summaryrefslogtreecommitdiff
path: root/internal/fusefrontend_reverse
AgeCommit message (Collapse)Author
2018-09-08syscallcompat: untangle OpenNofollow and rename to OpenDirNofollowJakob Unterwurzacher
The function used to do two things: 1) Walk the directory tree in a manner safe from symlink attacks 2) Open the final component in the mode requested by the caller This change drops (2), which was only used once, and lets the caller handle it. This simplifies the function and makes it fit for reuse in forward mode in openBackingPath(), and for using O_PATH on Linux.
2018-08-15fusefrontend_reverse: reject excludes for the root directory ""Jakob Unterwurzacher
This is most likely a mistake by the user. Reject it.
2018-08-11reverse mode: add --exclude optionJakob Unterwurzacher
https://github.com/rfjakob/gocryptfs/issues/235
2018-06-08darwin does not have PATH_MAXJakob Unterwurzacher
Define our own, with the value from Linux.
2018-02-18fusefrontend[_reverse]: move crypto init up to callerJakob Unterwurzacher
Both fusefrontend and fusefrontend_reverse were doing essentially the same thing, move it into main's initFuseFrontend. A side-effect is that we have a reference to cryptocore in main, which will help with wiping the keys on exit (https://github.com/rfjakob/gocryptfs/issues/211).
2018-02-01gccgo: replace syscall.NAME_MAX with unix.NAME_MAXJakob Unterwurzacher
For some reason the syscall.NAME_MAX constant does not exist on gccgo, and it does not hurt us to use unix.NAME_MAX instead. https://github.com/rfjakob/gocryptfs/issues/201
2018-01-17fusefrontend_reverse: use OpenNofollow in virtualFile.GetAttrJakob Unterwurzacher
Makes it robust against symlink races. Final piece, closes https://github.com/rfjakob/gocryptfs/issues/165
2018-01-17fusefrontend_reverse: use OpenNofollow in findLongnameParentJakob Unterwurzacher
Protects findLongnameParent against symlink races. Also add comments to several functions along the way. Reported at https://github.com/rfjakob/gocryptfs/issues/165
2018-01-16Run go fmtJakob Unterwurzacher
2017-12-11fusefrontend_reverse: Use O_DIRECTORY in OpenDir implementationSebastian Lackner
Also get rid of the defer - it is not really necessary here.
2017-12-11fusefrontend_reverse: Reject access to device nodes in newFile functionSebastian Lackner
Steps to reproduce: * Create a regular reverse mount point * Create a file "test" in the original directory * Access the corresponding encrypted directory in the mount point (ls <encrypted dir>) * Quickly delete the file in the original data - instead create a device node * Access the file again, it will access the device node and attempt to read from it Fixes https://github.com/rfjakob/gocryptfs/issues/187
2017-12-07fusefrontend_reverse: Use openBackingDir in GetAttrSebastian Lackner
Also fixes 48bd59f38843e5ebd4e4c9f666f1aea1c9990803 - the directory FD should also be closed in case of an error.
2017-12-07fusefrontend_reverse: Use openBackingDir in ReadlinkSebastian Lackner
2017-12-07fusefrontend_reverse: fix fd leak in GetAttrJakob Unterwurzacher
Fixes https://github.com/rfjakob/gocryptfs/issues/184
2017-12-07fusefrontend_reverse: secure Access against symlink races (somewhat)Jakob Unterwurzacher
Unfortunately, faccessat in Linux ignores AT_SYMLINK_NOFOLLOW, so this is not completely atomic. Given that the information you get from access is not very interesting, it seems good enough. https://github.com/rfjakob/gocryptfs/issues/165
2017-12-06fusefrontend_reverse: secure Readlink against symlink racesJakob Unterwurzacher
...by using Readlinkat. Tracking ticket: https://github.com/rfjakob/gocryptfs/issues/165
2017-12-06fusefrontend_reverse: secure GetAttr against symlink racesJakob Unterwurzacher
...by using the OpenNofollow helper & Fstatat. Also introduce a helper to convert from unix.Stat_t to syscall.Stat_t. Tracking ticket: https://github.com/rfjakob/gocryptfs/issues/165
2017-12-05fusefrontend_reverse: secure OpenDir against symlink racesJakob Unterwurzacher
...by using the new OpenNofollow helper. The benchmark shows a small but acceptable performance loss: $ ./benchmark-reverse.bash LS: 2.182 CAT: 18.221 Tracking ticket: https://github.com/rfjakob/gocryptfs/issues/165
2017-12-02fusefrontend_reverse: secure StatFs agains symlink racesJakob Unterwurzacher
...by ignoring the path that was passed in. https://github.com/rfjakob/gocryptfs/issues/165
2017-12-02fusefrontend_reverse: secure Open against symlink racesJakob Unterwurzacher
...using the new syscallcompat.OpenNofollow helper. This change secures Open() against symlink race attacks as described in https://github.com/rfjakob/gocryptfs/issues/165
2017-11-26reverse: reject too-long symlink target reads with ENAMETOOLONGJakob Unterwurzacher
If the symlink target gets too long due to base64 encoding, we should return ENAMETOOLONG instead of having the kernel reject the data and returning an I/O error to the user. Fixes https://github.com/rfjakob/gocryptfs/issues/167
2017-11-25fusefrontend_reverse: Do not mix up cache information for different directoriesSebastian Lackner
Fixes https://github.com/rfjakob/gocryptfs/issues/168 Steps to reproduce the problem: * Create a regular reverse mount point * Create files with the same very long name in multiple directories - so far everything works as expected, and it will appear with a different name each time, for example, gocryptfs.longname.A in directory A and gocryptfs.longname.B in directory B * Try to access a path with A/gocryptfs.longname.B or B/gocryptfs.longname.A - this should fail, but it actually works. The problem is that the longname cache only uses the path as key and not the dir or divIV. Assume an attacker can directly interact with a reverse mount and knows the relation longname path -> unencoded path in one directory, it allows to test if the same unencoded filename appears in any other directory.
2017-11-22fusefrontend_reverse: Add a missing Close() callSebastian Lackner
2017-10-01fusefrontend_reverse: fix 176-byte namesJakob Unterwurzacher
A file with a name of exactly 176 bytes length caused this error: ls: cannot access ./tmp/dsg/sXSGJLTuZuW1FarwIkJs0w/b6mGjdxIRpaeanTo0rbh0A/QjMRrQZC_4WLhmHI1UOBcA/gocryptfs.longname.QV-UipdDXeUVdl05WruoEzBNPrQCfpu6OzJL0_QnDKY: No such file or directory ls: cannot access ./tmp/dsg/sXSGJLTuZuW1FarwIkJs0w/b6mGjdxIRpaeanTo0rbh0A/QjMRrQZC_4WLhmHI1UOBcA/gocryptfs.longname.QV-UipdDXeUVdl05WruoEzBNPrQCfpu6OzJL0_QnDKY.name: No such file or directory -????????? ? ? ? ? ? gocryptfs.longname.QV-UipdDXeUVdl05WruoEzBNPrQCfpu6OzJL0_QnDKY -????????? ? ? ? ? ? gocryptfs.longname.QV-UipdDXeUVdl05WruoEzBNPrQCfpu6OzJL0_QnDKY.name Root cause was a wrong shortNameMax constant that failed to account for the obligatory padding byte. Fix the constant and also expand the TestLongnameStat test case to test ALL file name lengths from 1-255 bytes. Fixes https://github.com/rfjakob/gocryptfs/issues/143 .
2017-08-11main: purge masterkey from memory as soon as possibleJakob Unterwurzacher
Remove the "Masterkey" field from fusefrontend.Args because it should not be stored longer than neccessary. Instead pass the masterkey as a separate argument to the filesystem initializers. Then overwrite it with zeros immediately so we don't have to wait for garbage collection. Note that the crypto implementation still stores at least a masterkey-derived value, so this change makes it harder, but not impossible, to extract the encryption keys from memory. Suggested at https://github.com/rfjakob/gocryptfs/issues/137
2017-08-06nametransform: add Dir() functionJakob Unterwurzacher
Dir is like filepath.Dir but returns "" instead of ".". This was already implemented in fusefrontend_reverse as saneDir(). We will need it in nametransform for the improved diriv caching.
2017-07-29fusefronted_reverse: fix ino collision between .name and .diriv filesJakob Unterwurzacher
A directory with a long name has two associated virtual files: the .name file and the .diriv files. These used to get the same inode number: $ ls -di1 * */* 33313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw 1000000000033313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw/gocryptfs.diriv 1000000000033313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw.name With this change we use another prefix (2 instead of 1) for .name files. $ ls -di1 * */* 33313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw 1000000000033313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw/gocryptfs.diriv 2000000000033313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw.name
2017-07-27fusefrontend_reverse: return ENOENT for undecryptable namesJakob Unterwurzacher
This was working until DecryptName switched to returning EBADMSG instead of EINVAL. Add a test to catch the regression next time.
2017-06-01Implement force_owner option to display ownership as a specific user.Charles Duffy
2017-05-30pathiv: move block IV algorithm into this packageJakob Unterwurzacher
This was implemented in fusefrontend_reverse, but we need it in fusefrontend as well. Move the algorithm into pathiv.BlockIV().
2017-05-30pathiv: move derivedIVContainer into the packageJakob Unterwurzacher
...under the new name "FileIVs". This will also be used by forward mode.
2017-05-30fusefrontend_reverse: move pathiv to its own packageJakob Unterwurzacher
We will also need it in forward mode.
2017-05-25fusefrontend_reverse: store derived values for hard-linked filesJakob Unterwurzacher
With hard links, the path to a file is not unique. This means that the ciphertext data depends on the path that is used to access the files. Fix that by storing the derived values when we encounter a hard-linked file. This means that the first path wins.
2017-04-29fix golint complaintsJakob Unterwurzacher
2017-04-23Add -forcedecodedanim7
Force decode of encrypted files even if the integrity check fails, instead of failing with an IO error. Warning messages are still printed to syslog if corrupted files are encountered. It can be useful to recover files from disks with bad sectors or other corrupted media. Closes https://github.com/rfjakob/gocryptfs/pull/102 .
2017-04-01fusefrontend_reverse: switch to stable inode numbersJakob Unterwurzacher
The volatile inode numbers that we used before cause "find" to complain and error out. Virtual inode numbers are derived from their parent file inode number by adding 10^19, which is hopefully large enough no never cause problems in practice. If the backing directory contains inode numbers higher than that, stat() on these files will return EOVERFLOW. Example directory lising after this change: $ ls -i 926473 gocryptfs.conf 1000000000000926466 gocryptfs.diriv 944878 gocryptfs.longname.hmZojMqC6ns47eyVxLlH2ailKjN9bxfosi3C-FR8mjA 1000000000000944878 gocryptfs.longname.hmZojMqC6ns47eyVxLlH2ailKjN9bxfosi3C-FR8mjA.name 934408 Tdfbf02CKsTaGVYnAsSypA
2017-04-01fusefrontend_reverse: drop unused dirIVAttr functionJakob Unterwurzacher
This has long been replaced by virtualFile.GetAttr().
2017-04-01fusefrontend_reverse: convert fmt.Printf calls to tlogJakob Unterwurzacher
The fmt.Printfs output would end up in the paniclog.
2017-04-01fusefrontend_reverse: add comment to newVirtualFileJakob Unterwurzacher
...and improve and comment variable naming in findLongnameParent. No semantic changes.
2017-03-28fusefrontend_reverse: consistent file owners for .diriv, .name filesdanim7
This PR addresses the Issue #95, about "Confusing file owner for longname files in reverse mode". It affects only the reverse mode, and introduces two modifications: 1) The "gocryptfs.longname.XXXX.name" files are assigned the owner and group of the underlying plaintext file. Therefore it is consistent with the file "gocryptfs.longname.XXXX" that has the encrypted contents of the plaintext file. 2) The two virtual files mentioned above are given -r--r--r-- permissions. This is consistent with the behavior described in function Access in internal/fusefrontend_reverse/rfs.go where all virtual files are always readable. Behavior also observed in point c) in #95 . Issue #95 URL: https://github.com/rfjakob/gocryptfs/issues/95 Pull request URL: https://github.com/rfjakob/gocryptfs/pull/97
2017-03-07Report correct symbolic link dentry sizesM. Vefa Bicakci
Prior to this commit, gocryptfs's reverse mode did not report correct directory entry sizes for symbolic links, where the dentry size needs to be the same as the length of a string containing the target path. This commit corrects this issue and adds a test case to verify the correctness of the implementation. This issue was discovered during the use of a strict file copying program on a reverse-mounted gocryptfs file system.
2017-03-05nametransform: fix Raw64 not affecting symlink targetsJakob Unterwurzacher
The symlink functions incorrectly hardcoded the padded base64 variant.
2017-03-05nametransform: fix Raw64 not affecting longnamesJakob Unterwurzacher
HashLongName() incorrectly hardcoded the call to base64.URLEncoding.
2017-03-05full stack: implement HKDF supportJakob Unterwurzacher
...but keep it disabled by default for new filesystems. We are still missing an example filesystem and CLI arguments to explicitely enable and disable it.
2017-03-05cryptocore: use eme v1.1 interfaceJakob Unterwurzacher
Version 1.1 of the EME package (github.com/rfjakob/eme) added a more convenient interface. Use it. Note that you have to upgrade your EME package (go get -u)!
2017-02-16tests: reverse: check Access() callJakob Unterwurzacher
2017-02-16fusefrontend_reverse: handle .name files in Access()Jakob Unterwurzacher
These were currently passed to decryptPath() were it caused a warning.
2017-01-03reverse: add single-entry path cacheJakob Unterwurzacher
Speeds up the "ls -lR" benchmark from 2.6 seconds to 2.0.
2017-01-03reverse: factor out rDecryptNameJakob Unterwurzacher
This prepares the code for the introduction of a path cache.
2016-12-10Replace all calls to naked panic() with log.Panic()Jakob Unterwurzacher
We want all panics to show up in the syslog.