285ea34fc8
- request service tickets together with auth ticket. Currently we get auth ticket via CEPHX_GET_AUTH_SESSION_KEY op and then request service tickets via CEPHX_GET_PRINCIPAL_SESSION_KEY op in a separate message. Since nautilus, desired service tickets are shared togther with auth ticket in CEPHX_GET_AUTH_SESSION_KEY reply. - propagate session key and connection secret, if any. In preparation for msgr2, update handle_reply() and verify_authorizer_reply() auth ops to propagate session key and connection secret. Since nautilus, if secure mode is negotiated, connection secret is shared either in CEPHX_GET_AUTH_SESSION_KEY reply (for mons) or in a final authorizer reply (for osds and mdses). Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
100 lines
1.9 KiB
C
100 lines
1.9 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef __FS_CEPH_AUTH_X_PROTOCOL
|
|
#define __FS_CEPH_AUTH_X_PROTOCOL
|
|
|
|
#define CEPHX_GET_AUTH_SESSION_KEY 0x0100
|
|
#define CEPHX_GET_PRINCIPAL_SESSION_KEY 0x0200
|
|
#define CEPHX_GET_ROTATING_KEY 0x0400
|
|
|
|
/* common bits */
|
|
struct ceph_x_ticket_blob {
|
|
__u8 struct_v;
|
|
__le64 secret_id;
|
|
__le32 blob_len;
|
|
char blob[];
|
|
} __attribute__ ((packed));
|
|
|
|
|
|
/* common request/reply headers */
|
|
struct ceph_x_request_header {
|
|
__le16 op;
|
|
} __attribute__ ((packed));
|
|
|
|
struct ceph_x_reply_header {
|
|
__le16 op;
|
|
__le32 result;
|
|
} __attribute__ ((packed));
|
|
|
|
|
|
/* authenticate handshake */
|
|
|
|
/* initial hello (no reply header) */
|
|
struct ceph_x_server_challenge {
|
|
__u8 struct_v;
|
|
__le64 server_challenge;
|
|
} __attribute__ ((packed));
|
|
|
|
struct ceph_x_authenticate {
|
|
__u8 struct_v;
|
|
__le64 client_challenge;
|
|
__le64 key;
|
|
/* old_ticket blob */
|
|
/* nautilus+: other_keys */
|
|
} __attribute__ ((packed));
|
|
|
|
struct ceph_x_service_ticket_request {
|
|
__u8 struct_v;
|
|
__le32 keys;
|
|
} __attribute__ ((packed));
|
|
|
|
struct ceph_x_challenge_blob {
|
|
__le64 server_challenge;
|
|
__le64 client_challenge;
|
|
} __attribute__ ((packed));
|
|
|
|
|
|
|
|
/* authorize handshake */
|
|
|
|
/*
|
|
* The authorizer consists of two pieces:
|
|
* a - service id, ticket blob
|
|
* b - encrypted with session key
|
|
*/
|
|
struct ceph_x_authorize_a {
|
|
__u8 struct_v;
|
|
__le64 global_id;
|
|
__le32 service_id;
|
|
struct ceph_x_ticket_blob ticket_blob;
|
|
} __attribute__ ((packed));
|
|
|
|
struct ceph_x_authorize_b {
|
|
__u8 struct_v;
|
|
__le64 nonce;
|
|
__u8 have_challenge;
|
|
__le64 server_challenge_plus_one;
|
|
} __attribute__ ((packed));
|
|
|
|
struct ceph_x_authorize_challenge {
|
|
__u8 struct_v;
|
|
__le64 server_challenge;
|
|
} __attribute__ ((packed));
|
|
|
|
struct ceph_x_authorize_reply {
|
|
__u8 struct_v;
|
|
__le64 nonce_plus_one;
|
|
} __attribute__ ((packed));
|
|
|
|
|
|
/*
|
|
* encyption bundle
|
|
*/
|
|
#define CEPHX_ENC_MAGIC 0xff009cad8826aa55ull
|
|
|
|
struct ceph_x_encrypt_header {
|
|
__u8 struct_v;
|
|
__le64 magic;
|
|
} __attribute__ ((packed));
|
|
|
|
#endif
|