/**
* Passes back the mech set of available mechs.
* We only have one for now.
*
* @param minor_status
* @param mech_set
*
* @return
*/
OM_uint32
GSS_CALLCONV gss_indicate_mechs(
OM_uint32 * minor_status,
gss_OID_set * mech_set)
{
OM_uint32 major_status = GSS_S_COMPLETE;
OM_uint32 local_minor_status;
gss_OID_set_desc * set;
static char * _function_name_ =
"gss_indicate_mechs";
GLOBUS_I_GSI_GSSAPI_DEBUG_ENTER;
if (minor_status == NULL || mech_set == NULL)
{
major_status = GSS_S_FAILURE;
if (minor_status != NULL)
{
GLOBUS_GSI_GSSAPI_OPENSSL_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid parameter")));
}
goto exit;
}
*minor_status = (OM_uint32) GLOBUS_SUCCESS;
major_status = gss_create_empty_oid_set(&local_minor_status,
&set);
if (GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_MECH);
goto exit;
}
major_status = gss_add_oid_set_member(
&local_minor_status,
(const gss_OID) gss_mech_globus_gssapi_openssl,
&set);
if (GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_OID);
gss_release_oid_set(&local_minor_status, &set);
goto exit;
}
*mech_set = set;
exit:
GLOBUS_I_GSI_GSSAPI_DEBUG_EXIT;
return major_status;
}
/**
* @brief Seal
* @ingroup globus_gsi_gssapi
* @details
* Obsolete variant of gss_wrap for V1 compatibility
*
* @param minor_status
* @param context_handle
* @param conf_req_flag
* @param qop_req
* @param input_message_buffer
* @param conf_state
* @param output_message_buffer
*
* @return
*/
OM_uint32
GSS_CALLCONV gss_seal(
OM_uint32 * minor_status,
gss_ctx_id_t context_handle,
int conf_req_flag,
int qop_req,
gss_buffer_t input_message_buffer,
int * conf_state,
gss_buffer_t output_message_buffer)
{
OM_uint32 major_status = GSS_S_COMPLETE;
OM_uint32 local_minor_status;
static char * _function_name_ =
"gss_seal";
GLOBUS_I_GSI_GSSAPI_DEBUG_ENTER;
major_status = gss_wrap(&local_minor_status,
context_handle,
conf_req_flag,
qop_req,
input_message_buffer,
conf_state,
output_message_buffer);
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_ENCRYPTING_MESSAGE);
}
GLOBUS_I_GSI_GSSAPI_DEBUG_EXIT;
return major_status;
}
/**
* @brief Free a Buffer Set
* @ingroup globus_gsi_gssapi_buffer_set
* @details
* This function will free all memory associated with a buffer
* set. Note that it will also free all memory associated with the
* buffers int the buffer set.
*
* @param minor_status
* The minor status returned by this function. This parameter
* will be 0 upon success.
* @param buffer_set
* Pointer to a buffer set structure. This pointer will point
* at a NULL value upon return.
*
* @retval GSS_S_COMPLETE Success
* @retval GSS_S_FAILURE Failure
*
* @see gss_create_empty_buffer_set
* @see gss_add_buffer_set_member
*/
OM_uint32
GSS_CALLCONV gss_release_buffer_set(
OM_uint32 * minor_status,
gss_buffer_set_t * buffer_set)
{
OM_uint32 major_status = GSS_S_COMPLETE;
OM_uint32 local_minor_status;
int index;
static char * _function_name_ =
"gss_release_buffer_set";
GLOBUS_I_GSI_GSSAPI_DEBUG_ENTER;
*minor_status = GLOBUS_SUCCESS;
if (buffer_set == NULL || *buffer_set == GSS_C_NO_BUFFER_SET)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("NULL parameters passed to function: %s"),
_function_name_));
major_status = GSS_S_FAILURE;
goto exit;
}
for(index = 0; index < (*buffer_set)->count; index++)
{
major_status = gss_release_buffer(&local_minor_status,
&(*buffer_set)->elements[index]);
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_BUFFER);
major_status = GSS_S_FAILURE;
goto exit;
}
}
free((*buffer_set)->elements);
free(*buffer_set);
*buffer_set = NULL;
exit:
GLOBUS_I_GSI_GSSAPI_DEBUG_EXIT;
return major_status;
}
/**
* @brief Set Security Context Option
* @ingroup globus_gsi_gssapi_extensions
* @details
* GSSAPI routine to initiate the sending of a security context
* See: <draft-ietf-cat-gssv2-cbind-04.txt>
*
* @param minor_status
* @param context_handle
* @param option
* @param value
*
* @return
*/
OM_uint32
GSS_CALLCONV gss_set_sec_context_option(
OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
const gss_OID option,
const gss_buffer_t value)
{
gss_ctx_id_desc * context = NULL;
OM_uint32 major_status = GSS_S_COMPLETE;
OM_uint32 local_minor_status;
globus_result_t local_result = GLOBUS_SUCCESS;
int index;
GLOBUS_I_GSI_GSSAPI_DEBUG_ENTER;
if(minor_status == NULL)
{
major_status = GSS_S_FAILURE;
goto exit;
}
*minor_status = (OM_uint32) GLOBUS_SUCCESS;
if(context_handle == NULL)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid context_handle passed to function - cannot be NULL")));
major_status = GSS_S_FAILURE;
goto exit;
}
context = *context_handle;
if(option == GSS_C_NO_OID)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid option passed to function with value: GSS_C_NO_OID")));
major_status = GSS_S_FAILURE;
goto exit;
}
if (*context_handle == GSS_C_NO_CONTEXT)
{
/* for now just malloc and zero the context */
context = (gss_ctx_id_desc *) malloc(sizeof(gss_ctx_id_desc));
if (context == NULL)
{
GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
major_status = GSS_S_FAILURE;
goto exit;
}
*context_handle = context;
memset(context, 0, sizeof(gss_ctx_id_desc));
context->ctx_flags = 0;
major_status = gss_create_empty_oid_set(
&local_minor_status,
(gss_OID_set *) &context->extension_oids);
/* initialize the callback_data in the context. This needs
* to be done so the verify_callback func can be set later.
*/
local_result = globus_gsi_callback_data_init(
&context->callback_data);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSS_CONTEXT,
(_GGSL("The callback data in the context "
"could not be initialized.")));
major_status = GSS_S_FAILURE;
goto exit;
}
}
else if(context->ctx_flags & GSS_I_CTX_INITIALIZED)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSS_CONTEXT,
(_GGSL("The context has already been initialized! %s should be "
"called on a context before initialization"), __func__));
major_status = GSS_S_FAILURE;
goto exit;
}
if(g_OID_equal(option, GSS_DISALLOW_ENCRYPTION))
{
context->ctx_flags |= GSS_I_DISALLOW_ENCRYPTION;
}
else if(g_OID_equal(option, GSS_PROTECTION_FAIL_ON_CONTEXT_EXPIRATION))
{
context->ctx_flags |= GSS_I_PROTECTION_FAIL_ON_CONTEXT_EXPIRATION;
}
else if(g_OID_equal(option, GSS_APPLICATION_WILL_HANDLE_EXTENSIONS))
{
if(value == GSS_C_NO_BUFFER)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid buffer passed to function")));
major_status = GSS_S_FAILURE;
goto exit;
}
for(index = 0;
index < ((gss_OID_set_desc *) value->value)->count;
index++)
{
major_status = gss_add_oid_set_member(
&local_minor_status,
(gss_OID)
&((gss_OID_set_desc *) value->value)->elements[index],
(gss_OID_set *) &context->extension_oids);
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_OID);
goto exit;
}
}
local_result = globus_gsi_callback_set_extension_cb(
context->callback_data,
globus_i_gsi_gss_verify_extensions_callback);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_CALLBACK_DATA);
major_status = GSS_S_FAILURE;
goto exit;
}
/* if the extension_oids are set,
* then we set them in the callback data */
local_result = globus_gsi_callback_set_extension_oids(
context->callback_data,
(void *) context->extension_oids);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_CALLBACK_DATA);
major_status = GSS_S_FAILURE;
goto exit;
}
context->ctx_flags |= GSS_I_APPLICATION_WILL_HANDLE_EXTENSIONS;
}
else
{
/* unknown option */
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_UNKNOWN_OPTION,
(NULL));
major_status = GSS_S_FAILURE;
goto exit;
}
*context_handle = context;
exit:
GLOBUS_I_GSI_GSSAPI_DEBUG_EXIT;
return major_status;
}
/**
* @brief Init Sec Context
* @ingroup globus_gsi_gssapi
*/
OM_uint32
GSS_CALLCONV gss_init_sec_context(
OM_uint32 * minor_status,
const gss_cred_id_t initiator_cred_handle,
gss_ctx_id_t * context_handle_P,
const gss_name_t target_name,
const gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
const gss_channel_bindings_t input_chan_bindings,
const gss_buffer_t input_token,
gss_OID * actual_mech_type,
gss_buffer_t output_token,
OM_uint32 * ret_flags,
OM_uint32 * time_rec)
{
gss_ctx_id_desc * context = NULL;
OM_uint32 major_status = GSS_S_COMPLETE;
OM_uint32 local_minor_status;
OM_uint32 local_major_status;
globus_result_t local_result;
int rc;
char cbuf[1];
globus_gsi_cert_utils_cert_type_t cert_type;
GLOBUS_I_GSI_GSSAPI_DEBUG_ENTER;
*minor_status = (OM_uint32) GLOBUS_SUCCESS;
output_token->length = 0;
context = *context_handle_P;
/* module activation if not already done by calling
* globus_module_activate
*/
globus_thread_once(
&once_control,
globus_l_gsi_gssapi_activate_once);
globus_mutex_lock(&globus_i_gssapi_activate_mutex);
if (!globus_i_gssapi_active)
{
globus_module_activate(GLOBUS_GSI_GSSAPI_MODULE);
}
globus_mutex_unlock(&globus_i_gssapi_activate_mutex);
if(req_flags & GSS_C_ANON_FLAG &&
req_flags & GSS_C_DELEG_FLAG)
{
major_status = GSS_S_FAILURE;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Can't initialize a context to be both anonymous and "
"provide delegation")));
goto error_exit;
}
if(req_flags & GSS_C_GLOBUS_SSL_COMPATIBLE &&
req_flags & GSS_C_DELEG_FLAG)
{
major_status = GSS_S_FAILURE;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Can't initialize a context to both use SSL compatible "
"context establishment and provide delegation")));
goto error_exit;
}
if(req_flags & GSS_C_DELEG_FLAG &&
target_name == GSS_C_NO_NAME)
{
major_status = GSS_S_FAILURE;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Need a target name for authorization prior "
"to doing delegation")));
goto error_exit;
}
if ((context == (gss_ctx_id_t) GSS_C_NO_CONTEXT) ||
!(context->ctx_flags & GSS_I_CTX_INITIALIZED))
{
GLOBUS_I_GSI_GSSAPI_DEBUG_FPRINTF(
2, (globus_i_gsi_gssapi_debug_fstream,
"Creating context w/ %s.\n",
(initiator_cred_handle == GSS_C_NO_CREDENTIAL) ?
"GSS_C_NO_CREDENTIAL" :
"Credentials provided"));
major_status =
globus_i_gsi_gss_create_and_fill_context(&local_minor_status,
&context,
initiator_cred_handle,
GSS_C_INITIATE,
req_flags);
if (GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSS_CONTEXT);
goto error_exit;
}
*context_handle_P = context;
if (actual_mech_type != NULL)
{
*actual_mech_type = (gss_OID) gss_mech_globus_gssapi_openssl;
}
if (ret_flags != NULL)
{
*ret_flags = 0 ;
}
}
else
{
/* first time there is no input token, but after that
* there will always be one
*/
major_status = globus_i_gsi_gss_put_token(&local_minor_status,
context,
NULL,
input_token);
if (GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_TOKEN_FAIL);
goto error_exit;
}
}
switch (context->gss_state)
{
case(GSS_CON_ST_HANDSHAKE):
/* do the handshake work */
major_status = globus_i_gsi_gss_handshake(&local_minor_status,
context);
if (major_status == GSS_S_CONTINUE_NEEDED)
{
break;
}
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_HANDSHAKE);
context->gss_state = GSS_CON_ST_DONE;
break;
}
/* make sure we are talking to the correct server */
major_status = globus_i_gsi_gss_retrieve_peer(&local_minor_status,
context,
GSS_C_INITIATE);
if (GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSS_CONTEXT);
context->gss_state = GSS_CON_ST_DONE;
break;
}
local_result = globus_gsi_callback_get_cert_type(
context->callback_data,
&cert_type);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_CALLBACK_DATA);
major_status = GSS_S_FAILURE;
goto error_exit;
}
/*
* Need to check if the server is using a limited proxy.
* And if that is acceptable here.
* Caller tells us if it is not acceptable to
* use a limited proxy.
*/
if ((context->req_flags &
GSS_C_GLOBUS_DONT_ACCEPT_LIMITED_PROXY_FLAG)
&& GLOBUS_GSI_CERT_UTILS_IS_LIMITED_PROXY(cert_type))
{
major_status = GSS_S_UNAUTHORIZED;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_PROXY_VIOLATION,
(_GGSL("Function set to not accept limited proxies")));
context->gss_state = GSS_CON_ST_DONE;
break;
}
/* this is the mutual authentication test */
if (target_name != NULL)
{
major_status =
gss_compare_name(&local_minor_status,
context->peer_cred_handle->globusid,
target_name,
&rc);
if (GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_NAME);
context->gss_state = GSS_CON_ST_DONE;
break;
}
else if(rc == GSS_NAMES_NOT_EQUAL)
{
char * expected_name;
char * actual_name;
if(g_OID_equal(((gss_name_desc*) target_name)->name_oid,
GSS_C_NT_HOSTBASED_SERVICE))
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_AUTHZ_DENIED,
(_GGSL("The expected name for the remote host (%s%s%s) does not match the authenticated "
"name of the remote host (%s%s%s). This happens when the name in the host certificate does not match the information obtained from DNS and is often a DNS configuration problem."),
target_name->service_name
? target_name->service_name : "",
target_name->service_name
? "@" : "",
target_name->host_name
? target_name->host_name : "unknown",
context->peer_cred_handle->globusid->service_name
? context->peer_cred_handle->globusid->service_name
: "",
context->peer_cred_handle->globusid->service_name
? "@" : "",
context->peer_cred_handle->globusid->host_name
? context->peer_cred_handle->globusid->host_name
: "unknown"));
}
else
{
expected_name =
((gss_name_desc*) target_name)->x509n_oneline;
actual_name =
((gss_name_desc*)
context->peer_cred_handle->globusid)->x509n_oneline;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_AUTHZ_DENIED,
(_GGSL("The name of the remote entity (%s), and the expected "
"name for the remote entity (%s) do not match"),
actual_name, expected_name));
}
major_status = GSS_S_UNAUTHORIZED;
context->gss_state = GSS_CON_ST_DONE;
break;
}
}
context->ret_flags |= GSS_C_MUTUAL_FLAG;
context->ret_flags |= GSS_C_PROT_READY_FLAG;
context->ret_flags |= GSS_C_INTEG_FLAG
| GSS_C_REPLAY_FLAG
| GSS_C_SEQUENCE_FLAG
| GSS_C_ANON_FLAG
| GSS_C_DELEG_FLAG;
if (GLOBUS_GSI_CERT_UTILS_IS_LIMITED_PROXY(cert_type))
{
context->ret_flags |= GSS_C_GLOBUS_RECEIVED_LIMITED_PROXY_FLAG;
}
# if LINK_WITH_INTERNAL_OPENSSL_API
context->ret_flags |= GSS_C_TRANS_FLAG;
# endif
/*
* IF we are talking to a real SSL server,
* we don't want to do delegation, so we are done
*/
if (context->req_flags & GSS_C_GLOBUS_SSL_COMPATIBLE)
{
context->gss_state = GSS_CON_ST_DONE;
break;
}
/*
* If we have completed the handshake, but don't
* have any more data to send, we can send the flag
* now. i.e. fall through without break,
* Otherwise, we will wait for the null byte
* to get back in sync which we will ignore
*/
if (output_token->length != 0)
{
context->gss_state=GSS_CON_ST_FLAGS;
break;
}
case(GSS_CON_ST_FLAGS):
if (input_token->length > 0)
{
BIO_read(context->gss_sslbio, cbuf, 1);
}
/* send D if we want delegation, 0 otherwise */
if (context->req_flags & GSS_C_DELEG_FLAG)
{
BIO_write(context->gss_sslbio, "D", 1);
context->gss_state = GSS_CON_ST_REQ;
}
else
{
BIO_write(context->gss_sslbio, "0", 1);
context->gss_state = GSS_CON_ST_DONE;
}
break;
case(GSS_CON_ST_REQ):
local_result = globus_gsi_proxy_inquire_req(
context->proxy_handle,
context->gss_sslbio);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_PROXY_NOT_RECEIVED);
major_status = GSS_S_FAILURE;
context->gss_state = GSS_CON_ST_DONE;
goto error_exit;
}
local_result = globus_gsi_cred_get_cert_type(
context->cred_handle->cred_handle,
&cert_type);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_CREDENTIAL);
major_status = GSS_S_FAILURE;
context->gss_state = GSS_CON_ST_DONE;
goto error_exit;
}
local_result =
globus_gsi_proxy_handle_set_type(
context->proxy_handle,
(context->req_flags & GSS_C_GLOBUS_DELEGATE_LIMITED_PROXY_FLAG)
? GLOBUS_GSI_CERT_UTILS_TYPE_LIMITED_PROXY
: GLOBUS_GSI_CERT_UTILS_TYPE_IMPERSONATION_PROXY);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_PROXY);
major_status = GSS_S_FAILURE;
context->gss_state = GSS_CON_ST_DONE;
goto exit;
}
local_result = globus_gsi_proxy_sign_req(
context->proxy_handle,
context->cred_handle->cred_handle,
context->gss_sslbio);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_PROXY);
major_status = GSS_S_FAILURE;
context->gss_state = GSS_CON_ST_DONE;
goto error_exit;
}
context->gss_state = GSS_CON_ST_DONE;
break;
case(GSS_CON_ST_CERT): ;
case(GSS_CON_ST_DONE): ;
} /* end of switch for gss_con_st */
local_major_status = globus_i_gsi_gss_get_token(&local_minor_status,
context,
NULL,
output_token);
if(GSS_ERROR(local_major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_TOKEN_FAIL);
major_status = GSS_S_FAILURE;
context->gss_state = GSS_CON_ST_DONE;
goto error_exit;
}
/* some error occurred during switch */
if(GSS_ERROR(major_status))
{
goto error_exit;
}
if (context->gss_state != GSS_CON_ST_DONE)
{
major_status |= GSS_S_CONTINUE_NEEDED;
}
else if(time_rec != NULL)
{
time_t lifetime;
time_t current_time;
major_status = globus_i_gsi_gss_get_context_goodtill(
&local_minor_status,
context,
&lifetime);
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSS_CONTEXT);
goto exit;
}
current_time = time(NULL);
if(current_time > lifetime)
{
*time_rec = 0;
}
else
{
*time_rec = (OM_uint32) (lifetime - current_time);
}
}
if (ret_flags != NULL)
{
*ret_flags = context->ret_flags;
}
GLOBUS_I_GSI_GSSAPI_DEBUG_FPRINTF(
2, (globus_i_gsi_gssapi_debug_fstream,
"init_sec_context:major_status:%08x"
":gss_state:%d req_flags=%08x:ret_flags=%08x\n",
(unsigned int) major_status,
context->gss_state,
(unsigned int) req_flags,
(unsigned int) context->ret_flags));
goto exit;
error_exit:
gss_delete_sec_context(&local_minor_status,
(gss_ctx_id_t *) &context,
output_token);
*context_handle_P = (gss_ctx_id_t) context;
exit:
GLOBUS_I_GSI_GSSAPI_DEBUG_EXIT;
return major_status;
}
/**
* @brief Initiate Delegation
* @ingroup globus_gsi_gssapi_extensions_delegation
* @details
* This functions drives the initiating side of the credential
* delegation process. It is expected to be called in tandem with the
* gss_accept_delegation function.
*
* @param minor_status
* The minor status returned by this function. This parameter
* will be 0 upon success.
* @param context_handle
* The security context over which the credential is
* delegated.
* @param cred_handle
* The credential to be delegated. May be GSS_C_NO_CREDENTIAL
* in which case the credential associated with the security
* context is used.
* @param desired_mech
* The desired security mechanism. Currently not used. May be
* GSS_C_NO_OID.
* @param extension_oids
* A set of extension OIDs corresponding to buffers in the
* extension_buffers parameter below. The extensions specified
* will be added to the delegated credential. May be
* GSS_C_NO_BUFFER_SET.
* @param extension_buffers
* A set of extension buffers corresponding to OIDs in the
* extension_oids parameter above. May be
* GSS_C_NO_BUFFER_SET.
* @param input_token
* The token that was produced by a prior call to
* gss_accept_delegation. This parameter will be ignored the
* first time this function is called.
* @param req_flags
* Flags that modify the behavior of the function. Currently
* only GSS_C_GLOBUS_SSL_COMPATIBLE and
* GSS_C_GLOBUS_LIMITED_DELEG_PROXY_FLAG are checked for. The
* GSS_C_GLOBUS_SSL_COMPATIBLE flag results in tokens that
* aren't wrapped and GSS_C_GLOBUS_LIMITED_DELEG_PROXY_FLAG
* causes the delegated proxy to be limited (requires that no
* extensions are specified.
*
* @param time_req
* The requested period of validity (seconds) of the delegated
* credential. Passing a time_req of 0 cause the delegated credential to
* have the same lifetime as the credential that issued it.
* @param output_token
* A token that should be passed to gss_accept_delegation if the
* return value is GSS_S_CONTINUE_NEEDED.
* @retval GSS_S_COMPLETE Success
* @retval GSS_S_CONTINUE_NEEDED This function needs to be called again.
* @retval GSS_S_FAILURE upon failure
*/
OM_uint32
GSS_CALLCONV gss_init_delegation(
OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gss_cred_id_t cred_handle,
const gss_OID desired_mech,
const gss_OID_set extension_oids,
const gss_buffer_set_t extension_buffers,
const gss_buffer_t input_token,
OM_uint32 req_flags,
OM_uint32 time_req,
gss_buffer_t output_token)
{
BIO * bio = NULL;
BIO * read_bio = NULL;
BIO * write_bio = NULL;
OM_uint32 major_status = GSS_S_COMPLETE;
OM_uint32 local_minor_status;
gss_ctx_id_desc * context;
gss_cred_id_desc * cred;
X509 * cert = NULL;
STACK_OF(X509) * cert_chain = NULL;
PROXYCERTINFO * pci;
globus_gsi_cert_utils_cert_type_t cert_type;
int index;
globus_result_t local_result = GLOBUS_SUCCESS;
static char * _function_name_ =
"init_delegation";
GLOBUS_I_GSI_GSSAPI_DEBUG_ENTER;
if(minor_status == NULL)
{
major_status = GSS_S_FAILURE;
goto exit;
}
*minor_status = (OM_uint32) GLOBUS_SUCCESS;
if(context_handle == GSS_C_NO_CONTEXT)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid context_handle passed to function")));
major_status = GSS_S_FAILURE;
goto exit;
}
context = (gss_ctx_id_desc *) context_handle;
cred = (gss_cred_id_desc *) cred_handle;
if (cred_handle == GSS_C_NO_CREDENTIAL)
{
cred = (gss_cred_id_desc *) context->cred_handle;
}
if(cred == GSS_C_NO_CREDENTIAL)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Couldn't initialize delegation credential handle")));
major_status = GSS_S_FAILURE;
goto exit;
}
if(desired_mech != GSS_C_NO_OID &&
desired_mech != (gss_OID) gss_mech_globus_gssapi_openssl)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid desired_mech passed to function")));
major_status = GSS_S_FAILURE;
goto exit;
}
if(extension_oids != GSS_C_NO_OID_SET &&
(extension_buffers == GSS_C_NO_BUFFER_SET ||
extension_oids->count != extension_buffers->count))
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid extension parameters passed to function")));
major_status = GSS_S_FAILURE;
goto exit;
}
if(output_token == GSS_C_NO_BUFFER)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid output_token passed to function")));
major_status = GSS_S_FAILURE;
goto exit;
}
output_token->length = 0;
if(req_flags & GSS_C_GLOBUS_SSL_COMPATIBLE)
{
bio = BIO_new(BIO_s_mem());
read_bio = bio;
write_bio = bio;
}
else
{
bio = context->gss_sslbio;
}
/* lock the context mutex */
globus_mutex_lock(&context->mutex);
/* pass the input to the BIO */
if(context->delegation_state != GSS_DELEGATION_START)
{
/*
* first time there is no input token, but after that
* there will always be one
*/
if(input_token == GSS_C_NO_BUFFER)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid input_token passed to function: "
"delegation is not at initial state")));
major_status = GSS_S_FAILURE;
goto mutex_unlock;
}
major_status =
globus_i_gsi_gss_put_token(&local_minor_status,
context,
read_bio,
input_token);
if (GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_TOKEN_FAIL);
goto mutex_unlock;
}
}
/* delegation state machine */
switch (context->delegation_state)
{
case GSS_DELEGATION_START:
/* start delegation by sending a "D" */
BIO_write(bio, "D", 1);
context->delegation_state = GSS_DELEGATION_SIGN_CERT;
break;
case GSS_DELEGATION_SIGN_CERT:
/* get the returned cert from the ssl BIO, make sure it is
* correct and then sign it and place it in the output_token
*/
local_result = globus_gsi_proxy_inquire_req(context->proxy_handle,
bio);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_PROXY);
major_status = GSS_S_FAILURE;
goto mutex_unlock;
}
local_result = globus_gsi_cred_get_cert_type(
context->cred_handle->cred_handle,
&cert_type);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_CREDENTIAL);
major_status = GSS_S_FAILURE;
context->delegation_state = GSS_DELEGATION_DONE;
goto mutex_unlock;
}
/* set the requested time */
if(time_req != 0)
{
if(time_req%60)
{
/* round up */
time_req += 60;
}
local_result = globus_gsi_proxy_handle_set_time_valid(
context->proxy_handle,
time_req/60);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_PROXY);
major_status = GSS_S_FAILURE;
context->delegation_state = GSS_DELEGATION_DONE;
goto mutex_unlock;
}
}
/* clear the proxycertinfo */
local_result =
globus_gsi_proxy_handle_clear_cert_info(context->proxy_handle);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_PROXY);
major_status = GSS_S_FAILURE;
context->delegation_state = GSS_DELEGATION_DONE;
goto mutex_unlock;
}
if(cert_type == GLOBUS_GSI_CERT_UTILS_TYPE_CA)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_CREDENTIAL);
major_status = GSS_S_FAILURE;
context->delegation_state = GSS_DELEGATION_DONE;
goto mutex_unlock;
}
local_result =
globus_gsi_proxy_handle_set_type(
context->proxy_handle,
(req_flags & GSS_C_GLOBUS_DELEGATE_LIMITED_PROXY_FLAG)
? GLOBUS_GSI_CERT_UTILS_TYPE_LIMITED_PROXY
: GLOBUS_GSI_CERT_UTILS_TYPE_IMPERSONATION_PROXY);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_PROXY);
major_status = GSS_S_FAILURE;
context->delegation_state = GSS_DELEGATION_DONE;
goto mutex_unlock;
}
/* set the proxycertinfo here */
if(extension_oids != GSS_C_NO_OID_SET)
{
if(GLOBUS_GSI_CERT_UTILS_IS_GSI_2_PROXY(cert_type))
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("A restricted globus proxy may not be created "
"from a legacy globus proxy")));
context->delegation_state = GSS_DELEGATION_DONE;
major_status = GSS_S_FAILURE;
goto mutex_unlock;
}
for(index = 0; index < extension_oids->count; index++)
{
if(g_OID_equal((gss_OID) &extension_oids->elements[index],
gss_proxycertinfo_extension))
{
pci = extension_buffers->elements[index].value;
local_result =
globus_gsi_proxy_handle_set_proxy_cert_info(
context->proxy_handle,
pci);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_PROXY);
major_status = GSS_S_FAILURE;
context->delegation_state = GSS_DELEGATION_DONE;
goto mutex_unlock;
}
}
}
}
local_result = globus_gsi_proxy_sign_req(
context->proxy_handle,
cred->cred_handle,
bio);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_PROXY);
major_status = GSS_S_FAILURE;
context->delegation_state = GSS_DELEGATION_DONE;
goto mutex_unlock;
}
local_result = globus_gsi_cred_get_cert(cred->cred_handle, &cert);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_CREDENTIAL);
major_status = GSS_S_FAILURE;
context->delegation_state = GSS_DELEGATION_DONE;
goto mutex_unlock;
}
/* push the cert used to sign the proxy */
i2d_X509_bio(bio, cert);
X509_free(cert);
/* push the number of certs in the cert chain */
local_result = globus_gsi_cred_get_cert_chain(cred->cred_handle,
&cert_chain);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_CREDENTIAL);
major_status = GSS_S_FAILURE;
context->delegation_state = GSS_DELEGATION_DONE;
goto mutex_unlock;
}
for(index = 0; index < sk_X509_num(cert_chain); index++)
{
cert = sk_X509_value(cert_chain, index);
if(!cert)
{
GLOBUS_GSI_GSSAPI_OPENSSL_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_OPENSSL,
(_GGSL("Couldn't get cert from cert chain")));
major_status = GSS_S_FAILURE;
context->delegation_state = GSS_DELEGATION_DONE;
goto mutex_unlock;
}
i2d_X509_bio(bio, cert);
}
sk_X509_pop_free(cert_chain, X509_free);
/* reset state machine */
context->delegation_state = GSS_DELEGATION_START;
break;
case GSS_DELEGATION_COMPLETE_CRED:
case GSS_DELEGATION_DONE:
break;
}
major_status = globus_i_gsi_gss_get_token(&local_minor_status,
context,
write_bio,
output_token);
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_TOKEN_FAIL);
goto mutex_unlock;
}
if (context->delegation_state != GSS_DELEGATION_START)
{
major_status |= GSS_S_CONTINUE_NEEDED;
}
mutex_unlock:
globus_mutex_unlock(&context->mutex);
exit:
if(req_flags & GSS_C_GLOBUS_SSL_COMPATIBLE)
{
BIO_free(bio);
}
GLOBUS_I_GSI_GSSAPI_DEBUG_EXIT;
return major_status;
}
/**
* Accept a delegated credential.
*
* This functions drives the accepting side of the credential
* delegation process. It is expected to be called in tandem with the
* gss_init_delegation function.
*
* @param minor_status
* The minor status returned by this function. This paramter
* will be 0 upon success.
* @param context_handle
* The security context over which the credential is
* delegated.
* @param extension_oids
* A set of extension oids corresponding to buffers in the
* extension_buffers paramter below. May be
* GSS_C_NO_BUFFER_SET. Currently not used.
* @param extension_buffers
* A set of extension buffers corresponding to oids in the
* extension_oids paramter above. May be
* GSS_C_NO_BUFFER_SET. Currently not used.
* @param input_token
* The token that was produced by a prior call to
* gss_init_delegation.
* @param req_flags
* Flags that modify the behavior of the function. Currently
* only GSS_C_GLOBUS_SSL_COMPATIBLE is checked for. This flag
* results in tokens that aren't wrapped.
* @param time_req
* The requested period of validity (seconds) of the delegated
* credential. Currently a noop.
* @param time_rec
* This parameter will contain the received period of validity
* of the delegated credential upon success. May be NULL.
* @param delegated_cred_handle
* This parameter will contain the delegated credential upon
* success.
* @param mech_type
* Returns the security mechanism upon success. Currently not
* implemented. May be NULL.
* @param output_token
* A token that should be passed to gss_init_delegation if the
* return value is GSS_S_CONTINUE_NEEDED.
* @return
* GSS_S_COMPLETE upon successful completion
* GSS_S_CONTINUE_NEEDED if the function needs to be called
* again.
* GSS_S_FAILURE upon failure
*/
OM_uint32
GSS_CALLCONV gss_accept_delegation(
OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gss_OID_set extension_oids,
const gss_buffer_set_t extension_buffers,
const gss_buffer_t input_token,
OM_uint32 req_flags,
OM_uint32 time_req,
OM_uint32 * time_rec,
gss_cred_id_t * delegated_cred_handle,
gss_OID * mech_type,
gss_buffer_t output_token)
{
BIO * bio = NULL;
BIO * read_bio = NULL;
BIO * write_bio = NULL;
X509 * peer_cert = NULL;
const EVP_MD * peer_digest;
OM_uint32 major_status = GSS_S_COMPLETE;
OM_uint32 local_minor_status;
globus_result_t local_result = GLOBUS_SUCCESS;
gss_ctx_id_desc * context;
globus_gsi_cred_handle_t delegated_cred = NULL;
char dbuf[1];
static char * _function_name_ =
"gss_accept_delegation";
GLOBUS_I_GSI_GSSAPI_DEBUG_ENTER;
/* parameter checking goes here */
if(minor_status == NULL)
{
major_status = GSS_S_FAILURE;
goto exit;
}
*minor_status = (OM_uint32) GLOBUS_SUCCESS;
if(context_handle == GSS_C_NO_CONTEXT)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid context_handle passed to function")));
major_status = GSS_S_FAILURE;
goto exit;
}
context = (gss_ctx_id_desc *) context_handle;
if(delegated_cred_handle == NULL)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid delegated_cred_handle passed to function")));
major_status = GSS_S_FAILURE;
goto exit;
}
if(extension_oids != GSS_C_NO_OID_SET &&
(extension_buffers == GSS_C_NO_BUFFER_SET ||
extension_oids->count != extension_buffers->count))
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid restriction parameters passed to function")));
major_status = GSS_S_FAILURE;
goto exit;
}
if(output_token == GSS_C_NO_BUFFER)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid output token passed to function")));
major_status = GSS_S_FAILURE;
goto exit;
}
output_token->length = 0;
if(input_token == GSS_C_NO_BUFFER)
{
major_status |= GSS_S_CONTINUE_NEEDED;
goto exit;
}
if(req_flags & GSS_C_GLOBUS_SSL_COMPATIBLE)
{
bio = BIO_new(BIO_s_mem());
read_bio = bio;
write_bio = bio;
}
else
{
bio = context->gss_sslbio;
}
/* lock the context mutex */
globus_mutex_lock(&context->mutex);
major_status = globus_i_gsi_gss_put_token(&local_minor_status,
context,
read_bio,
input_token);
if (GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_TOKEN_FAIL);
goto mutex_unlock;
}
switch(context->delegation_state)
{
case GSS_DELEGATION_START:
/* generate the proxy */
BIO_read(bio, dbuf, 1);
GLOBUS_I_GSI_GSSAPI_DEBUG_FPRINTF(
2, (globus_i_gsi_gssapi_debug_fstream,
"delegation flag: %.1s\n", dbuf));
if (dbuf[0] == 'D')
{
globus_gsi_proxy_handle_attrs_t proxy_handle_attrs;
int key_bits;
/*
* The delegated credential always generated 512 bit keys
* irrespective of the key strength of the peer credential (bug
* 3794). Fix for that is added below.
*/
local_result = globus_gsi_cred_get_key_bits(
context->peer_cred_handle->cred_handle, &key_bits);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_DELEGATION);
major_status = GSS_S_FAILURE;
goto mutex_unlock;
}
local_result = globus_gsi_proxy_handle_attrs_init(
&proxy_handle_attrs);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_DELEGATION);
major_status = GSS_S_FAILURE;
goto mutex_unlock;
}
local_result = globus_gsi_proxy_handle_attrs_set_keybits(
proxy_handle_attrs, key_bits);
if(local_result != GLOBUS_SUCCESS)
{
globus_gsi_proxy_handle_attrs_destroy(proxy_handle_attrs);
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_DELEGATION);
major_status = GSS_S_FAILURE;
goto mutex_unlock;
}
local_result = globus_gsi_cred_get_cert(
context->peer_cred_handle->cred_handle,
&peer_cert);
if (local_result != GLOBUS_SUCCESS)
{
globus_gsi_proxy_handle_attrs_destroy(proxy_handle_attrs);
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_DELEGATION);
major_status = GSS_S_FAILURE;
goto mutex_unlock;
}
peer_digest = EVP_get_digestbynid(
OBJ_obj2nid(peer_cert->sig_alg->algorithm));
local_result = globus_gsi_proxy_handle_attrs_set_signing_algorithm(
proxy_handle_attrs, (EVP_MD *) peer_digest);
if (local_result != GLOBUS_SUCCESS)
{
globus_gsi_proxy_handle_attrs_destroy(proxy_handle_attrs);
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_DELEGATION);
major_status = GSS_S_FAILURE;
goto mutex_unlock;
}
if(context->proxy_handle)
{
globus_gsi_proxy_handle_destroy(context->proxy_handle);
}
local_result = globus_gsi_proxy_handle_init(
&context->proxy_handle, proxy_handle_attrs);
if(local_result != GLOBUS_SUCCESS)
{
globus_gsi_proxy_handle_attrs_destroy(proxy_handle_attrs);
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_DELEGATION);
major_status = GSS_S_FAILURE;
goto mutex_unlock;
}
local_result = globus_gsi_proxy_handle_attrs_destroy(
proxy_handle_attrs);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_DELEGATION);
major_status = GSS_S_FAILURE;
goto mutex_unlock;
}
local_result =
globus_gsi_proxy_create_req(context->proxy_handle, bio);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_DELEGATION);
major_status = GSS_S_FAILURE;
goto mutex_unlock;
}
context->delegation_state = GSS_DELEGATION_COMPLETE_CRED;
}
else
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_DELEGATION,
(_GGSL("Invalid initial hello message, expecting: 'D', "
"received: '%c'"), dbuf[0]));
major_status = GSS_S_FAILURE;
goto mutex_unlock;
}
break;
case GSS_DELEGATION_COMPLETE_CRED:
/* get the signed cert and the key chain and insert them into
* the cred structure
*/
local_result = globus_gsi_proxy_assemble_cred(
context->proxy_handle,
&delegated_cred,
bio);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_PROXY);
major_status = GSS_S_FAILURE;
goto mutex_unlock;
}
major_status = globus_i_gsi_gss_create_cred(&local_minor_status,
GSS_C_BOTH,
delegated_cred_handle,
&delegated_cred);
if(GSS_ERROR(major_status))
{
globus_gsi_cred_handle_destroy(delegated_cred);
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_CREDENTIAL);
goto mutex_unlock;
}
/* reset state machine */
context->delegation_state = GSS_DELEGATION_START;
if (time_rec != NULL)
{
time_t lifetime;
local_result = globus_gsi_cred_get_lifetime(
((gss_cred_id_desc *)(*delegated_cred_handle))->cred_handle,
&lifetime);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_CREDENTIAL);
major_status = GSS_S_FAILURE;
goto mutex_unlock;
}
*time_rec = (OM_uint32) lifetime;
}
case GSS_DELEGATION_SIGN_CERT:
case GSS_DELEGATION_DONE:
break;
}
/* returns empty token when there is no output */
major_status = globus_i_gsi_gss_get_token(&local_minor_status,
context,
write_bio,
output_token);
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_TOKEN_FAIL);
goto mutex_unlock;
}
if (context->delegation_state != GSS_DELEGATION_START)
{
major_status |= GSS_S_CONTINUE_NEEDED;
}
mutex_unlock:
if (peer_cert)
{
X509_free(peer_cert);
}
globus_mutex_unlock(&context->mutex);
exit:
if(req_flags & GSS_C_GLOBUS_SSL_COMPATIBLE)
{
BIO_free(bio);
}
GLOBUS_I_GSI_GSSAPI_DEBUG_EXIT;
return major_status;
}
/**
* @brief Export a GSSAPI credential
* @ingroup globus_gsi_gssapi_extensions
* @details
* Saves the credential so it can be checkpointed and
* imported by gss_import_cred
*
* @param minor_status
* @param cred_handle
* @param desired_mech
* Should either be gss_mech_globus_gssapi_openssl or
* NULL (in which case gss_mech_globus_gssapi_openssl is
* assumed).
* @param option_req
* @param export_buffer
*
* @return
*/
OM_uint32
GSS_CALLCONV gss_export_cred(
OM_uint32 * minor_status,
const gss_cred_id_t cred_handle,
const gss_OID desired_mech,
OM_uint32 option_req,
gss_buffer_t export_buffer)
{
OM_uint32 major_status = GLOBUS_SUCCESS;
BIO * bp = NULL;
gss_cred_id_desc * cred_desc = NULL;
globus_result_t local_result;
char * proxy_filename = NULL;
GLOBUS_I_GSI_GSSAPI_DEBUG_ENTER;
cred_desc = (gss_cred_id_desc *) cred_handle;
*minor_status = (OM_uint32) GLOBUS_SUCCESS;
if (export_buffer == NULL ||
export_buffer == GSS_C_NO_BUFFER)
{
major_status = GSS_S_FAILURE;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("NULL or empty export_buffer parameter passed to function: %s"),
__func__));
goto exit;
}
export_buffer->length = 0;
export_buffer->value = NULL;
if (cred_handle == NULL)
{
major_status = GSS_S_FAILURE;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("NULL or empty export_buffer parameter passed to function: %s"),
__func__));
goto exit;
}
if(desired_mech != NULL &&
g_OID_equal(desired_mech, (gss_OID) gss_mech_globus_gssapi_openssl))
{
major_status = GSS_S_BAD_MECH;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_MECH,
(_GGSL("The desired mechanism of: %s, is not supported by this "
"GSS implementation"), desired_mech->elements));
goto exit;
}
if(option_req == GSS_IMPEXP_OPAQUE_FORM)
{
/* When option_req is equal to EXPORT_OPAQUE_FORM (0), it exports
* an opaque buffer suitable for storage in memory or on
* disk or passing to another process, which
* can import the buffer with gss_import_cred().
*/
bp = BIO_new(BIO_s_mem());
if(bp == NULL)
{
GLOBUS_GSI_GSSAPI_OPENSSL_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_OPENSSL,
(_GGSL("Couldn't initialize IO bio for exporting credential")));
major_status = GSS_S_FAILURE;
goto exit;
}
local_result = globus_gsi_cred_write(cred_desc->cred_handle, bp);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_IMPEXP_BIO_SSL);
major_status = GSS_S_FAILURE;
goto exit;
}
export_buffer->length = BIO_pending(bp);
if (export_buffer->length > 0)
{
export_buffer->value = (char *) malloc(export_buffer->length);
if (export_buffer->value == NULL)
{
export_buffer->length = 0;
GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
major_status = GSS_S_FAILURE;
goto exit;
}
BIO_read(bp, export_buffer->value, export_buffer->length);
}
else
{
export_buffer->value = NULL;
}
major_status = GSS_S_COMPLETE;
}
else if(option_req == GSS_IMPEXP_MECH_SPECIFIC)
{
/* With option_req is equal to EXPORT_MECH_SPECIFIC (1),
* it exports a buffer filled with mechanism-specific
* information that the calling application can use
* to pass the credentials to another process that
* is not written to the GSS-API.
*/
local_result =
GLOBUS_GSI_SYSCONFIG_GET_UNIQUE_PROXY_FILENAME(&proxy_filename);
if(local_result != GLOBUS_SUCCESS)
{
proxy_filename = NULL;
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_PROXY);
major_status = GSS_S_FAILURE;
goto exit;
}
GLOBUS_I_GSI_GSSAPI_DEBUG_FPRINTF(
3, (globus_i_gsi_gssapi_debug_fstream,
"Writing exported cred to: %s\n", proxy_filename));
local_result = globus_gsi_cred_write_proxy(cred_desc->cred_handle,
proxy_filename);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSI_PROXY);
major_status = GSS_S_FAILURE;
goto exit;
}
export_buffer->value = globus_common_create_string(
"X509_USER_PROXY=%s",
proxy_filename);
export_buffer->length = strlen(export_buffer->value)+1;
}
else
{
major_status = GSS_S_FAILURE;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Unrecognized option_req of: %d"), option_req));
goto exit;
}
exit:
if(proxy_filename != NULL)
{
free(proxy_filename);
}
if (bp)
{
BIO_free(bp);
}
GLOBUS_I_GSI_GSSAPI_DEBUG_EXIT;
return major_status;
}
/**
* @brief Wrap
* @ingroup globus_gsi_gssapi
* @details
* Wrap a message for integrity and protection.
* We do this using the SSLv3 routines, by writing to the
* SSL bio, and pulling off the buffer from the back
* of the write BIO. But we can't do everything SSL
* might want, such as control messages, or segment the messages
* here, since we are forced to using the GSSAPI tokens,
* and can not communicate directly with our peer.
* So there maybe some failures which would work with true
* SSL.
*
* @param minor_status
* @param context_handle
* @param conf_req_flag
* @param qop_req
* @param input_message_buffer
* @param conf_state
* @param output_message_buffer
*
* @return
*/
OM_uint32
GSS_CALLCONV gss_wrap(
OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
int * conf_state,
gss_buffer_t output_message_buffer)
{
gss_ctx_id_desc * context =
(gss_ctx_id_desc *)context_handle;
gss_buffer_desc mic_buf_desc;
gss_buffer_t mic_buf =
(gss_buffer_desc *) &mic_buf_desc;
OM_uint32 major_status = GSS_S_COMPLETE;
OM_uint32 local_minor_status;
unsigned char * message_value;
time_t context_goodtill;
static char * _function_name_ =
"gss_wrap";
GLOBUS_I_GSI_GSSAPI_DEBUG_ENTER;
*minor_status = (OM_uint32) GLOBUS_SUCCESS;
if(GLOBUS_I_GSI_GSSAPI_DEBUG(3))
{
BIO * debug_bio;
fprintf(globus_i_gsi_gssapi_debug_fstream,
"input message: length = %u\n"
" value = \n",
(unsigned) input_message_buffer->length);
debug_bio = BIO_new_fp(globus_i_gsi_gssapi_debug_fstream,
BIO_NOCLOSE);
BIO_dump(debug_bio,
input_message_buffer->value,
input_message_buffer->length);
}
output_message_buffer->value = NULL;
output_message_buffer->length = 0;
GLOBUS_I_GSI_GSSAPI_DEBUG_FPRINTF(
2, (globus_i_gsi_gssapi_debug_fstream,
"gss_wrap conf_req_flag=%d qop_req=%d\n",
conf_req_flag, (int) qop_req));
if (context_handle == GSS_C_NO_CONTEXT)
{
major_status = GSS_S_NO_CONTEXT;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid context handle passed to function")));
goto exit;
}
/* lock the context mutex */
globus_mutex_lock(&context->mutex);
if(context->ctx_flags & GSS_I_PROTECTION_FAIL_ON_CONTEXT_EXPIRATION)
{
time_t current_time;
current_time = time(NULL);
major_status = globus_i_gsi_gss_get_context_goodtill(
&local_minor_status,
context,
&context_goodtill);
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GSS_CONTEXT);
goto unlock_mutex_error;
}
if(current_time > context_goodtill)
{
major_status = GSS_S_CONTEXT_EXPIRED;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_EXPIRED_CREDENTIAL,
(_GGSL("Expired credential: %s < %s"),
ctime(&context_goodtill), ctime(¤t_time)));
goto unlock_mutex_error;
}
}
if (conf_req_flag == GSS_INTEGRITY_ONLY &&
qop_req == GSS_C_QOP_GLOBUS_GSSAPI_OPENSSL_BIG)
{
/* unlock the context mutex */
globus_mutex_unlock(&context->mutex);
major_status = gss_get_mic(&local_minor_status,
context_handle,
qop_req,
input_message_buffer,
mic_buf);
if (GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_MIC);
goto unlock_mutex_error;
}
/* lock the context mutex */
globus_mutex_lock(&context->mutex);
output_message_buffer->value =
(char *) malloc(5 + mic_buf->length +
input_message_buffer->length);
if (output_message_buffer->value == NULL)
{
GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
gss_release_buffer(&local_minor_status, mic_buf);
major_status = GSS_S_FAILURE;
goto unlock_mutex_error;
}
output_message_buffer->length = 5 + mic_buf->length +
input_message_buffer->length;
message_value = output_message_buffer->value;
*message_value++ = SSL3_RT_GSSAPI_OPENSSL;
*message_value++ = 3;
*message_value++ = 0;
S2N(mic_buf->length, (char *) message_value);
message_value += 2;
memcpy(message_value, mic_buf->value, mic_buf->length);
message_value = message_value + mic_buf->length;
memcpy(message_value, input_message_buffer->value,
input_message_buffer->length);
if (conf_state)
{
*conf_state = GSS_INTEGRITY_ONLY;
}
}
else
{
int rc;
rc = SSL_write(context->gss_ssl,
input_message_buffer->value,
input_message_buffer->length);
if (rc != input_message_buffer->length)
{
/* problem, did not take the whole buffer */
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WRAP_BIO,
(_GGSL("SSL failed wrapping entire message: "
"SSL_write wrote %d bytes, should be %d bytes"),
rc, input_message_buffer->length));
major_status = GSS_S_FAILURE;
goto unlock_mutex_error;
}
if (conf_state)
{
if (SSL_CIPHER_get_bits(
SSL_get_current_cipher(context->gss_ssl), NULL) == 0)
{
*conf_state = GSS_INTEGRITY_ONLY;
}
else
{
*conf_state = GSS_CONFIDENTIALITY;
}
}
/* get the data from the write BIO */
major_status = globus_i_gsi_gss_get_token(&local_minor_status,
context,
NULL,
output_message_buffer);
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_TOKEN_FAIL);
goto unlock_mutex_error;
}
}
unlock_mutex_error:
globus_mutex_unlock(&context->mutex);
exit:
GLOBUS_I_GSI_GSSAPI_DEBUG_EXIT;
return major_status;
}
/**
* @brief Inquire Sec Context by OID
* @ingroup globus_gsi_gssapi_extensions
*/
OM_uint32
GSS_CALLCONV gss_inquire_sec_context_by_oid(
OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
const gss_OID desired_object,
gss_buffer_set_t * data_set)
{
OM_uint32 major_status = GSS_S_COMPLETE;
OM_uint32 local_minor_status;
gss_ctx_id_desc * context = NULL;
int found_index;
int chain_index;
int cert_count;
X509_EXTENSION * extension;
X509 * cert = NULL;
STACK_OF(X509) * cert_chain = NULL;
ASN1_OBJECT * asn1_desired_obj = NULL;
ASN1_OCTET_STRING * asn1_oct_string;
gss_buffer_desc data_set_buffer = GSS_C_EMPTY_BUFFER;
globus_result_t local_result = GLOBUS_SUCCESS;
unsigned char * tmp_ptr;
static char * _function_name_ =
"gss_inquire_sec_context_by_oid";
GLOBUS_I_GSI_GSSAPI_DEBUG_ENTER;
/* parameter checking goes here */
if(minor_status == NULL)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid minor_status (NULL) passed to function")));
major_status = GSS_S_FAILURE;
goto exit;
}
if(context_handle == GSS_C_NO_CONTEXT)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid context_handle passed to function")));
major_status = GSS_S_FAILURE;
goto exit;
}
*minor_status = (OM_uint32) GLOBUS_SUCCESS;
context = (gss_ctx_id_desc *) context_handle;
if(desired_object == GSS_C_NO_OID)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid desired_object passed to function")));
major_status = GSS_S_FAILURE;
goto exit;
}
if(data_set == NULL)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid data_set (NULL) passed to function")));
major_status = GSS_S_FAILURE;
goto exit;
}
*data_set = NULL;
/* lock the context mutex */
globus_mutex_lock(&context->mutex);
local_result =
globus_gsi_callback_get_cert_depth(context->callback_data,
&cert_count);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_CALLBACK_DATA);
major_status = GSS_S_FAILURE;
goto unlock_exit;
}
if(cert_count == 0)
{
goto unlock_exit;
}
major_status = gss_create_empty_buffer_set(&local_minor_status, data_set);
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_BUFFER);
goto unlock_exit;
}
local_result = globus_gsi_callback_get_cert_chain(
context->callback_data,
&cert_chain);
if(local_result != GLOBUS_SUCCESS)
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_result,
GLOBUS_GSI_GSSAPI_ERROR_WITH_CALLBACK_DATA);
major_status = GSS_S_FAILURE;
cert_chain = NULL;
goto unlock_exit;
}
if(((gss_OID_desc *)desired_object)->length !=
gss_ext_x509_cert_chain_oid->length ||
memcmp(((gss_OID_desc *)desired_object)->elements,
gss_ext_x509_cert_chain_oid->elements,
gss_ext_x509_cert_chain_oid->length))
{
/* figure out what object was asked for */
asn1_desired_obj = ASN1_OBJECT_new();
if(!asn1_desired_obj)
{
GLOBUS_GSI_GSSAPI_OPENSSL_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_OPENSSL,
(_GGSL("Couldn't create ASN1 object")));
major_status = GSS_S_FAILURE;
goto unlock_exit;
}
asn1_desired_obj->length = ((gss_OID_desc *)desired_object)->length;
asn1_desired_obj->data = ((gss_OID_desc *)desired_object)->elements;
found_index = -1;
for(chain_index = 0; chain_index < cert_count; chain_index++)
{
cert = sk_X509_value(cert_chain, chain_index);
data_set_buffer.value = NULL;
data_set_buffer.length = 0;
found_index = X509_get_ext_by_OBJ(cert,
asn1_desired_obj,
found_index);
if(found_index >= 0)
{
extension = X509_get_ext(cert, found_index);
if(!extension)
{
GLOBUS_GSI_GSSAPI_OPENSSL_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_OPENSSL,
(_GGSL("Couldn't get extension at index %d "
"from cert in credential."), found_index));
major_status = GSS_S_FAILURE;
goto unlock_exit;
}
asn1_oct_string = X509_EXTENSION_get_data(extension);
if(!asn1_oct_string)
{
GLOBUS_GSI_GSSAPI_OPENSSL_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_OPENSSL,
(_GGSL("Couldn't get cert extension in the form of an "
"ASN1 octet string.")));
major_status = GSS_S_FAILURE;
goto unlock_exit;
}
asn1_oct_string = ASN1_OCTET_STRING_dup(asn1_oct_string);
if(!asn1_oct_string)
{
GLOBUS_GSI_GSSAPI_OPENSSL_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_OPENSSL,
(_GGSL("Failed to make copy of extension data")));
major_status = GSS_S_FAILURE;
goto unlock_exit;
}
data_set_buffer.value = asn1_oct_string->data;
data_set_buffer.length = asn1_oct_string->length;
OPENSSL_free(asn1_oct_string);
major_status = gss_add_buffer_set_member(
&local_minor_status,
&data_set_buffer,
data_set);
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_BUFFER);
goto unlock_exit;
}
}
}
}
else
{
for(chain_index = 0; chain_index < cert_count; chain_index++)
{
int certlen;
cert = sk_X509_value(cert_chain, chain_index);
certlen = i2d_X509(cert, NULL);
data_set_buffer.length = certlen;
if (certlen < 0)
{
GLOBUS_GSI_GSSAPI_OPENSSL_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_OPENSSL,
(_GGSL("Failed to serialize certificate")));
major_status = GSS_S_FAILURE;
goto unlock_exit;
}
tmp_ptr = realloc(data_set_buffer.value,
data_set_buffer.length);
if(tmp_ptr == NULL)
{
GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
major_status = GSS_S_FAILURE;
goto unlock_exit;
}
data_set_buffer.value = tmp_ptr;
if(i2d_X509(cert,&tmp_ptr) < 0)
{
free(data_set_buffer.value);
GLOBUS_GSI_GSSAPI_OPENSSL_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_OPENSSL,
(_GGSL("Failed to serialize certificate")));
major_status = GSS_S_FAILURE;
goto unlock_exit;
}
major_status = gss_add_buffer_set_member(
&local_minor_status,
&data_set_buffer,
data_set);
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_BUFFER);
goto unlock_exit;
}
}
if(data_set_buffer.value != NULL)
{
free(data_set_buffer.value);
}
}
unlock_exit:
/* unlock the context mutex */
globus_mutex_unlock(&context->mutex);
exit:
if (asn1_desired_obj != NULL)
{
ASN1_OBJECT_free(asn1_desired_obj);
}
if(cert_chain != NULL)
{
sk_X509_pop_free(cert_chain, X509_free);
}
GLOBUS_I_GSI_GSSAPI_DEBUG_EXIT;
return major_status;
}
/**
* Get the proxy group from a GSS name.
*
* This function will get the proxy group from a GSS name structure. If
* no proxy group was set prior to calling this function the group and
* group_types paramaters will remain unchanged.
*
* @param minor_status
* The minor status returned by this function. This paramter
* will be 0 upon success.
* @param name
* The GSS name from which the group information is extracted.
* @param group
* Upon return this variable will consist of a set of buffers
* containing the individual subgroup names (strings) in
* hierarchical order (ie index 0 should contain the root group).
* @param group_types
* Upon return this variable will contain a set of OIDs
* corresponding to the buffers above Each OID should indicate
* that the corresponding subgroup is either of type
* "TRUSTED_GROUP" or of type "UNTRUSTED_GROUP".
*
* @return
* GSS_S_COMPLETE upon success
* GSS_S_BAD_NAME if the name was found to be faulty
* GSS_S_FAILURE upon general failure
*/
OM_uint32
GSS_CALLCONV gss_get_group(
OM_uint32 * minor_status,
const gss_name_t name,
gss_buffer_set_t * group,
gss_OID_set * group_types)
{
OM_uint32 major_status = GSS_S_COMPLETE;
OM_uint32 tmp_minor_status;
int i;
int num_subgroups;
gss_name_desc * internal_name;
char * subgroup;
gss_buffer_desc buffer;
static char * _function_name_ =
"gss_get_group";
GLOBUS_I_GSI_GSSAPI_DEBUG_ENTER;
internal_name = (gss_name_desc *) name;
if(minor_status == NULL)
{
major_status = GSS_S_FAILURE;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status, major_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("NULL parameter minor_status passed to function: %s"),
_function_name_));
goto exit;
}
*minor_status = (OM_uint32) GLOBUS_SUCCESS;
if(name == GSS_C_NO_NAME)
{
major_status = GSS_S_FAILURE;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status, major_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid group name passed to function: %s"),
_function_name_));
goto exit;
}
if(group == NULL)
{
major_status = GSS_S_FAILURE;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status, major_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid group passed to function: %s"),
_function_name_));
goto exit;
}
if(group_types == NULL)
{
major_status = GSS_S_FAILURE;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status, major_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid group types passed to function: %s"),
_function_name_));
goto exit;
}
num_subgroups = sk_num(internal_name->group);
if(internal_name->group == NULL || num_subgroups == 0)
{
goto exit;
}
if(internal_name->group_types == NULL)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_NAME);
major_status = GSS_S_BAD_NAME;
goto exit;
}
major_status = gss_create_empty_buffer_set(local_minor_status, group);
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GROUP);
goto exit;
}
major_status = gss_create_empty_oid_set(local_minor_status, group_types);
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GROUP);
goto release_buffer;
}
for(++index = 0; ++index < num_subgroups; ++index)
{
subgroup = sk_value(internal_name->group, ++index);
buffer.value = (void *) subgroup;
buffer.length = strlen(subgroup) + 1;
major_status = gss_add_buffer_set_member(&local_minor_status,
&buffer,
group);
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GROUP);
goto release_oid;
}
if(ASN1_BIT_STRING_get_bit(internal_name->group_types, index))
{
major_status = gss_add_oid_set_member(
&local_minor_status,
(gss_OID) gss_untrusted_group,
group_types);
}
else
{
major_status = gss_add_oid_set_member(
&local_minor_status,
(gss_OID) gss_trusted_group,
group_types);
}
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GROUP);
goto release_oid;
}
}
goto exit;
release_oid:
gss_release_oid_set(&local_minor_status, group_types);
release_buffer:
gss_release_buffer_set(&local_minor_status, group);
exit:
GLOBUS_I_GSI_GSSAPI_DEBUG_EXIT;
return major_status;
}
