/*
 * Return a newly allocated string describing the credential `cred'.
 *
 * The credential is first converted to a gss_name_t, which is then rendered
 * by newStringOfName() and released again.  If the credential cannot be
 * converted, the GSS major/minor status is printed to stderr and a strdup()'d
 * "(invalid credential)" placeholder is returned instead.
 *
 * Ownership: the caller frees the returned string (may be NULL if the
 * underlying allocation failed).
 */
char *
newStringOfCredential(gss_cred_id_t cred)
{
	OM_uint32 majStat, minStat;
	gss_name_t name;
	char *result;

	if (gfarmGssNewCredentialName(&name, cred, &majStat, &minStat) <= 0) {
		fprintf(stderr, "cannot convert credential to gss_name_t:\n");
		gfarmGssPrintMajorStatus(majStat);
		gfarmGssPrintMinorStatus(minStat);
		return strdup("(invalid credential)");
	}
	result = newStringOfName(name);
	/* the temporary name is no longer needed once rendered */
	gfarmGssDeleteName(&name, NULL, NULL);
	return result;
}
/*
 * Derive the display name (DN) of the initiator's initial credential.
 *
 * Returns NULL when this process is not initialized as an initiator, when
 * the credential cannot be converted to a name, or when the name cannot be
 * converted to a string.  The first failure is always logged; the GSS
 * major/minor status of the other two is printed only in verbose mode.
 */
static char *
gfarm_gsi_lookup_client_cred_name(void)
{
	gss_cred_id_t cred;
	gss_name_t name;
	OM_uint32 e_major, e_minor;
	char *dn;

	if (gfarmSecSessionGetInitiatorInitialCredential(&cred) < 0) {
		gflog_auth_error("gfarm_gsi_client_cred_name(): "
		    "not initialized as an initiator");
		return (NULL);
	}
	if (gfarmGssNewCredentialName(&name, cred, &e_major, &e_minor) < 0) {
		if (gflog_auth_get_verbose()) {
			gflog_error("cannot convert initiator credential "
			    "to name");
			gfarmGssPrintMajorStatus(e_major);
			gfarmGssPrintMinorStatus(e_minor);
		}
		return (NULL);
	}
	dn = gfarmGssNewDisplayName(name, &e_major, &e_minor, NULL);
	if (dn == NULL && gflog_auth_get_verbose()) {
		gflog_error("cannot convert initiator credential "
		    "to string");
		gfarmGssPrintMajorStatus(e_major);
		gfarmGssPrintMinorStatus(e_minor);
	}
	gfarmGssDeleteName(&name, NULL, NULL);
	return (dn);
}

/*
 * Return the DN of the initiator credential, or NULL if it is unavailable.
 *
 * The lookup is performed once per process and its result -- including a
 * NULL result -- is cached in unsynchronized static storage, so later calls
 * return the same pointer without re-logging.  The returned string is owned
 * by this cache; callers must not free it.
 */
char *
gfarm_gsi_client_cred_name(void)
{
	static int initialized = 0;
	static char *dn;

	if (!initialized) {
		dn = gfarm_gsi_lookup_client_cred_name();
		initialized = 1;
	}
	return (dn);
}
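/*
 * Acquire a GSS credential for `desiredName' with the given usage.
 *
 * Returns 1 on success and -1 on failure.  On success, *credPtr (when
 * credPtr is non-NULL) receives the credential and, when credNamePtr is
 * non-NULL, *credNamePtr receives the credential's name; the credential is
 * handed out only if that name could be obtained.  When credPtr is NULL the
 * acquired credential is released again before returning, so the call only
 * probes whether acquisition works (and optionally yields the name).  On
 * failure nothing is handed out.  The GSS major/minor status of the last
 * GSS call made is stored through majStatPtr/minStatPtr; either may be NULL.
 *
 * Ownership: the caller releases *credPtr with gfarmGssDeleteCredential()
 * and *credNamePtr with gfarmGssDeleteName().
 */
int
gfarmGssAcquireCredential(gss_cred_id_t *credPtr, const gss_name_t desiredName,
	gss_cred_usage_t credUsage, OM_uint32 *majStatPtr, OM_uint32 *minStatPtr,
	gss_name_t *credNamePtr)
{
	OM_uint32 majStat = 0;
	OM_uint32 minStat = 0;
	int ret = -1;
	gss_cred_id_t cred;

	/*
	 * credPtr is optional (it is tested for NULL below), so the initial
	 * reset must not write through a NULL pointer.
	 */
	if (credPtr != NULL)
		*credPtr = GSS_C_NO_CREDENTIAL;

	majStat = gss_acquire_cred(&minStat, desiredName, GSS_C_INDEFINITE,
	    GSS_C_NO_OID_SET, credUsage, &cred, NULL, NULL);

#if GFARM_FAKE_GSS_C_NT_USER_NAME_FOR_GLOBUS
	if (majStat != GSS_S_COMPLETE) {
		OM_uint32 majStat2, majStat3;
		OM_uint32 minStat2, minStat3;

		/*
		 * to workaround a problem that any proxy credential cannot be
		 * acquired by using "/C=.../O=.../CN=John Smith" as its name.
		 * Globus requires "/C=.../O=.../CN=John Smith/CN=proxy".
		 *
		 * Fall back to the default credential, but accept it only when
		 * its name compares equal to desiredName, so the fallback never
		 * hands out a credential for a different identity.
		 */
		majStat2 = gss_acquire_cred(&minStat2, GSS_C_NO_NAME,
		    GSS_C_INDEFINITE, GSS_C_NO_OID_SET, credUsage, &cred,
		    NULL, NULL);
		if (majStat2 == GSS_S_COMPLETE) {
			gss_name_t credName;

			if (gfarmGssNewCredentialName(&credName, cred,
			    NULL, NULL) > 0) {
				int equal;

				majStat3 = gss_compare_name(&minStat3,
				    desiredName, credName, &equal);
				if (majStat3 == GSS_S_COMPLETE && equal) {
					majStat = majStat2;
					minStat = minStat2;
				}
				gfarmGssDeleteName(&credName, NULL, NULL);
			}
			/* name mismatch or name unobtainable: drop fallback */
			if (majStat != GSS_S_COMPLETE) {
				gfarmGssDeleteCredential(&cred, NULL, NULL);
			}
		}
	}
#endif /* GFARM_FAKE_GSS_C_NT_USER_NAME_FOR_GLOBUS */

	/*
	 * Check validness.
	 */
	if (majStat == GSS_S_COMPLETE) {
		if (credNamePtr == NULL) {
			ret = 1;
		} else if (gfarmGssNewCredentialName(credNamePtr, cred,
		    &majStat, &minStat) > 0) {
			/* Only valid when the name is got. */
			ret = 1;
		}
		if (ret > 0 && credPtr != NULL) {
			*credPtr = cred;
		} else {
			/* not handed out (failure or no credPtr): release it */
			gfarmGssDeleteCredential(&cred, NULL, NULL);
		}
	}
	if (majStatPtr != NULL) {
		*majStatPtr = majStat;
	}
	if (minStatPtr != NULL) {
		*minStatPtr = minStat;
	}
	if (ret == -1) {
		gflog_debug(GFARM_MSG_1000790,
		    "failed to acquire credential (%u)(%u)",
		    majStat, minStat);
	}
	return ret;
}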
/*
 * Translate the result of a name-import call into this module's error
 * string convention.
 *
 * rv is the return value of the gfarmGssImportName*() /
 * gfarmGssNewCredentialName() call; e_major/e_minor are the GSS status it
 * produced.  Returns NULL when rv indicates success, otherwise logs the GSS
 * status (verbose mode only) and returns the error string.
 */
static char *
gfarm_gsi_cred_name_import_result(int rv, OM_uint32 e_major, OM_uint32 e_minor)
{
	if (rv >= 0)
		return (NULL);
	if (gflog_auth_get_verbose()) {
		gflog_error("gfarmGssImportName(): "
		    "invalid credential configuration:");
		gfarmGssPrintMajorStatus(e_major);
		gfarmGssPrintMinorStatus(e_minor);
	}
	return ("invalid credential configuration");
}

/*
 * Build the gss_name_t described by a credential configuration.
 *
 * type selects how `service', `name' and `hostname' are interpreted; each
 * type rejects the settings that do not apply to it.  On success *namep is
 * set (GSS_C_NO_NAME for "no-name") and NULL is returned; otherwise a static
 * error string is returned and *namep is not meaningful.
 *
 * GFARM_AUTH_CRED_TYPE_DEFAULT is expected to be handled by the caller as
 * GSS_C_NO_CREDENTIAL before this function is reached; reaching it here is
 * reported as an internal error.
 */
char *
gfarm_gsi_cred_config_convert_to_name(enum gfarm_auth_cred_type type,
	char *service, char *name, char *hostname, gss_name_t *namep)
{
	int rv;
	OM_uint32 e_major;
	OM_uint32 e_minor;
	gss_cred_id_t cred;

	switch (type) {
	case GFARM_AUTH_CRED_TYPE_DEFAULT:
		/* special. equivalent to GSS_C_NO_CREDENTIAL */
		if (name != NULL)
			return ("cred_type is not set, but cred_name is set");
		if (service != NULL)
			return ("cred_type is not set, but cred_service is set");
		return ("internal error: missing GSS_C_NO_CREDENTIAL check");

	case GFARM_AUTH_CRED_TYPE_NO_NAME:
		if (name != NULL)
			return ("cred_type is \"no-name\", "
			    "but cred_name is set");
		if (service != NULL)
			return ("cred_type is \"no-name\", "
			    "but cred_service is set");
		*namep = GSS_C_NO_NAME;
		return (NULL);

	case GFARM_AUTH_CRED_TYPE_MECHANISM_SPECIFIC:
		if (name == NULL)
			return ("cred_type is \"mechanism-specific\", "
			    "but cred_name is not set");
		if (service != NULL)
			return ("cred_type is \"mechanism-specific\", "
			    "but cred_service is set");
		rv = gfarmGssImportName(namep, name, strlen(name),
		    GSS_C_NO_OID, &e_major, &e_minor);
		return (gfarm_gsi_cred_name_import_result(rv, e_major, e_minor));

	case GFARM_AUTH_CRED_TYPE_HOST:
		/* the host name defaults to this host */
		if (name == NULL)
			name = hostname;
		rv = (service == NULL) ?
		    gfarmGssImportNameOfHost(namep, name, &e_major, &e_minor) :
		    gfarmGssImportNameOfHostBasedService(namep, service, name,
			&e_major, &e_minor);
		return (gfarm_gsi_cred_name_import_result(rv, e_major, e_minor));

	case GFARM_AUTH_CRED_TYPE_USER:
		if (service != NULL)
			return ("cred_type is \"user\", "
			    "but cred_service is set");
		/*
		 * XXX FIXME: `name' must be converted from global_username
		 * to local_username, but there is no such function for now.
		 */
		if (name == NULL)
			name = gfarm_get_local_username();
		rv = gfarmGssImportName(namep, name, strlen(name),
		    GSS_C_NT_USER_NAME, &e_major, &e_minor);
		return (gfarm_gsi_cred_name_import_result(rv, e_major, e_minor));

	case GFARM_AUTH_CRED_TYPE_SELF:
		/* special. there is no corresponding name_type in GSSAPI */
		if (name != NULL)
			return ("cred_type is \"self\", but cred_name is set");
		if (service != NULL)
			return ("cred_type is \"self\", "
			    "but cred_service is set");
		/* the name is taken from this process's own initiator credential */
		if (gfarmSecSessionGetInitiatorInitialCredential(&cred) < 0 ||
		    cred == GSS_C_NO_CREDENTIAL)
			return ("cred_type is \"self\", "
			    "but not initialized as an initiator");
		rv = gfarmGssNewCredentialName(namep, cred, &e_major, &e_minor);
		return (gfarm_gsi_cred_name_import_result(rv, e_major, e_minor));

	default:
		return ("internal error - invalid cred_type");
	}
}