]>
git.proxmox.com Git - ceph.git/blob - ceph/src/rgw/rgw_crypt.h
1 // -*- mode:C; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab ft=cpp
5 * Crypto filters for Put/Post/Get operations.
8 #ifndef CEPH_RGW_CRYPT_H
9 #define CEPH_RGW_CRYPT_H
11 #include <string_view>
13 #include <rgw/rgw_op.h>
14 #include <rgw/rgw_rest.h>
15 #include <rgw/rgw_rest_s3.h>
16 #include "rgw_putobj.h"
19 * \brief Interface for block encryption methods
21 * Encrypts and decrypts data.
22 * Operations are performed in context of larger stream being divided into blocks.
23 * Each block can be processed independently, but only as a whole.
24 * Part block cannot be properly processed.
25 * Each request must start on block-aligned offset.
26 * Each request should have length that is multiply of block size.
27 * Request with unaligned length is only acceptable for last part of stream.
32 virtual ~BlockCrypt(){};
35 * Determines size of encryption block.
36 * This is usually multiply of key size.
37 * It determines size of chunks that should be passed to \ref encrypt and \ref decrypt.
39 virtual size_t get_block_size() = 0;
43 * Argument \ref stream_offset shows where in generalized stream chunk is located.
44 * Input for encryption is \ref input buffer, with relevant data in range <in_ofs, in_ofs+size).
45 * \ref input and \output may not be the same buffer.
48 * input - source buffer of data
49 * in_ofs - offset of chunk inside input
50 * size - size of chunk, must be chunk-aligned unless last part is processed
51 * output - destination buffer to encrypt to
52 * stream_offset - location of <in_ofs,in_ofs+size) chunk in data stream, must be chunk-aligned
53 * \return true iff successfully encrypted
55 virtual bool encrypt(bufferlist
& input
,
59 off_t stream_offset
) = 0;
63 * Argument \ref stream_offset shows where in generalized stream chunk is located.
64 * Input for decryption is \ref input buffer, with relevant data in range <in_ofs, in_ofs+size).
65 * \ref input and \output may not be the same buffer.
68 * input - source buffer of data
69 * in_ofs - offset of chunk inside input
70 * size - size of chunk, must be chunk-aligned unless last part is processed
71 * output - destination buffer to encrypt to
72 * stream_offset - location of <in_ofs,in_ofs+size) chunk in data stream, must be chunk-aligned
73 * \return true iff successfully encrypted
75 virtual bool decrypt(bufferlist
& input
,
79 off_t stream_offset
) = 0;
82 static const size_t AES_256_KEYSIZE
= 256 / 8;
83 bool AES_256_ECB_encrypt(const DoutPrefixProvider
* dpp
,
87 const uint8_t* data_in
,
91 class RGWGetObj_BlockDecrypt
: public RGWGetObj_Filter
{
92 const DoutPrefixProvider
*dpp
;
94 std::unique_ptr
<BlockCrypt
> crypt
; /**< already configured stateless BlockCrypt
95 for operations when enough data is accumulated */
96 off_t enc_begin_skip
; /**< amount of data to skip from beginning of received data */
97 off_t ofs
; /**< stream offset of data we expect to show up next through \ref handle_data */
98 off_t end
; /**< stream offset of last byte that is requested */
99 bufferlist cache
; /**< stores extra data that could not (yet) be processed by BlockCrypt */
100 size_t block_size
; /**< snapshot of \ref BlockCrypt.get_block_size() */
102 int process(bufferlist
& cipher
, size_t part_ofs
, size_t size
);
105 std::vector
<size_t> parts_len
; /**< size of parts of multipart object, parsed from manifest */
107 RGWGetObj_BlockDecrypt(const DoutPrefixProvider
*dpp
,
109 RGWGetObj_Filter
* next
,
110 std::unique_ptr
<BlockCrypt
> crypt
);
111 virtual ~RGWGetObj_BlockDecrypt();
113 virtual int fixup_range(off_t
& bl_ofs
,
114 off_t
& bl_end
) override
;
115 virtual int handle_data(bufferlist
& bl
,
117 off_t bl_len
) override
;
118 virtual int flush() override
;
120 int read_manifest(const DoutPrefixProvider
*dpp
, bufferlist
& manifest_bl
);
121 }; /* RGWGetObj_BlockDecrypt */
124 class RGWPutObj_BlockEncrypt
: public rgw::putobj::Pipe
126 const DoutPrefixProvider
*dpp
;
128 std::unique_ptr
<BlockCrypt
> crypt
; /**< already configured stateless BlockCrypt
129 for operations when enough data is accumulated */
130 bufferlist cache
; /**< stores extra data that could not (yet) be processed by BlockCrypt */
131 const size_t block_size
; /**< snapshot of \ref BlockCrypt.get_block_size() */
133 RGWPutObj_BlockEncrypt(const DoutPrefixProvider
*dpp
,
135 rgw::sal::DataProcessor
*next
,
136 std::unique_ptr
<BlockCrypt
> crypt
);
138 int process(bufferlist
&& data
, uint64_t logical_offset
) override
;
139 }; /* RGWPutObj_BlockEncrypt */
142 int rgw_s3_prepare_encrypt(struct req_state
* s
,
143 std::map
<std::string
, ceph::bufferlist
>& attrs
,
144 std::unique_ptr
<BlockCrypt
>* block_crypt
,
145 std::map
<std::string
,
146 std::string
>& crypt_http_responses
);
148 int rgw_s3_prepare_decrypt(struct req_state
* s
,
149 std::map
<std::string
, ceph::bufferlist
>& attrs
,
150 std::unique_ptr
<BlockCrypt
>* block_crypt
,
151 std::map
<std::string
,
152 std::string
>& crypt_http_responses
);
154 static inline void set_attr(std::map
<std::string
, bufferlist
>& attrs
,
156 std::string_view value
)
159 bl
.append(value
.data(), value
.size());
160 attrs
[key
] = std::move(bl
);
163 static inline std::string
get_str_attribute(std::map
<std::string
, bufferlist
>& attrs
,
166 auto iter
= attrs
.find(name
);
167 if (iter
== attrs
.end()) {
170 return iter
->second
.to_str();
173 int rgw_remove_sse_s3_bucket_key(req_state
*s
);