From 2d237693a4414138d1ac5161d0de52cfe72f9082 Mon Sep 17 00:00:00 2001 From: anwleung Date: Fri, 23 Feb 2007 00:22:12 +0000 Subject: [PATCH] Resolved some capability generation issues git-svn-id: https://ceph.svn.sf.net/svnroot/ceph@1118 29311d96-e01e-0410-9327-a35deaab8ce9 --- .../aleung/security1/ceph/client/Client.cc | 18 ++-- .../aleung/security1/ceph/crypto/CryptoLib.h | 2 +- .../aleung/security1/ceph/crypto/ExtCap.h | 66 +------------- .../aleung/security1/ceph/crypto/Ticket.h | 91 ++++++++++++------- .../aleung/security1/ceph/crypto/driver.cc | 16 ++++ branches/aleung/security1/ceph/mds/CInode.h | 4 +- branches/aleung/security1/ceph/mds/Locker.cc | 48 +++++----- branches/aleung/security1/ceph/mds/Server.cc | 14 --- .../ceph/messages/MClientAuthUserAck.h | 1 + .../security1/ceph/mon/ClientMonitor.cc | 20 +--- 10 files changed, 117 insertions(+), 163 deletions(-) diff --git a/branches/aleung/security1/ceph/client/Client.cc b/branches/aleung/security1/ceph/client/Client.cc index 2f3e532a03e77..cf8d93b67aa8a 100644 --- a/branches/aleung/security1/ceph/client/Client.cc +++ b/branches/aleung/security1/ceph/client/Client.cc @@ -642,6 +642,9 @@ void Client::handle_auth_user_ack(MClientAuthUserAck *m) // ** user_ticket[uid] = m->getTicket(); + // verify the ticket + assert(user_ticket[uid]->verif_ticket(monmap->get_key())); + // wait up the waiter(s) // this signals all ticket waiters for (list::iterator p = ticket_waiter_cond[uid].begin(); @@ -687,20 +690,16 @@ Ticket *Client::get_user_ticket(uid_t uid, gid_t gid) dout(10) << "get_user_ticket waiting for ticket for uid " << uid << endl; } - cout << "Ready to wait for reply" << endl; // wait for reply ticket_waiter_cond[uid].push_back( &cond ); - cout << "Waiting for a Wait" << endl; // naively assume we'll get a ticket FIXME while (user_ticket.count(uid) == 0) { - cout << "user_ticket.count(uid) = " << user_ticket.count(uid) << endl; cond.Wait(client_lock); } - cout << "Did I break the loop?" << endl; } - cout << "About to leave sending request function" << endl; + // inc ref count user_ticket_ref[uid]++; return user_ticket[uid]; @@ -2438,14 +2437,11 @@ int Client::open(const char *relpath, int flags, __int64_t uid, __int64_t gid) cout << "Received a " << ext_cap.mode() << " capability for uid: " << ext_cap.get_uid() << " for inode: " << ext_cap.get_ino() << endl; - - if (reply->get_ext_cap().verif_extcap(monmap->get_key())) - cout << "Verified the signature correctly" << endl; - else - cout << "Failed to verify the signature" << endl; + + assert(ext_cap.verif_extcap(monmap->get_key())); // cache it - //f->inode->set_ext_cap(uid, ext_cap); + f->inode->set_ext_cap(uid, ext_cap); assert(reply->get_file_caps_seq() >= f->inode->caps[mds].seq); if (reply->get_file_caps_seq() > f->inode->caps[mds].seq) { diff --git a/branches/aleung/security1/ceph/crypto/CryptoLib.h b/branches/aleung/security1/ceph/crypto/CryptoLib.h index 418687297dd6c..9521f5b8d0339 100644 --- a/branches/aleung/security1/ceph/crypto/CryptoLib.h +++ b/branches/aleung/security1/ceph/crypto/CryptoLib.h @@ -47,7 +47,7 @@ namespace CryptoLib { enum {MD5DIGESTSIZE=16, SHA1DIGESTSIZE=20, SHA256DIGESTSIZE=32, SHA384DIGESTSIZE=48, SHA512DIGESTSIZE=64}; enum {RJ128KEYSIZE=16, RJBLOCKSIZE=16, RC5KEYSIZE=16, RC5BLOCKSIZE=8}; - enum {ESIGNSIGSIZE=192}; + enum {ESIGNSIGSIZE=192, ESIGNKEYSIZE=404}; typedef CryptoPP::SecByteBlock SigBuf; typedef CryptoPP::FixedSizeSecBlock FixedSigBuf; diff --git a/branches/aleung/security1/ceph/crypto/ExtCap.h b/branches/aleung/security1/ceph/crypto/ExtCap.h index f2d4365dc9541..74fc26c1e5116 100644 --- a/branches/aleung/security1/ceph/crypto/ExtCap.h +++ b/branches/aleung/security1/ceph/crypto/ExtCap.h @@ -41,6 +41,8 @@ private: SigBuf signature; public: + friend class Client; + friend class OSD; // default constructor, should really not be used ExtCap() {} @@ -93,24 +95,6 @@ public: // FYI, you should resign the cap after this void set_mode(int new_mode) { data.mode = new_mode; } - /* - SigBuf get_sig() { - if (sigConverted) - return signature; - signature.Assign(allocSig.data(), allocSig.size()); - sigConverted = true; - return signature; - } - - FixedSigBuf get_fixed_sig() { - return allocSig; - } - - FixedSigBuf *get_fixed_sig_ptr( ){ - return &allocSig; - } - */ - const cap_data_t* get_data() const { return (&data); } @@ -131,9 +115,6 @@ public: //toHex(capArray, hexArray, sizeof(capArray), sizeof(capArray)); //cout << "Signed content capArray hex: " << endl << string((const char*)hexArray,sizeof(hexArray)) << endl; - //cout << "SIGNATURE SIZE: " << signature.size() << endl; - //allocSig.Assign(signature,signature.size()); - //byte hexTest[sizeof(sigArray)]; //memset(hexTest, 0x00, sizeof(sigArray)); //toHex(sigArray, hexTest, sizeof(sigArray), sizeof(sigArray)); @@ -144,10 +125,10 @@ public: byte capArray[sizeof(data)]; memcpy(capArray, &data, sizeof(data)); - //byte hexArray[sizeof(capArray)]; + //byte hexArray[sizeof(sigArray)]; //memset(hexArray, 0x00, sizeof(hexArray)); - //toHex(capArray, hexArray, sizeof(capArray), sizeof(capArray)); - //cout << "Verified content capArray hex: " << endl << string((const char*)hexArray,sizeof(hexArray)) << endl; + //toHex(sigArray, hexArray, sizeof(sigArray), sizeof(sigArray)); + //cout << "Verified signature hex: " << endl << string((const char*)hexArray,sizeof(hexArray)) << endl; signature.Assign(sigArray, sizeof(sigArray)); @@ -155,52 +136,15 @@ public: } void _encode(bufferlist& bl) { - /* - bl.append((char*)&(data.id), sizeof(data.id)); - bl.append((char*)&(data.t_s), sizeof(data.t_s)); - bl.append((char*)&(data.t_e), sizeof(data.t_e)); - bl.append((char*)&(data.mode), sizeof(data.mode)); - bl.append((char*)&(data.comp), sizeof(data.comp)); - bl.append((char*)&(data.uid), sizeof(data.uid)); - bl.append((char*)&(data.gid), sizeof(data.gid)); - bl.append((char*)&(data.ino), sizeof(data.ino)); - */ bl.append((char*)&(data), sizeof(data)); - //bl.append((char*)((void*)allocSig), sizeof(allocSig)); bl.append((char*)sigArray, sizeof(sigArray)); - - //::_encode(user_rhash, bl); - //::_encode(file_rhash, bl); } void _decode(bufferlist& bl, int& off) { - /* - bl.copy(off, sizeof(data.id), (char*)&(data.id)); - off += sizeof(data.id); - bl.copy(off, sizeof(data.t_s), (char*)&(data.t_s)); - off += sizeof(data.t_s); - bl.copy(off, sizeof(data.t_e), (char*)&(data.t_e)); - off += sizeof(data.t_e); - bl.copy(off, sizeof(data.mode), (char*)&(data.mode)); - off += sizeof(data.mode); - bl.copy(off, sizeof(data.comp), (char*)&(data.comp)); - off += sizeof(data.comp); - bl.copy(off, sizeof(data.uid), (char*)&(data.uid)); - off += sizeof(data.uid); - bl.copy(off, sizeof(data.gid), (char*)&(data.gid)); - off += sizeof(data.gid); - bl.copy(off, sizeof(data.ino ), (char*)&(data.ino )); - off += sizeof(data.ino); - */ bl.copy(off, sizeof(data), (char*)&(data)); off += sizeof(data); - //bl.copy(off, sizeof(allocSig), (char*)((void*)allocSig)); - //off += sizeof(allocSig); bl.copy(off, sizeof(sigArray), (char*)sigArray); off += sizeof(sigArray); - - //::_decode(user_rhash, bl, off); - //::_decode(file_rhash, bl, off); } }; diff --git a/branches/aleung/security1/ceph/crypto/Ticket.h b/branches/aleung/security1/ceph/crypto/Ticket.h index fe9b6a3987972..c50198d981d8b 100644 --- a/branches/aleung/security1/ceph/crypto/Ticket.h +++ b/branches/aleung/security1/ceph/crypto/Ticket.h @@ -25,24 +25,27 @@ class Ticket { utime_t t_s; utime_t t_e; // shared key IV - // needs to be converted back to a byte arry to be used - string iv; - string username; - string pubKey; + byte iv[RJBLOCKSIZE]; + char pubKey[ESIGNKEYSIZE]; + //string iv; + //string username; + //string pubKey; }; ident_t identity; - esignPub realKey; - FixedSigBuf allocSig; - SigBuf signature; + byte sigArray[ESIGNSIGSIZE]; + esignPub realPubKey; + //FixedSigBuf allocSig; + //SigBuf signature; bool keyConverted; - bool sigConverted; + //bool sigConverted; public: friend class Monitor; friend class MDS; public: - Ticket () : keyConverted(false), sigConverted(false) { } + Ticket () : keyConverted(false) { } + /* Ticket(uid_t u, gid_t g, utime_t s, utime_t e, string initVec, string user, string key) { identity.uid = u; @@ -55,6 +58,20 @@ public: keyConverted = false; sigConverted = false; } + */ + // take the key as a string and convert it automatically + // assume the IV is the correct size + Ticket(uid_t u, gid_t g, byte *initVec, esignPub key) { + identity.uid = u; + identity.gid = g; + identity.t_s = g_clock.now(); + identity.t_e = identity.t_s; + identity.t_e += 3600; + //identity.t_s = s; + //identity.t_e = e; + memcpy(identity.iv, initVec, sizeof(identity.iv)); + memcpy(identity.pubKey, pubToString(key).c_str(), sizeof(identity.pubKey)); + } ~Ticket() { } @@ -64,17 +81,20 @@ public: uid_t get_uid() const { return identity.uid; } uid_t get_gid() const { return identity.gid; } - const string& get_iv() { return identity.iv; } + //const string& get_iv() { return identity.iv; } + void get_iv(byte* arg) { + memcpy(arg, identity.iv, sizeof(identity.iv)); + } - const string& get_str_key() { return identity.pubKey; } esignPub get_key() { if (keyConverted) - return realKey; - realKey = _fromStr_esignPubKey(identity.pubKey); + return realPubKey; + realPubKey = _fromStr_esignPubKey(string(identity.pubKey, + sizeof(identity.pubKey))); keyConverted = true; - return realKey; + return realPubKey; } - + /* SigBuf get_sig() { if (sigConverted) return signature; @@ -82,24 +102,28 @@ public: sigConverted = true; return signature; } - + */ void sign_ticket(esignPriv privKey) { byte ticketArray[sizeof(identity)]; memcpy(ticketArray, &identity, sizeof(identity)); + SigBuf signature; signature = esignSig(ticketArray, sizeof(identity), privKey); - allocSig.Assign(signature,signature.size()); + //allocSig.Assign(signature,signature.size()); + assert(signature.size() == ESIGNSIGSIZE); + memcpy(sigArray, signature.data(), signature.size()); } bool verif_ticket (esignPub pubKey) { byte ticketArray[sizeof(identity)]; memcpy(ticketArray, &identity, sizeof(identity)); - signature.Assign(allocSig, allocSig.size()); + SigBuf signature; + signature.Assign(sigArray, sizeof(sigArray)); return esignVer(ticketArray, sizeof(identity), signature, pubKey); } void decode(bufferlist& blist, int& off) { - + /* blist.copy(off, sizeof(identity.uid), (char*)&(identity.uid)); off += sizeof(identity.uid); blist.copy(off, sizeof(identity.gid), (char*)&(identity.gid)); @@ -108,28 +132,33 @@ public: off += sizeof(identity.t_s); blist.copy(off, sizeof(identity.t_e), (char*)&(identity.t_e)); off += sizeof(identity.t_e); - blist.copy(off, sizeof(allocSig), (char*)&allocSig); - off += sizeof(allocSig); - //blist.copy(off, sizeof(identity), (char*)&identity); - //off += sizeof(identity); + */ + blist.copy(off, sizeof(identity), (char*)&identity); + off += sizeof(identity); + blist.copy(off, sizeof(sigArray), (char*)sigArray); + off += sizeof(sigArray); + //blist.copy(off, sizeof(allocSig), (char*)&allocSig); + //off += sizeof(allocSig); - _decode(identity.iv, blist, off); - _decode(identity.username, blist, off); - _decode(identity.pubKey, blist, off); + //_decode(identity.iv, blist, off); + //_decode(identity.username, blist, off); + //_decode(identity.pubKey, blist, off); } void encode(bufferlist& blist) { - + /* blist.append((char*)&(identity.uid), sizeof(identity.uid)); blist.append((char*)&(identity.gid), sizeof(identity.gid)); blist.append((char*)&(identity.t_s), sizeof(identity.t_s)); blist.append((char*)&(identity.t_e), sizeof(identity.t_e)); blist.append((char*)&allocSig, sizeof(allocSig)); - //blist.append((char*)&identity, sizeof(identity)); + */ + blist.append((char*)&identity, sizeof(identity)); + blist.append((char*)sigArray, sizeof(sigArray)); - _encode(identity.iv, blist); - _encode(identity.username, blist); - _encode(identity.pubKey, blist); + //_encode(identity.iv, blist); + //_encode(identity.username, blist); + //_encode(identity.pubKey, blist); } }; diff --git a/branches/aleung/security1/ceph/crypto/driver.cc b/branches/aleung/security1/ceph/crypto/driver.cc index 461bbf033534e..d587766af71b6 100644 --- a/branches/aleung/security1/ceph/crypto/driver.cc +++ b/branches/aleung/security1/ceph/crypto/driver.cc @@ -101,6 +101,22 @@ int main(int argc, char* argv[]) { else cout << "RE-ESIGN signature verification FAILED" << endl; + cout << "Trying to convert ESIGN pub key to byte array" << endl; + string tempString = pubToString(pubKey); + char charKey[tempString.size()]; + memcpy(charKey, tempString.c_str(), sizeof(charKey)); + byte hexKey[sizeof(charKey)]; + memset(hexKey, 0x00, sizeof(hexKey)); + toHex((byte*)charKey, hexKey, sizeof(charKey), sizeof(hexKey)); + cout << "ESIGN public key size is: " << tempString.size() << " " << sizeof(hexKey) << endl; + cout << "Hex array of ESIGN public key: " << string((const char*)hexKey, sizeof(hexKey)) << endl; + string convString(charKey, sizeof(charKey)); + esignPub testKey = _fromStr_esignPubKey(convString); + if (esignVer(signMsg, strlen((const char*)signMsg), mySignature, testKey)) + cout << "ARRAY copy KEY verified" << endl; + else + cout << "Array copy Key failed" << endl; + // RSA signature byte* rsaMsg = (byte *)"Message to sign"; char* rsaInput = "rsa1024.dat"; diff --git a/branches/aleung/security1/ceph/mds/CInode.h b/branches/aleung/security1/ceph/mds/CInode.h index 50924e91b21c9..99ba056c31309 100644 --- a/branches/aleung/security1/ceph/mds/CInode.h +++ b/branches/aleung/security1/ceph/mds/CInode.h @@ -473,11 +473,11 @@ class CInode : public LRUObject { // secure extended caps //map& get_client_extcaps() { return ext_caps; } - void add_user_extcap(uid_t user, ExtCap extcap) { + void add_user_extcap(uid_t user, ExtCap* extcap) { //if (ext_caps.empty()) // get(CINODE_PIN_CAPS); assert(ext_caps.count(user) == 0); - ext_caps[user] = extcap; + ext_caps[user] = (*extcap); } void remove_user_extcap(uid_t user) { assert(ext_caps.count(user) == 1); diff --git a/branches/aleung/security1/ceph/mds/Locker.cc b/branches/aleung/security1/ceph/mds/Locker.cc index bacfcb0f7d70b..49a82594689dc 100644 --- a/branches/aleung/security1/ceph/mds/Locker.cc +++ b/branches/aleung/security1/ceph/mds/Locker.cc @@ -193,41 +193,35 @@ ExtCap* Locker::issue_new_extcaps(CInode *in, int mode, MClientRequest *req) { int my_client = req->get_client(); uid_t my_user = req->get_caller_uid(); int my_want = 0; - // only care about reading a writing, no sync - if (mode & FILE_MODE_R) my_want |= CAP_FILE_RD; - if (mode & FILE_MODE_W) my_want |= CAP_FILE_WR; - - //ExtCap *ext_cap = in->get_user_extcap(my_user); - ExtCap *ext_cap = new ExtCap(my_want, my_user, in->ino()); - //ExtCap ext_cap(my_want, my_user, in->ino()); - //if (!ext_cap) { - cout << "Made new " << my_want << " capability for uid: " - << ext_cap->get_uid() << " for inode: " << ext_cap->get_ino()<< endl; + // issue most generic cap (RW) + my_want |= FILE_MODE_RW; - //ExtCap my_cap(my_want, my_user, in->ino()); - - // caches this capability in the inode - //in->add_user_extcap(my_user, my_cap); + // check cache + ExtCap *ext_cap = in->get_user_extcap(my_user); - //ext_cap = (&my_cap); - //ext_cap = in->get_user_extcap(my_user); + if (!ext_cap) { + // make new cap + ext_cap = new ExtCap(my_want, my_user, in->ino()); + + cout << "Made new " << my_want << " capability for uid: " + << ext_cap->get_uid() << " for inode: " << ext_cap->get_ino()<< endl; - ext_cap->sign_extcap(mds->getPrvKey()); + ext_cap->sign_extcap(mds->getPrvKey()); - if(ext_cap->verif_extcap(mds->getPubKey())) - cout << "Locker.cc::Verification succeeded" << endl; - else - cout << "Locker.cc::Verification failed" << endl; - //} + // caches this capability in the inode + in->add_user_extcap(my_user,ext_cap); + + } // we want to index based on mode, so we can cache more caps // does the cached cap have the write mode? - /*else { - cout << "Got capability from cache!!!" << endl; - if (ext_cap->mode() != mode) { + else { + cout << "Got cached " << my_want << " capability for uid: " + << ext_cap->get_uid() << " for inode: " << ext_cap->get_ino() << endl; + if (ext_cap->mode() < mode) { ext_cap->set_mode(mode); - ext_cap->clear_signature(); ext_cap->sign_extcap(mds->getPrvKey()); - }*/ + } + } return ext_cap; } diff --git a/branches/aleung/security1/ceph/mds/Server.cc b/branches/aleung/security1/ceph/mds/Server.cc index a5cbb4133034d..62d2edc1b1d18 100644 --- a/branches/aleung/security1/ceph/mds/Server.cc +++ b/branches/aleung/security1/ceph/mds/Server.cc @@ -2115,11 +2115,6 @@ void Server::handle_client_open(MClientRequest *req, // create signed security capability ExtCap *ext_cap = mds->locker->issue_new_extcaps(cur, mode, req); - if(ext_cap->verif_extcap(mds->getPubKey())) - cout << "Server.cc::first::Verification succeeded" << endl; - else - cout << "Server.cc::first::Verification failed" << endl; - if (!cap) return; // can't issue (yet), so wait! dout(12) << "open gets caps " << cap_string(cap->pending()) << " for " << req->get_source() << " on " << *cur << endl; @@ -2134,15 +2129,6 @@ void Server::handle_client_open(MClientRequest *req, // set security cap reply->set_ext_cap(ext_cap); - if(reply->get_ptr_cap()->verif_extcap(mds->getPubKey())) - cout << "Server.cc::ptr::Verification succeeded" << endl; - else - cout << "Server.cc::prr::Verification failed" << endl; - - if(reply->get_ext_cap().verif_extcap(mds->getPubKey())) - cout << "Server.cc::Verification succeeded" << endl; - else - cout << "Server.cc::Verification failed" << endl; reply_request(req, reply, cur); } diff --git a/branches/aleung/security1/ceph/messages/MClientAuthUserAck.h b/branches/aleung/security1/ceph/messages/MClientAuthUserAck.h index f291eb251bc5e..52af7302e24e4 100644 --- a/branches/aleung/security1/ceph/messages/MClientAuthUserAck.h +++ b/branches/aleung/security1/ceph/messages/MClientAuthUserAck.h @@ -26,6 +26,7 @@ class MClientAuthUserAck : public Message { } MClientAuthUserAck(Ticket *ticket) : Message(MSG_CLIENT_AUTH_USER_ACK) { myTicket = (*ticket); + } char *get_type_name() { return "client_auth_user_ack"; } diff --git a/branches/aleung/security1/ceph/mon/ClientMonitor.cc b/branches/aleung/security1/ceph/mon/ClientMonitor.cc index 498e30941dbe4..055a74237f21a 100644 --- a/branches/aleung/security1/ceph/mon/ClientMonitor.cc +++ b/branches/aleung/security1/ceph/mon/ClientMonitor.cc @@ -88,30 +88,18 @@ void ClientMonitor::handle_client_auth_user(MClientAuthUser *m) // user should be able to make new ticket eventually if (user_tickets.count(uid) == 0) { gid_t gid = m->get_gid(); - // ticket time = 60 minutes (too long? too short?) - utime_t t_s = g_clock.now(); - utime_t t_e = t_s; - t_e += 3600; - string name = "unknown"; - string key = m->get_str_key(); // create iv - char iv[RJBLOCKSIZE]; - memset(iv, 0x01, RJBLOCKSIZE); // worthless right now - string k_0 = iv; + byte iv[RJBLOCKSIZE]; + // set generic IV + memset(iv, 0x01, RJBLOCKSIZE); // create a ticket - userTicket = new Ticket(uid, gid, t_s, t_e, k_0, name, key); + userTicket = new Ticket(uid, gid, iv, m->get_key()); // sign the ticket userTicket->sign_ticket(mon->myPrivKey); - // test the verification - //if (userTicket.verif_ticket(mon->myPubKey)) - // cout << "Verification succeeded" << endl; - //else - // cout << "Verification failed" << endl; - // cache the ticket user_tickets[uid] = userTicket; } -- 2.39.5