From 6f79fb2018b2e3130448cc654866c63656e254e8 Mon Sep 17 00:00:00 2001 From: Sage Weil Date: Wed, 23 Sep 2009 11:17:08 -0700 Subject: [PATCH] auth: break out authenticate request --- src/auth/Auth.cc | 62 +++++++++++--------- src/auth/Auth.h | 100 ++++++++++++++++----------------- src/auth/AuthClientHandler.cc | 10 ++-- src/auth/AuthServiceManager.cc | 12 ++-- 4 files changed, 91 insertions(+), 93 deletions(-) diff --git a/src/auth/Auth.cc b/src/auth/Auth.cc index b9629ff0acccd..bc30797bb0b90 100644 --- a/src/auth/Auth.cc +++ b/src/auth/Auth.cc @@ -31,9 +31,15 @@ static void hexdump(string msg, const char *s, int len) * * principal_name, principal_addr. "please authenticate me." */ +void build_authenticate_request(EntityName& principal_name, entity_addr_t& principal_addr, + bufferlist& request) +{ + AuthAuthenticateRequest req(principal_name, principal_addr, g_clock.now()); + ::encode(req, request); +} + void build_service_ticket_request(EntityName& principal_name, entity_addr_t& principal_addr, uint32_t keys, - bool encrypt, CryptoKey& session_key, AuthBlob& ticket_info, bufferlist& request) @@ -43,13 +49,11 @@ void build_service_ticket_request(EntityName& principal_name, entity_addr_t& pri ticket_req.addr = principal_addr; ticket_req.timestamp = g_clock.now(); ticket_req.keys = keys; - if (!encrypt) { - ::encode(ticket_req, request); - } else { - bufferptr& s1 = session_key.get_secret(); - hexdump("encoding, session key", s1.c_str(), s1.length()); - encode_encrypt(ticket_req, session_key, request); - } + + bufferptr& s1 = session_key.get_secret(); + hexdump("encoding, session key", s1.c_str(), s1.length()); + encode_encrypt(ticket_req, session_key, request); + ::encode(ticket_info, request); } @@ -93,32 +97,36 @@ bool build_service_ticket_reply( return true; } -bool verify_service_ticket_request(bool encrypted, - CryptoKey& service_secret, +bool verify_authenticate_request(CryptoKey& service_secret, + bufferlist::iterator& indata) +{ + AuthAuthenticateRequest msg; + ::decode(msg, indata); + dout(0) << "decoded timestamp=" << msg.timestamp << " addr=" << msg.addr << dendl; + + /* FIXME: validate that request makes sense */ + return true; +} + +bool verify_service_ticket_request(CryptoKey& service_secret, CryptoKey& session_key, uint32_t& keys, bufferlist::iterator& indata) { AuthServiceTicketRequest msg; - if (encrypted) { - bufferptr& s1 = session_key.get_secret(); - hexdump("decoding, session key", s1.c_str(), s1.length()); - - dout(0) << "verify encrypted service ticket request" << dendl; - if (decode_decrypt(msg, session_key, indata) < 0) - return false; - - dout(0) << "decoded timestamp=" << msg.timestamp << " addr=" << msg.addr << " (was encrypted)" << dendl; - - AuthServiceTicketInfo ticket_info; - if (decode_decrypt(ticket_info, service_secret, indata) < 0) + bufferptr& s1 = session_key.get_secret(); + hexdump("decoding, session key", s1.c_str(), s1.length()); + + dout(0) << "verify encrypted service ticket request" << dendl; + if (decode_decrypt(msg, session_key, indata) < 0) + return false; + + dout(0) << "decoded timestamp=" << msg.timestamp << " addr=" << msg.addr << " (was encrypted)" << dendl; + + AuthServiceTicketInfo ticket_info; + if (decode_decrypt(ticket_info, service_secret, indata) < 0) return false; - } else { - ::decode(msg, indata); - - dout(0) << "decoded timestamp=" << msg.timestamp << " addr=" << msg.addr << dendl; - } /* FIXME: validate that request makes sense */ diff --git a/src/auth/Auth.h b/src/auth/Auth.h index ad4fbeca5b23a..607194491387f 100644 --- a/src/auth/Auth.h +++ b/src/auth/Auth.h @@ -165,34 +165,60 @@ struct SessionAuthInfo { /* * Authentication */ +extern void build_authenticate_request(EntityName& principal_name, entity_addr_t& principal_addr, + bufferlist& request); + + extern void build_service_ticket_request(EntityName& principal_name, entity_addr_t& principal_addr, - uint32_t keys, - bool encrypt, - CryptoKey& session_key, - AuthBlob& ticket_info, - bufferlist& request); - -extern bool build_service_ticket_reply( - CryptoKey& principal_secret, - vector ticket_info, - bufferlist& reply); - -class AuthenticateRequest { + uint32_t keys, + CryptoKey& session_key, + AuthBlob& ticket_info, + bufferlist& request); + +extern bool build_service_ticket_reply(CryptoKey& principal_secret, + vector ticket_info, + bufferlist& reply); + +struct AuthAuthenticateRequest { EntityName name; entity_addr_t addr; -public: - AuthenticateRequest(EntityName& principal_name, entity_addr_t principal_addr) : name(principal_name), addr(principal_addr) {} + utime_t timestamp; + + AuthAuthenticateRequest() {} + AuthAuthenticateRequest(EntityName& principal_name, entity_addr_t principal_addr, utime_t t) : + name(principal_name), addr(principal_addr), timestamp(t) {} void encode(bufferlist& bl) const { ::encode(name, bl); ::encode(addr, bl); + ::encode(timestamp, bl); } void decode(bufferlist::iterator& bl) { ::decode(name, bl); ::decode(addr, bl); + ::decode(timestamp, bl); + } +}; +WRITE_CLASS_ENCODER(AuthAuthenticateRequest) + +struct AuthServiceTicketRequest { + entity_addr_t addr; + utime_t timestamp; + uint32_t keys; + + void encode(bufferlist& bl) const { + ::encode(addr, bl); + ::encode(timestamp, bl); + ::encode(keys, bl); + } + void decode(bufferlist::iterator& bl) { + ::decode(addr, bl); + ::decode(timestamp, bl); + ::decode(keys, bl); } }; -WRITE_CLASS_ENCODER(AuthenticateRequest) +WRITE_CLASS_ENCODER(AuthServiceTicketRequest); + struct AuthAuthorizeReply { uint32_t trans_id; @@ -221,9 +247,6 @@ struct AuthTicketHandler { AuthTicketHandler() : has_key_flag(false) {} - bool build_authenticate_request(); - bool verify_authenticate_response(); - // to build our ServiceTicket bool verify_service_ticket_reply(CryptoKey& principal_secret, bufferlist::iterator& indata); @@ -252,23 +275,6 @@ struct AuthTicketsManager { bool has_key(uint32_t service_id); }; -struct AuthServiceTicketRequest { - entity_addr_t addr; - utime_t timestamp; - uint32_t keys; - - void encode(bufferlist& bl) const { - ::encode(addr, bl); - ::encode(timestamp, bl); - ::encode(keys, bl); - } - void decode(bufferlist::iterator& bl) { - ::decode(addr, bl); - ::decode(timestamp, bl); - ::decode(keys, bl); - } -}; -WRITE_CLASS_ENCODER(AuthServiceTicketRequest); /* A */ struct AuthServiceTicket { @@ -383,27 +389,15 @@ int encode_encrypt(const T& t, CryptoKey& key, bufferlist& out) { return 0; } -extern void build_authenticate_request(EntityName& principal_name, entity_addr_t& principal_addr, - uint32_t keys, - bool encrypt, - CryptoKey& session_key, - AuthBlob& ticket_info, - bufferlist& request); - -extern bool build_authenticate_reply(AuthTicketHandler ticket_handler, - CryptoKey session_key, - CryptoKey auth_session_key, - CryptoKey& service_secret, - bufferlist& reply); /* * Verify authorizer and generate reply authorizer */ - -extern bool verify_service_ticket_request(bool encrypted, - CryptoKey& service_secret, - CryptoKey& session_key, - uint32_t& keys, - bufferlist::iterator& indata); +extern bool verify_authenticate_request(CryptoKey& service_secret, + bufferlist::iterator& indata); +extern bool verify_service_ticket_request(CryptoKey& service_secret, + CryptoKey& session_key, + uint32_t& keys, + bufferlist::iterator& indata); extern bool verify_authorizer(CryptoKey& service_secret, bufferlist::iterator& bl, bufferlist& enc_reply); diff --git a/src/auth/AuthClientHandler.cc b/src/auth/AuthClientHandler.cc index 879d5a16830c0..6a2229b3eed95 100644 --- a/src/auth/AuthClientHandler.cc +++ b/src/auth/AuthClientHandler.cc @@ -204,11 +204,9 @@ int AuthClientAuthenticateHandler::generate_cephx_authenticate_request(bufferlis header.request_type = CEPHX_GET_AUTH_SESSION_KEY; - ::encode(header, bl); - CryptoKey key; - AuthBlob blob; - build_service_ticket_request(client->name, client->addr, CEPHX_PRINCIPAL_AUTH, - false, key, blob, bl); + ::encode(header, bl); + + build_authenticate_request(client->name, client->addr, bl); cephx_request_state = 1; return 0; } @@ -226,7 +224,7 @@ int AuthClientAuthenticateHandler::generate_cephx_authenticate_request(bufferlis ::encode(header, bl); build_service_ticket_request(client->name, client->addr, want, - true, ticket_handler.session_key, ticket_handler.ticket, bl); + ticket_handler.session_key, ticket_handler.ticket, bl); return 0; } diff --git a/src/auth/AuthServiceManager.cc b/src/auth/AuthServiceManager.cc index 8ca0064604f65..9bd167271b092 100644 --- a/src/auth/AuthServiceManager.cc +++ b/src/auth/AuthServiceManager.cc @@ -187,17 +187,16 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe ticket.expires = g_clock.now(); - uint32_t keys; - auth_server.get_client_secret(principal_secret); auth_server.get_service_session_key(session_key, CEPHX_PRINCIPAL_AUTH); auth_server.get_service_secret(auth_secret, CEPHX_PRINCIPAL_AUTH); - if (!verify_service_ticket_request(false, auth_secret, - session_key, keys, indata)) { + if (!verify_authenticate_request(auth_secret, indata)) { ret = -EPERM; break; - } + } + + // checking password? build_cephx_response_header(request_type, 0, result_bl); vector info_vec; @@ -229,8 +228,7 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe vector info_vec; - if (!verify_service_ticket_request(true, auth_secret, - auth_session_key, keys, indata)) { + if (!verify_service_ticket_request(auth_secret, auth_session_key, keys, indata)) { ret = -EPERM; break; } -- 2.39.5