mirror of
https://github.com/torvalds/linux.git
synced 2024-11-17 09:31:50 +00:00
471fbbea7f
This adds support for encryption with casefolding. Since the name on disk is case preserving, and also encrypted, we can no longer just recompute the hash on the fly. Additionally, to avoid leaking extra information from the hash of the unencrypted name, we use siphash via an fscrypt v2 policy. The hash is stored at the end of the directory entry for all entries inside of an encrypted and casefolded directory apart from those that deal with '.' and '..'. This way, the change is backwards compatible with existing ext4 filesystems. [ Changed to advertise this feature via the file: /sys/fs/ext4/features/encrypted_casefold -- TYT ] Signed-off-by: Daniel Rosenberg <drosen@google.com> Reviewed-by: Andreas Dilger <adilger@dilger.ca> Link: https://lore.kernel.org/r/20210319073414.1381041-2-drosen@google.com Signed-off-by: Theodore Ts'o <tytso@mit.edu>
320 lines
7.3 KiB
C
320 lines
7.3 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* linux/fs/ext4/hash.c
|
|
*
|
|
* Copyright (C) 2002 by Theodore Ts'o
|
|
*/
|
|
|
|
#include <linux/fs.h>
|
|
#include <linux/unicode.h>
|
|
#include <linux/compiler.h>
|
|
#include <linux/bitops.h>
|
|
#include "ext4.h"
|
|
|
|
#define DELTA 0x9E3779B9
|
|
|
|
static void TEA_transform(__u32 buf[4], __u32 const in[])
|
|
{
|
|
__u32 sum = 0;
|
|
__u32 b0 = buf[0], b1 = buf[1];
|
|
__u32 a = in[0], b = in[1], c = in[2], d = in[3];
|
|
int n = 16;
|
|
|
|
do {
|
|
sum += DELTA;
|
|
b0 += ((b1 << 4)+a) ^ (b1+sum) ^ ((b1 >> 5)+b);
|
|
b1 += ((b0 << 4)+c) ^ (b0+sum) ^ ((b0 >> 5)+d);
|
|
} while (--n);
|
|
|
|
buf[0] += b0;
|
|
buf[1] += b1;
|
|
}
|
|
|
|
/* F, G and H are basic MD4 functions: selection, majority, parity */
|
|
#define F(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
|
|
#define G(x, y, z) (((x) & (y)) + (((x) ^ (y)) & (z)))
|
|
#define H(x, y, z) ((x) ^ (y) ^ (z))
|
|
|
|
/*
|
|
* The generic round function. The application is so specific that
|
|
* we don't bother protecting all the arguments with parens, as is generally
|
|
* good macro practice, in favor of extra legibility.
|
|
* Rotation is separate from addition to prevent recomputation
|
|
*/
|
|
#define ROUND(f, a, b, c, d, x, s) \
|
|
(a += f(b, c, d) + x, a = rol32(a, s))
|
|
#define K1 0
|
|
#define K2 013240474631UL
|
|
#define K3 015666365641UL
|
|
|
|
/*
|
|
* Basic cut-down MD4 transform. Returns only 32 bits of result.
|
|
*/
|
|
static __u32 half_md4_transform(__u32 buf[4], __u32 const in[8])
|
|
{
|
|
__u32 a = buf[0], b = buf[1], c = buf[2], d = buf[3];
|
|
|
|
/* Round 1 */
|
|
ROUND(F, a, b, c, d, in[0] + K1, 3);
|
|
ROUND(F, d, a, b, c, in[1] + K1, 7);
|
|
ROUND(F, c, d, a, b, in[2] + K1, 11);
|
|
ROUND(F, b, c, d, a, in[3] + K1, 19);
|
|
ROUND(F, a, b, c, d, in[4] + K1, 3);
|
|
ROUND(F, d, a, b, c, in[5] + K1, 7);
|
|
ROUND(F, c, d, a, b, in[6] + K1, 11);
|
|
ROUND(F, b, c, d, a, in[7] + K1, 19);
|
|
|
|
/* Round 2 */
|
|
ROUND(G, a, b, c, d, in[1] + K2, 3);
|
|
ROUND(G, d, a, b, c, in[3] + K2, 5);
|
|
ROUND(G, c, d, a, b, in[5] + K2, 9);
|
|
ROUND(G, b, c, d, a, in[7] + K2, 13);
|
|
ROUND(G, a, b, c, d, in[0] + K2, 3);
|
|
ROUND(G, d, a, b, c, in[2] + K2, 5);
|
|
ROUND(G, c, d, a, b, in[4] + K2, 9);
|
|
ROUND(G, b, c, d, a, in[6] + K2, 13);
|
|
|
|
/* Round 3 */
|
|
ROUND(H, a, b, c, d, in[3] + K3, 3);
|
|
ROUND(H, d, a, b, c, in[7] + K3, 9);
|
|
ROUND(H, c, d, a, b, in[2] + K3, 11);
|
|
ROUND(H, b, c, d, a, in[6] + K3, 15);
|
|
ROUND(H, a, b, c, d, in[1] + K3, 3);
|
|
ROUND(H, d, a, b, c, in[5] + K3, 9);
|
|
ROUND(H, c, d, a, b, in[0] + K3, 11);
|
|
ROUND(H, b, c, d, a, in[4] + K3, 15);
|
|
|
|
buf[0] += a;
|
|
buf[1] += b;
|
|
buf[2] += c;
|
|
buf[3] += d;
|
|
|
|
return buf[1]; /* "most hashed" word */
|
|
}
|
|
#undef ROUND
|
|
#undef K1
|
|
#undef K2
|
|
#undef K3
|
|
#undef F
|
|
#undef G
|
|
#undef H
|
|
|
|
/* The old legacy hash */
|
|
static __u32 dx_hack_hash_unsigned(const char *name, int len)
|
|
{
|
|
__u32 hash, hash0 = 0x12a3fe2d, hash1 = 0x37abe8f9;
|
|
const unsigned char *ucp = (const unsigned char *) name;
|
|
|
|
while (len--) {
|
|
hash = hash1 + (hash0 ^ (((int) *ucp++) * 7152373));
|
|
|
|
if (hash & 0x80000000)
|
|
hash -= 0x7fffffff;
|
|
hash1 = hash0;
|
|
hash0 = hash;
|
|
}
|
|
return hash0 << 1;
|
|
}
|
|
|
|
static __u32 dx_hack_hash_signed(const char *name, int len)
|
|
{
|
|
__u32 hash, hash0 = 0x12a3fe2d, hash1 = 0x37abe8f9;
|
|
const signed char *scp = (const signed char *) name;
|
|
|
|
while (len--) {
|
|
hash = hash1 + (hash0 ^ (((int) *scp++) * 7152373));
|
|
|
|
if (hash & 0x80000000)
|
|
hash -= 0x7fffffff;
|
|
hash1 = hash0;
|
|
hash0 = hash;
|
|
}
|
|
return hash0 << 1;
|
|
}
|
|
|
|
static void str2hashbuf_signed(const char *msg, int len, __u32 *buf, int num)
|
|
{
|
|
__u32 pad, val;
|
|
int i;
|
|
const signed char *scp = (const signed char *) msg;
|
|
|
|
pad = (__u32)len | ((__u32)len << 8);
|
|
pad |= pad << 16;
|
|
|
|
val = pad;
|
|
if (len > num*4)
|
|
len = num * 4;
|
|
for (i = 0; i < len; i++) {
|
|
val = ((int) scp[i]) + (val << 8);
|
|
if ((i % 4) == 3) {
|
|
*buf++ = val;
|
|
val = pad;
|
|
num--;
|
|
}
|
|
}
|
|
if (--num >= 0)
|
|
*buf++ = val;
|
|
while (--num >= 0)
|
|
*buf++ = pad;
|
|
}
|
|
|
|
static void str2hashbuf_unsigned(const char *msg, int len, __u32 *buf, int num)
|
|
{
|
|
__u32 pad, val;
|
|
int i;
|
|
const unsigned char *ucp = (const unsigned char *) msg;
|
|
|
|
pad = (__u32)len | ((__u32)len << 8);
|
|
pad |= pad << 16;
|
|
|
|
val = pad;
|
|
if (len > num*4)
|
|
len = num * 4;
|
|
for (i = 0; i < len; i++) {
|
|
val = ((int) ucp[i]) + (val << 8);
|
|
if ((i % 4) == 3) {
|
|
*buf++ = val;
|
|
val = pad;
|
|
num--;
|
|
}
|
|
}
|
|
if (--num >= 0)
|
|
*buf++ = val;
|
|
while (--num >= 0)
|
|
*buf++ = pad;
|
|
}
|
|
|
|
/*
|
|
* Returns the hash of a filename. If len is 0 and name is NULL, then
|
|
* this function can be used to test whether or not a hash version is
|
|
* supported.
|
|
*
|
|
* The seed is an 4 longword (32 bits) "secret" which can be used to
|
|
* uniquify a hash. If the seed is all zero's, then some default seed
|
|
* may be used.
|
|
*
|
|
* A particular hash version specifies whether or not the seed is
|
|
* represented, and whether or not the returned hash is 32 bits or 64
|
|
* bits. 32 bit hashes will return 0 for the minor hash.
|
|
*/
|
|
static int __ext4fs_dirhash(const struct inode *dir, const char *name, int len,
|
|
struct dx_hash_info *hinfo)
|
|
{
|
|
__u32 hash;
|
|
__u32 minor_hash = 0;
|
|
const char *p;
|
|
int i;
|
|
__u32 in[8], buf[4];
|
|
void (*str2hashbuf)(const char *, int, __u32 *, int) =
|
|
str2hashbuf_signed;
|
|
|
|
/* Initialize the default seed for the hash checksum functions */
|
|
buf[0] = 0x67452301;
|
|
buf[1] = 0xefcdab89;
|
|
buf[2] = 0x98badcfe;
|
|
buf[3] = 0x10325476;
|
|
|
|
/* Check to see if the seed is all zero's */
|
|
if (hinfo->seed) {
|
|
for (i = 0; i < 4; i++) {
|
|
if (hinfo->seed[i]) {
|
|
memcpy(buf, hinfo->seed, sizeof(buf));
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
switch (hinfo->hash_version) {
|
|
case DX_HASH_LEGACY_UNSIGNED:
|
|
hash = dx_hack_hash_unsigned(name, len);
|
|
break;
|
|
case DX_HASH_LEGACY:
|
|
hash = dx_hack_hash_signed(name, len);
|
|
break;
|
|
case DX_HASH_HALF_MD4_UNSIGNED:
|
|
str2hashbuf = str2hashbuf_unsigned;
|
|
fallthrough;
|
|
case DX_HASH_HALF_MD4:
|
|
p = name;
|
|
while (len > 0) {
|
|
(*str2hashbuf)(p, len, in, 8);
|
|
half_md4_transform(buf, in);
|
|
len -= 32;
|
|
p += 32;
|
|
}
|
|
minor_hash = buf[2];
|
|
hash = buf[1];
|
|
break;
|
|
case DX_HASH_TEA_UNSIGNED:
|
|
str2hashbuf = str2hashbuf_unsigned;
|
|
fallthrough;
|
|
case DX_HASH_TEA:
|
|
p = name;
|
|
while (len > 0) {
|
|
(*str2hashbuf)(p, len, in, 4);
|
|
TEA_transform(buf, in);
|
|
len -= 16;
|
|
p += 16;
|
|
}
|
|
hash = buf[0];
|
|
minor_hash = buf[1];
|
|
break;
|
|
case DX_HASH_SIPHASH:
|
|
{
|
|
struct qstr qname = QSTR_INIT(name, len);
|
|
__u64 combined_hash;
|
|
|
|
if (fscrypt_has_encryption_key(dir)) {
|
|
combined_hash = fscrypt_fname_siphash(dir, &qname);
|
|
} else {
|
|
ext4_warning_inode(dir, "Siphash requires key");
|
|
return -1;
|
|
}
|
|
|
|
hash = (__u32)(combined_hash >> 32);
|
|
minor_hash = (__u32)combined_hash;
|
|
break;
|
|
}
|
|
default:
|
|
hinfo->hash = 0;
|
|
return -1;
|
|
}
|
|
hash = hash & ~1;
|
|
if (hash == (EXT4_HTREE_EOF_32BIT << 1))
|
|
hash = (EXT4_HTREE_EOF_32BIT - 1) << 1;
|
|
hinfo->hash = hash;
|
|
hinfo->minor_hash = minor_hash;
|
|
return 0;
|
|
}
|
|
|
|
int ext4fs_dirhash(const struct inode *dir, const char *name, int len,
|
|
struct dx_hash_info *hinfo)
|
|
{
|
|
#ifdef CONFIG_UNICODE
|
|
const struct unicode_map *um = dir->i_sb->s_encoding;
|
|
int r, dlen;
|
|
unsigned char *buff;
|
|
struct qstr qstr = {.name = name, .len = len };
|
|
|
|
if (len && IS_CASEFOLDED(dir) && um &&
|
|
(!IS_ENCRYPTED(dir) || fscrypt_has_encryption_key(dir))) {
|
|
buff = kzalloc(sizeof(char) * PATH_MAX, GFP_KERNEL);
|
|
if (!buff)
|
|
return -ENOMEM;
|
|
|
|
dlen = utf8_casefold(um, &qstr, buff, PATH_MAX);
|
|
if (dlen < 0) {
|
|
kfree(buff);
|
|
goto opaque_seq;
|
|
}
|
|
|
|
r = __ext4fs_dirhash(dir, buff, dlen, hinfo);
|
|
|
|
kfree(buff);
|
|
return r;
|
|
}
|
|
opaque_seq:
|
|
#endif
|
|
return __ext4fs_dirhash(dir, name, len, hinfo);
|
|
}
|