Commit 6daca13d authored by Ilya Dryomov's avatar Ilya Dryomov
Browse files

libceph: add authorizer challenge 

When a client authenticates with a service, an authorizer is sent with
a nonce to the service (ceph_x_authorize_[ab]) and the service responds
with a mutation of that nonce (ceph_x_authorize_reply).  This lets the
client verify the service is who it says it is but it doesn't protect
against a replay: someone can trivially capture the exchange and reuse
the same authorizer to authenticate themselves.

Allow the service to reject an initial authorizer with a random
challenge (ceph_x_authorize_challenge).  The client then has to respond
with an updated authorizer proving they are able to decrypt the
service's challenge and that the new authorizer was produced for this
specific connection instance.

The accepting side requires this challenge and response unconditionally
if the client side advertises they have CEPHX_V2 feature bit.

This addresses CVE-2018-1128.

Link: http://tracker.ceph.com/issues/24836


Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
Reviewed-by: default avatarSage Weil <sage@redhat.com>
parent 149cac4a

fs/ceph/mds_client.c

+11 −0
Original line number Diff line number Diff line
@@ -4154,6 +4154,16 @@ static struct ceph_auth_handshake *get_authorizer(struct ceph_connection *con, 
	return auth;

}



static int add_authorizer_challenge(struct ceph_connection *con,

				    void *challenge_buf, int challenge_buf_len)

{

	struct ceph_mds_session *s = con->private;

	struct ceph_mds_client *mdsc = s->s_mdsc;

	struct ceph_auth_client *ac = mdsc->fsc->client->monc.auth;



	return ceph_auth_add_authorizer_challenge(ac, s->s_auth.authorizer,

					    challenge_buf, challenge_buf_len);

}



static int verify_authorizer_reply(struct ceph_connection *con)

{
@@ -4217,6 +4227,7 @@ static const struct ceph_connection_operations mds_con_ops = { 
	.put = con_put,

	.dispatch = dispatch,

	.get_authorizer = get_authorizer,

	.add_authorizer_challenge = add_authorizer_challenge,

	.verify_authorizer_reply = verify_authorizer_reply,

	.invalidate_authorizer = invalidate_authorizer,

	.peer_reset = peer_reset,

include/linux/ceph/auth.h

+8 −0
Original line number Diff line number Diff line
@@ -64,6 +64,10 @@ struct ceph_auth_client_ops { 
	/* ensure that an existing authorizer is up to date */

	int (*update_authorizer)(struct ceph_auth_client *ac, int peer_type,

				 struct ceph_auth_handshake *auth);

	int (*add_authorizer_challenge)(struct ceph_auth_client *ac,

					struct ceph_authorizer *a,

					void *challenge_buf,

					int challenge_buf_len);

	int (*verify_authorizer_reply)(struct ceph_auth_client *ac,

				       struct ceph_authorizer *a);

	void (*invalidate_authorizer)(struct ceph_auth_client *ac,
@@ -118,6 +122,10 @@ void ceph_auth_destroy_authorizer(struct ceph_authorizer *a); 
extern int ceph_auth_update_authorizer(struct ceph_auth_client *ac,

				       int peer_type,

				       struct ceph_auth_handshake *a);

int ceph_auth_add_authorizer_challenge(struct ceph_auth_client *ac,

				       struct ceph_authorizer *a,

				       void *challenge_buf,

				       int challenge_buf_len);

extern int ceph_auth_verify_authorizer_reply(struct ceph_auth_client *ac,

					     struct ceph_authorizer *a);

extern void ceph_auth_invalidate_authorizer(struct ceph_auth_client *ac,

include/linux/ceph/messenger.h

+3 −0
Original line number Diff line number Diff line
@@ -31,6 +31,9 @@ struct ceph_connection_operations { 
	struct ceph_auth_handshake *(*get_authorizer) (

				struct ceph_connection *con,

			       int *proto, int force_new);

	int (*add_authorizer_challenge)(struct ceph_connection *con,

					void *challenge_buf,

					int challenge_buf_len);

	int (*verify_authorizer_reply) (struct ceph_connection *con);

	int (*invalidate_authorizer)(struct ceph_connection *con);

include/linux/ceph/msgr.h

+1 −1
Original line number Diff line number Diff line
@@ -91,7 +91,7 @@ struct ceph_entity_inst { 
#define CEPH_MSGR_TAG_SEQ           13 /* 64-bit int follows with seen seq number */

#define CEPH_MSGR_TAG_KEEPALIVE2    14 /* keepalive2 byte + ceph_timespec */

#define CEPH_MSGR_TAG_KEEPALIVE2_ACK 15 /* keepalive2 reply */



#define CEPH_MSGR_TAG_CHALLENGE_AUTHORIZER 16  /* cephx v2 doing server challenge */



/*

 * connection negotiation

net/ceph/auth.c

+16 −0
Original line number Diff line number Diff line
@@ -315,6 +315,22 @@ int ceph_auth_update_authorizer(struct ceph_auth_client *ac, 
}

EXPORT_SYMBOL(ceph_auth_update_authorizer);



int ceph_auth_add_authorizer_challenge(struct ceph_auth_client *ac,

				       struct ceph_authorizer *a,

				       void *challenge_buf,

				       int challenge_buf_len)

{

	int ret = 0;



	mutex_lock(&ac->mutex);

	if (ac->ops && ac->ops->add_authorizer_challenge)

		ret = ac->ops->add_authorizer_challenge(ac, a, challenge_buf,

							challenge_buf_len);

	mutex_unlock(&ac->mutex);

	return ret;

}

EXPORT_SYMBOL(ceph_auth_add_authorizer_challenge);



int ceph_auth_verify_authorizer_reply(struct ceph_auth_client *ac,

				      struct ceph_authorizer *a)

{

CRA Git | Maintained and supported by SUSTech CRA and CCSE