1
2
3
4
5
6
7
8
9
10
11
12#include <crypto/hash.h>
13#include <crypto/skcipher.h>
14#include <linux/fs.h>
15#include <linux/mount.h>
16#include <linux/pagemap.h>
17#include <linux/random.h>
18#include <linux/compiler.h>
19#include <linux/key.h>
20#include <linux/namei.h>
21#include <linux/file.h>
22#include <linux/scatterlist.h>
23#include <linux/slab.h>
24#include <asm/unaligned.h>
25#include <linux/kernel.h>
26#include <linux/xattr.h>
27#include "ecryptfs_kernel.h"
28
29#define DECRYPT 0
30#define ENCRYPT 1
31
32
33
34
35
36
37
38
39void ecryptfs_from_hex(char *dst, char *src, int dst_size)
40{
41 int x;
42 char tmp[3] = { 0, };
43
44 for (x = 0; x < dst_size; x++) {
45 tmp[0] = src[x * 2];
46 tmp[1] = src[x * 2 + 1];
47 dst[x] = (unsigned char)simple_strtol(tmp, NULL, 16);
48 }
49}
50
51static int ecryptfs_hash_digest(struct crypto_shash *tfm,
52 char *src, int len, char *dst)
53{
54 SHASH_DESC_ON_STACK(desc, tfm);
55 int err;
56
57 desc->tfm = tfm;
58 err = crypto_shash_digest(desc, src, len, dst);
59 shash_desc_zero(desc);
60 return err;
61}
62
63
64
65
66
67
68
69
70
71
72
73static int ecryptfs_calculate_md5(char *dst,
74 struct ecryptfs_crypt_stat *crypt_stat,
75 char *src, int len)
76{
77 struct crypto_shash *tfm;
78 int rc = 0;
79
80 tfm = crypt_stat->hash_tfm;
81 rc = ecryptfs_hash_digest(tfm, src, len, dst);
82 if (rc) {
83 printk(KERN_ERR
84 "%s: Error computing crypto hash; rc = [%d]\n",
85 __func__, rc);
86 goto out;
87 }
88out:
89 return rc;
90}
91
92static int ecryptfs_crypto_api_algify_cipher_name(char **algified_name,
93 char *cipher_name,
94 char *chaining_modifier)
95{
96 int cipher_name_len = strlen(cipher_name);
97 int chaining_modifier_len = strlen(chaining_modifier);
98 int algified_name_len;
99 int rc;
100
101 algified_name_len = (chaining_modifier_len + cipher_name_len + 3);
102 (*algified_name) = kmalloc(algified_name_len, GFP_KERNEL);
103 if (!(*algified_name)) {
104 rc = -ENOMEM;
105 goto out;
106 }
107 snprintf((*algified_name), algified_name_len, "%s(%s)",
108 chaining_modifier, cipher_name);
109 rc = 0;
110out:
111 return rc;
112}
113
114
115
116
117
118
119
120
121
122
123
124
125int ecryptfs_derive_iv(char *iv, struct ecryptfs_crypt_stat *crypt_stat,
126 loff_t offset)
127{
128 int rc = 0;
129 char dst[MD5_DIGEST_SIZE];
130 char src[ECRYPTFS_MAX_IV_BYTES + 16];
131
132 if (unlikely(ecryptfs_verbosity > 0)) {
133 ecryptfs_printk(KERN_DEBUG, "root iv:\n");
134 ecryptfs_dump_hex(crypt_stat->root_iv, crypt_stat->iv_bytes);
135 }
136
137
138
139
140 memcpy(src, crypt_stat->root_iv, crypt_stat->iv_bytes);
141 memset((src + crypt_stat->iv_bytes), 0, 16);
142 snprintf((src + crypt_stat->iv_bytes), 16, "%lld", offset);
143 if (unlikely(ecryptfs_verbosity > 0)) {
144 ecryptfs_printk(KERN_DEBUG, "source:\n");
145 ecryptfs_dump_hex(src, (crypt_stat->iv_bytes + 16));
146 }
147 rc = ecryptfs_calculate_md5(dst, crypt_stat, src,
148 (crypt_stat->iv_bytes + 16));
149 if (rc) {
150 ecryptfs_printk(KERN_WARNING, "Error attempting to compute "
151 "MD5 while generating IV for a page\n");
152 goto out;
153 }
154 memcpy(iv, dst, crypt_stat->iv_bytes);
155 if (unlikely(ecryptfs_verbosity > 0)) {
156 ecryptfs_printk(KERN_DEBUG, "derived iv:\n");
157 ecryptfs_dump_hex(iv, crypt_stat->iv_bytes);
158 }
159out:
160 return rc;
161}
162
163
164
165
166
167
168
169int ecryptfs_init_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat)
170{
171 struct crypto_shash *tfm;
172 int rc;
173
174 tfm = crypto_alloc_shash(ECRYPTFS_DEFAULT_HASH, 0, 0);
175 if (IS_ERR(tfm)) {
176 rc = PTR_ERR(tfm);
177 ecryptfs_printk(KERN_ERR, "Error attempting to "
178 "allocate crypto context; rc = [%d]\n",
179 rc);
180 return rc;
181 }
182
183 memset((void *)crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));
184 INIT_LIST_HEAD(&crypt_stat->keysig_list);
185 mutex_init(&crypt_stat->keysig_list_mutex);
186 mutex_init(&crypt_stat->cs_mutex);
187 mutex_init(&crypt_stat->cs_tfm_mutex);
188 crypt_stat->hash_tfm = tfm;
189 crypt_stat->flags |= ECRYPTFS_STRUCT_INITIALIZED;
190
191 return 0;
192}
193
194
195
196
197
198
199
200void ecryptfs_destroy_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat)
201{
202 struct ecryptfs_key_sig *key_sig, *key_sig_tmp;
203
204 crypto_free_skcipher(crypt_stat->tfm);
205 crypto_free_shash(crypt_stat->hash_tfm);
206 list_for_each_entry_safe(key_sig, key_sig_tmp,
207 &crypt_stat->keysig_list, crypt_stat_list) {
208 list_del(&key_sig->crypt_stat_list);
209 kmem_cache_free(ecryptfs_key_sig_cache, key_sig);
210 }
211 memset(crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));
212}
213
214void ecryptfs_destroy_mount_crypt_stat(
215 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
216{
217 struct ecryptfs_global_auth_tok *auth_tok, *auth_tok_tmp;
218
219 if (!(mount_crypt_stat->flags & ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED))
220 return;
221 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
222 list_for_each_entry_safe(auth_tok, auth_tok_tmp,
223 &mount_crypt_stat->global_auth_tok_list,
224 mount_crypt_stat_list) {
225 list_del(&auth_tok->mount_crypt_stat_list);
226 if (!(auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID))
227 key_put(auth_tok->global_auth_tok_key);
228 kmem_cache_free(ecryptfs_global_auth_tok_cache, auth_tok);
229 }
230 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
231 memset(mount_crypt_stat, 0, sizeof(struct ecryptfs_mount_crypt_stat));
232}
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247int virt_to_scatterlist(const void *addr, int size, struct scatterlist *sg,
248 int sg_size)
249{
250 int i = 0;
251 struct page *pg;
252 int offset;
253 int remainder_of_page;
254
255 sg_init_table(sg, sg_size);
256
257 while (size > 0 && i < sg_size) {
258 pg = virt_to_page(addr);
259 offset = offset_in_page(addr);
260 sg_set_page(&sg[i], pg, 0, offset);
261 remainder_of_page = PAGE_SIZE - offset;
262 if (size >= remainder_of_page) {
263 sg[i].length = remainder_of_page;
264 addr += remainder_of_page;
265 size -= remainder_of_page;
266 } else {
267 sg[i].length = size;
268 addr += size;
269 size = 0;
270 }
271 i++;
272 }
273 if (size > 0)
274 return -ENOMEM;
275 return i;
276}
277
278struct extent_crypt_result {
279 struct completion completion;
280 int rc;
281};
282
283static void extent_crypt_complete(struct crypto_async_request *req, int rc)
284{
285 struct extent_crypt_result *ecr = req->data;
286
287 if (rc == -EINPROGRESS)
288 return;
289
290 ecr->rc = rc;
291 complete(&ecr->completion);
292}
293
294
295
296
297
298
299
300
301
302
303
304
305static int crypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat,
306 struct scatterlist *dst_sg,
307 struct scatterlist *src_sg, int size,
308 unsigned char *iv, int op)
309{
310 struct skcipher_request *req = NULL;
311 struct extent_crypt_result ecr;
312 int rc = 0;
313
314 BUG_ON(!crypt_stat || !crypt_stat->tfm
315 || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED));
316 if (unlikely(ecryptfs_verbosity > 0)) {
317 ecryptfs_printk(KERN_DEBUG, "Key size [%zd]; key:\n",
318 crypt_stat->key_size);
319 ecryptfs_dump_hex(crypt_stat->key,
320 crypt_stat->key_size);
321 }
322
323 init_completion(&ecr.completion);
324
325 mutex_lock(&crypt_stat->cs_tfm_mutex);
326 req = skcipher_request_alloc(crypt_stat->tfm, GFP_NOFS);
327 if (!req) {
328 mutex_unlock(&crypt_stat->cs_tfm_mutex);
329 rc = -ENOMEM;
330 goto out;
331 }
332
333 skcipher_request_set_callback(req,
334 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
335 extent_crypt_complete, &ecr);
336
337 if (!(crypt_stat->flags & ECRYPTFS_KEY_SET)) {
338 rc = crypto_skcipher_setkey(crypt_stat->tfm, crypt_stat->key,
339 crypt_stat->key_size);
340 if (rc) {
341 ecryptfs_printk(KERN_ERR,
342 "Error setting key; rc = [%d]\n",
343 rc);
344 mutex_unlock(&crypt_stat->cs_tfm_mutex);
345 rc = -EINVAL;
346 goto out;
347 }
348 crypt_stat->flags |= ECRYPTFS_KEY_SET;
349 }
350 mutex_unlock(&crypt_stat->cs_tfm_mutex);
351 skcipher_request_set_crypt(req, src_sg, dst_sg, size, iv);
352 rc = op == ENCRYPT ? crypto_skcipher_encrypt(req) :
353 crypto_skcipher_decrypt(req);
354 if (rc == -EINPROGRESS || rc == -EBUSY) {
355 struct extent_crypt_result *ecr = req->base.data;
356
357 wait_for_completion(&ecr->completion);
358 rc = ecr->rc;
359 reinit_completion(&ecr->completion);
360 }
361out:
362 skcipher_request_free(req);
363 return rc;
364}
365
366
367
368
369
370
371static loff_t lower_offset_for_page(struct ecryptfs_crypt_stat *crypt_stat,
372 struct page *page)
373{
374 return ecryptfs_lower_header_size(crypt_stat) +
375 ((loff_t)page->index << PAGE_SHIFT);
376}
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391static int crypt_extent(struct ecryptfs_crypt_stat *crypt_stat,
392 struct page *dst_page,
393 struct page *src_page,
394 unsigned long extent_offset, int op)
395{
396 pgoff_t page_index = op == ENCRYPT ? src_page->index : dst_page->index;
397 loff_t extent_base;
398 char extent_iv[ECRYPTFS_MAX_IV_BYTES];
399 struct scatterlist src_sg, dst_sg;
400 size_t extent_size = crypt_stat->extent_size;
401 int rc;
402
403 extent_base = (((loff_t)page_index) * (PAGE_SIZE / extent_size));
404 rc = ecryptfs_derive_iv(extent_iv, crypt_stat,
405 (extent_base + extent_offset));
406 if (rc) {
407 ecryptfs_printk(KERN_ERR, "Error attempting to derive IV for "
408 "extent [0x%.16llx]; rc = [%d]\n",
409 (unsigned long long)(extent_base + extent_offset), rc);
410 goto out;
411 }
412
413 sg_init_table(&src_sg, 1);
414 sg_init_table(&dst_sg, 1);
415
416 sg_set_page(&src_sg, src_page, extent_size,
417 extent_offset * extent_size);
418 sg_set_page(&dst_sg, dst_page, extent_size,
419 extent_offset * extent_size);
420
421 rc = crypt_scatterlist(crypt_stat, &dst_sg, &src_sg, extent_size,
422 extent_iv, op);
423 if (rc < 0) {
424 printk(KERN_ERR "%s: Error attempting to crypt page with "
425 "page_index = [%ld], extent_offset = [%ld]; "
426 "rc = [%d]\n", __func__, page_index, extent_offset, rc);
427 goto out;
428 }
429 rc = 0;
430out:
431 return rc;
432}
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450int ecryptfs_encrypt_page(struct page *page)
451{
452 struct inode *ecryptfs_inode;
453 struct ecryptfs_crypt_stat *crypt_stat;
454 char *enc_extent_virt;
455 struct page *enc_extent_page = NULL;
456 loff_t extent_offset;
457 loff_t lower_offset;
458 int rc = 0;
459
460 ecryptfs_inode = page->mapping->host;
461 crypt_stat =
462 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
463 BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED));
464 enc_extent_page = alloc_page(GFP_USER);
465 if (!enc_extent_page) {
466 rc = -ENOMEM;
467 ecryptfs_printk(KERN_ERR, "Error allocating memory for "
468 "encrypted extent\n");
469 goto out;
470 }
471
472 for (extent_offset = 0;
473 extent_offset < (PAGE_SIZE / crypt_stat->extent_size);
474 extent_offset++) {
475 rc = crypt_extent(crypt_stat, enc_extent_page, page,
476 extent_offset, ENCRYPT);
477 if (rc) {
478 printk(KERN_ERR "%s: Error encrypting extent; "
479 "rc = [%d]\n", __func__, rc);
480 goto out;
481 }
482 }
483
484 lower_offset = lower_offset_for_page(crypt_stat, page);
485 enc_extent_virt = kmap(enc_extent_page);
486 rc = ecryptfs_write_lower(ecryptfs_inode, enc_extent_virt, lower_offset,
487 PAGE_SIZE);
488 kunmap(enc_extent_page);
489 if (rc < 0) {
490 ecryptfs_printk(KERN_ERR,
491 "Error attempting to write lower page; rc = [%d]\n",
492 rc);
493 goto out;
494 }
495 rc = 0;
496out:
497 if (enc_extent_page) {
498 __free_page(enc_extent_page);
499 }
500 return rc;
501}
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519int ecryptfs_decrypt_page(struct page *page)
520{
521 struct inode *ecryptfs_inode;
522 struct ecryptfs_crypt_stat *crypt_stat;
523 char *page_virt;
524 unsigned long extent_offset;
525 loff_t lower_offset;
526 int rc = 0;
527
528 ecryptfs_inode = page->mapping->host;
529 crypt_stat =
530 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
531 BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED));
532
533 lower_offset = lower_offset_for_page(crypt_stat, page);
534 page_virt = kmap(page);
535 rc = ecryptfs_read_lower(page_virt, lower_offset, PAGE_SIZE,
536 ecryptfs_inode);
537 kunmap(page);
538 if (rc < 0) {
539 ecryptfs_printk(KERN_ERR,
540 "Error attempting to read lower page; rc = [%d]\n",
541 rc);
542 goto out;
543 }
544
545 for (extent_offset = 0;
546 extent_offset < (PAGE_SIZE / crypt_stat->extent_size);
547 extent_offset++) {
548 rc = crypt_extent(crypt_stat, page, page,
549 extent_offset, DECRYPT);
550 if (rc) {
551 printk(KERN_ERR "%s: Error encrypting extent; "
552 "rc = [%d]\n", __func__, rc);
553 goto out;
554 }
555 }
556out:
557 return rc;
558}
559
560#define ECRYPTFS_MAX_SCATTERLIST_LEN 4
561
562
563
564
565
566
567
568
569
570
571int ecryptfs_init_crypt_ctx(struct ecryptfs_crypt_stat *crypt_stat)
572{
573 char *full_alg_name;
574 int rc = -EINVAL;
575
576 ecryptfs_printk(KERN_DEBUG,
577 "Initializing cipher [%s]; strlen = [%d]; "
578 "key_size_bits = [%zd]\n",
579 crypt_stat->cipher, (int)strlen(crypt_stat->cipher),
580 crypt_stat->key_size << 3);
581 mutex_lock(&crypt_stat->cs_tfm_mutex);
582 if (crypt_stat->tfm) {
583 rc = 0;
584 goto out_unlock;
585 }
586 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name,
587 crypt_stat->cipher, "cbc");
588 if (rc)
589 goto out_unlock;
590 crypt_stat->tfm = crypto_alloc_skcipher(full_alg_name, 0, 0);
591 if (IS_ERR(crypt_stat->tfm)) {
592 rc = PTR_ERR(crypt_stat->tfm);
593 crypt_stat->tfm = NULL;
594 ecryptfs_printk(KERN_ERR, "cryptfs: init_crypt_ctx(): "
595 "Error initializing cipher [%s]\n",
596 full_alg_name);
597 goto out_free;
598 }
599 crypto_skcipher_set_flags(crypt_stat->tfm,
600 CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
601 rc = 0;
602out_free:
603 kfree(full_alg_name);
604out_unlock:
605 mutex_unlock(&crypt_stat->cs_tfm_mutex);
606 return rc;
607}
608
609static void set_extent_mask_and_shift(struct ecryptfs_crypt_stat *crypt_stat)
610{
611 int extent_size_tmp;
612
613 crypt_stat->extent_mask = 0xFFFFFFFF;
614 crypt_stat->extent_shift = 0;
615 if (crypt_stat->extent_size == 0)
616 return;
617 extent_size_tmp = crypt_stat->extent_size;
618 while ((extent_size_tmp & 0x01) == 0) {
619 extent_size_tmp >>= 1;
620 crypt_stat->extent_mask <<= 1;
621 crypt_stat->extent_shift++;
622 }
623}
624
625void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat)
626{
627
628
629 crypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE;
630 set_extent_mask_and_shift(crypt_stat);
631 crypt_stat->iv_bytes = ECRYPTFS_DEFAULT_IV_BYTES;
632 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
633 crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
634 else {
635 if (PAGE_SIZE <= ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)
636 crypt_stat->metadata_size =
637 ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
638 else
639 crypt_stat->metadata_size = PAGE_SIZE;
640 }
641}
642
643
644
645
646
647
648
649int ecryptfs_compute_root_iv(struct ecryptfs_crypt_stat *crypt_stat)
650{
651 int rc = 0;
652 char dst[MD5_DIGEST_SIZE];
653
654 BUG_ON(crypt_stat->iv_bytes > MD5_DIGEST_SIZE);
655 BUG_ON(crypt_stat->iv_bytes <= 0);
656 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {
657 rc = -EINVAL;
658 ecryptfs_printk(KERN_WARNING, "Session key not valid; "
659 "cannot generate root IV\n");
660 goto out;
661 }
662 rc = ecryptfs_calculate_md5(dst, crypt_stat, crypt_stat->key,
663 crypt_stat->key_size);
664 if (rc) {
665 ecryptfs_printk(KERN_WARNING, "Error attempting to compute "
666 "MD5 while generating root IV\n");
667 goto out;
668 }
669 memcpy(crypt_stat->root_iv, dst, crypt_stat->iv_bytes);
670out:
671 if (rc) {
672 memset(crypt_stat->root_iv, 0, crypt_stat->iv_bytes);
673 crypt_stat->flags |= ECRYPTFS_SECURITY_WARNING;
674 }
675 return rc;
676}
677
678static void ecryptfs_generate_new_key(struct ecryptfs_crypt_stat *crypt_stat)
679{
680 get_random_bytes(crypt_stat->key, crypt_stat->key_size);
681 crypt_stat->flags |= ECRYPTFS_KEY_VALID;
682 ecryptfs_compute_root_iv(crypt_stat);
683 if (unlikely(ecryptfs_verbosity > 0)) {
684 ecryptfs_printk(KERN_DEBUG, "Generated new session key:\n");
685 ecryptfs_dump_hex(crypt_stat->key,
686 crypt_stat->key_size);
687 }
688}
689
690
691
692
693
694
695
696
697
698static void ecryptfs_copy_mount_wide_flags_to_inode_flags(
699 struct ecryptfs_crypt_stat *crypt_stat,
700 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
701{
702 if (mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED)
703 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
704 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
705 crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED;
706 if (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) {
707 crypt_stat->flags |= ECRYPTFS_ENCRYPT_FILENAMES;
708 if (mount_crypt_stat->flags
709 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)
710 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_MOUNT_FNEK;
711 else if (mount_crypt_stat->flags
712 & ECRYPTFS_GLOBAL_ENCFN_USE_FEK)
713 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_FEK;
714 }
715}
716
717static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs(
718 struct ecryptfs_crypt_stat *crypt_stat,
719 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
720{
721 struct ecryptfs_global_auth_tok *global_auth_tok;
722 int rc = 0;
723
724 mutex_lock(&crypt_stat->keysig_list_mutex);
725 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
726
727 list_for_each_entry(global_auth_tok,
728 &mount_crypt_stat->global_auth_tok_list,
729 mount_crypt_stat_list) {
730 if (global_auth_tok->flags & ECRYPTFS_AUTH_TOK_FNEK)
731 continue;
732 rc = ecryptfs_add_keysig(crypt_stat, global_auth_tok->sig);
733 if (rc) {
734 printk(KERN_ERR "Error adding keysig; rc = [%d]\n", rc);
735 goto out;
736 }
737 }
738
739out:
740 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
741 mutex_unlock(&crypt_stat->keysig_list_mutex);
742 return rc;
743}
744
745
746
747
748
749
750
751
752static void ecryptfs_set_default_crypt_stat_vals(
753 struct ecryptfs_crypt_stat *crypt_stat,
754 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
755{
756 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
757 mount_crypt_stat);
758 ecryptfs_set_default_sizes(crypt_stat);
759 strcpy(crypt_stat->cipher, ECRYPTFS_DEFAULT_CIPHER);
760 crypt_stat->key_size = ECRYPTFS_DEFAULT_KEY_BYTES;
761 crypt_stat->flags &= ~(ECRYPTFS_KEY_VALID);
762 crypt_stat->file_version = ECRYPTFS_FILE_VERSION;
763 crypt_stat->mount_crypt_stat = mount_crypt_stat;
764}
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785int ecryptfs_new_file_context(struct inode *ecryptfs_inode)
786{
787 struct ecryptfs_crypt_stat *crypt_stat =
788 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
789 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
790 &ecryptfs_superblock_to_private(
791 ecryptfs_inode->i_sb)->mount_crypt_stat;
792 int cipher_name_len;
793 int rc = 0;
794
795 ecryptfs_set_default_crypt_stat_vals(crypt_stat, mount_crypt_stat);
796 crypt_stat->flags |= (ECRYPTFS_ENCRYPTED | ECRYPTFS_KEY_VALID);
797 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
798 mount_crypt_stat);
799 rc = ecryptfs_copy_mount_wide_sigs_to_inode_sigs(crypt_stat,
800 mount_crypt_stat);
801 if (rc) {
802 printk(KERN_ERR "Error attempting to copy mount-wide key sigs "
803 "to the inode key sigs; rc = [%d]\n", rc);
804 goto out;
805 }
806 cipher_name_len =
807 strlen(mount_crypt_stat->global_default_cipher_name);
808 memcpy(crypt_stat->cipher,
809 mount_crypt_stat->global_default_cipher_name,
810 cipher_name_len);
811 crypt_stat->cipher[cipher_name_len] = '\0';
812 crypt_stat->key_size =
813 mount_crypt_stat->global_default_cipher_key_size;
814 ecryptfs_generate_new_key(crypt_stat);
815 rc = ecryptfs_init_crypt_ctx(crypt_stat);
816 if (rc)
817 ecryptfs_printk(KERN_ERR, "Error initializing cryptographic "
818 "context for cipher [%s]: rc = [%d]\n",
819 crypt_stat->cipher, rc);
820out:
821 return rc;
822}
823
824
825
826
827
828
829
830static int ecryptfs_validate_marker(char *data)
831{
832 u32 m_1, m_2;
833
834 m_1 = get_unaligned_be32(data);
835 m_2 = get_unaligned_be32(data + 4);
836 if ((m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2)
837 return 0;
838 ecryptfs_printk(KERN_DEBUG, "m_1 = [0x%.8x]; m_2 = [0x%.8x]; "
839 "MAGIC_ECRYPTFS_MARKER = [0x%.8x]\n", m_1, m_2,
840 MAGIC_ECRYPTFS_MARKER);
841 ecryptfs_printk(KERN_DEBUG, "(m_1 ^ MAGIC_ECRYPTFS_MARKER) = "
842 "[0x%.8x]\n", (m_1 ^ MAGIC_ECRYPTFS_MARKER));
843 return -EINVAL;
844}
845
846struct ecryptfs_flag_map_elem {
847 u32 file_flag;
848 u32 local_flag;
849};
850
851
852static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = {
853 {0x00000001, ECRYPTFS_ENABLE_HMAC},
854 {0x00000002, ECRYPTFS_ENCRYPTED},
855 {0x00000004, ECRYPTFS_METADATA_IN_XATTR},
856 {0x00000008, ECRYPTFS_ENCRYPT_FILENAMES}
857};
858
859
860
861
862
863
864
865static void ecryptfs_process_flags(struct ecryptfs_crypt_stat *crypt_stat,
866 char *page_virt, int *bytes_read)
867{
868 int i;
869 u32 flags;
870
871 flags = get_unaligned_be32(page_virt);
872 for (i = 0; i < ARRAY_SIZE(ecryptfs_flag_map); i++)
873 if (flags & ecryptfs_flag_map[i].file_flag) {
874 crypt_stat->flags |= ecryptfs_flag_map[i].local_flag;
875 } else
876 crypt_stat->flags &= ~(ecryptfs_flag_map[i].local_flag);
877
878 crypt_stat->file_version = ((flags >> 24) & 0xFF);
879 (*bytes_read) = 4;
880}
881
882
883
884
885
886
887
888
889static void write_ecryptfs_marker(char *page_virt, size_t *written)
890{
891 u32 m_1, m_2;
892
893 get_random_bytes(&m_1, (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2));
894 m_2 = (m_1 ^ MAGIC_ECRYPTFS_MARKER);
895 put_unaligned_be32(m_1, page_virt);
896 page_virt += (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2);
897 put_unaligned_be32(m_2, page_virt);
898 (*written) = MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;
899}
900
901void ecryptfs_write_crypt_stat_flags(char *page_virt,
902 struct ecryptfs_crypt_stat *crypt_stat,
903 size_t *written)
904{
905 u32 flags = 0;
906 int i;
907
908 for (i = 0; i < ARRAY_SIZE(ecryptfs_flag_map); i++)
909 if (crypt_stat->flags & ecryptfs_flag_map[i].local_flag)
910 flags |= ecryptfs_flag_map[i].file_flag;
911
912 flags |= ((((u8)crypt_stat->file_version) << 24) & 0xFF000000);
913 put_unaligned_be32(flags, page_virt);
914 (*written) = 4;
915}
916
917struct ecryptfs_cipher_code_str_map_elem {
918 char cipher_str[16];
919 u8 cipher_code;
920};
921
922
923
924
925static struct ecryptfs_cipher_code_str_map_elem
926ecryptfs_cipher_code_str_map[] = {
927 {"aes",RFC2440_CIPHER_AES_128 },
928 {"blowfish", RFC2440_CIPHER_BLOWFISH},
929 {"des3_ede", RFC2440_CIPHER_DES3_EDE},
930 {"cast5", RFC2440_CIPHER_CAST_5},
931 {"twofish", RFC2440_CIPHER_TWOFISH},
932 {"cast6", RFC2440_CIPHER_CAST_6},
933 {"aes", RFC2440_CIPHER_AES_192},
934 {"aes", RFC2440_CIPHER_AES_256}
935};
936
937
938
939
940
941
942
943
944u8 ecryptfs_code_for_cipher_string(char *cipher_name, size_t key_bytes)
945{
946 int i;
947 u8 code = 0;
948 struct ecryptfs_cipher_code_str_map_elem *map =
949 ecryptfs_cipher_code_str_map;
950
951 if (strcmp(cipher_name, "aes") == 0) {
952 switch (key_bytes) {
953 case 16:
954 code = RFC2440_CIPHER_AES_128;
955 break;
956 case 24:
957 code = RFC2440_CIPHER_AES_192;
958 break;
959 case 32:
960 code = RFC2440_CIPHER_AES_256;
961 }
962 } else {
963 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++)
964 if (strcmp(cipher_name, map[i].cipher_str) == 0) {
965 code = map[i].cipher_code;
966 break;
967 }
968 }
969 return code;
970}
971
972
973
974
975
976
977
978
979int ecryptfs_cipher_code_to_string(char *str, u8 cipher_code)
980{
981 int rc = 0;
982 int i;
983
984 str[0] = '\0';
985 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++)
986 if (cipher_code == ecryptfs_cipher_code_str_map[i].cipher_code)
987 strcpy(str, ecryptfs_cipher_code_str_map[i].cipher_str);
988 if (str[0] == '\0') {
989 ecryptfs_printk(KERN_WARNING, "Cipher code not recognized: "
990 "[%d]\n", cipher_code);
991 rc = -EINVAL;
992 }
993 return rc;
994}
995
996int ecryptfs_read_and_validate_header_region(struct inode *inode)
997{
998 u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES];
999 u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES;
1000 int rc;
1001
1002 rc = ecryptfs_read_lower(file_size, 0, ECRYPTFS_SIZE_AND_MARKER_BYTES,
1003 inode);
1004 if (rc < 0)
1005 return rc;
1006 else if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
1007 return -EINVAL;
1008 rc = ecryptfs_validate_marker(marker);
1009 if (!rc)
1010 ecryptfs_i_size_init(file_size, inode);
1011 return rc;
1012}
1013
1014void
1015ecryptfs_write_header_metadata(char *virt,
1016 struct ecryptfs_crypt_stat *crypt_stat,
1017 size_t *written)
1018{
1019 u32 header_extent_size;
1020 u16 num_header_extents_at_front;
1021
1022 header_extent_size = (u32)crypt_stat->extent_size;
1023 num_header_extents_at_front =
1024 (u16)(crypt_stat->metadata_size / crypt_stat->extent_size);
1025 put_unaligned_be32(header_extent_size, virt);
1026 virt += 4;
1027 put_unaligned_be16(num_header_extents_at_front, virt);
1028 (*written) = 6;
1029}
1030
1031struct kmem_cache *ecryptfs_header_cache;
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064static int ecryptfs_write_headers_virt(char *page_virt, size_t max,
1065 size_t *size,
1066 struct ecryptfs_crypt_stat *crypt_stat,
1067 struct dentry *ecryptfs_dentry)
1068{
1069 int rc;
1070 size_t written;
1071 size_t offset;
1072
1073 offset = ECRYPTFS_FILE_SIZE_BYTES;
1074 write_ecryptfs_marker((page_virt + offset), &written);
1075 offset += written;
1076 ecryptfs_write_crypt_stat_flags((page_virt + offset), crypt_stat,
1077 &written);
1078 offset += written;
1079 ecryptfs_write_header_metadata((page_virt + offset), crypt_stat,
1080 &written);
1081 offset += written;
1082 rc = ecryptfs_generate_key_packet_set((page_virt + offset), crypt_stat,
1083 ecryptfs_dentry, &written,
1084 max - offset);
1085 if (rc)
1086 ecryptfs_printk(KERN_WARNING, "Error generating key packet "
1087 "set; rc = [%d]\n", rc);
1088 if (size) {
1089 offset += written;
1090 *size = offset;
1091 }
1092 return rc;
1093}
1094
1095static int
1096ecryptfs_write_metadata_to_contents(struct inode *ecryptfs_inode,
1097 char *virt, size_t virt_len)
1098{
1099 int rc;
1100
1101 rc = ecryptfs_write_lower(ecryptfs_inode, virt,
1102 0, virt_len);
1103 if (rc < 0)
1104 printk(KERN_ERR "%s: Error attempting to write header "
1105 "information to lower file; rc = [%d]\n", __func__, rc);
1106 else
1107 rc = 0;
1108 return rc;
1109}
1110
1111static int
1112ecryptfs_write_metadata_to_xattr(struct dentry *ecryptfs_dentry,
1113 struct inode *ecryptfs_inode,
1114 char *page_virt, size_t size)
1115{
1116 int rc;
1117 struct dentry *lower_dentry = ecryptfs_dentry_to_lower(ecryptfs_dentry);
1118 struct inode *lower_inode = d_inode(lower_dentry);
1119
1120 if (!(lower_inode->i_opflags & IOP_XATTR)) {
1121 rc = -EOPNOTSUPP;
1122 goto out;
1123 }
1124
1125 inode_lock(lower_inode);
1126 rc = __vfs_setxattr(lower_dentry, lower_inode, ECRYPTFS_XATTR_NAME,
1127 page_virt, size, 0);
1128 if (!rc && ecryptfs_inode)
1129 fsstack_copy_attr_all(ecryptfs_inode, lower_inode);
1130 inode_unlock(lower_inode);
1131out:
1132 return rc;
1133}
1134
1135static unsigned long ecryptfs_get_zeroed_pages(gfp_t gfp_mask,
1136 unsigned int order)
1137{
1138 struct page *page;
1139
1140 page = alloc_pages(gfp_mask | __GFP_ZERO, order);
1141 if (page)
1142 return (unsigned long) page_address(page);
1143 return 0;
1144}
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry,
1160 struct inode *ecryptfs_inode)
1161{
1162 struct ecryptfs_crypt_stat *crypt_stat =
1163 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
1164 unsigned int order;
1165 char *virt;
1166 size_t virt_len;
1167 size_t size = 0;
1168 int rc = 0;
1169
1170 if (likely(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) {
1171 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {
1172 printk(KERN_ERR "Key is invalid; bailing out\n");
1173 rc = -EINVAL;
1174 goto out;
1175 }
1176 } else {
1177 printk(KERN_WARNING "%s: Encrypted flag not set\n",
1178 __func__);
1179 rc = -EINVAL;
1180 goto out;
1181 }
1182 virt_len = crypt_stat->metadata_size;
1183 order = get_order(virt_len);
1184
1185 virt = (char *)ecryptfs_get_zeroed_pages(GFP_KERNEL, order);
1186 if (!virt) {
1187 printk(KERN_ERR "%s: Out of memory\n", __func__);
1188 rc = -ENOMEM;
1189 goto out;
1190 }
1191
1192 rc = ecryptfs_write_headers_virt(virt, virt_len, &size, crypt_stat,
1193 ecryptfs_dentry);
1194 if (unlikely(rc)) {
1195 printk(KERN_ERR "%s: Error whilst writing headers; rc = [%d]\n",
1196 __func__, rc);
1197 goto out_free;
1198 }
1199 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
1200 rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, ecryptfs_inode,
1201 virt, size);
1202 else
1203 rc = ecryptfs_write_metadata_to_contents(ecryptfs_inode, virt,
1204 virt_len);
1205 if (rc) {
1206 printk(KERN_ERR "%s: Error writing metadata out to lower file; "
1207 "rc = [%d]\n", __func__, rc);
1208 goto out_free;
1209 }
1210out_free:
1211 free_pages((unsigned long)virt, order);
1212out:
1213 return rc;
1214}
1215
1216#define ECRYPTFS_DONT_VALIDATE_HEADER_SIZE 0
1217#define ECRYPTFS_VALIDATE_HEADER_SIZE 1
1218static int parse_header_metadata(struct ecryptfs_crypt_stat *crypt_stat,
1219 char *virt, int *bytes_read,
1220 int validate_header_size)
1221{
1222 int rc = 0;
1223 u32 header_extent_size;
1224 u16 num_header_extents_at_front;
1225
1226 header_extent_size = get_unaligned_be32(virt);
1227 virt += sizeof(__be32);
1228 num_header_extents_at_front = get_unaligned_be16(virt);
1229 crypt_stat->metadata_size = (((size_t)num_header_extents_at_front
1230 * (size_t)header_extent_size));
1231 (*bytes_read) = (sizeof(__be32) + sizeof(__be16));
1232 if ((validate_header_size == ECRYPTFS_VALIDATE_HEADER_SIZE)
1233 && (crypt_stat->metadata_size
1234 < ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)) {
1235 rc = -EINVAL;
1236 printk(KERN_WARNING "Invalid header size: [%zd]\n",
1237 crypt_stat->metadata_size);
1238 }
1239 return rc;
1240}
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat)
1251{
1252 crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
1253}
1254
1255void ecryptfs_i_size_init(const char *page_virt, struct inode *inode)
1256{
1257 struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
1258 struct ecryptfs_crypt_stat *crypt_stat;
1259 u64 file_size;
1260
1261 crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat;
1262 mount_crypt_stat =
1263 &ecryptfs_superblock_to_private(inode->i_sb)->mount_crypt_stat;
1264 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) {
1265 file_size = i_size_read(ecryptfs_inode_to_lower(inode));
1266 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
1267 file_size += crypt_stat->metadata_size;
1268 } else
1269 file_size = get_unaligned_be64(page_virt);
1270 i_size_write(inode, (loff_t)file_size);
1271 crypt_stat->flags |= ECRYPTFS_I_SIZE_INITIALIZED;
1272}
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286static int ecryptfs_read_headers_virt(char *page_virt,
1287 struct ecryptfs_crypt_stat *crypt_stat,
1288 struct dentry *ecryptfs_dentry,
1289 int validate_header_size)
1290{
1291 int rc = 0;
1292 int offset;
1293 int bytes_read;
1294
1295 ecryptfs_set_default_sizes(crypt_stat);
1296 crypt_stat->mount_crypt_stat = &ecryptfs_superblock_to_private(
1297 ecryptfs_dentry->d_sb)->mount_crypt_stat;
1298 offset = ECRYPTFS_FILE_SIZE_BYTES;
1299 rc = ecryptfs_validate_marker(page_virt + offset);
1300 if (rc)
1301 goto out;
1302 if (!(crypt_stat->flags & ECRYPTFS_I_SIZE_INITIALIZED))
1303 ecryptfs_i_size_init(page_virt, d_inode(ecryptfs_dentry));
1304 offset += MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;
1305 ecryptfs_process_flags(crypt_stat, (page_virt + offset), &bytes_read);
1306 if (crypt_stat->file_version > ECRYPTFS_SUPPORTED_FILE_VERSION) {
1307 ecryptfs_printk(KERN_WARNING, "File version is [%d]; only "
1308 "file version [%d] is supported by this "
1309 "version of eCryptfs\n",
1310 crypt_stat->file_version,
1311 ECRYPTFS_SUPPORTED_FILE_VERSION);
1312 rc = -EINVAL;
1313 goto out;
1314 }
1315 offset += bytes_read;
1316 if (crypt_stat->file_version >= 1) {
1317 rc = parse_header_metadata(crypt_stat, (page_virt + offset),
1318 &bytes_read, validate_header_size);
1319 if (rc) {
1320 ecryptfs_printk(KERN_WARNING, "Error reading header "
1321 "metadata; rc = [%d]\n", rc);
1322 }
1323 offset += bytes_read;
1324 } else
1325 set_default_header_data(crypt_stat);
1326 rc = ecryptfs_parse_packet_set(crypt_stat, (page_virt + offset),
1327 ecryptfs_dentry);
1328out:
1329 return rc;
1330}
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342int ecryptfs_read_xattr_region(char *page_virt, struct inode *ecryptfs_inode)
1343{
1344 struct dentry *lower_dentry =
1345 ecryptfs_inode_to_private(ecryptfs_inode)->lower_file->f_path.dentry;
1346 ssize_t size;
1347 int rc = 0;
1348
1349 size = ecryptfs_getxattr_lower(lower_dentry,
1350 ecryptfs_inode_to_lower(ecryptfs_inode),
1351 ECRYPTFS_XATTR_NAME,
1352 page_virt, ECRYPTFS_DEFAULT_EXTENT_SIZE);
1353 if (size < 0) {
1354 if (unlikely(ecryptfs_verbosity > 0))
1355 printk(KERN_INFO "Error attempting to read the [%s] "
1356 "xattr from the lower file; return value = "
1357 "[%zd]\n", ECRYPTFS_XATTR_NAME, size);
1358 rc = -EINVAL;
1359 goto out;
1360 }
1361out:
1362 return rc;
1363}
1364
1365int ecryptfs_read_and_validate_xattr_region(struct dentry *dentry,
1366 struct inode *inode)
1367{
1368 u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES];
1369 u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES;
1370 int rc;
1371
1372 rc = ecryptfs_getxattr_lower(ecryptfs_dentry_to_lower(dentry),
1373 ecryptfs_inode_to_lower(inode),
1374 ECRYPTFS_XATTR_NAME, file_size,
1375 ECRYPTFS_SIZE_AND_MARKER_BYTES);
1376 if (rc < 0)
1377 return rc;
1378 else if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
1379 return -EINVAL;
1380 rc = ecryptfs_validate_marker(marker);
1381 if (!rc)
1382 ecryptfs_i_size_init(file_size, inode);
1383 return rc;
1384}
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)
1399{
1400 int rc;
1401 char *page_virt;
1402 struct inode *ecryptfs_inode = d_inode(ecryptfs_dentry);
1403 struct ecryptfs_crypt_stat *crypt_stat =
1404 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
1405 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
1406 &ecryptfs_superblock_to_private(
1407 ecryptfs_dentry->d_sb)->mount_crypt_stat;
1408
1409 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
1410 mount_crypt_stat);
1411
1412 page_virt = kmem_cache_alloc(ecryptfs_header_cache, GFP_USER);
1413 if (!page_virt) {
1414 rc = -ENOMEM;
1415 goto out;
1416 }
1417 rc = ecryptfs_read_lower(page_virt, 0, crypt_stat->extent_size,
1418 ecryptfs_inode);
1419 if (rc >= 0)
1420 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat,
1421 ecryptfs_dentry,
1422 ECRYPTFS_VALIDATE_HEADER_SIZE);
1423 if (rc) {
1424
1425 memset(page_virt, 0, PAGE_SIZE);
1426 rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode);
1427 if (rc) {
1428 printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1429 "file header region or xattr region, inode %lu\n",
1430 ecryptfs_inode->i_ino);
1431 rc = -EINVAL;
1432 goto out;
1433 }
1434 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat,
1435 ecryptfs_dentry,
1436 ECRYPTFS_DONT_VALIDATE_HEADER_SIZE);
1437 if (rc) {
1438 printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1439 "file xattr region either, inode %lu\n",
1440 ecryptfs_inode->i_ino);
1441 rc = -EINVAL;
1442 }
1443 if (crypt_stat->mount_crypt_stat->flags
1444 & ECRYPTFS_XATTR_METADATA_ENABLED) {
1445 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
1446 } else {
1447 printk(KERN_WARNING "Attempt to access file with "
1448 "crypto metadata only in the extended attribute "
1449 "region, but eCryptfs was mounted without "
1450 "xattr support enabled. eCryptfs will not treat "
1451 "this like an encrypted file, inode %lu\n",
1452 ecryptfs_inode->i_ino);
1453 rc = -EINVAL;
1454 }
1455 }
1456out:
1457 if (page_virt) {
1458 memset(page_virt, 0, PAGE_SIZE);
1459 kmem_cache_free(ecryptfs_header_cache, page_virt);
1460 }
1461 return rc;
1462}
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473static int
1474ecryptfs_encrypt_filename(struct ecryptfs_filename *filename,
1475 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
1476{
1477 int rc = 0;
1478
1479 filename->encrypted_filename = NULL;
1480 filename->encrypted_filename_size = 0;
1481 if (mount_crypt_stat && (mount_crypt_stat->flags
1482 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)) {
1483 size_t packet_size;
1484 size_t remaining_bytes;
1485
1486 rc = ecryptfs_write_tag_70_packet(
1487 NULL, NULL,
1488 &filename->encrypted_filename_size,
1489 mount_crypt_stat, NULL,
1490 filename->filename_size);
1491 if (rc) {
1492 printk(KERN_ERR "%s: Error attempting to get packet "
1493 "size for tag 72; rc = [%d]\n", __func__,
1494 rc);
1495 filename->encrypted_filename_size = 0;
1496 goto out;
1497 }
1498 filename->encrypted_filename =
1499 kmalloc(filename->encrypted_filename_size, GFP_KERNEL);
1500 if (!filename->encrypted_filename) {
1501 rc = -ENOMEM;
1502 goto out;
1503 }
1504 remaining_bytes = filename->encrypted_filename_size;
1505 rc = ecryptfs_write_tag_70_packet(filename->encrypted_filename,
1506 &remaining_bytes,
1507 &packet_size,
1508 mount_crypt_stat,
1509 filename->filename,
1510 filename->filename_size);
1511 if (rc) {
1512 printk(KERN_ERR "%s: Error attempting to generate "
1513 "tag 70 packet; rc = [%d]\n", __func__,
1514 rc);
1515 kfree(filename->encrypted_filename);
1516 filename->encrypted_filename = NULL;
1517 filename->encrypted_filename_size = 0;
1518 goto out;
1519 }
1520 filename->encrypted_filename_size = packet_size;
1521 } else {
1522 printk(KERN_ERR "%s: No support for requested filename "
1523 "encryption method in this release\n", __func__);
1524 rc = -EOPNOTSUPP;
1525 goto out;
1526 }
1527out:
1528 return rc;
1529}
1530
1531static int ecryptfs_copy_filename(char **copied_name, size_t *copied_name_size,
1532 const char *name, size_t name_size)
1533{
1534 int rc = 0;
1535
1536 (*copied_name) = kmalloc((name_size + 1), GFP_KERNEL);
1537 if (!(*copied_name)) {
1538 rc = -ENOMEM;
1539 goto out;
1540 }
1541 memcpy((void *)(*copied_name), (void *)name, name_size);
1542 (*copied_name)[(name_size)] = '\0';
1543
1544
1545
1546 (*copied_name_size) = name_size;
1547out:
1548 return rc;
1549}
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561static int
1562ecryptfs_process_key_cipher(struct crypto_skcipher **key_tfm,
1563 char *cipher_name, size_t *key_size)
1564{
1565 char dummy_key[ECRYPTFS_MAX_KEY_BYTES];
1566 char *full_alg_name = NULL;
1567 int rc;
1568
1569 *key_tfm = NULL;
1570 if (*key_size > ECRYPTFS_MAX_KEY_BYTES) {
1571 rc = -EINVAL;
1572 printk(KERN_ERR "Requested key size is [%zd] bytes; maximum "
1573 "allowable is [%d]\n", *key_size, ECRYPTFS_MAX_KEY_BYTES);
1574 goto out;
1575 }
1576 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, cipher_name,
1577 "ecb");
1578 if (rc)
1579 goto out;
1580 *key_tfm = crypto_alloc_skcipher(full_alg_name, 0, CRYPTO_ALG_ASYNC);
1581 if (IS_ERR(*key_tfm)) {
1582 rc = PTR_ERR(*key_tfm);
1583 printk(KERN_ERR "Unable to allocate crypto cipher with name "
1584 "[%s]; rc = [%d]\n", full_alg_name, rc);
1585 goto out;
1586 }
1587 crypto_skcipher_set_flags(*key_tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
1588 if (*key_size == 0)
1589 *key_size = crypto_skcipher_default_keysize(*key_tfm);
1590 get_random_bytes(dummy_key, *key_size);
1591 rc = crypto_skcipher_setkey(*key_tfm, dummy_key, *key_size);
1592 if (rc) {
1593 printk(KERN_ERR "Error attempting to set key of size [%zd] for "
1594 "cipher [%s]; rc = [%d]\n", *key_size, full_alg_name,
1595 rc);
1596 rc = -EINVAL;
1597 goto out;
1598 }
1599out:
1600 kfree(full_alg_name);
1601 return rc;
1602}
1603
1604struct kmem_cache *ecryptfs_key_tfm_cache;
1605static struct list_head key_tfm_list;
1606struct mutex key_tfm_list_mutex;
1607
1608int __init ecryptfs_init_crypto(void)
1609{
1610 mutex_init(&key_tfm_list_mutex);
1611 INIT_LIST_HEAD(&key_tfm_list);
1612 return 0;
1613}
1614
1615
1616
1617
1618
1619
1620int ecryptfs_destroy_crypto(void)
1621{
1622 struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp;
1623
1624 mutex_lock(&key_tfm_list_mutex);
1625 list_for_each_entry_safe(key_tfm, key_tfm_tmp, &key_tfm_list,
1626 key_tfm_list) {
1627 list_del(&key_tfm->key_tfm_list);
1628 crypto_free_skcipher(key_tfm->key_tfm);
1629 kmem_cache_free(ecryptfs_key_tfm_cache, key_tfm);
1630 }
1631 mutex_unlock(&key_tfm_list_mutex);
1632 return 0;
1633}
1634
1635int
1636ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name,
1637 size_t key_size)
1638{
1639 struct ecryptfs_key_tfm *tmp_tfm;
1640 int rc = 0;
1641
1642 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1643
1644 tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL);
1645 if (key_tfm)
1646 (*key_tfm) = tmp_tfm;
1647 if (!tmp_tfm) {
1648 rc = -ENOMEM;
1649 goto out;
1650 }
1651 mutex_init(&tmp_tfm->key_tfm_mutex);
1652 strncpy(tmp_tfm->cipher_name, cipher_name,
1653 ECRYPTFS_MAX_CIPHER_NAME_SIZE);
1654 tmp_tfm->cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0';
1655 tmp_tfm->key_size = key_size;
1656 rc = ecryptfs_process_key_cipher(&tmp_tfm->key_tfm,
1657 tmp_tfm->cipher_name,
1658 &tmp_tfm->key_size);
1659 if (rc) {
1660 printk(KERN_ERR "Error attempting to initialize key TFM "
1661 "cipher with name = [%s]; rc = [%d]\n",
1662 tmp_tfm->cipher_name, rc);
1663 kmem_cache_free(ecryptfs_key_tfm_cache, tmp_tfm);
1664 if (key_tfm)
1665 (*key_tfm) = NULL;
1666 goto out;
1667 }
1668 list_add(&tmp_tfm->key_tfm_list, &key_tfm_list);
1669out:
1670 return rc;
1671}
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683int ecryptfs_tfm_exists(char *cipher_name, struct ecryptfs_key_tfm **key_tfm)
1684{
1685 struct ecryptfs_key_tfm *tmp_key_tfm;
1686
1687 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1688
1689 list_for_each_entry(tmp_key_tfm, &key_tfm_list, key_tfm_list) {
1690 if (strcmp(tmp_key_tfm->cipher_name, cipher_name) == 0) {
1691 if (key_tfm)
1692 (*key_tfm) = tmp_key_tfm;
1693 return 1;
1694 }
1695 }
1696 if (key_tfm)
1697 (*key_tfm) = NULL;
1698 return 0;
1699}
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_skcipher **tfm,
1713 struct mutex **tfm_mutex,
1714 char *cipher_name)
1715{
1716 struct ecryptfs_key_tfm *key_tfm;
1717 int rc = 0;
1718
1719 (*tfm) = NULL;
1720 (*tfm_mutex) = NULL;
1721
1722 mutex_lock(&key_tfm_list_mutex);
1723 if (!ecryptfs_tfm_exists(cipher_name, &key_tfm)) {
1724 rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0);
1725 if (rc) {
1726 printk(KERN_ERR "Error adding new key_tfm to list; "
1727 "rc = [%d]\n", rc);
1728 goto out;
1729 }
1730 }
1731 (*tfm) = key_tfm->key_tfm;
1732 (*tfm_mutex) = &key_tfm->key_tfm_mutex;
1733out:
1734 mutex_unlock(&key_tfm_list_mutex);
1735 return rc;
1736}
1737
1738
1739static unsigned char *portable_filename_chars = ("-.0123456789ABCD"
1740 "EFGHIJKLMNOPQRST"
1741 "UVWXYZabcdefghij"
1742 "klmnopqrstuvwxyz");
1743
1744
1745
1746static const unsigned char filename_rev_map[256] = {
1747 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1748 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1749 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1750 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1751 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1752 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1753 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
1754 0x0A, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1755 0x00, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12,
1756 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A,
1757 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22,
1758 0x23, 0x24, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00,
1759 0x00, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
1760 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
1761 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
1762 0x3D, 0x3E, 0x3F
1763};
1764
1765
1766
1767
1768
1769
1770
1771
1772static void ecryptfs_encode_for_filename(unsigned char *dst, size_t *dst_size,
1773 unsigned char *src, size_t src_size)
1774{
1775 size_t num_blocks;
1776 size_t block_num = 0;
1777 size_t dst_offset = 0;
1778 unsigned char last_block[3];
1779
1780 if (src_size == 0) {
1781 (*dst_size) = 0;
1782 goto out;
1783 }
1784 num_blocks = (src_size / 3);
1785 if ((src_size % 3) == 0) {
1786 memcpy(last_block, (&src[src_size - 3]), 3);
1787 } else {
1788 num_blocks++;
1789 last_block[2] = 0x00;
1790 switch (src_size % 3) {
1791 case 1:
1792 last_block[0] = src[src_size - 1];
1793 last_block[1] = 0x00;
1794 break;
1795 case 2:
1796 last_block[0] = src[src_size - 2];
1797 last_block[1] = src[src_size - 1];
1798 }
1799 }
1800 (*dst_size) = (num_blocks * 4);
1801 if (!dst)
1802 goto out;
1803 while (block_num < num_blocks) {
1804 unsigned char *src_block;
1805 unsigned char dst_block[4];
1806
1807 if (block_num == (num_blocks - 1))
1808 src_block = last_block;
1809 else
1810 src_block = &src[block_num * 3];
1811 dst_block[0] = ((src_block[0] >> 2) & 0x3F);
1812 dst_block[1] = (((src_block[0] << 4) & 0x30)
1813 | ((src_block[1] >> 4) & 0x0F));
1814 dst_block[2] = (((src_block[1] << 2) & 0x3C)
1815 | ((src_block[2] >> 6) & 0x03));
1816 dst_block[3] = (src_block[2] & 0x3F);
1817 dst[dst_offset++] = portable_filename_chars[dst_block[0]];
1818 dst[dst_offset++] = portable_filename_chars[dst_block[1]];
1819 dst[dst_offset++] = portable_filename_chars[dst_block[2]];
1820 dst[dst_offset++] = portable_filename_chars[dst_block[3]];
1821 block_num++;
1822 }
1823out:
1824 return;
1825}
1826
1827static size_t ecryptfs_max_decoded_size(size_t encoded_size)
1828{
1829
1830
1831
1832
1833
1834
1835 return ((encoded_size + 1) * 3) / 4;
1836}
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847static void
1848ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
1849 const unsigned char *src, size_t src_size)
1850{
1851 u8 current_bit_offset = 0;
1852 size_t src_byte_offset = 0;
1853 size_t dst_byte_offset = 0;
1854
1855 if (!dst) {
1856 (*dst_size) = ecryptfs_max_decoded_size(src_size);
1857 goto out;
1858 }
1859 while (src_byte_offset < src_size) {
1860 unsigned char src_byte =
1861 filename_rev_map[(int)src[src_byte_offset]];
1862
1863 switch (current_bit_offset) {
1864 case 0:
1865 dst[dst_byte_offset] = (src_byte << 2);
1866 current_bit_offset = 6;
1867 break;
1868 case 6:
1869 dst[dst_byte_offset++] |= (src_byte >> 4);
1870 dst[dst_byte_offset] = ((src_byte & 0xF)
1871 << 4);
1872 current_bit_offset = 4;
1873 break;
1874 case 4:
1875 dst[dst_byte_offset++] |= (src_byte >> 2);
1876 dst[dst_byte_offset] = (src_byte << 6);
1877 current_bit_offset = 2;
1878 break;
1879 case 2:
1880 dst[dst_byte_offset++] |= (src_byte);
1881 current_bit_offset = 0;
1882 break;
1883 }
1884 src_byte_offset++;
1885 }
1886 (*dst_size) = dst_byte_offset;
1887out:
1888 return;
1889}
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906int ecryptfs_encrypt_and_encode_filename(
1907 char **encoded_name,
1908 size_t *encoded_name_size,
1909 struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
1910 const char *name, size_t name_size)
1911{
1912 size_t encoded_name_no_prefix_size;
1913 int rc = 0;
1914
1915 (*encoded_name) = NULL;
1916 (*encoded_name_size) = 0;
1917 if (mount_crypt_stat && (mount_crypt_stat->flags
1918 & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)) {
1919 struct ecryptfs_filename *filename;
1920
1921 filename = kzalloc(sizeof(*filename), GFP_KERNEL);
1922 if (!filename) {
1923 rc = -ENOMEM;
1924 goto out;
1925 }
1926 filename->filename = (char *)name;
1927 filename->filename_size = name_size;
1928 rc = ecryptfs_encrypt_filename(filename, mount_crypt_stat);
1929 if (rc) {
1930 printk(KERN_ERR "%s: Error attempting to encrypt "
1931 "filename; rc = [%d]\n", __func__, rc);
1932 kfree(filename);
1933 goto out;
1934 }
1935 ecryptfs_encode_for_filename(
1936 NULL, &encoded_name_no_prefix_size,
1937 filename->encrypted_filename,
1938 filename->encrypted_filename_size);
1939 if (mount_crypt_stat
1940 && (mount_crypt_stat->flags
1941 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))
1942 (*encoded_name_size) =
1943 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
1944 + encoded_name_no_prefix_size);
1945 else
1946 (*encoded_name_size) =
1947 (ECRYPTFS_FEK_ENCRYPTED_FILENAME_PREFIX_SIZE
1948 + encoded_name_no_prefix_size);
1949 (*encoded_name) = kmalloc((*encoded_name_size) + 1, GFP_KERNEL);
1950 if (!(*encoded_name)) {
1951 rc = -ENOMEM;
1952 kfree(filename->encrypted_filename);
1953 kfree(filename);
1954 goto out;
1955 }
1956 if (mount_crypt_stat
1957 && (mount_crypt_stat->flags
1958 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)) {
1959 memcpy((*encoded_name),
1960 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
1961 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE);
1962 ecryptfs_encode_for_filename(
1963 ((*encoded_name)
1964 + ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE),
1965 &encoded_name_no_prefix_size,
1966 filename->encrypted_filename,
1967 filename->encrypted_filename_size);
1968 (*encoded_name_size) =
1969 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
1970 + encoded_name_no_prefix_size);
1971 (*encoded_name)[(*encoded_name_size)] = '\0';
1972 } else {
1973 rc = -EOPNOTSUPP;
1974 }
1975 if (rc) {
1976 printk(KERN_ERR "%s: Error attempting to encode "
1977 "encrypted filename; rc = [%d]\n", __func__,
1978 rc);
1979 kfree((*encoded_name));
1980 (*encoded_name) = NULL;
1981 (*encoded_name_size) = 0;
1982 }
1983 kfree(filename->encrypted_filename);
1984 kfree(filename);
1985 } else {
1986 rc = ecryptfs_copy_filename(encoded_name,
1987 encoded_name_size,
1988 name, name_size);
1989 }
1990out:
1991 return rc;
1992}
1993
1994static bool is_dot_dotdot(const char *name, size_t name_size)
1995{
1996 if (name_size == 1 && name[0] == '.')
1997 return true;
1998 else if (name_size == 2 && name[0] == '.' && name[1] == '.')
1999 return true;
2000
2001 return false;
2002}
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016int ecryptfs_decode_and_decrypt_filename(char **plaintext_name,
2017 size_t *plaintext_name_size,
2018 struct super_block *sb,
2019 const char *name, size_t name_size)
2020{
2021 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
2022 &ecryptfs_superblock_to_private(sb)->mount_crypt_stat;
2023 char *decoded_name;
2024 size_t decoded_name_size;
2025 size_t packet_size;
2026 int rc = 0;
2027
2028 if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) &&
2029 !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)) {
2030 if (is_dot_dotdot(name, name_size)) {
2031 rc = ecryptfs_copy_filename(plaintext_name,
2032 plaintext_name_size,
2033 name, name_size);
2034 goto out;
2035 }
2036
2037 if (name_size <= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE ||
2038 strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
2039 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE)) {
2040 rc = -EINVAL;
2041 goto out;
2042 }
2043
2044 name += ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2045 name_size -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2046 ecryptfs_decode_from_filename(NULL, &decoded_name_size,
2047 name, name_size);
2048 decoded_name = kmalloc(decoded_name_size, GFP_KERNEL);
2049 if (!decoded_name) {
2050 rc = -ENOMEM;
2051 goto out;
2052 }
2053 ecryptfs_decode_from_filename(decoded_name, &decoded_name_size,
2054 name, name_size);
2055 rc = ecryptfs_parse_tag_70_packet(plaintext_name,
2056 plaintext_name_size,
2057 &packet_size,
2058 mount_crypt_stat,
2059 decoded_name,
2060 decoded_name_size);
2061 if (rc) {
2062 ecryptfs_printk(KERN_DEBUG,
2063 "%s: Could not parse tag 70 packet from filename\n",
2064 __func__);
2065 goto out_free;
2066 }
2067 } else {
2068 rc = ecryptfs_copy_filename(plaintext_name,
2069 plaintext_name_size,
2070 name, name_size);
2071 goto out;
2072 }
2073out_free:
2074 kfree(decoded_name);
2075out:
2076 return rc;
2077}
2078
2079#define ENC_NAME_MAX_BLOCKLEN_8_OR_16 143
2080
2081int ecryptfs_set_f_namelen(long *namelen, long lower_namelen,
2082 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
2083{
2084 struct crypto_skcipher *tfm;
2085 struct mutex *tfm_mutex;
2086 size_t cipher_blocksize;
2087 int rc;
2088
2089 if (!(mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)) {
2090 (*namelen) = lower_namelen;
2091 return 0;
2092 }
2093
2094 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&tfm, &tfm_mutex,
2095 mount_crypt_stat->global_default_fn_cipher_name);
2096 if (unlikely(rc)) {
2097 (*namelen) = 0;
2098 return rc;
2099 }
2100
2101 mutex_lock(tfm_mutex);
2102 cipher_blocksize = crypto_skcipher_blocksize(tfm);
2103 mutex_unlock(tfm_mutex);
2104
2105
2106 if (lower_namelen == NAME_MAX
2107 && (cipher_blocksize == 8 || cipher_blocksize == 16)) {
2108 (*namelen) = ENC_NAME_MAX_BLOCKLEN_8_OR_16;
2109 return 0;
2110 }
2111
2112
2113 (*namelen) = lower_namelen;
2114 (*namelen) -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2115
2116 (*namelen) = ecryptfs_max_decoded_size(*namelen) - 3;
2117 (*namelen) -= ECRYPTFS_TAG_70_MAX_METADATA_SIZE;
2118 (*namelen) -= ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES;
2119
2120 (*namelen) -= cipher_blocksize - 1;
2121
2122 if ((*namelen) < 0)
2123 (*namelen) = 0;
2124
2125 return 0;
2126}
2127