Exemple #1
0
gss_ctx_id_t accept_context(gss_cred_id_t credential_handle, char **client_name, int sck)
{
	OM_uint32       major_status = 0;
	OM_uint32       minor_status = 0;
	int             token_status = 0;
	OM_uint32       ret_flags = 0;
	gss_ctx_id_t    context_handle = GSS_C_NO_CONTEXT;
	gss_cred_id_t   delegated_cred = GSS_C_NO_CREDENTIAL;
		                        
	major_status = globus_gss_assist_accept_sec_context(
		&minor_status, /* minor_status */
		&context_handle, /* context_handle */
		credential_handle, /* acceptor_cred_handle */
		client_name, /* src_name as char ** */
		&ret_flags, /* ret_flags */
		NULL, /* don't need user_to_user */
		&token_status, /* token_status */
		&delegated_cred, /* no delegated cred */
		get_token,
		(void *) &sck,
		send_token,
		(void *) &sck);
                                                                                                                                                                                    
	if (major_status != GSS_S_COMPLETE)
	{
		globus_gss_assist_display_status(
				stderr,
				"GSS authentication failure ",
				major_status,
				minor_status,
				token_status);
		return (GSS_C_NO_CONTEXT);
	}
	return (context_handle);
}
Exemple #2
0
static int auth_globus_accept(struct link *link, char **subject, time_t stoptime)
{
	gss_cred_id_t credential = GSS_C_NO_CREDENTIAL;
	gss_ctx_id_t context = GSS_C_NO_CONTEXT;
	OM_uint32 major, minor, flags = 0;
	int token;
	int success = 0;

	globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE);

	*subject = 0;

	debug(D_AUTH, "globus: loading my credentials");
	major = globus_gss_assist_acquire_cred(&minor, GSS_C_ACCEPT, &credential);
	if(major == GSS_S_COMPLETE) {

		debug(D_AUTH, "globus: waiting for client to get ready");
		if(auth_barrier(link, "yes\n", stoptime) == 0) {

			delegated_credential = GSS_C_NO_CREDENTIAL;
			debug(D_AUTH, "globus: authenticating client");
			major = globus_gss_assist_accept_sec_context(&minor, &context, credential, subject, &flags, 0, &token, &delegated_credential, read_token, link, write_token, link);
			if(major == GSS_S_COMPLETE) {
				debug(D_AUTH, "globus: accepted client %s", *subject);
				if(delegated_credential != GSS_C_NO_CREDENTIAL) {
					debug(D_AUTH, "globus: client delegated its credentials");
				}
				success = 1;
				gss_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
			} else {
				char *reason;
				globus_gss_assist_display_status_str(&reason, "", major, minor, token);
				if(!reason)
					reason = xxstrdup("unknown reason");
				debug(D_AUTH, "globus: couldn't authenticate client: %s", reason);
				if(reason)
					free(reason);
			}
		} else {
			debug(D_AUTH, "globus: client couldn't load credentials");
		}
		gss_release_cred(&major, &credential);
	} else {
		debug(D_AUTH, "globus: couldn't load my credentials: did you run grid-proxy-init?");
		auth_barrier(link, "no\n", stoptime);
	}

	globus_module_deactivate(GLOBUS_GSI_GSS_ASSIST_MODULE);

	return success;
}
Exemple #3
0
int
GSI_SOCKET_authentication_accept(GSI_SOCKET *self)
{
    gss_cred_id_t		creds = GSS_C_NO_CREDENTIAL;
    int				token_status;
    int				return_value = GSI_SOCKET_ERROR;
    OM_uint32			gss_flags = 0;
    int				sock;
    FILE			*fp = NULL;
    char                        *cert_dir = NULL;
    globus_result_t res;

    if (self == NULL) {	
	return GSI_SOCKET_ERROR;
    }

    if (self->gss_context != GSS_C_NO_CONTEXT) {
	GSI_SOCKET_set_error_string(self, "GSI_SOCKET already authenticated");
	goto error;
    }

    res = GLOBUS_GSI_SYSCONFIG_GET_CERT_DIR(&cert_dir);
    if (res == GLOBUS_SUCCESS) {
        myproxy_debug("using trusted certificates directory %s", cert_dir);
    } else {
        verror_put_string("error getting trusted certificates directory");
        globus_error_to_verror(res);
        goto error;
    }

    self->major_status = globus_gss_assist_acquire_cred(&self->minor_status,
							GSS_C_ACCEPT,
							&creds);

    if (self->major_status != GSS_S_COMPLETE) {
	goto error;
    }
    
    /* These are supposed to be return flags only, according to RFC
       2774, but GSI helpfully uses them as request flags too. */
    gss_flags |= GSS_C_REPLAY_FLAG;
    gss_flags |= GSS_C_MUTUAL_FLAG;
    gss_flags |= GSS_C_CONF_FLAG;
    gss_flags |= GSS_C_INTEG_FLAG;

    if ((sock = dup(self->sock)) < 0) {
	GSI_SOCKET_set_error_string(self, "dup() of socket fd failed");
	self->error_number = errno;
	goto error;
    }
    if ((fp = fdopen(sock, "r")) == NULL) {
	GSI_SOCKET_set_error_string(self, "fdopen() of socket failed");
	self->error_number = errno;
	goto error;
    }
    if (setvbuf(fp, NULL, _IONBF, 0) != 0) {
    GSI_SOCKET_set_error_string(self, "setvbuf() for socket failed");
	self->error_number = errno;
	goto error;
    }
    
    self->major_status =
	globus_gss_assist_accept_sec_context(&self->minor_status,
					     &self->gss_context,
					     creds,
					     &self->peer_name,
					     &gss_flags,
					     NULL, /* u2u flag */
					     &token_status,
					     NULL, /* Delegated creds
						    * added in Globus 1.1.3
						    */
					     globus_gss_assist_token_get_fd,
					     (void *)fp,
					     assist_write_token,
					     (void *)&self->sock);

    if (self->major_status != GSS_S_COMPLETE) {
	goto error;
    }

    if (!(gss_flags & GSS_C_CONF_FLAG)) {
      GSI_SOCKET_set_error_string(self,
                                  "requested confidentiality GSSAPI service"
                                  " but it is not available");
      goto error;
    }

    if (gss_flags & GSS_C_GLOBUS_LIMITED_PROXY_FLAG) {
        self->limited_proxy = 1;
    }

    /* Success */
    return_value = GSI_SOCKET_SUCCESS;
    
  error:
    if (creds != GSS_C_NO_CREDENTIAL) {
	OM_uint32 minor_status;

	gss_release_cred(&minor_status, &creds);
    }
    if (cert_dir) free(cert_dir);
    if (fp) fclose(fp);
    
    return return_value;
}
Exemple #4
0
int main(int argc, char * argv[])
{
    gss_cred_id_t                       accept_cred = GSS_C_NO_CREDENTIAL;
    gss_cred_id_t                       delegated_init_cred 
        = GSS_C_NO_CREDENTIAL;
    OM_uint32                           major_status;
    OM_uint32                           minor_status;
    int                                 token_status;
    gss_ctx_id_t                        accept_context = GSS_C_NO_CONTEXT;
    OM_uint32                           ret_flags = 0;
    int                                 sock, connect_sock;
    FILE *                              infd;
    FILE *                              outfd;
    char *                              print_buffer = NULL;
    char *                              recv_buffer = NULL;
    size_t                              buffer_length;
    struct sockaddr_in                  sockaddr;
    socklen_t                           length;
    char *                              init_name;
    char *                              verbose_env = NULL;
    
    globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE);

    verbose_env = getenv("GSS_ASSIST_VERBOSE_TEST");

    setbuf(stdout, NULL);
    
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if(sock < 0)
    {
        perror("opening stream socket");
        exit(1);
    }

    sockaddr.sin_family = AF_INET;
    sockaddr.sin_addr.s_addr = INADDR_ANY;
    sockaddr.sin_port = 0;
    if(bind(sock, (struct sockaddr *) &sockaddr, sizeof(sockaddr)))
    {
        perror("binding stream socket");
        exit(1);
    }
    
    length = sizeof(sockaddr);
    if(getsockname(sock, (struct sockaddr *) &sockaddr, &length))
    {
        perror("getting socket name");
        exit(1);
    }
    /* Start accepting connection */
    listen(sock, 1);

    fprintf(stdout, "Socket has port #%d\n", ntohs(sockaddr.sin_port));

    connect_sock = accept(sock, 0, 0);
    if(connect_sock == -1) 
    {
        perror("accept");
        exit(1);
    }

    if(close(sock) < 0)
    {
        perror("Couldn't close listening socket");
        exit(1);
    }

    infd = fdopen(dup(connect_sock), "r");
    setbuf(infd, NULL);

    outfd = fdopen(dup(connect_sock), "w");
    setbuf(outfd, NULL);
    
    close(connect_sock);

    /* ACCEPTOR PROCESS */
    major_status = globus_gss_assist_acquire_cred(&minor_status,
                                                  GSS_C_ACCEPT,
                                                  &accept_cred);
    
    if(GSS_ERROR(major_status))
    {
        globus_gss_assist_display_status(
            stdout,
            "ACCEPTOR: Couldn't acquire acceptor's credentials",
            major_status,
            minor_status,
            0);
        exit(1);
    }

    major_status = globus_gss_assist_accept_sec_context(
        &minor_status,
        &accept_context,
        accept_cred,
        &init_name,
        &ret_flags,
        NULL,
        &token_status,
        &delegated_init_cred,
        globus_gss_assist_token_get_fd,
        (void *) (infd),
        globus_gss_assist_token_send_fd,
        (void *) (outfd));
    if(GSS_ERROR(major_status))
    {
        globus_gss_assist_display_status(
            stdout,
            "ACCEPTOR: Couldn't authenticate as acceptor\n",
            major_status,
            minor_status,
            token_status);
        exit(1);
    }

    if(verbose_env)
    {
        fprintf(stdout, 
                "ACCEPTOR: "__FILE__":%d"
                ": Acceptor successfully created context"
                " for initiator: %s\n", __LINE__, init_name);
    }

    /*
    
    major_status = globus_gss_assist_get_unwrap(
        &minor_status,
        accept_context,
        &recv_buffer,
        &buffer_length,
        &token_status,
        globus_gss_assist_token_get_fd,
        (void *) (infd),
        stdout);
    if(GSS_ERROR(major_status))
    {
        fprintf(stdout, "ACCEPTOR ERROR\n");
        globus_gss_assist_display_status(
            stdout,
            "ACCEPTOR: Couldn't get encrypted message from initiator\n",
            major_status,
            minor_status,
            token_status);
        fprintf(stdout, "ACCEPTOR ERROR FINISHED\n");
        exit(1);
    }

    print_buffer = malloc(buffer_length + 1);
    globus_libc_snprintf(print_buffer, buffer_length + 1, "%s", recv_buffer);

    if(verbose_env)
    {
        fprintf(stdout,
                "ACCEPTOR: "__FILE__":%d"
                ": received: %s\n", __LINE__, print_buffer);
    }

    free(print_buffer);
    free(recv_buffer);

    */
    
    major_status = globus_gss_assist_get_unwrap(
        &minor_status,
        accept_context,
        &recv_buffer,
        &buffer_length,
        &token_status,
        globus_gss_assist_token_get_fd,
        (void *) (infd),
        stdout);
    if(GSS_ERROR(major_status))
    {
        fprintf(stdout, "ACCEPTOR ERROR\n");
        globus_gss_assist_display_status(
            stdout,
            "ACCEPTOR: Couldn't get encrypted message from initiator\n",
            major_status,
            minor_status,
            token_status);
        fprintf(stdout, "ACCEPTOR ERROR FINISHED\n");
        exit(1);
    }

    print_buffer = malloc(buffer_length + 1);
    globus_libc_snprintf(print_buffer, buffer_length + 1, "%s", recv_buffer);

    if(verbose_env)
    {
        fprintf(stdout,
                "ACCEPTOR: "__FILE__":%d"
                ": received: %s\n", __LINE__, print_buffer);
    }

    free(print_buffer);
    free(recv_buffer);

    major_status = globus_gss_assist_wrap_send(
        &minor_status,
        accept_context,
        accept_message,
        sizeof(accept_message),
        &token_status,
        globus_gss_assist_token_send_fd,
        (void *) (outfd),
        stdout);
    if(GSS_ERROR(major_status))
    {
        globus_gss_assist_display_status(
            stdout,
            "ACCEPTOR: Couldn't encrypt and send message\n",
            major_status,
            minor_status,
            token_status);
        exit(1);
    }

    major_status = globus_gss_assist_get_unwrap(
        &minor_status,
        accept_context,
        &recv_buffer,
        &buffer_length,
        &token_status,
        globus_gss_assist_token_get_fd,
        (void *) (infd),
        stdout);
    if(GSS_ERROR(major_status))
    {
        fprintf(stdout, "ACCEPTOR ERROR\n");
        globus_gss_assist_display_status(
            stdout,
            "ACCEPTOR: Couldn't get encrypted message from initiator\n",
            major_status,
            minor_status,
            token_status);
        fprintf(stdout, "ACCEPTOR ERROR FINISHED\n");
        exit(1);
    }

    print_buffer = malloc(buffer_length + 1);
    globus_libc_snprintf(print_buffer, buffer_length + 1, "%s", recv_buffer);

    if(verbose_env)
    {
        fprintf(stdout,
                "ACCEPTOR: "__FILE__":%d"
                ": received: %s\n", __LINE__, print_buffer);
    }

    free(print_buffer);
    free(recv_buffer);

    major_status = globus_gss_assist_wrap_send(
        &minor_status,
        accept_context,
        accept_message,
        sizeof(accept_message),
        &token_status,
        globus_gss_assist_token_send_fd,
        (void *) (outfd),
        stdout);
    if(GSS_ERROR(major_status))
    {
        globus_gss_assist_display_status(
            stdout,
            "ACCEPTOR: Couldn't encrypt and send message\n",
            major_status,
            minor_status,
            token_status);
        exit(1);
    }
                
    major_status = gss_delete_sec_context(&minor_status,
                                          &accept_context,
                                          GSS_C_NO_BUFFER);
    if(major_status != GSS_S_COMPLETE)
    {
        globus_gss_assist_display_status(
            stdout,
            "INITIATOR: Couldn't delete security context\n",
            major_status,
            minor_status,
            0);
        exit(1);
    }
            
    gss_release_cred(&minor_status,
                     &accept_cred);
    if(major_status != GSS_S_COMPLETE)
    {
        globus_gss_assist_display_status(
            stdout,
            "INITIATOR: Couldn't delete security context\n",
            major_status,
            minor_status,
            0);
        exit(1);
    }

    if(fclose(infd) == EOF)
    {
        perror("closing stream socket");
        exit(1);
    }

    if(fclose(outfd) == EOF)
    {
        perror("closing stream socket");
        exit(1);
    }

    globus_module_deactivate(GLOBUS_GSI_GSS_ASSIST_MODULE);

    exit(0);
}
Exemple #5
0
int Condor_Auth_X509::authenticate_server_gss(CondorError* errstack)
{
    char *    GSSClientname;
    int       status = 0;
    OM_uint32 major_status = 0;
    OM_uint32 minor_status = 0;

    priv_state priv;
    
    priv = set_root_priv();
    
    major_status = globus_gss_assist_accept_sec_context(&minor_status,
                                                        &context_handle, 
                                                        credential_handle,
                                                        &GSSClientname,
                                                        &ret_flags, NULL,
                                                        /* don't need user_to_user */
                                                        &token_status,
                                                        NULL,     /* don't delegate credential */
                                                        relisock_gsi_get, 
                                                        (void *) mySock_,
                                                        relisock_gsi_put, 
                                                        (void *) mySock_
                                                        );
    
    set_priv(priv);
    
    if ( (major_status != GSS_S_COMPLETE)) {
		if (major_status == 655360) {
			errstack->pushf("GSI", GSI_ERR_AUTHENTICATION_FAILED,
				"COMMON Failed to authenticate (%u:%u)", (unsigned)major_status, (unsigned)minor_status);
		} else {
			errstack->pushf("GSI", GSI_ERR_AUTHENTICATION_FAILED,
				"Failed to authenticate.  Globus is reporting error (%u:%u)",
				(unsigned)major_status, (unsigned)minor_status);
		}
        print_log(major_status,minor_status,token_status, 
                  "Condor GSI authentication failure" );
    }
    else {
		// store the raw subject name for later mapping
		setAuthenticatedName(GSSClientname);
		setRemoteUser("gsi");
		setRemoteDomain( UNMAPPED_DOMAIN );

		if (param_boolean("USE_VOMS_ATTRIBUTES", true)) {

			// get the voms attributes from the peer
			globus_gsi_cred_handle_t peer_cred = context_handle->peer_cred_handle->cred_handle;

			char * voms_fqan = NULL;
			int voms_err = extract_VOMS_info(peer_cred, 1, NULL, NULL, &voms_fqan);
			if (!voms_err) {
				setFQAN(voms_fqan);
				free(voms_fqan);
			} else {
				// complain!
				dprintf(D_SECURITY, "ZKM: VOMS FQAN not present (error %i), ignoring.\n", voms_err);
			}
		}

		// XXX FIXME ZKM
		// i am making failure to be mapped a non-fatal error at this point.
		status = 1;

        mySock_->encode();
        if (!mySock_->code(status) || !mySock_->end_of_message()) {
			errstack->push("GSI", GSI_ERR_COMMUNICATIONS_ERROR,
				"Failed to authenticate with client.  Unable to send status");
            dprintf(D_SECURITY, "Unable to send final confirmation\n");
            status = 0;
        }

        if (status != 0) {
            // Now, see if client likes me or not
            mySock_->decode();
            if (!mySock_->code(status) || !mySock_->end_of_message()) {
				errstack->push("GSI", GSI_ERR_COMMUNICATIONS_ERROR,
					"Failed to authenticate with client.  Unable to receive status");
                dprintf(D_SECURITY, "Unable to receive client confirmation.\n");
                status = 0;
            }
            else {
                if (status == 0) {
					errstack->push("GSI", GSI_ERR_COMMUNICATIONS_ERROR,
						"Failed to authenticate with client.  Client does not trust our certificate.  "
						"You may want to check the GSI_DAEMON_NAME in the condor_config");
                    dprintf(D_SECURITY, "Client rejected my certificate. Please check the GSI_DAEMON_NAME parameter in Condor's config file.\n");
                }
            }
        }
        
        if (GSSClientname) {
            free(GSSClientname);
        }
    }
    return (status == 0) ? FALSE : TRUE;
}