auth, msg: dissect AuthStreamHandler from AuthSessionHandler.
authorRadoslaw Zarzynski <rzarzyns@redhat.com>
Tue, 22 Jan 2019 21:46:36 +0000 (22:46 +0100)
committerRadoslaw Zarzynski <rzarzyns@redhat.com>
Thu, 21 Feb 2019 20:52:47 +0000 (21:52 +0100)
Signed-off-by: Radoslaw Zarzynski <rzarzyns@redhat.com>
src/auth/AuthSessionHandler.cc
src/auth/AuthSessionHandler.h
src/auth/cephx/CephxSessionHandler.cc
src/auth/cephx/CephxSessionHandler.h
src/crimson/net/SocketConnection.cc
src/msg/async/ProtocolV1.cc
src/msg/async/ProtocolV2.cc
src/msg/async/ProtocolV2.h
src/msg/simple/Pipe.cc

index 1be86fb0950ff33415b7a0096f8e5800ef1ba6f3..528b4ac698a57dc9c297edf88554bf0840c03fe5 100644 (file)
@@ -27,7 +27,6 @@
 AuthSessionHandler *get_auth_session_handler(
   CephContext *cct, int protocol,
   const CryptoKey& key,
-  const std::string& connection_secret,
   uint64_t features)
 {
 
@@ -41,7 +40,7 @@ AuthSessionHandler *get_auth_session_handler(
     if (key.get_type() == CEPH_CRYPTO_NONE) {
       return nullptr;
     }
-    return new CephxSessionHandler(cct, key, connection_secret, features);
+    return new CephxSessionHandler(cct, key, features);
   case CEPH_AUTH_NONE:
     return new AuthNoneSessionHandler();
   case CEPH_AUTH_UNKNOWN:
@@ -54,3 +53,10 @@ AuthSessionHandler *get_auth_session_handler(
     return nullptr;
   }
 }
+
+std::unique_ptr<AuthStreamHandler> AuthStreamHandler::create_stream_handler(
+    CephContext* ctx,
+    const class AuthConnectionMeta& auth_meta)
+{
+  return std::make_unique<AuthStreamHandler>();
+}
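Review bot: `create_stream_handler` ignores both `ctx` and `auth_meta` and always returns a plain `AuthStreamHandler`, whose encrypt/decrypt members are the no-op placeholders declared in the header, so the negotiated auth method has no influence on what ProtocolV2 installs as `session_security`. If that is intended scaffolding for this series, say so at the definition and silence the unused-parameter warnings, e.g. `// Scaffold: always returns the no-op handler; ctx/auth_meta are unused until per-method handlers land.` with the parameters marked `[[maybe_unused]]`. The inline elaborated `const class AuthConnectionMeta&` is legal, but a single `class AuthConnectionMeta;` forward declaration near the top of the header would read more conventionally than repeating it in both the declaration and this definition.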
index abc733cace1184227ff8e5811958f9f58b24fc82..b291e9e067d92aa73a5c4a007a232b5f20288f2e 100644 (file)
@@ -30,13 +30,6 @@ struct AuthSessionHandler {
   virtual ~AuthSessionHandler() = default;
   virtual int sign_message(Message *message) = 0;
   virtual int check_message_signature(Message *message) = 0;
-
-  virtual int encrypt_bufferlist(bufferlist &in, bufferlist &out) {
-    return 0;
-  }
-  virtual int decrypt_bufferlist(bufferlist &in, bufferlist &out) {
-    return 0;
-  }
 };
 
 struct DummyAuthSessionHandler : AuthSessionHandler {
@@ -48,10 +41,29 @@ struct DummyAuthSessionHandler : AuthSessionHandler {
   }
 };
 
+// TODO: make this a static member of AuthSessionHandler.
 extern AuthSessionHandler *get_auth_session_handler(
   CephContext *cct, int protocol,
   const CryptoKey& key,
-  const std::string& connection_secret,
   uint64_t features);
 
+
+struct AuthStreamHandler {
+  virtual ~AuthStreamHandler() = default;
+  //virtual ceph::bufferlist authenticated_encrypt(ceph::bufferlist& in) = 0;
+  //virtual ceph::bufferlist authenticated_decrypt(ceph::bufferlist& in) = 0;
+
+  // TODO: kill the dummies
+  int encrypt_bufferlist(bufferlist &in, bufferlist &out) {
+    return 0;
+  }
+  int decrypt_bufferlist(bufferlist &in, bufferlist &out) {
+    return 0;
+  }
+
+  static std::unique_ptr<AuthStreamHandler> create_stream_handler(
+    CephContext* ctx,
+    const class AuthConnectionMeta& auth_meta);
+};
+
 #endif
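Review bot: The placeholder `encrypt_bufferlist`/`decrypt_bufferlist` added to `AuthStreamHandler` return 0 (success) without writing anything to `out`, so a caller that checks only the return value continues with an empty output buffer. Until real implementations replace them, state that contract next to `// TODO: kill the dummies`, e.g. `// No-op placeholders: return 0 and leave 'out' untouched; 0 does not mean 'out' is populated.`. They are also non-virtual on a type that has a virtual destructor, so a derived handler could not override them through an `AuthStreamHandler` pointer; either make them `virtual` now or defer the virtual destructor until the interface is real. `std::unique_ptr` in the new declaration requires `<memory>`; whether this header already includes it is not visible in the hunk.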
index 4b0c1cfd0d5b415d87c752fc9549b57a6a1c14c3..bf5ffe1a48ed189dae67274918886f991ccb4dad 100644 (file)
@@ -184,7 +184,6 @@ int CephxSessionHandler::check_message_signature(Message *m)
 int CephxSessionHandler::encrypt_bufferlist(bufferlist &in, bufferlist &out) {
   std::string error;
   try {
-#warning fixme key
     key.encrypt(cct, in, out, &error);
   } catch (std::exception &e) {
     lderr(cct) << __func__ << " failed to encrypt buffer: " << error << dendl;
@@ -196,7 +195,6 @@ int CephxSessionHandler::encrypt_bufferlist(bufferlist &in, bufferlist &out) {
 int CephxSessionHandler::decrypt_bufferlist(bufferlist &in, bufferlist &out) {
   std::string error;
   try {
-#warning fixme key
     key.decrypt(cct, in, out, &error);
   } catch (std::exception &e) {
     lderr(cct) << __func__ << " failed to decrypt buffer: " << error << dendl;
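Review bot: Dropping the `#warning fixme key` markers leaves `key.encrypt(...)` and `key.decrypt(...)` operating on the per-mon `key` with nothing left recording the open question the warning flagged (the same commit removes the per-connection `connection_secret` member in `CephxSessionHandler.h`). If the intent is that these helpers are superseded by `AuthStreamHandler`, a `// TODO: superseded by AuthStreamHandler; keyed by the per-mon session key, not a per-connection secret` comment at each function keeps that visible without the compile-time noise. Both functions continue outside the hunk.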
index 2829ba14b70286fa06476f3d7d8c46dd83d26e42..32a143a818b88405e3e7acc302123ea9785ccc19 100644 (file)
@@ -22,8 +22,7 @@ class Message;
 class CephxSessionHandler  : public AuthSessionHandler {
   CephContext *cct;
   int protocol;
-  CryptoKey key;                  // per mon authentication
-  std::string connection_secret;  // per connection
+  CryptoKey key;                // per mon authentication
   uint64_t features;
 
   int _calc_signature(Message *m, uint64_t *psig);
@@ -31,12 +30,10 @@ class CephxSessionHandler  : public AuthSessionHandler {
 public:
   CephxSessionHandler(CephContext *cct,
                      const CryptoKey& session_key,
-                     const std::string& connection_secret,
                      const uint64_t features)
     : cct(cct),
       protocol(CEPH_AUTH_CEPHX),
       key(session_key),
-      connection_secret(connection_secret),
       features(features) {
   }
   ~CephxSessionHandler() override = default;
@@ -44,7 +41,7 @@ public:
   int sign_message(Message *m) override;
   int check_message_signature(Message *m) override ;
 
-  int encrypt_bufferlist(bufferlist &in, bufferlist &out) override;
-  int decrypt_bufferlist(bufferlist &in, bufferlist &out) override;
+  int encrypt_bufferlist(bufferlist &in, bufferlist &out);
+  int decrypt_bufferlist(bufferlist &in, bufferlist &out);
 };
 
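Review bot: With `override` removed, `encrypt_bufferlist`/`decrypt_bufferlist` become ordinary members of `CephxSessionHandler`, and since `get_auth_session_handler` returns an `AuthSessionHandler*` they are no longer reachable through the pointer its callers hold. If nothing holds a `CephxSessionHandler` directly, these two declarations and their definitions are dead code and can leave with the moved functionality; otherwise a comment such as `// Not part of AuthSessionHandler; callable only on a concrete CephxSessionHandler.` would make the narrowed reach explicit.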
index b9a4fecb5eb3f6030d674b5347a58843ed4397f0..2907c48687140bdd05bef8b94f4afd94122a8ed9 100644 (file)
@@ -710,14 +710,10 @@ SocketConnection::handle_connect_reply(msgr_tag_t tag)
         h.backoff = 0ms;
         set_features(h.reply.features & h.connect.features);
         if (h.authorizer) {
-          std::string connection_secret;  // this is not used here, we just need
-                                        // to make get_auth_session_handler
-                                        // call happy
           session_security.reset(
               get_auth_session_handler(nullptr,
                                        h.authorizer->protocol,
                                        h.authorizer->session_key,
-                                       connection_secret,
                                        features));
         }
         h.authorizer.reset();
index 773eac11acd808eac0a14a46f1b5755110495ef9..dac1bbd5840126cf9c5ed2bdff989cb5365d6db5 100644 (file)
@@ -1683,7 +1683,6 @@ CtPtr ProtocolV1::client_ready() {
     session_security.reset(get_auth_session_handler(
         cct, authorizer->protocol,
        authorizer->session_key,
-       string() /* connection_secret */,
         connection->get_features()));
   } else {
     // We have no authorizer, so we shouldn't be applying security to messages
@@ -2355,7 +2354,6 @@ CtPtr ProtocolV1::open(ceph_msg_connect_reply &reply,
   session_security.reset(
       get_auth_session_handler(cct, connect_msg.authorizer_protocol,
                                session_key,
-                              string() /* connection secret */,
                               connection->get_features()));
 
   bufferlist reply_bl;
index 62db34e5a2ad57be6a52e63cd38c0c60452c4e57..19e0169d2fb5cc1a6ec950a2961f7cf0b5d490d2 100644 (file)
@@ -2245,10 +2245,7 @@ CtPtr ProtocolV2::handle_auth_done(char *payload, uint32_t length) {
     return _fault();
   }
   session_security.reset(
-    get_auth_session_handler(
-      cct, auth_meta->auth_method, auth_meta->session_key,
-      auth_meta->connection_secret,
-      CEPH_FEATURE_MSG_AUTH | CEPH_FEATURE_CEPHX_V2));
+    AuthStreamHandler::create_stream_handler(cct, auth_meta).release());
 
   if (!server_cookie) {
     ceph_assert(connect_seq == 0);
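Review bot: `create_stream_handler(cct, auth_meta)` passes `auth_meta`, which the removed lines dereference with `->`, to a parameter declared `const AuthConnectionMeta&` in `AuthSessionHandler.h`; unless `auth_meta` converts to that type implicitly, this call needs `*auth_meta`. `std::shared_ptr` assigns directly from a `std::unique_ptr` rvalue, so `session_security = AuthStreamHandler::create_stream_handler(cct, *auth_meta);` avoids the `.release()` round-trip. Note also that the object returned is the no-op `AuthStreamHandler` stub, so after this change `auth_meta->auth_method` and `auth_meta->session_key` no longer affect how this connection's messages are protected; a `// TODO` here would make that interim state explicit if it is intended. `handle_auth_done` continues outside the hunk.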
index 7970e07752036831c44449e653a77c073e29c069..2bb7dc4dce70987d8de9fc4e25b7a2129e64a55a 100644 (file)
@@ -75,7 +75,7 @@ private:
   char *temp_buffer;
   State state;
   uint64_t peer_required_features;
-  std::shared_ptr<AuthSessionHandler> session_security;
+  std::shared_ptr<AuthStreamHandler> session_security;
 
   uint64_t client_cookie;
   uint64_t server_cookie;
index 271dec8e13a96a9d561fe23d7caab6d8bc824203..1a06ab04d1dc9fd7e9acd6ab589a27c7c28041fe 100644 (file)
@@ -820,7 +820,6 @@ int Pipe::accept()
       get_auth_session_handler(msgr->cct,
                               connect.authorizer_protocol,
                               session_key,
-                              string(), /* connection_secret */
                               connection_state->get_features()));
 
   // notify
@@ -1347,7 +1346,6 @@ int Pipe::connect()
              msgr->cct,
              authorizer->protocol,
              authorizer->session_key,
-             string() /* connection secret*/,
              connection_state->get_features()));
       }  else {
         // We have no authorizer, so we shouldn't be applying security to messages in this pipe.  PLR