RepoMirrors/ceph
1
0
Fork 0
mirror of https://github.com/ceph/ceph synced 2024-12-29 15:03:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

rgw: under fips, set flag to allow md5 in select rgw ops - for review

Browse Source 
the ovrrides for review and relevant md5 usage:
```
src/rgw/rgw_crypt.cc:975:      unsigned char key_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE];
    int rgw_s3_prepare_encrypt(...)
        crypt_http_responses["x-amz-server-side-encryption-customer-algorithm"] = "AES256";
        crypt_http_responses["x-amz-server-side-encryption-customer-key-MD5"] = std::string(keymd5);
                                                           ~~~~~~~~~~~~~~~~

src/rgw/rgw_crypt.cc:1225:    uint8_t key_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE];
    int rgw_s3_prepare_decrypt(...)
        crypt_http_responses["x-amz-server-side-encryption-customer-algorithm"] = "AES256";
        crypt_http_responses["x-amz-server-side-encryption-customer-key-MD5"] = keymd5;
                                                           ~~~~~~~~~~~~~~~~

src/rgw/rgw_keystone.cc:40:  unsigned char m[CEPH_CRYPTO_MD5_DIGESTSIZE];
        void TokenCache::add_admin(...)
	  rgw_get_token_id(token.token.id, admin_token_id);
	                                   ~~~~~~~~~~~~~~ md5
	  add_locked(admin_token_id, token);

        void TokenCache::add_barbican(...)
	  rgw_get_token_id(token.token.id, barbican_token_id);
	                                   ~~~~~~~~~~~~~~~~~ md5
	  add_locked(barbican_token_id, token);
```

Signed-off-by: Mark Kogan <mkogan@redhat.com>
This commit is contained in:
Mark Kogan 2021-10-14 14:32:31 +00:00
parent a5df0cfcbe
commit 551e0c8f38
2 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/rgw/rgw_crypt.cc
View File

@ -972,6 +972,8 @@ int rgw_s3_prepare_encrypt(struct req_state* s,
}
MD5 key_hash;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
key_hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
unsigned char key_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE];
key_hash.Update(reinterpret_cast<const unsigned char*>(key_bin.c_str()), key_bin.size());
key_hash.Final(key_hash_res);
@ -1222,6 +1224,8 @@ int rgw_s3_prepare_decrypt(struct req_state* s,
}
MD5 key_hash;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
key_hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
uint8_t key_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE];
key_hash.Update(reinterpret_cast<const unsigned char*>(key_bin.c_str()), key_bin.size());
key_hash.Final(key_hash_res);

2
src/rgw/rgw_keystone.cc
View File

@ -40,6 +40,8 @@ void rgw_get_token_id(const string& token, string& token_id)
unsigned char m[CEPH_CRYPTO_MD5_DIGESTSIZE];
MD5 hash;
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
hash.Update((const unsigned char *)token.c_str(), token.size());
hash.Final(m);