1 /* SPDX-License-Identifier: GPL-2.0 */
2 #ifndef _FS_CEPH_AUTH_H
3 #define _FS_CEPH_AUTH_H
4 
5 #include <linux/ceph/types.h>
6 #include <linux/ceph/buffer.h>
7 
8 /*
9  * Abstract interface for communicating with the authenticate module.
10  * There is some handshake that takes place between us and the monitor
11  * to acquire the necessary keys.  These are used to generate an
12  * 'authorizer' that we use when connecting to a service (mds, osd).
13  */
14 
15 struct ceph_auth_client;
16 struct ceph_msg;
17 
18 struct ceph_authorizer {
19 	void (*destroy)(struct ceph_authorizer *);
20 };
21 
22 struct ceph_auth_handshake {
23 	struct ceph_authorizer *authorizer;
24 	void *authorizer_buf;
25 	size_t authorizer_buf_len;
26 	void *authorizer_reply_buf;
27 	size_t authorizer_reply_buf_len;
28 	int (*sign_message)(struct ceph_auth_handshake *auth,
29 			    struct ceph_msg *msg);
30 	int (*check_message_signature)(struct ceph_auth_handshake *auth,
31 				       struct ceph_msg *msg);
32 };
33 
34 struct ceph_auth_client_ops {
35 	/*
36 	 * true if we are authenticated and can connect to
37 	 * services.
38 	 */
39 	int (*is_authenticated)(struct ceph_auth_client *ac);
40 
41 	/*
42 	 * true if we should (re)authenticate, e.g., when our tickets
43 	 * are getting old and crusty.
44 	 */
45 	int (*should_authenticate)(struct ceph_auth_client *ac);
46 
47 	/*
48 	 * build requests and process replies during monitor
49 	 * handshake.  if handle_reply returns -EAGAIN, we build
50 	 * another request.
51 	 */
52 	int (*build_request)(struct ceph_auth_client *ac, void *buf, void *end);
53 	int (*handle_reply)(struct ceph_auth_client *ac, u64 global_id,
54 			    void *buf, void *end, u8 *session_key,
55 			    int *session_key_len, u8 *con_secret,
56 			    int *con_secret_len);
57 
58 	/*
59 	 * Create authorizer for connecting to a service, and verify
60 	 * the response to authenticate the service.
61 	 */
62 	int (*create_authorizer)(struct ceph_auth_client *ac, int peer_type,
63 				 struct ceph_auth_handshake *auth);
64 	/* ensure that an existing authorizer is up to date */
65 	int (*update_authorizer)(struct ceph_auth_client *ac, int peer_type,
66 				 struct ceph_auth_handshake *auth);
67 	int (*add_authorizer_challenge)(struct ceph_auth_client *ac,
68 					struct ceph_authorizer *a,
69 					void *challenge_buf,
70 					int challenge_buf_len);
71 	int (*verify_authorizer_reply)(struct ceph_auth_client *ac,
72 				       struct ceph_authorizer *a,
73 				       void *reply, int reply_len,
74 				       u8 *session_key, int *session_key_len,
75 				       u8 *con_secret, int *con_secret_len);
76 	void (*invalidate_authorizer)(struct ceph_auth_client *ac,
77 				      int peer_type);
78 
79 	/* reset when we (re)connect to a monitor */
80 	void (*reset)(struct ceph_auth_client *ac);
81 
82 	void (*destroy)(struct ceph_auth_client *ac);
83 
84 	int (*sign_message)(struct ceph_auth_handshake *auth,
85 			    struct ceph_msg *msg);
86 	int (*check_message_signature)(struct ceph_auth_handshake *auth,
87 				       struct ceph_msg *msg);
88 };
89 
90 struct ceph_auth_client {
91 	u32 protocol;           /* CEPH_AUTH_* */
92 	void *private;          /* for use by protocol implementation */
93 	const struct ceph_auth_client_ops *ops;  /* null iff protocol==0 */
94 
95 	bool negotiating;       /* true if negotiating protocol */
96 	const char *name;       /* entity name */
97 	u64 global_id;          /* our unique id in system */
98 	const struct ceph_crypto_key *key;     /* our secret key */
99 	unsigned want_keys;     /* which services we want */
100 
101 	int preferred_mode;	/* CEPH_CON_MODE_* */
102 	int fallback_mode;	/* ditto */
103 
104 	struct mutex mutex;
105 };
106 
107 void ceph_auth_set_global_id(struct ceph_auth_client *ac, u64 global_id);
108 
109 struct ceph_auth_client *ceph_auth_init(const char *name,
110 					const struct ceph_crypto_key *key,
111 					const int *con_modes);
112 extern void ceph_auth_destroy(struct ceph_auth_client *ac);
113 
114 extern void ceph_auth_reset(struct ceph_auth_client *ac);
115 
116 extern int ceph_auth_build_hello(struct ceph_auth_client *ac,
117 				 void *buf, size_t len);
118 extern int ceph_handle_auth_reply(struct ceph_auth_client *ac,
119 				  void *buf, size_t len,
120 				  void *reply_buf, size_t reply_len);
121 int ceph_auth_entity_name_encode(const char *name, void **p, void *end);
122 
123 extern int ceph_build_auth(struct ceph_auth_client *ac,
124 		    void *msg_buf, size_t msg_len);
125 extern int ceph_auth_is_authenticated(struct ceph_auth_client *ac);
126 
127 int __ceph_auth_get_authorizer(struct ceph_auth_client *ac,
128 			       struct ceph_auth_handshake *auth,
129 			       int peer_type, bool force_new,
130 			       int *proto, int *pref_mode, int *fallb_mode);
131 void ceph_auth_destroy_authorizer(struct ceph_authorizer *a);
132 int ceph_auth_add_authorizer_challenge(struct ceph_auth_client *ac,
133 				       struct ceph_authorizer *a,
134 				       void *challenge_buf,
135 				       int challenge_buf_len);
136 int ceph_auth_verify_authorizer_reply(struct ceph_auth_client *ac,
137 				      struct ceph_authorizer *a,
138 				      void *reply, int reply_len,
139 				      u8 *session_key, int *session_key_len,
140 				      u8 *con_secret, int *con_secret_len);
141 extern void ceph_auth_invalidate_authorizer(struct ceph_auth_client *ac,
142 					    int peer_type);
143 
ceph_auth_sign_message(struct ceph_auth_handshake * auth,struct ceph_msg * msg)144 static inline int ceph_auth_sign_message(struct ceph_auth_handshake *auth,
145 					 struct ceph_msg *msg)
146 {
147 	if (auth->sign_message)
148 		return auth->sign_message(auth, msg);
149 	return 0;
150 }
151 
152 static inline
ceph_auth_check_message_signature(struct ceph_auth_handshake * auth,struct ceph_msg * msg)153 int ceph_auth_check_message_signature(struct ceph_auth_handshake *auth,
154 				      struct ceph_msg *msg)
155 {
156 	if (auth->check_message_signature)
157 		return auth->check_message_signature(auth, msg);
158 	return 0;
159 }
160 
161 int ceph_auth_get_request(struct ceph_auth_client *ac, void *buf, int buf_len);
162 int ceph_auth_handle_reply_more(struct ceph_auth_client *ac, void *reply,
163 				int reply_len, void *buf, int buf_len);
164 int ceph_auth_handle_reply_done(struct ceph_auth_client *ac,
165 				u64 global_id, void *reply, int reply_len,
166 				u8 *session_key, int *session_key_len,
167 				u8 *con_secret, int *con_secret_len);
168 bool ceph_auth_handle_bad_method(struct ceph_auth_client *ac,
169 				 int used_proto, int result,
170 				 const int *allowed_protos, int proto_cnt,
171 				 const int *allowed_modes, int mode_cnt);
172 
173 int ceph_auth_get_authorizer(struct ceph_auth_client *ac,
174 			     struct ceph_auth_handshake *auth,
175 			     int peer_type, void *buf, int *buf_len);
176 int ceph_auth_handle_svc_reply_more(struct ceph_auth_client *ac,
177 				    struct ceph_auth_handshake *auth,
178 				    void *reply, int reply_len,
179 				    void *buf, int *buf_len);
180 int ceph_auth_handle_svc_reply_done(struct ceph_auth_client *ac,
181 				    struct ceph_auth_handshake *auth,
182 				    void *reply, int reply_len,
183 				    u8 *session_key, int *session_key_len,
184 				    u8 *con_secret, int *con_secret_len);
185 bool ceph_auth_handle_bad_authorizer(struct ceph_auth_client *ac,
186 				     int peer_type, int used_proto, int result,
187 				     const int *allowed_protos, int proto_cnt,
188 				     const int *allowed_modes, int mode_cnt);
189 
190 #endif
191