1 // SPDX-License-Identifier: GPL-2.0 2 #include <linux/ceph/ceph_debug.h> 3 4 #include <linux/module.h> 5 #include <linux/err.h> 6 #include <linux/slab.h> 7 8 #include <linux/ceph/types.h> 9 #include <linux/ceph/decode.h> 10 #include <linux/ceph/libceph.h> 11 #include <linux/ceph/messenger.h> 12 #include "auth_none.h" 13 #include "auth_x.h" 14 15 16 /* 17 * get protocol handler 18 */ 19 static u32 supported_protocols[] = { 20 CEPH_AUTH_NONE, 21 CEPH_AUTH_CEPHX 22 }; 23 24 static int init_protocol(struct ceph_auth_client *ac, int proto) 25 { 26 dout("%s proto %d\n", __func__, proto); 27 28 switch (proto) { 29 case CEPH_AUTH_NONE: 30 return ceph_auth_none_init(ac); 31 case CEPH_AUTH_CEPHX: 32 return ceph_x_init(ac); 33 default: 34 pr_err("bad auth protocol %d\n", proto); 35 return -EINVAL; 36 } 37 } 38 39 /* 40 * setup, teardown. 41 */ 42 struct ceph_auth_client *ceph_auth_init(const char *name, 43 const struct ceph_crypto_key *key, 44 const int *con_modes) 45 { 46 struct ceph_auth_client *ac; 47 int ret; 48 49 ret = -ENOMEM; 50 ac = kzalloc(sizeof(*ac), GFP_NOFS); 51 if (!ac) 52 goto out; 53 54 mutex_init(&ac->mutex); 55 ac->negotiating = true; 56 if (name) 57 ac->name = name; 58 else 59 ac->name = CEPH_AUTH_NAME_DEFAULT; 60 ac->key = key; 61 ac->preferred_mode = con_modes[0]; 62 ac->fallback_mode = con_modes[1]; 63 64 dout("%s name '%s' preferred_mode %d fallback_mode %d\n", __func__, 65 ac->name, ac->preferred_mode, ac->fallback_mode); 66 return ac; 67 68 out: 69 return ERR_PTR(ret); 70 } 71 72 void ceph_auth_destroy(struct ceph_auth_client *ac) 73 { 74 dout("auth_destroy %p\n", ac); 75 if (ac->ops) 76 ac->ops->destroy(ac); 77 kfree(ac); 78 } 79 80 /* 81 * Reset occurs when reconnecting to the monitor. 82 */ 83 void ceph_auth_reset(struct ceph_auth_client *ac) 84 { 85 mutex_lock(&ac->mutex); 86 dout("auth_reset %p\n", ac); 87 if (ac->ops && !ac->negotiating) 88 ac->ops->reset(ac); 89 ac->negotiating = true; 90 mutex_unlock(&ac->mutex); 91 } 92 93 /* 94 * EntityName, not to be confused with entity_name_t 95 */ 96 int ceph_auth_entity_name_encode(const char *name, void **p, void *end) 97 { 98 int len = strlen(name); 99 100 if (*p + 2*sizeof(u32) + len > end) 101 return -ERANGE; 102 ceph_encode_32(p, CEPH_ENTITY_TYPE_CLIENT); 103 ceph_encode_32(p, len); 104 ceph_encode_copy(p, name, len); 105 return 0; 106 } 107 108 /* 109 * Initiate protocol negotiation with monitor. Include entity name 110 * and list supported protocols. 111 */ 112 int ceph_auth_build_hello(struct ceph_auth_client *ac, void *buf, size_t len) 113 { 114 struct ceph_mon_request_header *monhdr = buf; 115 void *p = monhdr + 1, *end = buf + len, *lenp; 116 int i, num; 117 int ret; 118 119 mutex_lock(&ac->mutex); 120 dout("auth_build_hello\n"); 121 monhdr->have_version = 0; 122 monhdr->session_mon = cpu_to_le16(-1); 123 monhdr->session_mon_tid = 0; 124 125 ceph_encode_32(&p, CEPH_AUTH_UNKNOWN); /* no protocol, yet */ 126 127 lenp = p; 128 p += sizeof(u32); 129 130 ceph_decode_need(&p, end, 1 + sizeof(u32), bad); 131 ceph_encode_8(&p, 1); 132 num = ARRAY_SIZE(supported_protocols); 133 ceph_encode_32(&p, num); 134 ceph_decode_need(&p, end, num * sizeof(u32), bad); 135 for (i = 0; i < num; i++) 136 ceph_encode_32(&p, supported_protocols[i]); 137 138 ret = ceph_auth_entity_name_encode(ac->name, &p, end); 139 if (ret < 0) 140 goto out; 141 ceph_decode_need(&p, end, sizeof(u64), bad); 142 ceph_encode_64(&p, ac->global_id); 143 144 ceph_encode_32(&lenp, p - lenp - sizeof(u32)); 145 ret = p - buf; 146 out: 147 mutex_unlock(&ac->mutex); 148 return ret; 149 150 bad: 151 ret = -ERANGE; 152 goto out; 153 } 154 155 static int build_request(struct ceph_auth_client *ac, bool add_header, 156 void *buf, int buf_len) 157 { 158 void *end = buf + buf_len; 159 void *p; 160 int ret; 161 162 p = buf; 163 if (add_header) { 164 /* struct ceph_mon_request_header + protocol */ 165 ceph_encode_64_safe(&p, end, 0, e_range); 166 ceph_encode_16_safe(&p, end, -1, e_range); 167 ceph_encode_64_safe(&p, end, 0, e_range); 168 ceph_encode_32_safe(&p, end, ac->protocol, e_range); 169 } 170 171 ceph_encode_need(&p, end, sizeof(u32), e_range); 172 ret = ac->ops->build_request(ac, p + sizeof(u32), end); 173 if (ret < 0) { 174 pr_err("auth protocol '%s' building request failed: %d\n", 175 ceph_auth_proto_name(ac->protocol), ret); 176 return ret; 177 } 178 dout(" built request %d bytes\n", ret); 179 ceph_encode_32(&p, ret); 180 return p + ret - buf; 181 182 e_range: 183 return -ERANGE; 184 } 185 186 /* 187 * Handle auth message from monitor. 188 */ 189 int ceph_handle_auth_reply(struct ceph_auth_client *ac, 190 void *buf, size_t len, 191 void *reply_buf, size_t reply_len) 192 { 193 void *p = buf; 194 void *end = buf + len; 195 int protocol; 196 s32 result; 197 u64 global_id; 198 void *payload, *payload_end; 199 int payload_len; 200 char *result_msg; 201 int result_msg_len; 202 int ret = -EINVAL; 203 204 mutex_lock(&ac->mutex); 205 dout("handle_auth_reply %p %p\n", p, end); 206 ceph_decode_need(&p, end, sizeof(u32) * 3 + sizeof(u64), bad); 207 protocol = ceph_decode_32(&p); 208 result = ceph_decode_32(&p); 209 global_id = ceph_decode_64(&p); 210 payload_len = ceph_decode_32(&p); 211 payload = p; 212 p += payload_len; 213 ceph_decode_need(&p, end, sizeof(u32), bad); 214 result_msg_len = ceph_decode_32(&p); 215 result_msg = p; 216 p += result_msg_len; 217 if (p != end) 218 goto bad; 219 220 dout(" result %d '%.*s' gid %llu len %d\n", result, result_msg_len, 221 result_msg, global_id, payload_len); 222 223 payload_end = payload + payload_len; 224 225 if (global_id && ac->global_id != global_id) { 226 dout(" set global_id %lld -> %lld\n", ac->global_id, global_id); 227 ac->global_id = global_id; 228 } 229 230 if (ac->negotiating) { 231 /* server does not support our protocols? */ 232 if (!protocol && result < 0) { 233 ret = result; 234 goto out; 235 } 236 /* set up (new) protocol handler? */ 237 if (ac->protocol && ac->protocol != protocol) { 238 ac->ops->destroy(ac); 239 ac->protocol = 0; 240 ac->ops = NULL; 241 } 242 if (ac->protocol != protocol) { 243 ret = init_protocol(ac, protocol); 244 if (ret) { 245 pr_err("auth protocol '%s' init failed: %d\n", 246 ceph_auth_proto_name(protocol), ret); 247 goto out; 248 } 249 } 250 251 ac->negotiating = false; 252 } 253 254 ret = ac->ops->handle_reply(ac, result, payload, payload_end, 255 NULL, NULL, NULL, NULL); 256 if (ret == -EAGAIN) 257 ret = build_request(ac, true, reply_buf, reply_len); 258 else if (ret) 259 pr_err("auth protocol '%s' mauth authentication failed: %d\n", 260 ceph_auth_proto_name(ac->protocol), result); 261 262 out: 263 mutex_unlock(&ac->mutex); 264 return ret; 265 266 bad: 267 pr_err("failed to decode auth msg\n"); 268 ret = -EINVAL; 269 goto out; 270 } 271 272 int ceph_build_auth(struct ceph_auth_client *ac, 273 void *msg_buf, size_t msg_len) 274 { 275 int ret = 0; 276 277 mutex_lock(&ac->mutex); 278 if (ac->ops->should_authenticate(ac)) 279 ret = build_request(ac, true, msg_buf, msg_len); 280 mutex_unlock(&ac->mutex); 281 return ret; 282 } 283 284 int ceph_auth_is_authenticated(struct ceph_auth_client *ac) 285 { 286 int ret = 0; 287 288 mutex_lock(&ac->mutex); 289 if (ac->ops) 290 ret = ac->ops->is_authenticated(ac); 291 mutex_unlock(&ac->mutex); 292 return ret; 293 } 294 EXPORT_SYMBOL(ceph_auth_is_authenticated); 295 296 int __ceph_auth_get_authorizer(struct ceph_auth_client *ac, 297 struct ceph_auth_handshake *auth, 298 int peer_type, bool force_new, 299 int *proto, int *pref_mode, int *fallb_mode) 300 { 301 int ret; 302 303 mutex_lock(&ac->mutex); 304 if (force_new && auth->authorizer) { 305 ceph_auth_destroy_authorizer(auth->authorizer); 306 auth->authorizer = NULL; 307 } 308 if (!auth->authorizer) 309 ret = ac->ops->create_authorizer(ac, peer_type, auth); 310 else if (ac->ops->update_authorizer) 311 ret = ac->ops->update_authorizer(ac, peer_type, auth); 312 else 313 ret = 0; 314 if (ret) 315 goto out; 316 317 *proto = ac->protocol; 318 if (pref_mode && fallb_mode) { 319 *pref_mode = ac->preferred_mode; 320 *fallb_mode = ac->fallback_mode; 321 } 322 323 out: 324 mutex_unlock(&ac->mutex); 325 return ret; 326 } 327 EXPORT_SYMBOL(__ceph_auth_get_authorizer); 328 329 int ceph_auth_create_authorizer(struct ceph_auth_client *ac, 330 int peer_type, 331 struct ceph_auth_handshake *auth) 332 { 333 int ret = 0; 334 335 mutex_lock(&ac->mutex); 336 if (ac->ops && ac->ops->create_authorizer) 337 ret = ac->ops->create_authorizer(ac, peer_type, auth); 338 mutex_unlock(&ac->mutex); 339 return ret; 340 } 341 EXPORT_SYMBOL(ceph_auth_create_authorizer); 342 343 void ceph_auth_destroy_authorizer(struct ceph_authorizer *a) 344 { 345 a->destroy(a); 346 } 347 EXPORT_SYMBOL(ceph_auth_destroy_authorizer); 348 349 int ceph_auth_update_authorizer(struct ceph_auth_client *ac, 350 int peer_type, 351 struct ceph_auth_handshake *a) 352 { 353 int ret = 0; 354 355 mutex_lock(&ac->mutex); 356 if (ac->ops && ac->ops->update_authorizer) 357 ret = ac->ops->update_authorizer(ac, peer_type, a); 358 mutex_unlock(&ac->mutex); 359 return ret; 360 } 361 EXPORT_SYMBOL(ceph_auth_update_authorizer); 362 363 int ceph_auth_add_authorizer_challenge(struct ceph_auth_client *ac, 364 struct ceph_authorizer *a, 365 void *challenge_buf, 366 int challenge_buf_len) 367 { 368 int ret = 0; 369 370 mutex_lock(&ac->mutex); 371 if (ac->ops && ac->ops->add_authorizer_challenge) 372 ret = ac->ops->add_authorizer_challenge(ac, a, challenge_buf, 373 challenge_buf_len); 374 mutex_unlock(&ac->mutex); 375 return ret; 376 } 377 EXPORT_SYMBOL(ceph_auth_add_authorizer_challenge); 378 379 int ceph_auth_verify_authorizer_reply(struct ceph_auth_client *ac, 380 struct ceph_authorizer *a, 381 void *reply, int reply_len, 382 u8 *session_key, int *session_key_len, 383 u8 *con_secret, int *con_secret_len) 384 { 385 int ret = 0; 386 387 mutex_lock(&ac->mutex); 388 if (ac->ops && ac->ops->verify_authorizer_reply) 389 ret = ac->ops->verify_authorizer_reply(ac, a, 390 reply, reply_len, session_key, session_key_len, 391 con_secret, con_secret_len); 392 mutex_unlock(&ac->mutex); 393 return ret; 394 } 395 EXPORT_SYMBOL(ceph_auth_verify_authorizer_reply); 396 397 void ceph_auth_invalidate_authorizer(struct ceph_auth_client *ac, int peer_type) 398 { 399 mutex_lock(&ac->mutex); 400 if (ac->ops && ac->ops->invalidate_authorizer) 401 ac->ops->invalidate_authorizer(ac, peer_type); 402 mutex_unlock(&ac->mutex); 403 } 404 EXPORT_SYMBOL(ceph_auth_invalidate_authorizer); 405 406 /* 407 * msgr2 authentication 408 */ 409 410 static bool contains(const int *arr, int cnt, int val) 411 { 412 int i; 413 414 for (i = 0; i < cnt; i++) { 415 if (arr[i] == val) 416 return true; 417 } 418 419 return false; 420 } 421 422 static int encode_con_modes(void **p, void *end, int pref_mode, int fallb_mode) 423 { 424 WARN_ON(pref_mode == CEPH_CON_MODE_UNKNOWN); 425 if (fallb_mode != CEPH_CON_MODE_UNKNOWN) { 426 ceph_encode_32_safe(p, end, 2, e_range); 427 ceph_encode_32_safe(p, end, pref_mode, e_range); 428 ceph_encode_32_safe(p, end, fallb_mode, e_range); 429 } else { 430 ceph_encode_32_safe(p, end, 1, e_range); 431 ceph_encode_32_safe(p, end, pref_mode, e_range); 432 } 433 434 return 0; 435 436 e_range: 437 return -ERANGE; 438 } 439 440 /* 441 * Similar to ceph_auth_build_hello(). 442 */ 443 int ceph_auth_get_request(struct ceph_auth_client *ac, void *buf, int buf_len) 444 { 445 int proto = ac->key ? CEPH_AUTH_CEPHX : CEPH_AUTH_NONE; 446 void *end = buf + buf_len; 447 void *lenp; 448 void *p; 449 int ret; 450 451 mutex_lock(&ac->mutex); 452 if (ac->protocol == CEPH_AUTH_UNKNOWN) { 453 ret = init_protocol(ac, proto); 454 if (ret) { 455 pr_err("auth protocol '%s' init failed: %d\n", 456 ceph_auth_proto_name(proto), ret); 457 goto out; 458 } 459 } else { 460 WARN_ON(ac->protocol != proto); 461 ac->ops->reset(ac); 462 } 463 464 p = buf; 465 ceph_encode_32_safe(&p, end, ac->protocol, e_range); 466 ret = encode_con_modes(&p, end, ac->preferred_mode, ac->fallback_mode); 467 if (ret) 468 goto out; 469 470 lenp = p; 471 p += 4; /* space for len */ 472 473 ceph_encode_8_safe(&p, end, CEPH_AUTH_MODE_MON, e_range); 474 ret = ceph_auth_entity_name_encode(ac->name, &p, end); 475 if (ret) 476 goto out; 477 478 ceph_encode_64_safe(&p, end, ac->global_id, e_range); 479 ceph_encode_32(&lenp, p - lenp - 4); 480 ret = p - buf; 481 482 out: 483 mutex_unlock(&ac->mutex); 484 return ret; 485 486 e_range: 487 ret = -ERANGE; 488 goto out; 489 } 490 491 int ceph_auth_handle_reply_more(struct ceph_auth_client *ac, void *reply, 492 int reply_len, void *buf, int buf_len) 493 { 494 int ret; 495 496 mutex_lock(&ac->mutex); 497 ret = ac->ops->handle_reply(ac, 0, reply, reply + reply_len, 498 NULL, NULL, NULL, NULL); 499 if (ret == -EAGAIN) 500 ret = build_request(ac, false, buf, buf_len); 501 else 502 WARN_ON(ret >= 0); 503 mutex_unlock(&ac->mutex); 504 return ret; 505 } 506 507 int ceph_auth_handle_reply_done(struct ceph_auth_client *ac, 508 u64 global_id, void *reply, int reply_len, 509 u8 *session_key, int *session_key_len, 510 u8 *con_secret, int *con_secret_len) 511 { 512 int ret; 513 514 mutex_lock(&ac->mutex); 515 if (global_id && ac->global_id != global_id) { 516 dout("%s global_id %llu -> %llu\n", __func__, ac->global_id, 517 global_id); 518 ac->global_id = global_id; 519 } 520 521 ret = ac->ops->handle_reply(ac, 0, reply, reply + reply_len, 522 session_key, session_key_len, 523 con_secret, con_secret_len); 524 mutex_unlock(&ac->mutex); 525 return ret; 526 } 527 528 bool ceph_auth_handle_bad_method(struct ceph_auth_client *ac, 529 int used_proto, int result, 530 const int *allowed_protos, int proto_cnt, 531 const int *allowed_modes, int mode_cnt) 532 { 533 mutex_lock(&ac->mutex); 534 WARN_ON(used_proto != ac->protocol); 535 536 if (result == -EOPNOTSUPP) { 537 if (!contains(allowed_protos, proto_cnt, ac->protocol)) { 538 pr_err("auth protocol '%s' not allowed\n", 539 ceph_auth_proto_name(ac->protocol)); 540 goto not_allowed; 541 } 542 if (!contains(allowed_modes, mode_cnt, ac->preferred_mode) && 543 (ac->fallback_mode == CEPH_CON_MODE_UNKNOWN || 544 !contains(allowed_modes, mode_cnt, ac->fallback_mode))) { 545 pr_err("preferred mode '%s' not allowed\n", 546 ceph_con_mode_name(ac->preferred_mode)); 547 if (ac->fallback_mode == CEPH_CON_MODE_UNKNOWN) 548 pr_err("no fallback mode\n"); 549 else 550 pr_err("fallback mode '%s' not allowed\n", 551 ceph_con_mode_name(ac->fallback_mode)); 552 goto not_allowed; 553 } 554 } 555 556 WARN_ON(result == -EOPNOTSUPP || result >= 0); 557 pr_err("auth protocol '%s' msgr authentication failed: %d\n", 558 ceph_auth_proto_name(ac->protocol), result); 559 560 mutex_unlock(&ac->mutex); 561 return true; 562 563 not_allowed: 564 mutex_unlock(&ac->mutex); 565 return false; 566 } 567 568 int ceph_auth_get_authorizer(struct ceph_auth_client *ac, 569 struct ceph_auth_handshake *auth, 570 int peer_type, void *buf, int *buf_len) 571 { 572 void *end = buf + *buf_len; 573 int pref_mode, fallb_mode; 574 int proto; 575 void *p; 576 int ret; 577 578 ret = __ceph_auth_get_authorizer(ac, auth, peer_type, true, &proto, 579 &pref_mode, &fallb_mode); 580 if (ret) 581 return ret; 582 583 p = buf; 584 ceph_encode_32_safe(&p, end, proto, e_range); 585 ret = encode_con_modes(&p, end, pref_mode, fallb_mode); 586 if (ret) 587 return ret; 588 589 ceph_encode_32_safe(&p, end, auth->authorizer_buf_len, e_range); 590 *buf_len = p - buf; 591 return 0; 592 593 e_range: 594 return -ERANGE; 595 } 596 EXPORT_SYMBOL(ceph_auth_get_authorizer); 597 598 int ceph_auth_handle_svc_reply_more(struct ceph_auth_client *ac, 599 struct ceph_auth_handshake *auth, 600 void *reply, int reply_len, 601 void *buf, int *buf_len) 602 { 603 void *end = buf + *buf_len; 604 void *p; 605 int ret; 606 607 ret = ceph_auth_add_authorizer_challenge(ac, auth->authorizer, 608 reply, reply_len); 609 if (ret) 610 return ret; 611 612 p = buf; 613 ceph_encode_32_safe(&p, end, auth->authorizer_buf_len, e_range); 614 *buf_len = p - buf; 615 return 0; 616 617 e_range: 618 return -ERANGE; 619 } 620 EXPORT_SYMBOL(ceph_auth_handle_svc_reply_more); 621 622 int ceph_auth_handle_svc_reply_done(struct ceph_auth_client *ac, 623 struct ceph_auth_handshake *auth, 624 void *reply, int reply_len, 625 u8 *session_key, int *session_key_len, 626 u8 *con_secret, int *con_secret_len) 627 { 628 return ceph_auth_verify_authorizer_reply(ac, auth->authorizer, 629 reply, reply_len, session_key, session_key_len, 630 con_secret, con_secret_len); 631 } 632 EXPORT_SYMBOL(ceph_auth_handle_svc_reply_done); 633 634 bool ceph_auth_handle_bad_authorizer(struct ceph_auth_client *ac, 635 int peer_type, int used_proto, int result, 636 const int *allowed_protos, int proto_cnt, 637 const int *allowed_modes, int mode_cnt) 638 { 639 mutex_lock(&ac->mutex); 640 WARN_ON(used_proto != ac->protocol); 641 642 if (result == -EOPNOTSUPP) { 643 if (!contains(allowed_protos, proto_cnt, ac->protocol)) { 644 pr_err("auth protocol '%s' not allowed by %s\n", 645 ceph_auth_proto_name(ac->protocol), 646 ceph_entity_type_name(peer_type)); 647 goto not_allowed; 648 } 649 if (!contains(allowed_modes, mode_cnt, ac->preferred_mode) && 650 (ac->fallback_mode == CEPH_CON_MODE_UNKNOWN || 651 !contains(allowed_modes, mode_cnt, ac->fallback_mode))) { 652 pr_err("preferred mode '%s' not allowed by %s\n", 653 ceph_con_mode_name(ac->preferred_mode), 654 ceph_entity_type_name(peer_type)); 655 if (ac->fallback_mode == CEPH_CON_MODE_UNKNOWN) 656 pr_err("no fallback mode\n"); 657 else 658 pr_err("fallback mode '%s' not allowed by %s\n", 659 ceph_con_mode_name(ac->fallback_mode), 660 ceph_entity_type_name(peer_type)); 661 goto not_allowed; 662 } 663 } 664 665 WARN_ON(result == -EOPNOTSUPP || result >= 0); 666 pr_err("auth protocol '%s' authorization to %s failed: %d\n", 667 ceph_auth_proto_name(ac->protocol), 668 ceph_entity_type_name(peer_type), result); 669 670 if (ac->ops->invalidate_authorizer) 671 ac->ops->invalidate_authorizer(ac, peer_type); 672 673 mutex_unlock(&ac->mutex); 674 return true; 675 676 not_allowed: 677 mutex_unlock(&ac->mutex); 678 return false; 679 } 680 EXPORT_SYMBOL(ceph_auth_handle_bad_authorizer); 681