aboutsummaryrefslogtreecommitdiff
path: root/internal/nametransform
AgeCommit message (Collapse)Author
2020-08-02v2api/reverse: implement Lookup for longnameJakob Unterwurzacher
2020-06-06badname: stop trying to decrypt at length 22Jakob Unterwurzacher
At least 16 bytes due to AES --> at least 22 characters in base64
2020-06-06Added auto decryption of invalid file namesDerDonut
Changed invalid file decoding and decryption. Function DecryptName now shortens the filename until the filename is decodable and decryptable. Will work with valid **and** invalid Base64URL delimiter (valid delimiter [0-9a-zA-z_\\-]. If the filename is not decryptable at all, it returns the original cipher name with flag suffix Changed cli tests to generate decryptable and undecryptable file names with correct encrypted content. Replacing #474, extends #393
2020-05-10Fix spelling mistakes found by misspellJakob Unterwurzacher
https://github.com/client9/misspell
2020-04-18nametransform: update comment & simplify testsJakob Unterwurzacher
The comment still mentioned CBC, which has been removed a long time ago. The test definition can be rewritten using slice literals, saving sume stuttering.
2020-02-28Show undecryptable filenames if they match supplied globorcas
Resolves https://github.com/rfjakob/gocryptfs/issues/393
2019-03-30forward mode: create gocryptfs.diriv files with 0440 permissionsJakob Unterwurzacher
Makes it easier to share an encrypted folder via a network drive. https://github.com/rfjakob/gocryptfs/issues/387
2019-03-26reverse mode: support wildcard exclude (--exclude-wildcard)Eduardo M KALINOWSKI
This adds support for gitignore-like wildcards and exclude patters in reverse mode. It (somewhat) fixes #273: no regexp support, but the syntax should be powerful enough to satisfy most needs. Also, since adding a lot of --exclude options can be tedious, it adds the --exclude-from option to read patterns from a file (or files).
2019-02-17nametransform: reject names longer than 255 charsJakob Unterwurzacher
Looks like we allowed creating longer names by accident. Fix that, and add a test that verifies it.
2019-01-09nametransform: Create *.name files with 0400 permission.Sebastian Lackner
Similar to gocryptfs.iv files they are never modified.
2019-01-04nametransform: ReadDirIVAt: return raw syscall errorJakob Unterwurzacher
Otherwise this can happen, as triggered by xfstests generic/011: go-fuse: can't convert error type: openat failed: too many open files The app then gets a misleading "Function not implemented" error.
2019-01-04A few more spelling fixes.Sebastian Lackner
Found with the 'codespell' utility.
2019-01-03nametransform: Add implicit syscall.O_RDONLY flag.Sebastian Lackner
2019-01-03fusefrontend: add dirCacheJakob Unterwurzacher
2019-01-03nametransform: simplify WriteDirIV to WriteDirIVAtJakob Unterwurzacher
Un-spaghettify the function and let the callers open the directory.
2019-01-02fusefronted: make EncryptPath symlink-safeJakob Unterwurzacher
Finally allows us to delete EncryptPathDirIV.
2019-01-02nametransform: fix possible incomplete read in ReadLongNameAtJakob Unterwurzacher
Pread() needs retry logic, so instead of implementing it ourselves, use os.File. Reported by @slackner at https://github.com/rfjakob/gocryptfs/commit/c09bf1f2284706232642431c75fa1f3d8500a9d0#r31813394
2019-01-01nametransform: rename WriteLongName() -> WriteLongNameAt()Jakob Unterwurzacher
And also rename DeleteLongName() -> DeleteLongNameAt(). The naming follow the names open the openat() etc syscalls.
2019-01-01fusefrontend: make OpenDir() symlink-safeJakob Unterwurzacher
Interestingly, little or no performance impact: $ ./benchmark.bash Testing gocryptfs at /tmp/benchmark.bash.39W: gocryptfs v1.6-42-g30c2349-dirty; go-fuse v20170619-66-g6df8ddc; 2018-11-04 go1.11 Downloading linux-3.0.tar.gz /tmp/linux-3.0.tar.gz 100%[=========================================================================>] 92.20M 2.93MB/s in 31s 2018-11-04 21:44:44 URL:https://cdn.kernel.org/pub/linux/kernel/v3.0/linux-3.0.tar.gz [96675825/96675825] -> "/tmp/linux-3.0.tar.gz" [1] WRITE: 262144000 bytes (262 MB, 250 MiB) copied, 1.1808 s, 222 MB/s READ: 262144000 bytes (262 MB, 250 MiB) copied, 0.866438 s, 303 MB/s UNTAR: 24.745 MD5: 12.050 LS: 3.525 RM: 9.544 Note: kernel has been updated: $ uname -a Linux brikett 4.18.16-200.fc28.x86_64 #1 SMP Sat Oct 20 23:53:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
2019-01-01fusefrontend: mark a few more functions as symlink-safe / unsafeJakob Unterwurzacher
2019-01-01fusefrontend: make openBackingDir() symlink-safeJakob Unterwurzacher
openBackingDir() used encryptPath(), which is not symlink-safe itself. Drop encryptPath() and implement our own directory walk. Adds three seconds to untar and two seconds to rm: $ ./benchmark.bash Testing gocryptfs at /tmp/benchmark.bash.MzG: gocryptfs v1.6-36-g8fb3c2f-dirty; go-fuse v20170619-66-g6df8ddc; 2018-10-14 go1.11 WRITE: 262144000 bytes (262 MB, 250 MiB) copied, 1.25078 s, 210 MB/s READ: 262144000 bytes (262 MB, 250 MiB) copied, 1.0318 s, 254 MB/s UNTAR: 20.941 MD5: 11.568 LS: 1.638 RM: 5.337
2019-01-01fusefrontend: make DecryptPath() symlink-safeJakob Unterwurzacher
DecryptPath is now symlink-safe through the use of *at() functions.
2019-01-01nametransform: comments: directly link to ioutil.WriteFile fixJakob Unterwurzacher
So the reader does not have to read through the whole ticket. The commit message has a nice summary of the problem.
2019-01-01nametransform: Delete incomplete longname files on error.Sebastian Lackner
2018-12-27Assorted spelling fixes.Sebastian Lackner
Mostly detected with the 'codespell' utility, but also includes some manual grammar fixes.
2018-09-23fusefrontend: get rid of os.File* wrappingJakob Unterwurzacher
Directly use int file descriptors for the dirfd and get rid of one level of indirection.
2018-07-15fusefrontend: doWrite: delete file header if first write failsJakob Unterwurzacher
xfstests generic/083 fills the filesystem almost completely while running fsstress in parallel. In fsck, these would show up: readFileID 2580: incomplete file, got 18 instead of 19 bytes This could happen when writing the file header works, but writing the actual data fails. Now we kill the header again by truncating the file to zero.
2018-07-15WriteDirIV: delete incomplete gocryptfs.diriv file if write failsJakob Unterwurzacher
If the underlying filesystem is full, writing to gocryptfs.diriv may fail, and later fsck show this: OpenDir "xyz": could not read gocryptfs.diriv: wanted 16 bytes, got 0 Uncovered by xfstests generic/083. Also fixes a fd leak in the error path.
2018-04-02fsck: clean up log outputJakob Unterwurzacher
Make sure we get only 1 warning output per problem. Also, add new corruption types to broken_fs_v1.4.
2018-02-01gccgo: replace syscall.NAME_MAX with unix.NAME_MAXJakob Unterwurzacher
For some reason the syscall.NAME_MAX constant does not exist on gccgo, and it does not hurt us to use unix.NAME_MAX instead. https://github.com/rfjakob/gocryptfs/issues/201
2017-12-01fusefrontend: Improve documentation of mkdirWithIv and WriteDirIVSebastian Lackner
As requested in https://github.com/rfjakob/gocryptfs/pull/179
2017-11-30syscallcompat: check that we get NOFOLLOW wherever possibleJakob Unterwurzacher
...and fix the instances where the AT_SYMLINK_NOFOLLOW / O_NOFOLLOW / O_EXCL flag was missing.
2017-11-29fusefrontend: allow_other: close race between mkdir and chownSebastian Lackner
Fixes the same problem as described in 72b975867a3b9bdf53fc2da62e2ba4a328d7e4ab, except for directories instead of device nodes.
2017-11-29syscallcompat: Introduce unlinkat syscall with flags argumentSebastian Lackner
2017-11-25fusefrontend: Fix longname handling for renames with existing targetSebastian Lackner
Fixes https://github.com/rfjakob/gocryptfs/issues/170 Steps to reproduce the problem: * Create a regular forward mount point * Create a file with a shortname and one with a long filename * Try to run 'mv <shortname> <longname>' This should actually work and replace the existing file, but instead it fails with: mv: cannot move '<shortname>' to '<longname>': File exists The problem is the creation of the .name file. If the target already exists we can safely ignore the EEXIST error and just keep the existing .name file.
2017-11-22nametransform: Return error if decrypted name is '.' or '..'Sebastian Lackner
2017-09-03dirivcache: add better function comments + a sanity check on Store()Jakob Unterwurzacher
The comments were unclear on whether relative or absolute paths have to be passed.
2017-08-09nametransform: extend diriv cache to 100 entriesJakob Unterwurzacher
* extend the diriv cache to 100 entries * add special handling for the immutable root diriv The better cache allows to shed some complexity from the path encryption logic (parent-of-parent check). Mitigates https://github.com/rfjakob/gocryptfs/issues/127
2017-08-06nametransform: add Dir() functionJakob Unterwurzacher
Dir is like filepath.Dir but returns "" instead of ".". This was already implemented in fusefrontend_reverse as saneDir(). We will need it in nametransform for the improved diriv caching.
2017-08-06nametransform: move diriv cache into it's own packageJakob Unterwurzacher
Needs some space to grow. renamed: internal/nametransform/diriv_cache.go -> internal/nametransform/dirivcache/dirivcache.go
2017-08-06nametransform: deduplicate code to encryptAndHashName()Jakob Unterwurzacher
This operation has been done three time by identical sections of code. Create a function for it.
2017-05-25nametransform: reject all-zero dirIVJakob Unterwurzacher
This should never happen in normal operation and is a sign of data corruption. Catch it early.
2017-05-23nametransform: harden name decryption against invalid inputJakob Unterwurzacher
This fixes a few issues I have found reviewing the code: 1) Limit the amount of data ReadLongName() will read. Previously, you could send gocryptfs into out-of-memory by symlinking gocryptfs.diriv to /dev/zero. 2) Handle the empty input case in unPad16() by returning an error. Previously, it would panic with an out-of-bounds array read. It is unclear to me if this could actually be triggered. 3) Reject empty names after base64-decoding in DecryptName(). An empty name crashes emeCipher.Decrypt(). It is unclear to me if B64.DecodeString() can actually return a non-error empty result, but let's guard against it anyway.
2017-05-22nametransform: diriv cache: fall back to the grandparentJakob Unterwurzacher
When a user calls into a deep directory hierarchy, we often get a sequence like this from the kernel: LOOKUP a LOOKUP a/b LOOKUP a/b/c LOOKUP a/b/c/d The diriv cache was not effective for this pattern, because it was designed for this: LOOKUP a/a LOOKUP a/b LOOKUP a/c LOOKUP a/d By also using the cached entry of the grandparent we can avoid lots of diriv reads. This benchmark is against a large encrypted directory hosted on NFS: Before: $ time ls -R nfs-backed-mount > /dev/null real 1m35.976s user 0m0.248s sys 0m0.281s After: $ time ls -R nfs-backed-mount > /dev/null real 1m3.670s user 0m0.217s sys 0m0.403s
2017-05-07nametranform, fusefrontend: better errors on invalid namesJakob Unterwurzacher
nametransform.DecryptName() now always returns syscall.EBADMSG if the name was invalid. fusefrontend.OpenDir error messages have been normalized.
2017-04-29nametransform: WriteDirIV: replace ioutil.WriteFileJakob Unterwurzacher
As reported at https://github.com/rfjakob/gocryptfs/issues/105 , the "ioutil.WriteFile(file, iv, 0400)" call causes "permissions denied" errors on an NFSv4 setup. "strace"ing diriv creation and gocryptfs.conf creation shows this: conf (works on the user's NFSv4 mount): openat(AT_FDCWD, "/tmp/a/gocryptfs.conf.tmp", O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, 0400) = 3 diriv (fails): openat(AT_FDCWD, "/tmp/a/gocryptfs.diriv", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0400) = 3 This patch creates the diriv file with the same flags that are used for creating the conf: openat(AT_FDCWD, "/tmp/a/gocryptfs.diriv", O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, 0400) = 3 Closes https://github.com/rfjakob/gocryptfs/issues/105
2017-03-05nametransform: fix Raw64 not affecting symlink targetsJakob Unterwurzacher
The symlink functions incorrectly hardcoded the padded base64 variant.
2017-03-05nametransform: fix Raw64 not affecting longnamesJakob Unterwurzacher
HashLongName() incorrectly hardcoded the call to base64.URLEncoding.
2017-03-05Drop Go 1.4 compatability code everywhereJakob Unterwurzacher
Yields a nice reduction in code size.
2017-03-05cryptocore: use eme v1.1 interfaceJakob Unterwurzacher
Version 1.1 of the EME package (github.com/rfjakob/eme) added a more convenient interface. Use it. Note that you have to upgrade your EME package (go get -u)!