XrdSecProtocolgsi.hh
1 /******************************************************************************/
2 /* */
3 /* X r d S e c P r o t o c o l g s i . h h */
4 /* */
5 /* (c) 2005 G. Ganis / CERN */
6 /* */
7 /* This file is part of the XRootD software suite. */
8 /* */
9 /* XRootD is free software: you can redistribute it and/or modify it under */
10 /* the terms of the GNU Lesser General Public License as published by the */
11 /* Free Software Foundation, either version 3 of the License, or (at your */
12 /* option) any later version. */
13 /* */
14 /* XRootD is distributed in the hope that it will be useful, but WITHOUT */
15 /* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or */
16 /* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public */
17 /* License for more details. */
18 /* */
19 /* You should have received a copy of the GNU Lesser General Public License */
20 /* along with XRootD in a file called COPYING.LESSER (LGPL license) and file */
21 /* COPYING (GPL license). If not, see <http://www.gnu.org/licenses/>. */
22 /* */
23 /* The copyright holder's institutional names and contributor's names may not */
24 /* be used to endorse or promote products derived from this software without */
25 /* specific prior written permission of the institution or contributor. */
26 /* */
27 /******************************************************************************/
28 #include <ctime>
29 #include <memory>
30 
31 #include "XrdNet/XrdNetAddrInfo.hh"
32 
33 #include "XrdOuc/XrdOucErrInfo.hh"
34 #include "XrdOuc/XrdOucGMap.hh"
35 #include "XrdOuc/XrdOucHash.hh"
36 #include "XrdOuc/XrdOucString.hh"
38 
39 #include "XrdSys/XrdSysPthread.hh"
40 
43 
44 #include "XrdSut/XrdSutCache.hh"
45 
46 #include "XrdSut/XrdSutPFEntry.hh"
47 #include "XrdSut/XrdSutPFile.hh"
48 #include "XrdSut/XrdSutBuffer.hh"
49 #include "XrdSut/XrdSutRndm.hh"
50 
55 
57 
58 /******************************************************************************/
59 /* D e f i n e s */
60 /******************************************************************************/
61 
64 
// Protocol identifier as sent on the wire, and its length.  Note that
// XrdSecPROTOIDLEN is sizeof() of a string literal, so it counts the
// terminating NUL (4 for "gsi"), not strlen().
#define XrdSecPROTOIDENT "gsi"
#define XrdSecPROTOIDLEN sizeof(XrdSecPROTOIDENT)
// Version of this implementation; the peer's version is kept in
// gsiHSVars::RemVers and presumably compared against the thresholds below.
#define XrdSecgsiVERSION 10600
// Option bits.  NOTE(review): by its name XrdSecNOIPCHK disables an IP
// consistency check; where it is honoured is not visible in this header,
// so treat enabling it as a weakening of peer validation until confirmed.
#define XrdSecNOIPCHK 0x0001
#define XrdSecDEBUG 0x1000
// Maximum number of crypto factories that can be registered at once
// (sizes the cryptF / cryptID / cryptName / refcip arrays below).
#define XrdCryptoMax 10

// Size of the generic fixed-size buffers used by the implementation (.cc).
#define kMAXBUFLEN 1024


// Feature thresholds on the peer's version.  NOTE(review): per the comment,
// a peer reporting a version below XrdSecgsiVersDHsigned sends unsigned DH
// parameters; whether such peers are still accepted (and thus whether an
// active attacker can downgrade the key exchange) is decided in the .cc and
// is worth confirming there.
#define XrdSecgsiVersDHsigned 10400 // Version at which started signing
                                    // of server DH parameters
#define XrdSecgsiVersCertKey 10600 // Version at which started supporting
                                   // authentication with cert/key only
79 
80 //
81 // Message codes either returned by server or included in buffers
// Outcome of one handshake step.  Only kgST_ok means the step succeeded;
// kgST_more means another round trip is required and nothing has been
// authenticated yet, so callers must not grant anything on it.
enum kgsiStatus {
   kgST_error = -1, // error occurred
   kgST_ok = 0, // ok
   kgST_more = 1 // need more info
};
87 
88 // Client steps
90  kXGC_none = 0,
91  kXGC_certreq = 1000, // 1000: request server certificate
92  kXGC_cert, // 1001: packet with (proxy) certificate
93  kXGC_sigpxy, // 1002: packet with signed proxy certificate
95 };
96 
97 // Server steps
99  kXGS_none = 0,
100  kXGS_init = 2000, // 2000: fake code used the first time
101  kXGS_cert, // 2001: packet with certificate
102  kXGS_pxyreq, // 2002: packet with proxy req to be signed
104 };
105 
106 // Handshake options
108  kOptsDlgPxy = 1, // 0x0001: Ask for a delegated proxy
109  kOptsFwdPxy = 2, // 0x0002: Forward local proxy
110  kOptsSigReq = 4, // 0x0004: Accept to sign delegated proxy
111  kOptsSrvReq = 8, // 0x0008: Server request for delegated proxy
112  kOptsPxFile = 16, // 0x0010: Save delegated proxies in file
113  kOptsDelChn = 32, // 0x0020: Delete chain
114  kOptsPxCred = 64, // 0x0040: Save delegated proxies as credentials
115  kOptsCreatePxy = 128 // 0x0080: Request a client proxy
116 };
117 
118 // Error codes
120  kGSErrParseBuffer = 10000, // 10000
128  kGSErrGenCipher, // 10008
129  kGSErrExportPuK, // 10009
132  kGSErrNoRndmTag, // 10012
133  kGSErrNoCipher, // 10013
134  kGSErrNoCreds, // 10014
135  kGSErrBadOpt, // 10015
136  kGSErrMarshal, // 10016
137  kGSErrUnmarshal, // 10017
138  kGSErrSaveCreds, // 10018
139  kGSErrNoBuffer, // 10019
140  kGSErrRefCipher, // 10020
141  kGSErrNoPublic, // 10021
142  kGSErrAddBucket, // 10022
143  kGSErrFinCipher, // 10023
144  kGSErrInit, // 10024
145  kGSErrBadCreds, // 10025
146  kGSErrError // 10026
147 };
148 
// Conditional delete helpers.  NOTE(review): these expand to a bare brace
// block rather than do { ... } while (0), so `if (c) REL1(p); else ...`
// does not parse (the ';' after the block terminates the if).  The `if (x)`
// guards are redundant as well, since delete on a null pointer is a no-op.
// Changing the shape would need a sweep of every user, which this header
// cannot see, so they are left as they are.
#define REL1(x) { if (x) delete x; }
#define REL2(x,y) { if (x) delete x; if (y) delete y; }
#define REL3(x,y,z) { if (x) delete x; if (y) delete y; if (z) delete z; }

// Delete / free and null the pointer, so a later use or SafeDelete() sees 0
// instead of a dangling value.  Same brace-block caveat as above; `x` is
// evaluated more than once, so pass a plain lvalue, never an expression
// with side effects.
#define SafeDelete(x) { if (x) {delete x ; x = 0;} }
#define SafeDelArray(x) { if (x) {delete [] x ; x = 0;} }
#define SafeFree(x) { if (x) {free(x) ; x = 0;} }
156 
// External functions for generic mapping.  These are entry points resolved
// from plugin files named by the gmapfun / authzfun options (see
// LoadGMAPFun / LoadAuthzFun below), so they run in-process with the
// server's privileges: the plugin path must be as trusted as the server
// binary itself.  NOTE(review): ownership of the char* returned by the
// GMAP function is not stated here -- confirm who frees it.
typedef char *(*XrdSecgsiGMAP_t)(const char *, int);         // DN -> user name
typedef int (*XrdSecgsiAuthz_t)(XrdSecEntity &);             // fill the entity
typedef int (*XrdSecgsiAuthzInit_t)(const char *);           // one-time init with parms
typedef int (*XrdSecgsiAuthzKey_t)(XrdSecEntity &, char **); // presumably the key for the authz cache
162 // VOMS extraction
//
// This is a small class that collects the relevant gsi options in one go.
// Bracketed values in the member comments are the documented defaults of
// the underlying settings; every pointer starts out null (the caller fills
// them in and keeps ownership -- see the destructor note).
//
class XrdOucGMap;
class XrdOucTrace;
class gsiOptions {
public:
   short debug = -1;         // [cs] debug flag
   char  mode = 's';         // [cs] 'c' or 's'
   char *clist = 0;          // [s] list of crypto modules ["ssl" ]
   char *certdir = 0;        // [cs] dir with CA info [/etc/grid-security/certificates]
   char *crldir = 0;         // [cs] dir with CRL info [/etc/grid-security/certificates]
   char *crlext = 0;         // [cs] extension of CRL files [.r0]
   char *cert = 0;           // [s] server certificate [/etc/grid-security/root/rootcert.pem]
                             // [c] user certificate [$HOME/.globus/usercert.pem]
   char *key = 0;            // [s] server private key [/etc/grid-security/root/rootkey.pem]
                             // [c] user private key [$HOME/.globus/userkey.pem]
   char *cipher = 0;         // [s] list of ciphers [aes-128-cbc:bf-cbc:des-ede3-cbc]
                             // NOTE(review): the bracketed default lists bf-cbc and
                             // des-ede3-cbc, both 64-bit block ciphers; an AES-only
                             // list is the safer deployment choice.
   char *md = 0;             // [s] list of MDs [sha256:md5]
                             // NOTE(review): md5 appears in the bracketed default;
                             // confirm it is only kept for legacy peers.
   int   crl = 1;            // [cs] check level of CRL's [1]
   int   ca = 1;             // [cs] verification level of CA's [1]
   int   crlrefresh = 86400; // [cs] CRL refresh or expiration period in secs [1 day]
   char *proxy = 0;          // [c] user proxy [/tmp/x509up_u<uid>]
   char *valid = 0;          // [c] proxy validity [12:00]
   int   deplen = 0;         // [c] depth of signature path for proxies [0]
   int   bits = 512;         // [c] bits in PKI for proxies [512]
                             // NOTE(review): 512-bit RSA has been publicly factored
                             // and is far below the accepted 2048-bit minimum.  The
                             // value is kept only to preserve behaviour; deployments
                             // should override it in the configuration.
   char *gridmap = 0;        // [s] gridmap file [/etc/grid-security/gridmap]
   int   gmapto = 600;       // [s] validity in secs of grid-map cache entries [600 s]
   char *gmapfun = 0;        // [s] file with the function to map DN to usernames [0]
   char *gmapfunparms = 0;   // [s] parameters for the function to map DN to usernames [0]
   char *authzfun = 0;       // [s] file with the function to fill entities [0]
   char *authzfunparms = 0;  // [s] parameters for the function to fill entities [0]
   int   authzcall = 1;      // [s] when to call authz function [1 -> always]
   int   authzto = -1;       // [s] validity in secs of authz cache entries [-1 => unlimited]
                             // NOTE(review): with -1 a cached authz result is never
                             // re-evaluated for the lifetime of the process.
   int   ogmap = 1;          // [s] gridmap file checking option
   int   dlgpxy = 0;         // [c] explicitly ask the creation of a delegated proxy; default 0
                             // [s] ask client for proxies; default: do not accept delegated proxies
   int   sigpxy = 1;         // [c] accept delegated proxy requests
   int   createpxy = 1;      // [c] force client proxy authentications
   char *srvnames = 0;       // [c] '|' separated list of allowed server names
   char *exppxy = 0;         // [s] template for the exported file with proxies
   int   authzpxy = 0;       // [s] if 1 make proxy available in exported form in the 'endorsement'
                             // field of the XrdSecEntity object for use in XrdAcc
   int   vomsat = 1;         // [s] 0 do not look for; 1 extract if any
   char *vomsfun = 0;        // [s] file with the function to fill VOMS [0]
   char *vomsfunparms = 0;   // [s] parameters for the function to fill VOMS [0]
   int   moninfo = 0;        // [s] 0 do not look for; 1 use DN as default
   int   hashcomp = 1;       // [cs] 1 send hash names with both algorithms; 0 send only the default [1]

   bool  trustdns = true;    // [cs] 'true' if DNS is trusted [true]
                             // NOTE(review): presumably the name obtained through
                             // DNS for the endpoint is then used when matching the
                             // server certificate; set false where the resolver is
                             // not trusted.

   // All defaults live in the member initializers above.
   gsiOptions() = default;
   virtual ~gsiOptions() { } // Cleanup inside XrdSecProtocolgsiInit
   void Print(XrdOucTrace *t); // Print summary of gsi option status
};
230 
231 class XrdSecProtocolgsi;
232 class gsiHSVars;
233 
234 // From a proxy query
235 typedef struct {
239 } ProxyOut_t;
240 
241 // To query proxies
// To query proxies: input bundle for QueryProxy() / InitProxy().  All
// strings are borrowed (const char *); the struct owns nothing.
typedef struct {
   const char *cert;    // user certificate (cf. gsiOptions::cert)
   const char *key;     // user private key (cf. gsiOptions::key)
   const char *certdir; // dir with CA info (cf. gsiOptions::certdir)
   const char *out;     // presumably the output proxy location
   const char *valid;   // requested validity (cf. gsiOptions::valid)
   int deplen;          // depth of signature path (cf. gsiOptions::deplen)
   int bits;            // RSA key size for the proxy (cf. gsiOptions::bits)
   bool createpxy;      // whether a proxy may be created (cf. gsiOptions::createpxy)
} ProxyIn_t;
252 
253 template<class T>
254 class GSIStack {
255 public:
   // Register t in the stack, keyed by its own pointer value.
   void Add(T *t) {
      char key[40];
      snprintf(key, sizeof(key), "%p", t);
      mtx.Lock();
      // A first-time entry is added twice on purpose: the original code notes
      // that "we need an additional count", i.e. the stack keeps one reference
      // of its own on top of the caller's, so a single matching Del() from the
      // caller does not release the object (presumed Hash_count semantics --
      // verify against XrdOucHash before changing this).
      if (!stack.Find(key)) stack.Add(key, t, 0, Hash_count);
      stack.Add(key, t, 0, Hash_count);
      mtx.UnLock();
   }
   // Drop one reference to t.  With Hash_count the hash releases the object
   // only when its count reaches zero; unknown pointers are silently ignored.
   void Del(T *t) {
      char key[40];
      snprintf(key, sizeof(key), "%p", t);
      mtx.Lock();
      if (stack.Find(key)) stack.Del(key, Hash_count);
      mtx.UnLock();
   }
269 private:
272 };
273 
274 /******************************************************************************/
275 /* X r d S e c P r o t o c o l g s i C l a s s */
276 /******************************************************************************/
277 
279 {
280 friend class gsiOptions;
281 friend class gsiHSVars;
282 public:
   // Server-side step of the handshake: consumes the client's credentials
   // for the current step and (presumably, see kgsiStatus) either completes
   // authentication or hands back the next server message in *parms for
   // another round.  Errors are reported through einfo when given.
   int Authenticate (XrdSecCredentials *cred,
                     XrdSecParameters **parms,
                     XrdOucErrInfo *einfo=0);
286 
288  XrdOucErrInfo *einfo=0);
289 
290  XrdSecProtocolgsi(int opts, const char *hname, XrdNetAddrInfo &endPoint,
291  const char *parms = 0);
292  virtual ~XrdSecProtocolgsi() {} // Delete() does it all
293 
294  // Initialization methods
295  static char *Init(gsiOptions o, XrdOucErrInfo *erp);
296 
297  void Delete();
298 
   // Encrypt / Decrypt methods
   // Bulk protection of inbuf (inlen bytes) with the negotiated session
   // cipher; the result is handed back through *outbuf.  NOTE(review):
   // nothing in this header shows an integrity tag being attached on the
   // Encrypt path, so pair it with Sign / Verify where the data must be
   // tamper-evident -- confirm against the .cc.
   int Encrypt(const char *inbuf, int inlen,
               XrdSecBuffer **outbuf);
   int Decrypt(const char *inbuf, int inlen,
               XrdSecBuffer **outbuf);
   // Sign / Verify methods
   // Presumably Sign uses sessionKsig and Verify checks sigbuf/siglen over
   // inbuf with sessionKver (the peer's key).
   int Sign(const char *inbuf, int inlen,
            XrdSecBuffer **outbuf);
   int Verify(const char *inbuf, int inlen,
              const char *sigbuf, int siglen);

   // Export session key
   // Copies the session key into kbuf (up to klen bytes).  This is secret
   // material: the caller owns the copy and should wipe it after use.  With
   // the default kbuf=0 the call presumably only reports the required
   // length -- confirm in the .cc.
   int getKey(char *kbuf=0, int klen=0);
   // Import a key
   // Replaces the session key with the klen bytes at kbuf.
   int setKey(char *kbuf, int klen);
314 
315  // Enable tracing
316  static XrdOucTrace *EnableTracing();
317 
318 private:
320 
321  // Static members initialized at startup
323  static String CAdir;
324  static String CRLdir;
326  static String SrvCert;
327  static String SrvKey;
328  static String UsrProxy;
329  static String UsrCert;
330  static String UsrKey;
331  static String PxyValid;
332  static int DepLength;
333  static int DefBits;
334  static int CACheck;
335  static int CRLCheck;
336  static int CRLDownload;
337  static int CRLRefresh;
340  static String DefMD;
341  static String DefError;
342  static String GMAPFile;
343  static int GMAPOpt;
344  static bool GMAPuseDNname;
345  static int GMAPCacheTimeOut;
349  static int AuthzCertFmt;
350  static int AuthzCacheTimeOut;
351  static int PxyReqOpts;
352  static int AuthzPxyWhat;
353  static int AuthzPxyWhere;
354  static int AuthzAlways;
356  static int VOMSAttrOpt;
358  static int VOMSCertFmt;
359  static int MonInfoOpt;
360  static bool HashCompatibility;
361  static bool TrustDNS;
362  //
363  // Crypto related info
364  static int ncrypt; // Number of factories
365  static XrdCryptoFactory *cryptF[XrdCryptoMax]; // their hooks
366  static int cryptID[XrdCryptoMax]; // their IDs
367  static String cryptName[XrdCryptoMax]; // their names
368  static XrdCryptoCipher *refcip[XrdCryptoMax]; // ref for session ciphers
369  //
370  // Caches
371  static XrdSutCache cacheCA; // Info about trusted CA's
372  static XrdSutCache cacheCert; // Server certificates info cache
373  static XrdSutCache cachePxy; // Client proxies cache;
374  static XrdSutCache cacheGMAPFun; // Cache for entries mapped by GMAPFun
375  static XrdSutCache cacheAuthzFun; // Cache for entities filled by AuthzFun
376  //
377  // Services
378  static XrdOucGMap *servGMap; // Grid mapping service
379  //
380  // CA and CRL stacks
381  static GSIStack<XrdCryptoX509Chain> stackCA; // Stack of CA in use
382  static std::unique_ptr<GSIStack<XrdCryptoX509Crl>> stackCRL; // Stack of CRL in use
383  //
384  // GMAP control vars
385  static time_t lastGMAPCheck; // time of last check on GMAP
386  static XrdSysMutex mutexGMAP; // mutex to control GMAP reloads
387  //
   // Running options / settings
   static int Debug; // [CS] Debug level
   static bool Server; // [CS] If server mode
   static int TimeSkew; // [CS] Allowed skew in secs for time stamps
                        // (presumably the `skew` passed to CheckTimeStamp;
                        // larger values widen the replay window -- confirm)
392  //
393  // for error logging and tracing
397 
   // Information local to this instance
   int options;                   // presumably the opts passed to the constructor
   XrdCryptoFactory *sessionCF;   // Chosen crypto factory
   XrdCryptoCipher *sessionKey;   // Session Key (result of the handshake)
   XrdSutBucket *bucketKey;       // Bucket with the key in export form
                                  // (the same secret as sessionKey, serialized --
                                  // handle it with the same care)
   XrdCryptoMsgDigest *sessionMD; // Message Digest instance
   XrdCryptoRSA *sessionKsig;     // RSA key to sign
   XrdCryptoRSA *sessionKver;     // RSA key to verify
   X509Chain *proxyChain;         // Chain with the delegated proxy on servers
   bool srvMode;                  // TRUE if server mode
   char *expectedHost;            // Expected hostname if TrustDNS is enabled.
                                  // NOTE(review): with TrustDNS the name coming
                                  // from DNS presumably feeds the name the server
                                  // certificate is matched against (see
                                  // ServerCertNameOK); a spoofable resolver then
                                  // weakens that check.
   bool useIV;                    // Use a non-zeroed unique IV in cipher enc/dec operations
                                  // NOTE(review): when false the cipher presumably
                                  // runs with a fixed (zero) IV, which for CBC modes
                                  // reveals identical plaintext prefixes; keep it
                                  // enabled wherever the peer supports it.
410 
411  // Temporary Handshake local info
413 
414  // Parsing received buffers: client
416  String &emsg);
417  int ClientDoInit(XrdSutBuffer *br, XrdSutBuffer **bm,
418  String &cmsg);
419  int ClientDoCert(XrdSutBuffer *br, XrdSutBuffer **bm,
420  String &cmsg);
422  String &cmsg);
423 
424  // Parsing received buffers: server
426  String &cmsg);
428  String &cmsg);
429  int ServerDoCert(XrdSutBuffer *br, XrdSutBuffer **bm,
430  String &cmsg);
432  String &cmsg);
433 
   // Auxiliary functions
435  int ParseCrypto(String cryptlist);
436  int ParseCAlist(String calist);
437 
   // Load CA certificates
   // cahash is the hash name the CA is looked up by under CAdir; GetCApath
   // turns it into a file system path.  NOTE(review): if the hash name can
   // originate from the peer (see ParseCAlist and gsiHSVars::HashAlg),
   // GetCApath must not let '/' or ".." in it escape CAdir -- confirm in
   // the .cc.
   static int GetCA(const char *cahash,
                    XrdCryptoFactory *cryptof, gsiHSVars *hs = 0);
   static String GetCApath(const char *cahash);
   // Verify the CA chain; `opt` is presumably the CACheck level.
   static bool VerifyCA(int opt, X509Chain *cca, XrdCryptoFactory *cf);
   // Verify a CRL against its issuing CA xca; hashalg presumably selects the
   // name-hash algorithm used to locate the file under crldir.
   static int VerifyCRL(XrdCryptoX509Crl *crl, XrdCryptoX509 *xca, XrdOucString crldir,
                        XrdCryptoFactory *CF, int hashalg);
   // Client side: does the server certificate subject match the host we
   // connected to (hname), or one of the names allowed via srvnames?  A
   // false result should abort the handshake.
   bool ServerCertNameOK(const char *subject, const char *hname, String &e);
447  XrdCryptoFactory *cf,
448  time_t timestamp, String &cal);
449 
450  // Load CRLs
451  static XrdCryptoX509Crl *LoadCRL(XrdCryptoX509 *xca, const char *sjhash,
452  XrdCryptoFactory *CF, int dwld, int &err);
453 
454  // Updating proxies
455  static int QueryProxy(bool checkcache, XrdSutCache *cache, const char *tag,
456  XrdCryptoFactory *cf, time_t timestamp,
457  ProxyIn_t *pi, ProxyOut_t *po);
458  static int InitProxy(ProxyIn_t *pi, XrdCryptoFactory *cf,
459  X509Chain *ch = 0, XrdCryptoRSA **key = 0);
460 
461  // Error functions
462  static void ErrF(XrdOucErrInfo *einfo, kXR_int32 ecode,
463  const char *msg1, const char *msg2 = 0,
464  const char *msg3 = 0);
466  XrdSutBuffer *b2,XrdSutBuffer *b3,
467  kXR_int32 ecode, const char *msg1 = 0,
468  const char *msg2 = 0, const char *msg3 = 0);
469  int ErrS(String ID, XrdOucErrInfo *einfo, XrdSutBuffer *b1,
470  XrdSutBuffer *b2, XrdSutBuffer *b3,
471  kXR_int32 ecode, const char *msg1 = 0,
472  const char *msg2 = 0, const char *msg3 = 0);
473 
   // Check Time stamp: rejects a buffer whose time stamp is further than
   // `skew` seconds from now (the anti-replay window, see TimeSkew).
   bool CheckTimeStamp(XrdSutBuffer *b, int skew, String &emsg);

   // Check random challenge: verifies that the peer echoed our random tag,
   // binding its reply to this handshake; the outcome is presumably what
   // gsiHSVars::RtagOK records.
   bool CheckRtag(XrdSutBuffer *bm, String &emsg);
479 
   // Auxiliary methods
481  int AddSerialized(char opt, kXR_int32 step, String ID,
482  XrdSutBuffer *bls, XrdSutBuffer *buf,
483  kXR_int32 type, XrdCryptoCipher *cip);
484  // Grid map cache handling
485  static XrdSecgsiGMAP_t // Load alternative function for mapping
486  LoadGMAPFun(const char *plugin, const char *parms);
487  static XrdSecgsiAuthz_t // Load alternative function to fill XrdSecEntity
488  LoadAuthzFun(const char *plugin, const char *parms, int &fmt);
489  static XrdSecgsiVOMS_t // Load alternative function to extract VOMS
490  LoadVOMSFun(const char *plugin, const char *parms, int &fmt);
491  static void QueryGMAP(XrdCryptoX509Chain* chain, int now, String &name); //Lookup info for DN
492 
493  // Entity handling
494  void CopyEntity(XrdSecEntity *in, XrdSecEntity *out, int *lout = 0);
495  void FreeEntity(XrdSecEntity *in);
496 };
497 
498 class gsiHSVars {
499 public:
500  int Iter; // Iteration number
501  time_t TimeStamp; // Time of last call
502  String CryptoMod; // Crypto module in use
503  int RemVers; // Version run by remote counterpart
504  XrdCryptoCipher *Rcip; // Reference cipher
505  bool HasPad; // Whether padding is supported
506  XrdSutBucket *Cbck; // Bucket with the certificate in export form
507  String ID; // Handshake ID (dummy for clients)
508  XrdSutPFEntry *Cref; // Cache reference
509  XrdSutPFEntry *Pent; // Pointer to relevant file entry
510  X509Chain *Chain; // Chain to be eventually verified
511  XrdCryptoX509Crl *Crl; // Pointer to CRL, if required
512  X509Chain *PxyChain; // Proxy Chain on clients
513  bool RtagOK; // Rndm tag checked / not checked
514  bool Tty; // Terminal attached / not attached
515  int LastStep; // Step required at previous iteration
516  int Options; // Handshake options;
517  int HashAlg; // Hash algorithm of peer hash name;
518  XrdSutBuffer *Parms; // Buffer with server parms on first iteration
519 
   // Start a handshake with every field in its "nothing received yet" state:
   // counters at zero, the version / time-stamp markers at -1 and all
   // pointers null.  Ownership of the pointed-to objects is sorted out in
   // the destructor, not here.
   gsiHSVars()
   {
      // progress markers
      Iter      = 0;
      TimeStamp = -1;
      RemVers   = -1;
      LastStep  = 0;
      // negotiated crypto
      CryptoMod = "";
      Rcip      = 0;
      HasPad    = false;
      HashAlg   = 0;
      // certificates, chains and cache references
      Cbck     = 0;
      Cref     = 0;
      Pent     = 0;
      Chain    = 0;
      Crl      = 0;
      PxyChain = 0;
      // handshake bookkeeping
      ID      = "";
      RtagOK  = false;
      Tty     = false;
      Options = 0;
      Parms   = 0;
   }
525 
527  if (Options & kOptsDelChn) {
528  // Do not delete the CA certificate in the cached reference
529  if (Chain) Chain->Cleanup(1);
530  SafeDelete(Chain);
531  }
532  // Make sure XrdSecProtocolgsi::stackCRL exists, it could happen
533  // that it has been deallocated due to static deinitialization
534  // order fiasco
535  if (Crl && bool( XrdSecProtocolgsi::stackCRL ) ) {
536  // This decreases the counter and actually deletes the object only
537  // when no instance is using it
539  Crl = 0;
540  }
541  // The proxy chain is owned by the proxy cache; invalid proxies are
542  // detected (and eventually removed) by QueryProxy
543  PxyChain = 0;
544  SafeDelete(Parms); }
545  void Dump(XrdSecProtocolgsi *p = 0);
546 };