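/*
 * Accept a GSS security context from the peer on socket `sck`.
 *
 * credential_handle - acceptor credential used to authenticate ourselves.
 * client_name       - receives the authenticated peer's name as a C string,
 *                     allocated by the GSS-assist library; the caller owns it.
 * sck               - connected socket; its address is handed to get_token /
 *                     send_token (declared elsewhere) as the token I/O argument.
 *
 * Returns the established context, or GSS_C_NO_CONTEXT after printing the
 * GSS status to stderr when the handshake fails.
 *
 * A credential the client delegates is accepted by the handshake but this
 * function has no way to hand it back, so it is released here rather than
 * leaked (the original dropped the handle on the floor).  ret_flags is not
 * inspected: a caller that later wraps data on this context should check
 * GSS_C_CONF_FLAG / GSS_C_INTEG_FLAG itself.
 */
gss_ctx_id_t accept_context(gss_cred_id_t credential_handle, char **client_name, int sck)
{
    OM_uint32 major_status = 0;
    OM_uint32 minor_status = 0;
    int token_status = 0;
    OM_uint32 ret_flags = 0;
    gss_ctx_id_t context_handle = GSS_C_NO_CONTEXT;
    gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;

    major_status = globus_gss_assist_accept_sec_context(
        &minor_status,          /* minor_status */
        &context_handle,        /* context_handle */
        credential_handle,      /* acceptor_cred_handle */
        client_name,            /* src_name as char ** */
        &ret_flags,             /* ret_flags (not checked here) */
        NULL,                   /* don't need user_to_user */
        &token_status,          /* token_status */
        &delegated_cred,        /* delegated cred, released below */
        get_token, (void *) &sck,
        send_token, (void *) &sck);

    /* Nobody can receive the delegated credential through this interface;
     * free it instead of leaking a private key handle. */
    if (delegated_cred != GSS_C_NO_CREDENTIAL) {
        OM_uint32 release_minor = 0;
        gss_release_cred(&release_minor, &delegated_cred);
    }

    if (major_status != GSS_S_COMPLETE) {
        globus_gss_assist_display_status(stderr,
                                         "GSS authentication failure ",
                                         major_status,
                                         minor_status,
                                         token_status);
        return GSS_C_NO_CONTEXT;
    }

    return context_handle;
}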
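/*
 * Server side of the Globus/GSI authentication exchange.
 *
 * link     - connection to the client; tokens travel through read_token /
 *            write_token (declared elsewhere) with `link` as their argument.
 * subject  - receives the authenticated client's name, allocated by the
 *            GSS-assist library (caller owns it).  Cleared to 0 on entry.
 * stoptime - deadline passed through to auth_barrier().
 *
 * Returns 1 when the client authenticated, 0 otherwise.
 *
 * Side effect: delegated_credential (not declared here; presumably a
 * file-scope variable) is reset and then receives any credential the
 * client delegated.  It is intentionally not released in this function.
 *
 * Only the peer identity is wanted, so the context is deleted as soon as it
 * is established and the returned flags are never examined.
 */
static int auth_globus_accept(struct link *link, char **subject, time_t stoptime)
{
    gss_cred_id_t credential = GSS_C_NO_CREDENTIAL;
    gss_ctx_id_t context = GSS_C_NO_CONTEXT;
    OM_uint32 major, minor, flags = 0;
    int token = 0;
    int success = 0;

    globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE);
    *subject = 0;

    debug(D_AUTH, "globus: loading my credentials");
    major = globus_gss_assist_acquire_cred(&minor, GSS_C_ACCEPT, &credential);
    if (major != GSS_S_COMPLETE) {
        /* Tell the client not to bother before giving up. */
        debug(D_AUTH, "globus: couldn't load my credentials: did you run grid-proxy-init?");
        auth_barrier(link, "no\n", stoptime);
        globus_module_deactivate(GLOBUS_GSI_GSS_ASSIST_MODULE);
        return 0;
    }

    debug(D_AUTH, "globus: waiting for client to get ready");
    if (auth_barrier(link, "yes\n", stoptime) == 0) {
        delegated_credential = GSS_C_NO_CREDENTIAL;
        debug(D_AUTH, "globus: authenticating client");
        major = globus_gss_assist_accept_sec_context(&minor,
                                                     &context,
                                                     credential,
                                                     subject,
                                                     &flags,
                                                     0,
                                                     &token,
                                                     &delegated_credential,
                                                     read_token, link,
                                                     write_token, link);
        if (major == GSS_S_COMPLETE) {
            debug(D_AUTH, "globus: accepted client %s", *subject);
            if (delegated_credential != GSS_C_NO_CREDENTIAL) {
                debug(D_AUTH, "globus: client delegated its credentials");
            }
            success = 1;
            gss_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
        } else {
            /* NOTE(review): on failure *subject and `context` are left as the
             * library set them; whether it tears down a half-built context is
             * not visible from here. */
            char *reason = NULL;
            globus_gss_assist_display_status_str(&reason, "", major, minor, token);
            if (!reason) {
                reason = xxstrdup("unknown reason");
            }
            debug(D_AUTH, "globus: couldn't authenticate client: %s", reason);
            free(reason);
        }
    } else {
        debug(D_AUTH, "globus: client couldn't load credentials");
    }

    /* Bug fix: the original passed &major as the minor-status out-parameter
     * here, overwriting the handshake result with release status noise. */
    {
        OM_uint32 release_minor = 0;
        gss_release_cred(&release_minor, &credential);
    }

    globus_module_deactivate(GLOBUS_GSI_GSS_ASSIST_MODULE);
    return success;
}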
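/*
 * Run the acceptor (server) side of a GSI handshake on self->sock.
 *
 * On success self->gss_context holds the established context, self->peer_name
 * the client's name (allocated by the GSS-assist library) and
 * self->limited_proxy is set when the client presented a limited proxy.
 * Returns GSI_SOCKET_SUCCESS or GSI_SOCKET_ERROR; on error the reason is
 * recorded through GSI_SOCKET_set_error_string() or verror, and
 * self->major_status / self->minor_status hold the failing GSS status.
 *
 * Only the read side is wrapped in an unbuffered FILE* (the assist library's
 * fd token reader wants one); tokens are written directly to self->sock via
 * assist_write_token.  The FILE* is built on a dup() so closing it does not
 * close the caller's socket.
 */
int GSI_SOCKET_authentication_accept(GSI_SOCKET *self)
{
    gss_cred_id_t creds = GSS_C_NO_CREDENTIAL;
    int token_status = 0;
    int return_value = GSI_SOCKET_ERROR;
    OM_uint32 gss_flags = 0;
    int sock = -1;          /* dup() of self->sock until fdopen() takes it over */
    FILE *fp = NULL;
    char *cert_dir = NULL;
    globus_result_t res;

    if (self == NULL) {
        return GSI_SOCKET_ERROR;
    }

    if (self->gss_context != GSS_C_NO_CONTEXT) {
        GSI_SOCKET_set_error_string(self, "GSI_SOCKET already authenticated");
        goto error;
    }

    res = GLOBUS_GSI_SYSCONFIG_GET_CERT_DIR(&cert_dir);
    if (res != GLOBUS_SUCCESS) {
        verror_put_string("error getting trusted certificates directory");
        globus_error_to_verror(res);
        goto error;
    }
    myproxy_debug("using trusted certificates directory %s", cert_dir);

    self->major_status = globus_gss_assist_acquire_cred(&self->minor_status,
                                                        GSS_C_ACCEPT,
                                                        &creds);
    if (self->major_status != GSS_S_COMPLETE) {
        goto error;
    }

    /*
     * Per RFC 2744 ret_flags is output-only, but GSI also reads it on input
     * as the set of services being requested.  Ask for replay detection,
     * mutual authentication, confidentiality and integrity, then verify
     * below what actually came back.
     */
    gss_flags |= GSS_C_REPLAY_FLAG;
    gss_flags |= GSS_C_MUTUAL_FLAG;
    gss_flags |= GSS_C_CONF_FLAG;
    gss_flags |= GSS_C_INTEG_FLAG;

    if ((sock = dup(self->sock)) < 0) {
        GSI_SOCKET_set_error_string(self, "dup() of socket fd failed");
        self->error_number = errno;
        goto error;
    }
    if ((fp = fdopen(sock, "r")) == NULL) {
        GSI_SOCKET_set_error_string(self, "fdopen() of socket failed");
        self->error_number = errno;
        goto error;         /* sock is still ours; closed in cleanup */
    }
    sock = -1;              /* fp owns the descriptor now; fclose() releases it */
    if (setvbuf(fp, NULL, _IONBF, 0) != 0) {
        GSI_SOCKET_set_error_string(self, "setvbuf() for socket failed");
        self->error_number = errno;
        goto error;
    }

    self->major_status = globus_gss_assist_accept_sec_context(
        &self->minor_status,
        &self->gss_context,
        creds,
        &self->peer_name,
        &gss_flags,
        NULL,               /* u2u flag */
        &token_status,
        NULL,               /* delegated creds (Globus >= 1.1.3): not accepted */
        globus_gss_assist_token_get_fd, (void *) fp,
        assist_write_token, (void *) &self->sock);
    if (self->major_status != GSS_S_COMPLETE) {
        /* NOTE(review): self->gss_context may hold a partially built context
         * here; whether the assist library already tore it down is not visible
         * from this file.  A retry on the same object would hit the "already
         * authenticated" check above. */
        goto error;
    }

    /* Refuse to proceed without the protections that were requested.  The
     * original only verified confidentiality; integrity was requested but
     * never confirmed. */
    if (!(gss_flags & GSS_C_CONF_FLAG)) {
        GSI_SOCKET_set_error_string(self, "requested confidentiality GSSAPI service but it is not available");
        goto error;
    }
    if (!(gss_flags & GSS_C_INTEG_FLAG)) {
        GSI_SOCKET_set_error_string(self, "requested integrity GSSAPI service but it is not available");
        goto error;
    }

    if (gss_flags & GSS_C_GLOBUS_LIMITED_PROXY_FLAG) {
        self->limited_proxy = 1;
    }

    /* Success */
    return_value = GSI_SOCKET_SUCCESS;

error:
    if (creds != GSS_C_NO_CREDENTIAL) {
        OM_uint32 minor_status;
        gss_release_cred(&minor_status, &creds);
    }
    free(cert_dir);
    if (fp) {
        fclose(fp);
    }
    if (sock >= 0) {
        close(sock);        /* dup() succeeded but fdopen() failed */
    }
    return return_value;
}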
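/*
 * Acceptor half of the gss_assist round-trip test.  Every helper below exits
 * the process on failure, matching the rest of this driver.
 */

/* Unwrap one message from the initiator on `infd` and, when `verbose` is
 * non-NULL, echo it to stdout.  `where` is the caller's __LINE__ for the
 * trace line. */
static void acceptor_receive(gss_ctx_id_t ctx, FILE *infd, const char *verbose, int where)
{
    OM_uint32 major_status;
    OM_uint32 minor_status;
    int token_status = 0;
    char *recv_buffer = NULL;
    size_t buffer_length = 0;
    char *print_buffer;

    major_status = globus_gss_assist_get_unwrap(&minor_status,
                                                ctx,
                                                &recv_buffer,
                                                &buffer_length,
                                                &token_status,
                                                globus_gss_assist_token_get_fd,
                                                (void *) infd,
                                                stdout);
    if (GSS_ERROR(major_status)) {
        fprintf(stdout, "ACCEPTOR ERROR\n");
        globus_gss_assist_display_status(stdout,
                                         "ACCEPTOR: Couldn't get encrypted message from initiator\n",
                                         major_status, minor_status, token_status);
        fprintf(stdout, "ACCEPTOR ERROR FINISHED\n");
        exit(1);
    }

    /* The unwrapped payload is length-delimited and may not be
     * NUL-terminated: bound the copy by buffer_length ("%.*s") rather than
     * letting "%s" scan past the end of recv_buffer. */
    print_buffer = malloc(buffer_length + 1);
    if (print_buffer == NULL) {
        perror("malloc");
        exit(1);
    }
    globus_libc_snprintf(print_buffer, buffer_length + 1, "%.*s",
                         (int) buffer_length, recv_buffer);
    if (verbose) {
        fprintf(stdout, "ACCEPTOR: " __FILE__ ":%d: received: %s\n", where, print_buffer);
    }
    free(print_buffer);
    free(recv_buffer);
}

/* Wrap accept_message (defined elsewhere in this file) and send it to the
 * initiator on `outfd`. */
static void acceptor_send(gss_ctx_id_t ctx, FILE *outfd)
{
    OM_uint32 major_status;
    OM_uint32 minor_status;
    int token_status = 0;

    major_status = globus_gss_assist_wrap_send(&minor_status,
                                               ctx,
                                               accept_message,
                                               sizeof(accept_message),
                                               &token_status,
                                               globus_gss_assist_token_send_fd,
                                               (void *) outfd,
                                               stdout);
    if (GSS_ERROR(major_status)) {
        globus_gss_assist_display_status(stdout,
                                         "ACCEPTOR: Couldn't encrypt and send message\n",
                                         major_status, minor_status, token_status);
        exit(1);
    }
}

/*
 * Listen on an ephemeral port, print it so the initiator can connect, accept
 * one connection, establish a GSS context as the acceptor, then perform two
 * receive/reply round trips before tearing everything down.
 *
 * Environment: GSS_ASSIST_VERBOSE_TEST enables trace output.
 * Exit status: 0 on success, 1 on any failure (reason printed first).
 */
int main(int argc, char *argv[])
{
    gss_cred_id_t accept_cred = GSS_C_NO_CREDENTIAL;
    gss_cred_id_t delegated_init_cred = GSS_C_NO_CREDENTIAL;
    OM_uint32 major_status;
    OM_uint32 minor_status;
    int token_status = 0;
    gss_ctx_id_t accept_context = GSS_C_NO_CONTEXT;
    OM_uint32 ret_flags = 0;
    int sock, connect_sock;
    FILE *infd;
    FILE *outfd;
    struct sockaddr_in sockaddr;
    socklen_t length;
    char *init_name = NULL;     /* allocated by the assist library; freed below */
    char *verbose_env;

    (void) argc;
    (void) argv;

    globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE);
    verbose_env = getenv("GSS_ASSIST_VERBOSE_TEST");
    setbuf(stdout, NULL);

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("opening stream socket");
        exit(1);
    }
    sockaddr.sin_family = AF_INET;
    sockaddr.sin_addr.s_addr = INADDR_ANY;
    sockaddr.sin_port = 0;      /* let the kernel pick a port */
    if (bind(sock, (struct sockaddr *) &sockaddr, sizeof(sockaddr))) {
        perror("binding stream socket");
        exit(1);
    }
    length = sizeof(sockaddr);
    if (getsockname(sock, (struct sockaddr *) &sockaddr, &length)) {
        perror("getting socket name");
        exit(1);
    }
    /* Start accepting connection (the original ignored listen()'s result). */
    if (listen(sock, 1) < 0) {
        perror("listen");
        exit(1);
    }
    fprintf(stdout, "Socket has port #%d\n", ntohs(sockaddr.sin_port));

    connect_sock = accept(sock, 0, 0);
    if (connect_sock == -1) {
        perror("accept");
        exit(1);
    }
    if (close(sock) < 0) {
        perror("Couldn't close listening socket");
        exit(1);
    }

    /* Separate unbuffered read and write streams over the same connection,
     * each on its own dup() so the original descriptor can be closed.  A
     * failed dup() yields -1, which fdopen() rejects, so one check covers
     * both calls. */
    infd = fdopen(dup(connect_sock), "r");
    if (infd == NULL) {
        perror("fdopen (read side)");
        exit(1);
    }
    setbuf(infd, NULL);
    outfd = fdopen(dup(connect_sock), "w");
    if (outfd == NULL) {
        perror("fdopen (write side)");
        exit(1);
    }
    setbuf(outfd, NULL);
    close(connect_sock);

    /* ACCEPTOR PROCESS */
    major_status = globus_gss_assist_acquire_cred(&minor_status,
                                                  GSS_C_ACCEPT,
                                                  &accept_cred);
    if (GSS_ERROR(major_status)) {
        globus_gss_assist_display_status(stdout,
                                         "ACCEPTOR: Couldn't acquire acceptor's credentials",
                                         major_status, minor_status, 0);
        exit(1);
    }

    /* ret_flags is collected but not checked; this driver only exercises
     * the token exchange. */
    major_status = globus_gss_assist_accept_sec_context(&minor_status,
                                                        &accept_context,
                                                        accept_cred,
                                                        &init_name,
                                                        &ret_flags,
                                                        NULL,
                                                        &token_status,
                                                        &delegated_init_cred,
                                                        globus_gss_assist_token_get_fd,
                                                        (void *) infd,
                                                        globus_gss_assist_token_send_fd,
                                                        (void *) outfd);
    if (GSS_ERROR(major_status)) {
        globus_gss_assist_display_status(stdout,
                                         "ACCEPTOR: Couldn't authenticate as acceptor\n",
                                         major_status, minor_status, token_status);
        exit(1);
    }
    if (verbose_env) {
        fprintf(stdout, "ACCEPTOR: " __FILE__ ":%d: Acceptor successfully created context for initiator: %s\n",
                __LINE__, init_name);
    }

    /* Two request/reply round trips (the initiator side lives elsewhere). */
    acceptor_receive(accept_context, infd, verbose_env, __LINE__);
    acceptor_send(accept_context, outfd);
    acceptor_receive(accept_context, infd, verbose_env, __LINE__);
    acceptor_send(accept_context, outfd);

    major_status = gss_delete_sec_context(&minor_status, &accept_context, GSS_C_NO_BUFFER);
    if (major_status != GSS_S_COMPLETE) {
        globus_gss_assist_display_status(stdout,
                                         "ACCEPTOR: Couldn't delete security context\n",
                                         major_status, minor_status, 0);
        exit(1);
    }

    /* Bug fix: the original discarded gss_release_cred()'s result and then
     * re-tested the stale status from the delete above (with an "INITIATOR"
     * label in an acceptor program). */
    major_status = gss_release_cred(&minor_status, &accept_cred);
    if (major_status != GSS_S_COMPLETE) {
        globus_gss_assist_display_status(stdout,
                                         "ACCEPTOR: Couldn't release acceptor credential\n",
                                         major_status, minor_status, 0);
        exit(1);
    }

    /* A delegated credential is accepted above but never used; release it
     * so a private-key handle does not outlive the test. */
    if (delegated_init_cred != GSS_C_NO_CREDENTIAL) {
        gss_release_cred(&minor_status, &delegated_init_cred);
    }
    free(init_name);

    if (fclose(infd) == EOF) {
        perror("closing stream socket");
        exit(1);
    }
    if (fclose(outfd) == EOF) {
        perror("closing stream socket");
        exit(1);
    }

    globus_module_deactivate(GLOBUS_GSI_GSS_ASSIST_MODULE);
    exit(0);
}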
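/**
 * Server side of the GSI (X.509 via GSS-API) handshake.
 *
 * Runs globus_gss_assist_accept_sec_context() over mySock_ with the acceptor
 * credential in credential_handle.  context_handle, credential_handle,
 * ret_flags and token_status are not declared in this method and are
 * presumably members of this object.  On success the peer's raw subject is
 * recorded with setAuthenticatedName(), the remote user becomes "gsi" in an
 * unmapped domain and, when USE_VOMS_ATTRIBUTES is set, the VOMS FQAN is
 * extracted from the peer credential.  A final status exchange then tells the
 * client we accepted it and learns whether the client accepted us.
 *
 * @param errstack receives a description of any failure.
 * @return TRUE when both sides accepted each other, FALSE otherwise.
 */
int Condor_Auth_X509::authenticate_server_gss(CondorError* errstack)
{
    // Filled in by the GSS-assist library with a malloc()ed subject name.
    // Starts NULL so the single cleanup at the bottom is safe on every path.
    char *GSSClientname = NULL;
    int status = 0;
    OM_uint32 major_status = 0;
    OM_uint32 minor_status = 0;
    priv_state priv;

    // Hold elevated privilege only for the duration of the handshake itself
    // (presumably needed to read the host credential).
    priv = set_root_priv();
    major_status = globus_gss_assist_accept_sec_context(&minor_status,
                                                        &context_handle,
                                                        credential_handle,
                                                        &GSSClientname,
                                                        &ret_flags,
                                                        NULL,           /* don't need user_to_user */
                                                        &token_status,
                                                        NULL,           /* don't delegate credential */
                                                        relisock_gsi_get,
                                                        (void *) mySock_,
                                                        relisock_gsi_put,
                                                        (void *) mySock_);
    set_priv(priv);

    if (major_status != GSS_S_COMPLETE) {
        // 655360 == 10 << 16, the RFC 2744 routine error
        // GSS_S_DEFECTIVE_CREDENTIAL; kept as the literal the original used.
        const OM_uint32 kDefectiveCredential = 655360;
        if (major_status == kDefectiveCredential) {
            errstack->pushf("GSI", GSI_ERR_AUTHENTICATION_FAILED,
                            "COMMON Failed to authenticate (%u:%u)",
                            (unsigned) major_status, (unsigned) minor_status);
        } else {
            errstack->pushf("GSI", GSI_ERR_AUTHENTICATION_FAILED,
                            "Failed to authenticate. Globus is reporting error (%u:%u)",
                            (unsigned) major_status, (unsigned) minor_status);
        }
        print_log(major_status, minor_status, token_status,
                  "Condor GSI authentication failure");
    } else {
        // Store the raw subject name; mapping to a local user happens later.
        setAuthenticatedName(GSSClientname);
        setRemoteUser("gsi");
        setRemoteDomain(UNMAPPED_DOMAIN);

        if (param_boolean("USE_VOMS_ATTRIBUTES", true)) {
            // Reaches into the Globus context structure for the peer's
            // credential to pull its VOMS attributes.
            globus_gsi_cred_handle_t peer_cred = context_handle->peer_cred_handle->cred_handle;
            char *voms_fqan = NULL;
            // NOTE(review): the meaning of the second argument (1) is not
            // visible here; check extract_VOMS_info's declaration before changing it.
            int voms_err = extract_VOMS_info(peer_cred, 1, NULL, NULL, &voms_fqan);
            if (!voms_err) {
                setFQAN(voms_fqan);
                free(voms_fqan);
            } else {
                // A missing FQAN is deliberately non-fatal: the peer is still
                // authenticated by its DN, just without VOMS attributes.
                dprintf(D_SECURITY, "ZKM: VOMS FQAN not present (error %i), ignoring.\n", voms_err);
            }
        }

        // Failure to map the subject is non-fatal at this point (the original
        // carried an XXX FIXME ZKM note to that effect).  Tell the client we
        // accepted it.
        status = 1;
        mySock_->encode();
        if (!mySock_->code(status) || !mySock_->end_of_message()) {
            errstack->push("GSI", GSI_ERR_COMMUNICATIONS_ERROR,
                           "Failed to authenticate with client. Unable to send status");
            dprintf(D_SECURITY, "Unable to send final confirmation\n");
            status = 0;
        }

        if (status != 0) {
            // Now learn whether the client trusts our certificate.
            mySock_->decode();
            if (!mySock_->code(status) || !mySock_->end_of_message()) {
                errstack->push("GSI", GSI_ERR_COMMUNICATIONS_ERROR,
                               "Failed to authenticate with client. Unable to receive status");
                dprintf(D_SECURITY, "Unable to receive client confirmation.\n");
                status = 0;
            } else if (status == 0) {
                errstack->push("GSI", GSI_ERR_COMMUNICATIONS_ERROR,
                               "Failed to authenticate with client. Client does not trust our certificate. "
                               "You may want to check the GSI_DAEMON_NAME in the condor_config");
                dprintf(D_SECURITY, "Client rejected my certificate. Please check the GSI_DAEMON_NAME parameter in Condor's config file.\n");
            }
        }
    }

    // Released on every path: the original only freed the name on success,
    // leaving anything the library allocated before a failure unreleased.
    // free(NULL) is a no-op.
    free(GSSClientname);

    return (status == 0) ? FALSE : TRUE;
}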