
Lines Matching +full:dout +full:- +full:default

1 // SPDX-License-Identifier: GPL-2.0
24 struct ceph_x_info *xi = ac->private; in ceph_x_is_authenticated()
28 dout("ceph_x_is_authenticated want=%d need=%d have=%d\n", in ceph_x_is_authenticated()
29 ac->want_keys, need, xi->have_keys); in ceph_x_is_authenticated()
30 return (ac->want_keys & xi->have_keys) == ac->want_keys; in ceph_x_is_authenticated()
35 struct ceph_x_info *xi = ac->private; in ceph_x_should_authenticate()
39 dout("ceph_x_should_authenticate want=%d need=%d have=%d\n", in ceph_x_should_authenticate()
40 ac->want_keys, need, xi->have_keys); in ceph_x_should_authenticate()
61 hdr->struct_v = 1; in ceph_x_encrypt()
62 hdr->magic = cpu_to_le64(CEPHX_ENC_MAGIC); in ceph_x_encrypt()
64 ret = ceph_crypt(secret, true, buf + sizeof(u32), buf_len - sizeof(u32), in ceph_x_encrypt()
86 if (le64_to_cpu(hdr->magic) != CEPHX_ENC_MAGIC) { in __ceph_x_decrypt()
88 return -EINVAL; in __ceph_x_decrypt()
91 return plaintext_len - sizeof(*hdr); in __ceph_x_decrypt()
110 return -EINVAL; in ceph_x_decrypt()
120 struct ceph_x_info *xi = ac->private; in get_ticket_handler()
121 struct rb_node *parent = NULL, **p = &xi->ticket_handlers.rb_node; in get_ticket_handler()
126 if (service < th->service) in get_ticket_handler()
127 p = &(*p)->rb_left; in get_ticket_handler()
128 else if (service > th->service) in get_ticket_handler()
129 p = &(*p)->rb_right; in get_ticket_handler()
137 return ERR_PTR(-ENOMEM); in get_ticket_handler()
138 th->service = service; in get_ticket_handler()
139 rb_link_node(&th->node, parent, p); in get_ticket_handler()
140 rb_insert_color(&th->node, &xi->ticket_handlers); in get_ticket_handler()
147 struct ceph_x_info *xi = ac->private; in remove_ticket_handler()
149 dout("remove_ticket_handler %p %d\n", th, th->service); in remove_ticket_handler()
150 rb_erase(&th->node, &xi->ticket_handlers); in remove_ticket_handler()
151 ceph_crypto_key_destroy(&th->session_key); in remove_ticket_handler()
152 if (th->ticket_blob) in remove_ticket_handler()
153 ceph_buffer_put(th->ticket_blob); in remove_ticket_handler()
161 struct ceph_x_info *xi = ac->private; in process_one_ticket()
180 dout(" ticket type %d %s\n", type, ceph_entity_type_name(type)); in process_one_ticket()
197 dout(" decrypted %d bytes\n", ret); in process_one_ticket()
211 new_renew_after = new_expires - (validity.tv_sec / 4); in process_one_ticket()
212 dout(" expires=%llu renew_after=%llu\n", new_expires, in process_one_ticket()
220 ret = ceph_x_decrypt(&th->session_key, p, end); in process_one_ticket()
223 dout(" encrypted ticket, decrypted %d bytes\n", ret); in process_one_ticket()
232 dout(" ticket blob is %d bytes\n", dlen); in process_one_ticket()
244 ceph_crypto_key_destroy(&th->session_key); in process_one_ticket()
245 if (th->ticket_blob) in process_one_ticket()
246 ceph_buffer_put(th->ticket_blob); in process_one_ticket()
247 th->session_key = new_session_key; in process_one_ticket()
248 th->ticket_blob = new_ticket_blob; in process_one_ticket()
249 th->secret_id = new_secret_id; in process_one_ticket()
250 th->expires = new_expires; in process_one_ticket()
251 th->renew_after = new_renew_after; in process_one_ticket()
252 th->have_key = true; in process_one_ticket()
253 dout(" got ticket service %d (%s) secret_id %lld len %d\n", in process_one_ticket()
254 type, ceph_entity_type_name(type), th->secret_id, in process_one_ticket()
255 (int)th->ticket_blob->vec.iov_len); in process_one_ticket()
256 xi->have_keys |= th->service; in process_one_ticket()
260 ret = -EINVAL; in process_one_ticket()
277 return -EINVAL; in ceph_x_proc_ticket_reply()
280 dout("%d tickets\n", num); in ceph_x_proc_ticket_reply()
282 while (num--) { in ceph_x_proc_ticket_reply()
291 return -EINVAL; in ceph_x_proc_ticket_reply()
307 msg_a = au->buf->vec.iov_base; in encrypt_authorizer()
308 WARN_ON(msg_a->ticket_blob.secret_id != cpu_to_le64(au->secret_id)); in encrypt_authorizer()
309 p = (void *)(msg_a + 1) + le32_to_cpu(msg_a->ticket_blob.blob_len); in encrypt_authorizer()
310 end = au->buf->vec.iov_base + au->buf->vec.iov_len; in encrypt_authorizer()
313 msg_b->struct_v = 2; in encrypt_authorizer()
314 msg_b->nonce = cpu_to_le64(au->nonce); in encrypt_authorizer()
316 msg_b->have_challenge = 1; in encrypt_authorizer()
317 msg_b->server_challenge_plus_one = in encrypt_authorizer()
320 msg_b->have_challenge = 0; in encrypt_authorizer()
321 msg_b->server_challenge_plus_one = 0; in encrypt_authorizer()
324 ret = ceph_x_encrypt(&au->session_key, p, end - p, sizeof(*msg_b)); in encrypt_authorizer()
333 au->buf->vec.iov_len = p - au->buf->vec.iov_base; in encrypt_authorizer()
341 ceph_crypto_key_destroy(&au->session_key); in ceph_x_authorizer_cleanup()
342 if (au->buf) { in ceph_x_authorizer_cleanup()
343 ceph_buffer_put(au->buf); in ceph_x_authorizer_cleanup()
344 au->buf = NULL; in ceph_x_authorizer_cleanup()
357 (th->ticket_blob ? th->ticket_blob->vec.iov_len : 0); in ceph_x_build_authorizer()
359 dout("build_authorizer for %s %p\n", in ceph_x_build_authorizer()
360 ceph_entity_type_name(th->service), au); in ceph_x_build_authorizer()
362 ceph_crypto_key_destroy(&au->session_key); in ceph_x_build_authorizer()
363 ret = ceph_crypto_key_clone(&au->session_key, &th->session_key); in ceph_x_build_authorizer()
369 dout(" need len %d\n", maxlen); in ceph_x_build_authorizer()
370 if (au->buf && au->buf->alloc_len < maxlen) { in ceph_x_build_authorizer()
371 ceph_buffer_put(au->buf); in ceph_x_build_authorizer()
372 au->buf = NULL; in ceph_x_build_authorizer()
374 if (!au->buf) { in ceph_x_build_authorizer()
375 au->buf = ceph_buffer_new(maxlen, GFP_NOFS); in ceph_x_build_authorizer()
376 if (!au->buf) { in ceph_x_build_authorizer()
377 ret = -ENOMEM; in ceph_x_build_authorizer()
381 au->service = th->service; in ceph_x_build_authorizer()
382 au->secret_id = th->secret_id; in ceph_x_build_authorizer()
384 msg_a = au->buf->vec.iov_base; in ceph_x_build_authorizer()
385 msg_a->struct_v = 1; in ceph_x_build_authorizer()
386 msg_a->global_id = cpu_to_le64(ac->global_id); in ceph_x_build_authorizer()
387 msg_a->service_id = cpu_to_le32(th->service); in ceph_x_build_authorizer()
388 msg_a->ticket_blob.struct_v = 1; in ceph_x_build_authorizer()
389 msg_a->ticket_blob.secret_id = cpu_to_le64(th->secret_id); in ceph_x_build_authorizer()
390 msg_a->ticket_blob.blob_len = cpu_to_le32(ticket_blob_len); in ceph_x_build_authorizer()
392 memcpy(msg_a->ticket_blob.blob, th->ticket_blob->vec.iov_base, in ceph_x_build_authorizer()
393 th->ticket_blob->vec.iov_len); in ceph_x_build_authorizer()
395 dout(" th %p secret_id %lld %lld\n", th, th->secret_id, in ceph_x_build_authorizer()
396 le64_to_cpu(msg_a->ticket_blob.secret_id)); in ceph_x_build_authorizer()
398 get_random_bytes(&au->nonce, sizeof(au->nonce)); in ceph_x_build_authorizer()
405 dout(" built authorizer nonce %llx len %d\n", au->nonce, in ceph_x_build_authorizer()
406 (int)au->buf->vec.iov_len); in ceph_x_build_authorizer()
419 ceph_encode_64(p, th->secret_id); in ceph_x_encode_ticket()
420 if (th->ticket_blob) { in ceph_x_encode_ticket()
421 const char *buf = th->ticket_blob->vec.iov_base; in ceph_x_encode_ticket()
422 u32 len = th->ticket_blob->vec.iov_len; in ceph_x_encode_ticket()
432 return -ERANGE; in ceph_x_encode_ticket()
437 if (!th->have_key) in need_key()
440 return ktime_get_real_seconds() >= th->renew_after; in need_key()
445 if (th->have_key) { in have_key()
446 if (ktime_get_real_seconds() >= th->expires) in have_key()
447 th->have_key = false; in have_key()
450 return th->have_key; in have_key()
455 int want = ac->want_keys; in ceph_x_validate_tickets()
456 struct ceph_x_info *xi = ac->private; in ceph_x_validate_tickets()
459 *pneed = ac->want_keys & ~(xi->have_keys); in ceph_x_validate_tickets()
464 if (!(ac->want_keys & service)) in ceph_x_validate_tickets()
479 xi->have_keys &= ~service; in ceph_x_validate_tickets()
486 struct ceph_x_info *xi = ac->private; in ceph_x_build_request()
498 dout("build_request want %x have %x need %x\n", in ceph_x_build_request()
499 ac->want_keys, xi->have_keys, need); in ceph_x_build_request()
504 void *enc_buf = xi->auth_authorizer.enc_buf; in ceph_x_build_request()
510 return -ERANGE; in ceph_x_build_request()
512 dout(" get_auth_session_key\n"); in ceph_x_build_request()
513 head->op = cpu_to_le16(CEPHX_GET_AUTH_SESSION_KEY); in ceph_x_build_request()
516 get_random_bytes(&auth->client_challenge, sizeof(u64)); in ceph_x_build_request()
517 blob->client_challenge = auth->client_challenge; in ceph_x_build_request()
518 blob->server_challenge = cpu_to_le64(xi->server_challenge); in ceph_x_build_request()
519 ret = ceph_x_encrypt(&xi->secret, enc_buf, CEPHX_AU_ENC_BUF_LEN, in ceph_x_build_request()
524 auth->struct_v = 1; in ceph_x_build_request()
525 auth->key = 0; in ceph_x_build_request()
527 auth->key ^= *(__le64 *)u; in ceph_x_build_request()
528 dout(" server_challenge %llx client_challenge %llx key %llx\n", in ceph_x_build_request()
529 xi->server_challenge, le64_to_cpu(auth->client_challenge), in ceph_x_build_request()
530 le64_to_cpu(auth->key)); in ceph_x_build_request()
537 return p - buf; in ceph_x_build_request()
545 return -ERANGE; in ceph_x_build_request()
546 head->op = cpu_to_le16(CEPHX_GET_PRINCIPAL_SESSION_KEY); in ceph_x_build_request()
548 ret = ceph_x_build_authorizer(ac, th, &xi->auth_authorizer); in ceph_x_build_request()
551 ceph_encode_copy(&p, xi->auth_authorizer.buf->vec.iov_base, in ceph_x_build_request()
552 xi->auth_authorizer.buf->vec.iov_len); in ceph_x_build_request()
555 req->keys = cpu_to_le32(need); in ceph_x_build_request()
557 return p - buf; in ceph_x_build_request()
566 struct ceph_x_info *xi = ac->private; in ceph_x_handle_reply()
569 int len = end - buf; in ceph_x_handle_reply()
576 if (xi->starting) { in ceph_x_handle_reply()
581 return -EINVAL; in ceph_x_handle_reply()
582 xi->server_challenge = le64_to_cpu(sc->server_challenge); in ceph_x_handle_reply()
583 dout("handle_reply got server challenge %llx\n", in ceph_x_handle_reply()
584 xi->server_challenge); in ceph_x_handle_reply()
585 xi->starting = false; in ceph_x_handle_reply()
586 xi->have_keys &= ~CEPH_ENTITY_TYPE_AUTH; in ceph_x_handle_reply()
587 return -EAGAIN; in ceph_x_handle_reply()
590 op = le16_to_cpu(head->op); in ceph_x_handle_reply()
591 result = le32_to_cpu(head->result); in ceph_x_handle_reply()
592 dout("handle_reply op %d result %d\n", op, result); in ceph_x_handle_reply()
596 ret = ceph_x_proc_ticket_reply(ac, &xi->secret, in ceph_x_handle_reply()
604 ret = ceph_x_proc_ticket_reply(ac, &th->session_key, in ceph_x_handle_reply()
608 default: in ceph_x_handle_reply()
609 return -EINVAL; in ceph_x_handle_reply()
613 if (ac->want_keys == xi->have_keys) in ceph_x_handle_reply()
615 return -EAGAIN; in ceph_x_handle_reply()
640 return -ENOMEM; in ceph_x_create_authorizer()
642 au->base.destroy = ceph_x_destroy_authorizer; in ceph_x_create_authorizer()
650 auth->authorizer = (struct ceph_authorizer *) au; in ceph_x_create_authorizer()
651 auth->authorizer_buf = au->buf->vec.iov_base; in ceph_x_create_authorizer()
652 auth->authorizer_buf_len = au->buf->vec.iov_len; in ceph_x_create_authorizer()
653 auth->authorizer_reply_buf = au->enc_buf; in ceph_x_create_authorizer()
654 auth->authorizer_reply_buf_len = CEPHX_AU_ENC_BUF_LEN; in ceph_x_create_authorizer()
655 auth->sign_message = ac->ops->sign_message; in ceph_x_create_authorizer()
656 auth->check_message_signature = ac->ops->check_message_signature; in ceph_x_create_authorizer()
672 au = (struct ceph_x_authorizer *)auth->authorizer; in ceph_x_update_authorizer()
673 if (au->secret_id < th->secret_id) { in ceph_x_update_authorizer()
674 dout("ceph_x_update_authorizer service %u secret %llu < %llu\n", in ceph_x_update_authorizer()
675 au->service, au->secret_id, th->secret_id); in ceph_x_update_authorizer()
691 ret = __ceph_x_decrypt(&au->session_key, challenge_buf, in decrypt_authorize_challenge()
697 return -EINVAL; in decrypt_authorize_challenge()
700 *server_challenge = le64_to_cpu(ch->server_challenge); in decrypt_authorize_challenge()
733 void *p = au->enc_buf; in ceph_x_verify_authorizer_reply()
737 ret = ceph_x_decrypt(&au->session_key, &p, p + CEPHX_AU_ENC_BUF_LEN); in ceph_x_verify_authorizer_reply()
742 return -EINVAL; in ceph_x_verify_authorizer_reply()
745 if (au->nonce + 1 != le64_to_cpu(reply->nonce_plus_one)) in ceph_x_verify_authorizer_reply()
746 ret = -EPERM; in ceph_x_verify_authorizer_reply()
749 dout("verify_authorizer_reply nonce %llx got %llx ret %d\n", in ceph_x_verify_authorizer_reply()
750 au->nonce, le64_to_cpu(reply->nonce_plus_one), ret); in ceph_x_verify_authorizer_reply()
756 struct ceph_x_info *xi = ac->private; in ceph_x_reset()
758 dout("reset\n"); in ceph_x_reset()
759 xi->starting = true; in ceph_x_reset()
760 xi->server_challenge = 0; in ceph_x_reset()
765 struct ceph_x_info *xi = ac->private; in ceph_x_destroy()
768 dout("ceph_x_destroy %p\n", ac); in ceph_x_destroy()
769 ceph_crypto_key_destroy(&xi->secret); in ceph_x_destroy()
771 while ((p = rb_first(&xi->ticket_handlers)) != NULL) { in ceph_x_destroy()
777 ceph_x_authorizer_cleanup(&xi->auth_authorizer); in ceph_x_destroy()
779 kfree(ac->private); in ceph_x_destroy()
780 ac->private = NULL; in ceph_x_destroy()
789 th->have_key = false; in invalidate_ticket()
808 void *enc_buf = au->enc_buf; in calc_signature()
811 if (!CEPH_HAVE_FEATURE(msg->con->peer_features, CEPHX_V2)) { in calc_signature()
820 sigblock->len = cpu_to_le32(4*sizeof(u32)); in calc_signature()
821 sigblock->header_crc = msg->hdr.crc; in calc_signature()
822 sigblock->front_crc = msg->footer.front_crc; in calc_signature()
823 sigblock->middle_crc = msg->footer.middle_crc; in calc_signature()
824 sigblock->data_crc = msg->footer.data_crc; in calc_signature()
826 ret = ceph_x_encrypt(&au->session_key, enc_buf, in calc_signature()
848 sigblock->header_crc = msg->hdr.crc; in calc_signature()
849 sigblock->front_crc = msg->footer.front_crc; in calc_signature()
850 sigblock->front_len = msg->hdr.front_len; in calc_signature()
851 sigblock->middle_crc = msg->footer.middle_crc; in calc_signature()
852 sigblock->middle_len = msg->hdr.middle_len; in calc_signature()
853 sigblock->data_crc = msg->footer.data_crc; in calc_signature()
854 sigblock->data_len = msg->hdr.data_len; in calc_signature()
855 sigblock->seq_lower_word = *(__le32 *)&msg->hdr.seq; in calc_signature()
858 ret = ceph_crypt(&au->session_key, true, enc_buf, in calc_signature()
864 *psig = penc->a ^ penc->b ^ penc->c ^ penc->d; in calc_signature()
876 if (ceph_test_opt(from_msgr(msg->con->msgr), NOMSGSIGN)) in ceph_x_sign_message()
879 ret = calc_signature((struct ceph_x_authorizer *)auth->authorizer, in ceph_x_sign_message()
884 msg->footer.sig = sig; in ceph_x_sign_message()
885 msg->footer.flags |= CEPH_MSG_FOOTER_SIGNED; in ceph_x_sign_message()
895 if (ceph_test_opt(from_msgr(msg->con->msgr), NOMSGSIGN)) in ceph_x_check_message_signature()
898 ret = calc_signature((struct ceph_x_authorizer *)auth->authorizer, in ceph_x_check_message_signature()
902 if (sig_check == msg->footer.sig) in ceph_x_check_message_signature()
904 if (msg->footer.flags & CEPH_MSG_FOOTER_SIGNED) in ceph_x_check_message_signature()
905 dout("ceph_x_check_message_signature %p has signature %llx " in ceph_x_check_message_signature()
906 "expect %llx\n", msg, msg->footer.sig, sig_check); in ceph_x_check_message_signature()
908 dout("ceph_x_check_message_signature %p sender did not set " in ceph_x_check_message_signature()
910 return -EBADMSG; in ceph_x_check_message_signature()
936 dout("ceph_x_init %p\n", ac); in ceph_x_init()
937 ret = -ENOMEM; in ceph_x_init()
942 ret = -EINVAL; in ceph_x_init()
943 if (!ac->key) { in ceph_x_init()
948 ret = ceph_crypto_key_clone(&xi->secret, ac->key); in ceph_x_init()
954 xi->starting = true; in ceph_x_init()
955 xi->ticket_handlers = RB_ROOT; in ceph_x_init()
957 ac->protocol = CEPH_AUTH_CEPHX; in ceph_x_init()
958 ac->private = xi; in ceph_x_init()
959 ac->ops = &ceph_x_ops; in ceph_x_init()