aboutsummaryrefslogtreecommitdiffstats
path: root/fs/ecryptfs/crypto.c
diff options
context:
space:
mode:
Diffstat (limited to 'fs/ecryptfs/crypto.c')
-rw-r--r--fs/ecryptfs/crypto.c514
1 files changed, 432 insertions, 82 deletions
diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
index 6046239465a1..c01e043670e2 100644
--- a/fs/ecryptfs/crypto.c
+++ b/fs/ecryptfs/crypto.c
@@ -175,8 +175,8 @@ out:
175 * 175 *
176 * Returns zero on success; non-zero on error. 176 * Returns zero on success; non-zero on error.
177 */ 177 */
178static int ecryptfs_derive_iv(char *iv, struct ecryptfs_crypt_stat *crypt_stat, 178int ecryptfs_derive_iv(char *iv, struct ecryptfs_crypt_stat *crypt_stat,
179 loff_t offset) 179 loff_t offset)
180{ 180{
181 int rc = 0; 181 int rc = 0;
182 char dst[MD5_DIGEST_SIZE]; 182 char dst[MD5_DIGEST_SIZE];
@@ -924,6 +924,15 @@ static void ecryptfs_copy_mount_wide_flags_to_inode_flags(
924 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR; 924 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
925 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) 925 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
926 crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED; 926 crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED;
927 if (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) {
928 crypt_stat->flags |= ECRYPTFS_ENCRYPT_FILENAMES;
929 if (mount_crypt_stat->flags
930 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)
931 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_MOUNT_FNEK;
932 else if (mount_crypt_stat->flags
933 & ECRYPTFS_GLOBAL_ENCFN_USE_FEK)
934 crypt_stat->flags |= ECRYPTFS_ENCFN_USE_FEK;
935 }
927} 936}
928 937
929static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs( 938static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs(
@@ -1060,7 +1069,8 @@ struct ecryptfs_flag_map_elem {
1060static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = { 1069static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = {
1061 {0x00000001, ECRYPTFS_ENABLE_HMAC}, 1070 {0x00000001, ECRYPTFS_ENABLE_HMAC},
1062 {0x00000002, ECRYPTFS_ENCRYPTED}, 1071 {0x00000002, ECRYPTFS_ENCRYPTED},
1063 {0x00000004, ECRYPTFS_METADATA_IN_XATTR} 1072 {0x00000004, ECRYPTFS_METADATA_IN_XATTR},
1073 {0x00000008, ECRYPTFS_ENCRYPT_FILENAMES}
1064}; 1074};
1065 1075
1066/** 1076/**
@@ -1149,19 +1159,20 @@ ecryptfs_cipher_code_str_map[] = {
1149 1159
1150/** 1160/**
1151 * ecryptfs_code_for_cipher_string 1161 * ecryptfs_code_for_cipher_string
1152 * @crypt_stat: The cryptographic context 1162 * @cipher_name: The string alias for the cipher
1163 * @key_bytes: Length of key in bytes; used for AES code selection
1153 * 1164 *
1154 * Returns zero on no match, or the cipher code on match 1165 * Returns zero on no match, or the cipher code on match
1155 */ 1166 */
1156u8 ecryptfs_code_for_cipher_string(struct ecryptfs_crypt_stat *crypt_stat) 1167u8 ecryptfs_code_for_cipher_string(char *cipher_name, size_t key_bytes)
1157{ 1168{
1158 int i; 1169 int i;
1159 u8 code = 0; 1170 u8 code = 0;
1160 struct ecryptfs_cipher_code_str_map_elem *map = 1171 struct ecryptfs_cipher_code_str_map_elem *map =
1161 ecryptfs_cipher_code_str_map; 1172 ecryptfs_cipher_code_str_map;
1162 1173
1163 if (strcmp(crypt_stat->cipher, "aes") == 0) { 1174 if (strcmp(cipher_name, "aes") == 0) {
1164 switch (crypt_stat->key_size) { 1175 switch (key_bytes) {
1165 case 16: 1176 case 16:
1166 code = RFC2440_CIPHER_AES_128; 1177 code = RFC2440_CIPHER_AES_128;
1167 break; 1178 break;
@@ -1173,7 +1184,7 @@ u8 ecryptfs_code_for_cipher_string(struct ecryptfs_crypt_stat *crypt_stat)
1173 } 1184 }
1174 } else { 1185 } else {
1175 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++) 1186 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++)
1176 if (strcmp(crypt_stat->cipher, map[i].cipher_str) == 0){ 1187 if (strcmp(cipher_name, map[i].cipher_str) == 0) {
1177 code = map[i].cipher_code; 1188 code = map[i].cipher_code;
1178 break; 1189 break;
1179 } 1190 }
@@ -1212,6 +1223,8 @@ int ecryptfs_read_and_validate_header_region(char *data,
1212 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat); 1223 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
1213 int rc; 1224 int rc;
1214 1225
1226 if (crypt_stat->extent_size == 0)
1227 crypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE;
1215 rc = ecryptfs_read_lower(data, 0, crypt_stat->extent_size, 1228 rc = ecryptfs_read_lower(data, 0, crypt_stat->extent_size,
1216 ecryptfs_inode); 1229 ecryptfs_inode);
1217 if (rc) { 1230 if (rc) {
@@ -1221,7 +1234,6 @@ int ecryptfs_read_and_validate_header_region(char *data,
1221 } 1234 }
1222 if (!contains_ecryptfs_marker(data + ECRYPTFS_FILE_SIZE_BYTES)) { 1235 if (!contains_ecryptfs_marker(data + ECRYPTFS_FILE_SIZE_BYTES)) {
1223 rc = -EINVAL; 1236 rc = -EINVAL;
1224 ecryptfs_printk(KERN_DEBUG, "Valid marker not found\n");
1225 } 1237 }
1226out: 1238out:
1227 return rc; 1239 return rc;
@@ -1628,95 +1640,95 @@ out:
1628} 1640}
1629 1641
1630/** 1642/**
1631 * ecryptfs_encode_filename - converts a plaintext file name to cipher text 1643 * ecryptfs_encrypt_filename - encrypt filename
1632 * @crypt_stat: The crypt_stat struct associated with the file anem to encode
1633 * @name: The plaintext name
1634 * @length: The length of the plaintext
1635 * @encoded_name: The encypted name
1636 * 1644 *
1637 * Encrypts and encodes a filename into something that constitutes a 1645 * CBC-encrypts the filename. We do not want to encrypt the same
1638 * valid filename for a filesystem, with printable characters. 1646 * filename with the same key and IV, which may happen with hard
1647 * links, so we prepend random bits to each filename.
1639 * 1648 *
1640 * We assume that we have a properly initialized crypto context, 1649 * Returns zero on success; non-zero otherwise
1641 * pointed to by crypt_stat->tfm.
1642 *
1643 * TODO: Implement filename decoding and decryption here, in place of
1644 * memcpy. We are keeping the framework around for now to (1)
1645 * facilitate testing of the components needed to implement filename
1646 * encryption and (2) to provide a code base from which other
1647 * developers in the community can easily implement this feature.
1648 *
1649 * Returns the length of encoded filename; negative if error
1650 */ 1650 */
1651int 1651static int
1652ecryptfs_encode_filename(struct ecryptfs_crypt_stat *crypt_stat, 1652ecryptfs_encrypt_filename(struct ecryptfs_filename *filename,
1653 const char *name, int length, char **encoded_name) 1653 struct ecryptfs_crypt_stat *crypt_stat,
1654 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
1654{ 1655{
1655 int error = 0; 1656 int rc = 0;
1656 1657
1657 (*encoded_name) = kmalloc(length + 2, GFP_KERNEL); 1658 filename->encrypted_filename = NULL;
1658 if (!(*encoded_name)) { 1659 filename->encrypted_filename_size = 0;
1659 error = -ENOMEM; 1660 if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
1661 || (mount_crypt_stat && (mount_crypt_stat->flags
1662 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) {
1663 size_t packet_size;
1664 size_t remaining_bytes;
1665
1666 rc = ecryptfs_write_tag_70_packet(
1667 NULL, NULL,
1668 &filename->encrypted_filename_size,
1669 mount_crypt_stat, NULL,
1670 filename->filename_size);
1671 if (rc) {
1672 printk(KERN_ERR "%s: Error attempting to get packet "
1673 "size for tag 72; rc = [%d]\n", __func__,
1674 rc);
1675 filename->encrypted_filename_size = 0;
1676 goto out;
1677 }
1678 filename->encrypted_filename =
1679 kmalloc(filename->encrypted_filename_size, GFP_KERNEL);
1680 if (!filename->encrypted_filename) {
1681 printk(KERN_ERR "%s: Out of memory whilst attempting "
1682 "to kmalloc [%zd] bytes\n", __func__,
1683 filename->encrypted_filename_size);
1684 rc = -ENOMEM;
1685 goto out;
1686 }
1687 remaining_bytes = filename->encrypted_filename_size;
1688 rc = ecryptfs_write_tag_70_packet(filename->encrypted_filename,
1689 &remaining_bytes,
1690 &packet_size,
1691 mount_crypt_stat,
1692 filename->filename,
1693 filename->filename_size);
1694 if (rc) {
1695 printk(KERN_ERR "%s: Error attempting to generate "
1696 "tag 70 packet; rc = [%d]\n", __func__,
1697 rc);
1698 kfree(filename->encrypted_filename);
1699 filename->encrypted_filename = NULL;
1700 filename->encrypted_filename_size = 0;
1701 goto out;
1702 }
1703 filename->encrypted_filename_size = packet_size;
1704 } else {
1705 printk(KERN_ERR "%s: No support for requested filename "
1706 "encryption method in this release\n", __func__);
1707 rc = -ENOTSUPP;
1660 goto out; 1708 goto out;
1661 } 1709 }
1662 /* TODO: Filename encryption is a scheduled feature for a
1663 * future version of eCryptfs. This function is here only for
1664 * the purpose of providing a framework for other developers
1665 * to easily implement filename encryption. Hint: Replace this
1666 * memcpy() with a call to encrypt and encode the
1667 * filename, the set the length accordingly. */
1668 memcpy((void *)(*encoded_name), (void *)name, length);
1669 (*encoded_name)[length] = '\0';
1670 error = length + 1;
1671out: 1710out:
1672 return error; 1711 return rc;
1673} 1712}
1674 1713
1675/** 1714static int ecryptfs_copy_filename(char **copied_name, size_t *copied_name_size,
1676 * ecryptfs_decode_filename - converts the cipher text name to plaintext 1715 const char *name, size_t name_size)
1677 * @crypt_stat: The crypt_stat struct associated with the file
1678 * @name: The filename in cipher text
1679 * @length: The length of the cipher text name
1680 * @decrypted_name: The plaintext name
1681 *
1682 * Decodes and decrypts the filename.
1683 *
1684 * We assume that we have a properly initialized crypto context,
1685 * pointed to by crypt_stat->tfm.
1686 *
1687 * TODO: Implement filename decoding and decryption here, in place of
1688 * memcpy. We are keeping the framework around for now to (1)
1689 * facilitate testing of the components needed to implement filename
1690 * encryption and (2) to provide a code base from which other
1691 * developers in the community can easily implement this feature.
1692 *
1693 * Returns the length of decoded filename; negative if error
1694 */
1695int
1696ecryptfs_decode_filename(struct ecryptfs_crypt_stat *crypt_stat,
1697 const char *name, int length, char **decrypted_name)
1698{ 1716{
1699 int error = 0; 1717 int rc = 0;
1700 1718
1701 (*decrypted_name) = kmalloc(length + 2, GFP_KERNEL); 1719 (*copied_name) = kmalloc((name_size + 2), GFP_KERNEL);
1702 if (!(*decrypted_name)) { 1720 if (!(*copied_name)) {
1703 error = -ENOMEM; 1721 rc = -ENOMEM;
1704 goto out; 1722 goto out;
1705 } 1723 }
1706 /* TODO: Filename encryption is a scheduled feature for a 1724 memcpy((void *)(*copied_name), (void *)name, name_size);
1707 * future version of eCryptfs. This function is here only for 1725 (*copied_name)[(name_size)] = '\0'; /* Only for convenience
1708 * the purpose of providing a framework for other developers
1709 * to easily implement filename encryption. Hint: Replace this
1710 * memcpy() with a call to decode and decrypt the
1711 * filename, the set the length accordingly. */
1712 memcpy((void *)(*decrypted_name), (void *)name, length);
1713 (*decrypted_name)[length + 1] = '\0'; /* Only for convenience
1714 * in printing out the 1726 * in printing out the
1715 * string in debug 1727 * string in debug
1716 * messages */ 1728 * messages */
1717 error = length; 1729 (*copied_name_size) = (name_size + 1);
1718out: 1730out:
1719 return error; 1731 return rc;
1720} 1732}
1721 1733
1722/** 1734/**
@@ -1740,7 +1752,7 @@ ecryptfs_process_key_cipher(struct crypto_blkcipher **key_tfm,
1740 *key_tfm = NULL; 1752 *key_tfm = NULL;
1741 if (*key_size > ECRYPTFS_MAX_KEY_BYTES) { 1753 if (*key_size > ECRYPTFS_MAX_KEY_BYTES) {
1742 rc = -EINVAL; 1754 rc = -EINVAL;
1743 printk(KERN_ERR "Requested key size is [%Zd] bytes; maximum " 1755 printk(KERN_ERR "Requested key size is [%zd] bytes; maximum "
1744 "allowable is [%d]\n", *key_size, ECRYPTFS_MAX_KEY_BYTES); 1756 "allowable is [%d]\n", *key_size, ECRYPTFS_MAX_KEY_BYTES);
1745 goto out; 1757 goto out;
1746 } 1758 }
@@ -1765,7 +1777,7 @@ ecryptfs_process_key_cipher(struct crypto_blkcipher **key_tfm,
1765 get_random_bytes(dummy_key, *key_size); 1777 get_random_bytes(dummy_key, *key_size);
1766 rc = crypto_blkcipher_setkey(*key_tfm, dummy_key, *key_size); 1778 rc = crypto_blkcipher_setkey(*key_tfm, dummy_key, *key_size);
1767 if (rc) { 1779 if (rc) {
1768 printk(KERN_ERR "Error attempting to set key of size [%Zd] for " 1780 printk(KERN_ERR "Error attempting to set key of size [%zd] for "
1769 "cipher [%s]; rc = [%d]\n", *key_size, cipher_name, rc); 1781 "cipher [%s]; rc = [%d]\n", *key_size, cipher_name, rc);
1770 rc = -EINVAL; 1782 rc = -EINVAL;
1771 goto out; 1783 goto out;
@@ -1910,3 +1922,341 @@ out:
1910 mutex_unlock(&key_tfm_list_mutex); 1922 mutex_unlock(&key_tfm_list_mutex);
1911 return rc; 1923 return rc;
1912} 1924}
1925
1926/* 64 characters forming a 6-bit target field */
1927static unsigned char *portable_filename_chars = ("-.0123456789ABCD"
1928 "EFGHIJKLMNOPQRST"
1929 "UVWXYZabcdefghij"
1930 "klmnopqrstuvwxyz");
1931
1932/* We could either offset on every reverse map or just pad some 0x00's
1933 * at the front here */
1934static const unsigned char filename_rev_map[] = {
1935 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 7 */
1936 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 15 */
1937 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 23 */
1938 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 31 */
1939 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 39 */
1940 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, /* 47 */
1941 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, /* 55 */
1942 0x0A, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 63 */
1943 0x00, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, /* 71 */
1944 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, /* 79 */
1945 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, /* 87 */
1946 0x23, 0x24, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, /* 95 */
1947 0x00, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, /* 103 */
1948 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, /* 111 */
1949 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, /* 119 */
1950 0x3D, 0x3E, 0x3F
1951};
1952
1953/**
1954 * ecryptfs_encode_for_filename
1955 * @dst: Destination location for encoded filename
1956 * @dst_size: Size of the encoded filename in bytes
1957 * @src: Source location for the filename to encode
1958 * @src_size: Size of the source in bytes
1959 */
1960void ecryptfs_encode_for_filename(unsigned char *dst, size_t *dst_size,
1961 unsigned char *src, size_t src_size)
1962{
1963 size_t num_blocks;
1964 size_t block_num = 0;
1965 size_t dst_offset = 0;
1966 unsigned char last_block[3];
1967
1968 if (src_size == 0) {
1969 (*dst_size) = 0;
1970 goto out;
1971 }
1972 num_blocks = (src_size / 3);
1973 if ((src_size % 3) == 0) {
1974 memcpy(last_block, (&src[src_size - 3]), 3);
1975 } else {
1976 num_blocks++;
1977 last_block[2] = 0x00;
1978 switch (src_size % 3) {
1979 case 1:
1980 last_block[0] = src[src_size - 1];
1981 last_block[1] = 0x00;
1982 break;
1983 case 2:
1984 last_block[0] = src[src_size - 2];
1985 last_block[1] = src[src_size - 1];
1986 }
1987 }
1988 (*dst_size) = (num_blocks * 4);
1989 if (!dst)
1990 goto out;
1991 while (block_num < num_blocks) {
1992 unsigned char *src_block;
1993 unsigned char dst_block[4];
1994
1995 if (block_num == (num_blocks - 1))
1996 src_block = last_block;
1997 else
1998 src_block = &src[block_num * 3];
1999 dst_block[0] = ((src_block[0] >> 2) & 0x3F);
2000 dst_block[1] = (((src_block[0] << 4) & 0x30)
2001 | ((src_block[1] >> 4) & 0x0F));
2002 dst_block[2] = (((src_block[1] << 2) & 0x3C)
2003 | ((src_block[2] >> 6) & 0x03));
2004 dst_block[3] = (src_block[2] & 0x3F);
2005 dst[dst_offset++] = portable_filename_chars[dst_block[0]];
2006 dst[dst_offset++] = portable_filename_chars[dst_block[1]];
2007 dst[dst_offset++] = portable_filename_chars[dst_block[2]];
2008 dst[dst_offset++] = portable_filename_chars[dst_block[3]];
2009 block_num++;
2010 }
2011out:
2012 return;
2013}
2014
2015/**
2016 * ecryptfs_decode_from_filename
2017 * @dst: If NULL, this function only sets @dst_size and returns. If
2018 * non-NULL, this function decodes the encoded octets in @src
2019 * into the memory that @dst points to.
2020 * @dst_size: Set to the size of the decoded string.
2021 * @src: The encoded set of octets to decode.
2022 * @src_size: The size of the encoded set of octets to decode.
2023 */
2024static void
2025ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
2026 const unsigned char *src, size_t src_size)
2027{
2028 u8 current_bit_offset = 0;
2029 size_t src_byte_offset = 0;
2030 size_t dst_byte_offset = 0;
2031
2032 if (dst == NULL) {
2033 /* Not exact; conservatively long. Every block of 4
2034 * encoded characters decodes into a block of 3
2035 * decoded characters. This segment of code provides
2036 * the caller with the maximum amount of allocated
2037 * space that @dst will need to point to in a
2038 * subsequent call. */
2039 (*dst_size) = (((src_size + 1) * 3) / 4);
2040 goto out;
2041 }
2042 while (src_byte_offset < src_size) {
2043 unsigned char src_byte =
2044 filename_rev_map[(int)src[src_byte_offset]];
2045
2046 switch (current_bit_offset) {
2047 case 0:
2048 dst[dst_byte_offset] = (src_byte << 2);
2049 current_bit_offset = 6;
2050 break;
2051 case 6:
2052 dst[dst_byte_offset++] |= (src_byte >> 4);
2053 dst[dst_byte_offset] = ((src_byte & 0xF)
2054 << 4);
2055 current_bit_offset = 4;
2056 break;
2057 case 4:
2058 dst[dst_byte_offset++] |= (src_byte >> 2);
2059 dst[dst_byte_offset] = (src_byte << 6);
2060 current_bit_offset = 2;
2061 break;
2062 case 2:
2063 dst[dst_byte_offset++] |= (src_byte);
2064 dst[dst_byte_offset] = 0;
2065 current_bit_offset = 0;
2066 break;
2067 }
2068 src_byte_offset++;
2069 }
2070 (*dst_size) = dst_byte_offset;
2071out:
2072 return;
2073}
2074
2075/**
2076 * ecryptfs_encrypt_and_encode_filename - converts a plaintext file name to cipher text
2077 * @crypt_stat: The crypt_stat struct associated with the file anem to encode
2078 * @name: The plaintext name
2079 * @length: The length of the plaintext
2080 * @encoded_name: The encypted name
2081 *
2082 * Encrypts and encodes a filename into something that constitutes a
2083 * valid filename for a filesystem, with printable characters.
2084 *
2085 * We assume that we have a properly initialized crypto context,
2086 * pointed to by crypt_stat->tfm.
2087 *
2088 * Returns zero on success; non-zero on otherwise
2089 */
2090int ecryptfs_encrypt_and_encode_filename(
2091 char **encoded_name,
2092 size_t *encoded_name_size,
2093 struct ecryptfs_crypt_stat *crypt_stat,
2094 struct ecryptfs_mount_crypt_stat *mount_crypt_stat,
2095 const char *name, size_t name_size)
2096{
2097 size_t encoded_name_no_prefix_size;
2098 int rc = 0;
2099
2100 (*encoded_name) = NULL;
2101 (*encoded_name_size) = 0;
2102 if ((crypt_stat && (crypt_stat->flags & ECRYPTFS_ENCRYPT_FILENAMES))
2103 || (mount_crypt_stat && (mount_crypt_stat->flags
2104 & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES))) {
2105 struct ecryptfs_filename *filename;
2106
2107 filename = kzalloc(sizeof(*filename), GFP_KERNEL);
2108 if (!filename) {
2109 printk(KERN_ERR "%s: Out of memory whilst attempting "
2110 "to kzalloc [%zd] bytes\n", __func__,
2111 sizeof(*filename));
2112 rc = -ENOMEM;
2113 goto out;
2114 }
2115 filename->filename = (char *)name;
2116 filename->filename_size = name_size;
2117 rc = ecryptfs_encrypt_filename(filename, crypt_stat,
2118 mount_crypt_stat);
2119 if (rc) {
2120 printk(KERN_ERR "%s: Error attempting to encrypt "
2121 "filename; rc = [%d]\n", __func__, rc);
2122 kfree(filename);
2123 goto out;
2124 }
2125 ecryptfs_encode_for_filename(
2126 NULL, &encoded_name_no_prefix_size,
2127 filename->encrypted_filename,
2128 filename->encrypted_filename_size);
2129 if ((crypt_stat && (crypt_stat->flags
2130 & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
2131 || (mount_crypt_stat
2132 && (mount_crypt_stat->flags
2133 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)))
2134 (*encoded_name_size) =
2135 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
2136 + encoded_name_no_prefix_size);
2137 else
2138 (*encoded_name_size) =
2139 (ECRYPTFS_FEK_ENCRYPTED_FILENAME_PREFIX_SIZE
2140 + encoded_name_no_prefix_size);
2141 (*encoded_name) = kmalloc((*encoded_name_size) + 1, GFP_KERNEL);
2142 if (!(*encoded_name)) {
2143 printk(KERN_ERR "%s: Out of memory whilst attempting "
2144 "to kzalloc [%zd] bytes\n", __func__,
2145 (*encoded_name_size));
2146 rc = -ENOMEM;
2147 kfree(filename->encrypted_filename);
2148 kfree(filename);
2149 goto out;
2150 }
2151 if ((crypt_stat && (crypt_stat->flags
2152 & ECRYPTFS_ENCFN_USE_MOUNT_FNEK))
2153 || (mount_crypt_stat
2154 && (mount_crypt_stat->flags
2155 & ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK))) {
2156 memcpy((*encoded_name),
2157 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
2158 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE);
2159 ecryptfs_encode_for_filename(
2160 ((*encoded_name)
2161 + ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE),
2162 &encoded_name_no_prefix_size,
2163 filename->encrypted_filename,
2164 filename->encrypted_filename_size);
2165 (*encoded_name_size) =
2166 (ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE
2167 + encoded_name_no_prefix_size);
2168 (*encoded_name)[(*encoded_name_size)] = '\0';
2169 (*encoded_name_size)++;
2170 } else {
2171 rc = -ENOTSUPP;
2172 }
2173 if (rc) {
2174 printk(KERN_ERR "%s: Error attempting to encode "
2175 "encrypted filename; rc = [%d]\n", __func__,
2176 rc);
2177 kfree((*encoded_name));
2178 (*encoded_name) = NULL;
2179 (*encoded_name_size) = 0;
2180 }
2181 kfree(filename->encrypted_filename);
2182 kfree(filename);
2183 } else {
2184 rc = ecryptfs_copy_filename(encoded_name,
2185 encoded_name_size,
2186 name, name_size);
2187 }
2188out:
2189 return rc;
2190}
2191
2192/**
2193 * ecryptfs_decode_and_decrypt_filename - converts the encoded cipher text name to decoded plaintext
2194 * @plaintext_name: The plaintext name
2195 * @plaintext_name_size: The plaintext name size
2196 * @ecryptfs_dir_dentry: eCryptfs directory dentry
2197 * @name: The filename in cipher text
2198 * @name_size: The cipher text name size
2199 *
2200 * Decrypts and decodes the filename.
2201 *
2202 * Returns zero on error; non-zero otherwise
2203 */
2204int ecryptfs_decode_and_decrypt_filename(char **plaintext_name,
2205 size_t *plaintext_name_size,
2206 struct dentry *ecryptfs_dir_dentry,
2207 const char *name, size_t name_size)
2208{
2209 char *decoded_name;
2210 size_t decoded_name_size;
2211 size_t packet_size;
2212 int rc = 0;
2213
2214 if ((name_size > ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE)
2215 && (strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
2216 ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) == 0)) {
2217 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
2218 &ecryptfs_superblock_to_private(
2219 ecryptfs_dir_dentry->d_sb)->mount_crypt_stat;
2220 const char *orig_name = name;
2221 size_t orig_name_size = name_size;
2222
2223 name += ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2224 name_size -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
2225 ecryptfs_decode_from_filename(NULL, &decoded_name_size,
2226 name, name_size);
2227 decoded_name = kmalloc(decoded_name_size, GFP_KERNEL);
2228 if (!decoded_name) {
2229 printk(KERN_ERR "%s: Out of memory whilst attempting "
2230 "to kmalloc [%zd] bytes\n", __func__,
2231 decoded_name_size);
2232 rc = -ENOMEM;
2233 goto out;
2234 }
2235 ecryptfs_decode_from_filename(decoded_name, &decoded_name_size,
2236 name, name_size);
2237 rc = ecryptfs_parse_tag_70_packet(plaintext_name,
2238 plaintext_name_size,
2239 &packet_size,
2240 mount_crypt_stat,
2241 decoded_name,
2242 decoded_name_size);
2243 if (rc) {
2244 printk(KERN_INFO "%s: Could not parse tag 70 packet "
2245 "from filename; copying through filename "
2246 "as-is\n", __func__);
2247 rc = ecryptfs_copy_filename(plaintext_name,
2248 plaintext_name_size,
2249 orig_name, orig_name_size);
2250 goto out_free;
2251 }
2252 } else {
2253 rc = ecryptfs_copy_filename(plaintext_name,
2254 plaintext_name_size,
2255 name, name_size);
2256 goto out;
2257 }
2258out_free:
2259 kfree(decoded_name);
2260out:
2261 return rc;
2262}
generated by cgit v1.2.2 (git 2.25.0) at 2025-12-16 15:11:00 -0500