ceph/src/rgw/rgw_crypt.h

   1 // -*- mode:C; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
   2 // vim: ts=8 sw=2 smarttab ft=cpp
   3
   4 /**
   5  * Crypto filters for Put/Post/Get operations.
   6  */
   7
   8 #ifndef CEPH_RGW_CRYPT_H
   9 #define CEPH_RGW_CRYPT_H
  10
  11 #include <string_view>
  12
  13 #include <rgw/rgw_op.h>
  14 #include <rgw/rgw_rest.h>
  15 #include <rgw/rgw_rest_s3.h>
  16 #include "rgw_putobj.h"
  17
  18 /**
  19  * \brief Interface for block encryption methods
  20  *
  21  * Encrypts and decrypts data.
  22  * Operations are performed in context of larger stream being divided into blocks.
  23  * Each block can be processed independently, but only as a whole.
  24  * Part block cannot be properly processed.
  25  * Each request must start on block-aligned offset.
  26  * Each request should have length that is multiply of block size.
  27  * Request with unaligned length is only acceptable for last part of stream.
  28  */
  29 class BlockCrypt {
  30 public:
  31   BlockCrypt(){};
  32   virtual ~BlockCrypt(){};
  33
  34   /**
  35     * Determines size of encryption block.
  36     * This is usually multiply of key size.
  37     * It determines size of chunks that should be passed to \ref encrypt and \ref decrypt.
  38     */
  39   virtual size_t get_block_size() = 0;
  40
  41   /**
  42    * Encrypts data.
  43    * Argument \ref stream_offset shows where in generalized stream chunk is located.
  44    * Input for encryption is \ref input buffer, with relevant data in range <in_ofs, in_ofs+size).
  45    * \ref input and \output may not be the same buffer.
  46    *
  47    * \params
  48    * input - source buffer of data
  49    * in_ofs - offset of chunk inside input
  50    * size - size of chunk, must be chunk-aligned unless last part is processed
  51    * output - destination buffer to encrypt to
  52    * stream_offset - location of <in_ofs,in_ofs+size) chunk in data stream, must be chunk-aligned
  53    * \return true iff successfully encrypted
  54    */
  55   virtual bool encrypt(bufferlist& input,
  56                        off_t in_ofs,
  57                        size_t size,
  58                        bufferlist& output,
  59                        off_t stream_offset) = 0;
  60
  61   /**
  62    * Decrypts data.
  63    * Argument \ref stream_offset shows where in generalized stream chunk is located.
  64    * Input for decryption is \ref input buffer, with relevant data in range <in_ofs, in_ofs+size).
  65    * \ref input and \output may not be the same buffer.
  66    *
  67    * \params
  68    * input - source buffer of data
  69    * in_ofs - offset of chunk inside input
  70    * size - size of chunk, must be chunk-aligned unless last part is processed
  71    * output - destination buffer to encrypt to
  72    * stream_offset - location of <in_ofs,in_ofs+size) chunk in data stream, must be chunk-aligned
  73    * \return true iff successfully encrypted
  74    */
  75   virtual bool decrypt(bufferlist& input,
  76                        off_t in_ofs,
  77                        size_t size,
  78                        bufferlist& output,
  79                        off_t stream_offset) = 0;
  80 };
  81
  82 static const size_t AES_256_KEYSIZE = 256 / 8;
  83 bool AES_256_ECB_encrypt(const DoutPrefixProvider* dpp,
  84                          CephContext* cct,
  85                          const uint8_t* key,
  86                          size_t key_size,
  87                          const uint8_t* data_in,
  88                          uint8_t* data_out,
  89                          size_t data_size);
  90
  91 class RGWGetObj_BlockDecrypt : public RGWGetObj_Filter {
  92   const DoutPrefixProvider *dpp;
  93   CephContext* cct;
  94   std::unique_ptr<BlockCrypt> crypt; /**< already configured stateless BlockCrypt
  95                                           for operations when enough data is accumulated */
  96   off_t enc_begin_skip; /**< amount of data to skip from beginning of received data */
  97   off_t ofs; /**< stream offset of data we expect to show up next through \ref handle_data */
  98   off_t end; /**< stream offset of last byte that is requested */
  99   bufferlist cache; /**< stores extra data that could not (yet) be processed by BlockCrypt */
 100   size_t block_size; /**< snapshot of \ref BlockCrypt.get_block_size() */
 101
 102   int process(bufferlist& cipher, size_t part_ofs, size_t size);
 103
 104 protected:
 105   std::vector<size_t> parts_len; /**< size of parts of multipart object, parsed from manifest */
 106 public:
 107   RGWGetObj_BlockDecrypt(const DoutPrefixProvider *dpp,
 108                          CephContext* cct,
 109                          RGWGetObj_Filter* next,
 110                          std::unique_ptr<BlockCrypt> crypt);
 111   virtual ~RGWGetObj_BlockDecrypt();
 112
 113   virtual int fixup_range(off_t& bl_ofs,
 114                           off_t& bl_end) override;
 115   virtual int handle_data(bufferlist& bl,
 116                           off_t bl_ofs,
 117                           off_t bl_len) override;
 118   virtual int flush() override;
 119
 120   int read_manifest(const DoutPrefixProvider *dpp, bufferlist& manifest_bl);
 121 }; /* RGWGetObj_BlockDecrypt */
 122
 123
 124 class RGWPutObj_BlockEncrypt : public rgw::putobj::Pipe
 125 {
 126   const DoutPrefixProvider *dpp;
 127   CephContext* cct;
 128   std::unique_ptr<BlockCrypt> crypt; /**< already configured stateless BlockCrypt
 129                                           for operations when enough data is accumulated */
 130   bufferlist cache; /**< stores extra data that could not (yet) be processed by BlockCrypt */
 131   const size_t block_size; /**< snapshot of \ref BlockCrypt.get_block_size() */
 132 public:
 133   RGWPutObj_BlockEncrypt(const DoutPrefixProvider *dpp,
 134                          CephContext* cct,
 135                          rgw::sal::DataProcessor *next,
 136                          std::unique_ptr<BlockCrypt> crypt);
 137
 138   int process(bufferlist&& data, uint64_t logical_offset) override;
 139 }; /* RGWPutObj_BlockEncrypt */
 140
 141
 142 int rgw_s3_prepare_encrypt(struct req_state* s,
 143                            std::map<std::string, ceph::bufferlist>& attrs,
 144                            std::unique_ptr<BlockCrypt>* block_crypt,
 145                            std::map<std::string,
 146                                     std::string>& crypt_http_responses);
 147
 148 int rgw_s3_prepare_decrypt(struct req_state* s,
 149                            std::map<std::string, ceph::bufferlist>& attrs,
 150                            std::unique_ptr<BlockCrypt>* block_crypt,
 151                            std::map<std::string,
 152                                     std::string>& crypt_http_responses);
 153
 154 static inline void set_attr(std::map<std::string, bufferlist>& attrs,
 155                             const char* key,
 156                             std::string_view value)
 157 {
 158   bufferlist bl;
 159   bl.append(value.data(), value.size());
 160   attrs[key] = std::move(bl);
 161 }
 162
 163 static inline std::string get_str_attribute(std::map<std::string, bufferlist>& attrs,
 164                                             const char *name)
 165 {
 166   auto iter = attrs.find(name);
 167   if (iter == attrs.end()) {
 168     return {};
 169   }
 170   return iter->second.to_str();
 171 }
 172
 173 int rgw_remove_sse_s3_bucket_key(req_state *s);
 174
 175 #endif