Commit 8323c3aa authored by Tommi Virtanen's avatar Tommi Virtanen Committed by Sage Weil

ceph: Move secret key parsing earlier.

This makes the base64 logic be contained in mount option parsing,
and prepares us for replacing the homebew key management with the
kernel key retention service.
Signed-off-by: default avatarTommi Virtanen <tommi.virtanen@dreamhost.com>
Signed-off-by: default avatarSage Weil <sage@newdream.net>
parent fbdb9190
...@@ -353,7 +353,7 @@ static int ceph_show_options(struct seq_file *m, struct vfsmount *mnt) ...@@ -353,7 +353,7 @@ static int ceph_show_options(struct seq_file *m, struct vfsmount *mnt)
if (opt->name) if (opt->name)
seq_printf(m, ",name=%s", opt->name); seq_printf(m, ",name=%s", opt->name);
if (opt->secret) if (opt->key)
seq_puts(m, ",secret=<hidden>"); seq_puts(m, ",secret=<hidden>");
if (opt->mount_timeout != CEPH_MOUNT_TIMEOUT_DEFAULT) if (opt->mount_timeout != CEPH_MOUNT_TIMEOUT_DEFAULT)
......
...@@ -67,12 +67,12 @@ struct ceph_auth_client { ...@@ -67,12 +67,12 @@ struct ceph_auth_client {
bool negotiating; /* true if negotiating protocol */ bool negotiating; /* true if negotiating protocol */
const char *name; /* entity name */ const char *name; /* entity name */
u64 global_id; /* our unique id in system */ u64 global_id; /* our unique id in system */
const char *secret; /* our secret key */ const struct ceph_crypto_key *key; /* our secret key */
unsigned want_keys; /* which services we want */ unsigned want_keys; /* which services we want */
}; };
extern struct ceph_auth_client *ceph_auth_init(const char *name, extern struct ceph_auth_client *ceph_auth_init(const char *name,
const char *secret); const struct ceph_crypto_key *key);
extern void ceph_auth_destroy(struct ceph_auth_client *ac); extern void ceph_auth_destroy(struct ceph_auth_client *ac);
extern void ceph_auth_reset(struct ceph_auth_client *ac); extern void ceph_auth_reset(struct ceph_auth_client *ac);
......
...@@ -61,7 +61,7 @@ struct ceph_options { ...@@ -61,7 +61,7 @@ struct ceph_options {
pointer type of args */ pointer type of args */
int num_mon; int num_mon;
char *name; char *name;
char *secret; struct ceph_crypto_key *key;
}; };
/* /*
......
...@@ -35,12 +35,12 @@ static int ceph_auth_init_protocol(struct ceph_auth_client *ac, int protocol) ...@@ -35,12 +35,12 @@ static int ceph_auth_init_protocol(struct ceph_auth_client *ac, int protocol)
/* /*
* setup, teardown. * setup, teardown.
*/ */
struct ceph_auth_client *ceph_auth_init(const char *name, const char *secret) struct ceph_auth_client *ceph_auth_init(const char *name, const struct ceph_crypto_key *key)
{ {
struct ceph_auth_client *ac; struct ceph_auth_client *ac;
int ret; int ret;
dout("auth_init name '%s' secret '%s'\n", name, secret); dout("auth_init name '%s'\n", name);
ret = -ENOMEM; ret = -ENOMEM;
ac = kzalloc(sizeof(*ac), GFP_NOFS); ac = kzalloc(sizeof(*ac), GFP_NOFS);
...@@ -52,8 +52,8 @@ struct ceph_auth_client *ceph_auth_init(const char *name, const char *secret) ...@@ -52,8 +52,8 @@ struct ceph_auth_client *ceph_auth_init(const char *name, const char *secret)
ac->name = name; ac->name = name;
else else
ac->name = CEPH_AUTH_NAME_DEFAULT; ac->name = CEPH_AUTH_NAME_DEFAULT;
dout("auth_init name %s secret %s\n", ac->name, secret); dout("auth_init name %s\n", ac->name);
ac->secret = secret; ac->key = key;
return ac; return ac;
out: out:
......
...@@ -662,14 +662,16 @@ int ceph_x_init(struct ceph_auth_client *ac) ...@@ -662,14 +662,16 @@ int ceph_x_init(struct ceph_auth_client *ac)
goto out; goto out;
ret = -EINVAL; ret = -EINVAL;
if (!ac->secret) { if (!ac->key) {
pr_err("no secret set (for auth_x protocol)\n"); pr_err("no secret set (for auth_x protocol)\n");
goto out_nomem; goto out_nomem;
} }
ret = ceph_crypto_key_unarmor(&xi->secret, ac->secret); ret = ceph_crypto_key_clone(&xi->secret, ac->key);
if (ret) if (ret < 0) {
pr_err("cannot clone key: %d\n", ret);
goto out_nomem; goto out_nomem;
}
xi->starting = true; xi->starting = true;
xi->ticket_handlers = RB_ROOT; xi->ticket_handlers = RB_ROOT;
......
...@@ -20,6 +20,7 @@ ...@@ -20,6 +20,7 @@
#include <linux/ceph/decode.h> #include <linux/ceph/decode.h>
#include <linux/ceph/mon_client.h> #include <linux/ceph/mon_client.h>
#include <linux/ceph/auth.h> #include <linux/ceph/auth.h>
#include "crypto.h"
...@@ -117,9 +118,29 @@ int ceph_compare_options(struct ceph_options *new_opt, ...@@ -117,9 +118,29 @@ int ceph_compare_options(struct ceph_options *new_opt,
if (ret) if (ret)
return ret; return ret;
ret = strcmp_null(opt1->secret, opt2->secret); if (opt1->key && !opt2->key)
return -1;
if (!opt1->key && opt2->key)
return 1;
if (opt1->key && opt2->key) {
if (opt1->key->type != opt2->key->type)
return -1;
if (opt1->key->created.tv_sec != opt2->key->created.tv_sec)
return -1;
if (opt1->key->created.tv_nsec != opt2->key->created.tv_nsec)
return -1;
if (opt1->key->len != opt2->key->len)
return -1;
if (opt1->key->key && !opt2->key->key)
return -1;
if (!opt1->key->key && opt2->key->key)
return 1;
if (opt1->key->key && opt2->key->key) {
ret = memcmp(opt1->key->key, opt2->key->key, opt1->key->len);
if (ret) if (ret)
return ret; return ret;
}
}
/* any matching mon ip implies a match */ /* any matching mon ip implies a match */
for (i = 0; i < opt1->num_mon; i++) { for (i = 0; i < opt1->num_mon; i++) {
...@@ -203,7 +224,10 @@ void ceph_destroy_options(struct ceph_options *opt) ...@@ -203,7 +224,10 @@ void ceph_destroy_options(struct ceph_options *opt)
{ {
dout("destroy_options %p\n", opt); dout("destroy_options %p\n", opt);
kfree(opt->name); kfree(opt->name);
kfree(opt->secret); if (opt->key) {
ceph_crypto_key_destroy(opt->key);
kfree(opt->key);
}
kfree(opt); kfree(opt);
} }
EXPORT_SYMBOL(ceph_destroy_options); EXPORT_SYMBOL(ceph_destroy_options);
...@@ -295,9 +319,14 @@ int ceph_parse_options(struct ceph_options **popt, char *options, ...@@ -295,9 +319,14 @@ int ceph_parse_options(struct ceph_options **popt, char *options,
GFP_KERNEL); GFP_KERNEL);
break; break;
case Opt_secret: case Opt_secret:
opt->secret = kstrndup(argstr[0].from, opt->key = kzalloc(sizeof(*opt->key), GFP_KERNEL);
argstr[0].to-argstr[0].from, if (!opt->key) {
GFP_KERNEL); err = -ENOMEM;
goto out;
}
err = ceph_crypto_key_unarmor(opt->key, argstr[0].from);
if (err < 0)
goto out;
break; break;
/* misc */ /* misc */
......
...@@ -9,6 +9,17 @@ ...@@ -9,6 +9,17 @@
#include <linux/ceph/decode.h> #include <linux/ceph/decode.h>
#include "crypto.h" #include "crypto.h"
int ceph_crypto_key_clone(struct ceph_crypto_key *dst,
const struct ceph_crypto_key *src)
{
memcpy(dst, src, sizeof(struct ceph_crypto_key));
dst->key = kmalloc(src->len, GFP_NOFS);
if (!dst->key)
return -ENOMEM;
memcpy(dst->key, src->key, src->len);
return 0;
}
int ceph_crypto_key_encode(struct ceph_crypto_key *key, void **p, void *end) int ceph_crypto_key_encode(struct ceph_crypto_key *key, void **p, void *end)
{ {
if (*p + sizeof(u16) + sizeof(key->created) + if (*p + sizeof(u16) + sizeof(key->created) +
......
...@@ -19,6 +19,8 @@ static inline void ceph_crypto_key_destroy(struct ceph_crypto_key *key) ...@@ -19,6 +19,8 @@ static inline void ceph_crypto_key_destroy(struct ceph_crypto_key *key)
kfree(key->key); kfree(key->key);
} }
extern int ceph_crypto_key_clone(struct ceph_crypto_key *dst,
const struct ceph_crypto_key *src);
extern int ceph_crypto_key_encode(struct ceph_crypto_key *key, extern int ceph_crypto_key_encode(struct ceph_crypto_key *key,
void **p, void *end); void **p, void *end);
extern int ceph_crypto_key_decode(struct ceph_crypto_key *key, extern int ceph_crypto_key_decode(struct ceph_crypto_key *key,
......
...@@ -759,7 +759,7 @@ int ceph_monc_init(struct ceph_mon_client *monc, struct ceph_client *cl) ...@@ -759,7 +759,7 @@ int ceph_monc_init(struct ceph_mon_client *monc, struct ceph_client *cl)
/* authentication */ /* authentication */
monc->auth = ceph_auth_init(cl->options->name, monc->auth = ceph_auth_init(cl->options->name,
cl->options->secret); cl->options->key);
if (IS_ERR(monc->auth)) if (IS_ERR(monc->auth))
return PTR_ERR(monc->auth); return PTR_ERR(monc->auth);
monc->auth->want_keys = monc->auth->want_keys =
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment