Encryption with Change Management #7020
Conversation
…db into mv-changable-encryption
|
I am staring at this error and it really looks like a compiler bug: https://travis-ci.org/github/facebook/rocksdb/jobs/701431752 Open to making any fixes that I am missing. |
|
@ajkr @mrambacher @yiwu-arbug As promised, here is the second encryption PR that exploits inheritance from #6830. Mark has already pointed out that part of the library_loader is already present Env. I will adjust to use it Wednesday. |
include/rocksdb/env_encrypt2.h
Outdated
|
|
||
| bool Valid() const { return valid_; }; | ||
| const Sha1Description_t& key_desc() const { return key_desc_; }; | ||
| const AesCtrKey_t& key() const { return key_; }; |
There was a problem hiding this comment.
We hit this all the time with gcc 4.8, which is why we added the build. Ctor param shadows this member function.
There was a problem hiding this comment.
@pdillinger Thank you for taking time to explain. I can easily adapt the constructor.
There was a problem hiding this comment.
this is complete and passing tests now.
…db into mv-changable-encryption
There was a problem hiding this comment.
Thank you for adding the EncryptedEnv interface and the continuing work. I learn a lot of crypto basics from the original EncryptedEnv implementation.
I have some questions. They are probably more related to the original EncryptedEnv, but since those logic are reused, I'd take the chance for discussion
- We are concatenating 8 bytes nonce and 8 bytes counter to form a 16 bytes openssl IV. This is incompatible with openssl format, where openssl use the whole 16 bytes as a 128-bits big endian integer counter. Do we consider making the format compatible with openssl, so potentially we can use other openssl compatible tools to encrypt/decrypt file? (of cause there's also the file prefix needs to be strip beforehand).
- We are encrypting (and decrypting) data block by block (the 16 bytes AES block), each time initiating openssl cipher again. Do we consider encrypting data in bulk. Say if rocksdb want to write 1MB into a file, we call
EVP_EncryptInit_ex,EVP_EncryptUpdateandEVP_EncryptFinalset of functions only once? (actually maybe 3 times to take care of unaligned blocks at the begining and at the end). This depends on item 1. I don't have benchmark and not sure how much benefit it is, but at least it will save a lot of function calls. - It is undocumented, but with CTR mode openssl seems to support encrypting in-place (use the same address for encryption input and output). Have we consider using the fact to reduce number of memcopy?
And some minor comments. Thanks.
util/library_loader.h
Outdated
| // Base class / interface | ||
| // expectation is to derive one class for unux and one for Windows | ||
| // | ||
| class LibraryLoader { |
There was a problem hiding this comment.
Could we also have static link option?
There was a problem hiding this comment.
I see two ways to achieve static link. First is a conditional compile. Second is to exploit PosixEnv::LoadLibrary()'s ability to pull symbols from either external library or running executable. I prefer the latter. It creates one code path for both scenarios. It would also allow the user to ship with a "current" version and then override at runtime if an update version comes out with a critical fix. The feature would require an option setting. If you like this idea, would you suggest which options structure is most appropriate?
There was a problem hiding this comment.
might still need a conditional compile to make sure the symbols exist in the executable. I am guessing that a link against .a instead of .so would not pull in the symbols/functions needed unless there is "code calling them". any thoughts here are welcome
There was a problem hiding this comment.
Not familiar with dylib loading, but it remind me Jemalloc allow to add prefixes to its methods so to not conflict with, say, libc. But if OpenSSL don't support that, maybe we just conditional compile to choose whether static link to dynamic link?
There was a problem hiding this comment.
openssl does not directly support prefixes with dylib loading. I can make both static+dynamic or dynamic only work via compile time flag. If static is not correctly identified as missing at compile time, the compile fails. A couple of recent test passes are suggesting the dynamic load might be having dependency problems in your test infrastructure (I have added some debug code to figure this out. Might have to make test for openssl more exhaustive in build_detect_platform). I am continuing to work this issue.
util/library_loader.h
Outdated
|
|
||
| EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) const { return cipher_new_(); }; | ||
|
|
||
| void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) { cipher_free_(ctx); } |
There was a problem hiding this comment.
EVP_CIPHER_CTX_free does not exist in openssl 1.0.2. Can we add a version check for openssl?
There was a problem hiding this comment.
Agreed. And it ticked me off. The code already compensates. Please see (and the 3 lines following):
rocksdb/util/library_loader.cc
Line 96 in 09d5080
The code simply maps the ENV_CIPHER_CTX_destroy into the cipher_free_ pointer since parameters are same.
There was a problem hiding this comment.
OpenSSL 1.0.2 doesn't seems to provide EVP_CIPHER_CTX_destroy as well. With 1.0.2 the ctx can only be created on stack. https://www.openssl.org/docs/man1.0.2/man3/EVP_EncryptInit_ex.html
There was a problem hiding this comment.
Ok. That would actually simplify the current code. Using thread_local to get around recoding a bunch of stuff. Keeps one context per thread ... which equates to one context per read or write call.
There was a problem hiding this comment.
I have pulled the source code to 1.0.1u. It has functions _new, _free, and _cleanup. I have pulled the source code to 1.0.2.u. It has the functions _new, _free, and _cleanup. Going to strongly suggest a documentation problem on their website. My code is using _new, _free, and _reset. ENV_CIPHER_CTX_reset() is a name change for _cleanup. Source code uses the two equivalently inside _free and _init. I believe the real action item here is to create code that will pull _cleanup as an alternative entry point to _reset.
I was happily looking at maybe using a stack based copy of ENV_CIPHER_CTX. There is no destructor and there are internal allocations that need clean up. _new & _free might be safer in the long run, though calling _cleanup/_reset when done with stack struct accomplishes the same. Looking at other alternatives too based upon review of ctrl128.c reference you posted elsewhere in this PR.
include/rocksdb/env_encrypt2.h
Outdated
| if (sizeof(marker) == marker_slice.size() && | ||
| marker_slice.starts_with(Marker)) { | ||
| // code_version currently unused | ||
| uint8_t code_version = (uint8_t)marker_slice[7]; |
There was a problem hiding this comment.
can we verify code_version is indeed 0, or return error?
There was a problem hiding this comment.
Same for ReadSeqEncryptionPrefix.
There was a problem hiding this comment.
oops ... will fix.
…talized function parameters
|
@yiwu-arbug Per your item one about 16 versus 32 byte IV. The NIST standard and samples use 16 byte IV AES CTR 256. The code is currently verified against that standard. I have two sources that say 16 byte/128bit is proper IV for AES 256:
The encrypt/decrypt samples from the second document are part of env_encrypt2_test.cc. Do you have a reference that I can review? There is nothing to prevent a coder from implementing a different cipher with different IV size. In fact, the purpose of env_encrypt2's design is to enable and encourage those changes and differences. |
|
@yiwu-arbug Can you point me to source code or such for item three's update in place? update: I believe this confirms your "update in place" for software AES implementation. https://github.com/openssl/openssl/blob/master/crypto/aes/aes_core.c Searching now for confirmation when hardware AES used (I know it is likely true, but feel obligated to verify). update 2: it looks to me that the memmove within EncryptedWritableFile::Append() is related to getting data for encryption aligned with offsets within files. Once the addresses and offsets are aligned on proper boundaries, encryption/decryption is an "update in place". The shifting is about alignment. update 3: ok, I understand now how to eliminate the need for alignment of buffers and offsets for CTR mode. I do not know what other derived code might be depending upon the alignment. Therefore, I am going to copy those routines from EncryptedEnv into EnctypedEnv2 for modification. This should also simplify reuse of the EVP_CIPHER_CTX object. update 4: hold the phone. the memmove is because we are handed a const buffer from the caller. we do not know the impact of encrypt in place to the caller. so the memmove is to create a copy that we then encrypt in place. the current EncryptionEnv is clean. The alignment stuff is purely a side benefit ... and likely required for use_direct_io. |
…er module. switched to static const char *
…db into mv-changable-encryption
|
@mrambacher I have converted code to PosixEnv::LoadLibrary(). That revealed a bug in env_posix.cc where constants used for library suffixes within std::string might not have initialized by the time LoadLibrary is called. Switched those three constants to static const char * so that compiler initializes, not loader. |
|
As of this moment, all checks have again passed. At least two of the recent failures were infrastructure related ... did not check 178cf31. |
env/env_openssl.cc
Outdated
| thread_local static std::unique_ptr<EVP_CIPHER_CTX, void (*)(EVP_CIPHER_CTX*)> | ||
| aes_context(nullptr, &do_nothing); |
There was a problem hiding this comment.
Can we use the util/thread_local class?
include/rocksdb/env_openssl.h
Outdated
| struct ShaDescription { | ||
| uint8_t desc[EVP_MAX_MD_SIZE]; | ||
| bool valid; | ||
|
|
There was a problem hiding this comment.
Is there a reason this class/struct is still required in the public API?
include/rocksdb/env_openssl.h
Outdated
| struct AesCtrKey { | ||
| uint8_t key[EVP_MAX_KEY_LENGTH]; | ||
| bool valid; |
There was a problem hiding this comment.
Is this class still required in the public API?
include/rocksdb/env_openssl.h
Outdated
| class OpenSSLEncryptionProvider : public EncryptionProvider { | ||
| public: |
There was a problem hiding this comment.
Is this class still required in the public API?
env/env_openssl_impl.h
Outdated
| class EncryptedWritableFileV2 : public EncryptedWritableFile { | ||
| public: |
There was a problem hiding this comment.
Is this class still required?
include/rocksdb/env_openssl.h
Outdated
|
|
||
| #pragma once | ||
|
|
||
| #ifdef ROCKSDB_OPENSSL_AES_CTR |
There was a problem hiding this comment.
Is this still required in this header (along with the openssl includes)?
include/rocksdb/env_openssl.h
Outdated
| @@ -0,0 +1,180 @@ | |||
| // copyright (c) 2011-present, Facebook, Inc. All rights reserved. | |||
There was a problem hiding this comment.
Should this file still be in the public API?
util/library_loader.cc
Outdated
| size_t LibraryLoader::GetEntryPoints(std::map<std::string, void*>& functions) { | ||
| size_t num_found{0}; |
There was a problem hiding this comment.
Can we get rid of this class and have a "LoadSymbols API" off the Dynamic Library class?
util/library_loader.cc
Outdated
| encrypt_init_ = (EVP_EncryptInit_ex_t)functions_["EVP_EncryptInit_ex"]; | ||
| aes_256_ctr_ = (EVP_aes_256_ctr_t)functions_["EVP_aes_256_ctr"]; | ||
| encrypt_update_ = (EVP_EncryptUpdate_t)functions_["EVP_EncryptUpdate"]; | ||
| encrypt_final_ = (EVP_EncryptFinal_ex_t)functions_["EVP_EncryptFinal_ex"]; |
There was a problem hiding this comment.
Are any of these allowed to be NULL? Is there an advantage to doing it as LoadSymbols versus a direct call (LoadSymbol) with a better check?
util/library_loader.cc
Outdated
| UnixLibCrypto::UnixLibCrypto() : LibraryLoader(crypto_lib_name_) { | ||
| if (is_valid_) { |
There was a problem hiding this comment.
Is there a reason to keep this in a separate file rather than in the env_openssl file?
Encryption at rest is often an enterprise requirement. This PR provides an implementation that uses OpenSSLs AES 256 CTL encryption.
The code is written in such a way that the programmer can easily switch to a different library and/or encryption cipher. And the switch can happen later without requiring the end user to dump their entire database then reload under the new library / cipher. The encryption library is intentionally loaded at runtime, not compiled into rocksdb. This allows for situations such as HeartBleed where users want a quick update of security code without waiting for a new product release. They simply load the new library and restart the database.
The code also allows for encryption keys to change. There must be a "current key" for writing and reading. There can also be previous keys for reading older .sst files. This implies that the end user can migrate from older keys either by simply waiting for compactions to naturally replace older keys, or by forcing a compaction of all files. The latter might take time, but the database is still operational.