Commit 298647e31af52e795867a399fa049cebd88067ff
Exists in
ti-lsk-linux-4.1.y
and in
10 other branches
Merge tag 'ecryptfs-3.19-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel…
…/git/tyhicks/ecryptfs Pull eCryptfs fixes from Tyler Hicks: "Fixes for filename decryption and encrypted view plus a cleanup - The filename decryption routines were, at times, writing a zero byte one character past the end of the filename buffer - The encrypted view feature attempted, and failed, to roll its own form of enforcing a read-only mount instead of letting the VFS enforce it" * tag 'ecryptfs-3.19-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs: eCryptfs: Remove buggy and unnecessary write in file name decode routine eCryptfs: Remove unnecessary casts when parsing packet lengths eCryptfs: Force RO mount when encrypted view is enabled
Showing 4 changed files Inline Diff
fs/ecryptfs/crypto.c
1 | /** | 1 | /** |
2 | * eCryptfs: Linux filesystem encryption layer | 2 | * eCryptfs: Linux filesystem encryption layer |
3 | * | 3 | * |
4 | * Copyright (C) 1997-2004 Erez Zadok | 4 | * Copyright (C) 1997-2004 Erez Zadok |
5 | * Copyright (C) 2001-2004 Stony Brook University | 5 | * Copyright (C) 2001-2004 Stony Brook University |
6 | * Copyright (C) 2004-2007 International Business Machines Corp. | 6 | * Copyright (C) 2004-2007 International Business Machines Corp. |
7 | * Author(s): Michael A. Halcrow <mahalcro@us.ibm.com> | 7 | * Author(s): Michael A. Halcrow <mahalcro@us.ibm.com> |
8 | * Michael C. Thompson <mcthomps@us.ibm.com> | 8 | * Michael C. Thompson <mcthomps@us.ibm.com> |
9 | * | 9 | * |
10 | * This program is free software; you can redistribute it and/or | 10 | * This program is free software; you can redistribute it and/or |
11 | * modify it under the terms of the GNU General Public License as | 11 | * modify it under the terms of the GNU General Public License as |
12 | * published by the Free Software Foundation; either version 2 of the | 12 | * published by the Free Software Foundation; either version 2 of the |
13 | * License, or (at your option) any later version. | 13 | * License, or (at your option) any later version. |
14 | * | 14 | * |
15 | * This program is distributed in the hope that it will be useful, but | 15 | * This program is distributed in the hope that it will be useful, but |
16 | * WITHOUT ANY WARRANTY; without even the implied warranty of | 16 | * WITHOUT ANY WARRANTY; without even the implied warranty of |
17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
18 | * General Public License for more details. | 18 | * General Public License for more details. |
19 | * | 19 | * |
20 | * You should have received a copy of the GNU General Public License | 20 | * You should have received a copy of the GNU General Public License |
21 | * along with this program; if not, write to the Free Software | 21 | * along with this program; if not, write to the Free Software |
22 | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA | 22 | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA |
23 | * 02111-1307, USA. | 23 | * 02111-1307, USA. |
24 | */ | 24 | */ |
25 | 25 | ||
26 | #include <linux/fs.h> | 26 | #include <linux/fs.h> |
27 | #include <linux/mount.h> | 27 | #include <linux/mount.h> |
28 | #include <linux/pagemap.h> | 28 | #include <linux/pagemap.h> |
29 | #include <linux/random.h> | 29 | #include <linux/random.h> |
30 | #include <linux/compiler.h> | 30 | #include <linux/compiler.h> |
31 | #include <linux/key.h> | 31 | #include <linux/key.h> |
32 | #include <linux/namei.h> | 32 | #include <linux/namei.h> |
33 | #include <linux/crypto.h> | 33 | #include <linux/crypto.h> |
34 | #include <linux/file.h> | 34 | #include <linux/file.h> |
35 | #include <linux/scatterlist.h> | 35 | #include <linux/scatterlist.h> |
36 | #include <linux/slab.h> | 36 | #include <linux/slab.h> |
37 | #include <asm/unaligned.h> | 37 | #include <asm/unaligned.h> |
38 | #include "ecryptfs_kernel.h" | 38 | #include "ecryptfs_kernel.h" |
39 | 39 | ||
40 | #define DECRYPT 0 | 40 | #define DECRYPT 0 |
41 | #define ENCRYPT 1 | 41 | #define ENCRYPT 1 |
42 | 42 | ||
43 | /** | 43 | /** |
44 | * ecryptfs_to_hex | 44 | * ecryptfs_to_hex |
45 | * @dst: Buffer to take hex character representation of contents of | 45 | * @dst: Buffer to take hex character representation of contents of |
46 | * src; must be at least of size (src_size * 2) | 46 | * src; must be at least of size (src_size * 2) |
47 | * @src: Buffer to be converted to a hex string respresentation | 47 | * @src: Buffer to be converted to a hex string respresentation |
48 | * @src_size: number of bytes to convert | 48 | * @src_size: number of bytes to convert |
49 | */ | 49 | */ |
50 | void ecryptfs_to_hex(char *dst, char *src, size_t src_size) | 50 | void ecryptfs_to_hex(char *dst, char *src, size_t src_size) |
51 | { | 51 | { |
52 | int x; | 52 | int x; |
53 | 53 | ||
54 | for (x = 0; x < src_size; x++) | 54 | for (x = 0; x < src_size; x++) |
55 | sprintf(&dst[x * 2], "%.2x", (unsigned char)src[x]); | 55 | sprintf(&dst[x * 2], "%.2x", (unsigned char)src[x]); |
56 | } | 56 | } |
57 | 57 | ||
58 | /** | 58 | /** |
59 | * ecryptfs_from_hex | 59 | * ecryptfs_from_hex |
60 | * @dst: Buffer to take the bytes from src hex; must be at least of | 60 | * @dst: Buffer to take the bytes from src hex; must be at least of |
61 | * size (src_size / 2) | 61 | * size (src_size / 2) |
62 | * @src: Buffer to be converted from a hex string respresentation to raw value | 62 | * @src: Buffer to be converted from a hex string respresentation to raw value |
63 | * @dst_size: size of dst buffer, or number of hex characters pairs to convert | 63 | * @dst_size: size of dst buffer, or number of hex characters pairs to convert |
64 | */ | 64 | */ |
65 | void ecryptfs_from_hex(char *dst, char *src, int dst_size) | 65 | void ecryptfs_from_hex(char *dst, char *src, int dst_size) |
66 | { | 66 | { |
67 | int x; | 67 | int x; |
68 | char tmp[3] = { 0, }; | 68 | char tmp[3] = { 0, }; |
69 | 69 | ||
70 | for (x = 0; x < dst_size; x++) { | 70 | for (x = 0; x < dst_size; x++) { |
71 | tmp[0] = src[x * 2]; | 71 | tmp[0] = src[x * 2]; |
72 | tmp[1] = src[x * 2 + 1]; | 72 | tmp[1] = src[x * 2 + 1]; |
73 | dst[x] = (unsigned char)simple_strtol(tmp, NULL, 16); | 73 | dst[x] = (unsigned char)simple_strtol(tmp, NULL, 16); |
74 | } | 74 | } |
75 | } | 75 | } |
76 | 76 | ||
77 | /** | 77 | /** |
78 | * ecryptfs_calculate_md5 - calculates the md5 of @src | 78 | * ecryptfs_calculate_md5 - calculates the md5 of @src |
79 | * @dst: Pointer to 16 bytes of allocated memory | 79 | * @dst: Pointer to 16 bytes of allocated memory |
80 | * @crypt_stat: Pointer to crypt_stat struct for the current inode | 80 | * @crypt_stat: Pointer to crypt_stat struct for the current inode |
81 | * @src: Data to be md5'd | 81 | * @src: Data to be md5'd |
82 | * @len: Length of @src | 82 | * @len: Length of @src |
83 | * | 83 | * |
84 | * Uses the allocated crypto context that crypt_stat references to | 84 | * Uses the allocated crypto context that crypt_stat references to |
85 | * generate the MD5 sum of the contents of src. | 85 | * generate the MD5 sum of the contents of src. |
86 | */ | 86 | */ |
87 | static int ecryptfs_calculate_md5(char *dst, | 87 | static int ecryptfs_calculate_md5(char *dst, |
88 | struct ecryptfs_crypt_stat *crypt_stat, | 88 | struct ecryptfs_crypt_stat *crypt_stat, |
89 | char *src, int len) | 89 | char *src, int len) |
90 | { | 90 | { |
91 | struct scatterlist sg; | 91 | struct scatterlist sg; |
92 | struct hash_desc desc = { | 92 | struct hash_desc desc = { |
93 | .tfm = crypt_stat->hash_tfm, | 93 | .tfm = crypt_stat->hash_tfm, |
94 | .flags = CRYPTO_TFM_REQ_MAY_SLEEP | 94 | .flags = CRYPTO_TFM_REQ_MAY_SLEEP |
95 | }; | 95 | }; |
96 | int rc = 0; | 96 | int rc = 0; |
97 | 97 | ||
98 | mutex_lock(&crypt_stat->cs_hash_tfm_mutex); | 98 | mutex_lock(&crypt_stat->cs_hash_tfm_mutex); |
99 | sg_init_one(&sg, (u8 *)src, len); | 99 | sg_init_one(&sg, (u8 *)src, len); |
100 | if (!desc.tfm) { | 100 | if (!desc.tfm) { |
101 | desc.tfm = crypto_alloc_hash(ECRYPTFS_DEFAULT_HASH, 0, | 101 | desc.tfm = crypto_alloc_hash(ECRYPTFS_DEFAULT_HASH, 0, |
102 | CRYPTO_ALG_ASYNC); | 102 | CRYPTO_ALG_ASYNC); |
103 | if (IS_ERR(desc.tfm)) { | 103 | if (IS_ERR(desc.tfm)) { |
104 | rc = PTR_ERR(desc.tfm); | 104 | rc = PTR_ERR(desc.tfm); |
105 | ecryptfs_printk(KERN_ERR, "Error attempting to " | 105 | ecryptfs_printk(KERN_ERR, "Error attempting to " |
106 | "allocate crypto context; rc = [%d]\n", | 106 | "allocate crypto context; rc = [%d]\n", |
107 | rc); | 107 | rc); |
108 | goto out; | 108 | goto out; |
109 | } | 109 | } |
110 | crypt_stat->hash_tfm = desc.tfm; | 110 | crypt_stat->hash_tfm = desc.tfm; |
111 | } | 111 | } |
112 | rc = crypto_hash_init(&desc); | 112 | rc = crypto_hash_init(&desc); |
113 | if (rc) { | 113 | if (rc) { |
114 | printk(KERN_ERR | 114 | printk(KERN_ERR |
115 | "%s: Error initializing crypto hash; rc = [%d]\n", | 115 | "%s: Error initializing crypto hash; rc = [%d]\n", |
116 | __func__, rc); | 116 | __func__, rc); |
117 | goto out; | 117 | goto out; |
118 | } | 118 | } |
119 | rc = crypto_hash_update(&desc, &sg, len); | 119 | rc = crypto_hash_update(&desc, &sg, len); |
120 | if (rc) { | 120 | if (rc) { |
121 | printk(KERN_ERR | 121 | printk(KERN_ERR |
122 | "%s: Error updating crypto hash; rc = [%d]\n", | 122 | "%s: Error updating crypto hash; rc = [%d]\n", |
123 | __func__, rc); | 123 | __func__, rc); |
124 | goto out; | 124 | goto out; |
125 | } | 125 | } |
126 | rc = crypto_hash_final(&desc, dst); | 126 | rc = crypto_hash_final(&desc, dst); |
127 | if (rc) { | 127 | if (rc) { |
128 | printk(KERN_ERR | 128 | printk(KERN_ERR |
129 | "%s: Error finalizing crypto hash; rc = [%d]\n", | 129 | "%s: Error finalizing crypto hash; rc = [%d]\n", |
130 | __func__, rc); | 130 | __func__, rc); |
131 | goto out; | 131 | goto out; |
132 | } | 132 | } |
133 | out: | 133 | out: |
134 | mutex_unlock(&crypt_stat->cs_hash_tfm_mutex); | 134 | mutex_unlock(&crypt_stat->cs_hash_tfm_mutex); |
135 | return rc; | 135 | return rc; |
136 | } | 136 | } |
137 | 137 | ||
138 | static int ecryptfs_crypto_api_algify_cipher_name(char **algified_name, | 138 | static int ecryptfs_crypto_api_algify_cipher_name(char **algified_name, |
139 | char *cipher_name, | 139 | char *cipher_name, |
140 | char *chaining_modifier) | 140 | char *chaining_modifier) |
141 | { | 141 | { |
142 | int cipher_name_len = strlen(cipher_name); | 142 | int cipher_name_len = strlen(cipher_name); |
143 | int chaining_modifier_len = strlen(chaining_modifier); | 143 | int chaining_modifier_len = strlen(chaining_modifier); |
144 | int algified_name_len; | 144 | int algified_name_len; |
145 | int rc; | 145 | int rc; |
146 | 146 | ||
147 | algified_name_len = (chaining_modifier_len + cipher_name_len + 3); | 147 | algified_name_len = (chaining_modifier_len + cipher_name_len + 3); |
148 | (*algified_name) = kmalloc(algified_name_len, GFP_KERNEL); | 148 | (*algified_name) = kmalloc(algified_name_len, GFP_KERNEL); |
149 | if (!(*algified_name)) { | 149 | if (!(*algified_name)) { |
150 | rc = -ENOMEM; | 150 | rc = -ENOMEM; |
151 | goto out; | 151 | goto out; |
152 | } | 152 | } |
153 | snprintf((*algified_name), algified_name_len, "%s(%s)", | 153 | snprintf((*algified_name), algified_name_len, "%s(%s)", |
154 | chaining_modifier, cipher_name); | 154 | chaining_modifier, cipher_name); |
155 | rc = 0; | 155 | rc = 0; |
156 | out: | 156 | out: |
157 | return rc; | 157 | return rc; |
158 | } | 158 | } |
159 | 159 | ||
160 | /** | 160 | /** |
161 | * ecryptfs_derive_iv | 161 | * ecryptfs_derive_iv |
162 | * @iv: destination for the derived iv vale | 162 | * @iv: destination for the derived iv vale |
163 | * @crypt_stat: Pointer to crypt_stat struct for the current inode | 163 | * @crypt_stat: Pointer to crypt_stat struct for the current inode |
164 | * @offset: Offset of the extent whose IV we are to derive | 164 | * @offset: Offset of the extent whose IV we are to derive |
165 | * | 165 | * |
166 | * Generate the initialization vector from the given root IV and page | 166 | * Generate the initialization vector from the given root IV and page |
167 | * offset. | 167 | * offset. |
168 | * | 168 | * |
169 | * Returns zero on success; non-zero on error. | 169 | * Returns zero on success; non-zero on error. |
170 | */ | 170 | */ |
171 | int ecryptfs_derive_iv(char *iv, struct ecryptfs_crypt_stat *crypt_stat, | 171 | int ecryptfs_derive_iv(char *iv, struct ecryptfs_crypt_stat *crypt_stat, |
172 | loff_t offset) | 172 | loff_t offset) |
173 | { | 173 | { |
174 | int rc = 0; | 174 | int rc = 0; |
175 | char dst[MD5_DIGEST_SIZE]; | 175 | char dst[MD5_DIGEST_SIZE]; |
176 | char src[ECRYPTFS_MAX_IV_BYTES + 16]; | 176 | char src[ECRYPTFS_MAX_IV_BYTES + 16]; |
177 | 177 | ||
178 | if (unlikely(ecryptfs_verbosity > 0)) { | 178 | if (unlikely(ecryptfs_verbosity > 0)) { |
179 | ecryptfs_printk(KERN_DEBUG, "root iv:\n"); | 179 | ecryptfs_printk(KERN_DEBUG, "root iv:\n"); |
180 | ecryptfs_dump_hex(crypt_stat->root_iv, crypt_stat->iv_bytes); | 180 | ecryptfs_dump_hex(crypt_stat->root_iv, crypt_stat->iv_bytes); |
181 | } | 181 | } |
182 | /* TODO: It is probably secure to just cast the least | 182 | /* TODO: It is probably secure to just cast the least |
183 | * significant bits of the root IV into an unsigned long and | 183 | * significant bits of the root IV into an unsigned long and |
184 | * add the offset to that rather than go through all this | 184 | * add the offset to that rather than go through all this |
185 | * hashing business. -Halcrow */ | 185 | * hashing business. -Halcrow */ |
186 | memcpy(src, crypt_stat->root_iv, crypt_stat->iv_bytes); | 186 | memcpy(src, crypt_stat->root_iv, crypt_stat->iv_bytes); |
187 | memset((src + crypt_stat->iv_bytes), 0, 16); | 187 | memset((src + crypt_stat->iv_bytes), 0, 16); |
188 | snprintf((src + crypt_stat->iv_bytes), 16, "%lld", offset); | 188 | snprintf((src + crypt_stat->iv_bytes), 16, "%lld", offset); |
189 | if (unlikely(ecryptfs_verbosity > 0)) { | 189 | if (unlikely(ecryptfs_verbosity > 0)) { |
190 | ecryptfs_printk(KERN_DEBUG, "source:\n"); | 190 | ecryptfs_printk(KERN_DEBUG, "source:\n"); |
191 | ecryptfs_dump_hex(src, (crypt_stat->iv_bytes + 16)); | 191 | ecryptfs_dump_hex(src, (crypt_stat->iv_bytes + 16)); |
192 | } | 192 | } |
193 | rc = ecryptfs_calculate_md5(dst, crypt_stat, src, | 193 | rc = ecryptfs_calculate_md5(dst, crypt_stat, src, |
194 | (crypt_stat->iv_bytes + 16)); | 194 | (crypt_stat->iv_bytes + 16)); |
195 | if (rc) { | 195 | if (rc) { |
196 | ecryptfs_printk(KERN_WARNING, "Error attempting to compute " | 196 | ecryptfs_printk(KERN_WARNING, "Error attempting to compute " |
197 | "MD5 while generating IV for a page\n"); | 197 | "MD5 while generating IV for a page\n"); |
198 | goto out; | 198 | goto out; |
199 | } | 199 | } |
200 | memcpy(iv, dst, crypt_stat->iv_bytes); | 200 | memcpy(iv, dst, crypt_stat->iv_bytes); |
201 | if (unlikely(ecryptfs_verbosity > 0)) { | 201 | if (unlikely(ecryptfs_verbosity > 0)) { |
202 | ecryptfs_printk(KERN_DEBUG, "derived iv:\n"); | 202 | ecryptfs_printk(KERN_DEBUG, "derived iv:\n"); |
203 | ecryptfs_dump_hex(iv, crypt_stat->iv_bytes); | 203 | ecryptfs_dump_hex(iv, crypt_stat->iv_bytes); |
204 | } | 204 | } |
205 | out: | 205 | out: |
206 | return rc; | 206 | return rc; |
207 | } | 207 | } |
208 | 208 | ||
209 | /** | 209 | /** |
210 | * ecryptfs_init_crypt_stat | 210 | * ecryptfs_init_crypt_stat |
211 | * @crypt_stat: Pointer to the crypt_stat struct to initialize. | 211 | * @crypt_stat: Pointer to the crypt_stat struct to initialize. |
212 | * | 212 | * |
213 | * Initialize the crypt_stat structure. | 213 | * Initialize the crypt_stat structure. |
214 | */ | 214 | */ |
215 | void | 215 | void |
216 | ecryptfs_init_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat) | 216 | ecryptfs_init_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat) |
217 | { | 217 | { |
218 | memset((void *)crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat)); | 218 | memset((void *)crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat)); |
219 | INIT_LIST_HEAD(&crypt_stat->keysig_list); | 219 | INIT_LIST_HEAD(&crypt_stat->keysig_list); |
220 | mutex_init(&crypt_stat->keysig_list_mutex); | 220 | mutex_init(&crypt_stat->keysig_list_mutex); |
221 | mutex_init(&crypt_stat->cs_mutex); | 221 | mutex_init(&crypt_stat->cs_mutex); |
222 | mutex_init(&crypt_stat->cs_tfm_mutex); | 222 | mutex_init(&crypt_stat->cs_tfm_mutex); |
223 | mutex_init(&crypt_stat->cs_hash_tfm_mutex); | 223 | mutex_init(&crypt_stat->cs_hash_tfm_mutex); |
224 | crypt_stat->flags |= ECRYPTFS_STRUCT_INITIALIZED; | 224 | crypt_stat->flags |= ECRYPTFS_STRUCT_INITIALIZED; |
225 | } | 225 | } |
226 | 226 | ||
227 | /** | 227 | /** |
228 | * ecryptfs_destroy_crypt_stat | 228 | * ecryptfs_destroy_crypt_stat |
229 | * @crypt_stat: Pointer to the crypt_stat struct to initialize. | 229 | * @crypt_stat: Pointer to the crypt_stat struct to initialize. |
230 | * | 230 | * |
231 | * Releases all memory associated with a crypt_stat struct. | 231 | * Releases all memory associated with a crypt_stat struct. |
232 | */ | 232 | */ |
233 | void ecryptfs_destroy_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat) | 233 | void ecryptfs_destroy_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat) |
234 | { | 234 | { |
235 | struct ecryptfs_key_sig *key_sig, *key_sig_tmp; | 235 | struct ecryptfs_key_sig *key_sig, *key_sig_tmp; |
236 | 236 | ||
237 | if (crypt_stat->tfm) | 237 | if (crypt_stat->tfm) |
238 | crypto_free_ablkcipher(crypt_stat->tfm); | 238 | crypto_free_ablkcipher(crypt_stat->tfm); |
239 | if (crypt_stat->hash_tfm) | 239 | if (crypt_stat->hash_tfm) |
240 | crypto_free_hash(crypt_stat->hash_tfm); | 240 | crypto_free_hash(crypt_stat->hash_tfm); |
241 | list_for_each_entry_safe(key_sig, key_sig_tmp, | 241 | list_for_each_entry_safe(key_sig, key_sig_tmp, |
242 | &crypt_stat->keysig_list, crypt_stat_list) { | 242 | &crypt_stat->keysig_list, crypt_stat_list) { |
243 | list_del(&key_sig->crypt_stat_list); | 243 | list_del(&key_sig->crypt_stat_list); |
244 | kmem_cache_free(ecryptfs_key_sig_cache, key_sig); | 244 | kmem_cache_free(ecryptfs_key_sig_cache, key_sig); |
245 | } | 245 | } |
246 | memset(crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat)); | 246 | memset(crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat)); |
247 | } | 247 | } |
248 | 248 | ||
249 | void ecryptfs_destroy_mount_crypt_stat( | 249 | void ecryptfs_destroy_mount_crypt_stat( |
250 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat) | 250 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat) |
251 | { | 251 | { |
252 | struct ecryptfs_global_auth_tok *auth_tok, *auth_tok_tmp; | 252 | struct ecryptfs_global_auth_tok *auth_tok, *auth_tok_tmp; |
253 | 253 | ||
254 | if (!(mount_crypt_stat->flags & ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED)) | 254 | if (!(mount_crypt_stat->flags & ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED)) |
255 | return; | 255 | return; |
256 | mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); | 256 | mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); |
257 | list_for_each_entry_safe(auth_tok, auth_tok_tmp, | 257 | list_for_each_entry_safe(auth_tok, auth_tok_tmp, |
258 | &mount_crypt_stat->global_auth_tok_list, | 258 | &mount_crypt_stat->global_auth_tok_list, |
259 | mount_crypt_stat_list) { | 259 | mount_crypt_stat_list) { |
260 | list_del(&auth_tok->mount_crypt_stat_list); | 260 | list_del(&auth_tok->mount_crypt_stat_list); |
261 | if (auth_tok->global_auth_tok_key | 261 | if (auth_tok->global_auth_tok_key |
262 | && !(auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID)) | 262 | && !(auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID)) |
263 | key_put(auth_tok->global_auth_tok_key); | 263 | key_put(auth_tok->global_auth_tok_key); |
264 | kmem_cache_free(ecryptfs_global_auth_tok_cache, auth_tok); | 264 | kmem_cache_free(ecryptfs_global_auth_tok_cache, auth_tok); |
265 | } | 265 | } |
266 | mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); | 266 | mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); |
267 | memset(mount_crypt_stat, 0, sizeof(struct ecryptfs_mount_crypt_stat)); | 267 | memset(mount_crypt_stat, 0, sizeof(struct ecryptfs_mount_crypt_stat)); |
268 | } | 268 | } |
269 | 269 | ||
270 | /** | 270 | /** |
271 | * virt_to_scatterlist | 271 | * virt_to_scatterlist |
272 | * @addr: Virtual address | 272 | * @addr: Virtual address |
273 | * @size: Size of data; should be an even multiple of the block size | 273 | * @size: Size of data; should be an even multiple of the block size |
274 | * @sg: Pointer to scatterlist array; set to NULL to obtain only | 274 | * @sg: Pointer to scatterlist array; set to NULL to obtain only |
275 | * the number of scatterlist structs required in array | 275 | * the number of scatterlist structs required in array |
276 | * @sg_size: Max array size | 276 | * @sg_size: Max array size |
277 | * | 277 | * |
278 | * Fills in a scatterlist array with page references for a passed | 278 | * Fills in a scatterlist array with page references for a passed |
279 | * virtual address. | 279 | * virtual address. |
280 | * | 280 | * |
281 | * Returns the number of scatterlist structs in array used | 281 | * Returns the number of scatterlist structs in array used |
282 | */ | 282 | */ |
283 | int virt_to_scatterlist(const void *addr, int size, struct scatterlist *sg, | 283 | int virt_to_scatterlist(const void *addr, int size, struct scatterlist *sg, |
284 | int sg_size) | 284 | int sg_size) |
285 | { | 285 | { |
286 | int i = 0; | 286 | int i = 0; |
287 | struct page *pg; | 287 | struct page *pg; |
288 | int offset; | 288 | int offset; |
289 | int remainder_of_page; | 289 | int remainder_of_page; |
290 | 290 | ||
291 | sg_init_table(sg, sg_size); | 291 | sg_init_table(sg, sg_size); |
292 | 292 | ||
293 | while (size > 0 && i < sg_size) { | 293 | while (size > 0 && i < sg_size) { |
294 | pg = virt_to_page(addr); | 294 | pg = virt_to_page(addr); |
295 | offset = offset_in_page(addr); | 295 | offset = offset_in_page(addr); |
296 | sg_set_page(&sg[i], pg, 0, offset); | 296 | sg_set_page(&sg[i], pg, 0, offset); |
297 | remainder_of_page = PAGE_CACHE_SIZE - offset; | 297 | remainder_of_page = PAGE_CACHE_SIZE - offset; |
298 | if (size >= remainder_of_page) { | 298 | if (size >= remainder_of_page) { |
299 | sg[i].length = remainder_of_page; | 299 | sg[i].length = remainder_of_page; |
300 | addr += remainder_of_page; | 300 | addr += remainder_of_page; |
301 | size -= remainder_of_page; | 301 | size -= remainder_of_page; |
302 | } else { | 302 | } else { |
303 | sg[i].length = size; | 303 | sg[i].length = size; |
304 | addr += size; | 304 | addr += size; |
305 | size = 0; | 305 | size = 0; |
306 | } | 306 | } |
307 | i++; | 307 | i++; |
308 | } | 308 | } |
309 | if (size > 0) | 309 | if (size > 0) |
310 | return -ENOMEM; | 310 | return -ENOMEM; |
311 | return i; | 311 | return i; |
312 | } | 312 | } |
313 | 313 | ||
314 | struct extent_crypt_result { | 314 | struct extent_crypt_result { |
315 | struct completion completion; | 315 | struct completion completion; |
316 | int rc; | 316 | int rc; |
317 | }; | 317 | }; |
318 | 318 | ||
319 | static void extent_crypt_complete(struct crypto_async_request *req, int rc) | 319 | static void extent_crypt_complete(struct crypto_async_request *req, int rc) |
320 | { | 320 | { |
321 | struct extent_crypt_result *ecr = req->data; | 321 | struct extent_crypt_result *ecr = req->data; |
322 | 322 | ||
323 | if (rc == -EINPROGRESS) | 323 | if (rc == -EINPROGRESS) |
324 | return; | 324 | return; |
325 | 325 | ||
326 | ecr->rc = rc; | 326 | ecr->rc = rc; |
327 | complete(&ecr->completion); | 327 | complete(&ecr->completion); |
328 | } | 328 | } |
329 | 329 | ||
330 | /** | 330 | /** |
331 | * crypt_scatterlist | 331 | * crypt_scatterlist |
332 | * @crypt_stat: Pointer to the crypt_stat struct to initialize. | 332 | * @crypt_stat: Pointer to the crypt_stat struct to initialize. |
333 | * @dst_sg: Destination of the data after performing the crypto operation | 333 | * @dst_sg: Destination of the data after performing the crypto operation |
334 | * @src_sg: Data to be encrypted or decrypted | 334 | * @src_sg: Data to be encrypted or decrypted |
335 | * @size: Length of data | 335 | * @size: Length of data |
336 | * @iv: IV to use | 336 | * @iv: IV to use |
337 | * @op: ENCRYPT or DECRYPT to indicate the desired operation | 337 | * @op: ENCRYPT or DECRYPT to indicate the desired operation |
338 | * | 338 | * |
339 | * Returns the number of bytes encrypted or decrypted; negative value on error | 339 | * Returns the number of bytes encrypted or decrypted; negative value on error |
340 | */ | 340 | */ |
341 | static int crypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat, | 341 | static int crypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat, |
342 | struct scatterlist *dst_sg, | 342 | struct scatterlist *dst_sg, |
343 | struct scatterlist *src_sg, int size, | 343 | struct scatterlist *src_sg, int size, |
344 | unsigned char *iv, int op) | 344 | unsigned char *iv, int op) |
345 | { | 345 | { |
346 | struct ablkcipher_request *req = NULL; | 346 | struct ablkcipher_request *req = NULL; |
347 | struct extent_crypt_result ecr; | 347 | struct extent_crypt_result ecr; |
348 | int rc = 0; | 348 | int rc = 0; |
349 | 349 | ||
350 | BUG_ON(!crypt_stat || !crypt_stat->tfm | 350 | BUG_ON(!crypt_stat || !crypt_stat->tfm |
351 | || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED)); | 351 | || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED)); |
352 | if (unlikely(ecryptfs_verbosity > 0)) { | 352 | if (unlikely(ecryptfs_verbosity > 0)) { |
353 | ecryptfs_printk(KERN_DEBUG, "Key size [%zd]; key:\n", | 353 | ecryptfs_printk(KERN_DEBUG, "Key size [%zd]; key:\n", |
354 | crypt_stat->key_size); | 354 | crypt_stat->key_size); |
355 | ecryptfs_dump_hex(crypt_stat->key, | 355 | ecryptfs_dump_hex(crypt_stat->key, |
356 | crypt_stat->key_size); | 356 | crypt_stat->key_size); |
357 | } | 357 | } |
358 | 358 | ||
359 | init_completion(&ecr.completion); | 359 | init_completion(&ecr.completion); |
360 | 360 | ||
361 | mutex_lock(&crypt_stat->cs_tfm_mutex); | 361 | mutex_lock(&crypt_stat->cs_tfm_mutex); |
362 | req = ablkcipher_request_alloc(crypt_stat->tfm, GFP_NOFS); | 362 | req = ablkcipher_request_alloc(crypt_stat->tfm, GFP_NOFS); |
363 | if (!req) { | 363 | if (!req) { |
364 | mutex_unlock(&crypt_stat->cs_tfm_mutex); | 364 | mutex_unlock(&crypt_stat->cs_tfm_mutex); |
365 | rc = -ENOMEM; | 365 | rc = -ENOMEM; |
366 | goto out; | 366 | goto out; |
367 | } | 367 | } |
368 | 368 | ||
369 | ablkcipher_request_set_callback(req, | 369 | ablkcipher_request_set_callback(req, |
370 | CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, | 370 | CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, |
371 | extent_crypt_complete, &ecr); | 371 | extent_crypt_complete, &ecr); |
372 | /* Consider doing this once, when the file is opened */ | 372 | /* Consider doing this once, when the file is opened */ |
373 | if (!(crypt_stat->flags & ECRYPTFS_KEY_SET)) { | 373 | if (!(crypt_stat->flags & ECRYPTFS_KEY_SET)) { |
374 | rc = crypto_ablkcipher_setkey(crypt_stat->tfm, crypt_stat->key, | 374 | rc = crypto_ablkcipher_setkey(crypt_stat->tfm, crypt_stat->key, |
375 | crypt_stat->key_size); | 375 | crypt_stat->key_size); |
376 | if (rc) { | 376 | if (rc) { |
377 | ecryptfs_printk(KERN_ERR, | 377 | ecryptfs_printk(KERN_ERR, |
378 | "Error setting key; rc = [%d]\n", | 378 | "Error setting key; rc = [%d]\n", |
379 | rc); | 379 | rc); |
380 | mutex_unlock(&crypt_stat->cs_tfm_mutex); | 380 | mutex_unlock(&crypt_stat->cs_tfm_mutex); |
381 | rc = -EINVAL; | 381 | rc = -EINVAL; |
382 | goto out; | 382 | goto out; |
383 | } | 383 | } |
384 | crypt_stat->flags |= ECRYPTFS_KEY_SET; | 384 | crypt_stat->flags |= ECRYPTFS_KEY_SET; |
385 | } | 385 | } |
386 | mutex_unlock(&crypt_stat->cs_tfm_mutex); | 386 | mutex_unlock(&crypt_stat->cs_tfm_mutex); |
387 | ablkcipher_request_set_crypt(req, src_sg, dst_sg, size, iv); | 387 | ablkcipher_request_set_crypt(req, src_sg, dst_sg, size, iv); |
388 | rc = op == ENCRYPT ? crypto_ablkcipher_encrypt(req) : | 388 | rc = op == ENCRYPT ? crypto_ablkcipher_encrypt(req) : |
389 | crypto_ablkcipher_decrypt(req); | 389 | crypto_ablkcipher_decrypt(req); |
390 | if (rc == -EINPROGRESS || rc == -EBUSY) { | 390 | if (rc == -EINPROGRESS || rc == -EBUSY) { |
391 | struct extent_crypt_result *ecr = req->base.data; | 391 | struct extent_crypt_result *ecr = req->base.data; |
392 | 392 | ||
393 | wait_for_completion(&ecr->completion); | 393 | wait_for_completion(&ecr->completion); |
394 | rc = ecr->rc; | 394 | rc = ecr->rc; |
395 | reinit_completion(&ecr->completion); | 395 | reinit_completion(&ecr->completion); |
396 | } | 396 | } |
397 | out: | 397 | out: |
398 | ablkcipher_request_free(req); | 398 | ablkcipher_request_free(req); |
399 | return rc; | 399 | return rc; |
400 | } | 400 | } |
401 | 401 | ||
402 | /** | 402 | /** |
403 | * lower_offset_for_page | 403 | * lower_offset_for_page |
404 | * | 404 | * |
405 | * Convert an eCryptfs page index into a lower byte offset | 405 | * Convert an eCryptfs page index into a lower byte offset |
406 | */ | 406 | */ |
407 | static loff_t lower_offset_for_page(struct ecryptfs_crypt_stat *crypt_stat, | 407 | static loff_t lower_offset_for_page(struct ecryptfs_crypt_stat *crypt_stat, |
408 | struct page *page) | 408 | struct page *page) |
409 | { | 409 | { |
410 | return ecryptfs_lower_header_size(crypt_stat) + | 410 | return ecryptfs_lower_header_size(crypt_stat) + |
411 | ((loff_t)page->index << PAGE_CACHE_SHIFT); | 411 | ((loff_t)page->index << PAGE_CACHE_SHIFT); |
412 | } | 412 | } |
413 | 413 | ||
414 | /** | 414 | /** |
415 | * crypt_extent | 415 | * crypt_extent |
416 | * @crypt_stat: crypt_stat containing cryptographic context for the | 416 | * @crypt_stat: crypt_stat containing cryptographic context for the |
417 | * encryption operation | 417 | * encryption operation |
418 | * @dst_page: The page to write the result into | 418 | * @dst_page: The page to write the result into |
419 | * @src_page: The page to read from | 419 | * @src_page: The page to read from |
420 | * @extent_offset: Page extent offset for use in generating IV | 420 | * @extent_offset: Page extent offset for use in generating IV |
421 | * @op: ENCRYPT or DECRYPT to indicate the desired operation | 421 | * @op: ENCRYPT or DECRYPT to indicate the desired operation |
422 | * | 422 | * |
423 | * Encrypts or decrypts one extent of data. | 423 | * Encrypts or decrypts one extent of data. |
424 | * | 424 | * |
425 | * Return zero on success; non-zero otherwise | 425 | * Return zero on success; non-zero otherwise |
426 | */ | 426 | */ |
427 | static int crypt_extent(struct ecryptfs_crypt_stat *crypt_stat, | 427 | static int crypt_extent(struct ecryptfs_crypt_stat *crypt_stat, |
428 | struct page *dst_page, | 428 | struct page *dst_page, |
429 | struct page *src_page, | 429 | struct page *src_page, |
430 | unsigned long extent_offset, int op) | 430 | unsigned long extent_offset, int op) |
431 | { | 431 | { |
432 | pgoff_t page_index = op == ENCRYPT ? src_page->index : dst_page->index; | 432 | pgoff_t page_index = op == ENCRYPT ? src_page->index : dst_page->index; |
433 | loff_t extent_base; | 433 | loff_t extent_base; |
434 | char extent_iv[ECRYPTFS_MAX_IV_BYTES]; | 434 | char extent_iv[ECRYPTFS_MAX_IV_BYTES]; |
435 | struct scatterlist src_sg, dst_sg; | 435 | struct scatterlist src_sg, dst_sg; |
436 | size_t extent_size = crypt_stat->extent_size; | 436 | size_t extent_size = crypt_stat->extent_size; |
437 | int rc; | 437 | int rc; |
438 | 438 | ||
439 | extent_base = (((loff_t)page_index) * (PAGE_CACHE_SIZE / extent_size)); | 439 | extent_base = (((loff_t)page_index) * (PAGE_CACHE_SIZE / extent_size)); |
440 | rc = ecryptfs_derive_iv(extent_iv, crypt_stat, | 440 | rc = ecryptfs_derive_iv(extent_iv, crypt_stat, |
441 | (extent_base + extent_offset)); | 441 | (extent_base + extent_offset)); |
442 | if (rc) { | 442 | if (rc) { |
443 | ecryptfs_printk(KERN_ERR, "Error attempting to derive IV for " | 443 | ecryptfs_printk(KERN_ERR, "Error attempting to derive IV for " |
444 | "extent [0x%.16llx]; rc = [%d]\n", | 444 | "extent [0x%.16llx]; rc = [%d]\n", |
445 | (unsigned long long)(extent_base + extent_offset), rc); | 445 | (unsigned long long)(extent_base + extent_offset), rc); |
446 | goto out; | 446 | goto out; |
447 | } | 447 | } |
448 | 448 | ||
449 | sg_init_table(&src_sg, 1); | 449 | sg_init_table(&src_sg, 1); |
450 | sg_init_table(&dst_sg, 1); | 450 | sg_init_table(&dst_sg, 1); |
451 | 451 | ||
452 | sg_set_page(&src_sg, src_page, extent_size, | 452 | sg_set_page(&src_sg, src_page, extent_size, |
453 | extent_offset * extent_size); | 453 | extent_offset * extent_size); |
454 | sg_set_page(&dst_sg, dst_page, extent_size, | 454 | sg_set_page(&dst_sg, dst_page, extent_size, |
455 | extent_offset * extent_size); | 455 | extent_offset * extent_size); |
456 | 456 | ||
457 | rc = crypt_scatterlist(crypt_stat, &dst_sg, &src_sg, extent_size, | 457 | rc = crypt_scatterlist(crypt_stat, &dst_sg, &src_sg, extent_size, |
458 | extent_iv, op); | 458 | extent_iv, op); |
459 | if (rc < 0) { | 459 | if (rc < 0) { |
460 | printk(KERN_ERR "%s: Error attempting to crypt page with " | 460 | printk(KERN_ERR "%s: Error attempting to crypt page with " |
461 | "page_index = [%ld], extent_offset = [%ld]; " | 461 | "page_index = [%ld], extent_offset = [%ld]; " |
462 | "rc = [%d]\n", __func__, page_index, extent_offset, rc); | 462 | "rc = [%d]\n", __func__, page_index, extent_offset, rc); |
463 | goto out; | 463 | goto out; |
464 | } | 464 | } |
465 | rc = 0; | 465 | rc = 0; |
466 | out: | 466 | out: |
467 | return rc; | 467 | return rc; |
468 | } | 468 | } |
469 | 469 | ||
470 | /** | 470 | /** |
471 | * ecryptfs_encrypt_page | 471 | * ecryptfs_encrypt_page |
472 | * @page: Page mapped from the eCryptfs inode for the file; contains | 472 | * @page: Page mapped from the eCryptfs inode for the file; contains |
473 | * decrypted content that needs to be encrypted (to a temporary | 473 | * decrypted content that needs to be encrypted (to a temporary |
474 | * page; not in place) and written out to the lower file | 474 | * page; not in place) and written out to the lower file |
475 | * | 475 | * |
476 | * Encrypt an eCryptfs page. This is done on a per-extent basis. Note | 476 | * Encrypt an eCryptfs page. This is done on a per-extent basis. Note |
477 | * that eCryptfs pages may straddle the lower pages -- for instance, | 477 | * that eCryptfs pages may straddle the lower pages -- for instance, |
478 | * if the file was created on a machine with an 8K page size | 478 | * if the file was created on a machine with an 8K page size |
479 | * (resulting in an 8K header), and then the file is copied onto a | 479 | * (resulting in an 8K header), and then the file is copied onto a |
480 | * host with a 32K page size, then when reading page 0 of the eCryptfs | 480 | * host with a 32K page size, then when reading page 0 of the eCryptfs |
481 | * file, 24K of page 0 of the lower file will be read and decrypted, | 481 | * file, 24K of page 0 of the lower file will be read and decrypted, |
482 | * and then 8K of page 1 of the lower file will be read and decrypted. | 482 | * and then 8K of page 1 of the lower file will be read and decrypted. |
483 | * | 483 | * |
484 | * Returns zero on success; negative on error | 484 | * Returns zero on success; negative on error |
485 | */ | 485 | */ |
486 | int ecryptfs_encrypt_page(struct page *page) | 486 | int ecryptfs_encrypt_page(struct page *page) |
487 | { | 487 | { |
488 | struct inode *ecryptfs_inode; | 488 | struct inode *ecryptfs_inode; |
489 | struct ecryptfs_crypt_stat *crypt_stat; | 489 | struct ecryptfs_crypt_stat *crypt_stat; |
490 | char *enc_extent_virt; | 490 | char *enc_extent_virt; |
491 | struct page *enc_extent_page = NULL; | 491 | struct page *enc_extent_page = NULL; |
492 | loff_t extent_offset; | 492 | loff_t extent_offset; |
493 | loff_t lower_offset; | 493 | loff_t lower_offset; |
494 | int rc = 0; | 494 | int rc = 0; |
495 | 495 | ||
496 | ecryptfs_inode = page->mapping->host; | 496 | ecryptfs_inode = page->mapping->host; |
497 | crypt_stat = | 497 | crypt_stat = |
498 | &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat); | 498 | &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat); |
499 | BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)); | 499 | BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)); |
500 | enc_extent_page = alloc_page(GFP_USER); | 500 | enc_extent_page = alloc_page(GFP_USER); |
501 | if (!enc_extent_page) { | 501 | if (!enc_extent_page) { |
502 | rc = -ENOMEM; | 502 | rc = -ENOMEM; |
503 | ecryptfs_printk(KERN_ERR, "Error allocating memory for " | 503 | ecryptfs_printk(KERN_ERR, "Error allocating memory for " |
504 | "encrypted extent\n"); | 504 | "encrypted extent\n"); |
505 | goto out; | 505 | goto out; |
506 | } | 506 | } |
507 | 507 | ||
508 | for (extent_offset = 0; | 508 | for (extent_offset = 0; |
509 | extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size); | 509 | extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size); |
510 | extent_offset++) { | 510 | extent_offset++) { |
511 | rc = crypt_extent(crypt_stat, enc_extent_page, page, | 511 | rc = crypt_extent(crypt_stat, enc_extent_page, page, |
512 | extent_offset, ENCRYPT); | 512 | extent_offset, ENCRYPT); |
513 | if (rc) { | 513 | if (rc) { |
514 | printk(KERN_ERR "%s: Error encrypting extent; " | 514 | printk(KERN_ERR "%s: Error encrypting extent; " |
515 | "rc = [%d]\n", __func__, rc); | 515 | "rc = [%d]\n", __func__, rc); |
516 | goto out; | 516 | goto out; |
517 | } | 517 | } |
518 | } | 518 | } |
519 | 519 | ||
520 | lower_offset = lower_offset_for_page(crypt_stat, page); | 520 | lower_offset = lower_offset_for_page(crypt_stat, page); |
521 | enc_extent_virt = kmap(enc_extent_page); | 521 | enc_extent_virt = kmap(enc_extent_page); |
522 | rc = ecryptfs_write_lower(ecryptfs_inode, enc_extent_virt, lower_offset, | 522 | rc = ecryptfs_write_lower(ecryptfs_inode, enc_extent_virt, lower_offset, |
523 | PAGE_CACHE_SIZE); | 523 | PAGE_CACHE_SIZE); |
524 | kunmap(enc_extent_page); | 524 | kunmap(enc_extent_page); |
525 | if (rc < 0) { | 525 | if (rc < 0) { |
526 | ecryptfs_printk(KERN_ERR, | 526 | ecryptfs_printk(KERN_ERR, |
527 | "Error attempting to write lower page; rc = [%d]\n", | 527 | "Error attempting to write lower page; rc = [%d]\n", |
528 | rc); | 528 | rc); |
529 | goto out; | 529 | goto out; |
530 | } | 530 | } |
531 | rc = 0; | 531 | rc = 0; |
532 | out: | 532 | out: |
533 | if (enc_extent_page) { | 533 | if (enc_extent_page) { |
534 | __free_page(enc_extent_page); | 534 | __free_page(enc_extent_page); |
535 | } | 535 | } |
536 | return rc; | 536 | return rc; |
537 | } | 537 | } |
538 | 538 | ||
539 | /** | 539 | /** |
540 | * ecryptfs_decrypt_page | 540 | * ecryptfs_decrypt_page |
541 | * @page: Page mapped from the eCryptfs inode for the file; data read | 541 | * @page: Page mapped from the eCryptfs inode for the file; data read |
542 | * and decrypted from the lower file will be written into this | 542 | * and decrypted from the lower file will be written into this |
543 | * page | 543 | * page |
544 | * | 544 | * |
545 | * Decrypt an eCryptfs page. This is done on a per-extent basis. Note | 545 | * Decrypt an eCryptfs page. This is done on a per-extent basis. Note |
546 | * that eCryptfs pages may straddle the lower pages -- for instance, | 546 | * that eCryptfs pages may straddle the lower pages -- for instance, |
547 | * if the file was created on a machine with an 8K page size | 547 | * if the file was created on a machine with an 8K page size |
548 | * (resulting in an 8K header), and then the file is copied onto a | 548 | * (resulting in an 8K header), and then the file is copied onto a |
549 | * host with a 32K page size, then when reading page 0 of the eCryptfs | 549 | * host with a 32K page size, then when reading page 0 of the eCryptfs |
550 | * file, 24K of page 0 of the lower file will be read and decrypted, | 550 | * file, 24K of page 0 of the lower file will be read and decrypted, |
551 | * and then 8K of page 1 of the lower file will be read and decrypted. | 551 | * and then 8K of page 1 of the lower file will be read and decrypted. |
552 | * | 552 | * |
553 | * Returns zero on success; negative on error | 553 | * Returns zero on success; negative on error |
554 | */ | 554 | */ |
555 | int ecryptfs_decrypt_page(struct page *page) | 555 | int ecryptfs_decrypt_page(struct page *page) |
556 | { | 556 | { |
557 | struct inode *ecryptfs_inode; | 557 | struct inode *ecryptfs_inode; |
558 | struct ecryptfs_crypt_stat *crypt_stat; | 558 | struct ecryptfs_crypt_stat *crypt_stat; |
559 | char *page_virt; | 559 | char *page_virt; |
560 | unsigned long extent_offset; | 560 | unsigned long extent_offset; |
561 | loff_t lower_offset; | 561 | loff_t lower_offset; |
562 | int rc = 0; | 562 | int rc = 0; |
563 | 563 | ||
564 | ecryptfs_inode = page->mapping->host; | 564 | ecryptfs_inode = page->mapping->host; |
565 | crypt_stat = | 565 | crypt_stat = |
566 | &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat); | 566 | &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat); |
567 | BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)); | 567 | BUG_ON(!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)); |
568 | 568 | ||
569 | lower_offset = lower_offset_for_page(crypt_stat, page); | 569 | lower_offset = lower_offset_for_page(crypt_stat, page); |
570 | page_virt = kmap(page); | 570 | page_virt = kmap(page); |
571 | rc = ecryptfs_read_lower(page_virt, lower_offset, PAGE_CACHE_SIZE, | 571 | rc = ecryptfs_read_lower(page_virt, lower_offset, PAGE_CACHE_SIZE, |
572 | ecryptfs_inode); | 572 | ecryptfs_inode); |
573 | kunmap(page); | 573 | kunmap(page); |
574 | if (rc < 0) { | 574 | if (rc < 0) { |
575 | ecryptfs_printk(KERN_ERR, | 575 | ecryptfs_printk(KERN_ERR, |
576 | "Error attempting to read lower page; rc = [%d]\n", | 576 | "Error attempting to read lower page; rc = [%d]\n", |
577 | rc); | 577 | rc); |
578 | goto out; | 578 | goto out; |
579 | } | 579 | } |
580 | 580 | ||
581 | for (extent_offset = 0; | 581 | for (extent_offset = 0; |
582 | extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size); | 582 | extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size); |
583 | extent_offset++) { | 583 | extent_offset++) { |
584 | rc = crypt_extent(crypt_stat, page, page, | 584 | rc = crypt_extent(crypt_stat, page, page, |
585 | extent_offset, DECRYPT); | 585 | extent_offset, DECRYPT); |
586 | if (rc) { | 586 | if (rc) { |
587 | printk(KERN_ERR "%s: Error encrypting extent; " | 587 | printk(KERN_ERR "%s: Error encrypting extent; " |
588 | "rc = [%d]\n", __func__, rc); | 588 | "rc = [%d]\n", __func__, rc); |
589 | goto out; | 589 | goto out; |
590 | } | 590 | } |
591 | } | 591 | } |
592 | out: | 592 | out: |
593 | return rc; | 593 | return rc; |
594 | } | 594 | } |
595 | 595 | ||
596 | #define ECRYPTFS_MAX_SCATTERLIST_LEN 4 | 596 | #define ECRYPTFS_MAX_SCATTERLIST_LEN 4 |
597 | 597 | ||
598 | /** | 598 | /** |
599 | * ecryptfs_init_crypt_ctx | 599 | * ecryptfs_init_crypt_ctx |
600 | * @crypt_stat: Uninitialized crypt stats structure | 600 | * @crypt_stat: Uninitialized crypt stats structure |
601 | * | 601 | * |
602 | * Initialize the crypto context. | 602 | * Initialize the crypto context. |
603 | * | 603 | * |
604 | * TODO: Performance: Keep a cache of initialized cipher contexts; | 604 | * TODO: Performance: Keep a cache of initialized cipher contexts; |
605 | * only init if needed | 605 | * only init if needed |
606 | */ | 606 | */ |
607 | int ecryptfs_init_crypt_ctx(struct ecryptfs_crypt_stat *crypt_stat) | 607 | int ecryptfs_init_crypt_ctx(struct ecryptfs_crypt_stat *crypt_stat) |
608 | { | 608 | { |
609 | char *full_alg_name; | 609 | char *full_alg_name; |
610 | int rc = -EINVAL; | 610 | int rc = -EINVAL; |
611 | 611 | ||
612 | ecryptfs_printk(KERN_DEBUG, | 612 | ecryptfs_printk(KERN_DEBUG, |
613 | "Initializing cipher [%s]; strlen = [%d]; " | 613 | "Initializing cipher [%s]; strlen = [%d]; " |
614 | "key_size_bits = [%zd]\n", | 614 | "key_size_bits = [%zd]\n", |
615 | crypt_stat->cipher, (int)strlen(crypt_stat->cipher), | 615 | crypt_stat->cipher, (int)strlen(crypt_stat->cipher), |
616 | crypt_stat->key_size << 3); | 616 | crypt_stat->key_size << 3); |
617 | mutex_lock(&crypt_stat->cs_tfm_mutex); | 617 | mutex_lock(&crypt_stat->cs_tfm_mutex); |
618 | if (crypt_stat->tfm) { | 618 | if (crypt_stat->tfm) { |
619 | rc = 0; | 619 | rc = 0; |
620 | goto out_unlock; | 620 | goto out_unlock; |
621 | } | 621 | } |
622 | rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, | 622 | rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, |
623 | crypt_stat->cipher, "cbc"); | 623 | crypt_stat->cipher, "cbc"); |
624 | if (rc) | 624 | if (rc) |
625 | goto out_unlock; | 625 | goto out_unlock; |
626 | crypt_stat->tfm = crypto_alloc_ablkcipher(full_alg_name, 0, 0); | 626 | crypt_stat->tfm = crypto_alloc_ablkcipher(full_alg_name, 0, 0); |
627 | if (IS_ERR(crypt_stat->tfm)) { | 627 | if (IS_ERR(crypt_stat->tfm)) { |
628 | rc = PTR_ERR(crypt_stat->tfm); | 628 | rc = PTR_ERR(crypt_stat->tfm); |
629 | crypt_stat->tfm = NULL; | 629 | crypt_stat->tfm = NULL; |
630 | ecryptfs_printk(KERN_ERR, "cryptfs: init_crypt_ctx(): " | 630 | ecryptfs_printk(KERN_ERR, "cryptfs: init_crypt_ctx(): " |
631 | "Error initializing cipher [%s]\n", | 631 | "Error initializing cipher [%s]\n", |
632 | full_alg_name); | 632 | full_alg_name); |
633 | goto out_free; | 633 | goto out_free; |
634 | } | 634 | } |
635 | crypto_ablkcipher_set_flags(crypt_stat->tfm, CRYPTO_TFM_REQ_WEAK_KEY); | 635 | crypto_ablkcipher_set_flags(crypt_stat->tfm, CRYPTO_TFM_REQ_WEAK_KEY); |
636 | rc = 0; | 636 | rc = 0; |
637 | out_free: | 637 | out_free: |
638 | kfree(full_alg_name); | 638 | kfree(full_alg_name); |
639 | out_unlock: | 639 | out_unlock: |
640 | mutex_unlock(&crypt_stat->cs_tfm_mutex); | 640 | mutex_unlock(&crypt_stat->cs_tfm_mutex); |
641 | return rc; | 641 | return rc; |
642 | } | 642 | } |
643 | 643 | ||
644 | static void set_extent_mask_and_shift(struct ecryptfs_crypt_stat *crypt_stat) | 644 | static void set_extent_mask_and_shift(struct ecryptfs_crypt_stat *crypt_stat) |
645 | { | 645 | { |
646 | int extent_size_tmp; | 646 | int extent_size_tmp; |
647 | 647 | ||
648 | crypt_stat->extent_mask = 0xFFFFFFFF; | 648 | crypt_stat->extent_mask = 0xFFFFFFFF; |
649 | crypt_stat->extent_shift = 0; | 649 | crypt_stat->extent_shift = 0; |
650 | if (crypt_stat->extent_size == 0) | 650 | if (crypt_stat->extent_size == 0) |
651 | return; | 651 | return; |
652 | extent_size_tmp = crypt_stat->extent_size; | 652 | extent_size_tmp = crypt_stat->extent_size; |
653 | while ((extent_size_tmp & 0x01) == 0) { | 653 | while ((extent_size_tmp & 0x01) == 0) { |
654 | extent_size_tmp >>= 1; | 654 | extent_size_tmp >>= 1; |
655 | crypt_stat->extent_mask <<= 1; | 655 | crypt_stat->extent_mask <<= 1; |
656 | crypt_stat->extent_shift++; | 656 | crypt_stat->extent_shift++; |
657 | } | 657 | } |
658 | } | 658 | } |
659 | 659 | ||
660 | void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat) | 660 | void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat) |
661 | { | 661 | { |
662 | /* Default values; may be overwritten as we are parsing the | 662 | /* Default values; may be overwritten as we are parsing the |
663 | * packets. */ | 663 | * packets. */ |
664 | crypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE; | 664 | crypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE; |
665 | set_extent_mask_and_shift(crypt_stat); | 665 | set_extent_mask_and_shift(crypt_stat); |
666 | crypt_stat->iv_bytes = ECRYPTFS_DEFAULT_IV_BYTES; | 666 | crypt_stat->iv_bytes = ECRYPTFS_DEFAULT_IV_BYTES; |
667 | if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR) | 667 | if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR) |
668 | crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE; | 668 | crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE; |
669 | else { | 669 | else { |
670 | if (PAGE_CACHE_SIZE <= ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE) | 670 | if (PAGE_CACHE_SIZE <= ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE) |
671 | crypt_stat->metadata_size = | 671 | crypt_stat->metadata_size = |
672 | ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE; | 672 | ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE; |
673 | else | 673 | else |
674 | crypt_stat->metadata_size = PAGE_CACHE_SIZE; | 674 | crypt_stat->metadata_size = PAGE_CACHE_SIZE; |
675 | } | 675 | } |
676 | } | 676 | } |
677 | 677 | ||
678 | /** | 678 | /** |
679 | * ecryptfs_compute_root_iv | 679 | * ecryptfs_compute_root_iv |
680 | * @crypt_stats | 680 | * @crypt_stats |
681 | * | 681 | * |
682 | * On error, sets the root IV to all 0's. | 682 | * On error, sets the root IV to all 0's. |
683 | */ | 683 | */ |
684 | int ecryptfs_compute_root_iv(struct ecryptfs_crypt_stat *crypt_stat) | 684 | int ecryptfs_compute_root_iv(struct ecryptfs_crypt_stat *crypt_stat) |
685 | { | 685 | { |
686 | int rc = 0; | 686 | int rc = 0; |
687 | char dst[MD5_DIGEST_SIZE]; | 687 | char dst[MD5_DIGEST_SIZE]; |
688 | 688 | ||
689 | BUG_ON(crypt_stat->iv_bytes > MD5_DIGEST_SIZE); | 689 | BUG_ON(crypt_stat->iv_bytes > MD5_DIGEST_SIZE); |
690 | BUG_ON(crypt_stat->iv_bytes <= 0); | 690 | BUG_ON(crypt_stat->iv_bytes <= 0); |
691 | if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) { | 691 | if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) { |
692 | rc = -EINVAL; | 692 | rc = -EINVAL; |
693 | ecryptfs_printk(KERN_WARNING, "Session key not valid; " | 693 | ecryptfs_printk(KERN_WARNING, "Session key not valid; " |
694 | "cannot generate root IV\n"); | 694 | "cannot generate root IV\n"); |
695 | goto out; | 695 | goto out; |
696 | } | 696 | } |
697 | rc = ecryptfs_calculate_md5(dst, crypt_stat, crypt_stat->key, | 697 | rc = ecryptfs_calculate_md5(dst, crypt_stat, crypt_stat->key, |
698 | crypt_stat->key_size); | 698 | crypt_stat->key_size); |
699 | if (rc) { | 699 | if (rc) { |
700 | ecryptfs_printk(KERN_WARNING, "Error attempting to compute " | 700 | ecryptfs_printk(KERN_WARNING, "Error attempting to compute " |
701 | "MD5 while generating root IV\n"); | 701 | "MD5 while generating root IV\n"); |
702 | goto out; | 702 | goto out; |
703 | } | 703 | } |
704 | memcpy(crypt_stat->root_iv, dst, crypt_stat->iv_bytes); | 704 | memcpy(crypt_stat->root_iv, dst, crypt_stat->iv_bytes); |
705 | out: | 705 | out: |
706 | if (rc) { | 706 | if (rc) { |
707 | memset(crypt_stat->root_iv, 0, crypt_stat->iv_bytes); | 707 | memset(crypt_stat->root_iv, 0, crypt_stat->iv_bytes); |
708 | crypt_stat->flags |= ECRYPTFS_SECURITY_WARNING; | 708 | crypt_stat->flags |= ECRYPTFS_SECURITY_WARNING; |
709 | } | 709 | } |
710 | return rc; | 710 | return rc; |
711 | } | 711 | } |
712 | 712 | ||
713 | static void ecryptfs_generate_new_key(struct ecryptfs_crypt_stat *crypt_stat) | 713 | static void ecryptfs_generate_new_key(struct ecryptfs_crypt_stat *crypt_stat) |
714 | { | 714 | { |
715 | get_random_bytes(crypt_stat->key, crypt_stat->key_size); | 715 | get_random_bytes(crypt_stat->key, crypt_stat->key_size); |
716 | crypt_stat->flags |= ECRYPTFS_KEY_VALID; | 716 | crypt_stat->flags |= ECRYPTFS_KEY_VALID; |
717 | ecryptfs_compute_root_iv(crypt_stat); | 717 | ecryptfs_compute_root_iv(crypt_stat); |
718 | if (unlikely(ecryptfs_verbosity > 0)) { | 718 | if (unlikely(ecryptfs_verbosity > 0)) { |
719 | ecryptfs_printk(KERN_DEBUG, "Generated new session key:\n"); | 719 | ecryptfs_printk(KERN_DEBUG, "Generated new session key:\n"); |
720 | ecryptfs_dump_hex(crypt_stat->key, | 720 | ecryptfs_dump_hex(crypt_stat->key, |
721 | crypt_stat->key_size); | 721 | crypt_stat->key_size); |
722 | } | 722 | } |
723 | } | 723 | } |
724 | 724 | ||
725 | /** | 725 | /** |
726 | * ecryptfs_copy_mount_wide_flags_to_inode_flags | 726 | * ecryptfs_copy_mount_wide_flags_to_inode_flags |
727 | * @crypt_stat: The inode's cryptographic context | 727 | * @crypt_stat: The inode's cryptographic context |
728 | * @mount_crypt_stat: The mount point's cryptographic context | 728 | * @mount_crypt_stat: The mount point's cryptographic context |
729 | * | 729 | * |
730 | * This function propagates the mount-wide flags to individual inode | 730 | * This function propagates the mount-wide flags to individual inode |
731 | * flags. | 731 | * flags. |
732 | */ | 732 | */ |
733 | static void ecryptfs_copy_mount_wide_flags_to_inode_flags( | 733 | static void ecryptfs_copy_mount_wide_flags_to_inode_flags( |
734 | struct ecryptfs_crypt_stat *crypt_stat, | 734 | struct ecryptfs_crypt_stat *crypt_stat, |
735 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat) | 735 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat) |
736 | { | 736 | { |
737 | if (mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED) | 737 | if (mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED) |
738 | crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR; | 738 | crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR; |
739 | if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) | 739 | if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) |
740 | crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED; | 740 | crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED; |
741 | if (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) { | 741 | if (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) { |
742 | crypt_stat->flags |= ECRYPTFS_ENCRYPT_FILENAMES; | 742 | crypt_stat->flags |= ECRYPTFS_ENCRYPT_FILENAMES; |
743 | if (mount_crypt_stat->flags | 743 | if (mount_crypt_stat->flags |
744 | & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK) | 744 | & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK) |
745 | crypt_stat->flags |= ECRYPTFS_ENCFN_USE_MOUNT_FNEK; | 745 | crypt_stat->flags |= ECRYPTFS_ENCFN_USE_MOUNT_FNEK; |
746 | else if (mount_crypt_stat->flags | 746 | else if (mount_crypt_stat->flags |
747 | & ECRYPTFS_GLOBAL_ENCFN_USE_FEK) | 747 | & ECRYPTFS_GLOBAL_ENCFN_USE_FEK) |
748 | crypt_stat->flags |= ECRYPTFS_ENCFN_USE_FEK; | 748 | crypt_stat->flags |= ECRYPTFS_ENCFN_USE_FEK; |
749 | } | 749 | } |
750 | } | 750 | } |
751 | 751 | ||
752 | static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs( | 752 | static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs( |
753 | struct ecryptfs_crypt_stat *crypt_stat, | 753 | struct ecryptfs_crypt_stat *crypt_stat, |
754 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat) | 754 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat) |
755 | { | 755 | { |
756 | struct ecryptfs_global_auth_tok *global_auth_tok; | 756 | struct ecryptfs_global_auth_tok *global_auth_tok; |
757 | int rc = 0; | 757 | int rc = 0; |
758 | 758 | ||
759 | mutex_lock(&crypt_stat->keysig_list_mutex); | 759 | mutex_lock(&crypt_stat->keysig_list_mutex); |
760 | mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); | 760 | mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); |
761 | 761 | ||
762 | list_for_each_entry(global_auth_tok, | 762 | list_for_each_entry(global_auth_tok, |
763 | &mount_crypt_stat->global_auth_tok_list, | 763 | &mount_crypt_stat->global_auth_tok_list, |
764 | mount_crypt_stat_list) { | 764 | mount_crypt_stat_list) { |
765 | if (global_auth_tok->flags & ECRYPTFS_AUTH_TOK_FNEK) | 765 | if (global_auth_tok->flags & ECRYPTFS_AUTH_TOK_FNEK) |
766 | continue; | 766 | continue; |
767 | rc = ecryptfs_add_keysig(crypt_stat, global_auth_tok->sig); | 767 | rc = ecryptfs_add_keysig(crypt_stat, global_auth_tok->sig); |
768 | if (rc) { | 768 | if (rc) { |
769 | printk(KERN_ERR "Error adding keysig; rc = [%d]\n", rc); | 769 | printk(KERN_ERR "Error adding keysig; rc = [%d]\n", rc); |
770 | goto out; | 770 | goto out; |
771 | } | 771 | } |
772 | } | 772 | } |
773 | 773 | ||
774 | out: | 774 | out: |
775 | mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); | 775 | mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); |
776 | mutex_unlock(&crypt_stat->keysig_list_mutex); | 776 | mutex_unlock(&crypt_stat->keysig_list_mutex); |
777 | return rc; | 777 | return rc; |
778 | } | 778 | } |
779 | 779 | ||
780 | /** | 780 | /** |
781 | * ecryptfs_set_default_crypt_stat_vals | 781 | * ecryptfs_set_default_crypt_stat_vals |
782 | * @crypt_stat: The inode's cryptographic context | 782 | * @crypt_stat: The inode's cryptographic context |
783 | * @mount_crypt_stat: The mount point's cryptographic context | 783 | * @mount_crypt_stat: The mount point's cryptographic context |
784 | * | 784 | * |
785 | * Default values in the event that policy does not override them. | 785 | * Default values in the event that policy does not override them. |
786 | */ | 786 | */ |
787 | static void ecryptfs_set_default_crypt_stat_vals( | 787 | static void ecryptfs_set_default_crypt_stat_vals( |
788 | struct ecryptfs_crypt_stat *crypt_stat, | 788 | struct ecryptfs_crypt_stat *crypt_stat, |
789 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat) | 789 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat) |
790 | { | 790 | { |
791 | ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, | 791 | ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, |
792 | mount_crypt_stat); | 792 | mount_crypt_stat); |
793 | ecryptfs_set_default_sizes(crypt_stat); | 793 | ecryptfs_set_default_sizes(crypt_stat); |
794 | strcpy(crypt_stat->cipher, ECRYPTFS_DEFAULT_CIPHER); | 794 | strcpy(crypt_stat->cipher, ECRYPTFS_DEFAULT_CIPHER); |
795 | crypt_stat->key_size = ECRYPTFS_DEFAULT_KEY_BYTES; | 795 | crypt_stat->key_size = ECRYPTFS_DEFAULT_KEY_BYTES; |
796 | crypt_stat->flags &= ~(ECRYPTFS_KEY_VALID); | 796 | crypt_stat->flags &= ~(ECRYPTFS_KEY_VALID); |
797 | crypt_stat->file_version = ECRYPTFS_FILE_VERSION; | 797 | crypt_stat->file_version = ECRYPTFS_FILE_VERSION; |
798 | crypt_stat->mount_crypt_stat = mount_crypt_stat; | 798 | crypt_stat->mount_crypt_stat = mount_crypt_stat; |
799 | } | 799 | } |
800 | 800 | ||
801 | /** | 801 | /** |
802 | * ecryptfs_new_file_context | 802 | * ecryptfs_new_file_context |
803 | * @ecryptfs_inode: The eCryptfs inode | 803 | * @ecryptfs_inode: The eCryptfs inode |
804 | * | 804 | * |
805 | * If the crypto context for the file has not yet been established, | 805 | * If the crypto context for the file has not yet been established, |
806 | * this is where we do that. Establishing a new crypto context | 806 | * this is where we do that. Establishing a new crypto context |
807 | * involves the following decisions: | 807 | * involves the following decisions: |
808 | * - What cipher to use? | 808 | * - What cipher to use? |
809 | * - What set of authentication tokens to use? | 809 | * - What set of authentication tokens to use? |
810 | * Here we just worry about getting enough information into the | 810 | * Here we just worry about getting enough information into the |
811 | * authentication tokens so that we know that they are available. | 811 | * authentication tokens so that we know that they are available. |
812 | * We associate the available authentication tokens with the new file | 812 | * We associate the available authentication tokens with the new file |
813 | * via the set of signatures in the crypt_stat struct. Later, when | 813 | * via the set of signatures in the crypt_stat struct. Later, when |
814 | * the headers are actually written out, we may again defer to | 814 | * the headers are actually written out, we may again defer to |
815 | * userspace to perform the encryption of the session key; for the | 815 | * userspace to perform the encryption of the session key; for the |
816 | * foreseeable future, this will be the case with public key packets. | 816 | * foreseeable future, this will be the case with public key packets. |
817 | * | 817 | * |
818 | * Returns zero on success; non-zero otherwise | 818 | * Returns zero on success; non-zero otherwise |
819 | */ | 819 | */ |
820 | int ecryptfs_new_file_context(struct inode *ecryptfs_inode) | 820 | int ecryptfs_new_file_context(struct inode *ecryptfs_inode) |
821 | { | 821 | { |
822 | struct ecryptfs_crypt_stat *crypt_stat = | 822 | struct ecryptfs_crypt_stat *crypt_stat = |
823 | &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat; | 823 | &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat; |
824 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat = | 824 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat = |
825 | &ecryptfs_superblock_to_private( | 825 | &ecryptfs_superblock_to_private( |
826 | ecryptfs_inode->i_sb)->mount_crypt_stat; | 826 | ecryptfs_inode->i_sb)->mount_crypt_stat; |
827 | int cipher_name_len; | 827 | int cipher_name_len; |
828 | int rc = 0; | 828 | int rc = 0; |
829 | 829 | ||
830 | ecryptfs_set_default_crypt_stat_vals(crypt_stat, mount_crypt_stat); | 830 | ecryptfs_set_default_crypt_stat_vals(crypt_stat, mount_crypt_stat); |
831 | crypt_stat->flags |= (ECRYPTFS_ENCRYPTED | ECRYPTFS_KEY_VALID); | 831 | crypt_stat->flags |= (ECRYPTFS_ENCRYPTED | ECRYPTFS_KEY_VALID); |
832 | ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, | 832 | ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, |
833 | mount_crypt_stat); | 833 | mount_crypt_stat); |
834 | rc = ecryptfs_copy_mount_wide_sigs_to_inode_sigs(crypt_stat, | 834 | rc = ecryptfs_copy_mount_wide_sigs_to_inode_sigs(crypt_stat, |
835 | mount_crypt_stat); | 835 | mount_crypt_stat); |
836 | if (rc) { | 836 | if (rc) { |
837 | printk(KERN_ERR "Error attempting to copy mount-wide key sigs " | 837 | printk(KERN_ERR "Error attempting to copy mount-wide key sigs " |
838 | "to the inode key sigs; rc = [%d]\n", rc); | 838 | "to the inode key sigs; rc = [%d]\n", rc); |
839 | goto out; | 839 | goto out; |
840 | } | 840 | } |
841 | cipher_name_len = | 841 | cipher_name_len = |
842 | strlen(mount_crypt_stat->global_default_cipher_name); | 842 | strlen(mount_crypt_stat->global_default_cipher_name); |
843 | memcpy(crypt_stat->cipher, | 843 | memcpy(crypt_stat->cipher, |
844 | mount_crypt_stat->global_default_cipher_name, | 844 | mount_crypt_stat->global_default_cipher_name, |
845 | cipher_name_len); | 845 | cipher_name_len); |
846 | crypt_stat->cipher[cipher_name_len] = '\0'; | 846 | crypt_stat->cipher[cipher_name_len] = '\0'; |
847 | crypt_stat->key_size = | 847 | crypt_stat->key_size = |
848 | mount_crypt_stat->global_default_cipher_key_size; | 848 | mount_crypt_stat->global_default_cipher_key_size; |
849 | ecryptfs_generate_new_key(crypt_stat); | 849 | ecryptfs_generate_new_key(crypt_stat); |
850 | rc = ecryptfs_init_crypt_ctx(crypt_stat); | 850 | rc = ecryptfs_init_crypt_ctx(crypt_stat); |
851 | if (rc) | 851 | if (rc) |
852 | ecryptfs_printk(KERN_ERR, "Error initializing cryptographic " | 852 | ecryptfs_printk(KERN_ERR, "Error initializing cryptographic " |
853 | "context for cipher [%s]: rc = [%d]\n", | 853 | "context for cipher [%s]: rc = [%d]\n", |
854 | crypt_stat->cipher, rc); | 854 | crypt_stat->cipher, rc); |
855 | out: | 855 | out: |
856 | return rc; | 856 | return rc; |
857 | } | 857 | } |
858 | 858 | ||
859 | /** | 859 | /** |
860 | * ecryptfs_validate_marker - check for the ecryptfs marker | 860 | * ecryptfs_validate_marker - check for the ecryptfs marker |
861 | * @data: The data block in which to check | 861 | * @data: The data block in which to check |
862 | * | 862 | * |
863 | * Returns zero if marker found; -EINVAL if not found | 863 | * Returns zero if marker found; -EINVAL if not found |
864 | */ | 864 | */ |
865 | static int ecryptfs_validate_marker(char *data) | 865 | static int ecryptfs_validate_marker(char *data) |
866 | { | 866 | { |
867 | u32 m_1, m_2; | 867 | u32 m_1, m_2; |
868 | 868 | ||
869 | m_1 = get_unaligned_be32(data); | 869 | m_1 = get_unaligned_be32(data); |
870 | m_2 = get_unaligned_be32(data + 4); | 870 | m_2 = get_unaligned_be32(data + 4); |
871 | if ((m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2) | 871 | if ((m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2) |
872 | return 0; | 872 | return 0; |
873 | ecryptfs_printk(KERN_DEBUG, "m_1 = [0x%.8x]; m_2 = [0x%.8x]; " | 873 | ecryptfs_printk(KERN_DEBUG, "m_1 = [0x%.8x]; m_2 = [0x%.8x]; " |
874 | "MAGIC_ECRYPTFS_MARKER = [0x%.8x]\n", m_1, m_2, | 874 | "MAGIC_ECRYPTFS_MARKER = [0x%.8x]\n", m_1, m_2, |
875 | MAGIC_ECRYPTFS_MARKER); | 875 | MAGIC_ECRYPTFS_MARKER); |
876 | ecryptfs_printk(KERN_DEBUG, "(m_1 ^ MAGIC_ECRYPTFS_MARKER) = " | 876 | ecryptfs_printk(KERN_DEBUG, "(m_1 ^ MAGIC_ECRYPTFS_MARKER) = " |
877 | "[0x%.8x]\n", (m_1 ^ MAGIC_ECRYPTFS_MARKER)); | 877 | "[0x%.8x]\n", (m_1 ^ MAGIC_ECRYPTFS_MARKER)); |
878 | return -EINVAL; | 878 | return -EINVAL; |
879 | } | 879 | } |
880 | 880 | ||
881 | struct ecryptfs_flag_map_elem { | 881 | struct ecryptfs_flag_map_elem { |
882 | u32 file_flag; | 882 | u32 file_flag; |
883 | u32 local_flag; | 883 | u32 local_flag; |
884 | }; | 884 | }; |
885 | 885 | ||
886 | /* Add support for additional flags by adding elements here. */ | 886 | /* Add support for additional flags by adding elements here. */ |
887 | static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = { | 887 | static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = { |
888 | {0x00000001, ECRYPTFS_ENABLE_HMAC}, | 888 | {0x00000001, ECRYPTFS_ENABLE_HMAC}, |
889 | {0x00000002, ECRYPTFS_ENCRYPTED}, | 889 | {0x00000002, ECRYPTFS_ENCRYPTED}, |
890 | {0x00000004, ECRYPTFS_METADATA_IN_XATTR}, | 890 | {0x00000004, ECRYPTFS_METADATA_IN_XATTR}, |
891 | {0x00000008, ECRYPTFS_ENCRYPT_FILENAMES} | 891 | {0x00000008, ECRYPTFS_ENCRYPT_FILENAMES} |
892 | }; | 892 | }; |
893 | 893 | ||
894 | /** | 894 | /** |
895 | * ecryptfs_process_flags | 895 | * ecryptfs_process_flags |
896 | * @crypt_stat: The cryptographic context | 896 | * @crypt_stat: The cryptographic context |
897 | * @page_virt: Source data to be parsed | 897 | * @page_virt: Source data to be parsed |
898 | * @bytes_read: Updated with the number of bytes read | 898 | * @bytes_read: Updated with the number of bytes read |
899 | * | 899 | * |
900 | * Returns zero on success; non-zero if the flag set is invalid | 900 | * Returns zero on success; non-zero if the flag set is invalid |
901 | */ | 901 | */ |
902 | static int ecryptfs_process_flags(struct ecryptfs_crypt_stat *crypt_stat, | 902 | static int ecryptfs_process_flags(struct ecryptfs_crypt_stat *crypt_stat, |
903 | char *page_virt, int *bytes_read) | 903 | char *page_virt, int *bytes_read) |
904 | { | 904 | { |
905 | int rc = 0; | 905 | int rc = 0; |
906 | int i; | 906 | int i; |
907 | u32 flags; | 907 | u32 flags; |
908 | 908 | ||
909 | flags = get_unaligned_be32(page_virt); | 909 | flags = get_unaligned_be32(page_virt); |
910 | for (i = 0; i < ((sizeof(ecryptfs_flag_map) | 910 | for (i = 0; i < ((sizeof(ecryptfs_flag_map) |
911 | / sizeof(struct ecryptfs_flag_map_elem))); i++) | 911 | / sizeof(struct ecryptfs_flag_map_elem))); i++) |
912 | if (flags & ecryptfs_flag_map[i].file_flag) { | 912 | if (flags & ecryptfs_flag_map[i].file_flag) { |
913 | crypt_stat->flags |= ecryptfs_flag_map[i].local_flag; | 913 | crypt_stat->flags |= ecryptfs_flag_map[i].local_flag; |
914 | } else | 914 | } else |
915 | crypt_stat->flags &= ~(ecryptfs_flag_map[i].local_flag); | 915 | crypt_stat->flags &= ~(ecryptfs_flag_map[i].local_flag); |
916 | /* Version is in top 8 bits of the 32-bit flag vector */ | 916 | /* Version is in top 8 bits of the 32-bit flag vector */ |
917 | crypt_stat->file_version = ((flags >> 24) & 0xFF); | 917 | crypt_stat->file_version = ((flags >> 24) & 0xFF); |
918 | (*bytes_read) = 4; | 918 | (*bytes_read) = 4; |
919 | return rc; | 919 | return rc; |
920 | } | 920 | } |
921 | 921 | ||
922 | /** | 922 | /** |
923 | * write_ecryptfs_marker | 923 | * write_ecryptfs_marker |
924 | * @page_virt: The pointer to in a page to begin writing the marker | 924 | * @page_virt: The pointer to in a page to begin writing the marker |
925 | * @written: Number of bytes written | 925 | * @written: Number of bytes written |
926 | * | 926 | * |
927 | * Marker = 0x3c81b7f5 | 927 | * Marker = 0x3c81b7f5 |
928 | */ | 928 | */ |
929 | static void write_ecryptfs_marker(char *page_virt, size_t *written) | 929 | static void write_ecryptfs_marker(char *page_virt, size_t *written) |
930 | { | 930 | { |
931 | u32 m_1, m_2; | 931 | u32 m_1, m_2; |
932 | 932 | ||
933 | get_random_bytes(&m_1, (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2)); | 933 | get_random_bytes(&m_1, (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2)); |
934 | m_2 = (m_1 ^ MAGIC_ECRYPTFS_MARKER); | 934 | m_2 = (m_1 ^ MAGIC_ECRYPTFS_MARKER); |
935 | put_unaligned_be32(m_1, page_virt); | 935 | put_unaligned_be32(m_1, page_virt); |
936 | page_virt += (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2); | 936 | page_virt += (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2); |
937 | put_unaligned_be32(m_2, page_virt); | 937 | put_unaligned_be32(m_2, page_virt); |
938 | (*written) = MAGIC_ECRYPTFS_MARKER_SIZE_BYTES; | 938 | (*written) = MAGIC_ECRYPTFS_MARKER_SIZE_BYTES; |
939 | } | 939 | } |
940 | 940 | ||
941 | void ecryptfs_write_crypt_stat_flags(char *page_virt, | 941 | void ecryptfs_write_crypt_stat_flags(char *page_virt, |
942 | struct ecryptfs_crypt_stat *crypt_stat, | 942 | struct ecryptfs_crypt_stat *crypt_stat, |
943 | size_t *written) | 943 | size_t *written) |
944 | { | 944 | { |
945 | u32 flags = 0; | 945 | u32 flags = 0; |
946 | int i; | 946 | int i; |
947 | 947 | ||
948 | for (i = 0; i < ((sizeof(ecryptfs_flag_map) | 948 | for (i = 0; i < ((sizeof(ecryptfs_flag_map) |
949 | / sizeof(struct ecryptfs_flag_map_elem))); i++) | 949 | / sizeof(struct ecryptfs_flag_map_elem))); i++) |
950 | if (crypt_stat->flags & ecryptfs_flag_map[i].local_flag) | 950 | if (crypt_stat->flags & ecryptfs_flag_map[i].local_flag) |
951 | flags |= ecryptfs_flag_map[i].file_flag; | 951 | flags |= ecryptfs_flag_map[i].file_flag; |
952 | /* Version is in top 8 bits of the 32-bit flag vector */ | 952 | /* Version is in top 8 bits of the 32-bit flag vector */ |
953 | flags |= ((((u8)crypt_stat->file_version) << 24) & 0xFF000000); | 953 | flags |= ((((u8)crypt_stat->file_version) << 24) & 0xFF000000); |
954 | put_unaligned_be32(flags, page_virt); | 954 | put_unaligned_be32(flags, page_virt); |
955 | (*written) = 4; | 955 | (*written) = 4; |
956 | } | 956 | } |
957 | 957 | ||
958 | struct ecryptfs_cipher_code_str_map_elem { | 958 | struct ecryptfs_cipher_code_str_map_elem { |
959 | char cipher_str[16]; | 959 | char cipher_str[16]; |
960 | u8 cipher_code; | 960 | u8 cipher_code; |
961 | }; | 961 | }; |
962 | 962 | ||
963 | /* Add support for additional ciphers by adding elements here. The | 963 | /* Add support for additional ciphers by adding elements here. The |
964 | * cipher_code is whatever OpenPGP applicatoins use to identify the | 964 | * cipher_code is whatever OpenPGP applicatoins use to identify the |
965 | * ciphers. List in order of probability. */ | 965 | * ciphers. List in order of probability. */ |
966 | static struct ecryptfs_cipher_code_str_map_elem | 966 | static struct ecryptfs_cipher_code_str_map_elem |
967 | ecryptfs_cipher_code_str_map[] = { | 967 | ecryptfs_cipher_code_str_map[] = { |
968 | {"aes",RFC2440_CIPHER_AES_128 }, | 968 | {"aes",RFC2440_CIPHER_AES_128 }, |
969 | {"blowfish", RFC2440_CIPHER_BLOWFISH}, | 969 | {"blowfish", RFC2440_CIPHER_BLOWFISH}, |
970 | {"des3_ede", RFC2440_CIPHER_DES3_EDE}, | 970 | {"des3_ede", RFC2440_CIPHER_DES3_EDE}, |
971 | {"cast5", RFC2440_CIPHER_CAST_5}, | 971 | {"cast5", RFC2440_CIPHER_CAST_5}, |
972 | {"twofish", RFC2440_CIPHER_TWOFISH}, | 972 | {"twofish", RFC2440_CIPHER_TWOFISH}, |
973 | {"cast6", RFC2440_CIPHER_CAST_6}, | 973 | {"cast6", RFC2440_CIPHER_CAST_6}, |
974 | {"aes", RFC2440_CIPHER_AES_192}, | 974 | {"aes", RFC2440_CIPHER_AES_192}, |
975 | {"aes", RFC2440_CIPHER_AES_256} | 975 | {"aes", RFC2440_CIPHER_AES_256} |
976 | }; | 976 | }; |
977 | 977 | ||
978 | /** | 978 | /** |
979 | * ecryptfs_code_for_cipher_string | 979 | * ecryptfs_code_for_cipher_string |
980 | * @cipher_name: The string alias for the cipher | 980 | * @cipher_name: The string alias for the cipher |
981 | * @key_bytes: Length of key in bytes; used for AES code selection | 981 | * @key_bytes: Length of key in bytes; used for AES code selection |
982 | * | 982 | * |
983 | * Returns zero on no match, or the cipher code on match | 983 | * Returns zero on no match, or the cipher code on match |
984 | */ | 984 | */ |
985 | u8 ecryptfs_code_for_cipher_string(char *cipher_name, size_t key_bytes) | 985 | u8 ecryptfs_code_for_cipher_string(char *cipher_name, size_t key_bytes) |
986 | { | 986 | { |
987 | int i; | 987 | int i; |
988 | u8 code = 0; | 988 | u8 code = 0; |
989 | struct ecryptfs_cipher_code_str_map_elem *map = | 989 | struct ecryptfs_cipher_code_str_map_elem *map = |
990 | ecryptfs_cipher_code_str_map; | 990 | ecryptfs_cipher_code_str_map; |
991 | 991 | ||
992 | if (strcmp(cipher_name, "aes") == 0) { | 992 | if (strcmp(cipher_name, "aes") == 0) { |
993 | switch (key_bytes) { | 993 | switch (key_bytes) { |
994 | case 16: | 994 | case 16: |
995 | code = RFC2440_CIPHER_AES_128; | 995 | code = RFC2440_CIPHER_AES_128; |
996 | break; | 996 | break; |
997 | case 24: | 997 | case 24: |
998 | code = RFC2440_CIPHER_AES_192; | 998 | code = RFC2440_CIPHER_AES_192; |
999 | break; | 999 | break; |
1000 | case 32: | 1000 | case 32: |
1001 | code = RFC2440_CIPHER_AES_256; | 1001 | code = RFC2440_CIPHER_AES_256; |
1002 | } | 1002 | } |
1003 | } else { | 1003 | } else { |
1004 | for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++) | 1004 | for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++) |
1005 | if (strcmp(cipher_name, map[i].cipher_str) == 0) { | 1005 | if (strcmp(cipher_name, map[i].cipher_str) == 0) { |
1006 | code = map[i].cipher_code; | 1006 | code = map[i].cipher_code; |
1007 | break; | 1007 | break; |
1008 | } | 1008 | } |
1009 | } | 1009 | } |
1010 | return code; | 1010 | return code; |
1011 | } | 1011 | } |
1012 | 1012 | ||
1013 | /** | 1013 | /** |
1014 | * ecryptfs_cipher_code_to_string | 1014 | * ecryptfs_cipher_code_to_string |
1015 | * @str: Destination to write out the cipher name | 1015 | * @str: Destination to write out the cipher name |
1016 | * @cipher_code: The code to convert to cipher name string | 1016 | * @cipher_code: The code to convert to cipher name string |
1017 | * | 1017 | * |
1018 | * Returns zero on success | 1018 | * Returns zero on success |
1019 | */ | 1019 | */ |
1020 | int ecryptfs_cipher_code_to_string(char *str, u8 cipher_code) | 1020 | int ecryptfs_cipher_code_to_string(char *str, u8 cipher_code) |
1021 | { | 1021 | { |
1022 | int rc = 0; | 1022 | int rc = 0; |
1023 | int i; | 1023 | int i; |
1024 | 1024 | ||
1025 | str[0] = '\0'; | 1025 | str[0] = '\0'; |
1026 | for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++) | 1026 | for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++) |
1027 | if (cipher_code == ecryptfs_cipher_code_str_map[i].cipher_code) | 1027 | if (cipher_code == ecryptfs_cipher_code_str_map[i].cipher_code) |
1028 | strcpy(str, ecryptfs_cipher_code_str_map[i].cipher_str); | 1028 | strcpy(str, ecryptfs_cipher_code_str_map[i].cipher_str); |
1029 | if (str[0] == '\0') { | 1029 | if (str[0] == '\0') { |
1030 | ecryptfs_printk(KERN_WARNING, "Cipher code not recognized: " | 1030 | ecryptfs_printk(KERN_WARNING, "Cipher code not recognized: " |
1031 | "[%d]\n", cipher_code); | 1031 | "[%d]\n", cipher_code); |
1032 | rc = -EINVAL; | 1032 | rc = -EINVAL; |
1033 | } | 1033 | } |
1034 | return rc; | 1034 | return rc; |
1035 | } | 1035 | } |
1036 | 1036 | ||
1037 | int ecryptfs_read_and_validate_header_region(struct inode *inode) | 1037 | int ecryptfs_read_and_validate_header_region(struct inode *inode) |
1038 | { | 1038 | { |
1039 | u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES]; | 1039 | u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES]; |
1040 | u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES; | 1040 | u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES; |
1041 | int rc; | 1041 | int rc; |
1042 | 1042 | ||
1043 | rc = ecryptfs_read_lower(file_size, 0, ECRYPTFS_SIZE_AND_MARKER_BYTES, | 1043 | rc = ecryptfs_read_lower(file_size, 0, ECRYPTFS_SIZE_AND_MARKER_BYTES, |
1044 | inode); | 1044 | inode); |
1045 | if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES) | 1045 | if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES) |
1046 | return rc >= 0 ? -EINVAL : rc; | 1046 | return rc >= 0 ? -EINVAL : rc; |
1047 | rc = ecryptfs_validate_marker(marker); | 1047 | rc = ecryptfs_validate_marker(marker); |
1048 | if (!rc) | 1048 | if (!rc) |
1049 | ecryptfs_i_size_init(file_size, inode); | 1049 | ecryptfs_i_size_init(file_size, inode); |
1050 | return rc; | 1050 | return rc; |
1051 | } | 1051 | } |
1052 | 1052 | ||
1053 | void | 1053 | void |
1054 | ecryptfs_write_header_metadata(char *virt, | 1054 | ecryptfs_write_header_metadata(char *virt, |
1055 | struct ecryptfs_crypt_stat *crypt_stat, | 1055 | struct ecryptfs_crypt_stat *crypt_stat, |
1056 | size_t *written) | 1056 | size_t *written) |
1057 | { | 1057 | { |
1058 | u32 header_extent_size; | 1058 | u32 header_extent_size; |
1059 | u16 num_header_extents_at_front; | 1059 | u16 num_header_extents_at_front; |
1060 | 1060 | ||
1061 | header_extent_size = (u32)crypt_stat->extent_size; | 1061 | header_extent_size = (u32)crypt_stat->extent_size; |
1062 | num_header_extents_at_front = | 1062 | num_header_extents_at_front = |
1063 | (u16)(crypt_stat->metadata_size / crypt_stat->extent_size); | 1063 | (u16)(crypt_stat->metadata_size / crypt_stat->extent_size); |
1064 | put_unaligned_be32(header_extent_size, virt); | 1064 | put_unaligned_be32(header_extent_size, virt); |
1065 | virt += 4; | 1065 | virt += 4; |
1066 | put_unaligned_be16(num_header_extents_at_front, virt); | 1066 | put_unaligned_be16(num_header_extents_at_front, virt); |
1067 | (*written) = 6; | 1067 | (*written) = 6; |
1068 | } | 1068 | } |
1069 | 1069 | ||
1070 | struct kmem_cache *ecryptfs_header_cache; | 1070 | struct kmem_cache *ecryptfs_header_cache; |
1071 | 1071 | ||
1072 | /** | 1072 | /** |
1073 | * ecryptfs_write_headers_virt | 1073 | * ecryptfs_write_headers_virt |
1074 | * @page_virt: The virtual address to write the headers to | 1074 | * @page_virt: The virtual address to write the headers to |
1075 | * @max: The size of memory allocated at page_virt | 1075 | * @max: The size of memory allocated at page_virt |
1076 | * @size: Set to the number of bytes written by this function | 1076 | * @size: Set to the number of bytes written by this function |
1077 | * @crypt_stat: The cryptographic context | 1077 | * @crypt_stat: The cryptographic context |
1078 | * @ecryptfs_dentry: The eCryptfs dentry | 1078 | * @ecryptfs_dentry: The eCryptfs dentry |
1079 | * | 1079 | * |
1080 | * Format version: 1 | 1080 | * Format version: 1 |
1081 | * | 1081 | * |
1082 | * Header Extent: | 1082 | * Header Extent: |
1083 | * Octets 0-7: Unencrypted file size (big-endian) | 1083 | * Octets 0-7: Unencrypted file size (big-endian) |
1084 | * Octets 8-15: eCryptfs special marker | 1084 | * Octets 8-15: eCryptfs special marker |
1085 | * Octets 16-19: Flags | 1085 | * Octets 16-19: Flags |
1086 | * Octet 16: File format version number (between 0 and 255) | 1086 | * Octet 16: File format version number (between 0 and 255) |
1087 | * Octets 17-18: Reserved | 1087 | * Octets 17-18: Reserved |
1088 | * Octet 19: Bit 1 (lsb): Reserved | 1088 | * Octet 19: Bit 1 (lsb): Reserved |
1089 | * Bit 2: Encrypted? | 1089 | * Bit 2: Encrypted? |
1090 | * Bits 3-8: Reserved | 1090 | * Bits 3-8: Reserved |
1091 | * Octets 20-23: Header extent size (big-endian) | 1091 | * Octets 20-23: Header extent size (big-endian) |
1092 | * Octets 24-25: Number of header extents at front of file | 1092 | * Octets 24-25: Number of header extents at front of file |
1093 | * (big-endian) | 1093 | * (big-endian) |
1094 | * Octet 26: Begin RFC 2440 authentication token packet set | 1094 | * Octet 26: Begin RFC 2440 authentication token packet set |
1095 | * Data Extent 0: | 1095 | * Data Extent 0: |
1096 | * Lower data (CBC encrypted) | 1096 | * Lower data (CBC encrypted) |
1097 | * Data Extent 1: | 1097 | * Data Extent 1: |
1098 | * Lower data (CBC encrypted) | 1098 | * Lower data (CBC encrypted) |
1099 | * ... | 1099 | * ... |
1100 | * | 1100 | * |
1101 | * Returns zero on success | 1101 | * Returns zero on success |
1102 | */ | 1102 | */ |
1103 | static int ecryptfs_write_headers_virt(char *page_virt, size_t max, | 1103 | static int ecryptfs_write_headers_virt(char *page_virt, size_t max, |
1104 | size_t *size, | 1104 | size_t *size, |
1105 | struct ecryptfs_crypt_stat *crypt_stat, | 1105 | struct ecryptfs_crypt_stat *crypt_stat, |
1106 | struct dentry *ecryptfs_dentry) | 1106 | struct dentry *ecryptfs_dentry) |
1107 | { | 1107 | { |
1108 | int rc; | 1108 | int rc; |
1109 | size_t written; | 1109 | size_t written; |
1110 | size_t offset; | 1110 | size_t offset; |
1111 | 1111 | ||
1112 | offset = ECRYPTFS_FILE_SIZE_BYTES; | 1112 | offset = ECRYPTFS_FILE_SIZE_BYTES; |
1113 | write_ecryptfs_marker((page_virt + offset), &written); | 1113 | write_ecryptfs_marker((page_virt + offset), &written); |
1114 | offset += written; | 1114 | offset += written; |
1115 | ecryptfs_write_crypt_stat_flags((page_virt + offset), crypt_stat, | 1115 | ecryptfs_write_crypt_stat_flags((page_virt + offset), crypt_stat, |
1116 | &written); | 1116 | &written); |
1117 | offset += written; | 1117 | offset += written; |
1118 | ecryptfs_write_header_metadata((page_virt + offset), crypt_stat, | 1118 | ecryptfs_write_header_metadata((page_virt + offset), crypt_stat, |
1119 | &written); | 1119 | &written); |
1120 | offset += written; | 1120 | offset += written; |
1121 | rc = ecryptfs_generate_key_packet_set((page_virt + offset), crypt_stat, | 1121 | rc = ecryptfs_generate_key_packet_set((page_virt + offset), crypt_stat, |
1122 | ecryptfs_dentry, &written, | 1122 | ecryptfs_dentry, &written, |
1123 | max - offset); | 1123 | max - offset); |
1124 | if (rc) | 1124 | if (rc) |
1125 | ecryptfs_printk(KERN_WARNING, "Error generating key packet " | 1125 | ecryptfs_printk(KERN_WARNING, "Error generating key packet " |
1126 | "set; rc = [%d]\n", rc); | 1126 | "set; rc = [%d]\n", rc); |
1127 | if (size) { | 1127 | if (size) { |
1128 | offset += written; | 1128 | offset += written; |
1129 | *size = offset; | 1129 | *size = offset; |
1130 | } | 1130 | } |
1131 | return rc; | 1131 | return rc; |
1132 | } | 1132 | } |
1133 | 1133 | ||
1134 | static int | 1134 | static int |
1135 | ecryptfs_write_metadata_to_contents(struct inode *ecryptfs_inode, | 1135 | ecryptfs_write_metadata_to_contents(struct inode *ecryptfs_inode, |
1136 | char *virt, size_t virt_len) | 1136 | char *virt, size_t virt_len) |
1137 | { | 1137 | { |
1138 | int rc; | 1138 | int rc; |
1139 | 1139 | ||
1140 | rc = ecryptfs_write_lower(ecryptfs_inode, virt, | 1140 | rc = ecryptfs_write_lower(ecryptfs_inode, virt, |
1141 | 0, virt_len); | 1141 | 0, virt_len); |
1142 | if (rc < 0) | 1142 | if (rc < 0) |
1143 | printk(KERN_ERR "%s: Error attempting to write header " | 1143 | printk(KERN_ERR "%s: Error attempting to write header " |
1144 | "information to lower file; rc = [%d]\n", __func__, rc); | 1144 | "information to lower file; rc = [%d]\n", __func__, rc); |
1145 | else | 1145 | else |
1146 | rc = 0; | 1146 | rc = 0; |
1147 | return rc; | 1147 | return rc; |
1148 | } | 1148 | } |
1149 | 1149 | ||
1150 | static int | 1150 | static int |
1151 | ecryptfs_write_metadata_to_xattr(struct dentry *ecryptfs_dentry, | 1151 | ecryptfs_write_metadata_to_xattr(struct dentry *ecryptfs_dentry, |
1152 | char *page_virt, size_t size) | 1152 | char *page_virt, size_t size) |
1153 | { | 1153 | { |
1154 | int rc; | 1154 | int rc; |
1155 | 1155 | ||
1156 | rc = ecryptfs_setxattr(ecryptfs_dentry, ECRYPTFS_XATTR_NAME, page_virt, | 1156 | rc = ecryptfs_setxattr(ecryptfs_dentry, ECRYPTFS_XATTR_NAME, page_virt, |
1157 | size, 0); | 1157 | size, 0); |
1158 | return rc; | 1158 | return rc; |
1159 | } | 1159 | } |
1160 | 1160 | ||
1161 | static unsigned long ecryptfs_get_zeroed_pages(gfp_t gfp_mask, | 1161 | static unsigned long ecryptfs_get_zeroed_pages(gfp_t gfp_mask, |
1162 | unsigned int order) | 1162 | unsigned int order) |
1163 | { | 1163 | { |
1164 | struct page *page; | 1164 | struct page *page; |
1165 | 1165 | ||
1166 | page = alloc_pages(gfp_mask | __GFP_ZERO, order); | 1166 | page = alloc_pages(gfp_mask | __GFP_ZERO, order); |
1167 | if (page) | 1167 | if (page) |
1168 | return (unsigned long) page_address(page); | 1168 | return (unsigned long) page_address(page); |
1169 | return 0; | 1169 | return 0; |
1170 | } | 1170 | } |
1171 | 1171 | ||
1172 | /** | 1172 | /** |
1173 | * ecryptfs_write_metadata | 1173 | * ecryptfs_write_metadata |
1174 | * @ecryptfs_dentry: The eCryptfs dentry, which should be negative | 1174 | * @ecryptfs_dentry: The eCryptfs dentry, which should be negative |
1175 | * @ecryptfs_inode: The newly created eCryptfs inode | 1175 | * @ecryptfs_inode: The newly created eCryptfs inode |
1176 | * | 1176 | * |
1177 | * Write the file headers out. This will likely involve a userspace | 1177 | * Write the file headers out. This will likely involve a userspace |
1178 | * callout, in which the session key is encrypted with one or more | 1178 | * callout, in which the session key is encrypted with one or more |
1179 | * public keys and/or the passphrase necessary to do the encryption is | 1179 | * public keys and/or the passphrase necessary to do the encryption is |
1180 | * retrieved via a prompt. Exactly what happens at this point should | 1180 | * retrieved via a prompt. Exactly what happens at this point should |
1181 | * be policy-dependent. | 1181 | * be policy-dependent. |
1182 | * | 1182 | * |
1183 | * Returns zero on success; non-zero on error | 1183 | * Returns zero on success; non-zero on error |
1184 | */ | 1184 | */ |
1185 | int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry, | 1185 | int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry, |
1186 | struct inode *ecryptfs_inode) | 1186 | struct inode *ecryptfs_inode) |
1187 | { | 1187 | { |
1188 | struct ecryptfs_crypt_stat *crypt_stat = | 1188 | struct ecryptfs_crypt_stat *crypt_stat = |
1189 | &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat; | 1189 | &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat; |
1190 | unsigned int order; | 1190 | unsigned int order; |
1191 | char *virt; | 1191 | char *virt; |
1192 | size_t virt_len; | 1192 | size_t virt_len; |
1193 | size_t size = 0; | 1193 | size_t size = 0; |
1194 | int rc = 0; | 1194 | int rc = 0; |
1195 | 1195 | ||
1196 | if (likely(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) { | 1196 | if (likely(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) { |
1197 | if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) { | 1197 | if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) { |
1198 | printk(KERN_ERR "Key is invalid; bailing out\n"); | 1198 | printk(KERN_ERR "Key is invalid; bailing out\n"); |
1199 | rc = -EINVAL; | 1199 | rc = -EINVAL; |
1200 | goto out; | 1200 | goto out; |
1201 | } | 1201 | } |
1202 | } else { | 1202 | } else { |
1203 | printk(KERN_WARNING "%s: Encrypted flag not set\n", | 1203 | printk(KERN_WARNING "%s: Encrypted flag not set\n", |
1204 | __func__); | 1204 | __func__); |
1205 | rc = -EINVAL; | 1205 | rc = -EINVAL; |
1206 | goto out; | 1206 | goto out; |
1207 | } | 1207 | } |
1208 | virt_len = crypt_stat->metadata_size; | 1208 | virt_len = crypt_stat->metadata_size; |
1209 | order = get_order(virt_len); | 1209 | order = get_order(virt_len); |
1210 | /* Released in this function */ | 1210 | /* Released in this function */ |
1211 | virt = (char *)ecryptfs_get_zeroed_pages(GFP_KERNEL, order); | 1211 | virt = (char *)ecryptfs_get_zeroed_pages(GFP_KERNEL, order); |
1212 | if (!virt) { | 1212 | if (!virt) { |
1213 | printk(KERN_ERR "%s: Out of memory\n", __func__); | 1213 | printk(KERN_ERR "%s: Out of memory\n", __func__); |
1214 | rc = -ENOMEM; | 1214 | rc = -ENOMEM; |
1215 | goto out; | 1215 | goto out; |
1216 | } | 1216 | } |
1217 | /* Zeroed page ensures the in-header unencrypted i_size is set to 0 */ | 1217 | /* Zeroed page ensures the in-header unencrypted i_size is set to 0 */ |
1218 | rc = ecryptfs_write_headers_virt(virt, virt_len, &size, crypt_stat, | 1218 | rc = ecryptfs_write_headers_virt(virt, virt_len, &size, crypt_stat, |
1219 | ecryptfs_dentry); | 1219 | ecryptfs_dentry); |
1220 | if (unlikely(rc)) { | 1220 | if (unlikely(rc)) { |
1221 | printk(KERN_ERR "%s: Error whilst writing headers; rc = [%d]\n", | 1221 | printk(KERN_ERR "%s: Error whilst writing headers; rc = [%d]\n", |
1222 | __func__, rc); | 1222 | __func__, rc); |
1223 | goto out_free; | 1223 | goto out_free; |
1224 | } | 1224 | } |
1225 | if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR) | 1225 | if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR) |
1226 | rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, virt, | 1226 | rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, virt, |
1227 | size); | 1227 | size); |
1228 | else | 1228 | else |
1229 | rc = ecryptfs_write_metadata_to_contents(ecryptfs_inode, virt, | 1229 | rc = ecryptfs_write_metadata_to_contents(ecryptfs_inode, virt, |
1230 | virt_len); | 1230 | virt_len); |
1231 | if (rc) { | 1231 | if (rc) { |
1232 | printk(KERN_ERR "%s: Error writing metadata out to lower file; " | 1232 | printk(KERN_ERR "%s: Error writing metadata out to lower file; " |
1233 | "rc = [%d]\n", __func__, rc); | 1233 | "rc = [%d]\n", __func__, rc); |
1234 | goto out_free; | 1234 | goto out_free; |
1235 | } | 1235 | } |
1236 | out_free: | 1236 | out_free: |
1237 | free_pages((unsigned long)virt, order); | 1237 | free_pages((unsigned long)virt, order); |
1238 | out: | 1238 | out: |
1239 | return rc; | 1239 | return rc; |
1240 | } | 1240 | } |
1241 | 1241 | ||
1242 | #define ECRYPTFS_DONT_VALIDATE_HEADER_SIZE 0 | 1242 | #define ECRYPTFS_DONT_VALIDATE_HEADER_SIZE 0 |
1243 | #define ECRYPTFS_VALIDATE_HEADER_SIZE 1 | 1243 | #define ECRYPTFS_VALIDATE_HEADER_SIZE 1 |
1244 | static int parse_header_metadata(struct ecryptfs_crypt_stat *crypt_stat, | 1244 | static int parse_header_metadata(struct ecryptfs_crypt_stat *crypt_stat, |
1245 | char *virt, int *bytes_read, | 1245 | char *virt, int *bytes_read, |
1246 | int validate_header_size) | 1246 | int validate_header_size) |
1247 | { | 1247 | { |
1248 | int rc = 0; | 1248 | int rc = 0; |
1249 | u32 header_extent_size; | 1249 | u32 header_extent_size; |
1250 | u16 num_header_extents_at_front; | 1250 | u16 num_header_extents_at_front; |
1251 | 1251 | ||
1252 | header_extent_size = get_unaligned_be32(virt); | 1252 | header_extent_size = get_unaligned_be32(virt); |
1253 | virt += sizeof(__be32); | 1253 | virt += sizeof(__be32); |
1254 | num_header_extents_at_front = get_unaligned_be16(virt); | 1254 | num_header_extents_at_front = get_unaligned_be16(virt); |
1255 | crypt_stat->metadata_size = (((size_t)num_header_extents_at_front | 1255 | crypt_stat->metadata_size = (((size_t)num_header_extents_at_front |
1256 | * (size_t)header_extent_size)); | 1256 | * (size_t)header_extent_size)); |
1257 | (*bytes_read) = (sizeof(__be32) + sizeof(__be16)); | 1257 | (*bytes_read) = (sizeof(__be32) + sizeof(__be16)); |
1258 | if ((validate_header_size == ECRYPTFS_VALIDATE_HEADER_SIZE) | 1258 | if ((validate_header_size == ECRYPTFS_VALIDATE_HEADER_SIZE) |
1259 | && (crypt_stat->metadata_size | 1259 | && (crypt_stat->metadata_size |
1260 | < ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)) { | 1260 | < ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)) { |
1261 | rc = -EINVAL; | 1261 | rc = -EINVAL; |
1262 | printk(KERN_WARNING "Invalid header size: [%zd]\n", | 1262 | printk(KERN_WARNING "Invalid header size: [%zd]\n", |
1263 | crypt_stat->metadata_size); | 1263 | crypt_stat->metadata_size); |
1264 | } | 1264 | } |
1265 | return rc; | 1265 | return rc; |
1266 | } | 1266 | } |
1267 | 1267 | ||
1268 | /** | 1268 | /** |
1269 | * set_default_header_data | 1269 | * set_default_header_data |
1270 | * @crypt_stat: The cryptographic context | 1270 | * @crypt_stat: The cryptographic context |
1271 | * | 1271 | * |
1272 | * For version 0 file format; this function is only for backwards | 1272 | * For version 0 file format; this function is only for backwards |
1273 | * compatibility for files created with the prior versions of | 1273 | * compatibility for files created with the prior versions of |
1274 | * eCryptfs. | 1274 | * eCryptfs. |
1275 | */ | 1275 | */ |
1276 | static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat) | 1276 | static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat) |
1277 | { | 1277 | { |
1278 | crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE; | 1278 | crypt_stat->metadata_size = ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE; |
1279 | } | 1279 | } |
1280 | 1280 | ||
1281 | void ecryptfs_i_size_init(const char *page_virt, struct inode *inode) | 1281 | void ecryptfs_i_size_init(const char *page_virt, struct inode *inode) |
1282 | { | 1282 | { |
1283 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat; | 1283 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat; |
1284 | struct ecryptfs_crypt_stat *crypt_stat; | 1284 | struct ecryptfs_crypt_stat *crypt_stat; |
1285 | u64 file_size; | 1285 | u64 file_size; |
1286 | 1286 | ||
1287 | crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat; | 1287 | crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat; |
1288 | mount_crypt_stat = | 1288 | mount_crypt_stat = |
1289 | &ecryptfs_superblock_to_private(inode->i_sb)->mount_crypt_stat; | 1289 | &ecryptfs_superblock_to_private(inode->i_sb)->mount_crypt_stat; |
1290 | if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) { | 1290 | if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) { |
1291 | file_size = i_size_read(ecryptfs_inode_to_lower(inode)); | 1291 | file_size = i_size_read(ecryptfs_inode_to_lower(inode)); |
1292 | if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR) | 1292 | if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR) |
1293 | file_size += crypt_stat->metadata_size; | 1293 | file_size += crypt_stat->metadata_size; |
1294 | } else | 1294 | } else |
1295 | file_size = get_unaligned_be64(page_virt); | 1295 | file_size = get_unaligned_be64(page_virt); |
1296 | i_size_write(inode, (loff_t)file_size); | 1296 | i_size_write(inode, (loff_t)file_size); |
1297 | crypt_stat->flags |= ECRYPTFS_I_SIZE_INITIALIZED; | 1297 | crypt_stat->flags |= ECRYPTFS_I_SIZE_INITIALIZED; |
1298 | } | 1298 | } |
1299 | 1299 | ||
1300 | /** | 1300 | /** |
1301 | * ecryptfs_read_headers_virt | 1301 | * ecryptfs_read_headers_virt |
1302 | * @page_virt: The virtual address into which to read the headers | 1302 | * @page_virt: The virtual address into which to read the headers |
1303 | * @crypt_stat: The cryptographic context | 1303 | * @crypt_stat: The cryptographic context |
1304 | * @ecryptfs_dentry: The eCryptfs dentry | 1304 | * @ecryptfs_dentry: The eCryptfs dentry |
1305 | * @validate_header_size: Whether to validate the header size while reading | 1305 | * @validate_header_size: Whether to validate the header size while reading |
1306 | * | 1306 | * |
1307 | * Read/parse the header data. The header format is detailed in the | 1307 | * Read/parse the header data. The header format is detailed in the |
1308 | * comment block for the ecryptfs_write_headers_virt() function. | 1308 | * comment block for the ecryptfs_write_headers_virt() function. |
1309 | * | 1309 | * |
1310 | * Returns zero on success | 1310 | * Returns zero on success |
1311 | */ | 1311 | */ |
1312 | static int ecryptfs_read_headers_virt(char *page_virt, | 1312 | static int ecryptfs_read_headers_virt(char *page_virt, |
1313 | struct ecryptfs_crypt_stat *crypt_stat, | 1313 | struct ecryptfs_crypt_stat *crypt_stat, |
1314 | struct dentry *ecryptfs_dentry, | 1314 | struct dentry *ecryptfs_dentry, |
1315 | int validate_header_size) | 1315 | int validate_header_size) |
1316 | { | 1316 | { |
1317 | int rc = 0; | 1317 | int rc = 0; |
1318 | int offset; | 1318 | int offset; |
1319 | int bytes_read; | 1319 | int bytes_read; |
1320 | 1320 | ||
1321 | ecryptfs_set_default_sizes(crypt_stat); | 1321 | ecryptfs_set_default_sizes(crypt_stat); |
1322 | crypt_stat->mount_crypt_stat = &ecryptfs_superblock_to_private( | 1322 | crypt_stat->mount_crypt_stat = &ecryptfs_superblock_to_private( |
1323 | ecryptfs_dentry->d_sb)->mount_crypt_stat; | 1323 | ecryptfs_dentry->d_sb)->mount_crypt_stat; |
1324 | offset = ECRYPTFS_FILE_SIZE_BYTES; | 1324 | offset = ECRYPTFS_FILE_SIZE_BYTES; |
1325 | rc = ecryptfs_validate_marker(page_virt + offset); | 1325 | rc = ecryptfs_validate_marker(page_virt + offset); |
1326 | if (rc) | 1326 | if (rc) |
1327 | goto out; | 1327 | goto out; |
1328 | if (!(crypt_stat->flags & ECRYPTFS_I_SIZE_INITIALIZED)) | 1328 | if (!(crypt_stat->flags & ECRYPTFS_I_SIZE_INITIALIZED)) |
1329 | ecryptfs_i_size_init(page_virt, ecryptfs_dentry->d_inode); | 1329 | ecryptfs_i_size_init(page_virt, ecryptfs_dentry->d_inode); |
1330 | offset += MAGIC_ECRYPTFS_MARKER_SIZE_BYTES; | 1330 | offset += MAGIC_ECRYPTFS_MARKER_SIZE_BYTES; |
1331 | rc = ecryptfs_process_flags(crypt_stat, (page_virt + offset), | 1331 | rc = ecryptfs_process_flags(crypt_stat, (page_virt + offset), |
1332 | &bytes_read); | 1332 | &bytes_read); |
1333 | if (rc) { | 1333 | if (rc) { |
1334 | ecryptfs_printk(KERN_WARNING, "Error processing flags\n"); | 1334 | ecryptfs_printk(KERN_WARNING, "Error processing flags\n"); |
1335 | goto out; | 1335 | goto out; |
1336 | } | 1336 | } |
1337 | if (crypt_stat->file_version > ECRYPTFS_SUPPORTED_FILE_VERSION) { | 1337 | if (crypt_stat->file_version > ECRYPTFS_SUPPORTED_FILE_VERSION) { |
1338 | ecryptfs_printk(KERN_WARNING, "File version is [%d]; only " | 1338 | ecryptfs_printk(KERN_WARNING, "File version is [%d]; only " |
1339 | "file version [%d] is supported by this " | 1339 | "file version [%d] is supported by this " |
1340 | "version of eCryptfs\n", | 1340 | "version of eCryptfs\n", |
1341 | crypt_stat->file_version, | 1341 | crypt_stat->file_version, |
1342 | ECRYPTFS_SUPPORTED_FILE_VERSION); | 1342 | ECRYPTFS_SUPPORTED_FILE_VERSION); |
1343 | rc = -EINVAL; | 1343 | rc = -EINVAL; |
1344 | goto out; | 1344 | goto out; |
1345 | } | 1345 | } |
1346 | offset += bytes_read; | 1346 | offset += bytes_read; |
1347 | if (crypt_stat->file_version >= 1) { | 1347 | if (crypt_stat->file_version >= 1) { |
1348 | rc = parse_header_metadata(crypt_stat, (page_virt + offset), | 1348 | rc = parse_header_metadata(crypt_stat, (page_virt + offset), |
1349 | &bytes_read, validate_header_size); | 1349 | &bytes_read, validate_header_size); |
1350 | if (rc) { | 1350 | if (rc) { |
1351 | ecryptfs_printk(KERN_WARNING, "Error reading header " | 1351 | ecryptfs_printk(KERN_WARNING, "Error reading header " |
1352 | "metadata; rc = [%d]\n", rc); | 1352 | "metadata; rc = [%d]\n", rc); |
1353 | } | 1353 | } |
1354 | offset += bytes_read; | 1354 | offset += bytes_read; |
1355 | } else | 1355 | } else |
1356 | set_default_header_data(crypt_stat); | 1356 | set_default_header_data(crypt_stat); |
1357 | rc = ecryptfs_parse_packet_set(crypt_stat, (page_virt + offset), | 1357 | rc = ecryptfs_parse_packet_set(crypt_stat, (page_virt + offset), |
1358 | ecryptfs_dentry); | 1358 | ecryptfs_dentry); |
1359 | out: | 1359 | out: |
1360 | return rc; | 1360 | return rc; |
1361 | } | 1361 | } |
1362 | 1362 | ||
1363 | /** | 1363 | /** |
1364 | * ecryptfs_read_xattr_region | 1364 | * ecryptfs_read_xattr_region |
1365 | * @page_virt: The vitual address into which to read the xattr data | 1365 | * @page_virt: The vitual address into which to read the xattr data |
1366 | * @ecryptfs_inode: The eCryptfs inode | 1366 | * @ecryptfs_inode: The eCryptfs inode |
1367 | * | 1367 | * |
1368 | * Attempts to read the crypto metadata from the extended attribute | 1368 | * Attempts to read the crypto metadata from the extended attribute |
1369 | * region of the lower file. | 1369 | * region of the lower file. |
1370 | * | 1370 | * |
1371 | * Returns zero on success; non-zero on error | 1371 | * Returns zero on success; non-zero on error |
1372 | */ | 1372 | */ |
1373 | int ecryptfs_read_xattr_region(char *page_virt, struct inode *ecryptfs_inode) | 1373 | int ecryptfs_read_xattr_region(char *page_virt, struct inode *ecryptfs_inode) |
1374 | { | 1374 | { |
1375 | struct dentry *lower_dentry = | 1375 | struct dentry *lower_dentry = |
1376 | ecryptfs_inode_to_private(ecryptfs_inode)->lower_file->f_path.dentry; | 1376 | ecryptfs_inode_to_private(ecryptfs_inode)->lower_file->f_path.dentry; |
1377 | ssize_t size; | 1377 | ssize_t size; |
1378 | int rc = 0; | 1378 | int rc = 0; |
1379 | 1379 | ||
1380 | size = ecryptfs_getxattr_lower(lower_dentry, ECRYPTFS_XATTR_NAME, | 1380 | size = ecryptfs_getxattr_lower(lower_dentry, ECRYPTFS_XATTR_NAME, |
1381 | page_virt, ECRYPTFS_DEFAULT_EXTENT_SIZE); | 1381 | page_virt, ECRYPTFS_DEFAULT_EXTENT_SIZE); |
1382 | if (size < 0) { | 1382 | if (size < 0) { |
1383 | if (unlikely(ecryptfs_verbosity > 0)) | 1383 | if (unlikely(ecryptfs_verbosity > 0)) |
1384 | printk(KERN_INFO "Error attempting to read the [%s] " | 1384 | printk(KERN_INFO "Error attempting to read the [%s] " |
1385 | "xattr from the lower file; return value = " | 1385 | "xattr from the lower file; return value = " |
1386 | "[%zd]\n", ECRYPTFS_XATTR_NAME, size); | 1386 | "[%zd]\n", ECRYPTFS_XATTR_NAME, size); |
1387 | rc = -EINVAL; | 1387 | rc = -EINVAL; |
1388 | goto out; | 1388 | goto out; |
1389 | } | 1389 | } |
1390 | out: | 1390 | out: |
1391 | return rc; | 1391 | return rc; |
1392 | } | 1392 | } |
1393 | 1393 | ||
1394 | int ecryptfs_read_and_validate_xattr_region(struct dentry *dentry, | 1394 | int ecryptfs_read_and_validate_xattr_region(struct dentry *dentry, |
1395 | struct inode *inode) | 1395 | struct inode *inode) |
1396 | { | 1396 | { |
1397 | u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES]; | 1397 | u8 file_size[ECRYPTFS_SIZE_AND_MARKER_BYTES]; |
1398 | u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES; | 1398 | u8 *marker = file_size + ECRYPTFS_FILE_SIZE_BYTES; |
1399 | int rc; | 1399 | int rc; |
1400 | 1400 | ||
1401 | rc = ecryptfs_getxattr_lower(ecryptfs_dentry_to_lower(dentry), | 1401 | rc = ecryptfs_getxattr_lower(ecryptfs_dentry_to_lower(dentry), |
1402 | ECRYPTFS_XATTR_NAME, file_size, | 1402 | ECRYPTFS_XATTR_NAME, file_size, |
1403 | ECRYPTFS_SIZE_AND_MARKER_BYTES); | 1403 | ECRYPTFS_SIZE_AND_MARKER_BYTES); |
1404 | if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES) | 1404 | if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES) |
1405 | return rc >= 0 ? -EINVAL : rc; | 1405 | return rc >= 0 ? -EINVAL : rc; |
1406 | rc = ecryptfs_validate_marker(marker); | 1406 | rc = ecryptfs_validate_marker(marker); |
1407 | if (!rc) | 1407 | if (!rc) |
1408 | ecryptfs_i_size_init(file_size, inode); | 1408 | ecryptfs_i_size_init(file_size, inode); |
1409 | return rc; | 1409 | return rc; |
1410 | } | 1410 | } |
1411 | 1411 | ||
1412 | /** | 1412 | /** |
1413 | * ecryptfs_read_metadata | 1413 | * ecryptfs_read_metadata |
1414 | * | 1414 | * |
1415 | * Common entry point for reading file metadata. From here, we could | 1415 | * Common entry point for reading file metadata. From here, we could |
1416 | * retrieve the header information from the header region of the file, | 1416 | * retrieve the header information from the header region of the file, |
1417 | * the xattr region of the file, or some other repostory that is | 1417 | * the xattr region of the file, or some other repostory that is |
1418 | * stored separately from the file itself. The current implementation | 1418 | * stored separately from the file itself. The current implementation |
1419 | * supports retrieving the metadata information from the file contents | 1419 | * supports retrieving the metadata information from the file contents |
1420 | * and from the xattr region. | 1420 | * and from the xattr region. |
1421 | * | 1421 | * |
1422 | * Returns zero if valid headers found and parsed; non-zero otherwise | 1422 | * Returns zero if valid headers found and parsed; non-zero otherwise |
1423 | */ | 1423 | */ |
1424 | int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry) | 1424 | int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry) |
1425 | { | 1425 | { |
1426 | int rc; | 1426 | int rc; |
1427 | char *page_virt; | 1427 | char *page_virt; |
1428 | struct inode *ecryptfs_inode = ecryptfs_dentry->d_inode; | 1428 | struct inode *ecryptfs_inode = ecryptfs_dentry->d_inode; |
1429 | struct ecryptfs_crypt_stat *crypt_stat = | 1429 | struct ecryptfs_crypt_stat *crypt_stat = |
1430 | &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat; | 1430 | &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat; |
1431 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat = | 1431 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat = |
1432 | &ecryptfs_superblock_to_private( | 1432 | &ecryptfs_superblock_to_private( |
1433 | ecryptfs_dentry->d_sb)->mount_crypt_stat; | 1433 | ecryptfs_dentry->d_sb)->mount_crypt_stat; |
1434 | 1434 | ||
1435 | ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, | 1435 | ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, |
1436 | mount_crypt_stat); | 1436 | mount_crypt_stat); |
1437 | /* Read the first page from the underlying file */ | 1437 | /* Read the first page from the underlying file */ |
1438 | page_virt = kmem_cache_alloc(ecryptfs_header_cache, GFP_USER); | 1438 | page_virt = kmem_cache_alloc(ecryptfs_header_cache, GFP_USER); |
1439 | if (!page_virt) { | 1439 | if (!page_virt) { |
1440 | rc = -ENOMEM; | 1440 | rc = -ENOMEM; |
1441 | printk(KERN_ERR "%s: Unable to allocate page_virt\n", | 1441 | printk(KERN_ERR "%s: Unable to allocate page_virt\n", |
1442 | __func__); | 1442 | __func__); |
1443 | goto out; | 1443 | goto out; |
1444 | } | 1444 | } |
1445 | rc = ecryptfs_read_lower(page_virt, 0, crypt_stat->extent_size, | 1445 | rc = ecryptfs_read_lower(page_virt, 0, crypt_stat->extent_size, |
1446 | ecryptfs_inode); | 1446 | ecryptfs_inode); |
1447 | if (rc >= 0) | 1447 | if (rc >= 0) |
1448 | rc = ecryptfs_read_headers_virt(page_virt, crypt_stat, | 1448 | rc = ecryptfs_read_headers_virt(page_virt, crypt_stat, |
1449 | ecryptfs_dentry, | 1449 | ecryptfs_dentry, |
1450 | ECRYPTFS_VALIDATE_HEADER_SIZE); | 1450 | ECRYPTFS_VALIDATE_HEADER_SIZE); |
1451 | if (rc) { | 1451 | if (rc) { |
1452 | /* metadata is not in the file header, so try xattrs */ | 1452 | /* metadata is not in the file header, so try xattrs */ |
1453 | memset(page_virt, 0, PAGE_CACHE_SIZE); | 1453 | memset(page_virt, 0, PAGE_CACHE_SIZE); |
1454 | rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode); | 1454 | rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode); |
1455 | if (rc) { | 1455 | if (rc) { |
1456 | printk(KERN_DEBUG "Valid eCryptfs headers not found in " | 1456 | printk(KERN_DEBUG "Valid eCryptfs headers not found in " |
1457 | "file header region or xattr region, inode %lu\n", | 1457 | "file header region or xattr region, inode %lu\n", |
1458 | ecryptfs_inode->i_ino); | 1458 | ecryptfs_inode->i_ino); |
1459 | rc = -EINVAL; | 1459 | rc = -EINVAL; |
1460 | goto out; | 1460 | goto out; |
1461 | } | 1461 | } |
1462 | rc = ecryptfs_read_headers_virt(page_virt, crypt_stat, | 1462 | rc = ecryptfs_read_headers_virt(page_virt, crypt_stat, |
1463 | ecryptfs_dentry, | 1463 | ecryptfs_dentry, |
1464 | ECRYPTFS_DONT_VALIDATE_HEADER_SIZE); | 1464 | ECRYPTFS_DONT_VALIDATE_HEADER_SIZE); |
1465 | if (rc) { | 1465 | if (rc) { |
1466 | printk(KERN_DEBUG "Valid eCryptfs headers not found in " | 1466 | printk(KERN_DEBUG "Valid eCryptfs headers not found in " |
1467 | "file xattr region either, inode %lu\n", | 1467 | "file xattr region either, inode %lu\n", |
1468 | ecryptfs_inode->i_ino); | 1468 | ecryptfs_inode->i_ino); |
1469 | rc = -EINVAL; | 1469 | rc = -EINVAL; |
1470 | } | 1470 | } |
1471 | if (crypt_stat->mount_crypt_stat->flags | 1471 | if (crypt_stat->mount_crypt_stat->flags |
1472 | & ECRYPTFS_XATTR_METADATA_ENABLED) { | 1472 | & ECRYPTFS_XATTR_METADATA_ENABLED) { |
1473 | crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR; | 1473 | crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR; |
1474 | } else { | 1474 | } else { |
1475 | printk(KERN_WARNING "Attempt to access file with " | 1475 | printk(KERN_WARNING "Attempt to access file with " |
1476 | "crypto metadata only in the extended attribute " | 1476 | "crypto metadata only in the extended attribute " |
1477 | "region, but eCryptfs was mounted without " | 1477 | "region, but eCryptfs was mounted without " |
1478 | "xattr support enabled. eCryptfs will not treat " | 1478 | "xattr support enabled. eCryptfs will not treat " |
1479 | "this like an encrypted file, inode %lu\n", | 1479 | "this like an encrypted file, inode %lu\n", |
1480 | ecryptfs_inode->i_ino); | 1480 | ecryptfs_inode->i_ino); |
1481 | rc = -EINVAL; | 1481 | rc = -EINVAL; |
1482 | } | 1482 | } |
1483 | } | 1483 | } |
1484 | out: | 1484 | out: |
1485 | if (page_virt) { | 1485 | if (page_virt) { |
1486 | memset(page_virt, 0, PAGE_CACHE_SIZE); | 1486 | memset(page_virt, 0, PAGE_CACHE_SIZE); |
1487 | kmem_cache_free(ecryptfs_header_cache, page_virt); | 1487 | kmem_cache_free(ecryptfs_header_cache, page_virt); |
1488 | } | 1488 | } |
1489 | return rc; | 1489 | return rc; |
1490 | } | 1490 | } |
1491 | 1491 | ||
1492 | /** | 1492 | /** |
1493 | * ecryptfs_encrypt_filename - encrypt filename | 1493 | * ecryptfs_encrypt_filename - encrypt filename |
1494 | * | 1494 | * |
1495 | * CBC-encrypts the filename. We do not want to encrypt the same | 1495 | * CBC-encrypts the filename. We do not want to encrypt the same |
1496 | * filename with the same key and IV, which may happen with hard | 1496 | * filename with the same key and IV, which may happen with hard |
1497 | * links, so we prepend random bits to each filename. | 1497 | * links, so we prepend random bits to each filename. |
1498 | * | 1498 | * |
1499 | * Returns zero on success; non-zero otherwise | 1499 | * Returns zero on success; non-zero otherwise |
1500 | */ | 1500 | */ |
1501 | static int | 1501 | static int |
1502 | ecryptfs_encrypt_filename(struct ecryptfs_filename *filename, | 1502 | ecryptfs_encrypt_filename(struct ecryptfs_filename *filename, |
1503 | struct ecryptfs_crypt_stat *crypt_stat, | 1503 | struct ecryptfs_crypt_stat *crypt_stat, |
1504 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat) | 1504 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat) |
1505 | { | 1505 | { |
1506 | int rc = 0; | 1506 | int rc = 0; |
1507 | 1507 | ||
1508 | filename->encrypted_filename = NULL; | 1508 | filename->encrypted_filename = NULL; |
1509 | filename->encrypted_filename_size = 0; | 1509 | filename->encrypted_filename_size = 0; |
1510 | if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCFN_USE_MOUNT_FNEK)) | 1510 | if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCFN_USE_MOUNT_FNEK)) |
1511 | || (mount_crypt_stat && (mount_crypt_stat->flags | 1511 | || (mount_crypt_stat && (mount_crypt_stat->flags |
1512 | & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) { | 1512 | & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) { |
1513 | size_t packet_size; | 1513 | size_t packet_size; |
1514 | size_t remaining_bytes; | 1514 | size_t remaining_bytes; |
1515 | 1515 | ||
1516 | rc = ecryptfs_write_tag_70_packet( | 1516 | rc = ecryptfs_write_tag_70_packet( |
1517 | NULL, NULL, | 1517 | NULL, NULL, |
1518 | &filename->encrypted_filename_size, | 1518 | &filename->encrypted_filename_size, |
1519 | mount_crypt_stat, NULL, | 1519 | mount_crypt_stat, NULL, |
1520 | filename->filename_size); | 1520 | filename->filename_size); |
1521 | if (rc) { | 1521 | if (rc) { |
1522 | printk(KERN_ERR "%s: Error attempting to get packet " | 1522 | printk(KERN_ERR "%s: Error attempting to get packet " |
1523 | "size for tag 72; rc = [%d]\n", __func__, | 1523 | "size for tag 72; rc = [%d]\n", __func__, |
1524 | rc); | 1524 | rc); |
1525 | filename->encrypted_filename_size = 0; | 1525 | filename->encrypted_filename_size = 0; |
1526 | goto out; | 1526 | goto out; |
1527 | } | 1527 | } |
1528 | filename->encrypted_filename = | 1528 | filename->encrypted_filename = |
1529 | kmalloc(filename->encrypted_filename_size, GFP_KERNEL); | 1529 | kmalloc(filename->encrypted_filename_size, GFP_KERNEL); |
1530 | if (!filename->encrypted_filename) { | 1530 | if (!filename->encrypted_filename) { |
1531 | printk(KERN_ERR "%s: Out of memory whilst attempting " | 1531 | printk(KERN_ERR "%s: Out of memory whilst attempting " |
1532 | "to kmalloc [%zd] bytes\n", __func__, | 1532 | "to kmalloc [%zd] bytes\n", __func__, |
1533 | filename->encrypted_filename_size); | 1533 | filename->encrypted_filename_size); |
1534 | rc = -ENOMEM; | 1534 | rc = -ENOMEM; |
1535 | goto out; | 1535 | goto out; |
1536 | } | 1536 | } |
1537 | remaining_bytes = filename->encrypted_filename_size; | 1537 | remaining_bytes = filename->encrypted_filename_size; |
1538 | rc = ecryptfs_write_tag_70_packet(filename->encrypted_filename, | 1538 | rc = ecryptfs_write_tag_70_packet(filename->encrypted_filename, |
1539 | &remaining_bytes, | 1539 | &remaining_bytes, |
1540 | &packet_size, | 1540 | &packet_size, |
1541 | mount_crypt_stat, | 1541 | mount_crypt_stat, |
1542 | filename->filename, | 1542 | filename->filename, |
1543 | filename->filename_size); | 1543 | filename->filename_size); |
1544 | if (rc) { | 1544 | if (rc) { |
1545 | printk(KERN_ERR "%s: Error attempting to generate " | 1545 | printk(KERN_ERR "%s: Error attempting to generate " |
1546 | "tag 70 packet; rc = [%d]\n", __func__, | 1546 | "tag 70 packet; rc = [%d]\n", __func__, |
1547 | rc); | 1547 | rc); |
1548 | kfree(filename->encrypted_filename); | 1548 | kfree(filename->encrypted_filename); |
1549 | filename->encrypted_filename = NULL; | 1549 | filename->encrypted_filename = NULL; |
1550 | filename->encrypted_filename_size = 0; | 1550 | filename->encrypted_filename_size = 0; |
1551 | goto out; | 1551 | goto out; |
1552 | } | 1552 | } |
1553 | filename->encrypted_filename_size = packet_size; | 1553 | filename->encrypted_filename_size = packet_size; |
1554 | } else { | 1554 | } else { |
1555 | printk(KERN_ERR "%s: No support for requested filename " | 1555 | printk(KERN_ERR "%s: No support for requested filename " |
1556 | "encryption method in this release\n", __func__); | 1556 | "encryption method in this release\n", __func__); |
1557 | rc = -EOPNOTSUPP; | 1557 | rc = -EOPNOTSUPP; |
1558 | goto out; | 1558 | goto out; |
1559 | } | 1559 | } |
1560 | out: | 1560 | out: |
1561 | return rc; | 1561 | return rc; |
1562 | } | 1562 | } |
1563 | 1563 | ||
1564 | static int ecryptfs_copy_filename(char **copied_name, size_t *copied_name_size, | 1564 | static int ecryptfs_copy_filename(char **copied_name, size_t *copied_name_size, |
1565 | const char *name, size_t name_size) | 1565 | const char *name, size_t name_size) |
1566 | { | 1566 | { |
1567 | int rc = 0; | 1567 | int rc = 0; |
1568 | 1568 | ||
1569 | (*copied_name) = kmalloc((name_size + 1), GFP_KERNEL); | 1569 | (*copied_name) = kmalloc((name_size + 1), GFP_KERNEL); |
1570 | if (!(*copied_name)) { | 1570 | if (!(*copied_name)) { |
1571 | rc = -ENOMEM; | 1571 | rc = -ENOMEM; |
1572 | goto out; | 1572 | goto out; |
1573 | } | 1573 | } |
1574 | memcpy((void *)(*copied_name), (void *)name, name_size); | 1574 | memcpy((void *)(*copied_name), (void *)name, name_size); |
1575 | (*copied_name)[(name_size)] = '\0'; /* Only for convenience | 1575 | (*copied_name)[(name_size)] = '\0'; /* Only for convenience |
1576 | * in printing out the | 1576 | * in printing out the |
1577 | * string in debug | 1577 | * string in debug |
1578 | * messages */ | 1578 | * messages */ |
1579 | (*copied_name_size) = name_size; | 1579 | (*copied_name_size) = name_size; |
1580 | out: | 1580 | out: |
1581 | return rc; | 1581 | return rc; |
1582 | } | 1582 | } |
1583 | 1583 | ||
1584 | /** | 1584 | /** |
1585 | * ecryptfs_process_key_cipher - Perform key cipher initialization. | 1585 | * ecryptfs_process_key_cipher - Perform key cipher initialization. |
1586 | * @key_tfm: Crypto context for key material, set by this function | 1586 | * @key_tfm: Crypto context for key material, set by this function |
1587 | * @cipher_name: Name of the cipher | 1587 | * @cipher_name: Name of the cipher |
1588 | * @key_size: Size of the key in bytes | 1588 | * @key_size: Size of the key in bytes |
1589 | * | 1589 | * |
1590 | * Returns zero on success. Any crypto_tfm structs allocated here | 1590 | * Returns zero on success. Any crypto_tfm structs allocated here |
1591 | * should be released by other functions, such as on a superblock put | 1591 | * should be released by other functions, such as on a superblock put |
1592 | * event, regardless of whether this function succeeds for fails. | 1592 | * event, regardless of whether this function succeeds for fails. |
1593 | */ | 1593 | */ |
1594 | static int | 1594 | static int |
1595 | ecryptfs_process_key_cipher(struct crypto_blkcipher **key_tfm, | 1595 | ecryptfs_process_key_cipher(struct crypto_blkcipher **key_tfm, |
1596 | char *cipher_name, size_t *key_size) | 1596 | char *cipher_name, size_t *key_size) |
1597 | { | 1597 | { |
1598 | char dummy_key[ECRYPTFS_MAX_KEY_BYTES]; | 1598 | char dummy_key[ECRYPTFS_MAX_KEY_BYTES]; |
1599 | char *full_alg_name = NULL; | 1599 | char *full_alg_name = NULL; |
1600 | int rc; | 1600 | int rc; |
1601 | 1601 | ||
1602 | *key_tfm = NULL; | 1602 | *key_tfm = NULL; |
1603 | if (*key_size > ECRYPTFS_MAX_KEY_BYTES) { | 1603 | if (*key_size > ECRYPTFS_MAX_KEY_BYTES) { |
1604 | rc = -EINVAL; | 1604 | rc = -EINVAL; |
1605 | printk(KERN_ERR "Requested key size is [%zd] bytes; maximum " | 1605 | printk(KERN_ERR "Requested key size is [%zd] bytes; maximum " |
1606 | "allowable is [%d]\n", *key_size, ECRYPTFS_MAX_KEY_BYTES); | 1606 | "allowable is [%d]\n", *key_size, ECRYPTFS_MAX_KEY_BYTES); |
1607 | goto out; | 1607 | goto out; |
1608 | } | 1608 | } |
1609 | rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, cipher_name, | 1609 | rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, cipher_name, |
1610 | "ecb"); | 1610 | "ecb"); |
1611 | if (rc) | 1611 | if (rc) |
1612 | goto out; | 1612 | goto out; |
1613 | *key_tfm = crypto_alloc_blkcipher(full_alg_name, 0, CRYPTO_ALG_ASYNC); | 1613 | *key_tfm = crypto_alloc_blkcipher(full_alg_name, 0, CRYPTO_ALG_ASYNC); |
1614 | if (IS_ERR(*key_tfm)) { | 1614 | if (IS_ERR(*key_tfm)) { |
1615 | rc = PTR_ERR(*key_tfm); | 1615 | rc = PTR_ERR(*key_tfm); |
1616 | printk(KERN_ERR "Unable to allocate crypto cipher with name " | 1616 | printk(KERN_ERR "Unable to allocate crypto cipher with name " |
1617 | "[%s]; rc = [%d]\n", full_alg_name, rc); | 1617 | "[%s]; rc = [%d]\n", full_alg_name, rc); |
1618 | goto out; | 1618 | goto out; |
1619 | } | 1619 | } |
1620 | crypto_blkcipher_set_flags(*key_tfm, CRYPTO_TFM_REQ_WEAK_KEY); | 1620 | crypto_blkcipher_set_flags(*key_tfm, CRYPTO_TFM_REQ_WEAK_KEY); |
1621 | if (*key_size == 0) { | 1621 | if (*key_size == 0) { |
1622 | struct blkcipher_alg *alg = crypto_blkcipher_alg(*key_tfm); | 1622 | struct blkcipher_alg *alg = crypto_blkcipher_alg(*key_tfm); |
1623 | 1623 | ||
1624 | *key_size = alg->max_keysize; | 1624 | *key_size = alg->max_keysize; |
1625 | } | 1625 | } |
1626 | get_random_bytes(dummy_key, *key_size); | 1626 | get_random_bytes(dummy_key, *key_size); |
1627 | rc = crypto_blkcipher_setkey(*key_tfm, dummy_key, *key_size); | 1627 | rc = crypto_blkcipher_setkey(*key_tfm, dummy_key, *key_size); |
1628 | if (rc) { | 1628 | if (rc) { |
1629 | printk(KERN_ERR "Error attempting to set key of size [%zd] for " | 1629 | printk(KERN_ERR "Error attempting to set key of size [%zd] for " |
1630 | "cipher [%s]; rc = [%d]\n", *key_size, full_alg_name, | 1630 | "cipher [%s]; rc = [%d]\n", *key_size, full_alg_name, |
1631 | rc); | 1631 | rc); |
1632 | rc = -EINVAL; | 1632 | rc = -EINVAL; |
1633 | goto out; | 1633 | goto out; |
1634 | } | 1634 | } |
1635 | out: | 1635 | out: |
1636 | kfree(full_alg_name); | 1636 | kfree(full_alg_name); |
1637 | return rc; | 1637 | return rc; |
1638 | } | 1638 | } |
1639 | 1639 | ||
1640 | struct kmem_cache *ecryptfs_key_tfm_cache; | 1640 | struct kmem_cache *ecryptfs_key_tfm_cache; |
1641 | static struct list_head key_tfm_list; | 1641 | static struct list_head key_tfm_list; |
1642 | struct mutex key_tfm_list_mutex; | 1642 | struct mutex key_tfm_list_mutex; |
1643 | 1643 | ||
1644 | int __init ecryptfs_init_crypto(void) | 1644 | int __init ecryptfs_init_crypto(void) |
1645 | { | 1645 | { |
1646 | mutex_init(&key_tfm_list_mutex); | 1646 | mutex_init(&key_tfm_list_mutex); |
1647 | INIT_LIST_HEAD(&key_tfm_list); | 1647 | INIT_LIST_HEAD(&key_tfm_list); |
1648 | return 0; | 1648 | return 0; |
1649 | } | 1649 | } |
1650 | 1650 | ||
1651 | /** | 1651 | /** |
1652 | * ecryptfs_destroy_crypto - free all cached key_tfms on key_tfm_list | 1652 | * ecryptfs_destroy_crypto - free all cached key_tfms on key_tfm_list |
1653 | * | 1653 | * |
1654 | * Called only at module unload time | 1654 | * Called only at module unload time |
1655 | */ | 1655 | */ |
1656 | int ecryptfs_destroy_crypto(void) | 1656 | int ecryptfs_destroy_crypto(void) |
1657 | { | 1657 | { |
1658 | struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp; | 1658 | struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp; |
1659 | 1659 | ||
1660 | mutex_lock(&key_tfm_list_mutex); | 1660 | mutex_lock(&key_tfm_list_mutex); |
1661 | list_for_each_entry_safe(key_tfm, key_tfm_tmp, &key_tfm_list, | 1661 | list_for_each_entry_safe(key_tfm, key_tfm_tmp, &key_tfm_list, |
1662 | key_tfm_list) { | 1662 | key_tfm_list) { |
1663 | list_del(&key_tfm->key_tfm_list); | 1663 | list_del(&key_tfm->key_tfm_list); |
1664 | if (key_tfm->key_tfm) | 1664 | if (key_tfm->key_tfm) |
1665 | crypto_free_blkcipher(key_tfm->key_tfm); | 1665 | crypto_free_blkcipher(key_tfm->key_tfm); |
1666 | kmem_cache_free(ecryptfs_key_tfm_cache, key_tfm); | 1666 | kmem_cache_free(ecryptfs_key_tfm_cache, key_tfm); |
1667 | } | 1667 | } |
1668 | mutex_unlock(&key_tfm_list_mutex); | 1668 | mutex_unlock(&key_tfm_list_mutex); |
1669 | return 0; | 1669 | return 0; |
1670 | } | 1670 | } |
1671 | 1671 | ||
1672 | int | 1672 | int |
1673 | ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name, | 1673 | ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name, |
1674 | size_t key_size) | 1674 | size_t key_size) |
1675 | { | 1675 | { |
1676 | struct ecryptfs_key_tfm *tmp_tfm; | 1676 | struct ecryptfs_key_tfm *tmp_tfm; |
1677 | int rc = 0; | 1677 | int rc = 0; |
1678 | 1678 | ||
1679 | BUG_ON(!mutex_is_locked(&key_tfm_list_mutex)); | 1679 | BUG_ON(!mutex_is_locked(&key_tfm_list_mutex)); |
1680 | 1680 | ||
1681 | tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL); | 1681 | tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL); |
1682 | if (key_tfm != NULL) | 1682 | if (key_tfm != NULL) |
1683 | (*key_tfm) = tmp_tfm; | 1683 | (*key_tfm) = tmp_tfm; |
1684 | if (!tmp_tfm) { | 1684 | if (!tmp_tfm) { |
1685 | rc = -ENOMEM; | 1685 | rc = -ENOMEM; |
1686 | printk(KERN_ERR "Error attempting to allocate from " | 1686 | printk(KERN_ERR "Error attempting to allocate from " |
1687 | "ecryptfs_key_tfm_cache\n"); | 1687 | "ecryptfs_key_tfm_cache\n"); |
1688 | goto out; | 1688 | goto out; |
1689 | } | 1689 | } |
1690 | mutex_init(&tmp_tfm->key_tfm_mutex); | 1690 | mutex_init(&tmp_tfm->key_tfm_mutex); |
1691 | strncpy(tmp_tfm->cipher_name, cipher_name, | 1691 | strncpy(tmp_tfm->cipher_name, cipher_name, |
1692 | ECRYPTFS_MAX_CIPHER_NAME_SIZE); | 1692 | ECRYPTFS_MAX_CIPHER_NAME_SIZE); |
1693 | tmp_tfm->cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0'; | 1693 | tmp_tfm->cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0'; |
1694 | tmp_tfm->key_size = key_size; | 1694 | tmp_tfm->key_size = key_size; |
1695 | rc = ecryptfs_process_key_cipher(&tmp_tfm->key_tfm, | 1695 | rc = ecryptfs_process_key_cipher(&tmp_tfm->key_tfm, |
1696 | tmp_tfm->cipher_name, | 1696 | tmp_tfm->cipher_name, |
1697 | &tmp_tfm->key_size); | 1697 | &tmp_tfm->key_size); |
1698 | if (rc) { | 1698 | if (rc) { |
1699 | printk(KERN_ERR "Error attempting to initialize key TFM " | 1699 | printk(KERN_ERR "Error attempting to initialize key TFM " |
1700 | "cipher with name = [%s]; rc = [%d]\n", | 1700 | "cipher with name = [%s]; rc = [%d]\n", |
1701 | tmp_tfm->cipher_name, rc); | 1701 | tmp_tfm->cipher_name, rc); |
1702 | kmem_cache_free(ecryptfs_key_tfm_cache, tmp_tfm); | 1702 | kmem_cache_free(ecryptfs_key_tfm_cache, tmp_tfm); |
1703 | if (key_tfm != NULL) | 1703 | if (key_tfm != NULL) |
1704 | (*key_tfm) = NULL; | 1704 | (*key_tfm) = NULL; |
1705 | goto out; | 1705 | goto out; |
1706 | } | 1706 | } |
1707 | list_add(&tmp_tfm->key_tfm_list, &key_tfm_list); | 1707 | list_add(&tmp_tfm->key_tfm_list, &key_tfm_list); |
1708 | out: | 1708 | out: |
1709 | return rc; | 1709 | return rc; |
1710 | } | 1710 | } |
1711 | 1711 | ||
1712 | /** | 1712 | /** |
1713 | * ecryptfs_tfm_exists - Search for existing tfm for cipher_name. | 1713 | * ecryptfs_tfm_exists - Search for existing tfm for cipher_name. |
1714 | * @cipher_name: the name of the cipher to search for | 1714 | * @cipher_name: the name of the cipher to search for |
1715 | * @key_tfm: set to corresponding tfm if found | 1715 | * @key_tfm: set to corresponding tfm if found |
1716 | * | 1716 | * |
1717 | * Searches for cached key_tfm matching @cipher_name | 1717 | * Searches for cached key_tfm matching @cipher_name |
1718 | * Must be called with &key_tfm_list_mutex held | 1718 | * Must be called with &key_tfm_list_mutex held |
1719 | * Returns 1 if found, with @key_tfm set | 1719 | * Returns 1 if found, with @key_tfm set |
1720 | * Returns 0 if not found, with @key_tfm set to NULL | 1720 | * Returns 0 if not found, with @key_tfm set to NULL |
1721 | */ | 1721 | */ |
1722 | int ecryptfs_tfm_exists(char *cipher_name, struct ecryptfs_key_tfm **key_tfm) | 1722 | int ecryptfs_tfm_exists(char *cipher_name, struct ecryptfs_key_tfm **key_tfm) |
1723 | { | 1723 | { |
1724 | struct ecryptfs_key_tfm *tmp_key_tfm; | 1724 | struct ecryptfs_key_tfm *tmp_key_tfm; |
1725 | 1725 | ||
1726 | BUG_ON(!mutex_is_locked(&key_tfm_list_mutex)); | 1726 | BUG_ON(!mutex_is_locked(&key_tfm_list_mutex)); |
1727 | 1727 | ||
1728 | list_for_each_entry(tmp_key_tfm, &key_tfm_list, key_tfm_list) { | 1728 | list_for_each_entry(tmp_key_tfm, &key_tfm_list, key_tfm_list) { |
1729 | if (strcmp(tmp_key_tfm->cipher_name, cipher_name) == 0) { | 1729 | if (strcmp(tmp_key_tfm->cipher_name, cipher_name) == 0) { |
1730 | if (key_tfm) | 1730 | if (key_tfm) |
1731 | (*key_tfm) = tmp_key_tfm; | 1731 | (*key_tfm) = tmp_key_tfm; |
1732 | return 1; | 1732 | return 1; |
1733 | } | 1733 | } |
1734 | } | 1734 | } |
1735 | if (key_tfm) | 1735 | if (key_tfm) |
1736 | (*key_tfm) = NULL; | 1736 | (*key_tfm) = NULL; |
1737 | return 0; | 1737 | return 0; |
1738 | } | 1738 | } |
1739 | 1739 | ||
1740 | /** | 1740 | /** |
1741 | * ecryptfs_get_tfm_and_mutex_for_cipher_name | 1741 | * ecryptfs_get_tfm_and_mutex_for_cipher_name |
1742 | * | 1742 | * |
1743 | * @tfm: set to cached tfm found, or new tfm created | 1743 | * @tfm: set to cached tfm found, or new tfm created |
1744 | * @tfm_mutex: set to mutex for cached tfm found, or new tfm created | 1744 | * @tfm_mutex: set to mutex for cached tfm found, or new tfm created |
1745 | * @cipher_name: the name of the cipher to search for and/or add | 1745 | * @cipher_name: the name of the cipher to search for and/or add |
1746 | * | 1746 | * |
1747 | * Sets pointers to @tfm & @tfm_mutex matching @cipher_name. | 1747 | * Sets pointers to @tfm & @tfm_mutex matching @cipher_name. |
1748 | * Searches for cached item first, and creates new if not found. | 1748 | * Searches for cached item first, and creates new if not found. |
1749 | * Returns 0 on success, non-zero if adding new cipher failed | 1749 | * Returns 0 on success, non-zero if adding new cipher failed |
1750 | */ | 1750 | */ |
1751 | int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm, | 1751 | int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm, |
1752 | struct mutex **tfm_mutex, | 1752 | struct mutex **tfm_mutex, |
1753 | char *cipher_name) | 1753 | char *cipher_name) |
1754 | { | 1754 | { |
1755 | struct ecryptfs_key_tfm *key_tfm; | 1755 | struct ecryptfs_key_tfm *key_tfm; |
1756 | int rc = 0; | 1756 | int rc = 0; |
1757 | 1757 | ||
1758 | (*tfm) = NULL; | 1758 | (*tfm) = NULL; |
1759 | (*tfm_mutex) = NULL; | 1759 | (*tfm_mutex) = NULL; |
1760 | 1760 | ||
1761 | mutex_lock(&key_tfm_list_mutex); | 1761 | mutex_lock(&key_tfm_list_mutex); |
1762 | if (!ecryptfs_tfm_exists(cipher_name, &key_tfm)) { | 1762 | if (!ecryptfs_tfm_exists(cipher_name, &key_tfm)) { |
1763 | rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0); | 1763 | rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0); |
1764 | if (rc) { | 1764 | if (rc) { |
1765 | printk(KERN_ERR "Error adding new key_tfm to list; " | 1765 | printk(KERN_ERR "Error adding new key_tfm to list; " |
1766 | "rc = [%d]\n", rc); | 1766 | "rc = [%d]\n", rc); |
1767 | goto out; | 1767 | goto out; |
1768 | } | 1768 | } |
1769 | } | 1769 | } |
1770 | (*tfm) = key_tfm->key_tfm; | 1770 | (*tfm) = key_tfm->key_tfm; |
1771 | (*tfm_mutex) = &key_tfm->key_tfm_mutex; | 1771 | (*tfm_mutex) = &key_tfm->key_tfm_mutex; |
1772 | out: | 1772 | out: |
1773 | mutex_unlock(&key_tfm_list_mutex); | 1773 | mutex_unlock(&key_tfm_list_mutex); |
1774 | return rc; | 1774 | return rc; |
1775 | } | 1775 | } |
1776 | 1776 | ||
1777 | /* 64 characters forming a 6-bit target field */ | 1777 | /* 64 characters forming a 6-bit target field */ |
1778 | static unsigned char *portable_filename_chars = ("-.0123456789ABCD" | 1778 | static unsigned char *portable_filename_chars = ("-.0123456789ABCD" |
1779 | "EFGHIJKLMNOPQRST" | 1779 | "EFGHIJKLMNOPQRST" |
1780 | "UVWXYZabcdefghij" | 1780 | "UVWXYZabcdefghij" |
1781 | "klmnopqrstuvwxyz"); | 1781 | "klmnopqrstuvwxyz"); |
1782 | 1782 | ||
1783 | /* We could either offset on every reverse map or just pad some 0x00's | 1783 | /* We could either offset on every reverse map or just pad some 0x00's |
1784 | * at the front here */ | 1784 | * at the front here */ |
1785 | static const unsigned char filename_rev_map[256] = { | 1785 | static const unsigned char filename_rev_map[256] = { |
1786 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 7 */ | 1786 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 7 */ |
1787 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 15 */ | 1787 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 15 */ |
1788 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 23 */ | 1788 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 23 */ |
1789 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 31 */ | 1789 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 31 */ |
1790 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 39 */ | 1790 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 39 */ |
1791 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, /* 47 */ | 1791 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, /* 47 */ |
1792 | 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, /* 55 */ | 1792 | 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, /* 55 */ |
1793 | 0x0A, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 63 */ | 1793 | 0x0A, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 63 */ |
1794 | 0x00, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, /* 71 */ | 1794 | 0x00, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, /* 71 */ |
1795 | 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, /* 79 */ | 1795 | 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, /* 79 */ |
1796 | 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, /* 87 */ | 1796 | 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, /* 87 */ |
1797 | 0x23, 0x24, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, /* 95 */ | 1797 | 0x23, 0x24, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, /* 95 */ |
1798 | 0x00, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, /* 103 */ | 1798 | 0x00, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, /* 103 */ |
1799 | 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, /* 111 */ | 1799 | 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, /* 111 */ |
1800 | 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, /* 119 */ | 1800 | 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, /* 119 */ |
1801 | 0x3D, 0x3E, 0x3F /* 123 - 255 initialized to 0x00 */ | 1801 | 0x3D, 0x3E, 0x3F /* 123 - 255 initialized to 0x00 */ |
1802 | }; | 1802 | }; |
1803 | 1803 | ||
1804 | /** | 1804 | /** |
1805 | * ecryptfs_encode_for_filename | 1805 | * ecryptfs_encode_for_filename |
1806 | * @dst: Destination location for encoded filename | 1806 | * @dst: Destination location for encoded filename |
1807 | * @dst_size: Size of the encoded filename in bytes | 1807 | * @dst_size: Size of the encoded filename in bytes |
1808 | * @src: Source location for the filename to encode | 1808 | * @src: Source location for the filename to encode |
1809 | * @src_size: Size of the source in bytes | 1809 | * @src_size: Size of the source in bytes |
1810 | */ | 1810 | */ |
1811 | static void ecryptfs_encode_for_filename(unsigned char *dst, size_t *dst_size, | 1811 | static void ecryptfs_encode_for_filename(unsigned char *dst, size_t *dst_size, |
1812 | unsigned char *src, size_t src_size) | 1812 | unsigned char *src, size_t src_size) |
1813 | { | 1813 | { |
1814 | size_t num_blocks; | 1814 | size_t num_blocks; |
1815 | size_t block_num = 0; | 1815 | size_t block_num = 0; |
1816 | size_t dst_offset = 0; | 1816 | size_t dst_offset = 0; |
1817 | unsigned char last_block[3]; | 1817 | unsigned char last_block[3]; |
1818 | 1818 | ||
1819 | if (src_size == 0) { | 1819 | if (src_size == 0) { |
1820 | (*dst_size) = 0; | 1820 | (*dst_size) = 0; |
1821 | goto out; | 1821 | goto out; |
1822 | } | 1822 | } |
1823 | num_blocks = (src_size / 3); | 1823 | num_blocks = (src_size / 3); |
1824 | if ((src_size % 3) == 0) { | 1824 | if ((src_size % 3) == 0) { |
1825 | memcpy(last_block, (&src[src_size - 3]), 3); | 1825 | memcpy(last_block, (&src[src_size - 3]), 3); |
1826 | } else { | 1826 | } else { |
1827 | num_blocks++; | 1827 | num_blocks++; |
1828 | last_block[2] = 0x00; | 1828 | last_block[2] = 0x00; |
1829 | switch (src_size % 3) { | 1829 | switch (src_size % 3) { |
1830 | case 1: | 1830 | case 1: |
1831 | last_block[0] = src[src_size - 1]; | 1831 | last_block[0] = src[src_size - 1]; |
1832 | last_block[1] = 0x00; | 1832 | last_block[1] = 0x00; |
1833 | break; | 1833 | break; |
1834 | case 2: | 1834 | case 2: |
1835 | last_block[0] = src[src_size - 2]; | 1835 | last_block[0] = src[src_size - 2]; |
1836 | last_block[1] = src[src_size - 1]; | 1836 | last_block[1] = src[src_size - 1]; |
1837 | } | 1837 | } |
1838 | } | 1838 | } |
1839 | (*dst_size) = (num_blocks * 4); | 1839 | (*dst_size) = (num_blocks * 4); |
1840 | if (!dst) | 1840 | if (!dst) |
1841 | goto out; | 1841 | goto out; |
1842 | while (block_num < num_blocks) { | 1842 | while (block_num < num_blocks) { |
1843 | unsigned char *src_block; | 1843 | unsigned char *src_block; |
1844 | unsigned char dst_block[4]; | 1844 | unsigned char dst_block[4]; |
1845 | 1845 | ||
1846 | if (block_num == (num_blocks - 1)) | 1846 | if (block_num == (num_blocks - 1)) |
1847 | src_block = last_block; | 1847 | src_block = last_block; |
1848 | else | 1848 | else |
1849 | src_block = &src[block_num * 3]; | 1849 | src_block = &src[block_num * 3]; |
1850 | dst_block[0] = ((src_block[0] >> 2) & 0x3F); | 1850 | dst_block[0] = ((src_block[0] >> 2) & 0x3F); |
1851 | dst_block[1] = (((src_block[0] << 4) & 0x30) | 1851 | dst_block[1] = (((src_block[0] << 4) & 0x30) |
1852 | | ((src_block[1] >> 4) & 0x0F)); | 1852 | | ((src_block[1] >> 4) & 0x0F)); |
1853 | dst_block[2] = (((src_block[1] << 2) & 0x3C) | 1853 | dst_block[2] = (((src_block[1] << 2) & 0x3C) |
1854 | | ((src_block[2] >> 6) & 0x03)); | 1854 | | ((src_block[2] >> 6) & 0x03)); |
1855 | dst_block[3] = (src_block[2] & 0x3F); | 1855 | dst_block[3] = (src_block[2] & 0x3F); |
1856 | dst[dst_offset++] = portable_filename_chars[dst_block[0]]; | 1856 | dst[dst_offset++] = portable_filename_chars[dst_block[0]]; |
1857 | dst[dst_offset++] = portable_filename_chars[dst_block[1]]; | 1857 | dst[dst_offset++] = portable_filename_chars[dst_block[1]]; |
1858 | dst[dst_offset++] = portable_filename_chars[dst_block[2]]; | 1858 | dst[dst_offset++] = portable_filename_chars[dst_block[2]]; |
1859 | dst[dst_offset++] = portable_filename_chars[dst_block[3]]; | 1859 | dst[dst_offset++] = portable_filename_chars[dst_block[3]]; |
1860 | block_num++; | 1860 | block_num++; |
1861 | } | 1861 | } |
1862 | out: | 1862 | out: |
1863 | return; | 1863 | return; |
1864 | } | 1864 | } |
1865 | 1865 | ||
1866 | static size_t ecryptfs_max_decoded_size(size_t encoded_size) | 1866 | static size_t ecryptfs_max_decoded_size(size_t encoded_size) |
1867 | { | 1867 | { |
1868 | /* Not exact; conservatively long. Every block of 4 | 1868 | /* Not exact; conservatively long. Every block of 4 |
1869 | * encoded characters decodes into a block of 3 | 1869 | * encoded characters decodes into a block of 3 |
1870 | * decoded characters. This segment of code provides | 1870 | * decoded characters. This segment of code provides |
1871 | * the caller with the maximum amount of allocated | 1871 | * the caller with the maximum amount of allocated |
1872 | * space that @dst will need to point to in a | 1872 | * space that @dst will need to point to in a |
1873 | * subsequent call. */ | 1873 | * subsequent call. */ |
1874 | return ((encoded_size + 1) * 3) / 4; | 1874 | return ((encoded_size + 1) * 3) / 4; |
1875 | } | 1875 | } |
1876 | 1876 | ||
1877 | /** | 1877 | /** |
1878 | * ecryptfs_decode_from_filename | 1878 | * ecryptfs_decode_from_filename |
1879 | * @dst: If NULL, this function only sets @dst_size and returns. If | 1879 | * @dst: If NULL, this function only sets @dst_size and returns. If |
1880 | * non-NULL, this function decodes the encoded octets in @src | 1880 | * non-NULL, this function decodes the encoded octets in @src |
1881 | * into the memory that @dst points to. | 1881 | * into the memory that @dst points to. |
1882 | * @dst_size: Set to the size of the decoded string. | 1882 | * @dst_size: Set to the size of the decoded string. |
1883 | * @src: The encoded set of octets to decode. | 1883 | * @src: The encoded set of octets to decode. |
1884 | * @src_size: The size of the encoded set of octets to decode. | 1884 | * @src_size: The size of the encoded set of octets to decode. |
1885 | */ | 1885 | */ |
1886 | static void | 1886 | static void |
1887 | ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size, | 1887 | ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size, |
1888 | const unsigned char *src, size_t src_size) | 1888 | const unsigned char *src, size_t src_size) |
1889 | { | 1889 | { |
1890 | u8 current_bit_offset = 0; | 1890 | u8 current_bit_offset = 0; |
1891 | size_t src_byte_offset = 0; | 1891 | size_t src_byte_offset = 0; |
1892 | size_t dst_byte_offset = 0; | 1892 | size_t dst_byte_offset = 0; |
1893 | 1893 | ||
1894 | if (dst == NULL) { | 1894 | if (dst == NULL) { |
1895 | (*dst_size) = ecryptfs_max_decoded_size(src_size); | 1895 | (*dst_size) = ecryptfs_max_decoded_size(src_size); |
1896 | goto out; | 1896 | goto out; |
1897 | } | 1897 | } |
1898 | while (src_byte_offset < src_size) { | 1898 | while (src_byte_offset < src_size) { |
1899 | unsigned char src_byte = | 1899 | unsigned char src_byte = |
1900 | filename_rev_map[(int)src[src_byte_offset]]; | 1900 | filename_rev_map[(int)src[src_byte_offset]]; |
1901 | 1901 | ||
1902 | switch (current_bit_offset) { | 1902 | switch (current_bit_offset) { |
1903 | case 0: | 1903 | case 0: |
1904 | dst[dst_byte_offset] = (src_byte << 2); | 1904 | dst[dst_byte_offset] = (src_byte << 2); |
1905 | current_bit_offset = 6; | 1905 | current_bit_offset = 6; |
1906 | break; | 1906 | break; |
1907 | case 6: | 1907 | case 6: |
1908 | dst[dst_byte_offset++] |= (src_byte >> 4); | 1908 | dst[dst_byte_offset++] |= (src_byte >> 4); |
1909 | dst[dst_byte_offset] = ((src_byte & 0xF) | 1909 | dst[dst_byte_offset] = ((src_byte & 0xF) |
1910 | << 4); | 1910 | << 4); |
1911 | current_bit_offset = 4; | 1911 | current_bit_offset = 4; |
1912 | break; | 1912 | break; |
1913 | case 4: | 1913 | case 4: |
1914 | dst[dst_byte_offset++] |= (src_byte >> 2); | 1914 | dst[dst_byte_offset++] |= (src_byte >> 2); |
1915 | dst[dst_byte_offset] = (src_byte << 6); | 1915 | dst[dst_byte_offset] = (src_byte << 6); |
1916 | current_bit_offset = 2; | 1916 | current_bit_offset = 2; |
1917 | break; | 1917 | break; |
1918 | case 2: | 1918 | case 2: |
1919 | dst[dst_byte_offset++] |= (src_byte); | 1919 | dst[dst_byte_offset++] |= (src_byte); |
1920 | dst[dst_byte_offset] = 0; | ||
1921 | current_bit_offset = 0; | 1920 | current_bit_offset = 0; |
1922 | break; | 1921 | break; |
1923 | } | 1922 | } |
1924 | src_byte_offset++; | 1923 | src_byte_offset++; |
1925 | } | 1924 | } |
1926 | (*dst_size) = dst_byte_offset; | 1925 | (*dst_size) = dst_byte_offset; |
1927 | out: | 1926 | out: |
1928 | return; | 1927 | return; |
1929 | } | 1928 | } |
1930 | 1929 | ||
1931 | /** | 1930 | /** |
1932 | * ecryptfs_encrypt_and_encode_filename - converts a plaintext file name to cipher text | 1931 | * ecryptfs_encrypt_and_encode_filename - converts a plaintext file name to cipher text |
1933 | * @crypt_stat: The crypt_stat struct associated with the file anem to encode | 1932 | * @crypt_stat: The crypt_stat struct associated with the file anem to encode |
1934 | * @name: The plaintext name | 1933 | * @name: The plaintext name |
1935 | * @length: The length of the plaintext | 1934 | * @length: The length of the plaintext |
1936 | * @encoded_name: The encypted name | 1935 | * @encoded_name: The encypted name |
1937 | * | 1936 | * |
1938 | * Encrypts and encodes a filename into something that constitutes a | 1937 | * Encrypts and encodes a filename into something that constitutes a |
1939 | * valid filename for a filesystem, with printable characters. | 1938 | * valid filename for a filesystem, with printable characters. |
1940 | * | 1939 | * |
1941 | * We assume that we have a properly initialized crypto context, | 1940 | * We assume that we have a properly initialized crypto context, |
1942 | * pointed to by crypt_stat->tfm. | 1941 | * pointed to by crypt_stat->tfm. |
1943 | * | 1942 | * |
1944 | * Returns zero on success; non-zero on otherwise | 1943 | * Returns zero on success; non-zero on otherwise |
1945 | */ | 1944 | */ |
1946 | int ecryptfs_encrypt_and_encode_filename( | 1945 | int ecryptfs_encrypt_and_encode_filename( |
1947 | char **encoded_name, | 1946 | char **encoded_name, |
1948 | size_t *encoded_name_size, | 1947 | size_t *encoded_name_size, |
1949 | struct ecryptfs_crypt_stat *crypt_stat, | 1948 | struct ecryptfs_crypt_stat *crypt_stat, |
1950 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, | 1949 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, |
1951 | const char *name, size_t name_size) | 1950 | const char *name, size_t name_size) |
1952 | { | 1951 | { |
1953 | size_t encoded_name_no_prefix_size; | 1952 | size_t encoded_name_no_prefix_size; |
1954 | int rc = 0; | 1953 | int rc = 0; |
1955 | 1954 | ||
1956 | (*encoded_name) = NULL; | 1955 | (*encoded_name) = NULL; |
1957 | (*encoded_name_size) = 0; | 1956 | (*encoded_name_size) = 0; |
1958 | if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCRYPT_FILENAMES)) | 1957 | if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCRYPT_FILENAMES)) |
1959 | || (mount_crypt_stat && (mount_crypt_stat->flags | 1958 | || (mount_crypt_stat && (mount_crypt_stat->flags |
1960 | & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES))) { | 1959 | & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES))) { |
1961 | struct ecryptfs_filename *filename; | 1960 | struct ecryptfs_filename *filename; |
1962 | 1961 | ||
1963 | filename = kzalloc(sizeof(*filename), GFP_KERNEL); | 1962 | filename = kzalloc(sizeof(*filename), GFP_KERNEL); |
1964 | if (!filename) { | 1963 | if (!filename) { |
1965 | printk(KERN_ERR "%s: Out of memory whilst attempting " | 1964 | printk(KERN_ERR "%s: Out of memory whilst attempting " |
1966 | "to kzalloc [%zd] bytes\n", __func__, | 1965 | "to kzalloc [%zd] bytes\n", __func__, |
1967 | sizeof(*filename)); | 1966 | sizeof(*filename)); |
1968 | rc = -ENOMEM; | 1967 | rc = -ENOMEM; |
1969 | goto out; | 1968 | goto out; |
1970 | } | 1969 | } |
1971 | filename->filename = (char *)name; | 1970 | filename->filename = (char *)name; |
1972 | filename->filename_size = name_size; | 1971 | filename->filename_size = name_size; |
1973 | rc = ecryptfs_encrypt_filename(filename, crypt_stat, | 1972 | rc = ecryptfs_encrypt_filename(filename, crypt_stat, |
1974 | mount_crypt_stat); | 1973 | mount_crypt_stat); |
1975 | if (rc) { | 1974 | if (rc) { |
1976 | printk(KERN_ERR "%s: Error attempting to encrypt " | 1975 | printk(KERN_ERR "%s: Error attempting to encrypt " |
1977 | "filename; rc = [%d]\n", __func__, rc); | 1976 | "filename; rc = [%d]\n", __func__, rc); |
1978 | kfree(filename); | 1977 | kfree(filename); |
1979 | goto out; | 1978 | goto out; |
1980 | } | 1979 | } |
1981 | ecryptfs_encode_for_filename( | 1980 | ecryptfs_encode_for_filename( |
1982 | NULL, &encoded_name_no_prefix_size, | 1981 | NULL, &encoded_name_no_prefix_size, |
1983 | filename->encrypted_filename, | 1982 | filename->encrypted_filename, |
1984 | filename->encrypted_filename_size); | 1983 | filename->encrypted_filename_size); |
1985 | if ((crypt_stat && (crypt_stat->flags | 1984 | if ((crypt_stat && (crypt_stat->flags |
1986 | & ECRYPTFS_ENCFN_USE_MOUNT_FNEK)) | 1985 | & ECRYPTFS_ENCFN_USE_MOUNT_FNEK)) |
1987 | || (mount_crypt_stat | 1986 | || (mount_crypt_stat |
1988 | && (mount_crypt_stat->flags | 1987 | && (mount_crypt_stat->flags |
1989 | & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) | 1988 | & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) |
1990 | (*encoded_name_size) = | 1989 | (*encoded_name_size) = |
1991 | (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE | 1990 | (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE |
1992 | + encoded_name_no_prefix_size); | 1991 | + encoded_name_no_prefix_size); |
1993 | else | 1992 | else |
1994 | (*encoded_name_size) = | 1993 | (*encoded_name_size) = |
1995 | (ECRYPTFS_FEK_ENCRYPTED_FILENAME_PREFIX_SIZE | 1994 | (ECRYPTFS_FEK_ENCRYPTED_FILENAME_PREFIX_SIZE |
1996 | + encoded_name_no_prefix_size); | 1995 | + encoded_name_no_prefix_size); |
1997 | (*encoded_name) = kmalloc((*encoded_name_size) + 1, GFP_KERNEL); | 1996 | (*encoded_name) = kmalloc((*encoded_name_size) + 1, GFP_KERNEL); |
1998 | if (!(*encoded_name)) { | 1997 | if (!(*encoded_name)) { |
1999 | printk(KERN_ERR "%s: Out of memory whilst attempting " | 1998 | printk(KERN_ERR "%s: Out of memory whilst attempting " |
2000 | "to kzalloc [%zd] bytes\n", __func__, | 1999 | "to kzalloc [%zd] bytes\n", __func__, |
2001 | (*encoded_name_size)); | 2000 | (*encoded_name_size)); |
2002 | rc = -ENOMEM; | 2001 | rc = -ENOMEM; |
2003 | kfree(filename->encrypted_filename); | 2002 | kfree(filename->encrypted_filename); |
2004 | kfree(filename); | 2003 | kfree(filename); |
2005 | goto out; | 2004 | goto out; |
2006 | } | 2005 | } |
2007 | if ((crypt_stat && (crypt_stat->flags | 2006 | if ((crypt_stat && (crypt_stat->flags |
2008 | & ECRYPTFS_ENCFN_USE_MOUNT_FNEK)) | 2007 | & ECRYPTFS_ENCFN_USE_MOUNT_FNEK)) |
2009 | || (mount_crypt_stat | 2008 | || (mount_crypt_stat |
2010 | && (mount_crypt_stat->flags | 2009 | && (mount_crypt_stat->flags |
2011 | & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) { | 2010 | & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) { |
2012 | memcpy((*encoded_name), | 2011 | memcpy((*encoded_name), |
2013 | ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX, | 2012 | ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX, |
2014 | ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE); | 2013 | ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE); |
2015 | ecryptfs_encode_for_filename( | 2014 | ecryptfs_encode_for_filename( |
2016 | ((*encoded_name) | 2015 | ((*encoded_name) |
2017 | + ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE), | 2016 | + ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE), |
2018 | &encoded_name_no_prefix_size, | 2017 | &encoded_name_no_prefix_size, |
2019 | filename->encrypted_filename, | 2018 | filename->encrypted_filename, |
2020 | filename->encrypted_filename_size); | 2019 | filename->encrypted_filename_size); |
2021 | (*encoded_name_size) = | 2020 | (*encoded_name_size) = |
2022 | (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE | 2021 | (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE |
2023 | + encoded_name_no_prefix_size); | 2022 | + encoded_name_no_prefix_size); |
2024 | (*encoded_name)[(*encoded_name_size)] = '\0'; | 2023 | (*encoded_name)[(*encoded_name_size)] = '\0'; |
2025 | } else { | 2024 | } else { |
2026 | rc = -EOPNOTSUPP; | 2025 | rc = -EOPNOTSUPP; |
2027 | } | 2026 | } |
2028 | if (rc) { | 2027 | if (rc) { |
2029 | printk(KERN_ERR "%s: Error attempting to encode " | 2028 | printk(KERN_ERR "%s: Error attempting to encode " |
2030 | "encrypted filename; rc = [%d]\n", __func__, | 2029 | "encrypted filename; rc = [%d]\n", __func__, |
2031 | rc); | 2030 | rc); |
2032 | kfree((*encoded_name)); | 2031 | kfree((*encoded_name)); |
2033 | (*encoded_name) = NULL; | 2032 | (*encoded_name) = NULL; |
2034 | (*encoded_name_size) = 0; | 2033 | (*encoded_name_size) = 0; |
2035 | } | 2034 | } |
2036 | kfree(filename->encrypted_filename); | 2035 | kfree(filename->encrypted_filename); |
2037 | kfree(filename); | 2036 | kfree(filename); |
2038 | } else { | 2037 | } else { |
2039 | rc = ecryptfs_copy_filename(encoded_name, | 2038 | rc = ecryptfs_copy_filename(encoded_name, |
2040 | encoded_name_size, | 2039 | encoded_name_size, |
2041 | name, name_size); | 2040 | name, name_size); |
2042 | } | 2041 | } |
2043 | out: | 2042 | out: |
2044 | return rc; | 2043 | return rc; |
2045 | } | 2044 | } |
2046 | 2045 | ||
2047 | /** | 2046 | /** |
2048 | * ecryptfs_decode_and_decrypt_filename - converts the encoded cipher text name to decoded plaintext | 2047 | * ecryptfs_decode_and_decrypt_filename - converts the encoded cipher text name to decoded plaintext |
2049 | * @plaintext_name: The plaintext name | 2048 | * @plaintext_name: The plaintext name |
2050 | * @plaintext_name_size: The plaintext name size | 2049 | * @plaintext_name_size: The plaintext name size |
2051 | * @ecryptfs_dir_dentry: eCryptfs directory dentry | 2050 | * @ecryptfs_dir_dentry: eCryptfs directory dentry |
2052 | * @name: The filename in cipher text | 2051 | * @name: The filename in cipher text |
2053 | * @name_size: The cipher text name size | 2052 | * @name_size: The cipher text name size |
2054 | * | 2053 | * |
2055 | * Decrypts and decodes the filename. | 2054 | * Decrypts and decodes the filename. |
2056 | * | 2055 | * |
2057 | * Returns zero on error; non-zero otherwise | 2056 | * Returns zero on error; non-zero otherwise |
2058 | */ | 2057 | */ |
2059 | int ecryptfs_decode_and_decrypt_filename(char **plaintext_name, | 2058 | int ecryptfs_decode_and_decrypt_filename(char **plaintext_name, |
2060 | size_t *plaintext_name_size, | 2059 | size_t *plaintext_name_size, |
2061 | struct super_block *sb, | 2060 | struct super_block *sb, |
2062 | const char *name, size_t name_size) | 2061 | const char *name, size_t name_size) |
2063 | { | 2062 | { |
2064 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat = | 2063 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat = |
2065 | &ecryptfs_superblock_to_private(sb)->mount_crypt_stat; | 2064 | &ecryptfs_superblock_to_private(sb)->mount_crypt_stat; |
2066 | char *decoded_name; | 2065 | char *decoded_name; |
2067 | size_t decoded_name_size; | 2066 | size_t decoded_name_size; |
2068 | size_t packet_size; | 2067 | size_t packet_size; |
2069 | int rc = 0; | 2068 | int rc = 0; |
2070 | 2069 | ||
2071 | if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) | 2070 | if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) |
2072 | && !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) | 2071 | && !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) |
2073 | && (name_size > ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) | 2072 | && (name_size > ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) |
2074 | && (strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX, | 2073 | && (strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX, |
2075 | ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) == 0)) { | 2074 | ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) == 0)) { |
2076 | const char *orig_name = name; | 2075 | const char *orig_name = name; |
2077 | size_t orig_name_size = name_size; | 2076 | size_t orig_name_size = name_size; |
2078 | 2077 | ||
2079 | name += ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE; | 2078 | name += ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE; |
2080 | name_size -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE; | 2079 | name_size -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE; |
2081 | ecryptfs_decode_from_filename(NULL, &decoded_name_size, | 2080 | ecryptfs_decode_from_filename(NULL, &decoded_name_size, |
2082 | name, name_size); | 2081 | name, name_size); |
2083 | decoded_name = kmalloc(decoded_name_size, GFP_KERNEL); | 2082 | decoded_name = kmalloc(decoded_name_size, GFP_KERNEL); |
2084 | if (!decoded_name) { | 2083 | if (!decoded_name) { |
2085 | printk(KERN_ERR "%s: Out of memory whilst attempting " | 2084 | printk(KERN_ERR "%s: Out of memory whilst attempting " |
2086 | "to kmalloc [%zd] bytes\n", __func__, | 2085 | "to kmalloc [%zd] bytes\n", __func__, |
2087 | decoded_name_size); | 2086 | decoded_name_size); |
2088 | rc = -ENOMEM; | 2087 | rc = -ENOMEM; |
2089 | goto out; | 2088 | goto out; |
2090 | } | 2089 | } |
2091 | ecryptfs_decode_from_filename(decoded_name, &decoded_name_size, | 2090 | ecryptfs_decode_from_filename(decoded_name, &decoded_name_size, |
2092 | name, name_size); | 2091 | name, name_size); |
2093 | rc = ecryptfs_parse_tag_70_packet(plaintext_name, | 2092 | rc = ecryptfs_parse_tag_70_packet(plaintext_name, |
2094 | plaintext_name_size, | 2093 | plaintext_name_size, |
2095 | &packet_size, | 2094 | &packet_size, |
2096 | mount_crypt_stat, | 2095 | mount_crypt_stat, |
2097 | decoded_name, | 2096 | decoded_name, |
2098 | decoded_name_size); | 2097 | decoded_name_size); |
2099 | if (rc) { | 2098 | if (rc) { |
2100 | printk(KERN_INFO "%s: Could not parse tag 70 packet " | 2099 | printk(KERN_INFO "%s: Could not parse tag 70 packet " |
2101 | "from filename; copying through filename " | 2100 | "from filename; copying through filename " |
2102 | "as-is\n", __func__); | 2101 | "as-is\n", __func__); |
2103 | rc = ecryptfs_copy_filename(plaintext_name, | 2102 | rc = ecryptfs_copy_filename(plaintext_name, |
2104 | plaintext_name_size, | 2103 | plaintext_name_size, |
2105 | orig_name, orig_name_size); | 2104 | orig_name, orig_name_size); |
2106 | goto out_free; | 2105 | goto out_free; |
2107 | } | 2106 | } |
2108 | } else { | 2107 | } else { |
2109 | rc = ecryptfs_copy_filename(plaintext_name, | 2108 | rc = ecryptfs_copy_filename(plaintext_name, |
2110 | plaintext_name_size, | 2109 | plaintext_name_size, |
2111 | name, name_size); | 2110 | name, name_size); |
2112 | goto out; | 2111 | goto out; |
2113 | } | 2112 | } |
2114 | out_free: | 2113 | out_free: |
2115 | kfree(decoded_name); | 2114 | kfree(decoded_name); |
2116 | out: | 2115 | out: |
2117 | return rc; | 2116 | return rc; |
2118 | } | 2117 | } |
2119 | 2118 | ||
2120 | #define ENC_NAME_MAX_BLOCKLEN_8_OR_16 143 | 2119 | #define ENC_NAME_MAX_BLOCKLEN_8_OR_16 143 |
2121 | 2120 | ||
2122 | int ecryptfs_set_f_namelen(long *namelen, long lower_namelen, | 2121 | int ecryptfs_set_f_namelen(long *namelen, long lower_namelen, |
2123 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat) | 2122 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat) |
2124 | { | 2123 | { |
2125 | struct blkcipher_desc desc; | 2124 | struct blkcipher_desc desc; |
2126 | struct mutex *tfm_mutex; | 2125 | struct mutex *tfm_mutex; |
2127 | size_t cipher_blocksize; | 2126 | size_t cipher_blocksize; |
2128 | int rc; | 2127 | int rc; |
2129 | 2128 | ||
2130 | if (!(mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)) { | 2129 | if (!(mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)) { |
2131 | (*namelen) = lower_namelen; | 2130 | (*namelen) = lower_namelen; |
2132 | return 0; | 2131 | return 0; |
2133 | } | 2132 | } |
2134 | 2133 | ||
2135 | rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&desc.tfm, &tfm_mutex, | 2134 | rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&desc.tfm, &tfm_mutex, |
2136 | mount_crypt_stat->global_default_fn_cipher_name); | 2135 | mount_crypt_stat->global_default_fn_cipher_name); |
2137 | if (unlikely(rc)) { | 2136 | if (unlikely(rc)) { |
2138 | (*namelen) = 0; | 2137 | (*namelen) = 0; |
2139 | return rc; | 2138 | return rc; |
2140 | } | 2139 | } |
2141 | 2140 | ||
2142 | mutex_lock(tfm_mutex); | 2141 | mutex_lock(tfm_mutex); |
2143 | cipher_blocksize = crypto_blkcipher_blocksize(desc.tfm); | 2142 | cipher_blocksize = crypto_blkcipher_blocksize(desc.tfm); |
2144 | mutex_unlock(tfm_mutex); | 2143 | mutex_unlock(tfm_mutex); |
2145 | 2144 | ||
2146 | /* Return an exact amount for the common cases */ | 2145 | /* Return an exact amount for the common cases */ |
2147 | if (lower_namelen == NAME_MAX | 2146 | if (lower_namelen == NAME_MAX |
2148 | && (cipher_blocksize == 8 || cipher_blocksize == 16)) { | 2147 | && (cipher_blocksize == 8 || cipher_blocksize == 16)) { |
2149 | (*namelen) = ENC_NAME_MAX_BLOCKLEN_8_OR_16; | 2148 | (*namelen) = ENC_NAME_MAX_BLOCKLEN_8_OR_16; |
2150 | return 0; | 2149 | return 0; |
2151 | } | 2150 | } |
2152 | 2151 | ||
2153 | /* Return a safe estimate for the uncommon cases */ | 2152 | /* Return a safe estimate for the uncommon cases */ |
2154 | (*namelen) = lower_namelen; | 2153 | (*namelen) = lower_namelen; |
2155 | (*namelen) -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE; | 2154 | (*namelen) -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE; |
2156 | /* Since this is the max decoded size, subtract 1 "decoded block" len */ | 2155 | /* Since this is the max decoded size, subtract 1 "decoded block" len */ |
2157 | (*namelen) = ecryptfs_max_decoded_size(*namelen) - 3; | 2156 | (*namelen) = ecryptfs_max_decoded_size(*namelen) - 3; |
2158 | (*namelen) -= ECRYPTFS_TAG_70_MAX_METADATA_SIZE; | 2157 | (*namelen) -= ECRYPTFS_TAG_70_MAX_METADATA_SIZE; |
2159 | (*namelen) -= ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES; | 2158 | (*namelen) -= ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES; |
2160 | /* Worst case is that the filename is padded nearly a full block size */ | 2159 | /* Worst case is that the filename is padded nearly a full block size */ |
2161 | (*namelen) -= cipher_blocksize - 1; | 2160 | (*namelen) -= cipher_blocksize - 1; |
2162 | 2161 | ||
2163 | if ((*namelen) < 0) | 2162 | if ((*namelen) < 0) |
2164 | (*namelen) = 0; | 2163 | (*namelen) = 0; |
2165 | 2164 | ||
2166 | return 0; | 2165 | return 0; |
2167 | } | 2166 | } |
2168 | 2167 |
fs/ecryptfs/file.c
1 | /** | 1 | /** |
2 | * eCryptfs: Linux filesystem encryption layer | 2 | * eCryptfs: Linux filesystem encryption layer |
3 | * | 3 | * |
4 | * Copyright (C) 1997-2004 Erez Zadok | 4 | * Copyright (C) 1997-2004 Erez Zadok |
5 | * Copyright (C) 2001-2004 Stony Brook University | 5 | * Copyright (C) 2001-2004 Stony Brook University |
6 | * Copyright (C) 2004-2007 International Business Machines Corp. | 6 | * Copyright (C) 2004-2007 International Business Machines Corp. |
7 | * Author(s): Michael A. Halcrow <mhalcrow@us.ibm.com> | 7 | * Author(s): Michael A. Halcrow <mhalcrow@us.ibm.com> |
8 | * Michael C. Thompson <mcthomps@us.ibm.com> | 8 | * Michael C. Thompson <mcthomps@us.ibm.com> |
9 | * | 9 | * |
10 | * This program is free software; you can redistribute it and/or | 10 | * This program is free software; you can redistribute it and/or |
11 | * modify it under the terms of the GNU General Public License as | 11 | * modify it under the terms of the GNU General Public License as |
12 | * published by the Free Software Foundation; either version 2 of the | 12 | * published by the Free Software Foundation; either version 2 of the |
13 | * License, or (at your option) any later version. | 13 | * License, or (at your option) any later version. |
14 | * | 14 | * |
15 | * This program is distributed in the hope that it will be useful, but | 15 | * This program is distributed in the hope that it will be useful, but |
16 | * WITHOUT ANY WARRANTY; without even the implied warranty of | 16 | * WITHOUT ANY WARRANTY; without even the implied warranty of |
17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
18 | * General Public License for more details. | 18 | * General Public License for more details. |
19 | * | 19 | * |
20 | * You should have received a copy of the GNU General Public License | 20 | * You should have received a copy of the GNU General Public License |
21 | * along with this program; if not, write to the Free Software | 21 | * along with this program; if not, write to the Free Software |
22 | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA | 22 | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA |
23 | * 02111-1307, USA. | 23 | * 02111-1307, USA. |
24 | */ | 24 | */ |
25 | 25 | ||
26 | #include <linux/file.h> | 26 | #include <linux/file.h> |
27 | #include <linux/poll.h> | 27 | #include <linux/poll.h> |
28 | #include <linux/slab.h> | 28 | #include <linux/slab.h> |
29 | #include <linux/mount.h> | 29 | #include <linux/mount.h> |
30 | #include <linux/pagemap.h> | 30 | #include <linux/pagemap.h> |
31 | #include <linux/security.h> | 31 | #include <linux/security.h> |
32 | #include <linux/compat.h> | 32 | #include <linux/compat.h> |
33 | #include <linux/fs_stack.h> | 33 | #include <linux/fs_stack.h> |
34 | #include <linux/aio.h> | 34 | #include <linux/aio.h> |
35 | #include "ecryptfs_kernel.h" | 35 | #include "ecryptfs_kernel.h" |
36 | 36 | ||
37 | /** | 37 | /** |
38 | * ecryptfs_read_update_atime | 38 | * ecryptfs_read_update_atime |
39 | * | 39 | * |
40 | * generic_file_read updates the atime of upper layer inode. But, it | 40 | * generic_file_read updates the atime of upper layer inode. But, it |
41 | * doesn't give us a chance to update the atime of the lower layer | 41 | * doesn't give us a chance to update the atime of the lower layer |
42 | * inode. This function is a wrapper to generic_file_read. It | 42 | * inode. This function is a wrapper to generic_file_read. It |
43 | * updates the atime of the lower level inode if generic_file_read | 43 | * updates the atime of the lower level inode if generic_file_read |
44 | * returns without any errors. This is to be used only for file reads. | 44 | * returns without any errors. This is to be used only for file reads. |
45 | * The function to be used for directory reads is ecryptfs_read. | 45 | * The function to be used for directory reads is ecryptfs_read. |
46 | */ | 46 | */ |
47 | static ssize_t ecryptfs_read_update_atime(struct kiocb *iocb, | 47 | static ssize_t ecryptfs_read_update_atime(struct kiocb *iocb, |
48 | struct iov_iter *to) | 48 | struct iov_iter *to) |
49 | { | 49 | { |
50 | ssize_t rc; | 50 | ssize_t rc; |
51 | struct path *path; | 51 | struct path *path; |
52 | struct file *file = iocb->ki_filp; | 52 | struct file *file = iocb->ki_filp; |
53 | 53 | ||
54 | rc = generic_file_read_iter(iocb, to); | 54 | rc = generic_file_read_iter(iocb, to); |
55 | /* | 55 | /* |
56 | * Even though this is a async interface, we need to wait | 56 | * Even though this is a async interface, we need to wait |
57 | * for IO to finish to update atime | 57 | * for IO to finish to update atime |
58 | */ | 58 | */ |
59 | if (-EIOCBQUEUED == rc) | 59 | if (-EIOCBQUEUED == rc) |
60 | rc = wait_on_sync_kiocb(iocb); | 60 | rc = wait_on_sync_kiocb(iocb); |
61 | if (rc >= 0) { | 61 | if (rc >= 0) { |
62 | path = ecryptfs_dentry_to_lower_path(file->f_path.dentry); | 62 | path = ecryptfs_dentry_to_lower_path(file->f_path.dentry); |
63 | touch_atime(path); | 63 | touch_atime(path); |
64 | } | 64 | } |
65 | return rc; | 65 | return rc; |
66 | } | 66 | } |
67 | 67 | ||
68 | struct ecryptfs_getdents_callback { | 68 | struct ecryptfs_getdents_callback { |
69 | struct dir_context ctx; | 69 | struct dir_context ctx; |
70 | struct dir_context *caller; | 70 | struct dir_context *caller; |
71 | struct super_block *sb; | 71 | struct super_block *sb; |
72 | int filldir_called; | 72 | int filldir_called; |
73 | int entries_written; | 73 | int entries_written; |
74 | }; | 74 | }; |
75 | 75 | ||
76 | /* Inspired by generic filldir in fs/readdir.c */ | 76 | /* Inspired by generic filldir in fs/readdir.c */ |
77 | static int | 77 | static int |
78 | ecryptfs_filldir(struct dir_context *ctx, const char *lower_name, | 78 | ecryptfs_filldir(struct dir_context *ctx, const char *lower_name, |
79 | int lower_namelen, loff_t offset, u64 ino, unsigned int d_type) | 79 | int lower_namelen, loff_t offset, u64 ino, unsigned int d_type) |
80 | { | 80 | { |
81 | struct ecryptfs_getdents_callback *buf = | 81 | struct ecryptfs_getdents_callback *buf = |
82 | container_of(ctx, struct ecryptfs_getdents_callback, ctx); | 82 | container_of(ctx, struct ecryptfs_getdents_callback, ctx); |
83 | size_t name_size; | 83 | size_t name_size; |
84 | char *name; | 84 | char *name; |
85 | int rc; | 85 | int rc; |
86 | 86 | ||
87 | buf->filldir_called++; | 87 | buf->filldir_called++; |
88 | rc = ecryptfs_decode_and_decrypt_filename(&name, &name_size, | 88 | rc = ecryptfs_decode_and_decrypt_filename(&name, &name_size, |
89 | buf->sb, lower_name, | 89 | buf->sb, lower_name, |
90 | lower_namelen); | 90 | lower_namelen); |
91 | if (rc) { | 91 | if (rc) { |
92 | printk(KERN_ERR "%s: Error attempting to decode and decrypt " | 92 | printk(KERN_ERR "%s: Error attempting to decode and decrypt " |
93 | "filename [%s]; rc = [%d]\n", __func__, lower_name, | 93 | "filename [%s]; rc = [%d]\n", __func__, lower_name, |
94 | rc); | 94 | rc); |
95 | goto out; | 95 | goto out; |
96 | } | 96 | } |
97 | buf->caller->pos = buf->ctx.pos; | 97 | buf->caller->pos = buf->ctx.pos; |
98 | rc = !dir_emit(buf->caller, name, name_size, ino, d_type); | 98 | rc = !dir_emit(buf->caller, name, name_size, ino, d_type); |
99 | kfree(name); | 99 | kfree(name); |
100 | if (!rc) | 100 | if (!rc) |
101 | buf->entries_written++; | 101 | buf->entries_written++; |
102 | out: | 102 | out: |
103 | return rc; | 103 | return rc; |
104 | } | 104 | } |
105 | 105 | ||
106 | /** | 106 | /** |
107 | * ecryptfs_readdir | 107 | * ecryptfs_readdir |
108 | * @file: The eCryptfs directory file | 108 | * @file: The eCryptfs directory file |
109 | * @ctx: The actor to feed the entries to | 109 | * @ctx: The actor to feed the entries to |
110 | */ | 110 | */ |
111 | static int ecryptfs_readdir(struct file *file, struct dir_context *ctx) | 111 | static int ecryptfs_readdir(struct file *file, struct dir_context *ctx) |
112 | { | 112 | { |
113 | int rc; | 113 | int rc; |
114 | struct file *lower_file; | 114 | struct file *lower_file; |
115 | struct inode *inode = file_inode(file); | 115 | struct inode *inode = file_inode(file); |
116 | struct ecryptfs_getdents_callback buf = { | 116 | struct ecryptfs_getdents_callback buf = { |
117 | .ctx.actor = ecryptfs_filldir, | 117 | .ctx.actor = ecryptfs_filldir, |
118 | .caller = ctx, | 118 | .caller = ctx, |
119 | .sb = inode->i_sb, | 119 | .sb = inode->i_sb, |
120 | }; | 120 | }; |
121 | lower_file = ecryptfs_file_to_lower(file); | 121 | lower_file = ecryptfs_file_to_lower(file); |
122 | lower_file->f_pos = ctx->pos; | 122 | lower_file->f_pos = ctx->pos; |
123 | rc = iterate_dir(lower_file, &buf.ctx); | 123 | rc = iterate_dir(lower_file, &buf.ctx); |
124 | ctx->pos = buf.ctx.pos; | 124 | ctx->pos = buf.ctx.pos; |
125 | if (rc < 0) | 125 | if (rc < 0) |
126 | goto out; | 126 | goto out; |
127 | if (buf.filldir_called && !buf.entries_written) | 127 | if (buf.filldir_called && !buf.entries_written) |
128 | goto out; | 128 | goto out; |
129 | if (rc >= 0) | 129 | if (rc >= 0) |
130 | fsstack_copy_attr_atime(inode, | 130 | fsstack_copy_attr_atime(inode, |
131 | file_inode(lower_file)); | 131 | file_inode(lower_file)); |
132 | out: | 132 | out: |
133 | return rc; | 133 | return rc; |
134 | } | 134 | } |
135 | 135 | ||
136 | struct kmem_cache *ecryptfs_file_info_cache; | 136 | struct kmem_cache *ecryptfs_file_info_cache; |
137 | 137 | ||
138 | static int read_or_initialize_metadata(struct dentry *dentry) | 138 | static int read_or_initialize_metadata(struct dentry *dentry) |
139 | { | 139 | { |
140 | struct inode *inode = dentry->d_inode; | 140 | struct inode *inode = dentry->d_inode; |
141 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat; | 141 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat; |
142 | struct ecryptfs_crypt_stat *crypt_stat; | 142 | struct ecryptfs_crypt_stat *crypt_stat; |
143 | int rc; | 143 | int rc; |
144 | 144 | ||
145 | crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat; | 145 | crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat; |
146 | mount_crypt_stat = &ecryptfs_superblock_to_private( | 146 | mount_crypt_stat = &ecryptfs_superblock_to_private( |
147 | inode->i_sb)->mount_crypt_stat; | 147 | inode->i_sb)->mount_crypt_stat; |
148 | mutex_lock(&crypt_stat->cs_mutex); | 148 | mutex_lock(&crypt_stat->cs_mutex); |
149 | 149 | ||
150 | if (crypt_stat->flags & ECRYPTFS_POLICY_APPLIED && | 150 | if (crypt_stat->flags & ECRYPTFS_POLICY_APPLIED && |
151 | crypt_stat->flags & ECRYPTFS_KEY_VALID) { | 151 | crypt_stat->flags & ECRYPTFS_KEY_VALID) { |
152 | rc = 0; | 152 | rc = 0; |
153 | goto out; | 153 | goto out; |
154 | } | 154 | } |
155 | 155 | ||
156 | rc = ecryptfs_read_metadata(dentry); | 156 | rc = ecryptfs_read_metadata(dentry); |
157 | if (!rc) | 157 | if (!rc) |
158 | goto out; | 158 | goto out; |
159 | 159 | ||
160 | if (mount_crypt_stat->flags & ECRYPTFS_PLAINTEXT_PASSTHROUGH_ENABLED) { | 160 | if (mount_crypt_stat->flags & ECRYPTFS_PLAINTEXT_PASSTHROUGH_ENABLED) { |
161 | crypt_stat->flags &= ~(ECRYPTFS_I_SIZE_INITIALIZED | 161 | crypt_stat->flags &= ~(ECRYPTFS_I_SIZE_INITIALIZED |
162 | | ECRYPTFS_ENCRYPTED); | 162 | | ECRYPTFS_ENCRYPTED); |
163 | rc = 0; | 163 | rc = 0; |
164 | goto out; | 164 | goto out; |
165 | } | 165 | } |
166 | 166 | ||
167 | if (!(mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED) && | 167 | if (!(mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED) && |
168 | !i_size_read(ecryptfs_inode_to_lower(inode))) { | 168 | !i_size_read(ecryptfs_inode_to_lower(inode))) { |
169 | rc = ecryptfs_initialize_file(dentry, inode); | 169 | rc = ecryptfs_initialize_file(dentry, inode); |
170 | if (!rc) | 170 | if (!rc) |
171 | goto out; | 171 | goto out; |
172 | } | 172 | } |
173 | 173 | ||
174 | rc = -EIO; | 174 | rc = -EIO; |
175 | out: | 175 | out: |
176 | mutex_unlock(&crypt_stat->cs_mutex); | 176 | mutex_unlock(&crypt_stat->cs_mutex); |
177 | return rc; | 177 | return rc; |
178 | } | 178 | } |
179 | 179 | ||
180 | /** | 180 | /** |
181 | * ecryptfs_open | 181 | * ecryptfs_open |
182 | * @inode: inode speciying file to open | 182 | * @inode: inode speciying file to open |
183 | * @file: Structure to return filled in | 183 | * @file: Structure to return filled in |
184 | * | 184 | * |
185 | * Opens the file specified by inode. | 185 | * Opens the file specified by inode. |
186 | * | 186 | * |
187 | * Returns zero on success; non-zero otherwise | 187 | * Returns zero on success; non-zero otherwise |
188 | */ | 188 | */ |
189 | static int ecryptfs_open(struct inode *inode, struct file *file) | 189 | static int ecryptfs_open(struct inode *inode, struct file *file) |
190 | { | 190 | { |
191 | int rc = 0; | 191 | int rc = 0; |
192 | struct ecryptfs_crypt_stat *crypt_stat = NULL; | 192 | struct ecryptfs_crypt_stat *crypt_stat = NULL; |
193 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat; | ||
194 | struct dentry *ecryptfs_dentry = file->f_path.dentry; | 193 | struct dentry *ecryptfs_dentry = file->f_path.dentry; |
195 | /* Private value of ecryptfs_dentry allocated in | 194 | /* Private value of ecryptfs_dentry allocated in |
196 | * ecryptfs_lookup() */ | 195 | * ecryptfs_lookup() */ |
197 | struct ecryptfs_file_info *file_info; | 196 | struct ecryptfs_file_info *file_info; |
198 | 197 | ||
199 | mount_crypt_stat = &ecryptfs_superblock_to_private( | ||
200 | ecryptfs_dentry->d_sb)->mount_crypt_stat; | ||
201 | if ((mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) | ||
202 | && ((file->f_flags & O_WRONLY) || (file->f_flags & O_RDWR) | ||
203 | || (file->f_flags & O_CREAT) || (file->f_flags & O_TRUNC) | ||
204 | || (file->f_flags & O_APPEND))) { | ||
205 | printk(KERN_WARNING "Mount has encrypted view enabled; " | ||
206 | "files may only be read\n"); | ||
207 | rc = -EPERM; | ||
208 | goto out; | ||
209 | } | ||
210 | /* Released in ecryptfs_release or end of function if failure */ | 198 | /* Released in ecryptfs_release or end of function if failure */ |
211 | file_info = kmem_cache_zalloc(ecryptfs_file_info_cache, GFP_KERNEL); | 199 | file_info = kmem_cache_zalloc(ecryptfs_file_info_cache, GFP_KERNEL); |
212 | ecryptfs_set_file_private(file, file_info); | 200 | ecryptfs_set_file_private(file, file_info); |
213 | if (!file_info) { | 201 | if (!file_info) { |
214 | ecryptfs_printk(KERN_ERR, | 202 | ecryptfs_printk(KERN_ERR, |
215 | "Error attempting to allocate memory\n"); | 203 | "Error attempting to allocate memory\n"); |
216 | rc = -ENOMEM; | 204 | rc = -ENOMEM; |
217 | goto out; | 205 | goto out; |
218 | } | 206 | } |
219 | crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat; | 207 | crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat; |
220 | mutex_lock(&crypt_stat->cs_mutex); | 208 | mutex_lock(&crypt_stat->cs_mutex); |
221 | if (!(crypt_stat->flags & ECRYPTFS_POLICY_APPLIED)) { | 209 | if (!(crypt_stat->flags & ECRYPTFS_POLICY_APPLIED)) { |
222 | ecryptfs_printk(KERN_DEBUG, "Setting flags for stat...\n"); | 210 | ecryptfs_printk(KERN_DEBUG, "Setting flags for stat...\n"); |
223 | /* Policy code enabled in future release */ | 211 | /* Policy code enabled in future release */ |
224 | crypt_stat->flags |= (ECRYPTFS_POLICY_APPLIED | 212 | crypt_stat->flags |= (ECRYPTFS_POLICY_APPLIED |
225 | | ECRYPTFS_ENCRYPTED); | 213 | | ECRYPTFS_ENCRYPTED); |
226 | } | 214 | } |
227 | mutex_unlock(&crypt_stat->cs_mutex); | 215 | mutex_unlock(&crypt_stat->cs_mutex); |
228 | rc = ecryptfs_get_lower_file(ecryptfs_dentry, inode); | 216 | rc = ecryptfs_get_lower_file(ecryptfs_dentry, inode); |
229 | if (rc) { | 217 | if (rc) { |
230 | printk(KERN_ERR "%s: Error attempting to initialize " | 218 | printk(KERN_ERR "%s: Error attempting to initialize " |
231 | "the lower file for the dentry with name " | 219 | "the lower file for the dentry with name " |
232 | "[%pd]; rc = [%d]\n", __func__, | 220 | "[%pd]; rc = [%d]\n", __func__, |
233 | ecryptfs_dentry, rc); | 221 | ecryptfs_dentry, rc); |
234 | goto out_free; | 222 | goto out_free; |
235 | } | 223 | } |
236 | if ((ecryptfs_inode_to_private(inode)->lower_file->f_flags & O_ACCMODE) | 224 | if ((ecryptfs_inode_to_private(inode)->lower_file->f_flags & O_ACCMODE) |
237 | == O_RDONLY && (file->f_flags & O_ACCMODE) != O_RDONLY) { | 225 | == O_RDONLY && (file->f_flags & O_ACCMODE) != O_RDONLY) { |
238 | rc = -EPERM; | 226 | rc = -EPERM; |
239 | printk(KERN_WARNING "%s: Lower file is RO; eCryptfs " | 227 | printk(KERN_WARNING "%s: Lower file is RO; eCryptfs " |
240 | "file must hence be opened RO\n", __func__); | 228 | "file must hence be opened RO\n", __func__); |
241 | goto out_put; | 229 | goto out_put; |
242 | } | 230 | } |
243 | ecryptfs_set_file_lower( | 231 | ecryptfs_set_file_lower( |
244 | file, ecryptfs_inode_to_private(inode)->lower_file); | 232 | file, ecryptfs_inode_to_private(inode)->lower_file); |
245 | if (S_ISDIR(ecryptfs_dentry->d_inode->i_mode)) { | 233 | if (S_ISDIR(ecryptfs_dentry->d_inode->i_mode)) { |
246 | ecryptfs_printk(KERN_DEBUG, "This is a directory\n"); | 234 | ecryptfs_printk(KERN_DEBUG, "This is a directory\n"); |
247 | mutex_lock(&crypt_stat->cs_mutex); | 235 | mutex_lock(&crypt_stat->cs_mutex); |
248 | crypt_stat->flags &= ~(ECRYPTFS_ENCRYPTED); | 236 | crypt_stat->flags &= ~(ECRYPTFS_ENCRYPTED); |
249 | mutex_unlock(&crypt_stat->cs_mutex); | 237 | mutex_unlock(&crypt_stat->cs_mutex); |
250 | rc = 0; | 238 | rc = 0; |
251 | goto out; | 239 | goto out; |
252 | } | 240 | } |
253 | rc = read_or_initialize_metadata(ecryptfs_dentry); | 241 | rc = read_or_initialize_metadata(ecryptfs_dentry); |
254 | if (rc) | 242 | if (rc) |
255 | goto out_put; | 243 | goto out_put; |
256 | ecryptfs_printk(KERN_DEBUG, "inode w/ addr = [0x%p], i_ino = " | 244 | ecryptfs_printk(KERN_DEBUG, "inode w/ addr = [0x%p], i_ino = " |
257 | "[0x%.16lx] size: [0x%.16llx]\n", inode, inode->i_ino, | 245 | "[0x%.16lx] size: [0x%.16llx]\n", inode, inode->i_ino, |
258 | (unsigned long long)i_size_read(inode)); | 246 | (unsigned long long)i_size_read(inode)); |
259 | goto out; | 247 | goto out; |
260 | out_put: | 248 | out_put: |
261 | ecryptfs_put_lower_file(inode); | 249 | ecryptfs_put_lower_file(inode); |
262 | out_free: | 250 | out_free: |
263 | kmem_cache_free(ecryptfs_file_info_cache, | 251 | kmem_cache_free(ecryptfs_file_info_cache, |
264 | ecryptfs_file_to_private(file)); | 252 | ecryptfs_file_to_private(file)); |
265 | out: | 253 | out: |
266 | return rc; | 254 | return rc; |
267 | } | 255 | } |
268 | 256 | ||
269 | static int ecryptfs_flush(struct file *file, fl_owner_t td) | 257 | static int ecryptfs_flush(struct file *file, fl_owner_t td) |
270 | { | 258 | { |
271 | struct file *lower_file = ecryptfs_file_to_lower(file); | 259 | struct file *lower_file = ecryptfs_file_to_lower(file); |
272 | 260 | ||
273 | if (lower_file->f_op->flush) { | 261 | if (lower_file->f_op->flush) { |
274 | filemap_write_and_wait(file->f_mapping); | 262 | filemap_write_and_wait(file->f_mapping); |
275 | return lower_file->f_op->flush(lower_file, td); | 263 | return lower_file->f_op->flush(lower_file, td); |
276 | } | 264 | } |
277 | 265 | ||
278 | return 0; | 266 | return 0; |
279 | } | 267 | } |
280 | 268 | ||
281 | static int ecryptfs_release(struct inode *inode, struct file *file) | 269 | static int ecryptfs_release(struct inode *inode, struct file *file) |
282 | { | 270 | { |
283 | ecryptfs_put_lower_file(inode); | 271 | ecryptfs_put_lower_file(inode); |
284 | kmem_cache_free(ecryptfs_file_info_cache, | 272 | kmem_cache_free(ecryptfs_file_info_cache, |
285 | ecryptfs_file_to_private(file)); | 273 | ecryptfs_file_to_private(file)); |
286 | return 0; | 274 | return 0; |
287 | } | 275 | } |
288 | 276 | ||
289 | static int | 277 | static int |
290 | ecryptfs_fsync(struct file *file, loff_t start, loff_t end, int datasync) | 278 | ecryptfs_fsync(struct file *file, loff_t start, loff_t end, int datasync) |
291 | { | 279 | { |
292 | int rc; | 280 | int rc; |
293 | 281 | ||
294 | rc = filemap_write_and_wait(file->f_mapping); | 282 | rc = filemap_write_and_wait(file->f_mapping); |
295 | if (rc) | 283 | if (rc) |
296 | return rc; | 284 | return rc; |
297 | 285 | ||
298 | return vfs_fsync(ecryptfs_file_to_lower(file), datasync); | 286 | return vfs_fsync(ecryptfs_file_to_lower(file), datasync); |
299 | } | 287 | } |
300 | 288 | ||
301 | static int ecryptfs_fasync(int fd, struct file *file, int flag) | 289 | static int ecryptfs_fasync(int fd, struct file *file, int flag) |
302 | { | 290 | { |
303 | int rc = 0; | 291 | int rc = 0; |
304 | struct file *lower_file = NULL; | 292 | struct file *lower_file = NULL; |
305 | 293 | ||
306 | lower_file = ecryptfs_file_to_lower(file); | 294 | lower_file = ecryptfs_file_to_lower(file); |
307 | if (lower_file->f_op->fasync) | 295 | if (lower_file->f_op->fasync) |
308 | rc = lower_file->f_op->fasync(fd, lower_file, flag); | 296 | rc = lower_file->f_op->fasync(fd, lower_file, flag); |
309 | return rc; | 297 | return rc; |
310 | } | 298 | } |
311 | 299 | ||
312 | static long | 300 | static long |
313 | ecryptfs_unlocked_ioctl(struct file *file, unsigned int cmd, unsigned long arg) | 301 | ecryptfs_unlocked_ioctl(struct file *file, unsigned int cmd, unsigned long arg) |
314 | { | 302 | { |
315 | struct file *lower_file = ecryptfs_file_to_lower(file); | 303 | struct file *lower_file = ecryptfs_file_to_lower(file); |
316 | long rc = -ENOTTY; | 304 | long rc = -ENOTTY; |
317 | 305 | ||
318 | if (lower_file->f_op->unlocked_ioctl) | 306 | if (lower_file->f_op->unlocked_ioctl) |
319 | rc = lower_file->f_op->unlocked_ioctl(lower_file, cmd, arg); | 307 | rc = lower_file->f_op->unlocked_ioctl(lower_file, cmd, arg); |
320 | return rc; | 308 | return rc; |
321 | } | 309 | } |
322 | 310 | ||
323 | #ifdef CONFIG_COMPAT | 311 | #ifdef CONFIG_COMPAT |
324 | static long | 312 | static long |
325 | ecryptfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) | 313 | ecryptfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) |
326 | { | 314 | { |
327 | struct file *lower_file = ecryptfs_file_to_lower(file); | 315 | struct file *lower_file = ecryptfs_file_to_lower(file); |
328 | long rc = -ENOIOCTLCMD; | 316 | long rc = -ENOIOCTLCMD; |
329 | 317 | ||
330 | if (lower_file->f_op->compat_ioctl) | 318 | if (lower_file->f_op->compat_ioctl) |
331 | rc = lower_file->f_op->compat_ioctl(lower_file, cmd, arg); | 319 | rc = lower_file->f_op->compat_ioctl(lower_file, cmd, arg); |
332 | return rc; | 320 | return rc; |
333 | } | 321 | } |
334 | #endif | 322 | #endif |
335 | 323 | ||
336 | const struct file_operations ecryptfs_dir_fops = { | 324 | const struct file_operations ecryptfs_dir_fops = { |
337 | .iterate = ecryptfs_readdir, | 325 | .iterate = ecryptfs_readdir, |
338 | .read = generic_read_dir, | 326 | .read = generic_read_dir, |
339 | .unlocked_ioctl = ecryptfs_unlocked_ioctl, | 327 | .unlocked_ioctl = ecryptfs_unlocked_ioctl, |
340 | #ifdef CONFIG_COMPAT | 328 | #ifdef CONFIG_COMPAT |
341 | .compat_ioctl = ecryptfs_compat_ioctl, | 329 | .compat_ioctl = ecryptfs_compat_ioctl, |
342 | #endif | 330 | #endif |
343 | .open = ecryptfs_open, | 331 | .open = ecryptfs_open, |
344 | .flush = ecryptfs_flush, | 332 | .flush = ecryptfs_flush, |
345 | .release = ecryptfs_release, | 333 | .release = ecryptfs_release, |
346 | .fsync = ecryptfs_fsync, | 334 | .fsync = ecryptfs_fsync, |
347 | .fasync = ecryptfs_fasync, | 335 | .fasync = ecryptfs_fasync, |
348 | .splice_read = generic_file_splice_read, | 336 | .splice_read = generic_file_splice_read, |
349 | .llseek = default_llseek, | 337 | .llseek = default_llseek, |
350 | }; | 338 | }; |
351 | 339 | ||
352 | const struct file_operations ecryptfs_main_fops = { | 340 | const struct file_operations ecryptfs_main_fops = { |
353 | .llseek = generic_file_llseek, | 341 | .llseek = generic_file_llseek, |
354 | .read = new_sync_read, | 342 | .read = new_sync_read, |
355 | .read_iter = ecryptfs_read_update_atime, | 343 | .read_iter = ecryptfs_read_update_atime, |
356 | .write = new_sync_write, | 344 | .write = new_sync_write, |
357 | .write_iter = generic_file_write_iter, | 345 | .write_iter = generic_file_write_iter, |
358 | .iterate = ecryptfs_readdir, | 346 | .iterate = ecryptfs_readdir, |
359 | .unlocked_ioctl = ecryptfs_unlocked_ioctl, | 347 | .unlocked_ioctl = ecryptfs_unlocked_ioctl, |
360 | #ifdef CONFIG_COMPAT | 348 | #ifdef CONFIG_COMPAT |
361 | .compat_ioctl = ecryptfs_compat_ioctl, | 349 | .compat_ioctl = ecryptfs_compat_ioctl, |
362 | #endif | 350 | #endif |
363 | .mmap = generic_file_mmap, | 351 | .mmap = generic_file_mmap, |
364 | .open = ecryptfs_open, | 352 | .open = ecryptfs_open, |
365 | .flush = ecryptfs_flush, | 353 | .flush = ecryptfs_flush, |
366 | .release = ecryptfs_release, | 354 | .release = ecryptfs_release, |
367 | .fsync = ecryptfs_fsync, | 355 | .fsync = ecryptfs_fsync, |
368 | .fasync = ecryptfs_fasync, | 356 | .fasync = ecryptfs_fasync, |
369 | .splice_read = generic_file_splice_read, | 357 | .splice_read = generic_file_splice_read, |
370 | }; | 358 | }; |
371 | 359 |
fs/ecryptfs/keystore.c
1 | /** | 1 | /** |
2 | * eCryptfs: Linux filesystem encryption layer | 2 | * eCryptfs: Linux filesystem encryption layer |
3 | * In-kernel key management code. Includes functions to parse and | 3 | * In-kernel key management code. Includes functions to parse and |
4 | * write authentication token-related packets with the underlying | 4 | * write authentication token-related packets with the underlying |
5 | * file. | 5 | * file. |
6 | * | 6 | * |
7 | * Copyright (C) 2004-2006 International Business Machines Corp. | 7 | * Copyright (C) 2004-2006 International Business Machines Corp. |
8 | * Author(s): Michael A. Halcrow <mhalcrow@us.ibm.com> | 8 | * Author(s): Michael A. Halcrow <mhalcrow@us.ibm.com> |
9 | * Michael C. Thompson <mcthomps@us.ibm.com> | 9 | * Michael C. Thompson <mcthomps@us.ibm.com> |
10 | * Trevor S. Highland <trevor.highland@gmail.com> | 10 | * Trevor S. Highland <trevor.highland@gmail.com> |
11 | * | 11 | * |
12 | * This program is free software; you can redistribute it and/or | 12 | * This program is free software; you can redistribute it and/or |
13 | * modify it under the terms of the GNU General Public License as | 13 | * modify it under the terms of the GNU General Public License as |
14 | * published by the Free Software Foundation; either version 2 of the | 14 | * published by the Free Software Foundation; either version 2 of the |
15 | * License, or (at your option) any later version. | 15 | * License, or (at your option) any later version. |
16 | * | 16 | * |
17 | * This program is distributed in the hope that it will be useful, but | 17 | * This program is distributed in the hope that it will be useful, but |
18 | * WITHOUT ANY WARRANTY; without even the implied warranty of | 18 | * WITHOUT ANY WARRANTY; without even the implied warranty of |
19 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | 19 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
20 | * General Public License for more details. | 20 | * General Public License for more details. |
21 | * | 21 | * |
22 | * You should have received a copy of the GNU General Public License | 22 | * You should have received a copy of the GNU General Public License |
23 | * along with this program; if not, write to the Free Software | 23 | * along with this program; if not, write to the Free Software |
24 | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA | 24 | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA |
25 | * 02111-1307, USA. | 25 | * 02111-1307, USA. |
26 | */ | 26 | */ |
27 | 27 | ||
28 | #include <linux/string.h> | 28 | #include <linux/string.h> |
29 | #include <linux/pagemap.h> | 29 | #include <linux/pagemap.h> |
30 | #include <linux/key.h> | 30 | #include <linux/key.h> |
31 | #include <linux/random.h> | 31 | #include <linux/random.h> |
32 | #include <linux/crypto.h> | 32 | #include <linux/crypto.h> |
33 | #include <linux/scatterlist.h> | 33 | #include <linux/scatterlist.h> |
34 | #include <linux/slab.h> | 34 | #include <linux/slab.h> |
35 | #include "ecryptfs_kernel.h" | 35 | #include "ecryptfs_kernel.h" |
36 | 36 | ||
37 | /** | 37 | /** |
38 | * request_key returned an error instead of a valid key address; | 38 | * request_key returned an error instead of a valid key address; |
39 | * determine the type of error, make appropriate log entries, and | 39 | * determine the type of error, make appropriate log entries, and |
40 | * return an error code. | 40 | * return an error code. |
41 | */ | 41 | */ |
42 | static int process_request_key_err(long err_code) | 42 | static int process_request_key_err(long err_code) |
43 | { | 43 | { |
44 | int rc = 0; | 44 | int rc = 0; |
45 | 45 | ||
46 | switch (err_code) { | 46 | switch (err_code) { |
47 | case -ENOKEY: | 47 | case -ENOKEY: |
48 | ecryptfs_printk(KERN_WARNING, "No key\n"); | 48 | ecryptfs_printk(KERN_WARNING, "No key\n"); |
49 | rc = -ENOENT; | 49 | rc = -ENOENT; |
50 | break; | 50 | break; |
51 | case -EKEYEXPIRED: | 51 | case -EKEYEXPIRED: |
52 | ecryptfs_printk(KERN_WARNING, "Key expired\n"); | 52 | ecryptfs_printk(KERN_WARNING, "Key expired\n"); |
53 | rc = -ETIME; | 53 | rc = -ETIME; |
54 | break; | 54 | break; |
55 | case -EKEYREVOKED: | 55 | case -EKEYREVOKED: |
56 | ecryptfs_printk(KERN_WARNING, "Key revoked\n"); | 56 | ecryptfs_printk(KERN_WARNING, "Key revoked\n"); |
57 | rc = -EINVAL; | 57 | rc = -EINVAL; |
58 | break; | 58 | break; |
59 | default: | 59 | default: |
60 | ecryptfs_printk(KERN_WARNING, "Unknown error code: " | 60 | ecryptfs_printk(KERN_WARNING, "Unknown error code: " |
61 | "[0x%.16lx]\n", err_code); | 61 | "[0x%.16lx]\n", err_code); |
62 | rc = -EINVAL; | 62 | rc = -EINVAL; |
63 | } | 63 | } |
64 | return rc; | 64 | return rc; |
65 | } | 65 | } |
66 | 66 | ||
67 | static int process_find_global_auth_tok_for_sig_err(int err_code) | 67 | static int process_find_global_auth_tok_for_sig_err(int err_code) |
68 | { | 68 | { |
69 | int rc = err_code; | 69 | int rc = err_code; |
70 | 70 | ||
71 | switch (err_code) { | 71 | switch (err_code) { |
72 | case -ENOENT: | 72 | case -ENOENT: |
73 | ecryptfs_printk(KERN_WARNING, "Missing auth tok\n"); | 73 | ecryptfs_printk(KERN_WARNING, "Missing auth tok\n"); |
74 | break; | 74 | break; |
75 | case -EINVAL: | 75 | case -EINVAL: |
76 | ecryptfs_printk(KERN_WARNING, "Invalid auth tok\n"); | 76 | ecryptfs_printk(KERN_WARNING, "Invalid auth tok\n"); |
77 | break; | 77 | break; |
78 | default: | 78 | default: |
79 | rc = process_request_key_err(err_code); | 79 | rc = process_request_key_err(err_code); |
80 | break; | 80 | break; |
81 | } | 81 | } |
82 | return rc; | 82 | return rc; |
83 | } | 83 | } |
84 | 84 | ||
85 | /** | 85 | /** |
86 | * ecryptfs_parse_packet_length | 86 | * ecryptfs_parse_packet_length |
87 | * @data: Pointer to memory containing length at offset | 87 | * @data: Pointer to memory containing length at offset |
88 | * @size: This function writes the decoded size to this memory | 88 | * @size: This function writes the decoded size to this memory |
89 | * address; zero on error | 89 | * address; zero on error |
90 | * @length_size: The number of bytes occupied by the encoded length | 90 | * @length_size: The number of bytes occupied by the encoded length |
91 | * | 91 | * |
92 | * Returns zero on success; non-zero on error | 92 | * Returns zero on success; non-zero on error |
93 | */ | 93 | */ |
94 | int ecryptfs_parse_packet_length(unsigned char *data, size_t *size, | 94 | int ecryptfs_parse_packet_length(unsigned char *data, size_t *size, |
95 | size_t *length_size) | 95 | size_t *length_size) |
96 | { | 96 | { |
97 | int rc = 0; | 97 | int rc = 0; |
98 | 98 | ||
99 | (*length_size) = 0; | 99 | (*length_size) = 0; |
100 | (*size) = 0; | 100 | (*size) = 0; |
101 | if (data[0] < 192) { | 101 | if (data[0] < 192) { |
102 | /* One-byte length */ | 102 | /* One-byte length */ |
103 | (*size) = (unsigned char)data[0]; | 103 | (*size) = data[0]; |
104 | (*length_size) = 1; | 104 | (*length_size) = 1; |
105 | } else if (data[0] < 224) { | 105 | } else if (data[0] < 224) { |
106 | /* Two-byte length */ | 106 | /* Two-byte length */ |
107 | (*size) = (((unsigned char)(data[0]) - 192) * 256); | 107 | (*size) = (data[0] - 192) * 256; |
108 | (*size) += ((unsigned char)(data[1]) + 192); | 108 | (*size) += data[1] + 192; |
109 | (*length_size) = 2; | 109 | (*length_size) = 2; |
110 | } else if (data[0] == 255) { | 110 | } else if (data[0] == 255) { |
111 | /* If support is added, adjust ECRYPTFS_MAX_PKT_LEN_SIZE */ | 111 | /* If support is added, adjust ECRYPTFS_MAX_PKT_LEN_SIZE */ |
112 | ecryptfs_printk(KERN_ERR, "Five-byte packet length not " | 112 | ecryptfs_printk(KERN_ERR, "Five-byte packet length not " |
113 | "supported\n"); | 113 | "supported\n"); |
114 | rc = -EINVAL; | 114 | rc = -EINVAL; |
115 | goto out; | 115 | goto out; |
116 | } else { | 116 | } else { |
117 | ecryptfs_printk(KERN_ERR, "Error parsing packet length\n"); | 117 | ecryptfs_printk(KERN_ERR, "Error parsing packet length\n"); |
118 | rc = -EINVAL; | 118 | rc = -EINVAL; |
119 | goto out; | 119 | goto out; |
120 | } | 120 | } |
121 | out: | 121 | out: |
122 | return rc; | 122 | return rc; |
123 | } | 123 | } |
124 | 124 | ||
125 | /** | 125 | /** |
126 | * ecryptfs_write_packet_length | 126 | * ecryptfs_write_packet_length |
127 | * @dest: The byte array target into which to write the length. Must | 127 | * @dest: The byte array target into which to write the length. Must |
128 | * have at least ECRYPTFS_MAX_PKT_LEN_SIZE bytes allocated. | 128 | * have at least ECRYPTFS_MAX_PKT_LEN_SIZE bytes allocated. |
129 | * @size: The length to write. | 129 | * @size: The length to write. |
130 | * @packet_size_length: The number of bytes used to encode the packet | 130 | * @packet_size_length: The number of bytes used to encode the packet |
131 | * length is written to this address. | 131 | * length is written to this address. |
132 | * | 132 | * |
133 | * Returns zero on success; non-zero on error. | 133 | * Returns zero on success; non-zero on error. |
134 | */ | 134 | */ |
135 | int ecryptfs_write_packet_length(char *dest, size_t size, | 135 | int ecryptfs_write_packet_length(char *dest, size_t size, |
136 | size_t *packet_size_length) | 136 | size_t *packet_size_length) |
137 | { | 137 | { |
138 | int rc = 0; | 138 | int rc = 0; |
139 | 139 | ||
140 | if (size < 192) { | 140 | if (size < 192) { |
141 | dest[0] = size; | 141 | dest[0] = size; |
142 | (*packet_size_length) = 1; | 142 | (*packet_size_length) = 1; |
143 | } else if (size < 65536) { | 143 | } else if (size < 65536) { |
144 | dest[0] = (((size - 192) / 256) + 192); | 144 | dest[0] = (((size - 192) / 256) + 192); |
145 | dest[1] = ((size - 192) % 256); | 145 | dest[1] = ((size - 192) % 256); |
146 | (*packet_size_length) = 2; | 146 | (*packet_size_length) = 2; |
147 | } else { | 147 | } else { |
148 | /* If support is added, adjust ECRYPTFS_MAX_PKT_LEN_SIZE */ | 148 | /* If support is added, adjust ECRYPTFS_MAX_PKT_LEN_SIZE */ |
149 | rc = -EINVAL; | 149 | rc = -EINVAL; |
150 | ecryptfs_printk(KERN_WARNING, | 150 | ecryptfs_printk(KERN_WARNING, |
151 | "Unsupported packet size: [%zd]\n", size); | 151 | "Unsupported packet size: [%zd]\n", size); |
152 | } | 152 | } |
153 | return rc; | 153 | return rc; |
154 | } | 154 | } |
155 | 155 | ||
156 | static int | 156 | static int |
157 | write_tag_64_packet(char *signature, struct ecryptfs_session_key *session_key, | 157 | write_tag_64_packet(char *signature, struct ecryptfs_session_key *session_key, |
158 | char **packet, size_t *packet_len) | 158 | char **packet, size_t *packet_len) |
159 | { | 159 | { |
160 | size_t i = 0; | 160 | size_t i = 0; |
161 | size_t data_len; | 161 | size_t data_len; |
162 | size_t packet_size_len; | 162 | size_t packet_size_len; |
163 | char *message; | 163 | char *message; |
164 | int rc; | 164 | int rc; |
165 | 165 | ||
166 | /* | 166 | /* |
167 | * ***** TAG 64 Packet Format ***** | 167 | * ***** TAG 64 Packet Format ***** |
168 | * | Content Type | 1 byte | | 168 | * | Content Type | 1 byte | |
169 | * | Key Identifier Size | 1 or 2 bytes | | 169 | * | Key Identifier Size | 1 or 2 bytes | |
170 | * | Key Identifier | arbitrary | | 170 | * | Key Identifier | arbitrary | |
171 | * | Encrypted File Encryption Key Size | 1 or 2 bytes | | 171 | * | Encrypted File Encryption Key Size | 1 or 2 bytes | |
172 | * | Encrypted File Encryption Key | arbitrary | | 172 | * | Encrypted File Encryption Key | arbitrary | |
173 | */ | 173 | */ |
174 | data_len = (5 + ECRYPTFS_SIG_SIZE_HEX | 174 | data_len = (5 + ECRYPTFS_SIG_SIZE_HEX |
175 | + session_key->encrypted_key_size); | 175 | + session_key->encrypted_key_size); |
176 | *packet = kmalloc(data_len, GFP_KERNEL); | 176 | *packet = kmalloc(data_len, GFP_KERNEL); |
177 | message = *packet; | 177 | message = *packet; |
178 | if (!message) { | 178 | if (!message) { |
179 | ecryptfs_printk(KERN_ERR, "Unable to allocate memory\n"); | 179 | ecryptfs_printk(KERN_ERR, "Unable to allocate memory\n"); |
180 | rc = -ENOMEM; | 180 | rc = -ENOMEM; |
181 | goto out; | 181 | goto out; |
182 | } | 182 | } |
183 | message[i++] = ECRYPTFS_TAG_64_PACKET_TYPE; | 183 | message[i++] = ECRYPTFS_TAG_64_PACKET_TYPE; |
184 | rc = ecryptfs_write_packet_length(&message[i], ECRYPTFS_SIG_SIZE_HEX, | 184 | rc = ecryptfs_write_packet_length(&message[i], ECRYPTFS_SIG_SIZE_HEX, |
185 | &packet_size_len); | 185 | &packet_size_len); |
186 | if (rc) { | 186 | if (rc) { |
187 | ecryptfs_printk(KERN_ERR, "Error generating tag 64 packet " | 187 | ecryptfs_printk(KERN_ERR, "Error generating tag 64 packet " |
188 | "header; cannot generate packet length\n"); | 188 | "header; cannot generate packet length\n"); |
189 | goto out; | 189 | goto out; |
190 | } | 190 | } |
191 | i += packet_size_len; | 191 | i += packet_size_len; |
192 | memcpy(&message[i], signature, ECRYPTFS_SIG_SIZE_HEX); | 192 | memcpy(&message[i], signature, ECRYPTFS_SIG_SIZE_HEX); |
193 | i += ECRYPTFS_SIG_SIZE_HEX; | 193 | i += ECRYPTFS_SIG_SIZE_HEX; |
194 | rc = ecryptfs_write_packet_length(&message[i], | 194 | rc = ecryptfs_write_packet_length(&message[i], |
195 | session_key->encrypted_key_size, | 195 | session_key->encrypted_key_size, |
196 | &packet_size_len); | 196 | &packet_size_len); |
197 | if (rc) { | 197 | if (rc) { |
198 | ecryptfs_printk(KERN_ERR, "Error generating tag 64 packet " | 198 | ecryptfs_printk(KERN_ERR, "Error generating tag 64 packet " |
199 | "header; cannot generate packet length\n"); | 199 | "header; cannot generate packet length\n"); |
200 | goto out; | 200 | goto out; |
201 | } | 201 | } |
202 | i += packet_size_len; | 202 | i += packet_size_len; |
203 | memcpy(&message[i], session_key->encrypted_key, | 203 | memcpy(&message[i], session_key->encrypted_key, |
204 | session_key->encrypted_key_size); | 204 | session_key->encrypted_key_size); |
205 | i += session_key->encrypted_key_size; | 205 | i += session_key->encrypted_key_size; |
206 | *packet_len = i; | 206 | *packet_len = i; |
207 | out: | 207 | out: |
208 | return rc; | 208 | return rc; |
209 | } | 209 | } |
210 | 210 | ||
211 | static int | 211 | static int |
212 | parse_tag_65_packet(struct ecryptfs_session_key *session_key, u8 *cipher_code, | 212 | parse_tag_65_packet(struct ecryptfs_session_key *session_key, u8 *cipher_code, |
213 | struct ecryptfs_message *msg) | 213 | struct ecryptfs_message *msg) |
214 | { | 214 | { |
215 | size_t i = 0; | 215 | size_t i = 0; |
216 | char *data; | 216 | char *data; |
217 | size_t data_len; | 217 | size_t data_len; |
218 | size_t m_size; | 218 | size_t m_size; |
219 | size_t message_len; | 219 | size_t message_len; |
220 | u16 checksum = 0; | 220 | u16 checksum = 0; |
221 | u16 expected_checksum = 0; | 221 | u16 expected_checksum = 0; |
222 | int rc; | 222 | int rc; |
223 | 223 | ||
224 | /* | 224 | /* |
225 | * ***** TAG 65 Packet Format ***** | 225 | * ***** TAG 65 Packet Format ***** |
226 | * | Content Type | 1 byte | | 226 | * | Content Type | 1 byte | |
227 | * | Status Indicator | 1 byte | | 227 | * | Status Indicator | 1 byte | |
228 | * | File Encryption Key Size | 1 or 2 bytes | | 228 | * | File Encryption Key Size | 1 or 2 bytes | |
229 | * | File Encryption Key | arbitrary | | 229 | * | File Encryption Key | arbitrary | |
230 | */ | 230 | */ |
231 | message_len = msg->data_len; | 231 | message_len = msg->data_len; |
232 | data = msg->data; | 232 | data = msg->data; |
233 | if (message_len < 4) { | 233 | if (message_len < 4) { |
234 | rc = -EIO; | 234 | rc = -EIO; |
235 | goto out; | 235 | goto out; |
236 | } | 236 | } |
237 | if (data[i++] != ECRYPTFS_TAG_65_PACKET_TYPE) { | 237 | if (data[i++] != ECRYPTFS_TAG_65_PACKET_TYPE) { |
238 | ecryptfs_printk(KERN_ERR, "Type should be ECRYPTFS_TAG_65\n"); | 238 | ecryptfs_printk(KERN_ERR, "Type should be ECRYPTFS_TAG_65\n"); |
239 | rc = -EIO; | 239 | rc = -EIO; |
240 | goto out; | 240 | goto out; |
241 | } | 241 | } |
242 | if (data[i++]) { | 242 | if (data[i++]) { |
243 | ecryptfs_printk(KERN_ERR, "Status indicator has non-zero value " | 243 | ecryptfs_printk(KERN_ERR, "Status indicator has non-zero value " |
244 | "[%d]\n", data[i-1]); | 244 | "[%d]\n", data[i-1]); |
245 | rc = -EIO; | 245 | rc = -EIO; |
246 | goto out; | 246 | goto out; |
247 | } | 247 | } |
248 | rc = ecryptfs_parse_packet_length(&data[i], &m_size, &data_len); | 248 | rc = ecryptfs_parse_packet_length(&data[i], &m_size, &data_len); |
249 | if (rc) { | 249 | if (rc) { |
250 | ecryptfs_printk(KERN_WARNING, "Error parsing packet length; " | 250 | ecryptfs_printk(KERN_WARNING, "Error parsing packet length; " |
251 | "rc = [%d]\n", rc); | 251 | "rc = [%d]\n", rc); |
252 | goto out; | 252 | goto out; |
253 | } | 253 | } |
254 | i += data_len; | 254 | i += data_len; |
255 | if (message_len < (i + m_size)) { | 255 | if (message_len < (i + m_size)) { |
256 | ecryptfs_printk(KERN_ERR, "The message received from ecryptfsd " | 256 | ecryptfs_printk(KERN_ERR, "The message received from ecryptfsd " |
257 | "is shorter than expected\n"); | 257 | "is shorter than expected\n"); |
258 | rc = -EIO; | 258 | rc = -EIO; |
259 | goto out; | 259 | goto out; |
260 | } | 260 | } |
261 | if (m_size < 3) { | 261 | if (m_size < 3) { |
262 | ecryptfs_printk(KERN_ERR, | 262 | ecryptfs_printk(KERN_ERR, |
263 | "The decrypted key is not long enough to " | 263 | "The decrypted key is not long enough to " |
264 | "include a cipher code and checksum\n"); | 264 | "include a cipher code and checksum\n"); |
265 | rc = -EIO; | 265 | rc = -EIO; |
266 | goto out; | 266 | goto out; |
267 | } | 267 | } |
268 | *cipher_code = data[i++]; | 268 | *cipher_code = data[i++]; |
269 | /* The decrypted key includes 1 byte cipher code and 2 byte checksum */ | 269 | /* The decrypted key includes 1 byte cipher code and 2 byte checksum */ |
270 | session_key->decrypted_key_size = m_size - 3; | 270 | session_key->decrypted_key_size = m_size - 3; |
271 | if (session_key->decrypted_key_size > ECRYPTFS_MAX_KEY_BYTES) { | 271 | if (session_key->decrypted_key_size > ECRYPTFS_MAX_KEY_BYTES) { |
272 | ecryptfs_printk(KERN_ERR, "key_size [%d] larger than " | 272 | ecryptfs_printk(KERN_ERR, "key_size [%d] larger than " |
273 | "the maximum key size [%d]\n", | 273 | "the maximum key size [%d]\n", |
274 | session_key->decrypted_key_size, | 274 | session_key->decrypted_key_size, |
275 | ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES); | 275 | ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES); |
276 | rc = -EIO; | 276 | rc = -EIO; |
277 | goto out; | 277 | goto out; |
278 | } | 278 | } |
279 | memcpy(session_key->decrypted_key, &data[i], | 279 | memcpy(session_key->decrypted_key, &data[i], |
280 | session_key->decrypted_key_size); | 280 | session_key->decrypted_key_size); |
281 | i += session_key->decrypted_key_size; | 281 | i += session_key->decrypted_key_size; |
282 | expected_checksum += (unsigned char)(data[i++]) << 8; | 282 | expected_checksum += (unsigned char)(data[i++]) << 8; |
283 | expected_checksum += (unsigned char)(data[i++]); | 283 | expected_checksum += (unsigned char)(data[i++]); |
284 | for (i = 0; i < session_key->decrypted_key_size; i++) | 284 | for (i = 0; i < session_key->decrypted_key_size; i++) |
285 | checksum += session_key->decrypted_key[i]; | 285 | checksum += session_key->decrypted_key[i]; |
286 | if (expected_checksum != checksum) { | 286 | if (expected_checksum != checksum) { |
287 | ecryptfs_printk(KERN_ERR, "Invalid checksum for file " | 287 | ecryptfs_printk(KERN_ERR, "Invalid checksum for file " |
288 | "encryption key; expected [%x]; calculated " | 288 | "encryption key; expected [%x]; calculated " |
289 | "[%x]\n", expected_checksum, checksum); | 289 | "[%x]\n", expected_checksum, checksum); |
290 | rc = -EIO; | 290 | rc = -EIO; |
291 | } | 291 | } |
292 | out: | 292 | out: |
293 | return rc; | 293 | return rc; |
294 | } | 294 | } |
295 | 295 | ||
296 | 296 | ||
297 | static int | 297 | static int |
298 | write_tag_66_packet(char *signature, u8 cipher_code, | 298 | write_tag_66_packet(char *signature, u8 cipher_code, |
299 | struct ecryptfs_crypt_stat *crypt_stat, char **packet, | 299 | struct ecryptfs_crypt_stat *crypt_stat, char **packet, |
300 | size_t *packet_len) | 300 | size_t *packet_len) |
301 | { | 301 | { |
302 | size_t i = 0; | 302 | size_t i = 0; |
303 | size_t j; | 303 | size_t j; |
304 | size_t data_len; | 304 | size_t data_len; |
305 | size_t checksum = 0; | 305 | size_t checksum = 0; |
306 | size_t packet_size_len; | 306 | size_t packet_size_len; |
307 | char *message; | 307 | char *message; |
308 | int rc; | 308 | int rc; |
309 | 309 | ||
310 | /* | 310 | /* |
311 | * ***** TAG 66 Packet Format ***** | 311 | * ***** TAG 66 Packet Format ***** |
312 | * | Content Type | 1 byte | | 312 | * | Content Type | 1 byte | |
313 | * | Key Identifier Size | 1 or 2 bytes | | 313 | * | Key Identifier Size | 1 or 2 bytes | |
314 | * | Key Identifier | arbitrary | | 314 | * | Key Identifier | arbitrary | |
315 | * | File Encryption Key Size | 1 or 2 bytes | | 315 | * | File Encryption Key Size | 1 or 2 bytes | |
316 | * | File Encryption Key | arbitrary | | 316 | * | File Encryption Key | arbitrary | |
317 | */ | 317 | */ |
318 | data_len = (5 + ECRYPTFS_SIG_SIZE_HEX + crypt_stat->key_size); | 318 | data_len = (5 + ECRYPTFS_SIG_SIZE_HEX + crypt_stat->key_size); |
319 | *packet = kmalloc(data_len, GFP_KERNEL); | 319 | *packet = kmalloc(data_len, GFP_KERNEL); |
320 | message = *packet; | 320 | message = *packet; |
321 | if (!message) { | 321 | if (!message) { |
322 | ecryptfs_printk(KERN_ERR, "Unable to allocate memory\n"); | 322 | ecryptfs_printk(KERN_ERR, "Unable to allocate memory\n"); |
323 | rc = -ENOMEM; | 323 | rc = -ENOMEM; |
324 | goto out; | 324 | goto out; |
325 | } | 325 | } |
326 | message[i++] = ECRYPTFS_TAG_66_PACKET_TYPE; | 326 | message[i++] = ECRYPTFS_TAG_66_PACKET_TYPE; |
327 | rc = ecryptfs_write_packet_length(&message[i], ECRYPTFS_SIG_SIZE_HEX, | 327 | rc = ecryptfs_write_packet_length(&message[i], ECRYPTFS_SIG_SIZE_HEX, |
328 | &packet_size_len); | 328 | &packet_size_len); |
329 | if (rc) { | 329 | if (rc) { |
330 | ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet " | 330 | ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet " |
331 | "header; cannot generate packet length\n"); | 331 | "header; cannot generate packet length\n"); |
332 | goto out; | 332 | goto out; |
333 | } | 333 | } |
334 | i += packet_size_len; | 334 | i += packet_size_len; |
335 | memcpy(&message[i], signature, ECRYPTFS_SIG_SIZE_HEX); | 335 | memcpy(&message[i], signature, ECRYPTFS_SIG_SIZE_HEX); |
336 | i += ECRYPTFS_SIG_SIZE_HEX; | 336 | i += ECRYPTFS_SIG_SIZE_HEX; |
337 | /* The encrypted key includes 1 byte cipher code and 2 byte checksum */ | 337 | /* The encrypted key includes 1 byte cipher code and 2 byte checksum */ |
338 | rc = ecryptfs_write_packet_length(&message[i], crypt_stat->key_size + 3, | 338 | rc = ecryptfs_write_packet_length(&message[i], crypt_stat->key_size + 3, |
339 | &packet_size_len); | 339 | &packet_size_len); |
340 | if (rc) { | 340 | if (rc) { |
341 | ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet " | 341 | ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet " |
342 | "header; cannot generate packet length\n"); | 342 | "header; cannot generate packet length\n"); |
343 | goto out; | 343 | goto out; |
344 | } | 344 | } |
345 | i += packet_size_len; | 345 | i += packet_size_len; |
346 | message[i++] = cipher_code; | 346 | message[i++] = cipher_code; |
347 | memcpy(&message[i], crypt_stat->key, crypt_stat->key_size); | 347 | memcpy(&message[i], crypt_stat->key, crypt_stat->key_size); |
348 | i += crypt_stat->key_size; | 348 | i += crypt_stat->key_size; |
349 | for (j = 0; j < crypt_stat->key_size; j++) | 349 | for (j = 0; j < crypt_stat->key_size; j++) |
350 | checksum += crypt_stat->key[j]; | 350 | checksum += crypt_stat->key[j]; |
351 | message[i++] = (checksum / 256) % 256; | 351 | message[i++] = (checksum / 256) % 256; |
352 | message[i++] = (checksum % 256); | 352 | message[i++] = (checksum % 256); |
353 | *packet_len = i; | 353 | *packet_len = i; |
354 | out: | 354 | out: |
355 | return rc; | 355 | return rc; |
356 | } | 356 | } |
357 | 357 | ||
358 | static int | 358 | static int |
359 | parse_tag_67_packet(struct ecryptfs_key_record *key_rec, | 359 | parse_tag_67_packet(struct ecryptfs_key_record *key_rec, |
360 | struct ecryptfs_message *msg) | 360 | struct ecryptfs_message *msg) |
361 | { | 361 | { |
362 | size_t i = 0; | 362 | size_t i = 0; |
363 | char *data; | 363 | char *data; |
364 | size_t data_len; | 364 | size_t data_len; |
365 | size_t message_len; | 365 | size_t message_len; |
366 | int rc; | 366 | int rc; |
367 | 367 | ||
368 | /* | 368 | /* |
369 | * ***** TAG 65 Packet Format ***** | 369 | * ***** TAG 65 Packet Format ***** |
370 | * | Content Type | 1 byte | | 370 | * | Content Type | 1 byte | |
371 | * | Status Indicator | 1 byte | | 371 | * | Status Indicator | 1 byte | |
372 | * | Encrypted File Encryption Key Size | 1 or 2 bytes | | 372 | * | Encrypted File Encryption Key Size | 1 or 2 bytes | |
373 | * | Encrypted File Encryption Key | arbitrary | | 373 | * | Encrypted File Encryption Key | arbitrary | |
374 | */ | 374 | */ |
375 | message_len = msg->data_len; | 375 | message_len = msg->data_len; |
376 | data = msg->data; | 376 | data = msg->data; |
377 | /* verify that everything through the encrypted FEK size is present */ | 377 | /* verify that everything through the encrypted FEK size is present */ |
378 | if (message_len < 4) { | 378 | if (message_len < 4) { |
379 | rc = -EIO; | 379 | rc = -EIO; |
380 | printk(KERN_ERR "%s: message_len is [%zd]; minimum acceptable " | 380 | printk(KERN_ERR "%s: message_len is [%zd]; minimum acceptable " |
381 | "message length is [%d]\n", __func__, message_len, 4); | 381 | "message length is [%d]\n", __func__, message_len, 4); |
382 | goto out; | 382 | goto out; |
383 | } | 383 | } |
384 | if (data[i++] != ECRYPTFS_TAG_67_PACKET_TYPE) { | 384 | if (data[i++] != ECRYPTFS_TAG_67_PACKET_TYPE) { |
385 | rc = -EIO; | 385 | rc = -EIO; |
386 | printk(KERN_ERR "%s: Type should be ECRYPTFS_TAG_67\n", | 386 | printk(KERN_ERR "%s: Type should be ECRYPTFS_TAG_67\n", |
387 | __func__); | 387 | __func__); |
388 | goto out; | 388 | goto out; |
389 | } | 389 | } |
390 | if (data[i++]) { | 390 | if (data[i++]) { |
391 | rc = -EIO; | 391 | rc = -EIO; |
392 | printk(KERN_ERR "%s: Status indicator has non zero " | 392 | printk(KERN_ERR "%s: Status indicator has non zero " |
393 | "value [%d]\n", __func__, data[i-1]); | 393 | "value [%d]\n", __func__, data[i-1]); |
394 | 394 | ||
395 | goto out; | 395 | goto out; |
396 | } | 396 | } |
397 | rc = ecryptfs_parse_packet_length(&data[i], &key_rec->enc_key_size, | 397 | rc = ecryptfs_parse_packet_length(&data[i], &key_rec->enc_key_size, |
398 | &data_len); | 398 | &data_len); |
399 | if (rc) { | 399 | if (rc) { |
400 | ecryptfs_printk(KERN_WARNING, "Error parsing packet length; " | 400 | ecryptfs_printk(KERN_WARNING, "Error parsing packet length; " |
401 | "rc = [%d]\n", rc); | 401 | "rc = [%d]\n", rc); |
402 | goto out; | 402 | goto out; |
403 | } | 403 | } |
404 | i += data_len; | 404 | i += data_len; |
405 | if (message_len < (i + key_rec->enc_key_size)) { | 405 | if (message_len < (i + key_rec->enc_key_size)) { |
406 | rc = -EIO; | 406 | rc = -EIO; |
407 | printk(KERN_ERR "%s: message_len [%zd]; max len is [%zd]\n", | 407 | printk(KERN_ERR "%s: message_len [%zd]; max len is [%zd]\n", |
408 | __func__, message_len, (i + key_rec->enc_key_size)); | 408 | __func__, message_len, (i + key_rec->enc_key_size)); |
409 | goto out; | 409 | goto out; |
410 | } | 410 | } |
411 | if (key_rec->enc_key_size > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) { | 411 | if (key_rec->enc_key_size > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) { |
412 | rc = -EIO; | 412 | rc = -EIO; |
413 | printk(KERN_ERR "%s: Encrypted key_size [%zd] larger than " | 413 | printk(KERN_ERR "%s: Encrypted key_size [%zd] larger than " |
414 | "the maximum key size [%d]\n", __func__, | 414 | "the maximum key size [%d]\n", __func__, |
415 | key_rec->enc_key_size, | 415 | key_rec->enc_key_size, |
416 | ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES); | 416 | ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES); |
417 | goto out; | 417 | goto out; |
418 | } | 418 | } |
419 | memcpy(key_rec->enc_key, &data[i], key_rec->enc_key_size); | 419 | memcpy(key_rec->enc_key, &data[i], key_rec->enc_key_size); |
420 | out: | 420 | out: |
421 | return rc; | 421 | return rc; |
422 | } | 422 | } |
423 | 423 | ||
424 | /** | 424 | /** |
425 | * ecryptfs_verify_version | 425 | * ecryptfs_verify_version |
426 | * @version: The version number to confirm | 426 | * @version: The version number to confirm |
427 | * | 427 | * |
428 | * Returns zero on good version; non-zero otherwise | 428 | * Returns zero on good version; non-zero otherwise |
429 | */ | 429 | */ |
430 | static int ecryptfs_verify_version(u16 version) | 430 | static int ecryptfs_verify_version(u16 version) |
431 | { | 431 | { |
432 | int rc = 0; | 432 | int rc = 0; |
433 | unsigned char major; | 433 | unsigned char major; |
434 | unsigned char minor; | 434 | unsigned char minor; |
435 | 435 | ||
436 | major = ((version >> 8) & 0xFF); | 436 | major = ((version >> 8) & 0xFF); |
437 | minor = (version & 0xFF); | 437 | minor = (version & 0xFF); |
438 | if (major != ECRYPTFS_VERSION_MAJOR) { | 438 | if (major != ECRYPTFS_VERSION_MAJOR) { |
439 | ecryptfs_printk(KERN_ERR, "Major version number mismatch. " | 439 | ecryptfs_printk(KERN_ERR, "Major version number mismatch. " |
440 | "Expected [%d]; got [%d]\n", | 440 | "Expected [%d]; got [%d]\n", |
441 | ECRYPTFS_VERSION_MAJOR, major); | 441 | ECRYPTFS_VERSION_MAJOR, major); |
442 | rc = -EINVAL; | 442 | rc = -EINVAL; |
443 | goto out; | 443 | goto out; |
444 | } | 444 | } |
445 | if (minor != ECRYPTFS_VERSION_MINOR) { | 445 | if (minor != ECRYPTFS_VERSION_MINOR) { |
446 | ecryptfs_printk(KERN_ERR, "Minor version number mismatch. " | 446 | ecryptfs_printk(KERN_ERR, "Minor version number mismatch. " |
447 | "Expected [%d]; got [%d]\n", | 447 | "Expected [%d]; got [%d]\n", |
448 | ECRYPTFS_VERSION_MINOR, minor); | 448 | ECRYPTFS_VERSION_MINOR, minor); |
449 | rc = -EINVAL; | 449 | rc = -EINVAL; |
450 | goto out; | 450 | goto out; |
451 | } | 451 | } |
452 | out: | 452 | out: |
453 | return rc; | 453 | return rc; |
454 | } | 454 | } |
455 | 455 | ||
456 | /** | 456 | /** |
457 | * ecryptfs_verify_auth_tok_from_key | 457 | * ecryptfs_verify_auth_tok_from_key |
458 | * @auth_tok_key: key containing the authentication token | 458 | * @auth_tok_key: key containing the authentication token |
459 | * @auth_tok: authentication token | 459 | * @auth_tok: authentication token |
460 | * | 460 | * |
461 | * Returns zero on valid auth tok; -EINVAL otherwise | 461 | * Returns zero on valid auth tok; -EINVAL otherwise |
462 | */ | 462 | */ |
463 | static int | 463 | static int |
464 | ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key, | 464 | ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key, |
465 | struct ecryptfs_auth_tok **auth_tok) | 465 | struct ecryptfs_auth_tok **auth_tok) |
466 | { | 466 | { |
467 | int rc = 0; | 467 | int rc = 0; |
468 | 468 | ||
469 | (*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key); | 469 | (*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key); |
470 | if (ecryptfs_verify_version((*auth_tok)->version)) { | 470 | if (ecryptfs_verify_version((*auth_tok)->version)) { |
471 | printk(KERN_ERR "Data structure version mismatch. Userspace " | 471 | printk(KERN_ERR "Data structure version mismatch. Userspace " |
472 | "tools must match eCryptfs kernel module with major " | 472 | "tools must match eCryptfs kernel module with major " |
473 | "version [%d] and minor version [%d]\n", | 473 | "version [%d] and minor version [%d]\n", |
474 | ECRYPTFS_VERSION_MAJOR, ECRYPTFS_VERSION_MINOR); | 474 | ECRYPTFS_VERSION_MAJOR, ECRYPTFS_VERSION_MINOR); |
475 | rc = -EINVAL; | 475 | rc = -EINVAL; |
476 | goto out; | 476 | goto out; |
477 | } | 477 | } |
478 | if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD | 478 | if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD |
479 | && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) { | 479 | && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) { |
480 | printk(KERN_ERR "Invalid auth_tok structure " | 480 | printk(KERN_ERR "Invalid auth_tok structure " |
481 | "returned from key query\n"); | 481 | "returned from key query\n"); |
482 | rc = -EINVAL; | 482 | rc = -EINVAL; |
483 | goto out; | 483 | goto out; |
484 | } | 484 | } |
485 | out: | 485 | out: |
486 | return rc; | 486 | return rc; |
487 | } | 487 | } |
488 | 488 | ||
489 | static int | 489 | static int |
490 | ecryptfs_find_global_auth_tok_for_sig( | 490 | ecryptfs_find_global_auth_tok_for_sig( |
491 | struct key **auth_tok_key, | 491 | struct key **auth_tok_key, |
492 | struct ecryptfs_auth_tok **auth_tok, | 492 | struct ecryptfs_auth_tok **auth_tok, |
493 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, char *sig) | 493 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, char *sig) |
494 | { | 494 | { |
495 | struct ecryptfs_global_auth_tok *walker; | 495 | struct ecryptfs_global_auth_tok *walker; |
496 | int rc = 0; | 496 | int rc = 0; |
497 | 497 | ||
498 | (*auth_tok_key) = NULL; | 498 | (*auth_tok_key) = NULL; |
499 | (*auth_tok) = NULL; | 499 | (*auth_tok) = NULL; |
500 | mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); | 500 | mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); |
501 | list_for_each_entry(walker, | 501 | list_for_each_entry(walker, |
502 | &mount_crypt_stat->global_auth_tok_list, | 502 | &mount_crypt_stat->global_auth_tok_list, |
503 | mount_crypt_stat_list) { | 503 | mount_crypt_stat_list) { |
504 | if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX)) | 504 | if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX)) |
505 | continue; | 505 | continue; |
506 | 506 | ||
507 | if (walker->flags & ECRYPTFS_AUTH_TOK_INVALID) { | 507 | if (walker->flags & ECRYPTFS_AUTH_TOK_INVALID) { |
508 | rc = -EINVAL; | 508 | rc = -EINVAL; |
509 | goto out; | 509 | goto out; |
510 | } | 510 | } |
511 | 511 | ||
512 | rc = key_validate(walker->global_auth_tok_key); | 512 | rc = key_validate(walker->global_auth_tok_key); |
513 | if (rc) { | 513 | if (rc) { |
514 | if (rc == -EKEYEXPIRED) | 514 | if (rc == -EKEYEXPIRED) |
515 | goto out; | 515 | goto out; |
516 | goto out_invalid_auth_tok; | 516 | goto out_invalid_auth_tok; |
517 | } | 517 | } |
518 | 518 | ||
519 | down_write(&(walker->global_auth_tok_key->sem)); | 519 | down_write(&(walker->global_auth_tok_key->sem)); |
520 | rc = ecryptfs_verify_auth_tok_from_key( | 520 | rc = ecryptfs_verify_auth_tok_from_key( |
521 | walker->global_auth_tok_key, auth_tok); | 521 | walker->global_auth_tok_key, auth_tok); |
522 | if (rc) | 522 | if (rc) |
523 | goto out_invalid_auth_tok_unlock; | 523 | goto out_invalid_auth_tok_unlock; |
524 | 524 | ||
525 | (*auth_tok_key) = walker->global_auth_tok_key; | 525 | (*auth_tok_key) = walker->global_auth_tok_key; |
526 | key_get(*auth_tok_key); | 526 | key_get(*auth_tok_key); |
527 | goto out; | 527 | goto out; |
528 | } | 528 | } |
529 | rc = -ENOENT; | 529 | rc = -ENOENT; |
530 | goto out; | 530 | goto out; |
531 | out_invalid_auth_tok_unlock: | 531 | out_invalid_auth_tok_unlock: |
532 | up_write(&(walker->global_auth_tok_key->sem)); | 532 | up_write(&(walker->global_auth_tok_key->sem)); |
533 | out_invalid_auth_tok: | 533 | out_invalid_auth_tok: |
534 | printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig); | 534 | printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig); |
535 | walker->flags |= ECRYPTFS_AUTH_TOK_INVALID; | 535 | walker->flags |= ECRYPTFS_AUTH_TOK_INVALID; |
536 | key_put(walker->global_auth_tok_key); | 536 | key_put(walker->global_auth_tok_key); |
537 | walker->global_auth_tok_key = NULL; | 537 | walker->global_auth_tok_key = NULL; |
538 | out: | 538 | out: |
539 | mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); | 539 | mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); |
540 | return rc; | 540 | return rc; |
541 | } | 541 | } |
542 | 542 | ||
543 | /** | 543 | /** |
544 | * ecryptfs_find_auth_tok_for_sig | 544 | * ecryptfs_find_auth_tok_for_sig |
545 | * @auth_tok: Set to the matching auth_tok; NULL if not found | 545 | * @auth_tok: Set to the matching auth_tok; NULL if not found |
546 | * @crypt_stat: inode crypt_stat crypto context | 546 | * @crypt_stat: inode crypt_stat crypto context |
547 | * @sig: Sig of auth_tok to find | 547 | * @sig: Sig of auth_tok to find |
548 | * | 548 | * |
549 | * For now, this function simply looks at the registered auth_tok's | 549 | * For now, this function simply looks at the registered auth_tok's |
550 | * linked off the mount_crypt_stat, so all the auth_toks that can be | 550 | * linked off the mount_crypt_stat, so all the auth_toks that can be |
551 | * used must be registered at mount time. This function could | 551 | * used must be registered at mount time. This function could |
552 | * potentially try a lot harder to find auth_tok's (e.g., by calling | 552 | * potentially try a lot harder to find auth_tok's (e.g., by calling |
553 | * out to ecryptfsd to dynamically retrieve an auth_tok object) so | 553 | * out to ecryptfsd to dynamically retrieve an auth_tok object) so |
554 | * that static registration of auth_tok's will no longer be necessary. | 554 | * that static registration of auth_tok's will no longer be necessary. |
555 | * | 555 | * |
556 | * Returns zero on no error; non-zero on error | 556 | * Returns zero on no error; non-zero on error |
557 | */ | 557 | */ |
558 | static int | 558 | static int |
559 | ecryptfs_find_auth_tok_for_sig( | 559 | ecryptfs_find_auth_tok_for_sig( |
560 | struct key **auth_tok_key, | 560 | struct key **auth_tok_key, |
561 | struct ecryptfs_auth_tok **auth_tok, | 561 | struct ecryptfs_auth_tok **auth_tok, |
562 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, | 562 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, |
563 | char *sig) | 563 | char *sig) |
564 | { | 564 | { |
565 | int rc = 0; | 565 | int rc = 0; |
566 | 566 | ||
567 | rc = ecryptfs_find_global_auth_tok_for_sig(auth_tok_key, auth_tok, | 567 | rc = ecryptfs_find_global_auth_tok_for_sig(auth_tok_key, auth_tok, |
568 | mount_crypt_stat, sig); | 568 | mount_crypt_stat, sig); |
569 | if (rc == -ENOENT) { | 569 | if (rc == -ENOENT) { |
570 | /* if the flag ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY is set in the | 570 | /* if the flag ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY is set in the |
571 | * mount_crypt_stat structure, we prevent to use auth toks that | 571 | * mount_crypt_stat structure, we prevent to use auth toks that |
572 | * are not inserted through the ecryptfs_add_global_auth_tok | 572 | * are not inserted through the ecryptfs_add_global_auth_tok |
573 | * function. | 573 | * function. |
574 | */ | 574 | */ |
575 | if (mount_crypt_stat->flags | 575 | if (mount_crypt_stat->flags |
576 | & ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY) | 576 | & ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY) |
577 | return -EINVAL; | 577 | return -EINVAL; |
578 | 578 | ||
579 | rc = ecryptfs_keyring_auth_tok_for_sig(auth_tok_key, auth_tok, | 579 | rc = ecryptfs_keyring_auth_tok_for_sig(auth_tok_key, auth_tok, |
580 | sig); | 580 | sig); |
581 | } | 581 | } |
582 | return rc; | 582 | return rc; |
583 | } | 583 | } |
584 | 584 | ||
585 | /** | 585 | /** |
586 | * write_tag_70_packet can gobble a lot of stack space. We stuff most | 586 | * write_tag_70_packet can gobble a lot of stack space. We stuff most |
587 | * of the function's parameters in a kmalloc'd struct to help reduce | 587 | * of the function's parameters in a kmalloc'd struct to help reduce |
588 | * eCryptfs' overall stack usage. | 588 | * eCryptfs' overall stack usage. |
589 | */ | 589 | */ |
590 | struct ecryptfs_write_tag_70_packet_silly_stack { | 590 | struct ecryptfs_write_tag_70_packet_silly_stack { |
591 | u8 cipher_code; | 591 | u8 cipher_code; |
592 | size_t max_packet_size; | 592 | size_t max_packet_size; |
593 | size_t packet_size_len; | 593 | size_t packet_size_len; |
594 | size_t block_aligned_filename_size; | 594 | size_t block_aligned_filename_size; |
595 | size_t block_size; | 595 | size_t block_size; |
596 | size_t i; | 596 | size_t i; |
597 | size_t j; | 597 | size_t j; |
598 | size_t num_rand_bytes; | 598 | size_t num_rand_bytes; |
599 | struct mutex *tfm_mutex; | 599 | struct mutex *tfm_mutex; |
600 | char *block_aligned_filename; | 600 | char *block_aligned_filename; |
601 | struct ecryptfs_auth_tok *auth_tok; | 601 | struct ecryptfs_auth_tok *auth_tok; |
602 | struct scatterlist src_sg[2]; | 602 | struct scatterlist src_sg[2]; |
603 | struct scatterlist dst_sg[2]; | 603 | struct scatterlist dst_sg[2]; |
604 | struct blkcipher_desc desc; | 604 | struct blkcipher_desc desc; |
605 | char iv[ECRYPTFS_MAX_IV_BYTES]; | 605 | char iv[ECRYPTFS_MAX_IV_BYTES]; |
606 | char hash[ECRYPTFS_TAG_70_DIGEST_SIZE]; | 606 | char hash[ECRYPTFS_TAG_70_DIGEST_SIZE]; |
607 | char tmp_hash[ECRYPTFS_TAG_70_DIGEST_SIZE]; | 607 | char tmp_hash[ECRYPTFS_TAG_70_DIGEST_SIZE]; |
608 | struct hash_desc hash_desc; | 608 | struct hash_desc hash_desc; |
609 | struct scatterlist hash_sg; | 609 | struct scatterlist hash_sg; |
610 | }; | 610 | }; |
611 | 611 | ||
612 | /** | 612 | /** |
613 | * write_tag_70_packet - Write encrypted filename (EFN) packet against FNEK | 613 | * write_tag_70_packet - Write encrypted filename (EFN) packet against FNEK |
614 | * @filename: NULL-terminated filename string | 614 | * @filename: NULL-terminated filename string |
615 | * | 615 | * |
616 | * This is the simplest mechanism for achieving filename encryption in | 616 | * This is the simplest mechanism for achieving filename encryption in |
617 | * eCryptfs. It encrypts the given filename with the mount-wide | 617 | * eCryptfs. It encrypts the given filename with the mount-wide |
618 | * filename encryption key (FNEK) and stores it in a packet to @dest, | 618 | * filename encryption key (FNEK) and stores it in a packet to @dest, |
619 | * which the callee will encode and write directly into the dentry | 619 | * which the callee will encode and write directly into the dentry |
620 | * name. | 620 | * name. |
621 | */ | 621 | */ |
622 | int | 622 | int |
623 | ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes, | 623 | ecryptfs_write_tag_70_packet(char *dest, size_t *remaining_bytes, |
624 | size_t *packet_size, | 624 | size_t *packet_size, |
625 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, | 625 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, |
626 | char *filename, size_t filename_size) | 626 | char *filename, size_t filename_size) |
627 | { | 627 | { |
628 | struct ecryptfs_write_tag_70_packet_silly_stack *s; | 628 | struct ecryptfs_write_tag_70_packet_silly_stack *s; |
629 | struct key *auth_tok_key = NULL; | 629 | struct key *auth_tok_key = NULL; |
630 | int rc = 0; | 630 | int rc = 0; |
631 | 631 | ||
632 | s = kmalloc(sizeof(*s), GFP_KERNEL); | 632 | s = kmalloc(sizeof(*s), GFP_KERNEL); |
633 | if (!s) { | 633 | if (!s) { |
634 | printk(KERN_ERR "%s: Out of memory whilst trying to kmalloc " | 634 | printk(KERN_ERR "%s: Out of memory whilst trying to kmalloc " |
635 | "[%zd] bytes of kernel memory\n", __func__, sizeof(*s)); | 635 | "[%zd] bytes of kernel memory\n", __func__, sizeof(*s)); |
636 | rc = -ENOMEM; | 636 | rc = -ENOMEM; |
637 | goto out; | 637 | goto out; |
638 | } | 638 | } |
639 | s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP; | 639 | s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP; |
640 | (*packet_size) = 0; | 640 | (*packet_size) = 0; |
641 | rc = ecryptfs_find_auth_tok_for_sig( | 641 | rc = ecryptfs_find_auth_tok_for_sig( |
642 | &auth_tok_key, | 642 | &auth_tok_key, |
643 | &s->auth_tok, mount_crypt_stat, | 643 | &s->auth_tok, mount_crypt_stat, |
644 | mount_crypt_stat->global_default_fnek_sig); | 644 | mount_crypt_stat->global_default_fnek_sig); |
645 | if (rc) { | 645 | if (rc) { |
646 | printk(KERN_ERR "%s: Error attempting to find auth tok for " | 646 | printk(KERN_ERR "%s: Error attempting to find auth tok for " |
647 | "fnek sig [%s]; rc = [%d]\n", __func__, | 647 | "fnek sig [%s]; rc = [%d]\n", __func__, |
648 | mount_crypt_stat->global_default_fnek_sig, rc); | 648 | mount_crypt_stat->global_default_fnek_sig, rc); |
649 | goto out; | 649 | goto out; |
650 | } | 650 | } |
651 | rc = ecryptfs_get_tfm_and_mutex_for_cipher_name( | 651 | rc = ecryptfs_get_tfm_and_mutex_for_cipher_name( |
652 | &s->desc.tfm, | 652 | &s->desc.tfm, |
653 | &s->tfm_mutex, mount_crypt_stat->global_default_fn_cipher_name); | 653 | &s->tfm_mutex, mount_crypt_stat->global_default_fn_cipher_name); |
654 | if (unlikely(rc)) { | 654 | if (unlikely(rc)) { |
655 | printk(KERN_ERR "Internal error whilst attempting to get " | 655 | printk(KERN_ERR "Internal error whilst attempting to get " |
656 | "tfm and mutex for cipher name [%s]; rc = [%d]\n", | 656 | "tfm and mutex for cipher name [%s]; rc = [%d]\n", |
657 | mount_crypt_stat->global_default_fn_cipher_name, rc); | 657 | mount_crypt_stat->global_default_fn_cipher_name, rc); |
658 | goto out; | 658 | goto out; |
659 | } | 659 | } |
660 | mutex_lock(s->tfm_mutex); | 660 | mutex_lock(s->tfm_mutex); |
661 | s->block_size = crypto_blkcipher_blocksize(s->desc.tfm); | 661 | s->block_size = crypto_blkcipher_blocksize(s->desc.tfm); |
662 | /* Plus one for the \0 separator between the random prefix | 662 | /* Plus one for the \0 separator between the random prefix |
663 | * and the plaintext filename */ | 663 | * and the plaintext filename */ |
664 | s->num_rand_bytes = (ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES + 1); | 664 | s->num_rand_bytes = (ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES + 1); |
665 | s->block_aligned_filename_size = (s->num_rand_bytes + filename_size); | 665 | s->block_aligned_filename_size = (s->num_rand_bytes + filename_size); |
666 | if ((s->block_aligned_filename_size % s->block_size) != 0) { | 666 | if ((s->block_aligned_filename_size % s->block_size) != 0) { |
667 | s->num_rand_bytes += (s->block_size | 667 | s->num_rand_bytes += (s->block_size |
668 | - (s->block_aligned_filename_size | 668 | - (s->block_aligned_filename_size |
669 | % s->block_size)); | 669 | % s->block_size)); |
670 | s->block_aligned_filename_size = (s->num_rand_bytes | 670 | s->block_aligned_filename_size = (s->num_rand_bytes |
671 | + filename_size); | 671 | + filename_size); |
672 | } | 672 | } |
673 | /* Octet 0: Tag 70 identifier | 673 | /* Octet 0: Tag 70 identifier |
674 | * Octets 1-N1: Tag 70 packet size (includes cipher identifier | 674 | * Octets 1-N1: Tag 70 packet size (includes cipher identifier |
675 | * and block-aligned encrypted filename size) | 675 | * and block-aligned encrypted filename size) |
676 | * Octets N1-N2: FNEK sig (ECRYPTFS_SIG_SIZE) | 676 | * Octets N1-N2: FNEK sig (ECRYPTFS_SIG_SIZE) |
677 | * Octet N2-N3: Cipher identifier (1 octet) | 677 | * Octet N2-N3: Cipher identifier (1 octet) |
678 | * Octets N3-N4: Block-aligned encrypted filename | 678 | * Octets N3-N4: Block-aligned encrypted filename |
679 | * - Consists of a minimum number of random characters, a \0 | 679 | * - Consists of a minimum number of random characters, a \0 |
680 | * separator, and then the filename */ | 680 | * separator, and then the filename */ |
681 | s->max_packet_size = (ECRYPTFS_TAG_70_MAX_METADATA_SIZE | 681 | s->max_packet_size = (ECRYPTFS_TAG_70_MAX_METADATA_SIZE |
682 | + s->block_aligned_filename_size); | 682 | + s->block_aligned_filename_size); |
683 | if (dest == NULL) { | 683 | if (dest == NULL) { |
684 | (*packet_size) = s->max_packet_size; | 684 | (*packet_size) = s->max_packet_size; |
685 | goto out_unlock; | 685 | goto out_unlock; |
686 | } | 686 | } |
687 | if (s->max_packet_size > (*remaining_bytes)) { | 687 | if (s->max_packet_size > (*remaining_bytes)) { |
688 | printk(KERN_WARNING "%s: Require [%zd] bytes to write; only " | 688 | printk(KERN_WARNING "%s: Require [%zd] bytes to write; only " |
689 | "[%zd] available\n", __func__, s->max_packet_size, | 689 | "[%zd] available\n", __func__, s->max_packet_size, |
690 | (*remaining_bytes)); | 690 | (*remaining_bytes)); |
691 | rc = -EINVAL; | 691 | rc = -EINVAL; |
692 | goto out_unlock; | 692 | goto out_unlock; |
693 | } | 693 | } |
694 | s->block_aligned_filename = kzalloc(s->block_aligned_filename_size, | 694 | s->block_aligned_filename = kzalloc(s->block_aligned_filename_size, |
695 | GFP_KERNEL); | 695 | GFP_KERNEL); |
696 | if (!s->block_aligned_filename) { | 696 | if (!s->block_aligned_filename) { |
697 | printk(KERN_ERR "%s: Out of kernel memory whilst attempting to " | 697 | printk(KERN_ERR "%s: Out of kernel memory whilst attempting to " |
698 | "kzalloc [%zd] bytes\n", __func__, | 698 | "kzalloc [%zd] bytes\n", __func__, |
699 | s->block_aligned_filename_size); | 699 | s->block_aligned_filename_size); |
700 | rc = -ENOMEM; | 700 | rc = -ENOMEM; |
701 | goto out_unlock; | 701 | goto out_unlock; |
702 | } | 702 | } |
703 | s->i = 0; | 703 | s->i = 0; |
704 | dest[s->i++] = ECRYPTFS_TAG_70_PACKET_TYPE; | 704 | dest[s->i++] = ECRYPTFS_TAG_70_PACKET_TYPE; |
705 | rc = ecryptfs_write_packet_length(&dest[s->i], | 705 | rc = ecryptfs_write_packet_length(&dest[s->i], |
706 | (ECRYPTFS_SIG_SIZE | 706 | (ECRYPTFS_SIG_SIZE |
707 | + 1 /* Cipher code */ | 707 | + 1 /* Cipher code */ |
708 | + s->block_aligned_filename_size), | 708 | + s->block_aligned_filename_size), |
709 | &s->packet_size_len); | 709 | &s->packet_size_len); |
710 | if (rc) { | 710 | if (rc) { |
711 | printk(KERN_ERR "%s: Error generating tag 70 packet " | 711 | printk(KERN_ERR "%s: Error generating tag 70 packet " |
712 | "header; cannot generate packet length; rc = [%d]\n", | 712 | "header; cannot generate packet length; rc = [%d]\n", |
713 | __func__, rc); | 713 | __func__, rc); |
714 | goto out_free_unlock; | 714 | goto out_free_unlock; |
715 | } | 715 | } |
716 | s->i += s->packet_size_len; | 716 | s->i += s->packet_size_len; |
717 | ecryptfs_from_hex(&dest[s->i], | 717 | ecryptfs_from_hex(&dest[s->i], |
718 | mount_crypt_stat->global_default_fnek_sig, | 718 | mount_crypt_stat->global_default_fnek_sig, |
719 | ECRYPTFS_SIG_SIZE); | 719 | ECRYPTFS_SIG_SIZE); |
720 | s->i += ECRYPTFS_SIG_SIZE; | 720 | s->i += ECRYPTFS_SIG_SIZE; |
721 | s->cipher_code = ecryptfs_code_for_cipher_string( | 721 | s->cipher_code = ecryptfs_code_for_cipher_string( |
722 | mount_crypt_stat->global_default_fn_cipher_name, | 722 | mount_crypt_stat->global_default_fn_cipher_name, |
723 | mount_crypt_stat->global_default_fn_cipher_key_bytes); | 723 | mount_crypt_stat->global_default_fn_cipher_key_bytes); |
724 | if (s->cipher_code == 0) { | 724 | if (s->cipher_code == 0) { |
725 | printk(KERN_WARNING "%s: Unable to generate code for " | 725 | printk(KERN_WARNING "%s: Unable to generate code for " |
726 | "cipher [%s] with key bytes [%zd]\n", __func__, | 726 | "cipher [%s] with key bytes [%zd]\n", __func__, |
727 | mount_crypt_stat->global_default_fn_cipher_name, | 727 | mount_crypt_stat->global_default_fn_cipher_name, |
728 | mount_crypt_stat->global_default_fn_cipher_key_bytes); | 728 | mount_crypt_stat->global_default_fn_cipher_key_bytes); |
729 | rc = -EINVAL; | 729 | rc = -EINVAL; |
730 | goto out_free_unlock; | 730 | goto out_free_unlock; |
731 | } | 731 | } |
732 | dest[s->i++] = s->cipher_code; | 732 | dest[s->i++] = s->cipher_code; |
733 | /* TODO: Support other key modules than passphrase for | 733 | /* TODO: Support other key modules than passphrase for |
734 | * filename encryption */ | 734 | * filename encryption */ |
735 | if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) { | 735 | if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) { |
736 | rc = -EOPNOTSUPP; | 736 | rc = -EOPNOTSUPP; |
737 | printk(KERN_INFO "%s: Filename encryption only supports " | 737 | printk(KERN_INFO "%s: Filename encryption only supports " |
738 | "password tokens\n", __func__); | 738 | "password tokens\n", __func__); |
739 | goto out_free_unlock; | 739 | goto out_free_unlock; |
740 | } | 740 | } |
741 | sg_init_one( | 741 | sg_init_one( |
742 | &s->hash_sg, | 742 | &s->hash_sg, |
743 | (u8 *)s->auth_tok->token.password.session_key_encryption_key, | 743 | (u8 *)s->auth_tok->token.password.session_key_encryption_key, |
744 | s->auth_tok->token.password.session_key_encryption_key_bytes); | 744 | s->auth_tok->token.password.session_key_encryption_key_bytes); |
745 | s->hash_desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP; | 745 | s->hash_desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP; |
746 | s->hash_desc.tfm = crypto_alloc_hash(ECRYPTFS_TAG_70_DIGEST, 0, | 746 | s->hash_desc.tfm = crypto_alloc_hash(ECRYPTFS_TAG_70_DIGEST, 0, |
747 | CRYPTO_ALG_ASYNC); | 747 | CRYPTO_ALG_ASYNC); |
748 | if (IS_ERR(s->hash_desc.tfm)) { | 748 | if (IS_ERR(s->hash_desc.tfm)) { |
749 | rc = PTR_ERR(s->hash_desc.tfm); | 749 | rc = PTR_ERR(s->hash_desc.tfm); |
750 | printk(KERN_ERR "%s: Error attempting to " | 750 | printk(KERN_ERR "%s: Error attempting to " |
751 | "allocate hash crypto context; rc = [%d]\n", | 751 | "allocate hash crypto context; rc = [%d]\n", |
752 | __func__, rc); | 752 | __func__, rc); |
753 | goto out_free_unlock; | 753 | goto out_free_unlock; |
754 | } | 754 | } |
755 | rc = crypto_hash_init(&s->hash_desc); | 755 | rc = crypto_hash_init(&s->hash_desc); |
756 | if (rc) { | 756 | if (rc) { |
757 | printk(KERN_ERR | 757 | printk(KERN_ERR |
758 | "%s: Error initializing crypto hash; rc = [%d]\n", | 758 | "%s: Error initializing crypto hash; rc = [%d]\n", |
759 | __func__, rc); | 759 | __func__, rc); |
760 | goto out_release_free_unlock; | 760 | goto out_release_free_unlock; |
761 | } | 761 | } |
762 | rc = crypto_hash_update( | 762 | rc = crypto_hash_update( |
763 | &s->hash_desc, &s->hash_sg, | 763 | &s->hash_desc, &s->hash_sg, |
764 | s->auth_tok->token.password.session_key_encryption_key_bytes); | 764 | s->auth_tok->token.password.session_key_encryption_key_bytes); |
765 | if (rc) { | 765 | if (rc) { |
766 | printk(KERN_ERR | 766 | printk(KERN_ERR |
767 | "%s: Error updating crypto hash; rc = [%d]\n", | 767 | "%s: Error updating crypto hash; rc = [%d]\n", |
768 | __func__, rc); | 768 | __func__, rc); |
769 | goto out_release_free_unlock; | 769 | goto out_release_free_unlock; |
770 | } | 770 | } |
771 | rc = crypto_hash_final(&s->hash_desc, s->hash); | 771 | rc = crypto_hash_final(&s->hash_desc, s->hash); |
772 | if (rc) { | 772 | if (rc) { |
773 | printk(KERN_ERR | 773 | printk(KERN_ERR |
774 | "%s: Error finalizing crypto hash; rc = [%d]\n", | 774 | "%s: Error finalizing crypto hash; rc = [%d]\n", |
775 | __func__, rc); | 775 | __func__, rc); |
776 | goto out_release_free_unlock; | 776 | goto out_release_free_unlock; |
777 | } | 777 | } |
778 | for (s->j = 0; s->j < (s->num_rand_bytes - 1); s->j++) { | 778 | for (s->j = 0; s->j < (s->num_rand_bytes - 1); s->j++) { |
779 | s->block_aligned_filename[s->j] = | 779 | s->block_aligned_filename[s->j] = |
780 | s->hash[(s->j % ECRYPTFS_TAG_70_DIGEST_SIZE)]; | 780 | s->hash[(s->j % ECRYPTFS_TAG_70_DIGEST_SIZE)]; |
781 | if ((s->j % ECRYPTFS_TAG_70_DIGEST_SIZE) | 781 | if ((s->j % ECRYPTFS_TAG_70_DIGEST_SIZE) |
782 | == (ECRYPTFS_TAG_70_DIGEST_SIZE - 1)) { | 782 | == (ECRYPTFS_TAG_70_DIGEST_SIZE - 1)) { |
783 | sg_init_one(&s->hash_sg, (u8 *)s->hash, | 783 | sg_init_one(&s->hash_sg, (u8 *)s->hash, |
784 | ECRYPTFS_TAG_70_DIGEST_SIZE); | 784 | ECRYPTFS_TAG_70_DIGEST_SIZE); |
785 | rc = crypto_hash_init(&s->hash_desc); | 785 | rc = crypto_hash_init(&s->hash_desc); |
786 | if (rc) { | 786 | if (rc) { |
787 | printk(KERN_ERR | 787 | printk(KERN_ERR |
788 | "%s: Error initializing crypto hash; " | 788 | "%s: Error initializing crypto hash; " |
789 | "rc = [%d]\n", __func__, rc); | 789 | "rc = [%d]\n", __func__, rc); |
790 | goto out_release_free_unlock; | 790 | goto out_release_free_unlock; |
791 | } | 791 | } |
792 | rc = crypto_hash_update(&s->hash_desc, &s->hash_sg, | 792 | rc = crypto_hash_update(&s->hash_desc, &s->hash_sg, |
793 | ECRYPTFS_TAG_70_DIGEST_SIZE); | 793 | ECRYPTFS_TAG_70_DIGEST_SIZE); |
794 | if (rc) { | 794 | if (rc) { |
795 | printk(KERN_ERR | 795 | printk(KERN_ERR |
796 | "%s: Error updating crypto hash; " | 796 | "%s: Error updating crypto hash; " |
797 | "rc = [%d]\n", __func__, rc); | 797 | "rc = [%d]\n", __func__, rc); |
798 | goto out_release_free_unlock; | 798 | goto out_release_free_unlock; |
799 | } | 799 | } |
800 | rc = crypto_hash_final(&s->hash_desc, s->tmp_hash); | 800 | rc = crypto_hash_final(&s->hash_desc, s->tmp_hash); |
801 | if (rc) { | 801 | if (rc) { |
802 | printk(KERN_ERR | 802 | printk(KERN_ERR |
803 | "%s: Error finalizing crypto hash; " | 803 | "%s: Error finalizing crypto hash; " |
804 | "rc = [%d]\n", __func__, rc); | 804 | "rc = [%d]\n", __func__, rc); |
805 | goto out_release_free_unlock; | 805 | goto out_release_free_unlock; |
806 | } | 806 | } |
807 | memcpy(s->hash, s->tmp_hash, | 807 | memcpy(s->hash, s->tmp_hash, |
808 | ECRYPTFS_TAG_70_DIGEST_SIZE); | 808 | ECRYPTFS_TAG_70_DIGEST_SIZE); |
809 | } | 809 | } |
810 | if (s->block_aligned_filename[s->j] == '\0') | 810 | if (s->block_aligned_filename[s->j] == '\0') |
811 | s->block_aligned_filename[s->j] = ECRYPTFS_NON_NULL; | 811 | s->block_aligned_filename[s->j] = ECRYPTFS_NON_NULL; |
812 | } | 812 | } |
813 | memcpy(&s->block_aligned_filename[s->num_rand_bytes], filename, | 813 | memcpy(&s->block_aligned_filename[s->num_rand_bytes], filename, |
814 | filename_size); | 814 | filename_size); |
815 | rc = virt_to_scatterlist(s->block_aligned_filename, | 815 | rc = virt_to_scatterlist(s->block_aligned_filename, |
816 | s->block_aligned_filename_size, s->src_sg, 2); | 816 | s->block_aligned_filename_size, s->src_sg, 2); |
817 | if (rc < 1) { | 817 | if (rc < 1) { |
818 | printk(KERN_ERR "%s: Internal error whilst attempting to " | 818 | printk(KERN_ERR "%s: Internal error whilst attempting to " |
819 | "convert filename memory to scatterlist; rc = [%d]. " | 819 | "convert filename memory to scatterlist; rc = [%d]. " |
820 | "block_aligned_filename_size = [%zd]\n", __func__, rc, | 820 | "block_aligned_filename_size = [%zd]\n", __func__, rc, |
821 | s->block_aligned_filename_size); | 821 | s->block_aligned_filename_size); |
822 | goto out_release_free_unlock; | 822 | goto out_release_free_unlock; |
823 | } | 823 | } |
824 | rc = virt_to_scatterlist(&dest[s->i], s->block_aligned_filename_size, | 824 | rc = virt_to_scatterlist(&dest[s->i], s->block_aligned_filename_size, |
825 | s->dst_sg, 2); | 825 | s->dst_sg, 2); |
826 | if (rc < 1) { | 826 | if (rc < 1) { |
827 | printk(KERN_ERR "%s: Internal error whilst attempting to " | 827 | printk(KERN_ERR "%s: Internal error whilst attempting to " |
828 | "convert encrypted filename memory to scatterlist; " | 828 | "convert encrypted filename memory to scatterlist; " |
829 | "rc = [%d]. block_aligned_filename_size = [%zd]\n", | 829 | "rc = [%d]. block_aligned_filename_size = [%zd]\n", |
830 | __func__, rc, s->block_aligned_filename_size); | 830 | __func__, rc, s->block_aligned_filename_size); |
831 | goto out_release_free_unlock; | 831 | goto out_release_free_unlock; |
832 | } | 832 | } |
833 | /* The characters in the first block effectively do the job | 833 | /* The characters in the first block effectively do the job |
834 | * of the IV here, so we just use 0's for the IV. Note the | 834 | * of the IV here, so we just use 0's for the IV. Note the |
835 | * constraint that ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES | 835 | * constraint that ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES |
836 | * >= ECRYPTFS_MAX_IV_BYTES. */ | 836 | * >= ECRYPTFS_MAX_IV_BYTES. */ |
837 | memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); | 837 | memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); |
838 | s->desc.info = s->iv; | 838 | s->desc.info = s->iv; |
839 | rc = crypto_blkcipher_setkey( | 839 | rc = crypto_blkcipher_setkey( |
840 | s->desc.tfm, | 840 | s->desc.tfm, |
841 | s->auth_tok->token.password.session_key_encryption_key, | 841 | s->auth_tok->token.password.session_key_encryption_key, |
842 | mount_crypt_stat->global_default_fn_cipher_key_bytes); | 842 | mount_crypt_stat->global_default_fn_cipher_key_bytes); |
843 | if (rc < 0) { | 843 | if (rc < 0) { |
844 | printk(KERN_ERR "%s: Error setting key for crypto context; " | 844 | printk(KERN_ERR "%s: Error setting key for crypto context; " |
845 | "rc = [%d]. s->auth_tok->token.password.session_key_" | 845 | "rc = [%d]. s->auth_tok->token.password.session_key_" |
846 | "encryption_key = [0x%p]; mount_crypt_stat->" | 846 | "encryption_key = [0x%p]; mount_crypt_stat->" |
847 | "global_default_fn_cipher_key_bytes = [%zd]\n", __func__, | 847 | "global_default_fn_cipher_key_bytes = [%zd]\n", __func__, |
848 | rc, | 848 | rc, |
849 | s->auth_tok->token.password.session_key_encryption_key, | 849 | s->auth_tok->token.password.session_key_encryption_key, |
850 | mount_crypt_stat->global_default_fn_cipher_key_bytes); | 850 | mount_crypt_stat->global_default_fn_cipher_key_bytes); |
851 | goto out_release_free_unlock; | 851 | goto out_release_free_unlock; |
852 | } | 852 | } |
853 | rc = crypto_blkcipher_encrypt_iv(&s->desc, s->dst_sg, s->src_sg, | 853 | rc = crypto_blkcipher_encrypt_iv(&s->desc, s->dst_sg, s->src_sg, |
854 | s->block_aligned_filename_size); | 854 | s->block_aligned_filename_size); |
855 | if (rc) { | 855 | if (rc) { |
856 | printk(KERN_ERR "%s: Error attempting to encrypt filename; " | 856 | printk(KERN_ERR "%s: Error attempting to encrypt filename; " |
857 | "rc = [%d]\n", __func__, rc); | 857 | "rc = [%d]\n", __func__, rc); |
858 | goto out_release_free_unlock; | 858 | goto out_release_free_unlock; |
859 | } | 859 | } |
860 | s->i += s->block_aligned_filename_size; | 860 | s->i += s->block_aligned_filename_size; |
861 | (*packet_size) = s->i; | 861 | (*packet_size) = s->i; |
862 | (*remaining_bytes) -= (*packet_size); | 862 | (*remaining_bytes) -= (*packet_size); |
863 | out_release_free_unlock: | 863 | out_release_free_unlock: |
864 | crypto_free_hash(s->hash_desc.tfm); | 864 | crypto_free_hash(s->hash_desc.tfm); |
865 | out_free_unlock: | 865 | out_free_unlock: |
866 | kzfree(s->block_aligned_filename); | 866 | kzfree(s->block_aligned_filename); |
867 | out_unlock: | 867 | out_unlock: |
868 | mutex_unlock(s->tfm_mutex); | 868 | mutex_unlock(s->tfm_mutex); |
869 | out: | 869 | out: |
870 | if (auth_tok_key) { | 870 | if (auth_tok_key) { |
871 | up_write(&(auth_tok_key->sem)); | 871 | up_write(&(auth_tok_key->sem)); |
872 | key_put(auth_tok_key); | 872 | key_put(auth_tok_key); |
873 | } | 873 | } |
874 | kfree(s); | 874 | kfree(s); |
875 | return rc; | 875 | return rc; |
876 | } | 876 | } |
877 | 877 | ||
878 | struct ecryptfs_parse_tag_70_packet_silly_stack { | 878 | struct ecryptfs_parse_tag_70_packet_silly_stack { |
879 | u8 cipher_code; | 879 | u8 cipher_code; |
880 | size_t max_packet_size; | 880 | size_t max_packet_size; |
881 | size_t packet_size_len; | 881 | size_t packet_size_len; |
882 | size_t parsed_tag_70_packet_size; | 882 | size_t parsed_tag_70_packet_size; |
883 | size_t block_aligned_filename_size; | 883 | size_t block_aligned_filename_size; |
884 | size_t block_size; | 884 | size_t block_size; |
885 | size_t i; | 885 | size_t i; |
886 | struct mutex *tfm_mutex; | 886 | struct mutex *tfm_mutex; |
887 | char *decrypted_filename; | 887 | char *decrypted_filename; |
888 | struct ecryptfs_auth_tok *auth_tok; | 888 | struct ecryptfs_auth_tok *auth_tok; |
889 | struct scatterlist src_sg[2]; | 889 | struct scatterlist src_sg[2]; |
890 | struct scatterlist dst_sg[2]; | 890 | struct scatterlist dst_sg[2]; |
891 | struct blkcipher_desc desc; | 891 | struct blkcipher_desc desc; |
892 | char fnek_sig_hex[ECRYPTFS_SIG_SIZE_HEX + 1]; | 892 | char fnek_sig_hex[ECRYPTFS_SIG_SIZE_HEX + 1]; |
893 | char iv[ECRYPTFS_MAX_IV_BYTES]; | 893 | char iv[ECRYPTFS_MAX_IV_BYTES]; |
894 | char cipher_string[ECRYPTFS_MAX_CIPHER_NAME_SIZE]; | 894 | char cipher_string[ECRYPTFS_MAX_CIPHER_NAME_SIZE]; |
895 | }; | 895 | }; |
896 | 896 | ||
897 | /** | 897 | /** |
898 | * parse_tag_70_packet - Parse and process FNEK-encrypted passphrase packet | 898 | * parse_tag_70_packet - Parse and process FNEK-encrypted passphrase packet |
899 | * @filename: This function kmalloc's the memory for the filename | 899 | * @filename: This function kmalloc's the memory for the filename |
900 | * @filename_size: This function sets this to the amount of memory | 900 | * @filename_size: This function sets this to the amount of memory |
901 | * kmalloc'd for the filename | 901 | * kmalloc'd for the filename |
902 | * @packet_size: This function sets this to the the number of octets | 902 | * @packet_size: This function sets this to the the number of octets |
903 | * in the packet parsed | 903 | * in the packet parsed |
904 | * @mount_crypt_stat: The mount-wide cryptographic context | 904 | * @mount_crypt_stat: The mount-wide cryptographic context |
905 | * @data: The memory location containing the start of the tag 70 | 905 | * @data: The memory location containing the start of the tag 70 |
906 | * packet | 906 | * packet |
907 | * @max_packet_size: The maximum legal size of the packet to be parsed | 907 | * @max_packet_size: The maximum legal size of the packet to be parsed |
908 | * from @data | 908 | * from @data |
909 | * | 909 | * |
910 | * Returns zero on success; non-zero otherwise | 910 | * Returns zero on success; non-zero otherwise |
911 | */ | 911 | */ |
912 | int | 912 | int |
913 | ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size, | 913 | ecryptfs_parse_tag_70_packet(char **filename, size_t *filename_size, |
914 | size_t *packet_size, | 914 | size_t *packet_size, |
915 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, | 915 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat, |
916 | char *data, size_t max_packet_size) | 916 | char *data, size_t max_packet_size) |
917 | { | 917 | { |
918 | struct ecryptfs_parse_tag_70_packet_silly_stack *s; | 918 | struct ecryptfs_parse_tag_70_packet_silly_stack *s; |
919 | struct key *auth_tok_key = NULL; | 919 | struct key *auth_tok_key = NULL; |
920 | int rc = 0; | 920 | int rc = 0; |
921 | 921 | ||
922 | (*packet_size) = 0; | 922 | (*packet_size) = 0; |
923 | (*filename_size) = 0; | 923 | (*filename_size) = 0; |
924 | (*filename) = NULL; | 924 | (*filename) = NULL; |
925 | s = kmalloc(sizeof(*s), GFP_KERNEL); | 925 | s = kmalloc(sizeof(*s), GFP_KERNEL); |
926 | if (!s) { | 926 | if (!s) { |
927 | printk(KERN_ERR "%s: Out of memory whilst trying to kmalloc " | 927 | printk(KERN_ERR "%s: Out of memory whilst trying to kmalloc " |
928 | "[%zd] bytes of kernel memory\n", __func__, sizeof(*s)); | 928 | "[%zd] bytes of kernel memory\n", __func__, sizeof(*s)); |
929 | rc = -ENOMEM; | 929 | rc = -ENOMEM; |
930 | goto out; | 930 | goto out; |
931 | } | 931 | } |
932 | s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP; | 932 | s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP; |
933 | if (max_packet_size < ECRYPTFS_TAG_70_MIN_METADATA_SIZE) { | 933 | if (max_packet_size < ECRYPTFS_TAG_70_MIN_METADATA_SIZE) { |
934 | printk(KERN_WARNING "%s: max_packet_size is [%zd]; it must be " | 934 | printk(KERN_WARNING "%s: max_packet_size is [%zd]; it must be " |
935 | "at least [%d]\n", __func__, max_packet_size, | 935 | "at least [%d]\n", __func__, max_packet_size, |
936 | ECRYPTFS_TAG_70_MIN_METADATA_SIZE); | 936 | ECRYPTFS_TAG_70_MIN_METADATA_SIZE); |
937 | rc = -EINVAL; | 937 | rc = -EINVAL; |
938 | goto out; | 938 | goto out; |
939 | } | 939 | } |
940 | /* Octet 0: Tag 70 identifier | 940 | /* Octet 0: Tag 70 identifier |
941 | * Octets 1-N1: Tag 70 packet size (includes cipher identifier | 941 | * Octets 1-N1: Tag 70 packet size (includes cipher identifier |
942 | * and block-aligned encrypted filename size) | 942 | * and block-aligned encrypted filename size) |
943 | * Octets N1-N2: FNEK sig (ECRYPTFS_SIG_SIZE) | 943 | * Octets N1-N2: FNEK sig (ECRYPTFS_SIG_SIZE) |
944 | * Octet N2-N3: Cipher identifier (1 octet) | 944 | * Octet N2-N3: Cipher identifier (1 octet) |
945 | * Octets N3-N4: Block-aligned encrypted filename | 945 | * Octets N3-N4: Block-aligned encrypted filename |
946 | * - Consists of a minimum number of random numbers, a \0 | 946 | * - Consists of a minimum number of random numbers, a \0 |
947 | * separator, and then the filename */ | 947 | * separator, and then the filename */ |
948 | if (data[(*packet_size)++] != ECRYPTFS_TAG_70_PACKET_TYPE) { | 948 | if (data[(*packet_size)++] != ECRYPTFS_TAG_70_PACKET_TYPE) { |
949 | printk(KERN_WARNING "%s: Invalid packet tag [0x%.2x]; must be " | 949 | printk(KERN_WARNING "%s: Invalid packet tag [0x%.2x]; must be " |
950 | "tag [0x%.2x]\n", __func__, | 950 | "tag [0x%.2x]\n", __func__, |
951 | data[((*packet_size) - 1)], ECRYPTFS_TAG_70_PACKET_TYPE); | 951 | data[((*packet_size) - 1)], ECRYPTFS_TAG_70_PACKET_TYPE); |
952 | rc = -EINVAL; | 952 | rc = -EINVAL; |
953 | goto out; | 953 | goto out; |
954 | } | 954 | } |
955 | rc = ecryptfs_parse_packet_length(&data[(*packet_size)], | 955 | rc = ecryptfs_parse_packet_length(&data[(*packet_size)], |
956 | &s->parsed_tag_70_packet_size, | 956 | &s->parsed_tag_70_packet_size, |
957 | &s->packet_size_len); | 957 | &s->packet_size_len); |
958 | if (rc) { | 958 | if (rc) { |
959 | printk(KERN_WARNING "%s: Error parsing packet length; " | 959 | printk(KERN_WARNING "%s: Error parsing packet length; " |
960 | "rc = [%d]\n", __func__, rc); | 960 | "rc = [%d]\n", __func__, rc); |
961 | goto out; | 961 | goto out; |
962 | } | 962 | } |
963 | s->block_aligned_filename_size = (s->parsed_tag_70_packet_size | 963 | s->block_aligned_filename_size = (s->parsed_tag_70_packet_size |
964 | - ECRYPTFS_SIG_SIZE - 1); | 964 | - ECRYPTFS_SIG_SIZE - 1); |
965 | if ((1 + s->packet_size_len + s->parsed_tag_70_packet_size) | 965 | if ((1 + s->packet_size_len + s->parsed_tag_70_packet_size) |
966 | > max_packet_size) { | 966 | > max_packet_size) { |
967 | printk(KERN_WARNING "%s: max_packet_size is [%zd]; real packet " | 967 | printk(KERN_WARNING "%s: max_packet_size is [%zd]; real packet " |
968 | "size is [%zd]\n", __func__, max_packet_size, | 968 | "size is [%zd]\n", __func__, max_packet_size, |
969 | (1 + s->packet_size_len + 1 | 969 | (1 + s->packet_size_len + 1 |
970 | + s->block_aligned_filename_size)); | 970 | + s->block_aligned_filename_size)); |
971 | rc = -EINVAL; | 971 | rc = -EINVAL; |
972 | goto out; | 972 | goto out; |
973 | } | 973 | } |
974 | (*packet_size) += s->packet_size_len; | 974 | (*packet_size) += s->packet_size_len; |
975 | ecryptfs_to_hex(s->fnek_sig_hex, &data[(*packet_size)], | 975 | ecryptfs_to_hex(s->fnek_sig_hex, &data[(*packet_size)], |
976 | ECRYPTFS_SIG_SIZE); | 976 | ECRYPTFS_SIG_SIZE); |
977 | s->fnek_sig_hex[ECRYPTFS_SIG_SIZE_HEX] = '\0'; | 977 | s->fnek_sig_hex[ECRYPTFS_SIG_SIZE_HEX] = '\0'; |
978 | (*packet_size) += ECRYPTFS_SIG_SIZE; | 978 | (*packet_size) += ECRYPTFS_SIG_SIZE; |
979 | s->cipher_code = data[(*packet_size)++]; | 979 | s->cipher_code = data[(*packet_size)++]; |
980 | rc = ecryptfs_cipher_code_to_string(s->cipher_string, s->cipher_code); | 980 | rc = ecryptfs_cipher_code_to_string(s->cipher_string, s->cipher_code); |
981 | if (rc) { | 981 | if (rc) { |
982 | printk(KERN_WARNING "%s: Cipher code [%d] is invalid\n", | 982 | printk(KERN_WARNING "%s: Cipher code [%d] is invalid\n", |
983 | __func__, s->cipher_code); | 983 | __func__, s->cipher_code); |
984 | goto out; | 984 | goto out; |
985 | } | 985 | } |
986 | rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key, | 986 | rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key, |
987 | &s->auth_tok, mount_crypt_stat, | 987 | &s->auth_tok, mount_crypt_stat, |
988 | s->fnek_sig_hex); | 988 | s->fnek_sig_hex); |
989 | if (rc) { | 989 | if (rc) { |
990 | printk(KERN_ERR "%s: Error attempting to find auth tok for " | 990 | printk(KERN_ERR "%s: Error attempting to find auth tok for " |
991 | "fnek sig [%s]; rc = [%d]\n", __func__, s->fnek_sig_hex, | 991 | "fnek sig [%s]; rc = [%d]\n", __func__, s->fnek_sig_hex, |
992 | rc); | 992 | rc); |
993 | goto out; | 993 | goto out; |
994 | } | 994 | } |
995 | rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&s->desc.tfm, | 995 | rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&s->desc.tfm, |
996 | &s->tfm_mutex, | 996 | &s->tfm_mutex, |
997 | s->cipher_string); | 997 | s->cipher_string); |
998 | if (unlikely(rc)) { | 998 | if (unlikely(rc)) { |
999 | printk(KERN_ERR "Internal error whilst attempting to get " | 999 | printk(KERN_ERR "Internal error whilst attempting to get " |
1000 | "tfm and mutex for cipher name [%s]; rc = [%d]\n", | 1000 | "tfm and mutex for cipher name [%s]; rc = [%d]\n", |
1001 | s->cipher_string, rc); | 1001 | s->cipher_string, rc); |
1002 | goto out; | 1002 | goto out; |
1003 | } | 1003 | } |
1004 | mutex_lock(s->tfm_mutex); | 1004 | mutex_lock(s->tfm_mutex); |
1005 | rc = virt_to_scatterlist(&data[(*packet_size)], | 1005 | rc = virt_to_scatterlist(&data[(*packet_size)], |
1006 | s->block_aligned_filename_size, s->src_sg, 2); | 1006 | s->block_aligned_filename_size, s->src_sg, 2); |
1007 | if (rc < 1) { | 1007 | if (rc < 1) { |
1008 | printk(KERN_ERR "%s: Internal error whilst attempting to " | 1008 | printk(KERN_ERR "%s: Internal error whilst attempting to " |
1009 | "convert encrypted filename memory to scatterlist; " | 1009 | "convert encrypted filename memory to scatterlist; " |
1010 | "rc = [%d]. block_aligned_filename_size = [%zd]\n", | 1010 | "rc = [%d]. block_aligned_filename_size = [%zd]\n", |
1011 | __func__, rc, s->block_aligned_filename_size); | 1011 | __func__, rc, s->block_aligned_filename_size); |
1012 | goto out_unlock; | 1012 | goto out_unlock; |
1013 | } | 1013 | } |
1014 | (*packet_size) += s->block_aligned_filename_size; | 1014 | (*packet_size) += s->block_aligned_filename_size; |
1015 | s->decrypted_filename = kmalloc(s->block_aligned_filename_size, | 1015 | s->decrypted_filename = kmalloc(s->block_aligned_filename_size, |
1016 | GFP_KERNEL); | 1016 | GFP_KERNEL); |
1017 | if (!s->decrypted_filename) { | 1017 | if (!s->decrypted_filename) { |
1018 | printk(KERN_ERR "%s: Out of memory whilst attempting to " | 1018 | printk(KERN_ERR "%s: Out of memory whilst attempting to " |
1019 | "kmalloc [%zd] bytes\n", __func__, | 1019 | "kmalloc [%zd] bytes\n", __func__, |
1020 | s->block_aligned_filename_size); | 1020 | s->block_aligned_filename_size); |
1021 | rc = -ENOMEM; | 1021 | rc = -ENOMEM; |
1022 | goto out_unlock; | 1022 | goto out_unlock; |
1023 | } | 1023 | } |
1024 | rc = virt_to_scatterlist(s->decrypted_filename, | 1024 | rc = virt_to_scatterlist(s->decrypted_filename, |
1025 | s->block_aligned_filename_size, s->dst_sg, 2); | 1025 | s->block_aligned_filename_size, s->dst_sg, 2); |
1026 | if (rc < 1) { | 1026 | if (rc < 1) { |
1027 | printk(KERN_ERR "%s: Internal error whilst attempting to " | 1027 | printk(KERN_ERR "%s: Internal error whilst attempting to " |
1028 | "convert decrypted filename memory to scatterlist; " | 1028 | "convert decrypted filename memory to scatterlist; " |
1029 | "rc = [%d]. block_aligned_filename_size = [%zd]\n", | 1029 | "rc = [%d]. block_aligned_filename_size = [%zd]\n", |
1030 | __func__, rc, s->block_aligned_filename_size); | 1030 | __func__, rc, s->block_aligned_filename_size); |
1031 | goto out_free_unlock; | 1031 | goto out_free_unlock; |
1032 | } | 1032 | } |
1033 | /* The characters in the first block effectively do the job of | 1033 | /* The characters in the first block effectively do the job of |
1034 | * the IV here, so we just use 0's for the IV. Note the | 1034 | * the IV here, so we just use 0's for the IV. Note the |
1035 | * constraint that ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES | 1035 | * constraint that ECRYPTFS_FILENAME_MIN_RANDOM_PREPEND_BYTES |
1036 | * >= ECRYPTFS_MAX_IV_BYTES. */ | 1036 | * >= ECRYPTFS_MAX_IV_BYTES. */ |
1037 | memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); | 1037 | memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); |
1038 | s->desc.info = s->iv; | 1038 | s->desc.info = s->iv; |
1039 | /* TODO: Support other key modules than passphrase for | 1039 | /* TODO: Support other key modules than passphrase for |
1040 | * filename encryption */ | 1040 | * filename encryption */ |
1041 | if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) { | 1041 | if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) { |
1042 | rc = -EOPNOTSUPP; | 1042 | rc = -EOPNOTSUPP; |
1043 | printk(KERN_INFO "%s: Filename encryption only supports " | 1043 | printk(KERN_INFO "%s: Filename encryption only supports " |
1044 | "password tokens\n", __func__); | 1044 | "password tokens\n", __func__); |
1045 | goto out_free_unlock; | 1045 | goto out_free_unlock; |
1046 | } | 1046 | } |
1047 | rc = crypto_blkcipher_setkey( | 1047 | rc = crypto_blkcipher_setkey( |
1048 | s->desc.tfm, | 1048 | s->desc.tfm, |
1049 | s->auth_tok->token.password.session_key_encryption_key, | 1049 | s->auth_tok->token.password.session_key_encryption_key, |
1050 | mount_crypt_stat->global_default_fn_cipher_key_bytes); | 1050 | mount_crypt_stat->global_default_fn_cipher_key_bytes); |
1051 | if (rc < 0) { | 1051 | if (rc < 0) { |
1052 | printk(KERN_ERR "%s: Error setting key for crypto context; " | 1052 | printk(KERN_ERR "%s: Error setting key for crypto context; " |
1053 | "rc = [%d]. s->auth_tok->token.password.session_key_" | 1053 | "rc = [%d]. s->auth_tok->token.password.session_key_" |
1054 | "encryption_key = [0x%p]; mount_crypt_stat->" | 1054 | "encryption_key = [0x%p]; mount_crypt_stat->" |
1055 | "global_default_fn_cipher_key_bytes = [%zd]\n", __func__, | 1055 | "global_default_fn_cipher_key_bytes = [%zd]\n", __func__, |
1056 | rc, | 1056 | rc, |
1057 | s->auth_tok->token.password.session_key_encryption_key, | 1057 | s->auth_tok->token.password.session_key_encryption_key, |
1058 | mount_crypt_stat->global_default_fn_cipher_key_bytes); | 1058 | mount_crypt_stat->global_default_fn_cipher_key_bytes); |
1059 | goto out_free_unlock; | 1059 | goto out_free_unlock; |
1060 | } | 1060 | } |
1061 | rc = crypto_blkcipher_decrypt_iv(&s->desc, s->dst_sg, s->src_sg, | 1061 | rc = crypto_blkcipher_decrypt_iv(&s->desc, s->dst_sg, s->src_sg, |
1062 | s->block_aligned_filename_size); | 1062 | s->block_aligned_filename_size); |
1063 | if (rc) { | 1063 | if (rc) { |
1064 | printk(KERN_ERR "%s: Error attempting to decrypt filename; " | 1064 | printk(KERN_ERR "%s: Error attempting to decrypt filename; " |
1065 | "rc = [%d]\n", __func__, rc); | 1065 | "rc = [%d]\n", __func__, rc); |
1066 | goto out_free_unlock; | 1066 | goto out_free_unlock; |
1067 | } | 1067 | } |
1068 | s->i = 0; | 1068 | s->i = 0; |
1069 | while (s->decrypted_filename[s->i] != '\0' | 1069 | while (s->decrypted_filename[s->i] != '\0' |
1070 | && s->i < s->block_aligned_filename_size) | 1070 | && s->i < s->block_aligned_filename_size) |
1071 | s->i++; | 1071 | s->i++; |
1072 | if (s->i == s->block_aligned_filename_size) { | 1072 | if (s->i == s->block_aligned_filename_size) { |
1073 | printk(KERN_WARNING "%s: Invalid tag 70 packet; could not " | 1073 | printk(KERN_WARNING "%s: Invalid tag 70 packet; could not " |
1074 | "find valid separator between random characters and " | 1074 | "find valid separator between random characters and " |
1075 | "the filename\n", __func__); | 1075 | "the filename\n", __func__); |
1076 | rc = -EINVAL; | 1076 | rc = -EINVAL; |
1077 | goto out_free_unlock; | 1077 | goto out_free_unlock; |
1078 | } | 1078 | } |
1079 | s->i++; | 1079 | s->i++; |
1080 | (*filename_size) = (s->block_aligned_filename_size - s->i); | 1080 | (*filename_size) = (s->block_aligned_filename_size - s->i); |
1081 | if (!((*filename_size) > 0 && (*filename_size < PATH_MAX))) { | 1081 | if (!((*filename_size) > 0 && (*filename_size < PATH_MAX))) { |
1082 | printk(KERN_WARNING "%s: Filename size is [%zd], which is " | 1082 | printk(KERN_WARNING "%s: Filename size is [%zd], which is " |
1083 | "invalid\n", __func__, (*filename_size)); | 1083 | "invalid\n", __func__, (*filename_size)); |
1084 | rc = -EINVAL; | 1084 | rc = -EINVAL; |
1085 | goto out_free_unlock; | 1085 | goto out_free_unlock; |
1086 | } | 1086 | } |
1087 | (*filename) = kmalloc(((*filename_size) + 1), GFP_KERNEL); | 1087 | (*filename) = kmalloc(((*filename_size) + 1), GFP_KERNEL); |
1088 | if (!(*filename)) { | 1088 | if (!(*filename)) { |
1089 | printk(KERN_ERR "%s: Out of memory whilst attempting to " | 1089 | printk(KERN_ERR "%s: Out of memory whilst attempting to " |
1090 | "kmalloc [%zd] bytes\n", __func__, | 1090 | "kmalloc [%zd] bytes\n", __func__, |
1091 | ((*filename_size) + 1)); | 1091 | ((*filename_size) + 1)); |
1092 | rc = -ENOMEM; | 1092 | rc = -ENOMEM; |
1093 | goto out_free_unlock; | 1093 | goto out_free_unlock; |
1094 | } | 1094 | } |
1095 | memcpy((*filename), &s->decrypted_filename[s->i], (*filename_size)); | 1095 | memcpy((*filename), &s->decrypted_filename[s->i], (*filename_size)); |
1096 | (*filename)[(*filename_size)] = '\0'; | 1096 | (*filename)[(*filename_size)] = '\0'; |
1097 | out_free_unlock: | 1097 | out_free_unlock: |
1098 | kfree(s->decrypted_filename); | 1098 | kfree(s->decrypted_filename); |
1099 | out_unlock: | 1099 | out_unlock: |
1100 | mutex_unlock(s->tfm_mutex); | 1100 | mutex_unlock(s->tfm_mutex); |
1101 | out: | 1101 | out: |
1102 | if (rc) { | 1102 | if (rc) { |
1103 | (*packet_size) = 0; | 1103 | (*packet_size) = 0; |
1104 | (*filename_size) = 0; | 1104 | (*filename_size) = 0; |
1105 | (*filename) = NULL; | 1105 | (*filename) = NULL; |
1106 | } | 1106 | } |
1107 | if (auth_tok_key) { | 1107 | if (auth_tok_key) { |
1108 | up_write(&(auth_tok_key->sem)); | 1108 | up_write(&(auth_tok_key->sem)); |
1109 | key_put(auth_tok_key); | 1109 | key_put(auth_tok_key); |
1110 | } | 1110 | } |
1111 | kfree(s); | 1111 | kfree(s); |
1112 | return rc; | 1112 | return rc; |
1113 | } | 1113 | } |
1114 | 1114 | ||
1115 | static int | 1115 | static int |
1116 | ecryptfs_get_auth_tok_sig(char **sig, struct ecryptfs_auth_tok *auth_tok) | 1116 | ecryptfs_get_auth_tok_sig(char **sig, struct ecryptfs_auth_tok *auth_tok) |
1117 | { | 1117 | { |
1118 | int rc = 0; | 1118 | int rc = 0; |
1119 | 1119 | ||
1120 | (*sig) = NULL; | 1120 | (*sig) = NULL; |
1121 | switch (auth_tok->token_type) { | 1121 | switch (auth_tok->token_type) { |
1122 | case ECRYPTFS_PASSWORD: | 1122 | case ECRYPTFS_PASSWORD: |
1123 | (*sig) = auth_tok->token.password.signature; | 1123 | (*sig) = auth_tok->token.password.signature; |
1124 | break; | 1124 | break; |
1125 | case ECRYPTFS_PRIVATE_KEY: | 1125 | case ECRYPTFS_PRIVATE_KEY: |
1126 | (*sig) = auth_tok->token.private_key.signature; | 1126 | (*sig) = auth_tok->token.private_key.signature; |
1127 | break; | 1127 | break; |
1128 | default: | 1128 | default: |
1129 | printk(KERN_ERR "Cannot get sig for auth_tok of type [%d]\n", | 1129 | printk(KERN_ERR "Cannot get sig for auth_tok of type [%d]\n", |
1130 | auth_tok->token_type); | 1130 | auth_tok->token_type); |
1131 | rc = -EINVAL; | 1131 | rc = -EINVAL; |
1132 | } | 1132 | } |
1133 | return rc; | 1133 | return rc; |
1134 | } | 1134 | } |
1135 | 1135 | ||
1136 | /** | 1136 | /** |
1137 | * decrypt_pki_encrypted_session_key - Decrypt the session key with the given auth_tok. | 1137 | * decrypt_pki_encrypted_session_key - Decrypt the session key with the given auth_tok. |
1138 | * @auth_tok: The key authentication token used to decrypt the session key | 1138 | * @auth_tok: The key authentication token used to decrypt the session key |
1139 | * @crypt_stat: The cryptographic context | 1139 | * @crypt_stat: The cryptographic context |
1140 | * | 1140 | * |
1141 | * Returns zero on success; non-zero error otherwise. | 1141 | * Returns zero on success; non-zero error otherwise. |
1142 | */ | 1142 | */ |
1143 | static int | 1143 | static int |
1144 | decrypt_pki_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok, | 1144 | decrypt_pki_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok, |
1145 | struct ecryptfs_crypt_stat *crypt_stat) | 1145 | struct ecryptfs_crypt_stat *crypt_stat) |
1146 | { | 1146 | { |
1147 | u8 cipher_code = 0; | 1147 | u8 cipher_code = 0; |
1148 | struct ecryptfs_msg_ctx *msg_ctx; | 1148 | struct ecryptfs_msg_ctx *msg_ctx; |
1149 | struct ecryptfs_message *msg = NULL; | 1149 | struct ecryptfs_message *msg = NULL; |
1150 | char *auth_tok_sig; | 1150 | char *auth_tok_sig; |
1151 | char *payload = NULL; | 1151 | char *payload = NULL; |
1152 | size_t payload_len = 0; | 1152 | size_t payload_len = 0; |
1153 | int rc; | 1153 | int rc; |
1154 | 1154 | ||
1155 | rc = ecryptfs_get_auth_tok_sig(&auth_tok_sig, auth_tok); | 1155 | rc = ecryptfs_get_auth_tok_sig(&auth_tok_sig, auth_tok); |
1156 | if (rc) { | 1156 | if (rc) { |
1157 | printk(KERN_ERR "Unrecognized auth tok type: [%d]\n", | 1157 | printk(KERN_ERR "Unrecognized auth tok type: [%d]\n", |
1158 | auth_tok->token_type); | 1158 | auth_tok->token_type); |
1159 | goto out; | 1159 | goto out; |
1160 | } | 1160 | } |
1161 | rc = write_tag_64_packet(auth_tok_sig, &(auth_tok->session_key), | 1161 | rc = write_tag_64_packet(auth_tok_sig, &(auth_tok->session_key), |
1162 | &payload, &payload_len); | 1162 | &payload, &payload_len); |
1163 | if (rc) { | 1163 | if (rc) { |
1164 | ecryptfs_printk(KERN_ERR, "Failed to write tag 64 packet\n"); | 1164 | ecryptfs_printk(KERN_ERR, "Failed to write tag 64 packet\n"); |
1165 | goto out; | 1165 | goto out; |
1166 | } | 1166 | } |
1167 | rc = ecryptfs_send_message(payload, payload_len, &msg_ctx); | 1167 | rc = ecryptfs_send_message(payload, payload_len, &msg_ctx); |
1168 | if (rc) { | 1168 | if (rc) { |
1169 | ecryptfs_printk(KERN_ERR, "Error sending message to " | 1169 | ecryptfs_printk(KERN_ERR, "Error sending message to " |
1170 | "ecryptfsd: %d\n", rc); | 1170 | "ecryptfsd: %d\n", rc); |
1171 | goto out; | 1171 | goto out; |
1172 | } | 1172 | } |
1173 | rc = ecryptfs_wait_for_response(msg_ctx, &msg); | 1173 | rc = ecryptfs_wait_for_response(msg_ctx, &msg); |
1174 | if (rc) { | 1174 | if (rc) { |
1175 | ecryptfs_printk(KERN_ERR, "Failed to receive tag 65 packet " | 1175 | ecryptfs_printk(KERN_ERR, "Failed to receive tag 65 packet " |
1176 | "from the user space daemon\n"); | 1176 | "from the user space daemon\n"); |
1177 | rc = -EIO; | 1177 | rc = -EIO; |
1178 | goto out; | 1178 | goto out; |
1179 | } | 1179 | } |
1180 | rc = parse_tag_65_packet(&(auth_tok->session_key), | 1180 | rc = parse_tag_65_packet(&(auth_tok->session_key), |
1181 | &cipher_code, msg); | 1181 | &cipher_code, msg); |
1182 | if (rc) { | 1182 | if (rc) { |
1183 | printk(KERN_ERR "Failed to parse tag 65 packet; rc = [%d]\n", | 1183 | printk(KERN_ERR "Failed to parse tag 65 packet; rc = [%d]\n", |
1184 | rc); | 1184 | rc); |
1185 | goto out; | 1185 | goto out; |
1186 | } | 1186 | } |
1187 | auth_tok->session_key.flags |= ECRYPTFS_CONTAINS_DECRYPTED_KEY; | 1187 | auth_tok->session_key.flags |= ECRYPTFS_CONTAINS_DECRYPTED_KEY; |
1188 | memcpy(crypt_stat->key, auth_tok->session_key.decrypted_key, | 1188 | memcpy(crypt_stat->key, auth_tok->session_key.decrypted_key, |
1189 | auth_tok->session_key.decrypted_key_size); | 1189 | auth_tok->session_key.decrypted_key_size); |
1190 | crypt_stat->key_size = auth_tok->session_key.decrypted_key_size; | 1190 | crypt_stat->key_size = auth_tok->session_key.decrypted_key_size; |
1191 | rc = ecryptfs_cipher_code_to_string(crypt_stat->cipher, cipher_code); | 1191 | rc = ecryptfs_cipher_code_to_string(crypt_stat->cipher, cipher_code); |
1192 | if (rc) { | 1192 | if (rc) { |
1193 | ecryptfs_printk(KERN_ERR, "Cipher code [%d] is invalid\n", | 1193 | ecryptfs_printk(KERN_ERR, "Cipher code [%d] is invalid\n", |
1194 | cipher_code) | 1194 | cipher_code) |
1195 | goto out; | 1195 | goto out; |
1196 | } | 1196 | } |
1197 | crypt_stat->flags |= ECRYPTFS_KEY_VALID; | 1197 | crypt_stat->flags |= ECRYPTFS_KEY_VALID; |
1198 | if (ecryptfs_verbosity > 0) { | 1198 | if (ecryptfs_verbosity > 0) { |
1199 | ecryptfs_printk(KERN_DEBUG, "Decrypted session key:\n"); | 1199 | ecryptfs_printk(KERN_DEBUG, "Decrypted session key:\n"); |
1200 | ecryptfs_dump_hex(crypt_stat->key, | 1200 | ecryptfs_dump_hex(crypt_stat->key, |
1201 | crypt_stat->key_size); | 1201 | crypt_stat->key_size); |
1202 | } | 1202 | } |
1203 | out: | 1203 | out: |
1204 | kfree(msg); | 1204 | kfree(msg); |
1205 | kfree(payload); | 1205 | kfree(payload); |
1206 | return rc; | 1206 | return rc; |
1207 | } | 1207 | } |
1208 | 1208 | ||
1209 | static void wipe_auth_tok_list(struct list_head *auth_tok_list_head) | 1209 | static void wipe_auth_tok_list(struct list_head *auth_tok_list_head) |
1210 | { | 1210 | { |
1211 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item; | 1211 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item; |
1212 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item_tmp; | 1212 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item_tmp; |
1213 | 1213 | ||
1214 | list_for_each_entry_safe(auth_tok_list_item, auth_tok_list_item_tmp, | 1214 | list_for_each_entry_safe(auth_tok_list_item, auth_tok_list_item_tmp, |
1215 | auth_tok_list_head, list) { | 1215 | auth_tok_list_head, list) { |
1216 | list_del(&auth_tok_list_item->list); | 1216 | list_del(&auth_tok_list_item->list); |
1217 | kmem_cache_free(ecryptfs_auth_tok_list_item_cache, | 1217 | kmem_cache_free(ecryptfs_auth_tok_list_item_cache, |
1218 | auth_tok_list_item); | 1218 | auth_tok_list_item); |
1219 | } | 1219 | } |
1220 | } | 1220 | } |
1221 | 1221 | ||
1222 | struct kmem_cache *ecryptfs_auth_tok_list_item_cache; | 1222 | struct kmem_cache *ecryptfs_auth_tok_list_item_cache; |
1223 | 1223 | ||
1224 | /** | 1224 | /** |
1225 | * parse_tag_1_packet | 1225 | * parse_tag_1_packet |
1226 | * @crypt_stat: The cryptographic context to modify based on packet contents | 1226 | * @crypt_stat: The cryptographic context to modify based on packet contents |
1227 | * @data: The raw bytes of the packet. | 1227 | * @data: The raw bytes of the packet. |
1228 | * @auth_tok_list: eCryptfs parses packets into authentication tokens; | 1228 | * @auth_tok_list: eCryptfs parses packets into authentication tokens; |
1229 | * a new authentication token will be placed at the | 1229 | * a new authentication token will be placed at the |
1230 | * end of this list for this packet. | 1230 | * end of this list for this packet. |
1231 | * @new_auth_tok: Pointer to a pointer to memory that this function | 1231 | * @new_auth_tok: Pointer to a pointer to memory that this function |
1232 | * allocates; sets the memory address of the pointer to | 1232 | * allocates; sets the memory address of the pointer to |
1233 | * NULL on error. This object is added to the | 1233 | * NULL on error. This object is added to the |
1234 | * auth_tok_list. | 1234 | * auth_tok_list. |
1235 | * @packet_size: This function writes the size of the parsed packet | 1235 | * @packet_size: This function writes the size of the parsed packet |
1236 | * into this memory location; zero on error. | 1236 | * into this memory location; zero on error. |
1237 | * @max_packet_size: The maximum allowable packet size | 1237 | * @max_packet_size: The maximum allowable packet size |
1238 | * | 1238 | * |
1239 | * Returns zero on success; non-zero on error. | 1239 | * Returns zero on success; non-zero on error. |
1240 | */ | 1240 | */ |
1241 | static int | 1241 | static int |
1242 | parse_tag_1_packet(struct ecryptfs_crypt_stat *crypt_stat, | 1242 | parse_tag_1_packet(struct ecryptfs_crypt_stat *crypt_stat, |
1243 | unsigned char *data, struct list_head *auth_tok_list, | 1243 | unsigned char *data, struct list_head *auth_tok_list, |
1244 | struct ecryptfs_auth_tok **new_auth_tok, | 1244 | struct ecryptfs_auth_tok **new_auth_tok, |
1245 | size_t *packet_size, size_t max_packet_size) | 1245 | size_t *packet_size, size_t max_packet_size) |
1246 | { | 1246 | { |
1247 | size_t body_size; | 1247 | size_t body_size; |
1248 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item; | 1248 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item; |
1249 | size_t length_size; | 1249 | size_t length_size; |
1250 | int rc = 0; | 1250 | int rc = 0; |
1251 | 1251 | ||
1252 | (*packet_size) = 0; | 1252 | (*packet_size) = 0; |
1253 | (*new_auth_tok) = NULL; | 1253 | (*new_auth_tok) = NULL; |
1254 | /** | 1254 | /** |
1255 | * This format is inspired by OpenPGP; see RFC 2440 | 1255 | * This format is inspired by OpenPGP; see RFC 2440 |
1256 | * packet tag 1 | 1256 | * packet tag 1 |
1257 | * | 1257 | * |
1258 | * Tag 1 identifier (1 byte) | 1258 | * Tag 1 identifier (1 byte) |
1259 | * Max Tag 1 packet size (max 3 bytes) | 1259 | * Max Tag 1 packet size (max 3 bytes) |
1260 | * Version (1 byte) | 1260 | * Version (1 byte) |
1261 | * Key identifier (8 bytes; ECRYPTFS_SIG_SIZE) | 1261 | * Key identifier (8 bytes; ECRYPTFS_SIG_SIZE) |
1262 | * Cipher identifier (1 byte) | 1262 | * Cipher identifier (1 byte) |
1263 | * Encrypted key size (arbitrary) | 1263 | * Encrypted key size (arbitrary) |
1264 | * | 1264 | * |
1265 | * 12 bytes minimum packet size | 1265 | * 12 bytes minimum packet size |
1266 | */ | 1266 | */ |
1267 | if (unlikely(max_packet_size < 12)) { | 1267 | if (unlikely(max_packet_size < 12)) { |
1268 | printk(KERN_ERR "Invalid max packet size; must be >=12\n"); | 1268 | printk(KERN_ERR "Invalid max packet size; must be >=12\n"); |
1269 | rc = -EINVAL; | 1269 | rc = -EINVAL; |
1270 | goto out; | 1270 | goto out; |
1271 | } | 1271 | } |
1272 | if (data[(*packet_size)++] != ECRYPTFS_TAG_1_PACKET_TYPE) { | 1272 | if (data[(*packet_size)++] != ECRYPTFS_TAG_1_PACKET_TYPE) { |
1273 | printk(KERN_ERR "Enter w/ first byte != 0x%.2x\n", | 1273 | printk(KERN_ERR "Enter w/ first byte != 0x%.2x\n", |
1274 | ECRYPTFS_TAG_1_PACKET_TYPE); | 1274 | ECRYPTFS_TAG_1_PACKET_TYPE); |
1275 | rc = -EINVAL; | 1275 | rc = -EINVAL; |
1276 | goto out; | 1276 | goto out; |
1277 | } | 1277 | } |
1278 | /* Released: wipe_auth_tok_list called in ecryptfs_parse_packet_set or | 1278 | /* Released: wipe_auth_tok_list called in ecryptfs_parse_packet_set or |
1279 | * at end of function upon failure */ | 1279 | * at end of function upon failure */ |
1280 | auth_tok_list_item = | 1280 | auth_tok_list_item = |
1281 | kmem_cache_zalloc(ecryptfs_auth_tok_list_item_cache, | 1281 | kmem_cache_zalloc(ecryptfs_auth_tok_list_item_cache, |
1282 | GFP_KERNEL); | 1282 | GFP_KERNEL); |
1283 | if (!auth_tok_list_item) { | 1283 | if (!auth_tok_list_item) { |
1284 | printk(KERN_ERR "Unable to allocate memory\n"); | 1284 | printk(KERN_ERR "Unable to allocate memory\n"); |
1285 | rc = -ENOMEM; | 1285 | rc = -ENOMEM; |
1286 | goto out; | 1286 | goto out; |
1287 | } | 1287 | } |
1288 | (*new_auth_tok) = &auth_tok_list_item->auth_tok; | 1288 | (*new_auth_tok) = &auth_tok_list_item->auth_tok; |
1289 | rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size, | 1289 | rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size, |
1290 | &length_size); | 1290 | &length_size); |
1291 | if (rc) { | 1291 | if (rc) { |
1292 | printk(KERN_WARNING "Error parsing packet length; " | 1292 | printk(KERN_WARNING "Error parsing packet length; " |
1293 | "rc = [%d]\n", rc); | 1293 | "rc = [%d]\n", rc); |
1294 | goto out_free; | 1294 | goto out_free; |
1295 | } | 1295 | } |
1296 | if (unlikely(body_size < (ECRYPTFS_SIG_SIZE + 2))) { | 1296 | if (unlikely(body_size < (ECRYPTFS_SIG_SIZE + 2))) { |
1297 | printk(KERN_WARNING "Invalid body size ([%td])\n", body_size); | 1297 | printk(KERN_WARNING "Invalid body size ([%td])\n", body_size); |
1298 | rc = -EINVAL; | 1298 | rc = -EINVAL; |
1299 | goto out_free; | 1299 | goto out_free; |
1300 | } | 1300 | } |
1301 | (*packet_size) += length_size; | 1301 | (*packet_size) += length_size; |
1302 | if (unlikely((*packet_size) + body_size > max_packet_size)) { | 1302 | if (unlikely((*packet_size) + body_size > max_packet_size)) { |
1303 | printk(KERN_WARNING "Packet size exceeds max\n"); | 1303 | printk(KERN_WARNING "Packet size exceeds max\n"); |
1304 | rc = -EINVAL; | 1304 | rc = -EINVAL; |
1305 | goto out_free; | 1305 | goto out_free; |
1306 | } | 1306 | } |
1307 | if (unlikely(data[(*packet_size)++] != 0x03)) { | 1307 | if (unlikely(data[(*packet_size)++] != 0x03)) { |
1308 | printk(KERN_WARNING "Unknown version number [%d]\n", | 1308 | printk(KERN_WARNING "Unknown version number [%d]\n", |
1309 | data[(*packet_size) - 1]); | 1309 | data[(*packet_size) - 1]); |
1310 | rc = -EINVAL; | 1310 | rc = -EINVAL; |
1311 | goto out_free; | 1311 | goto out_free; |
1312 | } | 1312 | } |
1313 | ecryptfs_to_hex((*new_auth_tok)->token.private_key.signature, | 1313 | ecryptfs_to_hex((*new_auth_tok)->token.private_key.signature, |
1314 | &data[(*packet_size)], ECRYPTFS_SIG_SIZE); | 1314 | &data[(*packet_size)], ECRYPTFS_SIG_SIZE); |
1315 | *packet_size += ECRYPTFS_SIG_SIZE; | 1315 | *packet_size += ECRYPTFS_SIG_SIZE; |
1316 | /* This byte is skipped because the kernel does not need to | 1316 | /* This byte is skipped because the kernel does not need to |
1317 | * know which public key encryption algorithm was used */ | 1317 | * know which public key encryption algorithm was used */ |
1318 | (*packet_size)++; | 1318 | (*packet_size)++; |
1319 | (*new_auth_tok)->session_key.encrypted_key_size = | 1319 | (*new_auth_tok)->session_key.encrypted_key_size = |
1320 | body_size - (ECRYPTFS_SIG_SIZE + 2); | 1320 | body_size - (ECRYPTFS_SIG_SIZE + 2); |
1321 | if ((*new_auth_tok)->session_key.encrypted_key_size | 1321 | if ((*new_auth_tok)->session_key.encrypted_key_size |
1322 | > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) { | 1322 | > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) { |
1323 | printk(KERN_WARNING "Tag 1 packet contains key larger " | 1323 | printk(KERN_WARNING "Tag 1 packet contains key larger " |
1324 | "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES"); | 1324 | "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES"); |
1325 | rc = -EINVAL; | 1325 | rc = -EINVAL; |
1326 | goto out; | 1326 | goto out; |
1327 | } | 1327 | } |
1328 | memcpy((*new_auth_tok)->session_key.encrypted_key, | 1328 | memcpy((*new_auth_tok)->session_key.encrypted_key, |
1329 | &data[(*packet_size)], (body_size - (ECRYPTFS_SIG_SIZE + 2))); | 1329 | &data[(*packet_size)], (body_size - (ECRYPTFS_SIG_SIZE + 2))); |
1330 | (*packet_size) += (*new_auth_tok)->session_key.encrypted_key_size; | 1330 | (*packet_size) += (*new_auth_tok)->session_key.encrypted_key_size; |
1331 | (*new_auth_tok)->session_key.flags &= | 1331 | (*new_auth_tok)->session_key.flags &= |
1332 | ~ECRYPTFS_CONTAINS_DECRYPTED_KEY; | 1332 | ~ECRYPTFS_CONTAINS_DECRYPTED_KEY; |
1333 | (*new_auth_tok)->session_key.flags |= | 1333 | (*new_auth_tok)->session_key.flags |= |
1334 | ECRYPTFS_CONTAINS_ENCRYPTED_KEY; | 1334 | ECRYPTFS_CONTAINS_ENCRYPTED_KEY; |
1335 | (*new_auth_tok)->token_type = ECRYPTFS_PRIVATE_KEY; | 1335 | (*new_auth_tok)->token_type = ECRYPTFS_PRIVATE_KEY; |
1336 | (*new_auth_tok)->flags = 0; | 1336 | (*new_auth_tok)->flags = 0; |
1337 | (*new_auth_tok)->session_key.flags &= | 1337 | (*new_auth_tok)->session_key.flags &= |
1338 | ~(ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT); | 1338 | ~(ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT); |
1339 | (*new_auth_tok)->session_key.flags &= | 1339 | (*new_auth_tok)->session_key.flags &= |
1340 | ~(ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT); | 1340 | ~(ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT); |
1341 | list_add(&auth_tok_list_item->list, auth_tok_list); | 1341 | list_add(&auth_tok_list_item->list, auth_tok_list); |
1342 | goto out; | 1342 | goto out; |
1343 | out_free: | 1343 | out_free: |
1344 | (*new_auth_tok) = NULL; | 1344 | (*new_auth_tok) = NULL; |
1345 | memset(auth_tok_list_item, 0, | 1345 | memset(auth_tok_list_item, 0, |
1346 | sizeof(struct ecryptfs_auth_tok_list_item)); | 1346 | sizeof(struct ecryptfs_auth_tok_list_item)); |
1347 | kmem_cache_free(ecryptfs_auth_tok_list_item_cache, | 1347 | kmem_cache_free(ecryptfs_auth_tok_list_item_cache, |
1348 | auth_tok_list_item); | 1348 | auth_tok_list_item); |
1349 | out: | 1349 | out: |
1350 | if (rc) | 1350 | if (rc) |
1351 | (*packet_size) = 0; | 1351 | (*packet_size) = 0; |
1352 | return rc; | 1352 | return rc; |
1353 | } | 1353 | } |
1354 | 1354 | ||
1355 | /** | 1355 | /** |
1356 | * parse_tag_3_packet | 1356 | * parse_tag_3_packet |
1357 | * @crypt_stat: The cryptographic context to modify based on packet | 1357 | * @crypt_stat: The cryptographic context to modify based on packet |
1358 | * contents. | 1358 | * contents. |
1359 | * @data: The raw bytes of the packet. | 1359 | * @data: The raw bytes of the packet. |
1360 | * @auth_tok_list: eCryptfs parses packets into authentication tokens; | 1360 | * @auth_tok_list: eCryptfs parses packets into authentication tokens; |
1361 | * a new authentication token will be placed at the end | 1361 | * a new authentication token will be placed at the end |
1362 | * of this list for this packet. | 1362 | * of this list for this packet. |
1363 | * @new_auth_tok: Pointer to a pointer to memory that this function | 1363 | * @new_auth_tok: Pointer to a pointer to memory that this function |
1364 | * allocates; sets the memory address of the pointer to | 1364 | * allocates; sets the memory address of the pointer to |
1365 | * NULL on error. This object is added to the | 1365 | * NULL on error. This object is added to the |
1366 | * auth_tok_list. | 1366 | * auth_tok_list. |
1367 | * @packet_size: This function writes the size of the parsed packet | 1367 | * @packet_size: This function writes the size of the parsed packet |
1368 | * into this memory location; zero on error. | 1368 | * into this memory location; zero on error. |
1369 | * @max_packet_size: maximum number of bytes to parse | 1369 | * @max_packet_size: maximum number of bytes to parse |
1370 | * | 1370 | * |
1371 | * Returns zero on success; non-zero on error. | 1371 | * Returns zero on success; non-zero on error. |
1372 | */ | 1372 | */ |
1373 | static int | 1373 | static int |
1374 | parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_stat, | 1374 | parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_stat, |
1375 | unsigned char *data, struct list_head *auth_tok_list, | 1375 | unsigned char *data, struct list_head *auth_tok_list, |
1376 | struct ecryptfs_auth_tok **new_auth_tok, | 1376 | struct ecryptfs_auth_tok **new_auth_tok, |
1377 | size_t *packet_size, size_t max_packet_size) | 1377 | size_t *packet_size, size_t max_packet_size) |
1378 | { | 1378 | { |
1379 | size_t body_size; | 1379 | size_t body_size; |
1380 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item; | 1380 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item; |
1381 | size_t length_size; | 1381 | size_t length_size; |
1382 | int rc = 0; | 1382 | int rc = 0; |
1383 | 1383 | ||
1384 | (*packet_size) = 0; | 1384 | (*packet_size) = 0; |
1385 | (*new_auth_tok) = NULL; | 1385 | (*new_auth_tok) = NULL; |
1386 | /** | 1386 | /** |
1387 | *This format is inspired by OpenPGP; see RFC 2440 | 1387 | *This format is inspired by OpenPGP; see RFC 2440 |
1388 | * packet tag 3 | 1388 | * packet tag 3 |
1389 | * | 1389 | * |
1390 | * Tag 3 identifier (1 byte) | 1390 | * Tag 3 identifier (1 byte) |
1391 | * Max Tag 3 packet size (max 3 bytes) | 1391 | * Max Tag 3 packet size (max 3 bytes) |
1392 | * Version (1 byte) | 1392 | * Version (1 byte) |
1393 | * Cipher code (1 byte) | 1393 | * Cipher code (1 byte) |
1394 | * S2K specifier (1 byte) | 1394 | * S2K specifier (1 byte) |
1395 | * Hash identifier (1 byte) | 1395 | * Hash identifier (1 byte) |
1396 | * Salt (ECRYPTFS_SALT_SIZE) | 1396 | * Salt (ECRYPTFS_SALT_SIZE) |
1397 | * Hash iterations (1 byte) | 1397 | * Hash iterations (1 byte) |
1398 | * Encrypted key (arbitrary) | 1398 | * Encrypted key (arbitrary) |
1399 | * | 1399 | * |
1400 | * (ECRYPTFS_SALT_SIZE + 7) minimum packet size | 1400 | * (ECRYPTFS_SALT_SIZE + 7) minimum packet size |
1401 | */ | 1401 | */ |
1402 | if (max_packet_size < (ECRYPTFS_SALT_SIZE + 7)) { | 1402 | if (max_packet_size < (ECRYPTFS_SALT_SIZE + 7)) { |
1403 | printk(KERN_ERR "Max packet size too large\n"); | 1403 | printk(KERN_ERR "Max packet size too large\n"); |
1404 | rc = -EINVAL; | 1404 | rc = -EINVAL; |
1405 | goto out; | 1405 | goto out; |
1406 | } | 1406 | } |
1407 | if (data[(*packet_size)++] != ECRYPTFS_TAG_3_PACKET_TYPE) { | 1407 | if (data[(*packet_size)++] != ECRYPTFS_TAG_3_PACKET_TYPE) { |
1408 | printk(KERN_ERR "First byte != 0x%.2x; invalid packet\n", | 1408 | printk(KERN_ERR "First byte != 0x%.2x; invalid packet\n", |
1409 | ECRYPTFS_TAG_3_PACKET_TYPE); | 1409 | ECRYPTFS_TAG_3_PACKET_TYPE); |
1410 | rc = -EINVAL; | 1410 | rc = -EINVAL; |
1411 | goto out; | 1411 | goto out; |
1412 | } | 1412 | } |
1413 | /* Released: wipe_auth_tok_list called in ecryptfs_parse_packet_set or | 1413 | /* Released: wipe_auth_tok_list called in ecryptfs_parse_packet_set or |
1414 | * at end of function upon failure */ | 1414 | * at end of function upon failure */ |
1415 | auth_tok_list_item = | 1415 | auth_tok_list_item = |
1416 | kmem_cache_zalloc(ecryptfs_auth_tok_list_item_cache, GFP_KERNEL); | 1416 | kmem_cache_zalloc(ecryptfs_auth_tok_list_item_cache, GFP_KERNEL); |
1417 | if (!auth_tok_list_item) { | 1417 | if (!auth_tok_list_item) { |
1418 | printk(KERN_ERR "Unable to allocate memory\n"); | 1418 | printk(KERN_ERR "Unable to allocate memory\n"); |
1419 | rc = -ENOMEM; | 1419 | rc = -ENOMEM; |
1420 | goto out; | 1420 | goto out; |
1421 | } | 1421 | } |
1422 | (*new_auth_tok) = &auth_tok_list_item->auth_tok; | 1422 | (*new_auth_tok) = &auth_tok_list_item->auth_tok; |
1423 | rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size, | 1423 | rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size, |
1424 | &length_size); | 1424 | &length_size); |
1425 | if (rc) { | 1425 | if (rc) { |
1426 | printk(KERN_WARNING "Error parsing packet length; rc = [%d]\n", | 1426 | printk(KERN_WARNING "Error parsing packet length; rc = [%d]\n", |
1427 | rc); | 1427 | rc); |
1428 | goto out_free; | 1428 | goto out_free; |
1429 | } | 1429 | } |
1430 | if (unlikely(body_size < (ECRYPTFS_SALT_SIZE + 5))) { | 1430 | if (unlikely(body_size < (ECRYPTFS_SALT_SIZE + 5))) { |
1431 | printk(KERN_WARNING "Invalid body size ([%td])\n", body_size); | 1431 | printk(KERN_WARNING "Invalid body size ([%td])\n", body_size); |
1432 | rc = -EINVAL; | 1432 | rc = -EINVAL; |
1433 | goto out_free; | 1433 | goto out_free; |
1434 | } | 1434 | } |
1435 | (*packet_size) += length_size; | 1435 | (*packet_size) += length_size; |
1436 | if (unlikely((*packet_size) + body_size > max_packet_size)) { | 1436 | if (unlikely((*packet_size) + body_size > max_packet_size)) { |
1437 | printk(KERN_ERR "Packet size exceeds max\n"); | 1437 | printk(KERN_ERR "Packet size exceeds max\n"); |
1438 | rc = -EINVAL; | 1438 | rc = -EINVAL; |
1439 | goto out_free; | 1439 | goto out_free; |
1440 | } | 1440 | } |
1441 | (*new_auth_tok)->session_key.encrypted_key_size = | 1441 | (*new_auth_tok)->session_key.encrypted_key_size = |
1442 | (body_size - (ECRYPTFS_SALT_SIZE + 5)); | 1442 | (body_size - (ECRYPTFS_SALT_SIZE + 5)); |
1443 | if ((*new_auth_tok)->session_key.encrypted_key_size | 1443 | if ((*new_auth_tok)->session_key.encrypted_key_size |
1444 | > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) { | 1444 | > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) { |
1445 | printk(KERN_WARNING "Tag 3 packet contains key larger " | 1445 | printk(KERN_WARNING "Tag 3 packet contains key larger " |
1446 | "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n"); | 1446 | "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n"); |
1447 | rc = -EINVAL; | 1447 | rc = -EINVAL; |
1448 | goto out_free; | 1448 | goto out_free; |
1449 | } | 1449 | } |
1450 | if (unlikely(data[(*packet_size)++] != 0x04)) { | 1450 | if (unlikely(data[(*packet_size)++] != 0x04)) { |
1451 | printk(KERN_WARNING "Unknown version number [%d]\n", | 1451 | printk(KERN_WARNING "Unknown version number [%d]\n", |
1452 | data[(*packet_size) - 1]); | 1452 | data[(*packet_size) - 1]); |
1453 | rc = -EINVAL; | 1453 | rc = -EINVAL; |
1454 | goto out_free; | 1454 | goto out_free; |
1455 | } | 1455 | } |
1456 | rc = ecryptfs_cipher_code_to_string(crypt_stat->cipher, | 1456 | rc = ecryptfs_cipher_code_to_string(crypt_stat->cipher, |
1457 | (u16)data[(*packet_size)]); | 1457 | (u16)data[(*packet_size)]); |
1458 | if (rc) | 1458 | if (rc) |
1459 | goto out_free; | 1459 | goto out_free; |
1460 | /* A little extra work to differentiate among the AES key | 1460 | /* A little extra work to differentiate among the AES key |
1461 | * sizes; see RFC2440 */ | 1461 | * sizes; see RFC2440 */ |
1462 | switch(data[(*packet_size)++]) { | 1462 | switch(data[(*packet_size)++]) { |
1463 | case RFC2440_CIPHER_AES_192: | 1463 | case RFC2440_CIPHER_AES_192: |
1464 | crypt_stat->key_size = 24; | 1464 | crypt_stat->key_size = 24; |
1465 | break; | 1465 | break; |
1466 | default: | 1466 | default: |
1467 | crypt_stat->key_size = | 1467 | crypt_stat->key_size = |
1468 | (*new_auth_tok)->session_key.encrypted_key_size; | 1468 | (*new_auth_tok)->session_key.encrypted_key_size; |
1469 | } | 1469 | } |
1470 | rc = ecryptfs_init_crypt_ctx(crypt_stat); | 1470 | rc = ecryptfs_init_crypt_ctx(crypt_stat); |
1471 | if (rc) | 1471 | if (rc) |
1472 | goto out_free; | 1472 | goto out_free; |
1473 | if (unlikely(data[(*packet_size)++] != 0x03)) { | 1473 | if (unlikely(data[(*packet_size)++] != 0x03)) { |
1474 | printk(KERN_WARNING "Only S2K ID 3 is currently supported\n"); | 1474 | printk(KERN_WARNING "Only S2K ID 3 is currently supported\n"); |
1475 | rc = -ENOSYS; | 1475 | rc = -ENOSYS; |
1476 | goto out_free; | 1476 | goto out_free; |
1477 | } | 1477 | } |
1478 | /* TODO: finish the hash mapping */ | 1478 | /* TODO: finish the hash mapping */ |
1479 | switch (data[(*packet_size)++]) { | 1479 | switch (data[(*packet_size)++]) { |
1480 | case 0x01: /* See RFC2440 for these numbers and their mappings */ | 1480 | case 0x01: /* See RFC2440 for these numbers and their mappings */ |
1481 | /* Choose MD5 */ | 1481 | /* Choose MD5 */ |
1482 | memcpy((*new_auth_tok)->token.password.salt, | 1482 | memcpy((*new_auth_tok)->token.password.salt, |
1483 | &data[(*packet_size)], ECRYPTFS_SALT_SIZE); | 1483 | &data[(*packet_size)], ECRYPTFS_SALT_SIZE); |
1484 | (*packet_size) += ECRYPTFS_SALT_SIZE; | 1484 | (*packet_size) += ECRYPTFS_SALT_SIZE; |
1485 | /* This conversion was taken straight from RFC2440 */ | 1485 | /* This conversion was taken straight from RFC2440 */ |
1486 | (*new_auth_tok)->token.password.hash_iterations = | 1486 | (*new_auth_tok)->token.password.hash_iterations = |
1487 | ((u32) 16 + (data[(*packet_size)] & 15)) | 1487 | ((u32) 16 + (data[(*packet_size)] & 15)) |
1488 | << ((data[(*packet_size)] >> 4) + 6); | 1488 | << ((data[(*packet_size)] >> 4) + 6); |
1489 | (*packet_size)++; | 1489 | (*packet_size)++; |
1490 | /* Friendly reminder: | 1490 | /* Friendly reminder: |
1491 | * (*new_auth_tok)->session_key.encrypted_key_size = | 1491 | * (*new_auth_tok)->session_key.encrypted_key_size = |
1492 | * (body_size - (ECRYPTFS_SALT_SIZE + 5)); */ | 1492 | * (body_size - (ECRYPTFS_SALT_SIZE + 5)); */ |
1493 | memcpy((*new_auth_tok)->session_key.encrypted_key, | 1493 | memcpy((*new_auth_tok)->session_key.encrypted_key, |
1494 | &data[(*packet_size)], | 1494 | &data[(*packet_size)], |
1495 | (*new_auth_tok)->session_key.encrypted_key_size); | 1495 | (*new_auth_tok)->session_key.encrypted_key_size); |
1496 | (*packet_size) += | 1496 | (*packet_size) += |
1497 | (*new_auth_tok)->session_key.encrypted_key_size; | 1497 | (*new_auth_tok)->session_key.encrypted_key_size; |
1498 | (*new_auth_tok)->session_key.flags &= | 1498 | (*new_auth_tok)->session_key.flags &= |
1499 | ~ECRYPTFS_CONTAINS_DECRYPTED_KEY; | 1499 | ~ECRYPTFS_CONTAINS_DECRYPTED_KEY; |
1500 | (*new_auth_tok)->session_key.flags |= | 1500 | (*new_auth_tok)->session_key.flags |= |
1501 | ECRYPTFS_CONTAINS_ENCRYPTED_KEY; | 1501 | ECRYPTFS_CONTAINS_ENCRYPTED_KEY; |
1502 | (*new_auth_tok)->token.password.hash_algo = 0x01; /* MD5 */ | 1502 | (*new_auth_tok)->token.password.hash_algo = 0x01; /* MD5 */ |
1503 | break; | 1503 | break; |
1504 | default: | 1504 | default: |
1505 | ecryptfs_printk(KERN_ERR, "Unsupported hash algorithm: " | 1505 | ecryptfs_printk(KERN_ERR, "Unsupported hash algorithm: " |
1506 | "[%d]\n", data[(*packet_size) - 1]); | 1506 | "[%d]\n", data[(*packet_size) - 1]); |
1507 | rc = -ENOSYS; | 1507 | rc = -ENOSYS; |
1508 | goto out_free; | 1508 | goto out_free; |
1509 | } | 1509 | } |
1510 | (*new_auth_tok)->token_type = ECRYPTFS_PASSWORD; | 1510 | (*new_auth_tok)->token_type = ECRYPTFS_PASSWORD; |
1511 | /* TODO: Parametarize; we might actually want userspace to | 1511 | /* TODO: Parametarize; we might actually want userspace to |
1512 | * decrypt the session key. */ | 1512 | * decrypt the session key. */ |
1513 | (*new_auth_tok)->session_key.flags &= | 1513 | (*new_auth_tok)->session_key.flags &= |
1514 | ~(ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT); | 1514 | ~(ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT); |
1515 | (*new_auth_tok)->session_key.flags &= | 1515 | (*new_auth_tok)->session_key.flags &= |
1516 | ~(ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT); | 1516 | ~(ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT); |
1517 | list_add(&auth_tok_list_item->list, auth_tok_list); | 1517 | list_add(&auth_tok_list_item->list, auth_tok_list); |
1518 | goto out; | 1518 | goto out; |
1519 | out_free: | 1519 | out_free: |
1520 | (*new_auth_tok) = NULL; | 1520 | (*new_auth_tok) = NULL; |
1521 | memset(auth_tok_list_item, 0, | 1521 | memset(auth_tok_list_item, 0, |
1522 | sizeof(struct ecryptfs_auth_tok_list_item)); | 1522 | sizeof(struct ecryptfs_auth_tok_list_item)); |
1523 | kmem_cache_free(ecryptfs_auth_tok_list_item_cache, | 1523 | kmem_cache_free(ecryptfs_auth_tok_list_item_cache, |
1524 | auth_tok_list_item); | 1524 | auth_tok_list_item); |
1525 | out: | 1525 | out: |
1526 | if (rc) | 1526 | if (rc) |
1527 | (*packet_size) = 0; | 1527 | (*packet_size) = 0; |
1528 | return rc; | 1528 | return rc; |
1529 | } | 1529 | } |
1530 | 1530 | ||
1531 | /** | 1531 | /** |
1532 | * parse_tag_11_packet | 1532 | * parse_tag_11_packet |
1533 | * @data: The raw bytes of the packet | 1533 | * @data: The raw bytes of the packet |
1534 | * @contents: This function writes the data contents of the literal | 1534 | * @contents: This function writes the data contents of the literal |
1535 | * packet into this memory location | 1535 | * packet into this memory location |
1536 | * @max_contents_bytes: The maximum number of bytes that this function | 1536 | * @max_contents_bytes: The maximum number of bytes that this function |
1537 | * is allowed to write into contents | 1537 | * is allowed to write into contents |
1538 | * @tag_11_contents_size: This function writes the size of the parsed | 1538 | * @tag_11_contents_size: This function writes the size of the parsed |
1539 | * contents into this memory location; zero on | 1539 | * contents into this memory location; zero on |
1540 | * error | 1540 | * error |
1541 | * @packet_size: This function writes the size of the parsed packet | 1541 | * @packet_size: This function writes the size of the parsed packet |
1542 | * into this memory location; zero on error | 1542 | * into this memory location; zero on error |
1543 | * @max_packet_size: maximum number of bytes to parse | 1543 | * @max_packet_size: maximum number of bytes to parse |
1544 | * | 1544 | * |
1545 | * Returns zero on success; non-zero on error. | 1545 | * Returns zero on success; non-zero on error. |
1546 | */ | 1546 | */ |
1547 | static int | 1547 | static int |
1548 | parse_tag_11_packet(unsigned char *data, unsigned char *contents, | 1548 | parse_tag_11_packet(unsigned char *data, unsigned char *contents, |
1549 | size_t max_contents_bytes, size_t *tag_11_contents_size, | 1549 | size_t max_contents_bytes, size_t *tag_11_contents_size, |
1550 | size_t *packet_size, size_t max_packet_size) | 1550 | size_t *packet_size, size_t max_packet_size) |
1551 | { | 1551 | { |
1552 | size_t body_size; | 1552 | size_t body_size; |
1553 | size_t length_size; | 1553 | size_t length_size; |
1554 | int rc = 0; | 1554 | int rc = 0; |
1555 | 1555 | ||
1556 | (*packet_size) = 0; | 1556 | (*packet_size) = 0; |
1557 | (*tag_11_contents_size) = 0; | 1557 | (*tag_11_contents_size) = 0; |
1558 | /* This format is inspired by OpenPGP; see RFC 2440 | 1558 | /* This format is inspired by OpenPGP; see RFC 2440 |
1559 | * packet tag 11 | 1559 | * packet tag 11 |
1560 | * | 1560 | * |
1561 | * Tag 11 identifier (1 byte) | 1561 | * Tag 11 identifier (1 byte) |
1562 | * Max Tag 11 packet size (max 3 bytes) | 1562 | * Max Tag 11 packet size (max 3 bytes) |
1563 | * Binary format specifier (1 byte) | 1563 | * Binary format specifier (1 byte) |
1564 | * Filename length (1 byte) | 1564 | * Filename length (1 byte) |
1565 | * Filename ("_CONSOLE") (8 bytes) | 1565 | * Filename ("_CONSOLE") (8 bytes) |
1566 | * Modification date (4 bytes) | 1566 | * Modification date (4 bytes) |
1567 | * Literal data (arbitrary) | 1567 | * Literal data (arbitrary) |
1568 | * | 1568 | * |
1569 | * We need at least 16 bytes of data for the packet to even be | 1569 | * We need at least 16 bytes of data for the packet to even be |
1570 | * valid. | 1570 | * valid. |
1571 | */ | 1571 | */ |
1572 | if (max_packet_size < 16) { | 1572 | if (max_packet_size < 16) { |
1573 | printk(KERN_ERR "Maximum packet size too small\n"); | 1573 | printk(KERN_ERR "Maximum packet size too small\n"); |
1574 | rc = -EINVAL; | 1574 | rc = -EINVAL; |
1575 | goto out; | 1575 | goto out; |
1576 | } | 1576 | } |
1577 | if (data[(*packet_size)++] != ECRYPTFS_TAG_11_PACKET_TYPE) { | 1577 | if (data[(*packet_size)++] != ECRYPTFS_TAG_11_PACKET_TYPE) { |
1578 | printk(KERN_WARNING "Invalid tag 11 packet format\n"); | 1578 | printk(KERN_WARNING "Invalid tag 11 packet format\n"); |
1579 | rc = -EINVAL; | 1579 | rc = -EINVAL; |
1580 | goto out; | 1580 | goto out; |
1581 | } | 1581 | } |
1582 | rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size, | 1582 | rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size, |
1583 | &length_size); | 1583 | &length_size); |
1584 | if (rc) { | 1584 | if (rc) { |
1585 | printk(KERN_WARNING "Invalid tag 11 packet format\n"); | 1585 | printk(KERN_WARNING "Invalid tag 11 packet format\n"); |
1586 | goto out; | 1586 | goto out; |
1587 | } | 1587 | } |
1588 | if (body_size < 14) { | 1588 | if (body_size < 14) { |
1589 | printk(KERN_WARNING "Invalid body size ([%td])\n", body_size); | 1589 | printk(KERN_WARNING "Invalid body size ([%td])\n", body_size); |
1590 | rc = -EINVAL; | 1590 | rc = -EINVAL; |
1591 | goto out; | 1591 | goto out; |
1592 | } | 1592 | } |
1593 | (*packet_size) += length_size; | 1593 | (*packet_size) += length_size; |
1594 | (*tag_11_contents_size) = (body_size - 14); | 1594 | (*tag_11_contents_size) = (body_size - 14); |
1595 | if (unlikely((*packet_size) + body_size + 1 > max_packet_size)) { | 1595 | if (unlikely((*packet_size) + body_size + 1 > max_packet_size)) { |
1596 | printk(KERN_ERR "Packet size exceeds max\n"); | 1596 | printk(KERN_ERR "Packet size exceeds max\n"); |
1597 | rc = -EINVAL; | 1597 | rc = -EINVAL; |
1598 | goto out; | 1598 | goto out; |
1599 | } | 1599 | } |
1600 | if (unlikely((*tag_11_contents_size) > max_contents_bytes)) { | 1600 | if (unlikely((*tag_11_contents_size) > max_contents_bytes)) { |
1601 | printk(KERN_ERR "Literal data section in tag 11 packet exceeds " | 1601 | printk(KERN_ERR "Literal data section in tag 11 packet exceeds " |
1602 | "expected size\n"); | 1602 | "expected size\n"); |
1603 | rc = -EINVAL; | 1603 | rc = -EINVAL; |
1604 | goto out; | 1604 | goto out; |
1605 | } | 1605 | } |
1606 | if (data[(*packet_size)++] != 0x62) { | 1606 | if (data[(*packet_size)++] != 0x62) { |
1607 | printk(KERN_WARNING "Unrecognizable packet\n"); | 1607 | printk(KERN_WARNING "Unrecognizable packet\n"); |
1608 | rc = -EINVAL; | 1608 | rc = -EINVAL; |
1609 | goto out; | 1609 | goto out; |
1610 | } | 1610 | } |
1611 | if (data[(*packet_size)++] != 0x08) { | 1611 | if (data[(*packet_size)++] != 0x08) { |
1612 | printk(KERN_WARNING "Unrecognizable packet\n"); | 1612 | printk(KERN_WARNING "Unrecognizable packet\n"); |
1613 | rc = -EINVAL; | 1613 | rc = -EINVAL; |
1614 | goto out; | 1614 | goto out; |
1615 | } | 1615 | } |
1616 | (*packet_size) += 12; /* Ignore filename and modification date */ | 1616 | (*packet_size) += 12; /* Ignore filename and modification date */ |
1617 | memcpy(contents, &data[(*packet_size)], (*tag_11_contents_size)); | 1617 | memcpy(contents, &data[(*packet_size)], (*tag_11_contents_size)); |
1618 | (*packet_size) += (*tag_11_contents_size); | 1618 | (*packet_size) += (*tag_11_contents_size); |
1619 | out: | 1619 | out: |
1620 | if (rc) { | 1620 | if (rc) { |
1621 | (*packet_size) = 0; | 1621 | (*packet_size) = 0; |
1622 | (*tag_11_contents_size) = 0; | 1622 | (*tag_11_contents_size) = 0; |
1623 | } | 1623 | } |
1624 | return rc; | 1624 | return rc; |
1625 | } | 1625 | } |
1626 | 1626 | ||
1627 | int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key, | 1627 | int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key, |
1628 | struct ecryptfs_auth_tok **auth_tok, | 1628 | struct ecryptfs_auth_tok **auth_tok, |
1629 | char *sig) | 1629 | char *sig) |
1630 | { | 1630 | { |
1631 | int rc = 0; | 1631 | int rc = 0; |
1632 | 1632 | ||
1633 | (*auth_tok_key) = request_key(&key_type_user, sig, NULL); | 1633 | (*auth_tok_key) = request_key(&key_type_user, sig, NULL); |
1634 | if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) { | 1634 | if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) { |
1635 | (*auth_tok_key) = ecryptfs_get_encrypted_key(sig); | 1635 | (*auth_tok_key) = ecryptfs_get_encrypted_key(sig); |
1636 | if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) { | 1636 | if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) { |
1637 | printk(KERN_ERR "Could not find key with description: [%s]\n", | 1637 | printk(KERN_ERR "Could not find key with description: [%s]\n", |
1638 | sig); | 1638 | sig); |
1639 | rc = process_request_key_err(PTR_ERR(*auth_tok_key)); | 1639 | rc = process_request_key_err(PTR_ERR(*auth_tok_key)); |
1640 | (*auth_tok_key) = NULL; | 1640 | (*auth_tok_key) = NULL; |
1641 | goto out; | 1641 | goto out; |
1642 | } | 1642 | } |
1643 | } | 1643 | } |
1644 | down_write(&(*auth_tok_key)->sem); | 1644 | down_write(&(*auth_tok_key)->sem); |
1645 | rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok); | 1645 | rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok); |
1646 | if (rc) { | 1646 | if (rc) { |
1647 | up_write(&(*auth_tok_key)->sem); | 1647 | up_write(&(*auth_tok_key)->sem); |
1648 | key_put(*auth_tok_key); | 1648 | key_put(*auth_tok_key); |
1649 | (*auth_tok_key) = NULL; | 1649 | (*auth_tok_key) = NULL; |
1650 | goto out; | 1650 | goto out; |
1651 | } | 1651 | } |
1652 | out: | 1652 | out: |
1653 | return rc; | 1653 | return rc; |
1654 | } | 1654 | } |
1655 | 1655 | ||
1656 | /** | 1656 | /** |
1657 | * decrypt_passphrase_encrypted_session_key - Decrypt the session key with the given auth_tok. | 1657 | * decrypt_passphrase_encrypted_session_key - Decrypt the session key with the given auth_tok. |
1658 | * @auth_tok: The passphrase authentication token to use to encrypt the FEK | 1658 | * @auth_tok: The passphrase authentication token to use to encrypt the FEK |
1659 | * @crypt_stat: The cryptographic context | 1659 | * @crypt_stat: The cryptographic context |
1660 | * | 1660 | * |
1661 | * Returns zero on success; non-zero error otherwise | 1661 | * Returns zero on success; non-zero error otherwise |
1662 | */ | 1662 | */ |
1663 | static int | 1663 | static int |
1664 | decrypt_passphrase_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok, | 1664 | decrypt_passphrase_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok, |
1665 | struct ecryptfs_crypt_stat *crypt_stat) | 1665 | struct ecryptfs_crypt_stat *crypt_stat) |
1666 | { | 1666 | { |
1667 | struct scatterlist dst_sg[2]; | 1667 | struct scatterlist dst_sg[2]; |
1668 | struct scatterlist src_sg[2]; | 1668 | struct scatterlist src_sg[2]; |
1669 | struct mutex *tfm_mutex; | 1669 | struct mutex *tfm_mutex; |
1670 | struct blkcipher_desc desc = { | 1670 | struct blkcipher_desc desc = { |
1671 | .flags = CRYPTO_TFM_REQ_MAY_SLEEP | 1671 | .flags = CRYPTO_TFM_REQ_MAY_SLEEP |
1672 | }; | 1672 | }; |
1673 | int rc = 0; | 1673 | int rc = 0; |
1674 | 1674 | ||
1675 | if (unlikely(ecryptfs_verbosity > 0)) { | 1675 | if (unlikely(ecryptfs_verbosity > 0)) { |
1676 | ecryptfs_printk( | 1676 | ecryptfs_printk( |
1677 | KERN_DEBUG, "Session key encryption key (size [%d]):\n", | 1677 | KERN_DEBUG, "Session key encryption key (size [%d]):\n", |
1678 | auth_tok->token.password.session_key_encryption_key_bytes); | 1678 | auth_tok->token.password.session_key_encryption_key_bytes); |
1679 | ecryptfs_dump_hex( | 1679 | ecryptfs_dump_hex( |
1680 | auth_tok->token.password.session_key_encryption_key, | 1680 | auth_tok->token.password.session_key_encryption_key, |
1681 | auth_tok->token.password.session_key_encryption_key_bytes); | 1681 | auth_tok->token.password.session_key_encryption_key_bytes); |
1682 | } | 1682 | } |
1683 | rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&desc.tfm, &tfm_mutex, | 1683 | rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&desc.tfm, &tfm_mutex, |
1684 | crypt_stat->cipher); | 1684 | crypt_stat->cipher); |
1685 | if (unlikely(rc)) { | 1685 | if (unlikely(rc)) { |
1686 | printk(KERN_ERR "Internal error whilst attempting to get " | 1686 | printk(KERN_ERR "Internal error whilst attempting to get " |
1687 | "tfm and mutex for cipher name [%s]; rc = [%d]\n", | 1687 | "tfm and mutex for cipher name [%s]; rc = [%d]\n", |
1688 | crypt_stat->cipher, rc); | 1688 | crypt_stat->cipher, rc); |
1689 | goto out; | 1689 | goto out; |
1690 | } | 1690 | } |
1691 | rc = virt_to_scatterlist(auth_tok->session_key.encrypted_key, | 1691 | rc = virt_to_scatterlist(auth_tok->session_key.encrypted_key, |
1692 | auth_tok->session_key.encrypted_key_size, | 1692 | auth_tok->session_key.encrypted_key_size, |
1693 | src_sg, 2); | 1693 | src_sg, 2); |
1694 | if (rc < 1 || rc > 2) { | 1694 | if (rc < 1 || rc > 2) { |
1695 | printk(KERN_ERR "Internal error whilst attempting to convert " | 1695 | printk(KERN_ERR "Internal error whilst attempting to convert " |
1696 | "auth_tok->session_key.encrypted_key to scatterlist; " | 1696 | "auth_tok->session_key.encrypted_key to scatterlist; " |
1697 | "expected rc = 1; got rc = [%d]. " | 1697 | "expected rc = 1; got rc = [%d]. " |
1698 | "auth_tok->session_key.encrypted_key_size = [%d]\n", rc, | 1698 | "auth_tok->session_key.encrypted_key_size = [%d]\n", rc, |
1699 | auth_tok->session_key.encrypted_key_size); | 1699 | auth_tok->session_key.encrypted_key_size); |
1700 | goto out; | 1700 | goto out; |
1701 | } | 1701 | } |
1702 | auth_tok->session_key.decrypted_key_size = | 1702 | auth_tok->session_key.decrypted_key_size = |
1703 | auth_tok->session_key.encrypted_key_size; | 1703 | auth_tok->session_key.encrypted_key_size; |
1704 | rc = virt_to_scatterlist(auth_tok->session_key.decrypted_key, | 1704 | rc = virt_to_scatterlist(auth_tok->session_key.decrypted_key, |
1705 | auth_tok->session_key.decrypted_key_size, | 1705 | auth_tok->session_key.decrypted_key_size, |
1706 | dst_sg, 2); | 1706 | dst_sg, 2); |
1707 | if (rc < 1 || rc > 2) { | 1707 | if (rc < 1 || rc > 2) { |
1708 | printk(KERN_ERR "Internal error whilst attempting to convert " | 1708 | printk(KERN_ERR "Internal error whilst attempting to convert " |
1709 | "auth_tok->session_key.decrypted_key to scatterlist; " | 1709 | "auth_tok->session_key.decrypted_key to scatterlist; " |
1710 | "expected rc = 1; got rc = [%d]\n", rc); | 1710 | "expected rc = 1; got rc = [%d]\n", rc); |
1711 | goto out; | 1711 | goto out; |
1712 | } | 1712 | } |
1713 | mutex_lock(tfm_mutex); | 1713 | mutex_lock(tfm_mutex); |
1714 | rc = crypto_blkcipher_setkey( | 1714 | rc = crypto_blkcipher_setkey( |
1715 | desc.tfm, auth_tok->token.password.session_key_encryption_key, | 1715 | desc.tfm, auth_tok->token.password.session_key_encryption_key, |
1716 | crypt_stat->key_size); | 1716 | crypt_stat->key_size); |
1717 | if (unlikely(rc < 0)) { | 1717 | if (unlikely(rc < 0)) { |
1718 | mutex_unlock(tfm_mutex); | 1718 | mutex_unlock(tfm_mutex); |
1719 | printk(KERN_ERR "Error setting key for crypto context\n"); | 1719 | printk(KERN_ERR "Error setting key for crypto context\n"); |
1720 | rc = -EINVAL; | 1720 | rc = -EINVAL; |
1721 | goto out; | 1721 | goto out; |
1722 | } | 1722 | } |
1723 | rc = crypto_blkcipher_decrypt(&desc, dst_sg, src_sg, | 1723 | rc = crypto_blkcipher_decrypt(&desc, dst_sg, src_sg, |
1724 | auth_tok->session_key.encrypted_key_size); | 1724 | auth_tok->session_key.encrypted_key_size); |
1725 | mutex_unlock(tfm_mutex); | 1725 | mutex_unlock(tfm_mutex); |
1726 | if (unlikely(rc)) { | 1726 | if (unlikely(rc)) { |
1727 | printk(KERN_ERR "Error decrypting; rc = [%d]\n", rc); | 1727 | printk(KERN_ERR "Error decrypting; rc = [%d]\n", rc); |
1728 | goto out; | 1728 | goto out; |
1729 | } | 1729 | } |
1730 | auth_tok->session_key.flags |= ECRYPTFS_CONTAINS_DECRYPTED_KEY; | 1730 | auth_tok->session_key.flags |= ECRYPTFS_CONTAINS_DECRYPTED_KEY; |
1731 | memcpy(crypt_stat->key, auth_tok->session_key.decrypted_key, | 1731 | memcpy(crypt_stat->key, auth_tok->session_key.decrypted_key, |
1732 | auth_tok->session_key.decrypted_key_size); | 1732 | auth_tok->session_key.decrypted_key_size); |
1733 | crypt_stat->flags |= ECRYPTFS_KEY_VALID; | 1733 | crypt_stat->flags |= ECRYPTFS_KEY_VALID; |
1734 | if (unlikely(ecryptfs_verbosity > 0)) { | 1734 | if (unlikely(ecryptfs_verbosity > 0)) { |
1735 | ecryptfs_printk(KERN_DEBUG, "FEK of size [%zd]:\n", | 1735 | ecryptfs_printk(KERN_DEBUG, "FEK of size [%zd]:\n", |
1736 | crypt_stat->key_size); | 1736 | crypt_stat->key_size); |
1737 | ecryptfs_dump_hex(crypt_stat->key, | 1737 | ecryptfs_dump_hex(crypt_stat->key, |
1738 | crypt_stat->key_size); | 1738 | crypt_stat->key_size); |
1739 | } | 1739 | } |
1740 | out: | 1740 | out: |
1741 | return rc; | 1741 | return rc; |
1742 | } | 1742 | } |
1743 | 1743 | ||
1744 | /** | 1744 | /** |
1745 | * ecryptfs_parse_packet_set | 1745 | * ecryptfs_parse_packet_set |
1746 | * @crypt_stat: The cryptographic context | 1746 | * @crypt_stat: The cryptographic context |
1747 | * @src: Virtual address of region of memory containing the packets | 1747 | * @src: Virtual address of region of memory containing the packets |
1748 | * @ecryptfs_dentry: The eCryptfs dentry associated with the packet set | 1748 | * @ecryptfs_dentry: The eCryptfs dentry associated with the packet set |
1749 | * | 1749 | * |
1750 | * Get crypt_stat to have the file's session key if the requisite key | 1750 | * Get crypt_stat to have the file's session key if the requisite key |
1751 | * is available to decrypt the session key. | 1751 | * is available to decrypt the session key. |
1752 | * | 1752 | * |
1753 | * Returns Zero if a valid authentication token was retrieved and | 1753 | * Returns Zero if a valid authentication token was retrieved and |
1754 | * processed; negative value for file not encrypted or for error | 1754 | * processed; negative value for file not encrypted or for error |
1755 | * conditions. | 1755 | * conditions. |
1756 | */ | 1756 | */ |
1757 | int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat, | 1757 | int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat, |
1758 | unsigned char *src, | 1758 | unsigned char *src, |
1759 | struct dentry *ecryptfs_dentry) | 1759 | struct dentry *ecryptfs_dentry) |
1760 | { | 1760 | { |
1761 | size_t i = 0; | 1761 | size_t i = 0; |
1762 | size_t found_auth_tok; | 1762 | size_t found_auth_tok; |
1763 | size_t next_packet_is_auth_tok_packet; | 1763 | size_t next_packet_is_auth_tok_packet; |
1764 | struct list_head auth_tok_list; | 1764 | struct list_head auth_tok_list; |
1765 | struct ecryptfs_auth_tok *matching_auth_tok; | 1765 | struct ecryptfs_auth_tok *matching_auth_tok; |
1766 | struct ecryptfs_auth_tok *candidate_auth_tok; | 1766 | struct ecryptfs_auth_tok *candidate_auth_tok; |
1767 | char *candidate_auth_tok_sig; | 1767 | char *candidate_auth_tok_sig; |
1768 | size_t packet_size; | 1768 | size_t packet_size; |
1769 | struct ecryptfs_auth_tok *new_auth_tok; | 1769 | struct ecryptfs_auth_tok *new_auth_tok; |
1770 | unsigned char sig_tmp_space[ECRYPTFS_SIG_SIZE]; | 1770 | unsigned char sig_tmp_space[ECRYPTFS_SIG_SIZE]; |
1771 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item; | 1771 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item; |
1772 | size_t tag_11_contents_size; | 1772 | size_t tag_11_contents_size; |
1773 | size_t tag_11_packet_size; | 1773 | size_t tag_11_packet_size; |
1774 | struct key *auth_tok_key = NULL; | 1774 | struct key *auth_tok_key = NULL; |
1775 | int rc = 0; | 1775 | int rc = 0; |
1776 | 1776 | ||
1777 | INIT_LIST_HEAD(&auth_tok_list); | 1777 | INIT_LIST_HEAD(&auth_tok_list); |
1778 | /* Parse the header to find as many packets as we can; these will be | 1778 | /* Parse the header to find as many packets as we can; these will be |
1779 | * added the our &auth_tok_list */ | 1779 | * added the our &auth_tok_list */ |
1780 | next_packet_is_auth_tok_packet = 1; | 1780 | next_packet_is_auth_tok_packet = 1; |
1781 | while (next_packet_is_auth_tok_packet) { | 1781 | while (next_packet_is_auth_tok_packet) { |
1782 | size_t max_packet_size = ((PAGE_CACHE_SIZE - 8) - i); | 1782 | size_t max_packet_size = ((PAGE_CACHE_SIZE - 8) - i); |
1783 | 1783 | ||
1784 | switch (src[i]) { | 1784 | switch (src[i]) { |
1785 | case ECRYPTFS_TAG_3_PACKET_TYPE: | 1785 | case ECRYPTFS_TAG_3_PACKET_TYPE: |
1786 | rc = parse_tag_3_packet(crypt_stat, | 1786 | rc = parse_tag_3_packet(crypt_stat, |
1787 | (unsigned char *)&src[i], | 1787 | (unsigned char *)&src[i], |
1788 | &auth_tok_list, &new_auth_tok, | 1788 | &auth_tok_list, &new_auth_tok, |
1789 | &packet_size, max_packet_size); | 1789 | &packet_size, max_packet_size); |
1790 | if (rc) { | 1790 | if (rc) { |
1791 | ecryptfs_printk(KERN_ERR, "Error parsing " | 1791 | ecryptfs_printk(KERN_ERR, "Error parsing " |
1792 | "tag 3 packet\n"); | 1792 | "tag 3 packet\n"); |
1793 | rc = -EIO; | 1793 | rc = -EIO; |
1794 | goto out_wipe_list; | 1794 | goto out_wipe_list; |
1795 | } | 1795 | } |
1796 | i += packet_size; | 1796 | i += packet_size; |
1797 | rc = parse_tag_11_packet((unsigned char *)&src[i], | 1797 | rc = parse_tag_11_packet((unsigned char *)&src[i], |
1798 | sig_tmp_space, | 1798 | sig_tmp_space, |
1799 | ECRYPTFS_SIG_SIZE, | 1799 | ECRYPTFS_SIG_SIZE, |
1800 | &tag_11_contents_size, | 1800 | &tag_11_contents_size, |
1801 | &tag_11_packet_size, | 1801 | &tag_11_packet_size, |
1802 | max_packet_size); | 1802 | max_packet_size); |
1803 | if (rc) { | 1803 | if (rc) { |
1804 | ecryptfs_printk(KERN_ERR, "No valid " | 1804 | ecryptfs_printk(KERN_ERR, "No valid " |
1805 | "(ecryptfs-specific) literal " | 1805 | "(ecryptfs-specific) literal " |
1806 | "packet containing " | 1806 | "packet containing " |
1807 | "authentication token " | 1807 | "authentication token " |
1808 | "signature found after " | 1808 | "signature found after " |
1809 | "tag 3 packet\n"); | 1809 | "tag 3 packet\n"); |
1810 | rc = -EIO; | 1810 | rc = -EIO; |
1811 | goto out_wipe_list; | 1811 | goto out_wipe_list; |
1812 | } | 1812 | } |
1813 | i += tag_11_packet_size; | 1813 | i += tag_11_packet_size; |
1814 | if (ECRYPTFS_SIG_SIZE != tag_11_contents_size) { | 1814 | if (ECRYPTFS_SIG_SIZE != tag_11_contents_size) { |
1815 | ecryptfs_printk(KERN_ERR, "Expected " | 1815 | ecryptfs_printk(KERN_ERR, "Expected " |
1816 | "signature of size [%d]; " | 1816 | "signature of size [%d]; " |
1817 | "read size [%zd]\n", | 1817 | "read size [%zd]\n", |
1818 | ECRYPTFS_SIG_SIZE, | 1818 | ECRYPTFS_SIG_SIZE, |
1819 | tag_11_contents_size); | 1819 | tag_11_contents_size); |
1820 | rc = -EIO; | 1820 | rc = -EIO; |
1821 | goto out_wipe_list; | 1821 | goto out_wipe_list; |
1822 | } | 1822 | } |
1823 | ecryptfs_to_hex(new_auth_tok->token.password.signature, | 1823 | ecryptfs_to_hex(new_auth_tok->token.password.signature, |
1824 | sig_tmp_space, tag_11_contents_size); | 1824 | sig_tmp_space, tag_11_contents_size); |
1825 | new_auth_tok->token.password.signature[ | 1825 | new_auth_tok->token.password.signature[ |
1826 | ECRYPTFS_PASSWORD_SIG_SIZE] = '\0'; | 1826 | ECRYPTFS_PASSWORD_SIG_SIZE] = '\0'; |
1827 | crypt_stat->flags |= ECRYPTFS_ENCRYPTED; | 1827 | crypt_stat->flags |= ECRYPTFS_ENCRYPTED; |
1828 | break; | 1828 | break; |
1829 | case ECRYPTFS_TAG_1_PACKET_TYPE: | 1829 | case ECRYPTFS_TAG_1_PACKET_TYPE: |
1830 | rc = parse_tag_1_packet(crypt_stat, | 1830 | rc = parse_tag_1_packet(crypt_stat, |
1831 | (unsigned char *)&src[i], | 1831 | (unsigned char *)&src[i], |
1832 | &auth_tok_list, &new_auth_tok, | 1832 | &auth_tok_list, &new_auth_tok, |
1833 | &packet_size, max_packet_size); | 1833 | &packet_size, max_packet_size); |
1834 | if (rc) { | 1834 | if (rc) { |
1835 | ecryptfs_printk(KERN_ERR, "Error parsing " | 1835 | ecryptfs_printk(KERN_ERR, "Error parsing " |
1836 | "tag 1 packet\n"); | 1836 | "tag 1 packet\n"); |
1837 | rc = -EIO; | 1837 | rc = -EIO; |
1838 | goto out_wipe_list; | 1838 | goto out_wipe_list; |
1839 | } | 1839 | } |
1840 | i += packet_size; | 1840 | i += packet_size; |
1841 | crypt_stat->flags |= ECRYPTFS_ENCRYPTED; | 1841 | crypt_stat->flags |= ECRYPTFS_ENCRYPTED; |
1842 | break; | 1842 | break; |
1843 | case ECRYPTFS_TAG_11_PACKET_TYPE: | 1843 | case ECRYPTFS_TAG_11_PACKET_TYPE: |
1844 | ecryptfs_printk(KERN_WARNING, "Invalid packet set " | 1844 | ecryptfs_printk(KERN_WARNING, "Invalid packet set " |
1845 | "(Tag 11 not allowed by itself)\n"); | 1845 | "(Tag 11 not allowed by itself)\n"); |
1846 | rc = -EIO; | 1846 | rc = -EIO; |
1847 | goto out_wipe_list; | 1847 | goto out_wipe_list; |
1848 | default: | 1848 | default: |
1849 | ecryptfs_printk(KERN_DEBUG, "No packet at offset [%zd] " | 1849 | ecryptfs_printk(KERN_DEBUG, "No packet at offset [%zd] " |
1850 | "of the file header; hex value of " | 1850 | "of the file header; hex value of " |
1851 | "character is [0x%.2x]\n", i, src[i]); | 1851 | "character is [0x%.2x]\n", i, src[i]); |
1852 | next_packet_is_auth_tok_packet = 0; | 1852 | next_packet_is_auth_tok_packet = 0; |
1853 | } | 1853 | } |
1854 | } | 1854 | } |
1855 | if (list_empty(&auth_tok_list)) { | 1855 | if (list_empty(&auth_tok_list)) { |
1856 | printk(KERN_ERR "The lower file appears to be a non-encrypted " | 1856 | printk(KERN_ERR "The lower file appears to be a non-encrypted " |
1857 | "eCryptfs file; this is not supported in this version " | 1857 | "eCryptfs file; this is not supported in this version " |
1858 | "of the eCryptfs kernel module\n"); | 1858 | "of the eCryptfs kernel module\n"); |
1859 | rc = -EINVAL; | 1859 | rc = -EINVAL; |
1860 | goto out; | 1860 | goto out; |
1861 | } | 1861 | } |
1862 | /* auth_tok_list contains the set of authentication tokens | 1862 | /* auth_tok_list contains the set of authentication tokens |
1863 | * parsed from the metadata. We need to find a matching | 1863 | * parsed from the metadata. We need to find a matching |
1864 | * authentication token that has the secret component(s) | 1864 | * authentication token that has the secret component(s) |
1865 | * necessary to decrypt the EFEK in the auth_tok parsed from | 1865 | * necessary to decrypt the EFEK in the auth_tok parsed from |
1866 | * the metadata. There may be several potential matches, but | 1866 | * the metadata. There may be several potential matches, but |
1867 | * just one will be sufficient to decrypt to get the FEK. */ | 1867 | * just one will be sufficient to decrypt to get the FEK. */ |
1868 | find_next_matching_auth_tok: | 1868 | find_next_matching_auth_tok: |
1869 | found_auth_tok = 0; | 1869 | found_auth_tok = 0; |
1870 | list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) { | 1870 | list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) { |
1871 | candidate_auth_tok = &auth_tok_list_item->auth_tok; | 1871 | candidate_auth_tok = &auth_tok_list_item->auth_tok; |
1872 | if (unlikely(ecryptfs_verbosity > 0)) { | 1872 | if (unlikely(ecryptfs_verbosity > 0)) { |
1873 | ecryptfs_printk(KERN_DEBUG, | 1873 | ecryptfs_printk(KERN_DEBUG, |
1874 | "Considering cadidate auth tok:\n"); | 1874 | "Considering cadidate auth tok:\n"); |
1875 | ecryptfs_dump_auth_tok(candidate_auth_tok); | 1875 | ecryptfs_dump_auth_tok(candidate_auth_tok); |
1876 | } | 1876 | } |
1877 | rc = ecryptfs_get_auth_tok_sig(&candidate_auth_tok_sig, | 1877 | rc = ecryptfs_get_auth_tok_sig(&candidate_auth_tok_sig, |
1878 | candidate_auth_tok); | 1878 | candidate_auth_tok); |
1879 | if (rc) { | 1879 | if (rc) { |
1880 | printk(KERN_ERR | 1880 | printk(KERN_ERR |
1881 | "Unrecognized candidate auth tok type: [%d]\n", | 1881 | "Unrecognized candidate auth tok type: [%d]\n", |
1882 | candidate_auth_tok->token_type); | 1882 | candidate_auth_tok->token_type); |
1883 | rc = -EINVAL; | 1883 | rc = -EINVAL; |
1884 | goto out_wipe_list; | 1884 | goto out_wipe_list; |
1885 | } | 1885 | } |
1886 | rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key, | 1886 | rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key, |
1887 | &matching_auth_tok, | 1887 | &matching_auth_tok, |
1888 | crypt_stat->mount_crypt_stat, | 1888 | crypt_stat->mount_crypt_stat, |
1889 | candidate_auth_tok_sig); | 1889 | candidate_auth_tok_sig); |
1890 | if (!rc) { | 1890 | if (!rc) { |
1891 | found_auth_tok = 1; | 1891 | found_auth_tok = 1; |
1892 | goto found_matching_auth_tok; | 1892 | goto found_matching_auth_tok; |
1893 | } | 1893 | } |
1894 | } | 1894 | } |
1895 | if (!found_auth_tok) { | 1895 | if (!found_auth_tok) { |
1896 | ecryptfs_printk(KERN_ERR, "Could not find a usable " | 1896 | ecryptfs_printk(KERN_ERR, "Could not find a usable " |
1897 | "authentication token\n"); | 1897 | "authentication token\n"); |
1898 | rc = -EIO; | 1898 | rc = -EIO; |
1899 | goto out_wipe_list; | 1899 | goto out_wipe_list; |
1900 | } | 1900 | } |
1901 | found_matching_auth_tok: | 1901 | found_matching_auth_tok: |
1902 | if (candidate_auth_tok->token_type == ECRYPTFS_PRIVATE_KEY) { | 1902 | if (candidate_auth_tok->token_type == ECRYPTFS_PRIVATE_KEY) { |
1903 | memcpy(&(candidate_auth_tok->token.private_key), | 1903 | memcpy(&(candidate_auth_tok->token.private_key), |
1904 | &(matching_auth_tok->token.private_key), | 1904 | &(matching_auth_tok->token.private_key), |
1905 | sizeof(struct ecryptfs_private_key)); | 1905 | sizeof(struct ecryptfs_private_key)); |
1906 | up_write(&(auth_tok_key->sem)); | 1906 | up_write(&(auth_tok_key->sem)); |
1907 | key_put(auth_tok_key); | 1907 | key_put(auth_tok_key); |
1908 | rc = decrypt_pki_encrypted_session_key(candidate_auth_tok, | 1908 | rc = decrypt_pki_encrypted_session_key(candidate_auth_tok, |
1909 | crypt_stat); | 1909 | crypt_stat); |
1910 | } else if (candidate_auth_tok->token_type == ECRYPTFS_PASSWORD) { | 1910 | } else if (candidate_auth_tok->token_type == ECRYPTFS_PASSWORD) { |
1911 | memcpy(&(candidate_auth_tok->token.password), | 1911 | memcpy(&(candidate_auth_tok->token.password), |
1912 | &(matching_auth_tok->token.password), | 1912 | &(matching_auth_tok->token.password), |
1913 | sizeof(struct ecryptfs_password)); | 1913 | sizeof(struct ecryptfs_password)); |
1914 | up_write(&(auth_tok_key->sem)); | 1914 | up_write(&(auth_tok_key->sem)); |
1915 | key_put(auth_tok_key); | 1915 | key_put(auth_tok_key); |
1916 | rc = decrypt_passphrase_encrypted_session_key( | 1916 | rc = decrypt_passphrase_encrypted_session_key( |
1917 | candidate_auth_tok, crypt_stat); | 1917 | candidate_auth_tok, crypt_stat); |
1918 | } else { | 1918 | } else { |
1919 | up_write(&(auth_tok_key->sem)); | 1919 | up_write(&(auth_tok_key->sem)); |
1920 | key_put(auth_tok_key); | 1920 | key_put(auth_tok_key); |
1921 | rc = -EINVAL; | 1921 | rc = -EINVAL; |
1922 | } | 1922 | } |
1923 | if (rc) { | 1923 | if (rc) { |
1924 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item_tmp; | 1924 | struct ecryptfs_auth_tok_list_item *auth_tok_list_item_tmp; |
1925 | 1925 | ||
1926 | ecryptfs_printk(KERN_WARNING, "Error decrypting the " | 1926 | ecryptfs_printk(KERN_WARNING, "Error decrypting the " |
1927 | "session key for authentication token with sig " | 1927 | "session key for authentication token with sig " |
1928 | "[%.*s]; rc = [%d]. Removing auth tok " | 1928 | "[%.*s]; rc = [%d]. Removing auth tok " |
1929 | "candidate from the list and searching for " | 1929 | "candidate from the list and searching for " |
1930 | "the next match.\n", ECRYPTFS_SIG_SIZE_HEX, | 1930 | "the next match.\n", ECRYPTFS_SIG_SIZE_HEX, |
1931 | candidate_auth_tok_sig, rc); | 1931 | candidate_auth_tok_sig, rc); |
1932 | list_for_each_entry_safe(auth_tok_list_item, | 1932 | list_for_each_entry_safe(auth_tok_list_item, |
1933 | auth_tok_list_item_tmp, | 1933 | auth_tok_list_item_tmp, |
1934 | &auth_tok_list, list) { | 1934 | &auth_tok_list, list) { |
1935 | if (candidate_auth_tok | 1935 | if (candidate_auth_tok |
1936 | == &auth_tok_list_item->auth_tok) { | 1936 | == &auth_tok_list_item->auth_tok) { |
1937 | list_del(&auth_tok_list_item->list); | 1937 | list_del(&auth_tok_list_item->list); |
1938 | kmem_cache_free( | 1938 | kmem_cache_free( |
1939 | ecryptfs_auth_tok_list_item_cache, | 1939 | ecryptfs_auth_tok_list_item_cache, |
1940 | auth_tok_list_item); | 1940 | auth_tok_list_item); |
1941 | goto find_next_matching_auth_tok; | 1941 | goto find_next_matching_auth_tok; |
1942 | } | 1942 | } |
1943 | } | 1943 | } |
1944 | BUG(); | 1944 | BUG(); |
1945 | } | 1945 | } |
1946 | rc = ecryptfs_compute_root_iv(crypt_stat); | 1946 | rc = ecryptfs_compute_root_iv(crypt_stat); |
1947 | if (rc) { | 1947 | if (rc) { |
1948 | ecryptfs_printk(KERN_ERR, "Error computing " | 1948 | ecryptfs_printk(KERN_ERR, "Error computing " |
1949 | "the root IV\n"); | 1949 | "the root IV\n"); |
1950 | goto out_wipe_list; | 1950 | goto out_wipe_list; |
1951 | } | 1951 | } |
1952 | rc = ecryptfs_init_crypt_ctx(crypt_stat); | 1952 | rc = ecryptfs_init_crypt_ctx(crypt_stat); |
1953 | if (rc) { | 1953 | if (rc) { |
1954 | ecryptfs_printk(KERN_ERR, "Error initializing crypto " | 1954 | ecryptfs_printk(KERN_ERR, "Error initializing crypto " |
1955 | "context for cipher [%s]; rc = [%d]\n", | 1955 | "context for cipher [%s]; rc = [%d]\n", |
1956 | crypt_stat->cipher, rc); | 1956 | crypt_stat->cipher, rc); |
1957 | } | 1957 | } |
1958 | out_wipe_list: | 1958 | out_wipe_list: |
1959 | wipe_auth_tok_list(&auth_tok_list); | 1959 | wipe_auth_tok_list(&auth_tok_list); |
1960 | out: | 1960 | out: |
1961 | return rc; | 1961 | return rc; |
1962 | } | 1962 | } |
1963 | 1963 | ||
1964 | static int | 1964 | static int |
1965 | pki_encrypt_session_key(struct key *auth_tok_key, | 1965 | pki_encrypt_session_key(struct key *auth_tok_key, |
1966 | struct ecryptfs_auth_tok *auth_tok, | 1966 | struct ecryptfs_auth_tok *auth_tok, |
1967 | struct ecryptfs_crypt_stat *crypt_stat, | 1967 | struct ecryptfs_crypt_stat *crypt_stat, |
1968 | struct ecryptfs_key_record *key_rec) | 1968 | struct ecryptfs_key_record *key_rec) |
1969 | { | 1969 | { |
1970 | struct ecryptfs_msg_ctx *msg_ctx = NULL; | 1970 | struct ecryptfs_msg_ctx *msg_ctx = NULL; |
1971 | char *payload = NULL; | 1971 | char *payload = NULL; |
1972 | size_t payload_len = 0; | 1972 | size_t payload_len = 0; |
1973 | struct ecryptfs_message *msg; | 1973 | struct ecryptfs_message *msg; |
1974 | int rc; | 1974 | int rc; |
1975 | 1975 | ||
1976 | rc = write_tag_66_packet(auth_tok->token.private_key.signature, | 1976 | rc = write_tag_66_packet(auth_tok->token.private_key.signature, |
1977 | ecryptfs_code_for_cipher_string( | 1977 | ecryptfs_code_for_cipher_string( |
1978 | crypt_stat->cipher, | 1978 | crypt_stat->cipher, |
1979 | crypt_stat->key_size), | 1979 | crypt_stat->key_size), |
1980 | crypt_stat, &payload, &payload_len); | 1980 | crypt_stat, &payload, &payload_len); |
1981 | up_write(&(auth_tok_key->sem)); | 1981 | up_write(&(auth_tok_key->sem)); |
1982 | key_put(auth_tok_key); | 1982 | key_put(auth_tok_key); |
1983 | if (rc) { | 1983 | if (rc) { |
1984 | ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet\n"); | 1984 | ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet\n"); |
1985 | goto out; | 1985 | goto out; |
1986 | } | 1986 | } |
1987 | rc = ecryptfs_send_message(payload, payload_len, &msg_ctx); | 1987 | rc = ecryptfs_send_message(payload, payload_len, &msg_ctx); |
1988 | if (rc) { | 1988 | if (rc) { |
1989 | ecryptfs_printk(KERN_ERR, "Error sending message to " | 1989 | ecryptfs_printk(KERN_ERR, "Error sending message to " |
1990 | "ecryptfsd: %d\n", rc); | 1990 | "ecryptfsd: %d\n", rc); |
1991 | goto out; | 1991 | goto out; |
1992 | } | 1992 | } |
1993 | rc = ecryptfs_wait_for_response(msg_ctx, &msg); | 1993 | rc = ecryptfs_wait_for_response(msg_ctx, &msg); |
1994 | if (rc) { | 1994 | if (rc) { |
1995 | ecryptfs_printk(KERN_ERR, "Failed to receive tag 67 packet " | 1995 | ecryptfs_printk(KERN_ERR, "Failed to receive tag 67 packet " |
1996 | "from the user space daemon\n"); | 1996 | "from the user space daemon\n"); |
1997 | rc = -EIO; | 1997 | rc = -EIO; |
1998 | goto out; | 1998 | goto out; |
1999 | } | 1999 | } |
2000 | rc = parse_tag_67_packet(key_rec, msg); | 2000 | rc = parse_tag_67_packet(key_rec, msg); |
2001 | if (rc) | 2001 | if (rc) |
2002 | ecryptfs_printk(KERN_ERR, "Error parsing tag 67 packet\n"); | 2002 | ecryptfs_printk(KERN_ERR, "Error parsing tag 67 packet\n"); |
2003 | kfree(msg); | 2003 | kfree(msg); |
2004 | out: | 2004 | out: |
2005 | kfree(payload); | 2005 | kfree(payload); |
2006 | return rc; | 2006 | return rc; |
2007 | } | 2007 | } |
2008 | /** | 2008 | /** |
2009 | * write_tag_1_packet - Write an RFC2440-compatible tag 1 (public key) packet | 2009 | * write_tag_1_packet - Write an RFC2440-compatible tag 1 (public key) packet |
2010 | * @dest: Buffer into which to write the packet | 2010 | * @dest: Buffer into which to write the packet |
2011 | * @remaining_bytes: Maximum number of bytes that can be writtn | 2011 | * @remaining_bytes: Maximum number of bytes that can be writtn |
2012 | * @auth_tok_key: The authentication token key to unlock and put when done with | 2012 | * @auth_tok_key: The authentication token key to unlock and put when done with |
2013 | * @auth_tok | 2013 | * @auth_tok |
2014 | * @auth_tok: The authentication token used for generating the tag 1 packet | 2014 | * @auth_tok: The authentication token used for generating the tag 1 packet |
2015 | * @crypt_stat: The cryptographic context | 2015 | * @crypt_stat: The cryptographic context |
2016 | * @key_rec: The key record struct for the tag 1 packet | 2016 | * @key_rec: The key record struct for the tag 1 packet |
2017 | * @packet_size: This function will write the number of bytes that end | 2017 | * @packet_size: This function will write the number of bytes that end |
2018 | * up constituting the packet; set to zero on error | 2018 | * up constituting the packet; set to zero on error |
2019 | * | 2019 | * |
2020 | * Returns zero on success; non-zero on error. | 2020 | * Returns zero on success; non-zero on error. |
2021 | */ | 2021 | */ |
2022 | static int | 2022 | static int |
2023 | write_tag_1_packet(char *dest, size_t *remaining_bytes, | 2023 | write_tag_1_packet(char *dest, size_t *remaining_bytes, |
2024 | struct key *auth_tok_key, struct ecryptfs_auth_tok *auth_tok, | 2024 | struct key *auth_tok_key, struct ecryptfs_auth_tok *auth_tok, |
2025 | struct ecryptfs_crypt_stat *crypt_stat, | 2025 | struct ecryptfs_crypt_stat *crypt_stat, |
2026 | struct ecryptfs_key_record *key_rec, size_t *packet_size) | 2026 | struct ecryptfs_key_record *key_rec, size_t *packet_size) |
2027 | { | 2027 | { |
2028 | size_t i; | 2028 | size_t i; |
2029 | size_t encrypted_session_key_valid = 0; | 2029 | size_t encrypted_session_key_valid = 0; |
2030 | size_t packet_size_length; | 2030 | size_t packet_size_length; |
2031 | size_t max_packet_size; | 2031 | size_t max_packet_size; |
2032 | int rc = 0; | 2032 | int rc = 0; |
2033 | 2033 | ||
2034 | (*packet_size) = 0; | 2034 | (*packet_size) = 0; |
2035 | ecryptfs_from_hex(key_rec->sig, auth_tok->token.private_key.signature, | 2035 | ecryptfs_from_hex(key_rec->sig, auth_tok->token.private_key.signature, |
2036 | ECRYPTFS_SIG_SIZE); | 2036 | ECRYPTFS_SIG_SIZE); |
2037 | encrypted_session_key_valid = 0; | 2037 | encrypted_session_key_valid = 0; |
2038 | for (i = 0; i < crypt_stat->key_size; i++) | 2038 | for (i = 0; i < crypt_stat->key_size; i++) |
2039 | encrypted_session_key_valid |= | 2039 | encrypted_session_key_valid |= |
2040 | auth_tok->session_key.encrypted_key[i]; | 2040 | auth_tok->session_key.encrypted_key[i]; |
2041 | if (encrypted_session_key_valid) { | 2041 | if (encrypted_session_key_valid) { |
2042 | memcpy(key_rec->enc_key, | 2042 | memcpy(key_rec->enc_key, |
2043 | auth_tok->session_key.encrypted_key, | 2043 | auth_tok->session_key.encrypted_key, |
2044 | auth_tok->session_key.encrypted_key_size); | 2044 | auth_tok->session_key.encrypted_key_size); |
2045 | up_write(&(auth_tok_key->sem)); | 2045 | up_write(&(auth_tok_key->sem)); |
2046 | key_put(auth_tok_key); | 2046 | key_put(auth_tok_key); |
2047 | goto encrypted_session_key_set; | 2047 | goto encrypted_session_key_set; |
2048 | } | 2048 | } |
2049 | if (auth_tok->session_key.encrypted_key_size == 0) | 2049 | if (auth_tok->session_key.encrypted_key_size == 0) |
2050 | auth_tok->session_key.encrypted_key_size = | 2050 | auth_tok->session_key.encrypted_key_size = |
2051 | auth_tok->token.private_key.key_size; | 2051 | auth_tok->token.private_key.key_size; |
2052 | rc = pki_encrypt_session_key(auth_tok_key, auth_tok, crypt_stat, | 2052 | rc = pki_encrypt_session_key(auth_tok_key, auth_tok, crypt_stat, |
2053 | key_rec); | 2053 | key_rec); |
2054 | if (rc) { | 2054 | if (rc) { |
2055 | printk(KERN_ERR "Failed to encrypt session key via a key " | 2055 | printk(KERN_ERR "Failed to encrypt session key via a key " |
2056 | "module; rc = [%d]\n", rc); | 2056 | "module; rc = [%d]\n", rc); |
2057 | goto out; | 2057 | goto out; |
2058 | } | 2058 | } |
2059 | if (ecryptfs_verbosity > 0) { | 2059 | if (ecryptfs_verbosity > 0) { |
2060 | ecryptfs_printk(KERN_DEBUG, "Encrypted key:\n"); | 2060 | ecryptfs_printk(KERN_DEBUG, "Encrypted key:\n"); |
2061 | ecryptfs_dump_hex(key_rec->enc_key, key_rec->enc_key_size); | 2061 | ecryptfs_dump_hex(key_rec->enc_key, key_rec->enc_key_size); |
2062 | } | 2062 | } |
2063 | encrypted_session_key_set: | 2063 | encrypted_session_key_set: |
2064 | /* This format is inspired by OpenPGP; see RFC 2440 | 2064 | /* This format is inspired by OpenPGP; see RFC 2440 |
2065 | * packet tag 1 */ | 2065 | * packet tag 1 */ |
2066 | max_packet_size = (1 /* Tag 1 identifier */ | 2066 | max_packet_size = (1 /* Tag 1 identifier */ |
2067 | + 3 /* Max Tag 1 packet size */ | 2067 | + 3 /* Max Tag 1 packet size */ |
2068 | + 1 /* Version */ | 2068 | + 1 /* Version */ |
2069 | + ECRYPTFS_SIG_SIZE /* Key identifier */ | 2069 | + ECRYPTFS_SIG_SIZE /* Key identifier */ |
2070 | + 1 /* Cipher identifier */ | 2070 | + 1 /* Cipher identifier */ |
2071 | + key_rec->enc_key_size); /* Encrypted key size */ | 2071 | + key_rec->enc_key_size); /* Encrypted key size */ |
2072 | if (max_packet_size > (*remaining_bytes)) { | 2072 | if (max_packet_size > (*remaining_bytes)) { |
2073 | printk(KERN_ERR "Packet length larger than maximum allowable; " | 2073 | printk(KERN_ERR "Packet length larger than maximum allowable; " |
2074 | "need up to [%td] bytes, but there are only [%td] " | 2074 | "need up to [%td] bytes, but there are only [%td] " |
2075 | "available\n", max_packet_size, (*remaining_bytes)); | 2075 | "available\n", max_packet_size, (*remaining_bytes)); |
2076 | rc = -EINVAL; | 2076 | rc = -EINVAL; |
2077 | goto out; | 2077 | goto out; |
2078 | } | 2078 | } |
2079 | dest[(*packet_size)++] = ECRYPTFS_TAG_1_PACKET_TYPE; | 2079 | dest[(*packet_size)++] = ECRYPTFS_TAG_1_PACKET_TYPE; |
2080 | rc = ecryptfs_write_packet_length(&dest[(*packet_size)], | 2080 | rc = ecryptfs_write_packet_length(&dest[(*packet_size)], |
2081 | (max_packet_size - 4), | 2081 | (max_packet_size - 4), |
2082 | &packet_size_length); | 2082 | &packet_size_length); |
2083 | if (rc) { | 2083 | if (rc) { |
2084 | ecryptfs_printk(KERN_ERR, "Error generating tag 1 packet " | 2084 | ecryptfs_printk(KERN_ERR, "Error generating tag 1 packet " |
2085 | "header; cannot generate packet length\n"); | 2085 | "header; cannot generate packet length\n"); |
2086 | goto out; | 2086 | goto out; |
2087 | } | 2087 | } |
2088 | (*packet_size) += packet_size_length; | 2088 | (*packet_size) += packet_size_length; |
2089 | dest[(*packet_size)++] = 0x03; /* version 3 */ | 2089 | dest[(*packet_size)++] = 0x03; /* version 3 */ |
2090 | memcpy(&dest[(*packet_size)], key_rec->sig, ECRYPTFS_SIG_SIZE); | 2090 | memcpy(&dest[(*packet_size)], key_rec->sig, ECRYPTFS_SIG_SIZE); |
2091 | (*packet_size) += ECRYPTFS_SIG_SIZE; | 2091 | (*packet_size) += ECRYPTFS_SIG_SIZE; |
2092 | dest[(*packet_size)++] = RFC2440_CIPHER_RSA; | 2092 | dest[(*packet_size)++] = RFC2440_CIPHER_RSA; |
2093 | memcpy(&dest[(*packet_size)], key_rec->enc_key, | 2093 | memcpy(&dest[(*packet_size)], key_rec->enc_key, |
2094 | key_rec->enc_key_size); | 2094 | key_rec->enc_key_size); |
2095 | (*packet_size) += key_rec->enc_key_size; | 2095 | (*packet_size) += key_rec->enc_key_size; |
2096 | out: | 2096 | out: |
2097 | if (rc) | 2097 | if (rc) |
2098 | (*packet_size) = 0; | 2098 | (*packet_size) = 0; |
2099 | else | 2099 | else |
2100 | (*remaining_bytes) -= (*packet_size); | 2100 | (*remaining_bytes) -= (*packet_size); |
2101 | return rc; | 2101 | return rc; |
2102 | } | 2102 | } |
2103 | 2103 | ||
2104 | /** | 2104 | /** |
2105 | * write_tag_11_packet | 2105 | * write_tag_11_packet |
2106 | * @dest: Target into which Tag 11 packet is to be written | 2106 | * @dest: Target into which Tag 11 packet is to be written |
2107 | * @remaining_bytes: Maximum packet length | 2107 | * @remaining_bytes: Maximum packet length |
2108 | * @contents: Byte array of contents to copy in | 2108 | * @contents: Byte array of contents to copy in |
2109 | * @contents_length: Number of bytes in contents | 2109 | * @contents_length: Number of bytes in contents |
2110 | * @packet_length: Length of the Tag 11 packet written; zero on error | 2110 | * @packet_length: Length of the Tag 11 packet written; zero on error |
2111 | * | 2111 | * |
2112 | * Returns zero on success; non-zero on error. | 2112 | * Returns zero on success; non-zero on error. |
2113 | */ | 2113 | */ |
2114 | static int | 2114 | static int |
2115 | write_tag_11_packet(char *dest, size_t *remaining_bytes, char *contents, | 2115 | write_tag_11_packet(char *dest, size_t *remaining_bytes, char *contents, |
2116 | size_t contents_length, size_t *packet_length) | 2116 | size_t contents_length, size_t *packet_length) |
2117 | { | 2117 | { |
2118 | size_t packet_size_length; | 2118 | size_t packet_size_length; |
2119 | size_t max_packet_size; | 2119 | size_t max_packet_size; |
2120 | int rc = 0; | 2120 | int rc = 0; |
2121 | 2121 | ||
2122 | (*packet_length) = 0; | 2122 | (*packet_length) = 0; |
2123 | /* This format is inspired by OpenPGP; see RFC 2440 | 2123 | /* This format is inspired by OpenPGP; see RFC 2440 |
2124 | * packet tag 11 */ | 2124 | * packet tag 11 */ |
2125 | max_packet_size = (1 /* Tag 11 identifier */ | 2125 | max_packet_size = (1 /* Tag 11 identifier */ |
2126 | + 3 /* Max Tag 11 packet size */ | 2126 | + 3 /* Max Tag 11 packet size */ |
2127 | + 1 /* Binary format specifier */ | 2127 | + 1 /* Binary format specifier */ |
2128 | + 1 /* Filename length */ | 2128 | + 1 /* Filename length */ |
2129 | + 8 /* Filename ("_CONSOLE") */ | 2129 | + 8 /* Filename ("_CONSOLE") */ |
2130 | + 4 /* Modification date */ | 2130 | + 4 /* Modification date */ |
2131 | + contents_length); /* Literal data */ | 2131 | + contents_length); /* Literal data */ |
2132 | if (max_packet_size > (*remaining_bytes)) { | 2132 | if (max_packet_size > (*remaining_bytes)) { |
2133 | printk(KERN_ERR "Packet length larger than maximum allowable; " | 2133 | printk(KERN_ERR "Packet length larger than maximum allowable; " |
2134 | "need up to [%td] bytes, but there are only [%td] " | 2134 | "need up to [%td] bytes, but there are only [%td] " |
2135 | "available\n", max_packet_size, (*remaining_bytes)); | 2135 | "available\n", max_packet_size, (*remaining_bytes)); |
2136 | rc = -EINVAL; | 2136 | rc = -EINVAL; |
2137 | goto out; | 2137 | goto out; |
2138 | } | 2138 | } |
2139 | dest[(*packet_length)++] = ECRYPTFS_TAG_11_PACKET_TYPE; | 2139 | dest[(*packet_length)++] = ECRYPTFS_TAG_11_PACKET_TYPE; |
2140 | rc = ecryptfs_write_packet_length(&dest[(*packet_length)], | 2140 | rc = ecryptfs_write_packet_length(&dest[(*packet_length)], |
2141 | (max_packet_size - 4), | 2141 | (max_packet_size - 4), |
2142 | &packet_size_length); | 2142 | &packet_size_length); |
2143 | if (rc) { | 2143 | if (rc) { |
2144 | printk(KERN_ERR "Error generating tag 11 packet header; cannot " | 2144 | printk(KERN_ERR "Error generating tag 11 packet header; cannot " |
2145 | "generate packet length. rc = [%d]\n", rc); | 2145 | "generate packet length. rc = [%d]\n", rc); |
2146 | goto out; | 2146 | goto out; |
2147 | } | 2147 | } |
2148 | (*packet_length) += packet_size_length; | 2148 | (*packet_length) += packet_size_length; |
2149 | dest[(*packet_length)++] = 0x62; /* binary data format specifier */ | 2149 | dest[(*packet_length)++] = 0x62; /* binary data format specifier */ |
2150 | dest[(*packet_length)++] = 8; | 2150 | dest[(*packet_length)++] = 8; |
2151 | memcpy(&dest[(*packet_length)], "_CONSOLE", 8); | 2151 | memcpy(&dest[(*packet_length)], "_CONSOLE", 8); |
2152 | (*packet_length) += 8; | 2152 | (*packet_length) += 8; |
2153 | memset(&dest[(*packet_length)], 0x00, 4); | 2153 | memset(&dest[(*packet_length)], 0x00, 4); |
2154 | (*packet_length) += 4; | 2154 | (*packet_length) += 4; |
2155 | memcpy(&dest[(*packet_length)], contents, contents_length); | 2155 | memcpy(&dest[(*packet_length)], contents, contents_length); |
2156 | (*packet_length) += contents_length; | 2156 | (*packet_length) += contents_length; |
2157 | out: | 2157 | out: |
2158 | if (rc) | 2158 | if (rc) |
2159 | (*packet_length) = 0; | 2159 | (*packet_length) = 0; |
2160 | else | 2160 | else |
2161 | (*remaining_bytes) -= (*packet_length); | 2161 | (*remaining_bytes) -= (*packet_length); |
2162 | return rc; | 2162 | return rc; |
2163 | } | 2163 | } |
2164 | 2164 | ||
2165 | /** | 2165 | /** |
2166 | * write_tag_3_packet | 2166 | * write_tag_3_packet |
2167 | * @dest: Buffer into which to write the packet | 2167 | * @dest: Buffer into which to write the packet |
2168 | * @remaining_bytes: Maximum number of bytes that can be written | 2168 | * @remaining_bytes: Maximum number of bytes that can be written |
2169 | * @auth_tok: Authentication token | 2169 | * @auth_tok: Authentication token |
2170 | * @crypt_stat: The cryptographic context | 2170 | * @crypt_stat: The cryptographic context |
2171 | * @key_rec: encrypted key | 2171 | * @key_rec: encrypted key |
2172 | * @packet_size: This function will write the number of bytes that end | 2172 | * @packet_size: This function will write the number of bytes that end |
2173 | * up constituting the packet; set to zero on error | 2173 | * up constituting the packet; set to zero on error |
2174 | * | 2174 | * |
2175 | * Returns zero on success; non-zero on error. | 2175 | * Returns zero on success; non-zero on error. |
2176 | */ | 2176 | */ |
2177 | static int | 2177 | static int |
2178 | write_tag_3_packet(char *dest, size_t *remaining_bytes, | 2178 | write_tag_3_packet(char *dest, size_t *remaining_bytes, |
2179 | struct ecryptfs_auth_tok *auth_tok, | 2179 | struct ecryptfs_auth_tok *auth_tok, |
2180 | struct ecryptfs_crypt_stat *crypt_stat, | 2180 | struct ecryptfs_crypt_stat *crypt_stat, |
2181 | struct ecryptfs_key_record *key_rec, size_t *packet_size) | 2181 | struct ecryptfs_key_record *key_rec, size_t *packet_size) |
2182 | { | 2182 | { |
2183 | size_t i; | 2183 | size_t i; |
2184 | size_t encrypted_session_key_valid = 0; | 2184 | size_t encrypted_session_key_valid = 0; |
2185 | char session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES]; | 2185 | char session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES]; |
2186 | struct scatterlist dst_sg[2]; | 2186 | struct scatterlist dst_sg[2]; |
2187 | struct scatterlist src_sg[2]; | 2187 | struct scatterlist src_sg[2]; |
2188 | struct mutex *tfm_mutex = NULL; | 2188 | struct mutex *tfm_mutex = NULL; |
2189 | u8 cipher_code; | 2189 | u8 cipher_code; |
2190 | size_t packet_size_length; | 2190 | size_t packet_size_length; |
2191 | size_t max_packet_size; | 2191 | size_t max_packet_size; |
2192 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat = | 2192 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat = |
2193 | crypt_stat->mount_crypt_stat; | 2193 | crypt_stat->mount_crypt_stat; |
2194 | struct blkcipher_desc desc = { | 2194 | struct blkcipher_desc desc = { |
2195 | .tfm = NULL, | 2195 | .tfm = NULL, |
2196 | .flags = CRYPTO_TFM_REQ_MAY_SLEEP | 2196 | .flags = CRYPTO_TFM_REQ_MAY_SLEEP |
2197 | }; | 2197 | }; |
2198 | int rc = 0; | 2198 | int rc = 0; |
2199 | 2199 | ||
2200 | (*packet_size) = 0; | 2200 | (*packet_size) = 0; |
2201 | ecryptfs_from_hex(key_rec->sig, auth_tok->token.password.signature, | 2201 | ecryptfs_from_hex(key_rec->sig, auth_tok->token.password.signature, |
2202 | ECRYPTFS_SIG_SIZE); | 2202 | ECRYPTFS_SIG_SIZE); |
2203 | rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&desc.tfm, &tfm_mutex, | 2203 | rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&desc.tfm, &tfm_mutex, |
2204 | crypt_stat->cipher); | 2204 | crypt_stat->cipher); |
2205 | if (unlikely(rc)) { | 2205 | if (unlikely(rc)) { |
2206 | printk(KERN_ERR "Internal error whilst attempting to get " | 2206 | printk(KERN_ERR "Internal error whilst attempting to get " |
2207 | "tfm and mutex for cipher name [%s]; rc = [%d]\n", | 2207 | "tfm and mutex for cipher name [%s]; rc = [%d]\n", |
2208 | crypt_stat->cipher, rc); | 2208 | crypt_stat->cipher, rc); |
2209 | goto out; | 2209 | goto out; |
2210 | } | 2210 | } |
2211 | if (mount_crypt_stat->global_default_cipher_key_size == 0) { | 2211 | if (mount_crypt_stat->global_default_cipher_key_size == 0) { |
2212 | struct blkcipher_alg *alg = crypto_blkcipher_alg(desc.tfm); | 2212 | struct blkcipher_alg *alg = crypto_blkcipher_alg(desc.tfm); |
2213 | 2213 | ||
2214 | printk(KERN_WARNING "No key size specified at mount; " | 2214 | printk(KERN_WARNING "No key size specified at mount; " |
2215 | "defaulting to [%d]\n", alg->max_keysize); | 2215 | "defaulting to [%d]\n", alg->max_keysize); |
2216 | mount_crypt_stat->global_default_cipher_key_size = | 2216 | mount_crypt_stat->global_default_cipher_key_size = |
2217 | alg->max_keysize; | 2217 | alg->max_keysize; |
2218 | } | 2218 | } |
2219 | if (crypt_stat->key_size == 0) | 2219 | if (crypt_stat->key_size == 0) |
2220 | crypt_stat->key_size = | 2220 | crypt_stat->key_size = |
2221 | mount_crypt_stat->global_default_cipher_key_size; | 2221 | mount_crypt_stat->global_default_cipher_key_size; |
2222 | if (auth_tok->session_key.encrypted_key_size == 0) | 2222 | if (auth_tok->session_key.encrypted_key_size == 0) |
2223 | auth_tok->session_key.encrypted_key_size = | 2223 | auth_tok->session_key.encrypted_key_size = |
2224 | crypt_stat->key_size; | 2224 | crypt_stat->key_size; |
2225 | if (crypt_stat->key_size == 24 | 2225 | if (crypt_stat->key_size == 24 |
2226 | && strcmp("aes", crypt_stat->cipher) == 0) { | 2226 | && strcmp("aes", crypt_stat->cipher) == 0) { |
2227 | memset((crypt_stat->key + 24), 0, 8); | 2227 | memset((crypt_stat->key + 24), 0, 8); |
2228 | auth_tok->session_key.encrypted_key_size = 32; | 2228 | auth_tok->session_key.encrypted_key_size = 32; |
2229 | } else | 2229 | } else |
2230 | auth_tok->session_key.encrypted_key_size = crypt_stat->key_size; | 2230 | auth_tok->session_key.encrypted_key_size = crypt_stat->key_size; |
2231 | key_rec->enc_key_size = | 2231 | key_rec->enc_key_size = |
2232 | auth_tok->session_key.encrypted_key_size; | 2232 | auth_tok->session_key.encrypted_key_size; |
2233 | encrypted_session_key_valid = 0; | 2233 | encrypted_session_key_valid = 0; |
2234 | for (i = 0; i < auth_tok->session_key.encrypted_key_size; i++) | 2234 | for (i = 0; i < auth_tok->session_key.encrypted_key_size; i++) |
2235 | encrypted_session_key_valid |= | 2235 | encrypted_session_key_valid |= |
2236 | auth_tok->session_key.encrypted_key[i]; | 2236 | auth_tok->session_key.encrypted_key[i]; |
2237 | if (encrypted_session_key_valid) { | 2237 | if (encrypted_session_key_valid) { |
2238 | ecryptfs_printk(KERN_DEBUG, "encrypted_session_key_valid != 0; " | 2238 | ecryptfs_printk(KERN_DEBUG, "encrypted_session_key_valid != 0; " |
2239 | "using auth_tok->session_key.encrypted_key, " | 2239 | "using auth_tok->session_key.encrypted_key, " |
2240 | "where key_rec->enc_key_size = [%zd]\n", | 2240 | "where key_rec->enc_key_size = [%zd]\n", |
2241 | key_rec->enc_key_size); | 2241 | key_rec->enc_key_size); |
2242 | memcpy(key_rec->enc_key, | 2242 | memcpy(key_rec->enc_key, |
2243 | auth_tok->session_key.encrypted_key, | 2243 | auth_tok->session_key.encrypted_key, |
2244 | key_rec->enc_key_size); | 2244 | key_rec->enc_key_size); |
2245 | goto encrypted_session_key_set; | 2245 | goto encrypted_session_key_set; |
2246 | } | 2246 | } |
2247 | if (auth_tok->token.password.flags & | 2247 | if (auth_tok->token.password.flags & |
2248 | ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET) { | 2248 | ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET) { |
2249 | ecryptfs_printk(KERN_DEBUG, "Using previously generated " | 2249 | ecryptfs_printk(KERN_DEBUG, "Using previously generated " |
2250 | "session key encryption key of size [%d]\n", | 2250 | "session key encryption key of size [%d]\n", |
2251 | auth_tok->token.password. | 2251 | auth_tok->token.password. |
2252 | session_key_encryption_key_bytes); | 2252 | session_key_encryption_key_bytes); |
2253 | memcpy(session_key_encryption_key, | 2253 | memcpy(session_key_encryption_key, |
2254 | auth_tok->token.password.session_key_encryption_key, | 2254 | auth_tok->token.password.session_key_encryption_key, |
2255 | crypt_stat->key_size); | 2255 | crypt_stat->key_size); |
2256 | ecryptfs_printk(KERN_DEBUG, | 2256 | ecryptfs_printk(KERN_DEBUG, |
2257 | "Cached session key encryption key:\n"); | 2257 | "Cached session key encryption key:\n"); |
2258 | if (ecryptfs_verbosity > 0) | 2258 | if (ecryptfs_verbosity > 0) |
2259 | ecryptfs_dump_hex(session_key_encryption_key, 16); | 2259 | ecryptfs_dump_hex(session_key_encryption_key, 16); |
2260 | } | 2260 | } |
2261 | if (unlikely(ecryptfs_verbosity > 0)) { | 2261 | if (unlikely(ecryptfs_verbosity > 0)) { |
2262 | ecryptfs_printk(KERN_DEBUG, "Session key encryption key:\n"); | 2262 | ecryptfs_printk(KERN_DEBUG, "Session key encryption key:\n"); |
2263 | ecryptfs_dump_hex(session_key_encryption_key, 16); | 2263 | ecryptfs_dump_hex(session_key_encryption_key, 16); |
2264 | } | 2264 | } |
2265 | rc = virt_to_scatterlist(crypt_stat->key, key_rec->enc_key_size, | 2265 | rc = virt_to_scatterlist(crypt_stat->key, key_rec->enc_key_size, |
2266 | src_sg, 2); | 2266 | src_sg, 2); |
2267 | if (rc < 1 || rc > 2) { | 2267 | if (rc < 1 || rc > 2) { |
2268 | ecryptfs_printk(KERN_ERR, "Error generating scatterlist " | 2268 | ecryptfs_printk(KERN_ERR, "Error generating scatterlist " |
2269 | "for crypt_stat session key; expected rc = 1; " | 2269 | "for crypt_stat session key; expected rc = 1; " |
2270 | "got rc = [%d]. key_rec->enc_key_size = [%zd]\n", | 2270 | "got rc = [%d]. key_rec->enc_key_size = [%zd]\n", |
2271 | rc, key_rec->enc_key_size); | 2271 | rc, key_rec->enc_key_size); |
2272 | rc = -ENOMEM; | 2272 | rc = -ENOMEM; |
2273 | goto out; | 2273 | goto out; |
2274 | } | 2274 | } |
2275 | rc = virt_to_scatterlist(key_rec->enc_key, key_rec->enc_key_size, | 2275 | rc = virt_to_scatterlist(key_rec->enc_key, key_rec->enc_key_size, |
2276 | dst_sg, 2); | 2276 | dst_sg, 2); |
2277 | if (rc < 1 || rc > 2) { | 2277 | if (rc < 1 || rc > 2) { |
2278 | ecryptfs_printk(KERN_ERR, "Error generating scatterlist " | 2278 | ecryptfs_printk(KERN_ERR, "Error generating scatterlist " |
2279 | "for crypt_stat encrypted session key; " | 2279 | "for crypt_stat encrypted session key; " |
2280 | "expected rc = 1; got rc = [%d]. " | 2280 | "expected rc = 1; got rc = [%d]. " |
2281 | "key_rec->enc_key_size = [%zd]\n", rc, | 2281 | "key_rec->enc_key_size = [%zd]\n", rc, |
2282 | key_rec->enc_key_size); | 2282 | key_rec->enc_key_size); |
2283 | rc = -ENOMEM; | 2283 | rc = -ENOMEM; |
2284 | goto out; | 2284 | goto out; |
2285 | } | 2285 | } |
2286 | mutex_lock(tfm_mutex); | 2286 | mutex_lock(tfm_mutex); |
2287 | rc = crypto_blkcipher_setkey(desc.tfm, session_key_encryption_key, | 2287 | rc = crypto_blkcipher_setkey(desc.tfm, session_key_encryption_key, |
2288 | crypt_stat->key_size); | 2288 | crypt_stat->key_size); |
2289 | if (rc < 0) { | 2289 | if (rc < 0) { |
2290 | mutex_unlock(tfm_mutex); | 2290 | mutex_unlock(tfm_mutex); |
2291 | ecryptfs_printk(KERN_ERR, "Error setting key for crypto " | 2291 | ecryptfs_printk(KERN_ERR, "Error setting key for crypto " |
2292 | "context; rc = [%d]\n", rc); | 2292 | "context; rc = [%d]\n", rc); |
2293 | goto out; | 2293 | goto out; |
2294 | } | 2294 | } |
2295 | rc = 0; | 2295 | rc = 0; |
2296 | ecryptfs_printk(KERN_DEBUG, "Encrypting [%zd] bytes of the key\n", | 2296 | ecryptfs_printk(KERN_DEBUG, "Encrypting [%zd] bytes of the key\n", |
2297 | crypt_stat->key_size); | 2297 | crypt_stat->key_size); |
2298 | rc = crypto_blkcipher_encrypt(&desc, dst_sg, src_sg, | 2298 | rc = crypto_blkcipher_encrypt(&desc, dst_sg, src_sg, |
2299 | (*key_rec).enc_key_size); | 2299 | (*key_rec).enc_key_size); |
2300 | mutex_unlock(tfm_mutex); | 2300 | mutex_unlock(tfm_mutex); |
2301 | if (rc) { | 2301 | if (rc) { |
2302 | printk(KERN_ERR "Error encrypting; rc = [%d]\n", rc); | 2302 | printk(KERN_ERR "Error encrypting; rc = [%d]\n", rc); |
2303 | goto out; | 2303 | goto out; |
2304 | } | 2304 | } |
2305 | ecryptfs_printk(KERN_DEBUG, "This should be the encrypted key:\n"); | 2305 | ecryptfs_printk(KERN_DEBUG, "This should be the encrypted key:\n"); |
2306 | if (ecryptfs_verbosity > 0) { | 2306 | if (ecryptfs_verbosity > 0) { |
2307 | ecryptfs_printk(KERN_DEBUG, "EFEK of size [%zd]:\n", | 2307 | ecryptfs_printk(KERN_DEBUG, "EFEK of size [%zd]:\n", |
2308 | key_rec->enc_key_size); | 2308 | key_rec->enc_key_size); |
2309 | ecryptfs_dump_hex(key_rec->enc_key, | 2309 | ecryptfs_dump_hex(key_rec->enc_key, |
2310 | key_rec->enc_key_size); | 2310 | key_rec->enc_key_size); |
2311 | } | 2311 | } |
2312 | encrypted_session_key_set: | 2312 | encrypted_session_key_set: |
2313 | /* This format is inspired by OpenPGP; see RFC 2440 | 2313 | /* This format is inspired by OpenPGP; see RFC 2440 |
2314 | * packet tag 3 */ | 2314 | * packet tag 3 */ |
2315 | max_packet_size = (1 /* Tag 3 identifier */ | 2315 | max_packet_size = (1 /* Tag 3 identifier */ |
2316 | + 3 /* Max Tag 3 packet size */ | 2316 | + 3 /* Max Tag 3 packet size */ |
2317 | + 1 /* Version */ | 2317 | + 1 /* Version */ |
2318 | + 1 /* Cipher code */ | 2318 | + 1 /* Cipher code */ |
2319 | + 1 /* S2K specifier */ | 2319 | + 1 /* S2K specifier */ |
2320 | + 1 /* Hash identifier */ | 2320 | + 1 /* Hash identifier */ |
2321 | + ECRYPTFS_SALT_SIZE /* Salt */ | 2321 | + ECRYPTFS_SALT_SIZE /* Salt */ |
2322 | + 1 /* Hash iterations */ | 2322 | + 1 /* Hash iterations */ |
2323 | + key_rec->enc_key_size); /* Encrypted key size */ | 2323 | + key_rec->enc_key_size); /* Encrypted key size */ |
2324 | if (max_packet_size > (*remaining_bytes)) { | 2324 | if (max_packet_size > (*remaining_bytes)) { |
2325 | printk(KERN_ERR "Packet too large; need up to [%td] bytes, but " | 2325 | printk(KERN_ERR "Packet too large; need up to [%td] bytes, but " |
2326 | "there are only [%td] available\n", max_packet_size, | 2326 | "there are only [%td] available\n", max_packet_size, |
2327 | (*remaining_bytes)); | 2327 | (*remaining_bytes)); |
2328 | rc = -EINVAL; | 2328 | rc = -EINVAL; |
2329 | goto out; | 2329 | goto out; |
2330 | } | 2330 | } |
2331 | dest[(*packet_size)++] = ECRYPTFS_TAG_3_PACKET_TYPE; | 2331 | dest[(*packet_size)++] = ECRYPTFS_TAG_3_PACKET_TYPE; |
2332 | /* Chop off the Tag 3 identifier(1) and Tag 3 packet size(3) | 2332 | /* Chop off the Tag 3 identifier(1) and Tag 3 packet size(3) |
2333 | * to get the number of octets in the actual Tag 3 packet */ | 2333 | * to get the number of octets in the actual Tag 3 packet */ |
2334 | rc = ecryptfs_write_packet_length(&dest[(*packet_size)], | 2334 | rc = ecryptfs_write_packet_length(&dest[(*packet_size)], |
2335 | (max_packet_size - 4), | 2335 | (max_packet_size - 4), |
2336 | &packet_size_length); | 2336 | &packet_size_length); |
2337 | if (rc) { | 2337 | if (rc) { |
2338 | printk(KERN_ERR "Error generating tag 3 packet header; cannot " | 2338 | printk(KERN_ERR "Error generating tag 3 packet header; cannot " |
2339 | "generate packet length. rc = [%d]\n", rc); | 2339 | "generate packet length. rc = [%d]\n", rc); |
2340 | goto out; | 2340 | goto out; |
2341 | } | 2341 | } |
2342 | (*packet_size) += packet_size_length; | 2342 | (*packet_size) += packet_size_length; |
2343 | dest[(*packet_size)++] = 0x04; /* version 4 */ | 2343 | dest[(*packet_size)++] = 0x04; /* version 4 */ |
2344 | /* TODO: Break from RFC2440 so that arbitrary ciphers can be | 2344 | /* TODO: Break from RFC2440 so that arbitrary ciphers can be |
2345 | * specified with strings */ | 2345 | * specified with strings */ |
2346 | cipher_code = ecryptfs_code_for_cipher_string(crypt_stat->cipher, | 2346 | cipher_code = ecryptfs_code_for_cipher_string(crypt_stat->cipher, |
2347 | crypt_stat->key_size); | 2347 | crypt_stat->key_size); |
2348 | if (cipher_code == 0) { | 2348 | if (cipher_code == 0) { |
2349 | ecryptfs_printk(KERN_WARNING, "Unable to generate code for " | 2349 | ecryptfs_printk(KERN_WARNING, "Unable to generate code for " |
2350 | "cipher [%s]\n", crypt_stat->cipher); | 2350 | "cipher [%s]\n", crypt_stat->cipher); |
2351 | rc = -EINVAL; | 2351 | rc = -EINVAL; |
2352 | goto out; | 2352 | goto out; |
2353 | } | 2353 | } |
2354 | dest[(*packet_size)++] = cipher_code; | 2354 | dest[(*packet_size)++] = cipher_code; |
2355 | dest[(*packet_size)++] = 0x03; /* S2K */ | 2355 | dest[(*packet_size)++] = 0x03; /* S2K */ |
2356 | dest[(*packet_size)++] = 0x01; /* MD5 (TODO: parameterize) */ | 2356 | dest[(*packet_size)++] = 0x01; /* MD5 (TODO: parameterize) */ |
2357 | memcpy(&dest[(*packet_size)], auth_tok->token.password.salt, | 2357 | memcpy(&dest[(*packet_size)], auth_tok->token.password.salt, |
2358 | ECRYPTFS_SALT_SIZE); | 2358 | ECRYPTFS_SALT_SIZE); |
2359 | (*packet_size) += ECRYPTFS_SALT_SIZE; /* salt */ | 2359 | (*packet_size) += ECRYPTFS_SALT_SIZE; /* salt */ |
2360 | dest[(*packet_size)++] = 0x60; /* hash iterations (65536) */ | 2360 | dest[(*packet_size)++] = 0x60; /* hash iterations (65536) */ |
2361 | memcpy(&dest[(*packet_size)], key_rec->enc_key, | 2361 | memcpy(&dest[(*packet_size)], key_rec->enc_key, |
2362 | key_rec->enc_key_size); | 2362 | key_rec->enc_key_size); |
2363 | (*packet_size) += key_rec->enc_key_size; | 2363 | (*packet_size) += key_rec->enc_key_size; |
2364 | out: | 2364 | out: |
2365 | if (rc) | 2365 | if (rc) |
2366 | (*packet_size) = 0; | 2366 | (*packet_size) = 0; |
2367 | else | 2367 | else |
2368 | (*remaining_bytes) -= (*packet_size); | 2368 | (*remaining_bytes) -= (*packet_size); |
2369 | return rc; | 2369 | return rc; |
2370 | } | 2370 | } |
2371 | 2371 | ||
2372 | struct kmem_cache *ecryptfs_key_record_cache; | 2372 | struct kmem_cache *ecryptfs_key_record_cache; |
2373 | 2373 | ||
2374 | /** | 2374 | /** |
2375 | * ecryptfs_generate_key_packet_set | 2375 | * ecryptfs_generate_key_packet_set |
2376 | * @dest_base: Virtual address from which to write the key record set | 2376 | * @dest_base: Virtual address from which to write the key record set |
2377 | * @crypt_stat: The cryptographic context from which the | 2377 | * @crypt_stat: The cryptographic context from which the |
2378 | * authentication tokens will be retrieved | 2378 | * authentication tokens will be retrieved |
2379 | * @ecryptfs_dentry: The dentry, used to retrieve the mount crypt stat | 2379 | * @ecryptfs_dentry: The dentry, used to retrieve the mount crypt stat |
2380 | * for the global parameters | 2380 | * for the global parameters |
2381 | * @len: The amount written | 2381 | * @len: The amount written |
2382 | * @max: The maximum amount of data allowed to be written | 2382 | * @max: The maximum amount of data allowed to be written |
2383 | * | 2383 | * |
2384 | * Generates a key packet set and writes it to the virtual address | 2384 | * Generates a key packet set and writes it to the virtual address |
2385 | * passed in. | 2385 | * passed in. |
2386 | * | 2386 | * |
2387 | * Returns zero on success; non-zero on error. | 2387 | * Returns zero on success; non-zero on error. |
2388 | */ | 2388 | */ |
2389 | int | 2389 | int |
2390 | ecryptfs_generate_key_packet_set(char *dest_base, | 2390 | ecryptfs_generate_key_packet_set(char *dest_base, |
2391 | struct ecryptfs_crypt_stat *crypt_stat, | 2391 | struct ecryptfs_crypt_stat *crypt_stat, |
2392 | struct dentry *ecryptfs_dentry, size_t *len, | 2392 | struct dentry *ecryptfs_dentry, size_t *len, |
2393 | size_t max) | 2393 | size_t max) |
2394 | { | 2394 | { |
2395 | struct ecryptfs_auth_tok *auth_tok; | 2395 | struct ecryptfs_auth_tok *auth_tok; |
2396 | struct key *auth_tok_key = NULL; | 2396 | struct key *auth_tok_key = NULL; |
2397 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat = | 2397 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat = |
2398 | &ecryptfs_superblock_to_private( | 2398 | &ecryptfs_superblock_to_private( |
2399 | ecryptfs_dentry->d_sb)->mount_crypt_stat; | 2399 | ecryptfs_dentry->d_sb)->mount_crypt_stat; |
2400 | size_t written; | 2400 | size_t written; |
2401 | struct ecryptfs_key_record *key_rec; | 2401 | struct ecryptfs_key_record *key_rec; |
2402 | struct ecryptfs_key_sig *key_sig; | 2402 | struct ecryptfs_key_sig *key_sig; |
2403 | int rc = 0; | 2403 | int rc = 0; |
2404 | 2404 | ||
2405 | (*len) = 0; | 2405 | (*len) = 0; |
2406 | mutex_lock(&crypt_stat->keysig_list_mutex); | 2406 | mutex_lock(&crypt_stat->keysig_list_mutex); |
2407 | key_rec = kmem_cache_alloc(ecryptfs_key_record_cache, GFP_KERNEL); | 2407 | key_rec = kmem_cache_alloc(ecryptfs_key_record_cache, GFP_KERNEL); |
2408 | if (!key_rec) { | 2408 | if (!key_rec) { |
2409 | rc = -ENOMEM; | 2409 | rc = -ENOMEM; |
2410 | goto out; | 2410 | goto out; |
2411 | } | 2411 | } |
2412 | list_for_each_entry(key_sig, &crypt_stat->keysig_list, | 2412 | list_for_each_entry(key_sig, &crypt_stat->keysig_list, |
2413 | crypt_stat_list) { | 2413 | crypt_stat_list) { |
2414 | memset(key_rec, 0, sizeof(*key_rec)); | 2414 | memset(key_rec, 0, sizeof(*key_rec)); |
2415 | rc = ecryptfs_find_global_auth_tok_for_sig(&auth_tok_key, | 2415 | rc = ecryptfs_find_global_auth_tok_for_sig(&auth_tok_key, |
2416 | &auth_tok, | 2416 | &auth_tok, |
2417 | mount_crypt_stat, | 2417 | mount_crypt_stat, |
2418 | key_sig->keysig); | 2418 | key_sig->keysig); |
2419 | if (rc) { | 2419 | if (rc) { |
2420 | printk(KERN_WARNING "Unable to retrieve auth tok with " | 2420 | printk(KERN_WARNING "Unable to retrieve auth tok with " |
2421 | "sig = [%s]\n", key_sig->keysig); | 2421 | "sig = [%s]\n", key_sig->keysig); |
2422 | rc = process_find_global_auth_tok_for_sig_err(rc); | 2422 | rc = process_find_global_auth_tok_for_sig_err(rc); |
2423 | goto out_free; | 2423 | goto out_free; |
2424 | } | 2424 | } |
2425 | if (auth_tok->token_type == ECRYPTFS_PASSWORD) { | 2425 | if (auth_tok->token_type == ECRYPTFS_PASSWORD) { |
2426 | rc = write_tag_3_packet((dest_base + (*len)), | 2426 | rc = write_tag_3_packet((dest_base + (*len)), |
2427 | &max, auth_tok, | 2427 | &max, auth_tok, |
2428 | crypt_stat, key_rec, | 2428 | crypt_stat, key_rec, |
2429 | &written); | 2429 | &written); |
2430 | up_write(&(auth_tok_key->sem)); | 2430 | up_write(&(auth_tok_key->sem)); |
2431 | key_put(auth_tok_key); | 2431 | key_put(auth_tok_key); |
2432 | if (rc) { | 2432 | if (rc) { |
2433 | ecryptfs_printk(KERN_WARNING, "Error " | 2433 | ecryptfs_printk(KERN_WARNING, "Error " |
2434 | "writing tag 3 packet\n"); | 2434 | "writing tag 3 packet\n"); |
2435 | goto out_free; | 2435 | goto out_free; |
2436 | } | 2436 | } |
2437 | (*len) += written; | 2437 | (*len) += written; |
2438 | /* Write auth tok signature packet */ | 2438 | /* Write auth tok signature packet */ |
2439 | rc = write_tag_11_packet((dest_base + (*len)), &max, | 2439 | rc = write_tag_11_packet((dest_base + (*len)), &max, |
2440 | key_rec->sig, | 2440 | key_rec->sig, |
2441 | ECRYPTFS_SIG_SIZE, &written); | 2441 | ECRYPTFS_SIG_SIZE, &written); |
2442 | if (rc) { | 2442 | if (rc) { |
2443 | ecryptfs_printk(KERN_ERR, "Error writing " | 2443 | ecryptfs_printk(KERN_ERR, "Error writing " |
2444 | "auth tok signature packet\n"); | 2444 | "auth tok signature packet\n"); |
2445 | goto out_free; | 2445 | goto out_free; |
2446 | } | 2446 | } |
2447 | (*len) += written; | 2447 | (*len) += written; |
2448 | } else if (auth_tok->token_type == ECRYPTFS_PRIVATE_KEY) { | 2448 | } else if (auth_tok->token_type == ECRYPTFS_PRIVATE_KEY) { |
2449 | rc = write_tag_1_packet(dest_base + (*len), &max, | 2449 | rc = write_tag_1_packet(dest_base + (*len), &max, |
2450 | auth_tok_key, auth_tok, | 2450 | auth_tok_key, auth_tok, |
2451 | crypt_stat, key_rec, &written); | 2451 | crypt_stat, key_rec, &written); |
2452 | if (rc) { | 2452 | if (rc) { |
2453 | ecryptfs_printk(KERN_WARNING, "Error " | 2453 | ecryptfs_printk(KERN_WARNING, "Error " |
2454 | "writing tag 1 packet\n"); | 2454 | "writing tag 1 packet\n"); |
2455 | goto out_free; | 2455 | goto out_free; |
2456 | } | 2456 | } |
2457 | (*len) += written; | 2457 | (*len) += written; |
2458 | } else { | 2458 | } else { |
2459 | up_write(&(auth_tok_key->sem)); | 2459 | up_write(&(auth_tok_key->sem)); |
2460 | key_put(auth_tok_key); | 2460 | key_put(auth_tok_key); |
2461 | ecryptfs_printk(KERN_WARNING, "Unsupported " | 2461 | ecryptfs_printk(KERN_WARNING, "Unsupported " |
2462 | "authentication token type\n"); | 2462 | "authentication token type\n"); |
2463 | rc = -EINVAL; | 2463 | rc = -EINVAL; |
2464 | goto out_free; | 2464 | goto out_free; |
2465 | } | 2465 | } |
2466 | } | 2466 | } |
2467 | if (likely(max > 0)) { | 2467 | if (likely(max > 0)) { |
2468 | dest_base[(*len)] = 0x00; | 2468 | dest_base[(*len)] = 0x00; |
2469 | } else { | 2469 | } else { |
2470 | ecryptfs_printk(KERN_ERR, "Error writing boundary byte\n"); | 2470 | ecryptfs_printk(KERN_ERR, "Error writing boundary byte\n"); |
2471 | rc = -EIO; | 2471 | rc = -EIO; |
2472 | } | 2472 | } |
2473 | out_free: | 2473 | out_free: |
2474 | kmem_cache_free(ecryptfs_key_record_cache, key_rec); | 2474 | kmem_cache_free(ecryptfs_key_record_cache, key_rec); |
2475 | out: | 2475 | out: |
2476 | if (rc) | 2476 | if (rc) |
2477 | (*len) = 0; | 2477 | (*len) = 0; |
2478 | mutex_unlock(&crypt_stat->keysig_list_mutex); | 2478 | mutex_unlock(&crypt_stat->keysig_list_mutex); |
2479 | return rc; | 2479 | return rc; |
2480 | } | 2480 | } |
2481 | 2481 | ||
2482 | struct kmem_cache *ecryptfs_key_sig_cache; | 2482 | struct kmem_cache *ecryptfs_key_sig_cache; |
2483 | 2483 | ||
2484 | int ecryptfs_add_keysig(struct ecryptfs_crypt_stat *crypt_stat, char *sig) | 2484 | int ecryptfs_add_keysig(struct ecryptfs_crypt_stat *crypt_stat, char *sig) |
2485 | { | 2485 | { |
2486 | struct ecryptfs_key_sig *new_key_sig; | 2486 | struct ecryptfs_key_sig *new_key_sig; |
2487 | 2487 | ||
2488 | new_key_sig = kmem_cache_alloc(ecryptfs_key_sig_cache, GFP_KERNEL); | 2488 | new_key_sig = kmem_cache_alloc(ecryptfs_key_sig_cache, GFP_KERNEL); |
2489 | if (!new_key_sig) { | 2489 | if (!new_key_sig) { |
2490 | printk(KERN_ERR | 2490 | printk(KERN_ERR |
2491 | "Error allocating from ecryptfs_key_sig_cache\n"); | 2491 | "Error allocating from ecryptfs_key_sig_cache\n"); |
2492 | return -ENOMEM; | 2492 | return -ENOMEM; |
2493 | } | 2493 | } |
2494 | memcpy(new_key_sig->keysig, sig, ECRYPTFS_SIG_SIZE_HEX); | 2494 | memcpy(new_key_sig->keysig, sig, ECRYPTFS_SIG_SIZE_HEX); |
2495 | new_key_sig->keysig[ECRYPTFS_SIG_SIZE_HEX] = '\0'; | 2495 | new_key_sig->keysig[ECRYPTFS_SIG_SIZE_HEX] = '\0'; |
2496 | /* Caller must hold keysig_list_mutex */ | 2496 | /* Caller must hold keysig_list_mutex */ |
2497 | list_add(&new_key_sig->crypt_stat_list, &crypt_stat->keysig_list); | 2497 | list_add(&new_key_sig->crypt_stat_list, &crypt_stat->keysig_list); |
2498 | 2498 | ||
2499 | return 0; | 2499 | return 0; |
2500 | } | 2500 | } |
2501 | 2501 | ||
2502 | struct kmem_cache *ecryptfs_global_auth_tok_cache; | 2502 | struct kmem_cache *ecryptfs_global_auth_tok_cache; |
2503 | 2503 | ||
2504 | int | 2504 | int |
2505 | ecryptfs_add_global_auth_tok(struct ecryptfs_mount_crypt_stat *mount_crypt_stat, | 2505 | ecryptfs_add_global_auth_tok(struct ecryptfs_mount_crypt_stat *mount_crypt_stat, |
2506 | char *sig, u32 global_auth_tok_flags) | 2506 | char *sig, u32 global_auth_tok_flags) |
2507 | { | 2507 | { |
2508 | struct ecryptfs_global_auth_tok *new_auth_tok; | 2508 | struct ecryptfs_global_auth_tok *new_auth_tok; |
2509 | int rc = 0; | 2509 | int rc = 0; |
2510 | 2510 | ||
2511 | new_auth_tok = kmem_cache_zalloc(ecryptfs_global_auth_tok_cache, | 2511 | new_auth_tok = kmem_cache_zalloc(ecryptfs_global_auth_tok_cache, |
2512 | GFP_KERNEL); | 2512 | GFP_KERNEL); |
2513 | if (!new_auth_tok) { | 2513 | if (!new_auth_tok) { |
2514 | rc = -ENOMEM; | 2514 | rc = -ENOMEM; |
2515 | printk(KERN_ERR "Error allocating from " | 2515 | printk(KERN_ERR "Error allocating from " |
2516 | "ecryptfs_global_auth_tok_cache\n"); | 2516 | "ecryptfs_global_auth_tok_cache\n"); |
2517 | goto out; | 2517 | goto out; |
2518 | } | 2518 | } |
2519 | memcpy(new_auth_tok->sig, sig, ECRYPTFS_SIG_SIZE_HEX); | 2519 | memcpy(new_auth_tok->sig, sig, ECRYPTFS_SIG_SIZE_HEX); |
2520 | new_auth_tok->flags = global_auth_tok_flags; | 2520 | new_auth_tok->flags = global_auth_tok_flags; |
2521 | new_auth_tok->sig[ECRYPTFS_SIG_SIZE_HEX] = '\0'; | 2521 | new_auth_tok->sig[ECRYPTFS_SIG_SIZE_HEX] = '\0'; |
2522 | mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); | 2522 | mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); |
2523 | list_add(&new_auth_tok->mount_crypt_stat_list, | 2523 | list_add(&new_auth_tok->mount_crypt_stat_list, |
2524 | &mount_crypt_stat->global_auth_tok_list); | 2524 | &mount_crypt_stat->global_auth_tok_list); |
2525 | mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); | 2525 | mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); |
2526 | out: | 2526 | out: |
2527 | return rc; | 2527 | return rc; |
2528 | } | 2528 | } |
2529 | 2529 | ||
2530 | 2530 |
fs/ecryptfs/main.c
1 | /** | 1 | /** |
2 | * eCryptfs: Linux filesystem encryption layer | 2 | * eCryptfs: Linux filesystem encryption layer |
3 | * | 3 | * |
4 | * Copyright (C) 1997-2003 Erez Zadok | 4 | * Copyright (C) 1997-2003 Erez Zadok |
5 | * Copyright (C) 2001-2003 Stony Brook University | 5 | * Copyright (C) 2001-2003 Stony Brook University |
6 | * Copyright (C) 2004-2007 International Business Machines Corp. | 6 | * Copyright (C) 2004-2007 International Business Machines Corp. |
7 | * Author(s): Michael A. Halcrow <mahalcro@us.ibm.com> | 7 | * Author(s): Michael A. Halcrow <mahalcro@us.ibm.com> |
8 | * Michael C. Thompson <mcthomps@us.ibm.com> | 8 | * Michael C. Thompson <mcthomps@us.ibm.com> |
9 | * Tyler Hicks <tyhicks@ou.edu> | 9 | * Tyler Hicks <tyhicks@ou.edu> |
10 | * | 10 | * |
11 | * This program is free software; you can redistribute it and/or | 11 | * This program is free software; you can redistribute it and/or |
12 | * modify it under the terms of the GNU General Public License as | 12 | * modify it under the terms of the GNU General Public License as |
13 | * published by the Free Software Foundation; either version 2 of the | 13 | * published by the Free Software Foundation; either version 2 of the |
14 | * License, or (at your option) any later version. | 14 | * License, or (at your option) any later version. |
15 | * | 15 | * |
16 | * This program is distributed in the hope that it will be useful, but | 16 | * This program is distributed in the hope that it will be useful, but |
17 | * WITHOUT ANY WARRANTY; without even the implied warranty of | 17 | * WITHOUT ANY WARRANTY; without even the implied warranty of |
18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
19 | * General Public License for more details. | 19 | * General Public License for more details. |
20 | * | 20 | * |
21 | * You should have received a copy of the GNU General Public License | 21 | * You should have received a copy of the GNU General Public License |
22 | * along with this program; if not, write to the Free Software | 22 | * along with this program; if not, write to the Free Software |
23 | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA | 23 | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA |
24 | * 02111-1307, USA. | 24 | * 02111-1307, USA. |
25 | */ | 25 | */ |
26 | 26 | ||
27 | #include <linux/dcache.h> | 27 | #include <linux/dcache.h> |
28 | #include <linux/file.h> | 28 | #include <linux/file.h> |
29 | #include <linux/module.h> | 29 | #include <linux/module.h> |
30 | #include <linux/namei.h> | 30 | #include <linux/namei.h> |
31 | #include <linux/skbuff.h> | 31 | #include <linux/skbuff.h> |
32 | #include <linux/crypto.h> | 32 | #include <linux/crypto.h> |
33 | #include <linux/mount.h> | 33 | #include <linux/mount.h> |
34 | #include <linux/pagemap.h> | 34 | #include <linux/pagemap.h> |
35 | #include <linux/key.h> | 35 | #include <linux/key.h> |
36 | #include <linux/parser.h> | 36 | #include <linux/parser.h> |
37 | #include <linux/fs_stack.h> | 37 | #include <linux/fs_stack.h> |
38 | #include <linux/slab.h> | 38 | #include <linux/slab.h> |
39 | #include <linux/magic.h> | 39 | #include <linux/magic.h> |
40 | #include "ecryptfs_kernel.h" | 40 | #include "ecryptfs_kernel.h" |
41 | 41 | ||
42 | /** | 42 | /** |
43 | * Module parameter that defines the ecryptfs_verbosity level. | 43 | * Module parameter that defines the ecryptfs_verbosity level. |
44 | */ | 44 | */ |
45 | int ecryptfs_verbosity = 0; | 45 | int ecryptfs_verbosity = 0; |
46 | 46 | ||
47 | module_param(ecryptfs_verbosity, int, 0); | 47 | module_param(ecryptfs_verbosity, int, 0); |
48 | MODULE_PARM_DESC(ecryptfs_verbosity, | 48 | MODULE_PARM_DESC(ecryptfs_verbosity, |
49 | "Initial verbosity level (0 or 1; defaults to " | 49 | "Initial verbosity level (0 or 1; defaults to " |
50 | "0, which is Quiet)"); | 50 | "0, which is Quiet)"); |
51 | 51 | ||
52 | /** | 52 | /** |
53 | * Module parameter that defines the number of message buffer elements | 53 | * Module parameter that defines the number of message buffer elements |
54 | */ | 54 | */ |
55 | unsigned int ecryptfs_message_buf_len = ECRYPTFS_DEFAULT_MSG_CTX_ELEMS; | 55 | unsigned int ecryptfs_message_buf_len = ECRYPTFS_DEFAULT_MSG_CTX_ELEMS; |
56 | 56 | ||
57 | module_param(ecryptfs_message_buf_len, uint, 0); | 57 | module_param(ecryptfs_message_buf_len, uint, 0); |
58 | MODULE_PARM_DESC(ecryptfs_message_buf_len, | 58 | MODULE_PARM_DESC(ecryptfs_message_buf_len, |
59 | "Number of message buffer elements"); | 59 | "Number of message buffer elements"); |
60 | 60 | ||
61 | /** | 61 | /** |
62 | * Module parameter that defines the maximum guaranteed amount of time to wait | 62 | * Module parameter that defines the maximum guaranteed amount of time to wait |
63 | * for a response from ecryptfsd. The actual sleep time will be, more than | 63 | * for a response from ecryptfsd. The actual sleep time will be, more than |
64 | * likely, a small amount greater than this specified value, but only less if | 64 | * likely, a small amount greater than this specified value, but only less if |
65 | * the message successfully arrives. | 65 | * the message successfully arrives. |
66 | */ | 66 | */ |
67 | signed long ecryptfs_message_wait_timeout = ECRYPTFS_MAX_MSG_CTX_TTL / HZ; | 67 | signed long ecryptfs_message_wait_timeout = ECRYPTFS_MAX_MSG_CTX_TTL / HZ; |
68 | 68 | ||
69 | module_param(ecryptfs_message_wait_timeout, long, 0); | 69 | module_param(ecryptfs_message_wait_timeout, long, 0); |
70 | MODULE_PARM_DESC(ecryptfs_message_wait_timeout, | 70 | MODULE_PARM_DESC(ecryptfs_message_wait_timeout, |
71 | "Maximum number of seconds that an operation will " | 71 | "Maximum number of seconds that an operation will " |
72 | "sleep while waiting for a message response from " | 72 | "sleep while waiting for a message response from " |
73 | "userspace"); | 73 | "userspace"); |
74 | 74 | ||
75 | /** | 75 | /** |
76 | * Module parameter that is an estimate of the maximum number of users | 76 | * Module parameter that is an estimate of the maximum number of users |
77 | * that will be concurrently using eCryptfs. Set this to the right | 77 | * that will be concurrently using eCryptfs. Set this to the right |
78 | * value to balance performance and memory use. | 78 | * value to balance performance and memory use. |
79 | */ | 79 | */ |
80 | unsigned int ecryptfs_number_of_users = ECRYPTFS_DEFAULT_NUM_USERS; | 80 | unsigned int ecryptfs_number_of_users = ECRYPTFS_DEFAULT_NUM_USERS; |
81 | 81 | ||
82 | module_param(ecryptfs_number_of_users, uint, 0); | 82 | module_param(ecryptfs_number_of_users, uint, 0); |
83 | MODULE_PARM_DESC(ecryptfs_number_of_users, "An estimate of the number of " | 83 | MODULE_PARM_DESC(ecryptfs_number_of_users, "An estimate of the number of " |
84 | "concurrent users of eCryptfs"); | 84 | "concurrent users of eCryptfs"); |
85 | 85 | ||
86 | void __ecryptfs_printk(const char *fmt, ...) | 86 | void __ecryptfs_printk(const char *fmt, ...) |
87 | { | 87 | { |
88 | va_list args; | 88 | va_list args; |
89 | va_start(args, fmt); | 89 | va_start(args, fmt); |
90 | if (fmt[1] == '7') { /* KERN_DEBUG */ | 90 | if (fmt[1] == '7') { /* KERN_DEBUG */ |
91 | if (ecryptfs_verbosity >= 1) | 91 | if (ecryptfs_verbosity >= 1) |
92 | vprintk(fmt, args); | 92 | vprintk(fmt, args); |
93 | } else | 93 | } else |
94 | vprintk(fmt, args); | 94 | vprintk(fmt, args); |
95 | va_end(args); | 95 | va_end(args); |
96 | } | 96 | } |
97 | 97 | ||
98 | /** | 98 | /** |
99 | * ecryptfs_init_lower_file | 99 | * ecryptfs_init_lower_file |
100 | * @ecryptfs_dentry: Fully initialized eCryptfs dentry object, with | 100 | * @ecryptfs_dentry: Fully initialized eCryptfs dentry object, with |
101 | * the lower dentry and the lower mount set | 101 | * the lower dentry and the lower mount set |
102 | * | 102 | * |
103 | * eCryptfs only ever keeps a single open file for every lower | 103 | * eCryptfs only ever keeps a single open file for every lower |
104 | * inode. All I/O operations to the lower inode occur through that | 104 | * inode. All I/O operations to the lower inode occur through that |
105 | * file. When the first eCryptfs dentry that interposes with the first | 105 | * file. When the first eCryptfs dentry that interposes with the first |
106 | * lower dentry for that inode is created, this function creates the | 106 | * lower dentry for that inode is created, this function creates the |
107 | * lower file struct and associates it with the eCryptfs | 107 | * lower file struct and associates it with the eCryptfs |
108 | * inode. When all eCryptfs files associated with the inode are released, the | 108 | * inode. When all eCryptfs files associated with the inode are released, the |
109 | * file is closed. | 109 | * file is closed. |
110 | * | 110 | * |
111 | * The lower file will be opened with read/write permissions, if | 111 | * The lower file will be opened with read/write permissions, if |
112 | * possible. Otherwise, it is opened read-only. | 112 | * possible. Otherwise, it is opened read-only. |
113 | * | 113 | * |
114 | * This function does nothing if a lower file is already | 114 | * This function does nothing if a lower file is already |
115 | * associated with the eCryptfs inode. | 115 | * associated with the eCryptfs inode. |
116 | * | 116 | * |
117 | * Returns zero on success; non-zero otherwise | 117 | * Returns zero on success; non-zero otherwise |
118 | */ | 118 | */ |
119 | static int ecryptfs_init_lower_file(struct dentry *dentry, | 119 | static int ecryptfs_init_lower_file(struct dentry *dentry, |
120 | struct file **lower_file) | 120 | struct file **lower_file) |
121 | { | 121 | { |
122 | const struct cred *cred = current_cred(); | 122 | const struct cred *cred = current_cred(); |
123 | struct path *path = ecryptfs_dentry_to_lower_path(dentry); | 123 | struct path *path = ecryptfs_dentry_to_lower_path(dentry); |
124 | int rc; | 124 | int rc; |
125 | 125 | ||
126 | rc = ecryptfs_privileged_open(lower_file, path->dentry, path->mnt, | 126 | rc = ecryptfs_privileged_open(lower_file, path->dentry, path->mnt, |
127 | cred); | 127 | cred); |
128 | if (rc) { | 128 | if (rc) { |
129 | printk(KERN_ERR "Error opening lower file " | 129 | printk(KERN_ERR "Error opening lower file " |
130 | "for lower_dentry [0x%p] and lower_mnt [0x%p]; " | 130 | "for lower_dentry [0x%p] and lower_mnt [0x%p]; " |
131 | "rc = [%d]\n", path->dentry, path->mnt, rc); | 131 | "rc = [%d]\n", path->dentry, path->mnt, rc); |
132 | (*lower_file) = NULL; | 132 | (*lower_file) = NULL; |
133 | } | 133 | } |
134 | return rc; | 134 | return rc; |
135 | } | 135 | } |
136 | 136 | ||
137 | int ecryptfs_get_lower_file(struct dentry *dentry, struct inode *inode) | 137 | int ecryptfs_get_lower_file(struct dentry *dentry, struct inode *inode) |
138 | { | 138 | { |
139 | struct ecryptfs_inode_info *inode_info; | 139 | struct ecryptfs_inode_info *inode_info; |
140 | int count, rc = 0; | 140 | int count, rc = 0; |
141 | 141 | ||
142 | inode_info = ecryptfs_inode_to_private(inode); | 142 | inode_info = ecryptfs_inode_to_private(inode); |
143 | mutex_lock(&inode_info->lower_file_mutex); | 143 | mutex_lock(&inode_info->lower_file_mutex); |
144 | count = atomic_inc_return(&inode_info->lower_file_count); | 144 | count = atomic_inc_return(&inode_info->lower_file_count); |
145 | if (WARN_ON_ONCE(count < 1)) | 145 | if (WARN_ON_ONCE(count < 1)) |
146 | rc = -EINVAL; | 146 | rc = -EINVAL; |
147 | else if (count == 1) { | 147 | else if (count == 1) { |
148 | rc = ecryptfs_init_lower_file(dentry, | 148 | rc = ecryptfs_init_lower_file(dentry, |
149 | &inode_info->lower_file); | 149 | &inode_info->lower_file); |
150 | if (rc) | 150 | if (rc) |
151 | atomic_set(&inode_info->lower_file_count, 0); | 151 | atomic_set(&inode_info->lower_file_count, 0); |
152 | } | 152 | } |
153 | mutex_unlock(&inode_info->lower_file_mutex); | 153 | mutex_unlock(&inode_info->lower_file_mutex); |
154 | return rc; | 154 | return rc; |
155 | } | 155 | } |
156 | 156 | ||
157 | void ecryptfs_put_lower_file(struct inode *inode) | 157 | void ecryptfs_put_lower_file(struct inode *inode) |
158 | { | 158 | { |
159 | struct ecryptfs_inode_info *inode_info; | 159 | struct ecryptfs_inode_info *inode_info; |
160 | 160 | ||
161 | inode_info = ecryptfs_inode_to_private(inode); | 161 | inode_info = ecryptfs_inode_to_private(inode); |
162 | if (atomic_dec_and_mutex_lock(&inode_info->lower_file_count, | 162 | if (atomic_dec_and_mutex_lock(&inode_info->lower_file_count, |
163 | &inode_info->lower_file_mutex)) { | 163 | &inode_info->lower_file_mutex)) { |
164 | filemap_write_and_wait(inode->i_mapping); | 164 | filemap_write_and_wait(inode->i_mapping); |
165 | fput(inode_info->lower_file); | 165 | fput(inode_info->lower_file); |
166 | inode_info->lower_file = NULL; | 166 | inode_info->lower_file = NULL; |
167 | mutex_unlock(&inode_info->lower_file_mutex); | 167 | mutex_unlock(&inode_info->lower_file_mutex); |
168 | } | 168 | } |
169 | } | 169 | } |
170 | 170 | ||
171 | enum { ecryptfs_opt_sig, ecryptfs_opt_ecryptfs_sig, | 171 | enum { ecryptfs_opt_sig, ecryptfs_opt_ecryptfs_sig, |
172 | ecryptfs_opt_cipher, ecryptfs_opt_ecryptfs_cipher, | 172 | ecryptfs_opt_cipher, ecryptfs_opt_ecryptfs_cipher, |
173 | ecryptfs_opt_ecryptfs_key_bytes, | 173 | ecryptfs_opt_ecryptfs_key_bytes, |
174 | ecryptfs_opt_passthrough, ecryptfs_opt_xattr_metadata, | 174 | ecryptfs_opt_passthrough, ecryptfs_opt_xattr_metadata, |
175 | ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig, | 175 | ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig, |
176 | ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes, | 176 | ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes, |
177 | ecryptfs_opt_unlink_sigs, ecryptfs_opt_mount_auth_tok_only, | 177 | ecryptfs_opt_unlink_sigs, ecryptfs_opt_mount_auth_tok_only, |
178 | ecryptfs_opt_check_dev_ruid, | 178 | ecryptfs_opt_check_dev_ruid, |
179 | ecryptfs_opt_err }; | 179 | ecryptfs_opt_err }; |
180 | 180 | ||
181 | static const match_table_t tokens = { | 181 | static const match_table_t tokens = { |
182 | {ecryptfs_opt_sig, "sig=%s"}, | 182 | {ecryptfs_opt_sig, "sig=%s"}, |
183 | {ecryptfs_opt_ecryptfs_sig, "ecryptfs_sig=%s"}, | 183 | {ecryptfs_opt_ecryptfs_sig, "ecryptfs_sig=%s"}, |
184 | {ecryptfs_opt_cipher, "cipher=%s"}, | 184 | {ecryptfs_opt_cipher, "cipher=%s"}, |
185 | {ecryptfs_opt_ecryptfs_cipher, "ecryptfs_cipher=%s"}, | 185 | {ecryptfs_opt_ecryptfs_cipher, "ecryptfs_cipher=%s"}, |
186 | {ecryptfs_opt_ecryptfs_key_bytes, "ecryptfs_key_bytes=%u"}, | 186 | {ecryptfs_opt_ecryptfs_key_bytes, "ecryptfs_key_bytes=%u"}, |
187 | {ecryptfs_opt_passthrough, "ecryptfs_passthrough"}, | 187 | {ecryptfs_opt_passthrough, "ecryptfs_passthrough"}, |
188 | {ecryptfs_opt_xattr_metadata, "ecryptfs_xattr_metadata"}, | 188 | {ecryptfs_opt_xattr_metadata, "ecryptfs_xattr_metadata"}, |
189 | {ecryptfs_opt_encrypted_view, "ecryptfs_encrypted_view"}, | 189 | {ecryptfs_opt_encrypted_view, "ecryptfs_encrypted_view"}, |
190 | {ecryptfs_opt_fnek_sig, "ecryptfs_fnek_sig=%s"}, | 190 | {ecryptfs_opt_fnek_sig, "ecryptfs_fnek_sig=%s"}, |
191 | {ecryptfs_opt_fn_cipher, "ecryptfs_fn_cipher=%s"}, | 191 | {ecryptfs_opt_fn_cipher, "ecryptfs_fn_cipher=%s"}, |
192 | {ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"}, | 192 | {ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"}, |
193 | {ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"}, | 193 | {ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"}, |
194 | {ecryptfs_opt_mount_auth_tok_only, "ecryptfs_mount_auth_tok_only"}, | 194 | {ecryptfs_opt_mount_auth_tok_only, "ecryptfs_mount_auth_tok_only"}, |
195 | {ecryptfs_opt_check_dev_ruid, "ecryptfs_check_dev_ruid"}, | 195 | {ecryptfs_opt_check_dev_ruid, "ecryptfs_check_dev_ruid"}, |
196 | {ecryptfs_opt_err, NULL} | 196 | {ecryptfs_opt_err, NULL} |
197 | }; | 197 | }; |
198 | 198 | ||
199 | static int ecryptfs_init_global_auth_toks( | 199 | static int ecryptfs_init_global_auth_toks( |
200 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat) | 200 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat) |
201 | { | 201 | { |
202 | struct ecryptfs_global_auth_tok *global_auth_tok; | 202 | struct ecryptfs_global_auth_tok *global_auth_tok; |
203 | struct ecryptfs_auth_tok *auth_tok; | 203 | struct ecryptfs_auth_tok *auth_tok; |
204 | int rc = 0; | 204 | int rc = 0; |
205 | 205 | ||
206 | list_for_each_entry(global_auth_tok, | 206 | list_for_each_entry(global_auth_tok, |
207 | &mount_crypt_stat->global_auth_tok_list, | 207 | &mount_crypt_stat->global_auth_tok_list, |
208 | mount_crypt_stat_list) { | 208 | mount_crypt_stat_list) { |
209 | rc = ecryptfs_keyring_auth_tok_for_sig( | 209 | rc = ecryptfs_keyring_auth_tok_for_sig( |
210 | &global_auth_tok->global_auth_tok_key, &auth_tok, | 210 | &global_auth_tok->global_auth_tok_key, &auth_tok, |
211 | global_auth_tok->sig); | 211 | global_auth_tok->sig); |
212 | if (rc) { | 212 | if (rc) { |
213 | printk(KERN_ERR "Could not find valid key in user " | 213 | printk(KERN_ERR "Could not find valid key in user " |
214 | "session keyring for sig specified in mount " | 214 | "session keyring for sig specified in mount " |
215 | "option: [%s]\n", global_auth_tok->sig); | 215 | "option: [%s]\n", global_auth_tok->sig); |
216 | global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID; | 216 | global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID; |
217 | goto out; | 217 | goto out; |
218 | } else { | 218 | } else { |
219 | global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID; | 219 | global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID; |
220 | up_write(&(global_auth_tok->global_auth_tok_key)->sem); | 220 | up_write(&(global_auth_tok->global_auth_tok_key)->sem); |
221 | } | 221 | } |
222 | } | 222 | } |
223 | out: | 223 | out: |
224 | return rc; | 224 | return rc; |
225 | } | 225 | } |
226 | 226 | ||
227 | static void ecryptfs_init_mount_crypt_stat( | 227 | static void ecryptfs_init_mount_crypt_stat( |
228 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat) | 228 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat) |
229 | { | 229 | { |
230 | memset((void *)mount_crypt_stat, 0, | 230 | memset((void *)mount_crypt_stat, 0, |
231 | sizeof(struct ecryptfs_mount_crypt_stat)); | 231 | sizeof(struct ecryptfs_mount_crypt_stat)); |
232 | INIT_LIST_HEAD(&mount_crypt_stat->global_auth_tok_list); | 232 | INIT_LIST_HEAD(&mount_crypt_stat->global_auth_tok_list); |
233 | mutex_init(&mount_crypt_stat->global_auth_tok_list_mutex); | 233 | mutex_init(&mount_crypt_stat->global_auth_tok_list_mutex); |
234 | mount_crypt_stat->flags |= ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED; | 234 | mount_crypt_stat->flags |= ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED; |
235 | } | 235 | } |
236 | 236 | ||
237 | /** | 237 | /** |
238 | * ecryptfs_parse_options | 238 | * ecryptfs_parse_options |
239 | * @sb: The ecryptfs super block | 239 | * @sb: The ecryptfs super block |
240 | * @options: The options passed to the kernel | 240 | * @options: The options passed to the kernel |
241 | * @check_ruid: set to 1 if device uid should be checked against the ruid | 241 | * @check_ruid: set to 1 if device uid should be checked against the ruid |
242 | * | 242 | * |
243 | * Parse mount options: | 243 | * Parse mount options: |
244 | * debug=N - ecryptfs_verbosity level for debug output | 244 | * debug=N - ecryptfs_verbosity level for debug output |
245 | * sig=XXX - description(signature) of the key to use | 245 | * sig=XXX - description(signature) of the key to use |
246 | * | 246 | * |
247 | * Returns the dentry object of the lower-level (lower/interposed) | 247 | * Returns the dentry object of the lower-level (lower/interposed) |
248 | * directory; We want to mount our stackable file system on top of | 248 | * directory; We want to mount our stackable file system on top of |
249 | * that lower directory. | 249 | * that lower directory. |
250 | * | 250 | * |
251 | * The signature of the key to use must be the description of a key | 251 | * The signature of the key to use must be the description of a key |
252 | * already in the keyring. Mounting will fail if the key can not be | 252 | * already in the keyring. Mounting will fail if the key can not be |
253 | * found. | 253 | * found. |
254 | * | 254 | * |
255 | * Returns zero on success; non-zero on error | 255 | * Returns zero on success; non-zero on error |
256 | */ | 256 | */ |
257 | static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options, | 257 | static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options, |
258 | uid_t *check_ruid) | 258 | uid_t *check_ruid) |
259 | { | 259 | { |
260 | char *p; | 260 | char *p; |
261 | int rc = 0; | 261 | int rc = 0; |
262 | int sig_set = 0; | 262 | int sig_set = 0; |
263 | int cipher_name_set = 0; | 263 | int cipher_name_set = 0; |
264 | int fn_cipher_name_set = 0; | 264 | int fn_cipher_name_set = 0; |
265 | int cipher_key_bytes; | 265 | int cipher_key_bytes; |
266 | int cipher_key_bytes_set = 0; | 266 | int cipher_key_bytes_set = 0; |
267 | int fn_cipher_key_bytes; | 267 | int fn_cipher_key_bytes; |
268 | int fn_cipher_key_bytes_set = 0; | 268 | int fn_cipher_key_bytes_set = 0; |
269 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat = | 269 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat = |
270 | &sbi->mount_crypt_stat; | 270 | &sbi->mount_crypt_stat; |
271 | substring_t args[MAX_OPT_ARGS]; | 271 | substring_t args[MAX_OPT_ARGS]; |
272 | int token; | 272 | int token; |
273 | char *sig_src; | 273 | char *sig_src; |
274 | char *cipher_name_dst; | 274 | char *cipher_name_dst; |
275 | char *cipher_name_src; | 275 | char *cipher_name_src; |
276 | char *fn_cipher_name_dst; | 276 | char *fn_cipher_name_dst; |
277 | char *fn_cipher_name_src; | 277 | char *fn_cipher_name_src; |
278 | char *fnek_dst; | 278 | char *fnek_dst; |
279 | char *fnek_src; | 279 | char *fnek_src; |
280 | char *cipher_key_bytes_src; | 280 | char *cipher_key_bytes_src; |
281 | char *fn_cipher_key_bytes_src; | 281 | char *fn_cipher_key_bytes_src; |
282 | u8 cipher_code; | 282 | u8 cipher_code; |
283 | 283 | ||
284 | *check_ruid = 0; | 284 | *check_ruid = 0; |
285 | 285 | ||
286 | if (!options) { | 286 | if (!options) { |
287 | rc = -EINVAL; | 287 | rc = -EINVAL; |
288 | goto out; | 288 | goto out; |
289 | } | 289 | } |
290 | ecryptfs_init_mount_crypt_stat(mount_crypt_stat); | 290 | ecryptfs_init_mount_crypt_stat(mount_crypt_stat); |
291 | while ((p = strsep(&options, ",")) != NULL) { | 291 | while ((p = strsep(&options, ",")) != NULL) { |
292 | if (!*p) | 292 | if (!*p) |
293 | continue; | 293 | continue; |
294 | token = match_token(p, tokens, args); | 294 | token = match_token(p, tokens, args); |
295 | switch (token) { | 295 | switch (token) { |
296 | case ecryptfs_opt_sig: | 296 | case ecryptfs_opt_sig: |
297 | case ecryptfs_opt_ecryptfs_sig: | 297 | case ecryptfs_opt_ecryptfs_sig: |
298 | sig_src = args[0].from; | 298 | sig_src = args[0].from; |
299 | rc = ecryptfs_add_global_auth_tok(mount_crypt_stat, | 299 | rc = ecryptfs_add_global_auth_tok(mount_crypt_stat, |
300 | sig_src, 0); | 300 | sig_src, 0); |
301 | if (rc) { | 301 | if (rc) { |
302 | printk(KERN_ERR "Error attempting to register " | 302 | printk(KERN_ERR "Error attempting to register " |
303 | "global sig; rc = [%d]\n", rc); | 303 | "global sig; rc = [%d]\n", rc); |
304 | goto out; | 304 | goto out; |
305 | } | 305 | } |
306 | sig_set = 1; | 306 | sig_set = 1; |
307 | break; | 307 | break; |
308 | case ecryptfs_opt_cipher: | 308 | case ecryptfs_opt_cipher: |
309 | case ecryptfs_opt_ecryptfs_cipher: | 309 | case ecryptfs_opt_ecryptfs_cipher: |
310 | cipher_name_src = args[0].from; | 310 | cipher_name_src = args[0].from; |
311 | cipher_name_dst = | 311 | cipher_name_dst = |
312 | mount_crypt_stat-> | 312 | mount_crypt_stat-> |
313 | global_default_cipher_name; | 313 | global_default_cipher_name; |
314 | strncpy(cipher_name_dst, cipher_name_src, | 314 | strncpy(cipher_name_dst, cipher_name_src, |
315 | ECRYPTFS_MAX_CIPHER_NAME_SIZE); | 315 | ECRYPTFS_MAX_CIPHER_NAME_SIZE); |
316 | cipher_name_dst[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0'; | 316 | cipher_name_dst[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0'; |
317 | cipher_name_set = 1; | 317 | cipher_name_set = 1; |
318 | break; | 318 | break; |
319 | case ecryptfs_opt_ecryptfs_key_bytes: | 319 | case ecryptfs_opt_ecryptfs_key_bytes: |
320 | cipher_key_bytes_src = args[0].from; | 320 | cipher_key_bytes_src = args[0].from; |
321 | cipher_key_bytes = | 321 | cipher_key_bytes = |
322 | (int)simple_strtol(cipher_key_bytes_src, | 322 | (int)simple_strtol(cipher_key_bytes_src, |
323 | &cipher_key_bytes_src, 0); | 323 | &cipher_key_bytes_src, 0); |
324 | mount_crypt_stat->global_default_cipher_key_size = | 324 | mount_crypt_stat->global_default_cipher_key_size = |
325 | cipher_key_bytes; | 325 | cipher_key_bytes; |
326 | cipher_key_bytes_set = 1; | 326 | cipher_key_bytes_set = 1; |
327 | break; | 327 | break; |
328 | case ecryptfs_opt_passthrough: | 328 | case ecryptfs_opt_passthrough: |
329 | mount_crypt_stat->flags |= | 329 | mount_crypt_stat->flags |= |
330 | ECRYPTFS_PLAINTEXT_PASSTHROUGH_ENABLED; | 330 | ECRYPTFS_PLAINTEXT_PASSTHROUGH_ENABLED; |
331 | break; | 331 | break; |
332 | case ecryptfs_opt_xattr_metadata: | 332 | case ecryptfs_opt_xattr_metadata: |
333 | mount_crypt_stat->flags |= | 333 | mount_crypt_stat->flags |= |
334 | ECRYPTFS_XATTR_METADATA_ENABLED; | 334 | ECRYPTFS_XATTR_METADATA_ENABLED; |
335 | break; | 335 | break; |
336 | case ecryptfs_opt_encrypted_view: | 336 | case ecryptfs_opt_encrypted_view: |
337 | mount_crypt_stat->flags |= | 337 | mount_crypt_stat->flags |= |
338 | ECRYPTFS_XATTR_METADATA_ENABLED; | 338 | ECRYPTFS_XATTR_METADATA_ENABLED; |
339 | mount_crypt_stat->flags |= | 339 | mount_crypt_stat->flags |= |
340 | ECRYPTFS_ENCRYPTED_VIEW_ENABLED; | 340 | ECRYPTFS_ENCRYPTED_VIEW_ENABLED; |
341 | break; | 341 | break; |
342 | case ecryptfs_opt_fnek_sig: | 342 | case ecryptfs_opt_fnek_sig: |
343 | fnek_src = args[0].from; | 343 | fnek_src = args[0].from; |
344 | fnek_dst = | 344 | fnek_dst = |
345 | mount_crypt_stat->global_default_fnek_sig; | 345 | mount_crypt_stat->global_default_fnek_sig; |
346 | strncpy(fnek_dst, fnek_src, ECRYPTFS_SIG_SIZE_HEX); | 346 | strncpy(fnek_dst, fnek_src, ECRYPTFS_SIG_SIZE_HEX); |
347 | mount_crypt_stat->global_default_fnek_sig[ | 347 | mount_crypt_stat->global_default_fnek_sig[ |
348 | ECRYPTFS_SIG_SIZE_HEX] = '\0'; | 348 | ECRYPTFS_SIG_SIZE_HEX] = '\0'; |
349 | rc = ecryptfs_add_global_auth_tok( | 349 | rc = ecryptfs_add_global_auth_tok( |
350 | mount_crypt_stat, | 350 | mount_crypt_stat, |
351 | mount_crypt_stat->global_default_fnek_sig, | 351 | mount_crypt_stat->global_default_fnek_sig, |
352 | ECRYPTFS_AUTH_TOK_FNEK); | 352 | ECRYPTFS_AUTH_TOK_FNEK); |
353 | if (rc) { | 353 | if (rc) { |
354 | printk(KERN_ERR "Error attempting to register " | 354 | printk(KERN_ERR "Error attempting to register " |
355 | "global fnek sig [%s]; rc = [%d]\n", | 355 | "global fnek sig [%s]; rc = [%d]\n", |
356 | mount_crypt_stat->global_default_fnek_sig, | 356 | mount_crypt_stat->global_default_fnek_sig, |
357 | rc); | 357 | rc); |
358 | goto out; | 358 | goto out; |
359 | } | 359 | } |
360 | mount_crypt_stat->flags |= | 360 | mount_crypt_stat->flags |= |
361 | (ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES | 361 | (ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES |
362 | | ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK); | 362 | | ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK); |
363 | break; | 363 | break; |
364 | case ecryptfs_opt_fn_cipher: | 364 | case ecryptfs_opt_fn_cipher: |
365 | fn_cipher_name_src = args[0].from; | 365 | fn_cipher_name_src = args[0].from; |
366 | fn_cipher_name_dst = | 366 | fn_cipher_name_dst = |
367 | mount_crypt_stat->global_default_fn_cipher_name; | 367 | mount_crypt_stat->global_default_fn_cipher_name; |
368 | strncpy(fn_cipher_name_dst, fn_cipher_name_src, | 368 | strncpy(fn_cipher_name_dst, fn_cipher_name_src, |
369 | ECRYPTFS_MAX_CIPHER_NAME_SIZE); | 369 | ECRYPTFS_MAX_CIPHER_NAME_SIZE); |
370 | mount_crypt_stat->global_default_fn_cipher_name[ | 370 | mount_crypt_stat->global_default_fn_cipher_name[ |
371 | ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0'; | 371 | ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0'; |
372 | fn_cipher_name_set = 1; | 372 | fn_cipher_name_set = 1; |
373 | break; | 373 | break; |
374 | case ecryptfs_opt_fn_cipher_key_bytes: | 374 | case ecryptfs_opt_fn_cipher_key_bytes: |
375 | fn_cipher_key_bytes_src = args[0].from; | 375 | fn_cipher_key_bytes_src = args[0].from; |
376 | fn_cipher_key_bytes = | 376 | fn_cipher_key_bytes = |
377 | (int)simple_strtol(fn_cipher_key_bytes_src, | 377 | (int)simple_strtol(fn_cipher_key_bytes_src, |
378 | &fn_cipher_key_bytes_src, 0); | 378 | &fn_cipher_key_bytes_src, 0); |
379 | mount_crypt_stat->global_default_fn_cipher_key_bytes = | 379 | mount_crypt_stat->global_default_fn_cipher_key_bytes = |
380 | fn_cipher_key_bytes; | 380 | fn_cipher_key_bytes; |
381 | fn_cipher_key_bytes_set = 1; | 381 | fn_cipher_key_bytes_set = 1; |
382 | break; | 382 | break; |
383 | case ecryptfs_opt_unlink_sigs: | 383 | case ecryptfs_opt_unlink_sigs: |
384 | mount_crypt_stat->flags |= ECRYPTFS_UNLINK_SIGS; | 384 | mount_crypt_stat->flags |= ECRYPTFS_UNLINK_SIGS; |
385 | break; | 385 | break; |
386 | case ecryptfs_opt_mount_auth_tok_only: | 386 | case ecryptfs_opt_mount_auth_tok_only: |
387 | mount_crypt_stat->flags |= | 387 | mount_crypt_stat->flags |= |
388 | ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY; | 388 | ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY; |
389 | break; | 389 | break; |
390 | case ecryptfs_opt_check_dev_ruid: | 390 | case ecryptfs_opt_check_dev_ruid: |
391 | *check_ruid = 1; | 391 | *check_ruid = 1; |
392 | break; | 392 | break; |
393 | case ecryptfs_opt_err: | 393 | case ecryptfs_opt_err: |
394 | default: | 394 | default: |
395 | printk(KERN_WARNING | 395 | printk(KERN_WARNING |
396 | "%s: eCryptfs: unrecognized option [%s]\n", | 396 | "%s: eCryptfs: unrecognized option [%s]\n", |
397 | __func__, p); | 397 | __func__, p); |
398 | } | 398 | } |
399 | } | 399 | } |
400 | if (!sig_set) { | 400 | if (!sig_set) { |
401 | rc = -EINVAL; | 401 | rc = -EINVAL; |
402 | ecryptfs_printk(KERN_ERR, "You must supply at least one valid " | 402 | ecryptfs_printk(KERN_ERR, "You must supply at least one valid " |
403 | "auth tok signature as a mount " | 403 | "auth tok signature as a mount " |
404 | "parameter; see the eCryptfs README\n"); | 404 | "parameter; see the eCryptfs README\n"); |
405 | goto out; | 405 | goto out; |
406 | } | 406 | } |
407 | if (!cipher_name_set) { | 407 | if (!cipher_name_set) { |
408 | int cipher_name_len = strlen(ECRYPTFS_DEFAULT_CIPHER); | 408 | int cipher_name_len = strlen(ECRYPTFS_DEFAULT_CIPHER); |
409 | 409 | ||
410 | BUG_ON(cipher_name_len >= ECRYPTFS_MAX_CIPHER_NAME_SIZE); | 410 | BUG_ON(cipher_name_len >= ECRYPTFS_MAX_CIPHER_NAME_SIZE); |
411 | strcpy(mount_crypt_stat->global_default_cipher_name, | 411 | strcpy(mount_crypt_stat->global_default_cipher_name, |
412 | ECRYPTFS_DEFAULT_CIPHER); | 412 | ECRYPTFS_DEFAULT_CIPHER); |
413 | } | 413 | } |
414 | if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) | 414 | if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) |
415 | && !fn_cipher_name_set) | 415 | && !fn_cipher_name_set) |
416 | strcpy(mount_crypt_stat->global_default_fn_cipher_name, | 416 | strcpy(mount_crypt_stat->global_default_fn_cipher_name, |
417 | mount_crypt_stat->global_default_cipher_name); | 417 | mount_crypt_stat->global_default_cipher_name); |
418 | if (!cipher_key_bytes_set) | 418 | if (!cipher_key_bytes_set) |
419 | mount_crypt_stat->global_default_cipher_key_size = 0; | 419 | mount_crypt_stat->global_default_cipher_key_size = 0; |
420 | if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) | 420 | if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) |
421 | && !fn_cipher_key_bytes_set) | 421 | && !fn_cipher_key_bytes_set) |
422 | mount_crypt_stat->global_default_fn_cipher_key_bytes = | 422 | mount_crypt_stat->global_default_fn_cipher_key_bytes = |
423 | mount_crypt_stat->global_default_cipher_key_size; | 423 | mount_crypt_stat->global_default_cipher_key_size; |
424 | 424 | ||
425 | cipher_code = ecryptfs_code_for_cipher_string( | 425 | cipher_code = ecryptfs_code_for_cipher_string( |
426 | mount_crypt_stat->global_default_cipher_name, | 426 | mount_crypt_stat->global_default_cipher_name, |
427 | mount_crypt_stat->global_default_cipher_key_size); | 427 | mount_crypt_stat->global_default_cipher_key_size); |
428 | if (!cipher_code) { | 428 | if (!cipher_code) { |
429 | ecryptfs_printk(KERN_ERR, | 429 | ecryptfs_printk(KERN_ERR, |
430 | "eCryptfs doesn't support cipher: %s", | 430 | "eCryptfs doesn't support cipher: %s", |
431 | mount_crypt_stat->global_default_cipher_name); | 431 | mount_crypt_stat->global_default_cipher_name); |
432 | rc = -EINVAL; | 432 | rc = -EINVAL; |
433 | goto out; | 433 | goto out; |
434 | } | 434 | } |
435 | 435 | ||
436 | mutex_lock(&key_tfm_list_mutex); | 436 | mutex_lock(&key_tfm_list_mutex); |
437 | if (!ecryptfs_tfm_exists(mount_crypt_stat->global_default_cipher_name, | 437 | if (!ecryptfs_tfm_exists(mount_crypt_stat->global_default_cipher_name, |
438 | NULL)) { | 438 | NULL)) { |
439 | rc = ecryptfs_add_new_key_tfm( | 439 | rc = ecryptfs_add_new_key_tfm( |
440 | NULL, mount_crypt_stat->global_default_cipher_name, | 440 | NULL, mount_crypt_stat->global_default_cipher_name, |
441 | mount_crypt_stat->global_default_cipher_key_size); | 441 | mount_crypt_stat->global_default_cipher_key_size); |
442 | if (rc) { | 442 | if (rc) { |
443 | printk(KERN_ERR "Error attempting to initialize " | 443 | printk(KERN_ERR "Error attempting to initialize " |
444 | "cipher with name = [%s] and key size = [%td]; " | 444 | "cipher with name = [%s] and key size = [%td]; " |
445 | "rc = [%d]\n", | 445 | "rc = [%d]\n", |
446 | mount_crypt_stat->global_default_cipher_name, | 446 | mount_crypt_stat->global_default_cipher_name, |
447 | mount_crypt_stat->global_default_cipher_key_size, | 447 | mount_crypt_stat->global_default_cipher_key_size, |
448 | rc); | 448 | rc); |
449 | rc = -EINVAL; | 449 | rc = -EINVAL; |
450 | mutex_unlock(&key_tfm_list_mutex); | 450 | mutex_unlock(&key_tfm_list_mutex); |
451 | goto out; | 451 | goto out; |
452 | } | 452 | } |
453 | } | 453 | } |
454 | if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) | 454 | if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) |
455 | && !ecryptfs_tfm_exists( | 455 | && !ecryptfs_tfm_exists( |
456 | mount_crypt_stat->global_default_fn_cipher_name, NULL)) { | 456 | mount_crypt_stat->global_default_fn_cipher_name, NULL)) { |
457 | rc = ecryptfs_add_new_key_tfm( | 457 | rc = ecryptfs_add_new_key_tfm( |
458 | NULL, mount_crypt_stat->global_default_fn_cipher_name, | 458 | NULL, mount_crypt_stat->global_default_fn_cipher_name, |
459 | mount_crypt_stat->global_default_fn_cipher_key_bytes); | 459 | mount_crypt_stat->global_default_fn_cipher_key_bytes); |
460 | if (rc) { | 460 | if (rc) { |
461 | printk(KERN_ERR "Error attempting to initialize " | 461 | printk(KERN_ERR "Error attempting to initialize " |
462 | "cipher with name = [%s] and key size = [%td]; " | 462 | "cipher with name = [%s] and key size = [%td]; " |
463 | "rc = [%d]\n", | 463 | "rc = [%d]\n", |
464 | mount_crypt_stat->global_default_fn_cipher_name, | 464 | mount_crypt_stat->global_default_fn_cipher_name, |
465 | mount_crypt_stat->global_default_fn_cipher_key_bytes, | 465 | mount_crypt_stat->global_default_fn_cipher_key_bytes, |
466 | rc); | 466 | rc); |
467 | rc = -EINVAL; | 467 | rc = -EINVAL; |
468 | mutex_unlock(&key_tfm_list_mutex); | 468 | mutex_unlock(&key_tfm_list_mutex); |
469 | goto out; | 469 | goto out; |
470 | } | 470 | } |
471 | } | 471 | } |
472 | mutex_unlock(&key_tfm_list_mutex); | 472 | mutex_unlock(&key_tfm_list_mutex); |
473 | rc = ecryptfs_init_global_auth_toks(mount_crypt_stat); | 473 | rc = ecryptfs_init_global_auth_toks(mount_crypt_stat); |
474 | if (rc) | 474 | if (rc) |
475 | printk(KERN_WARNING "One or more global auth toks could not " | 475 | printk(KERN_WARNING "One or more global auth toks could not " |
476 | "properly register; rc = [%d]\n", rc); | 476 | "properly register; rc = [%d]\n", rc); |
477 | out: | 477 | out: |
478 | return rc; | 478 | return rc; |
479 | } | 479 | } |
480 | 480 | ||
481 | struct kmem_cache *ecryptfs_sb_info_cache; | 481 | struct kmem_cache *ecryptfs_sb_info_cache; |
482 | static struct file_system_type ecryptfs_fs_type; | 482 | static struct file_system_type ecryptfs_fs_type; |
483 | 483 | ||
484 | /** | 484 | /** |
485 | * ecryptfs_get_sb | 485 | * ecryptfs_get_sb |
486 | * @fs_type | 486 | * @fs_type |
487 | * @flags | 487 | * @flags |
488 | * @dev_name: The path to mount over | 488 | * @dev_name: The path to mount over |
489 | * @raw_data: The options passed into the kernel | 489 | * @raw_data: The options passed into the kernel |
490 | */ | 490 | */ |
491 | static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags, | 491 | static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags, |
492 | const char *dev_name, void *raw_data) | 492 | const char *dev_name, void *raw_data) |
493 | { | 493 | { |
494 | struct super_block *s; | 494 | struct super_block *s; |
495 | struct ecryptfs_sb_info *sbi; | 495 | struct ecryptfs_sb_info *sbi; |
496 | struct ecryptfs_mount_crypt_stat *mount_crypt_stat; | ||
496 | struct ecryptfs_dentry_info *root_info; | 497 | struct ecryptfs_dentry_info *root_info; |
497 | const char *err = "Getting sb failed"; | 498 | const char *err = "Getting sb failed"; |
498 | struct inode *inode; | 499 | struct inode *inode; |
499 | struct path path; | 500 | struct path path; |
500 | uid_t check_ruid; | 501 | uid_t check_ruid; |
501 | int rc; | 502 | int rc; |
502 | 503 | ||
503 | sbi = kmem_cache_zalloc(ecryptfs_sb_info_cache, GFP_KERNEL); | 504 | sbi = kmem_cache_zalloc(ecryptfs_sb_info_cache, GFP_KERNEL); |
504 | if (!sbi) { | 505 | if (!sbi) { |
505 | rc = -ENOMEM; | 506 | rc = -ENOMEM; |
506 | goto out; | 507 | goto out; |
507 | } | 508 | } |
508 | 509 | ||
509 | rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid); | 510 | rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid); |
510 | if (rc) { | 511 | if (rc) { |
511 | err = "Error parsing options"; | 512 | err = "Error parsing options"; |
512 | goto out; | 513 | goto out; |
513 | } | 514 | } |
515 | mount_crypt_stat = &sbi->mount_crypt_stat; | ||
514 | 516 | ||
515 | s = sget(fs_type, NULL, set_anon_super, flags, NULL); | 517 | s = sget(fs_type, NULL, set_anon_super, flags, NULL); |
516 | if (IS_ERR(s)) { | 518 | if (IS_ERR(s)) { |
517 | rc = PTR_ERR(s); | 519 | rc = PTR_ERR(s); |
518 | goto out; | 520 | goto out; |
519 | } | 521 | } |
520 | 522 | ||
521 | rc = bdi_setup_and_register(&sbi->bdi, "ecryptfs", BDI_CAP_MAP_COPY); | 523 | rc = bdi_setup_and_register(&sbi->bdi, "ecryptfs", BDI_CAP_MAP_COPY); |
522 | if (rc) | 524 | if (rc) |
523 | goto out1; | 525 | goto out1; |
524 | 526 | ||
525 | ecryptfs_set_superblock_private(s, sbi); | 527 | ecryptfs_set_superblock_private(s, sbi); |
526 | s->s_bdi = &sbi->bdi; | 528 | s->s_bdi = &sbi->bdi; |
527 | 529 | ||
528 | /* ->kill_sb() will take care of sbi after that point */ | 530 | /* ->kill_sb() will take care of sbi after that point */ |
529 | sbi = NULL; | 531 | sbi = NULL; |
530 | s->s_op = &ecryptfs_sops; | 532 | s->s_op = &ecryptfs_sops; |
531 | s->s_d_op = &ecryptfs_dops; | 533 | s->s_d_op = &ecryptfs_dops; |
532 | 534 | ||
533 | err = "Reading sb failed"; | 535 | err = "Reading sb failed"; |
534 | rc = kern_path(dev_name, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path); | 536 | rc = kern_path(dev_name, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path); |
535 | if (rc) { | 537 | if (rc) { |
536 | ecryptfs_printk(KERN_WARNING, "kern_path() failed\n"); | 538 | ecryptfs_printk(KERN_WARNING, "kern_path() failed\n"); |
537 | goto out1; | 539 | goto out1; |
538 | } | 540 | } |
539 | if (path.dentry->d_sb->s_type == &ecryptfs_fs_type) { | 541 | if (path.dentry->d_sb->s_type == &ecryptfs_fs_type) { |
540 | rc = -EINVAL; | 542 | rc = -EINVAL; |
541 | printk(KERN_ERR "Mount on filesystem of type " | 543 | printk(KERN_ERR "Mount on filesystem of type " |
542 | "eCryptfs explicitly disallowed due to " | 544 | "eCryptfs explicitly disallowed due to " |
543 | "known incompatibilities\n"); | 545 | "known incompatibilities\n"); |
544 | goto out_free; | 546 | goto out_free; |
545 | } | 547 | } |
546 | 548 | ||
547 | if (check_ruid && !uid_eq(path.dentry->d_inode->i_uid, current_uid())) { | 549 | if (check_ruid && !uid_eq(path.dentry->d_inode->i_uid, current_uid())) { |
548 | rc = -EPERM; | 550 | rc = -EPERM; |
549 | printk(KERN_ERR "Mount of device (uid: %d) not owned by " | 551 | printk(KERN_ERR "Mount of device (uid: %d) not owned by " |
550 | "requested user (uid: %d)\n", | 552 | "requested user (uid: %d)\n", |
551 | i_uid_read(path.dentry->d_inode), | 553 | i_uid_read(path.dentry->d_inode), |
552 | from_kuid(&init_user_ns, current_uid())); | 554 | from_kuid(&init_user_ns, current_uid())); |
553 | goto out_free; | 555 | goto out_free; |
554 | } | 556 | } |
555 | 557 | ||
556 | ecryptfs_set_superblock_lower(s, path.dentry->d_sb); | 558 | ecryptfs_set_superblock_lower(s, path.dentry->d_sb); |
557 | 559 | ||
558 | /** | 560 | /** |
559 | * Set the POSIX ACL flag based on whether they're enabled in the lower | 561 | * Set the POSIX ACL flag based on whether they're enabled in the lower |
560 | * mount. Force a read-only eCryptfs mount if the lower mount is ro. | 562 | * mount. |
561 | * Allow a ro eCryptfs mount even when the lower mount is rw. | ||
562 | */ | 563 | */ |
563 | s->s_flags = flags & ~MS_POSIXACL; | 564 | s->s_flags = flags & ~MS_POSIXACL; |
564 | s->s_flags |= path.dentry->d_sb->s_flags & (MS_RDONLY | MS_POSIXACL); | 565 | s->s_flags |= path.dentry->d_sb->s_flags & MS_POSIXACL; |
566 | |||
567 | /** | ||
568 | * Force a read-only eCryptfs mount when: | ||
569 | * 1) The lower mount is ro | ||
570 | * 2) The ecryptfs_encrypted_view mount option is specified | ||
571 | */ | ||
572 | if (path.dentry->d_sb->s_flags & MS_RDONLY || | ||
573 | mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) | ||
574 | s->s_flags |= MS_RDONLY; | ||
565 | 575 | ||
566 | s->s_maxbytes = path.dentry->d_sb->s_maxbytes; | 576 | s->s_maxbytes = path.dentry->d_sb->s_maxbytes; |
567 | s->s_blocksize = path.dentry->d_sb->s_blocksize; | 577 | s->s_blocksize = path.dentry->d_sb->s_blocksize; |
568 | s->s_magic = ECRYPTFS_SUPER_MAGIC; | 578 | s->s_magic = ECRYPTFS_SUPER_MAGIC; |
569 | s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1; | 579 | s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1; |
570 | 580 | ||
571 | rc = -EINVAL; | 581 | rc = -EINVAL; |
572 | if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) { | 582 | if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) { |
573 | pr_err("eCryptfs: maximum fs stacking depth exceeded\n"); | 583 | pr_err("eCryptfs: maximum fs stacking depth exceeded\n"); |
574 | goto out_free; | 584 | goto out_free; |
575 | } | 585 | } |
576 | 586 | ||
577 | inode = ecryptfs_get_inode(path.dentry->d_inode, s); | 587 | inode = ecryptfs_get_inode(path.dentry->d_inode, s); |
578 | rc = PTR_ERR(inode); | 588 | rc = PTR_ERR(inode); |
579 | if (IS_ERR(inode)) | 589 | if (IS_ERR(inode)) |
580 | goto out_free; | 590 | goto out_free; |
581 | 591 | ||
582 | s->s_root = d_make_root(inode); | 592 | s->s_root = d_make_root(inode); |
583 | if (!s->s_root) { | 593 | if (!s->s_root) { |
584 | rc = -ENOMEM; | 594 | rc = -ENOMEM; |
585 | goto out_free; | 595 | goto out_free; |
586 | } | 596 | } |
587 | 597 | ||
588 | rc = -ENOMEM; | 598 | rc = -ENOMEM; |
589 | root_info = kmem_cache_zalloc(ecryptfs_dentry_info_cache, GFP_KERNEL); | 599 | root_info = kmem_cache_zalloc(ecryptfs_dentry_info_cache, GFP_KERNEL); |
590 | if (!root_info) | 600 | if (!root_info) |
591 | goto out_free; | 601 | goto out_free; |
592 | 602 | ||
593 | /* ->kill_sb() will take care of root_info */ | 603 | /* ->kill_sb() will take care of root_info */ |
594 | ecryptfs_set_dentry_private(s->s_root, root_info); | 604 | ecryptfs_set_dentry_private(s->s_root, root_info); |
595 | root_info->lower_path = path; | 605 | root_info->lower_path = path; |
596 | 606 | ||
597 | s->s_flags |= MS_ACTIVE; | 607 | s->s_flags |= MS_ACTIVE; |
598 | return dget(s->s_root); | 608 | return dget(s->s_root); |
599 | 609 | ||
600 | out_free: | 610 | out_free: |
601 | path_put(&path); | 611 | path_put(&path); |
602 | out1: | 612 | out1: |
603 | deactivate_locked_super(s); | 613 | deactivate_locked_super(s); |
604 | out: | 614 | out: |
605 | if (sbi) { | 615 | if (sbi) { |
606 | ecryptfs_destroy_mount_crypt_stat(&sbi->mount_crypt_stat); | 616 | ecryptfs_destroy_mount_crypt_stat(&sbi->mount_crypt_stat); |
607 | kmem_cache_free(ecryptfs_sb_info_cache, sbi); | 617 | kmem_cache_free(ecryptfs_sb_info_cache, sbi); |
608 | } | 618 | } |
609 | printk(KERN_ERR "%s; rc = [%d]\n", err, rc); | 619 | printk(KERN_ERR "%s; rc = [%d]\n", err, rc); |
610 | return ERR_PTR(rc); | 620 | return ERR_PTR(rc); |
611 | } | 621 | } |
612 | 622 | ||
613 | /** | 623 | /** |
614 | * ecryptfs_kill_block_super | 624 | * ecryptfs_kill_block_super |
615 | * @sb: The ecryptfs super block | 625 | * @sb: The ecryptfs super block |
616 | * | 626 | * |
617 | * Used to bring the superblock down and free the private data. | 627 | * Used to bring the superblock down and free the private data. |
618 | */ | 628 | */ |
619 | static void ecryptfs_kill_block_super(struct super_block *sb) | 629 | static void ecryptfs_kill_block_super(struct super_block *sb) |
620 | { | 630 | { |
621 | struct ecryptfs_sb_info *sb_info = ecryptfs_superblock_to_private(sb); | 631 | struct ecryptfs_sb_info *sb_info = ecryptfs_superblock_to_private(sb); |
622 | kill_anon_super(sb); | 632 | kill_anon_super(sb); |
623 | if (!sb_info) | 633 | if (!sb_info) |
624 | return; | 634 | return; |
625 | ecryptfs_destroy_mount_crypt_stat(&sb_info->mount_crypt_stat); | 635 | ecryptfs_destroy_mount_crypt_stat(&sb_info->mount_crypt_stat); |
626 | bdi_destroy(&sb_info->bdi); | 636 | bdi_destroy(&sb_info->bdi); |
627 | kmem_cache_free(ecryptfs_sb_info_cache, sb_info); | 637 | kmem_cache_free(ecryptfs_sb_info_cache, sb_info); |
628 | } | 638 | } |
629 | 639 | ||
630 | static struct file_system_type ecryptfs_fs_type = { | 640 | static struct file_system_type ecryptfs_fs_type = { |
631 | .owner = THIS_MODULE, | 641 | .owner = THIS_MODULE, |
632 | .name = "ecryptfs", | 642 | .name = "ecryptfs", |
633 | .mount = ecryptfs_mount, | 643 | .mount = ecryptfs_mount, |
634 | .kill_sb = ecryptfs_kill_block_super, | 644 | .kill_sb = ecryptfs_kill_block_super, |
635 | .fs_flags = 0 | 645 | .fs_flags = 0 |
636 | }; | 646 | }; |
637 | MODULE_ALIAS_FS("ecryptfs"); | 647 | MODULE_ALIAS_FS("ecryptfs"); |
638 | 648 | ||
639 | /** | 649 | /** |
640 | * inode_info_init_once | 650 | * inode_info_init_once |
641 | * | 651 | * |
642 | * Initializes the ecryptfs_inode_info_cache when it is created | 652 | * Initializes the ecryptfs_inode_info_cache when it is created |
643 | */ | 653 | */ |
644 | static void | 654 | static void |
645 | inode_info_init_once(void *vptr) | 655 | inode_info_init_once(void *vptr) |
646 | { | 656 | { |
647 | struct ecryptfs_inode_info *ei = (struct ecryptfs_inode_info *)vptr; | 657 | struct ecryptfs_inode_info *ei = (struct ecryptfs_inode_info *)vptr; |
648 | 658 | ||
649 | inode_init_once(&ei->vfs_inode); | 659 | inode_init_once(&ei->vfs_inode); |
650 | } | 660 | } |
651 | 661 | ||
652 | static struct ecryptfs_cache_info { | 662 | static struct ecryptfs_cache_info { |
653 | struct kmem_cache **cache; | 663 | struct kmem_cache **cache; |
654 | const char *name; | 664 | const char *name; |
655 | size_t size; | 665 | size_t size; |
656 | void (*ctor)(void *obj); | 666 | void (*ctor)(void *obj); |
657 | } ecryptfs_cache_infos[] = { | 667 | } ecryptfs_cache_infos[] = { |
658 | { | 668 | { |
659 | .cache = &ecryptfs_auth_tok_list_item_cache, | 669 | .cache = &ecryptfs_auth_tok_list_item_cache, |
660 | .name = "ecryptfs_auth_tok_list_item", | 670 | .name = "ecryptfs_auth_tok_list_item", |
661 | .size = sizeof(struct ecryptfs_auth_tok_list_item), | 671 | .size = sizeof(struct ecryptfs_auth_tok_list_item), |
662 | }, | 672 | }, |
663 | { | 673 | { |
664 | .cache = &ecryptfs_file_info_cache, | 674 | .cache = &ecryptfs_file_info_cache, |
665 | .name = "ecryptfs_file_cache", | 675 | .name = "ecryptfs_file_cache", |
666 | .size = sizeof(struct ecryptfs_file_info), | 676 | .size = sizeof(struct ecryptfs_file_info), |
667 | }, | 677 | }, |
668 | { | 678 | { |
669 | .cache = &ecryptfs_dentry_info_cache, | 679 | .cache = &ecryptfs_dentry_info_cache, |
670 | .name = "ecryptfs_dentry_info_cache", | 680 | .name = "ecryptfs_dentry_info_cache", |
671 | .size = sizeof(struct ecryptfs_dentry_info), | 681 | .size = sizeof(struct ecryptfs_dentry_info), |
672 | }, | 682 | }, |
673 | { | 683 | { |
674 | .cache = &ecryptfs_inode_info_cache, | 684 | .cache = &ecryptfs_inode_info_cache, |
675 | .name = "ecryptfs_inode_cache", | 685 | .name = "ecryptfs_inode_cache", |
676 | .size = sizeof(struct ecryptfs_inode_info), | 686 | .size = sizeof(struct ecryptfs_inode_info), |
677 | .ctor = inode_info_init_once, | 687 | .ctor = inode_info_init_once, |
678 | }, | 688 | }, |
679 | { | 689 | { |
680 | .cache = &ecryptfs_sb_info_cache, | 690 | .cache = &ecryptfs_sb_info_cache, |
681 | .name = "ecryptfs_sb_cache", | 691 | .name = "ecryptfs_sb_cache", |
682 | .size = sizeof(struct ecryptfs_sb_info), | 692 | .size = sizeof(struct ecryptfs_sb_info), |
683 | }, | 693 | }, |
684 | { | 694 | { |
685 | .cache = &ecryptfs_header_cache, | 695 | .cache = &ecryptfs_header_cache, |
686 | .name = "ecryptfs_headers", | 696 | .name = "ecryptfs_headers", |
687 | .size = PAGE_CACHE_SIZE, | 697 | .size = PAGE_CACHE_SIZE, |
688 | }, | 698 | }, |
689 | { | 699 | { |
690 | .cache = &ecryptfs_xattr_cache, | 700 | .cache = &ecryptfs_xattr_cache, |
691 | .name = "ecryptfs_xattr_cache", | 701 | .name = "ecryptfs_xattr_cache", |
692 | .size = PAGE_CACHE_SIZE, | 702 | .size = PAGE_CACHE_SIZE, |
693 | }, | 703 | }, |
694 | { | 704 | { |
695 | .cache = &ecryptfs_key_record_cache, | 705 | .cache = &ecryptfs_key_record_cache, |
696 | .name = "ecryptfs_key_record_cache", | 706 | .name = "ecryptfs_key_record_cache", |
697 | .size = sizeof(struct ecryptfs_key_record), | 707 | .size = sizeof(struct ecryptfs_key_record), |
698 | }, | 708 | }, |
699 | { | 709 | { |
700 | .cache = &ecryptfs_key_sig_cache, | 710 | .cache = &ecryptfs_key_sig_cache, |
701 | .name = "ecryptfs_key_sig_cache", | 711 | .name = "ecryptfs_key_sig_cache", |
702 | .size = sizeof(struct ecryptfs_key_sig), | 712 | .size = sizeof(struct ecryptfs_key_sig), |
703 | }, | 713 | }, |
704 | { | 714 | { |
705 | .cache = &ecryptfs_global_auth_tok_cache, | 715 | .cache = &ecryptfs_global_auth_tok_cache, |
706 | .name = "ecryptfs_global_auth_tok_cache", | 716 | .name = "ecryptfs_global_auth_tok_cache", |
707 | .size = sizeof(struct ecryptfs_global_auth_tok), | 717 | .size = sizeof(struct ecryptfs_global_auth_tok), |
708 | }, | 718 | }, |
709 | { | 719 | { |
710 | .cache = &ecryptfs_key_tfm_cache, | 720 | .cache = &ecryptfs_key_tfm_cache, |
711 | .name = "ecryptfs_key_tfm_cache", | 721 | .name = "ecryptfs_key_tfm_cache", |
712 | .size = sizeof(struct ecryptfs_key_tfm), | 722 | .size = sizeof(struct ecryptfs_key_tfm), |
713 | }, | 723 | }, |
714 | }; | 724 | }; |
715 | 725 | ||
716 | static void ecryptfs_free_kmem_caches(void) | 726 | static void ecryptfs_free_kmem_caches(void) |
717 | { | 727 | { |
718 | int i; | 728 | int i; |
719 | 729 | ||
720 | /* | 730 | /* |
721 | * Make sure all delayed rcu free inodes are flushed before we | 731 | * Make sure all delayed rcu free inodes are flushed before we |
722 | * destroy cache. | 732 | * destroy cache. |
723 | */ | 733 | */ |
724 | rcu_barrier(); | 734 | rcu_barrier(); |
725 | 735 | ||
726 | for (i = 0; i < ARRAY_SIZE(ecryptfs_cache_infos); i++) { | 736 | for (i = 0; i < ARRAY_SIZE(ecryptfs_cache_infos); i++) { |
727 | struct ecryptfs_cache_info *info; | 737 | struct ecryptfs_cache_info *info; |
728 | 738 | ||
729 | info = &ecryptfs_cache_infos[i]; | 739 | info = &ecryptfs_cache_infos[i]; |
730 | if (*(info->cache)) | 740 | if (*(info->cache)) |
731 | kmem_cache_destroy(*(info->cache)); | 741 | kmem_cache_destroy(*(info->cache)); |
732 | } | 742 | } |
733 | } | 743 | } |
734 | 744 | ||
735 | /** | 745 | /** |
736 | * ecryptfs_init_kmem_caches | 746 | * ecryptfs_init_kmem_caches |
737 | * | 747 | * |
738 | * Returns zero on success; non-zero otherwise | 748 | * Returns zero on success; non-zero otherwise |
739 | */ | 749 | */ |
740 | static int ecryptfs_init_kmem_caches(void) | 750 | static int ecryptfs_init_kmem_caches(void) |
741 | { | 751 | { |
742 | int i; | 752 | int i; |
743 | 753 | ||
744 | for (i = 0; i < ARRAY_SIZE(ecryptfs_cache_infos); i++) { | 754 | for (i = 0; i < ARRAY_SIZE(ecryptfs_cache_infos); i++) { |
745 | struct ecryptfs_cache_info *info; | 755 | struct ecryptfs_cache_info *info; |
746 | 756 | ||
747 | info = &ecryptfs_cache_infos[i]; | 757 | info = &ecryptfs_cache_infos[i]; |
748 | *(info->cache) = kmem_cache_create(info->name, info->size, | 758 | *(info->cache) = kmem_cache_create(info->name, info->size, |
749 | 0, SLAB_HWCACHE_ALIGN, info->ctor); | 759 | 0, SLAB_HWCACHE_ALIGN, info->ctor); |
750 | if (!*(info->cache)) { | 760 | if (!*(info->cache)) { |
751 | ecryptfs_free_kmem_caches(); | 761 | ecryptfs_free_kmem_caches(); |
752 | ecryptfs_printk(KERN_WARNING, "%s: " | 762 | ecryptfs_printk(KERN_WARNING, "%s: " |
753 | "kmem_cache_create failed\n", | 763 | "kmem_cache_create failed\n", |
754 | info->name); | 764 | info->name); |
755 | return -ENOMEM; | 765 | return -ENOMEM; |
756 | } | 766 | } |
757 | } | 767 | } |
758 | return 0; | 768 | return 0; |
759 | } | 769 | } |
760 | 770 | ||
761 | static struct kobject *ecryptfs_kobj; | 771 | static struct kobject *ecryptfs_kobj; |
762 | 772 | ||
763 | static ssize_t version_show(struct kobject *kobj, | 773 | static ssize_t version_show(struct kobject *kobj, |
764 | struct kobj_attribute *attr, char *buff) | 774 | struct kobj_attribute *attr, char *buff) |
765 | { | 775 | { |
766 | return snprintf(buff, PAGE_SIZE, "%d\n", ECRYPTFS_VERSIONING_MASK); | 776 | return snprintf(buff, PAGE_SIZE, "%d\n", ECRYPTFS_VERSIONING_MASK); |
767 | } | 777 | } |
768 | 778 | ||
769 | static struct kobj_attribute version_attr = __ATTR_RO(version); | 779 | static struct kobj_attribute version_attr = __ATTR_RO(version); |
770 | 780 | ||
771 | static struct attribute *attributes[] = { | 781 | static struct attribute *attributes[] = { |
772 | &version_attr.attr, | 782 | &version_attr.attr, |
773 | NULL, | 783 | NULL, |
774 | }; | 784 | }; |
775 | 785 | ||
776 | static struct attribute_group attr_group = { | 786 | static struct attribute_group attr_group = { |
777 | .attrs = attributes, | 787 | .attrs = attributes, |
778 | }; | 788 | }; |
779 | 789 | ||
780 | static int do_sysfs_registration(void) | 790 | static int do_sysfs_registration(void) |
781 | { | 791 | { |
782 | int rc; | 792 | int rc; |
783 | 793 | ||
784 | ecryptfs_kobj = kobject_create_and_add("ecryptfs", fs_kobj); | 794 | ecryptfs_kobj = kobject_create_and_add("ecryptfs", fs_kobj); |
785 | if (!ecryptfs_kobj) { | 795 | if (!ecryptfs_kobj) { |
786 | printk(KERN_ERR "Unable to create ecryptfs kset\n"); | 796 | printk(KERN_ERR "Unable to create ecryptfs kset\n"); |
787 | rc = -ENOMEM; | 797 | rc = -ENOMEM; |
788 | goto out; | 798 | goto out; |
789 | } | 799 | } |
790 | rc = sysfs_create_group(ecryptfs_kobj, &attr_group); | 800 | rc = sysfs_create_group(ecryptfs_kobj, &attr_group); |
791 | if (rc) { | 801 | if (rc) { |
792 | printk(KERN_ERR | 802 | printk(KERN_ERR |
793 | "Unable to create ecryptfs version attributes\n"); | 803 | "Unable to create ecryptfs version attributes\n"); |
794 | kobject_put(ecryptfs_kobj); | 804 | kobject_put(ecryptfs_kobj); |
795 | } | 805 | } |
796 | out: | 806 | out: |
797 | return rc; | 807 | return rc; |
798 | } | 808 | } |
799 | 809 | ||
800 | static void do_sysfs_unregistration(void) | 810 | static void do_sysfs_unregistration(void) |
801 | { | 811 | { |
802 | sysfs_remove_group(ecryptfs_kobj, &attr_group); | 812 | sysfs_remove_group(ecryptfs_kobj, &attr_group); |
803 | kobject_put(ecryptfs_kobj); | 813 | kobject_put(ecryptfs_kobj); |
804 | } | 814 | } |
805 | 815 | ||
806 | static int __init ecryptfs_init(void) | 816 | static int __init ecryptfs_init(void) |
807 | { | 817 | { |
808 | int rc; | 818 | int rc; |
809 | 819 | ||
810 | if (ECRYPTFS_DEFAULT_EXTENT_SIZE > PAGE_CACHE_SIZE) { | 820 | if (ECRYPTFS_DEFAULT_EXTENT_SIZE > PAGE_CACHE_SIZE) { |
811 | rc = -EINVAL; | 821 | rc = -EINVAL; |
812 | ecryptfs_printk(KERN_ERR, "The eCryptfs extent size is " | 822 | ecryptfs_printk(KERN_ERR, "The eCryptfs extent size is " |
813 | "larger than the host's page size, and so " | 823 | "larger than the host's page size, and so " |
814 | "eCryptfs cannot run on this system. The " | 824 | "eCryptfs cannot run on this system. The " |
815 | "default eCryptfs extent size is [%u] bytes; " | 825 | "default eCryptfs extent size is [%u] bytes; " |
816 | "the page size is [%lu] bytes.\n", | 826 | "the page size is [%lu] bytes.\n", |
817 | ECRYPTFS_DEFAULT_EXTENT_SIZE, | 827 | ECRYPTFS_DEFAULT_EXTENT_SIZE, |
818 | (unsigned long)PAGE_CACHE_SIZE); | 828 | (unsigned long)PAGE_CACHE_SIZE); |
819 | goto out; | 829 | goto out; |
820 | } | 830 | } |
821 | rc = ecryptfs_init_kmem_caches(); | 831 | rc = ecryptfs_init_kmem_caches(); |
822 | if (rc) { | 832 | if (rc) { |
823 | printk(KERN_ERR | 833 | printk(KERN_ERR |
824 | "Failed to allocate one or more kmem_cache objects\n"); | 834 | "Failed to allocate one or more kmem_cache objects\n"); |
825 | goto out; | 835 | goto out; |
826 | } | 836 | } |
827 | rc = do_sysfs_registration(); | 837 | rc = do_sysfs_registration(); |
828 | if (rc) { | 838 | if (rc) { |
829 | printk(KERN_ERR "sysfs registration failed\n"); | 839 | printk(KERN_ERR "sysfs registration failed\n"); |
830 | goto out_free_kmem_caches; | 840 | goto out_free_kmem_caches; |
831 | } | 841 | } |
832 | rc = ecryptfs_init_kthread(); | 842 | rc = ecryptfs_init_kthread(); |
833 | if (rc) { | 843 | if (rc) { |
834 | printk(KERN_ERR "%s: kthread initialization failed; " | 844 | printk(KERN_ERR "%s: kthread initialization failed; " |
835 | "rc = [%d]\n", __func__, rc); | 845 | "rc = [%d]\n", __func__, rc); |
836 | goto out_do_sysfs_unregistration; | 846 | goto out_do_sysfs_unregistration; |
837 | } | 847 | } |
838 | rc = ecryptfs_init_messaging(); | 848 | rc = ecryptfs_init_messaging(); |
839 | if (rc) { | 849 | if (rc) { |
840 | printk(KERN_ERR "Failure occurred while attempting to " | 850 | printk(KERN_ERR "Failure occurred while attempting to " |
841 | "initialize the communications channel to " | 851 | "initialize the communications channel to " |
842 | "ecryptfsd\n"); | 852 | "ecryptfsd\n"); |
843 | goto out_destroy_kthread; | 853 | goto out_destroy_kthread; |
844 | } | 854 | } |
845 | rc = ecryptfs_init_crypto(); | 855 | rc = ecryptfs_init_crypto(); |
846 | if (rc) { | 856 | if (rc) { |
847 | printk(KERN_ERR "Failure whilst attempting to init crypto; " | 857 | printk(KERN_ERR "Failure whilst attempting to init crypto; " |
848 | "rc = [%d]\n", rc); | 858 | "rc = [%d]\n", rc); |
849 | goto out_release_messaging; | 859 | goto out_release_messaging; |
850 | } | 860 | } |
851 | rc = register_filesystem(&ecryptfs_fs_type); | 861 | rc = register_filesystem(&ecryptfs_fs_type); |
852 | if (rc) { | 862 | if (rc) { |
853 | printk(KERN_ERR "Failed to register filesystem\n"); | 863 | printk(KERN_ERR "Failed to register filesystem\n"); |
854 | goto out_destroy_crypto; | 864 | goto out_destroy_crypto; |
855 | } | 865 | } |
856 | if (ecryptfs_verbosity > 0) | 866 | if (ecryptfs_verbosity > 0) |
857 | printk(KERN_CRIT "eCryptfs verbosity set to %d. Secret values " | 867 | printk(KERN_CRIT "eCryptfs verbosity set to %d. Secret values " |
858 | "will be written to the syslog!\n", ecryptfs_verbosity); | 868 | "will be written to the syslog!\n", ecryptfs_verbosity); |
859 | 869 | ||
860 | goto out; | 870 | goto out; |
861 | out_destroy_crypto: | 871 | out_destroy_crypto: |
862 | ecryptfs_destroy_crypto(); | 872 | ecryptfs_destroy_crypto(); |
863 | out_release_messaging: | 873 | out_release_messaging: |
864 | ecryptfs_release_messaging(); | 874 | ecryptfs_release_messaging(); |
865 | out_destroy_kthread: | 875 | out_destroy_kthread: |
866 | ecryptfs_destroy_kthread(); | 876 | ecryptfs_destroy_kthread(); |
867 | out_do_sysfs_unregistration: | 877 | out_do_sysfs_unregistration: |
868 | do_sysfs_unregistration(); | 878 | do_sysfs_unregistration(); |
869 | out_free_kmem_caches: | 879 | out_free_kmem_caches: |
870 | ecryptfs_free_kmem_caches(); | 880 | ecryptfs_free_kmem_caches(); |
871 | out: | 881 | out: |
872 | return rc; | 882 | return rc; |
873 | } | 883 | } |
874 | 884 | ||
875 | static void __exit ecryptfs_exit(void) | 885 | static void __exit ecryptfs_exit(void) |
876 | { | 886 | { |
877 | int rc; | 887 | int rc; |
878 | 888 | ||
879 | rc = ecryptfs_destroy_crypto(); | 889 | rc = ecryptfs_destroy_crypto(); |
880 | if (rc) | 890 | if (rc) |
881 | printk(KERN_ERR "Failure whilst attempting to destroy crypto; " | 891 | printk(KERN_ERR "Failure whilst attempting to destroy crypto; " |
882 | "rc = [%d]\n", rc); | 892 | "rc = [%d]\n", rc); |
883 | ecryptfs_release_messaging(); | 893 | ecryptfs_release_messaging(); |
884 | ecryptfs_destroy_kthread(); | 894 | ecryptfs_destroy_kthread(); |
885 | do_sysfs_unregistration(); | 895 | do_sysfs_unregistration(); |
886 | unregister_filesystem(&ecryptfs_fs_type); | 896 | unregister_filesystem(&ecryptfs_fs_type); |
887 | ecryptfs_free_kmem_caches(); | 897 | ecryptfs_free_kmem_caches(); |
888 | } | 898 | } |
889 | 899 | ||
890 | MODULE_AUTHOR("Michael A. Halcrow <mhalcrow@us.ibm.com>"); | 900 | MODULE_AUTHOR("Michael A. Halcrow <mhalcrow@us.ibm.com>"); |
891 | MODULE_DESCRIPTION("eCryptfs"); | 901 | MODULE_DESCRIPTION("eCryptfs"); |
892 | 902 | ||
893 | MODULE_LICENSE("GPL"); | 903 | MODULE_LICENSE("GPL"); |
894 | 904 | ||
895 | module_init(ecryptfs_init) | 905 | module_init(ecryptfs_init) |
896 | module_exit(ecryptfs_exit) | 906 | module_exit(ecryptfs_exit) |