From: Patrick Donnelly Date: Thu, 29 May 2025 15:57:55 +0000 (-0400) Subject: auth: check service key is valid before decryption X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=9790359a31ba47c7e619569c2f3e9b29fd32b1dd;p=ceph-ci.git auth: check service key is valid before decryption CryptoKey::empty is the correct mechanism to check for an invalid key (and this is codified elsewhere, fixed in this commit). Decryption would fail with an abort if the key handler was unset. This would happen after rotating the "mon." key and then restarting one of the mons. Signed-off-by: Patrick Donnelly (cherry picked from commit ece656cf6703b2aca03c186a74901add49316d1b) --- diff --git a/src/auth/Crypto.h b/src/auth/Crypto.h index c12d316fa0e..3abd38ca7b1 100644 --- a/src/auth/Crypto.h +++ b/src/auth/Crypto.h @@ -184,13 +184,13 @@ public: int encrypt(CephContext *cct, const ceph::buffer::list& in, ceph::buffer::list& out, std::string *error) const { - ceph_assert(ckh); // Bad key? + ceph_assert(!empty()); // Bad key? return ckh->encrypt(cct, in, out, error); } int decrypt(CephContext *cct, const ceph::buffer::list& in, ceph::buffer::list& out, std::string *error) const { - ceph_assert(ckh); // Bad key? + ceph_assert(!empty()); // Bad key? return ckh->decrypt(cct, in, out, error); } @@ -199,17 +199,17 @@ public: std::size_t encrypt(CephContext *cct, const in_slice_t& in, const out_slice_t& out) { - ceph_assert(ckh); + ceph_assert(!empty()); // Bad key? return ckh->encrypt(cct, in, out); } std::size_t decrypt(CephContext *cct, const in_slice_t& in, const out_slice_t& out) { - ceph_assert(ckh); + ceph_assert(!empty()); // Bad key? return ckh->encrypt(cct, in, out); } sha256_digest_t hmac_sha256(CephContext*, const ceph::buffer::list& in) const { - ceph_assert(ckh); + ceph_assert(!empty()); // Bad key? return ckh->hmac_sha256(in); } diff --git a/src/auth/cephx/CephxProtocol.cc b/src/auth/cephx/CephxProtocol.cc index e216dc3ed99..ff105c7b923 100644 
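Review bot: In the bufferlist `encrypt` and `decrypt` overloads the guard is now `ceph_assert(!empty())` while the next line still dereferences `ckh`, and the `// Bad key?` comment does not tell a caller how to avoid the abort. The definition of `empty()` is outside this hunk, so the guard is only sound if `empty()` is true whenever `ckh` is unset; that invariant is worth stating in place of the current comment, e.g. `// Precondition: !empty() (ckh is set); callers must check empty() first, this aborts otherwise`. Both overloads already take `std::string *error` and return `int`, so reporting the bad key through them instead of asserting would keep a missed caller check from taking the daemon down, though that may be more than this commit intends. The same applies to the three asserts in the next hunk (slice `encrypt`/`decrypt` and `hmac_sha256`).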
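Review bot: The slice-based `decrypt(CephContext *cct, const in_slice_t& in, const out_slice_t& out)` in this hunk still returns `ckh->encrypt(cct, in, out)`, so it runs the handler's encrypt path instead of decrypting. The line is unchanged context, but the commit edits the assert directly above it, so this is a natural place to fix what looks like a copy-paste slip: `return ckh->decrypt(cct, in, out);`. This assumes the key handler offers a matching slice `decrypt` overload, which the hunk does not show.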
--- a/src/auth/cephx/CephxProtocol.cc +++ b/src/auth/cephx/CephxProtocol.cc @@ -89,7 +89,7 @@ bool cephx_build_service_ticket_blob(CephContext *cct, const CephXSessionAuthInf ldout(cct, 10) << "build_service_ticket service " << info << dendl; blob.secret_id = info.secret_id; std::string error; - if (!info.service_secret.get_secret().length()) + if (info.service_secret.empty()) error = "invalid key"; // Bad key? else encode_encrypt_enc_bl(cct, ticket_info, info.service_secret, blob.blob, error); @@ -498,7 +498,7 @@ bool cephx_verify_authorizer(CephContext *cct, const KeyStore& keys, ldout(cct, 30) << __func__ << ": got secret " << service_secret << dendl; std::string error; - if (!service_secret.get_secret().length()) + if (service_secret.empty()) error = "invalid key"; // Bad key? else decode_decrypt_enc_bl(cct, ticket_info, service_secret, ticket.blob, error); @@ -518,9 +518,13 @@ bool cephx_verify_authorizer(CephContext *cct, const KeyStore& keys, // CephXAuthorize CephXAuthorize auth_msg; - if (decode_decrypt(cct, auth_msg, ticket_info.session_key, indata, error)) { - ldout(cct, 0) << "verify_authorizercould not decrypt authorize request with error: " - << error << dendl; + if (ticket_info.session_key.empty()) { + error = "session key is invalid"; + } else if (!decode_decrypt(cct, auth_msg, ticket_info.session_key, indata, error)) { + error = ""; + } + if (!error.empty()) { + ldout(cct, 0) << __func__ << ": could not decrypt authorize request: " << error << dendl; return false; }
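Review bot: The context line `ldout(cct, 30) << __func__ << ": got secret " << service_secret << dendl;` just above the new `empty()` check in the second hunk of this file streams the service key object into the debug log. If the stream operator for the key type prints key material (its definition is not visible here), the service secret ends up readable by anyone who can read a level-30 log. Logging the key's state is enough for diagnosing the rotation case this commit targets, e.g. `<< ": got secret, empty=" << service_secret.empty() << dendl;`. `cephx_verify_authorizer` begins and ends outside this hunk.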
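Review bot: In the rewritten `CephXAuthorize` block of the last hunk, failure is decided only by `error` being non-empty; the return value of `decode_decrypt` is used solely to clear `error` on success. The removed line treated a non-zero return as failure, so if any path inside `decode_decrypt` (not visible here) returns non-zero without filling `error`, verification would now continue with an `auth_msg` that was never decrypted. Keeping the return code authoritative closes that gap and drops the `error = "";` branch: `} else if (decode_decrypt(cct, auth_msg, ticket_info.session_key, indata, error) && error.empty()) { error = "decryption failed"; }`. The enclosing function starts and ends outside this hunk.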