Eric Lee / smarc-ti-linux-kernel

Download as
Browse Code ยป

Commit 298647e31af52e795867a399fa049cebd88067ff

Authored by Linus Torvalds
2 parents 5c68eac68b 942080643b
Exists in ti-lsk-linux-4.1.y and in 10 other branches dlt-processor-sdk-linux-03.00.00.04, processor-sdk-linux-02.00.01, smarc-ti-lsk-linux-4.1.y, smarct3x-processor-sdk-04.01.00.06, smarct3x-processor-sdk-linux-02.00.01, smarct3x-processor-sdk-linux-03.00.00.04, smarct4x-800-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-04.01.00.06, smarct4x-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-linux-03.00.00.04

Merge tag 'ecryptfs-3.19-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel… 

…/git/tyhicks/ecryptfs

Pull eCryptfs fixes from Tyler Hicks:
 "Fixes for filename decryption and encrypted view plus a cleanup

   - The filename decryption routines were, at times, writing a zero
     byte one character past the end of the filename buffer

   - The encrypted view feature attempted, and failed, to roll its own
     form of enforcing a read-only mount instead of letting the VFS
     enforce it"

* tag 'ecryptfs-3.19-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs:
  eCryptfs: Remove buggy and unnecessary write in file name decode routine
  eCryptfs: Remove unnecessary casts when parsing packet lengths
  eCryptfs: Force RO mount when encrypted view is enabled

Showing 4 changed files Inline Diff

fs/ecryptfs/crypto.c
Diff comments   View file @ 298647e
1 /** 1 /**
2 * eCryptfs: Linux filesystem encryption layer 2 * eCryptfs: Linux filesystem encryption layer
3 * 3 *
4 * Copyright (C) 1997-2004 Erez Zadok 4 * Copyright (C) 1997-2004 Erez Zadok
5 * Copyright (C) 2001-2004 Stony Brook University 5 * Copyright (C) 2001-2004 Stony Brook University
6 * Copyright (C) 2004-2007 International Business Machines Corp. 6 * Copyright (C) 2004-2007 International Business Machines Corp.
7 * Author(s): Michael A. Halcrow <mahalcro@us.ibm.com> 7 * Author(s): Michael A. Halcrow <mahalcro@us.ibm.com>
8 * Michael C. Thompson <mcthomps@us.ibm.com> 8 * Michael C. Thompson <mcthomps@us.ibm.com>
9 * 9 *
10 * This program is free software; you can redistribute it and/or 10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License as 11 * modify it under the terms of the GNU General Public License as
12 * published by the Free Software Foundation; either version 2 of the 12 * published by the Free Software Foundation; either version 2 of the
13 * License, or (at your option) any later version. 13 * License, or (at your option) any later version.
14 * 14 *
15 * This program is distributed in the hope that it will be useful, but 15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of 16 * WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 * General Public License for more details. 18 * General Public License for more details.
19 * 19 *
20 * You should have received a copy of the GNU General Public License 20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software 21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
23 * 02111-1307, USA. 23 * 02111-1307, USA.
24 */ 24 */
25 25
26 #include <linux/fs.h> 26 #include <linux/fs.h>
27 #include <linux/mount.h> 27 #include <linux/mount.h>
28 #include <linux/pagemap.h> 28 #include <linux/pagemap.h>
29 #include <linux/random.h> 29 #include <linux/random.h>
30 #include <linux/compiler.h> 30 #include <linux/compiler.h>
31 #include <linux/key.h> 31 #include <linux/key.h>
32 #include <linux/namei.h> 32 #include <linux/namei.h>
33 #include <linux/crypto.h> 33 #include <linux/crypto.h>
34 #include <linux/file.h> 34 #include <linux/file.h>
35 #include <linux/scatterlist.h> 35 #include <linux/scatterlist.h>
36 #include <linux/slab.h> 36 #include <linux/slab.h>
37 #include <asm/unaligned.h> 37 #include <asm/unaligned.h>
38 #include "ecryptfs_kernel.h" 38 #include "ecryptfs_kernel.h"
39 39
40 #define DECRYPT 0 40 #define DECRYPT 0
41 #define ENCRYPT 1 41 #define ENCRYPT 1
42 42
43 /** 43 /**
44 * ecryptfs_to_hex 44 * ecryptfs_to_hex
45 * @dst: Buffer to take hex character representation of contents of 45 * @dst: Buffer to take hex character representation of contents of
46 * src; must be at least of size (src_size * 2) 46 * src; must be at least of size (src_size * 2)
47 * @src: Buffer to be converted to a hex string respresentation 47 * @src: Buffer to be converted to a hex string respresentation
48 * @src_size: number of bytes to convert 48 * @src_size: number of bytes to convert
49 */ 49 */
50 void ecryptfs_to_hex(char *dst, char *src, size_t src_size) 50 void ecryptfs_to_hex(char *dst, char *src, size_t src_size)
51 { 51 {
52 int x; 52 int x;
53 53
54 for (x = 0; x < src_size; x++) 54 for (x = 0; x < src_size; x++)
55 sprintf(&dst[x * 2], "%.2x", (unsigned char)src[x]); 55 sprintf(&dst[x * 2], "%.2x", (unsigned char)src[x]);
56 } 56 }
57 57
58 /** 58 /**
59 * ecryptfs_from_hex 59 * ecryptfs_from_hex
60 * @dst: Buffer to take the bytes from src hex; must be at least of 60 * @dst: Buffer to take the bytes from src hex; must be at least of
61 * size (src_size / 2) 61 * size (src_size / 2)
62 * @src: Buffer to be converted from a hex string respresentation to raw value 62 * @src: Buffer to be converted from a hex string respresentation to raw value
63 * @dst_size: size of dst buffer, or number of hex characters pairs to convert 63 * @dst_size: size of dst buffer, or number of hex characters pairs to convert
64 */ 64 */
65 void ecryptfs_from_hex(char *dst, char *src, int dst_size) 65 void ecryptfs_from_hex(char *dst, char *src, int dst_size)
66 { 66 {
67 int x; 67 int x;
68 char tmp[3] = { 0, }; 68 char tmp[3] = { 0, };
69 69
70 for (x = 0; x < dst_size; x++) { 70 for (x = 0; x < dst_size; x++) {
71 tmp[0] = src[x * 2]; 71 tmp[0] = src[x * 2];
72 tmp[1] = src[x * 2 + 1]; 72 tmp[1] = src[x * 2 + 1];
73 dst[x] = (unsigned char)simple_strtol(tmp, NULL, 16); 73 dst[x] = (unsigned char)simple_strtol(tmp, NULL, 16);
74 } 74 }
75 } 75 }
76 76
77 /** 77 /**
78 * ecryptfs_calculate_md5 - calculates the md5 of @src 78 * ecryptfs_calculate_md5 - calculates the md5 of @src
79 * @dst: Pointer to 16 bytes of allocated memory 79 * @dst: Pointer to 16 bytes of allocated memory
80 * @crypt_stat: Pointer to crypt_stat struct for the current inode 80 * @crypt_stat: Pointer to crypt_stat struct for the current inode
81 * @src: Data to be md5'd 81 * @src: Data to be md5'd
82 * @len: Length of @src 82 * @len: Length of @src
83 * 83 *
84 * Uses the allocated crypto context that crypt_stat references to 84 * Uses the allocated crypto context that crypt_stat references to
85 * generate the MD5 sum of the contents of src. 85 * generate the MD5 sum of the contents of src.
86 */ 86 */
87 static int ecryptfs_calculate_md5(char *dst, 87 static int ecryptfs_calculate_md5(char *dst,
88 struct ecryptfs_crypt_stat *crypt_stat, 88 struct ecryptfs_crypt_stat *crypt_stat,
89 char *src, int len) 89 char *src, int len)
90 { 90 {
91 struct scatterlist sg; 91 struct scatterlist sg;
92 struct hash_desc desc = { 92 struct hash_desc desc = {
93 .tfm = crypt_stat->hash_tfm, 93 .tfm = crypt_stat->hash_tfm,
94 .flags = CRYPTO_TFM_REQ_MAY_SLEEP 94 .flags = CRYPTO_TFM_REQ_MAY_SLEEP
95 }; 95 };
96 int rc = 0; 96 int rc = 0;
97 97
98 mutex_lock(&crypt_stat->cs_hash_tfm_mutex); 98 mutex_lock(&crypt_stat->cs_hash_tfm_mutex);
99 sg_init_one(&sg, (u8 *)src, len); 99 sg_init_one(&sg, (u8 *)src, len);
100 if (!desc.tfm) { 100 if (!desc.tfm) {
101 desc.tfm = crypto_alloc_hash(ECRYPTFS_DEFAULT_HASH, 0, 101 desc.tfm = crypto_alloc_hash(ECRYPTFS_DEFAULT_HASH, 0,
102 CRYPTO_ALG_ASYNC); 102 CRYPTO_ALG_ASYNC);
103 if (IS_ERR(desc.tfm)) { 103 if (IS_ERR(desc.tfm)) {
104 rc = PTR_ERR(desc.tfm); 104 rc = PTR_ERR(desc.tfm);
105 ecryptfs_printk(KERN_ERR, "Error attempting to " 105 ecryptfs_printk(KERN_ERR, "Error attempting to "
106 "allocate crypto context; rc = [%d]\n", 106 "allocate crypto context; rc = [%d]\n",
107 rc); 107 rc);
108 goto out; 108 goto out;
109 } 109 }
110 crypt_stat->hash_tfm = desc.tfm; 110 crypt_stat->hash_tfm = desc.tfm;
111 } 111 }
112 rc = crypto_hash_init(&desc); 112 rc = crypto_hash_init(&desc);
113 if (rc) { 113 if (rc) {
114 printk(KERN_ERR 114 printk(KERN_ERR
115 "%s: Error initializing crypto hash; rc = [%d]\n", 115 "%s: Error initializing crypto hash; rc = [%d]\n",
116 __func__, rc); 116 __func__, rc);
117 goto out; 117 goto out;
118 } 118 }
119 rc = crypto_hash_update(&desc, &sg, len); 119 rc = crypto_hash_update(&desc, &sg, len);
120 if (rc) { 120 if (rc) {
121 printk(KERN_ERR 121 printk(KERN_ERR
122 "%s: Error updating crypto hash; rc = [%d]\n", 122 "%s: Error updating crypto hash; rc = [%d]\n",
123 __func__, rc); 123 __func__, rc);
124 goto out; 124 goto out;
125 } 125 }
126 rc = crypto_hash_final(&desc, dst); 126 rc = crypto_hash_final(&desc, dst);
127 if (rc) { 127 if (rc) {
128 printk(KERN_ERR 128 printk(KERN_ERR
129 "%s: Error finalizing crypto hash; rc = [%d]\n", 129 "%s: Error finalizing crypto hash; rc = [%d]\n",
130 __func__, rc); 130 __func__, rc);
131 goto out; 131 goto out;
132 } 132 }
133 out: 133 out:
134 mutex_unlock(&crypt_stat->cs_hash_tfm_mutex); 134 mutex_unlock(&crypt_stat->cs_hash_tfm_mutex);
135 return rc; 135 return rc;
136 } 136 }
137 137
138 static int ecryptfs_crypto_api_algify_cipher_name(char **algified_name, 138 static int ecryptfs_crypto_api_algify_cipher_name(char **algified_name,
139 char *cipher_name, 139 char *cipher_name,
140 char *chaining_modifier) 140 char *chaining_modifier)
141 { 141 {
142 int cipher_name_len = strlen(cipher_name); 142 int cipher_name_len = strlen(cipher_name);
143 int chaining_modifier_len = strlen(chaining_modifier); 143 int chaining_modifier_len = strlen(chaining_modifier);
144 int algified_name_len; 144 int algified_name_len;
145 int rc; 145 int rc;
146 146
147 algified_name_len = (chaining_modifier_len + cipher_name_len + 3); 147 algified_name_len = (chaining_modifier_len + cipher_name_len + 3);
148 (*algified_name) = kmalloc(algified_name_len, GFP_KERNEL); 148 (*algified_name) = kmalloc(algified_name_len, GFP_KERNEL);
149 if (!(*algified_name)) { 149 if (!(*algified_name)) {
150 rc = -ENOMEM; 150 rc = -ENOMEM;
151 goto out; 151 goto out;
152 } 152 }
153 snprintf((*algified_name), algified_name_len, "%s(%s)", 153 snprintf((*algified_name), algified_name_len, "%s(%s)",
154 chaining_modifier, cipher_name); 154 chaining_modifier, cipher_name);
155 rc = 0; 155 rc = 0;
156 out: 156 out:
157 return rc; 157 return rc;
158 } 158 }
159 159
160 /** 160 /**
161 * ecryptfs_derive_iv 161 * ecryptfs_derive_iv
162 * @iv: destination for the derived iv vale 162 * @iv: destination for the derived iv vale
163 * @crypt_stat: Pointer to crypt_stat struct for the current inode 163 * @crypt_stat: Pointer to crypt_stat struct for the current inode
164 * @offset: Offset of the extent whose IV we are to derive 164 * @offset: Offset of the extent whose IV we are to derive
165 * 165 *
166 * Generate the initialization vector from the given root IV and page 166 * Generate the initialization vector from the given root IV and page
167 * offset. 167 * offset.
168 * 168 *
169 * Returns zero on success; non-zero on error. 169 * Returns zero on success; non-zero on error.
170 */ 170 */
171 int ecryptfs_derive_iv(char *iv, struct ecryptfs_crypt_stat *crypt_stat, 171 int ecryptfs_derive_iv(char *iv, struct ecryptfs_crypt_stat *crypt_stat,
172 loff_t offset) 172 loff_t offset)
173 { 173 {
174 int rc = 0; 174 int rc = 0;
175 char dst[MD5_DIGEST_SIZE]; 175 char dst[MD5_DIGEST_SIZE];
176 char src[ECRYPTFS_MAX_IV_BYTES + 16]; 176 char src[ECRYPTFS_MAX_IV_BYTES + 16];
177 177
178 if (unlikely(ecryptfs_verbosity > 0)) { 178 if (unlikely(ecryptfs_verbosity > 0)) {
179 ecryptfs_printk(KERN_DEBUG, "root iv:\n"); 179 ecryptfs_printk(KERN_DEBUG, "root iv:\n");
180 ecryptfs_dump_hex(crypt_stat->root_iv, crypt_stat->iv_bytes); 180 ecryptfs_dump_hex(crypt_stat->root_iv, crypt_stat->iv_bytes);
181 } 181 }
182 /* TODO: It is probably secure to just cast the least 182 /* TODO: It is probably secure to just cast the least
183 * significant bits of the root IV into an unsigned long and 183 * significant bits of the root IV into an unsigned long and
184 * add the offset to that rather than go through all this 184 * add the offset to that rather than go through all this
185 * hashing business. -Halcrow */ 185 * hashing business. -Halcrow */
186 memcpy(src, crypt_stat->root_iv, crypt_stat->iv_bytes); 186 memcpy(src, crypt_stat->root_iv, crypt_stat->iv_bytes);
187 memset((src + crypt_stat->iv_bytes), 0, 16); 187 memset((src + crypt_stat->iv_bytes), 0, 16);
188 snprintf((src + crypt_stat->iv_bytes), 16, "%lld", offset); 188 snprintf((src + crypt_stat->iv_bytes), 16, "%lld", offset);
189 if (unlikely(ecryptfs_verbosity > 0)) { 189 if (unlikely(ecryptfs_verbosity > 0)) {
190 ecryptfs_printk(KERN_DEBUG, "source:\n"); 190 ecryptfs_printk(KERN_DEBUG, "source:\n");
191 ecryptfs_dump_hex(src, (crypt_stat->iv_bytes + 16)); 191 ecryptfs_dump_hex(src, (crypt_stat->iv_bytes + 16));
192 } 192 }
193 rc = ecryptfs_calculate_md5(dst, crypt_stat, src, 193 rc = ecryptfs_calculate_md5(dst, crypt_stat, src,
194 (crypt_stat->iv_bytes + 16)); 194 (crypt_stat->iv_bytes + 16));
195 if (rc) { 195 if (rc) {
196 ecryptfs_printk(KERN_WARNING, "Error attempting to compute " 196 ecryptfs_printk(KERN_WARNING, "Error attempting to compute "
197 "MD5 while generating IV for a page\n"); 197 "MD5 while generating IV for a page\n");
198 goto out; 198 goto out;
199 } 199 }
200 memcpy(iv, dst, crypt_stat->iv_bytes); 200 memcpy(iv, dst, crypt_stat->iv_bytes);
201 if (unlikely(ecryptfs_verbosity > 0)) { 201 if (unlikely(ecryptfs_verbosity > 0)) {
202 ecryptfs_printk(KERN_DEBUG, "derived iv:\n"); 202 ecryptfs_printk(KERN_DEBUG, "derived iv:\n");
203 ecryptfs_dump_hex(iv, crypt_stat->iv_bytes); 203 ecryptfs_dump_hex(iv, crypt_stat->iv_bytes);
204 } 204 }
205 out: 205 out:
206 return rc; 206 return rc;
207 } 207 }
208 208
209 /** 209 /**
210 * ecryptfs_init_crypt_stat 210 * ecryptfs_init_crypt_stat
211 * @crypt_stat: Pointer to the crypt_stat struct to initialize. 211 * @crypt_stat: Pointer to the crypt_stat struct to initialize.
212 * 212 *
213 * Initialize the crypt_stat structure. 213 * Initialize the crypt_stat structure.
214 */ 214 */
215 void 215 void
216 ecryptfs_init_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat) 216 ecryptfs_init_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat)
217 { 217 {
218 memset((void *)crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat)); 218 memset((void *)crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));
219 INIT_LIST_HEAD(&crypt_stat->keysig_list); 219 INIT_LIST_HEAD(&crypt_stat->keysig_list);
220 mutex_init(&crypt_stat->keysig_list_mutex); 220 mutex_init(&crypt_stat->keysig_list_mutex);
221 mutex_init(&crypt_stat->cs_mutex); 221 mutex_init(&crypt_stat->cs_mutex);
222 mutex_init(&crypt_stat->cs_tfm_mutex); 222 mutex_init(&crypt_stat->cs_tfm_mutex);
223 mutex_init(&crypt_stat->cs_hash_tfm_mutex); 223 mutex_init(&crypt_stat->cs_hash_tfm_mutex);
224 crypt_stat->flags |= ECRYPTFS_STRUCT_INITIALIZED; 224 crypt_stat->flags |= ECRYPTFS_STRUCT_INITIALIZED;
225 } 225 }
226 226
227 /** 227 /**
228 * ecryptfs_destroy_crypt_stat 228 * ecryptfs_destroy_crypt_stat
229 * @crypt_stat: Pointer to the crypt_stat struct to initialize. 229 * @crypt_stat: Pointer to the crypt_stat struct to initialize.
230 * 230 *
231 * Releases all memory associated with a crypt_stat struct. 231 * Releases all memory associated with a crypt_stat struct.
232 */ 232 */
233 void ecryptfs_destroy_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat) 233 void ecryptfs_destroy_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat)
234 { 234 {
235 struct ecryptfs_key_sig *key_sig, *key_sig_tmp; 235 struct ecryptfs_key_sig *key_sig, *key_sig_tmp;
236 236
237 if (crypt_stat->tfm) 237 if (crypt_stat->tfm)
238 crypto_free_ablkcipher(crypt_stat->tfm); 238 crypto_free_ablkcipher(crypt_stat->tfm);
239 if (crypt_stat->hash_tfm) 239 if (crypt_stat->hash_tfm)
240 crypto_free_hash(crypt_stat->hash_tfm); 240 crypto_free_hash(crypt_stat->hash_tfm);
241 list_for_each_entry_safe(key_sig, key_sig_tmp, 241 list_for_each_entry_safe(key_sig, key_sig_tmp,
242 &crypt_stat->keysig_list, crypt_stat_list) { 242 &crypt_stat->keysig_list, crypt_stat_list) {
243 list_del(&key_sig->crypt_stat_list); 243 list_del(&key_sig->crypt_stat_list);
244 kmem_cache_free(ecryptfs_key_sig_cache, key_sig); 244 kmem_cache_free(ecryptfs_key_sig_cache, key_sig);
245 } 245 }
246 memset(crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat)); 246 memset(crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));
247 } 247 }
248 248
249 void ecryptfs_destroy_mount_crypt_stat( 249 void ecryptfs_destroy_mount_crypt_stat(
250 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 250 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
251 { 251 {
252 struct ecryptfs_global_auth_tok *auth_tok, *auth_tok_tmp; 252 struct ecryptfs_global_auth_tok *auth_tok, *auth_tok_tmp;
253 253
254 if (!(mount_crypt_stat->flags & ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED)) 254 if (!(mount_crypt_stat->flags & ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED))
255 return; 255 return;
256 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); 256 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
257 list_for_each_entry_safe(auth_tok, auth_tok_tmp, 257 list_for_each_entry_safe(auth_tok, auth_tok_tmp,
258 &mount_crypt_stat->global_auth_tok_list, 258 &mount_crypt_stat->global_auth_tok_list,
259 mount_crypt_stat_list) { 259 mount_crypt_stat_list) {
260 list_del(&auth_tok->mount_crypt_stat_list); 260 list_del(&auth_tok->mount_crypt_stat_list);
261 if (auth_tok->global_auth_tok_key 261 if (auth_tok->global_auth_tok_key
262 && !(auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID)) 262 && !(auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID))
263 key_put(auth_tok->global_auth_tok_key); 263 key_put(auth_tok->global_auth_tok_key);
264 kmem_cache_free(ecryptfs_global_auth_tok_cache, auth_tok); 264 kmem_cache_free(ecryptfs_global_auth_tok_cache, auth_tok);
265 } 265 }
266 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); 266 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
267 memset(mount_crypt_stat, 0, sizeof(struct ecryptfs_mount_crypt_stat)); 267 memset(mount_crypt_stat, 0, sizeof(struct ecryptfs_mount_crypt_stat));
268 } 268 }
269 269
270 /** 270 /**
271 * virt_to_scatterlist 271 * virt_to_scatterlist
272 * @addr: Virtual address 272 * @addr: Virtual address
273 * @size: Size of data; should be an even multiple of the block size 273 * @size: Size of data; should be an even multiple of the block size
274 * @sg: Pointer to scatterlist array; set to NULL to obtain only 274 * @sg: Pointer to scatterlist array; set to NULL to obtain only
275 * the number of scatterlist structs required in array 275 * the number of scatterlist structs required in array
276 * @sg_size: Max array size 276 * @sg_size: Max array size
277 * 277 *
278 * Fills in a scatterlist array with page references for a passed 278 * Fills in a scatterlist array with page references for a passed
279 * virtual address. 279 * virtual address.
280 * 280 *
281 * Returns the number of scatterlist structs in array used 281 * Returns the number of scatterlist structs in array used
282 */ 282 */
283 int virt_to_scatterlist(const void *addr, int size, struct scatterlist *sg, 283 int virt_to_scatterlist(const void *addr, int size, struct scatterlist *sg,
284 int sg_size) 284 int sg_size)
285 { 285 {
286 int i = 0; 286 int i = 0;
287 struct page *pg; 287 struct page *pg;
288 int offset; 288 int offset;
289 int remainder_of_page; 289 int remainder_of_page;
290 290
291 sg_init_table(sg, sg_size); 291 sg_init_table(sg, sg_size);
292 292
293 while (size > 0 && i < sg_size) { 293 while (size > 0 && i < sg_size) {
294 pg = virt_to_page(addr); 294 pg = virt_to_page(addr);
295 offset = offset_in_page(addr); 295 offset = offset_in_page(addr);
296 sg_set_page(&sg[i], pg, 0, offset); 296 sg_set_page(&sg[i], pg, 0, offset);
297 remainder_of_page = PAGE_CACHE_SIZE - offset; 297 remainder_of_page = PAGE_CACHE_SIZE - offset;
298 if (size >= remainder_of_page) { 298 if (size >= remainder_of_page) {
299 sg[i].length = remainder_of_page; 299 sg[i].length = remainder_of_page;
300 addr += remainder_of_page; 300 addr += remainder_of_page;
301 size -= remainder_of_page; 301 size -= remainder_of_page;
302 } else { 302 } else {
303 sg[i].length = size; 303 sg[i].length = size;
304 addr += size; 304 addr += size;
305 size = 0; 305 size = 0;
306 } 306 }
307 i++; 307 i++;
308 } 308 }
309 if (size > 0) 309 if (size > 0)
310 return -ENOMEM; 310 return -ENOMEM;
311 return i; 311 return i;
312 } 312 }
313 313
314 struct extent_crypt_result { 314 struct extent_crypt_result {
315 struct completion completion; 315 struct completion completion;
316 int rc; 316 int rc;
317 }; 317 };
318 318
319 static void extent_crypt_complete(struct crypto_async_request *req, int rc) 319 static void extent_crypt_complete(struct crypto_async_request *req, int rc)
320 { 320 {
321 struct extent_crypt_result *ecr = req->data; 321 struct extent_crypt_result *ecr = req->data;
322 322
323 if (rc == -EINPROGRESS) 323 if (rc == -EINPROGRESS)
324 return; 324 return;
325 325
326 ecr->rc = rc; 326 ecr->rc = rc;
327 complete(&ecr->completion); 327 complete(&ecr->completion);
328 } 328 }
329 329
330 /** 330 /**
331 * crypt_scatterlist 331 * crypt_scatterlist
332 * @crypt_stat: Pointer to the crypt_stat struct to initialize. 332 * @crypt_stat: Pointer to the crypt_stat struct to initialize.
333 * @dst_sg: Destination of the data after performing the crypto operation 333 * @dst_sg: Destination of the data after performing the crypto operation
334 * @src_sg: Data to be encrypted or decrypted 334 * @src_sg: Data to be encrypted or decrypted
335 * @size: Length of data 335 * @size: Length of data
336 * @iv: IV to use 336 * @iv: IV to use
337 * @op: ENCRYPT or DECRYPT to indicate the desired operation 337 * @op: ENCRYPT or DECRYPT to indicate the desired operation
338 * 338 *
339 * Returns the number of bytes encrypted or decrypted; negative value on error 339 * Returns the number of bytes encrypted or decrypted; negative value on error
340 */ 340 */
341 static int crypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat, 341 static int crypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat,
342 struct scatterlist *dst_sg, 342 struct scatterlist *dst_sg,
343 struct scatterlist *src_sg, int size, 343 struct scatterlist *src_sg, int size,
344 unsigned char *iv, int op) 344 unsigned char *iv, int op)
345 { 345 {
346 struct ablkcipher_request *req = NULL; 346 struct ablkcipher_request *req = NULL;
347 struct extent_crypt_result ecr; 347 struct extent_crypt_result ecr;
348 int rc = 0; 348 int rc = 0;
349 349
350 BUG_ON(!crypt_stat || !crypt_stat->tfm 350 BUG_ON(!crypt_stat || !crypt_stat->tfm
351 || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED)); 351 || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED));
352 if (unlikely(ecryptfs_verbosity > 0)) { 352 if (unlikely(ecryptfs_verbosity > 0)) {
353 ecryptfs_printk(KERN_DEBUG, "Key size [%zd]; key:\n", 353 ecryptfs_printk(KERN_DEBUG, "Key size [%zd]; key:\n",
354 crypt_stat->key_size); 354 crypt_stat->key_size);
355 ecryptfs_dump_hex(crypt_stat->key, 355 ecryptfs_dump_hex(crypt_stat->key,
356 crypt_stat->key_size); 356 crypt_stat->key_size);
357 } 357 }
358 358
359 init_completion(&ecr.completion); 359 init_completion(&ecr.completion);
360 360
361 mutex_lock(&crypt_stat->cs_tfm_mutex); 361 mutex_lock(&crypt_stat->cs_tfm_mutex);
362 req = ablkcipher_request_alloc(crypt_stat->tfm, GFP_NOFS); 362 req = ablkcipher_request_alloc(crypt_stat->tfm, GFP_NOFS);
363 if (!req) { 363 if (!req) {
364 mutex_unlock(&crypt_stat->cs_tfm_mutex); 364 mutex_unlock(&crypt_stat->cs_tfm_mutex);
365 rc = -ENOMEM; 365 rc = -ENOMEM;
366 goto out; 366 goto out;
367 } 367 }
368 368
369 ablkcipher_request_set_callback(req, 369 ablkcipher_request_set_callback(req,
370 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, 370 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
371 extent_crypt_complete, &ecr); 371 extent_crypt_complete, &ecr);
372 /* Consider doing this once, when the file is opened */ 372 /* Consider doing this once, when the file is opened */
373 if (!(crypt_stat->flags & ECRYPTFS_KEY_SET)) { 373 if (!(crypt_stat->flags & ECRYPTFS_KEY_SET)) {
374 rc = crypto_ablkcipher_setkey(crypt_stat->tfm, crypt_stat->key, 374 rc = crypto_ablkcipher_setkey(crypt_stat->tfm, crypt_stat->key,
375 crypt_stat->key_size); 375 crypt_stat->key_size);
376 if (rc) { 376 if (rc) {
377 ecryptfs_printk(KERN_ERR, 377 ecryptfs_printk(KERN_ERR,
378 "Error setting key; rc = [%d]\n", 378 "Error setting key; rc = [%d]\n",
379 rc); 379 rc);
380 mutex_unlock(&crypt_stat->cs_tfm_mutex); 380 mutex_unlock(&crypt_stat->cs_tfm_mutex);
381 rc = -EINVAL; 381 rc = -EINVAL;
382 goto out; 382 goto out;
383 } 383 }
384 crypt_stat->flags |= ECRYPTFS_KEY_SET; 384 crypt_stat->flags |= ECRYPTFS_KEY_SET;
385 } 385 }
386 mutex_unlock(&crypt_stat->cs_tfm_mutex); 386 mutex_unlock(&crypt_stat->cs_tfm_mutex);
387 ablkcipher_request_set_crypt(req, src_sg, dst_sg, size, iv); 387 ablkcipher_request_set_crypt(req, src_sg, dst_sg, size, iv);
388 rc = op == ENCRYPT ? crypto_ablkcipher_encrypt(req) : 388 rc = op == ENCRYPT ? crypto_ablkcipher_encrypt(req) :
389 crypto_ablkcipher_decrypt(req); 389 crypto_ablkcipher_decrypt(req);
390 if (rc == -EINPROGRESS || rc == -EBUSY) { 390 if (rc == -EINPROGRESS || rc == -EBUSY) {
391 struct extent_crypt_result *ecr = req->base.data; 391 struct extent_crypt_result *ecr = req->base.data;
392 392
393 wait_for_completion(&ecr->completion); 393 wait_for_completion(&ecr->completion);
394 rc = ecr->rc; 394 rc = ecr->rc;
395 reinit_completion(&ecr->completion); 395 reinit_completion(&ecr->completion);
396 } 396 }
397 out: 397 out:
398 ablkcipher_request_free(req); 398 ablkcipher_request_free(req);
399 return rc; 399 return rc;
400 } 400 }
401 401
402 /** 402 /**
403 * lower_offset_for_page 403 * lower_offset_for_page
404 * 404 *
405 * Convert an eCryptfs page index into a lower byte offset 405 * Convert an eCryptfs page index into a lower byte offset
406 */ 406 */
407 static loff_t lower_offset_for_page(struct ecryptfs_crypt_stat *crypt_stat, 407 static loff_t lower_offset_for_page(struct ecryptfs_crypt_stat *crypt_stat,
408 struct page *page) 408 struct page *page)
409 { 409 {
410 return ecryptfs_lower_header_size(crypt_stat) + 410 return ecryptfs_lower_header_size(crypt_stat) +
411 ((loff_t)page->index << PAGE_CACHE_SHIFT); 411 ((loff_t)page->index << PAGE_CACHE_SHIFT);
412 } 412 }
413 413
414 /** 414 /**
415 * crypt_extent 415 * crypt_extent
416 * @crypt_stat: crypt_stat containing cryptographic context for the 416 * @crypt_stat: crypt_stat containing cryptographic context for the
417 * encryption operation 417 * encryption operation
418 * @dst_page: The page to write the result into 418 * @dst_page: The page to write the result into
419 * @src_page: The page to read from 419 * @src_page: The page to read from
420 * @extent_offset: Page extent offset for use in generating IV 420 * @extent_offset: Page extent offset for use in generating IV
421 * @op: ENCRYPT or DECRYPT to indicate the desired operation 421 * @op: ENCRYPT or DECRYPT to indicate the desired operation
422 * 422 *
423 * Encrypts or decrypts one extent of data. 423 * Encrypts or decrypts one extent of data.
424 * 424 *
425 * Return zero on success; non-zero otherwise 425 * Return zero on success; non-zero otherwise
426 */ 426 */
427 static int crypt_extent(struct ecryptfs_crypt_stat *crypt_stat, 427 static int crypt_extent(struct ecryptfs_crypt_stat *crypt_stat,
428 struct page *dst_page, 428 struct page *dst_page,
429 struct page *src_page, 429 struct page *src_page,
430 unsigned long extent_offset, int op) 430 unsigned long extent_offset, int op)
431 { 431 {
432 pgoff_t page_index = op == ENCRYPT ? src_page->index : dst_page->index; 432 pgoff_t page_index = op == ENCRYPT ? src_page->index : dst_page->index;
433 loff_t extent_base; 433 loff_t extent_base;
434 char extent_iv[ECRYPTFS_MAX_IV_BYTES]; 434 char extent_iv[ECRYPTFS_MAX_IV_BYTES];
435 struct scatterlist src_sg, dst_sg; 435 struct scatterlist src_sg, dst_sg;
436 size_t extent_size = crypt_stat->extent_size; 436 size_t extent_size = crypt_stat->extent_size;
437 int rc; 437 int rc;
438 438
439 extent_base = (((loff_t)page_index) * (PAGE_CACHE_SIZE / extent_size)); 439 extent_base = (((loff_t)page_index) * (PAGE_CACHE_SIZE / extent_size));
440 rc = ecryptfs_derive_iv(extent_iv, crypt_stat, 440 rc = ecryptfs_derive_iv(extent_iv, crypt_stat,
441 (extent_base + extent_offset)); 441 (extent_base + extent_offset));
442 if (rc) { 442 if (rc) {
443 ecryptfs_printk(KERN_ERR, "Error attempting to derive IV for " 443 ecryptfs_printk(KERN_ERR, "Error attempting to derive IV for "
444 "extent [0x%.16llx]; rc = [%d]\n", 444 "extent [0x%.16llx]; rc = [%d]\n",
445 (unsigned long long)(extent_base + extent_offset), rc); 445 (unsigned long long)(extent_base + extent_offset), rc);
446 goto out; 446 goto out;
447 } 447 }
448 448
449 sg_init_table(&src_sg, 1); 449 sg_init_table(&src_sg, 1);
450 sg_init_table(&dst_sg, 1); 450 sg_init_table(&dst_sg, 1);
451 451
452 sg_set_page(&src_sg, src_page, extent_size, 452 sg_set_page(&src_sg, src_page, extent_size,
453 extent_offset * extent_size); 453 extent_offset * extent_size);
454 sg_set_page(&dst_sg, dst_page, extent_size, 454 sg_set_page(&dst_sg, dst_page, extent_size,
455 extent_offset * extent_size); 455 extent_offset * extent_size);
456 456
457 rc = crypt_scatterlist(crypt_stat, &dst_sg, &src_sg, extent_size, 457 rc = crypt_scatterlist(crypt_stat, &dst_sg, &src_sg, extent_size,
458 extent_iv, op); 458 extent_iv, op);
459 if (rc < 0) { 459 if (rc < 0) {
460 printk(KERN_ERR "%s: Error attempting to crypt page with " 460 printk(KERN_ERR "%s: Error attempting to crypt page with "
461 "page_index = [%ld], extent_offset = [%ld]; " 461 "page_index = [%ld], extent_offset = [%ld]; "
462 "rc = [%d]\n", __func__, page_index, extent_offset, rc); 462 "rc = [%d]\n", __func__, page_index, extent_offset, rc);
463 goto out; 463 goto out;
464 } 464 }
465 rc = 0; 465 rc = 0;
466 out: 466 out:
467 return rc; 467 return rc;
468 } 468 }
469 469
470 /** 470 /**
471 * ecryptfs_encrypt_page 471 * ecryptfs_encrypt_page
472 * @page: Page mapped from the eCryptfs inode for the file; contains 472 * @page: Page mapped from the eCryptfs inode for the file; contains
473 * decrypted content that needs to be encrypted (to a temporary 473 * decrypted content that needs to be encrypted (to a temporary
474 * page; not in place) and written out to the lower file 474 * page; not in place) and written out to the lower file
475 * 475 *
476 * Encrypt an eCryptfs page. This is done on a per-extent basis. Note 476 * Encrypt an eCryptfs page. This is done on a per-extent basis. Note
477 * that eCryptfs pages may straddle the lower pages -- for instance, 477 * that eCryptfs pages may straddle the lower pages -- for instance,
478 * if the file was created on a machine with an 8K page size 478 * if the file was created on a machine with an 8K page size
479 * (resulting in an 8K header), and then the file is copied onto a 479 * (resulting in an 8K header), and then the file is copied onto a
480 * host with a 32K page size, then when reading page 0 of the eCryptfs 480 * host with a 32K page size, then when reading page 0 of the eCryptfs
481 * file, 24K of page 0 of the lower file will be read and decrypted, 481 * file, 24K of page 0 of the lower file will be read and decrypted,
482 * and then 8K of page 1 of the lower file will be read and decrypted. 482 * and then 8K of page 1 of the lower file will be read and decrypted.
483 * 483 *
484 * Returns zero on success; negative on error 484 * Returns zero on success; negative on error
485 */ 485 */
486 int ecryptfs_encrypt_page(struct page *page) 486 int ecryptfs_encrypt_page(struct page *page)
487 { 487 {
488 struct inode *ecryptfs_inode; 488 struct inode *ecryptfs_inode;
489 struct ecryptfs_crypt_stat *crypt_stat; 489 struct ecryptfs_crypt_stat *crypt_stat;
490 char *enc_extent_virt; 490 char *enc_extent_virt;
491 struct page *enc_extent_page = NULL; 491 struct page *enc_extent_page = NULL;
492 loff_t extent_offset; 492 loff_t extent_offset;
493 loff_t lower_offset; 493 loff_t lower_offset;
494 int rc = 0; 494 int rc = 0;
495 495
496 ecryptfs_inode = page->mapping->host; 496 ecryptfs_inode = page->mapping->host;
497 crypt_stat = 497 crypt_stat =
498 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat); 498 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
499 BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)); 499 BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED));
500 enc_extent_page = alloc_page(GFP_USER); 500 enc_extent_page = alloc_page(GFP_USER);
501 if (!enc_extent_page) { 501 if (!enc_extent_page) {
502 rc = -ENOMEM; 502 rc = -ENOMEM;
503 ecryptfs_printk(KERN_ERR, "Error allocating memory for " 503 ecryptfs_printk(KERN_ERR, "Error allocating memory for "
504 "encrypted extent\n"); 504 "encrypted extent\n");
505 goto out; 505 goto out;
506 } 506 }
507 507
508 for (extent_offset = 0; 508 for (extent_offset = 0;
509 extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size); 509 extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size);
510 extent_offset++) { 510 extent_offset++) {
511 rc = crypt_extent(crypt_stat, enc_extent_page, page, 511 rc = crypt_extent(crypt_stat, enc_extent_page, page,
512 extent_offset, ENCRYPT); 512 extent_offset, ENCRYPT);
513 if (rc) { 513 if (rc) {
514 printk(KERN_ERR "%s: Error encrypting extent; " 514 printk(KERN_ERR "%s: Error encrypting extent; "
515 "rc = [%d]\n", __func__, rc); 515 "rc = [%d]\n", __func__, rc);
516 goto out; 516 goto out;
517 } 517 }
518 } 518 }
519 519
520 lower_offset = lower_offset_for_page(crypt_stat, page); 520 lower_offset = lower_offset_for_page(crypt_stat, page);
521 enc_extent_virt = kmap(enc_extent_page); 521 enc_extent_virt = kmap(enc_extent_page);
522 rc = ecryptfs_write_lower(ecryptfs_inode, enc_extent_virt, lower_offset, 522 rc = ecryptfs_write_lower(ecryptfs_inode, enc_extent_virt, lower_offset,
523 PAGE_CACHE_SIZE); 523 PAGE_CACHE_SIZE);
524 kunmap(enc_extent_page); 524 kunmap(enc_extent_page);
525 if (rc < 0) { 525 if (rc < 0) {
526 ecryptfs_printk(KERN_ERR, 526 ecryptfs_printk(KERN_ERR,
527 "Error attempting to write lower page; rc = [%d]\n", 527 "Error attempting to write lower page; rc = [%d]\n",
528 rc); 528 rc);
529 goto out; 529 goto out;
530 } 530 }
531 rc = 0; 531 rc = 0;
532 out: 532 out:
533 if (enc_extent_page) { 533 if (enc_extent_page) {
534 __free_page(enc_extent_page); 534 __free_page(enc_extent_page);
535 } 535 }
536 return rc; 536 return rc;
537 } 537 }
538 538
539 /** 539 /**
540 * ecryptfs_decrypt_page 540 * ecryptfs_decrypt_page
541 * @page: Page mapped from the eCryptfs inode for the file; data read 541 * @page: Page mapped from the eCryptfs inode for the file; data read
542 * and decrypted from the lower file will be written into this 542 * and decrypted from the lower file will be written into this
543 * page 543 * page
544 * 544 *
545 * Decrypt an eCryptfs page. This is done on a per-extent basis. Note 545 * Decrypt an eCryptfs page. This is done on a per-extent basis. Note
546 * that eCryptfs pages may straddle the lower pages -- for instance, 546 * that eCryptfs pages may straddle the lower pages -- for instance,
547 * if the file was created on a machine with an 8K page size 547 * if the file was created on a machine with an 8K page size
548 * (resulting in an 8K header), and then the file is copied onto a 548 * (resulting in an 8K header), and then the file is copied onto a
549 * host with a 32K page size, then when reading page 0 of the eCryptfs 549 * host with a 32K page size, then when reading page 0 of the eCryptfs
550 * file, 24K of page 0 of the lower file will be read and decrypted, 550 * file, 24K of page 0 of the lower file will be read and decrypted,
551 * and then 8K of page 1 of the lower file will be read and decrypted. 551 * and then 8K of page 1 of the lower file will be read and decrypted.
552 * 552 *
553 * Returns zero on success; negative on error 553 * Returns zero on success; negative on error
554 */ 554 */
555 int ecryptfs_decrypt_page(struct page *page) 555 int ecryptfs_decrypt_page(struct page *page)
556 { 556 {
557 struct inode *ecryptfs_inode; 557 struct inode *ecryptfs_inode;
558 struct ecryptfs_crypt_stat *crypt_stat; 558 struct ecryptfs_crypt_stat *crypt_stat;
559 char *page_virt; 559 char *page_virt;
560 unsigned long extent_offset; 560 unsigned long extent_offset;
561 loff_t lower_offset; 561 loff_t lower_offset;
562 int rc = 0; 562 int rc = 0;
563 563
564 ecryptfs_inode = page->mapping->host; 564 ecryptfs_inode = page->mapping->host;
565 crypt_stat = 565 crypt_stat =
566 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat); 566 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
567 BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)); 567 BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED));
568 568
569 lower_offset = lower_offset_for_page(crypt_stat, page); 569 lower_offset = lower_offset_for_page(crypt_stat, page);
570 page_virt = kmap(page); 570 page_virt = kmap(page);
571 rc = ecryptfs_read_lower(page_virt, lower_offset, PAGE_CACHE_SIZE, 571 rc = ecryptfs_read_lower(page_virt, lower_offset, PAGE_CACHE_SIZE,
572 ecryptfs_inode); 572 ecryptfs_inode);
573 kunmap(page); 573 kunmap(page);
574 if (rc < 0) { 574 if (rc < 0) {
575 ecryptfs_printk(KERN_ERR, 575 ecryptfs_printk(KERN_ERR,
576 "Error attempting to read lower page; rc = [%d]\n", 576 "Error attempting to read lower page; rc = [%d]\n",
577 rc); 577 rc);
578 goto out; 578 goto out;
579 } 579 }
580 580
581 for (extent_offset = 0; 581 for (extent_offset = 0;
582 extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size); 582 extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size);
583 extent_offset++) { 583 extent_offset++) {
584 rc = crypt_extent(crypt_stat, page, page, 584 rc = crypt_extent(crypt_stat, page, page,
585 extent_offset, DECRYPT); 585 extent_offset, DECRYPT);
586 if (rc) { 586 if (rc) {
587 printk(KERN_ERR "%s: Error encrypting extent; " 587 printk(KERN_ERR "%s: Error encrypting extent; "
588 "rc = [%d]\n", __func__, rc); 588 "rc = [%d]\n", __func__, rc);
589 goto out; 589 goto out;
590 } 590 }
591 } 591 }
592 out: 592 out:
593 return rc; 593 return rc;
594 } 594 }
595 595
596 #define ECRYPTFS_MAX_SCATTERLIST_LEN 4 596 #define ECRYPTFS_MAX_SCATTERLIST_LEN 4
597 597
598 /** 598 /**
599 * ecryptfs_init_crypt_ctx 599 * ecryptfs_init_crypt_ctx
600 * @crypt_stat: Uninitialized crypt stats structure 600 * @crypt_stat: Uninitialized crypt stats structure
601 * 601 *
602 * Initialize the crypto context. 602 * Initialize the crypto context.
603 * 603 *
604 * TODO: Performance: Keep a cache of initialized cipher contexts; 604 * TODO: Performance: Keep a cache of initialized cipher contexts;
605 * only init if needed 605 * only init if needed
606 */ 606 */
607 int ecryptfs_init_crypt_ctx(struct ecryptfs_crypt_stat *crypt_stat) 607 int ecryptfs_init_crypt_ctx(struct ecryptfs_crypt_stat *crypt_stat)
608 { 608 {
609 char *full_alg_name; 609 char *full_alg_name;
610 int rc = -EINVAL; 610 int rc = -EINVAL;
611 611
612 ecryptfs_printk(KERN_DEBUG, 612 ecryptfs_printk(KERN_DEBUG,
613 "Initializing cipher [%s]; strlen = [%d]; " 613 "Initializing cipher [%s]; strlen = [%d]; "
614 "key_size_bits = [%zd]\n", 614 "key_size_bits = [%zd]\n",
615 crypt_stat->cipher, (int)strlen(crypt_stat->cipher), 615 crypt_stat->cipher, (int)strlen(crypt_stat->cipher),
616 crypt_stat->key_size << 3); 616 crypt_stat->key_size << 3);
617 mutex_lock(&crypt_stat->cs_tfm_mutex); 617 mutex_lock(&crypt_stat->cs_tfm_mutex);
618 if (crypt_stat->tfm) { 618 if (crypt_stat->tfm) {
619 rc = 0; 619 rc = 0;
620 goto out_unlock; 620 goto out_unlock;
621 } 621 }
622 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, 622 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name,
623 crypt_stat->cipher, "cbc"); 623 crypt_stat->cipher, "cbc");
624 if (rc) 624 if (rc)
625 goto out_unlock; 625 goto out_unlock;
626 crypt_stat->tfm = crypto_alloc_ablkcipher(full_alg_name, 0, 0); 626 crypt_stat->tfm = crypto_alloc_ablkcipher(full_alg_name, 0, 0);
627 if (IS_ERR(crypt_stat->tfm)) { 627 if (IS_ERR(crypt_stat->tfm)) {
628 rc = PTR_ERR(crypt_stat->tfm); 628 rc = PTR_ERR(crypt_stat->tfm);
629 crypt_stat->tfm = NULL; 629 crypt_stat->tfm = NULL;
630 ecryptfs_printk(KERN_ERR, "cryptfs: init_crypt_ctx(): " 630 ecryptfs_printk(KERN_ERR, "cryptfs: init_crypt_ctx(): "
631 "Error initializing cipher [%s]\n", 631 "Error initializing cipher [%s]\n",
632 full_alg_name); 632 full_alg_name);
633 goto out_free; 633 goto out_free;
634 } 634 }
635 crypto_ablkcipher_set_flags(crypt_stat->tfm, CRYPTO_TFM_REQ_WEAK_KEY); 635 crypto_ablkcipher_set_flags(crypt_stat->tfm, CRYPTO_TFM_REQ_WEAK_KEY);
636 rc = 0; 636 rc = 0;
637 out_free: 637 out_free:
638 kfree(full_alg_name); 638 kfree(full_alg_name);
639 out_unlock: 639 out_unlock:
640 mutex_unlock(&crypt_stat->cs_tfm_mutex); 640 mutex_unlock(&crypt_stat->cs_tfm_mutex);
641 return rc; 641 return rc;
642 } 642 }
643 643
644 static void set_extent_mask_and_shift(struct ecryptfs_crypt_stat *crypt_stat) 644 static void set_extent_mask_and_shift(struct ecryptfs_crypt_stat *crypt_stat)
645 { 645 {
646 int extent_size_tmp; 646 int extent_size_tmp;
647 647
648 crypt_stat->extent_mask = 0xFFFFFFFF; 648 crypt_stat->extent_mask = 0xFFFFFFFF;
649 crypt_stat->extent_shift = 0; 649 crypt_stat->extent_shift = 0;
650 if (crypt_stat->extent_size == 0) 650 if (crypt_stat->extent_size == 0)
651 return; 651 return;
652 extent_size_tmp = crypt_stat->extent_size; 652 extent_size_tmp = crypt_stat->extent_size;
653 while ((extent_size_tmp & 0x01) == 0) { 653 while ((extent_size_tmp & 0x01) == 0) {
654 extent_size_tmp >>= 1; 654 extent_size_tmp >>= 1;
655 crypt_stat->extent_mask <<= 1; 655 crypt_stat->extent_mask <<= 1;
656 crypt_stat->extent_shift++; 656 crypt_stat->extent_shift++;
657 } 657 }
658 } 658 }
659 659
660 void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat) 660 void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat)
661 { 661 {
662 /* Default values; may be overwritten as we are parsing the 662 /* Default values; may be overwritten as we are parsing the
663 * packets. */ 663 * packets. */
664 crypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE; 664 crypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE;
665 set_extent_mask_and_shift(crypt_stat); 665 set_extent_mask_and_shift(crypt_stat);
666 crypt_stat->iv_bytes = ECRYPTFS_DEFAULT_IV_BYTES; 666 crypt_stat->iv_bytes = ECRYPTFS_DEFAULT_IV_BYTES;
667 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR) 667 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
668 crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE; 668 crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
669 else { 669 else {
670 if (PAGE_CACHE_SIZE <= ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE) 670 if (PAGE_CACHE_SIZE <= ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)
671 crypt_stat->metadata_size = 671 crypt_stat->metadata_size =
672 ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE; 672 ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
673 else 673 else
674 crypt_stat->metadata_size = PAGE_CACHE_SIZE; 674 crypt_stat->metadata_size = PAGE_CACHE_SIZE;
675 } 675 }
676 } 676 }
677 677
678 /** 678 /**
679 * ecryptfs_compute_root_iv 679 * ecryptfs_compute_root_iv
680 * @crypt_stats 680 * @crypt_stats
681 * 681 *
682 * On error, sets the root IV to all 0's. 682 * On error, sets the root IV to all 0's.
683 */ 683 */
684 int ecryptfs_compute_root_iv(struct ecryptfs_crypt_stat *crypt_stat) 684 int ecryptfs_compute_root_iv(struct ecryptfs_crypt_stat *crypt_stat)
685 { 685 {
686 int rc = 0; 686 int rc = 0;
687 char dst[MD5_DIGEST_SIZE]; 687 char dst[MD5_DIGEST_SIZE];
688 688
689 BUG_ON(crypt_stat->iv_bytes > MD5_DIGEST_SIZE); 689 BUG_ON(crypt_stat->iv_bytes > MD5_DIGEST_SIZE);
690 BUG_ON(crypt_stat->iv_bytes <= 0); 690 BUG_ON(crypt_stat->iv_bytes <= 0);
691 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) { 691 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {
692 rc = -EINVAL; 692 rc = -EINVAL;
693 ecryptfs_printk(KERN_WARNING, "Session key not valid; " 693 ecryptfs_printk(KERN_WARNING, "Session key not valid; "
694 "cannot generate root IV\n"); 694 "cannot generate root IV\n");
695 goto out; 695 goto out;
696 } 696 }
697 rc = ecryptfs_calculate_md5(dst, crypt_stat, crypt_stat->key, 697 rc = ecryptfs_calculate_md5(dst, crypt_stat, crypt_stat->key,
698 crypt_stat->key_size); 698 crypt_stat->key_size);
699 if (rc) { 699 if (rc) {
700 ecryptfs_printk(KERN_WARNING, "Error attempting to compute " 700 ecryptfs_printk(KERN_WARNING, "Error attempting to compute "
701 "MD5 while generating root IV\n"); 701 "MD5 while generating root IV\n");
702 goto out; 702 goto out;
703 } 703 }
704 memcpy(crypt_stat->root_iv, dst, crypt_stat->iv_bytes); 704 memcpy(crypt_stat->root_iv, dst, crypt_stat->iv_bytes);
705 out: 705 out:
706 if (rc) { 706 if (rc) {
707 memset(crypt_stat->root_iv, 0, crypt_stat->iv_bytes); 707 memset(crypt_stat->root_iv, 0, crypt_stat->iv_bytes);
708 crypt_stat->flags |= ECRYPTFS_SECURITY_WARNING; 708 crypt_stat->flags |= ECRYPTFS_SECURITY_WARNING;
709 } 709 }
710 return rc; 710 return rc;
711 } 711 }
712 712
713 static void ecryptfs_generate_new_key(struct ecryptfs_crypt_stat *crypt_stat) 713 static void ecryptfs_generate_new_key(struct ecryptfs_crypt_stat *crypt_stat)
714 { 714 {
715 get_random_bytes(crypt_stat->key, crypt_stat->key_size); 715 get_random_bytes(crypt_stat->key, crypt_stat->key_size);
716 crypt_stat->flags |= ECRYPTFS_KEY_VALID; 716 crypt_stat->flags |= ECRYPTFS_KEY_VALID;
717 ecryptfs_compute_root_iv(crypt_stat); 717 ecryptfs_compute_root_iv(crypt_stat);
718 if (unlikely(ecryptfs_verbosity > 0)) { 718 if (unlikely(ecryptfs_verbosity > 0)) {
719 ecryptfs_printk(KERN_DEBUG, "Generated new session key:\n"); 719 ecryptfs_printk(KERN_DEBUG, "Generated new session key:\n");
720 ecryptfs_dump_hex(crypt_stat->key, 720 ecryptfs_dump_hex(crypt_stat->key,
721 crypt_stat->key_size); 721 crypt_stat->key_size);
722 } 722 }
723 } 723 }
724 724
725 /** 725 /**
726 * ecryptfs_copy_mount_wide_flags_to_inode_flags 726 * ecryptfs_copy_mount_wide_flags_to_inode_flags
727 * @crypt_stat: The inode's cryptographic context 727 * @crypt_stat: The inode's cryptographic context
728 * @mount_crypt_stat: The mount point's cryptographic context 728 * @mount_crypt_stat: The mount point's cryptographic context
729 * 729 *
730 * This function propagates the mount-wide flags to individual inode 730 * This function propagates the mount-wide flags to individual inode
731 * flags. 731 * flags.
732 */ 732 */
733 static void ecryptfs_copy_mount_wide_flags_to_inode_flags( 733 static void ecryptfs_copy_mount_wide_flags_to_inode_flags(
734 struct ecryptfs_crypt_stat *crypt_stat, 734 struct ecryptfs_crypt_stat *crypt_stat,
735 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 735 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
736 { 736 {
737 if (mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED) 737 if (mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED)
738 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR; 738 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
739 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) 739 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
740 crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED; 740 crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED;
741 if (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) { 741 if (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) {
742 crypt_stat->flags |= ECRYPTFS_ENCRYPT_FILENAMES; 742 crypt_stat->flags |= ECRYPTFS_ENCRYPT_FILENAMES;
743 if (mount_crypt_stat->flags 743 if (mount_crypt_stat->flags
744 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK) 744 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)
745 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_MOUNT_FNEK; 745 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_MOUNT_FNEK;
746 else if (mount_crypt_stat->flags 746 else if (mount_crypt_stat->flags
747 & ECRYPTFS_GLOBAL_ENCFN_USE_FEK) 747 & ECRYPTFS_GLOBAL_ENCFN_USE_FEK)
748 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_FEK; 748 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_FEK;
749 } 749 }
750 } 750 }
751 751
752 static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs( 752 static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs(
753 struct ecryptfs_crypt_stat *crypt_stat, 753 struct ecryptfs_crypt_stat *crypt_stat,
754 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 754 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
755 { 755 {
756 struct ecryptfs_global_auth_tok *global_auth_tok; 756 struct ecryptfs_global_auth_tok *global_auth_tok;
757 int rc = 0; 757 int rc = 0;
758 758
759 mutex_lock(&crypt_stat->keysig_list_mutex); 759 mutex_lock(&crypt_stat->keysig_list_mutex);
760 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); 760 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
761 761
762 list_for_each_entry(global_auth_tok, 762 list_for_each_entry(global_auth_tok,
763 &mount_crypt_stat->global_auth_tok_list, 763 &mount_crypt_stat->global_auth_tok_list,
764 mount_crypt_stat_list) { 764 mount_crypt_stat_list) {
765 if (global_auth_tok->flags & ECRYPTFS_AUTH_TOK_FNEK) 765 if (global_auth_tok->flags & ECRYPTFS_AUTH_TOK_FNEK)
766 continue; 766 continue;
767 rc = ecryptfs_add_keysig(crypt_stat, global_auth_tok->sig); 767 rc = ecryptfs_add_keysig(crypt_stat, global_auth_tok->sig);
768 if (rc) { 768 if (rc) {
769 printk(KERN_ERR "Error adding keysig; rc = [%d]\n", rc); 769 printk(KERN_ERR "Error adding keysig; rc = [%d]\n", rc);
770 goto out; 770 goto out;
771 } 771 }
772 } 772 }
773 773
774 out: 774 out:
775 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); 775 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
776 mutex_unlock(&crypt_stat->keysig_list_mutex); 776 mutex_unlock(&crypt_stat->keysig_list_mutex);
777 return rc; 777 return rc;
778 } 778 }
779 779
780 /** 780 /**
781 * ecryptfs_set_default_crypt_stat_vals 781 * ecryptfs_set_default_crypt_stat_vals
782 * @crypt_stat: The inode's cryptographic context 782 * @crypt_stat: The inode's cryptographic context
783 * @mount_crypt_stat: The mount point's cryptographic context 783 * @mount_crypt_stat: The mount point's cryptographic context
784 * 784 *
785 * Default values in the event that policy does not override them. 785 * Default values in the event that policy does not override them.
786 */ 786 */
787 static void ecryptfs_set_default_crypt_stat_vals( 787 static void ecryptfs_set_default_crypt_stat_vals(
788 struct ecryptfs_crypt_stat *crypt_stat, 788 struct ecryptfs_crypt_stat *crypt_stat,
789 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 789 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
790 { 790 {
791 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, 791 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
792 mount_crypt_stat); 792 mount_crypt_stat);
793 ecryptfs_set_default_sizes(crypt_stat); 793 ecryptfs_set_default_sizes(crypt_stat);
794 strcpy(crypt_stat->cipher, ECRYPTFS_DEFAULT_CIPHER); 794 strcpy(crypt_stat->cipher, ECRYPTFS_DEFAULT_CIPHER);
795 crypt_stat->key_size = ECRYPTFS_DEFAULT_KEY_BYTES; 795 crypt_stat->key_size = ECRYPTFS_DEFAULT_KEY_BYTES;
796 crypt_stat->flags &= ~(ECRYPTFS_KEY_VALID); 796 crypt_stat->flags &= ~(ECRYPTFS_KEY_VALID);
797 crypt_stat->file_version = ECRYPTFS_FILE_VERSION; 797 crypt_stat->file_version = ECRYPTFS_FILE_VERSION;
798 crypt_stat->mount_crypt_stat = mount_crypt_stat; 798 crypt_stat->mount_crypt_stat = mount_crypt_stat;
799 } 799 }
800 800
801 /** 801 /**
802 * ecryptfs_new_file_context 802 * ecryptfs_new_file_context
803 * @ecryptfs_inode: The eCryptfs inode 803 * @ecryptfs_inode: The eCryptfs inode
804 * 804 *
805 * If the crypto context for the file has not yet been established, 805 * If the crypto context for the file has not yet been established,
806 * this is where we do that. Establishing a new crypto context 806 * this is where we do that. Establishing a new crypto context
807 * involves the following decisions: 807 * involves the following decisions:
808 * - What cipher to use? 808 * - What cipher to use?
809 * - What set of authentication tokens to use? 809 * - What set of authentication tokens to use?
810 * Here we just worry about getting enough information into the 810 * Here we just worry about getting enough information into the
811 * authentication tokens so that we know that they are available. 811 * authentication tokens so that we know that they are available.
812 * We associate the available authentication tokens with the new file 812 * We associate the available authentication tokens with the new file
813 * via the set of signatures in the crypt_stat struct. Later, when 813 * via the set of signatures in the crypt_stat struct. Later, when
814 * the headers are actually written out, we may again defer to 814 * the headers are actually written out, we may again defer to
815 * userspace to perform the encryption of the session key; for the 815 * userspace to perform the encryption of the session key; for the
816 * foreseeable future, this will be the case with public key packets. 816 * foreseeable future, this will be the case with public key packets.
817 * 817 *
818 * Returns zero on success; non-zero otherwise 818 * Returns zero on success; non-zero otherwise
819 */ 819 */
820 int ecryptfs_new_file_context(struct inode *ecryptfs_inode) 820 int ecryptfs_new_file_context(struct inode *ecryptfs_inode)
821 { 821 {
822 struct ecryptfs_crypt_stat *crypt_stat = 822 struct ecryptfs_crypt_stat *crypt_stat =
823 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat; 823 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
824 struct ecryptfs_mount_crypt_stat *mount_crypt_stat = 824 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
825 &ecryptfs_superblock_to_private( 825 &ecryptfs_superblock_to_private(
826 ecryptfs_inode->i_sb)->mount_crypt_stat; 826 ecryptfs_inode->i_sb)->mount_crypt_stat;
827 int cipher_name_len; 827 int cipher_name_len;
828 int rc = 0; 828 int rc = 0;
829 829
830 ecryptfs_set_default_crypt_stat_vals(crypt_stat, mount_crypt_stat); 830 ecryptfs_set_default_crypt_stat_vals(crypt_stat, mount_crypt_stat);
831 crypt_stat->flags |= (ECRYPTFS_ENCRYPTED | ECRYPTFS_KEY_VALID); 831 crypt_stat->flags |= (ECRYPTFS_ENCRYPTED | ECRYPTFS_KEY_VALID);
832 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, 832 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
833 mount_crypt_stat); 833 mount_crypt_stat);
834 rc = ecryptfs_copy_mount_wide_sigs_to_inode_sigs(crypt_stat, 834 rc = ecryptfs_copy_mount_wide_sigs_to_inode_sigs(crypt_stat,
835 mount_crypt_stat); 835 mount_crypt_stat);
836 if (rc) { 836 if (rc) {
837 printk(KERN_ERR "Error attempting to copy mount-wide key sigs " 837 printk(KERN_ERR "Error attempting to copy mount-wide key sigs "
838 "to the inode key sigs; rc = [%d]\n", rc); 838 "to the inode key sigs; rc = [%d]\n", rc);
839 goto out; 839 goto out;
840 } 840 }
841 cipher_name_len = 841 cipher_name_len =
842 strlen(mount_crypt_stat->global_default_cipher_name); 842 strlen(mount_crypt_stat->global_default_cipher_name);
843 memcpy(crypt_stat->cipher, 843 memcpy(crypt_stat->cipher,
844 mount_crypt_stat->global_default_cipher_name, 844 mount_crypt_stat->global_default_cipher_name,
845 cipher_name_len); 845 cipher_name_len);
846 crypt_stat->cipher[cipher_name_len] = '\0'; 846 crypt_stat->cipher[cipher_name_len] = '\0';
847 crypt_stat->key_size = 847 crypt_stat->key_size =
848 mount_crypt_stat->global_default_cipher_key_size; 848 mount_crypt_stat->global_default_cipher_key_size;
849 ecryptfs_generate_new_key(crypt_stat); 849 ecryptfs_generate_new_key(crypt_stat);
850 rc = ecryptfs_init_crypt_ctx(crypt_stat); 850 rc = ecryptfs_init_crypt_ctx(crypt_stat);
851 if (rc) 851 if (rc)
852 ecryptfs_printk(KERN_ERR, "Error initializing cryptographic " 852 ecryptfs_printk(KERN_ERR, "Error initializing cryptographic "
853 "context for cipher [%s]: rc = [%d]\n", 853 "context for cipher [%s]: rc = [%d]\n",
854 crypt_stat->cipher, rc); 854 crypt_stat->cipher, rc);
855 out: 855 out:
856 return rc; 856 return rc;
857 } 857 }
858 858
859 /** 859 /**
860 * ecryptfs_validate_marker - check for the ecryptfs marker 860 * ecryptfs_validate_marker - check for the ecryptfs marker
861 * @data: The data block in which to check 861 * @data: The data block in which to check
862 * 862 *
863 * Returns zero if marker found; -EINVAL if not found 863 * Returns zero if marker found; -EINVAL if not found
864 */ 864 */
865 static int ecryptfs_validate_marker(char *data) 865 static int ecryptfs_validate_marker(char *data)
866 { 866 {
867 u32 m_1, m_2; 867 u32 m_1, m_2;
868 868
869 m_1 = get_unaligned_be32(data); 869 m_1 = get_unaligned_be32(data);
870 m_2 = get_unaligned_be32(data + 4); 870 m_2 = get_unaligned_be32(data + 4);
871 if ((m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2) 871 if ((m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2)
872 return 0; 872 return 0;
873 ecryptfs_printk(KERN_DEBUG, "m_1 = [0x%.8x]; m_2 = [0x%.8x]; " 873 ecryptfs_printk(KERN_DEBUG, "m_1 = [0x%.8x]; m_2 = [0x%.8x]; "
874 "MAGIC_ECRYPTFS_MARKER = [0x%.8x]\n", m_1, m_2, 874 "MAGIC_ECRYPTFS_MARKER = [0x%.8x]\n", m_1, m_2,
875 MAGIC_ECRYPTFS_MARKER); 875 MAGIC_ECRYPTFS_MARKER);
876 ecryptfs_printk(KERN_DEBUG, "(m_1 ^ MAGIC_ECRYPTFS_MARKER) = " 876 ecryptfs_printk(KERN_DEBUG, "(m_1 ^ MAGIC_ECRYPTFS_MARKER) = "
877 "[0x%.8x]\n", (m_1 ^ MAGIC_ECRYPTFS_MARKER)); 877 "[0x%.8x]\n", (m_1 ^ MAGIC_ECRYPTFS_MARKER));
878 return -EINVAL; 878 return -EINVAL;
879 } 879 }
880 880
881 struct ecryptfs_flag_map_elem { 881 struct ecryptfs_flag_map_elem {
882 u32 file_flag; 882 u32 file_flag;
883 u32 local_flag; 883 u32 local_flag;
884 }; 884 };
885 885
886 /* Add support for additional flags by adding elements here. */ 886 /* Add support for additional flags by adding elements here. */
887 static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = { 887 static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = {
888 {0x00000001, ECRYPTFS_ENABLE_HMAC}, 888 {0x00000001, ECRYPTFS_ENABLE_HMAC},
889 {0x00000002, ECRYPTFS_ENCRYPTED}, 889 {0x00000002, ECRYPTFS_ENCRYPTED},
890 {0x00000004, ECRYPTFS_METADATA_IN_XATTR}, 890 {0x00000004, ECRYPTFS_METADATA_IN_XATTR},
891 {0x00000008, ECRYPTFS_ENCRYPT_FILENAMES} 891 {0x00000008, ECRYPTFS_ENCRYPT_FILENAMES}
892 }; 892 };
893 893
894 /** 894 /**
895 * ecryptfs_process_flags 895 * ecryptfs_process_flags
896 * @crypt_stat: The cryptographic context 896 * @crypt_stat: The cryptographic context
897 * @page_virt: Source data to be parsed 897 * @page_virt: Source data to be parsed
898 * @bytes_read: Updated with the number of bytes read 898 * @bytes_read: Updated with the number of bytes read
899 * 899 *
900 * Returns zero on success; non-zero if the flag set is invalid 900 * Returns zero on success; non-zero if the flag set is invalid
901 */ 901 */
902 static int ecryptfs_process_flags(struct ecryptfs_crypt_stat *crypt_stat, 902 static int ecryptfs_process_flags(struct ecryptfs_crypt_stat *crypt_stat,
903 char *page_virt, int *bytes_read) 903 char *page_virt, int *bytes_read)
904 { 904 {
905 int rc = 0; 905 int rc = 0;
906 int i; 906 int i;
907 u32 flags; 907 u32 flags;
908 908
909 flags = get_unaligned_be32(page_virt); 909 flags = get_unaligned_be32(page_virt);
910 for (i = 0; i < ((sizeof(ecryptfs_flag_map) 910 for (i = 0; i < ((sizeof(ecryptfs_flag_map)
911 / sizeof(struct ecryptfs_flag_map_elem))); i++) 911 / sizeof(struct ecryptfs_flag_map_elem))); i++)
912 if (flags & ecryptfs_flag_map[i].file_flag) { 912 if (flags & ecryptfs_flag_map[i].file_flag) {
913 crypt_stat->flags |= ecryptfs_flag_map[i].local_flag; 913 crypt_stat->flags |= ecryptfs_flag_map[i].local_flag;
914 } else 914 } else
915 crypt_stat->flags &= ~(ecryptfs_flag_map[i].local_flag); 915 crypt_stat->flags &= ~(ecryptfs_flag_map[i].local_flag);
916 /* Version is in top 8 bits of the 32-bit flag vector */ 916 /* Version is in top 8 bits of the 32-bit flag vector */
917 crypt_stat->file_version = ((flags >> 24) & 0xFF); 917 crypt_stat->file_version = ((flags >> 24) & 0xFF);
918 (*bytes_read) = 4; 918 (*bytes_read) = 4;
919 return rc; 919 return rc;
920 } 920 }
921 921
922 /** 922 /**
923 * write_ecryptfs_marker 923 * write_ecryptfs_marker
924 * @page_virt: The pointer to in a page to begin writing the marker 924 * @page_virt: The pointer to in a page to begin writing the marker
925 * @written: Number of bytes written 925 * @written: Number of bytes written
926 * 926 *
927 * Marker = 0x3c81b7f5 927 * Marker = 0x3c81b7f5
928 */ 928 */
929 static void write_ecryptfs_marker(char *page_virt, size_t *written) 929 static void write_ecryptfs_marker(char *page_virt, size_t *written)
930 { 930 {
931 u32 m_1, m_2; 931 u32 m_1, m_2;
932 932
933 get_random_bytes(&m_1, (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2)); 933 get_random_bytes(&m_1, (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2));
934 m_2 = (m_1 ^ MAGIC_ECRYPTFS_MARKER); 934 m_2 = (m_1 ^ MAGIC_ECRYPTFS_MARKER);
935 put_unaligned_be32(m_1, page_virt); 935 put_unaligned_be32(m_1, page_virt);
936 page_virt += (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2); 936 page_virt += (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2);
937 put_unaligned_be32(m_2, page_virt); 937 put_unaligned_be32(m_2, page_virt);
938 (*written) = MAGIC_ECRYPTFS_MARKER_SIZE_BYTES; 938 (*written) = MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;
939 } 939 }
940 940
941 void ecryptfs_write_crypt_stat_flags(char *page_virt, 941 void ecryptfs_write_crypt_stat_flags(char *page_virt,
942 struct ecryptfs_crypt_stat *crypt_stat, 942 struct ecryptfs_crypt_stat *crypt_stat,
943 size_t *written) 943 size_t *written)
944 { 944 {
945 u32 flags = 0; 945 u32 flags = 0;
946 int i; 946 int i;
947 947
948 for (i = 0; i < ((sizeof(ecryptfs_flag_map) 948 for (i = 0; i < ((sizeof(ecryptfs_flag_map)
949 / sizeof(struct ecryptfs_flag_map_elem))); i++) 949 / sizeof(struct ecryptfs_flag_map_elem))); i++)
950 if (crypt_stat->flags & ecryptfs_flag_map[i].local_flag) 950 if (crypt_stat->flags & ecryptfs_flag_map[i].local_flag)
951 flags |= ecryptfs_flag_map[i].file_flag; 951 flags |= ecryptfs_flag_map[i].file_flag;
952 /* Version is in top 8 bits of the 32-bit flag vector */ 952 /* Version is in top 8 bits of the 32-bit flag vector */
953 flags |= ((((u8)crypt_stat->file_version) << 24) & 0xFF000000); 953 flags |= ((((u8)crypt_stat->file_version) << 24) & 0xFF000000);
954 put_unaligned_be32(flags, page_virt); 954 put_unaligned_be32(flags, page_virt);
955 (*written) = 4; 955 (*written) = 4;
956 } 956 }
957 957
958 struct ecryptfs_cipher_code_str_map_elem { 958 struct ecryptfs_cipher_code_str_map_elem {
959 char cipher_str[16]; 959 char cipher_str[16];
960 u8 cipher_code; 960 u8 cipher_code;
961 }; 961 };
962 962
963 /* Add support for additional ciphers by adding elements here. The 963 /* Add support for additional ciphers by adding elements here. The
964 * cipher_code is whatever OpenPGP applicatoins use to identify the 964 * cipher_code is whatever OpenPGP applicatoins use to identify the
965 * ciphers. List in order of probability. */ 965 * ciphers. List in order of probability. */
966 static struct ecryptfs_cipher_code_str_map_elem 966 static struct ecryptfs_cipher_code_str_map_elem
967 ecryptfs_cipher_code_str_map[] = { 967 ecryptfs_cipher_code_str_map[] = {
968 {"aes",RFC2440_CIPHER_AES_128 }, 968 {"aes",RFC2440_CIPHER_AES_128 },
969 {"blowfish", RFC2440_CIPHER_BLOWFISH}, 969 {"blowfish", RFC2440_CIPHER_BLOWFISH},
970 {"des3_ede", RFC2440_CIPHER_DES3_EDE}, 970 {"des3_ede", RFC2440_CIPHER_DES3_EDE},
971 {"cast5", RFC2440_CIPHER_CAST_5}, 971 {"cast5", RFC2440_CIPHER_CAST_5},
972 {"twofish", RFC2440_CIPHER_TWOFISH}, 972 {"twofish", RFC2440_CIPHER_TWOFISH},
973 {"cast6", RFC2440_CIPHER_CAST_6}, 973 {"cast6", RFC2440_CIPHER_CAST_6},
974 {"aes", RFC2440_CIPHER_AES_192}, 974 {"aes", RFC2440_CIPHER_AES_192},
975 {"aes", RFC2440_CIPHER_AES_256} 975 {"aes", RFC2440_CIPHER_AES_256}
976 }; 976 };
977 977
978 /** 978 /**
979 * ecryptfs_code_for_cipher_string 979 * ecryptfs_code_for_cipher_string
980 * @cipher_name: The string alias for the cipher 980 * @cipher_name: The string alias for the cipher
981 * @key_bytes: Length of key in bytes; used for AES code selection 981 * @key_bytes: Length of key in bytes; used for AES code selection
982 * 982 *
983 * Returns zero on no match, or the cipher code on match 983 * Returns zero on no match, or the cipher code on match
984 */ 984 */
985 u8 ecryptfs_code_for_cipher_string(char *cipher_name, size_t key_bytes) 985 u8 ecryptfs_code_for_cipher_string(char *cipher_name, size_t key_bytes)
986 { 986 {
987 int i; 987 int i;
988 u8 code = 0; 988 u8 code = 0;
989 struct ecryptfs_cipher_code_str_map_elem *map = 989 struct ecryptfs_cipher_code_str_map_elem *map =
990 ecryptfs_cipher_code_str_map; 990 ecryptfs_cipher_code_str_map;
991 991
992 if (strcmp(cipher_name, "aes") == 0) { 992 if (strcmp(cipher_name, "aes") == 0) {
993 switch (key_bytes) { 993 switch (key_bytes) {
994 case 16: 994 case 16:
995 code = RFC2440_CIPHER_AES_128; 995 code = RFC2440_CIPHER_AES_128;
996 break; 996 break;
997 case 24: 997 case 24:
998 code = RFC2440_CIPHER_AES_192; 998 code = RFC2440_CIPHER_AES_192;
999 break; 999 break;
1000 case 32: 1000 case 32:
1001 code = RFC2440_CIPHER_AES_256; 1001 code = RFC2440_CIPHER_AES_256;
1002 } 1002 }
1003 } else { 1003 } else {
1004 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++) 1004 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++)
1005 if (strcmp(cipher_name, map[i].cipher_str) == 0) { 1005 if (strcmp(cipher_name, map[i].cipher_str) == 0) {
1006 code = map[i].cipher_code; 1006 code = map[i].cipher_code;
1007 break; 1007 break;
1008 } 1008 }
1009 } 1009 }
1010 return code; 1010 return code;
1011 } 1011 }
1012 1012
1013 /** 1013 /**
1014 * ecryptfs_cipher_code_to_string 1014 * ecryptfs_cipher_code_to_string
1015 * @str: Destination to write out the cipher name 1015 * @str: Destination to write out the cipher name
1016 * @cipher_code: The code to convert to cipher name string 1016 * @cipher_code: The code to convert to cipher name string
1017 * 1017 *
1018 * Returns zero on success 1018 * Returns zero on success
1019 */ 1019 */
1020 int ecryptfs_cipher_code_to_string(char *str, u8 cipher_code) 1020 int ecryptfs_cipher_code_to_string(char *str, u8 cipher_code)
1021 { 1021 {
1022 int rc = 0; 1022 int rc = 0;
1023 int i; 1023 int i;
1024 1024
1025 str[0] = '\0'; 1025 str[0] = '\0';
1026 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++) 1026 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++)
1027 if (cipher_code == ecryptfs_cipher_code_str_map[i].cipher_code) 1027 if (cipher_code == ecryptfs_cipher_code_str_map[i].cipher_code)
1028 strcpy(str, ecryptfs_cipher_code_str_map[i].cipher_str); 1028 strcpy(str, ecryptfs_cipher_code_str_map[i].cipher_str);
1029 if (str[0] == '\0') { 1029 if (str[0] == '\0') {
1030 ecryptfs_printk(KERN_WARNING, "Cipher code not recognized: " 1030 ecryptfs_printk(KERN_WARNING, "Cipher code not recognized: "
1031 "[%d]\n", cipher_code); 1031 "[%d]\n", cipher_code);
1032 rc = -EINVAL; 1032 rc = -EINVAL;
1033 } 1033 }
1034 return rc; 1034 return rc;
1035 } 1035 }
1036 1036
1037 int ecryptfs_read_and_validate_header_region(struct inode *inode) 1037 int ecryptfs_read_and_validate_header_region(struct inode *inode)
1038 { 1038 {
1039 u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES]; 1039 u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES];
1040 u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES; 1040 u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES;
1041 int rc; 1041 int rc;
1042 1042
1043 rc = ecryptfs_read_lower(file_size, 0, ECRYPTFS_SIZE_AND_MARKER_BYTES, 1043 rc = ecryptfs_read_lower(file_size, 0, ECRYPTFS_SIZE_AND_MARKER_BYTES,
1044 inode); 1044 inode);
1045 if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES) 1045 if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
1046 return rc >= 0 ? -EINVAL : rc; 1046 return rc >= 0 ? -EINVAL : rc;
1047 rc = ecryptfs_validate_marker(marker); 1047 rc = ecryptfs_validate_marker(marker);
1048 if (!rc) 1048 if (!rc)
1049 ecryptfs_i_size_init(file_size, inode); 1049 ecryptfs_i_size_init(file_size, inode);
1050 return rc; 1050 return rc;
1051 } 1051 }
1052 1052
1053 void 1053 void
1054 ecryptfs_write_header_metadata(char *virt, 1054 ecryptfs_write_header_metadata(char *virt,
1055 struct ecryptfs_crypt_stat *crypt_stat, 1055 struct ecryptfs_crypt_stat *crypt_stat,
1056 size_t *written) 1056 size_t *written)
1057 { 1057 {
1058 u32 header_extent_size; 1058 u32 header_extent_size;
1059 u16 num_header_extents_at_front; 1059 u16 num_header_extents_at_front;
1060 1060
1061 header_extent_size = (u32)crypt_stat->extent_size; 1061 header_extent_size = (u32)crypt_stat->extent_size;
1062 num_header_extents_at_front = 1062 num_header_extents_at_front =
1063 (u16)(crypt_stat->metadata_size / crypt_stat->extent_size); 1063 (u16)(crypt_stat->metadata_size / crypt_stat->extent_size);
1064 put_unaligned_be32(header_extent_size, virt); 1064 put_unaligned_be32(header_extent_size, virt);
1065 virt += 4; 1065 virt += 4;
1066 put_unaligned_be16(num_header_extents_at_front, virt); 1066 put_unaligned_be16(num_header_extents_at_front, virt);
1067 (*written) = 6; 1067 (*written) = 6;
1068 } 1068 }
1069 1069
1070 struct kmem_cache *ecryptfs_header_cache; 1070 struct kmem_cache *ecryptfs_header_cache;
1071 1071
1072 /** 1072 /**
1073 * ecryptfs_write_headers_virt 1073 * ecryptfs_write_headers_virt
1074 * @page_virt: The virtual address to write the headers to 1074 * @page_virt: The virtual address to write the headers to
1075 * @max: The size of memory allocated at page_virt 1075 * @max: The size of memory allocated at page_virt
1076 * @size: Set to the number of bytes written by this function 1076 * @size: Set to the number of bytes written by this function
1077 * @crypt_stat: The cryptographic context 1077 * @crypt_stat: The cryptographic context
1078 * @ecryptfs_dentry: The eCryptfs dentry 1078 * @ecryptfs_dentry: The eCryptfs dentry
1079 * 1079 *
1080 * Format version: 1 1080 * Format version: 1
1081 * 1081 *
1082 * Header Extent: 1082 * Header Extent:
1083 * Octets 0-7: Unencrypted file size (big-endian) 1083 * Octets 0-7: Unencrypted file size (big-endian)
1084 * Octets 8-15: eCryptfs special marker 1084 * Octets 8-15: eCryptfs special marker
1085 * Octets 16-19: Flags 1085 * Octets 16-19: Flags
1086 * Octet 16: File format version number (between 0 and 255) 1086 * Octet 16: File format version number (between 0 and 255)
1087 * Octets 17-18: Reserved 1087 * Octets 17-18: Reserved
1088 * Octet 19: Bit 1 (lsb): Reserved 1088 * Octet 19: Bit 1 (lsb): Reserved
1089 * Bit 2: Encrypted? 1089 * Bit 2: Encrypted?
1090 * Bits 3-8: Reserved 1090 * Bits 3-8: Reserved
1091 * Octets 20-23: Header extent size (big-endian) 1091 * Octets 20-23: Header extent size (big-endian)
1092 * Octets 24-25: Number of header extents at front of file 1092 * Octets 24-25: Number of header extents at front of file
1093 * (big-endian) 1093 * (big-endian)
1094 * Octet 26: Begin RFC 2440 authentication token packet set 1094 * Octet 26: Begin RFC 2440 authentication token packet set
1095 * Data Extent 0: 1095 * Data Extent 0:
1096 * Lower data (CBC encrypted) 1096 * Lower data (CBC encrypted)
1097 * Data Extent 1: 1097 * Data Extent 1:
1098 * Lower data (CBC encrypted) 1098 * Lower data (CBC encrypted)
1099 * ... 1099 * ...
1100 * 1100 *
1101 * Returns zero on success 1101 * Returns zero on success
1102 */ 1102 */
1103 static int ecryptfs_write_headers_virt(char *page_virt, size_t max, 1103 static int ecryptfs_write_headers_virt(char *page_virt, size_t max,
1104 size_t *size, 1104 size_t *size,
1105 struct ecryptfs_crypt_stat *crypt_stat, 1105 struct ecryptfs_crypt_stat *crypt_stat,
1106 struct dentry *ecryptfs_dentry) 1106 struct dentry *ecryptfs_dentry)
1107 { 1107 {
1108 int rc; 1108 int rc;
1109 size_t written; 1109 size_t written;
1110 size_t offset; 1110 size_t offset;
1111 1111
1112 offset = ECRYPTFS_FILE_SIZE_BYTES; 1112 offset = ECRYPTFS_FILE_SIZE_BYTES;
1113 write_ecryptfs_marker((page_virt + offset), &written); 1113 write_ecryptfs_marker((page_virt + offset), &written);
1114 offset += written; 1114 offset += written;
1115 ecryptfs_write_crypt_stat_flags((page_virt + offset), crypt_stat, 1115 ecryptfs_write_crypt_stat_flags((page_virt + offset), crypt_stat,
1116 &written); 1116 &written);
1117 offset += written; 1117 offset += written;
1118 ecryptfs_write_header_metadata((page_virt + offset), crypt_stat, 1118 ecryptfs_write_header_metadata((page_virt + offset), crypt_stat,
1119 &written); 1119 &written);
1120 offset += written; 1120 offset += written;
1121 rc = ecryptfs_generate_key_packet_set((page_virt + offset), crypt_stat, 1121 rc = ecryptfs_generate_key_packet_set((page_virt + offset), crypt_stat,
1122 ecryptfs_dentry, &written, 1122 ecryptfs_dentry, &written,
1123 max - offset); 1123 max - offset);
1124 if (rc) 1124 if (rc)
1125 ecryptfs_printk(KERN_WARNING, "Error generating key packet " 1125 ecryptfs_printk(KERN_WARNING, "Error generating key packet "
1126 "set; rc = [%d]\n", rc); 1126 "set; rc = [%d]\n", rc);
1127 if (size) { 1127 if (size) {
1128 offset += written; 1128 offset += written;
1129 *size = offset; 1129 *size = offset;
1130 } 1130 }
1131 return rc; 1131 return rc;
1132 } 1132 }
1133 1133
1134 static int 1134 static int
1135 ecryptfs_write_metadata_to_contents(struct inode *ecryptfs_inode, 1135 ecryptfs_write_metadata_to_contents(struct inode *ecryptfs_inode,
1136 char *virt, size_t virt_len) 1136 char *virt, size_t virt_len)
1137 { 1137 {
1138 int rc; 1138 int rc;
1139 1139
1140 rc = ecryptfs_write_lower(ecryptfs_inode, virt, 1140 rc = ecryptfs_write_lower(ecryptfs_inode, virt,
1141 0, virt_len); 1141 0, virt_len);
1142 if (rc < 0) 1142 if (rc < 0)
1143 printk(KERN_ERR "%s: Error attempting to write header " 1143 printk(KERN_ERR "%s: Error attempting to write header "
1144 "information to lower file; rc = [%d]\n", __func__, rc); 1144 "information to lower file; rc = [%d]\n", __func__, rc);
1145 else 1145 else
1146 rc = 0; 1146 rc = 0;
1147 return rc; 1147 return rc;
1148 } 1148 }
1149 1149
1150 static int 1150 static int
1151 ecryptfs_write_metadata_to_xattr(struct dentry *ecryptfs_dentry, 1151 ecryptfs_write_metadata_to_xattr(struct dentry *ecryptfs_dentry,
1152 char *page_virt, size_t size) 1152 char *page_virt, size_t size)
1153 { 1153 {
1154 int rc; 1154 int rc;
1155 1155
1156 rc = ecryptfs_setxattr(ecryptfs_dentry, ECRYPTFS_XATTR_NAME, page_virt, 1156 rc = ecryptfs_setxattr(ecryptfs_dentry, ECRYPTFS_XATTR_NAME, page_virt,
1157 size, 0); 1157 size, 0);
1158 return rc; 1158 return rc;
1159 } 1159 }
1160 1160
1161 static unsigned long ecryptfs_get_zeroed_pages(gfp_t gfp_mask, 1161 static unsigned long ecryptfs_get_zeroed_pages(gfp_t gfp_mask,
1162 unsigned int order) 1162 unsigned int order)
1163 { 1163 {
1164 struct page *page; 1164 struct page *page;
1165 1165
1166 page = alloc_pages(gfp_mask | __GFP_ZERO, order); 1166 page = alloc_pages(gfp_mask | __GFP_ZERO, order);
1167 if (page) 1167 if (page)
1168 return (unsigned long) page_address(page); 1168 return (unsigned long) page_address(page);
1169 return 0; 1169 return 0;
1170 } 1170 }
1171 1171
1172 /** 1172 /**
1173 * ecryptfs_write_metadata 1173 * ecryptfs_write_metadata
1174 * @ecryptfs_dentry: The eCryptfs dentry, which should be negative 1174 * @ecryptfs_dentry: The eCryptfs dentry, which should be negative
1175 * @ecryptfs_inode: The newly created eCryptfs inode 1175 * @ecryptfs_inode: The newly created eCryptfs inode
1176 * 1176 *
1177 * Write the file headers out. This will likely involve a userspace 1177 * Write the file headers out. This will likely involve a userspace
1178 * callout, in which the session key is encrypted with one or more 1178 * callout, in which the session key is encrypted with one or more
1179 * public keys and/or the passphrase necessary to do the encryption is 1179 * public keys and/or the passphrase necessary to do the encryption is
1180 * retrieved via a prompt. Exactly what happens at this point should 1180 * retrieved via a prompt. Exactly what happens at this point should
1181 * be policy-dependent. 1181 * be policy-dependent.
1182 * 1182 *
1183 * Returns zero on success; non-zero on error 1183 * Returns zero on success; non-zero on error
1184 */ 1184 */
1185 int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry, 1185 int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry,
1186 struct inode *ecryptfs_inode) 1186 struct inode *ecryptfs_inode)
1187 { 1187 {
1188 struct ecryptfs_crypt_stat *crypt_stat = 1188 struct ecryptfs_crypt_stat *crypt_stat =
1189 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat; 1189 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
1190 unsigned int order; 1190 unsigned int order;
1191 char *virt; 1191 char *virt;
1192 size_t virt_len; 1192 size_t virt_len;
1193 size_t size = 0; 1193 size_t size = 0;
1194 int rc = 0; 1194 int rc = 0;
1195 1195
1196 if (likely(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) { 1196 if (likely(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) {
1197 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) { 1197 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) {
1198 printk(KERN_ERR "Key is invalid; bailing out\n"); 1198 printk(KERN_ERR "Key is invalid; bailing out\n");
1199 rc = -EINVAL; 1199 rc = -EINVAL;
1200 goto out; 1200 goto out;
1201 } 1201 }
1202 } else { 1202 } else {
1203 printk(KERN_WARNING "%s: Encrypted flag not set\n", 1203 printk(KERN_WARNING "%s: Encrypted flag not set\n",
1204 __func__); 1204 __func__);
1205 rc = -EINVAL; 1205 rc = -EINVAL;
1206 goto out; 1206 goto out;
1207 } 1207 }
1208 virt_len = crypt_stat->metadata_size; 1208 virt_len = crypt_stat->metadata_size;
1209 order = get_order(virt_len); 1209 order = get_order(virt_len);
1210 /* Released in this function */ 1210 /* Released in this function */
1211 virt = (char *)ecryptfs_get_zeroed_pages(GFP_KERNEL, order); 1211 virt = (char *)ecryptfs_get_zeroed_pages(GFP_KERNEL, order);
1212 if (!virt) { 1212 if (!virt) {
1213 printk(KERN_ERR "%s: Out of memory\n", __func__); 1213 printk(KERN_ERR "%s: Out of memory\n", __func__);
1214 rc = -ENOMEM; 1214 rc = -ENOMEM;
1215 goto out; 1215 goto out;
1216 } 1216 }
1217 /* Zeroed page ensures the in-header unencrypted i_size is set to 0 */ 1217 /* Zeroed page ensures the in-header unencrypted i_size is set to 0 */
1218 rc = ecryptfs_write_headers_virt(virt, virt_len, &size, crypt_stat, 1218 rc = ecryptfs_write_headers_virt(virt, virt_len, &size, crypt_stat,
1219 ecryptfs_dentry); 1219 ecryptfs_dentry);
1220 if (unlikely(rc)) { 1220 if (unlikely(rc)) {
1221 printk(KERN_ERR "%s: Error whilst writing headers; rc = [%d]\n", 1221 printk(KERN_ERR "%s: Error whilst writing headers; rc = [%d]\n",
1222 __func__, rc); 1222 __func__, rc);
1223 goto out_free; 1223 goto out_free;
1224 } 1224 }
1225 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR) 1225 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
1226 rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, virt, 1226 rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, virt,
1227 size); 1227 size);
1228 else 1228 else
1229 rc = ecryptfs_write_metadata_to_contents(ecryptfs_inode, virt, 1229 rc = ecryptfs_write_metadata_to_contents(ecryptfs_inode, virt,
1230 virt_len); 1230 virt_len);
1231 if (rc) { 1231 if (rc) {
1232 printk(KERN_ERR "%s: Error writing metadata out to lower file; " 1232 printk(KERN_ERR "%s: Error writing metadata out to lower file; "
1233 "rc = [%d]\n", __func__, rc); 1233 "rc = [%d]\n", __func__, rc);
1234 goto out_free; 1234 goto out_free;
1235 } 1235 }
1236 out_free: 1236 out_free:
1237 free_pages((unsigned long)virt, order); 1237 free_pages((unsigned long)virt, order);
1238 out: 1238 out:
1239 return rc; 1239 return rc;
1240 } 1240 }
1241 1241
1242 #define ECRYPTFS_DONT_VALIDATE_HEADER_SIZE 0 1242 #define ECRYPTFS_DONT_VALIDATE_HEADER_SIZE 0
1243 #define ECRYPTFS_VALIDATE_HEADER_SIZE 1 1243 #define ECRYPTFS_VALIDATE_HEADER_SIZE 1
1244 static int parse_header_metadata(struct ecryptfs_crypt_stat *crypt_stat, 1244 static int parse_header_metadata(struct ecryptfs_crypt_stat *crypt_stat,
1245 char *virt, int *bytes_read, 1245 char *virt, int *bytes_read,
1246 int validate_header_size) 1246 int validate_header_size)
1247 { 1247 {
1248 int rc = 0; 1248 int rc = 0;
1249 u32 header_extent_size; 1249 u32 header_extent_size;
1250 u16 num_header_extents_at_front; 1250 u16 num_header_extents_at_front;
1251 1251
1252 header_extent_size = get_unaligned_be32(virt); 1252 header_extent_size = get_unaligned_be32(virt);
1253 virt += sizeof(__be32); 1253 virt += sizeof(__be32);
1254 num_header_extents_at_front = get_unaligned_be16(virt); 1254 num_header_extents_at_front = get_unaligned_be16(virt);
1255 crypt_stat->metadata_size = (((size_t)num_header_extents_at_front 1255 crypt_stat->metadata_size = (((size_t)num_header_extents_at_front
1256 * (size_t)header_extent_size)); 1256 * (size_t)header_extent_size));
1257 (*bytes_read) = (sizeof(__be32) + sizeof(__be16)); 1257 (*bytes_read) = (sizeof(__be32) + sizeof(__be16));
1258 if ((validate_header_size == ECRYPTFS_VALIDATE_HEADER_SIZE) 1258 if ((validate_header_size == ECRYPTFS_VALIDATE_HEADER_SIZE)
1259 && (crypt_stat->metadata_size 1259 && (crypt_stat->metadata_size
1260 < ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)) { 1260 < ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)) {
1261 rc = -EINVAL; 1261 rc = -EINVAL;
1262 printk(KERN_WARNING "Invalid header size: [%zd]\n", 1262 printk(KERN_WARNING "Invalid header size: [%zd]\n",
1263 crypt_stat->metadata_size); 1263 crypt_stat->metadata_size);
1264 } 1264 }
1265 return rc; 1265 return rc;
1266 } 1266 }
1267 1267
1268 /** 1268 /**
1269 * set_default_header_data 1269 * set_default_header_data
1270 * @crypt_stat: The cryptographic context 1270 * @crypt_stat: The cryptographic context
1271 * 1271 *
1272 * For version 0 file format; this function is only for backwards 1272 * For version 0 file format; this function is only for backwards
1273 * compatibility for files created with the prior versions of 1273 * compatibility for files created with the prior versions of
1274 * eCryptfs. 1274 * eCryptfs.
1275 */ 1275 */
1276 static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat) 1276 static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat)
1277 { 1277 {
1278 crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE; 1278 crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
1279 } 1279 }
1280 1280
1281 void ecryptfs_i_size_init(const char *page_virt, struct inode *inode) 1281 void ecryptfs_i_size_init(const char *page_virt, struct inode *inode)
1282 { 1282 {
1283 struct ecryptfs_mount_crypt_stat *mount_crypt_stat; 1283 struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
1284 struct ecryptfs_crypt_stat *crypt_stat; 1284 struct ecryptfs_crypt_stat *crypt_stat;
1285 u64 file_size; 1285 u64 file_size;
1286 1286
1287 crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat; 1287 crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat;
1288 mount_crypt_stat = 1288 mount_crypt_stat =
1289 &ecryptfs_superblock_to_private(inode->i_sb)->mount_crypt_stat; 1289 &ecryptfs_superblock_to_private(inode->i_sb)->mount_crypt_stat;
1290 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) { 1290 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) {
1291 file_size = i_size_read(ecryptfs_inode_to_lower(inode)); 1291 file_size = i_size_read(ecryptfs_inode_to_lower(inode));
1292 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR) 1292 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
1293 file_size += crypt_stat->metadata_size; 1293 file_size += crypt_stat->metadata_size;
1294 } else 1294 } else
1295 file_size = get_unaligned_be64(page_virt); 1295 file_size = get_unaligned_be64(page_virt);
1296 i_size_write(inode, (loff_t)file_size); 1296 i_size_write(inode, (loff_t)file_size);
1297 crypt_stat->flags |= ECRYPTFS_I_SIZE_INITIALIZED; 1297 crypt_stat->flags |= ECRYPTFS_I_SIZE_INITIALIZED;
1298 } 1298 }
1299 1299
1300 /** 1300 /**
1301 * ecryptfs_read_headers_virt 1301 * ecryptfs_read_headers_virt
1302 * @page_virt: The virtual address into which to read the headers 1302 * @page_virt: The virtual address into which to read the headers
1303 * @crypt_stat: The cryptographic context 1303 * @crypt_stat: The cryptographic context
1304 * @ecryptfs_dentry: The eCryptfs dentry 1304 * @ecryptfs_dentry: The eCryptfs dentry
1305 * @validate_header_size: Whether to validate the header size while reading 1305 * @validate_header_size: Whether to validate the header size while reading
1306 * 1306 *
1307 * Read/parse the header data. The header format is detailed in the 1307 * Read/parse the header data. The header format is detailed in the
1308 * comment block for the ecryptfs_write_headers_virt() function. 1308 * comment block for the ecryptfs_write_headers_virt() function.
1309 * 1309 *
1310 * Returns zero on success 1310 * Returns zero on success
1311 */ 1311 */
1312 static int ecryptfs_read_headers_virt(char *page_virt, 1312 static int ecryptfs_read_headers_virt(char *page_virt,
1313 struct ecryptfs_crypt_stat *crypt_stat, 1313 struct ecryptfs_crypt_stat *crypt_stat,
1314 struct dentry *ecryptfs_dentry, 1314 struct dentry *ecryptfs_dentry,
1315 int validate_header_size) 1315 int validate_header_size)
1316 { 1316 {
1317 int rc = 0; 1317 int rc = 0;
1318 int offset; 1318 int offset;
1319 int bytes_read; 1319 int bytes_read;
1320 1320
1321 ecryptfs_set_default_sizes(crypt_stat); 1321 ecryptfs_set_default_sizes(crypt_stat);
1322 crypt_stat->mount_crypt_stat = &ecryptfs_superblock_to_private( 1322 crypt_stat->mount_crypt_stat = &ecryptfs_superblock_to_private(
1323 ecryptfs_dentry->d_sb)->mount_crypt_stat; 1323 ecryptfs_dentry->d_sb)->mount_crypt_stat;
1324 offset = ECRYPTFS_FILE_SIZE_BYTES; 1324 offset = ECRYPTFS_FILE_SIZE_BYTES;
1325 rc = ecryptfs_validate_marker(page_virt + offset); 1325 rc = ecryptfs_validate_marker(page_virt + offset);
1326 if (rc) 1326 if (rc)
1327 goto out; 1327 goto out;
1328 if (!(crypt_stat->flags & ECRYPTFS_I_SIZE_INITIALIZED)) 1328 if (!(crypt_stat->flags & ECRYPTFS_I_SIZE_INITIALIZED))
1329 ecryptfs_i_size_init(page_virt, ecryptfs_dentry->d_inode); 1329 ecryptfs_i_size_init(page_virt, ecryptfs_dentry->d_inode);
1330 offset += MAGIC_ECRYPTFS_MARKER_SIZE_BYTES; 1330 offset += MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;
1331 rc = ecryptfs_process_flags(crypt_stat, (page_virt + offset), 1331 rc = ecryptfs_process_flags(crypt_stat, (page_virt + offset),
1332 &bytes_read); 1332 &bytes_read);
1333 if (rc) { 1333 if (rc) {
1334 ecryptfs_printk(KERN_WARNING, "Error processing flags\n"); 1334 ecryptfs_printk(KERN_WARNING, "Error processing flags\n");
1335 goto out; 1335 goto out;
1336 } 1336 }
1337 if (crypt_stat->file_version > ECRYPTFS_SUPPORTED_FILE_VERSION) { 1337 if (crypt_stat->file_version > ECRYPTFS_SUPPORTED_FILE_VERSION) {
1338 ecryptfs_printk(KERN_WARNING, "File version is [%d]; only " 1338 ecryptfs_printk(KERN_WARNING, "File version is [%d]; only "
1339 "file version [%d] is supported by this " 1339 "file version [%d] is supported by this "
1340 "version of eCryptfs\n", 1340 "version of eCryptfs\n",
1341 crypt_stat->file_version, 1341 crypt_stat->file_version,
1342 ECRYPTFS_SUPPORTED_FILE_VERSION); 1342 ECRYPTFS_SUPPORTED_FILE_VERSION);
1343 rc = -EINVAL; 1343 rc = -EINVAL;
1344 goto out; 1344 goto out;
1345 } 1345 }
1346 offset += bytes_read; 1346 offset += bytes_read;
1347 if (crypt_stat->file_version >= 1) { 1347 if (crypt_stat->file_version >= 1) {
1348 rc = parse_header_metadata(crypt_stat, (page_virt + offset), 1348 rc = parse_header_metadata(crypt_stat, (page_virt + offset),
1349 &bytes_read, validate_header_size); 1349 &bytes_read, validate_header_size);
1350 if (rc) { 1350 if (rc) {
1351 ecryptfs_printk(KERN_WARNING, "Error reading header " 1351 ecryptfs_printk(KERN_WARNING, "Error reading header "
1352 "metadata; rc = [%d]\n", rc); 1352 "metadata; rc = [%d]\n", rc);
1353 } 1353 }
1354 offset += bytes_read; 1354 offset += bytes_read;
1355 } else 1355 } else
1356 set_default_header_data(crypt_stat); 1356 set_default_header_data(crypt_stat);
1357 rc = ecryptfs_parse_packet_set(crypt_stat, (page_virt + offset), 1357 rc = ecryptfs_parse_packet_set(crypt_stat, (page_virt + offset),
1358 ecryptfs_dentry); 1358 ecryptfs_dentry);
1359 out: 1359 out:
1360 return rc; 1360 return rc;
1361 } 1361 }
1362 1362
1363 /** 1363 /**
1364 * ecryptfs_read_xattr_region 1364 * ecryptfs_read_xattr_region
1365 * @page_virt: The vitual address into which to read the xattr data 1365 * @page_virt: The vitual address into which to read the xattr data
1366 * @ecryptfs_inode: The eCryptfs inode 1366 * @ecryptfs_inode: The eCryptfs inode
1367 * 1367 *
1368 * Attempts to read the crypto metadata from the extended attribute 1368 * Attempts to read the crypto metadata from the extended attribute
1369 * region of the lower file. 1369 * region of the lower file.
1370 * 1370 *
1371 * Returns zero on success; non-zero on error 1371 * Returns zero on success; non-zero on error
1372 */ 1372 */
1373 int ecryptfs_read_xattr_region(char *page_virt, struct inode *ecryptfs_inode) 1373 int ecryptfs_read_xattr_region(char *page_virt, struct inode *ecryptfs_inode)
1374 { 1374 {
1375 struct dentry *lower_dentry = 1375 struct dentry *lower_dentry =
1376 ecryptfs_inode_to_private(ecryptfs_inode)->lower_file->f_path.dentry; 1376 ecryptfs_inode_to_private(ecryptfs_inode)->lower_file->f_path.dentry;
1377 ssize_t size; 1377 ssize_t size;
1378 int rc = 0; 1378 int rc = 0;
1379 1379
1380 size = ecryptfs_getxattr_lower(lower_dentry, ECRYPTFS_XATTR_NAME, 1380 size = ecryptfs_getxattr_lower(lower_dentry, ECRYPTFS_XATTR_NAME,
1381 page_virt, ECRYPTFS_DEFAULT_EXTENT_SIZE); 1381 page_virt, ECRYPTFS_DEFAULT_EXTENT_SIZE);
1382 if (size < 0) { 1382 if (size < 0) {
1383 if (unlikely(ecryptfs_verbosity > 0)) 1383 if (unlikely(ecryptfs_verbosity > 0))
1384 printk(KERN_INFO "Error attempting to read the [%s] " 1384 printk(KERN_INFO "Error attempting to read the [%s] "
1385 "xattr from the lower file; return value = " 1385 "xattr from the lower file; return value = "
1386 "[%zd]\n", ECRYPTFS_XATTR_NAME, size); 1386 "[%zd]\n", ECRYPTFS_XATTR_NAME, size);
1387 rc = -EINVAL; 1387 rc = -EINVAL;
1388 goto out; 1388 goto out;
1389 } 1389 }
1390 out: 1390 out:
1391 return rc; 1391 return rc;
1392 } 1392 }
1393 1393
1394 int ecryptfs_read_and_validate_xattr_region(struct dentry *dentry, 1394 int ecryptfs_read_and_validate_xattr_region(struct dentry *dentry,
1395 struct inode *inode) 1395 struct inode *inode)
1396 { 1396 {
1397 u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES]; 1397 u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES];
1398 u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES; 1398 u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES;
1399 int rc; 1399 int rc;
1400 1400
1401 rc = ecryptfs_getxattr_lower(ecryptfs_dentry_to_lower(dentry), 1401 rc = ecryptfs_getxattr_lower(ecryptfs_dentry_to_lower(dentry),
1402 ECRYPTFS_XATTR_NAME, file_size, 1402 ECRYPTFS_XATTR_NAME, file_size,
1403 ECRYPTFS_SIZE_AND_MARKER_BYTES); 1403 ECRYPTFS_SIZE_AND_MARKER_BYTES);
1404 if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES) 1404 if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
1405 return rc >= 0 ? -EINVAL : rc; 1405 return rc >= 0 ? -EINVAL : rc;
1406 rc = ecryptfs_validate_marker(marker); 1406 rc = ecryptfs_validate_marker(marker);
1407 if (!rc) 1407 if (!rc)
1408 ecryptfs_i_size_init(file_size, inode); 1408 ecryptfs_i_size_init(file_size, inode);
1409 return rc; 1409 return rc;
1410 } 1410 }
1411 1411
1412 /** 1412 /**
1413 * ecryptfs_read_metadata 1413 * ecryptfs_read_metadata
1414 * 1414 *
1415 * Common entry point for reading file metadata. From here, we could 1415 * Common entry point for reading file metadata. From here, we could
1416 * retrieve the header information from the header region of the file, 1416 * retrieve the header information from the header region of the file,
1417 * the xattr region of the file, or some other repostory that is 1417 * the xattr region of the file, or some other repostory that is
1418 * stored separately from the file itself. The current implementation 1418 * stored separately from the file itself. The current implementation
1419 * supports retrieving the metadata information from the file contents 1419 * supports retrieving the metadata information from the file contents
1420 * and from the xattr region. 1420 * and from the xattr region.
1421 * 1421 *
1422 * Returns zero if valid headers found and parsed; non-zero otherwise 1422 * Returns zero if valid headers found and parsed; non-zero otherwise
1423 */ 1423 */
1424 int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry) 1424 int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)
1425 { 1425 {
1426 int rc; 1426 int rc;
1427 char *page_virt; 1427 char *page_virt;
1428 struct inode *ecryptfs_inode = ecryptfs_dentry->d_inode; 1428 struct inode *ecryptfs_inode = ecryptfs_dentry->d_inode;
1429 struct ecryptfs_crypt_stat *crypt_stat = 1429 struct ecryptfs_crypt_stat *crypt_stat =
1430 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat; 1430 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
1431 struct ecryptfs_mount_crypt_stat *mount_crypt_stat = 1431 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
1432 &ecryptfs_superblock_to_private( 1432 &ecryptfs_superblock_to_private(
1433 ecryptfs_dentry->d_sb)->mount_crypt_stat; 1433 ecryptfs_dentry->d_sb)->mount_crypt_stat;
1434 1434
1435 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, 1435 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat,
1436 mount_crypt_stat); 1436 mount_crypt_stat);
1437 /* Read the first page from the underlying file */ 1437 /* Read the first page from the underlying file */
1438 page_virt = kmem_cache_alloc(ecryptfs_header_cache, GFP_USER); 1438 page_virt = kmem_cache_alloc(ecryptfs_header_cache, GFP_USER);
1439 if (!page_virt) { 1439 if (!page_virt) {
1440 rc = -ENOMEM; 1440 rc = -ENOMEM;
1441 printk(KERN_ERR "%s: Unable to allocate page_virt\n", 1441 printk(KERN_ERR "%s: Unable to allocate page_virt\n",
1442 __func__); 1442 __func__);
1443 goto out; 1443 goto out;
1444 } 1444 }
1445 rc = ecryptfs_read_lower(page_virt, 0, crypt_stat->extent_size, 1445 rc = ecryptfs_read_lower(page_virt, 0, crypt_stat->extent_size,
1446 ecryptfs_inode); 1446 ecryptfs_inode);
1447 if (rc >= 0) 1447 if (rc >= 0)
1448 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat, 1448 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat,
1449 ecryptfs_dentry, 1449 ecryptfs_dentry,
1450 ECRYPTFS_VALIDATE_HEADER_SIZE); 1450 ECRYPTFS_VALIDATE_HEADER_SIZE);
1451 if (rc) { 1451 if (rc) {
1452 /* metadata is not in the file header, so try xattrs */ 1452 /* metadata is not in the file header, so try xattrs */
1453 memset(page_virt, 0, PAGE_CACHE_SIZE); 1453 memset(page_virt, 0, PAGE_CACHE_SIZE);
1454 rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode); 1454 rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode);
1455 if (rc) { 1455 if (rc) {
1456 printk(KERN_DEBUG "Valid eCryptfs headers not found in " 1456 printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1457 "file header region or xattr region, inode %lu\n", 1457 "file header region or xattr region, inode %lu\n",
1458 ecryptfs_inode->i_ino); 1458 ecryptfs_inode->i_ino);
1459 rc = -EINVAL; 1459 rc = -EINVAL;
1460 goto out; 1460 goto out;
1461 } 1461 }
1462 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat, 1462 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat,
1463 ecryptfs_dentry, 1463 ecryptfs_dentry,
1464 ECRYPTFS_DONT_VALIDATE_HEADER_SIZE); 1464 ECRYPTFS_DONT_VALIDATE_HEADER_SIZE);
1465 if (rc) { 1465 if (rc) {
1466 printk(KERN_DEBUG "Valid eCryptfs headers not found in " 1466 printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1467 "file xattr region either, inode %lu\n", 1467 "file xattr region either, inode %lu\n",
1468 ecryptfs_inode->i_ino); 1468 ecryptfs_inode->i_ino);
1469 rc = -EINVAL; 1469 rc = -EINVAL;
1470 } 1470 }
1471 if (crypt_stat->mount_crypt_stat->flags 1471 if (crypt_stat->mount_crypt_stat->flags
1472 & ECRYPTFS_XATTR_METADATA_ENABLED) { 1472 & ECRYPTFS_XATTR_METADATA_ENABLED) {
1473 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR; 1473 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
1474 } else { 1474 } else {
1475 printk(KERN_WARNING "Attempt to access file with " 1475 printk(KERN_WARNING "Attempt to access file with "
1476 "crypto metadata only in the extended attribute " 1476 "crypto metadata only in the extended attribute "
1477 "region, but eCryptfs was mounted without " 1477 "region, but eCryptfs was mounted without "
1478 "xattr support enabled. eCryptfs will not treat " 1478 "xattr support enabled. eCryptfs will not treat "
1479 "this like an encrypted file, inode %lu\n", 1479 "this like an encrypted file, inode %lu\n",
1480 ecryptfs_inode->i_ino); 1480 ecryptfs_inode->i_ino);
1481 rc = -EINVAL; 1481 rc = -EINVAL;
1482 } 1482 }
1483 } 1483 }
1484 out: 1484 out:
1485 if (page_virt) { 1485 if (page_virt) {
1486 memset(page_virt, 0, PAGE_CACHE_SIZE); 1486 memset(page_virt, 0, PAGE_CACHE_SIZE);
1487 kmem_cache_free(ecryptfs_header_cache, page_virt); 1487 kmem_cache_free(ecryptfs_header_cache, page_virt);
1488 } 1488 }
1489 return rc; 1489 return rc;
1490 } 1490 }
1491 1491
1492 /** 1492 /**
1493 * ecryptfs_encrypt_filename - encrypt filename 1493 * ecryptfs_encrypt_filename - encrypt filename
1494 * 1494 *
1495 * CBC-encrypts the filename. We do not want to encrypt the same 1495 * CBC-encrypts the filename. We do not want to encrypt the same
1496 * filename with the same key and IV, which may happen with hard 1496 * filename with the same key and IV, which may happen with hard
1497 * links, so we prepend random bits to each filename. 1497 * links, so we prepend random bits to each filename.
1498 * 1498 *
1499 * Returns zero on success; non-zero otherwise 1499 * Returns zero on success; non-zero otherwise
1500 */ 1500 */
1501 static int 1501 static int
1502 ecryptfs_encrypt_filename(struct ecryptfs_filename *filename, 1502 ecryptfs_encrypt_filename(struct ecryptfs_filename *filename,
1503 struct ecryptfs_crypt_stat *crypt_stat, 1503 struct ecryptfs_crypt_stat *crypt_stat,
1504 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 1504 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
1505 { 1505 {
1506 int rc = 0; 1506 int rc = 0;
1507 1507
1508 filename->encrypted_filename = NULL; 1508 filename->encrypted_filename = NULL;
1509 filename->encrypted_filename_size = 0; 1509 filename->encrypted_filename_size = 0;
1510 if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCFN_USE_MOUNT_FNEK)) 1510 if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
1511 || (mount_crypt_stat && (mount_crypt_stat->flags 1511 || (mount_crypt_stat && (mount_crypt_stat->flags
1512 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) { 1512 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) {
1513 size_t packet_size; 1513 size_t packet_size;
1514 size_t remaining_bytes; 1514 size_t remaining_bytes;
1515 1515
1516 rc = ecryptfs_write_tag_70_packet( 1516 rc = ecryptfs_write_tag_70_packet(
1517 NULL, NULL, 1517 NULL, NULL,
1518 &filename->encrypted_filename_size, 1518 &filename->encrypted_filename_size,
1519 mount_crypt_stat, NULL, 1519 mount_crypt_stat, NULL,
1520 filename->filename_size); 1520 filename->filename_size);
1521 if (rc) { 1521 if (rc) {
1522 printk(KERN_ERR "%s: Error attempting to get packet " 1522 printk(KERN_ERR "%s: Error attempting to get packet "
1523 "size for tag 72; rc = [%d]\n", __func__, 1523 "size for tag 72; rc = [%d]\n", __func__,
1524 rc); 1524 rc);
1525 filename->encrypted_filename_size = 0; 1525 filename->encrypted_filename_size = 0;
1526 goto out; 1526 goto out;
1527 } 1527 }
1528 filename->encrypted_filename = 1528 filename->encrypted_filename =
1529 kmalloc(filename->encrypted_filename_size, GFP_KERNEL); 1529 kmalloc(filename->encrypted_filename_size, GFP_KERNEL);
1530 if (!filename->encrypted_filename) { 1530 if (!filename->encrypted_filename) {
1531 printk(KERN_ERR "%s: Out of memory whilst attempting " 1531 printk(KERN_ERR "%s: Out of memory whilst attempting "
1532 "to kmalloc [%zd] bytes\n", __func__, 1532 "to kmalloc [%zd] bytes\n", __func__,
1533 filename->encrypted_filename_size); 1533 filename->encrypted_filename_size);
1534 rc = -ENOMEM; 1534 rc = -ENOMEM;
1535 goto out; 1535 goto out;
1536 } 1536 }
1537 remaining_bytes = filename->encrypted_filename_size; 1537 remaining_bytes = filename->encrypted_filename_size;
1538 rc = ecryptfs_write_tag_70_packet(filename->encrypted_filename, 1538 rc = ecryptfs_write_tag_70_packet(filename->encrypted_filename,
1539 &remaining_bytes, 1539 &remaining_bytes,
1540 &packet_size, 1540 &packet_size,
1541 mount_crypt_stat, 1541 mount_crypt_stat,
1542 filename->filename, 1542 filename->filename,
1543 filename->filename_size); 1543 filename->filename_size);
1544 if (rc) { 1544 if (rc) {
1545 printk(KERN_ERR "%s: Error attempting to generate " 1545 printk(KERN_ERR "%s: Error attempting to generate "
1546 "tag 70 packet; rc = [%d]\n", __func__, 1546 "tag 70 packet; rc = [%d]\n", __func__,
1547 rc); 1547 rc);
1548 kfree(filename->encrypted_filename); 1548 kfree(filename->encrypted_filename);
1549 filename->encrypted_filename = NULL; 1549 filename->encrypted_filename = NULL;
1550 filename->encrypted_filename_size = 0; 1550 filename->encrypted_filename_size = 0;
1551 goto out; 1551 goto out;
1552 } 1552 }
1553 filename->encrypted_filename_size = packet_size; 1553 filename->encrypted_filename_size = packet_size;
1554 } else { 1554 } else {
1555 printk(KERN_ERR "%s: No support for requested filename " 1555 printk(KERN_ERR "%s: No support for requested filename "
1556 "encryption method in this release\n", __func__); 1556 "encryption method in this release\n", __func__);
1557 rc = -EOPNOTSUPP; 1557 rc = -EOPNOTSUPP;
1558 goto out; 1558 goto out;
1559 } 1559 }
1560 out: 1560 out:
1561 return rc; 1561 return rc;
1562 } 1562 }
1563 1563
1564 static int ecryptfs_copy_filename(char **copied_name, size_t *copied_name_size, 1564 static int ecryptfs_copy_filename(char **copied_name, size_t *copied_name_size,
1565 const char *name, size_t name_size) 1565 const char *name, size_t name_size)
1566 { 1566 {
1567 int rc = 0; 1567 int rc = 0;
1568 1568
1569 (*copied_name) = kmalloc((name_size + 1), GFP_KERNEL); 1569 (*copied_name) = kmalloc((name_size + 1), GFP_KERNEL);
1570 if (!(*copied_name)) { 1570 if (!(*copied_name)) {
1571 rc = -ENOMEM; 1571 rc = -ENOMEM;
1572 goto out; 1572 goto out;
1573 } 1573 }
1574 memcpy((void *)(*copied_name), (void *)name, name_size); 1574 memcpy((void *)(*copied_name), (void *)name, name_size);
1575 (*copied_name)[(name_size)] = '\0'; /* Only for convenience 1575 (*copied_name)[(name_size)] = '\0'; /* Only for convenience
1576 * in printing out the 1576 * in printing out the
1577 * string in debug 1577 * string in debug
1578 * messages */ 1578 * messages */
1579 (*copied_name_size) = name_size; 1579 (*copied_name_size) = name_size;
1580 out: 1580 out:
1581 return rc; 1581 return rc;
1582 } 1582 }
1583 1583
1584 /** 1584 /**
1585 * ecryptfs_process_key_cipher - Perform key cipher initialization. 1585 * ecryptfs_process_key_cipher - Perform key cipher initialization.
1586 * @key_tfm: Crypto context for key material, set by this function 1586 * @key_tfm: Crypto context for key material, set by this function
1587 * @cipher_name: Name of the cipher 1587 * @cipher_name: Name of the cipher
1588 * @key_size: Size of the key in bytes 1588 * @key_size: Size of the key in bytes
1589 * 1589 *
1590 * Returns zero on success. Any crypto_tfm structs allocated here 1590 * Returns zero on success. Any crypto_tfm structs allocated here
1591 * should be released by other functions, such as on a superblock put 1591 * should be released by other functions, such as on a superblock put
1592 * event, regardless of whether this function succeeds for fails. 1592 * event, regardless of whether this function succeeds for fails.
1593 */ 1593 */
1594 static int 1594 static int
1595 ecryptfs_process_key_cipher(struct crypto_blkcipher **key_tfm, 1595 ecryptfs_process_key_cipher(struct crypto_blkcipher **key_tfm,
1596 char *cipher_name, size_t *key_size) 1596 char *cipher_name, size_t *key_size)
1597 { 1597 {
1598 char dummy_key[ECRYPTFS_MAX_KEY_BYTES]; 1598 char dummy_key[ECRYPTFS_MAX_KEY_BYTES];
1599 char *full_alg_name = NULL; 1599 char *full_alg_name = NULL;
1600 int rc; 1600 int rc;
1601 1601
1602 *key_tfm = NULL; 1602 *key_tfm = NULL;
1603 if (*key_size > ECRYPTFS_MAX_KEY_BYTES) { 1603 if (*key_size > ECRYPTFS_MAX_KEY_BYTES) {
1604 rc = -EINVAL; 1604 rc = -EINVAL;
1605 printk(KERN_ERR "Requested key size is [%zd] bytes; maximum " 1605 printk(KERN_ERR "Requested key size is [%zd] bytes; maximum "
1606 "allowable is [%d]\n", *key_size, ECRYPTFS_MAX_KEY_BYTES); 1606 "allowable is [%d]\n", *key_size, ECRYPTFS_MAX_KEY_BYTES);
1607 goto out; 1607 goto out;
1608 } 1608 }
1609 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, cipher_name, 1609 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, cipher_name,
1610 "ecb"); 1610 "ecb");
1611 if (rc) 1611 if (rc)
1612 goto out; 1612 goto out;
1613 *key_tfm = crypto_alloc_blkcipher(full_alg_name, 0, CRYPTO_ALG_ASYNC); 1613 *key_tfm = crypto_alloc_blkcipher(full_alg_name, 0, CRYPTO_ALG_ASYNC);
1614 if (IS_ERR(*key_tfm)) { 1614 if (IS_ERR(*key_tfm)) {
1615 rc = PTR_ERR(*key_tfm); 1615 rc = PTR_ERR(*key_tfm);
1616 printk(KERN_ERR "Unable to allocate crypto cipher with name " 1616 printk(KERN_ERR "Unable to allocate crypto cipher with name "
1617 "[%s]; rc = [%d]\n", full_alg_name, rc); 1617 "[%s]; rc = [%d]\n", full_alg_name, rc);
1618 goto out; 1618 goto out;
1619 } 1619 }
1620 crypto_blkcipher_set_flags(*key_tfm, CRYPTO_TFM_REQ_WEAK_KEY); 1620 crypto_blkcipher_set_flags(*key_tfm, CRYPTO_TFM_REQ_WEAK_KEY);
1621 if (*key_size == 0) { 1621 if (*key_size == 0) {
1622 struct blkcipher_alg *alg = crypto_blkcipher_alg(*key_tfm); 1622 struct blkcipher_alg *alg = crypto_blkcipher_alg(*key_tfm);
1623 1623
1624 *key_size = alg->max_keysize; 1624 *key_size = alg->max_keysize;
1625 } 1625 }
1626 get_random_bytes(dummy_key, *key_size); 1626 get_random_bytes(dummy_key, *key_size);
1627 rc = crypto_blkcipher_setkey(*key_tfm, dummy_key, *key_size); 1627 rc = crypto_blkcipher_setkey(*key_tfm, dummy_key, *key_size);
1628 if (rc) { 1628 if (rc) {
1629 printk(KERN_ERR "Error attempting to set key of size [%zd] for " 1629 printk(KERN_ERR "Error attempting to set key of size [%zd] for "
1630 "cipher [%s]; rc = [%d]\n", *key_size, full_alg_name, 1630 "cipher [%s]; rc = [%d]\n", *key_size, full_alg_name,
1631 rc); 1631 rc);
1632 rc = -EINVAL; 1632 rc = -EINVAL;
1633 goto out; 1633 goto out;
1634 } 1634 }
1635 out: 1635 out:
1636 kfree(full_alg_name); 1636 kfree(full_alg_name);
1637 return rc; 1637 return rc;
1638 } 1638 }
1639 1639
1640 struct kmem_cache *ecryptfs_key_tfm_cache; 1640 struct kmem_cache *ecryptfs_key_tfm_cache;
1641 static struct list_head key_tfm_list; 1641 static struct list_head key_tfm_list;
1642 struct mutex key_tfm_list_mutex; 1642 struct mutex key_tfm_list_mutex;
1643 1643
1644 int __init ecryptfs_init_crypto(void) 1644 int __init ecryptfs_init_crypto(void)
1645 { 1645 {
1646 mutex_init(&key_tfm_list_mutex); 1646 mutex_init(&key_tfm_list_mutex);
1647 INIT_LIST_HEAD(&key_tfm_list); 1647 INIT_LIST_HEAD(&key_tfm_list);
1648 return 0; 1648 return 0;
1649 } 1649 }
1650 1650
1651 /** 1651 /**
1652 * ecryptfs_destroy_crypto - free all cached key_tfms on key_tfm_list 1652 * ecryptfs_destroy_crypto - free all cached key_tfms on key_tfm_list
1653 * 1653 *
1654 * Called only at module unload time 1654 * Called only at module unload time
1655 */ 1655 */
1656 int ecryptfs_destroy_crypto(void) 1656 int ecryptfs_destroy_crypto(void)
1657 { 1657 {
1658 struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp; 1658 struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp;
1659 1659
1660 mutex_lock(&key_tfm_list_mutex); 1660 mutex_lock(&key_tfm_list_mutex);
1661 list_for_each_entry_safe(key_tfm, key_tfm_tmp, &key_tfm_list, 1661 list_for_each_entry_safe(key_tfm, key_tfm_tmp, &key_tfm_list,
1662 key_tfm_list) { 1662 key_tfm_list) {
1663 list_del(&key_tfm->key_tfm_list); 1663 list_del(&key_tfm->key_tfm_list);
1664 if (key_tfm->key_tfm) 1664 if (key_tfm->key_tfm)
1665 crypto_free_blkcipher(key_tfm->key_tfm); 1665 crypto_free_blkcipher(key_tfm->key_tfm);
1666 kmem_cache_free(ecryptfs_key_tfm_cache, key_tfm); 1666 kmem_cache_free(ecryptfs_key_tfm_cache, key_tfm);
1667 } 1667 }
1668 mutex_unlock(&key_tfm_list_mutex); 1668 mutex_unlock(&key_tfm_list_mutex);
1669 return 0; 1669 return 0;
1670 } 1670 }
1671 1671
1672 int 1672 int
1673 ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name, 1673 ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name,
1674 size_t key_size) 1674 size_t key_size)
1675 { 1675 {
1676 struct ecryptfs_key_tfm *tmp_tfm; 1676 struct ecryptfs_key_tfm *tmp_tfm;
1677 int rc = 0; 1677 int rc = 0;
1678 1678
1679 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex)); 1679 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1680 1680
1681 tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL); 1681 tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL);
1682 if (key_tfm != NULL) 1682 if (key_tfm != NULL)
1683 (*key_tfm) = tmp_tfm; 1683 (*key_tfm) = tmp_tfm;
1684 if (!tmp_tfm) { 1684 if (!tmp_tfm) {
1685 rc = -ENOMEM; 1685 rc = -ENOMEM;
1686 printk(KERN_ERR "Error attempting to allocate from " 1686 printk(KERN_ERR "Error attempting to allocate from "
1687 "ecryptfs_key_tfm_cache\n"); 1687 "ecryptfs_key_tfm_cache\n");
1688 goto out; 1688 goto out;
1689 } 1689 }
1690 mutex_init(&tmp_tfm->key_tfm_mutex); 1690 mutex_init(&tmp_tfm->key_tfm_mutex);
1691 strncpy(tmp_tfm->cipher_name, cipher_name, 1691 strncpy(tmp_tfm->cipher_name, cipher_name,
1692 ECRYPTFS_MAX_CIPHER_NAME_SIZE); 1692 ECRYPTFS_MAX_CIPHER_NAME_SIZE);
1693 tmp_tfm->cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0'; 1693 tmp_tfm->cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0';
1694 tmp_tfm->key_size = key_size; 1694 tmp_tfm->key_size = key_size;
1695 rc = ecryptfs_process_key_cipher(&tmp_tfm->key_tfm, 1695 rc = ecryptfs_process_key_cipher(&tmp_tfm->key_tfm,
1696 tmp_tfm->cipher_name, 1696 tmp_tfm->cipher_name,
1697 &tmp_tfm->key_size); 1697 &tmp_tfm->key_size);
1698 if (rc) { 1698 if (rc) {
1699 printk(KERN_ERR "Error attempting to initialize key TFM " 1699 printk(KERN_ERR "Error attempting to initialize key TFM "
1700 "cipher with name = [%s]; rc = [%d]\n", 1700 "cipher with name = [%s]; rc = [%d]\n",
1701 tmp_tfm->cipher_name, rc); 1701 tmp_tfm->cipher_name, rc);
1702 kmem_cache_free(ecryptfs_key_tfm_cache, tmp_tfm); 1702 kmem_cache_free(ecryptfs_key_tfm_cache, tmp_tfm);
1703 if (key_tfm != NULL) 1703 if (key_tfm != NULL)
1704 (*key_tfm) = NULL; 1704 (*key_tfm) = NULL;
1705 goto out; 1705 goto out;
1706 } 1706 }
1707 list_add(&tmp_tfm->key_tfm_list, &key_tfm_list); 1707 list_add(&tmp_tfm->key_tfm_list, &key_tfm_list);
1708 out: 1708 out:
1709 return rc; 1709 return rc;
1710 } 1710 }
1711 1711
1712 /** 1712 /**
1713 * ecryptfs_tfm_exists - Search for existing tfm for cipher_name. 1713 * ecryptfs_tfm_exists - Search for existing tfm for cipher_name.
1714 * @cipher_name: the name of the cipher to search for 1714 * @cipher_name: the name of the cipher to search for
1715 * @key_tfm: set to corresponding tfm if found 1715 * @key_tfm: set to corresponding tfm if found
1716 * 1716 *
1717 * Searches for cached key_tfm matching @cipher_name 1717 * Searches for cached key_tfm matching @cipher_name
1718 * Must be called with &key_tfm_list_mutex held 1718 * Must be called with &key_tfm_list_mutex held
1719 * Returns 1 if found, with @key_tfm set 1719 * Returns 1 if found, with @key_tfm set
1720 * Returns 0 if not found, with @key_tfm set to NULL 1720 * Returns 0 if not found, with @key_tfm set to NULL
1721 */ 1721 */
1722 int ecryptfs_tfm_exists(char *cipher_name, struct ecryptfs_key_tfm **key_tfm) 1722 int ecryptfs_tfm_exists(char *cipher_name, struct ecryptfs_key_tfm **key_tfm)
1723 { 1723 {
1724 struct ecryptfs_key_tfm *tmp_key_tfm; 1724 struct ecryptfs_key_tfm *tmp_key_tfm;
1725 1725
1726 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex)); 1726 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1727 1727
1728 list_for_each_entry(tmp_key_tfm, &key_tfm_list, key_tfm_list) { 1728 list_for_each_entry(tmp_key_tfm, &key_tfm_list, key_tfm_list) {
1729 if (strcmp(tmp_key_tfm->cipher_name, cipher_name) == 0) { 1729 if (strcmp(tmp_key_tfm->cipher_name, cipher_name) == 0) {
1730 if (key_tfm) 1730 if (key_tfm)
1731 (*key_tfm) = tmp_key_tfm; 1731 (*key_tfm) = tmp_key_tfm;
1732 return 1; 1732 return 1;
1733 } 1733 }
1734 } 1734 }
1735 if (key_tfm) 1735 if (key_tfm)
1736 (*key_tfm) = NULL; 1736 (*key_tfm) = NULL;
1737 return 0; 1737 return 0;
1738 } 1738 }
1739 1739
1740 /** 1740 /**
1741 * ecryptfs_get_tfm_and_mutex_for_cipher_name 1741 * ecryptfs_get_tfm_and_mutex_for_cipher_name
1742 * 1742 *
1743 * @tfm: set to cached tfm found, or new tfm created 1743 * @tfm: set to cached tfm found, or new tfm created
1744 * @tfm_mutex: set to mutex for cached tfm found, or new tfm created 1744 * @tfm_mutex: set to mutex for cached tfm found, or new tfm created
1745 * @cipher_name: the name of the cipher to search for and/or add 1745 * @cipher_name: the name of the cipher to search for and/or add
1746 * 1746 *
1747 * Sets pointers to @tfm & @tfm_mutex matching @cipher_name. 1747 * Sets pointers to @tfm & @tfm_mutex matching @cipher_name.
1748 * Searches for cached item first, and creates new if not found. 1748 * Searches for cached item first, and creates new if not found.
1749 * Returns 0 on success, non-zero if adding new cipher failed 1749 * Returns 0 on success, non-zero if adding new cipher failed
1750 */ 1750 */
1751 int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm, 1751 int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm,
1752 struct mutex **tfm_mutex, 1752 struct mutex **tfm_mutex,
1753 char *cipher_name) 1753 char *cipher_name)
1754 { 1754 {
1755 struct ecryptfs_key_tfm *key_tfm; 1755 struct ecryptfs_key_tfm *key_tfm;
1756 int rc = 0; 1756 int rc = 0;
1757 1757
1758 (*tfm) = NULL; 1758 (*tfm) = NULL;
1759 (*tfm_mutex) = NULL; 1759 (*tfm_mutex) = NULL;
1760 1760
1761 mutex_lock(&key_tfm_list_mutex); 1761 mutex_lock(&key_tfm_list_mutex);
1762 if (!ecryptfs_tfm_exists(cipher_name, &key_tfm)) { 1762 if (!ecryptfs_tfm_exists(cipher_name, &key_tfm)) {
1763 rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0); 1763 rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0);
1764 if (rc) { 1764 if (rc) {
1765 printk(KERN_ERR "Error adding new key_tfm to list; " 1765 printk(KERN_ERR "Error adding new key_tfm to list; "
1766 "rc = [%d]\n", rc); 1766 "rc = [%d]\n", rc);
1767 goto out; 1767 goto out;
1768 } 1768 }
1769 } 1769 }
1770 (*tfm) = key_tfm->key_tfm; 1770 (*tfm) = key_tfm->key_tfm;
1771 (*tfm_mutex) = &key_tfm->key_tfm_mutex; 1771 (*tfm_mutex) = &key_tfm->key_tfm_mutex;
1772 out: 1772 out:
1773 mutex_unlock(&key_tfm_list_mutex); 1773 mutex_unlock(&key_tfm_list_mutex);
1774 return rc; 1774 return rc;
1775 } 1775 }
1776 1776
1777 /* 64 characters forming a 6-bit target field */ 1777 /* 64 characters forming a 6-bit target field */
1778 static unsigned char *portable_filename_chars = ("-.0123456789ABCD" 1778 static unsigned char *portable_filename_chars = ("-.0123456789ABCD"
1779 "EFGHIJKLMNOPQRST" 1779 "EFGHIJKLMNOPQRST"
1780 "UVWXYZabcdefghij" 1780 "UVWXYZabcdefghij"
1781 "klmnopqrstuvwxyz"); 1781 "klmnopqrstuvwxyz");
1782 1782
1783 /* We could either offset on every reverse map or just pad some 0x00's 1783 /* We could either offset on every reverse map or just pad some 0x00's
1784 * at the front here */ 1784 * at the front here */
1785 static const unsigned char filename_rev_map[256] = { 1785 static const unsigned char filename_rev_map[256] = {
1786 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 7 */ 1786 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 7 */
1787 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 15 */ 1787 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 15 */
1788 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 23 */ 1788 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 23 */
1789 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 31 */ 1789 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 31 */
1790 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 39 */ 1790 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 39 */
1791 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, /* 47 */ 1791 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, /* 47 */
1792 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, /* 55 */ 1792 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, /* 55 */
1793 0x0A, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 63 */ 1793 0x0A, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 63 */
1794 0x00, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, /* 71 */ 1794 0x00, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, /* 71 */
1795 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, /* 79 */ 1795 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, /* 79 */
1796 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, /* 87 */ 1796 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, /* 87 */
1797 0x23, 0x24, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, /* 95 */ 1797 0x23, 0x24, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, /* 95 */
1798 0x00, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, /* 103 */ 1798 0x00, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, /* 103 */
1799 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, /* 111 */ 1799 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, /* 111 */
1800 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, /* 119 */ 1800 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, /* 119 */
1801 0x3D, 0x3E, 0x3F /* 123 - 255 initialized to 0x00 */ 1801 0x3D, 0x3E, 0x3F /* 123 - 255 initialized to 0x00 */
1802 }; 1802 };
1803 1803
1804 /** 1804 /**
1805 * ecryptfs_encode_for_filename 1805 * ecryptfs_encode_for_filename
1806 * @dst: Destination location for encoded filename 1806 * @dst: Destination location for encoded filename
1807 * @dst_size: Size of the encoded filename in bytes 1807 * @dst_size: Size of the encoded filename in bytes
1808 * @src: Source location for the filename to encode 1808 * @src: Source location for the filename to encode
1809 * @src_size: Size of the source in bytes 1809 * @src_size: Size of the source in bytes
1810 */ 1810 */
1811 static void ecryptfs_encode_for_filename(unsigned char *dst, size_t *dst_size, 1811 static void ecryptfs_encode_for_filename(unsigned char *dst, size_t *dst_size,
1812 unsigned char *src, size_t src_size) 1812 unsigned char *src, size_t src_size)
1813 { 1813 {
1814 size_t num_blocks; 1814 size_t num_blocks;
1815 size_t block_num = 0; 1815 size_t block_num = 0;
1816 size_t dst_offset = 0; 1816 size_t dst_offset = 0;
1817 unsigned char last_block[3]; 1817 unsigned char last_block[3];
1818 1818
1819 if (src_size == 0) { 1819 if (src_size == 0) {
1820 (*dst_size) = 0; 1820 (*dst_size) = 0;
1821 goto out; 1821 goto out;
1822 } 1822 }
1823 num_blocks = (src_size / 3); 1823 num_blocks = (src_size / 3);
1824 if ((src_size % 3) == 0) { 1824 if ((src_size % 3) == 0) {
1825 memcpy(last_block, (&src[src_size - 3]), 3); 1825 memcpy(last_block, (&src[src_size - 3]), 3);
1826 } else { 1826 } else {
1827 num_blocks++; 1827 num_blocks++;
1828 last_block[2] = 0x00; 1828 last_block[2] = 0x00;
1829 switch (src_size % 3) { 1829 switch (src_size % 3) {
1830 case 1: 1830 case 1:
1831 last_block[0] = src[src_size - 1]; 1831 last_block[0] = src[src_size - 1];
1832 last_block[1] = 0x00; 1832 last_block[1] = 0x00;
1833 break; 1833 break;
1834 case 2: 1834 case 2:
1835 last_block[0] = src[src_size - 2]; 1835 last_block[0] = src[src_size - 2];
1836 last_block[1] = src[src_size - 1]; 1836 last_block[1] = src[src_size - 1];
1837 } 1837 }
1838 } 1838 }
1839 (*dst_size) = (num_blocks * 4); 1839 (*dst_size) = (num_blocks * 4);
1840 if (!dst) 1840 if (!dst)
1841 goto out; 1841 goto out;
1842 while (block_num < num_blocks) { 1842 while (block_num < num_blocks) {
1843 unsigned char *src_block; 1843 unsigned char *src_block;
1844 unsigned char dst_block[4]; 1844 unsigned char dst_block[4];
1845 1845
1846 if (block_num == (num_blocks - 1)) 1846 if (block_num == (num_blocks - 1))
1847 src_block = last_block; 1847 src_block = last_block;
1848 else 1848 else
1849 src_block = &src[block_num * 3]; 1849 src_block = &src[block_num * 3];
1850 dst_block[0] = ((src_block[0] >> 2) & 0x3F); 1850 dst_block[0] = ((src_block[0] >> 2) & 0x3F);
1851 dst_block[1] = (((src_block[0] << 4) & 0x30) 1851 dst_block[1] = (((src_block[0] << 4) & 0x30)
1852 | ((src_block[1] >> 4) & 0x0F)); 1852 | ((src_block[1] >> 4) & 0x0F));
1853 dst_block[2] = (((src_block[1] << 2) & 0x3C) 1853 dst_block[2] = (((src_block[1] << 2) & 0x3C)
1854 | ((src_block[2] >> 6) & 0x03)); 1854 | ((src_block[2] >> 6) & 0x03));
1855 dst_block[3] = (src_block[2] & 0x3F); 1855 dst_block[3] = (src_block[2] & 0x3F);
1856 dst[dst_offset++] = portable_filename_chars[dst_block[0]]; 1856 dst[dst_offset++] = portable_filename_chars[dst_block[0]];
1857 dst[dst_offset++] = portable_filename_chars[dst_block[1]]; 1857 dst[dst_offset++] = portable_filename_chars[dst_block[1]];
1858 dst[dst_offset++] = portable_filename_chars[dst_block[2]]; 1858 dst[dst_offset++] = portable_filename_chars[dst_block[2]];
1859 dst[dst_offset++] = portable_filename_chars[dst_block[3]]; 1859 dst[dst_offset++] = portable_filename_chars[dst_block[3]];
1860 block_num++; 1860 block_num++;
1861 } 1861 }
1862 out: 1862 out:
1863 return; 1863 return;
1864 } 1864 }
1865 1865
1866 static size_t ecryptfs_max_decoded_size(size_t encoded_size) 1866 static size_t ecryptfs_max_decoded_size(size_t encoded_size)
1867 { 1867 {
1868 /* Not exact; conservatively long. Every block of 4 1868 /* Not exact; conservatively long. Every block of 4
1869 * encoded characters decodes into a block of 3 1869 * encoded characters decodes into a block of 3
1870 * decoded characters. This segment of code provides 1870 * decoded characters. This segment of code provides
1871 * the caller with the maximum amount of allocated 1871 * the caller with the maximum amount of allocated
1872 * space that @dst will need to point to in a 1872 * space that @dst will need to point to in a
1873 * subsequent call. */ 1873 * subsequent call. */
1874 return ((encoded_size + 1) * 3) / 4; 1874 return ((encoded_size + 1) * 3) / 4;
1875 } 1875 }
1876 1876
1877 /** 1877 /**
1878 * ecryptfs_decode_from_filename 1878 * ecryptfs_decode_from_filename
1879 * @dst: If NULL, this function only sets @dst_size and returns. If 1879 * @dst: If NULL, this function only sets @dst_size and returns. If
1880 * non-NULL, this function decodes the encoded octets in @src 1880 * non-NULL, this function decodes the encoded octets in @src
1881 * into the memory that @dst points to. 1881 * into the memory that @dst points to.
1882 * @dst_size: Set to the size of the decoded string. 1882 * @dst_size: Set to the size of the decoded string.
1883 * @src: The encoded set of octets to decode. 1883 * @src: The encoded set of octets to decode.
1884 * @src_size: The size of the encoded set of octets to decode. 1884 * @src_size: The size of the encoded set of octets to decode.
1885 */ 1885 */
1886 static void 1886 static void
1887 ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size, 1887 ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
1888 const unsigned char *src, size_t src_size) 1888 const unsigned char *src, size_t src_size)
1889 { 1889 {
1890 u8 current_bit_offset = 0; 1890 u8 current_bit_offset = 0;
1891 size_t src_byte_offset = 0; 1891 size_t src_byte_offset = 0;
1892 size_t dst_byte_offset = 0; 1892 size_t dst_byte_offset = 0;
1893 1893
1894 if (dst == NULL) { 1894 if (dst == NULL) {
1895 (*dst_size) = ecryptfs_max_decoded_size(src_size); 1895 (*dst_size) = ecryptfs_max_decoded_size(src_size);
1896 goto out; 1896 goto out;
1897 } 1897 }
1898 while (src_byte_offset < src_size) { 1898 while (src_byte_offset < src_size) {
1899 unsigned char src_byte = 1899 unsigned char src_byte =
1900 filename_rev_map[(int)src[src_byte_offset]]; 1900 filename_rev_map[(int)src[src_byte_offset]];
1901 1901
1902 switch (current_bit_offset) { 1902 switch (current_bit_offset) {
1903 case 0: 1903 case 0:
1904 dst[dst_byte_offset] = (src_byte << 2); 1904 dst[dst_byte_offset] = (src_byte << 2);
1905 current_bit_offset = 6; 1905 current_bit_offset = 6;
1906 break; 1906 break;
1907 case 6: 1907 case 6:
1908 dst[dst_byte_offset++] |= (src_byte >> 4); 1908 dst[dst_byte_offset++] |= (src_byte >> 4);
1909 dst[dst_byte_offset] = ((src_byte & 0xF) 1909 dst[dst_byte_offset] = ((src_byte & 0xF)
1910 << 4); 1910 << 4);
1911 current_bit_offset = 4; 1911 current_bit_offset = 4;
1912 break; 1912 break;
1913 case 4: 1913 case 4:
1914 dst[dst_byte_offset++] |= (src_byte >> 2); 1914 dst[dst_byte_offset++] |= (src_byte >> 2);
1915 dst[dst_byte_offset] = (src_byte << 6); 1915 dst[dst_byte_offset] = (src_byte << 6);
1916 current_bit_offset = 2; 1916 current_bit_offset = 2;
1917 break; 1917 break;
1918 case 2: 1918 case 2:
1919 dst[dst_byte_offset++] |= (src_byte); 1919 dst[dst_byte_offset++] |= (src_byte);
1920 dst[dst_byte_offset] = 0;
1921 current_bit_offset = 0; 1920 current_bit_offset = 0;
1922 break; 1921 break;
1923 } 1922 }
1924 src_byte_offset++; 1923 src_byte_offset++;
1925 } 1924 }
1926 (*dst_size) = dst_byte_offset; 1925 (*dst_size) = dst_byte_offset;
1927 out: 1926 out:
1928 return; 1927 return;
1929 } 1928 }
1930 1929
1931 /** 1930 /**
1932 * ecryptfs_encrypt_and_encode_filename - converts a plaintext file name to cipher text 1931 * ecryptfs_encrypt_and_encode_filename - converts a plaintext file name to cipher text
1933 * @crypt_stat: The crypt_stat struct associated with the file anem to encode 1932 * @crypt_stat: The crypt_stat struct associated with the file anem to encode
1934 * @name: The plaintext name 1933 * @name: The plaintext name
1935 * @length: The length of the plaintext 1934 * @length: The length of the plaintext
1936 * @encoded_name: The encypted name 1935 * @encoded_name: The encypted name
1937 * 1936 *
1938 * Encrypts and encodes a filename into something that constitutes a 1937 * Encrypts and encodes a filename into something that constitutes a
1939 * valid filename for a filesystem, with printable characters. 1938 * valid filename for a filesystem, with printable characters.
1940 * 1939 *
1941 * We assume that we have a properly initialized crypto context, 1940 * We assume that we have a properly initialized crypto context,
1942 * pointed to by crypt_stat->tfm. 1941 * pointed to by crypt_stat->tfm.
1943 * 1942 *
1944 * Returns zero on success; non-zero on otherwise 1943 * Returns zero on success; non-zero on otherwise
1945 */ 1944 */
1946 int ecryptfs_encrypt_and_encode_filename( 1945 int ecryptfs_encrypt_and_encode_filename(
1947 char **encoded_name, 1946 char **encoded_name,
1948 size_t *encoded_name_size, 1947 size_t *encoded_name_size,
1949 struct ecryptfs_crypt_stat *crypt_stat, 1948 struct ecryptfs_crypt_stat *crypt_stat,
1950 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, 1949 struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
1951 const char *name, size_t name_size) 1950 const char *name, size_t name_size)
1952 { 1951 {
1953 size_t encoded_name_no_prefix_size; 1952 size_t encoded_name_no_prefix_size;
1954 int rc = 0; 1953 int rc = 0;
1955 1954
1956 (*encoded_name) = NULL; 1955 (*encoded_name) = NULL;
1957 (*encoded_name_size) = 0; 1956 (*encoded_name_size) = 0;
1958 if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCRYPT_FILENAMES)) 1957 if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCRYPT_FILENAMES))
1959 || (mount_crypt_stat && (mount_crypt_stat->flags 1958 || (mount_crypt_stat && (mount_crypt_stat->flags
1960 & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES))) { 1959 & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES))) {
1961 struct ecryptfs_filename *filename; 1960 struct ecryptfs_filename *filename;
1962 1961
1963 filename = kzalloc(sizeof(*filename), GFP_KERNEL); 1962 filename = kzalloc(sizeof(*filename), GFP_KERNEL);
1964 if (!filename) { 1963 if (!filename) {
1965 printk(KERN_ERR "%s: Out of memory whilst attempting " 1964 printk(KERN_ERR "%s: Out of memory whilst attempting "
1966 "to kzalloc [%zd] bytes\n", __func__, 1965 "to kzalloc [%zd] bytes\n", __func__,
1967 sizeof(*filename)); 1966 sizeof(*filename));
1968 rc = -ENOMEM; 1967 rc = -ENOMEM;
1969 goto out; 1968 goto out;
1970 } 1969 }
1971 filename->filename = (char *)name; 1970 filename->filename = (char *)name;
1972 filename->filename_size = name_size; 1971 filename->filename_size = name_size;
1973 rc = ecryptfs_encrypt_filename(filename, crypt_stat, 1972 rc = ecryptfs_encrypt_filename(filename, crypt_stat,
1974 mount_crypt_stat); 1973 mount_crypt_stat);
1975 if (rc) { 1974 if (rc) {
1976 printk(KERN_ERR "%s: Error attempting to encrypt " 1975 printk(KERN_ERR "%s: Error attempting to encrypt "
1977 "filename; rc = [%d]\n", __func__, rc); 1976 "filename; rc = [%d]\n", __func__, rc);
1978 kfree(filename); 1977 kfree(filename);
1979 goto out; 1978 goto out;
1980 } 1979 }
1981 ecryptfs_encode_for_filename( 1980 ecryptfs_encode_for_filename(
1982 NULL, &encoded_name_no_prefix_size, 1981 NULL, &encoded_name_no_prefix_size,
1983 filename->encrypted_filename, 1982 filename->encrypted_filename,
1984 filename->encrypted_filename_size); 1983 filename->encrypted_filename_size);
1985 if ((crypt_stat && (crypt_stat->flags 1984 if ((crypt_stat && (crypt_stat->flags
1986 & ECRYPTFS_ENCFN_USE_MOUNT_FNEK)) 1985 & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
1987 || (mount_crypt_stat 1986 || (mount_crypt_stat
1988 && (mount_crypt_stat->flags 1987 && (mount_crypt_stat->flags
1989 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) 1988 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)))
1990 (*encoded_name_size) = 1989 (*encoded_name_size) =
1991 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE 1990 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
1992 + encoded_name_no_prefix_size); 1991 + encoded_name_no_prefix_size);
1993 else 1992 else
1994 (*encoded_name_size) = 1993 (*encoded_name_size) =
1995 (ECRYPTFS_FEK_ENCRYPTED_FILENAME_PREFIX_SIZE 1994 (ECRYPTFS_FEK_ENCRYPTED_FILENAME_PREFIX_SIZE
1996 + encoded_name_no_prefix_size); 1995 + encoded_name_no_prefix_size);
1997 (*encoded_name) = kmalloc((*encoded_name_size) + 1, GFP_KERNEL); 1996 (*encoded_name) = kmalloc((*encoded_name_size) + 1, GFP_KERNEL);
1998 if (!(*encoded_name)) { 1997 if (!(*encoded_name)) {
1999 printk(KERN_ERR "%s: Out of memory whilst attempting " 1998 printk(KERN_ERR "%s: Out of memory whilst attempting "
2000 "to kzalloc [%zd] bytes\n", __func__, 1999 "to kzalloc [%zd] bytes\n", __func__,
2001 (*encoded_name_size)); 2000 (*encoded_name_size));
2002 rc = -ENOMEM; 2001 rc = -ENOMEM;
2003 kfree(filename->encrypted_filename); 2002 kfree(filename->encrypted_filename);
2004 kfree(filename); 2003 kfree(filename);
2005 goto out; 2004 goto out;
2006 } 2005 }
2007 if ((crypt_stat && (crypt_stat->flags 2006 if ((crypt_stat && (crypt_stat->flags
2008 & ECRYPTFS_ENCFN_USE_MOUNT_FNEK)) 2007 & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
2009 || (mount_crypt_stat 2008 || (mount_crypt_stat
2010 && (mount_crypt_stat->flags 2009 && (mount_crypt_stat->flags
2011 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) { 2010 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) {
2012 memcpy((*encoded_name), 2011 memcpy((*encoded_name),
2013 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX, 2012 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
2014 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE); 2013 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE);
2015 ecryptfs_encode_for_filename( 2014 ecryptfs_encode_for_filename(
2016 ((*encoded_name) 2015 ((*encoded_name)
2017 + ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE), 2016 + ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE),
2018 &encoded_name_no_prefix_size, 2017 &encoded_name_no_prefix_size,
2019 filename->encrypted_filename, 2018 filename->encrypted_filename,
2020 filename->encrypted_filename_size); 2019 filename->encrypted_filename_size);
2021 (*encoded_name_size) = 2020 (*encoded_name_size) =
2022 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE 2021 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
2023 + encoded_name_no_prefix_size); 2022 + encoded_name_no_prefix_size);
2024 (*encoded_name)[(*encoded_name_size)] = '\0'; 2023 (*encoded_name)[(*encoded_name_size)] = '\0';
2025 } else { 2024 } else {
2026 rc = -EOPNOTSUPP; 2025 rc = -EOPNOTSUPP;
2027 } 2026 }
2028 if (rc) { 2027 if (rc) {
2029 printk(KERN_ERR "%s: Error attempting to encode " 2028 printk(KERN_ERR "%s: Error attempting to encode "
2030 "encrypted filename; rc = [%d]\n", __func__, 2029 "encrypted filename; rc = [%d]\n", __func__,
2031 rc); 2030 rc);
2032 kfree((*encoded_name)); 2031 kfree((*encoded_name));
2033 (*encoded_name) = NULL; 2032 (*encoded_name) = NULL;
2034 (*encoded_name_size) = 0; 2033 (*encoded_name_size) = 0;
2035 } 2034 }
2036 kfree(filename->encrypted_filename); 2035 kfree(filename->encrypted_filename);
2037 kfree(filename); 2036 kfree(filename);
2038 } else { 2037 } else {
2039 rc = ecryptfs_copy_filename(encoded_name, 2038 rc = ecryptfs_copy_filename(encoded_name,
2040 encoded_name_size, 2039 encoded_name_size,
2041 name, name_size); 2040 name, name_size);
2042 } 2041 }
2043 out: 2042 out:
2044 return rc; 2043 return rc;
2045 } 2044 }
2046 2045
2047 /** 2046 /**
2048 * ecryptfs_decode_and_decrypt_filename - converts the encoded cipher text name to decoded plaintext 2047 * ecryptfs_decode_and_decrypt_filename - converts the encoded cipher text name to decoded plaintext
2049 * @plaintext_name: The plaintext name 2048 * @plaintext_name: The plaintext name
2050 * @plaintext_name_size: The plaintext name size 2049 * @plaintext_name_size: The plaintext name size
2051 * @ecryptfs_dir_dentry: eCryptfs directory dentry 2050 * @ecryptfs_dir_dentry: eCryptfs directory dentry
2052 * @name: The filename in cipher text 2051 * @name: The filename in cipher text
2053 * @name_size: The cipher text name size 2052 * @name_size: The cipher text name size
2054 * 2053 *
2055 * Decrypts and decodes the filename. 2054 * Decrypts and decodes the filename.
2056 * 2055 *
2057 * Returns zero on error; non-zero otherwise 2056 * Returns zero on error; non-zero otherwise
2058 */ 2057 */
2059 int ecryptfs_decode_and_decrypt_filename(char **plaintext_name, 2058 int ecryptfs_decode_and_decrypt_filename(char **plaintext_name,
2060 size_t *plaintext_name_size, 2059 size_t *plaintext_name_size,
2061 struct super_block *sb, 2060 struct super_block *sb,
2062 const char *name, size_t name_size) 2061 const char *name, size_t name_size)
2063 { 2062 {
2064 struct ecryptfs_mount_crypt_stat *mount_crypt_stat = 2063 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
2065 &ecryptfs_superblock_to_private(sb)->mount_crypt_stat; 2064 &ecryptfs_superblock_to_private(sb)->mount_crypt_stat;
2066 char *decoded_name; 2065 char *decoded_name;
2067 size_t decoded_name_size; 2066 size_t decoded_name_size;
2068 size_t packet_size; 2067 size_t packet_size;
2069 int rc = 0; 2068 int rc = 0;
2070 2069
2071 if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) 2070 if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)
2072 && !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) 2071 && !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
2073 && (name_size > ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) 2072 && (name_size > ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE)
2074 && (strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX, 2073 && (strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
2075 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) == 0)) { 2074 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) == 0)) {
2076 const char *orig_name = name; 2075 const char *orig_name = name;
2077 size_t orig_name_size = name_size; 2076 size_t orig_name_size = name_size;
2078 2077
2079 name += ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE; 2078 name += ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2080 name_size -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE; 2079 name_size -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2081 ecryptfs_decode_from_filename(NULL, &decoded_name_size, 2080 ecryptfs_decode_from_filename(NULL, &decoded_name_size,
2082 name, name_size); 2081 name, name_size);
2083 decoded_name = kmalloc(decoded_name_size, GFP_KERNEL); 2082 decoded_name = kmalloc(decoded_name_size, GFP_KERNEL);
2084 if (!decoded_name) { 2083 if (!decoded_name) {
2085 printk(KERN_ERR "%s: Out of memory whilst attempting " 2084 printk(KERN_ERR "%s: Out of memory whilst attempting "
2086 "to kmalloc [%zd] bytes\n", __func__, 2085 "to kmalloc [%zd] bytes\n", __func__,
2087 decoded_name_size); 2086 decoded_name_size);
2088 rc = -ENOMEM; 2087 rc = -ENOMEM;
2089 goto out; 2088 goto out;
2090 } 2089 }
2091 ecryptfs_decode_from_filename(decoded_name, &decoded_name_size, 2090 ecryptfs_decode_from_filename(decoded_name, &decoded_name_size,
2092 name, name_size); 2091 name, name_size);
2093 rc = ecryptfs_parse_tag_70_packet(plaintext_name, 2092 rc = ecryptfs_parse_tag_70_packet(plaintext_name,
2094 plaintext_name_size, 2093 plaintext_name_size,
2095 &packet_size, 2094 &packet_size,
2096 mount_crypt_stat, 2095 mount_crypt_stat,
2097 decoded_name, 2096 decoded_name,
2098 decoded_name_size); 2097 decoded_name_size);
2099 if (rc) { 2098 if (rc) {
2100 printk(KERN_INFO "%s: Could not parse tag 70 packet " 2099 printk(KERN_INFO "%s: Could not parse tag 70 packet "
2101 "from filename; copying through filename " 2100 "from filename; copying through filename "
2102 "as-is\n", __func__); 2101 "as-is\n", __func__);
2103 rc = ecryptfs_copy_filename(plaintext_name, 2102 rc = ecryptfs_copy_filename(plaintext_name,
2104 plaintext_name_size, 2103 plaintext_name_size,
2105 orig_name, orig_name_size); 2104 orig_name, orig_name_size);
2106 goto out_free; 2105 goto out_free;
2107 } 2106 }
2108 } else { 2107 } else {
2109 rc = ecryptfs_copy_filename(plaintext_name, 2108 rc = ecryptfs_copy_filename(plaintext_name,
2110 plaintext_name_size, 2109 plaintext_name_size,
2111 name, name_size); 2110 name, name_size);
2112 goto out; 2111 goto out;
2113 } 2112 }
2114 out_free: 2113 out_free:
2115 kfree(decoded_name); 2114 kfree(decoded_name);
2116 out: 2115 out:
2117 return rc; 2116 return rc;
2118 } 2117 }
2119 2118
2120 #define ENC_NAME_MAX_BLOCKLEN_8_OR_16 143 2119 #define ENC_NAME_MAX_BLOCKLEN_8_OR_16 143
2121 2120
2122 int ecryptfs_set_f_namelen(long *namelen, long lower_namelen, 2121 int ecryptfs_set_f_namelen(long *namelen, long lower_namelen,
2123 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 2122 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
2124 { 2123 {
2125 struct blkcipher_desc desc; 2124 struct blkcipher_desc desc;
2126 struct mutex *tfm_mutex; 2125 struct mutex *tfm_mutex;
2127 size_t cipher_blocksize; 2126 size_t cipher_blocksize;
2128 int rc; 2127 int rc;
2129 2128
2130 if (!(mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)) { 2129 if (!(mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)) {
2131 (*namelen) = lower_namelen; 2130 (*namelen) = lower_namelen;
2132 return 0; 2131 return 0;
2133 } 2132 }
2134 2133
2135 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&desc.tfm, &tfm_mutex, 2134 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&desc.tfm, &tfm_mutex,
2136 mount_crypt_stat->global_default_fn_cipher_name); 2135 mount_crypt_stat->global_default_fn_cipher_name);
2137 if (unlikely(rc)) { 2136 if (unlikely(rc)) {
2138 (*namelen) = 0; 2137 (*namelen) = 0;
2139 return rc; 2138 return rc;
2140 } 2139 }
2141 2140
2142 mutex_lock(tfm_mutex); 2141 mutex_lock(tfm_mutex);
2143 cipher_blocksize = crypto_blkcipher_blocksize(desc.tfm); 2142 cipher_blocksize = crypto_blkcipher_blocksize(desc.tfm);
2144 mutex_unlock(tfm_mutex); 2143 mutex_unlock(tfm_mutex);
2145 2144
2146 /* Return an exact amount for the common cases */ 2145 /* Return an exact amount for the common cases */
2147 if (lower_namelen == NAME_MAX 2146 if (lower_namelen == NAME_MAX
2148 && (cipher_blocksize == 8 || cipher_blocksize == 16)) { 2147 && (cipher_blocksize == 8 || cipher_blocksize == 16)) {
2149 (*namelen) = ENC_NAME_MAX_BLOCKLEN_8_OR_16; 2148 (*namelen) = ENC_NAME_MAX_BLOCKLEN_8_OR_16;
2150 return 0; 2149 return 0;
2151 } 2150 }
2152 2151
2153 /* Return a safe estimate for the uncommon cases */ 2152 /* Return a safe estimate for the uncommon cases */
2154 (*namelen) = lower_namelen; 2153 (*namelen) = lower_namelen;
2155 (*namelen) -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE; 2154 (*namelen) -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2156 /* Since this is the max decoded size, subtract 1 "decoded block" len */ 2155 /* Since this is the max decoded size, subtract 1 "decoded block" len */
2157 (*namelen) = ecryptfs_max_decoded_size(*namelen) - 3; 2156 (*namelen) = ecryptfs_max_decoded_size(*namelen) - 3;
2158 (*namelen) -= ECRYPTFS_TAG_70_MAX_METADATA_SIZE; 2157 (*namelen) -= ECRYPTFS_TAG_70_MAX_METADATA_SIZE;
2159 (*namelen) -= ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES; 2158 (*namelen) -= ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES;
2160 /* Worst case is that the filename is padded nearly a full block size */ 2159 /* Worst case is that the filename is padded nearly a full block size */
2161 (*namelen) -= cipher_blocksize - 1; 2160 (*namelen) -= cipher_blocksize - 1;
2162 2161
2163 if ((*namelen) < 0) 2162 if ((*namelen) < 0)
2164 (*namelen) = 0; 2163 (*namelen) = 0;
2165 2164
2166 return 0; 2165 return 0;
2167 } 2166 }
2168 2167
1 /** 1 /**
2 * eCryptfs: Linux filesystem encryption layer 2 * eCryptfs: Linux filesystem encryption layer
3 * 3 *
4 * Copyright (C) 1997-2004 Erez Zadok 4 * Copyright (C) 1997-2004 Erez Zadok
5 * Copyright (C) 2001-2004 Stony Brook University 5 * Copyright (C) 2001-2004 Stony Brook University
6 * Copyright (C) 2004-2007 International Business Machines Corp. 6 * Copyright (C) 2004-2007 International Business Machines Corp.
7 * Author(s): Michael A. Halcrow <mhalcrow@us.ibm.com> 7 * Author(s): Michael A. Halcrow <mhalcrow@us.ibm.com>
8 * Michael C. Thompson <mcthomps@us.ibm.com> 8 * Michael C. Thompson <mcthomps@us.ibm.com>
9 * 9 *
10 * This program is free software; you can redistribute it and/or 10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License as 11 * modify it under the terms of the GNU General Public License as
12 * published by the Free Software Foundation; either version 2 of the 12 * published by the Free Software Foundation; either version 2 of the
13 * License, or (at your option) any later version. 13 * License, or (at your option) any later version.
14 * 14 *
15 * This program is distributed in the hope that it will be useful, but 15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of 16 * WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 * General Public License for more details. 18 * General Public License for more details.
19 * 19 *
20 * You should have received a copy of the GNU General Public License 20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software 21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
23 * 02111-1307, USA. 23 * 02111-1307, USA.
24 */ 24 */
25 25
26 #include <linux/file.h> 26 #include <linux/file.h>
27 #include <linux/poll.h> 27 #include <linux/poll.h>
28 #include <linux/slab.h> 28 #include <linux/slab.h>
29 #include <linux/mount.h> 29 #include <linux/mount.h>
30 #include <linux/pagemap.h> 30 #include <linux/pagemap.h>
31 #include <linux/security.h> 31 #include <linux/security.h>
32 #include <linux/compat.h> 32 #include <linux/compat.h>
33 #include <linux/fs_stack.h> 33 #include <linux/fs_stack.h>
34 #include <linux/aio.h> 34 #include <linux/aio.h>
35 #include "ecryptfs_kernel.h" 35 #include "ecryptfs_kernel.h"
36 36
37 /** 37 /**
38 * ecryptfs_read_update_atime 38 * ecryptfs_read_update_atime
39 * 39 *
40 * generic_file_read updates the atime of upper layer inode. But, it 40 * generic_file_read updates the atime of upper layer inode. But, it
41 * doesn't give us a chance to update the atime of the lower layer 41 * doesn't give us a chance to update the atime of the lower layer
42 * inode. This function is a wrapper to generic_file_read. It 42 * inode. This function is a wrapper to generic_file_read. It
43 * updates the atime of the lower level inode if generic_file_read 43 * updates the atime of the lower level inode if generic_file_read
44 * returns without any errors. This is to be used only for file reads. 44 * returns without any errors. This is to be used only for file reads.
45 * The function to be used for directory reads is ecryptfs_read. 45 * The function to be used for directory reads is ecryptfs_read.
46 */ 46 */
47 static ssize_t ecryptfs_read_update_atime(struct kiocb *iocb, 47 static ssize_t ecryptfs_read_update_atime(struct kiocb *iocb,
48 struct iov_iter *to) 48 struct iov_iter *to)
49 { 49 {
50 ssize_t rc; 50 ssize_t rc;
51 struct path *path; 51 struct path *path;
52 struct file *file = iocb->ki_filp; 52 struct file *file = iocb->ki_filp;
53 53
54 rc = generic_file_read_iter(iocb, to); 54 rc = generic_file_read_iter(iocb, to);
55 /* 55 /*
56 * Even though this is a async interface, we need to wait 56 * Even though this is a async interface, we need to wait
57 * for IO to finish to update atime 57 * for IO to finish to update atime
58 */ 58 */
59 if (-EIOCBQUEUED == rc) 59 if (-EIOCBQUEUED == rc)
60 rc = wait_on_sync_kiocb(iocb); 60 rc = wait_on_sync_kiocb(iocb);
61 if (rc >= 0) { 61 if (rc >= 0) {
62 path = ecryptfs_dentry_to_lower_path(file->f_path.dentry); 62 path = ecryptfs_dentry_to_lower_path(file->f_path.dentry);
63 touch_atime(path); 63 touch_atime(path);
64 } 64 }
65 return rc; 65 return rc;
66 } 66 }
67 67
68 struct ecryptfs_getdents_callback { 68 struct ecryptfs_getdents_callback {
69 struct dir_context ctx; 69 struct dir_context ctx;
70 struct dir_context *caller; 70 struct dir_context *caller;
71 struct super_block *sb; 71 struct super_block *sb;
72 int filldir_called; 72 int filldir_called;
73 int entries_written; 73 int entries_written;
74 }; 74 };
75 75
76 /* Inspired by generic filldir in fs/readdir.c */ 76 /* Inspired by generic filldir in fs/readdir.c */
77 static int 77 static int
78 ecryptfs_filldir(struct dir_context *ctx, const char *lower_name, 78 ecryptfs_filldir(struct dir_context *ctx, const char *lower_name,
79 int lower_namelen, loff_t offset, u64 ino, unsigned int d_type) 79 int lower_namelen, loff_t offset, u64 ino, unsigned int d_type)
80 { 80 {
81 struct ecryptfs_getdents_callback *buf = 81 struct ecryptfs_getdents_callback *buf =
82 container_of(ctx, struct ecryptfs_getdents_callback, ctx); 82 container_of(ctx, struct ecryptfs_getdents_callback, ctx);
83 size_t name_size; 83 size_t name_size;
84 char *name; 84 char *name;
85 int rc; 85 int rc;
86 86
87 buf->filldir_called++; 87 buf->filldir_called++;
88 rc = ecryptfs_decode_and_decrypt_filename(&name, &name_size, 88 rc = ecryptfs_decode_and_decrypt_filename(&name, &name_size,
89 buf->sb, lower_name, 89 buf->sb, lower_name,
90 lower_namelen); 90 lower_namelen);
91 if (rc) { 91 if (rc) {
92 printk(KERN_ERR "%s: Error attempting to decode and decrypt " 92 printk(KERN_ERR "%s: Error attempting to decode and decrypt "
93 "filename [%s]; rc = [%d]\n", __func__, lower_name, 93 "filename [%s]; rc = [%d]\n", __func__, lower_name,
94 rc); 94 rc);
95 goto out; 95 goto out;
96 } 96 }
97 buf->caller->pos = buf->ctx.pos; 97 buf->caller->pos = buf->ctx.pos;
98 rc = !dir_emit(buf->caller, name, name_size, ino, d_type); 98 rc = !dir_emit(buf->caller, name, name_size, ino, d_type);
99 kfree(name); 99 kfree(name);
100 if (!rc) 100 if (!rc)
101 buf->entries_written++; 101 buf->entries_written++;
102 out: 102 out:
103 return rc; 103 return rc;
104 } 104 }
105 105
106 /** 106 /**
107 * ecryptfs_readdir 107 * ecryptfs_readdir
108 * @file: The eCryptfs directory file 108 * @file: The eCryptfs directory file
109 * @ctx: The actor to feed the entries to 109 * @ctx: The actor to feed the entries to
110 */ 110 */
111 static int ecryptfs_readdir(struct file *file, struct dir_context *ctx) 111 static int ecryptfs_readdir(struct file *file, struct dir_context *ctx)
112 { 112 {
113 int rc; 113 int rc;
114 struct file *lower_file; 114 struct file *lower_file;
115 struct inode *inode = file_inode(file); 115 struct inode *inode = file_inode(file);
116 struct ecryptfs_getdents_callback buf = { 116 struct ecryptfs_getdents_callback buf = {
117 .ctx.actor = ecryptfs_filldir, 117 .ctx.actor = ecryptfs_filldir,
118 .caller = ctx, 118 .caller = ctx,
119 .sb = inode->i_sb, 119 .sb = inode->i_sb,
120 }; 120 };
121 lower_file = ecryptfs_file_to_lower(file); 121 lower_file = ecryptfs_file_to_lower(file);
122 lower_file->f_pos = ctx->pos; 122 lower_file->f_pos = ctx->pos;
123 rc = iterate_dir(lower_file, &buf.ctx); 123 rc = iterate_dir(lower_file, &buf.ctx);
124 ctx->pos = buf.ctx.pos; 124 ctx->pos = buf.ctx.pos;
125 if (rc < 0) 125 if (rc < 0)
126 goto out; 126 goto out;
127 if (buf.filldir_called && !buf.entries_written) 127 if (buf.filldir_called && !buf.entries_written)
128 goto out; 128 goto out;
129 if (rc >= 0) 129 if (rc >= 0)
130 fsstack_copy_attr_atime(inode, 130 fsstack_copy_attr_atime(inode,
131 file_inode(lower_file)); 131 file_inode(lower_file));
132 out: 132 out:
133 return rc; 133 return rc;
134 } 134 }
135 135
136 struct kmem_cache *ecryptfs_file_info_cache; 136 struct kmem_cache *ecryptfs_file_info_cache;
137 137
138 static int read_or_initialize_metadata(struct dentry *dentry) 138 static int read_or_initialize_metadata(struct dentry *dentry)
139 { 139 {
140 struct inode *inode = dentry->d_inode; 140 struct inode *inode = dentry->d_inode;
141 struct ecryptfs_mount_crypt_stat *mount_crypt_stat; 141 struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
142 struct ecryptfs_crypt_stat *crypt_stat; 142 struct ecryptfs_crypt_stat *crypt_stat;
143 int rc; 143 int rc;
144 144
145 crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat; 145 crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat;
146 mount_crypt_stat = &ecryptfs_superblock_to_private( 146 mount_crypt_stat = &ecryptfs_superblock_to_private(
147 inode->i_sb)->mount_crypt_stat; 147 inode->i_sb)->mount_crypt_stat;
148 mutex_lock(&crypt_stat->cs_mutex); 148 mutex_lock(&crypt_stat->cs_mutex);
149 149
150 if (crypt_stat->flags & ECRYPTFS_POLICY_APPLIED && 150 if (crypt_stat->flags & ECRYPTFS_POLICY_APPLIED &&
151 crypt_stat->flags & ECRYPTFS_KEY_VALID) { 151 crypt_stat->flags & ECRYPTFS_KEY_VALID) {
152 rc = 0; 152 rc = 0;
153 goto out; 153 goto out;
154 } 154 }
155 155
156 rc = ecryptfs_read_metadata(dentry); 156 rc = ecryptfs_read_metadata(dentry);
157 if (!rc) 157 if (!rc)
158 goto out; 158 goto out;
159 159
160 if (mount_crypt_stat->flags & ECRYPTFS_PLAINTEXT_PASSTHROUGH_ENABLED) { 160 if (mount_crypt_stat->flags & ECRYPTFS_PLAINTEXT_PASSTHROUGH_ENABLED) {
161 crypt_stat->flags &= ~(ECRYPTFS_I_SIZE_INITIALIZED 161 crypt_stat->flags &= ~(ECRYPTFS_I_SIZE_INITIALIZED
162 | ECRYPTFS_ENCRYPTED); 162 | ECRYPTFS_ENCRYPTED);
163 rc = 0; 163 rc = 0;
164 goto out; 164 goto out;
165 } 165 }
166 166
167 if (!(mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED) && 167 if (!(mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED) &&
168 !i_size_read(ecryptfs_inode_to_lower(inode))) { 168 !i_size_read(ecryptfs_inode_to_lower(inode))) {
169 rc = ecryptfs_initialize_file(dentry, inode); 169 rc = ecryptfs_initialize_file(dentry, inode);
170 if (!rc) 170 if (!rc)
171 goto out; 171 goto out;
172 } 172 }
173 173
174 rc = -EIO; 174 rc = -EIO;
175 out: 175 out:
176 mutex_unlock(&crypt_stat->cs_mutex); 176 mutex_unlock(&crypt_stat->cs_mutex);
177 return rc; 177 return rc;
178 } 178 }
179 179
180 /** 180 /**
181 * ecryptfs_open 181 * ecryptfs_open
182 * @inode: inode speciying file to open 182 * @inode: inode speciying file to open
183 * @file: Structure to return filled in 183 * @file: Structure to return filled in
184 * 184 *
185 * Opens the file specified by inode. 185 * Opens the file specified by inode.
186 * 186 *
187 * Returns zero on success; non-zero otherwise 187 * Returns zero on success; non-zero otherwise
188 */ 188 */
189 static int ecryptfs_open(struct inode *inode, struct file *file) 189 static int ecryptfs_open(struct inode *inode, struct file *file)
190 { 190 {
191 int rc = 0; 191 int rc = 0;
192 struct ecryptfs_crypt_stat *crypt_stat = NULL; 192 struct ecryptfs_crypt_stat *crypt_stat = NULL;
193 struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
194 struct dentry *ecryptfs_dentry = file->f_path.dentry; 193 struct dentry *ecryptfs_dentry = file->f_path.dentry;
195 /* Private value of ecryptfs_dentry allocated in 194 /* Private value of ecryptfs_dentry allocated in
196 * ecryptfs_lookup() */ 195 * ecryptfs_lookup() */
197 struct ecryptfs_file_info *file_info; 196 struct ecryptfs_file_info *file_info;
198 197
199 mount_crypt_stat = &ecryptfs_superblock_to_private(
200 ecryptfs_dentry->d_sb)->mount_crypt_stat;
201 if ((mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
202 && ((file->f_flags & O_WRONLY) || (file->f_flags & O_RDWR)
203 || (file->f_flags & O_CREAT) || (file->f_flags & O_TRUNC)
204 || (file->f_flags & O_APPEND))) {
205 printk(KERN_WARNING "Mount has encrypted view enabled; "
206 "files may only be read\n");
207 rc = -EPERM;
208 goto out;
209 }
210 /* Released in ecryptfs_release or end of function if failure */ 198 /* Released in ecryptfs_release or end of function if failure */
211 file_info = kmem_cache_zalloc(ecryptfs_file_info_cache, GFP_KERNEL); 199 file_info = kmem_cache_zalloc(ecryptfs_file_info_cache, GFP_KERNEL);
212 ecryptfs_set_file_private(file, file_info); 200 ecryptfs_set_file_private(file, file_info);
213 if (!file_info) { 201 if (!file_info) {
214 ecryptfs_printk(KERN_ERR, 202 ecryptfs_printk(KERN_ERR,
215 "Error attempting to allocate memory\n"); 203 "Error attempting to allocate memory\n");
216 rc = -ENOMEM; 204 rc = -ENOMEM;
217 goto out; 205 goto out;
218 } 206 }
219 crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat; 207 crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat;
220 mutex_lock(&crypt_stat->cs_mutex); 208 mutex_lock(&crypt_stat->cs_mutex);
221 if (!(crypt_stat->flags & ECRYPTFS_POLICY_APPLIED)) { 209 if (!(crypt_stat->flags & ECRYPTFS_POLICY_APPLIED)) {
222 ecryptfs_printk(KERN_DEBUG, "Setting flags for stat...\n"); 210 ecryptfs_printk(KERN_DEBUG, "Setting flags for stat...\n");
223 /* Policy code enabled in future release */ 211 /* Policy code enabled in future release */
224 crypt_stat->flags |= (ECRYPTFS_POLICY_APPLIED 212 crypt_stat->flags |= (ECRYPTFS_POLICY_APPLIED
225 | ECRYPTFS_ENCRYPTED); 213 | ECRYPTFS_ENCRYPTED);
226 } 214 }
227 mutex_unlock(&crypt_stat->cs_mutex); 215 mutex_unlock(&crypt_stat->cs_mutex);
228 rc = ecryptfs_get_lower_file(ecryptfs_dentry, inode); 216 rc = ecryptfs_get_lower_file(ecryptfs_dentry, inode);
229 if (rc) { 217 if (rc) {
230 printk(KERN_ERR "%s: Error attempting to initialize " 218 printk(KERN_ERR "%s: Error attempting to initialize "
231 "the lower file for the dentry with name " 219 "the lower file for the dentry with name "
232 "[%pd]; rc = [%d]\n", __func__, 220 "[%pd]; rc = [%d]\n", __func__,
233 ecryptfs_dentry, rc); 221 ecryptfs_dentry, rc);
234 goto out_free; 222 goto out_free;
235 } 223 }
236 if ((ecryptfs_inode_to_private(inode)->lower_file->f_flags & O_ACCMODE) 224 if ((ecryptfs_inode_to_private(inode)->lower_file->f_flags & O_ACCMODE)
237 == O_RDONLY && (file->f_flags & O_ACCMODE) != O_RDONLY) { 225 == O_RDONLY && (file->f_flags & O_ACCMODE) != O_RDONLY) {
238 rc = -EPERM; 226 rc = -EPERM;
239 printk(KERN_WARNING "%s: Lower file is RO; eCryptfs " 227 printk(KERN_WARNING "%s: Lower file is RO; eCryptfs "
240 "file must hence be opened RO\n", __func__); 228 "file must hence be opened RO\n", __func__);
241 goto out_put; 229 goto out_put;
242 } 230 }
243 ecryptfs_set_file_lower( 231 ecryptfs_set_file_lower(
244 file, ecryptfs_inode_to_private(inode)->lower_file); 232 file, ecryptfs_inode_to_private(inode)->lower_file);
245 if (S_ISDIR(ecryptfs_dentry->d_inode->i_mode)) { 233 if (S_ISDIR(ecryptfs_dentry->d_inode->i_mode)) {
246 ecryptfs_printk(KERN_DEBUG, "This is a directory\n"); 234 ecryptfs_printk(KERN_DEBUG, "This is a directory\n");
247 mutex_lock(&crypt_stat->cs_mutex); 235 mutex_lock(&crypt_stat->cs_mutex);
248 crypt_stat->flags &= ~(ECRYPTFS_ENCRYPTED); 236 crypt_stat->flags &= ~(ECRYPTFS_ENCRYPTED);
249 mutex_unlock(&crypt_stat->cs_mutex); 237 mutex_unlock(&crypt_stat->cs_mutex);
250 rc = 0; 238 rc = 0;
251 goto out; 239 goto out;
252 } 240 }
253 rc = read_or_initialize_metadata(ecryptfs_dentry); 241 rc = read_or_initialize_metadata(ecryptfs_dentry);
254 if (rc) 242 if (rc)
255 goto out_put; 243 goto out_put;
256 ecryptfs_printk(KERN_DEBUG, "inode w/ addr = [0x%p], i_ino = " 244 ecryptfs_printk(KERN_DEBUG, "inode w/ addr = [0x%p], i_ino = "
257 "[0x%.16lx] size: [0x%.16llx]\n", inode, inode->i_ino, 245 "[0x%.16lx] size: [0x%.16llx]\n", inode, inode->i_ino,
258 (unsigned long long)i_size_read(inode)); 246 (unsigned long long)i_size_read(inode));
259 goto out; 247 goto out;
260 out_put: 248 out_put:
261 ecryptfs_put_lower_file(inode); 249 ecryptfs_put_lower_file(inode);
262 out_free: 250 out_free:
263 kmem_cache_free(ecryptfs_file_info_cache, 251 kmem_cache_free(ecryptfs_file_info_cache,
264 ecryptfs_file_to_private(file)); 252 ecryptfs_file_to_private(file));
265 out: 253 out:
266 return rc; 254 return rc;
267 } 255 }
268 256
269 static int ecryptfs_flush(struct file *file, fl_owner_t td) 257 static int ecryptfs_flush(struct file *file, fl_owner_t td)
270 { 258 {
271 struct file *lower_file = ecryptfs_file_to_lower(file); 259 struct file *lower_file = ecryptfs_file_to_lower(file);
272 260
273 if (lower_file->f_op->flush) { 261 if (lower_file->f_op->flush) {
274 filemap_write_and_wait(file->f_mapping); 262 filemap_write_and_wait(file->f_mapping);
275 return lower_file->f_op->flush(lower_file, td); 263 return lower_file->f_op->flush(lower_file, td);
276 } 264 }
277 265
278 return 0; 266 return 0;
279 } 267 }
280 268
281 static int ecryptfs_release(struct inode *inode, struct file *file) 269 static int ecryptfs_release(struct inode *inode, struct file *file)
282 { 270 {
283 ecryptfs_put_lower_file(inode); 271 ecryptfs_put_lower_file(inode);
284 kmem_cache_free(ecryptfs_file_info_cache, 272 kmem_cache_free(ecryptfs_file_info_cache,
285 ecryptfs_file_to_private(file)); 273 ecryptfs_file_to_private(file));
286 return 0; 274 return 0;
287 } 275 }
288 276
289 static int 277 static int
290 ecryptfs_fsync(struct file *file, loff_t start, loff_t end, int datasync) 278 ecryptfs_fsync(struct file *file, loff_t start, loff_t end, int datasync)
291 { 279 {
292 int rc; 280 int rc;
293 281
294 rc = filemap_write_and_wait(file->f_mapping); 282 rc = filemap_write_and_wait(file->f_mapping);
295 if (rc) 283 if (rc)
296 return rc; 284 return rc;
297 285
298 return vfs_fsync(ecryptfs_file_to_lower(file), datasync); 286 return vfs_fsync(ecryptfs_file_to_lower(file), datasync);
299 } 287 }
300 288
301 static int ecryptfs_fasync(int fd, struct file *file, int flag) 289 static int ecryptfs_fasync(int fd, struct file *file, int flag)
302 { 290 {
303 int rc = 0; 291 int rc = 0;
304 struct file *lower_file = NULL; 292 struct file *lower_file = NULL;
305 293
306 lower_file = ecryptfs_file_to_lower(file); 294 lower_file = ecryptfs_file_to_lower(file);
307 if (lower_file->f_op->fasync) 295 if (lower_file->f_op->fasync)
308 rc = lower_file->f_op->fasync(fd, lower_file, flag); 296 rc = lower_file->f_op->fasync(fd, lower_file, flag);
309 return rc; 297 return rc;
310 } 298 }
311 299
312 static long 300 static long
313 ecryptfs_unlocked_ioctl(struct file *file, unsigned int cmd, unsigned long arg) 301 ecryptfs_unlocked_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
314 { 302 {
315 struct file *lower_file = ecryptfs_file_to_lower(file); 303 struct file *lower_file = ecryptfs_file_to_lower(file);
316 long rc = -ENOTTY; 304 long rc = -ENOTTY;
317 305
318 if (lower_file->f_op->unlocked_ioctl) 306 if (lower_file->f_op->unlocked_ioctl)
319 rc = lower_file->f_op->unlocked_ioctl(lower_file, cmd, arg); 307 rc = lower_file->f_op->unlocked_ioctl(lower_file, cmd, arg);
320 return rc; 308 return rc;
321 } 309 }
322 310
323 #ifdef CONFIG_COMPAT 311 #ifdef CONFIG_COMPAT
324 static long 312 static long
325 ecryptfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) 313 ecryptfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
326 { 314 {
327 struct file *lower_file = ecryptfs_file_to_lower(file); 315 struct file *lower_file = ecryptfs_file_to_lower(file);
328 long rc = -ENOIOCTLCMD; 316 long rc = -ENOIOCTLCMD;
329 317
330 if (lower_file->f_op->compat_ioctl) 318 if (lower_file->f_op->compat_ioctl)
331 rc = lower_file->f_op->compat_ioctl(lower_file, cmd, arg); 319 rc = lower_file->f_op->compat_ioctl(lower_file, cmd, arg);
332 return rc; 320 return rc;
333 } 321 }
334 #endif 322 #endif
335 323
336 const struct file_operations ecryptfs_dir_fops = { 324 const struct file_operations ecryptfs_dir_fops = {
337 .iterate = ecryptfs_readdir, 325 .iterate = ecryptfs_readdir,
338 .read = generic_read_dir, 326 .read = generic_read_dir,
339 .unlocked_ioctl = ecryptfs_unlocked_ioctl, 327 .unlocked_ioctl = ecryptfs_unlocked_ioctl,
340 #ifdef CONFIG_COMPAT 328 #ifdef CONFIG_COMPAT
341 .compat_ioctl = ecryptfs_compat_ioctl, 329 .compat_ioctl = ecryptfs_compat_ioctl,
342 #endif 330 #endif
343 .open = ecryptfs_open, 331 .open = ecryptfs_open,
344 .flush = ecryptfs_flush, 332 .flush = ecryptfs_flush,
345 .release = ecryptfs_release, 333 .release = ecryptfs_release,
346 .fsync = ecryptfs_fsync, 334 .fsync = ecryptfs_fsync,
347 .fasync = ecryptfs_fasync, 335 .fasync = ecryptfs_fasync,
348 .splice_read = generic_file_splice_read, 336 .splice_read = generic_file_splice_read,
349 .llseek = default_llseek, 337 .llseek = default_llseek,
350 }; 338 };
351 339
352 const struct file_operations ecryptfs_main_fops = { 340 const struct file_operations ecryptfs_main_fops = {
353 .llseek = generic_file_llseek, 341 .llseek = generic_file_llseek,
354 .read = new_sync_read, 342 .read = new_sync_read,
355 .read_iter = ecryptfs_read_update_atime, 343 .read_iter = ecryptfs_read_update_atime,
356 .write = new_sync_write, 344 .write = new_sync_write,
357 .write_iter = generic_file_write_iter, 345 .write_iter = generic_file_write_iter,
358 .iterate = ecryptfs_readdir, 346 .iterate = ecryptfs_readdir,
359 .unlocked_ioctl = ecryptfs_unlocked_ioctl, 347 .unlocked_ioctl = ecryptfs_unlocked_ioctl,
360 #ifdef CONFIG_COMPAT 348 #ifdef CONFIG_COMPAT
361 .compat_ioctl = ecryptfs_compat_ioctl, 349 .compat_ioctl = ecryptfs_compat_ioctl,
362 #endif 350 #endif
363 .mmap = generic_file_mmap, 351 .mmap = generic_file_mmap,
364 .open = ecryptfs_open, 352 .open = ecryptfs_open,
365 .flush = ecryptfs_flush, 353 .flush = ecryptfs_flush,
366 .release = ecryptfs_release, 354 .release = ecryptfs_release,
367 .fsync = ecryptfs_fsync, 355 .fsync = ecryptfs_fsync,
368 .fasync = ecryptfs_fasync, 356 .fasync = ecryptfs_fasync,
369 .splice_read = generic_file_splice_read, 357 .splice_read = generic_file_splice_read,
370 }; 358 };
371 359
fs/ecryptfs/keystore.c
Diff comments   View file @ 298647e
1 /** 1 /**
2 * eCryptfs: Linux filesystem encryption layer 2 * eCryptfs: Linux filesystem encryption layer
3 * In-kernel key management code. Includes functions to parse and 3 * In-kernel key management code. Includes functions to parse and
4 * write authentication token-related packets with the underlying 4 * write authentication token-related packets with the underlying
5 * file. 5 * file.
6 * 6 *
7 * Copyright (C) 2004-2006 International Business Machines Corp. 7 * Copyright (C) 2004-2006 International Business Machines Corp.
8 * Author(s): Michael A. Halcrow <mhalcrow@us.ibm.com> 8 * Author(s): Michael A. Halcrow <mhalcrow@us.ibm.com>
9 * Michael C. Thompson <mcthomps@us.ibm.com> 9 * Michael C. Thompson <mcthomps@us.ibm.com>
10 * Trevor S. Highland <trevor.highland@gmail.com> 10 * Trevor S. Highland <trevor.highland@gmail.com>
11 * 11 *
12 * This program is free software; you can redistribute it and/or 12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License as 13 * modify it under the terms of the GNU General Public License as
14 * published by the Free Software Foundation; either version 2 of the 14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version. 15 * License, or (at your option) any later version.
16 * 16 *
17 * This program is distributed in the hope that it will be useful, but 17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of 18 * WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20 * General Public License for more details. 20 * General Public License for more details.
21 * 21 *
22 * You should have received a copy of the GNU General Public License 22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software 23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
25 * 02111-1307, USA. 25 * 02111-1307, USA.
26 */ 26 */
27 27
28 #include <linux/string.h> 28 #include <linux/string.h>
29 #include <linux/pagemap.h> 29 #include <linux/pagemap.h>
30 #include <linux/key.h> 30 #include <linux/key.h>
31 #include <linux/random.h> 31 #include <linux/random.h>
32 #include <linux/crypto.h> 32 #include <linux/crypto.h>
33 #include <linux/scatterlist.h> 33 #include <linux/scatterlist.h>
34 #include <linux/slab.h> 34 #include <linux/slab.h>
35 #include "ecryptfs_kernel.h" 35 #include "ecryptfs_kernel.h"
36 36
37 /** 37 /**
38 * request_key returned an error instead of a valid key address; 38 * request_key returned an error instead of a valid key address;
39 * determine the type of error, make appropriate log entries, and 39 * determine the type of error, make appropriate log entries, and
40 * return an error code. 40 * return an error code.
41 */ 41 */
42 static int process_request_key_err(long err_code) 42 static int process_request_key_err(long err_code)
43 { 43 {
44 int rc = 0; 44 int rc = 0;
45 45
46 switch (err_code) { 46 switch (err_code) {
47 case -ENOKEY: 47 case -ENOKEY:
48 ecryptfs_printk(KERN_WARNING, "No key\n"); 48 ecryptfs_printk(KERN_WARNING, "No key\n");
49 rc = -ENOENT; 49 rc = -ENOENT;
50 break; 50 break;
51 case -EKEYEXPIRED: 51 case -EKEYEXPIRED:
52 ecryptfs_printk(KERN_WARNING, "Key expired\n"); 52 ecryptfs_printk(KERN_WARNING, "Key expired\n");
53 rc = -ETIME; 53 rc = -ETIME;
54 break; 54 break;
55 case -EKEYREVOKED: 55 case -EKEYREVOKED:
56 ecryptfs_printk(KERN_WARNING, "Key revoked\n"); 56 ecryptfs_printk(KERN_WARNING, "Key revoked\n");
57 rc = -EINVAL; 57 rc = -EINVAL;
58 break; 58 break;
59 default: 59 default:
60 ecryptfs_printk(KERN_WARNING, "Unknown error code: " 60 ecryptfs_printk(KERN_WARNING, "Unknown error code: "
61 "[0x%.16lx]\n", err_code); 61 "[0x%.16lx]\n", err_code);
62 rc = -EINVAL; 62 rc = -EINVAL;
63 } 63 }
64 return rc; 64 return rc;
65 } 65 }
66 66
67 static int process_find_global_auth_tok_for_sig_err(int err_code) 67 static int process_find_global_auth_tok_for_sig_err(int err_code)
68 { 68 {
69 int rc = err_code; 69 int rc = err_code;
70 70
71 switch (err_code) { 71 switch (err_code) {
72 case -ENOENT: 72 case -ENOENT:
73 ecryptfs_printk(KERN_WARNING, "Missing auth tok\n"); 73 ecryptfs_printk(KERN_WARNING, "Missing auth tok\n");
74 break; 74 break;
75 case -EINVAL: 75 case -EINVAL:
76 ecryptfs_printk(KERN_WARNING, "Invalid auth tok\n"); 76 ecryptfs_printk(KERN_WARNING, "Invalid auth tok\n");
77 break; 77 break;
78 default: 78 default:
79 rc = process_request_key_err(err_code); 79 rc = process_request_key_err(err_code);
80 break; 80 break;
81 } 81 }
82 return rc; 82 return rc;
83 } 83 }
84 84
85 /** 85 /**
86 * ecryptfs_parse_packet_length 86 * ecryptfs_parse_packet_length
87 * @data: Pointer to memory containing length at offset 87 * @data: Pointer to memory containing length at offset
88 * @size: This function writes the decoded size to this memory 88 * @size: This function writes the decoded size to this memory
89 * address; zero on error 89 * address; zero on error
90 * @length_size: The number of bytes occupied by the encoded length 90 * @length_size: The number of bytes occupied by the encoded length
91 * 91 *
92 * Returns zero on success; non-zero on error 92 * Returns zero on success; non-zero on error
93 */ 93 */
94 int ecryptfs_parse_packet_length(unsigned char *data, size_t *size, 94 int ecryptfs_parse_packet_length(unsigned char *data, size_t *size,
95 size_t *length_size) 95 size_t *length_size)
96 { 96 {
97 int rc = 0; 97 int rc = 0;
98 98
99 (*length_size) = 0; 99 (*length_size) = 0;
100 (*size) = 0; 100 (*size) = 0;
101 if (data[0] < 192) { 101 if (data[0] < 192) {
102 /* One-byte length */ 102 /* One-byte length */
103 (*size) = (unsigned char)data[0]; 103 (*size) = data[0];
104 (*length_size) = 1; 104 (*length_size) = 1;
105 } else if (data[0] < 224) { 105 } else if (data[0] < 224) {
106 /* Two-byte length */ 106 /* Two-byte length */
107 (*size) = (((unsigned char)(data[0]) - 192) * 256); 107 (*size) = (data[0] - 192) * 256;
108 (*size) += ((unsigned char)(data[1]) + 192); 108 (*size) += data[1] + 192;
109 (*length_size) = 2; 109 (*length_size) = 2;
110 } else if (data[0] == 255) { 110 } else if (data[0] == 255) {
111 /* If support is added, adjust ECRYPTFS_MAX_PKT_LEN_SIZE */ 111 /* If support is added, adjust ECRYPTFS_MAX_PKT_LEN_SIZE */
112 ecryptfs_printk(KERN_ERR, "Five-byte packet length not " 112 ecryptfs_printk(KERN_ERR, "Five-byte packet length not "
113 "supported\n"); 113 "supported\n");
114 rc = -EINVAL; 114 rc = -EINVAL;
115 goto out; 115 goto out;
116 } else { 116 } else {
117 ecryptfs_printk(KERN_ERR, "Error parsing packet length\n"); 117 ecryptfs_printk(KERN_ERR, "Error parsing packet length\n");
118 rc = -EINVAL; 118 rc = -EINVAL;
119 goto out; 119 goto out;
120 } 120 }
121 out: 121 out:
122 return rc; 122 return rc;
123 } 123 }
124 124
125 /** 125 /**
126 * ecryptfs_write_packet_length 126 * ecryptfs_write_packet_length
127 * @dest: The byte array target into which to write the length. Must 127 * @dest: The byte array target into which to write the length. Must
128 * have at least ECRYPTFS_MAX_PKT_LEN_SIZE bytes allocated. 128 * have at least ECRYPTFS_MAX_PKT_LEN_SIZE bytes allocated.
129 * @size: The length to write. 129 * @size: The length to write.
130 * @packet_size_length: The number of bytes used to encode the packet 130 * @packet_size_length: The number of bytes used to encode the packet
131 * length is written to this address. 131 * length is written to this address.
132 * 132 *
133 * Returns zero on success; non-zero on error. 133 * Returns zero on success; non-zero on error.
134 */ 134 */
135 int ecryptfs_write_packet_length(char *dest, size_t size, 135 int ecryptfs_write_packet_length(char *dest, size_t size,
136 size_t *packet_size_length) 136 size_t *packet_size_length)
137 { 137 {
138 int rc = 0; 138 int rc = 0;
139 139
140 if (size < 192) { 140 if (size < 192) {
141 dest[0] = size; 141 dest[0] = size;
142 (*packet_size_length) = 1; 142 (*packet_size_length) = 1;
143 } else if (size < 65536) { 143 } else if (size < 65536) {
144 dest[0] = (((size - 192) / 256) + 192); 144 dest[0] = (((size - 192) / 256) + 192);
145 dest[1] = ((size - 192) % 256); 145 dest[1] = ((size - 192) % 256);
146 (*packet_size_length) = 2; 146 (*packet_size_length) = 2;
147 } else { 147 } else {
148 /* If support is added, adjust ECRYPTFS_MAX_PKT_LEN_SIZE */ 148 /* If support is added, adjust ECRYPTFS_MAX_PKT_LEN_SIZE */
149 rc = -EINVAL; 149 rc = -EINVAL;
150 ecryptfs_printk(KERN_WARNING, 150 ecryptfs_printk(KERN_WARNING,
151 "Unsupported packet size: [%zd]\n", size); 151 "Unsupported packet size: [%zd]\n", size);
152 } 152 }
153 return rc; 153 return rc;
154 } 154 }
155 155
156 static int 156 static int
157 write_tag_64_packet(char *signature, struct ecryptfs_session_key *session_key, 157 write_tag_64_packet(char *signature, struct ecryptfs_session_key *session_key,
158 char **packet, size_t *packet_len) 158 char **packet, size_t *packet_len)
159 { 159 {
160 size_t i = 0; 160 size_t i = 0;
161 size_t data_len; 161 size_t data_len;
162 size_t packet_size_len; 162 size_t packet_size_len;
163 char *message; 163 char *message;
164 int rc; 164 int rc;
165 165
166 /* 166 /*
167 * ***** TAG 64 Packet Format ***** 167 * ***** TAG 64 Packet Format *****
168 * | Content Type | 1 byte | 168 * | Content Type | 1 byte |
169 * | Key Identifier Size | 1 or 2 bytes | 169 * | Key Identifier Size | 1 or 2 bytes |
170 * | Key Identifier | arbitrary | 170 * | Key Identifier | arbitrary |
171 * | Encrypted File Encryption Key Size | 1 or 2 bytes | 171 * | Encrypted File Encryption Key Size | 1 or 2 bytes |
172 * | Encrypted File Encryption Key | arbitrary | 172 * | Encrypted File Encryption Key | arbitrary |
173 */ 173 */
174 data_len = (5 + ECRYPTFS_SIG_SIZE_HEX 174 data_len = (5 + ECRYPTFS_SIG_SIZE_HEX
175 + session_key->encrypted_key_size); 175 + session_key->encrypted_key_size);
176 *packet = kmalloc(data_len, GFP_KERNEL); 176 *packet = kmalloc(data_len, GFP_KERNEL);
177 message = *packet; 177 message = *packet;
178 if (!message) { 178 if (!message) {
179 ecryptfs_printk(KERN_ERR, "Unable to allocate memory\n"); 179 ecryptfs_printk(KERN_ERR, "Unable to allocate memory\n");
180 rc = -ENOMEM; 180 rc = -ENOMEM;
181 goto out; 181 goto out;
182 } 182 }
183 message[i++] = ECRYPTFS_TAG_64_PACKET_TYPE; 183 message[i++] = ECRYPTFS_TAG_64_PACKET_TYPE;
184 rc = ecryptfs_write_packet_length(&message[i], ECRYPTFS_SIG_SIZE_HEX, 184 rc = ecryptfs_write_packet_length(&message[i], ECRYPTFS_SIG_SIZE_HEX,
185 &packet_size_len); 185 &packet_size_len);
186 if (rc) { 186 if (rc) {
187 ecryptfs_printk(KERN_ERR, "Error generating tag 64 packet " 187 ecryptfs_printk(KERN_ERR, "Error generating tag 64 packet "
188 "header; cannot generate packet length\n"); 188 "header; cannot generate packet length\n");
189 goto out; 189 goto out;
190 } 190 }
191 i += packet_size_len; 191 i += packet_size_len;
192 memcpy(&message[i], signature, ECRYPTFS_SIG_SIZE_HEX); 192 memcpy(&message[i], signature, ECRYPTFS_SIG_SIZE_HEX);
193 i += ECRYPTFS_SIG_SIZE_HEX; 193 i += ECRYPTFS_SIG_SIZE_HEX;
194 rc = ecryptfs_write_packet_length(&message[i], 194 rc = ecryptfs_write_packet_length(&message[i],
195 session_key->encrypted_key_size, 195 session_key->encrypted_key_size,
196 &packet_size_len); 196 &packet_size_len);
197 if (rc) { 197 if (rc) {
198 ecryptfs_printk(KERN_ERR, "Error generating tag 64 packet " 198 ecryptfs_printk(KERN_ERR, "Error generating tag 64 packet "
199 "header; cannot generate packet length\n"); 199 "header; cannot generate packet length\n");
200 goto out; 200 goto out;
201 } 201 }
202 i += packet_size_len; 202 i += packet_size_len;
203 memcpy(&message[i], session_key->encrypted_key, 203 memcpy(&message[i], session_key->encrypted_key,
204 session_key->encrypted_key_size); 204 session_key->encrypted_key_size);
205 i += session_key->encrypted_key_size; 205 i += session_key->encrypted_key_size;
206 *packet_len = i; 206 *packet_len = i;
207 out: 207 out:
208 return rc; 208 return rc;
209 } 209 }
210 210
211 static int 211 static int
212 parse_tag_65_packet(struct ecryptfs_session_key *session_key, u8 *cipher_code, 212 parse_tag_65_packet(struct ecryptfs_session_key *session_key, u8 *cipher_code,
213 struct ecryptfs_message *msg) 213 struct ecryptfs_message *msg)
214 { 214 {
215 size_t i = 0; 215 size_t i = 0;
216 char *data; 216 char *data;
217 size_t data_len; 217 size_t data_len;
218 size_t m_size; 218 size_t m_size;
219 size_t message_len; 219 size_t message_len;
220 u16 checksum = 0; 220 u16 checksum = 0;
221 u16 expected_checksum = 0; 221 u16 expected_checksum = 0;
222 int rc; 222 int rc;
223 223
224 /* 224 /*
225 * ***** TAG 65 Packet Format ***** 225 * ***** TAG 65 Packet Format *****
226 * | Content Type | 1 byte | 226 * | Content Type | 1 byte |
227 * | Status Indicator | 1 byte | 227 * | Status Indicator | 1 byte |
228 * | File Encryption Key Size | 1 or 2 bytes | 228 * | File Encryption Key Size | 1 or 2 bytes |
229 * | File Encryption Key | arbitrary | 229 * | File Encryption Key | arbitrary |
230 */ 230 */
231 message_len = msg->data_len; 231 message_len = msg->data_len;
232 data = msg->data; 232 data = msg->data;
233 if (message_len < 4) { 233 if (message_len < 4) {
234 rc = -EIO; 234 rc = -EIO;
235 goto out; 235 goto out;
236 } 236 }
237 if (data[i++] != ECRYPTFS_TAG_65_PACKET_TYPE) { 237 if (data[i++] != ECRYPTFS_TAG_65_PACKET_TYPE) {
238 ecryptfs_printk(KERN_ERR, "Type should be ECRYPTFS_TAG_65\n"); 238 ecryptfs_printk(KERN_ERR, "Type should be ECRYPTFS_TAG_65\n");
239 rc = -EIO; 239 rc = -EIO;
240 goto out; 240 goto out;
241 } 241 }
242 if (data[i++]) { 242 if (data[i++]) {
243 ecryptfs_printk(KERN_ERR, "Status indicator has non-zero value " 243 ecryptfs_printk(KERN_ERR, "Status indicator has non-zero value "
244 "[%d]\n", data[i-1]); 244 "[%d]\n", data[i-1]);
245 rc = -EIO; 245 rc = -EIO;
246 goto out; 246 goto out;
247 } 247 }
248 rc = ecryptfs_parse_packet_length(&data[i], &m_size, &data_len); 248 rc = ecryptfs_parse_packet_length(&data[i], &m_size, &data_len);
249 if (rc) { 249 if (rc) {
250 ecryptfs_printk(KERN_WARNING, "Error parsing packet length; " 250 ecryptfs_printk(KERN_WARNING, "Error parsing packet length; "
251 "rc = [%d]\n", rc); 251 "rc = [%d]\n", rc);
252 goto out; 252 goto out;
253 } 253 }
254 i += data_len; 254 i += data_len;
255 if (message_len < (i + m_size)) { 255 if (message_len < (i + m_size)) {
256 ecryptfs_printk(KERN_ERR, "The message received from ecryptfsd " 256 ecryptfs_printk(KERN_ERR, "The message received from ecryptfsd "
257 "is shorter than expected\n"); 257 "is shorter than expected\n");
258 rc = -EIO; 258 rc = -EIO;
259 goto out; 259 goto out;
260 } 260 }
261 if (m_size < 3) { 261 if (m_size < 3) {
262 ecryptfs_printk(KERN_ERR, 262 ecryptfs_printk(KERN_ERR,
263 "The decrypted key is not long enough to " 263 "The decrypted key is not long enough to "
264 "include a cipher code and checksum\n"); 264 "include a cipher code and checksum\n");
265 rc = -EIO; 265 rc = -EIO;
266 goto out; 266 goto out;
267 } 267 }
268 *cipher_code = data[i++]; 268 *cipher_code = data[i++];
269 /* The decrypted key includes 1 byte cipher code and 2 byte checksum */ 269 /* The decrypted key includes 1 byte cipher code and 2 byte checksum */
270 session_key->decrypted_key_size = m_size - 3; 270 session_key->decrypted_key_size = m_size - 3;
271 if (session_key->decrypted_key_size > ECRYPTFS_MAX_KEY_BYTES) { 271 if (session_key->decrypted_key_size > ECRYPTFS_MAX_KEY_BYTES) {
272 ecryptfs_printk(KERN_ERR, "key_size [%d] larger than " 272 ecryptfs_printk(KERN_ERR, "key_size [%d] larger than "
273 "the maximum key size [%d]\n", 273 "the maximum key size [%d]\n",
274 session_key->decrypted_key_size, 274 session_key->decrypted_key_size,
275 ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES); 275 ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES);
276 rc = -EIO; 276 rc = -EIO;
277 goto out; 277 goto out;
278 } 278 }
279 memcpy(session_key->decrypted_key, &data[i], 279 memcpy(session_key->decrypted_key, &data[i],
280 session_key->decrypted_key_size); 280 session_key->decrypted_key_size);
281 i += session_key->decrypted_key_size; 281 i += session_key->decrypted_key_size;
282 expected_checksum += (unsigned char)(data[i++]) << 8; 282 expected_checksum += (unsigned char)(data[i++]) << 8;
283 expected_checksum += (unsigned char)(data[i++]); 283 expected_checksum += (unsigned char)(data[i++]);
284 for (i = 0; i < session_key->decrypted_key_size; i++) 284 for (i = 0; i < session_key->decrypted_key_size; i++)
285 checksum += session_key->decrypted_key[i]; 285 checksum += session_key->decrypted_key[i];
286 if (expected_checksum != checksum) { 286 if (expected_checksum != checksum) {
287 ecryptfs_printk(KERN_ERR, "Invalid checksum for file " 287 ecryptfs_printk(KERN_ERR, "Invalid checksum for file "
288 "encryption key; expected [%x]; calculated " 288 "encryption key; expected [%x]; calculated "
289 "[%x]\n", expected_checksum, checksum); 289 "[%x]\n", expected_checksum, checksum);
290 rc = -EIO; 290 rc = -EIO;
291 } 291 }
292 out: 292 out:
293 return rc; 293 return rc;
294 } 294 }
295 295
296 296
297 static int 297 static int
298 write_tag_66_packet(char *signature, u8 cipher_code, 298 write_tag_66_packet(char *signature, u8 cipher_code,
299 struct ecryptfs_crypt_stat *crypt_stat, char **packet, 299 struct ecryptfs_crypt_stat *crypt_stat, char **packet,
300 size_t *packet_len) 300 size_t *packet_len)
301 { 301 {
302 size_t i = 0; 302 size_t i = 0;
303 size_t j; 303 size_t j;
304 size_t data_len; 304 size_t data_len;
305 size_t checksum = 0; 305 size_t checksum = 0;
306 size_t packet_size_len; 306 size_t packet_size_len;
307 char *message; 307 char *message;
308 int rc; 308 int rc;
309 309
310 /* 310 /*
311 * ***** TAG 66 Packet Format ***** 311 * ***** TAG 66 Packet Format *****
312 * | Content Type | 1 byte | 312 * | Content Type | 1 byte |
313 * | Key Identifier Size | 1 or 2 bytes | 313 * | Key Identifier Size | 1 or 2 bytes |
314 * | Key Identifier | arbitrary | 314 * | Key Identifier | arbitrary |
315 * | File Encryption Key Size | 1 or 2 bytes | 315 * | File Encryption Key Size | 1 or 2 bytes |
316 * | File Encryption Key | arbitrary | 316 * | File Encryption Key | arbitrary |
317 */ 317 */
318 data_len = (5 + ECRYPTFS_SIG_SIZE_HEX + crypt_stat->key_size); 318 data_len = (5 + ECRYPTFS_SIG_SIZE_HEX + crypt_stat->key_size);
319 *packet = kmalloc(data_len, GFP_KERNEL); 319 *packet = kmalloc(data_len, GFP_KERNEL);
320 message = *packet; 320 message = *packet;
321 if (!message) { 321 if (!message) {
322 ecryptfs_printk(KERN_ERR, "Unable to allocate memory\n"); 322 ecryptfs_printk(KERN_ERR, "Unable to allocate memory\n");
323 rc = -ENOMEM; 323 rc = -ENOMEM;
324 goto out; 324 goto out;
325 } 325 }
326 message[i++] = ECRYPTFS_TAG_66_PACKET_TYPE; 326 message[i++] = ECRYPTFS_TAG_66_PACKET_TYPE;
327 rc = ecryptfs_write_packet_length(&message[i], ECRYPTFS_SIG_SIZE_HEX, 327 rc = ecryptfs_write_packet_length(&message[i], ECRYPTFS_SIG_SIZE_HEX,
328 &packet_size_len); 328 &packet_size_len);
329 if (rc) { 329 if (rc) {
330 ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet " 330 ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet "
331 "header; cannot generate packet length\n"); 331 "header; cannot generate packet length\n");
332 goto out; 332 goto out;
333 } 333 }
334 i += packet_size_len; 334 i += packet_size_len;
335 memcpy(&message[i], signature, ECRYPTFS_SIG_SIZE_HEX); 335 memcpy(&message[i], signature, ECRYPTFS_SIG_SIZE_HEX);
336 i += ECRYPTFS_SIG_SIZE_HEX; 336 i += ECRYPTFS_SIG_SIZE_HEX;
337 /* The encrypted key includes 1 byte cipher code and 2 byte checksum */ 337 /* The encrypted key includes 1 byte cipher code and 2 byte checksum */
338 rc = ecryptfs_write_packet_length(&message[i], crypt_stat->key_size + 3, 338 rc = ecryptfs_write_packet_length(&message[i], crypt_stat->key_size + 3,
339 &packet_size_len); 339 &packet_size_len);
340 if (rc) { 340 if (rc) {
341 ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet " 341 ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet "
342 "header; cannot generate packet length\n"); 342 "header; cannot generate packet length\n");
343 goto out; 343 goto out;
344 } 344 }
345 i += packet_size_len; 345 i += packet_size_len;
346 message[i++] = cipher_code; 346 message[i++] = cipher_code;
347 memcpy(&message[i], crypt_stat->key, crypt_stat->key_size); 347 memcpy(&message[i], crypt_stat->key, crypt_stat->key_size);
348 i += crypt_stat->key_size; 348 i += crypt_stat->key_size;
349 for (j = 0; j < crypt_stat->key_size; j++) 349 for (j = 0; j < crypt_stat->key_size; j++)
350 checksum += crypt_stat->key[j]; 350 checksum += crypt_stat->key[j];
351 message[i++] = (checksum / 256) % 256; 351 message[i++] = (checksum / 256) % 256;
352 message[i++] = (checksum % 256); 352 message[i++] = (checksum % 256);
353 *packet_len = i; 353 *packet_len = i;
354 out: 354 out:
355 return rc; 355 return rc;
356 } 356 }
357 357
358 static int 358 static int
359 parse_tag_67_packet(struct ecryptfs_key_record *key_rec, 359 parse_tag_67_packet(struct ecryptfs_key_record *key_rec,
360 struct ecryptfs_message *msg) 360 struct ecryptfs_message *msg)
361 { 361 {
362 size_t i = 0; 362 size_t i = 0;
363 char *data; 363 char *data;
364 size_t data_len; 364 size_t data_len;
365 size_t message_len; 365 size_t message_len;
366 int rc; 366 int rc;
367 367
368 /* 368 /*
369 * ***** TAG 65 Packet Format ***** 369 * ***** TAG 65 Packet Format *****
370 * | Content Type | 1 byte | 370 * | Content Type | 1 byte |
371 * | Status Indicator | 1 byte | 371 * | Status Indicator | 1 byte |
372 * | Encrypted File Encryption Key Size | 1 or 2 bytes | 372 * | Encrypted File Encryption Key Size | 1 or 2 bytes |
373 * | Encrypted File Encryption Key | arbitrary | 373 * | Encrypted File Encryption Key | arbitrary |
374 */ 374 */
375 message_len = msg->data_len; 375 message_len = msg->data_len;
376 data = msg->data; 376 data = msg->data;
377 /* verify that everything through the encrypted FEK size is present */ 377 /* verify that everything through the encrypted FEK size is present */
378 if (message_len < 4) { 378 if (message_len < 4) {
379 rc = -EIO; 379 rc = -EIO;
380 printk(KERN_ERR "%s: message_len is [%zd]; minimum acceptable " 380 printk(KERN_ERR "%s: message_len is [%zd]; minimum acceptable "
381 "message length is [%d]\n", __func__, message_len, 4); 381 "message length is [%d]\n", __func__, message_len, 4);
382 goto out; 382 goto out;
383 } 383 }
384 if (data[i++] != ECRYPTFS_TAG_67_PACKET_TYPE) { 384 if (data[i++] != ECRYPTFS_TAG_67_PACKET_TYPE) {
385 rc = -EIO; 385 rc = -EIO;
386 printk(KERN_ERR "%s: Type should be ECRYPTFS_TAG_67\n", 386 printk(KERN_ERR "%s: Type should be ECRYPTFS_TAG_67\n",
387 __func__); 387 __func__);
388 goto out; 388 goto out;
389 } 389 }
390 if (data[i++]) { 390 if (data[i++]) {
391 rc = -EIO; 391 rc = -EIO;
392 printk(KERN_ERR "%s: Status indicator has non zero " 392 printk(KERN_ERR "%s: Status indicator has non zero "
393 "value [%d]\n", __func__, data[i-1]); 393 "value [%d]\n", __func__, data[i-1]);
394 394
395 goto out; 395 goto out;
396 } 396 }
397 rc = ecryptfs_parse_packet_length(&data[i], &key_rec->enc_key_size, 397 rc = ecryptfs_parse_packet_length(&data[i], &key_rec->enc_key_size,
398 &data_len); 398 &data_len);
399 if (rc) { 399 if (rc) {
400 ecryptfs_printk(KERN_WARNING, "Error parsing packet length; " 400 ecryptfs_printk(KERN_WARNING, "Error parsing packet length; "
401 "rc = [%d]\n", rc); 401 "rc = [%d]\n", rc);
402 goto out; 402 goto out;
403 } 403 }
404 i += data_len; 404 i += data_len;
405 if (message_len < (i + key_rec->enc_key_size)) { 405 if (message_len < (i + key_rec->enc_key_size)) {
406 rc = -EIO; 406 rc = -EIO;
407 printk(KERN_ERR "%s: message_len [%zd]; max len is [%zd]\n", 407 printk(KERN_ERR "%s: message_len [%zd]; max len is [%zd]\n",
408 __func__, message_len, (i + key_rec->enc_key_size)); 408 __func__, message_len, (i + key_rec->enc_key_size));
409 goto out; 409 goto out;
410 } 410 }
411 if (key_rec->enc_key_size > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) { 411 if (key_rec->enc_key_size > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
412 rc = -EIO; 412 rc = -EIO;
413 printk(KERN_ERR "%s: Encrypted key_size [%zd] larger than " 413 printk(KERN_ERR "%s: Encrypted key_size [%zd] larger than "
414 "the maximum key size [%d]\n", __func__, 414 "the maximum key size [%d]\n", __func__,
415 key_rec->enc_key_size, 415 key_rec->enc_key_size,
416 ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES); 416 ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES);
417 goto out; 417 goto out;
418 } 418 }
419 memcpy(key_rec->enc_key, &data[i], key_rec->enc_key_size); 419 memcpy(key_rec->enc_key, &data[i], key_rec->enc_key_size);
420 out: 420 out:
421 return rc; 421 return rc;
422 } 422 }
423 423
424 /** 424 /**
425 * ecryptfs_verify_version 425 * ecryptfs_verify_version
426 * @version: The version number to confirm 426 * @version: The version number to confirm
427 * 427 *
428 * Returns zero on good version; non-zero otherwise 428 * Returns zero on good version; non-zero otherwise
429 */ 429 */
430 static int ecryptfs_verify_version(u16 version) 430 static int ecryptfs_verify_version(u16 version)
431 { 431 {
432 int rc = 0; 432 int rc = 0;
433 unsigned char major; 433 unsigned char major;
434 unsigned char minor; 434 unsigned char minor;
435 435
436 major = ((version >> 8) & 0xFF); 436 major = ((version >> 8) & 0xFF);
437 minor = (version & 0xFF); 437 minor = (version & 0xFF);
438 if (major != ECRYPTFS_VERSION_MAJOR) { 438 if (major != ECRYPTFS_VERSION_MAJOR) {
439 ecryptfs_printk(KERN_ERR, "Major version number mismatch. " 439 ecryptfs_printk(KERN_ERR, "Major version number mismatch. "
440 "Expected [%d]; got [%d]\n", 440 "Expected [%d]; got [%d]\n",
441 ECRYPTFS_VERSION_MAJOR, major); 441 ECRYPTFS_VERSION_MAJOR, major);
442 rc = -EINVAL; 442 rc = -EINVAL;
443 goto out; 443 goto out;
444 } 444 }
445 if (minor != ECRYPTFS_VERSION_MINOR) { 445 if (minor != ECRYPTFS_VERSION_MINOR) {
446 ecryptfs_printk(KERN_ERR, "Minor version number mismatch. " 446 ecryptfs_printk(KERN_ERR, "Minor version number mismatch. "
447 "Expected [%d]; got [%d]\n", 447 "Expected [%d]; got [%d]\n",
448 ECRYPTFS_VERSION_MINOR, minor); 448 ECRYPTFS_VERSION_MINOR, minor);
449 rc = -EINVAL; 449 rc = -EINVAL;
450 goto out; 450 goto out;
451 } 451 }
452 out: 452 out:
453 return rc; 453 return rc;
454 } 454 }
455 455
456 /** 456 /**
457 * ecryptfs_verify_auth_tok_from_key 457 * ecryptfs_verify_auth_tok_from_key
458 * @auth_tok_key: key containing the authentication token 458 * @auth_tok_key: key containing the authentication token
459 * @auth_tok: authentication token 459 * @auth_tok: authentication token
460 * 460 *
461 * Returns zero on valid auth tok; -EINVAL otherwise 461 * Returns zero on valid auth tok; -EINVAL otherwise
462 */ 462 */
463 static int 463 static int
464 ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key, 464 ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key,
465 struct ecryptfs_auth_tok **auth_tok) 465 struct ecryptfs_auth_tok **auth_tok)
466 { 466 {
467 int rc = 0; 467 int rc = 0;
468 468
469 (*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key); 469 (*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key);
470 if (ecryptfs_verify_version((*auth_tok)->version)) { 470 if (ecryptfs_verify_version((*auth_tok)->version)) {
471 printk(KERN_ERR "Data structure version mismatch. Userspace " 471 printk(KERN_ERR "Data structure version mismatch. Userspace "
472 "tools must match eCryptfs kernel module with major " 472 "tools must match eCryptfs kernel module with major "
473 "version [%d] and minor version [%d]\n", 473 "version [%d] and minor version [%d]\n",
474 ECRYPTFS_VERSION_MAJOR, ECRYPTFS_VERSION_MINOR); 474 ECRYPTFS_VERSION_MAJOR, ECRYPTFS_VERSION_MINOR);
475 rc = -EINVAL; 475 rc = -EINVAL;
476 goto out; 476 goto out;
477 } 477 }
478 if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD 478 if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD
479 && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) { 479 && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) {
480 printk(KERN_ERR "Invalid auth_tok structure " 480 printk(KERN_ERR "Invalid auth_tok structure "
481 "returned from key query\n"); 481 "returned from key query\n");
482 rc = -EINVAL; 482 rc = -EINVAL;
483 goto out; 483 goto out;
484 } 484 }
485 out: 485 out:
486 return rc; 486 return rc;
487 } 487 }
488 488
489 static int 489 static int
490 ecryptfs_find_global_auth_tok_for_sig( 490 ecryptfs_find_global_auth_tok_for_sig(
491 struct key **auth_tok_key, 491 struct key **auth_tok_key,
492 struct ecryptfs_auth_tok **auth_tok, 492 struct ecryptfs_auth_tok **auth_tok,
493 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, char *sig) 493 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, char *sig)
494 { 494 {
495 struct ecryptfs_global_auth_tok *walker; 495 struct ecryptfs_global_auth_tok *walker;
496 int rc = 0; 496 int rc = 0;
497 497
498 (*auth_tok_key) = NULL; 498 (*auth_tok_key) = NULL;
499 (*auth_tok) = NULL; 499 (*auth_tok) = NULL;
500 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); 500 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
501 list_for_each_entry(walker, 501 list_for_each_entry(walker,
502 &mount_crypt_stat->global_auth_tok_list, 502 &mount_crypt_stat->global_auth_tok_list,
503 mount_crypt_stat_list) { 503 mount_crypt_stat_list) {
504 if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX)) 504 if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX))
505 continue; 505 continue;
506 506
507 if (walker->flags & ECRYPTFS_AUTH_TOK_INVALID) { 507 if (walker->flags & ECRYPTFS_AUTH_TOK_INVALID) {
508 rc = -EINVAL; 508 rc = -EINVAL;
509 goto out; 509 goto out;
510 } 510 }
511 511
512 rc = key_validate(walker->global_auth_tok_key); 512 rc = key_validate(walker->global_auth_tok_key);
513 if (rc) { 513 if (rc) {
514 if (rc == -EKEYEXPIRED) 514 if (rc == -EKEYEXPIRED)
515 goto out; 515 goto out;
516 goto out_invalid_auth_tok; 516 goto out_invalid_auth_tok;
517 } 517 }
518 518
519 down_write(&(walker->global_auth_tok_key->sem)); 519 down_write(&(walker->global_auth_tok_key->sem));
520 rc = ecryptfs_verify_auth_tok_from_key( 520 rc = ecryptfs_verify_auth_tok_from_key(
521 walker->global_auth_tok_key, auth_tok); 521 walker->global_auth_tok_key, auth_tok);
522 if (rc) 522 if (rc)
523 goto out_invalid_auth_tok_unlock; 523 goto out_invalid_auth_tok_unlock;
524 524
525 (*auth_tok_key) = walker->global_auth_tok_key; 525 (*auth_tok_key) = walker->global_auth_tok_key;
526 key_get(*auth_tok_key); 526 key_get(*auth_tok_key);
527 goto out; 527 goto out;
528 } 528 }
529 rc = -ENOENT; 529 rc = -ENOENT;
530 goto out; 530 goto out;
531 out_invalid_auth_tok_unlock: 531 out_invalid_auth_tok_unlock:
532 up_write(&(walker->global_auth_tok_key->sem)); 532 up_write(&(walker->global_auth_tok_key->sem));
533 out_invalid_auth_tok: 533 out_invalid_auth_tok:
534 printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig); 534 printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig);
535 walker->flags |= ECRYPTFS_AUTH_TOK_INVALID; 535 walker->flags |= ECRYPTFS_AUTH_TOK_INVALID;
536 key_put(walker->global_auth_tok_key); 536 key_put(walker->global_auth_tok_key);
537 walker->global_auth_tok_key = NULL; 537 walker->global_auth_tok_key = NULL;
538 out: 538 out:
539 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); 539 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
540 return rc; 540 return rc;
541 } 541 }
542 542
543 /** 543 /**
544 * ecryptfs_find_auth_tok_for_sig 544 * ecryptfs_find_auth_tok_for_sig
545 * @auth_tok: Set to the matching auth_tok; NULL if not found 545 * @auth_tok: Set to the matching auth_tok; NULL if not found
546 * @crypt_stat: inode crypt_stat crypto context 546 * @crypt_stat: inode crypt_stat crypto context
547 * @sig: Sig of auth_tok to find 547 * @sig: Sig of auth_tok to find
548 * 548 *
549 * For now, this function simply looks at the registered auth_tok's 549 * For now, this function simply looks at the registered auth_tok's
550 * linked off the mount_crypt_stat, so all the auth_toks that can be 550 * linked off the mount_crypt_stat, so all the auth_toks that can be
551 * used must be registered at mount time. This function could 551 * used must be registered at mount time. This function could
552 * potentially try a lot harder to find auth_tok's (e.g., by calling 552 * potentially try a lot harder to find auth_tok's (e.g., by calling
553 * out to ecryptfsd to dynamically retrieve an auth_tok object) so 553 * out to ecryptfsd to dynamically retrieve an auth_tok object) so
554 * that static registration of auth_tok's will no longer be necessary. 554 * that static registration of auth_tok's will no longer be necessary.
555 * 555 *
556 * Returns zero on no error; non-zero on error 556 * Returns zero on no error; non-zero on error
557 */ 557 */
558 static int 558 static int
559 ecryptfs_find_auth_tok_for_sig( 559 ecryptfs_find_auth_tok_for_sig(
560 struct key **auth_tok_key, 560 struct key **auth_tok_key,
561 struct ecryptfs_auth_tok **auth_tok, 561 struct ecryptfs_auth_tok **auth_tok,
562 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, 562 struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
563 char *sig) 563 char *sig)
564 { 564 {
565 int rc = 0; 565 int rc = 0;
566 566
567 rc = ecryptfs_find_global_auth_tok_for_sig(auth_tok_key, auth_tok, 567 rc = ecryptfs_find_global_auth_tok_for_sig(auth_tok_key, auth_tok,
568 mount_crypt_stat, sig); 568 mount_crypt_stat, sig);
569 if (rc == -ENOENT) { 569 if (rc == -ENOENT) {
570 /* if the flag ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY is set in the 570 /* if the flag ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY is set in the
571 * mount_crypt_stat structure, we prevent to use auth toks that 571 * mount_crypt_stat structure, we prevent to use auth toks that
572 * are not inserted through the ecryptfs_add_global_auth_tok 572 * are not inserted through the ecryptfs_add_global_auth_tok
573 * function. 573 * function.
574 */ 574 */
575 if (mount_crypt_stat->flags 575 if (mount_crypt_stat->flags
576 & ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY) 576 & ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY)
577 return -EINVAL; 577 return -EINVAL;
578 578
579 rc = ecryptfs_keyring_auth_tok_for_sig(auth_tok_key, auth_tok, 579 rc = ecryptfs_keyring_auth_tok_for_sig(auth_tok_key, auth_tok,
580 sig); 580 sig);
581 } 581 }
582 return rc; 582 return rc;
583 } 583 }
584 584
585 /** 585 /**
586 * write_tag_70_packet can gobble a lot of stack space. We stuff most 586 * write_tag_70_packet can gobble a lot of stack space. We stuff most
587 * of the function's parameters in a kmalloc'd struct to help reduce 587 * of the function's parameters in a kmalloc'd struct to help reduce
588 * eCryptfs' overall stack usage. 588 * eCryptfs' overall stack usage.
589 */ 589 */
590 struct ecryptfs_write_tag_70_packet_silly_stack { 590 struct ecryptfs_write_tag_70_packet_silly_stack {
591 u8 cipher_code; 591 u8 cipher_code;
592 size_t max_packet_size; 592 size_t max_packet_size;
593 size_t packet_size_len; 593 size_t packet_size_len;
594 size_t block_aligned_filename_size; 594 size_t block_aligned_filename_size;
595 size_t block_size; 595 size_t block_size;
596 size_t i; 596 size_t i;
597 size_t j; 597 size_t j;
598 size_t num_rand_bytes; 598 size_t num_rand_bytes;
599 struct mutex *tfm_mutex; 599 struct mutex *tfm_mutex;
600 char *block_aligned_filename; 600 char *block_aligned_filename;
601 struct ecryptfs_auth_tok *auth_tok; 601 struct ecryptfs_auth_tok *auth_tok;
602 struct scatterlist src_sg[2]; 602 struct scatterlist src_sg[2];
603 struct scatterlist dst_sg[2]; 603 struct scatterlist dst_sg[2];
604 struct blkcipher_desc desc; 604 struct blkcipher_desc desc;
605 char iv[ECRYPTFS_MAX_IV_BYTES]; 605 char iv[ECRYPTFS_MAX_IV_BYTES];
606 char hash[ECRYPTFS_TAG_70_DIGEST_SIZE]; 606 char hash[ECRYPTFS_TAG_70_DIGEST_SIZE];
607 char tmp_hash[ECRYPTFS_TAG_70_DIGEST_SIZE]; 607 char tmp_hash[ECRYPTFS_TAG_70_DIGEST_SIZE];
608 struct hash_desc hash_desc; 608 struct hash_desc hash_desc;
609 struct scatterlist hash_sg; 609 struct scatterlist hash_sg;
610 }; 610 };
611 611
612 /** 612 /**
613 * write_tag_70_packet - Write encrypted filename (EFN) packet against FNEK 613 * write_tag_70_packet - Write encrypted filename (EFN) packet against FNEK
614 * @filename: NULL-terminated filename string 614 * @filename: NULL-terminated filename string
615 * 615 *
616 * This is the simplest mechanism for achieving filename encryption in 616 * This is the simplest mechanism for achieving filename encryption in
617 * eCryptfs. It encrypts the given filename with the mount-wide 617 * eCryptfs. It encrypts the given filename with the mount-wide
618 * filename encryption key (FNEK) and stores it in a packet to @dest, 618 * filename encryption key (FNEK) and stores it in a packet to @dest,
619 * which the callee will encode and write directly into the dentry 619 * which the callee will encode and write directly into the dentry
620 * name. 620 * name.
621 */ 621 */
622 int 622 int
623 ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes, 623 ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes,
624 size_t *packet_size, 624 size_t *packet_size,
625 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, 625 struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
626 char *filename, size_t filename_size) 626 char *filename, size_t filename_size)
627 { 627 {
628 struct ecryptfs_write_tag_70_packet_silly_stack *s; 628 struct ecryptfs_write_tag_70_packet_silly_stack *s;
629 struct key *auth_tok_key = NULL; 629 struct key *auth_tok_key = NULL;
630 int rc = 0; 630 int rc = 0;
631 631
632 s = kmalloc(sizeof(*s), GFP_KERNEL); 632 s = kmalloc(sizeof(*s), GFP_KERNEL);
633 if (!s) { 633 if (!s) {
634 printk(KERN_ERR "%s: Out of memory whilst trying to kmalloc " 634 printk(KERN_ERR "%s: Out of memory whilst trying to kmalloc "
635 "[%zd] bytes of kernel memory\n", __func__, sizeof(*s)); 635 "[%zd] bytes of kernel memory\n", __func__, sizeof(*s));
636 rc = -ENOMEM; 636 rc = -ENOMEM;
637 goto out; 637 goto out;
638 } 638 }
639 s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP; 639 s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP;
640 (*packet_size) = 0; 640 (*packet_size) = 0;
641 rc = ecryptfs_find_auth_tok_for_sig( 641 rc = ecryptfs_find_auth_tok_for_sig(
642 &auth_tok_key, 642 &auth_tok_key,
643 &s->auth_tok, mount_crypt_stat, 643 &s->auth_tok, mount_crypt_stat,
644 mount_crypt_stat->global_default_fnek_sig); 644 mount_crypt_stat->global_default_fnek_sig);
645 if (rc) { 645 if (rc) {
646 printk(KERN_ERR "%s: Error attempting to find auth tok for " 646 printk(KERN_ERR "%s: Error attempting to find auth tok for "
647 "fnek sig [%s]; rc = [%d]\n", __func__, 647 "fnek sig [%s]; rc = [%d]\n", __func__,
648 mount_crypt_stat->global_default_fnek_sig, rc); 648 mount_crypt_stat->global_default_fnek_sig, rc);
649 goto out; 649 goto out;
650 } 650 }
651 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name( 651 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(
652 &s->desc.tfm, 652 &s->desc.tfm,
653 &s->tfm_mutex, mount_crypt_stat->global_default_fn_cipher_name); 653 &s->tfm_mutex, mount_crypt_stat->global_default_fn_cipher_name);
654 if (unlikely(rc)) { 654 if (unlikely(rc)) {
655 printk(KERN_ERR "Internal error whilst attempting to get " 655 printk(KERN_ERR "Internal error whilst attempting to get "
656 "tfm and mutex for cipher name [%s]; rc = [%d]\n", 656 "tfm and mutex for cipher name [%s]; rc = [%d]\n",
657 mount_crypt_stat->global_default_fn_cipher_name, rc); 657 mount_crypt_stat->global_default_fn_cipher_name, rc);
658 goto out; 658 goto out;
659 } 659 }
660 mutex_lock(s->tfm_mutex); 660 mutex_lock(s->tfm_mutex);
661 s->block_size = crypto_blkcipher_blocksize(s->desc.tfm); 661 s->block_size = crypto_blkcipher_blocksize(s->desc.tfm);
662 /* Plus one for the \0 separator between the random prefix 662 /* Plus one for the \0 separator between the random prefix
663 * and the plaintext filename */ 663 * and the plaintext filename */
664 s->num_rand_bytes = (ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES + 1); 664 s->num_rand_bytes = (ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES + 1);
665 s->block_aligned_filename_size = (s->num_rand_bytes + filename_size); 665 s->block_aligned_filename_size = (s->num_rand_bytes + filename_size);
666 if ((s->block_aligned_filename_size % s->block_size) != 0) { 666 if ((s->block_aligned_filename_size % s->block_size) != 0) {
667 s->num_rand_bytes += (s->block_size 667 s->num_rand_bytes += (s->block_size
668 - (s->block_aligned_filename_size 668 - (s->block_aligned_filename_size
669 % s->block_size)); 669 % s->block_size));
670 s->block_aligned_filename_size = (s->num_rand_bytes 670 s->block_aligned_filename_size = (s->num_rand_bytes
671 + filename_size); 671 + filename_size);
672 } 672 }
673 /* Octet 0: Tag 70 identifier 673 /* Octet 0: Tag 70 identifier
674 * Octets 1-N1: Tag 70 packet size (includes cipher identifier 674 * Octets 1-N1: Tag 70 packet size (includes cipher identifier
675 * and block-aligned encrypted filename size) 675 * and block-aligned encrypted filename size)
676 * Octets N1-N2: FNEK sig (ECRYPTFS_SIG_SIZE) 676 * Octets N1-N2: FNEK sig (ECRYPTFS_SIG_SIZE)
677 * Octet N2-N3: Cipher identifier (1 octet) 677 * Octet N2-N3: Cipher identifier (1 octet)
678 * Octets N3-N4: Block-aligned encrypted filename 678 * Octets N3-N4: Block-aligned encrypted filename
679 * - Consists of a minimum number of random characters, a \0 679 * - Consists of a minimum number of random characters, a \0
680 * separator, and then the filename */ 680 * separator, and then the filename */
681 s->max_packet_size = (ECRYPTFS_TAG_70_MAX_METADATA_SIZE 681 s->max_packet_size = (ECRYPTFS_TAG_70_MAX_METADATA_SIZE
682 + s->block_aligned_filename_size); 682 + s->block_aligned_filename_size);
683 if (dest == NULL) { 683 if (dest == NULL) {
684 (*packet_size) = s->max_packet_size; 684 (*packet_size) = s->max_packet_size;
685 goto out_unlock; 685 goto out_unlock;
686 } 686 }
687 if (s->max_packet_size > (*remaining_bytes)) { 687 if (s->max_packet_size > (*remaining_bytes)) {
688 printk(KERN_WARNING "%s: Require [%zd] bytes to write; only " 688 printk(KERN_WARNING "%s: Require [%zd] bytes to write; only "
689 "[%zd] available\n", __func__, s->max_packet_size, 689 "[%zd] available\n", __func__, s->max_packet_size,
690 (*remaining_bytes)); 690 (*remaining_bytes));
691 rc = -EINVAL; 691 rc = -EINVAL;
692 goto out_unlock; 692 goto out_unlock;
693 } 693 }
694 s->block_aligned_filename = kzalloc(s->block_aligned_filename_size, 694 s->block_aligned_filename = kzalloc(s->block_aligned_filename_size,
695 GFP_KERNEL); 695 GFP_KERNEL);
696 if (!s->block_aligned_filename) { 696 if (!s->block_aligned_filename) {
697 printk(KERN_ERR "%s: Out of kernel memory whilst attempting to " 697 printk(KERN_ERR "%s: Out of kernel memory whilst attempting to "
698 "kzalloc [%zd] bytes\n", __func__, 698 "kzalloc [%zd] bytes\n", __func__,
699 s->block_aligned_filename_size); 699 s->block_aligned_filename_size);
700 rc = -ENOMEM; 700 rc = -ENOMEM;
701 goto out_unlock; 701 goto out_unlock;
702 } 702 }
703 s->i = 0; 703 s->i = 0;
704 dest[s->i++] = ECRYPTFS_TAG_70_PACKET_TYPE; 704 dest[s->i++] = ECRYPTFS_TAG_70_PACKET_TYPE;
705 rc = ecryptfs_write_packet_length(&dest[s->i], 705 rc = ecryptfs_write_packet_length(&dest[s->i],
706 (ECRYPTFS_SIG_SIZE 706 (ECRYPTFS_SIG_SIZE
707 + 1 /* Cipher code */ 707 + 1 /* Cipher code */
708 + s->block_aligned_filename_size), 708 + s->block_aligned_filename_size),
709 &s->packet_size_len); 709 &s->packet_size_len);
710 if (rc) { 710 if (rc) {
711 printk(KERN_ERR "%s: Error generating tag 70 packet " 711 printk(KERN_ERR "%s: Error generating tag 70 packet "
712 "header; cannot generate packet length; rc = [%d]\n", 712 "header; cannot generate packet length; rc = [%d]\n",
713 __func__, rc); 713 __func__, rc);
714 goto out_free_unlock; 714 goto out_free_unlock;
715 } 715 }
716 s->i += s->packet_size_len; 716 s->i += s->packet_size_len;
717 ecryptfs_from_hex(&dest[s->i], 717 ecryptfs_from_hex(&dest[s->i],
718 mount_crypt_stat->global_default_fnek_sig, 718 mount_crypt_stat->global_default_fnek_sig,
719 ECRYPTFS_SIG_SIZE); 719 ECRYPTFS_SIG_SIZE);
720 s->i += ECRYPTFS_SIG_SIZE; 720 s->i += ECRYPTFS_SIG_SIZE;
721 s->cipher_code = ecryptfs_code_for_cipher_string( 721 s->cipher_code = ecryptfs_code_for_cipher_string(
722 mount_crypt_stat->global_default_fn_cipher_name, 722 mount_crypt_stat->global_default_fn_cipher_name,
723 mount_crypt_stat->global_default_fn_cipher_key_bytes); 723 mount_crypt_stat->global_default_fn_cipher_key_bytes);
724 if (s->cipher_code == 0) { 724 if (s->cipher_code == 0) {
725 printk(KERN_WARNING "%s: Unable to generate code for " 725 printk(KERN_WARNING "%s: Unable to generate code for "
726 "cipher [%s] with key bytes [%zd]\n", __func__, 726 "cipher [%s] with key bytes [%zd]\n", __func__,
727 mount_crypt_stat->global_default_fn_cipher_name, 727 mount_crypt_stat->global_default_fn_cipher_name,
728 mount_crypt_stat->global_default_fn_cipher_key_bytes); 728 mount_crypt_stat->global_default_fn_cipher_key_bytes);
729 rc = -EINVAL; 729 rc = -EINVAL;
730 goto out_free_unlock; 730 goto out_free_unlock;
731 } 731 }
732 dest[s->i++] = s->cipher_code; 732 dest[s->i++] = s->cipher_code;
733 /* TODO: Support other key modules than passphrase for 733 /* TODO: Support other key modules than passphrase for
734 * filename encryption */ 734 * filename encryption */
735 if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) { 735 if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) {
736 rc = -EOPNOTSUPP; 736 rc = -EOPNOTSUPP;
737 printk(KERN_INFO "%s: Filename encryption only supports " 737 printk(KERN_INFO "%s: Filename encryption only supports "
738 "password tokens\n", __func__); 738 "password tokens\n", __func__);
739 goto out_free_unlock; 739 goto out_free_unlock;
740 } 740 }
741 sg_init_one( 741 sg_init_one(
742 &s->hash_sg, 742 &s->hash_sg,
743 (u8 *)s->auth_tok->token.password.session_key_encryption_key, 743 (u8 *)s->auth_tok->token.password.session_key_encryption_key,
744 s->auth_tok->token.password.session_key_encryption_key_bytes); 744 s->auth_tok->token.password.session_key_encryption_key_bytes);
745 s->hash_desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP; 745 s->hash_desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP;
746 s->hash_desc.tfm = crypto_alloc_hash(ECRYPTFS_TAG_70_DIGEST, 0, 746 s->hash_desc.tfm = crypto_alloc_hash(ECRYPTFS_TAG_70_DIGEST, 0,
747 CRYPTO_ALG_ASYNC); 747 CRYPTO_ALG_ASYNC);
748 if (IS_ERR(s->hash_desc.tfm)) { 748 if (IS_ERR(s->hash_desc.tfm)) {
749 rc = PTR_ERR(s->hash_desc.tfm); 749 rc = PTR_ERR(s->hash_desc.tfm);
750 printk(KERN_ERR "%s: Error attempting to " 750 printk(KERN_ERR "%s: Error attempting to "
751 "allocate hash crypto context; rc = [%d]\n", 751 "allocate hash crypto context; rc = [%d]\n",
752 __func__, rc); 752 __func__, rc);
753 goto out_free_unlock; 753 goto out_free_unlock;
754 } 754 }
755 rc = crypto_hash_init(&s->hash_desc); 755 rc = crypto_hash_init(&s->hash_desc);
756 if (rc) { 756 if (rc) {
757 printk(KERN_ERR 757 printk(KERN_ERR
758 "%s: Error initializing crypto hash; rc = [%d]\n", 758 "%s: Error initializing crypto hash; rc = [%d]\n",
759 __func__, rc); 759 __func__, rc);
760 goto out_release_free_unlock; 760 goto out_release_free_unlock;
761 } 761 }
762 rc = crypto_hash_update( 762 rc = crypto_hash_update(
763 &s->hash_desc, &s->hash_sg, 763 &s->hash_desc, &s->hash_sg,
764 s->auth_tok->token.password.session_key_encryption_key_bytes); 764 s->auth_tok->token.password.session_key_encryption_key_bytes);
765 if (rc) { 765 if (rc) {
766 printk(KERN_ERR 766 printk(KERN_ERR
767 "%s: Error updating crypto hash; rc = [%d]\n", 767 "%s: Error updating crypto hash; rc = [%d]\n",
768 __func__, rc); 768 __func__, rc);
769 goto out_release_free_unlock; 769 goto out_release_free_unlock;
770 } 770 }
771 rc = crypto_hash_final(&s->hash_desc, s->hash); 771 rc = crypto_hash_final(&s->hash_desc, s->hash);
772 if (rc) { 772 if (rc) {
773 printk(KERN_ERR 773 printk(KERN_ERR
774 "%s: Error finalizing crypto hash; rc = [%d]\n", 774 "%s: Error finalizing crypto hash; rc = [%d]\n",
775 __func__, rc); 775 __func__, rc);
776 goto out_release_free_unlock; 776 goto out_release_free_unlock;
777 } 777 }
778 for (s->j = 0; s->j < (s->num_rand_bytes - 1); s->j++) { 778 for (s->j = 0; s->j < (s->num_rand_bytes - 1); s->j++) {
779 s->block_aligned_filename[s->j] = 779 s->block_aligned_filename[s->j] =
780 s->hash[(s->j % ECRYPTFS_TAG_70_DIGEST_SIZE)]; 780 s->hash[(s->j % ECRYPTFS_TAG_70_DIGEST_SIZE)];
781 if ((s->j % ECRYPTFS_TAG_70_DIGEST_SIZE) 781 if ((s->j % ECRYPTFS_TAG_70_DIGEST_SIZE)
782 == (ECRYPTFS_TAG_70_DIGEST_SIZE - 1)) { 782 == (ECRYPTFS_TAG_70_DIGEST_SIZE - 1)) {
783 sg_init_one(&s->hash_sg, (u8 *)s->hash, 783 sg_init_one(&s->hash_sg, (u8 *)s->hash,
784 ECRYPTFS_TAG_70_DIGEST_SIZE); 784 ECRYPTFS_TAG_70_DIGEST_SIZE);
785 rc = crypto_hash_init(&s->hash_desc); 785 rc = crypto_hash_init(&s->hash_desc);
786 if (rc) { 786 if (rc) {
787 printk(KERN_ERR 787 printk(KERN_ERR
788 "%s: Error initializing crypto hash; " 788 "%s: Error initializing crypto hash; "
789 "rc = [%d]\n", __func__, rc); 789 "rc = [%d]\n", __func__, rc);
790 goto out_release_free_unlock; 790 goto out_release_free_unlock;
791 } 791 }
792 rc = crypto_hash_update(&s->hash_desc, &s->hash_sg, 792 rc = crypto_hash_update(&s->hash_desc, &s->hash_sg,
793 ECRYPTFS_TAG_70_DIGEST_SIZE); 793 ECRYPTFS_TAG_70_DIGEST_SIZE);
794 if (rc) { 794 if (rc) {
795 printk(KERN_ERR 795 printk(KERN_ERR
796 "%s: Error updating crypto hash; " 796 "%s: Error updating crypto hash; "
797 "rc = [%d]\n", __func__, rc); 797 "rc = [%d]\n", __func__, rc);
798 goto out_release_free_unlock; 798 goto out_release_free_unlock;
799 } 799 }
800 rc = crypto_hash_final(&s->hash_desc, s->tmp_hash); 800 rc = crypto_hash_final(&s->hash_desc, s->tmp_hash);
801 if (rc) { 801 if (rc) {
802 printk(KERN_ERR 802 printk(KERN_ERR
803 "%s: Error finalizing crypto hash; " 803 "%s: Error finalizing crypto hash; "
804 "rc = [%d]\n", __func__, rc); 804 "rc = [%d]\n", __func__, rc);
805 goto out_release_free_unlock; 805 goto out_release_free_unlock;
806 } 806 }
807 memcpy(s->hash, s->tmp_hash, 807 memcpy(s->hash, s->tmp_hash,
808 ECRYPTFS_TAG_70_DIGEST_SIZE); 808 ECRYPTFS_TAG_70_DIGEST_SIZE);
809 } 809 }
810 if (s->block_aligned_filename[s->j] == '\0') 810 if (s->block_aligned_filename[s->j] == '\0')
811 s->block_aligned_filename[s->j] = ECRYPTFS_NON_NULL; 811 s->block_aligned_filename[s->j] = ECRYPTFS_NON_NULL;
812 } 812 }
813 memcpy(&s->block_aligned_filename[s->num_rand_bytes], filename, 813 memcpy(&s->block_aligned_filename[s->num_rand_bytes], filename,
814 filename_size); 814 filename_size);
815 rc = virt_to_scatterlist(s->block_aligned_filename, 815 rc = virt_to_scatterlist(s->block_aligned_filename,
816 s->block_aligned_filename_size, s->src_sg, 2); 816 s->block_aligned_filename_size, s->src_sg, 2);
817 if (rc < 1) { 817 if (rc < 1) {
818 printk(KERN_ERR "%s: Internal error whilst attempting to " 818 printk(KERN_ERR "%s: Internal error whilst attempting to "
819 "convert filename memory to scatterlist; rc = [%d]. " 819 "convert filename memory to scatterlist; rc = [%d]. "
820 "block_aligned_filename_size = [%zd]\n", __func__, rc, 820 "block_aligned_filename_size = [%zd]\n", __func__, rc,
821 s->block_aligned_filename_size); 821 s->block_aligned_filename_size);
822 goto out_release_free_unlock; 822 goto out_release_free_unlock;
823 } 823 }
824 rc = virt_to_scatterlist(&dest[s->i], s->block_aligned_filename_size, 824 rc = virt_to_scatterlist(&dest[s->i], s->block_aligned_filename_size,
825 s->dst_sg, 2); 825 s->dst_sg, 2);
826 if (rc < 1) { 826 if (rc < 1) {
827 printk(KERN_ERR "%s: Internal error whilst attempting to " 827 printk(KERN_ERR "%s: Internal error whilst attempting to "
828 "convert encrypted filename memory to scatterlist; " 828 "convert encrypted filename memory to scatterlist; "
829 "rc = [%d]. block_aligned_filename_size = [%zd]\n", 829 "rc = [%d]. block_aligned_filename_size = [%zd]\n",
830 __func__, rc, s->block_aligned_filename_size); 830 __func__, rc, s->block_aligned_filename_size);
831 goto out_release_free_unlock; 831 goto out_release_free_unlock;
832 } 832 }
833 /* The characters in the first block effectively do the job 833 /* The characters in the first block effectively do the job
834 * of the IV here, so we just use 0's for the IV. Note the 834 * of the IV here, so we just use 0's for the IV. Note the
835 * constraint that ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES 835 * constraint that ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES
836 * >= ECRYPTFS_MAX_IV_BYTES. */ 836 * >= ECRYPTFS_MAX_IV_BYTES. */
837 memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); 837 memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES);
838 s->desc.info = s->iv; 838 s->desc.info = s->iv;
839 rc = crypto_blkcipher_setkey( 839 rc = crypto_blkcipher_setkey(
840 s->desc.tfm, 840 s->desc.tfm,
841 s->auth_tok->token.password.session_key_encryption_key, 841 s->auth_tok->token.password.session_key_encryption_key,
842 mount_crypt_stat->global_default_fn_cipher_key_bytes); 842 mount_crypt_stat->global_default_fn_cipher_key_bytes);
843 if (rc < 0) { 843 if (rc < 0) {
844 printk(KERN_ERR "%s: Error setting key for crypto context; " 844 printk(KERN_ERR "%s: Error setting key for crypto context; "
845 "rc = [%d]. s->auth_tok->token.password.session_key_" 845 "rc = [%d]. s->auth_tok->token.password.session_key_"
846 "encryption_key = [0x%p]; mount_crypt_stat->" 846 "encryption_key = [0x%p]; mount_crypt_stat->"
847 "global_default_fn_cipher_key_bytes = [%zd]\n", __func__, 847 "global_default_fn_cipher_key_bytes = [%zd]\n", __func__,
848 rc, 848 rc,
849 s->auth_tok->token.password.session_key_encryption_key, 849 s->auth_tok->token.password.session_key_encryption_key,
850 mount_crypt_stat->global_default_fn_cipher_key_bytes); 850 mount_crypt_stat->global_default_fn_cipher_key_bytes);
851 goto out_release_free_unlock; 851 goto out_release_free_unlock;
852 } 852 }
853 rc = crypto_blkcipher_encrypt_iv(&s->desc, s->dst_sg, s->src_sg, 853 rc = crypto_blkcipher_encrypt_iv(&s->desc, s->dst_sg, s->src_sg,
854 s->block_aligned_filename_size); 854 s->block_aligned_filename_size);
855 if (rc) { 855 if (rc) {
856 printk(KERN_ERR "%s: Error attempting to encrypt filename; " 856 printk(KERN_ERR "%s: Error attempting to encrypt filename; "
857 "rc = [%d]\n", __func__, rc); 857 "rc = [%d]\n", __func__, rc);
858 goto out_release_free_unlock; 858 goto out_release_free_unlock;
859 } 859 }
860 s->i += s->block_aligned_filename_size; 860 s->i += s->block_aligned_filename_size;
861 (*packet_size) = s->i; 861 (*packet_size) = s->i;
862 (*remaining_bytes) -= (*packet_size); 862 (*remaining_bytes) -= (*packet_size);
863 out_release_free_unlock: 863 out_release_free_unlock:
864 crypto_free_hash(s->hash_desc.tfm); 864 crypto_free_hash(s->hash_desc.tfm);
865 out_free_unlock: 865 out_free_unlock:
866 kzfree(s->block_aligned_filename); 866 kzfree(s->block_aligned_filename);
867 out_unlock: 867 out_unlock:
868 mutex_unlock(s->tfm_mutex); 868 mutex_unlock(s->tfm_mutex);
869 out: 869 out:
870 if (auth_tok_key) { 870 if (auth_tok_key) {
871 up_write(&(auth_tok_key->sem)); 871 up_write(&(auth_tok_key->sem));
872 key_put(auth_tok_key); 872 key_put(auth_tok_key);
873 } 873 }
874 kfree(s); 874 kfree(s);
875 return rc; 875 return rc;
876 } 876 }
877 877
878 struct ecryptfs_parse_tag_70_packet_silly_stack { 878 struct ecryptfs_parse_tag_70_packet_silly_stack {
879 u8 cipher_code; 879 u8 cipher_code;
880 size_t max_packet_size; 880 size_t max_packet_size;
881 size_t packet_size_len; 881 size_t packet_size_len;
882 size_t parsed_tag_70_packet_size; 882 size_t parsed_tag_70_packet_size;
883 size_t block_aligned_filename_size; 883 size_t block_aligned_filename_size;
884 size_t block_size; 884 size_t block_size;
885 size_t i; 885 size_t i;
886 struct mutex *tfm_mutex; 886 struct mutex *tfm_mutex;
887 char *decrypted_filename; 887 char *decrypted_filename;
888 struct ecryptfs_auth_tok *auth_tok; 888 struct ecryptfs_auth_tok *auth_tok;
889 struct scatterlist src_sg[2]; 889 struct scatterlist src_sg[2];
890 struct scatterlist dst_sg[2]; 890 struct scatterlist dst_sg[2];
891 struct blkcipher_desc desc; 891 struct blkcipher_desc desc;
892 char fnek_sig_hex[ECRYPTFS_SIG_SIZE_HEX + 1]; 892 char fnek_sig_hex[ECRYPTFS_SIG_SIZE_HEX + 1];
893 char iv[ECRYPTFS_MAX_IV_BYTES]; 893 char iv[ECRYPTFS_MAX_IV_BYTES];
894 char cipher_string[ECRYPTFS_MAX_CIPHER_NAME_SIZE]; 894 char cipher_string[ECRYPTFS_MAX_CIPHER_NAME_SIZE];
895 }; 895 };
896 896
897 /** 897 /**
898 * parse_tag_70_packet - Parse and process FNEK-encrypted passphrase packet 898 * parse_tag_70_packet - Parse and process FNEK-encrypted passphrase packet
899 * @filename: This function kmalloc's the memory for the filename 899 * @filename: This function kmalloc's the memory for the filename
900 * @filename_size: This function sets this to the amount of memory 900 * @filename_size: This function sets this to the amount of memory
901 * kmalloc'd for the filename 901 * kmalloc'd for the filename
902 * @packet_size: This function sets this to the the number of octets 902 * @packet_size: This function sets this to the the number of octets
903 * in the packet parsed 903 * in the packet parsed
904 * @mount_crypt_stat: The mount-wide cryptographic context 904 * @mount_crypt_stat: The mount-wide cryptographic context
905 * @data: The memory location containing the start of the tag 70 905 * @data: The memory location containing the start of the tag 70
906 * packet 906 * packet
907 * @max_packet_size: The maximum legal size of the packet to be parsed 907 * @max_packet_size: The maximum legal size of the packet to be parsed
908 * from @data 908 * from @data
909 * 909 *
910 * Returns zero on success; non-zero otherwise 910 * Returns zero on success; non-zero otherwise
911 */ 911 */
912 int 912 int
913 ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size, 913 ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size,
914 size_t *packet_size, 914 size_t *packet_size,
915 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, 915 struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
916 char *data, size_t max_packet_size) 916 char *data, size_t max_packet_size)
917 { 917 {
918 struct ecryptfs_parse_tag_70_packet_silly_stack *s; 918 struct ecryptfs_parse_tag_70_packet_silly_stack *s;
919 struct key *auth_tok_key = NULL; 919 struct key *auth_tok_key = NULL;
920 int rc = 0; 920 int rc = 0;
921 921
922 (*packet_size) = 0; 922 (*packet_size) = 0;
923 (*filename_size) = 0; 923 (*filename_size) = 0;
924 (*filename) = NULL; 924 (*filename) = NULL;
925 s = kmalloc(sizeof(*s), GFP_KERNEL); 925 s = kmalloc(sizeof(*s), GFP_KERNEL);
926 if (!s) { 926 if (!s) {
927 printk(KERN_ERR "%s: Out of memory whilst trying to kmalloc " 927 printk(KERN_ERR "%s: Out of memory whilst trying to kmalloc "
928 "[%zd] bytes of kernel memory\n", __func__, sizeof(*s)); 928 "[%zd] bytes of kernel memory\n", __func__, sizeof(*s));
929 rc = -ENOMEM; 929 rc = -ENOMEM;
930 goto out; 930 goto out;
931 } 931 }
932 s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP; 932 s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP;
933 if (max_packet_size < ECRYPTFS_TAG_70_MIN_METADATA_SIZE) { 933 if (max_packet_size < ECRYPTFS_TAG_70_MIN_METADATA_SIZE) {
934 printk(KERN_WARNING "%s: max_packet_size is [%zd]; it must be " 934 printk(KERN_WARNING "%s: max_packet_size is [%zd]; it must be "
935 "at least [%d]\n", __func__, max_packet_size, 935 "at least [%d]\n", __func__, max_packet_size,
936 ECRYPTFS_TAG_70_MIN_METADATA_SIZE); 936 ECRYPTFS_TAG_70_MIN_METADATA_SIZE);
937 rc = -EINVAL; 937 rc = -EINVAL;
938 goto out; 938 goto out;
939 } 939 }
940 /* Octet 0: Tag 70 identifier 940 /* Octet 0: Tag 70 identifier
941 * Octets 1-N1: Tag 70 packet size (includes cipher identifier 941 * Octets 1-N1: Tag 70 packet size (includes cipher identifier
942 * and block-aligned encrypted filename size) 942 * and block-aligned encrypted filename size)
943 * Octets N1-N2: FNEK sig (ECRYPTFS_SIG_SIZE) 943 * Octets N1-N2: FNEK sig (ECRYPTFS_SIG_SIZE)
944 * Octet N2-N3: Cipher identifier (1 octet) 944 * Octet N2-N3: Cipher identifier (1 octet)
945 * Octets N3-N4: Block-aligned encrypted filename 945 * Octets N3-N4: Block-aligned encrypted filename
946 * - Consists of a minimum number of random numbers, a \0 946 * - Consists of a minimum number of random numbers, a \0
947 * separator, and then the filename */ 947 * separator, and then the filename */
948 if (data[(*packet_size)++] != ECRYPTFS_TAG_70_PACKET_TYPE) { 948 if (data[(*packet_size)++] != ECRYPTFS_TAG_70_PACKET_TYPE) {
949 printk(KERN_WARNING "%s: Invalid packet tag [0x%.2x]; must be " 949 printk(KERN_WARNING "%s: Invalid packet tag [0x%.2x]; must be "
950 "tag [0x%.2x]\n", __func__, 950 "tag [0x%.2x]\n", __func__,
951 data[((*packet_size) - 1)], ECRYPTFS_TAG_70_PACKET_TYPE); 951 data[((*packet_size) - 1)], ECRYPTFS_TAG_70_PACKET_TYPE);
952 rc = -EINVAL; 952 rc = -EINVAL;
953 goto out; 953 goto out;
954 } 954 }
955 rc = ecryptfs_parse_packet_length(&data[(*packet_size)], 955 rc = ecryptfs_parse_packet_length(&data[(*packet_size)],
956 &s->parsed_tag_70_packet_size, 956 &s->parsed_tag_70_packet_size,
957 &s->packet_size_len); 957 &s->packet_size_len);
958 if (rc) { 958 if (rc) {
959 printk(KERN_WARNING "%s: Error parsing packet length; " 959 printk(KERN_WARNING "%s: Error parsing packet length; "
960 "rc = [%d]\n", __func__, rc); 960 "rc = [%d]\n", __func__, rc);
961 goto out; 961 goto out;
962 } 962 }
963 s->block_aligned_filename_size = (s->parsed_tag_70_packet_size 963 s->block_aligned_filename_size = (s->parsed_tag_70_packet_size
964 - ECRYPTFS_SIG_SIZE - 1); 964 - ECRYPTFS_SIG_SIZE - 1);
965 if ((1 + s->packet_size_len + s->parsed_tag_70_packet_size) 965 if ((1 + s->packet_size_len + s->parsed_tag_70_packet_size)
966 > max_packet_size) { 966 > max_packet_size) {
967 printk(KERN_WARNING "%s: max_packet_size is [%zd]; real packet " 967 printk(KERN_WARNING "%s: max_packet_size is [%zd]; real packet "
968 "size is [%zd]\n", __func__, max_packet_size, 968 "size is [%zd]\n", __func__, max_packet_size,
969 (1 + s->packet_size_len + 1 969 (1 + s->packet_size_len + 1
970 + s->block_aligned_filename_size)); 970 + s->block_aligned_filename_size));
971 rc = -EINVAL; 971 rc = -EINVAL;
972 goto out; 972 goto out;
973 } 973 }
974 (*packet_size) += s->packet_size_len; 974 (*packet_size) += s->packet_size_len;
975 ecryptfs_to_hex(s->fnek_sig_hex, &data[(*packet_size)], 975 ecryptfs_to_hex(s->fnek_sig_hex, &data[(*packet_size)],
976 ECRYPTFS_SIG_SIZE); 976 ECRYPTFS_SIG_SIZE);
977 s->fnek_sig_hex[ECRYPTFS_SIG_SIZE_HEX] = '\0'; 977 s->fnek_sig_hex[ECRYPTFS_SIG_SIZE_HEX] = '\0';
978 (*packet_size) += ECRYPTFS_SIG_SIZE; 978 (*packet_size) += ECRYPTFS_SIG_SIZE;
979 s->cipher_code = data[(*packet_size)++]; 979 s->cipher_code = data[(*packet_size)++];
980 rc = ecryptfs_cipher_code_to_string(s->cipher_string, s->cipher_code); 980 rc = ecryptfs_cipher_code_to_string(s->cipher_string, s->cipher_code);
981 if (rc) { 981 if (rc) {
982 printk(KERN_WARNING "%s: Cipher code [%d] is invalid\n", 982 printk(KERN_WARNING "%s: Cipher code [%d] is invalid\n",
983 __func__, s->cipher_code); 983 __func__, s->cipher_code);
984 goto out; 984 goto out;
985 } 985 }
986 rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key, 986 rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key,
987 &s->auth_tok, mount_crypt_stat, 987 &s->auth_tok, mount_crypt_stat,
988 s->fnek_sig_hex); 988 s->fnek_sig_hex);
989 if (rc) { 989 if (rc) {
990 printk(KERN_ERR "%s: Error attempting to find auth tok for " 990 printk(KERN_ERR "%s: Error attempting to find auth tok for "
991 "fnek sig [%s]; rc = [%d]\n", __func__, s->fnek_sig_hex, 991 "fnek sig [%s]; rc = [%d]\n", __func__, s->fnek_sig_hex,
992 rc); 992 rc);
993 goto out; 993 goto out;
994 } 994 }
995 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&s->desc.tfm, 995 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&s->desc.tfm,
996 &s->tfm_mutex, 996 &s->tfm_mutex,
997 s->cipher_string); 997 s->cipher_string);
998 if (unlikely(rc)) { 998 if (unlikely(rc)) {
999 printk(KERN_ERR "Internal error whilst attempting to get " 999 printk(KERN_ERR "Internal error whilst attempting to get "
1000 "tfm and mutex for cipher name [%s]; rc = [%d]\n", 1000 "tfm and mutex for cipher name [%s]; rc = [%d]\n",
1001 s->cipher_string, rc); 1001 s->cipher_string, rc);
1002 goto out; 1002 goto out;
1003 } 1003 }
1004 mutex_lock(s->tfm_mutex); 1004 mutex_lock(s->tfm_mutex);
1005 rc = virt_to_scatterlist(&data[(*packet_size)], 1005 rc = virt_to_scatterlist(&data[(*packet_size)],
1006 s->block_aligned_filename_size, s->src_sg, 2); 1006 s->block_aligned_filename_size, s->src_sg, 2);
1007 if (rc < 1) { 1007 if (rc < 1) {
1008 printk(KERN_ERR "%s: Internal error whilst attempting to " 1008 printk(KERN_ERR "%s: Internal error whilst attempting to "
1009 "convert encrypted filename memory to scatterlist; " 1009 "convert encrypted filename memory to scatterlist; "
1010 "rc = [%d]. block_aligned_filename_size = [%zd]\n", 1010 "rc = [%d]. block_aligned_filename_size = [%zd]\n",
1011 __func__, rc, s->block_aligned_filename_size); 1011 __func__, rc, s->block_aligned_filename_size);
1012 goto out_unlock; 1012 goto out_unlock;
1013 } 1013 }
1014 (*packet_size) += s->block_aligned_filename_size; 1014 (*packet_size) += s->block_aligned_filename_size;
1015 s->decrypted_filename = kmalloc(s->block_aligned_filename_size, 1015 s->decrypted_filename = kmalloc(s->block_aligned_filename_size,
1016 GFP_KERNEL); 1016 GFP_KERNEL);
1017 if (!s->decrypted_filename) { 1017 if (!s->decrypted_filename) {
1018 printk(KERN_ERR "%s: Out of memory whilst attempting to " 1018 printk(KERN_ERR "%s: Out of memory whilst attempting to "
1019 "kmalloc [%zd] bytes\n", __func__, 1019 "kmalloc [%zd] bytes\n", __func__,
1020 s->block_aligned_filename_size); 1020 s->block_aligned_filename_size);
1021 rc = -ENOMEM; 1021 rc = -ENOMEM;
1022 goto out_unlock; 1022 goto out_unlock;
1023 } 1023 }
1024 rc = virt_to_scatterlist(s->decrypted_filename, 1024 rc = virt_to_scatterlist(s->decrypted_filename,
1025 s->block_aligned_filename_size, s->dst_sg, 2); 1025 s->block_aligned_filename_size, s->dst_sg, 2);
1026 if (rc < 1) { 1026 if (rc < 1) {
1027 printk(KERN_ERR "%s: Internal error whilst attempting to " 1027 printk(KERN_ERR "%s: Internal error whilst attempting to "
1028 "convert decrypted filename memory to scatterlist; " 1028 "convert decrypted filename memory to scatterlist; "
1029 "rc = [%d]. block_aligned_filename_size = [%zd]\n", 1029 "rc = [%d]. block_aligned_filename_size = [%zd]\n",
1030 __func__, rc, s->block_aligned_filename_size); 1030 __func__, rc, s->block_aligned_filename_size);
1031 goto out_free_unlock; 1031 goto out_free_unlock;
1032 } 1032 }
1033 /* The characters in the first block effectively do the job of 1033 /* The characters in the first block effectively do the job of
1034 * the IV here, so we just use 0's for the IV. Note the 1034 * the IV here, so we just use 0's for the IV. Note the
1035 * constraint that ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES 1035 * constraint that ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES
1036 * >= ECRYPTFS_MAX_IV_BYTES. */ 1036 * >= ECRYPTFS_MAX_IV_BYTES. */
1037 memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); 1037 memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES);
1038 s->desc.info = s->iv; 1038 s->desc.info = s->iv;
1039 /* TODO: Support other key modules than passphrase for 1039 /* TODO: Support other key modules than passphrase for
1040 * filename encryption */ 1040 * filename encryption */
1041 if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) { 1041 if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) {
1042 rc = -EOPNOTSUPP; 1042 rc = -EOPNOTSUPP;
1043 printk(KERN_INFO "%s: Filename encryption only supports " 1043 printk(KERN_INFO "%s: Filename encryption only supports "
1044 "password tokens\n", __func__); 1044 "password tokens\n", __func__);
1045 goto out_free_unlock; 1045 goto out_free_unlock;
1046 } 1046 }
1047 rc = crypto_blkcipher_setkey( 1047 rc = crypto_blkcipher_setkey(
1048 s->desc.tfm, 1048 s->desc.tfm,
1049 s->auth_tok->token.password.session_key_encryption_key, 1049 s->auth_tok->token.password.session_key_encryption_key,
1050 mount_crypt_stat->global_default_fn_cipher_key_bytes); 1050 mount_crypt_stat->global_default_fn_cipher_key_bytes);
1051 if (rc < 0) { 1051 if (rc < 0) {
1052 printk(KERN_ERR "%s: Error setting key for crypto context; " 1052 printk(KERN_ERR "%s: Error setting key for crypto context; "
1053 "rc = [%d]. s->auth_tok->token.password.session_key_" 1053 "rc = [%d]. s->auth_tok->token.password.session_key_"
1054 "encryption_key = [0x%p]; mount_crypt_stat->" 1054 "encryption_key = [0x%p]; mount_crypt_stat->"
1055 "global_default_fn_cipher_key_bytes = [%zd]\n", __func__, 1055 "global_default_fn_cipher_key_bytes = [%zd]\n", __func__,
1056 rc, 1056 rc,
1057 s->auth_tok->token.password.session_key_encryption_key, 1057 s->auth_tok->token.password.session_key_encryption_key,
1058 mount_crypt_stat->global_default_fn_cipher_key_bytes); 1058 mount_crypt_stat->global_default_fn_cipher_key_bytes);
1059 goto out_free_unlock; 1059 goto out_free_unlock;
1060 } 1060 }
1061 rc = crypto_blkcipher_decrypt_iv(&s->desc, s->dst_sg, s->src_sg, 1061 rc = crypto_blkcipher_decrypt_iv(&s->desc, s->dst_sg, s->src_sg,
1062 s->block_aligned_filename_size); 1062 s->block_aligned_filename_size);
1063 if (rc) { 1063 if (rc) {
1064 printk(KERN_ERR "%s: Error attempting to decrypt filename; " 1064 printk(KERN_ERR "%s: Error attempting to decrypt filename; "
1065 "rc = [%d]\n", __func__, rc); 1065 "rc = [%d]\n", __func__, rc);
1066 goto out_free_unlock; 1066 goto out_free_unlock;
1067 } 1067 }
1068 s->i = 0; 1068 s->i = 0;
1069 while (s->decrypted_filename[s->i] != '\0' 1069 while (s->decrypted_filename[s->i] != '\0'
1070 && s->i < s->block_aligned_filename_size) 1070 && s->i < s->block_aligned_filename_size)
1071 s->i++; 1071 s->i++;
1072 if (s->i == s->block_aligned_filename_size) { 1072 if (s->i == s->block_aligned_filename_size) {
1073 printk(KERN_WARNING "%s: Invalid tag 70 packet; could not " 1073 printk(KERN_WARNING "%s: Invalid tag 70 packet; could not "
1074 "find valid separator between random characters and " 1074 "find valid separator between random characters and "
1075 "the filename\n", __func__); 1075 "the filename\n", __func__);
1076 rc = -EINVAL; 1076 rc = -EINVAL;
1077 goto out_free_unlock; 1077 goto out_free_unlock;
1078 } 1078 }
1079 s->i++; 1079 s->i++;
1080 (*filename_size) = (s->block_aligned_filename_size - s->i); 1080 (*filename_size) = (s->block_aligned_filename_size - s->i);
1081 if (!((*filename_size) > 0 && (*filename_size < PATH_MAX))) { 1081 if (!((*filename_size) > 0 && (*filename_size < PATH_MAX))) {
1082 printk(KERN_WARNING "%s: Filename size is [%zd], which is " 1082 printk(KERN_WARNING "%s: Filename size is [%zd], which is "
1083 "invalid\n", __func__, (*filename_size)); 1083 "invalid\n", __func__, (*filename_size));
1084 rc = -EINVAL; 1084 rc = -EINVAL;
1085 goto out_free_unlock; 1085 goto out_free_unlock;
1086 } 1086 }
1087 (*filename) = kmalloc(((*filename_size) + 1), GFP_KERNEL); 1087 (*filename) = kmalloc(((*filename_size) + 1), GFP_KERNEL);
1088 if (!(*filename)) { 1088 if (!(*filename)) {
1089 printk(KERN_ERR "%s: Out of memory whilst attempting to " 1089 printk(KERN_ERR "%s: Out of memory whilst attempting to "
1090 "kmalloc [%zd] bytes\n", __func__, 1090 "kmalloc [%zd] bytes\n", __func__,
1091 ((*filename_size) + 1)); 1091 ((*filename_size) + 1));
1092 rc = -ENOMEM; 1092 rc = -ENOMEM;
1093 goto out_free_unlock; 1093 goto out_free_unlock;
1094 } 1094 }
1095 memcpy((*filename), &s->decrypted_filename[s->i], (*filename_size)); 1095 memcpy((*filename), &s->decrypted_filename[s->i], (*filename_size));
1096 (*filename)[(*filename_size)] = '\0'; 1096 (*filename)[(*filename_size)] = '\0';
1097 out_free_unlock: 1097 out_free_unlock:
1098 kfree(s->decrypted_filename); 1098 kfree(s->decrypted_filename);
1099 out_unlock: 1099 out_unlock:
1100 mutex_unlock(s->tfm_mutex); 1100 mutex_unlock(s->tfm_mutex);
1101 out: 1101 out:
1102 if (rc) { 1102 if (rc) {
1103 (*packet_size) = 0; 1103 (*packet_size) = 0;
1104 (*filename_size) = 0; 1104 (*filename_size) = 0;
1105 (*filename) = NULL; 1105 (*filename) = NULL;
1106 } 1106 }
1107 if (auth_tok_key) { 1107 if (auth_tok_key) {
1108 up_write(&(auth_tok_key->sem)); 1108 up_write(&(auth_tok_key->sem));
1109 key_put(auth_tok_key); 1109 key_put(auth_tok_key);
1110 } 1110 }
1111 kfree(s); 1111 kfree(s);
1112 return rc; 1112 return rc;
1113 } 1113 }
1114 1114
1115 static int 1115 static int
1116 ecryptfs_get_auth_tok_sig(char **sig, struct ecryptfs_auth_tok *auth_tok) 1116 ecryptfs_get_auth_tok_sig(char **sig, struct ecryptfs_auth_tok *auth_tok)
1117 { 1117 {
1118 int rc = 0; 1118 int rc = 0;
1119 1119
1120 (*sig) = NULL; 1120 (*sig) = NULL;
1121 switch (auth_tok->token_type) { 1121 switch (auth_tok->token_type) {
1122 case ECRYPTFS_PASSWORD: 1122 case ECRYPTFS_PASSWORD:
1123 (*sig) = auth_tok->token.password.signature; 1123 (*sig) = auth_tok->token.password.signature;
1124 break; 1124 break;
1125 case ECRYPTFS_PRIVATE_KEY: 1125 case ECRYPTFS_PRIVATE_KEY:
1126 (*sig) = auth_tok->token.private_key.signature; 1126 (*sig) = auth_tok->token.private_key.signature;
1127 break; 1127 break;
1128 default: 1128 default:
1129 printk(KERN_ERR "Cannot get sig for auth_tok of type [%d]\n", 1129 printk(KERN_ERR "Cannot get sig for auth_tok of type [%d]\n",
1130 auth_tok->token_type); 1130 auth_tok->token_type);
1131 rc = -EINVAL; 1131 rc = -EINVAL;
1132 } 1132 }
1133 return rc; 1133 return rc;
1134 } 1134 }
1135 1135
1136 /** 1136 /**
1137 * decrypt_pki_encrypted_session_key - Decrypt the session key with the given auth_tok. 1137 * decrypt_pki_encrypted_session_key - Decrypt the session key with the given auth_tok.
1138 * @auth_tok: The key authentication token used to decrypt the session key 1138 * @auth_tok: The key authentication token used to decrypt the session key
1139 * @crypt_stat: The cryptographic context 1139 * @crypt_stat: The cryptographic context
1140 * 1140 *
1141 * Returns zero on success; non-zero error otherwise. 1141 * Returns zero on success; non-zero error otherwise.
1142 */ 1142 */
1143 static int 1143 static int
1144 decrypt_pki_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok, 1144 decrypt_pki_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok,
1145 struct ecryptfs_crypt_stat *crypt_stat) 1145 struct ecryptfs_crypt_stat *crypt_stat)
1146 { 1146 {
1147 u8 cipher_code = 0; 1147 u8 cipher_code = 0;
1148 struct ecryptfs_msg_ctx *msg_ctx; 1148 struct ecryptfs_msg_ctx *msg_ctx;
1149 struct ecryptfs_message *msg = NULL; 1149 struct ecryptfs_message *msg = NULL;
1150 char *auth_tok_sig; 1150 char *auth_tok_sig;
1151 char *payload = NULL; 1151 char *payload = NULL;
1152 size_t payload_len = 0; 1152 size_t payload_len = 0;
1153 int rc; 1153 int rc;
1154 1154
1155 rc = ecryptfs_get_auth_tok_sig(&auth_tok_sig, auth_tok); 1155 rc = ecryptfs_get_auth_tok_sig(&auth_tok_sig, auth_tok);
1156 if (rc) { 1156 if (rc) {
1157 printk(KERN_ERR "Unrecognized auth tok type: [%d]\n", 1157 printk(KERN_ERR "Unrecognized auth tok type: [%d]\n",
1158 auth_tok->token_type); 1158 auth_tok->token_type);
1159 goto out; 1159 goto out;
1160 } 1160 }
1161 rc = write_tag_64_packet(auth_tok_sig, &(auth_tok->session_key), 1161 rc = write_tag_64_packet(auth_tok_sig, &(auth_tok->session_key),
1162 &payload, &payload_len); 1162 &payload, &payload_len);
1163 if (rc) { 1163 if (rc) {
1164 ecryptfs_printk(KERN_ERR, "Failed to write tag 64 packet\n"); 1164 ecryptfs_printk(KERN_ERR, "Failed to write tag 64 packet\n");
1165 goto out; 1165 goto out;
1166 } 1166 }
1167 rc = ecryptfs_send_message(payload, payload_len, &msg_ctx); 1167 rc = ecryptfs_send_message(payload, payload_len, &msg_ctx);
1168 if (rc) { 1168 if (rc) {
1169 ecryptfs_printk(KERN_ERR, "Error sending message to " 1169 ecryptfs_printk(KERN_ERR, "Error sending message to "
1170 "ecryptfsd: %d\n", rc); 1170 "ecryptfsd: %d\n", rc);
1171 goto out; 1171 goto out;
1172 } 1172 }
1173 rc = ecryptfs_wait_for_response(msg_ctx, &msg); 1173 rc = ecryptfs_wait_for_response(msg_ctx, &msg);
1174 if (rc) { 1174 if (rc) {
1175 ecryptfs_printk(KERN_ERR, "Failed to receive tag 65 packet " 1175 ecryptfs_printk(KERN_ERR, "Failed to receive tag 65 packet "
1176 "from the user space daemon\n"); 1176 "from the user space daemon\n");
1177 rc = -EIO; 1177 rc = -EIO;
1178 goto out; 1178 goto out;
1179 } 1179 }
1180 rc = parse_tag_65_packet(&(auth_tok->session_key), 1180 rc = parse_tag_65_packet(&(auth_tok->session_key),
1181 &cipher_code, msg); 1181 &cipher_code, msg);
1182 if (rc) { 1182 if (rc) {
1183 printk(KERN_ERR "Failed to parse tag 65 packet; rc = [%d]\n", 1183 printk(KERN_ERR "Failed to parse tag 65 packet; rc = [%d]\n",
1184 rc); 1184 rc);
1185 goto out; 1185 goto out;
1186 } 1186 }
1187 auth_tok->session_key.flags |= ECRYPTFS_CONTAINS_DECRYPTED_KEY; 1187 auth_tok->session_key.flags |= ECRYPTFS_CONTAINS_DECRYPTED_KEY;
1188 memcpy(crypt_stat->key, auth_tok->session_key.decrypted_key, 1188 memcpy(crypt_stat->key, auth_tok->session_key.decrypted_key,
1189 auth_tok->session_key.decrypted_key_size); 1189 auth_tok->session_key.decrypted_key_size);
1190 crypt_stat->key_size = auth_tok->session_key.decrypted_key_size; 1190 crypt_stat->key_size = auth_tok->session_key.decrypted_key_size;
1191 rc = ecryptfs_cipher_code_to_string(crypt_stat->cipher, cipher_code); 1191 rc = ecryptfs_cipher_code_to_string(crypt_stat->cipher, cipher_code);
1192 if (rc) { 1192 if (rc) {
1193 ecryptfs_printk(KERN_ERR, "Cipher code [%d] is invalid\n", 1193 ecryptfs_printk(KERN_ERR, "Cipher code [%d] is invalid\n",
1194 cipher_code) 1194 cipher_code)
1195 goto out; 1195 goto out;
1196 } 1196 }
1197 crypt_stat->flags |= ECRYPTFS_KEY_VALID; 1197 crypt_stat->flags |= ECRYPTFS_KEY_VALID;
1198 if (ecryptfs_verbosity > 0) { 1198 if (ecryptfs_verbosity > 0) {
1199 ecryptfs_printk(KERN_DEBUG, "Decrypted session key:\n"); 1199 ecryptfs_printk(KERN_DEBUG, "Decrypted session key:\n");
1200 ecryptfs_dump_hex(crypt_stat->key, 1200 ecryptfs_dump_hex(crypt_stat->key,
1201 crypt_stat->key_size); 1201 crypt_stat->key_size);
1202 } 1202 }
1203 out: 1203 out:
1204 kfree(msg); 1204 kfree(msg);
1205 kfree(payload); 1205 kfree(payload);
1206 return rc; 1206 return rc;
1207 } 1207 }
1208 1208
1209 static void wipe_auth_tok_list(struct list_head *auth_tok_list_head) 1209 static void wipe_auth_tok_list(struct list_head *auth_tok_list_head)
1210 { 1210 {
1211 struct ecryptfs_auth_tok_list_item *auth_tok_list_item; 1211 struct ecryptfs_auth_tok_list_item *auth_tok_list_item;
1212 struct ecryptfs_auth_tok_list_item *auth_tok_list_item_tmp; 1212 struct ecryptfs_auth_tok_list_item *auth_tok_list_item_tmp;
1213 1213
1214 list_for_each_entry_safe(auth_tok_list_item, auth_tok_list_item_tmp, 1214 list_for_each_entry_safe(auth_tok_list_item, auth_tok_list_item_tmp,
1215 auth_tok_list_head, list) { 1215 auth_tok_list_head, list) {
1216 list_del(&auth_tok_list_item->list); 1216 list_del(&auth_tok_list_item->list);
1217 kmem_cache_free(ecryptfs_auth_tok_list_item_cache, 1217 kmem_cache_free(ecryptfs_auth_tok_list_item_cache,
1218 auth_tok_list_item); 1218 auth_tok_list_item);
1219 } 1219 }
1220 } 1220 }
1221 1221
1222 struct kmem_cache *ecryptfs_auth_tok_list_item_cache; 1222 struct kmem_cache *ecryptfs_auth_tok_list_item_cache;
1223 1223
1224 /** 1224 /**
1225 * parse_tag_1_packet 1225 * parse_tag_1_packet
1226 * @crypt_stat: The cryptographic context to modify based on packet contents 1226 * @crypt_stat: The cryptographic context to modify based on packet contents
1227 * @data: The raw bytes of the packet. 1227 * @data: The raw bytes of the packet.
1228 * @auth_tok_list: eCryptfs parses packets into authentication tokens; 1228 * @auth_tok_list: eCryptfs parses packets into authentication tokens;
1229 * a new authentication token will be placed at the 1229 * a new authentication token will be placed at the
1230 * end of this list for this packet. 1230 * end of this list for this packet.
1231 * @new_auth_tok: Pointer to a pointer to memory that this function 1231 * @new_auth_tok: Pointer to a pointer to memory that this function
1232 * allocates; sets the memory address of the pointer to 1232 * allocates; sets the memory address of the pointer to
1233 * NULL on error. This object is added to the 1233 * NULL on error. This object is added to the
1234 * auth_tok_list. 1234 * auth_tok_list.
1235 * @packet_size: This function writes the size of the parsed packet 1235 * @packet_size: This function writes the size of the parsed packet
1236 * into this memory location; zero on error. 1236 * into this memory location; zero on error.
1237 * @max_packet_size: The maximum allowable packet size 1237 * @max_packet_size: The maximum allowable packet size
1238 * 1238 *
1239 * Returns zero on success; non-zero on error. 1239 * Returns zero on success; non-zero on error.
1240 */ 1240 */
1241 static int 1241 static int
1242 parse_tag_1_packet(struct ecryptfs_crypt_stat *crypt_stat, 1242 parse_tag_1_packet(struct ecryptfs_crypt_stat *crypt_stat,
1243 unsigned char *data, struct list_head *auth_tok_list, 1243 unsigned char *data, struct list_head *auth_tok_list,
1244 struct ecryptfs_auth_tok **new_auth_tok, 1244 struct ecryptfs_auth_tok **new_auth_tok,
1245 size_t *packet_size, size_t max_packet_size) 1245 size_t *packet_size, size_t max_packet_size)
1246 { 1246 {
1247 size_t body_size; 1247 size_t body_size;
1248 struct ecryptfs_auth_tok_list_item *auth_tok_list_item; 1248 struct ecryptfs_auth_tok_list_item *auth_tok_list_item;
1249 size_t length_size; 1249 size_t length_size;
1250 int rc = 0; 1250 int rc = 0;
1251 1251
1252 (*packet_size) = 0; 1252 (*packet_size) = 0;
1253 (*new_auth_tok) = NULL; 1253 (*new_auth_tok) = NULL;
1254 /** 1254 /**
1255 * This format is inspired by OpenPGP; see RFC 2440 1255 * This format is inspired by OpenPGP; see RFC 2440
1256 * packet tag 1 1256 * packet tag 1
1257 * 1257 *
1258 * Tag 1 identifier (1 byte) 1258 * Tag 1 identifier (1 byte)
1259 * Max Tag 1 packet size (max 3 bytes) 1259 * Max Tag 1 packet size (max 3 bytes)
1260 * Version (1 byte) 1260 * Version (1 byte)
1261 * Key identifier (8 bytes; ECRYPTFS_SIG_SIZE) 1261 * Key identifier (8 bytes; ECRYPTFS_SIG_SIZE)
1262 * Cipher identifier (1 byte) 1262 * Cipher identifier (1 byte)
1263 * Encrypted key size (arbitrary) 1263 * Encrypted key size (arbitrary)
1264 * 1264 *
1265 * 12 bytes minimum packet size 1265 * 12 bytes minimum packet size
1266 */ 1266 */
1267 if (unlikely(max_packet_size < 12)) { 1267 if (unlikely(max_packet_size < 12)) {
1268 printk(KERN_ERR "Invalid max packet size; must be >=12\n"); 1268 printk(KERN_ERR "Invalid max packet size; must be >=12\n");
1269 rc = -EINVAL; 1269 rc = -EINVAL;
1270 goto out; 1270 goto out;
1271 } 1271 }
1272 if (data[(*packet_size)++] != ECRYPTFS_TAG_1_PACKET_TYPE) { 1272 if (data[(*packet_size)++] != ECRYPTFS_TAG_1_PACKET_TYPE) {
1273 printk(KERN_ERR "Enter w/ first byte != 0x%.2x\n", 1273 printk(KERN_ERR "Enter w/ first byte != 0x%.2x\n",
1274 ECRYPTFS_TAG_1_PACKET_TYPE); 1274 ECRYPTFS_TAG_1_PACKET_TYPE);
1275 rc = -EINVAL; 1275 rc = -EINVAL;
1276 goto out; 1276 goto out;
1277 } 1277 }
1278 /* Released: wipe_auth_tok_list called in ecryptfs_parse_packet_set or 1278 /* Released: wipe_auth_tok_list called in ecryptfs_parse_packet_set or
1279 * at end of function upon failure */ 1279 * at end of function upon failure */
1280 auth_tok_list_item = 1280 auth_tok_list_item =
1281 kmem_cache_zalloc(ecryptfs_auth_tok_list_item_cache, 1281 kmem_cache_zalloc(ecryptfs_auth_tok_list_item_cache,
1282 GFP_KERNEL); 1282 GFP_KERNEL);
1283 if (!auth_tok_list_item) { 1283 if (!auth_tok_list_item) {
1284 printk(KERN_ERR "Unable to allocate memory\n"); 1284 printk(KERN_ERR "Unable to allocate memory\n");
1285 rc = -ENOMEM; 1285 rc = -ENOMEM;
1286 goto out; 1286 goto out;
1287 } 1287 }
1288 (*new_auth_tok) = &auth_tok_list_item->auth_tok; 1288 (*new_auth_tok) = &auth_tok_list_item->auth_tok;
1289 rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size, 1289 rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size,
1290 &length_size); 1290 &length_size);
1291 if (rc) { 1291 if (rc) {
1292 printk(KERN_WARNING "Error parsing packet length; " 1292 printk(KERN_WARNING "Error parsing packet length; "
1293 "rc = [%d]\n", rc); 1293 "rc = [%d]\n", rc);
1294 goto out_free; 1294 goto out_free;
1295 } 1295 }
1296 if (unlikely(body_size < (ECRYPTFS_SIG_SIZE + 2))) { 1296 if (unlikely(body_size < (ECRYPTFS_SIG_SIZE + 2))) {
1297 printk(KERN_WARNING "Invalid body size ([%td])\n", body_size); 1297 printk(KERN_WARNING "Invalid body size ([%td])\n", body_size);
1298 rc = -EINVAL; 1298 rc = -EINVAL;
1299 goto out_free; 1299 goto out_free;
1300 } 1300 }
1301 (*packet_size) += length_size; 1301 (*packet_size) += length_size;
1302 if (unlikely((*packet_size) + body_size > max_packet_size)) { 1302 if (unlikely((*packet_size) + body_size > max_packet_size)) {
1303 printk(KERN_WARNING "Packet size exceeds max\n"); 1303 printk(KERN_WARNING "Packet size exceeds max\n");
1304 rc = -EINVAL; 1304 rc = -EINVAL;
1305 goto out_free; 1305 goto out_free;
1306 } 1306 }
1307 if (unlikely(data[(*packet_size)++] != 0x03)) { 1307 if (unlikely(data[(*packet_size)++] != 0x03)) {
1308 printk(KERN_WARNING "Unknown version number [%d]\n", 1308 printk(KERN_WARNING "Unknown version number [%d]\n",
1309 data[(*packet_size) - 1]); 1309 data[(*packet_size) - 1]);
1310 rc = -EINVAL; 1310 rc = -EINVAL;
1311 goto out_free; 1311 goto out_free;
1312 } 1312 }
1313 ecryptfs_to_hex((*new_auth_tok)->token.private_key.signature, 1313 ecryptfs_to_hex((*new_auth_tok)->token.private_key.signature,
1314 &data[(*packet_size)], ECRYPTFS_SIG_SIZE); 1314 &data[(*packet_size)], ECRYPTFS_SIG_SIZE);
1315 *packet_size += ECRYPTFS_SIG_SIZE; 1315 *packet_size += ECRYPTFS_SIG_SIZE;
1316 /* This byte is skipped because the kernel does not need to 1316 /* This byte is skipped because the kernel does not need to
1317 * know which public key encryption algorithm was used */ 1317 * know which public key encryption algorithm was used */
1318 (*packet_size)++; 1318 (*packet_size)++;
1319 (*new_auth_tok)->session_key.encrypted_key_size = 1319 (*new_auth_tok)->session_key.encrypted_key_size =
1320 body_size - (ECRYPTFS_SIG_SIZE + 2); 1320 body_size - (ECRYPTFS_SIG_SIZE + 2);
1321 if ((*new_auth_tok)->session_key.encrypted_key_size 1321 if ((*new_auth_tok)->session_key.encrypted_key_size
1322 > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) { 1322 > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
1323 printk(KERN_WARNING "Tag 1 packet contains key larger " 1323 printk(KERN_WARNING "Tag 1 packet contains key larger "
1324 "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES"); 1324 "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES");
1325 rc = -EINVAL; 1325 rc = -EINVAL;
1326 goto out; 1326 goto out;
1327 } 1327 }
1328 memcpy((*new_auth_tok)->session_key.encrypted_key, 1328 memcpy((*new_auth_tok)->session_key.encrypted_key,
1329 &data[(*packet_size)], (body_size - (ECRYPTFS_SIG_SIZE + 2))); 1329 &data[(*packet_size)], (body_size - (ECRYPTFS_SIG_SIZE + 2)));
1330 (*packet_size) += (*new_auth_tok)->session_key.encrypted_key_size; 1330 (*packet_size) += (*new_auth_tok)->session_key.encrypted_key_size;
1331 (*new_auth_tok)->session_key.flags &= 1331 (*new_auth_tok)->session_key.flags &=
1332 ~ECRYPTFS_CONTAINS_DECRYPTED_KEY; 1332 ~ECRYPTFS_CONTAINS_DECRYPTED_KEY;
1333 (*new_auth_tok)->session_key.flags |= 1333 (*new_auth_tok)->session_key.flags |=
1334 ECRYPTFS_CONTAINS_ENCRYPTED_KEY; 1334 ECRYPTFS_CONTAINS_ENCRYPTED_KEY;
1335 (*new_auth_tok)->token_type = ECRYPTFS_PRIVATE_KEY; 1335 (*new_auth_tok)->token_type = ECRYPTFS_PRIVATE_KEY;
1336 (*new_auth_tok)->flags = 0; 1336 (*new_auth_tok)->flags = 0;
1337 (*new_auth_tok)->session_key.flags &= 1337 (*new_auth_tok)->session_key.flags &=
1338 ~(ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT); 1338 ~(ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT);
1339 (*new_auth_tok)->session_key.flags &= 1339 (*new_auth_tok)->session_key.flags &=
1340 ~(ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT); 1340 ~(ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT);
1341 list_add(&auth_tok_list_item->list, auth_tok_list); 1341 list_add(&auth_tok_list_item->list, auth_tok_list);
1342 goto out; 1342 goto out;
1343 out_free: 1343 out_free:
1344 (*new_auth_tok) = NULL; 1344 (*new_auth_tok) = NULL;
1345 memset(auth_tok_list_item, 0, 1345 memset(auth_tok_list_item, 0,
1346 sizeof(struct ecryptfs_auth_tok_list_item)); 1346 sizeof(struct ecryptfs_auth_tok_list_item));
1347 kmem_cache_free(ecryptfs_auth_tok_list_item_cache, 1347 kmem_cache_free(ecryptfs_auth_tok_list_item_cache,
1348 auth_tok_list_item); 1348 auth_tok_list_item);
1349 out: 1349 out:
1350 if (rc) 1350 if (rc)
1351 (*packet_size) = 0; 1351 (*packet_size) = 0;
1352 return rc; 1352 return rc;
1353 } 1353 }
1354 1354
1355 /** 1355 /**
1356 * parse_tag_3_packet 1356 * parse_tag_3_packet
1357 * @crypt_stat: The cryptographic context to modify based on packet 1357 * @crypt_stat: The cryptographic context to modify based on packet
1358 * contents. 1358 * contents.
1359 * @data: The raw bytes of the packet. 1359 * @data: The raw bytes of the packet.
1360 * @auth_tok_list: eCryptfs parses packets into authentication tokens; 1360 * @auth_tok_list: eCryptfs parses packets into authentication tokens;
1361 * a new authentication token will be placed at the end 1361 * a new authentication token will be placed at the end
1362 * of this list for this packet. 1362 * of this list for this packet.
1363 * @new_auth_tok: Pointer to a pointer to memory that this function 1363 * @new_auth_tok: Pointer to a pointer to memory that this function
1364 * allocates; sets the memory address of the pointer to 1364 * allocates; sets the memory address of the pointer to
1365 * NULL on error. This object is added to the 1365 * NULL on error. This object is added to the
1366 * auth_tok_list. 1366 * auth_tok_list.
1367 * @packet_size: This function writes the size of the parsed packet 1367 * @packet_size: This function writes the size of the parsed packet
1368 * into this memory location; zero on error. 1368 * into this memory location; zero on error.
1369 * @max_packet_size: maximum number of bytes to parse 1369 * @max_packet_size: maximum number of bytes to parse
1370 * 1370 *
1371 * Returns zero on success; non-zero on error. 1371 * Returns zero on success; non-zero on error.
1372 */ 1372 */
1373 static int 1373 static int
1374 parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_stat, 1374 parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_stat,
1375 unsigned char *data, struct list_head *auth_tok_list, 1375 unsigned char *data, struct list_head *auth_tok_list,
1376 struct ecryptfs_auth_tok **new_auth_tok, 1376 struct ecryptfs_auth_tok **new_auth_tok,
1377 size_t *packet_size, size_t max_packet_size) 1377 size_t *packet_size, size_t max_packet_size)
1378 { 1378 {
1379 size_t body_size; 1379 size_t body_size;
1380 struct ecryptfs_auth_tok_list_item *auth_tok_list_item; 1380 struct ecryptfs_auth_tok_list_item *auth_tok_list_item;
1381 size_t length_size; 1381 size_t length_size;
1382 int rc = 0; 1382 int rc = 0;
1383 1383
1384 (*packet_size) = 0; 1384 (*packet_size) = 0;
1385 (*new_auth_tok) = NULL; 1385 (*new_auth_tok) = NULL;
1386 /** 1386 /**
1387 *This format is inspired by OpenPGP; see RFC 2440 1387 *This format is inspired by OpenPGP; see RFC 2440
1388 * packet tag 3 1388 * packet tag 3
1389 * 1389 *
1390 * Tag 3 identifier (1 byte) 1390 * Tag 3 identifier (1 byte)
1391 * Max Tag 3 packet size (max 3 bytes) 1391 * Max Tag 3 packet size (max 3 bytes)
1392 * Version (1 byte) 1392 * Version (1 byte)
1393 * Cipher code (1 byte) 1393 * Cipher code (1 byte)
1394 * S2K specifier (1 byte) 1394 * S2K specifier (1 byte)
1395 * Hash identifier (1 byte) 1395 * Hash identifier (1 byte)
1396 * Salt (ECRYPTFS_SALT_SIZE) 1396 * Salt (ECRYPTFS_SALT_SIZE)
1397 * Hash iterations (1 byte) 1397 * Hash iterations (1 byte)
1398 * Encrypted key (arbitrary) 1398 * Encrypted key (arbitrary)
1399 * 1399 *
1400 * (ECRYPTFS_SALT_SIZE + 7) minimum packet size 1400 * (ECRYPTFS_SALT_SIZE + 7) minimum packet size
1401 */ 1401 */
1402 if (max_packet_size < (ECRYPTFS_SALT_SIZE + 7)) { 1402 if (max_packet_size < (ECRYPTFS_SALT_SIZE + 7)) {
1403 printk(KERN_ERR "Max packet size too large\n"); 1403 printk(KERN_ERR "Max packet size too large\n");
1404 rc = -EINVAL; 1404 rc = -EINVAL;
1405 goto out; 1405 goto out;
1406 } 1406 }
1407 if (data[(*packet_size)++] != ECRYPTFS_TAG_3_PACKET_TYPE) { 1407 if (data[(*packet_size)++] != ECRYPTFS_TAG_3_PACKET_TYPE) {
1408 printk(KERN_ERR "First byte != 0x%.2x; invalid packet\n", 1408 printk(KERN_ERR "First byte != 0x%.2x; invalid packet\n",
1409 ECRYPTFS_TAG_3_PACKET_TYPE); 1409 ECRYPTFS_TAG_3_PACKET_TYPE);
1410 rc = -EINVAL; 1410 rc = -EINVAL;
1411 goto out; 1411 goto out;
1412 } 1412 }
1413 /* Released: wipe_auth_tok_list called in ecryptfs_parse_packet_set or 1413 /* Released: wipe_auth_tok_list called in ecryptfs_parse_packet_set or
1414 * at end of function upon failure */ 1414 * at end of function upon failure */
1415 auth_tok_list_item = 1415 auth_tok_list_item =
1416 kmem_cache_zalloc(ecryptfs_auth_tok_list_item_cache, GFP_KERNEL); 1416 kmem_cache_zalloc(ecryptfs_auth_tok_list_item_cache, GFP_KERNEL);
1417 if (!auth_tok_list_item) { 1417 if (!auth_tok_list_item) {
1418 printk(KERN_ERR "Unable to allocate memory\n"); 1418 printk(KERN_ERR "Unable to allocate memory\n");
1419 rc = -ENOMEM; 1419 rc = -ENOMEM;
1420 goto out; 1420 goto out;
1421 } 1421 }
1422 (*new_auth_tok) = &auth_tok_list_item->auth_tok; 1422 (*new_auth_tok) = &auth_tok_list_item->auth_tok;
1423 rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size, 1423 rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size,
1424 &length_size); 1424 &length_size);
1425 if (rc) { 1425 if (rc) {
1426 printk(KERN_WARNING "Error parsing packet length; rc = [%d]\n", 1426 printk(KERN_WARNING "Error parsing packet length; rc = [%d]\n",
1427 rc); 1427 rc);
1428 goto out_free; 1428 goto out_free;
1429 } 1429 }
1430 if (unlikely(body_size < (ECRYPTFS_SALT_SIZE + 5))) { 1430 if (unlikely(body_size < (ECRYPTFS_SALT_SIZE + 5))) {
1431 printk(KERN_WARNING "Invalid body size ([%td])\n", body_size); 1431 printk(KERN_WARNING "Invalid body size ([%td])\n", body_size);
1432 rc = -EINVAL; 1432 rc = -EINVAL;
1433 goto out_free; 1433 goto out_free;
1434 } 1434 }
1435 (*packet_size) += length_size; 1435 (*packet_size) += length_size;
1436 if (unlikely((*packet_size) + body_size > max_packet_size)) { 1436 if (unlikely((*packet_size) + body_size > max_packet_size)) {
1437 printk(KERN_ERR "Packet size exceeds max\n"); 1437 printk(KERN_ERR "Packet size exceeds max\n");
1438 rc = -EINVAL; 1438 rc = -EINVAL;
1439 goto out_free; 1439 goto out_free;
1440 } 1440 }
1441 (*new_auth_tok)->session_key.encrypted_key_size = 1441 (*new_auth_tok)->session_key.encrypted_key_size =
1442 (body_size - (ECRYPTFS_SALT_SIZE + 5)); 1442 (body_size - (ECRYPTFS_SALT_SIZE + 5));
1443 if ((*new_auth_tok)->session_key.encrypted_key_size 1443 if ((*new_auth_tok)->session_key.encrypted_key_size
1444 > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) { 1444 > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
1445 printk(KERN_WARNING "Tag 3 packet contains key larger " 1445 printk(KERN_WARNING "Tag 3 packet contains key larger "
1446 "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n"); 1446 "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
1447 rc = -EINVAL; 1447 rc = -EINVAL;
1448 goto out_free; 1448 goto out_free;
1449 } 1449 }
1450 if (unlikely(data[(*packet_size)++] != 0x04)) { 1450 if (unlikely(data[(*packet_size)++] != 0x04)) {
1451 printk(KERN_WARNING "Unknown version number [%d]\n", 1451 printk(KERN_WARNING "Unknown version number [%d]\n",
1452 data[(*packet_size) - 1]); 1452 data[(*packet_size) - 1]);
1453 rc = -EINVAL; 1453 rc = -EINVAL;
1454 goto out_free; 1454 goto out_free;
1455 } 1455 }
1456 rc = ecryptfs_cipher_code_to_string(crypt_stat->cipher, 1456 rc = ecryptfs_cipher_code_to_string(crypt_stat->cipher,
1457 (u16)data[(*packet_size)]); 1457 (u16)data[(*packet_size)]);
1458 if (rc) 1458 if (rc)
1459 goto out_free; 1459 goto out_free;
1460 /* A little extra work to differentiate among the AES key 1460 /* A little extra work to differentiate among the AES key
1461 * sizes; see RFC2440 */ 1461 * sizes; see RFC2440 */
1462 switch(data[(*packet_size)++]) { 1462 switch(data[(*packet_size)++]) {
1463 case RFC2440_CIPHER_AES_192: 1463 case RFC2440_CIPHER_AES_192:
1464 crypt_stat->key_size = 24; 1464 crypt_stat->key_size = 24;
1465 break; 1465 break;
1466 default: 1466 default:
1467 crypt_stat->key_size = 1467 crypt_stat->key_size =
1468 (*new_auth_tok)->session_key.encrypted_key_size; 1468 (*new_auth_tok)->session_key.encrypted_key_size;
1469 } 1469 }
1470 rc = ecryptfs_init_crypt_ctx(crypt_stat); 1470 rc = ecryptfs_init_crypt_ctx(crypt_stat);
1471 if (rc) 1471 if (rc)
1472 goto out_free; 1472 goto out_free;
1473 if (unlikely(data[(*packet_size)++] != 0x03)) { 1473 if (unlikely(data[(*packet_size)++] != 0x03)) {
1474 printk(KERN_WARNING "Only S2K ID 3 is currently supported\n"); 1474 printk(KERN_WARNING "Only S2K ID 3 is currently supported\n");
1475 rc = -ENOSYS; 1475 rc = -ENOSYS;
1476 goto out_free; 1476 goto out_free;
1477 } 1477 }
1478 /* TODO: finish the hash mapping */ 1478 /* TODO: finish the hash mapping */
1479 switch (data[(*packet_size)++]) { 1479 switch (data[(*packet_size)++]) {
1480 case 0x01: /* See RFC2440 for these numbers and their mappings */ 1480 case 0x01: /* See RFC2440 for these numbers and their mappings */
1481 /* Choose MD5 */ 1481 /* Choose MD5 */
1482 memcpy((*new_auth_tok)->token.password.salt, 1482 memcpy((*new_auth_tok)->token.password.salt,
1483 &data[(*packet_size)], ECRYPTFS_SALT_SIZE); 1483 &data[(*packet_size)], ECRYPTFS_SALT_SIZE);
1484 (*packet_size) += ECRYPTFS_SALT_SIZE; 1484 (*packet_size) += ECRYPTFS_SALT_SIZE;
1485 /* This conversion was taken straight from RFC2440 */ 1485 /* This conversion was taken straight from RFC2440 */
1486 (*new_auth_tok)->token.password.hash_iterations = 1486 (*new_auth_tok)->token.password.hash_iterations =
1487 ((u32) 16 + (data[(*packet_size)] & 15)) 1487 ((u32) 16 + (data[(*packet_size)] & 15))
1488 << ((data[(*packet_size)] >> 4) + 6); 1488 << ((data[(*packet_size)] >> 4) + 6);
1489 (*packet_size)++; 1489 (*packet_size)++;
1490 /* Friendly reminder: 1490 /* Friendly reminder:
1491 * (*new_auth_tok)->session_key.encrypted_key_size = 1491 * (*new_auth_tok)->session_key.encrypted_key_size =
1492 * (body_size - (ECRYPTFS_SALT_SIZE + 5)); */ 1492 * (body_size - (ECRYPTFS_SALT_SIZE + 5)); */
1493 memcpy((*new_auth_tok)->session_key.encrypted_key, 1493 memcpy((*new_auth_tok)->session_key.encrypted_key,
1494 &data[(*packet_size)], 1494 &data[(*packet_size)],
1495 (*new_auth_tok)->session_key.encrypted_key_size); 1495 (*new_auth_tok)->session_key.encrypted_key_size);
1496 (*packet_size) += 1496 (*packet_size) +=
1497 (*new_auth_tok)->session_key.encrypted_key_size; 1497 (*new_auth_tok)->session_key.encrypted_key_size;
1498 (*new_auth_tok)->session_key.flags &= 1498 (*new_auth_tok)->session_key.flags &=
1499 ~ECRYPTFS_CONTAINS_DECRYPTED_KEY; 1499 ~ECRYPTFS_CONTAINS_DECRYPTED_KEY;
1500 (*new_auth_tok)->session_key.flags |= 1500 (*new_auth_tok)->session_key.flags |=
1501 ECRYPTFS_CONTAINS_ENCRYPTED_KEY; 1501 ECRYPTFS_CONTAINS_ENCRYPTED_KEY;
1502 (*new_auth_tok)->token.password.hash_algo = 0x01; /* MD5 */ 1502 (*new_auth_tok)->token.password.hash_algo = 0x01; /* MD5 */
1503 break; 1503 break;
1504 default: 1504 default:
1505 ecryptfs_printk(KERN_ERR, "Unsupported hash algorithm: " 1505 ecryptfs_printk(KERN_ERR, "Unsupported hash algorithm: "
1506 "[%d]\n", data[(*packet_size) - 1]); 1506 "[%d]\n", data[(*packet_size) - 1]);
1507 rc = -ENOSYS; 1507 rc = -ENOSYS;
1508 goto out_free; 1508 goto out_free;
1509 } 1509 }
1510 (*new_auth_tok)->token_type = ECRYPTFS_PASSWORD; 1510 (*new_auth_tok)->token_type = ECRYPTFS_PASSWORD;
1511 /* TODO: Parametarize; we might actually want userspace to 1511 /* TODO: Parametarize; we might actually want userspace to
1512 * decrypt the session key. */ 1512 * decrypt the session key. */
1513 (*new_auth_tok)->session_key.flags &= 1513 (*new_auth_tok)->session_key.flags &=
1514 ~(ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT); 1514 ~(ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT);
1515 (*new_auth_tok)->session_key.flags &= 1515 (*new_auth_tok)->session_key.flags &=
1516 ~(ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT); 1516 ~(ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT);
1517 list_add(&auth_tok_list_item->list, auth_tok_list); 1517 list_add(&auth_tok_list_item->list, auth_tok_list);
1518 goto out; 1518 goto out;
1519 out_free: 1519 out_free:
1520 (*new_auth_tok) = NULL; 1520 (*new_auth_tok) = NULL;
1521 memset(auth_tok_list_item, 0, 1521 memset(auth_tok_list_item, 0,
1522 sizeof(struct ecryptfs_auth_tok_list_item)); 1522 sizeof(struct ecryptfs_auth_tok_list_item));
1523 kmem_cache_free(ecryptfs_auth_tok_list_item_cache, 1523 kmem_cache_free(ecryptfs_auth_tok_list_item_cache,
1524 auth_tok_list_item); 1524 auth_tok_list_item);
1525 out: 1525 out:
1526 if (rc) 1526 if (rc)
1527 (*packet_size) = 0; 1527 (*packet_size) = 0;
1528 return rc; 1528 return rc;
1529 } 1529 }
1530 1530
1531 /** 1531 /**
1532 * parse_tag_11_packet 1532 * parse_tag_11_packet
1533 * @data: The raw bytes of the packet 1533 * @data: The raw bytes of the packet
1534 * @contents: This function writes the data contents of the literal 1534 * @contents: This function writes the data contents of the literal
1535 * packet into this memory location 1535 * packet into this memory location
1536 * @max_contents_bytes: The maximum number of bytes that this function 1536 * @max_contents_bytes: The maximum number of bytes that this function
1537 * is allowed to write into contents 1537 * is allowed to write into contents
1538 * @tag_11_contents_size: This function writes the size of the parsed 1538 * @tag_11_contents_size: This function writes the size of the parsed
1539 * contents into this memory location; zero on 1539 * contents into this memory location; zero on
1540 * error 1540 * error
1541 * @packet_size: This function writes the size of the parsed packet 1541 * @packet_size: This function writes the size of the parsed packet
1542 * into this memory location; zero on error 1542 * into this memory location; zero on error
1543 * @max_packet_size: maximum number of bytes to parse 1543 * @max_packet_size: maximum number of bytes to parse
1544 * 1544 *
1545 * Returns zero on success; non-zero on error. 1545 * Returns zero on success; non-zero on error.
1546 */ 1546 */
1547 static int 1547 static int
1548 parse_tag_11_packet(unsigned char *data, unsigned char *contents, 1548 parse_tag_11_packet(unsigned char *data, unsigned char *contents,
1549 size_t max_contents_bytes, size_t *tag_11_contents_size, 1549 size_t max_contents_bytes, size_t *tag_11_contents_size,
1550 size_t *packet_size, size_t max_packet_size) 1550 size_t *packet_size, size_t max_packet_size)
1551 { 1551 {
1552 size_t body_size; 1552 size_t body_size;
1553 size_t length_size; 1553 size_t length_size;
1554 int rc = 0; 1554 int rc = 0;
1555 1555
1556 (*packet_size) = 0; 1556 (*packet_size) = 0;
1557 (*tag_11_contents_size) = 0; 1557 (*tag_11_contents_size) = 0;
1558 /* This format is inspired by OpenPGP; see RFC 2440 1558 /* This format is inspired by OpenPGP; see RFC 2440
1559 * packet tag 11 1559 * packet tag 11
1560 * 1560 *
1561 * Tag 11 identifier (1 byte) 1561 * Tag 11 identifier (1 byte)
1562 * Max Tag 11 packet size (max 3 bytes) 1562 * Max Tag 11 packet size (max 3 bytes)
1563 * Binary format specifier (1 byte) 1563 * Binary format specifier (1 byte)
1564 * Filename length (1 byte) 1564 * Filename length (1 byte)
1565 * Filename ("_CONSOLE") (8 bytes) 1565 * Filename ("_CONSOLE") (8 bytes)
1566 * Modification date (4 bytes) 1566 * Modification date (4 bytes)
1567 * Literal data (arbitrary) 1567 * Literal data (arbitrary)
1568 * 1568 *
1569 * We need at least 16 bytes of data for the packet to even be 1569 * We need at least 16 bytes of data for the packet to even be
1570 * valid. 1570 * valid.
1571 */ 1571 */
1572 if (max_packet_size < 16) { 1572 if (max_packet_size < 16) {
1573 printk(KERN_ERR "Maximum packet size too small\n"); 1573 printk(KERN_ERR "Maximum packet size too small\n");
1574 rc = -EINVAL; 1574 rc = -EINVAL;
1575 goto out; 1575 goto out;
1576 } 1576 }
1577 if (data[(*packet_size)++] != ECRYPTFS_TAG_11_PACKET_TYPE) { 1577 if (data[(*packet_size)++] != ECRYPTFS_TAG_11_PACKET_TYPE) {
1578 printk(KERN_WARNING "Invalid tag 11 packet format\n"); 1578 printk(KERN_WARNING "Invalid tag 11 packet format\n");
1579 rc = -EINVAL; 1579 rc = -EINVAL;
1580 goto out; 1580 goto out;
1581 } 1581 }
1582 rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size, 1582 rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size,
1583 &length_size); 1583 &length_size);
1584 if (rc) { 1584 if (rc) {
1585 printk(KERN_WARNING "Invalid tag 11 packet format\n"); 1585 printk(KERN_WARNING "Invalid tag 11 packet format\n");
1586 goto out; 1586 goto out;
1587 } 1587 }
1588 if (body_size < 14) { 1588 if (body_size < 14) {
1589 printk(KERN_WARNING "Invalid body size ([%td])\n", body_size); 1589 printk(KERN_WARNING "Invalid body size ([%td])\n", body_size);
1590 rc = -EINVAL; 1590 rc = -EINVAL;
1591 goto out; 1591 goto out;
1592 } 1592 }
1593 (*packet_size) += length_size; 1593 (*packet_size) += length_size;
1594 (*tag_11_contents_size) = (body_size - 14); 1594 (*tag_11_contents_size) = (body_size - 14);
1595 if (unlikely((*packet_size) + body_size + 1 > max_packet_size)) { 1595 if (unlikely((*packet_size) + body_size + 1 > max_packet_size)) {
1596 printk(KERN_ERR "Packet size exceeds max\n"); 1596 printk(KERN_ERR "Packet size exceeds max\n");
1597 rc = -EINVAL; 1597 rc = -EINVAL;
1598 goto out; 1598 goto out;
1599 } 1599 }
1600 if (unlikely((*tag_11_contents_size) > max_contents_bytes)) { 1600 if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
1601 printk(KERN_ERR "Literal data section in tag 11 packet exceeds " 1601 printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
1602 "expected size\n"); 1602 "expected size\n");
1603 rc = -EINVAL; 1603 rc = -EINVAL;
1604 goto out; 1604 goto out;
1605 } 1605 }
1606 if (data[(*packet_size)++] != 0x62) { 1606 if (data[(*packet_size)++] != 0x62) {
1607 printk(KERN_WARNING "Unrecognizable packet\n"); 1607 printk(KERN_WARNING "Unrecognizable packet\n");
1608 rc = -EINVAL; 1608 rc = -EINVAL;
1609 goto out; 1609 goto out;
1610 } 1610 }
1611 if (data[(*packet_size)++] != 0x08) { 1611 if (data[(*packet_size)++] != 0x08) {
1612 printk(KERN_WARNING "Unrecognizable packet\n"); 1612 printk(KERN_WARNING "Unrecognizable packet\n");
1613 rc = -EINVAL; 1613 rc = -EINVAL;
1614 goto out; 1614 goto out;
1615 } 1615 }
1616 (*packet_size) += 12; /* Ignore filename and modification date */ 1616 (*packet_size) += 12; /* Ignore filename and modification date */
1617 memcpy(contents, &data[(*packet_size)], (*tag_11_contents_size)); 1617 memcpy(contents, &data[(*packet_size)], (*tag_11_contents_size));
1618 (*packet_size) += (*tag_11_contents_size); 1618 (*packet_size) += (*tag_11_contents_size);
1619 out: 1619 out:
1620 if (rc) { 1620 if (rc) {
1621 (*packet_size) = 0; 1621 (*packet_size) = 0;
1622 (*tag_11_contents_size) = 0; 1622 (*tag_11_contents_size) = 0;
1623 } 1623 }
1624 return rc; 1624 return rc;
1625 } 1625 }
1626 1626
1627 int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key, 1627 int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
1628 struct ecryptfs_auth_tok **auth_tok, 1628 struct ecryptfs_auth_tok **auth_tok,
1629 char *sig) 1629 char *sig)
1630 { 1630 {
1631 int rc = 0; 1631 int rc = 0;
1632 1632
1633 (*auth_tok_key) = request_key(&key_type_user, sig, NULL); 1633 (*auth_tok_key) = request_key(&key_type_user, sig, NULL);
1634 if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) { 1634 if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) {
1635 (*auth_tok_key) = ecryptfs_get_encrypted_key(sig); 1635 (*auth_tok_key) = ecryptfs_get_encrypted_key(sig);
1636 if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) { 1636 if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) {
1637 printk(KERN_ERR "Could not find key with description: [%s]\n", 1637 printk(KERN_ERR "Could not find key with description: [%s]\n",
1638 sig); 1638 sig);
1639 rc = process_request_key_err(PTR_ERR(*auth_tok_key)); 1639 rc = process_request_key_err(PTR_ERR(*auth_tok_key));
1640 (*auth_tok_key) = NULL; 1640 (*auth_tok_key) = NULL;
1641 goto out; 1641 goto out;
1642 } 1642 }
1643 } 1643 }
1644 down_write(&(*auth_tok_key)->sem); 1644 down_write(&(*auth_tok_key)->sem);
1645 rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok); 1645 rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok);
1646 if (rc) { 1646 if (rc) {
1647 up_write(&(*auth_tok_key)->sem); 1647 up_write(&(*auth_tok_key)->sem);
1648 key_put(*auth_tok_key); 1648 key_put(*auth_tok_key);
1649 (*auth_tok_key) = NULL; 1649 (*auth_tok_key) = NULL;
1650 goto out; 1650 goto out;
1651 } 1651 }
1652 out: 1652 out:
1653 return rc; 1653 return rc;
1654 } 1654 }
1655 1655
1656 /** 1656 /**
1657 * decrypt_passphrase_encrypted_session_key - Decrypt the session key with the given auth_tok. 1657 * decrypt_passphrase_encrypted_session_key - Decrypt the session key with the given auth_tok.
1658 * @auth_tok: The passphrase authentication token to use to encrypt the FEK 1658 * @auth_tok: The passphrase authentication token to use to encrypt the FEK
1659 * @crypt_stat: The cryptographic context 1659 * @crypt_stat: The cryptographic context
1660 * 1660 *
1661 * Returns zero on success; non-zero error otherwise 1661 * Returns zero on success; non-zero error otherwise
1662 */ 1662 */
1663 static int 1663 static int
1664 decrypt_passphrase_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok, 1664 decrypt_passphrase_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok,
1665 struct ecryptfs_crypt_stat *crypt_stat) 1665 struct ecryptfs_crypt_stat *crypt_stat)
1666 { 1666 {
1667 struct scatterlist dst_sg[2]; 1667 struct scatterlist dst_sg[2];
1668 struct scatterlist src_sg[2]; 1668 struct scatterlist src_sg[2];
1669 struct mutex *tfm_mutex; 1669 struct mutex *tfm_mutex;
1670 struct blkcipher_desc desc = { 1670 struct blkcipher_desc desc = {
1671 .flags = CRYPTO_TFM_REQ_MAY_SLEEP 1671 .flags = CRYPTO_TFM_REQ_MAY_SLEEP
1672 }; 1672 };
1673 int rc = 0; 1673 int rc = 0;
1674 1674
1675 if (unlikely(ecryptfs_verbosity > 0)) { 1675 if (unlikely(ecryptfs_verbosity > 0)) {
1676 ecryptfs_printk( 1676 ecryptfs_printk(
1677 KERN_DEBUG, "Session key encryption key (size [%d]):\n", 1677 KERN_DEBUG, "Session key encryption key (size [%d]):\n",
1678 auth_tok->token.password.session_key_encryption_key_bytes); 1678 auth_tok->token.password.session_key_encryption_key_bytes);
1679 ecryptfs_dump_hex( 1679 ecryptfs_dump_hex(
1680 auth_tok->token.password.session_key_encryption_key, 1680 auth_tok->token.password.session_key_encryption_key,
1681 auth_tok->token.password.session_key_encryption_key_bytes); 1681 auth_tok->token.password.session_key_encryption_key_bytes);
1682 } 1682 }
1683 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&desc.tfm, &tfm_mutex, 1683 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&desc.tfm, &tfm_mutex,
1684 crypt_stat->cipher); 1684 crypt_stat->cipher);
1685 if (unlikely(rc)) { 1685 if (unlikely(rc)) {
1686 printk(KERN_ERR "Internal error whilst attempting to get " 1686 printk(KERN_ERR "Internal error whilst attempting to get "
1687 "tfm and mutex for cipher name [%s]; rc = [%d]\n", 1687 "tfm and mutex for cipher name [%s]; rc = [%d]\n",
1688 crypt_stat->cipher, rc); 1688 crypt_stat->cipher, rc);
1689 goto out; 1689 goto out;
1690 } 1690 }
1691 rc = virt_to_scatterlist(auth_tok->session_key.encrypted_key, 1691 rc = virt_to_scatterlist(auth_tok->session_key.encrypted_key,
1692 auth_tok->session_key.encrypted_key_size, 1692 auth_tok->session_key.encrypted_key_size,
1693 src_sg, 2); 1693 src_sg, 2);
1694 if (rc < 1 || rc > 2) { 1694 if (rc < 1 || rc > 2) {
1695 printk(KERN_ERR "Internal error whilst attempting to convert " 1695 printk(KERN_ERR "Internal error whilst attempting to convert "
1696 "auth_tok->session_key.encrypted_key to scatterlist; " 1696 "auth_tok->session_key.encrypted_key to scatterlist; "
1697 "expected rc = 1; got rc = [%d]. " 1697 "expected rc = 1; got rc = [%d]. "
1698 "auth_tok->session_key.encrypted_key_size = [%d]\n", rc, 1698 "auth_tok->session_key.encrypted_key_size = [%d]\n", rc,
1699 auth_tok->session_key.encrypted_key_size); 1699 auth_tok->session_key.encrypted_key_size);
1700 goto out; 1700 goto out;
1701 } 1701 }
1702 auth_tok->session_key.decrypted_key_size = 1702 auth_tok->session_key.decrypted_key_size =
1703 auth_tok->session_key.encrypted_key_size; 1703 auth_tok->session_key.encrypted_key_size;
1704 rc = virt_to_scatterlist(auth_tok->session_key.decrypted_key, 1704 rc = virt_to_scatterlist(auth_tok->session_key.decrypted_key,
1705 auth_tok->session_key.decrypted_key_size, 1705 auth_tok->session_key.decrypted_key_size,
1706 dst_sg, 2); 1706 dst_sg, 2);
1707 if (rc < 1 || rc > 2) { 1707 if (rc < 1 || rc > 2) {
1708 printk(KERN_ERR "Internal error whilst attempting to convert " 1708 printk(KERN_ERR "Internal error whilst attempting to convert "
1709 "auth_tok->session_key.decrypted_key to scatterlist; " 1709 "auth_tok->session_key.decrypted_key to scatterlist; "
1710 "expected rc = 1; got rc = [%d]\n", rc); 1710 "expected rc = 1; got rc = [%d]\n", rc);
1711 goto out; 1711 goto out;
1712 } 1712 }
1713 mutex_lock(tfm_mutex); 1713 mutex_lock(tfm_mutex);
1714 rc = crypto_blkcipher_setkey( 1714 rc = crypto_blkcipher_setkey(
1715 desc.tfm, auth_tok->token.password.session_key_encryption_key, 1715 desc.tfm, auth_tok->token.password.session_key_encryption_key,
1716 crypt_stat->key_size); 1716 crypt_stat->key_size);
1717 if (unlikely(rc < 0)) { 1717 if (unlikely(rc < 0)) {
1718 mutex_unlock(tfm_mutex); 1718 mutex_unlock(tfm_mutex);
1719 printk(KERN_ERR "Error setting key for crypto context\n"); 1719 printk(KERN_ERR "Error setting key for crypto context\n");
1720 rc = -EINVAL; 1720 rc = -EINVAL;
1721 goto out; 1721 goto out;
1722 } 1722 }
1723 rc = crypto_blkcipher_decrypt(&desc, dst_sg, src_sg, 1723 rc = crypto_blkcipher_decrypt(&desc, dst_sg, src_sg,
1724 auth_tok->session_key.encrypted_key_size); 1724 auth_tok->session_key.encrypted_key_size);
1725 mutex_unlock(tfm_mutex); 1725 mutex_unlock(tfm_mutex);
1726 if (unlikely(rc)) { 1726 if (unlikely(rc)) {
1727 printk(KERN_ERR "Error decrypting; rc = [%d]\n", rc); 1727 printk(KERN_ERR "Error decrypting; rc = [%d]\n", rc);
1728 goto out; 1728 goto out;
1729 } 1729 }
1730 auth_tok->session_key.flags |= ECRYPTFS_CONTAINS_DECRYPTED_KEY; 1730 auth_tok->session_key.flags |= ECRYPTFS_CONTAINS_DECRYPTED_KEY;
1731 memcpy(crypt_stat->key, auth_tok->session_key.decrypted_key, 1731 memcpy(crypt_stat->key, auth_tok->session_key.decrypted_key,
1732 auth_tok->session_key.decrypted_key_size); 1732 auth_tok->session_key.decrypted_key_size);
1733 crypt_stat->flags |= ECRYPTFS_KEY_VALID; 1733 crypt_stat->flags |= ECRYPTFS_KEY_VALID;
1734 if (unlikely(ecryptfs_verbosity > 0)) { 1734 if (unlikely(ecryptfs_verbosity > 0)) {
1735 ecryptfs_printk(KERN_DEBUG, "FEK of size [%zd]:\n", 1735 ecryptfs_printk(KERN_DEBUG, "FEK of size [%zd]:\n",
1736 crypt_stat->key_size); 1736 crypt_stat->key_size);
1737 ecryptfs_dump_hex(crypt_stat->key, 1737 ecryptfs_dump_hex(crypt_stat->key,
1738 crypt_stat->key_size); 1738 crypt_stat->key_size);
1739 } 1739 }
1740 out: 1740 out:
1741 return rc; 1741 return rc;
1742 } 1742 }
1743 1743
1744 /** 1744 /**
1745 * ecryptfs_parse_packet_set 1745 * ecryptfs_parse_packet_set
1746 * @crypt_stat: The cryptographic context 1746 * @crypt_stat: The cryptographic context
1747 * @src: Virtual address of region of memory containing the packets 1747 * @src: Virtual address of region of memory containing the packets
1748 * @ecryptfs_dentry: The eCryptfs dentry associated with the packet set 1748 * @ecryptfs_dentry: The eCryptfs dentry associated with the packet set
1749 * 1749 *
1750 * Get crypt_stat to have the file's session key if the requisite key 1750 * Get crypt_stat to have the file's session key if the requisite key
1751 * is available to decrypt the session key. 1751 * is available to decrypt the session key.
1752 * 1752 *
1753 * Returns Zero if a valid authentication token was retrieved and 1753 * Returns Zero if a valid authentication token was retrieved and
1754 * processed; negative value for file not encrypted or for error 1754 * processed; negative value for file not encrypted or for error
1755 * conditions. 1755 * conditions.
1756 */ 1756 */
1757 int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat, 1757 int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
1758 unsigned char *src, 1758 unsigned char *src,
1759 struct dentry *ecryptfs_dentry) 1759 struct dentry *ecryptfs_dentry)
1760 { 1760 {
1761 size_t i = 0; 1761 size_t i = 0;
1762 size_t found_auth_tok; 1762 size_t found_auth_tok;
1763 size_t next_packet_is_auth_tok_packet; 1763 size_t next_packet_is_auth_tok_packet;
1764 struct list_head auth_tok_list; 1764 struct list_head auth_tok_list;
1765 struct ecryptfs_auth_tok *matching_auth_tok; 1765 struct ecryptfs_auth_tok *matching_auth_tok;
1766 struct ecryptfs_auth_tok *candidate_auth_tok; 1766 struct ecryptfs_auth_tok *candidate_auth_tok;
1767 char *candidate_auth_tok_sig; 1767 char *candidate_auth_tok_sig;
1768 size_t packet_size; 1768 size_t packet_size;
1769 struct ecryptfs_auth_tok *new_auth_tok; 1769 struct ecryptfs_auth_tok *new_auth_tok;
1770 unsigned char sig_tmp_space[ECRYPTFS_SIG_SIZE]; 1770 unsigned char sig_tmp_space[ECRYPTFS_SIG_SIZE];
1771 struct ecryptfs_auth_tok_list_item *auth_tok_list_item; 1771 struct ecryptfs_auth_tok_list_item *auth_tok_list_item;
1772 size_t tag_11_contents_size; 1772 size_t tag_11_contents_size;
1773 size_t tag_11_packet_size; 1773 size_t tag_11_packet_size;
1774 struct key *auth_tok_key = NULL; 1774 struct key *auth_tok_key = NULL;
1775 int rc = 0; 1775 int rc = 0;
1776 1776
1777 INIT_LIST_HEAD(&auth_tok_list); 1777 INIT_LIST_HEAD(&auth_tok_list);
1778 /* Parse the header to find as many packets as we can; these will be 1778 /* Parse the header to find as many packets as we can; these will be
1779 * added the our &auth_tok_list */ 1779 * added the our &auth_tok_list */
1780 next_packet_is_auth_tok_packet = 1; 1780 next_packet_is_auth_tok_packet = 1;
1781 while (next_packet_is_auth_tok_packet) { 1781 while (next_packet_is_auth_tok_packet) {
1782 size_t max_packet_size = ((PAGE_CACHE_SIZE - 8) - i); 1782 size_t max_packet_size = ((PAGE_CACHE_SIZE - 8) - i);
1783 1783
1784 switch (src[i]) { 1784 switch (src[i]) {
1785 case ECRYPTFS_TAG_3_PACKET_TYPE: 1785 case ECRYPTFS_TAG_3_PACKET_TYPE:
1786 rc = parse_tag_3_packet(crypt_stat, 1786 rc = parse_tag_3_packet(crypt_stat,
1787 (unsigned char *)&src[i], 1787 (unsigned char *)&src[i],
1788 &auth_tok_list, &new_auth_tok, 1788 &auth_tok_list, &new_auth_tok,
1789 &packet_size, max_packet_size); 1789 &packet_size, max_packet_size);
1790 if (rc) { 1790 if (rc) {
1791 ecryptfs_printk(KERN_ERR, "Error parsing " 1791 ecryptfs_printk(KERN_ERR, "Error parsing "
1792 "tag 3 packet\n"); 1792 "tag 3 packet\n");
1793 rc = -EIO; 1793 rc = -EIO;
1794 goto out_wipe_list; 1794 goto out_wipe_list;
1795 } 1795 }
1796 i += packet_size; 1796 i += packet_size;
1797 rc = parse_tag_11_packet((unsigned char *)&src[i], 1797 rc = parse_tag_11_packet((unsigned char *)&src[i],
1798 sig_tmp_space, 1798 sig_tmp_space,
1799 ECRYPTFS_SIG_SIZE, 1799 ECRYPTFS_SIG_SIZE,
1800 &tag_11_contents_size, 1800 &tag_11_contents_size,
1801 &tag_11_packet_size, 1801 &tag_11_packet_size,
1802 max_packet_size); 1802 max_packet_size);
1803 if (rc) { 1803 if (rc) {
1804 ecryptfs_printk(KERN_ERR, "No valid " 1804 ecryptfs_printk(KERN_ERR, "No valid "
1805 "(ecryptfs-specific) literal " 1805 "(ecryptfs-specific) literal "
1806 "packet containing " 1806 "packet containing "
1807 "authentication token " 1807 "authentication token "
1808 "signature found after " 1808 "signature found after "
1809 "tag 3 packet\n"); 1809 "tag 3 packet\n");
1810 rc = -EIO; 1810 rc = -EIO;
1811 goto out_wipe_list; 1811 goto out_wipe_list;
1812 } 1812 }
1813 i += tag_11_packet_size; 1813 i += tag_11_packet_size;
1814 if (ECRYPTFS_SIG_SIZE != tag_11_contents_size) { 1814 if (ECRYPTFS_SIG_SIZE != tag_11_contents_size) {
1815 ecryptfs_printk(KERN_ERR, "Expected " 1815 ecryptfs_printk(KERN_ERR, "Expected "
1816 "signature of size [%d]; " 1816 "signature of size [%d]; "
1817 "read size [%zd]\n", 1817 "read size [%zd]\n",
1818 ECRYPTFS_SIG_SIZE, 1818 ECRYPTFS_SIG_SIZE,
1819 tag_11_contents_size); 1819 tag_11_contents_size);
1820 rc = -EIO; 1820 rc = -EIO;
1821 goto out_wipe_list; 1821 goto out_wipe_list;
1822 } 1822 }
1823 ecryptfs_to_hex(new_auth_tok->token.password.signature, 1823 ecryptfs_to_hex(new_auth_tok->token.password.signature,
1824 sig_tmp_space, tag_11_contents_size); 1824 sig_tmp_space, tag_11_contents_size);
1825 new_auth_tok->token.password.signature[ 1825 new_auth_tok->token.password.signature[
1826 ECRYPTFS_PASSWORD_SIG_SIZE] = '\0'; 1826 ECRYPTFS_PASSWORD_SIG_SIZE] = '\0';
1827 crypt_stat->flags |= ECRYPTFS_ENCRYPTED; 1827 crypt_stat->flags |= ECRYPTFS_ENCRYPTED;
1828 break; 1828 break;
1829 case ECRYPTFS_TAG_1_PACKET_TYPE: 1829 case ECRYPTFS_TAG_1_PACKET_TYPE:
1830 rc = parse_tag_1_packet(crypt_stat, 1830 rc = parse_tag_1_packet(crypt_stat,
1831 (unsigned char *)&src[i], 1831 (unsigned char *)&src[i],
1832 &auth_tok_list, &new_auth_tok, 1832 &auth_tok_list, &new_auth_tok,
1833 &packet_size, max_packet_size); 1833 &packet_size, max_packet_size);
1834 if (rc) { 1834 if (rc) {
1835 ecryptfs_printk(KERN_ERR, "Error parsing " 1835 ecryptfs_printk(KERN_ERR, "Error parsing "
1836 "tag 1 packet\n"); 1836 "tag 1 packet\n");
1837 rc = -EIO; 1837 rc = -EIO;
1838 goto out_wipe_list; 1838 goto out_wipe_list;
1839 } 1839 }
1840 i += packet_size; 1840 i += packet_size;
1841 crypt_stat->flags |= ECRYPTFS_ENCRYPTED; 1841 crypt_stat->flags |= ECRYPTFS_ENCRYPTED;
1842 break; 1842 break;
1843 case ECRYPTFS_TAG_11_PACKET_TYPE: 1843 case ECRYPTFS_TAG_11_PACKET_TYPE:
1844 ecryptfs_printk(KERN_WARNING, "Invalid packet set " 1844 ecryptfs_printk(KERN_WARNING, "Invalid packet set "
1845 "(Tag 11 not allowed by itself)\n"); 1845 "(Tag 11 not allowed by itself)\n");
1846 rc = -EIO; 1846 rc = -EIO;
1847 goto out_wipe_list; 1847 goto out_wipe_list;
1848 default: 1848 default:
1849 ecryptfs_printk(KERN_DEBUG, "No packet at offset [%zd] " 1849 ecryptfs_printk(KERN_DEBUG, "No packet at offset [%zd] "
1850 "of the file header; hex value of " 1850 "of the file header; hex value of "
1851 "character is [0x%.2x]\n", i, src[i]); 1851 "character is [0x%.2x]\n", i, src[i]);
1852 next_packet_is_auth_tok_packet = 0; 1852 next_packet_is_auth_tok_packet = 0;
1853 } 1853 }
1854 } 1854 }
1855 if (list_empty(&auth_tok_list)) { 1855 if (list_empty(&auth_tok_list)) {
1856 printk(KERN_ERR "The lower file appears to be a non-encrypted " 1856 printk(KERN_ERR "The lower file appears to be a non-encrypted "
1857 "eCryptfs file; this is not supported in this version " 1857 "eCryptfs file; this is not supported in this version "
1858 "of the eCryptfs kernel module\n"); 1858 "of the eCryptfs kernel module\n");
1859 rc = -EINVAL; 1859 rc = -EINVAL;
1860 goto out; 1860 goto out;
1861 } 1861 }
1862 /* auth_tok_list contains the set of authentication tokens 1862 /* auth_tok_list contains the set of authentication tokens
1863 * parsed from the metadata. We need to find a matching 1863 * parsed from the metadata. We need to find a matching
1864 * authentication token that has the secret component(s) 1864 * authentication token that has the secret component(s)
1865 * necessary to decrypt the EFEK in the auth_tok parsed from 1865 * necessary to decrypt the EFEK in the auth_tok parsed from
1866 * the metadata. There may be several potential matches, but 1866 * the metadata. There may be several potential matches, but
1867 * just one will be sufficient to decrypt to get the FEK. */ 1867 * just one will be sufficient to decrypt to get the FEK. */
1868 find_next_matching_auth_tok: 1868 find_next_matching_auth_tok:
1869 found_auth_tok = 0; 1869 found_auth_tok = 0;
1870 list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) { 1870 list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) {
1871 candidate_auth_tok = &auth_tok_list_item->auth_tok; 1871 candidate_auth_tok = &auth_tok_list_item->auth_tok;
1872 if (unlikely(ecryptfs_verbosity > 0)) { 1872 if (unlikely(ecryptfs_verbosity > 0)) {
1873 ecryptfs_printk(KERN_DEBUG, 1873 ecryptfs_printk(KERN_DEBUG,
1874 "Considering cadidate auth tok:\n"); 1874 "Considering cadidate auth tok:\n");
1875 ecryptfs_dump_auth_tok(candidate_auth_tok); 1875 ecryptfs_dump_auth_tok(candidate_auth_tok);
1876 } 1876 }
1877 rc = ecryptfs_get_auth_tok_sig(&candidate_auth_tok_sig, 1877 rc = ecryptfs_get_auth_tok_sig(&candidate_auth_tok_sig,
1878 candidate_auth_tok); 1878 candidate_auth_tok);
1879 if (rc) { 1879 if (rc) {
1880 printk(KERN_ERR 1880 printk(KERN_ERR
1881 "Unrecognized candidate auth tok type: [%d]\n", 1881 "Unrecognized candidate auth tok type: [%d]\n",
1882 candidate_auth_tok->token_type); 1882 candidate_auth_tok->token_type);
1883 rc = -EINVAL; 1883 rc = -EINVAL;
1884 goto out_wipe_list; 1884 goto out_wipe_list;
1885 } 1885 }
1886 rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key, 1886 rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key,
1887 &matching_auth_tok, 1887 &matching_auth_tok,
1888 crypt_stat->mount_crypt_stat, 1888 crypt_stat->mount_crypt_stat,
1889 candidate_auth_tok_sig); 1889 candidate_auth_tok_sig);
1890 if (!rc) { 1890 if (!rc) {
1891 found_auth_tok = 1; 1891 found_auth_tok = 1;
1892 goto found_matching_auth_tok; 1892 goto found_matching_auth_tok;
1893 } 1893 }
1894 } 1894 }
1895 if (!found_auth_tok) { 1895 if (!found_auth_tok) {
1896 ecryptfs_printk(KERN_ERR, "Could not find a usable " 1896 ecryptfs_printk(KERN_ERR, "Could not find a usable "
1897 "authentication token\n"); 1897 "authentication token\n");
1898 rc = -EIO; 1898 rc = -EIO;
1899 goto out_wipe_list; 1899 goto out_wipe_list;
1900 } 1900 }
1901 found_matching_auth_tok: 1901 found_matching_auth_tok:
1902 if (candidate_auth_tok->token_type == ECRYPTFS_PRIVATE_KEY) { 1902 if (candidate_auth_tok->token_type == ECRYPTFS_PRIVATE_KEY) {
1903 memcpy(&(candidate_auth_tok->token.private_key), 1903 memcpy(&(candidate_auth_tok->token.private_key),
1904 &(matching_auth_tok->token.private_key), 1904 &(matching_auth_tok->token.private_key),
1905 sizeof(struct ecryptfs_private_key)); 1905 sizeof(struct ecryptfs_private_key));
1906 up_write(&(auth_tok_key->sem)); 1906 up_write(&(auth_tok_key->sem));
1907 key_put(auth_tok_key); 1907 key_put(auth_tok_key);
1908 rc = decrypt_pki_encrypted_session_key(candidate_auth_tok, 1908 rc = decrypt_pki_encrypted_session_key(candidate_auth_tok,
1909 crypt_stat); 1909 crypt_stat);
1910 } else if (candidate_auth_tok->token_type == ECRYPTFS_PASSWORD) { 1910 } else if (candidate_auth_tok->token_type == ECRYPTFS_PASSWORD) {
1911 memcpy(&(candidate_auth_tok->token.password), 1911 memcpy(&(candidate_auth_tok->token.password),
1912 &(matching_auth_tok->token.password), 1912 &(matching_auth_tok->token.password),
1913 sizeof(struct ecryptfs_password)); 1913 sizeof(struct ecryptfs_password));
1914 up_write(&(auth_tok_key->sem)); 1914 up_write(&(auth_tok_key->sem));
1915 key_put(auth_tok_key); 1915 key_put(auth_tok_key);
1916 rc = decrypt_passphrase_encrypted_session_key( 1916 rc = decrypt_passphrase_encrypted_session_key(
1917 candidate_auth_tok, crypt_stat); 1917 candidate_auth_tok, crypt_stat);
1918 } else { 1918 } else {
1919 up_write(&(auth_tok_key->sem)); 1919 up_write(&(auth_tok_key->sem));
1920 key_put(auth_tok_key); 1920 key_put(auth_tok_key);
1921 rc = -EINVAL; 1921 rc = -EINVAL;
1922 } 1922 }
1923 if (rc) { 1923 if (rc) {
1924 struct ecryptfs_auth_tok_list_item *auth_tok_list_item_tmp; 1924 struct ecryptfs_auth_tok_list_item *auth_tok_list_item_tmp;
1925 1925
1926 ecryptfs_printk(KERN_WARNING, "Error decrypting the " 1926 ecryptfs_printk(KERN_WARNING, "Error decrypting the "
1927 "session key for authentication token with sig " 1927 "session key for authentication token with sig "
1928 "[%.*s]; rc = [%d]. Removing auth tok " 1928 "[%.*s]; rc = [%d]. Removing auth tok "
1929 "candidate from the list and searching for " 1929 "candidate from the list and searching for "
1930 "the next match.\n", ECRYPTFS_SIG_SIZE_HEX, 1930 "the next match.\n", ECRYPTFS_SIG_SIZE_HEX,
1931 candidate_auth_tok_sig, rc); 1931 candidate_auth_tok_sig, rc);
1932 list_for_each_entry_safe(auth_tok_list_item, 1932 list_for_each_entry_safe(auth_tok_list_item,
1933 auth_tok_list_item_tmp, 1933 auth_tok_list_item_tmp,
1934 &auth_tok_list, list) { 1934 &auth_tok_list, list) {
1935 if (candidate_auth_tok 1935 if (candidate_auth_tok
1936 == &auth_tok_list_item->auth_tok) { 1936 == &auth_tok_list_item->auth_tok) {
1937 list_del(&auth_tok_list_item->list); 1937 list_del(&auth_tok_list_item->list);
1938 kmem_cache_free( 1938 kmem_cache_free(
1939 ecryptfs_auth_tok_list_item_cache, 1939 ecryptfs_auth_tok_list_item_cache,
1940 auth_tok_list_item); 1940 auth_tok_list_item);
1941 goto find_next_matching_auth_tok; 1941 goto find_next_matching_auth_tok;
1942 } 1942 }
1943 } 1943 }
1944 BUG(); 1944 BUG();
1945 } 1945 }
1946 rc = ecryptfs_compute_root_iv(crypt_stat); 1946 rc = ecryptfs_compute_root_iv(crypt_stat);
1947 if (rc) { 1947 if (rc) {
1948 ecryptfs_printk(KERN_ERR, "Error computing " 1948 ecryptfs_printk(KERN_ERR, "Error computing "
1949 "the root IV\n"); 1949 "the root IV\n");
1950 goto out_wipe_list; 1950 goto out_wipe_list;
1951 } 1951 }
1952 rc = ecryptfs_init_crypt_ctx(crypt_stat); 1952 rc = ecryptfs_init_crypt_ctx(crypt_stat);
1953 if (rc) { 1953 if (rc) {
1954 ecryptfs_printk(KERN_ERR, "Error initializing crypto " 1954 ecryptfs_printk(KERN_ERR, "Error initializing crypto "
1955 "context for cipher [%s]; rc = [%d]\n", 1955 "context for cipher [%s]; rc = [%d]\n",
1956 crypt_stat->cipher, rc); 1956 crypt_stat->cipher, rc);
1957 } 1957 }
1958 out_wipe_list: 1958 out_wipe_list:
1959 wipe_auth_tok_list(&auth_tok_list); 1959 wipe_auth_tok_list(&auth_tok_list);
1960 out: 1960 out:
1961 return rc; 1961 return rc;
1962 } 1962 }
1963 1963
1964 static int 1964 static int
1965 pki_encrypt_session_key(struct key *auth_tok_key, 1965 pki_encrypt_session_key(struct key *auth_tok_key,
1966 struct ecryptfs_auth_tok *auth_tok, 1966 struct ecryptfs_auth_tok *auth_tok,
1967 struct ecryptfs_crypt_stat *crypt_stat, 1967 struct ecryptfs_crypt_stat *crypt_stat,
1968 struct ecryptfs_key_record *key_rec) 1968 struct ecryptfs_key_record *key_rec)
1969 { 1969 {
1970 struct ecryptfs_msg_ctx *msg_ctx = NULL; 1970 struct ecryptfs_msg_ctx *msg_ctx = NULL;
1971 char *payload = NULL; 1971 char *payload = NULL;
1972 size_t payload_len = 0; 1972 size_t payload_len = 0;
1973 struct ecryptfs_message *msg; 1973 struct ecryptfs_message *msg;
1974 int rc; 1974 int rc;
1975 1975
1976 rc = write_tag_66_packet(auth_tok->token.private_key.signature, 1976 rc = write_tag_66_packet(auth_tok->token.private_key.signature,
1977 ecryptfs_code_for_cipher_string( 1977 ecryptfs_code_for_cipher_string(
1978 crypt_stat->cipher, 1978 crypt_stat->cipher,
1979 crypt_stat->key_size), 1979 crypt_stat->key_size),
1980 crypt_stat, &payload, &payload_len); 1980 crypt_stat, &payload, &payload_len);
1981 up_write(&(auth_tok_key->sem)); 1981 up_write(&(auth_tok_key->sem));
1982 key_put(auth_tok_key); 1982 key_put(auth_tok_key);
1983 if (rc) { 1983 if (rc) {
1984 ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet\n"); 1984 ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet\n");
1985 goto out; 1985 goto out;
1986 } 1986 }
1987 rc = ecryptfs_send_message(payload, payload_len, &msg_ctx); 1987 rc = ecryptfs_send_message(payload, payload_len, &msg_ctx);
1988 if (rc) { 1988 if (rc) {
1989 ecryptfs_printk(KERN_ERR, "Error sending message to " 1989 ecryptfs_printk(KERN_ERR, "Error sending message to "
1990 "ecryptfsd: %d\n", rc); 1990 "ecryptfsd: %d\n", rc);
1991 goto out; 1991 goto out;
1992 } 1992 }
1993 rc = ecryptfs_wait_for_response(msg_ctx, &msg); 1993 rc = ecryptfs_wait_for_response(msg_ctx, &msg);
1994 if (rc) { 1994 if (rc) {
1995 ecryptfs_printk(KERN_ERR, "Failed to receive tag 67 packet " 1995 ecryptfs_printk(KERN_ERR, "Failed to receive tag 67 packet "
1996 "from the user space daemon\n"); 1996 "from the user space daemon\n");
1997 rc = -EIO; 1997 rc = -EIO;
1998 goto out; 1998 goto out;
1999 } 1999 }
2000 rc = parse_tag_67_packet(key_rec, msg); 2000 rc = parse_tag_67_packet(key_rec, msg);
2001 if (rc) 2001 if (rc)
2002 ecryptfs_printk(KERN_ERR, "Error parsing tag 67 packet\n"); 2002 ecryptfs_printk(KERN_ERR, "Error parsing tag 67 packet\n");
2003 kfree(msg); 2003 kfree(msg);
2004 out: 2004 out:
2005 kfree(payload); 2005 kfree(payload);
2006 return rc; 2006 return rc;
2007 } 2007 }
2008 /** 2008 /**
2009 * write_tag_1_packet - Write an RFC2440-compatible tag 1 (public key) packet 2009 * write_tag_1_packet - Write an RFC2440-compatible tag 1 (public key) packet
2010 * @dest: Buffer into which to write the packet 2010 * @dest: Buffer into which to write the packet
2011 * @remaining_bytes: Maximum number of bytes that can be writtn 2011 * @remaining_bytes: Maximum number of bytes that can be writtn
2012 * @auth_tok_key: The authentication token key to unlock and put when done with 2012 * @auth_tok_key: The authentication token key to unlock and put when done with
2013 * @auth_tok 2013 * @auth_tok
2014 * @auth_tok: The authentication token used for generating the tag 1 packet 2014 * @auth_tok: The authentication token used for generating the tag 1 packet
2015 * @crypt_stat: The cryptographic context 2015 * @crypt_stat: The cryptographic context
2016 * @key_rec: The key record struct for the tag 1 packet 2016 * @key_rec: The key record struct for the tag 1 packet
2017 * @packet_size: This function will write the number of bytes that end 2017 * @packet_size: This function will write the number of bytes that end
2018 * up constituting the packet; set to zero on error 2018 * up constituting the packet; set to zero on error
2019 * 2019 *
2020 * Returns zero on success; non-zero on error. 2020 * Returns zero on success; non-zero on error.
2021 */ 2021 */
2022 static int 2022 static int
2023 write_tag_1_packet(char *dest, size_t *remaining_bytes, 2023 write_tag_1_packet(char *dest, size_t *remaining_bytes,
2024 struct key *auth_tok_key, struct ecryptfs_auth_tok *auth_tok, 2024 struct key *auth_tok_key, struct ecryptfs_auth_tok *auth_tok,
2025 struct ecryptfs_crypt_stat *crypt_stat, 2025 struct ecryptfs_crypt_stat *crypt_stat,
2026 struct ecryptfs_key_record *key_rec, size_t *packet_size) 2026 struct ecryptfs_key_record *key_rec, size_t *packet_size)
2027 { 2027 {
2028 size_t i; 2028 size_t i;
2029 size_t encrypted_session_key_valid = 0; 2029 size_t encrypted_session_key_valid = 0;
2030 size_t packet_size_length; 2030 size_t packet_size_length;
2031 size_t max_packet_size; 2031 size_t max_packet_size;
2032 int rc = 0; 2032 int rc = 0;
2033 2033
2034 (*packet_size) = 0; 2034 (*packet_size) = 0;
2035 ecryptfs_from_hex(key_rec->sig, auth_tok->token.private_key.signature, 2035 ecryptfs_from_hex(key_rec->sig, auth_tok->token.private_key.signature,
2036 ECRYPTFS_SIG_SIZE); 2036 ECRYPTFS_SIG_SIZE);
2037 encrypted_session_key_valid = 0; 2037 encrypted_session_key_valid = 0;
2038 for (i = 0; i < crypt_stat->key_size; i++) 2038 for (i = 0; i < crypt_stat->key_size; i++)
2039 encrypted_session_key_valid |= 2039 encrypted_session_key_valid |=
2040 auth_tok->session_key.encrypted_key[i]; 2040 auth_tok->session_key.encrypted_key[i];
2041 if (encrypted_session_key_valid) { 2041 if (encrypted_session_key_valid) {
2042 memcpy(key_rec->enc_key, 2042 memcpy(key_rec->enc_key,
2043 auth_tok->session_key.encrypted_key, 2043 auth_tok->session_key.encrypted_key,
2044 auth_tok->session_key.encrypted_key_size); 2044 auth_tok->session_key.encrypted_key_size);
2045 up_write(&(auth_tok_key->sem)); 2045 up_write(&(auth_tok_key->sem));
2046 key_put(auth_tok_key); 2046 key_put(auth_tok_key);
2047 goto encrypted_session_key_set; 2047 goto encrypted_session_key_set;
2048 } 2048 }
2049 if (auth_tok->session_key.encrypted_key_size == 0) 2049 if (auth_tok->session_key.encrypted_key_size == 0)
2050 auth_tok->session_key.encrypted_key_size = 2050 auth_tok->session_key.encrypted_key_size =
2051 auth_tok->token.private_key.key_size; 2051 auth_tok->token.private_key.key_size;
2052 rc = pki_encrypt_session_key(auth_tok_key, auth_tok, crypt_stat, 2052 rc = pki_encrypt_session_key(auth_tok_key, auth_tok, crypt_stat,
2053 key_rec); 2053 key_rec);
2054 if (rc) { 2054 if (rc) {
2055 printk(KERN_ERR "Failed to encrypt session key via a key " 2055 printk(KERN_ERR "Failed to encrypt session key via a key "
2056 "module; rc = [%d]\n", rc); 2056 "module; rc = [%d]\n", rc);
2057 goto out; 2057 goto out;
2058 } 2058 }
2059 if (ecryptfs_verbosity > 0) { 2059 if (ecryptfs_verbosity > 0) {
2060 ecryptfs_printk(KERN_DEBUG, "Encrypted key:\n"); 2060 ecryptfs_printk(KERN_DEBUG, "Encrypted key:\n");
2061 ecryptfs_dump_hex(key_rec->enc_key, key_rec->enc_key_size); 2061 ecryptfs_dump_hex(key_rec->enc_key, key_rec->enc_key_size);
2062 } 2062 }
2063 encrypted_session_key_set: 2063 encrypted_session_key_set:
2064 /* This format is inspired by OpenPGP; see RFC 2440 2064 /* This format is inspired by OpenPGP; see RFC 2440
2065 * packet tag 1 */ 2065 * packet tag 1 */
2066 max_packet_size = (1 /* Tag 1 identifier */ 2066 max_packet_size = (1 /* Tag 1 identifier */
2067 + 3 /* Max Tag 1 packet size */ 2067 + 3 /* Max Tag 1 packet size */
2068 + 1 /* Version */ 2068 + 1 /* Version */
2069 + ECRYPTFS_SIG_SIZE /* Key identifier */ 2069 + ECRYPTFS_SIG_SIZE /* Key identifier */
2070 + 1 /* Cipher identifier */ 2070 + 1 /* Cipher identifier */
2071 + key_rec->enc_key_size); /* Encrypted key size */ 2071 + key_rec->enc_key_size); /* Encrypted key size */
2072 if (max_packet_size > (*remaining_bytes)) { 2072 if (max_packet_size > (*remaining_bytes)) {
2073 printk(KERN_ERR "Packet length larger than maximum allowable; " 2073 printk(KERN_ERR "Packet length larger than maximum allowable; "
2074 "need up to [%td] bytes, but there are only [%td] " 2074 "need up to [%td] bytes, but there are only [%td] "
2075 "available\n", max_packet_size, (*remaining_bytes)); 2075 "available\n", max_packet_size, (*remaining_bytes));
2076 rc = -EINVAL; 2076 rc = -EINVAL;
2077 goto out; 2077 goto out;
2078 } 2078 }
2079 dest[(*packet_size)++] = ECRYPTFS_TAG_1_PACKET_TYPE; 2079 dest[(*packet_size)++] = ECRYPTFS_TAG_1_PACKET_TYPE;
2080 rc = ecryptfs_write_packet_length(&dest[(*packet_size)], 2080 rc = ecryptfs_write_packet_length(&dest[(*packet_size)],
2081 (max_packet_size - 4), 2081 (max_packet_size - 4),
2082 &packet_size_length); 2082 &packet_size_length);
2083 if (rc) { 2083 if (rc) {
2084 ecryptfs_printk(KERN_ERR, "Error generating tag 1 packet " 2084 ecryptfs_printk(KERN_ERR, "Error generating tag 1 packet "
2085 "header; cannot generate packet length\n"); 2085 "header; cannot generate packet length\n");
2086 goto out; 2086 goto out;
2087 } 2087 }
2088 (*packet_size) += packet_size_length; 2088 (*packet_size) += packet_size_length;
2089 dest[(*packet_size)++] = 0x03; /* version 3 */ 2089 dest[(*packet_size)++] = 0x03; /* version 3 */
2090 memcpy(&dest[(*packet_size)], key_rec->sig, ECRYPTFS_SIG_SIZE); 2090 memcpy(&dest[(*packet_size)], key_rec->sig, ECRYPTFS_SIG_SIZE);
2091 (*packet_size) += ECRYPTFS_SIG_SIZE; 2091 (*packet_size) += ECRYPTFS_SIG_SIZE;
2092 dest[(*packet_size)++] = RFC2440_CIPHER_RSA; 2092 dest[(*packet_size)++] = RFC2440_CIPHER_RSA;
2093 memcpy(&dest[(*packet_size)], key_rec->enc_key, 2093 memcpy(&dest[(*packet_size)], key_rec->enc_key,
2094 key_rec->enc_key_size); 2094 key_rec->enc_key_size);
2095 (*packet_size) += key_rec->enc_key_size; 2095 (*packet_size) += key_rec->enc_key_size;
2096 out: 2096 out:
2097 if (rc) 2097 if (rc)
2098 (*packet_size) = 0; 2098 (*packet_size) = 0;
2099 else 2099 else
2100 (*remaining_bytes) -= (*packet_size); 2100 (*remaining_bytes) -= (*packet_size);
2101 return rc; 2101 return rc;
2102 } 2102 }
2103 2103
2104 /** 2104 /**
2105 * write_tag_11_packet 2105 * write_tag_11_packet
2106 * @dest: Target into which Tag 11 packet is to be written 2106 * @dest: Target into which Tag 11 packet is to be written
2107 * @remaining_bytes: Maximum packet length 2107 * @remaining_bytes: Maximum packet length
2108 * @contents: Byte array of contents to copy in 2108 * @contents: Byte array of contents to copy in
2109 * @contents_length: Number of bytes in contents 2109 * @contents_length: Number of bytes in contents
2110 * @packet_length: Length of the Tag 11 packet written; zero on error 2110 * @packet_length: Length of the Tag 11 packet written; zero on error
2111 * 2111 *
2112 * Returns zero on success; non-zero on error. 2112 * Returns zero on success; non-zero on error.
2113 */ 2113 */
2114 static int 2114 static int
2115 write_tag_11_packet(char *dest, size_t *remaining_bytes, char *contents, 2115 write_tag_11_packet(char *dest, size_t *remaining_bytes, char *contents,
2116 size_t contents_length, size_t *packet_length) 2116 size_t contents_length, size_t *packet_length)
2117 { 2117 {
2118 size_t packet_size_length; 2118 size_t packet_size_length;
2119 size_t max_packet_size; 2119 size_t max_packet_size;
2120 int rc = 0; 2120 int rc = 0;
2121 2121
2122 (*packet_length) = 0; 2122 (*packet_length) = 0;
2123 /* This format is inspired by OpenPGP; see RFC 2440 2123 /* This format is inspired by OpenPGP; see RFC 2440
2124 * packet tag 11 */ 2124 * packet tag 11 */
2125 max_packet_size = (1 /* Tag 11 identifier */ 2125 max_packet_size = (1 /* Tag 11 identifier */
2126 + 3 /* Max Tag 11 packet size */ 2126 + 3 /* Max Tag 11 packet size */
2127 + 1 /* Binary format specifier */ 2127 + 1 /* Binary format specifier */
2128 + 1 /* Filename length */ 2128 + 1 /* Filename length */
2129 + 8 /* Filename ("_CONSOLE") */ 2129 + 8 /* Filename ("_CONSOLE") */
2130 + 4 /* Modification date */ 2130 + 4 /* Modification date */
2131 + contents_length); /* Literal data */ 2131 + contents_length); /* Literal data */
2132 if (max_packet_size > (*remaining_bytes)) { 2132 if (max_packet_size > (*remaining_bytes)) {
2133 printk(KERN_ERR "Packet length larger than maximum allowable; " 2133 printk(KERN_ERR "Packet length larger than maximum allowable; "
2134 "need up to [%td] bytes, but there are only [%td] " 2134 "need up to [%td] bytes, but there are only [%td] "
2135 "available\n", max_packet_size, (*remaining_bytes)); 2135 "available\n", max_packet_size, (*remaining_bytes));
2136 rc = -EINVAL; 2136 rc = -EINVAL;
2137 goto out; 2137 goto out;
2138 } 2138 }
2139 dest[(*packet_length)++] = ECRYPTFS_TAG_11_PACKET_TYPE; 2139 dest[(*packet_length)++] = ECRYPTFS_TAG_11_PACKET_TYPE;
2140 rc = ecryptfs_write_packet_length(&dest[(*packet_length)], 2140 rc = ecryptfs_write_packet_length(&dest[(*packet_length)],
2141 (max_packet_size - 4), 2141 (max_packet_size - 4),
2142 &packet_size_length); 2142 &packet_size_length);
2143 if (rc) { 2143 if (rc) {
2144 printk(KERN_ERR "Error generating tag 11 packet header; cannot " 2144 printk(KERN_ERR "Error generating tag 11 packet header; cannot "
2145 "generate packet length. rc = [%d]\n", rc); 2145 "generate packet length. rc = [%d]\n", rc);
2146 goto out; 2146 goto out;
2147 } 2147 }
2148 (*packet_length) += packet_size_length; 2148 (*packet_length) += packet_size_length;
2149 dest[(*packet_length)++] = 0x62; /* binary data format specifier */ 2149 dest[(*packet_length)++] = 0x62; /* binary data format specifier */
2150 dest[(*packet_length)++] = 8; 2150 dest[(*packet_length)++] = 8;
2151 memcpy(&dest[(*packet_length)], "_CONSOLE", 8); 2151 memcpy(&dest[(*packet_length)], "_CONSOLE", 8);
2152 (*packet_length) += 8; 2152 (*packet_length) += 8;
2153 memset(&dest[(*packet_length)], 0x00, 4); 2153 memset(&dest[(*packet_length)], 0x00, 4);
2154 (*packet_length) += 4; 2154 (*packet_length) += 4;
2155 memcpy(&dest[(*packet_length)], contents, contents_length); 2155 memcpy(&dest[(*packet_length)], contents, contents_length);
2156 (*packet_length) += contents_length; 2156 (*packet_length) += contents_length;
2157 out: 2157 out:
2158 if (rc) 2158 if (rc)
2159 (*packet_length) = 0; 2159 (*packet_length) = 0;
2160 else 2160 else
2161 (*remaining_bytes) -= (*packet_length); 2161 (*remaining_bytes) -= (*packet_length);
2162 return rc; 2162 return rc;
2163 } 2163 }
2164 2164
2165 /** 2165 /**
2166 * write_tag_3_packet 2166 * write_tag_3_packet
2167 * @dest: Buffer into which to write the packet 2167 * @dest: Buffer into which to write the packet
2168 * @remaining_bytes: Maximum number of bytes that can be written 2168 * @remaining_bytes: Maximum number of bytes that can be written
2169 * @auth_tok: Authentication token 2169 * @auth_tok: Authentication token
2170 * @crypt_stat: The cryptographic context 2170 * @crypt_stat: The cryptographic context
2171 * @key_rec: encrypted key 2171 * @key_rec: encrypted key
2172 * @packet_size: This function will write the number of bytes that end 2172 * @packet_size: This function will write the number of bytes that end
2173 * up constituting the packet; set to zero on error 2173 * up constituting the packet; set to zero on error
2174 * 2174 *
2175 * Returns zero on success; non-zero on error. 2175 * Returns zero on success; non-zero on error.
2176 */ 2176 */
2177 static int 2177 static int
2178 write_tag_3_packet(char *dest, size_t *remaining_bytes, 2178 write_tag_3_packet(char *dest, size_t *remaining_bytes,
2179 struct ecryptfs_auth_tok *auth_tok, 2179 struct ecryptfs_auth_tok *auth_tok,
2180 struct ecryptfs_crypt_stat *crypt_stat, 2180 struct ecryptfs_crypt_stat *crypt_stat,
2181 struct ecryptfs_key_record *key_rec, size_t *packet_size) 2181 struct ecryptfs_key_record *key_rec, size_t *packet_size)
2182 { 2182 {
2183 size_t i; 2183 size_t i;
2184 size_t encrypted_session_key_valid = 0; 2184 size_t encrypted_session_key_valid = 0;
2185 char session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES]; 2185 char session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES];
2186 struct scatterlist dst_sg[2]; 2186 struct scatterlist dst_sg[2];
2187 struct scatterlist src_sg[2]; 2187 struct scatterlist src_sg[2];
2188 struct mutex *tfm_mutex = NULL; 2188 struct mutex *tfm_mutex = NULL;
2189 u8 cipher_code; 2189 u8 cipher_code;
2190 size_t packet_size_length; 2190 size_t packet_size_length;
2191 size_t max_packet_size; 2191 size_t max_packet_size;
2192 struct ecryptfs_mount_crypt_stat *mount_crypt_stat = 2192 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
2193 crypt_stat->mount_crypt_stat; 2193 crypt_stat->mount_crypt_stat;
2194 struct blkcipher_desc desc = { 2194 struct blkcipher_desc desc = {
2195 .tfm = NULL, 2195 .tfm = NULL,
2196 .flags = CRYPTO_TFM_REQ_MAY_SLEEP 2196 .flags = CRYPTO_TFM_REQ_MAY_SLEEP
2197 }; 2197 };
2198 int rc = 0; 2198 int rc = 0;
2199 2199
2200 (*packet_size) = 0; 2200 (*packet_size) = 0;
2201 ecryptfs_from_hex(key_rec->sig, auth_tok->token.password.signature, 2201 ecryptfs_from_hex(key_rec->sig, auth_tok->token.password.signature,
2202 ECRYPTFS_SIG_SIZE); 2202 ECRYPTFS_SIG_SIZE);
2203 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&desc.tfm, &tfm_mutex, 2203 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&desc.tfm, &tfm_mutex,
2204 crypt_stat->cipher); 2204 crypt_stat->cipher);
2205 if (unlikely(rc)) { 2205 if (unlikely(rc)) {
2206 printk(KERN_ERR "Internal error whilst attempting to get " 2206 printk(KERN_ERR "Internal error whilst attempting to get "
2207 "tfm and mutex for cipher name [%s]; rc = [%d]\n", 2207 "tfm and mutex for cipher name [%s]; rc = [%d]\n",
2208 crypt_stat->cipher, rc); 2208 crypt_stat->cipher, rc);
2209 goto out; 2209 goto out;
2210 } 2210 }
2211 if (mount_crypt_stat->global_default_cipher_key_size == 0) { 2211 if (mount_crypt_stat->global_default_cipher_key_size == 0) {
2212 struct blkcipher_alg *alg = crypto_blkcipher_alg(desc.tfm); 2212 struct blkcipher_alg *alg = crypto_blkcipher_alg(desc.tfm);
2213 2213
2214 printk(KERN_WARNING "No key size specified at mount; " 2214 printk(KERN_WARNING "No key size specified at mount; "
2215 "defaulting to [%d]\n", alg->max_keysize); 2215 "defaulting to [%d]\n", alg->max_keysize);
2216 mount_crypt_stat->global_default_cipher_key_size = 2216 mount_crypt_stat->global_default_cipher_key_size =
2217 alg->max_keysize; 2217 alg->max_keysize;
2218 } 2218 }
2219 if (crypt_stat->key_size == 0) 2219 if (crypt_stat->key_size == 0)
2220 crypt_stat->key_size = 2220 crypt_stat->key_size =
2221 mount_crypt_stat->global_default_cipher_key_size; 2221 mount_crypt_stat->global_default_cipher_key_size;
2222 if (auth_tok->session_key.encrypted_key_size == 0) 2222 if (auth_tok->session_key.encrypted_key_size == 0)
2223 auth_tok->session_key.encrypted_key_size = 2223 auth_tok->session_key.encrypted_key_size =
2224 crypt_stat->key_size; 2224 crypt_stat->key_size;
2225 if (crypt_stat->key_size == 24 2225 if (crypt_stat->key_size == 24
2226 && strcmp("aes", crypt_stat->cipher) == 0) { 2226 && strcmp("aes", crypt_stat->cipher) == 0) {
2227 memset((crypt_stat->key + 24), 0, 8); 2227 memset((crypt_stat->key + 24), 0, 8);
2228 auth_tok->session_key.encrypted_key_size = 32; 2228 auth_tok->session_key.encrypted_key_size = 32;
2229 } else 2229 } else
2230 auth_tok->session_key.encrypted_key_size = crypt_stat->key_size; 2230 auth_tok->session_key.encrypted_key_size = crypt_stat->key_size;
2231 key_rec->enc_key_size = 2231 key_rec->enc_key_size =
2232 auth_tok->session_key.encrypted_key_size; 2232 auth_tok->session_key.encrypted_key_size;
2233 encrypted_session_key_valid = 0; 2233 encrypted_session_key_valid = 0;
2234 for (i = 0; i < auth_tok->session_key.encrypted_key_size; i++) 2234 for (i = 0; i < auth_tok->session_key.encrypted_key_size; i++)
2235 encrypted_session_key_valid |= 2235 encrypted_session_key_valid |=
2236 auth_tok->session_key.encrypted_key[i]; 2236 auth_tok->session_key.encrypted_key[i];
2237 if (encrypted_session_key_valid) { 2237 if (encrypted_session_key_valid) {
2238 ecryptfs_printk(KERN_DEBUG, "encrypted_session_key_valid != 0; " 2238 ecryptfs_printk(KERN_DEBUG, "encrypted_session_key_valid != 0; "
2239 "using auth_tok->session_key.encrypted_key, " 2239 "using auth_tok->session_key.encrypted_key, "
2240 "where key_rec->enc_key_size = [%zd]\n", 2240 "where key_rec->enc_key_size = [%zd]\n",
2241 key_rec->enc_key_size); 2241 key_rec->enc_key_size);
2242 memcpy(key_rec->enc_key, 2242 memcpy(key_rec->enc_key,
2243 auth_tok->session_key.encrypted_key, 2243 auth_tok->session_key.encrypted_key,
2244 key_rec->enc_key_size); 2244 key_rec->enc_key_size);
2245 goto encrypted_session_key_set; 2245 goto encrypted_session_key_set;
2246 } 2246 }
2247 if (auth_tok->token.password.flags & 2247 if (auth_tok->token.password.flags &
2248 ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET) { 2248 ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET) {
2249 ecryptfs_printk(KERN_DEBUG, "Using previously generated " 2249 ecryptfs_printk(KERN_DEBUG, "Using previously generated "
2250 "session key encryption key of size [%d]\n", 2250 "session key encryption key of size [%d]\n",
2251 auth_tok->token.password. 2251 auth_tok->token.password.
2252 session_key_encryption_key_bytes); 2252 session_key_encryption_key_bytes);
2253 memcpy(session_key_encryption_key, 2253 memcpy(session_key_encryption_key,
2254 auth_tok->token.password.session_key_encryption_key, 2254 auth_tok->token.password.session_key_encryption_key,
2255 crypt_stat->key_size); 2255 crypt_stat->key_size);
2256 ecryptfs_printk(KERN_DEBUG, 2256 ecryptfs_printk(KERN_DEBUG,
2257 "Cached session key encryption key:\n"); 2257 "Cached session key encryption key:\n");
2258 if (ecryptfs_verbosity > 0) 2258 if (ecryptfs_verbosity > 0)
2259 ecryptfs_dump_hex(session_key_encryption_key, 16); 2259 ecryptfs_dump_hex(session_key_encryption_key, 16);
2260 } 2260 }
2261 if (unlikely(ecryptfs_verbosity > 0)) { 2261 if (unlikely(ecryptfs_verbosity > 0)) {
2262 ecryptfs_printk(KERN_DEBUG, "Session key encryption key:\n"); 2262 ecryptfs_printk(KERN_DEBUG, "Session key encryption key:\n");
2263 ecryptfs_dump_hex(session_key_encryption_key, 16); 2263 ecryptfs_dump_hex(session_key_encryption_key, 16);
2264 } 2264 }
2265 rc = virt_to_scatterlist(crypt_stat->key, key_rec->enc_key_size, 2265 rc = virt_to_scatterlist(crypt_stat->key, key_rec->enc_key_size,
2266 src_sg, 2); 2266 src_sg, 2);
2267 if (rc < 1 || rc > 2) { 2267 if (rc < 1 || rc > 2) {
2268 ecryptfs_printk(KERN_ERR, "Error generating scatterlist " 2268 ecryptfs_printk(KERN_ERR, "Error generating scatterlist "
2269 "for crypt_stat session key; expected rc = 1; " 2269 "for crypt_stat session key; expected rc = 1; "
2270 "got rc = [%d]. key_rec->enc_key_size = [%zd]\n", 2270 "got rc = [%d]. key_rec->enc_key_size = [%zd]\n",
2271 rc, key_rec->enc_key_size); 2271 rc, key_rec->enc_key_size);
2272 rc = -ENOMEM; 2272 rc = -ENOMEM;
2273 goto out; 2273 goto out;
2274 } 2274 }
2275 rc = virt_to_scatterlist(key_rec->enc_key, key_rec->enc_key_size, 2275 rc = virt_to_scatterlist(key_rec->enc_key, key_rec->enc_key_size,
2276 dst_sg, 2); 2276 dst_sg, 2);
2277 if (rc < 1 || rc > 2) { 2277 if (rc < 1 || rc > 2) {
2278 ecryptfs_printk(KERN_ERR, "Error generating scatterlist " 2278 ecryptfs_printk(KERN_ERR, "Error generating scatterlist "
2279 "for crypt_stat encrypted session key; " 2279 "for crypt_stat encrypted session key; "
2280 "expected rc = 1; got rc = [%d]. " 2280 "expected rc = 1; got rc = [%d]. "
2281 "key_rec->enc_key_size = [%zd]\n", rc, 2281 "key_rec->enc_key_size = [%zd]\n", rc,
2282 key_rec->enc_key_size); 2282 key_rec->enc_key_size);
2283 rc = -ENOMEM; 2283 rc = -ENOMEM;
2284 goto out; 2284 goto out;
2285 } 2285 }
2286 mutex_lock(tfm_mutex); 2286 mutex_lock(tfm_mutex);
2287 rc = crypto_blkcipher_setkey(desc.tfm, session_key_encryption_key, 2287 rc = crypto_blkcipher_setkey(desc.tfm, session_key_encryption_key,
2288 crypt_stat->key_size); 2288 crypt_stat->key_size);
2289 if (rc < 0) { 2289 if (rc < 0) {
2290 mutex_unlock(tfm_mutex); 2290 mutex_unlock(tfm_mutex);
2291 ecryptfs_printk(KERN_ERR, "Error setting key for crypto " 2291 ecryptfs_printk(KERN_ERR, "Error setting key for crypto "
2292 "context; rc = [%d]\n", rc); 2292 "context; rc = [%d]\n", rc);
2293 goto out; 2293 goto out;
2294 } 2294 }
2295 rc = 0; 2295 rc = 0;
2296 ecryptfs_printk(KERN_DEBUG, "Encrypting [%zd] bytes of the key\n", 2296 ecryptfs_printk(KERN_DEBUG, "Encrypting [%zd] bytes of the key\n",
2297 crypt_stat->key_size); 2297 crypt_stat->key_size);
2298 rc = crypto_blkcipher_encrypt(&desc, dst_sg, src_sg, 2298 rc = crypto_blkcipher_encrypt(&desc, dst_sg, src_sg,
2299 (*key_rec).enc_key_size); 2299 (*key_rec).enc_key_size);
2300 mutex_unlock(tfm_mutex); 2300 mutex_unlock(tfm_mutex);
2301 if (rc) { 2301 if (rc) {
2302 printk(KERN_ERR "Error encrypting; rc = [%d]\n", rc); 2302 printk(KERN_ERR "Error encrypting; rc = [%d]\n", rc);
2303 goto out; 2303 goto out;
2304 } 2304 }
2305 ecryptfs_printk(KERN_DEBUG, "This should be the encrypted key:\n"); 2305 ecryptfs_printk(KERN_DEBUG, "This should be the encrypted key:\n");
2306 if (ecryptfs_verbosity > 0) { 2306 if (ecryptfs_verbosity > 0) {
2307 ecryptfs_printk(KERN_DEBUG, "EFEK of size [%zd]:\n", 2307 ecryptfs_printk(KERN_DEBUG, "EFEK of size [%zd]:\n",
2308 key_rec->enc_key_size); 2308 key_rec->enc_key_size);
2309 ecryptfs_dump_hex(key_rec->enc_key, 2309 ecryptfs_dump_hex(key_rec->enc_key,
2310 key_rec->enc_key_size); 2310 key_rec->enc_key_size);
2311 } 2311 }
2312 encrypted_session_key_set: 2312 encrypted_session_key_set:
2313 /* This format is inspired by OpenPGP; see RFC 2440 2313 /* This format is inspired by OpenPGP; see RFC 2440
2314 * packet tag 3 */ 2314 * packet tag 3 */
2315 max_packet_size = (1 /* Tag 3 identifier */ 2315 max_packet_size = (1 /* Tag 3 identifier */
2316 + 3 /* Max Tag 3 packet size */ 2316 + 3 /* Max Tag 3 packet size */
2317 + 1 /* Version */ 2317 + 1 /* Version */
2318 + 1 /* Cipher code */ 2318 + 1 /* Cipher code */
2319 + 1 /* S2K specifier */ 2319 + 1 /* S2K specifier */
2320 + 1 /* Hash identifier */ 2320 + 1 /* Hash identifier */
2321 + ECRYPTFS_SALT_SIZE /* Salt */ 2321 + ECRYPTFS_SALT_SIZE /* Salt */
2322 + 1 /* Hash iterations */ 2322 + 1 /* Hash iterations */
2323 + key_rec->enc_key_size); /* Encrypted key size */ 2323 + key_rec->enc_key_size); /* Encrypted key size */
2324 if (max_packet_size > (*remaining_bytes)) { 2324 if (max_packet_size > (*remaining_bytes)) {
2325 printk(KERN_ERR "Packet too large; need up to [%td] bytes, but " 2325 printk(KERN_ERR "Packet too large; need up to [%td] bytes, but "
2326 "there are only [%td] available\n", max_packet_size, 2326 "there are only [%td] available\n", max_packet_size,
2327 (*remaining_bytes)); 2327 (*remaining_bytes));
2328 rc = -EINVAL; 2328 rc = -EINVAL;
2329 goto out; 2329 goto out;
2330 } 2330 }
2331 dest[(*packet_size)++] = ECRYPTFS_TAG_3_PACKET_TYPE; 2331 dest[(*packet_size)++] = ECRYPTFS_TAG_3_PACKET_TYPE;
2332 /* Chop off the Tag 3 identifier(1) and Tag 3 packet size(3) 2332 /* Chop off the Tag 3 identifier(1) and Tag 3 packet size(3)
2333 * to get the number of octets in the actual Tag 3 packet */ 2333 * to get the number of octets in the actual Tag 3 packet */
2334 rc = ecryptfs_write_packet_length(&dest[(*packet_size)], 2334 rc = ecryptfs_write_packet_length(&dest[(*packet_size)],
2335 (max_packet_size - 4), 2335 (max_packet_size - 4),
2336 &packet_size_length); 2336 &packet_size_length);
2337 if (rc) { 2337 if (rc) {
2338 printk(KERN_ERR "Error generating tag 3 packet header; cannot " 2338 printk(KERN_ERR "Error generating tag 3 packet header; cannot "
2339 "generate packet length. rc = [%d]\n", rc); 2339 "generate packet length. rc = [%d]\n", rc);
2340 goto out; 2340 goto out;
2341 } 2341 }
2342 (*packet_size) += packet_size_length; 2342 (*packet_size) += packet_size_length;
2343 dest[(*packet_size)++] = 0x04; /* version 4 */ 2343 dest[(*packet_size)++] = 0x04; /* version 4 */
2344 /* TODO: Break from RFC2440 so that arbitrary ciphers can be 2344 /* TODO: Break from RFC2440 so that arbitrary ciphers can be
2345 * specified with strings */ 2345 * specified with strings */
2346 cipher_code = ecryptfs_code_for_cipher_string(crypt_stat->cipher, 2346 cipher_code = ecryptfs_code_for_cipher_string(crypt_stat->cipher,
2347 crypt_stat->key_size); 2347 crypt_stat->key_size);
2348 if (cipher_code == 0) { 2348 if (cipher_code == 0) {
2349 ecryptfs_printk(KERN_WARNING, "Unable to generate code for " 2349 ecryptfs_printk(KERN_WARNING, "Unable to generate code for "
2350 "cipher [%s]\n", crypt_stat->cipher); 2350 "cipher [%s]\n", crypt_stat->cipher);
2351 rc = -EINVAL; 2351 rc = -EINVAL;
2352 goto out; 2352 goto out;
2353 } 2353 }
2354 dest[(*packet_size)++] = cipher_code; 2354 dest[(*packet_size)++] = cipher_code;
2355 dest[(*packet_size)++] = 0x03; /* S2K */ 2355 dest[(*packet_size)++] = 0x03; /* S2K */
2356 dest[(*packet_size)++] = 0x01; /* MD5 (TODO: parameterize) */ 2356 dest[(*packet_size)++] = 0x01; /* MD5 (TODO: parameterize) */
2357 memcpy(&dest[(*packet_size)], auth_tok->token.password.salt, 2357 memcpy(&dest[(*packet_size)], auth_tok->token.password.salt,
2358 ECRYPTFS_SALT_SIZE); 2358 ECRYPTFS_SALT_SIZE);
2359 (*packet_size) += ECRYPTFS_SALT_SIZE; /* salt */ 2359 (*packet_size) += ECRYPTFS_SALT_SIZE; /* salt */
2360 dest[(*packet_size)++] = 0x60; /* hash iterations (65536) */ 2360 dest[(*packet_size)++] = 0x60; /* hash iterations (65536) */
2361 memcpy(&dest[(*packet_size)], key_rec->enc_key, 2361 memcpy(&dest[(*packet_size)], key_rec->enc_key,
2362 key_rec->enc_key_size); 2362 key_rec->enc_key_size);
2363 (*packet_size) += key_rec->enc_key_size; 2363 (*packet_size) += key_rec->enc_key_size;
2364 out: 2364 out:
2365 if (rc) 2365 if (rc)
2366 (*packet_size) = 0; 2366 (*packet_size) = 0;
2367 else 2367 else
2368 (*remaining_bytes) -= (*packet_size); 2368 (*remaining_bytes) -= (*packet_size);
2369 return rc; 2369 return rc;
2370 } 2370 }
2371 2371
2372 struct kmem_cache *ecryptfs_key_record_cache; 2372 struct kmem_cache *ecryptfs_key_record_cache;
2373 2373
2374 /** 2374 /**
2375 * ecryptfs_generate_key_packet_set 2375 * ecryptfs_generate_key_packet_set
2376 * @dest_base: Virtual address from which to write the key record set 2376 * @dest_base: Virtual address from which to write the key record set
2377 * @crypt_stat: The cryptographic context from which the 2377 * @crypt_stat: The cryptographic context from which the
2378 * authentication tokens will be retrieved 2378 * authentication tokens will be retrieved
2379 * @ecryptfs_dentry: The dentry, used to retrieve the mount crypt stat 2379 * @ecryptfs_dentry: The dentry, used to retrieve the mount crypt stat
2380 * for the global parameters 2380 * for the global parameters
2381 * @len: The amount written 2381 * @len: The amount written
2382 * @max: The maximum amount of data allowed to be written 2382 * @max: The maximum amount of data allowed to be written
2383 * 2383 *
2384 * Generates a key packet set and writes it to the virtual address 2384 * Generates a key packet set and writes it to the virtual address
2385 * passed in. 2385 * passed in.
2386 * 2386 *
2387 * Returns zero on success; non-zero on error. 2387 * Returns zero on success; non-zero on error.
2388 */ 2388 */
2389 int 2389 int
2390 ecryptfs_generate_key_packet_set(char *dest_base, 2390 ecryptfs_generate_key_packet_set(char *dest_base,
2391 struct ecryptfs_crypt_stat *crypt_stat, 2391 struct ecryptfs_crypt_stat *crypt_stat,
2392 struct dentry *ecryptfs_dentry, size_t *len, 2392 struct dentry *ecryptfs_dentry, size_t *len,
2393 size_t max) 2393 size_t max)
2394 { 2394 {
2395 struct ecryptfs_auth_tok *auth_tok; 2395 struct ecryptfs_auth_tok *auth_tok;
2396 struct key *auth_tok_key = NULL; 2396 struct key *auth_tok_key = NULL;
2397 struct ecryptfs_mount_crypt_stat *mount_crypt_stat = 2397 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
2398 &ecryptfs_superblock_to_private( 2398 &ecryptfs_superblock_to_private(
2399 ecryptfs_dentry->d_sb)->mount_crypt_stat; 2399 ecryptfs_dentry->d_sb)->mount_crypt_stat;
2400 size_t written; 2400 size_t written;
2401 struct ecryptfs_key_record *key_rec; 2401 struct ecryptfs_key_record *key_rec;
2402 struct ecryptfs_key_sig *key_sig; 2402 struct ecryptfs_key_sig *key_sig;
2403 int rc = 0; 2403 int rc = 0;
2404 2404
2405 (*len) = 0; 2405 (*len) = 0;
2406 mutex_lock(&crypt_stat->keysig_list_mutex); 2406 mutex_lock(&crypt_stat->keysig_list_mutex);
2407 key_rec = kmem_cache_alloc(ecryptfs_key_record_cache, GFP_KERNEL); 2407 key_rec = kmem_cache_alloc(ecryptfs_key_record_cache, GFP_KERNEL);
2408 if (!key_rec) { 2408 if (!key_rec) {
2409 rc = -ENOMEM; 2409 rc = -ENOMEM;
2410 goto out; 2410 goto out;
2411 } 2411 }
2412 list_for_each_entry(key_sig, &crypt_stat->keysig_list, 2412 list_for_each_entry(key_sig, &crypt_stat->keysig_list,
2413 crypt_stat_list) { 2413 crypt_stat_list) {
2414 memset(key_rec, 0, sizeof(*key_rec)); 2414 memset(key_rec, 0, sizeof(*key_rec));
2415 rc = ecryptfs_find_global_auth_tok_for_sig(&auth_tok_key, 2415 rc = ecryptfs_find_global_auth_tok_for_sig(&auth_tok_key,
2416 &auth_tok, 2416 &auth_tok,
2417 mount_crypt_stat, 2417 mount_crypt_stat,
2418 key_sig->keysig); 2418 key_sig->keysig);
2419 if (rc) { 2419 if (rc) {
2420 printk(KERN_WARNING "Unable to retrieve auth tok with " 2420 printk(KERN_WARNING "Unable to retrieve auth tok with "
2421 "sig = [%s]\n", key_sig->keysig); 2421 "sig = [%s]\n", key_sig->keysig);
2422 rc = process_find_global_auth_tok_for_sig_err(rc); 2422 rc = process_find_global_auth_tok_for_sig_err(rc);
2423 goto out_free; 2423 goto out_free;
2424 } 2424 }
2425 if (auth_tok->token_type == ECRYPTFS_PASSWORD) { 2425 if (auth_tok->token_type == ECRYPTFS_PASSWORD) {
2426 rc = write_tag_3_packet((dest_base + (*len)), 2426 rc = write_tag_3_packet((dest_base + (*len)),
2427 &max, auth_tok, 2427 &max, auth_tok,
2428 crypt_stat, key_rec, 2428 crypt_stat, key_rec,
2429 &written); 2429 &written);
2430 up_write(&(auth_tok_key->sem)); 2430 up_write(&(auth_tok_key->sem));
2431 key_put(auth_tok_key); 2431 key_put(auth_tok_key);
2432 if (rc) { 2432 if (rc) {
2433 ecryptfs_printk(KERN_WARNING, "Error " 2433 ecryptfs_printk(KERN_WARNING, "Error "
2434 "writing tag 3 packet\n"); 2434 "writing tag 3 packet\n");
2435 goto out_free; 2435 goto out_free;
2436 } 2436 }
2437 (*len) += written; 2437 (*len) += written;
2438 /* Write auth tok signature packet */ 2438 /* Write auth tok signature packet */
2439 rc = write_tag_11_packet((dest_base + (*len)), &max, 2439 rc = write_tag_11_packet((dest_base + (*len)), &max,
2440 key_rec->sig, 2440 key_rec->sig,
2441 ECRYPTFS_SIG_SIZE, &written); 2441 ECRYPTFS_SIG_SIZE, &written);
2442 if (rc) { 2442 if (rc) {
2443 ecryptfs_printk(KERN_ERR, "Error writing " 2443 ecryptfs_printk(KERN_ERR, "Error writing "
2444 "auth tok signature packet\n"); 2444 "auth tok signature packet\n");
2445 goto out_free; 2445 goto out_free;
2446 } 2446 }
2447 (*len) += written; 2447 (*len) += written;
2448 } else if (auth_tok->token_type == ECRYPTFS_PRIVATE_KEY) { 2448 } else if (auth_tok->token_type == ECRYPTFS_PRIVATE_KEY) {
2449 rc = write_tag_1_packet(dest_base + (*len), &max, 2449 rc = write_tag_1_packet(dest_base + (*len), &max,
2450 auth_tok_key, auth_tok, 2450 auth_tok_key, auth_tok,
2451 crypt_stat, key_rec, &written); 2451 crypt_stat, key_rec, &written);
2452 if (rc) { 2452 if (rc) {
2453 ecryptfs_printk(KERN_WARNING, "Error " 2453 ecryptfs_printk(KERN_WARNING, "Error "
2454 "writing tag 1 packet\n"); 2454 "writing tag 1 packet\n");
2455 goto out_free; 2455 goto out_free;
2456 } 2456 }
2457 (*len) += written; 2457 (*len) += written;
2458 } else { 2458 } else {
2459 up_write(&(auth_tok_key->sem)); 2459 up_write(&(auth_tok_key->sem));
2460 key_put(auth_tok_key); 2460 key_put(auth_tok_key);
2461 ecryptfs_printk(KERN_WARNING, "Unsupported " 2461 ecryptfs_printk(KERN_WARNING, "Unsupported "
2462 "authentication token type\n"); 2462 "authentication token type\n");
2463 rc = -EINVAL; 2463 rc = -EINVAL;
2464 goto out_free; 2464 goto out_free;
2465 } 2465 }
2466 } 2466 }
2467 if (likely(max > 0)) { 2467 if (likely(max > 0)) {
2468 dest_base[(*len)] = 0x00; 2468 dest_base[(*len)] = 0x00;
2469 } else { 2469 } else {
2470 ecryptfs_printk(KERN_ERR, "Error writing boundary byte\n"); 2470 ecryptfs_printk(KERN_ERR, "Error writing boundary byte\n");
2471 rc = -EIO; 2471 rc = -EIO;
2472 } 2472 }
2473 out_free: 2473 out_free:
2474 kmem_cache_free(ecryptfs_key_record_cache, key_rec); 2474 kmem_cache_free(ecryptfs_key_record_cache, key_rec);
2475 out: 2475 out:
2476 if (rc) 2476 if (rc)
2477 (*len) = 0; 2477 (*len) = 0;
2478 mutex_unlock(&crypt_stat->keysig_list_mutex); 2478 mutex_unlock(&crypt_stat->keysig_list_mutex);
2479 return rc; 2479 return rc;
2480 } 2480 }
2481 2481
2482 struct kmem_cache *ecryptfs_key_sig_cache; 2482 struct kmem_cache *ecryptfs_key_sig_cache;
2483 2483
2484 int ecryptfs_add_keysig(struct ecryptfs_crypt_stat *crypt_stat, char *sig) 2484 int ecryptfs_add_keysig(struct ecryptfs_crypt_stat *crypt_stat, char *sig)
2485 { 2485 {
2486 struct ecryptfs_key_sig *new_key_sig; 2486 struct ecryptfs_key_sig *new_key_sig;
2487 2487
2488 new_key_sig = kmem_cache_alloc(ecryptfs_key_sig_cache, GFP_KERNEL); 2488 new_key_sig = kmem_cache_alloc(ecryptfs_key_sig_cache, GFP_KERNEL);
2489 if (!new_key_sig) { 2489 if (!new_key_sig) {
2490 printk(KERN_ERR 2490 printk(KERN_ERR
2491 "Error allocating from ecryptfs_key_sig_cache\n"); 2491 "Error allocating from ecryptfs_key_sig_cache\n");
2492 return -ENOMEM; 2492 return -ENOMEM;
2493 } 2493 }
2494 memcpy(new_key_sig->keysig, sig, ECRYPTFS_SIG_SIZE_HEX); 2494 memcpy(new_key_sig->keysig, sig, ECRYPTFS_SIG_SIZE_HEX);
2495 new_key_sig->keysig[ECRYPTFS_SIG_SIZE_HEX] = '\0'; 2495 new_key_sig->keysig[ECRYPTFS_SIG_SIZE_HEX] = '\0';
2496 /* Caller must hold keysig_list_mutex */ 2496 /* Caller must hold keysig_list_mutex */
2497 list_add(&new_key_sig->crypt_stat_list, &crypt_stat->keysig_list); 2497 list_add(&new_key_sig->crypt_stat_list, &crypt_stat->keysig_list);
2498 2498
2499 return 0; 2499 return 0;
2500 } 2500 }
2501 2501
2502 struct kmem_cache *ecryptfs_global_auth_tok_cache; 2502 struct kmem_cache *ecryptfs_global_auth_tok_cache;
2503 2503
2504 int 2504 int
2505 ecryptfs_add_global_auth_tok(struct ecryptfs_mount_crypt_stat *mount_crypt_stat, 2505 ecryptfs_add_global_auth_tok(struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
2506 char *sig, u32 global_auth_tok_flags) 2506 char *sig, u32 global_auth_tok_flags)
2507 { 2507 {
2508 struct ecryptfs_global_auth_tok *new_auth_tok; 2508 struct ecryptfs_global_auth_tok *new_auth_tok;
2509 int rc = 0; 2509 int rc = 0;
2510 2510
2511 new_auth_tok = kmem_cache_zalloc(ecryptfs_global_auth_tok_cache, 2511 new_auth_tok = kmem_cache_zalloc(ecryptfs_global_auth_tok_cache,
2512 GFP_KERNEL); 2512 GFP_KERNEL);
2513 if (!new_auth_tok) { 2513 if (!new_auth_tok) {
2514 rc = -ENOMEM; 2514 rc = -ENOMEM;
2515 printk(KERN_ERR "Error allocating from " 2515 printk(KERN_ERR "Error allocating from "
2516 "ecryptfs_global_auth_tok_cache\n"); 2516 "ecryptfs_global_auth_tok_cache\n");
2517 goto out; 2517 goto out;
2518 } 2518 }
2519 memcpy(new_auth_tok->sig, sig, ECRYPTFS_SIG_SIZE_HEX); 2519 memcpy(new_auth_tok->sig, sig, ECRYPTFS_SIG_SIZE_HEX);
2520 new_auth_tok->flags = global_auth_tok_flags; 2520 new_auth_tok->flags = global_auth_tok_flags;
2521 new_auth_tok->sig[ECRYPTFS_SIG_SIZE_HEX] = '\0'; 2521 new_auth_tok->sig[ECRYPTFS_SIG_SIZE_HEX] = '\0';
2522 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); 2522 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex);
2523 list_add(&new_auth_tok->mount_crypt_stat_list, 2523 list_add(&new_auth_tok->mount_crypt_stat_list,
2524 &mount_crypt_stat->global_auth_tok_list); 2524 &mount_crypt_stat->global_auth_tok_list);
2525 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); 2525 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex);
2526 out: 2526 out:
2527 return rc; 2527 return rc;
2528 } 2528 }
2529 2529
2530 2530
1 /** 1 /**
2 * eCryptfs: Linux filesystem encryption layer 2 * eCryptfs: Linux filesystem encryption layer
3 * 3 *
4 * Copyright (C) 1997-2003 Erez Zadok 4 * Copyright (C) 1997-2003 Erez Zadok
5 * Copyright (C) 2001-2003 Stony Brook University 5 * Copyright (C) 2001-2003 Stony Brook University
6 * Copyright (C) 2004-2007 International Business Machines Corp. 6 * Copyright (C) 2004-2007 International Business Machines Corp.
7 * Author(s): Michael A. Halcrow <mahalcro@us.ibm.com> 7 * Author(s): Michael A. Halcrow <mahalcro@us.ibm.com>
8 * Michael C. Thompson <mcthomps@us.ibm.com> 8 * Michael C. Thompson <mcthomps@us.ibm.com>
9 * Tyler Hicks <tyhicks@ou.edu> 9 * Tyler Hicks <tyhicks@ou.edu>
10 * 10 *
11 * This program is free software; you can redistribute it and/or 11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License as 12 * modify it under the terms of the GNU General Public License as
13 * published by the Free Software Foundation; either version 2 of the 13 * published by the Free Software Foundation; either version 2 of the
14 * License, or (at your option) any later version. 14 * License, or (at your option) any later version.
15 * 15 *
16 * This program is distributed in the hope that it will be useful, but 16 * This program is distributed in the hope that it will be useful, but
17 * WITHOUT ANY WARRANTY; without even the implied warranty of 17 * WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 * General Public License for more details. 19 * General Public License for more details.
20 * 20 *
21 * You should have received a copy of the GNU General Public License 21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software 22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
24 * 02111-1307, USA. 24 * 02111-1307, USA.
25 */ 25 */
26 26
27 #include <linux/dcache.h> 27 #include <linux/dcache.h>
28 #include <linux/file.h> 28 #include <linux/file.h>
29 #include <linux/module.h> 29 #include <linux/module.h>
30 #include <linux/namei.h> 30 #include <linux/namei.h>
31 #include <linux/skbuff.h> 31 #include <linux/skbuff.h>
32 #include <linux/crypto.h> 32 #include <linux/crypto.h>
33 #include <linux/mount.h> 33 #include <linux/mount.h>
34 #include <linux/pagemap.h> 34 #include <linux/pagemap.h>
35 #include <linux/key.h> 35 #include <linux/key.h>
36 #include <linux/parser.h> 36 #include <linux/parser.h>
37 #include <linux/fs_stack.h> 37 #include <linux/fs_stack.h>
38 #include <linux/slab.h> 38 #include <linux/slab.h>
39 #include <linux/magic.h> 39 #include <linux/magic.h>
40 #include "ecryptfs_kernel.h" 40 #include "ecryptfs_kernel.h"
41 41
42 /** 42 /**
43 * Module parameter that defines the ecryptfs_verbosity level. 43 * Module parameter that defines the ecryptfs_verbosity level.
44 */ 44 */
45 int ecryptfs_verbosity = 0; 45 int ecryptfs_verbosity = 0;
46 46
47 module_param(ecryptfs_verbosity, int, 0); 47 module_param(ecryptfs_verbosity, int, 0);
48 MODULE_PARM_DESC(ecryptfs_verbosity, 48 MODULE_PARM_DESC(ecryptfs_verbosity,
49 "Initial verbosity level (0 or 1; defaults to " 49 "Initial verbosity level (0 or 1; defaults to "
50 "0, which is Quiet)"); 50 "0, which is Quiet)");
51 51
52 /** 52 /**
53 * Module parameter that defines the number of message buffer elements 53 * Module parameter that defines the number of message buffer elements
54 */ 54 */
55 unsigned int ecryptfs_message_buf_len = ECRYPTFS_DEFAULT_MSG_CTX_ELEMS; 55 unsigned int ecryptfs_message_buf_len = ECRYPTFS_DEFAULT_MSG_CTX_ELEMS;
56 56
57 module_param(ecryptfs_message_buf_len, uint, 0); 57 module_param(ecryptfs_message_buf_len, uint, 0);
58 MODULE_PARM_DESC(ecryptfs_message_buf_len, 58 MODULE_PARM_DESC(ecryptfs_message_buf_len,
59 "Number of message buffer elements"); 59 "Number of message buffer elements");
60 60
61 /** 61 /**
62 * Module parameter that defines the maximum guaranteed amount of time to wait 62 * Module parameter that defines the maximum guaranteed amount of time to wait
63 * for a response from ecryptfsd. The actual sleep time will be, more than 63 * for a response from ecryptfsd. The actual sleep time will be, more than
64 * likely, a small amount greater than this specified value, but only less if 64 * likely, a small amount greater than this specified value, but only less if
65 * the message successfully arrives. 65 * the message successfully arrives.
66 */ 66 */
67 signed long ecryptfs_message_wait_timeout = ECRYPTFS_MAX_MSG_CTX_TTL / HZ; 67 signed long ecryptfs_message_wait_timeout = ECRYPTFS_MAX_MSG_CTX_TTL / HZ;
68 68
69 module_param(ecryptfs_message_wait_timeout, long, 0); 69 module_param(ecryptfs_message_wait_timeout, long, 0);
70 MODULE_PARM_DESC(ecryptfs_message_wait_timeout, 70 MODULE_PARM_DESC(ecryptfs_message_wait_timeout,
71 "Maximum number of seconds that an operation will " 71 "Maximum number of seconds that an operation will "
72 "sleep while waiting for a message response from " 72 "sleep while waiting for a message response from "
73 "userspace"); 73 "userspace");
74 74
75 /** 75 /**
76 * Module parameter that is an estimate of the maximum number of users 76 * Module parameter that is an estimate of the maximum number of users
77 * that will be concurrently using eCryptfs. Set this to the right 77 * that will be concurrently using eCryptfs. Set this to the right
78 * value to balance performance and memory use. 78 * value to balance performance and memory use.
79 */ 79 */
80 unsigned int ecryptfs_number_of_users = ECRYPTFS_DEFAULT_NUM_USERS; 80 unsigned int ecryptfs_number_of_users = ECRYPTFS_DEFAULT_NUM_USERS;
81 81
82 module_param(ecryptfs_number_of_users, uint, 0); 82 module_param(ecryptfs_number_of_users, uint, 0);
83 MODULE_PARM_DESC(ecryptfs_number_of_users, "An estimate of the number of " 83 MODULE_PARM_DESC(ecryptfs_number_of_users, "An estimate of the number of "
84 "concurrent users of eCryptfs"); 84 "concurrent users of eCryptfs");
85 85
86 void __ecryptfs_printk(const char *fmt, ...) 86 void __ecryptfs_printk(const char *fmt, ...)
87 { 87 {
88 va_list args; 88 va_list args;
89 va_start(args, fmt); 89 va_start(args, fmt);
90 if (fmt[1] == '7') { /* KERN_DEBUG */ 90 if (fmt[1] == '7') { /* KERN_DEBUG */
91 if (ecryptfs_verbosity >= 1) 91 if (ecryptfs_verbosity >= 1)
92 vprintk(fmt, args); 92 vprintk(fmt, args);
93 } else 93 } else
94 vprintk(fmt, args); 94 vprintk(fmt, args);
95 va_end(args); 95 va_end(args);
96 } 96 }
97 97
98 /** 98 /**
99 * ecryptfs_init_lower_file 99 * ecryptfs_init_lower_file
100 * @ecryptfs_dentry: Fully initialized eCryptfs dentry object, with 100 * @ecryptfs_dentry: Fully initialized eCryptfs dentry object, with
101 * the lower dentry and the lower mount set 101 * the lower dentry and the lower mount set
102 * 102 *
103 * eCryptfs only ever keeps a single open file for every lower 103 * eCryptfs only ever keeps a single open file for every lower
104 * inode. All I/O operations to the lower inode occur through that 104 * inode. All I/O operations to the lower inode occur through that
105 * file. When the first eCryptfs dentry that interposes with the first 105 * file. When the first eCryptfs dentry that interposes with the first
106 * lower dentry for that inode is created, this function creates the 106 * lower dentry for that inode is created, this function creates the
107 * lower file struct and associates it with the eCryptfs 107 * lower file struct and associates it with the eCryptfs
108 * inode. When all eCryptfs files associated with the inode are released, the 108 * inode. When all eCryptfs files associated with the inode are released, the
109 * file is closed. 109 * file is closed.
110 * 110 *
111 * The lower file will be opened with read/write permissions, if 111 * The lower file will be opened with read/write permissions, if
112 * possible. Otherwise, it is opened read-only. 112 * possible. Otherwise, it is opened read-only.
113 * 113 *
114 * This function does nothing if a lower file is already 114 * This function does nothing if a lower file is already
115 * associated with the eCryptfs inode. 115 * associated with the eCryptfs inode.
116 * 116 *
117 * Returns zero on success; non-zero otherwise 117 * Returns zero on success; non-zero otherwise
118 */ 118 */
119 static int ecryptfs_init_lower_file(struct dentry *dentry, 119 static int ecryptfs_init_lower_file(struct dentry *dentry,
120 struct file **lower_file) 120 struct file **lower_file)
121 { 121 {
122 const struct cred *cred = current_cred(); 122 const struct cred *cred = current_cred();
123 struct path *path = ecryptfs_dentry_to_lower_path(dentry); 123 struct path *path = ecryptfs_dentry_to_lower_path(dentry);
124 int rc; 124 int rc;
125 125
126 rc = ecryptfs_privileged_open(lower_file, path->dentry, path->mnt, 126 rc = ecryptfs_privileged_open(lower_file, path->dentry, path->mnt,
127 cred); 127 cred);
128 if (rc) { 128 if (rc) {
129 printk(KERN_ERR "Error opening lower file " 129 printk(KERN_ERR "Error opening lower file "
130 "for lower_dentry [0x%p] and lower_mnt [0x%p]; " 130 "for lower_dentry [0x%p] and lower_mnt [0x%p]; "
131 "rc = [%d]\n", path->dentry, path->mnt, rc); 131 "rc = [%d]\n", path->dentry, path->mnt, rc);
132 (*lower_file) = NULL; 132 (*lower_file) = NULL;
133 } 133 }
134 return rc; 134 return rc;
135 } 135 }
136 136
137 int ecryptfs_get_lower_file(struct dentry *dentry, struct inode *inode) 137 int ecryptfs_get_lower_file(struct dentry *dentry, struct inode *inode)
138 { 138 {
139 struct ecryptfs_inode_info *inode_info; 139 struct ecryptfs_inode_info *inode_info;
140 int count, rc = 0; 140 int count, rc = 0;
141 141
142 inode_info = ecryptfs_inode_to_private(inode); 142 inode_info = ecryptfs_inode_to_private(inode);
143 mutex_lock(&inode_info->lower_file_mutex); 143 mutex_lock(&inode_info->lower_file_mutex);
144 count = atomic_inc_return(&inode_info->lower_file_count); 144 count = atomic_inc_return(&inode_info->lower_file_count);
145 if (WARN_ON_ONCE(count < 1)) 145 if (WARN_ON_ONCE(count < 1))
146 rc = -EINVAL; 146 rc = -EINVAL;
147 else if (count == 1) { 147 else if (count == 1) {
148 rc = ecryptfs_init_lower_file(dentry, 148 rc = ecryptfs_init_lower_file(dentry,
149 &inode_info->lower_file); 149 &inode_info->lower_file);
150 if (rc) 150 if (rc)
151 atomic_set(&inode_info->lower_file_count, 0); 151 atomic_set(&inode_info->lower_file_count, 0);
152 } 152 }
153 mutex_unlock(&inode_info->lower_file_mutex); 153 mutex_unlock(&inode_info->lower_file_mutex);
154 return rc; 154 return rc;
155 } 155 }
156 156
157 void ecryptfs_put_lower_file(struct inode *inode) 157 void ecryptfs_put_lower_file(struct inode *inode)
158 { 158 {
159 struct ecryptfs_inode_info *inode_info; 159 struct ecryptfs_inode_info *inode_info;
160 160
161 inode_info = ecryptfs_inode_to_private(inode); 161 inode_info = ecryptfs_inode_to_private(inode);
162 if (atomic_dec_and_mutex_lock(&inode_info->lower_file_count, 162 if (atomic_dec_and_mutex_lock(&inode_info->lower_file_count,
163 &inode_info->lower_file_mutex)) { 163 &inode_info->lower_file_mutex)) {
164 filemap_write_and_wait(inode->i_mapping); 164 filemap_write_and_wait(inode->i_mapping);
165 fput(inode_info->lower_file); 165 fput(inode_info->lower_file);
166 inode_info->lower_file = NULL; 166 inode_info->lower_file = NULL;
167 mutex_unlock(&inode_info->lower_file_mutex); 167 mutex_unlock(&inode_info->lower_file_mutex);
168 } 168 }
169 } 169 }
170 170
171 enum { ecryptfs_opt_sig, ecryptfs_opt_ecryptfs_sig, 171 enum { ecryptfs_opt_sig, ecryptfs_opt_ecryptfs_sig,
172 ecryptfs_opt_cipher, ecryptfs_opt_ecryptfs_cipher, 172 ecryptfs_opt_cipher, ecryptfs_opt_ecryptfs_cipher,
173 ecryptfs_opt_ecryptfs_key_bytes, 173 ecryptfs_opt_ecryptfs_key_bytes,
174 ecryptfs_opt_passthrough, ecryptfs_opt_xattr_metadata, 174 ecryptfs_opt_passthrough, ecryptfs_opt_xattr_metadata,
175 ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig, 175 ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig,
176 ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes, 176 ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes,
177 ecryptfs_opt_unlink_sigs, ecryptfs_opt_mount_auth_tok_only, 177 ecryptfs_opt_unlink_sigs, ecryptfs_opt_mount_auth_tok_only,
178 ecryptfs_opt_check_dev_ruid, 178 ecryptfs_opt_check_dev_ruid,
179 ecryptfs_opt_err }; 179 ecryptfs_opt_err };
180 180
181 static const match_table_t tokens = { 181 static const match_table_t tokens = {
182 {ecryptfs_opt_sig, "sig=%s"}, 182 {ecryptfs_opt_sig, "sig=%s"},
183 {ecryptfs_opt_ecryptfs_sig, "ecryptfs_sig=%s"}, 183 {ecryptfs_opt_ecryptfs_sig, "ecryptfs_sig=%s"},
184 {ecryptfs_opt_cipher, "cipher=%s"}, 184 {ecryptfs_opt_cipher, "cipher=%s"},
185 {ecryptfs_opt_ecryptfs_cipher, "ecryptfs_cipher=%s"}, 185 {ecryptfs_opt_ecryptfs_cipher, "ecryptfs_cipher=%s"},
186 {ecryptfs_opt_ecryptfs_key_bytes, "ecryptfs_key_bytes=%u"}, 186 {ecryptfs_opt_ecryptfs_key_bytes, "ecryptfs_key_bytes=%u"},
187 {ecryptfs_opt_passthrough, "ecryptfs_passthrough"}, 187 {ecryptfs_opt_passthrough, "ecryptfs_passthrough"},
188 {ecryptfs_opt_xattr_metadata, "ecryptfs_xattr_metadata"}, 188 {ecryptfs_opt_xattr_metadata, "ecryptfs_xattr_metadata"},
189 {ecryptfs_opt_encrypted_view, "ecryptfs_encrypted_view"}, 189 {ecryptfs_opt_encrypted_view, "ecryptfs_encrypted_view"},
190 {ecryptfs_opt_fnek_sig, "ecryptfs_fnek_sig=%s"}, 190 {ecryptfs_opt_fnek_sig, "ecryptfs_fnek_sig=%s"},
191 {ecryptfs_opt_fn_cipher, "ecryptfs_fn_cipher=%s"}, 191 {ecryptfs_opt_fn_cipher, "ecryptfs_fn_cipher=%s"},
192 {ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"}, 192 {ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"},
193 {ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"}, 193 {ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"},
194 {ecryptfs_opt_mount_auth_tok_only, "ecryptfs_mount_auth_tok_only"}, 194 {ecryptfs_opt_mount_auth_tok_only, "ecryptfs_mount_auth_tok_only"},
195 {ecryptfs_opt_check_dev_ruid, "ecryptfs_check_dev_ruid"}, 195 {ecryptfs_opt_check_dev_ruid, "ecryptfs_check_dev_ruid"},
196 {ecryptfs_opt_err, NULL} 196 {ecryptfs_opt_err, NULL}
197 }; 197 };
198 198
199 static int ecryptfs_init_global_auth_toks( 199 static int ecryptfs_init_global_auth_toks(
200 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 200 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
201 { 201 {
202 struct ecryptfs_global_auth_tok *global_auth_tok; 202 struct ecryptfs_global_auth_tok *global_auth_tok;
203 struct ecryptfs_auth_tok *auth_tok; 203 struct ecryptfs_auth_tok *auth_tok;
204 int rc = 0; 204 int rc = 0;
205 205
206 list_for_each_entry(global_auth_tok, 206 list_for_each_entry(global_auth_tok,
207 &mount_crypt_stat->global_auth_tok_list, 207 &mount_crypt_stat->global_auth_tok_list,
208 mount_crypt_stat_list) { 208 mount_crypt_stat_list) {
209 rc = ecryptfs_keyring_auth_tok_for_sig( 209 rc = ecryptfs_keyring_auth_tok_for_sig(
210 &global_auth_tok->global_auth_tok_key, &auth_tok, 210 &global_auth_tok->global_auth_tok_key, &auth_tok,
211 global_auth_tok->sig); 211 global_auth_tok->sig);
212 if (rc) { 212 if (rc) {
213 printk(KERN_ERR "Could not find valid key in user " 213 printk(KERN_ERR "Could not find valid key in user "
214 "session keyring for sig specified in mount " 214 "session keyring for sig specified in mount "
215 "option: [%s]\n", global_auth_tok->sig); 215 "option: [%s]\n", global_auth_tok->sig);
216 global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID; 216 global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID;
217 goto out; 217 goto out;
218 } else { 218 } else {
219 global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID; 219 global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID;
220 up_write(&(global_auth_tok->global_auth_tok_key)->sem); 220 up_write(&(global_auth_tok->global_auth_tok_key)->sem);
221 } 221 }
222 } 222 }
223 out: 223 out:
224 return rc; 224 return rc;
225 } 225 }
226 226
227 static void ecryptfs_init_mount_crypt_stat( 227 static void ecryptfs_init_mount_crypt_stat(
228 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 228 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
229 { 229 {
230 memset((void *)mount_crypt_stat, 0, 230 memset((void *)mount_crypt_stat, 0,
231 sizeof(struct ecryptfs_mount_crypt_stat)); 231 sizeof(struct ecryptfs_mount_crypt_stat));
232 INIT_LIST_HEAD(&mount_crypt_stat->global_auth_tok_list); 232 INIT_LIST_HEAD(&mount_crypt_stat->global_auth_tok_list);
233 mutex_init(&mount_crypt_stat->global_auth_tok_list_mutex); 233 mutex_init(&mount_crypt_stat->global_auth_tok_list_mutex);
234 mount_crypt_stat->flags |= ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED; 234 mount_crypt_stat->flags |= ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED;
235 } 235 }
236 236
237 /** 237 /**
238 * ecryptfs_parse_options 238 * ecryptfs_parse_options
239 * @sb: The ecryptfs super block 239 * @sb: The ecryptfs super block
240 * @options: The options passed to the kernel 240 * @options: The options passed to the kernel
241 * @check_ruid: set to 1 if device uid should be checked against the ruid 241 * @check_ruid: set to 1 if device uid should be checked against the ruid
242 * 242 *
243 * Parse mount options: 243 * Parse mount options:
244 * debug=N - ecryptfs_verbosity level for debug output 244 * debug=N - ecryptfs_verbosity level for debug output
245 * sig=XXX - description(signature) of the key to use 245 * sig=XXX - description(signature) of the key to use
246 * 246 *
247 * Returns the dentry object of the lower-level (lower/interposed) 247 * Returns the dentry object of the lower-level (lower/interposed)
248 * directory; We want to mount our stackable file system on top of 248 * directory; We want to mount our stackable file system on top of
249 * that lower directory. 249 * that lower directory.
250 * 250 *
251 * The signature of the key to use must be the description of a key 251 * The signature of the key to use must be the description of a key
252 * already in the keyring. Mounting will fail if the key can not be 252 * already in the keyring. Mounting will fail if the key can not be
253 * found. 253 * found.
254 * 254 *
255 * Returns zero on success; non-zero on error 255 * Returns zero on success; non-zero on error
256 */ 256 */
257 static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options, 257 static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options,
258 uid_t *check_ruid) 258 uid_t *check_ruid)
259 { 259 {
260 char *p; 260 char *p;
261 int rc = 0; 261 int rc = 0;
262 int sig_set = 0; 262 int sig_set = 0;
263 int cipher_name_set = 0; 263 int cipher_name_set = 0;
264 int fn_cipher_name_set = 0; 264 int fn_cipher_name_set = 0;
265 int cipher_key_bytes; 265 int cipher_key_bytes;
266 int cipher_key_bytes_set = 0; 266 int cipher_key_bytes_set = 0;
267 int fn_cipher_key_bytes; 267 int fn_cipher_key_bytes;
268 int fn_cipher_key_bytes_set = 0; 268 int fn_cipher_key_bytes_set = 0;
269 struct ecryptfs_mount_crypt_stat *mount_crypt_stat = 269 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
270 &sbi->mount_crypt_stat; 270 &sbi->mount_crypt_stat;
271 substring_t args[MAX_OPT_ARGS]; 271 substring_t args[MAX_OPT_ARGS];
272 int token; 272 int token;
273 char *sig_src; 273 char *sig_src;
274 char *cipher_name_dst; 274 char *cipher_name_dst;
275 char *cipher_name_src; 275 char *cipher_name_src;
276 char *fn_cipher_name_dst; 276 char *fn_cipher_name_dst;
277 char *fn_cipher_name_src; 277 char *fn_cipher_name_src;
278 char *fnek_dst; 278 char *fnek_dst;
279 char *fnek_src; 279 char *fnek_src;
280 char *cipher_key_bytes_src; 280 char *cipher_key_bytes_src;
281 char *fn_cipher_key_bytes_src; 281 char *fn_cipher_key_bytes_src;
282 u8 cipher_code; 282 u8 cipher_code;
283 283
284 *check_ruid = 0; 284 *check_ruid = 0;
285 285
286 if (!options) { 286 if (!options) {
287 rc = -EINVAL; 287 rc = -EINVAL;
288 goto out; 288 goto out;
289 } 289 }
290 ecryptfs_init_mount_crypt_stat(mount_crypt_stat); 290 ecryptfs_init_mount_crypt_stat(mount_crypt_stat);
291 while ((p = strsep(&options, ",")) != NULL) { 291 while ((p = strsep(&options, ",")) != NULL) {
292 if (!*p) 292 if (!*p)
293 continue; 293 continue;
294 token = match_token(p, tokens, args); 294 token = match_token(p, tokens, args);
295 switch (token) { 295 switch (token) {
296 case ecryptfs_opt_sig: 296 case ecryptfs_opt_sig:
297 case ecryptfs_opt_ecryptfs_sig: 297 case ecryptfs_opt_ecryptfs_sig:
298 sig_src = args[0].from; 298 sig_src = args[0].from;
299 rc = ecryptfs_add_global_auth_tok(mount_crypt_stat, 299 rc = ecryptfs_add_global_auth_tok(mount_crypt_stat,
300 sig_src, 0); 300 sig_src, 0);
301 if (rc) { 301 if (rc) {
302 printk(KERN_ERR "Error attempting to register " 302 printk(KERN_ERR "Error attempting to register "
303 "global sig; rc = [%d]\n", rc); 303 "global sig; rc = [%d]\n", rc);
304 goto out; 304 goto out;
305 } 305 }
306 sig_set = 1; 306 sig_set = 1;
307 break; 307 break;
308 case ecryptfs_opt_cipher: 308 case ecryptfs_opt_cipher:
309 case ecryptfs_opt_ecryptfs_cipher: 309 case ecryptfs_opt_ecryptfs_cipher:
310 cipher_name_src = args[0].from; 310 cipher_name_src = args[0].from;
311 cipher_name_dst = 311 cipher_name_dst =
312 mount_crypt_stat-> 312 mount_crypt_stat->
313 global_default_cipher_name; 313 global_default_cipher_name;
314 strncpy(cipher_name_dst, cipher_name_src, 314 strncpy(cipher_name_dst, cipher_name_src,
315 ECRYPTFS_MAX_CIPHER_NAME_SIZE); 315 ECRYPTFS_MAX_CIPHER_NAME_SIZE);
316 cipher_name_dst[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0'; 316 cipher_name_dst[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0';
317 cipher_name_set = 1; 317 cipher_name_set = 1;
318 break; 318 break;
319 case ecryptfs_opt_ecryptfs_key_bytes: 319 case ecryptfs_opt_ecryptfs_key_bytes:
320 cipher_key_bytes_src = args[0].from; 320 cipher_key_bytes_src = args[0].from;
321 cipher_key_bytes = 321 cipher_key_bytes =
322 (int)simple_strtol(cipher_key_bytes_src, 322 (int)simple_strtol(cipher_key_bytes_src,
323 &cipher_key_bytes_src, 0); 323 &cipher_key_bytes_src, 0);
324 mount_crypt_stat->global_default_cipher_key_size = 324 mount_crypt_stat->global_default_cipher_key_size =
325 cipher_key_bytes; 325 cipher_key_bytes;
326 cipher_key_bytes_set = 1; 326 cipher_key_bytes_set = 1;
327 break; 327 break;
328 case ecryptfs_opt_passthrough: 328 case ecryptfs_opt_passthrough:
329 mount_crypt_stat->flags |= 329 mount_crypt_stat->flags |=
330 ECRYPTFS_PLAINTEXT_PASSTHROUGH_ENABLED; 330 ECRYPTFS_PLAINTEXT_PASSTHROUGH_ENABLED;
331 break; 331 break;
332 case ecryptfs_opt_xattr_metadata: 332 case ecryptfs_opt_xattr_metadata:
333 mount_crypt_stat->flags |= 333 mount_crypt_stat->flags |=
334 ECRYPTFS_XATTR_METADATA_ENABLED; 334 ECRYPTFS_XATTR_METADATA_ENABLED;
335 break; 335 break;
336 case ecryptfs_opt_encrypted_view: 336 case ecryptfs_opt_encrypted_view:
337 mount_crypt_stat->flags |= 337 mount_crypt_stat->flags |=
338 ECRYPTFS_XATTR_METADATA_ENABLED; 338 ECRYPTFS_XATTR_METADATA_ENABLED;
339 mount_crypt_stat->flags |= 339 mount_crypt_stat->flags |=
340 ECRYPTFS_ENCRYPTED_VIEW_ENABLED; 340 ECRYPTFS_ENCRYPTED_VIEW_ENABLED;
341 break; 341 break;
342 case ecryptfs_opt_fnek_sig: 342 case ecryptfs_opt_fnek_sig:
343 fnek_src = args[0].from; 343 fnek_src = args[0].from;
344 fnek_dst = 344 fnek_dst =
345 mount_crypt_stat->global_default_fnek_sig; 345 mount_crypt_stat->global_default_fnek_sig;
346 strncpy(fnek_dst, fnek_src, ECRYPTFS_SIG_SIZE_HEX); 346 strncpy(fnek_dst, fnek_src, ECRYPTFS_SIG_SIZE_HEX);
347 mount_crypt_stat->global_default_fnek_sig[ 347 mount_crypt_stat->global_default_fnek_sig[
348 ECRYPTFS_SIG_SIZE_HEX] = '\0'; 348 ECRYPTFS_SIG_SIZE_HEX] = '\0';
349 rc = ecryptfs_add_global_auth_tok( 349 rc = ecryptfs_add_global_auth_tok(
350 mount_crypt_stat, 350 mount_crypt_stat,
351 mount_crypt_stat->global_default_fnek_sig, 351 mount_crypt_stat->global_default_fnek_sig,
352 ECRYPTFS_AUTH_TOK_FNEK); 352 ECRYPTFS_AUTH_TOK_FNEK);
353 if (rc) { 353 if (rc) {
354 printk(KERN_ERR "Error attempting to register " 354 printk(KERN_ERR "Error attempting to register "
355 "global fnek sig [%s]; rc = [%d]\n", 355 "global fnek sig [%s]; rc = [%d]\n",
356 mount_crypt_stat->global_default_fnek_sig, 356 mount_crypt_stat->global_default_fnek_sig,
357 rc); 357 rc);
358 goto out; 358 goto out;
359 } 359 }
360 mount_crypt_stat->flags |= 360 mount_crypt_stat->flags |=
361 (ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES 361 (ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES
362 | ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK); 362 | ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK);
363 break; 363 break;
364 case ecryptfs_opt_fn_cipher: 364 case ecryptfs_opt_fn_cipher:
365 fn_cipher_name_src = args[0].from; 365 fn_cipher_name_src = args[0].from;
366 fn_cipher_name_dst = 366 fn_cipher_name_dst =
367 mount_crypt_stat->global_default_fn_cipher_name; 367 mount_crypt_stat->global_default_fn_cipher_name;
368 strncpy(fn_cipher_name_dst, fn_cipher_name_src, 368 strncpy(fn_cipher_name_dst, fn_cipher_name_src,
369 ECRYPTFS_MAX_CIPHER_NAME_SIZE); 369 ECRYPTFS_MAX_CIPHER_NAME_SIZE);
370 mount_crypt_stat->global_default_fn_cipher_name[ 370 mount_crypt_stat->global_default_fn_cipher_name[
371 ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0'; 371 ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0';
372 fn_cipher_name_set = 1; 372 fn_cipher_name_set = 1;
373 break; 373 break;
374 case ecryptfs_opt_fn_cipher_key_bytes: 374 case ecryptfs_opt_fn_cipher_key_bytes:
375 fn_cipher_key_bytes_src = args[0].from; 375 fn_cipher_key_bytes_src = args[0].from;
376 fn_cipher_key_bytes = 376 fn_cipher_key_bytes =
377 (int)simple_strtol(fn_cipher_key_bytes_src, 377 (int)simple_strtol(fn_cipher_key_bytes_src,
378 &fn_cipher_key_bytes_src, 0); 378 &fn_cipher_key_bytes_src, 0);
379 mount_crypt_stat->global_default_fn_cipher_key_bytes = 379 mount_crypt_stat->global_default_fn_cipher_key_bytes =
380 fn_cipher_key_bytes; 380 fn_cipher_key_bytes;
381 fn_cipher_key_bytes_set = 1; 381 fn_cipher_key_bytes_set = 1;
382 break; 382 break;
383 case ecryptfs_opt_unlink_sigs: 383 case ecryptfs_opt_unlink_sigs:
384 mount_crypt_stat->flags |= ECRYPTFS_UNLINK_SIGS; 384 mount_crypt_stat->flags |= ECRYPTFS_UNLINK_SIGS;
385 break; 385 break;
386 case ecryptfs_opt_mount_auth_tok_only: 386 case ecryptfs_opt_mount_auth_tok_only:
387 mount_crypt_stat->flags |= 387 mount_crypt_stat->flags |=
388 ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY; 388 ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY;
389 break; 389 break;
390 case ecryptfs_opt_check_dev_ruid: 390 case ecryptfs_opt_check_dev_ruid:
391 *check_ruid = 1; 391 *check_ruid = 1;
392 break; 392 break;
393 case ecryptfs_opt_err: 393 case ecryptfs_opt_err:
394 default: 394 default:
395 printk(KERN_WARNING 395 printk(KERN_WARNING
396 "%s: eCryptfs: unrecognized option [%s]\n", 396 "%s: eCryptfs: unrecognized option [%s]\n",
397 __func__, p); 397 __func__, p);
398 } 398 }
399 } 399 }
400 if (!sig_set) { 400 if (!sig_set) {
401 rc = -EINVAL; 401 rc = -EINVAL;
402 ecryptfs_printk(KERN_ERR, "You must supply at least one valid " 402 ecryptfs_printk(KERN_ERR, "You must supply at least one valid "
403 "auth tok signature as a mount " 403 "auth tok signature as a mount "
404 "parameter; see the eCryptfs README\n"); 404 "parameter; see the eCryptfs README\n");
405 goto out; 405 goto out;
406 } 406 }
407 if (!cipher_name_set) { 407 if (!cipher_name_set) {
408 int cipher_name_len = strlen(ECRYPTFS_DEFAULT_CIPHER); 408 int cipher_name_len = strlen(ECRYPTFS_DEFAULT_CIPHER);
409 409
410 BUG_ON(cipher_name_len >= ECRYPTFS_MAX_CIPHER_NAME_SIZE); 410 BUG_ON(cipher_name_len >= ECRYPTFS_MAX_CIPHER_NAME_SIZE);
411 strcpy(mount_crypt_stat->global_default_cipher_name, 411 strcpy(mount_crypt_stat->global_default_cipher_name,
412 ECRYPTFS_DEFAULT_CIPHER); 412 ECRYPTFS_DEFAULT_CIPHER);
413 } 413 }
414 if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) 414 if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)
415 && !fn_cipher_name_set) 415 && !fn_cipher_name_set)
416 strcpy(mount_crypt_stat->global_default_fn_cipher_name, 416 strcpy(mount_crypt_stat->global_default_fn_cipher_name,
417 mount_crypt_stat->global_default_cipher_name); 417 mount_crypt_stat->global_default_cipher_name);
418 if (!cipher_key_bytes_set) 418 if (!cipher_key_bytes_set)
419 mount_crypt_stat->global_default_cipher_key_size = 0; 419 mount_crypt_stat->global_default_cipher_key_size = 0;
420 if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) 420 if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)
421 && !fn_cipher_key_bytes_set) 421 && !fn_cipher_key_bytes_set)
422 mount_crypt_stat->global_default_fn_cipher_key_bytes = 422 mount_crypt_stat->global_default_fn_cipher_key_bytes =
423 mount_crypt_stat->global_default_cipher_key_size; 423 mount_crypt_stat->global_default_cipher_key_size;
424 424
425 cipher_code = ecryptfs_code_for_cipher_string( 425 cipher_code = ecryptfs_code_for_cipher_string(
426 mount_crypt_stat->global_default_cipher_name, 426 mount_crypt_stat->global_default_cipher_name,
427 mount_crypt_stat->global_default_cipher_key_size); 427 mount_crypt_stat->global_default_cipher_key_size);
428 if (!cipher_code) { 428 if (!cipher_code) {
429 ecryptfs_printk(KERN_ERR, 429 ecryptfs_printk(KERN_ERR,
430 "eCryptfs doesn't support cipher: %s", 430 "eCryptfs doesn't support cipher: %s",
431 mount_crypt_stat->global_default_cipher_name); 431 mount_crypt_stat->global_default_cipher_name);
432 rc = -EINVAL; 432 rc = -EINVAL;
433 goto out; 433 goto out;
434 } 434 }
435 435
436 mutex_lock(&key_tfm_list_mutex); 436 mutex_lock(&key_tfm_list_mutex);
437 if (!ecryptfs_tfm_exists(mount_crypt_stat->global_default_cipher_name, 437 if (!ecryptfs_tfm_exists(mount_crypt_stat->global_default_cipher_name,
438 NULL)) { 438 NULL)) {
439 rc = ecryptfs_add_new_key_tfm( 439 rc = ecryptfs_add_new_key_tfm(
440 NULL, mount_crypt_stat->global_default_cipher_name, 440 NULL, mount_crypt_stat->global_default_cipher_name,
441 mount_crypt_stat->global_default_cipher_key_size); 441 mount_crypt_stat->global_default_cipher_key_size);
442 if (rc) { 442 if (rc) {
443 printk(KERN_ERR "Error attempting to initialize " 443 printk(KERN_ERR "Error attempting to initialize "
444 "cipher with name = [%s] and key size = [%td]; " 444 "cipher with name = [%s] and key size = [%td]; "
445 "rc = [%d]\n", 445 "rc = [%d]\n",
446 mount_crypt_stat->global_default_cipher_name, 446 mount_crypt_stat->global_default_cipher_name,
447 mount_crypt_stat->global_default_cipher_key_size, 447 mount_crypt_stat->global_default_cipher_key_size,
448 rc); 448 rc);
449 rc = -EINVAL; 449 rc = -EINVAL;
450 mutex_unlock(&key_tfm_list_mutex); 450 mutex_unlock(&key_tfm_list_mutex);
451 goto out; 451 goto out;
452 } 452 }
453 } 453 }
454 if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) 454 if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)
455 && !ecryptfs_tfm_exists( 455 && !ecryptfs_tfm_exists(
456 mount_crypt_stat->global_default_fn_cipher_name, NULL)) { 456 mount_crypt_stat->global_default_fn_cipher_name, NULL)) {
457 rc = ecryptfs_add_new_key_tfm( 457 rc = ecryptfs_add_new_key_tfm(
458 NULL, mount_crypt_stat->global_default_fn_cipher_name, 458 NULL, mount_crypt_stat->global_default_fn_cipher_name,
459 mount_crypt_stat->global_default_fn_cipher_key_bytes); 459 mount_crypt_stat->global_default_fn_cipher_key_bytes);
460 if (rc) { 460 if (rc) {
461 printk(KERN_ERR "Error attempting to initialize " 461 printk(KERN_ERR "Error attempting to initialize "
462 "cipher with name = [%s] and key size = [%td]; " 462 "cipher with name = [%s] and key size = [%td]; "
463 "rc = [%d]\n", 463 "rc = [%d]\n",
464 mount_crypt_stat->global_default_fn_cipher_name, 464 mount_crypt_stat->global_default_fn_cipher_name,
465 mount_crypt_stat->global_default_fn_cipher_key_bytes, 465 mount_crypt_stat->global_default_fn_cipher_key_bytes,
466 rc); 466 rc);
467 rc = -EINVAL; 467 rc = -EINVAL;
468 mutex_unlock(&key_tfm_list_mutex); 468 mutex_unlock(&key_tfm_list_mutex);
469 goto out; 469 goto out;
470 } 470 }
471 } 471 }
472 mutex_unlock(&key_tfm_list_mutex); 472 mutex_unlock(&key_tfm_list_mutex);
473 rc = ecryptfs_init_global_auth_toks(mount_crypt_stat); 473 rc = ecryptfs_init_global_auth_toks(mount_crypt_stat);
474 if (rc) 474 if (rc)
475 printk(KERN_WARNING "One or more global auth toks could not " 475 printk(KERN_WARNING "One or more global auth toks could not "
476 "properly register; rc = [%d]\n", rc); 476 "properly register; rc = [%d]\n", rc);
477 out: 477 out:
478 return rc; 478 return rc;
479 } 479 }
480 480
481 struct kmem_cache *ecryptfs_sb_info_cache; 481 struct kmem_cache *ecryptfs_sb_info_cache;
482 static struct file_system_type ecryptfs_fs_type; 482 static struct file_system_type ecryptfs_fs_type;
483 483
484 /** 484 /**
485 * ecryptfs_get_sb 485 * ecryptfs_get_sb
486 * @fs_type 486 * @fs_type
487 * @flags 487 * @flags
488 * @dev_name: The path to mount over 488 * @dev_name: The path to mount over
489 * @raw_data: The options passed into the kernel 489 * @raw_data: The options passed into the kernel
490 */ 490 */
491 static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags, 491 static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags,
492 const char *dev_name, void *raw_data) 492 const char *dev_name, void *raw_data)
493 { 493 {
494 struct super_block *s; 494 struct super_block *s;
495 struct ecryptfs_sb_info *sbi; 495 struct ecryptfs_sb_info *sbi;
496 struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
496 struct ecryptfs_dentry_info *root_info; 497 struct ecryptfs_dentry_info *root_info;
497 const char *err = "Getting sb failed"; 498 const char *err = "Getting sb failed";
498 struct inode *inode; 499 struct inode *inode;
499 struct path path; 500 struct path path;
500 uid_t check_ruid; 501 uid_t check_ruid;
501 int rc; 502 int rc;
502 503
503 sbi = kmem_cache_zalloc(ecryptfs_sb_info_cache, GFP_KERNEL); 504 sbi = kmem_cache_zalloc(ecryptfs_sb_info_cache, GFP_KERNEL);
504 if (!sbi) { 505 if (!sbi) {
505 rc = -ENOMEM; 506 rc = -ENOMEM;
506 goto out; 507 goto out;
507 } 508 }
508 509
509 rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid); 510 rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid);
510 if (rc) { 511 if (rc) {
511 err = "Error parsing options"; 512 err = "Error parsing options";
512 goto out; 513 goto out;
513 } 514 }
515 mount_crypt_stat = &sbi->mount_crypt_stat;
514 516
515 s = sget(fs_type, NULL, set_anon_super, flags, NULL); 517 s = sget(fs_type, NULL, set_anon_super, flags, NULL);
516 if (IS_ERR(s)) { 518 if (IS_ERR(s)) {
517 rc = PTR_ERR(s); 519 rc = PTR_ERR(s);
518 goto out; 520 goto out;
519 } 521 }
520 522
521 rc = bdi_setup_and_register(&sbi->bdi, "ecryptfs", BDI_CAP_MAP_COPY); 523 rc = bdi_setup_and_register(&sbi->bdi, "ecryptfs", BDI_CAP_MAP_COPY);
522 if (rc) 524 if (rc)
523 goto out1; 525 goto out1;
524 526
525 ecryptfs_set_superblock_private(s, sbi); 527 ecryptfs_set_superblock_private(s, sbi);
526 s->s_bdi = &sbi->bdi; 528 s->s_bdi = &sbi->bdi;
527 529
528 /* ->kill_sb() will take care of sbi after that point */ 530 /* ->kill_sb() will take care of sbi after that point */
529 sbi = NULL; 531 sbi = NULL;
530 s->s_op = &ecryptfs_sops; 532 s->s_op = &ecryptfs_sops;
531 s->s_d_op = &ecryptfs_dops; 533 s->s_d_op = &ecryptfs_dops;
532 534
533 err = "Reading sb failed"; 535 err = "Reading sb failed";
534 rc = kern_path(dev_name, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path); 536 rc = kern_path(dev_name, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path);
535 if (rc) { 537 if (rc) {
536 ecryptfs_printk(KERN_WARNING, "kern_path() failed\n"); 538 ecryptfs_printk(KERN_WARNING, "kern_path() failed\n");
537 goto out1; 539 goto out1;
538 } 540 }
539 if (path.dentry->d_sb->s_type == &ecryptfs_fs_type) { 541 if (path.dentry->d_sb->s_type == &ecryptfs_fs_type) {
540 rc = -EINVAL; 542 rc = -EINVAL;
541 printk(KERN_ERR "Mount on filesystem of type " 543 printk(KERN_ERR "Mount on filesystem of type "
542 "eCryptfs explicitly disallowed due to " 544 "eCryptfs explicitly disallowed due to "
543 "known incompatibilities\n"); 545 "known incompatibilities\n");
544 goto out_free; 546 goto out_free;
545 } 547 }
546 548
547 if (check_ruid && !uid_eq(path.dentry->d_inode->i_uid, current_uid())) { 549 if (check_ruid && !uid_eq(path.dentry->d_inode->i_uid, current_uid())) {
548 rc = -EPERM; 550 rc = -EPERM;
549 printk(KERN_ERR "Mount of device (uid: %d) not owned by " 551 printk(KERN_ERR "Mount of device (uid: %d) not owned by "
550 "requested user (uid: %d)\n", 552 "requested user (uid: %d)\n",
551 i_uid_read(path.dentry->d_inode), 553 i_uid_read(path.dentry->d_inode),
552 from_kuid(&init_user_ns, current_uid())); 554 from_kuid(&init_user_ns, current_uid()));
553 goto out_free; 555 goto out_free;
554 } 556 }
555 557
556 ecryptfs_set_superblock_lower(s, path.dentry->d_sb); 558 ecryptfs_set_superblock_lower(s, path.dentry->d_sb);
557 559
558 /** 560 /**
559 * Set the POSIX ACL flag based on whether they're enabled in the lower 561 * Set the POSIX ACL flag based on whether they're enabled in the lower
560 * mount. Force a read-only eCryptfs mount if the lower mount is ro. 562 * mount.
561 * Allow a ro eCryptfs mount even when the lower mount is rw.
562 */ 563 */
563 s->s_flags = flags & ~MS_POSIXACL; 564 s->s_flags = flags & ~MS_POSIXACL;
564 s->s_flags |= path.dentry->d_sb->s_flags & (MS_RDONLY | MS_POSIXACL); 565 s->s_flags |= path.dentry->d_sb->s_flags & MS_POSIXACL;
566
567 /**
568 * Force a read-only eCryptfs mount when:
569 * 1) The lower mount is ro
570 * 2) The ecryptfs_encrypted_view mount option is specified
571 */
572 if (path.dentry->d_sb->s_flags & MS_RDONLY ||
573 mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
574 s->s_flags |= MS_RDONLY;
565 575
566 s->s_maxbytes = path.dentry->d_sb->s_maxbytes; 576 s->s_maxbytes = path.dentry->d_sb->s_maxbytes;
567 s->s_blocksize = path.dentry->d_sb->s_blocksize; 577 s->s_blocksize = path.dentry->d_sb->s_blocksize;
568 s->s_magic = ECRYPTFS_SUPER_MAGIC; 578 s->s_magic = ECRYPTFS_SUPER_MAGIC;
569 s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1; 579 s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1;
570 580
571 rc = -EINVAL; 581 rc = -EINVAL;
572 if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) { 582 if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
573 pr_err("eCryptfs: maximum fs stacking depth exceeded\n"); 583 pr_err("eCryptfs: maximum fs stacking depth exceeded\n");
574 goto out_free; 584 goto out_free;
575 } 585 }
576 586
577 inode = ecryptfs_get_inode(path.dentry->d_inode, s); 587 inode = ecryptfs_get_inode(path.dentry->d_inode, s);
578 rc = PTR_ERR(inode); 588 rc = PTR_ERR(inode);
579 if (IS_ERR(inode)) 589 if (IS_ERR(inode))
580 goto out_free; 590 goto out_free;
581 591
582 s->s_root = d_make_root(inode); 592 s->s_root = d_make_root(inode);
583 if (!s->s_root) { 593 if (!s->s_root) {
584 rc = -ENOMEM; 594 rc = -ENOMEM;
585 goto out_free; 595 goto out_free;
586 } 596 }
587 597
588 rc = -ENOMEM; 598 rc = -ENOMEM;
589 root_info = kmem_cache_zalloc(ecryptfs_dentry_info_cache, GFP_KERNEL); 599 root_info = kmem_cache_zalloc(ecryptfs_dentry_info_cache, GFP_KERNEL);
590 if (!root_info) 600 if (!root_info)
591 goto out_free; 601 goto out_free;
592 602
593 /* ->kill_sb() will take care of root_info */ 603 /* ->kill_sb() will take care of root_info */
594 ecryptfs_set_dentry_private(s->s_root, root_info); 604 ecryptfs_set_dentry_private(s->s_root, root_info);
595 root_info->lower_path = path; 605 root_info->lower_path = path;
596 606
597 s->s_flags |= MS_ACTIVE; 607 s->s_flags |= MS_ACTIVE;
598 return dget(s->s_root); 608 return dget(s->s_root);
599 609
600 out_free: 610 out_free:
601 path_put(&path); 611 path_put(&path);
602 out1: 612 out1:
603 deactivate_locked_super(s); 613 deactivate_locked_super(s);
604 out: 614 out:
605 if (sbi) { 615 if (sbi) {
606 ecryptfs_destroy_mount_crypt_stat(&sbi->mount_crypt_stat); 616 ecryptfs_destroy_mount_crypt_stat(&sbi->mount_crypt_stat);
607 kmem_cache_free(ecryptfs_sb_info_cache, sbi); 617 kmem_cache_free(ecryptfs_sb_info_cache, sbi);
608 } 618 }
609 printk(KERN_ERR "%s; rc = [%d]\n", err, rc); 619 printk(KERN_ERR "%s; rc = [%d]\n", err, rc);
610 return ERR_PTR(rc); 620 return ERR_PTR(rc);
611 } 621 }
612 622
613 /** 623 /**
614 * ecryptfs_kill_block_super 624 * ecryptfs_kill_block_super
615 * @sb: The ecryptfs super block 625 * @sb: The ecryptfs super block
616 * 626 *
617 * Used to bring the superblock down and free the private data. 627 * Used to bring the superblock down and free the private data.
618 */ 628 */
619 static void ecryptfs_kill_block_super(struct super_block *sb) 629 static void ecryptfs_kill_block_super(struct super_block *sb)
620 { 630 {
621 struct ecryptfs_sb_info *sb_info = ecryptfs_superblock_to_private(sb); 631 struct ecryptfs_sb_info *sb_info = ecryptfs_superblock_to_private(sb);
622 kill_anon_super(sb); 632 kill_anon_super(sb);
623 if (!sb_info) 633 if (!sb_info)
624 return; 634 return;
625 ecryptfs_destroy_mount_crypt_stat(&sb_info->mount_crypt_stat); 635 ecryptfs_destroy_mount_crypt_stat(&sb_info->mount_crypt_stat);
626 bdi_destroy(&sb_info->bdi); 636 bdi_destroy(&sb_info->bdi);
627 kmem_cache_free(ecryptfs_sb_info_cache, sb_info); 637 kmem_cache_free(ecryptfs_sb_info_cache, sb_info);
628 } 638 }
629 639
630 static struct file_system_type ecryptfs_fs_type = { 640 static struct file_system_type ecryptfs_fs_type = {
631 .owner = THIS_MODULE, 641 .owner = THIS_MODULE,
632 .name = "ecryptfs", 642 .name = "ecryptfs",
633 .mount = ecryptfs_mount, 643 .mount = ecryptfs_mount,
634 .kill_sb = ecryptfs_kill_block_super, 644 .kill_sb = ecryptfs_kill_block_super,
635 .fs_flags = 0 645 .fs_flags = 0
636 }; 646 };
637 MODULE_ALIAS_FS("ecryptfs"); 647 MODULE_ALIAS_FS("ecryptfs");
638 648
639 /** 649 /**
640 * inode_info_init_once 650 * inode_info_init_once
641 * 651 *
642 * Initializes the ecryptfs_inode_info_cache when it is created 652 * Initializes the ecryptfs_inode_info_cache when it is created
643 */ 653 */
644 static void 654 static void
645 inode_info_init_once(void *vptr) 655 inode_info_init_once(void *vptr)
646 { 656 {
647 struct ecryptfs_inode_info *ei = (struct ecryptfs_inode_info *)vptr; 657 struct ecryptfs_inode_info *ei = (struct ecryptfs_inode_info *)vptr;
648 658
649 inode_init_once(&ei->vfs_inode); 659 inode_init_once(&ei->vfs_inode);
650 } 660 }
651 661
652 static struct ecryptfs_cache_info { 662 static struct ecryptfs_cache_info {
653 struct kmem_cache **cache; 663 struct kmem_cache **cache;
654 const char *name; 664 const char *name;
655 size_t size; 665 size_t size;
656 void (*ctor)(void *obj); 666 void (*ctor)(void *obj);
657 } ecryptfs_cache_infos[] = { 667 } ecryptfs_cache_infos[] = {
658 { 668 {
659 .cache = &ecryptfs_auth_tok_list_item_cache, 669 .cache = &ecryptfs_auth_tok_list_item_cache,
660 .name = "ecryptfs_auth_tok_list_item", 670 .name = "ecryptfs_auth_tok_list_item",
661 .size = sizeof(struct ecryptfs_auth_tok_list_item), 671 .size = sizeof(struct ecryptfs_auth_tok_list_item),
662 }, 672 },
663 { 673 {
664 .cache = &ecryptfs_file_info_cache, 674 .cache = &ecryptfs_file_info_cache,
665 .name = "ecryptfs_file_cache", 675 .name = "ecryptfs_file_cache",
666 .size = sizeof(struct ecryptfs_file_info), 676 .size = sizeof(struct ecryptfs_file_info),
667 }, 677 },
668 { 678 {
669 .cache = &ecryptfs_dentry_info_cache, 679 .cache = &ecryptfs_dentry_info_cache,
670 .name = "ecryptfs_dentry_info_cache", 680 .name = "ecryptfs_dentry_info_cache",
671 .size = sizeof(struct ecryptfs_dentry_info), 681 .size = sizeof(struct ecryptfs_dentry_info),
672 }, 682 },
673 { 683 {
674 .cache = &ecryptfs_inode_info_cache, 684 .cache = &ecryptfs_inode_info_cache,
675 .name = "ecryptfs_inode_cache", 685 .name = "ecryptfs_inode_cache",
676 .size = sizeof(struct ecryptfs_inode_info), 686 .size = sizeof(struct ecryptfs_inode_info),
677 .ctor = inode_info_init_once, 687 .ctor = inode_info_init_once,
678 }, 688 },
679 { 689 {
680 .cache = &ecryptfs_sb_info_cache, 690 .cache = &ecryptfs_sb_info_cache,
681 .name = "ecryptfs_sb_cache", 691 .name = "ecryptfs_sb_cache",
682 .size = sizeof(struct ecryptfs_sb_info), 692 .size = sizeof(struct ecryptfs_sb_info),
683 }, 693 },
684 { 694 {
685 .cache = &ecryptfs_header_cache, 695 .cache = &ecryptfs_header_cache,
686 .name = "ecryptfs_headers", 696 .name = "ecryptfs_headers",
687 .size = PAGE_CACHE_SIZE, 697 .size = PAGE_CACHE_SIZE,
688 }, 698 },
689 { 699 {
690 .cache = &ecryptfs_xattr_cache, 700 .cache = &ecryptfs_xattr_cache,
691 .name = "ecryptfs_xattr_cache", 701 .name = "ecryptfs_xattr_cache",
692 .size = PAGE_CACHE_SIZE, 702 .size = PAGE_CACHE_SIZE,
693 }, 703 },
694 { 704 {
695 .cache = &ecryptfs_key_record_cache, 705 .cache = &ecryptfs_key_record_cache,
696 .name = "ecryptfs_key_record_cache", 706 .name = "ecryptfs_key_record_cache",
697 .size = sizeof(struct ecryptfs_key_record), 707 .size = sizeof(struct ecryptfs_key_record),
698 }, 708 },
699 { 709 {
700 .cache = &ecryptfs_key_sig_cache, 710 .cache = &ecryptfs_key_sig_cache,
701 .name = "ecryptfs_key_sig_cache", 711 .name = "ecryptfs_key_sig_cache",
702 .size = sizeof(struct ecryptfs_key_sig), 712 .size = sizeof(struct ecryptfs_key_sig),
703 }, 713 },
704 { 714 {
705 .cache = &ecryptfs_global_auth_tok_cache, 715 .cache = &ecryptfs_global_auth_tok_cache,
706 .name = "ecryptfs_global_auth_tok_cache", 716 .name = "ecryptfs_global_auth_tok_cache",
707 .size = sizeof(struct ecryptfs_global_auth_tok), 717 .size = sizeof(struct ecryptfs_global_auth_tok),
708 }, 718 },
709 { 719 {
710 .cache = &ecryptfs_key_tfm_cache, 720 .cache = &ecryptfs_key_tfm_cache,
711 .name = "ecryptfs_key_tfm_cache", 721 .name = "ecryptfs_key_tfm_cache",
712 .size = sizeof(struct ecryptfs_key_tfm), 722 .size = sizeof(struct ecryptfs_key_tfm),
713 }, 723 },
714 }; 724 };
715 725
716 static void ecryptfs_free_kmem_caches(void) 726 static void ecryptfs_free_kmem_caches(void)
717 { 727 {
718 int i; 728 int i;
719 729
720 /* 730 /*
721 * Make sure all delayed rcu free inodes are flushed before we 731 * Make sure all delayed rcu free inodes are flushed before we
722 * destroy cache. 732 * destroy cache.
723 */ 733 */
724 rcu_barrier(); 734 rcu_barrier();
725 735
726 for (i = 0; i < ARRAY_SIZE(ecryptfs_cache_infos); i++) { 736 for (i = 0; i < ARRAY_SIZE(ecryptfs_cache_infos); i++) {
727 struct ecryptfs_cache_info *info; 737 struct ecryptfs_cache_info *info;
728 738
729 info = &ecryptfs_cache_infos[i]; 739 info = &ecryptfs_cache_infos[i];
730 if (*(info->cache)) 740 if (*(info->cache))
731 kmem_cache_destroy(*(info->cache)); 741 kmem_cache_destroy(*(info->cache));
732 } 742 }
733 } 743 }
734 744
735 /** 745 /**
736 * ecryptfs_init_kmem_caches 746 * ecryptfs_init_kmem_caches
737 * 747 *
738 * Returns zero on success; non-zero otherwise 748 * Returns zero on success; non-zero otherwise
739 */ 749 */
740 static int ecryptfs_init_kmem_caches(void) 750 static int ecryptfs_init_kmem_caches(void)
741 { 751 {
742 int i; 752 int i;
743 753
744 for (i = 0; i < ARRAY_SIZE(ecryptfs_cache_infos); i++) { 754 for (i = 0; i < ARRAY_SIZE(ecryptfs_cache_infos); i++) {
745 struct ecryptfs_cache_info *info; 755 struct ecryptfs_cache_info *info;
746 756
747 info = &ecryptfs_cache_infos[i]; 757 info = &ecryptfs_cache_infos[i];
748 *(info->cache) = kmem_cache_create(info->name, info->size, 758 *(info->cache) = kmem_cache_create(info->name, info->size,
749 0, SLAB_HWCACHE_ALIGN, info->ctor); 759 0, SLAB_HWCACHE_ALIGN, info->ctor);
750 if (!*(info->cache)) { 760 if (!*(info->cache)) {
751 ecryptfs_free_kmem_caches(); 761 ecryptfs_free_kmem_caches();
752 ecryptfs_printk(KERN_WARNING, "%s: " 762 ecryptfs_printk(KERN_WARNING, "%s: "
753 "kmem_cache_create failed\n", 763 "kmem_cache_create failed\n",
754 info->name); 764 info->name);
755 return -ENOMEM; 765 return -ENOMEM;
756 } 766 }
757 } 767 }
758 return 0; 768 return 0;
759 } 769 }
760 770
761 static struct kobject *ecryptfs_kobj; 771 static struct kobject *ecryptfs_kobj;
762 772
763 static ssize_t version_show(struct kobject *kobj, 773 static ssize_t version_show(struct kobject *kobj,
764 struct kobj_attribute *attr, char *buff) 774 struct kobj_attribute *attr, char *buff)
765 { 775 {
766 return snprintf(buff, PAGE_SIZE, "%d\n", ECRYPTFS_VERSIONING_MASK); 776 return snprintf(buff, PAGE_SIZE, "%d\n", ECRYPTFS_VERSIONING_MASK);
767 } 777 }
768 778
769 static struct kobj_attribute version_attr = __ATTR_RO(version); 779 static struct kobj_attribute version_attr = __ATTR_RO(version);
770 780
771 static struct attribute *attributes[] = { 781 static struct attribute *attributes[] = {
772 &version_attr.attr, 782 &version_attr.attr,
773 NULL, 783 NULL,
774 }; 784 };
775 785
776 static struct attribute_group attr_group = { 786 static struct attribute_group attr_group = {
777 .attrs = attributes, 787 .attrs = attributes,
778 }; 788 };
779 789
780 static int do_sysfs_registration(void) 790 static int do_sysfs_registration(void)
781 { 791 {
782 int rc; 792 int rc;
783 793
784 ecryptfs_kobj = kobject_create_and_add("ecryptfs", fs_kobj); 794 ecryptfs_kobj = kobject_create_and_add("ecryptfs", fs_kobj);
785 if (!ecryptfs_kobj) { 795 if (!ecryptfs_kobj) {
786 printk(KERN_ERR "Unable to create ecryptfs kset\n"); 796 printk(KERN_ERR "Unable to create ecryptfs kset\n");
787 rc = -ENOMEM; 797 rc = -ENOMEM;
788 goto out; 798 goto out;
789 } 799 }
790 rc = sysfs_create_group(ecryptfs_kobj, &attr_group); 800 rc = sysfs_create_group(ecryptfs_kobj, &attr_group);
791 if (rc) { 801 if (rc) {
792 printk(KERN_ERR 802 printk(KERN_ERR
793 "Unable to create ecryptfs version attributes\n"); 803 "Unable to create ecryptfs version attributes\n");
794 kobject_put(ecryptfs_kobj); 804 kobject_put(ecryptfs_kobj);
795 } 805 }
796 out: 806 out:
797 return rc; 807 return rc;
798 } 808 }
799 809
800 static void do_sysfs_unregistration(void) 810 static void do_sysfs_unregistration(void)
801 { 811 {
802 sysfs_remove_group(ecryptfs_kobj, &attr_group); 812 sysfs_remove_group(ecryptfs_kobj, &attr_group);
803 kobject_put(ecryptfs_kobj); 813 kobject_put(ecryptfs_kobj);
804 } 814 }
805 815
806 static int __init ecryptfs_init(void) 816 static int __init ecryptfs_init(void)
807 { 817 {
808 int rc; 818 int rc;
809 819
810 if (ECRYPTFS_DEFAULT_EXTENT_SIZE > PAGE_CACHE_SIZE) { 820 if (ECRYPTFS_DEFAULT_EXTENT_SIZE > PAGE_CACHE_SIZE) {
811 rc = -EINVAL; 821 rc = -EINVAL;
812 ecryptfs_printk(KERN_ERR, "The eCryptfs extent size is " 822 ecryptfs_printk(KERN_ERR, "The eCryptfs extent size is "
813 "larger than the host's page size, and so " 823 "larger than the host's page size, and so "
814 "eCryptfs cannot run on this system. The " 824 "eCryptfs cannot run on this system. The "
815 "default eCryptfs extent size is [%u] bytes; " 825 "default eCryptfs extent size is [%u] bytes; "
816 "the page size is [%lu] bytes.\n", 826 "the page size is [%lu] bytes.\n",
817 ECRYPTFS_DEFAULT_EXTENT_SIZE, 827 ECRYPTFS_DEFAULT_EXTENT_SIZE,
818 (unsigned long)PAGE_CACHE_SIZE); 828 (unsigned long)PAGE_CACHE_SIZE);
819 goto out; 829 goto out;
820 } 830 }
821 rc = ecryptfs_init_kmem_caches(); 831 rc = ecryptfs_init_kmem_caches();
822 if (rc) { 832 if (rc) {
823 printk(KERN_ERR 833 printk(KERN_ERR
824 "Failed to allocate one or more kmem_cache objects\n"); 834 "Failed to allocate one or more kmem_cache objects\n");
825 goto out; 835 goto out;
826 } 836 }
827 rc = do_sysfs_registration(); 837 rc = do_sysfs_registration();
828 if (rc) { 838 if (rc) {
829 printk(KERN_ERR "sysfs registration failed\n"); 839 printk(KERN_ERR "sysfs registration failed\n");
830 goto out_free_kmem_caches; 840 goto out_free_kmem_caches;
831 } 841 }
832 rc = ecryptfs_init_kthread(); 842 rc = ecryptfs_init_kthread();
833 if (rc) { 843 if (rc) {
834 printk(KERN_ERR "%s: kthread initialization failed; " 844 printk(KERN_ERR "%s: kthread initialization failed; "
835 "rc = [%d]\n", __func__, rc); 845 "rc = [%d]\n", __func__, rc);
836 goto out_do_sysfs_unregistration; 846 goto out_do_sysfs_unregistration;
837 } 847 }
838 rc = ecryptfs_init_messaging(); 848 rc = ecryptfs_init_messaging();
839 if (rc) { 849 if (rc) {
840 printk(KERN_ERR "Failure occurred while attempting to " 850 printk(KERN_ERR "Failure occurred while attempting to "
841 "initialize the communications channel to " 851 "initialize the communications channel to "
842 "ecryptfsd\n"); 852 "ecryptfsd\n");
843 goto out_destroy_kthread; 853 goto out_destroy_kthread;
844 } 854 }
845 rc = ecryptfs_init_crypto(); 855 rc = ecryptfs_init_crypto();
846 if (rc) { 856 if (rc) {
847 printk(KERN_ERR "Failure whilst attempting to init crypto; " 857 printk(KERN_ERR "Failure whilst attempting to init crypto; "
848 "rc = [%d]\n", rc); 858 "rc = [%d]\n", rc);
849 goto out_release_messaging; 859 goto out_release_messaging;
850 } 860 }
851 rc = register_filesystem(&ecryptfs_fs_type); 861 rc = register_filesystem(&ecryptfs_fs_type);
852 if (rc) { 862 if (rc) {
853 printk(KERN_ERR "Failed to register filesystem\n"); 863 printk(KERN_ERR "Failed to register filesystem\n");
854 goto out_destroy_crypto; 864 goto out_destroy_crypto;
855 } 865 }
856 if (ecryptfs_verbosity > 0) 866 if (ecryptfs_verbosity > 0)
857 printk(KERN_CRIT "eCryptfs verbosity set to %d. Secret values " 867 printk(KERN_CRIT "eCryptfs verbosity set to %d. Secret values "
858 "will be written to the syslog!\n", ecryptfs_verbosity); 868 "will be written to the syslog!\n", ecryptfs_verbosity);
859 869
860 goto out; 870 goto out;
861 out_destroy_crypto: 871 out_destroy_crypto:
862 ecryptfs_destroy_crypto(); 872 ecryptfs_destroy_crypto();
863 out_release_messaging: 873 out_release_messaging:
864 ecryptfs_release_messaging(); 874 ecryptfs_release_messaging();
865 out_destroy_kthread: 875 out_destroy_kthread:
866 ecryptfs_destroy_kthread(); 876 ecryptfs_destroy_kthread();
867 out_do_sysfs_unregistration: 877 out_do_sysfs_unregistration:
868 do_sysfs_unregistration(); 878 do_sysfs_unregistration();
869 out_free_kmem_caches: 879 out_free_kmem_caches:
870 ecryptfs_free_kmem_caches(); 880 ecryptfs_free_kmem_caches();
871 out: 881 out:
872 return rc; 882 return rc;
873 } 883 }
874 884
875 static void __exit ecryptfs_exit(void) 885 static void __exit ecryptfs_exit(void)
876 { 886 {
877 int rc; 887 int rc;
878 888
879 rc = ecryptfs_destroy_crypto(); 889 rc = ecryptfs_destroy_crypto();
880 if (rc) 890 if (rc)
881 printk(KERN_ERR "Failure whilst attempting to destroy crypto; " 891 printk(KERN_ERR "Failure whilst attempting to destroy crypto; "
882 "rc = [%d]\n", rc); 892 "rc = [%d]\n", rc);
883 ecryptfs_release_messaging(); 893 ecryptfs_release_messaging();
884 ecryptfs_destroy_kthread(); 894 ecryptfs_destroy_kthread();
885 do_sysfs_unregistration(); 895 do_sysfs_unregistration();
886 unregister_filesystem(&ecryptfs_fs_type); 896 unregister_filesystem(&ecryptfs_fs_type);
887 ecryptfs_free_kmem_caches(); 897 ecryptfs_free_kmem_caches();
888 } 898 }
889 899
890 MODULE_AUTHOR("Michael A. Halcrow <mhalcrow@us.ibm.com>"); 900 MODULE_AUTHOR("Michael A. Halcrow <mhalcrow@us.ibm.com>");
891 MODULE_DESCRIPTION("eCryptfs"); 901 MODULE_DESCRIPTION("eCryptfs");
892 902
893 MODULE_LICENSE("GPL"); 903 MODULE_LICENSE("GPL");
894 904
895 module_init(ecryptfs_init) 905 module_init(ecryptfs_init)
896 module_exit(ecryptfs_exit) 906 module_exit(ecryptfs_exit)