archives/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-03-08 00:44:31 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/net/ceph/auth_x_protocol.h
Ilya Dryomov b7cc142dba libceph: add support for CEPH_CRYPTO_AES256KRB5 
This is based on AES256-CTS-HMAC384-192 crypto algorithm per RFC 8009
(i.e. Kerberos 5, hence the name) with custom-defined key usage numbers.
The implementation allows a given key to have/be linked to between one
and three usage numbers.

The existing CEPH_CRYPTO_AES remains in place and unchanged.  The
usage_slot parameter that needed to be added to ceph_crypt() and its
wrappers is simply ignored there.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2026-02-09 12:29:22 +01:00

137 lines
3.1 KiB
C
Raw Permalink Blame History

/* SPDX-License-Identifier: GPL-2.0 */
#ifndef __FS_CEPH_AUTH_X_PROTOCOL
#define __FS_CEPH_AUTH_X_PROTOCOL
#define CEPHX_GET_AUTH_SESSION_KEY 0x0100
#define CEPHX_GET_PRINCIPAL_SESSION_KEY 0x0200
#define CEPHX_GET_ROTATING_KEY 0x0400
/* Client <-> AuthMonitor */
/*
* The AUTH session's connection secret: encrypted with the AUTH
* ticket session key
*/
#define CEPHX_KEY_USAGE_AUTH_CONNECTION_SECRET 0x03
/*
* The ticket's blob for the client ("blob for me", contains the
* session key): encrypted with the client's secret key in case of
* the AUTH ticket and the AUTH ticket session key in case of other
* service tickets
*/
#define CEPHX_KEY_USAGE_TICKET_SESSION_KEY 0x04
/*
* The ticket's blob for the service (ceph_x_ticket_blob): possibly
* encrypted with the old AUTH ticket session key in case of the AUTH
* ticket and not encrypted in case of other service tickets
*/
#define CEPHX_KEY_USAGE_TICKET_BLOB 0x05
/* Client <-> Service */
/*
* The client's authorization request (ceph_x_authorize_b):
* encrypted with the service ticket session key
*/
#define CEPHX_KEY_USAGE_AUTHORIZE 0x10
/*
* The service's challenge (ceph_x_authorize_challenge):
* encrypted with the service ticket session key
*/
#define CEPHX_KEY_USAGE_AUTHORIZE_CHALLENGE 0x11
/*
* The service's final reply (ceph_x_authorize_reply + the service
* session's connection secret): encrypted with the service ticket
* session key
*/
#define CEPHX_KEY_USAGE_AUTHORIZE_REPLY 0x12
/* common bits */
struct ceph_x_ticket_blob {
__u8 struct_v;
__le64 secret_id;
__le32 blob_len;
char blob[];
} __attribute__ ((packed));
/* common request/reply headers */
struct ceph_x_request_header {
__le16 op;
} __attribute__ ((packed));
struct ceph_x_reply_header {
__le16 op;
__le32 result;
} __attribute__ ((packed));
/* authenticate handshake */
/* initial hello (no reply header) */
struct ceph_x_server_challenge {
__u8 struct_v;
__le64 server_challenge;
} __attribute__ ((packed));
struct ceph_x_authenticate {
__u8 struct_v;
__le64 client_challenge;
__le64 key;
/* old_ticket blob */
/* nautilus+: other_keys */
} __attribute__ ((packed));
struct ceph_x_service_ticket_request {
__u8 struct_v;
__le32 keys;
} __attribute__ ((packed));
struct ceph_x_challenge_blob {
__le64 server_challenge;
__le64 client_challenge;
} __attribute__ ((packed));
/* authorize handshake */
/*
* The authorizer consists of two pieces:
* a - service id, ticket blob
* b - encrypted with session key
*/
struct ceph_x_authorize_a {
__u8 struct_v;
__le64 global_id;
__le32 service_id;
struct ceph_x_ticket_blob ticket_blob;
} __attribute__ ((packed));
struct ceph_x_authorize_b {
__u8 struct_v;
__le64 nonce;
__u8 have_challenge;
__le64 server_challenge_plus_one;
} __attribute__ ((packed));
struct ceph_x_authorize_challenge {
__u8 struct_v;
__le64 server_challenge;
} __attribute__ ((packed));
struct ceph_x_authorize_reply {
__u8 struct_v;
__le64 nonce_plus_one;
} __attribute__ ((packed));
/*
* encryption bundle
*/
#define CEPHX_ENC_MAGIC 0xff009cad8826aa55ull
struct ceph_x_encrypt_header {
__u8 struct_v;
__le64 magic;
} __attribute__ ((packed));
#endif
Reference in a new issue View git blame Copy permalink