--- /dev/null
+// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
+// vim: ts=8 sw=2 smarttab
+/*
+ * Ceph - scalable distributed file system
+ *
+ * Copyright (C) 2009-2011 New Dream Network
+ *
+ * This is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License version 2.1, as published by the Free Software
+ * Foundation. See file COPYING.
+ *
+ */
+
+#include "CephxProtocol.h"
+#include "common/Clock.h"
+#include "common/config.h"
+#include "common/debug.h"
+#include "include/buffer.h"
+
+#define dout_subsys ceph_subsys_auth
+#undef dout_prefix
+#define dout_prefix *_dout << "cephx: "
+
+
+
+void cephx_calc_client_server_challenge(CephContext *cct, CryptoKey& secret, uint64_t server_challenge,
+ uint64_t client_challenge, uint64_t *key, std::string &error)
+{
+ CephXChallengeBlob b;
+ b.server_challenge = server_challenge;
+ b.client_challenge = client_challenge;
+
+ bufferlist enc;
+ if (encode_encrypt(cct, b, secret, enc, error))
+ return;
+
+ uint64_t k = 0;
+ const uint64_t *p = (const uint64_t *)enc.c_str();
+ for (int pos = 0; pos + sizeof(k) <= enc.length(); pos+=sizeof(k), p++)
+ k ^= mswab(*p);
+ *key = k;
+}
+
+
+/*
+ * Authentication
+ */
+
+bool cephx_build_service_ticket_blob(CephContext *cct, CephXSessionAuthInfo& info,
+ CephXTicketBlob& blob)
+{
+ CephXServiceTicketInfo ticket_info;
+ ticket_info.session_key = info.session_key;
+ ticket_info.ticket = info.ticket;
+ ticket_info.ticket.caps = info.ticket.caps;
+
+ ldout(cct, 10) << "build_service_ticket service " << ceph_entity_type_name(info.service_id)
+ << " secret_id " << info.secret_id
+ << " ticket_info.ticket.name=" << ticket_info.ticket.name.to_str() << dendl;
+ blob.secret_id = info.secret_id;
+ std::string error;
+ if (!info.service_secret.get_secret().length())
+ error = "invalid key"; // Bad key?
+ else
+ encode_encrypt_enc_bl(cct, ticket_info, info.service_secret, blob.blob, error);
+ if (!error.empty()) {
+ ldout(cct, -1) << "cephx_build_service_ticket_blob failed with error "
+ << error << dendl;
+ return false;
+ }
+ return true;
+}
+
+/*
+ * AUTH SERVER: authenticate
+ *
+ * Authenticate principal, respond with AuthServiceTicketInfo
+ *
+ * {session key, validity}^principal_secret
+ * {principal_ticket, session key}^service_secret ... "enc_ticket"
+ */
+bool cephx_build_service_ticket_reply(CephContext *cct,
+ CryptoKey& principal_secret,
+ vector<CephXSessionAuthInfo> ticket_info_vec,
+ bool should_encrypt_ticket,
+ CryptoKey& ticket_enc_key,
+ bufferlist& reply)
+{
+ __u8 service_ticket_reply_v = 1;
+ ::encode(service_ticket_reply_v, reply);
+
+ uint32_t num = ticket_info_vec.size();
+ ::encode(num, reply);
+ ldout(cct, 10) << "build_service_ticket_reply encoding " << num
+ << " tickets with secret " << principal_secret << dendl;
+
+ for (vector<CephXSessionAuthInfo>::iterator ticket_iter = ticket_info_vec.begin();
+ ticket_iter != ticket_info_vec.end();
+ ++ticket_iter) {
+ CephXSessionAuthInfo& info = *ticket_iter;
+ ::encode(info.service_id, reply);
+
+ __u8 service_ticket_v = 1;
+ ::encode(service_ticket_v, reply);
+
+ CephXServiceTicket msg_a;
+ msg_a.session_key = info.session_key;
+ msg_a.validity = info.validity;
+ std::string error;
+ if (encode_encrypt(cct, msg_a, principal_secret, reply, error)) {
+ ldout(cct, -1) << "error encoding encrypted: " << error << dendl;
+ return false;
+ }
+
+ bufferlist service_ticket_bl;
+ CephXTicketBlob blob;
+ if (!cephx_build_service_ticket_blob(cct, info, blob)) {
+ return false;
+ }
+ ::encode(blob, service_ticket_bl);
+
+ ldout(cct, 30) << "service_ticket_blob is ";
+ service_ticket_bl.hexdump(*_dout);
+ *_dout << dendl;
+
+ ::encode((__u8)should_encrypt_ticket, reply);
+ if (should_encrypt_ticket) {
+ if (encode_encrypt(cct, service_ticket_bl, ticket_enc_key, reply, error)) {
+ ldout(cct, -1) << "error encoding encrypted ticket: " << error << dendl;
+ return false;
+ }
+ } else {
+ ::encode(service_ticket_bl, reply);
+ }
+ }
+ return true;
+}
+
+/*
+ * PRINCIPAL: verify our attempt to authenticate succeeded. fill out
+ * this ServiceTicket with the result.
+ */
+bool CephXTicketHandler::verify_service_ticket_reply(CryptoKey& secret,
+ bufferlist::iterator& indata)
+{
+ __u8 service_ticket_v;
+ ::decode(service_ticket_v, indata);
+
+ CephXServiceTicket msg_a;
+ std::string error;
+ if (decode_decrypt(cct, msg_a, secret, indata, error)) {
+ ldout(cct, 0) << "verify_service_ticket_reply: failed decode_decrypt, error is: " << error << dendl;
+ return false;
+ }
+
+ __u8 ticket_enc;
+ ::decode(ticket_enc, indata);
+
+ bufferlist service_ticket_bl;
+ if (ticket_enc) {
+ ldout(cct, 10) << " got encrypted ticket" << dendl;
+ std::string error;
+ if (decode_decrypt(cct, service_ticket_bl, session_key, indata, error)) {
+ ldout(cct, 10) << "verify_service_ticket_reply: decode_decrypt failed "
+ << "with " << error << dendl;
+ return false;
+ }
+ } else {
+ ::decode(service_ticket_bl, indata);
+ }
+ bufferlist::iterator iter = service_ticket_bl.begin();
+ ::decode(ticket, iter);
+ ldout(cct, 10) << " ticket.secret_id=" << ticket.secret_id << dendl;
+
+ ldout(cct, 10) << "verify_service_ticket_reply service " << ceph_entity_type_name(service_id)
+ << " secret_id " << ticket.secret_id
+ << " session_key " << msg_a.session_key
+ << " validity=" << msg_a.validity << dendl;
+ session_key = msg_a.session_key;
+ if (!msg_a.validity.is_zero()) {
+ expires = ceph_clock_now();
+ expires += msg_a.validity;
+ renew_after = expires;
+ renew_after -= ((double)msg_a.validity.sec() / 4);
+ ldout(cct, 10) << "ticket expires=" << expires << " renew_after=" << renew_after << dendl;
+ }
+
+ have_key_flag = true;
+ return true;
+}
+
+bool CephXTicketHandler::have_key()
+{
+ if (have_key_flag) {
+ have_key_flag = ceph_clock_now() < expires;
+ }
+
+ return have_key_flag;
+}
+
+bool CephXTicketHandler::need_key() const
+{
+ if (have_key_flag) {
+ return (!expires.is_zero()) && (ceph_clock_now() >= renew_after);
+ }
+
+ return true;
+}
+
+bool CephXTicketManager::have_key(uint32_t service_id)
+{
+ map<uint32_t, CephXTicketHandler>::iterator iter = tickets_map.find(service_id);
+ if (iter == tickets_map.end())
+ return false;
+ return iter->second.have_key();
+}
+
+bool CephXTicketManager::need_key(uint32_t service_id) const
+{
+ map<uint32_t, CephXTicketHandler>::const_iterator iter = tickets_map.find(service_id);
+ if (iter == tickets_map.end())
+ return true;
+ return iter->second.need_key();
+}
+
+void CephXTicketManager::set_have_need_key(uint32_t service_id, uint32_t& have, uint32_t& need)
+{
+ map<uint32_t, CephXTicketHandler>::iterator iter = tickets_map.find(service_id);
+ if (iter == tickets_map.end()) {
+ have &= ~service_id;
+ need |= service_id;
+ ldout(cct, 10) << "set_have_need_key no handler for service "
+ << ceph_entity_type_name(service_id) << dendl;
+ return;
+ }
+
+ //ldout(cct, 10) << "set_have_need_key service " << ceph_entity_type_name(service_id)
+ //<< " (" << service_id << ")"
+ //<< " need=" << iter->second.need_key() << " have=" << iter->second.have_key() << dendl;
+ if (iter->second.need_key())
+ need |= service_id;
+ else
+ need &= ~service_id;
+
+ if (iter->second.have_key())
+ have |= service_id;
+ else
+ have &= ~service_id;
+}
+
+void CephXTicketManager::invalidate_ticket(uint32_t service_id)
+{
+ map<uint32_t, CephXTicketHandler>::iterator iter = tickets_map.find(service_id);
+ if (iter != tickets_map.end())
+ iter->second.invalidate_ticket();
+}
+
+/*
+ * PRINCIPAL: verify our attempt to authenticate succeeded. fill out
+ * this ServiceTicket with the result.
+ */
+bool CephXTicketManager::verify_service_ticket_reply(CryptoKey& secret,
+ bufferlist::iterator& indata)
+{
+ __u8 service_ticket_reply_v;
+ ::decode(service_ticket_reply_v, indata);
+
+ uint32_t num;
+ ::decode(num, indata);
+ ldout(cct, 10) << "verify_service_ticket_reply got " << num << " keys" << dendl;
+
+ for (int i=0; i<(int)num; i++) {
+ uint32_t type;
+ ::decode(type, indata);
+ ldout(cct, 10) << "got key for service_id " << ceph_entity_type_name(type) << dendl;
+ CephXTicketHandler& handler = get_handler(type);
+ if (!handler.verify_service_ticket_reply(secret, indata)) {
+ return false;
+ }
+ handler.service_id = type;
+ }
+
+ if (!indata.end())
+ return false;
+
+ return true;
+}
+
+/*
+ * PRINCIPAL: build authorizer to access the service.
+ *
+ * ticket, {timestamp}^session_key
+ */
+CephXAuthorizer *CephXTicketHandler::build_authorizer(uint64_t global_id) const
+{
+ CephXAuthorizer *a = new CephXAuthorizer(cct);
+ a->session_key = session_key;
+ a->nonce = ((uint64_t)rand() << 32) + rand();
+
+ __u8 authorizer_v = 1;
+ ::encode(authorizer_v, a->bl);
+ ::encode(global_id, a->bl);
+ ::encode(service_id, a->bl);
+
+ ::encode(ticket, a->bl);
+
+ CephXAuthorize msg;
+ msg.nonce = a->nonce;
+
+ std::string error;
+ if (encode_encrypt(cct, msg, session_key, a->bl, error)) {
+ ldout(cct, 0) << "failed to encrypt authorizer: " << error << dendl;
+ delete a;
+ return 0;
+ }
+ return a;
+}
+
+/*
+ * PRINCIPAL: build authorizer to access the service.
+ *
+ * ticket, {timestamp}^session_key
+ */
+CephXAuthorizer *CephXTicketManager::build_authorizer(uint32_t service_id) const
+{
+ map<uint32_t, CephXTicketHandler>::const_iterator iter = tickets_map.find(service_id);
+ if (iter == tickets_map.end()) {
+ ldout(cct, 0) << "no TicketHandler for service "
+ << ceph_entity_type_name(service_id) << dendl;
+ return NULL;
+ }
+
+ const CephXTicketHandler& handler = iter->second;
+ return handler.build_authorizer(global_id);
+}
+
+void CephXTicketManager::validate_tickets(uint32_t mask, uint32_t& have, uint32_t& need)
+{
+ uint32_t i;
+ need = 0;
+ for (i = 1; i<=mask; i<<=1) {
+ if (mask & i) {
+ set_have_need_key(i, have, need);
+ }
+ }
+ ldout(cct, 10) << "validate_tickets want " << mask << " have " << have
+ << " need " << need << dendl;
+}
+
+bool cephx_decode_ticket(CephContext *cct, KeyStore *keys, uint32_t service_id,
+ CephXTicketBlob& ticket_blob, CephXServiceTicketInfo& ticket_info)
+{
+ uint64_t secret_id = ticket_blob.secret_id;
+ CryptoKey service_secret;
+
+ if (!ticket_blob.blob.length()) {
+ return false;
+ }
+
+ if (secret_id == (uint64_t)-1) {
+ if (!keys->get_secret(cct->_conf->name, service_secret)) {
+ ldout(cct, 0) << "ceph_decode_ticket could not get general service secret for service_id="
+ << ceph_entity_type_name(service_id) << " secret_id=" << secret_id << dendl;
+ return false;
+ }
+ } else {
+ if (!keys->get_service_secret(service_id, secret_id, service_secret)) {
+ ldout(cct, 0) << "ceph_decode_ticket could not get service secret for service_id="
+ << ceph_entity_type_name(service_id) << " secret_id=" << secret_id << dendl;
+ return false;
+ }
+ }
+
+ std::string error;
+ decode_decrypt_enc_bl(cct, ticket_info, service_secret, ticket_blob.blob, error);
+ if (!error.empty()) {
+ ldout(cct, 0) << "ceph_decode_ticket could not decrypt ticket info. error:"
+ << error << dendl;
+ return false;
+ }
+
+ return true;
+}
+
+/*
+ * SERVICE: verify authorizer and generate reply authorizer
+ *
+ * {timestamp + 1}^session_key
+ */
+bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys,
+ bufferlist::iterator& indata,
+ CephXServiceTicketInfo& ticket_info, bufferlist& reply_bl)
+{
+ __u8 authorizer_v;
+ uint32_t service_id;
+ uint64_t global_id;
+ CryptoKey service_secret;
+ // ticket blob
+ CephXTicketBlob ticket;
+
+
+ try {
+ ::decode(authorizer_v, indata);
+ ::decode(global_id, indata);
+ ::decode(service_id, indata);
+ ::decode(ticket, indata);
+ } catch (buffer::end_of_buffer &e) {
+ // Unable to decode!
+ return false;
+ }
+ ldout(cct, 10) << "verify_authorizer decrypted service "
+ << ceph_entity_type_name(service_id)
+ << " secret_id=" << ticket.secret_id << dendl;
+
+ if (ticket.secret_id == (uint64_t)-1) {
+ EntityName name;
+ name.set_type(service_id);
+ if (!keys->get_secret(name, service_secret)) {
+ ldout(cct, 0) << "verify_authorizer could not get general service secret for service "
+ << ceph_entity_type_name(service_id) << " secret_id=" << ticket.secret_id << dendl;
+ return false;
+ }
+ } else {
+ if (!keys->get_service_secret(service_id, ticket.secret_id, service_secret)) {
+ ldout(cct, 0) << "verify_authorizer could not get service secret for service "
+ << ceph_entity_type_name(service_id) << " secret_id=" << ticket.secret_id << dendl;
+ if (cct->_conf->auth_debug && ticket.secret_id == 0)
+ assert(0 == "got secret_id=0");
+ return false;
+ }
+ }
+ std::string error;
+ if (!service_secret.get_secret().length())
+ error = "invalid key"; // Bad key?
+ else
+ decode_decrypt_enc_bl(cct, ticket_info, service_secret, ticket.blob, error);
+ if (!error.empty()) {
+ ldout(cct, 0) << "verify_authorizer could not decrypt ticket info: error: "
+ << error << dendl;
+ return false;
+ }
+
+ if (ticket_info.ticket.global_id != global_id) {
+ ldout(cct, 0) << "verify_authorizer global_id mismatch: declared id=" << global_id
+ << " ticket_id=" << ticket_info.ticket.global_id << dendl;
+ return false;
+ }
+
+ ldout(cct, 10) << "verify_authorizer global_id=" << global_id << dendl;
+
+ // CephXAuthorize
+ CephXAuthorize auth_msg;
+ if (decode_decrypt(cct, auth_msg, ticket_info.session_key, indata, error)) {
+ ldout(cct, 0) << "verify_authorizercould not decrypt authorize request with error: "
+ << error << dendl;
+ return false;
+ }
+
+ /*
+ * Reply authorizer:
+ * {timestamp + 1}^session_key
+ */
+ CephXAuthorizeReply reply;
+ // reply.trans_id = auth_msg.trans_id;
+ reply.nonce_plus_one = auth_msg.nonce + 1;
+ if (encode_encrypt(cct, reply, ticket_info.session_key, reply_bl, error)) {
+ ldout(cct, 10) << "verify_authorizer: encode_encrypt error: " << error << dendl;
+ return false;
+ }
+
+ ldout(cct, 10) << "verify_authorizer ok nonce " << hex << auth_msg.nonce << dec
+ << " reply_bl.length()=" << reply_bl.length() << dendl;
+ return true;
+}
+
+bool CephXAuthorizer::verify_reply(bufferlist::iterator& indata)
+{
+ CephXAuthorizeReply reply;
+
+ std::string error;
+ if (decode_decrypt(cct, reply, session_key, indata, error)) {
+ ldout(cct, 0) << "verify_reply couldn't decrypt with error: " << error << dendl;
+ return false;
+ }
+
+ uint64_t expect = nonce + 1;
+ if (expect != reply.nonce_plus_one) {
+ ldout(cct, 0) << "verify_authorizer_reply bad nonce got " << reply.nonce_plus_one << " expected " << expect
+ << " sent " << nonce << dendl;
+ return false;
+ }
+ return true;
+}
+