XrdSecProtocolsss Class Reference

#include <XrdSecProtocolsss.hh>


Classes

struct  Crypto
 

Public Member Functions

 XrdSecProtocolsss (const char *hname, XrdNetAddrInfo &endPoint)
 
int Authenticate (XrdSecCredentials *cred, XrdSecParameters **parms, XrdOucErrInfo *einfo=0)
 
void Delete ()
 Delete the protocol object. DO NOT use C++ delete() on this object. More...
 
XrdSecCredentials * getCredentials (XrdSecParameters *parms=0, XrdOucErrInfo *einfo=0)
 
int Init_Client (XrdOucErrInfo *erp, const char *Parms)
 
int Init_Server (XrdOucErrInfo *erp, const char *Parms)
 
- Public Member Functions inherited from XrdSecProtocol
 XrdSecProtocol (const char *pName)
 Constructor. More...
 
virtual int Decrypt (const char *inbuff, int inlen, XrdSecBuffer **outbuff)
 
virtual int Encrypt (const char *inbuff, int inlen, XrdSecBuffer **outbuff)
 
virtual int getKey (char *buff=0, int size=0)
 
virtual bool needTLS ()
 Check if this protocol requires TLS to properly function. More...
 
virtual int setKey (char *buff, int size)
 
virtual int Sign (const char *inbuff, int inlen, XrdSecBuffer **outbuff)
 
virtual int Verify (const char *inbuff, int inlen, const char *sigbuff, int siglen)
 

Static Public Member Functions

static int eMsg (const char *epn, int rc, const char *txt1, const char *txt2=0, const char *txt3=0, const char *txt4=0)
 
static int Fatal (XrdOucErrInfo *erP, const char *epn, int rc, const char *etxt)
 
static char * Load_Client (XrdOucErrInfo *erp, const char *Parms)
 
static char * Load_Server (XrdOucErrInfo *erp, const char *Parms)
 

Friends

class XrdSecProtocolDummy
 

Additional Inherited Members

- Public Attributes inherited from XrdSecProtocol
XrdSecEntity Entity
 
- Protected Member Functions inherited from XrdSecProtocol
virtual ~XrdSecProtocol ()
 Destructor (prevents use of direct delete). More...
 

Detailed Description

Definition at line 145 of file XrdSecProtocolsss.cc.


Class Documentation

◆ XrdSecProtocolsss::Crypto

struct XrdSecProtocolsss::Crypto

Definition at line 80 of file XrdSecProtocolsss.hh.

Class Members
const char * cName
char cType

Constructor & Destructor Documentation

◆ XrdSecProtocolsss()

XrdSecProtocolsss::XrdSecProtocolsss ( const char *  hname,
XrdNetAddrInfo & endPoint
)
inline

Definition at line 74 of file XrdSecProtocolsss.hh.

// Construct an sss protocol instance for one peer. The signature on line 74 of
// XrdSecProtocolsss.hh is `XrdSecProtocolsss(const char *hname,
// XrdNetAddrInfo &endPoint)`. Per-instance state starts empty; urName takes a
// strdup() copy of hname that Delete() frees (Authenticate() later points
// Entity.host at that same buffer).
// NOTE(review): strdup() can return NULL; nothing here checks it.
75  : XrdSecProtocol("sss"),
76  keyTab(0), Crypto(0), idBuff(0), dataOpts(0),
77  Sequence(0), v2EndPnt(false)
78  {urName = strdup(hname); setIP(endPoint);}
XrdSecProtocol(const char *pName)
Constructor.

Member Function Documentation

◆ Authenticate()

int XrdSecProtocolsss::Authenticate ( XrdSecCredentials * cred,
XrdSecParameters **  parms,
XrdOucErrInfo * einfo = 0
)
virtual

Authenticate a client.

Parameters
cred: Credentials supplied by the client.
parms: Place where the address of additional authentication data is to be placed for another authentication handshake.
einfo: The error information object where error messages should be placed. The messages are returned to the client. Should einfo be null, messages should be written to stderr.
Returns
> 0 -> parms present (more authentication needed); = 0 -> Entity present (authentication succeeded); < 0 -> einfo present (an error has occurred)

Implements XrdSecProtocol.

Definition at line 162 of file XrdSecProtocolsss.cc.

// Server-side handshake step. Decodes the client's sss credential blob with a
// keytab key, unpacks the identity fields it carries, binds the claim to the
// connection (peer host/IP check unless the key carries noIPCK) and fills
// Entity. The signature (XrdSecProtocolsss.cc:162-164) precedes this listing.
// NOTE(review): this rendering drops source lines 169, 207, 235, 248 and 305.
// 169 presumably continues the `Special` initializer with ktEnt::allUSR, and
// 235/248 are presumably the `theHost`/`theAVal` case labels for the branches
// that follow them (the References list names all three) — confirm against
// the source before relying on this listing.
165 {
166  static const int minLen = sizeof(XrdSecsssRR_Hdr) + XrdSecsssRR_Data_HdrLen;
167  static const int maxLen = XrdSecsssRR_Data::MaxDSz + minLen;
168  static const int Special= XrdSecsssKT::ktEnt::anyUSR
170 
171  XrdSecsssRR_Hdr *rrHdr = (XrdSecsssRR_Hdr *)(cred->buffer);
172  XrdSecsssRR_Data *rrData;
173  XrdSecsssKT::ktEnt decKey;
174  Persona myID(&decKey);
175 
176  char *idP = 0, *dP = 0, *eodP = 0, *theIP = 0, *theHost = 0, *atKey = 0, eType = '\0';
177  int idNum = 0, idTLen, idSz, dLen;
178  bool badAttr = false;
179 
180 // Make sure we have atleast the header plus the data header
181 //
// NOTE(review): Fatal() always returns 0, so this and the next
// `return Fatal(...)` yield 0 — the value the Returns contract reserves for
// "Entity present (authentication succeeded)" — while every later failure in
// this function returns -1 explicitly. Unless the caller also inspects einfo,
// both should read `{Fatal(...); return -1;}` like the rest — confirm.
182  if (cred->size < minLen)
183  return Fatal(einfo, "Auth", EINVAL, "Credentials too small.");
184 
185 // Make sure the credentials are not too big (people misuse sss)
186 //
187  if (cred->size > maxLen)
188  return Fatal(einfo, "Auth", EINVAL, "Credentials too big.");
189 
190 // Allocate the buffer from the stack
191 //
// cred->size is bounded by maxLen above, so the stack allocation is bounded too.
192  rrData = (XrdSecsssRR_Data *)alloca(cred->size);
193 
194 // Decode the credentials
195 //
// Decode() presumably leaves in decKey the keytab entry that decrypted the
// blob. Every field unpacked below is client-supplied; how far it is trusted
// is decided further down by that key's options (decKey.Data.Opts).
196  if ((dLen = Decode(einfo, decKey, cred->buffer, rrData, cred->size)) <= 0)
197  return -1;
198 
199 // Check if we should echo back the LID
200 //
// The client asked for its login id: answer with an encrypted parms blob and
// report 1 (more authentication needed), or -1 when Encode() fails.
201  if (rrData->Options == XrdSecsssRR_DataHdr::SndLID)
202  {XrdSecsssRR_DataResp rrResp;
203  char lidBuff[16];
204  rrResp.Options = 0;
205  getLID(lidBuff, sizeof(lidBuff));
206  dP = rrResp.Data;
208  XrdOucPup::Pack(&dP, lidBuff);
209  int n = dP-rrResp.Data + XrdSecsssRR_Data_HdrLen;
210  *parms = Encode(einfo, decKey, rrHdr, &rrResp, n);
211  return (*parms ? 1 : -1);
212  }
213 
214 // Extract out the entity information
215 //
// Walk the tag/value pairs. Each Unpack() is bounded by eodP and an empty
// string is rejected; theRand entries do not count as identification.
216  dP = rrData->Data; eodP = dP + dLen - XrdSecsssRR_Data_HdrLen;
217  CLDBG("Processing " <<dLen <<" byes");
218  while(dP < eodP)
219  {eType = *dP++;
220  CLDBG("eType=" <<static_cast<int>(eType)
221  <<" Used " <<dP-rrData->Data <<" left " <<eodP-dP);
222  if (!XrdOucPup::Unpack(&dP, eodP, &idP, idSz) || (idP && *idP == '\0'))
223  {Fatal(einfo, "Authenticate", EINVAL, "Invalid id string.");
224  return -1;
225  }
226  idNum++;
227  switch(eType)
228  {case XrdSecsssRR_Data::theName: myID.name = idP; break;
229  case XrdSecsssRR_Data::theVorg: myID.vorg = idP; break;
230  case XrdSecsssRR_Data::theRole: myID.role = idP; break;
231  case XrdSecsssRR_Data::theGrps: myID.grps = idP; break;
232  case XrdSecsssRR_Data::theEndo: myID.endo = idP; break;
233  case XrdSecsssRR_Data::theCred: myID.creds = idP;
234  myID.credslen = idSz;break;
// Host claim: a bracketed value is an IP address (preferred), anything else a
// host name. Both are only used for the source check below; Entity.host is
// always set from urName, never from this claim.
236  if (idP && *idP == '[')
237  myID.host = theIP = idP;
238 
239  else theHost = idP;
240  break;
241  case XrdSecsssRR_Data::theRand: idNum--; break;
242 
243  case XrdSecsssRR_Data::theAuth: myID.xAuth = idP; break;
244 
245  case XrdSecsssRR_Data::theTID: myID.pident = idP; break;
// Attribute key/value pairs go verbatim into Entity.eaAPI. Two keys in a row
// or a value without a preceding key sets badAttr and is rejected below.
// NOTE(review): a trailing key with no value is not caught (atKey is never
// examined after the loop) — confirm whether that matters.
246  case XrdSecsssRR_Data::theAKey: if (atKey) badAttr = true;
247  atKey = idP; break;
249  if (!atKey) badAttr = true;
250  else {Entity.eaAPI->Add(std::string(atKey),
251  std::string(idP), true);
252  atKey = 0;
253  }
254  break;
255  case XrdSecsssRR_Data::theUser: myID.xUser = idP; break;
256  case XrdSecsssRR_Data::theGrup: myID.xGrup = idP; break;
257  case XrdSecsssRR_Data::theCaps: myID.caps = idP; break;
258  default: break;
259  }
260  }
261 
262 // Verify that we have some kind of identification
263 //
264  if (!idNum)
265  {Fatal(einfo, "Authenticate", ENOENT, "No identification specified.");
266  return -1;
267  }
268 
269 // Make sure we didn't encounter any attribute errors
270 //
271  if (badAttr)
272  {Fatal(einfo, "Authenticate", EINVAL, "Invalid attribute specification.");
273  return -1;
274  }
275 
276 // Verify the source of the information to largely prevent packet stealing. New
277 // version of the protocol will send an IP address which we prefrentially use.
278 // Older version used a hostname. This causes problems for multi-homed machines.
279 //
// Binds the credential to this connection: the claimed IP (or, failing that,
// host name) must equal what we observed on the socket (urIP/urIQ/urName).
// A key flagged noIPCK opts out entirely and therefore accepts tokens
// forwarded from any source — grant that flag deliberately.
280 if (!(decKey.Data.Opts & XrdSecsssKT::ktEnt::noIPCK))
281  {if (!theHost && !theIP)
282  {Fatal(einfo,"Authenticate",ENOENT,"No hostname or IP address specified.");
283  return -1;
284  }
285  CLDBG(urName <<' ' <<urIP <<" or " <<urIQ << " must match "
286  <<(theHost ? theHost : "?") <<' ' <<(theIP ? theIP : "[?]"));
287  if (theIP)
288  {if (strcmp(theIP, urIP) && strcmp(theIP, urIQ))
289  {Fatal(einfo, "Authenticate", EINVAL, "IP address mismatch.");
290  return -1;
291  }
292  } else if (strcmp(theHost, urName))
293  {Fatal(einfo, "Authenticate", EINVAL, "Hostname mismatch.");
294  return -1;
295  }
296  } else {
297  CLDBG(urName <<' ' <<urIP <<" or " <<urIQ << " forwarded token from "
298  <<(theHost ? theHost : "?") <<' ' <<(theIP ? theIP : "[?]"));
299  }
300 
301 // At this point we need to check if this identity can be passed as a clone
302 //
// Proxy mode: when the server was configured with -p/--proxy (aProts) and
// Clonable() accepts the client's claimed protocol, the client-asserted
// protocol, user and group are adopted as-is, Entity.prot included. Otherwise
// the identity is derived from the keytab entry: the user is the key's User
// unless the key allows any user (Special), and the group is the key's Grup
// unless anyGRP or usrGRP applies.
303  if (aProts && myID.Clonable(aProts))
304  {strlcpy(Entity.prot, myID.xAuth, sizeof(Entity.prot));
306  if (myID.xUser) XrdOucUtils::getUID(myID.xUser,Entity.uid,&Entity.gid);
307  if (myID.xGrup) XrdOucUtils::getGID(myID.xGrup,Entity.gid);
308  } else {
309  // Set correct username
310  //
311  if (decKey.Data.Opts & Special)
312  {if (!myID.name) myID.name = (char *)"nobody";}
313  else myID.name = decKey.Data.User;
314 
315  // Set correct group
316  //
317  if (decKey.Data.Opts & XrdSecsssKT::ktEnt::usrGRP) myID.grps = 0;
318  else {if (decKey.Data.Opts & XrdSecsssKT::ktEnt::anyGRP)
319  {if (!myID.grps) myID.grps = (char *)"nogroup";}
320  else myID.grps = decKey.Data.Grup;
321  }
322 
323  // Set corresponding uid and gid
324  //
325  if (myID.name) XrdOucUtils::getUID(myID.name, Entity.uid, &Entity.gid);
326  if (myID.grps) XrdOucUtils::getGID(myID.grps, Entity.gid);
327  }
328 
329 // Calculate the amount of space we will need
330 //
// Entity.host aliases urName directly (no copy), so the strlen(urName) term is
// slack rather than needed space. NOTE(review): the malloc() below is unchecked.
331  idTLen = strlen(urName)
332  + (myID.name ? strlen(myID.name)+1 : 0)
333  + (myID.vorg ? strlen(myID.vorg)+1 : 0)
334  + (myID.role ? strlen(myID.role)+1 : 0)
335  + (myID.grps ? strlen(myID.grps)+1 : 0)
336  + (myID.caps ? strlen(myID.caps)+1 : 0)
337  + (myID.endo ? strlen(myID.endo)+1 : 0)
338  + (myID.creds ? myID.credslen : 0)
339  + (myID.pident ? strlen(myID.pident)+1 : 0);
340 
341 // Complete constructing our identification
342 //
// setID() is not shown here; it presumably copies each field into idBuff and
// returns the copy (or 0 for an absent field) — confirm.
343  if (idBuff) free(idBuff);
344  idBuff = idP = (char *)malloc(idTLen);
345  Entity.host = urName;
346  Entity.name = setID(myID.name, &idP);
347  Entity.vorg = setID(myID.vorg, &idP);
348  Entity.role = setID(myID.role, &idP);
349  Entity.grps = setID(myID.grps, &idP);
350  Entity.caps = setID(myID.caps, &idP);
351  Entity.endorsements = setID(myID.endo, &idP);
352 
353  if (myID.pident)
354  {strcpy(idP, myID.pident);
355  Entity.pident = idP;
356  idP += strlen(myID.pident) + 1;
357  }
358 
359  if (myID.creds)
360  {memcpy(idP, myID.creds, myID.credslen);
361  Entity.creds = idP;
362  Entity.credslen = myID.credslen;
363  }
364 
365 // All done
366 //
367  return 0;
368 }
#define XrdSecPROTOIDSIZE
Definition: XrdSecEntity.hh:47
#define CLDBG(x)
static const int XrdSecsssRR_Data_HdrLen
Definition: XrdSecsssRR.hh:77
size_t strlcpy(char *dst, const char *src, size_t sz)
static int Unpack(char **buff, const char *bend, char **data, int &dlen)
Definition: XrdOucPup.cc:250
static int Pack(struct iovec **, const char *, unsigned short &buff)
Definition: XrdOucPup.cc:52
static bool getGID(const char *gName, gid_t &gID)
Definition: XrdOucUtils.cc:514
static bool getUID(const char *uName, uid_t &uID, gid_t *gID=0)
Definition: XrdOucUtils.cc:530
bool Add(XrdSecAttr &attr)
char * vorg
Entity's virtual organization(s)
Definition: XrdSecEntity.hh:71
const char * pident
Trace identifier (originator)
Definition: XrdSecEntity.hh:82
int credslen
Length of the 'creds' data.
Definition: XrdSecEntity.hh:78
XrdSecEntityAttr * eaAPI
non-const API to attributes
Definition: XrdSecEntity.hh:92
char prot[XrdSecPROTOIDSIZE]
Auth protocol used (e.g. krb5)
Definition: XrdSecEntity.hh:67
char * caps
Entity's capabilities.
Definition: XrdSecEntity.hh:74
char * creds
Raw entity credentials or cert.
Definition: XrdSecEntity.hh:77
gid_t gid
Unix gid or 0 if none.
Definition: XrdSecEntity.hh:87
char * grps
Entity's group name(s)
Definition: XrdSecEntity.hh:73
uid_t uid
Unix uid or 0 if none.
Definition: XrdSecEntity.hh:86
char * name
Entity's name.
Definition: XrdSecEntity.hh:69
char * role
Entity's role(s)
Definition: XrdSecEntity.hh:72
char * endorsements
Protocol specific endorsements.
Definition: XrdSecEntity.hh:75
char * host
Entity's host name dnr dependent.
Definition: XrdSecEntity.hh:70
XrdSecEntity Entity
static const int anyUSR
Definition: XrdSecsssKT.hh:67
struct XrdSecsssKT::ktEnt::ktData Data
static const int noIPCK
Definition: XrdSecsssKT.hh:70
static const int anyGRP
Definition: XrdSecsssKT.hh:68
static const int allUSR
Definition: XrdSecsssKT.hh:66
static const int usrGRP
Definition: XrdSecsssKT.hh:69
char * buffer
Pointer to the buffer.
int size
Size of the buffer or length of data in the buffer.
static int Fatal(XrdOucErrInfo *erP, const char *epn, int rc, const char *etxt)
static const char SndLID
Definition: XrdSecsssRR.hh:72
char Data[XrdSecsssRR_Data::MinDSz+16]
Definition: XrdSecsssRR.hh:113
static const char theHost
Definition: XrdSecsssRR.hh:106
static const char theUser
Definition: XrdSecsssRR.hh:101
static const char theAKey
Definition: XrdSecsssRR.hh:99
static const char theCaps
Definition: XrdSecsssRR.hh:103
char Data[DataSz]
Definition: XrdSecsssRR.hh:85
static const char theAuth
Definition: XrdSecsssRR.hh:97
static const char theRole
Definition: XrdSecsssRR.hh:91
static const char theName
Definition: XrdSecsssRR.hh:89
static const char theLgid
Definition: XrdSecsssRR.hh:105
static const char theGrps
Definition: XrdSecsssRR.hh:92
static const char theRand
Definition: XrdSecsssRR.hh:95
static const char theEndo
Definition: XrdSecsssRR.hh:93
static const char theAVal
Definition: XrdSecsssRR.hh:100
static const char theVorg
Definition: XrdSecsssRR.hh:90
static const char theGrup
Definition: XrdSecsssRR.hh:102
static const char theTID
Definition: XrdSecsssRR.hh:98
static const int MaxDSz
Definition: XrdSecsssRR.hh:82
static const char theCred
Definition: XrdSecsssRR.hh:94

References XrdSecEntityAttr::Add(), XrdSecsssKT::ktEnt::allUSR, XrdSecsssKT::ktEnt::anyGRP, XrdSecsssKT::ktEnt::anyUSR, XrdSecBuffer::buffer, XrdSecEntity::caps, CLDBG, XrdSecEntity::creds, XrdSecEntity::credslen, XrdSecsssKT::ktEnt::Data, XrdSecsssRR_Data::Data, XrdSecsssRR_DataResp::Data, XrdSecEntity::eaAPI, XrdSecEntity::endorsements, XrdSecProtocol::Entity, Fatal(), XrdOucUtils::getGID(), XrdOucUtils::getUID(), XrdSecEntity::gid, XrdSecEntity::grps, XrdSecsssKT::ktEnt::ktData::Grup, XrdSecEntity::host, XrdSecsssRR_Data::MaxDSz, XrdSecEntity::name, XrdSecsssKT::ktEnt::noIPCK, XrdSecsssRR_DataHdr::Options, XrdSecsssKT::ktEnt::ktData::Opts, XrdOucPup::Pack(), XrdSecEntity::pident, XrdSecEntity::prot, XrdSecEntity::role, XrdSecBuffer::size, XrdSecsssRR_DataHdr::SndLID, strlcpy(), XrdSecsssRR_Data::theAKey, XrdSecsssRR_Data::theAuth, XrdSecsssRR_Data::theAVal, XrdSecsssRR_Data::theCaps, XrdSecsssRR_Data::theCred, XrdSecsssRR_Data::theEndo, XrdSecsssRR_Data::theGrps, XrdSecsssRR_Data::theGrup, XrdSecsssRR_Data::theHost, XrdSecsssRR_Data::theLgid, XrdSecsssRR_Data::theName, XrdSecsssRR_Data::theRand, XrdSecsssRR_Data::theRole, XrdSecsssRR_Data::theTID, XrdSecsssRR_Data::theUser, XrdSecsssRR_Data::theVorg, XrdSecEntity::uid, XrdOucPup::Unpack(), XrdSecsssKT::ktEnt::ktData::User, XrdSecsssKT::ktEnt::usrGRP, XrdSecEntity::vorg, XrdSecPROTOIDSIZE, and XrdSecsssRR_Data_HdrLen.


◆ Delete()

void XrdSecProtocolsss::Delete ( )
virtual

Delete the protocol object. DO NOT use C++ delete() on this object.

Implements XrdSecProtocol.

Definition at line 444 of file XrdSecProtocolsss.cc.

/// Release this protocol instance. Instances must be returned through here,
/// never via C++ delete: the XrdSecProtocol destructor is protected.
///
/// Only per-instance resources are released. The server-wide keytab and
/// crypto objects (ktObject/CryptObj, adopted in Init_Server()) are shared by
/// every instance and must survive; a keytab or crypto object that belongs
/// to this instance alone (the Init_Client() case) is destroyed with it.
void XrdSecProtocolsss::Delete()
{
   free(urName);                     // free(0) is a no-op; Entity.host aliases this buffer
   free(idBuff);
   if (Crypto != 0 && Crypto != CryptObj) delete Crypto;
   if (keyTab != 0 && keyTab != ktObject) delete keyTab;
   delete this;
}

Referenced by XrdSecProtocolsssObject().


◆ eMsg()

int XrdSecProtocolsss::eMsg ( const char *  epn,
int  rc,
const char *  txt1,
const char *  txt2 = 0,
const char *  txt3 = 0,
const char *  txt4 = 0 
)
static

Definition at line 461 of file XrdSecProtocolsss.cc.

/// Report an error on stderr; used when no XrdOucErrInfo object is available.
///
/// @param epname Name of the reporting entry point (declared as `epn` in the
///               class; the definition names it epname).
/// @param rc     errno-style code; when positive its text is appended.
/// @param txt1   First message fragment (always printed).
/// @param txt2   Optional further fragments; null fragments are skipped.
/// @param txt3   See txt2.
/// @param txt4   See txt2.
/// @return rc forced negative (rc itself if already negative), or -1 when rc is 0.
int XrdSecProtocolsss::eMsg(const char *epname, int rc, const char *txt1,
                            const char *txt2, const char *txt3, const char *txt4)
{
   const char *const extra[] = {txt2, txt3, txt4};

   std::cerr <<"Secsss (" <<epname <<"): " <<txt1;
   if (rc > 0) std::cerr <<"; " <<XrdSysE2T(rc);
   for (const char *t : extra) if (t) std::cerr <<t;
   std::cerr <<"\n" <<std::flush;

   if (rc == 0) return -1;
   return rc < 0 ? rc : -rc;
}
const char * XrdSysE2T(int errcode)
Definition: XrdSysE2T.cc:104

References XrdSysE2T().

Referenced by Fatal().


◆ Fatal()

int XrdSecProtocolsss::Fatal ( XrdOucErrInfo * erP,
const char *  epn,
int  rc,
const char *  etxt 
)
static

Definition at line 531 of file XrdSecProtocolsss.cc.

/// Record an error either in the caller's error object or, when none was
/// supplied, on stderr via eMsg().
///
/// @param erP  Error object to receive (rc, etxt); may be null.
/// @param epn  Name of the reporting entry point (used for the debug trace).
/// @param rc   errno-style code.
/// @param etxt Message text.
/// @return Always 0, whatever rc is. Callers that `return Fatal(...)` therefore
///         report 0: that matches the Init_*/Load_* convention (0 = failure)
///         but not Authenticate()'s documented one (0 = success).
int XrdSecProtocolsss::Fatal(XrdOucErrInfo *erP, const char *epn, int rc,
                             const char *etxt)
{
   if (erP == 0)
      {eMsg(epn, rc, etxt);          // no error object: stderr is the only channel
       return 0;
      }
   erP->setErrInfo(rc, etxt);
   CLDBG(epn <<": " <<etxt);
   return 0;
}
int setErrInfo(int code, const char *emsg)
static int eMsg(const char *epn, int rc, const char *txt1, const char *txt2=0, const char *txt3=0, const char *txt4=0)

References CLDBG, eMsg(), and XrdOucErrInfo::setErrInfo().

Referenced by Authenticate(), getCredentials(), Init_Client(), Load_Client(), Load_Server(), and XrdSecProtocolsssObject().


◆ getCredentials()

XrdSecCredentials * XrdSecProtocolsss::getCredentials ( XrdSecParameters * parm = 0,
XrdOucErrInfo * einfo = 0
)
virtual

Generate client credentials to be used in the authentication process.

Parameters
parm: Pointer to the information returned by the server, either in the initial login response or in the authmore response.
einfo: The error information object where error messages should be placed. The messages are returned to the client. Should einfo be null, messages should be written to stderr.
Returns
Success: pointer to the credentials to be sent to the server; the caller is responsible for deleting the object. Failure: null pointer, with einfo (if supplied) containing the reason for the failure.

Implements XrdSecProtocol.

Definition at line 644 of file XrdSecProtocolsss.cc.

/// Build the client's credential blob for the current handshake step.
///
/// @param parms Server-supplied parameters; only consulted on a continuation
///              (Sequence != 0).
/// @param einfo Error object; its environment, when present, supplies the
///              mapped user name ("username") and our socket address ("sockname").
/// @return The encoded credentials, or null with the reason recorded in einfo.
XrdSecCredentials *XrdSecProtocolsss::getCredentials(XrdSecParameters *parms,
                                                     XrdOucErrInfo    *einfo)
{
   static const int nOpts = XrdNetUtils::oldFmt;
   XrdSecsssRR_Hdr2 rrHdr;
   sssRR_DataHdr rrDataHdr;
   XrdSecsssKT::ktEnt encKey;

   const char *myUD = 0, *myIP = 0;
   char ipText[64];
   int dLen;

// Pick up the mapped user name and our socket address from the error object's
// environment when it has one; otherwise format the socket's own address.
//
   if (einfo)
      {XrdOucEnv *errEnv = einfo->getEnv();
       if (errEnv)
          {if (isMapped) myUD = errEnv->Get("username");
           myIP = errEnv->Get("sockname");
           if (!myIP)
              {int fd = epAddr->SockFD();
               if (fd > 0 && XrdNetUtils::IPFormat(-fd, ipText, sizeof(ipText), nOpts))
                  myIP = ipText;
              }
          }
      }

   CLDBG("getCreds: " <<static_cast<int>(Sequence)
                      << " ud: '" <<(myUD ? myUD : "")
                      <<"' ip: '" <<(myIP ? myIP : "") <<"'");

// The data portion; a continuation step also feeds the server's parms in.
//
   if (Sequence) dLen = getCred(einfo, rrDataHdr.P, myUD, myIP, parms);
      else       dLen = getCred(einfo, rrDataHdr.P, myUD, myIP);
   if (!dLen) return nullptr;

// The encryption key comes from the keytab selected by Init_Client()
//
   if (keyTab->getKey(encKey))
      {Fatal(einfo, "getCredentials", ENOENT, "Encryption key not found.");
       return nullptr;
      }

// Fixed header: protocol ident, zeroed pad, key id in network order, crypto type
//
   strcpy(rrHdr.ProtID, XrdsssPROTOIDENT);
   memset(rrHdr.Pad, 0, sizeof(rrHdr.Pad));
   rrHdr.KeyID   = htonll(encKey.Data.ID);
   rrHdr.EncType = Crypto->Type();

// v2 servers also receive the key name, NUL-padded to the next multiple of
// eight beyond its length. strlcpy() rejects a name that does not fit.
// NOTE(review): the padding memset assumes sizeof(keyName) is a multiple of
// eight so that n never exceeds it — confirm against XrdSecsssKT::ktEnt::NameSZ.
//
   rrHdr.knSize = 0;
   if (v2EndPnt)
      {int k = strlen(encKey.Data.Name), n = (k + 8) & ~7;
       if (strlcpy(rrHdr.keyName, encKey.Data.Name, sizeof(rrHdr.keyName)) >= sizeof(rrHdr.keyName))
          {Fatal(einfo, "getCredentials", EINVAL, "Encryption key name is too long.");
           return nullptr;
          }
       if (n - k > 1) memset(rrHdr.keyName + k, 0, n - k);
       rrHdr.knSize = static_cast<uint8_t>(n);
      }

// Encrypt header plus data and hand the result back
//
   return Encode(einfo, encKey, &rrHdr, rrDataHdr.P, dLen);
}
#define XrdsssPROTOIDENT
virtual char Type()
static int IPFormat(const struct sockaddr *sAddr, char *bP, int bL, int opts=0)
Definition: XrdNetUtils.cc:584
static const int oldFmt
Definition: XrdNetUtils.hh:256
char * Get(const char *varname)
Definition: XrdOucEnv.hh:69
XrdOucEnv * getEnv()
int getKey(ktEnt &ktEql, bool andKeyID=false)
Definition: XrdSecsssKT.cc:207
Generic structure to pass security information back and forth.
char keyName[XrdSecsssKT::ktEnt::NameSZ]
Definition: XrdSecsssRR.hh:59
long long KeyID
Definition: XrdSecsssRR.hh:49

References CLDBG, XrdSecsssKT::ktEnt::Data, XrdSecsssRR_Hdr::EncType, Fatal(), XrdOucEnv::Get(), XrdOucErrInfo::getEnv(), XrdSecsssKT::getKey(), XrdSecsssKT::ktEnt::ktData::ID, XrdNetUtils::IPFormat(), XrdSecsssRR_Hdr::KeyID, XrdSecsssRR_Hdr2::keyName, XrdSecsssRR_Hdr::knSize, XrdSecsssKT::ktEnt::ktData::Name, XrdNetUtils::oldFmt, XrdSecsssRR_Hdr::Pad, XrdSecsssRR_Hdr::ProtID, XrdNetAddrInfo::SockFD(), strlcpy(), and XrdsssPROTOIDENT.


◆ Init_Client()

int XrdSecProtocolsss::Init_Client ( XrdOucErrInfo * erp,
const char *  Parms 
)

Definition at line 740 of file XrdSecProtocolsss.cc.

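/// Client-side per-instance initialization from the server's parameter string
/// "<enccode>.[+[0]]<lifetime>:<keytab>" (built by Load_Server()).
///
/// @param erp Error object; may be null (Fatal() then reports on stderr).
/// @param pP  Parameter string as received from the server (declared `Parms`).
/// @return 1 on success, 0 on failure (erp, if supplied, holds the reason).
int XrdSecProtocolsss::Init_Client(XrdOucErrInfo *erp, const char *pP)
{
   XrdSysMutexHelper initMon(&initMutex);    // serializes ktObject/Crypto setup
   XrdSecsssKT *ktP;
   struct stat buf;
   char *Colon;
   int lifeTime;

// We must have <enccode>.[+]<lifetime>:<keytab>
//
   if (!pP || !*pP) return Fatal(erp, "Init_Client", EINVAL,
                                 "Client parameters missing.");

// Get encryption object (the single character in front of the '.')
//
   if (*(pP+1) != '.') return Fatal(erp, "Init_Client", EINVAL,
                                    "Encryption type missing.");
   if (!(Crypto = Load_Crypto(erp, *pP))) return 0;
   pP += 2;

// A leading '+' marks a v2 server; "+0" additionally asks us to send
// credentials. strtol() below accepts the '+' sign itself, so pP stays put.
//
   if (*pP == '+')
      {v2EndPnt = true;
       dataOpts |= XrdSecsssEnt::addExtra;
       if (*(pP+1) == '0') dataOpts |= XrdSecsssEnt::addCreds;
      }

// The next item is the cred lifetime in seconds (Load_Server() sends minutes*60)
//
   lifeTime = strtol(pP, &Colon, 10);
   if (!lifeTime || *Colon != ':') return Fatal(erp, "Init_Client", EINVAL,
                                                "Credential lifetime missing.");
   deltaTime = lifeTime; pP = Colon+1;

// Get the correct keytab. A keytab pinned by the client environment (ktFixed,
// see Load_Client()) always wins; otherwise the absolute path named by the
// server is used when it exists locally, else the default already loaded.
//
   if (ktFixed || (ktObject && ktObject->Same(pP))) keyTab = ktObject;
      else if (*pP == '/' && !stat(pP, &buf))
              {if (!(ktP=new XrdSecsssKT(erp,pP,XrdSecsssKT::isClient,3600)))
                  return Fatal(erp, "Init_Client", ENOMEM,
                                    "Unable to create keytab object.");
               // The keytab constructor reports its own problems through erp;
               // guard erp here as Load_Client() does rather than dereference
               // a possibly null pointer.
               if (erp && erp->getErrInfo()) {delete ktP; return 0;}
               if (!ktObject) ktObject = ktP;
               keyTab = ktP;
               CLDBG("Client keytab='" <<pP <<"'");
              }
      else keyTab = ktObject;

   if (!keyTab)
      return Fatal(erp, "Init_Client", ENOENT,
                        "Unable to determine keytab location.");

// All done
//
   return 1;
}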
int stat(const char *path, struct stat *buf)
static const int addExtra
Add v2 data.
Definition: XrdSecsssEnt.hh:77
static const int addCreds
Add v2 data plus creds.
Definition: XrdSecsssEnt.hh:78
int Same(const char *path)
Definition: XrdSecsssKT.hh:109

References XrdSecsssEnt::addCreds, XrdSecsssEnt::addExtra, CLDBG, Fatal(), XrdOucErrInfo::getErrInfo(), XrdSecsssKT::isClient, XrdSecsssKT::Same(), and stat().

Referenced by XrdSecProtocolsssObject().


◆ Init_Server()

int XrdSecProtocolsss::Init_Server ( XrdOucErrInfo * erp,
const char *  Parms 
)

Definition at line 801 of file XrdSecProtocolsss.cc.

/// Server-side per-instance initialization: nothing to negotiate, the instance
/// simply adopts the server-wide keytab and crypto objects that Load_Server()
/// created once (ktObject, CryptObj). Delete() knows not to destroy these.
///
/// @param erp   Unused on the server side.
/// @param Parms Unused on the server side.
/// @return Always 1 (success).
int XrdSecProtocolsss::Init_Server(XrdOucErrInfo *erp, const char *Parms)
{
   keyTab = ktObject;
   Crypto = CryptObj;
   return 1;
}

Referenced by XrdSecProtocolsssObject().


◆ Load_Client()

char * XrdSecProtocolsss::Load_Client ( XrdOucErrInfo * erp,
const char *  Parms 
)
static

Definition at line 815 of file XrdSecProtocolsss.cc.

// One-time client-side setup: record our host name for the entity serializer,
// consult the sss identity registry (XrdSecsssID) to learn the mapping mode,
// and locate a keytab. The signature (XrdSecProtocolsss.cc:815) precedes this
// listing; returns "" on success and null on error.
// NOTE(review): this rendering drops source lines 820 and 833. 820 presumably
// declares `aType` (used below) and 833 is presumably the
// XrdSecsssEnt::setHostName(myName) call that the comment above it announces
// (the References list names setHostName) — confirm against the source.
816 {
817  static const char *KTPath = XrdSecsssKT::genFN();
818  static const int rfrHR = 60*60;
819  struct stat buf;
821  const char *kP = 0;
822  char *myName;
823 
824 // Get our full host name
825 //
826  if (!(myName = XrdNetUtils::MyHostName(0)))
827  {Fatal(erp, "Load_Client", ENOENT, "Unable to obtain local hostname.");
828  return (char *)0;
829  }
830 
831 // Tell the entity serialization object who we are
832 //
834  free(myName);
835 
836 // Check for the presence of a registry object
837 //
// The registry type decides whether credentials are mutual (isMutual) and
// whether user names are mapped (isMapped); idMap is kept only for the
// dynamic and mapped modes.
838  idMap = XrdSecsssID::getObj(aType, staticID);
839  switch(aType)
840  {case XrdSecsssID::idDynamic: isMutual = true; break;
841  case XrdSecsssID::idStaticM: isMutual = true;
842  idMap = 0; break;
843  case XrdSecsssID::idStatic: idMap = 0; break;
844  case XrdSecsssID::idMapped: isMapped = true; break;
845  case XrdSecsssID::idMappedM: isMapped = true; break;
846  default: idMap = 0; break;
847  }
848 
849 // We want to establish the default location of the keytable. First check
850 // the environment passed from the client then the envar. We support two
851 // version of the envar for backward compatibility due to an early mistake.
852 //
// Precedence: "xrd.sss" in the caller's environment, then the XrdSecSSSKT /
// XrdSecsssKT envars (only if that file exists), then the default path from
// genFN(). The first two set ktFixed, which makes Init_Client() ignore the
// keytab path named by the server. With neither set and no default file,
// Init_Client() opens the absolute path the server supplies if it exists
// locally — pin the keytab through the envar where that is not intended.
853  if( erp && erp->getEnv() && ( kP = erp->getEnv()->Get( "xrd.sss" ) ) )
854  ktFixed = true;
855  else if ( ( (kP = getenv("XrdSecSSSKT")) || (kP = getenv("XrdSecsssKT")) )
856  && *kP && !stat(kP, &buf))
857  ktFixed = true;
858  else kP = 0;
859 
860  if (!kP && !stat(KTPath, &buf)) kP = KTPath;
861 
862 // Build the keytable if we actual have a path (if none, then the server
863 // will have to supply the path)
864 //
// The keytab constructor reports its own problems through erp (checked after
// construction); rfrHR is the refresh interval handed to it.
865  if (kP)
866  {if (!(ktObject=new XrdSecsssKT(erp,kP,XrdSecsssKT::isClient,rfrHR)))
867  {Fatal(erp, "Load_Client", ENOMEM, "Unable to create keytab object.");
868  return (char *)0;
869  }
870  if (erp && erp->getErrInfo())
871  {delete ktObject, ktObject = 0; return (char *)0;}
872  CLDBG("Client keytab='" <<kP <<"'");
873  }
874 
875 // All done
876 //
877  return (char *)"";
878 }
static char * MyHostName(const char *eName="*unknown*", const char **eText=0)
Definition: XrdNetUtils.cc:667
static void setHostName(const char *hnP)
static char * genFN()
Definition: XrdSecsssKT.cc:249

References CLDBG, Fatal(), XrdSecsssKT::genFN(), XrdOucEnv::Get(), XrdOucErrInfo::getEnv(), XrdOucErrInfo::getErrInfo(), XrdSecsssID::idDynamic, XrdSecsssID::idMapped, XrdSecsssID::idMappedM, XrdSecsssID::idStatic, XrdSecsssID::idStaticM, XrdSecsssKT::isClient, XrdNetUtils::MyHostName(), XrdSecsssEnt::setHostName(), and stat().

Referenced by XrdSecProtocolsssInit().


◆ Load_Server()

char * XrdSecProtocolsss::Load_Server ( XrdOucErrInfo * erp,
const char *  Parms 
)
static

Definition at line 948 of file XrdSecProtocolsss.cc.

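// True when op is either spelling (short or long) of a configuration option.
static bool sssOptIs(const char *op, const char *shortOpt, const char *longOpt)
{
   return !strcmp(shortOpt, op) || !strcmp(longOpt, op);
}

/// Server-side one-time initialization of the sss protocol.
///
/// Parses the plugin's configuration parameters, loads the crypto object and
/// the single server keytab (CryptObj/ktObject, later adopted by every
/// instance in Init_Server()) and builds the parameter string sent to clients.
///
/// @param erp   Error object; may be null (Fatal() then reports on stderr).
/// @param parms Configuration string (declared `Parms`), e.g.
///              "-s /path/to/server.keytab -l 60".
/// @return strdup()'d client parameter string "<enccode>.+[0]<lifetime>:<ckt>",
///         or null on error with the reason recorded through Fatal().
char *XrdSecProtocolsss::Load_Server(XrdOucErrInfo *erp, const char *parms)
{
   const char *msg = 0;
   const char *encName = "bf32", *ktClient = "", *ktServer = 0;
   char buff[2048], parmbuff[2048], *op, *od, *eP;
   int lifeTime = 13, rfrTime = 60*60;
   XrdOucTokenizer inParms(parmbuff);
   const char *ask4Creds = "";

// Duplicate the parms into the tokenizer's buffer (strlcpy truncates safely)
//
   if (parms) strlcpy(parmbuff, parms, sizeof(parmbuff));

// Expected parameters: [{-c | --clientkt} <ckt_path>]
//                      [{-e | --encrypt} <enctype>]
//                      [{-g | --getcreds}]
//                      [{-k | --keyname}]
//                      [{-l | --lifetime} <minutes>]   (the value is multiplied
//                                                       by 60; the usage text
//                                                       used to say <seconds>)
//                      [{-p | --proxy} <prots>]
//                      [{-r | --refresh} <minutes>]
//                      [{-s | --serverkt} <skt_path>]
// The misspelt forms "--rfresh" and "-serverkt" that earlier versions accepted
// are still honoured. Messages built from op use snprintf: op can be as long
// as parmbuff, and buff is the same size.
//
   if (parms && inParms.GetLine())
      while((op = inParms.GetToken()))
           {if (sssOptIs(op, "-k", "--keyname"))
               {sssUseKN = true;
                continue;
               }
            if (sssOptIs(op, "-g", "--getcreds"))
               {ask4Creds = "0";
                continue;
               }
            if (!(od = inParms.GetToken()))
               {snprintf(buff, sizeof(buff),
                         "Secsss: Missing %s parameter argument", op);
                msg = buff; break;
               }
            if (sssOptIs(op, "-c", "--clientkt"))
               ktClient = od;
       else if (sssOptIs(op, "-e", "--encrypt"))
               encName = od;
       else if (sssOptIs(op, "-l", "--lifetime"))
               {errno = 0;          // strtol() sets errno but never clears it
                lifeTime = strtol(od, &eP, 10) * 60;
                if (errno || *eP || lifeTime < 1)
                   {msg = "Secsss: Invalid life time"; break;}
               }
       else if (sssOptIs(op, "-p", "--proxy"))
               {int n = strlen(od) + 2;
                free(aProts);       // a repeated -p replaces the earlier list
                aProts = (char *)malloc(n);
                if (!aProts)
                   {msg = "Secsss: Unable to allocate proxy list"; break;}
                *aProts = ':';
                strcpy(aProts+1, od);
               }
       else if (sssOptIs(op, "-r", "--refresh") || !strcmp("--rfresh", op))
               {errno = 0;
                rfrTime = strtol(od, &eP, 10) * 60;
                if (errno || *eP || rfrTime < 600)
                   {msg = "Secsss: Invalid refresh time"; break;}
               }
       else if (sssOptIs(op, "-s", "--serverkt") || !strcmp("-serverkt", op))
               ktServer = od;
       else {snprintf(buff, sizeof(buff), "Secsss: Invalid parameter - %s", op);
             msg = buff; break;
            }
           }

// Check for errors
//
   if (msg) {Fatal(erp, "Load_Server", EINVAL, msg); return (char *)0;}

// Load the right crypto object
//
   if (!(CryptObj = Load_Crypto(erp, encName))) return (char *)0;

// Supply default keytab location if not specified
//
   if (!ktServer) ktServer = XrdSecsssKT::genFN();

// Set the delta time used to expire credentials (seconds)
//
   deltaTime = lifeTime;

// Create a keytab object (only one for the server). Its constructor reports
// problems through erp, which may be null here.
//
   if (!(ktObject = new XrdSecsssKT(erp, ktServer, XrdSecsssKT::isServer,
                                    rfrTime)))
      {Fatal(erp, "Load_Server", ENOMEM, "Unable to create keytab object.");
       return (char *)0;
      }
   if (erp && erp->getErrInfo()) return (char *)0;
   ktFixed = true;
   CLDBG("Server keytab='" <<ktServer <<"'");

// Construct client parameter <enccode>.+<lifetime>:<keytab>
// Note: The plus preceding the <lifetime> indicates that we are a V2 server.
// V1 clients will simply ignore this and treat us as a V1 server. With -g the
// "0" inserted after the plus asks v2 clients to send their credentials.
// ktClient comes from the configuration and may be long, hence snprintf.
//
   snprintf(buff, sizeof(buff), "%c.+%s%d:%s",
            CryptObj->Type(), ask4Creds, lifeTime, ktClient);
   CLDBG("client parms='" <<buff <<"'");
   return strdup(buff);
}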

References CLDBG, Fatal(), XrdSecsssKT::genFN(), XrdOucErrInfo::getErrInfo(), XrdOucTokenizer::GetLine(), XrdOucTokenizer::GetToken(), XrdSecsssKT::isServer, strlcpy(), and XrdCryptoLite::Type().

Referenced by XrdSecProtocolsssInit().


Friends And Related Function Documentation

◆ XrdSecProtocolDummy

friend class XrdSecProtocolDummy
friend

Definition at line 47 of file XrdSecProtocolsss.hh.


The documentation for this class was generated from the following files: