31a32,68
> static bool fscrypt_valid_enc_modes(u32 contents_mode, u32 filenames_mode)
> {
> if (contents_mode == FSCRYPT_MODE_AES_256_XTS &&
> filenames_mode == FSCRYPT_MODE_AES_256_CTS)
> return true;
>
> if (contents_mode == FSCRYPT_MODE_AES_128_CBC &&
> filenames_mode == FSCRYPT_MODE_AES_128_CTS)
> return true;
>
> if (contents_mode == FSCRYPT_MODE_ADIANTUM &&
> filenames_mode == FSCRYPT_MODE_ADIANTUM)
> return true;
>
> return false;
> }
>
> static bool supported_direct_key_modes(const struct inode *inode,
> u32 contents_mode, u32 filenames_mode)
> {
> const struct fscrypt_mode *mode;
>
> if (contents_mode != filenames_mode) {
> fscrypt_warn(inode,
> "Direct key flag not allowed with different contents and filenames modes");
> return false;
> }
> mode = &fscrypt_modes[contents_mode];
>
> if (mode->ivsize < offsetofend(union fscrypt_iv, nonce)) {
> fscrypt_warn(inode, "Direct key flag not allowed with %s",
> mode->friendly_name);
> return false;
> }
> return true;
> }
>
65a103,171
> static bool fscrypt_supported_v1_policy(const struct fscrypt_policy_v1 *policy,
> const struct inode *inode)
> {
> if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode,
> policy->filenames_encryption_mode)) {
> fscrypt_warn(inode,
> "Unsupported encryption modes (contents %d, filenames %d)",
> policy->contents_encryption_mode,
> policy->filenames_encryption_mode);
> return false;
> }
>
> if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK |
> FSCRYPT_POLICY_FLAG_DIRECT_KEY)) {
> fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)",
> policy->flags);
> return false;
> }
>
> if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) &&
> !supported_direct_key_modes(inode, policy->contents_encryption_mode,
> policy->filenames_encryption_mode))
> return false;
>
> if (IS_CASEFOLDED(inode)) {
> /* With v1, there's no way to derive dirhash keys. */
> fscrypt_warn(inode,
> "v1 policies can't be used on casefolded directories");
> return false;
> }
>
> return true;
> }
>
> static bool fscrypt_supported_v2_policy(const struct fscrypt_policy_v2 *policy,
> const struct inode *inode)
> {
> if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode,
> policy->filenames_encryption_mode)) {
> fscrypt_warn(inode,
> "Unsupported encryption modes (contents %d, filenames %d)",
> policy->contents_encryption_mode,
> policy->filenames_encryption_mode);
> return false;
> }
>
> if (policy->flags & ~FSCRYPT_POLICY_FLAGS_VALID) {
> fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)",
> policy->flags);
> return false;
> }
>
> if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) &&
> !supported_direct_key_modes(inode, policy->contents_encryption_mode,
> policy->filenames_encryption_mode))
> return false;
>
> if ((policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) &&
> !supported_iv_ino_lblk_64_policy(policy, inode))
> return false;
>
> if (memchr_inv(policy->__reserved, 0, sizeof(policy->__reserved))) {
> fscrypt_warn(inode, "Reserved bits set in encryption policy");
> return false;
> }
>
> return true;
> }
>
70,72c176,178
< * settings are supported by this kernel. (But we don't currently don't check
< * for crypto API support here, so attempting to use an algorithm not configured
< * into the crypto API will still fail later.)
---
> * settings are supported by this kernel on the given inode. (But we don't
> * currently don't check for crypto API support here, so attempting to use an
> * algorithm not configured into the crypto API will still fail later.)
80,100c186,189
< case FSCRYPT_POLICY_V1: {
< const struct fscrypt_policy_v1 *policy = &policy_u->v1;
<
< if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode,
< policy->filenames_encryption_mode)) {
< fscrypt_warn(inode,
< "Unsupported encryption modes (contents %d, filenames %d)",
< policy->contents_encryption_mode,
< policy->filenames_encryption_mode);
< return false;
< }
<
< if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK |
< FSCRYPT_POLICY_FLAG_DIRECT_KEY)) {
< fscrypt_warn(inode,
< "Unsupported encryption flags (0x%02x)",
< policy->flags);
< return false;
< }
<
< return true;
---
> case FSCRYPT_POLICY_V1:
> return fscrypt_supported_v1_policy(&policy_u->v1, inode);
> case FSCRYPT_POLICY_V2:
> return fscrypt_supported_v2_policy(&policy_u->v2, inode);
102,134d190
< case FSCRYPT_POLICY_V2: {
< const struct fscrypt_policy_v2 *policy = &policy_u->v2;
<
< if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode,
< policy->filenames_encryption_mode)) {
< fscrypt_warn(inode,
< "Unsupported encryption modes (contents %d, filenames %d)",
< policy->contents_encryption_mode,
< policy->filenames_encryption_mode);
< return false;
< }
<
< if (policy->flags & ~FSCRYPT_POLICY_FLAGS_VALID) {
< fscrypt_warn(inode,
< "Unsupported encryption flags (0x%02x)",
< policy->flags);
< return false;
< }
<
< if ((policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) &&
< !supported_iv_ino_lblk_64_policy(policy, inode))
< return false;
<
< if (memchr_inv(policy->__reserved, 0,
< sizeof(policy->__reserved))) {
< fscrypt_warn(inode,
< "Reserved bits set in encryption policy");
< return false;
< }
<
< return true;
< }
< }
> static bool fscrypt_valid_enc_modes(u32 contents_mode, u32 filenames_mode)
> {
> if (contents_mode == FSCRYPT_MODE_AES_256_XTS &&
> filenames_mode == FSCRYPT_MODE_AES_256_CTS)
> return true;
>
> if (contents_mode == FSCRYPT_MODE_AES_128_CBC &&
> filenames_mode == FSCRYPT_MODE_AES_128_CTS)
> return true;
>
> if (contents_mode == FSCRYPT_MODE_ADIANTUM &&
> filenames_mode == FSCRYPT_MODE_ADIANTUM)
> return true;
>
> return false;
> }
>
> static bool supported_direct_key_modes(const struct inode *inode,
> u32 contents_mode, u32 filenames_mode)
> {
> const struct fscrypt_mode *mode;
>
> if (contents_mode != filenames_mode) {
> fscrypt_warn(inode,
> "Direct key flag not allowed with different contents and filenames modes");
> return false;
> }
> mode = &fscrypt_modes[contents_mode];
>
> if (mode->ivsize < offsetofend(union fscrypt_iv, nonce)) {
> fscrypt_warn(inode, "Direct key flag not allowed with %s",
> mode->friendly_name);
> return false;
> }
> return true;
> }
>
65a103,171
> static bool fscrypt_supported_v1_policy(const struct fscrypt_policy_v1 *policy,
> const struct inode *inode)
> {
> if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode,
> policy->filenames_encryption_mode)) {
> fscrypt_warn(inode,
> "Unsupported encryption modes (contents %d, filenames %d)",
> policy->contents_encryption_mode,
> policy->filenames_encryption_mode);
> return false;
> }
>
> if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK |
> FSCRYPT_POLICY_FLAG_DIRECT_KEY)) {
> fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)",
> policy->flags);
> return false;
> }
>
> if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) &&
> !supported_direct_key_modes(inode, policy->contents_encryption_mode,
> policy->filenames_encryption_mode))
> return false;
>
> if (IS_CASEFOLDED(inode)) {
> /* With v1, there's no way to derive dirhash keys. */
> fscrypt_warn(inode,
> "v1 policies can't be used on casefolded directories");
> return false;
> }
>
> return true;
> }
>
> static bool fscrypt_supported_v2_policy(const struct fscrypt_policy_v2 *policy,
> const struct inode *inode)
> {
> if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode,
> policy->filenames_encryption_mode)) {
> fscrypt_warn(inode,
> "Unsupported encryption modes (contents %d, filenames %d)",
> policy->contents_encryption_mode,
> policy->filenames_encryption_mode);
> return false;
> }
>
> if (policy->flags & ~FSCRYPT_POLICY_FLAGS_VALID) {
> fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)",
> policy->flags);
> return false;
> }
>
> if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) &&
> !supported_direct_key_modes(inode, policy->contents_encryption_mode,
> policy->filenames_encryption_mode))
> return false;
>
> if ((policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) &&
> !supported_iv_ino_lblk_64_policy(policy, inode))
> return false;
>
> if (memchr_inv(policy->__reserved, 0, sizeof(policy->__reserved))) {
> fscrypt_warn(inode, "Reserved bits set in encryption policy");
> return false;
> }
>
> return true;
> }
>
70,72c176,178
< * settings are supported by this kernel. (But we don't currently don't check
< * for crypto API support here, so attempting to use an algorithm not configured
< * into the crypto API will still fail later.)
---
> * settings are supported by this kernel on the given inode. (But we don't
> * currently don't check for crypto API support here, so attempting to use an
> * algorithm not configured into the crypto API will still fail later.)
80,100c186,189
< case FSCRYPT_POLICY_V1: {
< const struct fscrypt_policy_v1 *policy = &policy_u->v1;
<
< if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode,
< policy->filenames_encryption_mode)) {
< fscrypt_warn(inode,
< "Unsupported encryption modes (contents %d, filenames %d)",
< policy->contents_encryption_mode,
< policy->filenames_encryption_mode);
< return false;
< }
<
< if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK |
< FSCRYPT_POLICY_FLAG_DIRECT_KEY)) {
< fscrypt_warn(inode,
< "Unsupported encryption flags (0x%02x)",
< policy->flags);
< return false;
< }
<
< return true;
---
> case FSCRYPT_POLICY_V1:
> return fscrypt_supported_v1_policy(&policy_u->v1, inode);
> case FSCRYPT_POLICY_V2:
> return fscrypt_supported_v2_policy(&policy_u->v2, inode);
102,134d190
< case FSCRYPT_POLICY_V2: {
< const struct fscrypt_policy_v2 *policy = &policy_u->v2;
<
< if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode,
< policy->filenames_encryption_mode)) {
< fscrypt_warn(inode,
< "Unsupported encryption modes (contents %d, filenames %d)",
< policy->contents_encryption_mode,
< policy->filenames_encryption_mode);
< return false;
< }
<
< if (policy->flags & ~FSCRYPT_POLICY_FLAGS_VALID) {
< fscrypt_warn(inode,
< "Unsupported encryption flags (0x%02x)",
< policy->flags);
< return false;
< }
<
< if ((policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) &&
< !supported_iv_ino_lblk_64_policy(policy, inode))
< return false;
<
< if (memchr_inv(policy->__reserved, 0,
< sizeof(policy->__reserved))) {
< fscrypt_warn(inode,
< "Reserved bits set in encryption policy");
< return false;
< }
<
< return true;
< }
< }