1 /** 2 * eCryptfs: Linux filesystem encryption layer 3 * 4 * Copyright (C) 1997-2004 Erez Zadok 5 * Copyright (C) 2001-2004 Stony Brook University 6 * Copyright (C) 2004-2007 International Business Machines Corp. 7 * Author(s): Michael A. Halcrow <mahalcro@us.ibm.com> 8 * Michael C. Thompson <mcthomps@us.ibm.com> 9 * 10 * This program is free software; you can redistribute it and/or 11 * modify it under the terms of the GNU General Public License as 12 * published by the Free Software Foundation; either version 2 of the 13 * License, or (at your option) any later version. 14 * 15 * This program is distributed in the hope that it will be useful, but 16 * WITHOUT ANY WARRANTY; without even the implied warranty of 17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 18 * General Public License for more details. 19 * 20 * You should have received a copy of the GNU General Public License 21 * along with this program; if not, write to the Free Software 22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 23 * 02111-1307, USA. 24 */ 25 26 #include <linux/fs.h> 27 #include <linux/mount.h> 28 #include <linux/pagemap.h> 29 #include <linux/random.h> 30 #include <linux/compiler.h> 31 #include <linux/key.h> 32 #include <linux/namei.h> 33 #include <linux/crypto.h> 34 #include <linux/file.h> 35 #include <linux/scatterlist.h> 36 #include <asm/unaligned.h> 37 #include "ecryptfs_kernel.h" 38 39 static int 40 ecryptfs_decrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat, 41 struct page *dst_page, int dst_offset, 42 struct page *src_page, int src_offset, int size, 43 unsigned char *iv); 44 static int 45 ecryptfs_encrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat, 46 struct page *dst_page, int dst_offset, 47 struct page *src_page, int src_offset, int size, 48 unsigned char *iv); 49 50 /** 51 * ecryptfs_to_hex 52 * @dst: Buffer to take hex character representation of contents of 53 * src; must be at least of size (src_size * 2) 54 * @src: Buffer to be converted to a hex string respresentation 55 * @src_size: number of bytes to convert 56 */ 57 void ecryptfs_to_hex(char *dst, char *src, size_t src_size) 58 { 59 int x; 60 61 for (x = 0; x < src_size; x++) 62 sprintf(&dst[x * 2], "%.2x", (unsigned char)src[x]); 63 } 64 65 /** 66 * ecryptfs_from_hex 67 * @dst: Buffer to take the bytes from src hex; must be at least of 68 * size (src_size / 2) 69 * @src: Buffer to be converted from a hex string respresentation to raw value 70 * @dst_size: size of dst buffer, or number of hex characters pairs to convert 71 */ 72 void ecryptfs_from_hex(char *dst, char *src, int dst_size) 73 { 74 int x; 75 char tmp[3] = { 0, }; 76 77 for (x = 0; x < dst_size; x++) { 78 tmp[0] = src[x * 2]; 79 tmp[1] = src[x * 2 + 1]; 80 dst[x] = (unsigned char)simple_strtol(tmp, NULL, 16); 81 } 82 } 83 84 /** 85 * ecryptfs_calculate_md5 - calculates the md5 of @src 86 * @dst: Pointer to 16 bytes of allocated memory 87 * @crypt_stat: Pointer to crypt_stat struct for the current inode 88 * @src: Data to be md5'd 89 * @len: Length of @src 90 * 91 * Uses the allocated crypto context that crypt_stat references to 92 * generate the MD5 sum of the contents of src. 93 */ 94 static int ecryptfs_calculate_md5(char *dst, 95 struct ecryptfs_crypt_stat *crypt_stat, 96 char *src, int len) 97 { 98 struct scatterlist sg; 99 struct hash_desc desc = { 100 .tfm = crypt_stat->hash_tfm, 101 .flags = CRYPTO_TFM_REQ_MAY_SLEEP 102 }; 103 int rc = 0; 104 105 mutex_lock(&crypt_stat->cs_hash_tfm_mutex); 106 sg_init_one(&sg, (u8 *)src, len); 107 if (!desc.tfm) { 108 desc.tfm = crypto_alloc_hash(ECRYPTFS_DEFAULT_HASH, 0, 109 CRYPTO_ALG_ASYNC); 110 if (IS_ERR(desc.tfm)) { 111 rc = PTR_ERR(desc.tfm); 112 ecryptfs_printk(KERN_ERR, "Error attempting to " 113 "allocate crypto context; rc = [%d]\n", 114 rc); 115 goto out; 116 } 117 crypt_stat->hash_tfm = desc.tfm; 118 } 119 rc = crypto_hash_init(&desc); 120 if (rc) { 121 printk(KERN_ERR 122 "%s: Error initializing crypto hash; rc = [%d]\n", 123 __func__, rc); 124 goto out; 125 } 126 rc = crypto_hash_update(&desc, &sg, len); 127 if (rc) { 128 printk(KERN_ERR 129 "%s: Error updating crypto hash; rc = [%d]\n", 130 __func__, rc); 131 goto out; 132 } 133 rc = crypto_hash_final(&desc, dst); 134 if (rc) { 135 printk(KERN_ERR 136 "%s: Error finalizing crypto hash; rc = [%d]\n", 137 __func__, rc); 138 goto out; 139 } 140 out: 141 mutex_unlock(&crypt_stat->cs_hash_tfm_mutex); 142 return rc; 143 } 144 145 static int ecryptfs_crypto_api_algify_cipher_name(char **algified_name, 146 char *cipher_name, 147 char *chaining_modifier) 148 { 149 int cipher_name_len = strlen(cipher_name); 150 int chaining_modifier_len = strlen(chaining_modifier); 151 int algified_name_len; 152 int rc; 153 154 algified_name_len = (chaining_modifier_len + cipher_name_len + 3); 155 (*algified_name) = kmalloc(algified_name_len, GFP_KERNEL); 156 if (!(*algified_name)) { 157 rc = -ENOMEM; 158 goto out; 159 } 160 snprintf((*algified_name), algified_name_len, "%s(%s)", 161 chaining_modifier, cipher_name); 162 rc = 0; 163 out: 164 return rc; 165 } 166 167 /** 168 * ecryptfs_derive_iv 169 * @iv: destination for the derived iv vale 170 * @crypt_stat: Pointer to crypt_stat struct for the current inode 171 * @offset: Offset of the extent whose IV we are to derive 172 * 173 * Generate the initialization vector from the given root IV and page 174 * offset. 175 * 176 * Returns zero on success; non-zero on error. 177 */ 178 static int ecryptfs_derive_iv(char *iv, struct ecryptfs_crypt_stat *crypt_stat, 179 loff_t offset) 180 { 181 int rc = 0; 182 char dst[MD5_DIGEST_SIZE]; 183 char src[ECRYPTFS_MAX_IV_BYTES + 16]; 184 185 if (unlikely(ecryptfs_verbosity > 0)) { 186 ecryptfs_printk(KERN_DEBUG, "root iv:\n"); 187 ecryptfs_dump_hex(crypt_stat->root_iv, crypt_stat->iv_bytes); 188 } 189 /* TODO: It is probably secure to just cast the least 190 * significant bits of the root IV into an unsigned long and 191 * add the offset to that rather than go through all this 192 * hashing business. -Halcrow */ 193 memcpy(src, crypt_stat->root_iv, crypt_stat->iv_bytes); 194 memset((src + crypt_stat->iv_bytes), 0, 16); 195 snprintf((src + crypt_stat->iv_bytes), 16, "%lld", offset); 196 if (unlikely(ecryptfs_verbosity > 0)) { 197 ecryptfs_printk(KERN_DEBUG, "source:\n"); 198 ecryptfs_dump_hex(src, (crypt_stat->iv_bytes + 16)); 199 } 200 rc = ecryptfs_calculate_md5(dst, crypt_stat, src, 201 (crypt_stat->iv_bytes + 16)); 202 if (rc) { 203 ecryptfs_printk(KERN_WARNING, "Error attempting to compute " 204 "MD5 while generating IV for a page\n"); 205 goto out; 206 } 207 memcpy(iv, dst, crypt_stat->iv_bytes); 208 if (unlikely(ecryptfs_verbosity > 0)) { 209 ecryptfs_printk(KERN_DEBUG, "derived iv:\n"); 210 ecryptfs_dump_hex(iv, crypt_stat->iv_bytes); 211 } 212 out: 213 return rc; 214 } 215 216 /** 217 * ecryptfs_init_crypt_stat 218 * @crypt_stat: Pointer to the crypt_stat struct to initialize. 219 * 220 * Initialize the crypt_stat structure. 221 */ 222 void 223 ecryptfs_init_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat) 224 { 225 memset((void *)crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat)); 226 INIT_LIST_HEAD(&crypt_stat->keysig_list); 227 mutex_init(&crypt_stat->keysig_list_mutex); 228 mutex_init(&crypt_stat->cs_mutex); 229 mutex_init(&crypt_stat->cs_tfm_mutex); 230 mutex_init(&crypt_stat->cs_hash_tfm_mutex); 231 crypt_stat->flags |= ECRYPTFS_STRUCT_INITIALIZED; 232 } 233 234 /** 235 * ecryptfs_destroy_crypt_stat 236 * @crypt_stat: Pointer to the crypt_stat struct to initialize. 237 * 238 * Releases all memory associated with a crypt_stat struct. 239 */ 240 void ecryptfs_destroy_crypt_stat(struct ecryptfs_crypt_stat *crypt_stat) 241 { 242 struct ecryptfs_key_sig *key_sig, *key_sig_tmp; 243 244 if (crypt_stat->tfm) 245 crypto_free_blkcipher(crypt_stat->tfm); 246 if (crypt_stat->hash_tfm) 247 crypto_free_hash(crypt_stat->hash_tfm); 248 mutex_lock(&crypt_stat->keysig_list_mutex); 249 list_for_each_entry_safe(key_sig, key_sig_tmp, 250 &crypt_stat->keysig_list, crypt_stat_list) { 251 list_del(&key_sig->crypt_stat_list); 252 kmem_cache_free(ecryptfs_key_sig_cache, key_sig); 253 } 254 mutex_unlock(&crypt_stat->keysig_list_mutex); 255 memset(crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat)); 256 } 257 258 void ecryptfs_destroy_mount_crypt_stat( 259 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 260 { 261 struct ecryptfs_global_auth_tok *auth_tok, *auth_tok_tmp; 262 263 if (!(mount_crypt_stat->flags & ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED)) 264 return; 265 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); 266 list_for_each_entry_safe(auth_tok, auth_tok_tmp, 267 &mount_crypt_stat->global_auth_tok_list, 268 mount_crypt_stat_list) { 269 list_del(&auth_tok->mount_crypt_stat_list); 270 mount_crypt_stat->num_global_auth_toks--; 271 if (auth_tok->global_auth_tok_key 272 && !(auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID)) 273 key_put(auth_tok->global_auth_tok_key); 274 kmem_cache_free(ecryptfs_global_auth_tok_cache, auth_tok); 275 } 276 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); 277 memset(mount_crypt_stat, 0, sizeof(struct ecryptfs_mount_crypt_stat)); 278 } 279 280 /** 281 * virt_to_scatterlist 282 * @addr: Virtual address 283 * @size: Size of data; should be an even multiple of the block size 284 * @sg: Pointer to scatterlist array; set to NULL to obtain only 285 * the number of scatterlist structs required in array 286 * @sg_size: Max array size 287 * 288 * Fills in a scatterlist array with page references for a passed 289 * virtual address. 290 * 291 * Returns the number of scatterlist structs in array used 292 */ 293 int virt_to_scatterlist(const void *addr, int size, struct scatterlist *sg, 294 int sg_size) 295 { 296 int i = 0; 297 struct page *pg; 298 int offset; 299 int remainder_of_page; 300 301 sg_init_table(sg, sg_size); 302 303 while (size > 0 && i < sg_size) { 304 pg = virt_to_page(addr); 305 offset = offset_in_page(addr); 306 if (sg) 307 sg_set_page(&sg[i], pg, 0, offset); 308 remainder_of_page = PAGE_CACHE_SIZE - offset; 309 if (size >= remainder_of_page) { 310 if (sg) 311 sg[i].length = remainder_of_page; 312 addr += remainder_of_page; 313 size -= remainder_of_page; 314 } else { 315 if (sg) 316 sg[i].length = size; 317 addr += size; 318 size = 0; 319 } 320 i++; 321 } 322 if (size > 0) 323 return -ENOMEM; 324 return i; 325 } 326 327 /** 328 * encrypt_scatterlist 329 * @crypt_stat: Pointer to the crypt_stat struct to initialize. 330 * @dest_sg: Destination of encrypted data 331 * @src_sg: Data to be encrypted 332 * @size: Length of data to be encrypted 333 * @iv: iv to use during encryption 334 * 335 * Returns the number of bytes encrypted; negative value on error 336 */ 337 static int encrypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat, 338 struct scatterlist *dest_sg, 339 struct scatterlist *src_sg, int size, 340 unsigned char *iv) 341 { 342 struct blkcipher_desc desc = { 343 .tfm = crypt_stat->tfm, 344 .info = iv, 345 .flags = CRYPTO_TFM_REQ_MAY_SLEEP 346 }; 347 int rc = 0; 348 349 BUG_ON(!crypt_stat || !crypt_stat->tfm 350 || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED)); 351 if (unlikely(ecryptfs_verbosity > 0)) { 352 ecryptfs_printk(KERN_DEBUG, "Key size [%d]; key:\n", 353 crypt_stat->key_size); 354 ecryptfs_dump_hex(crypt_stat->key, 355 crypt_stat->key_size); 356 } 357 /* Consider doing this once, when the file is opened */ 358 mutex_lock(&crypt_stat->cs_tfm_mutex); 359 if (!(crypt_stat->flags & ECRYPTFS_KEY_SET)) { 360 rc = crypto_blkcipher_setkey(crypt_stat->tfm, crypt_stat->key, 361 crypt_stat->key_size); 362 crypt_stat->flags |= ECRYPTFS_KEY_SET; 363 } 364 if (rc) { 365 ecryptfs_printk(KERN_ERR, "Error setting key; rc = [%d]\n", 366 rc); 367 mutex_unlock(&crypt_stat->cs_tfm_mutex); 368 rc = -EINVAL; 369 goto out; 370 } 371 ecryptfs_printk(KERN_DEBUG, "Encrypting [%d] bytes.\n", size); 372 crypto_blkcipher_encrypt_iv(&desc, dest_sg, src_sg, size); 373 mutex_unlock(&crypt_stat->cs_tfm_mutex); 374 out: 375 return rc; 376 } 377 378 /** 379 * ecryptfs_lower_offset_for_extent 380 * 381 * Convert an eCryptfs page index into a lower byte offset 382 */ 383 static void ecryptfs_lower_offset_for_extent(loff_t *offset, loff_t extent_num, 384 struct ecryptfs_crypt_stat *crypt_stat) 385 { 386 (*offset) = (crypt_stat->num_header_bytes_at_front 387 + (crypt_stat->extent_size * extent_num)); 388 } 389 390 /** 391 * ecryptfs_encrypt_extent 392 * @enc_extent_page: Allocated page into which to encrypt the data in 393 * @page 394 * @crypt_stat: crypt_stat containing cryptographic context for the 395 * encryption operation 396 * @page: Page containing plaintext data extent to encrypt 397 * @extent_offset: Page extent offset for use in generating IV 398 * 399 * Encrypts one extent of data. 400 * 401 * Return zero on success; non-zero otherwise 402 */ 403 static int ecryptfs_encrypt_extent(struct page *enc_extent_page, 404 struct ecryptfs_crypt_stat *crypt_stat, 405 struct page *page, 406 unsigned long extent_offset) 407 { 408 loff_t extent_base; 409 char extent_iv[ECRYPTFS_MAX_IV_BYTES]; 410 int rc; 411 412 extent_base = (((loff_t)page->index) 413 * (PAGE_CACHE_SIZE / crypt_stat->extent_size)); 414 rc = ecryptfs_derive_iv(extent_iv, crypt_stat, 415 (extent_base + extent_offset)); 416 if (rc) { 417 ecryptfs_printk(KERN_ERR, "Error attempting to " 418 "derive IV for extent [0x%.16x]; " 419 "rc = [%d]\n", (extent_base + extent_offset), 420 rc); 421 goto out; 422 } 423 if (unlikely(ecryptfs_verbosity > 0)) { 424 ecryptfs_printk(KERN_DEBUG, "Encrypting extent " 425 "with iv:\n"); 426 ecryptfs_dump_hex(extent_iv, crypt_stat->iv_bytes); 427 ecryptfs_printk(KERN_DEBUG, "First 8 bytes before " 428 "encryption:\n"); 429 ecryptfs_dump_hex((char *) 430 (page_address(page) 431 + (extent_offset * crypt_stat->extent_size)), 432 8); 433 } 434 rc = ecryptfs_encrypt_page_offset(crypt_stat, enc_extent_page, 0, 435 page, (extent_offset 436 * crypt_stat->extent_size), 437 crypt_stat->extent_size, extent_iv); 438 if (rc < 0) { 439 printk(KERN_ERR "%s: Error attempting to encrypt page with " 440 "page->index = [%ld], extent_offset = [%ld]; " 441 "rc = [%d]\n", __func__, page->index, extent_offset, 442 rc); 443 goto out; 444 } 445 rc = 0; 446 if (unlikely(ecryptfs_verbosity > 0)) { 447 ecryptfs_printk(KERN_DEBUG, "Encrypt extent [0x%.16x]; " 448 "rc = [%d]\n", (extent_base + extent_offset), 449 rc); 450 ecryptfs_printk(KERN_DEBUG, "First 8 bytes after " 451 "encryption:\n"); 452 ecryptfs_dump_hex((char *)(page_address(enc_extent_page)), 8); 453 } 454 out: 455 return rc; 456 } 457 458 /** 459 * ecryptfs_encrypt_page 460 * @page: Page mapped from the eCryptfs inode for the file; contains 461 * decrypted content that needs to be encrypted (to a temporary 462 * page; not in place) and written out to the lower file 463 * 464 * Encrypt an eCryptfs page. This is done on a per-extent basis. Note 465 * that eCryptfs pages may straddle the lower pages -- for instance, 466 * if the file was created on a machine with an 8K page size 467 * (resulting in an 8K header), and then the file is copied onto a 468 * host with a 32K page size, then when reading page 0 of the eCryptfs 469 * file, 24K of page 0 of the lower file will be read and decrypted, 470 * and then 8K of page 1 of the lower file will be read and decrypted. 471 * 472 * Returns zero on success; negative on error 473 */ 474 int ecryptfs_encrypt_page(struct page *page) 475 { 476 struct inode *ecryptfs_inode; 477 struct ecryptfs_crypt_stat *crypt_stat; 478 char *enc_extent_virt = NULL; 479 struct page *enc_extent_page; 480 loff_t extent_offset; 481 int rc = 0; 482 483 ecryptfs_inode = page->mapping->host; 484 crypt_stat = 485 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat); 486 if (!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) { 487 rc = ecryptfs_write_lower_page_segment(ecryptfs_inode, page, 488 0, PAGE_CACHE_SIZE); 489 if (rc) 490 printk(KERN_ERR "%s: Error attempting to copy " 491 "page at index [%ld]\n", __func__, 492 page->index); 493 goto out; 494 } 495 enc_extent_virt = kmalloc(PAGE_CACHE_SIZE, GFP_USER); 496 if (!enc_extent_virt) { 497 rc = -ENOMEM; 498 ecryptfs_printk(KERN_ERR, "Error allocating memory for " 499 "encrypted extent\n"); 500 goto out; 501 } 502 enc_extent_page = virt_to_page(enc_extent_virt); 503 for (extent_offset = 0; 504 extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size); 505 extent_offset++) { 506 loff_t offset; 507 508 rc = ecryptfs_encrypt_extent(enc_extent_page, crypt_stat, page, 509 extent_offset); 510 if (rc) { 511 printk(KERN_ERR "%s: Error encrypting extent; " 512 "rc = [%d]\n", __func__, rc); 513 goto out; 514 } 515 ecryptfs_lower_offset_for_extent( 516 &offset, ((((loff_t)page->index) 517 * (PAGE_CACHE_SIZE 518 / crypt_stat->extent_size)) 519 + extent_offset), crypt_stat); 520 rc = ecryptfs_write_lower(ecryptfs_inode, enc_extent_virt, 521 offset, crypt_stat->extent_size); 522 if (rc) { 523 ecryptfs_printk(KERN_ERR, "Error attempting " 524 "to write lower page; rc = [%d]" 525 "\n", rc); 526 goto out; 527 } 528 } 529 out: 530 kfree(enc_extent_virt); 531 return rc; 532 } 533 534 static int ecryptfs_decrypt_extent(struct page *page, 535 struct ecryptfs_crypt_stat *crypt_stat, 536 struct page *enc_extent_page, 537 unsigned long extent_offset) 538 { 539 loff_t extent_base; 540 char extent_iv[ECRYPTFS_MAX_IV_BYTES]; 541 int rc; 542 543 extent_base = (((loff_t)page->index) 544 * (PAGE_CACHE_SIZE / crypt_stat->extent_size)); 545 rc = ecryptfs_derive_iv(extent_iv, crypt_stat, 546 (extent_base + extent_offset)); 547 if (rc) { 548 ecryptfs_printk(KERN_ERR, "Error attempting to " 549 "derive IV for extent [0x%.16x]; " 550 "rc = [%d]\n", (extent_base + extent_offset), 551 rc); 552 goto out; 553 } 554 if (unlikely(ecryptfs_verbosity > 0)) { 555 ecryptfs_printk(KERN_DEBUG, "Decrypting extent " 556 "with iv:\n"); 557 ecryptfs_dump_hex(extent_iv, crypt_stat->iv_bytes); 558 ecryptfs_printk(KERN_DEBUG, "First 8 bytes before " 559 "decryption:\n"); 560 ecryptfs_dump_hex((char *) 561 (page_address(enc_extent_page) 562 + (extent_offset * crypt_stat->extent_size)), 563 8); 564 } 565 rc = ecryptfs_decrypt_page_offset(crypt_stat, page, 566 (extent_offset 567 * crypt_stat->extent_size), 568 enc_extent_page, 0, 569 crypt_stat->extent_size, extent_iv); 570 if (rc < 0) { 571 printk(KERN_ERR "%s: Error attempting to decrypt to page with " 572 "page->index = [%ld], extent_offset = [%ld]; " 573 "rc = [%d]\n", __func__, page->index, extent_offset, 574 rc); 575 goto out; 576 } 577 rc = 0; 578 if (unlikely(ecryptfs_verbosity > 0)) { 579 ecryptfs_printk(KERN_DEBUG, "Decrypt extent [0x%.16x]; " 580 "rc = [%d]\n", (extent_base + extent_offset), 581 rc); 582 ecryptfs_printk(KERN_DEBUG, "First 8 bytes after " 583 "decryption:\n"); 584 ecryptfs_dump_hex((char *)(page_address(page) 585 + (extent_offset 586 * crypt_stat->extent_size)), 8); 587 } 588 out: 589 return rc; 590 } 591 592 /** 593 * ecryptfs_decrypt_page 594 * @page: Page mapped from the eCryptfs inode for the file; data read 595 * and decrypted from the lower file will be written into this 596 * page 597 * 598 * Decrypt an eCryptfs page. This is done on a per-extent basis. Note 599 * that eCryptfs pages may straddle the lower pages -- for instance, 600 * if the file was created on a machine with an 8K page size 601 * (resulting in an 8K header), and then the file is copied onto a 602 * host with a 32K page size, then when reading page 0 of the eCryptfs 603 * file, 24K of page 0 of the lower file will be read and decrypted, 604 * and then 8K of page 1 of the lower file will be read and decrypted. 605 * 606 * Returns zero on success; negative on error 607 */ 608 int ecryptfs_decrypt_page(struct page *page) 609 { 610 struct inode *ecryptfs_inode; 611 struct ecryptfs_crypt_stat *crypt_stat; 612 char *enc_extent_virt = NULL; 613 struct page *enc_extent_page; 614 unsigned long extent_offset; 615 int rc = 0; 616 617 ecryptfs_inode = page->mapping->host; 618 crypt_stat = 619 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat); 620 if (!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) { 621 rc = ecryptfs_read_lower_page_segment(page, page->index, 0, 622 PAGE_CACHE_SIZE, 623 ecryptfs_inode); 624 if (rc) 625 printk(KERN_ERR "%s: Error attempting to copy " 626 "page at index [%ld]\n", __func__, 627 page->index); 628 goto out; 629 } 630 enc_extent_virt = kmalloc(PAGE_CACHE_SIZE, GFP_USER); 631 if (!enc_extent_virt) { 632 rc = -ENOMEM; 633 ecryptfs_printk(KERN_ERR, "Error allocating memory for " 634 "encrypted extent\n"); 635 goto out; 636 } 637 enc_extent_page = virt_to_page(enc_extent_virt); 638 for (extent_offset = 0; 639 extent_offset < (PAGE_CACHE_SIZE / crypt_stat->extent_size); 640 extent_offset++) { 641 loff_t offset; 642 643 ecryptfs_lower_offset_for_extent( 644 &offset, ((page->index * (PAGE_CACHE_SIZE 645 / crypt_stat->extent_size)) 646 + extent_offset), crypt_stat); 647 rc = ecryptfs_read_lower(enc_extent_virt, offset, 648 crypt_stat->extent_size, 649 ecryptfs_inode); 650 if (rc) { 651 ecryptfs_printk(KERN_ERR, "Error attempting " 652 "to read lower page; rc = [%d]" 653 "\n", rc); 654 goto out; 655 } 656 rc = ecryptfs_decrypt_extent(page, crypt_stat, enc_extent_page, 657 extent_offset); 658 if (rc) { 659 printk(KERN_ERR "%s: Error encrypting extent; " 660 "rc = [%d]\n", __func__, rc); 661 goto out; 662 } 663 } 664 out: 665 kfree(enc_extent_virt); 666 return rc; 667 } 668 669 /** 670 * decrypt_scatterlist 671 * @crypt_stat: Cryptographic context 672 * @dest_sg: The destination scatterlist to decrypt into 673 * @src_sg: The source scatterlist to decrypt from 674 * @size: The number of bytes to decrypt 675 * @iv: The initialization vector to use for the decryption 676 * 677 * Returns the number of bytes decrypted; negative value on error 678 */ 679 static int decrypt_scatterlist(struct ecryptfs_crypt_stat *crypt_stat, 680 struct scatterlist *dest_sg, 681 struct scatterlist *src_sg, int size, 682 unsigned char *iv) 683 { 684 struct blkcipher_desc desc = { 685 .tfm = crypt_stat->tfm, 686 .info = iv, 687 .flags = CRYPTO_TFM_REQ_MAY_SLEEP 688 }; 689 int rc = 0; 690 691 /* Consider doing this once, when the file is opened */ 692 mutex_lock(&crypt_stat->cs_tfm_mutex); 693 rc = crypto_blkcipher_setkey(crypt_stat->tfm, crypt_stat->key, 694 crypt_stat->key_size); 695 if (rc) { 696 ecryptfs_printk(KERN_ERR, "Error setting key; rc = [%d]\n", 697 rc); 698 mutex_unlock(&crypt_stat->cs_tfm_mutex); 699 rc = -EINVAL; 700 goto out; 701 } 702 ecryptfs_printk(KERN_DEBUG, "Decrypting [%d] bytes.\n", size); 703 rc = crypto_blkcipher_decrypt_iv(&desc, dest_sg, src_sg, size); 704 mutex_unlock(&crypt_stat->cs_tfm_mutex); 705 if (rc) { 706 ecryptfs_printk(KERN_ERR, "Error decrypting; rc = [%d]\n", 707 rc); 708 goto out; 709 } 710 rc = size; 711 out: 712 return rc; 713 } 714 715 /** 716 * ecryptfs_encrypt_page_offset 717 * @crypt_stat: The cryptographic context 718 * @dst_page: The page to encrypt into 719 * @dst_offset: The offset in the page to encrypt into 720 * @src_page: The page to encrypt from 721 * @src_offset: The offset in the page to encrypt from 722 * @size: The number of bytes to encrypt 723 * @iv: The initialization vector to use for the encryption 724 * 725 * Returns the number of bytes encrypted 726 */ 727 static int 728 ecryptfs_encrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat, 729 struct page *dst_page, int dst_offset, 730 struct page *src_page, int src_offset, int size, 731 unsigned char *iv) 732 { 733 struct scatterlist src_sg, dst_sg; 734 735 sg_init_table(&src_sg, 1); 736 sg_init_table(&dst_sg, 1); 737 738 sg_set_page(&src_sg, src_page, size, src_offset); 739 sg_set_page(&dst_sg, dst_page, size, dst_offset); 740 return encrypt_scatterlist(crypt_stat, &dst_sg, &src_sg, size, iv); 741 } 742 743 /** 744 * ecryptfs_decrypt_page_offset 745 * @crypt_stat: The cryptographic context 746 * @dst_page: The page to decrypt into 747 * @dst_offset: The offset in the page to decrypt into 748 * @src_page: The page to decrypt from 749 * @src_offset: The offset in the page to decrypt from 750 * @size: The number of bytes to decrypt 751 * @iv: The initialization vector to use for the decryption 752 * 753 * Returns the number of bytes decrypted 754 */ 755 static int 756 ecryptfs_decrypt_page_offset(struct ecryptfs_crypt_stat *crypt_stat, 757 struct page *dst_page, int dst_offset, 758 struct page *src_page, int src_offset, int size, 759 unsigned char *iv) 760 { 761 struct scatterlist src_sg, dst_sg; 762 763 sg_init_table(&src_sg, 1); 764 sg_set_page(&src_sg, src_page, size, src_offset); 765 766 sg_init_table(&dst_sg, 1); 767 sg_set_page(&dst_sg, dst_page, size, dst_offset); 768 769 return decrypt_scatterlist(crypt_stat, &dst_sg, &src_sg, size, iv); 770 } 771 772 #define ECRYPTFS_MAX_SCATTERLIST_LEN 4 773 774 /** 775 * ecryptfs_init_crypt_ctx 776 * @crypt_stat: Uninitilized crypt stats structure 777 * 778 * Initialize the crypto context. 779 * 780 * TODO: Performance: Keep a cache of initialized cipher contexts; 781 * only init if needed 782 */ 783 int ecryptfs_init_crypt_ctx(struct ecryptfs_crypt_stat *crypt_stat) 784 { 785 char *full_alg_name; 786 int rc = -EINVAL; 787 788 if (!crypt_stat->cipher) { 789 ecryptfs_printk(KERN_ERR, "No cipher specified\n"); 790 goto out; 791 } 792 ecryptfs_printk(KERN_DEBUG, 793 "Initializing cipher [%s]; strlen = [%d]; " 794 "key_size_bits = [%d]\n", 795 crypt_stat->cipher, (int)strlen(crypt_stat->cipher), 796 crypt_stat->key_size << 3); 797 if (crypt_stat->tfm) { 798 rc = 0; 799 goto out; 800 } 801 mutex_lock(&crypt_stat->cs_tfm_mutex); 802 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, 803 crypt_stat->cipher, "cbc"); 804 if (rc) 805 goto out_unlock; 806 crypt_stat->tfm = crypto_alloc_blkcipher(full_alg_name, 0, 807 CRYPTO_ALG_ASYNC); 808 kfree(full_alg_name); 809 if (IS_ERR(crypt_stat->tfm)) { 810 rc = PTR_ERR(crypt_stat->tfm); 811 ecryptfs_printk(KERN_ERR, "cryptfs: init_crypt_ctx(): " 812 "Error initializing cipher [%s]\n", 813 crypt_stat->cipher); 814 goto out_unlock; 815 } 816 crypto_blkcipher_set_flags(crypt_stat->tfm, CRYPTO_TFM_REQ_WEAK_KEY); 817 rc = 0; 818 out_unlock: 819 mutex_unlock(&crypt_stat->cs_tfm_mutex); 820 out: 821 return rc; 822 } 823 824 static void set_extent_mask_and_shift(struct ecryptfs_crypt_stat *crypt_stat) 825 { 826 int extent_size_tmp; 827 828 crypt_stat->extent_mask = 0xFFFFFFFF; 829 crypt_stat->extent_shift = 0; 830 if (crypt_stat->extent_size == 0) 831 return; 832 extent_size_tmp = crypt_stat->extent_size; 833 while ((extent_size_tmp & 0x01) == 0) { 834 extent_size_tmp >>= 1; 835 crypt_stat->extent_mask <<= 1; 836 crypt_stat->extent_shift++; 837 } 838 } 839 840 void ecryptfs_set_default_sizes(struct ecryptfs_crypt_stat *crypt_stat) 841 { 842 /* Default values; may be overwritten as we are parsing the 843 * packets. */ 844 crypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE; 845 set_extent_mask_and_shift(crypt_stat); 846 crypt_stat->iv_bytes = ECRYPTFS_DEFAULT_IV_BYTES; 847 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR) 848 crypt_stat->num_header_bytes_at_front = 0; 849 else { 850 if (PAGE_CACHE_SIZE <= ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE) 851 crypt_stat->num_header_bytes_at_front = 852 ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE; 853 else 854 crypt_stat->num_header_bytes_at_front = PAGE_CACHE_SIZE; 855 } 856 } 857 858 /** 859 * ecryptfs_compute_root_iv 860 * @crypt_stats 861 * 862 * On error, sets the root IV to all 0's. 863 */ 864 int ecryptfs_compute_root_iv(struct ecryptfs_crypt_stat *crypt_stat) 865 { 866 int rc = 0; 867 char dst[MD5_DIGEST_SIZE]; 868 869 BUG_ON(crypt_stat->iv_bytes > MD5_DIGEST_SIZE); 870 BUG_ON(crypt_stat->iv_bytes <= 0); 871 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) { 872 rc = -EINVAL; 873 ecryptfs_printk(KERN_WARNING, "Session key not valid; " 874 "cannot generate root IV\n"); 875 goto out; 876 } 877 rc = ecryptfs_calculate_md5(dst, crypt_stat, crypt_stat->key, 878 crypt_stat->key_size); 879 if (rc) { 880 ecryptfs_printk(KERN_WARNING, "Error attempting to compute " 881 "MD5 while generating root IV\n"); 882 goto out; 883 } 884 memcpy(crypt_stat->root_iv, dst, crypt_stat->iv_bytes); 885 out: 886 if (rc) { 887 memset(crypt_stat->root_iv, 0, crypt_stat->iv_bytes); 888 crypt_stat->flags |= ECRYPTFS_SECURITY_WARNING; 889 } 890 return rc; 891 } 892 893 static void ecryptfs_generate_new_key(struct ecryptfs_crypt_stat *crypt_stat) 894 { 895 get_random_bytes(crypt_stat->key, crypt_stat->key_size); 896 crypt_stat->flags |= ECRYPTFS_KEY_VALID; 897 ecryptfs_compute_root_iv(crypt_stat); 898 if (unlikely(ecryptfs_verbosity > 0)) { 899 ecryptfs_printk(KERN_DEBUG, "Generated new session key:\n"); 900 ecryptfs_dump_hex(crypt_stat->key, 901 crypt_stat->key_size); 902 } 903 } 904 905 /** 906 * ecryptfs_copy_mount_wide_flags_to_inode_flags 907 * @crypt_stat: The inode's cryptographic context 908 * @mount_crypt_stat: The mount point's cryptographic context 909 * 910 * This function propagates the mount-wide flags to individual inode 911 * flags. 912 */ 913 static void ecryptfs_copy_mount_wide_flags_to_inode_flags( 914 struct ecryptfs_crypt_stat *crypt_stat, 915 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 916 { 917 if (mount_crypt_stat->flags & ECRYPTFS_XATTR_METADATA_ENABLED) 918 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR; 919 if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) 920 crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED; 921 } 922 923 static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs( 924 struct ecryptfs_crypt_stat *crypt_stat, 925 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 926 { 927 struct ecryptfs_global_auth_tok *global_auth_tok; 928 int rc = 0; 929 930 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); 931 list_for_each_entry(global_auth_tok, 932 &mount_crypt_stat->global_auth_tok_list, 933 mount_crypt_stat_list) { 934 rc = ecryptfs_add_keysig(crypt_stat, global_auth_tok->sig); 935 if (rc) { 936 printk(KERN_ERR "Error adding keysig; rc = [%d]\n", rc); 937 mutex_unlock( 938 &mount_crypt_stat->global_auth_tok_list_mutex); 939 goto out; 940 } 941 } 942 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); 943 out: 944 return rc; 945 } 946 947 /** 948 * ecryptfs_set_default_crypt_stat_vals 949 * @crypt_stat: The inode's cryptographic context 950 * @mount_crypt_stat: The mount point's cryptographic context 951 * 952 * Default values in the event that policy does not override them. 953 */ 954 static void ecryptfs_set_default_crypt_stat_vals( 955 struct ecryptfs_crypt_stat *crypt_stat, 956 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 957 { 958 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, 959 mount_crypt_stat); 960 ecryptfs_set_default_sizes(crypt_stat); 961 strcpy(crypt_stat->cipher, ECRYPTFS_DEFAULT_CIPHER); 962 crypt_stat->key_size = ECRYPTFS_DEFAULT_KEY_BYTES; 963 crypt_stat->flags &= ~(ECRYPTFS_KEY_VALID); 964 crypt_stat->file_version = ECRYPTFS_FILE_VERSION; 965 crypt_stat->mount_crypt_stat = mount_crypt_stat; 966 } 967 968 /** 969 * ecryptfs_new_file_context 970 * @ecryptfs_dentry: The eCryptfs dentry 971 * 972 * If the crypto context for the file has not yet been established, 973 * this is where we do that. Establishing a new crypto context 974 * involves the following decisions: 975 * - What cipher to use? 976 * - What set of authentication tokens to use? 977 * Here we just worry about getting enough information into the 978 * authentication tokens so that we know that they are available. 979 * We associate the available authentication tokens with the new file 980 * via the set of signatures in the crypt_stat struct. Later, when 981 * the headers are actually written out, we may again defer to 982 * userspace to perform the encryption of the session key; for the 983 * foreseeable future, this will be the case with public key packets. 984 * 985 * Returns zero on success; non-zero otherwise 986 */ 987 int ecryptfs_new_file_context(struct dentry *ecryptfs_dentry) 988 { 989 struct ecryptfs_crypt_stat *crypt_stat = 990 &ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat; 991 struct ecryptfs_mount_crypt_stat *mount_crypt_stat = 992 &ecryptfs_superblock_to_private( 993 ecryptfs_dentry->d_sb)->mount_crypt_stat; 994 int cipher_name_len; 995 int rc = 0; 996 997 ecryptfs_set_default_crypt_stat_vals(crypt_stat, mount_crypt_stat); 998 crypt_stat->flags |= (ECRYPTFS_ENCRYPTED | ECRYPTFS_KEY_VALID); 999 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, 1000 mount_crypt_stat); 1001 rc = ecryptfs_copy_mount_wide_sigs_to_inode_sigs(crypt_stat, 1002 mount_crypt_stat); 1003 if (rc) { 1004 printk(KERN_ERR "Error attempting to copy mount-wide key sigs " 1005 "to the inode key sigs; rc = [%d]\n", rc); 1006 goto out; 1007 } 1008 cipher_name_len = 1009 strlen(mount_crypt_stat->global_default_cipher_name); 1010 memcpy(crypt_stat->cipher, 1011 mount_crypt_stat->global_default_cipher_name, 1012 cipher_name_len); 1013 crypt_stat->cipher[cipher_name_len] = '\0'; 1014 crypt_stat->key_size = 1015 mount_crypt_stat->global_default_cipher_key_size; 1016 ecryptfs_generate_new_key(crypt_stat); 1017 rc = ecryptfs_init_crypt_ctx(crypt_stat); 1018 if (rc) 1019 ecryptfs_printk(KERN_ERR, "Error initializing cryptographic " 1020 "context for cipher [%s]: rc = [%d]\n", 1021 crypt_stat->cipher, rc); 1022 out: 1023 return rc; 1024 } 1025 1026 /** 1027 * contains_ecryptfs_marker - check for the ecryptfs marker 1028 * @data: The data block in which to check 1029 * 1030 * Returns one if marker found; zero if not found 1031 */ 1032 static int contains_ecryptfs_marker(char *data) 1033 { 1034 u32 m_1, m_2; 1035 1036 m_1 = get_unaligned_be32(data); 1037 m_2 = get_unaligned_be32(data + 4); 1038 if ((m_1 ^ MAGIC_ECRYPTFS_MARKER) == m_2) 1039 return 1; 1040 ecryptfs_printk(KERN_DEBUG, "m_1 = [0x%.8x]; m_2 = [0x%.8x]; " 1041 "MAGIC_ECRYPTFS_MARKER = [0x%.8x]\n", m_1, m_2, 1042 MAGIC_ECRYPTFS_MARKER); 1043 ecryptfs_printk(KERN_DEBUG, "(m_1 ^ MAGIC_ECRYPTFS_MARKER) = " 1044 "[0x%.8x]\n", (m_1 ^ MAGIC_ECRYPTFS_MARKER)); 1045 return 0; 1046 } 1047 1048 struct ecryptfs_flag_map_elem { 1049 u32 file_flag; 1050 u32 local_flag; 1051 }; 1052 1053 /* Add support for additional flags by adding elements here. */ 1054 static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = { 1055 {0x00000001, ECRYPTFS_ENABLE_HMAC}, 1056 {0x00000002, ECRYPTFS_ENCRYPTED}, 1057 {0x00000004, ECRYPTFS_METADATA_IN_XATTR} 1058 }; 1059 1060 /** 1061 * ecryptfs_process_flags 1062 * @crypt_stat: The cryptographic context 1063 * @page_virt: Source data to be parsed 1064 * @bytes_read: Updated with the number of bytes read 1065 * 1066 * Returns zero on success; non-zero if the flag set is invalid 1067 */ 1068 static int ecryptfs_process_flags(struct ecryptfs_crypt_stat *crypt_stat, 1069 char *page_virt, int *bytes_read) 1070 { 1071 int rc = 0; 1072 int i; 1073 u32 flags; 1074 1075 flags = get_unaligned_be32(page_virt); 1076 for (i = 0; i < ((sizeof(ecryptfs_flag_map) 1077 / sizeof(struct ecryptfs_flag_map_elem))); i++) 1078 if (flags & ecryptfs_flag_map[i].file_flag) { 1079 crypt_stat->flags |= ecryptfs_flag_map[i].local_flag; 1080 } else 1081 crypt_stat->flags &= ~(ecryptfs_flag_map[i].local_flag); 1082 /* Version is in top 8 bits of the 32-bit flag vector */ 1083 crypt_stat->file_version = ((flags >> 24) & 0xFF); 1084 (*bytes_read) = 4; 1085 return rc; 1086 } 1087 1088 /** 1089 * write_ecryptfs_marker 1090 * @page_virt: The pointer to in a page to begin writing the marker 1091 * @written: Number of bytes written 1092 * 1093 * Marker = 0x3c81b7f5 1094 */ 1095 static void write_ecryptfs_marker(char *page_virt, size_t *written) 1096 { 1097 u32 m_1, m_2; 1098 1099 get_random_bytes(&m_1, (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2)); 1100 m_2 = (m_1 ^ MAGIC_ECRYPTFS_MARKER); 1101 put_unaligned_be32(m_1, page_virt); 1102 page_virt += (MAGIC_ECRYPTFS_MARKER_SIZE_BYTES / 2); 1103 put_unaligned_be32(m_2, page_virt); 1104 (*written) = MAGIC_ECRYPTFS_MARKER_SIZE_BYTES; 1105 } 1106 1107 static void 1108 write_ecryptfs_flags(char *page_virt, struct ecryptfs_crypt_stat *crypt_stat, 1109 size_t *written) 1110 { 1111 u32 flags = 0; 1112 int i; 1113 1114 for (i = 0; i < ((sizeof(ecryptfs_flag_map) 1115 / sizeof(struct ecryptfs_flag_map_elem))); i++) 1116 if (crypt_stat->flags & ecryptfs_flag_map[i].local_flag) 1117 flags |= ecryptfs_flag_map[i].file_flag; 1118 /* Version is in top 8 bits of the 32-bit flag vector */ 1119 flags |= ((((u8)crypt_stat->file_version) << 24) & 0xFF000000); 1120 put_unaligned_be32(flags, page_virt); 1121 (*written) = 4; 1122 } 1123 1124 struct ecryptfs_cipher_code_str_map_elem { 1125 char cipher_str[16]; 1126 u8 cipher_code; 1127 }; 1128 1129 /* Add support for additional ciphers by adding elements here. The 1130 * cipher_code is whatever OpenPGP applicatoins use to identify the 1131 * ciphers. List in order of probability. */ 1132 static struct ecryptfs_cipher_code_str_map_elem 1133 ecryptfs_cipher_code_str_map[] = { 1134 {"aes",RFC2440_CIPHER_AES_128 }, 1135 {"blowfish", RFC2440_CIPHER_BLOWFISH}, 1136 {"des3_ede", RFC2440_CIPHER_DES3_EDE}, 1137 {"cast5", RFC2440_CIPHER_CAST_5}, 1138 {"twofish", RFC2440_CIPHER_TWOFISH}, 1139 {"cast6", RFC2440_CIPHER_CAST_6}, 1140 {"aes", RFC2440_CIPHER_AES_192}, 1141 {"aes", RFC2440_CIPHER_AES_256} 1142 }; 1143 1144 /** 1145 * ecryptfs_code_for_cipher_string 1146 * @crypt_stat: The cryptographic context 1147 * 1148 * Returns zero on no match, or the cipher code on match 1149 */ 1150 u8 ecryptfs_code_for_cipher_string(struct ecryptfs_crypt_stat *crypt_stat) 1151 { 1152 int i; 1153 u8 code = 0; 1154 struct ecryptfs_cipher_code_str_map_elem *map = 1155 ecryptfs_cipher_code_str_map; 1156 1157 if (strcmp(crypt_stat->cipher, "aes") == 0) { 1158 switch (crypt_stat->key_size) { 1159 case 16: 1160 code = RFC2440_CIPHER_AES_128; 1161 break; 1162 case 24: 1163 code = RFC2440_CIPHER_AES_192; 1164 break; 1165 case 32: 1166 code = RFC2440_CIPHER_AES_256; 1167 } 1168 } else { 1169 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++) 1170 if (strcmp(crypt_stat->cipher, map[i].cipher_str) == 0){ 1171 code = map[i].cipher_code; 1172 break; 1173 } 1174 } 1175 return code; 1176 } 1177 1178 /** 1179 * ecryptfs_cipher_code_to_string 1180 * @str: Destination to write out the cipher name 1181 * @cipher_code: The code to convert to cipher name string 1182 * 1183 * Returns zero on success 1184 */ 1185 int ecryptfs_cipher_code_to_string(char *str, u8 cipher_code) 1186 { 1187 int rc = 0; 1188 int i; 1189 1190 str[0] = '\0'; 1191 for (i = 0; i < ARRAY_SIZE(ecryptfs_cipher_code_str_map); i++) 1192 if (cipher_code == ecryptfs_cipher_code_str_map[i].cipher_code) 1193 strcpy(str, ecryptfs_cipher_code_str_map[i].cipher_str); 1194 if (str[0] == '\0') { 1195 ecryptfs_printk(KERN_WARNING, "Cipher code not recognized: " 1196 "[%d]\n", cipher_code); 1197 rc = -EINVAL; 1198 } 1199 return rc; 1200 } 1201 1202 int ecryptfs_read_and_validate_header_region(char *data, 1203 struct inode *ecryptfs_inode) 1204 { 1205 struct ecryptfs_crypt_stat *crypt_stat = 1206 &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat); 1207 int rc; 1208 1209 rc = ecryptfs_read_lower(data, 0, crypt_stat->extent_size, 1210 ecryptfs_inode); 1211 if (rc) { 1212 printk(KERN_ERR "%s: Error reading header region; rc = [%d]\n", 1213 __func__, rc); 1214 goto out; 1215 } 1216 if (!contains_ecryptfs_marker(data + ECRYPTFS_FILE_SIZE_BYTES)) { 1217 rc = -EINVAL; 1218 ecryptfs_printk(KERN_DEBUG, "Valid marker not found\n"); 1219 } 1220 out: 1221 return rc; 1222 } 1223 1224 void 1225 ecryptfs_write_header_metadata(char *virt, 1226 struct ecryptfs_crypt_stat *crypt_stat, 1227 size_t *written) 1228 { 1229 u32 header_extent_size; 1230 u16 num_header_extents_at_front; 1231 1232 header_extent_size = (u32)crypt_stat->extent_size; 1233 num_header_extents_at_front = 1234 (u16)(crypt_stat->num_header_bytes_at_front 1235 / crypt_stat->extent_size); 1236 put_unaligned_be32(header_extent_size, virt); 1237 virt += 4; 1238 put_unaligned_be16(num_header_extents_at_front, virt); 1239 (*written) = 6; 1240 } 1241 1242 struct kmem_cache *ecryptfs_header_cache_1; 1243 struct kmem_cache *ecryptfs_header_cache_2; 1244 1245 /** 1246 * ecryptfs_write_headers_virt 1247 * @page_virt: The virtual address to write the headers to 1248 * @size: Set to the number of bytes written by this function 1249 * @crypt_stat: The cryptographic context 1250 * @ecryptfs_dentry: The eCryptfs dentry 1251 * 1252 * Format version: 1 1253 * 1254 * Header Extent: 1255 * Octets 0-7: Unencrypted file size (big-endian) 1256 * Octets 8-15: eCryptfs special marker 1257 * Octets 16-19: Flags 1258 * Octet 16: File format version number (between 0 and 255) 1259 * Octets 17-18: Reserved 1260 * Octet 19: Bit 1 (lsb): Reserved 1261 * Bit 2: Encrypted? 1262 * Bits 3-8: Reserved 1263 * Octets 20-23: Header extent size (big-endian) 1264 * Octets 24-25: Number of header extents at front of file 1265 * (big-endian) 1266 * Octet 26: Begin RFC 2440 authentication token packet set 1267 * Data Extent 0: 1268 * Lower data (CBC encrypted) 1269 * Data Extent 1: 1270 * Lower data (CBC encrypted) 1271 * ... 1272 * 1273 * Returns zero on success 1274 */ 1275 static int ecryptfs_write_headers_virt(char *page_virt, size_t *size, 1276 struct ecryptfs_crypt_stat *crypt_stat, 1277 struct dentry *ecryptfs_dentry) 1278 { 1279 int rc; 1280 size_t written; 1281 size_t offset; 1282 1283 offset = ECRYPTFS_FILE_SIZE_BYTES; 1284 write_ecryptfs_marker((page_virt + offset), &written); 1285 offset += written; 1286 write_ecryptfs_flags((page_virt + offset), crypt_stat, &written); 1287 offset += written; 1288 ecryptfs_write_header_metadata((page_virt + offset), crypt_stat, 1289 &written); 1290 offset += written; 1291 rc = ecryptfs_generate_key_packet_set((page_virt + offset), crypt_stat, 1292 ecryptfs_dentry, &written, 1293 PAGE_CACHE_SIZE - offset); 1294 if (rc) 1295 ecryptfs_printk(KERN_WARNING, "Error generating key packet " 1296 "set; rc = [%d]\n", rc); 1297 if (size) { 1298 offset += written; 1299 *size = offset; 1300 } 1301 return rc; 1302 } 1303 1304 static int 1305 ecryptfs_write_metadata_to_contents(struct ecryptfs_crypt_stat *crypt_stat, 1306 struct dentry *ecryptfs_dentry, 1307 char *virt) 1308 { 1309 int rc; 1310 1311 rc = ecryptfs_write_lower(ecryptfs_dentry->d_inode, virt, 1312 0, crypt_stat->num_header_bytes_at_front); 1313 if (rc) 1314 printk(KERN_ERR "%s: Error attempting to write header " 1315 "information to lower file; rc = [%d]\n", __func__, 1316 rc); 1317 return rc; 1318 } 1319 1320 static int 1321 ecryptfs_write_metadata_to_xattr(struct dentry *ecryptfs_dentry, 1322 struct ecryptfs_crypt_stat *crypt_stat, 1323 char *page_virt, size_t size) 1324 { 1325 int rc; 1326 1327 rc = ecryptfs_setxattr(ecryptfs_dentry, ECRYPTFS_XATTR_NAME, page_virt, 1328 size, 0); 1329 return rc; 1330 } 1331 1332 /** 1333 * ecryptfs_write_metadata 1334 * @ecryptfs_dentry: The eCryptfs dentry 1335 * 1336 * Write the file headers out. This will likely involve a userspace 1337 * callout, in which the session key is encrypted with one or more 1338 * public keys and/or the passphrase necessary to do the encryption is 1339 * retrieved via a prompt. Exactly what happens at this point should 1340 * be policy-dependent. 1341 * 1342 * Returns zero on success; non-zero on error 1343 */ 1344 int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry) 1345 { 1346 struct ecryptfs_crypt_stat *crypt_stat = 1347 &ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat; 1348 char *virt; 1349 size_t size = 0; 1350 int rc = 0; 1351 1352 if (likely(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) { 1353 if (!(crypt_stat->flags & ECRYPTFS_KEY_VALID)) { 1354 printk(KERN_ERR "Key is invalid; bailing out\n"); 1355 rc = -EINVAL; 1356 goto out; 1357 } 1358 } else { 1359 printk(KERN_WARNING "%s: Encrypted flag not set\n", 1360 __func__); 1361 rc = -EINVAL; 1362 goto out; 1363 } 1364 /* Released in this function */ 1365 virt = kzalloc(crypt_stat->num_header_bytes_at_front, GFP_KERNEL); 1366 if (!virt) { 1367 printk(KERN_ERR "%s: Out of memory\n", __func__); 1368 rc = -ENOMEM; 1369 goto out; 1370 } 1371 rc = ecryptfs_write_headers_virt(virt, &size, crypt_stat, 1372 ecryptfs_dentry); 1373 if (unlikely(rc)) { 1374 printk(KERN_ERR "%s: Error whilst writing headers; rc = [%d]\n", 1375 __func__, rc); 1376 goto out_free; 1377 } 1378 if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR) 1379 rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, 1380 crypt_stat, virt, size); 1381 else 1382 rc = ecryptfs_write_metadata_to_contents(crypt_stat, 1383 ecryptfs_dentry, virt); 1384 if (rc) { 1385 printk(KERN_ERR "%s: Error writing metadata out to lower file; " 1386 "rc = [%d]\n", __func__, rc); 1387 goto out_free; 1388 } 1389 out_free: 1390 memset(virt, 0, crypt_stat->num_header_bytes_at_front); 1391 kfree(virt); 1392 out: 1393 return rc; 1394 } 1395 1396 #define ECRYPTFS_DONT_VALIDATE_HEADER_SIZE 0 1397 #define ECRYPTFS_VALIDATE_HEADER_SIZE 1 1398 static int parse_header_metadata(struct ecryptfs_crypt_stat *crypt_stat, 1399 char *virt, int *bytes_read, 1400 int validate_header_size) 1401 { 1402 int rc = 0; 1403 u32 header_extent_size; 1404 u16 num_header_extents_at_front; 1405 1406 header_extent_size = get_unaligned_be32(virt); 1407 virt += sizeof(__be32); 1408 num_header_extents_at_front = get_unaligned_be16(virt); 1409 crypt_stat->num_header_bytes_at_front = 1410 (((size_t)num_header_extents_at_front 1411 * (size_t)header_extent_size)); 1412 (*bytes_read) = (sizeof(__be32) + sizeof(__be16)); 1413 if ((validate_header_size == ECRYPTFS_VALIDATE_HEADER_SIZE) 1414 && (crypt_stat->num_header_bytes_at_front 1415 < ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE)) { 1416 rc = -EINVAL; 1417 printk(KERN_WARNING "Invalid header size: [%zd]\n", 1418 crypt_stat->num_header_bytes_at_front); 1419 } 1420 return rc; 1421 } 1422 1423 /** 1424 * set_default_header_data 1425 * @crypt_stat: The cryptographic context 1426 * 1427 * For version 0 file format; this function is only for backwards 1428 * compatibility for files created with the prior versions of 1429 * eCryptfs. 1430 */ 1431 static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat) 1432 { 1433 crypt_stat->num_header_bytes_at_front = 1434 ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE; 1435 } 1436 1437 /** 1438 * ecryptfs_read_headers_virt 1439 * @page_virt: The virtual address into which to read the headers 1440 * @crypt_stat: The cryptographic context 1441 * @ecryptfs_dentry: The eCryptfs dentry 1442 * @validate_header_size: Whether to validate the header size while reading 1443 * 1444 * Read/parse the header data. The header format is detailed in the 1445 * comment block for the ecryptfs_write_headers_virt() function. 1446 * 1447 * Returns zero on success 1448 */ 1449 static int ecryptfs_read_headers_virt(char *page_virt, 1450 struct ecryptfs_crypt_stat *crypt_stat, 1451 struct dentry *ecryptfs_dentry, 1452 int validate_header_size) 1453 { 1454 int rc = 0; 1455 int offset; 1456 int bytes_read; 1457 1458 ecryptfs_set_default_sizes(crypt_stat); 1459 crypt_stat->mount_crypt_stat = &ecryptfs_superblock_to_private( 1460 ecryptfs_dentry->d_sb)->mount_crypt_stat; 1461 offset = ECRYPTFS_FILE_SIZE_BYTES; 1462 rc = contains_ecryptfs_marker(page_virt + offset); 1463 if (rc == 0) { 1464 rc = -EINVAL; 1465 goto out; 1466 } 1467 offset += MAGIC_ECRYPTFS_MARKER_SIZE_BYTES; 1468 rc = ecryptfs_process_flags(crypt_stat, (page_virt + offset), 1469 &bytes_read); 1470 if (rc) { 1471 ecryptfs_printk(KERN_WARNING, "Error processing flags\n"); 1472 goto out; 1473 } 1474 if (crypt_stat->file_version > ECRYPTFS_SUPPORTED_FILE_VERSION) { 1475 ecryptfs_printk(KERN_WARNING, "File version is [%d]; only " 1476 "file version [%d] is supported by this " 1477 "version of eCryptfs\n", 1478 crypt_stat->file_version, 1479 ECRYPTFS_SUPPORTED_FILE_VERSION); 1480 rc = -EINVAL; 1481 goto out; 1482 } 1483 offset += bytes_read; 1484 if (crypt_stat->file_version >= 1) { 1485 rc = parse_header_metadata(crypt_stat, (page_virt + offset), 1486 &bytes_read, validate_header_size); 1487 if (rc) { 1488 ecryptfs_printk(KERN_WARNING, "Error reading header " 1489 "metadata; rc = [%d]\n", rc); 1490 } 1491 offset += bytes_read; 1492 } else 1493 set_default_header_data(crypt_stat); 1494 rc = ecryptfs_parse_packet_set(crypt_stat, (page_virt + offset), 1495 ecryptfs_dentry); 1496 out: 1497 return rc; 1498 } 1499 1500 /** 1501 * ecryptfs_read_xattr_region 1502 * @page_virt: The vitual address into which to read the xattr data 1503 * @ecryptfs_inode: The eCryptfs inode 1504 * 1505 * Attempts to read the crypto metadata from the extended attribute 1506 * region of the lower file. 1507 * 1508 * Returns zero on success; non-zero on error 1509 */ 1510 int ecryptfs_read_xattr_region(char *page_virt, struct inode *ecryptfs_inode) 1511 { 1512 struct dentry *lower_dentry = 1513 ecryptfs_inode_to_private(ecryptfs_inode)->lower_file->f_dentry; 1514 ssize_t size; 1515 int rc = 0; 1516 1517 size = ecryptfs_getxattr_lower(lower_dentry, ECRYPTFS_XATTR_NAME, 1518 page_virt, ECRYPTFS_DEFAULT_EXTENT_SIZE); 1519 if (size < 0) { 1520 if (unlikely(ecryptfs_verbosity > 0)) 1521 printk(KERN_INFO "Error attempting to read the [%s] " 1522 "xattr from the lower file; return value = " 1523 "[%zd]\n", ECRYPTFS_XATTR_NAME, size); 1524 rc = -EINVAL; 1525 goto out; 1526 } 1527 out: 1528 return rc; 1529 } 1530 1531 int ecryptfs_read_and_validate_xattr_region(char *page_virt, 1532 struct dentry *ecryptfs_dentry) 1533 { 1534 int rc; 1535 1536 rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_dentry->d_inode); 1537 if (rc) 1538 goto out; 1539 if (!contains_ecryptfs_marker(page_virt + ECRYPTFS_FILE_SIZE_BYTES)) { 1540 printk(KERN_WARNING "Valid data found in [%s] xattr, but " 1541 "the marker is invalid\n", ECRYPTFS_XATTR_NAME); 1542 rc = -EINVAL; 1543 } 1544 out: 1545 return rc; 1546 } 1547 1548 /** 1549 * ecryptfs_read_metadata 1550 * 1551 * Common entry point for reading file metadata. From here, we could 1552 * retrieve the header information from the header region of the file, 1553 * the xattr region of the file, or some other repostory that is 1554 * stored separately from the file itself. The current implementation 1555 * supports retrieving the metadata information from the file contents 1556 * and from the xattr region. 1557 * 1558 * Returns zero if valid headers found and parsed; non-zero otherwise 1559 */ 1560 int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry) 1561 { 1562 int rc = 0; 1563 char *page_virt = NULL; 1564 struct inode *ecryptfs_inode = ecryptfs_dentry->d_inode; 1565 struct ecryptfs_crypt_stat *crypt_stat = 1566 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat; 1567 struct ecryptfs_mount_crypt_stat *mount_crypt_stat = 1568 &ecryptfs_superblock_to_private( 1569 ecryptfs_dentry->d_sb)->mount_crypt_stat; 1570 1571 ecryptfs_copy_mount_wide_flags_to_inode_flags(crypt_stat, 1572 mount_crypt_stat); 1573 /* Read the first page from the underlying file */ 1574 page_virt = kmem_cache_alloc(ecryptfs_header_cache_1, GFP_USER); 1575 if (!page_virt) { 1576 rc = -ENOMEM; 1577 printk(KERN_ERR "%s: Unable to allocate page_virt\n", 1578 __func__); 1579 goto out; 1580 } 1581 rc = ecryptfs_read_lower(page_virt, 0, crypt_stat->extent_size, 1582 ecryptfs_inode); 1583 if (!rc) 1584 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat, 1585 ecryptfs_dentry, 1586 ECRYPTFS_VALIDATE_HEADER_SIZE); 1587 if (rc) { 1588 rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode); 1589 if (rc) { 1590 printk(KERN_DEBUG "Valid eCryptfs headers not found in " 1591 "file header region or xattr region\n"); 1592 rc = -EINVAL; 1593 goto out; 1594 } 1595 rc = ecryptfs_read_headers_virt(page_virt, crypt_stat, 1596 ecryptfs_dentry, 1597 ECRYPTFS_DONT_VALIDATE_HEADER_SIZE); 1598 if (rc) { 1599 printk(KERN_DEBUG "Valid eCryptfs headers not found in " 1600 "file xattr region either\n"); 1601 rc = -EINVAL; 1602 } 1603 if (crypt_stat->mount_crypt_stat->flags 1604 & ECRYPTFS_XATTR_METADATA_ENABLED) { 1605 crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR; 1606 } else { 1607 printk(KERN_WARNING "Attempt to access file with " 1608 "crypto metadata only in the extended attribute " 1609 "region, but eCryptfs was mounted without " 1610 "xattr support enabled. eCryptfs will not treat " 1611 "this like an encrypted file.\n"); 1612 rc = -EINVAL; 1613 } 1614 } 1615 out: 1616 if (page_virt) { 1617 memset(page_virt, 0, PAGE_CACHE_SIZE); 1618 kmem_cache_free(ecryptfs_header_cache_1, page_virt); 1619 } 1620 return rc; 1621 } 1622 1623 /** 1624 * ecryptfs_encode_filename - converts a plaintext file name to cipher text 1625 * @crypt_stat: The crypt_stat struct associated with the file anem to encode 1626 * @name: The plaintext name 1627 * @length: The length of the plaintext 1628 * @encoded_name: The encypted name 1629 * 1630 * Encrypts and encodes a filename into something that constitutes a 1631 * valid filename for a filesystem, with printable characters. 1632 * 1633 * We assume that we have a properly initialized crypto context, 1634 * pointed to by crypt_stat->tfm. 1635 * 1636 * TODO: Implement filename decoding and decryption here, in place of 1637 * memcpy. We are keeping the framework around for now to (1) 1638 * facilitate testing of the components needed to implement filename 1639 * encryption and (2) to provide a code base from which other 1640 * developers in the community can easily implement this feature. 1641 * 1642 * Returns the length of encoded filename; negative if error 1643 */ 1644 int 1645 ecryptfs_encode_filename(struct ecryptfs_crypt_stat *crypt_stat, 1646 const char *name, int length, char **encoded_name) 1647 { 1648 int error = 0; 1649 1650 (*encoded_name) = kmalloc(length + 2, GFP_KERNEL); 1651 if (!(*encoded_name)) { 1652 error = -ENOMEM; 1653 goto out; 1654 } 1655 /* TODO: Filename encryption is a scheduled feature for a 1656 * future version of eCryptfs. This function is here only for 1657 * the purpose of providing a framework for other developers 1658 * to easily implement filename encryption. Hint: Replace this 1659 * memcpy() with a call to encrypt and encode the 1660 * filename, the set the length accordingly. */ 1661 memcpy((void *)(*encoded_name), (void *)name, length); 1662 (*encoded_name)[length] = '\0'; 1663 error = length + 1; 1664 out: 1665 return error; 1666 } 1667 1668 /** 1669 * ecryptfs_decode_filename - converts the cipher text name to plaintext 1670 * @crypt_stat: The crypt_stat struct associated with the file 1671 * @name: The filename in cipher text 1672 * @length: The length of the cipher text name 1673 * @decrypted_name: The plaintext name 1674 * 1675 * Decodes and decrypts the filename. 1676 * 1677 * We assume that we have a properly initialized crypto context, 1678 * pointed to by crypt_stat->tfm. 1679 * 1680 * TODO: Implement filename decoding and decryption here, in place of 1681 * memcpy. We are keeping the framework around for now to (1) 1682 * facilitate testing of the components needed to implement filename 1683 * encryption and (2) to provide a code base from which other 1684 * developers in the community can easily implement this feature. 1685 * 1686 * Returns the length of decoded filename; negative if error 1687 */ 1688 int 1689 ecryptfs_decode_filename(struct ecryptfs_crypt_stat *crypt_stat, 1690 const char *name, int length, char **decrypted_name) 1691 { 1692 int error = 0; 1693 1694 (*decrypted_name) = kmalloc(length + 2, GFP_KERNEL); 1695 if (!(*decrypted_name)) { 1696 error = -ENOMEM; 1697 goto out; 1698 } 1699 /* TODO: Filename encryption is a scheduled feature for a 1700 * future version of eCryptfs. This function is here only for 1701 * the purpose of providing a framework for other developers 1702 * to easily implement filename encryption. Hint: Replace this 1703 * memcpy() with a call to decode and decrypt the 1704 * filename, the set the length accordingly. */ 1705 memcpy((void *)(*decrypted_name), (void *)name, length); 1706 (*decrypted_name)[length + 1] = '\0'; /* Only for convenience 1707 * in printing out the 1708 * string in debug 1709 * messages */ 1710 error = length; 1711 out: 1712 return error; 1713 } 1714 1715 /** 1716 * ecryptfs_process_key_cipher - Perform key cipher initialization. 1717 * @key_tfm: Crypto context for key material, set by this function 1718 * @cipher_name: Name of the cipher 1719 * @key_size: Size of the key in bytes 1720 * 1721 * Returns zero on success. Any crypto_tfm structs allocated here 1722 * should be released by other functions, such as on a superblock put 1723 * event, regardless of whether this function succeeds for fails. 1724 */ 1725 static int 1726 ecryptfs_process_key_cipher(struct crypto_blkcipher **key_tfm, 1727 char *cipher_name, size_t *key_size) 1728 { 1729 char dummy_key[ECRYPTFS_MAX_KEY_BYTES]; 1730 char *full_alg_name; 1731 int rc; 1732 1733 *key_tfm = NULL; 1734 if (*key_size > ECRYPTFS_MAX_KEY_BYTES) { 1735 rc = -EINVAL; 1736 printk(KERN_ERR "Requested key size is [%Zd] bytes; maximum " 1737 "allowable is [%d]\n", *key_size, ECRYPTFS_MAX_KEY_BYTES); 1738 goto out; 1739 } 1740 rc = ecryptfs_crypto_api_algify_cipher_name(&full_alg_name, cipher_name, 1741 "ecb"); 1742 if (rc) 1743 goto out; 1744 *key_tfm = crypto_alloc_blkcipher(full_alg_name, 0, CRYPTO_ALG_ASYNC); 1745 kfree(full_alg_name); 1746 if (IS_ERR(*key_tfm)) { 1747 rc = PTR_ERR(*key_tfm); 1748 printk(KERN_ERR "Unable to allocate crypto cipher with name " 1749 "[%s]; rc = [%d]\n", cipher_name, rc); 1750 goto out; 1751 } 1752 crypto_blkcipher_set_flags(*key_tfm, CRYPTO_TFM_REQ_WEAK_KEY); 1753 if (*key_size == 0) { 1754 struct blkcipher_alg *alg = crypto_blkcipher_alg(*key_tfm); 1755 1756 *key_size = alg->max_keysize; 1757 } 1758 get_random_bytes(dummy_key, *key_size); 1759 rc = crypto_blkcipher_setkey(*key_tfm, dummy_key, *key_size); 1760 if (rc) { 1761 printk(KERN_ERR "Error attempting to set key of size [%Zd] for " 1762 "cipher [%s]; rc = [%d]\n", *key_size, cipher_name, rc); 1763 rc = -EINVAL; 1764 goto out; 1765 } 1766 out: 1767 return rc; 1768 } 1769 1770 struct kmem_cache *ecryptfs_key_tfm_cache; 1771 static struct list_head key_tfm_list; 1772 struct mutex key_tfm_list_mutex; 1773 1774 int ecryptfs_init_crypto(void) 1775 { 1776 mutex_init(&key_tfm_list_mutex); 1777 INIT_LIST_HEAD(&key_tfm_list); 1778 return 0; 1779 } 1780 1781 /** 1782 * ecryptfs_destroy_crypto - free all cached key_tfms on key_tfm_list 1783 * 1784 * Called only at module unload time 1785 */ 1786 int ecryptfs_destroy_crypto(void) 1787 { 1788 struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp; 1789 1790 mutex_lock(&key_tfm_list_mutex); 1791 list_for_each_entry_safe(key_tfm, key_tfm_tmp, &key_tfm_list, 1792 key_tfm_list) { 1793 list_del(&key_tfm->key_tfm_list); 1794 if (key_tfm->key_tfm) 1795 crypto_free_blkcipher(key_tfm->key_tfm); 1796 kmem_cache_free(ecryptfs_key_tfm_cache, key_tfm); 1797 } 1798 mutex_unlock(&key_tfm_list_mutex); 1799 return 0; 1800 } 1801 1802 int 1803 ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name, 1804 size_t key_size) 1805 { 1806 struct ecryptfs_key_tfm *tmp_tfm; 1807 int rc = 0; 1808 1809 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex)); 1810 1811 tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL); 1812 if (key_tfm != NULL) 1813 (*key_tfm) = tmp_tfm; 1814 if (!tmp_tfm) { 1815 rc = -ENOMEM; 1816 printk(KERN_ERR "Error attempting to allocate from " 1817 "ecryptfs_key_tfm_cache\n"); 1818 goto out; 1819 } 1820 mutex_init(&tmp_tfm->key_tfm_mutex); 1821 strncpy(tmp_tfm->cipher_name, cipher_name, 1822 ECRYPTFS_MAX_CIPHER_NAME_SIZE); 1823 tmp_tfm->cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0'; 1824 tmp_tfm->key_size = key_size; 1825 rc = ecryptfs_process_key_cipher(&tmp_tfm->key_tfm, 1826 tmp_tfm->cipher_name, 1827 &tmp_tfm->key_size); 1828 if (rc) { 1829 printk(KERN_ERR "Error attempting to initialize key TFM " 1830 "cipher with name = [%s]; rc = [%d]\n", 1831 tmp_tfm->cipher_name, rc); 1832 kmem_cache_free(ecryptfs_key_tfm_cache, tmp_tfm); 1833 if (key_tfm != NULL) 1834 (*key_tfm) = NULL; 1835 goto out; 1836 } 1837 list_add(&tmp_tfm->key_tfm_list, &key_tfm_list); 1838 out: 1839 return rc; 1840 } 1841 1842 /** 1843 * ecryptfs_tfm_exists - Search for existing tfm for cipher_name. 1844 * @cipher_name: the name of the cipher to search for 1845 * @key_tfm: set to corresponding tfm if found 1846 * 1847 * Searches for cached key_tfm matching @cipher_name 1848 * Must be called with &key_tfm_list_mutex held 1849 * Returns 1 if found, with @key_tfm set 1850 * Returns 0 if not found, with @key_tfm set to NULL 1851 */ 1852 int ecryptfs_tfm_exists(char *cipher_name, struct ecryptfs_key_tfm **key_tfm) 1853 { 1854 struct ecryptfs_key_tfm *tmp_key_tfm; 1855 1856 BUG_ON(!mutex_is_locked(&key_tfm_list_mutex)); 1857 1858 list_for_each_entry(tmp_key_tfm, &key_tfm_list, key_tfm_list) { 1859 if (strcmp(tmp_key_tfm->cipher_name, cipher_name) == 0) { 1860 if (key_tfm) 1861 (*key_tfm) = tmp_key_tfm; 1862 return 1; 1863 } 1864 } 1865 if (key_tfm) 1866 (*key_tfm) = NULL; 1867 return 0; 1868 } 1869 1870 /** 1871 * ecryptfs_get_tfm_and_mutex_for_cipher_name 1872 * 1873 * @tfm: set to cached tfm found, or new tfm created 1874 * @tfm_mutex: set to mutex for cached tfm found, or new tfm created 1875 * @cipher_name: the name of the cipher to search for and/or add 1876 * 1877 * Sets pointers to @tfm & @tfm_mutex matching @cipher_name. 1878 * Searches for cached item first, and creates new if not found. 1879 * Returns 0 on success, non-zero if adding new cipher failed 1880 */ 1881 int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm, 1882 struct mutex **tfm_mutex, 1883 char *cipher_name) 1884 { 1885 struct ecryptfs_key_tfm *key_tfm; 1886 int rc = 0; 1887 1888 (*tfm) = NULL; 1889 (*tfm_mutex) = NULL; 1890 1891 mutex_lock(&key_tfm_list_mutex); 1892 if (!ecryptfs_tfm_exists(cipher_name, &key_tfm)) { 1893 rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0); 1894 if (rc) { 1895 printk(KERN_ERR "Error adding new key_tfm to list; " 1896 "rc = [%d]\n", rc); 1897 goto out; 1898 } 1899 } 1900 (*tfm) = key_tfm->key_tfm; 1901 (*tfm_mutex) = &key_tfm->key_tfm_mutex; 1902 out: 1903 mutex_unlock(&key_tfm_list_mutex); 1904 return rc; 1905 } 1906