From fec31964a12b82f3d7d3a130b749aee428dbc265 Mon Sep 17 00:00:00 2001
From: Yehuda Sadeh
Date: Thu, 19 Nov 2009 14:15:20 -0800
Subject: [PATCH] auth: when renewing session, encrypt ticket
---
 src/auth/cephx/CephxProtocol.cc | 39 ++++++++++++++++++++++-----
 src/auth/cephx/CephxProtocol.h | 4 ++-
 src/auth/cephx/CephxServiceHandler.cc | 15 ++++++-----
 3 files changed, 45 insertions(+), 13 deletions(-)
diff --git a/src/auth/cephx/CephxProtocol.cc b/src/auth/cephx/CephxProtocol.cc
index 208fce1f24db2..4b659b4c55da2 100644
--- a/src/auth/cephx/CephxProtocol.cc
+++ b/src/auth/cephx/CephxProtocol.cc
@@ -60,6 +60,8 @@ bool cephx_build_service_ticket(CephXSessionAuthInfo& info, bufferlist& reply)
 bool cephx_build_service_ticket_reply(
 CryptoKey& principal_secret,
 vector ticket_info_vec,
+ bool should_encrypt_ticket,
+ CryptoKey& ticket_enc_key,
 bufferlist& reply)
 {
 uint32_t num = ticket_info_vec.size();
@@ -79,8 +81,21 @@ bool cephx_build_service_ticket_reply(
 if (encode_encrypt(msg_a, principal_secret, reply) < 0)
 return false;
- if (!cephx_build_service_ticket(info, reply))
- return false;
+ bufferlist service_ticket_bl;
+
+ if (!cephx_build_service_ticket(info, service_ticket_bl))
+ return false;
+
+ ::encode((__u8)should_encrypt_ticket, reply);
+
+ if (should_encrypt_ticket) {
+ bufferlist enc_ticket;
+
+ if (encode_encrypt(service_ticket_bl, ticket_enc_key, reply) < 0)
+ return false;
+ } else {
+ reply.claim_append(service_ticket_bl);
+ }
 }
 return true;
 }
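Review bot: `ticket_enc_key` is declared as a non-const `CryptoKey&` although the body in the next hunk only hands it to `encode_encrypt`, and the same declaration is repeated in the CephxProtocol.h hunk; if `encode_encrypt` accepts a `const CryptoKey&`, declare it `const CryptoKey& ticket_enc_key,` in both places so callers that do not encrypt need not build a dummy key. Neither the definition nor the header carries a comment saying when the key is read; I would add `// ticket_enc_key is only used when should_encrypt_ticket is true` beside the parameter. The function body continues in the following hunk.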
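Review bot: `bufferlist enc_ticket;` inside the `if (should_encrypt_ticket)` branch is never used — `encode_encrypt` writes the ciphertext straight into `reply` — so the declaration should go. A comment is also due on `::encode((__u8)should_encrypt_ticket, reply);`: the flag is written after the `encode_encrypt(msg_a, ...)` envelope and ahead of the ticket, so it is neither encrypted nor authenticated, and a receiver deciding on it can only detect tampering by the following decrypt or decode failing; something like `// flag travels in the clear; a mismatch surfaces as a decode_decrypt/decode failure on the peer` makes that explicit. The loop this code sits in opens before the hunk.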
@@ -98,7 +113,20 @@ bool CephXTicketHandler::verify_service_ticket_reply(CryptoKey& secret,
 dout(0) << "verify_service_ticket_reply failed decode_decrypt with secret " << secret << dendl;
 return false;
 }
- ::decode(ticket, indata);
+ __u8 ticket_enc;
+ ::decode(ticket_enc, indata);
+ if (ticket_enc) {
+ dout(10) << "getting encrypted ticket" << dendl;
+ bufferlist service_ticket_bl;
+ if (decode_decrypt(service_ticket_bl, session_key, indata) < 0)
+ return false;
+ bufferlist::iterator iter = service_ticket_bl.begin();
+ ::decode(ticket, iter);
+ dout(10) << "ticket.secret_id=" << ticket.secret_id << dendl;
+ } else {
+ dout(10) << "got unencrypted ticket" << dendl;
+ ::decode(ticket, indata);
+ }
 dout(10) << "verify_service_ticket_reply service " << ceph_entity_type_name(service_id)
 << " secret_id " << ticket.secret_id
 << " session_key " << msg_a.session_key
@@ -220,6 +248,7 @@ CephXAuthorizer *CephXTicketHandler::build_authorizer(uint64_t global_id)
 CephXAuthorize msg;
 msg.nonce = a->nonce;
+
 if (encode_encrypt(msg, session_key, a->bl) < 0) {
 dout(0) << "failed to encrypt authorizer" << dendl;
 delete a;
@@ -256,11 +285,10 @@ void CephXTicketManager::validate_tickets(uint32_t mask, uint32_t& have, uint32_
 }
 }
-bool cephx_decode_ticket(KeyStore& keys, uint32_t service_id, CephXTicketBlob& ticket_blob, AuthTicket& ticket)
+bool cephx_decode_ticket(KeyStore& keys, uint32_t service_id, CephXTicketBlob& ticket_blob, CephXServiceTicketInfo& ticket_info)
 {
 uint64_t secret_id = ticket_blob.secret_id;
 CryptoKey service_secret;
- CephXServiceTicketInfo ticket_info;
 if (!ticket_blob.blob.length()) {
 return false;
@@ -283,7 +311,6 @@ bool cephx_decode_ticket(KeyStore& keys, uint32_t service_id, CephXTicketBlob& t
 return false;
 }
- ticket = ticket_info.ticket;
 return true;
 }
diff --git a/src/auth/cephx/CephxProtocol.h b/src/auth/cephx/CephxProtocol.h
index 121065e204015..2a816a1455123 100644
--- a/src/auth/cephx/CephxProtocol.h
+++ b/src/auth/cephx/CephxProtocol.h
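Review bot: The new `ticket_enc` branch decrypts with the member `session_key`, which at this point has to be the key of the session being renewed, since the server wraps the renewed ticket in `old_ticket_info.session_key` (CephxServiceHandler.cc) and the fresh key is only read from `msg_a.session_key` in the context below; where the member is assigned is outside the hunk, so this is inferred. That ordering constraint is not written down; I would add `// must use the current (old) session key: the server encrypted the renewed ticket with it, so do not replace session_key before this point` above `if (ticket_enc)`. `ticket_enc` is read from the unencrypted part of the reply, so a wrong or tampered flag only shows up as `decode_decrypt` or `::decode` failing, which the branch handles for the former but not visibly for the latter. The function starts and ends outside the hunk.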
@@ -205,6 +205,8 @@ extern void cephx_build_service_ticket_request(uint32_t keys,
 extern bool cephx_build_service_ticket_reply(CryptoKey& principal_secret,
 vector ticket_info,
+ bool should_encrypt_ticket,
+ CryptoKey& ticket_enc_key,
 bufferlist& reply);
 struct CephXServiceTicketRequest {
@@ -338,7 +340,7 @@ WRITE_CLASS_ENCODER(CephXAuthorize);
 /*
 * Decode an extract ticket
 */
-bool cephx_decode_ticket(KeyStore& keys, uint32_t service_id, CephXTicketBlob& ticket_blob, AuthTicket& ticket);
+bool cephx_decode_ticket(KeyStore& keys, uint32_t service_id, CephXTicketBlob& ticket_blob, CephXServiceTicketInfo& ticket_info);
 /*
 * Verify authorizer and generate reply authorizer
diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc
index 9967eb260f3d6..01ad4428883f1 100644
--- a/src/auth/cephx/CephxServiceHandler.cc
+++ b/src/auth/cephx/CephxServiceHandler.cc
@@ -84,17 +84,19 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist
 CryptoKey session_key;
 CephXSessionAuthInfo info;
+ bool should_enc_ticket = false;
 CryptoKey principal_secret;
 if (key_server->get_secret(entity_name, principal_secret) < 0) {
 ret = -EPERM;
 break;
 }
- AuthTicket old_ticket;
+ CephXServiceTicketInfo old_ticket_info;
- if (cephx_decode_ticket(*key_server, CEPH_ENTITY_TYPE_AUTH, req.old_ticket, old_ticket)) {
- global_id = old_ticket.global_id;
- dout(0) << "decoded old_ticket with global_id=" << old_ticket.global_id << dendl;
+ if (cephx_decode_ticket(*key_server, CEPH_ENTITY_TYPE_AUTH, req.old_ticket, old_ticket_info)) {
+ global_id = old_ticket_info.ticket.global_id;
+ dout(10) << "decoded old_ticket with global_id=" << global_id << dendl;
+ should_enc_ticket = true;
 }
 info.ticket.init_timestamps(g_clock.now(), g_conf.auth_mon_ticket_ttl);
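Review bot: `cephx_decode_ticket` now returns the whole `CephXServiceTicketInfo`, and the handler in CephxServiceHandler.cc treats its `session_key` as encryption material, but the declaration still says only `Decode an extract ticket` ("an" reads as a typo for "and"). The comment should state the contract callers now depend on, e.g. `/* Decode a ticket blob with the service secret for service_id; on success ticket_info (including session_key) is filled in, on failure its contents are unspecified */`. The CephxProtocol.cc hunk at line 285 changes the definition in the same way.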
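Review bot: Nothing in this hunk binds the decoded old ticket to the requesting principal: `global_id` is copied from `old_ticket_info.ticket.global_id` and `should_enc_ticket` is set as soon as `cephx_decode_ticket` succeeds, with no comparison of the identity carried in `old_ticket_info.ticket` against `entity_name` and no visible check of the old ticket's validity period. If `cephx_decode_ticket` does those checks (its body is not in this diff), a comment saying so at the call site would stop the next reader from asking; if it does not, the comparison belongs here, since otherwise any decodable AUTH ticket sets the global_id for this request. Encrypting the renewed ticket under `old_ticket_info.session_key`, which the commit adds, does limit what a mismatched ticket yields, because only the holder of that session key can read the result. The switch case continues outside the hunk.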
@@ -116,7 +118,7 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist
 info_vec.push_back(info);
 build_cephx_response_header(cephx_header.request_type, 0, result_bl);
- if (!cephx_build_service_ticket_reply(principal_secret, info_vec, result_bl)) {
+ if (!cephx_build_service_ticket_reply(principal_secret, info_vec, should_enc_ticket, old_ticket_info.session_key, result_bl)) {
 ret = -EIO;
 break;
 }
@@ -157,8 +159,9 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist
 info_vec.push_back(info);
 }
 }
+ CryptoKey no_key;
 build_cephx_response_header(cephx_header.request_type, ret, result_bl);
- cephx_build_service_ticket_reply(auth_ticket_info.session_key, info_vec, result_bl);
+ cephx_build_service_ticket_reply(auth_ticket_info.session_key, info_vec, false, no_key, result_bl);
 }
 break;
--
2.39.5
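Review bot: The return value of `cephx_build_service_ticket_reply` is still ignored on the new call line, while the call in the hunk at line 118 checks it and sets `ret = -EIO`; a failing `encode_encrypt` inside it would then go out as a truncated reply under a header that was already written. At minimum propagate it, `if (!cephx_build_service_ticket_reply(auth_ticket_info.session_key, info_vec, false, no_key, result_bl)) ret = -EIO;`, noting that `build_cephx_response_header` has already consumed `ret` on the line above and may need to move after the call. `CryptoKey no_key;` exists only because the unused key is passed by reference; a pointer or const-reference parameter would remove the dummy. The enclosing switch continues outside the hunk.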