Ejemplo n.º 1
// Resumes the handshake state machine at whatever step m_state names and keeps
// dispatching to the matching authenticate_server_* handler for as long as a
// handler answers Continue.
//
// errstack and non_blocking are handed through unchanged to each handler.
// Returns the final CondorAuthX509Retval converted to int.
//
// An m_state value with no handler ends the loop with Fail, so an unexpected
// state rejects the authentication rather than skipping a step.
int Condor_Auth_X509::authenticate_continue(CondorError* errstack, bool non_blocking)
{
	// A negative value (the default is -1) means "leave the socket timeout alone".
	const int handshake_timeout = param_integer("GSI_AUTHENTICATION_TIMEOUT",-1);
	const bool timeout_overridden = (handshake_timeout >= 0);

	int saved_timeout = 0;
	if (timeout_overridden) {
		// timeout() hands back the previous setting; keep it for the restore below.
		saved_timeout = mySock_->timeout(handshake_timeout);
	}

	CondorAuthX509Retval outcome = Continue;
	do {
		// m_state is re-read on every pass; presumably the handlers advance it
		// (not visible here) -- confirm against their definitions.
		if (m_state == GetClientPre) {
			outcome = authenticate_server_pre(errstack, non_blocking);
		} else if (m_state == GSSAuth) {
			outcome = authenticate_server_gss(errstack, non_blocking);
		} else if (m_state == GetClientPost) {
			outcome = authenticate_server_gss_post(errstack, non_blocking);
		} else {
			outcome = Fail;
		}
	} while (outcome == Continue);

	// Single exit from the loop, so the caller's timeout is restored on every
	// outcome (success, failure, or a handler that asked to be resumed later).
	if (timeout_overridden) {
		mySock_->timeout(saved_timeout);
	}

	return static_cast<int>(outcome);
}
Ejemplo n.º 2
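// Blocking GSI/X.509 authentication over mySock_.
//
// Step 1: acquire local credentials with authenticate_self_gss().
// Step 2: exchange a one-int go/no-go status with the peer (client sends
//         first, server answers) so both sides learn whether the other has
//         credentials before the GSS exchange starts.
// Step 3: run authenticate_client_gss() or authenticate_server_gss() under the
//         optional GSI_AUTHENTICATION_TIMEOUT.
//
// remoteHost is unused. Failures detected here are recorded on errstack.
// Returns 0 when either side could not acquire credentials, otherwise the
// result of the GSS step.
//
// The status int is read from a peer that has not been authenticated yet; it
// is used only as a go/no-go flag. `reply` starts at 0, so a receive that
// fails takes the "peer failed" path (assuming code() leaves its argument
// untouched on failure -- confirm) and the handshake is rejected.
int Condor_Auth_X509 :: authenticate(const char * /* remoteHost */, CondorError* errstack)
{
	int status = 1;
	int reply = 0;

	//don't just return TRUE if isAuthenticated() == TRUE, since
	//we should BALANCE calls of Authenticate() on client/server side
	//just like end_of_message() calls must balance!

	if ( !authenticate_self_gss(errstack) ) {
		dprintf( D_SECURITY, "authenticate: user creds not established\n" );
		status = 0;
		// If I failed, notify the other side.
		if (mySock_->isClient()) {
			// Tell the other side, abort
			mySock_->encode();
			if (!mySock_->code(status)) {
				// Logged rather than silently dropped: a broken connection here
				// should be distinguishable from a credential problem.
				dprintf( D_SECURITY, "authenticate: failed to send abort status to the server\n" );
			}
			mySock_->end_of_message();
		}
		else {
			// I am server, first wait for the other side
			mySock_->decode();
			if (!mySock_->code(reply)) {
				dprintf( D_SECURITY, "authenticate: failed to read status from the client\n" );
			}
			mySock_->end_of_message();

			if (reply == 1) {
				// The other side was okay, tell them the bad news
				mySock_->encode();
				if (!mySock_->code(status)) {
					dprintf( D_SECURITY, "authenticate: failed to send abort status to the client\n" );
				}
				mySock_->end_of_message();
			}
		}
	}
	else {
		// wait to see if the other side is okay
		if (mySock_->isClient()) {
			// Tell the other side, that I am fine, then wait for answer
			mySock_->encode();
			if (!mySock_->code(status)) {
				dprintf( D_SECURITY, "authenticate: failed to send status to the server\n" );
			}
			mySock_->end_of_message();

			mySock_->decode();
			if (!mySock_->code(reply)) {
				dprintf( D_SECURITY, "authenticate: failed to read status from the server\n" );
			}
			mySock_->end_of_message();
			if (reply == 0) {   // The other side failed, abort
				errstack->push("GSI", GSI_ERR_REMOTE_SIDE_FAILED,
						"Failed to authenticate because the remote (server) "
						"side was not able to acquire its credentials.");

				return 0;
			}
		}
		else {
			// I am server, first wait for the other side
			mySock_->decode();
			if (!mySock_->code(reply)) {
				dprintf( D_SECURITY, "authenticate: failed to read status from the client\n" );
			}
			mySock_->end_of_message();

			if (reply) {
				mySock_->encode();
				if (!mySock_->code(status)) {
					dprintf( D_SECURITY, "authenticate: failed to send status to the client\n" );
				}
				mySock_->end_of_message();
			}
			else {
				errstack->push("GSI", GSI_ERR_REMOTE_SIDE_FAILED,
						"Failed to authenticate because the remote (client) "
						"side was not able to acquire its credentials.");
				return 0;  // The other side failed, abort
			}
		}

		// Both early returns above happen before the timeout is changed, so
		// the override below is always paired with its restore.
		int gsi_auth_timeout = param_integer("GSI_AUTHENTICATION_TIMEOUT",-1);
		int old_timeout=0;
		if (gsi_auth_timeout>=0) {
			old_timeout = mySock_->timeout(gsi_auth_timeout);
		}

		// Kept as a switch: only a value of exactly 1 selects the client
		// path, anything else runs the server side.
		switch ( mySock_->isClient() ) {
		case 1:
			status = authenticate_client_gss(errstack);
			break;
		default:
			status = authenticate_server_gss(errstack);
			break;
		}

		if (gsi_auth_timeout>=0) {
			mySock_->timeout(old_timeout); //put it back to what it was before
		}
	}

	return( status );
}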
Ejemplo n.º 3
// GSI/X.509 authentication over mySock_, with an optionally non-blocking
// server side.
//
// remoteHost is unused. errstack receives the error recorded here when the
// peer reports that it has no credentials. non_blocking is forwarded to the
// authenticate_server_* steps; the client path and the credential-failure
// notification below do not consult it.
//
// Returns 0 when local credentials are missing or the server reported failure;
// Fail or WouldBlock (as int) straight from authenticate_server_pre(); the
// result of authenticate_client_gss() on the client; otherwise the
// CondorAuthX509Retval of the server GSS steps as int.
//
// The go/no-go int is read from a peer that has not been authenticated yet.
// peer_status starts at 0, so a receive that fails is treated like "peer
// failed" (assuming code() leaves its argument untouched on failure -- confirm).
int Condor_Auth_X509 :: authenticate(const char * /* remoteHost */, CondorError* errstack, bool non_blocking)
{
	int my_status = 1;
	int peer_status = 0;
	token_status = 0;
	m_state = GetClientPre;

	// Do not short-circuit when already authenticated: calls to this function
	// have to stay balanced between client and server, in the same way that
	// end_of_message() calls must balance.

	if ( !authenticate_self_gss(errstack) ) {
		dprintf( D_SECURITY, "authenticate: user creds not established\n" );
		my_status = 0;

		// No local credentials: let the peer know so it does not wait on us.
		if (!mySock_->isClient()) {
			// Server: the client speaks first, so read its status before answering.
			mySock_->decode();
			if (!mySock_->code(peer_status)) {
				dprintf( D_SECURITY, "authenticate: the client side hung up on us.\n" );
			}
			mySock_->end_of_message();

			// Only a client that reported success is waiting for our answer.
			if (peer_status == 1) {
				mySock_->encode();
				if (!mySock_->code(my_status)) {
					dprintf(D_SECURITY,"authenticate: the client hung up before authenticatiation\n");
				}
				mySock_->end_of_message();
			}
		}
		else {
			// Client: send the abort status.
			mySock_->encode();
			if (!mySock_->code(my_status)) {
				dprintf( D_SECURITY, "authenticate: and the remote side hung up on us.\n" );
			}
			mySock_->end_of_message();
		}

		return( my_status );
	}

	// Local credentials are in place; find out whether the peer is ready too.
	if (!mySock_->isClient()) {
		m_state = GetClientPre;
		const CondorAuthX509Retval pre_result = authenticate_server_pre(errstack, non_blocking);
		switch (pre_result) {
		case Fail:
		case WouldBlock:
			// Leaves before the socket timeout is touched, so there is nothing to restore.
			return static_cast<int>(pre_result);
		default:
			break;
		}
	}
	else {
		// Client: report that we are fine, then wait for the server's verdict.
		mySock_->encode();
		if (!mySock_->code(my_status)) {
			dprintf(D_SECURITY, "authenticate: the service hung up before authentication\n");
		}
		mySock_->end_of_message();

		mySock_->decode();
		if (!mySock_->code(peer_status)) {
			dprintf(D_SECURITY, "authenticate: the service hung up before authentication reply could be sent\n");
		}
		mySock_->end_of_message();

		if (peer_status == 0) {
			// The server could not proceed (or its reply never arrived): abort.
			errstack->push("GSI", GSI_ERR_REMOTE_SIDE_FAILED,
					"Failed to authenticate because the remote (server) "
					"side was not able to acquire its credentials.");
			return 0;
		}
	}

	// A negative value (the default is -1) means "leave the socket timeout alone".
	const int handshake_timeout = param_integer("GSI_AUTHENTICATION_TIMEOUT",-1);
	const bool timeout_overridden = (handshake_timeout >= 0);
	int saved_timeout = 0;
	if (timeout_overridden) {
		saved_timeout = mySock_->timeout(handshake_timeout);
	}

	if ( !mySock_->isClient() ) {
		CondorAuthX509Retval gss_result = authenticate_server_gss(errstack, non_blocking);
		if ( gss_result == Continue ) {
			gss_result = authenticate_server_gss_post( errstack, non_blocking );
		}
		my_status = static_cast<int>( gss_result );
	} else {
		my_status = authenticate_client_gss(errstack);
	}

	// Restored on every path that reaches the GSS step, whatever it returned.
	if (timeout_overridden) {
		mySock_->timeout(saved_timeout);
	}

	return( my_status );
}