if (!encrypt) {
::encode(ticket_req, request);
} else {
- ticket_req.encode_encrypt(session_key, request);
+ encode_encrypt(ticket_req, session_key, request);
}
::encode(ticket_info, request);
}
AuthServiceTicket msg_a;
msg_a.session_key = session_key;
- if (msg_a.encode_encrypt(principal_secret, reply) < 0)
+ if (encode_encrypt(msg_a, principal_secret, reply) < 0)
return false;
AuthServiceTicketInfo ticket_info;
ticket_info.session_key = session_key;
ticket_info.ticket = ticket;
- if (ticket_info.encode_encrypt(service_secret, reply) < 0)
+ if (encode_encrypt(ticket_info, service_secret, reply) < 0)
return false;
return true;
}
if (encrypted) {
dout(0) << "verify encrypted service ticket request" << dendl;
- if (msg.decode_decrypt(session_key, indata) < 0)
+ if (decode_decrypt(msg, session_key, indata) < 0)
return false;
dout(0) << "decoded timestamp=" << msg.timestamp << " addr=" << msg.addr << " (was encrypted)" << dendl;
AuthServiceTicketInfo ticket_info;
- if (ticket_info.decode_decrypt(service_secret, indata) < 0)
+ if (decode_decrypt(ticket_info, service_secret, indata) < 0)
return false;
} else {
::decode(msg, indata);
bufferlist::iterator& indata)
{
AuthServiceTicket msg_a;
- if (msg_a.decode_decrypt(secret, indata) < 0)
+ if (decode_decrypt(msg_a, secret, indata) < 0)
return false;
::decode(ticket, indata);
AuthAuthenticate msg;
msg.now = now;
msg.nonce = nonce;
- msg.encode_encrypt(session_key, bl);
+ encode_encrypt(msg, session_key, bl);
return now;
}
bool verify_authenticator(CryptoKey& service_secret, bufferlist::iterator& indata,
bufferlist& reply_bl)
{
- AuthTicket ticket;
- ticket.decode_decrypt(service_secret, indata);
+ AuthServiceTicketInfo ticket_info;
+ decode_decrypt(ticket_info, service_secret, indata);
AuthAuthenticate auth_msg;
- auth_msg.decode_decrypt(ticket.session_key, indata);
-
- bufferlist enc_ticket, enc_info;
- ::decode(enc_ticket, indata);
- ::decode(enc_info, indata);
+ decode_decrypt(auth_msg, ticket_info.session_key, indata);
// it's authentic if the nonces match
- if (auth_msg.nonce != ticket.nonce)
+ if (auth_msg.nonce != ticket_info.ticket.nonce)
return false;
dout(0) << "verify_authenticator: nonce ok" << dendl;
AuthAuthenticateReply reply;
reply.timestamp = auth_msg.now;
reply.timestamp += 1;
- reply.encode_encrypt(ticket.session_key, reply_bl);
+ encode_encrypt(reply, ticket_info.session_key, reply_bl);
dout(0) << "verify_authenticator: ok" << dendl;
#include "Crypto.h"
#include "msg/msg_types.h"
-struct AuthEnc {
- virtual void encode(bufferlist& bl) const = 0;
- virtual void decode(bufferlist::iterator& bl) = 0;
-
- int encode_encrypt(CryptoKey key, bufferlist& out) {
- bufferlist bl, bl_enc;
-
- encode(bl);
- int ret = key.encrypt(bl, bl_enc);
- if (ret < 0)
- return ret;
-
- ::encode(bl_enc, out);
- return 0;
- }
-
- int decode_decrypt(CryptoKey key, bufferlist::iterator& iter) {
- bufferlist bl_enc, bl;
- ::decode(bl_enc, iter);
-
- int ret = key.decrypt(bl_enc, bl);
- if (ret < 0)
- return ret;
-
- bufferlist::iterator iter2 = bl.begin();
- decode(iter2);
- return 0;
- }
-};
-
struct EntityName {
uint32_t entity_type;
string name;
* services as described by 'caps' during the specified validity
* period.
*/
-struct AuthTicket : public AuthEnc {
+struct AuthTicket {
entity_addr_t addr;
utime_t created, renew_after, expires;
string nonce;
map<string, bufferlist> caps;
__u32 flags;
- CryptoKey session_key;
void encode(bufferlist& bl) const {
__u8 v = 1;
::encode(nonce, bl);
::encode(caps, bl);
::encode(flags, bl);
- ::encode(session_key, bl);
}
void decode(bufferlist::iterator& bl) {
__u8 v;
::decode(nonce, bl);
::decode(caps, bl);
::decode(flags, bl);
- ::decode(session_key, bl);
}
};
WRITE_CLASS_ENCODER(AuthTicket)
};
WRITE_CLASS_ENCODER(AuthenticateRequest)
-class AuthenticateReply {
-
- bool verify() {
- /* FIXME */
- return false;
- };
-};
-
-
struct AuthBlob {
bufferlist blob;
};
//WRITE_CLASS_ENCODER(ServiceTicket)
-struct AuthServiceTicketRequest : public AuthEnc {
+struct AuthServiceTicketRequest {
entity_addr_t addr;
utime_t timestamp;
uint32_t keys;
WRITE_CLASS_ENCODER(AuthServiceTicketRequest);
/* A */
-struct AuthServiceTicket : public AuthEnc {
+struct AuthServiceTicket {
CryptoKey session_key;
utime_t validity;
WRITE_CLASS_ENCODER(AuthServiceTicket);
/* B */
-struct AuthServiceTicketInfo : public AuthEnc {
+struct AuthServiceTicketInfo {
AuthTicket ticket;
CryptoKey session_key;
};
WRITE_CLASS_ENCODER(AuthServiceTicketInfo);
-struct AuthAuthenticate : public AuthEnc {
+struct AuthAuthenticate {
utime_t now;
string nonce;
void encode(bufferlist& bl) const {
};
WRITE_CLASS_ENCODER(AuthAuthenticate);
-struct AuthAuthenticateReply : public AuthEnc {
+struct AuthAuthenticateReply {
utime_t timestamp;
void encode(bufferlist& bl) const {
::encode(timestamp, bl);
};
WRITE_CLASS_ENCODER(AuthAuthenticateReply);
-
+template <class T>
+int decode_decrypt(T& t, CryptoKey key, bufferlist::iterator& iter) {
+ bufferlist bl_enc, bl;
+ ::decode(bl_enc, iter);
+
+ int ret = key.decrypt(bl_enc, bl);
+ if (ret < 0)
+ return ret;
+
+ bufferlist::iterator iter2 = bl.begin();
+ ::decode(t, iter2);
+ return 0;
+}
+
+template <class T>
+int encode_encrypt(const T& t, CryptoKey& key, bufferlist& out) {
+ bufferlist bl;
+ ::encode(t, bl);
+
+ bufferlist bl_enc;
+ int ret = key.encrypt(bl, bl_enc);
+ if (ret < 0)
+ return ret;
+
+ ::encode(bl_enc, out);
+ return 0;
+}
extern void build_authenticate_request(EntityName& principal_name, entity_addr_t& principal_addr,
uint32_t keys,
projects / ceph.git / commitdiff