XRootD
XrdSecProtocolsss Class Reference

#include <XrdSecProtocolsss.hh>


Classes

struct  Crypto
 

Public Member Functions

 XrdSecProtocolsss (const char *hname, XrdNetAddrInfo &endPoint)
 
int Authenticate (XrdSecCredentials *cred, XrdSecParameters **parms, XrdOucErrInfo *einfo=0)
 
void Delete ()
 Delete the protocol object. DO NOT use C++ delete() on this object. More...
 
XrdSecCredentialsgetCredentials (XrdSecParameters *parms=0, XrdOucErrInfo *einfo=0)
 
int Init_Client (XrdOucErrInfo *erp, const char *Parms)
 
int Init_Server (XrdOucErrInfo *erp, const char *Parms)
 
- Public Member Functions inherited from XrdSecProtocol
 XrdSecProtocol (const char *pName)
 Constructor. More...
 
virtual int Decrypt (const char *inbuff, int inlen, XrdSecBuffer **outbuff)
 
virtual int Encrypt (const char *inbuff, int inlen, XrdSecBuffer **outbuff)
 
virtual int getKey (char *buff=0, int size=0)
 
virtual bool needTLS ()
 Check if this protocol requires TLS to properly function. More...
 
virtual int setKey (char *buff, int size)
 
virtual int Sign (const char *inbuff, int inlen, XrdSecBuffer **outbuff)
 
virtual int Verify (const char *inbuff, int inlen, const char *sigbuff, int siglen)
 

Static Public Member Functions

static int eMsg (const char *epn, int rc, const char *txt1, const char *txt2=0, const char *txt3=0, const char *txt4=0)
 
static int Fatal (XrdOucErrInfo *erP, const char *epn, int rc, const char *etxt)
 
static char * Load_Client (XrdOucErrInfo *erp, const char *Parms)
 
static char * Load_Server (XrdOucErrInfo *erp, const char *Parms)
 

Friends

class XrdSecProtocolDummy
 

Additional Inherited Members

- Public Attributes inherited from XrdSecProtocol
XrdSecEntity Entity
 
- Protected Member Functions inherited from XrdSecProtocol
virtual ~XrdSecProtocol ()
 Destructor (prevents use of direct delete). More...
 

Detailed Description

Definition at line 134 of file XrdSecProtocolsss.cc.


Class Documentation

◆ XrdSecProtocolsss::Crypto

struct XrdSecProtocolsss::Crypto

Definition at line 80 of file XrdSecProtocolsss.hh.

Class Members
const char * cName
char cType

Constructor & Destructor Documentation

◆ XrdSecProtocolsss()

XrdSecProtocolsss::XrdSecProtocolsss ( const char *  hname,
XrdNetAddrInfo endPoint 
)
inline

Definition at line 74 of file XrdSecProtocolsss.hh.

75  : XrdSecProtocol("sss"),
76  keyTab(0), Crypto(0), idBuff(0), dataOpts(0),
77  Sequence(0), v2EndPnt(false)
78  {urName = strdup(hname); setIP(endPoint);}
XrdSecProtocol(const char *pName)
Constructor.

Member Function Documentation

◆ Authenticate()

int XrdSecProtocolsss::Authenticate ( XrdSecCredentials cred,
XrdSecParameters **  parms,
XrdOucErrInfo einfo = 0 
)
virtual

Authenticate a client.

Parameters
cred  Credentials supplied by the client.
parms Place where the address of additional authentication data is to be placed for another authentication handshake.
einfo The error information object where error messages should be placed. The messages are returned to the client. Should einfo be null, messages should be written to stderr.
Returns
> 0 -> parms present (more authentication needed); = 0 -> Entity present (authentication succeeded); < 0 -> einfo present (error has occurred)

Implements XrdSecProtocol.

Definition at line 151 of file XrdSecProtocolsss.cc.

// Server side of the sss handshake: decrypt the client's credential blob with
// the shared key it names, unpack the self-asserted identity items, bind the
// credential to the connection's source address (unless the key opts out), and
// then decide how much of the asserted identity the key is allowed to convey.
// Returns 0 on success with Entity filled in, 1 when a reply must go back
// (LID echo), -1 on any error (see the review note on the two size checks).
//
154 {
155  static const int minLen = sizeof(XrdSecsssRR_Hdr) + XrdSecsssRR_Data_HdrLen;
156  static const int maxLen = XrdSecsssRR_Data::MaxDSz + minLen;
157  static const int Special= XrdSecsssKT::ktEnt::anyUSR
     // NOTE(review): line 158 of the original (the remainder of this
     // initializer, presumably "| XrdSecsssKT::ktEnt::allUSR;" given the
     // reference list for this function) is not shown in this rendering.
159 
160  XrdSecsssRR_Hdr *rrHdr = (XrdSecsssRR_Hdr *)(cred->buffer);
161  XrdSecsssRR_Data *rrData;
162  XrdSecsssKT::ktEnt decKey;
163  Persona myID(&decKey);
164 
165  char *idP, *dP, *eodP, *theIP = 0, *theHost = 0, *atKey = 0, eType;
166  int idNum = 0, idTLen, idSz, dLen;
167  bool badAttr = false;
168 
169 // Make sure we have at least the header plus the data header
170 //
     // NOTE(review): Fatal() always returns 0 (see its definition on this
     // page) and the return contract documented above says 0 means "Entity
     // present, authentication succeeded". Every later error path in this
     // function calls Fatal() and then explicitly returns -1; these two size
     // checks propagate Fatal()'s 0 instead. They should read
     // {Fatal(...); return -1;}. Confirm how the caller treats a 0 return
     // before relying on the current behaviour.
171  if (cred->size < minLen)
172  return Fatal(einfo, "Auth", EINVAL, "Credentials too small.");
173 
174 // Make sure the credentials are not too big (people misuse sss)
175 //
176  if (cred->size > maxLen)
177  return Fatal(einfo, "Auth", EINVAL, "Credentials too big.");
178 
179 // Allocate the buffer from the stack (safe only because cred->size was
180 // bounded by maxLen just above)
180 //
181  rrData = (XrdSecsssRR_Data *)alloca(cred->size);
182 
183 // Decode the credentials; decKey receives the keytab entry that decrypted them,
184 // and its options drive the trust decisions below
184 //
185  if ((dLen = Decode(einfo, decKey, cred->buffer, rrData, cred->size)) <= 0)
186  return -1;
187 
188 // Check if we should echo back the LID
189 //
190  if (rrData->Options == XrdSecsssRR_DataHdr::SndLID)
191  {XrdSecsssRR_DataResp rrResp;
192  char lidBuff[16];
193  rrResp.Options = 0;
194  getLID(lidBuff, sizeof(lidBuff));
195  dP = rrResp.Data;
     // NOTE(review): line 196 of the original is not shown in this rendering.
197  XrdOucPup::Pack(&dP, lidBuff);
198  int n = dP-rrResp.Data + XrdSecsssRR_Data_HdrLen;
199  *parms = Encode(einfo, decKey, rrHdr, &rrResp, n);
200  return (*parms ? 1 : -1);
201  }
202 
203 // Extract out the entity information. Everything unpacked here is client
204 // supplied and untrusted until the key options are applied further down.
204 //
205  dP = rrData->Data; eodP = dP + dLen - XrdSecsssRR_Data_HdrLen;
206  CLDBG("Processing " <<dLen <<" byes");
207  while(dP < eodP)
208  {eType = *dP++;
209  CLDBG("eType=" <<static_cast<int>(eType)
210  <<" Used " <<dP-rrData->Data <<" left " <<eodP-dP);
     // NOTE(review): the "idP &&" test implies Unpack() may yield a null idP
     // (zero-length item). A null idP is later dereferenced unconditionally
     // in the theHost ("*idP == '['") and theAVal (std::string(idP)) cases;
     // confirm Unpack()'s contract or reject a null idP here.
211  if (!XrdOucPup::Unpack(&dP, eodP, &idP, idSz) || (idP && *idP == '\0'))
212  {Fatal(einfo, "Authenticate", EINVAL, "Invalid id string.");
213  return -1;
214  }
215  idNum++;
216  switch(eType)
217  {case XrdSecsssRR_Data::theName: myID.name = idP; break;
218  case XrdSecsssRR_Data::theVorg: myID.vorg = idP; break;
219  case XrdSecsssRR_Data::theRole: myID.role = idP; break;
220  case XrdSecsssRR_Data::theGrps: myID.grps = idP; break;
221  case XrdSecsssRR_Data::theEndo: myID.endo = idP; break;
222  case XrdSecsssRR_Data::theCred: myID.creds = idP;
223  myID.credslen = idSz;break;
     // NOTE(review): line 224 of the original (the theHost case label) is
     // not shown in this rendering. A bracketed value is taken as an IP
     // address, anything else as a host name.
225  if (*idP == '[')
226  myID.host = theIP = idP;
227 
228  else theHost = idP;
229  break;
     // Random padding is not an identification item, so it does not count.
230  case XrdSecsssRR_Data::theRand: idNum--; break;
231 
232  case XrdSecsssRR_Data::theAuth: myID.xAuth = idP; break;
233 
234  case XrdSecsssRR_Data::theTID: myID.pident = idP; break;
     // Attributes arrive as key/value pairs; a key without a value or a value
     // without a key is flagged and rejected after the loop.
235  case XrdSecsssRR_Data::theAKey: if (atKey) badAttr = true;
236  atKey = idP; break;
     // NOTE(review): line 237 of the original (the theAVal case label) is
     // not shown in this rendering.
238  if (!atKey) badAttr = true;
239  else {Entity.eaAPI->Add(std::string(atKey),
240  std::string(idP), true);
241  atKey = 0;
242  }
243  break;
244  case XrdSecsssRR_Data::theUser: myID.xUser = idP; break;
245  case XrdSecsssRR_Data::theGrup: myID.xGrup = idP; break;
246  case XrdSecsssRR_Data::theCaps: myID.caps = idP; break;
247  default: break;
248  }
249  }
250 
251 // Verify that we have some kind of identification
252 //
253  if (!idNum)
254  {Fatal(einfo, "Authenticate", ENOENT, "No identification specified.");
255  return -1;
256  }
257 
258 // Make sure we didn't encounter any attribute errors
259 //
260  if (badAttr)
261  {Fatal(einfo, "Authenticate", EINVAL, "Invalid attribute specification.");
262  return -1;
263  }
264 
265 // Verify the source of the information to largely prevent packet stealing. New
266 // version of the protocol will send an IP address which we preferentially use.
267 // Older version used a hostname. This causes problems for multi-homed machines.
268 //
     // NOTE(review): a key carrying the noIPCK option skips this binding
     // entirely, so a credential encrypted under such a key is accepted from
     // any source address ("forwarded token"). That is the intended proxy
     // use, but it means possession of the key alone is sufficient; grant
     // noIPCK only to keys that genuinely need forwarding.
269 if (!(decKey.Data.Opts & XrdSecsssKT::ktEnt::noIPCK))
270  {if (!theHost && !theIP)
271  {Fatal(einfo,"Authenticate",ENOENT,"No hostname or IP address specified.");
272  return -1;
273  }
274  CLDBG(urName <<' ' <<urIP <<" or " <<urIQ << " must match "
275  <<(theHost ? theHost : "?") <<' ' <<(theIP ? theIP : "[?]"));
     // Either of the two textual forms of our peer address is accepted
     // (urIQ is presumably the alternate/qualified rendering of urIP).
276  if (theIP)
277  {if (strcmp(theIP, urIP) && strcmp(theIP, urIQ))
278  {Fatal(einfo, "Authenticate", EINVAL, "IP address mismatch.");
279  return -1;
280  }
281  } else if (strcmp(theHost, urName))
282  {Fatal(einfo, "Authenticate", EINVAL, "Hostname mismatch.");
283  return -1;
284  }
285  } else {
286  CLDBG(urName <<' ' <<urIP <<" or " <<urIQ << " forwarded token from "
287  <<(theHost ? theHost : "?") <<' ' <<(theIP ? theIP : "[?]"));
288  }
289 
290 // At this point we need to check if this identity can be passed as a clone
291 //
     // NOTE(review): in the clone (proxy) path Entity.prot, uid and gid are
     // taken from the client-asserted xAuth/xUser/xGrup items, i.e. the holder
     // of the key may assert an arbitrary identity for the protocols listed
     // in the server's -p/--proxy option. Clonable() is what gates this;
     // it is not visible here.
292  if (aProts && myID.Clonable(aProts))
293  {strlcpy(Entity.prot, myID.xAuth, sizeof(Entity.prot));
     // NOTE(review): line 294 of the original is not shown in this rendering.
295  if (myID.xUser) XrdOucUtils::getUID(myID.xUser,Entity.uid,&Entity.gid);
296  if (myID.xGrup) XrdOucUtils::getGID(myID.xGrup,Entity.gid);
297  } else {
298  // Set correct username. Only a key flagged anyUSR/allUSR lets the client
298  // choose its own name; otherwise the name is forced to the keytab's user.
299  //
300  if (decKey.Data.Opts & Special)
301  {if (!myID.name) myID.name = (char *)"nobody";}
302  else myID.name = decKey.Data.User;
303 
304  // Set correct group, likewise under control of the key options
305  //
306  if (decKey.Data.Opts & XrdSecsssKT::ktEnt::usrGRP) myID.grps = 0;
307  else {if (decKey.Data.Opts & XrdSecsssKT::ktEnt::anyGRP)
308  {if (!myID.grps) myID.grps = (char *)"nogroup";}
309  else myID.grps = decKey.Data.Grup;
310  }
311 
312  // Set corresponding uid and gid from the local account database
313  //
314  if (myID.name) XrdOucUtils::getUID(myID.name, Entity.uid, &Entity.gid);
315  if (myID.grps) XrdOucUtils::getGID(myID.grps, Entity.gid);
316  }
317 
318 // Calculate the amount of space we will need (urName is counted although it is
319 // referenced in place below, which only over-allocates)
319 //
320  idTLen = strlen(urName)
321  + (myID.name ? strlen(myID.name)+1 : 0)
322  + (myID.vorg ? strlen(myID.vorg)+1 : 0)
323  + (myID.role ? strlen(myID.role)+1 : 0)
324  + (myID.grps ? strlen(myID.grps)+1 : 0)
325  + (myID.caps ? strlen(myID.caps)+1 : 0)
326  + (myID.endo ? strlen(myID.endo)+1 : 0)
327  + (myID.creds ? myID.credslen : 0)
328  + (myID.pident ? strlen(myID.pident)+1 : 0);
329 
330 // Complete constructing our identification. Everything Entity points at is
331 // copied into idBuff so it outlives the stack-allocated rrData.
331 //
332  if (idBuff) free(idBuff);
333  idBuff = idP = (char *)malloc(idTLen);
334  Entity.host = urName;
335  Entity.name = setID(myID.name, &idP);
336  Entity.vorg = setID(myID.vorg, &idP);
337  Entity.role = setID(myID.role, &idP);
338  Entity.grps = setID(myID.grps, &idP);
339  Entity.caps = setID(myID.caps, &idP);
340  Entity.endorsements = setID(myID.endo, &idP);
341 
342  if (myID.pident)
343  {strcpy(idP, myID.pident);
344  Entity.pident = idP;
345  idP += strlen(myID.pident) + 1;
346  }
347 
     // The raw client credential blob (if any) is passed through unverified.
348  if (myID.creds)
349  {memcpy(idP, myID.creds, myID.credslen);
350  Entity.creds = idP;
351  Entity.credslen = myID.credslen;
352  }
353 
354 // All done
355 //
356  return 0;
357 }
#define XrdSecPROTOIDSIZE
Definition: XrdSecEntity.hh:47
#define CLDBG(x)
static const int XrdSecsssRR_Data_HdrLen
Definition: XrdSecsssRR.hh:77
size_t strlcpy(char *dst, const char *src, size_t sz)
static int Unpack(char **buff, const char *bend, char **data, int &dlen)
Definition: XrdOucPup.cc:250
static int Pack(struct iovec **, const char *, unsigned short &buff)
Definition: XrdOucPup.cc:52
static bool getGID(const char *gName, gid_t &gID)
Definition: XrdOucUtils.cc:513
static bool getUID(const char *uName, uid_t &uID, gid_t *gID=0)
Definition: XrdOucUtils.cc:529
bool Add(XrdSecAttr &attr)
char * vorg
Entity's virtual organization(s)
Definition: XrdSecEntity.hh:71
const char * pident
Trace identifier (originator)
Definition: XrdSecEntity.hh:82
int credslen
Length of the 'creds' data.
Definition: XrdSecEntity.hh:78
XrdSecEntityAttr * eaAPI
non-const API to attributes
Definition: XrdSecEntity.hh:92
char prot[XrdSecPROTOIDSIZE]
Auth protocol used (e.g. krb5)
Definition: XrdSecEntity.hh:67
char * caps
Entity's capabilities.
Definition: XrdSecEntity.hh:74
char * creds
Raw entity credentials or cert.
Definition: XrdSecEntity.hh:77
gid_t gid
Unix gid or 0 if none.
Definition: XrdSecEntity.hh:87
char * grps
Entity's group name(s)
Definition: XrdSecEntity.hh:73
uid_t uid
Unix uid or 0 if none.
Definition: XrdSecEntity.hh:86
char * name
Entity's name.
Definition: XrdSecEntity.hh:69
char * role
Entity's role(s)
Definition: XrdSecEntity.hh:72
char * endorsements
Protocol specific endorsements.
Definition: XrdSecEntity.hh:75
char * host
Entity's host name dnr dependent.
Definition: XrdSecEntity.hh:70
XrdSecEntity Entity
static const int anyUSR
Definition: XrdSecsssKT.hh:67
struct XrdSecsssKT::ktEnt::ktData Data
static const int noIPCK
Definition: XrdSecsssKT.hh:70
static const int anyGRP
Definition: XrdSecsssKT.hh:68
static const int allUSR
Definition: XrdSecsssKT.hh:66
static const int usrGRP
Definition: XrdSecsssKT.hh:69
char * buffer
Pointer to the buffer.
int size
Size of the buffer or length of data in the buffer.
static int Fatal(XrdOucErrInfo *erP, const char *epn, int rc, const char *etxt)
static const char SndLID
Definition: XrdSecsssRR.hh:72
char Data[XrdSecsssRR_Data::MinDSz+16]
Definition: XrdSecsssRR.hh:113
static const char theHost
Definition: XrdSecsssRR.hh:106
static const char theUser
Definition: XrdSecsssRR.hh:101
static const char theAKey
Definition: XrdSecsssRR.hh:99
static const char theCaps
Definition: XrdSecsssRR.hh:103
char Data[DataSz]
Definition: XrdSecsssRR.hh:85
static const char theAuth
Definition: XrdSecsssRR.hh:97
static const char theRole
Definition: XrdSecsssRR.hh:91
static const char theName
Definition: XrdSecsssRR.hh:89
static const char theLgid
Definition: XrdSecsssRR.hh:105
static const char theGrps
Definition: XrdSecsssRR.hh:92
static const char theRand
Definition: XrdSecsssRR.hh:95
static const char theEndo
Definition: XrdSecsssRR.hh:93
static const char theAVal
Definition: XrdSecsssRR.hh:100
static const char theVorg
Definition: XrdSecsssRR.hh:90
static const char theGrup
Definition: XrdSecsssRR.hh:102
static const char theTID
Definition: XrdSecsssRR.hh:98
static const int MaxDSz
Definition: XrdSecsssRR.hh:82
static const char theCred
Definition: XrdSecsssRR.hh:94

References XrdSecEntityAttr::Add(), XrdSecsssKT::ktEnt::allUSR, XrdSecsssKT::ktEnt::anyGRP, XrdSecsssKT::ktEnt::anyUSR, XrdSecBuffer::buffer, XrdSecEntity::caps, CLDBG, XrdSecEntity::creds, XrdSecEntity::credslen, XrdSecsssKT::ktEnt::Data, XrdSecsssRR_Data::Data, XrdSecsssRR_DataResp::Data, XrdSecEntity::eaAPI, XrdSecEntity::endorsements, XrdSecProtocol::Entity, Fatal(), XrdOucUtils::getGID(), XrdOucUtils::getUID(), XrdSecEntity::gid, XrdSecEntity::grps, XrdSecsssKT::ktEnt::ktData::Grup, XrdSecEntity::host, XrdSecsssRR_Data::MaxDSz, XrdSecEntity::name, XrdSecsssKT::ktEnt::noIPCK, XrdSecsssRR_DataHdr::Options, XrdSecsssKT::ktEnt::ktData::Opts, XrdOucPup::Pack(), XrdSecEntity::pident, XrdSecEntity::prot, XrdSecEntity::role, XrdSecBuffer::size, XrdSecsssRR_DataHdr::SndLID, strlcpy(), XrdSecsssRR_Data::theAKey, XrdSecsssRR_Data::theAuth, XrdSecsssRR_Data::theAVal, XrdSecsssRR_Data::theCaps, XrdSecsssRR_Data::theCred, XrdSecsssRR_Data::theEndo, XrdSecsssRR_Data::theGrps, XrdSecsssRR_Data::theGrup, XrdSecsssRR_Data::theHost, XrdSecsssRR_Data::theLgid, XrdSecsssRR_Data::theName, XrdSecsssRR_Data::theRand, XrdSecsssRR_Data::theRole, XrdSecsssRR_Data::theTID, XrdSecsssRR_Data::theUser, XrdSecsssRR_Data::theVorg, XrdSecEntity::uid, XrdOucPup::Unpack(), XrdSecsssKT::ktEnt::ktData::User, XrdSecsssKT::ktEnt::usrGRP, XrdSecEntity::vorg, XrdSecPROTOIDSIZE, and XrdSecsssRR_Data_HdrLen.


◆ Delete()

void XrdSecProtocolsss::Delete ( )
virtual

Delete the protocol object. DO NOT use C++ delete() on this object.

Implements XrdSecProtocol.

Definition at line 433 of file XrdSecProtocolsss.cc.

void XrdSecProtocolsss::Delete()
{
// Release the per-instance allocations. urName is also what Entity.host points
// to, so nothing may touch the entity after this. free(0) is a no-op.
//
   free(urName);
   free(idBuff);

// The crypto and keytab objects may be the process-wide shared instances that
// Load_Server()/Load_Client() created (CryptObj/ktObject); those outlive every
// protocol object and must not be destroyed here. delete of a null is a no-op.
//
   if (Crypto != CryptObj) delete Crypto;
   if (keyTab != ktObject) delete keyTab;

// Objects of this class are only ever destroyed through Delete().
//
   delete this;
}

Referenced by XrdSecProtocolsssObject().


◆ eMsg()

int XrdSecProtocolsss::eMsg ( const char *  epn,
int  rc,
const char *  txt1,
const char *  txt2 = 0,
const char *  txt3 = 0,
const char *  txt4 = 0 
)
static

Definition at line 450 of file XrdSecProtocolsss.cc.

int XrdSecProtocolsss::eMsg(const char *epname, int rc, const char *txt1,
                            const char *txt2, const char *txt3, const char *txt4)
{
// Write a diagnostic to stderr in the form
//   Secsss (<epname>): <txt1>[; <strerror(rc)>][<txt2>][<txt3>][<txt4>]
// and hand back a value callers can return as a failure code: rc is negated
// when positive, passed through when already negative, and -1 when it is 0.
//
   std::cerr << "Secsss (" << epname << "): " << txt1;
   if (rc > 0) std::cerr << "; " << XrdSysE2T(rc);
   if (txt2)   std::cerr << txt2;
   if (txt3)   std::cerr << txt3;
   if (txt4)   std::cerr << txt4;
   std::cerr << std::endl;

   if (rc == 0) return -1;
   return (rc < 0 ? rc : -rc);
}
const char * XrdSysE2T(int errcode)
Definition: XrdSysE2T.cc:104

References XrdSysE2T().

Referenced by Fatal().


◆ Fatal()

int XrdSecProtocolsss::Fatal ( XrdOucErrInfo erP,
const char *  epn,
int  rc,
const char *  etxt 
)
static

Definition at line 520 of file XrdSecProtocolsss.cc.

int XrdSecProtocolsss::Fatal(XrdOucErrInfo *erP, const char *epn, int rc,
                             const char *etxt)
{
// Report an error either through the supplied error object (the message is then
// returned to the peer; only a trace is emitted locally) or, when there is no
// error object, on stderr via eMsg().
//
// Always returns 0. That is the failure value for Init_Client()/Init_Server(),
// which return 1 on success and write "return Fatal(...)". It is NOT a failure
// value for Authenticate(), whose contract treats 0 as success: callers there
// must call Fatal() and then return -1 themselves.
//
   if (!erP)
      {eMsg(epn, rc, etxt);
       return 0;
      }

   erP->setErrInfo(rc, etxt);
   CLDBG(epn <<": " <<etxt);
   return 0;
}
int setErrInfo(int code, const char *emsg)
static int eMsg(const char *epn, int rc, const char *txt1, const char *txt2=0, const char *txt3=0, const char *txt4=0)

References CLDBG, eMsg(), and XrdOucErrInfo::setErrInfo().

Referenced by Authenticate(), getCredentials(), Init_Client(), Load_Client(), Load_Server(), and XrdSecProtocolsssObject().


◆ getCredentials()

XrdSecCredentials * XrdSecProtocolsss::getCredentials ( XrdSecParameters parm = 0,
XrdOucErrInfo einfo = 0 
)
virtual

Generate client credentials to be used in the authentication process.

Parameters
parm  Pointer to the information returned by the server either in the initial login response or the authmore response.
einfo The error information object where error messages should be placed. The messages are returned to the client. Should einfo be null, messages should be written to stderr.
Returns
Success: Pointer to credentials to be sent to the server. The caller is responsible for deleting the object. Failure: Null pointer with einfo, if supplied, containing the reason for the failure.

Implements XrdSecProtocol.

Definition at line 633 of file XrdSecProtocolsss.cc.

// Client side: assemble the identity data for this connection, pick an
// encryption key from the keytab, build the wire header and hand everything to
// Encode(). Returns the encrypted credentials or 0 with einfo describing why.
//
635 {
636  static const int nOpts = XrdNetUtils::oldFmt;
637  XrdSecsssRR_Hdr2 rrHdr;
638  sssRR_DataHdr rrDataHdr;
639  XrdSecsssKT::ktEnt encKey;
640  XrdOucEnv *errEnv;
641 
642  const char *myIP = 0, *myUD = 0;
643  char ipBuff[64];
644  int dLen;
645 
646 // Make sure we can extract out required information and get it as needed. The
647 // user name is only consulted when identities are mapped; the local socket
647 // address is taken from the environment or derived from the socket itself.
647 //
648  if (einfo && (errEnv=einfo->getEnv()))
649  {if (isMapped) myUD = errEnv->Get("username");
650  if (!(myIP=errEnv->Get("sockname")))
651  {int fd = epAddr->SockFD();
     // The negative fd form of IPFormat() is what selects the local address;
     // fd 0 is deliberately excluded because -0 would not encode that.
652  if (fd > 0 && XrdNetUtils::IPFormat(-fd,ipBuff,sizeof(ipBuff),nOpts))
653  myIP = ipBuff;
654  else myIP = 0;
655  }
656  }
657 
658 // Do some debugging here
659 //
660  CLDBG("getCreds: " <<static_cast<int>(Sequence)
661  << " ud: '" <<(myUD ? myUD : "")
662  <<"' ip: '" <<(myIP ? myIP : "") <<"'");
663 
664 // Get the actual data portion. On the first round parms is not consulted;
665 // afterwards the server's reply (parms) is fed in. A zero length means getCred()
665 // failed (presumably having set einfo).
665 //
666  if (Sequence) dLen = getCred(einfo, rrDataHdr.P, myUD, myIP, parms);
667  else dLen = getCred(einfo, rrDataHdr.P, myUD, myIP);
668  if (!dLen) return (XrdSecCredentials *)0;
669 
670 // Get an encryption key
671 //
672  if (keyTab->getKey(encKey))
673  {Fatal(einfo, "getCredentials", ENOENT, "Encryption key not found.");
674  return (XrdSecCredentials *)0;
675  }
676 
677 // Fill out the header. rrHdr is an uninitialized stack object, so the pad
678 // bytes are zeroed explicitly rather than letting stack residue go on the wire.
678 //
679  strcpy(rrHdr.ProtID, XrdsssPROTOIDENT);
680  memset(rrHdr.Pad, 0, sizeof(rrHdr.Pad));
681  rrHdr.KeyID = htonll(encKey.Data.ID);
682  rrHdr.EncType = Crypto->Type();
683 
684 // Determine if we should send the keyname (v2 servers only). The name is padded
685 // with zeros to a multiple of 8 bytes and knSize carries the padded length.
685 //
     // NOTE(review): n may exceed strlen(Name)+1 by up to 7 bytes and is
     // stored in a uint8_t; this assumes keyName (NameSZ) has room for the
     // padded length and that names are shorter than 248 bytes - confirm
     // against XrdSecsssKT::ktEnt::NameSZ.
686  if (v2EndPnt)
687  {int k = strlen(encKey.Data.Name), n = (k + 8) & ~7;
688  strcpy(rrHdr.keyName, encKey.Data.Name);
689  if (n - k > 1) memset(rrHdr.keyName + k, 0, n - k);
690  rrHdr.knSize = static_cast<uint8_t>(n);
691  } else rrHdr.knSize = 0;
692 
693 // Now simply encode the data and return the result
694 //
695  return Encode(einfo, encKey, &rrHdr, rrDataHdr.P, dLen);
696 }
#define XrdsssPROTOIDENT
virtual char Type()
static int IPFormat(const struct sockaddr *sAddr, char *bP, int bL, int opts=0)
Definition: XrdNetUtils.cc:584
static const int oldFmt
Definition: XrdNetUtils.hh:256
char * Get(const char *varname)
Definition: XrdOucEnv.hh:69
XrdOucEnv * getEnv()
int getKey(ktEnt &ktEql, bool andKeyID=false)
Definition: XrdSecsssKT.cc:207
Generic structure to pass security information back and forth.
char keyName[XrdSecsssKT::ktEnt::NameSZ]
Definition: XrdSecsssRR.hh:59
long long KeyID
Definition: XrdSecsssRR.hh:49

References CLDBG, XrdSecsssKT::ktEnt::Data, XrdSecsssRR_Hdr::EncType, Fatal(), XrdOucEnv::Get(), XrdOucErrInfo::getEnv(), XrdSecsssKT::getKey(), XrdSecsssKT::ktEnt::ktData::ID, XrdNetUtils::IPFormat(), XrdSecsssRR_Hdr::KeyID, XrdSecsssRR_Hdr2::keyName, XrdSecsssRR_Hdr::knSize, XrdSecsssKT::ktEnt::ktData::Name, XrdNetUtils::oldFmt, XrdSecsssRR_Hdr::Pad, XrdSecsssRR_Hdr::ProtID, XrdNetAddrInfo::SockFD(), and XrdsssPROTOIDENT.


◆ Init_Client()

int XrdSecProtocolsss::Init_Client ( XrdOucErrInfo erp,
const char *  Parms 
)

Definition at line 726 of file XrdSecProtocolsss.cc.

int XrdSecProtocolsss::Init_Client(XrdOucErrInfo *erp, const char *pP)
{
   XrdSysMutexHelper initMon(&initMutex);
   struct stat buf;
   char *Colon;
   int lifeTime;

// The server hands us "<enccode>.[+][0]<lifetime>:<keytab>" (see Load_Server).
// Returns 1 on success, 0 on failure (Fatal() yields 0).
//
   if (!pP || !*pP)
      return Fatal(erp, "Init_Client", EINVAL, "Client parameters missing.");

// <enccode> is a single character that must be followed by a dot
//
   if (*(pP+1) != '.')
      return Fatal(erp, "Init_Client", EINVAL, "Encryption type missing.");
   Crypto = Load_Crypto(erp, *pP);
   if (!Crypto) return 0;
   pP += 2;

// A leading '+' marks a v2 server; "+0" additionally asks us to send credentials
//
   if (*pP == '+')
      {v2EndPnt = true;
       dataOpts |= XrdSecsssEnt::addExtra;
       if (pP[1] == '0') dataOpts |= XrdSecsssEnt::addCreds;
      }

// Credential lifetime (strtol() skips the optional '+'); it must be followed by
// the colon that introduces the keytab path
//
   lifeTime = strtol(pP, &Colon, 10);
   if (!lifeTime || *Colon != ':')
      return Fatal(erp, "Init_Client", EINVAL, "Credential lifetime missing.");
   deltaTime = lifeTime;
   pP = Colon+1;

// Select the keytab. A pinned keytab (ktFixed) or an already loaded one with the
// same path always wins; otherwise a server-supplied absolute path that exists
// locally is loaded; otherwise fall back to whatever Load_Client() loaded.
//
// NOTE(review): unless the client pinned a keytab via xrd.sss/XrdSecSSSKT (see
// Load_Client), the server chooses which local file is read as the key table.
// XrdSecsssKT is assumed to validate the file; confirm that assumption.
//
   if (ktFixed || (ktObject && ktObject->Same(pP)))
      keyTab = ktObject;
   else if (*pP != '/' || stat(pP, &buf))
      keyTab = ktObject;
   else
      {XrdSecsssKT *ktP = new XrdSecsssKT(erp, pP, XrdSecsssKT::isClient, 3600);
       if (!ktP)
          return Fatal(erp, "Init_Client", ENOMEM,
                       "Unable to create keytab object.");
       // erp is assumed non-null here (Fatal tolerates a null erp, this does not)
       if (erp->getErrInfo()) {delete ktP; return 0;}
       if (!ktObject) ktObject = ktP;
       keyTab = ktP;
       CLDBG("Client keytab='" <<pP <<"'");
      }

   if (!keyTab)
      return Fatal(erp, "Init_Client", ENOENT,
                   "Unable to determine keytab location.");

// All done
//
   return 1;
}
int stat(const char *path, struct stat *buf)
static const int addExtra
Add v2 data.
Definition: XrdSecsssEnt.hh:77
static const int addCreds
Add v2 data plus creds.
Definition: XrdSecsssEnt.hh:78
int Same(const char *path)
Definition: XrdSecsssKT.hh:109

References XrdSecsssEnt::addCreds, XrdSecsssEnt::addExtra, CLDBG, Fatal(), XrdOucErrInfo::getErrInfo(), XrdSecsssKT::isClient, XrdSecsssKT::Same(), and stat().

Referenced by XrdSecProtocolsssObject().


◆ Init_Server()

int XrdSecProtocolsss::Init_Server ( XrdOucErrInfo erp,
const char *  Parms 
)

Definition at line 787 of file XrdSecProtocolsss.cc.

int XrdSecProtocolsss::Init_Server(XrdOucErrInfo *, const char *)
{
// Every server-side protocol object shares the process-wide keytab and crypto
// objects that Load_Server() created; Delete() recognizes these two pointers
// and leaves them alone. Nothing here can fail, so always report success (1).
//
   keyTab = ktObject;
   Crypto = CryptObj;
   return 1;
}

Referenced by XrdSecProtocolsssObject().


◆ Load_Client()

char * XrdSecProtocolsss::Load_Client ( XrdOucErrInfo erp,
const char *  Parms 
)
static

Definition at line 801 of file XrdSecProtocolsss.cc.

// One-time client initialization: record our host name, discover the identity
// registry mode, and locate (and load) the default keytab. Returns "" on
// success (there are no client parameters to pass on) or 0 on failure.
//
802 {
803  static const char *KTPath = XrdSecsssKT::genFN();
804  static const int rfrHR = 60*60;
805  struct stat buf;
     // NOTE(review): line 806 of the original (presumably the declaration of
     // aType used below) is not shown in this rendering.
807  const char *kP = 0;
808  char *myName;
809 
810 // Get our full host name
811 //
812  if (!(myName = XrdNetUtils::MyHostName(0)))
813  {Fatal(erp, "Load_Client", ENOENT, "Unable to obtain local hostname.");
814  return (char *)0;
815  }
816 
817 // Tell the entity serialization object who we are
818 //
     // NOTE(review): line 819 of the original (the XrdSecsssEnt::setHostName
     // call listed in the references) is not shown in this rendering.
820  free(myName);
821 
822 // Check for the presence of a registry object and derive the mutual/mapped
823 // flags from its type; only the dynamic and mapped modes keep the map itself.
823 //
824  idMap = XrdSecsssID::getObj(aType, staticID);
825  switch(aType)
826  {case XrdSecsssID::idDynamic: isMutual = true; break;
827  case XrdSecsssID::idStaticM: isMutual = true;
828  idMap = 0; break;
829  case XrdSecsssID::idStatic: idMap = 0; break;
830  case XrdSecsssID::idMapped: isMapped = true; break;
831  case XrdSecsssID::idMappedM: isMapped = true; break;
832  default: idMap = 0; break;
833  }
834 
835 // We want to establish the default location of the keytable. First check
836 // the environment passed from the client then the envar. We support two
837 // versions of the envar for backward compatibility due to an early mistake.
838 //
     // A keytab named either way is pinned (ktFixed): Init_Client() will then
     // ignore any keytab path the server proposes. Note that the xrd.sss value
     // is accepted without the stat() check applied to the envars.
839  if( erp && erp->getEnv() && ( kP = erp->getEnv()->Get( "xrd.sss" ) ) )
840  ktFixed = true;
841  else if ( ( (kP = getenv("XrdSecSSSKT")) || (kP = getenv("XrdSecsssKT")) )
842  && *kP && !stat(kP, &buf))
843  ktFixed = true;
844  else kP = 0;
845 
     // The conventional default path is used, un-pinned, when it exists.
846  if (!kP && !stat(KTPath, &buf)) kP = KTPath;
847 
848 // Build the keytable if we actually have a path (if none, then the server
849 // will have to supply the path)
850 //
851  if (kP)
852  {if (!(ktObject=new XrdSecsssKT(erp,kP,XrdSecsssKT::isClient,rfrHR)))
853  {Fatal(erp, "Load_Client", ENOMEM, "Unable to create keytab object.");
854  return (char *)0;
855  }
     // NOTE(review): erp is dereferenced here although it was null-checked
     // above; confirm callers always supply an error object.
856  if (erp->getErrInfo())
857  {delete ktObject, ktObject = 0; return (char *)0;}
858  CLDBG("Client keytab='" <<kP <<"'");
859  }
860 
861 // All done
862 //
863  return (char *)"";
864 }
static char * MyHostName(const char *eName="*unknown*", const char **eText=0)
Definition: XrdNetUtils.cc:667
static void setHostName(const char *hnP)
static char * genFN()
Definition: XrdSecsssKT.cc:249

References CLDBG, Fatal(), XrdSecsssKT::genFN(), XrdOucEnv::Get(), XrdOucErrInfo::getEnv(), XrdOucErrInfo::getErrInfo(), XrdSecsssID::idDynamic, XrdSecsssID::idMapped, XrdSecsssID::idMappedM, XrdSecsssID::idStatic, XrdSecsssID::idStaticM, XrdSecsssKT::isClient, XrdNetUtils::MyHostName(), XrdSecsssEnt::setHostName(), and stat().

Referenced by XrdSecProtocolsssInit().


◆ Load_Server()

char * XrdSecProtocolsss::Load_Server ( XrdOucErrInfo erp,
const char *  Parms 
)
static

Definition at line 934 of file XrdSecProtocolsss.cc.

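char *XrdSecProtocolsss::Load_Server(XrdOucErrInfo *erp, const char *parms)
{
   const char *msg = 0;
   const char *encName = "bf32", *ktClient = "", *ktServer = 0;
   char buff[2048], parmbuff[2048], *op, *od, *eP;
   int lifeTime = 13, rfrTime = 60*60;
   XrdOucTokenizer inParms(parmbuff);
   const char *ask4Creds = "";

// One-time server initialization from the "sec.protocol sss" configuration
// line. Builds the process-wide crypto and keytab objects and returns the
// parameter string handed to clients ("<enccode>.+[0]<lifetime>:<keytab>"),
// or 0 after reporting the problem through erp.
//
// Work on a private copy of the parameter string.
//
   parmbuff[0] = 0;
   if (parms) strlcpy(parmbuff, parms, sizeof(parmbuff));

// Expected parameters: [{-c | --clientkt} <ckt_path>]
//                      [{-e | --encrypt} <enctype>]
//                      [{-g | --getcreds}]
//                      [{-k | --keyname}]
//                      [{-l | --lifetime} <minutes>]
//                      [{-p | --proxy} <prots>]
//                      [{-r | --refresh} <minutes>]
//                      [{-s | --serverkt} <skt_path>]
//
// The historical misspellings "--rfresh" and "-serverkt" are still accepted so
// existing configurations keep working.
//
// NOTE(review): -l is scaled by 60 below (i.e. parsed as minutes) although it
// was previously documented as <seconds>, while the default lifeTime of 13 is
// not scaled. Confirm the intended unit.
//
   if (parms && inParms.GetLine())
      while((op = inParms.GetToken()))
           {// Flag options that take no argument
            //
            if (!strcmp("-k", op) || !strcmp("--keyname", op))
               {sssUseKN = true;
                continue;
               }
            if (!strcmp("-g", op) || !strcmp("--getcreds", op))
               {ask4Creds = "0";
                continue;
               }

            // Everything else takes exactly one argument. The option text comes
            // from the configuration and may be long, so never sprintf() it.
            //
            if (!(od = inParms.GetToken()))
               {snprintf(buff, sizeof(buff),
                         "Secsss: Missing %s parameter argument", op);
                msg = buff; break;
               }

            if (!strcmp("-c", op) || !strcmp("--clientkt", op))
               ktClient = od;
            else if (!strcmp("-e", op) || !strcmp("--encrypt", op))
               encName = od;
            else if (!strcmp("-l", op) || !strcmp("--lifetime", op))
               {errno = 0;   // strtol() only sets errno on failure; drop stale values
                lifeTime = strtol(od, &eP, 10) * 60;
                if (errno || *eP || lifeTime < 1)
                   {msg = "Secsss: Invalid life time"; break;}
               }
            else if (!strcmp("-p", op) || !strcmp("--proxy", op))
               {int n = strlen(od) + 2;
                if (aProts) free(aProts);   // a repeated -p replaces, not leaks
                aProts = (char *)malloc(n);
                *aProts = ':';               // leading ':' makes each entry ":prot"
                strcpy(aProts+1, od);
               }
            else if (!strcmp("-r", op) || !strcmp("--refresh", op)
                 ||  !strcmp("--rfresh", op))
               {errno = 0;
                rfrTime = strtol(od, &eP, 10) * 60;
                if (errno || *eP || rfrTime < 600)
                   {msg = "Secsss: Invalid refresh time"; break;}
               }
            else if (!strcmp("-s", op) || !strcmp("--serverkt", op)
                 ||  !strcmp("-serverkt", op))
               ktServer = od;
            else {snprintf(buff, sizeof(buff),
                           "Secsss: Invalid parameter - %s", op);
                  msg = buff; break;
                 }
           }

// Check for errors
//
   if (msg) {Fatal(erp, "Load_Server", EINVAL, msg); return (char *)0;}

// Load the right crypto object
//
   if (!(CryptObj = Load_Crypto(erp, encName))) return (char *)0;

// Supply default keytab location if not specified
//
   if (!ktServer) ktServer = XrdSecsssKT::genFN();

// Set the delta time used to expire credentials
//
   deltaTime = lifeTime;

// Create a keytab object (only one for the server)
//
   if (!(ktObject = new XrdSecsssKT(erp, ktServer, XrdSecsssKT::isServer,
                                    rfrTime)))
      {Fatal(erp, "Load_Server", ENOMEM, "Unable to create keytab object.");
       return (char *)0;
      }
   // erp is assumed non-null here (Fatal tolerates a null erp, this does not)
   if (erp->getErrInfo()) return (char *)0;
   ktFixed = true;
   CLDBG("Server keytab='" <<ktServer <<"'");

// Construct client parameter <enccode>.+<lifetime>:<keytab>
// Note: The plus preceding the <lifetime> indicates that we are a V2 server.
//       V1 clients will simply ignore this and treat us as a V1 server. The
//       optional "0" after the plus (from -g) asks the client to send creds.
//       ktClient is configuration supplied and unbounded, so guard the buffer.
//
   int n = snprintf(buff, sizeof(buff), "%c.+%s%d:%s",
                    CryptObj->Type(), ask4Creds, lifeTime, ktClient);
   if (n < 0 || n >= (int)sizeof(buff))
      {Fatal(erp, "Load_Server", EINVAL, "Client keytab path too long.");
       return (char *)0;
      }
   CLDBG("client parms='" <<buff <<"'");
   return strdup(buff);
}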

References CLDBG, Fatal(), XrdSecsssKT::genFN(), XrdOucErrInfo::getErrInfo(), XrdOucTokenizer::GetLine(), XrdOucTokenizer::GetToken(), XrdSecsssKT::isServer, strlcpy(), and XrdCryptoLite::Type().

Referenced by XrdSecProtocolsssInit().


Friends And Related Function Documentation

◆ XrdSecProtocolDummy

friend class XrdSecProtocolDummy
friend

Definition at line 47 of file XrdSecProtocolsss.hh.


The documentation for this class was generated from the following files: