From 1a8d910103086b4d066b6224b68d4765f225af34 Mon Sep 17 00:00:00 2001 From: Yehuda Sadeh Date: Mon, 21 Sep 2009 11:03:05 -0700 Subject: [PATCH] auth: more than 1 rotating key per service, key id --- src/auth/Crypto.cc | 2 +- src/auth/KeysServer.cc | 43 +++++++++++++++++++++++++++-------------- src/auth/KeysServer.h | 44 ++++++++++++++++++++++++++++++------------ src/authtool.cc | 1 + 4 files changed, 63 insertions(+), 27 deletions(-) diff --git a/src/auth/Crypto.cc b/src/auth/Crypto.cc index b3b0c7556dad8..07c7abb0a4d65 100644 --- a/src/auth/Crypto.cc +++ b/src/auth/Crypto.cc @@ -25,7 +25,7 @@ static int get_random_bytes(int len, bufferlist& out) { char buf[len]; char *t = buf; - int fd = ::open("/dev/random", O_RDONLY); + int fd = ::open("/dev/urandom", O_RDONLY); int l = len; if (fd < 0) return -errno; diff --git a/src/auth/KeysServer.cc b/src/auth/KeysServer.cc index e9382165fd3ad..9de7b78b8c042 100644 --- a/src/auth/KeysServer.cc +++ b/src/auth/KeysServer.cc @@ -38,9 +38,19 @@ static void hexdump(string msg, const char *s, int len) dout(0) << msg << ":\n" << buf << dendl; } -bool KeysServerData::get_service_secret(uint32_t service_id, RotatingSecret& secret) +void RotatingSecrets::add(ExpiringCryptoKey& key) { - map::iterator iter = rotating_secrets.find(service_id); + secrets[++max_ver] = key; + + while (secrets.size() > KEY_ROTATE_NUM) { + map::iterator iter = secrets.lower_bound(0); + secrets.erase(iter); + } +} + +bool KeysServerData::get_service_secret(uint32_t service_id, RotatingSecrets& secret) +{ + map::iterator iter = rotating_secrets.find(service_id); if (iter == rotating_secrets.end()) return false; 
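Review bot: `get_random_bytes` still declares `char buf[len]` from an unchecked signed `len` on the line before the changed `open()`, so a zero or negative length is undefined behaviour before a single byte is read; add `if (len <= 0) return -EINVAL;` ahead of the array (errno constants are already in use here via `-errno`). The switch to `/dev/urandom` is the right call for a long-running key server, since `/dev/random` can stall the daemon on the kernel's entropy estimate for no gain once the pool is seeded, but it deserves a comment so it is not "fixed" back later, e.g. `// urandom: non-blocking kernel CSPRNG; /dev/random would block the daemon for no security benefit`. The one caveat worth recording is that on older kernels urandom returns output before the pool is seeded at very early boot, which presumably does not apply to a service started after userland init. The read loop that consumes `fd` continues past the end of the hunk.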
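Review bot: `RotatingSecrets::add` takes `ExpiringCryptoKey& key` by non-const reference although it only copies it into `secrets`; declare it `void RotatingSecrets::add(const ExpiringCryptoKey& key)` (and in the header) so temporaries can be passed and the intent is clear. `secrets.lower_bound(0)` in the eviction loop is just `secrets.begin()`, and spelling it that way makes it obvious the lowest id is the one dropped. Erasing the oldest entry removes it from the map, but whether the key bytes themselves are scrubbed depends on CryptoKey's destructor, which is not visible here; if it does not zero its buffer, consider wiping before `erase`. `get_service_secret` continues past the end of the hunk.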
@@ -86,25 +96,30 @@ void KeysServer::_generate_all_rotating_secrets() dout(0) << "generated: " << dendl; - map::iterator iter = data.rotating_secrets.begin(); + map::iterator iter = data.rotating_secrets.begin(); for (; iter != data.rotating_secrets.end(); ++iter) { dout(0) << "service id: " << iter->first << dendl; - RotatingSecret& key = iter->second; - bufferptr bp = key.secret.get_secret(); - hexdump("key", bp.c_str(), bp.length()); - dout(0) << "expiration: " << key.expiration << dendl; + RotatingSecrets& key = iter->second; + + map::iterator mapiter = key.secrets.begin(); + for (; mapiter != key.secrets.end(); ++mapiter) { + dout(0) << " id: " << mapiter->first << dendl; + bufferptr bp = mapiter->second.key.get_secret(); + hexdump(" key", bp.c_str(), bp.length()); + dout(0) << " expiration: " << mapiter->second.expiration << dendl; + } } } void KeysServer::_rotate_secret(uint32_t service_id) { - RotatingSecret secret; - generate_secret(secret.secret); - secret.expiration = g_clock.now(); - secret.expiration += (KEY_ROTATE_TIME * 3); - - data.add_rotating_secret(service_id, secret); + ExpiringCryptoKey ek; + generate_secret(ek.key); + ek.expiration = g_clock.now(); + ek.expiration += (KEY_ROTATE_TIME * 3); + + data.add_rotating_secret(service_id, ek); } void KeysServer::rotate_timeout(double timeout) @@ -123,7 +138,7 @@ bool KeysServer::get_secret(EntityName& name, CryptoKey& secret) return data.get_secret(name, secret); } -bool KeysServer::get_service_secret(uint32_t service_id, RotatingSecret& secret) +bool KeysServer::get_service_secret(uint32_t service_id, RotatingSecrets& secret) { Mutex::Locker l(lock); diff --git a/src/auth/KeysServer.h b/src/auth/KeysServer.h index 1c885c7befad7..ae2f9b38a69b1 100644 --- a/src/auth/KeysServer.h +++ b/src/auth/KeysServer.h 
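Review bot: the inner loop in `_generate_all_rotating_secrets` now hexdumps every live rotating key for every service at `dout(0)`, the lowest debug level, so session-key material ends up in the monitor log and in anything that ships those logs. Drop the `hexdump(" key", bp.c_str(), bp.length());` line, or gate it behind a high debug level and log only `mapiter->first` and the expiration. In `_rotate_secret`, `ek.expiration = now + KEY_ROTATE_TIME * 3` only lines up with the `KEY_ROTATE_NUM` keys kept per service as long as the two constants stay in step; a comment such as `// lifetime == KEY_ROTATE_NUM rotations, so a key expires as it is evicted` would keep the next edit honest. The hunk ends on the `rotate_timeout` signature, whose body is outside it.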
@@ -22,21 +22,41 @@ #include "Auth.h" #define KEY_ROTATE_TIME 5 +#define KEY_ROTATE_NUM 3 -struct RotatingSecret { - CryptoKey secret; +struct ExpiringCryptoKey { + CryptoKey key; utime_t expiration; void encode(bufferlist& bl) const { - ::encode(secret, bl); + ::encode(key, bl); ::encode(expiration, bl); } void decode(bufferlist::iterator& bl) { - ::decode(secret, bl); + ::decode(key, bl); ::decode(expiration, bl); } }; -WRITE_CLASS_ENCODER(RotatingSecret); +WRITE_CLASS_ENCODER(ExpiringCryptoKey); + + + +struct RotatingSecrets { + map secrets; + version_t max_ver; + + void encode(bufferlist& bl) const { + ::encode(secrets, bl); + ::encode(max_ver, bl); + } + void decode(bufferlist::iterator& bl) { + ::decode(secrets, bl); + ::decode(max_ver, bl); + } + + void add(ExpiringCryptoKey& key); +}; +WRITE_CLASS_ENCODER(RotatingSecrets); struct KeysServerData { @@ -47,7 +67,7 @@ struct KeysServerData { map secrets; /* for each service type */ - map rotating_secrets; + map rotating_secrets; KeysServerData() : version(0), rotating_ver(0) {} @@ -79,11 +99,11 @@ struct KeysServerData { secrets.erase(iter); } - void add_rotating_secret(uint32_t service_id, RotatingSecret& secret) { - rotating_secrets[service_id] = secret; + void add_rotating_secret(uint32_t service_id, ExpiringCryptoKey& key) { + rotating_secrets[service_id].add(key); } - bool get_service_secret(uint32_t service_id, RotatingSecret& secret); + bool get_service_secret(uint32_t service_id, RotatingSecrets& secret); bool get_secret(EntityName& name, CryptoKey& secret); map::iterator secrets_begin() { return secrets.begin(); } @@ -123,7 +143,7 @@ public: void rotate_timeout(double timeout); /* get current secret for specific service type */ - bool get_service_secret(uint32_t service_id, RotatingSecret& service_key); + bool get_service_secret(uint32_t service_id, RotatingSecrets& service_key); bool generate_secret(EntityName& name, CryptoKey& secret); 
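Review bot: `RotatingSecrets` declares `version_t max_ver` with no constructor, and `KeysServerData::add_rotating_secret` creates entries via `rotating_secrets[service_id].add(key)`, so the first `add` executes `secrets[++max_ver]` on an indeterminate value and the key id assigned to the first secret of every service is undefined behaviour. Give the struct a constructor, `RotatingSecrets() : max_ver(0) {}`, matching how `KeysServerData() : version(0), rotating_ver(0) {}` initialises its counters in the next hunk. `add` should also take `const ExpiringCryptoKey& key`. A short comment on the struct, `// newest KEY_ROTATE_NUM keys for one service; ids are monotonic, max_ver is the current one`, would document the invariant that encode/decode carry across restarts.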
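Review bot: the comment `/* get current secret for specific service type */` above the changed `get_service_secret` declaration is now misleading: the function copies out the whole `RotatingSecrets` (up to KEY_ROTATE_NUM keys plus `max_ver`), and the caller must select among them. Reword it to `/* copy out all live rotating secrets for a service type; callers pick by key id, max_ver being the newest */` so nobody treats the result as a single key.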
@@ -155,9 +175,9 @@ public: data.remove_secret(name); } - void add_rotating_secret(uint32_t service_id, RotatingSecret& secret) { + void add_rotating_secret(uint32_t service_id, ExpiringCryptoKey& key) { Mutex::Locker l(lock); - data.add_rotating_secret(service_id, secret); + data.add_rotating_secret(service_id, key); } void clone_to(KeysServerData& dst) { Mutex::Locker l(lock); diff --git a/src/authtool.cc b/src/authtool.cc index 7165ba8ad8526..822f40a72d59b 100644 --- a/src/authtool.cc +++ b/src/authtool.cc @@ -18,6 +18,7 @@ using namespace std; #include "common/common_init.h" #include "auth/Crypto.h" +#include "auth/KeysServer.h" void usage() { -- 2.39.5