/* SPDX-License-Identifier: GPL-2.0 */
#ifndef __FS_CEPH_AUTH_X_PROTOCOL
#define __FS_CEPH_AUTH_X_PROTOCOL

/*
 * cephx request opcodes.  Each value is a distinct single bit, so they
 * can presumably be combined into a mask (e.g. the __le32 "keys" field
 * of ceph_x_service_ticket_request below) -- confirm against the users.
 */
#define CEPHX_GET_AUTH_SESSION_KEY      0x0100
#define CEPHX_GET_PRINCIPAL_SESSION_KEY 0x0200
#define CEPHX_GET_ROTATING_KEY          0x0400

/* Client <-> AuthMonitor */
/*
 * The AUTH session's connection secret: encrypted with the AUTH
 * ticket session key
 */
#define CEPHX_KEY_USAGE_AUTH_CONNECTION_SECRET	0x03
/*
 * The ticket's blob for the client ("blob for me", contains the
 * session key): encrypted with the client's secret key in case of
 * the AUTH ticket and the AUTH ticket session key in case of other
 * service tickets
 */
#define CEPHX_KEY_USAGE_TICKET_SESSION_KEY	0x04
/*
 * The ticket's blob for the service (ceph_x_ticket_blob): possibly
 * encrypted with the old AUTH ticket session key in case of the AUTH
 * ticket and not encrypted in case of other service tickets
 */
#define CEPHX_KEY_USAGE_TICKET_BLOB		0x05

/* Client <-> Service */
/*
 * The client's authorization request (ceph_x_authorize_b):
 * encrypted with the service ticket session key
 */
#define CEPHX_KEY_USAGE_AUTHORIZE		0x10
/*
 * The service's challenge (ceph_x_authorize_challenge):
 * encrypted with the service ticket session key
 */
#define CEPHX_KEY_USAGE_AUTHORIZE_CHALLENGE	0x11
/*
 * The service's final reply (ceph_x_authorize_reply + the service
 * session's connection secret): encrypted with the service ticket
 * session key
 */
#define CEPHX_KEY_USAGE_AUTHORIZE_REPLY		0x12

/* common bits */
/*
 * Ticket blob as carried on the wire (see CEPHX_KEY_USAGE_TICKET_BLOB
 * above for how it may be encrypted).  The struct is variable-length:
 * blob_len bytes of ticket data follow the fixed header in blob[].
 *
 * blob_len is supplied by the peer.  NOTE(review): a decoder must check
 * it against the bytes actually remaining in the received message
 * before reading blob[]; confirm the parser does this.
 */
struct ceph_x_ticket_blob {
	__u8 struct_v;		/* struct encoding version */
	__le64 secret_id;
	__le32 blob_len;	/* number of bytes in blob[] */
	char blob[];		/* blob_len bytes of ticket data */
} __attribute__ ((packed));


/* common request/reply headers */
/*
 * Header preceding every cephx request; op presumably carries one of
 * the CEPHX_GET_* opcodes above (little-endian on the wire).
 */
struct ceph_x_request_header {
	__le16 op;
} __attribute__ ((packed));

/*
 * Header preceding every cephx reply: the op being answered plus a
 * 32-bit result code.  The meaning of result (error-number convention,
 * sign) is not defined in this header -- see the reply decoder.
 */
struct ceph_x_reply_header {
	__le16 op;
	__le32 result;
} __attribute__ ((packed));


/* authenticate handshake */

/* initial hello (no reply header) */
/*
 * First message of the authenticate handshake, sent by the server and
 * not preceded by a ceph_x_reply_header.  server_challenge is a 64-bit
 * value the client echoes back inside ceph_x_challenge_blob.
 */
struct ceph_x_server_challenge {
	__u8 struct_v;			/* struct encoding version */
	__le64 server_challenge;
} __attribute__ ((packed));

/*
 * Client's authenticate request.  Only the fixed prefix is described
 * here; the old_ticket blob and (nautilus+) other_keys follow on the
 * wire and are encoded/decoded separately, so sizeof this struct is
 * not the size of the whole message.
 */
struct ceph_x_authenticate {
	__u8 struct_v;			/* struct encoding version */
	__le64 client_challenge;	/* client's 64-bit challenge */
	__le64 key;
	/* old_ticket blob */
	/* nautilus+: other_keys */
} __attribute__ ((packed));

/*
 * Request for service tickets.  keys is presumably a bitmask of the
 * CEPHX_GET_* values above naming which tickets are wanted -- confirm
 * against the encoder.
 */
struct ceph_x_service_ticket_request {
	__u8 struct_v;		/* struct encoding version */
	__le32 keys;
} __attribute__ ((packed));

/*
 * Both sides' challenges packed together (server's from
 * ceph_x_server_challenge, client's from ceph_x_authenticate).  Has no
 * struct_v field, unlike the other messages in this header.
 */
struct ceph_x_challenge_blob {
	__le64 server_challenge;
	__le64 client_challenge;
} __attribute__ ((packed));



/* authorize handshake */

/*
 * The authorizer consists of two pieces:
 *  a - service id, ticket blob
 *  b - encrypted with session key
 */
/*
 * Authorizer part "a" (sent in the clear per the comment above).  It
 * ends in a ceph_x_ticket_blob, whose trailing blob[] is
 * variable-length, so this struct is variable-length as well and
 * sizeof it only covers the fixed prefix.
 */
struct ceph_x_authorize_a {
	__u8 struct_v;				/* struct encoding version */
	__le64 global_id;
	__le32 service_id;
	struct ceph_x_ticket_blob ticket_blob;	/* see blob_len note on that struct */
} __attribute__ ((packed));

/*
 * Authorizer part "b", encrypted with the service ticket session key
 * (CEPHX_KEY_USAGE_AUTHORIZE).  have_challenge flags whether
 * server_challenge_plus_one is meaningful; that field is presumably the
 * value from ceph_x_authorize_challenge incremented by one -- confirm
 * against the encoder.
 */
struct ceph_x_authorize_b {
	__u8 struct_v;				/* struct encoding version */
	__le64 nonce;
	__u8 have_challenge;			/* non-zero: challenge below is valid */
	__le64 server_challenge_plus_one;
} __attribute__ ((packed));

/*
 * Service's challenge to the client during the authorize handshake,
 * encrypted with the service ticket session key
 * (CEPHX_KEY_USAGE_AUTHORIZE_CHALLENGE).
 */
struct ceph_x_authorize_challenge {
	__u8 struct_v;			/* struct encoding version */
	__le64 server_challenge;
} __attribute__ ((packed));

/*
 * Service's final authorize reply (CEPHX_KEY_USAGE_AUTHORIZE_REPLY).
 * nonce_plus_one is presumably the nonce from ceph_x_authorize_b
 * incremented by one, letting the client verify the service could
 * decrypt part "b" -- confirm against the decoder.
 */
struct ceph_x_authorize_reply {
	__u8 struct_v;			/* struct encoding version */
	__le64 nonce_plus_one;
} __attribute__ ((packed));


/*
 * encryption bundle
 */
/* 64-bit sentinel stored in ceph_x_encrypt_header.magic */
#define CEPHX_ENC_MAGIC 0xff009cad8826aa55ull

/*
 * Header at the start of an encrypted bundle.  magic is expected to
 * hold CEPHX_ENC_MAGIC (little-endian); checking it after decryption
 * presumably distinguishes a correctly decrypted bundle from one
 * decrypted with the wrong key -- confirm against the decrypt path.
 */
struct ceph_x_encrypt_header {
	__u8 struct_v;		/* struct encoding version */
	__le64 magic;		/* CEPHX_ENC_MAGIC */
} __attribute__ ((packed));

#endif