From 79edb93d06a1e0aef734c48f85a6085d088c829a Mon Sep 17 00:00:00 2001 From: Radoslaw Zarzynski Date: Tue, 23 Apr 2019 15:47:52 +0200 Subject: [PATCH] common, crypto, build: get rid of NSS entirely. Signed-off-by: Radoslaw Zarzynski --- CMakeLists.txt | 6 +- cmake/modules/FindNSPR.cmake | 104 ------------------ cmake/modules/FindNSS.cmake | 126 ---------------------- src/CMakeLists.txt | 2 - src/common/ceph_crypto.cc | 82 +------------- src/common/ceph_crypto.h | 186 +------------------------------- src/common/legacy_config_opts.h | 2 - src/common/options.cc | 4 - src/crimson/CMakeLists.txt | 2 +- src/include/config-h.in.cmake | 3 - src/test/crypto.cc | 184 ------------------------------- src/test/crypto_init.cc | 30 +----- 12 files changed, 13 insertions(+), 718 deletions(-) delete mode 100644 cmake/modules/FindNSPR.cmake delete mode 100644 cmake/modules/FindNSS.cmake diff --git a/CMakeLists.txt b/CMakeLists.txt index 050dfe059b4..15cc7c135d6 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -406,13 +406,9 @@ set(CMAKE_REQUIRED_INCLUDES ${CURL_INCLUDE_DIRS}) set(CMAKE_REQUIRED_LIBRARIES ${CURL_LIBRARIES}) CHECK_SYMBOL_EXISTS(curl_multi_wait curl/curl.h HAVE_CURL_MULTI_WAIT) -find_package(NSS REQUIRED) -find_package(NSPR REQUIRED) find_package(OpenSSL REQUIRED) -# TODO: use NSS only for validation of the OpenSSL-based implementations -set(USE_NSS 1) set(USE_OPENSSL 1) -set(CRYPTO_LIBS ${NSS_LIBRARIES} ${NSPR_LIBRARIES} OpenSSL::Crypto) +set(CRYPTO_LIBS OpenSSL::Crypto) option(WITH_DPDK "Enable DPDK messaging" OFF) if(WITH_DPDK) diff --git a/cmake/modules/FindNSPR.cmake b/cmake/modules/FindNSPR.cmake deleted file mode 100644 index 94d6a062c5c..00000000000 --- a/cmake/modules/FindNSPR.cmake +++ /dev/null 
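Review bot: With NSS gone OpenSSL is the only backend, yet `find_package(OpenSSL REQUIRED)` still states no minimum version, so the configure step accepts whatever libcrypto is installed while ceph_crypto.h keeps separate `OPENSSL_VERSION_NUMBER < 0x10100000L` code paths. A floor such as `find_package(OpenSSL <MIN_VERSION> REQUIRED)` (placeholder for the oldest release those pre-1.1 branches are meant to cover) fails early with a clear message instead of surfacing as compile errors in the guarded code. `set(USE_OPENSSL 1)` being unconditional is fine as long as config-h.in.cmake still emits the define; that file's hunk is listed in the diffstat but is outside this view.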
@@ -1,104 +0,0 @@ -# - Try to find NSPR -# Once done this will define -# -# NSPR_FOUND - system has NSPR -# NSPR_INCLUDE_DIRS - the NSPR include directory -# NSPR_LIBRARIES - Link these to use NSPR -# NSPR_DEFINITIONS - Compiler switches required for using NSPR -# -# Copyright (c) 2010 Andreas Schneider -# -# Redistribution and use is allowed according to the terms of the New -# BSD license. -# For details see the accompanying COPYING-CMAKE-SCRIPTS file. -# - - -if (NSPR_LIBRARIES AND NSPR_INCLUDE_DIRS) - # in cache already - set(NSPR_FOUND TRUE) -else (NSPR_LIBRARIES AND NSPR_INCLUDE_DIRS) - find_package(PkgConfig) - if (PKG_CONFIG_FOUND) - pkg_check_modules(_NSPR nspr) - endif (PKG_CONFIG_FOUND) - - find_path(NSPR_INCLUDE_DIR - NAMES - nspr.h - PATHS - ${_NSPR_INCLUDEDIR} - /usr/include - /usr/local/include - /opt/local/include - /sw/include - PATH_SUFFIXES - nspr4 - nspr - ) - - find_library(PLDS4_LIBRARY - NAMES - plds4 - PATHS - ${_NSPR_LIBDIR} - /usr/lib - /usr/local/lib - /opt/local/lib - /sw/lib - ) - - find_library(PLC4_LIBRARY - NAMES - plc4 - PATHS - ${_NSPR_LIBDIR} - /usr/lib - /usr/local/lib - /opt/local/lib - /sw/lib - ) - - find_library(NSPR4_LIBRARY - NAMES - nspr4 - PATHS - ${_NSPR_LIBDIR} - /usr/lib - /usr/local/lib - /opt/local/lib - /sw/lib - ) - - set(NSPR_INCLUDE_DIRS - ${NSPR_INCLUDE_DIR} - ) - - if (PLDS4_LIBRARY) - set(NSPR_LIBRARIES - ${NSPR_LIBRARIES} - ${PLDS4_LIBRARY} - ) - endif (PLDS4_LIBRARY) - - if (PLC4_LIBRARY) - set(NSPR_LIBRARIES - ${NSPR_LIBRARIES} - ${PLC4_LIBRARY} - ) - endif (PLC4_LIBRARY) - - if (NSPR4_LIBRARY) - set(NSPR_LIBRARIES - ${NSPR_LIBRARIES} - ${NSPR4_LIBRARY} - ) - endif (NSPR4_LIBRARY) - - include(FindPackageHandleStandardArgs) - find_package_handle_standard_args(NSPR DEFAULT_MSG NSPR_LIBRARIES NSPR_INCLUDE_DIRS) - - # show the NSPR_INCLUDE_DIRS and NSPR_LIBRARIES variables only in the advanced view - mark_as_advanced(NSPR_INCLUDE_DIRS NSPR_LIBRARIES) - -endif (NSPR_LIBRARIES AND NSPR_INCLUDE_DIRS) 
diff --git a/cmake/modules/FindNSS.cmake b/cmake/modules/FindNSS.cmake deleted file mode 100644 index a22e0f74f4e..00000000000 --- a/cmake/modules/FindNSS.cmake +++ /dev/null 
@@ -1,126 +0,0 @@ -# - Try to find NSS -# Once done this will define -# -# NSS_FOUND - system has NSS -# NSS_INCLUDE_DIRS - the NSS include directory -# NSS_LIBRARIES - Link these to use NSS -# NSS_DEFINITIONS - Compiler switches required for using NSS -# -# Copyright (c) 2010 Andreas Schneider -# -# Redistribution and use is allowed according to the terms of the New -# BSD license. -# For details see the accompanying COPYING-CMAKE-SCRIPTS file. -# - - -if (NSS_LIBRARIES AND NSS_INCLUDE_DIRS) - # in cache already - set(NSS_FOUND TRUE) -else (NSS_LIBRARIES AND NSS_INCLUDE_DIRS) - find_package(PkgConfig) - if (PKG_CONFIG_FOUND) - pkg_check_modules(_NSS nss) - endif (PKG_CONFIG_FOUND) - - find_path(NSS_INCLUDE_DIR - NAMES - pk11pub.h - PATHS - ${_NSS_INCLUDEDIR} - /usr/include - /usr/local/include - /opt/local/include - /sw/include - /usr/local/include/nss - PATH_SUFFIXES - nss3 - nss - ) - - find_library(SSL3_LIBRARY - NAMES - ssl3 - PATHS - ${_NSS_LIBDIR} - /usr/lib - /usr/local/lib - /opt/local/lib - /sw/lib - ) - - find_library(SMIME3_LIBRARY - NAMES - smime3 - PATHS - ${_NSS_LIBDIR} - /usr/lib - /usr/local/lib - /opt/local/lib - /sw/lib - ) - - find_library(NSS3_LIBRARY - NAMES - nss3 - PATHS - ${_NSS_LIBDIR} - /usr/lib - /usr/local/lib - /opt/local/lib - /sw/lib - /usr/lib/x86_64-linux-gnu - ) - - find_library(NSSUTIL3_LIBRARY - NAMES - nssutil3 - PATHS - ${_NSS_LIBDIR} - /usr/lib - /usr/local/lib - /opt/local/lib - /sw/lib - ) - - set(NSS_INCLUDE_DIRS - ${NSS_INCLUDE_DIR} - ) - - if (SSL3_LIBRARY) - set(NSS_LIBRARIES - ${NSS_LIBRARIES} - ${SSL3_LIBRARY} - ) - endif (SSL3_LIBRARY) - - if (SMIME3_LIBRARY) - set(NSS_LIBRARIES - ${NSS_LIBRARIES} - ${SMIME3_LIBRARY} - ) - endif (SMIME3_LIBRARY) - - if (NSS3_LIBRARY) - set(NSS_LIBRARIES - ${NSS_LIBRARIES} - ${NSS3_LIBRARY} - ) - endif (NSS3_LIBRARY) - - if (NSSUTIL3_LIBRARY) - set(NSS_LIBRARIES - ${NSS_LIBRARIES} - ${NSSUTIL3_LIBRARY} - ) - endif (NSSUTIL3_LIBRARY) - - include(FindPackageHandleStandardArgs) - 
message(STATUS "NSS_LIBRARIES: ${NSS_LIBRARIES}") - message(STATUS "NSS_INCLUDE_DIRS: ${NSS_INCLUDE_DIRS}") - find_package_handle_standard_args(NSS DEFAULT_MSG NSS_LIBRARIES NSS_INCLUDE_DIRS) - - # show the NSS_INCLUDE_DIRS and NSS_LIBRARIES variables only in the advanced view - mark_as_advanced(NSS_INCLUDE_DIRS NSS_LIBRARIES) - -endif (NSS_LIBRARIES AND NSS_INCLUDE_DIRS) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index a5929f00c29..157c4e65bdd 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -179,8 +179,6 @@ if(${ENABLE_COVERAGE}) list(APPEND EXTRALIBS gcov) endif(${ENABLE_COVERAGE}) -include_directories(${NSS_INCLUDE_DIR} ${NSPR_INCLUDE_DIR}) - set(GCOV_PREFIX_STRIP 4) # the src/.git_version file may be written out by make-dist; otherwise diff --git a/src/common/ceph_crypto.cc b/src/common/ceph_crypto.cc index 577edef727f..bcf0b27ffcd 100644 --- a/src/common/ceph_crypto.cc +++ b/src/common/ceph_crypto.cc @@ -16,14 +16,6 @@ #include "common/config.h" #include "ceph_crypto.h" -#ifdef USE_NSS - -// for SECMOD_RestartModules() -#include -#include - -#endif /*USE_NSS*/ - #ifdef USE_OPENSSL #include 
@@ -173,77 +165,13 @@ static void shutdown() { } } // namespace ceph::crypto::openssl -#endif /*USE_OPENSSL*/ - -#ifdef USE_NSS - -namespace ceph::crypto::nss { - -static pthread_mutex_t crypto_init_mutex = PTHREAD_MUTEX_INITIALIZER; -static uint32_t crypto_refs = 0; -static NSSInitContext *crypto_context = NULL; -static pid_t crypto_init_pid = 0; - - -static void init(CephContext *cct) -{ - pid_t pid = getpid(); - pthread_mutex_lock(&crypto_init_mutex); - if (crypto_init_pid != pid) { - if (crypto_init_pid > 0) { - SECMOD_RestartModules(PR_FALSE); - } - crypto_init_pid = pid; - } - - if (++crypto_refs == 1) { - NSSInitParameters init_params; - memset(&init_params, 0, sizeof(init_params)); - init_params.length = sizeof(init_params); - - uint32_t flags = (NSS_INIT_READONLY | NSS_INIT_PK11RELOAD); - if (cct->_conf->nss_db_path.empty()) { - flags |= (NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB); - } - crypto_context = NSS_InitContext(cct->_conf->nss_db_path.c_str(), "", "", - SECMOD_DB, &init_params, flags); - } - pthread_mutex_unlock(&crypto_init_mutex); - ceph_assert_always(crypto_context != NULL); -} - -static void shutdown(bool shared) -{ - pthread_mutex_lock(&crypto_init_mutex); - ceph_assert_always(crypto_refs > 0); - if (--crypto_refs == 0) { - NSS_ShutdownContext(crypto_context); - if (!shared) { - PR_Cleanup(); - } - crypto_context = NULL; - crypto_init_pid = 0; - } - pthread_mutex_unlock(&crypto_init_mutex); -} - -ceph::crypto::nss::HMAC::~HMAC() -{ - PK11_DestroyContext(ctx, PR_TRUE); - PK11_FreeSymKey(symkey); - PK11_FreeSlot(slot); -} - -} // namespace ceph::crypto::nss #else # error "No supported crypto implementation found." -#endif /*USE_NSS*/ +#endif /*USE_OPENSSL*/ void ceph::crypto::init(CephContext* const cct) { -#ifdef USE_NSS - ceph::crypto::nss::init(cct); -#endif + static_cast(cct); #ifdef USE_OPENSSL ceph::crypto::ssl::init(); 
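Review bot: The discard of `cct` at the top of `ceph::crypto::init` (shown here as `static_cast(cct);`, with the `<void>` argument lost in rendering) works, but this file already uses C++17 nested namespace definitions, so `[[maybe_unused]] CephContext* const cct` on the definition expresses the same without a statement in the body; the same goes for `shared` in `shutdown` in the next hunk. Now that the `#else` / `# error "No supported crypto implementation found."` directly above guarantees `USE_OPENSSL` is defined whenever this translation unit compiles at all, the `#ifdef USE_OPENSSL` around `ceph::crypto::ssl::init()` (and its twin in `shutdown`) is a dead conditional and can go. One behaviour the removed NSS path had is worth checking against the OpenSSL path: it recorded `crypto_init_pid` and re-initialized the modules when `init` ran in a forked child; whether `ceph::crypto::ssl::init()`, defined above this hunk, needs or has an equivalent is not visible here. The body of `init` continues past the end of the hunk.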
@@ -251,9 +179,7 @@ void ceph::crypto::init(CephContext* const cct) { } void ceph::crypto::shutdown(const bool shared) { -#ifdef USE_NSS - ceph::crypto::nss::shutdown(shared); -#endif + static_cast(shared); #ifdef USE_OPENSSL ceph::crypto::ssl::shutdown(); @@ -286,4 +212,6 @@ void ceph::crypto::ssl::OpenSSLDigest::Final(unsigned char *digest) { unsigned int s; EVP_DigestFinal_ex(mpContext, digest, &s); } +#else +# error "No supported crypto implementation found." #endif /*USE_OPENSSL*/ diff --git a/src/common/ceph_crypto.h b/src/common/ceph_crypto.h index 737454b53e7..0303e3bc583 100644 --- a/src/common/ceph_crypto.h +++ b/src/common/ceph_crypto.h @@ -15,24 +15,13 @@ #define CEPH_CRYPTO_SHA256_DIGESTSIZE 32 #define CEPH_CRYPTO_SHA512_DIGESTSIZE 64 -#ifdef USE_NSS -// you *must* use CRYPTO_CXXFLAGS in CMakeLists.txt for including this include -# include -# include - -// NSS thinks a lot of fairly fundamental operations might potentially -// fail, because it has been written to support e.g. smartcards doing all -// the crypto operations. We don't want to contaminate too much code -// with error checking, and just say these really should never fail. -// This assert MUST NOT be compiled out, even on non-debug builds. -# include "include/ceph_assert.h" -#endif /*USE_NSS*/ - #ifdef USE_OPENSSL #include #include #include +#include "include/ceph_assert.h" + extern "C" { const EVP_MD *EVP_md5(void); const EVP_MD *EVP_sha1(void); @@ -44,15 +33,14 @@ extern "C" { namespace ceph { namespace crypto { void assert_init(); - void init(CephContext *cct); + void init(class CephContext* cct); void shutdown(bool shared=true); } } -#ifdef USE_NSS +#ifdef USE_OPENSSL namespace ceph { namespace crypto { - class DigestException : public std::runtime_error { public: 
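Review bot: The `#else` / `# error "No supported crypto implementation found."` added before the final `#endif /*USE_OPENSSL*/` is redundant: the first `#ifdef USE_OPENSSL` block of this file, closed in the hunk above `ceph::crypto::init`, already ends in the identical `#error`, so a build without `USE_OPENSSL` stops there and never reaches this one. It is harmless, but one diagnostic per translation unit is enough; drop it, or keep it and instead remove the now-unreachable `#ifdef USE_OPENSSL` guards inside `init` and `shutdown`, so the file has a single place that states the requirement.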
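Review bot: `#include "include/ceph_assert.h"` comes back under `#ifdef USE_OPENSSL` without the comment that used to justify it; the removed NSS block explained that these asserts must not be compiled out even in non-debug builds. If the OpenSSL classes further down rely on `ceph_assert_always` for the same reason, keep that rationale next to the include, e.g. `// ceph_assert_always() is used by the digest/HMAC wrappers below; it must survive non-debug builds`, so a later cleanup does not replace it with a plain assert. Which declarations in this header actually use it is outside the hunk, so if none do, the include may be unnecessary or belong outside the guard.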
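Review bot: `void init(class CephContext* cct);` uses an elaborated-type-specifier inside `namespace ceph { namespace crypto {`; if no `CephContext` is visible at that point, this does not refer to the global class but declares a new `ceph::crypto::CephContext`, and a caller passing a `::CephContext*` then fails to match. Whether a global declaration is in scope here depends on the includes above the hunk, which are not in view; the robust form is an explicit `class CephContext;` at global scope near the top of the header with the declaration back to `void init(CephContext* cct);`. `void shutdown(bool shared=true);` next to it keeps a parameter that the definition in ceph_crypto.cc now discards; a comment such as `// 'shared' no longer affects teardown; kept for API compatibility` stops callers from assuming it still controls cleanup.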
@@ -60,79 +48,6 @@ namespace ceph { {} }; - namespace nss { - - template - class NSSDigest { - private: - PK11Context *ctx; - public: - static constexpr size_t digest_size = DigestSize; - NSSDigest (SECOidTag _type) { - ctx = PK11_CreateDigestContext(_type); - if (! ctx) { - throw DigestException("PK11_CreateDigestContext() failed"); - } - Restart(); - } - ~NSSDigest () { - PK11_DestroyContext(ctx, PR_TRUE); - } - void Restart() { - SECStatus s; - s = PK11_DigestBegin(ctx); - if (s != SECSuccess) { - throw DigestException("PK11_DigestBegin() failed"); - } - } - void Update (const unsigned char *input, size_t length) { - if (length) { - SECStatus s; - s = PK11_DigestOp(ctx, input, length); - if (s != SECSuccess) { - throw DigestException("PK11_DigestOp() failed"); - } - } - } - void Final (unsigned char *digest) { - SECStatus s; - unsigned int dummy; - s = PK11_DigestFinal(ctx, digest, &dummy, digest_size); - if (! (s == SECSuccess) && - (dummy == digest_size)) { - throw DigestException("PK11_DigestFinal() failed"); - } - Restart(); - } - }; - - class MD5 : public NSSDigest { - public: - MD5 () : NSSDigest{SEC_OID_MD5} { } - }; - - class SHA1 : public NSSDigest { - public: - SHA1 () : NSSDigest{SEC_OID_SHA1} { } - }; - - class SHA256 : public NSSDigest { - public: - SHA256 () : NSSDigest{SEC_OID_SHA256} { } - }; - - class SHA512 : public NSSDigest { - public: - SHA512 () : NSSDigest{SEC_OID_SHA512} { } - }; - } - } -} -#endif /*USE_NSS*/ - -#ifdef USE_OPENSSL -namespace ceph { - namespace crypto { namespace ssl { class OpenSSLDigest { private: 
@@ -172,85 +87,8 @@ namespace ceph { } } } -#endif /*USE_OPENSSL*/ -#ifdef USE_NSS -namespace ceph { - namespace crypto::nss { - class HMAC { - private: - PK11SlotInfo *slot; - PK11SymKey *symkey; - PK11Context *ctx; - unsigned int digest_size; - public: - HMAC (CK_MECHANISM_TYPE cktype, unsigned int digestsize, const unsigned char *key, size_t length) { - digest_size = digestsize; - slot = PK11_GetBestSlot(cktype, NULL); - if (! slot) { - throw DigestException("PK11_GetBestSlot() failed"); - } - SECItem keyItem; - keyItem.type = siBuffer; - keyItem.data = (unsigned char*)key; - keyItem.len = length; - symkey = PK11_ImportSymKey(slot, cktype, PK11_OriginUnwrap, - CKA_SIGN, &keyItem, NULL); - if (! symkey) { - throw DigestException("PK11_ImportSymKey() failed"); - } - SECItem param; - param.type = siBuffer; - param.data = NULL; - param.len = 0; - ctx = PK11_CreateContextBySymKey(cktype, CKA_SIGN, symkey, ¶m); - if (! ctx) { - throw DigestException("PK11_CreateContextBySymKey() failed"); - } - Restart(); - } - ~HMAC (); - void Restart() { - SECStatus s; - s = PK11_DigestBegin(ctx); - if (s != SECSuccess) { - throw DigestException("PK11_DigestBegin() failed"); - } - } - void Update (const unsigned char *input, size_t length) { - SECStatus s; - s = PK11_DigestOp(ctx, input, length); - if (s != SECSuccess) { - throw DigestException("PK11_DigestOp() failed"); - } - } - void Final (unsigned char *digest) { - SECStatus s; - unsigned int dummy; - s = PK11_DigestFinal(ctx, digest, &dummy, digest_size); - if (! 
(s == SECSuccess) && - (dummy == digest_size)) { - throw DigestException("PK11_DigestFinal() failed"); - } - Restart(); - } - }; - - class HMACSHA1 : public HMAC { - public: - HMACSHA1 (const unsigned char *key, size_t length) : HMAC(CKM_SHA_1_HMAC, CEPH_CRYPTO_HMACSHA1_DIGESTSIZE, key, length) { } - }; - - class HMACSHA256 : public HMAC { - public: - HMACSHA256 (const unsigned char *key, size_t length) : HMAC(CKM_SHA256_HMAC, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, key, length) { } - }; - } -} -#endif - -#ifdef USE_OPENSSL namespace ceph::crypto::ssl { # if OPENSSL_VERSION_NUMBER < 0x10100000L class HMAC { @@ -347,10 +185,8 @@ namespace ceph::crypto::ssl { } }; } -#endif /*USE_OPENSSL*/ -#if defined(USE_OPENSSL) namespace ceph { namespace crypto { using ceph::crypto::ssl::SHA256; @@ -362,22 +198,10 @@ namespace ceph { using ceph::crypto::ssl::HMACSHA1; } } -#elif defined(USE_NSS) -namespace ceph { - namespace crypto { - using ceph::crypto::nss::SHA256; - using ceph::crypto::nss::MD5; - using ceph::crypto::nss::SHA1; - using ceph::crypto::nss::SHA512; - - using ceph::crypto::nss::HMACSHA256; - using ceph::crypto::nss::HMACSHA1; - } -} #else // cppcheck-suppress preprocessorErrorDirective # error "No supported crypto implementation found." -#endif +#endif /*USE_OPENSSL*/ namespace ceph::crypto { template diff --git a/src/common/legacy_config_opts.h b/src/common/legacy_config_opts.h index ceb3b90ede3..4c6e508022d 100644 --- a/src/common/legacy_config_opts.h +++ b/src/common/legacy_config_opts.h @@ -1245,8 +1245,6 @@ OPTION(rados_mon_op_timeout, OPT_DOUBLE) // how many seconds to wait for a respo OPTION(rados_osd_op_timeout, OPT_DOUBLE) // how many seconds to wait for a response from osds before returning an error from a rados operation. 0 means no limit. OPTION(rados_tracing, OPT_BOOL) // true if LTTng-UST tracepoints should be enabled -OPTION(nss_db_path, OPT_STR) // path to nss db - OPTION(rgw_max_chunk_size, OPT_INT) OPTION(rgw_put_obj_min_window_size, OPT_INT) 
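Review bot: Removing `OPTION(nss_db_path, OPT_STR)` retires a user-visible config key; deployments that still set `nss_db_path` in their ceph.conf will presumably have it reported as unknown after the upgrade, and the companion change in options.cc is cut off below this view so I cannot see whether anything softens that. Mention the removal in the release notes and in the commit message, stating that any existing `nss_db_path` setting is now ignored, so operators know the warning is expected rather than a misconfiguration.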
diff --git a/src/common/options.cc b/src/common/options.cc index 545f89ba28a..43886d3e20d 100644 --- a/src/common/options.cc +++ b/src/common/options.cc @@ -5293,10 +5293,6 @@ std::vector