1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26#include <crypto/hash.h>
27#include <crypto/skcipher.h>
28#include <linux/fs.h>
29#include <linux/mount.h>
30#include <linux/pagemap.h>
31#include <linux/random.h>
32#include <linux/compiler.h>
33#include <linux/key.h>
34#include <linux/namei.h>
35#include <linux/file.h>
36#include <linux/scatterlist.h>
37#include <linux/slab.h>
38#include <asm/unaligned.h>
39#include "ecryptfs_kernel.h"
40
41#define DECRYPT 0
42#define ENCRYPT 1
43
44
45
46
47
48
49
50
51void ecryptfs_to_hex(char *dst, char *src, size_t src_size)
52{
53 int x;
54
55 for (x = 0; x < src_size; x++)
56 sprintf(&dst[x * 2], "%.2x", (unsigned char)src[x]);
57}
58
59
60
61
62
63
64
65
66void ecryptfs_from_hex(char *dst, char *src, int dst_size)
67{
68 int x;
69 char tmp[3] = { 0, };
70
71 for (x = 0; x < dst_size; x++) {
72 tmp[0] = src[x * 2];
73 tmp[1] = src[x * 2 + 1];
74 dst[x] = (unsigned char)simple_strtol(tmp, NULL, 16);
75 }
76}
77
78static int ecryptfs_hash_digest(struct crypto_shash *tfm,
79 char *src, int len, char *dst)
80{
81 SHASH_DESC_ON_STACK(desc, tfm);
82 int err;
83
84 desc->tfm = tfm;
85 desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
86 err = crypto_shash_digest(desc, src, len, dst);
87 shash_desc_zero(desc);
88 return err;
89}
90
91
92
93
94
95
96
97
98
99
100
101static int ecryptfs_calculate_md5(char *dst,
102 struct ecryptfs_crypt_stat *crypt_stat,
103 char *src, int len)
104{
105 struct crypto_shash *tfm;
106 int rc = 0;
107
108 mutex_lock(&crypt_stat->cs_hash_tfm_mutex);
109 tfm = crypt_stat->hash_tfm;
110 if (!tfm) {
111 tfm = crypto_alloc_shash(ECRYPTFS_DEFAULT_HASH, 0, 0);
112 if (IS_ERR(tfm)) {
113 rc = PTR_ERR(tfm);
114 ecryptfs_printk(KERN_ERR, "Error attempting to "
115 "allocate crypto context; rc = [%d]\n",
116 rc);
117 goto out;
118 }
119 crypt_stat->hash_tfm = tfm;
120 }
121 rc = ecryptfs_hash_digest(tfm, src, len, dst);
122 if (rc) {
123 printk(KERN_ERR
124 "%s: Error computing crypto hash; rc = [%d]\n",
125 __func__, rc);
126 goto out;
127 }
128out:
129 mutex_unlock(&crypt_stat->cs_hash_tfm_mutex);
130 return rc;
131}
132
133static int ecryptfs_crypto_api_algify_cipher_name(char **algified_name,
134 char *cipher_name,
135 char *chaining_modifier)
136{
137 int cipher_name_len = strlen(cipher_name);
138 int chaining_modifier_len = strlen(chaining_modifier);
139 int algified_name_len;
140 int rc;
141
142 algified_name_len = (chaining_modifier_len + cipher_name_len + 3);
143 (*algified_name) = kmalloc(algified_name_len, GFP_KERNEL);
144 if (!(*algified_name)) {
145 rc = -ENOMEM;
146 goto out;
147 }
148 snprintf((*algified_name), algified_name_len, "%s(%s)",
149 chaining_modifier, cipher_name);
150 rc = 0;
151out:
152 return rc;
153}
154
155
156
157
158
159
160
161
162
163
164
165
166int ecryptfs_derive_iv(char *iv, struct ecryptfs_crypt_stat *crypt_stat,
167 loff_t offset)
168{
169 int rc = 0;
170 char dst[MD5_DIGEST_SIZE];
171 char src[ECRYPTFS_MAX_IV_BYTES + 16];
172
173 if (unlikely(ecryptfs_verbosity > 0)) {
174 ecryptfs_printk(KERN_DEBUG, "root iv:\n");
175 ecryptfs_dump_hex(crypt_stat->root_iv, crypt_stat->iv_bytes);
176 }
177
178
179
180
181 memcpy(src, crypt_stat->root_iv, crypt_stat->iv_bytes);
182 memset((src + crypt_stat->iv_bytes), 0, 16);
183 snprintf((src + crypt_stat->iv_bytes), 16, "%lld", offset);
184 if (unlikely(ecryptfs_verbosity > 0)) {
185 ecryptfs_printk(KERN_DEBUG, "source:\n");
186 ecryptfs_dump_hex(src, (crypt_stat->iv_bytes + 16));
187 }
188 rc = ecryptfs_calculate_md5(dst, crypt_stat, src,
189 (crypt_stat->iv_bytes + 16));
190 if (rc) {
191 ecryptfs_printk(KERN_WARNING, "Error attempting to compute "
192 "MD5 while generating IV for a page\n");
193 goto out;
194 }
195 memcpy(iv, dst, crypt_stat->iv_bytes);
196 if (unlikely(ecryptfs_verbosity > 0)) {
197 ecryptfs_printk(KERN_DEBUG, "derived iv:\n");
198 ecryptfs_dump_hex(iv, crypt_stat->iv_bytes);
199 }
200out:
201 return rc;
202}
203
204
205
206
207
208
209
210void
211ecryptfs_init_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat)
212{
213 memset((void *)crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));
214 INIT_LIST_HEAD(&crypt_stat->keysig_list);
215 mutex_init(&crypt_stat->keysig_list_mutex);
216 mutex_init(&crypt_stat->cs_mutex);
217 mutex_init(&crypt_stat->cs_tfm_mutex);
218 mutex_init(&crypt_stat->cs_hash_tfm_mutex);
219 crypt_stat->flags |= ECRYPTFS_STRUCT_INITIALIZED;
220}
221
222
223
224
225
226
227
228void ecryptfs_destroy_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat)
229{
230 struct ecryptfs_key_sig *key_sig, *key_sig_tmp;
231
232 crypto_free_skcipher(crypt_stat->tfm);
233 crypto_free_shash(crypt_stat->hash_tfm);
234 list_for_each_entry_safe(key_sig, key_sig_tmp,
235 &crypt_stat->keysig_list, crypt_stat_list) {
236 list_del(&key_sig->crypt_stat_list);
237 kmem_cache_free(ecryptfs_key_sig_cache, key_sig);
238 }
239 memset(crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));
240}
241
242void ecryptfs_destroy_mount_crypt_stat(
243 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
244{
245 struct ecryptfs_global_auth_tok *auth_tok, *auth_tok_tmp;
246
247 if (!(mount_crypt_stat->flags & ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED))
248 return;
249 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
250 list_for_each_entry_safe(auth_tok, auth_tok_tmp,
251 &mount_crypt_stat->global_auth_tok_list,
252 mount_crypt_stat_list) {
253 list_del(&auth_tok->mount_crypt_stat_list);
254 if (!(auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID))
255 key_put(auth_tok->global_auth_tok_key);
256 kmem_cache_free(ecryptfs_global_auth_tok_cache, auth_tok);
257 }
258 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
259 memset(mount_crypt_stat, 0, sizeof(struct ecryptfs_mount_crypt_stat));
260}
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275int virt_to_scatterlist(const void *addr, int size, struct scatterlist *sg,
276 int sg_size)
277{
278 int i = 0;
279 struct page *pg;
280 int offset;
281 int remainder_of_page;
282
283 sg_init_table(sg, sg_size);
284
285 while (size > 0 && i < sg_size) {
286 pg = virt_to_page(addr);
287 offset = offset_in_page(addr);
288 sg_set_page(&sg[i], pg, 0, offset);
289 remainder_of_page = PAGE_SIZE - offset;
290 if (size >= remainder_of_page) {
291 sg[i].length = remainder_of_page;
292 addr += remainder_of_page;
293 size -= remainder_of_page;
294 } else {
295 sg[i].length = size;
296 addr += size;
297 size = 0;
298 }
299 i++;
300 }
301 if (size > 0)
302 return -ENOMEM;
303 return i;
304}
305
306struct extent_crypt_result {
307 struct completion completion;
308 int rc;
309};
310
311static void extent_crypt_complete(struct crypto_async_request *req, int rc)
312{
313 struct extent_crypt_result *ecr = req->data;
314
315 if (rc == -EINPROGRESS)
316 return;
317
318 ecr->rc = rc;
319 complete(&ecr->completion);
320}
321
322
323
324
325
326
327
328
329
330
331
332
333static int crypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat,
334 struct scatterlist *dst_sg,
335 struct scatterlist *src_sg, int size,
336 unsigned char *iv, int op)
337{
338 struct skcipher_request *req = NULL;
339 struct extent_crypt_result ecr;
340 int rc = 0;
341
342 BUG_ON(!crypt_stat || !crypt_stat->tfm
343 || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED));
344 if (unlikely(ecryptfs_verbosity > 0)) {
345 ecryptfs_printk(KERN_DEBUG, "Key size [%zd]; key:\n",
346 crypt_stat->key_size);
347 ecryptfs_dump_hex(crypt_stat->key,
348 crypt_stat->key_size);
349 }
350
351 init_completion(&ecr.completion);
352
353 mutex_lock(&crypt_stat->cs_tfm_mutex);
354 req = skcipher_request_alloc(crypt_stat->tfm, GFP_NOFS);
355 if (!req) {
356 mutex_unlock(&crypt_stat->cs_tfm_mutex);
357 rc = -ENOMEM;
358 goto out;
359 }
360
361 skcipher_request_set_callback(req,
362 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
363 extent_crypt_complete, &ecr);
364
365 if (!(crypt_stat->flags & ECRYPTFS_KEY_SET)) {
366 rc = crypto_skcipher_setkey(crypt_stat->tfm, crypt_stat->key,
367 crypt_stat->key_size);
368 if (rc) {
369 ecryptfs_printk(KERN_ERR,
370 "Error setting key; rc = [%d]\n",
371 rc);
372 mutex_unlock(&crypt_stat->cs_tfm_mutex);
373 rc = -EINVAL;
374 goto out;
375 }
376 crypt_stat->flags |= ECRYPTFS_KEY_SET;
377 }
378 mutex_unlock(&crypt_stat->cs_tfm_mutex);
379 skcipher_request_set_crypt(req, src_sg, dst_sg, size, iv);
380 rc = op == ENCRYPT ? crypto_skcipher_encrypt(req) :
381 crypto_skcipher_decrypt(req);
382 if (rc == -EINPROGRESS || rc == -EBUSY) {
383 struct extent_crypt_result *ecr = req->base.data;
384
385 wait_for_completion(&ecr->completion);
386 rc = ecr->rc;
387 reinit_completion(&ecr->completion);
388 }
389out:
390 skcipher_request_free(req);
391 return rc;
392}
393
394
395
396
397
398
399static loff_t lower_offset_for_page(struct ecryptfs_crypt_stat *crypt_stat,
400 struct page *page)
401{
402 return ecryptfs_lower_header_size(crypt_stat) +
403 ((loff_t)page->index << PAGE_SHIFT);
404}
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419static int crypt_extent(struct ecryptfs_crypt_stat *crypt_stat,
420 struct page *dst_page,
421 struct page *src_page,
422 unsigned long extent_offset, int op)
423{
424 pgoff_t page_index = op == ENCRYPT ? src_page->index : dst_page->index;
425 loff_t extent_base;
426 char extent_iv[ECRYPTFS_MAX_IV_BYTES];
427 struct scatterlist src_sg, dst_sg;
428 size_t extent_size = crypt_stat->extent_size;
429 int rc;
430
431 extent_base = (((loff_t)page_index) * (PAGE_SIZE / extent_size));
432 rc = ecryptfs_derive_iv(extent_iv, crypt_stat,
433 (extent_base + extent_offset));
434 if (rc) {
435 ecryptfs_printk(KERN_ERR, "Error attempting to derive IV for "
436 "extent [0x%.16llx]; rc = [%d]\n",
437 (unsigned long long)(extent_base + extent_offset), rc);
438 goto out;
439 }
440
441 sg_init_table(&src_sg, 1);
442 sg_init_table(&dst_sg, 1);
443
444 sg_set_page(&src_sg, src_page, extent_size,
445 extent_offset * extent_size);
446 sg_set_page(&dst_sg, dst_page, extent_size,
447 extent_offset * extent_size);
448
449 rc = crypt_scatterlist(crypt_stat, &dst_sg, &src_sg, extent_size,
450 extent_iv, op);
451 if (rc < 0) {
452 printk(KERN_ERR "%s: Error attempting to crypt page with "
453 "page_index = [%ld], extent_offset = [%ld]; "
454 "rc = [%d]\n", __func__, page_index, extent_offset, rc);
455 goto out;
456 }
457 rc = 0;
458out:
459 return rc;
460}
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478int ecryptfs_encrypt_page(struct page *page)
479{
480 struct inode *ecryptfs_inode;
481 struct ecryptfs_crypt_stat *crypt_stat;
482 char *enc_extent_virt;
483 struct page *enc_extent_page = NULL;
484 loff_t extent_offset;
485 loff_t lower_offset;
486 int rc = 0;
487
488 ecryptfs_inode = page->mapping->host;
489 crypt_stat =
490 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
491 BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED));
492 enc_extent_page = alloc_page(GFP_USER);
493 if (!enc_extent_page) {
494 rc = -ENOMEM;
495 ecryptfs_printk(KERN_ERR, "Error allocating memory for "
496 "encrypted extent\n");
497 goto out;
498 }
499
500 for (extent_offset = 0;
501 extent_offset < (PAGE_SIZE / crypt_stat->extent_size);
502 extent_offset++) {
503 rc = crypt_extent(crypt_stat, enc_extent_page, page,
504 extent_offset, ENCRYPT);
505 if (rc) {
506 printk(KERN_ERR "%s: Error encrypting extent; "
507 "rc = [%d]\n", __func__, rc);
508 goto out;
509 }
510 }
511
512 lower_offset = lower_offset_for_page(crypt_stat, page);
513 enc_extent_virt = kmap(enc_extent_page);
514 rc = ecryptfs_write_lower(ecryptfs_inode, enc_extent_virt, lower_offset,
515 PAGE_SIZE);
516 kunmap(enc_extent_page);
517 if (rc < 0) {
518 ecryptfs_printk(KERN_ERR,
519 "Error attempting to write lower page; rc = [%d]\n",
520 rc);
521 goto out;
522 }
523 rc = 0;
524out:
525 if (enc_extent_page) {
526 __free_page(enc_extent_page);
527 }
528 return rc;
529}
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547int ecryptfs_decrypt_page(struct page *page)
548{
549 struct inode *ecryptfs_inode;
550 struct ecryptfs_crypt_stat *crypt_stat;
551 char *page_virt;
552 unsigned long extent_offset;
553 loff_t lower_offset;
554 int rc = 0;
555
556 ecryptfs_inode = page->mapping->host;
557 crypt_stat =
558 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
559 BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED));
560
561 lower_offset = lower_offset_for_page(crypt_stat, page);
562 page_virt = kmap(page);
563 rc = ecryptfs_read_lower(page_virt, lower_offset, PAGE_SIZE,
564 ecryptfs_inode);
565 kunmap(page);
566 if (rc < 0) {
567 ecryptfs_printk(KERN_ERR,
568 "Error attempting to read lower page; rc = [%d]\n",
569 rc);
570 goto out;
571 }
572
573 for (extent_offset = 0;
574 extent_offset < (PAGE_SIZE / crypt_stat->extent_size);
575 extent_offset++) {
576 rc = crypt_extent(crypt_stat, page, page,
577 extent_offset, DECRYPT);
578 if (rc) {
579 printk(KERN_ERR "%s: Error encrypting extent; "
580 "rc = [%d]\n", __func__, rc);
581 goto out;
582 }
583 }
584out:
585 return rc;
586}
587
588#define ECRYPTFS_MAX_SCATTERLIST_LEN 4
589
590
591
592
593
594
595
596
597
598
599int ecryptfs_init_crypt_ctx(struct ecryptfs_crypt_stat *crypt_stat)
600{
601 char *full_alg_name;
602 int rc = -EINVAL;
603
604 ecryptfs_printk(KERN_DEBUG,
605 "Initializing cipher [%s]; strlen = [%d]; "
606 "key_size_bits = [%zd]\n",
607 crypt_stat->cipher, (int)strlen(crypt_stat->cipher),
608 crypt_stat->key_size << 3);
609 mutex_lock(&crypt_stat->cs_tfm_mutex);
610 if (crypt_stat->tfm) {
611 rc = 0;
612 goto out_unlock;
613 }
614 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name,
615 crypt_stat->cipher, "cbc");
616 if (rc)
617 goto out_unlock;
618 crypt_stat->tfm = crypto_alloc_skcipher(full_alg_name, 0, 0);
619 if (IS_ERR(crypt_stat->tfm)) {
620 rc = PTR_ERR(crypt_stat->tfm);
621 crypt_stat->tfm = NULL;
622 ecryptfs_printk(KERN_ERR, "cryptfs: init_crypt_ctx(): "
623 "Error initializing cipher [%s]\n",
624 full_alg_name);
625 goto out_free;
626 }
627 crypto_skcipher_set_flags(crypt_stat->tfm, CRYPTO_TFM_REQ_WEAK_KEY);
628 rc = 0;
629out_free:
630 kfree(full_alg_name);
631out_unlock:
632 mutex_unlock(&crypt_stat->cs_tfm_mutex);
633 return rc;
634}
635
636static void set_extent_mask_and_shift(struct ecryptfs_crypt_stat *crypt_stat)
637{
638 int extent_size_tmp;
639
640 crypt_stat->extent_mask = 0xFFFFFFFF;
641 crypt_stat->extent_shift = 0;
642 if (crypt_stat->extent_size == 0)
643 return;
644 extent_size_tmp = crypt_stat->extent_size;
645 while ((extent_size_tmp & 0x01) == 0) {
646 extent_size_tmp >>= 1;
647 crypt_stat->extent_mask <<= 1;
648 crypt_stat->extent_shift++;
649 }
650}
651
652void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat)
653{
654
655
656 crypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE;
657 set_extent_mask_and_shift(crypt_stat);
658 crypt_stat->iv_bytes = ECRYPTFS_DEFAULT_IV_BYTES;
659 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
660 crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
661 else {
662 if (PAGE_SIZE <= ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)
663 crypt_stat->metadata_size =
664 ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
665 else
666 crypt_stat->metadata_size = PAGE_SIZE;
667 }
668}
669
670
671
672
673
674
675
676int ecryptfs_compute_root_iv(struct ecryptfs_crypt_stat *crypt_stat)
677{
678 int rc = 0;
679 char dst[MD5_DIGEST_SIZE];
680
681 BUG_ON(crypt_stat->iv_bytes > MD5_DIGEST_SIZE);
682 BUG_ON(crypt_stat->iv_bytes <= 0);
683 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {
684 rc = -EINVAL;
685 ecryptfs_printk(KERN_WARNING, "Session key not valid; "
686 "cannot generate root IV\n");
687 goto out;
688 }
689 rc = ecryptfs_calculate_md5(dst, crypt_stat, crypt_stat->key,
690 crypt_stat->key_size);
691 if (rc) {
692 ecryptfs_printk(KERN_WARNING, "Error attempting to compute "
693 "MD5 while generating root IV\n");
694 goto out;
695 }
696 memcpy(crypt_stat->root_iv, dst, crypt_stat->iv_bytes);
697out:
698 if (rc) {
699 memset(crypt_stat->root_iv, 0, crypt_stat->iv_bytes);
700 crypt_stat->flags |= ECRYPTFS_SECURITY_WARNING;
701 }
702 return rc;
703}
704
705static void ecryptfs_generate_new_key(struct ecryptfs_crypt_stat *crypt_stat)
706{
707 get_random_bytes(crypt_stat->key, crypt_stat->key_size);
708 crypt_stat->flags |= ECRYPTFS_KEY_VALID;
709 ecryptfs_compute_root_iv(crypt_stat);
710 if (unlikely(ecryptfs_verbosity > 0)) {
711 ecryptfs_printk(KERN_DEBUG, "Generated new session key:\n");
712 ecryptfs_dump_hex(crypt_stat->key,
713 crypt_stat->key_size);
714 }
715}
716
717
718
719
720
721
722
723
724
725static void ecryptfs_copy_mount_wide_flags_to_inode_flags(
726 struct ecryptfs_crypt_stat *crypt_stat,
727 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
728{
729 if (mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED)
730 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
731 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
732 crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED;
733 if (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) {
734 crypt_stat->flags |= ECRYPTFS_ENCRYPT_FILENAMES;
735 if (mount_crypt_stat->flags
736 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)
737 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_MOUNT_FNEK;
738 else if (mount_crypt_stat->flags
739 & ECRYPTFS_GLOBAL_ENCFN_USE_FEK)
740 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_FEK;
741 }
742}
743
744static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs(
745 struct ecryptfs_crypt_stat *crypt_stat,
746 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
747{
748 struct ecryptfs_global_auth_tok *global_auth_tok;
749 int rc = 0;
750
751 mutex_lock(&crypt_stat->keysig_list_mutex);
752 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
753
754 list_for_each_entry(global_auth_tok,
755 &mount_crypt_stat->global_auth_tok_list,
756 mount_crypt_stat_list) {
757 if (global_auth_tok->flags & ECRYPTFS_AUTH_TOK_FNEK)
758 continue;
759 rc = ecryptfs_add_keysig(crypt_stat, global_auth_tok->sig);
760 if (rc) {
761 printk(KERN_ERR "Error adding keysig; rc = [%d]\n", rc);
762 goto out;
763 }
764 }
765
766out:
767 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
768 mutex_unlock(&crypt_stat->keysig_list_mutex);
769 return rc;
770}
771
772
773
774
775
776
777
778
779static void ecryptfs_set_default_crypt_stat_vals(
780 struct ecryptfs_crypt_stat *crypt_stat,
781 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
782{
783 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
784 mount_crypt_stat);
785 ecryptfs_set_default_sizes(crypt_stat);
786 strcpy(crypt_stat->cipher, ECRYPTFS_DEFAULT_CIPHER);
787 crypt_stat->key_size = ECRYPTFS_DEFAULT_KEY_BYTES;
788 crypt_stat->flags &= ~(ECRYPTFS_KEY_VALID);
789 crypt_stat->file_version = ECRYPTFS_FILE_VERSION;
790 crypt_stat->mount_crypt_stat = mount_crypt_stat;
791}
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812int ecryptfs_new_file_context(struct inode *ecryptfs_inode)
813{
814 struct ecryptfs_crypt_stat *crypt_stat =
815 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
816 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
817 &ecryptfs_superblock_to_private(
818 ecryptfs_inode->i_sb)->mount_crypt_stat;
819 int cipher_name_len;
820 int rc = 0;
821
822 ecryptfs_set_default_crypt_stat_vals(crypt_stat, mount_crypt_stat);
823 crypt_stat->flags |= (ECRYPTFS_ENCRYPTED | ECRYPTFS_KEY_VALID);
824 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
825 mount_crypt_stat);
826 rc = ecryptfs_copy_mount_wide_sigs_to_inode_sigs(crypt_stat,
827 mount_crypt_stat);
828 if (rc) {
829 printk(KERN_ERR "Error attempting to copy mount-wide key sigs "
830 "to the inode key sigs; rc = [%d]\n", rc);
831 goto out;
832 }
833 cipher_name_len =
834 strlen(mount_crypt_stat->global_default_cipher_name);
835 memcpy(crypt_stat->cipher,
836 mount_crypt_stat->global_default_cipher_name,
837 cipher_name_len);
838 crypt_stat->cipher[cipher_name_len] = '\0';
839 crypt_stat->key_size =
840 mount_crypt_stat->global_default_cipher_key_size;
841 ecryptfs_generate_new_key(crypt_stat);
842 rc = ecryptfs_init_crypt_ctx(crypt_stat);
843 if (rc)
844 ecryptfs_printk(KERN_ERR, "Error initializing cryptographic "
845 "context for cipher [%s]: rc = [%d]\n",
846 crypt_stat->cipher, rc);
847out:
848 return rc;
849}
850
851
852
853
854
855
856
857static int ecryptfs_validate_marker(char *data)
858{
859 u32 m_1, m_2;
860
861 m_1 = get_unaligned_be32(data);
862 m_2 = get_unaligned_be32(data + 4);
863 if ((m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2)
864 return 0;
865 ecryptfs_printk(KERN_DEBUG, "m_1 = [0x%.8x]; m_2 = [0x%.8x]; "
866 "MAGIC_ECRYPTFS_MARKER = [0x%.8x]\n", m_1, m_2,
867 MAGIC_ECRYPTFS_MARKER);
868 ecryptfs_printk(KERN_DEBUG, "(m_1 ^ MAGIC_ECRYPTFS_MARKER) = "
869 "[0x%.8x]\n", (m_1 ^ MAGIC_ECRYPTFS_MARKER));
870 return -EINVAL;
871}
872
873struct ecryptfs_flag_map_elem {
874 u32 file_flag;
875 u32 local_flag;
876};
877
878
879static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = {
880 {0x00000001, ECRYPTFS_ENABLE_HMAC},
881 {0x00000002, ECRYPTFS_ENCRYPTED},
882 {0x00000004, ECRYPTFS_METADATA_IN_XATTR},
883 {0x00000008, ECRYPTFS_ENCRYPT_FILENAMES}
884};
885
886
887
888
889
890
891
892
893
894static int ecryptfs_process_flags(struct ecryptfs_crypt_stat *crypt_stat,
895 char *page_virt, int *bytes_read)
896{
897 int rc = 0;
898 int i;
899 u32 flags;
900
901 flags = get_unaligned_be32(page_virt);
902 for (i = 0; i < ((sizeof(ecryptfs_flag_map)
903 / sizeof(struct ecryptfs_flag_map_elem))); i++)
904 if (flags & ecryptfs_flag_map[i].file_flag) {
905 crypt_stat->flags |= ecryptfs_flag_map[i].local_flag;
906 } else
907 crypt_stat->flags &= ~(ecryptfs_flag_map[i].local_flag);
908
909 crypt_stat->file_version = ((flags >> 24) & 0xFF);
910 (*bytes_read) = 4;
911 return rc;
912}
913
914
915
916
917
918
919
920
921static void write_ecryptfs_marker(char *page_virt, size_t *written)
922{
923 u32 m_1, m_2;
924
925 get_random_bytes(&m_1, (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2));
926 m_2 = (m_1 ^ MAGIC_ECRYPTFS_MARKER);
927 put_unaligned_be32(m_1, page_virt);
928 page_virt += (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2);
929 put_unaligned_be32(m_2, page_virt);
930 (*written) = MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;
931}
932
933void ecryptfs_write_crypt_stat_flags(char *page_virt,
934 struct ecryptfs_crypt_stat *crypt_stat,
935 size_t *written)
936{
937 u32 flags = 0;
938 int i;
939
940 for (i = 0; i < ((sizeof(ecryptfs_flag_map)
941 / sizeof(struct ecryptfs_flag_map_elem))); i++)
942 if (crypt_stat->flags & ecryptfs_flag_map[i].local_flag)
943 flags |= ecryptfs_flag_map[i].file_flag;
944
945 flags |= ((((u8)crypt_stat->file_version) << 24) & 0xFF000000);
946 put_unaligned_be32(flags, page_virt);
947 (*written) = 4;
948}
949
950struct ecryptfs_cipher_code_str_map_elem {
951 char cipher_str[16];
952 u8 cipher_code;
953};
954
955
956
957
958static struct ecryptfs_cipher_code_str_map_elem
959ecryptfs_cipher_code_str_map[] = {
960 {"aes",RFC2440_CIPHER_AES_128 },
961 {"blowfish", RFC2440_CIPHER_BLOWFISH},
962 {"des3_ede", RFC2440_CIPHER_DES3_EDE},
963 {"cast5", RFC2440_CIPHER_CAST_5},
964 {"twofish", RFC2440_CIPHER_TWOFISH},
965 {"cast6", RFC2440_CIPHER_CAST_6},
966 {"aes", RFC2440_CIPHER_AES_192},
967 {"aes", RFC2440_CIPHER_AES_256}
968};
969
970
971
972
973
974
975
976
977u8 ecryptfs_code_for_cipher_string(char *cipher_name, size_t key_bytes)
978{
979 int i;
980 u8 code = 0;
981 struct ecryptfs_cipher_code_str_map_elem *map =
982 ecryptfs_cipher_code_str_map;
983
984 if (strcmp(cipher_name, "aes") == 0) {
985 switch (key_bytes) {
986 case 16:
987 code = RFC2440_CIPHER_AES_128;
988 break;
989 case 24:
990 code = RFC2440_CIPHER_AES_192;
991 break;
992 case 32:
993 code = RFC2440_CIPHER_AES_256;
994 }
995 } else {
996 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++)
997 if (strcmp(cipher_name, map[i].cipher_str) == 0) {
998 code = map[i].cipher_code;
999 break;
1000 }
1001 }
1002 return code;
1003}
1004
1005
1006
1007
1008
1009
1010
1011
1012int ecryptfs_cipher_code_to_string(char *str, u8 cipher_code)
1013{
1014 int rc = 0;
1015 int i;
1016
1017 str[0] = '\0';
1018 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++)
1019 if (cipher_code == ecryptfs_cipher_code_str_map[i].cipher_code)
1020 strcpy(str, ecryptfs_cipher_code_str_map[i].cipher_str);
1021 if (str[0] == '\0') {
1022 ecryptfs_printk(KERN_WARNING, "Cipher code not recognized: "
1023 "[%d]\n", cipher_code);
1024 rc = -EINVAL;
1025 }
1026 return rc;
1027}
1028
1029int ecryptfs_read_and_validate_header_region(struct inode *inode)
1030{
1031 u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES];
1032 u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES;
1033 int rc;
1034
1035 rc = ecryptfs_read_lower(file_size, 0, ECRYPTFS_SIZE_AND_MARKER_BYTES,
1036 inode);
1037 if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
1038 return rc >= 0 ? -EINVAL : rc;
1039 rc = ecryptfs_validate_marker(marker);
1040 if (!rc)
1041 ecryptfs_i_size_init(file_size, inode);
1042 return rc;
1043}
1044
1045void
1046ecryptfs_write_header_metadata(char *virt,
1047 struct ecryptfs_crypt_stat *crypt_stat,
1048 size_t *written)
1049{
1050 u32 header_extent_size;
1051 u16 num_header_extents_at_front;
1052
1053 header_extent_size = (u32)crypt_stat->extent_size;
1054 num_header_extents_at_front =
1055 (u16)(crypt_stat->metadata_size / crypt_stat->extent_size);
1056 put_unaligned_be32(header_extent_size, virt);
1057 virt += 4;
1058 put_unaligned_be16(num_header_extents_at_front, virt);
1059 (*written) = 6;
1060}
1061
1062struct kmem_cache *ecryptfs_header_cache;
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095static int ecryptfs_write_headers_virt(char *page_virt, size_t max,
1096 size_t *size,
1097 struct ecryptfs_crypt_stat *crypt_stat,
1098 struct dentry *ecryptfs_dentry)
1099{
1100 int rc;
1101 size_t written;
1102 size_t offset;
1103
1104 offset = ECRYPTFS_FILE_SIZE_BYTES;
1105 write_ecryptfs_marker((page_virt + offset), &written);
1106 offset += written;
1107 ecryptfs_write_crypt_stat_flags((page_virt + offset), crypt_stat,
1108 &written);
1109 offset += written;
1110 ecryptfs_write_header_metadata((page_virt + offset), crypt_stat,
1111 &written);
1112 offset += written;
1113 rc = ecryptfs_generate_key_packet_set((page_virt + offset), crypt_stat,
1114 ecryptfs_dentry, &written,
1115 max - offset);
1116 if (rc)
1117 ecryptfs_printk(KERN_WARNING, "Error generating key packet "
1118 "set; rc = [%d]\n", rc);
1119 if (size) {
1120 offset += written;
1121 *size = offset;
1122 }
1123 return rc;
1124}
1125
1126static int
1127ecryptfs_write_metadata_to_contents(struct inode *ecryptfs_inode,
1128 char *virt, size_t virt_len)
1129{
1130 int rc;
1131
1132 rc = ecryptfs_write_lower(ecryptfs_inode, virt,
1133 0, virt_len);
1134 if (rc < 0)
1135 printk(KERN_ERR "%s: Error attempting to write header "
1136 "information to lower file; rc = [%d]\n", __func__, rc);
1137 else
1138 rc = 0;
1139 return rc;
1140}
1141
1142static int
1143ecryptfs_write_metadata_to_xattr(struct dentry *ecryptfs_dentry,
1144 char *page_virt, size_t size)
1145{
1146 int rc;
1147
1148 rc = ecryptfs_setxattr(ecryptfs_dentry, ECRYPTFS_XATTR_NAME, page_virt,
1149 size, 0);
1150 return rc;
1151}
1152
1153static unsigned long ecryptfs_get_zeroed_pages(gfp_t gfp_mask,
1154 unsigned int order)
1155{
1156 struct page *page;
1157
1158 page = alloc_pages(gfp_mask | __GFP_ZERO, order);
1159 if (page)
1160 return (unsigned long) page_address(page);
1161 return 0;
1162}
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry,
1178 struct inode *ecryptfs_inode)
1179{
1180 struct ecryptfs_crypt_stat *crypt_stat =
1181 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
1182 unsigned int order;
1183 char *virt;
1184 size_t virt_len;
1185 size_t size = 0;
1186 int rc = 0;
1187
1188 if (likely(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) {
1189 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {
1190 printk(KERN_ERR "Key is invalid; bailing out\n");
1191 rc = -EINVAL;
1192 goto out;
1193 }
1194 } else {
1195 printk(KERN_WARNING "%s: Encrypted flag not set\n",
1196 __func__);
1197 rc = -EINVAL;
1198 goto out;
1199 }
1200 virt_len = crypt_stat->metadata_size;
1201 order = get_order(virt_len);
1202
1203 virt = (char *)ecryptfs_get_zeroed_pages(GFP_KERNEL, order);
1204 if (!virt) {
1205 printk(KERN_ERR "%s: Out of memory\n", __func__);
1206 rc = -ENOMEM;
1207 goto out;
1208 }
1209
1210 rc = ecryptfs_write_headers_virt(virt, virt_len, &size, crypt_stat,
1211 ecryptfs_dentry);
1212 if (unlikely(rc)) {
1213 printk(KERN_ERR "%s: Error whilst writing headers; rc = [%d]\n",
1214 __func__, rc);
1215 goto out_free;
1216 }
1217 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
1218 rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, virt,
1219 size);
1220 else
1221 rc = ecryptfs_write_metadata_to_contents(ecryptfs_inode, virt,
1222 virt_len);
1223 if (rc) {
1224 printk(KERN_ERR "%s: Error writing metadata out to lower file; "
1225 "rc = [%d]\n", __func__, rc);
1226 goto out_free;
1227 }
1228out_free:
1229 free_pages((unsigned long)virt, order);
1230out:
1231 return rc;
1232}
1233
1234#define ECRYPTFS_DONT_VALIDATE_HEADER_SIZE 0
1235#define ECRYPTFS_VALIDATE_HEADER_SIZE 1
1236static int parse_header_metadata(struct ecryptfs_crypt_stat *crypt_stat,
1237 char *virt, int *bytes_read,
1238 int validate_header_size)
1239{
1240 int rc = 0;
1241 u32 header_extent_size;
1242 u16 num_header_extents_at_front;
1243
1244 header_extent_size = get_unaligned_be32(virt);
1245 virt += sizeof(__be32);
1246 num_header_extents_at_front = get_unaligned_be16(virt);
1247 crypt_stat->metadata_size = (((size_t)num_header_extents_at_front
1248 * (size_t)header_extent_size));
1249 (*bytes_read) = (sizeof(__be32) + sizeof(__be16));
1250 if ((validate_header_size == ECRYPTFS_VALIDATE_HEADER_SIZE)
1251 && (crypt_stat->metadata_size
1252 < ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)) {
1253 rc = -EINVAL;
1254 printk(KERN_WARNING "Invalid header size: [%zd]\n",
1255 crypt_stat->metadata_size);
1256 }
1257 return rc;
1258}
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat)
1269{
1270 crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
1271}
1272
1273void ecryptfs_i_size_init(const char *page_virt, struct inode *inode)
1274{
1275 struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
1276 struct ecryptfs_crypt_stat *crypt_stat;
1277 u64 file_size;
1278
1279 crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat;
1280 mount_crypt_stat =
1281 &ecryptfs_superblock_to_private(inode->i_sb)->mount_crypt_stat;
1282 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) {
1283 file_size = i_size_read(ecryptfs_inode_to_lower(inode));
1284 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
1285 file_size += crypt_stat->metadata_size;
1286 } else
1287 file_size = get_unaligned_be64(page_virt);
1288 i_size_write(inode, (loff_t)file_size);
1289 crypt_stat->flags |= ECRYPTFS_I_SIZE_INITIALIZED;
1290}
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304static int ecryptfs_read_headers_virt(char *page_virt,
1305 struct ecryptfs_crypt_stat *crypt_stat,
1306 struct dentry *ecryptfs_dentry,
1307 int validate_header_size)
1308{
1309 int rc = 0;
1310 int offset;
1311 int bytes_read;
1312
1313 ecryptfs_set_default_sizes(crypt_stat);
1314 crypt_stat->mount_crypt_stat = &ecryptfs_superblock_to_private(
1315 ecryptfs_dentry->d_sb)->mount_crypt_stat;
1316 offset = ECRYPTFS_FILE_SIZE_BYTES;
1317 rc = ecryptfs_validate_marker(page_virt + offset);
1318 if (rc)
1319 goto out;
1320 if (!(crypt_stat->flags & ECRYPTFS_I_SIZE_INITIALIZED))
1321 ecryptfs_i_size_init(page_virt, d_inode(ecryptfs_dentry));
1322 offset += MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;
1323 rc = ecryptfs_process_flags(crypt_stat, (page_virt + offset),
1324 &bytes_read);
1325 if (rc) {
1326 ecryptfs_printk(KERN_WARNING, "Error processing flags\n");
1327 goto out;
1328 }
1329 if (crypt_stat->file_version > ECRYPTFS_SUPPORTED_FILE_VERSION) {
1330 ecryptfs_printk(KERN_WARNING, "File version is [%d]; only "
1331 "file version [%d] is supported by this "
1332 "version of eCryptfs\n",
1333 crypt_stat->file_version,
1334 ECRYPTFS_SUPPORTED_FILE_VERSION);
1335 rc = -EINVAL;
1336 goto out;
1337 }
1338 offset += bytes_read;
1339 if (crypt_stat->file_version >= 1) {
1340 rc = parse_header_metadata(crypt_stat, (page_virt + offset),
1341 &bytes_read, validate_header_size);
1342 if (rc) {
1343 ecryptfs_printk(KERN_WARNING, "Error reading header "
1344 "metadata; rc = [%d]\n", rc);
1345 }
1346 offset += bytes_read;
1347 } else
1348 set_default_header_data(crypt_stat);
1349 rc = ecryptfs_parse_packet_set(crypt_stat, (page_virt + offset),
1350 ecryptfs_dentry);
1351out:
1352 return rc;
1353}
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365int ecryptfs_read_xattr_region(char *page_virt, struct inode *ecryptfs_inode)
1366{
1367 struct dentry *lower_dentry =
1368 ecryptfs_inode_to_private(ecryptfs_inode)->lower_file->f_path.dentry;
1369 ssize_t size;
1370 int rc = 0;
1371
1372 size = ecryptfs_getxattr_lower(lower_dentry, ECRYPTFS_XATTR_NAME,
1373 page_virt, ECRYPTFS_DEFAULT_EXTENT_SIZE);
1374 if (size < 0) {
1375 if (unlikely(ecryptfs_verbosity > 0))
1376 printk(KERN_INFO "Error attempting to read the [%s] "
1377 "xattr from the lower file; return value = "
1378 "[%zd]\n", ECRYPTFS_XATTR_NAME, size);
1379 rc = -EINVAL;
1380 goto out;
1381 }
1382out:
1383 return rc;
1384}
1385
1386int ecryptfs_read_and_validate_xattr_region(struct dentry *dentry,
1387 struct inode *inode)
1388{
1389 u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES];
1390 u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES;
1391 int rc;
1392
1393 rc = ecryptfs_getxattr_lower(ecryptfs_dentry_to_lower(dentry),
1394 ECRYPTFS_XATTR_NAME, file_size,
1395 ECRYPTFS_SIZE_AND_MARKER_BYTES);
1396 if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
1397 return rc >= 0 ? -EINVAL : rc;
1398 rc = ecryptfs_validate_marker(marker);
1399 if (!rc)
1400 ecryptfs_i_size_init(file_size, inode);
1401 return rc;
1402}
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)
1417{
1418 int rc;
1419 char *page_virt;
1420 struct inode *ecryptfs_inode = d_inode(ecryptfs_dentry);
1421 struct ecryptfs_crypt_stat *crypt_stat =
1422 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
1423 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
1424 &ecryptfs_superblock_to_private(
1425 ecryptfs_dentry->d_sb)->mount_crypt_stat;
1426
1427 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
1428 mount_crypt_stat);
1429
1430 page_virt = kmem_cache_alloc(ecryptfs_header_cache, GFP_USER);
1431 if (!page_virt) {
1432 rc = -ENOMEM;
1433 printk(KERN_ERR "%s: Unable to allocate page_virt\n",
1434 __func__);
1435 goto out;
1436 }
1437 rc = ecryptfs_read_lower(page_virt, 0, crypt_stat->extent_size,
1438 ecryptfs_inode);
1439 if (rc >= 0)
1440 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat,
1441 ecryptfs_dentry,
1442 ECRYPTFS_VALIDATE_HEADER_SIZE);
1443 if (rc) {
1444
1445 memset(page_virt, 0, PAGE_SIZE);
1446 rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode);
1447 if (rc) {
1448 printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1449 "file header region or xattr region, inode %lu\n",
1450 ecryptfs_inode->i_ino);
1451 rc = -EINVAL;
1452 goto out;
1453 }
1454 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat,
1455 ecryptfs_dentry,
1456 ECRYPTFS_DONT_VALIDATE_HEADER_SIZE);
1457 if (rc) {
1458 printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1459 "file xattr region either, inode %lu\n",
1460 ecryptfs_inode->i_ino);
1461 rc = -EINVAL;
1462 }
1463 if (crypt_stat->mount_crypt_stat->flags
1464 & ECRYPTFS_XATTR_METADATA_ENABLED) {
1465 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
1466 } else {
1467 printk(KERN_WARNING "Attempt to access file with "
1468 "crypto metadata only in the extended attribute "
1469 "region, but eCryptfs was mounted without "
1470 "xattr support enabled. eCryptfs will not treat "
1471 "this like an encrypted file, inode %lu\n",
1472 ecryptfs_inode->i_ino);
1473 rc = -EINVAL;
1474 }
1475 }
1476out:
1477 if (page_virt) {
1478 memset(page_virt, 0, PAGE_SIZE);
1479 kmem_cache_free(ecryptfs_header_cache, page_virt);
1480 }
1481 return rc;
1482}
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493static int
1494ecryptfs_encrypt_filename(struct ecryptfs_filename *filename,
1495 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
1496{
1497 int rc = 0;
1498
1499 filename->encrypted_filename = NULL;
1500 filename->encrypted_filename_size = 0;
1501 if (mount_crypt_stat && (mount_crypt_stat->flags
1502 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)) {
1503 size_t packet_size;
1504 size_t remaining_bytes;
1505
1506 rc = ecryptfs_write_tag_70_packet(
1507 NULL, NULL,
1508 &filename->encrypted_filename_size,
1509 mount_crypt_stat, NULL,
1510 filename->filename_size);
1511 if (rc) {
1512 printk(KERN_ERR "%s: Error attempting to get packet "
1513 "size for tag 72; rc = [%d]\n", __func__,
1514 rc);
1515 filename->encrypted_filename_size = 0;
1516 goto out;
1517 }
1518 filename->encrypted_filename =
1519 kmalloc(filename->encrypted_filename_size, GFP_KERNEL);
1520 if (!filename->encrypted_filename) {
1521 printk(KERN_ERR "%s: Out of memory whilst attempting "
1522 "to kmalloc [%zd] bytes\n", __func__,
1523 filename->encrypted_filename_size);
1524 rc = -ENOMEM;
1525 goto out;
1526 }
1527 remaining_bytes = filename->encrypted_filename_size;
1528 rc = ecryptfs_write_tag_70_packet(filename->encrypted_filename,
1529 &remaining_bytes,
1530 &packet_size,
1531 mount_crypt_stat,
1532 filename->filename,
1533 filename->filename_size);
1534 if (rc) {
1535 printk(KERN_ERR "%s: Error attempting to generate "
1536 "tag 70 packet; rc = [%d]\n", __func__,
1537 rc);
1538 kfree(filename->encrypted_filename);
1539 filename->encrypted_filename = NULL;
1540 filename->encrypted_filename_size = 0;
1541 goto out;
1542 }
1543 filename->encrypted_filename_size = packet_size;
1544 } else {
1545 printk(KERN_ERR "%s: No support for requested filename "
1546 "encryption method in this release\n", __func__);
1547 rc = -EOPNOTSUPP;
1548 goto out;
1549 }
1550out:
1551 return rc;
1552}
1553
1554static int ecryptfs_copy_filename(char **copied_name, size_t *copied_name_size,
1555 const char *name, size_t name_size)
1556{
1557 int rc = 0;
1558
1559 (*copied_name) = kmalloc((name_size + 1), GFP_KERNEL);
1560 if (!(*copied_name)) {
1561 rc = -ENOMEM;
1562 goto out;
1563 }
1564 memcpy((void *)(*copied_name), (void *)name, name_size);
1565 (*copied_name)[(name_size)] = '\0';
1566
1567
1568
1569 (*copied_name_size) = name_size;
1570out:
1571 return rc;
1572}
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584static int
1585ecryptfs_process_key_cipher(struct crypto_skcipher **key_tfm,
1586 char *cipher_name, size_t *key_size)
1587{
1588 char dummy_key[ECRYPTFS_MAX_KEY_BYTES];
1589 char *full_alg_name = NULL;
1590 int rc;
1591
1592 *key_tfm = NULL;
1593 if (*key_size > ECRYPTFS_MAX_KEY_BYTES) {
1594 rc = -EINVAL;
1595 printk(KERN_ERR "Requested key size is [%zd] bytes; maximum "
1596 "allowable is [%d]\n", *key_size, ECRYPTFS_MAX_KEY_BYTES);
1597 goto out;
1598 }
1599 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, cipher_name,
1600 "ecb");
1601 if (rc)
1602 goto out;
1603 *key_tfm = crypto_alloc_skcipher(full_alg_name, 0, CRYPTO_ALG_ASYNC);
1604 if (IS_ERR(*key_tfm)) {
1605 rc = PTR_ERR(*key_tfm);
1606 printk(KERN_ERR "Unable to allocate crypto cipher with name "
1607 "[%s]; rc = [%d]\n", full_alg_name, rc);
1608 goto out;
1609 }
1610 crypto_skcipher_set_flags(*key_tfm, CRYPTO_TFM_REQ_WEAK_KEY);
1611 if (*key_size == 0)
1612 *key_size = crypto_skcipher_default_keysize(*key_tfm);
1613 get_random_bytes(dummy_key, *key_size);
1614 rc = crypto_skcipher_setkey(*key_tfm, dummy_key, *key_size);
1615 if (rc) {
1616 printk(KERN_ERR "Error attempting to set key of size [%zd] for "
1617 "cipher [%s]; rc = [%d]\n", *key_size, full_alg_name,
1618 rc);
1619 rc = -EINVAL;
1620 goto out;
1621 }
1622out:
1623 kfree(full_alg_name);
1624 return rc;
1625}
1626
1627struct kmem_cache *ecryptfs_key_tfm_cache;
1628static struct list_head key_tfm_list;
1629struct mutex key_tfm_list_mutex;
1630
1631int __init ecryptfs_init_crypto(void)
1632{
1633 mutex_init(&key_tfm_list_mutex);
1634 INIT_LIST_HEAD(&key_tfm_list);
1635 return 0;
1636}
1637
1638
1639
1640
1641
1642
1643int ecryptfs_destroy_crypto(void)
1644{
1645 struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp;
1646
1647 mutex_lock(&key_tfm_list_mutex);
1648 list_for_each_entry_safe(key_tfm, key_tfm_tmp, &key_tfm_list,
1649 key_tfm_list) {
1650 list_del(&key_tfm->key_tfm_list);
1651 crypto_free_skcipher(key_tfm->key_tfm);
1652 kmem_cache_free(ecryptfs_key_tfm_cache, key_tfm);
1653 }
1654 mutex_unlock(&key_tfm_list_mutex);
1655 return 0;
1656}
1657
1658int
1659ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name,
1660 size_t key_size)
1661{
1662 struct ecryptfs_key_tfm *tmp_tfm;
1663 int rc = 0;
1664
1665 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1666
1667 tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL);
1668 if (key_tfm != NULL)
1669 (*key_tfm) = tmp_tfm;
1670 if (!tmp_tfm) {
1671 rc = -ENOMEM;
1672 printk(KERN_ERR "Error attempting to allocate from "
1673 "ecryptfs_key_tfm_cache\n");
1674 goto out;
1675 }
1676 mutex_init(&tmp_tfm->key_tfm_mutex);
1677 strncpy(tmp_tfm->cipher_name, cipher_name,
1678 ECRYPTFS_MAX_CIPHER_NAME_SIZE);
1679 tmp_tfm->cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0';
1680 tmp_tfm->key_size = key_size;
1681 rc = ecryptfs_process_key_cipher(&tmp_tfm->key_tfm,
1682 tmp_tfm->cipher_name,
1683 &tmp_tfm->key_size);
1684 if (rc) {
1685 printk(KERN_ERR "Error attempting to initialize key TFM "
1686 "cipher with name = [%s]; rc = [%d]\n",
1687 tmp_tfm->cipher_name, rc);
1688 kmem_cache_free(ecryptfs_key_tfm_cache, tmp_tfm);
1689 if (key_tfm != NULL)
1690 (*key_tfm) = NULL;
1691 goto out;
1692 }
1693 list_add(&tmp_tfm->key_tfm_list, &key_tfm_list);
1694out:
1695 return rc;
1696}
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708int ecryptfs_tfm_exists(char *cipher_name, struct ecryptfs_key_tfm **key_tfm)
1709{
1710 struct ecryptfs_key_tfm *tmp_key_tfm;
1711
1712 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1713
1714 list_for_each_entry(tmp_key_tfm, &key_tfm_list, key_tfm_list) {
1715 if (strcmp(tmp_key_tfm->cipher_name, cipher_name) == 0) {
1716 if (key_tfm)
1717 (*key_tfm) = tmp_key_tfm;
1718 return 1;
1719 }
1720 }
1721 if (key_tfm)
1722 (*key_tfm) = NULL;
1723 return 0;
1724}
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_skcipher **tfm,
1738 struct mutex **tfm_mutex,
1739 char *cipher_name)
1740{
1741 struct ecryptfs_key_tfm *key_tfm;
1742 int rc = 0;
1743
1744 (*tfm) = NULL;
1745 (*tfm_mutex) = NULL;
1746
1747 mutex_lock(&key_tfm_list_mutex);
1748 if (!ecryptfs_tfm_exists(cipher_name, &key_tfm)) {
1749 rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0);
1750 if (rc) {
1751 printk(KERN_ERR "Error adding new key_tfm to list; "
1752 "rc = [%d]\n", rc);
1753 goto out;
1754 }
1755 }
1756 (*tfm) = key_tfm->key_tfm;
1757 (*tfm_mutex) = &key_tfm->key_tfm_mutex;
1758out:
1759 mutex_unlock(&key_tfm_list_mutex);
1760 return rc;
1761}
1762
1763
1764static unsigned char *portable_filename_chars = ("-.0123456789ABCD"
1765 "EFGHIJKLMNOPQRST"
1766 "UVWXYZabcdefghij"
1767 "klmnopqrstuvwxyz");
1768
1769
1770
1771static const unsigned char filename_rev_map[256] = {
1772 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1773 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1774 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1775 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1776 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1777 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1778 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
1779 0x0A, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1780 0x00, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12,
1781 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A,
1782 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22,
1783 0x23, 0x24, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00,
1784 0x00, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
1785 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
1786 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
1787 0x3D, 0x3E, 0x3F
1788};
1789
1790
1791
1792
1793
1794
1795
1796
1797static void ecryptfs_encode_for_filename(unsigned char *dst, size_t *dst_size,
1798 unsigned char *src, size_t src_size)
1799{
1800 size_t num_blocks;
1801 size_t block_num = 0;
1802 size_t dst_offset = 0;
1803 unsigned char last_block[3];
1804
1805 if (src_size == 0) {
1806 (*dst_size) = 0;
1807 goto out;
1808 }
1809 num_blocks = (src_size / 3);
1810 if ((src_size % 3) == 0) {
1811 memcpy(last_block, (&src[src_size - 3]), 3);
1812 } else {
1813 num_blocks++;
1814 last_block[2] = 0x00;
1815 switch (src_size % 3) {
1816 case 1:
1817 last_block[0] = src[src_size - 1];
1818 last_block[1] = 0x00;
1819 break;
1820 case 2:
1821 last_block[0] = src[src_size - 2];
1822 last_block[1] = src[src_size - 1];
1823 }
1824 }
1825 (*dst_size) = (num_blocks * 4);
1826 if (!dst)
1827 goto out;
1828 while (block_num < num_blocks) {
1829 unsigned char *src_block;
1830 unsigned char dst_block[4];
1831
1832 if (block_num == (num_blocks - 1))
1833 src_block = last_block;
1834 else
1835 src_block = &src[block_num * 3];
1836 dst_block[0] = ((src_block[0] >> 2) & 0x3F);
1837 dst_block[1] = (((src_block[0] << 4) & 0x30)
1838 | ((src_block[1] >> 4) & 0x0F));
1839 dst_block[2] = (((src_block[1] << 2) & 0x3C)
1840 | ((src_block[2] >> 6) & 0x03));
1841 dst_block[3] = (src_block[2] & 0x3F);
1842 dst[dst_offset++] = portable_filename_chars[dst_block[0]];
1843 dst[dst_offset++] = portable_filename_chars[dst_block[1]];
1844 dst[dst_offset++] = portable_filename_chars[dst_block[2]];
1845 dst[dst_offset++] = portable_filename_chars[dst_block[3]];
1846 block_num++;
1847 }
1848out:
1849 return;
1850}
1851
1852static size_t ecryptfs_max_decoded_size(size_t encoded_size)
1853{
1854
1855
1856
1857
1858
1859
1860 return ((encoded_size + 1) * 3) / 4;
1861}
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872static void
1873ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
1874 const unsigned char *src, size_t src_size)
1875{
1876 u8 current_bit_offset = 0;
1877 size_t src_byte_offset = 0;
1878 size_t dst_byte_offset = 0;
1879
1880 if (dst == NULL) {
1881 (*dst_size) = ecryptfs_max_decoded_size(src_size);
1882 goto out;
1883 }
1884 while (src_byte_offset < src_size) {
1885 unsigned char src_byte =
1886 filename_rev_map[(int)src[src_byte_offset]];
1887
1888 switch (current_bit_offset) {
1889 case 0:
1890 dst[dst_byte_offset] = (src_byte << 2);
1891 current_bit_offset = 6;
1892 break;
1893 case 6:
1894 dst[dst_byte_offset++] |= (src_byte >> 4);
1895 dst[dst_byte_offset] = ((src_byte & 0xF)
1896 << 4);
1897 current_bit_offset = 4;
1898 break;
1899 case 4:
1900 dst[dst_byte_offset++] |= (src_byte >> 2);
1901 dst[dst_byte_offset] = (src_byte << 6);
1902 current_bit_offset = 2;
1903 break;
1904 case 2:
1905 dst[dst_byte_offset++] |= (src_byte);
1906 current_bit_offset = 0;
1907 break;
1908 }
1909 src_byte_offset++;
1910 }
1911 (*dst_size) = dst_byte_offset;
1912out:
1913 return;
1914}
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931int ecryptfs_encrypt_and_encode_filename(
1932 char **encoded_name,
1933 size_t *encoded_name_size,
1934 struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
1935 const char *name, size_t name_size)
1936{
1937 size_t encoded_name_no_prefix_size;
1938 int rc = 0;
1939
1940 (*encoded_name) = NULL;
1941 (*encoded_name_size) = 0;
1942 if (mount_crypt_stat && (mount_crypt_stat->flags
1943 & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)) {
1944 struct ecryptfs_filename *filename;
1945
1946 filename = kzalloc(sizeof(*filename), GFP_KERNEL);
1947 if (!filename) {
1948 printk(KERN_ERR "%s: Out of memory whilst attempting "
1949 "to kzalloc [%zd] bytes\n", __func__,
1950 sizeof(*filename));
1951 rc = -ENOMEM;
1952 goto out;
1953 }
1954 filename->filename = (char *)name;
1955 filename->filename_size = name_size;
1956 rc = ecryptfs_encrypt_filename(filename, mount_crypt_stat);
1957 if (rc) {
1958 printk(KERN_ERR "%s: Error attempting to encrypt "
1959 "filename; rc = [%d]\n", __func__, rc);
1960 kfree(filename);
1961 goto out;
1962 }
1963 ecryptfs_encode_for_filename(
1964 NULL, &encoded_name_no_prefix_size,
1965 filename->encrypted_filename,
1966 filename->encrypted_filename_size);
1967 if (mount_crypt_stat
1968 && (mount_crypt_stat->flags
1969 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))
1970 (*encoded_name_size) =
1971 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
1972 + encoded_name_no_prefix_size);
1973 else
1974 (*encoded_name_size) =
1975 (ECRYPTFS_FEK_ENCRYPTED_FILENAME_PREFIX_SIZE
1976 + encoded_name_no_prefix_size);
1977 (*encoded_name) = kmalloc((*encoded_name_size) + 1, GFP_KERNEL);
1978 if (!(*encoded_name)) {
1979 printk(KERN_ERR "%s: Out of memory whilst attempting "
1980 "to kzalloc [%zd] bytes\n", __func__,
1981 (*encoded_name_size));
1982 rc = -ENOMEM;
1983 kfree(filename->encrypted_filename);
1984 kfree(filename);
1985 goto out;
1986 }
1987 if (mount_crypt_stat
1988 && (mount_crypt_stat->flags
1989 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)) {
1990 memcpy((*encoded_name),
1991 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
1992 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE);
1993 ecryptfs_encode_for_filename(
1994 ((*encoded_name)
1995 + ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE),
1996 &encoded_name_no_prefix_size,
1997 filename->encrypted_filename,
1998 filename->encrypted_filename_size);
1999 (*encoded_name_size) =
2000 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
2001 + encoded_name_no_prefix_size);
2002 (*encoded_name)[(*encoded_name_size)] = '\0';
2003 } else {
2004 rc = -EOPNOTSUPP;
2005 }
2006 if (rc) {
2007 printk(KERN_ERR "%s: Error attempting to encode "
2008 "encrypted filename; rc = [%d]\n", __func__,
2009 rc);
2010 kfree((*encoded_name));
2011 (*encoded_name) = NULL;
2012 (*encoded_name_size) = 0;
2013 }
2014 kfree(filename->encrypted_filename);
2015 kfree(filename);
2016 } else {
2017 rc = ecryptfs_copy_filename(encoded_name,
2018 encoded_name_size,
2019 name, name_size);
2020 }
2021out:
2022 return rc;
2023}
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037int ecryptfs_decode_and_decrypt_filename(char **plaintext_name,
2038 size_t *plaintext_name_size,
2039 struct super_block *sb,
2040 const char *name, size_t name_size)
2041{
2042 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
2043 &ecryptfs_superblock_to_private(sb)->mount_crypt_stat;
2044 char *decoded_name;
2045 size_t decoded_name_size;
2046 size_t packet_size;
2047 int rc = 0;
2048
2049 if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)
2050 && !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
2051 && (name_size > ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE)
2052 && (strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
2053 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) == 0)) {
2054 const char *orig_name = name;
2055 size_t orig_name_size = name_size;
2056
2057 name += ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2058 name_size -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2059 ecryptfs_decode_from_filename(NULL, &decoded_name_size,
2060 name, name_size);
2061 decoded_name = kmalloc(decoded_name_size, GFP_KERNEL);
2062 if (!decoded_name) {
2063 printk(KERN_ERR "%s: Out of memory whilst attempting "
2064 "to kmalloc [%zd] bytes\n", __func__,
2065 decoded_name_size);
2066 rc = -ENOMEM;
2067 goto out;
2068 }
2069 ecryptfs_decode_from_filename(decoded_name, &decoded_name_size,
2070 name, name_size);
2071 rc = ecryptfs_parse_tag_70_packet(plaintext_name,
2072 plaintext_name_size,
2073 &packet_size,
2074 mount_crypt_stat,
2075 decoded_name,
2076 decoded_name_size);
2077 if (rc) {
2078 printk(KERN_INFO "%s: Could not parse tag 70 packet "
2079 "from filename; copying through filename "
2080 "as-is\n", __func__);
2081 rc = ecryptfs_copy_filename(plaintext_name,
2082 plaintext_name_size,
2083 orig_name, orig_name_size);
2084 goto out_free;
2085 }
2086 } else {
2087 rc = ecryptfs_copy_filename(plaintext_name,
2088 plaintext_name_size,
2089 name, name_size);
2090 goto out;
2091 }
2092out_free:
2093 kfree(decoded_name);
2094out:
2095 return rc;
2096}
2097
2098#define ENC_NAME_MAX_BLOCKLEN_8_OR_16 143
2099
2100int ecryptfs_set_f_namelen(long *namelen, long lower_namelen,
2101 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
2102{
2103 struct crypto_skcipher *tfm;
2104 struct mutex *tfm_mutex;
2105 size_t cipher_blocksize;
2106 int rc;
2107
2108 if (!(mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)) {
2109 (*namelen) = lower_namelen;
2110 return 0;
2111 }
2112
2113 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&tfm, &tfm_mutex,
2114 mount_crypt_stat->global_default_fn_cipher_name);
2115 if (unlikely(rc)) {
2116 (*namelen) = 0;
2117 return rc;
2118 }
2119
2120 mutex_lock(tfm_mutex);
2121 cipher_blocksize = crypto_skcipher_blocksize(tfm);
2122 mutex_unlock(tfm_mutex);
2123
2124
2125 if (lower_namelen == NAME_MAX
2126 && (cipher_blocksize == 8 || cipher_blocksize == 16)) {
2127 (*namelen) = ENC_NAME_MAX_BLOCKLEN_8_OR_16;
2128 return 0;
2129 }
2130
2131
2132 (*namelen) = lower_namelen;
2133 (*namelen) -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2134
2135 (*namelen) = ecryptfs_max_decoded_size(*namelen) - 3;
2136 (*namelen) -= ECRYPTFS_TAG_70_MAX_METADATA_SIZE;
2137 (*namelen) -= ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES;
2138
2139 (*namelen) -= cipher_blocksize - 1;
2140
2141 if ((*namelen) < 0)
2142 (*namelen) = 0;
2143
2144 return 0;
2145}
2146