vendor: update containerd/cri 1a00c06886

full diff: c0294ebfe0...1a00c06886 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-06 21:07:29 +01:00
parent 5607b23b0f
commit 12c7d69769
98 changed files with 24933 additions and 92 deletions
--- a/vendor/github.com/containers/ocicrypt/blockcipher/blockcipher.go
+++ b/vendor/github.com/containers/ocicrypt/blockcipher/blockcipher.go
@@ -0,0 +1,160 @@
+/*
+   Copyright The ocicrypt Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package blockcipher
+
+import (
+	"io"
+
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+// LayerCipherType is the ciphertype as specified in the layer metadata
+type LayerCipherType string
+
+// TODO: Should be obtained from OCI spec once included
+const (
+	AES256CTR LayerCipherType = "AES_256_CTR_HMAC_SHA256"
+)
+
+// PrivateLayerBlockCipherOptions includes the information required to encrypt/decrypt
+// an image which are sensitive and should not be in plaintext
+type PrivateLayerBlockCipherOptions struct {
+	// SymmetricKey represents the symmetric key used for encryption/decryption
+	// This field should be populated by Encrypt/Decrypt calls
+	SymmetricKey []byte `json:"symkey"`
+
+	// Digest is the digest of the original data for verification.
+	// This is NOT populated by Encrypt/Decrypt calls
+	Digest digest.Digest `json:"digest"`
+
+	// CipherOptions contains the cipher metadata used for encryption/decryption
+	// This field should be populated by Encrypt/Decrypt calls
+	CipherOptions map[string][]byte `json:"cipheroptions"`
+}
+
+// PublicLayerBlockCipherOptions includes the information required to encrypt/decrypt
+// an image which are public and can be deduplicated in plaintext across multiple
+// recipients
+type PublicLayerBlockCipherOptions struct {
+	// CipherType denotes the cipher type according to the list of OCI suppported
+	// cipher types.
+	CipherType LayerCipherType `json:"cipher"`
+
+	// Hmac contains the hmac string to help verify encryption
+	Hmac []byte `json:"hmac"`
+
+	// CipherOptions contains the cipher metadata used for encryption/decryption
+	// This field should be populated by Encrypt/Decrypt calls
+	CipherOptions map[string][]byte `json:"cipheroptions"`
+}
+
+// LayerBlockCipherOptions contains the public and private LayerBlockCipherOptions
+// required to encrypt/decrypt an image
+type LayerBlockCipherOptions struct {
+	Public  PublicLayerBlockCipherOptions
+	Private PrivateLayerBlockCipherOptions
+}
+
+// LayerBlockCipher returns a provider for encrypt/decrypt functionality
+// for handling the layer data for a specific algorithm
+type LayerBlockCipher interface {
+	// GenerateKey creates a symmetric key
+	GenerateKey() ([]byte, error)
+	// Encrypt takes in layer data and returns the ciphertext and relevant LayerBlockCipherOptions
+	Encrypt(layerDataReader io.Reader, opt LayerBlockCipherOptions) (io.Reader, Finalizer, error)
+	// Decrypt takes in layer ciphertext data and returns the plaintext and relevant LayerBlockCipherOptions
+	Decrypt(layerDataReader io.Reader, opt LayerBlockCipherOptions) (io.Reader, LayerBlockCipherOptions, error)
+}
+
+// LayerBlockCipherHandler is the handler for encrypt/decrypt for layers
+type LayerBlockCipherHandler struct {
+	cipherMap map[LayerCipherType]LayerBlockCipher
+}
+
+// Finalizer is called after data blobs are written, and returns the LayerBlockCipherOptions for the encrypted blob
+type Finalizer func() (LayerBlockCipherOptions, error)
+
+// GetOpt returns the value of the cipher option and if the option exists
+func (lbco LayerBlockCipherOptions) GetOpt(key string) (value []byte, ok bool) {
+	if v, ok := lbco.Public.CipherOptions[key]; ok {
+		return v, ok
+	} else if v, ok := lbco.Private.CipherOptions[key]; ok {
+		return v, ok
+	} else {
+		return nil, false
+	}
+}
+
+func wrapFinalizerWithType(fin Finalizer, typ LayerCipherType) Finalizer {
+	return func() (LayerBlockCipherOptions, error) {
+		lbco, err := fin()
+		if err != nil {
+			return LayerBlockCipherOptions{}, err
+		}
+		lbco.Public.CipherType = typ
+		return lbco, err
+	}
+}
+
+// Encrypt is the handler for the layer decryption routine
+func (h *LayerBlockCipherHandler) Encrypt(plainDataReader io.Reader, typ LayerCipherType) (io.Reader, Finalizer, error) {
+	if c, ok := h.cipherMap[typ]; ok {
+		sk, err := c.GenerateKey()
+		if err != nil {
+			return nil, nil, err
+		}
+		opt := LayerBlockCipherOptions{
+			Private: PrivateLayerBlockCipherOptions{
+				SymmetricKey: sk,
+			},
+		}
+		encDataReader, fin, err := c.Encrypt(plainDataReader, opt)
+		if err == nil {
+			fin = wrapFinalizerWithType(fin, typ)
+		}
+		return encDataReader, fin, err
+	}
+	return nil, nil, errors.Errorf("unsupported cipher type: %s", typ)
+}
+
+// Decrypt is the handler for the layer decryption routine
+func (h *LayerBlockCipherHandler) Decrypt(encDataReader io.Reader, opt LayerBlockCipherOptions) (io.Reader, LayerBlockCipherOptions, error) {
+	typ := opt.Public.CipherType
+	if typ == "" {
+		return nil, LayerBlockCipherOptions{}, errors.New("no cipher type provided")
+	}
+	if c, ok := h.cipherMap[LayerCipherType(typ)]; ok {
+		return c.Decrypt(encDataReader, opt)
+	}
+	return nil, LayerBlockCipherOptions{}, errors.Errorf("unsupported cipher type: %s", typ)
+}
+
+// NewLayerBlockCipherHandler returns a new default handler
+func NewLayerBlockCipherHandler() (*LayerBlockCipherHandler, error) {
+	h := LayerBlockCipherHandler{
+		cipherMap: map[LayerCipherType]LayerBlockCipher{},
+	}
+
+	var err error
+	h.cipherMap[AES256CTR], err = NewAESCTRLayerBlockCipher(256)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to set up Cipher AES-256-CTR")
+	}
+
+	return &h, nil
+}
--- a/vendor/github.com/containers/ocicrypt/blockcipher/blockcipher_aes_ctr.go
+++ b/vendor/github.com/containers/ocicrypt/blockcipher/blockcipher_aes_ctr.go
@@ -0,0 +1,193 @@
+/*
+   Copyright The ocicrypt Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package blockcipher
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"fmt"
+	"hash"
+	"io"
+
+	"github.com/containers/ocicrypt/utils"
+	"github.com/pkg/errors"
+)
+
+// AESCTRLayerBlockCipher implements the AES CTR stream cipher
+type AESCTRLayerBlockCipher struct {
+	keylen         int // in bytes
+	reader         io.Reader
+	encrypt        bool
+	stream         cipher.Stream
+	err            error
+	hmac           hash.Hash
+	expHmac        []byte
+	doneEncrypting bool
+}
+
+type aesctrcryptor struct {
+	bc *AESCTRLayerBlockCipher
+}
+
+// NewAESCTRLayerBlockCipher returns a new AES SIV block cipher of 256 or 512 bits
+func NewAESCTRLayerBlockCipher(bits int) (LayerBlockCipher, error) {
+	if bits != 256 {
+		return nil, errors.New("AES CTR bit count not supported")
+	}
+	return &AESCTRLayerBlockCipher{keylen: bits / 8}, nil
+}
+
+func (r *aesctrcryptor) Read(p []byte) (int, error) {
+	var (
+		o int
+	)
+
+	if r.bc.err != nil {
+		return 0, r.bc.err
+	}
+
+	o, err := utils.FillBuffer(r.bc.reader, p)
+	if err != nil {
+		if err == io.EOF {
+			r.bc.err = err
+		} else {
+			return 0, err
+		}
+	}
+
+	if !r.bc.encrypt {
+		if _, err := r.bc.hmac.Write(p[:o]); err != nil {
+			r.bc.err = errors.Wrapf(err, "could not write to hmac")
+			return 0, r.bc.err
+		}
+
+		if r.bc.err == io.EOF {
+			// Before we return EOF we let the HMAC comparison
+			// provide a verdict
+			if !hmac.Equal(r.bc.hmac.Sum(nil), r.bc.expHmac) {
+				r.bc.err = fmt.Errorf("could not properly decrypt byte stream; exp hmac: '%x', actual hmac: '%s'", r.bc.expHmac, r.bc.hmac.Sum(nil))
+				return 0, r.bc.err
+			}
+		}
+	}
+
+	r.bc.stream.XORKeyStream(p[:o], p[:o])
+
+	if r.bc.encrypt {
+		if _, err := r.bc.hmac.Write(p[:o]); err != nil {
+			r.bc.err = errors.Wrapf(err, "could not write to hmac")
+			return 0, r.bc.err
+		}
+
+		if r.bc.err == io.EOF {
+			// Final data encrypted; Do the 'then-MAC' part
+			r.bc.doneEncrypting = true
+		}
+	}
+
+	return o, r.bc.err
+}
+
+// init initializes an instance
+func (bc *AESCTRLayerBlockCipher) init(encrypt bool, reader io.Reader, opts LayerBlockCipherOptions) (LayerBlockCipherOptions, error) {
+	var (
+		err error
+	)
+
+	key := opts.Private.SymmetricKey
+	if len(key) != bc.keylen {
+		return LayerBlockCipherOptions{}, fmt.Errorf("invalid key length of %d bytes; need %d bytes", len(key), bc.keylen)
+	}
+
+	nonce, ok := opts.GetOpt("nonce")
+	if !ok {
+		nonce = make([]byte, aes.BlockSize)
+		if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+			return LayerBlockCipherOptions{}, errors.Wrap(err, "unable to generate random nonce")
+		}
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return LayerBlockCipherOptions{}, errors.Wrap(err, "aes.NewCipher failed")
+	}
+
+	bc.reader = reader
+	bc.encrypt = encrypt
+	bc.stream = cipher.NewCTR(block, nonce)
+	bc.err = nil
+	bc.hmac = hmac.New(sha256.New, key)
+	bc.expHmac = opts.Public.Hmac
+	bc.doneEncrypting = false
+
+	if !encrypt && len(bc.expHmac) == 0 {
+		return LayerBlockCipherOptions{}, errors.New("HMAC is not provided for decryption process")
+	}
+
+	lbco := LayerBlockCipherOptions{
+		Private: PrivateLayerBlockCipherOptions{
+			SymmetricKey: key,
+			CipherOptions: map[string][]byte{
+				"nonce": nonce,
+			},
+		},
+	}
+
+	return lbco, nil
+}
+
+// GenerateKey creates a synmmetric key
+func (bc *AESCTRLayerBlockCipher) GenerateKey() ([]byte, error) {
+	key := make([]byte, bc.keylen)
+	if _, err := io.ReadFull(rand.Reader, key); err != nil {
+		return nil, err
+	}
+	return key, nil
+}
+
+// Encrypt takes in layer data and returns the ciphertext and relevant LayerBlockCipherOptions
+func (bc *AESCTRLayerBlockCipher) Encrypt(plainDataReader io.Reader, opt LayerBlockCipherOptions) (io.Reader, Finalizer, error) {
+	lbco, err := bc.init(true, plainDataReader, opt)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	finalizer := func() (LayerBlockCipherOptions, error) {
+		if !bc.doneEncrypting {
+			return LayerBlockCipherOptions{}, errors.New("Read()ing not complete, unable to finalize")
+		}
+		if lbco.Public.CipherOptions == nil {
+			lbco.Public.CipherOptions = map[string][]byte{}
+		}
+		lbco.Public.Hmac = bc.hmac.Sum(nil)
+		return lbco, nil
+	}
+	return &aesctrcryptor{bc}, finalizer, nil
+}
+
+// Decrypt takes in layer ciphertext data and returns the plaintext and relevant LayerBlockCipherOptions
+func (bc *AESCTRLayerBlockCipher) Decrypt(encDataReader io.Reader, opt LayerBlockCipherOptions) (io.Reader, LayerBlockCipherOptions, error) {
+	lbco, err := bc.init(false, encDataReader, opt)
+	if err != nil {
+		return nil, LayerBlockCipherOptions{}, err
+	}
+
+	return utils.NewDelayedReader(&aesctrcryptor{bc}, 1024*10), lbco, nil
+}