[v4,01/21] fscrypt: expose fscrypt_nokey_name

Message ID	a122b3391a6a07270e3c7422cc358f7fcf898ee3.1666651724.git.sweettea-kernel@dorminy.me (mailing list archive)
State	Superseded
Headers	show Return-Path: <linux-fscrypt-owner@kernel.org> From: Sweet Tea Dorminy <sweettea-kernel@dorminy.me> To: "Theodore Y. Ts'o" <tytso@mit.edu>, Jaegeuk Kim <jaegeuk@kernel.org>, Eric Biggers <ebiggers@kernel.org>, Chris Mason <clm@fb.com>, Josef Bacik <josef@toxicpanda.com>, David Sterba <dsterba@suse.com>, linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org, kernel-team@meta.com Cc: Omar Sandoval <osandov@osandov.com>, Sweet Tea Dorminy <sweettea-kernel@dorminy.me> Subject: [PATCH v4 01/21] fscrypt: expose fscrypt_nokey_name Date: Mon, 24 Oct 2022 19:13:11 -0400 Message-Id: <a122b3391a6a07270e3c7422cc358f7fcf898ee3.1666651724.git.sweettea-kernel@dorminy.me> In-Reply-To: <cover.1666651724.git.sweettea-kernel@dorminy.me> References: <cover.1666651724.git.sweettea-kernel@dorminy.me> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	btrfs: add fscrypt integration \| expand [v4,00/21] btrfs: add fscrypt integration [v4,01/21] fscrypt: expose fscrypt_nokey_name [v4,02/21] fscrypt: add fscrypt_have_same_policy() to check inode compatibility [v4,03/21] fscrypt: allow fscrypt_generate_iv() to distinguish filenames [v4,04/21] fscrypt: add extent-based encryption [v4,05/21] fscrypt: direct key policies for extent-based encryption [v4,06/21] fscrypt: document btrfs' fscrypt quirks. [v4,07/21] btrfs: use struct qstr instead of name and namelen [v4,08/21] btrfs: setup qstrings from dentrys using fscrypt helper [v4,09/21] btrfs: use struct fscrypt_str instead of struct qstr [v4,10/21] btrfs: store directory encryption state [v4,11/21] btrfs: disable various operations on encrypted inodes [v4,12/21] btrfs: start using fscrypt hooks [v4,13/21] btrfs: add fscrypt_context items [v4,14/21] btrfs: translate btrfs encryption flags and encrypted inode flag [v4,15/21] btrfs: store a fscrypt extent context per normal file extent [v4,16/21] btrfs: encrypt normal file extent data if appropriate [v4,17/21] btrfs: Add new FEATURE_INCOMPAT_ENCRYPT feature flag. [v4,18/21] btrfs: implement fscrypt ioctls [v4,19/21] btrfs: permit searching for nokey names for removal [v4,20/21] btrfs: use correct name hash for nokey names [v4,21/21] btrfs: encrypt verity items

diff --git a/fs/crypto/fname.c b/fs/crypto/fname.c index 12bd61d20f69..6c092a1533f7 100644 --- a/fs/crypto/fname.c +++ b/fs/crypto/fname.c @@ -14,7 +14,6 @@ #include <linux/namei.h> #include <linux/scatterlist.h> #include <crypto/hash.h> -#include <crypto/sha2.h> #include <crypto/skcipher.h> #include "fscrypt_private.h" @@ -26,43 +25,7 @@ #define FSCRYPT_FNAME_MIN_MSG_LEN 16 /* - * struct fscrypt_nokey_name - identifier for directory entry when key is absent - * - * When userspace lists an encrypted directory without access to the key, the - * filesystem must present a unique "no-key name" for each filename that allows - * it to find the directory entry again if requested. Naively, that would just - * mean using the ciphertext filenames. However, since the ciphertext filenames - * can contain illegal characters ('\0' and '/'), they must be encoded in some - * way. We use base64url. But that can cause names to exceed NAME_MAX (255 - * bytes), so we also need to use a strong hash to abbreviate long names. - * - * The filesystem may also need another kind of hash, the "dirhash", to quickly - * find the directory entry. Since filesystems normally compute the dirhash - * over the on-disk filename (i.e. the ciphertext), it's not computable from - * no-key names that abbreviate the ciphertext using the strong hash to fit in - * NAME_MAX. It's also not computable if it's a keyed hash taken over the - * plaintext (but it may still be available in the on-disk directory entry); - * casefolded directories use this type of dirhash. At least in these cases, - * each no-key name must include the name's dirhash too. - * - * To meet all these requirements, we base64url-encode the following - * variable-length structure. It contains the dirhash, or 0's if the filesystem - * didn't provide one; up to 149 bytes of the ciphertext name; and for - * ciphertexts longer than 149 bytes, also the SHA-256 of the remaining bytes. - * - * This ensures that each no-key name contains everything needed to find the - * directory entry again, contains only legal characters, doesn't exceed - * NAME_MAX, is unambiguous unless there's a SHA-256 collision, and that we only - * take the performance hit of SHA-256 on very long filenames (which are rare). - */ -struct fscrypt_nokey_name { - u32 dirhash[2]; - u8 bytes[149]; - u8 sha256[SHA256_DIGEST_SIZE]; -}; /* 189 bytes => 252 bytes base64url-encoded, which is <= NAME_MAX (255) */ - -/* - * Decoded size of max-size no-key name, i.e. a name that was abbreviated using + * Decoded size of max-size nokey name, i.e. a name that was abbreviated using * the strong hash and thus includes the 'sha256' field. This isn't simply * sizeof(struct fscrypt_nokey_name), as the padding at the end isn't included. */ diff --git a/include/linux/fscrypt.h b/include/linux/fscrypt.h index cad78b569c7e..4cdff7c15544 100644 --- a/include/linux/fscrypt.h +++ b/include/linux/fscrypt.h @@ -16,6 +16,7 @@ #include <linux/fs.h> #include <linux/mm.h> #include <linux/slab.h> +#include <crypto/sha2.h> #include <uapi/linux/fscrypt.h> /* @@ -54,6 +55,42 @@ struct fscrypt_name { #define fname_name(p) ((p)->disk_name.name) #define fname_len(p) ((p)->disk_name.len) +/* + * struct fscrypt_nokey_name - identifier for directory entry when key is absent + * + * When userspace lists an encrypted directory without access to the key, the + * filesystem must present a unique "no-key name" for each filename that allows + * it to find the directory entry again if requested. Naively, that would just + * mean using the ciphertext filenames. However, since the ciphertext filenames + * can contain illegal characters ('\0' and '/'), they must be encoded in some + * way. We use base64url. But that can cause names to exceed NAME_MAX (255 + * bytes), so we also need to use a strong hash to abbreviate long names. + * + * The filesystem may also need another kind of hash, the "dirhash", to quickly + * find the directory entry. Since filesystems normally compute the dirhash + * over the on-disk filename (i.e. the ciphertext), it's not computable from + * no-key names that abbreviate the ciphertext using the strong hash to fit in + * NAME_MAX. It's also not computable if it's a keyed hash taken over the + * plaintext (but it may still be available in the on-disk directory entry); + * casefolded directories use this type of dirhash. At least in these cases, + * each no-key name must include the name's dirhash too. + * + * To meet all these requirements, we base64url-encode the following + * variable-length structure. It contains the dirhash, or 0's if the filesystem + * didn't provide one; up to 149 bytes of the ciphertext name; and for + * ciphertexts longer than 149 bytes, also the SHA-256 of the remaining bytes. + * + * This ensures that each no-key name contains everything needed to find the + * directory entry again, contains only legal characters, doesn't exceed + * NAME_MAX, is unambiguous unless there's a SHA-256 collision, and that we only + * take the performance hit of SHA-256 on very long filenames (which are rare). + */ +struct fscrypt_nokey_name { + u32 dirhash[2]; + u8 bytes[149]; + u8 sha256[SHA256_DIGEST_SIZE]; +}; /* 189 bytes => 252 bytes base64url-encoded, which is <= NAME_MAX (255) */ + /* Maximum value for the third parameter of fscrypt_operations.set_context(). */ #define FSCRYPT_SET_CONTEXT_MAX_SIZE 40

[v4,01/21] fscrypt: expose fscrypt_nokey_name

Commit Message

Patch