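/*
 * Accept a GSS security context from the peer connected on socket `sck`.
 *
 * credential_handle: acceptor credential (see acquire_cred()/make_cred()).
 * client_name:       receives the authenticated peer name as a C string
 *                    (per the Globus assist convention this is allocated
 *                    for the caller, who frees it -- confirm against the
 *                    library version in use).
 * sck:               connected socket; its address is passed as the opaque
 *                    argument of get_token()/send_token().
 *
 * Returns the established context, or GSS_C_NO_CONTEXT after printing the
 * failure to stderr. Any credential the peer delegated is released here
 * (this function has no use for it), and a context that failed part-way
 * through establishment is deleted rather than leaked.
 */
gss_ctx_id_t
accept_context(gss_cred_id_t credential_handle, char **client_name, int sck)
{
    OM_uint32 major_status = 0;
    OM_uint32 minor_status = 0;
    OM_uint32 release_minor = 0;
    int token_status = 0;
    OM_uint32 ret_flags = 0;
    gss_ctx_id_t context_handle = GSS_C_NO_CONTEXT;
    gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;

    major_status = globus_gss_assist_accept_sec_context(
        &minor_status,      /* minor_status */
        &context_handle,    /* context_handle */
        credential_handle,  /* acceptor_cred_handle */
        client_name,        /* src_name as char ** */
        &ret_flags,         /* ret_flags */
        NULL,               /* don't need user_to_user */
        &token_status,      /* token_status */
        &delegated_cred,    /* delegated cred, released below */
        get_token, (void *) &sck,
        send_token, (void *) &sck);

    /* The peer may delegate a credential whether or not we want one; drop
     * it so it does not stay alive for the rest of the process. */
    if (delegated_cred != GSS_C_NO_CREDENTIAL) {
        gss_release_cred(&release_minor, &delegated_cred);
    }

    if (major_status != GSS_S_COMPLETE) {
        globus_gss_assist_display_status(
            stderr, "GSS authentication failure ",
            major_status, minor_status, token_status);
        /* A context that failed mid-establishment still holds mechanism
         * state; delete it instead of abandoning the handle. */
        if (context_handle != GSS_C_NO_CONTEXT) {
            gss_delete_sec_context(&release_minor, &context_handle,
                                   GSS_C_NO_BUFFER);
        }
        return GSS_C_NO_CONTEXT;
    }

    /* NOTE(review): ret_flags is not inspected, so a caller cannot tell
     * from the returned context whether mutual authentication or
     * confidentiality was negotiated; check ret_flags here if the protocol
     * built on this context requires either. */
    return context_handle;
}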
/*
 * Acquire a GSS credential for the given usage (GSS_C_INITIATE,
 * GSS_C_ACCEPT or GSS_C_BOTH) from the process's default credential store.
 *
 * Returns the credential handle, or GSS_C_NO_CREDENTIAL after printing the
 * failure to stderr.
 */
gss_cred_id_t
acquire_cred(const gss_cred_usage_t cred_usage)
{
    OM_uint32 status_major = 0;
    OM_uint32 status_minor = 0;
    gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;

    /* Acquire GSS credential */
    status_major = globus_gss_assist_acquire_cred(&status_minor,
                                                  cred_usage,
                                                  &cred);
    if (status_major == GSS_S_COMPLETE) {
        return cred;
    }

    globus_gss_assist_display_status(stderr,
                                     "Error acquiring credentials",
                                     status_major,
                                     status_minor,
                                     0);
    return GSS_C_NO_CREDENTIAL;
}
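/*
 * Initiate a GSS security context with `server_name` over socket `sck`.
 *
 * credential_handle: initiator credential.
 * server_name:       expected peer name, passed through to the assist
 *                    library (which takes it as a non-const char *).
 * sck:               connected socket; its address is the opaque argument
 *                    of get_token()/send_token().
 *
 * Mutual authentication and confidentiality are requested, and the
 * function refuses the context unless the mechanism reports both in
 * ret_flags -- a context that silently came back one-way or
 * integrity-only would otherwise look identical to the caller.
 *
 * Returns the established context, or GSS_C_NO_CONTEXT after printing the
 * failure to stderr. A partially established context is deleted on
 * failure.
 */
gss_ctx_id_t
initiate_context(gss_cred_id_t credential_handle, const char *server_name, int sck)
{
    /* Services the peer must grant; checked against ret_flags below. */
    const OM_uint32 required_flags = GSS_C_MUTUAL_FLAG | GSS_C_CONF_FLAG;
    const OM_uint32 req_flags = required_flags
        | GSS_C_GLOBUS_ACCEPT_PROXY_SIGNED_BY_LIMITED_PROXY_FLAG;
    OM_uint32 major_status = 0;
    OM_uint32 minor_status = 0;
    OM_uint32 delete_minor = 0;
    int token_status = 0;
    OM_uint32 ret_flags = 0;
    gss_ctx_id_t context_handle = GSS_C_NO_CONTEXT;

    major_status = globus_gss_assist_init_sec_context(
        &minor_status,
        credential_handle,
        &context_handle,
        (char *) server_name,   /* assist API declares this non-const */
        req_flags,
        &ret_flags,
        &token_status,
        get_token, (void *) &sck,
        send_token, (void *) &sck);

    if (major_status != GSS_S_COMPLETE) {
        globus_gss_assist_display_status(stderr,
                                         "GSS Authentication failure: client\n ",
                                         major_status, minor_status,
                                         token_status);
        if (context_handle != GSS_C_NO_CONTEXT) {
            gss_delete_sec_context(&delete_minor, &context_handle,
                                   GSS_C_NO_BUFFER);
        }
        return GSS_C_NO_CONTEXT;
    }

    /* GSS-API leaves it to the application to confirm that requested
     * services were actually granted; without mutual authentication the
     * server is unverified and without GSS_C_CONF_FLAG later wraps are
     * integrity-only. */
    if ((ret_flags & required_flags) != required_flags) {
        fprintf(stderr,
                "GSS Authentication failure: client\n "
                "requested mutual authentication/confidentiality not granted "
                "(ret_flags=0x%lx)\n",
                (unsigned long) ret_flags);
        gss_delete_sec_context(&delete_minor, &context_handle,
                               GSS_C_NO_BUFFER);
        return GSS_C_NO_CONTEXT;
    }

    return context_handle;
}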
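/*
 * Return the remaining lifetime, in seconds, of `credential_handle` as
 * reported by gss_inquire_cred().
 *
 * On failure the error is printed to stderr and (OM_uint32) -1 is
 * returned. NOTE(review): that sentinel is numerically the same as
 * GSS_C_INDEFINITE, so a caller that uses the result as a plain lifetime
 * reads a failure as "never expires"; test for the sentinel before
 * treating the value as a lifetime.
 *
 * The name and mechanism set that gss_inquire_cred() allocates are
 * released here on every path, so this can be polled without leaking.
 */
OM_uint32
get_cred_lifetime(const gss_cred_id_t credential_handle)
{
    OM_uint32 major_status = 0;
    OM_uint32 minor_status = 0;
    OM_uint32 release_minor = 0;
    gss_name_t name = GSS_C_NO_NAME;
    OM_uint32 lifetime = 0;
    gss_OID_set mechanisms = GSS_C_NO_OID_SET;
    gss_cred_usage_t cred_usage = 0;

    major_status = gss_inquire_cred(&minor_status,
                                    credential_handle,
                                    &name,
                                    &lifetime,
                                    &cred_usage,
                                    &mechanisms);

    /* Only the lifetime is wanted; free the other outputs immediately. */
    if (name != GSS_C_NO_NAME) {
        gss_release_name(&release_minor, &name);
    }
    if (mechanisms != GSS_C_NO_OID_SET) {
        gss_release_oid_set(&release_minor, &mechanisms);
    }

    if (major_status != GSS_S_COMPLETE) {
        globus_gss_assist_display_status(stderr,
                                         "Error inquiring credential lifetime",
                                         major_status, minor_status, 0);
        return (OM_uint32) -1;
    }
    return lifetime;
}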
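/*
 * Point X509_USER_PROXY at `proxyname` and acquire an initiator credential
 * from that proxy file.
 *
 * The handle lives in a function-static variable and is returned to the
 * caller. A later call overwrites that static without releasing the
 * earlier credential: an earlier caller may still be using the handle it
 * was given, so the (small) leak is preferred over a dangling handle.
 * The environment change is process-wide and is not undone.
 *
 * Exits the process with status 1 if `proxyname` is NULL, the environment
 * variable cannot be set, or the credential cannot be acquired; the
 * GSS failure is printed to stderr first.
 */
gss_cred_id_t
make_cred(char *proxyname)
{
    static gss_cred_id_t delegated_cred_handle = GSS_C_NO_CREDENTIAL;
    OM_uint32 major_status = 0;
    OM_uint32 minor_status = 0;

    if (proxyname == NULL) {
        fprintf(stderr, "make_cred: no proxy file name given\n");
        exit(1);
    }

    /* An unchecked setenv failure (EINVAL/ENOMEM) would leave whatever
     * proxy was previously configured in place and acquire that instead. */
    if (setenv("X509_USER_PROXY", proxyname, 1) != 0) {
        perror("make_cred: setenv X509_USER_PROXY");
        exit(1);
    }

    major_status = globus_gss_assist_acquire_cred(&minor_status,
                                                  GSS_C_INITIATE, /* or GSS_C_ACCEPT */
                                                  &delegated_cred_handle);
    if (major_status != GSS_S_COMPLETE) {
        globus_gss_assist_display_status(stderr,
                                         "Error acquiring credential from proxy",
                                         major_status,
                                         minor_status,
                                         0);
        exit(1);
    }
    return delegated_cred_handle;
}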
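/*
 * One wrapped round-trip from the initiator side of the test: send the
 * file-level init_message, then receive the acceptor's reply and print it
 * when GSS_ASSIST_VERBOSE_TEST is set. Exits the process on any failure,
 * as the rest of this test program does.
 */
static void
initiator_round_trip(gss_ctx_id_t ctx, FILE *infd, FILE *outfd,
                     const char *verbose_env)
{
    OM_uint32 major_status;
    OM_uint32 minor_status;
    int token_status;
    char *recv_buffer = NULL;
    char *print_buffer = NULL;
    size_t buffer_length = 0;

    major_status = globus_gss_assist_wrap_send(
        &minor_status,
        ctx,
        init_message,
        sizeof(init_message),
        &token_status,
        globus_gss_assist_token_send_fd,
        (void *) (outfd),
        stdout);
    if (GSS_ERROR(major_status)) {
        globus_gss_assist_display_status(
            stdout,
            "INITATOR: Couldn't wrap and send message\n",
            major_status,
            minor_status,
            token_status);
        exit(1);
    }

    major_status = globus_gss_assist_get_unwrap(
        &minor_status,
        ctx,
        &recv_buffer,
        &buffer_length,
        &token_status,
        globus_gss_assist_token_get_fd,
        (void *) (infd),
        stdout);
    if (GSS_ERROR(major_status)) {
        fprintf(stdout, "INITIATOR ERROR\n");
        globus_gss_assist_display_status(
            stdout,
            "INITIATOR: Couldn't get encrypted message from initiator\n",
            major_status,
            minor_status,
            token_status);
        fprintf(stdout, "INITIATOR ERROR FINISHED\n");
        exit(1);
    }

    /* The unwrapped data is an arbitrary byte string with no terminator of
     * its own; copy exactly buffer_length bytes and terminate it before
     * handing it to %s, instead of scanning recv_buffer for a NUL. */
    print_buffer = malloc(buffer_length + 1);
    if (print_buffer == NULL) {
        perror("malloc");
        exit(1);
    }
    if (buffer_length > 0) {
        memcpy(print_buffer, recv_buffer, buffer_length);
    }
    print_buffer[buffer_length] = '\0';

    if (verbose_env) {
        fprintf(stdout, "INITIATOR: "__FILE__":%d" ": received: %s\n",
                __LINE__, print_buffer);
    }
    free(print_buffer);
    free(recv_buffer);
}

/*
 * Initiator side of the gss_assist wrap/unwrap test.
 *
 * Usage: <prog> host port. Connects to the acceptor, establishes a
 * mutually authenticated context with delegation, exchanges two wrapped
 * messages, then tears everything down. Every failure exits non-zero.
 *
 * argv[1] must resolve to an IPv4 address and argv[2] must be a port in
 * 1..65535; both are validated before any network call.
 */
int
main(int argc, char *argv[])
{
    gss_cred_id_t init_cred = GSS_C_NO_CREDENTIAL;
    OM_uint32 major_status;
    OM_uint32 minor_status;
    int token_status;
    gss_ctx_id_t init_context = GSS_C_NO_CONTEXT;
    OM_uint32 ret_flags = 0;
    int sock;
    FILE *infd;
    FILE *outfd;
    struct sockaddr_in sockaddr;
    struct hostent *hostname;
    char *verbose_env = NULL;
    char *end = NULL;
    long port;

    if (argc < 3) {
        fprintf(stderr, "Usage: %s host port\n", argv[0]);
        exit(1);
    }

    globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE);

    verbose_env = getenv("GSS_ASSIST_VERBOSE_TEST");

    /* strtol instead of atoi so junk and out-of-range ports are rejected
     * rather than silently becoming port 0 or a truncated value. */
    errno = 0;
    port = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || errno == ERANGE
        || port < 1 || port > 65535) {
        fprintf(stderr, "%s: invalid port\n", argv[2]);
        exit(2);
    }

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("opening stream socket");
        exit(1);
    }

    memset(&sockaddr, 0, sizeof(sockaddr));
    sockaddr.sin_family = AF_INET;
    hostname = gethostbyname(argv[1]);
    if (hostname == NULL) {
        fprintf(stdout, "%s: unknown host\n", argv[1]);
        exit(2);
    }
    /* Only a 4-byte IPv4 address fits sin_addr; refuse anything else
     * rather than copy h_length bytes of whatever came back. */
    if (hostname->h_addrtype != AF_INET
        || hostname->h_length != (int) sizeof(sockaddr.sin_addr)
        || hostname->h_addr_list[0] == NULL) {
        fprintf(stdout, "%s: no IPv4 address\n", argv[1]);
        exit(2);
    }
    memcpy(&sockaddr.sin_addr, hostname->h_addr_list[0],
           sizeof(sockaddr.sin_addr));
    sockaddr.sin_port = htons((unsigned short) port);

    if (connect(sock, (struct sockaddr *) &sockaddr, sizeof(sockaddr)) < 0) {
        perror("connecting stream socket");
        exit(1);
    }

    /* Separate unbuffered read and write streams over duplicated
     * descriptors; the token routines take FILE * arguments. */
    infd = fdopen(dup(sock), "r");
    outfd = fdopen(dup(sock), "w");
    if (infd == NULL || outfd == NULL) {
        perror("fdopen");
        exit(1);
    }
    setbuf(infd, NULL);
    setbuf(outfd, NULL);
    close(sock);

    /* INITIATOR PROCESS */
    major_status = globus_gss_assist_acquire_cred(&minor_status,
                                                  GSS_C_INITIATE,
                                                  &init_cred);
    if (GSS_ERROR(major_status)) {
        globus_gss_assist_display_status(
            stdout,
            "INITIATOR: Couldn't acquire initiator's credentials",
            major_status,
            minor_status,
            0);
        exit(1);
    }

    /* NOTE(review): the target name is NULL, so no expected server
     * identity is supplied to the mechanism -- fine for this loopback
     * test, not for anything that talks to a real peer. */
    major_status = globus_gss_assist_init_sec_context(
        &minor_status,
        init_cred,
        &init_context,
        NULL,
        GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG,
        &ret_flags,
        &token_status,
        globus_gss_assist_token_get_fd,
        (void *) (infd),
        globus_gss_assist_token_send_fd,
        (void *) (outfd));
    if (GSS_ERROR(major_status)) {
        globus_gss_assist_display_status(
            stdout,
            "INITIATOR: Couldn't authenticate as initiator\n",
            major_status,
            minor_status,
            token_status);
        exit(1);
    }
    /* The test asked for mutual authentication; make sure the mechanism
     * actually granted it instead of quietly continuing one-way. */
    if (!(ret_flags & GSS_C_MUTUAL_FLAG)) {
        fprintf(stdout, "INITIATOR: mutual authentication not established\n");
        exit(1);
    }
    if (verbose_env) {
        fprintf(stdout, "INITIATOR: "__FILE__":%d"
                ": Initiator successfully created context\n", __LINE__);
    }

    /* Two send/receive rounds, mirrored by the acceptor. */
    initiator_round_trip(init_context, infd, outfd, verbose_env);
    initiator_round_trip(init_context, infd, outfd, verbose_env);

    major_status = gss_delete_sec_context(&minor_status,
                                          &init_context,
                                          GSS_C_NO_BUFFER);
    if (major_status != GSS_S_COMPLETE) {
        globus_gss_assist_display_status(
            stdout,
            "INITIATOR: Couldn't delete security context\n",
            major_status,
            minor_status,
            0);
        exit(1);
    }

    /* Capture the release status: the check below must not reuse the
     * (successful) status left over from gss_delete_sec_context. */
    major_status = gss_release_cred(&minor_status, &init_cred);
    if (major_status != GSS_S_COMPLETE) {
        globus_gss_assist_display_status(
            stdout,
            "INITIATOR: Couldn't release credential\n",
            major_status,
            minor_status,
            0);
        exit(1);
    }

    if (fclose(infd) == EOF) {
        perror("closing stream socket");
        exit(1);
    }
    if (fclose(outfd) == EOF) {
        perror("closing stream socket");
        exit(1);
    }

    globus_module_deactivate(GLOBUS_GSI_GSS_ASSIST_MODULE);
    exit(0);
}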
/*
 * Job manager entry point.
 *
 * Reads configuration from argv (globus_gram_job_manager_config_init) and
 * the environment (GLOBUS_JOB_MANAGER_SLEEP, GATEWAY_INTERFACE, PATH,
 * GRID_SECURITY_HTTP_BODY_FD, GRID_SECURITY_CONTEXT_FD, X509_USER_PROXY),
 * acquires the credential, then either becomes the active job manager for
 * this user/host/LRM (holding the lock file and serving the startup
 * socket) or hands its client's descriptors to the process that already
 * is. Blocks until manager.done, then unregisters callbacks and tears
 * down state and modules.
 *
 * Returns 0; most failures exit(1) or go through reply_and_exit() instead.
 */
int
main(
    int                                 argc,
    char **                             argv)
{
    int                                 rc;
    globus_gram_job_manager_config_t    config;
    globus_gram_job_manager_t           manager;
    char *                              sleeptime_str;
    long                                sleeptime = 0;
    globus_bool_t                       debug_mode_service = GLOBUS_FALSE;
    globus_bool_t                       located_active_jm = GLOBUS_FALSE;
    int                                 http_body_fd = -1;
    int                                 context_fd = -1;
    gss_cred_id_t                       cred = GSS_C_NO_CREDENTIAL;
    OM_uint32                           major_status, minor_status;
    pid_t                               forked_starter = 0;
    globus_bool_t                       cgi_invoked = GLOBUS_FALSE;
    int                                 lock_tries_left = 10;

    /* Debug aid: delay start-up (e.g. to attach a debugger).
     * NOTE(review): atoi() does no validation; a negative value reaches
     * sleep() as an unsigned and sleeps for a very long time. */
    if ((sleeptime_str = getenv("GLOBUS_JOB_MANAGER_SLEEP")))
    {
        sleeptime = atoi(sleeptime_str);
        sleep(sleeptime);
    }

    /* GATEWAY_INTERFACE is set when we are run as a CGI program. */
    if (getenv("GATEWAY_INTERFACE"))
    {
        cgi_invoked = GLOBUS_TRUE;
    }

    /*
     * Stdin and stdout point at socket to client
     * Make sure no buffering.
     * stderr may also, depending on the option in the grid-services
     */
    setbuf(stdout,NULL);

    /* Don't export these to the perl scripts */
    /* (F_SETFD 1 is FD_CLOEXEC: the descriptors close across exec.) */
    fcntl(STDIN_FILENO, F_SETFD, (int) 1);
    fcntl(STDOUT_FILENO, F_SETFD, (int) 1);
    fcntl(STDERR_FILENO, F_SETFD, (int) 1);

    /*
     * At least have minimal POSIX path for job environment via extra
     * environment values
     */
    if(getenv("PATH") == NULL)
    {
        char *                          path;
        char                            default_path[] = "/usr/bin:/bin";
        size_t                          pathlen;

        pathlen = confstr(_CS_PATH, NULL, (size_t) 0);

        /* The buffer is never smaller than the fallback, so the strncpy
         * below always copies default_path's terminating NUL. */
        if (pathlen < sizeof(default_path))
        {
            pathlen = sizeof(default_path);
        }
        /* NOTE(review): malloc result is unchecked; NULL is dereferenced
         * on the next line. setenv() copies the string, so `path` is also
         * never freed. */
        path = malloc(pathlen);
        path[0] = 0;

        (void) confstr(_CS_PATH, path, pathlen);

        if (path[0] == 0)
        {
            strncpy(path, default_path, pathlen);
        }
        setenv("PATH", path, 1);
    }

    /* Force non-threaded execution for now */
    globus_thread_set_model(GLOBUS_THREAD_MODEL_NONE);

    /* Activate a common before parsing command-line so that
     * things work. Note that we can't activate everything yet because we might
     * set the GLOBUS_TCP_PORT_RANGE after parsing command-line args and we
     * need that set before activating XIO.
     */
    rc = globus_module_activate(GLOBUS_COMMON_MODULE);
    if (rc != GLOBUS_SUCCESS)
    {
        fprintf(stderr, "Error activating GLOBUS_COMMON_MODULE\n");
        exit(1);
    }

    /* Parse command line options to get jobmanager configuration */
    rc = globus_gram_job_manager_config_init(&config, argc, argv);
    if (rc != GLOBUS_SUCCESS)
    {
        reply_and_exit(NULL, rc, NULL);
    }
    globus_thread_key_create(
            &globus_i_gram_request_key,
            NULL);

    rc = globus_gram_job_manager_logging_init(&config);
    if (rc != GLOBUS_SUCCESS)
    {
        exit(1);
    }

    /* No gatekeeper-supplied body fd and not CGI: started by hand. */
    if (getenv("GRID_SECURITY_HTTP_BODY_FD") == NULL && !cgi_invoked)
    {
        debug_mode_service = GLOBUS_TRUE;
    }

    /* Set environment variables from configuration */
    if(config.globus_location != NULL)
    {
        globus_libc_setenv("GLOBUS_LOCATION",
                           config.globus_location,
                           GLOBUS_TRUE);
    }
    if(config.tcp_port_range != NULL)
    {
        globus_libc_setenv("GLOBUS_TCP_PORT_RANGE",
                           config.tcp_port_range,
                           GLOBUS_TRUE);
    }
    if(config.tcp_source_range != NULL)
    {
        globus_libc_setenv("GLOBUS_TCP_SOURCE_RANGE",
                           config.tcp_source_range,
                           GLOBUS_TRUE);
    }

    /* Activate all of the modules we will be using */
    rc = globus_l_gram_job_manager_activate();
    if(rc != GLOBUS_SUCCESS)
    {
        exit(1);
    }

    /*
     * Get the delegated credential (or the default credential if we are
     * run without a client. Don't care about errors in the latter case.
     */
    major_status = globus_gss_assist_acquire_cred(
            &minor_status,
            GSS_C_BOTH,
            &cred);
    if ((!debug_mode_service) && GSS_ERROR(major_status))
    {
        globus_gss_assist_display_status(
                stderr,
                "Error acquiring security credential\n",
                major_status,
                minor_status,
                0);
        exit(1);
    }

    /* Qualify the service tag with a hash of the credential's DN so that
     * different users do not share lock/socket state. */
    if (cred != GSS_C_NO_CREDENTIAL)
    {
        unsigned long                   hash;
        char *                          newtag;

        rc = globus_gram_gsi_get_dn_hash(
                cred,
                &hash);
        if (rc == GLOBUS_SUCCESS)
        {
            newtag = globus_common_create_string("%s%s%lx",
                    strcmp(config.service_tag, "untagged") == 0
                        ? ""
                        : config.service_tag,
                    strcmp(config.service_tag, "untagged") == 0
                        ? ""
                        : ".",
                    hash);
            free(config.service_tag);
            config.service_tag = newtag;
        }
    }

    /*
     * Remove delegated proxy from disk.
     * NOTE(review): remove() is unchecked, so a failure leaves the
     * delegated proxy file behind while the variable is unset.
     */
    if ((!debug_mode_service) && getenv("X509_USER_PROXY") != NULL)
    {
        remove(getenv("X509_USER_PROXY"));
        unsetenv("X509_USER_PROXY");
    }

    /* Set up LRM-specific state based on our configuration. This will create
     * the job contact listener, start the SEG if needed, and open the log
     * file if needed.
     */
    rc = globus_gram_job_manager_init(&manager, cred, &config);
    if(rc != GLOBUS_SUCCESS)
    {
        reply_and_exit(NULL, rc, manager.gt3_failure_message);
    }

    /*
     * Pull out file descriptor numbers for security context and job request
     * from the environment (set by the gatekeeper)
     */
    if (cgi_invoked)
    {
        http_body_fd = 0;
        context_fd = -1;
    }
    else if (!debug_mode_service)
    {
        char * fd_env = getenv("GRID_SECURITY_HTTP_BODY_FD");
        rc = sscanf(fd_env ? fd_env : "-1", "%d", &http_body_fd);
        if (rc != 1 || http_body_fd < 0)
        {
            fprintf(stderr, "Error locating http body fd\n");
            exit(1);
        }
        fcntl(http_body_fd, F_SETFD, 1);

        fd_env = getenv("GRID_SECURITY_CONTEXT_FD");
        rc = sscanf(fd_env ? fd_env : "-1", "%d", &context_fd);
        if (rc != 1 || context_fd < 0)
        {
            fprintf(stderr, "Error locating security context fd\n");
            exit(1);
        }
        fcntl(context_fd, F_SETFD, 1);
    }

    /* Redirect stdin from /dev/null, we'll handle stdout after the reply is
     * sent
     */
    if (!cgi_invoked)
    {
        freopen("/dev/null", "r", stdin);
    }

    /* Here we'll either become the active job manager to process all
     * jobs for this user/host/lrm combination, or we'll hand off the
     * file descriptors containing the info to the active job manager
     */
    while (!located_active_jm)
    {
        /* We'll try to get the lock file associated with being the
         * active job manager here. If we get the OLD_JM_ALIVE error
         * somebody else has it
         */
        rc = globus_gram_job_manager_startup_lock(
                &manager,
                &manager.lock_fd);

        if (rc == GLOBUS_SUCCESS)
        {
            /* We've acquired the lock. We will fork a new process to act like
             * all other job managers which don't have the lock, and continue
             * on in this process managing jobs for this LRM. Note that the
             * child process does not inherit the lock
             */
            if (!debug_mode_service)
            {
                int save_errno = 0;
                /* We've acquired the manager lock */
                forked_starter = fork();
                /* Saved at once: the calls below may overwrite errno. */
                save_errno = errno;

                if (forked_starter < 0)
                {
                    if (sleeptime != 0)
                    {
                        sleep(sleeptime);
                    }
                    fprintf(stderr, "fork failed: %s", strerror(save_errno));
                    exit(1);
                }
                else if (forked_starter == 0)
                {
                    /* We are the child process. We'll close our reference to
                     * the lock and let the other process deal with jobs
                     */
                    close(manager.lock_fd);
                    manager.lock_fd = -1;
                }
                globus_logging_update_pid();
                if (sleeptime != 0)
                {
                    sleep(sleeptime);
                }
            }
            if (manager.lock_fd >= 0)
            {
                /* We hold the manager lock, so we'll store our credential, and
                 * then, try to accept socket connections. If the socket
                 * connections fail, we'll exit, and another process
                 * will be forked to handle them.
                 */
                rc = globus_gram_job_manager_gsi_write_credential(
                        NULL,
                        cred,
                        manager.cred_path);

                if (rc != GLOBUS_SUCCESS)
                {
                    fprintf(stderr, "write cred failed\n");
                    exit(1);
                }
                if (!debug_mode_service)
                {
                    close(http_body_fd);
                    http_body_fd = -1;
                }

                rc = globus_gram_job_manager_startup_socket_init(
                        &manager,
                        &manager.active_job_manager_handle,
                        &manager.socket_fd);
                if (rc != GLOBUS_SUCCESS)
                {
                    /* This releases our lock. Either the child process will
                     * attempt to acquire the lock again or some another job
                     * manager will acquire the lock
                     */
                    exit(0);
                }
                assert(manager.socket_fd != -1);
            }
        }
        else if (rc != GLOBUS_GRAM_PROTOCOL_ERROR_OLD_JM_ALIVE)
        {
            /* Some system error. Try again */
            if (--lock_tries_left == 0)
            {
                reply_and_exit(NULL, rc, "Unable to create lock file");
            }
            sleep(1);
            continue;
        }

        /* If manager.socket_fd != -1 then we are the main job manager for this
         * LRM.
         * We will restart all existing jobs and then allow the startup
         * socket to accept new jobs from other job managers.
         */
        if (manager.socket_fd != -1)
        {
            /* Look up cputype/manufacturer if not known yet */
            globus_l_gram_cputype_and_manufacturer(manager.config);

            GlobusTimeAbstimeGetCurrent(manager.usagetracker->jm_start_time);

            globus_i_gram_usage_stats_init(&manager);
            globus_i_gram_usage_start_session_stats(&manager);

            located_active_jm = GLOBUS_TRUE;

            /* Load existing jobs. The show must go on if this fails, unless it
             * fails with a misconfiguration error
             */
            rc = globus_gram_job_manager_request_load_all(
                    &manager);
            if (rc == GLOBUS_GRAM_PROTOCOL_ERROR_GATEKEEPER_MISCONFIGURED)
            {
                /* Take the forked starter down with us so it does not keep
                 * retrying against a misconfigured gatekeeper. */
                if (forked_starter > 0)
                {
                    kill(forked_starter, SIGTERM);
                    forked_starter = 0;
                }
                reply_and_exit(NULL, rc, manager.gt3_failure_message);
            }
            if (context_fd != -1)
            {
                close(context_fd);
                context_fd = -1;
            }
            freopen("/dev/null", "a", stdout);

            /* At this point, seg_last_timestamp is the earliest last timestamp
             * for any pre-existing jobs. If that is 0, then we don't have any
             * existing jobs so we'll just ignore seg events prior to now.
             */
            if (manager.seg_last_timestamp == 0)
            {
                manager.seg_last_timestamp = time(NULL);
            }

            /* Start off the SEG if we need it. */
            if (config.seg_module != NULL ||
                strcmp(config.jobmanager_type, "fork") == 0 ||
                strcmp(config.jobmanager_type, "condor") == 0)
            {
                rc = globus_gram_job_manager_init_seg(&manager);

                /* TODO: If SEG load fails and load_all added some to the
                 * job_id hash, they will need to be pushed into the state
                 * machine so that polling fallback can happen.
                 */
                if (rc != GLOBUS_SUCCESS)
                {
                    config.seg_module = NULL;
                }
            }

            /* GRAM-128:
             * Register a periodic event to process the GRAM jobs that were
             * reloaded from their job state files at job manager start time.
             * This will acquire and then release a reference to each job,
             * which, behind the scenes, will kick of the state machine
             * for that job if needed.
             *
             * NOTE(review): the rc of each register_periodic call below is
             * overwritten without being checked, so a failed registration
             * silently disables that periodic task.
             */
            if (!globus_list_empty(manager.pending_restarts))
            {
                globus_reltime_t        restart_period;

                GlobusTimeReltimeSet(restart_period, 1, 0);

                rc = globus_callback_register_periodic(
                        &manager.pending_restart_handle,
                        NULL,
                        &restart_period,
                        globus_l_gram_process_pending_restarts,
                        &manager);
            }
            {
                globus_reltime_t        expire_period;

                GlobusTimeReltimeSet(expire_period, 1, 0);
                rc = globus_callback_register_periodic(
                        &manager.expiration_handle,
                        NULL,
                        &expire_period,
                        globus_gram_job_manager_expire_old_jobs,
                        &manager);
            }
            {
                globus_reltime_t        lockcheck_period;

                GlobusTimeReltimeSet(lockcheck_period, 60, 0);
                rc = globus_callback_register_periodic(
                        &manager.lockcheck_handle,
                        NULL,
                        &lockcheck_period,
                        globus_l_gram_lockcheck,
                        &manager);
            }
            {
                globus_reltime_t        idlescript_period;

                GlobusTimeReltimeSet(idlescript_period, 60, 0);
                rc = globus_callback_register_periodic(
                        &manager.idle_script_handle,
                        NULL,
                        &idlescript_period,
                        globus_gram_script_close_idle,
                        &manager);
            }
        }
        else if (http_body_fd >= 0)
        {
            /* If manager.socket_fd == -1 then we are either the child from the
             * fork or another process started somehow (either command-line
             * invocation or via a job submit). If we have a client, then we'll
             * send our fds to the job manager with the lock and let it process
             * the job.
             *
             * If this succeeds, we set located_active_jm and leave the loop.
             * Otherwise, we try again.
             */
            if (context_fd >= 0)
            {
                rc = globus_gram_job_manager_starter_send(
                        &manager,
                        http_body_fd,
                        context_fd,
                        fileno(stdout),
                        cred);
            }
            else
            {
                rc = globus_gram_job_manager_starter_send_v2(
                        &manager,
                        cred);
            }
            if (rc == GLOBUS_SUCCESS)
            {
                located_active_jm = GLOBUS_TRUE;
                close(http_body_fd);
                if (context_fd >= 0)
                {
                    close(context_fd);
                }
                manager.done = GLOBUS_TRUE;
            }
            else
            {
                globus_libc_usleep(250000);
            }
        }
        else
        {
            /* We were started by hand, but another process is currently the
             * main job manager
             *
             * NOTE(review): fopen() is unchecked here; if the pid file is
             * missing or unreadable, fscanf()/fclose() run on a NULL
             * stream. fscanf()'s result is unchecked too, so realpid may
             * remain 0 in the message.
             */
            unsigned long realpid = 0;
            FILE * pidin = fopen(manager.pid_path, "r");
            fscanf(pidin, "%lu", &realpid);
            fclose(pidin);

            fprintf(stderr,
                    "Other job manager process with pid %lu running and processing jobs\n",
                    realpid);
            exit(0);
        }
    }

    /* Ignore SIGCHILD, and automatically reap child processes. Because of the
     * fork() above to delegate to another job manager process, and the use of
     * sub-processes to invoke the perl modules, we create some other
     * processes. We don't care too much how they exit, so we'll just make sure
     * we don't create zombies out of them.
     */
    {
        struct sigaction act;

        act.sa_handler = SIG_IGN;
        sigemptyset(&act.sa_mask);
        sigaddset(&act.sa_mask, SIGCHLD);
#ifdef SA_NOCLDWAIT
        act.sa_flags = SA_NOCLDWAIT;
#else
        /* This may leave zombies running on non-POSIX systems like Hurd */
        act.sa_flags = 0;
#endif
        sigaction(SIGCHLD, &act, NULL);
    }

    /* Enable log rotation via SIGUSR1 */
    {
        struct sigaction act;

        act.sa_handler = globus_i_job_manager_log_rotate;
        sigemptyset(&act.sa_mask);
        sigaddset(&act.sa_mask, SIGUSR1);
        act.sa_flags = 0;
        sigaction(SIGUSR1, &act, NULL);
    }

    /* An active manager with no jobs yet starts its grace-period timer so
     * it eventually exits if nothing arrives. */
    GlobusGramJobManagerLock(&manager);
    if (manager.socket_fd != -1 &&
        globus_hashtable_empty(&manager.request_hash) &&
        manager.grace_period_timer == GLOBUS_NULL_HANDLE)
    {
        globus_gram_job_manager_set_grace_period_timer(&manager);
    }

    /* For the active job manager, this will block until all jobs have
     * terminated. For any other job manager, the monitor.done is set to
     * GLOBUS_TRUE and this falls right through.
     */
    while (!manager.done)
    {
        GlobusGramJobManagerWait(&manager);
    }
    if (manager.expiration_handle != GLOBUS_NULL_HANDLE)
    {
        globus_callback_unregister(manager.expiration_handle, NULL, NULL, NULL);
    }
    if (manager.lockcheck_handle != GLOBUS_NULL_HANDLE)
    {
        globus_callback_unregister(manager.lockcheck_handle, NULL, NULL, NULL);
    }
    if (manager.idle_script_handle != GLOBUS_NULL_HANDLE)
    {
        globus_callback_unregister(manager.idle_script_handle, NULL, NULL, NULL);
    }
    GlobusGramJobManagerUnlock(&manager);

    globus_gram_job_manager_log(
            &manager,
            GLOBUS_GRAM_JOB_MANAGER_LOG_DEBUG,
            "event=gram.end "
            "level=DEBUG "
            "\n");

    /* Clean-up to do if we are the active job manager only */
    if (manager.socket_fd != -1)
    {
        globus_gram_job_manager_script_close_all(&manager);
        globus_i_gram_usage_end_session_stats(&manager);
        globus_i_gram_usage_stats_destroy(&manager);
        remove(manager.pid_path);
        remove(manager.cred_path);
        remove(manager.socket_path);
        remove(manager.lock_path);
    }
    globus_gram_job_manager_logging_destroy();
    globus_gram_job_manager_destroy(&manager);
    globus_gram_job_manager_config_destroy(&config);

    rc = globus_l_gram_deactivate();
    if (rc != GLOBUS_SUCCESS)
    {
        fprintf(stderr, "deactivation failed with rc=%d\n", rc);
        exit(1);
    }

    /*
    {
        const char * gk_jm_id_var = "GATEKEEPER_JM_ID";
        const char * gk_jm_id = globus_libc_getenv(gk_jm_id_var);

        globus_gram_job_manager_request_acct(
            request,
            "%s %s JM exiting\n",
            gk_jm_id_var,
            gk_jm_id ? gk_jm_id : "none");
    }
    */
    return(0);
}
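/**
 * @brief Wrap and send
 * @ingroup globus_gsi_gss_assist
 *
 * Wrap @a data with gss_wrap() under @a context_handle and hand the
 * resulting token to @a gss_assist_send_token.
 *
 * @param minor_status
 *        GSSAPI return code. Set to GLOBUS_SUCCESS on success. Otherwise,
 *        it is an error object ID for which globus_error_get() and
 *        globus_object_free() can be used to get and destroy it.
 * @param context_handle
 *        the context.
 * @param data
 *        pointer to application data to wrap and send
 * @param length
 *        length of the @a data array
 * @param token_status
 *        assist routine get/send token status: 0 on success, otherwise
 *        the value returned by @a gss_assist_send_token
 * @param gss_assist_send_token
 *        a send_token routine
 * @param gss_assist_send_context
 *        first arg for the send_token
 * @param fperr
 *        file handle to write error message to, or NULL for no message.
 *
 * @return
 *        GSS_S_COMPLETE on success
 *        Other GSSAPI errors on failure; GSS_S_FAILURE when the wrapped
 *        token could not be sent.
 *
 * @note gss_wrap() is invoked with conf_req_flag 0, so only integrity
 *       protection is requested from the mechanism here; whether the data
 *       is also encrypted depends on the mechanism and the context's
 *       negotiated flags. Callers must not assume confidentiality from
 *       this call alone.
 *
 * @see gss_wrap()
 */
OM_uint32
globus_gss_assist_wrap_send(
    OM_uint32 *                         minor_status,
    const gss_ctx_id_t                  context_handle,
    char *                              data,
    size_t                              length,
    int *                               token_status,
    int (*gss_assist_send_token)(void *, void *, size_t),
    void *                              gss_assist_send_context,
    FILE *                              fperr)
{
    OM_uint32                           major_status = GSS_S_COMPLETE;
    OM_uint32                           local_minor_status = 0;
    globus_result_t                     local_result = GLOBUS_SUCCESS;
    gss_buffer_desc                     input_token_desc = GSS_C_EMPTY_BUFFER;
    gss_buffer_t                        input_token = &input_token_desc;
    gss_buffer_desc                     output_token_desc = GSS_C_EMPTY_BUFFER;
    gss_buffer_t                        output_token = &output_token_desc;
    static char *                       _function_name_ =
        "globus_gss_assist_wrap_send";
    GLOBUS_I_GSI_GSS_ASSIST_DEBUG_ENTER;

    /* Define both out-parameters up front so no return path hands the
     * caller a stale or never-written value. */
    *token_status = 0;
    *minor_status = GLOBUS_SUCCESS;

    input_token->value = data;
    input_token->length = length;

    major_status = gss_wrap(&local_minor_status,
                            context_handle,
                            0,
                            GSS_C_QOP_DEFAULT,
                            input_token,
                            NULL,
                            output_token);

    /* Trace the local minor status (the one gss_wrap just wrote), and pass
     * the size_t lengths as the unsigned ints the format string expects. */
    GLOBUS_I_GSI_GSS_ASSIST_DEBUG_FPRINTF(
        3, (globus_i_gsi_gss_assist_debug_fstream,
            _GASL("Wrap_send:maj:%8.8x min:%8.8x inlen:%u outlen:%u\n"),
            (unsigned int) major_status,
            (unsigned int) local_minor_status,
            (unsigned int) input_token->length,
            (unsigned int) output_token->length));

    if (major_status != GSS_S_COMPLETE)
    {
        globus_object_t *               error_obj;
        globus_object_t *               error_copy;

        /* The mechanism's minor status is a globus_result_t. Keep a copy
         * so one object can be shown to the user and the other handed back
         * to the caller (chained with the assist error code). */
        error_obj = globus_error_get((globus_result_t) local_minor_status);
        error_copy = globus_object_copy(error_obj);

        local_minor_status = (OM_uint32) globus_error_put(error_obj);

        if (fperr)
        {
            globus_gss_assist_display_status(
                fperr,
                _GASL("gss_assist_wrap_send failure:"),
                major_status,
                local_minor_status,
                *token_status);
        }

        local_result = globus_error_put(error_copy);
        GLOBUS_GSI_GSS_ASSIST_ERROR_CHAIN_RESULT(
            local_result,
            GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_WRAP);
        *minor_status = (OM_uint32) local_result;
        goto release_output_token;
    }

    *token_status = (*gss_assist_send_token)(gss_assist_send_context,
                                             output_token->value,
                                             output_token->length);
    if (*token_status != 0)
    {
        GLOBUS_GSI_GSS_ASSIST_ERROR_RESULT(
            local_result,
            GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_WRAP,
            (_GASL("Error sending output token. token status: %d\n"),
             *token_status));
        *minor_status = (OM_uint32) local_result;
        major_status = GSS_S_FAILURE;
        goto release_output_token;
    }

    major_status = gss_release_buffer(&local_minor_status, output_token);
    if (GSS_ERROR(major_status))
    {
        GLOBUS_GSI_GSS_ASSIST_ERROR_CHAIN_RESULT(
            local_result,
            GLOBUS_GSI_GSS_ASSIST_ERROR_WITH_WRAP);
        *minor_status = (OM_uint32) local_result;
    }
    goto out;

release_output_token:
    gss_release_buffer(&local_minor_status, output_token);

out:
    GLOBUS_I_GSI_GSS_ASSIST_DEBUG_EXIT;
    return major_status;
}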
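/*
 * Receive one wrapped message on the acceptor side and print it when
 * GSS_ASSIST_VERBOSE_TEST is set. Exits the process on failure, as the
 * rest of this test program does.
 */
static void
acceptor_recv_print(gss_ctx_id_t ctx, FILE *infd, const char *verbose_env)
{
    OM_uint32 major_status;
    OM_uint32 minor_status;
    int token_status;
    char *recv_buffer = NULL;
    char *print_buffer = NULL;
    size_t buffer_length = 0;

    major_status = globus_gss_assist_get_unwrap(
        &minor_status,
        ctx,
        &recv_buffer,
        &buffer_length,
        &token_status,
        globus_gss_assist_token_get_fd,
        (void *) (infd),
        stdout);
    if (GSS_ERROR(major_status)) {
        fprintf(stdout, "ACCEPTOR ERROR\n");
        globus_gss_assist_display_status(
            stdout,
            "ACCEPTOR: Couldn't get encrypted message from initiator\n",
            major_status,
            minor_status,
            token_status);
        fprintf(stdout, "ACCEPTOR ERROR FINISHED\n");
        exit(1);
    }

    /* The unwrapped data carries no terminator of its own; copy exactly
     * buffer_length bytes and terminate before printing with %s. */
    print_buffer = malloc(buffer_length + 1);
    if (print_buffer == NULL) {
        perror("malloc");
        exit(1);
    }
    if (buffer_length > 0) {
        memcpy(print_buffer, recv_buffer, buffer_length);
    }
    print_buffer[buffer_length] = '\0';

    if (verbose_env) {
        fprintf(stdout, "ACCEPTOR: "__FILE__":%d" ": received: %s\n",
                __LINE__, print_buffer);
    }
    free(print_buffer);
    free(recv_buffer);
}

/*
 * Wrap and send the file-level accept_message on the acceptor side.
 * Exits the process on failure.
 */
static void
acceptor_send(gss_ctx_id_t ctx, FILE *outfd)
{
    OM_uint32 major_status;
    OM_uint32 minor_status;
    int token_status;

    major_status = globus_gss_assist_wrap_send(
        &minor_status,
        ctx,
        accept_message,
        sizeof(accept_message),
        &token_status,
        globus_gss_assist_token_send_fd,
        (void *) (outfd),
        stdout);
    if (GSS_ERROR(major_status)) {
        globus_gss_assist_display_status(
            stdout,
            "ACCEPTOR: Couldn't encrypt and send message\n",
            major_status,
            minor_status,
            token_status);
        exit(1);
    }
}

/*
 * Acceptor side of the gss_assist wrap/unwrap test.
 *
 * Listens on an ephemeral IPv4 port (printed to stdout for the initiator),
 * accepts one connection, establishes a security context, then performs
 * two receive/send rounds before tearing everything down. Every failure
 * exits non-zero. Command-line arguments are not used.
 */
int
main(int argc, char *argv[])
{
    gss_cred_id_t accept_cred = GSS_C_NO_CREDENTIAL;
    gss_cred_id_t delegated_init_cred = GSS_C_NO_CREDENTIAL;
    OM_uint32 major_status;
    OM_uint32 minor_status;
    int token_status;
    gss_ctx_id_t accept_context = GSS_C_NO_CONTEXT;
    OM_uint32 ret_flags = 0;
    int sock, connect_sock;
    FILE *infd;
    FILE *outfd;
    struct sockaddr_in sockaddr;
    socklen_t length;
    char *init_name = NULL;
    char *verbose_env = NULL;

    (void) argc;
    (void) argv;

    globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE);

    verbose_env = getenv("GSS_ASSIST_VERBOSE_TEST");
    setbuf(stdout, NULL);

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("opening stream socket");
        exit(1);
    }

    memset(&sockaddr, 0, sizeof(sockaddr));
    sockaddr.sin_family = AF_INET;
    sockaddr.sin_addr.s_addr = INADDR_ANY;
    sockaddr.sin_port = 0;      /* let the kernel pick a port */
    if (bind(sock, (struct sockaddr *) &sockaddr, sizeof(sockaddr))) {
        perror("binding stream socket");
        exit(1);
    }

    length = sizeof(sockaddr);
    if (getsockname(sock, (struct sockaddr *) &sockaddr, &length)) {
        perror("getting socket name");
        exit(1);
    }

    /* Start accepting connection */
    if (listen(sock, 1) < 0) {
        perror("listen");
        exit(1);
    }
    fprintf(stdout, "Socket has port #%d\n", ntohs(sockaddr.sin_port));

    connect_sock = accept(sock, NULL, NULL);
    if (connect_sock == -1) {
        perror("accept");
        exit(1);
    }
    if (close(sock) < 0) {
        perror("Couldn't close listening socket");
        exit(1);
    }

    /* Separate unbuffered read and write streams over duplicated
     * descriptors; the token routines take FILE * arguments. */
    infd = fdopen(dup(connect_sock), "r");
    outfd = fdopen(dup(connect_sock), "w");
    if (infd == NULL || outfd == NULL) {
        perror("fdopen");
        exit(1);
    }
    setbuf(infd, NULL);
    setbuf(outfd, NULL);
    close(connect_sock);

    /* ACCEPTOR PROCESS */
    major_status = globus_gss_assist_acquire_cred(&minor_status,
                                                  GSS_C_ACCEPT,
                                                  &accept_cred);
    if (GSS_ERROR(major_status)) {
        globus_gss_assist_display_status(
            stdout,
            "ACCEPTOR: Couldn't acquire acceptor's credentials",
            major_status,
            minor_status,
            0);
        exit(1);
    }

    major_status = globus_gss_assist_accept_sec_context(
        &minor_status,
        &accept_context,
        accept_cred,
        &init_name,
        &ret_flags,
        NULL,
        &token_status,
        &delegated_init_cred,
        globus_gss_assist_token_get_fd,
        (void *) (infd),
        globus_gss_assist_token_send_fd,
        (void *) (outfd));
    if (GSS_ERROR(major_status)) {
        globus_gss_assist_display_status(
            stdout,
            "ACCEPTOR: Couldn't authenticate as acceptor\n",
            major_status,
            minor_status,
            token_status);
        exit(1);
    }
    if (verbose_env) {
        fprintf(stdout, "ACCEPTOR: "__FILE__":%d"
                ": Acceptor successfully created context"
                " for initiator: %s\n",
                __LINE__, init_name ? init_name : "(none)");
    }

    /* If the initiator delegated a credential, this test has no use for
     * it; release it rather than keep it alive until exit. */
    if (delegated_init_cred != GSS_C_NO_CREDENTIAL) {
        OM_uint32 release_minor;
        gss_release_cred(&release_minor, &delegated_init_cred);
    }

    /* Two receive/send rounds, mirrored by the initiator. */
    acceptor_recv_print(accept_context, infd, verbose_env);
    acceptor_send(accept_context, outfd);
    acceptor_recv_print(accept_context, infd, verbose_env);
    acceptor_send(accept_context, outfd);

    major_status = gss_delete_sec_context(&minor_status,
                                          &accept_context,
                                          GSS_C_NO_BUFFER);
    if (major_status != GSS_S_COMPLETE) {
        globus_gss_assist_display_status(
            stdout,
            "ACCEPTOR: Couldn't delete security context\n",
            major_status,
            minor_status,
            0);
        exit(1);
    }

    /* Capture the release status: the check below must not reuse the
     * (successful) status left over from gss_delete_sec_context. */
    major_status = gss_release_cred(&minor_status, &accept_cred);
    if (major_status != GSS_S_COMPLETE) {
        globus_gss_assist_display_status(
            stdout,
            "ACCEPTOR: Couldn't release credential\n",
            major_status,
            minor_status,
            0);
        exit(1);
    }

    /* The assist library hands the peer name back as an allocated string
     * (per its documentation -- confirm for the library version in use). */
    free(init_name);

    if (fclose(infd) == EOF) {
        perror("closing stream socket");
        exit(1);
    }
    if (fclose(outfd) == EOF) {
        perror("closing stream socket");
        exit(1);
    }

    globus_module_deactivate(GLOBUS_GSI_GSS_ASSIST_MODULE);
    exit(0);
}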
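/**
 * @ingroup globus_gsi_gss_assist
 * Gets a token using the specific tokenizing functions,
 * and performs the GSS unwrap of that token
 *
 * @see gss_unwrap
 *
 * @param minor_status
 *        GSSAPI return code, @see gss_unwrap. Always written: it is the
 *        gss_unwrap() minor status once a token was received, and 0 when
 *        the token routine itself failed.
 * @param context_handle
 *        the context
 * @param data
 *        pointer to be set to the unwrapped application data. This must be
 *        freed by the caller. Set to NULL (with @a length 0) on failure.
 * @param length
 *        pointer to be set to the length of the @a data byte array.
 * @param token_status
 *        assist routine get/send token status: 0 on success, otherwise
 *        the value returned by @a gss_assist_get_token
 * @param gss_assist_get_token
 *        a detokenizing routine
 * @param gss_assist_get_context
 *        first arg for above routine
 * @param fperr
 *        error stream to print to, or NULL for no message
 *
 * @return
 *        GSS_S_COMPLETE on success
 *        Other gss errors on failure; GSS_S_FAILURE when no token could
 *        be read.
 */
OM_uint32
globus_gss_assist_get_unwrap(
    OM_uint32 *                         minor_status,
    const gss_ctx_id_t                  context_handle,
    char **                             data,
    size_t *                            length,
    int *                               token_status,
    int (*gss_assist_get_token)(void *, void **, size_t *),
    void *                              gss_assist_get_context,
    FILE *                              fperr)
{
    OM_uint32                           major_status = GSS_S_COMPLETE;
    OM_uint32                           minor_status1 = 0;
    gss_buffer_desc                     input_token_desc = GSS_C_EMPTY_BUFFER;
    gss_buffer_t                        input_token = &input_token_desc;
    gss_buffer_desc                     output_token_desc = GSS_C_EMPTY_BUFFER;
    gss_buffer_t                        output_token = &output_token_desc;
    static char *                       _function_name_ =
        "globus_gss_assist_get_unwrap";
    GLOBUS_I_GSI_GSS_ASSIST_DEBUG_ENTER;

    /* A token failure never reaches gss_unwrap(), so define *minor_status
     * here; otherwise both the display below and the caller would read
     * whatever the caller's variable happened to hold. */
    *minor_status = 0;

    *token_status = (*gss_assist_get_token)(gss_assist_get_context,
                                            &input_token->value,
                                            &input_token->length);

    if (*token_status == 0)
    {
        major_status = gss_unwrap(minor_status,
                                  context_handle,
                                  input_token,
                                  output_token,
                                  NULL,
                                  NULL);

        GLOBUS_I_GSI_GSS_ASSIST_DEBUG_FPRINTF(
            3, (globus_i_gsi_gss_assist_debug_fstream,
                _GASL("unwrap: maj: %8.8x min: %8.8x inlen: %u outlen: %u\n"),
                (unsigned int) major_status,
                (unsigned int) *minor_status,
                (unsigned int) input_token->length,
                (unsigned int) output_token->length));

        /* The received token was allocated by the get_token routine and
         * is no longer needed; the unwrapped output goes to the caller. */
        gss_release_buffer(&minor_status1, input_token);
    }

    if (fperr && (major_status != GSS_S_COMPLETE || *token_status != 0))
    {
        globus_gss_assist_display_status(
            fperr,
            _GASL("gss_assist_get_unwrap failure:"),
            major_status,
            *minor_status,
            *token_status);
    }

    /* On failure output_token is still GSS_C_EMPTY_BUFFER, so the caller
     * sees a NULL pointer and zero length. */
    *data = output_token->value;
    *length = output_token->length;

    if (*token_status)
    {
        major_status = GSS_S_FAILURE;
    }

    GLOBUS_I_GSI_GSS_ASSIST_DEBUG_EXIT;
    return major_status;
}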