-rw-r--r-- | debian/control | 2 | ||||
-rw-r--r-- | src/.gitignore | 1 | ||||
-rw-r--r-- | src/Makefile.am | 17 | ||||
-rw-r--r-- | src/common/ceph_crypto_cms.cc | 56 | ||||
-rw-r--r-- | src/common/ceph_crypto_cms.h | 4 | ||||
-rw-r--r-- | src/rgw/rgw_swift.cc | 7 | ||||
-rw-r--r-- | src/test/ceph_crypto.cc | 6 | ||||
-rw-r--r-- | src/test/crypto.cc | 2 |
8 files changed, 54 insertions, 41 deletions
diff --git a/debian/control b/debian/control
index acf3db0ab40..5512f6d7dfa 100644
--- a/debian/control
+++ b/debian/control
@@ -6,7 +6,7 @@ Vcs-Git: git://github.com/ceph/ceph.git
 Vcs-Browser: https://github.com/ceph/ceph
 Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
 Uploaders: Sage Weil <sage@newdream.net>
-Build-Depends: debhelper (>= 6.0.7~), autotools-dev, autoconf, automake, libfuse-dev, libboost-dev (>= 1.34), libedit-dev, libnss3-dev, libtool, libexpat1-dev, libfcgi-dev, libatomic-ops-dev, libgoogle-perftools-dev [i386 amd64], pkg-config, libcurl4-gnutls-dev, libkeyutils-dev, uuid-dev, libaio-dev, python (>= 2.6.6-3~), libxml2-dev
+Build-Depends: debhelper (>= 6.0.7~), autotools-dev, autoconf, automake, libfuse-dev, libboost-dev (>= 1.34), libboost-thread-dev, libedit-dev, libnss3-dev, libtool, libexpat1-dev, libfcgi-dev, libatomic-ops-dev, libgoogle-perftools-dev [i386 amd64], pkg-config, libcurl4-gnutls-dev, libkeyutils-dev, uuid-dev, libaio-dev, python (>= 2.6.6-3~), libxml2-dev
 Standards-Version: 3.9.3
 Package: ceph
diff --git a/src/.gitignore b/src/.gitignore
index 5a4216503ff..7548b5e47ae 100644
--- a/src/.gitignore
+++ b/src/.gitignore
@@ -23,6 +23,7 @@
 /radosgw
 /radosgw-admin
 /rbdtool
+/rgw_jsonparser
 /rgw_multiparser
 /streamtest
 /bench_log
diff --git a/src/Makefile.am b/src/Makefile.am
index ec654c7a965..1a187c7cd14 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -207,12 +207,15 @@ test_ioctls_SOURCES = client/test_ioctls.c
 bin_DEBUGPROGRAMS += test_ioctls
 dupstore_SOURCES = dupstore.cc
+dupstore_CXXFLAGS= ${CRYPTO_CXXFLAGS} ${AM_CXXFLAGS}
 dupstore_LDADD = $(LIBOS_LDA) $(LIBGLOBAL_LDA)
 streamtest_SOURCES = streamtest.cc
+streamtest_CXXFLAGS= ${CRYPTO_CXXFLAGS} ${AM_CXXFLAGS}
 streamtest_LDADD = $(LIBOS_LDA) $(LIBGLOBAL_LDA)
 bin_DEBUGPROGRAMS += dupstore streamtest
 test_trans_SOURCES = test_trans.cc
+test_trans_CXXFLAGS= ${CRYPTO_CXXFLAGS} ${AM_CXXFLAGS}
 test_trans_LDADD = $(LIBOS_LDA) $(LIBGLOBAL_LDA)
 bin_DEBUGPROGRAMS += test_trans
@@ -878,7 +881,7 @@ bin_DEBUGPROGRAMS += test_libcephfs
 test_filestore_SOURCES = test/filestore/store_test.cc
 test_filestore_LDFLAGS = ${AM_LDFLAGS}
 test_filestore_LDADD = ${UNITTEST_STATIC_LDADD} $(LIBOS_LDA) $(LIBGLOBAL_LDA)
-test_filestore_CXXFLAGS = ${AM_CXXFLAGS} ${UNITTEST_CXXFLAGS} $(LEVELDB_INCLUDE)
+test_filestore_CXXFLAGS = ${AM_CXXFLAGS} ${UNITTEST_CXXFLAGS} $(LEVELDB_INCLUDE) ${CRYPTO_CXXFLAGS}
 bin_DEBUGPROGRAMS += test_filestore
 test_filestore_workloadgen_SOURCES = \
@@ -886,11 +889,12 @@ test_filestore_workloadgen_SOURCES = \
 test/filestore/TestFileStoreState.cc
 test_filestore_workloadgen_LDFLAGS = ${AM_LDFLAGS}
 test_filestore_workloadgen_LDADD = $(LIBOS_LDA) $(LIBGLOBAL_LDA)
+test_filestore_workloadgen_CXXFLAGS = ${CRYPTO_CXXFLAGS} ${AM_CXXFLAGS}
 bin_DEBUGPROGRAMS += test_filestore_workloadgen
 test_filestore_idempotent_SOURCES = test/filestore/test_idempotent.cc test/filestore/FileStoreTracker.cc test/common/ObjectContents.cc
 test_filestore_idempotent_LDADD = $(LIBOS_LDA) $(LIBGLOBAL_LDA)
-test_filestore_idempotent_CXXFLAGS = $(LEVELDB_INCLUDE)
+test_filestore_idempotent_CXXFLAGS = ${CRYPTO_CXXFLAGS} $(LEVELDB_INCLUDE)
 bin_DEBUGPROGRAMS += test_filestore_idempotent
 test_filestore_idempotent_sequence_SOURCES = \
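Review bot: `test_filestore_idempotent_CXXFLAGS = ${CRYPTO_CXXFLAGS} $(LEVELDB_INCLUDE)` in the -886 hunk is the only rewritten flag line that leaves out `${AM_CXXFLAGS}`; automake uses a per-target `_CXXFLAGS` instead of `AM_CXXFLAGS` rather than in addition to it, so that test binary is built without the project's common flags (the old line already had that gap, but the commit rewrites the line and is the place to close it). Suggest `test_filestore_idempotent_CXXFLAGS = ${AM_CXXFLAGS} ${CRYPTO_CXXFLAGS} $(LEVELDB_INCLUDE)`, matching `test_filestore_workloadgen_CXXFLAGS` a few lines above. As a point of style, the three new lines in the -207 hunk (`dupstore_CXXFLAGS=`, `streamtest_CXXFLAGS=`, `test_trans_CXXFLAGS=`) drop the space before `=` that every other assignment in this file uses.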
@@ -898,13 +902,14 @@ test_filestore_idempotent_sequence_SOURCES = \
 test/filestore/DeterministicOpSequence.cc \
 test/filestore/TestFileStoreState.cc \
 test/filestore/FileStoreDiff.cc
+test_filestore_idempotent_sequence_CXXFLAGS = ${CRYPTO_CXXFLAGS} ${AM_CXXFLAGS}
 test_filestore_idempotent_sequence_LDADD = $(LIBOS_LDA) $(LIBGLOBAL_LDA)
 bin_DEBUGPROGRAMS += test_filestore_idempotent_sequence
 xattr_bench_SOURCES = test/xattr_bench.cc
 xattr_bench_LDFLAGS = ${AM_LDFLAGS}
 xattr_bench_LDADD = ${UNITTEST_STATIC_LDADD} $(LIBOS_LDA) $(LIBGLOBAL_LDA)
-xattr_bench_CXXFLAGS = ${AM_CXXFLAGS} ${UNITTEST_CXXFLAGS} $(LEVELDB_INCLUDE)
+xattr_bench_CXXFLAGS = ${AM_CXXFLAGS} ${UNITTEST_CXXFLAGS} $(LEVELDB_INCLUDE) ${CRYPTO_CXXFLAGS}
 bin_DEBUGPROGRAMS += xattr_bench
 test_filejournal_SOURCES = test/test_filejournal.cc
@@ -922,13 +927,13 @@ bin_DEBUGPROGRAMS += test_stress_watch
 test_object_map_SOURCES = test/ObjectMap/test_object_map.cc test/ObjectMap/KeyValueDBMemory.cc os/DBObjectMap.cc os/LevelDBStore.cc
 test_object_map_LDFLAGS = ${AM_LDFLAGS}
 test_object_map_LDADD = ${UNITTEST_STATIC_LDADD} $(LIBOS_LDA) $(LIBGLOBAL_LDA)
-test_object_map_CXXFLAGS = ${AM_CXXFLAGS} ${UNITTEST_CXXFLAGS} $(LEVELDB_INCLUDE)
+test_object_map_CXXFLAGS = ${AM_CXXFLAGS} ${UNITTEST_CXXFLAGS} $(LEVELDB_INCLUDE) ${CRYPTO_CXXFLAGS}
 bin_DEBUGPROGRAMS += test_object_map
 test_keyvaluedb_atomicity_SOURCES = test/ObjectMap/test_keyvaluedb_atomicity.cc os/LevelDBStore.cc
 test_keyvaluedb_atomicity_LDFLAGS = ${AM_LDFLAGS}
 test_keyvaluedb_atomicity_LDADD = ${UNITTEST_STATIC_LDADD} $(LIBOS_LDA) $(LIBGLOBAL_LDA)
-test_keyvaluedb_atomicity_CXXFLAGS = ${AM_CXXFLAGS} ${UNITTEST_CXXFLAGS} $(LEVELDB_INCLUDE)
+test_keyvaluedb_atomicity_CXXFLAGS = ${AM_CXXFLAGS} ${UNITTEST_CXXFLAGS} $(LEVELDB_INCLUDE) ${CRYPTO_CXXFLAGS}
 bin_DEBUGPROGRAMS += test_keyvaluedb_atomicity
 test_keyvaluedb_iterators_SOURCES = test/ObjectMap/test_keyvaluedb_iterators.cc \
@@ -936,7 +941,7 @@ test_keyvaluedb_iterators_SOURCES = test/ObjectMap/test_keyvaluedb_iterators.cc
 os/LevelDBStore.cc
 test_keyvaluedb_iterators_LDFLAGS = ${AM_LDFLAGS}
 test_keyvaluedb_iterators_LDADD = ${UNITTEST_STATIC_LDADD} $(LIBOS_LDA) $(LIBGLOBAL_LDA)
-test_keyvaluedb_iterators_CXXFLAGS = ${AM_CXXFLAGS} ${UNITTEST_CXXFLAGS} $(LEVELDB_INCLUDE)
+test_keyvaluedb_iterators_CXXFLAGS = ${AM_CXXFLAGS} ${UNITTEST_CXXFLAGS} $(LEVELDB_INCLUDE) ${CRYPTO_CXXFLAGS}
 bin_DEBUGPROGRAMS += test_keyvaluedb_iterators
 test_cfuse_cache_invalidate_SOURCES = test/test_cfuse_cache_invalidate.cc
diff --git a/src/common/ceph_crypto_cms.cc b/src/common/ceph_crypto_cms.cc
index 7c0f5537548..4d7a4ef598b 100644
--- a/src/common/ceph_crypto_cms.cc
+++ b/src/common/ceph_crypto_cms.cc
@@ -61,7 +61,7 @@
 #ifndef USE_NSS
-int ceph_decode_cms(bufferlist& cms_bl, bufferlist& decoded_bl)
+int ceph_decode_cms(CephContext *cct, bufferlist& cms_bl, bufferlist& decoded_bl)
 {
 return -ENOTSUP;
 }
@@ -105,7 +105,7 @@ struct decodeOptionsStr {
 };
 static NSSCMSMessage *
-decode(SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist& out)
+decode(CephContext *cct, SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist& out)
 {
 NSSCMSDecoderContext *dcx;
 SECStatus rv;
@@ -124,23 +124,23 @@ decode(SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist&
 decodeOptions->dkcb, /* decrypt key callback */
 decodeOptions->bulkkey);
 if (dcx == NULL) {
- dout(0) << "ERROR: failed to set up message decoder" << dendl;
+ ldout(cct, 0) << "ERROR: failed to set up message decoder" << dendl;
 return NULL;
 }
 rv = NSS_CMSDecoder_Update(dcx, (char *)input->data, input->len);
 if (rv != SECSuccess) {
- dout(0) << "ERROR: failed to decode message" << dendl;
+ ldout(cct, 0) << "ERROR: failed to decode message" << dendl;
 NSS_CMSDecoder_Cancel(dcx);
 return NULL;
 }
 cmsg = NSS_CMSDecoder_Finish(dcx);
 if (cmsg == NULL) {
- dout(0) << "ERROR: failed to decode message" << dendl;
+ ldout(cct, 0) << "ERROR: failed to decode message" << dendl;
 return NULL;
 }
 if (decodeOptions->headerLevel >= 0) {
- dout(20) << "SMIME: " << dendl;
+ ldout(cct, 20) << "SMIME: " << dendl;
 }
 nlevels = NSS_CMSMessage_ContentLevelCount(cmsg);
@@ -151,7 +151,7 @@ decode(SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist&
 cinfo = NSS_CMSMessage_ContentLevel(cmsg, i);
 typetag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
- dout(20) << "level=" << decodeOptions->headerLevel << "." << nlevels - i << dendl;
+ ldout(cct, 20) << "level=" << decodeOptions->headerLevel << "." << nlevels - i << dendl;
 switch (typetag) {
 case SEC_OID_PKCS7_SIGNED_DATA:
@@ -162,10 +162,10 @@ decode(SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist&
 int j;
 if (decodeOptions->headerLevel >= 0)
- dout(20) << "type=signedData; " << dendl;
+ ldout(cct, 20) << "type=signedData; " << dendl;
 sigd = (NSSCMSSignedData *)NSS_CMSContentInfo_GetContent(cinfo);
 if (sigd == NULL) {
- dout(0) << "ERROR: signedData component missing" << dendl;
+ ldout(cct, 0) << "ERROR: signedData component missing" << dendl;
 goto loser;
 }
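Review bot: The NSS_CMSDecoder_Update failure and the NSS_CMSDecoder_Finish failure in the -124 hunk now both emit the identical `ERROR: failed to decode message`, so an operator reading the log cannot tell which stage of the CMS decode rejected the input; the old dout lines had the same ambiguity, and the rewrite to ldout is the natural place to remove it. Suggest `ldout(cct, 0) << "ERROR: failed to decode message (update)" << dendl;` at the Update site and `ldout(cct, 0) << "ERROR: failed to decode message (finish)" << dendl;` at the Finish site. The enclosing decode() starts before this hunk and continues past it.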
@@ -179,19 +179,19 @@ decode(SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist&
 sitem = decodeOptions->content;
 if ((poolp = PORT_NewArena(1024)) == NULL) {
- dout(0) << "ERROR: Out of memory" << dendl;
+ ldout(cct, 0) << "ERROR: Out of memory" << dendl;
 goto loser;
 }
 digestalgs = NSS_CMSSignedData_GetDigestAlgs(sigd);
 if (DigestFile (poolp, &digests, &sitem, digestalgs) != SECSuccess) {
- dout(0) << "ERROR: problem computing message digest" << dendl;
+ ldout(cct, 0) << "ERROR: problem computing message digest" << dendl;
 PORT_FreeArena(poolp, PR_FALSE);
 goto loser;
 }
 if (NSS_CMSSignedData_SetDigests(sigd, digestalgs, digests) != SECSuccess) {
- dout(0) << "ERROR: problem setting message digests" << dendl;
+ ldout(cct, 0) << "ERROR: problem setting message digests" << dendl;
 PORT_FreeArena(poolp, PR_FALSE);
 goto loser;
 }
@@ -204,14 +204,14 @@ decode(SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist&
 decodeOptions->options->certUsage,
 decodeOptions->keepCerts) != SECSuccess) {
- dout(0) << "ERROR: cert import failed" << dendl;
+ ldout(cct, 0) << "ERROR: cert import failed" << dendl;
 goto loser;
 }
 /* find out about signers */
 nsigners = NSS_CMSSignedData_SignerInfoCount(sigd);
 if (decodeOptions->headerLevel >= 0)
- dout(20) << "nsigners=" << nsigners << dendl;
+ ldout(cct, 20) << "nsigners=" << nsigners << dendl;
 if (nsigners == 0) {
 /* Might be a cert transport message
 ** or might be an invalid message, such as a QA test message
@@ -222,7 +222,7 @@ decode(SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist&
 decodeOptions->options->certHandle,
 decodeOptions->options->certUsage);
 if (rv != SECSuccess) {
- dout(0) << "ERROR: Verify certs-only failed!" << dendl;
+ ldout(cct, 0) << "ERROR: Verify certs-only failed!" << dendl;
 goto loser;
 }
 return cmsg;
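Review bot: In the -204 hunk the `nsigners == 0` branch treats a signedData with no SignerInfo as a possible cert-transport message, runs the certs-only verification and then returns `cmsg` (the `return cmsg;` at the end of the -222 hunk), so the caller sees a successful decode for a message that carries no signature over its content. For the token-validation caller in rgw_swift.cc that distinction matters: whatever ends up in `out` for such a message has not been authenticated by a signer, and nothing in these hunks lets the caller tell the two cases apart. If certs-only messages are not a use case for ceph_decode_cms, the simplest guard is `if (nsigners == 0) { ldout(cct, 0) << "ERROR: signedData has no signers" << dendl; goto loser; }`; if they are, the accepted case should be documented at the declaration so callers know a non-NULL result does not imply a verified signer. The enclosing decode() starts before this hunk and continues past it.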
@@ -230,7 +230,7 @@ decode(SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist&
 /* still no digests? */
 if (!NSS_CMSSignedData_HasDigests(sigd)) {
- dout(0) << "ERROR: no message digests" << dendl;
+ ldout(cct, 0) << "ERROR: no message digests" << dendl;
 goto loser;
 }
@@ -248,7 +248,7 @@ decode(SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist&
 signercn = NSS_CMSSignerInfo_GetSignerCommonName(si);
 if (signercn == NULL)
 signercn = empty;
- dout(20) << "\t\tsigner" << j << ".id=" << signercn << dendl;
+ ldout(cct, 20) << "\t\tsigner" << j << ".id=" << signercn << dendl;
 if (signercn != empty)
 PORT_Free(signercn);
 }
@@ -258,10 +258,10 @@ decode(SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist&
 vs = NSS_CMSSignerInfo_GetVerificationStatus(si);
 svs = NSS_CMSUtil_VerificationStatusToString(vs);
 if (decodeOptions->headerLevel >= 0) {
- dout(20) << "signer" << j << "status=" << svs << dendl;
+ ldout(cct, 20) << "signer" << j << "status=" << svs << dendl;
 /* goto loser ? */
 } else if (bad) {
- dout(0) << "ERROR: signer " << j << " status = " << svs << dendl;
+ ldout(cct, 0) << "ERROR: signer " << j << " status = " << svs << dendl;
 goto loser;
 }
 }
@@ -271,10 +271,10 @@ decode(SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist&
 {
 NSSCMSEnvelopedData *envd;
 if (decodeOptions->headerLevel >= 0)
- dout(20) << "type=envelopedData; " << dendl;
+ ldout(cct, 20) << "type=envelopedData; " << dendl;
 envd = (NSSCMSEnvelopedData *)NSS_CMSContentInfo_GetContent(cinfo);
 if (envd == NULL) {
- dout(0) << "ERROR: envelopedData component missing" << dendl;
+ ldout(cct, 0) << "ERROR: envelopedData component missing" << dendl;
 goto loser;
 }
 }
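Review bot: In the -258 hunk a signer whose verification status is bad is rejected only in the `else if (bad)` branch; when `decodeOptions->headerLevel >= 0` the status is merely logged at level 20 and the `/* goto loser ? */` comment shows the rejection was never wired in, so decode() can return a message whose signature failed verification. headerLevel comes from `struct decodeOptionsStr decodeOptions = { 0 };` in ceph_decode_cms (the -310 hunk), which leaves it at 0 unless it is set to -1 somewhere outside these hunks — worth confirming, because with 0 the lenient branch is the one that runs. Suggest separating logging from the decision: keep the level-20 status line under the headerLevel test, then follow the if/else with `if (bad) { ldout(cct, 0) << "ERROR: signer " << j << " status = " << svs << dendl; goto loser; }` so a bad status fails the decode in both modes (how `bad` is computed is outside the hunk). The enclosing decode() starts before this hunk and continues past it.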
@@ -283,17 +283,17 @@ decode(SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist&
 {
 NSSCMSEncryptedData *encd;
 if (decodeOptions->headerLevel >= 0)
- dout(20) << "type=encryptedData; " << dendl;
+ ldout(cct, 20) << "type=encryptedData; " << dendl;
 encd = (NSSCMSEncryptedData *)NSS_CMSContentInfo_GetContent(cinfo);
 if (encd == NULL) {
- dout(0) << "ERROR: encryptedData component missing" << dendl;
+ ldout(cct, 0) << "ERROR: encryptedData component missing" << dendl;
 goto loser;
 }
 }
 break;
 case SEC_OID_PKCS7_DATA:
 if (decodeOptions->headerLevel >= 0)
- dout(20) << "type=data; " << dendl;
+ ldout(cct, 20) << "type=data; " << dendl;
 break;
 default:
 break;
@@ -310,7 +310,7 @@ loser:
 return NULL;
 }
-int ceph_decode_cms(bufferlist& cms_bl, bufferlist& decoded_bl)
+int ceph_decode_cms(CephContext *cct, bufferlist& cms_bl, bufferlist& decoded_bl)
 {
 NSSCMSMessage *cmsg = NULL;
 struct decodeOptionsStr decodeOptions = { 0 };
@@ -332,7 +332,7 @@ int ceph_decode_cms(bufferlist& cms_bl, bufferlist& decoded_bl)
 options.certHandle = CERT_GetDefaultCertDB();
 if (!options.certHandle) {
- dout(0) << "ERROR: No default cert DB" << dendl;
+ ldout(cct, 0) << "ERROR: No default cert DB" << dendl;
 return -EIO;
 }
 if (cms_verbose) {
@@ -343,9 +343,9 @@ int ceph_decode_cms(bufferlist& cms_bl, bufferlist& decoded_bl)
 int ret = 0;
- cmsg = decode(&input, &decodeOptions, decoded_bl);
+ cmsg = decode(cct, &input, &decodeOptions, decoded_bl);
 if (!cmsg) {
- dout(0) << "ERROR: problem decoding" << dendl;
+ ldout(cct, 0) << "ERROR: problem decoding" << dendl;
 ret = -EINVAL;
 }
diff --git a/src/common/ceph_crypto_cms.h b/src/common/ceph_crypto_cms.h
index 2b29dda0f96..5b0a7f5950f 100644
--- a/src/common/ceph_crypto_cms.h
+++ b/src/common/ceph_crypto_cms.h
@@ -3,6 +3,8 @@
 #include "include/buffer.h"
-int ceph_decode_cms(bufferlist& cms_bl, bufferlist& decoded_bl);
+class CephContext;
+
+int ceph_decode_cms(CephContext *cct, bufferlist& cms_bl, bufferlist& decoded_bl);
 #endif
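Review bot: The new `int ceph_decode_cms(CephContext *cct, bufferlist& cms_bl, bufferlist& decoded_bl);` declaration in ceph_crypto_cms.h gains a forward-declared parameter but no comment, and the contract visible in the .cc is exactly what a caller needs to know: `cct` is dereferenced by every `ldout(cct, ...)` on the NSS path, so it must not be null; the `#ifndef USE_NSS` stub ignores it and returns -ENOTSUP; and the NSS path returns -EIO when CERT_GetDefaultCertDB() yields nothing and -EINVAL when decode() returns NULL. Suggest a block comment above the declaration stating that the function decodes the CMS (PKCS#7) message in cms_bl into decoded_bl, checking it against the NSS default certificate database, that cct is used for logging and must be non-null, and listing the return values 0, -EIO, -EINVAL and -ENOTSUP (without NSS). Whether decoded_bl is touched on the failure paths is not visible here and the comment should say only what the code shows.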
diff --git a/src/rgw/rgw_swift.cc b/src/rgw/rgw_swift.cc
index 060b435dfa4..002c380444a 100644
--- a/src/rgw/rgw_swift.cc
+++ b/src/rgw/rgw_swift.cc
@@ -370,7 +370,7 @@ static int decode_b64_cms(CephContext *cct, const string& signed_b64, bufferlist
 bufferlist signed_ber_bl;
 signed_ber_bl.append(signed_ber);
- ret = ceph_decode_cms(signed_ber_bl, bl);
+ ret = ceph_decode_cms(cct, signed_ber_bl, bl);
 if (ret < 0) {
 ldout(cct, 0) << "ceph_decode_cms returned " << ret << dendl;
 return ret;
@@ -570,6 +570,7 @@ int RGWSwift::validate_keystone_token(RGWRados *store, const string& token, stru
 ldout(cct, 20) << "token_id=" << token_id << dendl;
+ /* check cache first */
 if (keystone_token_cache->find(token_id, t)) {
 rgw_set_keystone_token_auth_info(t, info);
@@ -584,7 +585,11 @@ int RGWSwift::validate_keystone_token(RGWRados *store, const string& token, stru
 bufferlist bl;
+ /* check if that's a self signed token that we can decode */
 if (!decode_pki_token(cct, token, bl)) {
+
+ /* can't decode, just go to the keystone server for validation */
+
 RGWValidateKeystoneToken validate(&bl);
 string url = g_conf->rgw_keystone_url;
diff --git a/src/test/ceph_crypto.cc b/src/test/ceph_crypto.cc
index 403f6b5400b..2c934fa848c 100644
--- a/src/test/ceph_crypto.cc
+++ b/src/test/ceph_crypto.cc
@@ -5,7 +5,7 @@
 class CryptoEnvironment: public ::testing::Environment {
 public:
 void SetUp() {
- ceph::crypto::init();
+ ceph::crypto::init(g_ceph_context);
 }
 };
@@ -117,7 +117,7 @@ class ForkDeathTest : public ::testing::Test {
 virtual void TearDown() {
 // undo the NSS shutdown we did in the parent process, after the
 // test is done
- ceph::crypto::init();
+ ceph::crypto::init(g_ceph_context);
 }
 };
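Review bot: The added comment `/* check if that's a self signed token that we can decode */` in the -584 hunk of rgw_swift.cc describes the wrong trust model: a Keystone PKI token is a CMS message signed by the Keystone signing certificate, not self-signed, and whether decode_pki_token() succeeds is decided by ceph_decode_cms() checking the message against the NSS default cert DB (the -332 hunk of ceph_crypto_cms.cc), so the local path is only as trustworthy as that database. Suggest `/* PKI token signed by the Keystone signing cert? decode_pki_token() verifies it locally via NSS; fall back to the server only if that fails */`. On the `/* check cache first */` path in the -570 hunk, nothing visible shows that `keystone_token_cache->find()` checks the cached token's expiry; if it does not, an expired or revoked token remains accepted until the entry is evicted, which is worth confirming where find() is defined. validate_keystone_token begins before these hunks and continues past them.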
@@ -127,7 +127,7 @@ void do_simple_crypto() {
 // fork, and if you comment out the ceph::crypto::init, or if the
 // trick were to fail, you would see this ending in an assert and
 // not exit status 0
- ceph::crypto::init();
+ ceph::crypto::init(g_ceph_context);
 ceph::crypto::MD5 h;
 h.Update((const byte*)"foo", 3);
 unsigned char digest[CEPH_CRYPTO_MD5_DIGESTSIZE];
diff --git a/src/test/crypto.cc b/src/test/crypto.cc
index 85150ef80a9..80a5495001d 100644
--- a/src/test/crypto.cc
+++ b/src/test/crypto.cc
@@ -10,7 +10,7 @@
 class CryptoEnvironment: public ::testing::Environment {
 public:
 void SetUp() {
- ceph::crypto::init();
+ ceph::crypto::init(g_ceph_context);
 }
 };
|