xref: /openbmc/linux/net/ceph/auth_x.c (revision 6774def6)
1 
2 #include <linux/ceph/ceph_debug.h>
3 
4 #include <linux/err.h>
5 #include <linux/module.h>
6 #include <linux/random.h>
7 #include <linux/slab.h>
8 
9 #include <linux/ceph/decode.h>
10 #include <linux/ceph/auth.h>
11 
12 #include "crypto.h"
13 #include "auth_x.h"
14 #include "auth_x_protocol.h"
15 
16 static void ceph_x_validate_tickets(struct ceph_auth_client *ac, int *pneed);
17 
18 static int ceph_x_is_authenticated(struct ceph_auth_client *ac)
19 {
20 	struct ceph_x_info *xi = ac->private;
21 	int need;
22 
23 	ceph_x_validate_tickets(ac, &need);
24 	dout("ceph_x_is_authenticated want=%d need=%d have=%d\n",
25 	     ac->want_keys, need, xi->have_keys);
26 	return (ac->want_keys & xi->have_keys) == ac->want_keys;
27 }
28 
29 static int ceph_x_should_authenticate(struct ceph_auth_client *ac)
30 {
31 	struct ceph_x_info *xi = ac->private;
32 	int need;
33 
34 	ceph_x_validate_tickets(ac, &need);
35 	dout("ceph_x_should_authenticate want=%d need=%d have=%d\n",
36 	     ac->want_keys, need, xi->have_keys);
37 	return need != 0;
38 }
39 
40 static int ceph_x_encrypt_buflen(int ilen)
41 {
42 	return sizeof(struct ceph_x_encrypt_header) + ilen + 16 +
43 		sizeof(u32);
44 }
45 
46 static int ceph_x_encrypt(struct ceph_crypto_key *secret,
47 			  void *ibuf, int ilen, void *obuf, size_t olen)
48 {
49 	struct ceph_x_encrypt_header head = {
50 		.struct_v = 1,
51 		.magic = cpu_to_le64(CEPHX_ENC_MAGIC)
52 	};
53 	size_t len = olen - sizeof(u32);
54 	int ret;
55 
56 	ret = ceph_encrypt2(secret, obuf + sizeof(u32), &len,
57 			    &head, sizeof(head), ibuf, ilen);
58 	if (ret)
59 		return ret;
60 	ceph_encode_32(&obuf, len);
61 	return len + sizeof(u32);
62 }
63 
64 static int ceph_x_decrypt(struct ceph_crypto_key *secret,
65 			  void **p, void *end, void **obuf, size_t olen)
66 {
67 	struct ceph_x_encrypt_header head;
68 	size_t head_len = sizeof(head);
69 	int len, ret;
70 
71 	len = ceph_decode_32(p);
72 	if (*p + len > end)
73 		return -EINVAL;
74 
75 	dout("ceph_x_decrypt len %d\n", len);
76 	if (*obuf == NULL) {
77 		*obuf = kmalloc(len, GFP_NOFS);
78 		if (!*obuf)
79 			return -ENOMEM;
80 		olen = len;
81 	}
82 
83 	ret = ceph_decrypt2(secret, &head, &head_len, *obuf, &olen, *p, len);
84 	if (ret)
85 		return ret;
86 	if (head.struct_v != 1 || le64_to_cpu(head.magic) != CEPHX_ENC_MAGIC)
87 		return -EPERM;
88 	*p += len;
89 	return olen;
90 }
91 
92 /*
93  * get existing (or insert new) ticket handler
94  */
95 static struct ceph_x_ticket_handler *
96 get_ticket_handler(struct ceph_auth_client *ac, int service)
97 {
98 	struct ceph_x_ticket_handler *th;
99 	struct ceph_x_info *xi = ac->private;
100 	struct rb_node *parent = NULL, **p = &xi->ticket_handlers.rb_node;
101 
102 	while (*p) {
103 		parent = *p;
104 		th = rb_entry(parent, struct ceph_x_ticket_handler, node);
105 		if (service < th->service)
106 			p = &(*p)->rb_left;
107 		else if (service > th->service)
108 			p = &(*p)->rb_right;
109 		else
110 			return th;
111 	}
112 
113 	/* add it */
114 	th = kzalloc(sizeof(*th), GFP_NOFS);
115 	if (!th)
116 		return ERR_PTR(-ENOMEM);
117 	th->service = service;
118 	rb_link_node(&th->node, parent, p);
119 	rb_insert_color(&th->node, &xi->ticket_handlers);
120 	return th;
121 }
122 
123 static void remove_ticket_handler(struct ceph_auth_client *ac,
124 				  struct ceph_x_ticket_handler *th)
125 {
126 	struct ceph_x_info *xi = ac->private;
127 
128 	dout("remove_ticket_handler %p %d\n", th, th->service);
129 	rb_erase(&th->node, &xi->ticket_handlers);
130 	ceph_crypto_key_destroy(&th->session_key);
131 	if (th->ticket_blob)
132 		ceph_buffer_put(th->ticket_blob);
133 	kfree(th);
134 }
135 
136 static int process_one_ticket(struct ceph_auth_client *ac,
137 			      struct ceph_crypto_key *secret,
138 			      void **p, void *end)
139 {
140 	struct ceph_x_info *xi = ac->private;
141 	int type;
142 	u8 tkt_struct_v, blob_struct_v;
143 	struct ceph_x_ticket_handler *th;
144 	void *dbuf = NULL;
145 	void *dp, *dend;
146 	int dlen;
147 	char is_enc;
148 	struct timespec validity;
149 	struct ceph_crypto_key old_key;
150 	void *ticket_buf = NULL;
151 	void *tp, *tpend;
152 	void **ptp;
153 	struct ceph_timespec new_validity;
154 	struct ceph_crypto_key new_session_key;
155 	struct ceph_buffer *new_ticket_blob;
156 	unsigned long new_expires, new_renew_after;
157 	u64 new_secret_id;
158 	int ret;
159 
160 	ceph_decode_need(p, end, sizeof(u32) + 1, bad);
161 
162 	type = ceph_decode_32(p);
163 	dout(" ticket type %d %s\n", type, ceph_entity_type_name(type));
164 
165 	tkt_struct_v = ceph_decode_8(p);
166 	if (tkt_struct_v != 1)
167 		goto bad;
168 
169 	th = get_ticket_handler(ac, type);
170 	if (IS_ERR(th)) {
171 		ret = PTR_ERR(th);
172 		goto out;
173 	}
174 
175 	/* blob for me */
176 	dlen = ceph_x_decrypt(secret, p, end, &dbuf, 0);
177 	if (dlen <= 0) {
178 		ret = dlen;
179 		goto out;
180 	}
181 	dout(" decrypted %d bytes\n", dlen);
182 	dp = dbuf;
183 	dend = dp + dlen;
184 
185 	tkt_struct_v = ceph_decode_8(&dp);
186 	if (tkt_struct_v != 1)
187 		goto bad;
188 
189 	memcpy(&old_key, &th->session_key, sizeof(old_key));
190 	ret = ceph_crypto_key_decode(&new_session_key, &dp, dend);
191 	if (ret)
192 		goto out;
193 
194 	ceph_decode_copy(&dp, &new_validity, sizeof(new_validity));
195 	ceph_decode_timespec(&validity, &new_validity);
196 	new_expires = get_seconds() + validity.tv_sec;
197 	new_renew_after = new_expires - (validity.tv_sec / 4);
198 	dout(" expires=%lu renew_after=%lu\n", new_expires,
199 	     new_renew_after);
200 
201 	/* ticket blob for service */
202 	ceph_decode_8_safe(p, end, is_enc, bad);
203 	if (is_enc) {
204 		/* encrypted */
205 		dout(" encrypted ticket\n");
206 		dlen = ceph_x_decrypt(&old_key, p, end, &ticket_buf, 0);
207 		if (dlen < 0) {
208 			ret = dlen;
209 			goto out;
210 		}
211 		tp = ticket_buf;
212 		ptp = &tp;
213 		tpend = *ptp + dlen;
214 	} else {
215 		/* unencrypted */
216 		ptp = p;
217 		tpend = end;
218 	}
219 	ceph_decode_32_safe(ptp, tpend, dlen, bad);
220 	dout(" ticket blob is %d bytes\n", dlen);
221 	ceph_decode_need(ptp, tpend, 1 + sizeof(u64), bad);
222 	blob_struct_v = ceph_decode_8(ptp);
223 	new_secret_id = ceph_decode_64(ptp);
224 	ret = ceph_decode_buffer(&new_ticket_blob, ptp, tpend);
225 	if (ret)
226 		goto out;
227 
228 	/* all is well, update our ticket */
229 	ceph_crypto_key_destroy(&th->session_key);
230 	if (th->ticket_blob)
231 		ceph_buffer_put(th->ticket_blob);
232 	th->session_key = new_session_key;
233 	th->ticket_blob = new_ticket_blob;
234 	th->validity = new_validity;
235 	th->secret_id = new_secret_id;
236 	th->expires = new_expires;
237 	th->renew_after = new_renew_after;
238 	dout(" got ticket service %d (%s) secret_id %lld len %d\n",
239 	     type, ceph_entity_type_name(type), th->secret_id,
240 	     (int)th->ticket_blob->vec.iov_len);
241 	xi->have_keys |= th->service;
242 
243 out:
244 	kfree(ticket_buf);
245 	kfree(dbuf);
246 	return ret;
247 
248 bad:
249 	ret = -EINVAL;
250 	goto out;
251 }
252 
253 static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac,
254 				    struct ceph_crypto_key *secret,
255 				    void *buf, void *end)
256 {
257 	void *p = buf;
258 	u8 reply_struct_v;
259 	u32 num;
260 	int ret;
261 
262 	ceph_decode_8_safe(&p, end, reply_struct_v, bad);
263 	if (reply_struct_v != 1)
264 		return -EINVAL;
265 
266 	ceph_decode_32_safe(&p, end, num, bad);
267 	dout("%d tickets\n", num);
268 
269 	while (num--) {
270 		ret = process_one_ticket(ac, secret, &p, end);
271 		if (ret)
272 			return ret;
273 	}
274 
275 	return 0;
276 
277 bad:
278 	return -EINVAL;
279 }
280 
281 static int ceph_x_build_authorizer(struct ceph_auth_client *ac,
282 				   struct ceph_x_ticket_handler *th,
283 				   struct ceph_x_authorizer *au)
284 {
285 	int maxlen;
286 	struct ceph_x_authorize_a *msg_a;
287 	struct ceph_x_authorize_b msg_b;
288 	void *p, *end;
289 	int ret;
290 	int ticket_blob_len =
291 		(th->ticket_blob ? th->ticket_blob->vec.iov_len : 0);
292 
293 	dout("build_authorizer for %s %p\n",
294 	     ceph_entity_type_name(th->service), au);
295 
296 	maxlen = sizeof(*msg_a) + sizeof(msg_b) +
297 		ceph_x_encrypt_buflen(ticket_blob_len);
298 	dout("  need len %d\n", maxlen);
299 	if (au->buf && au->buf->alloc_len < maxlen) {
300 		ceph_buffer_put(au->buf);
301 		au->buf = NULL;
302 	}
303 	if (!au->buf) {
304 		au->buf = ceph_buffer_new(maxlen, GFP_NOFS);
305 		if (!au->buf)
306 			return -ENOMEM;
307 	}
308 	au->service = th->service;
309 	au->secret_id = th->secret_id;
310 
311 	msg_a = au->buf->vec.iov_base;
312 	msg_a->struct_v = 1;
313 	msg_a->global_id = cpu_to_le64(ac->global_id);
314 	msg_a->service_id = cpu_to_le32(th->service);
315 	msg_a->ticket_blob.struct_v = 1;
316 	msg_a->ticket_blob.secret_id = cpu_to_le64(th->secret_id);
317 	msg_a->ticket_blob.blob_len = cpu_to_le32(ticket_blob_len);
318 	if (ticket_blob_len) {
319 		memcpy(msg_a->ticket_blob.blob, th->ticket_blob->vec.iov_base,
320 		       th->ticket_blob->vec.iov_len);
321 	}
322 	dout(" th %p secret_id %lld %lld\n", th, th->secret_id,
323 	     le64_to_cpu(msg_a->ticket_blob.secret_id));
324 
325 	p = msg_a + 1;
326 	p += ticket_blob_len;
327 	end = au->buf->vec.iov_base + au->buf->vec.iov_len;
328 
329 	get_random_bytes(&au->nonce, sizeof(au->nonce));
330 	msg_b.struct_v = 1;
331 	msg_b.nonce = cpu_to_le64(au->nonce);
332 	ret = ceph_x_encrypt(&th->session_key, &msg_b, sizeof(msg_b),
333 			     p, end - p);
334 	if (ret < 0)
335 		goto out_buf;
336 	p += ret;
337 	au->buf->vec.iov_len = p - au->buf->vec.iov_base;
338 	dout(" built authorizer nonce %llx len %d\n", au->nonce,
339 	     (int)au->buf->vec.iov_len);
340 	BUG_ON(au->buf->vec.iov_len > maxlen);
341 	return 0;
342 
343 out_buf:
344 	ceph_buffer_put(au->buf);
345 	au->buf = NULL;
346 	return ret;
347 }
348 
349 static int ceph_x_encode_ticket(struct ceph_x_ticket_handler *th,
350 				void **p, void *end)
351 {
352 	ceph_decode_need(p, end, 1 + sizeof(u64), bad);
353 	ceph_encode_8(p, 1);
354 	ceph_encode_64(p, th->secret_id);
355 	if (th->ticket_blob) {
356 		const char *buf = th->ticket_blob->vec.iov_base;
357 		u32 len = th->ticket_blob->vec.iov_len;
358 
359 		ceph_encode_32_safe(p, end, len, bad);
360 		ceph_encode_copy_safe(p, end, buf, len, bad);
361 	} else {
362 		ceph_encode_32_safe(p, end, 0, bad);
363 	}
364 
365 	return 0;
366 bad:
367 	return -ERANGE;
368 }
369 
370 static void ceph_x_validate_tickets(struct ceph_auth_client *ac, int *pneed)
371 {
372 	int want = ac->want_keys;
373 	struct ceph_x_info *xi = ac->private;
374 	int service;
375 
376 	*pneed = ac->want_keys & ~(xi->have_keys);
377 
378 	for (service = 1; service <= want; service <<= 1) {
379 		struct ceph_x_ticket_handler *th;
380 
381 		if (!(ac->want_keys & service))
382 			continue;
383 
384 		if (*pneed & service)
385 			continue;
386 
387 		th = get_ticket_handler(ac, service);
388 
389 		if (IS_ERR(th)) {
390 			*pneed |= service;
391 			continue;
392 		}
393 
394 		if (get_seconds() >= th->renew_after)
395 			*pneed |= service;
396 		if (get_seconds() >= th->expires)
397 			xi->have_keys &= ~service;
398 	}
399 }
400 
401 
402 static int ceph_x_build_request(struct ceph_auth_client *ac,
403 				void *buf, void *end)
404 {
405 	struct ceph_x_info *xi = ac->private;
406 	int need;
407 	struct ceph_x_request_header *head = buf;
408 	int ret;
409 	struct ceph_x_ticket_handler *th =
410 		get_ticket_handler(ac, CEPH_ENTITY_TYPE_AUTH);
411 
412 	if (IS_ERR(th))
413 		return PTR_ERR(th);
414 
415 	ceph_x_validate_tickets(ac, &need);
416 
417 	dout("build_request want %x have %x need %x\n",
418 	     ac->want_keys, xi->have_keys, need);
419 
420 	if (need & CEPH_ENTITY_TYPE_AUTH) {
421 		struct ceph_x_authenticate *auth = (void *)(head + 1);
422 		void *p = auth + 1;
423 		struct ceph_x_challenge_blob tmp;
424 		char tmp_enc[40];
425 		u64 *u;
426 
427 		if (p > end)
428 			return -ERANGE;
429 
430 		dout(" get_auth_session_key\n");
431 		head->op = cpu_to_le16(CEPHX_GET_AUTH_SESSION_KEY);
432 
433 		/* encrypt and hash */
434 		get_random_bytes(&auth->client_challenge, sizeof(u64));
435 		tmp.client_challenge = auth->client_challenge;
436 		tmp.server_challenge = cpu_to_le64(xi->server_challenge);
437 		ret = ceph_x_encrypt(&xi->secret, &tmp, sizeof(tmp),
438 				     tmp_enc, sizeof(tmp_enc));
439 		if (ret < 0)
440 			return ret;
441 
442 		auth->struct_v = 1;
443 		auth->key = 0;
444 		for (u = (u64 *)tmp_enc; u + 1 <= (u64 *)(tmp_enc + ret); u++)
445 			auth->key ^= *(__le64 *)u;
446 		dout(" server_challenge %llx client_challenge %llx key %llx\n",
447 		     xi->server_challenge, le64_to_cpu(auth->client_challenge),
448 		     le64_to_cpu(auth->key));
449 
450 		/* now encode the old ticket if exists */
451 		ret = ceph_x_encode_ticket(th, &p, end);
452 		if (ret < 0)
453 			return ret;
454 
455 		return p - buf;
456 	}
457 
458 	if (need) {
459 		void *p = head + 1;
460 		struct ceph_x_service_ticket_request *req;
461 
462 		if (p > end)
463 			return -ERANGE;
464 		head->op = cpu_to_le16(CEPHX_GET_PRINCIPAL_SESSION_KEY);
465 
466 		ret = ceph_x_build_authorizer(ac, th, &xi->auth_authorizer);
467 		if (ret)
468 			return ret;
469 		ceph_encode_copy(&p, xi->auth_authorizer.buf->vec.iov_base,
470 				 xi->auth_authorizer.buf->vec.iov_len);
471 
472 		req = p;
473 		req->keys = cpu_to_le32(need);
474 		p += sizeof(*req);
475 		return p - buf;
476 	}
477 
478 	return 0;
479 }
480 
481 static int ceph_x_handle_reply(struct ceph_auth_client *ac, int result,
482 			       void *buf, void *end)
483 {
484 	struct ceph_x_info *xi = ac->private;
485 	struct ceph_x_reply_header *head = buf;
486 	struct ceph_x_ticket_handler *th;
487 	int len = end - buf;
488 	int op;
489 	int ret;
490 
491 	if (result)
492 		return result;  /* XXX hmm? */
493 
494 	if (xi->starting) {
495 		/* it's a hello */
496 		struct ceph_x_server_challenge *sc = buf;
497 
498 		if (len != sizeof(*sc))
499 			return -EINVAL;
500 		xi->server_challenge = le64_to_cpu(sc->server_challenge);
501 		dout("handle_reply got server challenge %llx\n",
502 		     xi->server_challenge);
503 		xi->starting = false;
504 		xi->have_keys &= ~CEPH_ENTITY_TYPE_AUTH;
505 		return -EAGAIN;
506 	}
507 
508 	op = le16_to_cpu(head->op);
509 	result = le32_to_cpu(head->result);
510 	dout("handle_reply op %d result %d\n", op, result);
511 	switch (op) {
512 	case CEPHX_GET_AUTH_SESSION_KEY:
513 		/* verify auth key */
514 		ret = ceph_x_proc_ticket_reply(ac, &xi->secret,
515 					       buf + sizeof(*head), end);
516 		break;
517 
518 	case CEPHX_GET_PRINCIPAL_SESSION_KEY:
519 		th = get_ticket_handler(ac, CEPH_ENTITY_TYPE_AUTH);
520 		if (IS_ERR(th))
521 			return PTR_ERR(th);
522 		ret = ceph_x_proc_ticket_reply(ac, &th->session_key,
523 					       buf + sizeof(*head), end);
524 		break;
525 
526 	default:
527 		return -EINVAL;
528 	}
529 	if (ret)
530 		return ret;
531 	if (ac->want_keys == xi->have_keys)
532 		return 0;
533 	return -EAGAIN;
534 }
535 
536 static int ceph_x_create_authorizer(
537 	struct ceph_auth_client *ac, int peer_type,
538 	struct ceph_auth_handshake *auth)
539 {
540 	struct ceph_x_authorizer *au;
541 	struct ceph_x_ticket_handler *th;
542 	int ret;
543 
544 	th = get_ticket_handler(ac, peer_type);
545 	if (IS_ERR(th))
546 		return PTR_ERR(th);
547 
548 	au = kzalloc(sizeof(*au), GFP_NOFS);
549 	if (!au)
550 		return -ENOMEM;
551 
552 	ret = ceph_x_build_authorizer(ac, th, au);
553 	if (ret) {
554 		kfree(au);
555 		return ret;
556 	}
557 
558 	auth->authorizer = (struct ceph_authorizer *) au;
559 	auth->authorizer_buf = au->buf->vec.iov_base;
560 	auth->authorizer_buf_len = au->buf->vec.iov_len;
561 	auth->authorizer_reply_buf = au->reply_buf;
562 	auth->authorizer_reply_buf_len = sizeof (au->reply_buf);
563 
564 	return 0;
565 }
566 
567 static int ceph_x_update_authorizer(
568 	struct ceph_auth_client *ac, int peer_type,
569 	struct ceph_auth_handshake *auth)
570 {
571 	struct ceph_x_authorizer *au;
572 	struct ceph_x_ticket_handler *th;
573 
574 	th = get_ticket_handler(ac, peer_type);
575 	if (IS_ERR(th))
576 		return PTR_ERR(th);
577 
578 	au = (struct ceph_x_authorizer *)auth->authorizer;
579 	if (au->secret_id < th->secret_id) {
580 		dout("ceph_x_update_authorizer service %u secret %llu < %llu\n",
581 		     au->service, au->secret_id, th->secret_id);
582 		return ceph_x_build_authorizer(ac, th, au);
583 	}
584 	return 0;
585 }
586 
587 static int ceph_x_verify_authorizer_reply(struct ceph_auth_client *ac,
588 					  struct ceph_authorizer *a, size_t len)
589 {
590 	struct ceph_x_authorizer *au = (void *)a;
591 	struct ceph_x_ticket_handler *th;
592 	int ret = 0;
593 	struct ceph_x_authorize_reply reply;
594 	void *preply = &reply;
595 	void *p = au->reply_buf;
596 	void *end = p + sizeof(au->reply_buf);
597 
598 	th = get_ticket_handler(ac, au->service);
599 	if (IS_ERR(th))
600 		return PTR_ERR(th);
601 	ret = ceph_x_decrypt(&th->session_key, &p, end, &preply, sizeof(reply));
602 	if (ret < 0)
603 		return ret;
604 	if (ret != sizeof(reply))
605 		return -EPERM;
606 
607 	if (au->nonce + 1 != le64_to_cpu(reply.nonce_plus_one))
608 		ret = -EPERM;
609 	else
610 		ret = 0;
611 	dout("verify_authorizer_reply nonce %llx got %llx ret %d\n",
612 	     au->nonce, le64_to_cpu(reply.nonce_plus_one), ret);
613 	return ret;
614 }
615 
616 static void ceph_x_destroy_authorizer(struct ceph_auth_client *ac,
617 				      struct ceph_authorizer *a)
618 {
619 	struct ceph_x_authorizer *au = (void *)a;
620 
621 	ceph_buffer_put(au->buf);
622 	kfree(au);
623 }
624 
625 
626 static void ceph_x_reset(struct ceph_auth_client *ac)
627 {
628 	struct ceph_x_info *xi = ac->private;
629 
630 	dout("reset\n");
631 	xi->starting = true;
632 	xi->server_challenge = 0;
633 }
634 
635 static void ceph_x_destroy(struct ceph_auth_client *ac)
636 {
637 	struct ceph_x_info *xi = ac->private;
638 	struct rb_node *p;
639 
640 	dout("ceph_x_destroy %p\n", ac);
641 	ceph_crypto_key_destroy(&xi->secret);
642 
643 	while ((p = rb_first(&xi->ticket_handlers)) != NULL) {
644 		struct ceph_x_ticket_handler *th =
645 			rb_entry(p, struct ceph_x_ticket_handler, node);
646 		remove_ticket_handler(ac, th);
647 	}
648 
649 	if (xi->auth_authorizer.buf)
650 		ceph_buffer_put(xi->auth_authorizer.buf);
651 
652 	kfree(ac->private);
653 	ac->private = NULL;
654 }
655 
656 static void ceph_x_invalidate_authorizer(struct ceph_auth_client *ac,
657 				   int peer_type)
658 {
659 	struct ceph_x_ticket_handler *th;
660 
661 	th = get_ticket_handler(ac, peer_type);
662 	if (!IS_ERR(th))
663 		memset(&th->validity, 0, sizeof(th->validity));
664 }
665 
666 
667 static const struct ceph_auth_client_ops ceph_x_ops = {
668 	.name = "x",
669 	.is_authenticated = ceph_x_is_authenticated,
670 	.should_authenticate = ceph_x_should_authenticate,
671 	.build_request = ceph_x_build_request,
672 	.handle_reply = ceph_x_handle_reply,
673 	.create_authorizer = ceph_x_create_authorizer,
674 	.update_authorizer = ceph_x_update_authorizer,
675 	.verify_authorizer_reply = ceph_x_verify_authorizer_reply,
676 	.destroy_authorizer = ceph_x_destroy_authorizer,
677 	.invalidate_authorizer = ceph_x_invalidate_authorizer,
678 	.reset =  ceph_x_reset,
679 	.destroy = ceph_x_destroy,
680 };
681 
682 
683 int ceph_x_init(struct ceph_auth_client *ac)
684 {
685 	struct ceph_x_info *xi;
686 	int ret;
687 
688 	dout("ceph_x_init %p\n", ac);
689 	ret = -ENOMEM;
690 	xi = kzalloc(sizeof(*xi), GFP_NOFS);
691 	if (!xi)
692 		goto out;
693 
694 	ret = -EINVAL;
695 	if (!ac->key) {
696 		pr_err("no secret set (for auth_x protocol)\n");
697 		goto out_nomem;
698 	}
699 
700 	ret = ceph_crypto_key_clone(&xi->secret, ac->key);
701 	if (ret < 0) {
702 		pr_err("cannot clone key: %d\n", ret);
703 		goto out_nomem;
704 	}
705 
706 	xi->starting = true;
707 	xi->ticket_handlers = RB_ROOT;
708 
709 	ac->protocol = CEPH_AUTH_CEPHX;
710 	ac->private = xi;
711 	ac->ops = &ceph_x_ops;
712 	return 0;
713 
714 out_nomem:
715 	kfree(xi);
716 out:
717 	return ret;
718 }
719 
720 
721