Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
torvalds
GitHub Repository: torvalds/linux
 Path: blob/master/fs/ceph/crypto.h
49231 views
1
/* SPDX-License-Identifier: GPL-2.0 */

2
/*

3
 * Ceph fscrypt functionality

4
 */

5


6
#ifndef _CEPH_CRYPTO_H

7
#define _CEPH_CRYPTO_H

8


9
#include <crypto/sha2.h>

10
#include <linux/fscrypt.h>

11
#include <linux/base64.h>

12


13
#define CEPH_FSCRYPT_BLOCK_SHIFT   12

14
#define CEPH_FSCRYPT_BLOCK_SIZE    (_AC(1, UL) << CEPH_FSCRYPT_BLOCK_SHIFT)

15
#define CEPH_FSCRYPT_BLOCK_MASK	   (~(CEPH_FSCRYPT_BLOCK_SIZE-1))

16


17
struct ceph_fs_client;

18
struct ceph_acl_sec_ctx;

19
struct ceph_mds_request;

20


21
struct ceph_fname {

22
	struct inode	*dir;

23
	char		*name;		// b64 encoded, possibly hashed

24
	unsigned char	*ctext;		// binary crypttext (if any)

25
	u32		name_len;	// length of name buffer

26
	u32		ctext_len;	// length of crypttext

27
	bool		no_copy;

28
};

29


30
/*

31
 * Header for the encrypted file when truncating the size, this

32
 * will be sent to MDS, and the MDS will update the encrypted

33
 * last block and then truncate the size.

34
 */

35
struct ceph_fscrypt_truncate_size_header {

36
	__u8  ver;

37
	__u8  compat;

38


39
	/*

40
	 * It will be sizeof(assert_ver + file_offset + block_size)

41
	 * if the last block is empty when it's located in a file

42
	 * hole. Or the data_len will plus CEPH_FSCRYPT_BLOCK_SIZE.

43
	 */

44
	__le32 data_len;

45


46
	__le64 change_attr;

47
	__le64 file_offset;

48
	__le32 block_size;

49
} __packed;

50


51
struct ceph_fscrypt_auth {

52
	__le32	cfa_version;

53
	__le32	cfa_blob_len;

54
	u8	cfa_blob[FSCRYPT_SET_CONTEXT_MAX_SIZE];

55
} __packed;

56


57
#define CEPH_FSCRYPT_AUTH_VERSION	1

58
static inline u32 ceph_fscrypt_auth_len(struct ceph_fscrypt_auth *fa)

59
{

60
	u32 ctxsize = le32_to_cpu(fa->cfa_blob_len);

61


62
	return offsetof(struct ceph_fscrypt_auth, cfa_blob) + ctxsize;

63
}

64


65
#ifdef CONFIG_FS_ENCRYPTION

66
/*

67
 * We want to encrypt filenames when creating them, but the encrypted

68
 * versions of those names may have illegal characters in them. To mitigate

69
 * that, we base64 encode them, but that gives us a result that can exceed

70
 * NAME_MAX.

71
 *

72
 * Follow a similar scheme to fscrypt itself, and cap the filename to a

73
 * smaller size. If the ciphertext name is longer than the value below, then

74
 * sha256 hash the remaining bytes.

75
 *

76
 * For the fscrypt_nokey_name struct the dirhash[2] member is useless in ceph

77
 * so the corresponding struct will be:

78
 *

79
 * struct fscrypt_ceph_nokey_name {

80
 *	u8 bytes[157];

81
 *	u8 sha256[SHA256_DIGEST_SIZE];

82
 * }; // 180 bytes => 240 bytes base64-encoded, which is <= NAME_MAX (255)

83
 *

84
 * (240 bytes is the maximum size allowed for snapshot names to take into

85
 *  account the format: '_<SNAPSHOT-NAME>_<INODE-NUMBER>'.)

86
 *

87
 * Note that for long names that end up having their tail portion hashed, we

88
 * must also store the full encrypted name (in the dentry's alternate_name

89
 * field).

90
 */

91
#define CEPH_NOHASH_NAME_MAX (180 - SHA256_DIGEST_SIZE)

92


93
void ceph_fscrypt_set_ops(struct super_block *sb);

94


95
void ceph_fscrypt_free_dummy_policy(struct ceph_fs_client *fsc);

96


97
int ceph_fscrypt_prepare_context(struct inode *dir, struct inode *inode,

98
				 struct ceph_acl_sec_ctx *as);

99
void ceph_fscrypt_as_ctx_to_req(struct ceph_mds_request *req,

100
				struct ceph_acl_sec_ctx *as);

101
int ceph_encode_encrypted_dname(struct inode *parent, char *buf, int len);

102


103
static inline int ceph_fname_alloc_buffer(struct inode *parent,

104
					  struct fscrypt_str *fname)

105
{

106
	if (!IS_ENCRYPTED(parent))

107
		return 0;

108
	return fscrypt_fname_alloc_buffer(NAME_MAX, fname);

109
}

110


111
static inline void ceph_fname_free_buffer(struct inode *parent,

112
					  struct fscrypt_str *fname)

113
{

114
	if (IS_ENCRYPTED(parent))

115
		fscrypt_fname_free_buffer(fname);

116
}

117


118
int ceph_fname_to_usr(const struct ceph_fname *fname, struct fscrypt_str *tname,

119
		      struct fscrypt_str *oname, bool *is_nokey);

120
int ceph_fscrypt_prepare_readdir(struct inode *dir);

121


122
static inline unsigned int ceph_fscrypt_blocks(u64 off, u64 len)

123
{

124
	/* crypto blocks cannot span more than one page */

125
	BUILD_BUG_ON(CEPH_FSCRYPT_BLOCK_SHIFT > PAGE_SHIFT);

126


127
	return ((off+len+CEPH_FSCRYPT_BLOCK_SIZE-1) >> CEPH_FSCRYPT_BLOCK_SHIFT) -

128
		(off >> CEPH_FSCRYPT_BLOCK_SHIFT);

129
}

130


131
/*

132
 * If we have an encrypted inode then we must adjust the offset and

133
 * range of the on-the-wire read to cover an entire encryption block.

134
 * The copy will be done using the original offset and length, after

135
 * we've decrypted the result.

136
 */

137
static inline void ceph_fscrypt_adjust_off_and_len(struct inode *inode,

138
						   u64 *off, u64 *len)

139
{

140
	if (IS_ENCRYPTED(inode)) {

141
		*len = ceph_fscrypt_blocks(*off, *len) * CEPH_FSCRYPT_BLOCK_SIZE;

142
		*off &= CEPH_FSCRYPT_BLOCK_MASK;

143
	}

144
}

145


146
int ceph_fscrypt_decrypt_block_inplace(const struct inode *inode,

147
				  struct page *page, unsigned int len,

148
				  unsigned int offs, u64 lblk_num);

149
int ceph_fscrypt_encrypt_block_inplace(const struct inode *inode,

150
				  struct page *page, unsigned int len,

151
				  unsigned int offs, u64 lblk_num);

152
int ceph_fscrypt_decrypt_pages(struct inode *inode, struct page **page,

153
			       u64 off, int len);

154
int ceph_fscrypt_decrypt_extents(struct inode *inode, struct page **page,

155
				 u64 off, struct ceph_sparse_extent *map,

156
				 u32 ext_cnt);

157
int ceph_fscrypt_encrypt_pages(struct inode *inode, struct page **page, u64 off,

158
			       int len);

159


160
static inline struct page *ceph_fscrypt_pagecache_page(struct page *page)

161
{

162
	return fscrypt_is_bounce_page(page) ? fscrypt_pagecache_page(page) : page;

163
}

164


165
#else /* CONFIG_FS_ENCRYPTION */

166


167
static inline void ceph_fscrypt_set_ops(struct super_block *sb)

168
{

169
}

170


171
static inline void ceph_fscrypt_free_dummy_policy(struct ceph_fs_client *fsc)

172
{

173
}

174


175
static inline int ceph_fscrypt_prepare_context(struct inode *dir,

176
					       struct inode *inode,

177
					       struct ceph_acl_sec_ctx *as)

178
{

179
	if (IS_ENCRYPTED(dir))

180
		return -EOPNOTSUPP;

181
	return 0;

182
}

183


184
static inline void ceph_fscrypt_as_ctx_to_req(struct ceph_mds_request *req,

185
						struct ceph_acl_sec_ctx *as_ctx)

186
{

187
}

188


189
static inline int ceph_encode_encrypted_dname(struct inode *parent, char *buf,

190
					      int len)

191
{

192
	return len;

193
}

194


195
static inline int ceph_fname_alloc_buffer(struct inode *parent,

196
					  struct fscrypt_str *fname)

197
{

198
	return 0;

199
}

200


201
static inline void ceph_fname_free_buffer(struct inode *parent,

202
					  struct fscrypt_str *fname)

203
{

204
}

205


206
static inline int ceph_fname_to_usr(const struct ceph_fname *fname,

207
				    struct fscrypt_str *tname,

208
				    struct fscrypt_str *oname, bool *is_nokey)

209
{

210
	oname->name = fname->name;

211
	oname->len = fname->name_len;

212
	return 0;

213
}

214


215
static inline int ceph_fscrypt_prepare_readdir(struct inode *dir)

216
{

217
	return 0;

218
}

219


220
static inline void ceph_fscrypt_adjust_off_and_len(struct inode *inode,

221
						   u64 *off, u64 *len)

222
{

223
}

224


225
static inline int ceph_fscrypt_decrypt_block_inplace(const struct inode *inode,

226
					  struct page *page, unsigned int len,

227
					  unsigned int offs, u64 lblk_num)

228
{

229
	return 0;

230
}

231


232
static inline int ceph_fscrypt_encrypt_block_inplace(const struct inode *inode,

233
					  struct page *page, unsigned int len,

234
					  unsigned int offs, u64 lblk_num)

235
{

236
	return 0;

237
}

238


239
static inline int ceph_fscrypt_decrypt_pages(struct inode *inode,

240
					     struct page **page, u64 off,

241
					     int len)

242
{

243
	return 0;

244
}

245


246
static inline int ceph_fscrypt_decrypt_extents(struct inode *inode,

247
					       struct page **page, u64 off,

248
					       struct ceph_sparse_extent *map,

249
					       u32 ext_cnt)

250
{

251
	return 0;

252
}

253


254
static inline int ceph_fscrypt_encrypt_pages(struct inode *inode,

255
					     struct page **page, u64 off,

256
					     int len)

257
{

258
	return 0;

259
}

260


261
static inline struct page *ceph_fscrypt_pagecache_page(struct page *page)

262
{

263
	return page;

264
}

265
#endif /* CONFIG_FS_ENCRYPTION */

266


267
static inline loff_t ceph_fscrypt_page_offset(struct page *page)

268
{

269
	return page_offset(ceph_fscrypt_pagecache_page(page));

270
}

271


272
#endif /* _CEPH_CRYPTO_H */

273


274