Commit ae385eaf authored by Yan, Zheng's avatar Yan, Zheng Committed by Ilya Dryomov

libceph: store session key in cephx authorizer

Session key is required when calculating message signature. Save the session
key in authorizer, this avoid lookup ticket handler for each message
Signed-off-by: default avatarYan, Zheng <zyan@redhat.com>
parent e96a650a
...@@ -293,6 +293,11 @@ static int ceph_x_build_authorizer(struct ceph_auth_client *ac, ...@@ -293,6 +293,11 @@ static int ceph_x_build_authorizer(struct ceph_auth_client *ac,
dout("build_authorizer for %s %p\n", dout("build_authorizer for %s %p\n",
ceph_entity_type_name(th->service), au); ceph_entity_type_name(th->service), au);
ceph_crypto_key_destroy(&au->session_key);
ret = ceph_crypto_key_clone(&au->session_key, &th->session_key);
if (ret)
return ret;
maxlen = sizeof(*msg_a) + sizeof(msg_b) + maxlen = sizeof(*msg_a) + sizeof(msg_b) +
ceph_x_encrypt_buflen(ticket_blob_len); ceph_x_encrypt_buflen(ticket_blob_len);
dout(" need len %d\n", maxlen); dout(" need len %d\n", maxlen);
...@@ -302,9 +307,11 @@ static int ceph_x_build_authorizer(struct ceph_auth_client *ac, ...@@ -302,9 +307,11 @@ static int ceph_x_build_authorizer(struct ceph_auth_client *ac,
} }
if (!au->buf) { if (!au->buf) {
au->buf = ceph_buffer_new(maxlen, GFP_NOFS); au->buf = ceph_buffer_new(maxlen, GFP_NOFS);
if (!au->buf) if (!au->buf) {
ceph_crypto_key_destroy(&au->session_key);
return -ENOMEM; return -ENOMEM;
} }
}
au->service = th->service; au->service = th->service;
au->secret_id = th->secret_id; au->secret_id = th->secret_id;
...@@ -329,7 +336,7 @@ static int ceph_x_build_authorizer(struct ceph_auth_client *ac, ...@@ -329,7 +336,7 @@ static int ceph_x_build_authorizer(struct ceph_auth_client *ac,
get_random_bytes(&au->nonce, sizeof(au->nonce)); get_random_bytes(&au->nonce, sizeof(au->nonce));
msg_b.struct_v = 1; msg_b.struct_v = 1;
msg_b.nonce = cpu_to_le64(au->nonce); msg_b.nonce = cpu_to_le64(au->nonce);
ret = ceph_x_encrypt(&th->session_key, &msg_b, sizeof(msg_b), ret = ceph_x_encrypt(&au->session_key, &msg_b, sizeof(msg_b),
p, end - p); p, end - p);
if (ret < 0) if (ret < 0)
goto out_buf; goto out_buf;
...@@ -588,17 +595,13 @@ static int ceph_x_verify_authorizer_reply(struct ceph_auth_client *ac, ...@@ -588,17 +595,13 @@ static int ceph_x_verify_authorizer_reply(struct ceph_auth_client *ac,
struct ceph_authorizer *a, size_t len) struct ceph_authorizer *a, size_t len)
{ {
struct ceph_x_authorizer *au = (void *)a; struct ceph_x_authorizer *au = (void *)a;
struct ceph_x_ticket_handler *th;
int ret = 0; int ret = 0;
struct ceph_x_authorize_reply reply; struct ceph_x_authorize_reply reply;
void *preply = &reply; void *preply = &reply;
void *p = au->reply_buf; void *p = au->reply_buf;
void *end = p + sizeof(au->reply_buf); void *end = p + sizeof(au->reply_buf);
th = get_ticket_handler(ac, au->service); ret = ceph_x_decrypt(&au->session_key, &p, end, &preply, sizeof(reply));
if (IS_ERR(th))
return PTR_ERR(th);
ret = ceph_x_decrypt(&th->session_key, &p, end, &preply, sizeof(reply));
if (ret < 0) if (ret < 0)
return ret; return ret;
if (ret != sizeof(reply)) if (ret != sizeof(reply))
...@@ -618,6 +621,7 @@ static void ceph_x_destroy_authorizer(struct ceph_auth_client *ac, ...@@ -618,6 +621,7 @@ static void ceph_x_destroy_authorizer(struct ceph_auth_client *ac,
{ {
struct ceph_x_authorizer *au = (void *)a; struct ceph_x_authorizer *au = (void *)a;
ceph_crypto_key_destroy(&au->session_key);
ceph_buffer_put(au->buf); ceph_buffer_put(au->buf);
kfree(au); kfree(au);
} }
......
...@@ -26,6 +26,7 @@ struct ceph_x_ticket_handler { ...@@ -26,6 +26,7 @@ struct ceph_x_ticket_handler {
struct ceph_x_authorizer { struct ceph_x_authorizer {
struct ceph_crypto_key session_key;
struct ceph_buffer *buf; struct ceph_buffer *buf;
unsigned int service; unsigned int service;
u64 nonce; u64 nonce;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment