1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
|
// -*- mode:C; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab
/*
* Ceph - scalable distributed file system
*
* Copyright (C) 2004-2009 Sage Weil <sage@newdream.net>
*
* This is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License version 2.1, as published by the Free Software
* Foundation. See file COPYING.
*
*/
#ifndef CEPH_AUTH_CRYPTO_H
#define CEPH_AUTH_CRYPTO_H
#include "include/types.h"
#include "include/utime.h"
#include "include/buffer.h"
#include <string>
class CephContext;
class CryptoKeyContext;
namespace ceph { class Formatter; }
/*
* Random byte stream generator suitable for cryptographic use
*/
class CryptoRandom {
public:
CryptoRandom(); // throws on failure
~CryptoRandom();
/// copy up to 256 random bytes into the given buffer. throws on failure
void get_bytes(char *buf, int len);
private:
static int open_urandom();
const int fd;
};
/*
* some per-key context that is specific to a particular crypto backend
*/
class CryptoKeyHandler {
public:
// The maximum size of a single block for all descendants of the class.
static constexpr std::size_t MAX_BLOCK_SIZE {16};
// A descendant pick-ups one from these and passes it to the ctor template.
typedef std::integral_constant<std::size_t, 0> BLOCK_SIZE_0B;
typedef std::integral_constant<std::size_t, 16> BLOCK_SIZE_16B;
struct in_slice_t {
const std::size_t length;
const unsigned char* const buf;
};
struct out_slice_t {
const std::size_t max_length;
unsigned char* const buf;
};
ceph::bufferptr secret;
template <class BlockSizeT>
CryptoKeyHandler(BlockSizeT) {
static_assert(BlockSizeT::value <= MAX_BLOCK_SIZE);
}
virtual ~CryptoKeyHandler() {}
virtual int encrypt(const bufferlist& in,
bufferlist& out, std::string *error) const = 0;
virtual int decrypt(const bufferlist& in,
bufferlist& out, std::string *error) const = 0;
// TODO: provide nullptr in the out::buf to get/estimate size requirements?
// Or maybe dedicated methods?
virtual std::size_t encrypt(const in_slice_t& in,
const out_slice_t& out) const;
virtual std::size_t decrypt(const in_slice_t& in,
const out_slice_t& out) const;
sha256_digest_t hmac_sha256(const ceph::bufferlist& in) const;
};
/*
* match encoding of struct ceph_secret
*/
class CryptoKey {
protected:
__u16 type;
utime_t created;
bufferptr secret; // must set this via set_secret()!
// cache a pointer to the implementation-specific key handler, so we
// don't have to create it for every crypto operation.
mutable std::shared_ptr<CryptoKeyHandler> ckh;
int _set_secret(int type, const bufferptr& s);
public:
CryptoKey() : type(0) { }
CryptoKey(int t, utime_t c, bufferptr& s)
: created(c) {
_set_secret(t, s);
}
~CryptoKey() {
}
void encode(bufferlist& bl) const;
void decode(bufferlist::const_iterator& bl);
int get_type() const { return type; }
utime_t get_created() const { return created; }
void print(std::ostream& out) const;
int set_secret(int type, const bufferptr& s, utime_t created);
const bufferptr& get_secret() { return secret; }
const bufferptr& get_secret() const { return secret; }
bool empty() const { return ckh.get() == nullptr; }
void encode_base64(string& s) const {
bufferlist bl;
encode(bl);
bufferlist e;
bl.encode_base64(e);
e.append('\0');
s = e.c_str();
}
string encode_base64() const {
string s;
encode_base64(s);
return s;
}
void decode_base64(const string& s) {
bufferlist e;
e.append(s);
bufferlist bl;
bl.decode_base64(e);
auto p = std::cbegin(bl);
decode(p);
}
void encode_formatted(string label, Formatter *f, bufferlist &bl);
void encode_plaintext(bufferlist &bl);
// --
int create(CephContext *cct, int type);
int encrypt(CephContext *cct, const bufferlist& in, bufferlist& out,
std::string *error) const {
ceph_assert(ckh); // Bad key?
return ckh->encrypt(in, out, error);
}
int decrypt(CephContext *cct, const bufferlist& in, bufferlist& out,
std::string *error) const {
ceph_assert(ckh); // Bad key?
return ckh->decrypt(in, out, error);
}
using in_slice_t = CryptoKeyHandler::in_slice_t;
using out_slice_t = CryptoKeyHandler::out_slice_t;
std::size_t encrypt(CephContext*, const in_slice_t& in,
const out_slice_t& out) {
ceph_assert(ckh);
return ckh->encrypt(in, out);
}
std::size_t decrypt(CephContext*, const in_slice_t& in,
const out_slice_t& out) {
ceph_assert(ckh);
return ckh->encrypt(in, out);
}
sha256_digest_t hmac_sha256(CephContext*, const ceph::bufferlist& in) {
ceph_assert(ckh);
return ckh->hmac_sha256(in);
}
static constexpr std::size_t get_max_outbuf_size(std::size_t want_size) {
return want_size + CryptoKeyHandler::MAX_BLOCK_SIZE;
}
void to_str(std::string& s) const;
};
WRITE_CLASS_ENCODER(CryptoKey)
static inline ostream& operator<<(ostream& out, const CryptoKey& k)
{
k.print(out);
return out;
}
/*
* Driver for a particular algorithm
*
* To use these functions, you need to call ceph::crypto::init(), see
* common/ceph_crypto.h. common_init_finish does this for you.
*/
class CryptoHandler {
public:
virtual ~CryptoHandler() {}
virtual int get_type() const = 0;
virtual int create(CryptoRandom *random, bufferptr& secret) = 0;
virtual int validate_secret(const bufferptr& secret) = 0;
virtual CryptoKeyHandler *get_key_handler(const bufferptr& secret,
string& error) = 0;
static CryptoHandler *create(int type);
};
#endif
|