1*4882a593Smuzhiyun /* SPDX-License-Identifier: GPL-2.0 */
2*4882a593Smuzhiyun #ifndef _FS_CEPH_AUTH_H
3*4882a593Smuzhiyun #define _FS_CEPH_AUTH_H
4*4882a593Smuzhiyun
5*4882a593Smuzhiyun #include <linux/ceph/types.h>
6*4882a593Smuzhiyun #include <linux/ceph/buffer.h>
7*4882a593Smuzhiyun
/*
 * Abstract interface for communicating with the authentication module.
 * A handshake takes place between us and the monitor to acquire the
 * necessary keys.  These are used to generate an 'authorizer' that we
 * present when connecting to a service (mds, osd).
 */
14*4882a593Smuzhiyun
/*
 * struct ceph_auth_client is defined later in this header; struct ceph_msg
 * is defined elsewhere and is only ever passed around by pointer here.
 */
struct ceph_auth_client;
struct ceph_msg;
17*4882a593Smuzhiyun
/*
 * Protocol-specific authorizer handle.  Only the release hook is visible
 * here; the protocol implementation presumably embeds this in its own
 * larger object and installs @destroy when it creates the authorizer.
 * ceph_auth_destroy_authorizer() (declared below) is the public way to
 * release one.
 */
struct ceph_authorizer {
	void (*destroy)(struct ceph_authorizer *);	/* releases the object */
};
21*4882a593Smuzhiyun
/*
 * Per-connection authentication state for a service (mds, osd) connection:
 * the authorizer, the encoded bytes that go to the peer, the buffer that
 * receives the peer's reply, and optional per-message integrity hooks.
 */
struct ceph_auth_handshake {
	struct ceph_authorizer *authorizer;	/* protocol-specific authorizer */
	void *authorizer_buf;			/* encoded authorizer (presumably sent to the peer) */
	size_t authorizer_buf_len;
	void *authorizer_reply_buf;		/* buffer for the peer's authorizer reply */
	size_t authorizer_reply_buf_len;
	/*
	 * Optional per-message integrity hooks.  When either is NULL the
	 * corresponding ceph_auth_sign_message() /
	 * ceph_auth_check_message_signature() wrapper below returns 0, i.e.
	 * messages on this connection are neither signed nor verified.
	 */
	int (*sign_message)(struct ceph_auth_handshake *auth,
			    struct ceph_msg *msg);
	int (*check_message_signature)(struct ceph_auth_handshake *auth,
				       struct ceph_msg *msg);
};
33*4882a593Smuzhiyun
/*
 * Hooks implemented by each authentication protocol (selected by
 * ceph_auth_client.protocol).  All take the owning client as first
 * argument except the two message-signing hooks, which operate on a
 * per-connection handshake.
 */
struct ceph_auth_client_ops {
	const char *name;	/* protocol name, for messages/debugging */

	/*
	 * true if we are authenticated and can connect to
	 * services.
	 */
	int (*is_authenticated)(struct ceph_auth_client *ac);

	/*
	 * true if we should (re)authenticate, e.g., when our tickets
	 * are getting old and crusty.
	 */
	int (*should_authenticate)(struct ceph_auth_client *ac);

	/*
	 * build requests and process replies during monitor
	 * handshake. if handle_reply returns -EAGAIN, we build
	 * another request.  @buf..@end delimit the available space /
	 * received bytes.
	 */
	int (*build_request)(struct ceph_auth_client *ac, void *buf, void *end);
	int (*handle_reply)(struct ceph_auth_client *ac, int result,
			    void *buf, void *end);

	/*
	 * Create authorizer for connecting to a service, and verify
	 * the response to authenticate the service.
	 */
	int (*create_authorizer)(struct ceph_auth_client *ac, int peer_type,
				 struct ceph_auth_handshake *auth);
	/* ensure that an existing authorizer is up to date */
	int (*update_authorizer)(struct ceph_auth_client *ac, int peer_type,
				 struct ceph_auth_handshake *auth);
	/*
	 * Incorporate a challenge (presumably supplied by the peer) into an
	 * existing authorizer.  NOTE(review): challenge_buf_len is a signed
	 * int while the other buffer lengths in this header are size_t;
	 * implementations should reject a negative or oversized length
	 * before touching challenge_buf.
	 */
	int (*add_authorizer_challenge)(struct ceph_auth_client *ac,
					struct ceph_authorizer *a,
					void *challenge_buf,
					int challenge_buf_len);
	/* verify the peer's reply to @a (see create_authorizer above) */
	int (*verify_authorizer_reply)(struct ceph_auth_client *ac,
				       struct ceph_authorizer *a);
	/* drop cached authorizer state for @peer_type */
	void (*invalidate_authorizer)(struct ceph_auth_client *ac,
				      int peer_type);

	/* reset when we (re)connect to a monitor */
	void (*reset)(struct ceph_auth_client *ac);

	/* release protocol-private state (ceph_auth_client.private) */
	void (*destroy)(struct ceph_auth_client *ac);

	/*
	 * Per-message integrity hooks; the same signatures as the fields of
	 * struct ceph_auth_handshake, which is where callers look them up.
	 */
	int (*sign_message)(struct ceph_auth_handshake *auth,
			    struct ceph_msg *msg);
	int (*check_message_signature)(struct ceph_auth_handshake *auth,
				       struct ceph_msg *msg);
};
86*4882a593Smuzhiyun
/*
 * Authentication client state for one connection to the monitors.
 * Created by ceph_auth_init() and released by ceph_auth_destroy().
 */
struct ceph_auth_client {
	u32 protocol;           /* CEPH_AUTH_* */
	void *private;          /* for use by protocol implementation */
	const struct ceph_auth_client_ops *ops;  /* null iff protocol==0 */

	bool negotiating;       /* true if negotiating protocol */
	const char *name;       /* entity name */
	u64 global_id;          /* our unique id in system */
	/*
	 * our secret key; presumably the one handed to ceph_auth_init(),
	 * not owned by this struct (const pointer).
	 */
	const struct ceph_crypto_key *key;
	unsigned want_keys;     /* which services we want */

	/* serializes access to this client's state -- TODO confirm exact scope */
	struct mutex mutex;
};
100*4882a593Smuzhiyun
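/*
 * Public entry points.  The declarations below were a mix of `extern` and
 * plain prototypes; they are normalized to plain prototypes, matching the
 * ones this header already had without `extern` and the kernel's
 * checkpatch AVOID_EXTERNS rule.  Function semantics are unchanged.
 */

/* Lifecycle: create a client for entity @name authenticating with @key. */
struct ceph_auth_client *ceph_auth_init(const char *name,
					const struct ceph_crypto_key *key);
void ceph_auth_destroy(struct ceph_auth_client *ac);

/* Reset protocol state, e.g. when (re)connecting to a monitor. */
void ceph_auth_reset(struct ceph_auth_client *ac);

/*
 * Monitor handshake.  @buf/@len and @reply_buf/@reply_len bound the
 * message buffers; the wrappers presumably dispatch to the protocol's
 * build_request / handle_reply hooks.
 */
int ceph_auth_build_hello(struct ceph_auth_client *ac,
			  void *buf, size_t len);
int ceph_handle_auth_reply(struct ceph_auth_client *ac,
			   void *buf, size_t len,
			   void *reply_buf, size_t reply_len);
/* Encode entity @name at *@p, not writing past @end; advances *@p. */
int ceph_auth_entity_name_encode(const char *name, void **p, void *end);

int ceph_build_auth(struct ceph_auth_client *ac,
		    void *msg_buf, size_t msg_len);

int ceph_auth_is_authenticated(struct ceph_auth_client *ac);

/*
 * Service authorizers.  These mirror the create/update/challenge/verify/
 * invalidate hooks in struct ceph_auth_client_ops; @peer_type selects the
 * service being connected to.
 */
int ceph_auth_create_authorizer(struct ceph_auth_client *ac,
				int peer_type,
				struct ceph_auth_handshake *auth);
void ceph_auth_destroy_authorizer(struct ceph_authorizer *a);
int ceph_auth_update_authorizer(struct ceph_auth_client *ac,
				int peer_type,
				struct ceph_auth_handshake *a);
/*
 * NOTE(review): @challenge_buf_len is a signed int; callers and
 * implementations must treat a negative value as invalid.
 */
int ceph_auth_add_authorizer_challenge(struct ceph_auth_client *ac,
				       struct ceph_authorizer *a,
				       void *challenge_buf,
				       int challenge_buf_len);
int ceph_auth_verify_authorizer_reply(struct ceph_auth_client *ac,
				      struct ceph_authorizer *a);
void ceph_auth_invalidate_authorizer(struct ceph_auth_client *ac,
				     int peer_type);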
133*4882a593Smuzhiyun
/*
 * Sign @msg using the connection's authorizer, if the negotiated protocol
 * installed a sign_message hook on @auth.  Without a hook this reports
 * success (0) without touching the message, so a 0 return does not by
 * itself mean the message carries a signature.
 */
static inline int ceph_auth_sign_message(struct ceph_auth_handshake *auth,
					 struct ceph_msg *msg)
{
	return auth->sign_message ? auth->sign_message(auth, msg) : 0;
}
141*4882a593Smuzhiyun
/*
 * Verify the signature on @msg using the connection's authorizer, if the
 * negotiated protocol installed a check_message_signature hook on @auth.
 * Without a hook this returns 0, i.e. the message is accepted unverified;
 * message integrity is therefore only enforced when the protocol in use
 * installs the hook.
 */
static inline
int ceph_auth_check_message_signature(struct ceph_auth_handshake *auth,
				      struct ceph_msg *msg)
{
	return auth->check_message_signature ?
	       auth->check_message_signature(auth, msg) : 0;
}
150*4882a593Smuzhiyun #endif