RepoMirrors/ceph
1
0
Fork 0
mirror of https://github.com/ceph/ceph synced 2024-12-28 22:43:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #43503 from mkogan1/wip-fips-md5

Browse Source 
rgw: under fips, set flag to allow md5 in select rgw ops
This commit is contained in:
Mark Kogan 2021-10-21 17:35:53 +03:00 committed by GitHub
commit 2d0b120983
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 56 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/common/ceph_crypto.cc
View File

@ -196,6 +196,11 @@ void ssl::OpenSSLDigest::Restart() {
EVP_DigestInit_ex(mpContext, mpType, NULL);
}
void ssl::OpenSSLDigest::SetFlags(int flags) {
EVP_MD_CTX_set_flags(mpContext, flags);
this->Restart();
}
void ssl::OpenSSLDigest::Update(const unsigned char *input, size_t length) {
if (length) {
EVP_DigestUpdate(mpContext, const_cast<void *>(reinterpret_cast<const void *>(input)), length);

1
src/common/ceph_crypto.h
View File

@ -52,6 +52,7 @@ namespace TOPNSPC::crypto {
OpenSSLDigest (const EVP_MD *_type);
~OpenSSLDigest ();
void Restart();
void SetFlags(int flags);
void Update (const unsigned char *input, size_t length);
void Final (unsigned char *digest);
};

2
src/rgw/rgw_bucket.cc
View File

@ -1911,6 +1911,8 @@ static void get_md5_digest(const RGWBucketEntryPoint *be, string& md5_digest) {
f->flush(bl);
MD5 hash;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
hash.Update((const unsigned char *)bl.c_str(), bl.length());
hash.Final(m);

4
src/rgw/rgw_crypt.cc
View File

@ -972,6 +972,8 @@ int rgw_s3_prepare_encrypt(struct req_state* s,
}
MD5 key_hash;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
key_hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
unsigned char key_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE];
key_hash.Update(reinterpret_cast<const unsigned char*>(key_bin.c_str()), key_bin.size());
key_hash.Final(key_hash_res);
@ -1222,6 +1224,8 @@ int rgw_s3_prepare_decrypt(struct req_state* s,
}
MD5 key_hash;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
key_hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
uint8_t key_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE];
key_hash.Update(reinterpret_cast<const unsigned char*>(key_bin.c_str()), key_bin.size());
key_hash.Final(key_hash_res);

10
src/rgw/rgw_etag_verifier.h
View File

@ -30,7 +30,10 @@ protected:
public:
ETagVerifier(CephContext* cct_, rgw::sal::DataProcessor *next)
: Pipe(next), cct(cct_) {}
: Pipe(next), cct(cct_) {
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
}
virtual void calculate_etag() = 0;
std::string get_calculated_etag() { return calculated_etag;}
@ -62,7 +65,10 @@ public:
rgw::sal::DataProcessor *next)
: ETagVerifier(cct, next),
part_ofs(std::move(part_ofs))
{}
{
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
}
int process(bufferlist&& data, uint64_t logical_offset) override;
void calculate_etag() override;

2
src/rgw/rgw_file.h
View File

@ -2517,6 +2517,8 @@ public:
// invoking this classes's header_init()
(void) RGWWriteRequest::header_init();
op = this;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
}
bool only_bucket() override { return true; }

2
src/rgw/rgw_keystone.cc
View File

@ -40,6 +40,8 @@ void rgw_get_token_id(const string& token, string& token_id)
unsigned char m[CEPH_CRYPTO_MD5_DIGESTSIZE];
MD5 hash;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
hash.Update((const unsigned char *)token.c_str(), token.size());
hash.Final(m);

14
src/rgw/rgw_op.cc
View File

@ -1674,6 +1674,8 @@ static int iterate_user_manifest_parts(const DoutPrefixProvider *dpp,
rgw::sal::Bucket::ListResults results;
MD5 etag_sum;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
etag_sum.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
do {
static constexpr auto MAX_LIST_OBJS = 100u;
int r = bucket->list(dpp, params, MAX_LIST_OBJS, results, y);
@ -1952,6 +1954,8 @@ int RGWGetObj::handle_slo_manifest(bufferlist& bl, optional_yield y)
map<uint64_t, rgw_slo_part> slo_parts;
MD5 etag_sum;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
etag_sum.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
total_len = 0;
for (const auto& entry : slo_info.entries) {
@ -3829,6 +3833,8 @@ void RGWPutObj::execute(optional_yield y)
char calc_md5[CEPH_CRYPTO_MD5_DIGESTSIZE * 2 + 1];
unsigned char m[CEPH_CRYPTO_MD5_DIGESTSIZE];
MD5 hash;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
bufferlist bl, aclbl, bs;
int len;
@ -4302,6 +4308,8 @@ void RGWPostObj::execute(optional_yield y)
char calc_md5[CEPH_CRYPTO_MD5_DIGESTSIZE * 2 + 1];
unsigned char m[CEPH_CRYPTO_MD5_DIGESTSIZE];
MD5 hash;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
ceph::buffer::list bl, aclbl;
int len = 0;
@ -5771,6 +5779,8 @@ void RGWPutLC::execute(optional_yield y)
ldpp_dout(this, 15) << "read len=" << data.length() << " data=" << (buf ? buf : "") << dendl;
MD5 data_hash;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
data_hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
unsigned char data_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE];
data_hash.Update(reinterpret_cast<const unsigned char*>(buf), data.length());
data_hash.Final(data_hash_res);
@ -6364,6 +6374,8 @@ bool RGWCompleteMultipart::check_previously_completed(const RGWMultiCompleteUplo
string oetag = sattrs[RGW_ATTR_ETAG].to_str();
MD5 hash;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
for (const auto& [index, part] : parts->parts) {
std::string partetag = rgw_string_unquote(part);
char petag[CEPH_CRYPTO_MD5_DIGESTSIZE];
@ -7392,6 +7404,8 @@ int RGWBulkUploadOp::handle_file(const std::string_view path,
ssize_t len = 0;
size_t ofs = 0;
MD5 hash;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
do {
ceph::bufferlist data;
len = body.get_at_most(s->cct->_conf->rgw_max_chunk_size, data);

2
src/rgw/rgw_putobj_processor.cc
View File

@ -653,6 +653,8 @@ int AppendObjectProcessor::complete(size_t accounted_size, const string &etag, c
//calculate the etag
if (!cur_etag.empty()) {
MD5 hash;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
char petag[CEPH_CRYPTO_MD5_DIGESTSIZE];
char final_etag[CEPH_CRYPTO_MD5_DIGESTSIZE];
char final_etag_str[CEPH_CRYPTO_MD5_DIGESTSIZE * 2 + 16];

2
src/rgw/rgw_rados.cc
View File

@ -5335,6 +5335,8 @@ static void generate_fake_tag(const DoutPrefixProvider *dpp, rgw::sal::Store* st
unsigned char md5[CEPH_CRYPTO_MD5_DIGESTSIZE];
char md5_str[CEPH_CRYPTO_MD5_DIGESTSIZE * 2 + 1];
MD5 hash;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
hash.Update((const unsigned char *)manifest_bl.c_str(), manifest_bl.length());
map<string, bufferlist>::iterator iter = attrset.find(RGW_ATTR_ETAG);

2
src/rgw/rgw_rest_swift.cc
View File

@ -977,6 +977,8 @@ int RGWPutObj_ObjStore_SWIFT::get_params(optional_yield y)
}
MD5 etag_sum;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
etag_sum.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
uint64_t total_size = 0;
for (auto& entry : slo_info->entries) {
etag_sum.Update((const unsigned char *)entry.etag.c_str(),

2
src/rgw/rgw_sal_rados.cc
View File

@ -2231,6 +2231,8 @@ int RadosMultipartUpload::complete(const DoutPrefixProvider *dpp,
std::string etag;
bufferlist etag_bl;
MD5 hash;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
bool truncated;
int ret;

7
src/rgw/rgw_tools.h
View File

@ -111,7 +111,12 @@ class RGWEtag
H hash;
public:
RGWEtag() {}
RGWEtag() {
if constexpr (std::is_same_v<H, MD5>) {
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
}
}
void update(const char *buf, size_t len) {
hash.Update((const unsigned char *)buf, len);

1
src/rgw/rgw_torrent.cc
View File

@ -19,7 +19,6 @@
using namespace std;
using namespace librados;
using namespace boost;
using ceph::crypto::MD5;
using ceph::crypto::SHA1;
seed::seed()

2
src/rgw/rgw_zone.cc
View File

@ -1905,6 +1905,8 @@ static uint32_t gen_short_zone_id(const std::string zone_id)
{
unsigned char md5[CEPH_CRYPTO_MD5_DIGESTSIZE];
MD5 hash;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
hash.Update((const unsigned char *)zone_id.c_str(), zone_id.size());
hash.Final(md5);

2
src/rgw/services/svc_zone.cc
View File

@ -565,6 +565,8 @@ int RGWSI_Zone::replace_region_with_zonegroup(const DoutPrefixProvider *dpp, opt
unsigned char md5[CEPH_CRYPTO_MD5_DIGESTSIZE];
char md5_str[CEPH_CRYPTO_MD5_DIGESTSIZE * 2 + 1];
MD5 hash;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
hash.Update((const unsigned char *)new_realm_name.c_str(), new_realm_name.length());
hash.Final(md5);
buf_to_hex(md5, CEPH_CRYPTO_MD5_DIGESTSIZE, md5_str);