Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a51983e4 authored by Ilya Dryomov's avatar Ilya Dryomov
Browse files

libceph: add nocephx_sign_messages option 



Support for message signing was merged into 3.19, along with
nocephx_require_signatures option.  But, all that option does is allow
the kernel client to talk to clusters that don't support MSG_AUTH
feature bit.  That's pretty useless, given that it's been supported
since bobtail.

Meanwhile, if one disables message signing on the server side with
"cephx sign messages = false", it becomes impossible to use the kernel
client since it expects messages to be signed if MSG_AUTH was
negotiated.  Add nocephx_sign_messages option to support this use case.

Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
parent 859bff51

include/linux/ceph/libceph.h

+2 −1
Original line number Diff line number Diff line
@@ -29,8 +29,9 @@ 
#define CEPH_OPT_NOSHARE          (1<<1) /* don't share client with other sbs */

#define CEPH_OPT_MYIP             (1<<2) /* specified my ip */

#define CEPH_OPT_NOCRC            (1<<3) /* no data crc on writes */

#define CEPH_OPT_NOMSGAUTH	  (1<<4) /* not require cephx message signature */

#define CEPH_OPT_NOMSGAUTH	  (1<<4) /* don't require msg signing feat */

#define CEPH_OPT_TCP_NODELAY	  (1<<5) /* TCP_NODELAY on TCP sockets */

#define CEPH_OPT_NOMSGSIGN	  (1<<6) /* don't sign msgs */



#define CEPH_OPT_DEFAULT   (CEPH_OPT_TCP_NODELAY)

net/ceph/auth_x.c

+7 −0
Original line number Diff line number Diff line
@@ -8,6 +8,7 @@ 


#include <linux/ceph/decode.h>

#include <linux/ceph/auth.h>

#include <linux/ceph/libceph.h>

#include <linux/ceph/messenger.h>



#include "crypto.h"
@@ -698,6 +699,9 @@ static int ceph_x_sign_message(struct ceph_auth_handshake *auth, 
{

	int ret;



	if (ceph_test_opt(from_msgr(msg->con->msgr), NOMSGSIGN))

		return 0;



	ret = calcu_signature((struct ceph_x_authorizer *)auth->authorizer,

			      msg, &msg->footer.sig);

	if (ret < 0)
@@ -712,6 +716,9 @@ static int ceph_x_check_message_signature(struct ceph_auth_handshake *auth, 
	__le64 sig_check;

	int ret;



	if (ceph_test_opt(from_msgr(msg->con->msgr), NOMSGSIGN))

		return 0;



	ret = calcu_signature((struct ceph_x_authorizer *)auth->authorizer,

			      msg, &sig_check);

	if (ret < 0)

net/ceph/ceph_common.c

+12 −0
Original line number Diff line number Diff line
@@ -245,6 +245,8 @@ enum { 
	Opt_nocrc,

	Opt_cephx_require_signatures,

	Opt_nocephx_require_signatures,

	Opt_cephx_sign_messages,

	Opt_nocephx_sign_messages,

	Opt_tcp_nodelay,

	Opt_notcp_nodelay,

};
@@ -267,6 +269,8 @@ static match_table_t opt_tokens = { 
	{Opt_nocrc, "nocrc"},

	{Opt_cephx_require_signatures, "cephx_require_signatures"},

	{Opt_nocephx_require_signatures, "nocephx_require_signatures"},

	{Opt_cephx_sign_messages, "cephx_sign_messages"},

	{Opt_nocephx_sign_messages, "nocephx_sign_messages"},

	{Opt_tcp_nodelay, "tcp_nodelay"},

	{Opt_notcp_nodelay, "notcp_nodelay"},

	{-1, NULL}
@@ -491,6 +495,12 @@ ceph_parse_options(char *options, const char *dev_name, 
		case Opt_nocephx_require_signatures:

			opt->flags |= CEPH_OPT_NOMSGAUTH;

			break;

		case Opt_cephx_sign_messages:

			opt->flags &= ~CEPH_OPT_NOMSGSIGN;

			break;

		case Opt_nocephx_sign_messages:

			opt->flags |= CEPH_OPT_NOMSGSIGN;

			break;



		case Opt_tcp_nodelay:

			opt->flags |= CEPH_OPT_TCP_NODELAY;
@@ -534,6 +544,8 @@ int ceph_print_client_options(struct seq_file *m, struct ceph_client *client) 
		seq_puts(m, "nocrc,");

	if (opt->flags & CEPH_OPT_NOMSGAUTH)

		seq_puts(m, "nocephx_require_signatures,");

	if (opt->flags & CEPH_OPT_NOMSGSIGN)

		seq_puts(m, "nocephx_sign_messages,");

	if ((opt->flags & CEPH_OPT_TCP_NODELAY) == 0)

		seq_puts(m, "notcp_nodelay,");

net/ceph/messenger.c

+1 −1
Original line number Diff line number Diff line
@@ -2677,7 +2677,7 @@ static int try_read(struct ceph_connection *con) 
		if (ret <= 0) {

			switch (ret) {

			case -EBADMSG:

				con->error_msg = "bad crc";

				con->error_msg = "bad crc/signature";

				/* fall through */

			case -EBADE:

				ret = -EIO;