From eb92fb1cf806a4ceff2ba5a52ad482afefa47d4e Mon Sep 17 00:00:00 2001
From: Yehuda Sadeh
Date: Mon, 31 Aug 2009 11:16:49 -0700
Subject: [PATCH] auth: follow auth with keys request

---
 src/auth/Auth.cc | 23 ++++++++++++++++-------
 src/auth/Auth.h | 5 +++++
 src/auth/AuthClientHandler.cc | 35 +++++++++++++++++++++--------------
 src/librados.cc | 5 ++++-
 src/mon/MonClient.cc | 4 +++-
 src/mon/MonClient.h | 2 +-
 6 files changed, 50 insertions(+), 24 deletions(-)

diff --git a/src/auth/Auth.cc b/src/auth/Auth.cc
index be4c147c257b4..caa3d7478ade9 100644
--- a/src/auth/Auth.cc
+++ b/src/auth/Auth.cc
@@ -90,7 +90,9 @@ bool ServiceTicket::verify_authenticate_reply(CryptoKey& client_secret,
 }
 if (!indata.end())
 return false;
-
+
+ has_key_flag = true;
+
 return true;
 }
 
@@ -110,7 +112,7 @@ utime_t ServiceTicket::build_authenticator(bufferlist& bl)
 ::encode(nonce, info);
 session_key.encrypt(info, enc_info);
 ::encode(enc_info, bl);
- return now;
+ return now;
 }
 
 /*
@@ -131,7 +133,8 @@ bool verify_authenticator(CryptoKey& service_secret, bufferlist& bl,
 CryptoKey session_key;
 {
 bufferlist bl;
- service_secret.decrypt(enc_ticket, bl);
+ if (service_secret.decrypt(enc_ticket, bl) < 0)
+ return false;
 bufferlist::iterator p = bl.begin();
 ::decode(ticket, p);
 ::decode(session_key, p);
@@ -142,7 +145,8 @@ bool verify_authenticator(CryptoKey& service_secret, bufferlist& bl,
 string nonce;
 {
 bufferlist info;
- session_key.decrypt(enc_info, info);
+ if (session_key.decrypt(enc_info, info) < 0)
+ return false;
 bufferlist::iterator p = info.begin();
 ::decode(timestamp, p);
 ::decode(nonce, p);
@@ -159,7 +163,8 @@ bool verify_authenticator(CryptoKey& service_secret, bufferlist& bl,
 bufferlist reply;
 timestamp += 1;
 ::encode(timestamp, reply);
- session_key.encrypt(reply, enc_reply);
+ if (session_key.encrypt(reply, enc_reply) < 0)
+ return false;
 return true;
 }
 
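Review bot: In the -131 and -142 hunks a failed decrypt() now returns false, but a successful decrypt is still followed by `::decode(ticket, p)` / `::decode(session_key, p)` and `::decode(timestamp, p)` / `::decode(nonce, p)` with no check that the iterator is exhausted, whereas verify_authenticate_reply in the -90 hunk rejects trailing data with `if (!indata.end()) return false;`. If decrypt() does not authenticate the ciphertext (not visible on this page), a wrong key produces plaintext that still decodes to some values, so the nonce/timestamp comparisons that follow become the only integrity guard; adding `if (!p.end()) return false;` after the last decode in each block brings this verifier in line with the other one, and the same applies to `::decode(later, p)` in the -171 hunk of verify_reply_authenticator. Whether ::decode throws on truncated input cannot be told from here; if it does, the exception escapes a bool-returning verifier and should be handled at the same point. verify_authenticator's body continues outside these hunks.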
@@ -171,13 +176,17 @@ bool verify_authenticator(CryptoKey& service_secret, bufferlist& bl,
 bool ServiceTicket::verify_reply_authenticator(utime_t then, bufferlist& enc_reply)
 {
 bufferlist reply;
- session_key.decrypt(enc_reply, reply);
+ if (session_key.decrypt(enc_reply, reply) < 0)
+ return false;
 bufferlist::iterator p = reply.begin();
 utime_t later;
 ::decode(later, p);
- if (then + 1 == later)
+ dout(0) << "later=" << later << " then=" << then << dendl;
+ if (then + 1 == later) {
 return true;
+ }
+ + return false;
 }
diff --git a/src/auth/Auth.h b/src/auth/Auth.h
index 948e5d562ffa4..2aa9ddf91161e 100644
--- a/src/auth/Auth.h
+++ b/src/auth/Auth.h
@@ -89,6 +89,9 @@ struct ServiceTicket {
 bufferlist enc_ticket; // opaque to us
 string nonce;
 utime_t renew_after, expires;
+ bool has_key_flag;
+
+ ServiceTicket() : has_key_flag(false) {}
 
 // to build our ServiceTicket
 bool verify_authenticate_reply(CryptoKey& client_secret,
@@ -97,6 +100,8 @@ struct ServiceTicket {
 // to access the service
 utime_t build_authenticator(bufferlist& bl);
 bool verify_reply_authenticator(utime_t then, bufferlist& enc_reply);
+
+ bool has_key() { return has_key_flag; }
 };
diff --git a/src/auth/AuthClientHandler.cc b/src/auth/AuthClientHandler.cc
index 4f645175844f0..98abb8b22a40e 100644
--- a/src/auth/AuthClientHandler.cc
+++ b/src/auth/AuthClientHandler.cc
@@ -20,6 +20,7 @@ int AuthClientHandler::generate_request(bufferlist& bl)
 {
+ dout(0) << "status=" << status << dendl;
 if (status < 0) {
 return status;
 }
@@ -110,7 +111,8 @@ int AuthClientHandler::generate_cephx_protocol_request(bufferlist& bl)
 {
 CephXRequestHeader header;
 
- if (!auth_session_key.length()) {
+ if (!auth_ticket.has_key()) {
+ dout(0) << "auth ticket: doesn't have key" << dendl;
 /* we first need to get the principle/auth session key */
 header.request_type = CEPHX_GET_AUTH_SESSION_KEY;
 
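Review bot: The `dout(0) << "later=" << later << " then=" << then << dendl;` added in the -171 hunk logs at level 0, so every reply verification prints both timestamps at the default debug level; the same applies to `dout(0) << "status=" << status << dendl;` in the -20 hunk and `dout(0) << "auth ticket: doesn't have key" << dendl;` in the -110 hunk of AuthClientHandler.cc. These read as leftover tracing from developing the change rather than operational messages, and the authentication path is exactly where unconditional chatter accumulates in production logs. Raising them to a higher debug level (e.g. `dout(10) << ...`, value constructed) keeps them available when needed; if the -171 line is meant to stay, a short comment saying why the timestamps are logged on every reply would help the next reader.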
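Review bot: `bool has_key() { return has_key_flag; }` in the -97 hunk of Auth.h only reads the flag and should be a const member, `bool has_key() const { return has_key_flag; }`. More importantly, the flag introduced in the -89 hunk is set once by verify_authenticate_reply and nothing on this page ever clears it, although the same struct carries `renew_after, expires`; generate_cephx_protocol_request now branches on `auth_ticket.has_key()` instead of `auth_session_key.length()`, so an expired or superseded ticket will keep reporting a usable key unless expiry is folded into the predicate or the flag is reset when the ticket is rebuilt. Whether has_key() means "a key was received" or "the key is currently usable" should be stated on the member, e.g. `// set once verify_authenticate_reply() accepted a session key; does not consider expires`.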
@@ -120,19 +122,16 @@ int AuthClientHandler::generate_cephx_protocol_request(bufferlist& bl)
 return 0;
 }
- if (!cur_cap) {
- uint32_t left_caps = (want_caps ^ have_caps) & want_caps;
+ dout(0) << "want_keys=" << hex << want_keys << " have_keys=" << have_keys << dec << dendl;
- for (uint32_t i=0; i