RepoMirrors/ceph
1
0
Fork 0
mirror of https://github.com/ceph/ceph synced 2025-02-17 16:07:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

common, crypto, build: get rid of NSS entirely.

Browse Source 
Signed-off-by: Radoslaw Zarzynski <rzarzyns@redhat.com>
This commit is contained in:
Radoslaw Zarzynski 2019-04-23 15:47:52 +02:00
parent ca545e1683
commit 79edb93d06
12 changed files with 13 additions and 718 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CMakeLists.txt
View File

@ -406,13 +406,9 @@ set(CMAKE_REQUIRED_INCLUDES ${CURL_INCLUDE_DIRS})
set(CMAKE_REQUIRED_LIBRARIES ${CURL_LIBRARIES})
CHECK_SYMBOL_EXISTS(curl_multi_wait curl/curl.h HAVE_CURL_MULTI_WAIT)
find_package(NSS REQUIRED)
find_package(NSPR REQUIRED)
find_package(OpenSSL REQUIRED)
# TODO: use NSS only for validation of the OpenSSL-based implementations
set(USE_NSS 1)
set(USE_OPENSSL 1)
set(CRYPTO_LIBS ${NSS_LIBRARIES} ${NSPR_LIBRARIES} OpenSSL::Crypto)
set(CRYPTO_LIBS OpenSSL::Crypto)
option(WITH_DPDK "Enable DPDK messaging" OFF)
if(WITH_DPDK)

104
cmake/modules/FindNSPR.cmake
View File

@ -1,104 +0,0 @@
# - Try to find NSPR
# Once done this will define
#
# NSPR_FOUND - system has NSPR
# NSPR_INCLUDE_DIRS - the NSPR include directory
# NSPR_LIBRARIES - Link these to use NSPR
# NSPR_DEFINITIONS - Compiler switches required for using NSPR
#
# Copyright (c) 2010 Andreas Schneider <asn@redhat.com>
#
# Redistribution and use is allowed according to the terms of the New
# BSD license.
# For details see the accompanying COPYING-CMAKE-SCRIPTS file.
#
if (NSPR_LIBRARIES AND NSPR_INCLUDE_DIRS)
# in cache already
set(NSPR_FOUND TRUE)
else (NSPR_LIBRARIES AND NSPR_INCLUDE_DIRS)
find_package(PkgConfig)
if (PKG_CONFIG_FOUND)
pkg_check_modules(_NSPR nspr)
endif (PKG_CONFIG_FOUND)
find_path(NSPR_INCLUDE_DIR
NAMES
nspr.h
PATHS
${_NSPR_INCLUDEDIR}
/usr/include
/usr/local/include
/opt/local/include
/sw/include
PATH_SUFFIXES
nspr4
nspr
)
find_library(PLDS4_LIBRARY
NAMES
plds4
PATHS
${_NSPR_LIBDIR}
/usr/lib
/usr/local/lib
/opt/local/lib
/sw/lib
)
find_library(PLC4_LIBRARY
NAMES
plc4
PATHS
${_NSPR_LIBDIR}
/usr/lib
/usr/local/lib
/opt/local/lib
/sw/lib
)
find_library(NSPR4_LIBRARY
NAMES
nspr4
PATHS
${_NSPR_LIBDIR}
/usr/lib
/usr/local/lib
/opt/local/lib
/sw/lib
)
set(NSPR_INCLUDE_DIRS
${NSPR_INCLUDE_DIR}
)
if (PLDS4_LIBRARY)
set(NSPR_LIBRARIES
${NSPR_LIBRARIES}
${PLDS4_LIBRARY}
)
endif (PLDS4_LIBRARY)
if (PLC4_LIBRARY)
set(NSPR_LIBRARIES
${NSPR_LIBRARIES}
${PLC4_LIBRARY}
)
endif (PLC4_LIBRARY)
if (NSPR4_LIBRARY)
set(NSPR_LIBRARIES
${NSPR_LIBRARIES}
${NSPR4_LIBRARY}
)
endif (NSPR4_LIBRARY)
include(FindPackageHandleStandardArgs)
find_package_handle_standard_args(NSPR DEFAULT_MSG NSPR_LIBRARIES NSPR_INCLUDE_DIRS)
# show the NSPR_INCLUDE_DIRS and NSPR_LIBRARIES variables only in the advanced view
mark_as_advanced(NSPR_INCLUDE_DIRS NSPR_LIBRARIES)
endif (NSPR_LIBRARIES AND NSPR_INCLUDE_DIRS)

126
cmake/modules/FindNSS.cmake
View File

@ -1,126 +0,0 @@
# - Try to find NSS
# Once done this will define
#
# NSS_FOUND - system has NSS
# NSS_INCLUDE_DIRS - the NSS include directory
# NSS_LIBRARIES - Link these to use NSS
# NSS_DEFINITIONS - Compiler switches required for using NSS
#
# Copyright (c) 2010 Andreas Schneider <asn@redhat.com>
#
# Redistribution and use is allowed according to the terms of the New
# BSD license.
# For details see the accompanying COPYING-CMAKE-SCRIPTS file.
#
if (NSS_LIBRARIES AND NSS_INCLUDE_DIRS)
# in cache already
set(NSS_FOUND TRUE)
else (NSS_LIBRARIES AND NSS_INCLUDE_DIRS)
find_package(PkgConfig)
if (PKG_CONFIG_FOUND)
pkg_check_modules(_NSS nss)
endif (PKG_CONFIG_FOUND)
find_path(NSS_INCLUDE_DIR
NAMES
pk11pub.h
PATHS
${_NSS_INCLUDEDIR}
/usr/include
/usr/local/include
/opt/local/include
/sw/include
/usr/local/include/nss
PATH_SUFFIXES
nss3
nss
)
find_library(SSL3_LIBRARY
NAMES
ssl3
PATHS
${_NSS_LIBDIR}
/usr/lib
/usr/local/lib
/opt/local/lib
/sw/lib
)
find_library(SMIME3_LIBRARY
NAMES
smime3
PATHS
${_NSS_LIBDIR}
/usr/lib
/usr/local/lib
/opt/local/lib
/sw/lib
)
find_library(NSS3_LIBRARY
NAMES
nss3
PATHS
${_NSS_LIBDIR}
/usr/lib
/usr/local/lib
/opt/local/lib
/sw/lib
/usr/lib/x86_64-linux-gnu
)
find_library(NSSUTIL3_LIBRARY
NAMES
nssutil3
PATHS
${_NSS_LIBDIR}
/usr/lib
/usr/local/lib
/opt/local/lib
/sw/lib
)
set(NSS_INCLUDE_DIRS
${NSS_INCLUDE_DIR}
)
if (SSL3_LIBRARY)
set(NSS_LIBRARIES
${NSS_LIBRARIES}
${SSL3_LIBRARY}
)
endif (SSL3_LIBRARY)
if (SMIME3_LIBRARY)
set(NSS_LIBRARIES
${NSS_LIBRARIES}
${SMIME3_LIBRARY}
)
endif (SMIME3_LIBRARY)
if (NSS3_LIBRARY)
set(NSS_LIBRARIES
${NSS_LIBRARIES}
${NSS3_LIBRARY}
)
endif (NSS3_LIBRARY)
if (NSSUTIL3_LIBRARY)
set(NSS_LIBRARIES
${NSS_LIBRARIES}
${NSSUTIL3_LIBRARY}
)
endif (NSSUTIL3_LIBRARY)
include(FindPackageHandleStandardArgs)
message(STATUS "NSS_LIBRARIES: ${NSS_LIBRARIES}")
message(STATUS "NSS_INCLUDE_DIRS: ${NSS_INCLUDE_DIRS}")
find_package_handle_standard_args(NSS DEFAULT_MSG NSS_LIBRARIES NSS_INCLUDE_DIRS)
# show the NSS_INCLUDE_DIRS and NSS_LIBRARIES variables only in the advanced view
mark_as_advanced(NSS_INCLUDE_DIRS NSS_LIBRARIES)
endif (NSS_LIBRARIES AND NSS_INCLUDE_DIRS)

2
src/CMakeLists.txt
View File

@ -179,8 +179,6 @@ if(${ENABLE_COVERAGE})
list(APPEND EXTRALIBS gcov)
endif(${ENABLE_COVERAGE})
include_directories(${NSS_INCLUDE_DIR} ${NSPR_INCLUDE_DIR})
set(GCOV_PREFIX_STRIP 4)
# the src/.git_version file may be written out by make-dist; otherwise

82
src/common/ceph_crypto.cc
View File

@ -16,14 +16,6 @@
#include "common/config.h"
#include "ceph_crypto.h"
#ifdef USE_NSS
// for SECMOD_RestartModules()
#include <secmod.h>
#include <nspr.h>
#endif /*USE_NSS*/
#ifdef USE_OPENSSL
#include <openssl/evp.h>
@ -173,77 +165,13 @@ static void shutdown() {
}
} // namespace ceph::crypto::openssl
#endif /*USE_OPENSSL*/
#ifdef USE_NSS
namespace ceph::crypto::nss {
static pthread_mutex_t crypto_init_mutex = PTHREAD_MUTEX_INITIALIZER;
static uint32_t crypto_refs = 0;
static NSSInitContext *crypto_context = NULL;
static pid_t crypto_init_pid = 0;
static void init(CephContext *cct)
{
pid_t pid = getpid();
pthread_mutex_lock(&crypto_init_mutex);
if (crypto_init_pid != pid) {
if (crypto_init_pid > 0) {
SECMOD_RestartModules(PR_FALSE);
}
crypto_init_pid = pid;
}
if (++crypto_refs == 1) {
NSSInitParameters init_params;
memset(&init_params, 0, sizeof(init_params));
init_params.length = sizeof(init_params);
uint32_t flags = (NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);
if (cct->_conf->nss_db_path.empty()) {
flags |= (NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB);
}
crypto_context = NSS_InitContext(cct->_conf->nss_db_path.c_str(), "", "",
SECMOD_DB, &init_params, flags);
}
pthread_mutex_unlock(&crypto_init_mutex);
ceph_assert_always(crypto_context != NULL);
}
static void shutdown(bool shared)
{
pthread_mutex_lock(&crypto_init_mutex);
ceph_assert_always(crypto_refs > 0);
if (--crypto_refs == 0) {
NSS_ShutdownContext(crypto_context);
if (!shared) {
PR_Cleanup();
}
crypto_context = NULL;
crypto_init_pid = 0;
}
pthread_mutex_unlock(&crypto_init_mutex);
}
ceph::crypto::nss::HMAC::~HMAC()
{
PK11_DestroyContext(ctx, PR_TRUE);
PK11_FreeSymKey(symkey);
PK11_FreeSlot(slot);
}
} // namespace ceph::crypto::nss
#else
# error "No supported crypto implementation found."
#endif /*USE_NSS*/
#endif /*USE_OPENSSL*/
void ceph::crypto::init(CephContext* const cct) {
#ifdef USE_NSS
ceph::crypto::nss::init(cct);
#endif
static_cast<void>(cct);
#ifdef USE_OPENSSL
ceph::crypto::ssl::init();
@ -251,9 +179,7 @@ void ceph::crypto::init(CephContext* const cct) {
}
void ceph::crypto::shutdown(const bool shared) {
#ifdef USE_NSS
ceph::crypto::nss::shutdown(shared);
#endif
static_cast<void>(shared);
#ifdef USE_OPENSSL
ceph::crypto::ssl::shutdown();
@ -286,4 +212,6 @@ void ceph::crypto::ssl::OpenSSLDigest::Final(unsigned char *digest) {
unsigned int s;
EVP_DigestFinal_ex(mpContext, digest, &s);
}
#else
# error "No supported crypto implementation found."
#endif /*USE_OPENSSL*/

186
src/common/ceph_crypto.h
View File

@ -15,24 +15,13 @@
#define CEPH_CRYPTO_SHA256_DIGESTSIZE 32
#define CEPH_CRYPTO_SHA512_DIGESTSIZE 64
#ifdef USE_NSS
// you *must* use CRYPTO_CXXFLAGS in CMakeLists.txt for including this include
# include <nss.h>
# include <pk11pub.h>
// NSS thinks a lot of fairly fundamental operations might potentially
// fail, because it has been written to support e.g. smartcards doing all
// the crypto operations. We don't want to contaminate too much code
// with error checking, and just say these really should never fail.
// This assert MUST NOT be compiled out, even on non-debug builds.
# include "include/ceph_assert.h"
#endif /*USE_NSS*/
#ifdef USE_OPENSSL
#include <openssl/evp.h>
#include <openssl/ossl_typ.h>
#include <openssl/hmac.h>
#include "include/ceph_assert.h"
extern "C" {
const EVP_MD *EVP_md5(void);
const EVP_MD *EVP_sha1(void);
@ -44,15 +33,14 @@ extern "C" {
namespace ceph {
namespace crypto {
void assert_init();
void init(CephContext *cct);
void init(class CephContext* cct);
void shutdown(bool shared=true);
}
}
#ifdef USE_NSS
#ifdef USE_OPENSSL
namespace ceph {
namespace crypto {
class DigestException : public std::runtime_error
{
public:
@ -60,79 +48,6 @@ namespace ceph {
{}
};
namespace nss {
template<size_t DigestSize>
class NSSDigest {
private:
PK11Context *ctx;
public:
static constexpr size_t digest_size = DigestSize;
NSSDigest (SECOidTag _type) {
ctx = PK11_CreateDigestContext(_type);
if (! ctx) {
throw DigestException("PK11_CreateDigestContext() failed");
}
Restart();
}
~NSSDigest () {
PK11_DestroyContext(ctx, PR_TRUE);
}
void Restart() {
SECStatus s;
s = PK11_DigestBegin(ctx);
if (s != SECSuccess) {
throw DigestException("PK11_DigestBegin() failed");
}
}
void Update (const unsigned char *input, size_t length) {
if (length) {
SECStatus s;
s = PK11_DigestOp(ctx, input, length);
if (s != SECSuccess) {
throw DigestException("PK11_DigestOp() failed");
}
}
}
void Final (unsigned char *digest) {
SECStatus s;
unsigned int dummy;
s = PK11_DigestFinal(ctx, digest, &dummy, digest_size);
if (! (s == SECSuccess) &&
(dummy == digest_size)) {
throw DigestException("PK11_DigestFinal() failed");
}
Restart();
}
};
class MD5 : public NSSDigest<CEPH_CRYPTO_MD5_DIGESTSIZE> {
public:
MD5 () : NSSDigest<CEPH_CRYPTO_MD5_DIGESTSIZE>{SEC_OID_MD5} { }
};
class SHA1 : public NSSDigest<CEPH_CRYPTO_SHA1_DIGESTSIZE> {
public:
SHA1 () : NSSDigest<CEPH_CRYPTO_SHA1_DIGESTSIZE>{SEC_OID_SHA1} { }
};
class SHA256 : public NSSDigest<CEPH_CRYPTO_SHA256_DIGESTSIZE> {
public:
SHA256 () : NSSDigest<CEPH_CRYPTO_SHA256_DIGESTSIZE>{SEC_OID_SHA256} { }
};
class SHA512 : public NSSDigest<CEPH_CRYPTO_SHA256_DIGESTSIZE> {
public:
SHA512 () : NSSDigest<CEPH_CRYPTO_SHA256_DIGESTSIZE>{SEC_OID_SHA512} { }
};
}
}
}
#endif /*USE_NSS*/
#ifdef USE_OPENSSL
namespace ceph {
namespace crypto {
namespace ssl {
class OpenSSLDigest {
private:
@ -172,85 +87,8 @@ namespace ceph {
}
}
}
#endif /*USE_OPENSSL*/
#ifdef USE_NSS
namespace ceph {
namespace crypto::nss {
class HMAC {
private:
PK11SlotInfo *slot;
PK11SymKey *symkey;
PK11Context *ctx;
unsigned int digest_size;
public:
HMAC (CK_MECHANISM_TYPE cktype, unsigned int digestsize, const unsigned char *key, size_t length) {
digest_size = digestsize;
slot = PK11_GetBestSlot(cktype, NULL);
if (! slot) {
throw DigestException("PK11_GetBestSlot() failed");
}
SECItem keyItem;
keyItem.type = siBuffer;
keyItem.data = (unsigned char*)key;
keyItem.len = length;
symkey = PK11_ImportSymKey(slot, cktype, PK11_OriginUnwrap,
CKA_SIGN, &keyItem, NULL);
if (! symkey) {
throw DigestException("PK11_ImportSymKey() failed");
}
SECItem param;
param.type = siBuffer;
param.data = NULL;
param.len = 0;
ctx = PK11_CreateContextBySymKey(cktype, CKA_SIGN, symkey, &param);
if (! ctx) {
throw DigestException("PK11_CreateContextBySymKey() failed");
}
Restart();
}
~HMAC ();
void Restart() {
SECStatus s;
s = PK11_DigestBegin(ctx);
if (s != SECSuccess) {
throw DigestException("PK11_DigestBegin() failed");
}
}
void Update (const unsigned char *input, size_t length) {
SECStatus s;
s = PK11_DigestOp(ctx, input, length);
if (s != SECSuccess) {
throw DigestException("PK11_DigestOp() failed");
}
}
void Final (unsigned char *digest) {
SECStatus s;
unsigned int dummy;
s = PK11_DigestFinal(ctx, digest, &dummy, digest_size);
if (! (s == SECSuccess) &&
(dummy == digest_size)) {
throw DigestException("PK11_DigestFinal() failed");
}
Restart();
}
};
class HMACSHA1 : public HMAC {
public:
HMACSHA1 (const unsigned char *key, size_t length) : HMAC(CKM_SHA_1_HMAC, CEPH_CRYPTO_HMACSHA1_DIGESTSIZE, key, length) { }
};
class HMACSHA256 : public HMAC {
public:
HMACSHA256 (const unsigned char *key, size_t length) : HMAC(CKM_SHA256_HMAC, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, key, length) { }
};
}
}
#endif
#ifdef USE_OPENSSL
namespace ceph::crypto::ssl {
# if OPENSSL_VERSION_NUMBER < 0x10100000L
class HMAC {
@ -347,10 +185,8 @@ namespace ceph::crypto::ssl {
}
};
}
#endif /*USE_OPENSSL*/
#if defined(USE_OPENSSL)
namespace ceph {
namespace crypto {
using ceph::crypto::ssl::SHA256;
@ -362,22 +198,10 @@ namespace ceph {
using ceph::crypto::ssl::HMACSHA1;
}
}
#elif defined(USE_NSS)
namespace ceph {
namespace crypto {
using ceph::crypto::nss::SHA256;
using ceph::crypto::nss::MD5;
using ceph::crypto::nss::SHA1;
using ceph::crypto::nss::SHA512;
using ceph::crypto::nss::HMACSHA256;
using ceph::crypto::nss::HMACSHA1;
}
}
#else
// cppcheck-suppress preprocessorErrorDirective
# error "No supported crypto implementation found."
#endif
#endif /*USE_OPENSSL*/
namespace ceph::crypto {
template<class Digest>

2
src/common/legacy_config_opts.h
View File

@ -1245,8 +1245,6 @@ OPTION(rados_mon_op_timeout, OPT_DOUBLE) // how many seconds to wait for a respo
OPTION(rados_osd_op_timeout, OPT_DOUBLE) // how many seconds to wait for a response from osds before returning an error from a rados operation. 0 means no limit.
OPTION(rados_tracing, OPT_BOOL) // true if LTTng-UST tracepoints should be enabled
OPTION(nss_db_path, OPT_STR) // path to nss db
OPTION(rgw_max_chunk_size, OPT_INT)
OPTION(rgw_put_obj_min_window_size, OPT_INT)

4
src/common/options.cc
View File

@ -5293,10 +5293,6 @@ std::vector<Option> get_global_options() {
.set_default(false)
.set_description(""),
Option("nss_db_path", Option::TYPE_STR, Option::LEVEL_ADVANCED)
.set_default("")
.set_description(""),
Option("mgr_module_path", Option::TYPE_STR, Option::LEVEL_ADVANCED)
.set_default(CEPH_DATADIR "/mgr")
.add_service("mgr")

2
src/crimson/CMakeLists.txt
View File

@ -119,7 +119,7 @@ target_link_libraries(crimson-common
crc32
crimson::cflags
${crimson_common_deps}
${NSS_LIBRARIES} ${NSPR_LIBRARIES} OpenSSL::Crypto)
OpenSSL::Crypto)
set(crimson_auth_srcs
auth/KeyRing.cc)

3
src/include/config-h.in.cmake
View File

@ -124,9 +124,6 @@
/* Define if have curl_multi_wait() */
#cmakedefine HAVE_CURL_MULTI_WAIT 1
/* Define if using NSS. */
#cmakedefine USE_NSS
/* Define if using OpenSSL. */
#cmakedefine USE_OPENSSL

184
src/test/crypto.cc
View File

@ -11,11 +11,6 @@
#include "common/ceph_context.h"
#include "global/global_context.h"
#ifdef USE_NSS
# include <nspr.h>
# include <nss.h>
# include <pk11pub.h>
#endif // USE_NSS
class CryptoEnvironment: public ::testing::Environment {
public:
@ -24,185 +19,6 @@ public:
}
};
#ifdef USE_NSS
// when we say AES, we mean AES-128
# define AES_KEY_LEN 16
# define AES_BLOCK_LEN 16
static int nss_aes_operation(CK_ATTRIBUTE_TYPE op,
CK_MECHANISM_TYPE mechanism,
PK11SymKey *key,
SECItem *param,
const bufferlist& in, bufferlist& out,
std::string *error)
{
// sample source said this has to be at least size of input + 8,
// but i see 15 still fail with SEC_ERROR_OUTPUT_LEN
bufferptr out_tmp(in.length()+16);
bufferlist incopy;
SECStatus ret;
int written;
unsigned char *in_buf;
PK11Context *ectx;
ectx = PK11_CreateContextBySymKey(mechanism, op, key, param);
ceph_assert(ectx);
incopy = in; // it's a shallow copy!
in_buf = (unsigned char*)incopy.c_str();
ret = PK11_CipherOp(ectx,
(unsigned char*)out_tmp.c_str(), &written, out_tmp.length(),
in_buf, in.length());
if (ret != SECSuccess) {
PK11_DestroyContext(ectx, PR_TRUE);
if (error) {
ostringstream oss;
oss << "NSS AES failed: " << PR_GetError();
*error = oss.str();
}
return -1;
}
unsigned int written2;
ret = PK11_DigestFinal(ectx,
(unsigned char*)out_tmp.c_str()+written, &written2,
out_tmp.length()-written);
PK11_DestroyContext(ectx, PR_TRUE);
if (ret != SECSuccess) {
if (error) {
ostringstream oss;
oss << "NSS AES final round failed: " << PR_GetError();
*error = oss.str();
}
return -1;
}
out_tmp.set_length(written + written2);
out.append(out_tmp);
return 0;
}
class LegacyCryptoAESKeyHandler : public CryptoKeyHandler {
CK_MECHANISM_TYPE mechanism;
PK11SlotInfo *slot;
PK11SymKey *key;
SECItem *param;
public:
LegacyCryptoAESKeyHandler()
: CryptoKeyHandler(CryptoKeyHandler::BLOCK_SIZE_16B()),
mechanism(CKM_AES_CBC_PAD),
slot(NULL),
key(NULL),
param(NULL) {}
~LegacyCryptoAESKeyHandler() override {
SECITEM_FreeItem(param, PR_TRUE);
if (key)
PK11_FreeSymKey(key);
if (slot)
PK11_FreeSlot(slot);
}
int init(const bufferptr& s, string& err) {
ostringstream oss;
const int ret = init(s, oss);
err = oss.str();
return ret;
}
int init(const bufferptr& s, ostringstream& err) {
secret = s;
slot = PK11_GetBestSlot(mechanism, NULL);
if (!slot) {
err << "cannot find NSS slot to use: " << PR_GetError();
return -1;
}
SECItem keyItem;
keyItem.type = siBuffer;
keyItem.data = (unsigned char*)secret.c_str();
keyItem.len = secret.length();
key = PK11_ImportSymKey(slot, mechanism, PK11_OriginUnwrap, CKA_ENCRYPT,
&keyItem, NULL);
if (!key) {
err << "cannot convert AES key for NSS: " << PR_GetError();
return -1;
}
SECItem ivItem;
ivItem.type = siBuffer;
// losing constness due to SECItem.data; IV should never be
// modified, regardless
ivItem.data = (unsigned char*)CEPH_AES_IV;
ivItem.len = sizeof(CEPH_AES_IV);
param = PK11_ParamFromIV(mechanism, &ivItem);
if (!param) {
err << "cannot set NSS IV param: " << PR_GetError();
return -1;
}
return 0;
}
using CryptoKeyHandler::encrypt;
using CryptoKeyHandler::decrypt;
int encrypt(const bufferlist& in,
bufferlist& out, std::string *error) const override {
return nss_aes_operation(CKA_ENCRYPT, mechanism, key, param, in, out, error);
}
int decrypt(const bufferlist& in,
bufferlist& out, std::string *error) const override {
return nss_aes_operation(CKA_DECRYPT, mechanism, key, param, in, out, error);
}
};
TEST(AES, ValidateLegacy) {
CryptoHandler* const newh = \
g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES);
const char secret_s[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
};
ceph::bufferptr secret(secret_s, sizeof(secret_s));
std::string error;
std::unique_ptr<CryptoKeyHandler> newkh(
newh->get_key_handler(secret, error));
ASSERT_TRUE(error.empty());
LegacyCryptoAESKeyHandler oldkh;
oldkh.init(secret, error);
ASSERT_TRUE(error.empty());
unsigned char plaintext_s[] = {
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
};
ceph::bufferlist plaintext;
plaintext.append((char *)plaintext_s, sizeof(plaintext_s));
ceph::bufferlist ciphertext;
int r = newkh->encrypt(plaintext, ciphertext, &error);
ASSERT_EQ(r, 0);
ASSERT_EQ(error, "");
ceph::bufferlist restored_plaintext;
r = oldkh.decrypt(ciphertext, restored_plaintext, &error);
ASSERT_EQ(r, 0);
ASSERT_TRUE(error.empty());
ASSERT_EQ(plaintext, restored_plaintext);
}
#else
# warning "NSS is not available. Skipping the AES.ValidateLegacy testcase!"
#endif // USE_NSS
TEST(AES, ValidateSecret) {
CryptoHandler *h = g_ceph_context->get_crypto_handler(CEPH_CRYPTO_AES);
int l;

30
src/test/crypto_init.cc
View File

@ -13,35 +13,7 @@
#include "auth/Crypto.h"
#include "common/ceph_crypto.h"
#ifdef USE_NSS
void *init_crypto(void *p) {
ceph::crypto::init(g_ceph_context);
return NULL;
}
// Tests for a race condition in libnss when calling crypto_init
// multiple times simultaneously from different threads.
TEST(CRYPTO_INIT, NSS_RACE) {
std::vector<const char*> args;
auto cct = global_init(NULL, args, CEPH_ENTITY_TYPE_CLIENT,
CODE_ENVIRONMENT_UTILITY,
CINIT_FLAG_NO_DEFAULT_CONFIG_FILE);
// Most reliably reproduced with more threads than cores.
long n_thread = sysconf(_SC_NPROCESSORS_ONLN) * 2;
pthread_t *ts = (pthread_t*)malloc(n_thread * sizeof(pthread_t));
int i;
for (i = 0; i < n_thread; i++) {
pthread_create(&ts[i], NULL, init_crypto, NULL);
}
for (i = 0; i < n_thread; i++) {
int k;
void *p = (void*)&k;
pthread_join(ts[i], &p);
}
free(ts);
}
#endif
// TODO: ensure OpenSSL init
int main(int argc, char **argv) {
::testing::InitGoogleTest(&argc, argv);