1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26#include <linux/fs.h>
27#include <linux/mount.h>
28#include <linux/pagemap.h>
29#include <linux/random.h>
30#include <linux/compiler.h>
31#include <linux/key.h>
32#include <linux/namei.h>
33#include <linux/crypto.h>
34#include <linux/file.h>
35#include <linux/scatterlist.h>
36#include <asm/unaligned.h>
37#include "ecryptfs_kernel.h"
38
39static int
40ecryptfs_decrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat,
41 struct page *dst_page, int dst_offset,
42 struct page *src_page, int src_offset, int size,
43 unsigned char *iv);
44static int
45ecryptfs_encrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat,
46 struct page *dst_page, int dst_offset,
47 struct page *src_page, int src_offset, int size,
48 unsigned char *iv);
49
50
51
52
53
54
55
56
57void ecryptfs_to_hex(char *dst, char *src, size_t src_size)
58{
59 int x;
60
61 for (x = 0; x < src_size; x++)
62 sprintf(&dst[x * 2], "%.2x", (unsigned char)src[x]);
63}
64
65
66
67
68
69
70
71
72void ecryptfs_from_hex(char *dst, char *src, int dst_size)
73{
74 int x;
75 char tmp[3] = { 0, };
76
77 for (x = 0; x < dst_size; x++) {
78 tmp[0] = src[x * 2];
79 tmp[1] = src[x * 2 + 1];
80 dst[x] = (unsigned char)simple_strtol(tmp, NULL, 16);
81 }
82}
83
84
85
86
87
88
89
90
91
92
93
94static int ecryptfs_calculate_md5(char *dst,
95 struct ecryptfs_crypt_stat *crypt_stat,
96 char *src, int len)
97{
98 struct scatterlist sg;
99 struct hash_desc desc = {
100 .tfm = crypt_stat->hash_tfm,
101 .flags = CRYPTO_TFM_REQ_MAY_SLEEP
102 };
103 int rc = 0;
104
105 mutex_lock(&crypt_stat->cs_hash_tfm_mutex);
106 sg_init_one(&sg, (u8 *)src, len);
107 if (!desc.tfm) {
108 desc.tfm = crypto_alloc_hash(ECRYPTFS_DEFAULT_HASH, 0,
109 CRYPTO_ALG_ASYNC);
110 if (IS_ERR(desc.tfm)) {
111 rc = PTR_ERR(desc.tfm);
112 ecryptfs_printk(KERN_ERR, "Error attempting to "
113 "allocate crypto context; rc = [%d]\n",
114 rc);
115 goto out;
116 }
117 crypt_stat->hash_tfm = desc.tfm;
118 }
119 rc = crypto_hash_init(&desc);
120 if (rc) {
121 printk(KERN_ERR
122 "%s: Error initializing crypto hash; rc = [%d]\n",
123 __func__, rc);
124 goto out;
125 }
126 rc = crypto_hash_update(&desc, &sg, len);
127 if (rc) {
128 printk(KERN_ERR
129 "%s: Error updating crypto hash; rc = [%d]\n",
130 __func__, rc);
131 goto out;
132 }
133 rc = crypto_hash_final(&desc, dst);
134 if (rc) {
135 printk(KERN_ERR
136 "%s: Error finalizing crypto hash; rc = [%d]\n",
137 __func__, rc);
138 goto out;
139 }
140out:
141 mutex_unlock(&crypt_stat->cs_hash_tfm_mutex);
142 return rc;
143}
144
145static int ecryptfs_crypto_api_algify_cipher_name(char **algified_name,
146 char *cipher_name,
147 char *chaining_modifier)
148{
149 int cipher_name_len = strlen(cipher_name);
150 int chaining_modifier_len = strlen(chaining_modifier);
151 int algified_name_len;
152 int rc;
153
154 algified_name_len = (chaining_modifier_len + cipher_name_len + 3);
155 (*algified_name) = kmalloc(algified_name_len, GFP_KERNEL);
156 if (!(*algified_name)) {
157 rc = -ENOMEM;
158 goto out;
159 }
160 snprintf((*algified_name), algified_name_len, "%s(%s)",
161 chaining_modifier, cipher_name);
162 rc = 0;
163out:
164 return rc;
165}
166
167
168
169
170
171
172
173
174
175
176
177
178int ecryptfs_derive_iv(char *iv, struct ecryptfs_crypt_stat *crypt_stat,
179 loff_t offset)
180{
181 int rc = 0;
182 char dst[MD5_DIGEST_SIZE];
183 char src[ECRYPTFS_MAX_IV_BYTES + 16];
184
185 if (unlikely(ecryptfs_verbosity > 0)) {
186 ecryptfs_printk(KERN_DEBUG, "root iv:\n");
187 ecryptfs_dump_hex(crypt_stat->root_iv, crypt_stat->iv_bytes);
188 }
189
190
191
192
193 memcpy(src, crypt_stat->root_iv, crypt_stat->iv_bytes);
194 memset((src + crypt_stat->iv_bytes), 0, 16);
195 snprintf((src + crypt_stat->iv_bytes), 16, "%lld", offset);
196 if (unlikely(ecryptfs_verbosity > 0)) {
197 ecryptfs_printk(KERN_DEBUG, "source:\n");
198 ecryptfs_dump_hex(src, (crypt_stat->iv_bytes + 16));
199 }
200 rc = ecryptfs_calculate_md5(dst, crypt_stat, src,
201 (crypt_stat->iv_bytes + 16));
202 if (rc) {
203 ecryptfs_printk(KERN_WARNING, "Error attempting to compute "
204 "MD5 while generating IV for a page\n");
205 goto out;
206 }
207 memcpy(iv, dst, crypt_stat->iv_bytes);
208 if (unlikely(ecryptfs_verbosity > 0)) {
209 ecryptfs_printk(KERN_DEBUG, "derived iv:\n");
210 ecryptfs_dump_hex(iv, crypt_stat->iv_bytes);
211 }
212out:
213 return rc;
214}
215
216
217
218
219
220
221
222void
223ecryptfs_init_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat)
224{
225 memset((void *)crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));
226 INIT_LIST_HEAD(&crypt_stat->keysig_list);
227 mutex_init(&crypt_stat->keysig_list_mutex);
228 mutex_init(&crypt_stat->cs_mutex);
229 mutex_init(&crypt_stat->cs_tfm_mutex);
230 mutex_init(&crypt_stat->cs_hash_tfm_mutex);
231 crypt_stat->flags |= ECRYPTFS_STRUCT_INITIALIZED;
232}
233
234
235
236
237
238
239
240void ecryptfs_destroy_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat)
241{
242 struct ecryptfs_key_sig *key_sig, *key_sig_tmp;
243
244 if (crypt_stat->tfm)
245 crypto_free_blkcipher(crypt_stat->tfm);
246 if (crypt_stat->hash_tfm)
247 crypto_free_hash(crypt_stat->hash_tfm);
248 list_for_each_entry_safe(key_sig, key_sig_tmp,
249 &crypt_stat->keysig_list, crypt_stat_list) {
250 list_del(&key_sig->crypt_stat_list);
251 kmem_cache_free(ecryptfs_key_sig_cache, key_sig);
252 }
253 memset(crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));
254}
255
256void ecryptfs_destroy_mount_crypt_stat(
257 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
258{
259 struct ecryptfs_global_auth_tok *auth_tok, *auth_tok_tmp;
260
261 if (!(mount_crypt_stat->flags & ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED))
262 return;
263 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
264 list_for_each_entry_safe(auth_tok, auth_tok_tmp,
265 &mount_crypt_stat->global_auth_tok_list,
266 mount_crypt_stat_list) {
267 list_del(&auth_tok->mount_crypt_stat_list);
268 mount_crypt_stat->num_global_auth_toks--;
269 if (auth_tok->global_auth_tok_key
270 && !(auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID))
271 key_put(auth_tok->global_auth_tok_key);
272 kmem_cache_free(ecryptfs_global_auth_tok_cache, auth_tok);
273 }
274 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
275 memset(mount_crypt_stat, 0, sizeof(struct ecryptfs_mount_crypt_stat));
276}
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291int virt_to_scatterlist(const void *addr, int size, struct scatterlist *sg,
292 int sg_size)
293{
294 int i = 0;
295 struct page *pg;
296 int offset;
297 int remainder_of_page;
298
299 sg_init_table(sg, sg_size);
300
301 while (size > 0 && i < sg_size) {
302 pg = virt_to_page(addr);
303 offset = offset_in_page(addr);
304 if (sg)
305 sg_set_page(&sg[i], pg, 0, offset);
306 remainder_of_page = PAGE_CACHE_SIZE - offset;
307 if (size >= remainder_of_page) {
308 if (sg)
309 sg[i].length = remainder_of_page;
310 addr += remainder_of_page;
311 size -= remainder_of_page;
312 } else {
313 if (sg)
314 sg[i].length = size;
315 addr += size;
316 size = 0;
317 }
318 i++;
319 }
320 if (size > 0)
321 return -ENOMEM;
322 return i;
323}
324
325
326
327
328
329
330
331
332
333
334
335static int encrypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat,
336 struct scatterlist *dest_sg,
337 struct scatterlist *src_sg, int size,
338 unsigned char *iv)
339{
340 struct blkcipher_desc desc = {
341 .tfm = crypt_stat->tfm,
342 .info = iv,
343 .flags = CRYPTO_TFM_REQ_MAY_SLEEP
344 };
345 int rc = 0;
346
347 BUG_ON(!crypt_stat || !crypt_stat->tfm
348 || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED));
349 if (unlikely(ecryptfs_verbosity > 0)) {
350 ecryptfs_printk(KERN_DEBUG, "Key size [%d]; key:\n",
351 crypt_stat->key_size);
352 ecryptfs_dump_hex(crypt_stat->key,
353 crypt_stat->key_size);
354 }
355
356 mutex_lock(&crypt_stat->cs_tfm_mutex);
357 if (!(crypt_stat->flags & ECRYPTFS_KEY_SET)) {
358 rc = crypto_blkcipher_setkey(crypt_stat->tfm, crypt_stat->key,
359 crypt_stat->key_size);
360 crypt_stat->flags |= ECRYPTFS_KEY_SET;
361 }
362 if (rc) {
363 ecryptfs_printk(KERN_ERR, "Error setting key; rc = [%d]\n",
364 rc);
365 mutex_unlock(&crypt_stat->cs_tfm_mutex);
366 rc = -EINVAL;
367 goto out;
368 }
369 ecryptfs_printk(KERN_DEBUG, "Encrypting [%d] bytes.\n", size);
370 crypto_blkcipher_encrypt_iv(&desc, dest_sg, src_sg, size);
371 mutex_unlock(&crypt_stat->cs_tfm_mutex);
372out:
373 return rc;
374}
375
376
377
378
379
380
381static void ecryptfs_lower_offset_for_extent(loff_t *offset, loff_t extent_num,
382 struct ecryptfs_crypt_stat *crypt_stat)
383{
384 (*offset) = (crypt_stat->num_header_bytes_at_front
385 + (crypt_stat->extent_size * extent_num));
386}
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401static int ecryptfs_encrypt_extent(struct page *enc_extent_page,
402 struct ecryptfs_crypt_stat *crypt_stat,
403 struct page *page,
404 unsigned long extent_offset)
405{
406 loff_t extent_base;
407 char extent_iv[ECRYPTFS_MAX_IV_BYTES];
408 int rc;
409
410 extent_base = (((loff_t)page->index)
411 * (PAGE_CACHE_SIZE / crypt_stat->extent_size));
412 rc = ecryptfs_derive_iv(extent_iv, crypt_stat,
413 (extent_base + extent_offset));
414 if (rc) {
415 ecryptfs_printk(KERN_ERR, "Error attempting to "
416 "derive IV for extent [0x%.16x]; "
417 "rc = [%d]\n", (extent_base + extent_offset),
418 rc);
419 goto out;
420 }
421 if (unlikely(ecryptfs_verbosity > 0)) {
422 ecryptfs_printk(KERN_DEBUG, "Encrypting extent "
423 "with iv:\n");
424 ecryptfs_dump_hex(extent_iv, crypt_stat->iv_bytes);
425 ecryptfs_printk(KERN_DEBUG, "First 8 bytes before "
426 "encryption:\n");
427 ecryptfs_dump_hex((char *)
428 (page_address(page)
429 + (extent_offset * crypt_stat->extent_size)),
430 8);
431 }
432 rc = ecryptfs_encrypt_page_offset(crypt_stat, enc_extent_page, 0,
433 page, (extent_offset
434 * crypt_stat->extent_size),
435 crypt_stat->extent_size, extent_iv);
436 if (rc < 0) {
437 printk(KERN_ERR "%s: Error attempting to encrypt page with "
438 "page->index = [%ld], extent_offset = [%ld]; "
439 "rc = [%d]\n", __func__, page->index, extent_offset,
440 rc);
441 goto out;
442 }
443 rc = 0;
444 if (unlikely(ecryptfs_verbosity > 0)) {
445 ecryptfs_printk(KERN_DEBUG, "Encrypt extent [0x%.16x]; "
446 "rc = [%d]\n", (extent_base + extent_offset),
447 rc);
448 ecryptfs_printk(KERN_DEBUG, "First 8 bytes after "
449 "encryption:\n");
450 ecryptfs_dump_hex((char *)(page_address(enc_extent_page)), 8);
451 }
452out:
453 return rc;
454}
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472int ecryptfs_encrypt_page(struct page *page)
473{
474 struct inode *ecryptfs_inode;
475 struct ecryptfs_crypt_stat *crypt_stat;
476 char *enc_extent_virt;
477 struct page *enc_extent_page = NULL;
478 loff_t extent_offset;
479 int rc = 0;
480
481 ecryptfs_inode = page->mapping->host;
482 crypt_stat =
483 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
484 BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED));
485 enc_extent_page = alloc_page(GFP_USER);
486 if (!enc_extent_page) {
487 rc = -ENOMEM;
488 ecryptfs_printk(KERN_ERR, "Error allocating memory for "
489 "encrypted extent\n");
490 goto out;
491 }
492 enc_extent_virt = kmap(enc_extent_page);
493 for (extent_offset = 0;
494 extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size);
495 extent_offset++) {
496 loff_t offset;
497
498 rc = ecryptfs_encrypt_extent(enc_extent_page, crypt_stat, page,
499 extent_offset);
500 if (rc) {
501 printk(KERN_ERR "%s: Error encrypting extent; "
502 "rc = [%d]\n", __func__, rc);
503 goto out;
504 }
505 ecryptfs_lower_offset_for_extent(
506 &offset, ((((loff_t)page->index)
507 * (PAGE_CACHE_SIZE
508 / crypt_stat->extent_size))
509 + extent_offset), crypt_stat);
510 rc = ecryptfs_write_lower(ecryptfs_inode, enc_extent_virt,
511 offset, crypt_stat->extent_size);
512 if (rc < 0) {
513 ecryptfs_printk(KERN_ERR, "Error attempting "
514 "to write lower page; rc = [%d]"
515 "\n", rc);
516 goto out;
517 }
518 }
519 rc = 0;
520out:
521 if (enc_extent_page) {
522 kunmap(enc_extent_page);
523 __free_page(enc_extent_page);
524 }
525 return rc;
526}
527
528static int ecryptfs_decrypt_extent(struct page *page,
529 struct ecryptfs_crypt_stat *crypt_stat,
530 struct page *enc_extent_page,
531 unsigned long extent_offset)
532{
533 loff_t extent_base;
534 char extent_iv[ECRYPTFS_MAX_IV_BYTES];
535 int rc;
536
537 extent_base = (((loff_t)page->index)
538 * (PAGE_CACHE_SIZE / crypt_stat->extent_size));
539 rc = ecryptfs_derive_iv(extent_iv, crypt_stat,
540 (extent_base + extent_offset));
541 if (rc) {
542 ecryptfs_printk(KERN_ERR, "Error attempting to "
543 "derive IV for extent [0x%.16x]; "
544 "rc = [%d]\n", (extent_base + extent_offset),
545 rc);
546 goto out;
547 }
548 if (unlikely(ecryptfs_verbosity > 0)) {
549 ecryptfs_printk(KERN_DEBUG, "Decrypting extent "
550 "with iv:\n");
551 ecryptfs_dump_hex(extent_iv, crypt_stat->iv_bytes);
552 ecryptfs_printk(KERN_DEBUG, "First 8 bytes before "
553 "decryption:\n");
554 ecryptfs_dump_hex((char *)
555 (page_address(enc_extent_page)
556 + (extent_offset * crypt_stat->extent_size)),
557 8);
558 }
559 rc = ecryptfs_decrypt_page_offset(crypt_stat, page,
560 (extent_offset
561 * crypt_stat->extent_size),
562 enc_extent_page, 0,
563 crypt_stat->extent_size, extent_iv);
564 if (rc < 0) {
565 printk(KERN_ERR "%s: Error attempting to decrypt to page with "
566 "page->index = [%ld], extent_offset = [%ld]; "
567 "rc = [%d]\n", __func__, page->index, extent_offset,
568 rc);
569 goto out;
570 }
571 rc = 0;
572 if (unlikely(ecryptfs_verbosity > 0)) {
573 ecryptfs_printk(KERN_DEBUG, "Decrypt extent [0x%.16x]; "
574 "rc = [%d]\n", (extent_base + extent_offset),
575 rc);
576 ecryptfs_printk(KERN_DEBUG, "First 8 bytes after "
577 "decryption:\n");
578 ecryptfs_dump_hex((char *)(page_address(page)
579 + (extent_offset
580 * crypt_stat->extent_size)), 8);
581 }
582out:
583 return rc;
584}
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602int ecryptfs_decrypt_page(struct page *page)
603{
604 struct inode *ecryptfs_inode;
605 struct ecryptfs_crypt_stat *crypt_stat;
606 char *enc_extent_virt;
607 struct page *enc_extent_page = NULL;
608 unsigned long extent_offset;
609 int rc = 0;
610
611 ecryptfs_inode = page->mapping->host;
612 crypt_stat =
613 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
614 BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED));
615 enc_extent_page = alloc_page(GFP_USER);
616 if (!enc_extent_page) {
617 rc = -ENOMEM;
618 ecryptfs_printk(KERN_ERR, "Error allocating memory for "
619 "encrypted extent\n");
620 goto out;
621 }
622 enc_extent_virt = kmap(enc_extent_page);
623 for (extent_offset = 0;
624 extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size);
625 extent_offset++) {
626 loff_t offset;
627
628 ecryptfs_lower_offset_for_extent(
629 &offset, ((page->index * (PAGE_CACHE_SIZE
630 / crypt_stat->extent_size))
631 + extent_offset), crypt_stat);
632 rc = ecryptfs_read_lower(enc_extent_virt, offset,
633 crypt_stat->extent_size,
634 ecryptfs_inode);
635 if (rc < 0) {
636 ecryptfs_printk(KERN_ERR, "Error attempting "
637 "to read lower page; rc = [%d]"
638 "\n", rc);
639 goto out;
640 }
641 rc = ecryptfs_decrypt_extent(page, crypt_stat, enc_extent_page,
642 extent_offset);
643 if (rc) {
644 printk(KERN_ERR "%s: Error encrypting extent; "
645 "rc = [%d]\n", __func__, rc);
646 goto out;
647 }
648 }
649out:
650 if (enc_extent_page) {
651 kunmap(enc_extent_page);
652 __free_page(enc_extent_page);
653 }
654 return rc;
655}
656
657
658
659
660
661
662
663
664
665
666
667static int decrypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat,
668 struct scatterlist *dest_sg,
669 struct scatterlist *src_sg, int size,
670 unsigned char *iv)
671{
672 struct blkcipher_desc desc = {
673 .tfm = crypt_stat->tfm,
674 .info = iv,
675 .flags = CRYPTO_TFM_REQ_MAY_SLEEP
676 };
677 int rc = 0;
678
679
680 mutex_lock(&crypt_stat->cs_tfm_mutex);
681 rc = crypto_blkcipher_setkey(crypt_stat->tfm, crypt_stat->key,
682 crypt_stat->key_size);
683 if (rc) {
684 ecryptfs_printk(KERN_ERR, "Error setting key; rc = [%d]\n",
685 rc);
686 mutex_unlock(&crypt_stat->cs_tfm_mutex);
687 rc = -EINVAL;
688 goto out;
689 }
690 ecryptfs_printk(KERN_DEBUG, "Decrypting [%d] bytes.\n", size);
691 rc = crypto_blkcipher_decrypt_iv(&desc, dest_sg, src_sg, size);
692 mutex_unlock(&crypt_stat->cs_tfm_mutex);
693 if (rc) {
694 ecryptfs_printk(KERN_ERR, "Error decrypting; rc = [%d]\n",
695 rc);
696 goto out;
697 }
698 rc = size;
699out:
700 return rc;
701}
702
703
704
705
706
707
708
709
710
711
712
713
714
715static int
716ecryptfs_encrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat,
717 struct page *dst_page, int dst_offset,
718 struct page *src_page, int src_offset, int size,
719 unsigned char *iv)
720{
721 struct scatterlist src_sg, dst_sg;
722
723 sg_init_table(&src_sg, 1);
724 sg_init_table(&dst_sg, 1);
725
726 sg_set_page(&src_sg, src_page, size, src_offset);
727 sg_set_page(&dst_sg, dst_page, size, dst_offset);
728 return encrypt_scatterlist(crypt_stat, &dst_sg, &src_sg, size, iv);
729}
730
731
732
733
734
735
736
737
738
739
740
741
742
743static int
744ecryptfs_decrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat,
745 struct page *dst_page, int dst_offset,
746 struct page *src_page, int src_offset, int size,
747 unsigned char *iv)
748{
749 struct scatterlist src_sg, dst_sg;
750
751 sg_init_table(&src_sg, 1);
752 sg_set_page(&src_sg, src_page, size, src_offset);
753
754 sg_init_table(&dst_sg, 1);
755 sg_set_page(&dst_sg, dst_page, size, dst_offset);
756
757 return decrypt_scatterlist(crypt_stat, &dst_sg, &src_sg, size, iv);
758}
759
760#define ECRYPTFS_MAX_SCATTERLIST_LEN 4
761
762
763
764
765
766
767
768
769
770
771int ecryptfs_init_crypt_ctx(struct ecryptfs_crypt_stat *crypt_stat)
772{
773 char *full_alg_name;
774 int rc = -EINVAL;
775
776 if (!crypt_stat->cipher) {
777 ecryptfs_printk(KERN_ERR, "No cipher specified\n");
778 goto out;
779 }
780 ecryptfs_printk(KERN_DEBUG,
781 "Initializing cipher [%s]; strlen = [%d]; "
782 "key_size_bits = [%d]\n",
783 crypt_stat->cipher, (int)strlen(crypt_stat->cipher),
784 crypt_stat->key_size << 3);
785 if (crypt_stat->tfm) {
786 rc = 0;
787 goto out;
788 }
789 mutex_lock(&crypt_stat->cs_tfm_mutex);
790 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name,
791 crypt_stat->cipher, "cbc");
792 if (rc)
793 goto out_unlock;
794 crypt_stat->tfm = crypto_alloc_blkcipher(full_alg_name, 0,
795 CRYPTO_ALG_ASYNC);
796 kfree(full_alg_name);
797 if (IS_ERR(crypt_stat->tfm)) {
798 rc = PTR_ERR(crypt_stat->tfm);
799 crypt_stat->tfm = NULL;
800 ecryptfs_printk(KERN_ERR, "cryptfs: init_crypt_ctx(): "
801 "Error initializing cipher [%s]\n",
802 crypt_stat->cipher);
803 goto out_unlock;
804 }
805 crypto_blkcipher_set_flags(crypt_stat->tfm, CRYPTO_TFM_REQ_WEAK_KEY);
806 rc = 0;
807out_unlock:
808 mutex_unlock(&crypt_stat->cs_tfm_mutex);
809out:
810 return rc;
811}
812
813static void set_extent_mask_and_shift(struct ecryptfs_crypt_stat *crypt_stat)
814{
815 int extent_size_tmp;
816
817 crypt_stat->extent_mask = 0xFFFFFFFF;
818 crypt_stat->extent_shift = 0;
819 if (crypt_stat->extent_size == 0)
820 return;
821 extent_size_tmp = crypt_stat->extent_size;
822 while ((extent_size_tmp & 0x01) == 0) {
823 extent_size_tmp >>= 1;
824 crypt_stat->extent_mask <<= 1;
825 crypt_stat->extent_shift++;
826 }
827}
828
829void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat)
830{
831
832
833 crypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE;
834 set_extent_mask_and_shift(crypt_stat);
835 crypt_stat->iv_bytes = ECRYPTFS_DEFAULT_IV_BYTES;
836 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
837 crypt_stat->num_header_bytes_at_front = 0;
838 else {
839 if (PAGE_CACHE_SIZE <= ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)
840 crypt_stat->num_header_bytes_at_front =
841 ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
842 else
843 crypt_stat->num_header_bytes_at_front = PAGE_CACHE_SIZE;
844 }
845}
846
847
848
849
850
851
852
853int ecryptfs_compute_root_iv(struct ecryptfs_crypt_stat *crypt_stat)
854{
855 int rc = 0;
856 char dst[MD5_DIGEST_SIZE];
857
858 BUG_ON(crypt_stat->iv_bytes > MD5_DIGEST_SIZE);
859 BUG_ON(crypt_stat->iv_bytes <= 0);
860 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {
861 rc = -EINVAL;
862 ecryptfs_printk(KERN_WARNING, "Session key not valid; "
863 "cannot generate root IV\n");
864 goto out;
865 }
866 rc = ecryptfs_calculate_md5(dst, crypt_stat, crypt_stat->key,
867 crypt_stat->key_size);
868 if (rc) {
869 ecryptfs_printk(KERN_WARNING, "Error attempting to compute "
870 "MD5 while generating root IV\n");
871 goto out;
872 }
873 memcpy(crypt_stat->root_iv, dst, crypt_stat->iv_bytes);
874out:
875 if (rc) {
876 memset(crypt_stat->root_iv, 0, crypt_stat->iv_bytes);
877 crypt_stat->flags |= ECRYPTFS_SECURITY_WARNING;
878 }
879 return rc;
880}
881
882static void ecryptfs_generate_new_key(struct ecryptfs_crypt_stat *crypt_stat)
883{
884 get_random_bytes(crypt_stat->key, crypt_stat->key_size);
885 crypt_stat->flags |= ECRYPTFS_KEY_VALID;
886 ecryptfs_compute_root_iv(crypt_stat);
887 if (unlikely(ecryptfs_verbosity > 0)) {
888 ecryptfs_printk(KERN_DEBUG, "Generated new session key:\n");
889 ecryptfs_dump_hex(crypt_stat->key,
890 crypt_stat->key_size);
891 }
892}
893
894
895
896
897
898
899
900
901
902static void ecryptfs_copy_mount_wide_flags_to_inode_flags(
903 struct ecryptfs_crypt_stat *crypt_stat,
904 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
905{
906 if (mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED)
907 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
908 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
909 crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED;
910 if (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) {
911 crypt_stat->flags |= ECRYPTFS_ENCRYPT_FILENAMES;
912 if (mount_crypt_stat->flags
913 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)
914 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_MOUNT_FNEK;
915 else if (mount_crypt_stat->flags
916 & ECRYPTFS_GLOBAL_ENCFN_USE_FEK)
917 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_FEK;
918 }
919}
920
921static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs(
922 struct ecryptfs_crypt_stat *crypt_stat,
923 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
924{
925 struct ecryptfs_global_auth_tok *global_auth_tok;
926 int rc = 0;
927
928 mutex_lock(&crypt_stat->keysig_list_mutex);
929 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
930
931 list_for_each_entry(global_auth_tok,
932 &mount_crypt_stat->global_auth_tok_list,
933 mount_crypt_stat_list) {
934 if (global_auth_tok->flags & ECRYPTFS_AUTH_TOK_FNEK)
935 continue;
936 rc = ecryptfs_add_keysig(crypt_stat, global_auth_tok->sig);
937 if (rc) {
938 printk(KERN_ERR "Error adding keysig; rc = [%d]\n", rc);
939 goto out;
940 }
941 }
942
943out:
944 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
945 mutex_unlock(&crypt_stat->keysig_list_mutex);
946 return rc;
947}
948
949
950
951
952
953
954
955
956static void ecryptfs_set_default_crypt_stat_vals(
957 struct ecryptfs_crypt_stat *crypt_stat,
958 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
959{
960 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
961 mount_crypt_stat);
962 ecryptfs_set_default_sizes(crypt_stat);
963 strcpy(crypt_stat->cipher, ECRYPTFS_DEFAULT_CIPHER);
964 crypt_stat->key_size = ECRYPTFS_DEFAULT_KEY_BYTES;
965 crypt_stat->flags &= ~(ECRYPTFS_KEY_VALID);
966 crypt_stat->file_version = ECRYPTFS_FILE_VERSION;
967 crypt_stat->mount_crypt_stat = mount_crypt_stat;
968}
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989int ecryptfs_new_file_context(struct dentry *ecryptfs_dentry)
990{
991 struct ecryptfs_crypt_stat *crypt_stat =
992 &ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat;
993 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
994 &ecryptfs_superblock_to_private(
995 ecryptfs_dentry->d_sb)->mount_crypt_stat;
996 int cipher_name_len;
997 int rc = 0;
998
999 ecryptfs_set_default_crypt_stat_vals(crypt_stat, mount_crypt_stat);
1000 crypt_stat->flags |= (ECRYPTFS_ENCRYPTED | ECRYPTFS_KEY_VALID);
1001 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
1002 mount_crypt_stat);
1003 rc = ecryptfs_copy_mount_wide_sigs_to_inode_sigs(crypt_stat,
1004 mount_crypt_stat);
1005 if (rc) {
1006 printk(KERN_ERR "Error attempting to copy mount-wide key sigs "
1007 "to the inode key sigs; rc = [%d]\n", rc);
1008 goto out;
1009 }
1010 cipher_name_len =
1011 strlen(mount_crypt_stat->global_default_cipher_name);
1012 memcpy(crypt_stat->cipher,
1013 mount_crypt_stat->global_default_cipher_name,
1014 cipher_name_len);
1015 crypt_stat->cipher[cipher_name_len] = '\0';
1016 crypt_stat->key_size =
1017 mount_crypt_stat->global_default_cipher_key_size;
1018 ecryptfs_generate_new_key(crypt_stat);
1019 rc = ecryptfs_init_crypt_ctx(crypt_stat);
1020 if (rc)
1021 ecryptfs_printk(KERN_ERR, "Error initializing cryptographic "
1022 "context for cipher [%s]: rc = [%d]\n",
1023 crypt_stat->cipher, rc);
1024out:
1025 return rc;
1026}
1027
1028
1029
1030
1031
1032
1033
1034static int contains_ecryptfs_marker(char *data)
1035{
1036 u32 m_1, m_2;
1037
1038 m_1 = get_unaligned_be32(data);
1039 m_2 = get_unaligned_be32(data + 4);
1040 if ((m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2)
1041 return 1;
1042 ecryptfs_printk(KERN_DEBUG, "m_1 = [0x%.8x]; m_2 = [0x%.8x]; "
1043 "MAGIC_ECRYPTFS_MARKER = [0x%.8x]\n", m_1, m_2,
1044 MAGIC_ECRYPTFS_MARKER);
1045 ecryptfs_printk(KERN_DEBUG, "(m_1 ^ MAGIC_ECRYPTFS_MARKER) = "
1046 "[0x%.8x]\n", (m_1 ^ MAGIC_ECRYPTFS_MARKER));
1047 return 0;
1048}
1049
1050struct ecryptfs_flag_map_elem {
1051 u32 file_flag;
1052 u32 local_flag;
1053};
1054
1055
1056static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = {
1057 {0x00000001, ECRYPTFS_ENABLE_HMAC},
1058 {0x00000002, ECRYPTFS_ENCRYPTED},
1059 {0x00000004, ECRYPTFS_METADATA_IN_XATTR},
1060 {0x00000008, ECRYPTFS_ENCRYPT_FILENAMES}
1061};
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071static int ecryptfs_process_flags(struct ecryptfs_crypt_stat *crypt_stat,
1072 char *page_virt, int *bytes_read)
1073{
1074 int rc = 0;
1075 int i;
1076 u32 flags;
1077
1078 flags = get_unaligned_be32(page_virt);
1079 for (i = 0; i < ((sizeof(ecryptfs_flag_map)
1080 / sizeof(struct ecryptfs_flag_map_elem))); i++)
1081 if (flags & ecryptfs_flag_map[i].file_flag) {
1082 crypt_stat->flags |= ecryptfs_flag_map[i].local_flag;
1083 } else
1084 crypt_stat->flags &= ~(ecryptfs_flag_map[i].local_flag);
1085
1086 crypt_stat->file_version = ((flags >> 24) & 0xFF);
1087 (*bytes_read) = 4;
1088 return rc;
1089}
1090
1091
1092
1093
1094
1095
1096
1097
1098static void write_ecryptfs_marker(char *page_virt, size_t *written)
1099{
1100 u32 m_1, m_2;
1101
1102 get_random_bytes(&m_1, (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2));
1103 m_2 = (m_1 ^ MAGIC_ECRYPTFS_MARKER);
1104 put_unaligned_be32(m_1, page_virt);
1105 page_virt += (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2);
1106 put_unaligned_be32(m_2, page_virt);
1107 (*written) = MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;
1108}
1109
1110static void
1111write_ecryptfs_flags(char *page_virt, struct ecryptfs_crypt_stat *crypt_stat,
1112 size_t *written)
1113{
1114 u32 flags = 0;
1115 int i;
1116
1117 for (i = 0; i < ((sizeof(ecryptfs_flag_map)
1118 / sizeof(struct ecryptfs_flag_map_elem))); i++)
1119 if (crypt_stat->flags & ecryptfs_flag_map[i].local_flag)
1120 flags |= ecryptfs_flag_map[i].file_flag;
1121
1122 flags |= ((((u8)crypt_stat->file_version) << 24) & 0xFF000000);
1123 put_unaligned_be32(flags, page_virt);
1124 (*written) = 4;
1125}
1126
1127struct ecryptfs_cipher_code_str_map_elem {
1128 char cipher_str[16];
1129 u8 cipher_code;
1130};
1131
1132
1133
1134
1135static struct ecryptfs_cipher_code_str_map_elem
1136ecryptfs_cipher_code_str_map[] = {
1137 {"aes",RFC2440_CIPHER_AES_128 },
1138 {"blowfish", RFC2440_CIPHER_BLOWFISH},
1139 {"des3_ede", RFC2440_CIPHER_DES3_EDE},
1140 {"cast5", RFC2440_CIPHER_CAST_5},
1141 {"twofish", RFC2440_CIPHER_TWOFISH},
1142 {"cast6", RFC2440_CIPHER_CAST_6},
1143 {"aes", RFC2440_CIPHER_AES_192},
1144 {"aes", RFC2440_CIPHER_AES_256}
1145};
1146
1147
1148
1149
1150
1151
1152
1153
1154u8 ecryptfs_code_for_cipher_string(char *cipher_name, size_t key_bytes)
1155{
1156 int i;
1157 u8 code = 0;
1158 struct ecryptfs_cipher_code_str_map_elem *map =
1159 ecryptfs_cipher_code_str_map;
1160
1161 if (strcmp(cipher_name, "aes") == 0) {
1162 switch (key_bytes) {
1163 case 16:
1164 code = RFC2440_CIPHER_AES_128;
1165 break;
1166 case 24:
1167 code = RFC2440_CIPHER_AES_192;
1168 break;
1169 case 32:
1170 code = RFC2440_CIPHER_AES_256;
1171 }
1172 } else {
1173 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++)
1174 if (strcmp(cipher_name, map[i].cipher_str) == 0) {
1175 code = map[i].cipher_code;
1176 break;
1177 }
1178 }
1179 return code;
1180}
1181
1182
1183
1184
1185
1186
1187
1188
1189int ecryptfs_cipher_code_to_string(char *str, u8 cipher_code)
1190{
1191 int rc = 0;
1192 int i;
1193
1194 str[0] = '\0';
1195 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++)
1196 if (cipher_code == ecryptfs_cipher_code_str_map[i].cipher_code)
1197 strcpy(str, ecryptfs_cipher_code_str_map[i].cipher_str);
1198 if (str[0] == '\0') {
1199 ecryptfs_printk(KERN_WARNING, "Cipher code not recognized: "
1200 "[%d]\n", cipher_code);
1201 rc = -EINVAL;
1202 }
1203 return rc;
1204}
1205
1206int ecryptfs_read_and_validate_header_region(char *data,
1207 struct inode *ecryptfs_inode)
1208{
1209 struct ecryptfs_crypt_stat *crypt_stat =
1210 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
1211 int rc;
1212
1213 if (crypt_stat->extent_size == 0)
1214 crypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE;
1215 rc = ecryptfs_read_lower(data, 0, crypt_stat->extent_size,
1216 ecryptfs_inode);
1217 if (rc < 0) {
1218 printk(KERN_ERR "%s: Error reading header region; rc = [%d]\n",
1219 __func__, rc);
1220 goto out;
1221 }
1222 if (!contains_ecryptfs_marker(data + ECRYPTFS_FILE_SIZE_BYTES)) {
1223 rc = -EINVAL;
1224 } else
1225 rc = 0;
1226out:
1227 return rc;
1228}
1229
1230void
1231ecryptfs_write_header_metadata(char *virt,
1232 struct ecryptfs_crypt_stat *crypt_stat,
1233 size_t *written)
1234{
1235 u32 header_extent_size;
1236 u16 num_header_extents_at_front;
1237
1238 header_extent_size = (u32)crypt_stat->extent_size;
1239 num_header_extents_at_front =
1240 (u16)(crypt_stat->num_header_bytes_at_front
1241 / crypt_stat->extent_size);
1242 put_unaligned_be32(header_extent_size, virt);
1243 virt += 4;
1244 put_unaligned_be16(num_header_extents_at_front, virt);
1245 (*written) = 6;
1246}
1247
1248struct kmem_cache *ecryptfs_header_cache_1;
1249struct kmem_cache *ecryptfs_header_cache_2;
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282static int ecryptfs_write_headers_virt(char *page_virt, size_t max,
1283 size_t *size,
1284 struct ecryptfs_crypt_stat *crypt_stat,
1285 struct dentry *ecryptfs_dentry)
1286{
1287 int rc;
1288 size_t written;
1289 size_t offset;
1290
1291 offset = ECRYPTFS_FILE_SIZE_BYTES;
1292 write_ecryptfs_marker((page_virt + offset), &written);
1293 offset += written;
1294 write_ecryptfs_flags((page_virt + offset), crypt_stat, &written);
1295 offset += written;
1296 ecryptfs_write_header_metadata((page_virt + offset), crypt_stat,
1297 &written);
1298 offset += written;
1299 rc = ecryptfs_generate_key_packet_set((page_virt + offset), crypt_stat,
1300 ecryptfs_dentry, &written,
1301 max - offset);
1302 if (rc)
1303 ecryptfs_printk(KERN_WARNING, "Error generating key packet "
1304 "set; rc = [%d]\n", rc);
1305 if (size) {
1306 offset += written;
1307 *size = offset;
1308 }
1309 return rc;
1310}
1311
1312static int
1313ecryptfs_write_metadata_to_contents(struct dentry *ecryptfs_dentry,
1314 char *virt, size_t virt_len)
1315{
1316 int rc;
1317
1318 rc = ecryptfs_write_lower(ecryptfs_dentry->d_inode, virt,
1319 0, virt_len);
1320 if (rc < 0)
1321 printk(KERN_ERR "%s: Error attempting to write header "
1322 "information to lower file; rc = [%d]\n", __func__, rc);
1323 else
1324 rc = 0;
1325 return rc;
1326}
1327
1328static int
1329ecryptfs_write_metadata_to_xattr(struct dentry *ecryptfs_dentry,
1330 char *page_virt, size_t size)
1331{
1332 int rc;
1333
1334 rc = ecryptfs_setxattr(ecryptfs_dentry, ECRYPTFS_XATTR_NAME, page_virt,
1335 size, 0);
1336 return rc;
1337}
1338
1339static unsigned long ecryptfs_get_zeroed_pages(gfp_t gfp_mask,
1340 unsigned int order)
1341{
1342 struct page *page;
1343
1344 page = alloc_pages(gfp_mask | __GFP_ZERO, order);
1345 if (page)
1346 return (unsigned long) page_address(page);
1347 return 0;
1348}
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry)
1363{
1364 struct ecryptfs_crypt_stat *crypt_stat =
1365 &ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat;
1366 unsigned int order;
1367 char *virt;
1368 size_t virt_len;
1369 size_t size = 0;
1370 int rc = 0;
1371
1372 if (likely(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) {
1373 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {
1374 printk(KERN_ERR "Key is invalid; bailing out\n");
1375 rc = -EINVAL;
1376 goto out;
1377 }
1378 } else {
1379 printk(KERN_WARNING "%s: Encrypted flag not set\n",
1380 __func__);
1381 rc = -EINVAL;
1382 goto out;
1383 }
1384 virt_len = crypt_stat->num_header_bytes_at_front;
1385 order = get_order(virt_len);
1386
1387 virt = (char *)ecryptfs_get_zeroed_pages(GFP_KERNEL, order);
1388 if (!virt) {
1389 printk(KERN_ERR "%s: Out of memory\n", __func__);
1390 rc = -ENOMEM;
1391 goto out;
1392 }
1393 rc = ecryptfs_write_headers_virt(virt, virt_len, &size, crypt_stat,
1394 ecryptfs_dentry);
1395 if (unlikely(rc)) {
1396 printk(KERN_ERR "%s: Error whilst writing headers; rc = [%d]\n",
1397 __func__, rc);
1398 goto out_free;
1399 }
1400 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
1401 rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, virt,
1402 size);
1403 else
1404 rc = ecryptfs_write_metadata_to_contents(ecryptfs_dentry, virt,
1405 virt_len);
1406 if (rc) {
1407 printk(KERN_ERR "%s: Error writing metadata out to lower file; "
1408 "rc = [%d]\n", __func__, rc);
1409 goto out_free;
1410 }
1411out_free:
1412 free_pages((unsigned long)virt, order);
1413out:
1414 return rc;
1415}
1416
1417#define ECRYPTFS_DONT_VALIDATE_HEADER_SIZE 0
1418#define ECRYPTFS_VALIDATE_HEADER_SIZE 1
1419static int parse_header_metadata(struct ecryptfs_crypt_stat *crypt_stat,
1420 char *virt, int *bytes_read,
1421 int validate_header_size)
1422{
1423 int rc = 0;
1424 u32 header_extent_size;
1425 u16 num_header_extents_at_front;
1426
1427 header_extent_size = get_unaligned_be32(virt);
1428 virt += sizeof(__be32);
1429 num_header_extents_at_front = get_unaligned_be16(virt);
1430 crypt_stat->num_header_bytes_at_front =
1431 (((size_t)num_header_extents_at_front
1432 * (size_t)header_extent_size));
1433 (*bytes_read) = (sizeof(__be32) + sizeof(__be16));
1434 if ((validate_header_size == ECRYPTFS_VALIDATE_HEADER_SIZE)
1435 && (crypt_stat->num_header_bytes_at_front
1436 < ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)) {
1437 rc = -EINVAL;
1438 printk(KERN_WARNING "Invalid header size: [%zd]\n",
1439 crypt_stat->num_header_bytes_at_front);
1440 }
1441 return rc;
1442}
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat)
1453{
1454 crypt_stat->num_header_bytes_at_front =
1455 ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
1456}
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470static int ecryptfs_read_headers_virt(char *page_virt,
1471 struct ecryptfs_crypt_stat *crypt_stat,
1472 struct dentry *ecryptfs_dentry,
1473 int validate_header_size)
1474{
1475 int rc = 0;
1476 int offset;
1477 int bytes_read;
1478
1479 ecryptfs_set_default_sizes(crypt_stat);
1480 crypt_stat->mount_crypt_stat = &ecryptfs_superblock_to_private(
1481 ecryptfs_dentry->d_sb)->mount_crypt_stat;
1482 offset = ECRYPTFS_FILE_SIZE_BYTES;
1483 rc = contains_ecryptfs_marker(page_virt + offset);
1484 if (rc == 0) {
1485 rc = -EINVAL;
1486 goto out;
1487 }
1488 offset += MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;
1489 rc = ecryptfs_process_flags(crypt_stat, (page_virt + offset),
1490 &bytes_read);
1491 if (rc) {
1492 ecryptfs_printk(KERN_WARNING, "Error processing flags\n");
1493 goto out;
1494 }
1495 if (crypt_stat->file_version > ECRYPTFS_SUPPORTED_FILE_VERSION) {
1496 ecryptfs_printk(KERN_WARNING, "File version is [%d]; only "
1497 "file version [%d] is supported by this "
1498 "version of eCryptfs\n",
1499 crypt_stat->file_version,
1500 ECRYPTFS_SUPPORTED_FILE_VERSION);
1501 rc = -EINVAL;
1502 goto out;
1503 }
1504 offset += bytes_read;
1505 if (crypt_stat->file_version >= 1) {
1506 rc = parse_header_metadata(crypt_stat, (page_virt + offset),
1507 &bytes_read, validate_header_size);
1508 if (rc) {
1509 ecryptfs_printk(KERN_WARNING, "Error reading header "
1510 "metadata; rc = [%d]\n", rc);
1511 }
1512 offset += bytes_read;
1513 } else
1514 set_default_header_data(crypt_stat);
1515 rc = ecryptfs_parse_packet_set(crypt_stat, (page_virt + offset),
1516 ecryptfs_dentry);
1517out:
1518 return rc;
1519}
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531int ecryptfs_read_xattr_region(char *page_virt, struct inode *ecryptfs_inode)
1532{
1533 struct dentry *lower_dentry =
1534 ecryptfs_inode_to_private(ecryptfs_inode)->lower_file->f_dentry;
1535 ssize_t size;
1536 int rc = 0;
1537
1538 size = ecryptfs_getxattr_lower(lower_dentry, ECRYPTFS_XATTR_NAME,
1539 page_virt, ECRYPTFS_DEFAULT_EXTENT_SIZE);
1540 if (size < 0) {
1541 if (unlikely(ecryptfs_verbosity > 0))
1542 printk(KERN_INFO "Error attempting to read the [%s] "
1543 "xattr from the lower file; return value = "
1544 "[%zd]\n", ECRYPTFS_XATTR_NAME, size);
1545 rc = -EINVAL;
1546 goto out;
1547 }
1548out:
1549 return rc;
1550}
1551
1552int ecryptfs_read_and_validate_xattr_region(char *page_virt,
1553 struct dentry *ecryptfs_dentry)
1554{
1555 int rc;
1556
1557 rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_dentry->d_inode);
1558 if (rc)
1559 goto out;
1560 if (!contains_ecryptfs_marker(page_virt + ECRYPTFS_FILE_SIZE_BYTES)) {
1561 printk(KERN_WARNING "Valid data found in [%s] xattr, but "
1562 "the marker is invalid\n", ECRYPTFS_XATTR_NAME);
1563 rc = -EINVAL;
1564 }
1565out:
1566 return rc;
1567}
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)
1582{
1583 int rc = 0;
1584 char *page_virt = NULL;
1585 struct inode *ecryptfs_inode = ecryptfs_dentry->d_inode;
1586 struct ecryptfs_crypt_stat *crypt_stat =
1587 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
1588 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
1589 &ecryptfs_superblock_to_private(
1590 ecryptfs_dentry->d_sb)->mount_crypt_stat;
1591
1592 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
1593 mount_crypt_stat);
1594
1595 page_virt = kmem_cache_alloc(ecryptfs_header_cache_1, GFP_USER);
1596 if (!page_virt) {
1597 rc = -ENOMEM;
1598 printk(KERN_ERR "%s: Unable to allocate page_virt\n",
1599 __func__);
1600 goto out;
1601 }
1602 rc = ecryptfs_read_lower(page_virt, 0, crypt_stat->extent_size,
1603 ecryptfs_inode);
1604 if (rc >= 0)
1605 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat,
1606 ecryptfs_dentry,
1607 ECRYPTFS_VALIDATE_HEADER_SIZE);
1608 if (rc) {
1609 rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode);
1610 if (rc) {
1611 printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1612 "file header region or xattr region\n");
1613 rc = -EINVAL;
1614 goto out;
1615 }
1616 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat,
1617 ecryptfs_dentry,
1618 ECRYPTFS_DONT_VALIDATE_HEADER_SIZE);
1619 if (rc) {
1620 printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1621 "file xattr region either\n");
1622 rc = -EINVAL;
1623 }
1624 if (crypt_stat->mount_crypt_stat->flags
1625 & ECRYPTFS_XATTR_METADATA_ENABLED) {
1626 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
1627 } else {
1628 printk(KERN_WARNING "Attempt to access file with "
1629 "crypto metadata only in the extended attribute "
1630 "region, but eCryptfs was mounted without "
1631 "xattr support enabled. eCryptfs will not treat "
1632 "this like an encrypted file.\n");
1633 rc = -EINVAL;
1634 }
1635 }
1636out:
1637 if (page_virt) {
1638 memset(page_virt, 0, PAGE_CACHE_SIZE);
1639 kmem_cache_free(ecryptfs_header_cache_1, page_virt);
1640 }
1641 return rc;
1642}
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653static int
1654ecryptfs_encrypt_filename(struct ecryptfs_filename *filename,
1655 struct ecryptfs_crypt_stat *crypt_stat,
1656 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
1657{
1658 int rc = 0;
1659
1660 filename->encrypted_filename = NULL;
1661 filename->encrypted_filename_size = 0;
1662 if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
1663 || (mount_crypt_stat && (mount_crypt_stat->flags
1664 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) {
1665 size_t packet_size;
1666 size_t remaining_bytes;
1667
1668 rc = ecryptfs_write_tag_70_packet(
1669 NULL, NULL,
1670 &filename->encrypted_filename_size,
1671 mount_crypt_stat, NULL,
1672 filename->filename_size);
1673 if (rc) {
1674 printk(KERN_ERR "%s: Error attempting to get packet "
1675 "size for tag 72; rc = [%d]\n", __func__,
1676 rc);
1677 filename->encrypted_filename_size = 0;
1678 goto out;
1679 }
1680 filename->encrypted_filename =
1681 kmalloc(filename->encrypted_filename_size, GFP_KERNEL);
1682 if (!filename->encrypted_filename) {
1683 printk(KERN_ERR "%s: Out of memory whilst attempting "
1684 "to kmalloc [%zd] bytes\n", __func__,
1685 filename->encrypted_filename_size);
1686 rc = -ENOMEM;
1687 goto out;
1688 }
1689 remaining_bytes = filename->encrypted_filename_size;
1690 rc = ecryptfs_write_tag_70_packet(filename->encrypted_filename,
1691 &remaining_bytes,
1692 &packet_size,
1693 mount_crypt_stat,
1694 filename->filename,
1695 filename->filename_size);
1696 if (rc) {
1697 printk(KERN_ERR "%s: Error attempting to generate "
1698 "tag 70 packet; rc = [%d]\n", __func__,
1699 rc);
1700 kfree(filename->encrypted_filename);
1701 filename->encrypted_filename = NULL;
1702 filename->encrypted_filename_size = 0;
1703 goto out;
1704 }
1705 filename->encrypted_filename_size = packet_size;
1706 } else {
1707 printk(KERN_ERR "%s: No support for requested filename "
1708 "encryption method in this release\n", __func__);
1709 rc = -EOPNOTSUPP;
1710 goto out;
1711 }
1712out:
1713 return rc;
1714}
1715
1716static int ecryptfs_copy_filename(char **copied_name, size_t *copied_name_size,
1717 const char *name, size_t name_size)
1718{
1719 int rc = 0;
1720
1721 (*copied_name) = kmalloc((name_size + 1), GFP_KERNEL);
1722 if (!(*copied_name)) {
1723 rc = -ENOMEM;
1724 goto out;
1725 }
1726 memcpy((void *)(*copied_name), (void *)name, name_size);
1727 (*copied_name)[(name_size)] = '\0';
1728
1729
1730
1731 (*copied_name_size) = name_size;
1732out:
1733 return rc;
1734}
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746static int
1747ecryptfs_process_key_cipher(struct crypto_blkcipher **key_tfm,
1748 char *cipher_name, size_t *key_size)
1749{
1750 char dummy_key[ECRYPTFS_MAX_KEY_BYTES];
1751 char *full_alg_name;
1752 int rc;
1753
1754 *key_tfm = NULL;
1755 if (*key_size > ECRYPTFS_MAX_KEY_BYTES) {
1756 rc = -EINVAL;
1757 printk(KERN_ERR "Requested key size is [%zd] bytes; maximum "
1758 "allowable is [%d]\n", *key_size, ECRYPTFS_MAX_KEY_BYTES);
1759 goto out;
1760 }
1761 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, cipher_name,
1762 "ecb");
1763 if (rc)
1764 goto out;
1765 *key_tfm = crypto_alloc_blkcipher(full_alg_name, 0, CRYPTO_ALG_ASYNC);
1766 kfree(full_alg_name);
1767 if (IS_ERR(*key_tfm)) {
1768 rc = PTR_ERR(*key_tfm);
1769 printk(KERN_ERR "Unable to allocate crypto cipher with name "
1770 "[%s]; rc = [%d]\n", full_alg_name, rc);
1771 goto out;
1772 }
1773 crypto_blkcipher_set_flags(*key_tfm, CRYPTO_TFM_REQ_WEAK_KEY);
1774 if (*key_size == 0) {
1775 struct blkcipher_alg *alg = crypto_blkcipher_alg(*key_tfm);
1776
1777 *key_size = alg->max_keysize;
1778 }
1779 get_random_bytes(dummy_key, *key_size);
1780 rc = crypto_blkcipher_setkey(*key_tfm, dummy_key, *key_size);
1781 if (rc) {
1782 printk(KERN_ERR "Error attempting to set key of size [%zd] for "
1783 "cipher [%s]; rc = [%d]\n", *key_size, full_alg_name,
1784 rc);
1785 rc = -EINVAL;
1786 goto out;
1787 }
1788out:
1789 return rc;
1790}
1791
1792struct kmem_cache *ecryptfs_key_tfm_cache;
1793static struct list_head key_tfm_list;
1794struct mutex key_tfm_list_mutex;
1795
1796int ecryptfs_init_crypto(void)
1797{
1798 mutex_init(&key_tfm_list_mutex);
1799 INIT_LIST_HEAD(&key_tfm_list);
1800 return 0;
1801}
1802
1803
1804
1805
1806
1807
1808int ecryptfs_destroy_crypto(void)
1809{
1810 struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp;
1811
1812 mutex_lock(&key_tfm_list_mutex);
1813 list_for_each_entry_safe(key_tfm, key_tfm_tmp, &key_tfm_list,
1814 key_tfm_list) {
1815 list_del(&key_tfm->key_tfm_list);
1816 if (key_tfm->key_tfm)
1817 crypto_free_blkcipher(key_tfm->key_tfm);
1818 kmem_cache_free(ecryptfs_key_tfm_cache, key_tfm);
1819 }
1820 mutex_unlock(&key_tfm_list_mutex);
1821 return 0;
1822}
1823
1824int
1825ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name,
1826 size_t key_size)
1827{
1828 struct ecryptfs_key_tfm *tmp_tfm;
1829 int rc = 0;
1830
1831 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1832
1833 tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL);
1834 if (key_tfm != NULL)
1835 (*key_tfm) = tmp_tfm;
1836 if (!tmp_tfm) {
1837 rc = -ENOMEM;
1838 printk(KERN_ERR "Error attempting to allocate from "
1839 "ecryptfs_key_tfm_cache\n");
1840 goto out;
1841 }
1842 mutex_init(&tmp_tfm->key_tfm_mutex);
1843 strncpy(tmp_tfm->cipher_name, cipher_name,
1844 ECRYPTFS_MAX_CIPHER_NAME_SIZE);
1845 tmp_tfm->cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0';
1846 tmp_tfm->key_size = key_size;
1847 rc = ecryptfs_process_key_cipher(&tmp_tfm->key_tfm,
1848 tmp_tfm->cipher_name,
1849 &tmp_tfm->key_size);
1850 if (rc) {
1851 printk(KERN_ERR "Error attempting to initialize key TFM "
1852 "cipher with name = [%s]; rc = [%d]\n",
1853 tmp_tfm->cipher_name, rc);
1854 kmem_cache_free(ecryptfs_key_tfm_cache, tmp_tfm);
1855 if (key_tfm != NULL)
1856 (*key_tfm) = NULL;
1857 goto out;
1858 }
1859 list_add(&tmp_tfm->key_tfm_list, &key_tfm_list);
1860out:
1861 return rc;
1862}
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874int ecryptfs_tfm_exists(char *cipher_name, struct ecryptfs_key_tfm **key_tfm)
1875{
1876 struct ecryptfs_key_tfm *tmp_key_tfm;
1877
1878 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1879
1880 list_for_each_entry(tmp_key_tfm, &key_tfm_list, key_tfm_list) {
1881 if (strcmp(tmp_key_tfm->cipher_name, cipher_name) == 0) {
1882 if (key_tfm)
1883 (*key_tfm) = tmp_key_tfm;
1884 return 1;
1885 }
1886 }
1887 if (key_tfm)
1888 (*key_tfm) = NULL;
1889 return 0;
1890}
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm,
1904 struct mutex **tfm_mutex,
1905 char *cipher_name)
1906{
1907 struct ecryptfs_key_tfm *key_tfm;
1908 int rc = 0;
1909
1910 (*tfm) = NULL;
1911 (*tfm_mutex) = NULL;
1912
1913 mutex_lock(&key_tfm_list_mutex);
1914 if (!ecryptfs_tfm_exists(cipher_name, &key_tfm)) {
1915 rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0);
1916 if (rc) {
1917 printk(KERN_ERR "Error adding new key_tfm to list; "
1918 "rc = [%d]\n", rc);
1919 goto out;
1920 }
1921 }
1922 (*tfm) = key_tfm->key_tfm;
1923 (*tfm_mutex) = &key_tfm->key_tfm_mutex;
1924out:
1925 mutex_unlock(&key_tfm_list_mutex);
1926 return rc;
1927}
1928
1929
1930static unsigned char *portable_filename_chars = ("-.0123456789ABCD"
1931 "EFGHIJKLMNOPQRST"
1932 "UVWXYZabcdefghij"
1933 "klmnopqrstuvwxyz");
1934
1935
1936
1937static const unsigned char filename_rev_map[] = {
1938 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1939 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1940 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1941 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1942 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1943 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1944 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
1945 0x0A, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1946 0x00, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12,
1947 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A,
1948 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22,
1949 0x23, 0x24, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00,
1950 0x00, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
1951 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
1952 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
1953 0x3D, 0x3E, 0x3F
1954};
1955
1956
1957
1958
1959
1960
1961
1962
1963void ecryptfs_encode_for_filename(unsigned char *dst, size_t *dst_size,
1964 unsigned char *src, size_t src_size)
1965{
1966 size_t num_blocks;
1967 size_t block_num = 0;
1968 size_t dst_offset = 0;
1969 unsigned char last_block[3];
1970
1971 if (src_size == 0) {
1972 (*dst_size) = 0;
1973 goto out;
1974 }
1975 num_blocks = (src_size / 3);
1976 if ((src_size % 3) == 0) {
1977 memcpy(last_block, (&src[src_size - 3]), 3);
1978 } else {
1979 num_blocks++;
1980 last_block[2] = 0x00;
1981 switch (src_size % 3) {
1982 case 1:
1983 last_block[0] = src[src_size - 1];
1984 last_block[1] = 0x00;
1985 break;
1986 case 2:
1987 last_block[0] = src[src_size - 2];
1988 last_block[1] = src[src_size - 1];
1989 }
1990 }
1991 (*dst_size) = (num_blocks * 4);
1992 if (!dst)
1993 goto out;
1994 while (block_num < num_blocks) {
1995 unsigned char *src_block;
1996 unsigned char dst_block[4];
1997
1998 if (block_num == (num_blocks - 1))
1999 src_block = last_block;
2000 else
2001 src_block = &src[block_num * 3];
2002 dst_block[0] = ((src_block[0] >> 2) & 0x3F);
2003 dst_block[1] = (((src_block[0] << 4) & 0x30)
2004 | ((src_block[1] >> 4) & 0x0F));
2005 dst_block[2] = (((src_block[1] << 2) & 0x3C)
2006 | ((src_block[2] >> 6) & 0x03));
2007 dst_block[3] = (src_block[2] & 0x3F);
2008 dst[dst_offset++] = portable_filename_chars[dst_block[0]];
2009 dst[dst_offset++] = portable_filename_chars[dst_block[1]];
2010 dst[dst_offset++] = portable_filename_chars[dst_block[2]];
2011 dst[dst_offset++] = portable_filename_chars[dst_block[3]];
2012 block_num++;
2013 }
2014out:
2015 return;
2016}
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027static void
2028ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
2029 const unsigned char *src, size_t src_size)
2030{
2031 u8 current_bit_offset = 0;
2032 size_t src_byte_offset = 0;
2033 size_t dst_byte_offset = 0;
2034
2035 if (dst == NULL) {
2036
2037
2038
2039
2040
2041
2042 (*dst_size) = (((src_size + 1) * 3) / 4);
2043 goto out;
2044 }
2045 while (src_byte_offset < src_size) {
2046 unsigned char src_byte =
2047 filename_rev_map[(int)src[src_byte_offset]];
2048
2049 switch (current_bit_offset) {
2050 case 0:
2051 dst[dst_byte_offset] = (src_byte << 2);
2052 current_bit_offset = 6;
2053 break;
2054 case 6:
2055 dst[dst_byte_offset++] |= (src_byte >> 4);
2056 dst[dst_byte_offset] = ((src_byte & 0xF)
2057 << 4);
2058 current_bit_offset = 4;
2059 break;
2060 case 4:
2061 dst[dst_byte_offset++] |= (src_byte >> 2);
2062 dst[dst_byte_offset] = (src_byte << 6);
2063 current_bit_offset = 2;
2064 break;
2065 case 2:
2066 dst[dst_byte_offset++] |= (src_byte);
2067 dst[dst_byte_offset] = 0;
2068 current_bit_offset = 0;
2069 break;
2070 }
2071 src_byte_offset++;
2072 }
2073 (*dst_size) = dst_byte_offset;
2074out:
2075 return;
2076}
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093int ecryptfs_encrypt_and_encode_filename(
2094 char **encoded_name,
2095 size_t *encoded_name_size,
2096 struct ecryptfs_crypt_stat *crypt_stat,
2097 struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
2098 const char *name, size_t name_size)
2099{
2100 size_t encoded_name_no_prefix_size;
2101 int rc = 0;
2102
2103 (*encoded_name) = NULL;
2104 (*encoded_name_size) = 0;
2105 if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCRYPT_FILENAMES))
2106 || (mount_crypt_stat && (mount_crypt_stat->flags
2107 & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES))) {
2108 struct ecryptfs_filename *filename;
2109
2110 filename = kzalloc(sizeof(*filename), GFP_KERNEL);
2111 if (!filename) {
2112 printk(KERN_ERR "%s: Out of memory whilst attempting "
2113 "to kzalloc [%zd] bytes\n", __func__,
2114 sizeof(*filename));
2115 rc = -ENOMEM;
2116 goto out;
2117 }
2118 filename->filename = (char *)name;
2119 filename->filename_size = name_size;
2120 rc = ecryptfs_encrypt_filename(filename, crypt_stat,
2121 mount_crypt_stat);
2122 if (rc) {
2123 printk(KERN_ERR "%s: Error attempting to encrypt "
2124 "filename; rc = [%d]\n", __func__, rc);
2125 kfree(filename);
2126 goto out;
2127 }
2128 ecryptfs_encode_for_filename(
2129 NULL, &encoded_name_no_prefix_size,
2130 filename->encrypted_filename,
2131 filename->encrypted_filename_size);
2132 if ((crypt_stat && (crypt_stat->flags
2133 & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
2134 || (mount_crypt_stat
2135 && (mount_crypt_stat->flags
2136 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)))
2137 (*encoded_name_size) =
2138 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
2139 + encoded_name_no_prefix_size);
2140 else
2141 (*encoded_name_size) =
2142 (ECRYPTFS_FEK_ENCRYPTED_FILENAME_PREFIX_SIZE
2143 + encoded_name_no_prefix_size);
2144 (*encoded_name) = kmalloc((*encoded_name_size) + 1, GFP_KERNEL);
2145 if (!(*encoded_name)) {
2146 printk(KERN_ERR "%s: Out of memory whilst attempting "
2147 "to kzalloc [%zd] bytes\n", __func__,
2148 (*encoded_name_size));
2149 rc = -ENOMEM;
2150 kfree(filename->encrypted_filename);
2151 kfree(filename);
2152 goto out;
2153 }
2154 if ((crypt_stat && (crypt_stat->flags
2155 & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
2156 || (mount_crypt_stat
2157 && (mount_crypt_stat->flags
2158 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) {
2159 memcpy((*encoded_name),
2160 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
2161 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE);
2162 ecryptfs_encode_for_filename(
2163 ((*encoded_name)
2164 + ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE),
2165 &encoded_name_no_prefix_size,
2166 filename->encrypted_filename,
2167 filename->encrypted_filename_size);
2168 (*encoded_name_size) =
2169 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
2170 + encoded_name_no_prefix_size);
2171 (*encoded_name)[(*encoded_name_size)] = '\0';
2172 (*encoded_name_size)++;
2173 } else {
2174 rc = -EOPNOTSUPP;
2175 }
2176 if (rc) {
2177 printk(KERN_ERR "%s: Error attempting to encode "
2178 "encrypted filename; rc = [%d]\n", __func__,
2179 rc);
2180 kfree((*encoded_name));
2181 (*encoded_name) = NULL;
2182 (*encoded_name_size) = 0;
2183 }
2184 kfree(filename->encrypted_filename);
2185 kfree(filename);
2186 } else {
2187 rc = ecryptfs_copy_filename(encoded_name,
2188 encoded_name_size,
2189 name, name_size);
2190 }
2191out:
2192 return rc;
2193}
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207int ecryptfs_decode_and_decrypt_filename(char **plaintext_name,
2208 size_t *plaintext_name_size,
2209 struct dentry *ecryptfs_dir_dentry,
2210 const char *name, size_t name_size)
2211{
2212 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
2213 &ecryptfs_superblock_to_private(
2214 ecryptfs_dir_dentry->d_sb)->mount_crypt_stat;
2215 char *decoded_name;
2216 size_t decoded_name_size;
2217 size_t packet_size;
2218 int rc = 0;
2219
2220 if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)
2221 && !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
2222 && (name_size > ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE)
2223 && (strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
2224 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) == 0)) {
2225 const char *orig_name = name;
2226 size_t orig_name_size = name_size;
2227
2228 name += ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2229 name_size -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2230 ecryptfs_decode_from_filename(NULL, &decoded_name_size,
2231 name, name_size);
2232 decoded_name = kmalloc(decoded_name_size, GFP_KERNEL);
2233 if (!decoded_name) {
2234 printk(KERN_ERR "%s: Out of memory whilst attempting "
2235 "to kmalloc [%zd] bytes\n", __func__,
2236 decoded_name_size);
2237 rc = -ENOMEM;
2238 goto out;
2239 }
2240 ecryptfs_decode_from_filename(decoded_name, &decoded_name_size,
2241 name, name_size);
2242 rc = ecryptfs_parse_tag_70_packet(plaintext_name,
2243 plaintext_name_size,
2244 &packet_size,
2245 mount_crypt_stat,
2246 decoded_name,
2247 decoded_name_size);
2248 if (rc) {
2249 printk(KERN_INFO "%s: Could not parse tag 70 packet "
2250 "from filename; copying through filename "
2251 "as-is\n", __func__);
2252 rc = ecryptfs_copy_filename(plaintext_name,
2253 plaintext_name_size,
2254 orig_name, orig_name_size);
2255 goto out_free;
2256 }
2257 } else {
2258 rc = ecryptfs_copy_filename(plaintext_name,
2259 plaintext_name_size,
2260 name, name_size);
2261 goto out;
2262 }
2263out_free:
2264 kfree(decoded_name);
2265out:
2266 return rc;
2267}
2268