From: Sage Weil Date: Tue, 8 Jan 2019 14:56:44 +0000 (-0600) Subject: msg,cephx: establish a unique connection_secret for every connection X-Git-Tag: v14.1.0~271^2~31 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=67218f12e3a505ed361fd7ee7c9ef87b6f0f03b8;p=ceph.git msg,cephx: establish a unique connection_secret for every connection The session_key is unique for each time we newly authenticate with the mon--e.g., for each client instantiation. This is not ideal for encryption, since we don't want to encrypt all connections with the same key. Signed-off-by: Sage Weil --- diff --git a/src/auth/Auth.h b/src/auth/Auth.h index aac83632bf9..69c488af776 100644 --- a/src/auth/Auth.h +++ b/src/auth/Auth.h @@ -139,7 +139,8 @@ struct AuthAuthorizer { explicit AuthAuthorizer(__u32 p) : protocol(p) {} virtual ~AuthAuthorizer() {} - virtual bool verify_reply(bufferlist::const_iterator& reply) = 0; + virtual bool verify_reply(bufferlist::const_iterator& reply, + CryptoKey *connection_secret) = 0; virtual bool add_challenge(CephContext *cct, bufferlist& challenge) = 0; }; diff --git a/src/auth/AuthAuthorizeHandler.h b/src/auth/AuthAuthorizeHandler.h index 45778836e36..df4643c8cb0 100644 --- a/src/auth/AuthAuthorizeHandler.h +++ b/src/auth/AuthAuthorizeHandler.h 
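Review bot: The new `CryptoKey *connection_secret` parameter on `AuthAuthorizer::verify_reply` is an optional out-parameter, but the declaration says nothing about when it may be null or when it gets written, and the same gap applies to `AuthAuthorizeHandler::verify_authorizer` in the next hunk (src/auth/AuthAuthorizeHandler.h). The cephx implementation later in this commit stores into it only when the pointer is non-null and the reply actually carries a key, so a caller that passes a non-null pointer cannot assume it was filled. Suggest a comment on the pure virtual: `// connection_secret: optional out-param, may be nullptr. On success the per-connection key is stored here if the peer supplied one; check the key's type before relying on it.` A matching comment on `verify_authorizer` should state that the server side generates the secret into it when the pointer is non-null.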
@@ -30,11 +30,17 @@ class KeyRing; struct AuthAuthorizeHandler { virtual ~AuthAuthorizeHandler() {} - virtual bool verify_authorizer(CephContext *cct, KeyStore *keys, - bufferlist& authorizer_data, bufferlist& authorizer_reply, - EntityName& entity_name, uint64_t& global_id, - AuthCapsInfo& caps_info, CryptoKey& session_key, - std::unique_ptr *challenge) = 0; + virtual bool verify_authorizer( + CephContext *cct, + KeyStore *keys, + bufferlist& authorizer_data, + bufferlist& authorizer_reply, + EntityName& entity_name, + uint64_t& global_id, + AuthCapsInfo& caps_info, + CryptoKey& session_key, + CryptoKey *connection_secret, + std::unique_ptr *challenge) = 0; virtual int authorizer_session_crypto() = 0; }; diff --git a/src/auth/AuthSessionHandler.cc b/src/auth/AuthSessionHandler.cc index 69fe9a7bb74..3e92051455a 100644 --- a/src/auth/AuthSessionHandler.cc +++ b/src/auth/AuthSessionHandler.cc @@ -24,7 +24,11 @@ #define dout_subsys ceph_subsys_auth -AuthSessionHandler *get_auth_session_handler(CephContext *cct, int protocol, CryptoKey key, uint64_t features) +AuthSessionHandler *get_auth_session_handler( + CephContext *cct, int protocol, + const CryptoKey& key, + const CryptoKey& connection_secret, + uint64_t features) { // Should add code to only print the SHA1 hash of the key, unless in secure debugging mode 
@@ -37,14 +41,14 @@ AuthSessionHandler *get_auth_session_handler(CephContext *cct, int protocol, Cry if (key.get_type() == CEPH_CRYPTO_NONE) { return nullptr; } - return new CephxSessionHandler(cct, key, features); + return new CephxSessionHandler(cct, key, connection_secret, features); case CEPH_AUTH_NONE: - return new AuthNoneSessionHandler(cct, key); + return new AuthNoneSessionHandler(cct, key, connection_secret); case CEPH_AUTH_UNKNOWN: - return new AuthUnknownSessionHandler(cct, key); + return new AuthUnknownSessionHandler(cct, key, connection_secret); #ifdef HAVE_GSSAPI case CEPH_AUTH_GSS: - return new KrbSessionHandler(cct, key); + return new KrbSessionHandler(cct, key, connection_secret); #endif default: return nullptr; diff --git a/src/auth/AuthSessionHandler.h b/src/auth/AuthSessionHandler.h index 65e593c4d2f..89015c839f8 100644 --- a/src/auth/AuthSessionHandler.h +++ b/src/auth/AuthSessionHandler.h @@ -30,13 +30,19 @@ struct AuthSessionHandler { protected: CephContext *cct; int protocol; - CryptoKey key; + CryptoKey key; // per mon authentication + CryptoKey connection_secret; // per connection public: explicit AuthSessionHandler(CephContext *cct_) : cct(cct_), protocol(CEPH_AUTH_UNKNOWN) {} - AuthSessionHandler(CephContext *cct_, int protocol_, CryptoKey key_) : cct(cct_), - protocol(protocol_), key(key_) {} + AuthSessionHandler(CephContext *cct_, int protocol_, + const CryptoKey& key_, + const CryptoKey& cs_) + : cct(cct_), + protocol(protocol_), + key(key_), + connection_secret(cs_) {} virtual ~AuthSessionHandler() { } virtual bool no_security() = 0; @@ -60,7 +66,10 @@ public: }; -extern AuthSessionHandler *get_auth_session_handler(CephContext *cct, int protocol, CryptoKey key, - uint64_t features); +extern AuthSessionHandler *get_auth_session_handler( + CephContext *cct, int protocol, + const CryptoKey& key, + const CryptoKey& connection_secret, + uint64_t features); #endif 
diff --git a/src/auth/cephx/CephxAuthorizeHandler.cc b/src/auth/cephx/CephxAuthorizeHandler.cc index 8e1c778dcee..46fd050abda 100644 --- a/src/auth/cephx/CephxAuthorizeHandler.cc +++ b/src/auth/cephx/CephxAuthorizeHandler.cc @@ -7,10 +7,15 @@ bool CephxAuthorizeHandler::verify_authorizer( - CephContext *cct, KeyStore *keys, - bufferlist& authorizer_data, bufferlist& authorizer_reply, - EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info, + CephContext *cct, + KeyStore *keys, + bufferlist& authorizer_data, + bufferlist& authorizer_reply, + EntityName& entity_name, + uint64_t& global_id, + AuthCapsInfo& caps_info, CryptoKey& session_key, + CryptoKey *connection_secret, std::unique_ptr *challenge) { auto iter = authorizer_data.cbegin(); @@ -22,7 +27,8 @@ bool CephxAuthorizeHandler::verify_authorizer( CephXServiceTicketInfo auth_ticket_info; - bool isvalid = cephx_verify_authorizer(cct, keys, iter, auth_ticket_info, challenge, + bool isvalid = cephx_verify_authorizer(cct, keys, iter, auth_ticket_info, + challenge, connection_secret, authorizer_reply); if (isvalid) { diff --git a/src/auth/cephx/CephxAuthorizeHandler.h b/src/auth/cephx/CephxAuthorizeHandler.h index ab11d2c37cb..446906849dd 100644 --- a/src/auth/cephx/CephxAuthorizeHandler.h +++ b/src/auth/cephx/CephxAuthorizeHandler.h 
@@ -20,11 +20,17 @@ class CephContext; struct CephxAuthorizeHandler : public AuthAuthorizeHandler { - bool verify_authorizer(CephContext *cct, KeyStore *keys, - bufferlist& authorizer_data, bufferlist& authorizer_reply, - EntityName& entity_name, uint64_t& global_id, - AuthCapsInfo& caps_info, CryptoKey& session_key, - std::unique_ptr *challenge) override; + bool verify_authorizer( + CephContext *cct, + KeyStore *keys, + bufferlist& authorizer_data, + bufferlist& authorizer_reply, + EntityName& entity_name, + uint64_t& global_id, + AuthCapsInfo& caps_info, + CryptoKey& session_key, + CryptoKey *connection_secret, + std::unique_ptr *challenge) override; int authorizer_session_crypto() override; }; diff --git a/src/auth/cephx/CephxProtocol.cc b/src/auth/cephx/CephxProtocol.cc index d57c6e768ee..07cfb00ec80 100644 --- a/src/auth/cephx/CephxProtocol.cc +++ b/src/auth/cephx/CephxProtocol.cc @@ -394,6 +394,7 @@ bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys, bufferlist::const_iterator& indata, CephXServiceTicketInfo& ticket_info, std::unique_ptr *challenge, + CryptoKey *connection_secret, bufferlist& reply_bl) { __u8 authorizer_v; @@ -403,7 +404,6 @@ bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys, // ticket blob CephXTicketBlob ticket; - try { decode(authorizer_v, indata); decode(global_id, indata); 
@@ -492,6 +492,16 @@ bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys, CephXAuthorizeReply reply; // reply.trans_id = auth_msg.trans_id; reply.nonce_plus_one = auth_msg.nonce + 1; + if (connection_secret) { + // generate a connection secret + bufferptr bp; + CryptoHandler *crypto = cct->get_crypto_handler(CEPH_CRYPTO_AES); + assert(crypto); + int r = crypto->create(cct->random(), bp); + assert(r >= 0); + connection_secret->set_secret(CEPH_CRYPTO_AES, bp, ceph_clock_now()); + reply.connection_secret = *connection_secret; + } if (encode_encrypt(cct, reply, ticket_info.session_key, reply_bl, error)) { ldout(cct, 10) << "verify_authorizer: encode_encrypt error: " << error << dendl; return false; @@ -502,7 +512,8 @@ bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys, return true; } -bool CephXAuthorizer::verify_reply(bufferlist::const_iterator& indata) +bool CephXAuthorizer::verify_reply(bufferlist::const_iterator& indata, + CryptoKey *connection_secret) { CephXAuthorizeReply reply; @@ -518,6 +529,11 @@ bool CephXAuthorizer::verify_reply(bufferlist::const_iterator& indata) << " sent " << nonce << dendl; return false; } + + if (connection_secret && + reply.connection_secret.get_type()) { + *connection_secret = reply.connection_secret; + } return true; } diff --git a/src/auth/cephx/CephxProtocol.h b/src/auth/cephx/CephxProtocol.h index 4629bba80ad..f1268d730a6 100644 --- a/src/auth/cephx/CephxProtocol.h +++ b/src/auth/cephx/CephxProtocol.h 
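Review bot: The new connection-secret block in `cephx_verify_authorizer` aborts the process on failure, `assert(crypto)` and `assert(r >= 0)`, on a path that runs for every incoming authorizer; a missing crypto handler or a key-creation error should fail this one verification rather than take the daemon down. Suggest replacing the two asserts with `if (!crypto || crypto->create(cct->random(), bp) < 0) {` / `ldout(cct, 0) << "verify_authorizer: failed to generate connection_secret" << dendl;` / `return false; }`. The block also deserves a comment that the secret travels encrypted under `ticket_info.session_key` (the `encode_encrypt` call just below), so its confidentiality is bounded by that key's; the change separates keys per connection but does not help if the session key itself is compromised. On the client side, `CephXAuthorizer::verify_reply` in the same hunk copies the key only when `reply.connection_secret.get_type()` is set, so a version-1 reply silently leaves the caller's key empty; that contract should be stated in its comment so callers know to check.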
@@ -268,17 +268,28 @@ WRITE_CLASS_ENCODER(CephXServiceTicketRequest) struct CephXAuthorizeReply { uint64_t nonce_plus_one; + CryptoKey connection_secret; void encode(bufferlist& bl) const { using ceph::encode; __u8 struct_v = 1; + if (connection_secret.get_type()) { + struct_v = 2; + } encode(struct_v, bl); encode(nonce_plus_one, bl); + if (struct_v >= 2) { + struct_v = 2; + encode(connection_secret, bl); + } } void decode(bufferlist::const_iterator& bl) { using ceph::decode; __u8 struct_v; decode(struct_v, bl); decode(nonce_plus_one, bl); + if (struct_v >= 2) { + decode(connection_secret, bl); + } } }; WRITE_CLASS_ENCODER(CephXAuthorizeReply) @@ -295,7 +306,8 @@ public: : AuthAuthorizer(CEPH_AUTH_CEPHX), cct(cct_), nonce(0) {} bool build_authorizer(); - bool verify_reply(bufferlist::const_iterator& reply) override; + bool verify_reply(bufferlist::const_iterator& reply, + CryptoKey *connection_secret) override; bool add_challenge(CephContext *cct, bufferlist& challenge) override; }; @@ -463,6 +475,7 @@ extern bool cephx_verify_authorizer( bufferlist::const_iterator& indata, CephXServiceTicketInfo& ticket_info, std::unique_ptr *challenge, + CryptoKey *connection_secret, bufferlist& reply_bl); diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc index c7c75a04a6d..4bd197ae5a7 100644 --- a/src/auth/cephx/CephxServiceHandler.cc +++ b/src/auth/cephx/CephxServiceHandler.cc @@ -151,8 +151,11 @@ int CephxServiceHandler::handle_request(bufferlist::const_iterator& indata, buff bufferlist tmp_bl; CephXServiceTicketInfo auth_ticket_info; // note: no challenge here. - if (!cephx_verify_authorizer(cct, key_server, indata, auth_ticket_info, nullptr, - tmp_bl)) { + if (!cephx_verify_authorizer( + cct, key_server, indata, auth_ticket_info, nullptr, +#warning FIXME mon connection needs connection_secret too + nullptr, + tmp_bl)) { ret = -EPERM; break; } 
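Review bot: In `CephXAuthorizeReply::encode` the assignment `struct_v = 2;` inside the `if (struct_v >= 2)` branch is dead: the variable is already 2 there and has already been encoded, so the line reads like a leftover and should be dropped. The versioning is sound only because the sender raises `struct_v` solely when a secret is present, which keeps peers that never ask for one from seeing the new field; a comment on the `if (connection_secret.get_type())` check, such as `// emit v2 only when a secret exists, so peers that never request one keep decoding v1`, would stop a later change from bumping the version unconditionally.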
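Review bot: The `#warning FIXME mon connection needs connection_secret too` in `CephxServiceHandler::handle_request` (src/auth/cephx/CephxServiceHandler.cc) sits inside an argument list and is a non-standard directive that fires on every build of this translation unit and, under -Werror, will typically break the build. The directive itself documents that the mon path passes `nullptr` and therefore keeps the shared session-key behaviour the commit message describes as the problem. Prefer a plain `// TODO: mon connection needs connection_secret too` next to the `nullptr` argument, or pass a real `&connection_secret` here, so the gap is recorded without a preprocessor diagnostic.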
diff --git a/src/auth/cephx/CephxSessionHandler.h b/src/auth/cephx/CephxSessionHandler.h index 5e37e165672..19147b8a169 100644 --- a/src/auth/cephx/CephxSessionHandler.h +++ b/src/auth/cephx/CephxSessionHandler.h @@ -23,8 +23,11 @@ class CephxSessionHandler : public AuthSessionHandler { uint64_t features; public: - CephxSessionHandler(CephContext *cct_, CryptoKey session_key, uint64_t features) - : AuthSessionHandler(cct_, CEPH_AUTH_CEPHX, session_key), + CephxSessionHandler(CephContext *cct_, + const CryptoKey& session_key, + const CryptoKey& connection_secret, + uint64_t features) + : AuthSessionHandler(cct_, CEPH_AUTH_CEPHX, session_key, connection_secret), features(features) {} ~CephxSessionHandler() override {} diff --git a/src/auth/krb/KrbAuthorizeHandler.cpp b/src/auth/krb/KrbAuthorizeHandler.cpp index cd84b8a9f0e..37202660280 100644 --- a/src/auth/krb/KrbAuthorizeHandler.cpp +++ b/src/auth/krb/KrbAuthorizeHandler.cpp @@ -26,7 +26,8 @@ bool KrbAuthorizeHandler::verify_authorizer(CephContext* ceph_ctx, EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info, - CryptoKey& session_key, + CryptoKey& session_key, + CryptoKey *connection_secret, std::unique_ptr< AuthAuthorizerChallenge>* challenge) { diff --git a/src/auth/krb/KrbAuthorizeHandler.hpp b/src/auth/krb/KrbAuthorizeHandler.hpp index d5f16eef850..03277a2f19c 100644 --- a/src/auth/krb/KrbAuthorizeHandler.hpp +++ b/src/auth/krb/KrbAuthorizeHandler.hpp @@ -22,7 +22,8 @@ class KrbAuthorizeHandler : public AuthAuthorizeHandler { bool verify_authorizer(CephContext*, KeyStore*, bufferlist&, bufferlist&, EntityName&, uint64_t&, - AuthCapsInfo&, CryptoKey&, + AuthCapsInfo&, CryptoKey&, + CryptoKey *connection_secret, std::unique_ptr< AuthAuthorizerChallenge>* = nullptr) override; diff --git a/src/auth/krb/KrbProtocol.hpp b/src/auth/krb/KrbProtocol.hpp index 0081dfcfa10..5b91d153869 100644 --- a/src/auth/krb/KrbProtocol.hpp +++ b/src/auth/krb/KrbProtocol.hpp 
@@ -85,7 +85,8 @@ class KrbAuthorizer : public AuthAuthorizer { return false; } - bool verify_reply(bufferlist::const_iterator& buff_list) override { + bool verify_reply(bufferlist::const_iterator& buff_list, + CryptoKey *connection_secret) override { return true; } bool add_challenge(CephContext* ceph_ctx, diff --git a/src/auth/krb/KrbSessionHandler.hpp b/src/auth/krb/KrbSessionHandler.hpp index e01b6de5128..a38bbbba10e 100644 --- a/src/auth/krb/KrbSessionHandler.hpp +++ b/src/auth/krb/KrbSessionHandler.hpp @@ -36,8 +36,11 @@ class Message; class KrbSessionHandler : public AuthSessionHandler { public: - KrbSessionHandler(CephContext* ceph_ctx, CryptoKey session_key) : - AuthSessionHandler(ceph_ctx, CEPH_AUTH_GSS, session_key) { } + KrbSessionHandler(CephContext* ceph_ctx, + const CryptoKey& session_key, + const CryptoKey& connection_secret) : + AuthSessionHandler(ceph_ctx, CEPH_AUTH_GSS, session_key, + connection_secret) { } ~KrbSessionHandler() override = default; bool no_security() override { return true; } diff --git a/src/auth/none/AuthNoneAuthorizeHandler.cc b/src/auth/none/AuthNoneAuthorizeHandler.cc index 723b463fe92..4e0974086f8 100644 --- a/src/auth/none/AuthNoneAuthorizeHandler.cc +++ b/src/auth/none/AuthNoneAuthorizeHandler.cc @@ -22,6 +22,7 @@ bool AuthNoneAuthorizeHandler::verify_authorizer( bufferlist& authorizer_data, bufferlist& authorizer_reply, EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info, CryptoKey& session_key, + CryptoKey *connection_secret, std::unique_ptr *challenge) { auto iter = authorizer_data.cbegin(); diff --git a/src/auth/none/AuthNoneAuthorizeHandler.h b/src/auth/none/AuthNoneAuthorizeHandler.h index 7dcd029b8e3..d6853c4884a 100644 --- a/src/auth/none/AuthNoneAuthorizeHandler.h +++ b/src/auth/none/AuthNoneAuthorizeHandler.h 
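Review bot: `KrbAuthorizer::verify_reply` names its new `connection_secret` parameter but never uses it (the body is still `return true;`), and the same holds for `AuthNoneAuthorizer::verify_reply` in src/auth/none/AuthNoneProtocol.h on the next line of this page. With -Wunused-parameter that is one warning per override; leaving the parameter unnamed, `CryptoKey * /* connection_secret */`, keeps the build quiet and signals that these methods intentionally establish no per-connection key. A one-line comment, `// this auth method negotiates no per-connection secret; the out-param is left untouched`, would also tell callers that they will see an empty key afterwards.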
@@ -20,11 +20,13 @@ class CephContext; struct AuthNoneAuthorizeHandler : public AuthAuthorizeHandler { - bool verify_authorizer(CephContext *cct, KeyStore *keys, - bufferlist& authorizer_data, bufferlist& authorizer_reply, - EntityName& entity_name, uint64_t& global_id, - AuthCapsInfo& caps_info, CryptoKey& session_key, - std::unique_ptr *challenge) override; + bool verify_authorizer( + CephContext *cct, KeyStore *keys, + bufferlist& authorizer_data, bufferlist& authorizer_reply, + EntityName& entity_name, uint64_t& global_id, + AuthCapsInfo& caps_info, CryptoKey& session_key, + CryptoKey *connection_secret, + std::unique_ptr *challenge) override; int authorizer_session_crypto() override; }; diff --git a/src/auth/none/AuthNoneProtocol.h b/src/auth/none/AuthNoneProtocol.h index 64865355eae..d5c2677a681 100644 --- a/src/auth/none/AuthNoneProtocol.h +++ b/src/auth/none/AuthNoneProtocol.h @@ -28,7 +28,8 @@ struct AuthNoneAuthorizer : public AuthAuthorizer { encode(global_id, bl); return 0; } - bool verify_reply(bufferlist::const_iterator& reply) override { return true; } + bool verify_reply(bufferlist::const_iterator& reply, + CryptoKey *connection_secret) override { return true; } bool add_challenge(CephContext *cct, bufferlist& ch) override { return true; } }; diff --git a/src/auth/none/AuthNoneSessionHandler.h b/src/auth/none/AuthNoneSessionHandler.h index a65b227fd51..d4b033a9c45 100644 --- a/src/auth/none/AuthNoneSessionHandler.h +++ b/src/auth/none/AuthNoneSessionHandler.h @@ -19,8 +19,10 @@ class CephContext; class AuthNoneSessionHandler : public AuthSessionHandler { public: - AuthNoneSessionHandler(CephContext *cct_, CryptoKey session_key) - : AuthSessionHandler(cct_, CEPH_AUTH_NONE, session_key) {} + AuthNoneSessionHandler(CephContext *cct_, + const CryptoKey& session_key, + const CryptoKey& connection_secret) + : AuthSessionHandler(cct_, CEPH_AUTH_NONE, session_key, connection_secret) {} ~AuthNoneSessionHandler() override {} bool no_security() override { 
diff --git a/src/auth/unknown/AuthUnknownAuthorizeHandler.cc b/src/auth/unknown/AuthUnknownAuthorizeHandler.cc index 1f59401fe41..af7bd2d25b1 100644 --- a/src/auth/unknown/AuthUnknownAuthorizeHandler.cc +++ b/src/auth/unknown/AuthUnknownAuthorizeHandler.cc @@ -19,6 +19,7 @@ bool AuthUnknownAuthorizeHandler::verify_authorizer( bufferlist& authorizer_data, bufferlist& authorizer_reply, EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info, CryptoKey& session_key, + CryptoKey *connection_secret, std::unique_ptr *challenge) { // For unknown authorizers, there's nothing to verify. They're "OK" by definition. PLR diff --git a/src/auth/unknown/AuthUnknownAuthorizeHandler.h b/src/auth/unknown/AuthUnknownAuthorizeHandler.h index fdbcd1c3d95..6c9d056ac10 100644 --- a/src/auth/unknown/AuthUnknownAuthorizeHandler.h +++ b/src/auth/unknown/AuthUnknownAuthorizeHandler.h @@ -24,6 +24,7 @@ struct AuthUnknownAuthorizeHandler : public AuthAuthorizeHandler { bufferlist& authorizer_data, bufferlist& authorizer_reply, EntityName& entity_name, uint64_t& global_id, AuthCapsInfo& caps_info, CryptoKey& session_key, + CryptoKey *connection_secret, std::unique_ptr *challenge) override; int authorizer_session_crypto() override; }; diff --git a/src/auth/unknown/AuthUnknownSessionHandler.h b/src/auth/unknown/AuthUnknownSessionHandler.h index d78a6d21aaa..e7810562c0b 100644 --- a/src/auth/unknown/AuthUnknownSessionHandler.h +++ b/src/auth/unknown/AuthUnknownSessionHandler.h @@ -21,8 +21,11 @@ class CephContext; class AuthUnknownSessionHandler : public AuthSessionHandler { public: - AuthUnknownSessionHandler(CephContext *cct_, CryptoKey session_key) - : AuthSessionHandler(cct_, CEPH_AUTH_UNKNOWN, session_key) {} + AuthUnknownSessionHandler(CephContext *cct_, + const CryptoKey& session_key, + const CryptoKey& connection_secret) + : AuthSessionHandler(cct_, CEPH_AUTH_UNKNOWN, + session_key, connection_secret) {} ~AuthUnknownSessionHandler() override {} bool no_security() override { 
diff --git a/src/msg/Messenger.cc b/src/msg/Messenger.cc index d7dc58fc0a6..7569acbb341 100644 --- a/src/msg/Messenger.cc +++ b/src/msg/Messenger.cc @@ -157,6 +157,7 @@ bool Messenger::ms_deliver_verify_authorizer( bufferlist& authorizer_reply, bool& isvalid, CryptoKey& session_key, + CryptoKey *connection_secret, std::unique_ptr *challenge) { if (authorizer.length() == 0) { @@ -203,6 +204,7 @@ bool Messenger::ms_deliver_verify_authorizer( con->peer_global_id, con->peer_caps_info, session_key, + connection_secret, challenge); if (isvalid) { dis->ms_handle_authentication(con); diff --git a/src/msg/Messenger.h b/src/msg/Messenger.h index 6e26bf52827..4c41dfce95e 100644 --- a/src/msg/Messenger.h +++ b/src/msg/Messenger.h @@ -784,6 +784,7 @@ public: Connection *con, int peer_type, int protocol, bufferlist& authorizer, bufferlist& authorizer_reply, bool& isvalid, CryptoKey& session_key, + CryptoKey *connection_secret, std::unique_ptr *challenge); /** diff --git a/src/msg/async/ProtocolV1.cc b/src/msg/async/ProtocolV1.cc index cccaa6183b8..781518c1322 100644 --- a/src/msg/async/ProtocolV1.cc +++ b/src/msg/async/ProtocolV1.cc @@ -1525,7 +1525,8 @@ CtPtr ProtocolV1::handle_connect_reply_auth(char *buffer, int r) { } auto iter = authorizer_reply.cbegin(); - if (authorizer && !authorizer->verify_reply(iter)) { + if (authorizer && !authorizer->verify_reply(iter, + nullptr /* connection_secret */)) { ldout(cct, 0) << __func__ << " failed verifying authorize reply" << dendl; return _fault(); } @@ -1681,6 +1682,7 @@ CtPtr ProtocolV1::client_ready() { << authorizer << dendl; session_security.reset(get_auth_session_handler( cct, authorizer->protocol, authorizer->session_key, + authorizer->session_key /* connection_secret */, connection->get_features())); } else { // We have no authorizer, so we shouldn't be applying security to messages 
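Review bot: `ProtocolV1::client_ready` passes `authorizer->session_key` twice, the second time as the connection secret, so msgr1 connections keep encrypting with the shared session key, exactly the situation the commit message calls out, and nothing in the code says this is a deliberate legacy fallback rather than a placeholder. The same substitution appears in `ProtocolV1::open` (next page line) and in both `Pipe::accept` and `Pipe::connect` in src/msg/simple/Pipe.cc, while the matching `verify_reply` and `ms_deliver_verify_authorizer` calls on those paths pass `nullptr`, so no secret is ever negotiated for msgr1. Suggest replacing the bare `/* connection_secret */` at the first such site with a comment that states the decision, e.g. `// msgr1 negotiates no per-connection key; reuse the session key (legacy behaviour)`, so a reader does not mistake it for an oversight.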
@@ -1913,6 +1915,7 @@ CtPtr ProtocolV1::handle_connect_message_2() { if (!messenger->ms_deliver_verify_authorizer( connection, connection->peer_type, connect_msg.authorizer_protocol, authorizer_buf, authorizer_reply, authorizer_valid, session_key, + nullptr /* connection_secret */, need_challenge ? &authorizer_challenge : nullptr) || !authorizer_valid) { connection->lock.lock(); @@ -2346,7 +2349,9 @@ CtPtr ProtocolV1::open(ceph_msg_connect_reply &reply, session_security.reset( get_auth_session_handler(cct, connect_msg.authorizer_protocol, - session_key, connection->get_features())); + session_key, + session_key /* connection secret */, + connection->get_features())); bufferlist reply_bl; reply_bl.append((char *)&reply, sizeof(reply)); diff --git a/src/msg/async/ProtocolV2.cc b/src/msg/async/ProtocolV2.cc index ddb37afba1a..856c450e6cb 100644 --- a/src/msg/async/ProtocolV2.cc +++ b/src/msg/async/ProtocolV2.cc @@ -2128,10 +2128,10 @@ CtPtr ProtocolV2::handle_auth_done(char *payload, uint32_t length) { ldout(cct, 20) << __func__ << " payload_len=" << length << dendl; AuthDoneFrame auth_done(payload, length); - + CryptoKey connection_secret; if (authorizer) { auto iter = auth_done.auth_payload().cbegin(); - if (!authorizer->verify_reply(iter)) { + if (!authorizer->verify_reply(iter, &connection_secret)) { ldout(cct, 0) << __func__ << " failed verifying authorize reply" << dendl; return _fault(); } @@ -2146,6 +2146,7 @@ CtPtr ProtocolV2::handle_auth_done(char *payload, uint32_t length) { << authorizer << dendl; session_security.reset(get_auth_session_handler( cct, authorizer->protocol, authorizer->session_key, + connection_secret, CEPH_FEATURE_MSG_AUTH | CEPH_FEATURE_CEPHX_V2)); auth_flags = auth_done.flags(); } else { 
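Review bot: In `ProtocolV2::handle_auth_done` the local `CryptoKey connection_secret` is handed to `get_auth_session_handler` even when `verify_reply` did not fill it: `CephXAuthorizer::verify_reply` (src/auth/cephx/CephxProtocol.cc, earlier on this page) copies the key only when the reply carries one, so a peer answering with a version-1 `CephXAuthorizeReply` leaves this key empty and the cephx session handler is built with an empty connection secret. Whether the handler then falls back to `session_key` or degrades silently is not visible here and should be checked; for cephx the safer behaviour is to reject the reply before the `session_security.reset(...)` call: `if (authorizer->protocol == CEPH_AUTH_CEPHX && !connection_secret.get_type()) {` / `ldout(cct, 0) << __func__ << " auth reply carried no connection_secret" << dendl;` / `return _fault(); }`. The check must stay conditional on the auth method, since the none/unknown authorizers legitimately leave the key untouched.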
@@ -2365,9 +2366,10 @@ CtPtr ProtocolV2::handle_cephx_auth(bufferlist &auth_payload) { connection->lock.unlock(); if (!messenger->ms_deliver_verify_authorizer( - connection, connection->peer_type, auth_method, auth_payload, - authorizer_reply, authorizer_valid, session_key, - &authorizer_challenge) || + connection, connection->peer_type, auth_method, auth_payload, + authorizer_reply, authorizer_valid, session_key, + &connection_secret, + &authorizer_challenge) || !authorizer_valid) { connection->lock.lock(); @@ -2389,6 +2391,7 @@ CtPtr ProtocolV2::handle_cephx_auth(bufferlist &auth_payload) { session_security.reset( get_auth_session_handler(cct, auth_method, session_key, + connection_secret, CEPH_FEATURE_MSG_AUTH | CEPH_FEATURE_CEPHX_V2)); if (cct->_conf.get_val("ms_msgr2_sign_messages")) { @@ -2446,7 +2449,9 @@ CtPtr ProtocolV2::handle_auth_request(char *payload, uint32_t length) { messenger->ms_deliver_verify_authorizer( connection, connection->peer_type, auth_method, auth_request.auth_payload(), authorizer_reply, authorizer_valid, - session_key, nullptr); + session_key, + nullptr /* connection_secret */, + nullptr); connection->lock.lock(); if (!authorizer_valid) { diff --git a/src/msg/async/ProtocolV2.h b/src/msg/async/ProtocolV2.h index 718eb1f225b..c45b429d959 100644 --- a/src/msg/async/ProtocolV2.h +++ b/src/msg/async/ProtocolV2.h @@ -78,6 +78,7 @@ private: bool got_bad_auth; uint32_t got_bad_method; CryptoKey session_key; + CryptoKey connection_secret; std::shared_ptr session_security; std::unique_ptr authorizer_challenge; uint64_t auth_flags; diff --git a/src/msg/simple/Pipe.cc b/src/msg/simple/Pipe.cc index de933aa49df..44886ce361c 100644 --- a/src/msg/simple/Pipe.cc +++ b/src/msg/simple/Pipe.cc 
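Review bot: `ProtocolV2::handle_cephx_auth` passes the address of the new `connection_secret` member to `ms_deliver_verify_authorizer` without resetting it first, so if a verify handler that does not write the out-param runs on a `ProtocolV2` object that still holds a secret from an earlier exchange (whether re-authentication on the same object can happen is not visible here), the stale key would be reused for the new session. A cheap guard is `connection_secret = CryptoKey();` immediately before the `ms_deliver_verify_authorizer` call. The member declaration in src/msg/async/ProtocolV2.h would also benefit from a comment distinguishing it from its neighbour, e.g. `CryptoKey connection_secret;  // per-connection key established during auth; session_key is per authentication with the mon`.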
@@ -526,6 +526,7 @@ int Pipe::accept() if (!msgr->ms_deliver_verify_authorizer( connection_state.get(), peer_type, connect.authorizer_protocol, authorizer, authorizer_reply, authorizer_valid, session_key, + nullptr /* connection_secret */, need_challenge ? &authorizer_challenge : nullptr) || !authorizer_valid) { pipe_lock.Lock(); @@ -817,6 +818,7 @@ int Pipe::accept() get_auth_session_handler(msgr->cct, connect.authorizer_protocol, session_key, + session_key, /* connection_secret */ connection_state->get_features())); // notify @@ -1223,7 +1225,7 @@ int Pipe::connect() if (authorizer) { auto iter = authorizer_reply.cbegin(); - if (!authorizer->verify_reply(iter)) { + if (!authorizer->verify_reply(iter, nullptr /* connection_secret */)) { ldout(msgr->cct,0) << "failed verifying authorize reply" << dendl; goto fail; } @@ -1339,10 +1341,12 @@ int Pipe::connect() if (authorizer != NULL) { session_security.reset( - get_auth_session_handler(msgr->cct, - authorizer->protocol, - authorizer->session_key, - connection_state->get_features())); + get_auth_session_handler( + msgr->cct, + authorizer->protocol, + authorizer->session_key, + authorizer->session_key /* connection secret*/, + connection_state->get_features())); } else { // We have no authorizer, so we shouldn't be applying security to messages in this pipe. PLR session_security.reset();