]> git.proxmox.com Git - ceph.git/blob - ceph/src/rgw/rgw_crypt.h
projects / ceph.git / blob
? search:


77f07f8f2fe2ead5dea00d57296c1068ac7bd3fb
[ceph.git] / ceph / src / rgw / rgw_crypt.h
1 // -*- mode:C; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
3 /**
4 * Crypto filters for Put/Post/Get operations.
5 */
6 #ifndef CEPH_RGW_CRYPT_H
7 #define CEPH_RGW_CRYPT_H
8
9 #include <rgw/rgw_op.h>
10 #include <rgw/rgw_rest.h>
11 #include <rgw/rgw_rest_s3.h>
12 #include <boost/utility/string_view.hpp>
13
14 /**
15 * \brief Interface for block encryption methods
16 *
17 * Encrypts and decrypts data.
18 * Operations are performed in context of larger stream being divided into blocks.
19 * Each block can be processed independently, but only as a whole.
20 * Part block cannot be properly processed.
21 * Each request must start on block-aligned offset.
22 * Each request should have length that is multiply of block size.
23 * Request with unaligned length is only acceptable for last part of stream.
24 */
25 class BlockCrypt {
26 public:
27 BlockCrypt(){};
28 virtual ~BlockCrypt(){};
29
30 /**
31 * Determines size of encryption block.
32 * This is usually multiply of key size.
33 * It determines size of chunks that should be passed to \ref encrypt and \ref decrypt.
34 */
35 virtual size_t get_block_size() = 0;
36
37 /**
38 * Encrypts data.
39 * Argument \ref stream_offset shows where in generalized stream chunk is located.
40 * Input for encryption is \ref input buffer, with relevant data in range <in_ofs, in_ofs+size).
41 * \ref input and \output may not be the same buffer.
42 *
43 * \params
44 * input - source buffer of data
45 * in_ofs - offset of chunk inside input
46 * size - size of chunk, must be chunk-aligned unless last part is processed
47 * output - destination buffer to encrypt to
48 * stream_offset - location of <in_ofs,in_ofs+size) chunk in data stream, must be chunk-aligned
49 * \return true iff successfully encrypted
50 */
51 virtual bool encrypt(bufferlist& input,
52 off_t in_ofs,
53 size_t size,
54 bufferlist& output,
55 off_t stream_offset) = 0;
56
57 /**
58 * Decrypts data.
59 * Argument \ref stream_offset shows where in generalized stream chunk is located.
60 * Input for decryption is \ref input buffer, with relevant data in range <in_ofs, in_ofs+size).
61 * \ref input and \output may not be the same buffer.
62 *
63 * \params
64 * input - source buffer of data
65 * in_ofs - offset of chunk inside input
66 * size - size of chunk, must be chunk-aligned unless last part is processed
67 * output - destination buffer to encrypt to
68 * stream_offset - location of <in_ofs,in_ofs+size) chunk in data stream, must be chunk-aligned
69 * \return true iff successfully encrypted
70 */
71 virtual bool decrypt(bufferlist& input,
72 off_t in_ofs,
73 size_t size,
74 bufferlist& output,
75 off_t stream_offset) = 0;
76 };
77
78 static const size_t AES_256_KEYSIZE = 256 / 8;
79 bool AES_256_ECB_encrypt(CephContext* cct,
80 const uint8_t* key,
81 size_t key_size,
82 const uint8_t* data_in,
83 uint8_t* data_out,
84 size_t data_size);
85
86 class RGWGetObj_BlockDecrypt : public RGWGetObj_Filter {
87 CephContext* cct;
88
89 std::unique_ptr<BlockCrypt> crypt; /**< already configured stateless BlockCrypt
90 for operations when enough data is accumulated */
91 off_t enc_begin_skip; /**< amount of data to skip from beginning of received data */
92 off_t ofs; /**< stream offset of data we expect to show up next through \ref handle_data */
93 off_t end; /**< stream offset of last byte that is requested */
94 bufferlist cache; /**< stores extra data that could not (yet) be processed by BlockCrypt */
95 size_t block_size; /**< snapshot of \ref BlockCrypt.get_block_size() */
96 std::vector<size_t> parts_len; /**< size of parts of multipart object, parsed from manifest */
97 public:
98 RGWGetObj_BlockDecrypt(CephContext* cct,
99 RGWGetDataCB* next,
100 std::unique_ptr<BlockCrypt> crypt);
101 virtual ~RGWGetObj_BlockDecrypt();
102
103 virtual int fixup_range(off_t& bl_ofs,
104 off_t& bl_end) override;
105 virtual int handle_data(bufferlist& bl,
106 off_t bl_ofs,
107 off_t bl_len) override;
108 virtual int flush() override;
109
110 int read_manifest(bufferlist& manifest_bl);
111 }; /* RGWGetObj_BlockDecrypt */
112
113
114 class RGWPutObj_BlockEncrypt : public RGWPutObj_Filter
115 {
116 CephContext* cct;
117 std::unique_ptr<BlockCrypt> crypt; /**< already configured stateless BlockCrypt
118 for operations when enough data is accumulated */
119 off_t ofs; /**< stream offset of data we expect to show up next through \ref handle_data */
120 bufferlist cache; /**< stores extra data that could not (yet) be processed by BlockCrypt */
121 size_t block_size; /**< snapshot of \ref BlockCrypt.get_block_size() */
122 public:
123 RGWPutObj_BlockEncrypt(CephContext* cct,
124 RGWPutObjDataProcessor* next,
125 std::unique_ptr<BlockCrypt> crypt);
126 virtual ~RGWPutObj_BlockEncrypt();
127 virtual int handle_data(bufferlist& bl,
128 off_t ofs,
129 void **phandle,
130 rgw_raw_obj *pobj,
131 bool *again) override;
132 virtual int throttle_data(void *handle,
133 const rgw_raw_obj& obj,
134 uint64_t size,
135 bool need_to_wait) override;
136 }; /* RGWPutObj_BlockEncrypt */
137
138
139 int rgw_s3_prepare_encrypt(struct req_state* s,
140 std::map<std::string, ceph::bufferlist>& attrs,
141 std::map<std::string,
142 RGWPostObj_ObjStore::post_form_part,
143 const ltstr_nocase>* parts,
144 std::unique_ptr<BlockCrypt>* block_crypt,
145 std::map<std::string,
146 std::string>& crypt_http_responses);
147
148 int rgw_s3_prepare_decrypt(struct req_state* s,
149 std::map<std::string, ceph::bufferlist>& attrs,
150 std::unique_ptr<BlockCrypt>* block_crypt,
151 std::map<std::string,
152 std::string>& crypt_http_responses);
153
154 #endif
Ceph