return 0;
}
- int encrypt(CephContext *cct, const ceph::bufferlist& in,
- ceph::bufferlist& out,
- std::string* /* unused */) const override {
+ int encrypt_ext(CephContext *cct, const ceph::bufferlist& in,
+ const ceph::bufferlist *confounder,
+ ceph::bufferlist& out,
+ std::string* /* unused */) const override {
ldout(cct, 20) << "CryptoAES256KRB5KeyHandler::encrypt()" << dendl;
// encrypted (confounder | data) | hash
ceph::bufferptr out_tmp{static_cast<unsigned>(
char *aes_enc = out_tmp.c_str();
int aes_enc_len = AES256KRB5_BLOCK_LEN + in.length();
- /* plaintext confounder */
- bufferptr confounder(AES256KRB5_BLOCK_LEN);
- cct->random()->get_bytes(confounder.c_str(), confounder.length());
+ ceph::bufferlist incopy;
+ bufferptr confounder_buf(AES256KRB5_BLOCK_LEN);
+
+ if (!confounder) {
+ cct->random()->get_bytes(confounder_buf.c_str(), confounder_buf.length());
+ incopy.append(confounder_buf);
+ } else {
+ if (confounder->length() != AES256KRB5_BLOCK_LEN) {
+ ldout(cct, 0) << "ERROR: confounder length is expected to be equal to block size (" << AES256KRB5_BLOCK_LEN << ")" << dendl;
+ return -EINVAL;
+ }
+ incopy.append(*confounder);
+ }
// combine confounder with input data
- ceph::bufferlist incopy;
- incopy.append(confounder);
incopy.append(in);
// reinitialize IV each time. It might be unnecessary depending on
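Review bot: The `else` branch that appends `*confounder` lets any caller fix the confounder, and nothing in the hunk states when that is acceptable. Judging by the `encrypted (confounder | data) | hash` layout, the random confounder is what makes two encryptions of the same plaintext under one key differ, so a repeated or predictable value would make ciphertexts comparable; the only caller visible here that supplies one is the known-answer test. I would document the contract on the parameter, for example `// confounder: pass nullptr to have a fresh random block generated; a caller-supplied value must be unpredictable and never reused with the same key (fixed values are for test vectors only)`. Separately, `confounder_buf` is allocated even when a confounder is supplied and could move inside the `if (!confounder)` branch, and the `ldout` at the top of the function still logs `CryptoAES256KRB5KeyHandler::encrypt()` under the new name. The function body starts and ends outside this hunk.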
return 0;
}
+
+ int encrypt(CephContext *cct, const ceph::bufferlist& in,
+ ceph::bufferlist& out,
+ std::string* unused) const override {
+ return encrypt_ext(cct, in, nullptr, out, unused);
+ }
};
};
TEST(AES, ValidateSecret) {
- CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES);
+ auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);
int l;
for (l=0; l<16; l++) {
}
TEST(AES, Encrypt) {
- CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES);
+ auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);
char secret_s[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
}
TEST(AES, EncryptNoBl) {
- CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES);
+ auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);
char secret_s[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
}
TEST(AES, Decrypt) {
- CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES);
+ auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);
char secret_s[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
}
TEST(AES, DecryptNoBl) {
- CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES);
+ auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);
const char secret_s[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
template <std::size_t TextSizeV>
static void aes_loop_cephx() {
- CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES);
+ auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);
CryptoRandom random;
for (int i=0; i<10000; i++) {
bufferlist cipher;
{
- CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES);
+ auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);
std::string error;
CryptoKeyHandler *kh = h->get_key_handler(secret, error);
plaintext.clear();
{
- CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES);
+ auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);
std::string error;
CryptoKeyHandler *ckh = h->get_key_handler(secret, error);
int r = ckh->decrypt(g_ceph_context, cipher, plaintext, &error);
TEST(AES256KRB5, Encrypt) {
- CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES256KRB5);
+ auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES256KRB5);
unsigned char secret_s[] = {
0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D, 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98,
0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0, 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52 };
bufferlist plaintext;
plaintext.append((char *)plaintext_s, sizeof(plaintext_s));
+ unsigned char confounder_data[] = { 0xB8, 0x0D, 0x32, 0x51, 0xC1, 0xF6, 0x47, 0x14, 0x94, 0x25, 0x6F, 0xFE, 0x71, 0x2D, 0x0B, 0x9A };
+
+ bufferlist confounder;
+ confounder.append((const char *)confounder_data, sizeof(confounder_data));
+
bufferlist cipher;
std::string error;
CryptoKeyHandler *kh = h->get_key_handler(secret, error);
- int r = kh->encrypt(g_ceph_context, plaintext, cipher, &error);
+ int r = kh->encrypt_ext(g_ceph_context, plaintext, &confounder, cipher, &error);
ASSERT_EQ(r, 0);
ASSERT_EQ(error, "");
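Review bot: The tests visible here call `encrypt_ext` only with a confounder that is accepted, so the new length check that returns `-EINVAL` is never exercised. A short negative case next to this one would pin it down: build a second bufferlist one byte shorter than `confounder_data` and assert `ASSERT_EQ(kh->encrypt_ext(g_ceph_context, plaintext, &short_confounder, cipher, &error), -EINVAL);` (`short_confounder` is a name made up for this note). Parts of the test file are not shown, so such a case may already exist elsewhere.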
}
TEST(AES256KRB5, Decrypt) {
- CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES256KRB5);
+ auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES256KRB5);
unsigned char secret_s[] = {
0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D, 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98,
0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0, 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52 };