From 82da4fb3c8988a8ea2d200a72b5312d9ce1eb947 Mon Sep 17 00:00:00 2001 From: Omri Zeneva Date: Mon, 21 Jun 2021 10:55:54 +0300 Subject: [PATCH] dpp was added instead of ldout and lderr calls Signed-off-by: Omri Zeneva --- src/rgw/rgw_crypt.cc | 100 +++++++++++++++++--------------- src/rgw/rgw_crypt.h | 12 ++-- src/rgw/rgw_kms.cc | 25 ++++---- src/rgw/rgw_kms.h | 6 +- src/rgw/rgw_rest_s3.cc | 10 ++-- src/test/rgw/test_rgw_crypto.cc | 69 +++++++++++++--------- 6 files changed, 126 insertions(+), 96 deletions(-) diff --git a/src/rgw/rgw_crypt.cc b/src/rgw/rgw_crypt.cc index fe82ecd40a6c1..243d2badf556e 100644 --- a/src/rgw/rgw_crypt.cc +++ b/src/rgw/rgw_crypt.cc @@ -33,15 +33,15 @@ using namespace rgw; template class canonical_char_sorter { private: + const DoutPrefixProvider *dpp; const icu::Normalizer2* normalizer; CephContext *cct; - public: - canonical_char_sorter(CephContext *cct) : cct(cct) { + canonical_char_sorter(const DoutPrefixProvider *dpp, CephContext *cct) : dpp(dpp), cct(cct) { UErrorCode status = U_ZERO_ERROR; normalizer = icu::Normalizer2::getNFCInstance(status); if (U_FAILURE(status)) { -lderr(cct) << "ERROR: can't get nfc instance, error = " << status << dendl; + ldpp_dout(this->dpp, -1) << "ERROR: can't get nfc instance, error = " << status << dendl; normalizer = 0; } } @@ -80,7 +80,7 @@ canonical_char_sorter::make_string_canonical (rapidjson::Value &v, rapidjson: const icu::UnicodeString aw{icu::UnicodeString::fromUTF8(as)}; icu::UnicodeString an{normalizer->normalize(aw, status)}; if (U_FAILURE(status)) { - ldout(cct, 5) << "conversion error; code=" << status << + ldpp_dout(this->dpp, 5) << "conversion error; code=" << status << " on string " << as << dendl; return false; } @@ -228,7 +228,7 @@ mec_option options { mec_option::empty }; rgw_obj obj; std::ostringstream oss; - canonical_char_sorter ccs{s->cct}; + canonical_char_sorter ccs{s, s->cct}; obj.bucket.tenant = get_tenant_or_id(s); obj.bucket.name = s->bucket->get_name(); @@ -265,20 +265,20 @@ mec_option::empty }; rapidjson::StringBuffer buf; rapidjson::Writer writer(buf); if (!add_object_to_context(obj, d)) { - lderr(s->cct) << "ERROR: can't add default value to context" << dendl; + ldpp_dout(s, -1) << "ERROR: can't add default value to context" << dendl; s->err.message = "context: internal error adding defaults"; return -ERR_INVALID_REQUEST; } b = make_everything_canonical(d, allocator, ccs, options) == mec_error::success; if (!b) { - lderr(s->cct) << "ERROR: can't make canonical json <" + ldpp_dout(s, -1) << "ERROR: can't make canonical json <" << context << ">" << dendl; s->err.message = "context: can't make canonical"; return -ERR_INVALID_REQUEST; } b = sort_and_write(d, writer, ccs); if (!b) { - ldout(s->cct, 5) << "format error <" << context + ldpp_dout(s, 5) << "format error <" << context << ">: partial.results=" << buf.GetString() << dendl; s->err.message = "unable to reformat json"; return -ERR_INVALID_REQUEST; @@ -288,7 +288,7 @@ mec_option::empty }; } -CryptoAccelRef get_crypto_accel(CephContext *cct) +CryptoAccelRef get_crypto_accel(const DoutPrefixProvider* dpp, CephContext *cct) { CryptoAccelRef ca_impl = nullptr; stringstream ss; @@ -297,12 +297,12 @@ CryptoAccelRef get_crypto_accel(CephContext *cct) CryptoPlugin *factory = dynamic_cast(reg->get_with_load("crypto", crypto_accel_type)); if (factory == nullptr) { - lderr(cct) << __func__ << " cannot load crypto accelerator of type " << crypto_accel_type << dendl; + ldpp_dout(dpp, -1) << __func__ << " cannot load crypto accelerator of type " << crypto_accel_type << dendl; return nullptr; } int err = factory->factory(&ca_impl, &ss); if (err) { - lderr(cct) << __func__ << " factory return error " << err << + ldpp_dout(dpp, -1) << __func__ << " factory return error " << err << " with description: " << ss.str() << dendl; } return ca_impl; @@ -311,7 +311,8 @@ CryptoAccelRef get_crypto_accel(CephContext *cct) template static inline -bool evp_sym_transform(CephContext* const cct, +bool evp_sym_transform(const DoutPrefixProvider* dpp, + CephContext* const cct, const EVP_CIPHER* const type, unsigned char* const out, const unsigned char* const in, @@ -330,7 +331,7 @@ bool evp_sym_transform(CephContext* const cct, if (1 != EVP_CipherInit_ex(pctx.get(), type, nullptr, nullptr, nullptr, encrypt)) { - ldout(cct, 5) << "EVP: failed to 1st initialization stage" << dendl; + ldpp_dout(dpp, 5) << "EVP: failed to 1st initialization stage" << dendl; return false; } @@ -342,13 +343,13 @@ bool evp_sym_transform(CephContext* const cct, ceph_assert(EVP_CIPHER_CTX_key_length(pctx.get()) == KeySizeV); if (1 != EVP_CipherInit_ex(pctx.get(), nullptr, nullptr, key, iv, encrypt)) { - ldout(cct, 5) << "EVP: failed to 2nd initialization stage" << dendl; + ldpp_dout(dpp, 5) << "EVP: failed to 2nd initialization stage" << dendl; return false; } // disable padding if (1 != EVP_CIPHER_CTX_set_padding(pctx.get(), 0)) { - ldout(cct, 5) << "EVP: cannot disable PKCS padding" << dendl; + ldpp_dout(dpp, 5) << "EVP: cannot disable PKCS padding" << dendl; return false; } @@ -356,14 +357,14 @@ bool evp_sym_transform(CephContext* const cct, int written = 0; ceph_assert(size <= static_cast(std::numeric_limits::max())); if (1 != EVP_CipherUpdate(pctx.get(), out, &written, in, size)) { - ldout(cct, 5) << "EVP: EVP_CipherUpdate failed" << dendl; + ldpp_dout(dpp, 5) << "EVP: EVP_CipherUpdate failed" << dendl; return false; } int finally_written = 0; static_assert(sizeof(*out) == 1); if (1 != EVP_CipherFinal_ex(pctx.get(), out + written, &finally_written)) { - ldout(cct, 5) << "EVP: EVP_CipherFinal_ex failed" << dendl; + ldpp_dout(dpp, 5) << "EVP: EVP_CipherFinal_ex failed" << dendl; return false; } @@ -403,12 +404,13 @@ public: static const size_t AES_256_KEYSIZE = 256 / 8; static const size_t AES_256_IVSIZE = 128 / 8; static const size_t CHUNK_SIZE = 4096; + const DoutPrefixProvider* dpp; private: static const uint8_t IV[AES_256_IVSIZE]; CephContext* cct; uint8_t key[AES_256_KEYSIZE]; public: - explicit AES_256_CBC(CephContext* cct): cct(cct) { + explicit AES_256_CBC(const DoutPrefixProvider* dpp, CephContext* cct): dpp(dpp), cct(cct) { } ~AES_256_CBC() { ::ceph::crypto::zeroize_for_security(key, AES_256_KEYSIZE); @@ -432,7 +434,7 @@ public: bool encrypt) { return evp_sym_transform( - cct, EVP_aes_256_cbc(), out, in, size, iv, key, encrypt); + dpp, cct, EVP_aes_256_cbc(), out, in, size, iv, key, encrypt); } bool cbc_transform(unsigned char* out, @@ -446,7 +448,7 @@ public: CryptoAccelRef crypto_accel; if (! failed_to_get_crypto.load()) { - crypto_accel = get_crypto_accel(cct); + crypto_accel = get_crypto_accel(this->dpp, cct); if (!crypto_accel) failed_to_get_crypto = true; } @@ -518,11 +520,11 @@ public: } } if (result) { - ldout(cct, 25) << "Encrypted " << size << " bytes"<< dendl; + ldpp_dout(this->dpp, 25) << "Encrypted " << size << " bytes"<< dendl; buf.set_length(size); output.append(buf); } else { - ldout(cct, 5) << "Failed to encrypt" << dendl; + ldpp_dout(this->dpp, 5) << "Failed to encrypt" << dendl; } return result; } @@ -573,11 +575,11 @@ public: } } if (result) { - ldout(cct, 25) << "Decrypted " << size << " bytes"<< dendl; + ldpp_dout(this->dpp, 25) << "Decrypted " << size << " bytes"<< dendl; buf.set_length(size); output.append(buf); } else { - ldout(cct, 5) << "Failed to decrypt" << dendl; + ldpp_dout(this->dpp, 5) << "Failed to decrypt" << dendl; } return result; } @@ -599,9 +601,9 @@ public: }; -std::unique_ptr AES_256_CBC_create(CephContext* cct, const uint8_t* key, size_t len) +std::unique_ptr AES_256_CBC_create(const DoutPrefixProvider* dpp, CephContext* cct, const uint8_t* key, size_t len) { - auto cbc = std::unique_ptr(new AES_256_CBC(cct)); + auto cbc = std::unique_ptr(new AES_256_CBC(dpp, cct)); cbc->set_key(key, AES_256_KEYSIZE); return cbc; } @@ -611,7 +613,8 @@ const uint8_t AES_256_CBC::IV[AES_256_CBC::AES_256_IVSIZE] = { 'a', 'e', 's', '2', '5', '6', 'i', 'v', '_', 'c', 't', 'r', '1', '3', '3', '7' }; -bool AES_256_ECB_encrypt(CephContext* cct, +bool AES_256_ECB_encrypt(const DoutPrefixProvider* dpp, + CephContext* cct, const uint8_t* key, size_t key_size, const uint8_t* data_in, @@ -620,19 +623,22 @@ bool AES_256_ECB_encrypt(CephContext* cct, { if (key_size == AES_256_KEYSIZE) { return evp_sym_transform( - cct, EVP_aes_256_ecb(), data_out, data_in, data_size, + dpp, cct, EVP_aes_256_ecb(), data_out, data_in, data_size, nullptr /* no IV in ECB */, key, true /* encrypt */); } else { - ldout(cct, 5) << "Key size must be 256 bits long" << dendl; + ldpp_dout(dpp, 5) << "Key size must be 256 bits long" << dendl; return false; } } -RGWGetObj_BlockDecrypt::RGWGetObj_BlockDecrypt(CephContext* cct, +RGWGetObj_BlockDecrypt::RGWGetObj_BlockDecrypt(const DoutPrefixProvider *dpp, + CephContext* cct, RGWGetObj_Filter* next, - std::unique_ptr crypt): + std::unique_ptr crypt) + : RGWGetObj_Filter(next), + dpp(dpp), cct(cct), crypt(std::move(crypt)), enc_begin_skip(0), @@ -712,7 +718,7 @@ int RGWGetObj_BlockDecrypt::fixup_range(off_t& bl_ofs, off_t& bl_end) { bl_ofs = bl_ofs & ~(block_size - 1); bl_end = ( bl_end & ~(block_size - 1) ) + (block_size - 1); } - ldout(cct, 20) << "fixup_range [" << inp_ofs << "," << inp_end + ldpp_dout(this->dpp, 20) << "fixup_range [" << inp_ofs << "," << inp_end << "] => [" << bl_ofs << "," << bl_end << "]" << dendl; return 0; } @@ -735,7 +741,7 @@ int RGWGetObj_BlockDecrypt::process(bufferlist& in, size_t part_ofs, size_t size } int RGWGetObj_BlockDecrypt::handle_data(bufferlist& bl, off_t bl_ofs, off_t bl_len) { - ldout(cct, 25) << "Decrypt " << bl_len << " bytes" << dendl; + ldpp_dout(this->dpp, 25) << "Decrypt " << bl_len << " bytes" << dendl; bl.begin(bl_ofs).copy(bl_len, cache); int res = 0; @@ -766,7 +772,7 @@ int RGWGetObj_BlockDecrypt::handle_data(bufferlist& bl, off_t bl_ofs, off_t bl_l * flush remainder of data to output */ int RGWGetObj_BlockDecrypt::flush() { - ldout(cct, 25) << "Decrypt flushing " << cache.length() << " bytes" << dendl; + ldpp_dout(this->dpp, 25) << "Decrypt flushing " << cache.length() << " bytes" << dendl; int res = 0; size_t part_ofs = ofs; for (size_t part : parts_len) { @@ -790,10 +796,12 @@ int RGWGetObj_BlockDecrypt::flush() { return res; } -RGWPutObj_BlockEncrypt::RGWPutObj_BlockEncrypt(CephContext* cct, +RGWPutObj_BlockEncrypt::RGWPutObj_BlockEncrypt(const DoutPrefixProvider *dpp, + CephContext* cct, rgw::sal::DataProcessor *next, std::unique_ptr crypt) : Pipe(next), + dpp(dpp), cct(cct), crypt(std::move(crypt)), block_size(this->crypt->get_block_size()) @@ -802,7 +810,7 @@ RGWPutObj_BlockEncrypt::RGWPutObj_BlockEncrypt(CephContext* cct, int RGWPutObj_BlockEncrypt::process(bufferlist&& data, uint64_t logical_offset) { - ldout(cct, 25) << "Encrypt " << data.length() << " bytes" << dendl; + ldpp_dout(this->dpp, 25) << "Encrypt " << data.length() << " bytes" << dendl; // adjust logical offset to beginning of cached data ceph_assert(logical_offset >= cache.length()); @@ -978,7 +986,7 @@ int rgw_s3_prepare_encrypt(struct req_state* s, set_attr(attrs, RGW_ATTR_CRYPT_KEYMD5, keymd5_bin); if (block_crypt) { - auto aes = std::unique_ptr(new AES_256_CBC(s->cct)); + auto aes = std::unique_ptr(new AES_256_CBC(s, s->cct)); aes->set_key(reinterpret_cast(key_bin.c_str()), AES_256_KEYSIZE); *block_crypt = std::move(aes); } @@ -1042,7 +1050,7 @@ int rgw_s3_prepare_encrypt(struct req_state* s, set_attr(attrs, RGW_ATTR_CRYPT_KEYSEL, key_selector); set_attr(attrs, RGW_ATTR_CRYPT_CONTEXT, cooked_context); std::string actual_key; - res = make_actual_key_from_kms(s->cct, attrs, actual_key); + res = make_actual_key_from_kms(s, s->cct, attrs, actual_key); if (res != 0) { ldpp_dout(s, 5) << "ERROR: failed to retrieve actual key from key_id: " << key_id << dendl; s->err.message = "Failed to retrieve the actual key, kms-keyid: " + std::string(key_id); @@ -1056,7 +1064,7 @@ int rgw_s3_prepare_encrypt(struct req_state* s, } if (block_crypt) { - auto aes = std::unique_ptr(new AES_256_CBC(s->cct)); + auto aes = std::unique_ptr(new AES_256_CBC(s, s->cct)); aes->set_key(reinterpret_cast(actual_key.c_str()), AES_256_KEYSIZE); *block_crypt = std::move(aes); } @@ -1115,7 +1123,7 @@ int rgw_s3_prepare_encrypt(struct req_state* s, set_attr(attrs, RGW_ATTR_CRYPT_KEYSEL, key_selector); uint8_t actual_key[AES_256_KEYSIZE]; - if (AES_256_ECB_encrypt(s->cct, + if (AES_256_ECB_encrypt(s, s->cct, reinterpret_cast(master_encryption_key.c_str()), AES_256_KEYSIZE, reinterpret_cast(key_selector.c_str()), actual_key, AES_256_KEYSIZE) != true) { @@ -1123,7 +1131,7 @@ int rgw_s3_prepare_encrypt(struct req_state* s, return -EIO; } if (block_crypt) { - auto aes = std::unique_ptr(new AES_256_CBC(s->cct)); + auto aes = std::unique_ptr(new AES_256_CBC(s, s->cct)); aes->set_key(reinterpret_cast(actual_key), AES_256_KEYSIZE); *block_crypt = std::move(aes); } @@ -1223,7 +1231,7 @@ int rgw_s3_prepare_decrypt(struct req_state* s, s->err.message = "The calculated MD5 hash of the key did not match the hash that was provided."; return -EINVAL; } - auto aes = std::unique_ptr(new AES_256_CBC(s->cct)); + auto aes = std::unique_ptr(new AES_256_CBC(s, s->cct)); aes->set_key(reinterpret_cast(key_bin.c_str()), AES_256_CBC::AES_256_KEYSIZE); if (block_crypt) *block_crypt = std::move(aes); @@ -1241,7 +1249,7 @@ int rgw_s3_prepare_decrypt(struct req_state* s, /* try to retrieve actual key */ std::string key_id = get_str_attribute(attrs, RGW_ATTR_CRYPT_KEYID); std::string actual_key; - res = reconstitute_actual_key_from_kms(s->cct, attrs, actual_key); + res = reconstitute_actual_key_from_kms(s, s->cct, attrs, actual_key); if (res != 0) { ldpp_dout(s, 10) << "ERROR: failed to retrieve actual key from key_id: " << key_id << dendl; s->err.message = "Failed to retrieve the actual key, kms-keyid: " + key_id; @@ -1254,7 +1262,7 @@ int rgw_s3_prepare_decrypt(struct req_state* s, return -ERR_INVALID_ACCESS_KEY; } - auto aes = std::unique_ptr(new AES_256_CBC(s->cct)); + auto aes = std::unique_ptr(new AES_256_CBC(s, s->cct)); aes->set_key(reinterpret_cast(actual_key.c_str()), AES_256_KEYSIZE); actual_key.replace(0, actual_key.length(), actual_key.length(), '\000'); if (block_crypt) *block_crypt = std::move(aes); @@ -1286,7 +1294,7 @@ int rgw_s3_prepare_decrypt(struct req_state* s, return -EIO; } uint8_t actual_key[AES_256_KEYSIZE]; - if (AES_256_ECB_encrypt(s->cct, + if (AES_256_ECB_encrypt(s, s->cct, reinterpret_cast(master_encryption_key.c_str()), AES_256_KEYSIZE, reinterpret_cast(attr_key_selector.c_str()), @@ -1294,7 +1302,7 @@ int rgw_s3_prepare_decrypt(struct req_state* s, ::ceph::crypto::zeroize_for_security(actual_key, sizeof(actual_key)); return -EIO; } - auto aes = std::unique_ptr(new AES_256_CBC(s->cct)); + auto aes = std::unique_ptr(new AES_256_CBC(s, s->cct)); aes->set_key(actual_key, AES_256_KEYSIZE); ::ceph::crypto::zeroize_for_security(actual_key, sizeof(actual_key)); if (block_crypt) *block_crypt = std::move(aes); diff --git a/src/rgw/rgw_crypt.h b/src/rgw/rgw_crypt.h index f5f46522560e6..45d46faffb9a0 100644 --- a/src/rgw/rgw_crypt.h +++ b/src/rgw/rgw_crypt.h @@ -80,7 +80,8 @@ public: }; static const size_t AES_256_KEYSIZE = 256 / 8; -bool AES_256_ECB_encrypt(CephContext* cct, +bool AES_256_ECB_encrypt(const DoutPrefixProvider* dpp, + CephContext* cct, const uint8_t* key, size_t key_size, const uint8_t* data_in, @@ -88,8 +89,8 @@ bool AES_256_ECB_encrypt(CephContext* cct, size_t data_size); class RGWGetObj_BlockDecrypt : public RGWGetObj_Filter { + const DoutPrefixProvider *dpp; CephContext* cct; - std::unique_ptr crypt; /**< already configured stateless BlockCrypt for operations when enough data is accumulated */ off_t enc_begin_skip; /**< amount of data to skip from beginning of received data */ @@ -103,7 +104,8 @@ class RGWGetObj_BlockDecrypt : public RGWGetObj_Filter { protected: std::vector parts_len; /**< size of parts of multipart object, parsed from manifest */ public: - RGWGetObj_BlockDecrypt(CephContext* cct, + RGWGetObj_BlockDecrypt(const DoutPrefixProvider *dpp, + CephContext* cct, RGWGetObj_Filter* next, std::unique_ptr crypt); virtual ~RGWGetObj_BlockDecrypt(); @@ -121,13 +123,15 @@ public: class RGWPutObj_BlockEncrypt : public rgw::putobj::Pipe { + const DoutPrefixProvider *dpp; CephContext* cct; std::unique_ptr crypt; /**< already configured stateless BlockCrypt for operations when enough data is accumulated */ bufferlist cache; /**< stores extra data that could not (yet) be processed by BlockCrypt */ const size_t block_size; /**< snapshot of \ref BlockCrypt.get_block_size() */ public: - RGWPutObj_BlockEncrypt(CephContext* cct, + RGWPutObj_BlockEncrypt(const DoutPrefixProvider *dpp, + CephContext* cct, rgw::sal::DataProcessor *next, std::unique_ptr crypt); diff --git a/src/rgw/rgw_kms.cc b/src/rgw/rgw_kms.cc index 9b62c689795db..fb2573af2c28e 100644 --- a/src/rgw/rgw_kms.cc +++ b/src/rgw/rgw_kms.cc @@ -741,7 +741,8 @@ static map get_str_map(const string &str) { } -static int get_actual_key_from_conf(CephContext *cct, +static int get_actual_key_from_conf(const DoutPrefixProvider* dpp, + CephContext *cct, std::string_view key_id, std::string_view key_selector, std::string& actual_key) @@ -759,7 +760,7 @@ static int get_actual_key_from_conf(CephContext *cct, try { master_key = from_base64((*it).second); } catch (std::exception&) { - ldout(cct, 5) << "ERROR: get_actual_key_from_conf invalid encryption key id " + ldpp_dout(dpp, 5) << "ERROR: get_actual_key_from_conf invalid encryption key id " << "which contains character that is not base64 encoded." << dendl; return -EINVAL; @@ -767,7 +768,7 @@ static int get_actual_key_from_conf(CephContext *cct, if (master_key.length() == AES_256_KEYSIZE) { uint8_t _actual_key[AES_256_KEYSIZE]; - if (AES_256_ECB_encrypt(cct, + if (AES_256_ECB_encrypt(dpp, cct, reinterpret_cast(master_key.c_str()), AES_256_KEYSIZE, reinterpret_cast(key_selector.data()), _actual_key, AES_256_KEYSIZE)) { @@ -777,7 +778,7 @@ static int get_actual_key_from_conf(CephContext *cct, } ::ceph::crypto::zeroize_for_security(_actual_key, sizeof(_actual_key)); } else { - ldout(cct, 20) << "Wrong size for key=" << key_id << dendl; + ldpp_dout(dpp, 20) << "Wrong size for key=" << key_id << dendl; res = -EIO; } @@ -943,15 +944,16 @@ static int get_actual_key_from_kmip(CephContext *cct, } -int reconstitute_actual_key_from_kms(CephContext *cct, +int reconstitute_actual_key_from_kms(const DoutPrefixProvider* dpp, + CephContext *cct, map& attrs, std::string& actual_key) { std::string key_id = get_str_attribute(attrs, RGW_ATTR_CRYPT_KEYID); std::string kms_backend { cct->_conf->rgw_crypt_s3_kms_backend }; - ldout(cct, 20) << "Getting KMS encryption key for key " << key_id << dendl; - ldout(cct, 20) << "SSE-KMS backend is " << kms_backend << dendl; + ldpp_dout(dpp, 20) << "Getting KMS encryption key for key " << key_id << dendl; + ldpp_dout(dpp, 20) << "SSE-KMS backend is " << kms_backend << dendl; if (RGW_SSE_KMS_BACKEND_BARBICAN == kms_backend) { return get_actual_key_from_barbican(cct, key_id, actual_key); @@ -967,19 +969,20 @@ int reconstitute_actual_key_from_kms(CephContext *cct, if (RGW_SSE_KMS_BACKEND_TESTING == kms_backend) { std::string key_selector = get_str_attribute(attrs, RGW_ATTR_CRYPT_KEYSEL); - return get_actual_key_from_conf(cct, key_id, key_selector, actual_key); + return get_actual_key_from_conf(dpp, cct, key_id, key_selector, actual_key); } - ldout(cct, 0) << "ERROR: Invalid rgw_crypt_s3_kms_backend: " << kms_backend << dendl; + ldpp_dout(dpp, 0) << "ERROR: Invalid rgw_crypt_s3_kms_backend: " << kms_backend << dendl; return -EINVAL; } -int make_actual_key_from_kms(CephContext *cct, +int make_actual_key_from_kms(const DoutPrefixProvider* dpp, + CephContext *cct, map& attrs, std::string& actual_key) { std::string kms_backend { cct->_conf->rgw_crypt_s3_kms_backend }; if (RGW_SSE_KMS_BACKEND_VAULT == kms_backend) return make_actual_key_from_vault(cct, attrs, actual_key); - return reconstitute_actual_key_from_kms(cct, attrs, actual_key); + return reconstitute_actual_key_from_kms(dpp, cct, attrs, actual_key); } diff --git a/src/rgw/rgw_kms.h b/src/rgw/rgw_kms.h index f4e750699120f..3ce03e83ab912 100644 --- a/src/rgw/rgw_kms.h +++ b/src/rgw/rgw_kms.h @@ -31,10 +31,12 @@ static const std::string RGW_SSE_KMS_KMIP_SE_KV = "kv"; * TODO * \return */ -int make_actual_key_from_kms(CephContext *cct, +int make_actual_key_from_kms(const DoutPrefixProvider* dpp, + CephContext *cct, std::map& attrs, std::string& actual_key); -int reconstitute_actual_key_from_kms(CephContext *cct, +int reconstitute_actual_key_from_kms(const DoutPrefixProvider* dpp, + CephContext *cct, std::map& attrs, std::string& actual_key); diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index 4ca77ee6ddf5f..153f9070c4d7a 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -450,7 +450,7 @@ int RGWGetObj_ObjStore_S3::get_decrypt_filter(std::unique_ptr res = rgw_s3_prepare_decrypt(s, attrs, &block_crypt, crypt_http_responses); if (res == 0) { if (block_crypt != nullptr) { - auto f = std::make_unique(s->cct, cb, std::move(block_crypt)); + auto f = std::make_unique(s, s->cct, cb, std::move(block_crypt)); if (manifest_bl != nullptr) { res = f->read_manifest(this, *manifest_bl); if (res == 0) { @@ -2555,7 +2555,7 @@ int RGWPutObj_ObjStore_S3::get_decrypt_filter( res = rgw_s3_prepare_decrypt(s, attrs, &block_crypt, crypt_http_responses_unused); if (res == 0) { if (block_crypt != nullptr) { - auto f = std::unique_ptr(new RGWGetObj_BlockDecrypt(s->cct, cb, std::move(block_crypt))); + auto f = std::unique_ptr(new RGWGetObj_BlockDecrypt(s, s->cct, cb, std::move(block_crypt))); //RGWGetObj_BlockDecrypt* f = new RGWGetObj_BlockDecrypt(s->cct, cb, std::move(block_crypt)); if (f != nullptr) { if (manifest_bl != nullptr) { @@ -2588,7 +2588,7 @@ int RGWPutObj_ObjStore_S3::get_encrypt_filter( * We use crypto mode that configured as if we were decrypting. */ res = rgw_s3_prepare_decrypt(s, obj->get_attrs(), &block_crypt, crypt_http_responses); if (res == 0 && block_crypt != nullptr) - filter->reset(new RGWPutObj_BlockEncrypt(s->cct, cb, std::move(block_crypt))); + filter->reset(new RGWPutObj_BlockEncrypt(s, s->cct, cb, std::move(block_crypt))); } /* it is ok, to not have encryption at all */ } @@ -2597,7 +2597,7 @@ int RGWPutObj_ObjStore_S3::get_encrypt_filter( std::unique_ptr block_crypt; res = rgw_s3_prepare_encrypt(s, attrs, nullptr, &block_crypt, crypt_http_responses); if (res == 0 && block_crypt != nullptr) { - filter->reset(new RGWPutObj_BlockEncrypt(s->cct, cb, std::move(block_crypt))); + filter->reset(new RGWPutObj_BlockEncrypt(s, s->cct, cb, std::move(block_crypt))); } } return res; @@ -3131,7 +3131,7 @@ int RGWPostObj_ObjStore_S3::get_encrypt_filter( int res = rgw_s3_prepare_encrypt(s, attrs, &parts, &block_crypt, crypt_http_responses); if (res == 0 && block_crypt != nullptr) { - filter->reset(new RGWPutObj_BlockEncrypt(s->cct, cb, std::move(block_crypt))); + filter->reset(new RGWPutObj_BlockEncrypt(s, s->cct, cb, std::move(block_crypt))); } return res; } diff --git a/src/test/rgw/test_rgw_crypto.cc b/src/test/rgw/test_rgw_crypto.cc index edf24f41bb68e..cccedce3b8b3b 100644 --- a/src/test/rgw/test_rgw_crypto.cc +++ b/src/test/rgw/test_rgw_crypto.cc @@ -24,8 +24,7 @@ using namespace std; -std::unique_ptr AES_256_CBC_create(CephContext* cct, const uint8_t* key, size_t len); - +std::unique_ptr AES_256_CBC_create(const DoutPrefixProvider *dpp, CephContext* cct, const uint8_t* key, size_t len); class ut_get_sink : public RGWGetObj_Filter { std::stringstream sink; @@ -92,9 +91,9 @@ public: } }; - TEST(TestRGWCrypto, verify_AES_256_CBC_identity) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); //create some input for encryption const off_t test_range = 1024*1024; buffer::ptr buf(test_range); @@ -112,7 +111,7 @@ TEST(TestRGWCrypto, verify_AES_256_CBC_identity) for(size_t i=0;iget_block_size(); @@ -147,6 +146,7 @@ TEST(TestRGWCrypto, verify_AES_256_CBC_identity) TEST(TestRGWCrypto, verify_AES_256_CBC_identity_2) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); //create some input for encryption const off_t test_range = 1024*1024; buffer::ptr buf(test_range); @@ -164,7 +164,7 @@ TEST(TestRGWCrypto, verify_AES_256_CBC_identity_2) for(size_t i=0;iget_block_size(); @@ -195,6 +195,7 @@ TEST(TestRGWCrypto, verify_AES_256_CBC_identity_2) TEST(TestRGWCrypto, verify_AES_256_CBC_identity_3) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); //create some input for encryption const off_t test_range = 1024*1024; buffer::ptr buf(test_range); @@ -212,7 +213,7 @@ TEST(TestRGWCrypto, verify_AES_256_CBC_identity_3) for(size_t i=0;iget_block_size(); @@ -272,6 +273,7 @@ TEST(TestRGWCrypto, verify_AES_256_CBC_identity_3) TEST(TestRGWCrypto, verify_AES_256_CBC_size_0_15) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); //create some input for encryption const off_t test_range = 1024*1024; buffer::ptr buf(test_range); @@ -289,7 +291,7 @@ TEST(TestRGWCrypto, verify_AES_256_CBC_size_0_15) for(size_t i=0;iget_block_size(); @@ -321,6 +323,7 @@ TEST(TestRGWCrypto, verify_AES_256_CBC_size_0_15) TEST(TestRGWCrypto, verify_AES_256_CBC_identity_last_block) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); //create some input for encryption const off_t test_range = 1024*1024; buffer::ptr buf(test_range); @@ -338,7 +341,7 @@ TEST(TestRGWCrypto, verify_AES_256_CBC_identity_last_block) for(size_t i=0;iget_block_size(); @@ -397,6 +400,7 @@ TEST(TestRGWCrypto, verify_AES_256_CBC_identity_last_block) TEST(TestRGWCrypto, verify_RGWGetObj_BlockDecrypt_ranges) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); //create some input for encryption const off_t test_range = 1024*1024; bufferptr buf(test_range); @@ -411,7 +415,7 @@ TEST(TestRGWCrypto, verify_RGWGetObj_BlockDecrypt_ranges) for(size_t i=0;iencrypt(input, 0, test_range, encrypted, 0)); @@ -420,9 +424,9 @@ TEST(TestRGWCrypto, verify_RGWGetObj_BlockDecrypt_ranges) for (off_t r = 93; r < 150; r++ ) { ut_get_sink get_sink; - auto cbc = AES_256_CBC_create(g_ceph_context, &key[0], 32); + auto cbc = AES_256_CBC_create(&no_dpp, g_ceph_context, &key[0], 32); ASSERT_NE(cbc.get(), nullptr); - RGWGetObj_BlockDecrypt decrypt(g_ceph_context, &get_sink, std::move(cbc) ); + RGWGetObj_BlockDecrypt decrypt(&no_dpp, g_ceph_context, &get_sink, std::move(cbc)); //random ranges off_t begin = (r/3)*r*(r+13)*(r+23)*(r+53)*(r+71) % test_range; @@ -443,6 +447,7 @@ TEST(TestRGWCrypto, verify_RGWGetObj_BlockDecrypt_ranges) TEST(TestRGWCrypto, verify_RGWGetObj_BlockDecrypt_chunks) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); //create some input for encryption const off_t test_range = 1024*1024; bufferptr buf(test_range); @@ -457,7 +462,7 @@ TEST(TestRGWCrypto, verify_RGWGetObj_BlockDecrypt_chunks) for(size_t i=0;iencrypt(input, 0, test_range, encrypted, 0)); @@ -465,9 +470,9 @@ TEST(TestRGWCrypto, verify_RGWGetObj_BlockDecrypt_chunks) for (off_t r = 93; r < 150; r++ ) { ut_get_sink get_sink; - auto cbc = AES_256_CBC_create(g_ceph_context, &key[0], 32); + auto cbc = AES_256_CBC_create(&no_dpp, g_ceph_context, &key[0], 32); ASSERT_NE(cbc.get(), nullptr); - RGWGetObj_BlockDecrypt decrypt(g_ceph_context, &get_sink, std::move(cbc) ); + RGWGetObj_BlockDecrypt decrypt(&no_dpp, g_ceph_context, &get_sink, std::move(cbc)); //random off_t begin = (r/3)*r*(r+13)*(r+23)*(r+53)*(r+71) % test_range; @@ -509,9 +514,10 @@ range_t fixup_range(RGWGetObj_BlockDecrypt *decrypt, off_t ofs, off_t end) TEST(TestRGWCrypto, check_RGWGetObj_BlockDecrypt_fixup) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); ut_get_sink get_sink; auto nonecrypt = std::unique_ptr(new BlockCryptNone); - RGWGetObj_BlockDecrypt decrypt(g_ceph_context, &get_sink, + RGWGetObj_BlockDecrypt decrypt(&no_dpp, g_ceph_context, &get_sink, std::move(nonecrypt)); ASSERT_EQ(fixup_range(&decrypt,0,0), range_t(0,255)); ASSERT_EQ(fixup_range(&decrypt,1,256), range_t(0,511)); @@ -549,10 +555,11 @@ const size_t obj_size = 30*1024*1024; TEST(TestRGWCrypto, check_RGWGetObj_BlockDecrypt_fixup_simple) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); ut_get_sink get_sink; auto nonecrypt = std::make_unique(4096); - TestRGWGetObj_BlockDecrypt decrypt(g_ceph_context, &get_sink, + TestRGWGetObj_BlockDecrypt decrypt(&no_dpp, g_ceph_context, &get_sink, std::move(nonecrypt)); decrypt.set_parts_len(create_mp_parts(obj_size, part_size)); ASSERT_EQ(fixup_range(&decrypt,0,0), range_t(0,4095)); @@ -579,10 +586,11 @@ TEST(TestRGWCrypto, check_RGWGetObj_BlockDecrypt_fixup_simple) TEST(TestRGWCrypto, check_RGWGetObj_BlockDecrypt_fixup_non_aligned_obj_size) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); ut_get_sink get_sink; auto nonecrypt = std::make_unique(4096); - TestRGWGetObj_BlockDecrypt decrypt(g_ceph_context, &get_sink, + TestRGWGetObj_BlockDecrypt decrypt(&no_dpp, g_ceph_context, &get_sink, std::move(nonecrypt)); auto na_obj_size = obj_size + 1; decrypt.set_parts_len(create_mp_parts(na_obj_size, part_size)); @@ -606,10 +614,11 @@ TEST(TestRGWCrypto, check_RGWGetObj_BlockDecrypt_fixup_non_aligned_obj_size) TEST(TestRGWCrypto, check_RGWGetObj_BlockDecrypt_fixup_non_aligned_part_size) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); ut_get_sink get_sink; auto nonecrypt = std::make_unique(4096); - TestRGWGetObj_BlockDecrypt decrypt(g_ceph_context, &get_sink, + TestRGWGetObj_BlockDecrypt decrypt(&no_dpp, g_ceph_context, &get_sink, std::move(nonecrypt)); auto na_part_size = part_size + 1; decrypt.set_parts_len(create_mp_parts(obj_size, na_part_size)); @@ -639,10 +648,11 @@ TEST(TestRGWCrypto, check_RGWGetObj_BlockDecrypt_fixup_non_aligned_part_size) TEST(TestRGWCrypto, check_RGWGetObj_BlockDecrypt_fixup_non_aligned) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); ut_get_sink get_sink; auto nonecrypt = std::make_unique(4096); - TestRGWGetObj_BlockDecrypt decrypt(g_ceph_context, &get_sink, + TestRGWGetObj_BlockDecrypt decrypt(&no_dpp, g_ceph_context, &get_sink, std::move(nonecrypt)); auto na_part_size = part_size + 1; auto na_obj_size = obj_size + 7; // (6*(5MiB + 1) + 1) for the last 1B overflow @@ -668,10 +678,11 @@ TEST(TestRGWCrypto, check_RGWGetObj_BlockDecrypt_fixup_non_aligned) TEST(TestRGWCrypto, check_RGWGetObj_BlockDecrypt_fixup_invalid_ranges) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); ut_get_sink get_sink; auto nonecrypt = std::make_unique(4096); - TestRGWGetObj_BlockDecrypt decrypt(g_ceph_context, &get_sink, + TestRGWGetObj_BlockDecrypt decrypt(&no_dpp, g_ceph_context, &get_sink, std::move(nonecrypt)); decrypt.set_parts_len(create_mp_parts(obj_size, part_size)); @@ -690,6 +701,7 @@ TEST(TestRGWCrypto, check_RGWGetObj_BlockDecrypt_fixup_invalid_ranges) TEST(TestRGWCrypto, verify_RGWPutObj_BlockEncrypt_chunks) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); //create some input for encryption const off_t test_range = 1024*1024; bufferptr buf(test_range); @@ -707,10 +719,10 @@ TEST(TestRGWCrypto, verify_RGWPutObj_BlockEncrypt_chunks) for (off_t r = 93; r < 150; r++ ) { ut_put_sink put_sink; - auto cbc = AES_256_CBC_create(g_ceph_context, &key[0], 32); + auto cbc = AES_256_CBC_create(&no_dpp, g_ceph_context, &key[0], 32); ASSERT_NE(cbc.get(), nullptr); - RGWPutObj_BlockEncrypt encrypt(g_ceph_context, &put_sink, - std::move(cbc) ); + RGWPutObj_BlockEncrypt encrypt(&no_dpp, g_ceph_context, &put_sink, + std::move(cbc)); off_t test_size = (r/5)*(r+7)*(r+13)*(r+101)*(r*103) % (test_range - 1) + 1; off_t pos = 0; @@ -731,7 +743,7 @@ TEST(TestRGWCrypto, verify_RGWPutObj_BlockEncrypt_chunks) ASSERT_EQ(put_sink.get_sink().length(), static_cast(test_size)); - cbc = AES_256_CBC_create(g_ceph_context, &key[0], 32); + cbc = AES_256_CBC_create(&no_dpp, g_ceph_context, &key[0], 32); ASSERT_NE(cbc.get(), nullptr); bufferlist encrypted; @@ -748,6 +760,7 @@ TEST(TestRGWCrypto, verify_RGWPutObj_BlockEncrypt_chunks) TEST(TestRGWCrypto, verify_Encrypt_Decrypt) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); uint8_t key[32]; for(size_t i=0;i