net/ceph/auth_x.c

   1
   2 #include <linux/ceph/ceph_debug.h>
   3
   4 #include <linux/err.h>
   5 #include <linux/module.h>
   6 #include <linux/random.h>
   7 #include <linux/slab.h>
   8
   9 #include <linux/ceph/decode.h>
  10 #include <linux/ceph/auth.h>
  11
  12 #include "crypto.h"
  13 #include "auth_x.h"
  14 #include "auth_x_protocol.h"
  15
  16 #define TEMP_TICKET_BUF_LEN     256
  17
  18 static void ceph_x_validate_tickets(struct ceph_auth_client *ac, int *pneed);
  19
  20 static int ceph_x_is_authenticated(struct ceph_auth_client *ac)
  21 {
  22         struct ceph_x_info *xi = ac->private;
  23         int need;
  24
  25         ceph_x_validate_tickets(ac, &need);
  26         dout("ceph_x_is_authenticated want=%d need=%d have=%d\n",
  27              ac->want_keys, need, xi->have_keys);
  28         return (ac->want_keys & xi->have_keys) == ac->want_keys;
  29 }
  30
  31 static int ceph_x_should_authenticate(struct ceph_auth_client *ac)
  32 {
  33         struct ceph_x_info *xi = ac->private;
  34         int need;
  35
  36         ceph_x_validate_tickets(ac, &need);
  37         dout("ceph_x_should_authenticate want=%d need=%d have=%d\n",
  38              ac->want_keys, need, xi->have_keys);
  39         return need != 0;
  40 }
  41
  42 static int ceph_x_encrypt_buflen(int ilen)
  43 {
  44         return sizeof(struct ceph_x_encrypt_header) + ilen + 16 +
  45                 sizeof(u32);
  46 }
  47
  48 static int ceph_x_encrypt(struct ceph_crypto_key *secret,
  49                           void *ibuf, int ilen, void *obuf, size_t olen)
  50 {
  51         struct ceph_x_encrypt_header head = {
  52                 .struct_v = 1,
  53                 .magic = cpu_to_le64(CEPHX_ENC_MAGIC)
  54         };
  55         size_t len = olen - sizeof(u32);
  56         int ret;
  57
  58         ret = ceph_encrypt2(secret, obuf + sizeof(u32), &len,
  59                             &head, sizeof(head), ibuf, ilen);
  60         if (ret)
  61                 return ret;
  62         ceph_encode_32(&obuf, len);
  63         return len + sizeof(u32);
  64 }
  65
  66 static int ceph_x_decrypt(struct ceph_crypto_key *secret,
  67                           void **p, void *end, void *obuf, size_t olen)
  68 {
  69         struct ceph_x_encrypt_header head;
  70         size_t head_len = sizeof(head);
  71         int len, ret;
  72
  73         len = ceph_decode_32(p);
  74         if (*p + len > end)
  75                 return -EINVAL;
  76
  77         dout("ceph_x_decrypt len %d\n", len);
  78         ret = ceph_decrypt2(secret, &head, &head_len, obuf, &olen,
  79                             *p, len);
  80         if (ret)
  81                 return ret;
  82         if (head.struct_v != 1 || le64_to_cpu(head.magic) != CEPHX_ENC_MAGIC)
  83                 return -EPERM;
  84         *p += len;
  85         return olen;
  86 }
  87
  88 /*
  89  * get existing (or insert new) ticket handler
  90  */
  91 static struct ceph_x_ticket_handler *
  92 get_ticket_handler(struct ceph_auth_client *ac, int service)
  93 {
  94         struct ceph_x_ticket_handler *th;
  95         struct ceph_x_info *xi = ac->private;
  96         struct rb_node *parent = NULL, **p = &xi->ticket_handlers.rb_node;
  97
  98         while (*p) {
  99                 parent = *p;
 100                 th = rb_entry(parent, struct ceph_x_ticket_handler, node);
 101                 if (service < th->service)
 102                         p = &(*p)->rb_left;
 103                 else if (service > th->service)
 104                         p = &(*p)->rb_right;
 105                 else
 106                         return th;
 107         }
 108
 109         /* add it */
 110         th = kzalloc(sizeof(*th), GFP_NOFS);
 111         if (!th)
 112                 return ERR_PTR(-ENOMEM);
 113         th->service = service;
 114         rb_link_node(&th->node, parent, p);
 115         rb_insert_color(&th->node, &xi->ticket_handlers);
 116         return th;
 117 }
 118
 119 static void remove_ticket_handler(struct ceph_auth_client *ac,
 120                                   struct ceph_x_ticket_handler *th)
 121 {
 122         struct ceph_x_info *xi = ac->private;
 123
 124         dout("remove_ticket_handler %p %d\n", th, th->service);
 125         rb_erase(&th->node, &xi->ticket_handlers);
 126         ceph_crypto_key_destroy(&th->session_key);
 127         if (th->ticket_blob)
 128                 ceph_buffer_put(th->ticket_blob);
 129         kfree(th);
 130 }
 131
 132 static int process_one_ticket(struct ceph_auth_client *ac,
 133                               struct ceph_crypto_key *secret,
 134                               void **p, void *end,
 135                               void *dbuf, void *ticket_buf)
 136 {
 137         struct ceph_x_info *xi = ac->private;
 138         int type;
 139         u8 tkt_struct_v, blob_struct_v;
 140         struct ceph_x_ticket_handler *th;
 141         void *dp, *dend;
 142         int dlen;
 143         char is_enc;
 144         struct timespec validity;
 145         struct ceph_crypto_key old_key;
 146         void *tp, *tpend;
 147         struct ceph_timespec new_validity;
 148         struct ceph_crypto_key new_session_key;
 149         struct ceph_buffer *new_ticket_blob;
 150         unsigned long new_expires, new_renew_after;
 151         u64 new_secret_id;
 152         int ret;
 153
 154         ceph_decode_need(p, end, sizeof(u32) + 1, bad);
 155
 156         type = ceph_decode_32(p);
 157         dout(" ticket type %d %s\n", type, ceph_entity_type_name(type));
 158
 159         tkt_struct_v = ceph_decode_8(p);
 160         if (tkt_struct_v != 1)
 161                 goto bad;
 162
 163         th = get_ticket_handler(ac, type);
 164         if (IS_ERR(th)) {
 165                 ret = PTR_ERR(th);
 166                 goto out;
 167         }
 168
 169         /* blob for me */
 170         dlen = ceph_x_decrypt(secret, p, end, dbuf,
 171                               TEMP_TICKET_BUF_LEN);
 172         if (dlen <= 0) {
 173                 ret = dlen;
 174                 goto out;
 175         }
 176         dout(" decrypted %d bytes\n", dlen);
 177         dp = dbuf;
 178         dend = dp + dlen;
 179
 180         tkt_struct_v = ceph_decode_8(&dp);
 181         if (tkt_struct_v != 1)
 182                 goto bad;
 183
 184         memcpy(&old_key, &th->session_key, sizeof(old_key));
 185         ret = ceph_crypto_key_decode(&new_session_key, &dp, dend);
 186         if (ret)
 187                 goto out;
 188
 189         ceph_decode_copy(&dp, &new_validity, sizeof(new_validity));
 190         ceph_decode_timespec(&validity, &new_validity);
 191         new_expires = get_seconds() + validity.tv_sec;
 192         new_renew_after = new_expires - (validity.tv_sec / 4);
 193         dout(" expires=%lu renew_after=%lu\n", new_expires,
 194              new_renew_after);
 195
 196         /* ticket blob for service */
 197         ceph_decode_8_safe(p, end, is_enc, bad);
 198         tp = ticket_buf;
 199         if (is_enc) {
 200                 /* encrypted */
 201                 dout(" encrypted ticket\n");
 202                 dlen = ceph_x_decrypt(&old_key, p, end, ticket_buf,
 203                                       TEMP_TICKET_BUF_LEN);
 204                 if (dlen < 0) {
 205                         ret = dlen;
 206                         goto out;
 207                 }
 208                 dlen = ceph_decode_32(&tp);
 209         } else {
 210                 /* unencrypted */
 211                 ceph_decode_32_safe(p, end, dlen, bad);
 212                 ceph_decode_need(p, end, dlen, bad);
 213                 ceph_decode_copy(p, ticket_buf, dlen);
 214         }
 215         tpend = tp + dlen;
 216         dout(" ticket blob is %d bytes\n", dlen);
 217         ceph_decode_need(&tp, tpend, 1 + sizeof(u64), bad);
 218         blob_struct_v = ceph_decode_8(&tp);
 219         new_secret_id = ceph_decode_64(&tp);
 220         ret = ceph_decode_buffer(&new_ticket_blob, &tp, tpend);
 221         if (ret)
 222                 goto out;
 223
 224         /* all is well, update our ticket */
 225         ceph_crypto_key_destroy(&th->session_key);
 226         if (th->ticket_blob)
 227                 ceph_buffer_put(th->ticket_blob);
 228         th->session_key = new_session_key;
 229         th->ticket_blob = new_ticket_blob;
 230         th->validity = new_validity;
 231         th->secret_id = new_secret_id;
 232         th->expires = new_expires;
 233         th->renew_after = new_renew_after;
 234         dout(" got ticket service %d (%s) secret_id %lld len %d\n",
 235              type, ceph_entity_type_name(type), th->secret_id,
 236              (int)th->ticket_blob->vec.iov_len);
 237         xi->have_keys |= th->service;
 238
 239 out:
 240         return ret;
 241
 242 bad:
 243         ret = -EINVAL;
 244         goto out;
 245 }
 246
 247 static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac,
 248                                     struct ceph_crypto_key *secret,
 249                                     void *buf, void *end)
 250 {
 251         void *p = buf;
 252         char *dbuf;
 253         char *ticket_buf;
 254         u8 reply_struct_v;
 255         u32 num;
 256         int ret;
 257
 258         dbuf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS);
 259         if (!dbuf)
 260                 return -ENOMEM;
 261
 262         ret = -ENOMEM;
 263         ticket_buf = kmalloc(TEMP_TICKET_BUF_LEN, GFP_NOFS);
 264         if (!ticket_buf)
 265                 goto out_dbuf;
 266
 267         ceph_decode_8_safe(&p, end, reply_struct_v, bad);
 268         if (reply_struct_v != 1)
 269                 return -EINVAL;
 270
 271         ceph_decode_32_safe(&p, end, num, bad);
 272         dout("%d tickets\n", num);
 273
 274         while (num--) {
 275                 ret = process_one_ticket(ac, secret, &p, end,
 276                                          dbuf, ticket_buf);
 277                 if (ret)
 278                         goto out;
 279         }
 280
 281         ret = 0;
 282 out:
 283         kfree(ticket_buf);
 284 out_dbuf:
 285         kfree(dbuf);
 286         return ret;
 287
 288 bad:
 289         ret = -EINVAL;
 290         goto out;
 291 }
 292
 293 static int ceph_x_build_authorizer(struct ceph_auth_client *ac,
 294                                    struct ceph_x_ticket_handler *th,
 295                                    struct ceph_x_authorizer *au)
 296 {
 297         int maxlen;
 298         struct ceph_x_authorize_a *msg_a;
 299         struct ceph_x_authorize_b msg_b;
 300         void *p, *end;
 301         int ret;
 302         int ticket_blob_len =
 303                 (th->ticket_blob ? th->ticket_blob->vec.iov_len : 0);
 304
 305         dout("build_authorizer for %s %p\n",
 306              ceph_entity_type_name(th->service), au);
 307
 308         maxlen = sizeof(*msg_a) + sizeof(msg_b) +
 309                 ceph_x_encrypt_buflen(ticket_blob_len);
 310         dout("  need len %d\n", maxlen);
 311         if (au->buf && au->buf->alloc_len < maxlen) {
 312                 ceph_buffer_put(au->buf);
 313                 au->buf = NULL;
 314         }
 315         if (!au->buf) {
 316                 au->buf = ceph_buffer_new(maxlen, GFP_NOFS);
 317                 if (!au->buf)
 318                         return -ENOMEM;
 319         }
 320         au->service = th->service;
 321         au->secret_id = th->secret_id;
 322
 323         msg_a = au->buf->vec.iov_base;
 324         msg_a->struct_v = 1;
 325         msg_a->global_id = cpu_to_le64(ac->global_id);
 326         msg_a->service_id = cpu_to_le32(th->service);
 327         msg_a->ticket_blob.struct_v = 1;
 328         msg_a->ticket_blob.secret_id = cpu_to_le64(th->secret_id);
 329         msg_a->ticket_blob.blob_len = cpu_to_le32(ticket_blob_len);
 330         if (ticket_blob_len) {
 331                 memcpy(msg_a->ticket_blob.blob, th->ticket_blob->vec.iov_base,
 332                        th->ticket_blob->vec.iov_len);
 333         }
 334         dout(" th %p secret_id %lld %lld\n", th, th->secret_id,
 335              le64_to_cpu(msg_a->ticket_blob.secret_id));
 336
 337         p = msg_a + 1;
 338         p += ticket_blob_len;
 339         end = au->buf->vec.iov_base + au->buf->vec.iov_len;
 340
 341         get_random_bytes(&au->nonce, sizeof(au->nonce));
 342         msg_b.struct_v = 1;
 343         msg_b.nonce = cpu_to_le64(au->nonce);
 344         ret = ceph_x_encrypt(&th->session_key, &msg_b, sizeof(msg_b),
 345                              p, end - p);
 346         if (ret < 0)
 347                 goto out_buf;
 348         p += ret;
 349         au->buf->vec.iov_len = p - au->buf->vec.iov_base;
 350         dout(" built authorizer nonce %llx len %d\n", au->nonce,
 351              (int)au->buf->vec.iov_len);
 352         BUG_ON(au->buf->vec.iov_len > maxlen);
 353         return 0;
 354
 355 out_buf:
 356         ceph_buffer_put(au->buf);
 357         au->buf = NULL;
 358         return ret;
 359 }
 360
 361 static int ceph_x_encode_ticket(struct ceph_x_ticket_handler *th,
 362                                 void **p, void *end)
 363 {
 364         ceph_decode_need(p, end, 1 + sizeof(u64), bad);
 365         ceph_encode_8(p, 1);
 366         ceph_encode_64(p, th->secret_id);
 367         if (th->ticket_blob) {
 368                 const char *buf = th->ticket_blob->vec.iov_base;
 369                 u32 len = th->ticket_blob->vec.iov_len;
 370
 371                 ceph_encode_32_safe(p, end, len, bad);
 372                 ceph_encode_copy_safe(p, end, buf, len, bad);
 373         } else {
 374                 ceph_encode_32_safe(p, end, 0, bad);
 375         }
 376
 377         return 0;
 378 bad:
 379         return -ERANGE;
 380 }
 381
 382 static void ceph_x_validate_tickets(struct ceph_auth_client *ac, int *pneed)
 383 {
 384         int want = ac->want_keys;
 385         struct ceph_x_info *xi = ac->private;
 386         int service;
 387
 388         *pneed = ac->want_keys & ~(xi->have_keys);
 389
 390         for (service = 1; service <= want; service <<= 1) {
 391                 struct ceph_x_ticket_handler *th;
 392
 393                 if (!(ac->want_keys & service))
 394                         continue;
 395
 396                 if (*pneed & service)
 397                         continue;
 398
 399                 th = get_ticket_handler(ac, service);
 400
 401                 if (IS_ERR(th)) {
 402                         *pneed |= service;
 403                         continue;
 404                 }
 405
 406                 if (get_seconds() >= th->renew_after)
 407                         *pneed |= service;
 408                 if (get_seconds() >= th->expires)
 409                         xi->have_keys &= ~service;
 410         }
 411 }
 412
 413
 414 static int ceph_x_build_request(struct ceph_auth_client *ac,
 415                                 void *buf, void *end)
 416 {
 417         struct ceph_x_info *xi = ac->private;
 418         int need;
 419         struct ceph_x_request_header *head = buf;
 420         int ret;
 421         struct ceph_x_ticket_handler *th =
 422                 get_ticket_handler(ac, CEPH_ENTITY_TYPE_AUTH);
 423
 424         if (IS_ERR(th))
 425                 return PTR_ERR(th);
 426
 427         ceph_x_validate_tickets(ac, &need);
 428
 429         dout("build_request want %x have %x need %x\n",
 430              ac->want_keys, xi->have_keys, need);
 431
 432         if (need & CEPH_ENTITY_TYPE_AUTH) {
 433                 struct ceph_x_authenticate *auth = (void *)(head + 1);
 434                 void *p = auth + 1;
 435                 struct ceph_x_challenge_blob tmp;
 436                 char tmp_enc[40];
 437                 u64 *u;
 438
 439                 if (p > end)
 440                         return -ERANGE;
 441
 442                 dout(" get_auth_session_key\n");
 443                 head->op = cpu_to_le16(CEPHX_GET_AUTH_SESSION_KEY);
 444
 445                 /* encrypt and hash */
 446                 get_random_bytes(&auth->client_challenge, sizeof(u64));
 447                 tmp.client_challenge = auth->client_challenge;
 448                 tmp.server_challenge = cpu_to_le64(xi->server_challenge);
 449                 ret = ceph_x_encrypt(&xi->secret, &tmp, sizeof(tmp),
 450                                      tmp_enc, sizeof(tmp_enc));
 451                 if (ret < 0)
 452                         return ret;
 453
 454                 auth->struct_v = 1;
 455                 auth->key = 0;
 456                 for (u = (u64 *)tmp_enc; u + 1 <= (u64 *)(tmp_enc + ret); u++)
 457                         auth->key ^= *(__le64 *)u;
 458                 dout(" server_challenge %llx client_challenge %llx key %llx\n",
 459                      xi->server_challenge, le64_to_cpu(auth->client_challenge),
 460                      le64_to_cpu(auth->key));
 461
 462                 /* now encode the old ticket if exists */
 463                 ret = ceph_x_encode_ticket(th, &p, end);
 464                 if (ret < 0)
 465                         return ret;
 466
 467                 return p - buf;
 468         }
 469
 470         if (need) {
 471                 void *p = head + 1;
 472                 struct ceph_x_service_ticket_request *req;
 473
 474                 if (p > end)
 475                         return -ERANGE;
 476                 head->op = cpu_to_le16(CEPHX_GET_PRINCIPAL_SESSION_KEY);
 477
 478                 ret = ceph_x_build_authorizer(ac, th, &xi->auth_authorizer);
 479                 if (ret)
 480                         return ret;
 481                 ceph_encode_copy(&p, xi->auth_authorizer.buf->vec.iov_base,
 482                                  xi->auth_authorizer.buf->vec.iov_len);
 483
 484                 req = p;
 485                 req->keys = cpu_to_le32(need);
 486                 p += sizeof(*req);
 487                 return p - buf;
 488         }
 489
 490         return 0;
 491 }
 492
 493 static int ceph_x_handle_reply(struct ceph_auth_client *ac, int result,
 494                                void *buf, void *end)
 495 {
 496         struct ceph_x_info *xi = ac->private;
 497         struct ceph_x_reply_header *head = buf;
 498         struct ceph_x_ticket_handler *th;
 499         int len = end - buf;
 500         int op;
 501         int ret;
 502
 503         if (result)
 504                 return result;  /* XXX hmm? */
 505
 506         if (xi->starting) {
 507                 /* it's a hello */
 508                 struct ceph_x_server_challenge *sc = buf;
 509
 510                 if (len != sizeof(*sc))
 511                         return -EINVAL;
 512                 xi->server_challenge = le64_to_cpu(sc->server_challenge);
 513                 dout("handle_reply got server challenge %llx\n",
 514                      xi->server_challenge);
 515                 xi->starting = false;
 516                 xi->have_keys &= ~CEPH_ENTITY_TYPE_AUTH;
 517                 return -EAGAIN;
 518         }
 519
 520         op = le16_to_cpu(head->op);
 521         result = le32_to_cpu(head->result);
 522         dout("handle_reply op %d result %d\n", op, result);
 523         switch (op) {
 524         case CEPHX_GET_AUTH_SESSION_KEY:
 525                 /* verify auth key */
 526                 ret = ceph_x_proc_ticket_reply(ac, &xi->secret,
 527                                                buf + sizeof(*head), end);
 528                 break;
 529
 530         case CEPHX_GET_PRINCIPAL_SESSION_KEY:
 531                 th = get_ticket_handler(ac, CEPH_ENTITY_TYPE_AUTH);
 532                 if (IS_ERR(th))
 533                         return PTR_ERR(th);
 534                 ret = ceph_x_proc_ticket_reply(ac, &th->session_key,
 535                                                buf + sizeof(*head), end);
 536                 break;
 537
 538         default:
 539                 return -EINVAL;
 540         }
 541         if (ret)
 542                 return ret;
 543         if (ac->want_keys == xi->have_keys)
 544                 return 0;
 545         return -EAGAIN;
 546 }
 547
 548 static int ceph_x_create_authorizer(
 549         struct ceph_auth_client *ac, int peer_type,
 550         struct ceph_auth_handshake *auth)
 551 {
 552         struct ceph_x_authorizer *au;
 553         struct ceph_x_ticket_handler *th;
 554         int ret;
 555
 556         th = get_ticket_handler(ac, peer_type);
 557         if (IS_ERR(th))
 558                 return PTR_ERR(th);
 559
 560         au = kzalloc(sizeof(*au), GFP_NOFS);
 561         if (!au)
 562                 return -ENOMEM;
 563
 564         ret = ceph_x_build_authorizer(ac, th, au);
 565         if (ret) {
 566                 kfree(au);
 567                 return ret;
 568         }
 569
 570         auth->authorizer = (struct ceph_authorizer *) au;
 571         auth->authorizer_buf = au->buf->vec.iov_base;
 572         auth->authorizer_buf_len = au->buf->vec.iov_len;
 573         auth->authorizer_reply_buf = au->reply_buf;
 574         auth->authorizer_reply_buf_len = sizeof (au->reply_buf);
 575
 576         return 0;
 577 }
 578
 579 static int ceph_x_update_authorizer(
 580         struct ceph_auth_client *ac, int peer_type,
 581         struct ceph_auth_handshake *auth)
 582 {
 583         struct ceph_x_authorizer *au;
 584         struct ceph_x_ticket_handler *th;
 585
 586         th = get_ticket_handler(ac, peer_type);
 587         if (IS_ERR(th))
 588                 return PTR_ERR(th);
 589
 590         au = (struct ceph_x_authorizer *)auth->authorizer;
 591         if (au->secret_id < th->secret_id) {
 592                 dout("ceph_x_update_authorizer service %u secret %llu < %llu\n",
 593                      au->service, au->secret_id, th->secret_id);
 594                 return ceph_x_build_authorizer(ac, th, au);
 595         }
 596         return 0;
 597 }
 598
 599 static int ceph_x_verify_authorizer_reply(struct ceph_auth_client *ac,
 600                                           struct ceph_authorizer *a, size_t len)
 601 {
 602         struct ceph_x_authorizer *au = (void *)a;
 603         struct ceph_x_ticket_handler *th;
 604         int ret = 0;
 605         struct ceph_x_authorize_reply reply;
 606         void *p = au->reply_buf;
 607         void *end = p + sizeof(au->reply_buf);
 608
 609         th = get_ticket_handler(ac, au->service);
 610         if (IS_ERR(th))
 611                 return PTR_ERR(th);
 612         ret = ceph_x_decrypt(&th->session_key, &p, end, &reply, sizeof(reply));
 613         if (ret < 0)
 614                 return ret;
 615         if (ret != sizeof(reply))
 616                 return -EPERM;
 617
 618         if (au->nonce + 1 != le64_to_cpu(reply.nonce_plus_one))
 619                 ret = -EPERM;
 620         else
 621                 ret = 0;
 622         dout("verify_authorizer_reply nonce %llx got %llx ret %d\n",
 623              au->nonce, le64_to_cpu(reply.nonce_plus_one), ret);
 624         return ret;
 625 }
 626
 627 static void ceph_x_destroy_authorizer(struct ceph_auth_client *ac,
 628                                       struct ceph_authorizer *a)
 629 {
 630         struct ceph_x_authorizer *au = (void *)a;
 631
 632         ceph_buffer_put(au->buf);
 633         kfree(au);
 634 }
 635
 636
 637 static void ceph_x_reset(struct ceph_auth_client *ac)
 638 {
 639         struct ceph_x_info *xi = ac->private;
 640
 641         dout("reset\n");
 642         xi->starting = true;
 643         xi->server_challenge = 0;
 644 }
 645
 646 static void ceph_x_destroy(struct ceph_auth_client *ac)
 647 {
 648         struct ceph_x_info *xi = ac->private;
 649         struct rb_node *p;
 650
 651         dout("ceph_x_destroy %p\n", ac);
 652         ceph_crypto_key_destroy(&xi->secret);
 653
 654         while ((p = rb_first(&xi->ticket_handlers)) != NULL) {
 655                 struct ceph_x_ticket_handler *th =
 656                         rb_entry(p, struct ceph_x_ticket_handler, node);
 657                 remove_ticket_handler(ac, th);
 658         }
 659
 660         if (xi->auth_authorizer.buf)
 661                 ceph_buffer_put(xi->auth_authorizer.buf);
 662
 663         kfree(ac->private);
 664         ac->private = NULL;
 665 }
 666
 667 static void ceph_x_invalidate_authorizer(struct ceph_auth_client *ac,
 668                                    int peer_type)
 669 {
 670         struct ceph_x_ticket_handler *th;
 671
 672         th = get_ticket_handler(ac, peer_type);
 673         if (!IS_ERR(th))
 674                 memset(&th->validity, 0, sizeof(th->validity));
 675 }
 676
 677
 678 static const struct ceph_auth_client_ops ceph_x_ops = {
 679         .name = "x",
 680         .is_authenticated = ceph_x_is_authenticated,
 681         .should_authenticate = ceph_x_should_authenticate,
 682         .build_request = ceph_x_build_request,
 683         .handle_reply = ceph_x_handle_reply,
 684         .create_authorizer = ceph_x_create_authorizer,
 685         .update_authorizer = ceph_x_update_authorizer,
 686         .verify_authorizer_reply = ceph_x_verify_authorizer_reply,
 687         .destroy_authorizer = ceph_x_destroy_authorizer,
 688         .invalidate_authorizer = ceph_x_invalidate_authorizer,
 689         .reset =  ceph_x_reset,
 690         .destroy = ceph_x_destroy,
 691 };
 692
 693
 694 int ceph_x_init(struct ceph_auth_client *ac)
 695 {
 696         struct ceph_x_info *xi;
 697         int ret;
 698
 699         dout("ceph_x_init %p\n", ac);
 700         ret = -ENOMEM;
 701         xi = kzalloc(sizeof(*xi), GFP_NOFS);
 702         if (!xi)
 703                 goto out;
 704
 705         ret = -EINVAL;
 706         if (!ac->key) {
 707                 pr_err("no secret set (for auth_x protocol)\n");
 708                 goto out_nomem;
 709         }
 710
 711         ret = ceph_crypto_key_clone(&xi->secret, ac->key);
 712         if (ret < 0) {
 713                 pr_err("cannot clone key: %d\n", ret);
 714                 goto out_nomem;
 715         }
 716
 717         xi->starting = true;
 718         xi->ticket_handlers = RB_ROOT;
 719
 720         ac->protocol = CEPH_AUTH_CEPHX;
 721         ac->private = xi;
 722         ac->ops = &ceph_x_ops;
 723         return 0;
 724
 725 out_nomem:
 726         kfree(xi);
 727 out:
 728         return ret;
 729 }
 730
 731