auth: check service key is valid before decryption

CryptoKey::empty is the correct mechanism to check for an invalid key (and this
is codified elsewhere, fixed in this commit). Decryption would fail with an
abort if the key handler was unset. This would happen after rotating the "mon."
key and then restarting one of the mons.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>

diff --git a/src/auth/Crypto.h b/src/auth/Crypto.h
index 132a23216d6c180d34927a379314999fe9167169..b2d871645eadc41cbc3fbc93a9d4e8559e7e3c17 100644 (file)
--- a/src/auth/Crypto.h
+++ b/src/auth/Crypto.h
@@ -185,13 +185,13 @@ public:
   int encrypt(CephContext *cct, const ceph::buffer::list& in,
              ceph::buffer::list& out,
              std::string *error) const {
-    ceph_assert(ckh); // Bad key?
+    ceph_assert(!empty()); // Bad key?
     return ckh->encrypt(cct, in, out, error);
   }
   int decrypt(CephContext *cct, const ceph::buffer::list& in,
              ceph::buffer::list& out,
              std::string *error) const {
-    ceph_assert(ckh); // Bad key?
+    ceph_assert(!empty()); // Bad key?
     return ckh->decrypt(cct, in, out, error);
   }
 
@@ -200,17 +200,17 @@ public:
 
   std::size_t encrypt(CephContext *cct, const in_slice_t& in,
                      const out_slice_t& out) {
-    ceph_assert(ckh);
+    ceph_assert(!empty()); // Bad key?
     return ckh->encrypt(cct, in, out);
   }
   std::size_t decrypt(CephContext *cct, const in_slice_t& in,
                      const out_slice_t& out) {
-    ceph_assert(ckh);
+    ceph_assert(!empty()); // Bad key?
     return ckh->encrypt(cct, in, out);
   }
 
   sha256_digest_t hmac_sha256(CephContext*, const ceph::buffer::list& in) const {
-    ceph_assert(ckh);
+    ceph_assert(!empty()); // Bad key?
     return ckh->hmac_sha256(in);
   }
 

diff --git a/src/auth/cephx/CephxProtocol.cc b/src/auth/cephx/CephxProtocol.cc
index 4d7f67525d4217dcacc7a14e945f53e189c384da..10eda69c1f49c9029100f4bccc372994e57bcd7a 100644 (file)
--- a/src/auth/cephx/CephxProtocol.cc
+++ b/src/auth/cephx/CephxProtocol.cc
@@ -90,7 +90,7 @@ bool cephx_build_service_ticket_blob(CephContext *cct, const CephXSessionAuthInf
   ldout(cct, 10) << "build_service_ticket service " << info << dendl;
   blob.secret_id = info.secret_id;
   std::string error;
-  if (!info.service_secret.get_secret().length())
+  if (info.service_secret.empty())
     error = "invalid key";  // Bad key?
   else
     encode_encrypt_enc_bl(cct, ticket_info, info.service_secret, blob.blob, error);
@@ -499,7 +499,7 @@ bool cephx_verify_authorizer(CephContext *cct, const KeyStore& keys,
   ldout(cct, 30) << __func__ << ": got secret " << service_secret << dendl;
 
   std::string error;
-  if (!service_secret.get_secret().length())
+  if (service_secret.empty())
     error = "invalid key";  // Bad key?
   else
     decode_decrypt_enc_bl(cct, ticket_info, service_secret, ticket.blob, error);
@@ -519,9 +519,13 @@ bool cephx_verify_authorizer(CephContext *cct, const KeyStore& keys,
 
   // CephXAuthorize
   CephXAuthorize auth_msg;
-  if (decode_decrypt(cct, auth_msg, ticket_info.session_key, indata, error)) {
-    ldout(cct, 0) << "verify_authorizercould not decrypt authorize request with error: "
-      << error << dendl;
+  if (ticket_info.session_key.empty()) {
+    error = "session key is invalid";
+  } else if (!decode_decrypt(cct, auth_msg, ticket_info.session_key, indata, error)) {
+    error = "";
+  }
+  if (!error.empty()) {
+    ldout(cct, 0) << __func__ << ": could not decrypt authorize request: " << error << dendl;
     return false;
   }