From 107ffc6f294fff4e512fffef2d428b3528eb3532 Mon Sep 17 00:00:00 2001 From: Sage Weil Date: Thu, 16 Aug 2012 16:33:52 -0700 Subject: [PATCH] auth: move Crypto users to use CephContext Globals are bad news. Switch all users to get the CryptoHandler from their cct. Signed-off-by: Sage Weil --- src/auth/Crypto.cc | 40 +++++++++++---------------- src/auth/Crypto.h | 4 +-- src/auth/cephx/CephxClientHandler.cc | 4 +-- src/auth/cephx/CephxKeyServer.cc | 4 +-- src/auth/cephx/CephxProtocol.cc | 26 ++++++++--------- src/auth/cephx/CephxProtocol.h | 28 ++++++++++--------- src/auth/cephx/CephxServiceHandler.cc | 2 +- src/common/ceph_context.cc | 22 ++++++++++++++- src/common/ceph_context.h | 12 ++++++++ src/test/crypto.cc | 10 +++---- src/testcrypto.cc | 4 +-- 11 files changed, 91 insertions(+), 65 deletions(-) diff --git a/src/auth/Crypto.cc b/src/auth/Crypto.cc index 0e78b8bf35713..5db2ff3b72df3 100644 --- a/src/auth/Crypto.cc +++ b/src/auth/Crypto.cc @@ -58,28 +58,24 @@ static int get_random_bytes(int len, bufferlist& bl) // --------------------------------------------------- -int CryptoNone:: -create(bufferptr& secret) +int CryptoNone::create(bufferptr& secret) { return 0; } -int CryptoNone:: -validate_secret(bufferptr& secret) +int CryptoNone::validate_secret(bufferptr& secret) { return 0; } -void CryptoNone:: -encrypt(const bufferptr& secret, const bufferlist& in, - bufferlist& out, std::string &error) const +void CryptoNone::encrypt(const bufferptr& secret, const bufferlist& in, + bufferlist& out, std::string &error) const { out = in; } -void CryptoNone:: -decrypt(const bufferptr& secret, const bufferlist& in, - bufferlist& out, std::string &error) const +void CryptoNone::decrypt(const bufferptr& secret, const bufferlist& in, + bufferlist& out, std::string &error) const { out = in; } @@ -229,9 +225,8 @@ int CryptoAES::validate_secret(bufferptr& secret) return 0; } -void CryptoAES:: -encrypt(const bufferptr& secret, const bufferlist& in, bufferlist& out, - std::string &error) const +void CryptoAES::encrypt(const bufferptr& secret, const bufferlist& in, bufferlist& out, + std::string &error) const { if (secret.length() < AES_KEY_LEN) { error = "key is too short"; @@ -271,9 +266,8 @@ encrypt(const bufferptr& secret, const bufferlist& in, bufferlist& out, #endif } -void CryptoAES:: -decrypt(const bufferptr& secret, const bufferlist& in, - bufferlist& out, std::string &error) const +void CryptoAES::decrypt(const bufferptr& secret, const bufferlist& in, + bufferlist& out, std::string &error) const { #ifdef USE_CRYPTOPP const unsigned char *key = (const unsigned char *)secret.c_str(); @@ -348,7 +342,7 @@ int CryptoKey::set_secret(CephContext *cct, int type, bufferptr& s) this->type = type; created = ceph_clock_now(cct); - CryptoHandler *h = get_crypto_handler(type); + CryptoHandler *h = cct->get_crypto_handler(type); if (!h) return -EOPNOTSUPP; int ret = h->validate_secret(s); @@ -366,16 +360,15 @@ int CryptoKey::create(CephContext *cct, int t) type = t; created = ceph_clock_now(cct); - CryptoHandler *h = get_crypto_handler(type); + CryptoHandler *h = cct->get_crypto_handler(type); if (!h) return -EOPNOTSUPP; return h->create(secret); } -void CryptoKey:: -encrypt(const bufferlist& in, bufferlist& out, std::string &error) const +void CryptoKey::encrypt(CephContext *cct, const bufferlist& in, bufferlist& out, std::string &error) const { - CryptoHandler *h = get_crypto_handler(type); + CryptoHandler *h = cct->get_crypto_handler(type); if (!h) { ostringstream oss; oss << "CryptoKey::encrypt: key type " << type << " not supported."; @@ -384,10 +377,9 @@ encrypt(const bufferlist& in, bufferlist& out, std::string &error) const h->encrypt(this->secret, in, out, error); } -void CryptoKey:: -decrypt(const bufferlist& in, bufferlist& out, std::string &error) const +void CryptoKey::decrypt(CephContext *cct, const bufferlist& in, bufferlist& out, std::string &error) const { - CryptoHandler *h = get_crypto_handler(type); + CryptoHandler *h = cct->get_crypto_handler(type); if (!h) { ostringstream oss; oss << "CryptoKey::decrypt: key type " << type << " not supported."; diff --git a/src/auth/Crypto.h b/src/auth/Crypto.h index 52fa50e37b799..1176fd1c2cc18 100644 --- a/src/auth/Crypto.h +++ b/src/auth/Crypto.h @@ -77,8 +77,8 @@ public: // -- int create(CephContext *cct, int type); - void encrypt(const bufferlist& in, bufferlist& out, std::string &error) const; - void decrypt(const bufferlist& in, bufferlist& out, std::string &error) const; + void encrypt(CephContext *cct, const bufferlist& in, bufferlist& out, std::string &error) const; + void decrypt(CephContext *cct, const bufferlist& in, bufferlist& out, std::string &error) const; void to_str(std::string& s) const; }; diff --git a/src/auth/cephx/CephxClientHandler.cc b/src/auth/cephx/CephxClientHandler.cc index c8898bd26396e..afad79ce7f3f2 100644 --- a/src/auth/cephx/CephxClientHandler.cc +++ b/src/auth/cephx/CephxClientHandler.cc @@ -50,7 +50,7 @@ int CephxClientHandler::build_request(bufferlist& bl) CephXAuthenticate req; get_random_bytes((char *)&req.client_challenge, sizeof(req.client_challenge)); std::string error; - cephx_calc_client_server_challenge(secret, server_challenge, + cephx_calc_client_server_challenge(cct, secret, server_challenge, req.client_challenge, &req.key, error); if (!error.empty()) { ldout(cct, 20) << "cephx_calc_client_server_challenge error: " << error << dendl; @@ -156,7 +156,7 @@ int CephxClientHandler::handle_response(int ret, bufferlist::iterator& indata) CryptoKey secret_key; keyring->get_secret(cct->_conf->name, secret_key); std::string error; - decode_decrypt(secrets, secret_key, indata, error); + decode_decrypt(cct, secrets, secret_key, indata, error); if (error.empty()) { rotating_secrets->set_secrets(secrets); } else { diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc index edda1f7b4d2dd..b82de9dbbf91e 100644 --- a/src/auth/cephx/CephxKeyServer.cc +++ b/src/auth/cephx/CephxKeyServer.cc @@ -258,7 +258,7 @@ bool KeyServer::get_service_secret(uint32_t service_id, bool KeyServer::generate_secret(CryptoKey& secret) { bufferptr bp; - CryptoHandler *crypto = get_crypto_handler(CEPH_CRYPTO_AES); + CryptoHandler *crypto = cct->get_crypto_handler(CEPH_CRYPTO_AES); if (!crypto) return false; @@ -359,7 +359,7 @@ bool KeyServer::get_rotating_encrypted(const EntityName& name, RotatingSecrets secrets = rotate_iter->second; std::string error; - encode_encrypt(secrets, specific_key, enc_bl, error); + encode_encrypt(cct, secrets, specific_key, enc_bl, error); if (!error.empty()) return false; diff --git a/src/auth/cephx/CephxProtocol.cc b/src/auth/cephx/CephxProtocol.cc index c023c7ae3bc4d..937ad0bc0a549 100644 --- a/src/auth/cephx/CephxProtocol.cc +++ b/src/auth/cephx/CephxProtocol.cc @@ -24,7 +24,7 @@ -void cephx_calc_client_server_challenge(CryptoKey& secret, uint64_t server_challenge, +void cephx_calc_client_server_challenge(CephContext *cct, CryptoKey& secret, uint64_t server_challenge, uint64_t client_challenge, uint64_t *key, std::string &ret) { CephXChallengeBlob b; @@ -33,7 +33,7 @@ void cephx_calc_client_server_challenge(CryptoKey& secret, uint64_t server_chall bufferlist enc; std::string error; - encode_encrypt(b, secret, enc, error); + encode_encrypt(cct, b, secret, enc, error); if (!error.empty()) return; @@ -62,7 +62,7 @@ bool cephx_build_service_ticket_blob(CephContext *cct, CephXSessionAuthInfo& inf << " ticket_info.ticket.name=" << ticket_info.ticket.name.to_str() << dendl; blob.secret_id = info.secret_id; std::string error; - encode_encrypt_enc_bl(ticket_info, info.service_secret, blob.blob, error); + encode_encrypt_enc_bl(cct, ticket_info, info.service_secret, blob.blob, error); if (!error.empty()) { ldout(cct, -1) << "cephx_build_service_ticket_blob failed with error " << error << dendl; @@ -107,7 +107,7 @@ bool cephx_build_service_ticket_reply(CephContext *cct, msg_a.session_key = info.session_key; msg_a.validity = info.validity; std::string error; - encode_encrypt(msg_a, principal_secret, reply, error); + encode_encrypt(cct, msg_a, principal_secret, reply, error); if (!error.empty()) { ldout(cct, -1) << "error encoding encrypted: " << error << dendl; return false; @@ -126,7 +126,7 @@ bool cephx_build_service_ticket_reply(CephContext *cct, ::encode((__u8)should_encrypt_ticket, reply); if (should_encrypt_ticket) { - encode_encrypt(service_ticket_bl, ticket_enc_key, reply, error); + encode_encrypt(cct, service_ticket_bl, ticket_enc_key, reply, error); if (!error.empty()) { ldout(cct, -1) << "error encoding encrypted ticket: " << error << dendl; return false; @@ -150,7 +150,7 @@ bool CephXTicketHandler::verify_service_ticket_reply(CryptoKey& secret, CephXServiceTicket msg_a; std::string error; - decode_decrypt(msg_a, secret, indata, error); + decode_decrypt(cct, msg_a, secret, indata, error); if (!error.empty()) { ldout(cct, 0) << "verify_service_ticket_reply: failed decode_decrypt with secret " << secret << ": " << error << dendl; @@ -164,7 +164,7 @@ bool CephXTicketHandler::verify_service_ticket_reply(CryptoKey& secret, if (ticket_enc) { ldout(cct, 10) << " got encrypted ticket" << dendl; std::string error; - decode_decrypt(service_ticket_bl, session_key, indata, error); + decode_decrypt(cct, service_ticket_bl, session_key, indata, error); if (!error.empty()) { ldout(cct, 10) << "verify_service_ticket_reply: decode_decrypt failed " << "with " << error << dendl; @@ -314,7 +314,7 @@ CephXAuthorizer *CephXTicketHandler::build_authorizer(uint64_t global_id) msg.nonce = a->nonce; std::string error; - encode_encrypt(msg, session_key, a->bl, error); + encode_encrypt(cct, msg, session_key, a->bl, error); if (!error.empty()) { ldout(cct, 0) << "failed to encrypt authorizer: " << error << dendl; delete a; @@ -379,7 +379,7 @@ bool cephx_decode_ticket(CephContext *cct, KeyStore *keys, uint32_t service_id, } std::string error; - decode_decrypt_enc_bl(ticket_info, service_secret, ticket_blob.blob, error); + decode_decrypt_enc_bl(cct, ticket_info, service_secret, ticket_blob.blob, error); if (!error.empty()) { ldout(cct, 0) << "ceph_decode_ticket could not decrypt ticket info. error:" << error << dendl; @@ -435,7 +435,7 @@ bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys, } } std::string error; - decode_decrypt_enc_bl(ticket_info, service_secret, ticket.blob, error); + decode_decrypt_enc_bl(cct, ticket_info, service_secret, ticket.blob, error); if (!error.empty()) { ldout(cct, 0) << "verify_authorizer could not decrypt ticket info: error: " << error << dendl; @@ -452,7 +452,7 @@ bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys, // CephXAuthorize CephXAuthorize auth_msg; - decode_decrypt(auth_msg, ticket_info.session_key, indata, error); + decode_decrypt(cct, auth_msg, ticket_info.session_key, indata, error); if (!error.empty()) { ldout(cct, 0) << "verify_authorizercould not decrypt authorize request: error: " << error << dendl; @@ -466,7 +466,7 @@ bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys, CephXAuthorizeReply reply; // reply.trans_id = auth_msg.trans_id; reply.nonce_plus_one = auth_msg.nonce + 1; - encode_encrypt(reply, ticket_info.session_key, reply_bl, error); + encode_encrypt(cct, reply, ticket_info.session_key, reply_bl, error); if (!error.empty()) { ldout(cct, 10) << "verify_authorizer: encode_encrypt error: " << error << dendl; return false; @@ -483,7 +483,7 @@ bool CephXAuthorizer::verify_reply(bufferlist::iterator& indata) try { std::string error; - decode_decrypt(reply, session_key, indata, error); + decode_decrypt(cct, reply, session_key, indata, error); if (!error.empty()) { ldout(cct, 0) << "verify_authorizer_reply coudln't decrypt with " << session_key << ": error: " << error << dendl; diff --git a/src/auth/cephx/CephxProtocol.h b/src/auth/cephx/CephxProtocol.h index 7dfda77788b86..31f256146c9c0 100644 --- a/src/auth/cephx/CephxProtocol.h +++ b/src/auth/cephx/CephxProtocol.h @@ -201,8 +201,9 @@ struct CephXChallengeBlob { }; WRITE_CLASS_ENCODER(CephXChallengeBlob) -void cephx_calc_client_server_challenge(CryptoKey& secret, uint64_t server_challenge, uint64_t client_challenge, - uint64_t *key, std::string &error); +void cephx_calc_client_server_challenge(CephContext *cct, + CryptoKey& secret, uint64_t server_challenge, uint64_t client_challenge, + uint64_t *key, std::string &error); /* @@ -219,10 +220,11 @@ struct CephXSessionAuthInfo { extern bool cephx_build_service_ticket_blob(CephContext *cct, - CephXSessionAuthInfo& ticket_info, CephXTicketBlob& blob); + CephXSessionAuthInfo& ticket_info, CephXTicketBlob& blob); -extern void cephx_build_service_ticket_request(uint32_t keys, - bufferlist& request); +extern void cephx_build_service_ticket_request(CephContext *cct, + uint32_t keys, + bufferlist& request); extern bool cephx_build_service_ticket_reply(CephContext *cct, CryptoKey& principal_secret, @@ -425,13 +427,13 @@ extern bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys, #define AUTH_ENC_MAGIC 0xff009cad8826aa55ull template -void decode_decrypt_enc_bl(T& t, CryptoKey key, bufferlist& bl_enc, +void decode_decrypt_enc_bl(CephContext *cct, T& t, CryptoKey key, bufferlist& bl_enc, std::string &error) { uint64_t magic; bufferlist bl; - key.decrypt(bl_enc, bl, error); + key.decrypt(cct, bl_enc, bl, error); if (!error.empty()) return; @@ -450,7 +452,7 @@ void decode_decrypt_enc_bl(T& t, CryptoKey key, bufferlist& bl_enc, } template -void encode_encrypt_enc_bl(const T& t, const CryptoKey& key, +void encode_encrypt_enc_bl(CephContext *cct, const T& t, const CryptoKey& key, bufferlist& out, std::string &error) { bufferlist bl; @@ -460,24 +462,24 @@ void encode_encrypt_enc_bl(const T& t, const CryptoKey& key, ::encode(magic, bl); ::encode(t, bl); - key.encrypt(bl, out, error); + key.encrypt(cct, bl, out, error); } template -void decode_decrypt(T& t, const CryptoKey key, +void decode_decrypt(CephContext *cct, T& t, const CryptoKey key, bufferlist::iterator& iter, std::string &error) { bufferlist bl_enc; ::decode(bl_enc, iter); - decode_decrypt_enc_bl(t, key, bl_enc, error); + decode_decrypt_enc_bl(cct, t, key, bl_enc, error); } template -void encode_encrypt(const T& t, const CryptoKey& key, +void encode_encrypt(CephContext *cct, const T& t, const CryptoKey& key, bufferlist& out, std::string &error) { bufferlist bl_enc; - encode_encrypt_enc_bl(t, key, bl_enc, error); + encode_encrypt_enc_bl(cct, t, key, bl_enc, error); if (!error.empty()) return; ::encode(bl_enc, out); diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc index da7dbf17de7ae..c5d91d98bcac0 100644 --- a/src/auth/cephx/CephxServiceHandler.cc +++ b/src/auth/cephx/CephxServiceHandler.cc @@ -75,7 +75,7 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist uint64_t expected_key; std::string error; - cephx_calc_client_server_challenge(secret, server_challenge, + cephx_calc_client_server_challenge(cct, secret, server_challenge, req.client_challenge, &expected_key, error); if (!error.empty()) { ldout(cct, 0) << " cephx_calc_client_server_challenge error: " << error << dendl; diff --git a/src/common/ceph_context.cc b/src/common/ceph_context.cc index 97005ac77cfe5..e4345e64d5b71 100644 --- a/src/common/ceph_context.cc +++ b/src/common/ceph_context.cc @@ -25,6 +25,7 @@ #include "common/lockdep.h" #include "common/Formatter.h" #include "log/Log.h" +#include "auth/Crypto.h" #include #include @@ -228,7 +229,9 @@ CephContext::CephContext(uint32_t module_type_) _admin_socket(NULL), _perf_counters_collection(NULL), _perf_counters_conf_obs(NULL), - _heartbeat_map(NULL) + _heartbeat_map(NULL), + _crypto_none(NULL), + _crypto_aes(NULL) { pthread_spin_init(&_service_thread_lock, PTHREAD_PROCESS_SHARED); @@ -254,6 +257,9 @@ CephContext::CephContext(uint32_t module_type_) _admin_socket->register_command("log flush", _admin_hook, "flush log entries to log file"); _admin_socket->register_command("log dump", _admin_hook, "dump recent log entries to log file"); _admin_socket->register_command("log reopen", _admin_hook, "reopen log file"); + + _crypto_none = new CryptoNone; + _crypto_aes = new CryptoAES; } CephContext::~CephContext() @@ -297,6 +303,8 @@ CephContext::~CephContext() delete _conf; pthread_spin_destroy(&_service_thread_lock); + delete _crypto_none; + delete _crypto_aes; } void CephContext::start_service_thread() @@ -362,3 +370,15 @@ AdminSocket *CephContext::get_admin_socket() { return _admin_socket; } + +CryptoHandler *CephContext::get_crypto_handler(int type) +{ + switch (type) { + case CEPH_CRYPTO_NONE: + return _crypto_none; + case CEPH_CRYPTO_AES: + return _crypto_aes; + default: + return NULL; + } +} diff --git a/src/common/ceph_context.h b/src/common/ceph_context.h index bb38053c49a8a..7ace17fa9bd9e 100644 --- a/src/common/ceph_context.h +++ b/src/common/ceph_context.h @@ -27,6 +27,9 @@ class PerfCountersCollection; class md_config_obs_t; class md_config_t; class CephContextHook; +class CryptoNone; +class CryptoAES; +class CryptoHandler; namespace ceph { class HeartbeatMap; @@ -96,6 +99,11 @@ public: */ void do_command(std::string command, std::string args, bufferlist *out); + /** + * get a crypto handler + */ + CryptoHandler *get_crypto_handler(int type); + private: CephContext(const CephContext &rhs); CephContext &operator=(const CephContext &rhs); @@ -126,6 +134,10 @@ private: CephContextHook *_admin_hook; ceph::HeartbeatMap *_heartbeat_map; + + // crypto + CryptoNone *_crypto_none; + CryptoAES *_crypto_aes; }; #endif diff --git a/src/test/crypto.cc b/src/test/crypto.cc index 7c56260b31063..85150ef80a966 100644 --- a/src/test/crypto.cc +++ b/src/test/crypto.cc @@ -17,7 +17,7 @@ public: ::testing::Environment* const crypto_env = ::testing::AddGlobalTestEnvironment(new CryptoEnvironment); TEST(AES, ValidateSecret) { - CryptoHandler *h = get_crypto_handler(CEPH_CRYPTO_AES); + CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES); int l; for (l=0; l<16; l++) { @@ -36,7 +36,7 @@ TEST(AES, ValidateSecret) { } TEST(AES, Encrypt) { - CryptoHandler *h = get_crypto_handler(CEPH_CRYPTO_AES); + CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES); char secret_s[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, @@ -72,7 +72,7 @@ TEST(AES, Encrypt) { } TEST(AES, Decrypt) { - CryptoHandler *h = get_crypto_handler(CEPH_CRYPTO_AES); + CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES); char secret_s[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, @@ -125,7 +125,7 @@ TEST(AES, Loop) { for (int i=0; i<10000; i++) { bufferlist cipher; { - CryptoHandler *h = get_crypto_handler(CEPH_CRYPTO_AES); + CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES); std::string error; h->encrypt(secret, plaintext, cipher, error); @@ -134,7 +134,7 @@ TEST(AES, Loop) { plaintext.clear(); { - CryptoHandler *h = get_crypto_handler(CEPH_CRYPTO_AES); + CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES); std::string error; h->decrypt(secret, cipher, plaintext, error); ASSERT_EQ(error, ""); diff --git a/src/testcrypto.cc b/src/testcrypto.cc index 3237f3c8b8358..0b7a9d5474250 100644 --- a/src/testcrypto.cc +++ b/src/testcrypto.cc @@ -25,7 +25,7 @@ int main(int argc, char *argv[]) bufferlist enc_out; std::string error; - key.encrypt(enc_in, enc_out, error); + key.encrypt(g_ceph_context, enc_in, enc_out, error); if (!error.empty()) { dout(0) << "couldn't encode! error " << error << dendl; exit(1); @@ -42,7 +42,7 @@ int main(int argc, char *argv[]) dec_in = enc_out; - key.decrypt(dec_in, dec_out, error); + key.decrypt(g_ceph_context, dec_in, dec_out, error); if (!error.empty()) { dout(0) << "couldn't decode! error " << error << dendl; exit(1); -- 2.39.5