bool cephx_build_service_ticket_reply(
CryptoKey& principal_secret,
vector<CephXSessionAuthInfo> ticket_info_vec,
+ bool should_encrypt_ticket,
+ CryptoKey& ticket_enc_key,
bufferlist& reply)
{
uint32_t num = ticket_info_vec.size();
if (encode_encrypt(msg_a, principal_secret, reply) < 0)
return false;
- if (!cephx_build_service_ticket(info, reply))
- return false;
+ bufferlist service_ticket_bl;
+
+ if (!cephx_build_service_ticket(info, service_ticket_bl))
+ return false;
+
+ ::encode((__u8)should_encrypt_ticket, reply);
+
+ if (should_encrypt_ticket) {
+ bufferlist enc_ticket;
+
+ if (encode_encrypt(service_ticket_bl, ticket_enc_key, reply) < 0)
+ return false;
+ } else {
+ reply.claim_append(service_ticket_bl);
+ }
}
return true;
}
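Review bot: `bufferlist enc_ticket;` declared on the `should_encrypt_ticket` branch is never used — `encode_encrypt` on the next line writes `service_ticket_bl` straight into `reply` — so either drop the declaration or encrypt into `enc_ticket` and `reply.claim_append(enc_ticket)` so the two branches read symmetrically. A second point worth a comment near `::encode((__u8)should_encrypt_ticket, reply);`: the flag travels in the clear after the encrypted `msg_a`, so it is not covered by `principal_secret`; as far as the visible code shows a tampered flag only makes the peer's decode fail, but that should be stated explicitly, e.g. `// flag is unauthenticated; a mismatch only causes the peer's decode to fail`, and `static_cast<__u8>` would be preferable to the C-style cast. The loop that encloses lines 9–28 (the `num` count suggests a per-ticket loop) starts outside the hunk.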
dout(0) << "verify_service_ticket_reply failed decode_decrypt with secret " << secret << dendl;
return false;
}
- ::decode(ticket, indata);
+ __u8 ticket_enc;
+ ::decode(ticket_enc, indata);
+ if (ticket_enc) {
+ dout(10) << "getting encrypted ticket" << dendl;
+ bufferlist service_ticket_bl;
+ if (decode_decrypt(service_ticket_bl, session_key, indata) < 0)
+ return false;
+ bufferlist::iterator iter = service_ticket_bl.begin();
+ ::decode(ticket, iter);
+ dout(10) << "ticket.secret_id=" << ticket.secret_id << dendl;
+ } else {
+ dout(10) << "got unencrypted ticket" << dendl;
+ ::decode(ticket, indata);
+ }
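Review bot: The encrypted branch decrypts the ticket with `session_key`, while the reply's own `msg_a.session_key` is what gets logged two lines later; on the builder side the ticket is encrypted with `old_ticket_info.session_key`, i.e. the key from the ticket being renewed. If `session_key` here is the handler's previously established key (its definition is outside the hunk), that is consistent, but it is easy to misread, so add a comment above the `decode_decrypt` call: `// encrypted ticket is wrapped with the session key we already hold (the old one), not msg_a.session_key`. The enclosing function starts and ends outside the hunk.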
dout(10) << "verify_service_ticket_reply service " << ceph_entity_type_name(service_id)
<< " secret_id " << ticket.secret_id
<< " session_key " << msg_a.session_key
CephXAuthorize msg;
msg.nonce = a->nonce;
+
if (encode_encrypt(msg, session_key, a->bl) < 0) {
dout(0) << "failed to encrypt authorizer" << dendl;
delete a;
}
}
-bool cephx_decode_ticket(KeyStore& keys, uint32_t service_id, CephXTicketBlob& ticket_blob, AuthTicket& ticket)
+bool cephx_decode_ticket(KeyStore& keys, uint32_t service_id, CephXTicketBlob& ticket_blob, CephXServiceTicketInfo& ticket_info)
{
uint64_t secret_id = ticket_blob.secret_id;
CryptoKey service_secret;
- CephXServiceTicketInfo ticket_info;
if (!ticket_blob.blob.length()) {
return false;
return false;
}
- ticket = ticket_info.ticket;
return true;
}
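Review bot: `ticket_info` is now a caller-supplied output parameter, but nothing documents what state it is left in when the function returns false; the early return on `!ticket_blob.blob.length()` clearly leaves it untouched, while the collapsed context hides whether later failure paths write into it. Please document this on the declaration in the header as well, where the existing comment also reads `Decode an extract ticket` and should be `Decode and extract ticket`, e.g. `/* Decode and extract ticket; ticket_info is only valid when true is returned */`. The removed `ticket = ticket_info.ticket;` means callers now reach the embedded ticket via `ticket_info.ticket`, which the monitor-side hunk already does.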
extern bool cephx_build_service_ticket_reply(CryptoKey& principal_secret,
vector<CephXSessionAuthInfo> ticket_info,
+ bool should_encrypt_ticket,
+ CryptoKey& ticket_enc_key,
bufferlist& reply);
struct CephXServiceTicketRequest {
/*
* Decode an extract ticket
*/
-bool cephx_decode_ticket(KeyStore& keys, uint32_t service_id, CephXTicketBlob& ticket_blob, AuthTicket& ticket);
+bool cephx_decode_ticket(KeyStore& keys, uint32_t service_id, CephXTicketBlob& ticket_blob, CephXServiceTicketInfo& ticket_info);
/*
* Verify authorizer and generate reply authorizer
CryptoKey session_key;
CephXSessionAuthInfo info;
+ bool should_enc_ticket = false;
CryptoKey principal_secret;
if (key_server->get_secret(entity_name, principal_secret) < 0) {
ret = -EPERM;
break;
}
- AuthTicket old_ticket;
+ CephXServiceTicketInfo old_ticket_info;
- if (cephx_decode_ticket(*key_server, CEPH_ENTITY_TYPE_AUTH, req.old_ticket, old_ticket)) {
- global_id = old_ticket.global_id;
- dout(0) << "decoded old_ticket with global_id=" << old_ticket.global_id << dendl;
+ if (cephx_decode_ticket(*key_server, CEPH_ENTITY_TYPE_AUTH, req.old_ticket, old_ticket_info)) {
+ global_id = old_ticket_info.ticket.global_id;
+ dout(10) << "decoded old_ticket with global_id=" << global_id << dendl;
+ should_enc_ticket = true;
}
info.ticket.init_timestamps(g_clock.now(), g_conf.auth_mon_ticket_ttl);
info_vec.push_back(info);
build_cephx_response_header(cephx_header.request_type, 0, result_bl);
- if (!cephx_build_service_ticket_reply(principal_secret, info_vec, result_bl)) {
+ if (!cephx_build_service_ticket_reply(principal_secret, info_vec, should_enc_ticket, old_ticket_info.session_key, result_bl)) {
ret = -EIO;
break;
}
info_vec.push_back(info);
}
}
+ CryptoKey no_key;
build_cephx_response_header(cephx_header.request_type, ret, result_bl);
- cephx_build_service_ticket_reply(auth_ticket_info.session_key, info_vec, result_bl);
+ cephx_build_service_ticket_reply(auth_ticket_info.session_key, info_vec, false, no_key, result_bl);
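Review bot: `should_enc_ticket` is set only when the presented old ticket decodes, so a client that cannot present a valid old ticket gets the new ticket unencrypted; that is presumably intended for first-time authentication, but the branch deserves a comment so nobody later "fixes" it, e.g. `// encrypt the fresh ticket under the old session key only when the client proved it holds a valid old ticket`. When the flag is false the call still passes `old_ticket_info.session_key`, which is then the default-constructed key; the builder guards on the flag before using it, so this is harmless, but a short note would save the next reader a lookup. The `no_key` + `false` call in the second hunk follows the same pattern and is fine. The `switch`/loop enclosing these hunks starts outside the visible lines.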
}
break;