From: Ilya Dryomov
Date: Tue, 2 Mar 2021 14:09:26 +0000 (+0100)
Subject: auth/cephx: ignore CEPH_ENTITY_TYPE_AUTH in requested keys
X-Git-Tag: archive/raspbian/12.2.11+dfsg1-2.1+rpi1+deb10u1^2~3
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=53bb1d9dd639205e1efe102ef72f2645acfa7237;p=ceph.git

auth/cephx: ignore CEPH_ENTITY_TYPE_AUTH in requested keys

When handling CEPHX_GET_AUTH_SESSION_KEY requests from nautilus+
clients, ignore CEPH_ENTITY_TYPE_AUTH in CephXAuthenticate::other_keys.
Similarly, when handling CEPHX_GET_PRINCIPAL_SESSION_KEY requests,
ignore CEPH_ENTITY_TYPE_AUTH in CephXServiceTicketRequest::keys.
These fields are intended for requesting service tickets, the auth
ticket (which is really a ticket granting ticket) must not be shared
this way.

Otherwise we end up sharing an auth ticket that a) isn't encrypted
with the old session key even if needed (should_enc_ticket == true)
and b) has the wrong validity, namely auth_service_ticket_ttl instead
of auth_mon_ticket_ttl. In the CEPHX_GET_AUTH_SESSION_KEY case, this
undue ticket immediately supersedes the actual auth ticket already
encoded in the same reply (the reply frame ends up containing two auth
tickets).

Signed-off-by: Ilya Dryomov
(cherry picked from commit 05772ab6127bdd9ed2f63fceef840f197ecd9ea8)

This only applies part of the patch, as the
CephXAuthenticate::other_keys handling isn't present in this version.

Origin: upstream, https://github.com/ceph/ceph/commit/05b3b6a305ddbb56cc53bbeadf5866db4d785f49

Gbp-Pq: Name CVE-2021-20288.patch
---
diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc index b06e0080b..b36490f78 100644 --- a/src/auth/cephx/CephxServiceHandler.cc +++ b/src/auth/cephx/CephxServiceHandler.cc
@@ -169,7 +169,10 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist int service_err = 0; for (uint32_t service_id = 1; service_id <= ticket_req.keys; service_id <<= 1) { - if (ticket_req.keys & service_id) { + // skip CEPH_ENTITY_TYPE_AUTH: auth ticket must be obtained with + // CEPHX_GET_AUTH_SESSION_KEY + if ((ticket_req.keys & service_id) && + service_id != CEPH_ENTITY_TYPE_AUTH) { ldout(cct, 10) << " adding key for service " << ceph_entity_type_name(service_id) << dendl; CephXSessionAuthInfo info;
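
Review bot: The new test `service_id != CEPH_ENTITY_TYPE_AUTH` in the loop condition drops the auth bit from `ticket_req.keys` silently, so a client that requests the auth ticket through this path leaves no trace. The only log line visible in this hunk is the level-10 `adding key for service` message inside the branch, and it is no longer reached for that bit. Consider emitting a log line when the bit is set and skipped, naming the entity type the way the existing message does, so operators can identify clients that still put CEPH_ENTITY_TYPE_AUTH in their requested keys. The added comment says where the auth ticket must be obtained but not why; a short mention of the reasons given in the commit message (the ticket would not be encrypted with the old session key and would carry auth_service_ticket_ttl instead of auth_mon_ticket_ttl) would help whoever reads this condition later.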