From 2780b8d275cd1274b8c6c208938054202032ddf8 Mon Sep 17 00:00:00 2001 From: Sage Weil Date: Fri, 23 Oct 2009 11:56:53 -0700 Subject: [PATCH] auth: simplify part of initial auth handshake --- src/auth/Auth.cc | 12 ------ src/auth/Auth.h | 19 ---------- src/auth/cephx/CephxClientHandler.cc | 49 +++++++++++------------- src/auth/cephx/CephxProtocol.h | 54 +++++++++++++-------------- src/auth/cephx/CephxServiceHandler.cc | 24 ++++++------ src/auth/cephx/CephxServiceHandler.h | 1 - 6 files changed, 59 insertions(+), 100 deletions(-) diff --git a/src/auth/Auth.cc b/src/auth/Auth.cc index 49b7b545fd367..25e7638d9e27f 100644 --- a/src/auth/Auth.cc +++ b/src/auth/Auth.cc @@ -10,18 +10,6 @@ * Authentication */ -/* - * PRINCIPAL: request authentication - * - * principal_name, principal_addr. "please authenticate me." - */ -void build_authenticate_request(EntityName& principal_name, - bufferlist& request) -{ - AuthAuthenticateRequest req(principal_name); - ::encode(req, request); -} - void build_service_ticket_request(uint32_t keys, bufferlist& request) { diff --git a/src/auth/Auth.h b/src/auth/Auth.h index 5ea28ae3951b2..75fee1c9b28ef 100644 --- a/src/auth/Auth.h +++ b/src/auth/Auth.h @@ -187,9 +187,6 @@ struct SessionAuthInfo { /* * Authentication */ -extern void build_authenticate_request(EntityName& principal_name, bufferlist& request); - - extern bool build_service_ticket(SessionAuthInfo& ticket_info, bufferlist& reply); extern void build_service_ticket_request(uint32_t keys, 
@@ -199,22 +196,6 @@ extern bool build_service_ticket_reply(CryptoKey& principal_secret, vector ticket_info, bufferlist& reply); -struct AuthAuthenticateRequest { - EntityName name; - - AuthAuthenticateRequest() {} - AuthAuthenticateRequest(EntityName& principal_name) : - name(principal_name) {} - - void encode(bufferlist& bl) const { - ::encode(name, bl); - } - void decode(bufferlist::iterator& bl) { - ::decode(name, bl); - } -}; -WRITE_CLASS_ENCODER(AuthAuthenticateRequest) - struct AuthServiceTicketRequest { uint32_t keys; diff --git a/src/auth/cephx/CephxClientHandler.cc b/src/auth/cephx/CephxClientHandler.cc index 888bc8405f21d..de37605cae6e1 100644 --- a/src/auth/cephx/CephxClientHandler.cc +++ b/src/auth/cephx/CephxClientHandler.cc @@ -31,8 +31,11 @@ int CephxClientHandler::build_request(bufferlist& bl) case STATE_GETTING_MON_KEY: /* authenticate */ { - /* FIXME: init req fields */ - CephXGetMonKey req; + CephXRequestHeader header; + header.request_type = CEPHX_GET_AUTH_SESSION_KEY; + ::encode(header, bl); + + CephXAuthenticate req; req.name = client->name; CryptoKey secret; g_keyring.get_master(secret); @@ -49,13 +52,6 @@ int CephxClientHandler::build_request(bufferlist& bl) req.key ^= *p; } ::encode(req, bl); - - /* we first need to get the principle/auth session key */ - CephXRequestHeader header; - header.request_type = CEPHX_GET_AUTH_SESSION_KEY; - ::encode(header, bl); - build_authenticate_request(client->name, bl); - return 0; } break; 
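Review bot: The `/* FIXME: init req fields */` comment is dropped at the top of the STATE_GETTING_MON_KEY block, but of the three `CephXAuthenticate` fields only `name` is assigned inside this hunk; the lines between it and the `@@ -49` hunk, where `client_challenge` and the `req.key ^= *p` accumulator would be set, are not shown, so confirm both are written before `::encode(req, bl)` or the struct serializes indeterminate stack bytes. The message layout also changes from the old `CephXGetMonKey, header, AuthAuthenticateRequest` sequence to `header, CephXAuthenticate`, which matches the decode order in the CephxServiceHandler.cc hunk but deserves a one-line comment above `::encode(header, bl)`: `// wire layout: CephXRequestHeader, then CephXAuthenticate (name, client_challenge, key)`. build_request starts before this hunk and continues after it.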
@@ -64,15 +60,15 @@ int CephxClientHandler::build_request(bufferlist& bl) { dout(0) << "want=" << hex << client->want << " have=" << client->have << dec << dendl; - AuthTicketHandler& ticket_handler = client->tickets.get_handler(CEPH_ENTITY_TYPE_AUTH); - if (!ticket_handler.build_authorizer(authorizer)) - return -EINVAL; - CephXRequestHeader header; header.request_type = CEPHX_GET_PRINCIPAL_SESSION_KEY; ::encode(header, bl); - + + AuthTicketHandler& ticket_handler = client->tickets.get_handler(CEPH_ENTITY_TYPE_AUTH); + if (!ticket_handler.build_authorizer(authorizer)) + return -EINVAL; bl.claim_append(authorizer.bl); + build_service_ticket_request(client->want, bl); } break; @@ -90,23 +86,20 @@ int CephxClientHandler::handle_response(int ret, bufferlist::iterator& indata) { dout(0) << "cephx handle_response ret = " << ret << " state " << state << dendl; + if (state == STATE_START) { + CephXServerChallenge ch; + ::decode(ch, indata); + server_challenge = ch.server_challenge; + state = STATE_GETTING_MON_KEY; + return -EAGAIN; + } + + struct CephXResponseHeader header; + ::decode(header, indata); + switch (state) { - case STATE_START: - /* initialize */ - { - CephXEnvResponse1 response; - ::decode(response, indata); - server_challenge = response.server_challenge; - state = STATE_GETTING_MON_KEY; - ret = -EAGAIN; - } - break; case STATE_GETTING_MON_KEY: - /* authenticate */ { - struct CephXResponseHeader header; - ::decode(header, indata); - dout(0) << "request_type=" << hex << header.request_type << dec << dendl; dout(0) << "handle_cephx_response()" << dendl; diff --git a/src/auth/cephx/CephxProtocol.h b/src/auth/cephx/CephxProtocol.h index 4b9c67600a5c7..8ee2b714d429d 100644 --- a/src/auth/cephx/CephxProtocol.h +++ b/src/auth/cephx/CephxProtocol.h 
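Review bot: In the second case of build_request the header is now encoded into `bl` before `build_authorizer` is checked, so the `return -EINVAL` path leaves a bare `CephXRequestHeader` appended to `bl`, whereas before the move the early return left `bl` untouched. Unless every caller discards `bl` on a non-zero return (not visible here), keep the `ticket_handler` / `build_authorizer` lines above `CephXRequestHeader header;` as they were, or remove the appended header before returning. build_request starts before this hunk and continues after it.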
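Review bot: `header.request_type` in handle_response is decoded from the peer and, in the STATE_GETTING_MON_KEY case, only logged; it is never compared with the request the client sent, so a reply carrying a different op is parsed as the session-key reply. Add a check right after `::decode(header, indata)`, e.g. `if (state == STATE_GETTING_MON_KEY && header.request_type != CEPHX_GET_AUTH_SESSION_KEY) return -EINVAL;`, with the analogous CEPHX_GET_PRINCIPAL_SESSION_KEY check for the later state. The header decode now also runs for every state other than STATE_START; the remaining cases of the switch are outside the hunk, so confirm each of them previously read a header at that point. `ret` is not examined before decoding either, so if a negative `ret` from the caller means no valid reply was received, bail out before the decode.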
@@ -82,18 +82,14 @@ /* authorize requests */ #define CEPHX_OPEN_SESSION 0x0300 -#define CEPHX_REQUEST_TYPE_MASK 0x0F00 - +#define CEPHX_REQUEST_TYPE_MASK 0x0F00 #include "../Auth.h" - -/* - Ceph X-Envelope protocol -*/ -struct CephXEnvResponse1 { - uint64_t server_challenge; +// initial server -> client challenge +struct CephXServerChallenge { + __u64 server_challenge; void encode(bufferlist& bl) const { ::encode(server_challenge, bl); @@ -102,29 +98,13 @@ struct CephXEnvResponse1 { ::decode(server_challenge, bl); } }; -WRITE_CLASS_ENCODER(CephXEnvResponse1); +WRITE_CLASS_ENCODER(CephXServerChallenge); -struct CephXGetMonKey { - EntityName name; - __u64 client_challenge; - __u64 key; - - void encode(bufferlist& bl) const { - ::encode(name, bl); - ::encode(client_challenge, bl); - ::encode(key, bl); - } - void decode(bufferlist::iterator& bl) { - ::decode(name, bl); - ::decode(client_challenge, bl); - ::decode(key, bl); - } -}; -WRITE_CLASS_ENCODER(CephXGetMonKey) +// request/reply headers struct CephXRequestHeader { - uint16_t request_type; + __u16 request_type; void encode(bufferlist& bl) const { ::encode(request_type, bl); @@ -151,5 +131,25 @@ struct CephXResponseHeader { WRITE_CLASS_ENCODER(CephXResponseHeader); +struct CephXAuthenticate { + EntityName name; + __u64 client_challenge; + __u64 key; + + void encode(bufferlist& bl) const { + ::encode(name, bl); + ::encode(client_challenge, bl); + ::encode(key, bl); + } + void decode(bufferlist::iterator& bl) { + ::decode(name, bl); + ::decode(client_challenge, bl); + ::decode(key, bl); + } +}; +WRITE_CLASS_ENCODER(CephXAuthenticate) + + + #endif diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc index 474b58421b9fa..3977ab543c439 100644 --- a/src/auth/cephx/CephxServiceHandler.cc +++ b/src/auth/cephx/CephxServiceHandler.cc 
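Review bot: `CephXAuthenticate` has no constructor, so a default-constructed instance carries indeterminate `client_challenge` and `key` until the caller assigns them, and `::encode` serializes whatever is there; for a wire struct add `CephXAuthenticate() : client_challenge(0), key(0) {}` (the removed `AuthAuthenticateRequest` in Auth.h used the same initializer-list style). The same applies to `CephXServerChallenge` in the `@@ -82` hunk above, whose `server_challenge` is likewise left uninitialized. A short role comment matching the `// initial server -> client challenge` line above would also help: `// client -> server reply to CephXServerChallenge; key is computed in CephxClientHandler::build_request`.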
@@ -28,10 +28,10 @@ int CephxServiceHandler::start_session(bufferlist& result_bl) { - CephXEnvResponse1 response; + CephXServerChallenge ch; get_random_bytes((char *)&server_challenge, sizeof(server_challenge)); - response.server_challenge = server_challenge; - ::encode(response, result_bl); + ch.server_challenge = server_challenge; + ::encode(ch, result_bl); state = 1; return CEPH_AUTH_CEPHX; } @@ -43,13 +43,18 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist dout(0) << "CephxServiceHandler: handle request" << dendl; dout(0) << "state=" << state << dendl; + struct CephXRequestHeader cephx_header; + ::decode(cephx_header, indata); + + dout(0) << "op = " << cephx_header.request_type << dendl; + switch (state) { case 0: assert(0); break; case 1: { - CephXGetMonKey req; + CephXAuthenticate req; ::decode(req, indata); entity_name = req.name; @@ -81,22 +86,17 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist } dout(0) << "CEPHX_GET_AUTH_SESSION_KEY" << dendl; - struct CephXRequestHeader cephx_header; - ::decode(cephx_header, indata); - - AuthAuthenticateRequest areq; - ::decode(areq, indata); CryptoKey session_key; SessionAuthInfo info; CryptoKey principal_secret; - if (key_server->get_secret(areq.name, principal_secret) < 0) { + if (key_server->get_secret(req.name, principal_secret) < 0) { ret = -EPERM; break; } - info.ticket.name = areq.name; + info.ticket.name = req.name; info.ticket.init_timestamps(g_clock.now(), g_conf.auth_mon_ticket_ttl); key_server->generate_secret(session_key); @@ -122,8 +122,6 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist case 2: { - struct CephXRequestHeader cephx_header; - ::decode(cephx_header, indata); dout(0) << "CEPHX_GET_PRINCIPAL_SESSION_KEY " << cephx_header.request_type << dendl; bufferlist tmp_bl; diff --git a/src/auth/cephx/CephxServiceHandler.h b/src/auth/cephx/CephxServiceHandler.h index 839d02abfab00..336786e134dac 100644 
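Review bot: `cephx_header.request_type` in handle_request is now decoded from the peer before the `switch` but only logged (`op = ...`); nothing verifies it matches the op the current state expects, so in state 1 any request_type is processed as CEPHX_GET_AUTH_SESSION_KEY. Add at the top of `case 1:` `if (cephx_header.request_type != CEPHX_GET_AUTH_SESSION_KEY) { ret = -EINVAL; break; }` and the matching CEPHX_GET_PRINCIPAL_SESSION_KEY check at the top of `case 2:` in the `@@ -122` hunk. The lines between this hunk and `@@ -81`, where the client's `req.key` answer to the challenge would be verified, are not shown; handle_request continues outside the hunk.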
--- a/src/auth/cephx/CephxServiceHandler.h +++ b/src/auth/cephx/CephxServiceHandler.h @@ -32,7 +32,6 @@ public: int start_session(bufferlist& result_bl); int handle_request(bufferlist::iterator& indata, bufferlist& result_bl); - int handle_cephx_protocol(bufferlist::iterator& indata, bufferlist& result_bl); void build_cephx_response_header(int request_type, int status, bufferlist& bl); }; -- 2.39.5