summaryrefslogtreecommitdiff
path: root/internal/nametransform
AgeCommit message (Collapse)Author
2018-02-01gccgo: replace syscall.NAME_MAX with unix.NAME_MAXJakob Unterwurzacher
For some reason the syscall.NAME_MAX constant does not exist on gccgo, and it does not hurt us to use unix.NAME_MAX instead. https://github.com/rfjakob/gocryptfs/issues/201
2017-12-01fusefrontend: Improve documentation of mkdirWithIv and WriteDirIVSebastian Lackner
As requested in https://github.com/rfjakob/gocryptfs/pull/179
2017-11-30syscallcompat: check that we get NOFOLLOW wherever possibleJakob Unterwurzacher
...and fix the instances where the AT_SYMLINK_NOFOLLOW / O_NOFOLLOW / O_EXCL flag was missing.
2017-11-29fusefrontend: allow_other: close race between mkdir and chownSebastian Lackner
Fixes the same problem as described in 72b975867a3b9bdf53fc2da62e2ba4a328d7e4ab, except for directories instead of device nodes.
2017-11-29syscallcompat: Introduce unlinkat syscall with flags argumentSebastian Lackner
2017-11-25fusefrontend: Fix longname handling for renames with existing targetSebastian Lackner
Fixes https://github.com/rfjakob/gocryptfs/issues/170 Steps to reproduce the problem: * Create a regular forward mount point * Create a file with a shortname and one with a long filename * Try to run 'mv <shortname> <longname>' This should actually work and replace the existing file, but instead it fails with: mv: cannot move '<shortname>' to '<longname>': File exists The problem is the creation of the .name file. If the target already exists we can safely ignore the EEXIST error and just keep the existing .name file.
2017-11-22nametransform: Return error if decrypted name is '.' or '..'Sebastian Lackner
2017-09-03dirivcache: add better function comments + a sanity check on Store()Jakob Unterwurzacher
The comments were unclear on whether relative or absolute paths have to be passed.
2017-08-09nametransform: extend diriv cache to 100 entriesJakob Unterwurzacher
* extend the diriv cache to 100 entries * add special handling for the immutable root diriv The better cache allows to shed some complexity from the path encryption logic (parent-of-parent check). Mitigates https://github.com/rfjakob/gocryptfs/issues/127
2017-08-06nametransform: add Dir() functionJakob Unterwurzacher
Dir is like filepath.Dir but returns "" instead of ".". This was already implemented in fusefrontend_reverse as saneDir(). We will need it in nametransform for the improved diriv caching.
2017-08-06nametransform: move diriv cache into it's own packageJakob Unterwurzacher
Needs some space to grow. renamed: internal/nametransform/diriv_cache.go -> internal/nametransform/dirivcache/dirivcache.go
2017-08-06nametransform: deduplicate code to encryptAndHashName()Jakob Unterwurzacher
This operation has been done three time by identical sections of code. Create a function for it.
2017-05-25nametransform: reject all-zero dirIVJakob Unterwurzacher
This should never happen in normal operation and is a sign of data corruption. Catch it early.
2017-05-23nametransform: harden name decryption against invalid inputJakob Unterwurzacher
This fixes a few issues I have found reviewing the code: 1) Limit the amount of data ReadLongName() will read. Previously, you could send gocryptfs into out-of-memory by symlinking gocryptfs.diriv to /dev/zero. 2) Handle the empty input case in unPad16() by returning an error. Previously, it would panic with an out-of-bounds array read. It is unclear to me if this could actually be triggered. 3) Reject empty names after base64-decoding in DecryptName(). An empty name crashes emeCipher.Decrypt(). It is unclear to me if B64.DecodeString() can actually return a non-error empty result, but let's guard against it anyway.
2017-05-22nametransform: diriv cache: fall back to the grandparentJakob Unterwurzacher
When a user calls into a deep directory hierarchy, we often get a sequence like this from the kernel: LOOKUP a LOOKUP a/b LOOKUP a/b/c LOOKUP a/b/c/d The diriv cache was not effective for this pattern, because it was designed for this: LOOKUP a/a LOOKUP a/b LOOKUP a/c LOOKUP a/d By also using the cached entry of the grandparent we can avoid lots of diriv reads. This benchmark is against a large encrypted directory hosted on NFS: Before: $ time ls -R nfs-backed-mount > /dev/null real 1m35.976s user 0m0.248s sys 0m0.281s After: $ time ls -R nfs-backed-mount > /dev/null real 1m3.670s user 0m0.217s sys 0m0.403s
2017-05-07nametranform, fusefrontend: better errors on invalid namesJakob Unterwurzacher
nametransform.DecryptName() now always returns syscall.EBADMSG if the name was invalid. fusefrontend.OpenDir error messages have been normalized.
2017-04-29nametransform: WriteDirIV: replace ioutil.WriteFileJakob Unterwurzacher
As reported at https://github.com/rfjakob/gocryptfs/issues/105 , the "ioutil.WriteFile(file, iv, 0400)" call causes "permissions denied" errors on an NFSv4 setup. "strace"ing diriv creation and gocryptfs.conf creation shows this: conf (works on the user's NFSv4 mount): openat(AT_FDCWD, "/tmp/a/gocryptfs.conf.tmp", O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, 0400) = 3 diriv (fails): openat(AT_FDCWD, "/tmp/a/gocryptfs.diriv", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0400) = 3 This patch creates the diriv file with the same flags that are used for creating the conf: openat(AT_FDCWD, "/tmp/a/gocryptfs.diriv", O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, 0400) = 3 Closes https://github.com/rfjakob/gocryptfs/issues/105
2017-03-05nametransform: fix Raw64 not affecting symlink targetsJakob Unterwurzacher
The symlink functions incorrectly hardcoded the padded base64 variant.
2017-03-05nametransform: fix Raw64 not affecting longnamesJakob Unterwurzacher
HashLongName() incorrectly hardcoded the call to base64.URLEncoding.
2017-03-05Drop Go 1.4 compatability code everywhereJakob Unterwurzacher
Yields a nice reduction in code size.
2017-03-05cryptocore: use eme v1.1 interfaceJakob Unterwurzacher
Version 1.1 of the EME package (github.com/rfjakob/eme) added a more convenient interface. Use it. Note that you have to upgrade your EME package (go get -u)!
2016-12-10Replace all calls to naked panic() with log.Panic()Jakob Unterwurzacher
We want all panics to show up in the syslog.
2016-11-28fusefronted: preserve owner for device nodes and socketsJakob Unterwurzacher
https://github.com/rfjakob/gocryptfs/issues/64
2016-11-10Fix golint warningsJakob Unterwurzacher
$ golint ./... | grep -v underscore | grep -v ALL_CAPS internal/fusefrontend_reverse/rfs.go:52:36: exported func NewFS returns unexported type *fusefrontend_reverse.reverseFS, which can be annoying to use internal/nametransform/raw64_go1.5.go:10:2: exported const HaveRaw64 should have comment (or a comment on this block) or be unexported
2016-11-09nametransform: get rid of leading "./"Jakob Unterwurzacher
Paths in the root directory were encrypted to this: foobar -> ./N9vPc0gXUY4PDSt0-muYXQ==
2016-11-06nametransform: nicer error message on empty gocryptfs.dirivJakob Unterwurzacher
Old: Nov 06 13:34:38 brikett gocryptfs[16228]: ReadDirIVAt: Read failed: EOF Nov 06 13:34:38 brikett gocryptfs[16228]: go-fuse: can't convert error type: EOF New: Nov 06 14:08:43 brikett gocryptfs[17361]: ReadDirIVAt: wanted 16 bytes, got 0. Returning EINVAL.
2016-11-01Add Go 1.4 compatibility layer for raw64Jakob Unterwurzacher
Using raw64 will not work, but at least it will compile.
2016-11-01Add support for unpadded base64 filenames, "-raw64"Jakob Unterwurzacher
Through base64.RawURLEncoding. New command-line parameter "-raw64".
2016-11-01fusefronted: expire dir IV cache after one secondJakob Unterwurzacher
The Back In Time backup tool (https://github.com/bit-team/backintime) wants to write directly into the ciphertext dir. This may cause the cached directory IV to become out-of-date. Having an expiry time limits the inconstency to one second, like attr_timeout does for the kernel getattr cache.
2016-11-01fusefrontend: refactor dirIVCacheJakob Unterwurzacher
Simplify the code a bit.
2016-10-24Fix misspellingsJakob Unterwurzacher
Close https://github.com/rfjakob/gocryptfs/issues/54
2016-10-07nametransform: better error code on invalid diriv lengthJakob Unterwurzacher
go-fuse translates errors unknown to it into "function not implemented", which is wrong in this case.
2016-10-04lint fixesValient Gough
2016-09-25nametransform: downgrade invalid length warningJakob Unterwurzacher
This happens all the time in reverse mode when somebody stats an encrypted symlink target.
2016-09-25nametransform: delete unused function DecryptPathDirIVJakob Unterwurzacher
2016-09-25reverse: add symlink encryption and Readlink supportJakob Unterwurzacher
2016-09-25reverse: resolve long names in Open and GetAttrJakob Unterwurzacher
The last patch added functionality for generating gocryptfs.longname.* files, this patch adds support for mapping them back to the full filenames. Note that resolving a long name needs a full readdir. A cache will be implemented later on to improve performance.
2016-09-25nametransform: implement ReadDirIV without OpenatJakob Unterwurzacher
As ReadDirIV operates on a path anyway, opening the directory has no clear safety advantage w.r.t. concurrent renames. If the backing directory is a reverse-mounted gocryptfs filesystem, each directory open is an OPENDIR, and this causes a full directory read! This patch improves the "ls -lR" performance of an DIR --> gocryptfs-reverse --> gocryptfs chain by a factor of ~10. OPENDIR counts for ls -lR: Before 15570 After 2745
2016-09-25nametransform: return EINVAL on invalid paddingJakob Unterwurzacher
With the generic fmt.Errorf we trigger a warning from go-fuse: 2016/09/21 21:42:31 can't convert error type: Invalid padding
2016-09-25nametransform: export DirIVLen constantJakob Unterwurzacher
Will be needed by reverse mode.
2016-07-06Add godoc comments to all internal packagesJakob Unterwurzacher
2016-07-03syscallcompat: OSX: add Unlinkat wrapperJakob Unterwurzacher
Also, replace remaining naked syscall.Openat calls.
2016-07-03nametransform: hide detailed padding error behind the debug flagJakob Unterwurzacher
unPad16 returns detailed errors including the position of the incorrect bytes. Kill a possible padding oracle by lumping everything into a generic error. The detailed error is only logged if debug is active.
2016-06-23Drop deprecated "-emenames" optionJakob Unterwurzacher
The EMENames feature flag is already mandatory, dropping the command line option is the final step.
2016-06-23nametransform: drop unused noiv functionsJakob Unterwurzacher
As DirIV is now mandatory there is no user for the noiv functions.
2016-06-16Rename nametransform, contentenc source filesJakob Unterwurzacher
Let's have shorter names, and merge *_api.go into the "main" file. No code changes.
2016-06-15Rename internal "toggledlog" package to "tlog"Jakob Unterwurzacher
tlog is used heavily everywhere and deserves a shorter name. Renamed using sed magic, without any manual rework: find * -type f -exec sed -i 's/toggledlog/tlog/g' {} +
2016-06-01nametransform, main: better error messagesJakob Unterwurzacher
2016-04-10longnames: fix fsstress failure, use dirfdJakob Unterwurzacher
Using dirfd-relative operations allows safe lockless handling of the ".name" files.
2016-04-10longnames: use symbolic constants instead of naked intsJakob Unterwurzacher