aboutsummaryrefslogtreecommitdiffstats
path: root/fs/ecryptfs/crypto.c
diff options
context:
space:
mode:
Diffstat (limited to 'fs/ecryptfs/crypto.c')
-rw-r--r--fs/ecryptfs/crypto.c191
1 files changed, 103 insertions, 88 deletions
diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
index f8ef0af919e7..a066e109ad9c 100644
--- a/fs/ecryptfs/crypto.c
+++ b/fs/ecryptfs/crypto.c
@@ -355,8 +355,11 @@ static int encrypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat,
355 } 355 }
356 /* Consider doing this once, when the file is opened */ 356 /* Consider doing this once, when the file is opened */
357 mutex_lock(&crypt_stat->cs_tfm_mutex); 357 mutex_lock(&crypt_stat->cs_tfm_mutex);
358 rc = crypto_blkcipher_setkey(crypt_stat->tfm, crypt_stat->key, 358 if (!(crypt_stat->flags & ECRYPTFS_KEY_SET)) {
359 crypt_stat->key_size); 359 rc = crypto_blkcipher_setkey(crypt_stat->tfm, crypt_stat->key,
360 crypt_stat->key_size);
361 crypt_stat->flags |= ECRYPTFS_KEY_SET;
362 }
360 if (rc) { 363 if (rc) {
361 ecryptfs_printk(KERN_ERR, "Error setting key; rc = [%d]\n", 364 ecryptfs_printk(KERN_ERR, "Error setting key; rc = [%d]\n",
362 rc); 365 rc);
@@ -376,11 +379,10 @@ out:
376 * 379 *
377 * Convert an eCryptfs page index into a lower byte offset 380 * Convert an eCryptfs page index into a lower byte offset
378 */ 381 */
379void ecryptfs_lower_offset_for_extent(loff_t *offset, loff_t extent_num, 382static void ecryptfs_lower_offset_for_extent(loff_t *offset, loff_t extent_num,
380 struct ecryptfs_crypt_stat *crypt_stat) 383 struct ecryptfs_crypt_stat *crypt_stat)
381{ 384{
382 (*offset) = ((crypt_stat->extent_size 385 (*offset) = (crypt_stat->num_header_bytes_at_front
383 * crypt_stat->num_header_extents_at_front)
384 + (crypt_stat->extent_size * extent_num)); 386 + (crypt_stat->extent_size * extent_num));
385} 387}
386 388
@@ -842,15 +844,13 @@ void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat)
842 set_extent_mask_and_shift(crypt_stat); 844 set_extent_mask_and_shift(crypt_stat);
843 crypt_stat->iv_bytes = ECRYPTFS_DEFAULT_IV_BYTES; 845 crypt_stat->iv_bytes = ECRYPTFS_DEFAULT_IV_BYTES;
844 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR) 846 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
845 crypt_stat->num_header_extents_at_front = 0; 847 crypt_stat->num_header_bytes_at_front = 0;
846 else { 848 else {
847 if (PAGE_CACHE_SIZE <= ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE) 849 if (PAGE_CACHE_SIZE <= ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)
848 crypt_stat->num_header_extents_at_front = 850 crypt_stat->num_header_bytes_at_front =
849 (ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE 851 ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
850 / crypt_stat->extent_size);
851 else 852 else
852 crypt_stat->num_header_extents_at_front = 853 crypt_stat->num_header_bytes_at_front = PAGE_CACHE_SIZE;
853 (PAGE_CACHE_SIZE / crypt_stat->extent_size);
854 } 854 }
855} 855}
856 856
@@ -1128,7 +1128,7 @@ write_ecryptfs_flags(char *page_virt, struct ecryptfs_crypt_stat *crypt_stat,
1128 1128
1129struct ecryptfs_cipher_code_str_map_elem { 1129struct ecryptfs_cipher_code_str_map_elem {
1130 char cipher_str[16]; 1130 char cipher_str[16];
1131 u16 cipher_code; 1131 u8 cipher_code;
1132}; 1132};
1133 1133
1134/* Add support for additional ciphers by adding elements here. The 1134/* Add support for additional ciphers by adding elements here. The
@@ -1152,10 +1152,10 @@ ecryptfs_cipher_code_str_map[] = {
1152 * 1152 *
1153 * Returns zero on no match, or the cipher code on match 1153 * Returns zero on no match, or the cipher code on match
1154 */ 1154 */
1155u16 ecryptfs_code_for_cipher_string(struct ecryptfs_crypt_stat *crypt_stat) 1155u8 ecryptfs_code_for_cipher_string(struct ecryptfs_crypt_stat *crypt_stat)
1156{ 1156{
1157 int i; 1157 int i;
1158 u16 code = 0; 1158 u8 code = 0;
1159 struct ecryptfs_cipher_code_str_map_elem *map = 1159 struct ecryptfs_cipher_code_str_map_elem *map =
1160 ecryptfs_cipher_code_str_map; 1160 ecryptfs_cipher_code_str_map;
1161 1161
@@ -1187,7 +1187,7 @@ u16 ecryptfs_code_for_cipher_string(struct ecryptfs_crypt_stat *crypt_stat)
1187 * 1187 *
1188 * Returns zero on success 1188 * Returns zero on success
1189 */ 1189 */
1190int ecryptfs_cipher_code_to_string(char *str, u16 cipher_code) 1190int ecryptfs_cipher_code_to_string(char *str, u8 cipher_code)
1191{ 1191{
1192 int rc = 0; 1192 int rc = 0;
1193 int i; 1193 int i;
@@ -1236,7 +1236,8 @@ ecryptfs_write_header_metadata(char *virt,
1236 1236
1237 header_extent_size = (u32)crypt_stat->extent_size; 1237 header_extent_size = (u32)crypt_stat->extent_size;
1238 num_header_extents_at_front = 1238 num_header_extents_at_front =
1239 (u16)crypt_stat->num_header_extents_at_front; 1239 (u16)(crypt_stat->num_header_bytes_at_front
1240 / crypt_stat->extent_size);
1240 header_extent_size = cpu_to_be32(header_extent_size); 1241 header_extent_size = cpu_to_be32(header_extent_size);
1241 memcpy(virt, &header_extent_size, 4); 1242 memcpy(virt, &header_extent_size, 4);
1242 virt += 4; 1243 virt += 4;
@@ -1311,40 +1312,16 @@ static int ecryptfs_write_headers_virt(char *page_virt, size_t *size,
1311static int 1312static int
1312ecryptfs_write_metadata_to_contents(struct ecryptfs_crypt_stat *crypt_stat, 1313ecryptfs_write_metadata_to_contents(struct ecryptfs_crypt_stat *crypt_stat,
1313 struct dentry *ecryptfs_dentry, 1314 struct dentry *ecryptfs_dentry,
1314 char *page_virt) 1315 char *virt)
1315{ 1316{
1316 int current_header_page;
1317 int header_pages;
1318 int rc; 1317 int rc;
1319 1318
1320 rc = ecryptfs_write_lower(ecryptfs_dentry->d_inode, page_virt, 1319 rc = ecryptfs_write_lower(ecryptfs_dentry->d_inode, virt,
1321 0, PAGE_CACHE_SIZE); 1320 0, crypt_stat->num_header_bytes_at_front);
1322 if (rc) { 1321 if (rc)
1323 printk(KERN_ERR "%s: Error attempting to write header " 1322 printk(KERN_ERR "%s: Error attempting to write header "
1324 "information to lower file; rc = [%d]\n", __FUNCTION__, 1323 "information to lower file; rc = [%d]\n", __FUNCTION__,
1325 rc); 1324 rc);
1326 goto out;
1327 }
1328 header_pages = ((crypt_stat->extent_size
1329 * crypt_stat->num_header_extents_at_front)
1330 / PAGE_CACHE_SIZE);
1331 memset(page_virt, 0, PAGE_CACHE_SIZE);
1332 current_header_page = 1;
1333 while (current_header_page < header_pages) {
1334 loff_t offset;
1335
1336 offset = (((loff_t)current_header_page) << PAGE_CACHE_SHIFT);
1337 if ((rc = ecryptfs_write_lower(ecryptfs_dentry->d_inode,
1338 page_virt, offset,
1339 PAGE_CACHE_SIZE))) {
1340 printk(KERN_ERR "%s: Error attempting to write header "
1341 "information to lower file; rc = [%d]\n",
1342 __FUNCTION__, rc);
1343 goto out;
1344 }
1345 current_header_page++;
1346 }
1347out:
1348 return rc; 1325 return rc;
1349} 1326}
1350 1327
@@ -1370,15 +1347,13 @@ ecryptfs_write_metadata_to_xattr(struct dentry *ecryptfs_dentry,
1370 * retrieved via a prompt. Exactly what happens at this point should 1347 * retrieved via a prompt. Exactly what happens at this point should
1371 * be policy-dependent. 1348 * be policy-dependent.
1372 * 1349 *
1373 * TODO: Support header information spanning multiple pages
1374 *
1375 * Returns zero on success; non-zero on error 1350 * Returns zero on success; non-zero on error
1376 */ 1351 */
1377int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry) 1352int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry)
1378{ 1353{
1379 struct ecryptfs_crypt_stat *crypt_stat = 1354 struct ecryptfs_crypt_stat *crypt_stat =
1380 &ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat; 1355 &ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat;
1381 char *page_virt; 1356 char *virt;
1382 size_t size = 0; 1357 size_t size = 0;
1383 int rc = 0; 1358 int rc = 0;
1384 1359
@@ -1389,40 +1364,39 @@ int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry)
1389 goto out; 1364 goto out;
1390 } 1365 }
1391 } else { 1366 } else {
1367 printk(KERN_WARNING "%s: Encrypted flag not set\n",
1368 __FUNCTION__);
1392 rc = -EINVAL; 1369 rc = -EINVAL;
1393 ecryptfs_printk(KERN_WARNING,
1394 "Called with crypt_stat->encrypted == 0\n");
1395 goto out; 1370 goto out;
1396 } 1371 }
1397 /* Released in this function */ 1372 /* Released in this function */
1398 page_virt = kmem_cache_zalloc(ecryptfs_header_cache_0, GFP_USER); 1373 virt = kzalloc(crypt_stat->num_header_bytes_at_front, GFP_KERNEL);
1399 if (!page_virt) { 1374 if (!virt) {
1400 ecryptfs_printk(KERN_ERR, "Out of memory\n"); 1375 printk(KERN_ERR "%s: Out of memory\n", __FUNCTION__);
1401 rc = -ENOMEM; 1376 rc = -ENOMEM;
1402 goto out; 1377 goto out;
1403 } 1378 }
1404 rc = ecryptfs_write_headers_virt(page_virt, &size, crypt_stat, 1379 rc = ecryptfs_write_headers_virt(virt, &size, crypt_stat,
1405 ecryptfs_dentry); 1380 ecryptfs_dentry);
1406 if (unlikely(rc)) { 1381 if (unlikely(rc)) {
1407 ecryptfs_printk(KERN_ERR, "Error whilst writing headers\n"); 1382 printk(KERN_ERR "%s: Error whilst writing headers; rc = [%d]\n",
1408 memset(page_virt, 0, PAGE_CACHE_SIZE); 1383 __FUNCTION__, rc);
1409 goto out_free; 1384 goto out_free;
1410 } 1385 }
1411 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR) 1386 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
1412 rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, 1387 rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry,
1413 crypt_stat, page_virt, 1388 crypt_stat, virt, size);
1414 size);
1415 else 1389 else
1416 rc = ecryptfs_write_metadata_to_contents(crypt_stat, 1390 rc = ecryptfs_write_metadata_to_contents(crypt_stat,
1417 ecryptfs_dentry, 1391 ecryptfs_dentry, virt);
1418 page_virt);
1419 if (rc) { 1392 if (rc) {
1420 printk(KERN_ERR "Error writing metadata out to lower file; " 1393 printk(KERN_ERR "%s: Error writing metadata out to lower file; "
1421 "rc = [%d]\n", rc); 1394 "rc = [%d]\n", __FUNCTION__, rc);
1422 goto out_free; 1395 goto out_free;
1423 } 1396 }
1424out_free: 1397out_free:
1425 kmem_cache_free(ecryptfs_header_cache_0, page_virt); 1398 memset(virt, 0, crypt_stat->num_header_bytes_at_front);
1399 kfree(virt);
1426out: 1400out:
1427 return rc; 1401 return rc;
1428} 1402}
@@ -1442,16 +1416,16 @@ static int parse_header_metadata(struct ecryptfs_crypt_stat *crypt_stat,
1442 virt += sizeof(u32); 1416 virt += sizeof(u32);
1443 memcpy(&num_header_extents_at_front, virt, sizeof(u16)); 1417 memcpy(&num_header_extents_at_front, virt, sizeof(u16));
1444 num_header_extents_at_front = be16_to_cpu(num_header_extents_at_front); 1418 num_header_extents_at_front = be16_to_cpu(num_header_extents_at_front);
1445 crypt_stat->num_header_extents_at_front = 1419 crypt_stat->num_header_bytes_at_front =
1446 (int)num_header_extents_at_front; 1420 (((size_t)num_header_extents_at_front
1421 * (size_t)header_extent_size));
1447 (*bytes_read) = (sizeof(u32) + sizeof(u16)); 1422 (*bytes_read) = (sizeof(u32) + sizeof(u16));
1448 if ((validate_header_size == ECRYPTFS_VALIDATE_HEADER_SIZE) 1423 if ((validate_header_size == ECRYPTFS_VALIDATE_HEADER_SIZE)
1449 && ((crypt_stat->extent_size 1424 && (crypt_stat->num_header_bytes_at_front
1450 * crypt_stat->num_header_extents_at_front)
1451 < ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)) { 1425 < ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)) {
1452 rc = -EINVAL; 1426 rc = -EINVAL;
1453 printk(KERN_WARNING "Invalid number of header extents: [%zd]\n", 1427 printk(KERN_WARNING "Invalid header size: [%zd]\n",
1454 crypt_stat->num_header_extents_at_front); 1428 crypt_stat->num_header_bytes_at_front);
1455 } 1429 }
1456 return rc; 1430 return rc;
1457} 1431}
@@ -1466,7 +1440,8 @@ static int parse_header_metadata(struct ecryptfs_crypt_stat *crypt_stat,
1466 */ 1440 */
1467static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat) 1441static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat)
1468{ 1442{
1469 crypt_stat->num_header_extents_at_front = 2; 1443 crypt_stat->num_header_bytes_at_front =
1444 ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
1470} 1445}
1471 1446
1472/** 1447/**
@@ -1552,9 +1527,10 @@ int ecryptfs_read_xattr_region(char *page_virt, struct inode *ecryptfs_inode)
1552 size = ecryptfs_getxattr_lower(lower_dentry, ECRYPTFS_XATTR_NAME, 1527 size = ecryptfs_getxattr_lower(lower_dentry, ECRYPTFS_XATTR_NAME,
1553 page_virt, ECRYPTFS_DEFAULT_EXTENT_SIZE); 1528 page_virt, ECRYPTFS_DEFAULT_EXTENT_SIZE);
1554 if (size < 0) { 1529 if (size < 0) {
1555 printk(KERN_ERR "Error attempting to read the [%s] " 1530 if (unlikely(ecryptfs_verbosity > 0))
1556 "xattr from the lower file; return value = [%zd]\n", 1531 printk(KERN_INFO "Error attempting to read the [%s] "
1557 ECRYPTFS_XATTR_NAME, size); 1532 "xattr from the lower file; return value = "
1533 "[%zd]\n", ECRYPTFS_XATTR_NAME, size);
1558 rc = -EINVAL; 1534 rc = -EINVAL;
1559 goto out; 1535 goto out;
1560 } 1536 }
@@ -1802,7 +1778,7 @@ out:
1802} 1778}
1803 1779
1804struct kmem_cache *ecryptfs_key_tfm_cache; 1780struct kmem_cache *ecryptfs_key_tfm_cache;
1805struct list_head key_tfm_list; 1781static struct list_head key_tfm_list;
1806struct mutex key_tfm_list_mutex; 1782struct mutex key_tfm_list_mutex;
1807 1783
1808int ecryptfs_init_crypto(void) 1784int ecryptfs_init_crypto(void)
@@ -1812,6 +1788,11 @@ int ecryptfs_init_crypto(void)
1812 return 0; 1788 return 0;
1813} 1789}
1814 1790
1791/**
1792 * ecryptfs_destroy_crypto - free all cached key_tfms on key_tfm_list
1793 *
1794 * Called only at module unload time
1795 */
1815int ecryptfs_destroy_crypto(void) 1796int ecryptfs_destroy_crypto(void)
1816{ 1797{
1817 struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp; 1798 struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp;
@@ -1835,6 +1816,8 @@ ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name,
1835 struct ecryptfs_key_tfm *tmp_tfm; 1816 struct ecryptfs_key_tfm *tmp_tfm;
1836 int rc = 0; 1817 int rc = 0;
1837 1818
1819 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1820
1838 tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL); 1821 tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL);
1839 if (key_tfm != NULL) 1822 if (key_tfm != NULL)
1840 (*key_tfm) = tmp_tfm; 1823 (*key_tfm) = tmp_tfm;
@@ -1861,13 +1844,50 @@ ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name,
1861 (*key_tfm) = NULL; 1844 (*key_tfm) = NULL;
1862 goto out; 1845 goto out;
1863 } 1846 }
1864 mutex_lock(&key_tfm_list_mutex);
1865 list_add(&tmp_tfm->key_tfm_list, &key_tfm_list); 1847 list_add(&tmp_tfm->key_tfm_list, &key_tfm_list);
1866 mutex_unlock(&key_tfm_list_mutex);
1867out: 1848out:
1868 return rc; 1849 return rc;
1869} 1850}
1870 1851
1852/**
1853 * ecryptfs_tfm_exists - Search for existing tfm for cipher_name.
1854 * @cipher_name: the name of the cipher to search for
1855 * @key_tfm: set to corresponding tfm if found
1856 *
1857 * Searches for cached key_tfm matching @cipher_name
1858 * Must be called with &key_tfm_list_mutex held
1859 * Returns 1 if found, with @key_tfm set
1860 * Returns 0 if not found, with @key_tfm set to NULL
1861 */
1862int ecryptfs_tfm_exists(char *cipher_name, struct ecryptfs_key_tfm **key_tfm)
1863{
1864 struct ecryptfs_key_tfm *tmp_key_tfm;
1865
1866 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
1867
1868 list_for_each_entry(tmp_key_tfm, &key_tfm_list, key_tfm_list) {
1869 if (strcmp(tmp_key_tfm->cipher_name, cipher_name) == 0) {
1870 if (key_tfm)
1871 (*key_tfm) = tmp_key_tfm;
1872 return 1;
1873 }
1874 }
1875 if (key_tfm)
1876 (*key_tfm) = NULL;
1877 return 0;
1878}
1879
1880/**
1881 * ecryptfs_get_tfm_and_mutex_for_cipher_name
1882 *
1883 * @tfm: set to cached tfm found, or new tfm created
1884 * @tfm_mutex: set to mutex for cached tfm found, or new tfm created
1885 * @cipher_name: the name of the cipher to search for and/or add
1886 *
1887 * Sets pointers to @tfm & @tfm_mutex matching @cipher_name.
1888 * Searches for cached item first, and creates new if not found.
1889 * Returns 0 on success, non-zero if adding new cipher failed
1890 */
1871int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm, 1891int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm,
1872 struct mutex **tfm_mutex, 1892 struct mutex **tfm_mutex,
1873 char *cipher_name) 1893 char *cipher_name)
@@ -1877,22 +1897,17 @@ int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm,
1877 1897
1878 (*tfm) = NULL; 1898 (*tfm) = NULL;
1879 (*tfm_mutex) = NULL; 1899 (*tfm_mutex) = NULL;
1900
1880 mutex_lock(&key_tfm_list_mutex); 1901 mutex_lock(&key_tfm_list_mutex);
1881 list_for_each_entry(key_tfm, &key_tfm_list, key_tfm_list) { 1902 if (!ecryptfs_tfm_exists(cipher_name, &key_tfm)) {
1882 if (strcmp(key_tfm->cipher_name, cipher_name) == 0) { 1903 rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0);
1883 (*tfm) = key_tfm->key_tfm; 1904 if (rc) {
1884 (*tfm_mutex) = &key_tfm->key_tfm_mutex; 1905 printk(KERN_ERR "Error adding new key_tfm to list; "
1885 mutex_unlock(&key_tfm_list_mutex); 1906 "rc = [%d]\n", rc);
1886 goto out; 1907 goto out;
1887 } 1908 }
1888 } 1909 }
1889 mutex_unlock(&key_tfm_list_mutex); 1910 mutex_unlock(&key_tfm_list_mutex);
1890 rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0);
1891 if (rc) {
1892 printk(KERN_ERR "Error adding new key_tfm to list; rc = [%d]\n",
1893 rc);
1894 goto out;
1895 }
1896 (*tfm) = key_tfm->key_tfm; 1911 (*tfm) = key_tfm->key_tfm;
1897 (*tfm_mutex) = &key_tfm->key_tfm_mutex; 1912 (*tfm_mutex) = &key_tfm->key_tfm_mutex;
1898out: 1913out:
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-29 04:06:52 -0500