linux-dev/net/ceph/auth_x.c, branch linus/masterLinux kernel development work - see feature brancheshttps://git.zx2c4.com/linux-dev/atom/net/ceph/auth_x.c?h=linus%2Fmaster2021-06-24T19:03:17Zlibceph: set global_id as soon as we get an auth ticket2021-06-24T19:03:17ZIlya Dryomovidryomov@gmail.com2021-06-21T10:17:40Zurn:sha1:03af4c7bad8ca59143bca488b90b3775d10d7f94
Commit 61ca49a9105f ("libceph: don't set global_id until we get an
auth ticket") delayed the setting of global_id too much. It is set
only after all tickets are received, but in pre-nautilus clusters an
auth ticket and the service tickets are obtained in separate steps
(for a total of three MAuth replies). When the service tickets are
requested, global_id is used to build an authorizer; if global_id is
still 0 we never get them and fail to establish the session.
Moving the setting of global_id into protocol implementations. This
way global_id can be set exactly when an auth ticket is received, not
sooner nor later.
Fixes: 61ca49a9105f ("libceph: don't set global_id until we get an auth ticket")
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
libceph: don't pass result into ac->ops->handle_reply()2021-06-24T19:03:16ZIlya Dryomovidryomov@gmail.com2021-06-21T09:53:38Zurn:sha1:3c0d0894320cc517fda657c69939cd0313d0b4e2
There is no result to pass in msgr2 case because authentication
failures are reported through auth_bad_method frame and in MAuth
case an error is returned immediately.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
libceph: bump CephXAuthenticate encoding version2021-04-27T21:52:24ZIlya Dryomovidryomov@gmail.com2021-04-14T08:38:40Zurn:sha1:7807dafda21a549403d922da98dde0ddfeb70d08
A dummy v3 encoding (exactly the same as v2) was introduced so that
the monitors can distinguish broken clients that may not include their
auth ticket in CEPHX_GET_AUTH_SESSION_KEY request on reconnects, thus
failing to prove previous possession of their global_id (one part of
CVE-2021-20288).
The kernel client has always included its auth ticket, so it is
compatible with enforcing mode as is. However we want to bump the
encoding version to avoid having to authenticate twice on the initial
connect -- all legacy (CephXAuthenticate < v3) are now forced do so in
order to expose insecure global_id reclaim.
Marking for stable since at least for 5.11 and 5.12 it is trivial
(v2 -> v3).
Cc: stable@vger.kernel.org # 5.11+
URL: https://tracker.ceph.com/issues/50452
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>
libceph: zero out session key and connection secret2021-01-04T16:31:32ZIlya Dryomovidryomov@gmail.com2020-12-22T18:00:48Zurn:sha1:10f42b3e648377b2f2f323a5530354710616c6cc
Try and avoid leaving bits and pieces of session key and connection
secret (gets split into GCM key and a pair of GCM IVs) around.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
libceph: drop ac->ops->name field2020-12-14T22:21:50ZIlya Dryomovidryomov@gmail.com2020-10-26T16:05:44Zurn:sha1:c1c0ce78f479cf4d7dfe72c4c1cabbf0bc0730c9
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
libceph, ceph: incorporate nautilus cephx changes2020-12-14T22:21:50ZIlya Dryomovidryomov@gmail.com2020-10-26T15:47:20Zurn:sha1:285ea34fc876aa0a2c5e65d310c4a41269e2e5f2
- request service tickets together with auth ticket. Currently we get
auth ticket via CEPHX_GET_AUTH_SESSION_KEY op and then request service
tickets via CEPHX_GET_PRINCIPAL_SESSION_KEY op in a separate message.
Since nautilus, desired service tickets are shared togther with auth
ticket in CEPHX_GET_AUTH_SESSION_KEY reply.
- propagate session key and connection secret, if any. In preparation
for msgr2, update handle_reply() and verify_authorizer_reply() auth
ops to propagate session key and connection secret. Since nautilus,
if secure mode is negotiated, connection secret is shared either in
CEPHX_GET_AUTH_SESSION_KEY reply (for mons) or in a final authorizer
reply (for osds and mdses).
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
libceph: safer en/decoding of cephx requests and replies2020-12-14T22:21:50ZIlya Dryomovidryomov@gmail.com2020-10-12T13:05:09Zurn:sha1:6610fff2782a4a793069a5dd395883a91c76e7d4
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
libceph: more insight into ticket expiry and invalidation2020-12-14T22:21:50ZIlya Dryomovidryomov@gmail.com2020-11-27T16:18:27Zurn:sha1:f79e25b087b80eef47eef4c8b0763eb1a583a357
Make it clear that "need" is a union of "missing" and "have, but up
for renewal" and dout when the ticket goes missing due to expiry or
invalidation by client.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()2018-08-02T19:33:26ZIlya Dryomovidryomov@gmail.com2018-07-27T17:45:36Zurn:sha1:f1d10e04637924f2b00a0fecdd2ca4565f5cfc3f
Allow for extending ceph_x_authorize_reply in the future.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>
libceph: implement CEPHX_V2 calculation mode2018-08-02T19:33:25ZIlya Dryomovidryomov@gmail.com2018-07-27T17:25:32Zurn:sha1:cc255c76c70f7a87d97939621eae04b600d9f4a1
Derive the signature from the entire buffer (both AES cipher blocks)
instead of using just the first half of the first block, leaving out
data_crc entirely.
This addresses CVE-2018-1129.
Link: http://tracker.ceph.com/issues/24837
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>