1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * This contains functions for filename crypto management 4 * 5 * Copyright (C) 2015, Google, Inc. 6 * Copyright (C) 2015, Motorola Mobility 7 * 8 * Written by Uday Savagaonkar, 2014. 9 * Modified by Jaegeuk Kim, 2015. 10 * 11 * This has not yet undergone a rigorous security audit. 12 */ 13 14 #include <linux/scatterlist.h> 15 #include <linux/ratelimit.h> 16 #include <crypto/skcipher.h> 17 #include "fscrypt_private.h" 18 19 static inline bool fscrypt_is_dot_dotdot(const struct qstr *str) 20 { 21 if (str->len == 1 && str->name[0] == '.') 22 return true; 23 24 if (str->len == 2 && str->name[0] == '.' && str->name[1] == '.') 25 return true; 26 27 return false; 28 } 29 30 /** 31 * fname_encrypt() - encrypt a filename 32 * 33 * The output buffer must be at least as large as the input buffer. 34 * Any extra space is filled with NUL padding before encryption. 35 * 36 * Return: 0 on success, -errno on failure 37 */ 38 int fname_encrypt(struct inode *inode, const struct qstr *iname, 39 u8 *out, unsigned int olen) 40 { 41 struct skcipher_request *req = NULL; 42 DECLARE_CRYPTO_WAIT(wait); 43 struct crypto_skcipher *tfm = inode->i_crypt_info->ci_ctfm; 44 int res = 0; 45 char iv[FS_CRYPTO_BLOCK_SIZE]; 46 struct scatterlist sg; 47 48 /* 49 * Copy the filename to the output buffer for encrypting in-place and 50 * pad it with the needed number of NUL bytes. 51 */ 52 if (WARN_ON(olen < iname->len)) 53 return -ENOBUFS; 54 memcpy(out, iname->name, iname->len); 55 memset(out + iname->len, 0, olen - iname->len); 56 57 /* Initialize the IV */ 58 memset(iv, 0, FS_CRYPTO_BLOCK_SIZE); 59 60 /* Set up the encryption request */ 61 req = skcipher_request_alloc(tfm, GFP_NOFS); 62 if (!req) 63 return -ENOMEM; 64 skcipher_request_set_callback(req, 65 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, 66 crypto_req_done, &wait); 67 sg_init_one(&sg, out, olen); 68 skcipher_request_set_crypt(req, &sg, &sg, olen, iv); 69 70 /* Do the encryption */ 71 res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait); 72 skcipher_request_free(req); 73 if (res < 0) { 74 fscrypt_err(inode->i_sb, 75 "Filename encryption failed for inode %lu: %d", 76 inode->i_ino, res); 77 return res; 78 } 79 80 return 0; 81 } 82 83 /** 84 * fname_decrypt() - decrypt a filename 85 * 86 * The caller must have allocated sufficient memory for the @oname string. 87 * 88 * Return: 0 on success, -errno on failure 89 */ 90 static int fname_decrypt(struct inode *inode, 91 const struct fscrypt_str *iname, 92 struct fscrypt_str *oname) 93 { 94 struct skcipher_request *req = NULL; 95 DECLARE_CRYPTO_WAIT(wait); 96 struct scatterlist src_sg, dst_sg; 97 struct crypto_skcipher *tfm = inode->i_crypt_info->ci_ctfm; 98 int res = 0; 99 char iv[FS_CRYPTO_BLOCK_SIZE]; 100 101 /* Allocate request */ 102 req = skcipher_request_alloc(tfm, GFP_NOFS); 103 if (!req) 104 return -ENOMEM; 105 skcipher_request_set_callback(req, 106 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, 107 crypto_req_done, &wait); 108 109 /* Initialize IV */ 110 memset(iv, 0, FS_CRYPTO_BLOCK_SIZE); 111 112 /* Create decryption request */ 113 sg_init_one(&src_sg, iname->name, iname->len); 114 sg_init_one(&dst_sg, oname->name, oname->len); 115 skcipher_request_set_crypt(req, &src_sg, &dst_sg, iname->len, iv); 116 res = crypto_wait_req(crypto_skcipher_decrypt(req), &wait); 117 skcipher_request_free(req); 118 if (res < 0) { 119 fscrypt_err(inode->i_sb, 120 "Filename decryption failed for inode %lu: %d", 121 inode->i_ino, res); 122 return res; 123 } 124 125 oname->len = strnlen(oname->name, iname->len); 126 return 0; 127 } 128 129 static const char *lookup_table = 130 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+,"; 131 132 #define BASE64_CHARS(nbytes) DIV_ROUND_UP((nbytes) * 4, 3) 133 134 /** 135 * digest_encode() - 136 * 137 * Encodes the input digest using characters from the set [a-zA-Z0-9_+]. 138 * The encoded string is roughly 4/3 times the size of the input string. 139 */ 140 static int digest_encode(const char *src, int len, char *dst) 141 { 142 int i = 0, bits = 0, ac = 0; 143 char *cp = dst; 144 145 while (i < len) { 146 ac += (((unsigned char) src[i]) << bits); 147 bits += 8; 148 do { 149 *cp++ = lookup_table[ac & 0x3f]; 150 ac >>= 6; 151 bits -= 6; 152 } while (bits >= 6); 153 i++; 154 } 155 if (bits) 156 *cp++ = lookup_table[ac & 0x3f]; 157 return cp - dst; 158 } 159 160 static int digest_decode(const char *src, int len, char *dst) 161 { 162 int i = 0, bits = 0, ac = 0; 163 const char *p; 164 char *cp = dst; 165 166 while (i < len) { 167 p = strchr(lookup_table, src[i]); 168 if (p == NULL || src[i] == 0) 169 return -2; 170 ac += (p - lookup_table) << bits; 171 bits += 6; 172 if (bits >= 8) { 173 *cp++ = ac & 0xff; 174 ac >>= 8; 175 bits -= 8; 176 } 177 i++; 178 } 179 if (ac) 180 return -1; 181 return cp - dst; 182 } 183 184 bool fscrypt_fname_encrypted_size(const struct inode *inode, u32 orig_len, 185 u32 max_len, u32 *encrypted_len_ret) 186 { 187 int padding = 4 << (inode->i_crypt_info->ci_flags & 188 FS_POLICY_FLAGS_PAD_MASK); 189 u32 encrypted_len; 190 191 if (orig_len > max_len) 192 return false; 193 encrypted_len = max(orig_len, (u32)FS_CRYPTO_BLOCK_SIZE); 194 encrypted_len = round_up(encrypted_len, padding); 195 *encrypted_len_ret = min(encrypted_len, max_len); 196 return true; 197 } 198 199 /** 200 * fscrypt_fname_alloc_buffer - allocate a buffer for presented filenames 201 * 202 * Allocate a buffer that is large enough to hold any decrypted or encoded 203 * filename (null-terminated), for the given maximum encrypted filename length. 204 * 205 * Return: 0 on success, -errno on failure 206 */ 207 int fscrypt_fname_alloc_buffer(const struct inode *inode, 208 u32 max_encrypted_len, 209 struct fscrypt_str *crypto_str) 210 { 211 const u32 max_encoded_len = 212 max_t(u32, BASE64_CHARS(FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE), 213 1 + BASE64_CHARS(sizeof(struct fscrypt_digested_name))); 214 u32 max_presented_len; 215 216 max_presented_len = max(max_encoded_len, max_encrypted_len); 217 218 crypto_str->name = kmalloc(max_presented_len + 1, GFP_NOFS); 219 if (!crypto_str->name) 220 return -ENOMEM; 221 crypto_str->len = max_presented_len; 222 return 0; 223 } 224 EXPORT_SYMBOL(fscrypt_fname_alloc_buffer); 225 226 /** 227 * fscrypt_fname_free_buffer - free the buffer for presented filenames 228 * 229 * Free the buffer allocated by fscrypt_fname_alloc_buffer(). 230 */ 231 void fscrypt_fname_free_buffer(struct fscrypt_str *crypto_str) 232 { 233 if (!crypto_str) 234 return; 235 kfree(crypto_str->name); 236 crypto_str->name = NULL; 237 } 238 EXPORT_SYMBOL(fscrypt_fname_free_buffer); 239 240 /** 241 * fscrypt_fname_disk_to_usr() - converts a filename from disk space to user 242 * space 243 * 244 * The caller must have allocated sufficient memory for the @oname string. 245 * 246 * If the key is available, we'll decrypt the disk name; otherwise, we'll encode 247 * it for presentation. Short names are directly base64-encoded, while long 248 * names are encoded in fscrypt_digested_name format. 249 * 250 * Return: 0 on success, -errno on failure 251 */ 252 int fscrypt_fname_disk_to_usr(struct inode *inode, 253 u32 hash, u32 minor_hash, 254 const struct fscrypt_str *iname, 255 struct fscrypt_str *oname) 256 { 257 const struct qstr qname = FSTR_TO_QSTR(iname); 258 struct fscrypt_digested_name digested_name; 259 260 if (fscrypt_is_dot_dotdot(&qname)) { 261 oname->name[0] = '.'; 262 oname->name[iname->len - 1] = '.'; 263 oname->len = iname->len; 264 return 0; 265 } 266 267 if (iname->len < FS_CRYPTO_BLOCK_SIZE) 268 return -EUCLEAN; 269 270 if (inode->i_crypt_info) 271 return fname_decrypt(inode, iname, oname); 272 273 if (iname->len <= FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE) { 274 oname->len = digest_encode(iname->name, iname->len, 275 oname->name); 276 return 0; 277 } 278 if (hash) { 279 digested_name.hash = hash; 280 digested_name.minor_hash = minor_hash; 281 } else { 282 digested_name.hash = 0; 283 digested_name.minor_hash = 0; 284 } 285 memcpy(digested_name.digest, 286 FSCRYPT_FNAME_DIGEST(iname->name, iname->len), 287 FSCRYPT_FNAME_DIGEST_SIZE); 288 oname->name[0] = '_'; 289 oname->len = 1 + digest_encode((const char *)&digested_name, 290 sizeof(digested_name), oname->name + 1); 291 return 0; 292 } 293 EXPORT_SYMBOL(fscrypt_fname_disk_to_usr); 294 295 /** 296 * fscrypt_setup_filename() - prepare to search a possibly encrypted directory 297 * @dir: the directory that will be searched 298 * @iname: the user-provided filename being searched for 299 * @lookup: 1 if we're allowed to proceed without the key because it's 300 * ->lookup() or we're finding the dir_entry for deletion; 0 if we cannot 301 * proceed without the key because we're going to create the dir_entry. 302 * @fname: the filename information to be filled in 303 * 304 * Given a user-provided filename @iname, this function sets @fname->disk_name 305 * to the name that would be stored in the on-disk directory entry, if possible. 306 * If the directory is unencrypted this is simply @iname. Else, if we have the 307 * directory's encryption key, then @iname is the plaintext, so we encrypt it to 308 * get the disk_name. 309 * 310 * Else, for keyless @lookup operations, @iname is the presented ciphertext, so 311 * we decode it to get either the ciphertext disk_name (for short names) or the 312 * fscrypt_digested_name (for long names). Non-@lookup operations will be 313 * impossible in this case, so we fail them with ENOKEY. 314 * 315 * If successful, fscrypt_free_filename() must be called later to clean up. 316 * 317 * Return: 0 on success, -errno on failure 318 */ 319 int fscrypt_setup_filename(struct inode *dir, const struct qstr *iname, 320 int lookup, struct fscrypt_name *fname) 321 { 322 int ret; 323 int digested; 324 325 memset(fname, 0, sizeof(struct fscrypt_name)); 326 fname->usr_fname = iname; 327 328 if (!IS_ENCRYPTED(dir) || fscrypt_is_dot_dotdot(iname)) { 329 fname->disk_name.name = (unsigned char *)iname->name; 330 fname->disk_name.len = iname->len; 331 return 0; 332 } 333 ret = fscrypt_get_encryption_info(dir); 334 if (ret) 335 return ret; 336 337 if (dir->i_crypt_info) { 338 if (!fscrypt_fname_encrypted_size(dir, iname->len, 339 dir->i_sb->s_cop->max_namelen, 340 &fname->crypto_buf.len)) 341 return -ENAMETOOLONG; 342 fname->crypto_buf.name = kmalloc(fname->crypto_buf.len, 343 GFP_NOFS); 344 if (!fname->crypto_buf.name) 345 return -ENOMEM; 346 347 ret = fname_encrypt(dir, iname, fname->crypto_buf.name, 348 fname->crypto_buf.len); 349 if (ret) 350 goto errout; 351 fname->disk_name.name = fname->crypto_buf.name; 352 fname->disk_name.len = fname->crypto_buf.len; 353 return 0; 354 } 355 if (!lookup) 356 return -ENOKEY; 357 358 /* 359 * We don't have the key and we are doing a lookup; decode the 360 * user-supplied name 361 */ 362 if (iname->name[0] == '_') { 363 if (iname->len != 364 1 + BASE64_CHARS(sizeof(struct fscrypt_digested_name))) 365 return -ENOENT; 366 digested = 1; 367 } else { 368 if (iname->len > 369 BASE64_CHARS(FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE)) 370 return -ENOENT; 371 digested = 0; 372 } 373 374 fname->crypto_buf.name = 375 kmalloc(max_t(size_t, FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE, 376 sizeof(struct fscrypt_digested_name)), 377 GFP_KERNEL); 378 if (fname->crypto_buf.name == NULL) 379 return -ENOMEM; 380 381 ret = digest_decode(iname->name + digested, iname->len - digested, 382 fname->crypto_buf.name); 383 if (ret < 0) { 384 ret = -ENOENT; 385 goto errout; 386 } 387 fname->crypto_buf.len = ret; 388 if (digested) { 389 const struct fscrypt_digested_name *n = 390 (const void *)fname->crypto_buf.name; 391 fname->hash = n->hash; 392 fname->minor_hash = n->minor_hash; 393 } else { 394 fname->disk_name.name = fname->crypto_buf.name; 395 fname->disk_name.len = fname->crypto_buf.len; 396 } 397 return 0; 398 399 errout: 400 kfree(fname->crypto_buf.name); 401 return ret; 402 } 403 EXPORT_SYMBOL(fscrypt_setup_filename); 404