From: Patrick Donnelly
Date: Wed, 26 Nov 2025 18:25:33 +0000 (-0500)
Subject: auth/cephx: use defines for magic usage values
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=455a58d68a56d06628938275f3683ea328b29399;p=ceph-ci.git
auth/cephx: use defines for magic usage values
Signed-off-by: Patrick Donnelly
---
diff --git a/doc/dev/cephx.rst b/doc/dev/cephx.rst
index e4400b80107..d5bb645c322 100644
--- a/doc/dev/cephx.rst
+++ b/doc/dev/cephx.rst
@@ -136,7 +136,7 @@ where::
 ticket_info {
 u32 service_id # CEPH_ENTITY_TYPE_AUTH
 u8 msg_version (1)
- {CephXServiceTicket service_ticket}^principal_secret
+ {CephXServiceTicket service_ticket}^principal_secret # principal_secret ONLY for _AUTH
 {CephxTicketBlob ticket_blob}^existing session_key # if we are renewing a ticket,
 CephxTicketBlob ticket_blob # otherwise
 }
@@ -144,7 +144,7 @@ where::
 service_ticket_info {
 u32 service_id # CEPH_ENTITY_TYPE_{MON,MGR,OSD,MDS}
 u8 msg_version (1)
- {CephxServiceTicket service_ticket}^session_key
+ {CephxServiceTicket service_ticket}^auth_session_key # session_key from _AUTH
 CephxServiceTicket
 CephxTicketBlob ticket_blob
 }
diff --git a/src/auth/cephx/CephxClientHandler.cc b/src/auth/cephx/CephxClientHandler.cc
index fcfbcfc6712..5feb82c494a 100644
--- a/src/auth/cephx/CephxClientHandler.cc
+++ b/src/auth/cephx/CephxClientHandler.cc
@@ -228,7 +228,7 @@ int CephxClientHandler::handle_response(
 if (cbl.length() && connection_secret) {
 auto p = cbl.cbegin();
 string err;
- if (decode_decrypt(cct, *connection_secret, *session_key, 3, p,
+ if (decode_decrypt(cct, *connection_secret, *session_key, CEPHX_KEY_USAGE_AUTH_CONNECTION_SECRET, p,
 err)) {
 lderr(cct) << __func__ << " failed to decrypt connection_secret" << dendl;
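Review bot: The new `+` line of the handle_response hunk at -228 keeps the old wrap point (`p,` with `err))` on the following line) but drops a 38-character macro name into the middle of it, so it now runs far past the width the original line was wrapped to. Re-wrap so the usage tag starts the continuation, e.g. `if (decode_decrypt(cct, *connection_secret, *session_key,` / `CEPHX_KEY_USAGE_AUTH_CONNECTION_SECRET, p, err)) {`. The same pattern recurs in most of the other hunks of this commit. handle_response starts and ends outside this hunk.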
@@ -284,7 +284,7 @@ int CephxClientHandler::handle_response(
 return -ENOENT;
 }
 std::string error;
- if (decode_decrypt(cct, secrets, secret_key, 16, indata, error)) {
+ if (decode_decrypt(cct, secrets, secret_key, CEPHX_KEY_USAGE_ROTATING_SECRET, indata, error)) {
 ldout(cct, 0) << "could not set rotating key: decode_decrypt failed. error:" << error << dendl;
 return -EINVAL;
diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc
index a9aeea5c0b7..fa092699300 100644
--- a/src/auth/cephx/CephxKeyServer.cc
+++ b/src/auth/cephx/CephxKeyServer.cc
@@ -450,7 +450,7 @@ bool KeyServer::get_rotating_encrypted(const EntityName& name,
 RotatingSecrets secrets = rotate_iter->second;
 std::string error;
- if (encode_encrypt(cct, secrets, specific_key, 16, enc_bl, error))
+ if (encode_encrypt(cct, secrets, specific_key, CEPHX_KEY_USAGE_ROTATING_SECRET, enc_bl, error))
 return false;
 return true;
diff --git a/src/auth/cephx/CephxProtocol.cc b/src/auth/cephx/CephxProtocol.cc
index f324846b53e..186c6f246bc 100644
--- a/src/auth/cephx/CephxProtocol.cc
+++ b/src/auth/cephx/CephxProtocol.cc
@@ -93,7 +93,7 @@ bool cephx_build_service_ticket_blob(CephContext *cct, const CephXSessionAuthInf
 if (info.service_secret.empty())
 error = "invalid key"; // Bad key?
 else
- encode_encrypt_enc_bl(cct, ticket_info, info.service_secret, 10, blob.blob, error);
+ encode_encrypt_enc_bl(cct, ticket_info, info.service_secret, CEPHX_KEY_USAGE_TICKET_INFO, blob.blob, error);
 if (!error.empty()) {
 ldout(cct, -1) << "cephx_build_service_ticket_blob failed with error " << error << dendl;
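Review bot: `CEPHX_KEY_USAGE_ROTATING_SECRET` is defined as `0x20` (32) in the CephxProtocol.h hunk, but the literal it replaces here in handle_response at -284, and in KeyServer::get_rotating_encrypted at -450, is `16`, so this is a silent renumbering rather than the define-for-literal substitution the title describes. What the usage argument feeds is outside this diff; if encode_encrypt/decode_decrypt derive the key or frame the ciphertext from it, a monitor and a daemon built from opposite sides of this commit will disagree on the rotating-secret encryption and the daemon will log `could not set rotating key: decode_decrypt failed`. Either define the tag as `16` to keep the existing value, or state in the commit message that the value changes on purpose and how mixed-version clusters are handled. handle_response's body starts before and continues after this hunk.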
@@ -139,7 +139,7 @@ bool cephx_build_service_ticket_reply(CephContext *cct,
 msg_a.session_key = info.session_key;
 msg_a.validity = info.validity;
 std::string error;
- if (encode_encrypt(cct, msg_a, principal_secret, 4, reply, error)) {
+ if (encode_encrypt(cct, msg_a, principal_secret, CEPHX_KEY_USAGE_TICKET_SESSION_KEY, reply, error)) {
 ldout(cct, -1) << "error encoding encrypted: " << error << dendl;
 return false;
 }
@@ -157,7 +157,7 @@ bool cephx_build_service_ticket_reply(CephContext *cct,
 encode((__u8)should_encrypt_ticket, reply);
 if (should_encrypt_ticket) {
- if (encode_encrypt(cct, service_ticket_bl, ticket_enc_key, 5, reply, error)) {
+ if (encode_encrypt(cct, service_ticket_bl, ticket_enc_key, CEPHX_KEY_USAGE_TICKET_BLOB, reply, error)) {
 ldout(cct, -1) << "error encoding encrypted ticket: " << error << dendl;
 return false;
 }
@@ -183,7 +183,7 @@ bool CephXTicketHandler::verify_service_ticket_reply(
 CephXServiceTicket msg_a;
 std::string error;
- if (decode_decrypt(cct, msg_a, secret, 4, indata, error)) {
+ if (decode_decrypt(cct, msg_a, secret, CEPHX_KEY_USAGE_TICKET_SESSION_KEY, indata, error)) {
 ldout(cct, 0) << __func__ << " failed decode_decrypt, error is: " << error << dendl;
 return false;
@@ -196,7 +196,7 @@ bool CephXTicketHandler::verify_service_ticket_reply(
 if (ticket_enc) {
 ldout(cct, 10) << __func__ << " got encrypted ticket" << dendl;
 std::string error;
- if (decode_decrypt(cct, service_ticket_bl, session_key, 5, indata, error)) {
+ if (decode_decrypt(cct, service_ticket_bl, session_key, CEPHX_KEY_USAGE_TICKET_BLOB, indata, error)) {
 ldout(cct, 10) << __func__ << " decode_decrypt failed " << "with " << error << dendl;
 return false;
@@ -367,7 +367,7 @@ CephXAuthorizer *CephXTicketHandler::build_authorizer(uint64_t global_id) const
 msg.nonce = a->nonce;
 std::string error;
- if (encode_encrypt(cct, msg, session_key, 11, a->bl, error)) {
+ if (encode_encrypt(cct, msg, session_key, CEPHX_KEY_USAGE_AUTHORIZE, a->bl, error)) {
 ldout(cct, 0) << "failed to encrypt authorizer: " << error << dendl;
 delete a;
 return 0;
@@ -433,7 +433,7 @@ bool cephx_decode_ticket(CephContext *cct, KeyStore *keys,
 }
 std::string error;
- decode_decrypt_enc_bl(cct, ticket_info, service_secret, 10, ticket_blob.blob, error);
+ decode_decrypt_enc_bl(cct, ticket_info, service_secret, CEPHX_KEY_USAGE_TICKET_INFO, ticket_blob.blob, error);
 if (!error.empty()) {
 ldout(cct, 0) << "ceph_decode_ticket could not decrypt ticket info. error:" << error << dendl;
@@ -502,7 +502,7 @@ bool cephx_verify_authorizer(CephContext *cct, const KeyStore& keys,
 if (service_secret.empty())
 error = "invalid key"; // Bad key?
 else
- decode_decrypt_enc_bl(cct, ticket_info, service_secret, 10, ticket.blob, error);
+ decode_decrypt_enc_bl(cct, ticket_info, service_secret, CEPHX_KEY_USAGE_TICKET_INFO, ticket.blob, error);
 if (!error.empty()) {
 ldout(cct, 0) << __func__ << ": could not decrypt ticket info: " << error << dendl;
 return false;
@@ -521,7 +521,7 @@ bool cephx_verify_authorizer(CephContext *cct, const KeyStore& keys,
 CephXAuthorize auth_msg;
 if (ticket_info.session_key.empty()) {
 error = "session key is invalid";
- } else if (!decode_decrypt(cct, auth_msg, ticket_info.session_key, 11, indata, error)) {
+ } else if (!decode_decrypt(cct, auth_msg, ticket_info.session_key, CEPHX_KEY_USAGE_AUTHORIZE, indata, error)) {
 error = "";
 }
 if (!error.empty()) {
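Review bot: `CEPHX_KEY_USAGE_TICKET_INFO` is `0x30` (48) in the header, while cephx_decode_ticket at -433, cephx_verify_authorizer at -502 and the encrypt side in cephx_build_service_ticket_blob all replaced the literal `10`; likewise `CEPHX_KEY_USAGE_AUTHORIZE` is `0x10` (16) for the literal `11` at -367 and -521. The ticket blob is sealed by whoever builds it under `service_secret` (the header calls this the rotating service key) and opened later by the service that verifies the authorizer, so if the usage tag participates in the cryptography a ticket issued on the other side of this commit will be rejected with `could not decrypt ticket info` instead of verified — that mixed-version path is the case to test for this change. If the existing values are the contract, the defines should read `0x0A` and `0x0B`. All four functions extend beyond their hunks.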
@@ -538,7 +538,7 @@ bool cephx_verify_authorizer(CephContext *cct, const KeyStore& keys,
 ldout(cct,10) << __func__ << ": adding server_challenge " << c->server_challenge << dendl;
- encode_encrypt_enc_bl(cct, *c, ticket_info.session_key, 13, *reply_bl, error);
+ encode_encrypt_enc_bl(cct, *c, ticket_info.session_key, CEPHX_KEY_USAGE_AUTHORIZE_CHALLENGE, *reply_bl, error);
 if (!error.empty()) {
 ldout(cct, 0) << __func__ << ": encode_encrypt error: " << error << dendl;
 return false;
@@ -576,7 +576,7 @@ bool cephx_verify_authorizer(CephContext *cct, const KeyStore& keys,
 }
 reply.connection_secret = *connection_secret;
 }
- if (encode_encrypt(cct, reply, ticket_info.session_key, 15, *reply_bl, error)) {
+ if (encode_encrypt(cct, reply, ticket_info.session_key, CEPHX_KEY_USAGE_AUTHORIZE_REPLY, *reply_bl, error)) {
 ldout(cct, 10) << "verify_authorizer: encode_encrypt error: " << error << dendl;
 return false;
 }
@@ -592,7 +592,7 @@ bool CephXAuthorizer::verify_reply(bufferlist::const_iterator& indata,
 CephXAuthorizeReply reply;
 std::string error;
- if (decode_decrypt(cct, reply, session_key, 15, indata, error)) {
+ if (decode_decrypt(cct, reply, session_key, CEPHX_KEY_USAGE_AUTHORIZE_REPLY, indata, error)) {
 ldout(cct, 0) << "verify_reply couldn't decrypt with error: " << error << dendl;
 return false;
 }
@@ -623,7 +623,7 @@ bool CephXAuthorizer::add_challenge(CephContext *cct,
 if (!p.end()) {
 std::string error;
 CephXAuthorizeChallenge ch{};
- decode_decrypt_enc_bl(cct, ch, session_key, 13, challenge, error);
+ decode_decrypt_enc_bl(cct, ch, session_key, CEPHX_KEY_USAGE_AUTHORIZE_CHALLENGE, challenge, error);
 if (!error.empty()) {
 ldout(cct, 0) << "failed to decrypt challenge (" << challenge.length() << " bytes): " << error << dendl;
@@ -634,7 +634,7 @@ bool CephXAuthorizer::add_challenge(CephContext *cct,
 }
 std::string error;
- if (encode_encrypt(cct, msg, session_key, 11, bl, error)) {
+ if (encode_encrypt(cct, msg, session_key, CEPHX_KEY_USAGE_AUTHORIZE, bl, error)) {
 ldout(cct, 0) << __func__ << " failed to encrypt authorizer: " << error << dendl;
 return false;
 }
diff --git a/src/auth/cephx/CephxProtocol.h b/src/auth/cephx/CephxProtocol.h
index fb431a84cbc..0e8de0b8f1e 100644
--- a/src/auth/cephx/CephxProtocol.h
+++ b/src/auth/cephx/CephxProtocol.h
@@ -31,6 +31,29 @@
 #define CEPHX_REQUEST_TYPE_MASK 0x0F00
 #define CEPHX_CRYPT_ERR 1
+
+/* Principal <-> AuthMonitor */
+/* The session's connection secret: encrypted with AUTH ticket session key */
+#define CEPHX_KEY_USAGE_AUTH_CONNECTION_SECRET 0x03
+/* The ticket's CephXServiceTicket containing the session key: uses principal's key for the AUTH ticket otherwise the AUTH ticket session key for the service tickets */
+#define CEPHX_KEY_USAGE_TICKET_SESSION_KEY 0x04
+/* The ticket's CephXTicketBlob: uses old AUTH session key (if presented) */
+#define CEPHX_KEY_USAGE_TICKET_BLOB 0x05
+
+/* Principal <-> Service */
+/* Client Authorization Request: using the ticket session key */
+#define CEPHX_KEY_USAGE_AUTHORIZE 0x10
+/* Service's Challenge: using the ticket session key */
+#define CEPHX_KEY_USAGE_AUTHORIZE_CHALLENGE 0x11
+/* Service's final reply: using the ticket session key */
+#define CEPHX_KEY_USAGE_AUTHORIZE_REPLY 0x12
+
+/* Service Daemon <-> AuthMonitor */
+/* Rotating Secret Fetch by Services: service daemon's principal key */
+#define CEPHX_KEY_USAGE_ROTATING_SECRET 0x20
+/* CephXServiceTicketInfo: rotating service key */
+#define CEPHX_KEY_USAGE_TICKET_INFO 0x30
+
 #include "auth/Auth.h"
 #include
 #include
diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc
index 9366dd8963c..3d17c66e3b6 100644
--- a/src/auth/cephx/CephxServiceHandler.cc
+++ b/src/auth/cephx/CephxServiceHandler.cc
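Review bot: Five of the eight new tags in the CephxProtocol.h hunk do not equal the literals they replace elsewhere in this commit: `CEPHX_KEY_USAGE_AUTHORIZE` `0x10` for `11`, `_AUTHORIZE_CHALLENGE` `0x11` for `13`, `_AUTHORIZE_REPLY` `0x12` for `15`, `_ROTATING_SECRET` `0x20` for `16` and `_TICKET_INFO` `0x30` for `10`; only `0x03`, `0x04` and `0x05` are value-preserving. If the renumbering is deliberate the commit message should say so and explain why changing the tag is safe against peers built before this commit; if not, the values should be `0x0B`, `0x0D`, `0x0F`, `0x10` and `0x0A`. Either way the block needs the caveat a future editor will want, since every tag is used on both the encrypt and the decrypt side of an exchange in this diff: `/* Key-usage tags are part of the cephx exchange: both peers must use the same value. Do not renumber once released. */`.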
@@ -318,7 +318,7 @@ int CephxServiceHandler::handle_request(
 connection_secret_required_len);
 }
 std::string err;
- if (encode_encrypt(cct, *pconnection_secret, session_key, 3, cbl,
+ if (encode_encrypt(cct, *pconnection_secret, session_key, CEPHX_KEY_USAGE_AUTH_CONNECTION_SECRET, cbl,
 err)) {
 lderr(cct) << __func__ << " failed to encrypt connection secret, " << err << dendl;