1 /* SPDX-License-Identifier: GPL-2.0 */
2 #ifndef _FS_CEPH_AUTH_H
3 #define _FS_CEPH_AUTH_H
4
5 #include <linux/ceph/types.h>
6 #include <linux/ceph/buffer.h>
7
8 /*
9 * Abstract interface for communicating with the authenticate module.
10 * There is some handshake that takes place between us and the monitor
11 * to acquire the necessary keys. These are used to generate an
12 * 'authorizer' that we use when connecting to a service (mds, osd).
13 */
14
15 struct ceph_auth_client;
16 struct ceph_msg;
17
18 struct ceph_authorizer {
19 void (*destroy)(struct ceph_authorizer *);
20 };
21
22 struct ceph_auth_handshake {
23 struct ceph_authorizer *authorizer;
24 void *authorizer_buf;
25 size_t authorizer_buf_len;
26 void *authorizer_reply_buf;
27 size_t authorizer_reply_buf_len;
28 int (*sign_message)(struct ceph_auth_handshake *auth,
29 struct ceph_msg *msg);
30 int (*check_message_signature)(struct ceph_auth_handshake *auth,
31 struct ceph_msg *msg);
32 };
33
34 struct ceph_auth_client_ops {
35 /*
36 * true if we are authenticated and can connect to
37 * services.
38 */
39 int (*is_authenticated)(struct ceph_auth_client *ac);
40
41 /*
42 * true if we should (re)authenticate, e.g., when our tickets
43 * are getting old and crusty.
44 */
45 int (*should_authenticate)(struct ceph_auth_client *ac);
46
47 /*
48 * build requests and process replies during monitor
49 * handshake. if handle_reply returns -EAGAIN, we build
50 * another request.
51 */
52 int (*build_request)(struct ceph_auth_client *ac, void *buf, void *end);
53 int (*handle_reply)(struct ceph_auth_client *ac, u64 global_id,
54 void *buf, void *end, u8 *session_key,
55 int *session_key_len, u8 *con_secret,
56 int *con_secret_len);
57
58 /*
59 * Create authorizer for connecting to a service, and verify
60 * the response to authenticate the service.
61 */
62 int (*create_authorizer)(struct ceph_auth_client *ac, int peer_type,
63 struct ceph_auth_handshake *auth);
64 /* ensure that an existing authorizer is up to date */
65 int (*update_authorizer)(struct ceph_auth_client *ac, int peer_type,
66 struct ceph_auth_handshake *auth);
67 int (*add_authorizer_challenge)(struct ceph_auth_client *ac,
68 struct ceph_authorizer *a,
69 void *challenge_buf,
70 int challenge_buf_len);
71 int (*verify_authorizer_reply)(struct ceph_auth_client *ac,
72 struct ceph_authorizer *a,
73 void *reply, int reply_len,
74 u8 *session_key, int *session_key_len,
75 u8 *con_secret, int *con_secret_len);
76 void (*invalidate_authorizer)(struct ceph_auth_client *ac,
77 int peer_type);
78
79 /* reset when we (re)connect to a monitor */
80 void (*reset)(struct ceph_auth_client *ac);
81
82 void (*destroy)(struct ceph_auth_client *ac);
83
84 int (*sign_message)(struct ceph_auth_handshake *auth,
85 struct ceph_msg *msg);
86 int (*check_message_signature)(struct ceph_auth_handshake *auth,
87 struct ceph_msg *msg);
88 };
89
90 struct ceph_auth_client {
91 u32 protocol; /* CEPH_AUTH_* */
92 void *private; /* for use by protocol implementation */
93 const struct ceph_auth_client_ops *ops; /* null iff protocol==0 */
94
95 bool negotiating; /* true if negotiating protocol */
96 const char *name; /* entity name */
97 u64 global_id; /* our unique id in system */
98 const struct ceph_crypto_key *key; /* our secret key */
99 unsigned want_keys; /* which services we want */
100
101 int preferred_mode; /* CEPH_CON_MODE_* */
102 int fallback_mode; /* ditto */
103
104 struct mutex mutex;
105 };
106
107 void ceph_auth_set_global_id(struct ceph_auth_client *ac, u64 global_id);
108
109 struct ceph_auth_client *ceph_auth_init(const char *name,
110 const struct ceph_crypto_key *key,
111 const int *con_modes);
112 extern void ceph_auth_destroy(struct ceph_auth_client *ac);
113
114 extern void ceph_auth_reset(struct ceph_auth_client *ac);
115
116 extern int ceph_auth_build_hello(struct ceph_auth_client *ac,
117 void *buf, size_t len);
118 extern int ceph_handle_auth_reply(struct ceph_auth_client *ac,
119 void *buf, size_t len,
120 void *reply_buf, size_t reply_len);
121 int ceph_auth_entity_name_encode(const char *name, void **p, void *end);
122
123 extern int ceph_build_auth(struct ceph_auth_client *ac,
124 void *msg_buf, size_t msg_len);
125 extern int ceph_auth_is_authenticated(struct ceph_auth_client *ac);
126
127 int __ceph_auth_get_authorizer(struct ceph_auth_client *ac,
128 struct ceph_auth_handshake *auth,
129 int peer_type, bool force_new,
130 int *proto, int *pref_mode, int *fallb_mode);
131 void ceph_auth_destroy_authorizer(struct ceph_authorizer *a);
132 int ceph_auth_add_authorizer_challenge(struct ceph_auth_client *ac,
133 struct ceph_authorizer *a,
134 void *challenge_buf,
135 int challenge_buf_len);
136 int ceph_auth_verify_authorizer_reply(struct ceph_auth_client *ac,
137 struct ceph_authorizer *a,
138 void *reply, int reply_len,
139 u8 *session_key, int *session_key_len,
140 u8 *con_secret, int *con_secret_len);
141 extern void ceph_auth_invalidate_authorizer(struct ceph_auth_client *ac,
142 int peer_type);
143
ceph_auth_sign_message(struct ceph_auth_handshake * auth,struct ceph_msg * msg)144 static inline int ceph_auth_sign_message(struct ceph_auth_handshake *auth,
145 struct ceph_msg *msg)
146 {
147 if (auth->sign_message)
148 return auth->sign_message(auth, msg);
149 return 0;
150 }
151
152 static inline
ceph_auth_check_message_signature(struct ceph_auth_handshake * auth,struct ceph_msg * msg)153 int ceph_auth_check_message_signature(struct ceph_auth_handshake *auth,
154 struct ceph_msg *msg)
155 {
156 if (auth->check_message_signature)
157 return auth->check_message_signature(auth, msg);
158 return 0;
159 }
160
161 int ceph_auth_get_request(struct ceph_auth_client *ac, void *buf, int buf_len);
162 int ceph_auth_handle_reply_more(struct ceph_auth_client *ac, void *reply,
163 int reply_len, void *buf, int buf_len);
164 int ceph_auth_handle_reply_done(struct ceph_auth_client *ac,
165 u64 global_id, void *reply, int reply_len,
166 u8 *session_key, int *session_key_len,
167 u8 *con_secret, int *con_secret_len);
168 bool ceph_auth_handle_bad_method(struct ceph_auth_client *ac,
169 int used_proto, int result,
170 const int *allowed_protos, int proto_cnt,
171 const int *allowed_modes, int mode_cnt);
172
173 int ceph_auth_get_authorizer(struct ceph_auth_client *ac,
174 struct ceph_auth_handshake *auth,
175 int peer_type, void *buf, int *buf_len);
176 int ceph_auth_handle_svc_reply_more(struct ceph_auth_client *ac,
177 struct ceph_auth_handshake *auth,
178 void *reply, int reply_len,
179 void *buf, int *buf_len);
180 int ceph_auth_handle_svc_reply_done(struct ceph_auth_client *ac,
181 struct ceph_auth_handshake *auth,
182 void *reply, int reply_len,
183 u8 *session_key, int *session_key_len,
184 u8 *con_secret, int *con_secret_len);
185 bool ceph_auth_handle_bad_authorizer(struct ceph_auth_client *ac,
186 int peer_type, int used_proto, int result,
187 const int *allowed_protos, int proto_cnt,
188 const int *allowed_modes, int mode_cnt);
189
190 #endif
191