rc = 0;
 
        s = kmalloc(sizeof(*s), GFP_KERNEL);
        if (!s) {
                printk(KERN_ERR "%s: Out of memory whilst trying to kmalloc "
                       "[%zd] bytes of kernel memory\n", __func__, sizeof(*s));
+               rc = -ENOMEM;
                goto out;
        }
        s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP;
        (*packet_size) = 0;
+       rc = ecryptfs_find_auth_tok_for_sig(
+               &auth_tok_key,
+               &s->auth_tok, mount_crypt_stat,
+               mount_crypt_stat->global_default_fnek_sig);
+       if (rc) {
+               printk(KERN_ERR "%s: Error attempting to find auth tok for "
+                      "fnek sig [%s]; rc = [%d]\n", __func__,
+                      mount_crypt_stat->global_default_fnek_sig, rc);
+               goto out;
+       }
        rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(
                &s->desc.tfm,
                &s->tfm_mutex, mount_crypt_stat->global_default_fn_cipher_name);
@@ -601,18 +733,14 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
                goto out_free_unlock;
        }
        dest[s->i++] = s->cipher_code;
-       rc = ecryptfs_find_auth_tok_for_sig(
-               &s->auth_tok, mount_crypt_stat,
-               mount_crypt_stat->global_default_fnek_sig);
-       if (rc) {
-               printk(KERN_ERR "%s: Error attempting to find auth tok for "
-                      "fnek sig [%s]; rc = [%d]\n", __func__,
-                      mount_crypt_stat->global_default_fnek_sig, rc);
-               goto out_free_unlock;
-       }
        /* TODO: Support other key modules than passphrase for
         * filename encryption */
-       BUG_ON(s->auth_tok->token_type != ECRYPTFS_PASSWORD);
+       if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) {
+               rc = -EOPNOTSUPP;
+               printk(KERN_INFO "%s: Filename encryption only supports "
+                      "password tokens\n", __func__);
+               goto out_free_unlock;
+       }
        sg_init_one(
                &s->hash_sg,
                (u8 *)s->auth_tok->token.password.session_key_encryption_key,
@@ -688,23 +816,21 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
        memcpy(&s->block_aligned_filename[s->num_rand_bytes], filename,
               filename_size);
        rc = virt_to_scatterlist(s->block_aligned_filename,
-                                s->block_aligned_filename_size, &s->src_sg, 1);
-       if (rc != 1) {
+                                s->block_aligned_filename_size, s->src_sg, 2);
+       if (rc < 1) {
                printk(KERN_ERR "%s: Internal error whilst attempting to "
-                      "convert filename memory to scatterlist; "
-                      "expected rc = 1; got rc = [%d]. "
+                      "convert filename memory to scatterlist; rc = [%d]. "
                       "block_aligned_filename_size = [%zd]\n", __func__, rc,
                       s->block_aligned_filename_size);
                goto out_release_free_unlock;
        }
        rc = virt_to_scatterlist(&dest[s->i], s->block_aligned_filename_size,
-                                &s->dst_sg, 1);
-       if (rc != 1) {
+                                s->dst_sg, 2);
+       if (rc < 1) {
                printk(KERN_ERR "%s: Internal error whilst attempting to "
                       "convert encrypted filename memory to scatterlist; "
-                      "expected rc = 1; got rc = [%d]. "
-                      "block_aligned_filename_size = [%zd]\n", __func__, rc,
-                      s->block_aligned_filename_size);
+                      "rc = [%d]. block_aligned_filename_size = [%zd]\n",
+                      __func__, rc, s->block_aligned_filename_size);
                goto out_release_free_unlock;
        }
        /* The characters in the first block effectively do the job
@@ -727,7 +853,7 @@ ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
                       mount_crypt_stat->global_default_fn_cipher_key_bytes);
                goto out_release_free_unlock;
        }
-       rc = crypto_blkcipher_encrypt_iv(&s->desc, &s->dst_sg, &s->src_sg,
+       rc = crypto_blkcipher_encrypt_iv(&s->desc, s->dst_sg, s->src_sg,
                                         s->block_aligned_filename_size);
        if (rc) {
                printk(KERN_ERR "%s: Error attempting to encrypt filename; "
@@ -744,6 +870,10 @@ out_free_unlock:
 out_unlock:
        mutex_unlock(s->tfm_mutex);
 out:
+       if (auth_tok_key) {
+               up_write(&(auth_tok_key->sem));
+               key_put(auth_tok_key);
+       }
        kfree(s);
        return rc;
 }
@@ -759,8 +889,8 @@ struct ecryptfs_parse_tag_70_packet_silly_stack {
        struct mutex *tfm_mutex;
        char *decrypted_filename;
        struct ecryptfs_auth_tok *auth_tok;
-       struct scatterlist src_sg;
-       struct scatterlist dst_sg;
+       struct scatterlist src_sg[2];
+       struct scatterlist dst_sg[2];
        struct blkcipher_desc desc;
        char fnek_sig_hex[ECRYPTFS_SIG_SIZE_HEX + 1];
        char iv[ECRYPTFS_MAX_IV_BYTES];
@@ -789,6 +919,7 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
                             char *data, size_t max_packet_size)
 {
        struct ecryptfs_parse_tag_70_packet_silly_stack *s;
+       struct key *auth_tok_key = NULL;
        int rc = 0;
 
        (*packet_size) = 0;
@@ -798,6 +929,7 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
        if (!s) {
                printk(KERN_ERR "%s: Out of memory whilst trying to kmalloc "
                       "[%zd] bytes of kernel memory\n", __func__, sizeof(*s));
+               rc = -ENOMEM;
                goto out;
        }
        s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP;
@@ -854,6 +986,15 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
                       __func__, s->cipher_code);
                goto out;
        }
+       rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key,
+                                           &s->auth_tok, mount_crypt_stat,
+                                           s->fnek_sig_hex);
+       if (rc) {
+               printk(KERN_ERR "%s: Error attempting to find auth tok for "
+                      "fnek sig [%s]; rc = [%d]\n", __func__, s->fnek_sig_hex,
+                      rc);
+               goto out;
+       }
        rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&s->desc.tfm,
                                                        &s->tfm_mutex,
                                                        s->cipher_string);
@@ -865,13 +1006,12 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
        }
        mutex_lock(s->tfm_mutex);
        rc = virt_to_scatterlist(&data[(*packet_size)],
-                                s->block_aligned_filename_size, &s->src_sg, 1);
-       if (rc != 1) {
+                                s->block_aligned_filename_size, s->src_sg, 2);
+       if (rc < 1) {
                printk(KERN_ERR "%s: Internal error whilst attempting to "
                       "convert encrypted filename memory to scatterlist; "
-                      "expected rc = 1; got rc = [%d]. "
-                      "block_aligned_filename_size = [%zd]\n", __func__, rc,
-                      s->block_aligned_filename_size);
+                      "rc = [%d]. block_aligned_filename_size = [%zd]\n",
+                      __func__, rc, s->block_aligned_filename_size);
                goto out_unlock;
        }
        (*packet_size) += s->block_aligned_filename_size;
@@ -885,13 +1025,12 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
                goto out_unlock;
        }
        rc = virt_to_scatterlist(s->decrypted_filename,
-                                s->block_aligned_filename_size, &s->dst_sg, 1);
-       if (rc != 1) {
+                                s->block_aligned_filename_size, s->dst_sg, 2);
+       if (rc < 1) {
                printk(KERN_ERR "%s: Internal error whilst attempting to "
                       "convert decrypted filename memory to scatterlist; "
-                      "expected rc = 1; got rc = [%d]. "
-                      "block_aligned_filename_size = [%zd]\n", __func__, rc,
-                      s->block_aligned_filename_size);
+                      "rc = [%d]. block_aligned_filename_size = [%zd]\n",
+                      __func__, rc, s->block_aligned_filename_size);
                goto out_free_unlock;
        }
        /* The characters in the first block effectively do the job of
@@ -900,17 +1039,14 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
         * >= ECRYPTFS_MAX_IV_BYTES. */
        memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES);
        s->desc.info = s->iv;
-       rc = ecryptfs_find_auth_tok_for_sig(&s->auth_tok, mount_crypt_stat,
-                                           s->fnek_sig_hex);
-       if (rc) {
-               printk(KERN_ERR "%s: Error attempting to find auth tok for "
-                      "fnek sig [%s]; rc = [%d]\n", __func__, s->fnek_sig_hex,
-                      rc);
-               goto out_free_unlock;
-       }
        /* TODO: Support other key modules than passphrase for
         * filename encryption */
-       BUG_ON(s->auth_tok->token_type != ECRYPTFS_PASSWORD);
+       if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) {
+               rc = -EOPNOTSUPP;
+               printk(KERN_INFO "%s: Filename encryption only supports "
+                      "password tokens\n", __func__);
+               goto out_free_unlock;
+       }
        rc = crypto_blkcipher_setkey(
                s->desc.tfm,
                s->auth_tok->token.password.session_key_encryption_key,
@@ -925,7 +1061,7 @@ ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
                       mount_crypt_stat->global_default_fn_cipher_key_bytes);
                goto out_free_unlock;
        }
-       rc = crypto_blkcipher_decrypt_iv(&s->desc, &s->dst_sg, &s->src_sg,
+       rc = crypto_blkcipher_decrypt_iv(&s->desc, s->dst_sg, s->src_sg,
                                         s->block_aligned_filename_size);
        if (rc) {
                printk(KERN_ERR "%s: Error attempting to decrypt filename; "
@@ -971,6 +1107,10 @@ out:
                (*filename_size) = 0;
                (*filename) = NULL;
        }
+       if (auth_tok_key) {
+               up_write(&(auth_tok_key->sem));
+               key_put(auth_tok_key);
+       }
        kfree(s);
        return rc;
 }
@@ -1487,38 +1627,6 @@ out:
        return rc;
 }
 
-/**
- * ecryptfs_verify_version
- * @version: The version number to confirm
- *
- * Returns zero on good version; non-zero otherwise
- */
-static int ecryptfs_verify_version(u16 version)
-{
-       int rc = 0;
-       unsigned char major;
-       unsigned char minor;
-
-       major = ((version >> 8) & 0xFF);
-       minor = (version & 0xFF);
-       if (major != ECRYPTFS_VERSION_MAJOR) {
-               ecryptfs_printk(KERN_ERR, "Major version number mismatch. "
-                               "Expected [%d]; got [%d]\n",
-                               ECRYPTFS_VERSION_MAJOR, major);
-               rc = -EINVAL;
-               goto out;
-       }
-       if (minor != ECRYPTFS_VERSION_MINOR) {
-               ecryptfs_printk(KERN_ERR, "Minor version number mismatch. "
-                               "Expected [%d]; got [%d]\n",
-                               ECRYPTFS_VERSION_MINOR, minor);
-               rc = -EINVAL;
-               goto out;
-       }
-out:
-       return rc;
-}
-
 int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
                                      struct ecryptfs_auth_tok **auth_tok,
                                      char *sig)
@@ -1527,28 +1635,21 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
 
        (*auth_tok_key) = request_key(&key_type_user, sig, NULL);
        if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) {
-               printk(KERN_ERR "Could not find key with description: [%s]\n",
-                      sig);
-               rc = process_request_key_err(PTR_ERR(*auth_tok_key));
-               goto out;
-       }
-       (*auth_tok) = ecryptfs_get_key_payload_data(*auth_tok_key);
-       if (ecryptfs_verify_version((*auth_tok)->version)) {
-               printk(KERN_ERR
-                      "Data structure version mismatch. "
-                      "Userspace tools must match eCryptfs "
-                      "kernel module with major version [%d] "
-                      "and minor version [%d]\n",
-                      ECRYPTFS_VERSION_MAJOR,
-                      ECRYPTFS_VERSION_MINOR);
-               rc = -EINVAL;
-               goto out;
+               (*auth_tok_key) = ecryptfs_get_encrypted_key(sig);
+               if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) {
+                       printk(KERN_ERR "Could not find key with description: [%s]\n",
+                             sig);
+                       rc = process_request_key_err(PTR_ERR(*auth_tok_key));
+                       (*auth_tok_key) = NULL;
+                       goto out;
+               }
        }
-       if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD
-           && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) {
-               printk(KERN_ERR "Invalid auth_tok structure "
-                      "returned from key query\n");
-               rc = -EINVAL;
+       down_write(&(*auth_tok_key)->sem);
+       rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok);
+       if (rc) {
+               up_write(&(*auth_tok_key)->sem);
+               key_put(*auth_tok_key);
+               (*auth_tok_key) = NULL;
                goto out;
        }
 out:
@@ -1634,7 +1735,7 @@ decrypt_passphrase_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok,
               auth_tok->session_key.decrypted_key_size);
        crypt_stat->flags |= ECRYPTFS_KEY_VALID;
        if (unlikely(ecryptfs_verbosity > 0)) {
-               ecryptfs_printk(KERN_DEBUG, "FEK of size [%d]:\n",
+               ecryptfs_printk(KERN_DEBUG, "FEK of size [%zd]:\n",
                                crypt_stat->key_size);
                ecryptfs_dump_hex(crypt_stat->key,
                                  crypt_stat->key_size);
@@ -1673,6 +1774,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
        struct ecryptfs_auth_tok_list_item *auth_tok_list_item;
        size_t tag_11_contents_size;
        size_t tag_11_packet_size;
+       struct key *auth_tok_key = NULL;
        int rc = 0;
 
        INIT_LIST_HEAD(&auth_tok_list);
@@ -1715,7 +1817,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
                        if (ECRYPTFS_SIG_SIZE != tag_11_contents_size) {
                                ecryptfs_printk(KERN_ERR, "Expected "
                                                "signature of size [%d]; "
-                                               "read size [%d]\n",
+                                               "read size [%zd]\n",
                                                ECRYPTFS_SIG_SIZE,
                                                tag_11_contents_size);
                                rc = -EIO;
@@ -1748,8 +1850,8 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
                        goto out_wipe_list;
                        break;
                default:
-                       ecryptfs_printk(KERN_DEBUG, "No packet at offset "
-                                       "[%d] of the file header; hex value of "
+                       ecryptfs_printk(KERN_DEBUG, "No packet at offset [%zd] "
+                                       "of the file header; hex value of "
                                        "character is [0x%.2x]\n", i, src[i]);
                        next_packet_is_auth_tok_packet = 0;
                }
@@ -1769,6 +1871,11 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
         * just one will be sufficient to decrypt to get the FEK. */
 find_next_matching_auth_tok:
        found_auth_tok = 0;
+       if (auth_tok_key) {
+               up_write(&(auth_tok_key->sem));
+               key_put(auth_tok_key);
+               auth_tok_key = NULL;
+       }
        list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) {
                candidate_auth_tok = &auth_tok_list_item->auth_tok;
                if (unlikely(ecryptfs_verbosity > 0)) {
@@ -1785,10 +1892,11 @@ find_next_matching_auth_tok:
                        rc = -EINVAL;
                        goto out_wipe_list;
                }
-               ecryptfs_find_auth_tok_for_sig(&matching_auth_tok,
+               rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key,
+                                              &matching_auth_tok,
                                               crypt_stat->mount_crypt_stat,
                                               candidate_auth_tok_sig);
-               if (matching_auth_tok) {
+               if (!rc) {
                        found_auth_tok = 1;
                        goto found_matching_auth_tok;
                }
@@ -1820,8 +1928,8 @@ found_matching_auth_tok:
                                "session key for authentication token with sig "
                                "[%.*s]; rc = [%d]. Removing auth tok "
                                "candidate from the list and searching for "
-                               "the next match.\n", candidate_auth_tok_sig,
-                               ECRYPTFS_SIG_SIZE_HEX, rc);
+                               "the next match.\n", ECRYPTFS_SIG_SIZE_HEX,
+                               candidate_auth_tok_sig, rc);
                list_for_each_entry_safe(auth_tok_list_item,
                                         auth_tok_list_item_tmp,
                                         &auth_tok_list, list) {
@@ -1851,6 +1959,10 @@ found_matching_auth_tok:
 out_wipe_list:
        wipe_auth_tok_list(&auth_tok_list);
 out:
+       if (auth_tok_key) {
+               up_write(&(auth_tok_key->sem));
+               key_put(auth_tok_key);
+       }
        return rc;
 }
 
@@ -2122,7 +2234,7 @@ write_tag_3_packet(char *dest, size_t *remaining_bytes,
        if (encrypted_session_key_valid) {
                ecryptfs_printk(KERN_DEBUG, "encrypted_session_key_valid != 0; "
                                "using auth_tok->session_key.encrypted_key, "
-                               "where key_rec->enc_key_size = [%d]\n",
+                               "where key_rec->enc_key_size = [%zd]\n",
                                key_rec->enc_key_size);
                memcpy(key_rec->enc_key,
                       auth_tok->session_key.encrypted_key,
@@ -2139,7 +2251,7 @@ write_tag_3_packet(char *dest, size_t *remaining_bytes,
                       auth_tok->token.password.session_key_encryption_key,
                       crypt_stat->key_size);
                ecryptfs_printk(KERN_DEBUG,
-                               "Cached session key " "encryption key: \n");
+                               "Cached session key encryption key:\n");
                if (ecryptfs_verbosity > 0)
                        ecryptfs_dump_hex(session_key_encryption_key, 16);
        }
@@ -2152,7 +2264,7 @@ write_tag_3_packet(char *dest, size_t *remaining_bytes,
        if (rc < 1 || rc > 2) {
                ecryptfs_printk(KERN_ERR, "Error generating scatterlist "
                                "for crypt_stat session key; expected rc = 1; "
-                               "got rc = [%d]. key_rec->enc_key_size = [%d]\n",
+                               "got rc = [%d]. key_rec->enc_key_size = [%zd]\n",
                                rc, key_rec->enc_key_size);
                rc = -ENOMEM;
                goto out;
@@ -2163,7 +2275,7 @@ write_tag_3_packet(char *dest, size_t *remaining_bytes,
                ecryptfs_printk(KERN_ERR, "Error generating scatterlist "
                                "for crypt_stat encrypted session key; "
                                "expected rc = 1; got rc = [%d]. "
-                               "key_rec->enc_key_size = [%d]\n", rc,
+                               "key_rec->enc_key_size = [%zd]\n", rc,
                                key_rec->enc_key_size);
                rc = -ENOMEM;
                goto out;
@@ -2178,7 +2290,7 @@ write_tag_3_packet(char *dest, size_t *remaining_bytes,
                goto out;
        }
        rc = 0;
-       ecryptfs_printk(KERN_DEBUG, "Encrypting [%d] bytes of the key\n",
+       ecryptfs_printk(KERN_DEBUG, "Encrypting [%zd] bytes of the key\n",
                        crypt_stat->key_size);
        rc = crypto_blkcipher_encrypt(&desc, dst_sg, src_sg,
                                      (*key_rec).enc_key_size);
@@ -2189,7 +2301,7 @@ write_tag_3_packet(char *dest, size_t *remaining_bytes,
        }
        ecryptfs_printk(KERN_DEBUG, "This should be the encrypted key:\n");
        if (ecryptfs_verbosity > 0) {
-               ecryptfs_printk(KERN_DEBUG, "EFEK of size [%d]:\n",
+               ecryptfs_printk(KERN_DEBUG, "EFEK of size [%zd]:\n",
                                key_rec->enc_key_size);
                ecryptfs_dump_hex(key_rec->enc_key,
                                  key_rec->enc_key_size);
@@ -2278,7 +2390,7 @@ ecryptfs_generate_key_packet_set(char *dest_base,
                                 size_t max)
 {
        struct ecryptfs_auth_tok *auth_tok;
-       struct ecryptfs_global_auth_tok *global_auth_tok;
+       struct key *auth_tok_key = NULL;
        struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
                &ecryptfs_superblock_to_private(
                        ecryptfs_dentry->d_sb)->mount_crypt_stat;
@@ -2297,21 +2409,16 @@ ecryptfs_generate_key_packet_set(char *dest_base,
        list_for_each_entry(key_sig, &crypt_stat->keysig_list,
                            crypt_stat_list) {
                memset(key_rec, 0, sizeof(*key_rec));
-               rc = ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok,
+               rc = ecryptfs_find_global_auth_tok_for_sig(&auth_tok_key,
+                                                          &auth_tok,
                                                           mount_crypt_stat,
                                                           key_sig->keysig);
                if (rc) {
-                       printk(KERN_ERR "Error attempting to get the global "
-                              "auth_tok; rc = [%d]\n", rc);
+                       printk(KERN_WARNING "Unable to retrieve auth tok with "
+                              "sig = [%s]\n", key_sig->keysig);
+                       rc = process_find_global_auth_tok_for_sig_err(rc);
                        goto out_free;
                }
-               if (global_auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID) {
-                       printk(KERN_WARNING
-                              "Skipping invalid auth tok with sig = [%s]\n",
-                              global_auth_tok->sig);
-                       continue;
-               }
-               auth_tok = global_auth_tok->global_auth_tok;
                if (auth_tok->token_type == ECRYPTFS_PASSWORD) {
                        rc = write_tag_3_packet((dest_base + (*len)),
                                                &max, auth_tok,
@@ -2349,6 +2456,9 @@ ecryptfs_generate_key_packet_set(char *dest_base,
                        rc = -EINVAL;
                        goto out_free;
                }
+               up_write(&(auth_tok_key->sem));
+               key_put(auth_tok_key);
+               auth_tok_key = NULL;
        }
        if (likely(max > 0)) {
                dest_base[(*len)] = 0x00;
@@ -2361,6 +2471,11 @@ out_free:
 out:
        if (rc)
                (*len) = 0;
+       if (auth_tok_key) {
+               up_write(&(auth_tok_key->sem));
+               key_put(auth_tok_key);
+       }
+
        mutex_unlock(&crypt_stat->keysig_list_mutex);
        return rc;
 }
@@ -2378,6 +2493,7 @@ int ecryptfs_add_keysig(struct ecryptfs_crypt_stat *crypt_stat, char *sig)
                return -ENOMEM;
        }
        memcpy(new_key_sig->keysig, sig, ECRYPTFS_SIG_SIZE_HEX);
+       new_key_sig->keysig[ECRYPTFS_SIG_SIZE_HEX] = '\0';
        /* Caller must hold keysig_list_mutex */
        list_add(&new_key_sig->crypt_stat_list, &crypt_stat->keysig_list);
 
@@ -2407,7 +2523,6 @@ ecryptfs_add_global_auth_tok(struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
        mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
        list_add(&new_auth_tok->mount_crypt_stat_list,
                 &mount_crypt_stat->global_auth_tok_list);
-       mount_crypt_stat->num_global_auth_toks++;
        mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
 out:
        return rc;