static int auth_globus_assert(struct link *link, time_t stoptime)
{
int rc;
gss_cred_id_t credential = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t context = GSS_C_NO_CONTEXT;
OM_uint32 major, minor, flags = 0;
int token;
char *reason = NULL;
globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE);
if(use_delegated_credential && delegated_credential != GSS_C_NO_CREDENTIAL) {
debug(D_AUTH, "globus: using delegated credential");
credential = delegated_credential;
major = GSS_S_COMPLETE;
} else {
debug(D_AUTH, "globus: loading my credentials");
major = globus_gss_assist_acquire_cred(&minor, GSS_C_INITIATE, &credential);
}
if(major == GSS_S_COMPLETE) {
debug(D_AUTH, "globus: waiting for server to get ready");
if(auth_barrier(link, "yes\n", stoptime) == 0) {
debug(D_AUTH, "globus: authenticating with server");
major = globus_gss_assist_init_sec_context(&minor, credential, &context, "GSI-NO-TARGET", 0, &flags, &token, read_token, link, write_token, link);
if(major == GSS_S_COMPLETE) {
debug(D_AUTH, "globus: credentials accepted!");
gss_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
} else {
globus_gss_assist_display_status_str(&reason, "", major, minor, token);
debug(D_AUTH, "globus: credentials rejected: %s", reason ? reason : "unknown reason");
THROW_QUIET(EACCES);
}
} else {
debug(D_AUTH, "globus: server couldn't load credentials");
THROW_QUIET(EACCES);
}
} else {
debug(D_AUTH, "globus: couldn't load my credentials; did you grid-proxy-init?");
auth_barrier(link, "no\n", stoptime);
THROW_QUIET(EACCES);
}
rc = 0;
goto out;
out:
if(!use_delegated_credential) {
gss_release_cred(&major, &credential);
}
globus_module_deactivate(GLOBUS_GSI_GSS_ASSIST_MODULE);
free(reason);
return RCUNIX(rc);
}
static int auth_globus_accept(struct link *link, char **subject, time_t stoptime)
{
gss_cred_id_t credential = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t context = GSS_C_NO_CONTEXT;
OM_uint32 major, minor, flags = 0;
int token;
int success = 0;
globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE);
*subject = 0;
debug(D_AUTH, "globus: loading my credentials");
major = globus_gss_assist_acquire_cred(&minor, GSS_C_ACCEPT, &credential);
if(major == GSS_S_COMPLETE) {
debug(D_AUTH, "globus: waiting for client to get ready");
if(auth_barrier(link, "yes\n", stoptime) == 0) {
delegated_credential = GSS_C_NO_CREDENTIAL;
debug(D_AUTH, "globus: authenticating client");
major = globus_gss_assist_accept_sec_context(&minor, &context, credential, subject, &flags, 0, &token, &delegated_credential, read_token, link, write_token, link);
if(major == GSS_S_COMPLETE) {
debug(D_AUTH, "globus: accepted client %s", *subject);
if(delegated_credential != GSS_C_NO_CREDENTIAL) {
debug(D_AUTH, "globus: client delegated its credentials");
}
success = 1;
gss_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
} else {
char *reason;
globus_gss_assist_display_status_str(&reason, "", major, minor, token);
if(!reason)
reason = xxstrdup("unknown reason");
debug(D_AUTH, "globus: couldn't authenticate client: %s", reason);
if(reason)
free(reason);
}
} else {
debug(D_AUTH, "globus: client couldn't load credentials");
}
gss_release_cred(&major, &credential);
} else {
debug(D_AUTH, "globus: couldn't load my credentials: did you run grid-proxy-init?");
auth_barrier(link, "no\n", stoptime);
}
globus_module_deactivate(GLOBUS_GSI_GSS_ASSIST_MODULE);
return success;
}
void Condor_Auth_X509 :: print_log(OM_uint32 major_status,
OM_uint32 minor_status,
int token_stat,
const char * comment)
{
char* buffer;
char *tmp = (char *)malloc(strlen(comment)+1);
strcpy(tmp, comment);
globus_gss_assist_display_status_str(&buffer,
tmp,
major_status,
minor_status,
token_stat);
free(tmp);
if (buffer){
dprintf(D_ALWAYS,"%s\n",buffer);
free(buffer);
}
}
void internal_release_buffer(
gss_buffer_desc * buffer)
{
char * error_str = NULL;
OM_uint32 maj_stat, min_stat;
maj_stat = gss_release_buffer(&min_stat, (gss_buffer_t) buffer);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
exit(1);
}
}
/**
* Return a copy of the short description from the instance data
* @ingroup globus_gssapi_error_object
*
* @param error
* The error object to retrieve the data from.
* @return
* String containing the short description if it exists, NULL
* otherwise.
*/
static
char *
globus_l_error_gssapi_printable(
globus_object_t * error)
{
OM_uint32 minor_status;
OM_uint32 message_context;
gss_buffer_desc status_string_desc
= GSS_C_EMPTY_BUFFER;
gss_buffer_t status_string = &status_string_desc;
char * msg = NULL;
char * tmp;
int len = 0;
globus_l_gssapi_error_data_t * data;
data = (globus_l_gssapi_error_data_t *)
globus_object_get_local_instance_data(error);
if(data->is_globus_gsi)
{
message_context = 0;
do
{
if(gss_display_status(&minor_status,
data->major_status,
GSS_C_GSS_CODE,
GSS_C_NO_OID,
&message_context,
status_string) == GSS_S_COMPLETE)
{
if(status_string->length)
{
if(msg)
{
tmp = globus_realloc(
msg,
sizeof(char) * (len + status_string->length + 1));
}
else
{
tmp = globus_malloc(
sizeof(char) * (status_string->length + 1));
}
if(tmp)
{
memcpy(
tmp + len,
status_string->value,
status_string->length);
msg = tmp;
len += status_string->length;
}
}
gss_release_buffer(&minor_status, status_string);
}
} while(message_context != 0);
if(msg)
{
if(msg[len - 1] == '\n')
{
len--;
}
msg[len] = '\0';
}
}
else
{
globus_gss_assist_display_status_str(
&msg, NULL, data->major_status, data->minor_status, 0);
}
return msg;
}/* globus_l_error_gssapi_printable */
int main()
{
OM_uint32 init_maj_stat;
OM_uint32 accept_maj_stat;
OM_uint32 maj_stat;
OM_uint32 min_stat;
OM_uint32 ret_flags;
OM_uint32 req_flags = 0;
OM_uint32 time_rec;
gss_buffer_desc send_tok;
gss_buffer_desc recv_tok;
gss_buffer_desc * token_ptr;
gss_OID mech_type;
gss_name_t target_name;
gss_ctx_id_t init_context;
gss_ctx_id_t accept_context;
gss_ctx_id_t del_init_context;
gss_ctx_id_t del_accept_context;
gss_cred_id_t delegated_cred;
gss_cred_id_t imported_cred;
gss_cred_id_t cred_handle;
char * error_str;
int rc = EXIT_SUCCESS;
printf("1..1\n");
/* Initialize variables */
token_ptr = GSS_C_NO_BUFFER;
init_context = GSS_C_NO_CONTEXT;
accept_context = GSS_C_NO_CONTEXT;
del_init_context = GSS_C_NO_CONTEXT;
del_accept_context = GSS_C_NO_CONTEXT;
delegated_cred = GSS_C_NO_CREDENTIAL;
accept_maj_stat = GSS_S_CONTINUE_NEEDED;
ret_flags = 0;
req_flags |= GSS_C_GLOBUS_SSL_COMPATIBLE;
/* Activate Modules */
globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE);
globus_module_activate(GLOBUS_GSI_GSSAPI_MODULE);
maj_stat = gss_acquire_cred(&min_stat,
NULL,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_BOTH,
&cred_handle,
NULL,
NULL);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
/* get the subject name */
maj_stat = gss_inquire_cred(&min_stat,
cred_handle,
&target_name,
NULL,
NULL,
NULL);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
/* set up the first security context */
init_maj_stat = gss_init_sec_context(&min_stat,
cred_handle,
&init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
token_ptr,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
while(1)
{
accept_maj_stat=gss_accept_sec_context(&min_stat,
&accept_context,
GSS_C_NO_CREDENTIAL,
&send_tok,
GSS_C_NO_CHANNEL_BINDINGS,
NULL,
&mech_type,
&recv_tok,
&ret_flags,
/* ignore time_rec */
NULL,
NULL);
if(accept_maj_stat != GSS_S_COMPLETE &&
accept_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
else if(accept_maj_stat == GSS_S_COMPLETE)
{
break;
}
init_maj_stat = gss_init_sec_context(&min_stat,
GSS_C_NO_CREDENTIAL,
&init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
&recv_tok,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
}
printf("# %s:%d: Successfully established initial security context\n",
__FILE__,
__LINE__);
init_maj_stat = gss_init_delegation(&min_stat,
init_context,
cred_handle,
GSS_C_NO_OID,
GSS_C_NO_OID_SET,
GSS_C_NO_BUFFER_SET,
token_ptr,
req_flags,
0,
&send_tok);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
internal_release_buffer(&recv_tok);
maj_stat = gss_wrap(&min_stat,
init_context,
0,
GSS_C_QOP_DEFAULT,
&send_tok,
NULL,
&recv_tok);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
while(1)
{
internal_release_buffer(&send_tok);
maj_stat = gss_unwrap(&min_stat,
accept_context,
&recv_tok,
&send_tok,
NULL,
NULL);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
internal_release_buffer(&recv_tok);
accept_maj_stat=gss_accept_delegation(&min_stat,
accept_context,
GSS_C_NO_OID_SET,
GSS_C_NO_BUFFER_SET,
&send_tok,
req_flags,
0,
&time_rec,
&delegated_cred,
&mech_type,
&recv_tok);
if(accept_maj_stat != GSS_S_COMPLETE &&
accept_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
else if(accept_maj_stat == GSS_S_COMPLETE)
{
break;
}
internal_release_buffer(&send_tok);
maj_stat = gss_wrap(&min_stat,
accept_context,
0,
GSS_C_QOP_DEFAULT,
&recv_tok,
NULL,
&send_tok);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
internal_release_buffer(&recv_tok);
maj_stat = gss_unwrap(&min_stat,
init_context,
&send_tok,
&recv_tok,
NULL,
NULL);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
internal_release_buffer(&send_tok);
init_maj_stat = gss_init_delegation(&min_stat,
init_context,
cred_handle,
GSS_C_NO_OID,
GSS_C_NO_OID_SET,
GSS_C_NO_BUFFER_SET,
&recv_tok,
req_flags,
0,
&send_tok);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
internal_release_buffer(&recv_tok);
maj_stat = gss_wrap(&min_stat,
init_context,
0,
GSS_C_QOP_DEFAULT,
&send_tok,
NULL,
&recv_tok);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
}
printf("# %s:%d: Successfully delegated credential\n",
__FILE__,
__LINE__);
/* export and import the delegated credential */
/* this can be done both to a buffer and to a file */
/* New in GT 2.0 */
internal_release_buffer(&send_tok);
maj_stat = gss_export_cred(&min_stat,
delegated_cred,
GSS_C_NO_OID,
0,
&send_tok);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
maj_stat = gss_import_cred(&min_stat,
&imported_cred,
GSS_C_NO_OID,
0,
&send_tok,
0,
&time_rec);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
internal_release_buffer(&send_tok);
printf("# %s:%d: Successfully exported/imported the delegated credential\n",
__FILE__,
__LINE__);
/* set up another security context using the delegated credential */
init_maj_stat = gss_init_sec_context(&min_stat,
imported_cred,
&del_init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
token_ptr,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
while(1)
{
internal_release_buffer(&recv_tok);
accept_maj_stat=gss_accept_sec_context(&min_stat,
&del_accept_context,
imported_cred,
&send_tok,
GSS_C_NO_CHANNEL_BINDINGS,
&target_name,
&mech_type,
&recv_tok,
&ret_flags,
/* ignore time_rec */
NULL,
NULL);
if(accept_maj_stat != GSS_S_COMPLETE &&
accept_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
else if(accept_maj_stat == GSS_S_COMPLETE)
{
break;
}
init_maj_stat = gss_init_sec_context(&min_stat,
imported_cred,
&del_init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
&recv_tok,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
fprintf(stderr, "\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
globus_print_error((globus_result_t) min_stat);
rc = EXIT_FAILURE;
goto fail;
}
}
/* got sec context based on delegated cred now */
printf("# %s:%d: Successfully established security context with delegated credential\n",
__FILE__,
__LINE__);
fail:
printf("%s gssapi_delegation_compat_test\n",
(rc == EXIT_SUCCESS) ? "ok" : "not ok");
globus_module_deactivate_all();
exit(rc);
}
int main()
{
OM_uint32 init_maj_stat;
OM_uint32 accept_maj_stat;
OM_uint32 maj_stat;
OM_uint32 min_stat;
OM_uint32 ret_flags;
OM_uint32 time_rec;
gss_buffer_desc send_tok;
gss_buffer_desc recv_tok;
gss_buffer_desc * token_ptr;
gss_buffer_desc oid_buffer;
gss_buffer_set_desc oid_buffers;
gss_buffer_set_t inquire_buffers;
gss_OID name_type;
gss_OID mech_type;
gss_OID_set_desc oid_set;
gss_name_t target_name;
gss_ctx_id_t init_context;
gss_ctx_id_t accept_context;
gss_ctx_id_desc * init_context_handle;
gss_ctx_id_t del_init_context;
gss_ctx_id_t del_accept_context;
gss_cred_id_t delegated_cred;
gss_cred_id_t imported_cred;
gss_cred_id_t cred_handle;
char * subject =
"/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Samuel Meder";
char * error_str;
char * buf;
/* Initialize variables */
token_ptr = GSS_C_NO_BUFFER;
init_context = GSS_C_NO_CONTEXT;
accept_context = GSS_C_NO_CONTEXT;
del_init_context = GSS_C_NO_CONTEXT;
del_accept_context = GSS_C_NO_CONTEXT;
name_type = GSS_C_NT_USER_NAME;
delegated_cred = GSS_C_NO_CREDENTIAL;
accept_maj_stat = GSS_S_CONTINUE_NEEDED;
ret_flags = 0;
oid_buffer.value = malloc(EXT_SIZE);
oid_buffer.length = EXT_SIZE;
buf = (char *) oid_buffer.value;
memset(buf,'A',EXT_SIZE);
buf[EXT_SIZE-1]='\0';
oid_buffers.count = 1;
oid_buffers.elements = &oid_buffer;
oid_set.count = 1;
oid_set.elements = gss_restrictions_extension;
send_tok.value = subject;
send_tok.length = strlen(subject) + 1;
/* acquire the credential */
maj_stat = gss_acquire_cred(&min_stat,
NULL,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_BOTH,
&cred_handle,
NULL,
NULL);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
/* import the subject name */
maj_stat = gss_import_name(&min_stat,
&send_tok,
name_type,
&target_name);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
/* set up the first security context */
init_maj_stat = gss_init_sec_context(&min_stat,
cred_handle,
&init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
token_ptr,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
while(1)
{
accept_maj_stat=gss_accept_sec_context(&min_stat,
&accept_context,
GSS_C_NO_CREDENTIAL,
&send_tok,
GSS_C_NO_CHANNEL_BINDINGS,
NULL,
&mech_type,
&recv_tok,
&ret_flags,
/* ignore time_rec */
NULL,
GSS_C_NO_CREDENTIAL);
if(accept_maj_stat != GSS_S_COMPLETE &&
accept_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
else if(accept_maj_stat == GSS_S_COMPLETE)
{
break;
}
init_maj_stat = gss_init_sec_context(&min_stat,
GSS_C_NO_CREDENTIAL,
&init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
&recv_tok,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
}
printf("%s:%d: Successfully established initial security context\n",
__FILE__,
__LINE__);
/* delegate our credential over the initial security context and
* insert a restriction extension into the delegated credential.
* This is a post GT 2.0 feature.
*/
init_maj_stat = gss_init_delegation(&min_stat,
init_context,
cred_handle,
GSS_C_NO_OID,
&oid_set,
&oid_buffers,
token_ptr,
0,
&send_tok);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
while(1)
{
accept_maj_stat=gss_accept_delegation(&min_stat,
accept_context,
GSS_C_NO_OID_SET,
GSS_C_NO_BUFFER_SET,
&send_tok,
0,
&time_rec,
&delegated_cred,
&mech_type,
&recv_tok);
if(accept_maj_stat != GSS_S_COMPLETE &&
accept_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
else if(accept_maj_stat == GSS_S_COMPLETE)
{
break;
}
init_maj_stat = gss_init_delegation(&min_stat,
init_context,
cred_handle,
GSS_C_NO_OID,
&oid_set,
&oid_buffers,
&recv_tok,
0,
&send_tok);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
}
printf("%s:%d: Successfully delegated credential\n",
__FILE__,
__LINE__);
/* export and import the delegated credential */
/* this can be done both to a buffer and to a file */
/* New in GT 2.0 */
maj_stat = gss_export_cred(&min_stat,
delegated_cred,
GSS_C_NO_OID,
0,
&send_tok);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
maj_stat = gss_import_cred(&min_stat,
&imported_cred,
GSS_C_NO_OID,
0,
&send_tok,
0,
&time_rec);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
printf("%s:%d: Successfully exported/imported the delegated credential\n",
__FILE__,
__LINE__);
free(oid_buffer.value);
oid_buffer.value = (void *) &oid_set;
oid_buffer.length = 1;
/* Tell the GSS that we will handle restriction extensions */
/* This is a post GT 2.0 feature */
maj_stat = gss_set_sec_context_option(
&min_stat,
&del_init_context,
(gss_OID) GSS_APPLICATION_WILL_HANDLE_EXTENSIONS,
&oid_buffer);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
maj_stat = gss_set_sec_context_option(
&min_stat,
&del_accept_context,
(gss_OID) GSS_APPLICATION_WILL_HANDLE_EXTENSIONS,
&oid_buffer);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
/* set up another security context using the delegated credential */
init_maj_stat = gss_init_sec_context(&min_stat,
imported_cred,
&del_init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
token_ptr,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
while(1)
{
accept_maj_stat=gss_accept_sec_context(&min_stat,
&del_accept_context,
imported_cred,
&send_tok,
GSS_C_NO_CHANNEL_BINDINGS,
&target_name,
&mech_type,
&recv_tok,
&ret_flags,
/* ignore time_rec */
NULL,
GSS_C_NO_CREDENTIAL);
if(accept_maj_stat != GSS_S_COMPLETE &&
accept_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
else if(accept_maj_stat == GSS_S_COMPLETE)
{
break;
}
init_maj_stat = gss_init_sec_context(&min_stat,
imported_cred,
&del_init_context,
target_name,
GSS_C_NULL_OID,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
&recv_tok,
NULL,
&send_tok,
NULL,
NULL);
if(init_maj_stat != GSS_S_COMPLETE &&
init_maj_stat != GSS_S_CONTINUE_NEEDED)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
}
/* got sec context based on delegated cred now */
printf("%s:%d: Successfully established security context with delegated credential\n",
__FILE__,
__LINE__);
/* Extract and print the restrictions extension from the security
* context.
* This is a post GT 2.0 feature.
*/
maj_stat = gss_inquire_sec_context_by_oid(&min_stat,
del_accept_context,
gss_restrictions_extension,
&inquire_buffers);
if(maj_stat != GSS_S_COMPLETE)
{
globus_gss_assist_display_status_str(&error_str,
NULL,
init_maj_stat,
min_stat,
0);
printf("\nLINE %d ERROR: %s\n\n", __LINE__, error_str);
exit(1);
}
printf("%s:%d: Security context contains restriction extension %s\n",
__FILE__,
__LINE__,
(char *) inquire_buffers->elements[0].value);
}
/**
* Initialize GSI Authentication.
* This method asks the server for authentication.
* @param sock the socket descriptot
* @return true on success, false otherwise.
*/
bool GSISocketClient::InitGSIAuthentication(int sock)
{
OM_uint32 major_status = 0;
OM_uint32 minor_status = 0;
gss_cred_id_t credential = GSS_C_NO_CREDENTIAL;
OM_uint32 req_flags = 0;
OM_uint32 ret_flags = 0;
int token_status = 0;
bool return_status = false;
gss_name_t targ_name;
gss_buffer_desc name_buffer;
char service[1024];
//acquire our credentials
major_status = globus_gss_assist_acquire_cred(&minor_status,
GSS_C_BOTH,
&credential);
if(major_status != GSS_S_COMPLETE)
{
char buf[32];
std::string msg(FAILED_ACQ_CRED);
sprintf(buf, "%d", port);
msg.append(host + ":" + std::string(buf));
char *gssmsg = NULL;
globus_gss_assist_display_status_str( &gssmsg,
NULL,
major_status,
minor_status,
token_status);
std::string source(gssmsg);
free(gssmsg);
return false;
}
//Request that remote peer authenticate tself
req_flags = GSS_C_MUTUAL_FLAG;
if(_delegate_credentials)
{
req_flags |= GSS_C_DELEG_FLAG;
}
snprintf(service, sizeof(service), "host@%s", host.c_str());
//initialize the security context
// credential has to be fill in beforehand
std::pair<int,int> arg(sock, m_auth_timeout);
major_status =
globus_gss_assist_init_sec_context(&minor_status,
credential,
&gss_context,
_server_contact.empty() ? service :(char*) _server_contact.c_str(),
req_flags,
&ret_flags,
&token_status,
get_token,
(void *) &arg,
send_token,
(void *) &arg);
gss_release_cred(&minor_status, &credential);
if(major_status != GSS_S_COMPLETE)
{
char *gssmsg = NULL;
globus_gss_assist_display_status_str(&gssmsg,
NULL,
major_status,
minor_status,
token_status);
if(gss_context != GSS_C_NO_CONTEXT)
{
gss_delete_sec_context(&minor_status, &gss_context, GSS_C_NO_BUFFER);
}
std::string source(gssmsg);
free(gssmsg);
return_status = false;
}
else
{
major_status = gss_inquire_context(&minor_status,
gss_context,
NULL,
&targ_name,
NULL,
NULL,
NULL,
NULL,
NULL);
return_status = (major_status == GSS_S_COMPLETE);
major_status = gss_display_name(&minor_status, targ_name, &name_buffer, NULL);
gss_release_name(&minor_status, &targ_name);
}
if (return_status == false && gss_context != GSS_C_NO_CONTEXT)
{
gss_delete_sec_context(&minor_status, &gss_context, GSS_C_NO_BUFFER);
}
if (return_status == false)
{
char *gssmsg = NULL;
globus_gss_assist_display_status_str( &gssmsg,
NULL,
major_status,
minor_status,
token_status);
std::string source(gssmsg);
free(gssmsg);
}
return return_status;
}
