Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
crypto.c
Go to the documentation of this file.
1 
26 #include <linux/fs.h>
27 #include <linux/mount.h>
28 #include <linux/pagemap.h>
29 #include <linux/random.h>
30 #include <linux/compiler.h>
31 #include <linux/key.h>
32 #include <linux/namei.h>
33 #include <linux/crypto.h>
34 #include <linux/file.h>
35 #include <linux/scatterlist.h>
36 #include <linux/slab.h>
37 #include <asm/unaligned.h>
38 #include "ecryptfs_kernel.h"
39 
40 static int
41 ecryptfs_decrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat,
42  struct page *dst_page, int dst_offset,
43  struct page *src_page, int src_offset, int size,
44  unsigned char *iv);
45 static int
46 ecryptfs_encrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat,
47  struct page *dst_page, int dst_offset,
48  struct page *src_page, int src_offset, int size,
49  unsigned char *iv);
50 
58 void ecryptfs_to_hex(char *dst, char *src, size_t src_size)
59 {
60  int x;
61 
62  for (x = 0; x < src_size; x++)
63  sprintf(&dst[x * 2], "%.2x", (unsigned char)src[x]);
64 }
65 
73 void ecryptfs_from_hex(char *dst, char *src, int dst_size)
74 {
75  int x;
76  char tmp[3] = { 0, };
77 
78  for (x = 0; x < dst_size; x++) {
79  tmp[0] = src[x * 2];
80  tmp[1] = src[x * 2 + 1];
81  dst[x] = (unsigned char)simple_strtol(tmp, NULL, 16);
82  }
83 }
84 
95 static int ecryptfs_calculate_md5(char *dst,
96  struct ecryptfs_crypt_stat *crypt_stat,
97  char *src, int len)
98 {
99  struct scatterlist sg;
100  struct hash_desc desc = {
101  .tfm = crypt_stat->hash_tfm,
102  .flags = CRYPTO_TFM_REQ_MAY_SLEEP
103  };
104  int rc = 0;
105 
106  mutex_lock(&crypt_stat->cs_hash_tfm_mutex);
107  sg_init_one(&sg, (u8 *)src, len);
108  if (!desc.tfm) {
109  desc.tfm = crypto_alloc_hash(ECRYPTFS_DEFAULT_HASH, 0,
110  CRYPTO_ALG_ASYNC);
111  if (IS_ERR(desc.tfm)) {
112  rc = PTR_ERR(desc.tfm);
113  ecryptfs_printk(KERN_ERR, "Error attempting to "
114  "allocate crypto context; rc = [%d]\n",
115  rc);
116  goto out;
117  }
118  crypt_stat->hash_tfm = desc.tfm;
119  }
120  rc = crypto_hash_init(&desc);
121  if (rc) {
122  printk(KERN_ERR
123  "%s: Error initializing crypto hash; rc = [%d]\n",
124  __func__, rc);
125  goto out;
126  }
127  rc = crypto_hash_update(&desc, &sg, len);
128  if (rc) {
129  printk(KERN_ERR
130  "%s: Error updating crypto hash; rc = [%d]\n",
131  __func__, rc);
132  goto out;
133  }
134  rc = crypto_hash_final(&desc, dst);
135  if (rc) {
136  printk(KERN_ERR
137  "%s: Error finalizing crypto hash; rc = [%d]\n",
138  __func__, rc);
139  goto out;
140  }
141 out:
142  mutex_unlock(&crypt_stat->cs_hash_tfm_mutex);
143  return rc;
144 }
145 
146 static int ecryptfs_crypto_api_algify_cipher_name(char **algified_name,
147  char *cipher_name,
148  char *chaining_modifier)
149 {
150  int cipher_name_len = strlen(cipher_name);
151  int chaining_modifier_len = strlen(chaining_modifier);
152  int algified_name_len;
153  int rc;
154 
155  algified_name_len = (chaining_modifier_len + cipher_name_len + 3);
156  (*algified_name) = kmalloc(algified_name_len, GFP_KERNEL);
157  if (!(*algified_name)) {
158  rc = -ENOMEM;
159  goto out;
160  }
161  snprintf((*algified_name), algified_name_len, "%s(%s)",
162  chaining_modifier, cipher_name);
163  rc = 0;
164 out:
165  return rc;
166 }
167 
179 int ecryptfs_derive_iv(char *iv, struct ecryptfs_crypt_stat *crypt_stat,
180  loff_t offset)
181 {
182  int rc = 0;
183  char dst[MD5_DIGEST_SIZE];
184  char src[ECRYPTFS_MAX_IV_BYTES + 16];
185 
186  if (unlikely(ecryptfs_verbosity > 0)) {
187  ecryptfs_printk(KERN_DEBUG, "root iv:\n");
188  ecryptfs_dump_hex(crypt_stat->root_iv, crypt_stat->iv_bytes);
189  }
190  /* TODO: It is probably secure to just cast the least
191  * significant bits of the root IV into an unsigned long and
192  * add the offset to that rather than go through all this
193  * hashing business. -Halcrow */
194  memcpy(src, crypt_stat->root_iv, crypt_stat->iv_bytes);
195  memset((src + crypt_stat->iv_bytes), 0, 16);
196  snprintf((src + crypt_stat->iv_bytes), 16, "%lld", offset);
197  if (unlikely(ecryptfs_verbosity > 0)) {
198  ecryptfs_printk(KERN_DEBUG, "source:\n");
199  ecryptfs_dump_hex(src, (crypt_stat->iv_bytes + 16));
200  }
201  rc = ecryptfs_calculate_md5(dst, crypt_stat, src,
202  (crypt_stat->iv_bytes + 16));
203  if (rc) {
204  ecryptfs_printk(KERN_WARNING, "Error attempting to compute "
205  "MD5 while generating IV for a page\n");
206  goto out;
207  }
208  memcpy(iv, dst, crypt_stat->iv_bytes);
209  if (unlikely(ecryptfs_verbosity > 0)) {
210  ecryptfs_printk(KERN_DEBUG, "derived iv:\n");
211  ecryptfs_dump_hex(iv, crypt_stat->iv_bytes);
212  }
213 out:
214  return rc;
215 }
216 
223 void
224 ecryptfs_init_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat)
225 {
226  memset((void *)crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));
227  INIT_LIST_HEAD(&crypt_stat->keysig_list);
228  mutex_init(&crypt_stat->keysig_list_mutex);
229  mutex_init(&crypt_stat->cs_mutex);
230  mutex_init(&crypt_stat->cs_tfm_mutex);
231  mutex_init(&crypt_stat->cs_hash_tfm_mutex);
232  crypt_stat->flags |= ECRYPTFS_STRUCT_INITIALIZED;
233 }
234 
241 void ecryptfs_destroy_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat)
242 {
243  struct ecryptfs_key_sig *key_sig, *key_sig_tmp;
244 
245  if (crypt_stat->tfm)
246  crypto_free_blkcipher(crypt_stat->tfm);
247  if (crypt_stat->hash_tfm)
248  crypto_free_hash(crypt_stat->hash_tfm);
249  list_for_each_entry_safe(key_sig, key_sig_tmp,
250  &crypt_stat->keysig_list, crypt_stat_list) {
251  list_del(&key_sig->crypt_stat_list);
252  kmem_cache_free(ecryptfs_key_sig_cache, key_sig);
253  }
254  memset(crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));
255 }
256 
257 void ecryptfs_destroy_mount_crypt_stat(
258  struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
259 {
260  struct ecryptfs_global_auth_tok *auth_tok, *auth_tok_tmp;
261 
262  if (!(mount_crypt_stat->flags & ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED))
263  return;
264  mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
265  list_for_each_entry_safe(auth_tok, auth_tok_tmp,
266  &mount_crypt_stat->global_auth_tok_list,
267  mount_crypt_stat_list) {
268  list_del(&auth_tok->mount_crypt_stat_list);
269  if (auth_tok->global_auth_tok_key
270  && !(auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID))
271  key_put(auth_tok->global_auth_tok_key);
272  kmem_cache_free(ecryptfs_global_auth_tok_cache, auth_tok);
273  }
274  mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
275  memset(mount_crypt_stat, 0, sizeof(struct ecryptfs_mount_crypt_stat));
276 }
277 
291 int virt_to_scatterlist(const void *addr, int size, struct scatterlist *sg,
292  int sg_size)
293 {
294  int i = 0;
295  struct page *pg;
296  int offset;
297  int remainder_of_page;
298 
299  sg_init_table(sg, sg_size);
300 
301  while (size > 0 && i < sg_size) {
302  pg = virt_to_page(addr);
303  offset = offset_in_page(addr);
304  if (sg)
305  sg_set_page(&sg[i], pg, 0, offset);
306  remainder_of_page = PAGE_CACHE_SIZE - offset;
307  if (size >= remainder_of_page) {
308  if (sg)
309  sg[i].length = remainder_of_page;
310  addr += remainder_of_page;
311  size -= remainder_of_page;
312  } else {
313  if (sg)
314  sg[i].length = size;
315  addr += size;
316  size = 0;
317  }
318  i++;
319  }
320  if (size > 0)
321  return -ENOMEM;
322  return i;
323 }
324 
335 static int encrypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat,
336  struct scatterlist *dest_sg,
337  struct scatterlist *src_sg, int size,
338  unsigned char *iv)
339 {
340  struct blkcipher_desc desc = {
341  .tfm = crypt_stat->tfm,
342  .info = iv,
343  .flags = CRYPTO_TFM_REQ_MAY_SLEEP
344  };
345  int rc = 0;
346 
347  BUG_ON(!crypt_stat || !crypt_stat->tfm
348  || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED));
349  if (unlikely(ecryptfs_verbosity > 0)) {
350  ecryptfs_printk(KERN_DEBUG, "Key size [%zd]; key:\n",
351  crypt_stat->key_size);
352  ecryptfs_dump_hex(crypt_stat->key,
353  crypt_stat->key_size);
354  }
355  /* Consider doing this once, when the file is opened */
356  mutex_lock(&crypt_stat->cs_tfm_mutex);
357  if (!(crypt_stat->flags & ECRYPTFS_KEY_SET)) {
358  rc = crypto_blkcipher_setkey(crypt_stat->tfm, crypt_stat->key,
359  crypt_stat->key_size);
360  crypt_stat->flags |= ECRYPTFS_KEY_SET;
361  }
362  if (rc) {
363  ecryptfs_printk(KERN_ERR, "Error setting key; rc = [%d]\n",
364  rc);
365  mutex_unlock(&crypt_stat->cs_tfm_mutex);
366  rc = -EINVAL;
367  goto out;
368  }
369  ecryptfs_printk(KERN_DEBUG, "Encrypting [%d] bytes.\n", size);
370  crypto_blkcipher_encrypt_iv(&desc, dest_sg, src_sg, size);
371  mutex_unlock(&crypt_stat->cs_tfm_mutex);
372 out:
373  return rc;
374 }
375 
381 static void ecryptfs_lower_offset_for_extent(loff_t *offset, loff_t extent_num,
382  struct ecryptfs_crypt_stat *crypt_stat)
383 {
384  (*offset) = ecryptfs_lower_header_size(crypt_stat)
385  + (crypt_stat->extent_size * extent_num);
386 }
387 
401 static int ecryptfs_encrypt_extent(struct page *enc_extent_page,
402  struct ecryptfs_crypt_stat *crypt_stat,
403  struct page *page,
404  unsigned long extent_offset)
405 {
406  loff_t extent_base;
407  char extent_iv[ECRYPTFS_MAX_IV_BYTES];
408  int rc;
409 
410  extent_base = (((loff_t)page->index)
411  * (PAGE_CACHE_SIZE / crypt_stat->extent_size));
412  rc = ecryptfs_derive_iv(extent_iv, crypt_stat,
413  (extent_base + extent_offset));
414  if (rc) {
415  ecryptfs_printk(KERN_ERR, "Error attempting to derive IV for "
416  "extent [0x%.16llx]; rc = [%d]\n",
417  (unsigned long long)(extent_base + extent_offset), rc);
418  goto out;
419  }
420  rc = ecryptfs_encrypt_page_offset(crypt_stat, enc_extent_page, 0,
421  page, (extent_offset
422  * crypt_stat->extent_size),
423  crypt_stat->extent_size, extent_iv);
424  if (rc < 0) {
425  printk(KERN_ERR "%s: Error attempting to encrypt page with "
426  "page->index = [%ld], extent_offset = [%ld]; "
427  "rc = [%d]\n", __func__, page->index, extent_offset,
428  rc);
429  goto out;
430  }
431  rc = 0;
432 out:
433  return rc;
434 }
435 
452 int ecryptfs_encrypt_page(struct page *page)
453 {
454  struct inode *ecryptfs_inode;
455  struct ecryptfs_crypt_stat *crypt_stat;
456  char *enc_extent_virt;
457  struct page *enc_extent_page = NULL;
458  loff_t extent_offset;
459  int rc = 0;
460 
461  ecryptfs_inode = page->mapping->host;
462  crypt_stat =
463  &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
464  BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED));
465  enc_extent_page = alloc_page(GFP_USER);
466  if (!enc_extent_page) {
467  rc = -ENOMEM;
468  ecryptfs_printk(KERN_ERR, "Error allocating memory for "
469  "encrypted extent\n");
470  goto out;
471  }
472  enc_extent_virt = kmap(enc_extent_page);
473  for (extent_offset = 0;
474  extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size);
475  extent_offset++) {
476  loff_t offset;
477 
478  rc = ecryptfs_encrypt_extent(enc_extent_page, crypt_stat, page,
479  extent_offset);
480  if (rc) {
481  printk(KERN_ERR "%s: Error encrypting extent; "
482  "rc = [%d]\n", __func__, rc);
483  goto out;
484  }
485  ecryptfs_lower_offset_for_extent(
486  &offset, ((((loff_t)page->index)
487  * (PAGE_CACHE_SIZE
488  / crypt_stat->extent_size))
489  + extent_offset), crypt_stat);
490  rc = ecryptfs_write_lower(ecryptfs_inode, enc_extent_virt,
491  offset, crypt_stat->extent_size);
492  if (rc < 0) {
493  ecryptfs_printk(KERN_ERR, "Error attempting "
494  "to write lower page; rc = [%d]"
495  "\n", rc);
496  goto out;
497  }
498  }
499  rc = 0;
500 out:
501  if (enc_extent_page) {
502  kunmap(enc_extent_page);
503  __free_page(enc_extent_page);
504  }
505  return rc;
506 }
507 
508 static int ecryptfs_decrypt_extent(struct page *page,
509  struct ecryptfs_crypt_stat *crypt_stat,
510  struct page *enc_extent_page,
511  unsigned long extent_offset)
512 {
513  loff_t extent_base;
514  char extent_iv[ECRYPTFS_MAX_IV_BYTES];
515  int rc;
516 
517  extent_base = (((loff_t)page->index)
518  * (PAGE_CACHE_SIZE / crypt_stat->extent_size));
519  rc = ecryptfs_derive_iv(extent_iv, crypt_stat,
520  (extent_base + extent_offset));
521  if (rc) {
522  ecryptfs_printk(KERN_ERR, "Error attempting to derive IV for "
523  "extent [0x%.16llx]; rc = [%d]\n",
524  (unsigned long long)(extent_base + extent_offset), rc);
525  goto out;
526  }
527  rc = ecryptfs_decrypt_page_offset(crypt_stat, page,
528  (extent_offset
529  * crypt_stat->extent_size),
530  enc_extent_page, 0,
531  crypt_stat->extent_size, extent_iv);
532  if (rc < 0) {
533  printk(KERN_ERR "%s: Error attempting to decrypt to page with "
534  "page->index = [%ld], extent_offset = [%ld]; "
535  "rc = [%d]\n", __func__, page->index, extent_offset,
536  rc);
537  goto out;
538  }
539  rc = 0;
540 out:
541  return rc;
542 }
543 
560 int ecryptfs_decrypt_page(struct page *page)
561 {
562  struct inode *ecryptfs_inode;
563  struct ecryptfs_crypt_stat *crypt_stat;
564  char *enc_extent_virt;
565  struct page *enc_extent_page = NULL;
566  unsigned long extent_offset;
567  int rc = 0;
568 
569  ecryptfs_inode = page->mapping->host;
570  crypt_stat =
571  &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
572  BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED));
573  enc_extent_page = alloc_page(GFP_USER);
574  if (!enc_extent_page) {
575  rc = -ENOMEM;
576  ecryptfs_printk(KERN_ERR, "Error allocating memory for "
577  "encrypted extent\n");
578  goto out;
579  }
580  enc_extent_virt = kmap(enc_extent_page);
581  for (extent_offset = 0;
582  extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size);
583  extent_offset++) {
584  loff_t offset;
585 
586  ecryptfs_lower_offset_for_extent(
587  &offset, ((page->index * (PAGE_CACHE_SIZE
588  / crypt_stat->extent_size))
589  + extent_offset), crypt_stat);
590  rc = ecryptfs_read_lower(enc_extent_virt, offset,
591  crypt_stat->extent_size,
592  ecryptfs_inode);
593  if (rc < 0) {
594  ecryptfs_printk(KERN_ERR, "Error attempting "
595  "to read lower page; rc = [%d]"
596  "\n", rc);
597  goto out;
598  }
599  rc = ecryptfs_decrypt_extent(page, crypt_stat, enc_extent_page,
600  extent_offset);
601  if (rc) {
602  printk(KERN_ERR "%s: Error encrypting extent; "
603  "rc = [%d]\n", __func__, rc);
604  goto out;
605  }
606  }
607 out:
608  if (enc_extent_page) {
609  kunmap(enc_extent_page);
610  __free_page(enc_extent_page);
611  }
612  return rc;
613 }
614 
625 static int decrypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat,
626  struct scatterlist *dest_sg,
627  struct scatterlist *src_sg, int size,
628  unsigned char *iv)
629 {
630  struct blkcipher_desc desc = {
631  .tfm = crypt_stat->tfm,
632  .info = iv,
633  .flags = CRYPTO_TFM_REQ_MAY_SLEEP
634  };
635  int rc = 0;
636 
637  /* Consider doing this once, when the file is opened */
638  mutex_lock(&crypt_stat->cs_tfm_mutex);
639  rc = crypto_blkcipher_setkey(crypt_stat->tfm, crypt_stat->key,
640  crypt_stat->key_size);
641  if (rc) {
642  ecryptfs_printk(KERN_ERR, "Error setting key; rc = [%d]\n",
643  rc);
644  mutex_unlock(&crypt_stat->cs_tfm_mutex);
645  rc = -EINVAL;
646  goto out;
647  }
648  ecryptfs_printk(KERN_DEBUG, "Decrypting [%d] bytes.\n", size);
649  rc = crypto_blkcipher_decrypt_iv(&desc, dest_sg, src_sg, size);
650  mutex_unlock(&crypt_stat->cs_tfm_mutex);
651  if (rc) {
652  ecryptfs_printk(KERN_ERR, "Error decrypting; rc = [%d]\n",
653  rc);
654  goto out;
655  }
656  rc = size;
657 out:
658  return rc;
659 }
660 
673 static int
674 ecryptfs_encrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat,
675  struct page *dst_page, int dst_offset,
676  struct page *src_page, int src_offset, int size,
677  unsigned char *iv)
678 {
679  struct scatterlist src_sg, dst_sg;
680 
681  sg_init_table(&src_sg, 1);
682  sg_init_table(&dst_sg, 1);
683 
684  sg_set_page(&src_sg, src_page, size, src_offset);
685  sg_set_page(&dst_sg, dst_page, size, dst_offset);
686  return encrypt_scatterlist(crypt_stat, &dst_sg, &src_sg, size, iv);
687 }
688 
701 static int
702 ecryptfs_decrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat,
703  struct page *dst_page, int dst_offset,
704  struct page *src_page, int src_offset, int size,
705  unsigned char *iv)
706 {
707  struct scatterlist src_sg, dst_sg;
708 
709  sg_init_table(&src_sg, 1);
710  sg_set_page(&src_sg, src_page, size, src_offset);
711 
712  sg_init_table(&dst_sg, 1);
713  sg_set_page(&dst_sg, dst_page, size, dst_offset);
714 
715  return decrypt_scatterlist(crypt_stat, &dst_sg, &src_sg, size, iv);
716 }
717 
718 #define ECRYPTFS_MAX_SCATTERLIST_LEN 4
719 
729 int ecryptfs_init_crypt_ctx(struct ecryptfs_crypt_stat *crypt_stat)
730 {
731  char *full_alg_name;
732  int rc = -EINVAL;
733 
734  if (!crypt_stat->cipher) {
735  ecryptfs_printk(KERN_ERR, "No cipher specified\n");
736  goto out;
737  }
738  ecryptfs_printk(KERN_DEBUG,
739  "Initializing cipher [%s]; strlen = [%d]; "
740  "key_size_bits = [%zd]\n",
741  crypt_stat->cipher, (int)strlen(crypt_stat->cipher),
742  crypt_stat->key_size << 3);
743  if (crypt_stat->tfm) {
744  rc = 0;
745  goto out;
746  }
747  mutex_lock(&crypt_stat->cs_tfm_mutex);
748  rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name,
749  crypt_stat->cipher, "cbc");
750  if (rc)
751  goto out_unlock;
752  crypt_stat->tfm = crypto_alloc_blkcipher(full_alg_name, 0,
753  CRYPTO_ALG_ASYNC);
754  kfree(full_alg_name);
755  if (IS_ERR(crypt_stat->tfm)) {
756  rc = PTR_ERR(crypt_stat->tfm);
757  crypt_stat->tfm = NULL;
758  ecryptfs_printk(KERN_ERR, "cryptfs: init_crypt_ctx(): "
759  "Error initializing cipher [%s]\n",
760  crypt_stat->cipher);
761  goto out_unlock;
762  }
763  crypto_blkcipher_set_flags(crypt_stat->tfm, CRYPTO_TFM_REQ_WEAK_KEY);
764  rc = 0;
765 out_unlock:
766  mutex_unlock(&crypt_stat->cs_tfm_mutex);
767 out:
768  return rc;
769 }
770 
771 static void set_extent_mask_and_shift(struct ecryptfs_crypt_stat *crypt_stat)
772 {
773  int extent_size_tmp;
774 
775  crypt_stat->extent_mask = 0xFFFFFFFF;
776  crypt_stat->extent_shift = 0;
777  if (crypt_stat->extent_size == 0)
778  return;
779  extent_size_tmp = crypt_stat->extent_size;
780  while ((extent_size_tmp & 0x01) == 0) {
781  extent_size_tmp >>= 1;
782  crypt_stat->extent_mask <<= 1;
783  crypt_stat->extent_shift++;
784  }
785 }
786 
787 void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat)
788 {
789  /* Default values; may be overwritten as we are parsing the
790  * packets. */
791  crypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE;
792  set_extent_mask_and_shift(crypt_stat);
793  crypt_stat->iv_bytes = ECRYPTFS_DEFAULT_IV_BYTES;
794  if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
795  crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
796  else {
797  if (PAGE_CACHE_SIZE <= ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)
798  crypt_stat->metadata_size =
799  ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
800  else
801  crypt_stat->metadata_size = PAGE_CACHE_SIZE;
802  }
803 }
804 
811 int ecryptfs_compute_root_iv(struct ecryptfs_crypt_stat *crypt_stat)
812 {
813  int rc = 0;
814  char dst[MD5_DIGEST_SIZE];
815 
816  BUG_ON(crypt_stat->iv_bytes > MD5_DIGEST_SIZE);
817  BUG_ON(crypt_stat->iv_bytes <= 0);
818  if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {
819  rc = -EINVAL;
820  ecryptfs_printk(KERN_WARNING, "Session key not valid; "
821  "cannot generate root IV\n");
822  goto out;
823  }
824  rc = ecryptfs_calculate_md5(dst, crypt_stat, crypt_stat->key,
825  crypt_stat->key_size);
826  if (rc) {
827  ecryptfs_printk(KERN_WARNING, "Error attempting to compute "
828  "MD5 while generating root IV\n");
829  goto out;
830  }
831  memcpy(crypt_stat->root_iv, dst, crypt_stat->iv_bytes);
832 out:
833  if (rc) {
834  memset(crypt_stat->root_iv, 0, crypt_stat->iv_bytes);
835  crypt_stat->flags |= ECRYPTFS_SECURITY_WARNING;
836  }
837  return rc;
838 }
839 
840 static void ecryptfs_generate_new_key(struct ecryptfs_crypt_stat *crypt_stat)
841 {
842  get_random_bytes(crypt_stat->key, crypt_stat->key_size);
843  crypt_stat->flags |= ECRYPTFS_KEY_VALID;
844  ecryptfs_compute_root_iv(crypt_stat);
845  if (unlikely(ecryptfs_verbosity > 0)) {
846  ecryptfs_printk(KERN_DEBUG, "Generated new session key:\n");
847  ecryptfs_dump_hex(crypt_stat->key,
848  crypt_stat->key_size);
849  }
850 }
851 
860 static void ecryptfs_copy_mount_wide_flags_to_inode_flags(
861  struct ecryptfs_crypt_stat *crypt_stat,
862  struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
863 {
864  if (mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED)
865  crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
866  if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
867  crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED;
868  if (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) {
869  crypt_stat->flags |= ECRYPTFS_ENCRYPT_FILENAMES;
870  if (mount_crypt_stat->flags
871  & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)
872  crypt_stat->flags |= ECRYPTFS_ENCFN_USE_MOUNT_FNEK;
873  else if (mount_crypt_stat->flags
874  & ECRYPTFS_GLOBAL_ENCFN_USE_FEK)
875  crypt_stat->flags |= ECRYPTFS_ENCFN_USE_FEK;
876  }
877 }
878 
879 static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs(
880  struct ecryptfs_crypt_stat *crypt_stat,
881  struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
882 {
883  struct ecryptfs_global_auth_tok *global_auth_tok;
884  int rc = 0;
885 
886  mutex_lock(&crypt_stat->keysig_list_mutex);
887  mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
888 
889  list_for_each_entry(global_auth_tok,
890  &mount_crypt_stat->global_auth_tok_list,
891  mount_crypt_stat_list) {
892  if (global_auth_tok->flags & ECRYPTFS_AUTH_TOK_FNEK)
893  continue;
894  rc = ecryptfs_add_keysig(crypt_stat, global_auth_tok->sig);
895  if (rc) {
896  printk(KERN_ERR "Error adding keysig; rc = [%d]\n", rc);
897  goto out;
898  }
899  }
900 
901 out:
902  mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
903  mutex_unlock(&crypt_stat->keysig_list_mutex);
904  return rc;
905 }
906 
914 static void ecryptfs_set_default_crypt_stat_vals(
915  struct ecryptfs_crypt_stat *crypt_stat,
916  struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
917 {
918  ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
919  mount_crypt_stat);
920  ecryptfs_set_default_sizes(crypt_stat);
921  strcpy(crypt_stat->cipher, ECRYPTFS_DEFAULT_CIPHER);
922  crypt_stat->key_size = ECRYPTFS_DEFAULT_KEY_BYTES;
923  crypt_stat->flags &= ~(ECRYPTFS_KEY_VALID);
924  crypt_stat->file_version = ECRYPTFS_FILE_VERSION;
925  crypt_stat->mount_crypt_stat = mount_crypt_stat;
926 }
927 
947 int ecryptfs_new_file_context(struct inode *ecryptfs_inode)
948 {
949  struct ecryptfs_crypt_stat *crypt_stat =
950  &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
951  struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
952  &ecryptfs_superblock_to_private(
953  ecryptfs_inode->i_sb)->mount_crypt_stat;
954  int cipher_name_len;
955  int rc = 0;
956 
957  ecryptfs_set_default_crypt_stat_vals(crypt_stat, mount_crypt_stat);
958  crypt_stat->flags |= (ECRYPTFS_ENCRYPTED | ECRYPTFS_KEY_VALID);
959  ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
960  mount_crypt_stat);
961  rc = ecryptfs_copy_mount_wide_sigs_to_inode_sigs(crypt_stat,
962  mount_crypt_stat);
963  if (rc) {
964  printk(KERN_ERR "Error attempting to copy mount-wide key sigs "
965  "to the inode key sigs; rc = [%d]\n", rc);
966  goto out;
967  }
968  cipher_name_len =
969  strlen(mount_crypt_stat->global_default_cipher_name);
970  memcpy(crypt_stat->cipher,
971  mount_crypt_stat->global_default_cipher_name,
972  cipher_name_len);
973  crypt_stat->cipher[cipher_name_len] = '\0';
974  crypt_stat->key_size =
975  mount_crypt_stat->global_default_cipher_key_size;
976  ecryptfs_generate_new_key(crypt_stat);
977  rc = ecryptfs_init_crypt_ctx(crypt_stat);
978  if (rc)
979  ecryptfs_printk(KERN_ERR, "Error initializing cryptographic "
980  "context for cipher [%s]: rc = [%d]\n",
981  crypt_stat->cipher, rc);
982 out:
983  return rc;
984 }
985 
992 static int ecryptfs_validate_marker(char *data)
993 {
994  u32 m_1, m_2;
995 
996  m_1 = get_unaligned_be32(data);
997  m_2 = get_unaligned_be32(data + 4);
998  if ((m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2)
999  return 0;
1000  ecryptfs_printk(KERN_DEBUG, "m_1 = [0x%.8x]; m_2 = [0x%.8x]; "
1001  "MAGIC_ECRYPTFS_MARKER = [0x%.8x]\n", m_1, m_2,
1002  MAGIC_ECRYPTFS_MARKER);
1003  ecryptfs_printk(KERN_DEBUG, "(m_1 ^ MAGIC_ECRYPTFS_MARKER) = "
1004  "[0x%.8x]\n", (m_1 ^ MAGIC_ECRYPTFS_MARKER));
1005  return -EINVAL;
1006 }
1007 
1008 struct ecryptfs_flag_map_elem {
1009  u32 file_flag;
1010  u32 local_flag;
1011 };
1012 
1013 /* Add support for additional flags by adding elements here. */
1014 static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = {
1015  {0x00000001, ECRYPTFS_ENABLE_HMAC},
1016  {0x00000002, ECRYPTFS_ENCRYPTED},
1017  {0x00000004, ECRYPTFS_METADATA_IN_XATTR},
1018  {0x00000008, ECRYPTFS_ENCRYPT_FILENAMES}
1019 };
1020 
1029 static int ecryptfs_process_flags(struct ecryptfs_crypt_stat *crypt_stat,
1030  char *page_virt, int *bytes_read)
1031 {
1032  int rc = 0;
1033  int i;
1034  u32 flags;
1035 
1036  flags = get_unaligned_be32(page_virt);
1037  for (i = 0; i < ((sizeof(ecryptfs_flag_map)
1038  / sizeof(struct ecryptfs_flag_map_elem))); i++)
1039  if (flags & ecryptfs_flag_map[i].file_flag) {
1040  crypt_stat->flags |= ecryptfs_flag_map[i].local_flag;
1041  } else
1042  crypt_stat->flags &= ~(ecryptfs_flag_map[i].local_flag);
1043  /* Version is in top 8 bits of the 32-bit flag vector */
1044  crypt_stat->file_version = ((flags >> 24) & 0xFF);
1045  (*bytes_read) = 4;
1046  return rc;
1047 }
1048 
1056 static void write_ecryptfs_marker(char *page_virt, size_t *written)
1057 {
1058  u32 m_1, m_2;
1059 
1060  get_random_bytes(&m_1, (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2));
1061  m_2 = (m_1 ^ MAGIC_ECRYPTFS_MARKER);
1062  put_unaligned_be32(m_1, page_virt);
1063  page_virt += (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2);
1064  put_unaligned_be32(m_2, page_virt);
1065  (*written) = MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;
1066 }
1067 
1068 void ecryptfs_write_crypt_stat_flags(char *page_virt,
1069  struct ecryptfs_crypt_stat *crypt_stat,
1070  size_t *written)
1071 {
1072  u32 flags = 0;
1073  int i;
1074 
1075  for (i = 0; i < ((sizeof(ecryptfs_flag_map)
1076  / sizeof(struct ecryptfs_flag_map_elem))); i++)
1077  if (crypt_stat->flags & ecryptfs_flag_map[i].local_flag)
1078  flags |= ecryptfs_flag_map[i].file_flag;
1079  /* Version is in top 8 bits of the 32-bit flag vector */
1080  flags |= ((((u8)crypt_stat->file_version) << 24) & 0xFF000000);
1081  put_unaligned_be32(flags, page_virt);
1082  (*written) = 4;
1083 }
1084 
1085 struct ecryptfs_cipher_code_str_map_elem {
1086  char cipher_str[16];
1087  u8 cipher_code;
1088 };
1089 
1090 /* Add support for additional ciphers by adding elements here. The
1091  * cipher_code is whatever OpenPGP applicatoins use to identify the
1092  * ciphers. List in order of probability. */
1093 static struct ecryptfs_cipher_code_str_map_elem
1094 ecryptfs_cipher_code_str_map[] = {
1095  {"aes",RFC2440_CIPHER_AES_128 },
1096  {"blowfish", RFC2440_CIPHER_BLOWFISH},
1097  {"des3_ede", RFC2440_CIPHER_DES3_EDE},
1098  {"cast5", RFC2440_CIPHER_CAST_5},
1099  {"twofish", RFC2440_CIPHER_TWOFISH},
1100  {"cast6", RFC2440_CIPHER_CAST_6},
1101  {"aes", RFC2440_CIPHER_AES_192},
1102  {"aes", RFC2440_CIPHER_AES_256}
1103 };
1104 
1112 u8 ecryptfs_code_for_cipher_string(char *cipher_name, size_t key_bytes)
1113 {
1114  int i;
1115  u8 code = 0;
1116  struct ecryptfs_cipher_code_str_map_elem *map =
1117  ecryptfs_cipher_code_str_map;
1118 
1119  if (strcmp(cipher_name, "aes") == 0) {
1120  switch (key_bytes) {
1121  case 16:
1122  code = RFC2440_CIPHER_AES_128;
1123  break;
1124  case 24:
1125  code = RFC2440_CIPHER_AES_192;
1126  break;
1127  case 32:
1128  code = RFC2440_CIPHER_AES_256;
1129  }
1130  } else {
1131  for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++)
1132  if (strcmp(cipher_name, map[i].cipher_str) == 0) {
1133  code = map[i].cipher_code;
1134  break;
1135  }
1136  }
1137  return code;
1138 }
1139 
1147 int ecryptfs_cipher_code_to_string(char *str, u8 cipher_code)
1148 {
1149  int rc = 0;
1150  int i;
1151 
1152  str[0] = '\0';
1153  for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++)
1154  if (cipher_code == ecryptfs_cipher_code_str_map[i].cipher_code)
1155  strcpy(str, ecryptfs_cipher_code_str_map[i].cipher_str);
1156  if (str[0] == '\0') {
1157  ecryptfs_printk(KERN_WARNING, "Cipher code not recognized: "
1158  "[%d]\n", cipher_code);
1159  rc = -EINVAL;
1160  }
1161  return rc;
1162 }
1163 
1164 int ecryptfs_read_and_validate_header_region(struct inode *inode)
1165 {
1166  u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES];
1167  u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES;
1168  int rc;
1169 
1170  rc = ecryptfs_read_lower(file_size, 0, ECRYPTFS_SIZE_AND_MARKER_BYTES,
1171  inode);
1172  if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
1173  return rc >= 0 ? -EINVAL : rc;
1174  rc = ecryptfs_validate_marker(marker);
1175  if (!rc)
1176  ecryptfs_i_size_init(file_size, inode);
1177  return rc;
1178 }
1179 
1180 void
1181 ecryptfs_write_header_metadata(char *virt,
1182  struct ecryptfs_crypt_stat *crypt_stat,
1183  size_t *written)
1184 {
1185  u32 header_extent_size;
1186  u16 num_header_extents_at_front;
1187 
1188  header_extent_size = (u32)crypt_stat->extent_size;
1189  num_header_extents_at_front =
1190  (u16)(crypt_stat->metadata_size / crypt_stat->extent_size);
1191  put_unaligned_be32(header_extent_size, virt);
1192  virt += 4;
1193  put_unaligned_be16(num_header_extents_at_front, virt);
1194  (*written) = 6;
1195 }
1196 
1197 struct kmem_cache *ecryptfs_header_cache;
1198 
1230 static int ecryptfs_write_headers_virt(char *page_virt, size_t max,
1231  size_t *size,
1232  struct ecryptfs_crypt_stat *crypt_stat,
1233  struct dentry *ecryptfs_dentry)
1234 {
1235  int rc;
1236  size_t written;
1237  size_t offset;
1238 
1239  offset = ECRYPTFS_FILE_SIZE_BYTES;
1240  write_ecryptfs_marker((page_virt + offset), &written);
1241  offset += written;
1242  ecryptfs_write_crypt_stat_flags((page_virt + offset), crypt_stat,
1243  &written);
1244  offset += written;
1245  ecryptfs_write_header_metadata((page_virt + offset), crypt_stat,
1246  &written);
1247  offset += written;
1248  rc = ecryptfs_generate_key_packet_set((page_virt + offset), crypt_stat,
1249  ecryptfs_dentry, &written,
1250  max - offset);
1251  if (rc)
1252  ecryptfs_printk(KERN_WARNING, "Error generating key packet "
1253  "set; rc = [%d]\n", rc);
1254  if (size) {
1255  offset += written;
1256  *size = offset;
1257  }
1258  return rc;
1259 }
1260 
1261 static int
1262 ecryptfs_write_metadata_to_contents(struct inode *ecryptfs_inode,
1263  char *virt, size_t virt_len)
1264 {
1265  int rc;
1266 
1267  rc = ecryptfs_write_lower(ecryptfs_inode, virt,
1268  0, virt_len);
1269  if (rc < 0)
1270  printk(KERN_ERR "%s: Error attempting to write header "
1271  "information to lower file; rc = [%d]\n", __func__, rc);
1272  else
1273  rc = 0;
1274  return rc;
1275 }
1276 
1277 static int
1278 ecryptfs_write_metadata_to_xattr(struct dentry *ecryptfs_dentry,
1279  char *page_virt, size_t size)
1280 {
1281  int rc;
1282 
1283  rc = ecryptfs_setxattr(ecryptfs_dentry, ECRYPTFS_XATTR_NAME, page_virt,
1284  size, 0);
1285  return rc;
1286 }
1287 
1288 static unsigned long ecryptfs_get_zeroed_pages(gfp_t gfp_mask,
1289  unsigned int order)
1290 {
1291  struct page *page;
1292 
1293  page = alloc_pages(gfp_mask | __GFP_ZERO, order);
1294  if (page)
1295  return (unsigned long) page_address(page);
1296  return 0;
1297 }
1298 
1312 int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry,
1313  struct inode *ecryptfs_inode)
1314 {
1315  struct ecryptfs_crypt_stat *crypt_stat =
1316  &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
1317  unsigned int order;
1318  char *virt;
1319  size_t virt_len;
1320  size_t size = 0;
1321  int rc = 0;
1322 
1323  if (likely(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) {
1324  if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {
1325  printk(KERN_ERR "Key is invalid; bailing out\n");
1326  rc = -EINVAL;
1327  goto out;
1328  }
1329  } else {
1330  printk(KERN_WARNING "%s: Encrypted flag not set\n",
1331  __func__);
1332  rc = -EINVAL;
1333  goto out;
1334  }
1335  virt_len = crypt_stat->metadata_size;
1336  order = get_order(virt_len);
1337  /* Released in this function */
1338  virt = (char *)ecryptfs_get_zeroed_pages(GFP_KERNEL, order);
1339  if (!virt) {
1340  printk(KERN_ERR "%s: Out of memory\n", __func__);
1341  rc = -ENOMEM;
1342  goto out;
1343  }
1344  /* Zeroed page ensures the in-header unencrypted i_size is set to 0 */
1345  rc = ecryptfs_write_headers_virt(virt, virt_len, &size, crypt_stat,
1346  ecryptfs_dentry);
1347  if (unlikely(rc)) {
1348  printk(KERN_ERR "%s: Error whilst writing headers; rc = [%d]\n",
1349  __func__, rc);
1350  goto out_free;
1351  }
1352  if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
1353  rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, virt,
1354  size);
1355  else
1356  rc = ecryptfs_write_metadata_to_contents(ecryptfs_inode, virt,
1357  virt_len);
1358  if (rc) {
1359  printk(KERN_ERR "%s: Error writing metadata out to lower file; "
1360  "rc = [%d]\n", __func__, rc);
1361  goto out_free;
1362  }
1363 out_free:
1364  free_pages((unsigned long)virt, order);
1365 out:
1366  return rc;
1367 }
1368 
1369 #define ECRYPTFS_DONT_VALIDATE_HEADER_SIZE 0
1370 #define ECRYPTFS_VALIDATE_HEADER_SIZE 1
1371 static int parse_header_metadata(struct ecryptfs_crypt_stat *crypt_stat,
1372  char *virt, int *bytes_read,
1373  int validate_header_size)
1374 {
1375  int rc = 0;
1376  u32 header_extent_size;
1377  u16 num_header_extents_at_front;
1378 
1379  header_extent_size = get_unaligned_be32(virt);
1380  virt += sizeof(__be32);
1381  num_header_extents_at_front = get_unaligned_be16(virt);
1382  crypt_stat->metadata_size = (((size_t)num_header_extents_at_front
1383  * (size_t)header_extent_size));
1384  (*bytes_read) = (sizeof(__be32) + sizeof(__be16));
1385  if ((validate_header_size == ECRYPTFS_VALIDATE_HEADER_SIZE)
1386  && (crypt_stat->metadata_size
1387  < ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)) {
1388  rc = -EINVAL;
1389  printk(KERN_WARNING "Invalid header size: [%zd]\n",
1390  crypt_stat->metadata_size);
1391  }
1392  return rc;
1393 }
1394 
1403 static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat)
1404 {
1405  crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
1406 }
1407 
1408 void ecryptfs_i_size_init(const char *page_virt, struct inode *inode)
1409 {
1410  struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
1411  struct ecryptfs_crypt_stat *crypt_stat;
1412  u64 file_size;
1413 
1414  crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat;
1415  mount_crypt_stat =
1416  &ecryptfs_superblock_to_private(inode->i_sb)->mount_crypt_stat;
1417  if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) {
1418  file_size = i_size_read(ecryptfs_inode_to_lower(inode));
1419  if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
1420  file_size += crypt_stat->metadata_size;
1421  } else
1422  file_size = get_unaligned_be64(page_virt);
1423  i_size_write(inode, (loff_t)file_size);
1424  crypt_stat->flags |= ECRYPTFS_I_SIZE_INITIALIZED;
1425 }
1426 
1439 static int ecryptfs_read_headers_virt(char *page_virt,
1440  struct ecryptfs_crypt_stat *crypt_stat,
1441  struct dentry *ecryptfs_dentry,
1442  int validate_header_size)
1443 {
1444  int rc = 0;
1445  int offset;
1446  int bytes_read;
1447 
1448  ecryptfs_set_default_sizes(crypt_stat);
1449  crypt_stat->mount_crypt_stat = &ecryptfs_superblock_to_private(
1450  ecryptfs_dentry->d_sb)->mount_crypt_stat;
1451  offset = ECRYPTFS_FILE_SIZE_BYTES;
1452  rc = ecryptfs_validate_marker(page_virt + offset);
1453  if (rc)
1454  goto out;
1455  if (!(crypt_stat->flags & ECRYPTFS_I_SIZE_INITIALIZED))
1456  ecryptfs_i_size_init(page_virt, ecryptfs_dentry->d_inode);
1457  offset += MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;
1458  rc = ecryptfs_process_flags(crypt_stat, (page_virt + offset),
1459  &bytes_read);
1460  if (rc) {
1461  ecryptfs_printk(KERN_WARNING, "Error processing flags\n");
1462  goto out;
1463  }
1464  if (crypt_stat->file_version > ECRYPTFS_SUPPORTED_FILE_VERSION) {
1465  ecryptfs_printk(KERN_WARNING, "File version is [%d]; only "
1466  "file version [%d] is supported by this "
1467  "version of eCryptfs\n",
1468  crypt_stat->file_version,
1469  ECRYPTFS_SUPPORTED_FILE_VERSION);
1470  rc = -EINVAL;
1471  goto out;
1472  }
1473  offset += bytes_read;
1474  if (crypt_stat->file_version >= 1) {
1475  rc = parse_header_metadata(crypt_stat, (page_virt + offset),
1476  &bytes_read, validate_header_size);
1477  if (rc) {
1478  ecryptfs_printk(KERN_WARNING, "Error reading header "
1479  "metadata; rc = [%d]\n", rc);
1480  }
1481  offset += bytes_read;
1482  } else
1483  set_default_header_data(crypt_stat);
1484  rc = ecryptfs_parse_packet_set(crypt_stat, (page_virt + offset),
1485  ecryptfs_dentry);
1486 out:
1487  return rc;
1488 }
1489 
1500 int ecryptfs_read_xattr_region(char *page_virt, struct inode *ecryptfs_inode)
1501 {
1502  struct dentry *lower_dentry =
1503  ecryptfs_inode_to_private(ecryptfs_inode)->lower_file->f_dentry;
1504  ssize_t size;
1505  int rc = 0;
1506 
1507  size = ecryptfs_getxattr_lower(lower_dentry, ECRYPTFS_XATTR_NAME,
1508  page_virt, ECRYPTFS_DEFAULT_EXTENT_SIZE);
1509  if (size < 0) {
1510  if (unlikely(ecryptfs_verbosity > 0))
1511  printk(KERN_INFO "Error attempting to read the [%s] "
1512  "xattr from the lower file; return value = "
1513  "[%zd]\n", ECRYPTFS_XATTR_NAME, size);
1514  rc = -EINVAL;
1515  goto out;
1516  }
1517 out:
1518  return rc;
1519 }
1520 
1521 int ecryptfs_read_and_validate_xattr_region(struct dentry *dentry,
1522  struct inode *inode)
1523 {
1524  u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES];
1525  u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES;
1526  int rc;
1527 
1528  rc = ecryptfs_getxattr_lower(ecryptfs_dentry_to_lower(dentry),
1529  ECRYPTFS_XATTR_NAME, file_size,
1530  ECRYPTFS_SIZE_AND_MARKER_BYTES);
1531  if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
1532  return rc >= 0 ? -EINVAL : rc;
1533  rc = ecryptfs_validate_marker(marker);
1534  if (!rc)
1535  ecryptfs_i_size_init(file_size, inode);
1536  return rc;
1537 }
1538 
1551 int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)
1552 {
1553  int rc;
1554  char *page_virt;
1555  struct inode *ecryptfs_inode = ecryptfs_dentry->d_inode;
1556  struct ecryptfs_crypt_stat *crypt_stat =
1557  &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
1558  struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
1559  &ecryptfs_superblock_to_private(
1560  ecryptfs_dentry->d_sb)->mount_crypt_stat;
1561 
1562  ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
1563  mount_crypt_stat);
1564  /* Read the first page from the underlying file */
1565  page_virt = kmem_cache_alloc(ecryptfs_header_cache, GFP_USER);
1566  if (!page_virt) {
1567  rc = -ENOMEM;
1568  printk(KERN_ERR "%s: Unable to allocate page_virt\n",
1569  __func__);
1570  goto out;
1571  }
1572  rc = ecryptfs_read_lower(page_virt, 0, crypt_stat->extent_size,
1573  ecryptfs_inode);
1574  if (rc >= 0)
1575  rc = ecryptfs_read_headers_virt(page_virt, crypt_stat,
1576  ecryptfs_dentry,
1577  ECRYPTFS_VALIDATE_HEADER_SIZE);
1578  if (rc) {
1579  /* metadata is not in the file header, so try xattrs */
1580  memset(page_virt, 0, PAGE_CACHE_SIZE);
1581  rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode);
1582  if (rc) {
1583  printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1584  "file header region or xattr region, inode %lu\n",
1585  ecryptfs_inode->i_ino);
1586  rc = -EINVAL;
1587  goto out;
1588  }
1589  rc = ecryptfs_read_headers_virt(page_virt, crypt_stat,
1590  ecryptfs_dentry,
1591  ECRYPTFS_DONT_VALIDATE_HEADER_SIZE);
1592  if (rc) {
1593  printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1594  "file xattr region either, inode %lu\n",
1595  ecryptfs_inode->i_ino);
1596  rc = -EINVAL;
1597  }
1598  if (crypt_stat->mount_crypt_stat->flags
1599  & ECRYPTFS_XATTR_METADATA_ENABLED) {
1600  crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
1601  } else {
1602  printk(KERN_WARNING "Attempt to access file with "
1603  "crypto metadata only in the extended attribute "
1604  "region, but eCryptfs was mounted without "
1605  "xattr support enabled. eCryptfs will not treat "
1606  "this like an encrypted file, inode %lu\n",
1607  ecryptfs_inode->i_ino);
1608  rc = -EINVAL;
1609  }
1610  }
1611 out:
1612  if (page_virt) {
1613  memset(page_virt, 0, PAGE_CACHE_SIZE);
1614  kmem_cache_free(ecryptfs_header_cache, page_virt);
1615  }
1616  return rc;
1617 }
1618 
1628 static int
1629 ecryptfs_encrypt_filename(struct ecryptfs_filename *filename,
1630  struct ecryptfs_crypt_stat *crypt_stat,
1631  struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
1632 {
1633  int rc = 0;
1634 
1635  filename->encrypted_filename = NULL;
1636  filename->encrypted_filename_size = 0;
1637  if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
1638  || (mount_crypt_stat && (mount_crypt_stat->flags
1639  & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) {
1640  size_t packet_size;
1641  size_t remaining_bytes;
1642 
1643  rc = ecryptfs_write_tag_70_packet(
1644  NULL, NULL,
1645  &filename->encrypted_filename_size,
1646  mount_crypt_stat, NULL,
1647  filename->filename_size);
1648  if (rc) {
1649  printk(KERN_ERR "%s: Error attempting to get packet "
1650  "size for tag 72; rc = [%d]\n", __func__,
1651  rc);
1652  filename->encrypted_filename_size = 0;
1653  goto out;
1654  }
1655  filename->encrypted_filename =
1656  kmalloc(filename->encrypted_filename_size, GFP_KERNEL);
1657  if (!filename->encrypted_filename) {
1658  printk(KERN_ERR "%s: Out of memory whilst attempting "
1659  "to kmalloc [%zd] bytes\n", __func__,
1660  filename->encrypted_filename_size);
1661  rc = -ENOMEM;
1662  goto out;
1663  }
1664  remaining_bytes = filename->encrypted_filename_size;
1665  rc = ecryptfs_write_tag_70_packet(filename->encrypted_filename,
1666  &remaining_bytes,
1667  &packet_size,
1668  mount_crypt_stat,
1669  filename->filename,
1670  filename->filename_size);
1671  if (rc) {
1672  printk(KERN_ERR "%s: Error attempting to generate "
1673  "tag 70 packet; rc = [%d]\n", __func__,
1674  rc);
1675  kfree(filename->encrypted_filename);
1676  filename->encrypted_filename = NULL;
1677  filename->encrypted_filename_size = 0;
1678  goto out;
1679  }
1680  filename->encrypted_filename_size = packet_size;
1681  } else {
1682  printk(KERN_ERR "%s: No support for requested filename "
1683  "encryption method in this release\n", __func__);
1684  rc = -EOPNOTSUPP;
1685  goto out;
1686  }
1687 out:
1688  return rc;
1689 }
1690 
1691 static int ecryptfs_copy_filename(char **copied_name, size_t *copied_name_size,
1692  const char *name, size_t name_size)
1693 {
1694  int rc = 0;
1695 
1696  (*copied_name) = kmalloc((name_size + 1), GFP_KERNEL);
1697  if (!(*copied_name)) {
1698  rc = -ENOMEM;
1699  goto out;
1700  }
1701  memcpy((void *)(*copied_name), (void *)name, name_size);
1702  (*copied_name)[(name_size)] = '\0'; /* Only for convenience
1703  * in printing out the
1704  * string in debug
1705  * messages */
1706  (*copied_name_size) = name_size;
1707 out:
1708  return rc;
1709 }
1710 
1721 static int
1722 ecryptfs_process_key_cipher(struct crypto_blkcipher **key_tfm,
1723  char *cipher_name, size_t *key_size)
1724 {
1725  char dummy_key[ECRYPTFS_MAX_KEY_BYTES];
1726  char *full_alg_name = NULL;
1727  int rc;
1728 
1729  *key_tfm = NULL;
1730  if (*key_size > ECRYPTFS_MAX_KEY_BYTES) {
1731  rc = -EINVAL;
1732  printk(KERN_ERR "Requested key size is [%zd] bytes; maximum "
1733  "allowable is [%d]\n", *key_size, ECRYPTFS_MAX_KEY_BYTES);
1734  goto out;
1735  }
1736  rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, cipher_name,
1737  "ecb");
1738  if (rc)
1739  goto out;
1740  *key_tfm = crypto_alloc_blkcipher(full_alg_name, 0, CRYPTO_ALG_ASYNC);
1741  if (IS_ERR(*key_tfm)) {
1742  rc = PTR_ERR(*key_tfm);
1743  printk(KERN_ERR "Unable to allocate crypto cipher with name "
1744  "[%s]; rc = [%d]\n", full_alg_name, rc);
1745  goto out;
1746  }
1747  crypto_blkcipher_set_flags(*key_tfm, CRYPTO_TFM_REQ_WEAK_KEY);
1748  if (*key_size == 0) {
1749  struct blkcipher_alg *alg = crypto_blkcipher_alg(*key_tfm);
1750 
1751  *key_size = alg->max_keysize;
1752  }
1753  get_random_bytes(dummy_key, *key_size);
1754  rc = crypto_blkcipher_setkey(*key_tfm, dummy_key, *key_size);
1755  if (rc) {
1756  printk(KERN_ERR "Error attempting to set key of size [%zd] for "
1757  "cipher [%s]; rc = [%d]\n", *key_size, full_alg_name,
1758  rc);
1759  rc = -EINVAL;
1760  goto out;
1761  }
1762 out:
1763  kfree(full_alg_name);
1764  return rc;
1765 }
1766 
1767 struct kmem_cache *ecryptfs_key_tfm_cache;
1768 static struct list_head key_tfm_list;
1769 struct mutex key_tfm_list_mutex;
1770 
1771 int __init ecryptfs_init_crypto(void)
1772 {
1773  mutex_init(&key_tfm_list_mutex);
1774  INIT_LIST_HEAD(&key_tfm_list);
1775  return 0;
1776 }
1777 
1783 int ecryptfs_destroy_crypto(void)
1784 {
1785  struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp;
1786 
1787  mutex_lock(&key_tfm_list_mutex);
1788  list_for_each_entry_safe(key_tfm, key_tfm_tmp, &key_tfm_list,
1789  key_tfm_list) {
1790  list_del(&key_tfm->key_tfm_list);
1791  if (key_tfm->key_tfm)
1792  crypto_free_blkcipher(key_tfm->key_tfm);
1793  kmem_cache_free(ecryptfs_key_tfm_cache, key_tfm);
1794  }
1795  mutex_unlock(&key_tfm_list_mutex);
1796  return 0;
1797 }
1798 
1799 int
1800 ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name,
1801  size_t key_size)
1802 {
1803  struct ecryptfs_key_tfm *tmp_tfm;
1804  int rc = 0;
1805 
1806  BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1807 
1808  tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL);
1809  if (key_tfm != NULL)
1810  (*key_tfm) = tmp_tfm;
1811  if (!tmp_tfm) {
1812  rc = -ENOMEM;
1813  printk(KERN_ERR "Error attempting to allocate from "
1814  "ecryptfs_key_tfm_cache\n");
1815  goto out;
1816  }
1817  mutex_init(&tmp_tfm->key_tfm_mutex);
1818  strncpy(tmp_tfm->cipher_name, cipher_name,
1819  ECRYPTFS_MAX_CIPHER_NAME_SIZE);
1820  tmp_tfm->cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0';
1821  tmp_tfm->key_size = key_size;
1822  rc = ecryptfs_process_key_cipher(&tmp_tfm->key_tfm,
1823  tmp_tfm->cipher_name,
1824  &tmp_tfm->key_size);
1825  if (rc) {
1826  printk(KERN_ERR "Error attempting to initialize key TFM "
1827  "cipher with name = [%s]; rc = [%d]\n",
1828  tmp_tfm->cipher_name, rc);
1829  kmem_cache_free(ecryptfs_key_tfm_cache, tmp_tfm);
1830  if (key_tfm != NULL)
1831  (*key_tfm) = NULL;
1832  goto out;
1833  }
1834  list_add(&tmp_tfm->key_tfm_list, &key_tfm_list);
1835 out:
1836  return rc;
1837 }
1838 
1849 int ecryptfs_tfm_exists(char *cipher_name, struct ecryptfs_key_tfm **key_tfm)
1850 {
1851  struct ecryptfs_key_tfm *tmp_key_tfm;
1852 
1853  BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1854 
1855  list_for_each_entry(tmp_key_tfm, &key_tfm_list, key_tfm_list) {
1856  if (strcmp(tmp_key_tfm->cipher_name, cipher_name) == 0) {
1857  if (key_tfm)
1858  (*key_tfm) = tmp_key_tfm;
1859  return 1;
1860  }
1861  }
1862  if (key_tfm)
1863  (*key_tfm) = NULL;
1864  return 0;
1865 }
1866 
1878 int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm,
1879  struct mutex **tfm_mutex,
1880  char *cipher_name)
1881 {
1882  struct ecryptfs_key_tfm *key_tfm;
1883  int rc = 0;
1884 
1885  (*tfm) = NULL;
1886  (*tfm_mutex) = NULL;
1887 
1888  mutex_lock(&key_tfm_list_mutex);
1889  if (!ecryptfs_tfm_exists(cipher_name, &key_tfm)) {
1890  rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0);
1891  if (rc) {
1892  printk(KERN_ERR "Error adding new key_tfm to list; "
1893  "rc = [%d]\n", rc);
1894  goto out;
1895  }
1896  }
1897  (*tfm) = key_tfm->key_tfm;
1898  (*tfm_mutex) = &key_tfm->key_tfm_mutex;
1899 out:
1900  mutex_unlock(&key_tfm_list_mutex);
1901  return rc;
1902 }
1903 
1904 /* 64 characters forming a 6-bit target field */
1905 static unsigned char *portable_filename_chars = ("-.0123456789ABCD"
1906  "EFGHIJKLMNOPQRST"
1907  "UVWXYZabcdefghij"
1908  "klmnopqrstuvwxyz");
1909 
1910 /* We could either offset on every reverse map or just pad some 0x00's
1911  * at the front here */
1912 static const unsigned char filename_rev_map[256] = {
1913  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 7 */
1914  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 15 */
1915  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 23 */
1916  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 31 */
1917  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 39 */
1918  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, /* 47 */
1919  0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, /* 55 */
1920  0x0A, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 63 */
1921  0x00, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, /* 71 */
1922  0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, /* 79 */
1923  0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, /* 87 */
1924  0x23, 0x24, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, /* 95 */
1925  0x00, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, /* 103 */
1926  0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, /* 111 */
1927  0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, /* 119 */
1928  0x3D, 0x3E, 0x3F /* 123 - 255 initialized to 0x00 */
1929 };
1930 
1938 void ecryptfs_encode_for_filename(unsigned char *dst, size_t *dst_size,
1939  unsigned char *src, size_t src_size)
1940 {
1941  size_t num_blocks;
1942  size_t block_num = 0;
1943  size_t dst_offset = 0;
1944  unsigned char last_block[3];
1945 
1946  if (src_size == 0) {
1947  (*dst_size) = 0;
1948  goto out;
1949  }
1950  num_blocks = (src_size / 3);
1951  if ((src_size % 3) == 0) {
1952  memcpy(last_block, (&src[src_size - 3]), 3);
1953  } else {
1954  num_blocks++;
1955  last_block[2] = 0x00;
1956  switch (src_size % 3) {
1957  case 1:
1958  last_block[0] = src[src_size - 1];
1959  last_block[1] = 0x00;
1960  break;
1961  case 2:
1962  last_block[0] = src[src_size - 2];
1963  last_block[1] = src[src_size - 1];
1964  }
1965  }
1966  (*dst_size) = (num_blocks * 4);
1967  if (!dst)
1968  goto out;
1969  while (block_num < num_blocks) {
1970  unsigned char *src_block;
1971  unsigned char dst_block[4];
1972 
1973  if (block_num == (num_blocks - 1))
1974  src_block = last_block;
1975  else
1976  src_block = &src[block_num * 3];
1977  dst_block[0] = ((src_block[0] >> 2) & 0x3F);
1978  dst_block[1] = (((src_block[0] << 4) & 0x30)
1979  | ((src_block[1] >> 4) & 0x0F));
1980  dst_block[2] = (((src_block[1] << 2) & 0x3C)
1981  | ((src_block[2] >> 6) & 0x03));
1982  dst_block[3] = (src_block[2] & 0x3F);
1983  dst[dst_offset++] = portable_filename_chars[dst_block[0]];
1984  dst[dst_offset++] = portable_filename_chars[dst_block[1]];
1985  dst[dst_offset++] = portable_filename_chars[dst_block[2]];
1986  dst[dst_offset++] = portable_filename_chars[dst_block[3]];
1987  block_num++;
1988  }
1989 out:
1990  return;
1991 }
1992 
1993 static size_t ecryptfs_max_decoded_size(size_t encoded_size)
1994 {
1995  /* Not exact; conservatively long. Every block of 4
1996  * encoded characters decodes into a block of 3
1997  * decoded characters. This segment of code provides
1998  * the caller with the maximum amount of allocated
1999  * space that @dst will need to point to in a
2000  * subsequent call. */
2001  return ((encoded_size + 1) * 3) / 4;
2002 }
2003 
2013 static void
2014 ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
2015  const unsigned char *src, size_t src_size)
2016 {
2017  u8 current_bit_offset = 0;
2018  size_t src_byte_offset = 0;
2019  size_t dst_byte_offset = 0;
2020 
2021  if (dst == NULL) {
2022  (*dst_size) = ecryptfs_max_decoded_size(src_size);
2023  goto out;
2024  }
2025  while (src_byte_offset < src_size) {
2026  unsigned char src_byte =
2027  filename_rev_map[(int)src[src_byte_offset]];
2028 
2029  switch (current_bit_offset) {
2030  case 0:
2031  dst[dst_byte_offset] = (src_byte << 2);
2032  current_bit_offset = 6;
2033  break;
2034  case 6:
2035  dst[dst_byte_offset++] |= (src_byte >> 4);
2036  dst[dst_byte_offset] = ((src_byte & 0xF)
2037  << 4);
2038  current_bit_offset = 4;
2039  break;
2040  case 4:
2041  dst[dst_byte_offset++] |= (src_byte >> 2);
2042  dst[dst_byte_offset] = (src_byte << 6);
2043  current_bit_offset = 2;
2044  break;
2045  case 2:
2046  dst[dst_byte_offset++] |= (src_byte);
2047  dst[dst_byte_offset] = 0;
2048  current_bit_offset = 0;
2049  break;
2050  }
2051  src_byte_offset++;
2052  }
2053  (*dst_size) = dst_byte_offset;
2054 out:
2055  return;
2056 }
2057 
2073 int ecryptfs_encrypt_and_encode_filename(
2074  char **encoded_name,
2075  size_t *encoded_name_size,
2076  struct ecryptfs_crypt_stat *crypt_stat,
2077  struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
2078  const char *name, size_t name_size)
2079 {
2080  size_t encoded_name_no_prefix_size;
2081  int rc = 0;
2082 
2083  (*encoded_name) = NULL;
2084  (*encoded_name_size) = 0;
2085  if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCRYPT_FILENAMES))
2086  || (mount_crypt_stat && (mount_crypt_stat->flags
2087  & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES))) {
2088  struct ecryptfs_filename *filename;
2089 
2090  filename = kzalloc(sizeof(*filename), GFP_KERNEL);
2091  if (!filename) {
2092  printk(KERN_ERR "%s: Out of memory whilst attempting "
2093  "to kzalloc [%zd] bytes\n", __func__,
2094  sizeof(*filename));
2095  rc = -ENOMEM;
2096  goto out;
2097  }
2098  filename->filename = (char *)name;
2099  filename->filename_size = name_size;
2100  rc = ecryptfs_encrypt_filename(filename, crypt_stat,
2101  mount_crypt_stat);
2102  if (rc) {
2103  printk(KERN_ERR "%s: Error attempting to encrypt "
2104  "filename; rc = [%d]\n", __func__, rc);
2105  kfree(filename);
2106  goto out;
2107  }
2108  ecryptfs_encode_for_filename(
2109  NULL, &encoded_name_no_prefix_size,
2110  filename->encrypted_filename,
2111  filename->encrypted_filename_size);
2112  if ((crypt_stat && (crypt_stat->flags
2113  & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
2114  || (mount_crypt_stat
2115  && (mount_crypt_stat->flags
2116  & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)))
2117  (*encoded_name_size) =
2118  (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
2119  + encoded_name_no_prefix_size);
2120  else
2121  (*encoded_name_size) =
2122  (ECRYPTFS_FEK_ENCRYPTED_FILENAME_PREFIX_SIZE
2123  + encoded_name_no_prefix_size);
2124  (*encoded_name) = kmalloc((*encoded_name_size) + 1, GFP_KERNEL);
2125  if (!(*encoded_name)) {
2126  printk(KERN_ERR "%s: Out of memory whilst attempting "
2127  "to kzalloc [%zd] bytes\n", __func__,
2128  (*encoded_name_size));
2129  rc = -ENOMEM;
2130  kfree(filename->encrypted_filename);
2131  kfree(filename);
2132  goto out;
2133  }
2134  if ((crypt_stat && (crypt_stat->flags
2135  & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
2136  || (mount_crypt_stat
2137  && (mount_crypt_stat->flags
2138  & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) {
2139  memcpy((*encoded_name),
2140  ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
2141  ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE);
2142  ecryptfs_encode_for_filename(
2143  ((*encoded_name)
2144  + ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE),
2145  &encoded_name_no_prefix_size,
2146  filename->encrypted_filename,
2147  filename->encrypted_filename_size);
2148  (*encoded_name_size) =
2149  (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
2150  + encoded_name_no_prefix_size);
2151  (*encoded_name)[(*encoded_name_size)] = '\0';
2152  } else {
2153  rc = -EOPNOTSUPP;
2154  }
2155  if (rc) {
2156  printk(KERN_ERR "%s: Error attempting to encode "
2157  "encrypted filename; rc = [%d]\n", __func__,
2158  rc);
2159  kfree((*encoded_name));
2160  (*encoded_name) = NULL;
2161  (*encoded_name_size) = 0;
2162  }
2163  kfree(filename->encrypted_filename);
2164  kfree(filename);
2165  } else {
2166  rc = ecryptfs_copy_filename(encoded_name,
2167  encoded_name_size,
2168  name, name_size);
2169  }
2170 out:
2171  return rc;
2172 }
2173 
2186 int ecryptfs_decode_and_decrypt_filename(char **plaintext_name,
2187  size_t *plaintext_name_size,
2188  struct dentry *ecryptfs_dir_dentry,
2189  const char *name, size_t name_size)
2190 {
2191  struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
2192  &ecryptfs_superblock_to_private(
2193  ecryptfs_dir_dentry->d_sb)->mount_crypt_stat;
2194  char *decoded_name;
2195  size_t decoded_name_size;
2196  size_t packet_size;
2197  int rc = 0;
2198 
2199  if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)
2200  && !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
2201  && (name_size > ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE)
2202  && (strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
2203  ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) == 0)) {
2204  const char *orig_name = name;
2205  size_t orig_name_size = name_size;
2206 
2207  name += ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2208  name_size -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2209  ecryptfs_decode_from_filename(NULL, &decoded_name_size,
2210  name, name_size);
2211  decoded_name = kmalloc(decoded_name_size, GFP_KERNEL);
2212  if (!decoded_name) {
2213  printk(KERN_ERR "%s: Out of memory whilst attempting "
2214  "to kmalloc [%zd] bytes\n", __func__,
2215  decoded_name_size);
2216  rc = -ENOMEM;
2217  goto out;
2218  }
2219  ecryptfs_decode_from_filename(decoded_name, &decoded_name_size,
2220  name, name_size);
2221  rc = ecryptfs_parse_tag_70_packet(plaintext_name,
2222  plaintext_name_size,
2223  &packet_size,
2224  mount_crypt_stat,
2225  decoded_name,
2226  decoded_name_size);
2227  if (rc) {
2228  printk(KERN_INFO "%s: Could not parse tag 70 packet "
2229  "from filename; copying through filename "
2230  "as-is\n", __func__);
2231  rc = ecryptfs_copy_filename(plaintext_name,
2232  plaintext_name_size,
2233  orig_name, orig_name_size);
2234  goto out_free;
2235  }
2236  } else {
2237  rc = ecryptfs_copy_filename(plaintext_name,
2238  plaintext_name_size,
2239  name, name_size);
2240  goto out;
2241  }
2242 out_free:
2243  kfree(decoded_name);
2244 out:
2245  return rc;
2246 }
2247 
2248 #define ENC_NAME_MAX_BLOCKLEN_8_OR_16 143
2249 
2250 int ecryptfs_set_f_namelen(long *namelen, long lower_namelen,
2251  struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
2252 {
2253  struct blkcipher_desc desc;
2254  struct mutex *tfm_mutex;
2255  size_t cipher_blocksize;
2256  int rc;
2257 
2258  if (!(mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)) {
2259  (*namelen) = lower_namelen;
2260  return 0;
2261  }
2262 
2263  rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&desc.tfm, &tfm_mutex,
2264  mount_crypt_stat->global_default_fn_cipher_name);
2265  if (unlikely(rc)) {
2266  (*namelen) = 0;
2267  return rc;
2268  }
2269 
2270  mutex_lock(tfm_mutex);
2271  cipher_blocksize = crypto_blkcipher_blocksize(desc.tfm);
2272  mutex_unlock(tfm_mutex);
2273 
2274  /* Return an exact amount for the common cases */
2275  if (lower_namelen == NAME_MAX
2276  && (cipher_blocksize == 8 || cipher_blocksize == 16)) {
2277  (*namelen) = ENC_NAME_MAX_BLOCKLEN_8_OR_16;
2278  return 0;
2279  }
2280 
2281  /* Return a safe estimate for the uncommon cases */
2282  (*namelen) = lower_namelen;
2283  (*namelen) -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2284  /* Since this is the max decoded size, subtract 1 "decoded block" len */
2285  (*namelen) = ecryptfs_max_decoded_size(*namelen) - 3;
2286  (*namelen) -= ECRYPTFS_TAG_70_MAX_METADATA_SIZE;
2287  (*namelen) -= ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES;
2288  /* Worst case is that the filename is padded nearly a full block size */
2289  (*namelen) -= cipher_blocksize - 1;
2290 
2291  if ((*namelen) < 0)
2292  (*namelen) = 0;
2293 
2294  return 0;
2295 }
Generated on Thu Jan 10 2013 14:38:52 for Linux Kernel by   doxygen 1.8.2