1b2441318SGreg Kroah-Hartman /* SPDX-License-Identifier: GPL-2.0 */
23d14c5d2SYehuda Sadeh #ifndef _FS_CEPH_AUTH_H
33d14c5d2SYehuda Sadeh #define _FS_CEPH_AUTH_H
43d14c5d2SYehuda Sadeh 
53d14c5d2SYehuda Sadeh #include <linux/ceph/types.h>
63d14c5d2SYehuda Sadeh #include <linux/ceph/buffer.h>
73d14c5d2SYehuda Sadeh 
83d14c5d2SYehuda Sadeh /*
93d14c5d2SYehuda Sadeh  * Abstract interface for communicating with the authentication module.
103d14c5d2SYehuda Sadeh  * There is some handshake that takes place between us and the monitor
113d14c5d2SYehuda Sadeh  * to acquire the necessary keys.  These are used to generate an
123d14c5d2SYehuda Sadeh  * 'authorizer' that we use when connecting to a service (mds, osd).
133d14c5d2SYehuda Sadeh  */
143d14c5d2SYehuda Sadeh 
153d14c5d2SYehuda Sadeh struct ceph_auth_client;
1633d07337SYan, Zheng struct ceph_msg;
173d14c5d2SYehuda Sadeh 
/*
 * Opaque, protocol-specific authorizer handle.  Only its destructor is
 * visible at this level; ceph_auth_destroy_authorizer() (declared below)
 * is presumably the public entry point that invokes it.
 */
struct ceph_authorizer {
	/* releases the implementation's state for this authorizer */
	void (*destroy)(struct ceph_authorizer *);
};
216c1ea260SIlya Dryomov 
/*
 * Per-connection authorizer exchange with a service (mds, osd).
 * Filled in by the auth client via create_authorizer/update_authorizer;
 * the buffers below are presumably what goes on the wire and what comes
 * back from the peer, so their contents must never be trusted beyond the
 * recorded lengths.
 */
struct ceph_auth_handshake {
	/* protocol-specific state; released through authorizer->destroy */
	struct ceph_authorizer *authorizer;
	/* encoded authorizer we send, and its length in bytes */
	void *authorizer_buf;
	size_t authorizer_buf_len;
	/* buffer the peer's reply is received into, and its capacity/length */
	void *authorizer_reply_buf;
	size_t authorizer_reply_buf_len;
	/*
	 * Optional message signing hooks.  Either may be NULL; the
	 * ceph_auth_sign_message()/ceph_auth_check_message_signature()
	 * wrappers below then do nothing and return 0, i.e. an unsigned
	 * connection accepts every message without verification.
	 */
	int (*sign_message)(struct ceph_auth_handshake *auth,
			    struct ceph_msg *msg);
	int (*check_message_signature)(struct ceph_auth_handshake *auth,
				       struct ceph_msg *msg);
};
336c4a1915SAlex Elder 
/*
 * Operations implemented by each authentication protocol (selected by
 * ceph_auth_client.protocol).  Every buffer a hook receives from the
 * monitor or a service is network data: implementations must bound all
 * decoding by the supplied end pointer or length.
 */
struct ceph_auth_client_ops {
	/*
	 * true if we are authenticated and can connect to
	 * services.
	 */
	int (*is_authenticated)(struct ceph_auth_client *ac);

	/*
	 * true if we should (re)authenticate, e.g., when our tickets
	 * are getting old and crusty.
	 */
	int (*should_authenticate)(struct ceph_auth_client *ac);

	/*
	 * build requests and process replies during monitor
	 * handshake.  if handle_reply returns -EAGAIN, we build
	 * another request.
	 *
	 * build_request encodes into [buf, end) and must not write past
	 * @end.  handle_reply decodes the monitor's reply from [buf, end);
	 * @global_id is presumably the id the monitor assigned to us.  On
	 * completion the negotiated key material is handed back through
	 * @session_key/@con_secret.  The *_len arguments are plain int
	 * pointers -- whether they carry the buffer capacity on entry is
	 * not visible from this header; confirm against the protocol
	 * implementation before relying on it.
	 */
	int (*build_request)(struct ceph_auth_client *ac, void *buf, void *end);
	int (*handle_reply)(struct ceph_auth_client *ac, u64 global_id,
			    void *buf, void *end, u8 *session_key,
			    int *session_key_len, u8 *con_secret,
			    int *con_secret_len);

	/*
	 * Create authorizer for connecting to a service, and verify
	 * the response to authenticate the service.
	 */
	int (*create_authorizer)(struct ceph_auth_client *ac, int peer_type,
				 struct ceph_auth_handshake *auth);
	/* ensure that an existing authorizer is up to date */
	int (*update_authorizer)(struct ceph_auth_client *ac, int peer_type,
				 struct ceph_auth_handshake *auth);
	/*
	 * Fold a challenge into authorizer @a.  @challenge_buf is
	 * presumably what the service sent back, i.e. peer-controlled:
	 * every read must stay within @challenge_buf_len.
	 */
	int (*add_authorizer_challenge)(struct ceph_auth_client *ac,
					struct ceph_authorizer *a,
					void *challenge_buf,
					int challenge_buf_len);
	/*
	 * Check the service's reply to authorizer @a.  @reply is again
	 * peer-supplied and must be parsed within @reply_len.  On success
	 * key material comes back through @session_key/@con_secret with
	 * the same *_len caveat as handle_reply.
	 */
	int (*verify_authorizer_reply)(struct ceph_auth_client *ac,
				       struct ceph_authorizer *a,
				       void *reply, int reply_len,
				       u8 *session_key, int *session_key_len,
				       u8 *con_secret, int *con_secret_len);
	/* drop cached authorizer state for @peer_type */
	void (*invalidate_authorizer)(struct ceph_auth_client *ac,
				      int peer_type);

	/* reset when we (re)connect to a monitor */
	void (*reset)(struct ceph_auth_client *ac);

	/* tear down protocol state (ac->private belongs to the implementation) */
	void (*destroy)(struct ceph_auth_client *ac);

	/*
	 * Optional message signing hooks.  The per-connection hooks in
	 * struct ceph_auth_handshake are what the inline wrappers below
	 * actually call; these are presumably the source they are
	 * installed from during the handshake.
	 */
	int (*sign_message)(struct ceph_auth_handshake *auth,
			    struct ceph_msg *msg);
	int (*check_message_signature)(struct ceph_auth_handshake *auth,
				       struct ceph_msg *msg);
};
893d14c5d2SYehuda Sadeh 
/*
 * Authentication state for one client entity.  @ops is NULL until a
 * protocol has been chosen (protocol == 0), so callers must check it
 * before dispatching through it.
 */
struct ceph_auth_client {
	u32 protocol;           /* CEPH_AUTH_* */
	void *private;          /* for use by protocol implementation */
	const struct ceph_auth_client_ops *ops;  /* null iff protocol==0 */

	bool negotiating;       /* true if negotiating protocol */
	const char *name;       /* entity name */
	u64 global_id;          /* our unique id in system; see ceph_auth_set_global_id() */
	/*
	 * our secret key, as passed to ceph_auth_init().  Whether the
	 * client copies it or keeps the caller's pointer is not visible
	 * here -- do not free it before ceph_auth_destroy() without
	 * checking the implementation.
	 */
	const struct ceph_crypto_key *key;     /* our secret key */
	unsigned want_keys;     /* which services we want */

	/* presumably derived from the con_modes list given to ceph_auth_init() */
	int preferred_mode;	/* CEPH_CON_MODE_* */
	int fallback_mode;	/* ditto */

	/* what exactly this serializes is not visible from this header */
	struct mutex mutex;
};
1063d14c5d2SYehuda Sadeh 
/* record the global_id assigned by the monitor (presumably sets ac->global_id) */
void ceph_auth_set_global_id(struct ceph_auth_client *ac, u64 global_id);

/*
 * Allocate an auth client for entity @name using secret @key and the
 * caller's list of acceptable CEPH_CON_MODE_* values in @con_modes.
 * The failure return convention (NULL vs. ERR_PTR) is not visible from
 * this header; check the implementation before testing the result.
 */
struct ceph_auth_client *ceph_auth_init(const char *name,
					const struct ceph_crypto_key *key,
					const int *con_modes);
extern void ceph_auth_destroy(struct ceph_auth_client *ac);

/* forget protocol state, e.g. on monitor reconnect (cf. ops->reset) */
extern void ceph_auth_reset(struct ceph_auth_client *ac);

/*
 * Monitor handshake: encode our hello / next request into @buf (at most
 * @len bytes) and consume a monitor reply.  Reply data is network input
 * and must be decoded within the given length.
 */
extern int ceph_auth_build_hello(struct ceph_auth_client *ac,
				 void *buf, size_t len);
extern int ceph_handle_auth_reply(struct ceph_auth_client *ac,
				  void *buf, size_t len,
				  void *reply_buf, size_t reply_len);
/* encode @name at *p, advancing *p; must not write past @end */
int ceph_auth_entity_name_encode(const char *name, void **p, void *end);

extern int ceph_build_auth(struct ceph_auth_client *ac,
		    void *msg_buf, size_t msg_len);
extern int ceph_auth_is_authenticated(struct ceph_auth_client *ac);

/*
 * Service authorizer handling.  __ceph_auth_get_authorizer() fills in
 * @auth for @peer_type (presumably building a fresh one when @force_new
 * is set) and reports the chosen protocol and connection modes through
 * the out-params.  The challenge/reply buffers given to the helpers
 * below are peer-supplied; implementations must stay within the given
 * lengths.
 *
 * NOTE(review): @session_key/@con_secret receive key material.  Nothing
 * here wipes those buffers; callers should clear them (memzero_explicit)
 * once the keys have been installed elsewhere.
 */
int __ceph_auth_get_authorizer(struct ceph_auth_client *ac,
			       struct ceph_auth_handshake *auth,
			       int peer_type, bool force_new,
			       int *proto, int *pref_mode, int *fallb_mode);
void ceph_auth_destroy_authorizer(struct ceph_authorizer *a);
int ceph_auth_add_authorizer_challenge(struct ceph_auth_client *ac,
				       struct ceph_authorizer *a,
				       void *challenge_buf,
				       int challenge_buf_len);
int ceph_auth_verify_authorizer_reply(struct ceph_auth_client *ac,
				      struct ceph_authorizer *a,
				      void *reply, int reply_len,
				      u8 *session_key, int *session_key_len,
				      u8 *con_secret, int *con_secret_len);
extern void ceph_auth_invalidate_authorizer(struct ceph_auth_client *ac,
					    int peer_type);
1433d14c5d2SYehuda Sadeh 
/*
 * Sign @msg with the per-connection hook installed in @auth.
 *
 * Returns the hook's result.  When no sign_message hook is installed
 * (NULL), the message is left as-is and 0 is returned, so a 0 here does
 * not by itself mean the message carries a signature.
 */
static inline int ceph_auth_sign_message(struct ceph_auth_handshake *auth,
					 struct ceph_msg *msg)
{
	int (*sign)(struct ceph_auth_handshake *, struct ceph_msg *);

	sign = auth->sign_message;
	return sign ? sign(auth, msg) : 0;
}
15133d07337SYan, Zheng 
/*
 * Verify the signature on @msg, if message signing is in use on this
 * connection.
 *
 * Returns the hook's result (presumably 0 when the signature verifies,
 * negative errno otherwise -- confirm against the implementation).  With
 * no check_message_signature hook installed, nothing is verified and 0
 * is returned: an unsigned connection accepts every message.  Callers
 * that require signed traffic must ensure the hook was installed during
 * the handshake rather than rely on this return value.
 */
static inline
int ceph_auth_check_message_signature(struct ceph_auth_handshake *auth,
				      struct ceph_msg *msg)
{
	int (*check)(struct ceph_auth_handshake *, struct ceph_msg *);

	check = auth->check_message_signature;
	if (!check)
		return 0;
	return check(auth, msg);
}
160cd1a677cSIlya Dryomov 
/*
 * Step-wise monitor handshake.  From the signatures: get_request writes
 * our next request into @buf (capacity @buf_len); handle_reply_more
 * consumes a partial reply of @reply_len bytes and writes the follow-up
 * request into @buf; handle_reply_done consumes the final reply and
 * returns the negotiated key material.  Replies are network input and
 * must be decoded within @reply_len.  handle_bad_method returns a bool,
 * presumably whether to retry with another protocol/mode from the
 * server-supplied allowed lists.
 */
int ceph_auth_get_request(struct ceph_auth_client *ac, void *buf, int buf_len);
int ceph_auth_handle_reply_more(struct ceph_auth_client *ac, void *reply,
				int reply_len, void *buf, int buf_len);
int ceph_auth_handle_reply_done(struct ceph_auth_client *ac,
				u64 global_id, void *reply, int reply_len,
				u8 *session_key, int *session_key_len,
				u8 *con_secret, int *con_secret_len);
bool ceph_auth_handle_bad_method(struct ceph_auth_client *ac,
				 int used_proto, int result,
				 const int *allowed_protos, int proto_cnt,
				 const int *allowed_modes, int mode_cnt);

/*
 * Step-wise service handshake, mirroring the monitor variant above.
 * Note that here @buf_len is an int pointer (unlike ceph_auth_get_request),
 * which suggests capacity-in/length-out semantics -- confirm against the
 * implementation before passing an uninitialized value.  The *_len
 * out-params for key material carry the same caveat.
 */
int ceph_auth_get_authorizer(struct ceph_auth_client *ac,
			     struct ceph_auth_handshake *auth,
			     int peer_type, void *buf, int *buf_len);
int ceph_auth_handle_svc_reply_more(struct ceph_auth_client *ac,
				    struct ceph_auth_handshake *auth,
				    void *reply, int reply_len,
				    void *buf, int *buf_len);
int ceph_auth_handle_svc_reply_done(struct ceph_auth_client *ac,
				    struct ceph_auth_handshake *auth,
				    void *reply, int reply_len,
				    u8 *session_key, int *session_key_len,
				    u8 *con_secret, int *con_secret_len);
bool ceph_auth_handle_bad_authorizer(struct ceph_auth_client *ac,
				     int peer_type, int used_proto, int result,
				     const int *allowed_protos, int proto_cnt,
				     const int *allowed_modes, int mode_cnt);
189cd1a677cSIlya Dryomov 
1903d14c5d2SYehuda Sadeh #endif
191