libceph: add nocephx_sign_messages option
authorIlya Dryomov <idryomov@gmail.com>
Wed, 28 Oct 2015 22:52:06 +0000 (23:52 +0100)
committerIlya Dryomov <idryomov@gmail.com>
Mon, 2 Nov 2015 22:37:46 +0000 (23:37 +0100)
Support for message signing was merged into 3.19, along with
nocephx_require_signatures option.  But, all that option does is allow
the kernel client to talk to clusters that don't support MSG_AUTH
feature bit.  That's pretty useless, given that it's been supported
since bobtail.

Meanwhile, if one disables message signing on the server side with
"cephx sign messages = false", it becomes impossible to use the kernel
client since it expects messages to be signed if MSG_AUTH was
negotiated.  Add nocephx_sign_messages option to support this use case.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
include/linux/ceph/libceph.h
net/ceph/auth_x.c
net/ceph/ceph_common.c
net/ceph/messenger.c

index a7caafe03d3cc1076d2005ccf21aafaf9435bcc0..3e3799cdc6e66d719fed8ae9adc8539d4e2cb0c6 100644 (file)
@@ -29,8 +29,9 @@
 #define CEPH_OPT_NOSHARE          (1<<1) /* don't share client with other sbs */
 #define CEPH_OPT_MYIP             (1<<2) /* specified my ip */
 #define CEPH_OPT_NOCRC            (1<<3) /* no data crc on writes */
-#define CEPH_OPT_NOMSGAUTH       (1<<4) /* not require cephx message signature */
+#define CEPH_OPT_NOMSGAUTH       (1<<4) /* don't require msg signing feat */
 #define CEPH_OPT_TCP_NODELAY     (1<<5) /* TCP_NODELAY on TCP sockets */
+#define CEPH_OPT_NOMSGSIGN       (1<<6) /* don't sign msgs */
 
 #define CEPH_OPT_DEFAULT   (CEPH_OPT_TCP_NODELAY)
 
index 3a544ca6b5ced9f1ca062b785c2924d4beb68ebb..10d87753ed8737329c244b1ae7718e95c8abd118 100644 (file)
@@ -8,6 +8,7 @@
 
 #include <linux/ceph/decode.h>
 #include <linux/ceph/auth.h>
+#include <linux/ceph/libceph.h>
 #include <linux/ceph/messenger.h>
 
 #include "crypto.h"
@@ -698,6 +699,9 @@ static int ceph_x_sign_message(struct ceph_auth_handshake *auth,
 {
        int ret;
 
+       if (ceph_test_opt(from_msgr(msg->con->msgr), NOMSGSIGN))
+               return 0;
+
        ret = calcu_signature((struct ceph_x_authorizer *)auth->authorizer,
                              msg, &msg->footer.sig);
        if (ret < 0)
@@ -712,6 +716,9 @@ static int ceph_x_check_message_signature(struct ceph_auth_handshake *auth,
        __le64 sig_check;
        int ret;
 
+       if (ceph_test_opt(from_msgr(msg->con->msgr), NOMSGSIGN))
+               return 0;
+
        ret = calcu_signature((struct ceph_x_authorizer *)auth->authorizer,
                              msg, &sig_check);
        if (ret < 0)
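Review bot: The early return added at the top of ceph_x_check_message_signature reports success without comparing anything, so with nocephx_sign_messages set the caller cannot tell "verified" from "not checked". Incoming messages are then accepted without a cephx signature check regardless of what was negotiated. That matches the option's stated purpose, but it is not documented where it takes effect: the flag's comment in libceph.h reads only `/* don't sign msgs */`, which describes the send path in ceph_x_sign_message and not this receive path. I would add a comment above this check, such as `/* NOMSGSIGN: incoming signatures are not verified either */`, and widen the header comment to `/* don't sign or verify msgs */`. The function body continues outside the hunk.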
index d1494d1a8592097b25cab67512e70b282b8c4a99..6b4d3a1684de082d21d30a0360465348c15363f1 100644 (file)
@@ -245,6 +245,8 @@ enum {
        Opt_nocrc,
        Opt_cephx_require_signatures,
        Opt_nocephx_require_signatures,
+       Opt_cephx_sign_messages,
+       Opt_nocephx_sign_messages,
        Opt_tcp_nodelay,
        Opt_notcp_nodelay,
 };
@@ -267,6 +269,8 @@ static match_table_t opt_tokens = {
        {Opt_nocrc, "nocrc"},
        {Opt_cephx_require_signatures, "cephx_require_signatures"},
        {Opt_nocephx_require_signatures, "nocephx_require_signatures"},
+       {Opt_cephx_sign_messages, "cephx_sign_messages"},
+       {Opt_nocephx_sign_messages, "nocephx_sign_messages"},
        {Opt_tcp_nodelay, "tcp_nodelay"},
        {Opt_notcp_nodelay, "notcp_nodelay"},
        {-1, NULL}
@@ -491,6 +495,12 @@ ceph_parse_options(char *options, const char *dev_name,
                case Opt_nocephx_require_signatures:
                        opt->flags |= CEPH_OPT_NOMSGAUTH;
                        break;
+               case Opt_cephx_sign_messages:
+                       opt->flags &= ~CEPH_OPT_NOMSGSIGN;
+                       break;
+               case Opt_nocephx_sign_messages:
+                       opt->flags |= CEPH_OPT_NOMSGSIGN;
+                       break;
 
                case Opt_tcp_nodelay:
                        opt->flags |= CEPH_OPT_TCP_NODELAY;
@@ -534,6 +544,8 @@ int ceph_print_client_options(struct seq_file *m, struct ceph_client *client)
                seq_puts(m, "nocrc,");
        if (opt->flags & CEPH_OPT_NOMSGAUTH)
                seq_puts(m, "nocephx_require_signatures,");
+       if (opt->flags & CEPH_OPT_NOMSGSIGN)
+               seq_puts(m, "nocephx_sign_messages,");
        if ((opt->flags & CEPH_OPT_TCP_NODELAY) == 0)
                seq_puts(m, "notcp_nodelay,");
 
index 11108076bac34b77221aaa6b7a46a0b433c4a2a9..0cc5608b2c8fedbf8744cf307d459038755e9ee5 100644 (file)
@@ -2677,7 +2677,7 @@ more:
                if (ret <= 0) {
                        switch (ret) {
                        case -EBADMSG:
-                               con->error_msg = "bad crc";
+                               con->error_msg = "bad crc/signature";
                                /* fall through */
                        case -EBADE:
                                ret = -EIO;
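Review bot: The merged string `"bad crc/signature"` under `case -EBADMSG:` no longer tells an operator whether a message failed its checksum or its cephx signature. Those point to different causes, and a signature failure is the one worth alerting on. Both conditions appear to reach this switch as -EBADMSG, but the code that returns it is outside the hunk, so that is inferred from the new wording. I would keep the two distinguishable, for example by having the signature-check failure path set `con->error_msg = "bad signature";` itself, or return a distinct code, and leaving `"bad crc"` here. The enclosing switch and function start and end outside the hunk.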