1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * This contains functions for filename crypto management 4 * 5 * Copyright (C) 2015, Google, Inc. 6 * Copyright (C) 2015, Motorola Mobility 7 * 8 * Written by Uday Savagaonkar, 2014. 9 * Modified by Jaegeuk Kim, 2015. 10 * 11 * This has not yet undergone a rigorous security audit. 12 */ 13 14 #include <linux/scatterlist.h> 15 #include <linux/ratelimit.h> 16 #include <crypto/skcipher.h> 17 #include "fscrypt_private.h" 18 19 static inline bool fscrypt_is_dot_dotdot(const struct qstr *str) 20 { 21 if (str->len == 1 && str->name[0] == '.') 22 return true; 23 24 if (str->len == 2 && str->name[0] == '.' && str->name[1] == '.') 25 return true; 26 27 return false; 28 } 29 30 /** 31 * fname_encrypt() - encrypt a filename 32 * 33 * The output buffer must be at least as large as the input buffer. 34 * Any extra space is filled with NUL padding before encryption. 35 * 36 * Return: 0 on success, -errno on failure 37 */ 38 int fname_encrypt(struct inode *inode, const struct qstr *iname, 39 u8 *out, unsigned int olen) 40 { 41 struct skcipher_request *req = NULL; 42 DECLARE_CRYPTO_WAIT(wait); 43 struct fscrypt_info *ci = inode->i_crypt_info; 44 struct crypto_skcipher *tfm = ci->ci_ctfm; 45 union fscrypt_iv iv; 46 struct scatterlist sg; 47 int res; 48 49 /* 50 * Copy the filename to the output buffer for encrypting in-place and 51 * pad it with the needed number of NUL bytes. 52 */ 53 if (WARN_ON(olen < iname->len)) 54 return -ENOBUFS; 55 memcpy(out, iname->name, iname->len); 56 memset(out + iname->len, 0, olen - iname->len); 57 58 /* Initialize the IV */ 59 fscrypt_generate_iv(&iv, 0, ci); 60 61 /* Set up the encryption request */ 62 req = skcipher_request_alloc(tfm, GFP_NOFS); 63 if (!req) 64 return -ENOMEM; 65 skcipher_request_set_callback(req, 66 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, 67 crypto_req_done, &wait); 68 sg_init_one(&sg, out, olen); 69 skcipher_request_set_crypt(req, &sg, &sg, olen, &iv); 70 71 /* Do the encryption */ 72 res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait); 73 skcipher_request_free(req); 74 if (res < 0) { 75 fscrypt_err(inode->i_sb, 76 "Filename encryption failed for inode %lu: %d", 77 inode->i_ino, res); 78 return res; 79 } 80 81 return 0; 82 } 83 84 /** 85 * fname_decrypt() - decrypt a filename 86 * 87 * The caller must have allocated sufficient memory for the @oname string. 88 * 89 * Return: 0 on success, -errno on failure 90 */ 91 static int fname_decrypt(struct inode *inode, 92 const struct fscrypt_str *iname, 93 struct fscrypt_str *oname) 94 { 95 struct skcipher_request *req = NULL; 96 DECLARE_CRYPTO_WAIT(wait); 97 struct scatterlist src_sg, dst_sg; 98 struct fscrypt_info *ci = inode->i_crypt_info; 99 struct crypto_skcipher *tfm = ci->ci_ctfm; 100 union fscrypt_iv iv; 101 int res; 102 103 /* Allocate request */ 104 req = skcipher_request_alloc(tfm, GFP_NOFS); 105 if (!req) 106 return -ENOMEM; 107 skcipher_request_set_callback(req, 108 CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, 109 crypto_req_done, &wait); 110 111 /* Initialize IV */ 112 fscrypt_generate_iv(&iv, 0, ci); 113 114 /* Create decryption request */ 115 sg_init_one(&src_sg, iname->name, iname->len); 116 sg_init_one(&dst_sg, oname->name, oname->len); 117 skcipher_request_set_crypt(req, &src_sg, &dst_sg, iname->len, &iv); 118 res = crypto_wait_req(crypto_skcipher_decrypt(req), &wait); 119 skcipher_request_free(req); 120 if (res < 0) { 121 fscrypt_err(inode->i_sb, 122 "Filename decryption failed for inode %lu: %d", 123 inode->i_ino, res); 124 return res; 125 } 126 127 oname->len = strnlen(oname->name, iname->len); 128 return 0; 129 } 130 131 static const char *lookup_table = 132 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+,"; 133 134 #define BASE64_CHARS(nbytes) DIV_ROUND_UP((nbytes) * 4, 3) 135 136 /** 137 * digest_encode() - 138 * 139 * Encodes the input digest using characters from the set [a-zA-Z0-9_+]. 140 * The encoded string is roughly 4/3 times the size of the input string. 141 */ 142 static int digest_encode(const char *src, int len, char *dst) 143 { 144 int i = 0, bits = 0, ac = 0; 145 char *cp = dst; 146 147 while (i < len) { 148 ac += (((unsigned char) src[i]) << bits); 149 bits += 8; 150 do { 151 *cp++ = lookup_table[ac & 0x3f]; 152 ac >>= 6; 153 bits -= 6; 154 } while (bits >= 6); 155 i++; 156 } 157 if (bits) 158 *cp++ = lookup_table[ac & 0x3f]; 159 return cp - dst; 160 } 161 162 static int digest_decode(const char *src, int len, char *dst) 163 { 164 int i = 0, bits = 0, ac = 0; 165 const char *p; 166 char *cp = dst; 167 168 while (i < len) { 169 p = strchr(lookup_table, src[i]); 170 if (p == NULL || src[i] == 0) 171 return -2; 172 ac += (p - lookup_table) << bits; 173 bits += 6; 174 if (bits >= 8) { 175 *cp++ = ac & 0xff; 176 ac >>= 8; 177 bits -= 8; 178 } 179 i++; 180 } 181 if (ac) 182 return -1; 183 return cp - dst; 184 } 185 186 bool fscrypt_fname_encrypted_size(const struct inode *inode, u32 orig_len, 187 u32 max_len, u32 *encrypted_len_ret) 188 { 189 int padding = 4 << (inode->i_crypt_info->ci_flags & 190 FS_POLICY_FLAGS_PAD_MASK); 191 u32 encrypted_len; 192 193 if (orig_len > max_len) 194 return false; 195 encrypted_len = max(orig_len, (u32)FS_CRYPTO_BLOCK_SIZE); 196 encrypted_len = round_up(encrypted_len, padding); 197 *encrypted_len_ret = min(encrypted_len, max_len); 198 return true; 199 } 200 201 /** 202 * fscrypt_fname_alloc_buffer - allocate a buffer for presented filenames 203 * 204 * Allocate a buffer that is large enough to hold any decrypted or encoded 205 * filename (null-terminated), for the given maximum encrypted filename length. 206 * 207 * Return: 0 on success, -errno on failure 208 */ 209 int fscrypt_fname_alloc_buffer(const struct inode *inode, 210 u32 max_encrypted_len, 211 struct fscrypt_str *crypto_str) 212 { 213 const u32 max_encoded_len = 214 max_t(u32, BASE64_CHARS(FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE), 215 1 + BASE64_CHARS(sizeof(struct fscrypt_digested_name))); 216 u32 max_presented_len; 217 218 max_presented_len = max(max_encoded_len, max_encrypted_len); 219 220 crypto_str->name = kmalloc(max_presented_len + 1, GFP_NOFS); 221 if (!crypto_str->name) 222 return -ENOMEM; 223 crypto_str->len = max_presented_len; 224 return 0; 225 } 226 EXPORT_SYMBOL(fscrypt_fname_alloc_buffer); 227 228 /** 229 * fscrypt_fname_free_buffer - free the buffer for presented filenames 230 * 231 * Free the buffer allocated by fscrypt_fname_alloc_buffer(). 232 */ 233 void fscrypt_fname_free_buffer(struct fscrypt_str *crypto_str) 234 { 235 if (!crypto_str) 236 return; 237 kfree(crypto_str->name); 238 crypto_str->name = NULL; 239 } 240 EXPORT_SYMBOL(fscrypt_fname_free_buffer); 241 242 /** 243 * fscrypt_fname_disk_to_usr() - converts a filename from disk space to user 244 * space 245 * 246 * The caller must have allocated sufficient memory for the @oname string. 247 * 248 * If the key is available, we'll decrypt the disk name; otherwise, we'll encode 249 * it for presentation. Short names are directly base64-encoded, while long 250 * names are encoded in fscrypt_digested_name format. 251 * 252 * Return: 0 on success, -errno on failure 253 */ 254 int fscrypt_fname_disk_to_usr(struct inode *inode, 255 u32 hash, u32 minor_hash, 256 const struct fscrypt_str *iname, 257 struct fscrypt_str *oname) 258 { 259 const struct qstr qname = FSTR_TO_QSTR(iname); 260 struct fscrypt_digested_name digested_name; 261 262 if (fscrypt_is_dot_dotdot(&qname)) { 263 oname->name[0] = '.'; 264 oname->name[iname->len - 1] = '.'; 265 oname->len = iname->len; 266 return 0; 267 } 268 269 if (iname->len < FS_CRYPTO_BLOCK_SIZE) 270 return -EUCLEAN; 271 272 if (fscrypt_has_encryption_key(inode)) 273 return fname_decrypt(inode, iname, oname); 274 275 if (iname->len <= FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE) { 276 oname->len = digest_encode(iname->name, iname->len, 277 oname->name); 278 return 0; 279 } 280 if (hash) { 281 digested_name.hash = hash; 282 digested_name.minor_hash = minor_hash; 283 } else { 284 digested_name.hash = 0; 285 digested_name.minor_hash = 0; 286 } 287 memcpy(digested_name.digest, 288 FSCRYPT_FNAME_DIGEST(iname->name, iname->len), 289 FSCRYPT_FNAME_DIGEST_SIZE); 290 oname->name[0] = '_'; 291 oname->len = 1 + digest_encode((const char *)&digested_name, 292 sizeof(digested_name), oname->name + 1); 293 return 0; 294 } 295 EXPORT_SYMBOL(fscrypt_fname_disk_to_usr); 296 297 /** 298 * fscrypt_setup_filename() - prepare to search a possibly encrypted directory 299 * @dir: the directory that will be searched 300 * @iname: the user-provided filename being searched for 301 * @lookup: 1 if we're allowed to proceed without the key because it's 302 * ->lookup() or we're finding the dir_entry for deletion; 0 if we cannot 303 * proceed without the key because we're going to create the dir_entry. 304 * @fname: the filename information to be filled in 305 * 306 * Given a user-provided filename @iname, this function sets @fname->disk_name 307 * to the name that would be stored in the on-disk directory entry, if possible. 308 * If the directory is unencrypted this is simply @iname. Else, if we have the 309 * directory's encryption key, then @iname is the plaintext, so we encrypt it to 310 * get the disk_name. 311 * 312 * Else, for keyless @lookup operations, @iname is the presented ciphertext, so 313 * we decode it to get either the ciphertext disk_name (for short names) or the 314 * fscrypt_digested_name (for long names). Non-@lookup operations will be 315 * impossible in this case, so we fail them with ENOKEY. 316 * 317 * If successful, fscrypt_free_filename() must be called later to clean up. 318 * 319 * Return: 0 on success, -errno on failure 320 */ 321 int fscrypt_setup_filename(struct inode *dir, const struct qstr *iname, 322 int lookup, struct fscrypt_name *fname) 323 { 324 int ret; 325 int digested; 326 327 memset(fname, 0, sizeof(struct fscrypt_name)); 328 fname->usr_fname = iname; 329 330 if (!IS_ENCRYPTED(dir) || fscrypt_is_dot_dotdot(iname)) { 331 fname->disk_name.name = (unsigned char *)iname->name; 332 fname->disk_name.len = iname->len; 333 return 0; 334 } 335 ret = fscrypt_get_encryption_info(dir); 336 if (ret) 337 return ret; 338 339 if (fscrypt_has_encryption_key(dir)) { 340 if (!fscrypt_fname_encrypted_size(dir, iname->len, 341 dir->i_sb->s_cop->max_namelen, 342 &fname->crypto_buf.len)) 343 return -ENAMETOOLONG; 344 fname->crypto_buf.name = kmalloc(fname->crypto_buf.len, 345 GFP_NOFS); 346 if (!fname->crypto_buf.name) 347 return -ENOMEM; 348 349 ret = fname_encrypt(dir, iname, fname->crypto_buf.name, 350 fname->crypto_buf.len); 351 if (ret) 352 goto errout; 353 fname->disk_name.name = fname->crypto_buf.name; 354 fname->disk_name.len = fname->crypto_buf.len; 355 return 0; 356 } 357 if (!lookup) 358 return -ENOKEY; 359 fname->is_ciphertext_name = true; 360 361 /* 362 * We don't have the key and we are doing a lookup; decode the 363 * user-supplied name 364 */ 365 if (iname->name[0] == '_') { 366 if (iname->len != 367 1 + BASE64_CHARS(sizeof(struct fscrypt_digested_name))) 368 return -ENOENT; 369 digested = 1; 370 } else { 371 if (iname->len > 372 BASE64_CHARS(FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE)) 373 return -ENOENT; 374 digested = 0; 375 } 376 377 fname->crypto_buf.name = 378 kmalloc(max_t(size_t, FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE, 379 sizeof(struct fscrypt_digested_name)), 380 GFP_KERNEL); 381 if (fname->crypto_buf.name == NULL) 382 return -ENOMEM; 383 384 ret = digest_decode(iname->name + digested, iname->len - digested, 385 fname->crypto_buf.name); 386 if (ret < 0) { 387 ret = -ENOENT; 388 goto errout; 389 } 390 fname->crypto_buf.len = ret; 391 if (digested) { 392 const struct fscrypt_digested_name *n = 393 (const void *)fname->crypto_buf.name; 394 fname->hash = n->hash; 395 fname->minor_hash = n->minor_hash; 396 } else { 397 fname->disk_name.name = fname->crypto_buf.name; 398 fname->disk_name.len = fname->crypto_buf.len; 399 } 400 return 0; 401 402 errout: 403 kfree(fname->crypto_buf.name); 404 return ret; 405 } 406 EXPORT_SYMBOL(fscrypt_setup_filename); 407