From 446e6c233aac142aa4f287cd898530a537b9ce6f Mon Sep 17 00:00:00 2001 From: Yehuda Sadeh Date: Mon, 24 Feb 2025 16:31:42 -0500 Subject: [PATCH] auth: propagate ceph context to encrypt/decrypt Signed-off-by: Yehuda Sadeh (cherry picked from commit c73c75d34051cef09e9695dcf85a24a4d024faaf) --- src/auth/Crypto.cc | 18 ++++++++++-------- src/auth/Crypto.h | 24 ++++++++++++++---------- src/rgw/rgw_rest_s3.cc | 2 +- src/rgw/rgw_sts.cc | 2 +- 4 files changed, 26 insertions(+), 20 deletions(-) diff --git a/src/auth/Crypto.cc b/src/auth/Crypto.cc index 5d68d3470bc..dd0fa959ff9 100644 --- a/src/auth/Crypto.cc +++ b/src/auth/Crypto.cc @@ -149,6 +149,7 @@ int CryptoRandom::open_urandom() // interface. std::size_t CryptoKeyHandler::encrypt( + CephContext *cct, const CryptoKeyHandler::in_slice_t& in, const CryptoKeyHandler::out_slice_t& out) const { @@ -158,7 +159,7 @@ std::size_t CryptoKeyHandler::encrypt( ceph::bufferlist ciphertext; std::string error; - const int ret = encrypt(plaintext, ciphertext, &error); + const int ret = encrypt(cct, plaintext, ciphertext, &error); if (ret != 0 || !error.empty()) { throw std::runtime_error(std::move(error)); } @@ -173,6 +174,7 @@ std::size_t CryptoKeyHandler::encrypt( } std::size_t CryptoKeyHandler::decrypt( + CephContext *cct, const CryptoKeyHandler::in_slice_t& in, const CryptoKeyHandler::out_slice_t& out) const { @@ -182,7 +184,7 @@ std::size_t CryptoKeyHandler::decrypt( ceph::bufferlist plaintext; std::string error; - const int ret = decrypt(ciphertext, plaintext, &error); + const int ret = decrypt(cct, ciphertext, plaintext, &error); if (ret != 0 || !error.empty()) { throw std::runtime_error(std::move(error)); } 
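Review bot: In the `ret != 0 || !error.empty()` check that follows the updated `encrypt(cct, plaintext, ciphertext, &error)` call in the @@ -158 hunk (and the matching `decrypt(cct, ...)` call in the @@ -182 hunk), a non-zero `ret` with an empty `error` throws a `std::runtime_error` whose message is empty, so the failure code never reaches the caller; the commit keeps that contract while changing the call. Filling the message when the implementation supplied none, e.g. `if (ret != 0 && error.empty()) error = "encrypt failed, ret=" + std::to_string(ret);` placed before the throw (and the `decrypt` counterpart), would keep the diagnostic. The handler implementations visible in this patch appear to return 0, so this is defensive rather than a currently reproducible loss. Both wrapper bodies continue past their hunks.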
@@ -221,12 +223,12 @@ public: using CryptoKeyHandler::encrypt; using CryptoKeyHandler::decrypt; - int encrypt(const bufferlist& in, + int encrypt(CephContext *cct, const bufferlist& in, bufferlist& out, std::string *error) const override { out = in; return 0; } - int decrypt(const bufferlist& in, + int decrypt(CephContext *cct, const bufferlist& in, bufferlist& out, std::string *error) const override { out = in; return 0; @@ -302,7 +304,7 @@ public: return 0; } - int encrypt(const ceph::bufferlist& in, + int encrypt(CephContext *cct, const ceph::bufferlist& in, ceph::bufferlist& out, std::string* /* unused */) const override { // we need to take into account the PKCS#7 padding. There *always* will @@ -344,7 +346,7 @@ public: return 0; } - int decrypt(const ceph::bufferlist& in, + int decrypt(CephContext *cct, const ceph::bufferlist& in, ceph::bufferlist& out, std::string* /* unused */) const override { // PKCS#7 padding enlarges even empty plain-text to take 16 bytes. @@ -376,7 +378,7 @@ public: return 0; } - std::size_t encrypt(const in_slice_t& in, + std::size_t encrypt(CephContext *cct, const in_slice_t& in, const out_slice_t& out) const override { if (out.buf == nullptr) { // 16 + p2align(10, 16) -> 16 @@ -417,7 +419,7 @@ public: return main_encrypt_size + tail_encrypt_size; } - std::size_t decrypt(const in_slice_t& in, + std::size_t decrypt(CephContext *cct, const in_slice_t& in, const out_slice_t& out) const override { if (in.length % AES_BLOCK_LEN != 0 || in.length < AES_BLOCK_LEN) { throw std::runtime_error("input not aligned to AES_BLOCK_LEN"); diff --git a/src/auth/Crypto.h b/src/auth/Crypto.h index 3ce655a1256..7c5ffc1fef3 100644 --- a/src/auth/Crypto.h +++ b/src/auth/Crypto.h 
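Review bot: The `CephContext *cct` parameter added to the identity handler's `encrypt`/`decrypt` overrides in the @@ -221 hunk is never read — the whole body, `out = in; return 0;`, is inside the hunk — and the same appears to hold for the AES overrides in the @@ -302, -344, -376 and -417 hunks unless their bodies use it further down, outside the hunk. The file already marks unused parameters in these very signatures with a comment (`std::string* /* unused */`); following that convention with `CephContext * /* cct */,` or `[[maybe_unused]] CephContext *cct,` would avoid `-Wunused-parameter` noise and tell readers the context is accepted only to satisfy the interface. The enclosing handler classes start before their hunks.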
@@ -70,16 +70,20 @@ public: virtual ~CryptoKeyHandler() {} - virtual int encrypt(const ceph::buffer::list& in, + virtual int encrypt(CephContext *cct, + const ceph::buffer::list& in, ceph::buffer::list& out, std::string *error) const = 0; - virtual int decrypt(const ceph::buffer::list& in, + virtual int decrypt(CephContext *cct, + const ceph::buffer::list& in, ceph::buffer::list& out, std::string *error) const = 0; // TODO: provide nullptr in the out::buf to get/estimate size requirements? // Or maybe dedicated methods? - virtual std::size_t encrypt(const in_slice_t& in, + virtual std::size_t encrypt(CephContext *cct, + const in_slice_t& in, const out_slice_t& out) const; - virtual std::size_t decrypt(const in_slice_t& in, + virtual std::size_t decrypt(CephContext *cct, + const in_slice_t& in, const out_slice_t& out) const; sha256_digest_t hmac_sha256(const ceph::bufferlist& in) const; @@ -160,27 +164,27 @@ public: ceph::buffer::list& out, std::string *error) const { ceph_assert(ckh); // Bad key? - return ckh->encrypt(in, out, error); + return ckh->encrypt(cct, in, out, error); } int decrypt(CephContext *cct, const ceph::buffer::list& in, ceph::buffer::list& out, std::string *error) const { ceph_assert(ckh); // Bad key? - return ckh->decrypt(in, out, error); + return ckh->decrypt(cct, in, out, error); } using in_slice_t = CryptoKeyHandler::in_slice_t; using out_slice_t = CryptoKeyHandler::out_slice_t; - std::size_t encrypt(CephContext*, const in_slice_t& in, + std::size_t encrypt(CephContext *cct, const in_slice_t& in, const out_slice_t& out) { ceph_assert(ckh); - return ckh->encrypt(in, out); + return ckh->encrypt(cct, in, out); } - std::size_t decrypt(CephContext*, const in_slice_t& in, + std::size_t decrypt(CephContext *cct, const in_slice_t& in, const out_slice_t& out) { ceph_assert(ckh); - return ckh->encrypt(in, out); + return ckh->encrypt(cct, in, out); } sha256_digest_t hmac_sha256(CephContext*, const ceph::buffer::list& in) { 
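Review bot: The new `CephContext *cct` first parameter on the pure-virtual `encrypt`/`decrypt` and on the two slice-based virtuals in this hunk is undocumented: nothing in the header says what an implementation may use it for or whether callers may pass `nullptr`, and the existing `// TODO` above the slice overloads is the only comment nearby. A one-line comment above the four declarations would settle that for implementors, e.g. `// cct: the caller's CephContext, forwarded unchanged to the key-handler implementation.` followed by a line stating the nullptr policy once it is decided. The commit message only says the context is propagated, so the intended use is inferred here rather than shown by the patch. The `CryptoKeyHandler` class declaration starts before the hunk.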
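Review bot: `CryptoKey::decrypt(CephContext *cct, const in_slice_t& in, const out_slice_t& out)` in the @@ -160 hunk still forwards to `ckh->encrypt(cct, in, out)`; the commit rewrote that return line to add `cct` but kept the wrong handler method, so the slice-based decrypt encrypts its input instead of decrypting it. It should read `return ckh->decrypt(cct, in, out);`. Any caller of this overload receives ciphertext rather than plaintext, so a small encrypt-then-decrypt round-trip test of the slice overloads through `CryptoKey` would catch the regression; the bufferlist-based `decrypt` wrapper just above forwards correctly. The enclosing `CryptoKey` class declaration starts before the hunk.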
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index 0ff827f22e6..05f9a828843 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -7034,7 +7034,7 @@ rgw::auth::s3::STSEngine::get_session_token(const DoutPrefixProvider* dpp, const buffer::list en_input, dec_output; en_input = buffer::list::static_from_string(decodedSessionToken); - ret = keyhandler->decrypt(en_input, dec_output, &error); + ret = keyhandler->decrypt(cct, en_input, dec_output, &error); if (ret < 0) { ldpp_dout(dpp, 0) << "ERROR: Decryption failed: " << error << dendl; return -EPERM; diff --git a/src/rgw/rgw_sts.cc b/src/rgw/rgw_sts.cc index 951af012b48..6c025ddd52f 100644 --- a/src/rgw/rgw_sts.cc +++ b/src/rgw/rgw_sts.cc @@ -140,7 +140,7 @@ int Credentials::generateCredentials(const DoutPrefixProvider *dpp, buffer::list input, enc_output; encode(token, input); - if (ret = keyhandler->encrypt(input, enc_output, &error); ret < 0) { + if (ret = keyhandler->encrypt(cct, input, enc_output, &error); ret < 0) { ldpp_dout(dpp, 0) << "ERROR: Encrypting session token returned an error !" << dendl; return ret; } -- 2.39.5
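Review bot: The updated `keyhandler->decrypt(cct, en_input, dec_output, &error)` call treats only `ret < 0` as failure, whereas the `CryptoKeyHandler` slice wrappers changed in Crypto.cc by this same patch treat `ret != 0 || !error.empty()` as failure; the same `ret < 0` test follows the `keyhandler->encrypt(cct, input, enc_output, &error)` call in the rgw_sts.cc hunk. If an implementation ever reports a problem through `error` with a zero return, the session token would be accepted here, or emitted in `generateCredentials`, with nothing logged. Aligning both callers with the wrapper, `if (ret != 0 || !error.empty()) {`, keeps a single failure contract; the handlers visible in this patch return 0 and leave `error` untouched, so this is consistency hardening rather than a reproducible fault. `get_session_token` and `generateCredentials` both begin before their hunks.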