Lines Matching +full:dout +full:- +full:default
1 // SPDX-License-Identifier: GPL-2.0
24 struct ceph_x_info *xi = ac->private; in ceph_x_is_authenticated()
29 missing = ac->want_keys & ~xi->have_keys; in ceph_x_is_authenticated()
31 dout("%s want 0x%x have 0x%x missing 0x%x -> %d\n", __func__, in ceph_x_is_authenticated()
32 ac->want_keys, xi->have_keys, missing, !missing); in ceph_x_is_authenticated()
38 struct ceph_x_info *xi = ac->private; in ceph_x_should_authenticate()
42 dout("%s want 0x%x have 0x%x need 0x%x -> %d\n", __func__, in ceph_x_should_authenticate()
43 ac->want_keys, xi->have_keys, need, !!need); in ceph_x_should_authenticate()
64 hdr->struct_v = 1; in ceph_x_encrypt()
65 hdr->magic = cpu_to_le64(CEPHX_ENC_MAGIC); in ceph_x_encrypt()
67 ret = ceph_crypt(secret, true, buf + sizeof(u32), buf_len - sizeof(u32), in ceph_x_encrypt()
89 if (le64_to_cpu(hdr->magic) != CEPHX_ENC_MAGIC) { in __ceph_x_decrypt()
91 return -EINVAL; in __ceph_x_decrypt()
94 return plaintext_len - sizeof(*hdr); in __ceph_x_decrypt()
113 return -EINVAL; in ceph_x_decrypt()
123 struct ceph_x_info *xi = ac->private; in get_ticket_handler()
124 struct rb_node *parent = NULL, **p = &xi->ticket_handlers.rb_node; in get_ticket_handler()
129 if (service < th->service) in get_ticket_handler()
130 p = &(*p)->rb_left; in get_ticket_handler()
131 else if (service > th->service) in get_ticket_handler()
132 p = &(*p)->rb_right; in get_ticket_handler()
140 return ERR_PTR(-ENOMEM); in get_ticket_handler()
141 th->service = service; in get_ticket_handler()
142 rb_link_node(&th->node, parent, p); in get_ticket_handler()
143 rb_insert_color(&th->node, &xi->ticket_handlers); in get_ticket_handler()
150 struct ceph_x_info *xi = ac->private; in remove_ticket_handler()
152 dout("remove_ticket_handler %p %d\n", th, th->service); in remove_ticket_handler()
153 rb_erase(&th->node, &xi->ticket_handlers); in remove_ticket_handler()
154 ceph_crypto_key_destroy(&th->session_key); in remove_ticket_handler()
155 if (th->ticket_blob) in remove_ticket_handler()
156 ceph_buffer_put(th->ticket_blob); in remove_ticket_handler()
164 struct ceph_x_info *xi = ac->private; in process_one_ticket()
183 dout(" ticket type %d %s\n", type, ceph_entity_type_name(type)); in process_one_ticket()
200 dout(" decrypted %d bytes\n", ret); in process_one_ticket()
215 new_renew_after = new_expires - (validity.tv_sec / 4); in process_one_ticket()
216 dout(" expires=%llu renew_after=%llu\n", new_expires, in process_one_ticket()
224 ret = ceph_x_decrypt(&th->session_key, p, end); in process_one_ticket()
227 dout(" encrypted ticket, decrypted %d bytes\n", ret); in process_one_ticket()
236 dout(" ticket blob is %d bytes\n", dlen); in process_one_ticket()
248 ceph_crypto_key_destroy(&th->session_key); in process_one_ticket()
249 if (th->ticket_blob) in process_one_ticket()
250 ceph_buffer_put(th->ticket_blob); in process_one_ticket()
251 th->session_key = new_session_key; in process_one_ticket()
252 th->ticket_blob = new_ticket_blob; in process_one_ticket()
253 th->secret_id = new_secret_id; in process_one_ticket()
254 th->expires = new_expires; in process_one_ticket()
255 th->renew_after = new_renew_after; in process_one_ticket()
256 th->have_key = true; in process_one_ticket()
257 dout(" got ticket service %d (%s) secret_id %lld len %d\n", in process_one_ticket()
258 type, ceph_entity_type_name(type), th->secret_id, in process_one_ticket()
259 (int)th->ticket_blob->vec.iov_len); in process_one_ticket()
260 xi->have_keys |= th->service; in process_one_ticket()
264 ret = -EINVAL; in process_one_ticket()
280 return -EINVAL; in ceph_x_proc_ticket_reply()
283 dout("%d tickets\n", num); in ceph_x_proc_ticket_reply()
285 while (num--) { in ceph_x_proc_ticket_reply()
294 return -EINVAL; in ceph_x_proc_ticket_reply()
310 msg_a = au->buf->vec.iov_base; in encrypt_authorizer()
311 WARN_ON(msg_a->ticket_blob.secret_id != cpu_to_le64(au->secret_id)); in encrypt_authorizer()
312 p = (void *)(msg_a + 1) + le32_to_cpu(msg_a->ticket_blob.blob_len); in encrypt_authorizer()
313 end = au->buf->vec.iov_base + au->buf->vec.iov_len; in encrypt_authorizer()
316 msg_b->struct_v = 2; in encrypt_authorizer()
317 msg_b->nonce = cpu_to_le64(au->nonce); in encrypt_authorizer()
319 msg_b->have_challenge = 1; in encrypt_authorizer()
320 msg_b->server_challenge_plus_one = in encrypt_authorizer()
323 msg_b->have_challenge = 0; in encrypt_authorizer()
324 msg_b->server_challenge_plus_one = 0; in encrypt_authorizer()
327 ret = ceph_x_encrypt(&au->session_key, p, end - p, sizeof(*msg_b)); in encrypt_authorizer()
336 au->buf->vec.iov_len = p - au->buf->vec.iov_base; in encrypt_authorizer()
344 ceph_crypto_key_destroy(&au->session_key); in ceph_x_authorizer_cleanup()
345 if (au->buf) { in ceph_x_authorizer_cleanup()
346 ceph_buffer_put(au->buf); in ceph_x_authorizer_cleanup()
347 au->buf = NULL; in ceph_x_authorizer_cleanup()
360 (th->ticket_blob ? th->ticket_blob->vec.iov_len : 0); in ceph_x_build_authorizer()
362 dout("build_authorizer for %s %p\n", in ceph_x_build_authorizer()
363 ceph_entity_type_name(th->service), au); in ceph_x_build_authorizer()
365 ceph_crypto_key_destroy(&au->session_key); in ceph_x_build_authorizer()
366 ret = ceph_crypto_key_clone(&au->session_key, &th->session_key); in ceph_x_build_authorizer()
372 dout(" need len %d\n", maxlen); in ceph_x_build_authorizer()
373 if (au->buf && au->buf->alloc_len < maxlen) { in ceph_x_build_authorizer()
374 ceph_buffer_put(au->buf); in ceph_x_build_authorizer()
375 au->buf = NULL; in ceph_x_build_authorizer()
377 if (!au->buf) { in ceph_x_build_authorizer()
378 au->buf = ceph_buffer_new(maxlen, GFP_NOFS); in ceph_x_build_authorizer()
379 if (!au->buf) { in ceph_x_build_authorizer()
380 ret = -ENOMEM; in ceph_x_build_authorizer()
384 au->service = th->service; in ceph_x_build_authorizer()
385 WARN_ON(!th->secret_id); in ceph_x_build_authorizer()
386 au->secret_id = th->secret_id; in ceph_x_build_authorizer()
388 msg_a = au->buf->vec.iov_base; in ceph_x_build_authorizer()
389 msg_a->struct_v = 1; in ceph_x_build_authorizer()
390 msg_a->global_id = cpu_to_le64(ac->global_id); in ceph_x_build_authorizer()
391 msg_a->service_id = cpu_to_le32(th->service); in ceph_x_build_authorizer()
392 msg_a->ticket_blob.struct_v = 1; in ceph_x_build_authorizer()
393 msg_a->ticket_blob.secret_id = cpu_to_le64(th->secret_id); in ceph_x_build_authorizer()
394 msg_a->ticket_blob.blob_len = cpu_to_le32(ticket_blob_len); in ceph_x_build_authorizer()
396 memcpy(msg_a->ticket_blob.blob, th->ticket_blob->vec.iov_base, in ceph_x_build_authorizer()
397 th->ticket_blob->vec.iov_len); in ceph_x_build_authorizer()
399 dout(" th %p secret_id %lld %lld\n", th, th->secret_id, in ceph_x_build_authorizer()
400 le64_to_cpu(msg_a->ticket_blob.secret_id)); in ceph_x_build_authorizer()
402 get_random_bytes(&au->nonce, sizeof(au->nonce)); in ceph_x_build_authorizer()
409 dout(" built authorizer nonce %llx len %d\n", au->nonce, in ceph_x_build_authorizer()
410 (int)au->buf->vec.iov_len); in ceph_x_build_authorizer()
423 ceph_encode_64(p, th->secret_id); in ceph_x_encode_ticket()
424 if (th->ticket_blob) { in ceph_x_encode_ticket()
425 const char *buf = th->ticket_blob->vec.iov_base; in ceph_x_encode_ticket()
426 u32 len = th->ticket_blob->vec.iov_len; in ceph_x_encode_ticket()
436 return -ERANGE; in ceph_x_encode_ticket()
441 if (!th->have_key) in need_key()
444 return ktime_get_real_seconds() >= th->renew_after; in need_key()
449 if (th->have_key && ktime_get_real_seconds() >= th->expires) { in have_key()
450 dout("ticket %d (%s) secret_id %llu expired\n", th->service, in have_key()
451 ceph_entity_type_name(th->service), th->secret_id); in have_key()
452 th->have_key = false; in have_key()
455 return th->have_key; in have_key()
460 int want = ac->want_keys; in ceph_x_validate_tickets()
461 struct ceph_x_info *xi = ac->private; in ceph_x_validate_tickets()
464 *pneed = ac->want_keys & ~(xi->have_keys); in ceph_x_validate_tickets()
469 if (!(ac->want_keys & service)) in ceph_x_validate_tickets()
484 xi->have_keys &= ~service; in ceph_x_validate_tickets()
491 struct ceph_x_info *xi = ac->private; in ceph_x_build_request()
503 dout("%s want 0x%x have 0x%x need 0x%x\n", __func__, ac->want_keys, in ceph_x_build_request()
504 xi->have_keys, need); in ceph_x_build_request()
508 void *enc_buf = xi->auth_authorizer.enc_buf; in ceph_x_build_request()
515 return -ERANGE; in ceph_x_build_request()
517 dout(" get_auth_session_key\n"); in ceph_x_build_request()
518 head->op = cpu_to_le16(CEPHX_GET_AUTH_SESSION_KEY); in ceph_x_build_request()
521 get_random_bytes(&auth->client_challenge, sizeof(u64)); in ceph_x_build_request()
522 blob->client_challenge = auth->client_challenge; in ceph_x_build_request()
523 blob->server_challenge = cpu_to_le64(xi->server_challenge); in ceph_x_build_request()
524 ret = ceph_x_encrypt(&xi->secret, enc_buf, CEPHX_AU_ENC_BUF_LEN, in ceph_x_build_request()
529 auth->struct_v = 3; /* nautilus+ */ in ceph_x_build_request()
530 auth->key = 0; in ceph_x_build_request()
532 auth->key ^= *(__le64 *)u; in ceph_x_build_request()
533 dout(" server_challenge %llx client_challenge %llx key %llx\n", in ceph_x_build_request()
534 xi->server_challenge, le64_to_cpu(auth->client_challenge), in ceph_x_build_request()
535 le64_to_cpu(auth->key)); in ceph_x_build_request()
543 need = ac->want_keys & ~CEPH_ENTITY_TYPE_AUTH; in ceph_x_build_request()
546 return p - buf; in ceph_x_build_request()
550 dout(" get_principal_session_key\n"); in ceph_x_build_request()
551 ret = ceph_x_build_authorizer(ac, th, &xi->auth_authorizer); in ceph_x_build_request()
559 xi->auth_authorizer.buf->vec.iov_base, in ceph_x_build_request()
560 xi->auth_authorizer.buf->vec.iov_len, e_range); in ceph_x_build_request()
563 return p - buf; in ceph_x_build_request()
569 return -ERANGE; in ceph_x_build_request()
580 dout("%s len %d\n", __func__, len); in decode_con_secret()
597 return -EINVAL; in decode_con_secret()
605 struct ceph_x_info *xi = ac->private; in handle_auth_session_key()
612 ret = ceph_x_proc_ticket_reply(ac, &xi->secret, p, end); in handle_auth_session_key()
618 /* pre-nautilus (or didn't request service tickets!) */ in handle_auth_session_key()
628 memcpy(session_key, th->session_key.key, th->session_key.len); in handle_auth_session_key()
629 *session_key_len = th->session_key.len; in handle_auth_session_key()
634 dout("%s connection secret blob len %d\n", __func__, len); in handle_auth_session_key()
637 ret = ceph_x_decrypt(&th->session_key, p, *p + len); in handle_auth_session_key()
641 dout("%s decrypted %d bytes\n", __func__, ret); in handle_auth_session_key()
651 dout("%s service tickets blob len %d\n", __func__, len); in handle_auth_session_key()
653 ret = ceph_x_proc_ticket_reply(ac, &th->session_key, in handle_auth_session_key()
662 return -EINVAL; in handle_auth_session_key()
670 struct ceph_x_info *xi = ac->private; in ceph_x_handle_reply()
672 int len = end - buf; in ceph_x_handle_reply()
678 if (xi->starting) { in ceph_x_handle_reply()
683 return -EINVAL; in ceph_x_handle_reply()
684 xi->server_challenge = le64_to_cpu(sc->server_challenge); in ceph_x_handle_reply()
685 dout("handle_reply got server challenge %llx\n", in ceph_x_handle_reply()
686 xi->server_challenge); in ceph_x_handle_reply()
687 xi->starting = false; in ceph_x_handle_reply()
688 xi->have_keys &= ~CEPH_ENTITY_TYPE_AUTH; in ceph_x_handle_reply()
689 return -EAGAIN; in ceph_x_handle_reply()
695 dout("handle_reply op %d result %d\n", op, result); in ceph_x_handle_reply()
710 ret = ceph_x_proc_ticket_reply(ac, &th->session_key, &p, end); in ceph_x_handle_reply()
713 default: in ceph_x_handle_reply()
714 return -EINVAL; in ceph_x_handle_reply()
718 if (ac->want_keys == xi->have_keys) in ceph_x_handle_reply()
720 return -EAGAIN; in ceph_x_handle_reply()
723 return -EINVAL; in ceph_x_handle_reply()
748 return -ENOMEM; in ceph_x_create_authorizer()
750 au->base.destroy = ceph_x_destroy_authorizer; in ceph_x_create_authorizer()
758 auth->authorizer = (struct ceph_authorizer *) au; in ceph_x_create_authorizer()
759 auth->authorizer_buf = au->buf->vec.iov_base; in ceph_x_create_authorizer()
760 auth->authorizer_buf_len = au->buf->vec.iov_len; in ceph_x_create_authorizer()
761 auth->authorizer_reply_buf = au->enc_buf; in ceph_x_create_authorizer()
762 auth->authorizer_reply_buf_len = CEPHX_AU_ENC_BUF_LEN; in ceph_x_create_authorizer()
763 auth->sign_message = ac->ops->sign_message; in ceph_x_create_authorizer()
764 auth->check_message_signature = ac->ops->check_message_signature; in ceph_x_create_authorizer()
780 au = (struct ceph_x_authorizer *)auth->authorizer; in ceph_x_update_authorizer()
781 if (au->secret_id < th->secret_id) { in ceph_x_update_authorizer()
782 dout("ceph_x_update_authorizer service %u secret %llu < %llu\n", in ceph_x_update_authorizer()
783 au->service, au->secret_id, th->secret_id); in ceph_x_update_authorizer()
804 dout("%s decrypted %d bytes\n", __func__, ret); in decrypt_authorizer_challenge()
810 dout("%s server_challenge %llu\n", __func__, *server_challenge); in decrypt_authorizer_challenge()
814 return -EINVAL; in decrypt_authorizer_challenge()
825 ret = decrypt_authorizer_challenge(&au->session_key, challenge, in ceph_x_add_authorizer_challenge()
857 dout("%s decrypted %d bytes\n", __func__, ret); in decrypt_authorizer_reply()
862 dout("%s nonce_plus_one %llu\n", __func__, *nonce_plus_one); in decrypt_authorizer_reply()
872 return -EINVAL; in decrypt_authorizer_reply()
886 memcpy(session_key, au->session_key.key, au->session_key.len); in ceph_x_verify_authorizer_reply()
887 *session_key_len = au->session_key.len; in ceph_x_verify_authorizer_reply()
890 ret = decrypt_authorizer_reply(&au->session_key, &reply, in ceph_x_verify_authorizer_reply()
896 if (nonce_plus_one != au->nonce + 1) { in ceph_x_verify_authorizer_reply()
898 return -EPERM; in ceph_x_verify_authorizer_reply()
906 struct ceph_x_info *xi = ac->private; in ceph_x_reset()
908 dout("reset\n"); in ceph_x_reset()
909 xi->starting = true; in ceph_x_reset()
910 xi->server_challenge = 0; in ceph_x_reset()
915 struct ceph_x_info *xi = ac->private; in ceph_x_destroy()
918 dout("ceph_x_destroy %p\n", ac); in ceph_x_destroy()
919 ceph_crypto_key_destroy(&xi->secret); in ceph_x_destroy()
921 while ((p = rb_first(&xi->ticket_handlers)) != NULL) { in ceph_x_destroy()
927 ceph_x_authorizer_cleanup(&xi->auth_authorizer); in ceph_x_destroy()
929 kfree(ac->private); in ceph_x_destroy()
930 ac->private = NULL; in ceph_x_destroy()
941 if (th->have_key) { in invalidate_ticket()
942 dout("ticket %d (%s) secret_id %llu invalidated\n", in invalidate_ticket()
943 th->service, ceph_entity_type_name(th->service), in invalidate_ticket()
944 th->secret_id); in invalidate_ticket()
945 th->have_key = false; in invalidate_ticket()
965 void *enc_buf = au->enc_buf; in calc_signature()
968 if (!CEPH_HAVE_FEATURE(msg->con->peer_features, CEPHX_V2)) { in calc_signature()
977 sigblock->len = cpu_to_le32(4*sizeof(u32)); in calc_signature()
978 sigblock->header_crc = msg->hdr.crc; in calc_signature()
979 sigblock->front_crc = msg->footer.front_crc; in calc_signature()
980 sigblock->middle_crc = msg->footer.middle_crc; in calc_signature()
981 sigblock->data_crc = msg->footer.data_crc; in calc_signature()
983 ret = ceph_x_encrypt(&au->session_key, enc_buf, in calc_signature()
1005 sigblock->header_crc = msg->hdr.crc; in calc_signature()
1006 sigblock->front_crc = msg->footer.front_crc; in calc_signature()
1007 sigblock->front_len = msg->hdr.front_len; in calc_signature()
1008 sigblock->middle_crc = msg->footer.middle_crc; in calc_signature()
1009 sigblock->middle_len = msg->hdr.middle_len; in calc_signature()
1010 sigblock->data_crc = msg->footer.data_crc; in calc_signature()
1011 sigblock->data_len = msg->hdr.data_len; in calc_signature()
1012 sigblock->seq_lower_word = *(__le32 *)&msg->hdr.seq; in calc_signature()
1015 ret = ceph_crypt(&au->session_key, true, enc_buf, in calc_signature()
1021 *psig = penc->a ^ penc->b ^ penc->c ^ penc->d; in calc_signature()
1033 if (ceph_test_opt(from_msgr(msg->con->msgr), NOMSGSIGN)) in ceph_x_sign_message()
1036 ret = calc_signature((struct ceph_x_authorizer *)auth->authorizer, in ceph_x_sign_message()
1041 msg->footer.sig = sig; in ceph_x_sign_message()
1042 msg->footer.flags |= CEPH_MSG_FOOTER_SIGNED; in ceph_x_sign_message()
1052 if (ceph_test_opt(from_msgr(msg->con->msgr), NOMSGSIGN)) in ceph_x_check_message_signature()
1055 ret = calc_signature((struct ceph_x_authorizer *)auth->authorizer, in ceph_x_check_message_signature()
1059 if (sig_check == msg->footer.sig) in ceph_x_check_message_signature()
1061 if (msg->footer.flags & CEPH_MSG_FOOTER_SIGNED) in ceph_x_check_message_signature()
1062 dout("ceph_x_check_message_signature %p has signature %llx " in ceph_x_check_message_signature()
1063 "expect %llx\n", msg, msg->footer.sig, sig_check); in ceph_x_check_message_signature()
1065 dout("ceph_x_check_message_signature %p sender did not set " in ceph_x_check_message_signature()
1067 return -EBADMSG; in ceph_x_check_message_signature()
1092 dout("ceph_x_init %p\n", ac); in ceph_x_init()
1093 ret = -ENOMEM; in ceph_x_init()
1098 ret = -EINVAL; in ceph_x_init()
1099 if (!ac->key) { in ceph_x_init()
1104 ret = ceph_crypto_key_clone(&xi->secret, ac->key); in ceph_x_init()
1110 xi->starting = true; in ceph_x_init()
1111 xi->ticket_handlers = RB_ROOT; in ceph_x_init()
1113 ac->protocol = CEPH_AUTH_CEPHX; in ceph_x_init()
1114 ac->private = xi; in ceph_x_init()
1115 ac->ops = &ceph_x_ops; in ceph_x_init()