XRootD
XrdSecProtocolsss Class Reference

#include <XrdSecProtocolsss.hh>


Classes

struct  Crypto
 

Public Member Functions

 XrdSecProtocolsss (const char *hname, XrdNetAddrInfo &endPoint)
 
int Authenticate (XrdSecCredentials *cred, XrdSecParameters **parms, XrdOucErrInfo *einfo=0)
 
void Delete ()
 Delete the protocol object. DO NOT use C++ delete() on this object.
 
XrdSecCredentials * getCredentials (XrdSecParameters *parms=0, XrdOucErrInfo *einfo=0)
 
int Init_Client (XrdOucErrInfo *erp, const char *Parms)
 
int Init_Server (XrdOucErrInfo *erp, const char *Parms)
 
- Public Member Functions inherited from XrdSecProtocol
 XrdSecProtocol (const char *pName)
 Constructor.
 
virtual int Decrypt (const char *inbuff, int inlen, XrdSecBuffer **outbuff)
 
virtual int Encrypt (const char *inbuff, int inlen, XrdSecBuffer **outbuff)
 
virtual int getKey (char *buff=0, int size=0)
 
virtual bool needTLS ()
 Check if this protocol requires TLS to properly function.
 
virtual int setKey (char *buff, int size)
 
virtual int Sign (const char *inbuff, int inlen, XrdSecBuffer **outbuff)
 
virtual int Verify (const char *inbuff, int inlen, const char *sigbuff, int siglen)
 

Static Public Member Functions

static int eMsg (const char *epn, int rc, const char *txt1, const char *txt2=0, const char *txt3=0, const char *txt4=0)
 
static int Fatal (XrdOucErrInfo *erP, const char *epn, int rc, const char *etxt)
 
static char * Load_Client (XrdOucErrInfo *erp, const char *Parms)
 
static char * Load_Server (XrdOucErrInfo *erp, const char *Parms)
 

Friends

class XrdSecProtocolDummy
 

Additional Inherited Members

- Public Attributes inherited from XrdSecProtocol
XrdSecEntity Entity
 
- Protected Member Functions inherited from XrdSecProtocol
virtual ~XrdSecProtocol ()
 Destructor (prevents use of direct delete).
 

Detailed Description

Definition at line 44 of file XrdSecProtocolsss.hh.


Class Documentation

◆ XrdSecProtocolsss::Crypto

struct XrdSecProtocolsss::Crypto

Definition at line 80 of file XrdSecProtocolsss.hh.

Class Members
const char * cName
char cType

Constructor & Destructor Documentation

◆ XrdSecProtocolsss()

XrdSecProtocolsss::XrdSecProtocolsss ( const char * hname,
XrdNetAddrInfo & endPoint )
inline

Definition at line 74 of file XrdSecProtocolsss.hh.

// XrdSecProtocolsss(const char *hname, XrdNetAddrInfo &endPoint) -- inline,
// XrdSecProtocolsss.hh:74 (the signature is rendered above this listing).
// Registers the protocol with the base class under the name "sss" and zeroes
// every instance-owned pointer, so that Delete() frees only what a later
// Init_*()/Authenticate() call actually allocated.
75 : XrdSecProtocol("sss"),
76 keyTab(0), Crypto(0), idBuff(0), dataOpts(0),
77 Sequence(0), v2EndPnt(false)
// urName is a strdup'ed copy of the peer's host name; it is released in
// Delete() and is also what Entity.host points at. setIP() is not shown on
// this page - presumably it records endPoint's address in the urIP/urIQ
// strings that Authenticate() later compares the client's claim against.
78 {urName = strdup(hname); setIP(endPoint);}
XrdSecProtocol(const char *pName)
Constructor.

Member Function Documentation

◆ Authenticate()

int XrdSecProtocolsss::Authenticate ( XrdSecCredentials * cred,
XrdSecParameters ** parms,
XrdOucErrInfo * einfo = 0 )
virtual

Authenticate a client.

Parameters
cred — Credentials supplied by the client.
parms — Place where the address of additional authentication data is to be placed for another authentication handshake.
einfo — The error information object where error messages should be placed. The messages are returned to the client. Should einfo be null, messages should be written to stderr.
Returns
> 0 -> parms present (more authentication needed); = 0 -> Entity present (authentication succeeded); < 0 -> einfo present (error has occurred)

Implements XrdSecProtocol.

Definition at line 151 of file XrdSecProtocolsss.cc.

// int Authenticate(XrdSecCredentials *cred, XrdSecParameters **parms,
//                  XrdOucErrInfo *einfo = 0)        -- XrdSecProtocolsss.cc:151
// Server side of the sss handshake. The credential blob is bounds-checked and
// decoded with a key from the keytab, the packed entity fields are walked, the
// host/IP the client claims is compared with the connection's, and Entity is
// filled in. Contract (see the description above): >0 with *parms set means
// more data is needed, 0 means Entity is valid, <0 means failure.
// NOTE(review): as rendered, this listing omits source lines 158, 190, 196,
// 224, 237 and 294 (the gutter numbers skip them); comments near those gaps
// are hedged accordingly.
154{
155 static const int minLen = sizeof(XrdSecsssRR_Hdr) + XrdSecsssRR_Data_HdrLen;
156 static const int maxLen = XrdSecsssRR_Data::MaxDSz + minLen;
// Special: key options under which the client may choose its own user name.
// Line 158 (not rendered) presumably completes this expression; the function
// is listed as referencing ktEnt::allUSR as well as anyUSR.
157 static const int Special= XrdSecsssKT::ktEnt::anyUSR
159
// The header is read in place from the untrusted credential buffer; its size
// is validated below before anything beyond the header is used.
160 XrdSecsssRR_Hdr *rrHdr = (XrdSecsssRR_Hdr *)(cred->buffer);
161 XrdSecsssRR_Data *rrData;
162 XrdSecsssKT::ktEnt decKey;
163 Persona myID(&decKey);
164
165 char *idP, *dP, *eodP, *theIP = 0, *theHost = 0, *atKey = 0, eType;
166 int idNum = 0, idTLen, idSz, dLen;
167 bool badAttr = false;
168
169// Make sure we have at least the header plus the data header
170//
171 if (cred->size < minLen)
// NOTE(review): Fatal() returns 0 (see its listing below), which under this
// function's contract is the "authentication succeeded" code; every other
// failure path in this function calls Fatal() and then returns -1. Confirm how
// the caller treats a 0 return with an unfilled Entity, or make these two
// size checks (here and at line 177) return -1 like the rest.
172 return Fatal(einfo, "Auth", EINVAL, "Credentials too small.");
173
174// Make sure the credentials are not too big (people misuse sss)
175//
176 if (cred->size > maxLen)
177 return Fatal(einfo, "Auth", EINVAL, "Credentials too big.");
178
179// Allocate the buffer from the stack
180// (safe only because cred->size was capped at maxLen just above)
181 rrData = (XrdSecsssRR_Data *)alloca(cred->size);
182
183// Decode the credentials
184// Decode() is not shown here; judging by later use it selects the keytab
184// entry into decKey and leaves the decrypted payload in rrData.
185 if ((dLen = Decode(einfo, decKey, cred->buffer, rrData, cred->size)) <= 0)
186 return -1;
187
188// Check if we should echo back the LID
189// Line 190 (not rendered) holds the condition; this function references
189// XrdSecsssRR_DataHdr::Options and SndLID, so presumably it tests those.
191 {XrdSecsssRR_DataResp rrResp;
192 char lidBuff[16];
193 rrResp.Options = 0;
194 getLID(lidBuff, sizeof(lidBuff));
195 dP = rrResp.Data;
197 XrdOucPup::Pack(&dP, lidBuff);
198 int n = dP-rrResp.Data + XrdSecsssRR_Data_HdrLen;
// The response is encrypted with the same key the client used; the handshake
// then continues (return 1) and the caller hands *parms back to the client.
199 *parms = Encode(einfo, decKey, rrHdr, &rrResp, n);
200 return (*parms ? 1 : -1);
201 }
202
203// Extract out the entity information
204// Each item is a one-byte type tag followed by a packed string; Unpack() is
204// handed eodP as its end bound so it cannot read past the decoded data.
205 dP = rrData->Data; eodP = dP + dLen - XrdSecsssRR_Data_HdrLen;
206 CLDBG("Processing " <<dLen <<" byes");
207 while(dP < eodP)
208 {eType = *dP++;
209 CLDBG("eType=" <<static_cast<int>(eType)
210 <<" Used " <<dP-rrData->Data <<" left " <<eodP-dP);
// Empty strings are rejected. The `idP &&` guard implies Unpack() may succeed
// with idP null; if it can, `*idP` in the theHost case (line 225) and
// std::string(idP) in the attribute-value case (line 240) would dereference
// null - NOTE(review): confirm against XrdOucPup::Unpack().
211 if (!XrdOucPup::Unpack(&dP, eodP, &idP, idSz) || (idP && *idP == '\0'))
212 {Fatal(einfo, "Authenticate", EINVAL, "Invalid id string.");
213 return -1;
214 }
// Every item counts as identification except random padding (theRand below
// undoes the increment).
215 idNum++;
216 switch(eType)
217 {case XrdSecsssRR_Data::theName: myID.name = idP; break;
218 case XrdSecsssRR_Data::theVorg: myID.vorg = idP; break;
219 case XrdSecsssRR_Data::theRole: myID.role = idP; break;
220 case XrdSecsssRR_Data::theGrps: myID.grps = idP; break;
221 case XrdSecsssRR_Data::theEndo: myID.endo = idP; break;
222 case XrdSecsssRR_Data::theCred: myID.creds = idP;
223 myID.credslen = idSz;break;
// Line 224 (not rendered) is presumably `case theHost:`. A bracketed value
// is taken as an IP address (compared with urIP/urIQ below), anything else
// as a host name (compared with urName).
225 if (*idP == '[')
226 myID.host = theIP = idP;
227
228 else theHost = idP;
229 break;
230 case XrdSecsssRR_Data::theRand: idNum--; break;
231
232 case XrdSecsssRR_Data::theAuth: myID.xAuth = idP; break;
233
234 case XrdSecsssRR_Data::theTID: myID.pident = idP; break;
// Attributes arrive as key/value pairs: a key must be followed by exactly one
// value. Two keys in a row, or a value without a key, set badAttr.
235 case XrdSecsssRR_Data::theAKey: if (atKey) badAttr = true;
236 atKey = idP; break;
// Line 237 (not rendered) is presumably `case theAVal:`.
238 if (!atKey) badAttr = true;
239 else {Entity.eaAPI->Add(std::string(atKey),
240 std::string(idP), true);
241 atKey = 0;
242 }
243 break;
244 case XrdSecsssRR_Data::theUser: myID.xUser = idP; break;
245 case XrdSecsssRR_Data::theGrup: myID.xGrup = idP; break;
246 case XrdSecsssRR_Data::theCaps: myID.caps = idP; break;
247 default: break;
248 }
249 }
250
251// Verify that we have some kind of identification
252//
253 if (!idNum)
254 {Fatal(einfo, "Authenticate", ENOENT, "No identification specified.");
255 return -1;
256 }
257
258// Make sure we didn't encounter any attribute errors
259// (a dangling key with no value is not detected here - only key/key and
259//  value-without-key sequences are)
260 if (badAttr)
261 {Fatal(einfo, "Authenticate", EINVAL, "Invalid attribute specification.");
262 return -1;
263 }
264
265// Verify the source of the information to largely prevent packet stealing. New
266// versions of the protocol send an IP address which we preferentially use.
267// Older versions used a hostname. This causes problems for multi-homed machines.
268// The whole check is skipped when the decoding key carries the noIPCK option
268// (forwarded tokens); otherwise the client's claim must match the connection.
269if (!(decKey.Data.Opts & XrdSecsssKT::ktEnt::noIPCK))
270 {if (!theHost && !theIP)
271 {Fatal(einfo,"Authenticate",ENOENT,"No hostname or IP address specified.");
272 return -1;
273 }
274 CLDBG(urName <<' ' <<urIP <<" or " <<urIQ << " must match "
275 <<(theHost ? theHost : "?") <<' ' <<(theIP ? theIP : "[?]"));
// An IP claim is accepted if it matches either of the two connection forms;
// a host-name claim only if it equals urName exactly (plain strcmp).
276 if (theIP)
277 {if (strcmp(theIP, urIP) && strcmp(theIP, urIQ))
278 {Fatal(einfo, "Authenticate", EINVAL, "IP address mismatch.");
279 return -1;
280 }
281 } else if (strcmp(theHost, urName))
282 {Fatal(einfo, "Authenticate", EINVAL, "Hostname mismatch.");
283 return -1;
284 }
285 } else {
286 CLDBG(urName <<' ' <<urIP <<" or " <<urIQ << " forwarded token from "
287 <<(theHost ? theHost : "?") <<' ' <<(theIP ? theIP : "[?]"));
288 }
289
290// At this point we need to check if this identity can be passed as a clone
291// aProts is only set when the server was loaded with -p/--proxy. In that case
291// a credential made with the shared key may assert another protocol's
291// identity (prot/uid/gid from xAuth/xUser/xGrup), i.e. possession of the key
291// is what is trusted here; Clonable() (not shown) decides whether xAuth is in
291// the allowed list. Line 294 (not rendered) sits between prot and uid.
292 if (aProts && myID.Clonable(aProts))
293 {strlcpy(Entity.prot, myID.xAuth, sizeof(Entity.prot));
295 if (myID.xUser) XrdOucUtils::getUID(myID.xUser,Entity.uid,&Entity.gid);
296 if (myID.xGrup) XrdOucUtils::getGID(myID.xGrup,Entity.gid);
297 } else {
298 // Set correct username
299 // Unless the key allows any/all users, the client-supplied name is
299 // replaced by the user bound to the key in the keytab.
300 if (decKey.Data.Opts & Special)
301 {if (!myID.name) myID.name = (char *)"nobody";}
302 else myID.name = decKey.Data.User;
303
304 // Set correct group
305 // usrGRP: derive from the user; anyGRP: keep the client's claim; else the
305 // group bound to the key.
306 if (decKey.Data.Opts & XrdSecsssKT::ktEnt::usrGRP) myID.grps = 0;
307 else {if (decKey.Data.Opts & XrdSecsssKT::ktEnt::anyGRP)
308 {if (!myID.grps) myID.grps = (char *)"nogroup";}
309 else myID.grps = decKey.Data.Grup;
310 }
311
312 // Set corresponding uid and gid
313 //
314 if (myID.name) XrdOucUtils::getUID(myID.name, Entity.uid, &Entity.gid);
315 if (myID.grps) XrdOucUtils::getGID(myID.grps, Entity.gid);
316 }
317
318// Calculate the amount of space we will need
319// strlen(urName) is counted although urName is never copied into idBuff
319// (Entity.host points at urName directly), so the buffer is over-allocated
319// by that much; harmless.
320 idTLen = strlen(urName)
321 + (myID.name ? strlen(myID.name)+1 : 0)
322 + (myID.vorg ? strlen(myID.vorg)+1 : 0)
323 + (myID.role ? strlen(myID.role)+1 : 0)
324 + (myID.grps ? strlen(myID.grps)+1 : 0)
325 + (myID.caps ? strlen(myID.caps)+1 : 0)
326 + (myID.endo ? strlen(myID.endo)+1 : 0)
327 + (myID.creds ? myID.credslen : 0)
328 + (myID.pident ? strlen(myID.pident)+1 : 0);
329
330// Complete constructing our identification
331// The strings are copied out of the stack buffer (rrData) into a heap buffer
331// owned by this object, since Entity must outlive this call. The previous
331// idBuff is released first; Delete() frees the last one. The malloc() result
331// is not checked. setID() is not shown; presumably it copies the string plus
331// terminator at *idP, advances idP and returns the copy (or null).
332 if (idBuff) free(idBuff);
333 idBuff = idP = (char *)malloc(idTLen);
334 Entity.host = urName;
335 Entity.name = setID(myID.name, &idP);
336 Entity.vorg = setID(myID.vorg, &idP);
337 Entity.role = setID(myID.role, &idP);
338 Entity.grps = setID(myID.grps, &idP);
339 Entity.caps = setID(myID.caps, &idP);
340 Entity.endorsements = setID(myID.endo, &idP);
341
342 if (myID.pident)
343 {strcpy(idP, myID.pident);
344 Entity.pident = idP;
345 idP += strlen(myID.pident) + 1;
346 }
347
348 if (myID.creds)
349 {memcpy(idP, myID.creds, myID.credslen);
350 Entity.creds = idP;
351 Entity.credslen = myID.credslen;
352 }
353
354// All done
355//
356 return 0;
357}
#define XrdSecPROTOIDSIZE
#define CLDBG(x)
static const int XrdSecsssRR_Data_HdrLen
size_t strlcpy(char *dst, const char *src, size_t sz)
static int Unpack(char **buff, const char *bend, char **data, int &dlen)
Definition XrdOucPup.cc:250
static int Pack(struct iovec **, const char *, unsigned short &buff)
Definition XrdOucPup.cc:52
static bool getGID(const char *gName, gid_t &gID)
static bool getUID(const char *uName, uid_t &uID, gid_t *gID=0)
bool Add(XrdSecAttr &attr)
char * vorg
Entity's virtual organization(s)
const char * pident
Trace identifier (originator)
int credslen
Length of the 'creds' data.
XrdSecEntityAttr * eaAPI
non-const API to attributes
char prot[XrdSecPROTOIDSIZE]
Auth protocol used (e.g. krb5)
char * caps
Entity's capabilities.
char * creds
Raw entity credentials or cert.
gid_t gid
Unix gid or 0 if none.
char * grps
Entity's group name(s)
uid_t uid
Unix uid or 0 if none.
char * name
Entity's name.
char * role
Entity's role(s)
char * endorsements
Protocol specific endorsements.
char * host
Entity's host name dnr dependent.
XrdSecEntity Entity
static int Fatal(XrdOucErrInfo *erP, const char *epn, int rc, const char *etxt)
static const int anyUSR
struct XrdSecsssKT::ktEnt::ktData Data
static const int noIPCK
static const int anyGRP
static const int allUSR
static const int usrGRP
char * buffer
Pointer to the buffer.
int size
Size of the buffer or length of data in the buffer.
static const char SndLID
char Data[XrdSecsssRR_Data::MinDSz+16]
static const char theHost
static const char theUser
static const char theAKey
static const char theCaps
char Data[DataSz]
static const char theAuth
static const char theRole
static const char theName
static const char theLgid
static const char theGrps
static const char theRand
static const char theEndo
static const char theAVal
static const char theVorg
static const char theGrup
static const char theTID
static const int MaxDSz
static const char theCred

References XrdSecEntityAttr::Add(), XrdSecsssKT::ktEnt::allUSR, XrdSecsssKT::ktEnt::anyGRP, XrdSecsssKT::ktEnt::anyUSR, XrdSecBuffer::buffer, XrdSecEntity::caps, CLDBG, XrdSecEntity::creds, XrdSecEntity::credslen, XrdSecsssKT::ktEnt::Data, XrdSecsssRR_Data::Data, XrdSecsssRR_DataResp::Data, XrdSecEntity::eaAPI, XrdSecEntity::endorsements, XrdSecProtocol::Entity, Fatal(), XrdOucUtils::getGID(), XrdOucUtils::getUID(), XrdSecEntity::gid, XrdSecEntity::grps, XrdSecsssKT::ktEnt::ktData::Grup, XrdSecEntity::host, XrdSecsssRR_Data::MaxDSz, XrdSecEntity::name, XrdSecsssKT::ktEnt::noIPCK, XrdSecsssRR_DataHdr::Options, XrdSecsssKT::ktEnt::ktData::Opts, XrdOucPup::Pack(), XrdSecEntity::pident, XrdSecEntity::prot, XrdSecEntity::role, XrdSecBuffer::size, XrdSecsssRR_DataHdr::SndLID, strlcpy(), XrdSecsssRR_Data::theAKey, XrdSecsssRR_Data::theAuth, XrdSecsssRR_Data::theAVal, XrdSecsssRR_Data::theCaps, XrdSecsssRR_Data::theCred, XrdSecsssRR_Data::theEndo, XrdSecsssRR_Data::theGrps, XrdSecsssRR_Data::theGrup, XrdSecsssRR_Data::theHost, XrdSecsssRR_Data::theLgid, XrdSecsssRR_Data::theName, XrdSecsssRR_Data::theRand, XrdSecsssRR_Data::theRole, XrdSecsssRR_Data::theTID, XrdSecsssRR_Data::theUser, XrdSecsssRR_Data::theVorg, XrdSecEntity::uid, XrdOucPup::Unpack(), XrdSecsssKT::ktEnt::ktData::User, XrdSecsssKT::ktEnt::usrGRP, XrdSecEntity::vorg, XrdSecPROTOIDSIZE, and XrdSecsssRR_Data_HdrLen.


◆ Delete()

void XrdSecProtocolsss::Delete ( )
virtual

Delete the protocol object. DO NOT use C++ delete() on this object.

Implements XrdSecProtocol.

Definition at line 433 of file XrdSecProtocolsss.cc.

// void Delete()  -- XrdSecProtocolsss.cc:433; the only supported way to
// destroy a protocol object (the base-class destructor is protected).
// Frees the per-instance allocations and then deletes the object itself.
434{
435// Delete things that get re-allocated every time. The staticID is allocated
436// only once so it must stick around for every instance of this object.
437//
438 if (urName) free(urName); // Same pointer as Entity.host
439 if (idBuff) free(idBuff);
// CryptObj and ktObject are the process-wide objects installed by Load_Server()
// / Load_Client() and handed to instances by Init_Server()/Init_Client(); an
// instance deletes its crypto object and keytab only when it owns a private
// one. (Crypto here is the member pointer, not the nested struct of the same
// name listed above.)
440 if (Crypto && Crypto != CryptObj) delete Crypto;
441 if (keyTab && keyTab != ktObject) delete keyTab;
442
443 delete this;
444}

Referenced by XrdSecProtocolsssObject().


◆ eMsg()

int XrdSecProtocolsss::eMsg ( const char * epn,
int rc,
const char * txt1,
const char * txt2 = 0,
const char * txt3 = 0,
const char * txt4 = 0 )
static

Definition at line 450 of file XrdSecProtocolsss.cc.

// static int eMsg(const char *epn, int rc, const char *txt1,
//                 const char *txt2 = 0, const char *txt3 = 0,
//                 const char *txt4 = 0)            -- XrdSecProtocolsss.cc:450
// Writes "Secsss (<epname>): <txt1>[; <errno text>]<txt2><txt3><txt4>\n" to
// stderr and flushes. The body names the first parameter `epname`; the
// prototype rendered above calls it `epn` (the definition's own parameter
// list, lines 450-452, is not shown on this page).
// Returns a negative value: -|rc| when rc is non-zero, otherwise -1.
453{
454 std::cerr <<"Secsss (" << epname <<"): ";
455 std::cerr <<txt1;
// The errno text is appended only for positive codes.
456 if (rc>0) std::cerr <<"; " <<XrdSysE2T(rc);
457 if (txt2) std::cerr <<txt2;
458 if (txt3) std::cerr <<txt3;
459 if (txt4) {std::cerr <<txt4;}
460 std::cerr <<"\n" <<std::flush;
461
462 return (rc ? (rc < 0 ? rc : -rc) : -1);
463}
const char * XrdSysE2T(int errcode)
Definition XrdSysE2T.cc:99

References XrdSysE2T().


◆ Fatal()

int XrdSecProtocolsss::Fatal ( XrdOucErrInfo * erP,
const char * epn,
int rc,
const char * etxt )
static

Definition at line 520 of file XrdSecProtocolsss.cc.

// static int Fatal(XrdOucErrInfo *erP, const char *epn, int rc,
//                  const char *etxt)               -- XrdSecProtocolsss.cc:520
// Reports an error either into erP (setErrInfo plus a debug line) or, when no
// error object was supplied, on stderr via eMsg(). (The page also lists a
// one-argument macro named eMsg; which one this call resolves to cannot be
// told from here.)
// Always returns 0, whatever rc is and whatever eMsg() returned. That is the
// failure code for Init_Client()/Init_Server(), which return 1 on success, so
// they may `return Fatal(...)` directly; Authenticate(), where 0 means
// success, must call Fatal() and return -1 itself.
522{
523 if (erP) {erP->setErrInfo(rc, etxt);
524 CLDBG(epn <<": " <<etxt);
525 }
526 else eMsg(epn, rc, etxt);
527 return 0;
528}
#define eMsg(x)
int setErrInfo(int code, const char *emsg)

References CLDBG, eMsg, and XrdOucErrInfo::setErrInfo().

Referenced by Authenticate(), getCredentials(), Init_Client(), Load_Client(), Load_Server(), and XrdSecProtocolsssObject().


◆ getCredentials()

XrdSecCredentials * XrdSecProtocolsss::getCredentials ( XrdSecParameters * parm = 0,
XrdOucErrInfo * einfo = 0 )
virtual

Generate client credentials to be used in the authentication process.

Parameters
parm — Pointer to the information returned by the server either in the initial login response or the authmore response.
einfo — The error information object where error messages should be placed. The messages are returned to the client. Should einfo be null, messages should be written to stderr.
Returns
Success: Pointer to credentials to be sent to the server. The caller is responsible for deleting the object. Failure: Null pointer with einfo, if supplied, containing the reason for the failure.

Implements XrdSecProtocol.

Definition at line 633 of file XrdSecProtocolsss.cc.

// XrdSecCredentials *getCredentials(XrdSecParameters *parm = 0,
//                                   XrdOucErrInfo *einfo = 0)
//                                                   -- XrdSecProtocolsss.cc:633
// Client side: collects the identity data, picks an encryption key from the
// keytab, fills the v2 header and returns the encoded credential object (null
// on failure, with the reason in einfo when one was supplied). The body refers
// to the first parameter as `parms`; the rendered prototype calls it `parm`.
635{
636 static const int nOpts = XrdNetUtils::oldFmt;
637 XrdSecsssRR_Hdr2 rrHdr;
638 sssRR_DataHdr rrDataHdr;
639 XrdSecsssKT::ktEnt encKey;
640 XrdOucEnv *errEnv;
641
642 const char *myIP = 0, *myUD = 0;
643 char ipBuff[64];
644 int dLen;
645
646// Make sure we can extract out required information and get it as needed
647// The mapped user name and the local socket address are taken from the
647// environment attached to einfo when present. The IP is what the server
647// will later compare with the connection (see Authenticate()). The negative
647// fd argument to IPFormat() follows a convention not visible on this page.
648 if (einfo && (errEnv=einfo->getEnv()))
649 {if (isMapped) myUD = errEnv->Get("username");
650 if (!(myIP=errEnv->Get("sockname")))
651 {int fd = epAddr->SockFD();
652 if (fd > 0 && XrdNetUtils::IPFormat(-fd,ipBuff,sizeof(ipBuff),nOpts))
653 myIP = ipBuff;
654 else myIP = 0;
655 }
656 }
657
658// Do some debugging here
659//
660 CLDBG("getCreds: " <<static_cast<int>(Sequence)
661 << " ud: '" <<(myUD ? myUD : "")
662 <<"' ip: '" <<(myIP ? myIP : "") <<"'");
663
664// Get the actual data portion
665// On the first round (Sequence == 0) there is no server reply to pass along.
665// getCred() is not shown; only a 0 return is treated as failure here.
666 if (Sequence) dLen = getCred(einfo, rrDataHdr.P, myUD, myIP, parms);
667 else dLen = getCred(einfo, rrDataHdr.P, myUD, myIP);
668 if (!dLen) return (XrdSecCredentials *)0;
669
670// Get an encryption key
671//
672 if (keyTab->getKey(encKey))
673 {Fatal(einfo, "getCredentials", ENOENT, "Encryption key not found.");
674 return (XrdSecCredentials *)0;
675 }
676
677// Fill out the header
678// The key id travels in network byte order; the server uses it to select the
678// matching keytab entry. Pad is zeroed so no stack bytes leak into the wire
678// header.
679 strcpy(rrHdr.ProtID, XrdsssPROTOIDENT);
680 memset(rrHdr.Pad, 0, sizeof(rrHdr.Pad));
681 rrHdr.KeyID = htonll(encKey.Data.ID);
682 rrHdr.EncType = Crypto->Type();
683
684// Determine if we should send the keyname (v2 servers only)
685// n is the smallest multiple of 8 strictly greater than k, i.e. room for the
685// terminator; the bytes between the NUL written by strcpy and n are zeroed.
685// keyName is sized NameSZ (see the member list above); whether Data.Name is
685// guaranteed to fit is not visible here, nor that n always fits in uint8_t.
686 if (v2EndPnt)
687 {int k = strlen(encKey.Data.Name), n = (k + 8) & ~7;
688 strcpy(rrHdr.keyName, encKey.Data.Name);
689 if (n - k > 1) memset(rrHdr.keyName + k, 0, n - k);
690 rrHdr.knSize = static_cast<uint8_t>(n);
691 } else rrHdr.knSize = 0;
692
693// Now simply encode the data and return the result
694//
695 return Encode(einfo, encKey, &rrHdr, rrDataHdr.P, dLen);
696}
#define XrdsssPROTOIDENT
virtual char Type()
static int IPFormat(const struct sockaddr *sAddr, char *bP, int bL, int opts=0)
static const int oldFmt
char * Get(const char *varname)
Definition XrdOucEnv.hh:69
XrdOucEnv * getEnv()
int getKey(ktEnt &ktEql, bool andKeyID=false)
Generic structure to pass security information back and forth.
char keyName[XrdSecsssKT::ktEnt::NameSZ]
long long KeyID

References CLDBG, XrdSecsssKT::ktEnt::Data, XrdSecsssRR_Hdr::EncType, Fatal(), XrdOucEnv::Get(), XrdOucErrInfo::getEnv(), XrdSecsssKT::getKey(), XrdSecsssKT::ktEnt::ktData::ID, XrdNetUtils::IPFormat(), XrdSecsssRR_Hdr::KeyID, XrdSecsssRR_Hdr2::keyName, XrdSecsssRR_Hdr::knSize, XrdSecsssKT::ktEnt::ktData::Name, XrdNetUtils::oldFmt, XrdSecsssRR_Hdr::Pad, XrdSecsssRR_Hdr::ProtID, XrdNetAddrInfo::SockFD(), and XrdsssPROTOIDENT.


◆ Init_Client()

int XrdSecProtocolsss::Init_Client ( XrdOucErrInfo * erp,
const char * Parms )

Definition at line 726 of file XrdSecProtocolsss.cc.

// int Init_Client(XrdOucErrInfo *erp, const char *Parms)
//                                                   -- XrdSecProtocolsss.cc:726
// Parses the parameter string the server sent (built by Load_Server() as
// "<enccode>.+[0]<lifetime>:<keytab>"), loads the crypto object and selects
// the keytab. The body refers to the parameter as `pP`; the definition's own
// parameter list (line 726) is not shown. Returns 1 on success, 0 on failure
// (Fatal() returns 0). Serialised with initMutex because the process-wide
// ktObject may be installed here.
727{
728 XrdSysMutexHelper initMon(&initMutex);
729 XrdSecsssKT *ktP;
730 struct stat buf;
731 char *Colon;
732 int lifeTime;
733
734// We must have <enccode>.[+]<lifetime>:<keytab>
735//
736 if (!pP || !*pP) return Fatal(erp, "Init_Client", EINVAL,
737 "Client parameters missing.");
738
739// Get encryption object
740// (*(pP+1) is only read once *pP is known to be non-NUL)
741 if (!*pP || *(pP+1) != '.') return Fatal(erp, "Init_Client", EINVAL,
742 "Encryption type missing.");
743 if (!(Crypto = Load_Crypto(erp, *pP))) return 0;
744 pP += 2;
745
746// Check if this is a v2 server and if credentials are to be sent
747// pP is not advanced past the '+': strtol() below accepts the sign, and a
747// following '0' (the ask4Creds marker) merely prefixes the lifetime digits.
748 if (*pP == '+')
749 {v2EndPnt = true;
750 dataOpts |= XrdSecsssEnt::addExtra;
751 if (*(pP+1) == '0') dataOpts |= XrdSecsssEnt::addCreds;
752 }
753
754// The next item is the cred lifetime
755// deltaTime is not declared in this listing; presumably a class/file static.
756 lifeTime = strtol(pP, &Colon, 10);
757 if (!lifeTime || *Colon != ':') return Fatal(erp, "Init_Client", EINVAL,
758 "Credential lifetime missing.");
759 deltaTime = lifeTime; pP = Colon+1;
760
761// Get the correct keytab
762// The keytab path here comes from the remote server's parameter string. It is
762// honoured only when no keytab was fixed locally (ktFixed: xrd.sss or the
762// environment variable in Load_Client()) and it names an existing absolute
762// path; a path equal to the already-loaded keytab reuses that object. The
762// first keytab loaded this way becomes the process-wide default (ktObject).
763 if (ktFixed || (ktObject && ktObject->Same(pP))) keyTab = ktObject;
764 else if (*pP == '/' && !stat(pP, &buf))
// `new` throws rather than returning null in standard C++, so this test is
// effectively dead; the real failure signal is erp->getErrInfo() on the next
// line. NOTE(review): erp is dereferenced there without a null check, unlike
// Load_Client(), which guards erp.
765 {if (!(ktP=new XrdSecsssKT(erp,pP,XrdSecsssKT::isClient,3600)))
766 return Fatal(erp, "Init_Client", ENOMEM,
767 "Unable to create keytab object.");
768 if (erp->getErrInfo()) {delete ktP; return 0;}
769 if (!ktObject) ktObject = ktP;
770 keyTab = ktP;
771 CLDBG("Client keytab='" <<pP <<"'");
772 } else keyTab = ktObject;
773
774 if (!keyTab)
775 return Fatal(erp, "Init_Client", ENOENT,
776 "Unable to determine keytab location.");
777
778// All done
779//
780 return 1;
781}
#define stat(a, b)
Definition XrdPosix.hh:96
static const int addExtra
Add v2 data.
static const int addCreds
Add v2 data plus creds.
int Same(const char *path)

References XrdSecsssEnt::addCreds, XrdSecsssEnt::addExtra, CLDBG, Fatal(), XrdOucErrInfo::getErrInfo(), XrdSecsssKT::isClient, XrdSecsssKT::Same(), and stat.

Referenced by XrdSecProtocolsssObject().


◆ Init_Server()

int XrdSecProtocolsss::Init_Server ( XrdOucErrInfo * erp,
const char * Parms )

Definition at line 787 of file XrdSecProtocolsss.cc.

// int Init_Server(XrdOucErrInfo *erp, const char *Parms)
//                                                   -- XrdSecProtocolsss.cc:787
// Points this instance at the process-wide keytab and crypto object that
// Load_Server() created; both parameters are unused. Always returns 1.
788{
789
790// This is a trivial init
791//
792 keyTab = ktObject;
793 Crypto = CryptObj;
794 return 1;
795}

Referenced by XrdSecProtocolsssObject().


◆ Load_Client()

char * XrdSecProtocolsss::Load_Client ( XrdOucErrInfo * erp,
const char * Parms )
static

Definition at line 801 of file XrdSecProtocolsss.cc.

// static char *Load_Client(XrdOucErrInfo *erp, const char *Parms)
//                                                   -- XrdSecProtocolsss.cc:801
// One-time client-side setup: records the local host name, consults the id
// registry, locates the default keytab and, if a path was found, creates the
// process-wide keytab object. Returns "" on success (an empty, non-null
// parameter string) and null on failure.
// NOTE(review): as rendered, this listing omits source lines 806 and 819.
802{
803 static const char *KTPath = XrdSecsssKT::genFN();
804 static const int rfrHR = 60*60;
805 struct stat buf;
807 const char *kP = 0;
808 char *myName;
809
810// Get our full host name
811// (a null eName means no fallback name, so a null return signals failure)
812 if (!(myName = XrdNetUtils::MyHostName(0)))
813 {Fatal(erp, "Load_Client", ENOENT, "Unable to obtain local hostname.");
814 return (char *)0;
815 }
816
817// Tell the entity serialization object who we are
818// Line 819 (not rendered) presumably calls XrdSecsssEnt::setHostName(myName),
818// which this function is listed as referencing.
820 free(myName);
821
822// Check for the presence of a registry object
823// aType/staticID/idMap are not declared in this listing (presumably file or
823// class statics); only the dynamic and mapped registries are kept in idMap.
824 idMap = XrdSecsssID::getObj(aType, staticID);
825 switch(aType)
826 {case XrdSecsssID::idDynamic: isMutual = true; break;
827 case XrdSecsssID::idStaticM: isMutual = true;
828 idMap = 0; break;
829 case XrdSecsssID::idStatic: idMap = 0; break;
830 case XrdSecsssID::idMapped: isMapped = true; break;
831 case XrdSecsssID::idMappedM: isMapped = true; break;
832 default: idMap = 0; break;
833 }
834
835// We want to establish the default location of the keytable. First check
836// the environment passed from the client then the envar. We support two
837// versions of the envar for backward compatibility due to an early mistake.
838// Either source fixes the keytab (ktFixed), which makes Init_Client() ignore
838// any keytab path a server later sends. The xrd.sss value is taken as given;
838// the environment-variable value is used only if the file exists. Without
838// either, the generated default path is used when it exists.
839 if( erp && erp->getEnv() && ( kP = erp->getEnv()->Get( "xrd.sss" ) ) )
840 ktFixed = true;
841 else if ( ( (kP = getenv("XrdSecSSSKT")) || (kP = getenv("XrdSecsssKT")) )
842 && *kP && !stat(kP, &buf))
843 ktFixed = true;
844 else kP = 0;
845
846 if (!kP && !stat(KTPath, &buf)) kP = KTPath;
847
848// Build the keytable if we actually have a path (if none, then the server
849// will have to supply the path)
850// `new` throws rather than returning null, so the ENOMEM branch is effectively
850// dead; the constructor reports problems through erp. NOTE(review): erp is
850// null-checked at line 839 but dereferenced at line 856 - confirm it can
850// never be null here.
851 if (kP)
852 {if (!(ktObject=new XrdSecsssKT(erp,kP,XrdSecsssKT::isClient,rfrHR)))
853 {Fatal(erp, "Load_Client", ENOMEM, "Unable to create keytab object.");
854 return (char *)0;
855 }
856 if (erp->getErrInfo())
857 {delete ktObject, ktObject = 0; return (char *)0;}
858 CLDBG("Client keytab='" <<kP <<"'");
859 }
860
861// All done
862//
863 return (char *)"";
864}
static char * MyHostName(const char *eName="*unknown*", const char **eText=0)
static void setHostName(const char *hnP)
static char * genFN()

References CLDBG, Fatal(), XrdSecsssKT::genFN(), XrdOucEnv::Get(), XrdOucErrInfo::getEnv(), XrdOucErrInfo::getErrInfo(), XrdSecsssID::idDynamic, XrdSecsssID::idMapped, XrdSecsssID::idMappedM, XrdSecsssID::idStatic, XrdSecsssID::idStaticM, XrdSecsssKT::isClient, XrdNetUtils::MyHostName(), XrdSecsssEnt::setHostName(), and stat.

Referenced by XrdSecProtocolsssInit().


◆ Load_Server()

char * XrdSecProtocolsss::Load_Server ( XrdOucErrInfo * erp,
const char * Parms )
static

Definition at line 934 of file XrdSecProtocolsss.cc.

// static char *Load_Server(XrdOucErrInfo *erp, const char *Parms)
//                                                   -- XrdSecProtocolsss.cc:934
// One-time server-side setup from the configuration parameter string: parses
// the options listed below, loads the crypto object, creates the single
// server keytab and returns the strdup'ed parameter string that clients will
// receive (see Init_Client()). Returns null on any error, with the reason in
// erp. The body refers to the parameter as `parms`.
935{
936 const char *msg = 0;
937 const char *encName = "bf32", *ktClient = "", *ktServer = 0;
938 char buff[2048], parmbuff[2048], *op, *od, *eP;
// lifeTime is in seconds; -l is given in minutes and converted below, while
// the default of 13 is used as is. rfrTime likewise (default one hour).
939 int lifeTime = 13, rfrTime = 60*60;
940 XrdOucTokenizer inParms(parmbuff);
941 const char *ask4Creds = "";
942
943// Duplicate the parms
944// (strlcpy truncates silently if the string exceeds 2047 bytes)
945 if (parms) strlcpy(parmbuff, parms, sizeof(parmbuff));
946
947// Expected parameters: [{-c | --clientkt} <ckt_path>]
948// [{-e | --encrypt} <enctype>]
949// [{-g | --getcreds}]
950// [{-k | --keyname}]
951// [{-l | --lifetime} <seconds>]
952// [{-p | --proxy} <prots>]
953// [{-r | --refresh} <minutes>]
954// [{-s | --serverkt} <skt_path>]
955// -k and -g take no argument; every other option consumes the next token.
956 if (parms && inParms.GetLine())
957 while((op = inParms.GetToken()))
958 {if (!strcmp("-k", op) || !strcmp("--keyname", op))
959 {sssUseKN = true;
960 continue;
961 }
962 if (!strcmp("-g", op) || !strcmp("--getcreds", op))
963 {ask4Creds = "0";
964 continue;
965 }
// op comes from parmbuff (up to 2047 bytes) and buff is also 2048 bytes, so
// a pathological option token could overrun here; snprintf() would bound it.
// The parameters come from the server configuration, so exposure is limited.
966 if (!(od = inParms.GetToken()))
967 {sprintf(buff,"Secsss: Missing %s parameter argument",op);
968 msg = buff; break;
969 }
970 if (!strcmp("-c", op) || !strcmp("--clientkt", op))
971 ktClient = od;
972 else if (!strcmp("-e", op) || !strcmp("--encrypt", op))
973 encName = od;
// errno is tested without being cleared before strtol(), so a stale errno
// from an earlier call would reject a valid value (same at line 986-987).
974 else if (!strcmp("-l", op) || !strcmp("--lifetime", op))
975 {lifeTime = strtol(od, &eP, 10) * 60;
976 if (errno || *eP || lifeTime < 1)
977 {msg = "Secsss: Invalid life time"; break;}
978 }
// aProts is ":<prots>"; the leading ':' presumably turns it into a delimited
// list for Persona::Clonable() in Authenticate(). A repeated -p leaks the
// previous allocation.
979 else if (!strcmp("-p", op) || !strcmp("--proxy", op))
980 {int n = strlen(od) + 2;
981 aProts = (char *)malloc(n);
982 *aProts = ':';
983 strcpy(aProts+1, od);
984 }
// NOTE(review): the long form accepted here is "--rfresh", while the usage
// comment above documents "--refresh"; likewise "-serverkt" (single dash)
// below versus the documented "--serverkt". Only the short forms -r/-s match
// the documentation.
985 else if (!strcmp("-r", op) || !strcmp("--rfresh", op))
986 {rfrTime = strtol(od, &eP, 10) * 60;
987 if (errno || *eP || rfrTime < 600)
988 {msg = "Secsss: Invalid refresh time"; break;}
989 }
990 else if (!strcmp("-s", op) || !strcmp("-serverkt", op))
991 ktServer = od;
992 else {sprintf(buff,"Secsss: Invalid parameter - %s",op);
993 msg = buff; break;
994 }
995 }
996
997// Check for errors
998//
999 if (msg) {Fatal(erp, "Load_Server", EINVAL, msg); return (char *)0;}
1000
1001// Load the right crypto object
1002//
1003 if (!(CryptObj = Load_Crypto(erp, encName))) return (char *)0;
1004
1005// Supply default keytab location if not specified
1006//
1007 if (!ktServer) ktServer = XrdSecsssKT::genFN();
1008
1009// Set the delta time used to expire credentials
1010//
1011 deltaTime = lifeTime;
1012
1013// Create a keytab object (only one for the server)
1014// `new` throws rather than returning null, so the ENOMEM branch is
1014// effectively dead; constructor errors surface via erp (dereferenced without
1014// a null check at line 1020).
1015 if (!(ktObject = new XrdSecsssKT(erp, ktServer, XrdSecsssKT::isServer,
1016 rfrTime)))
1017 {Fatal(erp, "Load_Server", ENOMEM, "Unable to create keytab object.");
1018 return (char *)0;
1019 }
1020 if (erp->getErrInfo()) return (char *)0;
1021 ktFixed = true;
1022 CLDBG("Server keytab='" <<ktServer <<"'");
1023
1024// Construct client parameter <enccode>.+<lifetime>:<keytab>
1025// Note: The plus preceding the <lifetime> indicates that we are a V2 server.
1026// V1 clients will simply ignore this and treat us as a V1 server.
1027// ask4Creds inserts a '0' between the '+' and the digits when -g was given
1027// (Init_Client() looks for it); ktClient is "" unless -c named a path.
1028 sprintf(buff, "%c.+%s%d:%s", CryptObj->Type(),ask4Creds,lifeTime,ktClient);
1029 CLDBG("client parms='" <<buff <<"'");
1030 return strdup(buff);
1031}

References CLDBG, Fatal(), XrdSecsssKT::genFN(), XrdOucErrInfo::getErrInfo(), XrdOucTokenizer::GetLine(), XrdOucTokenizer::GetToken(), XrdSecsssKT::isServer, strlcpy(), and XrdCryptoLite::Type().

Referenced by XrdSecProtocolsssInit().


Friends And Related Symbol Documentation

◆ XrdSecProtocolDummy

friend class XrdSecProtocolDummy
friend

Definition at line 47 of file XrdSecProtocolsss.hh.

