int encrypt(CephContext *cct, const ceph::buffer::list& in,
ceph::buffer::list& out,
std::string *error) const {
- ceph_assert(ckh); // Bad key?
+ ceph_assert(!empty()); // Bad key?
return ckh->encrypt(cct, in, out, error);
}
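Review bot: The new `ceph_assert(!empty())` guards a line that still dereferences `ckh`, and the definition of `empty()` is not visible in this change, so the assert protects the call only if `empty()` is true whenever `ckh` is null. If `empty()` instead tests the secret length, a key with bytes but no handler would pass the assert and hit a null dereference. A short comment on the assert would pin the invariant, for example `// empty() must imply ckh == nullptr; callers holding peer-influenced keys check empty() first`. The same applies to the other four wrappers (`decrypt`, both slice overloads and `hmac_sha256`). Because `ceph_assert` aborts the daemon, any caller not shown here that passes a key derived from received data needs the same `empty()` pre-check that the ticket hunks add.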
int decrypt(CephContext *cct, const ceph::buffer::list& in,
ceph::buffer::list& out,
std::string *error) const {
- ceph_assert(ckh); // Bad key?
+ ceph_assert(!empty()); // Bad key?
return ckh->decrypt(cct, in, out, error);
}
std::size_t encrypt(CephContext *cct, const in_slice_t& in,
const out_slice_t& out) {
- ceph_assert(ckh);
+ ceph_assert(!empty()); // Bad key?
return ckh->encrypt(cct, in, out);
}
std::size_t decrypt(CephContext *cct, const in_slice_t& in,
const out_slice_t& out) {
- ceph_assert(ckh);
+ ceph_assert(!empty()); // Bad key?
return ckh->encrypt(cct, in, out);
}
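Review bot: The slice-based `decrypt` overload returns `ckh->encrypt(cct, in, out)` on the unchanged line right after the new assert, so as written it runs the encrypt path on data the caller expects to be decrypted. The commit edits this function but leaves that call alone; unless the handler is intentionally symmetric here, the line should read `return ckh->decrypt(cct, in, out);`. Whether the handler exposes a matching slice-based `decrypt` is not visible in this change. If the call is deliberate, a comment saying why would stop it being mistaken for a copy-paste slip.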
sha256_digest_t hmac_sha256(CephContext*, const ceph::buffer::list& in) const {
- ceph_assert(ckh);
+ ceph_assert(!empty()); // Bad key?
return ckh->hmac_sha256(in);
}
ldout(cct, 10) << "build_service_ticket service " << info << dendl;
blob.secret_id = info.secret_id;
std::string error;
- if (!info.service_secret.get_secret().length())
+ if (info.service_secret.empty())
error = "invalid key"; // Bad key?
else
encode_encrypt_enc_bl(cct, ticket_info, info.service_secret, blob.blob, error);
ldout(cct, 30) << __func__ << ": got secret " << service_secret << dendl;
std::string error;
- if (!service_secret.get_secret().length())
+ if (service_secret.empty())
error = "invalid key"; // Bad key?
else
decode_decrypt_enc_bl(cct, ticket_info, service_secret, ticket.blob, error);
// CephXAuthorize
CephXAuthorize auth_msg;
- if (decode_decrypt(cct, auth_msg, ticket_info.session_key, indata, error)) {
- ldout(cct, 0) << "verify_authorizercould not decrypt authorize request with error: "
- << error << dendl;
+ if (ticket_info.session_key.empty()) {
+ error = "session key is invalid";
+ } else if (!decode_decrypt(cct, auth_msg, ticket_info.session_key, indata, error)) {
+ error = "";
+ }
+ if (!error.empty()) {
+ ldout(cct, 0) << __func__ << ": could not decrypt authorize request: " << error << dendl;
return false;
}
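Review bot: Failure of `decode_decrypt` is now detected only through `error` being non-empty: its return value is used just to clear `error` on success, whereas the old code returned false on any non-zero result. If `decode_decrypt` can return non-zero without filling `error` (its body is not in this hunk), verification would carry on with an `auth_msg` that was never decrypted, which is a fail-open in an authentication check. Keeping the return code authoritative avoids that, e.g. `} else if (decode_decrypt(cct, auth_msg, ticket_info.session_key, indata, error) && error.empty()) {` followed by `error = "decrypt failed";`, which also removes the need for `error = "";`. The enclosing function starts and ends outside the hunk.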