From 475ed4b1dc648354672198acb75700cbedce0bc2 Mon Sep 17 00:00:00 2001 From: Andrew Noyes Date: Thu, 1 Sep 2022 12:47:03 -0700 Subject: [PATCH] Improve memory safety (#8069) * Move arena members to the end of serializer calls See https://github.com/apple/foundationdb/tree/main/flow#flatbuffersobjectserializer for why this is necessary. * Fix a heap-use-after-free Previously memory owned by EncryptKeyProxyData::baseCipherDomainIdKeyIdCache was borrowed by a call to EncryptKeyProxyData::insertIntoBaseDomainIdCache where it was invalidated and then used. Now EncryptKeyProxyData::insertIntoBaseDomainIdCache takes shared ownership by taking a Standalone. And also rename some types to end in Ref to follow the flow conventions described here: https://github.com/apple/foundationdb/tree/main/flow#arenas --- .../fdbclient/ConfigTransactionInterface.h | 2 +- .../fdbclient/EncryptKeyProxyInterface.h | 10 +-- .../fdbclient/GetEncryptCipherKeys.actor.h | 6 +- fdbserver/BlobWorker.actor.cpp | 2 +- fdbserver/CommitProxyServer.actor.cpp | 4 +- fdbserver/EncryptKeyProxy.actor.cpp | 18 ++-- fdbserver/RESTKmsConnector.actor.cpp | 36 ++++---- fdbserver/SimKmsConnector.actor.cpp | 2 +- .../fdbserver/IEncryptionKeyProvider.actor.h | 4 +- .../include/fdbserver/KmsConnectorInterface.h | 87 ++++++++++--------- .../fdbserver/SimEncryptKmsProxy.actor.h | 4 +- fdbserver/include/fdbserver/TLogInterface.h | 2 +- flow/include/flow/EncryptUtils.h | 2 +- 13 files changed, 90 insertions(+), 89 deletions(-) diff --git a/fdbclient/include/fdbclient/ConfigTransactionInterface.h b/fdbclient/include/fdbclient/ConfigTransactionInterface.h index 98b65e4c4b..b42f653c27 100644 --- a/fdbclient/include/fdbclient/ConfigTransactionInterface.h +++ b/fdbclient/include/fdbclient/ConfigTransactionInterface.h 
@@ -124,7 +124,7 @@ struct ConfigTransactionCommitRequest { template void serialize(Ar& ar) { - serializer(ar, arena, generation, mutations, annotation, reply); + serializer(ar, generation, mutations, annotation, reply, arena); } }; diff --git a/fdbclient/include/fdbclient/EncryptKeyProxyInterface.h b/fdbclient/include/fdbclient/EncryptKeyProxyInterface.h index 12178b11ab..f027b76f7a 100644 --- a/fdbclient/include/fdbclient/EncryptKeyProxyInterface.h +++ b/fdbclient/include/fdbclient/EncryptKeyProxyInterface.h @@ -144,7 +144,7 @@ struct EKPGetBaseCipherKeysRequestInfo { EncryptCipherBaseKeyId baseCipherId; // Encryption domain name - ancillairy metadata information, an encryption key should be uniquely identified by // {domainId, cipherBaseId} tuple - EncryptCipherDomainName domainName; + EncryptCipherDomainNameRef domainName; EKPGetBaseCipherKeysRequestInfo() : domainId(ENCRYPT_INVALID_DOMAIN_ID), baseCipherId(ENCRYPT_INVALID_CIPHER_KEY_ID) {} @@ -176,7 +176,7 @@ struct EKPGetBaseCipherKeysByIdsRequest { template void serialize(Ar& ar) { - serializer(ar, arena, baseCipherInfos, debugId, reply); + serializer(ar, baseCipherInfos, debugId, reply, arena); } }; @@ -193,7 +193,7 @@ struct EKPGetLatestBaseCipherKeysReply { template void serialize(Ar& ar) { - serializer(ar, arena, baseCipherDetails, numHits, error); + serializer(ar, baseCipherDetails, numHits, error, arena); } }; @@ -203,7 +203,7 @@ struct EKPGetLatestCipherKeysRequestInfo { EncryptCipherDomainId domainId; // Encryption domain name - ancillairy metadata information, an encryption key should be uniquely identified by // {domainId, cipherBaseId} tuple - EncryptCipherDomainName domainName; + EncryptCipherDomainNameRef domainName; EKPGetLatestCipherKeysRequestInfo() : domainId(ENCRYPT_INVALID_DOMAIN_ID) {} EKPGetLatestCipherKeysRequestInfo(const EncryptCipherDomainId dId, StringRef name, Arena& arena) 
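Review bot: Nothing at `serializer(ar, generation, mutations, annotation, reply, arena);` records that `arena` has to remain the last argument, so a field appended after it later would quietly undo the ordering this commit establishes. I would add a one-line comment above the call, for example `// arena must stay the last serializer argument; see the FlatBuffers/ObjectSerializer section of the flow README`. The same comment applies to every other reordered `serializer(...)` call in this patch (EncryptKeyProxyInterface.h, KmsConnectorInterface.h, SimEncryptKmsProxy.actor.h, TLogInterface.h). The enclosing struct starts outside this hunk, so I cannot tell whether a struct-level comment already covers it.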
@@ -239,7 +239,7 @@ struct EKPGetLatestBaseCipherKeysRequest { template void serialize(Ar& ar) { - serializer(ar, arena, encryptDomainInfos, debugId, reply); + serializer(ar, encryptDomainInfos, debugId, reply, arena); } }; diff --git a/fdbclient/include/fdbclient/GetEncryptCipherKeys.actor.h b/fdbclient/include/fdbclient/GetEncryptCipherKeys.actor.h index 42537bfacb..b809870735 100644 --- a/fdbclient/include/fdbclient/GetEncryptCipherKeys.actor.h +++ b/fdbclient/include/fdbclient/GetEncryptCipherKeys.actor.h @@ -88,7 +88,7 @@ Future getUncachedLatestEncryptCipherKeys(Refer ACTOR template Future>> getLatestEncryptCipherKeys( Reference const> db, - std::unordered_map domains) { + std::unordered_map domains) { state Reference cipherKeyCache = BlobCipherKeyCache::getInstance(); state std::unordered_map> cipherKeys; state EKPGetLatestBaseCipherKeysRequest request; @@ -253,8 +253,8 @@ struct TextAndHeaderCipherKeys { ACTOR template Future getLatestEncryptCipherKeysForDomain(Reference const> db, EncryptCipherDomainId domainId, - EncryptCipherDomainName domainName) { - std::unordered_map domains; + EncryptCipherDomainNameRef domainName) { + std::unordered_map domains; domains[domainId] = domainName; domains[ENCRYPT_HEADER_DOMAIN_ID] = FDB_DEFAULT_ENCRYPT_DOMAIN_NAME; std::unordered_map> cipherKeys = diff --git a/fdbserver/BlobWorker.actor.cpp b/fdbserver/BlobWorker.actor.cpp index 06fe73910b..5ef6fb92f6 100644 --- a/fdbserver/BlobWorker.actor.cpp +++ b/fdbserver/BlobWorker.actor.cpp @@ -357,7 +357,7 @@ ACTOR Future getLatestGranuleCipherKeys(Reference domains; + std::unordered_map domains; domains.emplace(tenantData->entry.id, StringRef(*arena, tenantData->name)); std::unordered_map> domainKeyMap = wait(getLatestEncryptCipherKeys(bwData->dbInfo, domains)); diff --git a/fdbserver/CommitProxyServer.actor.cpp b/fdbserver/CommitProxyServer.actor.cpp index 59c8e62abe..b22c5120e8 100644 --- a/fdbserver/CommitProxyServer.actor.cpp +++ b/fdbserver/CommitProxyServer.actor.cpp 
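Review bot: In the GetEncryptCipherKeys.actor.h hunk at -88, `getLatestEncryptCipherKeys` still takes its `domains` map by value with `EncryptCipherDomainNameRef` values, so the actor copies the map entries but not the bytes the names point to. The rename now makes that borrow visible, but the lifetime obligation on callers is not written down anywhere in the signature. The actor body continues outside the hunk, so I cannot confirm that the names are deep-copied into `request` before the first `wait`. If they are not, this is the same borrow-then-invalidate pattern the commit fixes in EncryptKeyProxy. I would either add a comment such as `// domains values are borrowed: the caller must keep their backing memory alive until the returned Future is ready`, or take `Standalone` values as `insertIntoBaseDomainIdCache` now does. The `domainName` parameter of `getLatestEncryptCipherKeysForDomain` in the -253 hunk has the same issue.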
@@ -917,11 +917,11 @@ ACTOR Future getResolution(CommitBatchContext* self) { // Fetch cipher keys if needed. state Future>> getCipherKeys; if (pProxyCommitData->isEncryptionEnabled) { - static std::unordered_map defaultDomains = { + static std::unordered_map defaultDomains = { { SYSTEM_KEYSPACE_ENCRYPT_DOMAIN_ID, FDB_DEFAULT_ENCRYPT_DOMAIN_NAME }, { ENCRYPT_HEADER_DOMAIN_ID, FDB_DEFAULT_ENCRYPT_DOMAIN_NAME } }; - std::unordered_map encryptDomains = defaultDomains; + std::unordered_map encryptDomains = defaultDomains; for (int t = 0; t < trs.size(); t++) { TenantInfo const& tenantInfo = trs[t].tenantInfo; int64_t tenantId = tenantInfo.tenantId; diff --git a/fdbserver/EncryptKeyProxy.actor.cpp b/fdbserver/EncryptKeyProxy.actor.cpp index 44799b521a..2ebf98ae95 100644 --- a/fdbserver/EncryptKeyProxy.actor.cpp +++ b/fdbserver/EncryptKeyProxy.actor.cpp @@ -141,7 +141,7 @@ CipherKeyValidityTS getCipherKeyValidityTS(Optional refreshInterval, Op struct EncryptBaseCipherKey { EncryptCipherDomainId domainId; - Standalone domainName; + Standalone domainName; EncryptCipherBaseKeyId baseCipherId; Standalone baseCipherKey; // Timestamp after which the cached CipherKey is eligible for KMS refresh @@ -159,13 +159,13 @@ struct EncryptBaseCipherKey { EncryptBaseCipherKey() : domainId(0), baseCipherId(0), baseCipherKey(StringRef()), refreshAt(0), expireAt(0) {} explicit EncryptBaseCipherKey(EncryptCipherDomainId dId, - EncryptCipherDomainName dName, + Standalone dName, EncryptCipherBaseKeyId cipherId, - StringRef cipherKey, + Standalone cipherKey, int64_t refAtTS, int64_t expAtTS) - : domainId(dId), domainName(Standalone(dName)), baseCipherId(cipherId), - baseCipherKey(Standalone(cipherKey)), refreshAt(refAtTS), expireAt(expAtTS) {} + : domainId(dId), domainName(dName), baseCipherId(cipherId), baseCipherKey(cipherKey), refreshAt(refAtTS), + expireAt(expAtTS) {} bool isValid() const { int64_t currTS = (int64_t)now(); 
@@ -244,9 +244,9 @@ public: } void insertIntoBaseDomainIdCache(const EncryptCipherDomainId domainId, - EncryptCipherDomainName domainName, + Standalone domainName, const EncryptCipherBaseKeyId baseCipherId, - StringRef baseCipherKey, + Standalone baseCipherKey, int64_t refreshAtTS, int64_t expireAtTS) { // Entries in domainId cache are eligible for periodic refreshes to support 'limiting lifetime of encryption @@ -263,9 +263,9 @@ public: } void insertIntoBaseCipherIdCache(const EncryptCipherDomainId domainId, - EncryptCipherDomainName domainName, + Standalone domainName, const EncryptCipherBaseKeyId baseCipherId, - const StringRef baseCipherKey, + const Standalone baseCipherKey, int64_t refreshAtTS, int64_t expireAtTS) { // Given an cipherKey is immutable, it is OK to NOT expire cached information. diff --git a/fdbserver/RESTKmsConnector.actor.cpp b/fdbserver/RESTKmsConnector.actor.cpp index 60f46c001f..2aef038144 100644 --- a/fdbserver/RESTKmsConnector.actor.cpp +++ b/fdbserver/RESTKmsConnector.actor.cpp @@ -276,7 +276,7 @@ ACTOR Future discoverKmsUrls(Reference ctx, bool refr void parseKmsResponse(Reference ctx, Reference resp, Arena* arena, - VectorRef* outCipherKeyDetails) { + VectorRef* outCipherKeyDetails) { // Acceptable response payload json format: // // response_json_payload { @@ -542,7 +542,7 @@ ACTOR Future fetchEncryptionKeys_impl(Reference ctx, StringRef requestBodyRef, Arena* arena, - VectorRef* outCipherKeyDetails) { + VectorRef* outCipherKeyDetails) { state Reference resp; // Follow 2-phase scheme: 
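Review bot: The new `Standalone` parameters of `insertIntoBaseDomainIdCache` are the heap-use-after-free fix itself, but no comment says why they must own their memory, so a later cleanup could turn them back into plain refs. I would add above the signature `// Takes Standalone on purpose: callers may pass memory owned by the cache entry this call replaces`. The same comment fits `insertIntoBaseCipherIdCache` in the next hunk, whose `baseCipherKey` is additionally declared `const Standalone` by value while this function's is not. Making the two signatures agree would read better. Both function bodies continue outside the hunks, so how the values are forwarded into `EncryptBaseCipherKey` is not visible here.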
@@ -1096,15 +1096,15 @@ void validateKmsUrls(Reference ctx) { ASSERT_EQ(urlCtx->url.compare(KMS_URL_NAME_TEST), 0); } -void testGetEncryptKeysByKeyIdsRequestBody(Reference ctx, Arena arena) { +void testGetEncryptKeysByKeyIdsRequestBody(Reference ctx, Arena& arena) { KmsConnLookupEKsByKeyIdsReq req; std::unordered_map keyMap; const int nKeys = deterministicRandom()->randomInt(7, 8); for (int i = 1; i < nKeys; i++) { EncryptCipherDomainId domainId = getRandomDomainId(); - EncryptCipherDomainName domainName = domainId < 0 - ? StringRef(arena, std::string(FDB_DEFAULT_ENCRYPT_DOMAIN_NAME)) - : StringRef(arena, std::to_string(domainId)); + EncryptCipherDomainNameRef domainName = domainId < 0 + ? StringRef(arena, std::string(FDB_DEFAULT_ENCRYPT_DOMAIN_NAME)) + : StringRef(arena, std::to_string(domainId)); req.encryptKeyInfos.emplace_back_deep(req.arena, domainId, i, domainName); keyMap[i] = domainId; } @@ -1121,7 +1121,7 @@ void testGetEncryptKeysByKeyIdsRequestBody(Reference ctx, A getFakeKmsResponse(requestBodyRef, true, httpResp); TraceEvent("FetchKeysByKeyIds", ctx->uid).setMaxFieldLength(100000).detail("HttpRespStr", httpResp->content); - VectorRef cipherDetails; + VectorRef cipherDetails; parseKmsResponse(ctx, httpResp, &arena, &cipherDetails); ASSERT_EQ(cipherDetails.size(), keyMap.size()); for (const auto& detail : cipherDetails) { 
@@ -1135,16 +1135,16 @@ void testGetEncryptKeysByKeyIdsRequestBody(Reference ctx, A } } -void testGetEncryptKeysByDomainIdsRequestBody(Reference ctx, Arena arena) { +void testGetEncryptKeysByDomainIdsRequestBody(Reference ctx, Arena& arena) { KmsConnLookupEKsByDomainIdsReq req; - std::unordered_map domainInfoMap; + std::unordered_map domainInfoMap; const int nKeys = deterministicRandom()->randomInt(7, 25); for (int i = 1; i < nKeys; i++) { EncryptCipherDomainId domainId = getRandomDomainId(); - EncryptCipherDomainName domainName = domainId < 0 - ? StringRef(arena, std::string(FDB_DEFAULT_ENCRYPT_DOMAIN_NAME)) - : StringRef(arena, std::to_string(domainId)); - KmsConnLookupDomainIdsReqInfo reqInfo(req.arena, domainId, domainName); + EncryptCipherDomainNameRef domainName = domainId < 0 + ? StringRef(arena, std::string(FDB_DEFAULT_ENCRYPT_DOMAIN_NAME)) + : StringRef(arena, std::to_string(domainId)); + KmsConnLookupDomainIdsReqInfoRef reqInfo(req.arena, domainId, domainName); if (domainInfoMap.insert({ domainId, reqInfo }).second) { req.encryptDomainInfos.push_back(req.arena, reqInfo); } @@ -1159,7 +1159,7 @@ void testGetEncryptKeysByDomainIdsRequestBody(Reference ctx getFakeKmsResponse(jsonReqRef, false, httpResp); TraceEvent("FetchKeysByDomainIds", ctx->uid).detail("HttpRespStr", httpResp->content); - VectorRef cipherDetails; + VectorRef cipherDetails; parseKmsResponse(ctx, httpResp, &arena, &cipherDetails); ASSERT_EQ(domainInfoMap.size(), cipherDetails.size()); for (const auto& detail : cipherDetails) { @@ -1174,7 +1174,7 @@ void testGetEncryptKeysByDomainIdsRequestBody(Reference ctx void testMissingCipherDetailsTag(Reference ctx) { Arena arena; - VectorRef cipherDetails; + VectorRef cipherDetails; rapidjson::Document doc; doc.SetObject(); @@ -1201,7 +1201,7 @@ void testMissingCipherDetailsTag(Reference ctx) { void testMalformedCipherDetails(Reference ctx) { Arena arena; - VectorRef cipherDetails; + VectorRef cipherDetails; rapidjson::Document doc; doc.SetObject(); 
@@ -1228,7 +1228,7 @@ void testMalformedCipherDetails(Reference ctx) { void testMalfromedCipherDetailObj(Reference ctx) { Arena arena; - VectorRef cipherDetails; + VectorRef cipherDetails; rapidjson::Document doc; doc.SetObject(); @@ -1260,7 +1260,7 @@ void testMalfromedCipherDetailObj(Reference ctx) { void testKMSErrorResponse(Reference ctx) { Arena arena; - VectorRef cipherDetails; + VectorRef cipherDetails; rapidjson::Document doc; doc.SetObject(); diff --git a/fdbserver/SimKmsConnector.actor.cpp b/fdbserver/SimKmsConnector.actor.cpp index 0a427d82f6..6b72a2849f 100644 --- a/fdbserver/SimKmsConnector.actor.cpp +++ b/fdbserver/SimKmsConnector.actor.cpp @@ -295,7 +295,7 @@ ACTOR Future testRunWorkload(KmsConnectorInterface inf, uint32_t nEncrypti for (i = 0; i < maxDomainIds; i++) { // domainIdsReq.encryptDomainIds.push_back(i); EncryptCipherDomainId domainId = i; - EncryptCipherDomainName domainName = StringRef(domainIdsReq.arena, std::to_string(domainId)); + EncryptCipherDomainNameRef domainName = StringRef(domainIdsReq.arena, std::to_string(domainId)); domainIdsReq.encryptDomainInfos.emplace_back(domainIdsReq.arena, i, domainName); } KmsConnLookupEKsByDomainIdsRep domainIdsRep = wait(inf.ekLookupByDomainIds.getReply(domainIdsReq)); diff --git a/fdbserver/include/fdbserver/IEncryptionKeyProvider.actor.h b/fdbserver/include/fdbserver/IEncryptionKeyProvider.actor.h index 4dce8c4441..66e2a1ee38 100644 --- a/fdbserver/include/fdbserver/IEncryptionKeyProvider.actor.h +++ b/fdbserver/include/fdbserver/IEncryptionKeyProvider.actor.h 
@@ -216,7 +216,7 @@ public: Future getSecrets(const EncryptionKeyRef& key) override { return getSecrets(this, key); } ACTOR static Future getByRange(TenantAwareEncryptionKeyProvider* self, KeyRef begin, KeyRef end) { - EncryptCipherDomainName domainName; + EncryptCipherDomainNameRef domainName; EncryptCipherDomainId domainId = self->getEncryptionDomainId(begin, end, &domainName); TextAndHeaderCipherKeys cipherKeys = wait(getLatestEncryptCipherKeysForDomain(self->db, domainId, domainName)); EncryptionKey s; @@ -236,7 +236,7 @@ public: private: EncryptCipherDomainId getEncryptionDomainId(const KeyRef& begin, const KeyRef& end, - EncryptCipherDomainName* domainName) { + EncryptCipherDomainNameRef* domainName) { int64_t domainId = SYSTEM_KEYSPACE_ENCRYPT_DOMAIN_ID; int64_t beginTenantId = getTenant(begin, true /*inclusive*/); int64_t endTenantId = getTenant(end, false /*inclusive*/); diff --git a/fdbserver/include/fdbserver/KmsConnectorInterface.h b/fdbserver/include/fdbserver/KmsConnectorInterface.h index 3e91fd38f6..73afc1cbc0 100644 --- a/fdbserver/include/fdbserver/KmsConnectorInterface.h +++ b/fdbserver/include/fdbserver/KmsConnectorInterface.h @@ -67,7 +67,7 @@ struct KmsConnectorInterface { } }; -struct EncryptCipherKeyDetails { +struct EncryptCipherKeyDetailsRef { constexpr static FileIdentifier file_identifier = 1227025; EncryptCipherDomainId encryptDomainId; EncryptCipherBaseKeyId encryptKeyId; 
@@ -75,33 +75,33 @@ struct EncryptCipherKeyDetails { Optional refreshAfterSec; Optional expireAfterSec; - EncryptCipherKeyDetails() {} - explicit EncryptCipherKeyDetails(Arena& arena, - EncryptCipherDomainId dId, - EncryptCipherBaseKeyId keyId, - StringRef key) + EncryptCipherKeyDetailsRef() {} + explicit EncryptCipherKeyDetailsRef(Arena& arena, + EncryptCipherDomainId dId, + EncryptCipherBaseKeyId keyId, + StringRef key) : encryptDomainId(dId), encryptKeyId(keyId), encryptKey(StringRef(arena, key)), refreshAfterSec(Optional()), expireAfterSec(Optional()) {} - explicit EncryptCipherKeyDetails(EncryptCipherDomainId dId, EncryptCipherBaseKeyId keyId, StringRef key) + explicit EncryptCipherKeyDetailsRef(EncryptCipherDomainId dId, EncryptCipherBaseKeyId keyId, StringRef key) : encryptDomainId(dId), encryptKeyId(keyId), encryptKey(key), refreshAfterSec(Optional()), expireAfterSec(Optional()) {} - explicit EncryptCipherKeyDetails(Arena& arena, - EncryptCipherDomainId dId, - EncryptCipherBaseKeyId keyId, - StringRef key, - Optional refAfterSec, - Optional expAfterSec) + explicit EncryptCipherKeyDetailsRef(Arena& arena, + EncryptCipherDomainId dId, + EncryptCipherBaseKeyId keyId, + StringRef key, + Optional refAfterSec, + Optional expAfterSec) : encryptDomainId(dId), encryptKeyId(keyId), encryptKey(StringRef(arena, key)), refreshAfterSec(refAfterSec), expireAfterSec(expAfterSec) {} - explicit EncryptCipherKeyDetails(EncryptCipherDomainId dId, - EncryptCipherBaseKeyId keyId, - StringRef key, - Optional refAfterSec, - Optional expAfterSec) + explicit EncryptCipherKeyDetailsRef(EncryptCipherDomainId dId, + EncryptCipherBaseKeyId keyId, + StringRef key, + Optional refAfterSec, + Optional expAfterSec) : encryptDomainId(dId), encryptKeyId(keyId), encryptKey(key), refreshAfterSec(refAfterSec), expireAfterSec(expAfterSec) {} - bool operator==(const EncryptCipherKeyDetails& toCompare) { + bool operator==(const EncryptCipherKeyDetailsRef& toCompare) { return encryptDomainId == 
toCompare.encryptDomainId && encryptKeyId == toCompare.encryptKeyId && encryptKey.compare(toCompare.encryptKey) == 0; } @@ -115,30 +115,31 @@ struct EncryptCipherKeyDetails { struct KmsConnLookupEKsByKeyIdsRep { constexpr static FileIdentifier file_identifier = 2313778; Arena arena; - VectorRef cipherKeyDetails; + VectorRef cipherKeyDetails; KmsConnLookupEKsByKeyIdsRep() {} template void serialize(Ar& ar) { - serializer(ar, arena, cipherKeyDetails); + serializer(ar, cipherKeyDetails, arena); } }; -struct KmsConnLookupKeyIdsReqInfo { +struct KmsConnLookupKeyIdsReqInfoRef { constexpr static FileIdentifier file_identifier = 3092256; EncryptCipherDomainId domainId; EncryptCipherBaseKeyId baseCipherId; - EncryptCipherDomainName domainName; + EncryptCipherDomainNameRef domainName; - KmsConnLookupKeyIdsReqInfo() : domainId(ENCRYPT_INVALID_DOMAIN_ID), baseCipherId(ENCRYPT_INVALID_CIPHER_KEY_ID) {} - explicit KmsConnLookupKeyIdsReqInfo(Arena& arena, - const EncryptCipherDomainId dId, - const EncryptCipherBaseKeyId bCId, - StringRef name) + KmsConnLookupKeyIdsReqInfoRef() + : domainId(ENCRYPT_INVALID_DOMAIN_ID), baseCipherId(ENCRYPT_INVALID_CIPHER_KEY_ID) {} + explicit KmsConnLookupKeyIdsReqInfoRef(Arena& arena, + const EncryptCipherDomainId dId, + const EncryptCipherBaseKeyId bCId, + StringRef name) : domainId(dId), baseCipherId(bCId), domainName(StringRef(arena, name)) {} - bool operator==(const KmsConnLookupKeyIdsReqInfo& info) const { + bool operator==(const KmsConnLookupKeyIdsReqInfoRef& info) const { return domainId == info.domainId && baseCipherId == info.baseCipherId && (domainName.compare(info.domainName) == 0); } 
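Review bot: `bool operator==(const EncryptCipherKeyDetailsRef& toCompare) {` in the -75 hunk is not const-qualified, while the two other `operator==` members this patch touches in the same header (`KmsConnLookupKeyIdsReqInfoRef`, `KmsConnLookupDomainIdsReqInfoRef`) are. As written, it cannot be called on a const object, for example an element reached through `const auto& detail`. Since the line is being rewritten for the rename anyway, I would make it `bool operator==(const EncryptCipherKeyDetailsRef& toCompare) const {`. The struct header is in the previous hunk and the body continues past this one.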
@@ -152,45 +153,45 @@ struct KmsConnLookupKeyIdsReqInfo { struct KmsConnLookupEKsByKeyIdsReq { constexpr static FileIdentifier file_identifier = 6913396; Arena arena; - VectorRef encryptKeyInfos; + VectorRef encryptKeyInfos; Optional debugId; ReplyPromise reply; KmsConnLookupEKsByKeyIdsReq() {} - explicit KmsConnLookupEKsByKeyIdsReq(VectorRef keyInfos, Optional dbgId) + explicit KmsConnLookupEKsByKeyIdsReq(VectorRef keyInfos, Optional dbgId) : encryptKeyInfos(keyInfos), debugId(dbgId) {} template void serialize(Ar& ar) { - serializer(ar, arena, encryptKeyInfos, debugId, reply); + serializer(ar, encryptKeyInfos, debugId, reply, arena); } }; struct KmsConnLookupEKsByDomainIdsRep { constexpr static FileIdentifier file_identifier = 3009025; Arena arena; - VectorRef cipherKeyDetails; + VectorRef cipherKeyDetails; KmsConnLookupEKsByDomainIdsRep() {} template void serialize(Ar& ar) { - serializer(ar, arena, cipherKeyDetails); + serializer(ar, cipherKeyDetails, arena); } }; -struct KmsConnLookupDomainIdsReqInfo { +struct KmsConnLookupDomainIdsReqInfoRef { constexpr static FileIdentifier file_identifier = 8980149; EncryptCipherDomainId domainId; - EncryptCipherDomainName domainName; + EncryptCipherDomainNameRef domainName; - KmsConnLookupDomainIdsReqInfo() : domainId(ENCRYPT_INVALID_DOMAIN_ID) {} - explicit KmsConnLookupDomainIdsReqInfo(Arena& arena, const EncryptCipherDomainId dId, StringRef name) + KmsConnLookupDomainIdsReqInfoRef() : domainId(ENCRYPT_INVALID_DOMAIN_ID) {} + explicit KmsConnLookupDomainIdsReqInfoRef(Arena& arena, const EncryptCipherDomainId dId, StringRef name) : domainId(dId), domainName(StringRef(arena, name)) {} - explicit KmsConnLookupDomainIdsReqInfo(const EncryptCipherDomainId dId, StringRef name) + explicit KmsConnLookupDomainIdsReqInfoRef(const EncryptCipherDomainId dId, StringRef name) : domainId(dId), domainName(name) {} - bool operator==(const KmsConnLookupDomainIdsReqInfo& info) const { + bool operator==(const KmsConnLookupDomainIdsReqInfoRef& 
info) const { return domainId == info.domainId && (domainName.compare(info.domainName) == 0); } @@ -203,17 +204,17 @@ struct KmsConnLookupDomainIdsReqInfo { struct KmsConnLookupEKsByDomainIdsReq { constexpr static FileIdentifier file_identifier = 9918682; Arena arena; - VectorRef encryptDomainInfos; + VectorRef encryptDomainInfos; Optional debugId; ReplyPromise reply; KmsConnLookupEKsByDomainIdsReq() {} - explicit KmsConnLookupEKsByDomainIdsReq(VectorRef& infos, Optional dbgId) + explicit KmsConnLookupEKsByDomainIdsReq(VectorRef& infos, Optional dbgId) : encryptDomainInfos(infos), debugId(dbgId) {} template void serialize(Ar& ar) { - serializer(ar, arena, encryptDomainInfos, debugId, reply); + serializer(ar, encryptDomainInfos, debugId, reply, arena); } }; diff --git a/fdbserver/include/fdbserver/SimEncryptKmsProxy.actor.h b/fdbserver/include/fdbserver/SimEncryptKmsProxy.actor.h index 588f6d4cfb..dcbaa4969c 100644 --- a/fdbserver/include/fdbserver/SimEncryptKmsProxy.actor.h +++ b/fdbserver/include/fdbserver/SimEncryptKmsProxy.actor.h @@ -98,7 +98,7 @@ struct SimGetEncryptKeysByKeyIdsReply { template void serialize(Ar& ar) { - serializer(ar, arena, encryptKeyDetails); + serializer(ar, encryptKeyDetails, arena); } }; @@ -127,7 +127,7 @@ struct SimGetEncryptKeyByDomainIdReply { template void serialize(Ar& ar) { - serializer(ar, arena, encryptKeyDetails); + serializer(ar, encryptKeyDetails, arena); } }; diff --git a/fdbserver/include/fdbserver/TLogInterface.h b/fdbserver/include/fdbserver/TLogInterface.h index 9da4ecedd4..1e101ac16b 100644 --- a/fdbserver/include/fdbserver/TLogInterface.h +++ b/fdbserver/include/fdbserver/TLogInterface.h @@ -189,7 +189,7 @@ struct TLogPeekReply { template void serialize(Ar& ar) { - serializer(ar, arena, messages, end, popped, maxKnownVersion, minKnownCommittedVersion, begin, onlySpilled); + serializer(ar, messages, end, popped, maxKnownVersion, minKnownCommittedVersion, begin, onlySpilled, arena); } }; 
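Review bot: In the -152 hunk, `explicit KmsConnLookupEKsByKeyIdsReq(VectorRef keyInfos, Optional dbgId) : encryptKeyInfos(keyInfos), debugId(dbgId) {}` copies only the `VectorRef`. The request's own `arena` member therefore does not own the elements or the domain-name bytes they reference. A request built this way that outlives the caller's arena (for instance once it is sent and waited on) would read freed memory, which is the class of bug this commit sets out to remove. Whether any caller uses this constructor is not visible on the page. I would either deep-copy the elements into `arena` in the constructor body, as the `emplace_back_deep(req.arena, ...)` call in the RESTKmsConnector test does per element, or add a comment stating that the caller's arena must outlive the request. `KmsConnLookupEKsByDomainIdsReq(VectorRef& infos, Optional dbgId)` in the -203 hunk has the same shape.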
diff --git a/flow/include/flow/EncryptUtils.h b/flow/include/flow/EncryptUtils.h index 0587da9a81..e20af33d1e 100644 --- a/flow/include/flow/EncryptUtils.h +++ b/flow/include/flow/EncryptUtils.h @@ -41,7 +41,7 @@ const std::string FDB_DEFAULT_ENCRYPT_DOMAIN_NAME = "FdbDefaultEncryptDomain"; using EncryptCipherDomainId = int64_t; -using EncryptCipherDomainName = StringRef; +using EncryptCipherDomainNameRef = StringRef; using EncryptCipherBaseKeyId = uint64_t; using EncryptCipherRandomSalt = uint64_t;