/*
* PRINCIPAL: build authenticator to access the service.
*
- * enc_ticket, {timestamp, nonce}^session_key
+ * ticket, {timestamp, nonce}^session_key
*/
utime_t AuthTicketHandler::build_authenticator(bufferlist& bl)
{
utime_t now = g_clock.now();
-
+
::encode(ticket, bl);
-
- bufferlist info, enc_info;
- ::encode(now, info);
- ::encode(nonce, info);
- session_key.encrypt(info, enc_info);
- ::encode(enc_info, bl);
+
+ AuthAuthenticate msg;
+ msg.now = now;
+ msg.nonce = nonce;
+ msg.encode_encrypt(session_key, bl);
+
return now;
}
* {timestamp + 1}^session_key
*/
bool verify_authenticator(CryptoKey& service_secret, bufferlist::iterator& indata,
- bufferlist& enc_reply)
+ bufferlist& reply_bl)
{
+ AuthTicket ticket;
+ ticket.decode_decrypt(service_secret, indata);
+
+ AuthAuthenticate auth_msg;
+ auth_msg.decode_decrypt(ticket.session_key, indata);
+
bufferlist enc_ticket, enc_info;
::decode(enc_ticket, indata);
::decode(enc_info, indata);
- // decrypt ticket
- AuthTicket ticket;
- CryptoKey session_key;
- {
- bufferlist bl;
- if (service_secret.decrypt(enc_ticket, bl) < 0)
- return false;
- dout(0) << "verify_authenticator: decrypted ticket" << dendl;
- bufferlist::iterator p = bl.begin();
- ::decode(ticket, p);
- ::decode(session_key, p);
- }
-
- // decrypt info with session key
- utime_t timestamp;
- string nonce;
- {
- bufferlist info;
- if (session_key.decrypt(enc_info, info) < 0)
- return false;
- dout(0) << "verify_authenticator: decrypted session key" << dendl;
- bufferlist::iterator p = info.begin();
- ::decode(timestamp, p);
- ::decode(nonce, p);
- }
-
// it's authentic if the nonces match
- if (nonce != ticket.nonce)
+ if (auth_msg.nonce != ticket.nonce)
return false;
dout(0) << "verify_authenticator: nonce ok" << dendl;
* Reply authenticator:
* {timestamp + 1}^session_key
*/
- bufferlist reply;
- timestamp += 1;
- ::encode(timestamp, reply);
- if (session_key.encrypt(reply, enc_reply) < 0)
- return false;
+ AuthAuthenticateReply reply;
+ reply.timestamp = auth_msg.now;
+ reply.timestamp += 1;
+ reply.encode_encrypt(ticket.session_key, reply_bl);
dout(0) << "verify_authenticator: ok" << dendl;
#include "Crypto.h"
#include "msg/msg_types.h"
+struct AuthEnc {
+ virtual void encode(bufferlist& bl) const = 0;
+ virtual void decode(bufferlist::iterator& bl) = 0;
+
+ int encode_encrypt(CryptoKey key, bufferlist& out) {
+ bufferlist bl, bl_enc;
+
+ encode(bl);
+ int ret = key.encrypt(bl, bl_enc);
+ if (ret < 0)
+ return ret;
+
+ ::encode(bl_enc, out);
+ return 0;
+ }
+
+ int decode_decrypt(CryptoKey key, bufferlist::iterator& iter) {
+ bufferlist bl_enc, bl;
+ ::decode(bl_enc, iter);
+
+ int ret = key.decrypt(bl_enc, bl);
+ if (ret < 0)
+ return ret;
+
+ bufferlist::iterator iter2 = bl.begin();
+ decode(iter2);
+ return 0;
+ }
+};
+
struct EntityName {
uint32_t entity_type;
string name;
* services as described by 'caps' during the specified validity
* period.
*/
-struct AuthTicket {
+struct AuthTicket : public AuthEnc {
entity_addr_t addr;
utime_t created, renew_after, expires;
string nonce;
map<string, bufferlist> caps;
__u32 flags;
+ CryptoKey session_key;
void encode(bufferlist& bl) const {
__u8 v = 1;
::encode(nonce, bl);
::encode(caps, bl);
::encode(flags, bl);
+ ::encode(session_key, bl);
}
void decode(bufferlist::iterator& bl) {
__u8 v;
::decode(nonce, bl);
::decode(caps, bl);
::decode(flags, bl);
+ ::decode(session_key, bl);
}
};
WRITE_CLASS_ENCODER(AuthTicket)
};
//WRITE_CLASS_ENCODER(ServiceTicket)
-struct AuthEnc {
- virtual void encode(bufferlist& bl) const = 0;
- virtual void decode(bufferlist::iterator& bl) = 0;
-
- int encode_encrypt(CryptoKey key, bufferlist& out) {
- bufferlist bl, bl_enc;
-
- encode(bl);
- int ret = key.encrypt(bl, bl_enc);
- if (ret < 0)
- return ret;
-
- ::encode(bl_enc, out);
- return 0;
- }
-
- int decode_decrypt(CryptoKey key, bufferlist::iterator& iter) {
- bufferlist bl_enc, bl;
- ::decode(bl_enc, iter);
-
- int ret = key.decrypt(bl_enc, bl);
- if (ret < 0)
- return ret;
-
- bufferlist::iterator iter2 = bl.begin();
- decode(iter2);
- return 0;
- }
-};
-
struct AuthServiceTicketRequest : public AuthEnc {
entity_addr_t addr;
utime_t timestamp;
WRITE_CLASS_ENCODER(AuthMsg_E);
#endif
+struct AuthAuthenticate : public AuthEnc {
+ utime_t now;
+ string nonce;
+ void encode(bufferlist& bl) const {
+ ::encode(now, bl);
+ ::encode(nonce, bl);
+ }
+ void decode(bufferlist::iterator& bl) {
+ ::decode(now, bl);
+ ::decode(nonce, bl);
+ }
+};
+WRITE_CLASS_ENCODER(AuthAuthenticate);
+
+struct AuthAuthenticateReply : public AuthEnc {
+ utime_t timestamp;
+ void encode(bufferlist& bl) const {
+ ::encode(timestamp, bl);
+ }
+ void decode(bufferlist::iterator& bl) {
+ ::decode(timestamp, bl);
+ }
+};
+WRITE_CLASS_ENCODER(AuthAuthenticateReply);
+
+
extern void build_authenticate_request(EntityName& principal_name, entity_addr_t& principal_addr,
uint32_t keys,
projects / ceph.git / commitdiff