From 688ee617c711c709e89f674b7400859253459bae Mon Sep 17 00:00:00 2001 From: Yehuda Sadeh Date: Mon, 9 Nov 2009 14:02:11 -0800 Subject: [PATCH] auth: verify global_id with the one on the ticket --- src/auth/Auth.h | 3 +++ src/auth/AuthClientHandler.h | 3 +++ src/auth/AuthServiceHandler.h | 5 ++++- src/auth/KeyRing.cc | 2 +- src/auth/cephx/CephxClientHandler.cc | 2 +- src/auth/cephx/CephxClientHandler.h | 5 +++++ src/auth/cephx/CephxKeyServer.cc | 1 + src/auth/cephx/CephxProtocol.cc | 14 ++++++++++++-- src/auth/cephx/CephxProtocol.h | 5 ++++- src/auth/cephx/CephxServiceHandler.cc | 4 +++- src/auth/cephx/CephxServiceHandler.h | 2 +- src/auth/none/AuthNoneClientHandler.h | 2 ++ src/auth/none/AuthNoneServiceHandler.h | 2 +- src/mon/MonClient.cc | 1 + src/mon/Monitor.cc | 4 +++- 15 files changed, 45 insertions(+), 10 deletions(-) diff --git a/src/auth/Auth.h b/src/auth/Auth.h index 995fa6ca89530..f86659b28e865 100644 --- a/src/auth/Auth.h +++ b/src/auth/Auth.h @@ -146,6 +146,7 @@ WRITE_CLASS_ENCODER(AuthCapsInfo) */ struct AuthTicket { EntityName name; + uint64_t global_id; /* global instance id */ utime_t created, renew_after, expires; AuthCapsInfo caps; __u32 flags; @@ -164,6 +165,7 @@ struct AuthTicket { __u8 v = 1; ::encode(v, bl); ::encode(name, bl); + ::encode(global_id, bl); ::encode(created, bl); ::encode(expires, bl); ::encode(caps, bl); @@ -173,6 +175,7 @@ struct AuthTicket { __u8 v; ::decode(v, bl); ::decode(name, bl); + ::decode(global_id, bl); ::decode(created, bl); ::decode(expires, bl); ::decode(caps, bl); diff --git a/src/auth/AuthClientHandler.h b/src/auth/AuthClientHandler.h index 679c909f12cc3..171b1b5a934fd 100644 --- a/src/auth/AuthClientHandler.h +++ b/src/auth/AuthClientHandler.h @@ -29,6 +29,7 @@ class AuthClientHandler; class AuthClientHandler { protected: EntityName name; + uint64_t global_id; uint32_t want; uint32_t have; uint32_t need; 
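Review bot: The new `::encode(global_id, bl)` in AuthTicket::encode changes the serialized layout while the version byte stays at `__u8 v = 1`, and the matching `::decode(global_id, bl)` in the @@ -173 hunk reads the field unconditionally without looking at `v`. If tickets written by a build without this field can still reach this decoder, every later field is shifted, so `created`, `expires` and `caps` would be filled from the wrong bytes. Setting `__u8 v = 2;` on the encode side and gating the read with `if (v >= 2) ::decode(global_id, bl); else global_id = 0;` would keep older tickets from being misparsed. Both functions continue outside their hunks.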
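Review bot: `uint64_t global_id;` is added to AuthClientHandler without an initializer, whereas the same commit gives AuthServiceHandler and CephXTicketManager constructors that set it to 0. CephxClientHandler::build_request passes this member to `build_authorizer(global_id)`, so if a request is built before `set_global_id` has run, an indeterminate value is encoded into the authorizer. The class's constructor is outside the hunk; if it does not already do so, add `global_id(0)` to its initializer list.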
@@ -71,6 +72,8 @@ public: virtual void validate_tickets() = 0; virtual bool need_tickets() = 0; + + virtual void set_global_id(uint64_t id) = 0; }; diff --git a/src/auth/AuthServiceHandler.h b/src/auth/AuthServiceHandler.h index bebefc1e3d7fc..38a470c41e8c9 100644 --- a/src/auth/AuthServiceHandler.h +++ b/src/auth/AuthServiceHandler.h @@ -23,10 +23,13 @@ class KeyServer; struct AuthServiceHandler { EntityName entity_name; + uint64_t global_id; + + AuthServiceHandler() : global_id(0) {} virtual ~AuthServiceHandler() { } - virtual int start_session(EntityName& name, bufferlist::iterator& indata, bufferlist& result) = 0; + virtual int start_session(EntityName& name, uint64_t global_id, bufferlist::iterator& indata, bufferlist& result) = 0; virtual int handle_request(bufferlist::iterator& indata, bufferlist& result, AuthCapsInfo& caps) = 0; EntityName& get_entity_name() { return entity_name; } diff --git a/src/auth/KeyRing.cc b/src/auth/KeyRing.cc index a632019befdce..b0090b1b0a699 100644 --- a/src/auth/KeyRing.cc +++ b/src/auth/KeyRing.cc @@ -36,7 +36,7 @@ bool KeyRing::load_master(const char *filename_list) string filename; list ls; get_str_list(k, ls); - int fd; + int fd = -1; for (list::iterator p = ls.begin(); p != ls.end(); p++) { fd = open(p->c_str(), O_RDONLY); if (fd >= 0) { diff --git a/src/auth/cephx/CephxClientHandler.cc b/src/auth/cephx/CephxClientHandler.cc index 9b9c39dc1d71b..fcbea034ff7c2 100644 --- a/src/auth/cephx/CephxClientHandler.cc +++ b/src/auth/cephx/CephxClientHandler.cc @@ -63,7 +63,7 @@ int CephxClientHandler::build_request(bufferlist& bl) ::encode(header, bl); CephXTicketHandler& ticket_handler = tickets.get_handler(CEPH_ENTITY_TYPE_AUTH); - authorizer = ticket_handler.build_authorizer(); + authorizer = ticket_handler.build_authorizer(global_id); if (!authorizer) return -EINVAL; bl.claim_append(authorizer->bl); diff --git a/src/auth/cephx/CephxClientHandler.h b/src/auth/cephx/CephxClientHandler.h index 3e1ad47d95f7c..7d8c7888b572b 100644 
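Review bot: The new `uint64_t global_id` parameter of `start_session` in AuthServiceHandler.h is undocumented, and no hunk in this patch shows a call to `start_session`, so the source of the value cannot be checked here. CephxServiceHandler stores it and later writes it into the ticket (`info.ticket.global_id = global_id`), which makes it the value services compare against in cephx_verify_authorizer. It should therefore be the id the monitor allocated for the session, never a field read from the client's request. A comment on the declaration such as `// global_id: id assigned by the monitor for this session; becomes AuthTicket::global_id` would state that contract. The parameter also has the same name as the new member, which forces `this->global_id = global_id` in the implementation; a distinct parameter name would avoid the shadowing.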
--- a/src/auth/cephx/CephxClientHandler.h +++ b/src/auth/cephx/CephxClientHandler.h @@ -49,6 +49,11 @@ public: void validate_tickets(); bool need_tickets(); + + void set_global_id(uint64_t id) { + global_id = id; + tickets.global_id = id; + } }; #endif diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc index a4e57c5d9d8ed..88603780452d3 100644 --- a/src/auth/cephx/CephxKeyServer.cc +++ b/src/auth/cephx/CephxKeyServer.cc @@ -333,6 +333,7 @@ bool KeyServer::get_service_caps(EntityName& name, uint32_t service_id, AuthCaps int KeyServer::_build_session_auth_info(uint32_t service_id, CephXServiceTicketInfo& auth_ticket_info, CephXSessionAuthInfo& info) { info.ticket.name = auth_ticket_info.ticket.name; + info.ticket.global_id = auth_ticket_info.ticket.global_id; info.ticket.init_timestamps(g_clock.now(), g_conf.auth_service_ticket_ttl); generate_secret(info.session_key); diff --git a/src/auth/cephx/CephxProtocol.cc b/src/auth/cephx/CephxProtocol.cc index 607be3ddf60f1..5e25825e073b4 100644 --- a/src/auth/cephx/CephxProtocol.cc +++ b/src/auth/cephx/CephxProtocol.cc @@ -208,12 +208,13 @@ bool CephXTicketManager::verify_service_ticket_reply(CryptoKey& secret, * * ticket, {timestamp}^session_key */ -CephXAuthorizer *CephXTicketHandler::build_authorizer() +CephXAuthorizer *CephXTicketHandler::build_authorizer(uint64_t global_id) { CephXAuthorizer *a = new CephXAuthorizer; a->session_key = session_key; a->nonce = ((__u64)rand() << 32) + rand(); + ::encode(global_id, a->bl); ::encode(service_id, a->bl); ::encode(ticket, a->bl); @@ -238,7 +239,7 @@ CephXAuthorizer *CephXTicketManager::build_authorizer(uint32_t service_id) return false; CephXTicketHandler& handler = iter->second; - return handler.build_authorizer(); + return handler.build_authorizer(global_id); } void CephXTicketManager::validate_tickets(uint32_t mask, uint32_t& have, uint32_t& need) 
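Review bot: The format comment above `CephXTicketHandler::build_authorizer` still ends with `ticket, {timestamp}^session_key`, but the authorizer now starts with `global_id` ahead of `service_id`. The id is written with a plain `::encode` outside the part protected by the session key, so on its own it is only a claim by the sender and becomes trustworthy once cephx_verify_authorizer has compared it with the id inside the ticket. I would update the comment to something like `global_id (cleartext, checked against the ticket), service_id, ticket, {timestamp}^session_key`. The opening lines of the comment and the end of the function are outside the hunk.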
@@ -262,8 +263,10 @@ bool cephx_verify_authorizer(KeyStore& keys, bufferlist::iterator& indata, { uint32_t service_id; uint64_t secret_id; + uint64_t global_id; CryptoKey service_secret; + ::decode(global_id, indata); ::decode(service_id, indata); ::decode(secret_id, indata); dout(10) << "verify_authorizer decrypted service_id=" << service_id << " secret_id=" << secret_id << dendl; @@ -286,6 +289,13 @@ bool cephx_verify_authorizer(KeyStore& keys, bufferlist::iterator& indata, return false; } + if (ticket_info.ticket.global_id != global_id) { + dout(0) << "verify_authorizer global_id mismatch: declared id=" << global_id << " ticket_id=" << ticket_info.ticket.global_id << dendl; + return false; + } + + dout(10) << "verify_authorizer global_id=" << global_id << dendl; + CephXAuthorize auth_msg; if (decode_decrypt(auth_msg, ticket_info.session_key, indata) < 0) { dout(0) << "verify_authorizercould not decrypt authorize request" << dendl; diff --git a/src/auth/cephx/CephxProtocol.h b/src/auth/cephx/CephxProtocol.h index e4d2d24c21df0..4e48c38e54df2 100644 --- a/src/auth/cephx/CephxProtocol.h +++ b/src/auth/cephx/CephxProtocol.h @@ -261,7 +261,7 @@ struct CephXTicketHandler { bool verify_service_ticket_reply(CryptoKey& principal_secret, bufferlist::iterator& indata); // to access the service - CephXAuthorizer *build_authorizer(); + CephXAuthorizer *build_authorizer(uint64_t global_id); bool have_key(); bool need_key(); @@ -269,6 +269,9 @@ struct CephXTicketHandler { struct CephXTicketManager { map tickets_map; + uint64_t global_id; + + CephXTicketManager() : global_id(0) {} bool verify_service_ticket_reply(CryptoKey& principal_secret, bufferlist::iterator& indata); diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc index a3384754f7f26..47ff6fa8e188e 100644 --- a/src/auth/cephx/CephxServiceHandler.cc +++ b/src/auth/cephx/CephxServiceHandler.cc 
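Review bot: The mismatch check `ticket_info.ticket.global_id != global_id` in cephx_verify_authorizer also passes when both values are 0. That is the value the constructors added in this commit use for "not set", and it is what Monitor::ms_get_authorizer puts in its own tickets (`auth_ticket_info.ticket.global_id = 0;` and `build_authorizer(0)` in the Monitor.cc hunks). If 0 is meant to be reserved for monitor-originated authorizers, a comment next to the check should say so, and a service that never expects such a ticket could reject a zero id explicitly. The function's parameter list and the rest of its body are outside the hunk, so whether the verified id is handed back to the caller cannot be seen from here.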
@@ -29,9 +29,10 @@ #undef dout_prefix #define dout_prefix *_dout << dbeginl << "cephx server " << entity_name << ": " -int CephxServiceHandler::start_session(EntityName& name, bufferlist::iterator& indata, bufferlist& result_bl) +int CephxServiceHandler::start_session(EntityName& name, uint64_t global_id, bufferlist::iterator& indata, bufferlist& result_bl) { entity_name = name; + this->global_id = global_id; get_random_bytes((char *)&server_challenge, sizeof(server_challenge)); if (!server_challenge) @@ -93,6 +94,7 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist info.ticket.init_timestamps(g_clock.now(), g_conf.auth_mon_ticket_ttl); info.ticket.name = entity_name; + info.ticket.global_id = global_id; info.validity += g_conf.auth_mon_ticket_ttl; key_server->generate_secret(session_key); diff --git a/src/auth/cephx/CephxServiceHandler.h b/src/auth/cephx/CephxServiceHandler.h index aff050b04b1ad..f03b5a32d2583 100644 --- a/src/auth/cephx/CephxServiceHandler.h +++ b/src/auth/cephx/CephxServiceHandler.h @@ -28,7 +28,7 @@ public: CephxServiceHandler(KeyServer *ks) : key_server(ks), server_challenge(0) {} ~CephxServiceHandler() {} - int start_session(EntityName& name, bufferlist::iterator& indata, bufferlist& result_bl); + int start_session(EntityName& name, uint64_t global_id, bufferlist::iterator& indata, bufferlist& result_bl); int handle_request(bufferlist::iterator& indata, bufferlist& result_bl, AuthCapsInfo& caps); void build_cephx_response_header(int request_type, int status, bufferlist& bl); }; diff --git a/src/auth/none/AuthNoneClientHandler.h b/src/auth/none/AuthNoneClientHandler.h index f45746a7b4044..ecfac4b13e590 100644 --- a/src/auth/none/AuthNoneClientHandler.h +++ b/src/auth/none/AuthNoneClientHandler.h @@ -41,6 +41,8 @@ public: void validate_tickets() { } bool need_tickets() { return false; } + + void set_global_id(uint64_t id) { global_id = id; } }; #endif 
diff --git a/src/auth/none/AuthNoneServiceHandler.h b/src/auth/none/AuthNoneServiceHandler.h index a0456d9fde59d..8aa7c019a2ee5 100644 --- a/src/auth/none/AuthNoneServiceHandler.h +++ b/src/auth/none/AuthNoneServiceHandler.h @@ -23,7 +23,7 @@ public: AuthNoneServiceHandler() {} ~AuthNoneServiceHandler() {} - int start_session(EntityName& name, bufferlist::iterator& indata, bufferlist& result_bl) { + int start_session(EntityName& name, uint64_t global_id, bufferlist::iterator& indata, bufferlist& result_bl) { entity_name = name; return CEPH_AUTH_NONE; } diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc index 387ff28017371..7626b14eb0f10 100644 --- a/src/mon/MonClient.cc +++ b/src/mon/MonClient.cc @@ -335,6 +335,7 @@ void MonClient::handle_auth(MAuthReply *m) } try { ::decode(global_id, p); + auth->set_global_id(global_id); dout(0) << "decoded global_id=" << global_id << dendl; } catch (buffer::error *err) { delete m; diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc index 7a2c85f449de5..c96bf0eaeb0bc 100644 --- a/src/mon/Monitor.cc +++ b/src/mon/Monitor.cc @@ -933,6 +933,8 @@ bool Monitor::ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer, bool int ret; uint32_t service_id = dest_type; + auth_ticket_info.ticket.global_id = 0; + dout(0) << "ms_get_authorizer service_id=" << service_id << dendl; if (service_id != CEPH_ENTITY_TYPE_MON) { @@ -975,7 +977,7 @@ bool Monitor::ms_get_authorizer(int dest_type, AuthAuthorizer **authorizer, bool handler.service_id = service_id; handler.session_key = info.session_key; - *authorizer = handler.build_authorizer(); + *authorizer = handler.build_authorizer(0); return true; } -- 2.39.5
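Review bot: `AuthNoneServiceHandler::start_session` now takes `global_id` but its body still only assigns `entity_name`, so the `global_id` member inherited from AuthServiceHandler stays at the constructor's 0 for auth-none sessions. CephxServiceHandler stores the value with `this->global_id = global_id;`; doing the same here keeps the two handlers consistent for any code that later reads the member, or a comment can state that the id is intentionally ignored. Because the parameter shadows the member, a plain `global_id` inside this function refers to the argument, not the field.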