From: Radoslaw Zarzynski Date: Sat, 15 Apr 2017 17:03:24 +0000 (+0200) Subject: rgw: split generation AWSv4's SigningKey into a separate func. X-Git-Tag: v12.1.0~155^2~56 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=195bf5c55578bdf535fa75da40305d75f05e7b49;p=ceph.git rgw: split generation AWSv4's SigningKey into a separate func. Signed-off-by: Radoslaw Zarzynski --- diff --git a/src/rgw/rgw_auth_s3.cc b/src/rgw/rgw_auth_s3.cc index 4c78c3919042..9566db57bcc1 100644 --- a/src/rgw/rgw_auth_s3.cc +++ b/src/rgw/rgw_auth_s3.cc @@ -705,13 +705,12 @@ parse_cred_scope(std::string credential_scope) } /* - * calculate the AWS signature version 4 + * calculate the SigningKey of AWS auth version 4 */ -std::string get_v4_signature(CephContext* const cct, - const std::string& credential_scope, - const std::string& string_to_sign, - const std::string& access_key_secret, - char (&signing_key)[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE]) +std::array +get_v4_signing_key(CephContext* const cct, + const std::string& credential_scope, + const std::string& access_key_secret) { std::string secret_key = "AWS4" + access_key_secret; char secret_k[secret_key.size() * MAX_UTF8_SZ]; @@ -757,20 +756,36 @@ std::string get_v4_signature(CephContext* const cct, ldout(cct, 10) << "service_k = " << string(aux) << dendl; /* aws4_request */ + std::array signing_key = \ + calc_hmac_sha256(service_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, + "aws4_request", 12); - calc_hmac_sha256(service_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, "aws4_request", 12, signing_key); - - buf_to_hex((unsigned char *) signing_key, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux); + buf_to_hex(signing_key.data(), CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux); ldout(cct, 10) << "signing_k = " << string(aux) << dendl; + return signing_key; +} + +/* + * calculate the AWS signature version 4 + + * http://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html + */ +std::string get_v4_signature(CephContext* const cct, + const std::array& signing_key, + const std::string& string_to_sign) +{ + /* new signature */ char signature_k[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE]; - calc_hmac_sha256(signing_key, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, + /* FIXME(rzarzynski): eradicate the reinterpret_cast. */ + calc_hmac_sha256(reinterpret_cast(signing_key.data()), CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, string_to_sign.c_str(), string_to_sign.size(), signature_k); + char aux[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE * 2 + 1]; buf_to_hex((unsigned char *) signature_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux); ldout(cct, 10) << "signature_k = " << string(aux) << dendl; diff --git a/src/rgw/rgw_auth_s3.h b/src/rgw/rgw_auth_s3.h index a440628afb2a..2902c1d97e02 100644 --- a/src/rgw/rgw_auth_s3.h +++ b/src/rgw/rgw_auth_s3.h @@ -4,6 +4,7 @@ #ifndef CEPH_RGW_AUTH_S3_H #define CEPH_RGW_AUTH_S3_H +#include #include #include @@ -206,13 +207,14 @@ std::string get_v4_string_to_sign(CephContext* cct, const std::string& credential_scope, const std::string& hashed_qr); -/* TODO(rzarzynski): split the SigningKey calculation into a separated func. */ +std::array +get_v4_signing_key(CephContext* const cct, + const std::string& credential_scope, + const std::string& access_key_secret); + std::string get_v4_signature(CephContext* cct, - const std::string& credential_scope, - const std::string& string_to_sign, - const std::string& access_key_secret, - /* This is a makeshift-only parameter. It'll be killed soon. */ - char (&signing_key)[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE]); + const std::array& signing_key, + const std::string& string_to_sign); } /* namespace s3 */ } /* namespace auth */ } /* namespace rgw */ diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h index dca06b25053c..a5745fc33fe7 100644 --- a/src/rgw/rgw_common.h +++ b/src/rgw/rgw_common.h @@ -1707,7 +1707,8 @@ struct rgw_aws4_auth { string signature; string new_signature; string seed_signature; - char signing_key[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE]; + std::array signing_key; bufferlist bl; }; diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index 3f0b00c272fd..ee43dc858fc2 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -1215,25 +1215,18 @@ int RGWPutObj_ObjStore_S3::validate_aws4_single_chunk(char *chunk_str, string_to_sign.append(hash_chunk_data); /* new chunk signature */ - - char signature_k[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE]; - calc_hmac_sha256(s->aws4_auth->signing_key, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, - string_to_sign.c_str(), string_to_sign.size(), signature_k); - - char aux[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE * 2 + 1]; - buf_to_hex((unsigned char *) signature_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux); - - string new_chunk_signature = string(aux); - - /* FIXME(rzarzynski): clean this up! */ - buf_to_hex((unsigned char *) s->aws4_auth->signing_key, - CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux); - std::string signing_key(aux); + const auto sighex = buf_to_hex(calc_hmac_sha256(s->aws4_auth->signing_key, + string_to_sign.c_str(), + string_to_sign.size())); + /* FIXME(rzarzynski): std::string here is really unnecessary. */ + std::string new_chunk_signature = std::string(sighex.data(), sighex.size()); ldout(s->cct, 20) << "--------------- aws4 chunk validation" << dendl; ldout(s->cct, 20) << "chunk_signature = " << chunk_signature << dendl; ldout(s->cct, 20) << "new_chunk_signature = " << new_chunk_signature << dendl; - ldout(s->cct, 20) << "aws4 chunk signing_key = " << signing_key << dendl; + ldout(s->cct, 20) << "aws4 chunk signing_key = " + << buf_to_hex(s->aws4_auth->signing_key).data() + << dendl; ldout(s->cct, 20) << "aws4 chunk string_to_sign = " << rgw::crypt_sanitize::log_content{string_to_sign.c_str()} << dendl; @@ -1741,14 +1734,17 @@ int RGWPostObj_ObjStore_S3::get_policy() return -ENOMEM; } + /* FIXME(rzarzynski): clean this up! */ std::string encoded_policy_str(s->auth.s3_postobj_creds.encoded_policy.c_str(), s->auth.s3_postobj_creds.encoded_policy.length()); + + s->aws4_auth->signing_key = \ + rgw::auth::s3::get_v4_signing_key(s->cct, cs_aux, s3_secret_key); + std::string new_signature_str = \ rgw::auth::s3::get_v4_signature(s->cct, - cs_aux, - encoded_policy_str, - s3_secret_key, - s->aws4_auth->signing_key); + s->aws4_auth->signing_key, + encoded_policy_str); ldout(s->cct, 10) << "----------------------------- Verifying signatures" << dendl; ldout(s->cct, 10) << "Signature = " << received_signature_str << dendl; @@ -3493,11 +3489,12 @@ int RGW_Auth_S3::authorize_v4_complete(RGWRados *store, struct req_state *s, con } const RGWAccessKey& k = iter->second; + s->aws4_auth->signing_key = \ + rgw::auth::s3::get_v4_signing_key(s->cct, + s->aws4_auth->credential_scope, k.key); s->aws4_auth->new_signature = \ - rgw::auth::s3::get_v4_signature(s->cct, - s->aws4_auth->credential_scope, - string_to_sign, - k.key /* in */, s->aws4_auth->signing_key /* out */); + rgw::auth::s3::get_v4_signature(s->cct, s->aws4_auth->signing_key, + string_to_sign); ldout(s->cct, 10) << "----------------------------- Verifying signatures" << dendl;