Skip to content

small BlobCipher and SimKmsConnector fixes and changes#6936

Merged
sfc-gh-yiwu merged 6 commits into
apple:mainfrom
sfc-gh-yiwu:encrypt_small
May 4, 2022
Merged

small BlobCipher and SimKmsConnector fixes and changes#6936
sfc-gh-yiwu merged 6 commits into
apple:mainfrom
sfc-gh-yiwu:encrypt_small

Conversation

@sfc-gh-yiwu

@sfc-gh-yiwu sfc-gh-yiwu commented Apr 22, 2022

Copy link
Copy Markdown
Collaborator
  • SimKmsConnector fix domain id being unsigned
  • SimKmsConnector fix returning cipher id 0 as latest key, which is invalid
  • SimKmsConnector fix keys initialized as c-style strings with incorrect length and uninitialized bytes
  • SimKmsConnector fix returning different keys for the same id after restart
  • BlobCipher change APIs to return null reference when key not found
  • BlobCipher insertCipherKey to return the inserted key

Code-Reviewer Section

The general guidelines can be found here.

Please check each of the following things and check all boxes before accepting a PR.

  • The PR has a description, explaining both the problem and the solution.
  • The description mentions which forms of testing were done and the testing seems reasonable.
  • Every function/class/actor that was touched is reasonably well documented.

For Release-Branches

If this PR is made against a release-branch, please also check the following:

  • This change/bugfix is a cherry-pick from the next younger branch (younger release-branch or main if this is the youngest branch)
  • There is a good reason why this PR needs to go into a release branch and this reason is documented (either in the description above or in a linked GitHub issue)

@fdb-windows-ci

Copy link
Copy Markdown
Collaborator

Doxense CI Report for Windows 10

@foundationdb-ci

Copy link
Copy Markdown
Contributor

AWS CodeBuild CI Report for Linux CentOS 7

  • CodeBuild project: foundationdb-pr
  • Commit ID: b4ff784
  • Result: SUCCEEDED
  • Error: N/A
  • Build Logs (available for 30 days)

Comment thread flow/BlobCipher.cpp Outdated
throw encrypt_key_not_found();
// ENCRYPT_INVALID_CIPHER_KEY_ID indicate there was no key inserted. In this case we return empty key instead of
// throwing encrypt_invalid_id.
if (latestBaseCipherKeyId == ENCRYPT_INVALID_CIPHER_KEY_ID) {

@sfc-gh-yiwu sfc-gh-yiwu Apr 22, 2022

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sfc-gh-ahusain I'm still making this change since I want to make it consistent that things isn't actually an error don't throw an exception. Or if you prefer to, I can make latestBaseCipherKeyId an Optional, and testing against Optional::present() rather than whether the id is invalid to tell if the cache is empty.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you need to rebase the branch with the latest main, I updated this code as part of re-merging the auth header changes. API throws encyrpt_key_not_found if cache is empty; otherwise, it asserts that member values are valid.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah I saw that change. I'm just so tempting to do without exception :/

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My suggestion was to pull the change and replace exception with "empty reference"; I thought we agreed that "invalid_id" will be thrown and if key is not present due to: empty cache and/or key_not_found, then "empty reference" will be returned ?

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated to use Optional. does it look a little bit better?

Comment thread flow/BlobCipher.cpp Outdated
sfc-gh-ahusain
sfc-gh-ahusain previously approved these changes Apr 22, 2022

@sfc-gh-ahusain sfc-gh-ahusain left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for doing it

Comment thread fdbserver/SimEncryptKmsProxy.actor.h Outdated
@fdb-windows-ci

Copy link
Copy Markdown
Collaborator

Doxense CI Report for Windows 10

@foundationdb-ci

Copy link
Copy Markdown
Contributor

AWS CodeBuild CI Report for Linux CentOS 7

  • CodeBuild project: foundationdb-pr
  • Commit ID: d7eaeeb
  • Result: FAILED
  • Error: Error while executing command: ctest -j ${NPROC} --no-compress-output -T test --output-on-failure. Reason: exit status 8
  • Build Logs (available for 30 days)

@foundationdb-ci

Copy link
Copy Markdown
Contributor

AWS CodeBuild CI Report for macOS BigSur 11.5.2

  • CodeBuild project: foundationdb-pr-macos
  • Commit ID: 428bd84
  • Result: SUCCEEDED
  • Error: N/A
  • Build Logs (available for 30 days)

@fdb-windows-ci

Copy link
Copy Markdown
Collaborator

Doxense CI Report for Windows 10

@foundationdb-ci

Copy link
Copy Markdown
Contributor

AWS CodeBuild CI Report for Linux CentOS 7

  • CodeBuild project: foundationdb-pr
  • Commit ID: c926d2b
  • Result: FAILED
  • Error: Error while executing command: ctest -j ${NPROC} --no-compress-output -T test --output-on-failure. Reason: exit status 8
  • Build Logs (available for 30 days)

@foundationdb-ci

Copy link
Copy Markdown
Contributor

AWS CodeBuild CI Report for Linux CentOS 7

  • CodeBuild project: foundationdb-pr
  • Commit ID: 428bd84
  • Result: SUCCEEDED
  • Error: N/A
  • Build Logs (available for 30 days)

Comment thread fdbserver/EncryptKeyProxy.actor.cpp Outdated
Comment thread flow/BlobCipher.cpp Outdated
BlobCipherKeyIdCacheKey BlobCipherKeyIdCache::getCacheKey(const EncryptCipherBaseKeyId& baseCipherKeyId,
const EncryptCipherRandomSalt& salt) {
if (baseCipherKeyId == ENCRYPT_INVALID_CIPHER_KEY_ID || salt == ENCRYPT_INVALID_RANDOM_SALT) {
if (baseCipherKeyId == ENCRYPT_INVALID_CIPHER_KEY_ID) {

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any reason we removed the 'salt' validity check? We can force the invariant that salt > 0?

@sfc-gh-yiwu sfc-gh-yiwu Apr 23, 2022

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I changed to use Optional for latest salt so there's no need to add an invalid salt value as a placeholder. plus... I'm a bit paranoid as when we create the random salt in theory it can be 0, so 0 is still a valid salt. True we can control how the salt is generated, but there's probably no need to do so.

@sfc-gh-ahusain sfc-gh-ahusain Apr 23, 2022

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as when we create the random salt in theory it can be 0

RandomSalt generation is controlled by BlobCipher and happens as part of BaseCipher KeyDerivation (https://github.com/apple/foundationdb/blob/main/flow/BlobCipher.cpp#L48); if it fair that std::mt19937 random; can generate 0 as the output, we could code to handle '0' random-num generated (it is super rate to happen, but, could) to the BlobCipherKey::BlobCipherKey() to distinguish salt from its default/invalid value i.e. 0

However, once we make above changes, the library controls the salt generation and I don't think it can be modified other than tampering with plaintext EncryptHeader (brute force attack..)

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changed to use Optional for latest salt

Am not sure if Optional is the right choice, the values will be always present after a first latestKey gets inserted; to me they is a "default" value at the time of object construction and then value keeps updating with time.

It is not a biggy either ways and we have discussed this more than needed, if you prefer Optional, please proceed with it; no strong opinions from my side.
Thanks .

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The "default" value effectively make the salt an Optional. To me, Optional is just an explicit way to represent nullable value.

And I put back the invalid random salt check, just in case you think it is handy somewhere else.

Comment thread flow/BlobCipher.cpp
Comment thread flow/BlobCipher.cpp Outdated
Comment thread flow/BlobCipher.cpp
@sfc-gh-yiwu

Copy link
Copy Markdown
Collaborator Author

Adding another fix to make SimKmsConnector return fixed keys after restart.

@fdb-windows-ci

Copy link
Copy Markdown
Collaborator

Doxense CI Report for Windows 10

@fdb-windows-ci

Copy link
Copy Markdown
Collaborator

Doxense CI Report for Windows 10

@foundationdb-ci

Copy link
Copy Markdown
Contributor

AWS CodeBuild CI Report for macOS BigSur 11.5.2

  • CodeBuild project: foundationdb-pr-macos
  • Commit ID: 5de271f
  • Result: SUCCEEDED
  • Error: N/A
  • Build Logs (available for 30 days)

@foundationdb-ci

Copy link
Copy Markdown
Contributor

AWS CodeBuild CI Report for Linux CentOS 7

  • CodeBuild project: foundationdb-pr
  • Commit ID: 5de271f
  • Result: SUCCEEDED
  • Error: N/A
  • Build Logs (available for 30 days)

@foundationdb-ci

Copy link
Copy Markdown
Contributor

AWS CodeBuild CI Report for Linux CentOS 7

  • CodeBuild project: foundationdb-pr
  • Commit ID: 5e9f6ab
  • Result: SUCCEEDED
  • Error: N/A
  • Build Logs (available for 30 days)

@foundationdb-ci

Copy link
Copy Markdown
Contributor

AWS CodeBuild CI Report for macOS BigSur 11.5.2

  • CodeBuild project: foundationdb-pr-macos
  • Commit ID: 5de271f
  • Result: SUCCEEDED
  • Error: N/A
  • Build Logs (available for 30 days)

@foundationdb-ci

Copy link
Copy Markdown
Contributor

AWS CodeBuild CI Report for Linux CentOS 7

  • CodeBuild project: foundationdb-pr
  • Commit ID: 5de271f
  • Result: SUCCEEDED
  • Error: N/A
  • Build Logs (available for 30 days)

@foundationdb-ci

Copy link
Copy Markdown
Contributor

AWS CodeBuild CI Report for macOS BigSur 11.5.2

  • CodeBuild project: foundationdb-pr-macos
  • Commit ID: 97ef77b
  • Result: FAILED
  • Error: Error while executing command: ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ${HOME}/.ssh_key ec2-user@${MAC_EC2_HOST} /usr/local/bin/bash --login -c ./build_pr_macos.sh. Reason: exit status 1
  • Build Logs (available for 30 days)

@fdb-windows-ci

Copy link
Copy Markdown
Collaborator

Doxense CI Report for Windows 10

@foundationdb-ci

Copy link
Copy Markdown
Contributor

AWS CodeBuild CI Report for Linux CentOS 7

  • CodeBuild project: foundationdb-pr
  • Commit ID: 97ef77b
  • Result: SUCCEEDED
  • Error: N/A
  • Build Logs (available for 30 days)

@foundationdb-ci

Copy link
Copy Markdown
Contributor

AWS CodeBuild CI Report for Linux CentOS 7

  • CodeBuild project: foundationdb-pr
  • Commit ID: 4834d05
  • Result: SUCCEEDED
  • Error: N/A
  • Build Logs (available for 30 days)

@fdb-windows-ci

Copy link
Copy Markdown
Collaborator

Doxense CI Report for Windows 10

@sfc-gh-yiwu sfc-gh-yiwu changed the title small BlobCipher and SimEncryptKmsProxy fixes and changes small BlobCipher and SimKmsConnector fixes and changes May 4, 2022
@sfc-gh-yiwu

Copy link
Copy Markdown
Collaborator Author

@sfc-gh-ahusain Do you have more comments on this one? I'm wanting to merge this one so I can rebase #6942 onto it. Thanks.


explicit SimKmsConnectorContext(uint32_t keyCount) : maxEncryptionKeys(keyCount) {
uint8_t buffer[AES_256_KEY_LENGTH];
const unsigned char SHA_KEY[] = "0c39e7906db6d51ac0573d328ce1b6be";

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we intend to checkin this code?

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not debug code. It is intent to make the encrypt keys deterministic after restart, otherwise SimKmsConnector will return different set of cipher keys after a crash in simulation.

@sfc-gh-ahusain

Copy link
Copy Markdown
Collaborator

@sfc-gh-ahusain Do you have more comments on this one? I'm wanting to merge this one so I can rebase #6942 onto it. Thanks.

Looks great. One minor comment, I think some debugging changes are still in the code that you might want to get rid off before checking in.

Thanks for doing this change.

@sfc-gh-ahusain sfc-gh-ahusain self-requested a review May 4, 2022 19:36

@sfc-gh-ahusain sfc-gh-ahusain left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@sfc-gh-yiwu sfc-gh-yiwu merged commit 66f1c5c into apple:main May 4, 2022
@sfc-gh-yiwu sfc-gh-yiwu deleted the encrypt_small branch May 4, 2022 21:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants