diff options
| author | Jakob Unterwurzacher | 2021-06-02 14:21:30 +0200 |
|---|---|---|
| committer | Jakob Unterwurzacher | 2021-06-02 14:29:48 +0200 |
| commit | 04858ddd222bbf7156f33f99cfb293a9b1e15ec8 (patch) | |
| tree | 732cbf83c9d842a911d515abbad7c153c4159354 /internal/nametransform/names.go | |
| parent | 242cdf966f262b2e20785eb0ff49ac55a8bd4636 (diff) | |
nametransform: check name validity on encryption
xfstests generic/523 discovered that we allowed to set
xattrs with "/" in the name, but did not allow to read
them later.
With this change we do not allow to set them in the first
place.
Diffstat (limited to 'internal/nametransform/names.go')
| -rw-r--r-- | internal/nametransform/names.go | 27 |
1 files changed, 11 insertions, 16 deletions
diff --git a/internal/nametransform/names.go b/internal/nametransform/names.go index 119d592..ca28230 100644 --- a/internal/nametransform/names.go +++ b/internal/nametransform/names.go @@ -2,7 +2,6 @@ package nametransform import ( - "bytes" "crypto/aes" "encoding/base64" "path/filepath" @@ -21,7 +20,7 @@ const ( // NameTransformer is an interface used to transform filenames. type NameTransformer interface { DecryptName(cipherName string, iv []byte) (string, error) - EncryptName(plainName string, iv []byte) string + EncryptName(plainName string, iv []byte) (string, error) EncryptAndHashName(name string, iv []byte) (string, error) // HashLongName - take the hash of a long string "name" and return // "gocryptfs.longname.[sha256]" @@ -99,22 +98,14 @@ func (n *NameTransform) decryptName(cipherName string, iv []byte) (string, error bin = n.emeCipher.Decrypt(iv, bin) bin, err = unPad16(bin) if err != nil { - tlog.Debug.Printf("DecryptName: unPad16 error detail: %v", err) - // unPad16 returns detailed errors including the position of the - // incorrect bytes. Kill the padding oracle by lumping everything into - // a generic error. + tlog.Warn.Printf("DecryptName %q: unPad16 error: %v", cipherName, err) return "", syscall.EBADMSG } - // A name can never contain a null byte or "/". Make sure we never return those - // to the kernel, even when we read a corrupted (or fuzzed) filesystem. - if bytes.Contains(bin, []byte{0}) || bytes.Contains(bin, []byte("/")) { - return "", syscall.EBADMSG - } - // The name should never be "." or "..". - if bytes.Equal(bin, []byte(".")) || bytes.Equal(bin, []byte("..")) { + plain := string(bin) + if err := IsValidName(plain); err != nil { + tlog.Warn.Printf("DecryptName %q: invalid name after decryption: %v", cipherName, err) return "", syscall.EBADMSG } - plain := string(bin) return plain, err } @@ -123,12 +114,16 @@ func (n *NameTransform) decryptName(cipherName string, iv []byte) (string, error // // This function is exported because in some cases, fusefrontend needs access // to the full (not hashed) name if longname is used. -func (n *NameTransform) EncryptName(plainName string, iv []byte) (cipherName64 string) { +func (n *NameTransform) EncryptName(plainName string, iv []byte) (cipherName64 string, err error) { + if err := IsValidName(plainName); err != nil { + tlog.Warn.Printf("EncryptName %q: invalid plainName: %v", plainName, err) + return "", syscall.EBADMSG + } bin := []byte(plainName) bin = pad16(bin) bin = n.emeCipher.Encrypt(iv, bin) cipherName64 = n.B64.EncodeToString(bin) - return cipherName64 + return cipherName64, nil } // B64EncodeToString returns a Base64-encoded string |