1
2
3
4
5
6
7
8
9
10
11
12#include <crypto/hash.h>
13#include <crypto/skcipher.h>
14#include <linux/fs.h>
15#include <linux/mount.h>
16#include <linux/pagemap.h>
17#include <linux/random.h>
18#include <linux/compiler.h>
19#include <linux/key.h>
20#include <linux/namei.h>
21#include <linux/file.h>
22#include <linux/scatterlist.h>
23#include <linux/slab.h>
24#include <asm/unaligned.h>
25#include <linux/kernel.h>
26#include <linux/xattr.h>
27#include "ecryptfs_kernel.h"
28
29#define DECRYPT 0
30#define ENCRYPT 1
31
32
33
34
35
36
37
38
39void ecryptfs_from_hex(char *dst, char *src, int dst_size)
40{
41 int x;
42 char tmp[3] = { 0, };
43
44 for (x = 0; x < dst_size; x++) {
45 tmp[0] = src[x * 2];
46 tmp[1] = src[x * 2 + 1];
47 dst[x] = (unsigned char)simple_strtol(tmp, NULL, 16);
48 }
49}
50
51
52
53
54
55
56
57
58
59
60
61static int ecryptfs_calculate_md5(char *dst,
62 struct ecryptfs_crypt_stat *crypt_stat,
63 char *src, int len)
64{
65 int rc = crypto_shash_tfm_digest(crypt_stat->hash_tfm, src, len, dst);
66
67 if (rc) {
68 printk(KERN_ERR
69 "%s: Error computing crypto hash; rc = [%d]\n",
70 __func__, rc);
71 goto out;
72 }
73out:
74 return rc;
75}
76
77static int ecryptfs_crypto_api_algify_cipher_name(char **algified_name,
78 char *cipher_name,
79 char *chaining_modifier)
80{
81 int cipher_name_len = strlen(cipher_name);
82 int chaining_modifier_len = strlen(chaining_modifier);
83 int algified_name_len;
84 int rc;
85
86 algified_name_len = (chaining_modifier_len + cipher_name_len + 3);
87 (*algified_name) = kmalloc(algified_name_len, GFP_KERNEL);
88 if (!(*algified_name)) {
89 rc = -ENOMEM;
90 goto out;
91 }
92 snprintf((*algified_name), algified_name_len, "%s(%s)",
93 chaining_modifier, cipher_name);
94 rc = 0;
95out:
96 return rc;
97}
98
99
100
101
102
103
104
105
106
107
108
109
110int ecryptfs_derive_iv(char *iv, struct ecryptfs_crypt_stat *crypt_stat,
111 loff_t offset)
112{
113 int rc = 0;
114 char dst[MD5_DIGEST_SIZE];
115 char src[ECRYPTFS_MAX_IV_BYTES + 16];
116
117 if (unlikely(ecryptfs_verbosity > 0)) {
118 ecryptfs_printk(KERN_DEBUG, "root iv:\n");
119 ecryptfs_dump_hex(crypt_stat->root_iv, crypt_stat->iv_bytes);
120 }
121
122
123
124
125 memcpy(src, crypt_stat->root_iv, crypt_stat->iv_bytes);
126 memset((src + crypt_stat->iv_bytes), 0, 16);
127 snprintf((src + crypt_stat->iv_bytes), 16, "%lld", offset);
128 if (unlikely(ecryptfs_verbosity > 0)) {
129 ecryptfs_printk(KERN_DEBUG, "source:\n");
130 ecryptfs_dump_hex(src, (crypt_stat->iv_bytes + 16));
131 }
132 rc = ecryptfs_calculate_md5(dst, crypt_stat, src,
133 (crypt_stat->iv_bytes + 16));
134 if (rc) {
135 ecryptfs_printk(KERN_WARNING, "Error attempting to compute "
136 "MD5 while generating IV for a page\n");
137 goto out;
138 }
139 memcpy(iv, dst, crypt_stat->iv_bytes);
140 if (unlikely(ecryptfs_verbosity > 0)) {
141 ecryptfs_printk(KERN_DEBUG, "derived iv:\n");
142 ecryptfs_dump_hex(iv, crypt_stat->iv_bytes);
143 }
144out:
145 return rc;
146}
147
148
149
150
151
152
153
154int ecryptfs_init_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat)
155{
156 struct crypto_shash *tfm;
157 int rc;
158
159 tfm = crypto_alloc_shash(ECRYPTFS_DEFAULT_HASH, 0, 0);
160 if (IS_ERR(tfm)) {
161 rc = PTR_ERR(tfm);
162 ecryptfs_printk(KERN_ERR, "Error attempting to "
163 "allocate crypto context; rc = [%d]\n",
164 rc);
165 return rc;
166 }
167
168 memset((void *)crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));
169 INIT_LIST_HEAD(&crypt_stat->keysig_list);
170 mutex_init(&crypt_stat->keysig_list_mutex);
171 mutex_init(&crypt_stat->cs_mutex);
172 mutex_init(&crypt_stat->cs_tfm_mutex);
173 crypt_stat->hash_tfm = tfm;
174 crypt_stat->flags |= ECRYPTFS_STRUCT_INITIALIZED;
175
176 return 0;
177}
178
179
180
181
182
183
184
185void ecryptfs_destroy_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat)
186{
187 struct ecryptfs_key_sig *key_sig, *key_sig_tmp;
188
189 crypto_free_skcipher(crypt_stat->tfm);
190 crypto_free_shash(crypt_stat->hash_tfm);
191 list_for_each_entry_safe(key_sig, key_sig_tmp,
192 &crypt_stat->keysig_list, crypt_stat_list) {
193 list_del(&key_sig->crypt_stat_list);
194 kmem_cache_free(ecryptfs_key_sig_cache, key_sig);
195 }
196 memset(crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));
197}
198
199void ecryptfs_destroy_mount_crypt_stat(
200 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
201{
202 struct ecryptfs_global_auth_tok *auth_tok, *auth_tok_tmp;
203
204 if (!(mount_crypt_stat->flags & ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED))
205 return;
206 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
207 list_for_each_entry_safe(auth_tok, auth_tok_tmp,
208 &mount_crypt_stat->global_auth_tok_list,
209 mount_crypt_stat_list) {
210 list_del(&auth_tok->mount_crypt_stat_list);
211 if (!(auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID))
212 key_put(auth_tok->global_auth_tok_key);
213 kmem_cache_free(ecryptfs_global_auth_tok_cache, auth_tok);
214 }
215 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
216 memset(mount_crypt_stat, 0, sizeof(struct ecryptfs_mount_crypt_stat));
217}
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232int virt_to_scatterlist(const void *addr, int size, struct scatterlist *sg,
233 int sg_size)
234{
235 int i = 0;
236 struct page *pg;
237 int offset;
238 int remainder_of_page;
239
240 sg_init_table(sg, sg_size);
241
242 while (size > 0 && i < sg_size) {
243 pg = virt_to_page(addr);
244 offset = offset_in_page(addr);
245 sg_set_page(&sg[i], pg, 0, offset);
246 remainder_of_page = PAGE_SIZE - offset;
247 if (size >= remainder_of_page) {
248 sg[i].length = remainder_of_page;
249 addr += remainder_of_page;
250 size -= remainder_of_page;
251 } else {
252 sg[i].length = size;
253 addr += size;
254 size = 0;
255 }
256 i++;
257 }
258 if (size > 0)
259 return -ENOMEM;
260 return i;
261}
262
263struct extent_crypt_result {
264 struct completion completion;
265 int rc;
266};
267
268static void extent_crypt_complete(struct crypto_async_request *req, int rc)
269{
270 struct extent_crypt_result *ecr = req->data;
271
272 if (rc == -EINPROGRESS)
273 return;
274
275 ecr->rc = rc;
276 complete(&ecr->completion);
277}
278
279
280
281
282
283
284
285
286
287
288
289
290static int crypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat,
291 struct scatterlist *dst_sg,
292 struct scatterlist *src_sg, int size,
293 unsigned char *iv, int op)
294{
295 struct skcipher_request *req = NULL;
296 struct extent_crypt_result ecr;
297 int rc = 0;
298
299 if (unlikely(ecryptfs_verbosity > 0)) {
300 ecryptfs_printk(KERN_DEBUG, "Key size [%zd]; key:\n",
301 crypt_stat->key_size);
302 ecryptfs_dump_hex(crypt_stat->key,
303 crypt_stat->key_size);
304 }
305
306 init_completion(&ecr.completion);
307
308 mutex_lock(&crypt_stat->cs_tfm_mutex);
309 req = skcipher_request_alloc(crypt_stat->tfm, GFP_NOFS);
310 if (!req) {
311 mutex_unlock(&crypt_stat->cs_tfm_mutex);
312 rc = -ENOMEM;
313 goto out;
314 }
315
316 skcipher_request_set_callback(req,
317 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
318 extent_crypt_complete, &ecr);
319
320 if (!(crypt_stat->flags & ECRYPTFS_KEY_SET)) {
321 rc = crypto_skcipher_setkey(crypt_stat->tfm, crypt_stat->key,
322 crypt_stat->key_size);
323 if (rc) {
324 ecryptfs_printk(KERN_ERR,
325 "Error setting key; rc = [%d]\n",
326 rc);
327 mutex_unlock(&crypt_stat->cs_tfm_mutex);
328 rc = -EINVAL;
329 goto out;
330 }
331 crypt_stat->flags |= ECRYPTFS_KEY_SET;
332 }
333 mutex_unlock(&crypt_stat->cs_tfm_mutex);
334 skcipher_request_set_crypt(req, src_sg, dst_sg, size, iv);
335 rc = op == ENCRYPT ? crypto_skcipher_encrypt(req) :
336 crypto_skcipher_decrypt(req);
337 if (rc == -EINPROGRESS || rc == -EBUSY) {
338 struct extent_crypt_result *ecr = req->base.data;
339
340 wait_for_completion(&ecr->completion);
341 rc = ecr->rc;
342 reinit_completion(&ecr->completion);
343 }
344out:
345 skcipher_request_free(req);
346 return rc;
347}
348
349
350
351
352
353
354static loff_t lower_offset_for_page(struct ecryptfs_crypt_stat *crypt_stat,
355 struct page *page)
356{
357 return ecryptfs_lower_header_size(crypt_stat) +
358 ((loff_t)page->index << PAGE_SHIFT);
359}
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374static int crypt_extent(struct ecryptfs_crypt_stat *crypt_stat,
375 struct page *dst_page,
376 struct page *src_page,
377 unsigned long extent_offset, int op)
378{
379 pgoff_t page_index = op == ENCRYPT ? src_page->index : dst_page->index;
380 loff_t extent_base;
381 char extent_iv[ECRYPTFS_MAX_IV_BYTES];
382 struct scatterlist src_sg, dst_sg;
383 size_t extent_size = crypt_stat->extent_size;
384 int rc;
385
386 extent_base = (((loff_t)page_index) * (PAGE_SIZE / extent_size));
387 rc = ecryptfs_derive_iv(extent_iv, crypt_stat,
388 (extent_base + extent_offset));
389 if (rc) {
390 ecryptfs_printk(KERN_ERR, "Error attempting to derive IV for "
391 "extent [0x%.16llx]; rc = [%d]\n",
392 (unsigned long long)(extent_base + extent_offset), rc);
393 goto out;
394 }
395
396 sg_init_table(&src_sg, 1);
397 sg_init_table(&dst_sg, 1);
398
399 sg_set_page(&src_sg, src_page, extent_size,
400 extent_offset * extent_size);
401 sg_set_page(&dst_sg, dst_page, extent_size,
402 extent_offset * extent_size);
403
404 rc = crypt_scatterlist(crypt_stat, &dst_sg, &src_sg, extent_size,
405 extent_iv, op);
406 if (rc < 0) {
407 printk(KERN_ERR "%s: Error attempting to crypt page with "
408 "page_index = [%ld], extent_offset = [%ld]; "
409 "rc = [%d]\n", __func__, page_index, extent_offset, rc);
410 goto out;
411 }
412 rc = 0;
413out:
414 return rc;
415}
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433int ecryptfs_encrypt_page(struct page *page)
434{
435 struct inode *ecryptfs_inode;
436 struct ecryptfs_crypt_stat *crypt_stat;
437 char *enc_extent_virt;
438 struct page *enc_extent_page = NULL;
439 loff_t extent_offset;
440 loff_t lower_offset;
441 int rc = 0;
442
443 ecryptfs_inode = page->mapping->host;
444 crypt_stat =
445 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
446 BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED));
447 enc_extent_page = alloc_page(GFP_USER);
448 if (!enc_extent_page) {
449 rc = -ENOMEM;
450 ecryptfs_printk(KERN_ERR, "Error allocating memory for "
451 "encrypted extent\n");
452 goto out;
453 }
454
455 for (extent_offset = 0;
456 extent_offset < (PAGE_SIZE / crypt_stat->extent_size);
457 extent_offset++) {
458 rc = crypt_extent(crypt_stat, enc_extent_page, page,
459 extent_offset, ENCRYPT);
460 if (rc) {
461 printk(KERN_ERR "%s: Error encrypting extent; "
462 "rc = [%d]\n", __func__, rc);
463 goto out;
464 }
465 }
466
467 lower_offset = lower_offset_for_page(crypt_stat, page);
468 enc_extent_virt = kmap(enc_extent_page);
469 rc = ecryptfs_write_lower(ecryptfs_inode, enc_extent_virt, lower_offset,
470 PAGE_SIZE);
471 kunmap(enc_extent_page);
472 if (rc < 0) {
473 ecryptfs_printk(KERN_ERR,
474 "Error attempting to write lower page; rc = [%d]\n",
475 rc);
476 goto out;
477 }
478 rc = 0;
479out:
480 if (enc_extent_page) {
481 __free_page(enc_extent_page);
482 }
483 return rc;
484}
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502int ecryptfs_decrypt_page(struct page *page)
503{
504 struct inode *ecryptfs_inode;
505 struct ecryptfs_crypt_stat *crypt_stat;
506 char *page_virt;
507 unsigned long extent_offset;
508 loff_t lower_offset;
509 int rc = 0;
510
511 ecryptfs_inode = page->mapping->host;
512 crypt_stat =
513 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
514 BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED));
515
516 lower_offset = lower_offset_for_page(crypt_stat, page);
517 page_virt = kmap(page);
518 rc = ecryptfs_read_lower(page_virt, lower_offset, PAGE_SIZE,
519 ecryptfs_inode);
520 kunmap(page);
521 if (rc < 0) {
522 ecryptfs_printk(KERN_ERR,
523 "Error attempting to read lower page; rc = [%d]\n",
524 rc);
525 goto out;
526 }
527
528 for (extent_offset = 0;
529 extent_offset < (PAGE_SIZE / crypt_stat->extent_size);
530 extent_offset++) {
531 rc = crypt_extent(crypt_stat, page, page,
532 extent_offset, DECRYPT);
533 if (rc) {
534 printk(KERN_ERR "%s: Error decrypting extent; "
535 "rc = [%d]\n", __func__, rc);
536 goto out;
537 }
538 }
539out:
540 return rc;
541}
542
543#define ECRYPTFS_MAX_SCATTERLIST_LEN 4
544
545
546
547
548
549
550
551
552
553
554int ecryptfs_init_crypt_ctx(struct ecryptfs_crypt_stat *crypt_stat)
555{
556 char *full_alg_name;
557 int rc = -EINVAL;
558
559 ecryptfs_printk(KERN_DEBUG,
560 "Initializing cipher [%s]; strlen = [%d]; "
561 "key_size_bits = [%zd]\n",
562 crypt_stat->cipher, (int)strlen(crypt_stat->cipher),
563 crypt_stat->key_size << 3);
564 mutex_lock(&crypt_stat->cs_tfm_mutex);
565 if (crypt_stat->tfm) {
566 rc = 0;
567 goto out_unlock;
568 }
569 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name,
570 crypt_stat->cipher, "cbc");
571 if (rc)
572 goto out_unlock;
573 crypt_stat->tfm = crypto_alloc_skcipher(full_alg_name, 0, 0);
574 if (IS_ERR(crypt_stat->tfm)) {
575 rc = PTR_ERR(crypt_stat->tfm);
576 crypt_stat->tfm = NULL;
577 ecryptfs_printk(KERN_ERR, "cryptfs: init_crypt_ctx(): "
578 "Error initializing cipher [%s]\n",
579 full_alg_name);
580 goto out_free;
581 }
582 crypto_skcipher_set_flags(crypt_stat->tfm,
583 CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
584 rc = 0;
585out_free:
586 kfree(full_alg_name);
587out_unlock:
588 mutex_unlock(&crypt_stat->cs_tfm_mutex);
589 return rc;
590}
591
592static void set_extent_mask_and_shift(struct ecryptfs_crypt_stat *crypt_stat)
593{
594 int extent_size_tmp;
595
596 crypt_stat->extent_mask = 0xFFFFFFFF;
597 crypt_stat->extent_shift = 0;
598 if (crypt_stat->extent_size == 0)
599 return;
600 extent_size_tmp = crypt_stat->extent_size;
601 while ((extent_size_tmp & 0x01) == 0) {
602 extent_size_tmp >>= 1;
603 crypt_stat->extent_mask <<= 1;
604 crypt_stat->extent_shift++;
605 }
606}
607
608void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat)
609{
610
611
612 crypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE;
613 set_extent_mask_and_shift(crypt_stat);
614 crypt_stat->iv_bytes = ECRYPTFS_DEFAULT_IV_BYTES;
615 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
616 crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
617 else {
618 if (PAGE_SIZE <= ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)
619 crypt_stat->metadata_size =
620 ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
621 else
622 crypt_stat->metadata_size = PAGE_SIZE;
623 }
624}
625
626
627
628
629
630
631int ecryptfs_compute_root_iv(struct ecryptfs_crypt_stat *crypt_stat)
632{
633 int rc = 0;
634 char dst[MD5_DIGEST_SIZE];
635
636 BUG_ON(crypt_stat->iv_bytes > MD5_DIGEST_SIZE);
637 BUG_ON(crypt_stat->iv_bytes <= 0);
638 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {
639 rc = -EINVAL;
640 ecryptfs_printk(KERN_WARNING, "Session key not valid; "
641 "cannot generate root IV\n");
642 goto out;
643 }
644 rc = ecryptfs_calculate_md5(dst, crypt_stat, crypt_stat->key,
645 crypt_stat->key_size);
646 if (rc) {
647 ecryptfs_printk(KERN_WARNING, "Error attempting to compute "
648 "MD5 while generating root IV\n");
649 goto out;
650 }
651 memcpy(crypt_stat->root_iv, dst, crypt_stat->iv_bytes);
652out:
653 if (rc) {
654 memset(crypt_stat->root_iv, 0, crypt_stat->iv_bytes);
655 crypt_stat->flags |= ECRYPTFS_SECURITY_WARNING;
656 }
657 return rc;
658}
659
660static void ecryptfs_generate_new_key(struct ecryptfs_crypt_stat *crypt_stat)
661{
662 get_random_bytes(crypt_stat->key, crypt_stat->key_size);
663 crypt_stat->flags |= ECRYPTFS_KEY_VALID;
664 ecryptfs_compute_root_iv(crypt_stat);
665 if (unlikely(ecryptfs_verbosity > 0)) {
666 ecryptfs_printk(KERN_DEBUG, "Generated new session key:\n");
667 ecryptfs_dump_hex(crypt_stat->key,
668 crypt_stat->key_size);
669 }
670}
671
672
673
674
675
676
677
678
679
680static void ecryptfs_copy_mount_wide_flags_to_inode_flags(
681 struct ecryptfs_crypt_stat *crypt_stat,
682 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
683{
684 if (mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED)
685 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
686 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
687 crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED;
688 if (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) {
689 crypt_stat->flags |= ECRYPTFS_ENCRYPT_FILENAMES;
690 if (mount_crypt_stat->flags
691 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)
692 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_MOUNT_FNEK;
693 else if (mount_crypt_stat->flags
694 & ECRYPTFS_GLOBAL_ENCFN_USE_FEK)
695 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_FEK;
696 }
697}
698
699static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs(
700 struct ecryptfs_crypt_stat *crypt_stat,
701 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
702{
703 struct ecryptfs_global_auth_tok *global_auth_tok;
704 int rc = 0;
705
706 mutex_lock(&crypt_stat->keysig_list_mutex);
707 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
708
709 list_for_each_entry(global_auth_tok,
710 &mount_crypt_stat->global_auth_tok_list,
711 mount_crypt_stat_list) {
712 if (global_auth_tok->flags & ECRYPTFS_AUTH_TOK_FNEK)
713 continue;
714 rc = ecryptfs_add_keysig(crypt_stat, global_auth_tok->sig);
715 if (rc) {
716 printk(KERN_ERR "Error adding keysig; rc = [%d]\n", rc);
717 goto out;
718 }
719 }
720
721out:
722 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
723 mutex_unlock(&crypt_stat->keysig_list_mutex);
724 return rc;
725}
726
727
728
729
730
731
732
733
734static void ecryptfs_set_default_crypt_stat_vals(
735 struct ecryptfs_crypt_stat *crypt_stat,
736 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
737{
738 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
739 mount_crypt_stat);
740 ecryptfs_set_default_sizes(crypt_stat);
741 strcpy(crypt_stat->cipher, ECRYPTFS_DEFAULT_CIPHER);
742 crypt_stat->key_size = ECRYPTFS_DEFAULT_KEY_BYTES;
743 crypt_stat->flags &= ~(ECRYPTFS_KEY_VALID);
744 crypt_stat->file_version = ECRYPTFS_FILE_VERSION;
745 crypt_stat->mount_crypt_stat = mount_crypt_stat;
746}
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767int ecryptfs_new_file_context(struct inode *ecryptfs_inode)
768{
769 struct ecryptfs_crypt_stat *crypt_stat =
770 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
771 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
772 &ecryptfs_superblock_to_private(
773 ecryptfs_inode->i_sb)->mount_crypt_stat;
774 int cipher_name_len;
775 int rc = 0;
776
777 ecryptfs_set_default_crypt_stat_vals(crypt_stat, mount_crypt_stat);
778 crypt_stat->flags |= (ECRYPTFS_ENCRYPTED | ECRYPTFS_KEY_VALID);
779 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
780 mount_crypt_stat);
781 rc = ecryptfs_copy_mount_wide_sigs_to_inode_sigs(crypt_stat,
782 mount_crypt_stat);
783 if (rc) {
784 printk(KERN_ERR "Error attempting to copy mount-wide key sigs "
785 "to the inode key sigs; rc = [%d]\n", rc);
786 goto out;
787 }
788 cipher_name_len =
789 strlen(mount_crypt_stat->global_default_cipher_name);
790 memcpy(crypt_stat->cipher,
791 mount_crypt_stat->global_default_cipher_name,
792 cipher_name_len);
793 crypt_stat->cipher[cipher_name_len] = '\0';
794 crypt_stat->key_size =
795 mount_crypt_stat->global_default_cipher_key_size;
796 ecryptfs_generate_new_key(crypt_stat);
797 rc = ecryptfs_init_crypt_ctx(crypt_stat);
798 if (rc)
799 ecryptfs_printk(KERN_ERR, "Error initializing cryptographic "
800 "context for cipher [%s]: rc = [%d]\n",
801 crypt_stat->cipher, rc);
802out:
803 return rc;
804}
805
806
807
808
809
810
811
812static int ecryptfs_validate_marker(char *data)
813{
814 u32 m_1, m_2;
815
816 m_1 = get_unaligned_be32(data);
817 m_2 = get_unaligned_be32(data + 4);
818 if ((m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2)
819 return 0;
820 ecryptfs_printk(KERN_DEBUG, "m_1 = [0x%.8x]; m_2 = [0x%.8x]; "
821 "MAGIC_ECRYPTFS_MARKER = [0x%.8x]\n", m_1, m_2,
822 MAGIC_ECRYPTFS_MARKER);
823 ecryptfs_printk(KERN_DEBUG, "(m_1 ^ MAGIC_ECRYPTFS_MARKER) = "
824 "[0x%.8x]\n", (m_1 ^ MAGIC_ECRYPTFS_MARKER));
825 return -EINVAL;
826}
827
828struct ecryptfs_flag_map_elem {
829 u32 file_flag;
830 u32 local_flag;
831};
832
833
834static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = {
835 {0x00000001, ECRYPTFS_ENABLE_HMAC},
836 {0x00000002, ECRYPTFS_ENCRYPTED},
837 {0x00000004, ECRYPTFS_METADATA_IN_XATTR},
838 {0x00000008, ECRYPTFS_ENCRYPT_FILENAMES}
839};
840
841
842
843
844
845
846
847static void ecryptfs_process_flags(struct ecryptfs_crypt_stat *crypt_stat,
848 char *page_virt, int *bytes_read)
849{
850 int i;
851 u32 flags;
852
853 flags = get_unaligned_be32(page_virt);
854 for (i = 0; i < ARRAY_SIZE(ecryptfs_flag_map); i++)
855 if (flags & ecryptfs_flag_map[i].file_flag) {
856 crypt_stat->flags |= ecryptfs_flag_map[i].local_flag;
857 } else
858 crypt_stat->flags &= ~(ecryptfs_flag_map[i].local_flag);
859
860 crypt_stat->file_version = ((flags >> 24) & 0xFF);
861 (*bytes_read) = 4;
862}
863
864
865
866
867
868
869
870
871static void write_ecryptfs_marker(char *page_virt, size_t *written)
872{
873 u32 m_1, m_2;
874
875 get_random_bytes(&m_1, (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2));
876 m_2 = (m_1 ^ MAGIC_ECRYPTFS_MARKER);
877 put_unaligned_be32(m_1, page_virt);
878 page_virt += (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2);
879 put_unaligned_be32(m_2, page_virt);
880 (*written) = MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;
881}
882
883void ecryptfs_write_crypt_stat_flags(char *page_virt,
884 struct ecryptfs_crypt_stat *crypt_stat,
885 size_t *written)
886{
887 u32 flags = 0;
888 int i;
889
890 for (i = 0; i < ARRAY_SIZE(ecryptfs_flag_map); i++)
891 if (crypt_stat->flags & ecryptfs_flag_map[i].local_flag)
892 flags |= ecryptfs_flag_map[i].file_flag;
893
894 flags |= ((((u8)crypt_stat->file_version) << 24) & 0xFF000000);
895 put_unaligned_be32(flags, page_virt);
896 (*written) = 4;
897}
898
899struct ecryptfs_cipher_code_str_map_elem {
900 char cipher_str[16];
901 u8 cipher_code;
902};
903
904
905
906
907static struct ecryptfs_cipher_code_str_map_elem
908ecryptfs_cipher_code_str_map[] = {
909 {"aes",RFC2440_CIPHER_AES_128 },
910 {"blowfish", RFC2440_CIPHER_BLOWFISH},
911 {"des3_ede", RFC2440_CIPHER_DES3_EDE},
912 {"cast5", RFC2440_CIPHER_CAST_5},
913 {"twofish", RFC2440_CIPHER_TWOFISH},
914 {"cast6", RFC2440_CIPHER_CAST_6},
915 {"aes", RFC2440_CIPHER_AES_192},
916 {"aes", RFC2440_CIPHER_AES_256}
917};
918
919
920
921
922
923
924
925
926u8 ecryptfs_code_for_cipher_string(char *cipher_name, size_t key_bytes)
927{
928 int i;
929 u8 code = 0;
930 struct ecryptfs_cipher_code_str_map_elem *map =
931 ecryptfs_cipher_code_str_map;
932
933 if (strcmp(cipher_name, "aes") == 0) {
934 switch (key_bytes) {
935 case 16:
936 code = RFC2440_CIPHER_AES_128;
937 break;
938 case 24:
939 code = RFC2440_CIPHER_AES_192;
940 break;
941 case 32:
942 code = RFC2440_CIPHER_AES_256;
943 }
944 } else {
945 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++)
946 if (strcmp(cipher_name, map[i].cipher_str) == 0) {
947 code = map[i].cipher_code;
948 break;
949 }
950 }
951 return code;
952}
953
954
955
956
957
958
959
960
961int ecryptfs_cipher_code_to_string(char *str, u8 cipher_code)
962{
963 int rc = 0;
964 int i;
965
966 str[0] = '\0';
967 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++)
968 if (cipher_code == ecryptfs_cipher_code_str_map[i].cipher_code)
969 strcpy(str, ecryptfs_cipher_code_str_map[i].cipher_str);
970 if (str[0] == '\0') {
971 ecryptfs_printk(KERN_WARNING, "Cipher code not recognized: "
972 "[%d]\n", cipher_code);
973 rc = -EINVAL;
974 }
975 return rc;
976}
977
978int ecryptfs_read_and_validate_header_region(struct inode *inode)
979{
980 u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES];
981 u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES;
982 int rc;
983
984 rc = ecryptfs_read_lower(file_size, 0, ECRYPTFS_SIZE_AND_MARKER_BYTES,
985 inode);
986 if (rc < 0)
987 return rc;
988 else if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
989 return -EINVAL;
990 rc = ecryptfs_validate_marker(marker);
991 if (!rc)
992 ecryptfs_i_size_init(file_size, inode);
993 return rc;
994}
995
996void
997ecryptfs_write_header_metadata(char *virt,
998 struct ecryptfs_crypt_stat *crypt_stat,
999 size_t *written)
1000{
1001 u32 header_extent_size;
1002 u16 num_header_extents_at_front;
1003
1004 header_extent_size = (u32)crypt_stat->extent_size;
1005 num_header_extents_at_front =
1006 (u16)(crypt_stat->metadata_size / crypt_stat->extent_size);
1007 put_unaligned_be32(header_extent_size, virt);
1008 virt += 4;
1009 put_unaligned_be16(num_header_extents_at_front, virt);
1010 (*written) = 6;
1011}
1012
1013struct kmem_cache *ecryptfs_header_cache;
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046static int ecryptfs_write_headers_virt(char *page_virt, size_t max,
1047 size_t *size,
1048 struct ecryptfs_crypt_stat *crypt_stat,
1049 struct dentry *ecryptfs_dentry)
1050{
1051 int rc;
1052 size_t written;
1053 size_t offset;
1054
1055 offset = ECRYPTFS_FILE_SIZE_BYTES;
1056 write_ecryptfs_marker((page_virt + offset), &written);
1057 offset += written;
1058 ecryptfs_write_crypt_stat_flags((page_virt + offset), crypt_stat,
1059 &written);
1060 offset += written;
1061 ecryptfs_write_header_metadata((page_virt + offset), crypt_stat,
1062 &written);
1063 offset += written;
1064 rc = ecryptfs_generate_key_packet_set((page_virt + offset), crypt_stat,
1065 ecryptfs_dentry, &written,
1066 max - offset);
1067 if (rc)
1068 ecryptfs_printk(KERN_WARNING, "Error generating key packet "
1069 "set; rc = [%d]\n", rc);
1070 if (size) {
1071 offset += written;
1072 *size = offset;
1073 }
1074 return rc;
1075}
1076
1077static int
1078ecryptfs_write_metadata_to_contents(struct inode *ecryptfs_inode,
1079 char *virt, size_t virt_len)
1080{
1081 int rc;
1082
1083 rc = ecryptfs_write_lower(ecryptfs_inode, virt,
1084 0, virt_len);
1085 if (rc < 0)
1086 printk(KERN_ERR "%s: Error attempting to write header "
1087 "information to lower file; rc = [%d]\n", __func__, rc);
1088 else
1089 rc = 0;
1090 return rc;
1091}
1092
1093static int
1094ecryptfs_write_metadata_to_xattr(struct dentry *ecryptfs_dentry,
1095 struct inode *ecryptfs_inode,
1096 char *page_virt, size_t size)
1097{
1098 int rc;
1099 struct dentry *lower_dentry = ecryptfs_dentry_to_lower(ecryptfs_dentry);
1100 struct inode *lower_inode = d_inode(lower_dentry);
1101
1102 if (!(lower_inode->i_opflags & IOP_XATTR)) {
1103 rc = -EOPNOTSUPP;
1104 goto out;
1105 }
1106
1107 inode_lock(lower_inode);
1108 rc = __vfs_setxattr(&init_user_ns, lower_dentry, lower_inode,
1109 ECRYPTFS_XATTR_NAME, page_virt, size, 0);
1110 if (!rc && ecryptfs_inode)
1111 fsstack_copy_attr_all(ecryptfs_inode, lower_inode);
1112 inode_unlock(lower_inode);
1113out:
1114 return rc;
1115}
1116
1117static unsigned long ecryptfs_get_zeroed_pages(gfp_t gfp_mask,
1118 unsigned int order)
1119{
1120 struct page *page;
1121
1122 page = alloc_pages(gfp_mask | __GFP_ZERO, order);
1123 if (page)
1124 return (unsigned long) page_address(page);
1125 return 0;
1126}
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry,
1142 struct inode *ecryptfs_inode)
1143{
1144 struct ecryptfs_crypt_stat *crypt_stat =
1145 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
1146 unsigned int order;
1147 char *virt;
1148 size_t virt_len;
1149 size_t size = 0;
1150 int rc = 0;
1151
1152 if (likely(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) {
1153 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {
1154 printk(KERN_ERR "Key is invalid; bailing out\n");
1155 rc = -EINVAL;
1156 goto out;
1157 }
1158 } else {
1159 printk(KERN_WARNING "%s: Encrypted flag not set\n",
1160 __func__);
1161 rc = -EINVAL;
1162 goto out;
1163 }
1164 virt_len = crypt_stat->metadata_size;
1165 order = get_order(virt_len);
1166
1167 virt = (char *)ecryptfs_get_zeroed_pages(GFP_KERNEL, order);
1168 if (!virt) {
1169 printk(KERN_ERR "%s: Out of memory\n", __func__);
1170 rc = -ENOMEM;
1171 goto out;
1172 }
1173
1174 rc = ecryptfs_write_headers_virt(virt, virt_len, &size, crypt_stat,
1175 ecryptfs_dentry);
1176 if (unlikely(rc)) {
1177 printk(KERN_ERR "%s: Error whilst writing headers; rc = [%d]\n",
1178 __func__, rc);
1179 goto out_free;
1180 }
1181 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
1182 rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, ecryptfs_inode,
1183 virt, size);
1184 else
1185 rc = ecryptfs_write_metadata_to_contents(ecryptfs_inode, virt,
1186 virt_len);
1187 if (rc) {
1188 printk(KERN_ERR "%s: Error writing metadata out to lower file; "
1189 "rc = [%d]\n", __func__, rc);
1190 goto out_free;
1191 }
1192out_free:
1193 free_pages((unsigned long)virt, order);
1194out:
1195 return rc;
1196}
1197
1198#define ECRYPTFS_DONT_VALIDATE_HEADER_SIZE 0
1199#define ECRYPTFS_VALIDATE_HEADER_SIZE 1
1200static int parse_header_metadata(struct ecryptfs_crypt_stat *crypt_stat,
1201 char *virt, int *bytes_read,
1202 int validate_header_size)
1203{
1204 int rc = 0;
1205 u32 header_extent_size;
1206 u16 num_header_extents_at_front;
1207
1208 header_extent_size = get_unaligned_be32(virt);
1209 virt += sizeof(__be32);
1210 num_header_extents_at_front = get_unaligned_be16(virt);
1211 crypt_stat->metadata_size = (((size_t)num_header_extents_at_front
1212 * (size_t)header_extent_size));
1213 (*bytes_read) = (sizeof(__be32) + sizeof(__be16));
1214 if ((validate_header_size == ECRYPTFS_VALIDATE_HEADER_SIZE)
1215 && (crypt_stat->metadata_size
1216 < ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)) {
1217 rc = -EINVAL;
1218 printk(KERN_WARNING "Invalid header size: [%zd]\n",
1219 crypt_stat->metadata_size);
1220 }
1221 return rc;
1222}
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat)
1233{
1234 crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
1235}
1236
1237void ecryptfs_i_size_init(const char *page_virt, struct inode *inode)
1238{
1239 struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
1240 struct ecryptfs_crypt_stat *crypt_stat;
1241 u64 file_size;
1242
1243 crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat;
1244 mount_crypt_stat =
1245 &ecryptfs_superblock_to_private(inode->i_sb)->mount_crypt_stat;
1246 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) {
1247 file_size = i_size_read(ecryptfs_inode_to_lower(inode));
1248 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
1249 file_size += crypt_stat->metadata_size;
1250 } else
1251 file_size = get_unaligned_be64(page_virt);
1252 i_size_write(inode, (loff_t)file_size);
1253 crypt_stat->flags |= ECRYPTFS_I_SIZE_INITIALIZED;
1254}
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268static int ecryptfs_read_headers_virt(char *page_virt,
1269 struct ecryptfs_crypt_stat *crypt_stat,
1270 struct dentry *ecryptfs_dentry,
1271 int validate_header_size)
1272{
1273 int rc = 0;
1274 int offset;
1275 int bytes_read;
1276
1277 ecryptfs_set_default_sizes(crypt_stat);
1278 crypt_stat->mount_crypt_stat = &ecryptfs_superblock_to_private(
1279 ecryptfs_dentry->d_sb)->mount_crypt_stat;
1280 offset = ECRYPTFS_FILE_SIZE_BYTES;
1281 rc = ecryptfs_validate_marker(page_virt + offset);
1282 if (rc)
1283 goto out;
1284 if (!(crypt_stat->flags & ECRYPTFS_I_SIZE_INITIALIZED))
1285 ecryptfs_i_size_init(page_virt, d_inode(ecryptfs_dentry));
1286 offset += MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;
1287 ecryptfs_process_flags(crypt_stat, (page_virt + offset), &bytes_read);
1288 if (crypt_stat->file_version > ECRYPTFS_SUPPORTED_FILE_VERSION) {
1289 ecryptfs_printk(KERN_WARNING, "File version is [%d]; only "
1290 "file version [%d] is supported by this "
1291 "version of eCryptfs\n",
1292 crypt_stat->file_version,
1293 ECRYPTFS_SUPPORTED_FILE_VERSION);
1294 rc = -EINVAL;
1295 goto out;
1296 }
1297 offset += bytes_read;
1298 if (crypt_stat->file_version >= 1) {
1299 rc = parse_header_metadata(crypt_stat, (page_virt + offset),
1300 &bytes_read, validate_header_size);
1301 if (rc) {
1302 ecryptfs_printk(KERN_WARNING, "Error reading header "
1303 "metadata; rc = [%d]\n", rc);
1304 }
1305 offset += bytes_read;
1306 } else
1307 set_default_header_data(crypt_stat);
1308 rc = ecryptfs_parse_packet_set(crypt_stat, (page_virt + offset),
1309 ecryptfs_dentry);
1310out:
1311 return rc;
1312}
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324int ecryptfs_read_xattr_region(char *page_virt, struct inode *ecryptfs_inode)
1325{
1326 struct dentry *lower_dentry =
1327 ecryptfs_inode_to_private(ecryptfs_inode)->lower_file->f_path.dentry;
1328 ssize_t size;
1329 int rc = 0;
1330
1331 size = ecryptfs_getxattr_lower(lower_dentry,
1332 ecryptfs_inode_to_lower(ecryptfs_inode),
1333 ECRYPTFS_XATTR_NAME,
1334 page_virt, ECRYPTFS_DEFAULT_EXTENT_SIZE);
1335 if (size < 0) {
1336 if (unlikely(ecryptfs_verbosity > 0))
1337 printk(KERN_INFO "Error attempting to read the [%s] "
1338 "xattr from the lower file; return value = "
1339 "[%zd]\n", ECRYPTFS_XATTR_NAME, size);
1340 rc = -EINVAL;
1341 goto out;
1342 }
1343out:
1344 return rc;
1345}
1346
1347int ecryptfs_read_and_validate_xattr_region(struct dentry *dentry,
1348 struct inode *inode)
1349{
1350 u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES];
1351 u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES;
1352 int rc;
1353
1354 rc = ecryptfs_getxattr_lower(ecryptfs_dentry_to_lower(dentry),
1355 ecryptfs_inode_to_lower(inode),
1356 ECRYPTFS_XATTR_NAME, file_size,
1357 ECRYPTFS_SIZE_AND_MARKER_BYTES);
1358 if (rc < 0)
1359 return rc;
1360 else if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
1361 return -EINVAL;
1362 rc = ecryptfs_validate_marker(marker);
1363 if (!rc)
1364 ecryptfs_i_size_init(file_size, inode);
1365 return rc;
1366}
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)
1381{
1382 int rc;
1383 char *page_virt;
1384 struct inode *ecryptfs_inode = d_inode(ecryptfs_dentry);
1385 struct ecryptfs_crypt_stat *crypt_stat =
1386 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
1387 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
1388 &ecryptfs_superblock_to_private(
1389 ecryptfs_dentry->d_sb)->mount_crypt_stat;
1390
1391 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
1392 mount_crypt_stat);
1393
1394 page_virt = kmem_cache_alloc(ecryptfs_header_cache, GFP_USER);
1395 if (!page_virt) {
1396 rc = -ENOMEM;
1397 goto out;
1398 }
1399 rc = ecryptfs_read_lower(page_virt, 0, crypt_stat->extent_size,
1400 ecryptfs_inode);
1401 if (rc >= 0)
1402 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat,
1403 ecryptfs_dentry,
1404 ECRYPTFS_VALIDATE_HEADER_SIZE);
1405 if (rc) {
1406
1407 memset(page_virt, 0, PAGE_SIZE);
1408 rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode);
1409 if (rc) {
1410 printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1411 "file header region or xattr region, inode %lu\n",
1412 ecryptfs_inode->i_ino);
1413 rc = -EINVAL;
1414 goto out;
1415 }
1416 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat,
1417 ecryptfs_dentry,
1418 ECRYPTFS_DONT_VALIDATE_HEADER_SIZE);
1419 if (rc) {
1420 printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1421 "file xattr region either, inode %lu\n",
1422 ecryptfs_inode->i_ino);
1423 rc = -EINVAL;
1424 }
1425 if (crypt_stat->mount_crypt_stat->flags
1426 & ECRYPTFS_XATTR_METADATA_ENABLED) {
1427 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
1428 } else {
1429 printk(KERN_WARNING "Attempt to access file with "
1430 "crypto metadata only in the extended attribute "
1431 "region, but eCryptfs was mounted without "
1432 "xattr support enabled. eCryptfs will not treat "
1433 "this like an encrypted file, inode %lu\n",
1434 ecryptfs_inode->i_ino);
1435 rc = -EINVAL;
1436 }
1437 }
1438out:
1439 if (page_virt) {
1440 memset(page_virt, 0, PAGE_SIZE);
1441 kmem_cache_free(ecryptfs_header_cache, page_virt);
1442 }
1443 return rc;
1444}
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455static int
1456ecryptfs_encrypt_filename(struct ecryptfs_filename *filename,
1457 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
1458{
1459 int rc = 0;
1460
1461 filename->encrypted_filename = NULL;
1462 filename->encrypted_filename_size = 0;
1463 if (mount_crypt_stat && (mount_crypt_stat->flags
1464 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)) {
1465 size_t packet_size;
1466 size_t remaining_bytes;
1467
1468 rc = ecryptfs_write_tag_70_packet(
1469 NULL, NULL,
1470 &filename->encrypted_filename_size,
1471 mount_crypt_stat, NULL,
1472 filename->filename_size);
1473 if (rc) {
1474 printk(KERN_ERR "%s: Error attempting to get packet "
1475 "size for tag 72; rc = [%d]\n", __func__,
1476 rc);
1477 filename->encrypted_filename_size = 0;
1478 goto out;
1479 }
1480 filename->encrypted_filename =
1481 kmalloc(filename->encrypted_filename_size, GFP_KERNEL);
1482 if (!filename->encrypted_filename) {
1483 rc = -ENOMEM;
1484 goto out;
1485 }
1486 remaining_bytes = filename->encrypted_filename_size;
1487 rc = ecryptfs_write_tag_70_packet(filename->encrypted_filename,
1488 &remaining_bytes,
1489 &packet_size,
1490 mount_crypt_stat,
1491 filename->filename,
1492 filename->filename_size);
1493 if (rc) {
1494 printk(KERN_ERR "%s: Error attempting to generate "
1495 "tag 70 packet; rc = [%d]\n", __func__,
1496 rc);
1497 kfree(filename->encrypted_filename);
1498 filename->encrypted_filename = NULL;
1499 filename->encrypted_filename_size = 0;
1500 goto out;
1501 }
1502 filename->encrypted_filename_size = packet_size;
1503 } else {
1504 printk(KERN_ERR "%s: No support for requested filename "
1505 "encryption method in this release\n", __func__);
1506 rc = -EOPNOTSUPP;
1507 goto out;
1508 }
1509out:
1510 return rc;
1511}
1512
1513static int ecryptfs_copy_filename(char **copied_name, size_t *copied_name_size,
1514 const char *name, size_t name_size)
1515{
1516 int rc = 0;
1517
1518 (*copied_name) = kmalloc((name_size + 1), GFP_KERNEL);
1519 if (!(*copied_name)) {
1520 rc = -ENOMEM;
1521 goto out;
1522 }
1523 memcpy((void *)(*copied_name), (void *)name, name_size);
1524 (*copied_name)[(name_size)] = '\0';
1525
1526
1527
1528 (*copied_name_size) = name_size;
1529out:
1530 return rc;
1531}
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543static int
1544ecryptfs_process_key_cipher(struct crypto_skcipher **key_tfm,
1545 char *cipher_name, size_t *key_size)
1546{
1547 char dummy_key[ECRYPTFS_MAX_KEY_BYTES];
1548 char *full_alg_name = NULL;
1549 int rc;
1550
1551 *key_tfm = NULL;
1552 if (*key_size > ECRYPTFS_MAX_KEY_BYTES) {
1553 rc = -EINVAL;
1554 printk(KERN_ERR "Requested key size is [%zd] bytes; maximum "
1555 "allowable is [%d]\n", *key_size, ECRYPTFS_MAX_KEY_BYTES);
1556 goto out;
1557 }
1558 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, cipher_name,
1559 "ecb");
1560 if (rc)
1561 goto out;
1562 *key_tfm = crypto_alloc_skcipher(full_alg_name, 0, CRYPTO_ALG_ASYNC);
1563 if (IS_ERR(*key_tfm)) {
1564 rc = PTR_ERR(*key_tfm);
1565 printk(KERN_ERR "Unable to allocate crypto cipher with name "
1566 "[%s]; rc = [%d]\n", full_alg_name, rc);
1567 goto out;
1568 }
1569 crypto_skcipher_set_flags(*key_tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
1570 if (*key_size == 0)
1571 *key_size = crypto_skcipher_max_keysize(*key_tfm);
1572 get_random_bytes(dummy_key, *key_size);
1573 rc = crypto_skcipher_setkey(*key_tfm, dummy_key, *key_size);
1574 if (rc) {
1575 printk(KERN_ERR "Error attempting to set key of size [%zd] for "
1576 "cipher [%s]; rc = [%d]\n", *key_size, full_alg_name,
1577 rc);
1578 rc = -EINVAL;
1579 goto out;
1580 }
1581out:
1582 kfree(full_alg_name);
1583 return rc;
1584}
1585
1586struct kmem_cache *ecryptfs_key_tfm_cache;
1587static struct list_head key_tfm_list;
1588DEFINE_MUTEX(key_tfm_list_mutex);
1589
1590int __init ecryptfs_init_crypto(void)
1591{
1592 INIT_LIST_HEAD(&key_tfm_list);
1593 return 0;
1594}
1595
1596
1597
1598
1599
1600
1601int ecryptfs_destroy_crypto(void)
1602{
1603 struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp;
1604
1605 mutex_lock(&key_tfm_list_mutex);
1606 list_for_each_entry_safe(key_tfm, key_tfm_tmp, &key_tfm_list,
1607 key_tfm_list) {
1608 list_del(&key_tfm->key_tfm_list);
1609 crypto_free_skcipher(key_tfm->key_tfm);
1610 kmem_cache_free(ecryptfs_key_tfm_cache, key_tfm);
1611 }
1612 mutex_unlock(&key_tfm_list_mutex);
1613 return 0;
1614}
1615
1616int
1617ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name,
1618 size_t key_size)
1619{
1620 struct ecryptfs_key_tfm *tmp_tfm;
1621 int rc = 0;
1622
1623 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1624
1625 tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL);
1626 if (key_tfm)
1627 (*key_tfm) = tmp_tfm;
1628 if (!tmp_tfm) {
1629 rc = -ENOMEM;
1630 goto out;
1631 }
1632 mutex_init(&tmp_tfm->key_tfm_mutex);
1633 strncpy(tmp_tfm->cipher_name, cipher_name,
1634 ECRYPTFS_MAX_CIPHER_NAME_SIZE);
1635 tmp_tfm->cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0';
1636 tmp_tfm->key_size = key_size;
1637 rc = ecryptfs_process_key_cipher(&tmp_tfm->key_tfm,
1638 tmp_tfm->cipher_name,
1639 &tmp_tfm->key_size);
1640 if (rc) {
1641 printk(KERN_ERR "Error attempting to initialize key TFM "
1642 "cipher with name = [%s]; rc = [%d]\n",
1643 tmp_tfm->cipher_name, rc);
1644 kmem_cache_free(ecryptfs_key_tfm_cache, tmp_tfm);
1645 if (key_tfm)
1646 (*key_tfm) = NULL;
1647 goto out;
1648 }
1649 list_add(&tmp_tfm->key_tfm_list, &key_tfm_list);
1650out:
1651 return rc;
1652}
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664int ecryptfs_tfm_exists(char *cipher_name, struct ecryptfs_key_tfm **key_tfm)
1665{
1666 struct ecryptfs_key_tfm *tmp_key_tfm;
1667
1668 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1669
1670 list_for_each_entry(tmp_key_tfm, &key_tfm_list, key_tfm_list) {
1671 if (strcmp(tmp_key_tfm->cipher_name, cipher_name) == 0) {
1672 if (key_tfm)
1673 (*key_tfm) = tmp_key_tfm;
1674 return 1;
1675 }
1676 }
1677 if (key_tfm)
1678 (*key_tfm) = NULL;
1679 return 0;
1680}
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_skcipher **tfm,
1694 struct mutex **tfm_mutex,
1695 char *cipher_name)
1696{
1697 struct ecryptfs_key_tfm *key_tfm;
1698 int rc = 0;
1699
1700 (*tfm) = NULL;
1701 (*tfm_mutex) = NULL;
1702
1703 mutex_lock(&key_tfm_list_mutex);
1704 if (!ecryptfs_tfm_exists(cipher_name, &key_tfm)) {
1705 rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0);
1706 if (rc) {
1707 printk(KERN_ERR "Error adding new key_tfm to list; "
1708 "rc = [%d]\n", rc);
1709 goto out;
1710 }
1711 }
1712 (*tfm) = key_tfm->key_tfm;
1713 (*tfm_mutex) = &key_tfm->key_tfm_mutex;
1714out:
1715 mutex_unlock(&key_tfm_list_mutex);
1716 return rc;
1717}
1718
1719
1720static unsigned char *portable_filename_chars = ("-.0123456789ABCD"
1721 "EFGHIJKLMNOPQRST"
1722 "UVWXYZabcdefghij"
1723 "klmnopqrstuvwxyz");
1724
1725
1726
1727static const unsigned char filename_rev_map[256] = {
1728 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1729 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1730 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1731 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1732 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1733 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
1734 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
1735 0x0A, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1736 0x00, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12,
1737 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A,
1738 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22,
1739 0x23, 0x24, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00,
1740 0x00, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
1741 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
1742 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
1743 0x3D, 0x3E, 0x3F
1744};
1745
1746
1747
1748
1749
1750
1751
1752
1753static void ecryptfs_encode_for_filename(unsigned char *dst, size_t *dst_size,
1754 unsigned char *src, size_t src_size)
1755{
1756 size_t num_blocks;
1757 size_t block_num = 0;
1758 size_t dst_offset = 0;
1759 unsigned char last_block[3];
1760
1761 if (src_size == 0) {
1762 (*dst_size) = 0;
1763 goto out;
1764 }
1765 num_blocks = (src_size / 3);
1766 if ((src_size % 3) == 0) {
1767 memcpy(last_block, (&src[src_size - 3]), 3);
1768 } else {
1769 num_blocks++;
1770 last_block[2] = 0x00;
1771 switch (src_size % 3) {
1772 case 1:
1773 last_block[0] = src[src_size - 1];
1774 last_block[1] = 0x00;
1775 break;
1776 case 2:
1777 last_block[0] = src[src_size - 2];
1778 last_block[1] = src[src_size - 1];
1779 }
1780 }
1781 (*dst_size) = (num_blocks * 4);
1782 if (!dst)
1783 goto out;
1784 while (block_num < num_blocks) {
1785 unsigned char *src_block;
1786 unsigned char dst_block[4];
1787
1788 if (block_num == (num_blocks - 1))
1789 src_block = last_block;
1790 else
1791 src_block = &src[block_num * 3];
1792 dst_block[0] = ((src_block[0] >> 2) & 0x3F);
1793 dst_block[1] = (((src_block[0] << 4) & 0x30)
1794 | ((src_block[1] >> 4) & 0x0F));
1795 dst_block[2] = (((src_block[1] << 2) & 0x3C)
1796 | ((src_block[2] >> 6) & 0x03));
1797 dst_block[3] = (src_block[2] & 0x3F);
1798 dst[dst_offset++] = portable_filename_chars[dst_block[0]];
1799 dst[dst_offset++] = portable_filename_chars[dst_block[1]];
1800 dst[dst_offset++] = portable_filename_chars[dst_block[2]];
1801 dst[dst_offset++] = portable_filename_chars[dst_block[3]];
1802 block_num++;
1803 }
1804out:
1805 return;
1806}
1807
1808static size_t ecryptfs_max_decoded_size(size_t encoded_size)
1809{
1810
1811
1812
1813
1814
1815
1816 return ((encoded_size + 1) * 3) / 4;
1817}
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828static void
1829ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
1830 const unsigned char *src, size_t src_size)
1831{
1832 u8 current_bit_offset = 0;
1833 size_t src_byte_offset = 0;
1834 size_t dst_byte_offset = 0;
1835
1836 if (!dst) {
1837 (*dst_size) = ecryptfs_max_decoded_size(src_size);
1838 goto out;
1839 }
1840 while (src_byte_offset < src_size) {
1841 unsigned char src_byte =
1842 filename_rev_map[(int)src[src_byte_offset]];
1843
1844 switch (current_bit_offset) {
1845 case 0:
1846 dst[dst_byte_offset] = (src_byte << 2);
1847 current_bit_offset = 6;
1848 break;
1849 case 6:
1850 dst[dst_byte_offset++] |= (src_byte >> 4);
1851 dst[dst_byte_offset] = ((src_byte & 0xF)
1852 << 4);
1853 current_bit_offset = 4;
1854 break;
1855 case 4:
1856 dst[dst_byte_offset++] |= (src_byte >> 2);
1857 dst[dst_byte_offset] = (src_byte << 6);
1858 current_bit_offset = 2;
1859 break;
1860 case 2:
1861 dst[dst_byte_offset++] |= (src_byte);
1862 current_bit_offset = 0;
1863 break;
1864 }
1865 src_byte_offset++;
1866 }
1867 (*dst_size) = dst_byte_offset;
1868out:
1869 return;
1870}
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888int ecryptfs_encrypt_and_encode_filename(
1889 char **encoded_name,
1890 size_t *encoded_name_size,
1891 struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
1892 const char *name, size_t name_size)
1893{
1894 size_t encoded_name_no_prefix_size;
1895 int rc = 0;
1896
1897 (*encoded_name) = NULL;
1898 (*encoded_name_size) = 0;
1899 if (mount_crypt_stat && (mount_crypt_stat->flags
1900 & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)) {
1901 struct ecryptfs_filename *filename;
1902
1903 filename = kzalloc(sizeof(*filename), GFP_KERNEL);
1904 if (!filename) {
1905 rc = -ENOMEM;
1906 goto out;
1907 }
1908 filename->filename = (char *)name;
1909 filename->filename_size = name_size;
1910 rc = ecryptfs_encrypt_filename(filename, mount_crypt_stat);
1911 if (rc) {
1912 printk(KERN_ERR "%s: Error attempting to encrypt "
1913 "filename; rc = [%d]\n", __func__, rc);
1914 kfree(filename);
1915 goto out;
1916 }
1917 ecryptfs_encode_for_filename(
1918 NULL, &encoded_name_no_prefix_size,
1919 filename->encrypted_filename,
1920 filename->encrypted_filename_size);
1921 if (mount_crypt_stat
1922 && (mount_crypt_stat->flags
1923 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))
1924 (*encoded_name_size) =
1925 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
1926 + encoded_name_no_prefix_size);
1927 else
1928 (*encoded_name_size) =
1929 (ECRYPTFS_FEK_ENCRYPTED_FILENAME_PREFIX_SIZE
1930 + encoded_name_no_prefix_size);
1931 (*encoded_name) = kmalloc((*encoded_name_size) + 1, GFP_KERNEL);
1932 if (!(*encoded_name)) {
1933 rc = -ENOMEM;
1934 kfree(filename->encrypted_filename);
1935 kfree(filename);
1936 goto out;
1937 }
1938 if (mount_crypt_stat
1939 && (mount_crypt_stat->flags
1940 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)) {
1941 memcpy((*encoded_name),
1942 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
1943 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE);
1944 ecryptfs_encode_for_filename(
1945 ((*encoded_name)
1946 + ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE),
1947 &encoded_name_no_prefix_size,
1948 filename->encrypted_filename,
1949 filename->encrypted_filename_size);
1950 (*encoded_name_size) =
1951 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
1952 + encoded_name_no_prefix_size);
1953 (*encoded_name)[(*encoded_name_size)] = '\0';
1954 } else {
1955 rc = -EOPNOTSUPP;
1956 }
1957 if (rc) {
1958 printk(KERN_ERR "%s: Error attempting to encode "
1959 "encrypted filename; rc = [%d]\n", __func__,
1960 rc);
1961 kfree((*encoded_name));
1962 (*encoded_name) = NULL;
1963 (*encoded_name_size) = 0;
1964 }
1965 kfree(filename->encrypted_filename);
1966 kfree(filename);
1967 } else {
1968 rc = ecryptfs_copy_filename(encoded_name,
1969 encoded_name_size,
1970 name, name_size);
1971 }
1972out:
1973 return rc;
1974}
1975
1976static bool is_dot_dotdot(const char *name, size_t name_size)
1977{
1978 if (name_size == 1 && name[0] == '.')
1979 return true;
1980 else if (name_size == 2 && name[0] == '.' && name[1] == '.')
1981 return true;
1982
1983 return false;
1984}
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998int ecryptfs_decode_and_decrypt_filename(char **plaintext_name,
1999 size_t *plaintext_name_size,
2000 struct super_block *sb,
2001 const char *name, size_t name_size)
2002{
2003 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
2004 &ecryptfs_superblock_to_private(sb)->mount_crypt_stat;
2005 char *decoded_name;
2006 size_t decoded_name_size;
2007 size_t packet_size;
2008 int rc = 0;
2009
2010 if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) &&
2011 !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)) {
2012 if (is_dot_dotdot(name, name_size)) {
2013 rc = ecryptfs_copy_filename(plaintext_name,
2014 plaintext_name_size,
2015 name, name_size);
2016 goto out;
2017 }
2018
2019 if (name_size <= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE ||
2020 strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
2021 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE)) {
2022 rc = -EINVAL;
2023 goto out;
2024 }
2025
2026 name += ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2027 name_size -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2028 ecryptfs_decode_from_filename(NULL, &decoded_name_size,
2029 name, name_size);
2030 decoded_name = kmalloc(decoded_name_size, GFP_KERNEL);
2031 if (!decoded_name) {
2032 rc = -ENOMEM;
2033 goto out;
2034 }
2035 ecryptfs_decode_from_filename(decoded_name, &decoded_name_size,
2036 name, name_size);
2037 rc = ecryptfs_parse_tag_70_packet(plaintext_name,
2038 plaintext_name_size,
2039 &packet_size,
2040 mount_crypt_stat,
2041 decoded_name,
2042 decoded_name_size);
2043 if (rc) {
2044 ecryptfs_printk(KERN_DEBUG,
2045 "%s: Could not parse tag 70 packet from filename\n",
2046 __func__);
2047 goto out_free;
2048 }
2049 } else {
2050 rc = ecryptfs_copy_filename(plaintext_name,
2051 plaintext_name_size,
2052 name, name_size);
2053 goto out;
2054 }
2055out_free:
2056 kfree(decoded_name);
2057out:
2058 return rc;
2059}
2060
2061#define ENC_NAME_MAX_BLOCKLEN_8_OR_16 143
2062
2063int ecryptfs_set_f_namelen(long *namelen, long lower_namelen,
2064 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
2065{
2066 struct crypto_skcipher *tfm;
2067 struct mutex *tfm_mutex;
2068 size_t cipher_blocksize;
2069 int rc;
2070
2071 if (!(mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)) {
2072 (*namelen) = lower_namelen;
2073 return 0;
2074 }
2075
2076 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&tfm, &tfm_mutex,
2077 mount_crypt_stat->global_default_fn_cipher_name);
2078 if (unlikely(rc)) {
2079 (*namelen) = 0;
2080 return rc;
2081 }
2082
2083 mutex_lock(tfm_mutex);
2084 cipher_blocksize = crypto_skcipher_blocksize(tfm);
2085 mutex_unlock(tfm_mutex);
2086
2087
2088 if (lower_namelen == NAME_MAX
2089 && (cipher_blocksize == 8 || cipher_blocksize == 16)) {
2090 (*namelen) = ENC_NAME_MAX_BLOCKLEN_8_OR_16;
2091 return 0;
2092 }
2093
2094
2095 (*namelen) = lower_namelen;
2096 (*namelen) -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2097
2098 (*namelen) = ecryptfs_max_decoded_size(*namelen) - 3;
2099 (*namelen) -= ECRYPTFS_TAG_70_MAX_METADATA_SIZE;
2100 (*namelen) -= ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES;
2101
2102 (*namelen) -= cipher_blocksize - 1;
2103
2104 if ((*namelen) < 0)
2105 (*namelen) = 0;
2106
2107 return 0;
2108}
2109