auth: make connection_secret a std::string

Move connection mode decision to initial auth_request point so that it
can inform auth implementation how big the connection secret should be.
Pass that value through where appropriate.

The connection_secret is now a std::string filled with random bytes.

For now the v2 protocol just uses the session_key CryptoKey to encrypt,
but this is about to change.

Signed-off-by: Sage Weil <sage@redhat.com>

diff --git a/src/auth/Auth.h b/src/auth/Auth.h
index 2716a3ddb40df572ba45210a6bc75c9a204eb4b1..5e8e375fdf337bd759543b082bc1b7c43a55676f 100644 (file)
--- a/src/auth/Auth.h
+++ b/src/auth/Auth.h
@@ -146,7 +146,7 @@ struct AuthAuthorizer {
   explicit AuthAuthorizer(__u32 p) : protocol(p) {}
   virtual ~AuthAuthorizer() {}
   virtual bool verify_reply(bufferlist::const_iterator& reply,
-                           CryptoKey *connection_secret) = 0;
+                           std::string *connection_secret) = 0;
   virtual bool add_challenge(CephContext *cct, const bufferlist& challenge) = 0;
 };
 
@@ -162,9 +162,6 @@ struct AuthConnectionMeta {
 
   int auth_mode = 0;  ///< AUTH_MODE_*
 
-  /// server: client's preferred con_modes
-  std::vector<uint32_t> preferred_con_modes;
-
   int con_mode = 0;  ///< negotiated mode
 
   bool is_mode_crc() {
@@ -174,8 +171,18 @@ struct AuthConnectionMeta {
     return con_mode == CEPH_CON_MODE_SECURE;
   }
 
-  CryptoKey session_key;         ///< per-ticket key
-  CryptoKey connection_secret;   ///< per-connection key
+  CryptoKey session_key;           ///< per-ticket key
+
+  size_t get_connection_secret_length() const {
+    switch (con_mode) {
+    case CEPH_CON_MODE_CRC:
+      return 0;
+    case CEPH_CON_MODE_SECURE:
+      return 16 * 4;
+    }
+    return 0;
+  }
+  std::string connection_secret;   ///< per-connection key
 
   std::unique_ptr<AuthAuthorizer> authorizer;
   std::unique_ptr<AuthAuthorizerChallenge> authorizer_challenge;

diff --git a/src/auth/AuthAuthorizeHandler.h b/src/auth/AuthAuthorizeHandler.h
index 74703407dc90cb4ec847d63ceda2b6b7859566bf..b912e578995a05c111fa937509a58ed17cfd0570 100644 (file)
--- a/src/auth/AuthAuthorizeHandler.h
+++ b/src/auth/AuthAuthorizeHandler.h
@@ -33,12 +33,13 @@ struct AuthAuthorizeHandler {
     CephContext *cct,
     KeyStore *keys,
     const bufferlist& authorizer_data,
+    size_t connection_secret_required_len,
     bufferlist *authorizer_reply,
     EntityName *entity_name,
     uint64_t *global_id,
     AuthCapsInfo *caps_info,
     CryptoKey *session_key,
-    CryptoKey *connection_secret,
+    std::string *connection_secret,
     std::unique_ptr<AuthAuthorizerChallenge> *challenge) = 0;
   virtual int authorizer_session_crypto() = 0;
 };

diff --git a/src/auth/AuthClient.h b/src/auth/AuthClient.h
index 28eae6decce7fe2e9d792e374a7e16f2cb1ff88d..79912a3188bbb17c05910d45bdac9c5490ae935b 100644 (file)
--- a/src/auth/AuthClient.h
+++ b/src/auth/AuthClient.h
@@ -27,7 +27,7 @@ public:
     uint32_t con_mode,
     const bufferlist& bl,
     CryptoKey *session_key,
-    CryptoKey *connection_key) = 0;
+    std::string *connection_secret) = 0;
   virtual int handle_auth_bad_method(
     Connection *con,
     uint32_t old_auth_method,

diff --git a/src/auth/AuthClientHandler.h b/src/auth/AuthClientHandler.h
index 1e8f76eb4f3d60df62a8d556353a0f2bc846d37b..e0f3a7de952a6822f96ec2b9d3159f90d07ccf71 100644 (file)
--- a/src/auth/AuthClientHandler.h
+++ b/src/auth/AuthClientHandler.h
@@ -54,7 +54,7 @@ public:
   virtual int build_request(bufferlist& bl) const = 0;
   virtual int handle_response(int ret, bufferlist::const_iterator& iter,
                              CryptoKey *session_key,
-                             CryptoKey *connection_secret) = 0;
+                             std::string *connection_secret) = 0;
   virtual bool build_rotating_request(bufferlist& bl) const = 0;
 
   virtual AuthAuthorizer *build_authorizer(uint32_t service_id) const = 0;

diff --git a/src/auth/AuthServiceHandler.h b/src/auth/AuthServiceHandler.h
index a787663c29935bccaa203059cce89cc60bca4df9..9f695bfdf973ea8027fe07189b3bcede57e9fa84 100644 (file)
--- a/src/auth/AuthServiceHandler.h
+++ b/src/auth/AuthServiceHandler.h
@@ -37,16 +37,18 @@ public:
   virtual ~AuthServiceHandler() { }
 
   virtual int start_session(const EntityName& name,
+                           size_t connection_secret_required_length,
                            bufferlist *result,
                            AuthCapsInfo *caps,
                            CryptoKey *session_key,
-                           CryptoKey *connection_secret) = 0;
+                           std::string *connection_secret) = 0;
   virtual int handle_request(bufferlist::const_iterator& indata,
+                            size_t connection_secret_required_length,
                             bufferlist *result,
                             uint64_t *global_id,
                             AuthCapsInfo *caps,
                             CryptoKey *session_key,
-                            CryptoKey *connection_secret) = 0;
+                            std::string *connection_secret) = 0;
 
   EntityName& get_entity_name() { return entity_name; }
 };

diff --git a/src/auth/AuthSessionHandler.cc b/src/auth/AuthSessionHandler.cc
index 3e92051455a7d7ebcc7e7dbb6d2108f4dc6342dd..54dbdb79598a612c8a83f0eced5543f59829242a 100644 (file)
--- a/src/auth/AuthSessionHandler.cc
+++ b/src/auth/AuthSessionHandler.cc
@@ -27,7 +27,7 @@
 AuthSessionHandler *get_auth_session_handler(
   CephContext *cct, int protocol,
   const CryptoKey& key,
-  const CryptoKey& connection_secret,
+  const std::string& connection_secret,
   uint64_t features)
 {
 

diff --git a/src/auth/AuthSessionHandler.h b/src/auth/AuthSessionHandler.h
index 89015c839f8c923cd58bec2b8aa99fb238df6fdf..28f139d45ec8b524bc99c2ff35356239df41adea 100644 (file)
--- a/src/auth/AuthSessionHandler.h
+++ b/src/auth/AuthSessionHandler.h
@@ -30,15 +30,15 @@ struct AuthSessionHandler {
 protected:
   CephContext *cct;
   int protocol;
-  CryptoKey key;                // per mon authentication
-  CryptoKey connection_secret;  // per connection
+  CryptoKey key;                  // per mon authentication
+  std::string connection_secret;  // per connection
 
 public:
   explicit AuthSessionHandler(CephContext *cct_) : cct(cct_), protocol(CEPH_AUTH_UNKNOWN) {}
 
   AuthSessionHandler(CephContext *cct_, int protocol_,
                     const CryptoKey& key_,
-                    const CryptoKey& cs_)
+                    const std::string& cs_)
     : cct(cct_),
       protocol(protocol_),
       key(key_),
@@ -69,7 +69,7 @@ public:
 extern AuthSessionHandler *get_auth_session_handler(
   CephContext *cct, int protocol,
   const CryptoKey& key,
-  const CryptoKey& connection_secret,
+  const std::string& connection_secret,
   uint64_t features);
 
 #endif

diff --git a/src/auth/cephx/CephxAuthorizeHandler.cc b/src/auth/cephx/CephxAuthorizeHandler.cc
index 86003dae663c38b8affdc5b1c17e0adcead142b6..6684e164728c88d4eaeab9f53f6cf242db052644 100644 (file)
--- a/src/auth/cephx/CephxAuthorizeHandler.cc
+++ b/src/auth/cephx/CephxAuthorizeHandler.cc
@@ -10,12 +10,13 @@ bool CephxAuthorizeHandler::verify_authorizer(
   CephContext *cct,
   KeyStore *keys,
   const bufferlist& authorizer_data,
+  size_t connection_secret_required_len,
   bufferlist *authorizer_reply,
   EntityName *entity_name,
   uint64_t *global_id,
   AuthCapsInfo *caps_info,
   CryptoKey *session_key,
-  CryptoKey *connection_secret,
+  std::string *connection_secret,
   std::unique_ptr<AuthAuthorizerChallenge> *challenge)
 {
   auto iter = authorizer_data.cbegin();
@@ -27,7 +28,9 @@ bool CephxAuthorizeHandler::verify_authorizer(
 
   CephXServiceTicketInfo auth_ticket_info;
 
-  bool isvalid = cephx_verify_authorizer(cct, keys, iter, auth_ticket_info,
+  bool isvalid = cephx_verify_authorizer(cct, keys, iter,
+                                        connection_secret_required_len,
+                                        auth_ticket_info,
                                         challenge, connection_secret,
                                         authorizer_reply);
 

diff --git a/src/auth/cephx/CephxAuthorizeHandler.h b/src/auth/cephx/CephxAuthorizeHandler.h
index 6784fa2dae9f30acb7c2d766f2114acd3623e9c4..769426c43841ea45572d1b08289709e817a4a854 100644 (file)
--- a/src/auth/cephx/CephxAuthorizeHandler.h
+++ b/src/auth/cephx/CephxAuthorizeHandler.h
@@ -24,12 +24,13 @@ struct CephxAuthorizeHandler : public AuthAuthorizeHandler {
     CephContext *cct,
     KeyStore *keys,
     const bufferlist& authorizer_data,
+    size_t connection_secret_required_len,
     bufferlist *authorizer_reply,
     EntityName *entity_name,
     uint64_t *global_id,
     AuthCapsInfo *caps_info,
     CryptoKey *session_key,
-    CryptoKey *connection_secret,
+    std::string *connection_secret,
     std::unique_ptr<AuthAuthorizerChallenge> *challenge) override;
   int authorizer_session_crypto() override;
 };

diff --git a/src/auth/cephx/CephxClientHandler.cc b/src/auth/cephx/CephxClientHandler.cc
index 9d0df43a8c458b99d5e7ed25d6aac91339d9b1e9..77d8e687e4144986bc0af23ece74d643626ae968 100644 (file)
--- a/src/auth/cephx/CephxClientHandler.cc
+++ b/src/auth/cephx/CephxClientHandler.cc
@@ -119,7 +119,7 @@ int CephxClientHandler::handle_response(
   int ret,
   bufferlist::const_iterator& indata,
   CryptoKey *session_key,
-  CryptoKey *connection_secret)
+  std::string *connection_secret)
 {
   ldout(cct, 10) << this << " handle_response ret = " << ret << dendl;
   
@@ -178,7 +178,8 @@ int CephxClientHandler::handle_response(
              lderr(cct) << __func__ << " failed to decrypt connection_secret"
                         << dendl;
            } else {
-             ldout(cct, 10) << " got connection_secret " << dendl;
+             ldout(cct, 10) << " got connection_secret "
+                            << connection_secret->size() << " bytes" << dendl;
            }
          }
          if (extra_tickets.length())  {

diff --git a/src/auth/cephx/CephxClientHandler.h b/src/auth/cephx/CephxClientHandler.h
index f56bc1d9137743cc8fab624142dec6fd8c4ef20b..cd1196a689ce2cae6abea8fc3acbdb802d2f558c 100644 (file)
--- a/src/auth/cephx/CephxClientHandler.h
+++ b/src/auth/cephx/CephxClientHandler.h
@@ -53,7 +53,7 @@ public:
   int build_request(bufferlist& bl) const override;
   int handle_response(int ret, bufferlist::const_iterator& iter,
                      CryptoKey *session_key,
-                     CryptoKey *connection_secret) override;
+                     std::string *connection_secret) override;
   bool build_rotating_request(bufferlist& bl) const override;
 
   int get_protocol() const override { return CEPH_AUTH_CEPHX; }

diff --git a/src/auth/cephx/CephxProtocol.cc b/src/auth/cephx/CephxProtocol.cc
index 04f9e8e224968a2edc0888b4bf8baaaba33c6114..6254d8f3c1e6da096c9362e8e09ce150022ec3e0 100644 (file)
--- a/src/auth/cephx/CephxProtocol.cc
+++ b/src/auth/cephx/CephxProtocol.cc
@@ -393,9 +393,10 @@ bool cephx_decode_ticket(CephContext *cct, KeyStore *keys, uint32_t service_id,
  */
 bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys,
                             bufferlist::const_iterator& indata,
+                            size_t connection_secret_required_len,
                             CephXServiceTicketInfo& ticket_info,
                             std::unique_ptr<AuthAuthorizerChallenge> *challenge,
-                            CryptoKey *connection_secret,
+                            std::string *connection_secret,
                             bufferlist *reply_bl)
 {
   __u8 authorizer_v;
@@ -496,12 +497,11 @@ bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys,
 #ifndef WITH_SEASTAR
   if (connection_secret) {
     // generate a connection secret
-    bufferptr bp;
-    CryptoHandler *crypto = cct->get_crypto_handler(CEPH_CRYPTO_AES);
-    assert(crypto);
-    int r = crypto->create(cct->random(), bp);
-    assert(r >= 0);
-    connection_secret->set_secret(CEPH_CRYPTO_AES, bp, ceph_clock_now());
+    connection_secret->resize(connection_secret_required_len);
+    if (connection_secret_required_len) {
+      cct->random()->get_bytes(connection_secret->data(),
+                              connection_secret_required_len);
+    }
     reply.connection_secret = *connection_secret;
   }
 #endif
@@ -516,7 +516,7 @@ bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys,
 }
 
 bool CephXAuthorizer::verify_reply(bufferlist::const_iterator& indata,
-                                  CryptoKey *connection_secret)
+                                  std::string *connection_secret)
 {
   CephXAuthorizeReply reply;
 
@@ -534,7 +534,7 @@ bool CephXAuthorizer::verify_reply(bufferlist::const_iterator& indata,
   }
 
   if (connection_secret &&
-      reply.connection_secret.get_type()) {
+      reply.connection_secret.size()) {
     *connection_secret = reply.connection_secret;
   }
   return true;

diff --git a/src/auth/cephx/CephxProtocol.h b/src/auth/cephx/CephxProtocol.h
index c4485f6e68de631ed7908597b58e0728dd92d39c..0aedc9d12d9597bd1bdf970e50b0282c121a4cc8 100644 (file)
--- a/src/auth/cephx/CephxProtocol.h
+++ b/src/auth/cephx/CephxProtocol.h
@@ -220,11 +220,11 @@ WRITE_CLASS_ENCODER(CephXServiceTicketRequest)
 
 struct CephXAuthorizeReply {
   uint64_t nonce_plus_one;
-  CryptoKey connection_secret;
+  std::string connection_secret;
   void encode(bufferlist& bl) const {
     using ceph::encode;
     __u8 struct_v = 1;
-    if (connection_secret.get_type()) {
+    if (connection_secret.size()) {
       struct_v = 2;
     }
     encode(struct_v, bl);
@@ -259,7 +259,7 @@ public:
 
   bool build_authorizer();
   bool verify_reply(bufferlist::const_iterator& reply,
-                   CryptoKey *connection_secret) override;
+                   std::string *connection_secret) override;
   bool add_challenge(CephContext *cct, const bufferlist& challenge) override;
 };
 
@@ -423,11 +423,13 @@ bool cephx_decode_ticket(CephContext *cct, KeyStore *keys,
  * Verify authorizer and generate reply authorizer
  */
 extern bool cephx_verify_authorizer(
-  CephContext *cct, KeyStore *keys,
+  CephContext *cct,
+  KeyStore *keys,
   bufferlist::const_iterator& indata,
+  size_t connection_secret_required_len,
   CephXServiceTicketInfo& ticket_info,
   std::unique_ptr<AuthAuthorizerChallenge> *challenge,
-  CryptoKey *connection_secret,
+  std::string *connection_secret,
   bufferlist *reply_bl);
 
 

diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc
index 64c0b5a0c8e178ecb5f407e2e42fe05f68a1e890..03d9c7357f1cedc9c3290629e0527db5d6d6e891 100644 (file)
--- a/src/auth/cephx/CephxServiceHandler.cc
+++ b/src/auth/cephx/CephxServiceHandler.cc
@@ -27,11 +27,13 @@
 #undef dout_prefix
 #define dout_prefix *_dout << "cephx server " << entity_name << ": "
 
-int CephxServiceHandler::start_session(const EntityName& name,
-                                      bufferlist *result_bl,
-                                      AuthCapsInfo *caps,
-                                      CryptoKey *session_key,
-                                      CryptoKey *connection_secret)
+int CephxServiceHandler::start_session(
+  const EntityName& name,
+  size_t connection_secret_required_length,
+  bufferlist *result_bl,
+  AuthCapsInfo *caps,
+  CryptoKey *session_key,
+  std::string *connection_secret)
 {
   entity_name = name;
 
@@ -49,11 +51,12 @@ int CephxServiceHandler::start_session(const EntityName& name,
 
 int CephxServiceHandler::handle_request(
   bufferlist::const_iterator& indata,
+  size_t connection_secret_required_len,
   bufferlist *result_bl,
   uint64_t *global_id,
   AuthCapsInfo *caps,
   CryptoKey *psession_key,
-  CryptoKey *pconnection_secret)
+  std::string *pconnection_secret)
 {
   int ret = 0;
 
@@ -169,9 +172,19 @@ int CephxServiceHandler::handle_request(
          // generate a connection_secret
          bufferlist cbl;
          if (pconnection_secret) {
-           key_server->generate_secret(*pconnection_secret);
-           string err;
-           encode_encrypt(cct, *pconnection_secret, session_key, cbl, err);
+           pconnection_secret->resize(connection_secret_required_len);
+           if (connection_secret_required_len) {
+             cct->random()->get_bytes(pconnection_secret->data(),
+                                      connection_secret_required_len);
+           }
+           std::string err;
+           if (encode_encrypt(cct, *pconnection_secret, session_key, cbl,
+                              err) < 0) {
+             lderr(cct) << __func__ << " failed to encrypt connection secret, "
+                        << err << dendl;
+             ret = -EACCES;
+             break;
+           }
          }
          encode(cbl, *result_bl);
          // provite all of the other tickets at the same time
@@ -213,7 +226,7 @@ int CephxServiceHandler::handle_request(
       CephXServiceTicketInfo auth_ticket_info;
       // note: no challenge here.
       if (!cephx_verify_authorizer(
-           cct, key_server, indata, auth_ticket_info, nullptr,
+           cct, key_server, indata, 0, auth_ticket_info, nullptr,
            nullptr,
            &tmp_bl)) {
         ret = -EPERM;

diff --git a/src/auth/cephx/CephxServiceHandler.h b/src/auth/cephx/CephxServiceHandler.h
index 2a5af6f7af74ffe5d5fbeec7206530b71b1cb0bf..cb598fc870a97c70a7cc8c05b718cca8bb4b967a 100644 (file)
--- a/src/auth/cephx/CephxServiceHandler.h
+++ b/src/auth/cephx/CephxServiceHandler.h
@@ -30,17 +30,19 @@ public:
   ~CephxServiceHandler() override {}
   
   int start_session(const EntityName& name,
+                   size_t connection_secret_required_length,
                    bufferlist *result_bl,
                    AuthCapsInfo *caps,
                    CryptoKey *session_key,
-                   CryptoKey *connection_secret) override;
+                   std::string *connection_secret) override;
   int handle_request(
     bufferlist::const_iterator& indata,
+    size_t connection_secret_required_length,
     bufferlist *result_bl,
     uint64_t *global_id,
     AuthCapsInfo *caps,
     CryptoKey *session_key,
-    CryptoKey *connection_secret) override;
+    std::string *connection_secret) override;
 
   void build_cephx_response_header(int request_type, int status, bufferlist& bl);
 };

diff --git a/src/auth/cephx/CephxSessionHandler.cc b/src/auth/cephx/CephxSessionHandler.cc
index 384e92c848bda55f61cf1be3656014c2b573056f..6de300dfbfe2c887ce18f756db8413f9fe1db1a4 100644 (file)
--- a/src/auth/cephx/CephxSessionHandler.cc
+++ b/src/auth/cephx/CephxSessionHandler.cc
@@ -207,7 +207,8 @@ int CephxSessionHandler::sign_bufferlist(bufferlist &in, bufferlist &out)
 int CephxSessionHandler::encrypt_bufferlist(bufferlist &in, bufferlist &out) {
   std::string error;
   try {
-    connection_secret.encrypt(cct, in, out, &error);
+#warning fixme key
+    key.encrypt(cct, in, out, &error);
   } catch (std::exception &e) {
     lderr(cct) << __func__ << " failed to encrypt buffer: " << error << dendl;
     return -1;
@@ -218,7 +219,8 @@ int CephxSessionHandler::encrypt_bufferlist(bufferlist &in, bufferlist &out) {
 int CephxSessionHandler::decrypt_bufferlist(bufferlist &in, bufferlist &out) {
   std::string error;
   try {
-    connection_secret.decrypt(cct, in, out, &error);
+#warning fixme key
+    key.decrypt(cct, in, out, &error);
   } catch (std::exception &e) {
     lderr(cct) << __func__ << " failed to decrypt buffer: " << error << dendl;
     return -1;

diff --git a/src/auth/cephx/CephxSessionHandler.h b/src/auth/cephx/CephxSessionHandler.h
index 19147b8a1699c229a2a82844b1f1baa983c9aac0..ad4b65aafe9d22f41e56e54642b09ed7dd098dff 100644 (file)
--- a/src/auth/cephx/CephxSessionHandler.h
+++ b/src/auth/cephx/CephxSessionHandler.h
@@ -25,7 +25,7 @@ class CephxSessionHandler  : public AuthSessionHandler {
 public:
   CephxSessionHandler(CephContext *cct_,
                      const CryptoKey& session_key,
-                     const CryptoKey& connection_secret,
+                     const std::string& connection_secret,
                      uint64_t features)
     : AuthSessionHandler(cct_, CEPH_AUTH_CEPHX, session_key, connection_secret),
       features(features) {}

diff --git a/src/auth/krb/KrbAuthorizeHandler.cpp b/src/auth/krb/KrbAuthorizeHandler.cpp
index ea4fe46b84f94393a4b2b7383864b592ad7737b8..1faad8bbe4df44be3e9e325ff57a80df653d6abb 100644 (file)
--- a/src/auth/krb/KrbAuthorizeHandler.cpp
+++ b/src/auth/krb/KrbAuthorizeHandler.cpp
@@ -23,12 +23,13 @@ bool KrbAuthorizeHandler::verify_authorizer(
   CephContext* ceph_ctx,
   KeyStore* keys,
   const bufferlist& authorizer_data,
+  size_t connection_secret_required_len,
   bufferlist *authorizer_reply,
   EntityName *entity_name,
   uint64_t *global_id,
   AuthCapsInfo *caps_info,
   CryptoKey *session_key,
-  CryptoKey *connection_secret,
+  std::string *connection_secret,
   std::unique_ptr<AuthAuthorizerChallenge>* challenge)
 {
   auto itr(authorizer_data.cbegin());

diff --git a/src/auth/krb/KrbAuthorizeHandler.hpp b/src/auth/krb/KrbAuthorizeHandler.hpp
index 3130896ab2fdb0404465d46445f078549b5d4319..bc8eac6259bfbe10427652d0c15508fd6e308e84 100644 (file)
--- a/src/auth/krb/KrbAuthorizeHandler.hpp
+++ b/src/auth/krb/KrbAuthorizeHandler.hpp
@@ -23,12 +23,13 @@ class KrbAuthorizeHandler : public AuthAuthorizeHandler {
     CephContext*,
     KeyStore*,
     const bufferlist&,
+    size_t,
     bufferlist *,
     EntityName *,
     uint64_t *,
     AuthCapsInfo *,
     CryptoKey *,
-    CryptoKey *connection_secret,
+    std::string *connection_secret,
     std::unique_ptr<
     AuthAuthorizerChallenge>* = nullptr) override;
 

diff --git a/src/auth/krb/KrbClientHandler.cpp b/src/auth/krb/KrbClientHandler.cpp
index b82c8a651887762ecd125db89d40b394b4eac8db..e39d074e64d1c93fb1922ebed4682f16134cd4ee 100644 (file)
--- a/src/auth/krb/KrbClientHandler.cpp
+++ b/src/auth/krb/KrbClientHandler.cpp
@@ -93,7 +93,7 @@ int KrbClientHandler::handle_response(
   int ret,
   bufferlist::const_iterator& buff_list,
   CryptoKey *session_key,
-  CryptoKey *connection_secret)
+  std::string *connection_secret)
 {
   auto result(ret);
   gss_buffer_desc gss_buffer_in = {0, nullptr};

diff --git a/src/auth/krb/KrbClientHandler.hpp b/src/auth/krb/KrbClientHandler.hpp
index 3418f0d6d7d785264f5ddc9c909d2ff5639d78c7..a8960a8898cbd7f372c658267ddb84410437e479 100644 (file)
--- a/src/auth/krb/KrbClientHandler.hpp
+++ b/src/auth/krb/KrbClientHandler.hpp
@@ -54,7 +54,7 @@ class KrbClientHandler : public AuthClientHandler {
     int handle_response(int ret, 
                         bufferlist::const_iterator& buff_list,
                        CryptoKey *session_key,
-                       CryptoKey *connection_secret) override;
+                       std::string *connection_secret) override;
 
     bool build_rotating_request(bufferlist& buff_list) const override { 
       return false; 

diff --git a/src/auth/krb/KrbProtocol.hpp b/src/auth/krb/KrbProtocol.hpp
index 780f66e9b039244038874585ce115378ff283533..abddb584878b91dde10901a587da53969d2f0f35 100644 (file)
--- a/src/auth/krb/KrbProtocol.hpp
+++ b/src/auth/krb/KrbProtocol.hpp
@@ -86,7 +86,7 @@ class KrbAuthorizer : public AuthAuthorizer {
     }
 
     bool verify_reply(bufferlist::const_iterator& buff_list,
-                     CryptoKey *connection_secret) override { 
+                     std::string *connection_secret) override {
       return true; 
     }
     bool add_challenge(CephContext* ceph_ctx, 

diff --git a/src/auth/krb/KrbServiceHandler.cpp b/src/auth/krb/KrbServiceHandler.cpp
index 3efd8c9087239e06d61a5c3d1a5974454c7ad415..d7c0feeb34a0a333d8d3989b99a4a5f00b5ae0e9 100644 (file)
--- a/src/auth/krb/KrbServiceHandler.cpp
+++ b/src/auth/krb/KrbServiceHandler.cpp
@@ -28,11 +28,12 @@
 
 int KrbServiceHandler::handle_request(
   bufferlist::const_iterator& indata,
+  size_t connection_secret_required_length,
   bufferlist *buff_list,
   uint64_t *global_id,
   AuthCapsInfo *caps,
   CryptoKey *session_key,
-  CryptoKey *connection_secret)
+  std::string *connection_secret)
 {
   auto result(0);
   gss_buffer_desc gss_buffer_in = {0, nullptr};
@@ -153,10 +154,11 @@ int KrbServiceHandler::handle_request(
 
 int KrbServiceHandler::start_session(
   const EntityName& name,
+  size_t connection_secret_required_length,
   bufferlist *buff_list,
   AuthCapsInfo *caps,
   CryptoKey *session_key,
-  CryptoKey *connection_secret)
+  std::string *connection_secret)
 {
   gss_buffer_desc gss_buffer_in = {0, nullptr};
   gss_OID gss_object_id = GSS_C_NT_HOSTBASED_SERVICE;

diff --git a/src/auth/krb/KrbServiceHandler.hpp b/src/auth/krb/KrbServiceHandler.hpp
index 8fe808a48a8298246ad15d02bd89ddc0890883e1..672efc54638bd5096266a6f39dc512af7ee4ab88 100644 (file)
--- a/src/auth/krb/KrbServiceHandler.hpp
+++ b/src/auth/krb/KrbServiceHandler.hpp
@@ -38,17 +38,19 @@ class KrbServiceHandler : public AuthServiceHandler {
       m_key_server(kserver) { }
     ~KrbServiceHandler();
     int handle_request(bufferlist::const_iterator& indata,
-                       bufferlist *buff_list,
+                      size_t connection_secret_required_length,
+                      bufferlist *buff_list,
                        uint64_t *global_id,
                        AuthCapsInfo *caps,
                       CryptoKey *session_key,
-                      CryptoKey *connection_secret) override;
+                      std::string *connection_secret) override;
 
     int start_session(const EntityName& name,
-                      bufferlist *buff_list,
+                     size_t connection_secret_required_length,
+                     bufferlist *buff_list,
                       AuthCapsInfo *caps,
                      CryptoKey *session_key,
-                     CryptoKey *connection_secret) override;
+                     std::string *connection_secret) override;
 
   private:
     gss_buffer_desc m_gss_buffer_out;

diff --git a/src/auth/krb/KrbSessionHandler.hpp b/src/auth/krb/KrbSessionHandler.hpp
index a38bbbba10e84b894b83aa2b4e61f8a8c5100607..c5fd2de4c1595985a7ca91c74789cf1db196168e 100644 (file)
--- a/src/auth/krb/KrbSessionHandler.hpp
+++ b/src/auth/krb/KrbSessionHandler.hpp
@@ -38,7 +38,7 @@ class KrbSessionHandler : public AuthSessionHandler {
   public:
     KrbSessionHandler(CephContext* ceph_ctx,
                      const CryptoKey& session_key,
-                     const CryptoKey& connection_secret) : 
+                     const std::string& connection_secret) :
       AuthSessionHandler(ceph_ctx, CEPH_AUTH_GSS, session_key,
                         connection_secret) { }
     ~KrbSessionHandler() override = default; 

diff --git a/src/auth/none/AuthNoneAuthorizeHandler.cc b/src/auth/none/AuthNoneAuthorizeHandler.cc
index e370507e20c3d70b8b2dd6228f621d33b4fd9166..15bcc06530d194a9a1421b62c9d787ef8d39747a 100644 (file)
--- a/src/auth/none/AuthNoneAuthorizeHandler.cc
+++ b/src/auth/none/AuthNoneAuthorizeHandler.cc
@@ -21,12 +21,13 @@ bool AuthNoneAuthorizeHandler::verify_authorizer(
   CephContext *cct,
   KeyStore *keys,
   const bufferlist& authorizer_data,
+  size_t connection_secret_required_len,
   bufferlist *authorizer_reply,
   EntityName *entity_name,
   uint64_t *global_id,
   AuthCapsInfo *caps_info,
   CryptoKey *session_key,
-  CryptoKey *connection_secret,
+  std::string *connection_secret,
   std::unique_ptr<AuthAuthorizerChallenge> *challenge)
 {
   auto iter = authorizer_data.cbegin();

diff --git a/src/auth/none/AuthNoneAuthorizeHandler.h b/src/auth/none/AuthNoneAuthorizeHandler.h
index 4cf9c18f66cfa5c346fe4bcc90653a4988304161..5b33f2fc3c326adf2bb7099d8b91b05ce018b5a1 100644 (file)
--- a/src/auth/none/AuthNoneAuthorizeHandler.h
+++ b/src/auth/none/AuthNoneAuthorizeHandler.h
@@ -24,12 +24,13 @@ struct AuthNoneAuthorizeHandler : public AuthAuthorizeHandler {
     CephContext *cct,
     KeyStore *keys,
     const bufferlist& authorizer_data,
+    size_t connection_secret_required_len,
     bufferlist *authorizer_reply,
     EntityName *entity_name,
     uint64_t *global_id,
     AuthCapsInfo *caps_info,
     CryptoKey *session_key,
-    CryptoKey *connection_secret,
+    std::string *connection_secret,
     std::unique_ptr<AuthAuthorizerChallenge> *challenge) override;
   int authorizer_session_crypto() override;
 };

diff --git a/src/auth/none/AuthNoneClientHandler.h b/src/auth/none/AuthNoneClientHandler.h
index 6578e2eb67e8daa64f71bc3d7cbe0a60bffca548..eb3ef8f552171460d7b54358e8ffa8d332ea765f 100644 (file)
--- a/src/auth/none/AuthNoneClientHandler.h
+++ b/src/auth/none/AuthNoneClientHandler.h
@@ -32,7 +32,7 @@ public:
   int build_request(bufferlist& bl) const override { return 0; }
   int handle_response(int ret, bufferlist::const_iterator& iter,
                      CryptoKey *session_key,
-                     CryptoKey *connection_secret) override { return 0; }
+                     std::string *connection_secret) override { return 0; }
   bool build_rotating_request(bufferlist& bl) const override { return false; }
 
   int get_protocol() const override { return CEPH_AUTH_NONE; }

diff --git a/src/auth/none/AuthNoneProtocol.h b/src/auth/none/AuthNoneProtocol.h
index cacfddefb70e7a36230fec4fb0adb4cfbc42657d..2a501efe5256b5ad9f688048e5d1a645f35898bc 100644 (file)
--- a/src/auth/none/AuthNoneProtocol.h
+++ b/src/auth/none/AuthNoneProtocol.h
@@ -29,7 +29,7 @@ struct AuthNoneAuthorizer : public AuthAuthorizer {
     return 0;
   }
   bool verify_reply(bufferlist::const_iterator& reply,
-                   CryptoKey *connection_secret) override { return true; }
+                   std::string *connection_secret) override { return true; }
   bool add_challenge(CephContext *cct, const bufferlist& ch) override {
     return true;
   }

diff --git a/src/auth/none/AuthNoneServiceHandler.h b/src/auth/none/AuthNoneServiceHandler.h
index d62f2a283a4555dc9f686166dff57757576d9efb..038c75e03be9783bcd0b4ce3680ee44d79e92338 100644 (file)
--- a/src/auth/none/AuthNoneServiceHandler.h
+++ b/src/auth/none/AuthNoneServiceHandler.h
@@ -27,20 +27,22 @@ public:
   ~AuthNoneServiceHandler() override {}
   
   int start_session(const EntityName& name,
+                   size_t connection_secret_required_length,
                    bufferlist *result_bl,
                    AuthCapsInfo *caps,
                    CryptoKey *session_key,
-                   CryptoKey *connection_secret) override {
+                   std::string *connection_secret) override {
     entity_name = name;
     caps->allow_all = true;
     return 1;
   }
   int handle_request(bufferlist::const_iterator& indata,
+                    size_t connection_secret_required_length,
                     bufferlist *result_bl,
                     uint64_t *global_id,
                     AuthCapsInfo *caps,
                     CryptoKey *session_key,
-                    CryptoKey *connection_secret) override {
+                    std::string *connection_secret) override {
     return 0;
   }
   void build_cephx_response_header(int request_type, int status,

diff --git a/src/auth/none/AuthNoneSessionHandler.h b/src/auth/none/AuthNoneSessionHandler.h
index d4b033a9c451edacb2ca2fbc01f523c788a84cfb..fca01ac2d4232e286fc974eb27cb582593294395 100644 (file)
--- a/src/auth/none/AuthNoneSessionHandler.h
+++ b/src/auth/none/AuthNoneSessionHandler.h
@@ -21,7 +21,7 @@ class AuthNoneSessionHandler  : public AuthSessionHandler {
 public:
   AuthNoneSessionHandler(CephContext *cct_,
                         const CryptoKey& session_key,
-                        const CryptoKey& connection_secret)
+                        const std::string& connection_secret)
     : AuthSessionHandler(cct_, CEPH_AUTH_NONE, session_key, connection_secret) {}
   ~AuthNoneSessionHandler() override {}
   

diff --git a/src/auth/unknown/AuthUnknownAuthorizeHandler.cc b/src/auth/unknown/AuthUnknownAuthorizeHandler.cc
index 632e41dd764e3edceafa8864308a796929c3971f..73b393db7e314e4897eefe2c0733b7385fc125d0 100644 (file)
--- a/src/auth/unknown/AuthUnknownAuthorizeHandler.cc
+++ b/src/auth/unknown/AuthUnknownAuthorizeHandler.cc
@@ -18,12 +18,13 @@ bool AuthUnknownAuthorizeHandler::verify_authorizer(
   CephContext *cct,
   KeyStore *keys,
   const bufferlist& authorizer_data,
+  size_t connection_secret_required_len,
   bufferlist * authorizer_reply,
   EntityName *entity_name,
   uint64_t *global_id,
   AuthCapsInfo *caps_info,
   CryptoKey *session_key,
-  CryptoKey *connection_secret,
+  std::string *connection_secret,
   std::unique_ptr<AuthAuthorizerChallenge> *challenge)
 {
   // For unknown authorizers, there's nothing to verify.  They're "OK" by definition.  PLR

diff --git a/src/auth/unknown/AuthUnknownAuthorizeHandler.h b/src/auth/unknown/AuthUnknownAuthorizeHandler.h
index 2590900b0cbe4b19d418973d9b6422ab5adf9f62..464d47f28d793ae13e8e3188e6a14de56b6452a8 100644 (file)
--- a/src/auth/unknown/AuthUnknownAuthorizeHandler.h
+++ b/src/auth/unknown/AuthUnknownAuthorizeHandler.h
@@ -24,12 +24,13 @@ struct AuthUnknownAuthorizeHandler : public AuthAuthorizeHandler {
     CephContext *cct,
     KeyStore *keys,
     const bufferlist& authorizer_data,
+    size_t connection_secret_required_len,
     bufferlist *authorizer_reply,
     EntityName *entity_name,
     uint64_t *global_id,
     AuthCapsInfo *caps_info,
     CryptoKey *session_key,
-    CryptoKey *connection_secret,
+    std::string *connection_secret,
     std::unique_ptr<AuthAuthorizerChallenge> *challenge) override;
   int authorizer_session_crypto() override;
 };

diff --git a/src/auth/unknown/AuthUnknownClientHandler.h b/src/auth/unknown/AuthUnknownClientHandler.h
index 0ffa3e50c0e52d559c35121f5e780ef719a62483..794415811302a31ea1af89baf526d3d44c9e0c17 100644 (file)
--- a/src/auth/unknown/AuthUnknownClientHandler.h
+++ b/src/auth/unknown/AuthUnknownClientHandler.h
@@ -31,7 +31,7 @@ public:
   int build_request(bufferlist& bl) const { return 0; }
   int handle_response(int ret, bufferlist::iterator& iter,
                      CryptoKey *session_key,
-                     CryptoKey *connection_secret) { return 0; }
+                     std::string *connection_secret) { return 0; }
   bool build_rotating_request(bufferlist& bl) const { return false; }
 
   int get_protocol() const { return CEPH_AUTH_UNKNOWN; }

diff --git a/src/auth/unknown/AuthUnknownServiceHandler.h b/src/auth/unknown/AuthUnknownServiceHandler.h
index 8a2315c1276b8b3d0d385b04ef0d52a408c5d894..7b4019f45d82b2ec97a8d4926551352fb92fee1a 100644 (file)
--- a/src/auth/unknown/AuthUnknownServiceHandler.h
+++ b/src/auth/unknown/AuthUnknownServiceHandler.h
@@ -27,18 +27,20 @@ public:
   ~AuthUnknownServiceHandler() {}
   
   int start_session(const EntityName& name,
+                   size_t connection_secret_required_length,
                    bufferlist *result_bl,
                    AuthCapsInfo *caps,
                    CryptoKey *session_key,
-                   CryptoKey *connection_secret) {
+                   std::string *connection_secret) {
     return 1;
   }
   int handle_request(bufferlist::iterator& indata,
+                    size_t connection_secret_required_length,
                     bufferlist *result_bl,
                     uint64_t *global_id,
                     AuthCapsInfo *caps,
                     CryptoKey *session_key,
-                    CryptoKey *connection_secret) {
+                    std::string *connection_secret) {
     ceph_abort();  // shouldn't get called
     return 0;
   }

diff --git a/src/auth/unknown/AuthUnknownSessionHandler.h b/src/auth/unknown/AuthUnknownSessionHandler.h
index e7810562c0bfe407377de4b335336d7adf5bfe00..b10320debda1531584227423e2312f115839266a 100644 (file)
--- a/src/auth/unknown/AuthUnknownSessionHandler.h
+++ b/src/auth/unknown/AuthUnknownSessionHandler.h
@@ -23,7 +23,7 @@ class AuthUnknownSessionHandler  : public AuthSessionHandler {
 public:
   AuthUnknownSessionHandler(CephContext *cct_,
                            const CryptoKey& session_key,
-                           const CryptoKey& connection_secret)
+                           const std::string& connection_secret)
     : AuthSessionHandler(cct_, CEPH_AUTH_UNKNOWN,
                         session_key, connection_secret) {}
   ~AuthUnknownSessionHandler() override {}

diff --git a/src/crimson/net/SocketConnection.cc b/src/crimson/net/SocketConnection.cc
index 601b090136f0d6071ae4f68eddf8cc3649722758..6e2d1a023072beec37009db56ccf5c4a283e9541 100644 (file)
--- a/src/crimson/net/SocketConnection.cc
+++ b/src/crimson/net/SocketConnection.cc
@@ -690,7 +690,7 @@ SocketConnection::handle_connect_reply(msgr_tag_t tag)
         h.backoff = 0ms;
         set_features(h.reply.features & h.connect.features);
         if (h.authorizer) {
-          CryptoKey connection_secret;  // this is not used here, we just need
+          std::string connection_secret;  // this is not used here, we just need
                                         // to make get_auth_session_handler
                                         // call happy
           session_security.reset(

diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
index ba1f2c5e557a8a27729ffa26d64b5ea085dfd0a6..9ad76cdc46a23446331da18f27b0b3594d14d134 100644 (file)
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@@ -665,13 +665,16 @@ bool AuthMonitor::prep_auth(MonOpRequestRef op, bool paxos_writable)
   try {
     if (start) {
       // new session
-      ret = s->auth_handler->start_session(entity_name, &response_bl,
+      ret = s->auth_handler->start_session(entity_name,
+                                          0, // no connection_secret needed
+                                          &response_bl,
                                           &s->con->peer_caps_info,
                                           nullptr, nullptr);
     } else {
       // request
       ret = s->auth_handler->handle_request(
        indata,
+       0, // no connection_secret needed
        &response_bl,
        &s->con->peer_global_id,
        &s->con->peer_caps_info,

diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc
index c67724ffb42353d2bf2de74295acfc10aa298400..182e8fcdf85dfce8e60f7784aefbaf9721486903 100644 (file)
--- a/src/mon/MonClient.cc
+++ b/src/mon/MonClient.cc
@@ -1281,7 +1281,7 @@ int MonClient::handle_auth_done(
   uint32_t con_mode,
   const bufferlist& bl,
   CryptoKey *session_key,
-  CryptoKey *connection_key)
+  std::string *connection_secret)
 {
   if (con->get_peer_type() == CEPH_ENTITY_TYPE_MON) {
     std::lock_guard l(monc_lock);
@@ -1289,7 +1289,7 @@ int MonClient::handle_auth_done(
       if (i.second.is_con(con)) {
        int r = i.second.handle_auth_done(
          global_id, bl,
-         session_key, connection_key);
+         session_key, connection_secret);
        if (r) {
          pending_cons.erase(i.first);
          if (!pending_cons.empty()) {
@@ -1384,6 +1384,7 @@ int MonClient::handle_auth_request(
     cct,
     rotating_secrets.get(),
     payload,
+    auth_meta->get_connection_secret_length(),
     reply,
     &con->peer_name,
     &con->peer_global_id,
@@ -1539,7 +1540,7 @@ int MonConnection::handle_auth_done(
   uint64_t new_global_id,
   const bufferlist& bl,
   CryptoKey *session_key,
-  CryptoKey *connection_secret)
+  std::string *connection_secret)
 {
   ldout(cct,10) << __func__ << " global_id " << new_global_id
                << " payload " << bl.length()

diff --git a/src/mon/MonClient.h b/src/mon/MonClient.h
index b2838d9c80689659400c537b39f81cc2f73e865e..d79234d2d43d61c984a33df48d762c0af889b54c 100644 (file)
--- a/src/mon/MonClient.h
+++ b/src/mon/MonClient.h
@@ -141,7 +141,7 @@ public:
     uint64_t global_id,
     const bufferlist& bl,
     CryptoKey *session_key,
-    CryptoKey *connection_secret);
+    std::string *connection_secret);
   int handle_auth_bad_method(
     uint32_t old_auth_method,
     int result,
@@ -284,7 +284,7 @@ public:
     uint32_t con_mode,
     const bufferlist& bl,
     CryptoKey *session_key,
-    CryptoKey *connection_key) override;
+    std::string *connection_secret) override;
   int handle_auth_bad_method(
     Connection *con,
     uint32_t old_auth_method,

diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 777f3822c4dfe9951d0346420f61b943efe1487f..1b456434a754a09876358faece2e6115308be5ab 100644 (file)
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -5908,12 +5908,12 @@ int Monitor::handle_auth_done(
   uint32_t con_mode,
   const bufferlist& bl,
   CryptoKey *session_key,
-  CryptoKey *connection_key)
+  std::string *connection_secret)
 {
   // verify authorizer reply
   auto auth_meta = con->get_auth_meta();
   auto p = bl.begin();
-  if (!auth_meta->authorizer->verify_reply(p, &auth_meta->connection_secret)) {
+  if (!auth_meta->authorizer->verify_reply(p, connection_secret)) {
     dout(0) << __func__ << " failed verifying authorizer reply" << dendl;
     return -EACCES;
   }
@@ -6058,6 +6058,7 @@ int Monitor::handle_auth_request(
       cct,
       &keyring,
       payload,
+      auth_meta->get_connection_secret_length(),
       reply,
       &con->peer_name,
       &con->peer_global_id,
@@ -6145,17 +6146,24 @@ int Monitor::handle_auth_request(
     s->auth_handler = auth_handler;
     con->set_priv(RefCountedPtr{s, false});
 
-    r = s->auth_handler->start_session(entity_name, reply,
-                                      &con->peer_caps_info,
-                                      &auth_meta->session_key,
-                                      &auth_meta->connection_secret);
+    r = s->auth_handler->start_session(
+      entity_name,
+      auth_meta->get_connection_secret_length(),
+      reply,
+      &con->peer_caps_info,
+      &auth_meta->session_key,
+      &auth_meta->connection_secret);
   } else {
     priv = con->get_priv();
     s = static_cast<MonSession*>(priv.get());
-    r = s->auth_handler->handle_request(p, reply, &con->peer_global_id,
-                                       &con->peer_caps_info,
-                                       &auth_meta->session_key,
-                                       &auth_meta->connection_secret);
+    r = s->auth_handler->handle_request(
+      p,
+      auth_meta->get_connection_secret_length(),
+      reply,
+      &con->peer_global_id,
+      &con->peer_caps_info,
+      &auth_meta->session_key,
+      &auth_meta->connection_secret);
   }
   if (r > 0 &&
       !s->authenticated) {

diff --git a/src/mon/Monitor.h b/src/mon/Monitor.h
index 5d674124ed65b15f24cb96468879421545cbea5b..d79249edb8e3e04a804dd30acbbfd6390cbb39ca 100644 (file)
--- a/src/mon/Monitor.h
+++ b/src/mon/Monitor.h
@@ -922,7 +922,7 @@ private:
     uint32_t con_mode,
     const bufferlist& bl,
     CryptoKey *session_key,
-    CryptoKey *connection_key) override;
+    std::string *connection_secret) override;
   int handle_auth_bad_method(
     Connection *con,
     uint32_t old_auth_method,

diff --git a/src/msg/Messenger.cc b/src/msg/Messenger.cc
index 23ce0ad78618315e9257c11d076d9bae9bf60b3f..efeab3902b56717f0ab5e210968a7e0a0fcdcc6f 100644 (file)
--- a/src/msg/Messenger.cc
+++ b/src/msg/Messenger.cc
@@ -115,7 +115,7 @@ bool Messenger::ms_deliver_verify_authorizer(
   bufferlist& authorizer_reply,
   bool& isvalid,
   CryptoKey& session_key,
-  CryptoKey *connection_secret,
+  std::string *connection_secret,
   std::unique_ptr<AuthAuthorizerChallenge> *challenge)
 {
   if (authorizer.length() == 0) {
@@ -148,6 +148,7 @@ bool Messenger::ms_deliver_verify_authorizer(
        cct,
        ks,
        authorizer,
+       0,
        &authorizer_reply,
        &con->peer_name,
        &con->peer_global_id,

diff --git a/src/msg/Messenger.h b/src/msg/Messenger.h
index bfd3eeef0429f5205632f7344e3748b5cb53a62b..911d9eea5f7f5341dbe4c35adecb13c89d84834e 100644 (file)
--- a/src/msg/Messenger.h
+++ b/src/msg/Messenger.h
@@ -800,8 +800,9 @@ public:
   bool ms_deliver_verify_authorizer(
     Connection *con, int peer_type,
     int protocol, bufferlist& authorizer, bufferlist& authorizer_reply,
-    bool& isvalid, CryptoKey& session_key,
-    CryptoKey *connection_secret,
+    bool& isvalid,
+    CryptoKey& session_key,
+    std::string *connection_secret,
     std::unique_ptr<AuthAuthorizerChallenge> *challenge);
 
   /**

diff --git a/src/msg/async/ProtocolV1.cc b/src/msg/async/ProtocolV1.cc
index fe05dead7b304e81a95ab1969cc3061846f4308a..03ceae78d2342ffcf05e6e82eeb8881e90770191 100644 (file)
--- a/src/msg/async/ProtocolV1.cc
+++ b/src/msg/async/ProtocolV1.cc
@@ -1682,7 +1682,7 @@ CtPtr ProtocolV1::client_ready() {
                   << authorizer << dendl;
     session_security.reset(get_auth_session_handler(
         cct, authorizer->protocol, authorizer->session_key,
-       authorizer->session_key /* connection_secret */,
+       string() /* connection_secret */,
         connection->get_features()));
   } else {
     // We have no authorizer, so we shouldn't be applying security to messages
@@ -2354,7 +2354,7 @@ CtPtr ProtocolV1::open(ceph_msg_connect_reply &reply,
   session_security.reset(
       get_auth_session_handler(cct, connect_msg.authorizer_protocol,
                                session_key,
-                              session_key /* connection secret */,
+                              string() /* connection secret */,
                               connection->get_features()));
 
   bufferlist reply_bl;

diff --git a/src/msg/async/ProtocolV2.cc b/src/msg/async/ProtocolV2.cc
index 6b3516db47178a06973537b8a51007a2861e6b17..9ec9d9fc809ef427fb174ff9601ff77c5f8f3b08 100644 (file)
--- a/src/msg/async/ProtocolV2.cc
+++ b/src/msg/async/ProtocolV2.cc
@@ -2423,7 +2423,24 @@ CtPtr ProtocolV2::handle_auth_request(char *payload, uint32_t length) {
                  << ", payload_len=" << request.auth_payload().length() << ")"
                  << dendl;
   auth_meta.auth_method = request.method();
-  auth_meta.preferred_con_modes = request.preferred_modes();
+
+  // select a connection mode
+  auto& preferred_modes = request.preferred_modes();
+  std::vector<uint32_t> allowed_modes;
+  messenger->auth_server->get_supported_con_modes(
+    connection->get_peer_type(), auth_meta.auth_method, &allowed_modes);
+  for (auto mode : allowed_modes) {
+    if (std::find(preferred_modes.begin(), preferred_modes.end(), mode)
+       != preferred_modes.end()) {
+      auth_meta.con_mode = mode;
+      break;
+    }
+  }
+  if (auth_meta.con_mode == CEPH_CON_MODE_UNKNOWN) {
+    ldout(cct,1) << "failed to pick con mode from client's " << preferred_modes
+                << " and our " << allowed_modes << dendl;
+    return _auth_bad_method(-EOPNOTSUPP);
+  }
   return _handle_auth_request(request.auth_payload(), false);
 }
 
@@ -2463,29 +2480,9 @@ CtPtr ProtocolV2::_handle_auth_request(bufferlist& auth_payload, bool more)
     return _fault();
   }
   if (r == 1) {
-    // select a connection mode
-    std::vector<uint32_t> allowed_modes;
-    messenger->auth_server->get_supported_con_modes(
-      connection->get_peer_type(), auth_meta.auth_method, &allowed_modes);
-    for (auto mode : allowed_modes) {
-      if (std::find(auth_meta.preferred_con_modes.begin(),
-                   auth_meta.preferred_con_modes.end(),
-                   mode) != auth_meta.preferred_con_modes.end()) {
-       auth_meta.con_mode = mode;
-       break;
-      }
-    }
-    if (auth_meta.con_mode == 0) {
-      ldout(cct, 1) << __func__ << " failed to select connection mode, i allow "
-                   << allowed_modes
-                   << ", client prefers " << auth_meta.preferred_con_modes
-                   << dendl;
-      return _auth_bad_method(-EOPNOTSUPP);
-    } else {
-      AuthDoneFrame auth_done(connection->peer_global_id, auth_meta.con_mode,
-                             reply);
-      return WRITE(auth_done.get_buffer(), "auth done", read_frame);
-    }
+    AuthDoneFrame auth_done(connection->peer_global_id, auth_meta.con_mode,
+                           reply);
+    return WRITE(auth_done.get_buffer(), "auth done", read_frame);
   } else if (r == 0) {
     AuthReplyMoreFrame more(reply);
     return WRITE(more.get_buffer(), "auth reply more", read_frame);

diff --git a/src/msg/simple/Pipe.cc b/src/msg/simple/Pipe.cc
index 8f5d45763c0c7918499637dd3e34404d45c64d00..271dec8e13a96a9d561fe23d7caab6d8bc824203 100644 (file)
--- a/src/msg/simple/Pipe.cc
+++ b/src/msg/simple/Pipe.cc
@@ -525,7 +525,8 @@ int Pipe::accept()
     had_challenge = (bool)authorizer_challenge;
     authorizer_reply.clear();
     if (!msgr->ms_deliver_verify_authorizer(
-         connection_state.get(), peer_type, connect.authorizer_protocol, authorizer,
+         connection_state.get(), peer_type, connect.authorizer_protocol,
+         authorizer,
          authorizer_reply, authorizer_valid, session_key,
          nullptr /* connection_secret */,
          need_challenge ? &authorizer_challenge : nullptr) ||
@@ -819,7 +820,7 @@ int Pipe::accept()
       get_auth_session_handler(msgr->cct,
                               connect.authorizer_protocol,
                               session_key,
-                              session_key, /* connection_secret */
+                              string(), /* connection_secret */
                               connection_state->get_features()));
 
   // notify
@@ -1346,7 +1347,7 @@ int Pipe::connect()
              msgr->cct,
              authorizer->protocol,
              authorizer->session_key,
-             authorizer->session_key /* connection secret*/,
+             string() /* connection secret*/,
              connection_state->get_features()));
       }  else {
         // We have no authorizer, so we shouldn't be applying security to messages in this pipe.  PLR

diff --git a/src/msg/xio/XioConnection.cc b/src/msg/xio/XioConnection.cc
index 97516f4bc6a838829a75cb598ba93bf719678ba8..4bfab39b454c5be92f9b100d55549b11f18642c3 100644 (file)
--- a/src/msg/xio/XioConnection.cc
+++ b/src/msg/xio/XioConnection.cc
@@ -234,6 +234,7 @@ int XioConnection::passive_setup()
   msgr->ms_deliver_verify_authorizer(
     this, peer_type, CEPH_AUTH_NONE,
     auth.bl,
+    0,
     authorizer_reply,
     authorizer_valid,
     session_key);