auth: check service key is valid before decryption

CryptoKey::empty is the correct mechanism to check for an invalid key (and this
is codified elsewhere, fixed in this commit). Decryption would fail with an
abort if the key handler was unset. This would happen after rotating the "mon."
key and then restarting one of the mons.

Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>
(cherry picked from commit ece656cf6703b2aca03c186a74901add49316d1b)

diff --git a/src/auth/Crypto.h b/src/auth/Crypto.h
index c12d316fa0ef2693853a3df3070134f843e9b480..3abd38ca7b1241fd0a3e1ecd9c3f97c9e15a1173 100644 (file)
--- a/src/auth/Crypto.h
+++ b/src/auth/Crypto.h
@@ -184,13 +184,13 @@ public:
   int encrypt(CephContext *cct, const ceph::buffer::list& in,
              ceph::buffer::list& out,
              std::string *error) const {
-    ceph_assert(ckh); // Bad key?
+    ceph_assert(!empty()); // Bad key?
     return ckh->encrypt(cct, in, out, error);
   }
   int decrypt(CephContext *cct, const ceph::buffer::list& in,
              ceph::buffer::list& out,
              std::string *error) const {
-    ceph_assert(ckh); // Bad key?
+    ceph_assert(!empty()); // Bad key?
     return ckh->decrypt(cct, in, out, error);
   }
 
@@ -199,17 +199,17 @@ public:
 
   std::size_t encrypt(CephContext *cct, const in_slice_t& in,
                      const out_slice_t& out) {
-    ceph_assert(ckh);
+    ceph_assert(!empty()); // Bad key?
     return ckh->encrypt(cct, in, out);
   }
   std::size_t decrypt(CephContext *cct, const in_slice_t& in,
                      const out_slice_t& out) {
-    ceph_assert(ckh);
+    ceph_assert(!empty()); // Bad key?
     return ckh->encrypt(cct, in, out);
   }
 
   sha256_digest_t hmac_sha256(CephContext*, const ceph::buffer::list& in) const {
-    ceph_assert(ckh);
+    ceph_assert(!empty()); // Bad key?
     return ckh->hmac_sha256(in);
   }
 

diff --git a/src/auth/cephx/CephxProtocol.cc b/src/auth/cephx/CephxProtocol.cc
index e216dc3ed99a82d5297982cf4f8870aef653e59e..ff105c7b9230b375de1cc33a68c9169aad33f270 100644 (file)
--- a/src/auth/cephx/CephxProtocol.cc
+++ b/src/auth/cephx/CephxProtocol.cc
@@ -89,7 +89,7 @@ bool cephx_build_service_ticket_blob(CephContext *cct, const CephXSessionAuthInf
   ldout(cct, 10) << "build_service_ticket service " << info << dendl;
   blob.secret_id = info.secret_id;
   std::string error;
-  if (!info.service_secret.get_secret().length())
+  if (info.service_secret.empty())
     error = "invalid key";  // Bad key?
   else
     encode_encrypt_enc_bl(cct, ticket_info, info.service_secret, blob.blob, error);
@@ -498,7 +498,7 @@ bool cephx_verify_authorizer(CephContext *cct, const KeyStore& keys,
   ldout(cct, 30) << __func__ << ": got secret " << service_secret << dendl;
 
   std::string error;
-  if (!service_secret.get_secret().length())
+  if (service_secret.empty())
     error = "invalid key";  // Bad key?
   else
     decode_decrypt_enc_bl(cct, ticket_info, service_secret, ticket.blob, error);
@@ -518,9 +518,13 @@ bool cephx_verify_authorizer(CephContext *cct, const KeyStore& keys,
 
   // CephXAuthorize
   CephXAuthorize auth_msg;
-  if (decode_decrypt(cct, auth_msg, ticket_info.session_key, indata, error)) {
-    ldout(cct, 0) << "verify_authorizercould not decrypt authorize request with error: "
-      << error << dendl;
+  if (ticket_info.session_key.empty()) {
+    error = "session key is invalid";
+  } else if (!decode_decrypt(cct, auth_msg, ticket_info.session_key, indata, error)) {
+    error = "";
+  }
+  if (!error.empty()) {
+    ldout(cct, 0) << __func__ << ": could not decrypt authorize request: " << error << dendl;
     return false;
   }