1 /** 2 * eCryptfs: Linux filesystem encryption layer 3 * 4 * Copyright (C) 1997-2004 Erez Zadok 5 * Copyright (C) 2001-2004 Stony Brook University 6 * Copyright (C) 2004-2007 International Business Machines Corp. 7 * Author(s): Michael A. Halcrow <mahalcro@us.ibm.com> 8 * Michael C. Thompson <mcthomps@us.ibm.com> 9 * 10 * This program is free software; you can redistribute it and/or 11 * modify it under the terms of the GNU General Public License as 12 * published by the Free Software Foundation; either version 2 of the 13 * License, or (at your option) any later version. 14 * 15 * This program is distributed in the hope that it will be useful, but 16 * WITHOUT ANY WARRANTY; without even the implied warranty of 17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 18 * General Public License for more details. 19 * 20 * You should have received a copy of the GNU General Public License 21 * along with this program; if not, write to the Free Software 22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 23 * 02111-1307, USA. 24 */ 25 26 #include <linux/fs.h> 27 #include <linux/mount.h> 28 #include <linux/pagemap.h> 29 #include <linux/random.h> 30 #include <linux/compiler.h> 31 #include <linux/key.h> 32 #include <linux/namei.h> 33 #include <linux/crypto.h> 34 #include <linux/file.h> 35 #include <linux/scatterlist.h> 36 #include <asm/unaligned.h> 37 #include "ecryptfs_kernel.h" 38 39 static int 40 ecryptfs_decrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat, 41 struct page *dst_page, int dst_offset, 42 struct page *src_page, int src_offset, int size, 43 unsigned char *iv); 44 static int 45 ecryptfs_encrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat, 46 struct page *dst_page, int dst_offset, 47 struct page *src_page, int src_offset, int size, 48 unsigned char *iv); 49 50 /** 51 * ecryptfs_to_hex 52 * @dst: Buffer to take hex character representation of contents of 53 * src; must be at least of size (src_size * 2) 54 * @src: Buffer to be converted to a hex string respresentation 55 * @src_size: number of bytes to convert 56 */ 57 void ecryptfs_to_hex(char *dst, char *src, size_t src_size) 58 { 59 int x; 60 61 for (x = 0; x < src_size; x++) 62 sprintf(&dst[x * 2], "%.2x", (unsigned char)src[x]); 63 } 64 65 /** 66 * ecryptfs_from_hex 67 * @dst: Buffer to take the bytes from src hex; must be at least of 68 * size (src_size / 2) 69 * @src: Buffer to be converted from a hex string respresentation to raw value 70 * @dst_size: size of dst buffer, or number of hex characters pairs to convert 71 */ 72 void ecryptfs_from_hex(char *dst, char *src, int dst_size) 73 { 74 int x; 75 char tmp[3] = { 0, }; 76 77 for (x = 0; x < dst_size; x++) { 78 tmp[0] = src[x * 2]; 79 tmp[1] = src[x * 2 + 1]; 80 dst[x] = (unsigned char)simple_strtol(tmp, NULL, 16); 81 } 82 } 83 84 /** 85 * ecryptfs_calculate_md5 - calculates the md5 of @src 86 * @dst: Pointer to 16 bytes of allocated memory 87 * @crypt_stat: Pointer to crypt_stat struct for the current inode 88 * @src: Data to be md5'd 89 * @len: Length of @src 90 * 91 * Uses the allocated crypto context that crypt_stat references to 92 * generate the MD5 sum of the contents of src. 93 */ 94 static int ecryptfs_calculate_md5(char *dst, 95 struct ecryptfs_crypt_stat *crypt_stat, 96 char *src, int len) 97 { 98 struct scatterlist sg; 99 struct hash_desc desc = { 100 .tfm = crypt_stat->hash_tfm, 101 .flags = CRYPTO_TFM_REQ_MAY_SLEEP 102 }; 103 int rc = 0; 104 105 mutex_lock(&crypt_stat->cs_hash_tfm_mutex); 106 sg_init_one(&sg, (u8 *)src, len); 107 if (!desc.tfm) { 108 desc.tfm = crypto_alloc_hash(ECRYPTFS_DEFAULT_HASH, 0, 109 CRYPTO_ALG_ASYNC); 110 if (IS_ERR(desc.tfm)) { 111 rc = PTR_ERR(desc.tfm); 112 ecryptfs_printk(KERN_ERR, "Error attempting to " 113 "allocate crypto context; rc = [%d]\n", 114 rc); 115 goto out; 116 } 117 crypt_stat->hash_tfm = desc.tfm; 118 } 119 rc = crypto_hash_init(&desc); 120 if (rc) { 121 printk(KERN_ERR 122 "%s: Error initializing crypto hash; rc = [%d]\n", 123 __func__, rc); 124 goto out; 125 } 126 rc = crypto_hash_update(&desc, &sg, len); 127 if (rc) { 128 printk(KERN_ERR 129 "%s: Error updating crypto hash; rc = [%d]\n", 130 __func__, rc); 131 goto out; 132 } 133 rc = crypto_hash_final(&desc, dst); 134 if (rc) { 135 printk(KERN_ERR 136 "%s: Error finalizing crypto hash; rc = [%d]\n", 137 __func__, rc); 138 goto out; 139 } 140 out: 141 mutex_unlock(&crypt_stat->cs_hash_tfm_mutex); 142 return rc; 143 } 144 145 static int ecryptfs_crypto_api_algify_cipher_name(char **algified_name, 146 char *cipher_name, 147 char *chaining_modifier) 148 { 149 int cipher_name_len = strlen(cipher_name); 150 int chaining_modifier_len = strlen(chaining_modifier); 151 int algified_name_len; 152 int rc; 153 154 algified_name_len = (chaining_modifier_len + cipher_name_len + 3); 155 (*algified_name) = kmalloc(algified_name_len, GFP_KERNEL); 156 if (!(*algified_name)) { 157 rc = -ENOMEM; 158 goto out; 159 } 160 snprintf((*algified_name), algified_name_len, "%s(%s)", 161 chaining_modifier, cipher_name); 162 rc = 0; 163 out: 164 return rc; 165 } 166 167 /** 168 * ecryptfs_derive_iv 169 * @iv: destination for the derived iv vale 170 * @crypt_stat: Pointer to crypt_stat struct for the current inode 171 * @offset: Offset of the extent whose IV we are to derive 172 * 173 * Generate the initialization vector from the given root IV and page 174 * offset. 175 * 176 * Returns zero on success; non-zero on error. 177 */ 178 int ecryptfs_derive_iv(char *iv, struct ecryptfs_crypt_stat *crypt_stat, 179 loff_t offset) 180 { 181 int rc = 0; 182 char dst[MD5_DIGEST_SIZE]; 183 char src[ECRYPTFS_MAX_IV_BYTES + 16]; 184 185 if (unlikely(ecryptfs_verbosity > 0)) { 186 ecryptfs_printk(KERN_DEBUG, "root iv:\n"); 187 ecryptfs_dump_hex(crypt_stat->root_iv, crypt_stat->iv_bytes); 188 } 189 /* TODO: It is probably secure to just cast the least 190 * significant bits of the root IV into an unsigned long and 191 * add the offset to that rather than go through all this 192 * hashing business. -Halcrow */ 193 memcpy(src, crypt_stat->root_iv, crypt_stat->iv_bytes); 194 memset((src + crypt_stat->iv_bytes), 0, 16); 195 snprintf((src + crypt_stat->iv_bytes), 16, "%lld", offset); 196 if (unlikely(ecryptfs_verbosity > 0)) { 197 ecryptfs_printk(KERN_DEBUG, "source:\n"); 198 ecryptfs_dump_hex(src, (crypt_stat->iv_bytes + 16)); 199 } 200 rc = ecryptfs_calculate_md5(dst, crypt_stat, src, 201 (crypt_stat->iv_bytes + 16)); 202 if (rc) { 203 ecryptfs_printk(KERN_WARNING, "Error attempting to compute " 204 "MD5 while generating IV for a page\n"); 205 goto out; 206 } 207 memcpy(iv, dst, crypt_stat->iv_bytes); 208 if (unlikely(ecryptfs_verbosity > 0)) { 209 ecryptfs_printk(KERN_DEBUG, "derived iv:\n"); 210 ecryptfs_dump_hex(iv, crypt_stat->iv_bytes); 211 } 212 out: 213 return rc; 214 } 215 216 /** 217 * ecryptfs_init_crypt_stat 218 * @crypt_stat: Pointer to the crypt_stat struct to initialize. 219 * 220 * Initialize the crypt_stat structure. 221 */ 222 void 223 ecryptfs_init_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat) 224 { 225 memset((void *)crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat)); 226 INIT_LIST_HEAD(&crypt_stat->keysig_list); 227 mutex_init(&crypt_stat->keysig_list_mutex); 228 mutex_init(&crypt_stat->cs_mutex); 229 mutex_init(&crypt_stat->cs_tfm_mutex); 230 mutex_init(&crypt_stat->cs_hash_tfm_mutex); 231 crypt_stat->flags |= ECRYPTFS_STRUCT_INITIALIZED; 232 } 233 234 /** 235 * ecryptfs_destroy_crypt_stat 236 * @crypt_stat: Pointer to the crypt_stat struct to initialize. 237 * 238 * Releases all memory associated with a crypt_stat struct. 239 */ 240 void ecryptfs_destroy_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat) 241 { 242 struct ecryptfs_key_sig *key_sig, *key_sig_tmp; 243 244 if (crypt_stat->tfm) 245 crypto_free_blkcipher(crypt_stat->tfm); 246 if (crypt_stat->hash_tfm) 247 crypto_free_hash(crypt_stat->hash_tfm); 248 mutex_lock(&crypt_stat->keysig_list_mutex); 249 list_for_each_entry_safe(key_sig, key_sig_tmp, 250 &crypt_stat->keysig_list, crypt_stat_list) { 251 list_del(&key_sig->crypt_stat_list); 252 kmem_cache_free(ecryptfs_key_sig_cache, key_sig); 253 } 254 mutex_unlock(&crypt_stat->keysig_list_mutex); 255 memset(crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat)); 256 } 257 258 void ecryptfs_destroy_mount_crypt_stat( 259 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 260 { 261 struct ecryptfs_global_auth_tok *auth_tok, *auth_tok_tmp; 262 263 if (!(mount_crypt_stat->flags & ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED)) 264 return; 265 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); 266 list_for_each_entry_safe(auth_tok, auth_tok_tmp, 267 &mount_crypt_stat->global_auth_tok_list, 268 mount_crypt_stat_list) { 269 list_del(&auth_tok->mount_crypt_stat_list); 270 mount_crypt_stat->num_global_auth_toks--; 271 if (auth_tok->global_auth_tok_key 272 && !(auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID)) 273 key_put(auth_tok->global_auth_tok_key); 274 kmem_cache_free(ecryptfs_global_auth_tok_cache, auth_tok); 275 } 276 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); 277 memset(mount_crypt_stat, 0, sizeof(struct ecryptfs_mount_crypt_stat)); 278 } 279 280 /** 281 * virt_to_scatterlist 282 * @addr: Virtual address 283 * @size: Size of data; should be an even multiple of the block size 284 * @sg: Pointer to scatterlist array; set to NULL to obtain only 285 * the number of scatterlist structs required in array 286 * @sg_size: Max array size 287 * 288 * Fills in a scatterlist array with page references for a passed 289 * virtual address. 290 * 291 * Returns the number of scatterlist structs in array used 292 */ 293 int virt_to_scatterlist(const void *addr, int size, struct scatterlist *sg, 294 int sg_size) 295 { 296 int i = 0; 297 struct page *pg; 298 int offset; 299 int remainder_of_page; 300 301 sg_init_table(sg, sg_size); 302 303 while (size > 0 && i < sg_size) { 304 pg = virt_to_page(addr); 305 offset = offset_in_page(addr); 306 if (sg) 307 sg_set_page(&sg[i], pg, 0, offset); 308 remainder_of_page = PAGE_CACHE_SIZE - offset; 309 if (size >= remainder_of_page) { 310 if (sg) 311 sg[i].length = remainder_of_page; 312 addr += remainder_of_page; 313 size -= remainder_of_page; 314 } else { 315 if (sg) 316 sg[i].length = size; 317 addr += size; 318 size = 0; 319 } 320 i++; 321 } 322 if (size > 0) 323 return -ENOMEM; 324 return i; 325 } 326 327 /** 328 * encrypt_scatterlist 329 * @crypt_stat: Pointer to the crypt_stat struct to initialize. 330 * @dest_sg: Destination of encrypted data 331 * @src_sg: Data to be encrypted 332 * @size: Length of data to be encrypted 333 * @iv: iv to use during encryption 334 * 335 * Returns the number of bytes encrypted; negative value on error 336 */ 337 static int encrypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat, 338 struct scatterlist *dest_sg, 339 struct scatterlist *src_sg, int size, 340 unsigned char *iv) 341 { 342 struct blkcipher_desc desc = { 343 .tfm = crypt_stat->tfm, 344 .info = iv, 345 .flags = CRYPTO_TFM_REQ_MAY_SLEEP 346 }; 347 int rc = 0; 348 349 BUG_ON(!crypt_stat || !crypt_stat->tfm 350 || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED)); 351 if (unlikely(ecryptfs_verbosity > 0)) { 352 ecryptfs_printk(KERN_DEBUG, "Key size [%d]; key:\n", 353 crypt_stat->key_size); 354 ecryptfs_dump_hex(crypt_stat->key, 355 crypt_stat->key_size); 356 } 357 /* Consider doing this once, when the file is opened */ 358 mutex_lock(&crypt_stat->cs_tfm_mutex); 359 if (!(crypt_stat->flags & ECRYPTFS_KEY_SET)) { 360 rc = crypto_blkcipher_setkey(crypt_stat->tfm, crypt_stat->key, 361 crypt_stat->key_size); 362 crypt_stat->flags |= ECRYPTFS_KEY_SET; 363 } 364 if (rc) { 365 ecryptfs_printk(KERN_ERR, "Error setting key; rc = [%d]\n", 366 rc); 367 mutex_unlock(&crypt_stat->cs_tfm_mutex); 368 rc = -EINVAL; 369 goto out; 370 } 371 ecryptfs_printk(KERN_DEBUG, "Encrypting [%d] bytes.\n", size); 372 crypto_blkcipher_encrypt_iv(&desc, dest_sg, src_sg, size); 373 mutex_unlock(&crypt_stat->cs_tfm_mutex); 374 out: 375 return rc; 376 } 377 378 /** 379 * ecryptfs_lower_offset_for_extent 380 * 381 * Convert an eCryptfs page index into a lower byte offset 382 */ 383 static void ecryptfs_lower_offset_for_extent(loff_t *offset, loff_t extent_num, 384 struct ecryptfs_crypt_stat *crypt_stat) 385 { 386 (*offset) = (crypt_stat->num_header_bytes_at_front 387 + (crypt_stat->extent_size * extent_num)); 388 } 389 390 /** 391 * ecryptfs_encrypt_extent 392 * @enc_extent_page: Allocated page into which to encrypt the data in 393 * @page 394 * @crypt_stat: crypt_stat containing cryptographic context for the 395 * encryption operation 396 * @page: Page containing plaintext data extent to encrypt 397 * @extent_offset: Page extent offset for use in generating IV 398 * 399 * Encrypts one extent of data. 400 * 401 * Return zero on success; non-zero otherwise 402 */ 403 static int ecryptfs_encrypt_extent(struct page *enc_extent_page, 404 struct ecryptfs_crypt_stat *crypt_stat, 405 struct page *page, 406 unsigned long extent_offset) 407 { 408 loff_t extent_base; 409 char extent_iv[ECRYPTFS_MAX_IV_BYTES]; 410 int rc; 411 412 extent_base = (((loff_t)page->index) 413 * (PAGE_CACHE_SIZE / crypt_stat->extent_size)); 414 rc = ecryptfs_derive_iv(extent_iv, crypt_stat, 415 (extent_base + extent_offset)); 416 if (rc) { 417 ecryptfs_printk(KERN_ERR, "Error attempting to " 418 "derive IV for extent [0x%.16x]; " 419 "rc = [%d]\n", (extent_base + extent_offset), 420 rc); 421 goto out; 422 } 423 if (unlikely(ecryptfs_verbosity > 0)) { 424 ecryptfs_printk(KERN_DEBUG, "Encrypting extent " 425 "with iv:\n"); 426 ecryptfs_dump_hex(extent_iv, crypt_stat->iv_bytes); 427 ecryptfs_printk(KERN_DEBUG, "First 8 bytes before " 428 "encryption:\n"); 429 ecryptfs_dump_hex((char *) 430 (page_address(page) 431 + (extent_offset * crypt_stat->extent_size)), 432 8); 433 } 434 rc = ecryptfs_encrypt_page_offset(crypt_stat, enc_extent_page, 0, 435 page, (extent_offset 436 * crypt_stat->extent_size), 437 crypt_stat->extent_size, extent_iv); 438 if (rc < 0) { 439 printk(KERN_ERR "%s: Error attempting to encrypt page with " 440 "page->index = [%ld], extent_offset = [%ld]; " 441 "rc = [%d]\n", __func__, page->index, extent_offset, 442 rc); 443 goto out; 444 } 445 rc = 0; 446 if (unlikely(ecryptfs_verbosity > 0)) { 447 ecryptfs_printk(KERN_DEBUG, "Encrypt extent [0x%.16x]; " 448 "rc = [%d]\n", (extent_base + extent_offset), 449 rc); 450 ecryptfs_printk(KERN_DEBUG, "First 8 bytes after " 451 "encryption:\n"); 452 ecryptfs_dump_hex((char *)(page_address(enc_extent_page)), 8); 453 } 454 out: 455 return rc; 456 } 457 458 /** 459 * ecryptfs_encrypt_page 460 * @page: Page mapped from the eCryptfs inode for the file; contains 461 * decrypted content that needs to be encrypted (to a temporary 462 * page; not in place) and written out to the lower file 463 * 464 * Encrypt an eCryptfs page. This is done on a per-extent basis. Note 465 * that eCryptfs pages may straddle the lower pages -- for instance, 466 * if the file was created on a machine with an 8K page size 467 * (resulting in an 8K header), and then the file is copied onto a 468 * host with a 32K page size, then when reading page 0 of the eCryptfs 469 * file, 24K of page 0 of the lower file will be read and decrypted, 470 * and then 8K of page 1 of the lower file will be read and decrypted. 471 * 472 * Returns zero on success; negative on error 473 */ 474 int ecryptfs_encrypt_page(struct page *page) 475 { 476 struct inode *ecryptfs_inode; 477 struct ecryptfs_crypt_stat *crypt_stat; 478 char *enc_extent_virt; 479 struct page *enc_extent_page = NULL; 480 loff_t extent_offset; 481 int rc = 0; 482 483 ecryptfs_inode = page->mapping->host; 484 crypt_stat = 485 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat); 486 if (!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) { 487 rc = ecryptfs_write_lower_page_segment(ecryptfs_inode, page, 488 0, PAGE_CACHE_SIZE); 489 if (rc) 490 printk(KERN_ERR "%s: Error attempting to copy " 491 "page at index [%ld]\n", __func__, 492 page->index); 493 goto out; 494 } 495 enc_extent_page = alloc_page(GFP_USER); 496 if (!enc_extent_page) { 497 rc = -ENOMEM; 498 ecryptfs_printk(KERN_ERR, "Error allocating memory for " 499 "encrypted extent\n"); 500 goto out; 501 } 502 enc_extent_virt = kmap(enc_extent_page); 503 for (extent_offset = 0; 504 extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size); 505 extent_offset++) { 506 loff_t offset; 507 508 rc = ecryptfs_encrypt_extent(enc_extent_page, crypt_stat, page, 509 extent_offset); 510 if (rc) { 511 printk(KERN_ERR "%s: Error encrypting extent; " 512 "rc = [%d]\n", __func__, rc); 513 goto out; 514 } 515 ecryptfs_lower_offset_for_extent( 516 &offset, ((((loff_t)page->index) 517 * (PAGE_CACHE_SIZE 518 / crypt_stat->extent_size)) 519 + extent_offset), crypt_stat); 520 rc = ecryptfs_write_lower(ecryptfs_inode, enc_extent_virt, 521 offset, crypt_stat->extent_size); 522 if (rc) { 523 ecryptfs_printk(KERN_ERR, "Error attempting " 524 "to write lower page; rc = [%d]" 525 "\n", rc); 526 goto out; 527 } 528 } 529 out: 530 if (enc_extent_page) { 531 kunmap(enc_extent_page); 532 __free_page(enc_extent_page); 533 } 534 return rc; 535 } 536 537 static int ecryptfs_decrypt_extent(struct page *page, 538 struct ecryptfs_crypt_stat *crypt_stat, 539 struct page *enc_extent_page, 540 unsigned long extent_offset) 541 { 542 loff_t extent_base; 543 char extent_iv[ECRYPTFS_MAX_IV_BYTES]; 544 int rc; 545 546 extent_base = (((loff_t)page->index) 547 * (PAGE_CACHE_SIZE / crypt_stat->extent_size)); 548 rc = ecryptfs_derive_iv(extent_iv, crypt_stat, 549 (extent_base + extent_offset)); 550 if (rc) { 551 ecryptfs_printk(KERN_ERR, "Error attempting to " 552 "derive IV for extent [0x%.16x]; " 553 "rc = [%d]\n", (extent_base + extent_offset), 554 rc); 555 goto out; 556 } 557 if (unlikely(ecryptfs_verbosity > 0)) { 558 ecryptfs_printk(KERN_DEBUG, "Decrypting extent " 559 "with iv:\n"); 560 ecryptfs_dump_hex(extent_iv, crypt_stat->iv_bytes); 561 ecryptfs_printk(KERN_DEBUG, "First 8 bytes before " 562 "decryption:\n"); 563 ecryptfs_dump_hex((char *) 564 (page_address(enc_extent_page) 565 + (extent_offset * crypt_stat->extent_size)), 566 8); 567 } 568 rc = ecryptfs_decrypt_page_offset(crypt_stat, page, 569 (extent_offset 570 * crypt_stat->extent_size), 571 enc_extent_page, 0, 572 crypt_stat->extent_size, extent_iv); 573 if (rc < 0) { 574 printk(KERN_ERR "%s: Error attempting to decrypt to page with " 575 "page->index = [%ld], extent_offset = [%ld]; " 576 "rc = [%d]\n", __func__, page->index, extent_offset, 577 rc); 578 goto out; 579 } 580 rc = 0; 581 if (unlikely(ecryptfs_verbosity > 0)) { 582 ecryptfs_printk(KERN_DEBUG, "Decrypt extent [0x%.16x]; " 583 "rc = [%d]\n", (extent_base + extent_offset), 584 rc); 585 ecryptfs_printk(KERN_DEBUG, "First 8 bytes after " 586 "decryption:\n"); 587 ecryptfs_dump_hex((char *)(page_address(page) 588 + (extent_offset 589 * crypt_stat->extent_size)), 8); 590 } 591 out: 592 return rc; 593 } 594 595 /** 596 * ecryptfs_decrypt_page 597 * @page: Page mapped from the eCryptfs inode for the file; data read 598 * and decrypted from the lower file will be written into this 599 * page 600 * 601 * Decrypt an eCryptfs page. This is done on a per-extent basis. Note 602 * that eCryptfs pages may straddle the lower pages -- for instance, 603 * if the file was created on a machine with an 8K page size 604 * (resulting in an 8K header), and then the file is copied onto a 605 * host with a 32K page size, then when reading page 0 of the eCryptfs 606 * file, 24K of page 0 of the lower file will be read and decrypted, 607 * and then 8K of page 1 of the lower file will be read and decrypted. 608 * 609 * Returns zero on success; negative on error 610 */ 611 int ecryptfs_decrypt_page(struct page *page) 612 { 613 struct inode *ecryptfs_inode; 614 struct ecryptfs_crypt_stat *crypt_stat; 615 char *enc_extent_virt; 616 struct page *enc_extent_page = NULL; 617 unsigned long extent_offset; 618 int rc = 0; 619 620 ecryptfs_inode = page->mapping->host; 621 crypt_stat = 622 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat); 623 if (!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) { 624 rc = ecryptfs_read_lower_page_segment(page, page->index, 0, 625 PAGE_CACHE_SIZE, 626 ecryptfs_inode); 627 if (rc) 628 printk(KERN_ERR "%s: Error attempting to copy " 629 "page at index [%ld]\n", __func__, 630 page->index); 631 goto out; 632 } 633 enc_extent_page = alloc_page(GFP_USER); 634 if (!enc_extent_page) { 635 rc = -ENOMEM; 636 ecryptfs_printk(KERN_ERR, "Error allocating memory for " 637 "encrypted extent\n"); 638 goto out; 639 } 640 enc_extent_virt = kmap(enc_extent_page); 641 for (extent_offset = 0; 642 extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size); 643 extent_offset++) { 644 loff_t offset; 645 646 ecryptfs_lower_offset_for_extent( 647 &offset, ((page->index * (PAGE_CACHE_SIZE 648 / crypt_stat->extent_size)) 649 + extent_offset), crypt_stat); 650 rc = ecryptfs_read_lower(enc_extent_virt, offset, 651 crypt_stat->extent_size, 652 ecryptfs_inode); 653 if (rc) { 654 ecryptfs_printk(KERN_ERR, "Error attempting " 655 "to read lower page; rc = [%d]" 656 "\n", rc); 657 goto out; 658 } 659 rc = ecryptfs_decrypt_extent(page, crypt_stat, enc_extent_page, 660 extent_offset); 661 if (rc) { 662 printk(KERN_ERR "%s: Error encrypting extent; " 663 "rc = [%d]\n", __func__, rc); 664 goto out; 665 } 666 } 667 out: 668 if (enc_extent_page) { 669 kunmap(enc_extent_page); 670 __free_page(enc_extent_page); 671 } 672 return rc; 673 } 674 675 /** 676 * decrypt_scatterlist 677 * @crypt_stat: Cryptographic context 678 * @dest_sg: The destination scatterlist to decrypt into 679 * @src_sg: The source scatterlist to decrypt from 680 * @size: The number of bytes to decrypt 681 * @iv: The initialization vector to use for the decryption 682 * 683 * Returns the number of bytes decrypted; negative value on error 684 */ 685 static int decrypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat, 686 struct scatterlist *dest_sg, 687 struct scatterlist *src_sg, int size, 688 unsigned char *iv) 689 { 690 struct blkcipher_desc desc = { 691 .tfm = crypt_stat->tfm, 692 .info = iv, 693 .flags = CRYPTO_TFM_REQ_MAY_SLEEP 694 }; 695 int rc = 0; 696 697 /* Consider doing this once, when the file is opened */ 698 mutex_lock(&crypt_stat->cs_tfm_mutex); 699 rc = crypto_blkcipher_setkey(crypt_stat->tfm, crypt_stat->key, 700 crypt_stat->key_size); 701 if (rc) { 702 ecryptfs_printk(KERN_ERR, "Error setting key; rc = [%d]\n", 703 rc); 704 mutex_unlock(&crypt_stat->cs_tfm_mutex); 705 rc = -EINVAL; 706 goto out; 707 } 708 ecryptfs_printk(KERN_DEBUG, "Decrypting [%d] bytes.\n", size); 709 rc = crypto_blkcipher_decrypt_iv(&desc, dest_sg, src_sg, size); 710 mutex_unlock(&crypt_stat->cs_tfm_mutex); 711 if (rc) { 712 ecryptfs_printk(KERN_ERR, "Error decrypting; rc = [%d]\n", 713 rc); 714 goto out; 715 } 716 rc = size; 717 out: 718 return rc; 719 } 720 721 /** 722 * ecryptfs_encrypt_page_offset 723 * @crypt_stat: The cryptographic context 724 * @dst_page: The page to encrypt into 725 * @dst_offset: The offset in the page to encrypt into 726 * @src_page: The page to encrypt from 727 * @src_offset: The offset in the page to encrypt from 728 * @size: The number of bytes to encrypt 729 * @iv: The initialization vector to use for the encryption 730 * 731 * Returns the number of bytes encrypted 732 */ 733 static int 734 ecryptfs_encrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat, 735 struct page *dst_page, int dst_offset, 736 struct page *src_page, int src_offset, int size, 737 unsigned char *iv) 738 { 739 struct scatterlist src_sg, dst_sg; 740 741 sg_init_table(&src_sg, 1); 742 sg_init_table(&dst_sg, 1); 743 744 sg_set_page(&src_sg, src_page, size, src_offset); 745 sg_set_page(&dst_sg, dst_page, size, dst_offset); 746 return encrypt_scatterlist(crypt_stat, &dst_sg, &src_sg, size, iv); 747 } 748 749 /** 750 * ecryptfs_decrypt_page_offset 751 * @crypt_stat: The cryptographic context 752 * @dst_page: The page to decrypt into 753 * @dst_offset: The offset in the page to decrypt into 754 * @src_page: The page to decrypt from 755 * @src_offset: The offset in the page to decrypt from 756 * @size: The number of bytes to decrypt 757 * @iv: The initialization vector to use for the decryption 758 * 759 * Returns the number of bytes decrypted 760 */ 761 static int 762 ecryptfs_decrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat, 763 struct page *dst_page, int dst_offset, 764 struct page *src_page, int src_offset, int size, 765 unsigned char *iv) 766 { 767 struct scatterlist src_sg, dst_sg; 768 769 sg_init_table(&src_sg, 1); 770 sg_set_page(&src_sg, src_page, size, src_offset); 771 772 sg_init_table(&dst_sg, 1); 773 sg_set_page(&dst_sg, dst_page, size, dst_offset); 774 775 return decrypt_scatterlist(crypt_stat, &dst_sg, &src_sg, size, iv); 776 } 777 778 #define ECRYPTFS_MAX_SCATTERLIST_LEN 4 779 780 /** 781 * ecryptfs_init_crypt_ctx 782 * @crypt_stat: Uninitilized crypt stats structure 783 * 784 * Initialize the crypto context. 785 * 786 * TODO: Performance: Keep a cache of initialized cipher contexts; 787 * only init if needed 788 */ 789 int ecryptfs_init_crypt_ctx(struct ecryptfs_crypt_stat *crypt_stat) 790 { 791 char *full_alg_name; 792 int rc = -EINVAL; 793 794 if (!crypt_stat->cipher) { 795 ecryptfs_printk(KERN_ERR, "No cipher specified\n"); 796 goto out; 797 } 798 ecryptfs_printk(KERN_DEBUG, 799 "Initializing cipher [%s]; strlen = [%d]; " 800 "key_size_bits = [%d]\n", 801 crypt_stat->cipher, (int)strlen(crypt_stat->cipher), 802 crypt_stat->key_size << 3); 803 if (crypt_stat->tfm) { 804 rc = 0; 805 goto out; 806 } 807 mutex_lock(&crypt_stat->cs_tfm_mutex); 808 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, 809 crypt_stat->cipher, "cbc"); 810 if (rc) 811 goto out_unlock; 812 crypt_stat->tfm = crypto_alloc_blkcipher(full_alg_name, 0, 813 CRYPTO_ALG_ASYNC); 814 kfree(full_alg_name); 815 if (IS_ERR(crypt_stat->tfm)) { 816 rc = PTR_ERR(crypt_stat->tfm); 817 ecryptfs_printk(KERN_ERR, "cryptfs: init_crypt_ctx(): " 818 "Error initializing cipher [%s]\n", 819 crypt_stat->cipher); 820 goto out_unlock; 821 } 822 crypto_blkcipher_set_flags(crypt_stat->tfm, CRYPTO_TFM_REQ_WEAK_KEY); 823 rc = 0; 824 out_unlock: 825 mutex_unlock(&crypt_stat->cs_tfm_mutex); 826 out: 827 return rc; 828 } 829 830 static void set_extent_mask_and_shift(struct ecryptfs_crypt_stat *crypt_stat) 831 { 832 int extent_size_tmp; 833 834 crypt_stat->extent_mask = 0xFFFFFFFF; 835 crypt_stat->extent_shift = 0; 836 if (crypt_stat->extent_size == 0) 837 return; 838 extent_size_tmp = crypt_stat->extent_size; 839 while ((extent_size_tmp & 0x01) == 0) { 840 extent_size_tmp >>= 1; 841 crypt_stat->extent_mask <<= 1; 842 crypt_stat->extent_shift++; 843 } 844 } 845 846 void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat) 847 { 848 /* Default values; may be overwritten as we are parsing the 849 * packets. */ 850 crypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE; 851 set_extent_mask_and_shift(crypt_stat); 852 crypt_stat->iv_bytes = ECRYPTFS_DEFAULT_IV_BYTES; 853 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR) 854 crypt_stat->num_header_bytes_at_front = 0; 855 else { 856 if (PAGE_CACHE_SIZE <= ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE) 857 crypt_stat->num_header_bytes_at_front = 858 ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE; 859 else 860 crypt_stat->num_header_bytes_at_front = PAGE_CACHE_SIZE; 861 } 862 } 863 864 /** 865 * ecryptfs_compute_root_iv 866 * @crypt_stats 867 * 868 * On error, sets the root IV to all 0's. 869 */ 870 int ecryptfs_compute_root_iv(struct ecryptfs_crypt_stat *crypt_stat) 871 { 872 int rc = 0; 873 char dst[MD5_DIGEST_SIZE]; 874 875 BUG_ON(crypt_stat->iv_bytes > MD5_DIGEST_SIZE); 876 BUG_ON(crypt_stat->iv_bytes <= 0); 877 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) { 878 rc = -EINVAL; 879 ecryptfs_printk(KERN_WARNING, "Session key not valid; " 880 "cannot generate root IV\n"); 881 goto out; 882 } 883 rc = ecryptfs_calculate_md5(dst, crypt_stat, crypt_stat->key, 884 crypt_stat->key_size); 885 if (rc) { 886 ecryptfs_printk(KERN_WARNING, "Error attempting to compute " 887 "MD5 while generating root IV\n"); 888 goto out; 889 } 890 memcpy(crypt_stat->root_iv, dst, crypt_stat->iv_bytes); 891 out: 892 if (rc) { 893 memset(crypt_stat->root_iv, 0, crypt_stat->iv_bytes); 894 crypt_stat->flags |= ECRYPTFS_SECURITY_WARNING; 895 } 896 return rc; 897 } 898 899 static void ecryptfs_generate_new_key(struct ecryptfs_crypt_stat *crypt_stat) 900 { 901 get_random_bytes(crypt_stat->key, crypt_stat->key_size); 902 crypt_stat->flags |= ECRYPTFS_KEY_VALID; 903 ecryptfs_compute_root_iv(crypt_stat); 904 if (unlikely(ecryptfs_verbosity > 0)) { 905 ecryptfs_printk(KERN_DEBUG, "Generated new session key:\n"); 906 ecryptfs_dump_hex(crypt_stat->key, 907 crypt_stat->key_size); 908 } 909 } 910 911 /** 912 * ecryptfs_copy_mount_wide_flags_to_inode_flags 913 * @crypt_stat: The inode's cryptographic context 914 * @mount_crypt_stat: The mount point's cryptographic context 915 * 916 * This function propagates the mount-wide flags to individual inode 917 * flags. 918 */ 919 static void ecryptfs_copy_mount_wide_flags_to_inode_flags( 920 struct ecryptfs_crypt_stat *crypt_stat, 921 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 922 { 923 if (mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED) 924 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR; 925 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) 926 crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED; 927 } 928 929 static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs( 930 struct ecryptfs_crypt_stat *crypt_stat, 931 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 932 { 933 struct ecryptfs_global_auth_tok *global_auth_tok; 934 int rc = 0; 935 936 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); 937 list_for_each_entry(global_auth_tok, 938 &mount_crypt_stat->global_auth_tok_list, 939 mount_crypt_stat_list) { 940 rc = ecryptfs_add_keysig(crypt_stat, global_auth_tok->sig); 941 if (rc) { 942 printk(KERN_ERR "Error adding keysig; rc = [%d]\n", rc); 943 mutex_unlock( 944 &mount_crypt_stat->global_auth_tok_list_mutex); 945 goto out; 946 } 947 } 948 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); 949 out: 950 return rc; 951 } 952 953 /** 954 * ecryptfs_set_default_crypt_stat_vals 955 * @crypt_stat: The inode's cryptographic context 956 * @mount_crypt_stat: The mount point's cryptographic context 957 * 958 * Default values in the event that policy does not override them. 959 */ 960 static void ecryptfs_set_default_crypt_stat_vals( 961 struct ecryptfs_crypt_stat *crypt_stat, 962 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 963 { 964 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, 965 mount_crypt_stat); 966 ecryptfs_set_default_sizes(crypt_stat); 967 strcpy(crypt_stat->cipher, ECRYPTFS_DEFAULT_CIPHER); 968 crypt_stat->key_size = ECRYPTFS_DEFAULT_KEY_BYTES; 969 crypt_stat->flags &= ~(ECRYPTFS_KEY_VALID); 970 crypt_stat->file_version = ECRYPTFS_FILE_VERSION; 971 crypt_stat->mount_crypt_stat = mount_crypt_stat; 972 } 973 974 /** 975 * ecryptfs_new_file_context 976 * @ecryptfs_dentry: The eCryptfs dentry 977 * 978 * If the crypto context for the file has not yet been established, 979 * this is where we do that. Establishing a new crypto context 980 * involves the following decisions: 981 * - What cipher to use? 982 * - What set of authentication tokens to use? 983 * Here we just worry about getting enough information into the 984 * authentication tokens so that we know that they are available. 985 * We associate the available authentication tokens with the new file 986 * via the set of signatures in the crypt_stat struct. Later, when 987 * the headers are actually written out, we may again defer to 988 * userspace to perform the encryption of the session key; for the 989 * foreseeable future, this will be the case with public key packets. 990 * 991 * Returns zero on success; non-zero otherwise 992 */ 993 int ecryptfs_new_file_context(struct dentry *ecryptfs_dentry) 994 { 995 struct ecryptfs_crypt_stat *crypt_stat = 996 &ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat; 997 struct ecryptfs_mount_crypt_stat *mount_crypt_stat = 998 &ecryptfs_superblock_to_private( 999 ecryptfs_dentry->d_sb)->mount_crypt_stat; 1000 int cipher_name_len; 1001 int rc = 0; 1002 1003 ecryptfs_set_default_crypt_stat_vals(crypt_stat, mount_crypt_stat); 1004 crypt_stat->flags |= (ECRYPTFS_ENCRYPTED | ECRYPTFS_KEY_VALID); 1005 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, 1006 mount_crypt_stat); 1007 rc = ecryptfs_copy_mount_wide_sigs_to_inode_sigs(crypt_stat, 1008 mount_crypt_stat); 1009 if (rc) { 1010 printk(KERN_ERR "Error attempting to copy mount-wide key sigs " 1011 "to the inode key sigs; rc = [%d]\n", rc); 1012 goto out; 1013 } 1014 cipher_name_len = 1015 strlen(mount_crypt_stat->global_default_cipher_name); 1016 memcpy(crypt_stat->cipher, 1017 mount_crypt_stat->global_default_cipher_name, 1018 cipher_name_len); 1019 crypt_stat->cipher[cipher_name_len] = '\0'; 1020 crypt_stat->key_size = 1021 mount_crypt_stat->global_default_cipher_key_size; 1022 ecryptfs_generate_new_key(crypt_stat); 1023 rc = ecryptfs_init_crypt_ctx(crypt_stat); 1024 if (rc) 1025 ecryptfs_printk(KERN_ERR, "Error initializing cryptographic " 1026 "context for cipher [%s]: rc = [%d]\n", 1027 crypt_stat->cipher, rc); 1028 out: 1029 return rc; 1030 } 1031 1032 /** 1033 * contains_ecryptfs_marker - check for the ecryptfs marker 1034 * @data: The data block in which to check 1035 * 1036 * Returns one if marker found; zero if not found 1037 */ 1038 static int contains_ecryptfs_marker(char *data) 1039 { 1040 u32 m_1, m_2; 1041 1042 m_1 = get_unaligned_be32(data); 1043 m_2 = get_unaligned_be32(data + 4); 1044 if ((m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2) 1045 return 1; 1046 ecryptfs_printk(KERN_DEBUG, "m_1 = [0x%.8x]; m_2 = [0x%.8x]; " 1047 "MAGIC_ECRYPTFS_MARKER = [0x%.8x]\n", m_1, m_2, 1048 MAGIC_ECRYPTFS_MARKER); 1049 ecryptfs_printk(KERN_DEBUG, "(m_1 ^ MAGIC_ECRYPTFS_MARKER) = " 1050 "[0x%.8x]\n", (m_1 ^ MAGIC_ECRYPTFS_MARKER)); 1051 return 0; 1052 } 1053 1054 struct ecryptfs_flag_map_elem { 1055 u32 file_flag; 1056 u32 local_flag; 1057 }; 1058 1059 /* Add support for additional flags by adding elements here. */ 1060 static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = { 1061 {0x00000001, ECRYPTFS_ENABLE_HMAC}, 1062 {0x00000002, ECRYPTFS_ENCRYPTED}, 1063 {0x00000004, ECRYPTFS_METADATA_IN_XATTR} 1064 }; 1065 1066 /** 1067 * ecryptfs_process_flags 1068 * @crypt_stat: The cryptographic context 1069 * @page_virt: Source data to be parsed 1070 * @bytes_read: Updated with the number of bytes read 1071 * 1072 * Returns zero on success; non-zero if the flag set is invalid 1073 */ 1074 static int ecryptfs_process_flags(struct ecryptfs_crypt_stat *crypt_stat, 1075 char *page_virt, int *bytes_read) 1076 { 1077 int rc = 0; 1078 int i; 1079 u32 flags; 1080 1081 flags = get_unaligned_be32(page_virt); 1082 for (i = 0; i < ((sizeof(ecryptfs_flag_map) 1083 / sizeof(struct ecryptfs_flag_map_elem))); i++) 1084 if (flags & ecryptfs_flag_map[i].file_flag) { 1085 crypt_stat->flags |= ecryptfs_flag_map[i].local_flag; 1086 } else 1087 crypt_stat->flags &= ~(ecryptfs_flag_map[i].local_flag); 1088 /* Version is in top 8 bits of the 32-bit flag vector */ 1089 crypt_stat->file_version = ((flags >> 24) & 0xFF); 1090 (*bytes_read) = 4; 1091 return rc; 1092 } 1093 1094 /** 1095 * write_ecryptfs_marker 1096 * @page_virt: The pointer to in a page to begin writing the marker 1097 * @written: Number of bytes written 1098 * 1099 * Marker = 0x3c81b7f5 1100 */ 1101 static void write_ecryptfs_marker(char *page_virt, size_t *written) 1102 { 1103 u32 m_1, m_2; 1104 1105 get_random_bytes(&m_1, (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2)); 1106 m_2 = (m_1 ^ MAGIC_ECRYPTFS_MARKER); 1107 put_unaligned_be32(m_1, page_virt); 1108 page_virt += (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2); 1109 put_unaligned_be32(m_2, page_virt); 1110 (*written) = MAGIC_ECRYPTFS_MARKER_SIZE_BYTES; 1111 } 1112 1113 static void 1114 write_ecryptfs_flags(char *page_virt, struct ecryptfs_crypt_stat *crypt_stat, 1115 size_t *written) 1116 { 1117 u32 flags = 0; 1118 int i; 1119 1120 for (i = 0; i < ((sizeof(ecryptfs_flag_map) 1121 / sizeof(struct ecryptfs_flag_map_elem))); i++) 1122 if (crypt_stat->flags & ecryptfs_flag_map[i].local_flag) 1123 flags |= ecryptfs_flag_map[i].file_flag; 1124 /* Version is in top 8 bits of the 32-bit flag vector */ 1125 flags |= ((((u8)crypt_stat->file_version) << 24) & 0xFF000000); 1126 put_unaligned_be32(flags, page_virt); 1127 (*written) = 4; 1128 } 1129 1130 struct ecryptfs_cipher_code_str_map_elem { 1131 char cipher_str[16]; 1132 u8 cipher_code; 1133 }; 1134 1135 /* Add support for additional ciphers by adding elements here. The 1136 * cipher_code is whatever OpenPGP applicatoins use to identify the 1137 * ciphers. List in order of probability. */ 1138 static struct ecryptfs_cipher_code_str_map_elem 1139 ecryptfs_cipher_code_str_map[] = { 1140 {"aes",RFC2440_CIPHER_AES_128 }, 1141 {"blowfish", RFC2440_CIPHER_BLOWFISH}, 1142 {"des3_ede", RFC2440_CIPHER_DES3_EDE}, 1143 {"cast5", RFC2440_CIPHER_CAST_5}, 1144 {"twofish", RFC2440_CIPHER_TWOFISH}, 1145 {"cast6", RFC2440_CIPHER_CAST_6}, 1146 {"aes", RFC2440_CIPHER_AES_192}, 1147 {"aes", RFC2440_CIPHER_AES_256} 1148 }; 1149 1150 /** 1151 * ecryptfs_code_for_cipher_string 1152 * @cipher_name: The string alias for the cipher 1153 * @key_bytes: Length of key in bytes; used for AES code selection 1154 * 1155 * Returns zero on no match, or the cipher code on match 1156 */ 1157 u8 ecryptfs_code_for_cipher_string(char *cipher_name, size_t key_bytes) 1158 { 1159 int i; 1160 u8 code = 0; 1161 struct ecryptfs_cipher_code_str_map_elem *map = 1162 ecryptfs_cipher_code_str_map; 1163 1164 if (strcmp(cipher_name, "aes") == 0) { 1165 switch (key_bytes) { 1166 case 16: 1167 code = RFC2440_CIPHER_AES_128; 1168 break; 1169 case 24: 1170 code = RFC2440_CIPHER_AES_192; 1171 break; 1172 case 32: 1173 code = RFC2440_CIPHER_AES_256; 1174 } 1175 } else { 1176 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++) 1177 if (strcmp(cipher_name, map[i].cipher_str) == 0) { 1178 code = map[i].cipher_code; 1179 break; 1180 } 1181 } 1182 return code; 1183 } 1184 1185 /** 1186 * ecryptfs_cipher_code_to_string 1187 * @str: Destination to write out the cipher name 1188 * @cipher_code: The code to convert to cipher name string 1189 * 1190 * Returns zero on success 1191 */ 1192 int ecryptfs_cipher_code_to_string(char *str, u8 cipher_code) 1193 { 1194 int rc = 0; 1195 int i; 1196 1197 str[0] = '\0'; 1198 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++) 1199 if (cipher_code == ecryptfs_cipher_code_str_map[i].cipher_code) 1200 strcpy(str, ecryptfs_cipher_code_str_map[i].cipher_str); 1201 if (str[0] == '\0') { 1202 ecryptfs_printk(KERN_WARNING, "Cipher code not recognized: " 1203 "[%d]\n", cipher_code); 1204 rc = -EINVAL; 1205 } 1206 return rc; 1207 } 1208 1209 int ecryptfs_read_and_validate_header_region(char *data, 1210 struct inode *ecryptfs_inode) 1211 { 1212 struct ecryptfs_crypt_stat *crypt_stat = 1213 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat); 1214 int rc; 1215 1216 rc = ecryptfs_read_lower(data, 0, crypt_stat->extent_size, 1217 ecryptfs_inode); 1218 if (rc) { 1219 printk(KERN_ERR "%s: Error reading header region; rc = [%d]\n", 1220 __func__, rc); 1221 goto out; 1222 } 1223 if (!contains_ecryptfs_marker(data + ECRYPTFS_FILE_SIZE_BYTES)) { 1224 rc = -EINVAL; 1225 ecryptfs_printk(KERN_DEBUG, "Valid marker not found\n"); 1226 } 1227 out: 1228 return rc; 1229 } 1230 1231 void 1232 ecryptfs_write_header_metadata(char *virt, 1233 struct ecryptfs_crypt_stat *crypt_stat, 1234 size_t *written) 1235 { 1236 u32 header_extent_size; 1237 u16 num_header_extents_at_front; 1238 1239 header_extent_size = (u32)crypt_stat->extent_size; 1240 num_header_extents_at_front = 1241 (u16)(crypt_stat->num_header_bytes_at_front 1242 / crypt_stat->extent_size); 1243 put_unaligned_be32(header_extent_size, virt); 1244 virt += 4; 1245 put_unaligned_be16(num_header_extents_at_front, virt); 1246 (*written) = 6; 1247 } 1248 1249 struct kmem_cache *ecryptfs_header_cache_1; 1250 struct kmem_cache *ecryptfs_header_cache_2; 1251 1252 /** 1253 * ecryptfs_write_headers_virt 1254 * @page_virt: The virtual address to write the headers to 1255 * @max: The size of memory allocated at page_virt 1256 * @size: Set to the number of bytes written by this function 1257 * @crypt_stat: The cryptographic context 1258 * @ecryptfs_dentry: The eCryptfs dentry 1259 * 1260 * Format version: 1 1261 * 1262 * Header Extent: 1263 * Octets 0-7: Unencrypted file size (big-endian) 1264 * Octets 8-15: eCryptfs special marker 1265 * Octets 16-19: Flags 1266 * Octet 16: File format version number (between 0 and 255) 1267 * Octets 17-18: Reserved 1268 * Octet 19: Bit 1 (lsb): Reserved 1269 * Bit 2: Encrypted? 1270 * Bits 3-8: Reserved 1271 * Octets 20-23: Header extent size (big-endian) 1272 * Octets 24-25: Number of header extents at front of file 1273 * (big-endian) 1274 * Octet 26: Begin RFC 2440 authentication token packet set 1275 * Data Extent 0: 1276 * Lower data (CBC encrypted) 1277 * Data Extent 1: 1278 * Lower data (CBC encrypted) 1279 * ... 1280 * 1281 * Returns zero on success 1282 */ 1283 static int ecryptfs_write_headers_virt(char *page_virt, size_t max, 1284 size_t *size, 1285 struct ecryptfs_crypt_stat *crypt_stat, 1286 struct dentry *ecryptfs_dentry) 1287 { 1288 int rc; 1289 size_t written; 1290 size_t offset; 1291 1292 offset = ECRYPTFS_FILE_SIZE_BYTES; 1293 write_ecryptfs_marker((page_virt + offset), &written); 1294 offset += written; 1295 write_ecryptfs_flags((page_virt + offset), crypt_stat, &written); 1296 offset += written; 1297 ecryptfs_write_header_metadata((page_virt + offset), crypt_stat, 1298 &written); 1299 offset += written; 1300 rc = ecryptfs_generate_key_packet_set((page_virt + offset), crypt_stat, 1301 ecryptfs_dentry, &written, 1302 max - offset); 1303 if (rc) 1304 ecryptfs_printk(KERN_WARNING, "Error generating key packet " 1305 "set; rc = [%d]\n", rc); 1306 if (size) { 1307 offset += written; 1308 *size = offset; 1309 } 1310 return rc; 1311 } 1312 1313 static int 1314 ecryptfs_write_metadata_to_contents(struct ecryptfs_crypt_stat *crypt_stat, 1315 struct dentry *ecryptfs_dentry, 1316 char *virt) 1317 { 1318 int rc; 1319 1320 rc = ecryptfs_write_lower(ecryptfs_dentry->d_inode, virt, 1321 0, crypt_stat->num_header_bytes_at_front); 1322 if (rc) 1323 printk(KERN_ERR "%s: Error attempting to write header " 1324 "information to lower file; rc = [%d]\n", __func__, 1325 rc); 1326 return rc; 1327 } 1328 1329 static int 1330 ecryptfs_write_metadata_to_xattr(struct dentry *ecryptfs_dentry, 1331 struct ecryptfs_crypt_stat *crypt_stat, 1332 char *page_virt, size_t size) 1333 { 1334 int rc; 1335 1336 rc = ecryptfs_setxattr(ecryptfs_dentry, ECRYPTFS_XATTR_NAME, page_virt, 1337 size, 0); 1338 return rc; 1339 } 1340 1341 /** 1342 * ecryptfs_write_metadata 1343 * @ecryptfs_dentry: The eCryptfs dentry 1344 * 1345 * Write the file headers out. This will likely involve a userspace 1346 * callout, in which the session key is encrypted with one or more 1347 * public keys and/or the passphrase necessary to do the encryption is 1348 * retrieved via a prompt. Exactly what happens at this point should 1349 * be policy-dependent. 1350 * 1351 * Returns zero on success; non-zero on error 1352 */ 1353 int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry) 1354 { 1355 struct ecryptfs_crypt_stat *crypt_stat = 1356 &ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat; 1357 char *virt; 1358 size_t size = 0; 1359 int rc = 0; 1360 1361 if (likely(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) { 1362 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) { 1363 printk(KERN_ERR "Key is invalid; bailing out\n"); 1364 rc = -EINVAL; 1365 goto out; 1366 } 1367 } else { 1368 printk(KERN_WARNING "%s: Encrypted flag not set\n", 1369 __func__); 1370 rc = -EINVAL; 1371 goto out; 1372 } 1373 /* Released in this function */ 1374 virt = (char *)get_zeroed_page(GFP_KERNEL); 1375 if (!virt) { 1376 printk(KERN_ERR "%s: Out of memory\n", __func__); 1377 rc = -ENOMEM; 1378 goto out; 1379 } 1380 rc = ecryptfs_write_headers_virt(virt, PAGE_CACHE_SIZE, &size, 1381 crypt_stat, ecryptfs_dentry); 1382 if (unlikely(rc)) { 1383 printk(KERN_ERR "%s: Error whilst writing headers; rc = [%d]\n", 1384 __func__, rc); 1385 goto out_free; 1386 } 1387 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR) 1388 rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, 1389 crypt_stat, virt, size); 1390 else 1391 rc = ecryptfs_write_metadata_to_contents(crypt_stat, 1392 ecryptfs_dentry, virt); 1393 if (rc) { 1394 printk(KERN_ERR "%s: Error writing metadata out to lower file; " 1395 "rc = [%d]\n", __func__, rc); 1396 goto out_free; 1397 } 1398 out_free: 1399 free_page((unsigned long)virt); 1400 out: 1401 return rc; 1402 } 1403 1404 #define ECRYPTFS_DONT_VALIDATE_HEADER_SIZE 0 1405 #define ECRYPTFS_VALIDATE_HEADER_SIZE 1 1406 static int parse_header_metadata(struct ecryptfs_crypt_stat *crypt_stat, 1407 char *virt, int *bytes_read, 1408 int validate_header_size) 1409 { 1410 int rc = 0; 1411 u32 header_extent_size; 1412 u16 num_header_extents_at_front; 1413 1414 header_extent_size = get_unaligned_be32(virt); 1415 virt += sizeof(__be32); 1416 num_header_extents_at_front = get_unaligned_be16(virt); 1417 crypt_stat->num_header_bytes_at_front = 1418 (((size_t)num_header_extents_at_front 1419 * (size_t)header_extent_size)); 1420 (*bytes_read) = (sizeof(__be32) + sizeof(__be16)); 1421 if ((validate_header_size == ECRYPTFS_VALIDATE_HEADER_SIZE) 1422 && (crypt_stat->num_header_bytes_at_front 1423 < ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)) { 1424 rc = -EINVAL; 1425 printk(KERN_WARNING "Invalid header size: [%zd]\n", 1426 crypt_stat->num_header_bytes_at_front); 1427 } 1428 return rc; 1429 } 1430 1431 /** 1432 * set_default_header_data 1433 * @crypt_stat: The cryptographic context 1434 * 1435 * For version 0 file format; this function is only for backwards 1436 * compatibility for files created with the prior versions of 1437 * eCryptfs. 1438 */ 1439 static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat) 1440 { 1441 crypt_stat->num_header_bytes_at_front = 1442 ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE; 1443 } 1444 1445 /** 1446 * ecryptfs_read_headers_virt 1447 * @page_virt: The virtual address into which to read the headers 1448 * @crypt_stat: The cryptographic context 1449 * @ecryptfs_dentry: The eCryptfs dentry 1450 * @validate_header_size: Whether to validate the header size while reading 1451 * 1452 * Read/parse the header data. The header format is detailed in the 1453 * comment block for the ecryptfs_write_headers_virt() function. 1454 * 1455 * Returns zero on success 1456 */ 1457 static int ecryptfs_read_headers_virt(char *page_virt, 1458 struct ecryptfs_crypt_stat *crypt_stat, 1459 struct dentry *ecryptfs_dentry, 1460 int validate_header_size) 1461 { 1462 int rc = 0; 1463 int offset; 1464 int bytes_read; 1465 1466 ecryptfs_set_default_sizes(crypt_stat); 1467 crypt_stat->mount_crypt_stat = &ecryptfs_superblock_to_private( 1468 ecryptfs_dentry->d_sb)->mount_crypt_stat; 1469 offset = ECRYPTFS_FILE_SIZE_BYTES; 1470 rc = contains_ecryptfs_marker(page_virt + offset); 1471 if (rc == 0) { 1472 rc = -EINVAL; 1473 goto out; 1474 } 1475 offset += MAGIC_ECRYPTFS_MARKER_SIZE_BYTES; 1476 rc = ecryptfs_process_flags(crypt_stat, (page_virt + offset), 1477 &bytes_read); 1478 if (rc) { 1479 ecryptfs_printk(KERN_WARNING, "Error processing flags\n"); 1480 goto out; 1481 } 1482 if (crypt_stat->file_version > ECRYPTFS_SUPPORTED_FILE_VERSION) { 1483 ecryptfs_printk(KERN_WARNING, "File version is [%d]; only " 1484 "file version [%d] is supported by this " 1485 "version of eCryptfs\n", 1486 crypt_stat->file_version, 1487 ECRYPTFS_SUPPORTED_FILE_VERSION); 1488 rc = -EINVAL; 1489 goto out; 1490 } 1491 offset += bytes_read; 1492 if (crypt_stat->file_version >= 1) { 1493 rc = parse_header_metadata(crypt_stat, (page_virt + offset), 1494 &bytes_read, validate_header_size); 1495 if (rc) { 1496 ecryptfs_printk(KERN_WARNING, "Error reading header " 1497 "metadata; rc = [%d]\n", rc); 1498 } 1499 offset += bytes_read; 1500 } else 1501 set_default_header_data(crypt_stat); 1502 rc = ecryptfs_parse_packet_set(crypt_stat, (page_virt + offset), 1503 ecryptfs_dentry); 1504 out: 1505 return rc; 1506 } 1507 1508 /** 1509 * ecryptfs_read_xattr_region 1510 * @page_virt: The vitual address into which to read the xattr data 1511 * @ecryptfs_inode: The eCryptfs inode 1512 * 1513 * Attempts to read the crypto metadata from the extended attribute 1514 * region of the lower file. 1515 * 1516 * Returns zero on success; non-zero on error 1517 */ 1518 int ecryptfs_read_xattr_region(char *page_virt, struct inode *ecryptfs_inode) 1519 { 1520 struct dentry *lower_dentry = 1521 ecryptfs_inode_to_private(ecryptfs_inode)->lower_file->f_dentry; 1522 ssize_t size; 1523 int rc = 0; 1524 1525 size = ecryptfs_getxattr_lower(lower_dentry, ECRYPTFS_XATTR_NAME, 1526 page_virt, ECRYPTFS_DEFAULT_EXTENT_SIZE); 1527 if (size < 0) { 1528 if (unlikely(ecryptfs_verbosity > 0)) 1529 printk(KERN_INFO "Error attempting to read the [%s] " 1530 "xattr from the lower file; return value = " 1531 "[%zd]\n", ECRYPTFS_XATTR_NAME, size); 1532 rc = -EINVAL; 1533 goto out; 1534 } 1535 out: 1536 return rc; 1537 } 1538 1539 int ecryptfs_read_and_validate_xattr_region(char *page_virt, 1540 struct dentry *ecryptfs_dentry) 1541 { 1542 int rc; 1543 1544 rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_dentry->d_inode); 1545 if (rc) 1546 goto out; 1547 if (!contains_ecryptfs_marker(page_virt + ECRYPTFS_FILE_SIZE_BYTES)) { 1548 printk(KERN_WARNING "Valid data found in [%s] xattr, but " 1549 "the marker is invalid\n", ECRYPTFS_XATTR_NAME); 1550 rc = -EINVAL; 1551 } 1552 out: 1553 return rc; 1554 } 1555 1556 /** 1557 * ecryptfs_read_metadata 1558 * 1559 * Common entry point for reading file metadata. From here, we could 1560 * retrieve the header information from the header region of the file, 1561 * the xattr region of the file, or some other repostory that is 1562 * stored separately from the file itself. The current implementation 1563 * supports retrieving the metadata information from the file contents 1564 * and from the xattr region. 1565 * 1566 * Returns zero if valid headers found and parsed; non-zero otherwise 1567 */ 1568 int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry) 1569 { 1570 int rc = 0; 1571 char *page_virt = NULL; 1572 struct inode *ecryptfs_inode = ecryptfs_dentry->d_inode; 1573 struct ecryptfs_crypt_stat *crypt_stat = 1574 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat; 1575 struct ecryptfs_mount_crypt_stat *mount_crypt_stat = 1576 &ecryptfs_superblock_to_private( 1577 ecryptfs_dentry->d_sb)->mount_crypt_stat; 1578 1579 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, 1580 mount_crypt_stat); 1581 /* Read the first page from the underlying file */ 1582 page_virt = kmem_cache_alloc(ecryptfs_header_cache_1, GFP_USER); 1583 if (!page_virt) { 1584 rc = -ENOMEM; 1585 printk(KERN_ERR "%s: Unable to allocate page_virt\n", 1586 __func__); 1587 goto out; 1588 } 1589 rc = ecryptfs_read_lower(page_virt, 0, crypt_stat->extent_size, 1590 ecryptfs_inode); 1591 if (!rc) 1592 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat, 1593 ecryptfs_dentry, 1594 ECRYPTFS_VALIDATE_HEADER_SIZE); 1595 if (rc) { 1596 rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode); 1597 if (rc) { 1598 printk(KERN_DEBUG "Valid eCryptfs headers not found in " 1599 "file header region or xattr region\n"); 1600 rc = -EINVAL; 1601 goto out; 1602 } 1603 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat, 1604 ecryptfs_dentry, 1605 ECRYPTFS_DONT_VALIDATE_HEADER_SIZE); 1606 if (rc) { 1607 printk(KERN_DEBUG "Valid eCryptfs headers not found in " 1608 "file xattr region either\n"); 1609 rc = -EINVAL; 1610 } 1611 if (crypt_stat->mount_crypt_stat->flags 1612 & ECRYPTFS_XATTR_METADATA_ENABLED) { 1613 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR; 1614 } else { 1615 printk(KERN_WARNING "Attempt to access file with " 1616 "crypto metadata only in the extended attribute " 1617 "region, but eCryptfs was mounted without " 1618 "xattr support enabled. eCryptfs will not treat " 1619 "this like an encrypted file.\n"); 1620 rc = -EINVAL; 1621 } 1622 } 1623 out: 1624 if (page_virt) { 1625 memset(page_virt, 0, PAGE_CACHE_SIZE); 1626 kmem_cache_free(ecryptfs_header_cache_1, page_virt); 1627 } 1628 return rc; 1629 } 1630 1631 /** 1632 * ecryptfs_encode_filename - converts a plaintext file name to cipher text 1633 * @crypt_stat: The crypt_stat struct associated with the file anem to encode 1634 * @name: The plaintext name 1635 * @length: The length of the plaintext 1636 * @encoded_name: The encypted name 1637 * 1638 * Encrypts and encodes a filename into something that constitutes a 1639 * valid filename for a filesystem, with printable characters. 1640 * 1641 * We assume that we have a properly initialized crypto context, 1642 * pointed to by crypt_stat->tfm. 1643 * 1644 * TODO: Implement filename decoding and decryption here, in place of 1645 * memcpy. We are keeping the framework around for now to (1) 1646 * facilitate testing of the components needed to implement filename 1647 * encryption and (2) to provide a code base from which other 1648 * developers in the community can easily implement this feature. 1649 * 1650 * Returns the length of encoded filename; negative if error 1651 */ 1652 int 1653 ecryptfs_encode_filename(struct ecryptfs_crypt_stat *crypt_stat, 1654 const char *name, int length, char **encoded_name) 1655 { 1656 int error = 0; 1657 1658 (*encoded_name) = kmalloc(length + 2, GFP_KERNEL); 1659 if (!(*encoded_name)) { 1660 error = -ENOMEM; 1661 goto out; 1662 } 1663 /* TODO: Filename encryption is a scheduled feature for a 1664 * future version of eCryptfs. This function is here only for 1665 * the purpose of providing a framework for other developers 1666 * to easily implement filename encryption. Hint: Replace this 1667 * memcpy() with a call to encrypt and encode the 1668 * filename, the set the length accordingly. */ 1669 memcpy((void *)(*encoded_name), (void *)name, length); 1670 (*encoded_name)[length] = '\0'; 1671 error = length + 1; 1672 out: 1673 return error; 1674 } 1675 1676 /** 1677 * ecryptfs_decode_filename - converts the cipher text name to plaintext 1678 * @crypt_stat: The crypt_stat struct associated with the file 1679 * @name: The filename in cipher text 1680 * @length: The length of the cipher text name 1681 * @decrypted_name: The plaintext name 1682 * 1683 * Decodes and decrypts the filename. 1684 * 1685 * We assume that we have a properly initialized crypto context, 1686 * pointed to by crypt_stat->tfm. 1687 * 1688 * TODO: Implement filename decoding and decryption here, in place of 1689 * memcpy. We are keeping the framework around for now to (1) 1690 * facilitate testing of the components needed to implement filename 1691 * encryption and (2) to provide a code base from which other 1692 * developers in the community can easily implement this feature. 1693 * 1694 * Returns the length of decoded filename; negative if error 1695 */ 1696 int 1697 ecryptfs_decode_filename(struct ecryptfs_crypt_stat *crypt_stat, 1698 const char *name, int length, char **decrypted_name) 1699 { 1700 int error = 0; 1701 1702 (*decrypted_name) = kmalloc(length + 2, GFP_KERNEL); 1703 if (!(*decrypted_name)) { 1704 error = -ENOMEM; 1705 goto out; 1706 } 1707 /* TODO: Filename encryption is a scheduled feature for a 1708 * future version of eCryptfs. This function is here only for 1709 * the purpose of providing a framework for other developers 1710 * to easily implement filename encryption. Hint: Replace this 1711 * memcpy() with a call to decode and decrypt the 1712 * filename, the set the length accordingly. */ 1713 memcpy((void *)(*decrypted_name), (void *)name, length); 1714 (*decrypted_name)[length + 1] = '\0'; /* Only for convenience 1715 * in printing out the 1716 * string in debug 1717 * messages */ 1718 error = length; 1719 out: 1720 return error; 1721 } 1722 1723 /** 1724 * ecryptfs_process_key_cipher - Perform key cipher initialization. 1725 * @key_tfm: Crypto context for key material, set by this function 1726 * @cipher_name: Name of the cipher 1727 * @key_size: Size of the key in bytes 1728 * 1729 * Returns zero on success. Any crypto_tfm structs allocated here 1730 * should be released by other functions, such as on a superblock put 1731 * event, regardless of whether this function succeeds for fails. 1732 */ 1733 static int 1734 ecryptfs_process_key_cipher(struct crypto_blkcipher **key_tfm, 1735 char *cipher_name, size_t *key_size) 1736 { 1737 char dummy_key[ECRYPTFS_MAX_KEY_BYTES]; 1738 char *full_alg_name; 1739 int rc; 1740 1741 *key_tfm = NULL; 1742 if (*key_size > ECRYPTFS_MAX_KEY_BYTES) { 1743 rc = -EINVAL; 1744 printk(KERN_ERR "Requested key size is [%Zd] bytes; maximum " 1745 "allowable is [%d]\n", *key_size, ECRYPTFS_MAX_KEY_BYTES); 1746 goto out; 1747 } 1748 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, cipher_name, 1749 "ecb"); 1750 if (rc) 1751 goto out; 1752 *key_tfm = crypto_alloc_blkcipher(full_alg_name, 0, CRYPTO_ALG_ASYNC); 1753 kfree(full_alg_name); 1754 if (IS_ERR(*key_tfm)) { 1755 rc = PTR_ERR(*key_tfm); 1756 printk(KERN_ERR "Unable to allocate crypto cipher with name " 1757 "[%s]; rc = [%d]\n", cipher_name, rc); 1758 goto out; 1759 } 1760 crypto_blkcipher_set_flags(*key_tfm, CRYPTO_TFM_REQ_WEAK_KEY); 1761 if (*key_size == 0) { 1762 struct blkcipher_alg *alg = crypto_blkcipher_alg(*key_tfm); 1763 1764 *key_size = alg->max_keysize; 1765 } 1766 get_random_bytes(dummy_key, *key_size); 1767 rc = crypto_blkcipher_setkey(*key_tfm, dummy_key, *key_size); 1768 if (rc) { 1769 printk(KERN_ERR "Error attempting to set key of size [%Zd] for " 1770 "cipher [%s]; rc = [%d]\n", *key_size, cipher_name, rc); 1771 rc = -EINVAL; 1772 goto out; 1773 } 1774 out: 1775 return rc; 1776 } 1777 1778 struct kmem_cache *ecryptfs_key_tfm_cache; 1779 static struct list_head key_tfm_list; 1780 struct mutex key_tfm_list_mutex; 1781 1782 int ecryptfs_init_crypto(void) 1783 { 1784 mutex_init(&key_tfm_list_mutex); 1785 INIT_LIST_HEAD(&key_tfm_list); 1786 return 0; 1787 } 1788 1789 /** 1790 * ecryptfs_destroy_crypto - free all cached key_tfms on key_tfm_list 1791 * 1792 * Called only at module unload time 1793 */ 1794 int ecryptfs_destroy_crypto(void) 1795 { 1796 struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp; 1797 1798 mutex_lock(&key_tfm_list_mutex); 1799 list_for_each_entry_safe(key_tfm, key_tfm_tmp, &key_tfm_list, 1800 key_tfm_list) { 1801 list_del(&key_tfm->key_tfm_list); 1802 if (key_tfm->key_tfm) 1803 crypto_free_blkcipher(key_tfm->key_tfm); 1804 kmem_cache_free(ecryptfs_key_tfm_cache, key_tfm); 1805 } 1806 mutex_unlock(&key_tfm_list_mutex); 1807 return 0; 1808 } 1809 1810 int 1811 ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name, 1812 size_t key_size) 1813 { 1814 struct ecryptfs_key_tfm *tmp_tfm; 1815 int rc = 0; 1816 1817 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex)); 1818 1819 tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL); 1820 if (key_tfm != NULL) 1821 (*key_tfm) = tmp_tfm; 1822 if (!tmp_tfm) { 1823 rc = -ENOMEM; 1824 printk(KERN_ERR "Error attempting to allocate from " 1825 "ecryptfs_key_tfm_cache\n"); 1826 goto out; 1827 } 1828 mutex_init(&tmp_tfm->key_tfm_mutex); 1829 strncpy(tmp_tfm->cipher_name, cipher_name, 1830 ECRYPTFS_MAX_CIPHER_NAME_SIZE); 1831 tmp_tfm->cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0'; 1832 tmp_tfm->key_size = key_size; 1833 rc = ecryptfs_process_key_cipher(&tmp_tfm->key_tfm, 1834 tmp_tfm->cipher_name, 1835 &tmp_tfm->key_size); 1836 if (rc) { 1837 printk(KERN_ERR "Error attempting to initialize key TFM " 1838 "cipher with name = [%s]; rc = [%d]\n", 1839 tmp_tfm->cipher_name, rc); 1840 kmem_cache_free(ecryptfs_key_tfm_cache, tmp_tfm); 1841 if (key_tfm != NULL) 1842 (*key_tfm) = NULL; 1843 goto out; 1844 } 1845 list_add(&tmp_tfm->key_tfm_list, &key_tfm_list); 1846 out: 1847 return rc; 1848 } 1849 1850 /** 1851 * ecryptfs_tfm_exists - Search for existing tfm for cipher_name. 1852 * @cipher_name: the name of the cipher to search for 1853 * @key_tfm: set to corresponding tfm if found 1854 * 1855 * Searches for cached key_tfm matching @cipher_name 1856 * Must be called with &key_tfm_list_mutex held 1857 * Returns 1 if found, with @key_tfm set 1858 * Returns 0 if not found, with @key_tfm set to NULL 1859 */ 1860 int ecryptfs_tfm_exists(char *cipher_name, struct ecryptfs_key_tfm **key_tfm) 1861 { 1862 struct ecryptfs_key_tfm *tmp_key_tfm; 1863 1864 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex)); 1865 1866 list_for_each_entry(tmp_key_tfm, &key_tfm_list, key_tfm_list) { 1867 if (strcmp(tmp_key_tfm->cipher_name, cipher_name) == 0) { 1868 if (key_tfm) 1869 (*key_tfm) = tmp_key_tfm; 1870 return 1; 1871 } 1872 } 1873 if (key_tfm) 1874 (*key_tfm) = NULL; 1875 return 0; 1876 } 1877 1878 /** 1879 * ecryptfs_get_tfm_and_mutex_for_cipher_name 1880 * 1881 * @tfm: set to cached tfm found, or new tfm created 1882 * @tfm_mutex: set to mutex for cached tfm found, or new tfm created 1883 * @cipher_name: the name of the cipher to search for and/or add 1884 * 1885 * Sets pointers to @tfm & @tfm_mutex matching @cipher_name. 1886 * Searches for cached item first, and creates new if not found. 1887 * Returns 0 on success, non-zero if adding new cipher failed 1888 */ 1889 int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm, 1890 struct mutex **tfm_mutex, 1891 char *cipher_name) 1892 { 1893 struct ecryptfs_key_tfm *key_tfm; 1894 int rc = 0; 1895 1896 (*tfm) = NULL; 1897 (*tfm_mutex) = NULL; 1898 1899 mutex_lock(&key_tfm_list_mutex); 1900 if (!ecryptfs_tfm_exists(cipher_name, &key_tfm)) { 1901 rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0); 1902 if (rc) { 1903 printk(KERN_ERR "Error adding new key_tfm to list; " 1904 "rc = [%d]\n", rc); 1905 goto out; 1906 } 1907 } 1908 (*tfm) = key_tfm->key_tfm; 1909 (*tfm_mutex) = &key_tfm->key_tfm_mutex; 1910 out: 1911 mutex_unlock(&key_tfm_list_mutex); 1912 return rc; 1913 } 1914