1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26#include <linux/fs.h>
27#include <linux/mount.h>
28#include <linux/pagemap.h>
29#include <linux/random.h>
30#include <linux/compiler.h>
31#include <linux/key.h>
32#include <linux/namei.h>
33#include <linux/crypto.h>
34#include <linux/file.h>
35#include <linux/scatterlist.h>
36#include <linux/slab.h>
37#include <asm/unaligned.h>
38#include "ecryptfs_kernel.h"
39
40#define DECRYPT 0
41#define ENCRYPT 1
42
43
44
45
46
47
48
49
50void ecryptfs_to_hex(char *dst, char *src, size_t src_size)
51{
52 int x;
53
54 for (x = 0; x < src_size; x++)
55 sprintf(&dst[x * 2], "%.2x", (unsigned char)src[x]);
56}
57
58
59
60
61
62
63
64
65void ecryptfs_from_hex(char *dst, char *src, int dst_size)
66{
67 int x;
68 char tmp[3] = { 0, };
69
70 for (x = 0; x < dst_size; x++) {
71 tmp[0] = src[x * 2];
72 tmp[1] = src[x * 2 + 1];
73 dst[x] = (unsigned char)simple_strtol(tmp, NULL, 16);
74 }
75}
76
77
78
79
80
81
82
83
84
85
86
87static int ecryptfs_calculate_md5(char *dst,
88 struct ecryptfs_crypt_stat *crypt_stat,
89 char *src, int len)
90{
91 struct scatterlist sg;
92 struct hash_desc desc = {
93 .tfm = crypt_stat->hash_tfm,
94 .flags = CRYPTO_TFM_REQ_MAY_SLEEP
95 };
96 int rc = 0;
97
98 mutex_lock(&crypt_stat->cs_hash_tfm_mutex);
99 sg_init_one(&sg, (u8 *)src, len);
100 if (!desc.tfm) {
101 desc.tfm = crypto_alloc_hash(ECRYPTFS_DEFAULT_HASH, 0,
102 CRYPTO_ALG_ASYNC);
103 if (IS_ERR(desc.tfm)) {
104 rc = PTR_ERR(desc.tfm);
105 ecryptfs_printk(KERN_ERR, "Error attempting to "
106 "allocate crypto context; rc = [%d]\n",
107 rc);
108 goto out;
109 }
110 crypt_stat->hash_tfm = desc.tfm;
111 }
112 rc = crypto_hash_init(&desc);
113 if (rc) {
114 printk(KERN_ERR
115 "%s: Error initializing crypto hash; rc = [%d]\n",
116 __func__, rc);
117 goto out;
118 }
119 rc = crypto_hash_update(&desc, &sg, len);
120 if (rc) {
121 printk(KERN_ERR
122 "%s: Error updating crypto hash; rc = [%d]\n",
123 __func__, rc);
124 goto out;
125 }
126 rc = crypto_hash_final(&desc, dst);
127 if (rc) {
128 printk(KERN_ERR
129 "%s: Error finalizing crypto hash; rc = [%d]\n",
130 __func__, rc);
131 goto out;
132 }
133out:
134 mutex_unlock(&crypt_stat->cs_hash_tfm_mutex);
135 return rc;
136}
137
138static int ecryptfs_crypto_api_algify_cipher_name(char **algified_name,
139 char *cipher_name,
140 char *chaining_modifier)
141{
142 int cipher_name_len = strlen(cipher_name);
143 int chaining_modifier_len = strlen(chaining_modifier);
144 int algified_name_len;
145 int rc;
146
147 algified_name_len = (chaining_modifier_len + cipher_name_len + 3);
148 (*algified_name) = kmalloc(algified_name_len, GFP_KERNEL);
149 if (!(*algified_name)) {
150 rc = -ENOMEM;
151 goto out;
152 }
153 snprintf((*algified_name), algified_name_len, "%s(%s)",
154 chaining_modifier, cipher_name);
155 rc = 0;
156out:
157 return rc;
158}
159
160
161
162
163
164
165
166
167
168
169
170
171int ecryptfs_derive_iv(char *iv, struct ecryptfs_crypt_stat *crypt_stat,
172 loff_t offset)
173{
174 int rc = 0;
175 char dst[MD5_DIGEST_SIZE];
176 char src[ECRYPTFS_MAX_IV_BYTES + 16];
177
178 if (unlikely(ecryptfs_verbosity > 0)) {
179 ecryptfs_printk(KERN_DEBUG, "root iv:\n");
180 ecryptfs_dump_hex(crypt_stat->root_iv, crypt_stat->iv_bytes);
181 }
182
183
184
185
186 memcpy(src, crypt_stat->root_iv, crypt_stat->iv_bytes);
187 memset((src + crypt_stat->iv_bytes), 0, 16);
188 snprintf((src + crypt_stat->iv_bytes), 16, "%lld", offset);
189 if (unlikely(ecryptfs_verbosity > 0)) {
190 ecryptfs_printk(KERN_DEBUG, "source:\n");
191 ecryptfs_dump_hex(src, (crypt_stat->iv_bytes + 16));
192 }
193 rc = ecryptfs_calculate_md5(dst, crypt_stat, src,
194 (crypt_stat->iv_bytes + 16));
195 if (rc) {
196 ecryptfs_printk(KERN_WARNING, "Error attempting to compute "
197 "MD5 while generating IV for a page\n");
198 goto out;
199 }
200 memcpy(iv, dst, crypt_stat->iv_bytes);
201 if (unlikely(ecryptfs_verbosity > 0)) {
202 ecryptfs_printk(KERN_DEBUG, "derived iv:\n");
203 ecryptfs_dump_hex(iv, crypt_stat->iv_bytes);
204 }
205out:
206 return rc;
207}
208
209
210
211
212
213
214
215void
216ecryptfs_init_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat)
217{
218 memset((void *)crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));
219 INIT_LIST_HEAD(&crypt_stat->keysig_list);
220 mutex_init(&crypt_stat->keysig_list_mutex);
221 mutex_init(&crypt_stat->cs_mutex);
222 mutex_init(&crypt_stat->cs_tfm_mutex);
223 mutex_init(&crypt_stat->cs_hash_tfm_mutex);
224 crypt_stat->flags |= ECRYPTFS_STRUCT_INITIALIZED;
225}
226
227
228
229
230
231
232
233void ecryptfs_destroy_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat)
234{
235 struct ecryptfs_key_sig *key_sig, *key_sig_tmp;
236
237 if (crypt_stat->tfm)
238 crypto_free_ablkcipher(crypt_stat->tfm);
239 if (crypt_stat->hash_tfm)
240 crypto_free_hash(crypt_stat->hash_tfm);
241 list_for_each_entry_safe(key_sig, key_sig_tmp,
242 &crypt_stat->keysig_list, crypt_stat_list) {
243 list_del(&key_sig->crypt_stat_list);
244 kmem_cache_free(ecryptfs_key_sig_cache, key_sig);
245 }
246 memset(crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));
247}
248
249void ecryptfs_destroy_mount_crypt_stat(
250 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
251{
252 struct ecryptfs_global_auth_tok *auth_tok, *auth_tok_tmp;
253
254 if (!(mount_crypt_stat->flags & ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED))
255 return;
256 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
257 list_for_each_entry_safe(auth_tok, auth_tok_tmp,
258 &mount_crypt_stat->global_auth_tok_list,
259 mount_crypt_stat_list) {
260 list_del(&auth_tok->mount_crypt_stat_list);
261 if (auth_tok->global_auth_tok_key
262 && !(auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID))
263 key_put(auth_tok->global_auth_tok_key);
264 kmem_cache_free(ecryptfs_global_auth_tok_cache, auth_tok);
265 }
266 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
267 memset(mount_crypt_stat, 0, sizeof(struct ecryptfs_mount_crypt_stat));
268}
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283int virt_to_scatterlist(const void *addr, int size, struct scatterlist *sg,
284 int sg_size)
285{
286 int i = 0;
287 struct page *pg;
288 int offset;
289 int remainder_of_page;
290
291 sg_init_table(sg, sg_size);
292
293 while (size > 0 && i < sg_size) {
294 pg = virt_to_page(addr);
295 offset = offset_in_page(addr);
296 sg_set_page(&sg[i], pg, 0, offset);
297 remainder_of_page = PAGE_CACHE_SIZE - offset;
298 if (size >= remainder_of_page) {
299 sg[i].length = remainder_of_page;
300 addr += remainder_of_page;
301 size -= remainder_of_page;
302 } else {
303 sg[i].length = size;
304 addr += size;
305 size = 0;
306 }
307 i++;
308 }
309 if (size > 0)
310 return -ENOMEM;
311 return i;
312}
313
314struct extent_crypt_result {
315 struct completion completion;
316 int rc;
317};
318
319static void extent_crypt_complete(struct crypto_async_request *req, int rc)
320{
321 struct extent_crypt_result *ecr = req->data;
322
323 if (rc == -EINPROGRESS)
324 return;
325
326 ecr->rc = rc;
327 complete(&ecr->completion);
328}
329
330
331
332
333
334
335
336
337
338
339
340
341static int crypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat,
342 struct scatterlist *dst_sg,
343 struct scatterlist *src_sg, int size,
344 unsigned char *iv, int op)
345{
346 struct ablkcipher_request *req = NULL;
347 struct extent_crypt_result ecr;
348 int rc = 0;
349
350 BUG_ON(!crypt_stat || !crypt_stat->tfm
351 || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED));
352 if (unlikely(ecryptfs_verbosity > 0)) {
353 ecryptfs_printk(KERN_DEBUG, "Key size [%zd]; key:\n",
354 crypt_stat->key_size);
355 ecryptfs_dump_hex(crypt_stat->key,
356 crypt_stat->key_size);
357 }
358
359 init_completion(&ecr.completion);
360
361 mutex_lock(&crypt_stat->cs_tfm_mutex);
362 req = ablkcipher_request_alloc(crypt_stat->tfm, GFP_NOFS);
363 if (!req) {
364 mutex_unlock(&crypt_stat->cs_tfm_mutex);
365 rc = -ENOMEM;
366 goto out;
367 }
368
369 ablkcipher_request_set_callback(req,
370 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
371 extent_crypt_complete, &ecr);
372
373 if (!(crypt_stat->flags & ECRYPTFS_KEY_SET)) {
374 rc = crypto_ablkcipher_setkey(crypt_stat->tfm, crypt_stat->key,
375 crypt_stat->key_size);
376 if (rc) {
377 ecryptfs_printk(KERN_ERR,
378 "Error setting key; rc = [%d]\n",
379 rc);
380 mutex_unlock(&crypt_stat->cs_tfm_mutex);
381 rc = -EINVAL;
382 goto out;
383 }
384 crypt_stat->flags |= ECRYPTFS_KEY_SET;
385 }
386 mutex_unlock(&crypt_stat->cs_tfm_mutex);
387 ablkcipher_request_set_crypt(req, src_sg, dst_sg, size, iv);
388 rc = op == ENCRYPT ? crypto_ablkcipher_encrypt(req) :
389 crypto_ablkcipher_decrypt(req);
390 if (rc == -EINPROGRESS || rc == -EBUSY) {
391 struct extent_crypt_result *ecr = req->base.data;
392
393 wait_for_completion(&ecr->completion);
394 rc = ecr->rc;
395 INIT_COMPLETION(ecr->completion);
396 }
397out:
398 ablkcipher_request_free(req);
399 return rc;
400}
401
402
403
404
405
406
407static loff_t lower_offset_for_page(struct ecryptfs_crypt_stat *crypt_stat,
408 struct page *page)
409{
410 return ecryptfs_lower_header_size(crypt_stat) +
411 (page->index << PAGE_CACHE_SHIFT);
412}
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427static int crypt_extent(struct ecryptfs_crypt_stat *crypt_stat,
428 struct page *dst_page,
429 struct page *src_page,
430 unsigned long extent_offset, int op)
431{
432 pgoff_t page_index = op == ENCRYPT ? src_page->index : dst_page->index;
433 loff_t extent_base;
434 char extent_iv[ECRYPTFS_MAX_IV_BYTES];
435 struct scatterlist src_sg, dst_sg;
436 size_t extent_size = crypt_stat->extent_size;
437 int rc;
438
439 extent_base = (((loff_t)page_index) * (PAGE_CACHE_SIZE / extent_size));
440 rc = ecryptfs_derive_iv(extent_iv, crypt_stat,
441 (extent_base + extent_offset));
442 if (rc) {
443 ecryptfs_printk(KERN_ERR, "Error attempting to derive IV for "
444 "extent [0x%.16llx]; rc = [%d]\n",
445 (unsigned long long)(extent_base + extent_offset), rc);
446 goto out;
447 }
448
449 sg_init_table(&src_sg, 1);
450 sg_init_table(&dst_sg, 1);
451
452 sg_set_page(&src_sg, src_page, extent_size,
453 extent_offset * extent_size);
454 sg_set_page(&dst_sg, dst_page, extent_size,
455 extent_offset * extent_size);
456
457 rc = crypt_scatterlist(crypt_stat, &dst_sg, &src_sg, extent_size,
458 extent_iv, op);
459 if (rc < 0) {
460 printk(KERN_ERR "%s: Error attempting to crypt page with "
461 "page_index = [%ld], extent_offset = [%ld]; "
462 "rc = [%d]\n", __func__, page_index, extent_offset, rc);
463 goto out;
464 }
465 rc = 0;
466out:
467 return rc;
468}
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486int ecryptfs_encrypt_page(struct page *page)
487{
488 struct inode *ecryptfs_inode;
489 struct ecryptfs_crypt_stat *crypt_stat;
490 char *enc_extent_virt;
491 struct page *enc_extent_page = NULL;
492 loff_t extent_offset;
493 loff_t lower_offset;
494 int rc = 0;
495
496 ecryptfs_inode = page->mapping->host;
497 crypt_stat =
498 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
499 BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED));
500 enc_extent_page = alloc_page(GFP_USER);
501 if (!enc_extent_page) {
502 rc = -ENOMEM;
503 ecryptfs_printk(KERN_ERR, "Error allocating memory for "
504 "encrypted extent\n");
505 goto out;
506 }
507
508 for (extent_offset = 0;
509 extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size);
510 extent_offset++) {
511 rc = crypt_extent(crypt_stat, enc_extent_page, page,
512 extent_offset, ENCRYPT);
513 if (rc) {
514 printk(KERN_ERR "%s: Error encrypting extent; "
515 "rc = [%d]\n", __func__, rc);
516 goto out;
517 }
518 }
519
520 lower_offset = lower_offset_for_page(crypt_stat, page);
521 enc_extent_virt = kmap(enc_extent_page);
522 rc = ecryptfs_write_lower(ecryptfs_inode, enc_extent_virt, lower_offset,
523 PAGE_CACHE_SIZE);
524 kunmap(enc_extent_page);
525 if (rc < 0) {
526 ecryptfs_printk(KERN_ERR,
527 "Error attempting to write lower page; rc = [%d]\n",
528 rc);
529 goto out;
530 }
531 rc = 0;
532out:
533 if (enc_extent_page) {
534 __free_page(enc_extent_page);
535 }
536 return rc;
537}
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555int ecryptfs_decrypt_page(struct page *page)
556{
557 struct inode *ecryptfs_inode;
558 struct ecryptfs_crypt_stat *crypt_stat;
559 char *page_virt;
560 unsigned long extent_offset;
561 loff_t lower_offset;
562 int rc = 0;
563
564 ecryptfs_inode = page->mapping->host;
565 crypt_stat =
566 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
567 BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED));
568
569 lower_offset = lower_offset_for_page(crypt_stat, page);
570 page_virt = kmap(page);
571 rc = ecryptfs_read_lower(page_virt, lower_offset, PAGE_CACHE_SIZE,
572 ecryptfs_inode);
573 kunmap(page);
574 if (rc < 0) {
575 ecryptfs_printk(KERN_ERR,
576 "Error attempting to read lower page; rc = [%d]\n",
577 rc);
578 goto out;
579 }
580
581 for (extent_offset = 0;
582 extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size);
583 extent_offset++) {
584 rc = crypt_extent(crypt_stat, page, page,
585 extent_offset, DECRYPT);
586 if (rc) {
587 printk(KERN_ERR "%s: Error encrypting extent; "
588 "rc = [%d]\n", __func__, rc);
589 goto out;
590 }
591 }
592out:
593 return rc;
594}
595
596#define ECRYPTFS_MAX_SCATTERLIST_LEN 4
597
598
599
600
601
602
603
604
605
606
607int ecryptfs_init_crypt_ctx(struct ecryptfs_crypt_stat *crypt_stat)
608{
609 char *full_alg_name;
610 int rc = -EINVAL;
611
612 if (!crypt_stat->cipher) {
613 ecryptfs_printk(KERN_ERR, "No cipher specified\n");
614 goto out;
615 }
616 ecryptfs_printk(KERN_DEBUG,
617 "Initializing cipher [%s]; strlen = [%d]; "
618 "key_size_bits = [%zd]\n",
619 crypt_stat->cipher, (int)strlen(crypt_stat->cipher),
620 crypt_stat->key_size << 3);
621 if (crypt_stat->tfm) {
622 rc = 0;
623 goto out;
624 }
625 mutex_lock(&crypt_stat->cs_tfm_mutex);
626 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name,
627 crypt_stat->cipher, "cbc");
628 if (rc)
629 goto out_unlock;
630 crypt_stat->tfm = crypto_alloc_ablkcipher(full_alg_name, 0, 0);
631 kfree(full_alg_name);
632 if (IS_ERR(crypt_stat->tfm)) {
633 rc = PTR_ERR(crypt_stat->tfm);
634 crypt_stat->tfm = NULL;
635 ecryptfs_printk(KERN_ERR, "cryptfs: init_crypt_ctx(): "
636 "Error initializing cipher [%s]\n",
637 crypt_stat->cipher);
638 goto out_unlock;
639 }
640 crypto_ablkcipher_set_flags(crypt_stat->tfm, CRYPTO_TFM_REQ_WEAK_KEY);
641 rc = 0;
642out_unlock:
643 mutex_unlock(&crypt_stat->cs_tfm_mutex);
644out:
645 return rc;
646}
647
648static void set_extent_mask_and_shift(struct ecryptfs_crypt_stat *crypt_stat)
649{
650 int extent_size_tmp;
651
652 crypt_stat->extent_mask = 0xFFFFFFFF;
653 crypt_stat->extent_shift = 0;
654 if (crypt_stat->extent_size == 0)
655 return;
656 extent_size_tmp = crypt_stat->extent_size;
657 while ((extent_size_tmp & 0x01) == 0) {
658 extent_size_tmp >>= 1;
659 crypt_stat->extent_mask <<= 1;
660 crypt_stat->extent_shift++;
661 }
662}
663
664void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat)
665{
666
667
668 crypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE;
669 set_extent_mask_and_shift(crypt_stat);
670 crypt_stat->iv_bytes = ECRYPTFS_DEFAULT_IV_BYTES;
671 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
672 crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
673 else {
674 if (PAGE_CACHE_SIZE <= ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)
675 crypt_stat->metadata_size =
676 ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
677 else
678 crypt_stat->metadata_size = PAGE_CACHE_SIZE;
679 }
680}
681
682
683
684
685
686
687
688int ecryptfs_compute_root_iv(struct ecryptfs_crypt_stat *crypt_stat)
689{
690 int rc = 0;
691 char dst[MD5_DIGEST_SIZE];
692
693 BUG_ON(crypt_stat->iv_bytes > MD5_DIGEST_SIZE);
694 BUG_ON(crypt_stat->iv_bytes <= 0);
695 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {
696 rc = -EINVAL;
697 ecryptfs_printk(KERN_WARNING, "Session key not valid; "
698 "cannot generate root IV\n");
699 goto out;
700 }
701 rc = ecryptfs_calculate_md5(dst, crypt_stat, crypt_stat->key,
702 crypt_stat->key_size);
703 if (rc) {
704 ecryptfs_printk(KERN_WARNING, "Error attempting to compute "
705 "MD5 while generating root IV\n");
706 goto out;
707 }
708 memcpy(crypt_stat->root_iv, dst, crypt_stat->iv_bytes);
709out:
710 if (rc) {
711 memset(crypt_stat->root_iv, 0, crypt_stat->iv_bytes);
712 crypt_stat->flags |= ECRYPTFS_SECURITY_WARNING;
713 }
714 return rc;
715}
716
717static void ecryptfs_generate_new_key(struct ecryptfs_crypt_stat *crypt_stat)
718{
719 get_random_bytes(crypt_stat->key, crypt_stat->key_size);
720 crypt_stat->flags |= ECRYPTFS_KEY_VALID;
721 ecryptfs_compute_root_iv(crypt_stat);
722 if (unlikely(ecryptfs_verbosity > 0)) {
723 ecryptfs_printk(KERN_DEBUG, "Generated new session key:\n");
724 ecryptfs_dump_hex(crypt_stat->key,
725 crypt_stat->key_size);
726 }
727}
728
729
730
731
732
733
734
735
736
737static void ecryptfs_copy_mount_wide_flags_to_inode_flags(
738 struct ecryptfs_crypt_stat *crypt_stat,
739 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
740{
741 if (mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED)
742 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
743 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
744 crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED;
745 if (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) {
746 crypt_stat->flags |= ECRYPTFS_ENCRYPT_FILENAMES;
747 if (mount_crypt_stat->flags
748 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)
749 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_MOUNT_FNEK;
750 else if (mount_crypt_stat->flags
751 & ECRYPTFS_GLOBAL_ENCFN_USE_FEK)
752 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_FEK;
753 }
754}
755
756static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs(
757 struct ecryptfs_crypt_stat *crypt_stat,
758 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
759{
760 struct ecryptfs_global_auth_tok *global_auth_tok;
761 int rc = 0;
762
763 mutex_lock(&crypt_stat->keysig_list_mutex);
764 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
765
766 list_for_each_entry(global_auth_tok,
767 &mount_crypt_stat->global_auth_tok_list,
768 mount_crypt_stat_list) {
769 if (global_auth_tok->flags & ECRYPTFS_AUTH_TOK_FNEK)
770 continue;
771 rc = ecryptfs_add_keysig(crypt_stat, global_auth_tok->sig);
772 if (rc) {
773 printk(KERN_ERR "Error adding keysig; rc = [%d]\n", rc);
774 goto out;
775 }
776 }
777
778out:
779 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
780 mutex_unlock(&crypt_stat->keysig_list_mutex);
781 return rc;
782}
783
784
785
786
787
788
789
790
791static void ecryptfs_set_default_crypt_stat_vals(
792 struct ecryptfs_crypt_stat *crypt_stat,
793 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
794{
795 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
796 mount_crypt_stat);
797 ecryptfs_set_default_sizes(crypt_stat);
798 strcpy(crypt_stat->cipher, ECRYPTFS_DEFAULT_CIPHER);
799 crypt_stat->key_size = ECRYPTFS_DEFAULT_KEY_BYTES;
800 crypt_stat->flags &= ~(ECRYPTFS_KEY_VALID);
801 crypt_stat->file_version = ECRYPTFS_FILE_VERSION;
802 crypt_stat->mount_crypt_stat = mount_crypt_stat;
803}
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824int ecryptfs_new_file_context(struct inode *ecryptfs_inode)
825{
826 struct ecryptfs_crypt_stat *crypt_stat =
827 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
828 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
829 &ecryptfs_superblock_to_private(
830 ecryptfs_inode->i_sb)->mount_crypt_stat;
831 int cipher_name_len;
832 int rc = 0;
833
834 ecryptfs_set_default_crypt_stat_vals(crypt_stat, mount_crypt_stat);
835 crypt_stat->flags |= (ECRYPTFS_ENCRYPTED | ECRYPTFS_KEY_VALID);
836 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
837 mount_crypt_stat);
838 rc = ecryptfs_copy_mount_wide_sigs_to_inode_sigs(crypt_stat,
839 mount_crypt_stat);
840 if (rc) {
841 printk(KERN_ERR "Error attempting to copy mount-wide key sigs "
842 "to the inode key sigs; rc = [%d]\n", rc);
843 goto out;
844 }
845 cipher_name_len =
846 strlen(mount_crypt_stat->global_default_cipher_name);
847 memcpy(crypt_stat->cipher,
848 mount_crypt_stat->global_default_cipher_name,
849 cipher_name_len);
850 crypt_stat->cipher[cipher_name_len] = '\0';
851 crypt_stat->key_size =
852 mount_crypt_stat->global_default_cipher_key_size;
853 ecryptfs_generate_new_key(crypt_stat);
854 rc = ecryptfs_init_crypt_ctx(crypt_stat);
855 if (rc)
856 ecryptfs_printk(KERN_ERR, "Error initializing cryptographic "
857 "context for cipher [%s]: rc = [%d]\n",
858 crypt_stat->cipher, rc);
859out:
860 return rc;
861}
862
863
864
865
866
867
868
869static int ecryptfs_validate_marker(char *data)
870{
871 u32 m_1, m_2;
872
873 m_1 = get_unaligned_be32(data);
874 m_2 = get_unaligned_be32(data + 4);
875 if ((m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2)
876 return 0;
877 ecryptfs_printk(KERN_DEBUG, "m_1 = [0x%.8x]; m_2 = [0x%.8x]; "
878 "MAGIC_ECRYPTFS_MARKER = [0x%.8x]\n", m_1, m_2,
879 MAGIC_ECRYPTFS_MARKER);
880 ecryptfs_printk(KERN_DEBUG, "(m_1 ^ MAGIC_ECRYPTFS_MARKER) = "
881 "[0x%.8x]\n", (m_1 ^ MAGIC_ECRYPTFS_MARKER));
882 return -EINVAL;
883}
884
885struct ecryptfs_flag_map_elem {
886 u32 file_flag;
887 u32 local_flag;
888};
889
890
891static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = {
892 {0x00000001, ECRYPTFS_ENABLE_HMAC},
893 {0x00000002, ECRYPTFS_ENCRYPTED},
894 {0x00000004, ECRYPTFS_METADATA_IN_XATTR},
895 {0x00000008, ECRYPTFS_ENCRYPT_FILENAMES}
896};
897
898
899
900
901
902
903
904
905
906static int ecryptfs_process_flags(struct ecryptfs_crypt_stat *crypt_stat,
907 char *page_virt, int *bytes_read)
908{
909 int rc = 0;
910 int i;
911 u32 flags;
912
913 flags = get_unaligned_be32(page_virt);
914 for (i = 0; i < ((sizeof(ecryptfs_flag_map)
915 / sizeof(struct ecryptfs_flag_map_elem))); i++)
916 if (flags & ecryptfs_flag_map[i].file_flag) {
917 crypt_stat->flags |= ecryptfs_flag_map[i].local_flag;
918 } else
919 crypt_stat->flags &= ~(ecryptfs_flag_map[i].local_flag);
920
921 crypt_stat->file_version = ((flags >> 24) & 0xFF);
922 (*bytes_read) = 4;
923 return rc;
924}
925
926
927
928
929
930
931
932
933static void write_ecryptfs_marker(char *page_virt, size_t *written)
934{
935 u32 m_1, m_2;
936
937 get_random_bytes(&m_1, (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2));
938 m_2 = (m_1 ^ MAGIC_ECRYPTFS_MARKER);
939 put_unaligned_be32(m_1, page_virt);
940 page_virt += (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2);
941 put_unaligned_be32(m_2, page_virt);
942 (*written) = MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;
943}
944
945void ecryptfs_write_crypt_stat_flags(char *page_virt,
946 struct ecryptfs_crypt_stat *crypt_stat,
947 size_t *written)
948{
949 u32 flags = 0;
950 int i;
951
952 for (i = 0; i < ((sizeof(ecryptfs_flag_map)
953 / sizeof(struct ecryptfs_flag_map_elem))); i++)
954 if (crypt_stat->flags & ecryptfs_flag_map[i].local_flag)
955 flags |= ecryptfs_flag_map[i].file_flag;
956
957 flags |= ((((u8)crypt_stat->file_version) << 24) & 0xFF000000);
958 put_unaligned_be32(flags, page_virt);
959 (*written) = 4;
960}
961
962struct ecryptfs_cipher_code_str_map_elem {
963 char cipher_str[16];
964 u8 cipher_code;
965};
966
967
968
969
970static struct ecryptfs_cipher_code_str_map_elem
971ecryptfs_cipher_code_str_map[] = {
972 {"aes",RFC2440_CIPHER_AES_128 },
973 {"blowfish", RFC2440_CIPHER_BLOWFISH},
974 {"des3_ede", RFC2440_CIPHER_DES3_EDE},
975 {"cast5", RFC2440_CIPHER_CAST_5},
976 {"twofish", RFC2440_CIPHER_TWOFISH},
977 {"cast6", RFC2440_CIPHER_CAST_6},
978 {"aes", RFC2440_CIPHER_AES_192},
979 {"aes", RFC2440_CIPHER_AES_256}
980};
981
982
983
984
985
986
987
988
989u8 ecryptfs_code_for_cipher_string(char *cipher_name, size_t key_bytes)
990{
991 int i;
992 u8 code = 0;
993 struct ecryptfs_cipher_code_str_map_elem *map =
994 ecryptfs_cipher_code_str_map;
995
996 if (strcmp(cipher_name, "aes") == 0) {
997 switch (key_bytes) {
998 case 16:
999 code = RFC2440_CIPHER_AES_128;
1000 break;
1001 case 24:
1002 code = RFC2440_CIPHER_AES_192;
1003 break;
1004 case 32:
1005 code = RFC2440_CIPHER_AES_256;
1006 }
1007 } else {
1008 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++)
1009 if (strcmp(cipher_name, map[i].cipher_str) == 0) {
1010 code = map[i].cipher_code;
1011 break;
1012 }
1013 }
1014 return code;
1015}
1016
1017
1018
1019
1020
1021
1022
1023
1024int ecryptfs_cipher_code_to_string(char *str, u8 cipher_code)
1025{
1026 int rc = 0;
1027 int i;
1028
1029 str[0] = '\0';
1030 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++)
1031 if (cipher_code == ecryptfs_cipher_code_str_map[i].cipher_code)
1032 strcpy(str, ecryptfs_cipher_code_str_map[i].cipher_str);
1033 if (str[0] == '\0') {
1034 ecryptfs_printk(KERN_WARNING, "Cipher code not recognized: "
1035 "[%d]\n", cipher_code);
1036 rc = -EINVAL;
1037 }
1038 return rc;
1039}
1040
1041int ecryptfs_read_and_validate_header_region(struct inode *inode)
1042{
1043 u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES];
1044 u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES;
1045 int rc;
1046
1047 rc = ecryptfs_read_lower(file_size, 0, ECRYPTFS_SIZE_AND_MARKER_BYTES,
1048 inode);
1049 if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
1050 return rc >= 0 ? -EINVAL : rc;
1051 rc = ecryptfs_validate_marker(marker);
1052 if (!rc)
1053 ecryptfs_i_size_init(file_size, inode);
1054 return rc;
1055}
1056
1057void
1058ecryptfs_write_header_metadata(char *virt,
1059 struct ecryptfs_crypt_stat *crypt_stat,
1060 size_t *written)
1061{
1062 u32 header_extent_size;
1063 u16 num_header_extents_at_front;
1064
1065 header_extent_size = (u32)crypt_stat->extent_size;
1066 num_header_extents_at_front =
1067 (u16)(crypt_stat->metadata_size / crypt_stat->extent_size);
1068 put_unaligned_be32(header_extent_size, virt);
1069 virt += 4;
1070 put_unaligned_be16(num_header_extents_at_front, virt);
1071 (*written) = 6;
1072}
1073
1074struct kmem_cache *ecryptfs_header_cache;
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107static int ecryptfs_write_headers_virt(char *page_virt, size_t max,
1108 size_t *size,
1109 struct ecryptfs_crypt_stat *crypt_stat,
1110 struct dentry *ecryptfs_dentry)
1111{
1112 int rc;
1113 size_t written;
1114 size_t offset;
1115
1116 offset = ECRYPTFS_FILE_SIZE_BYTES;
1117 write_ecryptfs_marker((page_virt + offset), &written);
1118 offset += written;
1119 ecryptfs_write_crypt_stat_flags((page_virt + offset), crypt_stat,
1120 &written);
1121 offset += written;
1122 ecryptfs_write_header_metadata((page_virt + offset), crypt_stat,
1123 &written);
1124 offset += written;
1125 rc = ecryptfs_generate_key_packet_set((page_virt + offset), crypt_stat,
1126 ecryptfs_dentry, &written,
1127 max - offset);
1128 if (rc)
1129 ecryptfs_printk(KERN_WARNING, "Error generating key packet "
1130 "set; rc = [%d]\n", rc);
1131 if (size) {
1132 offset += written;
1133 *size = offset;
1134 }
1135 return rc;
1136}
1137
1138static int
1139ecryptfs_write_metadata_to_contents(struct inode *ecryptfs_inode,
1140 char *virt, size_t virt_len)
1141{
1142 int rc;
1143
1144 rc = ecryptfs_write_lower(ecryptfs_inode, virt,
1145 0, virt_len);
1146 if (rc < 0)
1147 printk(KERN_ERR "%s: Error attempting to write header "
1148 "information to lower file; rc = [%d]\n", __func__, rc);
1149 else
1150 rc = 0;
1151 return rc;
1152}
1153
1154static int
1155ecryptfs_write_metadata_to_xattr(struct dentry *ecryptfs_dentry,
1156 char *page_virt, size_t size)
1157{
1158 int rc;
1159
1160 rc = ecryptfs_setxattr(ecryptfs_dentry, ECRYPTFS_XATTR_NAME, page_virt,
1161 size, 0);
1162 return rc;
1163}
1164
1165static unsigned long ecryptfs_get_zeroed_pages(gfp_t gfp_mask,
1166 unsigned int order)
1167{
1168 struct page *page;
1169
1170 page = alloc_pages(gfp_mask | __GFP_ZERO, order);
1171 if (page)
1172 return (unsigned long) page_address(page);
1173 return 0;
1174}
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry,
1190 struct inode *ecryptfs_inode)
1191{
1192 struct ecryptfs_crypt_stat *crypt_stat =
1193 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
1194 unsigned int order;
1195 char *virt;
1196 size_t virt_len;
1197 size_t size = 0;
1198 int rc = 0;
1199
1200 if (likely(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) {
1201 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {
1202 printk(KERN_ERR "Key is invalid; bailing out\n");
1203 rc = -EINVAL;
1204 goto out;
1205 }
1206 } else {
1207 printk(KERN_WARNING "%s: Encrypted flag not set\n",
1208 __func__);
1209 rc = -EINVAL;
1210 goto out;
1211 }
1212 virt_len = crypt_stat->metadata_size;
1213 order = get_order(virt_len);
1214
1215 virt = (char *)ecryptfs_get_zeroed_pages(GFP_KERNEL, order);
1216 if (!virt) {
1217 printk(KERN_ERR "%s: Out of memory\n", __func__);
1218 rc = -ENOMEM;
1219 goto out;
1220 }
1221
1222 rc = ecryptfs_write_headers_virt(virt, virt_len, &size, crypt_stat,
1223 ecryptfs_dentry);
1224 if (unlikely(rc)) {
1225 printk(KERN_ERR "%s: Error whilst writing headers; rc = [%d]\n",
1226 __func__, rc);
1227 goto out_free;
1228 }
1229 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
1230 rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, virt,
1231 size);
1232 else
1233 rc = ecryptfs_write_metadata_to_contents(ecryptfs_inode, virt,
1234 virt_len);
1235 if (rc) {
1236 printk(KERN_ERR "%s: Error writing metadata out to lower file; "
1237 "rc = [%d]\n", __func__, rc);
1238 goto out_free;
1239 }
1240out_free:
1241 free_pages((unsigned long)virt, order);
1242out:
1243 return rc;
1244}
1245
1246#define ECRYPTFS_DONT_VALIDATE_HEADER_SIZE 0
1247#define ECRYPTFS_VALIDATE_HEADER_SIZE 1
1248static int parse_header_metadata(struct ecryptfs_crypt_stat *crypt_stat,
1249 char *virt, int *bytes_read,
1250 int validate_header_size)
1251{
1252 int rc = 0;
1253 u32 header_extent_size;
1254 u16 num_header_extents_at_front;
1255
1256 header_extent_size = get_unaligned_be32(virt);
1257 virt += sizeof(__be32);
1258 num_header_extents_at_front = get_unaligned_be16(virt);
1259 crypt_stat->metadata_size = (((size_t)num_header_extents_at_front
1260 * (size_t)header_extent_size));
1261 (*bytes_read) = (sizeof(__be32) + sizeof(__be16));
1262 if ((validate_header_size == ECRYPTFS_VALIDATE_HEADER_SIZE)
1263 && (crypt_stat->metadata_size
1264 < ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)) {
1265 rc = -EINVAL;
1266 printk(KERN_WARNING "Invalid header size: [%zd]\n",
1267 crypt_stat->metadata_size);
1268 }
1269 return rc;
1270}
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat)
1281{
1282 crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
1283}
1284
1285void ecryptfs_i_size_init(const char *page_virt, struct inode *inode)
1286{
1287 struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
1288 struct ecryptfs_crypt_stat *crypt_stat;
1289 u64 file_size;
1290
1291 crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat;
1292 mount_crypt_stat =
1293 &ecryptfs_superblock_to_private(inode->i_sb)->mount_crypt_stat;
1294 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) {
1295 file_size = i_size_read(ecryptfs_inode_to_lower(inode));
1296 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
1297 file_size += crypt_stat->metadata_size;
1298 } else
1299 file_size = get_unaligned_be64(page_virt);
1300 i_size_write(inode, (loff_t)file_size);
1301 crypt_stat->flags |= ECRYPTFS_I_SIZE_INITIALIZED;
1302}
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316static int ecryptfs_read_headers_virt(char *page_virt,
1317 struct ecryptfs_crypt_stat *crypt_stat,
1318 struct dentry *ecryptfs_dentry,
1319 int validate_header_size)
1320{
1321 int rc = 0;
1322 int offset;
1323 int bytes_read;
1324
1325 ecryptfs_set_default_sizes(crypt_stat);
1326 crypt_stat->mount_crypt_stat = &ecryptfs_superblock_to_private(
1327 ecryptfs_dentry->d_sb)->mount_crypt_stat;
1328 offset = ECRYPTFS_FILE_SIZE_BYTES;
1329 rc = ecryptfs_validate_marker(page_virt + offset);
1330 if (rc)
1331 goto out;
1332 if (!(crypt_stat->flags & ECRYPTFS_I_SIZE_INITIALIZED))
1333 ecryptfs_i_size_init(page_virt, ecryptfs_dentry->d_inode);
1334 offset += MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;
1335 rc = ecryptfs_process_flags(crypt_stat, (page_virt + offset),
1336 &bytes_read);
1337 if (rc) {
1338 ecryptfs_printk(KERN_WARNING, "Error processing flags\n");
1339 goto out;
1340 }
1341 if (crypt_stat->file_version > ECRYPTFS_SUPPORTED_FILE_VERSION) {
1342 ecryptfs_printk(KERN_WARNING, "File version is [%d]; only "
1343 "file version [%d] is supported by this "
1344 "version of eCryptfs\n",
1345 crypt_stat->file_version,
1346 ECRYPTFS_SUPPORTED_FILE_VERSION);
1347 rc = -EINVAL;
1348 goto out;
1349 }
1350 offset += bytes_read;
1351 if (crypt_stat->file_version >= 1) {
1352 rc = parse_header_metadata(crypt_stat, (page_virt + offset),
1353 &bytes_read, validate_header_size);
1354 if (rc) {
1355 ecryptfs_printk(KERN_WARNING, "Error reading header "
1356 "metadata; rc = [%d]\n", rc);
1357 }
1358 offset += bytes_read;
1359 } else
1360 set_default_header_data(crypt_stat);
1361 rc = ecryptfs_parse_packet_set(crypt_stat, (page_virt + offset),
1362 ecryptfs_dentry);
1363out:
1364 return rc;
1365}
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377int ecryptfs_read_xattr_region(char *page_virt, struct inode *ecryptfs_inode)
1378{
1379 struct dentry *lower_dentry =
1380 ecryptfs_inode_to_private(ecryptfs_inode)->lower_file->f_dentry;
1381 ssize_t size;
1382 int rc = 0;
1383
1384 size = ecryptfs_getxattr_lower(lower_dentry, ECRYPTFS_XATTR_NAME,
1385 page_virt, ECRYPTFS_DEFAULT_EXTENT_SIZE);
1386 if (size < 0) {
1387 if (unlikely(ecryptfs_verbosity > 0))
1388 printk(KERN_INFO "Error attempting to read the [%s] "
1389 "xattr from the lower file; return value = "
1390 "[%zd]\n", ECRYPTFS_XATTR_NAME, size);
1391 rc = -EINVAL;
1392 goto out;
1393 }
1394out:
1395 return rc;
1396}
1397
1398int ecryptfs_read_and_validate_xattr_region(struct dentry *dentry,
1399 struct inode *inode)
1400{
1401 u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES];
1402 u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES;
1403 int rc;
1404
1405 rc = ecryptfs_getxattr_lower(ecryptfs_dentry_to_lower(dentry),
1406 ECRYPTFS_XATTR_NAME, file_size,
1407 ECRYPTFS_SIZE_AND_MARKER_BYTES);
1408 if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
1409 return rc >= 0 ? -EINVAL : rc;
1410 rc = ecryptfs_validate_marker(marker);
1411 if (!rc)
1412 ecryptfs_i_size_init(file_size, inode);
1413 return rc;
1414}
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)
1429{
1430 int rc;
1431 char *page_virt;
1432 struct inode *ecryptfs_inode = ecryptfs_dentry->d_inode;
1433 struct ecryptfs_crypt_stat *crypt_stat =
1434 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
1435 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
1436 &ecryptfs_superblock_to_private(
1437 ecryptfs_dentry->d_sb)->mount_crypt_stat;
1438
1439 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
1440 mount_crypt_stat);
1441
1442 page_virt = kmem_cache_alloc(ecryptfs_header_cache, GFP_USER);
1443 if (!page_virt) {
1444 rc = -ENOMEM;
1445 printk(KERN_ERR "%s: Unable to allocate page_virt\n",
1446 __func__);
1447 goto out;
1448 }
1449 rc = ecryptfs_read_lower(page_virt, 0, crypt_stat->extent_size,
1450 ecryptfs_inode);
1451 if (rc >= 0)
1452 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat,
1453 ecryptfs_dentry,
1454 ECRYPTFS_VALIDATE_HEADER_SIZE);
1455 if (rc) {
1456
1457 memset(page_virt, 0, PAGE_CACHE_SIZE);
1458 rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode);
1459 if (rc) {
1460 printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1461 "file header region or xattr region, inode %lu\n",
1462 ecryptfs_inode->i_ino);
1463 rc = -EINVAL;
1464 goto out;
1465 }
1466 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat,
1467 ecryptfs_dentry,
1468 ECRYPTFS_DONT_VALIDATE_HEADER_SIZE);
1469 if (rc) {
1470 printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1471 "file xattr region either, inode %lu\n",
1472 ecryptfs_inode->i_ino);
1473 rc = -EINVAL;
1474 }
1475 if (crypt_stat->mount_crypt_stat->flags
1476 & ECRYPTFS_XATTR_METADATA_ENABLED) {
1477 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
1478 } else {
1479 printk(KERN_WARNING "Attempt to access file with "
1480 "crypto metadata only in the extended attribute "
1481 "region, but eCryptfs was mounted without "
1482 "xattr support enabled. eCryptfs will not treat "
1483 "this like an encrypted file, inode %lu\n",
1484 ecryptfs_inode->i_ino);
1485 rc = -EINVAL;
1486 }
1487 }
1488out:
1489 if (page_virt) {
1490 memset(page_virt, 0, PAGE_CACHE_SIZE);
1491 kmem_cache_free(ecryptfs_header_cache, page_virt);
1492 }
1493 return rc;
1494}
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505static int
1506ecryptfs_encrypt_filename(struct ecryptfs_filename *filename,
1507 struct ecryptfs_crypt_stat *crypt_stat,
1508 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
1509{
1510 int rc = 0;
1511
1512 filename->encrypted_filename = NULL;
1513 filename->encrypted_filename_size = 0;
1514 if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
1515 || (mount_crypt_stat && (mount_crypt_stat->flags
1516 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) {
1517 size_t packet_size;
1518 size_t remaining_bytes;
1519
1520 rc = ecryptfs_write_tag_70_packet(
1521 NULL, NULL,
1522 &filename->encrypted_filename_size,
1523 mount_crypt_stat, NULL,
1524 filename->filename_size);
1525 if (rc) {
1526 printk(KERN_ERR "%s: Error attempting to get packet "
1527 "size for tag 72; rc = [%d]\n", __func__,
1528 rc);
1529 filename->encrypted_filename_size = 0;
1530 goto out;
1531 }
1532 filename->encrypted_filename =
1533 kmalloc(filename->encrypted_filename_size, GFP_KERNEL);
1534 if (!filename->encrypted_filename) {
1535 printk(KERN_ERR "%s: Out of memory whilst attempting "
1536 "to kmalloc [%zd] bytes\n", __func__,
1537 filename->encrypted_filename_size);
1538 rc = -ENOMEM;
1539 goto out;
1540 }
1541 remaining_bytes = filename->encrypted_filename_size;
1542 rc = ecryptfs_write_tag_70_packet(filename->encrypted_filename,
1543 &remaining_bytes,
1544 &packet_size,
1545 mount_crypt_stat,
1546 filename->filename,
1547 filename->filename_size);
1548 if (rc) {
1549 printk(KERN_ERR "%s: Error attempting to generate "
1550 "tag 70 packet; rc = [%d]\n", __func__,
1551 rc);
1552 kfree(filename->encrypted_filename);
1553 filename->encrypted_filename = NULL;
1554 filename->encrypted_filename_size = 0;
1555 goto out;
1556 }
1557 filename->encrypted_filename_size = packet_size;
1558 } else {
1559 printk(KERN_ERR "%s: No support for requested filename "
1560 "encryption method in this release\n", __func__);
1561 rc = -EOPNOTSUPP;
1562 goto out;
1563 }
1564out:
1565 return rc;
1566}
1567
1568static int ecryptfs_copy_filename(char **copied_name, size_t *copied_name_size,
1569 const char *name, size_t name_size)
1570{
1571 int rc = 0;
1572
1573 (*copied_name) = kmalloc((name_size + 1), GFP_KERNEL);
1574 if (!(*copied_name)) {
1575 rc = -ENOMEM;
1576 goto out;
1577 }
1578 memcpy((void *)(*copied_name), (void *)name, name_size);
1579 (*copied_name)[(name_size)] = '\0';
1580
1581
1582
1583 (*copied_name_size) = name_size;
1584out:
1585 return rc;
1586}
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598static int
1599ecryptfs_process_key_cipher(struct crypto_blkcipher **key_tfm,
1600 char *cipher_name, size_t *key_size)
1601{
1602 char dummy_key[ECRYPTFS_MAX_KEY_BYTES];
1603 char *full_alg_name = NULL;
1604 int rc;
1605
1606 *key_tfm = NULL;
1607 if (*key_size > ECRYPTFS_MAX_KEY_BYTES) {
1608 rc = -EINVAL;
1609 printk(KERN_ERR "Requested key size is [%zd] bytes; maximum "
1610 "allowable is [%d]\n", *key_size, ECRYPTFS_MAX_KEY_BYTES);
1611 goto out;
1612 }
1613 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, cipher_name,
1614 "ecb");
1615 if (rc)
1616 goto out;
1617 *key_tfm = crypto_alloc_blkcipher(full_alg_name, 0, CRYPTO_ALG_ASYNC);
1618 if (IS_ERR(*key_tfm)) {
1619 rc = PTR_ERR(*key_tfm);
1620 printk(KERN_ERR "Unable to allocate crypto cipher with name "
1621 "[%s]; rc = [%d]\n", full_alg_name, rc);
1622 goto out;
1623 }
1624 crypto_blkcipher_set_flags(*key_tfm, CRYPTO_TFM_REQ_WEAK_KEY);
1625 if (*key_size == 0) {
1626 struct blkcipher_alg *alg = crypto_blkcipher_alg(*key_tfm);
1627
1628 *key_size = alg->max_keysize;
1629 }
1630 get_random_bytes(dummy_key, *key_size);
1631 rc = crypto_blkcipher_setkey(*key_tfm, dummy_key, *key_size);
1632 if (rc) {
1633 printk(KERN_ERR "Error attempting to set key of size [%zd] for "
1634 "cipher [%s]; rc = [%d]\n", *key_size, full_alg_name,
1635 rc);
1636 rc = -EINVAL;
1637 goto out;
1638 }
1639out:
1640 kfree(full_alg_name);
1641 return rc;
1642}
1643
1644struct kmem_cache *ecryptfs_key_tfm_cache;
1645static struct list_head key_tfm_list;
1646struct mutex key_tfm_list_mutex;
1647
1648int __init ecryptfs_init_crypto(void)
1649{
1650 mutex_init(&key_tfm_list_mutex);
1651 INIT_LIST_HEAD(&key_tfm_list);
1652 return 0;
1653}
1654
1655
1656
1657
1658
1659
1660int ecryptfs_destroy_crypto(void)
1661{
1662 struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp;
1663
1664 mutex_lock(&key_tfm_list_mutex);
1665 list_for_each_entry_safe(key_tfm, key_tfm_tmp, &key_tfm_list,
1666 key_tfm_list) {
1667 list_del(&key_tfm->key_tfm_list);
1668 if (key_tfm->key_tfm)
1669 crypto_free_blkcipher(key_tfm->key_tfm);
1670 kmem_cache_free(ecryptfs_key_tfm_cache, key_tfm);
1671 }
1672 mutex_unlock(&key_tfm_list_mutex);
1673 return 0;
1674}
1675
1676int
1677ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name,
1678 size_t key_size)
1679{
1680 struct ecryptfs_key_tfm *tmp_tfm;
1681 int rc = 0;
1682
1683 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1684
1685 tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL);
1686 if (key_tfm != NULL)
1687 (*key_tfm) = tmp_tfm;
1688 if (!tmp_tfm) {
1689 rc = -ENOMEM;
1690 printk(KERN_ERR "Error attempting to allocate from "
1691 "ecryptfs_key_tfm_cache\n");
1692 goto out;
1693 }
1694 mutex_init(&tmp_tfm->key_tfm_mutex);
1695 strncpy(tmp_tfm->cipher_name, cipher_name,
1696 ECRYPTFS_MAX_CIPHER_NAME_SIZE);
1697 tmp_tfm->cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0';
1698 tmp_tfm->key_size = key_size;
1699 rc = ecryptfs_process_key_cipher(&tmp_tfm->key_tfm,
1700 tmp_tfm->cipher_name,
1701 &tmp_tfm->key_size);
1702 if (rc) {
1703 printk(KERN_ERR "Error attempting to initialize key TFM "
1704 "cipher with name = [%s]; rc = [%d]\n",
1705 tmp_tfm->cipher_name, rc);
1706 kmem_cache_free(ecryptfs_key_tfm_cache, tmp_tfm);
1707 if (key_tfm != NULL)
1708 (*key_tfm) = NULL;
1709 goto out;
1710 }
1711 list_add(&tmp_tfm->key_tfm_list, &key_tfm_list);
1712out:
1713 return rc;
1714}
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726int ecryptfs_tfm_exists(char *cipher_name, struct ecryptfs_key_tfm **key_tfm)
1727{
1728 struct ecryptfs_key_tfm *tmp_key_tfm;
1729
1730 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1731
1732 list_for_each_entry(tmp_key_tfm, &key_tfm_list, key_tfm_list) {
1733 if (strcmp(tmp_key_tfm->cipher_name, cipher_name) == 0) {
1734 if (key_tfm)
1735 (*key_tfm) = tmp_key_tfm;
1736 return 1;
1737 }
1738 }
1739 if (key_tfm)
1740 (*key_tfm) = NULL;
1741 return 0;
1742}
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm,
1756 struct mutex **tfm_mutex,
1757 char *cipher_name)
1758{
1759 struct ecryptfs_key_tfm *key_tfm;
1760 int rc = 0;
1761
1762 (*tfm) = NULL;
1763 (*tfm_mutex) = NULL;
1764
1765 mutex_lock(&key_tfm_list_mutex);
1766 if (!ecryptfs_tfm_exists(cipher_name, &key_tfm)) {
1767 rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0);
1768 if (rc) {
1769 printk(KERN_ERR "Error adding new key_tfm to list; "
1770 "rc = [%d]\n", rc);
1771 goto out;
1772 }
1773 }
1774 (*tfm) = key_tfm->key_tfm;
1775 (*tfm_mutex) = &key_tfm->key_tfm_mutex;
1776out:
1777 mutex_unlock(&key_tfm_list_mutex);
1778 return rc;
1779}
1780
1781
1782static unsigned char *portable_filename_chars = ("-.0123456789ABCD"
1783 "EFGHIJKLMNOPQRST"
1784 "UVWXYZabcdefghij"
1785 "klmnopqrstuvwxyz");
1786
1787
1788
1789static const unsigned char filename_rev_map[256] = {
1790 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1791 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1792 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1793 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1794 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1795 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1796 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
1797 0x0A, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1798 0x00, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12,
1799 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A,
1800 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22,
1801 0x23, 0x24, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00,
1802 0x00, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
1803 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
1804 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
1805 0x3D, 0x3E, 0x3F
1806};
1807
1808
1809
1810
1811
1812
1813
1814
1815static void ecryptfs_encode_for_filename(unsigned char *dst, size_t *dst_size,
1816 unsigned char *src, size_t src_size)
1817{
1818 size_t num_blocks;
1819 size_t block_num = 0;
1820 size_t dst_offset = 0;
1821 unsigned char last_block[3];
1822
1823 if (src_size == 0) {
1824 (*dst_size) = 0;
1825 goto out;
1826 }
1827 num_blocks = (src_size / 3);
1828 if ((src_size % 3) == 0) {
1829 memcpy(last_block, (&src[src_size - 3]), 3);
1830 } else {
1831 num_blocks++;
1832 last_block[2] = 0x00;
1833 switch (src_size % 3) {
1834 case 1:
1835 last_block[0] = src[src_size - 1];
1836 last_block[1] = 0x00;
1837 break;
1838 case 2:
1839 last_block[0] = src[src_size - 2];
1840 last_block[1] = src[src_size - 1];
1841 }
1842 }
1843 (*dst_size) = (num_blocks * 4);
1844 if (!dst)
1845 goto out;
1846 while (block_num < num_blocks) {
1847 unsigned char *src_block;
1848 unsigned char dst_block[4];
1849
1850 if (block_num == (num_blocks - 1))
1851 src_block = last_block;
1852 else
1853 src_block = &src[block_num * 3];
1854 dst_block[0] = ((src_block[0] >> 2) & 0x3F);
1855 dst_block[1] = (((src_block[0] << 4) & 0x30)
1856 | ((src_block[1] >> 4) & 0x0F));
1857 dst_block[2] = (((src_block[1] << 2) & 0x3C)
1858 | ((src_block[2] >> 6) & 0x03));
1859 dst_block[3] = (src_block[2] & 0x3F);
1860 dst[dst_offset++] = portable_filename_chars[dst_block[0]];
1861 dst[dst_offset++] = portable_filename_chars[dst_block[1]];
1862 dst[dst_offset++] = portable_filename_chars[dst_block[2]];
1863 dst[dst_offset++] = portable_filename_chars[dst_block[3]];
1864 block_num++;
1865 }
1866out:
1867 return;
1868}
1869
1870static size_t ecryptfs_max_decoded_size(size_t encoded_size)
1871{
1872
1873
1874
1875
1876
1877
1878 return ((encoded_size + 1) * 3) / 4;
1879}
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890static void
1891ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
1892 const unsigned char *src, size_t src_size)
1893{
1894 u8 current_bit_offset = 0;
1895 size_t src_byte_offset = 0;
1896 size_t dst_byte_offset = 0;
1897
1898 if (dst == NULL) {
1899 (*dst_size) = ecryptfs_max_decoded_size(src_size);
1900 goto out;
1901 }
1902 while (src_byte_offset < src_size) {
1903 unsigned char src_byte =
1904 filename_rev_map[(int)src[src_byte_offset]];
1905
1906 switch (current_bit_offset) {
1907 case 0:
1908 dst[dst_byte_offset] = (src_byte << 2);
1909 current_bit_offset = 6;
1910 break;
1911 case 6:
1912 dst[dst_byte_offset++] |= (src_byte >> 4);
1913 dst[dst_byte_offset] = ((src_byte & 0xF)
1914 << 4);
1915 current_bit_offset = 4;
1916 break;
1917 case 4:
1918 dst[dst_byte_offset++] |= (src_byte >> 2);
1919 dst[dst_byte_offset] = (src_byte << 6);
1920 current_bit_offset = 2;
1921 break;
1922 case 2:
1923 dst[dst_byte_offset++] |= (src_byte);
1924 dst[dst_byte_offset] = 0;
1925 current_bit_offset = 0;
1926 break;
1927 }
1928 src_byte_offset++;
1929 }
1930 (*dst_size) = dst_byte_offset;
1931out:
1932 return;
1933}
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950int ecryptfs_encrypt_and_encode_filename(
1951 char **encoded_name,
1952 size_t *encoded_name_size,
1953 struct ecryptfs_crypt_stat *crypt_stat,
1954 struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
1955 const char *name, size_t name_size)
1956{
1957 size_t encoded_name_no_prefix_size;
1958 int rc = 0;
1959
1960 (*encoded_name) = NULL;
1961 (*encoded_name_size) = 0;
1962 if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCRYPT_FILENAMES))
1963 || (mount_crypt_stat && (mount_crypt_stat->flags
1964 & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES))) {
1965 struct ecryptfs_filename *filename;
1966
1967 filename = kzalloc(sizeof(*filename), GFP_KERNEL);
1968 if (!filename) {
1969 printk(KERN_ERR "%s: Out of memory whilst attempting "
1970 "to kzalloc [%zd] bytes\n", __func__,
1971 sizeof(*filename));
1972 rc = -ENOMEM;
1973 goto out;
1974 }
1975 filename->filename = (char *)name;
1976 filename->filename_size = name_size;
1977 rc = ecryptfs_encrypt_filename(filename, crypt_stat,
1978 mount_crypt_stat);
1979 if (rc) {
1980 printk(KERN_ERR "%s: Error attempting to encrypt "
1981 "filename; rc = [%d]\n", __func__, rc);
1982 kfree(filename);
1983 goto out;
1984 }
1985 ecryptfs_encode_for_filename(
1986 NULL, &encoded_name_no_prefix_size,
1987 filename->encrypted_filename,
1988 filename->encrypted_filename_size);
1989 if ((crypt_stat && (crypt_stat->flags
1990 & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
1991 || (mount_crypt_stat
1992 && (mount_crypt_stat->flags
1993 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)))
1994 (*encoded_name_size) =
1995 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
1996 + encoded_name_no_prefix_size);
1997 else
1998 (*encoded_name_size) =
1999 (ECRYPTFS_FEK_ENCRYPTED_FILENAME_PREFIX_SIZE
2000 + encoded_name_no_prefix_size);
2001 (*encoded_name) = kmalloc((*encoded_name_size) + 1, GFP_KERNEL);
2002 if (!(*encoded_name)) {
2003 printk(KERN_ERR "%s: Out of memory whilst attempting "
2004 "to kzalloc [%zd] bytes\n", __func__,
2005 (*encoded_name_size));
2006 rc = -ENOMEM;
2007 kfree(filename->encrypted_filename);
2008 kfree(filename);
2009 goto out;
2010 }
2011 if ((crypt_stat && (crypt_stat->flags
2012 & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
2013 || (mount_crypt_stat
2014 && (mount_crypt_stat->flags
2015 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) {
2016 memcpy((*encoded_name),
2017 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
2018 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE);
2019 ecryptfs_encode_for_filename(
2020 ((*encoded_name)
2021 + ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE),
2022 &encoded_name_no_prefix_size,
2023 filename->encrypted_filename,
2024 filename->encrypted_filename_size);
2025 (*encoded_name_size) =
2026 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
2027 + encoded_name_no_prefix_size);
2028 (*encoded_name)[(*encoded_name_size)] = '\0';
2029 } else {
2030 rc = -EOPNOTSUPP;
2031 }
2032 if (rc) {
2033 printk(KERN_ERR "%s: Error attempting to encode "
2034 "encrypted filename; rc = [%d]\n", __func__,
2035 rc);
2036 kfree((*encoded_name));
2037 (*encoded_name) = NULL;
2038 (*encoded_name_size) = 0;
2039 }
2040 kfree(filename->encrypted_filename);
2041 kfree(filename);
2042 } else {
2043 rc = ecryptfs_copy_filename(encoded_name,
2044 encoded_name_size,
2045 name, name_size);
2046 }
2047out:
2048 return rc;
2049}
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063int ecryptfs_decode_and_decrypt_filename(char **plaintext_name,
2064 size_t *plaintext_name_size,
2065 struct super_block *sb,
2066 const char *name, size_t name_size)
2067{
2068 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
2069 &ecryptfs_superblock_to_private(sb)->mount_crypt_stat;
2070 char *decoded_name;
2071 size_t decoded_name_size;
2072 size_t packet_size;
2073 int rc = 0;
2074
2075 if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)
2076 && !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
2077 && (name_size > ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE)
2078 && (strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
2079 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) == 0)) {
2080 const char *orig_name = name;
2081 size_t orig_name_size = name_size;
2082
2083 name += ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2084 name_size -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2085 ecryptfs_decode_from_filename(NULL, &decoded_name_size,
2086 name, name_size);
2087 decoded_name = kmalloc(decoded_name_size, GFP_KERNEL);
2088 if (!decoded_name) {
2089 printk(KERN_ERR "%s: Out of memory whilst attempting "
2090 "to kmalloc [%zd] bytes\n", __func__,
2091 decoded_name_size);
2092 rc = -ENOMEM;
2093 goto out;
2094 }
2095 ecryptfs_decode_from_filename(decoded_name, &decoded_name_size,
2096 name, name_size);
2097 rc = ecryptfs_parse_tag_70_packet(plaintext_name,
2098 plaintext_name_size,
2099 &packet_size,
2100 mount_crypt_stat,
2101 decoded_name,
2102 decoded_name_size);
2103 if (rc) {
2104 printk(KERN_INFO "%s: Could not parse tag 70 packet "
2105 "from filename; copying through filename "
2106 "as-is\n", __func__);
2107 rc = ecryptfs_copy_filename(plaintext_name,
2108 plaintext_name_size,
2109 orig_name, orig_name_size);
2110 goto out_free;
2111 }
2112 } else {
2113 rc = ecryptfs_copy_filename(plaintext_name,
2114 plaintext_name_size,
2115 name, name_size);
2116 goto out;
2117 }
2118out_free:
2119 kfree(decoded_name);
2120out:
2121 return rc;
2122}
2123
2124#define ENC_NAME_MAX_BLOCKLEN_8_OR_16 143
2125
2126int ecryptfs_set_f_namelen(long *namelen, long lower_namelen,
2127 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
2128{
2129 struct blkcipher_desc desc;
2130 struct mutex *tfm_mutex;
2131 size_t cipher_blocksize;
2132 int rc;
2133
2134 if (!(mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)) {
2135 (*namelen) = lower_namelen;
2136 return 0;
2137 }
2138
2139 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&desc.tfm, &tfm_mutex,
2140 mount_crypt_stat->global_default_fn_cipher_name);
2141 if (unlikely(rc)) {
2142 (*namelen) = 0;
2143 return rc;
2144 }
2145
2146 mutex_lock(tfm_mutex);
2147 cipher_blocksize = crypto_blkcipher_blocksize(desc.tfm);
2148 mutex_unlock(tfm_mutex);
2149
2150
2151 if (lower_namelen == NAME_MAX
2152 && (cipher_blocksize == 8 || cipher_blocksize == 16)) {
2153 (*namelen) = ENC_NAME_MAX_BLOCKLEN_8_OR_16;
2154 return 0;
2155 }
2156
2157
2158 (*namelen) = lower_namelen;
2159 (*namelen) -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2160
2161 (*namelen) = ecryptfs_max_decoded_size(*namelen) - 3;
2162 (*namelen) -= ECRYPTFS_TAG_70_MAX_METADATA_SIZE;
2163 (*namelen) -= ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES;
2164
2165 (*namelen) -= cipher_blocksize - 1;
2166
2167 if ((*namelen) < 0)
2168 (*namelen) = 0;
2169
2170 return 0;
2171}
2172