From f2e3692a79491bcc6c6efe33a3422237b1614a21 Mon Sep 17 00:00:00 2001
From: Yehuda Sadeh
Date: Tue, 8 Sep 2009 13:19:19 -0700
Subject: [PATCH] auth: fix session key, encode_encrypt using templates
---
 src/auth/Auth.cc | 28 +++++++-----------
 src/auth/Auth.h | 82 +++++++++++++++++++-----------------------
 2 files changed, 45 insertions(+), 65 deletions(-)
diff --git a/src/auth/Auth.cc b/src/auth/Auth.cc
index b9e6f6571725c..991722fbc051b 100644
--- a/src/auth/Auth.cc
+++ b/src/auth/Auth.cc
@@ -29,7 +29,7 @@ void build_authenticate_request(EntityName& principal_name, entity_addr_t& princ
 if (!encrypt) {
 ::encode(ticket_req, request);
 } else {
- ticket_req.encode_encrypt(session_key, request);
+ encode_encrypt(ticket_req, session_key, request);
 }
 ::encode(ticket_info, request);
 }
@@ -51,13 +51,13 @@ bool build_authenticate_reply(AuthTicket& ticket,
 AuthServiceTicket msg_a;
 msg_a.session_key = session_key;
- if (msg_a.encode_encrypt(principal_secret, reply) < 0)
+ if (encode_encrypt(msg_a, principal_secret, reply) < 0)
 return false;
 AuthServiceTicketInfo ticket_info;
 ticket_info.session_key = session_key;
 ticket_info.ticket = ticket;
- if (ticket_info.encode_encrypt(service_secret, reply) < 0)
+ if (encode_encrypt(ticket_info, service_secret, reply) < 0)
 return false;
 return true;
 }
@@ -72,13 +72,13 @@ bool verify_service_ticket_request(bool encrypted,
 if (encrypted) {
 dout(0) << "verify encrypted service ticket request" << dendl;
- if (msg.decode_decrypt(session_key, indata) < 0)
+ if (decode_decrypt(msg, session_key, indata) < 0)
 return false;
 dout(0) << "decoded timestamp=" << msg.timestamp << " addr=" << msg.addr << " (was encrypted)" << dendl;
 AuthServiceTicketInfo ticket_info;
- if (ticket_info.decode_decrypt(service_secret, indata) < 0)
+ if (decode_decrypt(ticket_info, service_secret, indata) < 0)
 return false;
 } else {
 ::decode(msg, indata);
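Review bot: The result of `encode_encrypt(ticket_req, session_key, request)` on the added line is discarded, so if `key.encrypt` fails the request still goes out with only `ticket_info` appended and nothing upstream can tell. The hunk header shows `build_authenticate_request` is `void`, so there is currently nowhere for that failure to go; returning `bool` like `build_authenticate_reply` in the next hunk, with `if (encode_encrypt(ticket_req, session_key, request) < 0) return false;`, would make the builders consistent (the signature itself is outside this hunk). The same silent drop is in the `build_authenticator` hunk (`encode_encrypt(msg, session_key, bl);`) and in the reply hunk of `verify_authenticator` (`encode_encrypt(reply, ticket_info.session_key, reply_bl);`), where `reply_bl` would be left without the reply.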
@@ -102,7 +102,7 @@ bool AuthTicketHandler::verify_service_ticket_reply(CryptoKey& secret,
 bufferlist::iterator& indata) {
 AuthServiceTicket msg_a;
- if (msg_a.decode_decrypt(secret, indata) < 0)
+ if (decode_decrypt(msg_a, secret, indata) < 0)
 return false;
 ::decode(ticket, indata);
@@ -129,7 +129,7 @@ utime_t AuthTicketHandler::build_authenticator(bufferlist& bl)
 AuthAuthenticate msg;
 msg.now = now;
 msg.nonce = nonce;
- msg.encode_encrypt(session_key, bl);
+ encode_encrypt(msg, session_key, bl);
 return now;
 }
@@ -142,18 +142,14 @@ utime_t AuthTicketHandler::build_authenticator(bufferlist& bl)
 bool verify_authenticator(CryptoKey& service_secret, bufferlist::iterator& indata, bufferlist& reply_bl) {
- AuthTicket ticket;
- ticket.decode_decrypt(service_secret, indata);
+ AuthServiceTicketInfo ticket_info;
+ decode_decrypt(ticket_info, service_secret, indata);
 AuthAuthenticate auth_msg;
- auth_msg.decode_decrypt(ticket.session_key, indata);
-
- bufferlist enc_ticket, enc_info;
- ::decode(enc_ticket, indata);
- ::decode(enc_info, indata);
+ decode_decrypt(auth_msg, ticket_info.session_key, indata);
 // it's authentic if the nonces match
- if (auth_msg.nonce != ticket.nonce)
+ if (auth_msg.nonce != ticket_info.ticket.nonce)
 return false;
 dout(0) << "verify_authenticator: nonce ok" << dendl;
@@ -164,7 +160,7 @@ bool verify_authenticator(CryptoKey& service_secret, bufferlist::iterator& indat
 AuthAuthenticateReply reply;
 reply.timestamp = auth_msg.now;
 reply.timestamp += 1;
- reply.encode_encrypt(ticket.session_key, reply_bl);
+ encode_encrypt(reply, ticket_info.session_key, reply_bl);
 dout(0) << "verify_authenticator: ok" << dendl;
diff --git a/src/auth/Auth.h b/src/auth/Auth.h
index 3269d52ebaf50..f536c5d6e977a 100644
--- a/src/auth/Auth.h
+++ b/src/auth/Auth.h
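Review bot: The two new `decode_decrypt` calls in `verify_authenticator` ignore their return value, unlike every other call site in this patch, so a decrypt failure of either blob leaves `ticket_info` or `auth_msg` default-constructed and control falls through to the nonce comparison. Two empty `nonce` strings compare equal, so input that decrypts under neither key can still reach the `"verify_authenticator: nonce ok"` log line; whether it ends up returning true depends on code after the hunk, but the authenticity decision should not rest on that. Change the two lines to `if (decode_decrypt(ticket_info, service_secret, indata) < 0) return false;` and `if (decode_decrypt(auth_msg, ticket_info.session_key, indata) < 0) return false;`. The body of `verify_authenticator` continues past the end of the hunk.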
@@ -18,36 +18,6 @@
 #include "Crypto.h"
 #include "msg/msg_types.h"
-struct AuthEnc {
- virtual void encode(bufferlist& bl) const = 0;
- virtual void decode(bufferlist::iterator& bl) = 0;
-
- int encode_encrypt(CryptoKey key, bufferlist& out) {
- bufferlist bl, bl_enc;
-
- encode(bl);
- int ret = key.encrypt(bl, bl_enc);
- if (ret < 0)
- return ret;
-
- ::encode(bl_enc, out);
- return 0;
- }
-
- int decode_decrypt(CryptoKey key, bufferlist::iterator& iter) {
- bufferlist bl_enc, bl;
- ::decode(bl_enc, iter);
-
- int ret = key.decrypt(bl_enc, bl);
- if (ret < 0)
- return ret;
-
- bufferlist::iterator iter2 = bl.begin();
- decode(iter2);
- return 0;
- }
-};
-
 struct EntityName {
 uint32_t entity_type;
 string name;
@@ -69,13 +39,12 @@ WRITE_CLASS_ENCODER(EntityName);
 * services as described by 'caps' during the specified validity
 * period.
 */
-struct AuthTicket : public AuthEnc {
+struct AuthTicket {
 entity_addr_t addr;
 utime_t created, renew_after, expires;
 string nonce;
 map caps;
 __u32 flags;
- CryptoKey session_key;
 void encode(bufferlist& bl) const {
 __u8 v = 1;
@@ -86,7 +55,6 @@ struct AuthTicket : public AuthEnc {
 ::encode(nonce, bl);
 ::encode(caps, bl);
 ::encode(flags, bl);
- ::encode(session_key, bl);
 }
 void decode(bufferlist::iterator& bl) {
 __u8 v;
@@ -97,7 +65,6 @@ struct AuthTicket : public AuthEnc {
 ::decode(nonce, bl);
 ::decode(caps, bl);
 ::decode(flags, bl);
- ::decode(session_key, bl);
 }
 };
 WRITE_CLASS_ENCODER(AuthTicket)
@@ -128,15 +95,6 @@ public:
 };
 WRITE_CLASS_ENCODER(AuthenticateRequest)
-class AuthenticateReply {
-
- bool verify() {
- /* FIXME */
- return false;
- };
-};
-
-
 struct AuthBlob {
 bufferlist blob;
@@ -181,7 +139,7 @@ struct AuthTicketHandler {
 };
 //WRITE_CLASS_ENCODER(ServiceTicket)
-struct AuthServiceTicketRequest : public AuthEnc {
+struct AuthServiceTicketRequest {
 entity_addr_t addr;
 utime_t timestamp;
 uint32_t keys;
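Review bot: Removing `session_key` from `AuthTicket`'s encoding changes the byte layout while the version written two lines below, `__u8 v = 1;`, stays at 1, and the matching `decode` hunk at `@@ -97,7` drops the field the same way with no version branch visible. An `AuthTicket` produced before this patch would then decode with its trailing key bytes left unconsumed in the stream for whatever is read next, and nothing visible in `decode` would detect that. If encoded tickets can cross this change (persisted, or exchanged between builds), bump `v` and keep a v1 branch in `decode` that consumes the old field; if the format is still pre-release, a comment above `__u8 v = 1;` such as `// layout changed (session_key removed) without a version bump: pre-release format` would save the next reader the same investigation.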
@@ -200,7 +158,7 @@ struct AuthServiceTicketRequest : public AuthEnc {
 WRITE_CLASS_ENCODER(AuthServiceTicketRequest);
 /* A */
-struct AuthServiceTicket : public AuthEnc {
+struct AuthServiceTicket {
 CryptoKey session_key;
 utime_t validity;
@@ -216,7 +174,7 @@ struct AuthServiceTicket : public AuthEnc {
 WRITE_CLASS_ENCODER(AuthServiceTicket);
 /* B */
-struct AuthServiceTicketInfo : public AuthEnc {
+struct AuthServiceTicketInfo {
 AuthTicket ticket;
 CryptoKey session_key;
@@ -235,7 +193,7 @@ struct AuthServiceTicketInfo : public AuthEnc {
 };
 WRITE_CLASS_ENCODER(AuthServiceTicketInfo);
-struct AuthAuthenticate : public AuthEnc {
+struct AuthAuthenticate {
 utime_t now;
 string nonce;
 void encode(bufferlist& bl) const {
@@ -249,7 +207,7 @@ struct AuthAuthenticate : public AuthEnc {
 };
 WRITE_CLASS_ENCODER(AuthAuthenticate);
-struct AuthAuthenticateReply : public AuthEnc {
+struct AuthAuthenticateReply {
 utime_t timestamp;
 void encode(bufferlist& bl) const {
 ::encode(timestamp, bl);
@@ -260,7 +218,33 @@ struct AuthAuthenticateReply : public AuthEnc {
 };
 WRITE_CLASS_ENCODER(AuthAuthenticateReply);
-
+template
+int decode_decrypt(T& t, CryptoKey key, bufferlist::iterator& iter) {
+ bufferlist bl_enc, bl;
+ ::decode(bl_enc, iter);
+
+ int ret = key.decrypt(bl_enc, bl);
+ if (ret < 0)
+ return ret;
+
+ bufferlist::iterator iter2 = bl.begin();
+ ::decode(t, iter2);
+ return 0;
+}
+
+template
+int encode_encrypt(const T& t, CryptoKey& key, bufferlist& out) {
+ bufferlist bl;
+ ::encode(t, bl);
+
+ bufferlist bl_enc;
+ int ret = key.encrypt(bl, bl_enc);
+ if (ret < 0)
+ return ret;
+
+ ::encode(bl_enc, out);
+ return 0;
+}
 extern void build_authenticate_request(EntityName& principal_name, entity_addr_t& principal_addr, uint32_t keys,
--
2.39.5
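Review bot: `decode_decrypt` takes `CryptoKey key` by value while `encode_encrypt` right below it takes `CryptoKey& key`, so every decrypt copies the secret and the two templates disagree for no visible reason; `CryptoKey& key` (or `const CryptoKey&` if `decrypt` is a const member — check Crypto.h) matches the sibling. Both functions report only the negative result of `key.encrypt`/`key.decrypt`, while `::decode(t, iter2)` on plaintext that came out of the wrong key is not checked at all and, if `::decode` signals short or malformed input by throwing, that path bypasses the `< 0` checks callers rely on; a header comment on each template stating the return contract, for example `// Returns 0 on success or the negative code from key.decrypt(); errors raised by ::decode are not converted to a return value`, would make that explicit. Nothing visible here authenticates the ciphertext before it is decoded, so unless `CryptoKey::decrypt` includes an integrity check, callers must not treat a successful return as evidence that the blob was not tampered with.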