int Condor_Auth_Kerberos :: map_domain_name(const char * domain) { if (RealmMap == 0) { init_realm_mapping(); // it's okay if it returns false } // two cases, if domain is the same as the current uid domain, // then we are okay, other wise, see if we have a map if (RealmMap) { MyString from(domain), to; if (RealmMap->lookup(from, to) != -1) { if (IsFulldebug(D_SECURITY)) { dprintf (D_SECURITY, "KERBEROS: mapping realm %s to domain %s.\n", from.Value(), to.Value()); } setRemoteDomain(to.Value()); return TRUE; } else { // if the map exists, they must be listed. and they're NOT! return FALSE; } } // if there is no map, we just allow realm -> domain. if (IsDebugVerbose(D_SECURITY)) { dprintf (D_SECURITY, "KERBEROS: mapping realm %s to domain %s.\n", domain, domain); setRemoteDomain(domain); } return TRUE; }
int Condor_Auth_X509::nameGssToLocal(const char * GSSClientname) { //this might need to change with SSLK5 stuff //just extract username from /CN=<username>@<domain,etc> OM_uint32 major_status; char *tmp_user = NULL; char local_user[USER_NAME_MAX]; // windows gsi does not currently include this function. we use it on // unix, but implement our own on windows for now. #ifdef WIN32 major_status = condor_gss_assist_gridmap(GSSClientname, &tmp_user); #else // Switched the unix map function to _map_and_authorize, which allows access // to the Globus callout infrastructure. char condor_str[] = "condor"; major_status = globus_gss_assist_map_and_authorize( context_handle, condor_str, // Requested service name NULL, // Requested user name; NULL for non-specified local_user, USER_NAME_MAX-1); // Leave one space at end of buffer, just-in-case // Defensive programming: to protect against buffer overruns in the // unknown globus mapping module, make sure we are at least nul-term'd local_user[USER_NAME_MAX-1] = '\0'; #endif if (tmp_user) { strcpy( local_user, tmp_user ); free(tmp_user); tmp_user = NULL; } if ( major_status != GSS_S_COMPLETE) { setRemoteUser("gsi"); setRemoteDomain( UNMAPPED_DOMAIN ); return 0; } MyString user; MyString domain; Authentication::split_canonical_name( local_user, user, domain ); setRemoteUser (user.Value()); setRemoteDomain(domain.Value()); setAuthenticatedName(GSSClientname); return 1; }
int Condor_Auth_Passwd::authenticate(const char * /* remoteHost */, CondorError* /* errstack */ ) { int client_status = AUTH_PW_A_OK; int server_status = AUTH_PW_A_OK; int ret_value = -1; struct msg_t_buf t_client; struct msg_t_buf t_server; // In order to create the shared keys used by the client and // the server in this protocol, we take a single shared secret // and hmac it twice with two different keys. The original // password buffer and the two generated keys are stored in // the sk_buf structure. struct sk_buf sk; int tmp_rv; // Initialize these structures (with NULLs) init_t_buf(&t_client); init_t_buf(&t_server); init_sk(&sk); dprintf(D_SECURITY, "PW.\n"); if ( mySock_->isClient() ) { // ** client side authentication ** // Get my name, password and setup the shared keys based // on this data. The server will do the same when it // learns my name. dprintf(D_SECURITY, "PW: getting name.\n"); t_client.a = fetchLogin(); // We complete the entire protocol even if there's an // error, but there's no point trying to actually do any // work. This is protocol step (a). dprintf(D_SECURITY, "PW: Generating ra.\n"); if(client_status == AUTH_PW_A_OK) { t_client.ra = Condor_Crypt_Base::randomKey(AUTH_PW_KEY_LEN); if(!t_client.ra) { dprintf(D_SECURITY, "Malloc error in random key?\n"); client_status = AUTH_PW_ERROR; } } // This differs from the protocol description in the book // only that the client also sends its name "A". The // protocol doesn't mention how the peers know who they're // talking to. This is also protocol step (a). dprintf(D_SECURITY, "PW: Client sending.\n"); client_status = client_send_one(client_status, &t_client); if(client_status == AUTH_PW_ABORT) { goto client_abort; } // This is protocol step (b). dprintf(D_SECURITY, "PW: Client receiving.\n"); server_status = client_receive(&client_status, &t_server); if(client_status == AUTH_PW_ABORT) { goto client_abort; } // Now that we've received the server's name, we can go // ahead and setup the keys. if(client_status == AUTH_PW_A_OK && server_status == AUTH_PW_A_OK) { sk.shared_key = fetchPassword(t_client.a, t_server.b); dprintf(D_SECURITY, "PW: Client setting keys.\n"); if(!setup_shared_keys(&sk)) { client_status = AUTH_PW_ERROR; } } // This is protocol step (c). if(client_status == AUTH_PW_A_OK && server_status == AUTH_PW_A_OK) { dprintf(D_SECURITY, "PW: Client checking T.\n"); client_status = client_check_t_validity(&t_client, &t_server, &sk); } // Are we copying the data into the t_client struct? // This is protocol step (d). Server does (e). dprintf(D_SECURITY, "PW: CLient sending two.\n"); client_status = client_send_two(client_status, &t_client, &sk); if(client_status == AUTH_PW_ABORT) { goto client_abort; } client_abort: // This is protocol step (f). if(client_status == AUTH_PW_A_OK && server_status == AUTH_PW_A_OK && set_session_key(&t_client, &sk)) { dprintf(D_SECURITY, "PW: CLient set session key.\n"); ret_value = 1; } else { ret_value = 0; } } else { // ** server side authentication ** // First we get the client's name and ra, protocol step // (a). dprintf(D_SECURITY, "PW: Server receiving 1.\n"); client_status = server_receive_one(&server_status, &t_client); if(client_status == AUTH_PW_ABORT || server_status == AUTH_PW_ABORT) { goto server_abort; } // Then we do the key setup, and generate the random string. if(client_status == AUTH_PW_A_OK && server_status == AUTH_PW_A_OK) { t_server.b = fetchLogin(); dprintf(D_SECURITY, "PW: Server fetching password.\n"); sk.shared_key = fetchPassword(t_client.a, t_server.b); if(!setup_shared_keys(&sk)) { server_status = AUTH_PW_ERROR; } else { dprintf(D_SECURITY, "PW: Server generating rb.\n"); //server_status = server_gen_rand_rb(&t_server); t_server.rb = Condor_Crypt_Base::randomKey(AUTH_PW_KEY_LEN); if(t_client.a) { t_server.a = strdup(t_client.a); } else { t_server.a = NULL; } t_server.ra = (unsigned char *)malloc(AUTH_PW_KEY_LEN); if(!t_server.ra || !t_server.rb) { dprintf(D_SECURITY, "Malloc error 1.\n"); server_status = AUTH_PW_ERROR; } else { memcpy(t_server.ra, t_client.ra, AUTH_PW_KEY_LEN); } } } // Protocol message (2), step (b). dprintf(D_SECURITY, "PW: Server sending.\n"); tmp_rv = server_send(server_status, &t_server, &sk); if(server_status == AUTH_PW_A_OK) { server_status = tmp_rv; } if(server_status == AUTH_PW_ABORT) { goto server_abort; } // Protocol step (d) dprintf(D_SECURITY, "PW: Server receiving 2.\n"); if(t_server.a) { t_client.a = strdup(t_server.a); } else { t_client.a = NULL; } if(server_status == AUTH_PW_A_OK) { t_client.rb = (unsigned char *)malloc(AUTH_PW_KEY_LEN); if(!t_client.rb) { dprintf(D_SECURITY, "Malloc_error.\n"); server_status = AUTH_PW_ERROR; } else { memcpy(t_client.rb, t_server.rb, AUTH_PW_KEY_LEN); } } else { t_client.rb = NULL; } client_status = server_receive_two(&server_status, &t_client); if(server_status == AUTH_PW_A_OK && client_status == AUTH_PW_A_OK) { // Protocol step (e) dprintf(D_SECURITY, "PW: Server checking hk.\n"); server_status = server_check_hk_validity(&t_client, &t_server, &sk); } server_abort: // protocol step (f) if(client_status == AUTH_PW_A_OK && server_status == AUTH_PW_A_OK && set_session_key(&t_server, &sk)) { dprintf(D_SECURITY, "PW: Server set session key.\n"); ret_value = 1; } else { ret_value = 0; } } //ret_value is 1 for success, 0 for failure. if ( ret_value == 1 ) { // if all is good, set the remote user and domain names char *login, *domain; if ( mySock_->isClient() ) { login = t_server.b; // server is remote to client } else { login = t_client.a; // client is remote to server } ASSERT(login); domain = strchr(login,'@'); if (domain) { *domain='\0'; domain++; } setRemoteUser(login); setRemoteDomain(domain); } destroy_t_buf(&t_client); destroy_t_buf(&t_server); destroy_sk(&sk); //return 1 for success, 0 for failure. Server should send //sucess/failure back to client so client can know what to //return. return ret_value; }
int Condor_Auth_Claim :: authenticate(const char * /* remoteHost */, CondorError* /* errstack */, bool /*non_blocking*/) { const char * pszFunction = "Condor_Auth_Claim :: authenticate"; int retval = 0; int fail = 0; if ( mySock_->isClient() ) { MyString myUser; bool error_getting_name = false; // get our user name in condor priv // (which is what we want to use for daemons. for // tools and daemons not started as root, this will // just give us the username that we were invoked // as, which is also what we want) priv_state priv = set_condor_priv(); char* tmpOwner = NULL; char* tmpSwitchUser = param("SEC_CLAIMTOBE_USER"); if(tmpSwitchUser) { tmpOwner = tmpSwitchUser; dprintf(D_ALWAYS, "SEC_CLAIMTOBE_USER to %s!\n", tmpSwitchUser); } else { tmpOwner = my_username(); } // remove temptation to use this variable to see if we were // specifying the claim to be user tmpSwitchUser = NULL; set_priv(priv); if ( !tmpOwner ) { //send 0 if (!mySock_->code( retval )) { dprintf(D_SECURITY, "Protocol failure at %s, %d!\n", pszFunction, __LINE__); return fail; } error_getting_name = true; } else { myUser = tmpOwner; free(tmpOwner); // check SEC_CLAIMTOBE_INCLUDE_DOMAIN. this knob exists (and defaults // to false) to provide backwards compatibility. it will be removed // completely in the development (6.9) series if (param_boolean("SEC_CLAIMTOBE_INCLUDE_DOMAIN", false)) { char* tmpDomain = param("UID_DOMAIN"); if ( !tmpDomain ) { //send 0 if (!mySock_->code( retval )) { dprintf(D_SECURITY, "Protocol failure at %s, %d!\n", pszFunction, __LINE__); return fail; } error_getting_name = true; } else { myUser += "@"; myUser += tmpDomain; free(tmpDomain); } } } if (!error_getting_name) { //send 1 and then our username mySock_->encode(); retval = 1; char* tmpUser = strdup(myUser.Value()); ASSERT(tmpUser); if (!mySock_->code( retval ) || !mySock_->code( tmpUser )) { free(tmpUser); dprintf(D_SECURITY, "Protocol failure at %s, %d!\n", pszFunction, __LINE__); return fail; } //setRemoteUser(tmpUser); // <-- IS THIS NEEDED???? free(tmpUser); if (!mySock_->end_of_message()) { dprintf(D_SECURITY, "Protocol failure at %s, %d!\n", pszFunction, __LINE__); return fail; } mySock_->decode(); if (!mySock_->code( retval )) { dprintf(D_SECURITY, "Protocol failure at %s, %d!\n", pszFunction, __LINE__); return fail; } } } else { //server side mySock_->decode(); if (!mySock_->code( retval )) { dprintf(D_SECURITY, "Protocol failure at %s, %d!\n", pszFunction, __LINE__); return fail; } //if 1, receive user and send back ok if( retval == 1 ) { char* tmpUser = NULL; if (!mySock_->code( tmpUser ) || !mySock_->end_of_message()) { dprintf(D_SECURITY, "Protocol failure at %s, %d!\n", pszFunction, __LINE__); if (tmpUser != NULL) { free(tmpUser); } return fail; } if( tmpUser ) { MyString myUser = tmpUser; // check SEC_CLAIMTOBE_INCLUDE_DOMAIN. this knob exists (and defaults // to false) to provide backwards compatibility. it will be removed // completely in the development (6.9) series if (param_boolean("SEC_CLAIMTOBE_INCLUDE_DOMAIN", false)) { // look for an '@' char in the name we received. // if present (newer clients), set the domain using // the given component. if not present (older clients), // use UID_DOMAIN from our config char* tmpDomain = NULL; char* at = strchr(tmpUser, '@'); if ( at ) { *at = '\0'; if (*(at + 1) != '\0') { tmpDomain = strdup(at + 1); } } if (!tmpDomain) { tmpDomain = param("UID_DOMAIN"); } ASSERT(tmpDomain); setRemoteDomain(tmpDomain); myUser.formatstr("%s@%s", tmpUser, tmpDomain); free(tmpDomain); } setRemoteUser(tmpUser); setAuthenticatedName(myUser.Value()); free(tmpUser); retval = 1; } else { // tmpUser is NULL; failure retval = 0; } mySock_->encode(); if (!mySock_->code( retval )) { dprintf(D_SECURITY, "Protocol failure at %s, %d!\n", pszFunction, __LINE__); return fail; } } } if (!mySock_->end_of_message()) { dprintf(D_SECURITY, "Protocol failure at %s, %d!\n", pszFunction, __LINE__); return fail; } return retval; }
int Condor_Auth_X509::authenticate_server_gss(CondorError* errstack) { char * GSSClientname; int status = 0; OM_uint32 major_status = 0; OM_uint32 minor_status = 0; priv_state priv; priv = set_root_priv(); major_status = globus_gss_assist_accept_sec_context(&minor_status, &context_handle, credential_handle, &GSSClientname, &ret_flags, NULL, /* don't need user_to_user */ &token_status, NULL, /* don't delegate credential */ relisock_gsi_get, (void *) mySock_, relisock_gsi_put, (void *) mySock_ ); set_priv(priv); if ( (major_status != GSS_S_COMPLETE)) { if (major_status == 655360) { errstack->pushf("GSI", GSI_ERR_AUTHENTICATION_FAILED, "COMMON Failed to authenticate (%u:%u)", (unsigned)major_status, (unsigned)minor_status); } else { errstack->pushf("GSI", GSI_ERR_AUTHENTICATION_FAILED, "Failed to authenticate. Globus is reporting error (%u:%u)", (unsigned)major_status, (unsigned)minor_status); } print_log(major_status,minor_status,token_status, "Condor GSI authentication failure" ); } else { // store the raw subject name for later mapping setAuthenticatedName(GSSClientname); setRemoteUser("gsi"); setRemoteDomain( UNMAPPED_DOMAIN ); if (param_boolean("USE_VOMS_ATTRIBUTES", true)) { // get the voms attributes from the peer globus_gsi_cred_handle_t peer_cred = context_handle->peer_cred_handle->cred_handle; char * voms_fqan = NULL; int voms_err = extract_VOMS_info(peer_cred, 1, NULL, NULL, &voms_fqan); if (!voms_err) { setFQAN(voms_fqan); free(voms_fqan); } else { // complain! dprintf(D_SECURITY, "ZKM: VOMS FQAN not present (error %i), ignoring.\n", voms_err); } } // XXX FIXME ZKM // i am making failure to be mapped a non-fatal error at this point. status = 1; mySock_->encode(); if (!mySock_->code(status) || !mySock_->end_of_message()) { errstack->push("GSI", GSI_ERR_COMMUNICATIONS_ERROR, "Failed to authenticate with client. Unable to send status"); dprintf(D_SECURITY, "Unable to send final confirmation\n"); status = 0; } if (status != 0) { // Now, see if client likes me or not mySock_->decode(); if (!mySock_->code(status) || !mySock_->end_of_message()) { errstack->push("GSI", GSI_ERR_COMMUNICATIONS_ERROR, "Failed to authenticate with client. Unable to receive status"); dprintf(D_SECURITY, "Unable to receive client confirmation.\n"); status = 0; } else { if (status == 0) { errstack->push("GSI", GSI_ERR_COMMUNICATIONS_ERROR, "Failed to authenticate with client. Client does not trust our certificate. " "You may want to check the GSI_DAEMON_NAME in the condor_config"); dprintf(D_SECURITY, "Client rejected my certificate. Please check the GSI_DAEMON_NAME parameter in Condor's config file.\n"); } } } if (GSSClientname) { free(GSSClientname); } } return (status == 0) ? FALSE : TRUE; }
int Condor_Auth_X509::authenticate_client_gss(CondorError* errstack) { OM_uint32 major_status = 0; OM_uint32 minor_status = 0; int status = 0; priv_state priv = PRIV_UNKNOWN; if (isDaemon()) { priv = set_root_priv(); } char target_str[] = "GSI-NO-TARGET"; major_status = globus_gss_assist_init_sec_context(&minor_status, credential_handle, &context_handle, target_str, GSS_C_MUTUAL_FLAG, &ret_flags, &token_status, relisock_gsi_get, (void *) mySock_, relisock_gsi_put, (void *) mySock_ ); if (isDaemon()) { set_priv(priv); } if (major_status != GSS_S_COMPLETE) { if (major_status == 655360 && minor_status == 6) { errstack->pushf("GSI", GSI_ERR_AUTHENTICATION_FAILED, "Failed to authenticate. Globus is reporting error (%u:%u). " "This indicates that it was unable to find the issuer " "certificate for your credential", (unsigned)major_status, (unsigned)minor_status); } else if (major_status == 655360 && minor_status == 9) { errstack->pushf("GSI", GSI_ERR_AUTHENTICATION_FAILED, "Failed to authenticate. Globus is reporting error (%u:%u). " "This indicates that it was unable to verify the server's " "credential", (unsigned)major_status, (unsigned)minor_status); } else if (major_status == 655360 && minor_status == 11) { errstack->pushf("GSI", GSI_ERR_AUTHENTICATION_FAILED, "Failed to authenticate. Globus is reporting error (%u:%u). " "This indicates that it was unable verify the server's " "credentials because a signing policy file was not found or " "could not be read.", (unsigned)major_status, (unsigned)minor_status); } else { errstack->pushf("GSI", GSI_ERR_AUTHENTICATION_FAILED, "Failed to authenticate. Globus is reporting error (%u:%u)", (unsigned)major_status, (unsigned)minor_status); } print_log(major_status,minor_status,token_status, "Condor GSI authentication failure"); // Following four lines of code is added to temporarily // resolve a bug (I belive so) in Globus's GSI code. // basically, if client calls init_sec_context with // mutual authentication and it returns with a mismatched // target principal, init_sec_context will return without // sending the server any token. The sever, therefore, // hangs on waiting for the token (or until the timeout // occurs). This code will force the server to break out // the loop. status = 0; mySock_->encode(); mySock_->code(status); mySock_->end_of_message(); } else { // Now, wait for final signal mySock_->decode(); if (!mySock_->code(status) || !mySock_->end_of_message()) { errstack->push("GSI", GSI_ERR_COMMUNICATIONS_ERROR, "Failed to authenticate with server. Unable to receive server status"); dprintf(D_SECURITY, "Unable to receive final confirmation for GSI Authentication!\n"); } if (status == 0) { errstack->push("GSI", GSI_ERR_AUTHENTICATION_FAILED, "Failed to get authorization from server. Either the server " "does not trust your certificate, or you are not in the server's " "authorization file (grid-mapfile)"); dprintf(D_SECURITY, "Server is unable to authorize my user name. Check the GRIDMAP file on the server side.\n"); goto clear; } char * server = get_server_info(); // store the raw subject name for later mapping setAuthenticatedName(server); // Default to user name "gsi@unmapped". // Later on, if configured, we will invoke the callout in nameGssToLocal. setRemoteUser("gsi"); setRemoteDomain( UNMAPPED_DOMAIN ); // extract and store VOMS attributes if (param_boolean("USE_VOMS_ATTRIBUTES", true)) { // get the voms attributes from the peer globus_gsi_cred_handle_t peer_cred = context_handle->peer_cred_handle->cred_handle; char * voms_fqan = NULL; int voms_err = extract_VOMS_info(peer_cred, 1, NULL, NULL, &voms_fqan); if (!voms_err) { setFQAN(voms_fqan); free(voms_fqan); } else { // complain! dprintf(D_SECURITY, "ZKM: VOMS FQAN not present (error %i), ignoring.\n", voms_err); } } std::string fqh = get_full_hostname(mySock_->peer_addr()); StringList * daemonNames = getDaemonList("GSI_DAEMON_NAME",fqh.c_str()); // Now, let's see if the name is in the list, I am not using // anycase here, so if the host name and what we are looking for // are in different cases, then we will run into problems. if( daemonNames ) { status = daemonNames->contains_withwildcard(server) == TRUE? 1 : 0; if( !status ) { errstack->pushf("GSI", GSI_ERR_UNAUTHORIZED_SERVER, "Failed to authenticate because the subject '%s' is not currently trusted by you. " "If it should be, add it to GSI_DAEMON_NAME or undefine GSI_DAEMON_NAME.", server); dprintf(D_SECURITY, "GSI_DAEMON_NAME is defined and the server %s is not specified in the GSI_DAEMON_NAME parameter\n", server); } } else { status = CheckServerName(fqh.c_str(),mySock_->peer_ip_str(),mySock_,errstack); } if (status) { dprintf(D_SECURITY, "valid GSS connection established to %s\n", server); } mySock_->encode(); if (!mySock_->code(status) || !mySock_->end_of_message()) { errstack->push("GSI", GSI_ERR_COMMUNICATIONS_ERROR, "Failed to authenticate with server. Unable to send status"); dprintf(D_SECURITY, "Unable to mutually authenticate with server!\n"); status = 0; } delete [] server; delete daemonNames; } clear: return (status == 0) ? FALSE : TRUE; }
int Condor_Auth_X509::nameGssToLocal(const char * GSSClientname) { //this might need to change with SSLK5 stuff //just extract username from /CN=<username>@<domain,etc> OM_uint32 major_status = GSS_S_COMPLETE; char *tmp_user = NULL; char local_user[USER_NAME_MAX]; // windows gsi does not currently include this function. we use it on // unix, but implement our own on windows for now. #ifdef WIN32 major_status = condor_gss_assist_gridmap(GSSClientname, &tmp_user); #else // Switched the unix map function to _map_and_authorize, which allows access // to the Globus callout infrastructure. if (m_mapping == NULL) { // Size of hash table is purposely initialized small to prevent this // from hogging memory. This will, of course, grow at large sites. m_mapping = new GlobusMappingTable(53, hashFuncString, updateDuplicateKeys); } const char *auth_name_to_map; const char *fqan = getFQAN(); if (fqan && fqan[0]) { auth_name_to_map = fqan; } else { auth_name_to_map = GSSClientname; } globus_mapping_entry_ptr value; time_t now = 0; time_t gsi_cache_expiry = param_integer("GSS_ASSIST_GRIDMAP_CACHE_EXPIRATION", 0); if (gsi_cache_expiry && (m_mapping->lookup(auth_name_to_map, value) == 0)) { now = time(NULL); if (now < value->expiry_time) { dprintf(D_SECURITY, "Using Globus mapping result from the cache.\n"); if (value->name.size()) { tmp_user = strdup(value->name.c_str()); } else { major_status = GSS_S_FAILURE; } } } if ((tmp_user == NULL) && (major_status == GSS_S_COMPLETE)) { char condor_str[] = "condor"; major_status = globus_gss_assist_map_and_authorize( context_handle, condor_str, // Requested service name NULL, // Requested user name; NULL for non-specified local_user, USER_NAME_MAX-1); // Leave one space at end of buffer, just-in-case // Defensive programming: to protect against buffer overruns in the // unknown globus mapping module, make sure we are at least nul-term'd local_user[USER_NAME_MAX-1] = '\0'; // More defensive programming: There is a bug in LCMAPS, (which is possibly // called by a globus callout) that sometimes returns with the euid set to // root (!?!). As a safeguard, We check for that here and return to the // condor euid. This is done "outside" of the condor priv stack since this // is essentially undoing a side effect of the library call, not // intentionally changing priv state. if (geteuid() == 0) { dprintf(D_ALWAYS, "WARNING: globus returned with euid 0\n"); // attempt to undo if (seteuid(get_condor_uid())) { // complain loudly, but continue dprintf(D_ALWAYS, "ERROR: something has gone terribly wrong: errno %i\n", errno); } } if (now == 0) { now = time(NULL); } value.reset(new globus_mapping_entry_t); value->expiry_time = now + gsi_cache_expiry; // The special name of "" indicates failed mapping. if (major_status == GSS_S_COMPLETE) { value->name = local_user; } m_mapping->insert(auth_name_to_map, value); } #endif if (tmp_user) { strcpy( local_user, tmp_user ); free(tmp_user); tmp_user = NULL; } if ( major_status != GSS_S_COMPLETE) { setRemoteUser("gsi"); setRemoteDomain( UNMAPPED_DOMAIN ); return 0; } MyString user; MyString domain; Authentication::split_canonical_name( local_user, user, domain ); setRemoteUser (user.Value()); setRemoteDomain(domain.Value()); setAuthenticatedName(GSSClientname); return 1; }
Condor_Auth_X509::CondorAuthX509Retval Condor_Auth_X509::authenticate_server_gss(CondorError* errstack, bool non_blocking) { OM_uint32 major_status = GSS_S_COMPLETE; OM_uint32 minor_status = 0; OM_uint32 time_req; gss_buffer_desc output_token_desc = GSS_C_EMPTY_BUFFER; gss_buffer_t output_token = &output_token_desc; gss_buffer_desc input_token_desc; gss_buffer_t input_token; if ( !m_globusActivated ) { errstack->push("GSI", GSI_ERR_AUTHENTICATION_FAILED, "Failed to load Globus libraries."); return Fail; } m_state = GSSAuth; do { if (non_blocking && !mySock_->readReady()) { dprintf(D_NETWORK, "Returning to DC as read would block.\n"); return WouldBlock; } input_token_desc.length = 0; input_token_desc.value = NULL; input_token = &input_token_desc; if ((token_status = relisock_gsi_get( mySock_, &input_token->value, &input_token->length)) != 0) { major_status = GSS_S_DEFECTIVE_TOKEN | GSS_S_CALL_INACCESSIBLE_READ; break; } dprintf(D_NETWORK, "gss_assist_accept_sec_context(1):inlen:%lu\n", static_cast<unsigned long>(input_token->length)); major_status = (*gss_accept_sec_context_ptr)( &minor_status, &context_handle, credential_handle, input_token, GSS_C_NO_CHANNEL_BINDINGS, &m_client_name, NULL, output_token, &ret_flags, &time_req, NULL); dprintf(D_NETWORK, "gss_assist_accept_sec_context(2)" "maj:%8.8x:min:%8.8x:ret:%8.8x " "outlen:%lu:context:%p\n", (unsigned int) major_status, (unsigned int) minor_status, (unsigned int) ret_flags, output_token->length, context_handle); if (output_token->length != 0) { if ((token_status = relisock_gsi_put( mySock_, output_token->value, output_token->length)) != 0) { major_status = GSS_S_DEFECTIVE_TOKEN | GSS_S_CALL_INACCESSIBLE_WRITE; } (*gss_release_buffer_ptr)(&minor_status, output_token); } if (GSS_ERROR(major_status)) { if (context_handle != GSS_C_NO_CONTEXT) { (*gss_delete_sec_context_ptr)(&minor_status, &context_handle, GSS_C_NO_BUFFER); } break; } if (input_token->length >0) { free(input_token->value); input_token->length = 0; } } while (major_status & GSS_S_CONTINUE_NEEDED); if (input_token->length >0) { free(input_token->value); input_token->length = 0; } m_status = 0; if ( (major_status != GSS_S_COMPLETE)) { if (major_status == 655360) { errstack->pushf("GSI", GSI_ERR_AUTHENTICATION_FAILED, "COMMON Failed to authenticate (%u:%u)", (unsigned)major_status, (unsigned)minor_status); } else { errstack->pushf("GSI", GSI_ERR_AUTHENTICATION_FAILED, "Failed to authenticate. Globus is reporting error (%u:%u)", (unsigned)major_status, (unsigned)minor_status); } print_log(major_status,minor_status,token_status, "Condor GSI authentication failure" ); } else { gss_buffer_desc tmp_buffer_desc = GSS_C_EMPTY_BUFFER; gss_buffer_t tmp_buffer = &tmp_buffer_desc; char * gss_name = NULL; major_status = (*gss_display_name_ptr)(&minor_status, m_client_name, tmp_buffer, NULL); if (major_status == GSS_S_COMPLETE) { gss_name = (char *)malloc(tmp_buffer->length+1); if (gss_name) { memcpy(gss_name, tmp_buffer->value, tmp_buffer->length); gss_name[tmp_buffer->length] = '\0'; } else { errstack->pushf("GSI", GSI_ERR_AUTHENTICATION_FAILED, "Unable to allocate buffer"); major_status = GSS_S_FAILURE; } } else { errstack->pushf("GSI", GSI_ERR_AUTHENTICATION_FAILED, "Unable to determine remote client name. Globus is reporting error (%u:%u)", (unsigned)major_status, (unsigned)minor_status); } (*gss_release_buffer_ptr)(&minor_status, tmp_buffer); // store the raw subject name for later mapping if (gss_name) { setAuthenticatedName(gss_name); free(gss_name); } setRemoteUser("gsi"); setRemoteDomain( UNMAPPED_DOMAIN ); if (param_boolean("USE_VOMS_ATTRIBUTES", true)) { // get the voms attributes from the peer globus_gsi_cred_handle_t peer_cred = context_handle->peer_cred_handle->cred_handle; char * voms_fqan = NULL; int voms_err = extract_VOMS_info(peer_cred, 1, NULL, NULL, &voms_fqan); if (!voms_err) { setFQAN(voms_fqan); free(voms_fqan); } else { // complain! dprintf(D_SECURITY, "ZKM: VOMS FQAN not present (error %i), ignoring.\n", voms_err); } } // XXX FIXME ZKM // i am making failure to be mapped a non-fatal error at this point. m_status = (major_status == GSS_S_COMPLETE); mySock_->encode(); if (!mySock_->code(m_status) || !mySock_->end_of_message()) { errstack->push("GSI", GSI_ERR_COMMUNICATIONS_ERROR, "Failed to authenticate with client. Unable to send status"); dprintf(D_SECURITY, "Unable to send final confirmation\n"); m_status = 0; } } m_state = GetClientPost; return (m_status == 0) ? Fail : Continue; }
int Condor_Auth_SSPI::sspi_server_auth(CredHandle& cred,CtxtHandle& srvCtx) { int rc; SecPkgInfo *secPackInfo; int it_worked = FALSE; // assume failure dprintf(D_FULLDEBUG, "sspi_server_auth() entered\n" ); rc = (pf->QuerySecurityPackageInfo)( "NTLM", &secPackInfo ); TimeStamp useBefore; rc = (pf->AcquireCredentialsHandle)( NULL, "NTLM", SECPKG_CRED_INBOUND, NULL, NULL, NULL, NULL, &cred, &useBefore ); // input and output buffers SecBufferDesc obd, ibd; SecBuffer ob, ib; DWORD ctxAttr; bool haveContext = false; while ( 1 ) { // prepare to get the server's response ibd.ulVersion = SECBUFFER_VERSION; ibd.cBuffers = 1; ibd.pBuffers = &ib; // just one buffer ib.BufferType = SECBUFFER_TOKEN; // preping a token here // receive the client's POD ib.pvBuffer = NULL; mySock_->decode(); if ( !mySock_->code(ib.cbBuffer) || !mySock_->end_of_message() || !(ib.pvBuffer = LocalAlloc( 0, ib.cbBuffer )) || !mySock_->get_bytes((char *) ib.pvBuffer, ib.cbBuffer) || !mySock_->end_of_message() ) { dprintf(D_ALWAYS, "ERROR sspi_server_auth() failed to received client POD\n"); if ( ib.pvBuffer ) { LocalFree( ib.pvBuffer ); ib.pvBuffer = NULL; } (pf->FreeContextBuffer)( secPackInfo ); return 0; } // by now we have an input buffer obd.ulVersion = SECBUFFER_VERSION; obd.cBuffers = 1; obd.pBuffers = &ob; // just one buffer ob.BufferType = SECBUFFER_TOKEN; // preping a token here ob.cbBuffer = secPackInfo->cbMaxToken; ob.pvBuffer = LocalAlloc( 0, ob.cbBuffer ); rc = (pf->AcceptSecurityContext)( &cred, haveContext? &srvCtx: NULL, &ibd, 0, SECURITY_NATIVE_DREP, &srvCtx, &obd, &ctxAttr, &useBefore ); if ( ib.pvBuffer != NULL ) { LocalFree( ib.pvBuffer ); ib.pvBuffer = NULL; } if ( rc == SEC_I_COMPLETE_AND_CONTINUE || rc == SEC_I_COMPLETE_NEEDED ) { if ( pf->CompleteAuthToken != NULL ) // only if implemented (pf->CompleteAuthToken)( &srvCtx, &obd ); if ( rc == SEC_I_COMPLETE_NEEDED ) rc = SEC_E_OK; else if ( rc == SEC_I_COMPLETE_AND_CONTINUE ) rc = SEC_I_CONTINUE_NEEDED; } // send the output buffer off to the server if ( ob.cbBuffer != 0 ) { mySock_->encode(); if ( !mySock_->code(ob.cbBuffer) || !mySock_->end_of_message() || !mySock_->put_bytes( (const char *) ob.pvBuffer, ob.cbBuffer ) || !mySock_->end_of_message() ) { dprintf(D_ALWAYS, "ERROR sspi_server_auth() failed to send output blob\n"); LocalFree( ob.pvBuffer ); ob.pvBuffer = NULL; (pf->FreeContextBuffer)( secPackInfo ); return 0; } } LocalFree( ob.pvBuffer ); ob.pvBuffer = NULL; if ( rc != SEC_I_CONTINUE_NEEDED ) break; haveContext = true; // loop back for another round dprintf(D_FULLDEBUG,"sspi_server_auth() looping\n"); } // we arrive here as soon as InitializeSecurityContext() // returns != SEC_I_CONTINUE_NEEDED. if ( rc != SEC_E_OK ) { dprintf( D_ALWAYS,"sspi_server_auth(): Oops! ASC() returned %d!\n", rc ); } // now we try to use the context to Impersonate and thereby get the login rc = (pf->ImpersonateSecurityContext)( &srvCtx ); char buf[256]; char *dom = NULL; DWORD bufsiz = sizeof buf; if ( rc != SEC_E_OK ) { dprintf( D_ALWAYS, "sspi_server_auth(): Failed to impersonate (returns %d)!\n", rc ); } else { // PLEASE READ: We're now running in the context of the // client we're impersonating. This means dprintf()'ing is // OFF LIMITS until we RevertSecurityContext(), since the // dprintf() will likely fail because the client // probably will not have write access to the log file. GetUserName( buf, &bufsiz ); dom = my_domainname(); // revert as soon as possible. (pf->RevertSecurityContext)( &srvCtx ); // Ok, safe to dprintf() now... it_worked = TRUE; setRemoteUser(buf); setRemoteDomain(dom); // set authenticated name used for mapping MyString auth_name; auth_name = buf; if(dom) { auth_name += "@"; auth_name += dom; } setAuthenticatedName(auth_name.Value()); dprintf( D_FULLDEBUG, "sspi_server_auth(): user name is: \"%s\"\n", buf ); if (dom) { dprintf( D_FULLDEBUG, "sspi_server_auth(): domain name is: \"%s\"\n", dom); free(dom); } } (pf->FreeContextBuffer)( secPackInfo ); dprintf( D_FULLDEBUG,"sspi_server_auth() exiting\n" ); // return success (1) or failure (0) return it_worked; }