XrdSecProtocolgsi.cc File Reference
#include <unistd.h>
#include <cctype>
#include <cerrno>
#include <cstdlib>
#include <strings.h>
#include <cstdio>
#include <sys/param.h>
#include <pwd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <dirent.h>
#include <iostream>
#include <new>
#include "XrdVersion.hh"
#include "XrdNet/XrdNetAddr.hh"
#include "XrdSec/XrdSecEntityAttr.hh"
#include "XrdSys/XrdSysHeaders.hh"
#include "XrdSys/XrdSysLogger.hh"
#include "XrdSys/XrdSysError.hh"
#include "XrdOuc/XrdOucPinLoader.hh"
#include "XrdOuc/XrdOucStream.hh"
#include "XrdOuc/XrdOucEnv.hh"
#include "XrdSut/XrdSutAux.hh"
#include "XrdCrypto/XrdCryptoMsgDigest.hh"
#include "XrdCrypto/XrdCryptoX509Chain.hh"
#include "XrdCrypto/XrdCryptoX509Req.hh"
#include "XrdSecgsi/XrdSecProtocolgsi.hh"
#include "XrdSecgsi/XrdSecgsiOpts.hh"


Macros

#define POPTS(t, y)   {if (t) {std::cerr <<"Secgsi" <<y <<'\n' << std::flush;}}
 

Functions

static bool AuthzFunCheck (XrdSutCacheEntry *e, void *a)
 
static const char * ClientStepStr (int kclt)
 
static bool GetCACheck (XrdSutCacheEntry *e, void *a)
 
static bool GetSrvCertEntCheck (XrdSutCacheEntry *e, void *a)
 
static bool QueryGMAPCheck (XrdSutCacheEntry *e, void *a)
 
static bool QueryProxyCheck (XrdSutCacheEntry *e, void *a)
 
static const char * ServerStepStr (int ksrv)
 
char * XrdSecProtocolgsiInit (const char mode, const char *parms, XrdOucErrInfo *erp)
 
XrdSecProtocolXrdSecProtocolgsiObject (const char mode, const char *hostname, XrdNetAddrInfo &endPoint, const char *parms, XrdOucErrInfo *erp)
 
 XrdVERSIONINFO (XrdSecProtocolgsiObject, secgsi)
 

Variables

static const char * gGSErrStr []
 
static const char * gNoPadTag = "nopad"
 
static const char * gsiClientSteps []
 
static const char * gsiServerSteps []
 
XrdOucTracegsiTrace = 0
 
static const char * gUsrPxyDef = "/tmp/x509up_u"
 
static const int kOneDay = 86400
 
static String Prefix = "xrd"
 
static String ProtoID = XrdSecPROTOIDENT
 
static const kXR_int32 Version = XrdSecgsiVERSION
 

Macro Definition Documentation

◆ POPTS

#define POPTS(t, y)   {if (t) {std::cerr <<"Secgsi" <<y <<'\n' << std::flush;}}

Definition at line 68 of file XrdSecProtocolgsi.cc.

Function Documentation

◆ AuthzFunCheck()

static bool AuthzFunCheck ( XrdSutCacheEntry e,
void *  a 
)
static

Definition at line 1720 of file XrdSecProtocolgsi.cc.

static bool AuthzFunCheck(XrdSutCacheEntry *e, void *a) {
   // Cache-lookup predicate for cached authz-function results.
   // Returns true when entry 'e' is in the reference status and has not
   // expired; an expired entry is moved to the "expired" status and false is
   // returned. The arguments are unpacked from the XrdSutCacheArg_t that 'a'
   // points to:
   //   arg1  status the entry must have to be considered (st_ref)
   //   arg2  reference time (ts_ref)
   //   arg3  validity window in seconds, <= 0 disables the window (to_ref)
   //   arg4  status assigned to an entry found expired (st_exp)
   const XrdSutCacheArg_t *arg = (const XrdSutCacheArg_t *)a;
   int st_ref = arg->arg1;
   time_t ts_ref = (time_t)arg->arg2;
   long to_ref = arg->arg3;
   int st_exp = arg->arg4;

   if (!e || e->status != st_ref) return false;

   // Window check: the entry is older than 'to_ref' seconds at the reference time
   bool expired = (to_ref > 0) && ((ts_ref - e->mtime) > to_ref);
   // NOTE(review): buf2.buf is dereferenced unconditionally; a NULL buffer
   // would crash here — confirm every entry in status st_ref carries one.
   // NOTE(review): the comparison is 'to_ref > notafter' (a window length
   // against what reads like an absolute time); confirm this is intended
   // before relying on the notafter expiry.
   int notafter = *((int *)e->buf2.buf);
   if (to_ref > notafter) expired = true;

   if (!expired) return true;
   // Invalidate the entry so a stale decision is not reused
   e->status = st_exp;
   return false;
}

References XrdSutCacheEntryBuf::buf, XrdSutCacheEntry::buf2, XrdSutCacheEntry::mtime, and XrdSutCacheEntry::status.

Referenced by XrdSecProtocolgsi::Authenticate().


◆ ClientStepStr()

static const char* ClientStepStr ( int  kclt)
static

Definition at line 223 of file XrdSecProtocolgsi.cc.

static const char *ClientStepStr(int kclt)
{
   // Map a client handshake step code to its printable name.
   // Negative codes and codes above kXGC_reserved fold to index 0; codes from
   // kXGC_certreq upwards are rebased so that kXGC_certreq maps to index 1.
   static const char *ukn = "Unknown";

   int idx = kclt;
   if (idx < 0) idx = 0;
   if (idx > kXGC_reserved) idx = 0;
   if (idx >= kXGC_certreq) idx = idx - kXGC_certreq + 1;

   // Range guard kept as a safety net for the table lookup
   const int last = kXGC_reserved - kXGC_certreq + 1;
   if (idx < 0 || idx > last) return ukn;
   return gsiClientSteps[idx];
}

References gsiClientSteps, kXGC_certreq, and kXGC_reserved.

Referenced by XrdSecProtocolgsi::Authenticate(), and XrdSecProtocolgsi::getCredentials().


◆ GetCACheck()

static bool GetCACheck ( XrdSutCacheEntry e,
void *  a 
)
static

Definition at line 4623 of file XrdSecProtocolgsi.cc.

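static bool GetCACheck(XrdSutCacheEntry *e, void *a) {
   // Cache-lookup predicate for CA entries.
   // Returns true when the entry holds a CA chain that is still valid and
   // whose CRL satisfies the requested check level; returns false when the
   // entry is missing, the chain is no longer valid, or the CRL has to be
   // (re)loaded. The arguments come from the XrdSutCacheArg_t 'a' points to:
   //   arg1  CRL check level (crl_check): 2 requires a CRL to be present,
   //         3 requires a non-expired CRL (levels as documented for
   //         XrdSecGSICRLCHECK in XrdSecProtocolgsiInit)
   //   arg2  CRL refresh period in seconds, <= 0 disables it (crl_refresh)
   //   arg3  reference time (ts_ref)
   EPNAME("GetCACheck");

   const XrdSutCacheArg_t *arg = (const XrdSutCacheArg_t *)a;
   int crl_check = arg->arg1;
   int crl_refresh = arg->arg2;
   time_t ts_ref = (time_t)arg->arg3;

   if (!e) return false;

   // Nothing cached yet for this CA
   X509Chain *chain = (X509Chain *)(e->buf1.buf);
   if (!chain) return false;

   // A chain that is no longer valid must be reloaded: report a miss so the
   // caller cleans the entry and fetches a fresh one for the same CA.
   if (chain->CheckValidity() != 0) {
      PRINT("CA entry for '"<<e->name<<"' needs refreshing: clean the related entry cache first");
      return false;
   }

   XrdCryptoX509Crl *crl = (XrdCryptoX509Crl *)(e->buf2.buf);
   bool goodcrl = true;
   // Level 2 needs a CRL to be present; level 3 additionally needs it to be
   // unexpired. A missing CRL at level 3 is therefore a miss as well (the
   // previous code dereferenced a NULL 'crl' in that case).
   if (crl_check == 2 && !crl) goodcrl = false;
   if (crl_check == 3 && (!crl || crl->IsExpired())) goodcrl = false;
   // Periodic refresh, independent of the CRL's own expiry
   if (crl_refresh > 0 && (ts_ref - e->mtime) > crl_refresh) goodcrl = false;

   if (goodcrl) return true;
   if (crl) {
      PRINT("CRL entry for '"<<e->name<<"' needs refreshing: clean the related entry cache first ("<<e<<")");
   }
   return false;
}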

References XrdSutCacheEntryBuf::buf, XrdSutCacheEntry::buf1, XrdSutCacheEntry::buf2, XrdCryptoX509Chain::CheckValidity(), EPNAME, XrdCryptoX509Crl::IsExpired(), XrdSutCacheEntry::mtime, XrdSutCacheEntry::name, and PRINT.


◆ GetSrvCertEntCheck()

static bool GetSrvCertEntCheck ( XrdSutCacheEntry e,
void *  a 
)
static

Definition at line 5685 of file XrdSecProtocolgsi.cc.

static bool GetSrvCertEntCheck(XrdSutCacheEntry *e, void *a) {
   // Cache-lookup predicate for the server certificate entry.
   // True when the entry exists, its status is strictly above the reference
   // status (arg1) and it was last modified at or after the reference time
   // (arg2); false otherwise.
   const XrdSutCacheArg_t *arg = (const XrdSutCacheArg_t *)a;
   int st_ref = arg->arg1;
   time_t ts_ref = (time_t)arg->arg2;

   if (!e) return false;
   bool newerStatus = e->status > st_ref;
   bool freshEnough = e->mtime >= ts_ref;
   return newerStatus && freshEnough;
}

References XrdSutCacheEntry::mtime, and XrdSutCacheEntry::status.

◆ QueryGMAPCheck()

static bool QueryGMAPCheck ( XrdSutCacheEntry e,
void *  a 
)
static

Definition at line 5265 of file XrdSecProtocolgsi.cc.

static bool QueryGMAPCheck(XrdSutCacheEntry *e, void *a) {
   // Cache-lookup predicate for grid-map query results.
   // True when the entry has the reference status (arg1) and, if a validity
   // window (arg3, seconds, <= 0 means none) is configured, the entry is not
   // older than that window with respect to the reference time (arg2).
   const XrdSutCacheArg_t *arg = (const XrdSutCacheArg_t *)a;
   int st_ref = arg->arg1;
   time_t ts_ref = (time_t)arg->arg2;
   long to_ref = arg->arg3;

   if (!e) return false;
   if (e->status != st_ref) return false;

   // Expiration check, only when a window is configured
   bool tooOld = (to_ref > 0) && ((ts_ref - e->mtime) > to_ref);
   return !tooOld;
}

References XrdSutCacheEntry::mtime, and XrdSutCacheEntry::status.

◆ QueryProxyCheck()

static bool QueryProxyCheck ( XrdSutCacheEntry e,
void *  a 
)
static

Definition at line 5040 of file XrdSecProtocolgsi.cc.

static bool QueryProxyCheck(XrdSutCacheEntry *e, void *a) {
   // Cache-lookup predicate for proxy entries: true when the entry holds a
   // certificate chain that CheckValidity() accepts at the reference time
   // (arg1), false when the entry or its chain is missing or invalid.
   time_t ts_ref = (time_t)(((XrdSutCacheArg_t *)a)->arg1);

   if (!e) return false;
   if (!e->buf1.buf) return false;

   X509Chain *chain = (X509Chain *)(e->buf1.buf);
   return chain->CheckValidity(1, ts_ref) == 0;
}

References XrdSutCacheEntryBuf::buf, XrdSutCacheEntry::buf1, and XrdCryptoX509Chain::CheckValidity().


◆ ServerStepStr()

static const char* ServerStepStr ( int  ksrv)
static

Definition at line 239 of file XrdSecProtocolgsi.cc.

static const char *ServerStepStr(int ksrv)
{
   // Map a server handshake step code to its printable name.
   // Negative codes and codes above kXGS_reserved fold to index 0; codes from
   // kXGS_init upwards are rebased so that kXGS_init maps to index 1.
   static const char *ukn = "Unknown";

   int idx = ksrv;
   if (idx < 0) idx = 0;
   if (idx > kXGS_reserved) idx = 0;
   if (idx >= kXGS_init) idx = idx - kXGS_init + 1;

   // Range guard kept as a safety net for the table lookup
   const int last = kXGS_reserved - kXGS_init + 1;
   if (idx < 0 || idx > last) return ukn;
   return gsiServerSteps[idx];
}

References gsiServerSteps, kXGS_init, and kXGS_reserved.

Referenced by XrdSecProtocolgsi::Authenticate(), and XrdSecProtocolgsi::getCredentials().


◆ XrdSecProtocolgsiInit()

char* XrdSecProtocolgsiInit ( const char  mode,
const char *  parms,
XrdOucErrInfo erp 
)

Definition at line 2373 of file XrdSecProtocolgsi.cc.

{
   // One-time protocol initialization, filling the static flags and options
   // of the protocol.
   // For clients (mode == 'c') we use values in envs.
   // For servers (mode == 's') the command line options are passed through
   // parms.
   //
   // Returns whatever XrdSecProtocolgsi::Init() returns (errors are reported
   // through 'erp' by Init()). Ownership: the client branch frees the
   // strdup()'d option strings it allocated before returning; the server
   // branch points 'opts' at stack-local Strings that live until Init()
   // returns.
   EPNAME("ProtocolgsiInit");

   gsiOptions opts;
   char *rc = (char *)"";
   char *cenv = 0;

   // Initiate error logging and tracing
   // NOTE(review): source line 2388 is not shown in this listing; the
   // reference list names gsiTrace and XrdSecProtocolgsi::EnableTracing(),
   // so it presumably assigns the tracer here — check the source file.

   //
   // Clients first
   if (mode == 'c') {
      //
      // Decode envs:
      //              "XrdSecDEBUG"           debug flag ("0","1","2","3")
      //              "XrdSecGSICADIR"        full path to an alternative path
      //                                      containing the CA info
      //                                      [/etc/grid-security/certificates]
      //                                      (falls back to "X509_CERT_DIR")
      //              "XrdSecGSICRLDIR"       full path to an alternative path
      //                                      containing the CRL info
      //                                      [/etc/grid-security/certificates]
      //                                      (falls back to "X509_CERT_DIR")
      //              "XrdSecGSICRLEXT"       default extension of CRL files [.r0]
      //              "XrdSecGSICRLRefresh"   CRL refresh / expiration time (secs)
      //              "XrdSecGSIUSERCERT"     full path to an alternative file
      //                                      containing the user certificate
      //                                      [$HOME/.globus/usercert.pem]
      //                                      (falls back to "X509_USER_CERT")
      //              "XrdSecGSIUSERKEY"      full path to an alternative file
      //                                      containing the user key
      //                                      [$HOME/.globus/userkey.pem]
      //                                      (falls back to "X509_USER_KEY")
      //              "XrdSecGSIUSERPROXY"    full path to an alternative file
      //                                      containing the user proxy
      //                                      [/tmp/x509up_u<uid>]
      //                                      (falls back to "X509_USER_PROXY")
      //              "XrdSecGSIPROXYVALID"   validity of proxies in the
      //                                      grid-proxy-init format
      //                                      ["12:00", i.e. 12 hours]
      //              "XrdSecGSIPROXYDEPLEN"  depth of signature path for proxies;
      //                                      use -1 for unlimited [0]
      //              "XrdSecGSIPROXYKEYBITS" bits in PKI for proxies [default: XrdCryptoDefRSABits]
      //              "XrdSecGSICACHECK"      CA check level [1]:
      //                                      0 do not verify;
      //                                      1 verify if self-signed, warn if not;
      //                                      2 verify in all cases, fail if not possible
      //              "XrdSecGSICRLCHECK"     CRL check level [2]:
      //                                      0 don't care;
      //                                      1 use if available;
      //                                      2 require,
      //                                      3 require non-expired CRL
      //              "XrdSecGSIDELEGPROXY"   Forwarding of credentials option:
      //                                      0 deny; 1 sign request created
      //                                      by server; 2 forward local proxy
      //                                      (include private key) [1]
      //              "XrdSecGSICREATEPROXY"  Controls use of proxy [1]:
      //                                      1 auto-generate proxy from the cert/key pair if no one is not found
      //                                      0 a proxy is used if present; else, the cert/key pair is used if present.
      //              "XrdSecGSISRVNAMES"     Server names allowed: if the server CN
      //                                      does not match any of these, or it is
      //                                      explicitely denied by these, or it is
      //                                      not in the form "*/<hostname>", the
      //                                      handshake fails.
      //              "XrdSecGSIUSEDEFAULTHASH" If this variable is set only the default
      //                                      name hashing algorithm is used
      //              "XrdSecGSITRUSTDNS"     DNS trusting control: "0" disables,
      //                                      any other value enables

      //
      opts.mode = mode;
      // debug: only the single characters '1'..'3' (ASCII 49..51) are accepted;
      // anything else is reported and forced to level 1
      cenv = getenv("XrdSecDEBUG");
      if (cenv)
         {if (cenv[0] >= 49 && cenv[0] <= 51) opts.debug = atoi(cenv);
         else {PRINT("unsupported debug value from env XrdSecDEBUG: "<<cenv<<" - setting to 1");
               opts.debug = 1;
              }
         }

      // directory with CA certificates
      cenv = (getenv("XrdSecGSICADIR") ? getenv("XrdSecGSICADIR")
                                       : getenv("X509_CERT_DIR"));
      if (cenv)
         opts.certdir = strdup(cenv);

      // directory with CRL info
      cenv = (getenv("XrdSecGSICRLDIR") ? getenv("XrdSecGSICRLDIR")
                                        : getenv("X509_CERT_DIR"));
      if (cenv)
         opts.crldir = strdup(cenv);

      // Default extension CRL files
      cenv = getenv("XrdSecGSICRLEXT");
      if (cenv)
         opts.crlext = strdup(cenv);

      // CRL refresh or expiration time
      cenv = getenv("XrdSecGSICRLRefresh");
      if (cenv)
         opts.crlrefresh = atoi(cenv);

      // file with user cert
      cenv = (getenv("XrdSecGSIUSERCERT") ? getenv("XrdSecGSIUSERCERT")
                                          : getenv("X509_USER_CERT"));
      if (cenv)
         opts.cert = strdup(cenv);

      // file with user key
      cenv = (getenv("XrdSecGSIUSERKEY") ? getenv("XrdSecGSIUSERKEY")
                                         : getenv("X509_USER_KEY"));
      if (cenv)
         opts.key = strdup(cenv);

      // file with user proxy
      cenv = (getenv("XrdSecGSIUSERPROXY") ? getenv("XrdSecGSIUSERPROXY")
                                           : getenv("X509_USER_PROXY"));
      if (cenv)
         opts.proxy = strdup(cenv);

      // validity of the user proxy (grid-proxy-init format)
      cenv = getenv("XrdSecGSIPROXYVALID");
      if (cenv)
         opts.valid = strdup(cenv);

      // Depth of signature path for proxies
      cenv = getenv("XrdSecGSIPROXYDEPLEN");
      if (cenv)
         opts.deplen = atoi(cenv);

      // Key Bit length
      cenv = getenv("XrdSecGSIPROXYKEYBITS");
      if (cenv)
         opts.bits = atoi(cenv);

      // CA verification level (atoi: a non-numeric value yields 0, i.e. "do not verify")
      cenv = getenv("XrdSecGSICACHECK");
      if (cenv)
         opts.ca = atoi(cenv);

      // CRL check level (atoi: a non-numeric value yields 0, i.e. "don't care")
      cenv = getenv("XrdSecGSICRLCHECK");
      if (cenv)
         opts.crl = atoi(cenv);

      // Delegate proxy
      cenv = getenv("XrdSecGSIDELEGPROXY");
      if (cenv)
         opts.dlgpxy = atoi(cenv);

      // Proxy creation control
      cenv = getenv("XrdSecGSICREATEPROXY");
      if (cenv)
         opts.createpxy = atoi(cenv);

      // Allowed server name formats
      cenv = getenv("XrdSecGSISRVNAMES");
      if (cenv)
         opts.srvnames = strdup(cenv);

      // Name hashing algorithm: presence of the variable is enough, its value is not read
      cenv = getenv("XrdSecGSIUSEDEFAULTHASH");
      if (cenv)
         opts.hashcomp = 0;

      // DNS trusting control
      if ((cenv = getenv("XrdSecGSITRUSTDNS")))
         opts.trustdns = (!strcmp(cenv, "0")) ? false : true;

      //
      // Setup the object with the chosen options
      rc = XrdSecProtocolgsi::Init(opts,erp);

      // Notify init options, if required or in case of init errors
      if (!rc) opts.debug = 1;
      opts.Print(gsiTrace);

      // Some cleanup: release the strdup()'d strings assigned above
      SafeFree(opts.certdir);
      SafeFree(opts.crldir);
      SafeFree(opts.crlext);
      SafeFree(opts.cert);
      SafeFree(opts.key);
      SafeFree(opts.proxy);
      SafeFree(opts.valid);
      SafeFree(opts.srvnames);

      // We are done
      return rc;
   }

   // Take into account xrootd debug flag
   cenv = getenv("XRDDEBUG");
   if (cenv && !strcmp(cenv,"1")) opts.debug = 1;

   //
   // Server initialization
   if (parms) {
      //
      // Duplicate the parms. NOTE(review): a parms string longer than 1023
      // bytes is silently truncated by strlcpy(); the trailing options are
      // then lost without any warning.
      char parmbuff[1024];
      strlcpy(parmbuff, parms, sizeof(parmbuff));
      //
      // The tokenizer
      XrdOucTokenizer inParms(parmbuff);
      //
      // Decode parms:
      // for servers:
      //              [-d:<debug_level>]
      //              [-c:[-]ssl[:[-]<CryptoModuleName]]
      //              [-certdir:<dir_with_CA_info>]
      //              [-crldir:<dir_with_CRL_info>]
      //              [-crlext:<default_extension_CRL_files>]
      //              [-cert:<path_to_server_certificate>]
      //              [-key:<path_to_server_key>]
      //              [-cipher:<list_of_supported_ciphers>]
      //              [-md:<list_of_supported_digests>]
      //              [-ca:<crl_verification_level>]
      //              [-crl:<crl_check_level>]
      //              [-crlrefresh:<crl_refresh_time>]
      //              [-gridmap:<grid_map_file>]
      //              [-gmapfun:<grid_map_function>]
      //              [-gmapfunparms:<grid_map_function_init_parameters>]
      //              [-authzcall:<authz_callopt>]
      //              [-authzfun:<authz_function>]
      //              [-authzfunparms:<authz_function_init_parameters>]
      //              [-authzto:<authz_cache_entry_validity_in_secs>]
      //              [-gmapto:<grid_map_cache_entry_validity_in_secs>]
      //              [-gmapopt:<grid_map_check_option>]
      //              [-dlgpxy:<proxy_req_option>]
      //              [-exppxy:<filetemplate>]
      //              [-authzpxy]
      //              [-vomsat:<voms_option>]
      //              [-vomsfun:<voms_function>]
      //              [-vomsfunparms:<voms_function_init_parameters>]
      //              [-defaulthash]
      //              [-trustdns:<0|1>]
      //              [-moninfo[:<value>]]
      //              [-showdn:<0|1>]
      //
      int debug = -1;
      String clist = "";
      String certdir = "";
      String crldir = "";
      String crlext = "";
      String cert = "";
      String key = "";
      String cipher = "";
      String md = "";
      String gridmap = "";
      String gmapfun = "";
      String gmapfunparms = "";
      String authzfun = "";
      String authzfunparms = "";
      String vomsfun = "";
      String vomsfunparms = "";
      String exppxy = "";
      int ca = 1;
      int crl = 1;
      int crlrefresh = 86400;
      int ogmap = 1;
      int gmapto = 600;
      int authzto = -1;
      int authzcall = 1;
      // NOTE(review): within this listing 'dlgpxy' is never assigned after
      // this initialization; see the "Build the option object" section below.
      int dlgpxy = dlgIgnore;
      int authzpxy = 0;
      int vomsat = vatIgnore; // Was 1 or extract
      int moninfo = 0;
      int hashcomp = 1;
      int trustdns = false;
      int showDN = false;
      char *op = 0;
      while (inParms.GetLine()) {
         while ((op = inParms.GetToken())) {
            if (!strncmp(op, "-d:",3)) {
               debug = atoi(op+3);
            } else if (!strncmp(op, "-c:",3)) {
               clist = (const char *)(op+3);
            } else if (!strncmp(op, "-certdir:",9)) {
               certdir = (const char *)(op+9);
            } else if (!strncmp(op, "-crldir:",8)) {
               crldir = (const char *)(op+8);
            } else if (!strncmp(op, "-crlext:",8)) {
               crlext = (const char *)(op+8);
            } else if (!strncmp(op, "-cert:",6)) {
               cert = (const char *)(op+6);
            } else if (!strncmp(op, "-key:",5)) {
               key = (const char *)(op+5);
            } else if (!strncmp(op, "-cipher:",8)) {
               cipher = (const char *)(op+8);
            } else if (!strncmp(op, "-md:",4)) {
               md = (const char *)(op+4);
            } else if (!strncmp(op, "-ca:",4)) {
               // NOTE(review): the getOptVal() result is immediately overwritten
               // by atoi(); for a symbolic value atoi() yields 0, which is the
               // "do not verify" level. Confirm which form is intended — the
               // -crl: switch below uses getOptVal() alone.
               ca = getOptVal(caVerOpts, op+4);
               ca = atoi(op+4);
            } else if (!strncmp(op, "-crl:",5)) {
               crl = getOptVal(crlOpts, op+5);
            } else if (!strncmp(op, "-crlrefresh:",12)) {
               crlrefresh = atoi(op+12);
            } else if (!strncmp(op, "-gmapopt:",9)) {
               ogmap = getOptVal(gmoOpts, op+9);
            } else if (!strncmp(op, "-gridmap:",9)) {
               gridmap = (const char *)(op+9);
            } else if (!strncmp(op, "-gmapfun:",9)) {
               gmapfun = (const char *)(op+9);
            } else if (!strncmp(op, "-gmapfunparms:",14)) {
               gmapfunparms = (const char *)(op+14);
            } else if (!strncmp(op, "-authzcall:",11)) {
               authzcall = getOptVal(azCallOpts, op+11);
            } else if (!strncmp(op, "-authzfun:",10)) {
               authzfun = (const char *)(op+10);
            } else if (!strncmp(op, "-authzfunparms:",15)) {
               authzfunparms = (const char *)(op+15);
            } else if (!strncmp(op, "-authzto:",9)) {
               authzto = atoi(op+9);
            } else if (!strncmp(op, "-gmapto:",8)) {
               gmapto = atoi(op+8);
            } else if (!strncmp(op, "-dlgpxy:",8)) {
               // NOTE(review): this writes opts.dlgpxy directly, but the
               // "Build the option object" section re-assigns opts.dlgpxy from
               // the local 'dlgpxy', so the value parsed here is discarded.
               opts.dlgpxy = getOptVal(sDlgOpts, op+8);
            } else if (!strncmp(op, "-exppxy:",8)) {
               exppxy = (const char *)(op+8);
            } else if (!strncmp(op, "-authzpxy:",10)) {
               // NOTE(review): same pattern as -dlgpxy: — opts.authzpxy is
               // later overwritten by the local 'authzpxy'.
               opts.authzpxy = getOptVal(azPxyOpts, op+10);
            } else if (!strncmp(op, "-authzpxy",9)) {
               authzpxy = 11;
            } else if (!strncmp(op, "-vomsat:",8)) {
               vomsat = getOptVal(vomsatOpts, op+8);
               // Any VOMS attribute handling needs a VOMS function: default it
               if (vomsat != vatIgnore && vomsfun.length() == 0)
                  vomsfun = "default";
            } else if (!strncmp(op, "-vomsfun:",9)) {
               vomsfun = (const char *)(op+9);
            } else if (!strncmp(op, "-vomsfunparms:",14)) {
               vomsfunparms = (const char *)(op+14);
            } else if (!strcmp(op, "-moninfo")) {
               moninfo = 1;
            } else if (!strncmp(op, "-moninfo:",9)) {
               moninfo = atoi(op+9);
            } else if (!strcmp(op, "-defaulthash")) {
               hashcomp = 0;
            } else if (!strncmp(op, "-trustdns:",10)) {
               trustdns = getOptVal(tdnsOpts, op+10);
            } else if (!strncmp(op, "-showdn:",8)) {
               // Reuses the 0|1 table of -trustdns:
               showDN = getOptVal(tdnsOpts, op+8);
            } else {
               PRINT("ignoring unknown switch: "<<op);
            }
         }
      }

      // If vomsfun is 'default' substitute the default plugin. The go on to
      // resolve conflicts between vomsfun and vomsat options. So, if vomsfun
      // was specified but vomsat is set to 'ignore' then we set vomsat to be
      // 'required'. Without any vomsfun the authz call mode is forced to
      // azAlways, overriding a -authzcall: switch.
      //
      if (vomsfun.length() > 0)
         {if (vomsat == vatIgnore) vomsat = vatExtract;
          if (vomsfun == "default") vomsfun = LIB_XRDVOMS;
         } else authzcall = azAlways;

      //
      // Build the option object
      opts.debug = (debug > -1) ? debug : opts.debug;
      opts.mode = 's';
      opts.ca = ca;
      opts.crl = crl;
      opts.crlrefresh = crlrefresh;
      opts.ogmap = ogmap;
      opts.gmapto = gmapto;
      opts.authzcall = authzcall;
      opts.authzto = authzto;
      // NOTE(review): 'dlgpxy' is still its initial value (dlgIgnore) here, so
      // this discards whatever -dlgpxy: stored in opts.dlgpxy above.
      opts.dlgpxy = (dlgpxy >= dlgIgnore && dlgpxy <= dlgReqSign) ? dlgpxy : 0;
      // NOTE(review): likewise discards the value set by -authzpxy:<opt>;
      // only the bare -authzpxy form (authzpxy = 11) survives.
      opts.authzpxy = authzpxy;
      opts.vomsat = vomsat;
      opts.moninfo = moninfo;
      opts.hashcomp = hashcomp;
      opts.trustdns = (trustdns <= 0) ? false : true;
      opts.showDN = (showDN > 0) ? true : false;
      // The String locals own these buffers; they outlive the Init() call below
      if (clist.length() > 0)
         opts.clist = (char *)clist.c_str();
      if (certdir.length() > 0)
         opts.certdir = (char *)certdir.c_str();
      if (crldir.length() > 0)
         opts.crldir = (char *)crldir.c_str();
      if (crlext.length() > 0)
         opts.crlext = (char *)crlext.c_str();
      if (cert.length() > 0)
         opts.cert = (char *)cert.c_str();
      if (key.length() > 0)
         opts.key = (char *)key.c_str();
      if (cipher.length() > 0)
         opts.cipher = (char *)cipher.c_str();
      if (md.length() > 0)
         opts.md = (char *)md.c_str();
      if (gridmap.length() > 0)
         opts.gridmap = (char *)gridmap.c_str();
      if (gmapfun.length() > 0)
         opts.gmapfun = (char *)gmapfun.c_str();
      if (gmapfunparms.length() > 0)
         opts.gmapfunparms = (char *)gmapfunparms.c_str();
      if (authzfun.length() > 0)
         opts.authzfun = (char *)authzfun.c_str();
      if (authzfunparms.length() > 0)
         opts.authzfunparms = (char *)authzfunparms.c_str();
      if (exppxy.length() > 0)
         opts.exppxy = (char *)exppxy.c_str();
      if (vomsfun.length() > 0)
         opts.vomsfun = (char *)vomsfun.c_str();
      if (vomsfunparms.length() > 0)
         opts.vomsfunparms = (char *)vomsfunparms.c_str();

      // Notify init options, if required
      opts.Print(gsiTrace);

      //
      // Setup the plug-in with the chosen options
      return XrdSecProtocolgsi::Init(opts,erp);
   }

   // Notify init options, if required
   opts.Print(gsiTrace);
   //
   // Setup the plug-in with the defaults (server mode without parms)
   return XrdSecProtocolgsi::Init(opts,erp);
}
} // closes the enclosing block opened before this listing (presumably extern "C")

References XrdOucString::c_str(), myOpts::debug, XrdSecProtocolgsi::EnableTracing(), EPNAME, XrdOucTokenizer::GetLine(), XrdOucTokenizer::GetToken(), gsiTrace, XrdSecProtocolgsi::Init(), XrdOucString::length(), LIB_XRDVOMS, opts, PRINT, SafeFree, and strlcpy().


◆ XrdSecProtocolgsiObject()

XrdSecProtocol* XrdSecProtocolgsiObject ( const char  mode,
const char *  hostname,
XrdNetAddrInfo endPoint,
const char *  parms,
XrdOucErrInfo erp 
)

Definition at line 2808 of file XrdSecProtocolgsi.cc.

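{
   // Factory entry point: builds a new XrdSecProtocolgsi for 'hostname' /
   // 'endPoint' with the protocol parameters 'parms'.
   // Returns the new object (owned by the caller), or NULL when it could not
   // be allocated; in that case the error is recorded in 'erp' when one is
   // supplied, otherwise printed on stderr.
   XrdSecProtocolgsi *prot;
   int options = XrdSecNOIPCHK;

   //
   // Get a new protocol object. A plain 'new' throws std::bad_alloc instead of
   // returning NULL, which left the failure branch below unreachable; the
   // nothrow form keeps the ENOMEM reporting path live.
   prot = new (std::nothrow) XrdSecProtocolgsi(options, hostname, endPoint, parms);
   if (!prot) {
      const char *msg = "Secgsi: Insufficient memory for protocol.";
      if (erp)
         erp->setErrInfo(ENOMEM, msg);
      else
         std::cerr <<msg <<std::endl;
      return (XrdSecProtocol *)0;
   }
   //
   // We are done
   if (!erp)
      std::cerr << "protocol object instantiated" << std::endl;
   return prot;
}
} // closes the enclosing block opened before this listing (presumably extern "C")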

References XrdOucErrInfo::setErrInfo(), and XrdSecNOIPCHK.


◆ XrdVERSIONINFO()

XrdVERSIONINFO ( XrdSecProtocolgsiObject  ,
secgsi   
)

Variable Documentation

◆ gGSErrStr

const char* gGSErrStr[]
static
Initial value:
= {
"ErrParseBuffer",
"ErrDecodeBuffer",
"ErrLoadCrypto",
"ErrBadProtocol",
"ErrCreateBucket",
"ErrDuplicateBucket",
"ErrCreateBuffer",
"ErrSerialBuffer",
"ErrGenCipher",
"ErrExportPuK",
"ErrEncRndmTag",
"ErrBadRndmTag",
"ErrNoRndmTag",
"ErrNoCipher",
"ErrNoCreds",
"ErrBadOpt",
"ErrMarshal",
"ErrUnmarshal",
"ErrSaveCreds",
"ErrNoBuffer",
"ErrRefCipher",
"ErrNoPublic",
"ErrAddBucket",
"ErrFinCipher",
"ErrInit",
"ErrBadCreds",
"ErrError"
}

Definition at line 97 of file XrdSecProtocolgsi.cc.

◆ gNoPadTag

const char* gNoPadTag = "nopad"
static

◆ gsiClientSteps

const char* gsiClientSteps[]
static
Initial value:
= {
"kXGC_none",
"kXGC_certreq",
"kXGC_cert",
"kXGC_sigpxy",
"kXGC_reserved"
}

Definition at line 81 of file XrdSecProtocolgsi.cc.

Referenced by ClientStepStr().

◆ gsiServerSteps

const char* gsiServerSteps[]
static
Initial value:
= {
"kXGS_none",
"kXGS_init",
"kXGS_cert",
"kXGS_pxyreq",
"kXGS_reserved"
}

Definition at line 89 of file XrdSecProtocolgsi.cc.

Referenced by ServerStepStr().

◆ gsiTrace

XrdOucTrace* gsiTrace = 0

Definition at line 217 of file XrdSecProtocolgsi.cc.

Referenced by XrdSecProtocolgsi::Init(), and XrdSecProtocolgsiInit().

◆ gUsrPxyDef

const char* gUsrPxyDef = "/tmp/x509up_u"
static

Definition at line 130 of file XrdSecProtocolgsi.cc.

Referenced by XrdSecProtocolgsi::Init(), and gsiOptions::Print().

◆ kOneDay

const int kOneDay = 86400
static

Definition at line 128 of file XrdSecProtocolgsi.cc.

◆ Prefix

String Prefix = "xrd"
static

Definition at line 77 of file XrdSecProtocolgsi.cc.

◆ ProtoID

String ProtoID = XrdSecPROTOIDENT
static

Definition at line 78 of file XrdSecProtocolgsi.cc.

◆ Version