From d372a3afb7c85a8bb10db9493d705dbc830848ce Mon Sep 17 00:00:00 2001 From: Ilya Dryomov Date: Sat, 5 Jul 2025 11:28:21 +0200 Subject: [PATCH] generalize ceph_x_encrypt_offset() and ceph_x_encrypt_buflen() --- net/ceph/auth_x.c | 44 +++++++++++++++++++++++++++++--------------- net/ceph/crypto.c | 25 +++++++++++++++++++++++++ net/ceph/crypto.h | 2 ++ 3 files changed, 56 insertions(+), 15 deletions(-) diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c index b71b1635916e1..f7ccfc30c372a 100644 --- a/net/ceph/auth_x.c +++ b/net/ceph/auth_x.c @@ -44,23 +44,35 @@ static int ceph_x_should_authenticate(struct ceph_auth_client *ac) return !!need; } -static int ceph_x_encrypt_offset(void) +static int __ceph_x_encrypt_offset(const struct ceph_crypto_key *secret) { - return sizeof(u32) + sizeof(struct ceph_x_encrypt_header); + return ceph_crypt_data_offset(secret) + + sizeof(struct ceph_x_encrypt_header); } -static int ceph_x_encrypt_buflen(int ilen) +static int ceph_x_encrypt_offset(const struct ceph_crypto_key *secret) { - return ceph_x_encrypt_offset() + ilen + 16; + return sizeof(u32) + __ceph_x_encrypt_offset(secret); +} + +/* + * AES: ciphertext_len | hdr | data... | padding + */ +static int ceph_x_encrypt_buflen(const struct ceph_crypto_key *secret, + int data_len) +{ + int encrypt_len = sizeof(struct ceph_x_encrypt_header) + data_len; + return sizeof(u32) + ceph_crypt_buflen(secret, encrypt_len); } static int ceph_x_encrypt(struct ceph_crypto_key *secret, void *buf, int buf_len, int plaintext_len) { - struct ceph_x_encrypt_header *hdr = buf + sizeof(u32); + struct ceph_x_encrypt_header *hdr; int ciphertext_len; int ret; + hdr = buf + sizeof(u32) + ceph_crypt_data_offset(secret); hdr->struct_v = 1; hdr->magic = cpu_to_le64(CEPHX_ENC_MAGIC); @@ -77,7 +89,7 @@ static int ceph_x_encrypt(struct ceph_crypto_key *secret, void *buf, static int __ceph_x_decrypt(struct ceph_crypto_key *secret, void *p, int ciphertext_len) { - struct ceph_x_encrypt_header *hdr = p; + struct ceph_x_encrypt_header *hdr; int plaintext_len; int ret; @@ -86,6 +98,7 @@ static int __ceph_x_decrypt(struct ceph_crypto_key *secret, void *p, if (ret) return ret; + hdr = p + ceph_crypt_data_offset(secret); if (le64_to_cpu(hdr->magic) != CEPHX_ENC_MAGIC) { pr_err("%s bad magic\n", __func__); return -EINVAL; @@ -193,7 +206,7 @@ static int process_one_ticket(struct ceph_auth_client *ac, } /* blob for me */ - dp = *p + ceph_x_encrypt_offset(); + dp = *p + ceph_x_encrypt_offset(secret); ret = ceph_x_decrypt(secret, p, end); if (ret < 0) goto out; @@ -220,7 +233,7 @@ static int process_one_ticket(struct ceph_auth_client *ac, ceph_decode_8_safe(p, end, is_enc, bad); if (is_enc) { /* encrypted */ - tp = *p + ceph_x_encrypt_offset(); + tp = *p + ceph_x_encrypt_offset(&th->session_key); ret = ceph_x_decrypt(&th->session_key, p, end); if (ret < 0) goto out; @@ -312,7 +325,7 @@ static int encrypt_authorizer(struct ceph_x_authorizer *au, p = (void *)(msg_a + 1) + le32_to_cpu(msg_a->ticket_blob.blob_len); end = au->buf->vec.iov_base + au->buf->vec.iov_len; - msg_b = p + ceph_x_encrypt_offset(); + msg_b = p + ceph_x_encrypt_offset(&au->session_key); msg_b->struct_v = 2; msg_b->nonce = cpu_to_le64(au->nonce); if (server_challenge) { @@ -368,7 +381,7 @@ static int ceph_x_build_authorizer(struct ceph_auth_client *ac, goto out_au; maxlen = sizeof(*msg_a) + ticket_blob_len + - ceph_x_encrypt_buflen(sizeof(*msg_b)); + ceph_x_encrypt_buflen(&au->session_key, sizeof(*msg_b)); dout(" need len %d\n", maxlen); if (au->buf && au->buf->alloc_len < maxlen) { ceph_buffer_put(au->buf); @@ -507,7 +520,7 @@ static int ceph_x_build_request(struct ceph_auth_client *ac, struct ceph_x_authenticate *auth = (void *)(head + 1); void *enc_buf = xi->auth_authorizer.enc_buf; struct ceph_x_challenge_blob *blob = enc_buf + - ceph_x_encrypt_offset(); + ceph_x_encrypt_offset(&xi->secret); u64 *u; p = auth + 1; @@ -633,7 +646,7 @@ static int handle_auth_session_key(struct ceph_auth_client *ac, u64 global_id, ceph_decode_32_safe(p, end, len, e_inval); dout("%s connection secret blob len %d\n", __func__, len); if (len > 0) { - dp = *p + ceph_x_encrypt_offset(); + dp = *p + ceph_x_encrypt_offset(&th->session_key); ret = ceph_x_decrypt(&th->session_key, p, *p + len); if (ret < 0) return ret; @@ -802,7 +815,7 @@ static int decrypt_authorizer_challenge(struct ceph_crypto_key *secret, return ret; dout("%s decrypted %d bytes\n", __func__, ret); - dp = challenge + sizeof(struct ceph_x_encrypt_header); + dp = challenge + __ceph_x_encrypt_offset(secret); dend = dp + ret; ceph_decode_skip_8(&dp, dend, e_inval); /* struct_v */ @@ -849,7 +862,7 @@ static int decrypt_authorizer_reply(struct ceph_crypto_key *secret, u8 struct_v; int ret; - dp = *p + ceph_x_encrypt_offset(); + dp = *p + ceph_x_encrypt_offset(secret); ret = ceph_x_decrypt(secret, p, end); if (ret < 0) return ret; @@ -972,7 +985,8 @@ static int calc_signature(struct ceph_x_authorizer *au, struct ceph_msg *msg, __le32 front_crc; __le32 middle_crc; __le32 data_crc; - } __packed *sigblock = enc_buf + ceph_x_encrypt_offset(); + } __packed *sigblock = enc_buf + + ceph_x_encrypt_offset(&au->session_key); sigblock->len = cpu_to_le32(4*sizeof(u32)); sigblock->header_crc = msg->hdr.crc; diff --git a/net/ceph/crypto.c b/net/ceph/crypto.c index aac6dd2203520..5bb91043ce4d4 100644 --- a/net/ceph/crypto.c +++ b/net/ceph/crypto.c @@ -285,6 +285,31 @@ int ceph_crypt(const struct ceph_crypto_key *key, bool encrypt, } } +int ceph_crypt_data_offset(const struct ceph_crypto_key *key) +{ + switch (key->type) { + case CEPH_CRYPTO_NONE: + case CEPH_CRYPTO_AES: + return 0; + default: + BUG(); + } +} + +int ceph_crypt_buflen(const struct ceph_crypto_key *key, int data_len) +{ + switch (key->type) { + case CEPH_CRYPTO_NONE: + return data_len; + case CEPH_CRYPTO_AES: + /* PKCS#7 padding at the end */ + return data_len + AES_BLOCK_SIZE - + (data_len & (AES_BLOCK_SIZE - 1)); + default: + BUG(); + } +} + static int ceph_key_preparse(struct key_preparsed_payload *prep) { struct ceph_crypto_key *ckey; diff --git a/net/ceph/crypto.h b/net/ceph/crypto.h index a20bad6d1e964..736ec6d2fbcb2 100644 --- a/net/ceph/crypto.h +++ b/net/ceph/crypto.h @@ -28,6 +28,8 @@ void ceph_crypto_key_destroy(struct ceph_crypto_key *key); /* crypto.c */ int ceph_crypt(const struct ceph_crypto_key *key, bool encrypt, void *buf, int buf_len, int in_len, int *pout_len); +int ceph_crypt_data_offset(const struct ceph_crypto_key *key); +int ceph_crypt_buflen(const struct ceph_crypto_key *key, int data_len); int ceph_crypto_init(void); void ceph_crypto_shutdown(void); -- 2.39.5