Merge lp:~tyhicks/ecryptfs/reject-empty-passphrases into lp:ecryptfs

Proposed by Tyler Hicks
Status: Merged
Merged at revision: 853
Proposed branch: lp:~tyhicks/ecryptfs/reject-empty-passphrases
Merge into: lp:ecryptfs
Prerequisite: lp:~tyhicks/ecryptfs/read-v1-wrapped-passphrase-regression
Diff against target: 105 lines (+46/-15) (has conflicts)
4 files modified
debian/changelog (+24/-9)
src/libecryptfs/key_management.c (+3/-3)
src/libecryptfs/main.c (+4/-3)
tests/userspace/wrap-unwrap/test.c (+15/-0)
Text conflict in debian/changelog
To merge this branch: bzr merge lp:~tyhicks/ecryptfs/reject-empty-passphrases
Reviewer: eCryptfs (review type: none, date requested: none, status: Pending)
Review via email: mp+254121@code.launchpad.net

Description of the change

While testing the read-v1-wrapped-passphrase-regression branch, I discovered that ecryptfs_wrap_passphrase() and generate_passphrase_sig() will accept zero-length strings as passphrases. I feel like there is no valid use case for using an empty string and that a minimum should be put in place in order to catch errors.

This patch imposes a minimum of 1 valid character in order to be considered a valid passphrase. A higher minimum would be more ideal but this is the first step in catching empty passphrases being incorrectly used.

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2015-03-25 15:42:30 +0000
3+++ debian/changelog 2015-03-25 17:27:05 +0000
4@@ -7,15 +7,30 @@
5 * debian/control:
6 - build depend on distro-info, which we use in our release script
7
8- [ Tyler Hicks ]
9- * src/libecryptfs/key_management.c:
10- - Fix a regression when reading version 1 wrapped passphrase files. A
11- return code indicating success was always returned even when an error
12- was encountered. The impact is low since the error situation is still
13- caught when validating either the wrapping password's signature or the
14- wrapped passphrase's signature. Thanks to László Böszörményi for
15- catching this mistake.
16-
17+<<<<<<< TREE
18+ [ Tyler Hicks ]
19+ * src/libecryptfs/key_management.c:
20+ - Fix a regression when reading version 1 wrapped passphrase files. A
21+ return code indicating success was always returned even when an error
22+ was encountered. The impact is low since the error situation is still
23+ caught when validating either the wrapping password's signature or the
24+ wrapped passphrase's signature. Thanks to László Böszörményi for
25+ catching this mistake.
26+
27+=======
28+ [ Tyler Hicks ]
29+ * src/libecryptfs/key_management.c:
30+ - Fix a regression when reading version 1 wrapped passphrase files. A
31+ return code indicating success was always returned even when an error
32+ was encountered. The impact is low since the error situation is still
33+ caught when validating either the wrapping password's signature or the
34+ wrapped passphrase's signature. Thanks to László Böszörményi for
35+ catching this mistake.
36+ - Reject empty passphrases passed into ecryptfs_wrap_passphrase()
37+ * src/libecryptfs/main.c:
38+ - Reject empty wrapping passphrases passed into generate_passphrase_sig()
39+
40+>>>>>>> MERGE-SOURCE
41 -- Dustin Kirkland <kirkland@ubuntu.com> Wed, 11 Mar 2015 18:39:43 -0500
42
43 ecryptfs-utils (106) utopic; urgency=medium
44
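Review bot: the changelog hunk carries unresolved conflict markers (`<<<<<<< TREE`, `=======`, `>>>>>>> MERGE-SOURCE`), which the proposal header also flags as "Text conflict in debian/changelog"; the branch needs to be re-merged against the prerequisite branch so the duplicated `[ Tyler Hicks ]` block appears once, carrying the existing regression-fix entry plus the two new "Reject empty ... passphrases" bullets, before this can land. As shown, the changelog would not parse.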
45=== modified file 'src/libecryptfs/key_management.c'
46--- src/libecryptfs/key_management.c 2015-03-25 15:42:30 +0000
47+++ src/libecryptfs/key_management.c 2015-03-25 17:27:05 +0000
48@@ -587,9 +587,9 @@
49 int rc;
50
51 decrypted_passphrase_bytes = strlen(decrypted_passphrase);
52- if (decrypted_passphrase_bytes > ECRYPTFS_MAX_PASSPHRASE_BYTES) {
53- syslog(LOG_ERR, "Decrypted passphrase is [%d] bytes long; "
54- "[%d] is the max\n", decrypted_passphrase_bytes,
55+ if (decrypted_passphrase_bytes < 1 ||
56+ decrypted_passphrase_bytes > ECRYPTFS_MAX_PASSPHRASE_BYTES) {
57+ syslog(LOG_ERR, "Decrypted passphrase size is invalid; [1] to [%d] is the valid range\n",
58 ECRYPTFS_MAX_PASSPHRASE_BYTES);
59 rc = -EIO;
60 goto out;
61
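Review bot: the replacement syslog message in this key_management.c hunk drops the measured length that the old "Decrypted passphrase is [%d] bytes long" message reported, so a rejection no longer says whether the passphrase was empty or too long; keep `decrypted_passphrase_bytes` in the format, e.g. `"Decrypted passphrase size [%d] is invalid; [1] to [%d] is the valid range\n"`. The new format-string line also runs well past 80 columns, where the original wrapped it. Reusing `rc = -EIO` for the zero-length case keeps callers on the same failure path as the existing over-long case, which is consistent.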
62=== modified file 'src/libecryptfs/main.c'
63--- src/libecryptfs/main.c 2013-10-25 19:45:09 +0000
64+++ src/libecryptfs/main.c 2015-03-25 17:27:05 +0000
65@@ -224,10 +224,11 @@
66 int rc = 0;
67
68 passphrase_size = strlen(passphrase);
69- if (passphrase_size > ECRYPTFS_MAX_PASSPHRASE_BYTES) {
70+ if (passphrase_size < 1 ||
71+ passphrase_size > ECRYPTFS_MAX_PASSPHRASE_BYTES) {
72 passphrase_sig = NULL;
73- syslog(LOG_ERR, "Passphrase too large (%d bytes)\n",
74- passphrase_size);
75+ syslog(LOG_ERR, "Passphrase size is invalid; [1] to [%d] is the valid range\n",
76+ ECRYPTFS_MAX_PASSPHRASE_BYTES);
77 return -EINVAL;
78 }
79 memcpy(salt_and_passphrase, salt, ECRYPTFS_SALT_SIZE);
80
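Review bot: same diagnostic regression in generate_passphrase_sig(): the old "Passphrase too large (%d bytes)" message logged `passphrase_size`, while the new one logs only the fixed range, so the log no longer distinguishes an empty wrapping passphrase from an over-long one; log both the actual size and the range. Note that the lower bound of 1 only rejects the empty string, so a one-character or whitespace-only wrapping passphrase still passes; that matches the description's statement that this is a first step rather than a strength check, but it is worth recording in the commit message. Setting `passphrase_sig = NULL` before `return -EINVAL` is the right shape, since it leaves callers nothing stale to use on the error path.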
81=== modified file 'tests/userspace/wrap-unwrap/test.c'
82--- tests/userspace/wrap-unwrap/test.c 2013-10-27 16:52:03 +0000
83+++ tests/userspace/wrap-unwrap/test.c 2015-03-25 17:27:05 +0000
84@@ -106,6 +106,21 @@
85 rc = 1;
86 goto out;
87 }
88+
89+ /* Ensure that an empty passphrase is rejected */
90+ if ((rc = ecryptfs_wrap_passphrase(path, "testwrappw", salt, "")) == 0) {
91+ fprintf(stderr, "ecryptfs_wrap_passphrase() wrapped an empty passphrase\n");
92+ rc = 1;
93+ goto out;
94+ }
95+
96+ /* Ensure that an empty wrapping passphrase is rejected */
97+ if ((rc = ecryptfs_wrap_passphrase(path, "", salt, "testpassphrase")) == 0) {
98+ fprintf(stderr, "ecryptfs_wrap_passphrase() used an empty wrapping passphrase\n");
99+ rc = 1;
100+ goto out;
101+ }
102+
103 rc = 0;
104 out:
105 return rc;
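Review bot: both new test cases only assert that ecryptfs_wrap_passphrase() returns non-zero, so a failure for an unrelated reason (for example `path` not being writable) would pass as a successful rejection; comparing against the specific error the library returns on rejection would be stronger (the hunks above return -EINVAL from generate_passphrase_sig() and -EIO from key_management.c, assuming ecryptfs_wrap_passphrase() propagates them). Also, `rc` is overwritten with 1 on the failing branch before the message is printed, so the original return value is lost; including it in the fprintf would help when the test fails. The two fprintf lines exceed 80 columns.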
