Commit | Line | Data |
---|---|---|
b2441318 | 1 | // SPDX-License-Identifier: GPL-2.0 |
6b3bd08f | 2 | /* |
0b81d077 | 3 | * This contains functions for filename crypto management |
6b3bd08f JK |
4 | * |
5 | * Copyright (C) 2015, Google, Inc. | |
6 | * Copyright (C) 2015, Motorola Mobility | |
7 | * | |
6b3bd08f | 8 | * Written by Uday Savagaonkar, 2014. |
0b81d077 | 9 | * Modified by Jaegeuk Kim, 2015. |
6b3bd08f JK |
10 | * |
11 | * This has not yet undergone a rigorous security audit. | |
12 | */ | |
0b81d077 | 13 | |
2ebdef6d | 14 | #include <linux/namei.h> |
6b3bd08f | 15 | #include <linux/scatterlist.h> |
edc440e3 DR |
16 | #include <crypto/hash.h> |
17 | #include <crypto/sha.h> | |
a575784c | 18 | #include <crypto/skcipher.h> |
3325bea5 | 19 | #include "fscrypt_private.h" |
6b3bd08f | 20 | |
d2fe9754 | 21 | /* |
edc440e3 DR |
22 | * struct fscrypt_nokey_name - identifier for directory entry when key is absent |
23 | * | |
24 | * When userspace lists an encrypted directory without access to the key, the | |
25 | * filesystem must present a unique "no-key name" for each filename that allows | |
26 | * it to find the directory entry again if requested. Naively, that would just | |
27 | * mean using the ciphertext filenames. However, since the ciphertext filenames | |
28 | * can contain illegal characters ('\0' and '/'), they must be encoded in some | |
29 | * way. We use base64. But that can cause names to exceed NAME_MAX (255 | |
30 | * bytes), so we also need to use a strong hash to abbreviate long names. | |
31 | * | |
32 | * The filesystem may also need another kind of hash, the "dirhash", to quickly | |
33 | * find the directory entry. Since filesystems normally compute the dirhash | |
34 | * over the on-disk filename (i.e. the ciphertext), it's not computable from | |
35 | * no-key names that abbreviate the ciphertext using the strong hash to fit in | |
36 | * NAME_MAX. It's also not computable if it's a keyed hash taken over the | |
37 | * plaintext (but it may still be available in the on-disk directory entry); | |
38 | * casefolded directories use this type of dirhash. At least in these cases, | |
39 | * each no-key name must include the name's dirhash too. | |
40 | * | |
41 | * To meet all these requirements, we base64-encode the following | |
42 | * variable-length structure. It contains the dirhash, or 0's if the filesystem | |
43 | * didn't provide one; up to 149 bytes of the ciphertext name; and for | |
44 | * ciphertexts longer than 149 bytes, also the SHA-256 of the remaining bytes. | |
45 | * | |
46 | * This ensures that each no-key name contains everything needed to find the | |
47 | * directory entry again, contains only legal characters, doesn't exceed | |
48 | * NAME_MAX, is unambiguous unless there's a SHA-256 collision, and that we only | |
49 | * take the performance hit of SHA-256 on very long filenames (which are rare). | |
50 | */ | |
51 | struct fscrypt_nokey_name { | |
52 | u32 dirhash[2]; | |
53 | u8 bytes[149]; | |
54 | u8 sha256[SHA256_DIGEST_SIZE]; | |
55 | }; /* 189 bytes => 252 bytes base64-encoded, which is <= NAME_MAX (255) */ | |
56 | ||
57 | /* | |
58 | * Decoded size of max-size nokey name, i.e. a name that was abbreviated using | |
59 | * the strong hash and thus includes the 'sha256' field. This isn't simply | |
60 | * sizeof(struct fscrypt_nokey_name), as the padding at the end isn't included. | |
61 | */ | |
62 | #define FSCRYPT_NOKEY_NAME_MAX offsetofend(struct fscrypt_nokey_name, sha256) | |
63 | ||
bd0d97b7 | 64 | static void fscrypt_do_sha256(const u8 *data, unsigned int data_len, u8 *result) |
edc440e3 | 65 | { |
bd0d97b7 | 66 | struct sha256_state sctx; |
edc440e3 | 67 | |
bd0d97b7 EB |
68 | sha256_init(&sctx); |
69 | sha256_update(&sctx, data, data_len); | |
70 | sha256_final(&sctx, result); | |
edc440e3 DR |
71 | } |
72 | ||
dcf0db9e EB |
73 | static inline bool fscrypt_is_dot_dotdot(const struct qstr *str) |
74 | { | |
75 | if (str->len == 1 && str->name[0] == '.') | |
76 | return true; | |
77 | ||
78 | if (str->len == 2 && str->name[0] == '.' && str->name[1] == '.') | |
79 | return true; | |
80 | ||
81 | return false; | |
82 | } | |
83 | ||
6b3bd08f | 84 | /** |
1b3b827e | 85 | * fscrypt_fname_encrypt() - encrypt a filename |
d2fe9754 EB |
86 | * @inode: inode of the parent directory (for regular filenames) |
87 | * or of the symlink (for symlink targets) | |
88 | * @iname: the filename to encrypt | |
89 | * @out: (output) the encrypted filename | |
90 | * @olen: size of the encrypted filename. It must be at least @iname->len. | |
91 | * Any extra space is filled with NUL padding before encryption. | |
ef1eb3aa EB |
92 | * |
93 | * Return: 0 on success, -errno on failure | |
6b3bd08f | 94 | */ |
1b3b827e EB |
95 | int fscrypt_fname_encrypt(const struct inode *inode, const struct qstr *iname, |
96 | u8 *out, unsigned int olen) | |
6b3bd08f | 97 | { |
2731a944 | 98 | struct skcipher_request *req = NULL; |
d0082e1a | 99 | DECLARE_CRYPTO_WAIT(wait); |
8a4ab0b8 | 100 | const struct fscrypt_info *ci = inode->i_crypt_info; |
5fee3609 | 101 | struct crypto_skcipher *tfm = ci->ci_enc_key.tfm; |
8094c3ce | 102 | union fscrypt_iv iv; |
08ae877f | 103 | struct scatterlist sg; |
8094c3ce | 104 | int res; |
6b3bd08f | 105 | |
08ae877f EB |
106 | /* |
107 | * Copy the filename to the output buffer for encrypting in-place and | |
108 | * pad it with the needed number of NUL bytes. | |
109 | */ | |
50c961de | 110 | if (WARN_ON(olen < iname->len)) |
76e81d6d | 111 | return -ENOBUFS; |
50c961de EB |
112 | memcpy(out, iname->name, iname->len); |
113 | memset(out + iname->len, 0, olen - iname->len); | |
6b3bd08f | 114 | |
08ae877f | 115 | /* Initialize the IV */ |
8094c3ce | 116 | fscrypt_generate_iv(&iv, 0, ci); |
6b3bd08f | 117 | |
08ae877f | 118 | /* Set up the encryption request */ |
2731a944 | 119 | req = skcipher_request_alloc(tfm, GFP_NOFS); |
c90fd775 | 120 | if (!req) |
6b3bd08f | 121 | return -ENOMEM; |
2731a944 | 122 | skcipher_request_set_callback(req, |
6b3bd08f | 123 | CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, |
d0082e1a | 124 | crypto_req_done, &wait); |
50c961de | 125 | sg_init_one(&sg, out, olen); |
8094c3ce | 126 | skcipher_request_set_crypt(req, &sg, &sg, olen, &iv); |
6b3bd08f | 127 | |
08ae877f | 128 | /* Do the encryption */ |
d0082e1a | 129 | res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait); |
2731a944 | 130 | skcipher_request_free(req); |
ef1eb3aa | 131 | if (res < 0) { |
886da8b3 | 132 | fscrypt_err(inode, "Filename encryption failed: %d", res); |
ef1eb3aa EB |
133 | return res; |
134 | } | |
0b81d077 | 135 | |
ef1eb3aa | 136 | return 0; |
6b3bd08f JK |
137 | } |
138 | ||
ef1eb3aa EB |
139 | /** |
140 | * fname_decrypt() - decrypt a filename | |
d2fe9754 EB |
141 | * @inode: inode of the parent directory (for regular filenames) |
142 | * or of the symlink (for symlink targets) | |
143 | * @iname: the encrypted filename to decrypt | |
144 | * @oname: (output) the decrypted filename. The caller must have allocated | |
145 | * enough space for this, e.g. using fscrypt_fname_alloc_buffer(). | |
ef1eb3aa EB |
146 | * |
147 | * Return: 0 on success, -errno on failure | |
6b3bd08f | 148 | */ |
8a4ab0b8 EB |
149 | static int fname_decrypt(const struct inode *inode, |
150 | const struct fscrypt_str *iname, | |
151 | struct fscrypt_str *oname) | |
6b3bd08f | 152 | { |
2731a944 | 153 | struct skcipher_request *req = NULL; |
d0082e1a | 154 | DECLARE_CRYPTO_WAIT(wait); |
6b3bd08f | 155 | struct scatterlist src_sg, dst_sg; |
8a4ab0b8 | 156 | const struct fscrypt_info *ci = inode->i_crypt_info; |
5fee3609 | 157 | struct crypto_skcipher *tfm = ci->ci_enc_key.tfm; |
8094c3ce EB |
158 | union fscrypt_iv iv; |
159 | int res; | |
6b3bd08f | 160 | |
6b3bd08f | 161 | /* Allocate request */ |
2731a944 | 162 | req = skcipher_request_alloc(tfm, GFP_NOFS); |
c90fd775 | 163 | if (!req) |
6b3bd08f | 164 | return -ENOMEM; |
2731a944 | 165 | skcipher_request_set_callback(req, |
6b3bd08f | 166 | CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, |
d0082e1a | 167 | crypto_req_done, &wait); |
6b3bd08f JK |
168 | |
169 | /* Initialize IV */ | |
8094c3ce | 170 | fscrypt_generate_iv(&iv, 0, ci); |
6b3bd08f JK |
171 | |
172 | /* Create decryption request */ | |
173 | sg_init_one(&src_sg, iname->name, iname->len); | |
174 | sg_init_one(&dst_sg, oname->name, oname->len); | |
8094c3ce | 175 | skcipher_request_set_crypt(req, &src_sg, &dst_sg, iname->len, &iv); |
d0082e1a | 176 | res = crypto_wait_req(crypto_skcipher_decrypt(req), &wait); |
2731a944 | 177 | skcipher_request_free(req); |
6b3bd08f | 178 | if (res < 0) { |
886da8b3 | 179 | fscrypt_err(inode, "Filename decryption failed: %d", res); |
6b3bd08f JK |
180 | return res; |
181 | } | |
182 | ||
183 | oname->len = strnlen(oname->name, iname->len); | |
ef1eb3aa | 184 | return 0; |
6b3bd08f JK |
185 | } |
186 | ||
1c5100a2 | 187 | static const char lookup_table[65] = |
6b3bd08f JK |
188 | "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+,"; |
189 | ||
17159420 EB |
190 | #define BASE64_CHARS(nbytes) DIV_ROUND_UP((nbytes) * 4, 3) |
191 | ||
6b3bd08f | 192 | /** |
d2fe9754 EB |
193 | * base64_encode() - base64-encode some bytes |
194 | * @src: the bytes to encode | |
195 | * @len: number of bytes to encode | |
196 | * @dst: (output) the base64-encoded string. Not NUL-terminated. | |
6b3bd08f | 197 | * |
1c5100a2 | 198 | * Encodes the input string using characters from the set [A-Za-z0-9+,]. |
6b3bd08f | 199 | * The encoded string is roughly 4/3 times the size of the input string. |
1c5100a2 EB |
200 | * |
201 | * Return: length of the encoded string | |
6b3bd08f | 202 | */ |
1c5100a2 | 203 | static int base64_encode(const u8 *src, int len, char *dst) |
6b3bd08f | 204 | { |
1c5100a2 | 205 | int i, bits = 0, ac = 0; |
6b3bd08f JK |
206 | char *cp = dst; |
207 | ||
1c5100a2 EB |
208 | for (i = 0; i < len; i++) { |
209 | ac += src[i] << bits; | |
6b3bd08f JK |
210 | bits += 8; |
211 | do { | |
212 | *cp++ = lookup_table[ac & 0x3f]; | |
213 | ac >>= 6; | |
214 | bits -= 6; | |
215 | } while (bits >= 6); | |
6b3bd08f JK |
216 | } |
217 | if (bits) | |
218 | *cp++ = lookup_table[ac & 0x3f]; | |
219 | return cp - dst; | |
220 | } | |
221 | ||
1c5100a2 | 222 | static int base64_decode(const char *src, int len, u8 *dst) |
6b3bd08f | 223 | { |
1c5100a2 | 224 | int i, bits = 0, ac = 0; |
6b3bd08f | 225 | const char *p; |
1c5100a2 | 226 | u8 *cp = dst; |
6b3bd08f | 227 | |
1c5100a2 | 228 | for (i = 0; i < len; i++) { |
6b3bd08f JK |
229 | p = strchr(lookup_table, src[i]); |
230 | if (p == NULL || src[i] == 0) | |
231 | return -2; | |
232 | ac += (p - lookup_table) << bits; | |
233 | bits += 6; | |
234 | if (bits >= 8) { | |
235 | *cp++ = ac & 0xff; | |
236 | ac >>= 8; | |
237 | bits -= 8; | |
238 | } | |
6b3bd08f JK |
239 | } |
240 | if (ac) | |
241 | return -1; | |
242 | return cp - dst; | |
243 | } | |
244 | ||
b9db0b4a EB |
245 | bool fscrypt_fname_encrypted_size(const struct inode *inode, u32 orig_len, |
246 | u32 max_len, u32 *encrypted_len_ret) | |
6b3bd08f | 247 | { |
5dae460c EB |
248 | const struct fscrypt_info *ci = inode->i_crypt_info; |
249 | int padding = 4 << (fscrypt_policy_flags(&ci->ci_policy) & | |
3b6df59b | 250 | FSCRYPT_POLICY_FLAGS_PAD_MASK); |
b9db0b4a EB |
251 | u32 encrypted_len; |
252 | ||
253 | if (orig_len > max_len) | |
254 | return false; | |
255 | encrypted_len = max(orig_len, (u32)FS_CRYPTO_BLOCK_SIZE); | |
256 | encrypted_len = round_up(encrypted_len, padding); | |
257 | *encrypted_len_ret = min(encrypted_len, max_len); | |
258 | return true; | |
6b3bd08f JK |
259 | } |
260 | ||
261 | /** | |
d2fe9754 EB |
262 | * fscrypt_fname_alloc_buffer() - allocate a buffer for presented filenames |
263 | * @inode: inode of the parent directory (for regular filenames) | |
264 | * or of the symlink (for symlink targets) | |
265 | * @max_encrypted_len: maximum length of encrypted filenames the buffer will be | |
266 | * used to present | |
267 | * @crypto_str: (output) buffer to allocate | |
6b3bd08f | 268 | * |
2cbadadc EB |
269 | * Allocate a buffer that is large enough to hold any decrypted or encoded |
270 | * filename (null-terminated), for the given maximum encrypted filename length. | |
271 | * | |
272 | * Return: 0 on success, -errno on failure | |
6b3bd08f | 273 | */ |
0b93e1b9 | 274 | int fscrypt_fname_alloc_buffer(const struct inode *inode, |
2cbadadc EB |
275 | u32 max_encrypted_len, |
276 | struct fscrypt_str *crypto_str) | |
6b3bd08f | 277 | { |
edc440e3 | 278 | const u32 max_encoded_len = BASE64_CHARS(FSCRYPT_NOKEY_NAME_MAX); |
2cbadadc | 279 | u32 max_presented_len; |
6b3bd08f | 280 | |
2cbadadc | 281 | max_presented_len = max(max_encoded_len, max_encrypted_len); |
17159420 | 282 | |
2cbadadc EB |
283 | crypto_str->name = kmalloc(max_presented_len + 1, GFP_NOFS); |
284 | if (!crypto_str->name) | |
6b3bd08f | 285 | return -ENOMEM; |
2cbadadc | 286 | crypto_str->len = max_presented_len; |
6b3bd08f JK |
287 | return 0; |
288 | } | |
0b81d077 | 289 | EXPORT_SYMBOL(fscrypt_fname_alloc_buffer); |
6b3bd08f JK |
290 | |
291 | /** | |
d2fe9754 EB |
292 | * fscrypt_fname_free_buffer() - free a buffer for presented filenames |
293 | * @crypto_str: the buffer to free | |
6b3bd08f | 294 | * |
d2fe9754 | 295 | * Free a buffer that was allocated by fscrypt_fname_alloc_buffer(). |
6b3bd08f | 296 | */ |
0b81d077 | 297 | void fscrypt_fname_free_buffer(struct fscrypt_str *crypto_str) |
6b3bd08f JK |
298 | { |
299 | if (!crypto_str) | |
300 | return; | |
301 | kfree(crypto_str->name); | |
302 | crypto_str->name = NULL; | |
303 | } | |
0b81d077 | 304 | EXPORT_SYMBOL(fscrypt_fname_free_buffer); |
6b3bd08f JK |
305 | |
306 | /** | |
d2fe9754 EB |
307 | * fscrypt_fname_disk_to_usr() - convert an encrypted filename to |
308 | * user-presentable form | |
309 | * @inode: inode of the parent directory (for regular filenames) | |
310 | * or of the symlink (for symlink targets) | |
311 | * @hash: first part of the name's dirhash, if applicable. This only needs to | |
312 | * be provided if the filename is located in an indexed directory whose | |
313 | * encryption key may be unavailable. Not needed for symlink targets. | |
314 | * @minor_hash: second part of the name's dirhash, if applicable | |
315 | * @iname: encrypted filename to convert. May also be "." or "..", which | |
316 | * aren't actually encrypted. | |
317 | * @oname: output buffer for the user-presentable filename. The caller must | |
318 | * have allocated enough space for this, e.g. using | |
319 | * fscrypt_fname_alloc_buffer(). | |
ef1eb3aa | 320 | * |
edc440e3 DR |
321 | * If the key is available, we'll decrypt the disk name. Otherwise, we'll |
322 | * encode it for presentation in fscrypt_nokey_name format. | |
323 | * See struct fscrypt_nokey_name for details. | |
17159420 | 324 | * |
ef1eb3aa | 325 | * Return: 0 on success, -errno on failure |
6b3bd08f | 326 | */ |
8a4ab0b8 EB |
327 | int fscrypt_fname_disk_to_usr(const struct inode *inode, |
328 | u32 hash, u32 minor_hash, | |
329 | const struct fscrypt_str *iname, | |
330 | struct fscrypt_str *oname) | |
6b3bd08f JK |
331 | { |
332 | const struct qstr qname = FSTR_TO_QSTR(iname); | |
edc440e3 DR |
333 | struct fscrypt_nokey_name nokey_name; |
334 | u32 size; /* size of the unencoded no-key name */ | |
6b3bd08f | 335 | |
0b81d077 | 336 | if (fscrypt_is_dot_dotdot(&qname)) { |
6b3bd08f JK |
337 | oname->name[0] = '.'; |
338 | oname->name[iname->len - 1] = '.'; | |
339 | oname->len = iname->len; | |
ef1eb3aa | 340 | return 0; |
6b3bd08f JK |
341 | } |
342 | ||
0b81d077 | 343 | if (iname->len < FS_CRYPTO_BLOCK_SIZE) |
1dafa51d | 344 | return -EUCLEAN; |
6b3bd08f | 345 | |
e37a784d | 346 | if (fscrypt_has_encryption_key(inode)) |
0b81d077 JK |
347 | return fname_decrypt(inode, iname, oname); |
348 | ||
edc440e3 DR |
349 | /* |
350 | * Sanity check that struct fscrypt_nokey_name doesn't have padding | |
351 | * between fields and that its encoded size never exceeds NAME_MAX. | |
352 | */ | |
353 | BUILD_BUG_ON(offsetofend(struct fscrypt_nokey_name, dirhash) != | |
354 | offsetof(struct fscrypt_nokey_name, bytes)); | |
355 | BUILD_BUG_ON(offsetofend(struct fscrypt_nokey_name, bytes) != | |
356 | offsetof(struct fscrypt_nokey_name, sha256)); | |
357 | BUILD_BUG_ON(BASE64_CHARS(FSCRYPT_NOKEY_NAME_MAX) > NAME_MAX); | |
358 | ||
6b3bd08f | 359 | if (hash) { |
edc440e3 DR |
360 | nokey_name.dirhash[0] = hash; |
361 | nokey_name.dirhash[1] = minor_hash; | |
0b81d077 | 362 | } else { |
edc440e3 DR |
363 | nokey_name.dirhash[0] = 0; |
364 | nokey_name.dirhash[1] = 0; | |
0b81d077 | 365 | } |
edc440e3 DR |
366 | if (iname->len <= sizeof(nokey_name.bytes)) { |
367 | memcpy(nokey_name.bytes, iname->name, iname->len); | |
368 | size = offsetof(struct fscrypt_nokey_name, bytes[iname->len]); | |
369 | } else { | |
370 | memcpy(nokey_name.bytes, iname->name, sizeof(nokey_name.bytes)); | |
371 | /* Compute strong hash of remaining part of name. */ | |
bd0d97b7 EB |
372 | fscrypt_do_sha256(&iname->name[sizeof(nokey_name.bytes)], |
373 | iname->len - sizeof(nokey_name.bytes), | |
374 | nokey_name.sha256); | |
edc440e3 DR |
375 | size = FSCRYPT_NOKEY_NAME_MAX; |
376 | } | |
377 | oname->len = base64_encode((const u8 *)&nokey_name, size, oname->name); | |
ef1eb3aa | 378 | return 0; |
6b3bd08f | 379 | } |
0b81d077 | 380 | EXPORT_SYMBOL(fscrypt_fname_disk_to_usr); |
6b3bd08f | 381 | |
17159420 EB |
382 | /** |
383 | * fscrypt_setup_filename() - prepare to search a possibly encrypted directory | |
384 | * @dir: the directory that will be searched | |
385 | * @iname: the user-provided filename being searched for | |
386 | * @lookup: 1 if we're allowed to proceed without the key because it's | |
387 | * ->lookup() or we're finding the dir_entry for deletion; 0 if we cannot | |
388 | * proceed without the key because we're going to create the dir_entry. | |
389 | * @fname: the filename information to be filled in | |
390 | * | |
391 | * Given a user-provided filename @iname, this function sets @fname->disk_name | |
392 | * to the name that would be stored in the on-disk directory entry, if possible. | |
393 | * If the directory is unencrypted this is simply @iname. Else, if we have the | |
394 | * directory's encryption key, then @iname is the plaintext, so we encrypt it to | |
395 | * get the disk_name. | |
396 | * | |
397 | * Else, for keyless @lookup operations, @iname is the presented ciphertext, so | |
edc440e3 | 398 | * we decode it to get the fscrypt_nokey_name. Non-@lookup operations will be |
17159420 EB |
399 | * impossible in this case, so we fail them with ENOKEY. |
400 | * | |
401 | * If successful, fscrypt_free_filename() must be called later to clean up. | |
402 | * | |
403 | * Return: 0 on success, -errno on failure | |
404 | */ | |
0b81d077 JK |
405 | int fscrypt_setup_filename(struct inode *dir, const struct qstr *iname, |
406 | int lookup, struct fscrypt_name *fname) | |
6b3bd08f | 407 | { |
edc440e3 | 408 | struct fscrypt_nokey_name *nokey_name; |
17159420 | 409 | int ret; |
6b3bd08f | 410 | |
0b81d077 | 411 | memset(fname, 0, sizeof(struct fscrypt_name)); |
6b3bd08f JK |
412 | fname->usr_fname = iname; |
413 | ||
e0428a26 | 414 | if (!IS_ENCRYPTED(dir) || fscrypt_is_dot_dotdot(iname)) { |
6b3bd08f JK |
415 | fname->disk_name.name = (unsigned char *)iname->name; |
416 | fname->disk_name.len = iname->len; | |
7bf4b557 | 417 | return 0; |
6b3bd08f | 418 | } |
1b53cf98 | 419 | ret = fscrypt_get_encryption_info(dir); |
17bfde60 | 420 | if (ret) |
6b3bd08f | 421 | return ret; |
0b81d077 | 422 | |
e37a784d | 423 | if (fscrypt_has_encryption_key(dir)) { |
b9db0b4a | 424 | if (!fscrypt_fname_encrypted_size(dir, iname->len, |
e12ee683 | 425 | dir->i_sb->s_cop->max_namelen, |
b9db0b4a | 426 | &fname->crypto_buf.len)) |
50c961de | 427 | return -ENAMETOOLONG; |
50c961de EB |
428 | fname->crypto_buf.name = kmalloc(fname->crypto_buf.len, |
429 | GFP_NOFS); | |
430 | if (!fname->crypto_buf.name) | |
431 | return -ENOMEM; | |
432 | ||
1b3b827e EB |
433 | ret = fscrypt_fname_encrypt(dir, iname, fname->crypto_buf.name, |
434 | fname->crypto_buf.len); | |
ef1eb3aa | 435 | if (ret) |
e5e0906b | 436 | goto errout; |
6b3bd08f JK |
437 | fname->disk_name.name = fname->crypto_buf.name; |
438 | fname->disk_name.len = fname->crypto_buf.len; | |
7bf4b557 | 439 | return 0; |
6b3bd08f | 440 | } |
e5e0906b | 441 | if (!lookup) |
54475f53 | 442 | return -ENOKEY; |
b01531db | 443 | fname->is_ciphertext_name = true; |
6b3bd08f | 444 | |
0b81d077 JK |
445 | /* |
446 | * We don't have the key and we are doing a lookup; decode the | |
6b3bd08f JK |
447 | * user-supplied name |
448 | */ | |
e5e0906b | 449 | |
edc440e3 DR |
450 | if (iname->len > BASE64_CHARS(FSCRYPT_NOKEY_NAME_MAX)) |
451 | return -ENOENT; | |
452 | ||
453 | fname->crypto_buf.name = kmalloc(FSCRYPT_NOKEY_NAME_MAX, GFP_KERNEL); | |
e5e0906b JK |
454 | if (fname->crypto_buf.name == NULL) |
455 | return -ENOMEM; | |
0b81d077 | 456 | |
edc440e3 DR |
457 | ret = base64_decode(iname->name, iname->len, fname->crypto_buf.name); |
458 | if (ret < (int)offsetof(struct fscrypt_nokey_name, bytes[1]) || | |
459 | (ret > offsetof(struct fscrypt_nokey_name, sha256) && | |
460 | ret != FSCRYPT_NOKEY_NAME_MAX)) { | |
6b3bd08f | 461 | ret = -ENOENT; |
e5e0906b | 462 | goto errout; |
6b3bd08f JK |
463 | } |
464 | fname->crypto_buf.len = ret; | |
edc440e3 DR |
465 | |
466 | nokey_name = (void *)fname->crypto_buf.name; | |
467 | fname->hash = nokey_name->dirhash[0]; | |
468 | fname->minor_hash = nokey_name->dirhash[1]; | |
469 | if (ret != FSCRYPT_NOKEY_NAME_MAX) { | |
470 | /* The full ciphertext filename is available. */ | |
471 | fname->disk_name.name = nokey_name->bytes; | |
472 | fname->disk_name.len = | |
473 | ret - offsetof(struct fscrypt_nokey_name, bytes); | |
6b3bd08f | 474 | } |
7bf4b557 | 475 | return 0; |
0b81d077 | 476 | |
e5e0906b | 477 | errout: |
50c961de | 478 | kfree(fname->crypto_buf.name); |
6b3bd08f JK |
479 | return ret; |
480 | } | |
0b81d077 | 481 | EXPORT_SYMBOL(fscrypt_setup_filename); |
2ebdef6d | 482 | |
edc440e3 DR |
483 | /** |
484 | * fscrypt_match_name() - test whether the given name matches a directory entry | |
485 | * @fname: the name being searched for | |
486 | * @de_name: the name from the directory entry | |
487 | * @de_name_len: the length of @de_name in bytes | |
488 | * | |
489 | * Normally @fname->disk_name will be set, and in that case we simply compare | |
490 | * that to the name stored in the directory entry. The only exception is that | |
491 | * if we don't have the key for an encrypted directory and the name we're | |
492 | * looking for is very long, then we won't have the full disk_name and instead | |
493 | * we'll need to match against a fscrypt_nokey_name that includes a strong hash. | |
494 | * | |
495 | * Return: %true if the name matches, otherwise %false. | |
496 | */ | |
497 | bool fscrypt_match_name(const struct fscrypt_name *fname, | |
498 | const u8 *de_name, u32 de_name_len) | |
499 | { | |
500 | const struct fscrypt_nokey_name *nokey_name = | |
501 | (const void *)fname->crypto_buf.name; | |
502 | u8 sha256[SHA256_DIGEST_SIZE]; | |
503 | ||
504 | if (likely(fname->disk_name.name)) { | |
505 | if (de_name_len != fname->disk_name.len) | |
506 | return false; | |
507 | return !memcmp(de_name, fname->disk_name.name, de_name_len); | |
508 | } | |
509 | if (de_name_len <= sizeof(nokey_name->bytes)) | |
510 | return false; | |
511 | if (memcmp(de_name, nokey_name->bytes, sizeof(nokey_name->bytes))) | |
512 | return false; | |
bd0d97b7 EB |
513 | fscrypt_do_sha256(&de_name[sizeof(nokey_name->bytes)], |
514 | de_name_len - sizeof(nokey_name->bytes), sha256); | |
edc440e3 DR |
515 | return !memcmp(sha256, nokey_name->sha256, sizeof(sha256)); |
516 | } | |
517 | EXPORT_SYMBOL_GPL(fscrypt_match_name); | |
518 | ||
aa408f83 DR |
519 | /** |
520 | * fscrypt_fname_siphash() - calculate the SipHash of a filename | |
521 | * @dir: the parent directory | |
522 | * @name: the filename to calculate the SipHash of | |
523 | * | |
524 | * Given a plaintext filename @name and a directory @dir which uses SipHash as | |
525 | * its dirhash method and has had its fscrypt key set up, this function | |
526 | * calculates the SipHash of that name using the directory's secret dirhash key. | |
527 | * | |
528 | * Return: the SipHash of @name using the hash key of @dir | |
529 | */ | |
530 | u64 fscrypt_fname_siphash(const struct inode *dir, const struct qstr *name) | |
531 | { | |
532 | const struct fscrypt_info *ci = dir->i_crypt_info; | |
533 | ||
534 | WARN_ON(!ci->ci_dirhash_key_initialized); | |
535 | ||
536 | return siphash(name->name, name->len, &ci->ci_dirhash_key); | |
537 | } | |
538 | EXPORT_SYMBOL_GPL(fscrypt_fname_siphash); | |
539 | ||
2ebdef6d EB |
540 | /* |
541 | * Validate dentries in encrypted directories to make sure we aren't potentially | |
542 | * caching stale dentries after a key has been added. | |
543 | */ | |
544 | static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags) | |
545 | { | |
546 | struct dentry *dir; | |
547 | int err; | |
548 | int valid; | |
549 | ||
550 | /* | |
551 | * Plaintext names are always valid, since fscrypt doesn't support | |
552 | * reverting to ciphertext names without evicting the directory's inode | |
553 | * -- which implies eviction of the dentries in the directory. | |
554 | */ | |
555 | if (!(dentry->d_flags & DCACHE_ENCRYPTED_NAME)) | |
556 | return 1; | |
557 | ||
558 | /* | |
559 | * Ciphertext name; valid if the directory's key is still unavailable. | |
560 | * | |
561 | * Although fscrypt forbids rename() on ciphertext names, we still must | |
562 | * use dget_parent() here rather than use ->d_parent directly. That's | |
563 | * because a corrupted fs image may contain directory hard links, which | |
564 | * the VFS handles by moving the directory's dentry tree in the dcache | |
565 | * each time ->lookup() finds the directory and it already has a dentry | |
566 | * elsewhere. Thus ->d_parent can be changing, and we must safely grab | |
567 | * a reference to some ->d_parent to prevent it from being freed. | |
568 | */ | |
569 | ||
570 | if (flags & LOOKUP_RCU) | |
571 | return -ECHILD; | |
572 | ||
573 | dir = dget_parent(dentry); | |
574 | err = fscrypt_get_encryption_info(d_inode(dir)); | |
575 | valid = !fscrypt_has_encryption_key(d_inode(dir)); | |
576 | dput(dir); | |
577 | ||
578 | if (err < 0) | |
579 | return err; | |
580 | ||
581 | return valid; | |
582 | } | |
583 | ||
584 | const struct dentry_operations fscrypt_d_ops = { | |
585 | .d_revalidate = fscrypt_d_revalidate, | |
586 | }; |