Diffstat (limited to 'src/crypto/openssl')
-rw-r--r-- | src/crypto/openssl/CMakeLists.txt | 14 | ||||
-rw-r--r-- | src/crypto/openssl/openssl_crypto_accel.cc | 104 | ||||
-rw-r--r-- | src/crypto/openssl/openssl_crypto_accel.h | 32 | ||||
-rw-r--r-- | src/crypto/openssl/openssl_crypto_plugin.cc | 32 | ||||
-rw-r--r-- | src/crypto/openssl/openssl_crypto_plugin.h | 36 |
5 files changed, 218 insertions, 0 deletions
diff --git a/src/crypto/openssl/CMakeLists.txt b/src/crypto/openssl/CMakeLists.txt
new file mode 100644
index 000000000..6ede1567f
--- /dev/null
+++ b/src/crypto/openssl/CMakeLists.txt
@@ -0,0 +1,14 @@
+## openssl
+
+set(openssl_crypto_plugin_srcs
+ openssl_crypto_accel.cc
+ openssl_crypto_plugin.cc)
+
+add_library(ceph_crypto_openssl SHARED ${openssl_crypto_plugin_srcs})
+target_link_libraries(ceph_crypto_openssl
+ PRIVATE OpenSSL::Crypto
+ $<$<PLATFORM_ID:Windows>:ceph-common>)
+target_include_directories(ceph_crypto_openssl PRIVATE ${OPENSSL_INCLUDE_DIR})
+add_dependencies(crypto_plugins ceph_crypto_openssl)
+set_target_properties(ceph_crypto_openssl PROPERTIES INSTALL_RPATH "")
+install(TARGETS ceph_crypto_openssl DESTINATION ${crypto_plugin_dir})
diff --git a/src/crypto/openssl/openssl_crypto_accel.cc b/src/crypto/openssl/openssl_crypto_accel.cc
new file mode 100644
index 000000000..e6ea0fa72
--- /dev/null
+++ b/src/crypto/openssl/openssl_crypto_accel.cc
@@ -0,0 +1,104 @@
+/*
+ * Ceph - scalable distributed file system
+ *
+ * Copyright (C) 2017 Intel Corporation
+ *
+ * Author: Qiaowei Ren <qiaowei.ren@intel.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ */
+
+#include "crypto/openssl/openssl_crypto_accel.h"
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "common/debug.h"
+
+// -----------------------------------------------------------------------------
+#define dout_context g_ceph_context
+#define dout_subsys ceph_subsys_crypto
+#undef dout_prefix
+#define dout_prefix _prefix(_dout)
+
+static std::ostream&
+_prefix(std::ostream* _dout)
+{
+ return *_dout << "OpensslCryptoAccel: ";
+}
+// -----------------------------------------------------------------------------
+
+#define EVP_SUCCESS 1
+#define AES_ENCRYPT 1
+#define AES_DECRYPT 0
+
+bool evp_transform(unsigned char* out, const unsigned char* in, size_t size,
+ const unsigned char* iv,
+ const unsigned char* key,
+ ENGINE* engine,
+ const EVP_CIPHER* const type,
+ const int encrypt)
+{
+ using pctx_t = std::unique_ptr<EVP_CIPHER_CTX, decltype(&::EVP_CIPHER_CTX_free)>;
+ pctx_t pctx{ EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free };
+
+ if (!pctx) {
+ derr << "failed to create evp cipher context" << dendl;
+ return false;
+ }
+
+ if (EVP_CipherInit_ex(pctx.get(), type, engine, key, iv, encrypt) != EVP_SUCCESS) {
+ derr << "EVP_CipherInit_ex failed" << dendl;
+ return false;
+ }
+
+ if (EVP_CIPHER_CTX_set_padding(pctx.get(), 0) != EVP_SUCCESS) {
+ derr << "failed to disable PKCS padding" << dendl;
+ return false;
+ }
+
+ int len_update = 0;
+ if (EVP_CipherUpdate(pctx.get(), out, &len_update, in, size) != EVP_SUCCESS) {
+ derr << "EVP_CipherUpdate failed" << dendl;
+ return false;
+ }
+
+ int len_final = 0;
+ if (EVP_CipherFinal_ex(pctx.get(), out + len_update, &len_final) != EVP_SUCCESS) {
+ derr << "EVP_CipherFinal_ex failed" << dendl;
+ return false;
+ }
+
+ ceph_assert(len_final == 0);
+ return (len_update + len_final) == static_cast<int>(size);
+}
+
+bool OpenSSLCryptoAccel::cbc_encrypt(unsigned char* out, const unsigned char* in, size_t size,
+ const unsigned char (&iv)[AES_256_IVSIZE],
+ const unsigned char (&key)[AES_256_KEYSIZE])
+{
+ if ((size % AES_256_IVSIZE) != 0) {
+ return false;
+ }
+
+ return evp_transform(out, in, size, const_cast<unsigned char*>(&iv[0]),
+ const_cast<unsigned char*>(&key[0]),
+ nullptr, // Hardware acceleration engine can be used in the future
+ EVP_aes_256_cbc(), AES_ENCRYPT);
+}
+
+bool OpenSSLCryptoAccel::cbc_decrypt(unsigned char* out, const unsigned char* in, size_t size,
+ const unsigned char (&iv)[AES_256_IVSIZE],
+ const unsigned char (&key)[AES_256_KEYSIZE])
+{
+ if ((size % AES_256_IVSIZE) != 0) {
+ return false;
+ }
+
+ return evp_transform(out, in, size, const_cast<unsigned char*>(&iv[0]),
+ const_cast<unsigned char*>(&key[0]),
+ nullptr, // Hardware acceleration engine can be used in the future
+ EVP_aes_256_cbc(), AES_DECRYPT);
+}
diff --git a/src/crypto/openssl/openssl_crypto_accel.h b/src/crypto/openssl/openssl_crypto_accel.h
new file mode 100644
index 000000000..ad90cbece
--- /dev/null
+++ b/src/crypto/openssl/openssl_crypto_accel.h
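Review bot: In evp_transform, `size` is a size_t but EVP_CipherUpdate takes its input length as an int, so a buffer longer than INT_MAX is silently truncated on the call, and the final check `(len_update + len_final) == static_cast<int>(size)` truncates the same way, so the function reports success after transforming only a prefix of the buffer. Add a guard before the update, `if (size > static_cast<size_t>(std::numeric_limits<int>::max())) return false;` (with `#include <limits>`), so an oversized request fails loudly instead of leaving plaintext behind. evp_transform also has external linkage; since this is built as a shared plugin that may be loaded next to other crypto plugins, it should be `static` or placed in an anonymous namespace to avoid symbol interposition. The `const_cast<unsigned char*>` calls in cbc_encrypt and cbc_decrypt are unnecessary because evp_transform already takes `const unsigned char*` for iv and key; passing `iv` and `key` directly is enough. Finally, `AES_ENCRYPT`/`AES_DECRYPT` duplicate the macros OpenSSL defines in `<openssl/aes.h>` with the same values, which is harmless today but fragile; a local `enum` or `constexpr int` would not collide.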
@@ -0,0 +1,32 @@
+/*
+ * Ceph - scalable distributed file system
+ *
+ * Copyright (C) 2017 Intel Corporation
+ *
+ * Author: Qiaowei Ren <qiaowei.ren@intel.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ */
+
+#ifndef OPENSSL_CRYPTO_ACCEL_H
+#define OPENSSL_CRYPTO_ACCEL_H
+
+#include "crypto/crypto_accel.h"
+
+class OpenSSLCryptoAccel : public CryptoAccel {
+ public:
+ OpenSSLCryptoAccel() {}
+ virtual ~OpenSSLCryptoAccel() {}
+
+ bool cbc_encrypt(unsigned char* out, const unsigned char* in, size_t size,
+ const unsigned char (&iv)[AES_256_IVSIZE],
+ const unsigned char (&key)[AES_256_KEYSIZE]) override;
+ bool cbc_decrypt(unsigned char* out, const unsigned char* in, size_t size,
+ const unsigned char (&iv)[AES_256_IVSIZE],
+ const unsigned char (&key)[AES_256_KEYSIZE]) override;
+};
+#endif
diff --git a/src/crypto/openssl/openssl_crypto_plugin.cc b/src/crypto/openssl/openssl_crypto_plugin.cc
new file mode 100644
index 000000000..e6ecea2fd
--- /dev/null
+++ b/src/crypto/openssl/openssl_crypto_plugin.cc
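Review bot: The header gives no hint of the contract the implementation enforces, namely that `size` must be a multiple of AES_256_IVSIZE (the .cc returns false otherwise) and that CBC is run with padding disabled, so callers have to read the source to learn why a call fails; a short comment above the two declarations, such as `// AES-256-CBC without padding; size must be a multiple of AES_256_IVSIZE, otherwise false is returned`, would save them that trip. On style, the empty special members can be written as `OpenSSLCryptoAccel() = default;` and `~OpenSSLCryptoAccel() override = default;`, and since nothing derives from this leaf class it could be declared `final`, which also lets the compiler devirtualize calls made through the concrete type.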
@@ -0,0 +1,32 @@
+/*
+ * Ceph - scalable distributed file system
+ *
+ * Copyright (C) 2017 Intel Corporation
+ *
+ * Author: Qiaowei Ren <qiaowei.ren@intel.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ */
+
+
+#include "crypto/openssl/openssl_crypto_plugin.h"
+
+#include "ceph_ver.h"
+
+const char *__ceph_plugin_version()
+{
+ return CEPH_GIT_NICE_VER;
+}
+
+int __ceph_plugin_init(CephContext *cct,
+ const std::string& type,
+ const std::string& name)
+{
+ auto instance = cct->get_plugin_registry();
+
+ return instance->add(type, name, new OpenSSLCryptoPlugin(cct));
+}
diff --git a/src/crypto/openssl/openssl_crypto_plugin.h b/src/crypto/openssl/openssl_crypto_plugin.h
new file mode 100644
index 000000000..408d9ebda
--- /dev/null
+++ b/src/crypto/openssl/openssl_crypto_plugin.h
@@ -0,0 +1,36 @@
+/*
+ * Ceph - scalable distributed file system
+ *
+ * Copyright (C) 2017 Intel Corporation
+ *
+ * Author: Qiaowei Ren <qiaowei.ren@intel.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ */
+
+#ifndef ISAL_CRYPTO_PLUGIN_H
+#define ISAL_CRYPTO_PLUGIN_H
+
+#include "crypto/crypto_plugin.h"
+#include "crypto/openssl/openssl_crypto_accel.h"
+
+
+class OpenSSLCryptoPlugin : public CryptoPlugin {
+
+ CryptoAccelRef cryptoaccel;
+public:
+ explicit OpenSSLCryptoPlugin(CephContext* cct) : CryptoPlugin(cct)
+ {}
+ int factory(CryptoAccelRef *cs, std::ostream *ss) override {
+ if (cryptoaccel == nullptr)
+ cryptoaccel = CryptoAccelRef(new OpenSSLCryptoAccel);
+
+ *cs = cryptoaccel;
+ return 0;
+ }
+};
+#endif |
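Review bot: In __ceph_plugin_init the freshly allocated `OpenSSLCryptoPlugin` is handed to `instance->add` as a raw pointer and the return value is passed straight through, so if `add` rejects the registration (a nonzero return, e.g. a name already registered) the object is leaked unless the registry also takes ownership on failure; that contract is not visible here and should be confirmed and documented with a comment such as `// registry owns the plugin on success; confirm it is released when add() fails`. The pointer returned by `cct->get_plugin_registry()` is likewise dereferenced without a check, which is presumably safe for a context that has loaded the plugin, but a short comment stating that assumption would help the next reader.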
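Review bot: The include guard in openssl_crypto_plugin.h is `ISAL_CRYPTO_PLUGIN_H`, evidently copied from the ISA-L plugin header, so a translation unit that includes both plugin headers silently sees only the first one; rename it to `#ifndef OPENSSL_CRYPTO_PLUGIN_H` / `#define OPENSSL_CRYPTO_PLUGIN_H`. In `factory` the lazy assignment to `cryptoaccel` has no synchronization, so if the registry can invoke factory from several threads two accelerators may be created and one discarded; whether that is reachable depends on CryptoPlugin's callers, which are outside this diff, and deserves either a lock or a comment stating that factory is called single-threaded. The `ss` parameter is accepted but never written, so a failure to construct the accelerator would go unreported on the stream the interface provides for that purpose.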