rgw: under fips, set flag to allow md5 in select rgw ops - for review
the overrides for review and relevant md5 usage: ``` src/rgw/rgw_crypt.cc:975: unsigned char key_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE]; int rgw_s3_prepare_encrypt(...) crypt_http_responses["x-amz-server-side-encryption-customer-algorithm"] = "AES256"; crypt_http_responses["x-amz-server-side-encryption-customer-key-MD5"] = std::string(keymd5); ~~~~~~~~~~~~~~~~ src/rgw/rgw_crypt.cc:1225: uint8_t key_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE]; int rgw_s3_prepare_decrypt(...) crypt_http_responses["x-amz-server-side-encryption-customer-algorithm"] = "AES256"; crypt_http_responses["x-amz-server-side-encryption-customer-key-MD5"] = keymd5; ~~~~~~~~~~~~~~~~ src/rgw/rgw_keystone.cc:40: unsigned char m[CEPH_CRYPTO_MD5_DIGESTSIZE]; void TokenCache::add_admin(...) rgw_get_token_id(token.token.id, admin_token_id); ~~~~~~~~~~~~~~ md5 add_locked(admin_token_id, token); void TokenCache::add_barbican(...) rgw_get_token_id(token.token.id, barbican_token_id); ~~~~~~~~~~~~~~~~~ md5 add_locked(barbican_token_id, token); ``` Signed-off-by: Mark Kogan <mkogan@redhat.com>
parent
a5df0cfcbe
commit
551e0c8f38
@ -972,6 +972,8 @@ int rgw_s3_prepare_encrypt(struct req_state* s,
|
||||
}
|
||||
|
||||
MD5 key_hash;
|
||||
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
|
||||
key_hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
unsigned char key_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE];
|
||||
key_hash.Update(reinterpret_cast<const unsigned char*>(key_bin.c_str()), key_bin.size());
|
||||
key_hash.Final(key_hash_res);
|
||||
@ -1222,6 +1224,8 @@ int rgw_s3_prepare_decrypt(struct req_state* s,
|
||||
}
|
||||
|
||||
MD5 key_hash;
|
||||
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
|
||||
key_hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
uint8_t key_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE];
|
||||
key_hash.Update(reinterpret_cast<const unsigned char*>(key_bin.c_str()), key_bin.size());
|
||||
key_hash.Final(key_hash_res);
|
||||
|
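Review bot: The comment `// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes` above `key_hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);` in rgw_s3_prepare_encrypt does not say why this use qualifies, even though the input being hashed is `key_bin`, which is key material. Judging by the commit description, the digest backs the `x-amz-server-side-encryption-customer-key-MD5` header, so a more auditable comment would be `// MD5 is required by the S3 SSE-C customer-key-MD5 header as a check on the supplied key; it protects nothing by itself, so allow it under FIPS`. The same lines are repeated in rgw_s3_prepare_decrypt and would benefit from the same wording, or from one shared helper so the exemption lives in a single place. Both functions start and end outside the hunks, so how `key_hash_res` is compared afterwards cannot be confirmed from here.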
@ -40,6 +40,8 @@ void rgw_get_token_id(const string& token, string& token_id)
|
||||
unsigned char m[CEPH_CRYPTO_MD5_DIGESTSIZE];
|
||||
|
||||
MD5 hash;
|
||||
// Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
|
||||
hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
hash.Update((const unsigned char *)token.c_str(), token.size());
|
||||
hash.Final(m);
|
||||
|
||||
|
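Review bot: In rgw_get_token_id the exemption on `hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);` is labelled non-cryptographic, but per the commit description the resulting id is what TokenCache passes to `add_locked(admin_token_id, token)`, so the digest appears to index cached auth tokens. If cache lookups depend on that id being unique per token, collision resistance is a security property here, and a FIPS-approved digest such as SHA-256 would be safer than exempting MD5. If the MD5-based id has to stay, the comment should name the property relied on, for example `// MD5 only derives the TokenCache index from the token text; allow it under FIPS`. The function body continues past the hunk, so how `m` is encoded into `token_id` is not visible.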