int authenticate_gss_server_clean(gss_server_state *state)
{
OM_uint32 min_stat;
int ret = AUTH_GSS_COMPLETE;
if (state->context != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&min_stat, &state->context, GSS_C_NO_BUFFER);
if (state->server_name != GSS_C_NO_NAME)
gss_release_name(&min_stat, &state->server_name);
if (state->client_name != GSS_C_NO_NAME)
gss_release_name(&min_stat, &state->client_name);
if (state->server_creds != GSS_C_NO_CREDENTIAL)
gss_release_cred(&min_stat, &state->server_creds);
if (state->client_creds != GSS_C_NO_CREDENTIAL)
gss_release_cred(&min_stat, &state->client_creds);
if (state->username != NULL)
{
free(state->username);
state->username = NULL;
}
if (state->targetname != NULL)
{
free(state->targetname);
state->targetname = NULL;
}
if (state->response != NULL)
{
free(state->response);
state->response = NULL;
}
return ret;
}
/* Delete our context, providing it has been built correctly */
void
ssh_gssapi_delete_ctx(Gssctxt **ctx)
{
OM_uint32 ms;
if ((*ctx) == NULL)
return;
if ((*ctx)->context != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&ms, &(*ctx)->context, GSS_C_NO_BUFFER);
if ((*ctx)->name != GSS_C_NO_NAME)
gss_release_name(&ms, &(*ctx)->name);
if ((*ctx)->oid != GSS_C_NO_OID) {
free((*ctx)->oid->elements);
free((*ctx)->oid);
(*ctx)->oid = GSS_C_NO_OID;
}
if ((*ctx)->creds != GSS_C_NO_CREDENTIAL)
gss_release_cred(&ms, &(*ctx)->creds);
if ((*ctx)->client != GSS_C_NO_NAME)
gss_release_name(&ms, &(*ctx)->client);
if ((*ctx)->client_creds != GSS_C_NO_CREDENTIAL)
gss_release_cred(&ms, &(*ctx)->client_creds);
free(*ctx);
*ctx = NULL;
}
/* Delete our context, providing it has been built correctly */
void
ssh_gssapi_delete_ctx(Gssctxt **ctx)
{
#if !defined(MECHGLUE)
OM_uint32 ms;
#endif
if ((*ctx) == NULL)
return;
#if !defined(MECHGLUE) /* mechglue has some memory management issues */
if ((*ctx)->context != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&ms, &(*ctx)->context, GSS_C_NO_BUFFER);
if ((*ctx)->name != GSS_C_NO_NAME)
gss_release_name(&ms, &(*ctx)->name);
if ((*ctx)->oid != GSS_C_NO_OID) {
free((*ctx)->oid->elements);
free((*ctx)->oid);
(*ctx)->oid = GSS_C_NO_OID;
}
if ((*ctx)->creds != GSS_C_NO_CREDENTIAL)
gss_release_cred(&ms, &(*ctx)->creds);
if ((*ctx)->client != GSS_C_NO_NAME)
gss_release_name(&ms, &(*ctx)->client);
if ((*ctx)->client_creds != GSS_C_NO_CREDENTIAL)
gss_release_cred(&ms, &(*ctx)->client_creds);
#endif
free(*ctx);
*ctx = NULL;
}
static void
acquire_add_release_add(gss_name_t name, gss_cred_usage_t usage)
{
OM_uint32 maj_stat, min_stat;
gss_cred_id_t cred, cred2, cred3;
maj_stat = gss_acquire_cred(&min_stat, name,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
usage,
&cred,
NULL,
NULL);
if (maj_stat != GSS_S_COMPLETE)
gss_err(1, min_stat, "aquire %d != GSS_S_COMPLETE", (int)maj_stat);
maj_stat = gss_add_cred(&min_stat,
cred,
GSS_C_NO_NAME,
GSS_KRB5_MECHANISM,
usage,
GSS_C_INDEFINITE,
GSS_C_INDEFINITE,
&cred2,
NULL,
NULL,
NULL);
if (maj_stat != GSS_S_COMPLETE)
gss_err(1, min_stat, "add_cred %d != GSS_S_COMPLETE", (int)maj_stat);
maj_stat = gss_release_cred(&min_stat, &cred);
if (maj_stat != GSS_S_COMPLETE)
gss_err(1, min_stat, "release %d != GSS_S_COMPLETE", (int)maj_stat);
maj_stat = gss_add_cred(&min_stat,
cred2,
GSS_C_NO_NAME,
GSS_KRB5_MECHANISM,
GSS_C_BOTH,
GSS_C_INDEFINITE,
GSS_C_INDEFINITE,
&cred3,
NULL,
NULL,
NULL);
if (maj_stat != GSS_S_COMPLETE)
gss_err(1, min_stat, "add_cred 2 %d != GSS_S_COMPLETE", (int)maj_stat);
maj_stat = gss_release_cred(&min_stat, &cred2);
if (maj_stat != GSS_S_COMPLETE)
gss_err(1, min_stat, "release 2 %d != GSS_S_COMPLETE", (int)maj_stat);
maj_stat = gss_release_cred(&min_stat, &cred3);
if (maj_stat != GSS_S_COMPLETE)
gss_err(1, min_stat, "release 3 %d != GSS_S_COMPLETE", (int)maj_stat);
}
/** @internal
* @frees a gssapi context
*/
static void ssh_gssapi_free(ssh_session session){
OM_uint32 min;
if (session->gssapi == NULL)
return;
SAFE_FREE(session->gssapi->user);
SAFE_FREE(session->gssapi->mech.elements);
gss_release_cred(&min,&session->gssapi->server_creds);
if (session->gssapi->client.creds !=
session->gssapi->client.client_deleg_creds) {
gss_release_cred(&min, &session->gssapi->client.creds);
}
SAFE_FREE(session->gssapi);
}
/* Privileged */
int
ssh_gssapi_userok(char *user, struct passwd *pw)
{
OM_uint32 lmin;
if (gssapi_client.exportedname.length == 0 ||
gssapi_client.exportedname.value == NULL) {
debug("No suitable client data");
return 0;
}
if (gssapi_client.mech && gssapi_client.mech->userok)
if ((*gssapi_client.mech->userok)(&gssapi_client, user)) {
gssapi_client.used = 1;
gssapi_client.store.owner = pw;
return 1;
} else {
/* Destroy delegated credentials if userok fails */
gss_release_buffer(&lmin, &gssapi_client.displayname);
gss_release_buffer(&lmin, &gssapi_client.exportedname);
gss_release_cred(&lmin, &gssapi_client.creds);
memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
return 0;
}
else
debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
return (0);
}
VOID
SMBGSSContextFree(
HANDLE hSMBGSSContext
)
{
DWORD dwMinorStatus = 0;
PSMB_GSS_SEC_CONTEXT pContext = (PSMB_GSS_SEC_CONTEXT)hSMBGSSContext;
if (pContext)
{
if (pContext->target_name != NULL)
{
gss_release_name(&dwMinorStatus, &pContext->target_name);
}
if (pContext->pGSSContext &&
(*pContext->pGSSContext != GSS_C_NO_CONTEXT))
{
gss_delete_sec_context(
&dwMinorStatus,
pContext->pGSSContext,
GSS_C_NO_BUFFER);
LwIoFreeMemory(pContext->pGSSContext);
}
if (pContext->credHandle)
{
gss_release_cred(&dwMinorStatus, &pContext->credHandle);
}
LwIoFreeMemory(pContext);
}
}
int
gfarmGssDeleteCredential(gss_cred_id_t *credPtr, OM_uint32 *majStatPtr,
OM_uint32 *minStatPtr)
{
OM_uint32 majStat = 0;
OM_uint32 minStat = 0;
int ret = -1;
majStat = gss_release_cred(&minStat, credPtr);
if (majStat == GSS_S_COMPLETE)
ret = 1; /* valid */
if (majStatPtr != NULL)
*majStatPtr = majStat;
if (minStatPtr != NULL)
*minStatPtr = minStat;
if (ret == -1) {
gflog_debug(GFARM_MSG_1000791,
"failed to delete credential (%u)(%u)",
majStat, minStat);
}
return ret;
}
zmq::gssapi_client_t::~gssapi_client_t ()
{
if(service_name)
free (service_name);
if(cred)
gss_release_cred(&min_stat, &cred);
}
static void
acquire_release_loop(gss_name_t name, int counter, gss_cred_usage_t usage)
{
OM_uint32 maj_stat, min_stat;
gss_cred_id_t cred;
int i;
for (i = 0; i < counter; i++) {
maj_stat = gss_acquire_cred(&min_stat, name,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
usage,
&cred,
NULL,
NULL);
if (maj_stat != GSS_S_COMPLETE)
gss_err(1, min_stat, "aquire %d %d != GSS_S_COMPLETE",
i, (int)maj_stat);
maj_stat = gss_release_cred(&min_stat, &cred);
if (maj_stat != GSS_S_COMPLETE)
gss_err(1, min_stat, "release %d %d != GSS_S_COMPLETE",
i, (int)maj_stat);
}
}
int main()
{
OM_uint32 minor_status;
OM_uint32 major_status;
gss_cred_id_t cred;
char * error_str;
int rc = EXIT_SUCCESS;
printf("1..1\n");
globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE);
globus_module_activate(GLOBUS_GSI_GSSAPI_MODULE);
major_status = gss_acquire_cred(
&minor_status,
NULL,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_BOTH,
&cred,
NULL,
NULL);
if(GSS_ERROR(major_status))
{
globus_gss_assist_display_status_str(&error_str,
NULL,
major_status,
minor_status,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n", __LINE__, error_str);
free(error_str);
rc = EXIT_FAILURE;
goto fail;
}
major_status = gss_release_cred(
&minor_status,
&cred);
if(GSS_ERROR(major_status))
{
globus_gss_assist_display_status_str(&error_str,
NULL,
major_status,
minor_status,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n", __LINE__, error_str);
free(error_str);
rc = EXIT_FAILURE;
goto fail;
}
fail:
printf("%s gssapi_acquire_test\n",
(rc == EXIT_SUCCESS) ? "ok" : "not ok");
globus_module_deactivate_all();
return rc;
}
static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_state)
{
OM_uint32 min_stat;
if (gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
gss_release_cred(&min_stat,
&gensec_gssapi_state->delegated_cred_handle);
}
if (gensec_gssapi_state->gssapi_context != GSS_C_NO_CONTEXT) {
gss_delete_sec_context(&min_stat,
&gensec_gssapi_state->gssapi_context,
GSS_C_NO_BUFFER);
}
if (gensec_gssapi_state->server_name != GSS_C_NO_NAME) {
gss_release_name(&min_stat,
&gensec_gssapi_state->server_name);
}
if (gensec_gssapi_state->client_name != GSS_C_NO_NAME) {
gss_release_name(&min_stat,
&gensec_gssapi_state->client_name);
}
return 0;
}
static void
test_add(gss_cred_id_t cred_handle)
{
OM_uint32 major_status, minor_status;
gss_cred_id_t copy_cred;
OM_uint32 time_rec;
major_status = gss_add_cred (&minor_status,
cred_handle,
GSS_C_NO_NAME,
GSS_KRB5_MECHANISM,
GSS_C_INITIATE,
0,
0,
©_cred,
NULL,
&time_rec,
NULL);
if (GSS_ERROR(major_status))
errx(1, "add_cred failed");
print_time(time_rec);
major_status = gss_release_cred(&minor_status,
©_cred);
if (GSS_ERROR(major_status))
errx(1, "release_cred failed");
}
static void
copy_cred(void)
{
OM_uint32 major_status, minor_status;
gss_cred_id_t cred_handle;
OM_uint32 time_rec;
major_status = gss_acquire_cred(&minor_status,
GSS_C_NO_NAME,
0,
NULL,
GSS_C_INITIATE,
&cred_handle,
NULL,
&time_rec);
if (GSS_ERROR(major_status))
errx(1, "acquire_cred failed");
print_time(time_rec);
test_add(cred_handle);
test_add(cred_handle);
test_add(cred_handle);
major_status = gss_release_cred(&minor_status,
&cred_handle);
if (GSS_ERROR(major_status))
errx(1, "release_cred failed");
}
uint32_t
sapgss_release_cred(
uint32_t *minor_status,
gss_cred_id_t *cred_handle)
{
return gss_release_cred(minor_status, cred_handle);
}
static void
del_handle(struct handle **h, int32_t idx)
{
OM_uint32 min_stat;
if (idx == 0)
return;
while (*h) {
if ((*h)->idx == idx) {
struct handle *p = *h;
*h = (*h)->next;
switch(p->type) {
case handle_context: {
gss_ctx_id_t c = p->ptr;
gss_delete_sec_context(&min_stat, &c, NULL);
break; }
case handle_cred: {
gss_cred_id_t c = p->ptr;
gss_release_cred(&min_stat, &c);
break; }
}
free(p);
return;
}
h = &((*h)->next);
}
errx(1, "tried to delete an unexisting handle");
}
int
GSI_SOCKET_check_creds(GSI_SOCKET *self)
{
gss_cred_id_t creds = GSS_C_NO_CREDENTIAL;
int return_value = GSI_SOCKET_ERROR;
if (self == NULL) {
return GSI_SOCKET_ERROR;
}
self->major_status = globus_gss_assist_acquire_cred(&self->minor_status,
GSS_C_BOTH,
&creds);
if (self->major_status != GSS_S_COMPLETE) {
goto error;
}
/* Success */
return_value = GSI_SOCKET_SUCCESS;
error:
if (creds != GSS_C_NO_CREDENTIAL) {
OM_uint32 minor_status;
gss_release_cred(&minor_status, &creds);
}
return return_value;
}
static void
pamGssCleanupCred(pam_handle_t *pamh, void *data, int error_status)
{
OM_uint32 minor;
gss_release_cred(&minor, (gss_cred_id_t *)&data);
}
/* Privileged */
int
ssh_gssapi_userok(char *user)
{
OM_uint32 lmin;
if (gssapi_client.exportedname.length == 0 ||
gssapi_client.exportedname.value == NULL) {
debug("No suitable client data");
return 0;
}
if (gssapi_client.mech && gssapi_client.mech->userok)
if ((*gssapi_client.mech->userok)(&gssapi_client, user))
return 1;
else {
/* Destroy delegated credentials if userok fails */
gss_release_buffer(&lmin, &gssapi_client.displayname);
gss_release_buffer(&lmin, &gssapi_client.exportedname);
gss_release_cred(&lmin, &gssapi_client.creds);
explicit_bzero(&gssapi_client,
sizeof(ssh_gssapi_client));
return 0;
}
else
debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
return (0);
}
gss_client_response *authenticate_gss_server_clean(gss_server_state *state)
{
OM_uint32 min_stat;
int ret = AUTH_GSS_COMPLETE;
gss_client_response *response = NULL;
if (state->context != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&min_stat, &state->context, GSS_C_NO_BUFFER);
if (state->server_name != GSS_C_NO_NAME)
gss_release_name(&min_stat, &state->server_name);
if (state->client_name != GSS_C_NO_NAME)
gss_release_name(&min_stat, &state->client_name);
if (state->server_creds != GSS_C_NO_CREDENTIAL)
gss_release_cred(&min_stat, &state->server_creds);
if (state->client_creds != GSS_C_NO_CREDENTIAL)
gss_release_cred(&min_stat, &state->client_creds);
if (state->username != NULL)
{
free(state->username);
state->username = NULL;
}
if (state->targetname != NULL)
{
free(state->targetname);
state->targetname = NULL;
}
if (state->response != NULL)
{
free(state->response);
state->response = NULL;
}
if (state->delegated_credentials_cache)
{
// TODO: what about actually destroying the cache? It can't be done now as
// the whole point is having it around for the lifetime of the "session"
free(state->delegated_credentials_cache);
}
if(response == NULL) {
response = calloc(1, sizeof(gss_client_response));
if(response == NULL) die1("Memory allocation failed");
response->return_code = ret;
}
// Return the response
return response;
}
static gboolean kill_pending_client(struct pending_client *pc)
{
#ifdef HAVE_GSSAPI
guint32 major_status, minor_status;
#endif
pc->listener->pending = g_list_remove(pc->listener->pending, pc);
g_source_remove(pc->watch_id);
#ifdef HAVE_GSSAPI
if (pc->authn_name != GSS_C_NO_NAME) {
major_status = gss_release_name(&minor_status, &pc->authn_name);
if (GSS_ERROR(major_status)) {
log_gssapi(pc->listener, LOG_WARNING,
"releasing name", major_status, minor_status);
gssapi_fail(pc);
}
}
if (pc->gss_ctx != GSS_C_NO_CONTEXT) {
major_status = gss_delete_sec_context(&minor_status,
&pc->gss_ctx,
GSS_C_NO_BUFFER);
if (GSS_ERROR(major_status)) {
log_gssapi(pc->listener, LOG_WARNING,
"deleting context name", major_status, minor_status);
gssapi_fail(pc);
}
}
if (pc->service_cred != GSS_C_NO_CREDENTIAL) {
major_status = gss_release_cred(&minor_status, &pc->service_cred);
if (GSS_ERROR(major_status)) {
log_gssapi(pc->listener, LOG_WARNING,
"releasing credentials", major_status, minor_status);
return FALSE;
}
}
if (pc->gss_service != GSS_C_NO_NAME) {
guint32 major_status, minor_status;
major_status = gss_release_name(&minor_status, &pc->gss_service);
if (GSS_ERROR(major_status)) {
log_gssapi(pc->listener, LOG_WARNING,
"releasing name", major_status, minor_status);
return FALSE;
}
}
#endif
g_free(pc->clientname);
g_free(pc);
return TRUE;
}
zmq::gssapi_server_t::~gssapi_server_t ()
{
if(cred)
gss_release_cred(&min_stat, &cred);
if(target_name)
gss_release_name(&min_stat, &target_name);
}
/*
* Function: auth_gssapi_destroy
*
* Purpose: Destroy a GSS-API authentication structure.
*
* Effects: This function destroys the GSS-API authentication
* context, and sends a message to the server instructing it to
* invokte gss_process_token() and thereby destroy its corresponding
* context. Since the client doesn't really care whether the server
* gets this message, no failures are reported.
*/
static void auth_gssapi_destroy(AUTH *auth)
{
struct timeval timeout;
OM_uint32 gssstat, minor_stat;
gss_cred_id_t cred;
int callstat;
if (AUTH_PRIVATE(auth)->client_handle.length == 0) {
PRINTF(("gssapi_destroy: no client_handle, not calling destroy\n"));
goto skip_call;
}
PRINTF(("gssapi_destroy: marshalling new creds\n"));
if (!marshall_new_creds(auth, TRUE, &AUTH_PRIVATE(auth)->client_handle)) {
PRINTF(("gssapi_destroy: marshall_new_creds failed\n"));
goto skip_call;
}
PRINTF(("gssapi_destroy: calling GSSAPI_DESTROY\n"));
timeout.tv_sec = 1;
timeout.tv_usec = 0;
callstat = clnt_call(AUTH_PRIVATE(auth)->clnt, AUTH_GSSAPI_DESTROY,
xdr_void, NULL, xdr_void, NULL, timeout);
if (callstat != RPC_SUCCESS)
clnt_sperror(AUTH_PRIVATE(auth)->clnt,
"gssapi_destroy: GSSAPI_DESTROY failed");
skip_call:
PRINTF(("gssapi_destroy: deleting context\n"));
gssstat = gss_delete_sec_context(&minor_stat,
&AUTH_PRIVATE(auth)->context,
NULL);
if (gssstat != GSS_S_COMPLETE)
AUTH_GSSAPI_DISPLAY_STATUS(("deleting context", gssstat,
minor_stat));
if (AUTH_PRIVATE(auth)->def_cred) {
cred = GSS_C_NO_CREDENTIAL;
gssstat = gss_release_cred(&minor_stat, &cred);
if (gssstat != GSS_S_COMPLETE)
AUTH_GSSAPI_DISPLAY_STATUS(("deleting default credential",
gssstat, minor_stat));
}
if (AUTH_PRIVATE(auth)->client_handle.length != 0)
gss_release_buffer(&minor_stat,
&AUTH_PRIVATE(auth)->client_handle);
#if 0
PRINTF(("gssapi_destroy: calling GSSAPI_EXIT\n"));
AUTH_PRIVATE(auth)->established = FALSE;
callstat = clnt_call(AUTH_PRIVATE(auth)->clnt, AUTH_GSSAPI_EXIT,
xdr_void, NULL, xdr_void, NULL, timeout);
#endif
free(auth->ah_private);
free(auth);
PRINTF(("gssapi_destroy: done\n"));
}
GSSCredential::~GSSCredential() {
if (credential != GSS_C_NO_CREDENTIAL) {
OM_uint32 majstat, minstat;
majstat = gss_release_cred(&minstat, &credential);
if (GSS_ERROR(majstat)) {
logger.msg(DEBUG, "Failed to release GSS credential "
"(major: %d, minor: %d):%s", majstat, minstat, ErrorStr(majstat, minstat));
return;
}
}
}
static int auth_globus_assert(struct link *link, time_t stoptime)
{
int rc;
gss_cred_id_t credential = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t context = GSS_C_NO_CONTEXT;
OM_uint32 major, minor, flags = 0;
int token;
char *reason = NULL;
globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE);
if(use_delegated_credential && delegated_credential != GSS_C_NO_CREDENTIAL) {
debug(D_AUTH, "globus: using delegated credential");
credential = delegated_credential;
major = GSS_S_COMPLETE;
} else {
debug(D_AUTH, "globus: loading my credentials");
major = globus_gss_assist_acquire_cred(&minor, GSS_C_INITIATE, &credential);
}
if(major == GSS_S_COMPLETE) {
debug(D_AUTH, "globus: waiting for server to get ready");
if(auth_barrier(link, "yes\n", stoptime) == 0) {
debug(D_AUTH, "globus: authenticating with server");
major = globus_gss_assist_init_sec_context(&minor, credential, &context, "GSI-NO-TARGET", 0, &flags, &token, read_token, link, write_token, link);
if(major == GSS_S_COMPLETE) {
debug(D_AUTH, "globus: credentials accepted!");
gss_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
} else {
globus_gss_assist_display_status_str(&reason, "", major, minor, token);
debug(D_AUTH, "globus: credentials rejected: %s", reason ? reason : "unknown reason");
THROW_QUIET(EACCES);
}
} else {
debug(D_AUTH, "globus: server couldn't load credentials");
THROW_QUIET(EACCES);
}
} else {
debug(D_AUTH, "globus: couldn't load my credentials; did you grid-proxy-init?");
auth_barrier(link, "no\n", stoptime);
THROW_QUIET(EACCES);
}
rc = 0;
goto out;
out:
if(!use_delegated_credential) {
gss_release_cred(&major, &credential);
}
globus_module_deactivate(GLOBUS_GSI_GSS_ASSIST_MODULE);
free(reason);
return RCUNIX(rc);
}
void
export_import_cred(gss_cred_id_t *cred)
{
OM_uint32 major, minor;
gss_buffer_desc buf;
major = gss_export_cred(&minor, *cred, &buf);
check_gsserr("gss_export_cred", major, minor);
(void)gss_release_cred(&minor, cred);
major = gss_import_cred(&minor, &buf, cred);
check_gsserr("gss_import_cred", major, minor);
(void)gss_release_buffer(&minor, &buf);
}
static void common_free_gss_state(struct smb_tran_enc_state_gss **pp_gss_state)
{
OM_uint32 minor = 0;
struct smb_tran_enc_state_gss *gss_state = *pp_gss_state;
if (gss_state->creds != GSS_C_NO_CREDENTIAL) {
gss_release_cred(&minor, &gss_state->creds);
}
if (gss_state->gss_ctx != GSS_C_NO_CONTEXT) {
gss_delete_sec_context(&minor, &gss_state->gss_ctx, NULL);
}
SAFE_FREE(*pp_gss_state);
}
static int auth_globus_accept(struct link *link, char **subject, time_t stoptime)
{
gss_cred_id_t credential = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t context = GSS_C_NO_CONTEXT;
OM_uint32 major, minor, flags = 0;
int token;
int success = 0;
globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE);
*subject = 0;
debug(D_AUTH, "globus: loading my credentials");
major = globus_gss_assist_acquire_cred(&minor, GSS_C_ACCEPT, &credential);
if(major == GSS_S_COMPLETE) {
debug(D_AUTH, "globus: waiting for client to get ready");
if(auth_barrier(link, "yes\n", stoptime) == 0) {
delegated_credential = GSS_C_NO_CREDENTIAL;
debug(D_AUTH, "globus: authenticating client");
major = globus_gss_assist_accept_sec_context(&minor, &context, credential, subject, &flags, 0, &token, &delegated_credential, read_token, link, write_token, link);
if(major == GSS_S_COMPLETE) {
debug(D_AUTH, "globus: accepted client %s", *subject);
if(delegated_credential != GSS_C_NO_CREDENTIAL) {
debug(D_AUTH, "globus: client delegated its credentials");
}
success = 1;
gss_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
} else {
char *reason;
globus_gss_assist_display_status_str(&reason, "", major, minor, token);
if(!reason)
reason = xxstrdup("unknown reason");
debug(D_AUTH, "globus: couldn't authenticate client: %s", reason);
if(reason)
free(reason);
}
} else {
debug(D_AUTH, "globus: client couldn't load credentials");
}
gss_release_cred(&major, &credential);
} else {
debug(D_AUTH, "globus: couldn't load my credentials: did you run grid-proxy-init?");
auth_barrier(link, "no\n", stoptime);
}
globus_module_deactivate(GLOBUS_GSI_GSS_ASSIST_MODULE);
return success;
}
static gss_cred_id_t
acquire_cred_service(const char *service,
gss_OID nametype,
gss_OID_set oidset,
gss_cred_usage_t usage,
gss_const_key_value_set_t cred_store)
{
OM_uint32 major_status, minor_status;
gss_cred_id_t cred_handle;
OM_uint32 time_rec;
gss_buffer_desc name_buffer;
gss_name_t name = GSS_C_NO_NAME;
if (service) {
name_buffer.value = rk_UNCONST(service);
name_buffer.length = strlen(service);
major_status = gss_import_name(&minor_status,
&name_buffer,
nametype,
&name);
if (GSS_ERROR(major_status))
errx(1, "import_name failed");
}
major_status = gss_acquire_cred_from(&minor_status,
name,
0,
oidset,
usage,
cred_store,
&cred_handle,
NULL,
&time_rec);
if (GSS_ERROR(major_status)) {
warnx("acquire_cred failed: %s",
gssapi_err(major_status, minor_status, GSS_C_NO_OID));
} else {
print_time(time_rec);
gss_release_cred(&minor_status, &cred_handle);
}
if (name != GSS_C_NO_NAME)
gss_release_name(&minor_status, &name);
if (GSS_ERROR(major_status))
exit(1);
return cred_handle;
}
static void
empty_release(void)
{
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
gss_name_t name = GSS_C_NO_NAME;
gss_OID_set oidset = GSS_C_NO_OID_SET;
OM_uint32 junk;
gss_delete_sec_context(&junk, &ctx, NULL);
gss_release_cred(&junk, &cred);
gss_release_name(&junk, &name);
gss_release_oid_set(&junk, &oidset);
}
