xref: /openbmc/linux/fs/ceph/crypto.h (revision 94af0470924c6368b07f9125fde29d6698ed1558) 
12d332d5bSJeff Layton /* SPDX-License-Identifier: GPL-2.0 */
22d332d5bSJeff Layton /*
32d332d5bSJeff Layton  * Ceph fscrypt functionality
42d332d5bSJeff Layton  */
52d332d5bSJeff Layton 
62d332d5bSJeff Layton #ifndef _CEPH_CRYPTO_H
72d332d5bSJeff Layton #define _CEPH_CRYPTO_H
82d332d5bSJeff Layton 
93fd945a7SJeff Layton #include <crypto/sha2.h>
102d332d5bSJeff Layton #include <linux/fscrypt.h>
112d332d5bSJeff Layton 
12*94af0470SJeff Layton #define CEPH_FSCRYPT_BLOCK_SHIFT   12
13*94af0470SJeff Layton #define CEPH_FSCRYPT_BLOCK_SIZE    (_AC(1, UL) << CEPH_FSCRYPT_BLOCK_SHIFT)
14*94af0470SJeff Layton #define CEPH_FSCRYPT_BLOCK_MASK	   (~(CEPH_FSCRYPT_BLOCK_SIZE-1))
15*94af0470SJeff Layton 
166b5717bdSJeff Layton struct ceph_fs_client;
176b5717bdSJeff Layton struct ceph_acl_sec_ctx;
186b5717bdSJeff Layton struct ceph_mds_request;
196b5717bdSJeff Layton 
20457117f0SJeff Layton struct ceph_fname {
21457117f0SJeff Layton 	struct inode	*dir;
22457117f0SJeff Layton 	char		*name;		// b64 encoded, possibly hashed
23457117f0SJeff Layton 	unsigned char	*ctext;		// binary crypttext (if any)
24457117f0SJeff Layton 	u32		name_len;	// length of name buffer
25457117f0SJeff Layton 	u32		ctext_len;	// length of crypttext
26af9ffa6dSXiubo Li 	bool		no_copy;
27457117f0SJeff Layton };
28457117f0SJeff Layton 
292d332d5bSJeff Layton struct ceph_fscrypt_auth {
302d332d5bSJeff Layton 	__le32	cfa_version;
312d332d5bSJeff Layton 	__le32	cfa_blob_len;
322d332d5bSJeff Layton 	u8	cfa_blob[FSCRYPT_SET_CONTEXT_MAX_SIZE];
332d332d5bSJeff Layton } __packed;
342d332d5bSJeff Layton 
352d332d5bSJeff Layton #define CEPH_FSCRYPT_AUTH_VERSION	1
362d332d5bSJeff Layton static inline u32 ceph_fscrypt_auth_len(struct ceph_fscrypt_auth *fa)
372d332d5bSJeff Layton {
382d332d5bSJeff Layton 	u32 ctxsize = le32_to_cpu(fa->cfa_blob_len);
392d332d5bSJeff Layton 
402d332d5bSJeff Layton 	return offsetof(struct ceph_fscrypt_auth, cfa_blob) + ctxsize;
412d332d5bSJeff Layton }
422d332d5bSJeff Layton 
432d332d5bSJeff Layton #ifdef CONFIG_FS_ENCRYPTION
4464e86f63SLuís Henriques /*
4564e86f63SLuís Henriques  * We want to encrypt filenames when creating them, but the encrypted
4664e86f63SLuís Henriques  * versions of those names may have illegal characters in them. To mitigate
4764e86f63SLuís Henriques  * that, we base64 encode them, but that gives us a result that can exceed
4864e86f63SLuís Henriques  * NAME_MAX.
4964e86f63SLuís Henriques  *
5064e86f63SLuís Henriques  * Follow a similar scheme to fscrypt itself, and cap the filename to a
5164e86f63SLuís Henriques  * smaller size. If the ciphertext name is longer than the value below, then
5264e86f63SLuís Henriques  * sha256 hash the remaining bytes.
5364e86f63SLuís Henriques  *
5464e86f63SLuís Henriques  * For the fscrypt_nokey_name struct the dirhash[2] member is useless in ceph
5564e86f63SLuís Henriques  * so the corresponding struct will be:
5664e86f63SLuís Henriques  *
5764e86f63SLuís Henriques  * struct fscrypt_ceph_nokey_name {
5864e86f63SLuís Henriques  *	u8 bytes[157];
5964e86f63SLuís Henriques  *	u8 sha256[SHA256_DIGEST_SIZE];
6064e86f63SLuís Henriques  * }; // 180 bytes => 240 bytes base64-encoded, which is <= NAME_MAX (255)
6164e86f63SLuís Henriques  *
6264e86f63SLuís Henriques  * (240 bytes is the maximum size allowed for snapshot names to take into
6364e86f63SLuís Henriques  *  account the format: '_<SNAPSHOT-NAME>_<INODE-NUMBER>'.)
6464e86f63SLuís Henriques  *
6564e86f63SLuís Henriques  * Note that for long names that end up having their tail portion hashed, we
6664e86f63SLuís Henriques  * must also store the full encrypted name (in the dentry's alternate_name
6764e86f63SLuís Henriques  * field).
6864e86f63SLuís Henriques  */
6964e86f63SLuís Henriques #define CEPH_NOHASH_NAME_MAX (180 - SHA256_DIGEST_SIZE)
7064e86f63SLuís Henriques 
7164e86f63SLuís Henriques #define CEPH_BASE64_CHARS(nbytes) DIV_ROUND_UP((nbytes) * 4, 3)
7264e86f63SLuís Henriques 
7364e86f63SLuís Henriques int ceph_base64_encode(const u8 *src, int srclen, char *dst);
7464e86f63SLuís Henriques int ceph_base64_decode(const char *src, int srclen, u8 *dst);
7564e86f63SLuís Henriques 
762d332d5bSJeff Layton void ceph_fscrypt_set_ops(struct super_block *sb);
772d332d5bSJeff Layton 
786b5717bdSJeff Layton void ceph_fscrypt_free_dummy_policy(struct ceph_fs_client *fsc);
796b5717bdSJeff Layton 
806b5717bdSJeff Layton int ceph_fscrypt_prepare_context(struct inode *dir, struct inode *inode,
816b5717bdSJeff Layton 				 struct ceph_acl_sec_ctx *as);
826b5717bdSJeff Layton void ceph_fscrypt_as_ctx_to_req(struct ceph_mds_request *req,
836b5717bdSJeff Layton 				struct ceph_acl_sec_ctx *as);
84af9ffa6dSXiubo Li int ceph_encode_encrypted_dname(const struct inode *parent,
85af9ffa6dSXiubo Li 				struct qstr *d_name, char *buf);
863fd945a7SJeff Layton int ceph_encode_encrypted_fname(const struct inode *parent,
873fd945a7SJeff Layton 				struct dentry *dentry, char *buf);
886b5717bdSJeff Layton 
89457117f0SJeff Layton static inline int ceph_fname_alloc_buffer(struct inode *parent,
90457117f0SJeff Layton 					  struct fscrypt_str *fname)
91457117f0SJeff Layton {
92457117f0SJeff Layton 	if (!IS_ENCRYPTED(parent))
93457117f0SJeff Layton 		return 0;
94457117f0SJeff Layton 	return fscrypt_fname_alloc_buffer(NAME_MAX, fname);
95457117f0SJeff Layton }
96457117f0SJeff Layton 
97457117f0SJeff Layton static inline void ceph_fname_free_buffer(struct inode *parent,
98457117f0SJeff Layton 					  struct fscrypt_str *fname)
99457117f0SJeff Layton {
100457117f0SJeff Layton 	if (IS_ENCRYPTED(parent))
101457117f0SJeff Layton 		fscrypt_fname_free_buffer(fname);
102457117f0SJeff Layton }
103457117f0SJeff Layton 
104457117f0SJeff Layton int ceph_fname_to_usr(const struct ceph_fname *fname, struct fscrypt_str *tname,
105457117f0SJeff Layton 		      struct fscrypt_str *oname, bool *is_nokey);
106457117f0SJeff Layton 
1072d332d5bSJeff Layton #else /* CONFIG_FS_ENCRYPTION */
1082d332d5bSJeff Layton 
1092d332d5bSJeff Layton static inline void ceph_fscrypt_set_ops(struct super_block *sb)
1102d332d5bSJeff Layton {
1112d332d5bSJeff Layton }
1122d332d5bSJeff Layton 
1136b5717bdSJeff Layton static inline void ceph_fscrypt_free_dummy_policy(struct ceph_fs_client *fsc)
1146b5717bdSJeff Layton {
1156b5717bdSJeff Layton }
1166b5717bdSJeff Layton 
1176b5717bdSJeff Layton static inline int ceph_fscrypt_prepare_context(struct inode *dir,
1186b5717bdSJeff Layton 					       struct inode *inode,
1196b5717bdSJeff Layton 					       struct ceph_acl_sec_ctx *as)
1206b5717bdSJeff Layton {
1216b5717bdSJeff Layton 	if (IS_ENCRYPTED(dir))
1226b5717bdSJeff Layton 		return -EOPNOTSUPP;
1236b5717bdSJeff Layton 	return 0;
1246b5717bdSJeff Layton }
1256b5717bdSJeff Layton 
1266b5717bdSJeff Layton static inline void ceph_fscrypt_as_ctx_to_req(struct ceph_mds_request *req,
1276b5717bdSJeff Layton 						struct ceph_acl_sec_ctx *as_ctx)
1286b5717bdSJeff Layton {
1296b5717bdSJeff Layton }
1303fd945a7SJeff Layton 
131af9ffa6dSXiubo Li static inline int ceph_encode_encrypted_dname(const struct inode *parent,
132af9ffa6dSXiubo Li 					      struct qstr *d_name, char *buf)
133af9ffa6dSXiubo Li {
134af9ffa6dSXiubo Li 	memcpy(buf, d_name->name, d_name->len);
135af9ffa6dSXiubo Li 	return d_name->len;
136af9ffa6dSXiubo Li }
137af9ffa6dSXiubo Li 
1383fd945a7SJeff Layton static inline int ceph_encode_encrypted_fname(const struct inode *parent,
1393fd945a7SJeff Layton 					      struct dentry *dentry, char *buf)
1403fd945a7SJeff Layton {
1413fd945a7SJeff Layton 	return -EOPNOTSUPP;
1423fd945a7SJeff Layton }
143457117f0SJeff Layton 
144457117f0SJeff Layton static inline int ceph_fname_alloc_buffer(struct inode *parent,
145457117f0SJeff Layton 					  struct fscrypt_str *fname)
146457117f0SJeff Layton {
147457117f0SJeff Layton 	return 0;
148457117f0SJeff Layton }
149457117f0SJeff Layton 
150457117f0SJeff Layton static inline void ceph_fname_free_buffer(struct inode *parent,
151457117f0SJeff Layton 					  struct fscrypt_str *fname)
152457117f0SJeff Layton {
153457117f0SJeff Layton }
154457117f0SJeff Layton 
155457117f0SJeff Layton static inline int ceph_fname_to_usr(const struct ceph_fname *fname,
156457117f0SJeff Layton 				    struct fscrypt_str *tname,
157457117f0SJeff Layton 				    struct fscrypt_str *oname, bool *is_nokey)
158457117f0SJeff Layton {
159457117f0SJeff Layton 	oname->name = fname->name;
160457117f0SJeff Layton 	oname->len = fname->name_len;
161457117f0SJeff Layton 	return 0;
162457117f0SJeff Layton }
1632d332d5bSJeff Layton #endif /* CONFIG_FS_ENCRYPTION */
1642d332d5bSJeff Layton 
1652d332d5bSJeff Layton #endif
166