| Age | Commit message (Collapse) | Author | 
|---|
|  | As requested in https://github.com/rfjakob/gocryptfs/pull/179 | 
|  | ...and fix the instances where the AT_SYMLINK_NOFOLLOW /
O_NOFOLLOW / O_EXCL flag was missing. | 
|  | Fixes the same problem as described in 72b975867a3b9bdf53fc2da62e2ba4a328d7e4ab,
except for directories instead of device nodes. | 
|  |  | 
|  | Fixes https://github.com/rfjakob/gocryptfs/issues/170
Steps to reproduce the problem:
* Create a regular forward mount point
* Create a file with a shortname and one with a long filename
* Try to run 'mv <shortname> <longname>'
This should actually work and replace the existing file, but instead it
fails with:
    mv: cannot move '<shortname>' to '<longname>': File exists
The problem is the creation of the .name file. If the target already exists
we can safely ignore the EEXIST error and just keep the existing .name file. | 
|  |  | 
|  | The comments were unclear on whether relative or absolute paths
have to be passed. | 
|  | * extend the diriv cache to 100 entries
* add special handling for the immutable root diriv
The better cache allows to shed some complexity from the path
encryption logic (parent-of-parent check).
Mitigates https://github.com/rfjakob/gocryptfs/issues/127 | 
|  | Dir is like filepath.Dir but returns "" instead of ".".
This was already implemented in fusefrontend_reverse as saneDir().
We will need it in nametransform for the improved diriv caching. | 
|  | Needs some space to grow.
renamed:    internal/nametransform/diriv_cache.go -> internal/nametransform/dirivcache/dirivcache.go | 
|  | This operation has been done three time by identical
sections of code. Create a function for it. | 
|  | This should never happen in normal operation and is a sign of
data corruption. Catch it early. | 
|  | This fixes a few issues I have found reviewing the code:
1) Limit the amount of data ReadLongName() will read. Previously,
you could send gocryptfs into out-of-memory by symlinking
gocryptfs.diriv to /dev/zero.
2) Handle the empty input case in unPad16() by returning an
error. Previously, it would panic with an out-of-bounds array
read. It is unclear to me if this could actually be triggered.
3) Reject empty names after base64-decoding in DecryptName().
An empty name crashes emeCipher.Decrypt().
It is unclear to me if B64.DecodeString() can actually return
a non-error empty result, but let's guard against it anyway. | 
|  | When a user calls into a deep directory hierarchy, we often
get a sequence like this from the kernel:
LOOKUP a
LOOKUP a/b
LOOKUP a/b/c
LOOKUP a/b/c/d
The diriv cache was not effective for this pattern, because it
was designed for this:
LOOKUP a/a
LOOKUP a/b
LOOKUP a/c
LOOKUP a/d
By also using the cached entry of the grandparent we can avoid lots
of diriv reads.
This benchmark is against a large encrypted directory hosted on NFS:
Before:
  $ time ls -R nfs-backed-mount > /dev/null
  real	1m35.976s
  user	0m0.248s
  sys	0m0.281s
After:
  $ time ls -R nfs-backed-mount > /dev/null
  real	1m3.670s
  user	0m0.217s
  sys 	0m0.403s | 
|  | nametransform.DecryptName() now always returns syscall.EBADMSG if
the name was invalid.
fusefrontend.OpenDir error messages have been normalized. | 
|  | As reported at https://github.com/rfjakob/gocryptfs/issues/105 ,
the "ioutil.WriteFile(file, iv, 0400)" call causes "permissions denied"
errors on an NFSv4 setup.
"strace"ing diriv creation and gocryptfs.conf creation shows this:
conf (works on the user's NFSv4 mount):
openat(AT_FDCWD, "/tmp/a/gocryptfs.conf.tmp", O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, 0400) = 3
diriv (fails):
openat(AT_FDCWD, "/tmp/a/gocryptfs.diriv", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0400) = 3
This patch creates the diriv file with the same flags that are used for
creating the conf:
openat(AT_FDCWD, "/tmp/a/gocryptfs.diriv", O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, 0400) = 3
Closes https://github.com/rfjakob/gocryptfs/issues/105 | 
|  | The symlink functions incorrectly hardcoded the padded
base64 variant. | 
|  | HashLongName() incorrectly hardcoded the call to base64.URLEncoding. | 
|  | Yields a nice reduction in code size. | 
|  | Version 1.1 of the EME package (github.com/rfjakob/eme) added
a more convenient interface. Use it.
Note that you have to upgrade your EME package (go get -u)! | 
|  | We want all panics to show up in the syslog. | 
|  | https://github.com/rfjakob/gocryptfs/issues/64 | 
|  | $ golint ./... | grep -v underscore | grep -v ALL_CAPS
internal/fusefrontend_reverse/rfs.go:52:36: exported func NewFS returns unexported type *fusefrontend_reverse.reverseFS, which can be annoying to use
internal/nametransform/raw64_go1.5.go:10:2: exported const HaveRaw64 should have comment (or a comment on this block) or be unexported | 
|  | Paths in the root directory were encrypted to this:
    foobar -> ./N9vPc0gXUY4PDSt0-muYXQ== | 
|  | Old:
	Nov 06 13:34:38 brikett gocryptfs[16228]: ReadDirIVAt: Read failed: EOF
	Nov 06 13:34:38 brikett gocryptfs[16228]: go-fuse: can't convert error type: EOF
New:
	Nov 06 14:08:43 brikett gocryptfs[17361]: ReadDirIVAt: wanted 16 bytes, got 0. Returning EINVAL. | 
|  | Using raw64 will not work, but at least it will compile. | 
|  | Through base64.RawURLEncoding.
New command-line parameter "-raw64". | 
|  | The Back In Time backup tool (https://github.com/bit-team/backintime)
wants to write directly into the ciphertext dir.
This may cause the cached directory IV to become out-of-date.
Having an expiry time limits the inconstency to one second, like
attr_timeout does for the kernel getattr cache. | 
|  | Simplify the code a bit. | 
|  | Close https://github.com/rfjakob/gocryptfs/issues/54 | 
|  | go-fuse translates errors unknown to it into "function not
implemented", which is wrong in this case. | 
|  |  | 
|  | This happens all the time in reverse mode when somebody stats
an encrypted symlink target. | 
|  |  | 
|  |  | 
|  | The last patch added functionality for generating gocryptfs.longname.*
files, this patch adds support for mapping them back to the full
filenames.
Note that resolving a long name needs a full readdir. A cache
will be implemented later on to improve performance. | 
|  | As ReadDirIV operates on a path anyway, opening the directory
has no clear safety advantage w.r.t. concurrent renames.
If the backing directory is a reverse-mounted gocryptfs filesystem,
each directory open is an OPENDIR, and this causes a full directory
read!
This patch improves the "ls -lR" performance of an
  DIR --> gocryptfs-reverse --> gocryptfs
chain by a factor of ~10.
OPENDIR counts for ls -lR:
  Before 15570
  After   2745 | 
|  | With the generic fmt.Errorf we trigger a warning from go-fuse:
  2016/09/21 21:42:31 can't convert error type: Invalid padding | 
|  | Will be needed by reverse mode. | 
|  |  | 
|  | Also, replace remaining naked syscall.Openat calls. | 
|  | unPad16 returns detailed errors including the position of the
incorrect bytes. Kill a possible padding oracle by lumping
everything into a generic error.
The detailed error is only logged if debug is active. | 
|  | The EMENames feature flag is already mandatory, dropping the command
line option is the final step. | 
|  | As DirIV is now mandatory there is no user for the noiv functions. | 
|  | Let's have shorter names, and merge *_api.go into the "main"
file.
No code changes. | 
|  | tlog is used heavily everywhere and deserves a shorter name.
Renamed using sed magic, without any manual rework:
   find * -type f -exec sed -i 's/toggledlog/tlog/g' {} + | 
|  |  | 
|  | Using dirfd-relative operations allows safe lockless handling
of the ".name" files. | 
|  |  | 
|  | Go 1.4 and older do not support 128-bit IVs which caused
the tests to panic. |