From: Radoslaw Zarzynski
Date: Sat, 9 Mar 2019 14:01:21 +0000 (+0100)
Subject: msg/async, v2: switch the pre-auth mechanism to HMAC-SHA256.
X-Git-Tag: v14.2.0~23^2~1
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=8e324a5851b462ae0f6ee874fd37363c5b3297c5;p=ceph-ci.git
msg/async, v2: switch the pre-auth mechanism to HMAC-SHA256.
Signed-off-by: Radoslaw Zarzynski
---
diff --git a/src/auth/Crypto.h b/src/auth/Crypto.h
index 46323348bf5..c3ace5c8aff 100644
--- a/src/auth/Crypto.h
+++ b/src/auth/Crypto.h
@@ -119,6 +119,8 @@ public:
 const bufferptr& get_secret() { return secret; }
 const bufferptr& get_secret() const { return secret; }
+ bool empty() const { return ckh.get() == nullptr; }
+
 void encode_base64(string& s) const {
 bufferlist bl;
 encode(bl);
diff --git a/src/msg/async/ProtocolV2.cc b/src/msg/async/ProtocolV2.cc
index 3880c598672..b4c5e76985d 100644
--- a/src/msg/async/ProtocolV2.cc
+++ b/src/msg/async/ProtocolV2.cc
@@ -94,6 +94,7 @@ ProtocolV2::ProtocolV2(AsyncConnection *connection)
 bannerExchangeCallback(nullptr),
 next_tag(static_cast(0)),
 keepalive(false) {
+ ceph::crypto::init(cct);
 }
 ProtocolV2::~ProtocolV2() {
@@ -1779,8 +1780,9 @@ CtPtr ProtocolV2::handle_auth_done(ceph::bufferlist &payload)
 state = AUTH_CONNECTING_SIGN;
- // FIXME, WIP: crc32 is just scaffolding
- auto sig_frame = AuthSignatureFrame::Encode(pre_auth.rxbuf.crc32c(-1));
+ const auto sig = auth_meta->session_key.empty() ? sha256_digest_t() :
+ auth_meta->session_key.hmac_sha256(cct, pre_auth.rxbuf);
+ auto sig_frame = AuthSignatureFrame::Encode(sig);
 pre_auth.enabled = false;
 pre_auth.rxbuf.clear();
 return WRITE(sig_frame, "auth signature", read_frame);
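Review bot: `ceph::crypto::init(cct);` in the ProtocolV2 constructor runs once per connection object rather than once per process, so it is only correct if init is idempotent and cheap on repeated calls; I believe it is guarded, but that contract is not visible in this hunk, so please confirm. A one-line comment would record the intent for the next reader: `// idempotent; guarantees the crypto backend is ready before hmac_sha256 is used on this connection`. The constructor's initializer list starts above the hunk.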
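Review bot: When `auth_meta->session_key.empty()` the signature degrades to a constant `sha256_digest_t()`, and handle_auth_signature accepts that same constant from the peer, so for key-less authentication the pre-auth exchange is not integrity-protected at all — the check only confirms that both sides agree there is no key. That is presumably intended for authentication modes that yield no session key, but it is a deliberate downgrade and deserves a comment at each of the three copies (here, in finish_auth and in handle_auth_signature): `// no session key (key-less auth): the pre-auth exchange cannot be authenticated; both peers send a zero digest so the frame format stays uniform`. A debug-level log on that fall-back path would also let an operator see when a connection's pre-auth phase ran unauthenticated. The enclosing handle_auth_done starts above the hunk.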
@@ -2188,8 +2190,9 @@ CtPtr ProtocolV2::finish_auth()
 session_stream_handlers = \
 ceph::crypto::onwire::rxtx_t::create_handler_pair(cct, *auth_meta, true);
- // FIXME, WIP: crc32 is just scaffolding
- auto sig_frame = AuthSignatureFrame::Encode(pre_auth.rxbuf.crc32c(-1));
+ const auto sig = auth_meta->session_key.empty() ? sha256_digest_t() :
+ auth_meta->session_key.hmac_sha256(cct, pre_auth.rxbuf);
+ auto sig_frame = AuthSignatureFrame::Encode(sig);
 pre_auth.enabled = false;
 pre_auth.rxbuf.clear();
 return WRITE(sig_frame, "auth signature", read_frame);
@@ -2223,7 +2226,8 @@ CtPtr ProtocolV2::handle_auth_signature(ceph::bufferlist &payload)
 auto sig_frame = AuthSignatureFrame::Decode(payload);
- const auto actual_tx_sig = pre_auth.txbuf.crc32c(-1);
+ const auto actual_tx_sig = auth_meta->session_key.empty() ?
+ sha256_digest_t() : auth_meta->session_key.hmac_sha256(cct, pre_auth.txbuf);
 if (sig_frame.signature() != actual_tx_sig) {
 ldout(cct, 2) << __func__ << " pre-auth signature mismatch"
 << " actual_tx_sig=" << actual_tx_sig
diff --git a/src/msg/async/frames_v2.h b/src/msg/async/frames_v2.h
index f58358f8993..9975b74aa9f 100644
--- a/src/msg/async/frames_v2.h
+++ b/src/msg/async/frames_v2.h
@@ -474,13 +474,12 @@ protected:
 struct AuthSignatureFrame : public ControlFrame { + sha256_digest_t> { static const Tag tag = Tag::AUTH_SIGNATURE; using ControlFrame::Encode; using ControlFrame::Decode; - inline uint32_t &signature() { return get_val<0>(); } + inline sha256_digest_t &signature() { return get_val<0>(); } protected: using ControlFrame::ControlFrame;
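Review bot: The two-line ternary computing `sig` is a verbatim copy of the one in handle_auth_done, and handle_auth_signature carries a third copy over `pre_auth.txbuf`; the empty-key rule should live in one place so a later policy change (for example refusing to sign without a key) cannot miss a copy. A small file-local helper taking `cct`, the key and the buffer, documented with the empty-key behaviour, reduces each call site to a single line. finish_auth begins above the hunk, and the helper below assumes `hmac_sha256` is a const member as it is called through a const reference.

```cpp
// Pre-auth signature over the recorded pre-auth bytes.  Without a session key the
// exchange cannot be authenticated; both peers then send a zero digest.
static sha256_digest_t pre_auth_signature(CephContext *cct, const CryptoKey &key,
                                          const ceph::bufferlist &buf)
{
  return key.empty() ? sha256_digest_t() : key.hmac_sha256(cct, buf);
}
// … unchanged: finish_auth up to the session_stream_handlers assignment …
  const auto sig = pre_auth_signature(cct, auth_meta->session_key, pre_auth.rxbuf);
  auto sig_frame = AuthSignatureFrame::Encode(sig);
```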
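Review bot: `sig_frame.signature() != actual_tx_sig` checks a peer-supplied MAC against the expected one with sha256_digest_t's inequality operator, which is presumably an early-exit byte comparison rather than a fixed-time one; the exposure is small because the MAC key is the already-established session key, but MAC verification conventionally uses a constant-time compare, so either switch to one or record the reasoning in a comment such as `// compare timing is not treated as sensitive here: the key is the shared session key, not a value the peer is guessing`. The mismatch log on the following context lines prints the expected `actual_tx_sig` at level 2; now that it is a keyed MAC rather than a CRC, logging only the received value or a truncated form would be the more cautious choice. handle_auth_signature continues below the hunk.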