xrootd
XrdSecProtocolgsi.hh
Go to the documentation of this file.
1 /******************************************************************************/
2 /* */
3 /* X r d S e c P r o t o c o l g s i . h h */
4 /* */
5 /* (c) 2005 G. Ganis / CERN */
6 /* */
7 /* This file is part of the XRootD software suite. */
8 /* */
9 /* XRootD is free software: you can redistribute it and/or modify it under */
10 /* the terms of the GNU Lesser General Public License as published by the */
11 /* Free Software Foundation, either version 3 of the License, or (at your */
12 /* option) any later version. */
13 /* */
14 /* XRootD is distributed in the hope that it will be useful, but WITHOUT */
15 /* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or */
16 /* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public */
17 /* License for more details. */
18 /* */
19 /* You should have received a copy of the GNU Lesser General Public License */
20 /* along with XRootD in a file called COPYING.LESSER (LGPL license) and file */
21 /* COPYING (GPL license). If not, see <http://www.gnu.org/licenses/>. */
22 /* */
23 /* The copyright holder's institutional names and contributor's names may not */
24 /* be used to endorse or promote products derived from this software without */
25 /* specific prior written permission of the institution or contributor. */
26 /* */
27 /******************************************************************************/
28 #include <time.h>
29 
30 #include "XrdNet/XrdNetAddrInfo.hh"
31 
32 #include "XrdOuc/XrdOucErrInfo.hh"
33 #include "XrdOuc/XrdOucGMap.hh"
34 #include "XrdOuc/XrdOucHash.hh"
35 #include "XrdOuc/XrdOucString.hh"
37 
38 #include "XrdSys/XrdSysPthread.hh"
39 
42 
43 #include "XrdSut/XrdSutCache.hh"
44 
45 #include "XrdSut/XrdSutPFEntry.hh"
46 #include "XrdSut/XrdSutPFile.hh"
47 #include "XrdSut/XrdSutBuffer.hh"
48 #include "XrdSut/XrdSutRndm.hh"
49 
54 
56 
57 /******************************************************************************/
58 /* D e f i n e s */
59 /******************************************************************************/
60 
63 
64 #define XrdSecPROTOIDENT "gsi"
65 #define XrdSecPROTOIDLEN sizeof(XrdSecPROTOIDENT)
66 #define XrdSecgsiVERSION 10400
67 #define XrdSecNOIPCHK 0x0001
68 #define XrdSecDEBUG 0x1000
69 #define XrdCryptoMax 10
70 
71 #define kMAXBUFLEN 1024
72 
73 
74 #define XrdSecgsiVersDHsigned 10400 // Version at which started signing
75  // of server DH parameters
76 
77 //
78 // Message codes either returned by server or included in buffers
79 enum kgsiStatus {
80  kgST_error = -1, // error occured
81  kgST_ok = 0, // ok
82  kgST_more = 1 // need more info
83 };
84 
85 // Client steps
87  kXGC_none = 0,
88  kXGC_certreq = 1000, // 1000: request server certificate
89  kXGC_cert, // 1001: packet with (proxy) certificate
90  kXGC_sigpxy, // 1002: packet with signed proxy certificate
92 };
93 
94 // Server steps
96  kXGS_none = 0,
97  kXGS_init = 2000, // 2000: fake code used the first time
98  kXGS_cert, // 2001: packet with certificate
99  kXGS_pxyreq, // 2002: packet with proxy req to be signed
101 };
102 
103 // Handshake options
105  kOptsDlgPxy = 1, // 0x0001: Ask for a delegated proxy
106  kOptsFwdPxy = 2, // 0x0002: Forward local proxy
107  kOptsSigReq = 4, // 0x0004: Accept to sign delegated proxy
108  kOptsSrvReq = 8, // 0x0008: Server request for delegated proxy
109  kOptsPxFile = 16, // 0x0010: Save delegated proxies in file
110  kOptsDelChn = 32, // 0x0020: Delete chain
111  kOptsPxCred = 64 // 0x0040: Save delegated proxies as credentials
112 };
113 
114 // Error codes
116  kGSErrParseBuffer = 10000, // 10000
124  kGSErrGenCipher, // 10008
125  kGSErrExportPuK, // 10009
128  kGSErrNoRndmTag, // 10012
129  kGSErrNoCipher, // 10013
130  kGSErrNoCreds, // 10014
131  kGSErrBadOpt, // 10015
132  kGSErrMarshal, // 10016
133  kGSErrUnmarshal, // 10017
134  kGSErrSaveCreds, // 10018
135  kGSErrNoBuffer, // 10019
136  kGSErrRefCipher, // 10020
137  kGSErrNoPublic, // 10021
138  kGSErrAddBucket, // 10022
139  kGSErrFinCipher, // 10023
140  kGSErrInit, // 10024
141  kGSErrBadCreds, // 10025
142  kGSErrError // 10026
143 };
144 
145 #define REL1(x) { if (x) delete x; }
146 #define REL2(x,y) { if (x) delete x; if (y) delete y; }
147 #define REL3(x,y,z) { if (x) delete x; if (y) delete y; if (z) delete z; }
148 
149 #define SafeDelete(x) { if (x) {delete x ; x = 0;} }
150 #define SafeDelArray(x) { if (x) {delete [] x ; x = 0;} }
151 #define SafeFree(x) { if (x) {free(x) ; x = 0;} }
152 
153 // External functions for generic mapping
154 typedef char *(*XrdSecgsiGMAP_t)(const char *, int);
155 typedef int (*XrdSecgsiAuthz_t)(XrdSecEntity &);
156 typedef int (*XrdSecgsiAuthzInit_t)(const char *);
157 typedef int (*XrdSecgsiAuthzKey_t)(XrdSecEntity &, char **);
158 // VOMS extraction
161 //
162 // This a small class to set the relevant options in one go
163 //
164 class XrdOucGMap;
165 class XrdOucTrace;
166 class gsiOptions {
167 public:
168  short debug; // [cs] debug flag
169  char mode; // [cs] 'c' or 's'
170  char *clist; // [s] list of crypto modules ["ssl" ]
171  char *certdir;// [cs] dir with CA info [/etc/grid-security/certificates]
172  char *crldir; // [cs] dir with CRL info [/etc/grid-security/certificates]
173  char *crlext; // [cs] extension of CRL files [.r0]
174  char *cert; // [s] server certificate [/etc/grid-security/root/rootcert.pem]
175  // [c] user certificate [$HOME/.globus/usercert.pem]
176  char *key; // [s] server private key [/etc/grid-security/root/rootkey.pem]
177  // [c] user private key [$HOME/.globus/userkey.pem]
178  char *cipher; // [s] list of ciphers [aes-128-cbc:bf-cbc:des-ede3-cbc]
179  char *md; // [s] list of MDs [sha256:md5]
180  int crl; // [cs] check level of CRL's [1]
181  int ca; // [cs] verification level of CA's [1]
182  int crlrefresh; // [cs] CRL refresh or expiration period in secs [1 day]
183  char *proxy; // [c] user proxy [/tmp/x509up_u<uid>]
184  char *valid; // [c] proxy validity [12:00]
185  int deplen; // [c] depth of signature path for proxies [0]
186  int bits; // [c] bits in PKI for proxies [512]
187  char *gridmap;// [s] gridmap file [/etc/grid-security/gridmap]
188  int gmapto; // [s] validity in secs of grid-map cache entries [600 s]
189  char *gmapfun;// [s] file with the function to map DN to usernames [0]
190  char *gmapfunparms;// [s] parameters for the function to map DN to usernames [0]
191  char *authzfun;// [s] file with the function to fill entities [0]
192  char *authzfunparms;// [s] parameters for the function to fill entities [0]
193  int authzcall; // [s] when to call authz function [1 -> always]
194  int authzto; // [s] validity in secs of authz cache entries [-1 => unlimited]
195  int ogmap; // [s] gridmap file checking option
196  int dlgpxy; // [c] explicitely ask the creation of a delegated proxy; default 0
197  // [s] ask client for proxies; default: do not accept delegated proxies
198  int sigpxy; // [c] accept delegated proxy requests
199  char *srvnames;// [c] '|' separated list of allowed server names
200  char *exppxy; // [s] template for the exported file with proxies
201  int authzpxy; // [s] if 1 make proxy available in exported form in the 'endorsement'
202  // field of the XrdSecEntity object for use in XrdAcc
203  int vomsat; // [s] 0 do not look for; 1 extract if any
204  char *vomsfun;// [s] file with the function to fill VOMS [0]
205  char *vomsfunparms;// [s] parameters for the function to fill VOMS [0]
206  int moninfo; // [s] 0 do not look for; 1 use DN as default
207  int hashcomp; // [cs] 1 send hash names with both algorithms; 0 send only the default [1]
208 
209  bool trustdns; // [cs] 'true' if DNS is trusted [true]
210 
211  gsiOptions() { debug = -1; mode = 's'; clist = 0;
212  certdir = 0; crldir = 0; crlext = 0; cert = 0; key = 0;
213  cipher = 0; md = 0; ca = 1 ; crl = 1; crlrefresh = 86400;
214  proxy = 0; valid = 0; deplen = 0; bits = 512;
215  gridmap = 0; gmapto = 600;
216  gmapfun = 0; gmapfunparms = 0; authzfun = 0; authzfunparms = 0;
217  authzto = -1; authzcall = 1;
218  ogmap = 1; dlgpxy = 0; sigpxy = 1; srvnames = 0;
219  exppxy = 0; authzpxy = 0;
220  vomsat = 1; vomsfun = 0; vomsfunparms = 0; moninfo = 0;
221  hashcomp = 1; trustdns = true;}
222  virtual ~gsiOptions() { } // Cleanup inside XrdSecProtocolgsiInit
223  void Print(XrdOucTrace *t); // Print summary of gsi option status
224 };
225 
226 class XrdSecProtocolgsi;
227 class gsiHSVars;
228 
229 // From a proxy query
230 typedef struct {
234 } ProxyOut_t;
235 
236 // To query proxies
237 typedef struct {
238  const char *cert;
239  const char *key;
240  const char *certdir;
241  const char *out;
242  const char *valid;
243  int deplen;
244  int bits;
245 } ProxyIn_t;
246 
247 template<class T>
248 class GSIStack {
249 public:
250  void Add(T *t) {
251  char k[40]; snprintf(k, 40, "%p", t);
252  mtx.Lock();
253  if (!stack.Find(k)) stack.Add(k, t, 0, Hash_count); // We need an additional count
254  stack.Add(k, t, 0, Hash_count);
255  mtx.UnLock();
256  }
257  void Del(T *t) {
258  char k[40]; snprintf(k, 40, "%p", t);
259  mtx.Lock();
260  if (stack.Find(k)) stack.Del(k, Hash_count);
261  mtx.UnLock();
262  }
263 private:
266 };
267 
268 /******************************************************************************/
269 /* X r d S e c P r o t o c o l g s i C l a s s */
270 /******************************************************************************/
271 
273 {
274 friend class gsiOptions;
275 friend class gsiHSVars;
276 public:
277  int Authenticate (XrdSecCredentials *cred,
278  XrdSecParameters **parms,
279  XrdOucErrInfo *einfo=0);
280 
282  XrdOucErrInfo *einfo=0);
283 
284  XrdSecProtocolgsi(int opts, const char *hname, XrdNetAddrInfo &endPoint,
285  const char *parms = 0);
286  virtual ~XrdSecProtocolgsi() {} // Delete() does it all
287 
288  // Initialization methods
289  static char *Init(gsiOptions o, XrdOucErrInfo *erp);
290 
291  void Delete();
292 
293  // Encrypt / Decrypt methods
294  int Encrypt(const char *inbuf, int inlen,
295  XrdSecBuffer **outbuf);
296  int Decrypt(const char *inbuf, int inlen,
297  XrdSecBuffer **outbuf);
298  // Sign / Verify methods
299  int Sign(const char *inbuf, int inlen,
300  XrdSecBuffer **outbuf);
301  int Verify(const char *inbuf, int inlen,
302  const char *sigbuf, int siglen);
303 
304  // Export session key
305  int getKey(char *kbuf=0, int klen=0);
306  // Import a key
307  int setKey(char *kbuf, int klen);
308 
309  // Enable tracing
310  static XrdOucTrace *EnableTracing();
311 
312 private:
314 
315  // Static members initialized at startup
317  static String CAdir;
318  static String CRLdir;
320  static String SrvCert;
321  static String SrvKey;
322  static String UsrProxy;
323  static String UsrCert;
324  static String UsrKey;
325  static String PxyValid;
326  static int DepLength;
327  static int DefBits;
328  static int CACheck;
329  static int CRLCheck;
330  static int CRLDownload;
331  static int CRLRefresh;
334  static String DefMD;
335  static String DefError;
336  static String GMAPFile;
337  static int GMAPOpt;
338  static bool GMAPuseDNname;
339  static int GMAPCacheTimeOut;
343  static int AuthzCertFmt;
344  static int AuthzCacheTimeOut;
345  static int PxyReqOpts;
346  static int AuthzPxyWhat;
347  static int AuthzPxyWhere;
348  static int AuthzAlways;
350  static int VOMSAttrOpt;
352  static int VOMSCertFmt;
353  static int MonInfoOpt;
354  static bool HashCompatibility;
355  static bool TrustDNS;
356  //
357  // Crypto related info
358  static int ncrypt; // Number of factories
359  static XrdCryptoFactory *cryptF[XrdCryptoMax]; // their hooks
360  static int cryptID[XrdCryptoMax]; // their IDs
361  static String cryptName[XrdCryptoMax]; // their names
362  static XrdCryptoCipher *refcip[XrdCryptoMax]; // ref for session ciphers
363  //
364  // Caches
365  static XrdSutCache cacheCA; // Info about trusted CA's
366  static XrdSutCache cacheCert; // Server certificates info cache
367  static XrdSutCache cachePxy; // Client proxies cache;
368  static XrdSutCache cacheGMAPFun; // Cache for entries mapped by GMAPFun
369  static XrdSutCache cacheAuthzFun; // Cache for entities filled by AuthzFun
370  //
371  // Services
372  static XrdOucGMap *servGMap; // Grid mapping service
373  //
374  // CA and CRL stacks
375  static GSIStack<XrdCryptoX509Chain> stackCA; // Stack of CA in use
376  static GSIStack<XrdCryptoX509Crl> stackCRL; // Stack of CRL in use
377  //
378  // GMAP control vars
379  static time_t lastGMAPCheck; // time of last check on GMAP
380  static XrdSysMutex mutexGMAP; // mutex to control GMAP reloads
381  //
382  // Running options / settings
383  static int Debug; // [CS] Debug level
384  static bool Server; // [CS] If server mode
385  static int TimeSkew; // [CS] Allowed skew in secs for time stamps
386  //
387  // for error logging and tracing
391 
392  // Information local to this instance
393  int options;
394  XrdCryptoFactory *sessionCF; // Chosen crypto factory
395  XrdCryptoCipher *sessionKey; // Session Key (result of the handshake)
396  XrdSutBucket *bucketKey; // Bucket with the key in export form
397  XrdCryptoMsgDigest *sessionMD; // Message Digest instance
398  XrdCryptoRSA *sessionKsig; // RSA key to sign
399  XrdCryptoRSA *sessionKver; // RSA key to verify
400  X509Chain *proxyChain; // Chain with the delegated proxy on servers
401  bool srvMode; // TRUE if server mode
402  char *expectedHost; // Expected hostname if TrustDNS is enabled.
403  bool useIV; // Use a non-zeroed unique IV in cipher enc/dec operations
404 
405  // Temporary Handshake local info
407 
408  // Parsing received buffers: client
410  String &emsg);
411  int ClientDoInit(XrdSutBuffer *br, XrdSutBuffer **bm,
412  String &cmsg);
413  int ClientDoCert(XrdSutBuffer *br, XrdSutBuffer **bm,
414  String &cmsg);
416  String &cmsg);
417 
418  // Parsing received buffers: server
420  String &cmsg);
422  String &cmsg);
423  int ServerDoCert(XrdSutBuffer *br, XrdSutBuffer **bm,
424  String &cmsg);
426  String &cmsg);
427 
428  // Auxilliary functions
429  int ParseCrypto(String cryptlist);
430  int ParseCAlist(String calist);
431 
432  // Load CA certificates
433  static int GetCA(const char *cahash,
434  XrdCryptoFactory *cryptof, gsiHSVars *hs = 0);
435  static String GetCApath(const char *cahash);
436  static bool VerifyCA(int opt, X509Chain *cca, XrdCryptoFactory *cf);
437  static int VerifyCRL(XrdCryptoX509Crl *crl, XrdCryptoX509 *xca, XrdOucString crldir,
438  XrdCryptoFactory *CF, int hashalg);
439  bool ServerCertNameOK(const char *subject, const char *hname, String &e);
441  XrdCryptoFactory *cf,
442  time_t timestamp, String &cal);
443 
444  // Load CRLs
445  static XrdCryptoX509Crl *LoadCRL(XrdCryptoX509 *xca, const char *sjhash,
446  XrdCryptoFactory *CF, int dwld, int &err);
447 
448  // Updating proxies
449  static int QueryProxy(bool checkcache, XrdSutCache *cache, const char *tag,
450  XrdCryptoFactory *cf, time_t timestamp,
451  ProxyIn_t *pi, ProxyOut_t *po);
452  static int InitProxy(ProxyIn_t *pi, XrdCryptoFactory *cf,
453  X509Chain *ch = 0, XrdCryptoRSA **key = 0);
454 
455  // Error functions
456  static void ErrF(XrdOucErrInfo *einfo, kXR_int32 ecode,
457  const char *msg1, const char *msg2 = 0,
458  const char *msg3 = 0);
460  XrdSutBuffer *b2,XrdSutBuffer *b3,
461  kXR_int32 ecode, const char *msg1 = 0,
462  const char *msg2 = 0, const char *msg3 = 0);
463  int ErrS(String ID, XrdOucErrInfo *einfo, XrdSutBuffer *b1,
464  XrdSutBuffer *b2, XrdSutBuffer *b3,
465  kXR_int32 ecode, const char *msg1 = 0,
466  const char *msg2 = 0, const char *msg3 = 0);
467 
468  // Check Time stamp
469  bool CheckTimeStamp(XrdSutBuffer *b, int skew, String &emsg);
470 
471  // Check random challenge
472  bool CheckRtag(XrdSutBuffer *bm, String &emsg);
473 
474  // Auxilliary methods
475  int AddSerialized(char opt, kXR_int32 step, String ID,
476  XrdSutBuffer *bls, XrdSutBuffer *buf,
477  kXR_int32 type, XrdCryptoCipher *cip);
478  // Grid map cache handling
479  static XrdSecgsiGMAP_t // Load alternative function for mapping
480  LoadGMAPFun(const char *plugin, const char *parms);
481  static XrdSecgsiAuthz_t // Load alternative function to fill XrdSecEntity
482  LoadAuthzFun(const char *plugin, const char *parms, int &fmt);
483  static XrdSecgsiVOMS_t // Load alternative function to extract VOMS
484  LoadVOMSFun(const char *plugin, const char *parms, int &fmt);
485  static void QueryGMAP(XrdCryptoX509Chain* chain, int now, String &name); //Lookup info for DN
486 
487  // Entity handling
488  void CopyEntity(XrdSecEntity *in, XrdSecEntity *out, int *lout = 0);
489  void FreeEntity(XrdSecEntity *in);
490 };
491 
492 class gsiHSVars {
493 public:
494  int Iter; // Iteration number
495  time_t TimeStamp; // Time of last call
496  String CryptoMod; // Crypto module in use
497  int RemVers; // Version run by remote counterpart
498  XrdCryptoCipher *Rcip; // Reference cipher
499  bool HasPad; // Whether padding is supported
500  XrdSutBucket *Cbck; // Bucket with the certificate in export form
501  String ID; // Handshake ID (dummy for clients)
502  XrdSutPFEntry *Cref; // Cache reference
503  XrdSutPFEntry *Pent; // Pointer to relevant file entry
504  X509Chain *Chain; // Chain to be eventually verified
505  XrdCryptoX509Crl *Crl; // Pointer to CRL, if required
506  X509Chain *PxyChain; // Proxy Chain on clients
507  bool RtagOK; // Rndm tag checked / not checked
508  bool Tty; // Terminal attached / not attached
509  int LastStep; // Step required at previous iteration
510  int Options; // Handshake options;
511  int HashAlg; // Hash algorithm of peer hash name;
512  XrdSutBuffer *Parms; // Buffer with server parms on first iteration
513 
514  gsiHSVars() { Iter = 0; TimeStamp = -1; CryptoMod = "";
515  RemVers = -1; Rcip = 0; HasPad = 0;
516  Cbck = 0;
517  ID = ""; Cref = 0; Pent = 0; Chain = 0; Crl = 0; PxyChain = 0;
518  RtagOK = 0; Tty = 0; LastStep = 0; Options = 0; HashAlg = 0; Parms = 0;}
519 
521  if (Options & kOptsDelChn) {
522  // Do not delete the CA certificate in the cached reference
523  if (Chain) Chain->Cleanup(1);
524  SafeDelete(Chain);
525  }
526  if (Crl) {
527  // This decreases the counter and actually deletes the object only
528  // when no instance is using it
530  Crl = 0;
531  }
532  // The proxy chain is owned by the proxy cache; invalid proxies are
533  // detected (and eventually removed) by QueryProxy
534  PxyChain = 0;
535  SafeDelete(Parms); }
536  void Dump(XrdSecProtocolgsi *p = 0);
537 };
short debug
Definition: XrdSecProtocolgsi.hh:168
int ParseClientInput(XrdSutBuffer *br, XrdSutBuffer **bm, String &emsg)
int ParseCrypto(String cryptlist)
Definition: XrdSecProtocolgsi.hh:139
char * proxy
Definition: XrdSecProtocolgsi.hh:183
int authzpxy
Definition: XrdSecProtocolgsi.hh:201
XrdSutBucket * bucketKey
Definition: XrdSecProtocolgsi.hh:396
Definition: XrdCryptoRSA.hh:50
static XrdOucTrace * GSITrace
Definition: XrdSecProtocolgsi.hh:390
int Decrypt(const char *inbuf, int inlen, XrdSecBuffer **outbuf)
Definition: XrdSecProtocolgsi.hh:100
static int DepLength
Definition: XrdSecProtocolgsi.hh:326
int(* XrdSecgsiAuthzInit_t)(const char *)
Definition: XrdSecProtocolgsi.hh:156
Definition: XrdSutCache.hh:49
static XrdSecgsiVOMS_t LoadVOMSFun(const char *plugin, const char *parms, int &fmt)
Definition: XrdCryptoMsgDigest.hh:46
int Authenticate(XrdSecCredentials *cred, XrdSecParameters **parms, XrdOucErrInfo *einfo=0)
XrdSutBuffer * Parms
Definition: XrdSecProtocolgsi.hh:512
Definition: XrdCryptoCipher.hh:47
Definition: XrdSecProtocolgsi.hh:121
int ClientDoPxyreq(XrdSutBuffer *br, XrdSutBuffer **bm, String &cmsg)
static String DefCipher
Definition: XrdSecProtocolgsi.hh:333
int(* XrdSecgsiAuthzKey_t)(XrdSecEntity &, char **)
Definition: XrdSecProtocolgsi.hh:157
Definition: XrdSecProtocolgsi.hh:91
bool HasPad
Definition: XrdSecProtocolgsi.hh:499
int Encrypt(const char *inbuf, int inlen, XrdSecBuffer **outbuf)
Definition: XrdSecProtocolgsi.hh:133
char * authzfun
Definition: XrdSecProtocolgsi.hh:191
XrdSecgsiAuthz_t XrdSecgsiVOMS_t
Definition: XrdSecProtocolgsi.hh:159
int Sign(const char *inbuf, int inlen, XrdSecBuffer **outbuf)
static XrdSysLogger Logger
Definition: XrdSecProtocolgsi.hh:388
virtual ~XrdSecProtocolgsi()
Definition: XrdSecProtocolgsi.hh:286
static String CAdir
Definition: XrdSecProtocolgsi.hh:317
Definition: XrdSecProtocolgsi.hh:134
static String UsrProxy
Definition: XrdSecProtocolgsi.hh:322
char * valid
Definition: XrdSecProtocolgsi.hh:184
static int TimeSkew
Definition: XrdSecProtocolgsi.hh:385
Definition: XrdSutCacheEntry.hh:99
Definition: XrdSecProtocolgsi.hh:127
static bool TrustDNS
Definition: XrdSecProtocolgsi.hh:355
char mode
Definition: XrdSecProtocolgsi.hh:169
kgsiHandshakeOpts
Definition: XrdSecProtocolgsi.hh:104
Definition: XrdSecProtocolgsi.hh:125
Definition: XrdSecProtocolgsi.hh:128
int bits
Definition: XrdSecProtocolgsi.hh:244
int hashcomp
Definition: XrdSecProtocolgsi.hh:207
Definition: XrdSecProtocolgsi.hh:126
void FreeEntity(XrdSecEntity *in)
static bool VerifyCA(int opt, X509Chain *cca, XrdCryptoFactory *cf)
Definition: XrdSecProtocolgsi.hh:130
Definition: XrdSecProtocolgsi.hh:90
Definition: XrdSecProtocolgsi.hh:97
static int GetCA(const char *cahash, XrdCryptoFactory *cryptof, gsiHSVars *hs=0)
static String UsrKey
Definition: XrdSecProtocolgsi.hh:324
static String SrvKey
Definition: XrdSecProtocolgsi.hh:321
XrdSecgsiAuthzInit_t XrdSecgsiVOMSInit_t
Definition: XrdSecProtocolgsi.hh:160
bool CheckTimeStamp(XrdSutBuffer *b, int skew, String &emsg)
char * authzfunparms
Definition: XrdSecProtocolgsi.hh:192
static String DefMD
Definition: XrdSecProtocolgsi.hh:334
Definition: XrdSecInterface.hh:130
Definition: XrdSecProtocolgsi.hh:138
#define SafeDelete(x)
Definition: XrdSecProtocolgsi.hh:149
XrdCryptoCipher * sessionKey
Definition: XrdSecProtocolgsi.hh:395
static bool GMAPuseDNname
Definition: XrdSecProtocolgsi.hh:338
X509Chain * proxyChain
Definition: XrdSecProtocolgsi.hh:400
Definition: XrdSecProtocolgsi.hh:141
Definition: XrdSecProtocolgsi.hh:137
const char * cert
Definition: XrdSecProtocolgsi.hh:238
int Options
Definition: XrdSecProtocolgsi.hh:510
Definition: XrdSecProtocolgsi.hh:82
static int cryptID[XrdCryptoMax]
Definition: XrdSecProtocolgsi.hh:360
static XrdOucGMap * servGMap
Definition: XrdSecProtocolgsi.hh:372
Definition: XrdSecProtocolgsi.hh:109
static XrdSecgsiAuthzKey_t AuthzKey
Definition: XrdSecProtocolgsi.hh:342
String ID
Definition: XrdSecProtocolgsi.hh:501
XrdCryptoCipher * Rcip
Definition: XrdSecProtocolgsi.hh:498
static XrdSecgsiGMAP_t GMAPFun
Definition: XrdSecProtocolgsi.hh:340
char * md
Definition: XrdSecProtocolgsi.hh:179
static XrdSutCache cachePxy
Definition: XrdSecProtocolgsi.hh:367
static int Debug
Definition: XrdSecProtocolgsi.hh:383
static GSIStack< XrdCryptoX509Crl > stackCRL
Definition: XrdSecProtocolgsi.hh:376
void Print(XrdOucTrace *t)
Definition: XrdSecProtocolgsi.hh:131
Definition: XrdSecProtocolgsi.hh:120
Definition: XrdSecProtocolgsi.hh:98
X509Chain * Chain
Definition: XrdSecProtocolgsi.hh:504
Definition: XrdSecProtocolgsi.hh:118
XrdSecCredentials * ErrC(XrdOucErrInfo *einfo, XrdSutBuffer *b1, XrdSutBuffer *b2, XrdSutBuffer *b3, kXR_int32 ecode, const char *msg1=0, const char *msg2=0, const char *msg3=0)
Definition: XrdSutBuffer.hh:43
int HashAlg
Definition: XrdSecProtocolgsi.hh:511
static String cryptName[XrdCryptoMax]
Definition: XrdSecProtocolgsi.hh:361
static String DefCrypto
Definition: XrdSecProtocolgsi.hh:332
XrdCryptoRSA * sessionKver
Definition: XrdSecProtocolgsi.hh:399
int AddSerialized(char opt, kXR_int32 step, String ID, XrdSutBuffer *bls, XrdSutBuffer *buf, kXR_int32 type, XrdCryptoCipher *cip)
static XrdSysMutex mutexGMAP
Definition: XrdSecProtocolgsi.hh:380
int crlrefresh
Definition: XrdSecProtocolgsi.hh:182
static int AuthzPxyWhat
Definition: XrdSecProtocolgsi.hh:346
Definition: XrdSecProtocolgsi.hh:87
Definition: XrdOucTrace.hh:35
Definition: XrdSysError.hh:89
static void QueryGMAP(XrdCryptoX509Chain *chain, int now, String &name)
char * key
Definition: XrdSecProtocolgsi.hh:176
static XrdSysMutex gsiContext
Definition: XrdSecProtocolgsi.hh:316
static XrdCryptoX509Crl * LoadCRL(XrdCryptoX509 *xca, const char *sjhash, XrdCryptoFactory *CF, int dwld, int &err)
const char * out
Definition: XrdSecProtocolgsi.hh:241
int ca
Definition: XrdSecProtocolgsi.hh:181
static XrdSecgsiAuthz_t LoadAuthzFun(const char *plugin, const char *parms, int &fmt)
static XrdSutCache cacheCA
Definition: XrdSecProtocolgsi.hh:365
Definition: XrdSysPthread.hh:165
kgsiClientSteps
Definition: XrdSecProtocolgsi.hh:86
char * crlext
Definition: XrdSecProtocolgsi.hh:173
static int CRLCheck
Definition: XrdSecProtocolgsi.hh:329
static bool HashCompatibility
Definition: XrdSecProtocolgsi.hh:354
static String GMAPFile
Definition: XrdSecProtocolgsi.hh:336
static XrdOucTrace * EnableTracing()
String CryptoMod
Definition: XrdSecProtocolgsi.hh:496
XrdOucString String
Definition: XrdSecProtocolgsi.hh:61
int Verify(const char *inbuf, int inlen, const char *sigbuf, int siglen)
gsiHSVars * hs
Definition: XrdSecProtocolgsi.hh:406
int ErrS(String ID, XrdOucErrInfo *einfo, XrdSutBuffer *b1, XrdSutBuffer *b2, XrdSutBuffer *b3, kXR_int32 ecode, const char *msg1=0, const char *msg2=0, const char *msg3=0)
static XrdSecgsiVOMS_t VOMSFun
Definition: XrdSecProtocolgsi.hh:351
bool CheckRtag(XrdSutBuffer *bm, String &emsg)
XrdCryptoX509Crl * Crl
Definition: XrdSecProtocolgsi.hh:505
static int ncrypt
Definition: XrdSecProtocolgsi.hh:358
int authzto
Definition: XrdSecProtocolgsi.hh:194
int ParseCAlist(String calist)
static String GetCApath(const char *cahash)
void CopyEntity(XrdSecEntity *in, XrdSecEntity *out, int *lout=0)
void Delete()
Delete the protocol object. DO NOT use C++ delete() on this object.
Definition: XrdSecProtocolgsi.hh:116
XrdSecCredentials * getCredentials(XrdSecParameters *parm=0, XrdOucErrInfo *einfo=0)
int ClientDoInit(XrdSutBuffer *br, XrdSutBuffer **bm, String &cmsg)
static XrdSecgsiAuthz_t AuthzFun
Definition: XrdSecProtocolgsi.hh:341
char *(* XrdSecgsiGMAP_t)(const char *, int)
Definition: XrdSecProtocolgsi.hh:154
Definition: XrdSecProtocolgsi.hh:237
Definition: XrdSecProtocolgsi.hh:492
int deplen
Definition: XrdSecProtocolgsi.hh:185
char * crldir
Definition: XrdSecProtocolgsi.hh:172
static XrdCryptoFactory * cryptF[XrdCryptoMax]
Definition: XrdSecProtocolgsi.hh:359
int setKey(char *kbuf, int klen)
Definition: XrdOucErrInfo.hh:100
Definition: XrdOucGMap.hh:48
int dlgpxy
Definition: XrdSecProtocolgsi.hh:196
Definition: XrdSutCacheEntry.hh:75
int gmapto
Definition: XrdSecProtocolgsi.hh:188
bool Tty
Definition: XrdSecProtocolgsi.hh:508
bool RtagOK
Definition: XrdSecProtocolgsi.hh:507
XrdSysMutex mtx
Definition: XrdSecProtocolgsi.hh:264
Definition: XrdSecProtocolgsi.hh:81
static String DefCRLext
Definition: XrdSecProtocolgsi.hh:319
XrdSutBucket * Cbck
Definition: XrdSecProtocolgsi.hh:500
int(* XrdSecgsiAuthz_t)(XrdSecEntity &)
Definition: XrdSecProtocolgsi.hh:155
char * vomsfun
Definition: XrdSecProtocolgsi.hh:204
XrdSutPFEntry * Pent
Definition: XrdSecProtocolgsi.hh:503
static String UsrCert
Definition: XrdSecProtocolgsi.hh:323
static time_t lastGMAPCheck
Definition: XrdSecProtocolgsi.hh:379
int RemVers
Definition: XrdSecProtocolgsi.hh:497
char * cipher
Definition: XrdSecProtocolgsi.hh:178
Definition: XrdSecProtocolgsi.hh:105
static int InitProxy(ProxyIn_t *pi, XrdCryptoFactory *cf, X509Chain *ch=0, XrdCryptoRSA **key=0)
static int AuthzPxyWhere
Definition: XrdSecProtocolgsi.hh:347
Definition: XrdSecProtocolgsi.hh:166
Definition: XrdSecProtocolgsi.hh:80
XrdCryptogsiX509Chain X509Chain
Definition: XrdSecProtocolgsi.hh:62
static int VOMSAttrOpt
Definition: XrdSecProtocolgsi.hh:350
const char * key
Definition: XrdSecProtocolgsi.hh:239
void Add(T *t)
Definition: XrdSecProtocolgsi.hh:250
bool ServerCertNameOK(const char *subject, const char *hname, String &e)
Definition: XrdSecProtocolgsi.hh:119
int ogmap
Definition: XrdSecProtocolgsi.hh:195
int Iter
Definition: XrdSecProtocolgsi.hh:494
char * gridmap
Definition: XrdSecProtocolgsi.hh:187
Definition: XrdSecProtocolgsi.hh:96
XrdOucHash< T > stack
Definition: XrdSecProtocolgsi.hh:265
virtual ~gsiOptions()
Definition: XrdSecProtocolgsi.hh:222
void Del(T *t)
Definition: XrdSecProtocolgsi.hh:257
static int GMAPCacheTimeOut
Definition: XrdSecProtocolgsi.hh:339
static bool Server
Definition: XrdSecProtocolgsi.hh:384
char * gmapfun
Definition: XrdSecProtocolgsi.hh:189
Definition: XrdNetAddrInfo.hh:53
static XrdSecgsiGMAP_t LoadGMAPFun(const char *plugin, const char *parms)
Definition: XrdSysLogger.hh:52
int LastStep
Definition: XrdSecProtocolgsi.hh:509
Definition: XrdSecProtocolgsi.hh:230
~gsiHSVars()
Definition: XrdSecProtocolgsi.hh:520
Definition: XrdSecProtocolgsi.hh:135
char * cert
Definition: XrdSecProtocolgsi.hh:174
Definition: XrdSecProtocolgsi.hh:110
void Lock()
Definition: XrdSysPthread.hh:222
int vomsat
Definition: XrdSecProtocolgsi.hh:203
int crl
Definition: XrdSecProtocolgsi.hh:180
Definition: XrdSecProtocolgsi.hh:248
static String CRLdir
Definition: XrdSecProtocolgsi.hh:318
gsiOptions()
Definition: XrdSecProtocolgsi.hh:211
Definition: XrdCryptoX509Crl.hh:49
static XrdSutCacheEntry * GetSrvCertEnt(XrdSutCERef &gcref, XrdCryptoFactory *cf, time_t timestamp, String &cal)
const char * certdir
Definition: XrdSecProtocolgsi.hh:240
kgsiErrors
Definition: XrdSecProtocolgsi.hh:115
static String SrvAllowedNames
Definition: XrdSecProtocolgsi.hh:349
Definition: XrdSecProtocolgsi.hh:122
Definition: XrdSecProtocolgsi.hh:107
int sigpxy
Definition: XrdSecProtocolgsi.hh:198
XrdCryptoFactory * sessionCF
Definition: XrdSecProtocolgsi.hh:394
char * gmapfunparms
Definition: XrdSecProtocolgsi.hh:190
Definition: XrdSecProtocolgsi.hh:108
char * certdir
Definition: XrdSecProtocolgsi.hh:171
XrdSecProtocolgsi(int opts, const char *hname, XrdNetAddrInfo &endPoint, const char *parms=0)
static GSIStack< XrdCryptoX509Chain > stackCA
Definition: XrdSecProtocolgsi.hh:375
static int QueryProxy(bool checkcache, XrdSutCache *cache, const char *tag, XrdCryptoFactory *cf, time_t timestamp, ProxyIn_t *pi, ProxyOut_t *po)
XrdCryptoRSA * ksig
Definition: XrdSecProtocolgsi.hh:232
Definition: XrdSutPFEntry.hh:78
Definition: XrdSecProtocolgsi.hh:136
X509Chain * chain
Definition: XrdSecProtocolgsi.hh:231
static int PxyReqOpts
Definition: XrdSecProtocolgsi.hh:345
XrdNetAddrInfo epAddr
Definition: XrdSecProtocolgsi.hh:313
int getKey(char *kbuf=0, int klen=0)
Definition: XrdCryptogsiX509Chain.hh:50
Definition: XrdSutBucket.hh:43
static int AuthzAlways
Definition: XrdSecProtocolgsi.hh:348
char * expectedHost
Definition: XrdSecProtocolgsi.hh:402
bool useIV
Definition: XrdSecProtocolgsi.hh:403
static XrdSutCache cacheGMAPFun
Definition: XrdSecProtocolgsi.hh:368
gsiHSVars()
Definition: XrdSecProtocolgsi.hh:514
Definition: XrdOucHash.hh:127
int ClientDoCert(XrdSutBuffer *br, XrdSutBuffer **bm, String &cmsg)
static int VerifyCRL(XrdCryptoX509Crl *crl, XrdCryptoX509 *xca, XrdOucString crldir, XrdCryptoFactory *CF, int hashalg)
int kXR_int32
Definition: XPtypes.hh:89
Definition: XrdSecProtocolgsi.hh:140
int options
Definition: XrdSecProtocolgsi.hh:393
static XrdSutCache cacheAuthzFun
Definition: XrdSecProtocolgsi.hh:369
bool trustdns
Definition: XrdSecProtocolgsi.hh:209
Definition: XrdCryptoFactory.hh:121
static XrdSutCache cacheCert
Definition: XrdSecProtocolgsi.hh:366
char * vomsfunparms
Definition: XrdSecProtocolgsi.hh:205
XrdSutBucket * cbck
Definition: XrdSecProtocolgsi.hh:233
int moninfo
Definition: XrdSecProtocolgsi.hh:206
Definition: XrdSecEntity.hh:63
const char * valid
Definition: XrdSecProtocolgsi.hh:242
XrdCryptoMsgDigest * sessionMD
Definition: XrdSecProtocolgsi.hh:397
static int AuthzCacheTimeOut
Definition: XrdSecProtocolgsi.hh:344
int bits
Definition: XrdSecProtocolgsi.hh:186
int deplen
Definition: XrdSecProtocolgsi.hh:243
X509Chain * PxyChain
Definition: XrdSecProtocolgsi.hh:506
char * exppxy
Definition: XrdSecProtocolgsi.hh:200
int ServerDoCertreq(XrdSutBuffer *br, XrdSutBuffer **bm, String &cmsg)
Definition: XrdOucHash.hh:54
static int VOMSCertFmt
Definition: XrdSecProtocolgsi.hh:352
bool srvMode
Definition: XrdSecProtocolgsi.hh:401
Definition: XrdSecProtocolgsi.hh:142
static void ErrF(XrdOucErrInfo *einfo, kXR_int32 ecode, const char *msg1, const char *msg2=0, const char *msg3=0)
void UnLock()
Definition: XrdSysPthread.hh:224
static int CACheck
Definition: XrdSecProtocolgsi.hh:328
Generic structure to pass security information back and forth.
Definition: XrdSecInterface.hh:50
static int DefBits
Definition: XrdSecProtocolgsi.hh:327
Definition: XrdSecProtocolgsi.hh:88
static int CRLRefresh
Definition: XrdSecProtocolgsi.hh:331
int ParseServerInput(XrdSutBuffer *br, XrdSutBuffer **bm, String &cmsg)
Definition: XrdSecProtocolgsi.hh:99
static String DefError
Definition: XrdSecProtocolgsi.hh:335
XrdCryptoRSA * sessionKsig
Definition: XrdSecProtocolgsi.hh:398
char * clist
Definition: XrdSecProtocolgsi.hh:170
Definition: XrdSecProtocolgsi.hh:117
static int GMAPOpt
Definition: XrdSecProtocolgsi.hh:337
Definition: XrdSecProtocolgsi.hh:111
Definition: XrdSecProtocolgsi.hh:89
kgsiStatus
Definition: XrdSecProtocolgsi.hh:79
static int MonInfoOpt
Definition: XrdSecProtocolgsi.hh:353
Definition: XrdSecProtocolgsi.hh:272
static char * Init(gsiOptions o, XrdOucErrInfo *erp)
Definition: XrdSecProtocolgsi.hh:129
Definition: XrdCryptoX509.hh:51
Definition: XrdSecProtocolgsi.hh:124
static XrdSysError eDest
Definition: XrdSecProtocolgsi.hh:389
Definition: XrdSecProtocolgsi.hh:132
XrdSutPFEntry * Cref
Definition: XrdSecProtocolgsi.hh:502
static int AuthzCertFmt
Definition: XrdSecProtocolgsi.hh:343
Definition: XrdOucString.hh:254
int ServerDoSigpxy(XrdSutBuffer *br, XrdSutBuffer **bm, String &cmsg)
static String PxyValid
Definition: XrdSecProtocolgsi.hh:325
void Cleanup(bool keepCA=0)
char * srvnames
Definition: XrdSecProtocolgsi.hh:199
Definition: XrdSecProtocolgsi.hh:106
kgsiServerSteps
Definition: XrdSecProtocolgsi.hh:95
static String SrvCert
Definition: XrdSecProtocolgsi.hh:320
#define XrdCryptoMax
Definition: XrdSecProtocolgsi.hh:69
void Dump(XrdSecProtocolgsi *p=0)
Definition: XrdCryptoX509Chain.hh:80
int authzcall
Definition: XrdSecProtocolgsi.hh:193
Definition: XrdSecProtocolgsi.hh:123
time_t TimeStamp
Definition: XrdSecProtocolgsi.hh:495
static XrdCryptoCipher * refcip[XrdCryptoMax]
Definition: XrdSecProtocolgsi.hh:362
static int CRLDownload
Definition: XrdSecProtocolgsi.hh:330
int ServerDoCert(XrdSutBuffer *br, XrdSutBuffer **bm, String &cmsg)