From 6e22a8034332e0a2d8d9e6723ae5eebbdbb425ef Mon Sep 17 00:00:00 2001
From: Yehuda Sadeh
Date: Mon, 24 Feb 2025 16:31:42 -0500
Subject: [PATCH] auth: propagate ceph context to encrypt/decrypt

Signed-off-by: Yehuda Sadeh
---
 src/auth/Crypto.cc | 18 ++++++++++--------
 src/auth/Crypto.h | 24 ++++++++++++++----------
 src/rgw/rgw_rest_s3.cc | 2 +-
 src/rgw/rgw_sts.cc | 2 +-
 4 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/src/auth/Crypto.cc b/src/auth/Crypto.cc
index 6f9cf7cb68c..e47997a7be1 100644
--- a/src/auth/Crypto.cc
+++ b/src/auth/Crypto.cc
@@ -150,6 +150,7 @@ int CryptoRandom::open_urandom()
 // interface.
 std::size_t CryptoKeyHandler::encrypt(
+ CephContext *cct,
 const CryptoKeyHandler::in_slice_t& in,
 const CryptoKeyHandler::out_slice_t& out) const
 {
@@ -159,7 +160,7 @@ std::size_t CryptoKeyHandler::encrypt(
 ceph::bufferlist ciphertext;
 std::string error;
- const int ret = encrypt(plaintext, ciphertext, &error);
+ const int ret = encrypt(cct, plaintext, ciphertext, &error);
 if (ret != 0 || !error.empty()) {
 throw std::runtime_error(std::move(error));
 }
@@ -174,6 +175,7 @@ std::size_t CryptoKeyHandler::encrypt(
 }
 std::size_t CryptoKeyHandler::decrypt(
+ CephContext *cct,
 const CryptoKeyHandler::in_slice_t& in,
 const CryptoKeyHandler::out_slice_t& out) const
 {
@@ -183,7 +185,7 @@ std::size_t CryptoKeyHandler::decrypt(
 ceph::bufferlist plaintext;
 std::string error;
- const int ret = decrypt(ciphertext, plaintext, &error);
+ const int ret = decrypt(cct, ciphertext, plaintext, &error);
 if (ret != 0 || !error.empty()) {
 throw std::runtime_error(std::move(error));
 }
@@ -222,12 +224,12 @@ public:
 using CryptoKeyHandler::encrypt;
 using CryptoKeyHandler::decrypt;
- int encrypt(const bufferlist& in,
+ int encrypt(CephContext *cct, const bufferlist& in,
 bufferlist& out, std::string *error) const override {
 out = in;
 return 0;
 }
- int decrypt(const bufferlist& in,
+ int decrypt(CephContext *cct, const bufferlist& in,
 bufferlist& out, std::string *error) const override {
 out = in;
 return 0;
@@ -303,7 +305,7 @@ public:
 return 0;
 }
- int encrypt(const ceph::bufferlist& in,
+ int encrypt(CephContext *cct, const ceph::bufferlist& in,
 ceph::bufferlist& out, std::string* /* unused */) const override {
 // we need to take into account the PKCS#7 padding. There *always* will
@@ -345,7 +347,7 @@ public:
 return 0;
 }
- int decrypt(const ceph::bufferlist& in,
+ int decrypt(CephContext *cct, const ceph::bufferlist& in,
 ceph::bufferlist& out, std::string* /* unused */) const override {
 // PKCS#7 padding enlarges even empty plain-text to take 16 bytes.
@@ -377,7 +379,7 @@ public:
 return 0;
 }
- std::size_t encrypt(const in_slice_t& in,
+ std::size_t encrypt(CephContext *cct, const in_slice_t& in,
 const out_slice_t& out) const override {
 if (out.buf == nullptr) {
 // 16 + p2align(10, 16) -> 16
@@ -418,7 +420,7 @@ public:
 return main_encrypt_size + tail_encrypt_size;
 }
- std::size_t decrypt(const in_slice_t& in,
+ std::size_t decrypt(CephContext *cct, const in_slice_t& in,
 const out_slice_t& out) const override {
 if (in.length % AES_BLOCK_LEN != 0 || in.length < AES_BLOCK_LEN) {
 throw std::runtime_error("input not aligned to AES_BLOCK_LEN");
diff --git a/src/auth/Crypto.h b/src/auth/Crypto.h
index cc9557912fa..7153a84d845 100644
--- a/src/auth/Crypto.h
+++ b/src/auth/Crypto.h
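Review bot: The new `cct` parameter is named but never used in any override in this file — CryptoNoneKeyHandler::encrypt/decrypt in this hunk and the four CryptoAESKeyHandler overrides at @@ -303, @@ -345, @@ -377 and @@ -418 — so a build with -Wunused-parameter will warn on each, and it departs from the file's own convention of leaving unused parameters unnamed (`std::string* /* unused */` two lines below in the AES overrides). Until a logging or config lookup actually consumes the context, declaring them as `CephContext* /* cct */` keeps the build quiet and makes the "not yet used" status explicit; if the point of the commit is to have the context ready for a follow-up, a one-line comment saying so at the first override would spare the next reader the question. Both class bodies continue outside these hunks.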
@@ -70,16 +70,20 @@ public:
 virtual ~CryptoKeyHandler() {}
- virtual int encrypt(const ceph::buffer::list& in,
+ virtual int encrypt(CephContext *cct,
+ const ceph::buffer::list& in,
 ceph::buffer::list& out, std::string *error) const = 0;
- virtual int decrypt(const ceph::buffer::list& in,
+ virtual int decrypt(CephContext *cct,
+ const ceph::buffer::list& in,
 ceph::buffer::list& out, std::string *error) const = 0;
 // TODO: provide nullptr in the out::buf to get/estimate size requirements?
 // Or maybe dedicated methods?
- virtual std::size_t encrypt(const in_slice_t& in,
+ virtual std::size_t encrypt(CephContext *cct,
+ const in_slice_t& in,
 const out_slice_t& out) const;
- virtual std::size_t decrypt(const in_slice_t& in,
+ virtual std::size_t decrypt(CephContext *cct,
+ const in_slice_t& in,
 const out_slice_t& out) const;
 sha256_digest_t hmac_sha256(const ceph::bufferlist& in) const;
@@ -160,27 +164,27 @@ public:
 ceph::buffer::list& out, std::string *error) const {
 ceph_assert(ckh); // Bad key?
- return ckh->encrypt(in, out, error);
+ return ckh->encrypt(cct, in, out, error);
 }
 int decrypt(CephContext *cct, const ceph::buffer::list& in,
 ceph::buffer::list& out, std::string *error) const {
 ceph_assert(ckh); // Bad key?
- return ckh->decrypt(in, out, error);
+ return ckh->decrypt(cct, in, out, error);
 }
 using in_slice_t = CryptoKeyHandler::in_slice_t;
 using out_slice_t = CryptoKeyHandler::out_slice_t;
- std::size_t encrypt(CephContext*, const in_slice_t& in,
+ std::size_t encrypt(CephContext *cct, const in_slice_t& in,
 const out_slice_t& out) {
 ceph_assert(ckh);
- return ckh->encrypt(in, out);
+ return ckh->encrypt(cct, in, out);
 }
- std::size_t decrypt(CephContext*, const in_slice_t& in,
+ std::size_t decrypt(CephContext *cct, const in_slice_t& in,
 const out_slice_t& out) {
 ceph_assert(ckh);
- return ckh->encrypt(in, out);
+ return ckh->encrypt(cct, in, out);
 }
 sha256_digest_t hmac_sha256(CephContext*, const ceph::buffer::list& in) {
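Review bot: The pure-virtual `encrypt`/`decrypt` declarations gain a `CephContext *cct` parameter with no comment on the contract implementers must honour — whether nullptr is acceptable, whether it is only for logging and config lookup, and whether an implementation may keep the pointer past the call. A short comment above the first declaration would settle that for the overrides in Crypto.cc and any out-of-tree handler, for instance `// cct: caller's context, intended for logging/config lookup during the call; not retained by implementations` — adjusted to whatever is actually decided about nullptr and retention. The class body continues outside the hunk in both directions.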
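Review bot: `CryptoKey::decrypt(CephContext *cct, const in_slice_t& in, const out_slice_t& out)` still forwards to `ckh->encrypt(cct, in, out)` — the commit rewrites exactly that line and keeps the wrong call, so the slice-based decrypt path runs the ciphertext through encryption again instead of decrypting it, while the bufferlist overload just above correctly dispatches to `ckh->decrypt`. Unless some caller depends on this, which nothing visible suggests, the line should read `return ckh->decrypt(cct, in, out);`. A unit test that round-trips encrypt then decrypt through the CryptoKey slice interface would have caught it, since the bufferlist path does not exercise this code. The class body continues outside the hunk.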
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 3cff2110cab..728eef2ecc6 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -7193,7 +7193,7 @@ rgw::auth::s3::STSEngine::get_session_token(const DoutPrefixProvider* dpp, const
 buffer::list en_input, dec_output;
 en_input = buffer::list::static_from_string(decodedSessionToken);
- ret = keyhandler->decrypt(en_input, dec_output, &error);
+ ret = keyhandler->decrypt(cct, en_input, dec_output, &error);
 if (ret < 0) {
 ldpp_dout(dpp, 0) << "ERROR: Decryption failed: " << error << dendl;
 return -EPERM;
diff --git a/src/rgw/rgw_sts.cc b/src/rgw/rgw_sts.cc
index 03e7c6c6401..867cfc544a2 100644
--- a/src/rgw/rgw_sts.cc
+++ b/src/rgw/rgw_sts.cc
@@ -145,7 +145,7 @@ int Credentials::generateCredentials(const DoutPrefixProvider *dpp,
 buffer::list input, enc_output;
 encode(token, input);
- if (ret = keyhandler->encrypt(input, enc_output, &error); ret < 0) {
+ if (ret = keyhandler->encrypt(cct, input, enc_output, &error); ret < 0) {
 ldpp_dout(dpp, 0) << "ERROR: Encrypting session token returned an error !" << dendl;
 return ret;
 }
-- 
2.39.5