35 #include <sys/param.h>
37 #include <sys/types.h>
43 #include "XrdVersion.hh"
// Diagnostic print straight to stderr, prefixed "Secgsi" and flushed per
// line.  It is gated only by its first argument (t), not by the trace/debug
// machinery used by PRINT/DEBUG/NOTIFY, so callers (e.g. the option dump
// around line 2296, which returns early for client mode with debug <= 0)
// must do their own gating.
68 #define POPTS(t,y) {if (t) {std::cerr <<"Secgsi" <<y <<'\n' << std::flush;}}
103 "ErrDuplicateBucket",
// ---------------------------------------------------------------------------
// Compiled-in defaults for the GSI protocol.  ProtocolgsiInit overrides them
// from the XrdSecGSI*/X509_* environment (around line 2445ff) and from the
// "-xxx:" configuration switches (around line 2644ff).
// ---------------------------------------------------------------------------
// Trust anchors and CRLs default to the same directory.
141 String XrdSecProtocolgsi::CAdir =
"/etc/grid-security/certificates/";
142 String XrdSecProtocolgsi::CRLdir =
"/etc/grid-security/certificates/";
// Default CRL file suffix.
143 String XrdSecProtocolgsi::DefCRLext=
".r0";
144 String XrdSecProtocolgsi::GMAPFile =
"/etc/grid-security/grid-mapfile";
// Server credentials.  Init warns (line 704) when the key is not readable.
145 String XrdSecProtocolgsi::SrvCert =
"/etc/grid-security/xrd/xrdcert.pem";
146 String XrdSecProtocolgsi::SrvKey =
"/etc/grid-security/xrd/xrdkey.pem";
// Client credentials.  UsrProxy is filled in at init (uid-based template,
// see lines 882/979); the "/.globus/..." paths are presumably prefixed with
// the home directory elsewhere -- not visible here.
147 String XrdSecProtocolgsi::UsrProxy;
148 String XrdSecProtocolgsi::UsrCert =
"/.globus/usercert.pem";
149 String XrdSecProtocolgsi::UsrKey =
"/.globus/userkey.pem";
// Proxy validity ("hh:mm", presumably) and signature-path depth for proxies
// the client creates.
150 String XrdSecProtocolgsi::PxyValid =
"12:00";
151 int XrdSecProtocolgsi::DepLength= 0;
// CA / CRL policy.  crlTry is reported as "use-if-available" by the cocrl[]
// labels at line 510 if its value is 1 -- confirm: a missing CRL is then not
// fatal.  CRLs are not downloaded by default and are re-read daily.
153 int XrdSecProtocolgsi::CACheck = caVerifyss;
154 int XrdSecProtocolgsi::CRLCheck = crlTry;
155 int XrdSecProtocolgsi::CRLDownload = 0;
156 int XrdSecProtocolgsi::CRLRefresh = 86400;
// Grid-map: 1 = "use-if-available" (cogmap[] at line 736); when no mapping
// exists the entity name defaults to the DN hash (codnnm[0], line 737).
157 int XrdSecProtocolgsi::GMAPOpt = 1;
158 bool XrdSecProtocolgsi::GMAPuseDNname = 0;
159 String XrdSecProtocolgsi::DefCrypto=
"ssl";
// NOTE(review): the default cipher list still offers bf-cbc (Blowfish) and
// des-ede3-cbc (3DES).  Both are 64-bit block ciphers, which are subject to
// birthday-bound (Sweet32-class) attacks on long sessions, and CBC here has
// no per-message MAC visible in Encrypt/Decrypt (lines 1116-1196); integrity
// of the handshake relies on the separate RSA Sign/Verify path.  Init drops
// names the crypto module does not support (line 652), and the server only
// accepts a client choice found in this list (line 3686), so trimming the
// default to "aes-128-cbc" (or adding a stronger AES mode) is a one-line
// hardening if peers are known to support it.
160 String XrdSecProtocolgsi::DefCipher=
"aes-128-cbc:bf-cbc:des-ede3-cbc";
161 String XrdSecProtocolgsi::DefMD =
"sha256";
162 String XrdSecProtocolgsi::DefError =
"invalid credentials ";
// Proxy-request / authz-plugin export settings; -1 means "unset" and is
// resolved in Init (the format labels at lines 816/910 only cover 0..1).
163 int XrdSecProtocolgsi::PxyReqOpts = 0;
164 int XrdSecProtocolgsi::AuthzPxyWhat = -1;
165 int XrdSecProtocolgsi::AuthzPxyWhere = -1;
166 int XrdSecProtocolgsi::AuthzAlways = 1;
170 int XrdSecProtocolgsi::AuthzCertFmt = -1;
// Cache lifetimes in seconds: grid-map entries never expire unless -gmapto
// is given; authz-plugin results are cached for 12 hours.
171 int XrdSecProtocolgsi::GMAPCacheTimeOut = -1;
172 int XrdSecProtocolgsi::AuthzCacheTimeOut = 43200;
// Optional allow-list for server certificate names (client side, line 1042).
173 String XrdSecProtocolgsi::SrvAllowedNames;
174 int XrdSecProtocolgsi::VOMSAttrOpt = vatIgnore;
176 int XrdSecProtocolgsi::VOMSCertFmt = -1;
177 int XrdSecProtocolgsi::MonInfoOpt = 0;
// Legacy (pre-OpenSSL-1.0) subject-hash compatibility is on by default.
178 bool XrdSecProtocolgsi::HashCompatibility = 1;
// TrustDNS=false keeps server hostname verification strict: neither the
// CN fallback after a SAN mismatch nor the DNS-translation fallback is used
// (see the messages at lines 3237-3253), and proxy delegation is refused
// when the name was only matched via DNS (line 3275).
179 bool XrdSecProtocolgsi::TrustDNS =
false;
180 bool XrdSecProtocolgsi::ShowDN =
false;
183 int XrdSecProtocolgsi::ncrypt = 0;
204 time_t XrdSecProtocolgsi::lastGMAPCheck = -1;
208 int XrdSecProtocolgsi::Debug = 0;
209 bool XrdSecProtocolgsi::Server = 1;
// Tolerance for clock differences between peers (seconds, presumably; the
// timestamp checks that consume it are not in this listing).
210 int XrdSecProtocolgsi::TimeSkew = 300;
213 XrdSysError XrdSecProtocolgsi::eDest(0,
"secgsi_");
226 static const char *ukn =
"Unknown";
228 kclt = (kclt < 0) ? 0 : kclt;
242 static const char *ukn =
"Unknown";
244 ksrv = (ksrv < 0) ? 0 : ksrv;
265 PRINT(
"----------------------------------------------------------------");
266 PRINT(
"protocol instance: "<<p);
267 PRINT(
"this: "<<
this);
284 PRINT(
"----------------------------------------------------------------");
298 EPNAME(
"XrdSecProtocolgsi");
300 if (
QTRACE(Authen)) {
PRINT(
"constructing: "<<
this); }
307 hs->
Tty = (isatty(0) == 0 || isatty(1) == 0) ? 0 : 1;
309 PRINT(
"could not create handshake vars object");
338 if (strchr(hname,
'.')) {
357 expectedHost = strdup(hname);
386 DEBUG(
"mode: server");
388 DEBUG(
"mode: client");
411 char *Failure = 0, *Parms = 0;
420 ErrF(erp,
kGSErrInit,
"tracing object (gsiTrace) not initialized! cannot continue");
424 int trace = 0, traceSut = 0, traceCrypto = 0;
430 }
else if (Debug >= 2) {
436 }
else if (Debug >= 1) {
448 if (opt.
hashcomp == 0) HashCompatibility = 0;
452 Server = (opt.
mode ==
's');
461 if (opt.
ca >= caNoVerify && opt.
ca <= caVerify)
463 DEBUG(
"option CACheck: "<<getOptName(caVerOpts,CACheck));
474 while ((from = tmp.
tokenize(dp, from,
',')) != -1) {
478 if (errno == ENOENT) {
487 if (!(CAtmp.
endswith(
','))) CAtmp +=
',';
491 PRINT(
"Warning: could not expand: "<<dp);
510 const char *cocrl[] = {
"do-not-care",
"use-if-available",
"require",
"require-not-expired" };
511 const char *codwld[] = {
"no",
"yes"};
512 if (opt.
crl >= crlUpdate) {
516 if (opt.
crl >= crlIgnore && opt.
crl <= crlRequire)
518 DEBUG(
"option CRLCheck: "<<CRLCheck<<
" ('"<<cocrl[CRLCheck]<<
"'; download? "<<
519 codwld[CRLDownload]<<
")");
530 while ((from = tmp.
tokenize(dp, from,
',')) != -1) {
534 if (errno == ENOENT) {
543 if (!(CRLtmp.
endswith(
','))) CRLtmp +=
',';
547 PRINT(
"Warning: could not expand: "<<dp);
570 DEBUG(
"CRL information refreshed every "<<CRLRefresh<<
" secs");
575 DEBUG(
"trust DNS option: "<<TrustDNS);
580 DEBUG(
"show DN option: "<<ShowDN);
600 while ((from = crypts.
tokenize(ncpt, from,
'|')) != -1) {
601 if (ncpt.
length() > 0 && ncpt[0] !=
'-') {
612 PRINT(
"ref cipher for module "<<ncpt<<
613 " cannot be instantiated : disable");
618 PRINT(
"max number of crypto modules ("
622 if (cryptlist.
length()) cryptlist +=
":";
627 PRINT(
"cannot instantiate crypto factory "<<ncpt<<
637 ErrF(erp,
kGSErrInit,
"could not find any valid crypto module");
648 while ((from = DefCipher.
tokenize(cip, from,
':')) != -1) {
652 if (!(cryptF[i]->SupportedCipher(cip.
c_str()))) {
654 DEBUG(
"cipher type not supported ("<<cip<<
") - disabling");
656 DefCipher.
erase(cip);
669 while ((from = DefMD.
tokenize(md, from,
':')) != -1) {
673 if (!(cryptF[i]->SupportedMsgDigest(md.
c_str()))) {
675 PRINT(
"MD type not supported ("<<md<<
") - disabling");
690 PRINT(
"Could not expand: "<<opt.
cert<<
": use default");
698 PRINT(
"Could not expand: "<<opt.
key<<
": use default");
704 PRINT(
"WARNING: process has no permission to read the certificate key file: "<<SrvKey);
710 if (!GetSrvCertEnt(ceref, cryptF[i], time(0), certcalist)) {
711 PRINT(
"problems loading srv cert");
720 if (cacheCert.
Num() <= 0) {
721 ErrF(erp,
kGSErrError,
"no valid server certificate found");
726 DEBUG(
"CA list: "<<certcalist);
736 const char *cogmap[] = {
"do-not-use",
"use-if-available",
"require" };
737 const char *codnnm[] = {
"DN hash",
"DN name"};
738 if (opt.
ogmap >= 10) {
744 DEBUG(
"user mapping file option: "<<cogmap[GMAPOpt]);
746 DEBUG(
"default option for entity name if no mapping available: "<<codnnm[(
int)GMAPuseDNname]);
755 PRINT(
"Could not expand: "<<opt.
gridmap<<
": use default");
763 if (
Debug) pars +=
"dbg|";
764 if (opt.
gmapto > 0) { pars +=
"to="; pars += (int)opt.
gmapto; }
771 NOTIFY(
"Grid map file: "<<GMAPFile<<
" cannot be 'access'ed: do not use");
774 DEBUG(
"using grid map file: "<<GMAPFile);
781 if (opt.
gmapfun && GMAPOpt > 0) {
782 if (!(GMAPFun = LoadGMAPFun((
const char *) opt.
gmapfun,
793 if (!hasgmap && !hasgmapfun) {
795 ErrF(erp,
kGSErrError,
"User mapping required, but neither a grid mapfile"
796 " nor a mapping function are available");
804 bool hasauthzfun = 0;
807 if (!(AuthzFun = LoadAuthzFun((
const char *) opt.
authzfun,
815 if (AuthzCertFmt >= 0 && AuthzCertFmt <= 1) {
816 const char *ccfmt[] = {
"raw",
"PEM base64" };
817 DEBUG(
"authzfun: proxy certificate format: "<<ccfmt[AuthzCertFmt]);
819 NOTIFY(
"authzfun: proxy certificate format: unknown (code: "<<AuthzCertFmt<<
")");
823 AuthzCacheTimeOut = opt.
authzto;
824 DEBUG(
"grid-map cache entries expire after "<<AuthzCacheTimeOut<<
" secs");
830 if (GMAPOpt > 0 && !hasauthzfun && opt.
gmapto > 0) {
831 GMAPCacheTimeOut = opt.
gmapto;
832 DEBUG(
"grid-map cache entries expire after "<<GMAPCacheTimeOut<<
" secs");
846 const char *capxy_what = (AuthzPxyWhat == 1) ?
"'last proxy only'"
847 :
"'full proxy chain'";
848 const char *capxy_where = (AuthzPxyWhere == 1) ?
"XrdSecEntity.creds"
849 :
"XrdSecEntity.endorsements";
850 DEBUG(
"Export proxy for authorization in '"<<capxy_where<<
"': "<<capxy_what);
853 PRINT(
"WARNING: proxy export for authz enabled: be aware that any setting of '"<<capxy_what<<
854 "' done by '"<<opt.
authzfun<<
"' will get overwritten with "<<capxy_what);
862 DEBUG(
"Will not accept delegated proxies");
865 if (opt.
dlgpxy == dlgReqSign)
870 if (!strcmp(opt.
exppxy,
"=creds")) {
873 DEBUG(
"Delegated proxy saved in Entity.creds ");
876 if (strcmp(opt.
exppxy,
"=default"))
882 UsrProxy +=
"u<uid>";
885 DEBUG(
"File template for delegated proxy: "<<UsrProxy);
888 DEBUG(
"Delegated proxies options: "<<PxyReqOpts);
896 VOMSAttrOpt = (opt.
vomsat <= vatRequire && opt.
vomsat >= vatIgnore)
897 ? opt.
vomsat : VOMSAttrOpt;
902 if (!(VOMSFun = LoadVOMSFun((
const char *) opt.
vomsfun,
909 if (VOMSCertFmt >= 0 && VOMSCertFmt <= 1) {
910 const char *ccfmt[] = {
"raw",
"PEM base64" };
911 DEBUG(
"vomsfun: proxy certificate format: "<<ccfmt[VOMSCertFmt]);
914 snprintf(fbuff,
sizeof(fbuff),
"%d", VOMSCertFmt);
915 ErrF(erp,
kGSErrError,
"VOMS plug-in returned invalid cert "
922 DEBUG(
"VOMS attributes options: "<<getOptName(vomsatOpts, VOMSAttrOpt));
929 const char *cmoninfo = (MonInfoOpt == 1) ?
"DN" :
"none";
930 DEBUG(
"Monitor information options: "<<cmoninfo);
// Server init (fragment, lines 935-956): the CA-hash list must be non-empty,
// then the handshake parameter string sent to clients is built.
935 if (certcalist.
length() == 0)
936 {ErrF(erp,
kGSErrInit,
"unable to generate ca cert hash list!");
// Size budget for "v:%d,c:%s,ca:%s": 9 literal chars + NUL = 10, leaving
// 10 of the 20 spare bytes for the version integer, i.e. any non-negative
// 32-bit value fits but a negative one would be one byte short.
944 Parms =
new char[cryptlist.
length()+3+12+certcalist.
length()+5];
// NOTE(review): use snprintf with the same size expression so the bound
// computed above is actually enforced rather than assumed.
946 sprintf(Parms,
"v:%d,c:%s,ca:%s",
949 ErrF(erp,
kGSErrInit,
"no system resources for 'Parms'");
955 DEBUG(
"available crypto modules: "<<cryptlist);
956 DEBUG(
"issuer CAs of server certs (hashes): "<<certcalist);
963 struct passwd *pw = getpwuid(getuid());
965 NOTIFY(
"WARNING: cannot get user information (uid:"<<getuid()<<
")");
975 PRINT(
"Could not expand: "<<opt.
proxy<<
": use default");
979 UsrProxy += (int)(pw->pw_uid);
987 PRINT(
"Could not expand: "<<opt.
cert<<
": use default");
999 PRINT(
"Could not expand: "<<opt.
key<<
": use default");
1007 PxyValid = opt.
valid;
1009 if (opt.
deplen != DepLength)
1012 if (opt.
bits > DefBits)
1016 if (opt.
dlgpxy > dlgIgnore) {
1018 if (opt.
dlgpxy == dlgSendpxy) {
1036 TRACE(Authen,
"using certificate file: "<<UsrCert);
1037 TRACE(Authen,
"using private key file: "<<UsrKey);
1038 TRACE(Authen,
"proxy: file: "<<UsrProxy);
1039 TRACE(Authen,
"proxy: validity: "<<PxyValid);
1040 TRACE(Authen,
"proxy: depth of signature path: "<<DepLength);
1041 TRACE(Authen,
"proxy: bits in key: "<<DefBits);
1042 TRACE(Authen,
"server cert: allowed names: "<<SrvAllowedNames);
1044 TRACE(Authen,
"allowing for pure cert/key authentication (no proxy) ");
1083 if (proxyChain) proxyChain->
Cleanup();
// --- Encrypt (fragment, lines 1116-1146) -----------------------------------
// Encrypts inbuf with the session cipher.  When an IV is in use, liv bytes
// of IV are written first (memcpy below) so the peer can recover it; the
// returned length includes them.  Lines omitted from this listing are not
// documented here.
1116 if (!inbuf || inlen <= 0 || !outbuf)
// NOTE(review): no NULL check on the malloc result is visible before the
// memcpy -- confirm the omitted lines handle allocation failure.
1128 char *buf = (
char *)malloc(sessionKey->
EncOutLength(inlen) + liv);
1132 memcpy(buf, iv, liv);
1135 int len = sessionKey->
Encrypt(inbuf, inlen, buf + liv) + liv;
1146 DEBUG(
"encrypted buffer has "<<len<<
" bytes");
// --- Decrypt (fragment, lines 1166-1196) -----------------------------------
// Inverse of Encrypt: the first liv bytes of inbuf are the IV, the rest is
// ciphertext.  No integrity tag is checked here; message authenticity rests
// on the separate Sign/Verify path.
1166 if (!inbuf || inlen <= 0 || !outbuf)
1170 int liv = (useIV) ? sessionKey->
MaxIVLength() : 0;
// NOTE(review): sz becomes negative when inlen < liv (truncated input) and
// no such check is visible here; confirm the omitted lines reject inlen <
// liv before DecOutLength()/Decrypt() are called with it.
1171 int sz = inlen - liv;
1173 char *buf = (
char *)malloc(sessionKey->
DecOutLength(sz) + liv);
// The IV is copied out of the input and handed to the cipher; who frees the
// new[]'d buffer after SetIV is not visible in this listing.
1179 char *iv =
new char[liv];
1180 memcpy(iv, inbuf, liv);
1181 sessionKey->
SetIV(liv, iv);
1186 int len = sessionKey->
Decrypt(inbuf + liv, sz, buf);
1196 DEBUG(
"decrypted buffer has "<<len<<
" bytes");
// --- Sign (fragment, lines 1214-1247) --------------------------------------
// Hashes inbuf with the session digest and signs the digest with the local
// RSA signing key (sessionKsig).
1214 if (!sessionKsig || !sessionMD)
1218 if (!inbuf || inlen <= 0 || !outbuf)
1222 sessionMD->
Reset(0);
1225 sessionMD->
Update(inbuf, inlen);
1230 char *buf = (
char *)malloc(lmax);
1247 DEBUG(
"signature has "<<len<<
" bytes");
// --- Verify (fragment, lines 1266-1307) ------------------------------------
// Recomputes the digest of inbuf, recovers the signed digest from sigbuf
// with the peer's public key (DecryptPublic) and compares the two.  Returns
// 0 on success, 1 on any failure ("bad").
1266 if (!sessionKver || !sessionMD)
1270 if (!inbuf || inlen <= 0 || !sigbuf || siglen <= 0)
1274 sessionMD->
Reset(0);
1277 sessionMD->
Update(inbuf, inlen);
1281 int lmax = sessionKver->
GetOutlen(siglen);
1282 char *buf =
new char[lmax];
1287 int len = sessionKver->
DecryptPublic(sigbuf, siglen, buf, lmax);
// The recovered length must equal the digest length before comparing.
1295 if (len == sessionMD->
Length()) {
// NOTE(review): strncmp stops at the first NUL byte, but both operands are
// digest bytes (sha256 by default), not C strings.  If Buffer() holds the
// raw digest, a recovered value that matches only up to the first 0x00 byte
// is accepted, and roughly one digest in eight contains such a byte.  This
// should be memcmp(buf, sessionMD->Buffer(), len) == 0, preferably a
// constant-time compare (CRYPTO_memcmp if the "ssl" module is OpenSSL).
// Confirm whether Buffer() returns raw or hex-encoded bytes; only the raw
// case is exploitable, but memcmp is correct in both.
1296 if (!strncmp(buf, sessionMD->
Buffer(), len)) {
1299 DEBUG(
"signature successfully verified");
1304 if (buf)
delete[] buf;
1307 return ((bad) ? 1 : 0);
1330 bucketKey = sessionKey->
AsBucket();
1337 return bucketKey->
size;
1340 if (klen < bucketKey->size)
1345 memcpy(kbuf, bucketKey->
buffer, bucketKey->
size);
1348 DEBUG(
"session key exported");
1349 return bucketKey->
size;
1367 if (!kbuf || klen <= 0)
1394 sessionKey = newKey;
1400 DEBUG(
"session key update");
1416 EPNAME(
"getCredentials");
1430 char *nbuf = (
char *) malloc(bck->
size);
1446 "handshake var container missing",
"getCredentials");
1449 if ((!parm && !hs->
Parms) || (parm && (!(parm->
buffer) || parm->
size <= 0))) {
1451 return ErrC(ei,0,0,0,
kGSErrNoBuffer,
"missing parameters",
"getCredentials");
1457 char *upp = (ei && ei->
getEnv()) ? ei->
getEnv()->
Get(
"xrd.gsiusrpxy") : 0;
1458 if (upp) urlUsrProxy = upp;
1460 if (upp) urlUsrCert = upp;
1462 if (upp) urlUsrKey = upp;
1473 const char *stepstr = 0;
1500 if (!(step = bpar->
GetStep())) {
1509 bmsg.
form(
"IN: bpar: %s", stepstr);
1514 if (ParseClientInput(bpar, &bmai, Emsg) == -1) {
1515 DEBUG(Emsg<<
" CF: "<<sessionCF);
1521 bmsg.
form(
"IN: bmai: %s", stepstr);
1530 if (!CheckRtag(bmai, Emsg))
1535 if (user.
length() <= 0) user = getenv(
"XrdSecUSER");
1551 return ErrC(ei,bpar,bmai,0,
1564 issuerHash +=
"|"; issuerHash += c->
SubjectHash(1); }
1569 issuerHash +=
"|"; issuerHash += c->
IssuerHash(1); }
1577 issuerHash +=
"|"; issuerHash += c->
SubjectHash(1); }
1580 DEBUG(
"Client issuer hash: " << issuerHash);
1600 return ErrC(ei,bpar,bmai,0,
1605 if (!(bpub = sessionKey->
Public(lpub)))
1606 return ErrC(ei,bpar,bmai,0,
1617 "encrypting client DH public parameters",stepstr);
1620 "client signing key undefined!",stepstr);
1631 "exporting client public key",stepstr);
1685 if (AddSerialized(
'c', nextstep, hs->
ID,
1686 bpar, bmai,
kXRS_main, sessionKey) != 0) {
1687 return ErrC(ei,bpar,bmai,0,
1707 DEBUG(
"returned " << nser <<
" bytes of credentials");
1710 NOTIFY(
"problems with final serialization");
1727 if (e && (e->
status == st_ref)) {
1730 if (to_ref > 0 && (ts_ref - e->
mtime) > to_ref) expired = 1;
1731 int notafter = *((
int *) e->
buf2.
buf);
1732 if (to_ref > notafter) expired = 1;
1767 "handshake var container missing",
1768 "protocol initialization problems");
1777 DEBUG(
"handshaking ID: " << hs->
ID);
1785 bool vomsFailed =
false;
1786 const char *stepstr = 0;
1818 bmsg.
form(
"IN: bpar: %s", stepstr);
1823 if (ParseServerInput(bpar, &bmai, ClntMsg) == -1) {
1835 bmsg.
form(
"IN: bmai: %s", stepstr);
1841 if (!CheckRtag(bmai, ClntMsg))
1846 if (!X509ExportChain) {
1849 "crypto factory function for chain export not found");
1873 "encrypting server DH public parameters",stepstr);
1876 "server signing key undefined!",stepstr);
1892 return ErrS(hs->
ID,ei,bpar,bmai,0,
1897 return ErrS(hs->
ID,ei,bpar,bmai,0,
1918 DEBUG(
"username(s) associated with this DN: "<<name);
1919 if (name.
length() <= 0) {
1924 PRINT(
"ERROR: user mapping required, but lookup failed - failure");
1927 NOTIFY(
"WARNING: user mapping lookup failed - use DN or DN-hash as name");
1938 DEBUG(
"target user: "<<user);
1944 while ((from = name.
tokenize(u, from,
',')) != -1) {
1945 if (user == u) { ok = 1;
break; }
1949 DEBUG(
"DN mapping: requested user is authorized: name is '"<<name<<
"'");
1954 PRINT(
"WARNING: user mapping lookup ok, but the requested user is not"
1955 " authorized ("<<user<<
"). Instead, mapped as " << name <<
".");
1960 DEBUG(
"user mapping lookup successful: name is '"<<name<<
"'");
1974 PRINT(
"WARNING: DN missing: corruption? ");
1979 if (MonInfoOpt > 0 || ShowDN) {
1982 if (ShowDN && !GMAPuseDNname) {
1989 if (VOMSAttrOpt > vatIgnore && VOMSFun) {
1991 if (VOMSCertFmt == 1) {
1993 bpxy = (*X509ExportChain)(hs->
Chain,
true);
2003 if ((*VOMSFun)(
Entity) != 0) {
2005 if (VOMSAttrOpt == vatRequire) {
2008 PRINT(
"ERROR: the VOMS extraction plug-in reported "
2009 "authentication failure");
2022 if (AuthzFun && AuthzKey && (AuthzAlways || vomsFailed)) {
2024 if (AuthzCertFmt == 1) {
2028 bpxy = (*X509ExportChain)(hs->
Chain,
true);
2048 if ((lkey = (*AuthzKey)(
Entity, &key)) < 0) {
2051 PRINT(
"ERROR: unable to get the key associated to this user");
2054 const char *dn = (
const char *)key;
2058 bool rdlock =
false;
2064 PRINT(
"ERROR: unable to get cache entry for dn: "<<dn);
2076 if ((authzrc = (*AuthzFun)(
Entity)) != 0) {
2079 PRINT(
"ERROR: the authz plug-in reported failure");
2088 CopyEntity(&
Entity, se, &slen);
2095 cent->
buf2.
buf = (
char *)
new int(notafter);
2101 DEBUG(
"Saved Entity to cacheAuthzFun ("<<slen<<
" bytes)");
2109 DEBUG(
"Got Entity from cacheAuthzFun ("<<slen<<
" bytes)");
2118 if (AuthzPxyWhat >= azFull) {
2119 if (bpxy && AuthzPxyWhat == azLast) {
2125 if (AuthzPxyWhat == 1 && hs->
Chain->
End()) {
2128 bpxy = (*X509ExportChain)(hs->
Chain,
true);
2132 if (AuthzPxyWhere == azCred) {
2166 if (ClntMsg.
length() > 0) {
2178 if (ClntMsg.
length() > 0)
2180 NOTIFY(
"problems adding bucket with message for client");
2184 if (AddSerialized(
's', nextstep, hs->
ID,
2185 bpar, bmai,
kXRS_main, sessionKey) != 0) {
2187 "main / session cipher",stepstr);
2226 if (!in || !out)
return;
2240 slen += strlen(in->
moninfo); }
2243 if (lout) *lout = slen;
2296 if ((
mode ==
'c') &&
debug <= 0)
return;
2298 POPTS(t,
" -------------------------------------------------------------------");
2299 POPTS(t,
" Mode: "<< ((
mode ==
'c') ?
"client" :
"server"));
2302 POPTS(t,
" CA verification level: "<< getOptName(caVerOpts,
ca));
2304 POPTS(t,
" CRL extension: " << (
crlext ?
crlext : XrdSecProtocolgsi::DefCRLext));
2305 POPTS(t,
" CRL check level: "<< getOptName(crlOpts,
crl));
2308 POPTS(t,
" Certificate: " << (
cert ?
cert : XrdSecProtocolgsi::UsrCert));
2309 POPTS(t,
" Key: " << (
key ?
key : XrdSecProtocolgsi::UsrKey));
2310 POPTS(t,
" Proxy file: " << XrdSecProtocolgsi::UsrProxy);
2311 POPTS(t,
" Proxy validity: " << (
valid ?
valid : XrdSecProtocolgsi::PxyValid));
2316 if (
createpxy)
POPTS(t,
" Pure Cert/Key authentication allowed");
2319 POPTS(t,
" Certificate: " << (
cert ?
cert : XrdSecProtocolgsi::SrvCert));
2320 POPTS(t,
" Key: " << (
key ?
key : XrdSecProtocolgsi::SrvKey));
2321 POPTS(t,
" Proxy delegation option: "<< getOptName(sDlgOpts,
dlgpxy));
2325 POPTS(t,
" GRIDmap option: "<< getOptName(gmoOpts,
ogmap));
2326 POPTS(t,
" GRIDmap cache entries expiration (secs): "<<
gmapto);
2331 if (
gmapfunparms)
POPTS(t,
" DN mapping function parms: ignored (no mapping function defined)");
2337 POPTS(t,
" Authz cache entries expiration (secs): " <<
authzto);
2339 if (
authzfunparms)
POPTS(t,
" Authz function parms: ignored (no authz function defined)");
2342 POPTS(t,
" Client proxy availability in XrdSecEntity.endorsement: "<< getOptName(azPxyOpts,
authzpxy));
2343 POPTS(t,
" VOMS option: "<< getOptName(vomsatOpts,
vomsat));
2348 if (
vomsfunparms)
POPTS(t,
" VOMS extraction function parms: ignored (no VOMS extraction function defined)");
2352 POPTS(t,
" Name hashing algorithm compatibility OFF");
2356 POPTS(t,
" Crypto modules: "<< (
clist ?
clist : XrdSecProtocolgsi::DefCrypto));
2358 POPTS(t,
" MDigests: "<< (
md ?
md : XrdSecProtocolgsi::DefMD));
2360 POPTS(t,
" Trusting DNS for hostname checking");
2362 POPTS(t,
" Untrusting DNS for hostname checking");
2364 POPTS(t,
" -------------------------------------------------------------------");
2381 EPNAME(
"ProtocolgsiInit");
2384 char *rc = (
char *)
"";
// Debug level from the environment.
2445 cenv = getenv(
"XrdSecDEBUG");
// Only the first character is validated ('1'..'3', ASCII 49..51) while
// atoi() parses the whole string, so e.g. "29" passes the check and sets
// debug = 29.  Harmless, but strtol with a range check would be cleaner.
2447 {
if (cenv[0] >= 49 && cenv[0] <= 51)
opts.
debug = atoi(cenv);
2448 else {
PRINT(
"unsupported debug value from env XrdSecDEBUG: "<<cenv<<
" - setting to 1");
2454 cenv = (getenv(
"XrdSecGSICADIR") ? getenv(
"XrdSecGSICADIR")
2455 : getenv(
"X509_CERT_DIR"));
2457 opts.certdir = strdup(cenv);
2460 cenv = (getenv(
"XrdSecGSICRLDIR") ? getenv(
"XrdSecGSICRLDIR")
2461 : getenv(
"X509_CERT_DIR"));
2463 opts.crldir = strdup(cenv);
2466 cenv = getenv(
"XrdSecGSICRLEXT");
2468 opts.crlext = strdup(cenv);
2471 cenv = getenv(
"XrdSecGSICRLRefresh");
2473 opts.crlrefresh = atoi(cenv);
2476 cenv = (getenv(
"XrdSecGSIUSERCERT") ? getenv(
"XrdSecGSIUSERCERT")
2477 : getenv(
"X509_USER_CERT"));
2479 opts.cert = strdup(cenv);
2482 cenv = (getenv(
"XrdSecGSIUSERKEY") ? getenv(
"XrdSecGSIUSERKEY")
2483 : getenv(
"X509_USER_KEY"));
2485 opts.key = strdup(cenv);
2488 cenv = (getenv(
"XrdSecGSIUSERPROXY") ? getenv(
"XrdSecGSIUSERPROXY")
2489 : getenv(
"X509_USER_PROXY"));
2491 opts.proxy = strdup(cenv);
2494 cenv = getenv(
"XrdSecGSIPROXYVALID");
2496 opts.valid = strdup(cenv);
2499 cenv = getenv(
"XrdSecGSIPROXYDEPLEN");
2501 opts.deplen = atoi(cenv);
2504 cenv = getenv(
"XrdSecGSIPROXYKEYBITS");
2506 opts.bits = atoi(cenv);
2509 cenv = getenv(
"XrdSecGSICACHECK");
2511 opts.ca = atoi(cenv);
2514 cenv = getenv(
"XrdSecGSICRLCHECK");
2516 opts.crl = atoi(cenv);
2519 cenv = getenv(
"XrdSecGSIDELEGPROXY");
2521 opts.dlgpxy = atoi(cenv);
2524 cenv = getenv(
"XrdSecGSICREATEPROXY");
2526 opts.createpxy = atoi(cenv);
2529 cenv = getenv(
"XrdSecGSISRVNAMES");
2531 opts.srvnames = strdup(cenv);
2534 cenv = getenv(
"XrdSecGSIUSEDEFAULTHASH");
// NOTE(review): any value other than the exact string "0" enables DNS trust,
// so "false", "no", "off" or an empty string all turn it ON.  The config
// switch (-trustdns:, line 2711) goes through getOptVal(tdnsOpts, ...)
// instead; using the same parser here, or at least treating "0"/"false"/
// "no" as off, avoids silently weakening server hostname verification
// (see the TrustDNS branches at lines 3237-3260).
2539 if ((cenv = getenv(
"XrdSecGSITRUSTDNS")))
2540 opts.trustdns = (!strcmp(cenv,
"0")) ?
false :
true;
2565 cenv = getenv(
"XRDDEBUG");
2566 if (cenv && !strcmp(cenv,
"1"))
opts.
debug = 1;
2573 char parmbuff[1024];
2574 strlcpy(parmbuff, parms,
sizeof(parmbuff));
2622 String gmapfunparms =
"";
2624 String authzfunparms =
"";
2626 String vomsfunparms =
"";
2630 int crlrefresh = 86400;
2635 int dlgpxy = dlgIgnore;
2637 int vomsat = vatIgnore;
2640 int trustdns =
false;
2644 while ((op = inParms.
GetToken())) {
2645 if (!strncmp(op,
"-d:",3)) {
2647 }
else if (!strncmp(op,
"-c:",3)) {
2648 clist = (
const char *)(op+3);
2649 }
else if (!strncmp(op,
"-certdir:",9)) {
2650 certdir = (
const char *)(op+9);
2651 }
else if (!strncmp(op,
"-crldir:",8)) {
2652 crldir = (
const char *)(op+8);
2653 }
else if (!strncmp(op,
"-crlext:",8)) {
2654 crlext = (
const char *)(op+8);
2655 }
else if (!strncmp(op,
"-cert:",6)) {
2656 cert = (
const char *)(op+6);
2657 }
else if (!strncmp(op,
"-key:",5)) {
2658 key = (
const char *)(op+5);
2659 }
else if (!strncmp(op,
"-cipher:",8)) {
2660 cipher = (
const char *)(op+8);
2661 }
else if (!strncmp(op,
"-md:",4)) {
2662 md = (
const char *)(op+4);
2663 }
else if (!strncmp(op,
"-ca:",4)) {
2664 ca = getOptVal(caVerOpts, op+4);
2666 }
else if (!strncmp(op,
"-crl:",5)) {
2667 crl = getOptVal(crlOpts, op+5);
2668 }
else if (!strncmp(op,
"-crlrefresh:",12)) {
2669 crlrefresh = atoi(op+12);
2670 }
else if (!strncmp(op,
"-gmapopt:",9)) {
2671 ogmap = getOptVal(gmoOpts, op+9);
2672 }
else if (!strncmp(op,
"-gridmap:",9)) {
2673 gridmap = (
const char *)(op+9);
2674 }
else if (!strncmp(op,
"-gmapfun:",9)) {
2675 gmapfun = (
const char *)(op+9);
2676 }
else if (!strncmp(op,
"-gmapfunparms:",14)) {
2677 gmapfunparms = (
const char *)(op+14);
2678 }
else if (!strncmp(op,
"-authzcall:",11)) {
2679 authzcall = getOptVal(azCallOpts, op+11);
2680 }
else if (!strncmp(op,
"-authzfun:",10)) {
2681 authzfun = (
const char *)(op+10);
2682 }
else if (!strncmp(op,
"-authzfunparms:",15)) {
2683 authzfunparms = (
const char *)(op+15);
2684 }
else if (!strncmp(op,
"-authzto:",9)) {
2685 authzto = atoi(op+9);
2686 }
else if (!strncmp(op,
"-gmapto:",8)) {
2687 gmapto = atoi(op+8);
2688 }
else if (!strncmp(op,
"-dlgpxy:",8)) {
2689 opts.dlgpxy = getOptVal(sDlgOpts, op+8);
2690 }
else if (!strncmp(op,
"-exppxy:",8)) {
2691 exppxy = (
const char *)(op+8);
2692 }
else if (!strncmp(op,
"-authzpxy:",10)) {
2693 opts.authzpxy = getOptVal(azPxyOpts, op+10);
2694 }
else if (!strncmp(op,
"-authzpxy",9)) {
2696 }
else if (!strncmp(op,
"-vomsat:",8)) {
2697 vomsat = getOptVal(vomsatOpts, op+8);
2698 if (vomsat != vatIgnore && vomsfun.
length() == 0)
2699 vomsfun =
"default";
2700 }
else if (!strncmp(op,
"-vomsfun:",9)) {
2701 vomsfun = (
const char *)(op+9);
2702 }
else if (!strncmp(op,
"-vomsfunparms:",14)) {
2703 vomsfunparms = (
const char *)(op+14);
2704 }
else if (!strcmp(op,
"-moninfo")) {
2706 }
else if (!strncmp(op,
"-moninfo:",9)) {
2707 moninfo = atoi(op+9);
2708 }
else if (!strcmp(op,
"-defaulthash")) {
2710 }
else if (!strncmp(op,
"-trustdns:",10)) {
2711 trustdns = getOptVal(tdnsOpts, op+10);
2712 }
else if (!strncmp(op,
"-showdn:",8)) {
2713 showDN = getOptVal(tdnsOpts, op+8);
2715 PRINT(
"ignoring unknown switch: "<<op);
2725 if (vomsfun.
length() > 0)
2726 {
if (vomsat == vatIgnore) vomsat = vatExtract;
2728 }
else authzcall = azAlways;
2736 opts.crlrefresh = crlrefresh;
2738 opts.gmapto = gmapto;
2739 opts.authzcall = authzcall;
2740 opts.authzto = authzto;
2741 opts.dlgpxy = (dlgpxy >= dlgIgnore && dlgpxy <= dlgReqSign) ? dlgpxy : 0;
2742 opts.authzpxy = authzpxy;
2743 opts.vomsat = vomsat;
2744 opts.moninfo = moninfo;
2745 opts.hashcomp = hashcomp;
2746 opts.trustdns = (trustdns <= 0) ?
false :
true;
2747 opts.showDN = (showDN > 0) ?
true :
false;
2750 if (certdir.
length() > 0)
2764 if (gridmap.
length() > 0)
2766 if (gmapfun.
length() > 0)
2768 if (gmapfunparms.
length() > 0)
2769 opts.gmapfunparms = (
char *)gmapfunparms.
c_str();
2770 if (authzfun.
length() > 0)
2771 opts.authzfun = (
char *)authzfun.
c_str();
2772 if (authzfunparms.
length() > 0)
2773 opts.authzfunparms = (
char *)authzfunparms.
c_str();
2776 if (vomsfun.
length() > 0)
2778 if (vomsfunparms.
length() > 0)
2779 opts.vomsfunparms = (
char *)vomsfunparms.
c_str();
2809 const char *hostname,
2820 const char *msg =
"Secgsi: Insufficient memory for protocol.";
2824 std::cerr <<msg <<std::endl;
2830 std::cerr <<
"protocol object instantiated" << std::endl;
2850 if (!bls || !buf || (opt != 0 && opt !=
'c' && opt !=
's')) {
2851 PRINT(
"invalid inputs ("
2852 <<bls<<
","<<buf<<
","<<opt<<
")"
2869 if (brt && sessionKsig) {
2873 PRINT(
"error encrypting random tag");
2892 PRINT(
"error creating random tag bucket");
2900 PRINT(
"cache entry not found: protocol error");
2917 PRINT(
"error creating bucket "
2930 if (cip->
Encrypt(*bck, useIV) == 0) {
2931 PRINT(
"error encrypting bucket - cipher "
2946 EPNAME(
"ParseClientInput");
2950 PRINT(
"invalid inputs ("<<br<<
","<<bm<<
")");
2951 cmsg =
"invalid inputs";
2963 if (ClientDoInit(br, bm, cmsg) != 0)
2968 if (ClientDoCert(br, bm, cmsg) != 0)
2973 if (ClientDoPxyreq(br, bm, cmsg) != 0)
2977 cmsg =
"protocol error: unknown action: "; cmsg += step;
2998 emsg =
"error instantiating main buffer";
3004 int ii =
opts.find(
"v:");
3007 sver.erase(sver.find(
','));
3008 hs->
RemVers = atoi(sver.c_str());
3011 emsg =
"server version information not found in options:"
3012 " assume same as local";
3023 emsg =
"error creating cache";
3035 ii =
opts.find(
"c:");
3040 NOTIFY(
"Crypto list missing: protocol error? (use defaults)");
3045 emsg =
"cannot find / load crypto requested modules :";
3052 ii =
opts.find(
"ca:");
3058 if (ParseCAlist(srvca) != 0) {
3059 emsg =
"unknown CA: cannot verify server certificate";
3073 String clientcert = UsrCert, clientkey = UsrKey, clientproxy = UsrProxy;
3074 if (urlUsrCert.
length()>0) clientcert = urlUsrCert;
3075 if (urlUsrKey.
length()>0) clientkey = urlUsrKey;
3076 if (urlUsrProxy.
length()>0) clientproxy = urlUsrProxy;
3081 PRINT(
"Problems resolving templates in "<<clientcert);
3085 PRINT(
"Problems resolving templates in "<<clientkey);
3092 PRINT(
"Problems resolving templates in "<<clientproxy);
3098 clientproxy.c_str(), PxyValid.
c_str(),
3099 DepLength, DefBits, createpxy};
3101 if (QueryProxy(1, &cachePxy, clientproxy.c_str(),
3102 sessionCF, hs->
TimeStamp, &pi, &po) != 0) {
3103 emsg =
"error getting user proxies";
3109 emsg =
"failed to initialize user proxies";
3117 if (!po.
ksig || !(sessionKsig = sessionCF->
RSA(*(po.
ksig)))) {
3118 emsg =
"could not get a copy of the signing key:";
3140 emsg =
"cache entry not found";
3148 emsg =
"cache entry expired";
3166 while ((from = ciplist.
tokenize(cip, from,
':')) != -1) {
3174 emsg =
"no common cipher algorithm";
3179 NOTIFY(
"WARNING: list of ciphers supported by server missing"
3180 " - using default");
3186 emsg =
"server certificate missing";
3195 emsg =
"cannot duplicate reference chain";
3204 emsg =
"cannot attach to ParseBucket function!";
3208 int nci = (*ParseBucket)(bck, hs->
Chain);
3211 emsg +=
" vs 1 expected)";
3219 emsg =
"certificate chain verification failed: ";
// Server hostname verification (client side, fragment, lines 3233-3276).
// From the messages below: the SAN extension is checked first; if the cert
// has a SAN that did not match, the CN fallback is disallowed unless
// TrustDNS is set; the DNS-translation fallback is likewise only tried with
// TrustDNS.  The intermediate branches are not in this listing.
3233 bool hasSAN, usedDNS =
false;
3237 {
if (hasSAN && !TrustDNS)
3238 {
emsg =
"Unable to verify server hostname '";
emsg += wantHost;
3239 emsg+=
"' using SAN extension; common name fallback disallowed.";
3245 {
emsg =
"Unable to verify server hostname '";
emsg += wantHost;
3246 emsg+=
"' using common name; DNS fallback prohibited.";
3252 {
emsg =
"Unable to verify server hostname '";
emsg += wantHost;
3253 emsg+=
"'; DNS fallback translation failed.";
3256 DEBUG(
"TrustDNS: checking if cert is for host " <<name);
// A failed match is fatal regardless of the TrustDNS setting.
3260 if (!hostOK)
return -1;
3271 (SrvAllowedNames.
length() > 0 &&
// Proxy delegation is refused when the server identity was presumably only
// established through DNS (usedDNS): a spoofed resolution must not be able
// to collect a delegated credential.
3275 std::cerr <<
"secgsi: proxy delegation forbidden when trusting DNS "
3276 "to resolve '" <<wantHost <<
"'!\n" <<std::flush;
3283 if (!sessionKver || !sessionKver->
IsValid()) {
3284 emsg =
"server certificate contains an invalid key";
3296 emsg =
"server public part for session cipher missing";
3303 emsg =
"decrypting server DH public parameters";
3310 emsg =
"server public part for session cipher missing";
3319 <<
". Will not delegate x509 proxy to it");
3328 PRINT(
"could not instantiate session cipher "
3329 "using cipher public info from server");
3330 emsg =
"could not instantiate session cipher ";
3358 bck->ToString(mdlist);
3361 while ((from = mdlist.
tokenize(md, from,
':')) != -1) {
3368 NOTIFY(
"WARNING: list of digests supported by server missing"
3369 " - using default");
3373 emsg =
"could not instantiate digest object";
3384 emsg =
"main buffer missing";
3391 emsg =
"error deserializing main buffer";
3414 emsg =
"main buffer missing";
3420 if (!(sessionKey->
Decrypt(*bckm, useIV))) {
3421 emsg =
"error with session cipher";
3429 emsg =
"error deserializing main buffer";
3441 emsg =
"local proxy info missing or corrupted";
3447 emsg =
"problems exporting private key";
3451 if ((*bm)->AddBucket(pri,
kXRS_x509) != 0) {
3452 emsg =
"problem adding bucket with private key to main buffer";
3458 emsg =
"Not allowed to sign proxy requests";
3463 emsg =
"bucket with proxy request missing";
3468 emsg =
"could not resolve proxy request";
3477 emsg =
"local proxy info missing or corrupted";
3482 if (!X509SignProxyReq) {
3483 emsg =
"problems getting method to sign request";
3487 if ((*X509SignProxyReq)(pxy, kpxy, req, &npxy) != 0) {
3488 emsg =
"problems signing the request";
3495 if ((bck = npxy->
Export())) {
3497 if ((*bm)->AddBucket(bck) != 0) {
3498 emsg =
"problem adding signed request to main buffer";
3519 EPNAME(
"ParseServerInput");
3523 PRINT(
"invalid inputs ("<<br<<
","<<bm<<
")");
3524 cmsg =
"invalid inputs";
3536 if (ServerDoCertreq(br, bm, cmsg) != 0)
3541 if (ServerDoCert(br, bm, cmsg) != 0)
3546 if (ServerDoSigpxy(br, bm, cmsg) != 0)
3550 cmsg =
"protocol error: unknown action: "; cmsg += step;
3575 cmsg =
"client version information not found in options:"
3576 " assume same as local";
3586 cmsg =
"main buffer missing";
3592 cmsg =
"crypto module specification missing";
3599 cmsg =
"cannot find / load crypto requested module :";
3606 cmsg =
"client issuer hash missing";
3613 if (ParseCAlist(cahash) != 0) {
3614 cmsg =
"unknown CA: cannot verify client credentials";
3621 cmsg =
"cannot find certificate: corruption?";
3632 cmsg =
"cannot create cache entry";
3638 cmsg =
"error deserializing main buffer";
3669 cmsg =
"main buffer missing";
// ServerDoCert (fragment, lines 3679-3766): session-cipher negotiation.
// The client's choice arrives as "name#ivlen"; split at '#'.
3679 int piv = cip.
find(
'#');
// NOTE(review): lenIV is client-controlled and only checked to be numeric;
// no upper bound against the cipher's MaxIVLength() (cf. the Decrypt side,
// line 1170) is visible before SetIV(lenIV, 0) below.  Confirm SetIV rejects
// out-of-range lengths.
3682 if (siv.isdigit()) lenIV = siv.atoi();
// NOTE(review): if String::find() is a substring search (as XrdOucString's
// is), this accepts any fragment of the colon-separated DefCipher list --
// "cbc", "aes" or "-" -- as a supported name.  Whether that is reachable
// depends on how cip is later used to build the cipher (not shown);
// tokenizing DefCipher on ':' and requiring an exact match, as the client
// does for the server's list at line 3166, removes the ambiguity.
3686 if (DefCipher.
find(cip) == -1) {
3687 cmsg =
"unsupported cipher chosen by the client";
3694 NOTIFY(
"WARNING: client choice for cipher missing"
3695 " - using default");
// Client RSA public key and DH parameters.
3704 cmsg =
"bucket with client public key missing";
3709 if (!sessionKver || !sessionKver->
IsValid()) {
3710 cmsg =
"bucket with client public key contains an invalid key";
3716 cmsg =
"bucket with client DH parameters missing";
3722 cmsg =
"decrypting client DH public parameters";
3730 cmsg =
"bucket with client DH parameters missing";
3738 " : will not delegate x509 proxy to it");
// The reference cipher prepared at init becomes the session cipher.
3752 cmsg =
"reference cipher missing";
3756 sessionKey = hs->
Rcip;
3760 cmsg =
"cannot finalize session cipher";
3766 if (lenIV > 0) sessionKey->
SetIV(lenIV, (
const char *)0);
3769 cmsg =
"bucket with DH parameters not found or invalid: cannot finalize session cipher";
3780 if (!(sessionKey->
Decrypt(*bckm, useIV))) {
3781 cmsg =
"error decrypting main buffer with session cipher";
3789 cmsg =
"error deserializing main buffer";
3798 cmsg =
"client version information not found in options:"
3799 " assume same as local";
3808 cmsg =
"session cache has gone";
3816 cmsg =
"cache entry expired";
3824 if (!(bck = (*bm)->GetBucket(
kXRS_x509))) {
3825 cmsg =
"client certificate missing";
3835 cmsg =
"cannot duplicate reference chain";
3844 cmsg =
"cannot attach to ParseBucket function!";
3849 int nci = (*ParseBucket)(bck, hs->
Chain);
3851 cmsg =
"wrong number of certificates in received bucket (received: ";
3853 cmsg +=
", expected: >= ";
3863 cmsg =
"certificate chain verification failed: ";
3871 if (!ckey || !ckey->
IsValid()) {
3872 cmsg =
"client certificate contains an invalid key";
3879 cmsg =
"exporting client public key";
3882 if (cpubcert != cpub) {
3883 cmsg =
"client public key does not match the one from the bucket!";
3902 if (!X509CreateProxyReq) {
3903 cmsg =
"cannot attach to X509CreateProxyReq function!";
3916 if ((*ParseBucket)(bck, hs->
PxyChain) > 1) {
3923 if ((*X509CreateProxyReq)(hs->
PxyChain->
End(), &rPXp, &krPXp) == 0) {
3932 cmsg =
"cannot export private key of the proxy request!";
3938 if ((*bm)->AddBucket(bckr) != 0) {
3941 NOTIFY(
"WARNING: proxy req: problem adding bucket to main buffer");
3948 NOTIFY(
"WARNING: proxy req: problem creating request");
3954 NOTIFY(
"WARNING: proxy req: wrong number of certificates");
3965 if (DefMD.
find(md) == -1) {
3966 cmsg =
"unsupported MD chosen by the client";
3972 NOTIFY(
"WARNING: client choice for digests missing"
3973 " - using default");
3977 cmsg =
"could not instantiate digest object";
3992 EPNAME(
"ServerDoSigpxy");
4000 cmsg =
"main buffer missing";
4006 if (!(sessionKey->
Decrypt(*bckm, useIV))) {
4007 cmsg =
"error decrypting main buffer with session cipher";
4014 cmsg =
"error deserializing main buffer";
4019 if (!(bck = (*bm)->GetBucket(
kXRS_x509))) {
4020 cmsg =
"buffer with requested info missing";
4026 DEBUG(
"msg from client: "<<m);
4028 cmsg +=
" :"; cmsg += m;
4036 cmsg =
"the proxy chain is gone";
4046 cmsg =
"problems importing private key";
4053 cmsg =
"session cache has gone";
4059 cmsg =
"could not resolve signed request";
4066 cmsg =
"could not import private key into signed request";
4084 cmsg =
"chain exporter not found; proxy chain not exported";
4102 if ((bck = (*bm)->GetBucket(
kXRS_user))) {
4111 String pxfile = UsrProxy, name;
4112 struct passwd *pw = getpwnam(user.
c_str());
4117 XrdCryptoX509 *c = proxyChain->SearchBySubject(proxyChain->EECname());
4121 cmsg =
"proxy chain not dumped to file: could not find subject hash";
4127 PRINT(
"Problems resolving templates in "<<pxfile);
4132 String suid; suid += (int) pw->pw_uid;
4138 if ((*ctofile)(proxyChain,pxfile.
c_str()) != 0) {
4139 cmsg =
"problems dumping proxy chain to file ";
4143 PRINT(
"proxy chain dumped to "<< pxfile);
4145 cmsg =
"proxy chain not dumped to file: entity name undefined";
4156 const char *msg1,
const char *msg2,
4163 int k, i = 0, sz = strlen(
"Secgsi");
4169 const char *cmsg = (cm > -1) ?
gGSErrStr[cm] : 0;
4173 msgv[i++] = (
char *)
"Secgsi";
4174 if (cmsg) {msgv[i++] = (
char *)
": ";
4175 msgv[i++] = (
char *)cmsg;
4176 sz += strlen(msgv[i-1]) + 2;
4178 if (msg1) {msgv[i++] = (
char *)
": ";
4179 msgv[i++] = (
char *)msg1;
4180 sz += strlen(msgv[i-1]) + 2;
4182 if (msg2) {msgv[i++] = (
char *)
": ";
4183 msgv[i++] = (
char *)msg2;
4184 sz += strlen(msgv[i-1]) + 2;
4186 if (msg3) {msgv[i++] = (
char *)
": ";
4187 msgv[i++] = (
char *)msg3;
4188 sz += strlen(msgv[i-1]) + 2;
4193 einfo->
setErrInfo(ecode, (
const char **)msgv, i);
4196 char *bout =
new char[sz+10];
4199 for (k = 0; k < i; k++)
4200 strcat(bout, msgv[k]);
4203 for (k = 0; k < i; k++)
4222 ErrF(einfo, ecode, msg1, msg2, msg3);
4235 const char *msg1,
const char *msg2,
4241 ErrF(einfo, ecode, msg1, msg2, msg3);
4258 emsg =
"Buffer not defined";
4267 if (!(sessionKver)) {
4268 emsg =
"Session cipher undefined";
4273 emsg =
"error decrypting random tag with public key";
4277 emsg =
"random tag missing - protocol error";
4283 emsg =
"random tag content mismatch";
4296 DEBUG(
"Random tag successfully checked");
4298 DEBUG(
"Nothing to check");
4321 PRINT(
"Invalid inputs");
4329 if (strcmp(subjhash, xca->
SubjectHash())) hashalg = 1;
4331 String caroot(cahash, 0, cahash.
find(
".0")-1);
4334 String crlext = XrdSecProtocolgsi::DefCRLext;
4339 if (crldir.
length() <= 0)
continue;
4341 String crlfile = crldir + caroot;
4343 DEBUG(
"target file: "<<crlfile);
4346 if ((errcrl = VerifyCRL(crl, xca, crldir,
CF, hashalg)) == 0)
return crl;
4352 if (CRLCheck < 2 || (dwld == 0)) {
4365 if ((errcrl = VerifyCRL(crl, xca, crldir,
CF, hashalg)) == 0)
return crl;
4372 if (crldir.
length() <= 0)
continue;
4374 String crlurl = crldir + caroot;
4375 crlurl +=
".crl_url";
4376 DEBUG(
"target file: "<<crlurl);
4379 PRINT(
"could not open file: "<<crlurl);
4383 while ((fgets(line,
sizeof(line), furl))) {
4384 if (line[strlen(line) - 1] ==
'\n') line[strlen(line) - 1] = 0;
4386 if ((errcrl = VerifyCRL(crl, xca, crldir,
CF, hashalg)) == 0)
return crl;
4395 if (crldir.
length() <= 0)
continue;
4400 PRINT(
"could not open directory: "<<crldir<<
" (errno: "<<errno<<
")");
4404 struct dirent *dent = 0;
4405 while ((dent =
readdir(dd))) {
4407 if (!strcmp(cahash.
c_str(),dent->d_name))
continue;
4409 if (!strstr(dent->d_name,caroot.c_str()))
continue;
4411 String crlfile = crldir + dent->d_name;
4412 DEBUG(
"analysing entry "<<crlfile);
4415 if ((errcrl = VerifyCRL(crl, xca, crldir,
CF, hashalg)) == 0)
break;
4439 DEBUG(
"CA signing certificate file = "<<casigfile);
4443 if (CRLCheck >= 2) {
4444 PRINT(
"CA certificate to verify the signature ("<<crl->
IssuerHash(hashalg)<<
4445 ") could not be loaded - exit");
4447 DEBUG(
"CA certificate to verify the signature could not be loaded - verification skipped");
4452 if (crl->
Verify(xcasig)) {
4454 if (CRLCheck >= 3 && crl && crl->
IsExpired()) {
4456 NOTIFY(
"CRL is expired (CRLCheck: "<<CRLCheck<<
")");
4460 PRINT(
"CA signature or CRL verification failed!");
4466 PRINT(
"Loaded CRL does not match CA (subject CA "<<xca->
SubjectHash(hashalg)<<
4467 " does not match CRL issuer "<<crl->
IssuerHash(hashalg)<<
"! ");
4473 String XrdSecProtocolgsi::GetCApath(
const char *cahash)
4513 PRINT(
"Invalid input ");
4520 PRINT(
"Cannot attach to the ParseFile function");
4527 PRINT(
"Cannot attach to first certificate in chain");
4547 for (
int ha = 0; ha < 2; ha++) {
4549 if (inam.
length() <= 0)
continue;
4551 ncis = (*ParseFile)(inam.
c_str(), ch, 0);
4552 if (ncis >= 1)
break;
4555 if (ncis < 1)
break;
4583 if (!(verified = cca->
Verify(e, &vopt)))
4586 PRINT(
"CA certificate not self-signed: cannot verify integrity ("<<xc->
SubjectHash()<<
")");
4595 NOTIFY(
"Warning: CA certificate not self-signed and"
4596 " integrity not checked: assuming OK ("<<xc->
SubjectHash()<<
")");
4600 if (CACheck > caNoVerify) {
4602 bool checkselfsigned = (CACheck > caVerifyss) ?
true :
false;
4603 if (!(verified = cca->
CheckCA(checkselfsigned)))
4604 PRINT(
"CA certificate self-signed: integrity check failed ("<<xc->
SubjectHash()<<
")");
4609 NOTIFY(
"Warning: CA certificate self-signed but"
4610 " integrity not checked: assuming OK ("<<xc->
SubjectHash()<<
")");
4631 if (!e)
return false;
4642 PRINT(
"CA entry for '"<<e->
name<<
"' needs refreshing: clean the related entry cache first");
4649 if ((crl_check == 2 && !crl) || (crl_check == 3 && crl->
IsExpired())) goodcrl = 0;
4650 if (crl_refresh > 0 && ((ts_ref - e->
mtime) > crl_refresh)) goodcrl = 0;
4654 PRINT(
"CRL entry for '"<<e->
name<<
"' needs refreshing: clean the related entry cache first ("<<e<<
")");
4661 int XrdSecProtocolgsi::GetCA(
const char *cahash,
4673 if (!cahash || !cf) {
4674 PRINT(
"Invalid input ");
4679 time_t timestamp = (hs) ? hs->
TimeStamp : time(0);
4685 DEBUG(
"Querying cache for tag: "<<tag<<
" (timestamp:"<<timestamp<<
4686 ", refresh fq:"<< CRLRefresh <<
")");
4688 bool rdlock =
false;
4692 PRINT(
"unable to get a valid entry from cache for " << tag);
4704 if (chain) stackCA.
Del(chain);
4705 if (crl) stackCRL->Del(crl);
4706 PRINT(
"unable to get a valid entry from cache for " << tag);
4713 if (hs) hs->
Chain = chain;
4717 if (hs) hs->
Crl = crl;
4725 if (chain) stackCA.
Del(chain);
4726 if (crl) stackCRL->Del(crl);
4734 String fnam = GetCApath(cahash);
4735 DEBUG(
"trying to load CA certificate from "<<fnam);
4738 bool createchain = (hs && hs->
Chain) ? 0 : 1;
4741 PRINT(
"could not attach-to or create new GSI chain");
4748 int nci = (createchain) ? (*
ParseFile)(fnam.
c_str(), chain, 0) : 1;
4749 bool ok = 0, verified = 0;
4752 verified = VerifyCA(CACheck, chain, cf);
4759 if ((crl = LoadCRL(chain->
EffCA(), cahash, cf, CRLDownload, errcrl))) {
4761 DEBUG(
"CRL successfully loaded");
4763 String em =
"missing or expired: ignoring";
4764 if ((CRLCheck == 1 && errcrl != 0 && errcrl != -5) || (CRLCheck >= 2 && errcrl != 0)) {
4766 em =
"invalid: failing";
4767 }
else if (CRLCheck >= 2) {
4769 em =
"missing or expired: failing";
4771 NOTIFY(
"CRL is "<<em<<
" (CRLCheck: "<<CRLCheck<<
")");
4778 cent->
buf1.
buf = (
char *)(chain);
4782 cent->
buf2.
buf = (
char *)(crl);
4786 cent->
mtime = timestamp;
4802 NOTIFY(
"certificate not found or invalid (nci: "<<nci<<
", CA: "<<
4803 (
int)(verified)<<
")");
4812 return (rc != 0) ? rc : 0;
4826 if (isatty(0) == 0 || isatty(1) == 0) {
4827 NOTIFY(
"Not a tty: cannot prompt for proxies - do nothing ");
4831 #ifndef HASGRIDPROXYINIT
4837 PRINT(
"chain or key container undefined");
4842 if (
stat(pi->
key, &st) != 0) {
4843 DEBUG(
"cannot access private key file: "<<pi->
key);
4846 if (!S_ISREG(st.st_mode) || S_ISDIR(st.st_mode) ||
4847 (st.st_mode & (S_IWGRP | S_IWOTH)) != 0 ||
4848 (st.st_mode & (S_IRGRP | S_IROTH)) != 0) {
4849 DEBUG(
"wrong permissions for file: "<<pi->
key<<
" (should be 0600)");
4863 if (!X509CreateProxy) {
4864 PRINT(
"cannot attach to X509CreateProxy function!");
4867 rc = (*X509CreateProxy)(pi->
cert, pi->
key, &pxopt, ch, kp, pi->
out);
4873 if (getenv(
"GLOBUS_LOCATION"))
4874 cmd =
"source $GLOBUS_LOCATION/etc/globus-user-env.sh;";
4877 cmd +=
" grid-proxy-init";
4889 cdir.erase(cdir.find(
','));
4890 cmd +=
" -certdir ";
4907 cmd +=
" -path-length ";
4917 DEBUG(
"executing: " << cmd);
4920 rc = system(cmd.c_str());
4921 DEBUG(
"return code: "<< rc <<
" (0x"<<(
int *)rc<<
")");
4929 int XrdSecProtocolgsi::ParseCAlist(
String calist)
4937 if (calist.
length() <= 0) {
4938 PRINT(
"nothing to parse");
4941 DEBUG(
"parsing list: "<<calist);
4949 while ((from = calist.
tokenize(cahash, from,
'|')) != -1) {
4954 if (!cahash.
endswith(
".0")) cahash +=
".0";
4956 if (GetCA(cahash.
c_str(), sessionCF, hs) == 0)
4967 int XrdSecProtocolgsi::ParseCrypto(
String clist)
4978 if (clist.
length() <= 0) {
4979 NOTIFY(
"empty list: nothing to parse");
4982 DEBUG(
"parsing list: "<<clist);
4994 bool otherHasPad =
true;
4997 otherHasPad =
false;
5001 otherHasPad =
false;
5009 int fid = sessionCF->
ID();
5013 if (cryptID[i] == fid)
break;
5018 DEBUG(
"max number of crypto slots reached - do nothing");
5022 cryptF[i] = sessionCF;
5053 int XrdSecProtocolgsi::QueryProxy(
bool checkcache,
XrdSutCache *cache,
5063 bool rdlock =
false;
5067 PRINT(
"cannot get cache entry for: "<<tag);
5072 if (checkcache && rdlock) {
5106 PRINT(
"cannot create new chain!");
5111 bool exportbucket = 0;
5114 while (!hasproxy && ntry > 0) {
5122 if (InitProxy(pi, cf, po->
chain, &(po->
ksig)) != 0) {
5123 NOTIFY(
"problems initializing proxy via external shell");
5129 #ifndef HASGRIDPROXYINIT
5133 timestamp = time(0);
5142 char *cbuf = getenv(
"XrdSecCREDS");
5147 xbck.SetBuf(cbuf, strlen(cbuf));
5150 PRINT(
"cannot attach to ParseBucket function!");
5153 int nci = (*ParseBucket)(&xbck, po->
chain);
5155 NOTIFY(
"proxy bucket must have at least two certificates"
5156 " (found: "<<nci<<
")");
5168 PRINT(
"cannot attach to ParseFile function!");
5174 int nci = (*ParseFile)(pi->
out, po->
chain, 0);
5176 DEBUG(
"proxy files must have at least 2 certificates"
5177 " (found: "<<nci<<
")");
5182 DEBUG(
"cert files must have at least 1 certificates"
5183 " (found: "<<nci<<
")");
5192 bool checkselfsigned = (CACheck > caVerifyss) ?
true :
false;
5200 NOTIFY(
"proxy files contains expired certificates");
5206 NOTIFY(
"proxy files contains inconsistent certificates");
5213 NOTIFY(
"proxy files contain invalid key pair");
5219 PRINT(
"cannot attach to ExportChain function!");
5225 po->
cbck = (*ExportChain)(po->
chain, 0);
5227 PRINT(
"could not create bucket for export");
5271 if ((e->
status != st_ref) ||
5272 ((e->
status == st_ref) &&
5274 ((ts_ref - e->
mtime) > to_ref))) {
5300 PRINT(
"input chain undefined!");
5306 const char *dn = chain->
EECname();
5309 bool rdlock =
false;
5313 PRINT(
"unable to get a valid entry from cache for dn: " << dn);
5321 char *name = (*GMAPFun)(dn, now);
5327 cent->
buf1.
len = strlen(name);
5343 if (servGMap->
dn2user(dn, u,
sizeof(u), now) == 0) {
5344 if (usrs.
length() > 0) usrs +=
",";
5345 usrs += (
const char *)u;
5362 if (!plugin || strlen(plugin) <= 0) {
5363 PRINT(
"plug-in file undefined");
5368 XrdOucPinLoader gmapLib(errBuff,
sizeof(errBuff),gsiVersion,
"gmaplib",plugin);
5371 bool useglobals = 0;
5374 while ((from = ps.tokenize(p, from,
'|')) != -1) {
5375 if (p ==
"useglobals") {
5378 if (params.
length() > 0) params +=
" ";
5382 DEBUG(
"params: '"<< params<<
"'; useglobals: "<<useglobals);
5386 if (useglobals) gmapLib.Global(
true);
5391 PRINT(
"could not find 'XrdSecgsiGMAPFun()' in "<<plugin);
5396 if ((*ep)(params.
c_str(), 0) == (
char *)-1) {
5397 PRINT(
"could not initialize 'XrdSecgsiGMAPFun()'");
5402 PRINT(
"using 'XrdSecgsiGMAPFun()' from "<<plugin);
5410 const char *parms,
int &certfmt)
5455 if (!plugin || strlen(plugin) <= 0) {
5456 PRINT(
"plug-in file undefined");
5461 XrdOucPinLoader authzLib(errBuff,
sizeof(errBuff),gsiVersion,
"authzlib",plugin);
5464 bool useglobals = 0;
5467 while ((from = ps.tokenize(p, from,
'|')) != -1) {
5468 if (p ==
"useglobals") {
5471 if (params.
length() > 0) params +=
" ";
5475 DEBUG(
"params: '"<< params<<
"'; useglobals: "<<useglobals);
5479 if (useglobals) authzLib.Global(
true);
5483 PRINT(
"could not find 'XrdSecgsiAuthzFun()' in "<<plugin);
5491 PRINT(
"could not find 'XrdSecgsiAuthzKey()' in "<<plugin);
5499 PRINT(
"could not find 'XrdSecgsiAuthzInit()' in "<<plugin);
5504 if ((certfmt = (*epinit)(params.
c_str())) == -1) {
5505 PRINT(
"problems executing 'XrdSecgsiAuthzInit()' (rc: "<<certfmt<<
")");
5510 PRINT(
"using 'XrdSecgsiAuthzFun()' from "<<plugin);
5518 const char *parms,
int &certfmt)
5552 if (!plugin || strlen(plugin) <= 0) {
5553 PRINT(
"plug-in file undefined");
5558 XrdOucPinLoader vomsLib(errBuff,
sizeof(errBuff),gsiVersion,
"vomslib",plugin);
5561 bool useglobals = 0;
5564 while ((from = ps.tokenize(p, from,
'|')) != -1) {
5565 if (p ==
"useglobals") {
5568 if (params.
length() > 0) params +=
" ";
5572 DEBUG(
"params: '"<< params<<
"'; useglobals: "<<useglobals);
5576 if (useglobals) vomsLib.Global(
true);
5580 PRINT(
"could not find 'XrdSecgsiVOMSFun()' in "<<plugin);
5589 PRINT(
"could not find 'XrdSecgsiVOMSInit()' in "<<plugin);
5594 if ((certfmt = (*epinit)(params.
c_str())) == -1) {
5595 PRINT(
"problems executing 'XrdSecgsiVOMSInit()' (rc: "<<certfmt<<
")");
5600 PRINT(
"using 'XrdSecgsiVOMSFun()' from "<<plugin);
5608 bool XrdSecProtocolgsi::ServerCertNameOK(
const char *subject,
const char *hname,
XrdOucString &
emsg)
5614 if (!subject || strlen(subject) <= 0)
return 0;
5622 int cnidx = srvsubj.
find(
"CN=");
5627 size_t ih = srvcn.
find(
"/");
5628 if (ih != std::string::npos) {
5635 if (
emsg.length() <= 0) {
5636 emsg =
"server certificate CN '";
emsg += srvcn;
5637 emsg +=
"' does not match the expected format(s):";
5639 String defcn(
"[*/]"); defcn += hname; defcn +=
"[/*]";
5645 if (SrvAllowedNames.
length() > 0) {
5651 String allowedfmts(SrvAllowedNames);
5652 allowedfmts.replace(
"<host>", hname);
5653 allowedfmts.replace(
"<fqdn>", hname);
5656 while ((from = allowedfmts.tokenize(fmt, from,
'|')) != -1) {
5663 if (srvcn.
matches(fmt.
c_str()) > 0) allowed = (deny) ? 0 : 1;
5667 if (
emsg.length() <= 0) {
5668 emsg =
"server certificate CN '";
emsg += srvcn;
5669 emsg +=
"' does not match the expected format:";
5671 emsg +=
" '";
emsg += SrvAllowedNames;
emsg +=
"' (exceptions)";
5678 emsg +=
"; exceptions are controlled by the env XrdSecGSISRVNAMES";
5689 if (e->
status > st_ref) {
5690 if (e->
mtime >= ts_ref)
5700 time_t timestamp,
String &certcalist)
5708 PRINT(
"Invalid inputs");
5712 bool rdlock =
false;
5716 PRINT(
"unable to get a valid entry from cache for " << cf->
Name());
5722 if (rdlock)
return cent;
5723 if (cent->
buf1.
buf)
PRINT(
"entry has expired: trying to renew ...");
5729 UsrProxy.
c_str(), PxyValid.
c_str(), 0, 512,
false};
5736 if (QueryProxy(0, &cacheCert, cf->
Name(), cf, timestamp, &pi, &po) != 0) {
5737 PRINT(
"proxy expired and cannot be renewed");
5761 uid_t gsi_uid = geteuid();
5762 gid_t gsi_gid = getegid();
5765 if (st.st_uid != gsi_uid || st.st_gid != gsi_gid) {
5766 gsi_uid = st.st_uid;
5767 gsi_gid = st.st_gid;
5776 PRINT(
"problems loading srv cert: not EEC but: "<<xsrv->
Type());
5783 PRINT(
"problems loading srv cert: invalid");
5790 PRINT(
"problems loading srv cert: invalid PKI");
5798 PRINT(
"problems loading srv cert: cannot export into bucket");
5805 if ((rcgetca = GetCA(xsrv->
IssuerHash(), cf)) != 0) {
5809 if ((rcgetca = GetCA(xsrv->
IssuerHash(1), cf)) != 0) {
5816 if (rcgetca == -1) {
5817 PRINT(
"do not have certificate for the issuing CA '"<<
emsg<<
"'");
5819 PRINT(
"failed to load certificate for the issuing CA '"<<
emsg<<
"'");
5836 cent->
buf1.
buf = (
char *)xsrv;
5846 cent->
buf3.
buf = (
char *)(xbck);
5851 if (certcalist.
length() > 0) certcalist +=
"|";
5855 if (HashCompatibility && xsrv->
IssuerHash(1) &&
5858 if (certcalist.
length() > 0) certcalist +=
"|";
5863 PRINT(
"failed to load certificate from files ("<< SrvCert <<
","<<SrvKey<<
")");
void XrdCryptoSetTrace(kXR_int32 trace)
static XrdSysError eDest(0,"crypto_")
#define cryptoTRACE_Notify
#define cryptoTRACE_Debug
#define XrdCryptoDefRSABits
int(* XrdCryptoX509ChainToFile_t)(XrdCryptoX509Chain *, const char *)
int(* XrdCryptoX509CreateProxy_t)(const char *, const char *, XrdProxyOpt_t *, XrdCryptogsiX509Chain *, XrdCryptoRSA **, const char *)
int(* XrdCryptoX509SignProxyReq_t)(XrdCryptoX509 *, XrdCryptoRSA *, XrdCryptoX509Req *, XrdCryptoX509 **)
int(* XrdCryptoX509ParseBucket_t)(XrdSutBucket *, XrdCryptoX509Chain *)
XrdSutBucket *(* XrdCryptoX509ExportChain_t)(XrdCryptoX509Chain *, bool)
int(* XrdCryptoX509ParseFile_t)(const char *fname, XrdCryptoX509Chain *, const char *)
int(* XrdCryptoX509CreateProxyReq_t)(XrdCryptoX509 *, XrdCryptoX509Req **, XrdCryptoRSA **)
const int kOptsCheckSubCA
XrdOucGMap * XrdOucgetGMap(XrdOucGMapArgs)
int stat(const char *path, struct stat *buf)
struct dirent * readdir(DIR *dirp)
int access(const char *path, int amode)
DIR * opendir(const char *path)
XrdSecBuffer XrdSecParameters
XrdSecBuffer XrdSecCredentials
static bool GetCACheck(XrdSutCacheEntry *e, void *a)
static const char * gGSErrStr[]
static const char * gsiServerSteps[]
static bool QueryProxyCheck(XrdSutCacheEntry *e, void *a)
XrdSecProtocol * XrdSecProtocolgsiObject(const char mode, const char *hostname, XrdNetAddrInfo &endPoint, const char *parms, XrdOucErrInfo *erp)
static const char * gNoPadTag
static const char * ServerStepStr(int ksrv)
static const char * gUsrPxyDef
static const kXR_int32 Version
static bool GetSrvCertEntCheck(XrdSutCacheEntry *e, void *a)
static bool QueryGMAPCheck(XrdSutCacheEntry *e, void *a)
XrdVERSIONINFO(XrdSecProtocolgsiObject, secgsi)
static const char * gsiClientSteps[]
char * XrdSecProtocolgsiInit(const char mode, const char *parms, XrdOucErrInfo *erp)
static bool AuthzFunCheck(XrdSutCacheEntry *e, void *a)
static const char * ClientStepStr(int kclt)
int(* XrdSecgsiAuthz_t)(XrdSecEntity &)
XrdCryptogsiX509Chain X509Chain
XrdSecgsiAuthz_t XrdSecgsiVOMS_t
int(* XrdSecgsiAuthzKey_t)(XrdSecEntity &, char **)
#define XrdSecgsiVersCertKey
#define XrdSecgsiVersDHsigned
int(* XrdSecgsiAuthzInit_t)(const char *)
char *(* XrdSecgsiGMAP_t)(const char *, int)
XrdSecgsiAuthzInit_t XrdSecgsiVOMSInit_t
XrdCryptoX509ParseFile_t ParseFile
int emsg(int rc, char *msg)
int XrdSutParseTime(const char *tstr, int opt)
int XrdSutExpand(XrdOucString &path)
int XrdSutResolve(XrdOucString &path, const char *ho, const char *vo, const char *gr, const char *us)
const char * XrdSutHome()
const char * XrdSutBuckStr(int kbck)
void XrdSutSetTrace(kXR_int32 trace)
virtual int Length() const
virtual char * Buffer() const
virtual void SetIV(int l, const char *iv)
virtual int Decrypt(const char *in, int lin, char *out)
virtual int DecOutLength(int l)
virtual char * RefreshIV(int &l)
virtual int Encrypt(const char *in, int lin, char *out)
virtual int MaxIVLength() const
virtual XrdSutBucket * AsBucket()
virtual char * Public(int &lpub)
virtual int EncOutLength(int l)
virtual bool Finalize(bool padded, char *pub, int lpub, const char *t)
virtual bool HasPaddingSupport()
virtual XrdCryptoX509ParseBucket_t X509ParseBucket()
virtual XrdCryptoX509CreateProxyReq_t X509CreateProxyReq()
virtual XrdCryptoX509 * X509(const char *cf, const char *kf=0)
virtual void SetTrace(kXR_int32 trace)
virtual XrdCryptoX509ParseFile_t X509ParseFile()
virtual XrdCryptoX509CreateProxy_t X509CreateProxy()
virtual XrdCryptoX509ChainToFile_t X509ChainToFile()
virtual XrdCryptoCipher * Cipher(const char *t, int l=0)
virtual XrdCryptoRSA * RSA(int b=0, int e=0)
virtual bool SupportedMsgDigest(const char *dgst)
virtual XrdCryptoMsgDigest * MsgDigest(const char *dgst)
virtual XrdCryptoX509Crl * X509Crl(const char *crlfile, int opt=0)
static XrdCryptoFactory * GetCryptoFactory(const char *factoryname)
virtual bool SupportedCipher(const char *t)
virtual XrdCryptoX509Req * X509Req(XrdSutBucket *bck)
virtual XrdCryptoX509SignProxyReq_t X509SignProxyReq()
virtual XrdCryptoX509ExportChain_t X509ExportChain()
virtual int Update(const char *b, int l)
virtual int Reset(const char *dgst)
virtual int ExportPrivate(char *out, int lout)
virtual int EncryptPrivate(const char *in, int lin, char *out, int lout)
virtual int GetOutlen(int lin)
virtual int ImportPrivate(const char *in, int lin)
virtual int DecryptPublic(const char *in, int lin, char *out, int lout)
virtual int ExportPublic(char *out, int lout)
bool CheckCA(bool checkselfsigned=1)
virtual int CheckValidity(bool outatfirst=1, int when=0)
XrdCryptoX509 * End() const
void Cleanup(bool keepCA=0)
void Remove(XrdCryptoX509 *c)
void SetStatusCA(ECAStatus st)
void PushBack(XrdCryptoX509 *c)
const char * X509ChainError(EX509ChainErr e)
XrdCryptoX509 * EffCA() const
const char * LastError() const
void PutInFront(XrdCryptoX509 *c)
virtual const char * IssuerHash(int)
virtual bool IsExpired(int when=0)
virtual bool Verify(XrdCryptoX509 *ref)
virtual XrdSutBucket * Export()
virtual const char * Subject()
const char * Type(EX509Type t=kUnknown) const
virtual bool MatchesSAN(const char *fqdn, bool &hasSAN)=0
virtual XrdCryptoRSA * PKI()
virtual const char * SubjectHash(int)
virtual time_t NotBefore()
virtual const char * IssuerHash(int)
virtual XrdSutBucket * Export()
static bool MatchHostnames(const char *match_pattern, const char *fqdn)
virtual bool IsValid(int when=0)
virtual time_t NotAfter()
bool Verify(EX509ChainErr &e, x509ChainVerifyOpt_t *vopt=0)
static const int noPort
Do not add port number.
static bool isHostName(const char *name)
int Format(char *bAddr, int bLen, fmtUse fmtType=fmtAuto, int fmtOpts=0)
@ fmtName
Hostname if it is resolvable, otherwise use fmtAddr.
const char * Name(const char *eName=0, const char **eText=0)
const char * Set(const char *hSpec, int pNum=PortInSpec)
char * Get(const char *varname)
const char * getErrText()
int setErrInfo(int code, const char *emsg)
virtual int dn2user(const char *dn, char *user, int ulen, time_t now=0)
void insert(const int i, int start=-1)
const char * c_str() const
void assign(const char *s, int j, int k=-1)
int erasefromstart(int sz=0)
int erase(int start=0, int size=0)
int matches(const char *s, char wch='*')
int replace(const char *s1, const char *s2, int from=0, int to=-1)
int find(const char c, int start=0, bool forward=1)
int form(const char *fmt,...)
int tokenize(XrdOucString &tok, int from, char del=':')
char * GetToken(char **rest=0, int lowcase=0)
bool Add(XrdSecAttr &attr)
char * vorg
Entity's virtual organization(s)
int credslen
Length of the 'creds' data.
XrdNetAddrInfo * addrInfo
Entity's connection details.
XrdSecEntityAttr * eaAPI
non-const API to attributes
const char * tident
Trace identifier always preset.
char prot[XrdSecPROTOIDSIZE]
Auth protocol used (e.g. krb5)
char * caps
Entity's capabilities.
char * creds
Raw entity credentials or cert.
char * grps
Entity's group name(s)
char * name
Entity's name.
char * role
Entity's role(s)
char * endorsements
Protocol specific endorsements.
char * moninfo
Information for monitoring.
char * host
Entity's host name dnr dependent.
static XrdOucTrace * EnableTracing()
int Authenticate(XrdSecCredentials *cred, XrdSecParameters **parms, XrdOucErrInfo *einfo=0)
int Verify(const char *inbuf, int inlen, const char *sigbuf, int siglen)
XrdSecProtocolgsi(int opts, const char *hname, XrdNetAddrInfo &endPoint, const char *parms=0)
int Decrypt(const char *inbuf, int inlen, XrdSecBuffer **outbuf)
int Encrypt(const char *inbuf, int inlen, XrdSecBuffer **outbuf)
void Delete()
Delete the protocol object. DO NOT use C++ delete() on this object.
static char * Init(gsiOptions o, XrdOucErrInfo *erp)
XrdSecCredentials * getCredentials(XrdSecParameters *parm=0, XrdOucErrInfo *einfo=0)
int getKey(char *kbuf=0, int klen=0)
int Sign(const char *inbuf, int inlen, XrdSecBuffer **outbuf)
int setKey(char *kbuf, int klen)
int SetBuf(const char *nb=0, int ns=0)
void ToString(XrdOucString &s)
void Update(char *nb=0, int ns=0, int ty=0)
int AddBucket(char *bp=0, int sz=0, int ty=0)
int UpdateBucket(const char *bp, int sz, int ty)
int Serialized(char **buffer, char opt='n')
const char * GetOptions() const
void Dump(const char *stepstr=0, bool all=false)
XrdSutBucket * GetBucket(kXR_int32 type, const char *tag=0)
kXR_int32 MarshalBucket(kXR_int32 type, kXR_int32 code)
const char * GetProtocol() const
void Deactivate(kXR_int32 type)
kXR_int32 UnmarshalBucket(kXR_int32 type, kXR_int32 &code)
void UnLock(bool reset=true)
void ReadLock(XrdSysRWLock *lock=0)
void Set(XrdSysRWLock *lock)
XrdSutCacheEntry * Get(const char *tag)
void SetBuf(const char *b=0, kXR_int32 l=0)
static int GetRndmTag(XrdOucString &rtag)
XrdSysLogger * logger(XrdSysLogger *lp=0)
void Dump(XrdSecProtocolgsi *p=0)
void Print(XrdOucTrace *t)
Generic structure to pass security information back and forth.
char * buffer
Pointer to the buffer.
int size
Size of the buffer or length of data in the buffer.