1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26#include <linux/fs.h>
27#include <linux/mount.h>
28#include <linux/pagemap.h>
29#include <linux/random.h>
30#include <linux/compiler.h>
31#include <linux/key.h>
32#include <linux/namei.h>
33#include <linux/crypto.h>
34#include <linux/file.h>
35#include <linux/scatterlist.h>
36#include <linux/slab.h>
37#include <asm/unaligned.h>
38#include "ecryptfs_kernel.h"
39
40static int
41ecryptfs_decrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat,
42 struct page *dst_page, int dst_offset,
43 struct page *src_page, int src_offset, int size,
44 unsigned char *iv);
45static int
46ecryptfs_encrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat,
47 struct page *dst_page, int dst_offset,
48 struct page *src_page, int src_offset, int size,
49 unsigned char *iv);
50
51
52
53
54
55
56
57
58void ecryptfs_to_hex(char *dst, char *src, size_t src_size)
59{
60 int x;
61
62 for (x = 0; x < src_size; x++)
63 sprintf(&dst[x * 2], "%.2x", (unsigned char)src[x]);
64}
65
66
67
68
69
70
71
72
73void ecryptfs_from_hex(char *dst, char *src, int dst_size)
74{
75 int x;
76 char tmp[3] = { 0, };
77
78 for (x = 0; x < dst_size; x++) {
79 tmp[0] = src[x * 2];
80 tmp[1] = src[x * 2 + 1];
81 dst[x] = (unsigned char)simple_strtol(tmp, NULL, 16);
82 }
83}
84
85
86
87
88
89
90
91
92
93
94
95static int ecryptfs_calculate_md5(char *dst,
96 struct ecryptfs_crypt_stat *crypt_stat,
97 char *src, int len)
98{
99 struct scatterlist sg;
100 struct hash_desc desc = {
101 .tfm = crypt_stat->hash_tfm,
102 .flags = CRYPTO_TFM_REQ_MAY_SLEEP
103 };
104 int rc = 0;
105
106 mutex_lock(&crypt_stat->cs_hash_tfm_mutex);
107 sg_init_one(&sg, (u8 *)src, len);
108 if (!desc.tfm) {
109 desc.tfm = crypto_alloc_hash(ECRYPTFS_DEFAULT_HASH, 0,
110 CRYPTO_ALG_ASYNC);
111 if (IS_ERR(desc.tfm)) {
112 rc = PTR_ERR(desc.tfm);
113 ecryptfs_printk(KERN_ERR, "Error attempting to "
114 "allocate crypto context; rc = [%d]\n",
115 rc);
116 goto out;
117 }
118 crypt_stat->hash_tfm = desc.tfm;
119 }
120 rc = crypto_hash_init(&desc);
121 if (rc) {
122 printk(KERN_ERR
123 "%s: Error initializing crypto hash; rc = [%d]\n",
124 __func__, rc);
125 goto out;
126 }
127 rc = crypto_hash_update(&desc, &sg, len);
128 if (rc) {
129 printk(KERN_ERR
130 "%s: Error updating crypto hash; rc = [%d]\n",
131 __func__, rc);
132 goto out;
133 }
134 rc = crypto_hash_final(&desc, dst);
135 if (rc) {
136 printk(KERN_ERR
137 "%s: Error finalizing crypto hash; rc = [%d]\n",
138 __func__, rc);
139 goto out;
140 }
141out:
142 mutex_unlock(&crypt_stat->cs_hash_tfm_mutex);
143 return rc;
144}
145
146static int ecryptfs_crypto_api_algify_cipher_name(char **algified_name,
147 char *cipher_name,
148 char *chaining_modifier)
149{
150 int cipher_name_len = strlen(cipher_name);
151 int chaining_modifier_len = strlen(chaining_modifier);
152 int algified_name_len;
153 int rc;
154
155 algified_name_len = (chaining_modifier_len + cipher_name_len + 3);
156 (*algified_name) = kmalloc(algified_name_len, GFP_KERNEL);
157 if (!(*algified_name)) {
158 rc = -ENOMEM;
159 goto out;
160 }
161 snprintf((*algified_name), algified_name_len, "%s(%s)",
162 chaining_modifier, cipher_name);
163 rc = 0;
164out:
165 return rc;
166}
167
168
169
170
171
172
173
174
175
176
177
178
179int ecryptfs_derive_iv(char *iv, struct ecryptfs_crypt_stat *crypt_stat,
180 loff_t offset)
181{
182 int rc = 0;
183 char dst[MD5_DIGEST_SIZE];
184 char src[ECRYPTFS_MAX_IV_BYTES + 16];
185
186 if (unlikely(ecryptfs_verbosity > 0)) {
187 ecryptfs_printk(KERN_DEBUG, "root iv:\n");
188 ecryptfs_dump_hex(crypt_stat->root_iv, crypt_stat->iv_bytes);
189 }
190
191
192
193
194 memcpy(src, crypt_stat->root_iv, crypt_stat->iv_bytes);
195 memset((src + crypt_stat->iv_bytes), 0, 16);
196 snprintf((src + crypt_stat->iv_bytes), 16, "%lld", offset);
197 if (unlikely(ecryptfs_verbosity > 0)) {
198 ecryptfs_printk(KERN_DEBUG, "source:\n");
199 ecryptfs_dump_hex(src, (crypt_stat->iv_bytes + 16));
200 }
201 rc = ecryptfs_calculate_md5(dst, crypt_stat, src,
202 (crypt_stat->iv_bytes + 16));
203 if (rc) {
204 ecryptfs_printk(KERN_WARNING, "Error attempting to compute "
205 "MD5 while generating IV for a page\n");
206 goto out;
207 }
208 memcpy(iv, dst, crypt_stat->iv_bytes);
209 if (unlikely(ecryptfs_verbosity > 0)) {
210 ecryptfs_printk(KERN_DEBUG, "derived iv:\n");
211 ecryptfs_dump_hex(iv, crypt_stat->iv_bytes);
212 }
213out:
214 return rc;
215}
216
217
218
219
220
221
222
223void
224ecryptfs_init_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat)
225{
226 memset((void *)crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));
227 INIT_LIST_HEAD(&crypt_stat->keysig_list);
228 mutex_init(&crypt_stat->keysig_list_mutex);
229 mutex_init(&crypt_stat->cs_mutex);
230 mutex_init(&crypt_stat->cs_tfm_mutex);
231 mutex_init(&crypt_stat->cs_hash_tfm_mutex);
232 crypt_stat->flags |= ECRYPTFS_STRUCT_INITIALIZED;
233}
234
235
236
237
238
239
240
241void ecryptfs_destroy_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat)
242{
243 struct ecryptfs_key_sig *key_sig, *key_sig_tmp;
244
245 if (crypt_stat->tfm)
246 crypto_free_ablkcipher(crypt_stat->tfm);
247 if (crypt_stat->hash_tfm)
248 crypto_free_hash(crypt_stat->hash_tfm);
249 list_for_each_entry_safe(key_sig, key_sig_tmp,
250 &crypt_stat->keysig_list, crypt_stat_list) {
251 list_del(&key_sig->crypt_stat_list);
252 kmem_cache_free(ecryptfs_key_sig_cache, key_sig);
253 }
254 memset(crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));
255}
256
257void ecryptfs_destroy_mount_crypt_stat(
258 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
259{
260 struct ecryptfs_global_auth_tok *auth_tok, *auth_tok_tmp;
261
262 if (!(mount_crypt_stat->flags & ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED))
263 return;
264 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
265 list_for_each_entry_safe(auth_tok, auth_tok_tmp,
266 &mount_crypt_stat->global_auth_tok_list,
267 mount_crypt_stat_list) {
268 list_del(&auth_tok->mount_crypt_stat_list);
269 if (auth_tok->global_auth_tok_key
270 && !(auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID))
271 key_put(auth_tok->global_auth_tok_key);
272 kmem_cache_free(ecryptfs_global_auth_tok_cache, auth_tok);
273 }
274 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
275 memset(mount_crypt_stat, 0, sizeof(struct ecryptfs_mount_crypt_stat));
276}
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291int virt_to_scatterlist(const void *addr, int size, struct scatterlist *sg,
292 int sg_size)
293{
294 int i = 0;
295 struct page *pg;
296 int offset;
297 int remainder_of_page;
298
299 sg_init_table(sg, sg_size);
300
301 while (size > 0 && i < sg_size) {
302 pg = virt_to_page(addr);
303 offset = offset_in_page(addr);
304 sg_set_page(&sg[i], pg, 0, offset);
305 remainder_of_page = PAGE_CACHE_SIZE - offset;
306 if (size >= remainder_of_page) {
307 sg[i].length = remainder_of_page;
308 addr += remainder_of_page;
309 size -= remainder_of_page;
310 } else {
311 sg[i].length = size;
312 addr += size;
313 size = 0;
314 }
315 i++;
316 }
317 if (size > 0)
318 return -ENOMEM;
319 return i;
320}
321
322struct extent_crypt_result {
323 struct completion completion;
324 int rc;
325};
326
327static void extent_crypt_complete(struct crypto_async_request *req, int rc)
328{
329 struct extent_crypt_result *ecr = req->data;
330
331 if (rc == -EINPROGRESS)
332 return;
333
334 ecr->rc = rc;
335 complete(&ecr->completion);
336}
337
338
339
340
341
342
343
344
345
346
347
348static int encrypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat,
349 struct scatterlist *dest_sg,
350 struct scatterlist *src_sg, int size,
351 unsigned char *iv)
352{
353 struct ablkcipher_request *req = NULL;
354 struct extent_crypt_result ecr;
355 int rc = 0;
356
357 BUG_ON(!crypt_stat || !crypt_stat->tfm
358 || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED));
359 if (unlikely(ecryptfs_verbosity > 0)) {
360 ecryptfs_printk(KERN_DEBUG, "Key size [%zd]; key:\n",
361 crypt_stat->key_size);
362 ecryptfs_dump_hex(crypt_stat->key,
363 crypt_stat->key_size);
364 }
365
366 init_completion(&ecr.completion);
367
368 mutex_lock(&crypt_stat->cs_tfm_mutex);
369 req = ablkcipher_request_alloc(crypt_stat->tfm, GFP_NOFS);
370 if (!req) {
371 mutex_unlock(&crypt_stat->cs_tfm_mutex);
372 rc = -ENOMEM;
373 goto out;
374 }
375
376 ablkcipher_request_set_callback(req,
377 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
378 extent_crypt_complete, &ecr);
379
380 if (!(crypt_stat->flags & ECRYPTFS_KEY_SET)) {
381 rc = crypto_ablkcipher_setkey(crypt_stat->tfm, crypt_stat->key,
382 crypt_stat->key_size);
383 if (rc) {
384 ecryptfs_printk(KERN_ERR,
385 "Error setting key; rc = [%d]\n",
386 rc);
387 mutex_unlock(&crypt_stat->cs_tfm_mutex);
388 rc = -EINVAL;
389 goto out;
390 }
391 crypt_stat->flags |= ECRYPTFS_KEY_SET;
392 }
393 mutex_unlock(&crypt_stat->cs_tfm_mutex);
394 ecryptfs_printk(KERN_DEBUG, "Encrypting [%d] bytes.\n", size);
395 ablkcipher_request_set_crypt(req, src_sg, dest_sg, size, iv);
396 rc = crypto_ablkcipher_encrypt(req);
397 if (rc == -EINPROGRESS || rc == -EBUSY) {
398 struct extent_crypt_result *ecr = req->base.data;
399
400 wait_for_completion(&ecr->completion);
401 rc = ecr->rc;
402 INIT_COMPLETION(ecr->completion);
403 }
404out:
405 ablkcipher_request_free(req);
406 return rc;
407}
408
409
410
411
412
413
414static void ecryptfs_lower_offset_for_extent(loff_t *offset, loff_t extent_num,
415 struct ecryptfs_crypt_stat *crypt_stat)
416{
417 (*offset) = ecryptfs_lower_header_size(crypt_stat)
418 + (crypt_stat->extent_size * extent_num);
419}
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434static int ecryptfs_encrypt_extent(struct page *enc_extent_page,
435 struct ecryptfs_crypt_stat *crypt_stat,
436 struct page *page,
437 unsigned long extent_offset)
438{
439 loff_t extent_base;
440 char extent_iv[ECRYPTFS_MAX_IV_BYTES];
441 int rc;
442
443 extent_base = (((loff_t)page->index)
444 * (PAGE_CACHE_SIZE / crypt_stat->extent_size));
445 rc = ecryptfs_derive_iv(extent_iv, crypt_stat,
446 (extent_base + extent_offset));
447 if (rc) {
448 ecryptfs_printk(KERN_ERR, "Error attempting to derive IV for "
449 "extent [0x%.16llx]; rc = [%d]\n",
450 (unsigned long long)(extent_base + extent_offset), rc);
451 goto out;
452 }
453 rc = ecryptfs_encrypt_page_offset(crypt_stat, enc_extent_page, 0,
454 page, (extent_offset
455 * crypt_stat->extent_size),
456 crypt_stat->extent_size, extent_iv);
457 if (rc < 0) {
458 printk(KERN_ERR "%s: Error attempting to encrypt page with "
459 "page->index = [%ld], extent_offset = [%ld]; "
460 "rc = [%d]\n", __func__, page->index, extent_offset,
461 rc);
462 goto out;
463 }
464 rc = 0;
465out:
466 return rc;
467}
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485int ecryptfs_encrypt_page(struct page *page)
486{
487 struct inode *ecryptfs_inode;
488 struct ecryptfs_crypt_stat *crypt_stat;
489 char *enc_extent_virt;
490 struct page *enc_extent_page = NULL;
491 loff_t extent_offset;
492 int rc = 0;
493
494 ecryptfs_inode = page->mapping->host;
495 crypt_stat =
496 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
497 BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED));
498 enc_extent_page = alloc_page(GFP_USER);
499 if (!enc_extent_page) {
500 rc = -ENOMEM;
501 ecryptfs_printk(KERN_ERR, "Error allocating memory for "
502 "encrypted extent\n");
503 goto out;
504 }
505 enc_extent_virt = kmap(enc_extent_page);
506 for (extent_offset = 0;
507 extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size);
508 extent_offset++) {
509 loff_t offset;
510
511 rc = ecryptfs_encrypt_extent(enc_extent_page, crypt_stat, page,
512 extent_offset);
513 if (rc) {
514 printk(KERN_ERR "%s: Error encrypting extent; "
515 "rc = [%d]\n", __func__, rc);
516 goto out;
517 }
518 ecryptfs_lower_offset_for_extent(
519 &offset, ((((loff_t)page->index)
520 * (PAGE_CACHE_SIZE
521 / crypt_stat->extent_size))
522 + extent_offset), crypt_stat);
523 rc = ecryptfs_write_lower(ecryptfs_inode, enc_extent_virt,
524 offset, crypt_stat->extent_size);
525 if (rc < 0) {
526 ecryptfs_printk(KERN_ERR, "Error attempting "
527 "to write lower page; rc = [%d]"
528 "\n", rc);
529 goto out;
530 }
531 }
532 rc = 0;
533out:
534 if (enc_extent_page) {
535 kunmap(enc_extent_page);
536 __free_page(enc_extent_page);
537 }
538 return rc;
539}
540
541static int ecryptfs_decrypt_extent(struct page *page,
542 struct ecryptfs_crypt_stat *crypt_stat,
543 struct page *enc_extent_page,
544 unsigned long extent_offset)
545{
546 loff_t extent_base;
547 char extent_iv[ECRYPTFS_MAX_IV_BYTES];
548 int rc;
549
550 extent_base = (((loff_t)page->index)
551 * (PAGE_CACHE_SIZE / crypt_stat->extent_size));
552 rc = ecryptfs_derive_iv(extent_iv, crypt_stat,
553 (extent_base + extent_offset));
554 if (rc) {
555 ecryptfs_printk(KERN_ERR, "Error attempting to derive IV for "
556 "extent [0x%.16llx]; rc = [%d]\n",
557 (unsigned long long)(extent_base + extent_offset), rc);
558 goto out;
559 }
560 rc = ecryptfs_decrypt_page_offset(crypt_stat, page,
561 (extent_offset
562 * crypt_stat->extent_size),
563 enc_extent_page, 0,
564 crypt_stat->extent_size, extent_iv);
565 if (rc < 0) {
566 printk(KERN_ERR "%s: Error attempting to decrypt to page with "
567 "page->index = [%ld], extent_offset = [%ld]; "
568 "rc = [%d]\n", __func__, page->index, extent_offset,
569 rc);
570 goto out;
571 }
572 rc = 0;
573out:
574 return rc;
575}
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593int ecryptfs_decrypt_page(struct page *page)
594{
595 struct inode *ecryptfs_inode;
596 struct ecryptfs_crypt_stat *crypt_stat;
597 char *enc_extent_virt;
598 struct page *enc_extent_page = NULL;
599 unsigned long extent_offset;
600 int rc = 0;
601
602 ecryptfs_inode = page->mapping->host;
603 crypt_stat =
604 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
605 BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED));
606 enc_extent_page = alloc_page(GFP_USER);
607 if (!enc_extent_page) {
608 rc = -ENOMEM;
609 ecryptfs_printk(KERN_ERR, "Error allocating memory for "
610 "encrypted extent\n");
611 goto out;
612 }
613 enc_extent_virt = kmap(enc_extent_page);
614 for (extent_offset = 0;
615 extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size);
616 extent_offset++) {
617 loff_t offset;
618
619 ecryptfs_lower_offset_for_extent(
620 &offset, ((page->index * (PAGE_CACHE_SIZE
621 / crypt_stat->extent_size))
622 + extent_offset), crypt_stat);
623 rc = ecryptfs_read_lower(enc_extent_virt, offset,
624 crypt_stat->extent_size,
625 ecryptfs_inode);
626 if (rc < 0) {
627 ecryptfs_printk(KERN_ERR, "Error attempting "
628 "to read lower page; rc = [%d]"
629 "\n", rc);
630 goto out;
631 }
632 rc = ecryptfs_decrypt_extent(page, crypt_stat, enc_extent_page,
633 extent_offset);
634 if (rc) {
635 printk(KERN_ERR "%s: Error encrypting extent; "
636 "rc = [%d]\n", __func__, rc);
637 goto out;
638 }
639 }
640out:
641 if (enc_extent_page) {
642 kunmap(enc_extent_page);
643 __free_page(enc_extent_page);
644 }
645 return rc;
646}
647
648
649
650
651
652
653
654
655
656
657
658static int decrypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat,
659 struct scatterlist *dest_sg,
660 struct scatterlist *src_sg, int size,
661 unsigned char *iv)
662{
663 struct ablkcipher_request *req = NULL;
664 struct extent_crypt_result ecr;
665 int rc = 0;
666
667 BUG_ON(!crypt_stat || !crypt_stat->tfm
668 || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED));
669 if (unlikely(ecryptfs_verbosity > 0)) {
670 ecryptfs_printk(KERN_DEBUG, "Key size [%zd]; key:\n",
671 crypt_stat->key_size);
672 ecryptfs_dump_hex(crypt_stat->key,
673 crypt_stat->key_size);
674 }
675
676 init_completion(&ecr.completion);
677
678 mutex_lock(&crypt_stat->cs_tfm_mutex);
679 req = ablkcipher_request_alloc(crypt_stat->tfm, GFP_NOFS);
680 if (!req) {
681 mutex_unlock(&crypt_stat->cs_tfm_mutex);
682 rc = -ENOMEM;
683 goto out;
684 }
685
686 ablkcipher_request_set_callback(req,
687 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
688 extent_crypt_complete, &ecr);
689
690 if (!(crypt_stat->flags & ECRYPTFS_KEY_SET)) {
691 rc = crypto_ablkcipher_setkey(crypt_stat->tfm, crypt_stat->key,
692 crypt_stat->key_size);
693 if (rc) {
694 ecryptfs_printk(KERN_ERR,
695 "Error setting key; rc = [%d]\n",
696 rc);
697 mutex_unlock(&crypt_stat->cs_tfm_mutex);
698 rc = -EINVAL;
699 goto out;
700 }
701 crypt_stat->flags |= ECRYPTFS_KEY_SET;
702 }
703 mutex_unlock(&crypt_stat->cs_tfm_mutex);
704 ecryptfs_printk(KERN_DEBUG, "Decrypting [%d] bytes.\n", size);
705 ablkcipher_request_set_crypt(req, src_sg, dest_sg, size, iv);
706 rc = crypto_ablkcipher_decrypt(req);
707 if (rc == -EINPROGRESS || rc == -EBUSY) {
708 struct extent_crypt_result *ecr = req->base.data;
709
710 wait_for_completion(&ecr->completion);
711 rc = ecr->rc;
712 INIT_COMPLETION(ecr->completion);
713 }
714out:
715 ablkcipher_request_free(req);
716 return rc;
717
718}
719
720
721
722
723
724
725
726
727
728
729
730
731
732static int
733ecryptfs_encrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat,
734 struct page *dst_page, int dst_offset,
735 struct page *src_page, int src_offset, int size,
736 unsigned char *iv)
737{
738 struct scatterlist src_sg, dst_sg;
739
740 sg_init_table(&src_sg, 1);
741 sg_init_table(&dst_sg, 1);
742
743 sg_set_page(&src_sg, src_page, size, src_offset);
744 sg_set_page(&dst_sg, dst_page, size, dst_offset);
745 return encrypt_scatterlist(crypt_stat, &dst_sg, &src_sg, size, iv);
746}
747
748
749
750
751
752
753
754
755
756
757
758
759
760static int
761ecryptfs_decrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat,
762 struct page *dst_page, int dst_offset,
763 struct page *src_page, int src_offset, int size,
764 unsigned char *iv)
765{
766 struct scatterlist src_sg, dst_sg;
767
768 sg_init_table(&src_sg, 1);
769 sg_set_page(&src_sg, src_page, size, src_offset);
770
771 sg_init_table(&dst_sg, 1);
772 sg_set_page(&dst_sg, dst_page, size, dst_offset);
773
774 return decrypt_scatterlist(crypt_stat, &dst_sg, &src_sg, size, iv);
775}
776
777#define ECRYPTFS_MAX_SCATTERLIST_LEN 4
778
779
780
781
782
783
784
785
786
787
788int ecryptfs_init_crypt_ctx(struct ecryptfs_crypt_stat *crypt_stat)
789{
790 char *full_alg_name;
791 int rc = -EINVAL;
792
793 if (!crypt_stat->cipher) {
794 ecryptfs_printk(KERN_ERR, "No cipher specified\n");
795 goto out;
796 }
797 ecryptfs_printk(KERN_DEBUG,
798 "Initializing cipher [%s]; strlen = [%d]; "
799 "key_size_bits = [%zd]\n",
800 crypt_stat->cipher, (int)strlen(crypt_stat->cipher),
801 crypt_stat->key_size << 3);
802 if (crypt_stat->tfm) {
803 rc = 0;
804 goto out;
805 }
806 mutex_lock(&crypt_stat->cs_tfm_mutex);
807 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name,
808 crypt_stat->cipher, "cbc");
809 if (rc)
810 goto out_unlock;
811 crypt_stat->tfm = crypto_alloc_ablkcipher(full_alg_name, 0, 0);
812 kfree(full_alg_name);
813 if (IS_ERR(crypt_stat->tfm)) {
814 rc = PTR_ERR(crypt_stat->tfm);
815 crypt_stat->tfm = NULL;
816 ecryptfs_printk(KERN_ERR, "cryptfs: init_crypt_ctx(): "
817 "Error initializing cipher [%s]\n",
818 crypt_stat->cipher);
819 goto out_unlock;
820 }
821 crypto_ablkcipher_set_flags(crypt_stat->tfm, CRYPTO_TFM_REQ_WEAK_KEY);
822 rc = 0;
823out_unlock:
824 mutex_unlock(&crypt_stat->cs_tfm_mutex);
825out:
826 return rc;
827}
828
829static void set_extent_mask_and_shift(struct ecryptfs_crypt_stat *crypt_stat)
830{
831 int extent_size_tmp;
832
833 crypt_stat->extent_mask = 0xFFFFFFFF;
834 crypt_stat->extent_shift = 0;
835 if (crypt_stat->extent_size == 0)
836 return;
837 extent_size_tmp = crypt_stat->extent_size;
838 while ((extent_size_tmp & 0x01) == 0) {
839 extent_size_tmp >>= 1;
840 crypt_stat->extent_mask <<= 1;
841 crypt_stat->extent_shift++;
842 }
843}
844
845void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat)
846{
847
848
849 crypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE;
850 set_extent_mask_and_shift(crypt_stat);
851 crypt_stat->iv_bytes = ECRYPTFS_DEFAULT_IV_BYTES;
852 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
853 crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
854 else {
855 if (PAGE_CACHE_SIZE <= ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)
856 crypt_stat->metadata_size =
857 ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
858 else
859 crypt_stat->metadata_size = PAGE_CACHE_SIZE;
860 }
861}
862
863
864
865
866
867
868
869int ecryptfs_compute_root_iv(struct ecryptfs_crypt_stat *crypt_stat)
870{
871 int rc = 0;
872 char dst[MD5_DIGEST_SIZE];
873
874 BUG_ON(crypt_stat->iv_bytes > MD5_DIGEST_SIZE);
875 BUG_ON(crypt_stat->iv_bytes <= 0);
876 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {
877 rc = -EINVAL;
878 ecryptfs_printk(KERN_WARNING, "Session key not valid; "
879 "cannot generate root IV\n");
880 goto out;
881 }
882 rc = ecryptfs_calculate_md5(dst, crypt_stat, crypt_stat->key,
883 crypt_stat->key_size);
884 if (rc) {
885 ecryptfs_printk(KERN_WARNING, "Error attempting to compute "
886 "MD5 while generating root IV\n");
887 goto out;
888 }
889 memcpy(crypt_stat->root_iv, dst, crypt_stat->iv_bytes);
890out:
891 if (rc) {
892 memset(crypt_stat->root_iv, 0, crypt_stat->iv_bytes);
893 crypt_stat->flags |= ECRYPTFS_SECURITY_WARNING;
894 }
895 return rc;
896}
897
898static void ecryptfs_generate_new_key(struct ecryptfs_crypt_stat *crypt_stat)
899{
900 get_random_bytes(crypt_stat->key, crypt_stat->key_size);
901 crypt_stat->flags |= ECRYPTFS_KEY_VALID;
902 ecryptfs_compute_root_iv(crypt_stat);
903 if (unlikely(ecryptfs_verbosity > 0)) {
904 ecryptfs_printk(KERN_DEBUG, "Generated new session key:\n");
905 ecryptfs_dump_hex(crypt_stat->key,
906 crypt_stat->key_size);
907 }
908}
909
910
911
912
913
914
915
916
917
918static void ecryptfs_copy_mount_wide_flags_to_inode_flags(
919 struct ecryptfs_crypt_stat *crypt_stat,
920 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
921{
922 if (mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED)
923 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
924 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
925 crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED;
926 if (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) {
927 crypt_stat->flags |= ECRYPTFS_ENCRYPT_FILENAMES;
928 if (mount_crypt_stat->flags
929 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)
930 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_MOUNT_FNEK;
931 else if (mount_crypt_stat->flags
932 & ECRYPTFS_GLOBAL_ENCFN_USE_FEK)
933 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_FEK;
934 }
935}
936
937static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs(
938 struct ecryptfs_crypt_stat *crypt_stat,
939 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
940{
941 struct ecryptfs_global_auth_tok *global_auth_tok;
942 int rc = 0;
943
944 mutex_lock(&crypt_stat->keysig_list_mutex);
945 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
946
947 list_for_each_entry(global_auth_tok,
948 &mount_crypt_stat->global_auth_tok_list,
949 mount_crypt_stat_list) {
950 if (global_auth_tok->flags & ECRYPTFS_AUTH_TOK_FNEK)
951 continue;
952 rc = ecryptfs_add_keysig(crypt_stat, global_auth_tok->sig);
953 if (rc) {
954 printk(KERN_ERR "Error adding keysig; rc = [%d]\n", rc);
955 goto out;
956 }
957 }
958
959out:
960 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
961 mutex_unlock(&crypt_stat->keysig_list_mutex);
962 return rc;
963}
964
965
966
967
968
969
970
971
972static void ecryptfs_set_default_crypt_stat_vals(
973 struct ecryptfs_crypt_stat *crypt_stat,
974 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
975{
976 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
977 mount_crypt_stat);
978 ecryptfs_set_default_sizes(crypt_stat);
979 strcpy(crypt_stat->cipher, ECRYPTFS_DEFAULT_CIPHER);
980 crypt_stat->key_size = ECRYPTFS_DEFAULT_KEY_BYTES;
981 crypt_stat->flags &= ~(ECRYPTFS_KEY_VALID);
982 crypt_stat->file_version = ECRYPTFS_FILE_VERSION;
983 crypt_stat->mount_crypt_stat = mount_crypt_stat;
984}
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005int ecryptfs_new_file_context(struct inode *ecryptfs_inode)
1006{
1007 struct ecryptfs_crypt_stat *crypt_stat =
1008 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
1009 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
1010 &ecryptfs_superblock_to_private(
1011 ecryptfs_inode->i_sb)->mount_crypt_stat;
1012 int cipher_name_len;
1013 int rc = 0;
1014
1015 ecryptfs_set_default_crypt_stat_vals(crypt_stat, mount_crypt_stat);
1016 crypt_stat->flags |= (ECRYPTFS_ENCRYPTED | ECRYPTFS_KEY_VALID);
1017 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
1018 mount_crypt_stat);
1019 rc = ecryptfs_copy_mount_wide_sigs_to_inode_sigs(crypt_stat,
1020 mount_crypt_stat);
1021 if (rc) {
1022 printk(KERN_ERR "Error attempting to copy mount-wide key sigs "
1023 "to the inode key sigs; rc = [%d]\n", rc);
1024 goto out;
1025 }
1026 cipher_name_len =
1027 strlen(mount_crypt_stat->global_default_cipher_name);
1028 memcpy(crypt_stat->cipher,
1029 mount_crypt_stat->global_default_cipher_name,
1030 cipher_name_len);
1031 crypt_stat->cipher[cipher_name_len] = '\0';
1032 crypt_stat->key_size =
1033 mount_crypt_stat->global_default_cipher_key_size;
1034 ecryptfs_generate_new_key(crypt_stat);
1035 rc = ecryptfs_init_crypt_ctx(crypt_stat);
1036 if (rc)
1037 ecryptfs_printk(KERN_ERR, "Error initializing cryptographic "
1038 "context for cipher [%s]: rc = [%d]\n",
1039 crypt_stat->cipher, rc);
1040out:
1041 return rc;
1042}
1043
1044
1045
1046
1047
1048
1049
1050static int ecryptfs_validate_marker(char *data)
1051{
1052 u32 m_1, m_2;
1053
1054 m_1 = get_unaligned_be32(data);
1055 m_2 = get_unaligned_be32(data + 4);
1056 if ((m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2)
1057 return 0;
1058 ecryptfs_printk(KERN_DEBUG, "m_1 = [0x%.8x]; m_2 = [0x%.8x]; "
1059 "MAGIC_ECRYPTFS_MARKER = [0x%.8x]\n", m_1, m_2,
1060 MAGIC_ECRYPTFS_MARKER);
1061 ecryptfs_printk(KERN_DEBUG, "(m_1 ^ MAGIC_ECRYPTFS_MARKER) = "
1062 "[0x%.8x]\n", (m_1 ^ MAGIC_ECRYPTFS_MARKER));
1063 return -EINVAL;
1064}
1065
1066struct ecryptfs_flag_map_elem {
1067 u32 file_flag;
1068 u32 local_flag;
1069};
1070
1071
1072static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = {
1073 {0x00000001, ECRYPTFS_ENABLE_HMAC},
1074 {0x00000002, ECRYPTFS_ENCRYPTED},
1075 {0x00000004, ECRYPTFS_METADATA_IN_XATTR},
1076 {0x00000008, ECRYPTFS_ENCRYPT_FILENAMES}
1077};
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087static int ecryptfs_process_flags(struct ecryptfs_crypt_stat *crypt_stat,
1088 char *page_virt, int *bytes_read)
1089{
1090 int rc = 0;
1091 int i;
1092 u32 flags;
1093
1094 flags = get_unaligned_be32(page_virt);
1095 for (i = 0; i < ((sizeof(ecryptfs_flag_map)
1096 / sizeof(struct ecryptfs_flag_map_elem))); i++)
1097 if (flags & ecryptfs_flag_map[i].file_flag) {
1098 crypt_stat->flags |= ecryptfs_flag_map[i].local_flag;
1099 } else
1100 crypt_stat->flags &= ~(ecryptfs_flag_map[i].local_flag);
1101
1102 crypt_stat->file_version = ((flags >> 24) & 0xFF);
1103 (*bytes_read) = 4;
1104 return rc;
1105}
1106
1107
1108
1109
1110
1111
1112
1113
1114static void write_ecryptfs_marker(char *page_virt, size_t *written)
1115{
1116 u32 m_1, m_2;
1117
1118 get_random_bytes(&m_1, (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2));
1119 m_2 = (m_1 ^ MAGIC_ECRYPTFS_MARKER);
1120 put_unaligned_be32(m_1, page_virt);
1121 page_virt += (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2);
1122 put_unaligned_be32(m_2, page_virt);
1123 (*written) = MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;
1124}
1125
1126void ecryptfs_write_crypt_stat_flags(char *page_virt,
1127 struct ecryptfs_crypt_stat *crypt_stat,
1128 size_t *written)
1129{
1130 u32 flags = 0;
1131 int i;
1132
1133 for (i = 0; i < ((sizeof(ecryptfs_flag_map)
1134 / sizeof(struct ecryptfs_flag_map_elem))); i++)
1135 if (crypt_stat->flags & ecryptfs_flag_map[i].local_flag)
1136 flags |= ecryptfs_flag_map[i].file_flag;
1137
1138 flags |= ((((u8)crypt_stat->file_version) << 24) & 0xFF000000);
1139 put_unaligned_be32(flags, page_virt);
1140 (*written) = 4;
1141}
1142
1143struct ecryptfs_cipher_code_str_map_elem {
1144 char cipher_str[16];
1145 u8 cipher_code;
1146};
1147
1148
1149
1150
1151static struct ecryptfs_cipher_code_str_map_elem
1152ecryptfs_cipher_code_str_map[] = {
1153 {"aes",RFC2440_CIPHER_AES_128 },
1154 {"blowfish", RFC2440_CIPHER_BLOWFISH},
1155 {"des3_ede", RFC2440_CIPHER_DES3_EDE},
1156 {"cast5", RFC2440_CIPHER_CAST_5},
1157 {"twofish", RFC2440_CIPHER_TWOFISH},
1158 {"cast6", RFC2440_CIPHER_CAST_6},
1159 {"aes", RFC2440_CIPHER_AES_192},
1160 {"aes", RFC2440_CIPHER_AES_256}
1161};
1162
1163
1164
1165
1166
1167
1168
1169
1170u8 ecryptfs_code_for_cipher_string(char *cipher_name, size_t key_bytes)
1171{
1172 int i;
1173 u8 code = 0;
1174 struct ecryptfs_cipher_code_str_map_elem *map =
1175 ecryptfs_cipher_code_str_map;
1176
1177 if (strcmp(cipher_name, "aes") == 0) {
1178 switch (key_bytes) {
1179 case 16:
1180 code = RFC2440_CIPHER_AES_128;
1181 break;
1182 case 24:
1183 code = RFC2440_CIPHER_AES_192;
1184 break;
1185 case 32:
1186 code = RFC2440_CIPHER_AES_256;
1187 }
1188 } else {
1189 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++)
1190 if (strcmp(cipher_name, map[i].cipher_str) == 0) {
1191 code = map[i].cipher_code;
1192 break;
1193 }
1194 }
1195 return code;
1196}
1197
1198
1199
1200
1201
1202
1203
1204
1205int ecryptfs_cipher_code_to_string(char *str, u8 cipher_code)
1206{
1207 int rc = 0;
1208 int i;
1209
1210 str[0] = '\0';
1211 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++)
1212 if (cipher_code == ecryptfs_cipher_code_str_map[i].cipher_code)
1213 strcpy(str, ecryptfs_cipher_code_str_map[i].cipher_str);
1214 if (str[0] == '\0') {
1215 ecryptfs_printk(KERN_WARNING, "Cipher code not recognized: "
1216 "[%d]\n", cipher_code);
1217 rc = -EINVAL;
1218 }
1219 return rc;
1220}
1221
1222int ecryptfs_read_and_validate_header_region(struct inode *inode)
1223{
1224 u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES];
1225 u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES;
1226 int rc;
1227
1228 rc = ecryptfs_read_lower(file_size, 0, ECRYPTFS_SIZE_AND_MARKER_BYTES,
1229 inode);
1230 if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
1231 return rc >= 0 ? -EINVAL : rc;
1232 rc = ecryptfs_validate_marker(marker);
1233 if (!rc)
1234 ecryptfs_i_size_init(file_size, inode);
1235 return rc;
1236}
1237
1238void
1239ecryptfs_write_header_metadata(char *virt,
1240 struct ecryptfs_crypt_stat *crypt_stat,
1241 size_t *written)
1242{
1243 u32 header_extent_size;
1244 u16 num_header_extents_at_front;
1245
1246 header_extent_size = (u32)crypt_stat->extent_size;
1247 num_header_extents_at_front =
1248 (u16)(crypt_stat->metadata_size / crypt_stat->extent_size);
1249 put_unaligned_be32(header_extent_size, virt);
1250 virt += 4;
1251 put_unaligned_be16(num_header_extents_at_front, virt);
1252 (*written) = 6;
1253}
1254
1255struct kmem_cache *ecryptfs_header_cache;
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288static int ecryptfs_write_headers_virt(char *page_virt, size_t max,
1289 size_t *size,
1290 struct ecryptfs_crypt_stat *crypt_stat,
1291 struct dentry *ecryptfs_dentry)
1292{
1293 int rc;
1294 size_t written;
1295 size_t offset;
1296
1297 offset = ECRYPTFS_FILE_SIZE_BYTES;
1298 write_ecryptfs_marker((page_virt + offset), &written);
1299 offset += written;
1300 ecryptfs_write_crypt_stat_flags((page_virt + offset), crypt_stat,
1301 &written);
1302 offset += written;
1303 ecryptfs_write_header_metadata((page_virt + offset), crypt_stat,
1304 &written);
1305 offset += written;
1306 rc = ecryptfs_generate_key_packet_set((page_virt + offset), crypt_stat,
1307 ecryptfs_dentry, &written,
1308 max - offset);
1309 if (rc)
1310 ecryptfs_printk(KERN_WARNING, "Error generating key packet "
1311 "set; rc = [%d]\n", rc);
1312 if (size) {
1313 offset += written;
1314 *size = offset;
1315 }
1316 return rc;
1317}
1318
1319static int
1320ecryptfs_write_metadata_to_contents(struct inode *ecryptfs_inode,
1321 char *virt, size_t virt_len)
1322{
1323 int rc;
1324
1325 rc = ecryptfs_write_lower(ecryptfs_inode, virt,
1326 0, virt_len);
1327 if (rc < 0)
1328 printk(KERN_ERR "%s: Error attempting to write header "
1329 "information to lower file; rc = [%d]\n", __func__, rc);
1330 else
1331 rc = 0;
1332 return rc;
1333}
1334
1335static int
1336ecryptfs_write_metadata_to_xattr(struct dentry *ecryptfs_dentry,
1337 char *page_virt, size_t size)
1338{
1339 int rc;
1340
1341 rc = ecryptfs_setxattr(ecryptfs_dentry, ECRYPTFS_XATTR_NAME, page_virt,
1342 size, 0);
1343 return rc;
1344}
1345
1346static unsigned long ecryptfs_get_zeroed_pages(gfp_t gfp_mask,
1347 unsigned int order)
1348{
1349 struct page *page;
1350
1351 page = alloc_pages(gfp_mask | __GFP_ZERO, order);
1352 if (page)
1353 return (unsigned long) page_address(page);
1354 return 0;
1355}
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry,
1371 struct inode *ecryptfs_inode)
1372{
1373 struct ecryptfs_crypt_stat *crypt_stat =
1374 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
1375 unsigned int order;
1376 char *virt;
1377 size_t virt_len;
1378 size_t size = 0;
1379 int rc = 0;
1380
1381 if (likely(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) {
1382 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {
1383 printk(KERN_ERR "Key is invalid; bailing out\n");
1384 rc = -EINVAL;
1385 goto out;
1386 }
1387 } else {
1388 printk(KERN_WARNING "%s: Encrypted flag not set\n",
1389 __func__);
1390 rc = -EINVAL;
1391 goto out;
1392 }
1393 virt_len = crypt_stat->metadata_size;
1394 order = get_order(virt_len);
1395
1396 virt = (char *)ecryptfs_get_zeroed_pages(GFP_KERNEL, order);
1397 if (!virt) {
1398 printk(KERN_ERR "%s: Out of memory\n", __func__);
1399 rc = -ENOMEM;
1400 goto out;
1401 }
1402
1403 rc = ecryptfs_write_headers_virt(virt, virt_len, &size, crypt_stat,
1404 ecryptfs_dentry);
1405 if (unlikely(rc)) {
1406 printk(KERN_ERR "%s: Error whilst writing headers; rc = [%d]\n",
1407 __func__, rc);
1408 goto out_free;
1409 }
1410 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
1411 rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, virt,
1412 size);
1413 else
1414 rc = ecryptfs_write_metadata_to_contents(ecryptfs_inode, virt,
1415 virt_len);
1416 if (rc) {
1417 printk(KERN_ERR "%s: Error writing metadata out to lower file; "
1418 "rc = [%d]\n", __func__, rc);
1419 goto out_free;
1420 }
1421out_free:
1422 free_pages((unsigned long)virt, order);
1423out:
1424 return rc;
1425}
1426
1427#define ECRYPTFS_DONT_VALIDATE_HEADER_SIZE 0
1428#define ECRYPTFS_VALIDATE_HEADER_SIZE 1
1429static int parse_header_metadata(struct ecryptfs_crypt_stat *crypt_stat,
1430 char *virt, int *bytes_read,
1431 int validate_header_size)
1432{
1433 int rc = 0;
1434 u32 header_extent_size;
1435 u16 num_header_extents_at_front;
1436
1437 header_extent_size = get_unaligned_be32(virt);
1438 virt += sizeof(__be32);
1439 num_header_extents_at_front = get_unaligned_be16(virt);
1440 crypt_stat->metadata_size = (((size_t)num_header_extents_at_front
1441 * (size_t)header_extent_size));
1442 (*bytes_read) = (sizeof(__be32) + sizeof(__be16));
1443 if ((validate_header_size == ECRYPTFS_VALIDATE_HEADER_SIZE)
1444 && (crypt_stat->metadata_size
1445 < ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)) {
1446 rc = -EINVAL;
1447 printk(KERN_WARNING "Invalid header size: [%zd]\n",
1448 crypt_stat->metadata_size);
1449 }
1450 return rc;
1451}
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat)
1462{
1463 crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
1464}
1465
1466void ecryptfs_i_size_init(const char *page_virt, struct inode *inode)
1467{
1468 struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
1469 struct ecryptfs_crypt_stat *crypt_stat;
1470 u64 file_size;
1471
1472 crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat;
1473 mount_crypt_stat =
1474 &ecryptfs_superblock_to_private(inode->i_sb)->mount_crypt_stat;
1475 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) {
1476 file_size = i_size_read(ecryptfs_inode_to_lower(inode));
1477 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
1478 file_size += crypt_stat->metadata_size;
1479 } else
1480 file_size = get_unaligned_be64(page_virt);
1481 i_size_write(inode, (loff_t)file_size);
1482 crypt_stat->flags |= ECRYPTFS_I_SIZE_INITIALIZED;
1483}
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497static int ecryptfs_read_headers_virt(char *page_virt,
1498 struct ecryptfs_crypt_stat *crypt_stat,
1499 struct dentry *ecryptfs_dentry,
1500 int validate_header_size)
1501{
1502 int rc = 0;
1503 int offset;
1504 int bytes_read;
1505
1506 ecryptfs_set_default_sizes(crypt_stat);
1507 crypt_stat->mount_crypt_stat = &ecryptfs_superblock_to_private(
1508 ecryptfs_dentry->d_sb)->mount_crypt_stat;
1509 offset = ECRYPTFS_FILE_SIZE_BYTES;
1510 rc = ecryptfs_validate_marker(page_virt + offset);
1511 if (rc)
1512 goto out;
1513 if (!(crypt_stat->flags & ECRYPTFS_I_SIZE_INITIALIZED))
1514 ecryptfs_i_size_init(page_virt, ecryptfs_dentry->d_inode);
1515 offset += MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;
1516 rc = ecryptfs_process_flags(crypt_stat, (page_virt + offset),
1517 &bytes_read);
1518 if (rc) {
1519 ecryptfs_printk(KERN_WARNING, "Error processing flags\n");
1520 goto out;
1521 }
1522 if (crypt_stat->file_version > ECRYPTFS_SUPPORTED_FILE_VERSION) {
1523 ecryptfs_printk(KERN_WARNING, "File version is [%d]; only "
1524 "file version [%d] is supported by this "
1525 "version of eCryptfs\n",
1526 crypt_stat->file_version,
1527 ECRYPTFS_SUPPORTED_FILE_VERSION);
1528 rc = -EINVAL;
1529 goto out;
1530 }
1531 offset += bytes_read;
1532 if (crypt_stat->file_version >= 1) {
1533 rc = parse_header_metadata(crypt_stat, (page_virt + offset),
1534 &bytes_read, validate_header_size);
1535 if (rc) {
1536 ecryptfs_printk(KERN_WARNING, "Error reading header "
1537 "metadata; rc = [%d]\n", rc);
1538 }
1539 offset += bytes_read;
1540 } else
1541 set_default_header_data(crypt_stat);
1542 rc = ecryptfs_parse_packet_set(crypt_stat, (page_virt + offset),
1543 ecryptfs_dentry);
1544out:
1545 return rc;
1546}
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558int ecryptfs_read_xattr_region(char *page_virt, struct inode *ecryptfs_inode)
1559{
1560 struct dentry *lower_dentry =
1561 ecryptfs_inode_to_private(ecryptfs_inode)->lower_file->f_dentry;
1562 ssize_t size;
1563 int rc = 0;
1564
1565 size = ecryptfs_getxattr_lower(lower_dentry, ECRYPTFS_XATTR_NAME,
1566 page_virt, ECRYPTFS_DEFAULT_EXTENT_SIZE);
1567 if (size < 0) {
1568 if (unlikely(ecryptfs_verbosity > 0))
1569 printk(KERN_INFO "Error attempting to read the [%s] "
1570 "xattr from the lower file; return value = "
1571 "[%zd]\n", ECRYPTFS_XATTR_NAME, size);
1572 rc = -EINVAL;
1573 goto out;
1574 }
1575out:
1576 return rc;
1577}
1578
1579int ecryptfs_read_and_validate_xattr_region(struct dentry *dentry,
1580 struct inode *inode)
1581{
1582 u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES];
1583 u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES;
1584 int rc;
1585
1586 rc = ecryptfs_getxattr_lower(ecryptfs_dentry_to_lower(dentry),
1587 ECRYPTFS_XATTR_NAME, file_size,
1588 ECRYPTFS_SIZE_AND_MARKER_BYTES);
1589 if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
1590 return rc >= 0 ? -EINVAL : rc;
1591 rc = ecryptfs_validate_marker(marker);
1592 if (!rc)
1593 ecryptfs_i_size_init(file_size, inode);
1594 return rc;
1595}
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)
1610{
1611 int rc;
1612 char *page_virt;
1613 struct inode *ecryptfs_inode = ecryptfs_dentry->d_inode;
1614 struct ecryptfs_crypt_stat *crypt_stat =
1615 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
1616 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
1617 &ecryptfs_superblock_to_private(
1618 ecryptfs_dentry->d_sb)->mount_crypt_stat;
1619
1620 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
1621 mount_crypt_stat);
1622
1623 page_virt = kmem_cache_alloc(ecryptfs_header_cache, GFP_USER);
1624 if (!page_virt) {
1625 rc = -ENOMEM;
1626 printk(KERN_ERR "%s: Unable to allocate page_virt\n",
1627 __func__);
1628 goto out;
1629 }
1630 rc = ecryptfs_read_lower(page_virt, 0, crypt_stat->extent_size,
1631 ecryptfs_inode);
1632 if (rc >= 0)
1633 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat,
1634 ecryptfs_dentry,
1635 ECRYPTFS_VALIDATE_HEADER_SIZE);
1636 if (rc) {
1637
1638 memset(page_virt, 0, PAGE_CACHE_SIZE);
1639 rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode);
1640 if (rc) {
1641 printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1642 "file header region or xattr region, inode %lu\n",
1643 ecryptfs_inode->i_ino);
1644 rc = -EINVAL;
1645 goto out;
1646 }
1647 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat,
1648 ecryptfs_dentry,
1649 ECRYPTFS_DONT_VALIDATE_HEADER_SIZE);
1650 if (rc) {
1651 printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1652 "file xattr region either, inode %lu\n",
1653 ecryptfs_inode->i_ino);
1654 rc = -EINVAL;
1655 }
1656 if (crypt_stat->mount_crypt_stat->flags
1657 & ECRYPTFS_XATTR_METADATA_ENABLED) {
1658 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
1659 } else {
1660 printk(KERN_WARNING "Attempt to access file with "
1661 "crypto metadata only in the extended attribute "
1662 "region, but eCryptfs was mounted without "
1663 "xattr support enabled. eCryptfs will not treat "
1664 "this like an encrypted file, inode %lu\n",
1665 ecryptfs_inode->i_ino);
1666 rc = -EINVAL;
1667 }
1668 }
1669out:
1670 if (page_virt) {
1671 memset(page_virt, 0, PAGE_CACHE_SIZE);
1672 kmem_cache_free(ecryptfs_header_cache, page_virt);
1673 }
1674 return rc;
1675}
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686static int
1687ecryptfs_encrypt_filename(struct ecryptfs_filename *filename,
1688 struct ecryptfs_crypt_stat *crypt_stat,
1689 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
1690{
1691 int rc = 0;
1692
1693 filename->encrypted_filename = NULL;
1694 filename->encrypted_filename_size = 0;
1695 if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
1696 || (mount_crypt_stat && (mount_crypt_stat->flags
1697 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) {
1698 size_t packet_size;
1699 size_t remaining_bytes;
1700
1701 rc = ecryptfs_write_tag_70_packet(
1702 NULL, NULL,
1703 &filename->encrypted_filename_size,
1704 mount_crypt_stat, NULL,
1705 filename->filename_size);
1706 if (rc) {
1707 printk(KERN_ERR "%s: Error attempting to get packet "
1708 "size for tag 72; rc = [%d]\n", __func__,
1709 rc);
1710 filename->encrypted_filename_size = 0;
1711 goto out;
1712 }
1713 filename->encrypted_filename =
1714 kmalloc(filename->encrypted_filename_size, GFP_KERNEL);
1715 if (!filename->encrypted_filename) {
1716 printk(KERN_ERR "%s: Out of memory whilst attempting "
1717 "to kmalloc [%zd] bytes\n", __func__,
1718 filename->encrypted_filename_size);
1719 rc = -ENOMEM;
1720 goto out;
1721 }
1722 remaining_bytes = filename->encrypted_filename_size;
1723 rc = ecryptfs_write_tag_70_packet(filename->encrypted_filename,
1724 &remaining_bytes,
1725 &packet_size,
1726 mount_crypt_stat,
1727 filename->filename,
1728 filename->filename_size);
1729 if (rc) {
1730 printk(KERN_ERR "%s: Error attempting to generate "
1731 "tag 70 packet; rc = [%d]\n", __func__,
1732 rc);
1733 kfree(filename->encrypted_filename);
1734 filename->encrypted_filename = NULL;
1735 filename->encrypted_filename_size = 0;
1736 goto out;
1737 }
1738 filename->encrypted_filename_size = packet_size;
1739 } else {
1740 printk(KERN_ERR "%s: No support for requested filename "
1741 "encryption method in this release\n", __func__);
1742 rc = -EOPNOTSUPP;
1743 goto out;
1744 }
1745out:
1746 return rc;
1747}
1748
1749static int ecryptfs_copy_filename(char **copied_name, size_t *copied_name_size,
1750 const char *name, size_t name_size)
1751{
1752 int rc = 0;
1753
1754 (*copied_name) = kmalloc((name_size + 1), GFP_KERNEL);
1755 if (!(*copied_name)) {
1756 rc = -ENOMEM;
1757 goto out;
1758 }
1759 memcpy((void *)(*copied_name), (void *)name, name_size);
1760 (*copied_name)[(name_size)] = '\0';
1761
1762
1763
1764 (*copied_name_size) = name_size;
1765out:
1766 return rc;
1767}
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779static int
1780ecryptfs_process_key_cipher(struct crypto_blkcipher **key_tfm,
1781 char *cipher_name, size_t *key_size)
1782{
1783 char dummy_key[ECRYPTFS_MAX_KEY_BYTES];
1784 char *full_alg_name = NULL;
1785 int rc;
1786
1787 *key_tfm = NULL;
1788 if (*key_size > ECRYPTFS_MAX_KEY_BYTES) {
1789 rc = -EINVAL;
1790 printk(KERN_ERR "Requested key size is [%zd] bytes; maximum "
1791 "allowable is [%d]\n", *key_size, ECRYPTFS_MAX_KEY_BYTES);
1792 goto out;
1793 }
1794 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, cipher_name,
1795 "ecb");
1796 if (rc)
1797 goto out;
1798 *key_tfm = crypto_alloc_blkcipher(full_alg_name, 0, CRYPTO_ALG_ASYNC);
1799 if (IS_ERR(*key_tfm)) {
1800 rc = PTR_ERR(*key_tfm);
1801 printk(KERN_ERR "Unable to allocate crypto cipher with name "
1802 "[%s]; rc = [%d]\n", full_alg_name, rc);
1803 goto out;
1804 }
1805 crypto_blkcipher_set_flags(*key_tfm, CRYPTO_TFM_REQ_WEAK_KEY);
1806 if (*key_size == 0) {
1807 struct blkcipher_alg *alg = crypto_blkcipher_alg(*key_tfm);
1808
1809 *key_size = alg->max_keysize;
1810 }
1811 get_random_bytes(dummy_key, *key_size);
1812 rc = crypto_blkcipher_setkey(*key_tfm, dummy_key, *key_size);
1813 if (rc) {
1814 printk(KERN_ERR "Error attempting to set key of size [%zd] for "
1815 "cipher [%s]; rc = [%d]\n", *key_size, full_alg_name,
1816 rc);
1817 rc = -EINVAL;
1818 goto out;
1819 }
1820out:
1821 kfree(full_alg_name);
1822 return rc;
1823}
1824
1825struct kmem_cache *ecryptfs_key_tfm_cache;
1826static struct list_head key_tfm_list;
1827struct mutex key_tfm_list_mutex;
1828
1829int __init ecryptfs_init_crypto(void)
1830{
1831 mutex_init(&key_tfm_list_mutex);
1832 INIT_LIST_HEAD(&key_tfm_list);
1833 return 0;
1834}
1835
1836
1837
1838
1839
1840
1841int ecryptfs_destroy_crypto(void)
1842{
1843 struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp;
1844
1845 mutex_lock(&key_tfm_list_mutex);
1846 list_for_each_entry_safe(key_tfm, key_tfm_tmp, &key_tfm_list,
1847 key_tfm_list) {
1848 list_del(&key_tfm->key_tfm_list);
1849 if (key_tfm->key_tfm)
1850 crypto_free_blkcipher(key_tfm->key_tfm);
1851 kmem_cache_free(ecryptfs_key_tfm_cache, key_tfm);
1852 }
1853 mutex_unlock(&key_tfm_list_mutex);
1854 return 0;
1855}
1856
1857int
1858ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name,
1859 size_t key_size)
1860{
1861 struct ecryptfs_key_tfm *tmp_tfm;
1862 int rc = 0;
1863
1864 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1865
1866 tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL);
1867 if (key_tfm != NULL)
1868 (*key_tfm) = tmp_tfm;
1869 if (!tmp_tfm) {
1870 rc = -ENOMEM;
1871 printk(KERN_ERR "Error attempting to allocate from "
1872 "ecryptfs_key_tfm_cache\n");
1873 goto out;
1874 }
1875 mutex_init(&tmp_tfm->key_tfm_mutex);
1876 strncpy(tmp_tfm->cipher_name, cipher_name,
1877 ECRYPTFS_MAX_CIPHER_NAME_SIZE);
1878 tmp_tfm->cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0';
1879 tmp_tfm->key_size = key_size;
1880 rc = ecryptfs_process_key_cipher(&tmp_tfm->key_tfm,
1881 tmp_tfm->cipher_name,
1882 &tmp_tfm->key_size);
1883 if (rc) {
1884 printk(KERN_ERR "Error attempting to initialize key TFM "
1885 "cipher with name = [%s]; rc = [%d]\n",
1886 tmp_tfm->cipher_name, rc);
1887 kmem_cache_free(ecryptfs_key_tfm_cache, tmp_tfm);
1888 if (key_tfm != NULL)
1889 (*key_tfm) = NULL;
1890 goto out;
1891 }
1892 list_add(&tmp_tfm->key_tfm_list, &key_tfm_list);
1893out:
1894 return rc;
1895}
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907int ecryptfs_tfm_exists(char *cipher_name, struct ecryptfs_key_tfm **key_tfm)
1908{
1909 struct ecryptfs_key_tfm *tmp_key_tfm;
1910
1911 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1912
1913 list_for_each_entry(tmp_key_tfm, &key_tfm_list, key_tfm_list) {
1914 if (strcmp(tmp_key_tfm->cipher_name, cipher_name) == 0) {
1915 if (key_tfm)
1916 (*key_tfm) = tmp_key_tfm;
1917 return 1;
1918 }
1919 }
1920 if (key_tfm)
1921 (*key_tfm) = NULL;
1922 return 0;
1923}
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm,
1937 struct mutex **tfm_mutex,
1938 char *cipher_name)
1939{
1940 struct ecryptfs_key_tfm *key_tfm;
1941 int rc = 0;
1942
1943 (*tfm) = NULL;
1944 (*tfm_mutex) = NULL;
1945
1946 mutex_lock(&key_tfm_list_mutex);
1947 if (!ecryptfs_tfm_exists(cipher_name, &key_tfm)) {
1948 rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0);
1949 if (rc) {
1950 printk(KERN_ERR "Error adding new key_tfm to list; "
1951 "rc = [%d]\n", rc);
1952 goto out;
1953 }
1954 }
1955 (*tfm) = key_tfm->key_tfm;
1956 (*tfm_mutex) = &key_tfm->key_tfm_mutex;
1957out:
1958 mutex_unlock(&key_tfm_list_mutex);
1959 return rc;
1960}
1961
1962
1963static unsigned char *portable_filename_chars = ("-.0123456789ABCD"
1964 "EFGHIJKLMNOPQRST"
1965 "UVWXYZabcdefghij"
1966 "klmnopqrstuvwxyz");
1967
1968
1969
1970static const unsigned char filename_rev_map[256] = {
1971 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1972 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1973 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1974 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1975 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1976 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1977 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
1978 0x0A, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1979 0x00, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12,
1980 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A,
1981 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22,
1982 0x23, 0x24, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00,
1983 0x00, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
1984 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
1985 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
1986 0x3D, 0x3E, 0x3F
1987};
1988
1989
1990
1991
1992
1993
1994
1995
1996static void ecryptfs_encode_for_filename(unsigned char *dst, size_t *dst_size,
1997 unsigned char *src, size_t src_size)
1998{
1999 size_t num_blocks;
2000 size_t block_num = 0;
2001 size_t dst_offset = 0;
2002 unsigned char last_block[3];
2003
2004 if (src_size == 0) {
2005 (*dst_size) = 0;
2006 goto out;
2007 }
2008 num_blocks = (src_size / 3);
2009 if ((src_size % 3) == 0) {
2010 memcpy(last_block, (&src[src_size - 3]), 3);
2011 } else {
2012 num_blocks++;
2013 last_block[2] = 0x00;
2014 switch (src_size % 3) {
2015 case 1:
2016 last_block[0] = src[src_size - 1];
2017 last_block[1] = 0x00;
2018 break;
2019 case 2:
2020 last_block[0] = src[src_size - 2];
2021 last_block[1] = src[src_size - 1];
2022 }
2023 }
2024 (*dst_size) = (num_blocks * 4);
2025 if (!dst)
2026 goto out;
2027 while (block_num < num_blocks) {
2028 unsigned char *src_block;
2029 unsigned char dst_block[4];
2030
2031 if (block_num == (num_blocks - 1))
2032 src_block = last_block;
2033 else
2034 src_block = &src[block_num * 3];
2035 dst_block[0] = ((src_block[0] >> 2) & 0x3F);
2036 dst_block[1] = (((src_block[0] << 4) & 0x30)
2037 | ((src_block[1] >> 4) & 0x0F));
2038 dst_block[2] = (((src_block[1] << 2) & 0x3C)
2039 | ((src_block[2] >> 6) & 0x03));
2040 dst_block[3] = (src_block[2] & 0x3F);
2041 dst[dst_offset++] = portable_filename_chars[dst_block[0]];
2042 dst[dst_offset++] = portable_filename_chars[dst_block[1]];
2043 dst[dst_offset++] = portable_filename_chars[dst_block[2]];
2044 dst[dst_offset++] = portable_filename_chars[dst_block[3]];
2045 block_num++;
2046 }
2047out:
2048 return;
2049}
2050
2051static size_t ecryptfs_max_decoded_size(size_t encoded_size)
2052{
2053
2054
2055
2056
2057
2058
2059 return ((encoded_size + 1) * 3) / 4;
2060}
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071static void
2072ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
2073 const unsigned char *src, size_t src_size)
2074{
2075 u8 current_bit_offset = 0;
2076 size_t src_byte_offset = 0;
2077 size_t dst_byte_offset = 0;
2078
2079 if (dst == NULL) {
2080 (*dst_size) = ecryptfs_max_decoded_size(src_size);
2081 goto out;
2082 }
2083 while (src_byte_offset < src_size) {
2084 unsigned char src_byte =
2085 filename_rev_map[(int)src[src_byte_offset]];
2086
2087 switch (current_bit_offset) {
2088 case 0:
2089 dst[dst_byte_offset] = (src_byte << 2);
2090 current_bit_offset = 6;
2091 break;
2092 case 6:
2093 dst[dst_byte_offset++] |= (src_byte >> 4);
2094 dst[dst_byte_offset] = ((src_byte & 0xF)
2095 << 4);
2096 current_bit_offset = 4;
2097 break;
2098 case 4:
2099 dst[dst_byte_offset++] |= (src_byte >> 2);
2100 dst[dst_byte_offset] = (src_byte << 6);
2101 current_bit_offset = 2;
2102 break;
2103 case 2:
2104 dst[dst_byte_offset++] |= (src_byte);
2105 dst[dst_byte_offset] = 0;
2106 current_bit_offset = 0;
2107 break;
2108 }
2109 src_byte_offset++;
2110 }
2111 (*dst_size) = dst_byte_offset;
2112out:
2113 return;
2114}
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131int ecryptfs_encrypt_and_encode_filename(
2132 char **encoded_name,
2133 size_t *encoded_name_size,
2134 struct ecryptfs_crypt_stat *crypt_stat,
2135 struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
2136 const char *name, size_t name_size)
2137{
2138 size_t encoded_name_no_prefix_size;
2139 int rc = 0;
2140
2141 (*encoded_name) = NULL;
2142 (*encoded_name_size) = 0;
2143 if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCRYPT_FILENAMES))
2144 || (mount_crypt_stat && (mount_crypt_stat->flags
2145 & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES))) {
2146 struct ecryptfs_filename *filename;
2147
2148 filename = kzalloc(sizeof(*filename), GFP_KERNEL);
2149 if (!filename) {
2150 printk(KERN_ERR "%s: Out of memory whilst attempting "
2151 "to kzalloc [%zd] bytes\n", __func__,
2152 sizeof(*filename));
2153 rc = -ENOMEM;
2154 goto out;
2155 }
2156 filename->filename = (char *)name;
2157 filename->filename_size = name_size;
2158 rc = ecryptfs_encrypt_filename(filename, crypt_stat,
2159 mount_crypt_stat);
2160 if (rc) {
2161 printk(KERN_ERR "%s: Error attempting to encrypt "
2162 "filename; rc = [%d]\n", __func__, rc);
2163 kfree(filename);
2164 goto out;
2165 }
2166 ecryptfs_encode_for_filename(
2167 NULL, &encoded_name_no_prefix_size,
2168 filename->encrypted_filename,
2169 filename->encrypted_filename_size);
2170 if ((crypt_stat && (crypt_stat->flags
2171 & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
2172 || (mount_crypt_stat
2173 && (mount_crypt_stat->flags
2174 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)))
2175 (*encoded_name_size) =
2176 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
2177 + encoded_name_no_prefix_size);
2178 else
2179 (*encoded_name_size) =
2180 (ECRYPTFS_FEK_ENCRYPTED_FILENAME_PREFIX_SIZE
2181 + encoded_name_no_prefix_size);
2182 (*encoded_name) = kmalloc((*encoded_name_size) + 1, GFP_KERNEL);
2183 if (!(*encoded_name)) {
2184 printk(KERN_ERR "%s: Out of memory whilst attempting "
2185 "to kzalloc [%zd] bytes\n", __func__,
2186 (*encoded_name_size));
2187 rc = -ENOMEM;
2188 kfree(filename->encrypted_filename);
2189 kfree(filename);
2190 goto out;
2191 }
2192 if ((crypt_stat && (crypt_stat->flags
2193 & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
2194 || (mount_crypt_stat
2195 && (mount_crypt_stat->flags
2196 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) {
2197 memcpy((*encoded_name),
2198 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
2199 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE);
2200 ecryptfs_encode_for_filename(
2201 ((*encoded_name)
2202 + ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE),
2203 &encoded_name_no_prefix_size,
2204 filename->encrypted_filename,
2205 filename->encrypted_filename_size);
2206 (*encoded_name_size) =
2207 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
2208 + encoded_name_no_prefix_size);
2209 (*encoded_name)[(*encoded_name_size)] = '\0';
2210 } else {
2211 rc = -EOPNOTSUPP;
2212 }
2213 if (rc) {
2214 printk(KERN_ERR "%s: Error attempting to encode "
2215 "encrypted filename; rc = [%d]\n", __func__,
2216 rc);
2217 kfree((*encoded_name));
2218 (*encoded_name) = NULL;
2219 (*encoded_name_size) = 0;
2220 }
2221 kfree(filename->encrypted_filename);
2222 kfree(filename);
2223 } else {
2224 rc = ecryptfs_copy_filename(encoded_name,
2225 encoded_name_size,
2226 name, name_size);
2227 }
2228out:
2229 return rc;
2230}
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244int ecryptfs_decode_and_decrypt_filename(char **plaintext_name,
2245 size_t *plaintext_name_size,
2246 struct dentry *ecryptfs_dir_dentry,
2247 const char *name, size_t name_size)
2248{
2249 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
2250 &ecryptfs_superblock_to_private(
2251 ecryptfs_dir_dentry->d_sb)->mount_crypt_stat;
2252 char *decoded_name;
2253 size_t decoded_name_size;
2254 size_t packet_size;
2255 int rc = 0;
2256
2257 if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)
2258 && !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
2259 && (name_size > ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE)
2260 && (strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
2261 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) == 0)) {
2262 const char *orig_name = name;
2263 size_t orig_name_size = name_size;
2264
2265 name += ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2266 name_size -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2267 ecryptfs_decode_from_filename(NULL, &decoded_name_size,
2268 name, name_size);
2269 decoded_name = kmalloc(decoded_name_size, GFP_KERNEL);
2270 if (!decoded_name) {
2271 printk(KERN_ERR "%s: Out of memory whilst attempting "
2272 "to kmalloc [%zd] bytes\n", __func__,
2273 decoded_name_size);
2274 rc = -ENOMEM;
2275 goto out;
2276 }
2277 ecryptfs_decode_from_filename(decoded_name, &decoded_name_size,
2278 name, name_size);
2279 rc = ecryptfs_parse_tag_70_packet(plaintext_name,
2280 plaintext_name_size,
2281 &packet_size,
2282 mount_crypt_stat,
2283 decoded_name,
2284 decoded_name_size);
2285 if (rc) {
2286 printk(KERN_INFO "%s: Could not parse tag 70 packet "
2287 "from filename; copying through filename "
2288 "as-is\n", __func__);
2289 rc = ecryptfs_copy_filename(plaintext_name,
2290 plaintext_name_size,
2291 orig_name, orig_name_size);
2292 goto out_free;
2293 }
2294 } else {
2295 rc = ecryptfs_copy_filename(plaintext_name,
2296 plaintext_name_size,
2297 name, name_size);
2298 goto out;
2299 }
2300out_free:
2301 kfree(decoded_name);
2302out:
2303 return rc;
2304}
2305
2306#define ENC_NAME_MAX_BLOCKLEN_8_OR_16 143
2307
2308int ecryptfs_set_f_namelen(long *namelen, long lower_namelen,
2309 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
2310{
2311 struct blkcipher_desc desc;
2312 struct mutex *tfm_mutex;
2313 size_t cipher_blocksize;
2314 int rc;
2315
2316 if (!(mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)) {
2317 (*namelen) = lower_namelen;
2318 return 0;
2319 }
2320
2321 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&desc.tfm, &tfm_mutex,
2322 mount_crypt_stat->global_default_fn_cipher_name);
2323 if (unlikely(rc)) {
2324 (*namelen) = 0;
2325 return rc;
2326 }
2327
2328 mutex_lock(tfm_mutex);
2329 cipher_blocksize = crypto_blkcipher_blocksize(desc.tfm);
2330 mutex_unlock(tfm_mutex);
2331
2332
2333 if (lower_namelen == NAME_MAX
2334 && (cipher_blocksize == 8 || cipher_blocksize == 16)) {
2335 (*namelen) = ENC_NAME_MAX_BLOCKLEN_8_OR_16;
2336 return 0;
2337 }
2338
2339
2340 (*namelen) = lower_namelen;
2341 (*namelen) -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2342
2343 (*namelen) = ecryptfs_max_decoded_size(*namelen) - 3;
2344 (*namelen) -= ECRYPTFS_TAG_70_MAX_METADATA_SIZE;
2345 (*namelen) -= ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES;
2346
2347 (*namelen) -= cipher_blocksize - 1;
2348
2349 if ((*namelen) < 0)
2350 (*namelen) = 0;
2351
2352 return 0;
2353}
2354