*
* principal_name, principal_addr. "please authenticate me."
*/
+void build_authenticate_request(EntityName& principal_name, entity_addr_t& principal_addr,
+ bufferlist& request)
+{
+ AuthAuthenticateRequest req(principal_name, principal_addr, g_clock.now());
+ ::encode(req, request);
+}
+
void build_service_ticket_request(EntityName& principal_name, entity_addr_t& principal_addr,
uint32_t keys,
- bool encrypt,
CryptoKey& session_key,
AuthBlob& ticket_info,
bufferlist& request)
ticket_req.addr = principal_addr;
ticket_req.timestamp = g_clock.now();
ticket_req.keys = keys;
- if (!encrypt) {
- ::encode(ticket_req, request);
- } else {
- bufferptr& s1 = session_key.get_secret();
- hexdump("encoding, session key", s1.c_str(), s1.length());
- encode_encrypt(ticket_req, session_key, request);
- }
+
+ bufferptr& s1 = session_key.get_secret();
+ hexdump("encoding, session key", s1.c_str(), s1.length());
+ encode_encrypt(ticket_req, session_key, request);
+
::encode(ticket_info, request);
}
return true;
}
-bool verify_service_ticket_request(bool encrypted,
- CryptoKey& service_secret,
+bool verify_authenticate_request(CryptoKey& service_secret,
+ bufferlist::iterator& indata)
+{
+ AuthAuthenticateRequest msg;
+ ::decode(msg, indata);
+ dout(0) << "decoded timestamp=" << msg.timestamp << " addr=" << msg.addr << dendl;
+
+ /* FIXME: validate that request makes sense */
+ return true;
+}
+
+bool verify_service_ticket_request(CryptoKey& service_secret,
CryptoKey& session_key,
uint32_t& keys,
bufferlist::iterator& indata)
{
AuthServiceTicketRequest msg;
- if (encrypted) {
- bufferptr& s1 = session_key.get_secret();
- hexdump("decoding, session key", s1.c_str(), s1.length());
-
- dout(0) << "verify encrypted service ticket request" << dendl;
- if (decode_decrypt(msg, session_key, indata) < 0)
- return false;
-
- dout(0) << "decoded timestamp=" << msg.timestamp << " addr=" << msg.addr << " (was encrypted)" << dendl;
-
- AuthServiceTicketInfo ticket_info;
- if (decode_decrypt(ticket_info, service_secret, indata) < 0)
+ bufferptr& s1 = session_key.get_secret();
+ hexdump("decoding, session key", s1.c_str(), s1.length());
+
+ dout(0) << "verify encrypted service ticket request" << dendl;
+ if (decode_decrypt(msg, session_key, indata) < 0)
+ return false;
+
+ dout(0) << "decoded timestamp=" << msg.timestamp << " addr=" << msg.addr << " (was encrypted)" << dendl;
+
+ AuthServiceTicketInfo ticket_info;
+ if (decode_decrypt(ticket_info, service_secret, indata) < 0)
return false;
- } else {
- ::decode(msg, indata);
-
- dout(0) << "decoded timestamp=" << msg.timestamp << " addr=" << msg.addr << dendl;
- }
/* FIXME: validate that request makes sense */
/*
* Authentication
*/
+extern void build_authenticate_request(EntityName& principal_name, entity_addr_t& principal_addr,
+ bufferlist& request);
+
+
extern void build_service_ticket_request(EntityName& principal_name, entity_addr_t& principal_addr,
- uint32_t keys,
- bool encrypt,
- CryptoKey& session_key,
- AuthBlob& ticket_info,
- bufferlist& request);
-
-extern bool build_service_ticket_reply(
- CryptoKey& principal_secret,
- vector<SessionAuthInfo> ticket_info,
- bufferlist& reply);
-
-class AuthenticateRequest {
+ uint32_t keys,
+ CryptoKey& session_key,
+ AuthBlob& ticket_info,
+ bufferlist& request);
+
+extern bool build_service_ticket_reply(CryptoKey& principal_secret,
+ vector<SessionAuthInfo> ticket_info,
+ bufferlist& reply);
+
+struct AuthAuthenticateRequest {
EntityName name;
entity_addr_t addr;
-public:
- AuthenticateRequest(EntityName& principal_name, entity_addr_t principal_addr) : name(principal_name), addr(principal_addr) {}
+ utime_t timestamp;
+
+ AuthAuthenticateRequest() {}
+ AuthAuthenticateRequest(EntityName& principal_name, entity_addr_t principal_addr, utime_t t) :
+ name(principal_name), addr(principal_addr), timestamp(t) {}
void encode(bufferlist& bl) const {
::encode(name, bl);
::encode(addr, bl);
+ ::encode(timestamp, bl);
}
void decode(bufferlist::iterator& bl) {
::decode(name, bl);
::decode(addr, bl);
+ ::decode(timestamp, bl);
+ }
+};
+WRITE_CLASS_ENCODER(AuthAuthenticateRequest)
+
+struct AuthServiceTicketRequest {
+ entity_addr_t addr;
+ utime_t timestamp;
+ uint32_t keys;
+
+ void encode(bufferlist& bl) const {
+ ::encode(addr, bl);
+ ::encode(timestamp, bl);
+ ::encode(keys, bl);
+ }
+ void decode(bufferlist::iterator& bl) {
+ ::decode(addr, bl);
+ ::decode(timestamp, bl);
+ ::decode(keys, bl);
}
};
-WRITE_CLASS_ENCODER(AuthenticateRequest)
+WRITE_CLASS_ENCODER(AuthServiceTicketRequest);
+
struct AuthAuthorizeReply {
uint32_t trans_id;
AuthTicketHandler() : has_key_flag(false) {}
- bool build_authenticate_request();
- bool verify_authenticate_response();
-
// to build our ServiceTicket
bool verify_service_ticket_reply(CryptoKey& principal_secret,
bufferlist::iterator& indata);
bool has_key(uint32_t service_id);
};
-struct AuthServiceTicketRequest {
- entity_addr_t addr;
- utime_t timestamp;
- uint32_t keys;
-
- void encode(bufferlist& bl) const {
- ::encode(addr, bl);
- ::encode(timestamp, bl);
- ::encode(keys, bl);
- }
- void decode(bufferlist::iterator& bl) {
- ::decode(addr, bl);
- ::decode(timestamp, bl);
- ::decode(keys, bl);
- }
-};
-WRITE_CLASS_ENCODER(AuthServiceTicketRequest);
/* A */
struct AuthServiceTicket {
return 0;
}
-extern void build_authenticate_request(EntityName& principal_name, entity_addr_t& principal_addr,
- uint32_t keys,
- bool encrypt,
- CryptoKey& session_key,
- AuthBlob& ticket_info,
- bufferlist& request);
-
-extern bool build_authenticate_reply(AuthTicketHandler ticket_handler,
- CryptoKey session_key,
- CryptoKey auth_session_key,
- CryptoKey& service_secret,
- bufferlist& reply);
/*
* Verify authorizer and generate reply authorizer
*/
-
-extern bool verify_service_ticket_request(bool encrypted,
- CryptoKey& service_secret,
- CryptoKey& session_key,
- uint32_t& keys,
- bufferlist::iterator& indata);
+extern bool verify_authenticate_request(CryptoKey& service_secret,
+ bufferlist::iterator& indata);
+extern bool verify_service_ticket_request(CryptoKey& service_secret,
+ CryptoKey& session_key,
+ uint32_t& keys,
+ bufferlist::iterator& indata);
extern bool verify_authorizer(CryptoKey& service_secret, bufferlist::iterator& bl,
bufferlist& enc_reply);
header.request_type = CEPHX_GET_AUTH_SESSION_KEY;
- ::encode(header, bl);
- CryptoKey key;
- AuthBlob blob;
- build_service_ticket_request(client->name, client->addr, CEPHX_PRINCIPAL_AUTH,
- false, key, blob, bl);
+ ::encode(header, bl);
+
+ build_authenticate_request(client->name, client->addr, bl);
cephx_request_state = 1;
return 0;
}
::encode(header, bl);
build_service_ticket_request(client->name, client->addr, want,
- true, ticket_handler.session_key, ticket_handler.ticket, bl);
+ ticket_handler.session_key, ticket_handler.ticket, bl);
return 0;
}
ticket.expires = g_clock.now();
- uint32_t keys;
-
auth_server.get_client_secret(principal_secret);
auth_server.get_service_session_key(session_key, CEPHX_PRINCIPAL_AUTH);
auth_server.get_service_secret(auth_secret, CEPHX_PRINCIPAL_AUTH);
- if (!verify_service_ticket_request(false, auth_secret,
- session_key, keys, indata)) {
+ if (!verify_authenticate_request(auth_secret, indata)) {
ret = -EPERM;
break;
- }
+ }
+
+ // checking password?
build_cephx_response_header(request_type, 0, result_bl);
vector<SessionAuthInfo> info_vec;
vector<SessionAuthInfo> info_vec;
- if (!verify_service_ticket_request(true, auth_secret,
- auth_session_key, keys, indata)) {
+ if (!verify_service_ticket_request(auth_secret, auth_session_key, keys, indata)) {
ret = -EPERM;
break;
}
projects / ceph.git / commitdiff