[linux.git] / net / ceph / crypto.c

// SPDX-License-Identifier: GPL-2.0

#include <linux/ceph/ceph_debug.h>

#include <linux/err.h>
#include <linux/scatterlist.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <crypto/aes.h>
#include <crypto/skcipher.h>
#include <linux/key-type.h>
#include <linux/sched/mm.h>

#include <keys/ceph-type.h>
#include <keys/user-type.h>
#include <linux/ceph/decode.h>
#include "crypto.h"

/*
 * Set ->key and ->tfm.  The rest of the key should be filled in before
 * this function is called.
 */
static int set_secret(struct ceph_crypto_key *key, void *buf)
{
	unsigned int noio_flag;
	int ret;

	key->key = NULL;
	key->tfm = NULL;

	switch (key->type) {
	case CEPH_CRYPTO_NONE:
		return 0; /* nothing to do */
	case CEPH_CRYPTO_AES:
		break;
	default:
		return -ENOTSUPP;
	}

	WARN_ON(!key->len);
	key->key = kmemdup(buf, key->len, GFP_NOIO);
	if (!key->key) {
		ret = -ENOMEM;
		goto fail;
	}

	/* crypto_alloc_skcipher() allocates with GFP_KERNEL */
	noio_flag = memalloc_noio_save();
	key->tfm = crypto_alloc_skcipher("cbc(aes)", 0, CRYPTO_ALG_ASYNC);
	memalloc_noio_restore(noio_flag);
	if (IS_ERR(key->tfm)) {
		ret = PTR_ERR(key->tfm);
		key->tfm = NULL;
		goto fail;
	}

	ret = crypto_skcipher_setkey(key->tfm, key->key, key->len);
	if (ret)
		goto fail;

	return 0;

fail:
	ceph_crypto_key_destroy(key);
	return ret;
}

int ceph_crypto_key_clone(struct ceph_crypto_key *dst,
			  const struct ceph_crypto_key *src)
{
	memcpy(dst, src, sizeof(struct ceph_crypto_key));
	return set_secret(dst, src->key);
}

int ceph_crypto_key_encode(struct ceph_crypto_key *key, void **p, void *end)
{
	if (*p + sizeof(u16) + sizeof(key->created) +
	    sizeof(u16) + key->len > end)
		return -ERANGE;
	ceph_encode_16(p, key->type);
	ceph_encode_copy(p, &key->created, sizeof(key->created));
	ceph_encode_16(p, key->len);
	ceph_encode_copy(p, key->key, key->len);
	return 0;
}

int ceph_crypto_key_decode(struct ceph_crypto_key *key, void **p, void *end)
{
	int ret;

	ceph_decode_need(p, end, 2*sizeof(u16) + sizeof(key->created), bad);
	key->type = ceph_decode_16(p);
	ceph_decode_copy(p, &key->created, sizeof(key->created));
	key->len = ceph_decode_16(p);
	ceph_decode_need(p, end, key->len, bad);
	ret = set_secret(key, *p);
	*p += key->len;
	return ret;

bad:
	dout("failed to decode crypto key\n");
	return -EINVAL;
}

int ceph_crypto_key_unarmor(struct ceph_crypto_key *key, const char *inkey)
{
	int inlen = strlen(inkey);
	int blen = inlen * 3 / 4;
	void *buf, *p;
	int ret;

	dout("crypto_key_unarmor %s\n", inkey);
	buf = kmalloc(blen, GFP_NOFS);
	if (!buf)
		return -ENOMEM;
	blen = ceph_unarmor(buf, inkey, inkey+inlen);
	if (blen < 0) {
		kfree(buf);
		return blen;
	}

	p = buf;
	ret = ceph_crypto_key_decode(key, &p, p + blen);
	kfree(buf);
	if (ret)
		return ret;
	dout("crypto_key_unarmor key %p type %d len %d\n", key,
	     key->type, key->len);
	return 0;
}

void ceph_crypto_key_destroy(struct ceph_crypto_key *key)
{
	if (key) {
		kfree(key->key);
		key->key = NULL;
		crypto_free_skcipher(key->tfm);
		key->tfm = NULL;
	}
}

static const u8 *aes_iv = (u8 *)CEPH_AES_IV;

/*
 * Should be used for buffers allocated with ceph_kvmalloc().
 * Currently these are encrypt out-buffer (ceph_buffer) and decrypt
 * in-buffer (msg front).
 *
 * Dispose of @sgt with teardown_sgtable().
 *
 * @prealloc_sg is to avoid memory allocation inside sg_alloc_table()
 * in cases where a single sg is sufficient.  No attempt to reduce the
 * number of sgs by squeezing physically contiguous pages together is
 * made though, for simplicity.
 */
static int setup_sgtable(struct sg_table *sgt, struct scatterlist *prealloc_sg,
			 const void *buf, unsigned int buf_len)
{
	struct scatterlist *sg;
	const bool is_vmalloc = is_vmalloc_addr(buf);
	unsigned int off = offset_in_page(buf);
	unsigned int chunk_cnt = 1;
	unsigned int chunk_len = PAGE_ALIGN(off + buf_len);
	int i;
	int ret;

	if (buf_len == 0) {
		memset(sgt, 0, sizeof(*sgt));
		return -EINVAL;
	}

	if (is_vmalloc) {
		chunk_cnt = chunk_len >> PAGE_SHIFT;
		chunk_len = PAGE_SIZE;
	}

	if (chunk_cnt > 1) {
		ret = sg_alloc_table(sgt, chunk_cnt, GFP_NOFS);
		if (ret)
			return ret;
	} else {
		WARN_ON(chunk_cnt != 1);
		sg_init_table(prealloc_sg, 1);
		sgt->sgl = prealloc_sg;
		sgt->nents = sgt->orig_nents = 1;
	}

	for_each_sg(sgt->sgl, sg, sgt->orig_nents, i) {
		struct page *page;
		unsigned int len = min(chunk_len - off, buf_len);

		if (is_vmalloc)
			page = vmalloc_to_page(buf);
		else
			page = virt_to_page(buf);

		sg_set_page(sg, page, len, off);

		off = 0;
		buf += len;
		buf_len -= len;
	}
	WARN_ON(buf_len != 0);

	return 0;
}

static void teardown_sgtable(struct sg_table *sgt)
{
	if (sgt->orig_nents > 1)
		sg_free_table(sgt);
}

static int ceph_aes_crypt(const struct ceph_crypto_key *key, bool encrypt,
			  void *buf, int buf_len, int in_len, int *pout_len)
{
	SKCIPHER_REQUEST_ON_STACK(req, key->tfm);
	struct sg_table sgt;
	struct scatterlist prealloc_sg;
	char iv[AES_BLOCK_SIZE] __aligned(8);
	int pad_byte = AES_BLOCK_SIZE - (in_len & (AES_BLOCK_SIZE - 1));
	int crypt_len = encrypt ? in_len + pad_byte : in_len;
	int ret;

	WARN_ON(crypt_len > buf_len);
	if (encrypt)
		memset(buf + in_len, pad_byte, pad_byte);
	ret = setup_sgtable(&sgt, &prealloc_sg, buf, crypt_len);
	if (ret)
		return ret;

	memcpy(iv, aes_iv, AES_BLOCK_SIZE);
	skcipher_request_set_tfm(req, key->tfm);
	skcipher_request_set_callback(req, 0, NULL, NULL);
	skcipher_request_set_crypt(req, sgt.sgl, sgt.sgl, crypt_len, iv);

	/*
	print_hex_dump(KERN_ERR, "key: ", DUMP_PREFIX_NONE, 16, 1,
		       key->key, key->len, 1);
	print_hex_dump(KERN_ERR, " in: ", DUMP_PREFIX_NONE, 16, 1,
		       buf, crypt_len, 1);
	*/
	if (encrypt)
		ret = crypto_skcipher_encrypt(req);
	else
		ret = crypto_skcipher_decrypt(req);
	skcipher_request_zero(req);
	if (ret) {
		pr_err("%s %scrypt failed: %d\n", __func__,
		       encrypt ? "en" : "de", ret);
		goto out_sgt;
	}
	/*
	print_hex_dump(KERN_ERR, "out: ", DUMP_PREFIX_NONE, 16, 1,
		       buf, crypt_len, 1);
	*/

	if (encrypt) {
		*pout_len = crypt_len;
	} else {
		pad_byte = *(char *)(buf + in_len - 1);
		if (pad_byte > 0 && pad_byte <= AES_BLOCK_SIZE &&
		    in_len >= pad_byte) {
			*pout_len = in_len - pad_byte;
		} else {
			pr_err("%s got bad padding %d on in_len %d\n",
			       __func__, pad_byte, in_len);
			ret = -EPERM;
			goto out_sgt;
		}
	}

out_sgt:
	teardown_sgtable(&sgt);
	return ret;
}

int ceph_crypt(const struct ceph_crypto_key *key, bool encrypt,
	       void *buf, int buf_len, int in_len, int *pout_len)
{
	switch (key->type) {
	case CEPH_CRYPTO_NONE:
		*pout_len = in_len;
		return 0;
	case CEPH_CRYPTO_AES:
		return ceph_aes_crypt(key, encrypt, buf, buf_len, in_len,
				      pout_len);
	default:
		return -ENOTSUPP;
	}
}

static int ceph_key_preparse(struct key_preparsed_payload *prep)
{
	struct ceph_crypto_key *ckey;
	size_t datalen = prep->datalen;
	int ret;
	void *p;

	ret = -EINVAL;
	if (datalen <= 0 || datalen > 32767 || !prep->data)
		goto err;

	ret = -ENOMEM;
	ckey = kmalloc(sizeof(*ckey), GFP_KERNEL);
	if (!ckey)
		goto err;

	/* TODO ceph_crypto_key_decode should really take const input */
	p = (void *)prep->data;
	ret = ceph_crypto_key_decode(ckey, &p, (char*)prep->data+datalen);
	if (ret < 0)
		goto err_ckey;

	prep->payload.data[0] = ckey;
	prep->quotalen = datalen;
	return 0;

err_ckey:
	kfree(ckey);
err:
	return ret;
}

static void ceph_key_free_preparse(struct key_preparsed_payload *prep)
{
	struct ceph_crypto_key *ckey = prep->payload.data[0];
	ceph_crypto_key_destroy(ckey);
	kfree(ckey);
}

static void ceph_key_destroy(struct key *key)
{
	struct ceph_crypto_key *ckey = key->payload.data[0];

	ceph_crypto_key_destroy(ckey);
	kfree(ckey);
}

struct key_type key_type_ceph = {
	.name		= "ceph",
	.preparse	= ceph_key_preparse,
	.free_preparse	= ceph_key_free_preparse,
	.instantiate	= generic_key_instantiate,
	.destroy	= ceph_key_destroy,
};

int ceph_crypto_init(void) {
	return register_key_type(&key_type_ceph);
}

void ceph_crypto_shutdown(void) {
	unregister_key_type(&key_type_ceph);
}
Commit	Line	Data
b2441318	1	// SPDX-License-Identifier: GPL-2.0
8b6e4f2d	2
3d14c5d2	3	#include <linux/ceph/ceph_debug.h>
8b6e4f2d SW	4
	5	#include <linux/err.h>
	6	#include <linux/scatterlist.h>
7fea24c6	7	#include <linux/sched.h>
5a0e3ad6	8	#include <linux/slab.h>
e59dd982 HX	9	#include <crypto/aes.h>
e59dd982 HX	10	#include <crypto/skcipher.h>
4b2a58ab	11	#include <linux/key-type.h>
5b3cc15a	12	#include <linux/sched/mm.h>
8b6e4f2d	13
4b2a58ab	14	#include <keys/ceph-type.h>
7c3bec0a	15	#include <keys/user-type.h>
3d14c5d2	16	#include <linux/ceph/decode.h>
8b6e4f2d	17	#include "crypto.h"
8b6e4f2d	18
7af3ea18 ID	19	/*
	20	* Set ->key and ->tfm. The rest of the key should be filled in before
	21	* this function is called.
	22	*/
	23	static int set_secret(struct ceph_crypto_key key, void buf)
	24	{
	25	unsigned int noio_flag;
	26	int ret;
	27
	28	key->key = NULL;
	29	key->tfm = NULL;
	30
	31	switch (key->type) {
	32	case CEPH_CRYPTO_NONE:
	33	return 0; /* nothing to do */
	34	case CEPH_CRYPTO_AES:
	35	break;
	36	default:
	37	return -ENOTSUPP;
	38	}
	39
	40	WARN_ON(!key->len);
	41	key->key = kmemdup(buf, key->len, GFP_NOIO);
	42	if (!key->key) {
	43	ret = -ENOMEM;
	44	goto fail;
	45	}
	46
	47	/* crypto_alloc_skcipher() allocates with GFP_KERNEL */
	48	noio_flag = memalloc_noio_save();
	49	key->tfm = crypto_alloc_skcipher("cbc(aes)", 0, CRYPTO_ALG_ASYNC);
	50	memalloc_noio_restore(noio_flag);
	51	if (IS_ERR(key->tfm)) {
	52	ret = PTR_ERR(key->tfm);
	53	key->tfm = NULL;
	54	goto fail;
	55	}
	56
	57	ret = crypto_skcipher_setkey(key->tfm, key->key, key->len);
	58	if (ret)
	59	goto fail;
	60
	61	return 0;
	62
	63	fail:
	64	ceph_crypto_key_destroy(key);
	65	return ret;
	66	}
	67
8323c3aa TV	68	int ceph_crypto_key_clone(struct ceph_crypto_key *dst,
	69	const struct ceph_crypto_key *src)
	70	{
	71	memcpy(dst, src, sizeof(struct ceph_crypto_key));
7af3ea18	72	return set_secret(dst, src->key);
8323c3aa TV	73	}
8323c3aa TV	74
8b6e4f2d SW	75	int ceph_crypto_key_encode(struct ceph_crypto_key key, void p, void end)
	76	{
	77	if (*p + sizeof(u16) + sizeof(key->created) +
	78	sizeof(u16) + key->len > end)
	79	return -ERANGE;
	80	ceph_encode_16(p, key->type);
	81	ceph_encode_copy(p, &key->created, sizeof(key->created));
	82	ceph_encode_16(p, key->len);
	83	ceph_encode_copy(p, key->key, key->len);
	84	return 0;
	85	}
	86
	87	int ceph_crypto_key_decode(struct ceph_crypto_key key, void p, void end)
	88	{
7af3ea18 ID	89	int ret;
7af3ea18 ID	90
8b6e4f2d SW	91	ceph_decode_need(p, end, 2*sizeof(u16) + sizeof(key->created), bad);
	92	key->type = ceph_decode_16(p);
	93	ceph_decode_copy(p, &key->created, sizeof(key->created));
	94	key->len = ceph_decode_16(p);
	95	ceph_decode_need(p, end, key->len, bad);
7af3ea18 ID	96	ret = set_secret(key, *p);
	97	*p += key->len;
	98	return ret;
8b6e4f2d SW	99
	100	bad:
	101	dout("failed to decode crypto key\n");
	102	return -EINVAL;
	103	}
	104
	105	int ceph_crypto_key_unarmor(struct ceph_crypto_key key, const char inkey)
	106	{
	107	int inlen = strlen(inkey);
	108	int blen = inlen * 3 / 4;
	109	void buf, p;
	110	int ret;
	111
	112	dout("crypto_key_unarmor %s\n", inkey);
	113	buf = kmalloc(blen, GFP_NOFS);
	114	if (!buf)
	115	return -ENOMEM;
	116	blen = ceph_unarmor(buf, inkey, inkey+inlen);
	117	if (blen < 0) {
	118	kfree(buf);
	119	return blen;
	120	}
	121
	122	p = buf;
	123	ret = ceph_crypto_key_decode(key, &p, p + blen);
	124	kfree(buf);
	125	if (ret)
	126	return ret;
	127	dout("crypto_key_unarmor key %p type %d len %d\n", key,
	128	key->type, key->len);
	129	return 0;
	130	}
	131
6db2304a ID	132	void ceph_crypto_key_destroy(struct ceph_crypto_key *key)
	133	{
	134	if (key) {
	135	kfree(key->key);
	136	key->key = NULL;
7af3ea18 ID	137	crypto_free_skcipher(key->tfm);
7af3ea18 ID	138	key->tfm = NULL;
6db2304a ID	139	}
	140	}
	141
cbbfe499	142	static const u8 aes_iv = (u8 )CEPH_AES_IV;
8b6e4f2d	143
aaef3170 ID	144	/*
	145	* Should be used for buffers allocated with ceph_kvmalloc().
	146	* Currently these are encrypt out-buffer (ceph_buffer) and decrypt
	147	* in-buffer (msg front).
	148	*
	149	* Dispose of @sgt with teardown_sgtable().
	150	*
	151	* @prealloc_sg is to avoid memory allocation inside sg_alloc_table()
	152	* in cases where a single sg is sufficient. No attempt to reduce the
	153	* number of sgs by squeezing physically contiguous pages together is
	154	* made though, for simplicity.
	155	*/
	156	static int setup_sgtable(struct sg_table sgt, struct scatterlist prealloc_sg,
	157	const void *buf, unsigned int buf_len)
	158	{
	159	struct scatterlist *sg;
	160	const bool is_vmalloc = is_vmalloc_addr(buf);
	161	unsigned int off = offset_in_page(buf);
	162	unsigned int chunk_cnt = 1;
	163	unsigned int chunk_len = PAGE_ALIGN(off + buf_len);
	164	int i;
	165	int ret;
	166
	167	if (buf_len == 0) {
	168	memset(sgt, 0, sizeof(*sgt));
	169	return -EINVAL;
	170	}
	171
	172	if (is_vmalloc) {
	173	chunk_cnt = chunk_len >> PAGE_SHIFT;
	174	chunk_len = PAGE_SIZE;
	175	}
	176
	177	if (chunk_cnt > 1) {
	178	ret = sg_alloc_table(sgt, chunk_cnt, GFP_NOFS);
	179	if (ret)
	180	return ret;
	181	} else {
	182	WARN_ON(chunk_cnt != 1);
	183	sg_init_table(prealloc_sg, 1);
	184	sgt->sgl = prealloc_sg;
	185	sgt->nents = sgt->orig_nents = 1;
	186	}
	187
	188	for_each_sg(sgt->sgl, sg, sgt->orig_nents, i) {
	189	struct page *page;
	190	unsigned int len = min(chunk_len - off, buf_len);
	191
	192	if (is_vmalloc)
	193	page = vmalloc_to_page(buf);
	194	else
	195	page = virt_to_page(buf);
	196
	197	sg_set_page(sg, page, len, off);
	198
	199	off = 0;
	200	buf += len;
	201	buf_len -= len;
	202	}
	203	WARN_ON(buf_len != 0);
	204
	205	return 0;
	206	}
	207
208	static void teardown_sgtable(struct sg_table *sgt)
209	{
210	if (sgt->orig_nents > 1)
211	sg_free_table(sgt);
212	}
213
a45f795c ID	214	static int ceph_aes_crypt(const struct ceph_crypto_key *key, bool encrypt,
	215	void buf, int buf_len, int in_len, int pout_len)
	216	{
7af3ea18	217	SKCIPHER_REQUEST_ON_STACK(req, key->tfm);
a45f795c ID	218	struct sg_table sgt;
a45f795c ID	219	struct scatterlist prealloc_sg;
124f930b	220	char iv[AES_BLOCK_SIZE] __aligned(8);
a45f795c ID	221	int pad_byte = AES_BLOCK_SIZE - (in_len & (AES_BLOCK_SIZE - 1));
	222	int crypt_len = encrypt ? in_len + pad_byte : in_len;
	223	int ret;
	224
a45f795c ID	225	WARN_ON(crypt_len > buf_len);
	226	if (encrypt)
	227	memset(buf + in_len, pad_byte, pad_byte);
	228	ret = setup_sgtable(&sgt, &prealloc_sg, buf, crypt_len);
	229	if (ret)
7af3ea18	230	return ret;
a45f795c	231
a45f795c	232	memcpy(iv, aes_iv, AES_BLOCK_SIZE);
7af3ea18	233	skcipher_request_set_tfm(req, key->tfm);
a45f795c ID	234	skcipher_request_set_callback(req, 0, NULL, NULL);
	235	skcipher_request_set_crypt(req, sgt.sgl, sgt.sgl, crypt_len, iv);
	236
	237	/*
	238	print_hex_dump(KERN_ERR, "key: ", DUMP_PREFIX_NONE, 16, 1,
	239	key->key, key->len, 1);
	240	print_hex_dump(KERN_ERR, " in: ", DUMP_PREFIX_NONE, 16, 1,
	241	buf, crypt_len, 1);
	242	*/
	243	if (encrypt)
	244	ret = crypto_skcipher_encrypt(req);
	245	else
	246	ret = crypto_skcipher_decrypt(req);
	247	skcipher_request_zero(req);
	248	if (ret) {
	249	pr_err("%s %scrypt failed: %d\n", __func__,
	250	encrypt ? "en" : "de", ret);
	251	goto out_sgt;
	252	}
	253	/*
	254	print_hex_dump(KERN_ERR, "out: ", DUMP_PREFIX_NONE, 16, 1,
	255	buf, crypt_len, 1);
	256	*/
	257
	258	if (encrypt) {
	259	*pout_len = crypt_len;
	260	} else {
	261	pad_byte = (char )(buf + in_len - 1);
	262	if (pad_byte > 0 && pad_byte <= AES_BLOCK_SIZE &&
	263	in_len >= pad_byte) {
	264	*pout_len = in_len - pad_byte;
	265	} else {
	266	pr_err("%s got bad padding %d on in_len %d\n",
	267	__func__, pad_byte, in_len);
	268	ret = -EPERM;
	269	goto out_sgt;
	270	}
	271	}
	272
	273	out_sgt:
	274	teardown_sgtable(&sgt);
a45f795c ID	275	return ret;
	276	}
	277
	278	int ceph_crypt(const struct ceph_crypto_key *key, bool encrypt,
	279	void buf, int buf_len, int in_len, int pout_len)
	280	{
	281	switch (key->type) {
	282	case CEPH_CRYPTO_NONE:
	283	*pout_len = in_len;
	284	return 0;
	285	case CEPH_CRYPTO_AES:
	286	return ceph_aes_crypt(key, encrypt, buf, buf_len, in_len,
	287	pout_len);
	288	default:
	289	return -ENOTSUPP;
	290	}
	291	}
	292
efa64c09	293	static int ceph_key_preparse(struct key_preparsed_payload *prep)
4b2a58ab TV	294	{
4b2a58ab TV	295	struct ceph_crypto_key *ckey;
cf7f601c	296	size_t datalen = prep->datalen;
4b2a58ab TV	297	int ret;
	298	void *p;
	299
	300	ret = -EINVAL;
cf7f601c	301	if (datalen <= 0 \|\| datalen > 32767 \|\| !prep->data)
4b2a58ab TV	302	goto err;
4b2a58ab TV	303
4b2a58ab TV	304	ret = -ENOMEM;
	305	ckey = kmalloc(sizeof(*ckey), GFP_KERNEL);
	306	if (!ckey)
	307	goto err;
	308
	309	/* TODO ceph_crypto_key_decode should really take const input */
cf7f601c DH	310	p = (void *)prep->data;
cf7f601c DH	311	ret = ceph_crypto_key_decode(ckey, &p, (char*)prep->data+datalen);
4b2a58ab TV	312	if (ret < 0)
	313	goto err_ckey;
	314
146aa8b1	315	prep->payload.data[0] = ckey;
efa64c09	316	prep->quotalen = datalen;
4b2a58ab TV	317	return 0;
	318
	319	err_ckey:
	320	kfree(ckey);
	321	err:
	322	return ret;
	323	}
	324
efa64c09 DH	325	static void ceph_key_free_preparse(struct key_preparsed_payload *prep)
efa64c09 DH	326	{
146aa8b1	327	struct ceph_crypto_key *ckey = prep->payload.data[0];
efa64c09 DH	328	ceph_crypto_key_destroy(ckey);
	329	kfree(ckey);
	330	}
	331
efa64c09 DH	332	static void ceph_key_destroy(struct key *key)
efa64c09 DH	333	{
146aa8b1	334	struct ceph_crypto_key *ckey = key->payload.data[0];
4b2a58ab TV	335
4b2a58ab TV	336	ceph_crypto_key_destroy(ckey);
f0666b1a	337	kfree(ckey);
4b2a58ab TV	338	}
	339
	340	struct key_type key_type_ceph = {
	341	.name = "ceph",
efa64c09 DH	342	.preparse = ceph_key_preparse,
	343	.free_preparse = ceph_key_free_preparse,
	344	.instantiate = generic_key_instantiate,
4b2a58ab TV	345	.destroy = ceph_key_destroy,
	346	};
	347
	348	int ceph_crypto_init(void) {
	349	return register_key_type(&key_type_ceph);
	350	}
	351
	352	void ceph_crypto_shutdown(void) {
	353	unregister_key_type(&key_type_ceph);
	354	}