From: Radoslaw Zarzynski Date: Fri, 14 Apr 2017 14:51:54 +0000 (+0200) Subject: rgw: rgw::auth::s3::get_v4_signature doesn't depend on req_state anymore. X-Git-Tag: v12.1.0~155^2~60 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=0b6adc66ed463580a33a83c119844cac556d05f3;p=ceph.git rgw: rgw::auth::s3::get_v4_signature doesn't depend on req_state anymore. Signed-off-by: Radoslaw Zarzynski --- diff --git a/src/rgw/rgw_auth_s3.cc b/src/rgw/rgw_auth_s3.cc index 5097ed0b73f8..c6b922563292 100644 --- a/src/rgw/rgw_auth_s3.cc +++ b/src/rgw/rgw_auth_s3.cc @@ -680,13 +680,14 @@ std::string get_v4_string_to_sign(CephContext* const cct, /* * calculate the AWS signature version 4 */ -std::string get_v4_signature(struct req_state* const s, +std::string get_v4_signature(CephContext* const cct, const std::string& access_key_id, const std::string& date, const std::string& region, const std::string& service, const std::string& string_to_sign, - const std::string& access_key_secret) + const std::string& access_key_secret, + char (&signing_key)[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE]) { std::string secret_key = "AWS4" + access_key_secret; char secret_k[secret_key.size() * MAX_UTF8_SZ]; @@ -708,7 +709,7 @@ std::string get_v4_signature(struct req_state* const s, char aux[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE * 2 + 1]; buf_to_hex((unsigned char *) date_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux); - ldout(s->cct, 10) << "date_k = " << string(aux) << dendl; + ldout(cct, 10) << "date_k = " << string(aux) << dendl; /* region */ @@ -717,7 +718,7 @@ std::string get_v4_signature(struct req_state* const s, buf_to_hex((unsigned char *) region_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux); - ldout(s->cct, 10) << "region_k = " << string(aux) << dendl; + ldout(cct, 10) << "region_k = " << string(aux) << dendl; /* service */ 
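Review bot: The new out-parameter `char (&signing_key)[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE]` in the first hunk is not covered by the function's header comment, which still reads only `/* calculate the AWS signature version 4 */`, yet it changes the contract: the caller's buffer is overwritten with the raw HMAC-SHA256 signing key, which validate_aws4_single_chunk in rgw_rest_s3.cc later reuses for chunk signatures. Suggest widening the comment to something like `/* Calculate the AWS SigV4 signature over string_to_sign. signing_key is an out-parameter that receives the raw HMAC-SHA256 signing key for (date, region, service), so the caller can verify later chunk signatures with it. */`. The body also keeps `char secret_k[secret_key.size() * MAX_UTF8_SZ];`, a variable-length array whose size is driven by the supplied secret; that is pre-existing, but a `std::string` or `std::vector<char>` buffer would avoid the non-standard VLA and make a later wipe of the key material straightforward. get_v4_signature's body continues past this hunk.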
@@ -726,33 +727,30 @@ std::string get_v4_signature(struct req_state* const s, buf_to_hex((unsigned char *) service_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux); - ldout(s->cct, 10) << "service_k = " << string(aux) << dendl; + ldout(cct, 10) << "service_k = " << string(aux) << dendl; /* aws4_request */ - char *signing_k = s->aws4_auth->signing_k; + calc_hmac_sha256(service_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, "aws4_request", 12, signing_key); - calc_hmac_sha256(service_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, "aws4_request", 12, signing_k); + buf_to_hex((unsigned char *) signing_key, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux); - buf_to_hex((unsigned char *) signing_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux); - - ldout(s->cct, 10) << "signing_k = " << string(aux) << dendl; - - /* TODO(rzarzynski): remove any modification to req_state! */ - s->aws4_auth->signing_key = aux; + ldout(cct, 10) << "signing_k = " << string(aux) << dendl; /* new signature */ char signature_k[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE]; - calc_hmac_sha256(signing_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, string_to_sign.c_str(), string_to_sign.size(), signature_k); + calc_hmac_sha256(signing_key, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, + string_to_sign.c_str(), string_to_sign.size(), + signature_k); buf_to_hex((unsigned char *) signature_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux); - ldout(s->cct, 10) << "signature_k = " << string(aux) << dendl; + ldout(cct, 10) << "signature_k = " << string(aux) << dendl; std::string signature = string(aux); - ldout(s->cct, 10) << "new signature = " << signature << dendl; + ldout(cct, 10) << "new signature = " << signature << dendl; return signature; } diff --git a/src/rgw/rgw_auth_s3.h b/src/rgw/rgw_auth_s3.h index 682f2df0d619..70e65bcae664 100644 --- a/src/rgw/rgw_auth_s3.h +++ b/src/rgw/rgw_auth_s3.h 
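Review bot: The rewritten lines `ldout(cct, 10) << "signing_k = " << string(aux) << dendl;` and `ldout(cct, 10) << "signature_k = " << string(aux) << dendl;` still put the hex of the derived signing key into the log, as do the `date_k`, `region_k` and `service_k` lines in the two preceding hunks and the new `aws4 chunk signing_key = ` block (with its log-only `buf_to_hex` into `aux`) added to validate_aws4_single_chunk in rgw_rest_s3.cc. The signing key is secret material — whoever can read it can produce valid signatures for that credential scope until the date in the scope rolls over — so read access to a level 10/20 debug log becomes equivalent to holding the secret for that scope. Since the commit already moves this function off req_state, this is the natural point to drop those key-dumping lines entirely (the `new signature = ` log is not secret and can stay). The intermediate buffers `secret_k`, `date_k`, `region_k`, `service_k`, `signature_k` and `aux` also keep key-derived bytes on the stack after return; a memset the compiler cannot elide before returning would be the usual mitigation, hedged because I cannot see which secure-zero helper this tree provides.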
@@ -206,13 +206,16 @@ std::string get_v4_string_to_sign(CephContext* cct, const std::string& credential_scope, const std::string& hashed_qr); -std::string get_v4_signature(struct req_state* s, +/* TODO(rzarzynski): split the SigningKey calculation into a separated func. */ +std::string get_v4_signature(CephContext* cct, const std::string& access_key_id, const std::string& date, const std::string& region, const std::string& service, const std::string& string_to_sign, - const std::string& access_key_secret); + const std::string& access_key_secret, + /* This is a makeshift-only parameter. It'll be killed soon. */ + char (&signing_key)[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE]); } /* namespace s3 */ } /* namespace auth */ } /* namespace rgw */ diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h index e54f4b2d0c3a..a0093d7bd6ee 100644 --- a/src/rgw/rgw_common.h +++ b/src/rgw/rgw_common.h @@ -1706,8 +1706,7 @@ struct rgw_aws4_auth { string new_signature; string payload_hash; string seed_signature; - string signing_key; - char signing_k[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE]; + char signing_key[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE]; bufferlist bl; }; diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index a937fafc6c67..dffa6bbb91cf 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -1217,7 +1217,7 @@ int RGWPutObj_ObjStore_S3::validate_aws4_single_chunk(char *chunk_str, /* new chunk signature */ char signature_k[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE]; - calc_hmac_sha256(s->aws4_auth->signing_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, + calc_hmac_sha256(s->aws4_auth->signing_key, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, string_to_sign.c_str(), string_to_sign.size(), signature_k); char aux[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE * 2 + 1]; 
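Review bot: `char signing_key[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE];` in rgw_aws4_auth (rgw_common.h hunk) still keeps the raw signing key, formerly `signing_k`, for as long as the req_state lives, now under the name that used to hold its hex form, and nothing in this hunk clears it; the struct's destructor, if it has one, is outside the hunk. Because this member is derived from the account's secret key, I would at least document that at the field, e.g. `// raw SigV4 signing key for this request's credential scope; secret material, kept only so chunked uploads can be verified`, and preferably wipe it in the destructor with a memset the compiler cannot optimise away. The header declaration in rgw_auth_s3.h marks the out-parameter as makeshift; if the TODO to split the signing-key derivation lands, this field comment is where that lifetime should be kept in sync.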
@@ -1225,11 +1225,18 @@ int RGWPutObj_ObjStore_S3::validate_aws4_single_chunk(char *chunk_str, string new_chunk_signature = string(aux); + /* FIXME(rzarzynski): clean this up! */ + buf_to_hex((unsigned char *) s->aws4_auth->signing_key, + CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux); + std::string signing_key(aux); + ldout(s->cct, 20) << "--------------- aws4 chunk validation" << dendl; ldout(s->cct, 20) << "chunk_signature = " << chunk_signature << dendl; ldout(s->cct, 20) << "new_chunk_signature = " << new_chunk_signature << dendl; - ldout(s->cct, 20) << "aws4 chunk signing_key = " << s->aws4_auth->signing_key << dendl; - ldout(s->cct, 20) << "aws4 chunk string_to_sign = " << rgw::crypt_sanitize::log_content{string_to_sign.c_str()} << dendl; + ldout(s->cct, 20) << "aws4 chunk signing_key = " << signing_key << dendl; + ldout(s->cct, 20) << "aws4 chunk string_to_sign = " + << rgw::crypt_sanitize::log_content{string_to_sign.c_str()} + << dendl; /* chunk auth ok? */ @@ -1750,10 +1757,11 @@ int RGWPostObj_ObjStore_S3::get_policy() std::string encoded_policy_str(s->auth.s3_postobj_creds.encoded_policy.c_str(), s->auth.s3_postobj_creds.encoded_policy.length()); std::string new_signature_str = \ - rgw::auth::s3::get_v4_signature(s, s3_access_key, date_cs, + rgw::auth::s3::get_v4_signature(s->cct, s3_access_key, date_cs, region_cs, service_cs, encoded_policy_str, - s3_secret_key); + s3_secret_key, + s->aws4_auth->signing_key); ldout(s->cct, 10) << "----------------------------- Verifying signatures" << dendl; ldout(s->cct, 10) << "Signature = " << received_signature_str << dendl; 
@@ -3514,9 +3522,9 @@ int RGW_Auth_S3::authorize_v4_complete(RGWRados *store, struct req_state *s, con const RGWAccessKey& k = iter->second; s->aws4_auth->new_signature = \ - rgw::auth::s3::get_v4_signature(s, s->aws4_auth->access_key_id, date_cs, + rgw::auth::s3::get_v4_signature(s->cct, s->aws4_auth->access_key_id, date_cs, region_cs, service_cs, string_to_sign, - k.key); + k.key /* in */, s->aws4_auth->signing_key /* out */); ldout(s->cct, 10) << "----------------------------- Verifying signatures" << dendl;