xrootd
XrdSecProtocolgsi.hh
Go to the documentation of this file.
1 // $Id$
2 /******************************************************************************/
3 /* */
4 /* X r d S e c P r o t o c o l g s i . h h */
5 /* */
6 /* (c) 2005 G. Ganis / CERN */
7 /* */
8 /******************************************************************************/
9 
10 #include "XrdOuc/XrdOucErrInfo.hh"
11 #include "XrdSys/XrdSysPthread.hh"
12 #include "XrdOuc/XrdOucString.hh"
13 #include "XrdOuc/XrdOucTokenizer.hh"
14 
15 #include "XrdSec/XrdSecInterface.hh"
16 #include "XrdSecgsi/XrdSecgsiTrace.hh"
17 
18 #include "XrdSut/XrdSutPFEntry.hh"
19 #include "XrdSut/XrdSutPFile.hh"
20 #include "XrdSut/XrdSutBuffer.hh"
21 #include "XrdSut/XrdSutRndm.hh"
22 
23 #include "XrdCrypto/XrdCryptoAux.hh"
24 #include "XrdCrypto/XrdCryptoCipher.hh"
25 #include "XrdCrypto/XrdCryptoFactory.hh"
26 #include "XrdCrypto/XrdCryptoX509Crl.hh"
27 
28 #include "XrdCrypto/XrdCryptosslgsiX509Chain.hh"
29 
30 /******************************************************************************/
31 /* D e f i n e s */
32 /******************************************************************************/
33 
34 typedef XrdOucString String;
35 typedef XrdCryptosslgsiX509Chain X509Chain;
36 
37 #define XrdSecPROTOIDENT "gsi"
38 #define XrdSecPROTOIDLEN sizeof(XrdSecPROTOIDENT)
39 #define XrdSecgsiVERSION 10300
40 #define XrdSecNOIPCHK 0x0001
41 #define XrdSecDEBUG 0x1000
42 #define XrdCryptoMax 10
43 
44 #define kMAXBUFLEN 1024
45 
46 //
47 // Message codes either returned by server or included in buffers
48 enum kgsiStatus {
49  kgST_error = -1, // error occured
50  kgST_ok = 0, // ok
51  kgST_more = 1 // need more info
52 };
53 
54 // Client steps
55 enum kgsiClientSteps {
56  kXGC_none = 0,
57  kXGC_certreq = 1000, // 1000: request server certificate
58  kXGC_cert, // 1001: packet with (proxy) certificate
59  kXGC_sigpxy, // 1002: packet with signed proxy certificate
60  kXGC_reserved //
61 };
62 
63 // Server steps
64 enum kgsiServerSteps {
65  kXGS_none = 0,
66  kXGS_init = 2000, // 2000: fake code used the first time
67  kXGS_cert, // 2001: packet with certificate
68  kXGS_pxyreq, // 2002: packet with proxy req to be signed
69  kXGS_reserved //
70 };
71 
72 // Handshake options
73 enum kgsiHandshakeOpts {
74  kOptsDlgPxy = 1, // 0x0001: Ask for a delegated proxy
75  kOptsFwdPxy = 2, // 0x0002: Forward local proxy
76  kOptsSigReq = 4, // 0x0004: Accept to sign delegated proxy
77  kOptsSrvReq = 8, // 0x0008: Server request for delegated proxy
78  kOptsPxFile = 16, // 0x0010: Save delegated proxies in file
79  kOptsDelChn = 32 // 0x0020: Delete chain
80 };
81 
82 // Error codes
83 enum kgsiErrors {
84  kGSErrParseBuffer = 10000, // 10000
85  kGSErrDecodeBuffer, // 10001
86  kGSErrLoadCrypto, // 10002
87  kGSErrBadProtocol, // 10003
88  kGSErrCreateBucket, // 10004
89  kGSErrDuplicateBucket, // 10005
90  kGSErrCreateBuffer, // 10006
91  kGSErrSerialBuffer, // 10007
92  kGSErrGenCipher, // 10008
93  kGSErrExportPuK, // 10009
94  kGSErrEncRndmTag, // 10010
95  kGSErrBadRndmTag, // 10011
96  kGSErrNoRndmTag, // 10012
97  kGSErrNoCipher, // 10013
98  kGSErrNoCreds, // 10014
99  kGSErrBadOpt, // 10015
100  kGSErrMarshal, // 10016
101  kGSErrUnmarshal, // 10017
102  kGSErrSaveCreds, // 10018
103  kGSErrNoBuffer, // 10019
104  kGSErrRefCipher, // 10020
105  kGSErrNoPublic, // 10021
106  kGSErrAddBucket, // 10022
107  kGSErrFinCipher, // 10023
108  kGSErrInit, // 10024
109  kGSErrBadCreds, // 10025
110  kGSErrError // 10026
111 };
112 
113 #define REL1(x) { if (x) delete x; }
114 #define REL2(x,y) { if (x) delete x; if (y) delete y; }
115 #define REL3(x,y,z) { if (x) delete x; if (y) delete y; if (z) delete z; }
116 
117 #define SafeDelete(x) { if (x) delete x ; x = 0; }
118 #define SafeDelArray(x) { if (x) delete [] x ; x = 0; }
119 #define SafeFree(x) { if (x) free(x) ; x = 0; }
120 
121 // External functions for generic mapping
122 typedef char *(*XrdSecgsiGMAP_t)(const char *, int);
123 typedef int (*XrdSecgsiAuthz_t)(XrdSecEntity &);
124 typedef int (*XrdSecgsiAuthzInit_t)(const char *);
125 typedef int (*XrdSecgsiAuthzKey_t)(XrdSecEntity &, char **);
126 
127 //
128 // This a small class to set the relevant options in one go
129 //
130 class XrdOucTrace;
131 class gsiOptions {
132 public:
133  short debug; // [cs] debug flag
134  char mode; // [cs] 'c' or 's'
135  char *clist; // [s] list of crypto modules ["ssl" ]
136  char *certdir;// [cs] dir with CA info [/etc/grid-security/certificates]
137  char *crldir; // [cs] dir with CRL info [/etc/grid-security/certificates]
138  char *crlext; // [cs] extension of CRL files [.r0]
139  char *cert; // [s] server certificate [/etc/grid-security/root/rootcert.pem]
140  // [c] user certificate [$HOME/.globus/usercert.pem]
141  char *key; // [s] server private key [/etc/grid-security/root/rootkey.pem]
142  // [c] user private key [$HOME/.globus/userkey.pem]
143  char *cipher; // [s] list of ciphers [aes-128-cbc:bf-cbc:des-ede3-cbc]
144  char *md; // [s] list of MDs [sha1:md5]
145  int crl; // [cs] check level of CRL's [1]
146  int ca; // [cs] verification level of CA's [1]
147  int crlrefresh; // [cs] CRL refresh or expiration period in secs [1 day]
148  char *proxy; // [c] user proxy [/tmp/x509up_u<uid>]
149  char *valid; // [c] proxy validity [12:00]
150  int deplen; // [c] depth of signature path for proxies [0]
151  int bits; // [c] bits in PKI for proxies [512]
152  char *gridmap;// [s] gridmap file [/etc/grid-security/gridmap]
153  int gmapto; // [s] validity in secs of grid-map cache entries [-1 => unlimited]
154  char *gmapfun;// [s] file with the function to map DN to usernames [0]
155  char *gmapfunparms;// [s] parameters for the function to map DN to usernames [0]
156  char *authzfun;// [s] file with the function to fill entities [0]
157  char *authzfunparms;// [s] parameters for the function to fill entities [0]
158  int authzto; // [s] validity in secs of authz cache entries [-1 => unlimited]
159  int ogmap; // [s] gridmap file checking option
160  int dlgpxy; // [c] explicitely ask the creation of a delegated proxy
161  // [s] ask client for proxies
162  int sigpxy; // [c] accept delegated proxy requests
163  char *srvnames;// [c] '|' separated list of allowed server names
164  char *exppxy; // [s] template for the exported file with proxies (dlgpxy == 3)
165  int authzpxy; // [s] if 1 make proxy available in exported form in the 'endorsement'
166  // field of the XrdSecEntity object for use in XrdAcc
167  int vomsat; // [s] 0 do not look for; 1 extract if any
168  int moninfo; // [s] 0 do not look for; 1 use DN as default
169 
170  gsiOptions() { debug = -1; mode = 's'; clist = 0;
171  certdir = 0; crldir = 0; crlext = 0; cert = 0; key = 0;
172  cipher = 0; md = 0; ca = 1 ; crl = 1; crlrefresh = 86400;
173  proxy = 0; valid = 0; deplen = 0; bits = 512;
174  gridmap = 0; gmapto = -1;
175  gmapfun = 0; gmapfunparms = 0; authzfun = 0; authzfunparms = 0; authzto = -1;
176  ogmap = 1; dlgpxy = 0; sigpxy = 1; srvnames = 0;
177  exppxy = 0; authzpxy = 0; vomsat = 1; moninfo = 0;}
178  virtual ~gsiOptions() { } // Cleanup inside XrdSecProtocolgsiInit
179  void Print(XrdOucTrace *t); // Print summary of gsi option status
180 };
181 
182 class XrdSecProtocolgsi;
183 class gsiHSVars {
184 public:
185  int Iter; // iteration number
186  int TimeStamp; // Time of last call
187  String CryptoMod; // crypto module in use
188  int RemVers; // Version run by remote counterpart
189  XrdCryptoCipher *Rcip; // reference cipher
190  XrdSutBucket *Cbck; // Bucket with the certificate in export form
191  String ID; // Handshake ID (dummy for clients)
192  XrdSutPFEntry *Cref; // Cache reference
193  XrdSutPFEntry *Pent; // Pointer to relevant file entry
194  X509Chain *Chain; // Chain to be eventually verified
195  XrdCryptoX509Crl *Crl; // Pointer to CRL, if required
196  X509Chain *PxyChain; // Proxy Chain on clients
197  bool RtagOK; // Rndm tag checked / not checked
198  bool Tty; // Terminal attached / not attached
199  int LastStep; // Step required at previous iteration
200  int Options; // Handshake options;
201  XrdSutBuffer *Parms; // Buffer with server parms on first iteration
202 
203  gsiHSVars() { Iter = 0; TimeStamp = -1; CryptoMod = "";
204  RemVers = -1; Rcip = 0;
205  Cbck = 0;
206  ID = ""; Cref = 0; Pent = 0; Chain = 0; Crl = 0; PxyChain = 0;
207  RtagOK = 0; Tty = 0; LastStep = 0; Options = 0; Parms = 0;}
208 
209  ~gsiHSVars() { SafeDelete(Cref);
210  if (Options & kOptsDelChn) {
211  // Do not delete the CA certificate in the cached reference
212  if (Chain) Chain->Cleanup(1);
213  SafeDelete(Chain);
214  }
215  // The proxy chain is owned by the proxy cache; invalid proxies are
216  // detected (and eventually removed) by QueryProxy
217  PxyChain = 0;
218  SafeDelete(Parms); }
219  void Dump(XrdSecProtocolgsi *p = 0);
220 };
221 
222 // From a proxy query
223 typedef struct {
224  X509Chain *chain;
225  XrdCryptoRSA *ksig;
226  XrdSutBucket *cbck;
227 } ProxyOut_t;
228 
229 // To query proxies
230 typedef struct {
231  const char *cert;
232  const char *key;
233  const char *certdir;
234  const char *out;
235  const char *valid;
236  int deplen;
237  int bits;
238 } ProxyIn_t;
239 
240 /******************************************************************************/
241 /* X r d S e c P r o t o c o l g s i C l a s s */
242 /******************************************************************************/
243 
244 class XrdSecProtocolgsi : public XrdSecProtocol
245 {
246 friend class gsiOptions;
247 public:
248  int Authenticate (XrdSecCredentials *cred,
249  XrdSecParameters **parms,
250  XrdOucErrInfo *einfo=0);
251 
252  XrdSecCredentials *getCredentials(XrdSecParameters *parm=0,
253  XrdOucErrInfo *einfo=0);
254 
255  XrdSecProtocolgsi(int opts, const char *hname,
256  const struct sockaddr *ipadd, const char *parms = 0);
257  virtual ~XrdSecProtocolgsi() {} // Delete() does it all
258 
259  // Initialization methods
260  static char *Init(gsiOptions o, XrdOucErrInfo *erp);
261 
262  void Delete();
263 
264  // Encrypt / Decrypt methods
265  int Encrypt(const char *inbuf, int inlen,
266  XrdSecBuffer **outbuf);
267  int Decrypt(const char *inbuf, int inlen,
268  XrdSecBuffer **outbuf);
269  // Sign / Verify methods
270  int Sign(const char *inbuf, int inlen,
271  XrdSecBuffer **outbuf);
272  int Verify(const char *inbuf, int inlen,
273  const char *sigbuf, int siglen);
274 
275  // Export session key
276  int getKey(char *kbuf=0, int klen=0);
277  // Import a key
278  int setKey(char *kbuf, int klen);
279 
280  // Enable tracing
281  static XrdOucTrace *EnableTracing();
282 
283 private:
284 
285  // Static members initialized at startup
286  static XrdSysMutex gsiContext;
287  static String CAdir;
288  static String CRLdir;
289  static String DefCRLext;
290  static String SrvCert;
291  static String SrvKey;
292  static String UsrProxy;
293  static String UsrCert;
294  static String UsrKey;
295  static String PxyValid;
296  static int DepLength;
297  static int DefBits;
298  static int CACheck;
299  static int CRLCheck;
300  static int CRLDownload;
301  static int CRLRefresh;
302  static String DefCrypto;
303  static String DefCipher;
304  static String DefMD;
305  static String DefError;
306  static String GMAPFile;
307  static int GMAPOpt;
308  static bool GMAPuseDNname;
309  static int GMAPCacheTimeOut;
310  static XrdSysPlugin *GMAPPlugin;
311  static XrdSecgsiGMAP_t GMAPFun;
312  static XrdSysPlugin *AuthzPlugin;
313  static XrdSecgsiAuthz_t AuthzFun;
314  static XrdSecgsiAuthzKey_t AuthzKey;
315  static int AuthzCertFmt;
316  static int AuthzCacheTimeOut;
317  static int PxyReqOpts;
318  static int AuthzPxyWhat;
319  static int AuthzPxyWhere;
320  static String SrvAllowedNames;
321  static int VOMSAttrOpt;
322  static int MonInfoOpt;
323  //
324  // Crypto related info
325  static int ncrypt; // Number of factories
326  static XrdCryptoFactory *cryptF[XrdCryptoMax]; // their hooks
327  static int cryptID[XrdCryptoMax]; // their IDs
328  static String cryptName[XrdCryptoMax]; // their names
329  static XrdCryptoCipher *refcip[XrdCryptoMax]; // ref for session ciphers
330  //
331  // Caches
332  static XrdSutCache cacheCA; // Info about trusted CA's
333  static XrdSutCache cacheCert; // Cache for available server certs
334  static XrdSutCache cachePxy; // Cache for client proxies
335  static XrdSutCache cacheGMAP; // Cache for gridmap entries
336  static XrdSutCache cacheGMAPFun; // Cache for entries mapped by GMAPFun
337  static XrdSutCache cacheAuthzFun; // Cache for entities filled by AuthzFun
338  //
339  // GMAP control vars
340  static int lastGMAPCheck; // time of last check on GMAP
341  static XrdSysMutex mutexGMAP; // mutex to control GMAP reloads
342  //
343  // Running options / settings
344  static int Debug; // [CS] Debug level
345  static bool Server; // [CS] If server mode
346  static int TimeSkew; // [CS] Allowed skew in secs for time stamps
347  //
348  // for error logging and tracing
349  static XrdSysLogger Logger;
350  static XrdSysError eDest;
351  static XrdOucTrace *GSITrace;
352 
353  // Information local to this instance
354  int options;
355  struct sockaddr hostaddr; // Client-side only
356  XrdCryptoFactory *sessionCF; // Chosen crypto factory
357  XrdCryptoCipher *sessionKey; // Session Key (result of the handshake)
358  XrdSutBucket *bucketKey; // Bucket with the key in export form
359  XrdCryptoMsgDigest *sessionMD; // Message Digest instance
360  XrdCryptoRSA *sessionKsig; // RSA key to sign
361  XrdCryptoRSA *sessionKver; // RSA key to verify
362  X509Chain *proxyChain; // Chain with the delegated proxy on servers
363  bool srvMode; // TRUE if server mode
364 
365  // Temporary Handshake local info
366  gsiHSVars *hs;
367 
368  // Parsing received buffers: client
369  int ParseClientInput(XrdSutBuffer *br, XrdSutBuffer **bm,
370  String &emsg);
371  int ClientDoInit(XrdSutBuffer *br, XrdSutBuffer **bm,
372  String &cmsg);
373  int ClientDoCert(XrdSutBuffer *br, XrdSutBuffer **bm,
374  String &cmsg);
375  int ClientDoPxyreq(XrdSutBuffer *br, XrdSutBuffer **bm,
376  String &cmsg);
377 
378  // Parsing received buffers: server
379  int ParseServerInput(XrdSutBuffer *br, XrdSutBuffer **bm,
380  String &cmsg);
381  int ServerDoCertreq(XrdSutBuffer *br, XrdSutBuffer **bm,
382  String &cmsg);
383  int ServerDoCert(XrdSutBuffer *br, XrdSutBuffer **bm,
384  String &cmsg);
385  int ServerDoSigpxy(XrdSutBuffer *br, XrdSutBuffer **bm,
386  String &cmsg);
387 
388  // Auxilliary functions
389  int ParseCrypto(String cryptlist);
390  int ParseCAlist(String calist);
391 
392  // Load CA certificates
393  static int GetCA(const char *cahash,
394  XrdCryptoFactory *cryptof, gsiHSVars *hs = 0);
395  static String GetCApath(const char *cahash);
396  static bool VerifyCA(int opt, X509Chain *cca, XrdCryptoFactory *cf);
397  bool ServerCertNameOK(const char *subject, String &e);
398  static XrdSutPFEntry *GetSrvCertEnt(XrdCryptoFactory *cf, int timestamp, String &cal);
399 
400  // Load CRLs
401  static XrdCryptoX509Crl *LoadCRL(XrdCryptoX509 *xca,
402  XrdCryptoFactory *CF, int dwld);
403 
404  // Updating proxies
405  static int QueryProxy(bool checkcache, XrdSutCache *cache, const char *tag,
406  XrdCryptoFactory *cf, int timestamp,
407  ProxyIn_t *pi, ProxyOut_t *po);
408  static int InitProxy(ProxyIn_t *pi,
409  X509Chain *ch = 0, XrdCryptoRSA **key = 0);
410 
411  // Error functions
412  static void ErrF(XrdOucErrInfo *einfo, kXR_int32 ecode,
413  const char *msg1, const char *msg2 = 0,
414  const char *msg3 = 0);
415  XrdSecCredentials *ErrC(XrdOucErrInfo *einfo, XrdSutBuffer *b1,
416  XrdSutBuffer *b2,XrdSutBuffer *b3,
417  kXR_int32 ecode, const char *msg1 = 0,
418  const char *msg2 = 0, const char *msg3 = 0);
419  int ErrS(String ID, XrdOucErrInfo *einfo, XrdSutBuffer *b1,
420  XrdSutBuffer *b2, XrdSutBuffer *b3,
421  kXR_int32 ecode, const char *msg1 = 0,
422  const char *msg2 = 0, const char *msg3 = 0);
423 
424  // Check Time stamp
425  bool CheckTimeStamp(XrdSutBuffer *b, int skew, String &emsg);
426 
427  // Check random challenge
428  bool CheckRtag(XrdSutBuffer *bm, String &emsg);
429 
430  // Auxilliary methods
431  int AddSerialized(char opt, kXR_int32 step, String ID,
432  XrdSutBuffer *bls, XrdSutBuffer *buf,
433  kXR_int32 type, XrdCryptoCipher *cip);
434  // Grid map cache handling
435  static int LoadGMAP(int now); // Init or refresh the cache
436  static XrdSecgsiGMAP_t // Load alternative function for mapping
437  LoadGMAPFun(const char *plugin, const char *parms);
438  static XrdSecgsiAuthz_t // Load alternative function to fill XrdSecEntity
439  LoadAuthzFun(const char *plugin, const char *parms, int &fmt);
440  static void QueryGMAP(XrdCryptoX509Chain* chain, int now, String &name); //Lookup info for DN
441 
442  // Entity handling
443  void CopyEntity(XrdSecEntity *in, XrdSecEntity *out, int *lout = 0);
444  void FreeEntity(XrdSecEntity *in);
445 
446  // VOMS parsing
447  void ExtractVOMS(X509Chain *c, XrdSecEntity &ent);
448 };
Generated by   doxygen 1.8.1.2