return -EINVAL;
}
- auto cryptohandler = cct->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);
- if (! cryptohandler) {
- return -EINVAL;
- }
string secret_s = cct->_conf->rgw_sts_key;
if (secret_s.empty()) {
ldpp_dout(dpp, 1) << "ERROR: rgw sts key not set" << dendl;
return -EINVAL;
}
+
+ auto cryptohandler = cct->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES256KRB5);
+ if (! cryptohandler) {
+ return -EINVAL;
+ }
buffer::ptr secret(secret_s.c_str(), secret_s.length());
int ret = 0;
if (ret = cryptohandler->validate_secret(secret); ret < 0) {
- ldpp_dout(dpp, 0) << "ERROR: Invalid secret key" << dendl;
- return -EINVAL;
+ ldpp_dout(dpp, 0) << "Invalid AES256KRB5 secret key, trying AES key validation" << dendl;
+ //Fallback to old style AES
+ cryptohandler = cct->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);
+ if (! cryptohandler) {
+ return -EINVAL;
+ }
+ if (ret = cryptohandler->validate_secret(secret); ret < 0) {
+ ldpp_dout(dpp, 0) << "Invalid AES secret key" << dendl;
+ return -EINVAL;
+ }
}
string error;
std::unique_ptr<CryptoKeyHandler> keyhandler(cryptohandler->get_key_handler(secret, error));
expiration = ceph::to_iso_8601(exp);
//Session Token - Encrypt using AES
- auto cryptohandler = cct->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);
+ auto cryptohandler = cct->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES256KRB5);
if (! cryptohandler) {
- ldpp_dout(dpp, 0) << "ERROR: No AES crypto handler found !" << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: No AES256KRB5 crypto handler found !" << dendl;
return -EINVAL;
}
string secret_s = cct->_conf->rgw_sts_key;
buffer::ptr secret(secret_s.c_str(), secret_s.length());
int ret = 0;
if (ret = cryptohandler->validate_secret(secret); ret < 0) {
- ldpp_dout(dpp, 0) << "ERROR: Invalid rgw sts key, please ensure it is an alphanumeric key of length 16" << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: Invalid rgw sts key, please ensure it is an alphanumeric key of minimum length 32" << dendl;
return ret;
}
string error;
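Review bot: The token-issue path here accepts only a key that passes AES256KRB5 validation and returns on failure, whereas the decode path in the earlier hunk of this diff falls back to the CEPH_CRYPTO_AES handler when AES256KRB5 validation fails, so a legacy-length rgw_sts_key keeps decrypting existing tokens but can no longer issue new ones. That asymmetry looks intentional as a forcing function for key rotation, but nothing in the code says so; a comment at the handler lookup would make it explicit, e.g. `// No AES fallback on the issue path: new session tokens require an AES256KRB5-strength rgw_sts_key; the decode path still accepts legacy AES keys so tokens issued before rotation stay valid.` The "minimum length 32" wording in the new error message is a claim about validate_secret that this hunk does not show; confirm it matches the handler's actual check so operators are not sent chasing the wrong requirement. The enclosing function starts before and continues after this hunk.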