00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022
00023
00024
00025
00026
00027
00028 #include <time.h>
00029
00030 #include "XrdNet/XrdNetAddrInfo.hh"
00031
00032 #include "XrdOuc/XrdOucErrInfo.hh"
00033 #include "XrdOuc/XrdOucGMap.hh"
00034 #include "XrdOuc/XrdOucHash.hh"
00035 #include "XrdOuc/XrdOucString.hh"
00036 #include "XrdOuc/XrdOucTokenizer.hh"
00037
00038 #include "XrdSys/XrdSysPthread.hh"
00039
00040 #include "XrdSec/XrdSecInterface.hh"
00041 #include "XrdSecgsi/XrdSecgsiTrace.hh"
00042
00043 #include "XrdSut/XrdSutCache.hh"
00044
00045 #include "XrdSut/XrdSutPFEntry.hh"
00046 #include "XrdSut/XrdSutPFile.hh"
00047 #include "XrdSut/XrdSutBuffer.hh"
00048 #include "XrdSut/XrdSutRndm.hh"
00049
00050 #include "XrdCrypto/XrdCryptoAux.hh"
00051 #include "XrdCrypto/XrdCryptoCipher.hh"
00052 #include "XrdCrypto/XrdCryptoFactory.hh"
00053 #include "XrdCrypto/XrdCryptoX509Crl.hh"
00054
00055 #include "XrdCrypto/XrdCryptogsiX509Chain.hh"
00056
00057
00058
00059
00060
00061 typedef XrdOucString String;
00062 typedef XrdCryptogsiX509Chain X509Chain;
00063
00064 #define XrdSecPROTOIDENT "gsi"
00065 #define XrdSecPROTOIDLEN sizeof(XrdSecPROTOIDENT)
00066 #define XrdSecgsiVERSION 10400
00067 #define XrdSecNOIPCHK 0x0001
00068 #define XrdSecDEBUG 0x1000
00069 #define XrdCryptoMax 10
00070
00071 #define kMAXBUFLEN 1024
00072
00073
00074 #define XrdSecgsiVersDHsigned 10400 // Version at which started signing
00075
00076
00077
00078
00079 enum kgsiStatus {
00080 kgST_error = -1,
00081 kgST_ok = 0,
00082 kgST_more = 1
00083 };
00084
00085
00086 enum kgsiClientSteps {
00087 kXGC_none = 0,
00088 kXGC_certreq = 1000,
00089 kXGC_cert,
00090 kXGC_sigpxy,
00091 kXGC_reserved
00092 };
00093
00094
00095 enum kgsiServerSteps {
00096 kXGS_none = 0,
00097 kXGS_init = 2000,
00098 kXGS_cert,
00099 kXGS_pxyreq,
00100 kXGS_reserved
00101 };
00102
00103
00104 enum kgsiHandshakeOpts {
00105 kOptsDlgPxy = 1,
00106 kOptsFwdPxy = 2,
00107 kOptsSigReq = 4,
00108 kOptsSrvReq = 8,
00109 kOptsPxFile = 16,
00110 kOptsDelChn = 32,
00111 kOptsPxCred = 64
00112 };
00113
00114
00115 enum kgsiErrors {
00116 kGSErrParseBuffer = 10000,
00117 kGSErrDecodeBuffer,
00118 kGSErrLoadCrypto,
00119 kGSErrBadProtocol,
00120 kGSErrCreateBucket,
00121 kGSErrDuplicateBucket,
00122 kGSErrCreateBuffer,
00123 kGSErrSerialBuffer,
00124 kGSErrGenCipher,
00125 kGSErrExportPuK,
00126 kGSErrEncRndmTag,
00127 kGSErrBadRndmTag,
00128 kGSErrNoRndmTag,
00129 kGSErrNoCipher,
00130 kGSErrNoCreds,
00131 kGSErrBadOpt,
00132 kGSErrMarshal,
00133 kGSErrUnmarshal,
00134 kGSErrSaveCreds,
00135 kGSErrNoBuffer,
00136 kGSErrRefCipher,
00137 kGSErrNoPublic,
00138 kGSErrAddBucket,
00139 kGSErrFinCipher,
00140 kGSErrInit,
00141 kGSErrBadCreds,
00142 kGSErrError
00143 };
00144
00145 #define REL1(x) { if (x) delete x; }
00146 #define REL2(x,y) { if (x) delete x; if (y) delete y; }
00147 #define REL3(x,y,z) { if (x) delete x; if (y) delete y; if (z) delete z; }
00148
00149 #define SafeDelete(x) { if (x) {delete x ; x = 0;} }
00150 #define SafeDelArray(x) { if (x) {delete [] x ; x = 0;} }
00151 #define SafeFree(x) { if (x) {free(x) ; x = 0;} }
00152
00153
00154 typedef char *(*XrdSecgsiGMAP_t)(const char *, int);
00155 typedef int (*XrdSecgsiAuthz_t)(XrdSecEntity &);
00156 typedef int (*XrdSecgsiAuthzInit_t)(const char *);
00157 typedef int (*XrdSecgsiAuthzKey_t)(XrdSecEntity &, char **);
00158
00159 typedef XrdSecgsiAuthz_t XrdSecgsiVOMS_t;
00160 typedef XrdSecgsiAuthzInit_t XrdSecgsiVOMSInit_t;
00161
00162
00163
00164 class XrdOucGMap;
00165 class XrdOucTrace;
00166 class gsiOptions {
00167 public:
00168 short debug;
00169 char mode;
00170 char *clist;
00171 char *certdir;
00172 char *crldir;
00173 char *crlext;
00174 char *cert;
00175
00176 char *key;
00177
00178 char *cipher;
00179 char *md;
00180 int crl;
00181 int ca;
00182 int crlrefresh;
00183 char *proxy;
00184 char *valid;
00185 int deplen;
00186 int bits;
00187 char *gridmap;
00188 int gmapto;
00189 char *gmapfun;
00190 char *gmapfunparms;
00191 char *authzfun;
00192 char *authzfunparms;
00193 int authzcall;
00194 int authzto;
00195 int ogmap;
00196 int dlgpxy;
00197
00198 int sigpxy;
00199 char *srvnames;
00200 char *exppxy;
00201 int authzpxy;
00202
00203 int vomsat;
00204 char *vomsfun;
00205 char *vomsfunparms;
00206 int moninfo;
00207 int hashcomp;
00208
00209 bool trustdns;
00210
00211 gsiOptions() { debug = -1; mode = 's'; clist = 0;
00212 certdir = 0; crldir = 0; crlext = 0; cert = 0; key = 0;
00213 cipher = 0; md = 0; ca = 1 ; crl = 1; crlrefresh = 86400;
00214 proxy = 0; valid = 0; deplen = 0; bits = 512;
00215 gridmap = 0; gmapto = 600;
00216 gmapfun = 0; gmapfunparms = 0; authzfun = 0; authzfunparms = 0;
00217 authzto = -1; authzcall = 1;
00218 ogmap = 1; dlgpxy = 0; sigpxy = 1; srvnames = 0;
00219 exppxy = 0; authzpxy = 0;
00220 vomsat = 1; vomsfun = 0; vomsfunparms = 0; moninfo = 0;
00221 hashcomp = 1; trustdns = true;}
00222 virtual ~gsiOptions() { }
00223 void Print(XrdOucTrace *t);
00224 };
00225
00226 class XrdSecProtocolgsi;
00227 class gsiHSVars;
00228
00229
00230 typedef struct {
00231 X509Chain *chain;
00232 XrdCryptoRSA *ksig;
00233 XrdSutBucket *cbck;
00234 } ProxyOut_t;
00235
00236
00237 typedef struct {
00238 const char *cert;
00239 const char *key;
00240 const char *certdir;
00241 const char *out;
00242 const char *valid;
00243 int deplen;
00244 int bits;
00245 } ProxyIn_t;
00246
00247 template<class T>
00248 class GSIStack {
00249 public:
00250 void Add(T *t) {
00251 char k[40]; snprintf(k, 40, "%p", t);
00252 mtx.Lock();
00253 if (!stack.Find(k)) stack.Add(k, t, 0, Hash_count);
00254 stack.Add(k, t, 0, Hash_count);
00255 mtx.UnLock();
00256 }
00257 void Del(T *t) {
00258 char k[40]; snprintf(k, 40, "%p", t);
00259 mtx.Lock();
00260 if (stack.Find(k)) stack.Del(k, Hash_count);
00261 mtx.UnLock();
00262 }
00263 private:
00264 XrdSysMutex mtx;
00265 XrdOucHash<T> stack;
00266 };
00267
00268
00269
00270
00271
00272 class XrdSecProtocolgsi : public XrdSecProtocol
00273 {
00274 friend class gsiOptions;
00275 friend class gsiHSVars;
00276 public:
00277 int Authenticate (XrdSecCredentials *cred,
00278 XrdSecParameters **parms,
00279 XrdOucErrInfo *einfo=0);
00280
00281 XrdSecCredentials *getCredentials(XrdSecParameters *parm=0,
00282 XrdOucErrInfo *einfo=0);
00283
00284 XrdSecProtocolgsi(int opts, const char *hname, XrdNetAddrInfo &endPoint,
00285 const char *parms = 0);
00286 virtual ~XrdSecProtocolgsi() {}
00287
00288
00289 static char *Init(gsiOptions o, XrdOucErrInfo *erp);
00290
00291 void Delete();
00292
00293
00294 int Encrypt(const char *inbuf, int inlen,
00295 XrdSecBuffer **outbuf);
00296 int Decrypt(const char *inbuf, int inlen,
00297 XrdSecBuffer **outbuf);
00298
00299 int Sign(const char *inbuf, int inlen,
00300 XrdSecBuffer **outbuf);
00301 int Verify(const char *inbuf, int inlen,
00302 const char *sigbuf, int siglen);
00303
00304
00305 int getKey(char *kbuf=0, int klen=0);
00306
00307 int setKey(char *kbuf, int klen);
00308
00309
00310 static XrdOucTrace *EnableTracing();
00311
00312 private:
00313 XrdNetAddrInfo epAddr;
00314
00315
00316 static XrdSysMutex gsiContext;
00317 static String CAdir;
00318 static String CRLdir;
00319 static String DefCRLext;
00320 static String SrvCert;
00321 static String SrvKey;
00322 static String UsrProxy;
00323 static String UsrCert;
00324 static String UsrKey;
00325 static String PxyValid;
00326 static int DepLength;
00327 static int DefBits;
00328 static int CACheck;
00329 static int CRLCheck;
00330 static int CRLDownload;
00331 static int CRLRefresh;
00332 static String DefCrypto;
00333 static String DefCipher;
00334 static String DefMD;
00335 static String DefError;
00336 static String GMAPFile;
00337 static int GMAPOpt;
00338 static bool GMAPuseDNname;
00339 static int GMAPCacheTimeOut;
00340 static XrdSecgsiGMAP_t GMAPFun;
00341 static XrdSecgsiAuthz_t AuthzFun;
00342 static XrdSecgsiAuthzKey_t AuthzKey;
00343 static int AuthzCertFmt;
00344 static int AuthzCacheTimeOut;
00345 static int PxyReqOpts;
00346 static int AuthzPxyWhat;
00347 static int AuthzPxyWhere;
00348 static int AuthzAlways;
00349 static String SrvAllowedNames;
00350 static int VOMSAttrOpt;
00351 static XrdSecgsiVOMS_t VOMSFun;
00352 static int VOMSCertFmt;
00353 static int MonInfoOpt;
00354 static bool HashCompatibility;
00355 static bool TrustDNS;
00356
00357
00358 static int ncrypt;
00359 static XrdCryptoFactory *cryptF[XrdCryptoMax];
00360 static int cryptID[XrdCryptoMax];
00361 static String cryptName[XrdCryptoMax];
00362 static XrdCryptoCipher *refcip[XrdCryptoMax];
00363
00364
00365 static XrdSutCache cacheCA;
00366 static XrdSutCache cacheCert;
00367 static XrdSutCache cachePxy;
00368 static XrdSutCache cacheGMAPFun;
00369 static XrdSutCache cacheAuthzFun;
00370
00371
00372 static XrdOucGMap *servGMap;
00373
00374
00375 static GSIStack<XrdCryptoX509Chain> stackCA;
00376 static GSIStack<XrdCryptoX509Crl> stackCRL;
00377
00378
00379 static time_t lastGMAPCheck;
00380 static XrdSysMutex mutexGMAP;
00381
00382
00383 static int Debug;
00384 static bool Server;
00385 static int TimeSkew;
00386
00387
00388 static XrdSysLogger Logger;
00389 static XrdSysError eDest;
00390 static XrdOucTrace *GSITrace;
00391
00392
00393 int options;
00394 XrdCryptoFactory *sessionCF;
00395 XrdCryptoCipher *sessionKey;
00396 XrdSutBucket *bucketKey;
00397 XrdCryptoMsgDigest *sessionMD;
00398 XrdCryptoRSA *sessionKsig;
00399 XrdCryptoRSA *sessionKver;
00400 X509Chain *proxyChain;
00401 bool srvMode;
00402 char *expectedHost;
00403 bool useIV;
00404
00405
00406 gsiHSVars *hs;
00407
00408
00409 int ParseClientInput(XrdSutBuffer *br, XrdSutBuffer **bm,
00410 String &emsg);
00411 int ClientDoInit(XrdSutBuffer *br, XrdSutBuffer **bm,
00412 String &cmsg);
00413 int ClientDoCert(XrdSutBuffer *br, XrdSutBuffer **bm,
00414 String &cmsg);
00415 int ClientDoPxyreq(XrdSutBuffer *br, XrdSutBuffer **bm,
00416 String &cmsg);
00417
00418
00419 int ParseServerInput(XrdSutBuffer *br, XrdSutBuffer **bm,
00420 String &cmsg);
00421 int ServerDoCertreq(XrdSutBuffer *br, XrdSutBuffer **bm,
00422 String &cmsg);
00423 int ServerDoCert(XrdSutBuffer *br, XrdSutBuffer **bm,
00424 String &cmsg);
00425 int ServerDoSigpxy(XrdSutBuffer *br, XrdSutBuffer **bm,
00426 String &cmsg);
00427
00428
00429 int ParseCrypto(String cryptlist);
00430 int ParseCAlist(String calist);
00431
00432
00433 static int GetCA(const char *cahash,
00434 XrdCryptoFactory *cryptof, gsiHSVars *hs = 0);
00435 static String GetCApath(const char *cahash);
00436 static bool VerifyCA(int opt, X509Chain *cca, XrdCryptoFactory *cf);
00437 static int VerifyCRL(XrdCryptoX509Crl *crl, XrdCryptoX509 *xca, XrdOucString crldir,
00438 XrdCryptoFactory *CF, int hashalg);
00439 bool ServerCertNameOK(const char *subject, const char *hname, String &e);
00440 static XrdSutCacheEntry *GetSrvCertEnt(XrdSutCERef &gcref,
00441 XrdCryptoFactory *cf,
00442 time_t timestamp, String &cal);
00443
00444
00445 static XrdCryptoX509Crl *LoadCRL(XrdCryptoX509 *xca, const char *sjhash,
00446 XrdCryptoFactory *CF, int dwld, int &err);
00447
00448
00449 static int QueryProxy(bool checkcache, XrdSutCache *cache, const char *tag,
00450 XrdCryptoFactory *cf, time_t timestamp,
00451 ProxyIn_t *pi, ProxyOut_t *po);
00452 static int InitProxy(ProxyIn_t *pi, XrdCryptoFactory *cf,
00453 X509Chain *ch = 0, XrdCryptoRSA **key = 0);
00454
00455
00456 static void ErrF(XrdOucErrInfo *einfo, kXR_int32 ecode,
00457 const char *msg1, const char *msg2 = 0,
00458 const char *msg3 = 0);
00459 XrdSecCredentials *ErrC(XrdOucErrInfo *einfo, XrdSutBuffer *b1,
00460 XrdSutBuffer *b2,XrdSutBuffer *b3,
00461 kXR_int32 ecode, const char *msg1 = 0,
00462 const char *msg2 = 0, const char *msg3 = 0);
00463 int ErrS(String ID, XrdOucErrInfo *einfo, XrdSutBuffer *b1,
00464 XrdSutBuffer *b2, XrdSutBuffer *b3,
00465 kXR_int32 ecode, const char *msg1 = 0,
00466 const char *msg2 = 0, const char *msg3 = 0);
00467
00468
00469 bool CheckTimeStamp(XrdSutBuffer *b, int skew, String &emsg);
00470
00471
00472 bool CheckRtag(XrdSutBuffer *bm, String &emsg);
00473
00474
00475 int AddSerialized(char opt, kXR_int32 step, String ID,
00476 XrdSutBuffer *bls, XrdSutBuffer *buf,
00477 kXR_int32 type, XrdCryptoCipher *cip);
00478
00479 static XrdSecgsiGMAP_t
00480 LoadGMAPFun(const char *plugin, const char *parms);
00481 static XrdSecgsiAuthz_t
00482 LoadAuthzFun(const char *plugin, const char *parms, int &fmt);
00483 static XrdSecgsiVOMS_t
00484 LoadVOMSFun(const char *plugin, const char *parms, int &fmt);
00485 static void QueryGMAP(XrdCryptoX509Chain* chain, int now, String &name);
00486
00487
00488 void CopyEntity(XrdSecEntity *in, XrdSecEntity *out, int *lout = 0);
00489 void FreeEntity(XrdSecEntity *in);
00490 };
00491
00492 class gsiHSVars {
00493 public:
00494 int Iter;
00495 time_t TimeStamp;
00496 String CryptoMod;
00497 int RemVers;
00498 XrdCryptoCipher *Rcip;
00499 bool HasPad;
00500 XrdSutBucket *Cbck;
00501 String ID;
00502 XrdSutPFEntry *Cref;
00503 XrdSutPFEntry *Pent;
00504 X509Chain *Chain;
00505 XrdCryptoX509Crl *Crl;
00506 X509Chain *PxyChain;
00507 bool RtagOK;
00508 bool Tty;
00509 int LastStep;
00510 int Options;
00511 int HashAlg;
00512 XrdSutBuffer *Parms;
00513
00514 gsiHSVars() { Iter = 0; TimeStamp = -1; CryptoMod = "";
00515 RemVers = -1; Rcip = 0; HasPad = 0;
00516 Cbck = 0;
00517 ID = ""; Cref = 0; Pent = 0; Chain = 0; Crl = 0; PxyChain = 0;
00518 RtagOK = 0; Tty = 0; LastStep = 0; Options = 0; HashAlg = 0; Parms = 0;}
00519
00520 ~gsiHSVars() { SafeDelete(Cref);
00521 if (Options & kOptsDelChn) {
00522
00523 if (Chain) Chain->Cleanup(1);
00524 SafeDelete(Chain);
00525 }
00526 if (Crl) {
00527
00528
00529 XrdSecProtocolgsi::stackCRL.Del(Crl);
00530 Crl = 0;
00531 }
00532
00533
00534 PxyChain = 0;
00535 SafeDelete(Parms); }
00536 void Dump(XrdSecProtocolgsi *p = 0);
00537 };