mon/MonClient: skip CEPHX_V2 challenge if client doesn't support it

If the client doesn't support the CEPHX_V2 challenge, and we don't require
it, skip it.  This allows the client to authenticate without getting an
error like

  cephx: verify_reply couldn't decrypt with error: error decoding block for decryption

Note that we don't have this problem in the monitor exchange in
Monitor::handle_auth_request() because that verify_authorizer() caller is
only used for msgrv2, and all such clients support CEPHX_V2.  Instead,
those client authenticate via the MAuth messages, a path that does not use
authorizers at all.

Fixes: https://tracker.ceph.com/issues/40716
Signed-off-by: Sage Weil <sage@redhat.com>
(cherry picked from commit 321548010578d6ff7bbf2e5ce8a550008b131423)

diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc
index 37e4c347f5b8e738c7b348aac535aab6073a12d7..c7e64d7dc9c94b3c96fbe97263f2ff17c1a54c37 100644 (file)
--- a/src/mon/MonClient.cc
+++ b/src/mon/MonClient.cc
@@ -1403,6 +1403,18 @@ int MonClient::handle_auth_request(
               << auth_method << dendl;
     return -EOPNOTSUPP;
   }
+
+  auto ac = &auth_meta->authorizer_challenge;
+  if (!HAVE_FEATURE(con->get_features(), CEPHX_V2)) {
+    if (cct->_conf->cephx_service_require_version >= 2) {
+      ldout(cct,10) << __func__ << " client missing CEPHX_V2 ("
+                   << "cephx_service_requre_version = "
+                   << cct->_conf->cephx_service_require_version << ")" << dendl;
+      return -EACCES;
+    }
+    ac = nullptr;
+  }
+
   bool was_challenge = (bool)auth_meta->authorizer_challenge;
   bool isvalid = ah->verify_authorizer(
     cct,
@@ -1415,7 +1427,7 @@ int MonClient::handle_auth_request(
     &con->peer_caps_info,
     &auth_meta->session_key,
     &auth_meta->connection_secret,
-    &auth_meta->authorizer_challenge);
+    ac);
   if (isvalid) {
     handle_authentication_dispatcher->ms_handle_authentication(con);
     return 1;