From 7f3573bf508f2dcee2a93dd29237878d1626337b Mon Sep 17 00:00:00 2001 From: Yehuda Sadeh Date: Tue, 8 Sep 2009 12:42:32 -0700 Subject: [PATCH] auth: redo authenticate request/response --- src/auth/Auth.cc | 61 +++++++++++--------------------- src/auth/Auth.h | 91 +++++++++++++++++++++++++++++++----------------- 2 files changed, 80 insertions(+), 72 deletions(-) diff --git a/src/auth/Auth.cc b/src/auth/Auth.cc index 8305737dddd07..4dac6fdd4f227 100644 --- a/src/auth/Auth.cc +++ b/src/auth/Auth.cc @@ -247,19 +247,19 @@ bool build_get_session_keys_response(ServiceTicket& ticket, CryptoKey& service_s /* * PRINCIPAL: build authenticator to access the service. * - * enc_ticket, {timestamp, nonce}^session_key + * ticket, {timestamp, nonce}^session_key */ utime_t AuthTicketHandler::build_authenticator(bufferlist& bl) { utime_t now = g_clock.now(); - + ::encode(ticket, bl); - - bufferlist info, enc_info; - ::encode(now, info); - ::encode(nonce, info); - session_key.encrypt(info, enc_info); - ::encode(enc_info, bl); + + AuthAuthenticate msg; + msg.now = now; + msg.nonce = nonce; + msg.encode_encrypt(session_key, bl); + return now; } @@ -269,40 +269,20 @@ utime_t AuthTicketHandler::build_authenticator(bufferlist& bl) * {timestamp + 1}^session_key */ bool verify_authenticator(CryptoKey& service_secret, bufferlist::iterator& indata, - bufferlist& enc_reply) + bufferlist& reply_bl) { + AuthTicket ticket; + ticket.decode_decrypt(service_secret, indata); + + AuthAuthenticate auth_msg; + auth_msg.decode_decrypt(ticket.session_key, indata); + bufferlist enc_ticket, enc_info; ::decode(enc_ticket, indata); ::decode(enc_info, indata); - // decrypt ticket - AuthTicket ticket; - CryptoKey session_key; - { - bufferlist bl; - if (service_secret.decrypt(enc_ticket, bl) < 0) - return false; - dout(0) << "verify_authenticator: decrypted ticket" << dendl; - bufferlist::iterator p = bl.begin(); - ::decode(ticket, p); - ::decode(session_key, p); - } - - // decrypt info with session key - utime_t timestamp; - string nonce; - { - bufferlist info; - if (session_key.decrypt(enc_info, info) < 0) - return false; - dout(0) << "verify_authenticator: decrypted session key" << dendl; - bufferlist::iterator p = info.begin(); - ::decode(timestamp, p); - ::decode(nonce, p); - } - // it's authentic if the nonces match - if (nonce != ticket.nonce) + if (auth_msg.nonce != ticket.nonce) return false; dout(0) << "verify_authenticator: nonce ok" << dendl; @@ -310,11 +290,10 @@ bool verify_authenticator(CryptoKey& service_secret, bufferlist::iterator& indat * Reply authenticator: * {timestamp + 1}^session_key */ - bufferlist reply; - timestamp += 1; - ::encode(timestamp, reply); - if (session_key.encrypt(reply, enc_reply) < 0) - return false; + AuthAuthenticateReply reply; + reply.timestamp = auth_msg.now; + reply.timestamp += 1; + reply.encode_encrypt(ticket.session_key, reply_bl); dout(0) << "verify_authenticator: ok" << dendl; diff --git a/src/auth/Auth.h b/src/auth/Auth.h index 674ccb54a70a3..57cbec8872da3 100644 --- a/src/auth/Auth.h +++ b/src/auth/Auth.h @@ -18,6 +18,36 @@ #include "Crypto.h" #include "msg/msg_types.h" +struct AuthEnc { + virtual void encode(bufferlist& bl) const = 0; + virtual void decode(bufferlist::iterator& bl) = 0; + + int encode_encrypt(CryptoKey key, bufferlist& out) { + bufferlist bl, bl_enc; + + encode(bl); + int ret = key.encrypt(bl, bl_enc); + if (ret < 0) + return ret; + + ::encode(bl_enc, out); + return 0; + } + + int decode_decrypt(CryptoKey key, bufferlist::iterator& iter) { + bufferlist bl_enc, bl; + ::decode(bl_enc, iter); + + int ret = key.decrypt(bl_enc, bl); + if (ret < 0) + return ret; + + bufferlist::iterator iter2 = bl.begin(); + decode(iter2); + return 0; + } +}; + struct EntityName { uint32_t entity_type; string name; @@ -39,12 +69,13 @@ WRITE_CLASS_ENCODER(EntityName); * services as described by 'caps' during the specified validity * period. */ -struct AuthTicket { +struct AuthTicket : public AuthEnc { entity_addr_t addr; utime_t created, renew_after, expires; string nonce; map caps; __u32 flags; + CryptoKey session_key; void encode(bufferlist& bl) const { __u8 v = 1; @@ -55,6 +86,7 @@ struct AuthTicket { ::encode(nonce, bl); ::encode(caps, bl); ::encode(flags, bl); + ::encode(session_key, bl); } void decode(bufferlist::iterator& bl) { __u8 v; @@ -65,6 +97,7 @@ struct AuthTicket { ::decode(nonce, bl); ::decode(caps, bl); ::decode(flags, bl); + ::decode(session_key, bl); } }; WRITE_CLASS_ENCODER(AuthTicket) @@ -173,36 +206,6 @@ struct AuthTicketHandler { }; //WRITE_CLASS_ENCODER(ServiceTicket) -struct AuthEnc { - virtual void encode(bufferlist& bl) const = 0; - virtual void decode(bufferlist::iterator& bl) = 0; - - int encode_encrypt(CryptoKey key, bufferlist& out) { - bufferlist bl, bl_enc; - - encode(bl); - int ret = key.encrypt(bl, bl_enc); - if (ret < 0) - return ret; - - ::encode(bl_enc, out); - return 0; - } - - int decode_decrypt(CryptoKey key, bufferlist::iterator& iter) { - bufferlist bl_enc, bl; - ::decode(bl_enc, iter); - - int ret = key.decrypt(bl_enc, bl); - if (ret < 0) - return ret; - - bufferlist::iterator iter2 = bl.begin(); - decode(iter2); - return 0; - } -}; - struct AuthServiceTicketRequest : public AuthEnc { entity_addr_t addr; utime_t timestamp; @@ -292,6 +295,32 @@ struct AuthMsg_E : public AuthEnc { WRITE_CLASS_ENCODER(AuthMsg_E); #endif +struct AuthAuthenticate : public AuthEnc { + utime_t now; + string nonce; + void encode(bufferlist& bl) const { + ::encode(now, bl); + ::encode(nonce, bl); + } + void decode(bufferlist::iterator& bl) { + ::decode(now, bl); + ::decode(nonce, bl); + } +}; +WRITE_CLASS_ENCODER(AuthAuthenticate); + +struct AuthAuthenticateReply : public AuthEnc { + utime_t timestamp; + void encode(bufferlist& bl) const { + ::encode(timestamp, bl); + } + void decode(bufferlist::iterator& bl) { + ::decode(timestamp, bl); + } +}; +WRITE_CLASS_ENCODER(AuthAuthenticateReply); + + extern void build_authenticate_request(EntityName& principal_name, entity_addr_t& principal_addr, uint32_t keys, -- 2.39.5