1 /** 2 * eCryptfs: Linux filesystem encryption layer 3 * 4 * Copyright (C) 1997-2004 Erez Zadok 5 * Copyright (C) 2001-2004 Stony Brook University 6 * Copyright (C) 2004-2007 International Business Machines Corp. 7 * Author(s): Michael A. Halcrow <mahalcro@us.ibm.com> 8 * Michael C. Thompson <mcthomps@us.ibm.com> 9 * 10 * This program is free software; you can redistribute it and/or 11 * modify it under the terms of the GNU General Public License as 12 * published by the Free Software Foundation; either version 2 of the 13 * License, or (at your option) any later version. 14 * 15 * This program is distributed in the hope that it will be useful, but 16 * WITHOUT ANY WARRANTY; without even the implied warranty of 17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 18 * General Public License for more details. 19 * 20 * You should have received a copy of the GNU General Public License 21 * along with this program; if not, write to the Free Software 22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 23 * 02111-1307, USA. 24 */ 25 26 #include <linux/fs.h> 27 #include <linux/mount.h> 28 #include <linux/pagemap.h> 29 #include <linux/random.h> 30 #include <linux/compiler.h> 31 #include <linux/key.h> 32 #include <linux/namei.h> 33 #include <linux/crypto.h> 34 #include <linux/file.h> 35 #include <linux/scatterlist.h> 36 #include "ecryptfs_kernel.h" 37 38 static int 39 ecryptfs_decrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat, 40 struct page *dst_page, int dst_offset, 41 struct page *src_page, int src_offset, int size, 42 unsigned char *iv); 43 static int 44 ecryptfs_encrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat, 45 struct page *dst_page, int dst_offset, 46 struct page *src_page, int src_offset, int size, 47 unsigned char *iv); 48 49 /** 50 * ecryptfs_to_hex 51 * @dst: Buffer to take hex character representation of contents of 52 * src; must be at least of size (src_size * 2) 53 * @src: Buffer to be converted to a hex string respresentation 54 * @src_size: number of bytes to convert 55 */ 56 void ecryptfs_to_hex(char *dst, char *src, size_t src_size) 57 { 58 int x; 59 60 for (x = 0; x < src_size; x++) 61 sprintf(&dst[x * 2], "%.2x", (unsigned char)src[x]); 62 } 63 64 /** 65 * ecryptfs_from_hex 66 * @dst: Buffer to take the bytes from src hex; must be at least of 67 * size (src_size / 2) 68 * @src: Buffer to be converted from a hex string respresentation to raw value 69 * @dst_size: size of dst buffer, or number of hex characters pairs to convert 70 */ 71 void ecryptfs_from_hex(char *dst, char *src, int dst_size) 72 { 73 int x; 74 char tmp[3] = { 0, }; 75 76 for (x = 0; x < dst_size; x++) { 77 tmp[0] = src[x * 2]; 78 tmp[1] = src[x * 2 + 1]; 79 dst[x] = (unsigned char)simple_strtol(tmp, NULL, 16); 80 } 81 } 82 83 /** 84 * ecryptfs_calculate_md5 - calculates the md5 of @src 85 * @dst: Pointer to 16 bytes of allocated memory 86 * @crypt_stat: Pointer to crypt_stat struct for the current inode 87 * @src: Data to be md5'd 88 * @len: Length of @src 89 * 90 * Uses the allocated crypto context that crypt_stat references to 91 * generate the MD5 sum of the contents of src. 92 */ 93 static int ecryptfs_calculate_md5(char *dst, 94 struct ecryptfs_crypt_stat *crypt_stat, 95 char *src, int len) 96 { 97 struct scatterlist sg; 98 struct hash_desc desc = { 99 .tfm = crypt_stat->hash_tfm, 100 .flags = CRYPTO_TFM_REQ_MAY_SLEEP 101 }; 102 int rc = 0; 103 104 mutex_lock(&crypt_stat->cs_hash_tfm_mutex); 105 sg_init_one(&sg, (u8 *)src, len); 106 if (!desc.tfm) { 107 desc.tfm = crypto_alloc_hash(ECRYPTFS_DEFAULT_HASH, 0, 108 CRYPTO_ALG_ASYNC); 109 if (IS_ERR(desc.tfm)) { 110 rc = PTR_ERR(desc.tfm); 111 ecryptfs_printk(KERN_ERR, "Error attempting to " 112 "allocate crypto context; rc = [%d]\n", 113 rc); 114 goto out; 115 } 116 crypt_stat->hash_tfm = desc.tfm; 117 } 118 rc = crypto_hash_init(&desc); 119 if (rc) { 120 printk(KERN_ERR 121 "%s: Error initializing crypto hash; rc = [%d]\n", 122 __func__, rc); 123 goto out; 124 } 125 rc = crypto_hash_update(&desc, &sg, len); 126 if (rc) { 127 printk(KERN_ERR 128 "%s: Error updating crypto hash; rc = [%d]\n", 129 __func__, rc); 130 goto out; 131 } 132 rc = crypto_hash_final(&desc, dst); 133 if (rc) { 134 printk(KERN_ERR 135 "%s: Error finalizing crypto hash; rc = [%d]\n", 136 __func__, rc); 137 goto out; 138 } 139 out: 140 mutex_unlock(&crypt_stat->cs_hash_tfm_mutex); 141 return rc; 142 } 143 144 static int ecryptfs_crypto_api_algify_cipher_name(char **algified_name, 145 char *cipher_name, 146 char *chaining_modifier) 147 { 148 int cipher_name_len = strlen(cipher_name); 149 int chaining_modifier_len = strlen(chaining_modifier); 150 int algified_name_len; 151 int rc; 152 153 algified_name_len = (chaining_modifier_len + cipher_name_len + 3); 154 (*algified_name) = kmalloc(algified_name_len, GFP_KERNEL); 155 if (!(*algified_name)) { 156 rc = -ENOMEM; 157 goto out; 158 } 159 snprintf((*algified_name), algified_name_len, "%s(%s)", 160 chaining_modifier, cipher_name); 161 rc = 0; 162 out: 163 return rc; 164 } 165 166 /** 167 * ecryptfs_derive_iv 168 * @iv: destination for the derived iv vale 169 * @crypt_stat: Pointer to crypt_stat struct for the current inode 170 * @offset: Offset of the extent whose IV we are to derive 171 * 172 * Generate the initialization vector from the given root IV and page 173 * offset. 174 * 175 * Returns zero on success; non-zero on error. 176 */ 177 static int ecryptfs_derive_iv(char *iv, struct ecryptfs_crypt_stat *crypt_stat, 178 loff_t offset) 179 { 180 int rc = 0; 181 char dst[MD5_DIGEST_SIZE]; 182 char src[ECRYPTFS_MAX_IV_BYTES + 16]; 183 184 if (unlikely(ecryptfs_verbosity > 0)) { 185 ecryptfs_printk(KERN_DEBUG, "root iv:\n"); 186 ecryptfs_dump_hex(crypt_stat->root_iv, crypt_stat->iv_bytes); 187 } 188 /* TODO: It is probably secure to just cast the least 189 * significant bits of the root IV into an unsigned long and 190 * add the offset to that rather than go through all this 191 * hashing business. -Halcrow */ 192 memcpy(src, crypt_stat->root_iv, crypt_stat->iv_bytes); 193 memset((src + crypt_stat->iv_bytes), 0, 16); 194 snprintf((src + crypt_stat->iv_bytes), 16, "%lld", offset); 195 if (unlikely(ecryptfs_verbosity > 0)) { 196 ecryptfs_printk(KERN_DEBUG, "source:\n"); 197 ecryptfs_dump_hex(src, (crypt_stat->iv_bytes + 16)); 198 } 199 rc = ecryptfs_calculate_md5(dst, crypt_stat, src, 200 (crypt_stat->iv_bytes + 16)); 201 if (rc) { 202 ecryptfs_printk(KERN_WARNING, "Error attempting to compute " 203 "MD5 while generating IV for a page\n"); 204 goto out; 205 } 206 memcpy(iv, dst, crypt_stat->iv_bytes); 207 if (unlikely(ecryptfs_verbosity > 0)) { 208 ecryptfs_printk(KERN_DEBUG, "derived iv:\n"); 209 ecryptfs_dump_hex(iv, crypt_stat->iv_bytes); 210 } 211 out: 212 return rc; 213 } 214 215 /** 216 * ecryptfs_init_crypt_stat 217 * @crypt_stat: Pointer to the crypt_stat struct to initialize. 218 * 219 * Initialize the crypt_stat structure. 220 */ 221 void 222 ecryptfs_init_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat) 223 { 224 memset((void *)crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat)); 225 INIT_LIST_HEAD(&crypt_stat->keysig_list); 226 mutex_init(&crypt_stat->keysig_list_mutex); 227 mutex_init(&crypt_stat->cs_mutex); 228 mutex_init(&crypt_stat->cs_tfm_mutex); 229 mutex_init(&crypt_stat->cs_hash_tfm_mutex); 230 crypt_stat->flags |= ECRYPTFS_STRUCT_INITIALIZED; 231 } 232 233 /** 234 * ecryptfs_destroy_crypt_stat 235 * @crypt_stat: Pointer to the crypt_stat struct to initialize. 236 * 237 * Releases all memory associated with a crypt_stat struct. 238 */ 239 void ecryptfs_destroy_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat) 240 { 241 struct ecryptfs_key_sig *key_sig, *key_sig_tmp; 242 243 if (crypt_stat->tfm) 244 crypto_free_blkcipher(crypt_stat->tfm); 245 if (crypt_stat->hash_tfm) 246 crypto_free_hash(crypt_stat->hash_tfm); 247 mutex_lock(&crypt_stat->keysig_list_mutex); 248 list_for_each_entry_safe(key_sig, key_sig_tmp, 249 &crypt_stat->keysig_list, crypt_stat_list) { 250 list_del(&key_sig->crypt_stat_list); 251 kmem_cache_free(ecryptfs_key_sig_cache, key_sig); 252 } 253 mutex_unlock(&crypt_stat->keysig_list_mutex); 254 memset(crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat)); 255 } 256 257 void ecryptfs_destroy_mount_crypt_stat( 258 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 259 { 260 struct ecryptfs_global_auth_tok *auth_tok, *auth_tok_tmp; 261 262 if (!(mount_crypt_stat->flags & ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED)) 263 return; 264 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); 265 list_for_each_entry_safe(auth_tok, auth_tok_tmp, 266 &mount_crypt_stat->global_auth_tok_list, 267 mount_crypt_stat_list) { 268 list_del(&auth_tok->mount_crypt_stat_list); 269 mount_crypt_stat->num_global_auth_toks--; 270 if (auth_tok->global_auth_tok_key 271 && !(auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID)) 272 key_put(auth_tok->global_auth_tok_key); 273 kmem_cache_free(ecryptfs_global_auth_tok_cache, auth_tok); 274 } 275 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); 276 memset(mount_crypt_stat, 0, sizeof(struct ecryptfs_mount_crypt_stat)); 277 } 278 279 /** 280 * virt_to_scatterlist 281 * @addr: Virtual address 282 * @size: Size of data; should be an even multiple of the block size 283 * @sg: Pointer to scatterlist array; set to NULL to obtain only 284 * the number of scatterlist structs required in array 285 * @sg_size: Max array size 286 * 287 * Fills in a scatterlist array with page references for a passed 288 * virtual address. 289 * 290 * Returns the number of scatterlist structs in array used 291 */ 292 int virt_to_scatterlist(const void *addr, int size, struct scatterlist *sg, 293 int sg_size) 294 { 295 int i = 0; 296 struct page *pg; 297 int offset; 298 int remainder_of_page; 299 300 sg_init_table(sg, sg_size); 301 302 while (size > 0 && i < sg_size) { 303 pg = virt_to_page(addr); 304 offset = offset_in_page(addr); 305 if (sg) 306 sg_set_page(&sg[i], pg, 0, offset); 307 remainder_of_page = PAGE_CACHE_SIZE - offset; 308 if (size >= remainder_of_page) { 309 if (sg) 310 sg[i].length = remainder_of_page; 311 addr += remainder_of_page; 312 size -= remainder_of_page; 313 } else { 314 if (sg) 315 sg[i].length = size; 316 addr += size; 317 size = 0; 318 } 319 i++; 320 } 321 if (size > 0) 322 return -ENOMEM; 323 return i; 324 } 325 326 /** 327 * encrypt_scatterlist 328 * @crypt_stat: Pointer to the crypt_stat struct to initialize. 329 * @dest_sg: Destination of encrypted data 330 * @src_sg: Data to be encrypted 331 * @size: Length of data to be encrypted 332 * @iv: iv to use during encryption 333 * 334 * Returns the number of bytes encrypted; negative value on error 335 */ 336 static int encrypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat, 337 struct scatterlist *dest_sg, 338 struct scatterlist *src_sg, int size, 339 unsigned char *iv) 340 { 341 struct blkcipher_desc desc = { 342 .tfm = crypt_stat->tfm, 343 .info = iv, 344 .flags = CRYPTO_TFM_REQ_MAY_SLEEP 345 }; 346 int rc = 0; 347 348 BUG_ON(!crypt_stat || !crypt_stat->tfm 349 || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED)); 350 if (unlikely(ecryptfs_verbosity > 0)) { 351 ecryptfs_printk(KERN_DEBUG, "Key size [%d]; key:\n", 352 crypt_stat->key_size); 353 ecryptfs_dump_hex(crypt_stat->key, 354 crypt_stat->key_size); 355 } 356 /* Consider doing this once, when the file is opened */ 357 mutex_lock(&crypt_stat->cs_tfm_mutex); 358 if (!(crypt_stat->flags & ECRYPTFS_KEY_SET)) { 359 rc = crypto_blkcipher_setkey(crypt_stat->tfm, crypt_stat->key, 360 crypt_stat->key_size); 361 crypt_stat->flags |= ECRYPTFS_KEY_SET; 362 } 363 if (rc) { 364 ecryptfs_printk(KERN_ERR, "Error setting key; rc = [%d]\n", 365 rc); 366 mutex_unlock(&crypt_stat->cs_tfm_mutex); 367 rc = -EINVAL; 368 goto out; 369 } 370 ecryptfs_printk(KERN_DEBUG, "Encrypting [%d] bytes.\n", size); 371 crypto_blkcipher_encrypt_iv(&desc, dest_sg, src_sg, size); 372 mutex_unlock(&crypt_stat->cs_tfm_mutex); 373 out: 374 return rc; 375 } 376 377 /** 378 * ecryptfs_lower_offset_for_extent 379 * 380 * Convert an eCryptfs page index into a lower byte offset 381 */ 382 static void ecryptfs_lower_offset_for_extent(loff_t *offset, loff_t extent_num, 383 struct ecryptfs_crypt_stat *crypt_stat) 384 { 385 (*offset) = (crypt_stat->num_header_bytes_at_front 386 + (crypt_stat->extent_size * extent_num)); 387 } 388 389 /** 390 * ecryptfs_encrypt_extent 391 * @enc_extent_page: Allocated page into which to encrypt the data in 392 * @page 393 * @crypt_stat: crypt_stat containing cryptographic context for the 394 * encryption operation 395 * @page: Page containing plaintext data extent to encrypt 396 * @extent_offset: Page extent offset for use in generating IV 397 * 398 * Encrypts one extent of data. 399 * 400 * Return zero on success; non-zero otherwise 401 */ 402 static int ecryptfs_encrypt_extent(struct page *enc_extent_page, 403 struct ecryptfs_crypt_stat *crypt_stat, 404 struct page *page, 405 unsigned long extent_offset) 406 { 407 loff_t extent_base; 408 char extent_iv[ECRYPTFS_MAX_IV_BYTES]; 409 int rc; 410 411 extent_base = (((loff_t)page->index) 412 * (PAGE_CACHE_SIZE / crypt_stat->extent_size)); 413 rc = ecryptfs_derive_iv(extent_iv, crypt_stat, 414 (extent_base + extent_offset)); 415 if (rc) { 416 ecryptfs_printk(KERN_ERR, "Error attempting to " 417 "derive IV for extent [0x%.16x]; " 418 "rc = [%d]\n", (extent_base + extent_offset), 419 rc); 420 goto out; 421 } 422 if (unlikely(ecryptfs_verbosity > 0)) { 423 ecryptfs_printk(KERN_DEBUG, "Encrypting extent " 424 "with iv:\n"); 425 ecryptfs_dump_hex(extent_iv, crypt_stat->iv_bytes); 426 ecryptfs_printk(KERN_DEBUG, "First 8 bytes before " 427 "encryption:\n"); 428 ecryptfs_dump_hex((char *) 429 (page_address(page) 430 + (extent_offset * crypt_stat->extent_size)), 431 8); 432 } 433 rc = ecryptfs_encrypt_page_offset(crypt_stat, enc_extent_page, 0, 434 page, (extent_offset 435 * crypt_stat->extent_size), 436 crypt_stat->extent_size, extent_iv); 437 if (rc < 0) { 438 printk(KERN_ERR "%s: Error attempting to encrypt page with " 439 "page->index = [%ld], extent_offset = [%ld]; " 440 "rc = [%d]\n", __func__, page->index, extent_offset, 441 rc); 442 goto out; 443 } 444 rc = 0; 445 if (unlikely(ecryptfs_verbosity > 0)) { 446 ecryptfs_printk(KERN_DEBUG, "Encrypt extent [0x%.16x]; " 447 "rc = [%d]\n", (extent_base + extent_offset), 448 rc); 449 ecryptfs_printk(KERN_DEBUG, "First 8 bytes after " 450 "encryption:\n"); 451 ecryptfs_dump_hex((char *)(page_address(enc_extent_page)), 8); 452 } 453 out: 454 return rc; 455 } 456 457 /** 458 * ecryptfs_encrypt_page 459 * @page: Page mapped from the eCryptfs inode for the file; contains 460 * decrypted content that needs to be encrypted (to a temporary 461 * page; not in place) and written out to the lower file 462 * 463 * Encrypt an eCryptfs page. This is done on a per-extent basis. Note 464 * that eCryptfs pages may straddle the lower pages -- for instance, 465 * if the file was created on a machine with an 8K page size 466 * (resulting in an 8K header), and then the file is copied onto a 467 * host with a 32K page size, then when reading page 0 of the eCryptfs 468 * file, 24K of page 0 of the lower file will be read and decrypted, 469 * and then 8K of page 1 of the lower file will be read and decrypted. 470 * 471 * Returns zero on success; negative on error 472 */ 473 int ecryptfs_encrypt_page(struct page *page) 474 { 475 struct inode *ecryptfs_inode; 476 struct ecryptfs_crypt_stat *crypt_stat; 477 char *enc_extent_virt = NULL; 478 struct page *enc_extent_page; 479 loff_t extent_offset; 480 int rc = 0; 481 482 ecryptfs_inode = page->mapping->host; 483 crypt_stat = 484 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat); 485 if (!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) { 486 rc = ecryptfs_write_lower_page_segment(ecryptfs_inode, page, 487 0, PAGE_CACHE_SIZE); 488 if (rc) 489 printk(KERN_ERR "%s: Error attempting to copy " 490 "page at index [%ld]\n", __func__, 491 page->index); 492 goto out; 493 } 494 enc_extent_virt = kmalloc(PAGE_CACHE_SIZE, GFP_USER); 495 if (!enc_extent_virt) { 496 rc = -ENOMEM; 497 ecryptfs_printk(KERN_ERR, "Error allocating memory for " 498 "encrypted extent\n"); 499 goto out; 500 } 501 enc_extent_page = virt_to_page(enc_extent_virt); 502 for (extent_offset = 0; 503 extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size); 504 extent_offset++) { 505 loff_t offset; 506 507 rc = ecryptfs_encrypt_extent(enc_extent_page, crypt_stat, page, 508 extent_offset); 509 if (rc) { 510 printk(KERN_ERR "%s: Error encrypting extent; " 511 "rc = [%d]\n", __func__, rc); 512 goto out; 513 } 514 ecryptfs_lower_offset_for_extent( 515 &offset, ((((loff_t)page->index) 516 * (PAGE_CACHE_SIZE 517 / crypt_stat->extent_size)) 518 + extent_offset), crypt_stat); 519 rc = ecryptfs_write_lower(ecryptfs_inode, enc_extent_virt, 520 offset, crypt_stat->extent_size); 521 if (rc) { 522 ecryptfs_printk(KERN_ERR, "Error attempting " 523 "to write lower page; rc = [%d]" 524 "\n", rc); 525 goto out; 526 } 527 } 528 out: 529 kfree(enc_extent_virt); 530 return rc; 531 } 532 533 static int ecryptfs_decrypt_extent(struct page *page, 534 struct ecryptfs_crypt_stat *crypt_stat, 535 struct page *enc_extent_page, 536 unsigned long extent_offset) 537 { 538 loff_t extent_base; 539 char extent_iv[ECRYPTFS_MAX_IV_BYTES]; 540 int rc; 541 542 extent_base = (((loff_t)page->index) 543 * (PAGE_CACHE_SIZE / crypt_stat->extent_size)); 544 rc = ecryptfs_derive_iv(extent_iv, crypt_stat, 545 (extent_base + extent_offset)); 546 if (rc) { 547 ecryptfs_printk(KERN_ERR, "Error attempting to " 548 "derive IV for extent [0x%.16x]; " 549 "rc = [%d]\n", (extent_base + extent_offset), 550 rc); 551 goto out; 552 } 553 if (unlikely(ecryptfs_verbosity > 0)) { 554 ecryptfs_printk(KERN_DEBUG, "Decrypting extent " 555 "with iv:\n"); 556 ecryptfs_dump_hex(extent_iv, crypt_stat->iv_bytes); 557 ecryptfs_printk(KERN_DEBUG, "First 8 bytes before " 558 "decryption:\n"); 559 ecryptfs_dump_hex((char *) 560 (page_address(enc_extent_page) 561 + (extent_offset * crypt_stat->extent_size)), 562 8); 563 } 564 rc = ecryptfs_decrypt_page_offset(crypt_stat, page, 565 (extent_offset 566 * crypt_stat->extent_size), 567 enc_extent_page, 0, 568 crypt_stat->extent_size, extent_iv); 569 if (rc < 0) { 570 printk(KERN_ERR "%s: Error attempting to decrypt to page with " 571 "page->index = [%ld], extent_offset = [%ld]; " 572 "rc = [%d]\n", __func__, page->index, extent_offset, 573 rc); 574 goto out; 575 } 576 rc = 0; 577 if (unlikely(ecryptfs_verbosity > 0)) { 578 ecryptfs_printk(KERN_DEBUG, "Decrypt extent [0x%.16x]; " 579 "rc = [%d]\n", (extent_base + extent_offset), 580 rc); 581 ecryptfs_printk(KERN_DEBUG, "First 8 bytes after " 582 "decryption:\n"); 583 ecryptfs_dump_hex((char *)(page_address(page) 584 + (extent_offset 585 * crypt_stat->extent_size)), 8); 586 } 587 out: 588 return rc; 589 } 590 591 /** 592 * ecryptfs_decrypt_page 593 * @page: Page mapped from the eCryptfs inode for the file; data read 594 * and decrypted from the lower file will be written into this 595 * page 596 * 597 * Decrypt an eCryptfs page. This is done on a per-extent basis. Note 598 * that eCryptfs pages may straddle the lower pages -- for instance, 599 * if the file was created on a machine with an 8K page size 600 * (resulting in an 8K header), and then the file is copied onto a 601 * host with a 32K page size, then when reading page 0 of the eCryptfs 602 * file, 24K of page 0 of the lower file will be read and decrypted, 603 * and then 8K of page 1 of the lower file will be read and decrypted. 604 * 605 * Returns zero on success; negative on error 606 */ 607 int ecryptfs_decrypt_page(struct page *page) 608 { 609 struct inode *ecryptfs_inode; 610 struct ecryptfs_crypt_stat *crypt_stat; 611 char *enc_extent_virt = NULL; 612 struct page *enc_extent_page; 613 unsigned long extent_offset; 614 int rc = 0; 615 616 ecryptfs_inode = page->mapping->host; 617 crypt_stat = 618 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat); 619 if (!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) { 620 rc = ecryptfs_read_lower_page_segment(page, page->index, 0, 621 PAGE_CACHE_SIZE, 622 ecryptfs_inode); 623 if (rc) 624 printk(KERN_ERR "%s: Error attempting to copy " 625 "page at index [%ld]\n", __func__, 626 page->index); 627 goto out; 628 } 629 enc_extent_virt = kmalloc(PAGE_CACHE_SIZE, GFP_USER); 630 if (!enc_extent_virt) { 631 rc = -ENOMEM; 632 ecryptfs_printk(KERN_ERR, "Error allocating memory for " 633 "encrypted extent\n"); 634 goto out; 635 } 636 enc_extent_page = virt_to_page(enc_extent_virt); 637 for (extent_offset = 0; 638 extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size); 639 extent_offset++) { 640 loff_t offset; 641 642 ecryptfs_lower_offset_for_extent( 643 &offset, ((page->index * (PAGE_CACHE_SIZE 644 / crypt_stat->extent_size)) 645 + extent_offset), crypt_stat); 646 rc = ecryptfs_read_lower(enc_extent_virt, offset, 647 crypt_stat->extent_size, 648 ecryptfs_inode); 649 if (rc) { 650 ecryptfs_printk(KERN_ERR, "Error attempting " 651 "to read lower page; rc = [%d]" 652 "\n", rc); 653 goto out; 654 } 655 rc = ecryptfs_decrypt_extent(page, crypt_stat, enc_extent_page, 656 extent_offset); 657 if (rc) { 658 printk(KERN_ERR "%s: Error encrypting extent; " 659 "rc = [%d]\n", __func__, rc); 660 goto out; 661 } 662 } 663 out: 664 kfree(enc_extent_virt); 665 return rc; 666 } 667 668 /** 669 * decrypt_scatterlist 670 * @crypt_stat: Cryptographic context 671 * @dest_sg: The destination scatterlist to decrypt into 672 * @src_sg: The source scatterlist to decrypt from 673 * @size: The number of bytes to decrypt 674 * @iv: The initialization vector to use for the decryption 675 * 676 * Returns the number of bytes decrypted; negative value on error 677 */ 678 static int decrypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat, 679 struct scatterlist *dest_sg, 680 struct scatterlist *src_sg, int size, 681 unsigned char *iv) 682 { 683 struct blkcipher_desc desc = { 684 .tfm = crypt_stat->tfm, 685 .info = iv, 686 .flags = CRYPTO_TFM_REQ_MAY_SLEEP 687 }; 688 int rc = 0; 689 690 /* Consider doing this once, when the file is opened */ 691 mutex_lock(&crypt_stat->cs_tfm_mutex); 692 rc = crypto_blkcipher_setkey(crypt_stat->tfm, crypt_stat->key, 693 crypt_stat->key_size); 694 if (rc) { 695 ecryptfs_printk(KERN_ERR, "Error setting key; rc = [%d]\n", 696 rc); 697 mutex_unlock(&crypt_stat->cs_tfm_mutex); 698 rc = -EINVAL; 699 goto out; 700 } 701 ecryptfs_printk(KERN_DEBUG, "Decrypting [%d] bytes.\n", size); 702 rc = crypto_blkcipher_decrypt_iv(&desc, dest_sg, src_sg, size); 703 mutex_unlock(&crypt_stat->cs_tfm_mutex); 704 if (rc) { 705 ecryptfs_printk(KERN_ERR, "Error decrypting; rc = [%d]\n", 706 rc); 707 goto out; 708 } 709 rc = size; 710 out: 711 return rc; 712 } 713 714 /** 715 * ecryptfs_encrypt_page_offset 716 * @crypt_stat: The cryptographic context 717 * @dst_page: The page to encrypt into 718 * @dst_offset: The offset in the page to encrypt into 719 * @src_page: The page to encrypt from 720 * @src_offset: The offset in the page to encrypt from 721 * @size: The number of bytes to encrypt 722 * @iv: The initialization vector to use for the encryption 723 * 724 * Returns the number of bytes encrypted 725 */ 726 static int 727 ecryptfs_encrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat, 728 struct page *dst_page, int dst_offset, 729 struct page *src_page, int src_offset, int size, 730 unsigned char *iv) 731 { 732 struct scatterlist src_sg, dst_sg; 733 734 sg_init_table(&src_sg, 1); 735 sg_init_table(&dst_sg, 1); 736 737 sg_set_page(&src_sg, src_page, size, src_offset); 738 sg_set_page(&dst_sg, dst_page, size, dst_offset); 739 return encrypt_scatterlist(crypt_stat, &dst_sg, &src_sg, size, iv); 740 } 741 742 /** 743 * ecryptfs_decrypt_page_offset 744 * @crypt_stat: The cryptographic context 745 * @dst_page: The page to decrypt into 746 * @dst_offset: The offset in the page to decrypt into 747 * @src_page: The page to decrypt from 748 * @src_offset: The offset in the page to decrypt from 749 * @size: The number of bytes to decrypt 750 * @iv: The initialization vector to use for the decryption 751 * 752 * Returns the number of bytes decrypted 753 */ 754 static int 755 ecryptfs_decrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat, 756 struct page *dst_page, int dst_offset, 757 struct page *src_page, int src_offset, int size, 758 unsigned char *iv) 759 { 760 struct scatterlist src_sg, dst_sg; 761 762 sg_init_table(&src_sg, 1); 763 sg_set_page(&src_sg, src_page, size, src_offset); 764 765 sg_init_table(&dst_sg, 1); 766 sg_set_page(&dst_sg, dst_page, size, dst_offset); 767 768 return decrypt_scatterlist(crypt_stat, &dst_sg, &src_sg, size, iv); 769 } 770 771 #define ECRYPTFS_MAX_SCATTERLIST_LEN 4 772 773 /** 774 * ecryptfs_init_crypt_ctx 775 * @crypt_stat: Uninitilized crypt stats structure 776 * 777 * Initialize the crypto context. 778 * 779 * TODO: Performance: Keep a cache of initialized cipher contexts; 780 * only init if needed 781 */ 782 int ecryptfs_init_crypt_ctx(struct ecryptfs_crypt_stat *crypt_stat) 783 { 784 char *full_alg_name; 785 int rc = -EINVAL; 786 787 if (!crypt_stat->cipher) { 788 ecryptfs_printk(KERN_ERR, "No cipher specified\n"); 789 goto out; 790 } 791 ecryptfs_printk(KERN_DEBUG, 792 "Initializing cipher [%s]; strlen = [%d]; " 793 "key_size_bits = [%d]\n", 794 crypt_stat->cipher, (int)strlen(crypt_stat->cipher), 795 crypt_stat->key_size << 3); 796 if (crypt_stat->tfm) { 797 rc = 0; 798 goto out; 799 } 800 mutex_lock(&crypt_stat->cs_tfm_mutex); 801 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, 802 crypt_stat->cipher, "cbc"); 803 if (rc) 804 goto out_unlock; 805 crypt_stat->tfm = crypto_alloc_blkcipher(full_alg_name, 0, 806 CRYPTO_ALG_ASYNC); 807 kfree(full_alg_name); 808 if (IS_ERR(crypt_stat->tfm)) { 809 rc = PTR_ERR(crypt_stat->tfm); 810 ecryptfs_printk(KERN_ERR, "cryptfs: init_crypt_ctx(): " 811 "Error initializing cipher [%s]\n", 812 crypt_stat->cipher); 813 goto out_unlock; 814 } 815 crypto_blkcipher_set_flags(crypt_stat->tfm, CRYPTO_TFM_REQ_WEAK_KEY); 816 rc = 0; 817 out_unlock: 818 mutex_unlock(&crypt_stat->cs_tfm_mutex); 819 out: 820 return rc; 821 } 822 823 static void set_extent_mask_and_shift(struct ecryptfs_crypt_stat *crypt_stat) 824 { 825 int extent_size_tmp; 826 827 crypt_stat->extent_mask = 0xFFFFFFFF; 828 crypt_stat->extent_shift = 0; 829 if (crypt_stat->extent_size == 0) 830 return; 831 extent_size_tmp = crypt_stat->extent_size; 832 while ((extent_size_tmp & 0x01) == 0) { 833 extent_size_tmp >>= 1; 834 crypt_stat->extent_mask <<= 1; 835 crypt_stat->extent_shift++; 836 } 837 } 838 839 void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat) 840 { 841 /* Default values; may be overwritten as we are parsing the 842 * packets. */ 843 crypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE; 844 set_extent_mask_and_shift(crypt_stat); 845 crypt_stat->iv_bytes = ECRYPTFS_DEFAULT_IV_BYTES; 846 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR) 847 crypt_stat->num_header_bytes_at_front = 0; 848 else { 849 if (PAGE_CACHE_SIZE <= ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE) 850 crypt_stat->num_header_bytes_at_front = 851 ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE; 852 else 853 crypt_stat->num_header_bytes_at_front = PAGE_CACHE_SIZE; 854 } 855 } 856 857 /** 858 * ecryptfs_compute_root_iv 859 * @crypt_stats 860 * 861 * On error, sets the root IV to all 0's. 862 */ 863 int ecryptfs_compute_root_iv(struct ecryptfs_crypt_stat *crypt_stat) 864 { 865 int rc = 0; 866 char dst[MD5_DIGEST_SIZE]; 867 868 BUG_ON(crypt_stat->iv_bytes > MD5_DIGEST_SIZE); 869 BUG_ON(crypt_stat->iv_bytes <= 0); 870 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) { 871 rc = -EINVAL; 872 ecryptfs_printk(KERN_WARNING, "Session key not valid; " 873 "cannot generate root IV\n"); 874 goto out; 875 } 876 rc = ecryptfs_calculate_md5(dst, crypt_stat, crypt_stat->key, 877 crypt_stat->key_size); 878 if (rc) { 879 ecryptfs_printk(KERN_WARNING, "Error attempting to compute " 880 "MD5 while generating root IV\n"); 881 goto out; 882 } 883 memcpy(crypt_stat->root_iv, dst, crypt_stat->iv_bytes); 884 out: 885 if (rc) { 886 memset(crypt_stat->root_iv, 0, crypt_stat->iv_bytes); 887 crypt_stat->flags |= ECRYPTFS_SECURITY_WARNING; 888 } 889 return rc; 890 } 891 892 static void ecryptfs_generate_new_key(struct ecryptfs_crypt_stat *crypt_stat) 893 { 894 get_random_bytes(crypt_stat->key, crypt_stat->key_size); 895 crypt_stat->flags |= ECRYPTFS_KEY_VALID; 896 ecryptfs_compute_root_iv(crypt_stat); 897 if (unlikely(ecryptfs_verbosity > 0)) { 898 ecryptfs_printk(KERN_DEBUG, "Generated new session key:\n"); 899 ecryptfs_dump_hex(crypt_stat->key, 900 crypt_stat->key_size); 901 } 902 } 903 904 /** 905 * ecryptfs_copy_mount_wide_flags_to_inode_flags 906 * @crypt_stat: The inode's cryptographic context 907 * @mount_crypt_stat: The mount point's cryptographic context 908 * 909 * This function propagates the mount-wide flags to individual inode 910 * flags. 911 */ 912 static void ecryptfs_copy_mount_wide_flags_to_inode_flags( 913 struct ecryptfs_crypt_stat *crypt_stat, 914 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 915 { 916 if (mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED) 917 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR; 918 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) 919 crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED; 920 } 921 922 static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs( 923 struct ecryptfs_crypt_stat *crypt_stat, 924 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 925 { 926 struct ecryptfs_global_auth_tok *global_auth_tok; 927 int rc = 0; 928 929 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); 930 list_for_each_entry(global_auth_tok, 931 &mount_crypt_stat->global_auth_tok_list, 932 mount_crypt_stat_list) { 933 rc = ecryptfs_add_keysig(crypt_stat, global_auth_tok->sig); 934 if (rc) { 935 printk(KERN_ERR "Error adding keysig; rc = [%d]\n", rc); 936 mutex_unlock( 937 &mount_crypt_stat->global_auth_tok_list_mutex); 938 goto out; 939 } 940 } 941 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); 942 out: 943 return rc; 944 } 945 946 /** 947 * ecryptfs_set_default_crypt_stat_vals 948 * @crypt_stat: The inode's cryptographic context 949 * @mount_crypt_stat: The mount point's cryptographic context 950 * 951 * Default values in the event that policy does not override them. 952 */ 953 static void ecryptfs_set_default_crypt_stat_vals( 954 struct ecryptfs_crypt_stat *crypt_stat, 955 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 956 { 957 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, 958 mount_crypt_stat); 959 ecryptfs_set_default_sizes(crypt_stat); 960 strcpy(crypt_stat->cipher, ECRYPTFS_DEFAULT_CIPHER); 961 crypt_stat->key_size = ECRYPTFS_DEFAULT_KEY_BYTES; 962 crypt_stat->flags &= ~(ECRYPTFS_KEY_VALID); 963 crypt_stat->file_version = ECRYPTFS_FILE_VERSION; 964 crypt_stat->mount_crypt_stat = mount_crypt_stat; 965 } 966 967 /** 968 * ecryptfs_new_file_context 969 * @ecryptfs_dentry: The eCryptfs dentry 970 * 971 * If the crypto context for the file has not yet been established, 972 * this is where we do that. Establishing a new crypto context 973 * involves the following decisions: 974 * - What cipher to use? 975 * - What set of authentication tokens to use? 976 * Here we just worry about getting enough information into the 977 * authentication tokens so that we know that they are available. 978 * We associate the available authentication tokens with the new file 979 * via the set of signatures in the crypt_stat struct. Later, when 980 * the headers are actually written out, we may again defer to 981 * userspace to perform the encryption of the session key; for the 982 * foreseeable future, this will be the case with public key packets. 983 * 984 * Returns zero on success; non-zero otherwise 985 */ 986 int ecryptfs_new_file_context(struct dentry *ecryptfs_dentry) 987 { 988 struct ecryptfs_crypt_stat *crypt_stat = 989 &ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat; 990 struct ecryptfs_mount_crypt_stat *mount_crypt_stat = 991 &ecryptfs_superblock_to_private( 992 ecryptfs_dentry->d_sb)->mount_crypt_stat; 993 int cipher_name_len; 994 int rc = 0; 995 996 ecryptfs_set_default_crypt_stat_vals(crypt_stat, mount_crypt_stat); 997 crypt_stat->flags |= (ECRYPTFS_ENCRYPTED | ECRYPTFS_KEY_VALID); 998 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, 999 mount_crypt_stat); 1000 rc = ecryptfs_copy_mount_wide_sigs_to_inode_sigs(crypt_stat, 1001 mount_crypt_stat); 1002 if (rc) { 1003 printk(KERN_ERR "Error attempting to copy mount-wide key sigs " 1004 "to the inode key sigs; rc = [%d]\n", rc); 1005 goto out; 1006 } 1007 cipher_name_len = 1008 strlen(mount_crypt_stat->global_default_cipher_name); 1009 memcpy(crypt_stat->cipher, 1010 mount_crypt_stat->global_default_cipher_name, 1011 cipher_name_len); 1012 crypt_stat->cipher[cipher_name_len] = '\0'; 1013 crypt_stat->key_size = 1014 mount_crypt_stat->global_default_cipher_key_size; 1015 ecryptfs_generate_new_key(crypt_stat); 1016 rc = ecryptfs_init_crypt_ctx(crypt_stat); 1017 if (rc) 1018 ecryptfs_printk(KERN_ERR, "Error initializing cryptographic " 1019 "context for cipher [%s]: rc = [%d]\n", 1020 crypt_stat->cipher, rc); 1021 out: 1022 return rc; 1023 } 1024 1025 /** 1026 * contains_ecryptfs_marker - check for the ecryptfs marker 1027 * @data: The data block in which to check 1028 * 1029 * Returns one if marker found; zero if not found 1030 */ 1031 static int contains_ecryptfs_marker(char *data) 1032 { 1033 u32 m_1, m_2; 1034 1035 memcpy(&m_1, data, 4); 1036 m_1 = be32_to_cpu(m_1); 1037 memcpy(&m_2, (data + 4), 4); 1038 m_2 = be32_to_cpu(m_2); 1039 if ((m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2) 1040 return 1; 1041 ecryptfs_printk(KERN_DEBUG, "m_1 = [0x%.8x]; m_2 = [0x%.8x]; " 1042 "MAGIC_ECRYPTFS_MARKER = [0x%.8x]\n", m_1, m_2, 1043 MAGIC_ECRYPTFS_MARKER); 1044 ecryptfs_printk(KERN_DEBUG, "(m_1 ^ MAGIC_ECRYPTFS_MARKER) = " 1045 "[0x%.8x]\n", (m_1 ^ MAGIC_ECRYPTFS_MARKER)); 1046 return 0; 1047 } 1048 1049 struct ecryptfs_flag_map_elem { 1050 u32 file_flag; 1051 u32 local_flag; 1052 }; 1053 1054 /* Add support for additional flags by adding elements here. */ 1055 static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = { 1056 {0x00000001, ECRYPTFS_ENABLE_HMAC}, 1057 {0x00000002, ECRYPTFS_ENCRYPTED}, 1058 {0x00000004, ECRYPTFS_METADATA_IN_XATTR} 1059 }; 1060 1061 /** 1062 * ecryptfs_process_flags 1063 * @crypt_stat: The cryptographic context 1064 * @page_virt: Source data to be parsed 1065 * @bytes_read: Updated with the number of bytes read 1066 * 1067 * Returns zero on success; non-zero if the flag set is invalid 1068 */ 1069 static int ecryptfs_process_flags(struct ecryptfs_crypt_stat *crypt_stat, 1070 char *page_virt, int *bytes_read) 1071 { 1072 int rc = 0; 1073 int i; 1074 u32 flags; 1075 1076 memcpy(&flags, page_virt, 4); 1077 flags = be32_to_cpu(flags); 1078 for (i = 0; i < ((sizeof(ecryptfs_flag_map) 1079 / sizeof(struct ecryptfs_flag_map_elem))); i++) 1080 if (flags & ecryptfs_flag_map[i].file_flag) { 1081 crypt_stat->flags |= ecryptfs_flag_map[i].local_flag; 1082 } else 1083 crypt_stat->flags &= ~(ecryptfs_flag_map[i].local_flag); 1084 /* Version is in top 8 bits of the 32-bit flag vector */ 1085 crypt_stat->file_version = ((flags >> 24) & 0xFF); 1086 (*bytes_read) = 4; 1087 return rc; 1088 } 1089 1090 /** 1091 * write_ecryptfs_marker 1092 * @page_virt: The pointer to in a page to begin writing the marker 1093 * @written: Number of bytes written 1094 * 1095 * Marker = 0x3c81b7f5 1096 */ 1097 static void write_ecryptfs_marker(char *page_virt, size_t *written) 1098 { 1099 u32 m_1, m_2; 1100 1101 get_random_bytes(&m_1, (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2)); 1102 m_2 = (m_1 ^ MAGIC_ECRYPTFS_MARKER); 1103 m_1 = cpu_to_be32(m_1); 1104 memcpy(page_virt, &m_1, (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2)); 1105 m_2 = cpu_to_be32(m_2); 1106 memcpy(page_virt + (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2), &m_2, 1107 (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2)); 1108 (*written) = MAGIC_ECRYPTFS_MARKER_SIZE_BYTES; 1109 } 1110 1111 static void 1112 write_ecryptfs_flags(char *page_virt, struct ecryptfs_crypt_stat *crypt_stat, 1113 size_t *written) 1114 { 1115 u32 flags = 0; 1116 int i; 1117 1118 for (i = 0; i < ((sizeof(ecryptfs_flag_map) 1119 / sizeof(struct ecryptfs_flag_map_elem))); i++) 1120 if (crypt_stat->flags & ecryptfs_flag_map[i].local_flag) 1121 flags |= ecryptfs_flag_map[i].file_flag; 1122 /* Version is in top 8 bits of the 32-bit flag vector */ 1123 flags |= ((((u8)crypt_stat->file_version) << 24) & 0xFF000000); 1124 flags = cpu_to_be32(flags); 1125 memcpy(page_virt, &flags, 4); 1126 (*written) = 4; 1127 } 1128 1129 struct ecryptfs_cipher_code_str_map_elem { 1130 char cipher_str[16]; 1131 u8 cipher_code; 1132 }; 1133 1134 /* Add support for additional ciphers by adding elements here. The 1135 * cipher_code is whatever OpenPGP applicatoins use to identify the 1136 * ciphers. List in order of probability. */ 1137 static struct ecryptfs_cipher_code_str_map_elem 1138 ecryptfs_cipher_code_str_map[] = { 1139 {"aes",RFC2440_CIPHER_AES_128 }, 1140 {"blowfish", RFC2440_CIPHER_BLOWFISH}, 1141 {"des3_ede", RFC2440_CIPHER_DES3_EDE}, 1142 {"cast5", RFC2440_CIPHER_CAST_5}, 1143 {"twofish", RFC2440_CIPHER_TWOFISH}, 1144 {"cast6", RFC2440_CIPHER_CAST_6}, 1145 {"aes", RFC2440_CIPHER_AES_192}, 1146 {"aes", RFC2440_CIPHER_AES_256} 1147 }; 1148 1149 /** 1150 * ecryptfs_code_for_cipher_string 1151 * @crypt_stat: The cryptographic context 1152 * 1153 * Returns zero on no match, or the cipher code on match 1154 */ 1155 u8 ecryptfs_code_for_cipher_string(struct ecryptfs_crypt_stat *crypt_stat) 1156 { 1157 int i; 1158 u8 code = 0; 1159 struct ecryptfs_cipher_code_str_map_elem *map = 1160 ecryptfs_cipher_code_str_map; 1161 1162 if (strcmp(crypt_stat->cipher, "aes") == 0) { 1163 switch (crypt_stat->key_size) { 1164 case 16: 1165 code = RFC2440_CIPHER_AES_128; 1166 break; 1167 case 24: 1168 code = RFC2440_CIPHER_AES_192; 1169 break; 1170 case 32: 1171 code = RFC2440_CIPHER_AES_256; 1172 } 1173 } else { 1174 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++) 1175 if (strcmp(crypt_stat->cipher, map[i].cipher_str) == 0){ 1176 code = map[i].cipher_code; 1177 break; 1178 } 1179 } 1180 return code; 1181 } 1182 1183 /** 1184 * ecryptfs_cipher_code_to_string 1185 * @str: Destination to write out the cipher name 1186 * @cipher_code: The code to convert to cipher name string 1187 * 1188 * Returns zero on success 1189 */ 1190 int ecryptfs_cipher_code_to_string(char *str, u8 cipher_code) 1191 { 1192 int rc = 0; 1193 int i; 1194 1195 str[0] = '\0'; 1196 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++) 1197 if (cipher_code == ecryptfs_cipher_code_str_map[i].cipher_code) 1198 strcpy(str, ecryptfs_cipher_code_str_map[i].cipher_str); 1199 if (str[0] == '\0') { 1200 ecryptfs_printk(KERN_WARNING, "Cipher code not recognized: " 1201 "[%d]\n", cipher_code); 1202 rc = -EINVAL; 1203 } 1204 return rc; 1205 } 1206 1207 int ecryptfs_read_and_validate_header_region(char *data, 1208 struct inode *ecryptfs_inode) 1209 { 1210 struct ecryptfs_crypt_stat *crypt_stat = 1211 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat); 1212 int rc; 1213 1214 rc = ecryptfs_read_lower(data, 0, crypt_stat->extent_size, 1215 ecryptfs_inode); 1216 if (rc) { 1217 printk(KERN_ERR "%s: Error reading header region; rc = [%d]\n", 1218 __func__, rc); 1219 goto out; 1220 } 1221 if (!contains_ecryptfs_marker(data + ECRYPTFS_FILE_SIZE_BYTES)) { 1222 rc = -EINVAL; 1223 ecryptfs_printk(KERN_DEBUG, "Valid marker not found\n"); 1224 } 1225 out: 1226 return rc; 1227 } 1228 1229 void 1230 ecryptfs_write_header_metadata(char *virt, 1231 struct ecryptfs_crypt_stat *crypt_stat, 1232 size_t *written) 1233 { 1234 u32 header_extent_size; 1235 u16 num_header_extents_at_front; 1236 1237 header_extent_size = (u32)crypt_stat->extent_size; 1238 num_header_extents_at_front = 1239 (u16)(crypt_stat->num_header_bytes_at_front 1240 / crypt_stat->extent_size); 1241 header_extent_size = cpu_to_be32(header_extent_size); 1242 memcpy(virt, &header_extent_size, 4); 1243 virt += 4; 1244 num_header_extents_at_front = cpu_to_be16(num_header_extents_at_front); 1245 memcpy(virt, &num_header_extents_at_front, 2); 1246 (*written) = 6; 1247 } 1248 1249 struct kmem_cache *ecryptfs_header_cache_1; 1250 struct kmem_cache *ecryptfs_header_cache_2; 1251 1252 /** 1253 * ecryptfs_write_headers_virt 1254 * @page_virt: The virtual address to write the headers to 1255 * @size: Set to the number of bytes written by this function 1256 * @crypt_stat: The cryptographic context 1257 * @ecryptfs_dentry: The eCryptfs dentry 1258 * 1259 * Format version: 1 1260 * 1261 * Header Extent: 1262 * Octets 0-7: Unencrypted file size (big-endian) 1263 * Octets 8-15: eCryptfs special marker 1264 * Octets 16-19: Flags 1265 * Octet 16: File format version number (between 0 and 255) 1266 * Octets 17-18: Reserved 1267 * Octet 19: Bit 1 (lsb): Reserved 1268 * Bit 2: Encrypted? 1269 * Bits 3-8: Reserved 1270 * Octets 20-23: Header extent size (big-endian) 1271 * Octets 24-25: Number of header extents at front of file 1272 * (big-endian) 1273 * Octet 26: Begin RFC 2440 authentication token packet set 1274 * Data Extent 0: 1275 * Lower data (CBC encrypted) 1276 * Data Extent 1: 1277 * Lower data (CBC encrypted) 1278 * ... 1279 * 1280 * Returns zero on success 1281 */ 1282 static int ecryptfs_write_headers_virt(char *page_virt, size_t *size, 1283 struct ecryptfs_crypt_stat *crypt_stat, 1284 struct dentry *ecryptfs_dentry) 1285 { 1286 int rc; 1287 size_t written; 1288 size_t offset; 1289 1290 offset = ECRYPTFS_FILE_SIZE_BYTES; 1291 write_ecryptfs_marker((page_virt + offset), &written); 1292 offset += written; 1293 write_ecryptfs_flags((page_virt + offset), crypt_stat, &written); 1294 offset += written; 1295 ecryptfs_write_header_metadata((page_virt + offset), crypt_stat, 1296 &written); 1297 offset += written; 1298 rc = ecryptfs_generate_key_packet_set((page_virt + offset), crypt_stat, 1299 ecryptfs_dentry, &written, 1300 PAGE_CACHE_SIZE - offset); 1301 if (rc) 1302 ecryptfs_printk(KERN_WARNING, "Error generating key packet " 1303 "set; rc = [%d]\n", rc); 1304 if (size) { 1305 offset += written; 1306 *size = offset; 1307 } 1308 return rc; 1309 } 1310 1311 static int 1312 ecryptfs_write_metadata_to_contents(struct ecryptfs_crypt_stat *crypt_stat, 1313 struct dentry *ecryptfs_dentry, 1314 char *virt) 1315 { 1316 int rc; 1317 1318 rc = ecryptfs_write_lower(ecryptfs_dentry->d_inode, virt, 1319 0, crypt_stat->num_header_bytes_at_front); 1320 if (rc) 1321 printk(KERN_ERR "%s: Error attempting to write header " 1322 "information to lower file; rc = [%d]\n", __func__, 1323 rc); 1324 return rc; 1325 } 1326 1327 static int 1328 ecryptfs_write_metadata_to_xattr(struct dentry *ecryptfs_dentry, 1329 struct ecryptfs_crypt_stat *crypt_stat, 1330 char *page_virt, size_t size) 1331 { 1332 int rc; 1333 1334 rc = ecryptfs_setxattr(ecryptfs_dentry, ECRYPTFS_XATTR_NAME, page_virt, 1335 size, 0); 1336 return rc; 1337 } 1338 1339 /** 1340 * ecryptfs_write_metadata 1341 * @ecryptfs_dentry: The eCryptfs dentry 1342 * 1343 * Write the file headers out. This will likely involve a userspace 1344 * callout, in which the session key is encrypted with one or more 1345 * public keys and/or the passphrase necessary to do the encryption is 1346 * retrieved via a prompt. Exactly what happens at this point should 1347 * be policy-dependent. 1348 * 1349 * Returns zero on success; non-zero on error 1350 */ 1351 int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry) 1352 { 1353 struct ecryptfs_crypt_stat *crypt_stat = 1354 &ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat; 1355 char *virt; 1356 size_t size = 0; 1357 int rc = 0; 1358 1359 if (likely(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) { 1360 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) { 1361 printk(KERN_ERR "Key is invalid; bailing out\n"); 1362 rc = -EINVAL; 1363 goto out; 1364 } 1365 } else { 1366 printk(KERN_WARNING "%s: Encrypted flag not set\n", 1367 __func__); 1368 rc = -EINVAL; 1369 goto out; 1370 } 1371 /* Released in this function */ 1372 virt = kzalloc(crypt_stat->num_header_bytes_at_front, GFP_KERNEL); 1373 if (!virt) { 1374 printk(KERN_ERR "%s: Out of memory\n", __func__); 1375 rc = -ENOMEM; 1376 goto out; 1377 } 1378 rc = ecryptfs_write_headers_virt(virt, &size, crypt_stat, 1379 ecryptfs_dentry); 1380 if (unlikely(rc)) { 1381 printk(KERN_ERR "%s: Error whilst writing headers; rc = [%d]\n", 1382 __func__, rc); 1383 goto out_free; 1384 } 1385 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR) 1386 rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, 1387 crypt_stat, virt, size); 1388 else 1389 rc = ecryptfs_write_metadata_to_contents(crypt_stat, 1390 ecryptfs_dentry, virt); 1391 if (rc) { 1392 printk(KERN_ERR "%s: Error writing metadata out to lower file; " 1393 "rc = [%d]\n", __func__, rc); 1394 goto out_free; 1395 } 1396 out_free: 1397 memset(virt, 0, crypt_stat->num_header_bytes_at_front); 1398 kfree(virt); 1399 out: 1400 return rc; 1401 } 1402 1403 #define ECRYPTFS_DONT_VALIDATE_HEADER_SIZE 0 1404 #define ECRYPTFS_VALIDATE_HEADER_SIZE 1 1405 static int parse_header_metadata(struct ecryptfs_crypt_stat *crypt_stat, 1406 char *virt, int *bytes_read, 1407 int validate_header_size) 1408 { 1409 int rc = 0; 1410 u32 header_extent_size; 1411 u16 num_header_extents_at_front; 1412 1413 memcpy(&header_extent_size, virt, sizeof(u32)); 1414 header_extent_size = be32_to_cpu(header_extent_size); 1415 virt += sizeof(u32); 1416 memcpy(&num_header_extents_at_front, virt, sizeof(u16)); 1417 num_header_extents_at_front = be16_to_cpu(num_header_extents_at_front); 1418 crypt_stat->num_header_bytes_at_front = 1419 (((size_t)num_header_extents_at_front 1420 * (size_t)header_extent_size)); 1421 (*bytes_read) = (sizeof(u32) + sizeof(u16)); 1422 if ((validate_header_size == ECRYPTFS_VALIDATE_HEADER_SIZE) 1423 && (crypt_stat->num_header_bytes_at_front 1424 < ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)) { 1425 rc = -EINVAL; 1426 printk(KERN_WARNING "Invalid header size: [%zd]\n", 1427 crypt_stat->num_header_bytes_at_front); 1428 } 1429 return rc; 1430 } 1431 1432 /** 1433 * set_default_header_data 1434 * @crypt_stat: The cryptographic context 1435 * 1436 * For version 0 file format; this function is only for backwards 1437 * compatibility for files created with the prior versions of 1438 * eCryptfs. 1439 */ 1440 static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat) 1441 { 1442 crypt_stat->num_header_bytes_at_front = 1443 ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE; 1444 } 1445 1446 /** 1447 * ecryptfs_read_headers_virt 1448 * @page_virt: The virtual address into which to read the headers 1449 * @crypt_stat: The cryptographic context 1450 * @ecryptfs_dentry: The eCryptfs dentry 1451 * @validate_header_size: Whether to validate the header size while reading 1452 * 1453 * Read/parse the header data. The header format is detailed in the 1454 * comment block for the ecryptfs_write_headers_virt() function. 1455 * 1456 * Returns zero on success 1457 */ 1458 static int ecryptfs_read_headers_virt(char *page_virt, 1459 struct ecryptfs_crypt_stat *crypt_stat, 1460 struct dentry *ecryptfs_dentry, 1461 int validate_header_size) 1462 { 1463 int rc = 0; 1464 int offset; 1465 int bytes_read; 1466 1467 ecryptfs_set_default_sizes(crypt_stat); 1468 crypt_stat->mount_crypt_stat = &ecryptfs_superblock_to_private( 1469 ecryptfs_dentry->d_sb)->mount_crypt_stat; 1470 offset = ECRYPTFS_FILE_SIZE_BYTES; 1471 rc = contains_ecryptfs_marker(page_virt + offset); 1472 if (rc == 0) { 1473 rc = -EINVAL; 1474 goto out; 1475 } 1476 offset += MAGIC_ECRYPTFS_MARKER_SIZE_BYTES; 1477 rc = ecryptfs_process_flags(crypt_stat, (page_virt + offset), 1478 &bytes_read); 1479 if (rc) { 1480 ecryptfs_printk(KERN_WARNING, "Error processing flags\n"); 1481 goto out; 1482 } 1483 if (crypt_stat->file_version > ECRYPTFS_SUPPORTED_FILE_VERSION) { 1484 ecryptfs_printk(KERN_WARNING, "File version is [%d]; only " 1485 "file version [%d] is supported by this " 1486 "version of eCryptfs\n", 1487 crypt_stat->file_version, 1488 ECRYPTFS_SUPPORTED_FILE_VERSION); 1489 rc = -EINVAL; 1490 goto out; 1491 } 1492 offset += bytes_read; 1493 if (crypt_stat->file_version >= 1) { 1494 rc = parse_header_metadata(crypt_stat, (page_virt + offset), 1495 &bytes_read, validate_header_size); 1496 if (rc) { 1497 ecryptfs_printk(KERN_WARNING, "Error reading header " 1498 "metadata; rc = [%d]\n", rc); 1499 } 1500 offset += bytes_read; 1501 } else 1502 set_default_header_data(crypt_stat); 1503 rc = ecryptfs_parse_packet_set(crypt_stat, (page_virt + offset), 1504 ecryptfs_dentry); 1505 out: 1506 return rc; 1507 } 1508 1509 /** 1510 * ecryptfs_read_xattr_region 1511 * @page_virt: The vitual address into which to read the xattr data 1512 * @ecryptfs_inode: The eCryptfs inode 1513 * 1514 * Attempts to read the crypto metadata from the extended attribute 1515 * region of the lower file. 1516 * 1517 * Returns zero on success; non-zero on error 1518 */ 1519 int ecryptfs_read_xattr_region(char *page_virt, struct inode *ecryptfs_inode) 1520 { 1521 struct dentry *lower_dentry = 1522 ecryptfs_inode_to_private(ecryptfs_inode)->lower_file->f_dentry; 1523 ssize_t size; 1524 int rc = 0; 1525 1526 size = ecryptfs_getxattr_lower(lower_dentry, ECRYPTFS_XATTR_NAME, 1527 page_virt, ECRYPTFS_DEFAULT_EXTENT_SIZE); 1528 if (size < 0) { 1529 if (unlikely(ecryptfs_verbosity > 0)) 1530 printk(KERN_INFO "Error attempting to read the [%s] " 1531 "xattr from the lower file; return value = " 1532 "[%zd]\n", ECRYPTFS_XATTR_NAME, size); 1533 rc = -EINVAL; 1534 goto out; 1535 } 1536 out: 1537 return rc; 1538 } 1539 1540 int ecryptfs_read_and_validate_xattr_region(char *page_virt, 1541 struct dentry *ecryptfs_dentry) 1542 { 1543 int rc; 1544 1545 rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_dentry->d_inode); 1546 if (rc) 1547 goto out; 1548 if (!contains_ecryptfs_marker(page_virt + ECRYPTFS_FILE_SIZE_BYTES)) { 1549 printk(KERN_WARNING "Valid data found in [%s] xattr, but " 1550 "the marker is invalid\n", ECRYPTFS_XATTR_NAME); 1551 rc = -EINVAL; 1552 } 1553 out: 1554 return rc; 1555 } 1556 1557 /** 1558 * ecryptfs_read_metadata 1559 * 1560 * Common entry point for reading file metadata. From here, we could 1561 * retrieve the header information from the header region of the file, 1562 * the xattr region of the file, or some other repostory that is 1563 * stored separately from the file itself. The current implementation 1564 * supports retrieving the metadata information from the file contents 1565 * and from the xattr region. 1566 * 1567 * Returns zero if valid headers found and parsed; non-zero otherwise 1568 */ 1569 int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry) 1570 { 1571 int rc = 0; 1572 char *page_virt = NULL; 1573 struct inode *ecryptfs_inode = ecryptfs_dentry->d_inode; 1574 struct ecryptfs_crypt_stat *crypt_stat = 1575 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat; 1576 struct ecryptfs_mount_crypt_stat *mount_crypt_stat = 1577 &ecryptfs_superblock_to_private( 1578 ecryptfs_dentry->d_sb)->mount_crypt_stat; 1579 1580 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, 1581 mount_crypt_stat); 1582 /* Read the first page from the underlying file */ 1583 page_virt = kmem_cache_alloc(ecryptfs_header_cache_1, GFP_USER); 1584 if (!page_virt) { 1585 rc = -ENOMEM; 1586 printk(KERN_ERR "%s: Unable to allocate page_virt\n", 1587 __func__); 1588 goto out; 1589 } 1590 rc = ecryptfs_read_lower(page_virt, 0, crypt_stat->extent_size, 1591 ecryptfs_inode); 1592 if (!rc) 1593 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat, 1594 ecryptfs_dentry, 1595 ECRYPTFS_VALIDATE_HEADER_SIZE); 1596 if (rc) { 1597 rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode); 1598 if (rc) { 1599 printk(KERN_DEBUG "Valid eCryptfs headers not found in " 1600 "file header region or xattr region\n"); 1601 rc = -EINVAL; 1602 goto out; 1603 } 1604 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat, 1605 ecryptfs_dentry, 1606 ECRYPTFS_DONT_VALIDATE_HEADER_SIZE); 1607 if (rc) { 1608 printk(KERN_DEBUG "Valid eCryptfs headers not found in " 1609 "file xattr region either\n"); 1610 rc = -EINVAL; 1611 } 1612 if (crypt_stat->mount_crypt_stat->flags 1613 & ECRYPTFS_XATTR_METADATA_ENABLED) { 1614 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR; 1615 } else { 1616 printk(KERN_WARNING "Attempt to access file with " 1617 "crypto metadata only in the extended attribute " 1618 "region, but eCryptfs was mounted without " 1619 "xattr support enabled. eCryptfs will not treat " 1620 "this like an encrypted file.\n"); 1621 rc = -EINVAL; 1622 } 1623 } 1624 out: 1625 if (page_virt) { 1626 memset(page_virt, 0, PAGE_CACHE_SIZE); 1627 kmem_cache_free(ecryptfs_header_cache_1, page_virt); 1628 } 1629 return rc; 1630 } 1631 1632 /** 1633 * ecryptfs_encode_filename - converts a plaintext file name to cipher text 1634 * @crypt_stat: The crypt_stat struct associated with the file anem to encode 1635 * @name: The plaintext name 1636 * @length: The length of the plaintext 1637 * @encoded_name: The encypted name 1638 * 1639 * Encrypts and encodes a filename into something that constitutes a 1640 * valid filename for a filesystem, with printable characters. 1641 * 1642 * We assume that we have a properly initialized crypto context, 1643 * pointed to by crypt_stat->tfm. 1644 * 1645 * TODO: Implement filename decoding and decryption here, in place of 1646 * memcpy. We are keeping the framework around for now to (1) 1647 * facilitate testing of the components needed to implement filename 1648 * encryption and (2) to provide a code base from which other 1649 * developers in the community can easily implement this feature. 1650 * 1651 * Returns the length of encoded filename; negative if error 1652 */ 1653 int 1654 ecryptfs_encode_filename(struct ecryptfs_crypt_stat *crypt_stat, 1655 const char *name, int length, char **encoded_name) 1656 { 1657 int error = 0; 1658 1659 (*encoded_name) = kmalloc(length + 2, GFP_KERNEL); 1660 if (!(*encoded_name)) { 1661 error = -ENOMEM; 1662 goto out; 1663 } 1664 /* TODO: Filename encryption is a scheduled feature for a 1665 * future version of eCryptfs. This function is here only for 1666 * the purpose of providing a framework for other developers 1667 * to easily implement filename encryption. Hint: Replace this 1668 * memcpy() with a call to encrypt and encode the 1669 * filename, the set the length accordingly. */ 1670 memcpy((void *)(*encoded_name), (void *)name, length); 1671 (*encoded_name)[length] = '\0'; 1672 error = length + 1; 1673 out: 1674 return error; 1675 } 1676 1677 /** 1678 * ecryptfs_decode_filename - converts the cipher text name to plaintext 1679 * @crypt_stat: The crypt_stat struct associated with the file 1680 * @name: The filename in cipher text 1681 * @length: The length of the cipher text name 1682 * @decrypted_name: The plaintext name 1683 * 1684 * Decodes and decrypts the filename. 1685 * 1686 * We assume that we have a properly initialized crypto context, 1687 * pointed to by crypt_stat->tfm. 1688 * 1689 * TODO: Implement filename decoding and decryption here, in place of 1690 * memcpy. We are keeping the framework around for now to (1) 1691 * facilitate testing of the components needed to implement filename 1692 * encryption and (2) to provide a code base from which other 1693 * developers in the community can easily implement this feature. 1694 * 1695 * Returns the length of decoded filename; negative if error 1696 */ 1697 int 1698 ecryptfs_decode_filename(struct ecryptfs_crypt_stat *crypt_stat, 1699 const char *name, int length, char **decrypted_name) 1700 { 1701 int error = 0; 1702 1703 (*decrypted_name) = kmalloc(length + 2, GFP_KERNEL); 1704 if (!(*decrypted_name)) { 1705 error = -ENOMEM; 1706 goto out; 1707 } 1708 /* TODO: Filename encryption is a scheduled feature for a 1709 * future version of eCryptfs. This function is here only for 1710 * the purpose of providing a framework for other developers 1711 * to easily implement filename encryption. Hint: Replace this 1712 * memcpy() with a call to decode and decrypt the 1713 * filename, the set the length accordingly. */ 1714 memcpy((void *)(*decrypted_name), (void *)name, length); 1715 (*decrypted_name)[length + 1] = '\0'; /* Only for convenience 1716 * in printing out the 1717 * string in debug 1718 * messages */ 1719 error = length; 1720 out: 1721 return error; 1722 } 1723 1724 /** 1725 * ecryptfs_process_key_cipher - Perform key cipher initialization. 1726 * @key_tfm: Crypto context for key material, set by this function 1727 * @cipher_name: Name of the cipher 1728 * @key_size: Size of the key in bytes 1729 * 1730 * Returns zero on success. Any crypto_tfm structs allocated here 1731 * should be released by other functions, such as on a superblock put 1732 * event, regardless of whether this function succeeds for fails. 1733 */ 1734 static int 1735 ecryptfs_process_key_cipher(struct crypto_blkcipher **key_tfm, 1736 char *cipher_name, size_t *key_size) 1737 { 1738 char dummy_key[ECRYPTFS_MAX_KEY_BYTES]; 1739 char *full_alg_name; 1740 int rc; 1741 1742 *key_tfm = NULL; 1743 if (*key_size > ECRYPTFS_MAX_KEY_BYTES) { 1744 rc = -EINVAL; 1745 printk(KERN_ERR "Requested key size is [%Zd] bytes; maximum " 1746 "allowable is [%d]\n", *key_size, ECRYPTFS_MAX_KEY_BYTES); 1747 goto out; 1748 } 1749 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, cipher_name, 1750 "ecb"); 1751 if (rc) 1752 goto out; 1753 *key_tfm = crypto_alloc_blkcipher(full_alg_name, 0, CRYPTO_ALG_ASYNC); 1754 kfree(full_alg_name); 1755 if (IS_ERR(*key_tfm)) { 1756 rc = PTR_ERR(*key_tfm); 1757 printk(KERN_ERR "Unable to allocate crypto cipher with name " 1758 "[%s]; rc = [%d]\n", cipher_name, rc); 1759 goto out; 1760 } 1761 crypto_blkcipher_set_flags(*key_tfm, CRYPTO_TFM_REQ_WEAK_KEY); 1762 if (*key_size == 0) { 1763 struct blkcipher_alg *alg = crypto_blkcipher_alg(*key_tfm); 1764 1765 *key_size = alg->max_keysize; 1766 } 1767 get_random_bytes(dummy_key, *key_size); 1768 rc = crypto_blkcipher_setkey(*key_tfm, dummy_key, *key_size); 1769 if (rc) { 1770 printk(KERN_ERR "Error attempting to set key of size [%Zd] for " 1771 "cipher [%s]; rc = [%d]\n", *key_size, cipher_name, rc); 1772 rc = -EINVAL; 1773 goto out; 1774 } 1775 out: 1776 return rc; 1777 } 1778 1779 struct kmem_cache *ecryptfs_key_tfm_cache; 1780 static struct list_head key_tfm_list; 1781 struct mutex key_tfm_list_mutex; 1782 1783 int ecryptfs_init_crypto(void) 1784 { 1785 mutex_init(&key_tfm_list_mutex); 1786 INIT_LIST_HEAD(&key_tfm_list); 1787 return 0; 1788 } 1789 1790 /** 1791 * ecryptfs_destroy_crypto - free all cached key_tfms on key_tfm_list 1792 * 1793 * Called only at module unload time 1794 */ 1795 int ecryptfs_destroy_crypto(void) 1796 { 1797 struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp; 1798 1799 mutex_lock(&key_tfm_list_mutex); 1800 list_for_each_entry_safe(key_tfm, key_tfm_tmp, &key_tfm_list, 1801 key_tfm_list) { 1802 list_del(&key_tfm->key_tfm_list); 1803 if (key_tfm->key_tfm) 1804 crypto_free_blkcipher(key_tfm->key_tfm); 1805 kmem_cache_free(ecryptfs_key_tfm_cache, key_tfm); 1806 } 1807 mutex_unlock(&key_tfm_list_mutex); 1808 return 0; 1809 } 1810 1811 int 1812 ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name, 1813 size_t key_size) 1814 { 1815 struct ecryptfs_key_tfm *tmp_tfm; 1816 int rc = 0; 1817 1818 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex)); 1819 1820 tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL); 1821 if (key_tfm != NULL) 1822 (*key_tfm) = tmp_tfm; 1823 if (!tmp_tfm) { 1824 rc = -ENOMEM; 1825 printk(KERN_ERR "Error attempting to allocate from " 1826 "ecryptfs_key_tfm_cache\n"); 1827 goto out; 1828 } 1829 mutex_init(&tmp_tfm->key_tfm_mutex); 1830 strncpy(tmp_tfm->cipher_name, cipher_name, 1831 ECRYPTFS_MAX_CIPHER_NAME_SIZE); 1832 tmp_tfm->cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0'; 1833 tmp_tfm->key_size = key_size; 1834 rc = ecryptfs_process_key_cipher(&tmp_tfm->key_tfm, 1835 tmp_tfm->cipher_name, 1836 &tmp_tfm->key_size); 1837 if (rc) { 1838 printk(KERN_ERR "Error attempting to initialize key TFM " 1839 "cipher with name = [%s]; rc = [%d]\n", 1840 tmp_tfm->cipher_name, rc); 1841 kmem_cache_free(ecryptfs_key_tfm_cache, tmp_tfm); 1842 if (key_tfm != NULL) 1843 (*key_tfm) = NULL; 1844 goto out; 1845 } 1846 list_add(&tmp_tfm->key_tfm_list, &key_tfm_list); 1847 out: 1848 return rc; 1849 } 1850 1851 /** 1852 * ecryptfs_tfm_exists - Search for existing tfm for cipher_name. 1853 * @cipher_name: the name of the cipher to search for 1854 * @key_tfm: set to corresponding tfm if found 1855 * 1856 * Searches for cached key_tfm matching @cipher_name 1857 * Must be called with &key_tfm_list_mutex held 1858 * Returns 1 if found, with @key_tfm set 1859 * Returns 0 if not found, with @key_tfm set to NULL 1860 */ 1861 int ecryptfs_tfm_exists(char *cipher_name, struct ecryptfs_key_tfm **key_tfm) 1862 { 1863 struct ecryptfs_key_tfm *tmp_key_tfm; 1864 1865 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex)); 1866 1867 list_for_each_entry(tmp_key_tfm, &key_tfm_list, key_tfm_list) { 1868 if (strcmp(tmp_key_tfm->cipher_name, cipher_name) == 0) { 1869 if (key_tfm) 1870 (*key_tfm) = tmp_key_tfm; 1871 return 1; 1872 } 1873 } 1874 if (key_tfm) 1875 (*key_tfm) = NULL; 1876 return 0; 1877 } 1878 1879 /** 1880 * ecryptfs_get_tfm_and_mutex_for_cipher_name 1881 * 1882 * @tfm: set to cached tfm found, or new tfm created 1883 * @tfm_mutex: set to mutex for cached tfm found, or new tfm created 1884 * @cipher_name: the name of the cipher to search for and/or add 1885 * 1886 * Sets pointers to @tfm & @tfm_mutex matching @cipher_name. 1887 * Searches for cached item first, and creates new if not found. 1888 * Returns 0 on success, non-zero if adding new cipher failed 1889 */ 1890 int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm, 1891 struct mutex **tfm_mutex, 1892 char *cipher_name) 1893 { 1894 struct ecryptfs_key_tfm *key_tfm; 1895 int rc = 0; 1896 1897 (*tfm) = NULL; 1898 (*tfm_mutex) = NULL; 1899 1900 mutex_lock(&key_tfm_list_mutex); 1901 if (!ecryptfs_tfm_exists(cipher_name, &key_tfm)) { 1902 rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0); 1903 if (rc) { 1904 printk(KERN_ERR "Error adding new key_tfm to list; " 1905 "rc = [%d]\n", rc); 1906 goto out; 1907 } 1908 } 1909 mutex_unlock(&key_tfm_list_mutex); 1910 (*tfm) = key_tfm->key_tfm; 1911 (*tfm_mutex) = &key_tfm->key_tfm_mutex; 1912 out: 1913 return rc; 1914 } 1915