From patchwork Wed Apr 19 00:10:05 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 752041 Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3w72Sl06QKz9s0m for ; Wed, 19 Apr 2017 10:10:15 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="mM9uSXbA"; dkim-atps=neutral Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757689AbdDSAKK (ORCPT ); Tue, 18 Apr 2017 20:10:10 -0400 Received: from mail-pg0-f67.google.com ([74.125.83.67]:33798 "EHLO mail-pg0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757418AbdDSAKI (ORCPT ); Tue, 18 Apr 2017 20:10:08 -0400 Received: by mail-pg0-f67.google.com with SMTP id o123so1353508pga.1; Tue, 18 Apr 2017 17:10:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=Ff+SbbgsVLzNUwIH11csZTRur/1Kjle9H66XBnxo0iY=; b=mM9uSXbAbzjS+YDbHmroi0nLre9fbVdgK7Vgj7iNKy/UfwEvrwKO4djWwMYzJqp1bU yHDM5a/6W57dROky09QuamedtA2vOatTq9Lio830uBGuGVxtow7qI9zNJ+6FvjgN1zHk cj7opwkuwDEz26r+caiQpP+TMT5xGOevHI9T1Lx+ETnnpyFHeHPRwRGVkcrGlTivB/MN a28F2uT0Uzi3jiiEaRZ4SEHulagMnU6Vq1zNwjY/rRZhHTktBvg95lhAbzWsP4xDTfZX mvPGbon7Uv9SmN1hFP0LPprEU/MKMjcGbrbGfC1AKMwtaVGvX+UeFZRc6tUAXcsW6Hn3 S6LQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=Ff+SbbgsVLzNUwIH11csZTRur/1Kjle9H66XBnxo0iY=; b=YNuCUVn2efsCFEcm7x94A/7N95XujG+S+tlQzuPr+pD5C5FimlC/imyBruLRsxi3eb E++RbZ7g6gFBNl8k2JYoW/19B1nzonRAKYT7Q+K3TC8expsbXeviOz1Z6RJrGZi1KNKA Fh8F3822zayeZXMKVhDNwcl9hzS2BOXibvQhe7PL+QsOI1HJB3UpYzXs7Kk5ll6Tggbm LE9kGWnvlbjobaOq2uEgZWLetJJxPV0FR7Kum6Ev7JtZu7qtYO9DAuSXwSX/6GZLTnuY GHzaCAJBhldDjkweTfGKuzFIJzqfiwDOL1578H+aFS00R0MhYBNw3sEl+pPOzJvdmwn9 ThOg== X-Gm-Message-State: AN3rC/4BrnSbtkopopBNfHT3OHcDiOcLS6kmEoE50xTr9c/MBMO++xC9 rhU237Xcs/c0Ew== X-Received: by 10.99.114.80 with SMTP id c16mr93107pgn.121.1492560607511; Tue, 18 Apr 2017 17:10:07 -0700 (PDT) Received: from gmail.com ([2620:0:1008:13:e15c:3606:b57:e891]) by smtp.gmail.com with ESMTPSA id 202sm601249pfz.36.2017.04.18.17.10.06 (version=TLS1_2 cipher=AES128-SHA bits=128/128); Tue, 18 Apr 2017 17:10:06 -0700 (PDT) Date: Tue, 18 Apr 2017 17:10:05 -0700 From: Eric Biggers To: Gwendal Grignou Cc: tytso@mit.edu, ebiggers@google.com, linux-ext4@vger.kernel.org, linux-fscrypt@vger.kernel.org, kinaba@chromium.org, hashimoto@chromium.org, linux-f2fs-devel@lists.sourceforge.net, linux-mtd@lists.infradead.org Subject: Re: [PATCH] fscrypt: use 32 bytes of encrypted filename Message-ID: <20170419001005.GA143911@gmail.com> References: <20170418210642.6039-1-gwendal@chromium.org> <20170418230136.GA96152@gmail.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20170418230136.GA96152@gmail.com> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Tue, Apr 18, 2017 at 04:01:36PM -0700, Eric Biggers wrote: > > Strangely, f2fs and ubifs do not use the bytes from the filename at all when > trying to find a specific directory entry in this case. So this patch doesn't > really affect them. This seems unreliable; perhaps we should introduce a > function like "fscrypt_name_matches()" which all the filesystems could call? > Can any of the f2fs and ubifs developers explain why they don't look at any > bytes from the filename? > Just to give some ideas, here's an untested patch which does this and also updates F2FS to start checking the filename. UBIFS seemed more difficult so I didn't touch it yet. Of course, this would need to be split into a few different patches if we actually wanted to go with it. diff --git a/fs/crypto/fname.c b/fs/crypto/fname.c index 37b49894c762..1fc19a265924 100644 --- a/fs/crypto/fname.c +++ b/fs/crypto/fname.c @@ -160,12 +160,14 @@ static const char *lookup_table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+,"; /** - * digest_encode() - + * base64_encode() - * - * Encodes the input digest using characters from the set [a-zA-Z0-9_+]. - * The encoded string is roughly 4/3 times the size of the input string. + * Encode the input data using characters from the set [A-Za-z0-9+,]. + * + * Return: the length of the encoded string. This will be 4/3 times the size of + * the input string, rounded up. */ -static int digest_encode(const char *src, int len, char *dst) +static int base64_encode(const char *src, int len, char *dst) { int i = 0, bits = 0, ac = 0; char *cp = dst; @@ -185,7 +187,9 @@ static int digest_encode(const char *src, int len, char *dst) return cp - dst; } -static int digest_decode(const char *src, int len, char *dst) +#define BASE64_CHARS(nbytes) DIV_ROUND_UP((nbytes) * 4, 3) + +static int base64_decode(const char *src, int len, char *dst) { int i = 0, bits = 0, ac = 0; const char *p; @@ -274,7 +278,7 @@ int fscrypt_fname_disk_to_usr(struct inode *inode, struct fscrypt_str *oname) { const struct qstr qname = FSTR_TO_QSTR(iname); - char buf[24]; + char buf[8 + FS_FNAME_CRYPTO_DIGEST_SIZE]; if (fscrypt_is_dot_dotdot(&qname)) { oname->name[0] = '.'; @@ -289,20 +293,35 @@ int fscrypt_fname_disk_to_usr(struct inode *inode, if (inode->i_crypt_info) return fname_decrypt(inode, iname, oname); + /* Key is unavailable. Encode the name without decrypting it. */ + if (iname->len <= FS_FNAME_CRYPTO_DIGEST_SIZE) { - oname->len = digest_encode(iname->name, iname->len, + /* Short name: base64-encode the ciphertext directly */ + oname->len = base64_encode(iname->name, iname->len, oname->name); return 0; } + + /* + * Long name. We can't simply base64-encode the full ciphertext, since + * the resulting length may exceed NAME_MAX. Instead, base64-encode a + * filesystem-provided cookie ('hash' and 'minor_hash') followed by the + * last two ciphertext blocks. It's assumed this is sufficient to + * identify the directory entry on ->lookup(). It's not actually + * guaranteed, but with CBC or CBC-CTS mode encryption, it's good enough + * since the unused blocks will affect the used ones. + */ + if (hash) { memcpy(buf, &hash, 4); memcpy(buf + 4, &minor_hash, 4); } else { memset(buf, 0, 8); } - memcpy(buf + 8, iname->name + iname->len - 16, 16); + memcpy(buf + 8, iname->name + iname->len - FS_FNAME_CRYPTO_DIGEST_SIZE, + FS_FNAME_CRYPTO_DIGEST_SIZE); oname->name[0] = '_'; - oname->len = 1 + digest_encode(buf, 24, oname->name + 1); + oname->len = 1 + base64_encode(buf, sizeof(buf), oname->name + 1); return 0; } EXPORT_SYMBOL(fscrypt_fname_disk_to_usr); @@ -373,17 +392,21 @@ int fscrypt_setup_filename(struct inode *dir, const struct qstr *iname, * We don't have the key and we are doing a lookup; decode the * user-supplied name */ - if (iname->name[0] == '_') + if (iname->name[0] == '_') { bigname = 1; - if ((bigname && (iname->len != 33)) || (!bigname && (iname->len > 43))) + if (iname->len != + BASE64_CHARS(1 + 8 + FS_FNAME_CRYPTO_DIGEST_SIZE)) + return -ENOENT; + } else if (iname->len > BASE64_CHARS(FS_FNAME_CRYPTO_DIGEST_SIZE)) return -ENOENT; - fname->crypto_buf.name = kmalloc(32, GFP_KERNEL); + fname->crypto_buf.name = kmalloc(8 + FS_FNAME_CRYPTO_DIGEST_SIZE, + GFP_KERNEL); if (fname->crypto_buf.name == NULL) return -ENOMEM; - ret = digest_decode(iname->name + bigname, iname->len - bigname, - fname->crypto_buf.name); + ret = base64_decode(iname->name + bigname, iname->len - bigname, + fname->crypto_buf.name); if (ret < 0) { ret = -ENOENT; goto errout; diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h index e39696e64494..f1f15b84e02f 100644 --- a/fs/crypto/fscrypt_private.h +++ b/fs/crypto/fscrypt_private.h @@ -13,8 +13,6 @@ #include -#define FS_FNAME_CRYPTO_DIGEST_SIZE 32 - /* Encryption parameters */ #define FS_XTS_TWEAK_SIZE 16 #define FS_AES_128_ECB_KEY_SIZE 16 diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index 07e5e1405771..d1618835de12 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -1237,37 +1237,23 @@ static void dx_insert_block(struct dx_frame *frame, u32 hash, ext4_lblk_t block) } /* - * NOTE! unlike strncmp, ext4_match returns 1 for success, 0 for failure. + * Determine whether the filename being looked up matches the given dir_entry. * - * `len <= EXT4_NAME_LEN' is guaranteed by caller. - * `de != NULL' is guaranteed by caller. + * Return: true if the entry matches, otherwise false. */ -static inline int ext4_match(struct ext4_filename *fname, - struct ext4_dir_entry_2 *de) +static inline bool ext4_match(const struct ext4_filename *fname, + const struct ext4_dir_entry_2 *de) { - const void *name = fname_name(fname); - u32 len = fname_len(fname); + const struct fscrypt_str *crypto_buf = NULL; if (!de->inode) return 0; #ifdef CONFIG_EXT4_FS_ENCRYPTION - if (unlikely(!name)) { - if (fname->usr_fname->name[0] == '_') { - int ret; - if (de->name_len < 16) - return 0; - ret = memcmp(de->name + de->name_len - 16, - fname->crypto_buf.name + 8, 16); - return (ret == 0) ? 1 : 0; - } - name = fname->crypto_buf.name; - len = fname->crypto_buf.len; - } + crypto_buf = &fname->crypto_buf; #endif - if (de->name_len != len) - return 0; - return (memcmp(de->name, name, len) == 0) ? 1 : 0; + return fscrypt_match_dirent(fname->usr_fname, &fname->disk_name, + crypto_buf, de->name, de->name_len); } /* @@ -1289,12 +1275,7 @@ int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size, /* this code is executed quadratically often */ /* do minimal checking `by hand' */ if ((char *) de + de->name_len <= dlimit) { - res = ext4_match(fname, de); - if (res < 0) { - res = -1; - goto return_result; - } - if (res > 0) { + if (ext4_match(fname, de)) { /* found a match - just to be sure, do * a full check */ if (ext4_check_dir_entry(dir, NULL, de, bh, @@ -1843,11 +1824,7 @@ int ext4_find_dest_de(struct inode *dir, struct inode *inode, res = -EFSCORRUPTED; goto return_result; } - /* Provide crypto context and crypto buffer to ext4 match */ - res = ext4_match(fname, de); - if (res < 0) - goto return_result; - if (res > 0) { + if (ext4_match(fname, de)) { res = -EEXIST; goto return_result; } diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c index 8d5c62b07b28..07b80d78a9f6 100644 --- a/fs/f2fs/dir.c +++ b/fs/f2fs/dir.c @@ -111,8 +111,6 @@ struct f2fs_dir_entry *find_target_dentry(struct fscrypt_name *fname, struct f2fs_dir_entry *de; unsigned long bit_pos = 0; int max_len = 0; - struct fscrypt_str de_name = FSTR_INIT(NULL, 0); - struct fscrypt_str *name = &fname->disk_name; if (max_slots) *max_slots = 0; @@ -130,17 +128,10 @@ struct f2fs_dir_entry *find_target_dentry(struct fscrypt_name *fname, continue; } - /* encrypted case */ - de_name.name = d->filename[bit_pos]; - de_name.len = le16_to_cpu(de->name_len); - - /* show encrypted name */ - if (fname->hash) { - if (de->hash_code == cpu_to_le32(fname->hash)) - goto found; - } else if (de_name.len == name->len && - de->hash_code == namehash && - !memcmp(de_name.name, name->name, name->len)) + if ((fname->hash == 0 || + fname->hash == le32_to_cpu(de->hash_code)) && + fscrypt_name_matches(fname, d->filename[bit_pos], + le16_to_cpu(de->name_len))) goto found; if (max_slots && max_len > *max_slots) diff --git a/include/linux/fscrypt_notsupp.h b/include/linux/fscrypt_notsupp.h index 3511ca798804..4034976bea93 100644 --- a/include/linux/fscrypt_notsupp.h +++ b/include/linux/fscrypt_notsupp.h @@ -147,6 +147,24 @@ static inline int fscrypt_fname_usr_to_disk(struct inode *inode, return -EOPNOTSUPP; } +static inline bool fscrypt_match_dirent(const struct qstr *usr_fname, + const struct fscrypt_str *disk_name, + const struct fscrypt_str *crypto_buf, + const char *de_name, u32 de_name_len) +{ + /* Encryption support disabled; use standard comparison. */ + if (de_name_len != disk_name->len) + return false; + return !memcmp(de_name, disk_name->name, disk_name->len); +} + +static inline bool fscrypt_name_matches(const struct fscrypt_name *fname, + const char *de_name, u32 de_name_len) +{ + return fscrypt_match_dirent(fname->usr_fname, &fname->disk_name, + &fname->crypto_buf, de_name, de_name_len); +} + /* bio.c */ static inline void fscrypt_decrypt_bio_pages(struct fscrypt_ctx *ctx, struct bio *bio) diff --git a/include/linux/fscrypt_supp.h b/include/linux/fscrypt_supp.h index a140f47e9b27..e3c9aa7209a1 100644 --- a/include/linux/fscrypt_supp.h +++ b/include/linux/fscrypt_supp.h @@ -57,6 +57,63 @@ extern int fscrypt_fname_disk_to_usr(struct inode *, u32, u32, extern int fscrypt_fname_usr_to_disk(struct inode *, const struct qstr *, struct fscrypt_str *); +/* + * Number of bytes of ciphertext from the end of the filename which the + * filesystem includes when encoding long encrypted filenames for presentation + * to userspace without the key. + */ +#define FS_FNAME_CRYPTO_DIGEST_SIZE (2 * FS_CRYPTO_BLOCK_SIZE) + +/** + * fscrypt_match_dirent() - does the directory entry match the name being looked up? + * + * This is like fscrypt_name_matches(), but for filesystems which don't use the + * fscrypt_name structure. (We probably should make all filesystems do the same + * thing...) + */ +static inline bool fscrypt_match_dirent(const struct qstr *usr_fname, + const struct fscrypt_str *disk_name, + const struct fscrypt_str *crypto_buf, + const char *de_name, u32 de_name_len) +{ + if (unlikely(!disk_name->name)) { + if (WARN_ON_ONCE(usr_fname->name[0] != '_')) + return false; + if (de_name_len < FS_FNAME_CRYPTO_DIGEST_SIZE) + return false; + return !memcmp(de_name + de_name_len - FS_FNAME_CRYPTO_DIGEST_SIZE, + crypto_buf->name + 8, + FS_FNAME_CRYPTO_DIGEST_SIZE); + } + + if (de_name_len != disk_name->len) + return false; + return !memcmp(de_name, disk_name->name, disk_name->len); +} + +/** + * fscrypt_name_matches() - does the directory entry match the name being looked up? + * @fname: the name being looked up + * @de_name: the name from the directory entry + * @de_name_len: the length of @de_name in bytes + * + * Normally @fname->disk_name will be set, and in that case we simply compare + * that to the directory entry. The only exception is that if we don't have the + * key for an encrypted directory and a filename in it is very long, then the + * filename presented to userspace will only have the last + * FS_FNAME_CRYPTO_DIGEST_SIZE bytes of ciphertext encoded in it, so we can only + * compare that portion. Note that despite this limit, due to the use of + * CBC-CTS encryption there should not be any collisions. + * + * Return: true if the name matches, otherwise false. + */ +static inline bool fscrypt_name_matches(const struct fscrypt_name *fname, + const char *de_name, u32 de_name_len) +{ + return fscrypt_match_dirent(fname->usr_fname, &fname->disk_name, + &fname->crypto_buf, de_name, de_name_len); +} + /* bio.c */ extern void fscrypt_decrypt_bio_pages(struct fscrypt_ctx *, struct bio *); extern void fscrypt_pullback_bio_page(struct page **, bool);