auth, rgw, common: switch to PK11_ImportSymKey_FIPS wrapper.

PK11_ImportSymKey() is a part of the NSS API that becomes unavailable
in FIPS mode. Apparently NSS targets stricter restrictions
than those coming from Level 1 of FIPS 140-2. As a consequence,
loading a symmetric key from a plain keyring or key db (which Ceph
needs to do due to architectural reasons) fails.

The same issue affected corosync and this patchset deals with it
the same way as corosync already does [1]:
a raw crypto key is wrapped in memory with a fresh, random wrapping
key just before being imported via PK11_UnwrapSymKey(). Of course,
this effectively lowers to FIPS level 1. Still, this would be no
different from what OpenSSL (to which we are currently migrating
in master) gives in the matter.

The patch can be *roughly* verified in the following steps:
1. mkdir ./nssdb
2. certutil -N -d ./nssdb --empty-password
3. modutil -dbdir ./nssdb -fips true
4. ../src/vstart.sh -l -n -b -o "nss_db_path=/work/ceph-3/build/nssdb"

This fix is dedicated to Luminous. In master we're switching to OpenSSL.

[1] 5dadebd21862074deaeb9a337fc9e49f5e9f692a in corosync's public repo.

Fixes: http://tracker.ceph.com/issues/38843
Signed-off-by: Radoslaw Zarzynski <rzarzyns@redhat.com>