/* SPDX-License-Identifier: GPL-2.0 */
#ifndef __FS_CEPH_AUTH_X_PROTOCOL
#define __FS_CEPH_AUTH_X_PROTOCOL

/*
 * Wire-format definitions for the cephx authentication protocol.
 *
 * Every struct in this header is declared packed and uses explicitly
 * little-endian (__le*) fields because it is copied directly to and
 * from the wire: no host padding or host byte order may leak into it.
 * Nothing here validates anything.  Every length and count below is
 * peer-supplied, so the decoder must check it against the remaining
 * message size before reading the bytes it describes; the structs only
 * name the fixed leading part of each message.
 */

/*
 * Request types.  The values are distinct bits (0x0100, 0x0200, 0x0400),
 * so they can presumably be OR-ed together, e.g. in
 * ceph_x_service_ticket_request.keys -- confirm against the encoder.
 */
#define CEPHX_GET_AUTH_SESSION_KEY      0x0100
#define CEPHX_GET_PRINCIPAL_SESSION_KEY 0x0200
#define CEPHX_GET_ROTATING_KEY          0x0400

/*
 * Key usage identifiers.  Each value names one distinct purpose for
 * which a key is used in the protocol; the comment above each constant
 * says which key encrypts the payload in question.  Keeping the
 * purposes distinct is what prevents a ciphertext produced for one
 * purpose from being replayed as another -- presumably the value is
 * bound into the encryption (key derivation or header) by the callers
 * in the cephx code; verify there.
 */

/* Client <-> AuthMonitor */
/*
 * The AUTH session's connection secret: encrypted with the AUTH
 * ticket session key
 */
#define CEPHX_KEY_USAGE_AUTH_CONNECTION_SECRET  0x03
/*
 * The ticket's blob for the client ("blob for me", contains the
 * session key): encrypted with the client's secret key in case of
 * the AUTH ticket and the AUTH ticket session key in case of other
 * service tickets
 */
#define CEPHX_KEY_USAGE_TICKET_SESSION_KEY      0x04
/*
 * The ticket's blob for the service (ceph_x_ticket_blob): possibly
 * encrypted with the old AUTH ticket session key in case of the AUTH
 * ticket and not encrypted in case of other service tickets
 */
#define CEPHX_KEY_USAGE_TICKET_BLOB             0x05

/* Client <-> Service */
/*
 * The client's authorization request (ceph_x_authorize_b):
 * encrypted with the service ticket session key
 */
#define CEPHX_KEY_USAGE_AUTHORIZE               0x10
/*
 * The service's challenge (ceph_x_authorize_challenge):
 * encrypted with the service ticket session key
 */
#define CEPHX_KEY_USAGE_AUTHORIZE_CHALLENGE     0x11
/*
 * The service's final reply (ceph_x_authorize_reply + the service
 * session's connection secret): encrypted with the service ticket
 * session key
 */
#define CEPHX_KEY_USAGE_AUTHORIZE_REPLY         0x12

/* common bits */

/*
 * Opaque ticket handed to a service.  The struct is variable-length:
 * blob[] is a flexible array member, so sizeof() covers only the fixed
 * header.  blob_len is presumably the number of bytes that follow in
 * blob[]; it comes from the peer and must be bounds-checked against
 * the enclosing buffer before blob[] is touched.  secret_id identifies
 * which secret the service should use to decrypt the blob (inferred
 * from the name -- confirm in the decoder).
 */
struct ceph_x_ticket_blob {
	__u8 struct_v;		/* encoding version of this struct */
	__le64 secret_id;
	__le32 blob_len;
	char blob[];
} __attribute__ ((packed));


/* common request/reply headers */

/* Leading header of every request; op is presumably one of CEPHX_GET_*. */
struct ceph_x_request_header {
	__le16 op;
} __attribute__ ((packed));

/* Leading header of every reply; result is the server's status code. */
struct ceph_x_reply_header {
	__le16 op;
	__le32 result;
} __attribute__ ((packed));


/* authenticate handshake */

/* initial hello (no reply header) */
/* Server-chosen challenge sent before any request header is exchanged. */
struct ceph_x_server_challenge {
	__u8 struct_v;
	__le64 server_challenge;
} __attribute__ ((packed));

/*
 * Fixed part of the client's authenticate request.  The two comments
 * inside the struct mark variable-length data that follows the fixed
 * fields on the wire and is encoded separately; this struct does not
 * cover it.
 */
struct ceph_x_authenticate {
	__u8 struct_v;
	__le64 client_challenge;	/* client-chosen challenge value */
	__le64 key;
	/* old_ticket blob */
	/* nautilus+: other_keys */
} __attribute__ ((packed));

/* Request for service tickets; keys presumably holds OR-ed CEPHX_GET_* bits. */
struct ceph_x_service_ticket_request {
	__u8 struct_v;
	__le32 keys;
} __attribute__ ((packed));

/*
 * Both challenges side by side; this is the data over which the
 * authenticate proof is computed (how it is hashed/encrypted is not
 * defined here -- see the cephx code).
 */
struct ceph_x_challenge_blob {
	__le64 server_challenge;
	__le64 client_challenge;
} __attribute__ ((packed));



/* authorize handshake */

/*
 * The authorizer consists of two pieces:
 *  a - service id, ticket blob
 *  b - encrypted with session key
 */
/*
 * Piece "a" is sent in the clear.  Because ticket_blob ends in a
 * flexible array member, this struct is itself variable-length (a GNU
 * extension); ticket_blob must therefore be the last member, and
 * ticket_blob.blob_len must be validated before the trailing bytes
 * are read.
 */
struct ceph_x_authorize_a {
	__u8 struct_v;
	__le64 global_id;
	__le32 service_id;
	struct ceph_x_ticket_blob ticket_blob;
} __attribute__ ((packed));

/*
 * Piece "b" (encrypted, see CEPHX_KEY_USAGE_AUTHORIZE).  nonce is
 * echoed back as nonce_plus_one in ceph_x_authorize_reply.
 * server_challenge_plus_one is presumably only meaningful when
 * have_challenge is non-zero -- confirm against the encoder.
 */
struct ceph_x_authorize_b {
	__u8 struct_v;
	__le64 nonce;
	__u8 have_challenge;
	__le64 server_challenge_plus_one;
} __attribute__ ((packed));

/* Service-side challenge (encrypted, see CEPHX_KEY_USAGE_AUTHORIZE_CHALLENGE). */
struct ceph_x_authorize_challenge {
	__u8 struct_v;
	__le64 server_challenge;
} __attribute__ ((packed));

/*
 * Final reply (encrypted, see CEPHX_KEY_USAGE_AUTHORIZE_REPLY).
 * nonce_plus_one proves the service could decrypt piece "b".
 */
struct ceph_x_authorize_reply {
	__u8 struct_v;
	__le64 nonce_plus_one;
} __attribute__ ((packed));


/*
 * encryption bundle
 */
/*
 * Fixed value stored in ceph_x_encrypt_header.magic at the start of
 * every encrypted payload.  Comparing it after decryption detects a
 * wrong key or garbled ciphertext; being a known constant, it is a
 * sanity check only and provides no integrity protection on its own.
 * How a mismatch is treated is decided by the decoder, not here.
 */
#define CEPHX_ENC_MAGIC 0xff009cad8826aa55ull

/* Plaintext prefix of every encrypted payload; magic is CEPHX_ENC_MAGIC. */
struct ceph_x_encrypt_header {
	__u8 struct_v;
	__le64 magic;
} __attribute__ ((packed));

#endif