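Condor_Auth_X509 :: Condor_Auth_X509(ReliSock * sock)
	: Condor_Auth_Base (sock, CAUTH_GSI),
	  credential_handle(GSS_C_NO_CREDENTIAL),
	  context_handle (GSS_C_NO_CONTEXT),
	  m_gss_server_name(NULL),
	  token_status (0),
	  ret_flags (0)
{
	// GSI (X.509) authenticator bound to one socket.  The GSS credential
	// and context handles start out empty; nothing here acquires a
	// credential or contacts the peer.
#ifdef WIN32
	ParseMapFile();
#endif

	// One-time Globus activation, guarded by m_globusActivated (presumably
	// a class-wide flag shared by all instances -- it is not a member set
	// in the initializer list above).  A failed activation is logged but
	// NOT fatal: the object is still constructed and a later authentication
	// attempt is expected to fail instead.
	if ( !m_globusActivated ) {
		// The Globus callout module is a system-wide setting. There are several
		// cases where a user may not want it to apply to Condor by default
		// (for example, if it causes crashes when mixed with Condor libs!).
		// Setting GSI_AUTHZ_CONF=/dev/null works for disabling the callouts.
		//
		// The value comes from our own configuration and is written with
		// overwrite=1, so a GSI_AUTHZ_CONF already present in the process
		// environment cannot override what the administrator configured.
		std::string gsi_authz_conf;
		if (param(gsi_authz_conf, "GSI_AUTHZ_CONF")) {
			if (setenv("GSI_AUTHZ_CONF", gsi_authz_conf.c_str(), 1)) {
				// setenv() returns non-zero on failure; treat it as fatal
				// since silently running with the wrong callout config is
				// worse than aborting.
				dprintf(D_ALWAYS, "Failed to set the GSI_AUTHZ_CONF environment variable.\n");
				EXCEPT("Failed to set the GSI_AUTHZ_CONF environment variable.\n");
			}
		}
		if ( activate_globus_gsi() < 0 ) {
			// Message text corrected ("intialize" -> "initialize").
			dprintf( D_ALWAYS, "Can't initialize GSI, authentication will fail: %s\n", x509_error_string() );
		} else {
			m_globusActivated = true;
		}
	}
}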
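int Authentication::handshake(MyString my_methods, bool non_blocking) {
	// Negotiate the authentication method with the peer.
	//
	// Client side (this function): send the bitmask of methods we are
	// configured for and can actually initialize, then read back the
	// method the server selected.  The server side lives in
	// handshake_continue(), which this function delegates to when the
	// socket is not the client end.
	//
	// Returns: the selected CAUTH_* method (0 if the server found nothing
	// in common), -1 on a socket error or on a reply naming a method we
	// did not offer, or -2 when non_blocking is set and the server side
	// would have to block (only reachable via handshake_continue()).
	int shouldUseMethod = 0;

	dprintf ( D_SECURITY, "HANDSHAKE: in handshake(my_methods = '%s')\n", my_methods.Value());

	if ( !mySock->isClient() ) {
		return handshake_continue(my_methods, non_blocking);
	}

	dprintf (D_SECURITY, "HANDSHAKE: handshake() - i am the client\n");
	mySock->encode();

	int method_bitmask = SecMan::getAuthBitmask(my_methods.Value());

	// Drop every configured method whose library fails to initialize on
	// this host, so the server cannot select something we are unable to
	// follow through on.
	if ( (method_bitmask & CAUTH_KERBEROS) && Condor_Auth_Kerberos::Initialize() == false ) {
		dprintf (D_SECURITY, "HANDSHAKE: excluding KERBEROS: %s\n", "Initialization failed");
		method_bitmask &= ~CAUTH_KERBEROS;
	}
	if ( (method_bitmask & CAUTH_SSL) && Condor_Auth_SSL::Initialize() == false ) {
		dprintf (D_SECURITY, "HANDSHAKE: excluding SSL: %s\n", "Initialization failed");
		method_bitmask &= ~CAUTH_SSL;
	}
	if ( (method_bitmask & CAUTH_GSI) && activate_globus_gsi() != 0 ) {
		dprintf (D_SECURITY, "HANDSHAKE: excluding GSI: %s\n", x509_error_string());
		method_bitmask &= ~CAUTH_GSI;
	}

	dprintf ( D_SECURITY, "HANDSHAKE: sending (methods == %i) to server\n", method_bitmask);
	if ( !mySock->code( method_bitmask ) || !mySock->end_of_message() ) {
		return -1;
	}

	mySock->decode();
	if ( !mySock->code( shouldUseMethod ) || !mySock->end_of_message() ) {
		return -1;
	}
	dprintf ( D_SECURITY, "HANDSHAKE: server replied (method = %i)\n", shouldUseMethod);

	// The reply comes straight off the wire and is untrusted.  Previously
	// it was returned as-is, so a hostile or confused peer could name a
	// method we never offered (including one we excluded above) and have
	// the caller act on it.  Reject anything outside our own offer; a
	// reply of 0 ("nothing in common") still passes through unchanged so
	// the caller reports that failure exactly as before.
	if ( shouldUseMethod & ~method_bitmask ) {
		dprintf (D_SECURITY, "HANDSHAKE: server replied with method %i which we did not offer (methods == %i); rejecting\n",
		         shouldUseMethod, method_bitmask);
		return -1;
	}

	return( shouldUseMethod );
}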
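int Authentication::handshake_continue(MyString my_methods, bool non_blocking) {
	// Server side of the method negotiation (see handshake() for the
	// client side).  Reads the client's offered bitmask, intersects it
	// with our own configured methods, and sends back the single method
	// the client should use.
	//
	// Returns: the selected CAUTH_* method (0 if nothing usable is in
	// common), -1 on a socket error, or -2 when non_blocking is set and
	// the client's offer has not arrived yet (caller should retry).
	if( non_blocking && !mySock->readReady() ) {
		return -2;
	}

	int shouldUseMethod = 0;
	int client_methods = 0;

	dprintf (D_SECURITY, "HANDSHAKE: handshake() - i am the server\n");
	mySock->decode();
	if ( !mySock->code( client_methods ) || !mySock->end_of_message() ) {
		return -1;
	}
	dprintf ( D_SECURITY, "HANDSHAKE: client sent (methods == %i)\n", client_methods);

	// client_methods is untrusted.  selectAuthenticationType() is only
	// ever given our own my_methods as the first argument, so the client
	// can narrow the choice but never widen it beyond what this side is
	// configured to accept.
	//
	// If the selected method's library cannot be initialized here, remove
	// it from the client's offer and select again, so that an alternative
	// common method is used instead of replying 0 (no common method).
	// Previously only the GSI case did this; a Kerberos or SSL init
	// failure simply cleared the bit and sent 0 even when another method
	// was available.  `excluded` only ever grows by a bit that was not yet
	// in it, so the loop runs at most once per excludable method.
	int excluded = 0;
	for (;;) {
		shouldUseMethod = selectAuthenticationType( my_methods, client_methods & ~excluded );

		int failed = 0;
		if ( (shouldUseMethod & CAUTH_KERBEROS) && !(excluded & CAUTH_KERBEROS)
		     && Condor_Auth_Kerberos::Initialize() == false ) {
			dprintf (D_SECURITY, "HANDSHAKE: excluding KERBEROS: %s\n", "Initialization failed");
			failed |= CAUTH_KERBEROS;
		}
		if ( (shouldUseMethod & CAUTH_SSL) && !(excluded & CAUTH_SSL)
		     && Condor_Auth_SSL::Initialize() == false ) {
			dprintf (D_SECURITY, "HANDSHAKE: excluding SSL: %s\n", "Initialization failed");
			failed |= CAUTH_SSL;
		}
		if ( (shouldUseMethod & CAUTH_GSI) && !(excluded & CAUTH_GSI)
		     && activate_globus_gsi() != 0 ) {
			dprintf (D_SECURITY, "HANDSHAKE: excluding GSI: %s\n", x509_error_string());
			failed |= CAUTH_GSI;
		}

		if ( failed == 0 ) {
			break;
		}
		excluded |= failed;
	}

	dprintf ( D_SECURITY, "HANDSHAKE: i picked (method == %i)\n", shouldUseMethod);

	mySock->encode();
	if ( !mySock->code( shouldUseMethod ) || !mySock->end_of_message() ) {
		return -1;
	}

	// NOTE: this message text predates this change and reads as if written
	// from the client's point of view; it is the server logging what it
	// just sent.  Kept verbatim so existing log consumers are unaffected.
	dprintf ( D_SECURITY, "HANDSHAKE: client received (method == %i)\n", shouldUseMethod);

	return shouldUseMethod;
}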