rgw: rgw::auth::s3::get_v4_signature doesn't depend on req_state anymore.
authorRadoslaw Zarzynski <rzarzynski@mirantis.com>
Fri, 14 Apr 2017 14:51:54 +0000 (16:51 +0200)
committerRadoslaw Zarzynski <rzarzynski@mirantis.com>
Wed, 7 Jun 2017 10:43:15 +0000 (12:43 +0200)
Signed-off-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>
src/rgw/rgw_auth_s3.cc
src/rgw/rgw_auth_s3.h
src/rgw/rgw_common.h
src/rgw/rgw_rest_s3.cc

index 5097ed0b73f8b47d7cae83e20b539b7fcd708821..c6b9225632926a38fac157214faf1ceaccdab734 100644 (file)
@@ -680,13 +680,14 @@ std::string get_v4_string_to_sign(CephContext* const cct,
 /*
  * calculate the AWS signature version 4
  */
-std::string get_v4_signature(struct req_state* const s,
+std::string get_v4_signature(CephContext* const cct,
                              const std::string& access_key_id,
                              const std::string& date,
                              const std::string& region,
                              const std::string& service,
                              const std::string& string_to_sign,
-                             const std::string& access_key_secret)
+                             const std::string& access_key_secret,
+                             char (&signing_key)[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE])
 {
   std::string secret_key = "AWS4" + access_key_secret;
   char secret_k[secret_key.size() * MAX_UTF8_SZ];
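Review bot: The new `signing_key` argument is an output, but neither the comment above this definition nor the one at the declaration in rgw_auth_s3.h says so; "makeshift-only parameter" tells a caller nothing about what is written into the buffer. Because every call now stores the derived AWS4 signing key in caller-owned memory, I would extend the header comment to something like `/* calculate the AWS signature version 4; the derived SigningKey is written to signing_key (out) */`. The function body continues outside this hunk.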
@@ -708,7 +709,7 @@ std::string get_v4_signature(struct req_state* const s,
   char aux[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE * 2 + 1];
   buf_to_hex((unsigned char *) date_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux);
 
-  ldout(s->cct, 10) << "date_k        = " << string(aux) << dendl;
+  ldout(cct, 10) << "date_k        = " << string(aux) << dendl;
 
   /* region */
 
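Review bot: `date_k` is an intermediate HMAC key derived from the secret access key, and the rewritten `ldout(cct, 10)` line still dumps it to the log in hex. The same applies to `region_k`, `service_k` and `signing_k` in the following hunks of this function, and to the `aws4 chunk signing_key` line at level 20 in rgw_rest_s3.cc. Anyone who can read a debug log containing the signing key can compute valid signatures for that credential scope without knowing the secret. Since these lines are being touched anyway, I would drop the key dumps and keep only the final signature, or gate them behind something stricter than a debug level. The function starts and ends outside this hunk.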
@@ -717,7 +718,7 @@ std::string get_v4_signature(struct req_state* const s,
 
   buf_to_hex((unsigned char *) region_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux);
 
-  ldout(s->cct, 10) << "region_k      = " << string(aux) << dendl;
+  ldout(cct, 10) << "region_k      = " << string(aux) << dendl;
 
   /* service */
 
@@ -726,33 +727,30 @@ std::string get_v4_signature(struct req_state* const s,
 
   buf_to_hex((unsigned char *) service_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux);
 
-  ldout(s->cct, 10) << "service_k     = " << string(aux) << dendl;
+  ldout(cct, 10) << "service_k     = " << string(aux) << dendl;
 
   /* aws4_request */
 
-  char *signing_k = s->aws4_auth->signing_k;
+  calc_hmac_sha256(service_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, "aws4_request", 12, signing_key);
 
-  calc_hmac_sha256(service_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, "aws4_request", 12, signing_k);
+  buf_to_hex((unsigned char *) signing_key, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux);
 
-  buf_to_hex((unsigned char *) signing_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux);
-
-  ldout(s->cct, 10) << "signing_k     = " << string(aux) << dendl;
-
-  /* TODO(rzarzynski): remove any modification to req_state! */
-  s->aws4_auth->signing_key = aux;
+  ldout(cct, 10) << "signing_k     = " << string(aux) << dendl;
 
   /* new signature */
 
   char signature_k[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE];
-  calc_hmac_sha256(signing_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, string_to_sign.c_str(), string_to_sign.size(), signature_k);
+  calc_hmac_sha256(signing_key, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE,
+                   string_to_sign.c_str(), string_to_sign.size(),
+                   signature_k);
 
   buf_to_hex((unsigned char *) signature_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux);
 
-  ldout(s->cct, 10) << "signature_k   = " << string(aux) << dendl;
+  ldout(cct, 10) << "signature_k   = " << string(aux) << dendl;
 
   std::string signature = string(aux);
 
-  ldout(s->cct, 10) << "new signature = " << signature << dendl;
+  ldout(cct, 10) << "new signature = " << signature << dendl;
 
   return signature;
 }
index 682f2df0d619153f35011f86d1e79fd448dc2173..70e65bcae664b50adb5a58b4a752ca5651177667 100644 (file)
@@ -206,13 +206,16 @@ std::string get_v4_string_to_sign(CephContext* cct,
                                   const std::string& credential_scope,
                                   const std::string& hashed_qr);
 
-std::string get_v4_signature(struct req_state* s,
+/* TODO(rzarzynski): split the SigningKey calculation into a separated func. */
+std::string get_v4_signature(CephContext* cct,
                              const std::string& access_key_id,
                              const std::string& date,
                              const std::string& region,
                              const std::string& service,
                              const std::string& string_to_sign,
-                             const std::string& access_key_secret);
+                             const std::string& access_key_secret,
+                             /* This is a makeshift-only parameter. It'll be killed soon. */
+                             char (&signing_key)[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE]);
 } /* namespace s3 */
 } /* namespace auth */
 } /* namespace rgw */
index e54f4b2d0c3ac0f238fe4700f044812c507d1d75..a0093d7bd6ee514d310f5f5bf5534238f2b2ae22 100644 (file)
@@ -1706,8 +1706,7 @@ struct rgw_aws4_auth {
   string new_signature;
   string payload_hash;
   string seed_signature;
-  string signing_key;
-  char signing_k[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE];
+  char signing_key[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE];
   bufferlist bl;
 };
 
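Review bot: Reusing the name `signing_key` for the raw digest changes the member from `string` to `char[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE]`, and existing uses of the old member keep compiling. A stream insertion like the removed `<< s->aws4_auth->signing_key` would now treat the unterminated digest bytes as a C string and read past the array. The one use visible in this diff was converted, but a reader elsewhere in the tree would not be flagged by the compiler. A distinct name for the raw buffer, or a type that does not decay to `char*`, would make stale uses fail to build. The struct starts outside this hunk.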
index a937fafc6c6701ff823b594564c6c1311972c351..dffa6bbb91cf3694ee5e88f9d1f745de40f191f7 100644 (file)
@@ -1217,7 +1217,7 @@ int RGWPutObj_ObjStore_S3::validate_aws4_single_chunk(char *chunk_str,
   /* new chunk signature */
 
   char signature_k[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE];
-  calc_hmac_sha256(s->aws4_auth->signing_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE,
+  calc_hmac_sha256(s->aws4_auth->signing_key, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE,
       string_to_sign.c_str(), string_to_sign.size(), signature_k);
 
   char aux[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE * 2 + 1];
@@ -1225,11 +1225,18 @@ int RGWPutObj_ObjStore_S3::validate_aws4_single_chunk(char *chunk_str,
 
   string new_chunk_signature = string(aux);
 
+  /* FIXME(rzarzynski): clean this up! */
+  buf_to_hex((unsigned char *) s->aws4_auth->signing_key,
+             CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux);
+  std::string signing_key(aux);
+
   ldout(s->cct, 20) << "--------------- aws4 chunk validation" << dendl;
   ldout(s->cct, 20) << "chunk_signature     = " << chunk_signature << dendl;
   ldout(s->cct, 20) << "new_chunk_signature = " << new_chunk_signature << dendl;
-  ldout(s->cct, 20) << "aws4 chunk signing_key    = " << s->aws4_auth->signing_key << dendl;
-  ldout(s->cct, 20) << "aws4 chunk string_to_sign = " << rgw::crypt_sanitize::log_content{string_to_sign.c_str()} << dendl;
+  ldout(s->cct, 20) << "aws4 chunk signing_key    = " << signing_key << dendl;
+  ldout(s->cct, 20) << "aws4 chunk string_to_sign = "
+                    << rgw::crypt_sanitize::log_content{string_to_sign.c_str()}
+                    << dendl;
 
   /* chunk auth ok? */
 
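Review bot: The added `buf_to_hex` call and the local `std::string signing_key(aux)` run for every chunk even when level-20 output is disabled, and they exist only to feed the `aws4 chunk signing_key` log line. Each chunk therefore creates another hex copy of the key in memory that is never used for verification. Resolving the FIXME by deleting the conversion together with that log line would remove the per-chunk work and keep the key out of the log. The function starts and ends outside this hunk.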
@@ -1750,10 +1757,11 @@ int RGWPostObj_ObjStore_S3::get_policy()
         std::string encoded_policy_str(s->auth.s3_postobj_creds.encoded_policy.c_str(),
                                        s->auth.s3_postobj_creds.encoded_policy.length());
         std::string new_signature_str = \
-          rgw::auth::s3::get_v4_signature(s, s3_access_key, date_cs,
+          rgw::auth::s3::get_v4_signature(s->cct, s3_access_key, date_cs,
                                           region_cs, service_cs,
                                           encoded_policy_str,
-                                          s3_secret_key);
+                                          s3_secret_key,
+                                          s->aws4_auth->signing_key);
 
         ldout(s->cct, 10) << "----------------------------- Verifying signatures" << dendl;
         ldout(s->cct, 10) << "Signature     = " << received_signature_str << dendl;
@@ -3514,9 +3522,9 @@ int RGW_Auth_S3::authorize_v4_complete(RGWRados *store, struct req_state *s, con
   const RGWAccessKey& k = iter->second;
 
   s->aws4_auth->new_signature = \
-    rgw::auth::s3::get_v4_signature(s, s->aws4_auth->access_key_id, date_cs,
+    rgw::auth::s3::get_v4_signature(s->cct, s->aws4_auth->access_key_id, date_cs,
                                     region_cs, service_cs, string_to_sign,
-                                    k.key);
+                                    k.key /* in */, s->aws4_auth->signing_key /* out */);
 
 
   ldout(s->cct, 10) << "----------------------------- Verifying signatures" << dendl;