RepoMirrors/ceph
1
0
Fork 0
mirror of https://github.com/ceph/ceph synced 2025-03-06 08:20:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Modified extcap buffer management

Browse Source 
git-svn-id: https://ceph.svn.sf.net/svnroot/ceph@1115 29311d96-e01e-0410-9327-a35deaab8ce9
This commit is contained in:
anwleung 2007-02-21 07:03:58 +00:00
parent e50846fead
commit 9fe20ecf48
8 changed files with 190 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
branches/aleung/security1/ceph/Makefile
View File

@ -17,10 +17,10 @@ EXTRA_CFLAGS =
ifeq ($(target),darwin)
# For Darwin
CFLAGS = -g -Wall -I. -D_FILE_OFFSET_BITS=64 -DMPICH_IGNORE_CXX_SEEK -D_REENTRANT -D_THREAD_SAFE -DDARWIN -D__FreeBSD__=10 ${EXTRA_CFLAGS}
CFLAGS = -ggdb3 -Wall -I. -D_FILE_OFFSET_BITS=64 -DMPICH_IGNORE_CXX_SEEK -D_REENTRANT -D_THREAD_SAFE -DDARWIN -D__FreeBSD__=10 ${EXTRA_CFLAGS}
else
# For linux
CFLAGS = -g -Wall -I. -D_FILE_OFFSET_BITS=64 -DMPICH_IGNORE_CXX_SEEK -D_REENTRANT -D_THREAD_SAFE
CFLAGS = -ggdb3 -Wall -I. -D_FILE_OFFSET_BITS=64 -DMPICH_IGNORE_CXX_SEEK -D_REENTRANT -D_THREAD_SAFE
endif
CC = g++

41
branches/aleung/security1/ceph/client/Client.cc
View File

@ -635,33 +635,28 @@ void Client::handle_client_reply(MClientReply *reply)
void Client::handle_auth_user_ack(MClientAuthUserAck *m)
{
cout << "Handling auth user ack" << endl;
uid_t uid = m->get_uid();
dout(10) << "handle_auth_user_ack for " << uid << endl;
// put the ticket in the ticket map
// **
cout << "Got ticket for uid: " << uid << endl;
user_ticket[uid] = m->getTicket();
// wait up the waiter(s)
// this signals all ticket waiters
cout << "Entering for loop" << endl;
for (list<Cond*>::iterator p = ticket_waiter_cond[uid].begin();
p != ticket_waiter_cond[uid].end();
++p) {
cout << "In the for loop" << endl;
(*p)->Signal();
cout << "Signal waiter" << endl;
}
cout << "Out of the for loop" << endl;
ticket_waiter_cond.erase(uid);
cout << "Leaving the auth user ack handler" << endl;
}
Ticket *Client::get_user_ticket(uid_t uid, gid_t gid)
{
cout << "Requesting ticket for uid: " << uid << ", gid: " << gid << endl;
dout(10) << "get_user_ticket for uid: " << uid << ", gid: " << gid << endl;
// do we already have it?
if (user_ticket.count(uid) == 0) {
Cond cond;
@ -2391,13 +2386,13 @@ int Client::open(const char *relpath, int flags, __int64_t uid, __int64_t gid)
req->set_iarg2(cmode);
// don't need a cap if I have one cached
ExtCap *ext_cap;
//ExtCap ext_cap;
//ExtCap *ext_cap = fc->get_ext_caps(uid);
// !!FIX ME!! Set flag to not ask for cap if I have one already
if (!ext_cap)
cout << "No capability cached at client for file " << path << endl;
else
cout << "Cached capability found! for file " << path << endl;
//if (!ext_cap)
// cout << "No capability cached at client for file " << path << endl;
//else
// cout << "Cached capability found! for file " << path << endl;
// FIXME where does FUSE maintain user information
req->set_caller_uid(uid);
@ -2439,11 +2434,19 @@ int Client::open(const char *relpath, int flags, __int64_t uid, __int64_t gid)
int new_caps = reply->get_file_caps();
// need security caps? check if I even asked for one
ext_cap = reply->get_ext_cap();
ExtCap ext_cap = reply->get_ext_cap();
cout << "Received a " << ext_cap.mode() << " capability for uid: "
<< ext_cap.get_uid() << " for inode: " << ext_cap.get_ino() << endl;
if (reply->get_ext_cap().verif_extcap(monmap->get_key()))
cout << "Verified the signature correctly" << endl;
else
cout << "Failed to verify the signature" << endl;
// cache it
f->inode->set_ext_cap(uid, ext_cap);
//f->inode->set_ext_cap(uid, ext_cap);
assert(reply->get_file_caps_seq() >= f->inode->caps[mds].seq);
if (reply->get_file_caps_seq() > f->inode->caps[mds].seq) {
dout(7) << "open got caps " << cap_string(new_caps)
@ -2480,7 +2483,9 @@ int Client::open(const char *relpath, int flags, __int64_t uid, __int64_t gid)
dout(0) << "open failure result " << result << endl;
}
cout << "Before delete!!" << endl << endl;
delete reply;
cout << "After delete!!" << endl << endl;
put_user_ticket(tk);
trim_cache();
@ -2638,6 +2643,10 @@ int Client::read(fh_t fh, char *buf, off_t size, off_t offset,
offset = f->pos;
bool lazy = f->mode == FILE_MODE_LAZY;
// grab security cap for file (mode should always be correct)
// add that assertion
ExtCap *read_ext_cap = in->get_ext_cap(uid);
// do we have read file cap?
while (!lazy && (in->file_caps() & CAP_FILE_RD) == 0) {

136
branches/aleung/security1/ceph/crypto/ExtCap.h
View File

@ -23,38 +23,27 @@ using namespace std;
using namespace CryptoLib;
class ExtCap {
private:
struct cap_data_t {
int id;
utime_t t_s;
utime_t t_e;
int mode;
__uint8_t comp;
int id; // capability id
utime_t t_s; // creation time
utime_t t_e; // expiration time
int mode; // I/O mode
__uint8_t comp; // specify users/pubkey (for delegation)
uid_t uid;
gid_t gid;
uid_t uid; // user id
gid_t gid; // group id
inodeno_t ino; // inode number
string user_rhash;
string file_rhash;
};
cap_data_t data;
FixedSigBuf allocSig;
byte sigArray[ESIGNSIGSIZE];
SigBuf signature;
bool sigConverted;
public:
// default constructor, should really not be used
ExtCap() {}
ExtCap(utime_t s, utime_t e, int m, __uint8_t c, string user, string file)
{
data.id = 0;
data.t_s = s;
data.t_e = e;
data.mode = m;
data.comp = c;
data.user_rhash = user;
data.file_rhash = file;
sigConverted = false;
}
// capability for single user/single file
/**********
* This function will create the time on the spot
@ -70,21 +59,41 @@ public:
data.t_e += 3600;
data.mode = m;
data.uid = u;
sigConverted = false;
data.ino = n;
}
// capability for single user, many named files
// capability for single user, too many files
// capability for many named users, single file
// capability for many named user, many named files
// capability for many named users, too many files
// capability for too many users, single file
// capability for too many user, many named files
// capability for too many user, too many files
~ExtCap() { }
int get_id() const { return data.id; }
utime_t get_ts() const { return data.t_s; }
utime_t get_te() const { return data.t_e; }
uid_t get_uid() const { return data.uid; }
gid_t get_gid() const { return data.gid; }
inodeno_t get_ino() const { return data.ino; }
int mode() const { return data.mode; }
__int8_t comp() const { return data.comp; }
string get_user_rhash() const { return data.user_rhash; }
string get_file_rhash() const { return data.file_rhash; }
// in case the mode needs to be changed
// FYI, you should resign the cap after this
void set_mode(int new_mode) { data.mode = new_mode; }
/*
SigBuf get_sig() {
if (sigConverted)
return signature;
@ -93,33 +102,79 @@ public:
return signature;
}
FixedSigBuf get_fixed_sig() {
return allocSig;
}
FixedSigBuf *get_fixed_sig_ptr( ){
return &allocSig;
}
*/
const cap_data_t* get_data() const {
return (&data);
}
int get_data_size() const {
return sizeof(data);
}
void sign_extcap(esignPriv privKey) {
byte capArray[sizeof(data)];
memcpy(capArray, &data, sizeof(data));
signature = esignSig(capArray, sizeof(data), privKey);
allocSig.Assign(signature,signature.size());
// store the signature into permanent buffer
memcpy(sigArray, signature.data(), signature.size());
//byte hexArray[sizeof(capArray)];
//memset(hexArray, 0x00, sizeof(hexArray));
//toHex(capArray, hexArray, sizeof(capArray), sizeof(capArray));
//cout << "Signed content capArray hex: " << endl << string((const char*)hexArray,sizeof(hexArray)) << endl;
//cout << "SIGNATURE SIZE: " << signature.size() << endl;
//allocSig.Assign(signature,signature.size());
//byte hexTest[sizeof(sigArray)];
//memset(hexTest, 0x00, sizeof(sigArray));
//toHex(sigArray, hexTest, sizeof(sigArray), sizeof(sigArray));
//cout << "COPIED DATA BUFFER HEX: " << endl << string((const char*)hexTest,sizeof(hexTest)) << endl;
}
bool verif_extcap (esignPub pubKey) {
byte capArray[sizeof(data)];
memcpy(capArray, &data, sizeof(data));
signature.Assign(allocSig, allocSig.size());
//byte hexArray[sizeof(capArray)];
//memset(hexArray, 0x00, sizeof(hexArray));
//toHex(capArray, hexArray, sizeof(capArray), sizeof(capArray));
//cout << "Verified content capArray hex: " << endl << string((const char*)hexArray,sizeof(hexArray)) << endl;
signature.Assign(sigArray, sizeof(sigArray));
return esignVer(capArray, sizeof(data), signature, pubKey);
}
void _encode(bufferlist& bl) {
/*
bl.append((char*)&(data.id), sizeof(data.id));
bl.append((char*)&(data.t_s), sizeof(data.t_s));
bl.append((char*)&(data.t_e), sizeof(data.t_e));
bl.append((char*)&(data.mode), sizeof(data.mode));
bl.append((char*)&(data.comp), sizeof(data.comp));
bl.append((char*)&allocSig, sizeof(allocSig));
bl.append((char*)&(data.uid), sizeof(data.uid));
bl.append((char*)&(data.gid), sizeof(data.gid));
bl.append((char*)&(data.ino), sizeof(data.ino));
*/
bl.append((char*)&(data), sizeof(data));
//bl.append((char*)((void*)allocSig), sizeof(allocSig));
bl.append((char*)sigArray, sizeof(sigArray));
::_encode(data.user_rhash, bl);
::_encode(data.file_rhash, bl);
//::_encode(user_rhash, bl);
//::_encode(file_rhash, bl);
}
void _decode(bufferlist& bl, int& off) {
/*
bl.copy(off, sizeof(data.id), (char*)&(data.id));
off += sizeof(data.id);
bl.copy(off, sizeof(data.t_s), (char*)&(data.t_s));
@ -130,11 +185,22 @@ public:
off += sizeof(data.mode);
bl.copy(off, sizeof(data.comp), (char*)&(data.comp));
off += sizeof(data.comp);
bl.copy(off, sizeof(allocSig), (char*)&allocSig);
off += sizeof(allocSig);
bl.copy(off, sizeof(data.uid), (char*)&(data.uid));
off += sizeof(data.uid);
bl.copy(off, sizeof(data.gid), (char*)&(data.gid));
off += sizeof(data.gid);
bl.copy(off, sizeof(data.ino ), (char*)&(data.ino ));
off += sizeof(data.ino);
*/
bl.copy(off, sizeof(data), (char*)&(data));
off += sizeof(data);
//bl.copy(off, sizeof(allocSig), (char*)((void*)allocSig));
//off += sizeof(allocSig);
bl.copy(off, sizeof(sigArray), (char*)sigArray);
off += sizeof(sigArray);
::_decode(data.user_rhash, bl, off);
::_decode(data.file_rhash, bl, off);
//::_decode(user_rhash, bl, off);
//::_decode(file_rhash, bl, off);
}
};

1
branches/aleung/security1/ceph/crypto/Ticket.h
View File

@ -102,7 +102,6 @@ public:
blist.copy(off, sizeof(identity.uid), (char*)&(identity.uid));
off += sizeof(identity.uid);
cout << "Decoded uid: " << identity.uid << endl;
blist.copy(off, sizeof(identity.gid), (char*)&(identity.gid));
off += sizeof(identity.gid);
blist.copy(off, sizeof(identity.t_s), (char*)&(identity.t_s));

14
branches/aleung/security1/ceph/crypto/driver.cc
View File

@ -70,6 +70,15 @@ int main(int argc, char* argv[]) {
SigBuf testSecBuf(testBuf, mySignature.size());
FixedSigBuf testFixedBuf;
testFixedBuf.Assign(testSecBuf, testSecBuf.size());
FixedSigBuf ftBuf;
memcpy((void*)ftBuf, (void*)testFixedBuf, testFixedBuf.size());
SigBuf copyTest;
copyTest.Assign(ftBuf, ftBuf.size());
if (esignVer(signMsg, strlen((const char*)signMsg), copyTest, pubKey))
cout << "COPYTEST! signature verification SUCCEDED" << endl;
else
cout << "COPYTEST! signature verification FAILED" << endl;
//memcpy((void*)testSecBuf, (void*)testBuf, mySignature.size());
cout << "sizeof(testBuf)=" << sizeof(testBuf) << endl;
cout << "sizeof(testSecBuf)=" << sizeof(testSecBuf) << " and .size()=" << testSecBuf.size() << endl;
@ -87,6 +96,11 @@ int main(int argc, char* argv[]) {
else
cout << "ESIGN signature verification FAILED" << endl;
if (esignVer(signMsg, strlen((const char*)signMsg), mySignature, pubKey))
cout << "RE-ESIGN signature verification SUCCEDED" << endl;
else
cout << "RE-ESIGN signature verification FAILED" << endl;
// RSA signature
byte* rsaMsg = (byte *)"Message to sign";
char* rsaInput = "rsa1024.dat";

39
branches/aleung/security1/ceph/mds/Locker.cc
View File

@ -197,29 +197,38 @@ ExtCap* Locker::issue_new_extcaps(CInode *in, int mode, MClientRequest *req) {
if (mode & FILE_MODE_R) my_want |= CAP_FILE_RD;
if (mode & FILE_MODE_W) my_want |= CAP_FILE_WR;
// checks capabilities for the file indexed by client id
// returns 0 if there is no cached capability
ExtCap *ext_cap = in->get_user_extcap(my_user);
if (!ext_cap) {
// need to create new cap
ExtCap my_cap(my_want, my_user, in->ino());
//ExtCap *ext_cap = in->get_user_extcap(my_user);
ExtCap *ext_cap = new ExtCap(my_want, my_user, in->ino());
//ExtCap ext_cap(my_want, my_user, in->ino());
//if (!ext_cap) {
cout << "Made new " << my_want << " capability for uid: "
<< ext_cap->get_uid() << " for inode: " << ext_cap->get_ino()<< endl;
//ExtCap my_cap(my_want, my_user, in->ino());
// caches this capability in the inode
in->add_user_extcap(my_user, my_cap);
//in->add_user_extcap(my_user, my_cap);
//ext_cap = (&my_cap);
ext_cap = in->get_user_extcap(my_user);
//ext_cap = in->get_user_extcap(my_user);
}
ext_cap->sign_extcap(mds->getPrvKey());
if(ext_cap->verif_extcap(mds->getPubKey()))
cout << "Locker.cc::Verification succeeded" << endl;
else
cout << "Locker.cc::Verification failed" << endl;
//}
// we want to index based on mode, so we can cache more caps
// does the cached cap have the write mode?
else {
// augment the capability if not right mode
if (ext_cap->mode() != mode)
/*else {
cout << "Got capability from cache!!!" << endl;
if (ext_cap->mode() != mode) {
ext_cap->set_mode(mode);
}
return ext_cap;
ext_cap->clear_signature();
ext_cap->sign_extcap(mds->getPrvKey());
}*/
return ext_cap;
}
bool Locker::issue_caps(CInode *in)

22
branches/aleung/security1/ceph/mds/Server.cc
View File

@ -2105,18 +2105,20 @@ void Server::handle_client_open(MClientRequest *req,
return;
}
// hmm, check permissions or something.
// permissions must be checked at the user/group/world level
// can we issue the caps they want?
version_t fdv = mds->locker->issue_file_data_version(cur);
Capability *cap = mds->locker->issue_new_caps(cur, mode, req);
// create security capability
// create signed security capability
ExtCap *ext_cap = mds->locker->issue_new_extcaps(cur, mode, req);
ext_cap->sign_extcap(mds->getPrvKey());
if(ext_cap->verif_extcap(mds->getPubKey()))
cout << "Server.cc::first::Verification succeeded" << endl;
else
cout << "Server.cc::first::Verification failed" << endl;
if (!cap) return; // can't issue (yet), so wait!
@ -2130,7 +2132,17 @@ void Server::handle_client_open(MClientRequest *req,
reply->set_file_caps_seq(cap->get_last_seq());
reply->set_file_data_version(fdv);
// set security cap
reply->set_ext_cap((*ext_cap));
reply->set_ext_cap(ext_cap);
if(reply->get_ptr_cap()->verif_extcap(mds->getPubKey()))
cout << "Server.cc::ptr::Verification succeeded" << endl;
else
cout << "Server.cc::prr::Verification failed" << endl;
if(reply->get_ext_cap().verif_extcap(mds->getPubKey()))
cout << "Server.cc::Verification succeeded" << endl;
else
cout << "Server.cc::Verification failed" << endl;
reply_request(req, reply, cur);
}

9
branches/aleung/security1/ceph/messages/MClientReply.h
View File

@ -172,14 +172,19 @@ class MClientReply : public Message {
long get_file_caps_seq() { return st.file_caps_seq; }
__uint64_t get_file_data_version() { return st.file_data_version; }
ExtCap* get_ext_cap() { return &ext_cap; }
ExtCap get_ext_cap() { return ext_cap; }
ExtCap *get_ptr_cap() { return &ext_cap; }
void set_result(int r) { st.result = r; }
void set_file_caps(unsigned char c) { st.file_caps = c; }
void set_file_caps_seq(long s) { st.file_caps_seq = s; }
void set_file_data_version(__uint64_t v) { st.file_data_version = v; }
void set_ext_cap(ExtCap ecap) { ext_cap = ecap; }
void set_ext_cap(ExtCap *ecap) { ext_cap = (*ecap); }
//void set_ext_cap(ExtCap *ecap) {
// ext_cap = (*ecap);
// memcpy(&(ext_cap.allocSig), &(ecap->allocSig), ecap->allocSig.size());
//}
MClientReply() {};
MClientReply(MClientRequest *req, int result = 0) :