From 4a90754aff4ed7aad0a0c5b30e095770a6e0675d Mon Sep 17 00:00:00 2001
From: Yehuda Sadeh
Date: Mon, 17 Mar 2025 02:56:32 -0400
Subject: [PATCH] auth: aes256krb5: add confounder config for unitests
Signed-off-by: Yehuda Sadeh
---
 src/auth/Crypto.cc | 31 +++++++++++++++++++++++--------
 src/auth/Crypto.h | 8 ++++++++
 src/test/crypto.cc | 27 ++++++++++++++++-----------
 3 files changed, 47 insertions(+), 19 deletions(-)
diff --git a/src/auth/Crypto.cc b/src/auth/Crypto.cc
index b701ca2743f..4cd328b97ae 100644
--- a/src/auth/Crypto.cc
+++ b/src/auth/Crypto.cc
@@ -745,9 +745,10 @@ public:
 return 0;
 }
- int encrypt(CephContext *cct, const ceph::bufferlist& in,
- ceph::bufferlist& out,
- std::string* /* unused */) const override {
+ int encrypt_ext(CephContext *cct, const ceph::bufferlist& in,
+ const ceph::bufferlist *confounder,
+ ceph::bufferlist& out,
+ std::string* /* unused */) const override {
 ldout(cct, 20) << "CryptoAES256KRB5KeyHandler::encrypt()" << dendl;
 // encrypted (confounder | data) | hash
 ceph::bufferptr out_tmp{static_cast(
@@ -757,13 +758,21 @@ public:
 char *aes_enc = out_tmp.c_str();
 int aes_enc_len = AES256KRB5_BLOCK_LEN + in.length();
- /* plaintext confounder */
- bufferptr confounder(AES256KRB5_BLOCK_LEN);
- cct->random()->get_bytes(confounder.c_str(), confounder.length());
+ ceph::bufferlist incopy;
+ bufferptr confounder_buf(AES256KRB5_BLOCK_LEN);
+
+ if (!confounder) {
+ cct->random()->get_bytes(confounder_buf.c_str(), confounder_buf.length());
+ incopy.append(confounder_buf);
+ } else {
+ if (confounder->length() != AES256KRB5_BLOCK_LEN) {
+ ldout(cct, 0) << "ERROR: confounder length is expected to be equal to block size (" << AES256KRB5_BLOCK_LEN << ")" << dendl;
+ return -EINVAL;
+ }
+ incopy.append(*confounder);
+ }
 // combine confounder with input data
- ceph::bufferlist incopy;
- incopy.append(confounder);
 incopy.append(in);
 // reinitialize IV each time. It might be unnecessary depending on
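Review bot: The `else` branch of `encrypt_ext` makes encryption deterministic for a fixed key whenever a caller supplies a confounder: the only call to `cct->random()` in this path is the one it skips, and the `// reinitialize IV each time` comment hints the IV is not fresh randomness either, so the confounder is presumably the sole per-message nonce — worth confirming. Nothing in the code confines that branch to tests, so add above `if (!confounder) {` a comment such as `// A non-null confounder is for known-answer unit tests only: it makes the ciphertext deterministic and must never be passed on a production path.`, and if the project has a test-only assertion mechanism, consider guarding the branch with it. Two smaller points: `confounder_buf` is allocated even when the caller supplies a confounder and could move inside the `if (!confounder)` branch, and the `ldout(cct, 20)` trace still names `encrypt()` although the function is now `encrypt_ext()`. The `return -EINVAL` path also leaves the `std::string*` error out-parameter (marked `/* unused */` in the signature) untouched, so callers only see an errno with no message. The body of encrypt_ext continues outside the hunk.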
@@ -866,6 +875,12 @@ public: return 0; } + + int encrypt(CephContext *cct, const ceph::bufferlist& in, + ceph::bufferlist& out, + std::string* unused) const override { + return encrypt_ext(cct, in, nullptr, out, unused); + } }; diff --git a/src/auth/Crypto.h b/src/auth/Crypto.h index 4b10234de0e..5d98774f622 100644 --- a/src/auth/Crypto.h +++ b/src/auth/Crypto.h @@ -73,6 +73,14 @@ public: virtual int encrypt(CephContext *cct, const ceph::buffer::list& in, ceph::buffer::list& out, std::string *error) const = 0; + + /* should either used internally, or for unitests. Confounder should be nullptr otherwise */ + virtual int encrypt_ext(CephContext *cct, + const ceph::buffer::list& in, + const ceph::buffer::list *confounder, + ceph::buffer::list& out, std::string *error) const { + return -ENOTSUP; + } virtual int decrypt(CephContext *cct, const ceph::buffer::list& in, ceph::buffer::list& out, std::string *error) const = 0; diff --git a/src/test/crypto.cc b/src/test/crypto.cc index d09d301e283..6ff91293511 100644 --- a/src/test/crypto.cc +++ b/src/test/crypto.cc @@ -24,7 +24,7 @@ public: }; TEST(AES, ValidateSecret) { - CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES); + auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES); int l; for (l=0; l<16; l++) { @@ -43,7 +43,7 @@ TEST(AES, ValidateSecret) { } TEST(AES, Encrypt) { - CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES); + auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES); char secret_s[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, @@ -83,7 +83,7 @@ TEST(AES, Encrypt) { } TEST(AES, EncryptNoBl) { - CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES); + auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES); char secret_s[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 
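Review bot: The default `encrypt_ext` body in Crypto.h names all five parameters but uses none of them, which will raise `-Wunused-parameter` in every translation unit including the header on a `-Wextra` build; either drop the names, as the file's own `std::string* /* unused */` idiom does, or mark them `[[maybe_unused]]`. The comment above it reads `should either used internally` (missing "be"), and it should say why the restriction exists rather than just state it, e.g. `/* A non-null confounder makes the ciphertext deterministic; only known-answer unit tests may pass one. Production callers use encrypt() or pass nullptr. */`. `return -ENOTSUP;` also requires `errno.h`/`<cerrno>` to be in scope in this header; the hunk does not show the include list, so confirm it is already pulled in.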
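Review bot: In ValidateSecret the new `auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);` is dereferenced with no check that the lookup succeeded, and since the type is now hidden behind `auto`, a null or empty handle would surface as a crash rather than a test failure; assuming `get_handler` returns a pointer or smart pointer, add `ASSERT_NE(h, nullptr);` directly after the assignment, and do the same in the other test hunks that make the identical change. This migration from `get_crypto_handler()` to `get_crypto_manager()->get_handler()` is unrelated to the confounder work named in the subject and is not mentioned in the commit message; one sentence there, or a separate commit, would make the history easier to bisect. The test body continues past the hunk.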
@@ -127,7 +127,7 @@ TEST(AES, EncryptNoBl) { } TEST(AES, Decrypt) { - CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES); + auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES); char secret_s[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, @@ -167,7 +167,7 @@ TEST(AES, Decrypt) { } TEST(AES, DecryptNoBl) { - CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES); + auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES); const char secret_s[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, @@ -204,7 +204,7 @@ TEST(AES, DecryptNoBl) { template static void aes_loop_cephx() { - CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES); + auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES); CryptoRandom random; @@ -261,7 +261,7 @@ static void aes_loop(const std::size_t text_size) { for (int i=0; i<10000; i++) { bufferlist cipher; { - CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES); + auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES); std::string error; CryptoKeyHandler *kh = h->get_key_handler(secret, error); @@ -274,7 +274,7 @@ static void aes_loop(const std::size_t text_size) { plaintext.clear(); { - CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES); + auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES); std::string error; CryptoKeyHandler *ckh = h->get_key_handler(secret, error); int r = ckh->decrypt(g_ceph_context, cipher, plaintext, &error); 
@@ -358,7 +358,7 @@ static void dump_buf(string title, const unsigned char *buf, int len) TEST(AES256KRB5, Encrypt) { - CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES256KRB5); + auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES256KRB5); unsigned char secret_s[] = { 0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D, 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98, 0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0, 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52 }; @@ -370,10 +370,15 @@ TEST(AES256KRB5, Encrypt) { bufferlist plaintext; plaintext.append((char *)plaintext_s, sizeof(plaintext_s)); + unsigned char confounder_data[] = { 0xB8, 0x0D, 0x32, 0x51, 0xC1, 0xF6, 0x47, 0x14, 0x94, 0x25, 0x6F, 0xFE, 0x71, 0x2D, 0x0B, 0x9A }; + + bufferlist confounder; + confounder.append((const char *)confounder_data, sizeof(confounder_data)); + bufferlist cipher; std::string error; CryptoKeyHandler *kh = h->get_key_handler(secret, error); - int r = kh->encrypt(g_ceph_context, plaintext, cipher, &error); + int r = kh->encrypt_ext(g_ceph_context, plaintext, &confounder, cipher, &error); ASSERT_EQ(r, 0); ASSERT_EQ(error, ""); @@ -398,7 +403,7 @@ TEST(AES256KRB5, Encrypt) { } TEST(AES256KRB5, Decrypt) { - CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES256KRB5); + auto h = g_ceph_context->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES256KRB5); unsigned char secret_s[] = { 0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D, 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98, 0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0, 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52 }; -- 2.39.5
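Review bot: The fixed `confounder_data` array in AES256KRB5.Encrypt carries no note on its provenance; together with `secret_s` it appears to match the aes256-cts-hmac-sha384-192 sample encryption in RFC 8009, and the test only has value as a known-answer test if that is recorded, e.g. `// Key and confounder from the RFC 8009 aes256-cts-hmac-sha384-192 sample encryption; fixing the confounder is what makes the ciphertext comparable to the published vector.` above the array. The length check added to `encrypt_ext` is not exercised anywhere: after the successful call add `bufferlist bad; bad.append("short", 5);` followed by `ASSERT_EQ(kh->encrypt_ext(g_ceph_context, plaintext, &bad, cipher, &error), -EINVAL);`. `ASSERT_EQ(error, "")` after the `encrypt_ext` call checks a string this handler never writes (its error parameter is `/* unused */` in Crypto.cc), so it verifies nothing and may mislead a reader into thinking error reporting is covered. The remainder of the test, including the ciphertext comparison, lies outside the hunk.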