| /* SPDX-License-Identifier: GPL-2.0 */ |
| #ifndef __FS_CEPH_AUTH_X_PROTOCOL |
| #define __FS_CEPH_AUTH_X_PROTOCOL |
| |
| #define CEPHX_GET_AUTH_SESSION_KEY 0x0100 |
| #define CEPHX_GET_PRINCIPAL_SESSION_KEY 0x0200 |
| #define CEPHX_GET_ROTATING_KEY 0x0400 |
| |
| /* Client <-> AuthMonitor */ |
| /* |
| * The AUTH session's connection secret: encrypted with the AUTH |
| * ticket session key |
| */ |
| #define CEPHX_KEY_USAGE_AUTH_CONNECTION_SECRET 0x03 |
| /* |
| * The ticket's blob for the client ("blob for me", contains the |
| * session key): encrypted with the client's secret key in case of |
| * the AUTH ticket and the AUTH ticket session key in case of other |
| * service tickets |
| */ |
| #define CEPHX_KEY_USAGE_TICKET_SESSION_KEY 0x04 |
| /* |
| * The ticket's blob for the service (ceph_x_ticket_blob): possibly |
| * encrypted with the old AUTH ticket session key in case of the AUTH |
| * ticket and not encrypted in case of other service tickets |
| */ |
| #define CEPHX_KEY_USAGE_TICKET_BLOB 0x05 |
| |
| /* Client <-> Service */ |
| /* |
| * The client's authorization request (ceph_x_authorize_b): |
| * encrypted with the service ticket session key |
| */ |
| #define CEPHX_KEY_USAGE_AUTHORIZE 0x10 |
| /* |
| * The service's challenge (ceph_x_authorize_challenge): |
| * encrypted with the service ticket session key |
| */ |
| #define CEPHX_KEY_USAGE_AUTHORIZE_CHALLENGE 0x11 |
| /* |
| * The service's final reply (ceph_x_authorize_reply + the service |
| * session's connection secret): encrypted with the service ticket |
| * session key |
| */ |
| #define CEPHX_KEY_USAGE_AUTHORIZE_REPLY 0x12 |
| |
| /* common bits */ |
| struct ceph_x_ticket_blob { |
| __u8 struct_v; |
| __le64 secret_id; |
| __le32 blob_len; |
| char blob[]; |
| } __attribute__ ((packed)); |
| |
| |
| /* common request/reply headers */ |
| struct ceph_x_request_header { |
| __le16 op; |
| } __attribute__ ((packed)); |
| |
| struct ceph_x_reply_header { |
| __le16 op; |
| __le32 result; |
| } __attribute__ ((packed)); |
| |
| |
| /* authenticate handshake */ |
| |
| /* initial hello (no reply header) */ |
| struct ceph_x_server_challenge { |
| __u8 struct_v; |
| __le64 server_challenge; |
| } __attribute__ ((packed)); |
| |
| struct ceph_x_authenticate { |
| __u8 struct_v; |
| __le64 client_challenge; |
| __le64 key; |
| /* old_ticket blob */ |
| /* nautilus+: other_keys */ |
| } __attribute__ ((packed)); |
| |
| struct ceph_x_service_ticket_request { |
| __u8 struct_v; |
| __le32 keys; |
| } __attribute__ ((packed)); |
| |
| struct ceph_x_challenge_blob { |
| __le64 server_challenge; |
| __le64 client_challenge; |
| } __attribute__ ((packed)); |
| |
| |
| |
| /* authorize handshake */ |
| |
| /* |
| * The authorizer consists of two pieces: |
| * a - service id, ticket blob |
| * b - encrypted with session key |
| */ |
| struct ceph_x_authorize_a { |
| __u8 struct_v; |
| __le64 global_id; |
| __le32 service_id; |
| struct ceph_x_ticket_blob ticket_blob; |
| } __attribute__ ((packed)); |
| |
| struct ceph_x_authorize_b { |
| __u8 struct_v; |
| __le64 nonce; |
| __u8 have_challenge; |
| __le64 server_challenge_plus_one; |
| } __attribute__ ((packed)); |
| |
| struct ceph_x_authorize_challenge { |
| __u8 struct_v; |
| __le64 server_challenge; |
| } __attribute__ ((packed)); |
| |
| struct ceph_x_authorize_reply { |
| __u8 struct_v; |
| __le64 nonce_plus_one; |
| } __attribute__ ((packed)); |
| |
| |
| /* |
| * encryption bundle |
| */ |
| #define CEPHX_ENC_MAGIC 0xff009cad8826aa55ull |
| |
| struct ceph_x_encrypt_header { |
| __u8 struct_v; |
| __le64 magic; |
| } __attribute__ ((packed)); |
| |
| #endif |
