libgocryptfs/internal/fusefrontend_reverse/rpath.go

package fusefrontend_reverse

import (
	"encoding/base64"
	"path/filepath"
	"strings"
	"syscall"

	"github.com/rfjakob/gocryptfs/internal/nametransform"
	"github.com/rfjakob/gocryptfs/internal/pathiv"
	"github.com/rfjakob/gocryptfs/internal/syscallcompat"
	"github.com/rfjakob/gocryptfs/internal/tlog"
)

// abs basically returns storage dir + "/" + relPath.
// It takes an error parameter so it can directly wrap decryptPath like this:
// a, err := rfs.abs(rfs.decryptPath(relPath))
// abs never generates an error on its own. In other words, abs(p, nil) never
// fails.
func (rfs *ReverseFS) abs(relPath string, err error) (string, error) {
	if err != nil {
		return "", err
	}
	return filepath.Join(rfs.args.Cipherdir, relPath), nil
}

// rDecryptName decrypts the ciphertext name "cName", given the dirIV of the
// directory "cName" lies in. The relative plaintext path to the directory
// "pDir" is used if a "gocryptfs.longname.XYZ.name" must be resolved.
func (rfs *ReverseFS) rDecryptName(cName string, dirIV []byte, pDir string) (pName string, err error) {
	nameType := nametransform.NameType(cName)
	if nameType == nametransform.LongNameNone {
		pName, err = rfs.nameTransform.DecryptName(cName, dirIV)
		if err != nil {
			// We get lots of decrypt requests for names like ".Trash" that
			// are invalid base64. Convert them to ENOENT so the correct
			// error gets returned to the user.
			if _, ok := err.(base64.CorruptInputError); ok {
				return "", syscall.ENOENT
			}
			// Stat attempts on the link target of encrypted symlinks.
			// These are always valid base64 but the length is not a
			// multiple of 16.
			if err == syscall.EBADMSG {
				return "", syscall.ENOENT
			}
			return "", err
		}
	} else if nameType == nametransform.LongNameContent {
		pName, err = rfs.findLongnameParent(pDir, dirIV, cName)
		if err != nil {
			return "", err
		}
	} else {
		// It makes no sense to decrypt a ".name" file. This is a virtual file
		// that has no representation in the plaintext filesystem. ".name"
		// files should have already been handled in virtualfile.go.
		tlog.Warn.Printf("rDecryptName: cannot decrypt virtual file %q", cName)
		return "", syscall.EINVAL
	}
	return pName, nil
}

// decryptPath decrypts a relative ciphertext path to a relative plaintext
// path.
func (rfs *ReverseFS) decryptPath(relPath string) (string, error) {
	if rfs.args.PlaintextNames || relPath == "" {
		return relPath, nil
	}
	// Check if the parent dir is in the cache
	cDir := nametransform.Dir(relPath)
	dirIV, pDir := rPathCache.lookup(cDir)
	if dirIV != nil {
		cName := filepath.Base(relPath)
		pName, err := rfs.rDecryptName(cName, dirIV, pDir)
		if err != nil {
			return "", err
		}
		return filepath.Join(pDir, pName), nil
	}
	parts := strings.Split(relPath, "/")
	var transformedParts []string
	for i := range parts {
		// Start at the top and recurse
		currentCipherDir := filepath.Join(parts[:i]...)
		currentPlainDir := filepath.Join(transformedParts[:i]...)
		dirIV = pathiv.Derive(currentCipherDir, pathiv.PurposeDirIV)
		transformedPart, err := rfs.rDecryptName(parts[i], dirIV, currentPlainDir)
		if err != nil {
			return "", err
		}
		transformedParts = append(transformedParts, transformedPart)
	}
	pRelPath := filepath.Join(transformedParts...)
	rPathCache.store(cDir, dirIV, nametransform.Dir(pRelPath))
	return pRelPath, nil
}

// openBackingDir decrypt the relative ciphertext path "cRelPath", opens
// the directory that contains the target file/dir and returns the fd to
// the directory and the decrypted name of the target file.
// The fd/name pair is intended for use with fchownat and friends.
func (rfs *ReverseFS) openBackingDir(cRelPath string) (dirfd int, pName string, err error) {
	// Decrypt relative path
	pRelPath, err := rfs.decryptPath(cRelPath)
	if err != nil {
		return -1, "", err
	}
	// Open directory, safe against symlink races
	pDir := filepath.Dir(pRelPath)
	dirfd, err = syscallcompat.OpenNofollow(rfs.args.Cipherdir, pDir, syscall.O_RDONLY|syscall.O_DIRECTORY, 0)
	if err != nil {
		return -1, "", err
	}
	pName = filepath.Base(pRelPath)
	return dirfd, pName, nil
}
reverse: add skeleton Compiles but does not do much else. 2016-08-25 00:14:36 +02:00			`package fusefrontend_reverse`

			`import (`
reverse: rename types to reverseXYZ ...to prevent confusion with the forward variants. FS -> reverseFS file -> reverseFile Also add an incomplete read implementation. 2016-08-30 00:23:55 +02:00			`"encoding/base64"`
reverse: add skeleton Compiles but does not do much else. 2016-08-25 00:14:36 +02:00			`"path/filepath"`
			`"strings"`
reverse: rename types to reverseXYZ ...to prevent confusion with the forward variants. FS -> reverseFS file -> reverseFile Also add an incomplete read implementation. 2016-08-30 00:23:55 +02:00			`"syscall"`
reverse: resolve long names in Open and GetAttr The last patch added functionality for generating gocryptfs.longname.* files, this patch adds support for mapping them back to the full filenames. Note that resolving a long name needs a full readdir. A cache will be implemented later on to improve performance. 2016-09-22 23:28:11 +02:00
			`"github.com/rfjakob/gocryptfs/internal/nametransform"`
fusefrontend_reverse: move pathiv to its own package We will also need it in forward mode. 2017-05-28 18:09:02 +02:00			`"github.com/rfjakob/gocryptfs/internal/pathiv"`
fusefrontend_reverse: secure Access against symlink races (somewhat) Unfortunately, faccessat in Linux ignores AT_SYMLINK_NOFOLLOW, so this is not completely atomic. Given that the information you get from access is not very interesting, it seems good enough. https://github.com/rfjakob/gocryptfs/issues/165 2017-12-07 00:08:10 +01:00			`"github.com/rfjakob/gocryptfs/internal/syscallcompat"`
ctlsock: prevent panic on invalid decrypt request 2016-11-10 23:51:47 +01:00			`"github.com/rfjakob/gocryptfs/internal/tlog"`
reverse: add skeleton Compiles but does not do much else. 2016-08-25 00:14:36 +02:00			`)`

fusefrontend_reverse: switch to stable inode numbers The volatile inode numbers that we used before cause "find" to complain and error out. Virtual inode numbers are derived from their parent file inode number by adding 10^19, which is hopefully large enough no never cause problems in practice. If the backing directory contains inode numbers higher than that, stat() on these files will return EOVERFLOW. Example directory lising after this change: $ ls -i 926473 gocryptfs.conf 1000000000000926466 gocryptfs.diriv 944878 gocryptfs.longname.hmZojMqC6ns47eyVxLlH2ailKjN9bxfosi3C-FR8mjA 1000000000000944878 gocryptfs.longname.hmZojMqC6ns47eyVxLlH2ailKjN9bxfosi3C-FR8mjA.name 934408 Tdfbf02CKsTaGVYnAsSypA 2017-04-01 17:19:15 +02:00			`// abs basically returns storage dir + "/" + relPath.`
			`// It takes an error parameter so it can directly wrap decryptPath like this:`
			`// a, err := rfs.abs(rfs.decryptPath(relPath))`
			`// abs never generates an error on its own. In other words, abs(p, nil) never`
			`// fails.`
Fix golint warnings $ golint ./... \| grep -v underscore \| grep -v ALL_CAPS internal/fusefrontend_reverse/rfs.go:52:36: exported func NewFS returns unexported type *fusefrontend_reverse.reverseFS, which can be annoying to use internal/nametransform/raw64_go1.5.go:10:2: exported const HaveRaw64 should have comment (or a comment on this block) or be unexported 2016-11-10 00:38:01 +01:00			`func (rfs *ReverseFS) abs(relPath string, err error) (string, error) {`
reverse: add skeleton Compiles but does not do much else. 2016-08-25 00:14:36 +02:00			`if err != nil {`
			`return "", err`
			`}`
reverse: rename types to reverseXYZ ...to prevent confusion with the forward variants. FS -> reverseFS file -> reverseFile Also add an incomplete read implementation. 2016-08-30 00:23:55 +02:00			`return filepath.Join(rfs.args.Cipherdir, relPath), nil`
reverse: add skeleton Compiles but does not do much else. 2016-08-25 00:14:36 +02:00			`}`

fusefrontend_reverse: use OpenNofollow in findLongnameParent Protects findLongnameParent against symlink races. Also add comments to several functions along the way. Reported at https://github.com/rfjakob/gocryptfs/issues/165 2018-01-17 20:52:52 +01:00			`// rDecryptName decrypts the ciphertext name "cName", given the dirIV of the`
			`// directory "cName" lies in. The relative plaintext path to the directory`
			`// "pDir" is used if a "gocryptfs.longname.XYZ.name" must be resolved.`
reverse: factor out rDecryptName This prepares the code for the introduction of a path cache. 2017-01-03 17:46:11 +01:00			`func (rfs *ReverseFS) rDecryptName(cName string, dirIV []byte, pDir string) (pName string, err error) {`
			`nameType := nametransform.NameType(cName)`
			`if nameType == nametransform.LongNameNone {`
			`pName, err = rfs.nameTransform.DecryptName(cName, dirIV)`
			`if err != nil {`
			`// We get lots of decrypt requests for names like ".Trash" that`
			`// are invalid base64. Convert them to ENOENT so the correct`
			`// error gets returned to the user.`
			`if _, ok := err.(base64.CorruptInputError); ok {`
			`return "", syscall.ENOENT`
			`}`
			`// Stat attempts on the link target of encrypted symlinks.`
			`// These are always valid base64 but the length is not a`
			`// multiple of 16.`
fusefrontend_reverse: return ENOENT for undecryptable names This was working until DecryptName switched to returning EBADMSG instead of EINVAL. Add a test to catch the regression next time. 2017-07-27 20:31:22 +02:00			`if err == syscall.EBADMSG {`
reverse: factor out rDecryptName This prepares the code for the introduction of a path cache. 2017-01-03 17:46:11 +01:00			`return "", syscall.ENOENT`
			`}`
			`return "", err`
			`}`
			`} else if nameType == nametransform.LongNameContent {`
			`pName, err = rfs.findLongnameParent(pDir, dirIV, cName)`
			`if err != nil {`
			`return "", err`
			`}`
			`} else {`
			`// It makes no sense to decrypt a ".name" file. This is a virtual file`
tests: reverse: check Access() call 2017-02-16 21:20:29 +01:00			`// that has no representation in the plaintext filesystem. ".name"`
reverse: factor out rDecryptName This prepares the code for the introduction of a path cache. 2017-01-03 17:46:11 +01:00			`// files should have already been handled in virtualfile.go.`
tests: reverse: check Access() call 2017-02-16 21:20:29 +01:00			`tlog.Warn.Printf("rDecryptName: cannot decrypt virtual file %q", cName)`
reverse: factor out rDecryptName This prepares the code for the introduction of a path cache. 2017-01-03 17:46:11 +01:00			`return "", syscall.EINVAL`
			`}`
			`return pName, nil`
			`}`

fusefrontend_reverse: use OpenNofollow in findLongnameParent Protects findLongnameParent against symlink races. Also add comments to several functions along the way. Reported at https://github.com/rfjakob/gocryptfs/issues/165 2018-01-17 20:52:52 +01:00			`// decryptPath decrypts a relative ciphertext path to a relative plaintext`
			`// path.`
Fix golint warnings $ golint ./... \| grep -v underscore \| grep -v ALL_CAPS internal/fusefrontend_reverse/rfs.go:52:36: exported func NewFS returns unexported type *fusefrontend_reverse.reverseFS, which can be annoying to use internal/nametransform/raw64_go1.5.go:10:2: exported const HaveRaw64 should have comment (or a comment on this block) or be unexported 2016-11-10 00:38:01 +01:00			`func (rfs *ReverseFS) decryptPath(relPath string) (string, error) {`
reverse: rename types to reverseXYZ ...to prevent confusion with the forward variants. FS -> reverseFS file -> reverseFile Also add an incomplete read implementation. 2016-08-30 00:23:55 +02:00			`if rfs.args.PlaintextNames \|\| relPath == "" {`
reverse: add skeleton Compiles but does not do much else. 2016-08-25 00:14:36 +02:00			`return relPath, nil`
			`}`
reverse: add single-entry path cache Speeds up the "ls -lR" benchmark from 2.6 seconds to 2.0. 2017-01-03 18:14:01 +01:00			`// Check if the parent dir is in the cache`
nametransform: add Dir() function Dir is like filepath.Dir but returns "" instead of ".". This was already implemented in fusefrontend_reverse as saneDir(). We will need it in nametransform for the improved diriv caching. 2017-08-06 23:12:27 +02:00			`cDir := nametransform.Dir(relPath)`
reverse: add single-entry path cache Speeds up the "ls -lR" benchmark from 2.6 seconds to 2.0. 2017-01-03 18:14:01 +01:00			`dirIV, pDir := rPathCache.lookup(cDir)`
			`if dirIV != nil {`
			`cName := filepath.Base(relPath)`
			`pName, err := rfs.rDecryptName(cName, dirIV, pDir)`
			`if err != nil {`
			`return "", err`
			`}`
			`return filepath.Join(pDir, pName), nil`
			`}`
reverse: add skeleton Compiles but does not do much else. 2016-08-25 00:14:36 +02:00			`parts := strings.Split(relPath, "/")`
reverse: factor out rDecryptName This prepares the code for the introduction of a path cache. 2017-01-03 17:46:11 +01:00			`var transformedParts []string`
			`for i := range parts {`
reverse: resolve long names in Open and GetAttr The last patch added functionality for generating gocryptfs.longname.* files, this patch adds support for mapping them back to the full filenames. Note that resolving a long name needs a full readdir. A cache will be implemented later on to improve performance. 2016-09-22 23:28:11 +02:00			`// Start at the top and recurse`
reverse: fix longname decoding bug This could have caused spurious ENOENT errors. That it did not cause these errors all the time is interesting and probably because an earlier readdir would place the entry in the cache. This masks the bug. 2016-11-10 23:25:37 +01:00			`currentCipherDir := filepath.Join(parts[:i]...)`
reverse: factor out rDecryptName This prepares the code for the introduction of a path cache. 2017-01-03 17:46:11 +01:00			`currentPlainDir := filepath.Join(transformedParts[:i]...)`
fusefrontend_reverse: move pathiv to its own package We will also need it in forward mode. 2017-05-28 18:09:02 +02:00			`dirIV = pathiv.Derive(currentCipherDir, pathiv.PurposeDirIV)`
reverse: factor out rDecryptName This prepares the code for the introduction of a path cache. 2017-01-03 17:46:11 +01:00			`transformedPart, err := rfs.rDecryptName(parts[i], dirIV, currentPlainDir)`
			`if err != nil {`
			`return "", err`
reverse: add skeleton Compiles but does not do much else. 2016-08-25 00:14:36 +02:00			`}`
			`transformedParts = append(transformedParts, transformedPart)`
			`}`
reverse: add single-entry path cache Speeds up the "ls -lR" benchmark from 2.6 seconds to 2.0. 2017-01-03 18:14:01 +01:00			`pRelPath := filepath.Join(transformedParts...)`
nametransform: add Dir() function Dir is like filepath.Dir but returns "" instead of ".". This was already implemented in fusefrontend_reverse as saneDir(). We will need it in nametransform for the improved diriv caching. 2017-08-06 23:12:27 +02:00			`rPathCache.store(cDir, dirIV, nametransform.Dir(pRelPath))`
reverse: add single-entry path cache Speeds up the "ls -lR" benchmark from 2.6 seconds to 2.0. 2017-01-03 18:14:01 +01:00			`return pRelPath, nil`
reverse: add skeleton Compiles but does not do much else. 2016-08-25 00:14:36 +02:00			`}`
fusefrontend_reverse: secure Access against symlink races (somewhat) Unfortunately, faccessat in Linux ignores AT_SYMLINK_NOFOLLOW, so this is not completely atomic. Given that the information you get from access is not very interesting, it seems good enough. https://github.com/rfjakob/gocryptfs/issues/165 2017-12-07 00:08:10 +01:00
			`// openBackingDir decrypt the relative ciphertext path "cRelPath", opens`
			`// the directory that contains the target file/dir and returns the fd to`
			`// the directory and the decrypted name of the target file.`
			`// The fd/name pair is intended for use with fchownat and friends.`
			`func (rfs *ReverseFS) openBackingDir(cRelPath string) (dirfd int, pName string, err error) {`
			`// Decrypt relative path`
			`pRelPath, err := rfs.decryptPath(cRelPath)`
			`if err != nil {`
			`return -1, "", err`
			`}`
			`// Open directory, safe against symlink races`
			`pDir := filepath.Dir(pRelPath)`
			`dirfd, err = syscallcompat.OpenNofollow(rfs.args.Cipherdir, pDir, syscall.O_RDONLY\|syscall.O_DIRECTORY, 0)`
			`if err != nil {`
			`return -1, "", err`
			`}`
			`pName = filepath.Base(pRelPath)`
			`return dirfd, pName, nil`
			`}`