[mirror_ubuntu-jammy-kernel.git] / net / ceph / auth.c

// SPDX-License-Identifier: GPL-2.0
#include <linux/ceph/ceph_debug.h>

#include <linux/module.h>
#include <linux/err.h>
#include <linux/slab.h>

#include <linux/ceph/types.h>
#include <linux/ceph/decode.h>
#include <linux/ceph/libceph.h>
#include <linux/ceph/messenger.h>
#include "auth_none.h"
#include "auth_x.h"


/*
 * get protocol handler
 */
static u32 supported_protocols[] = {
	CEPH_AUTH_NONE,
	CEPH_AUTH_CEPHX
};

static int init_protocol(struct ceph_auth_client *ac, int proto)
{
	dout("%s proto %d\n", __func__, proto);

	switch (proto) {
	case CEPH_AUTH_NONE:
		return ceph_auth_none_init(ac);
	case CEPH_AUTH_CEPHX:
		return ceph_x_init(ac);
	default:
		pr_err("bad auth protocol %d\n", proto);
		return -EINVAL;
	}
}

static void set_global_id(struct ceph_auth_client *ac, u64 global_id)
{
	dout("%s global_id %llu\n", __func__, global_id);

	if (!global_id)
		pr_err("got zero global_id\n");

	if (ac->global_id && global_id != ac->global_id)
		pr_err("global_id changed from %llu to %llu\n", ac->global_id,
		       global_id);

	ac->global_id = global_id;
}

/*
 * setup, teardown.
 */
struct ceph_auth_client *ceph_auth_init(const char *name,
					const struct ceph_crypto_key *key,
					const int *con_modes)
{
	struct ceph_auth_client *ac;
	int ret;

	ret = -ENOMEM;
	ac = kzalloc(sizeof(*ac), GFP_NOFS);
	if (!ac)
		goto out;

	mutex_init(&ac->mutex);
	ac->negotiating = true;
	if (name)
		ac->name = name;
	else
		ac->name = CEPH_AUTH_NAME_DEFAULT;
	ac->key = key;
	ac->preferred_mode = con_modes[0];
	ac->fallback_mode = con_modes[1];

	dout("%s name '%s' preferred_mode %d fallback_mode %d\n", __func__,
	     ac->name, ac->preferred_mode, ac->fallback_mode);
	return ac;

out:
	return ERR_PTR(ret);
}

void ceph_auth_destroy(struct ceph_auth_client *ac)
{
	dout("auth_destroy %p\n", ac);
	if (ac->ops)
		ac->ops->destroy(ac);
	kfree(ac);
}

/*
 * Reset occurs when reconnecting to the monitor.
 */
void ceph_auth_reset(struct ceph_auth_client *ac)
{
	mutex_lock(&ac->mutex);
	dout("auth_reset %p\n", ac);
	if (ac->ops && !ac->negotiating)
		ac->ops->reset(ac);
	ac->negotiating = true;
	mutex_unlock(&ac->mutex);
}

/*
 * EntityName, not to be confused with entity_name_t
 */
int ceph_auth_entity_name_encode(const char *name, void **p, void *end)
{
	int len = strlen(name);

	if (*p + 2*sizeof(u32) + len > end)
		return -ERANGE;
	ceph_encode_32(p, CEPH_ENTITY_TYPE_CLIENT);
	ceph_encode_32(p, len);
	ceph_encode_copy(p, name, len);
	return 0;
}

/*
 * Initiate protocol negotiation with monitor.  Include entity name
 * and list supported protocols.
 */
int ceph_auth_build_hello(struct ceph_auth_client *ac, void *buf, size_t len)
{
	struct ceph_mon_request_header *monhdr = buf;
	void *p = monhdr + 1, *end = buf + len, *lenp;
	int i, num;
	int ret;

	mutex_lock(&ac->mutex);
	dout("auth_build_hello\n");
	monhdr->have_version = 0;
	monhdr->session_mon = cpu_to_le16(-1);
	monhdr->session_mon_tid = 0;

	ceph_encode_32(&p, CEPH_AUTH_UNKNOWN);  /* no protocol, yet */

	lenp = p;
	p += sizeof(u32);

	ceph_decode_need(&p, end, 1 + sizeof(u32), bad);
	ceph_encode_8(&p, 1);
	num = ARRAY_SIZE(supported_protocols);
	ceph_encode_32(&p, num);
	ceph_decode_need(&p, end, num * sizeof(u32), bad);
	for (i = 0; i < num; i++)
		ceph_encode_32(&p, supported_protocols[i]);

	ret = ceph_auth_entity_name_encode(ac->name, &p, end);
	if (ret < 0)
		goto out;
	ceph_decode_need(&p, end, sizeof(u64), bad);
	ceph_encode_64(&p, ac->global_id);

	ceph_encode_32(&lenp, p - lenp - sizeof(u32));
	ret = p - buf;
out:
	mutex_unlock(&ac->mutex);
	return ret;

bad:
	ret = -ERANGE;
	goto out;
}

static int build_request(struct ceph_auth_client *ac, bool add_header,
			 void *buf, int buf_len)
{
	void *end = buf + buf_len;
	void *p;
	int ret;

	p = buf;
	if (add_header) {
		/* struct ceph_mon_request_header + protocol */
		ceph_encode_64_safe(&p, end, 0, e_range);
		ceph_encode_16_safe(&p, end, -1, e_range);
		ceph_encode_64_safe(&p, end, 0, e_range);
		ceph_encode_32_safe(&p, end, ac->protocol, e_range);
	}

	ceph_encode_need(&p, end, sizeof(u32), e_range);
	ret = ac->ops->build_request(ac, p + sizeof(u32), end);
	if (ret < 0) {
		pr_err("auth protocol '%s' building request failed: %d\n",
		       ceph_auth_proto_name(ac->protocol), ret);
		return ret;
	}
	dout(" built request %d bytes\n", ret);
	ceph_encode_32(&p, ret);
	return p + ret - buf;

e_range:
	return -ERANGE;
}

/*
 * Handle auth message from monitor.
 */
int ceph_handle_auth_reply(struct ceph_auth_client *ac,
			   void *buf, size_t len,
			   void *reply_buf, size_t reply_len)
{
	void *p = buf;
	void *end = buf + len;
	int protocol;
	s32 result;
	u64 global_id;
	void *payload, *payload_end;
	int payload_len;
	char *result_msg;
	int result_msg_len;
	int ret = -EINVAL;

	mutex_lock(&ac->mutex);
	dout("handle_auth_reply %p %p\n", p, end);
	ceph_decode_need(&p, end, sizeof(u32) * 3 + sizeof(u64), bad);
	protocol = ceph_decode_32(&p);
	result = ceph_decode_32(&p);
	global_id = ceph_decode_64(&p);
	payload_len = ceph_decode_32(&p);
	payload = p;
	p += payload_len;
	ceph_decode_need(&p, end, sizeof(u32), bad);
	result_msg_len = ceph_decode_32(&p);
	result_msg = p;
	p += result_msg_len;
	if (p != end)
		goto bad;

	dout(" result %d '%.*s' gid %llu len %d\n", result, result_msg_len,
	     result_msg, global_id, payload_len);

	payload_end = payload + payload_len;

	if (ac->negotiating) {
		/* server does not support our protocols? */
		if (!protocol && result < 0) {
			ret = result;
			goto out;
		}
		/* set up (new) protocol handler? */
		if (ac->protocol && ac->protocol != protocol) {
			ac->ops->destroy(ac);
			ac->protocol = 0;
			ac->ops = NULL;
		}
		if (ac->protocol != protocol) {
			ret = init_protocol(ac, protocol);
			if (ret) {
				pr_err("auth protocol '%s' init failed: %d\n",
				       ceph_auth_proto_name(protocol), ret);
				goto out;
			}
		}

		ac->negotiating = false;
	}

	ret = ac->ops->handle_reply(ac, result, payload, payload_end,
				    NULL, NULL, NULL, NULL);
	if (ret == -EAGAIN) {
		ret = build_request(ac, true, reply_buf, reply_len);
		goto out;
	} else if (ret) {
		pr_err("auth protocol '%s' mauth authentication failed: %d\n",
		       ceph_auth_proto_name(ac->protocol), result);
		goto out;
	}

	set_global_id(ac, global_id);

out:
	mutex_unlock(&ac->mutex);
	return ret;

bad:
	pr_err("failed to decode auth msg\n");
	ret = -EINVAL;
	goto out;
}

int ceph_build_auth(struct ceph_auth_client *ac,
		    void *msg_buf, size_t msg_len)
{
	int ret = 0;

	mutex_lock(&ac->mutex);
	if (ac->ops->should_authenticate(ac))
		ret = build_request(ac, true, msg_buf, msg_len);
	mutex_unlock(&ac->mutex);
	return ret;
}

int ceph_auth_is_authenticated(struct ceph_auth_client *ac)
{
	int ret = 0;

	mutex_lock(&ac->mutex);
	if (ac->ops)
		ret = ac->ops->is_authenticated(ac);
	mutex_unlock(&ac->mutex);
	return ret;
}
EXPORT_SYMBOL(ceph_auth_is_authenticated);

int __ceph_auth_get_authorizer(struct ceph_auth_client *ac,
			       struct ceph_auth_handshake *auth,
			       int peer_type, bool force_new,
			       int *proto, int *pref_mode, int *fallb_mode)
{
	int ret;

	mutex_lock(&ac->mutex);
	if (force_new && auth->authorizer) {
		ceph_auth_destroy_authorizer(auth->authorizer);
		auth->authorizer = NULL;
	}
	if (!auth->authorizer)
		ret = ac->ops->create_authorizer(ac, peer_type, auth);
	else if (ac->ops->update_authorizer)
		ret = ac->ops->update_authorizer(ac, peer_type, auth);
	else
		ret = 0;
	if (ret)
		goto out;

	*proto = ac->protocol;
	if (pref_mode && fallb_mode) {
		*pref_mode = ac->preferred_mode;
		*fallb_mode = ac->fallback_mode;
	}

out:
	mutex_unlock(&ac->mutex);
	return ret;
}
EXPORT_SYMBOL(__ceph_auth_get_authorizer);

void ceph_auth_destroy_authorizer(struct ceph_authorizer *a)
{
	a->destroy(a);
}
EXPORT_SYMBOL(ceph_auth_destroy_authorizer);

int ceph_auth_add_authorizer_challenge(struct ceph_auth_client *ac,
				       struct ceph_authorizer *a,
				       void *challenge_buf,
				       int challenge_buf_len)
{
	int ret = 0;

	mutex_lock(&ac->mutex);
	if (ac->ops && ac->ops->add_authorizer_challenge)
		ret = ac->ops->add_authorizer_challenge(ac, a, challenge_buf,
							challenge_buf_len);
	mutex_unlock(&ac->mutex);
	return ret;
}
EXPORT_SYMBOL(ceph_auth_add_authorizer_challenge);

int ceph_auth_verify_authorizer_reply(struct ceph_auth_client *ac,
				      struct ceph_authorizer *a,
				      void *reply, int reply_len,
				      u8 *session_key, int *session_key_len,
				      u8 *con_secret, int *con_secret_len)
{
	int ret = 0;

	mutex_lock(&ac->mutex);
	if (ac->ops && ac->ops->verify_authorizer_reply)
		ret = ac->ops->verify_authorizer_reply(ac, a,
			reply, reply_len, session_key, session_key_len,
			con_secret, con_secret_len);
	mutex_unlock(&ac->mutex);
	return ret;
}
EXPORT_SYMBOL(ceph_auth_verify_authorizer_reply);

void ceph_auth_invalidate_authorizer(struct ceph_auth_client *ac, int peer_type)
{
	mutex_lock(&ac->mutex);
	if (ac->ops && ac->ops->invalidate_authorizer)
		ac->ops->invalidate_authorizer(ac, peer_type);
	mutex_unlock(&ac->mutex);
}
EXPORT_SYMBOL(ceph_auth_invalidate_authorizer);

/*
 * msgr2 authentication
 */

static bool contains(const int *arr, int cnt, int val)
{
	int i;

	for (i = 0; i < cnt; i++) {
		if (arr[i] == val)
			return true;
	}

	return false;
}

static int encode_con_modes(void **p, void *end, int pref_mode, int fallb_mode)
{
	WARN_ON(pref_mode == CEPH_CON_MODE_UNKNOWN);
	if (fallb_mode != CEPH_CON_MODE_UNKNOWN) {
		ceph_encode_32_safe(p, end, 2, e_range);
		ceph_encode_32_safe(p, end, pref_mode, e_range);
		ceph_encode_32_safe(p, end, fallb_mode, e_range);
	} else {
		ceph_encode_32_safe(p, end, 1, e_range);
		ceph_encode_32_safe(p, end, pref_mode, e_range);
	}

	return 0;

e_range:
	return -ERANGE;
}

/*
 * Similar to ceph_auth_build_hello().
 */
int ceph_auth_get_request(struct ceph_auth_client *ac, void *buf, int buf_len)
{
	int proto = ac->key ? CEPH_AUTH_CEPHX : CEPH_AUTH_NONE;
	void *end = buf + buf_len;
	void *lenp;
	void *p;
	int ret;

	mutex_lock(&ac->mutex);
	if (ac->protocol == CEPH_AUTH_UNKNOWN) {
		ret = init_protocol(ac, proto);
		if (ret) {
			pr_err("auth protocol '%s' init failed: %d\n",
			       ceph_auth_proto_name(proto), ret);
			goto out;
		}
	} else {
		WARN_ON(ac->protocol != proto);
		ac->ops->reset(ac);
	}

	p = buf;
	ceph_encode_32_safe(&p, end, ac->protocol, e_range);
	ret = encode_con_modes(&p, end, ac->preferred_mode, ac->fallback_mode);
	if (ret)
		goto out;

	lenp = p;
	p += 4;  /* space for len */

	ceph_encode_8_safe(&p, end, CEPH_AUTH_MODE_MON, e_range);
	ret = ceph_auth_entity_name_encode(ac->name, &p, end);
	if (ret)
		goto out;

	ceph_encode_64_safe(&p, end, ac->global_id, e_range);
	ceph_encode_32(&lenp, p - lenp - 4);
	ret = p - buf;

out:
	mutex_unlock(&ac->mutex);
	return ret;

e_range:
	ret = -ERANGE;
	goto out;
}

int ceph_auth_handle_reply_more(struct ceph_auth_client *ac, void *reply,
				int reply_len, void *buf, int buf_len)
{
	int ret;

	mutex_lock(&ac->mutex);
	ret = ac->ops->handle_reply(ac, 0, reply, reply + reply_len,
				    NULL, NULL, NULL, NULL);
	if (ret == -EAGAIN)
		ret = build_request(ac, false, buf, buf_len);
	else
		WARN_ON(ret >= 0);
	mutex_unlock(&ac->mutex);
	return ret;
}

int ceph_auth_handle_reply_done(struct ceph_auth_client *ac,
				u64 global_id, void *reply, int reply_len,
				u8 *session_key, int *session_key_len,
				u8 *con_secret, int *con_secret_len)
{
	int ret;

	mutex_lock(&ac->mutex);
	ret = ac->ops->handle_reply(ac, 0, reply, reply + reply_len,
				    session_key, session_key_len,
				    con_secret, con_secret_len);
	if (!ret)
		set_global_id(ac, global_id);
	mutex_unlock(&ac->mutex);
	return ret;
}

bool ceph_auth_handle_bad_method(struct ceph_auth_client *ac,
				 int used_proto, int result,
				 const int *allowed_protos, int proto_cnt,
				 const int *allowed_modes, int mode_cnt)
{
	mutex_lock(&ac->mutex);
	WARN_ON(used_proto != ac->protocol);

	if (result == -EOPNOTSUPP) {
		if (!contains(allowed_protos, proto_cnt, ac->protocol)) {
			pr_err("auth protocol '%s' not allowed\n",
			       ceph_auth_proto_name(ac->protocol));
			goto not_allowed;
		}
		if (!contains(allowed_modes, mode_cnt, ac->preferred_mode) &&
		    (ac->fallback_mode == CEPH_CON_MODE_UNKNOWN ||
		     !contains(allowed_modes, mode_cnt, ac->fallback_mode))) {
			pr_err("preferred mode '%s' not allowed\n",
			       ceph_con_mode_name(ac->preferred_mode));
			if (ac->fallback_mode == CEPH_CON_MODE_UNKNOWN)
				pr_err("no fallback mode\n");
			else
				pr_err("fallback mode '%s' not allowed\n",
				       ceph_con_mode_name(ac->fallback_mode));
			goto not_allowed;
		}
	}

	WARN_ON(result == -EOPNOTSUPP || result >= 0);
	pr_err("auth protocol '%s' msgr authentication failed: %d\n",
	       ceph_auth_proto_name(ac->protocol), result);

	mutex_unlock(&ac->mutex);
	return true;

not_allowed:
	mutex_unlock(&ac->mutex);
	return false;
}

int ceph_auth_get_authorizer(struct ceph_auth_client *ac,
			     struct ceph_auth_handshake *auth,
			     int peer_type, void *buf, int *buf_len)
{
	void *end = buf + *buf_len;
	int pref_mode, fallb_mode;
	int proto;
	void *p;
	int ret;

	ret = __ceph_auth_get_authorizer(ac, auth, peer_type, true, &proto,
					 &pref_mode, &fallb_mode);
	if (ret)
		return ret;

	p = buf;
	ceph_encode_32_safe(&p, end, proto, e_range);
	ret = encode_con_modes(&p, end, pref_mode, fallb_mode);
	if (ret)
		return ret;

	ceph_encode_32_safe(&p, end, auth->authorizer_buf_len, e_range);
	*buf_len = p - buf;
	return 0;

e_range:
	return -ERANGE;
}
EXPORT_SYMBOL(ceph_auth_get_authorizer);

int ceph_auth_handle_svc_reply_more(struct ceph_auth_client *ac,
				    struct ceph_auth_handshake *auth,
				    void *reply, int reply_len,
				    void *buf, int *buf_len)
{
	void *end = buf + *buf_len;
	void *p;
	int ret;

	ret = ceph_auth_add_authorizer_challenge(ac, auth->authorizer,
						 reply, reply_len);
	if (ret)
		return ret;

	p = buf;
	ceph_encode_32_safe(&p, end, auth->authorizer_buf_len, e_range);
	*buf_len = p - buf;
	return 0;

e_range:
	return -ERANGE;
}
EXPORT_SYMBOL(ceph_auth_handle_svc_reply_more);

int ceph_auth_handle_svc_reply_done(struct ceph_auth_client *ac,
				    struct ceph_auth_handshake *auth,
				    void *reply, int reply_len,
				    u8 *session_key, int *session_key_len,
				    u8 *con_secret, int *con_secret_len)
{
	return ceph_auth_verify_authorizer_reply(ac, auth->authorizer,
		reply, reply_len, session_key, session_key_len,
		con_secret, con_secret_len);
}
EXPORT_SYMBOL(ceph_auth_handle_svc_reply_done);

bool ceph_auth_handle_bad_authorizer(struct ceph_auth_client *ac,
				     int peer_type, int used_proto, int result,
				     const int *allowed_protos, int proto_cnt,
				     const int *allowed_modes, int mode_cnt)
{
	mutex_lock(&ac->mutex);
	WARN_ON(used_proto != ac->protocol);

	if (result == -EOPNOTSUPP) {
		if (!contains(allowed_protos, proto_cnt, ac->protocol)) {
			pr_err("auth protocol '%s' not allowed by %s\n",
			       ceph_auth_proto_name(ac->protocol),
			       ceph_entity_type_name(peer_type));
			goto not_allowed;
		}
		if (!contains(allowed_modes, mode_cnt, ac->preferred_mode) &&
		    (ac->fallback_mode == CEPH_CON_MODE_UNKNOWN ||
		     !contains(allowed_modes, mode_cnt, ac->fallback_mode))) {
			pr_err("preferred mode '%s' not allowed by %s\n",
			       ceph_con_mode_name(ac->preferred_mode),
			       ceph_entity_type_name(peer_type));
			if (ac->fallback_mode == CEPH_CON_MODE_UNKNOWN)
				pr_err("no fallback mode\n");
			else
				pr_err("fallback mode '%s' not allowed by %s\n",
				       ceph_con_mode_name(ac->fallback_mode),
				       ceph_entity_type_name(peer_type));
			goto not_allowed;
		}
	}

	WARN_ON(result == -EOPNOTSUPP || result >= 0);
	pr_err("auth protocol '%s' authorization to %s failed: %d\n",
	       ceph_auth_proto_name(ac->protocol),
	       ceph_entity_type_name(peer_type), result);

	if (ac->ops->invalidate_authorizer)
		ac->ops->invalidate_authorizer(ac, peer_type);

	mutex_unlock(&ac->mutex);
	return true;

not_allowed:
	mutex_unlock(&ac->mutex);
	return false;
}
EXPORT_SYMBOL(ceph_auth_handle_bad_authorizer);
Commit	Line	Data
b2441318	1	// SPDX-License-Identifier: GPL-2.0
3d14c5d2	2	#include <linux/ceph/ceph_debug.h>
4e7a5dcd SW	3
	4	#include <linux/module.h>
	5	#include <linux/err.h>
d45d0d97	6	#include <linux/slab.h>
4e7a5dcd	7
3d14c5d2 YS	8	#include <linux/ceph/types.h>
	9	#include <linux/ceph/decode.h>
	10	#include <linux/ceph/libceph.h>
	11	#include <linux/ceph/messenger.h>
4e7a5dcd	12	#include "auth_none.h"
ec0994e4	13	#include "auth_x.h"
4e7a5dcd	14
4e7a5dcd SW	15
	16	/*
	17	* get protocol handler
	18	*/
	19	static u32 supported_protocols[] = {
ec0994e4 SW	20	CEPH_AUTH_NONE,
ec0994e4 SW	21	CEPH_AUTH_CEPHX
4e7a5dcd SW	22	};
4e7a5dcd SW	23
59711f9e	24	static int init_protocol(struct ceph_auth_client *ac, int proto)
4e7a5dcd	25	{
59711f9e ID	26	dout("%s proto %d\n", __func__, proto);
	27
	28	switch (proto) {
4e7a5dcd SW	29	case CEPH_AUTH_NONE:
4e7a5dcd SW	30	return ceph_auth_none_init(ac);
ec0994e4 SW	31	case CEPH_AUTH_CEPHX:
ec0994e4 SW	32	return ceph_x_init(ac);
4e7a5dcd	33	default:
59711f9e ID	34	pr_err("bad auth protocol %d\n", proto);
59711f9e ID	35	return -EINVAL;
4e7a5dcd SW	36	}
	37	}
	38
61ca49a9 ID	39	static void set_global_id(struct ceph_auth_client *ac, u64 global_id)
	40	{
	41	dout("%s global_id %llu\n", __func__, global_id);
	42
	43	if (!global_id)
	44	pr_err("got zero global_id\n");
	45
	46	if (ac->global_id && global_id != ac->global_id)
	47	pr_err("global_id changed from %llu to %llu\n", ac->global_id,
	48	global_id);
	49
	50	ac->global_id = global_id;
	51	}
	52
4e7a5dcd SW	53	/*
	54	* setup, teardown.
	55	*/
00498b99 ID	56	struct ceph_auth_client ceph_auth_init(const char name,
	57	const struct ceph_crypto_key *key,
	58	const int *con_modes)
4e7a5dcd SW	59	{
	60	struct ceph_auth_client *ac;
	61	int ret;
	62
4e7a5dcd SW	63	ret = -ENOMEM;
	64	ac = kzalloc(sizeof(*ac), GFP_NOFS);
	65	if (!ac)
	66	goto out;
	67
e9966076	68	mutex_init(&ac->mutex);
4e7a5dcd SW	69	ac->negotiating = true;
	70	if (name)
	71	ac->name = name;
	72	else
	73	ac->name = CEPH_AUTH_NAME_DEFAULT;
8323c3aa	74	ac->key = key;
00498b99 ID	75	ac->preferred_mode = con_modes[0];
	76	ac->fallback_mode = con_modes[1];
	77
	78	dout("%s name '%s' preferred_mode %d fallback_mode %d\n", __func__,
	79	ac->name, ac->preferred_mode, ac->fallback_mode);
4e7a5dcd SW	80	return ac;
	81
	82	out:
	83	return ERR_PTR(ret);
	84	}
	85
	86	void ceph_auth_destroy(struct ceph_auth_client *ac)
	87	{
	88	dout("auth_destroy %p\n", ac);
	89	if (ac->ops)
	90	ac->ops->destroy(ac);
	91	kfree(ac);
	92	}
	93
	94	/*
	95	* Reset occurs when reconnecting to the monitor.
	96	*/
	97	void ceph_auth_reset(struct ceph_auth_client *ac)
	98	{
e9966076	99	mutex_lock(&ac->mutex);
4e7a5dcd SW	100	dout("auth_reset %p\n", ac);
	101	if (ac->ops && !ac->negotiating)
	102	ac->ops->reset(ac);
	103	ac->negotiating = true;
e9966076	104	mutex_unlock(&ac->mutex);
4e7a5dcd SW	105	}
4e7a5dcd SW	106
f01d5cb2 ID	107	/*
	108	* EntityName, not to be confused with entity_name_t
	109	*/
	110	int ceph_auth_entity_name_encode(const char name, void p, void end)
4e7a5dcd SW	111	{
	112	int len = strlen(name);
	113
	114	if (p + 2sizeof(u32) + len > end)
	115	return -ERANGE;
	116	ceph_encode_32(p, CEPH_ENTITY_TYPE_CLIENT);
	117	ceph_encode_32(p, len);
	118	ceph_encode_copy(p, name, len);
	119	return 0;
	120	}
	121
	122	/*
	123	* Initiate protocol negotiation with monitor. Include entity name
	124	* and list supported protocols.
	125	*/
	126	int ceph_auth_build_hello(struct ceph_auth_client ac, void buf, size_t len)
	127	{
	128	struct ceph_mon_request_header *monhdr = buf;
	129	void p = monhdr + 1, end = buf + len, *lenp;
	130	int i, num;
	131	int ret;
	132
e9966076	133	mutex_lock(&ac->mutex);
4e7a5dcd SW	134	dout("auth_build_hello\n");
	135	monhdr->have_version = 0;
	136	monhdr->session_mon = cpu_to_le16(-1);
	137	monhdr->session_mon_tid = 0;
	138
fdc723e7	139	ceph_encode_32(&p, CEPH_AUTH_UNKNOWN); /* no protocol, yet */
4e7a5dcd SW	140
	141	lenp = p;
	142	p += sizeof(u32);
	143
07c8739c SW	144	ceph_decode_need(&p, end, 1 + sizeof(u32), bad);
07c8739c SW	145	ceph_encode_8(&p, 1);
4e7a5dcd SW	146	num = ARRAY_SIZE(supported_protocols);
4e7a5dcd SW	147	ceph_encode_32(&p, num);
07c8739c	148	ceph_decode_need(&p, end, num * sizeof(u32), bad);
4e7a5dcd SW	149	for (i = 0; i < num; i++)
	150	ceph_encode_32(&p, supported_protocols[i]);
	151
f01d5cb2	152	ret = ceph_auth_entity_name_encode(ac->name, &p, end);
4e7a5dcd	153	if (ret < 0)
e9966076	154	goto out;
4e7a5dcd SW	155	ceph_decode_need(&p, end, sizeof(u64), bad);
	156	ceph_encode_64(&p, ac->global_id);
	157
	158	ceph_encode_32(&lenp, p - lenp - sizeof(u32));
e9966076 SW	159	ret = p - buf;
	160	out:
	161	mutex_unlock(&ac->mutex);
	162	return ret;
4e7a5dcd SW	163
4e7a5dcd SW	164	bad:
e9966076 SW	165	ret = -ERANGE;
e9966076 SW	166	goto out;
4e7a5dcd SW	167	}
4e7a5dcd SW	168
59711f9e ID	169	static int build_request(struct ceph_auth_client *ac, bool add_header,
59711f9e ID	170	void *buf, int buf_len)
9bd2e6f8	171	{
59711f9e ID	172	void *end = buf + buf_len;
59711f9e ID	173	void *p;
9bd2e6f8 SW	174	int ret;
9bd2e6f8 SW	175
59711f9e ID	176	p = buf;
	177	if (add_header) {
	178	/* struct ceph_mon_request_header + protocol */
	179	ceph_encode_64_safe(&p, end, 0, e_range);
	180	ceph_encode_16_safe(&p, end, -1, e_range);
	181	ceph_encode_64_safe(&p, end, 0, e_range);
	182	ceph_encode_32_safe(&p, end, ac->protocol, e_range);
	183	}
9bd2e6f8	184
59711f9e	185	ceph_encode_need(&p, end, sizeof(u32), e_range);
9bd2e6f8 SW	186	ret = ac->ops->build_request(ac, p + sizeof(u32), end);
9bd2e6f8 SW	187	if (ret < 0) {
59711f9e ID	188	pr_err("auth protocol '%s' building request failed: %d\n",
	189	ceph_auth_proto_name(ac->protocol), ret);
	190	return ret;
9bd2e6f8 SW	191	}
	192	dout(" built request %d bytes\n", ret);
	193	ceph_encode_32(&p, ret);
59711f9e ID	194	return p + ret - buf;
	195
	196	e_range:
	197	return -ERANGE;
9bd2e6f8 SW	198	}
9bd2e6f8 SW	199
4e7a5dcd SW	200	/*
	201	* Handle auth message from monitor.
	202	*/
	203	int ceph_handle_auth_reply(struct ceph_auth_client *ac,
	204	void *buf, size_t len,
	205	void *reply_buf, size_t reply_len)
	206	{
	207	void *p = buf;
	208	void *end = buf + len;
	209	int protocol;
	210	s32 result;
	211	u64 global_id;
	212	void payload, payload_end;
	213	int payload_len;
	214	char *result_msg;
	215	int result_msg_len;
	216	int ret = -EINVAL;
	217
e9966076	218	mutex_lock(&ac->mutex);
4e7a5dcd SW	219	dout("handle_auth_reply %p %p\n", p, end);
	220	ceph_decode_need(&p, end, sizeof(u32) * 3 + sizeof(u64), bad);
	221	protocol = ceph_decode_32(&p);
	222	result = ceph_decode_32(&p);
	223	global_id = ceph_decode_64(&p);
	224	payload_len = ceph_decode_32(&p);
	225	payload = p;
	226	p += payload_len;
	227	ceph_decode_need(&p, end, sizeof(u32), bad);
	228	result_msg_len = ceph_decode_32(&p);
	229	result_msg = p;
	230	p += result_msg_len;
	231	if (p != end)
	232	goto bad;
	233
	234	dout(" result %d '%.*s' gid %llu len %d\n", result, result_msg_len,
	235	result_msg, global_id, payload_len);
	236
	237	payload_end = payload + payload_len;
	238
4e7a5dcd	239	if (ac->negotiating) {
dc14657c YS	240	/* server does not support our protocols? */
	241	if (!protocol && result < 0) {
	242	ret = result;
	243	goto out;
	244	}
4e7a5dcd SW	245	/* set up (new) protocol handler? */
	246	if (ac->protocol && ac->protocol != protocol) {
	247	ac->ops->destroy(ac);
	248	ac->protocol = 0;
	249	ac->ops = NULL;
	250	}
	251	if (ac->protocol != protocol) {
59711f9e	252	ret = init_protocol(ac, protocol);
4e7a5dcd	253	if (ret) {
59711f9e ID	254	pr_err("auth protocol '%s' init failed: %d\n",
59711f9e ID	255	ceph_auth_proto_name(protocol), ret);
4e7a5dcd SW	256	goto out;
	257	}
	258	}
9bd2e6f8 SW	259
9bd2e6f8 SW	260	ac->negotiating = false;
4e7a5dcd SW	261	}
4e7a5dcd SW	262
285ea34f ID	263	ret = ac->ops->handle_reply(ac, result, payload, payload_end,
285ea34f ID	264	NULL, NULL, NULL, NULL);
61ca49a9	265	if (ret == -EAGAIN) {
59711f9e	266	ret = build_request(ac, true, reply_buf, reply_len);
61ca49a9 ID	267	goto out;
61ca49a9 ID	268	} else if (ret) {
59711f9e ID	269	pr_err("auth protocol '%s' mauth authentication failed: %d\n",
59711f9e ID	270	ceph_auth_proto_name(ac->protocol), result);
61ca49a9 ID	271	goto out;
	272	}
	273
	274	set_global_id(ac, global_id);
4e7a5dcd	275
4e7a5dcd	276	out:
e9966076	277	mutex_unlock(&ac->mutex);
4e7a5dcd	278	return ret;
e9966076 SW	279
	280	bad:
	281	pr_err("failed to decode auth msg\n");
	282	ret = -EINVAL;
	283	goto out;
4e7a5dcd SW	284	}
4e7a5dcd SW	285
9bd2e6f8 SW	286	int ceph_build_auth(struct ceph_auth_client *ac,
	287	void *msg_buf, size_t msg_len)
	288	{
e9966076 SW	289	int ret = 0;
	290
	291	mutex_lock(&ac->mutex);
464691bd	292	if (ac->ops->should_authenticate(ac))
59711f9e	293	ret = build_request(ac, true, msg_buf, msg_len);
e9966076 SW	294	mutex_unlock(&ac->mutex);
e9966076 SW	295	return ret;
9bd2e6f8	296	}
4e7a5dcd	297
9bd2e6f8 SW	298	int ceph_auth_is_authenticated(struct ceph_auth_client *ac)
9bd2e6f8 SW	299	{
e9966076 SW	300	int ret = 0;
	301
	302	mutex_lock(&ac->mutex);
	303	if (ac->ops)
	304	ret = ac->ops->is_authenticated(ac);
	305	mutex_unlock(&ac->mutex);
	306	return ret;
9bd2e6f8	307	}
27859f97 SW	308	EXPORT_SYMBOL(ceph_auth_is_authenticated);
27859f97 SW	309
cd1a677c ID	310	int __ceph_auth_get_authorizer(struct ceph_auth_client *ac,
	311	struct ceph_auth_handshake *auth,
	312	int peer_type, bool force_new,
	313	int proto, int pref_mode, int *fallb_mode)
	314	{
	315	int ret;
	316
	317	mutex_lock(&ac->mutex);
	318	if (force_new && auth->authorizer) {
	319	ceph_auth_destroy_authorizer(auth->authorizer);
	320	auth->authorizer = NULL;
	321	}
	322	if (!auth->authorizer)
	323	ret = ac->ops->create_authorizer(ac, peer_type, auth);
	324	else if (ac->ops->update_authorizer)
	325	ret = ac->ops->update_authorizer(ac, peer_type, auth);
	326	else
	327	ret = 0;
	328	if (ret)
	329	goto out;
	330
	331	*proto = ac->protocol;
	332	if (pref_mode && fallb_mode) {
	333	*pref_mode = ac->preferred_mode;
	334	*fallb_mode = ac->fallback_mode;
	335	}
	336
	337	out:
	338	mutex_unlock(&ac->mutex);
	339	return ret;
	340	}
	341	EXPORT_SYMBOL(__ceph_auth_get_authorizer);
	342
6c1ea260	343	void ceph_auth_destroy_authorizer(struct ceph_authorizer *a)
27859f97	344	{
6c1ea260	345	a->destroy(a);
27859f97 SW	346	}
	347	EXPORT_SYMBOL(ceph_auth_destroy_authorizer);
	348
6daca13d ID	349	int ceph_auth_add_authorizer_challenge(struct ceph_auth_client *ac,
	350	struct ceph_authorizer *a,
	351	void *challenge_buf,
	352	int challenge_buf_len)
	353	{
	354	int ret = 0;
	355
	356	mutex_lock(&ac->mutex);
	357	if (ac->ops && ac->ops->add_authorizer_challenge)
	358	ret = ac->ops->add_authorizer_challenge(ac, a, challenge_buf,
	359	challenge_buf_len);
	360	mutex_unlock(&ac->mutex);
	361	return ret;
	362	}
	363	EXPORT_SYMBOL(ceph_auth_add_authorizer_challenge);
	364
27859f97	365	int ceph_auth_verify_authorizer_reply(struct ceph_auth_client *ac,
285ea34f ID	366	struct ceph_authorizer *a,
	367	void *reply, int reply_len,
	368	u8 session_key, int session_key_len,
	369	u8 con_secret, int con_secret_len)
27859f97	370	{
e9966076 SW	371	int ret = 0;
	372
	373	mutex_lock(&ac->mutex);
27859f97	374	if (ac->ops && ac->ops->verify_authorizer_reply)
285ea34f ID	375	ret = ac->ops->verify_authorizer_reply(ac, a,
	376	reply, reply_len, session_key, session_key_len,
	377	con_secret, con_secret_len);
e9966076 SW	378	mutex_unlock(&ac->mutex);
e9966076 SW	379	return ret;
27859f97 SW	380	}
	381	EXPORT_SYMBOL(ceph_auth_verify_authorizer_reply);
	382
	383	void ceph_auth_invalidate_authorizer(struct ceph_auth_client *ac, int peer_type)
	384	{
e9966076	385	mutex_lock(&ac->mutex);
27859f97 SW	386	if (ac->ops && ac->ops->invalidate_authorizer)
27859f97 SW	387	ac->ops->invalidate_authorizer(ac, peer_type);
e9966076	388	mutex_unlock(&ac->mutex);
27859f97 SW	389	}
27859f97 SW	390	EXPORT_SYMBOL(ceph_auth_invalidate_authorizer);
cd1a677c ID	391
	392	/*
	393	* msgr2 authentication
	394	*/
	395
	396	static bool contains(const int *arr, int cnt, int val)
	397	{
	398	int i;
	399
	400	for (i = 0; i < cnt; i++) {
	401	if (arr[i] == val)
	402	return true;
	403	}
	404
	405	return false;
	406	}
	407
	408	static int encode_con_modes(void *p, void end, int pref_mode, int fallb_mode)
	409	{
	410	WARN_ON(pref_mode == CEPH_CON_MODE_UNKNOWN);
	411	if (fallb_mode != CEPH_CON_MODE_UNKNOWN) {
	412	ceph_encode_32_safe(p, end, 2, e_range);
	413	ceph_encode_32_safe(p, end, pref_mode, e_range);
	414	ceph_encode_32_safe(p, end, fallb_mode, e_range);
	415	} else {
	416	ceph_encode_32_safe(p, end, 1, e_range);
	417	ceph_encode_32_safe(p, end, pref_mode, e_range);
	418	}
	419
	420	return 0;
	421
	422	e_range:
	423	return -ERANGE;
	424	}
	425
	426	/*
	427	* Similar to ceph_auth_build_hello().
	428	*/
	429	int ceph_auth_get_request(struct ceph_auth_client ac, void buf, int buf_len)
	430	{
	431	int proto = ac->key ? CEPH_AUTH_CEPHX : CEPH_AUTH_NONE;
	432	void *end = buf + buf_len;
	433	void *lenp;
	434	void *p;
	435	int ret;
	436
	437	mutex_lock(&ac->mutex);
	438	if (ac->protocol == CEPH_AUTH_UNKNOWN) {
	439	ret = init_protocol(ac, proto);
	440	if (ret) {
	441	pr_err("auth protocol '%s' init failed: %d\n",
	442	ceph_auth_proto_name(proto), ret);
	443	goto out;
	444	}
	445	} else {
	446	WARN_ON(ac->protocol != proto);
	447	ac->ops->reset(ac);
	448	}
	449
	450	p = buf;
	451	ceph_encode_32_safe(&p, end, ac->protocol, e_range);
	452	ret = encode_con_modes(&p, end, ac->preferred_mode, ac->fallback_mode);
	453	if (ret)
	454	goto out;
455
456	lenp = p;
457	p += 4; /* space for len */
458
459	ceph_encode_8_safe(&p, end, CEPH_AUTH_MODE_MON, e_range);
460	ret = ceph_auth_entity_name_encode(ac->name, &p, end);
461	if (ret)
462	goto out;
463
464	ceph_encode_64_safe(&p, end, ac->global_id, e_range);
465	ceph_encode_32(&lenp, p - lenp - 4);
466	ret = p - buf;
467
468	out:
469	mutex_unlock(&ac->mutex);
470	return ret;
471
472	e_range:
473	ret = -ERANGE;
474	goto out;
475	}
476
477	int ceph_auth_handle_reply_more(struct ceph_auth_client ac, void reply,
478	int reply_len, void *buf, int buf_len)
479	{
480	int ret;
481
482	mutex_lock(&ac->mutex);
483	ret = ac->ops->handle_reply(ac, 0, reply, reply + reply_len,
484	NULL, NULL, NULL, NULL);
485	if (ret == -EAGAIN)
486	ret = build_request(ac, false, buf, buf_len);
487	else
488	WARN_ON(ret >= 0);
489	mutex_unlock(&ac->mutex);
490	return ret;
491	}
492
493	int ceph_auth_handle_reply_done(struct ceph_auth_client *ac,
494	u64 global_id, void *reply, int reply_len,
495	u8 session_key, int session_key_len,
496	u8 con_secret, int con_secret_len)
497	{
498	int ret;
499
500	mutex_lock(&ac->mutex);
cd1a677c ID	501	ret = ac->ops->handle_reply(ac, 0, reply, reply + reply_len,
	502	session_key, session_key_len,
	503	con_secret, con_secret_len);
61ca49a9 ID	504	if (!ret)
61ca49a9 ID	505	set_global_id(ac, global_id);
cd1a677c ID	506	mutex_unlock(&ac->mutex);
	507	return ret;
	508	}
	509
	510	bool ceph_auth_handle_bad_method(struct ceph_auth_client *ac,
	511	int used_proto, int result,
	512	const int *allowed_protos, int proto_cnt,
	513	const int *allowed_modes, int mode_cnt)
	514	{
	515	mutex_lock(&ac->mutex);
	516	WARN_ON(used_proto != ac->protocol);
	517
	518	if (result == -EOPNOTSUPP) {
	519	if (!contains(allowed_protos, proto_cnt, ac->protocol)) {
	520	pr_err("auth protocol '%s' not allowed\n",
	521	ceph_auth_proto_name(ac->protocol));
	522	goto not_allowed;
	523	}
	524	if (!contains(allowed_modes, mode_cnt, ac->preferred_mode) &&
	525	(ac->fallback_mode == CEPH_CON_MODE_UNKNOWN \|\|
	526	!contains(allowed_modes, mode_cnt, ac->fallback_mode))) {
	527	pr_err("preferred mode '%s' not allowed\n",
	528	ceph_con_mode_name(ac->preferred_mode));
	529	if (ac->fallback_mode == CEPH_CON_MODE_UNKNOWN)
	530	pr_err("no fallback mode\n");
	531	else
	532	pr_err("fallback mode '%s' not allowed\n",
	533	ceph_con_mode_name(ac->fallback_mode));
	534	goto not_allowed;
	535	}
	536	}
	537
	538	WARN_ON(result == -EOPNOTSUPP \|\| result >= 0);
	539	pr_err("auth protocol '%s' msgr authentication failed: %d\n",
	540	ceph_auth_proto_name(ac->protocol), result);
	541
	542	mutex_unlock(&ac->mutex);
	543	return true;
	544
	545	not_allowed:
	546	mutex_unlock(&ac->mutex);
	547	return false;
	548	}
	549
	550	int ceph_auth_get_authorizer(struct ceph_auth_client *ac,
	551	struct ceph_auth_handshake *auth,
	552	int peer_type, void buf, int buf_len)
	553	{
	554	void end = buf + buf_len;
	555	int pref_mode, fallb_mode;
	556	int proto;
	557	void *p;
	558	int ret;
	559
	560	ret = __ceph_auth_get_authorizer(ac, auth, peer_type, true, &proto,
	561	&pref_mode, &fallb_mode);
	562	if (ret)
	563	return ret;
	564
	565	p = buf;
	566	ceph_encode_32_safe(&p, end, proto, e_range);
	567	ret = encode_con_modes(&p, end, pref_mode, fallb_mode);
	568	if (ret)
	569	return ret;
570
571	ceph_encode_32_safe(&p, end, auth->authorizer_buf_len, e_range);
572	*buf_len = p - buf;
573	return 0;
574
575	e_range:
576	return -ERANGE;
577	}
578	EXPORT_SYMBOL(ceph_auth_get_authorizer);
579
580	int ceph_auth_handle_svc_reply_more(struct ceph_auth_client *ac,
581	struct ceph_auth_handshake *auth,
582	void *reply, int reply_len,
583	void buf, int buf_len)
584	{
585	void end = buf + buf_len;
586	void *p;
587	int ret;
588
589	ret = ceph_auth_add_authorizer_challenge(ac, auth->authorizer,
590	reply, reply_len);
591	if (ret)
592	return ret;
593
594	p = buf;
595	ceph_encode_32_safe(&p, end, auth->authorizer_buf_len, e_range);
596	*buf_len = p - buf;
597	return 0;
598
599	e_range:
600	return -ERANGE;
601	}
602	EXPORT_SYMBOL(ceph_auth_handle_svc_reply_more);
603
604	int ceph_auth_handle_svc_reply_done(struct ceph_auth_client *ac,
605	struct ceph_auth_handshake *auth,
606	void *reply, int reply_len,
607	u8 session_key, int session_key_len,
608	u8 con_secret, int con_secret_len)
609	{
610	return ceph_auth_verify_authorizer_reply(ac, auth->authorizer,
611	reply, reply_len, session_key, session_key_len,
612	con_secret, con_secret_len);
613	}
614	EXPORT_SYMBOL(ceph_auth_handle_svc_reply_done);
615
616	bool ceph_auth_handle_bad_authorizer(struct ceph_auth_client *ac,
617	int peer_type, int used_proto, int result,
618	const int *allowed_protos, int proto_cnt,
619	const int *allowed_modes, int mode_cnt)
620	{
621	mutex_lock(&ac->mutex);
622	WARN_ON(used_proto != ac->protocol);
623
624	if (result == -EOPNOTSUPP) {
625	if (!contains(allowed_protos, proto_cnt, ac->protocol)) {
626	pr_err("auth protocol '%s' not allowed by %s\n",
627	ceph_auth_proto_name(ac->protocol),
628	ceph_entity_type_name(peer_type));
629	goto not_allowed;
630	}
631	if (!contains(allowed_modes, mode_cnt, ac->preferred_mode) &&
632	(ac->fallback_mode == CEPH_CON_MODE_UNKNOWN \|\|
633	!contains(allowed_modes, mode_cnt, ac->fallback_mode))) {
634	pr_err("preferred mode '%s' not allowed by %s\n",
635	ceph_con_mode_name(ac->preferred_mode),
636	ceph_entity_type_name(peer_type));
637	if (ac->fallback_mode == CEPH_CON_MODE_UNKNOWN)
638	pr_err("no fallback mode\n");
639	else
640	pr_err("fallback mode '%s' not allowed by %s\n",
641	ceph_con_mode_name(ac->fallback_mode),
642	ceph_entity_type_name(peer_type));
643	goto not_allowed;
644	}
645	}
646
647	WARN_ON(result == -EOPNOTSUPP \|\| result >= 0);
648	pr_err("auth protocol '%s' authorization to %s failed: %d\n",
649	ceph_auth_proto_name(ac->protocol),
650	ceph_entity_type_name(peer_type), result);
651
652	if (ac->ops->invalidate_authorizer)
653	ac->ops->invalidate_authorizer(ac, peer_type);
654
655	mutex_unlock(&ac->mutex);
656	return true;
657
658	not_allowed:
659	mutex_unlock(&ac->mutex);
660	return false;
661	}
662	EXPORT_SYMBOL(ceph_auth_handle_bad_authorizer);