hammer: cephx: Fix multiple segfaults due to attempts to encrypt or decrypt #11930

Merged
merged 1 commit into from Nov 23, 2016
2 changes: 2 additions & 0 deletions src/auth/Crypto.h
@@ -107,10 +107,12 @@ class CryptoKey {
int create(CephContext *cct, int type);
int encrypt(CephContext *cct, const bufferlist& in, bufferlist& out,
std::string *error) const {
assert(ckh); // Bad key?
return ckh->encrypt(in, out, error);
}
int decrypt(CephContext *cct, const bufferlist& in, bufferlist& out,
std::string *error) const {
assert(ckh); // Bad key?
return ckh->decrypt(in, out, error);
}

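Review bot: The added `assert(ckh)` in `CryptoKey::encrypt` and `CryptoKey::decrypt` still ends the process when the key has no handler, so a bad key becomes an abort instead of an authentication failure (and if this assert is compiled out in some build, the null dereference is back). Both methods already return an int and take `std::string *error`, so they can fail closed: `if (!ckh) { if (error) *error = "invalid key"; return -EINVAL; }`. Whether `error` may be null and whether every caller checks the return value is not visible in this hunk, so that needs confirming before relying on it. The `// Bad key?` comment would be clearer as a statement of when `ckh` is expected to be null.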
6 changes: 6 additions & 0 deletions src/auth/cephx/CephxClientHandler.cc
@@ -46,6 +46,12 @@ int CephxClientHandler::build_request(bufferlist& bl) const
return -ENOENT;
}

// is the key OK?
if (!secret.get_secret().length()) {
ldout(cct, 20) << "secret for entity " << cct->_conf->name << " is invalid" << dendl;
return -EINVAL;
}

CephXAuthenticate req;
get_random_bytes((char *)&req.client_challenge, sizeof(req.client_challenge));
std::string error;
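Review bot: The new invalid-secret branch in `build_request` logs at debug level 20, so with ordinary log settings the client returns `-EINVAL` with nothing in the log to explain the authentication failure; the matching failures in CephxProtocol.cc are logged at 0 and -1. A lower level, e.g. `ldout(cct, 0) << "secret for entity " << cct->_conf->name << " is invalid" << dendl;`, would make a missing or corrupt keyring diagnosable. The message names only the entity and no key material, which should stay that way. `build_request` begins and continues outside this hunk.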
10 changes: 8 additions & 2 deletions src/auth/cephx/CephxProtocol.cc
@@ -61,7 +61,10 @@ bool cephx_build_service_ticket_blob(CephContext *cct, CephXSessionAuthInfo& inf
<< " ticket_info.ticket.name=" << ticket_info.ticket.name.to_str() << dendl;
blob.secret_id = info.secret_id;
std::string error;
encode_encrypt_enc_bl(cct, ticket_info, info.service_secret, blob.blob, error);
if (!info.service_secret.get_secret().length())
error = "invalid key"; // Bad key?
else
encode_encrypt_enc_bl(cct, ticket_info, info.service_secret, blob.blob, error);
if (!error.empty()) {
ldout(cct, -1) << "cephx_build_service_ticket_blob failed with error "
<< error << dendl;
@@ -429,7 +432,10 @@ bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys,
}
}
std::string error;
decode_decrypt_enc_bl(cct, ticket_info, service_secret, ticket.blob, error);
if (!service_secret.get_secret().length())
error = "invalid key"; // Bad key?
else
decode_decrypt_enc_bl(cct, ticket_info, service_secret, ticket.blob, error);
if (!error.empty()) {
ldout(cct, 0) << "verify_authorizer could not decrypt ticket info: error: "
<< error << dendl;
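Review bot: Both guards here, in `cephx_build_service_ticket_blob` and `cephx_verify_authorizer`, test `get_secret().length()`, while the condition asserted in Crypto.h is a null `ckh`; nothing in the diff shows that a non-empty secret implies a usable handler. If a key can hold secret bytes without a handler, `cephx_verify_authorizer` would still reach that assert while processing a ticket presented by a peer, which would be a daemon abort on the authentication path. Keeping the validity test in one place on `CryptoKey`, or having `encrypt`/`decrypt` return an error themselves, would avoid repeating a proxy check at each call site. The unbraced `if`/`else` is easier to keep correct with braces, and `// Bad key?` could state the rule instead, e.g. `// refuse to use a key with an empty secret`. Both functions begin and continue outside their hunks.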