Skip to content

Commit

Permalink
auth: drop AES128CBC_HMACSHA256_StreamHandler.
Browse files Browse the repository at this point in the history 
Signed-off-by: Radoslaw Zarzynski <[email protected]>
  • Loading branch information
@rzarzynski
rzarzynski committed Feb 21, 2019
1 parent 8245a29 commit 4314944
Showing 1 changed file with 0 additions and 184 deletions.
184 changes: 0 additions & 184 deletions src/auth/AuthSessionHandler.cc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -55,190 +55,6 @@ AuthSessionHandler *get_auth_session_handler(
}
}

class AES128CBC_HMACSHA256_StreamHandler : public AuthStreamHandler {
CephContext* const cct;
const AuthConnectionMeta& auth_meta;
CryptoKey key;

void calc_signature(const char *in, uint32_t length, char *out) {
auto secret = auth_meta.connection_secret;
ceph::crypto::HMACSHA256 hmac((const unsigned char *)secret.c_str(),
secret.length());
hmac.Update((const unsigned char *)in, length);
hmac.Final((unsigned char *)out);
}

void calculate_payload_size(uint32_t length, uint32_t *total_len,
uint32_t *sig_pad_len = nullptr,
uint32_t *enc_pad_len = nullptr) {
bool is_signed = auth_meta.is_mode_secure(); // REMOVE ME
bool is_encrypted = auth_meta.is_mode_secure();

uint32_t sig_pad_l = 0;
uint32_t enc_pad_l = 0;
uint32_t total_l = length;

if (is_signed && !is_encrypted) {
sig_pad_l = SIGNATURE_BLOCK_SIZE - (length % SIGNATURE_BLOCK_SIZE);
total_l += sig_pad_l + SIGNATURE_BLOCK_SIZE;
} else if (is_encrypted) {
if (is_signed) {
total_l += SIGNATURE_BLOCK_SIZE;
}
uint32_t block_size = auth_meta.session_key.get_max_outbuf_size(0);
uint32_t pad_len = block_size - (total_l % block_size);
if (is_signed) {
sig_pad_l = pad_len;
} else if (!is_signed) {
enc_pad_l = pad_len;
}
total_l = auth_meta.session_key.get_max_outbuf_size(total_l + pad_len);
}

if (sig_pad_len) {
*sig_pad_len = sig_pad_l;
}
if (enc_pad_len) {
*enc_pad_len = enc_pad_l;
}
if (total_len) {
*total_len = total_l;
}

ldout(cct, 21) << __func__ << " length=" << length << " total_len=" << total_l
<< " sig_pad_len=" << sig_pad_l << " enc_pad_len=" << enc_pad_l
<< dendl;
}

void sign_payload(bufferlist &payload) {
ldout(cct, 21) << __func__ << " len=" << payload.length() << dendl;

if (false) {
uint32_t pad_len;
calculate_payload_size(payload.length(), nullptr, &pad_len);
auto padding = bufferptr(buffer::create(pad_len));
cct->random()->get_bytes((char *)padding.raw_c_str(), pad_len);
payload.push_back(padding);

auto signature =
bufferptr(buffer::create(CEPH_CRYPTO_HMACSHA256_DIGESTSIZE));
calc_signature(payload.c_str(), payload.length(),
(char *)signature.raw_c_str());

uint64_t s1 = *(uint64_t *)signature.raw_c_str();
uint64_t s2 = *(uint64_t *)(signature.raw_c_str() + 8);
uint64_t s3 = *(uint64_t *)(signature.raw_c_str() + 16);
uint64_t s4 = *(uint64_t *)(signature.raw_c_str() + 24);
ldout(cct, 15) << __func__ << " payload signature=" << std::hex << s4 << s3
<< s2 << s1 << std::dec << dendl;

payload.push_back(signature);
}
}

void verify_signature(char *payload, uint32_t length) {
ldout(cct, 21) << __func__ << " len=" << length << dendl;

if (false) {
uint32_t payload_len = length - CEPH_CRYPTO_HMACSHA256_DIGESTSIZE;
const char *p = payload + payload_len;
char signature[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE];
calc_signature(payload, payload_len, signature);

auto r = memcmp(p, signature, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE);

if (r != 0) { // signature mismatch
ldout(cct, 1) << __func__ << " signature verification failed" << dendl;
throw SHA256SignatureError(signature, p);
}
}
}

int encrypt_bufferlist(bufferlist &in, bufferlist &out) {
std::string error;
try {
key.encrypt(cct, in, out, &error);
} catch (std::exception &e) {
lderr(cct) << __func__ << " failed to encrypt buffer: " << error << dendl;
return -1;
}
return 0;
}

int decrypt_bufferlist(bufferlist &in, bufferlist &out) {
std::string error;
try {
key.decrypt(cct, in, out, &error);
} catch (std::exception &e) {
lderr(cct) << __func__ << " failed to decrypt buffer: " << error << dendl;
return -1;
}
return 0;
}

void encrypt_payload(bufferlist &payload) {
ldout(cct, 21) << __func__ << " len=" << payload.length() << dendl;
if (auth_meta.is_mode_secure()) {
uint32_t pad_len;
calculate_payload_size(payload.length(), nullptr, nullptr, &pad_len);
if (pad_len) {
auto padding = bufferptr(buffer::create(pad_len));
cct->random()->get_bytes((char *)padding.raw_c_str(), pad_len);
payload.push_back(padding);
}

bufferlist tmp;
tmp.claim(payload);
encrypt_bufferlist(tmp, payload);
}
}

void decrypt_payload(char *payload, uint32_t &length) {
ldout(cct, 21) << __func__ << " len=" << length << dendl;
if (auth_meta.is_mode_secure()) {
bufferlist in;
in.push_back(buffer::create_static(length, payload));
bufferlist out;
if (decrypt_bufferlist(in, out) < 0) {
throw DecryptionError();
}
ceph_assert(out.length() <= length);
memcpy(payload, out.c_str(), out.length());
length = out.length();
}
}

/* HMAC Block Size
* Currently we're using only SHA256 for computing the HMAC
*/
static const int SIGNATURE_BLOCK_SIZE = CEPH_CRYPTO_HMACSHA256_DIGESTSIZE;

public:
AES128CBC_HMACSHA256_StreamHandler(CephContext* const cct,
const AuthConnectionMeta& auth_meta)
: cct(cct),
auth_meta(auth_meta),
#warning fixme key
key(auth_meta.session_key) {
}

void authenticated_encrypt(ceph::bufferlist& payload) override {
sign_payload(payload);
encrypt_payload(payload);
}

void authenticated_decrypt(char* payload, uint32_t& length) override {
decrypt_payload(payload, length);
verify_signature(payload, length);
}

std::size_t calculate_payload_size(std::size_t length) override {
uint32_t total_l;
calculate_payload_size(length, &total_l);
return total_l;
}
};


#ifdef USE_OPENSSL
# include <openssl/evp.h>
Expand Down

0 comments on commit 4314944

Please sign in to comment.