auth/cephx: use defines for magic usage values
authorPatrick Donnelly <pdonnell@ibm.com>
Wed, 26 Nov 2025 18:25:33 +0000 (13:25 -0500)
committerPatrick Donnelly <pdonnell@ibm.com>
Mon, 5 Jan 2026 21:27:49 +0000 (16:27 -0500)
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>
doc/dev/cephx.rst
src/auth/cephx/CephxClientHandler.cc
src/auth/cephx/CephxKeyServer.cc
src/auth/cephx/CephxProtocol.cc
src/auth/cephx/CephxProtocol.h
src/auth/cephx/CephxServiceHandler.cc

index e4400b80107a89f4badca7a0849d61ae01324f50..d5bb645c32250db88e3bd37ae49e7c2c462cb8f1 100644 (file)
@@ -136,7 +136,7 @@ where::
     ticket_info {
       u32 service_id       # CEPH_ENTITY_TYPE_AUTH
       u8 msg_version (1)
-      {CephXServiceTicket service_ticket}^principal_secret
+      {CephXServiceTicket service_ticket}^principal_secret # principal_secret ONLY for _AUTH
       {CephxTicketBlob ticket_blob}^existing session_key   # if we are renewing a ticket,
       CephxTicketBlob ticket_blob                          # otherwise
     }
@@ -144,7 +144,7 @@ where::
     service_ticket_info {
       u32 service_id       # CEPH_ENTITY_TYPE_{MON,MGR,OSD,MDS}
       u8 msg_version (1)
-      {CephxServiceTicket service_ticket}^session_key
+      {CephxServiceTicket service_ticket}^auth_session_key # session_key from _AUTH CephxServiceTicket
       CephxTicketBlob ticket_blob
     }
 
index fcfbcfc67122208ac667a5fc1ce89857274e881c..5feb82c494a87a3b37e39836e91e30055b9a753c 100644 (file)
@@ -228,7 +228,7 @@ int CephxClientHandler::handle_response(
          if (cbl.length() && connection_secret) {
            auto p = cbl.cbegin();
            string err;
-           if (decode_decrypt(cct, *connection_secret, *session_key, 3, p,
+           if (decode_decrypt(cct, *connection_secret, *session_key, CEPHX_KEY_USAGE_AUTH_CONNECTION_SECRET, p,
                               err)) {
              lderr(cct) << __func__ << " failed to decrypt connection_secret"
                         << dendl;
@@ -284,7 +284,7 @@ int CephxClientHandler::handle_response(
           return -ENOENT;
         }
        std::string error;
-       if (decode_decrypt(cct, secrets, secret_key, 16, indata, error)) {
+       if (decode_decrypt(cct, secrets, secret_key, CEPHX_KEY_USAGE_ROTATING_SECRET, indata, error)) {
          ldout(cct, 0) << "could not set rotating key: decode_decrypt failed. error:"
            << error << dendl;
          return -EINVAL;
index a9aeea5c0b78803074af4706bc792d7cf641723f..fa0926993004c5acabd3d4155b10bb2f38995811 100644 (file)
@@ -450,7 +450,7 @@ bool KeyServer::get_rotating_encrypted(const EntityName& name,
   RotatingSecrets secrets = rotate_iter->second;
 
   std::string error;
-  if (encode_encrypt(cct, secrets, specific_key, 16, enc_bl, error))
+  if (encode_encrypt(cct, secrets, specific_key, CEPHX_KEY_USAGE_ROTATING_SECRET, enc_bl, error))
     return false;
 
   return true;
index f324846b53e7fb007a6a8a394ed95090b48b3df7..186c6f246bcdafb46f69cde6334cafb29a735f3e 100644 (file)
@@ -93,7 +93,7 @@ bool cephx_build_service_ticket_blob(CephContext *cct, const CephXSessionAuthInf
   if (info.service_secret.empty())
     error = "invalid key";  // Bad key?
   else
-    encode_encrypt_enc_bl(cct, ticket_info, info.service_secret, 10, blob.blob, error);
+    encode_encrypt_enc_bl(cct, ticket_info, info.service_secret, CEPHX_KEY_USAGE_TICKET_INFO, blob.blob, error);
   if (!error.empty()) {
     ldout(cct, -1) << "cephx_build_service_ticket_blob failed with error "
          << error << dendl;
@@ -139,7 +139,7 @@ bool cephx_build_service_ticket_reply(CephContext *cct,
     msg_a.session_key = info.session_key;
     msg_a.validity = info.validity;
     std::string error;
-    if (encode_encrypt(cct, msg_a, principal_secret, 4, reply, error)) {
+    if (encode_encrypt(cct, msg_a, principal_secret, CEPHX_KEY_USAGE_TICKET_SESSION_KEY, reply, error)) {
       ldout(cct, -1) << "error encoding encrypted: " << error << dendl;
       return false;
     }
@@ -157,7 +157,7 @@ bool cephx_build_service_ticket_reply(CephContext *cct,
 
     encode((__u8)should_encrypt_ticket, reply);
     if (should_encrypt_ticket) {
-      if (encode_encrypt(cct, service_ticket_bl, ticket_enc_key, 5, reply, error)) {
+      if (encode_encrypt(cct, service_ticket_bl, ticket_enc_key, CEPHX_KEY_USAGE_TICKET_BLOB, reply, error)) {
        ldout(cct, -1) << "error encoding encrypted ticket: " << error << dendl;
         return false;
       }
@@ -183,7 +183,7 @@ bool CephXTicketHandler::verify_service_ticket_reply(
 
     CephXServiceTicket msg_a;
     std::string error;
-    if (decode_decrypt(cct, msg_a, secret, 4, indata, error)) {
+    if (decode_decrypt(cct, msg_a, secret, CEPHX_KEY_USAGE_TICKET_SESSION_KEY, indata, error)) {
       ldout(cct, 0) << __func__ << " failed decode_decrypt, error is: " << error
                    << dendl;
       return false;
@@ -196,7 +196,7 @@ bool CephXTicketHandler::verify_service_ticket_reply(
     if (ticket_enc) {
       ldout(cct, 10) << __func__ << " got encrypted ticket" << dendl;
       std::string error;
-      if (decode_decrypt(cct, service_ticket_bl, session_key, 5, indata, error)) {
+      if (decode_decrypt(cct, service_ticket_bl, session_key, CEPHX_KEY_USAGE_TICKET_BLOB, indata, error)) {
        ldout(cct, 10) << __func__ << " decode_decrypt failed "
                       << "with " << error << dendl;
        return false;
@@ -367,7 +367,7 @@ CephXAuthorizer *CephXTicketHandler::build_authorizer(uint64_t global_id) const
   msg.nonce = a->nonce;
 
   std::string error;
-  if (encode_encrypt(cct, msg, session_key, 11, a->bl, error)) {
+  if (encode_encrypt(cct, msg, session_key, CEPHX_KEY_USAGE_AUTHORIZE, a->bl, error)) {
     ldout(cct, 0) << "failed to encrypt authorizer: " << error << dendl;
     delete a;
     return 0;
@@ -433,7 +433,7 @@ bool cephx_decode_ticket(CephContext *cct, KeyStore *keys,
   }
 
   std::string error;
-  decode_decrypt_enc_bl(cct, ticket_info, service_secret, 10, ticket_blob.blob, error);
+  decode_decrypt_enc_bl(cct, ticket_info, service_secret, CEPHX_KEY_USAGE_TICKET_INFO, ticket_blob.blob, error);
   if (!error.empty()) {
     ldout(cct, 0) << "ceph_decode_ticket could not decrypt ticket info. error:" 
        << error << dendl;
@@ -502,7 +502,7 @@ bool cephx_verify_authorizer(CephContext *cct, const KeyStore& keys,
   if (service_secret.empty())
     error = "invalid key";  // Bad key?
   else
-    decode_decrypt_enc_bl(cct, ticket_info, service_secret, 10, ticket.blob, error);
+    decode_decrypt_enc_bl(cct, ticket_info, service_secret, CEPHX_KEY_USAGE_TICKET_INFO, ticket.blob, error);
   if (!error.empty()) {
     ldout(cct, 0) << __func__ << ": could not decrypt ticket info: " << error << dendl;
     return false;
@@ -521,7 +521,7 @@ bool cephx_verify_authorizer(CephContext *cct, const KeyStore& keys,
   CephXAuthorize auth_msg;
   if (ticket_info.session_key.empty()) {
     error = "session key is invalid";
-  } else if (!decode_decrypt(cct, auth_msg, ticket_info.session_key, 11, indata, error)) {
+  } else if (!decode_decrypt(cct, auth_msg, ticket_info.session_key, CEPHX_KEY_USAGE_AUTHORIZE, indata, error)) {
     error = "";
   }
   if (!error.empty()) {
@@ -538,7 +538,7 @@ bool cephx_verify_authorizer(CephContext *cct, const KeyStore& keys,
       ldout(cct,10) << __func__ << ": adding server_challenge " << c->server_challenge
                    << dendl;
 
-      encode_encrypt_enc_bl(cct, *c, ticket_info.session_key, 13, *reply_bl, error);
+      encode_encrypt_enc_bl(cct, *c, ticket_info.session_key, CEPHX_KEY_USAGE_AUTHORIZE_CHALLENGE, *reply_bl, error);
       if (!error.empty()) {
        ldout(cct, 0) << __func__ << ": encode_encrypt error: " << error << dendl;
        return false;
@@ -576,7 +576,7 @@ bool cephx_verify_authorizer(CephContext *cct, const KeyStore& keys,
     }
     reply.connection_secret = *connection_secret;
   }
-  if (encode_encrypt(cct, reply, ticket_info.session_key, 15, *reply_bl, error)) {
+  if (encode_encrypt(cct, reply, ticket_info.session_key, CEPHX_KEY_USAGE_AUTHORIZE_REPLY, *reply_bl, error)) {
     ldout(cct, 10) << "verify_authorizer: encode_encrypt error: " << error << dendl;
     return false;
   }
@@ -592,7 +592,7 @@ bool CephXAuthorizer::verify_reply(bufferlist::const_iterator& indata,
   CephXAuthorizeReply reply;
 
   std::string error;
-  if (decode_decrypt(cct, reply, session_key, 15, indata, error)) {
+  if (decode_decrypt(cct, reply, session_key, CEPHX_KEY_USAGE_AUTHORIZE_REPLY, indata, error)) {
       ldout(cct, 0) << "verify_reply couldn't decrypt with error: " << error << dendl;
       return false;
   }
@@ -623,7 +623,7 @@ bool CephXAuthorizer::add_challenge(CephContext *cct,
   if (!p.end()) {
     std::string error;
     CephXAuthorizeChallenge ch{};
-    decode_decrypt_enc_bl(cct, ch, session_key, 13, challenge, error);
+    decode_decrypt_enc_bl(cct, ch, session_key, CEPHX_KEY_USAGE_AUTHORIZE_CHALLENGE, challenge, error);
     if (!error.empty()) {
       ldout(cct, 0) << "failed to decrypt challenge (" << challenge.length() << " bytes): "
                    << error << dendl;
@@ -634,7 +634,7 @@ bool CephXAuthorizer::add_challenge(CephContext *cct,
   }
 
   std::string error;
-  if (encode_encrypt(cct, msg, session_key, 11, bl, error)) {
+  if (encode_encrypt(cct, msg, session_key, CEPHX_KEY_USAGE_AUTHORIZE, bl, error)) {
     ldout(cct, 0) << __func__ << " failed to encrypt authorizer: " << error << dendl;
     return false;
   }
index fb431a84cbca2d4dd79a971c9e11fc1e1407700e..0e8de0b8f1e52fa67d7d7eb189bccbc2ffdc3f8b 100644 (file)
 #define CEPHX_REQUEST_TYPE_MASK            0x0F00
 #define CEPHX_CRYPT_ERR                        1
 
+
+/* Principal <-> AuthMonitor */
+/* The session's connection secret: encrypted with AUTH ticket session key */
+#define CEPHX_KEY_USAGE_AUTH_CONNECTION_SECRET  0x03
+/* The ticket's CephXServiceTicket containing the session key: uses principal's key for the AUTH ticket otherwise the AUTH ticket session key for the service tickets */
+#define CEPHX_KEY_USAGE_TICKET_SESSION_KEY         0x04
+/* The ticket's CephXTicketBlob: uses old AUTH session key (if presented) */
+#define CEPHX_KEY_USAGE_TICKET_BLOB                0x05
+
+/* Principal <-> Service */
+/* Client Authorization Request: using the ticket session key */
+#define CEPHX_KEY_USAGE_AUTHORIZE             0x10
+/* Service's Challenge: using the ticket session key */
+#define CEPHX_KEY_USAGE_AUTHORIZE_CHALLENGE   0x11
+/* Service's final reply: using the ticket session key */
+#define CEPHX_KEY_USAGE_AUTHORIZE_REPLY       0x12
+
+/* Service Daemon <-> AuthMonitor */
+/* Rotating Secret Fetch by Services: service daemon's principal key */
+#define CEPHX_KEY_USAGE_ROTATING_SECRET       0x20
+/* CephXServiceTicketInfo: rotating service key */
+#define CEPHX_KEY_USAGE_TICKET_INFO           0x30
+
 #include "auth/Auth.h"
 #include <errno.h>
 #include <sstream>
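Review bot: Five of the new defines do not preserve the literals they replace, so this section is a renumbering rather than the pure symbol substitution the commit title suggests: `#define CEPHX_KEY_USAGE_AUTHORIZE 0x10` replaces 11, `CEPHX_KEY_USAGE_AUTHORIZE_CHALLENGE 0x11` replaces 13, `CEPHX_KEY_USAGE_AUTHORIZE_REPLY 0x12` replaces 15, `CEPHX_KEY_USAGE_ROTATING_SECRET 0x20` replaces 16 and `CEPHX_KEY_USAGE_TICKET_INFO 0x30` replaces 10, while only the 0x03/0x04/0x05 values keep their old numbers (the affected callers are in the CephxProtocol.cc, CephxClientHandler.cc and CephxKeyServer.cc sections). If encode_encrypt/decode_decrypt mix the usage value into the ciphertext or the key derivation — their bodies are not in this diff, so this is inferred from the parameter alone — a peer built before this commit and one built after it will fail to decrypt each other's authorizers, challenge/reply messages, ticket info and rotating-secret replies, which is a wire-compatibility change that needs either a feature bit or, if the usage parameter has not shipped yet, an explicit sentence in the commit message saying the values were deliberately renumbered. In that case a header line above the group, such as `/* Key-usage tags passed to encode_encrypt/decode_decrypt; shipped values are protocol constants, add new ones rather than renumbering. */`, would stop the next refactor from repeating this silently. The comment on `CEPHX_KEY_USAGE_TICKET_SESSION_KEY` is a single line of well over 150 columns and should be wrapped to match the two-line style used for the neighbouring entries. This section has no `@@` header, so the position of the new block relative to the file's include guard cannot be confirmed from the diff.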
index 9366dd8963cc1ae95d6dae629204412c7b23f132..3d17c66e3b686c0114d3b52e41b446f53a9c993a 100644 (file)
@@ -318,7 +318,7 @@ int CephxServiceHandler::handle_request(
                                       connection_secret_required_len);
            }
            std::string err;
-           if (encode_encrypt(cct, *pconnection_secret, session_key, 3, cbl,
+           if (encode_encrypt(cct, *pconnection_secret, session_key, CEPHX_KEY_USAGE_AUTH_CONNECTION_SECRET, cbl,
                               err)) {
              lderr(cct) << __func__ << " failed to encrypt connection secret, "
                         << err << dendl;