See errDesc returned by edg_wll_ErrorCode(). */
EDG_WLL_ERROR_URL_FORMAT, /**< Malformed URL */
EDG_WLL_ERROR_MD5_CLASH, /**< MD5 hash same for different strings. Very unlikely :-). */
- EDG_WLL_ERROR_SSL, /**< Generic SSL error. See errDesc returned by edg_wll_Error(). */
+ EDG_WLL_ERROR_GSS, /**< Generic GSSAPI error. See errDesc returned by edg_wll_Error(). */
EDG_WLL_ERROR_DNS, /**< DNS resolver error. See errDesc returned by edg_wll_Error(). */
EDG_WLL_ERROR_NOJOBID, /**< Attmepted call requires calling edg_wll_SetLoggingJob() first. */
EDG_WLL_ERROR_NOINDEX, /**< Query does not contain any conidion on indexed attribute. */
SUFFIXES = .T
-GLOBUSINC:= -I${globus_prefix}/include/${nothrflavour} \
- -I${globus_prefix}/include/${nothrflavour}/openssl
-GLOBUSTHRINC:= -I${globus_prefix}/include/${thrflavour} \
- -I${globus_prefix}/include/${thrflavour}/openssl
+GLOBUSINC:= -I${globus_prefix}/include/${nothrflavour}
+GLOBUSTHRINC:= -I${globus_prefix}/include/${thrflavour}
DEBUG:=-g -O0
CFLAGS:=${DEBUG} \
GLOBUS_LIBS:=-L${globus_prefix}/lib \
-lglobus_common_${nothrflavour} \
- -lssl_${nothrflavour}
+ -lglobus_gssapi_gsi_${nothrflavour} \
GLOBUS_THRLIBS:=-L${globus_prefix}/lib \
-lglobus_common_${thrflavour} \
- -lssl_${thrflavour}
+ -lglobus_gssapi_gsi_${thrflavour}
EXPAT_LIBS:=-L${expat_prefix}/lib \
-lexpat
stage: compile
$(MAKE) install PREFIX=${stagedir}
-
dist: distsrc distbin
distsrc:
#include <netinet/in.h>
#include <netdb.h>
-#include "globus_config.h"
-#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h"
-
#include "glite/lb/consumer.h"
#include "glite/lb/context-int.h"
-#include "glite/lb/dgssl.h"
+#include "glite/lb/lb_gss.h"
#include "glite/lb/mini_http.h"
static void CloseConnection(edg_wll_Context ctx, int conn_index)
{
/* close connection ad free its structures */
- if (ctx->connPool[conn_index].ssl)
- edg_wll_ssl_close_timeout(ctx->connPool[conn_index].ssl,&ctx->p_tmp_timeout);
+ OM_uint32 min_stat;
+
+ edg_wll_gss_close(&ctx->connPool[conn_index].gss, &ctx->p_tmp_timeout);
if (ctx->connPool[conn_index].gsiCred)
- edg_wll_ssl_free(ctx->connPool[conn_index].gsiCred);
+ gss_release_cred(&min_stat, &ctx->connPool[conn_index].gsiCred);
free(ctx->connPool[conn_index].peerName);
free(ctx->connPool[conn_index].buf);
int edg_wll_open(edg_wll_Context ctx)
{
int index;
+ edg_wll_GssStatus gss_stat;
edg_wll_ResetError(ctx);
ctx->connToUse = index;
- if (!ctx->connPool[index].gsiCred) {
- if (!(ctx->connPool[index].gsiCred = edg_wll_ssl_init(SSL_VERIFY_PEER,0,
- ctx->p_proxy_filename ? ctx->p_proxy_filename : ctx->p_cert_filename,
- ctx->p_proxy_filename ? ctx->p_proxy_filename : ctx->p_key_filename,
- 0, 0)))
- {
- edg_wll_SetError(ctx,EDG_WLL_ERROR_SSL,
- ERR_error_string(ERR_get_error(), NULL));
- goto err;
- }
-
+ /* XXX support anonymous connections, perhaps add a flag to the connPool
+ * struct specifying whether or not this connection shall be authenticated
+ * to prevent from repeated calls to edg_wll_gss_acquire_cred_gsi() */
+ if (!ctx->connPool[index].gsiCred &&
+ edg_wll_gss_acquire_cred_gsi(ctx->p_proxy_filename,
+ &ctx->connPool[index].gsiCred,
+ NULL,
+ &gss_stat)) {
+ edg_wll_SetErrorGss(ctx, "failed to load GSI credentials", &gss_stat);
+ goto err;
}
- if (!ctx->connPool[index].ssl) {
- switch (edg_wll_ssl_connect(ctx->connPool[index].gsiCred,
+ if (ctx->connPool[index].gss.context == GSS_C_NO_CONTEXT) {
+ switch (edg_wll_gss_connect(ctx->connPool[index].gsiCred,
ctx->connPool[index].peerName, ctx->connPool[index].peerPort,
- &ctx->p_tmp_timeout,&ctx->connPool[index].ssl)) {
+ &ctx->p_tmp_timeout,&ctx->connPool[index].gss,
+ &gss_stat)) {
- case EDG_WLL_SSL_OK:
+ case EDG_WLL_GSS_OK:
goto ok;
- case EDG_WLL_SSL_ERROR_ERRNO:
- edg_wll_SetError(ctx,errno,"edg_wll_ssl_connect()");
+ case EDG_WLL_GSS_ERROR_ERRNO:
+ edg_wll_SetError(ctx,errno,"edg_wll_gss_connect()");
break;
- case EDG_WLL_SSL_ERROR_SSL:
- edg_wll_SetError(ctx,EDG_WLL_ERROR_SSL,
- ERR_error_string(ERR_get_error(), NULL));
+ case EDG_WLL_GSS_ERROR_GSS:
+ edg_wll_SetErrorGss(ctx, "failed to authenticate to server", &gss_stat);
break;
- case EDG_WLL_SSL_ERROR_HERRNO:
+ case EDG_WLL_GSS_ERROR_HERRNO:
{ const char *msg1;
char *msg2;
msg1 = hstrerror(errno);
- asprintf(&msg2, "edg_wll_ssl_connect(): %s", msg1);
+ asprintf(&msg2, "edg_wll_gss_connect(): %s", msg1);
edg_wll_SetError(ctx,EDG_WLL_ERROR_DNS, msg2);
free(msg2);
}
break;
- case EDG_WLL_SSL_ERROR_EOF:
- edg_wll_SetError(ctx,ECONNREFUSED,"edg_wll_ssl_connect():"
+ case EDG_WLL_GSS_ERROR_EOF:
+ edg_wll_SetError(ctx,ECONNREFUSED,"edg_wll_gss_connect():"
" server closed the connection, probably due to overload");
break;
- case EDG_WLL_SSL_ERROR_TIMEOUT:
- edg_wll_SetError(ctx,ETIMEDOUT,"edg_wll_ssl_connect()");
+ case EDG_WLL_GSS_ERROR_TIMEOUT:
+ edg_wll_SetError(ctx,ETIMEDOUT,"edg_wll_gss_connect()");
break;
}
}
case HTTP_UNAVAIL: /* EAGAIN */
case HTTP_INVALID: /* EINVAL */
break;
- case EDG_WLL_SSL_ERROR_HERRNO:
+ case EDG_WLL_GSS_ERROR_HERRNO:
{ const char *msg1;
char *msg2;
msg1 = hstrerror(errno);
- asprintf(&msg2, "edg_wll_ssl_connect(): %s", msg1);
+ asprintf(&msg2, "edg_wll_gss_connect(): %s", msg1);
edg_wll_SetError(ctx,EDG_WLL_ERROR_DNS, msg2);
free(msg2);
}
#include <expat.h>
#include "globus_config.h"
-#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h"
#include "glite/lb/consumer.h"
#include "glite/lb/context-int.h"
#include "glite/lb/events_parse.h"
#include "glite/lb/il_string.h"
#include "glite/lb/escape.h"
+#include "glite/lb/lb_gss.h"
#include "connection.h"
int ret, len;
char fbuf[17];
size_t total;
+ edg_wll_GssStatus gss_code;
if (ctx->connPool[ctx->connToUse].buf) {
ctx->connPool[ctx->connToUse].bufUse = 0;
ctx->connPool[ctx->connToUse].bufSize = 0;
-
- if ((ret=edg_wll_ssl_read_full(ctx->connPool[ctx->connToUse].ssl,
- fbuf,17,&ctx->p_tmp_timeout,&total)) < 0)
+ ret = edg_wll_gss_read_full(&ctx->connPool[ctx->connToUse].gss,
+ fbuf,17, &ctx->p_tmp_timeout,&total, &gss_code);
+ if (ret < 0)
switch (ret) {
- case EDG_WLL_SSL_ERROR_TIMEOUT:
+ case EDG_WLL_GSS_ERROR_TIMEOUT:
return edg_wll_SetError(ctx,ETIMEDOUT,"read message header");
- case EDG_WLL_SSL_ERROR_EOF:
+ case EDG_WLL_GSS_ERROR_EOF:
return edg_wll_SetError(ctx,ENOTCONN,NULL);
+ case EDG_WLL_GSS_ERROR_GSS:
+ return edg_wll_SetErrorGss(ctx, "read message header", &gss_code);
default:
- return edg_wll_SetError(ctx,EDG_WLL_ERROR_SSL,"read message header");
+ return edg_wll_SetError(ctx,EDG_WLL_ERROR_GSS,"read message header"); /* XXX */
}
if ((len = atoi(fbuf)) <= 0) {
}
- if ((ret=edg_wll_ssl_read_full(ctx->connPool[ctx->connToUse].ssl,
- ctx->connPool[ctx->connToUse].buf,
- len,
- &ctx->p_tmp_timeout,&total)) < 0) {
+ ret = edg_wll_gss_read_full(&ctx->connPool[ctx->connToUse].gss,
+ ctx->connPool[ctx->connToUse].buf, len,
+ &ctx->p_tmp_timeout,&total, &gss_code);
+ if (ret < 0) {
free(ctx->connPool[ctx->connToUse].buf);
ctx->connPool[ctx->connToUse].bufUse = 0;
ctx->connPool[ctx->connToUse].bufSize = 0;
return edg_wll_SetError(ctx,
- ret == EDG_WLL_SSL_ERROR_TIMEOUT ?
- ETIMEDOUT : EDG_WLL_ERROR_SSL,
+ ret == EDG_WLL_GSS_ERROR_TIMEOUT ?
+ ETIMEDOUT : EDG_WLL_ERROR_GSS,
"read message");
}
int ret, len, err_code, err_code_min = 0, max_len = 256;
char *p, *err_msg = NULL, buf[max_len];
size_t total;
+ edg_wll_GssStatus gss_code;
err_code = edg_wll_Error(ctx,NULL,&err_msg);
p = put_int(p, err_code_min);
p = put_string(p, err_msg);
-
- if ((ret = edg_wll_ssl_write_full(ctx->connPool[ctx->connToUse].ssl,
- buf,len,&ctx->p_tmp_timeout,&total)) < 0) {
+ ret = edg_wll_gss_write_full(&ctx->connPool[ctx->connToUse].gss,
+ buf,len,&ctx->p_tmp_timeout,&total, &gss_code);
+ if (ret < 0) {
edg_wll_SetError(ctx,
- ret == EDG_WLL_SSL_ERROR_TIMEOUT ?
- ETIMEDOUT : EDG_WLL_ERROR_SSL,
+ ret == EDG_WLL_GSS_ERROR_TIMEOUT ?
+ ETIMEDOUT : EDG_WLL_ERROR_GSS,
"write reply");
goto err;
}
struct timeval start_time,check_time,tv;
char *p = NULL, *ucs = NULL,
*event_char = NULL, *jobstat_char = NULL;
+ int ret;
+ edg_wll_GssStatus gss_code;
goto err;
}
+ ret = edg_wll_gss_accept(ctx->connPool[ctx->connToUse].gsiCred, recv_sock,
+ &tv, &ctx->connPool[ctx->connToUse].gss, &gss_code);
- ctx->connPool[ctx->connToUse].ssl =
- edg_wll_ssl_accept(ctx->connPool[ctx->connToUse].gsiCred,recv_sock,&tv);
-
- if (ctx->connPool[ctx->connToUse].ssl == NULL) {
- edg_wll_SetError(ctx, errno, "SSL hanshake failed.");
+ if (ret) {
+ edg_wll_SetError(ctx, errno, "GSS authentication failed.");
goto err;
}
// XXX
// konzultovat s Danem
- edg_wll_ssl_close(ctx->connPool[ctx->connToUse].ssl);
- ctx->connPool[ctx->connToUse].ssl = NULL;
+ /* Dan: ??? */
+ edg_wll_gss_close(&ctx->connPool[ctx->connToUse].gss, NULL);
return edg_wll_Error(ctx,NULL,NULL);
}
int err;
if (ctx->notifSock >= 0) {
- if (ctx->connPool[ctx->connToUse].ssl) {
- edg_wll_ssl_close(ctx->connPool[ctx->connToUse].ssl);
- ctx->connPool[ctx->connToUse].ssl = NULL;
+ if (ctx->connPool[ctx->connToUse].gss.context != GSS_C_NO_CONTEXT) {
+ edg_wll_gss_close(&ctx->connPool[ctx->connToUse].gss, NULL);
}
err = close(ctx->notifSock);
ctx->notifSock = -1;
#include "prod_proto.h"
#include "glite/lb/producer.h"
#include "glite/lb/escape.h"
+#include "glite/lb/lb_gss.h"
#include <signal.h>
#include <string.h>
*
*----------------------------------------------------------------------
*/
-int edg_wll_log_proto_client(edg_wll_Context context, SSL *ssl, edg_wll_LogLine logline/*, int priority,*/)
+int edg_wll_log_proto_client(edg_wll_Context context, edg_wll_GssConnection *con, edg_wll_LogLine logline/*, int priority,*/)
{
char header[EDG_WLL_LOG_SOCKET_HEADER_LENGTH+1];
int err;
int count;
int size;
u_int8_t size_end[4];
+ edg_wll_GssStatus gss_code;
errno = err = answer = count = 0;
size = strlen(logline)+1;
#endif
sprintf(header,"%s",EDG_WLL_LOG_SOCKET_HEADER);
header[EDG_WLL_LOG_SOCKET_HEADER_LENGTH]='\0';
- if ((err = edg_wll_ssl_write_full(ssl, header, EDG_WLL_LOG_SOCKET_HEADER_LENGTH, &context->p_tmp_timeout, &count)) < 0) {
- answer = edg_wll_log_proto_client_failure(context,err,"send header");
+ if ((err = edg_wll_gss_write_full(con, header, EDG_WLL_LOG_SOCKET_HEADER_LENGTH, &context->p_tmp_timeout, &count, &gss_code)) < 0) {
+ answer = edg_wll_log_proto_client_failure(context,err,&gss_code,"send header");
goto edg_wll_log_proto_client_end;
}
fprintf(stderr,"Sending message priority...\n");
#endif
count = 0;
- if ((err = edg_wll_ssl_write_full(ssl, &priority, sizeof(priority), &context->p_tmp_timeout, &count)) < 0) {
- answer = edg_wll_log_proto_client_failure(context,err,"send message priority");
+ if ((err = edg_wll_gss_write_full(con, &priority, sizeof(priority), &context->p_tmp_timeout, &count, &gss_code)) < 0) {
+ answer = edg_wll_log_proto_client_failure(context,err,&gss_code,"send message priority");
goto edg_wll_log_proto_client_end;
}
*/
fprintf(stderr,"Sending message size...\n");
#endif
count = 0;
- if ((err = edg_wll_ssl_write_full(ssl, size_end, 4, &context->p_tmp_timeout, &count)) < 0) {
- answer = edg_wll_log_proto_client_failure(context,err,"send message size");
+ if ((err = edg_wll_gss_write_full(con, size_end, 4, &context->p_tmp_timeout, &count, &gss_code)) < 0) {
+ answer = edg_wll_log_proto_client_failure(context,err,&gss_code,"send message size");
goto edg_wll_log_proto_client_end;
}
fprintf(stderr,"Sending message to socket...\n");
#endif
count = 0;
- if (( err = edg_wll_ssl_write_full(ssl, logline, size, &context->p_tmp_timeout, &count)) < 0) {
- answer = edg_wll_log_proto_client_failure(context,err,"send message");
+ if (( err = edg_wll_gss_write_full(con, logline, size, &context->p_tmp_timeout, &count, &gss_code)) < 0) {
+ answer = edg_wll_log_proto_client_failure(context,err,&gss_code,"send message");
goto edg_wll_log_proto_client_end;
}
fprintf(stderr,"Reading answer from server...\n");
#endif
count = 0;
- if ((err = edg_wll_ssl_read_full(ssl, answer_end, 4, &context->p_tmp_timeout, &count)) < 0 ) {
- answer = edg_wll_log_proto_client_failure(context,err,"get answer");
+ if ((err = edg_wll_gss_read_full(con, answer_end, 4, &context->p_tmp_timeout, &count, &gss_code)) < 0 ) {
+ answer = edg_wll_log_proto_client_failure(context,err,&gss_code,"get answer");
/* FIXME: update the answer (in context?) to EAGAIN or not?
answer = EAGAIN;
*/
*
*----------------------------------------------------------------------
*/
-int edg_wll_log_proto_client_failure(edg_wll_Context context, int code, const char *text)
+int edg_wll_log_proto_client_failure(edg_wll_Context context, int code, edg_wll_GssStatus *gss_code, const char *text)
{
const char *func="edg_wll_log_proto_client()";
static char err[256];
int ret = 0;
+ char *gss_err;
edg_wll_ResetError(context);
return(0);
switch(code) {
- case EDG_WLL_SSL_ERROR_EOF:
+ case EDG_WLL_GSS_ERROR_EOF:
snprintf(err, sizeof(err), "%s: Error %s, EOF occured;", func, text);
ret = edg_wll_SetError(context,ENOTCONN,err);
break;
- case EDG_WLL_SSL_ERROR_TIMEOUT:
+ case EDG_WLL_GSS_ERROR_TIMEOUT:
snprintf(err, sizeof(err), "%s: Error %s, timeout expired;", func, text);
ret = edg_wll_SetError(context,ENOTCONN,err);
break;
- case EDG_WLL_SSL_ERROR_ERRNO: // XXX: perror("edg_wll_ssl_read()"); break;
+ case EDG_WLL_GSS_ERROR_ERRNO: // XXX: perror("edg_wll_ssl_read()"); break;
snprintf(err, sizeof(err), "%s: Error %s, system error occured;", func, text);
ret = edg_wll_SetError(context,ENOTCONN,err);
break;
- case EDG_WLL_SSL_ERROR_SSL:
- snprintf(err, sizeof(err), "%s: Error %s, SSL error occured; %s;", func, text,
- ERR_reason_error_string(ERR_get_error()));
- ret = edg_wll_SetError(context,ENOTCONN,err);
+ case EDG_WLL_GSS_ERROR_GSS:
+ snprintf(err, sizeof(err), "%s: Error %s, GSS error occured", func, text);
+ edg_wll_gss_get_error(gss_code, err, &gss_err);
+ ret = edg_wll_SetError(context,ENOTCONN,gss_err);
+ free(gss_err);
break;
default:
break;
#include "glite/lb/log_proto.h"
#include "glite/lb/context-int.h"
-#include "glite/lb/dgssl.h"
+#include "glite/lb/lb_gss.h"
-int edg_wll_log_proto_client(edg_wll_Context context, SSL *ssl, edg_wll_LogLine logline/*, int priority,*/);
-int edg_wll_log_proto_client_failure(edg_wll_Context context, int code, const char *text);
+int edg_wll_log_proto_client(edg_wll_Context context, edg_wll_GssConnection *con, edg_wll_LogLine logline/*, int priority,*/);
+int edg_wll_log_proto_client_failure(edg_wll_Context context, int code, edg_wll_GssStatus *gss_code, const char *text);
#ifdef __cplusplus
}
#ident "$Header$"
-#include <globus_gss_assist.h>
-#include <globus_config.h>
-
#include <syslog.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
-#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h"
#include "glite/wmsutils/jobid/strmd5.h"
#include "glite/lb/consumer.h"
#include "glite/lb/producer.h"
#include "glite/lb/context-int.h"
#include "glite/lb/ulm_parse.h"
#include "glite/lb/trio.h"
+#include "glite/lb/lb_gss.h"
#include "prod_proto.h"
edg_wll_LogLine logline)
{
int ret,answer;
- void *cred_handle = NULL;
- SSL *ssl = NULL;
-#ifdef EDG_WLL_LOG_STUB
char *my_subject_name = NULL;
-#endif
+ edg_wll_GssStatus gss_stat;
+ edg_wll_GssConnection con;
+ gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
+ OM_uint32 min_stat;
edg_wll_ResetError(context);
ret = answer = 0;
+ memset(&con, 0, sizeof(con));
- /* open a SSL connection to the local-logger: */
+ /* open an authenticated connection to the local-logger: */
#ifdef EDG_WLL_LOG_STUB
fprintf(stderr,"Logging to host %s, port %d\n",
context->p_destination, context->p_dest_port);
#endif
-
- if ((cred_handle=edg_wll_ssl_init(SSL_VERIFY_PEER, 0,
- context->p_proxy_filename ? context->p_proxy_filename : context->p_cert_filename,
- context->p_proxy_filename ? context->p_proxy_filename : context->p_key_filename,
- 0, 0)) == NULL) {
- edg_wll_SetError(context,EDG_WLL_ERROR_SSL,"edg_wll_ssl_init()");
- goto edg_wll_DoLogEvent_end;
+ ret = edg_wll_gss_acquire_cred_gsi(context->p_proxy_filename, &cred,
+ &my_subject_name, &gss_stat);
+ /* Give up if unable to prescribed credentials, otherwise go on anonymously */
+ if (ret && context->p_proxy_filename) {
+ edg_wll_SetErrorGss(context, "failed to load GSI credentials", &gss_stat);
+ goto edg_wll_DoLogEvent_end;
}
-#ifdef EDG_WLL_LOG_STUB
- edg_wll_ssl_get_my_subject(cred_handle,&my_subject_name);
+
if (my_subject_name != NULL) {
+#ifdef EDG_WLL_LOG_STUB
fprintf(stderr,"Using certificate: %s\n",my_subject_name);
+#endif
free(my_subject_name);
- } else {
- edg_wll_SetError(context,ECONNREFUSERD,"edg_wll_ssl_get_my_subject()");
- goto edg_wll_DoLogEvent_end;
}
-#endif
- if ((answer = edg_wll_ssl_connect(cred_handle,
+ if ((answer = edg_wll_gss_connect(cred,
context->p_destination, context->p_dest_port,
- &context->p_tmp_timeout, &ssl)) < 0) {
+ &context->p_tmp_timeout, &con, &gss_stat)) < 0) {
switch(answer) {
- case EDG_WLL_SSL_ERROR_EOF:
- edg_wll_SetError(context,ENOTCONN,"edg_wll_ssl_connect()");
+ case EDG_WLL_GSS_ERROR_EOF:
+ edg_wll_SetError(context,ENOTCONN,"edg_wll_gss_connect()");
break;
- case EDG_WLL_SSL_ERROR_TIMEOUT:
- edg_wll_SetError(context,ETIMEDOUT,"edg_wll_ssl_connect()");
+ case EDG_WLL_GSS_ERROR_TIMEOUT:
+ edg_wll_SetError(context,ETIMEDOUT,"edg_wll_gss_connect()");
break;
- case EDG_WLL_SSL_ERROR_ERRNO:
- edg_wll_SetError(context,errno,"edg_wll_ssl_connect()");
+ case EDG_WLL_GSS_ERROR_ERRNO:
+ edg_wll_SetError(context,errno,"edg_wll_gss_connect()");
break;
- case EDG_WLL_SSL_ERROR_SSL:
- {
- const char *msg1;
- char *msg2;
- msg1 = ERR_reason_error_string(ERR_get_error());
- asprintf(&msg2, "edg_wll_ssl_connect(): %s", msg1);
- edg_wll_SetError(context,EDG_WLL_ERROR_SSL,msg2);
- free(msg2);
- }
+ case EDG_WLL_GSS_ERROR_GSS:
+ edg_wll_SetErrorGss(context, "failed to authenticate to server",&gss_stat);
break;
- case EDG_WLL_SSL_ERROR_HERRNO:
+ case EDG_WLL_GSS_ERROR_HERRNO:
{
const char *msg1;
char *msg2;
msg1 = hstrerror(errno);
- asprintf(&msg2, "edg_wll_ssl_connect(): %s", msg1);
+ asprintf(&msg2, "edg_wll_gss_connect(): %s", msg1);
edg_wll_SetError(context,EDG_WLL_ERROR_DNS, msg2);
free(msg2);
}
break;
default:
- edg_wll_SetError(context,ECONNREFUSED,"edg_wll_ssl_connect(): unknown");
+ edg_wll_SetError(context,ECONNREFUSED,"edg_wll_gss_connect(): unknown");
break;
}
goto edg_wll_DoLogEvent_end;
/* and send the message to the local-logger: */
- answer = edg_wll_log_proto_client(context,ssl,logline/*,priority*/);
+ answer = edg_wll_log_proto_client(context,&con,logline/*,priority*/);
switch(answer) {
case 0:
case EINVAL:
case ENOSPC:
case ENOMEM:
- case EDG_WLL_ERROR_SSL:
+ case EDG_WLL_ERROR_GSS:
case EDG_WLL_ERROR_DNS:
case ENOTCONN:
case ECONNREFUSED:
}
edg_wll_DoLogEvent_end:
- if (ssl) edg_wll_ssl_close_timeout(ssl,&context->p_tmp_timeout);
- if (cred_handle) edg_wll_ssl_free(cred_handle);
+ if (con.context != GSS_C_NO_CONTEXT)
+ edg_wll_gss_close(&con,&context->p_tmp_timeout);
+ if (cred != GSS_C_NO_CREDENTIAL)
+ gss_release_cred(&min_stat, &cred);
return edg_wll_Error(context, NULL, NULL);
}
SUFFIXES = .T
DEBUG:=-g -O0 -Wall
-GLOBUSINC:= -I${globus_prefix}/include/${nothrflavour} \
- -I${globus_prefix}/include/${nothrflavour}/openssl
-GLOBUSTHRINC:= -I${globus_prefix}/include/${thrflavour} \
- -I${globus_prefix}/include/${thrflavour}/openssl
+GLOBUSINC:= -I${globus_prefix}/include/${nothrflavour}
+GLOBUSTHRINC:= -I${globus_prefix}/include/${thrflavour}
CFLAGS:=${DEBUG} -I${top_srcdir}/src -I${top_srcdir}/interface \
-I${stagedir}/include \
LINK:=libtool --mode=link ${CC} -rpath ${stagedir}/lib ${LDFLAGS}
INSTALL:=libtool --mode=install install
-OBJS:=dgssl.o escape.o events.o mini_http.o query_rec.o status.o \
+OBJS:=lb_gss.o escape.o events.o mini_http.o query_rec.o status.o \
xml_conversions.o xml_parse.o ulm_parse.o param.o \
events_parse.o il_string.o il_int.o notifid.o \
il_log.o il_msg.o context.o trio.o strio.o
THROBJS:=${OBJS:.o=.thr.o}
THRLOBJS:=${OBJS:.o=.thr.lo}
-HDRS:=context-int.h dgssl.h mini_http.h authz.h xml_parse.h \
+HDRS:=context-int.h lb_gss.h mini_http.h authz.h xml_parse.h \
xml_conversions.h log_proto.h events_parse.h il_string.h escape.h \
ulm_parse.h trio.h
${LTLIB}: ${OBJS}
${LINK} -o $@ ${LOBJS} \
- -lglobus_ssl_utils -lglite_wmsutils_cjobid \
+ -lglite_wmsutils_cjobid \
-lm
${THRLTLIB}: ${THROBJS}
${LINK} -o $@ ${THRLOBJS} \
- -lglobus_ssl_utils -lglite_wmsutils_cjobid \
+ -lglite_wmsutils_cjobid \
-lm
stage: compile
#ident "$Header$"
#include "glite/lb/consumer.h"
-#include "dgssl.h"
+#include "lb_gss.h"
#include "authz.h"
#ifdef __cplusplus
unsigned int peerPort;
/* http(s) stream */
- void *gsiCred;
- SSL *ssl;
+ gss_cred_id_t gsiCred;
+ edg_wll_GssConnection gss;
char *buf;
int bufUse,bufSize;
const char * /* error description */
);
+extern int edg_wll_SetErrorGss(
+ edg_wll_Context,
+ const char *,
+ edg_wll_GssStatus *
+);
+
/** update errDesc and errCode */
extern int edg_wll_UpdateError(
edg_wll_Context, /* context */
+++ /dev/null
-#ifndef __EDG_WORKLOAD_LOGGING_COMMON_DGSSL_H__
-#define __EDG_WORKLOAD_LOGGING_COMMON_DGSSL_H__
-/**
- * \file Client/dgssl.h
- * \brief Auxiliary SSL functions for L&B
- */
-
-#ident "$Header$"
-
-/* openssl headers */
-#include <globus_config.h>
-#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h"
-
-#include <ssl.h>
-#include <err.h>
-#include <rand.h>
-#include <bio.h>
-#include <pem.h>
-#include <x509.h>
-#if SSLEAY_VERSION_NUMBER >= 0x0090581fL
-#include <x509v3.h>
-#endif
-
-/**
- * Initialize SSL and GSI contexts and set SSL parameters for authentication.
- * \param verify IN: specifies SSL authentication mode to be used for peer
- * verification. (SSL_VERIFY_NONE, SSL_VERIFY_PEER,
- * SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_VERIFY_CLIENT_ONCE) -- see also ssl.h
- * \param callback IN: if nonzero the standard GSI authentication callback will
- * be called on each certificate in a chain in order to verify the chain
- * consists only of valid GSI proxy certs. If the parametr is zero only the
- * default SSL callback will be used.
- * \param p_cert_file IN: file containg the caller's cert.
- * \param p_key_file IN: file containg the caller's key. If at least one of
- * these parameters is NULL, the default proxy is examined and used (if
- * exists), otherwise the default long-term credential will be used. \param
- * ask_passwd IN: if nonzero, the standard SSL prompt is used whenever an
- * encrypted keyfile is encountered. If the paramater zero, no password will be
- * prompted for even if the key is encrypted.
- * \param no_auth IN: if nonzero, only context necessary for authentication of
- * the peer will be set. No caller's credential is read.
- * \retval pointer to an opaque structure containg the initialized context, if
- * any error occurs, the context will contain only those basic parameters
- * necessary for authentication of the peer
- */
-proxy_cred_desc *edg_wll_ssl_init(int verify, int callback, char *p_cert_file,char *p_key_file,
- int ask_passwd, int noauth);
-
-/**
- * frees cred_handle returned by edg_wll_ssl_init()
- * \param cred_handle IN: pointer returned by edg_wll_ssl_init()
- */
-int edg_wll_ssl_free(proxy_cred_desc *cred_handle);
-
-/**
- * Establish SSL context with server.
- * Called by the clients when they tryies to do SSL handshake with the server.
- * This includes authentication of the server and optionaly the client, and
- * establishing SSL security parameters.
- *
- * \param cred_handle IN: pointer returned by edg_wll_ssl_init()
- * \param hostname IN: hostname to connect to
- * \param port IN: port to connect to
- * \param timeout INOUT: if NULL, blocking SSL I/O is done, otherwise the
- * I/O and SSL handshake will take at most the specified time. Remaining
- * time is returned.
- * \param sslp OUT: on success, returned pointer to SSL connection
- * \return one of EDG_WLL_SSL_*
- */
-int edg_wll_ssl_connect(proxy_cred_desc *cred_handle,char const *hostname,int port,
- struct timeval *timeout,SSL **sslp);
-
-/**
- * Establish SSL context with client.
- * Called by the server when trying to do a SSL handshake with the client. A
- * network connection must be established before calling this function. Use
- * timeout set in context.
- * \param ctx IN: used to obtain timeout
- * \param cred_handle IN: pointer returned by edg_wll_ssl_init()
- * \param sock IN: specification of the network connection
- * \retval pointer to SSL connection on success
- * \retval NULL on error
- */
-SSL *edg_wll_ssl_accept(proxy_cred_desc *cred_handle,int sock, struct timeval *timeout);
-
-/**
- * Try to send SSL close alert on socket (reject the client in orderly way).
- * \param cred_handle IN: pointer returned by edg_wll_ssl_init(), to get SSL_CTX
- * \param sock IN: specification of the network connection
- */
-
-void edg_wll_ssl_reject(proxy_cred_desc *cred_handle,int sock);
-
-/**
- * Close SSL connection, possibly saving open sessions, and destroy the SSL object.
- * Called by anyone who wishes to close the connection.
- * \param ssl IN: object identifying the SSL connection
- * \param timeout INOUT: max time allowed for operation, remaining time
- * on return
- * \retval one of EDG_WLL_SSL_*
- */
-int edg_wll_ssl_close_timeout(SSL *ssl, struct timeval *timeout);
-
-/**
- * Close SSL connection, call edg_wll_ssl_close_timeout() with hard-wired
- * timeout 120 secs.
- * \param ssl IN: object identifying the SSL connection
- * \retval one of EDG_WLL_SSL_*
- */
-int edg_wll_ssl_close(SSL *ssl);
-
-/**
- * Return subject name of the caller as specified in the context.
- * \param cred_handle IN: pointer returned by edg_wll_ssl_init()
- * \param my_subject_name OUT: contains the subject name. The caller must free
- * this variable when no needed.
- */
-void edg_wll_ssl_get_my_subject(proxy_cred_desc *cred_handle, char **my_subject_name);
-void edg_wll_ssl_get_my_subject_base(proxy_cred_desc *cred_handle, char **my_subject_name);
-
-/** no SSL errors */
-#define EDG_WLL_SSL_OK 0
-/** SSL specific error. Call ERR_* functions for details. */
-#define EDG_WLL_SSL_ERROR_SSL -1
-/** Timeout */
-#define EDG_WLL_SSL_ERROR_TIMEOUT -2
-/** EOF occured */
-#define EDG_WLL_SSL_ERROR_EOF -3
-/** System error. See errno. */
-#define EDG_WLL_SSL_ERROR_ERRNO -4
-/** Resolver error. See h_errno. */
-#define EDG_WLL_SSL_ERROR_HERRNO -5
-
-/**
- * Read from SSL connection.
- * Needn't read entire buffer. Timeout is applicable only for non-blocking
- * connections (created with non-NULL timeout param of edg_wll_ssl_connect()).
- * \param ssl IN: connection to work with
- * \param buf OUT: buffer
- * \param bufsize IN: max size to read
- * \param timeout INOUT: max time allowed for operation, remaining time
- * on return
- * \retval bytes read (>0) on success
- * \retval one of EDG_WLL_SSL_* (<0) on error
- */
-
-int edg_wll_ssl_read(SSL *ssl,void *buf,size_t bufsize,struct timeval *timeout);
-
-/**
- * Write to SSL connection.
- * Needn't write entire buffer. Timeout is applicable only for non-blocking
- * connections (created with non-NULL timeout param of edg_wll_ssl_connect()).
- * \param ssl IN: connection to work with
- * \param buf IN: buffer
- * \param bufsize IN: max size to write
- * \param timeout INOUT: max time allowed for operation, remaining time
- * on return
- * \retval bytes written (>0) on success
- * \retval one of EDG_WLL_SSL_* (<0) on error
- */
-
-int edg_wll_ssl_write(SSL *ssl,const void *buf,size_t bufsize,struct timeval *timeout);
-
-/**
- * Read specified amount of data from SSL connection.
- * Attempts to call edg_wll_ssl_read() untill the entire request is satisfied
- * (or EOF reached, or times out)
- *
- * \param ssl IN: connection to work with
- * \param buf OUT: buffer
- * \param bufsize IN: max size to read
- * \param timeout INOUT: max time allowed for operation, remaining time
- * on return
- * \param total OUT: bytes actually read
- * \return one of EDG_WLL_SSL_*
- */
-
-int edg_wll_ssl_read_full(SSL *ssl,void *buf,size_t bufsize,struct timeval *timeout,size_t *total);
-
-/**
- * Write specified amount of data to SSL connection.
- * Attempts to call edg_wll_ssl_write() untill the entire request is satisfied
- * (or times out).
- *
- * \param ssl IN: connection to work with
- * \param buf IN: buffer
- * \param bufsize IN: max size to read
- * \param timeout INOUT: max time allowed for operation, remaining time
- * on return
- * \param total OUT: bytes actually written
- * \return one of EDG_WLL_SSL_*
- */
-
-int edg_wll_ssl_write_full(SSL *ssl,const void *buf,size_t bufsize,struct timeval *timeout,size_t *total);
-
-void edg_wll_ssl_set_noauth(proxy_cred_desc* cred_handle);
-
-/**
- * Check modification times of key and cert files.
- */
-int edg_wll_ssl_watch_creds(const char *,const char *,time_t *,time_t *);
-
-#endif /* __EDG_WORKLOAD_LOGGING_COMMON_DGSSL_H__ */
-
#include <assert.h>
#include <globus_config.h>
-#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h"
#include "glite/wmsutils/jobid/strmd5.h"
#include "glite/wmsutils/jobid/cjobid.h"
void edg_wll_FreeContext(edg_wll_Context ctx)
{
struct timeval close_timeout = {0, 50000};
+ OM_uint32 min_stat;
if (!ctx) return;
for (i=0; i<ctx->poolSize; i++) {
if (ctx->connPool[i].peerName) free(ctx->connPool[i].peerName);
- if (ctx->connPool[i].ssl)
- edg_wll_ssl_close_timeout(ctx->connPool[i].ssl,&close_timeout);
- if (ctx->connPool[i].gsiCred) edg_wll_ssl_free(ctx->connPool[i].gsiCred);
+ edg_wll_gss_close(&ctx->connPool[i].gss,&close_timeout);
+ if (ctx->connPool[i].gsiCred)
+ gss_release_cred(&min_stat, &ctx->connPool[i].gsiCred);
if (ctx->connPool[i].buf) free(ctx->connPool[i].buf);
}
free(ctx->connPool);
"Database call failed",
"Bad URL format",
"MD5 key clash",
- "SSL Error",
+ "GSSAPI Error",
"DNS resolver error",
"No JobId specified in context",
"No indexed condition in query",
free(groups->val[len].name);
}
}
+
+int edg_wll_SetErrorGss(edg_wll_Context ctx, const char *desc, edg_wll_GssStatus *gss_code)
+{
+ char *err_msg;
+
+ edg_wll_gss_get_error(gss_code, desc, &err_msg);
+ edg_wll_SetError(ctx,EDG_WLL_ERROR_GSS, err_msg);
+ free(err_msg);
+ return ctx->errCode;
+}
+++ /dev/null
-#ident "$Header$"
-
-#include <string.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <time.h>
-#include <stdlib.h>
-#include <sys/time.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <sys/socket.h>
-#include <netdb.h>
-#include <netinet/in.h>
-#include <ares.h>
-
-#include "globus_config.h"
-#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h"
-
-#include "dgssl.h"
-
-/* This two functions are not in globus sslutils.h */
-void proxy_verify_ctx_release(proxy_verify_ctx_desc *pvxd);
-void proxy_verify_ctx_init(proxy_verify_ctx_desc *pvxd);
-
-#include "globus_gss_assist.h"
-
-#define tv_sub(a,b) {\
- (a).tv_usec -= (b).tv_usec;\
- (a).tv_sec -= (b).tv_sec;\
- if ((a).tv_usec < 0) {\
- (a).tv_sec--;\
- (a).tv_usec += 1000000;\
- }\
-}
-
-static int decrement_timeout(struct timeval *timeout, struct timeval before, struct timeval after)
-{
- (*timeout).tv_sec = (*timeout).tv_sec - (after.tv_sec - before.tv_sec);
- (*timeout).tv_usec = (*timeout).tv_usec - (after.tv_usec - before.tv_usec);
- while ( (*timeout).tv_usec < 0) {
- (*timeout).tv_sec--;
- (*timeout).tv_usec += 1000000;
- }
- if ( ((*timeout).tv_sec < 0) || (((*timeout).tv_sec == 0) && ((*timeout).tv_usec == 0)) ) return(1);
- else return(0);
-}
-
-
-static int handle_ssl_error(int sock,int err,struct timeval *to);
-
-static unsigned char dh512_p[]={
- 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
- 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
- 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
- 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
- 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
- 0x47,0x74,0xE8,0x33,
- };
-static unsigned char dh512_g[]={
- 0x02,
- };
-
-static DH *get_dh512(void)
- {
- DH *dh=NULL;
-
- if ((dh=DH_new()) == NULL) return(NULL);
- dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
- dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
- return(NULL);
- return(dh);
- }
-
-struct asyn_result {
- struct hostent *ent;
- int err;
-};
-
-/* ares callback handler for ares_gethostbyname() */
-static void callback_handler(void *arg, int status, struct hostent *h) {
- struct asyn_result *arp = (struct asyn_result *) arg;
-
- switch (status) {
- case ARES_SUCCESS:
- if (h && h->h_addr_list[0]) {
- arp->ent->h_addr_list =
- (char **) malloc(2 * sizeof(char *));
- if (arp->ent->h_addr_list == NULL) {
- arp->err = NETDB_INTERNAL;
- break;
- }
- arp->ent->h_addr_list[0] =
- malloc(sizeof(struct in_addr));
- if (arp->ent->h_addr_list[0] == NULL) {
- free(arp->ent->h_addr_list);
- arp->err = NETDB_INTERNAL;
- break;
- }
- memcpy(arp->ent->h_addr_list[0], h->h_addr_list[0],
- sizeof(struct in_addr));
- arp->ent->h_addr_list[1] = NULL;
- arp->err = NETDB_SUCCESS;
- } else {
- arp->err = NO_DATA;
- }
- break;
- case ARES_EBADNAME:
- case ARES_ENOTFOUND:
- arp->err = HOST_NOT_FOUND;
- break;
- case ARES_ENOTIMP:
- arp->err = NO_RECOVERY;
- break;
- case ARES_ENOMEM:
- case ARES_EDESTRUCTION:
- default:
- arp->err = NETDB_INTERNAL;
- break;
- }
-}
-
-
-static void free_hostent(struct hostent *h){
- int i;
-
- if (h) {
- if (h->h_name) free(h->h_name);
- if (h->h_aliases) {
- for (i=0; h->h_aliases[i]; i++) free(h->h_aliases[i]);
- free(h->h_aliases);
- }
- if (h->h_addr_list) {
- for (i=0; h->h_addr_list[i]; i++) free(h->h_addr_list[i]);
- free(h->h_addr_list);
- }
- free(h);
- }
-}
-
-static int asyn_gethostbyname(char **addrOut, char const *name, struct timeval *timeout) {
- struct asyn_result ar;
- ares_channel channel;
- int nfds;
- fd_set readers, writers;
- struct timeval tv, *tvp;
- struct timeval start_time,check_time;
-
-
-/* start timer */
- gettimeofday(&start_time,0);
-
-/* ares init */
- if ( ares_init(&channel) != ARES_SUCCESS ) return(NETDB_INTERNAL);
- ar.ent = (struct hostent *) calloc (sizeof(*ar.ent),1);
-
-/* query DNS server asynchronously */
- ares_gethostbyname(channel, name, AF_INET, callback_handler,
- (void *) &ar);
-
-/* wait for result */
- while (1) {
- FD_ZERO(&readers);
- FD_ZERO(&writers);
- nfds = ares_fds(channel, &readers, &writers);
- if (nfds == 0)
- break;
-
- gettimeofday(&check_time,0);
- if (decrement_timeout(timeout, start_time, check_time)) {
- ares_destroy(channel);
- free_hostent(ar.ent);
- return(TRY_AGAIN);
- }
- start_time = check_time;
-
- tvp = ares_timeout(channel, timeout, &tv);
-
- switch ( select(nfds, &readers, &writers, NULL, tvp) ) {
- case -1: if (errno != EINTR) {
- ares_destroy(channel);
- free_hostent(ar.ent);
- return NETDB_INTERNAL;
- } else
- continue;
- case 0:
- FD_ZERO(&readers);
- FD_ZERO(&writers);
- /* fallthrough */
- default: ares_process(channel, &readers, &writers);
- }
- }
-
-
- ares_destroy(channel);
-
- if (ar.err == NETDB_SUCCESS) {
- *addrOut = malloc(sizeof(struct in_addr));
- memcpy(*addrOut,ar.ent->h_addr_list[0], sizeof(struct in_addr));
- free_hostent(ar.ent);
- }
- return(ar.err);
-}
-
-
-
-void edg_wll_ssl_set_noauth(proxy_cred_desc* cred_handle)
-{ DH *dh=NULL;
-
- SSL_CTX_set_cipher_list(cred_handle->gs_ctx,
- "ADH:RSA:HIGH:MEDIUM:LOW:EXP:+eNULL:+aNULL");
- dh=get_dh512();
- SSL_CTX_set_tmp_dh(cred_handle->gs_ctx,dh);
- DH_free(dh);
-}
-
-proxy_cred_desc *edg_wll_ssl_init(int verify, int callback, char *p_cert_file,char *p_key_file,
- int ask_passwd, int noauth)
-{
- proxy_cred_desc * cred_handle = NULL;
- char *certdir=NULL;
- int (*pw_cb)() = NULL;
- int load_err = 0;
-
- if (ask_passwd == 0)
- pw_cb = proxy_password_callback_no_prompt;
-
- cred_handle = proxy_cred_desc_new();
- proxy_get_filenames(cred_handle,1,NULL,&certdir,NULL,NULL,NULL);
- if (!noauth) {
- if ((p_cert_file!=NULL) && (p_key_file!=NULL)) {
- load_err = proxy_load_user_cert(cred_handle,p_cert_file,NULL,NULL);
- if (load_err == 0)
- load_err = proxy_load_user_key(cred_handle,p_key_file,pw_cb,NULL);
- if (load_err == 0) {
- if (proxy_check_proxy_name(cred_handle->ucert)>0) {
- cred_handle->type =CRED_TYPE_PROXY;
- if (cred_handle->cert_chain == NULL)
- cred_handle->cert_chain = sk_X509_new_null();
- proxy_load_user_proxy(cred_handle->cert_chain,p_cert_file,NULL);
- /*
- if (cred_handle->cert_chain)
- for (int i=0;i<sk_X509_num(cred_handle->cert_chain);i++)
- X509_STORE_add_cert(cred_handle->gs_ctx->cert_store,
- sk_X509_value(cred_handle->cert_chain,i));
- */
- } else cred_handle->type = CRED_TYPE_PERMANENT;
- }
- }
- if (load_err == 0)
- proxy_init_cred(cred_handle,pw_cb,NULL);
- }
-
- if ( (cred_handle->gs_ctx != NULL
- && !SSL_CTX_check_private_key(cred_handle->gs_ctx))
- || noauth == 1
- || load_err) {
- if (cred_handle->ucert != NULL) {
- X509_free(cred_handle->ucert);
- cred_handle->ucert = NULL;
- }
- if (cred_handle->upkey != NULL) {
- EVP_PKEY_free(cred_handle->upkey);
- cred_handle->upkey = NULL;
- }
- if (cred_handle->gs_ctx)
- SSL_CTX_free(cred_handle->gs_ctx);
- cred_handle->gs_ctx=SSL_CTX_new(SSLv3_method());
- SSL_CTX_set_options(cred_handle->gs_ctx,0);
- SSL_CTX_sess_set_cache_size(cred_handle->gs_ctx,5);
- SSL_CTX_load_verify_locations(cred_handle->gs_ctx,NULL,certdir);
- }
-
- if (cred_handle->gs_ctx != NULL) {
- SSL_CTX_set_verify(cred_handle->gs_ctx,verify,
- (callback==0)?NULL:proxy_verify_callback);
- SSL_CTX_set_purpose(cred_handle->gs_ctx,X509_PURPOSE_ANY);
- SSL_CTX_set_session_id_context(cred_handle->gs_ctx, "DG_BKSERVER",
- strlen("DG_BKSERVER"));
- if (noauth == 1)
- edg_wll_ssl_set_noauth(cred_handle);
- }
-
- free(certdir);
- return(cred_handle);
-}
-
-void edg_wll_ssl_get_my_subject(proxy_cred_desc *cred_handle, char **my_subject_name)
-{
- if ((my_subject_name!=NULL) && (cred_handle->ucert!=NULL))
- *my_subject_name=X509_NAME_oneline(X509_get_subject_name(
- cred_handle->ucert), NULL, 0);
-}
-
-void edg_wll_ssl_get_my_subject_base(proxy_cred_desc *cred_handle, char **my_subject_name)
-{
- X509_NAME *base;
- if ((my_subject_name!=NULL) && (cred_handle->ucert!=NULL)) {
- X509_NAME *s = X509_get_subject_name(cred_handle->ucert);
-
- base = X509_NAME_dup(s);
- proxy_get_base_name(base);
- *my_subject_name=strdup(X509_NAME_oneline(base,NULL, 0));
- X509_NAME_free(base);
- }
-}
-
-int edg_wll_ssl_free(proxy_cred_desc * cred_handle)
-{ return(proxy_cred_desc_free(cred_handle));
-}
-
-int edg_wll_ssl_connect(proxy_cred_desc *cred_handle,char const *hostname,int port,
- struct timeval *timeout,SSL **sslp)
-{
- int sock,ret;
- struct sockaddr_in a;
- SSL_CTX *ctx;
- SSL *ssl;
- struct timeval before,after,to;
- int sock_err;
- socklen_t err_len;
- char *certdir=NULL, *addr;
- proxy_verify_ctx_desc verify_ctx_area;
- proxy_verify_desc verify_area;
- int h_errno;
-
-
- sock = socket(AF_INET, SOCK_STREAM, 0);
- if (sock < 0) return EDG_WLL_SSL_ERROR_ERRNO;
-
- if (timeout) {
- int flags = fcntl(sock, F_GETFL, 0);
- if (fcntl(sock, F_SETFL, flags | O_NONBLOCK) < 0)
- return EDG_WLL_SSL_ERROR_ERRNO;
- gettimeofday(&before,NULL);
- }
-
- switch (h_errno = asyn_gethostbyname(&addr, hostname, timeout)) {
- case NETDB_SUCCESS:
- memset(&a,0,sizeof a);
- a.sin_family = AF_INET;
- memcpy(&a.sin_addr.s_addr,addr,sizeof a.sin_addr.s_addr);
- a.sin_port = htons(port);
- free(addr);
- break;
- case TRY_AGAIN:
- close(sock);
- return EDG_WLL_SSL_ERROR_TIMEOUT;
- case NETDB_INTERNAL:
- /* fall through */
- default:
- close(sock);
- /* h_errno may be thread safe with Linux pthread libs,
- * but such an assumption is not portable
- */
- errno = h_errno;
- return EDG_WLL_SSL_ERROR_HERRNO;
- }
-
- if (connect(sock,(struct sockaddr *) &a,sizeof a) < 0) {
- if (timeout && errno == EINPROGRESS) {
- fd_set fds;
- FD_ZERO(&fds);
- FD_SET(sock,&fds);
- memcpy(&to,timeout,sizeof to);
- gettimeofday(&before,NULL);
- switch (select(sock+1,NULL,&fds,NULL,&to)) {
- case -1: close(sock);
- return EDG_WLL_SSL_ERROR_ERRNO;
- case 0: close(sock);
- return EDG_WLL_SSL_ERROR_TIMEOUT;
- }
- gettimeofday(&after,NULL);
- tv_sub(after,before);
- tv_sub(*timeout,after);
-
- err_len = sizeof sock_err;
- if (getsockopt(sock,SOL_SOCKET,SO_ERROR,&sock_err,&err_len)) {
- close(sock);
- return EDG_WLL_SSL_ERROR_ERRNO;
- }
- if (sock_err) {
- close(sock);
- errno = sock_err;
- return EDG_WLL_SSL_ERROR_ERRNO;
- }
- }
- else {
- close(sock);
- return EDG_WLL_SSL_ERROR_ERRNO;
- }
- }
-
- ctx = cred_handle->gs_ctx;
- ssl = SSL_new(ctx);
- if (!ssl) {
- close(sock);
- return EDG_WLL_SSL_ERROR_SSL;
- }
- SSL_set_ssl_method(ssl,SSLv3_method());
- SSL_set_fd(ssl, sock);
- proxy_get_filenames(NULL,1,NULL,&certdir,NULL,NULL,NULL);
- proxy_verify_ctx_init(&verify_ctx_area);
- proxy_verify_init(&verify_area,&verify_ctx_area);
- SSL_set_ex_data(ssl, PVD_SSL_EX_DATA_IDX, (char *)&verify_area);
- if (certdir!=NULL) verify_ctx_area.certdir=certdir;
-
- if (timeout) SSL_set_mode(ssl, SSL_MODE_ENABLE_PARTIAL_WRITE);
-
- ret = SSL_connect(ssl);
- while (ret <= 0) {
- int err = SSL_get_error(ssl,ret);
- if ((err = handle_ssl_error(sock,err,timeout))) {
- proxy_verify_release(&verify_area);
- proxy_verify_ctx_release(&verify_ctx_area);
- SSL_free(ssl);
- close(sock);
- return err;
- }
- ret = SSL_connect(ssl);
- }
- proxy_verify_release(&verify_area);
- proxy_verify_ctx_release(&verify_ctx_area);
- *sslp = ssl;
- return EDG_WLL_SSL_OK;
-}
-
-SSL *edg_wll_ssl_accept(proxy_cred_desc *cred_handle,int sock,struct timeval *timeout)
-{ SSL *ssl = NULL;
- char *certdir=NULL;
- SSL_CTX *sslContext;
- int ret;
-
-
- proxy_verify_ctx_desc verify_ctx_area;
- proxy_verify_desc verify_area;
-
- sslContext=cred_handle->gs_ctx;
-
- ssl = SSL_new(sslContext);
- if (ssl == NULL) {
- fprintf(stderr, "SSL_new(): %s\n",
- ERR_error_string(ERR_get_error(), NULL));
- return(NULL);
- }
-
- SSL_set_ssl_method(ssl,SSLv23_method());
- SSL_set_options(ssl,SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1);
-
- proxy_get_filenames(NULL,1,NULL,&certdir,NULL,NULL,NULL);
- proxy_verify_ctx_init(&verify_ctx_area);
- proxy_verify_init(&verify_area,&verify_ctx_area);
- SSL_set_ex_data(ssl, PVD_SSL_EX_DATA_IDX, (char *)&verify_area);
- if (certdir!=NULL) verify_ctx_area.certdir=certdir;
-
- SSL_set_accept_state(ssl);
- SSL_set_fd(ssl, sock);
-
- ret = SSL_accept(ssl);
- while (ret <= 0) {
- int err = SSL_get_error(ssl,ret);
- if ((err = handle_ssl_error(sock,err,timeout))) {
- proxy_verify_release(&verify_area);
- proxy_verify_ctx_release(&verify_ctx_area);
- SSL_free(ssl);
- return (NULL);
- }
- ret = SSL_accept(ssl);
- }
-
- proxy_verify_release(&verify_area);
- proxy_verify_ctx_release(&verify_ctx_area);
-
- return(ssl);
-}
-
-void edg_wll_ssl_reject(proxy_cred_desc *cred_handle,int sock)
-{ SSL *ssl = NULL;
- SSL_CTX *sslContext;
-
- sslContext=cred_handle->gs_ctx;
-
- ssl = SSL_new(sslContext);
- if (ssl == NULL) {
- fprintf(stderr, "SSL_new(): %s\n",
- ERR_error_string(ERR_get_error(), NULL));
- return;
- }
-
- SSL_set_ssl_method(ssl,SSLv23_method());
- SSL_set_options(ssl,SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1);
-
- SSL_set_accept_state(ssl);
- SSL_set_fd(ssl, sock);
-
- SSL_shutdown(ssl);
- SSL_free(ssl);
-
- return;
-}
-
-int edg_wll_ssl_close_timeout(SSL *ssl, struct timeval *timeout)
-{
- int ret, sock;
-
- if (!ssl) return(0);
- sock = SSL_get_fd(ssl);
- ret = SSL_shutdown(ssl);
- while (ret <= 0) {
- int err = SSL_get_error(ssl, ret);
- if (ret == 0 && err == SSL_ERROR_SYSCALL) {
- /* translate misleading error returned by SSL_shutdown() to correct one */
- switch (errno) {
- case 0: goto closed; break;
- case EAGAIN: err = SSL_ERROR_WANT_READ; break;
- default: /* obey err */ break;
- }
- }
- if (handle_ssl_error(sock, err, timeout))
- break;
- ret = SSL_shutdown(ssl);
- }
-
-closed:
- ret = SSL_clear(ssl);
- ret = close(sock);
- SSL_free(ssl);
-
- return(0);
-}
-
-int edg_wll_ssl_close(SSL *ssl)
-{
- struct timeval timeout = {120, 0};
- return edg_wll_ssl_close_timeout(ssl, &timeout);
-}
-
-int edg_wll_ssl_read(SSL *ssl,void *buf,size_t bufsize,struct timeval *timeout)
-{
- int len = 0;
- int sock = SSL_get_fd(ssl);
-
- len = SSL_read(ssl,buf,bufsize);
- while (len <= 0) {
- int err = SSL_get_error(ssl,len);
- if ((err = handle_ssl_error(sock,err,timeout))) return err;
- len = SSL_read(ssl,buf,bufsize);
- }
- return len;
-}
-
-int edg_wll_ssl_write(SSL *ssl,const void *buf,size_t bufsize,struct timeval *timeout)
-{
- int len = 0;
- int sock = SSL_get_fd(ssl);
-
- len = SSL_write(ssl,buf,bufsize);
- while (len <= 0) {
- int err = SSL_get_error(ssl,len);
- if ((err = handle_ssl_error(sock,err,timeout))) return err;
- len = SSL_write(ssl,buf,bufsize);
- }
- return len;
-}
-
-int edg_wll_ssl_read_full(SSL *ssl,void *buf,size_t bufsize,struct timeval *timeout,size_t *total)
-{
- int len;
- *total = 0;
-
- while (*total < bufsize) {
- len = edg_wll_ssl_read(ssl,buf+*total,bufsize-*total,timeout);
- if (len < 0) return len;
- *total += len;
- }
- return 0;
-}
-
-int edg_wll_ssl_write_full(SSL *ssl,const void *buf,size_t bufsize,struct timeval *timeout,size_t *total)
-{
- int len;
- *total = 0;
-
- while (*total < bufsize) {
- len = edg_wll_ssl_write(ssl,buf+*total,bufsize-*total,timeout);
- if (len < 0) return len;
- *total += len;
- }
- return 0;
-}
-
-static int handle_ssl_error(int sock,int err,struct timeval *to)
-{
- struct timeval timeout,before,after;
- fd_set fds;
- int ret = EDG_WLL_SSL_OK;
- int saved_errno = errno;
-
- if (to) {
- memcpy(&timeout,to,sizeof timeout);
- gettimeofday(&before,NULL);
- }
- switch (err) {
- case SSL_ERROR_ZERO_RETURN:
- ret = EDG_WLL_SSL_ERROR_EOF;
- break;
- case SSL_ERROR_WANT_READ:
- FD_ZERO(&fds);
- FD_SET(sock,&fds);
- switch (select(sock+1,&fds,NULL,NULL,to?&timeout:NULL)){
- case 0: ret = EDG_WLL_SSL_ERROR_TIMEOUT;
- break;
- case -1: ret = EDG_WLL_SSL_ERROR_ERRNO;
- break;
- }
- break;
- case SSL_ERROR_WANT_WRITE:
- FD_ZERO(&fds);
- FD_SET(sock,&fds);
- switch (select(sock+1,NULL,&fds,NULL,to?&timeout:NULL)){
- case 0: ret = EDG_WLL_SSL_ERROR_TIMEOUT;
- break;
- case -1: ret = EDG_WLL_SSL_ERROR_ERRNO;
- break;
- }
- break;
- case SSL_ERROR_SYSCALL:
- if (saved_errno == 0) ret = EDG_WLL_SSL_ERROR_EOF;
- else ret = EDG_WLL_SSL_ERROR_ERRNO;
- break;
- case SSL_ERROR_SSL:
- ret = EDG_WLL_SSL_ERROR_SSL;
- break;
- default:
- fprintf(stderr,"unexpected SSL_get_error code %d\n",err);
- abort();
- }
- if (to) {
- gettimeofday(&after,NULL);
- tv_sub(after,before);
- tv_sub(*to,after);
- if (to->tv_sec < 0) {
- to->tv_sec = 0;
- to->tv_usec = 0;
- }
- }
-
- return ret;
-}
-
-/* XXX: I'm afraid the contents of stuct stat is somewhat OS dependent */
-
-int edg_wll_ssl_watch_creds(
- const char *key_file,
- const char *cert_file,
- time_t *key_mtime,
- time_t *cert_mtime)
-{
- struct stat kstat,cstat;
- int reload = 0;
-
- if (!key_file || !cert_file) return 0;
- if (stat(key_file,&kstat) || stat(cert_file,&cstat)) return -1;
-
- if (!*key_mtime) *key_mtime = kstat.st_mtime;
- if (!*cert_mtime) *cert_mtime = cstat.st_mtime;
-
- if (*key_mtime != kstat.st_mtime) {
- *key_mtime = kstat.st_mtime;
- reload = 1;
- }
-
- if (*cert_mtime != cstat.st_mtime) {
- *cert_mtime = cstat.st_mtime;
- reload = 1;
- }
-
- return reload;
-}
#include <syslog.h>
#include "globus_config.h"
-#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h"
#include "mini_http.h"
-#include "dgssl.h"
+#include "lb_gss.h"
#include "context-int.h"
#define min(x,y) ((x) < (y) ? (x) : (y))
enum { FIRST, HEAD, BODY, DONE } pstat = FIRST;
int len, nhdr = 0,rdmore = 0,clen = 0,blen = 0;
int sock;
+ edg_wll_GssStatus gss_code;
#define bshift(shift) {\
memmove(ctx->connPool[ctx->connToUse].buf,ctx->connPool[ctx->connToUse].buf+(shift),ctx->connPool[ctx->connToUse].bufUse-(shift));\
}
edg_wll_ResetError(ctx);
-
- if (ctx->connPool[ctx->connToUse].ssl) sock = SSL_get_fd(ctx->connPool[ctx->connToUse].ssl);
- else {
+ if (ctx->connPool[ctx->connToUse].gss.context != GSS_C_NO_CONTEXT)
+ sock = ctx->connPool[ctx->connToUse].gss.sock;
+ else {
edg_wll_SetError(ctx,ENOTCONN,NULL);
goto error;
}
if (!ctx->connPool[ctx->connToUse].buf) ctx->connPool[ctx->connToUse].buf = malloc(ctx->connPool[ctx->connToUse].bufSize = BUFSIZ);
do {
- len = edg_wll_ssl_read(ctx->connPool[ctx->connToUse].ssl,
- ctx->connPool[ctx->connToUse].buf+ctx->connPool[ctx->connToUse].bufUse,ctx->connPool[ctx->connToUse].bufSize-ctx->connPool[ctx->connToUse].bufUse,&ctx->p_tmp_timeout);
+ len = edg_wll_gss_read(&ctx->connPool[ctx->connToUse].gss,
+ ctx->connPool[ctx->connToUse].buf+ctx->connPool[ctx->connToUse].bufUse,ctx->connPool[ctx->connToUse].bufSize-ctx->connPool[ctx->connToUse].bufUse,&ctx->p_tmp_timeout, &gss_code);
switch (len) {
- case EDG_WLL_SSL_OK:
- case EDG_WLL_SSL_ERROR_SSL:
- edg_wll_SetError(ctx,EDG_WLL_ERROR_SSL,
- ERR_error_string(ERR_get_error(), NULL));
+ case EDG_WLL_GSS_OK:
+ break;
+ case EDG_WLL_GSS_ERROR_GSS:
+ edg_wll_SetErrorGss(ctx, "receving HTTP request", &gss_code);
goto error;
- case EDG_WLL_SSL_ERROR_ERRNO:
- edg_wll_SetError(ctx,errno,"edg_wll_ssl_read()");
+ case EDG_WLL_GSS_ERROR_ERRNO:
+ edg_wll_SetError(ctx,errno,"edg_wll_gss_read()");
goto error;
- case EDG_WLL_SSL_ERROR_TIMEOUT:
+ case EDG_WLL_GSS_ERROR_TIMEOUT:
edg_wll_SetError(ctx,ETIMEDOUT,NULL);
goto error;
- case EDG_WLL_SSL_ERROR_EOF:
+ case EDG_WLL_GSS_ERROR_EOF:
edg_wll_SetError(ctx,ENOTCONN,NULL);
goto error;
/* default: fallthrough */
return edg_wll_Error(ctx,NULL,NULL);
}
-static int real_write(edg_wll_Context ctx, SSL *ssl,int fd,const char *data,int len)
+static int real_write(edg_wll_Context ctx, edg_wll_GssConnection *con,const char *data,int len)
{
- int once,total = 0;
+ int total = 0;
struct sigaction sa,osa;
+ edg_wll_GssStatus gss_code;
+ int ret;
memset(&sa,0,sizeof(sa)); assert(sa.sa_handler == NULL);
sa.sa_handler = SIG_IGN;
sigaction(SIGPIPE,&sa,&osa);
- while (total < len) {
- int sslerr;
-
- switch (once = edg_wll_ssl_write(ssl,(void*)(data+total),len-total,&ctx->p_tmp_timeout)) {
- case EDG_WLL_SSL_ERROR_EOF:
- errno = ENOTCONN;
- total = -1;
- goto end;
- case EDG_WLL_SSL_ERROR_TIMEOUT:
- errno = ETIMEDOUT;
- total = -1;
- goto end;
- case EDG_WLL_SSL_ERROR_ERRNO:
- if (errno == EPIPE) errno = ENOTCONN;
- total = -1;
- goto end;
- case EDG_WLL_SSL_OK:
- case EDG_WLL_SSL_ERROR_SSL:
- sslerr = SSL_get_error(ssl,once);
- if (sslerr == SSL_ERROR_SYSCALL) {
- if (errno == EPIPE) errno = ENOTCONN;
- }
- else errno = EDG_WLL_ERROR_SSL;
- total = -1;
- goto end;
- default:
- total += once;
- }
- }
-end:
+ ret = edg_wll_gss_write_full(con, (void*)data, len, &ctx->p_tmp_timeout,
+ &total, &gss_code);
sigaction(SIGPIPE,&osa,NULL);
- return total;
+
+ switch(ret) {
+ case EDG_WLL_GSS_OK:
+ return 0;
+ case EDG_WLL_GSS_ERROR_EOF:
+ errno = ENOTCONN;
+ return -1;
+ case EDG_WLL_GSS_ERROR_TIMEOUT:
+ errno = ETIMEDOUT;
+ return -1;
+ case EDG_WLL_GSS_ERROR_ERRNO:
+ if (errno == EPIPE) errno = ENOTCONN;
+ return -1;
+ case EDG_WLL_GSS_ERROR_GSS:
+ errno = EDG_WLL_ERROR_GSS;
+ return -1;
+ default:
+ /* XXX DK: */
+ errno = ENOTCONN;
+ return -1;
+ }
}
edg_wll_ErrorCode edg_wll_http_send(edg_wll_Context ctx,const char *first,const char * const *head,const char *body)
{
const char* const *h;
- int len = 0, blen, sock;
+ int len = 0, blen;
edg_wll_ResetError(ctx);
- if (ctx->connPool[ctx->connToUse].ssl) sock = SSL_get_fd(ctx->connPool[ctx->connToUse].ssl);
- else return edg_wll_SetError(ctx,ENOTCONN,NULL);
+ if (ctx->connPool[ctx->connToUse].gss.context == GSS_C_NO_CONTEXT)
+ return edg_wll_SetError(ctx,ENOTCONN,NULL);
- if (real_write(ctx,ctx->connPool[ctx->connToUse].ssl,sock,first,strlen(first)) < 0 ||
- real_write(ctx,ctx->connPool[ctx->connToUse].ssl,sock,"\r\n",2) < 0)
+ if (real_write(ctx,&ctx->connPool[ctx->connToUse].gss,first,strlen(first)) < 0 ||
+ real_write(ctx,&ctx->connPool[ctx->connToUse].gss,"\r\n",2) < 0)
return edg_wll_SetError(ctx,errno,"edg_wll_http_send()");
if (head) for (h=head; *h; h++)
- if (real_write(ctx,ctx->connPool[ctx->connToUse].ssl,sock,*h,strlen(*h)) < 0 ||
- real_write(ctx,ctx->connPool[ctx->connToUse].ssl,sock,"\r\n",2) < 0)
+ if (real_write(ctx,&ctx->connPool[ctx->connToUse].gss,*h,strlen(*h)) < 0 ||
+ real_write(ctx,&ctx->connPool[ctx->connToUse].gss,"\r\n",2) < 0)
return edg_wll_SetError(ctx,errno,"edg_wll_http_send()");
if (body) {
len = strlen(body);
blen = sprintf(buf,CONTENT_LENGTH " %d\r\n",len);
- if (real_write(ctx,ctx->connPool[ctx->connToUse].ssl,sock,buf,blen) < 0)
+ if (real_write(ctx,&ctx->connPool[ctx->connToUse].gss,buf,blen) < 0)
return edg_wll_SetError(ctx,errno,"edg_wll_http_send()");
}
- if (real_write(ctx,ctx->connPool[ctx->connToUse].ssl,sock,"\r\n",2) < 0)
+ if (real_write(ctx,&ctx->connPool[ctx->connToUse].gss,"\r\n",2) < 0)
return edg_wll_SetError(ctx,errno,"edg_wll_http_send()");
- if (body && real_write(ctx,ctx->connPool[ctx->connToUse].ssl,sock,body,len) < 0)
+ if (body && real_write(ctx,&ctx->connPool[ctx->connToUse].gss,body,len) < 0)
return edg_wll_SetError(ctx,errno,"edg_wll_http_send()");
return edg_wll_Error(ctx,NULL,NULL);
#include <expat.h> // Expat header file
#include "globus_config.h"
-#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h"
#include "trio.h"
#include "glite/lb/producer.h"
SUFFIXES=.no
-GLOBUSINC=-I${globus_prefix}/include/${nothrflavour} \
- -I${globus_prefix}/include/${nothrflavour}/openssl
+GLOBUSINC=-I${globus_prefix}/include/${nothrflavour}
-GLOBUSTHRINC=-I${globus_prefix}/include/${thrflavour} \
- -I${globus_prefix}/include/${thrflavour}/openssl
+GLOBUSTHRINC=-I${globus_prefix}/include/${thrflavour}
DEBUG:=-g -O0
CFLAGS:=${DEBUG} \
GLOBUS_LIBS:= -L${globus_prefix}/lib \
-lglobus_common_${nothrflavour} \
- -lssl_${nothrflavour}
+ -lglobus_gssapi_gsi_${nothrflavour}
GLOBUS_THRLIBS:= -L${globus_prefix}/lib \
-lglobus_common_${thrflavour} \
- -lssl_${thrflavour}
+ -lglobus_gssapi_gsi_${thrflavour}
EXT_LIBS:= -L${ares_prefix}/lib -lares \
-L${expat_prefix}/lib -lexpat
#include <pthread.h>
#include <stdlib.h>
-#include <err.h> // SSL header file
+/* XXX DK: */
+#include <err.h> // SSL header file
-#include "glite/lb/dgssl.h"
+#include "glite/lb/lb_gss.h"
#include "il_error.h"
snprintf(err->msg, IL_ERR_MSG_LEN, "%s: %s", msg, hstrerror(err->code_min));
break;
+ /* XXX DK: je tahle hodnota k necemu potreba? */
case IL_AUTH:
snprintf(err->msg, IL_ERR_MSG_LEN, "%s: %s", msg, ERR_error_string(err->code_min, NULL));
break;
- case IL_DGSSL:
+ case IL_DGGSS:
switch(err->code_min) {
- case EDG_WLL_SSL_ERROR_SSL:
- snprintf(err->msg, IL_ERR_MSG_LEN, "%s: %s", msg, ERR_error_string(ERR_get_error(), NULL));
+ case EDG_WLL_GSS_ERROR_GSS:
+ snprintf(err->msg, IL_ERR_MSG_LEN, "%s", msg);
break;
- case EDG_WLL_SSL_ERROR_TIMEOUT:
- snprintf(err->msg, IL_ERR_MSG_LEN, "%s: Timeout in SSL connection.", msg);
+ case EDG_WLL_GSS_ERROR_TIMEOUT:
+ snprintf(err->msg, IL_ERR_MSG_LEN, "%s: Timeout in GSS connection.", msg);
break;
- case EDG_WLL_SSL_ERROR_EOF:
+ case EDG_WLL_GSS_ERROR_EOF:
snprintf(err->msg, IL_ERR_MSG_LEN, "%s: Connection lost.", msg);
break;
- case EDG_WLL_SSL_ERROR_ERRNO:
+ case EDG_WLL_GSS_ERROR_ERRNO:
snprintf(err->msg, IL_ERR_MSG_LEN, "%s: %s", msg, strerror(errno));
break;
- case EDG_WLL_SSL_ERROR_HERRNO:
+ case EDG_WLL_GSS_ERROR_HERRNO:
snprintf(err->msg, IL_ERR_MSG_LEN, "%s: %s", msg, hstrerror(errno));
break;
}
IL_AUTH, /* 0 (SSL error) */
IL_PROTO, /* LB_* */
IL_LBAPI, /* dgLBErrCode */
- IL_DGSSL, /* EDG_WLL_SSL_* */
+ IL_DGGSS, /* EDG_WLL_GSS_* */
IL_HOST /* h_errno */
};
#include "glite/wmsutils/tls/ssl_helpers/ssl_pthreads.h"
#include "interlogd.h"
#include "glite/lb/consumer.h"
-#include "glite/lb/dgssl.h"
+#include "glite/lb/lb_gss.h"
#define EXIT_FAILURE 1
#if defined(IL_NOTIFICATIONS)
int TIMEOUT = DEFAULT_TIMEOUT;
-proxy_cred_desc *cred_handle;
+gss_cred_id_t cred_handle = GSS_C_NO_CREDENTIAL;
pthread_mutex_t cred_handle_lock = PTHREAD_MUTEX_INITIALIZER;
static void usage (int status)
main (int argc, char **argv)
{
int i;
- char *dummy = NULL,*p;
+ char *p;
+ edg_wll_GssStatus gss_stat;
+ int ret;
program_name = argv[0];
exit(EXIT_FAILURE);
}
- /* try to get default credential file names from globus */
- if(proxy_get_filenames(NULL,0, &dummy, &CAcert_dir, &dummy, &cert_file, &key_file) < 0) {
- il_log(LOG_CRIT, "Failed to acquire credential file names. Exiting.\n");
- exit(EXIT_FAILURE);
- }
+ if (CAcert_dir)
+ setenv("X509_CERT_DIR", CAcert_dir, 1);
+ /* XXX DK: still needed? */
il_log(LOG_INFO, "Initializing SSL...\n");
if(edg_wlc_SSLInitialization() < 0) {
il_log(LOG_CRIT, "Failed to initialize SSL. Exiting.\n");
exit(EXIT_FAILURE);
}
- cred_handle = edg_wll_ssl_init(SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0, cert_file, key_file, 0, 0);
- if(cred_handle == NULL) {
- il_log(LOG_CRIT, "Failed to initialize SSL certificates. Exiting.\n");
- exit(EXIT_FAILURE);
+ ret = edg_wll_gss_acquire_cred_gsi(cert_file, &cred_handle, NULL, &gss_stat);
+ if (ret) {
+ char *gss_err = NULL;
+ char *str;
+
+ if (ret == EDG_WLL_GSS_ERROR_GSS)
+ edg_wll_gss_get_error(&gss_stat, "edg_wll_gss_acquire_cred_gsi()", &gss_err);
+ asprintf(&str, "Failed to load GSI credential: %s\n",
+ (gss_err) ? gss_err : "edg_wll_gss_acquire_cred_gsi() failed");
+ il_log(LOG_CRIT, str);
+ free(str);
+ if (gss_err)
+ free(gss_err);
+ exit(EXIT_FAILURE);
}
-
+
if(!debug &&
(daemon(0,0) < 0)) {
perror("daemon");
exit(EXIT_FAILURE);
}
+ /* XXX DK: needed? */
if (edg_wlc_SSLLockingInit() != 0) {
il_log(LOG_CRIT, "Failed to initialize SSL locking. Exiting.\n");
exit(EXIT_FAILURE);
#ident "$Header$"
#include "il_error.h"
-#include "glite/lb/dgssl.h"
+#include "glite/lb/lb_gss.h"
#include <pthread.h>
#include <sys/time.h>
#define INPUT_TIMEOUT (60)
-/* extern SSL_CTX *sslContext; */
-extern proxy_cred_desc *cred_handle;
+extern gss_cred_id_t cred_handle;
extern pthread_mutex_t cred_handle_lock;
extern char *cert_file;
extern char *key_file;
struct event_queue {
- SSL *ssl; /* SSL connection */
+ edg_wll_GssConnection gss; /* GSS connection */
char *dest_name;
int dest_port;
int timeout; /* queue timeout */
#include "logd_proto.h"
#include "glite/lb/consumer.h"
#include "glite/wmsutils/tls/ssl_helpers/ssl_inits.h"
+#include "glite/lb/lb_gss.h"
static const char rcsid[] = "@(#)$Id$";
static int verbose = 0;
static char *cert_file = NULL;
static char *key_file = NULL;
static char *CAcert_dir = NULL;
-static char *gridmap_file = NULL;
static int noAuth = 0;
static int noIPC = 0;
static int noParse = 0;
{ "cert", required_argument, 0, 'c' },
{ "key", required_argument, 0, 'k' },
{ "CAdir", required_argument, 0, 'C' },
- { "gridmap", required_argument, 0, 'g' },
{ "socket",required_argument, 0, 's' },
{ "noAuth", no_argument, 0, 'x' },
{ "noIPC", no_argument, 0, 'y' },
*----------------------------------------------------------------------
*/
static int
-doit(int socket, void *cred_handle, char *file_name_prefix, int noipc, int noparse)
+doit(int socket, gss_cred_id_t cred_handle, char *file_name_prefix, int noipc, int noparse)
{
- SSL *ssl = NULL;
- X509 *peer = NULL;
-
char *subject;
- char buf[1024];
int ret;
- struct timeval timeout = {10,0};
+ struct timeval timeout = {10,0};
+ edg_wll_GssConnection con;
+ edg_wll_GssStatus gss_stat;
+ gss_buffer_desc gss_token = GSS_C_EMPTY_BUFFER;
+ gss_name_t client_name = GSS_C_NO_NAME;
+ OM_uint32 min_stat;
+ gss_OID name_type = GSS_C_NO_OID;
/* authentication */
edg_wll_ll_log(LOG_INFO,"Processing authentication:\n");
// FIXME - put here some meaningfull value of timeout + do somthing if timeouted
- ssl = edg_wll_ssl_accept(cred_handle,socket,&timeout);
- if (ssl==NULL) {
- edg_wll_ll_log(LOG_ERR,"edg_wll_ssl_accept() failed (%s)\n",
- ERR_error_string(ERR_get_error(), NULL));
+ ret = edg_wll_gss_accept(cred_handle,socket,&timeout,&con, &gss_stat);
+ if (ret) {
+ edg_wll_ll_log(LOG_ERR,"edg_wll_gss_accept() failed\n");
return(-1);
}
- peer = SSL_get_peer_certificate(ssl);
- if (peer != NULL) {
- X509_NAME *s;
-
- edg_wll_ll_log(LOG_INFO," User successfully authenticated with the following certificate:\n");
- X509_NAME_oneline(X509_get_issuer_name(peer), buf, sizeof(buf));
- edg_wll_ll_log(LOG_INFO, " Issuer: %s\n", buf);
- X509_NAME_oneline(X509_get_subject_name(peer), buf, sizeof(buf));
- edg_wll_ll_log(LOG_INFO, " Subject: %s\n", buf);
- s = X509_NAME_dup(X509_get_subject_name(peer));
- proxy_get_base_name(s);
- subject=X509_NAME_oneline(s,NULL,0);
- X509_NAME_free(s);
+
+ gss_stat.major_status = gss_inquire_context(&gss_stat.minor_status, con.context,
+ &client_name, NULL, NULL, NULL, NULL,
+ NULL, NULL);
+ if (GSS_ERROR(gss_stat.major_status)) {
+ char *gss_err;
+ edg_wll_gss_get_error(&gss_stat, "Cannot read client identification", &gss_err);
+ edg_wll_ll_log(LOG_WARNING, "%s\n", gss_err);
+ free(gss_err);
+ } else {
+ gss_stat.major_status = gss_display_name(&gss_stat.minor_status, client_name,
+ &gss_token, &name_type);
+ if (GSS_ERROR(gss_stat.major_status)) {
+ char *gss_err;
+ edg_wll_gss_get_error(&gss_stat, "Cannot process client identification", &gss_err);
+ edg_wll_ll_log(LOG_WARNING, "%s\n", gss_err);
+ free(gss_err);
+ }
}
- else {
+
+ if (GSS_ERROR(gss_stat.major_status) ||
+ edg_wll_gss_oid_equal(name_type, GSS_C_NT_ANONYMOUS)) {
edg_wll_ll_log(LOG_INFO," User not authenticated, setting as \"%s\". \n",EDG_WLL_LOG_USER_DEFAULT);
subject=strdup(EDG_WLL_LOG_USER_DEFAULT);
+ } else {
+ edg_wll_ll_log(LOG_INFO," User successfully authenticated as:\n");
+ edg_wll_ll_log(LOG_INFO, " %s\n", (char *)gss_token.value);
+ subject=gss_token.value;
+ memset(&gss_token.value, 0, sizeof(gss_token.value));
}
- ret = edg_wll_log_proto_server(ssl,subject,file_name_prefix,noipc,noparse);
+ ret = edg_wll_log_proto_server(&con,subject,file_name_prefix,noipc,noparse);
- edg_wll_ssl_close(ssl);
+ edg_wll_gss_close(&con, NULL);
if (subject) free(subject);
+ if (gss_token.length)
+ gss_release_buffer(&min_stat, &gss_token);
+ if (client_name != GSS_C_NO_NAME)
+ gss_release_name(&min_stat, &client_name);
return ret;
}
*/
int main(int argc, char *argv[])
{
- void *cred_handle = NULL;
-
int ret;
int childpid;
int opt;
char *my_subject_name = NULL;
time_t cert_mtime = 0, key_mtime = 0;
+ OM_uint32 min_stat;
+ edg_wll_GssStatus gss_stat;
+ gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
setlinebuf(stdout);
"c:" /* certificate */
"k:" /* key */
"C:" /* CA dir */
- "g:" /* gridmap */
"s:" /* socket */
"x" /* noAuth */
"y" /* noIPC */
case 'c': cert_file = optarg; break;
case 'k': key_file = optarg; break;
case 'C': CAcert_dir = optarg; break;
- case 'g': gridmap_file = optarg; break;
case 's': socket_path = optarg; break;
case 'x': noAuth = 1; break;
case 'y': noIPC = 1; break;
edg_wll_ll_log(LOG_INFO,"yes.\n");
}
- /* parse X509 arguments to environment */
- edg_wll_set_environment(cert_file, key_file, NULL, NULL, CAcert_dir, gridmap_file);
- if (noAuth) setenv("X509_USER_PROXY","/dev/null",1);
+ if (CAcert_dir)
+ setenv("X509_CERT_DIR", CAcert_dir, 1);
/* daemonize */
edg_wll_ll_log(LOG_INFO,"Running as daemon...");
exit(1);
}
- cred_handle=edg_wll_ssl_init(SSL_VERIFY_PEER, 1,cert_file,key_file,0,0);
- if (cred_handle==NULL) {
- edg_wll_ll_log(LOG_CRIT,"Failed to initialize SSL certificates. Exiting.\n");
- exit(1);
+ /* XXX DK: support noAuth */
+ ret = edg_wll_gss_acquire_cred_gsi(cert_file, &cred, &my_subject_name,
+ &gss_stat);
+ if (ret) {
+ /* XXX DK: call edg_wll_gss_get_error() */
+ edg_wll_ll_log(LOG_CRIT, "Failed to get GSI credentials. Exiting.\n");
+ exit(1);
}
- edg_wll_ssl_get_my_subject(cred_handle, &my_subject_name);
if (my_subject_name!=NULL) {
edg_wll_ll_log(LOG_INFO," server running with certificate: %s\n",my_subject_name);
free(my_subject_name);
} else if (noAuth) {
edg_wll_ll_log(LOG_INFO," running without certificate\n");
+#if 0
+ /* XXX DK: */
} else {
edg_wll_ll_log(LOG_CRIT,"No server credential found. Exiting.\n");
exit(1);
+#endif
}
/* do listen */
listener_fd = do_listen(port);
if (listener_fd == -1) {
edg_wll_ll_log(LOG_CRIT,"Failed to listen on port %d\n",port);
- edg_wll_ssl_free(cred_handle);
+ gss_release_cred(&min_stat, &cred);
exit(-1);
}
close(listener_fd);
edg_wll_ll_log(LOG_CRIT,"Failed to accept incomming connections\n");
perror("accept");
- edg_wll_ssl_free(cred_handle);
+ gss_release_cred(&min_stat, &cred);
exit(-1);
}
- if (edg_wll_ssl_watch_creds(key_file,cert_file,&key_mtime,&cert_mtime) > 0) {
- void * new_cred_handle=edg_wll_ssl_init(SSL_VERIFY_PEER, 1,cert_file,key_file,0,0);
- if (new_cred_handle) {
- edg_wll_ssl_free(cred_handle);
- cred_handle = new_cred_handle;
- }
+ switch (edg_wll_gss_watch_creds(cert_file,&cert_mtime)) {
+ gss_cred_id_t newcred;
+ case 0: break;
+ case 1:
+ ret = edg_wll_gss_acquire_cred_gsi(cert_file,&newcred,NULL,&gss_stat);
+ if (ret) {
+ edg_wll_ll_log(LOG_WARNING, "Reloading credentials failed, continue with older\n");
+ } else {
+ edg_wll_ll_log(LOG_INFO, "Reloading credentials\n");
+ gss_release_cred(&min_stat, &cred);
+ cred = newcred;
+ }
+ break;
+ case -1:
+ edg_wll_ll_log(LOG_WARNING, "edg_wll_gss_watch_creds failed\n");
+ break;
}
+
/* FORK - change next line if fork() is not needed (for debugging for
* example
*/
close(client_fd);
}
if (childpid == 0) {
- ret=doit(client_fd,cred_handle,prefix,noIPC,noParse);
+ ret=doit(client_fd,cred,prefix,noIPC,noParse);
close(client_fd);
goto end;
}
close(client_fd);
}
#else
- ret=doit(client_fd,cred_handle,prefix,msg_sock);
+ ret=doit(client_fd,cred,prefix,noIPC,noParse);
close(client_fd);
#endif
} /* while */
end:
close(listener_fd);
- edg_wll_ssl_free(cred_handle);
+ gss_release_cred(&min_stat, &cred);
exit(ret);
}
*
*----------------------------------------------------------------------
*/
-static int send_answer_back(SSL *ssl, int answer, struct timeval *timeout) {
+static int send_answer_back(edg_wll_GssConnection *con, int answer, struct timeval *timeout) {
int count = 0;
int err = 0;
int ans = answer;
u_int8_t ans_end[4];
+ edg_wll_GssStatus gss_stat;
edg_wll_ll_log(LOG_INFO,"Sending answer \"%d\" back to client...",answer);
ans_end[0] = ans & 0xff; ans >>= 8;
ans_end[1] = ans & 0xff; ans >>= 8;
ans_end[2] = ans & 0xff; ans >>= 8;
ans_end[3] = ans;
- if ((err = edg_wll_ssl_write_full(ssl,ans_end,4,timeout,&count)) < 0 ) {
+ if ((err = edg_wll_gss_write_full(con,ans_end,4,timeout,&count, &gss_stat)) < 0 ) {
edg_wll_ll_log(LOG_INFO,"error.\n");
- return edg_wll_log_proto_server_failure(err,"Error sending answer");
+ return edg_wll_log_proto_server_failure(err,&gss_stat,"Error sending answer");
} else {
edg_wll_ll_log(LOG_INFO,"o.k.\n");
return 0;
*
*----------------------------------------------------------------------
*/
-int edg_wll_log_proto_server(SSL *ssl, char *name, char *prefix, int noipc, int noparse)
+int edg_wll_log_proto_server(edg_wll_GssConnection *con, char *name, char *prefix, int noipc, int noparse)
{
char *buf,*dglllid,*dguser,*jobId,*name_esc;
char header[EDG_WLL_LOG_SOCKET_HEADER_LENGTH+1];
int err;
edg_wll_Context context;
edg_wll_Event *event;
+ edg_wll_GssStatus gss_stat;
errno = i = answer = answer_sent = size = msg_size = dglllid_size = dguser_size = count = count_total = msg_sock = filedesc = filelock_status = /* priority */ unique = err = 0;
buf = dglllid = dguser = jobId = name_esc = msg = msg_begin = NULL;
/* receive socket header */
edg_wll_ll_log(LOG_INFO,"Reading socket header...");
memset(header, 0, EDG_WLL_LOG_SOCKET_HEADER_LENGTH+1);
- if ((err = edg_wll_ssl_read_full(ssl, header, EDG_WLL_LOG_SOCKET_HEADER_LENGTH, &timeout, &count)) < 0) {
+ if ((err = edg_wll_gss_read_full(con, header, EDG_WLL_LOG_SOCKET_HEADER_LENGTH, &timeout, &count, &gss_stat)) < 0) {
edg_wll_ll_log(LOG_INFO,"error.\n");
- answer = edg_wll_log_proto_server_failure(err,"Error receiving header");
+ answer = edg_wll_log_proto_server_failure(err,&gss_stat,"Error receiving header");
goto edg_wll_log_proto_server_end;
} else {
edg_wll_ll_log(LOG_INFO,"o.k.\n");
/*
edg_wll_ll_log(LOG_DEBUG,"Reading message priority...");
count = 0;
- if ((err = edg_wll_ssl_read_full(ssl, &priority, sizeof(priority), &timeout, &count)) < 0) {
+ if ((err = edg_wll_gss_read_full(con, &priority, sizeof(priority), &timeout, &count, &gss_stat)) < 0) {
edg_wll_ll_log(LOG_DEBUG,"error.\n");
- answer = edg_wll_log_proto_server_failure(err,"Error receiving message priority");
+ answer = edg_wll_log_proto_server_failure(err,&gss_stat,"Error receiving message priority");
goto edg_wll_log_proto_server_end;
} else {
edg_wll_ll_log(LOG_DEBUG,"o.k.\n");
edg_wll_ll_log(LOG_DEBUG,"Reading message size...");
count = 0;
- if ((err = edg_wll_ssl_read_full(ssl, size_end, 4, &timeout, &count)) < 0) {
+ if ((err = edg_wll_gss_read_full(con, size_end, 4, &timeout, &count,&gss_stat)) < 0) {
edg_wll_ll_log(LOG_DEBUG,"error.\n");
- answer = edg_wll_log_proto_server_failure(err,"Error receiving message size");
+ answer = edg_wll_log_proto_server_failure(err,&gss_stat,"Error receiving message size");
goto edg_wll_log_proto_server_end;
} else {
edg_wll_ll_log(LOG_DEBUG,"o.k.\n");
edg_wll_ll_log(LOG_INFO,"Reading message from socket...");
buf = msg_begin + dguser_size;
count = 0;
- if ((err = edg_wll_ssl_read_full(ssl, buf, size, &timeout, &count)) < 0) {
+ if ((err = edg_wll_gss_read_full(con, buf, size, &timeout, &count, &gss_stat)) < 0) {
edg_wll_ll_log(LOG_INFO,"error.\n");
- answer = edg_wll_log_proto_server_failure(err,"Error receiving message");
+ answer = edg_wll_log_proto_server_failure(err,&gss_stat,"Error receiving message");
goto edg_wll_log_proto_server_end;
} else {
edg_wll_ll_log(LOG_INFO,"o.k.\n");
/* if not priority send now the answer back to client */
if (!event->any.priority) {
- if (!send_answer_back(ssl,answer,&timeout)) {
+ if (!send_answer_back(con,answer,&timeout)) {
answer_sent = 1;
}
}
edg_wll_log_proto_server_end:
/* if not sent already, send the answer back to client */
if (!answer_sent) {
- answer = send_answer_back(ssl,answer,&timeout);
+ answer = send_answer_back(con,answer,&timeout);
}
/* clean */
edg_wll_FreeContext(context);
*
*----------------------------------------------------------------------
*/
-int edg_wll_log_proto_server_failure(int code, const char *text)
+int edg_wll_log_proto_server_failure(int code, edg_wll_GssStatus *gss_code, const char *text)
{
const char *func = "edg_wll_log_proto_server()";
int ret = 0;
return(0);
}
switch(code) {
- case EDG_WLL_SSL_ERROR_EOF:
+ case EDG_WLL_GSS_ERROR_EOF:
edg_wll_ll_log(LOG_ERR,"%s: %s, EOF occured\n", func, text);
ret = EAGAIN;
break;
- case EDG_WLL_SSL_ERROR_TIMEOUT:
+ case EDG_WLL_GSS_ERROR_TIMEOUT:
edg_wll_ll_log(LOG_ERR,"%s: %s, timeout expired\n", func, text);
ret = EAGAIN;
break;
- case EDG_WLL_SSL_ERROR_ERRNO: perror("edg_wll_ssl_read()"); break;
+ /* XXX DK: co tenhle break??: */
+ case EDG_WLL_GSS_ERROR_ERRNO: perror("edg_wll_gss_read()"); break;
edg_wll_ll_log(LOG_ERR,"%s: %s, system error occured\n", func, text);
ret = EAGAIN;
break;
- case EDG_WLL_SSL_ERROR_SSL:
- edg_wll_ll_log(LOG_ERR,"%s: %s, SSL error occured: %s\n", func, text,
- ERR_reason_error_string(ERR_get_error()));
- ret = EAGAIN;
- break;
+ case EDG_WLL_GSS_ERROR_GSS:
+ {
+ char *gss_err;
+
+ edg_wll_gss_get_error(gss_code, "GSS error occured", &gss_err);
+ edg_wll_ll_log(LOG_ERR,"%s: %s, %s\n", func, text, gss_err);
+ free(gss_err);
+ ret = EAGAIN;
+ break;
+ }
default:
edg_wll_ll_log(LOG_ERR,"%s: %s, unknown error occured\n");
break;
/*
*----------------------------------------------------------------------
*
- * edg_wll_set_environment - set X509 environment variables form given args
- *
- * Calls: setenv
- *
- * Algorithm:
- *
- *----------------------------------------------------------------------
- */
-void edg_wll_set_environment(char *user_cert,
- char *user_key,
- char *user_proxy,
- char *CAcert_file,
- char *CAcert_dir,
- char *gridmap)
-{
- if (user_cert) setenv("X509_USER_CERT", user_cert, 1);
- if (user_key) setenv("X509_USER_KEY", user_key, 1);
- if (user_proxy) setenv("X509_USER_PROXY", user_proxy, 1);
- if (CAcert_file) setenv("X509_CERT_FILE", CAcert_file, 1);
- if (CAcert_dir) setenv("X509_CERT_DIR", CAcert_dir, 1);
- if (gridmap) setenv("GRIDMAP", gridmap, 1);
-
- return;
-}
-
-/*
- *----------------------------------------------------------------------
- *
* edg_wll_ll_log_init - initialize the logging level
*
*----------------------------------------------------------------------
#include <syslog.h>
#include "glite/lb/log_proto.h"
-#include "glite/lb/dgssl.h"
+#include "glite/lb/lb_gss.h"
-int edg_wll_log_proto_server(SSL *ssl, char *name, char *prefix, int noipc, int noparse);
-int edg_wll_log_proto_server_failure(int code, const char *text);
+int edg_wll_log_proto_server(edg_wll_GssConnection *con, char *name, char *prefix, int noipc, int noparse);
+int edg_wll_log_proto_server_failure(int code, edg_wll_GssStatus *gss_code, const char *text);
#define SYSTEM_ERROR(my_err) { \
if (errno !=0 ) \
else \
edg_wll_ll_log(LOG_ERR,"%s\n",my_err); }
-void edg_wll_set_environment(char *user_cert,
- char *user_key,
- char *user_proxy,
- char *CAcert_file,
- char *CAcert_dir,
- char *gridmapfile);
-
/* locallogger daemon error handling */
extern int edg_wll_ll_log_level;
il_log(LOG_INFO, "Checking for new certificate...\n");
if(pthread_mutex_lock(&cred_handle_lock) < 0)
abort();
- if (edg_wll_ssl_watch_creds(key_file,
- cert_file,
- &key_mtime,
- &cert_mtime) > 0) {
- void * new_cred_handle = edg_wll_ssl_init(SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
- 0,
- cert_file,
- key_file,
- 0,
- 0);
- if (new_cred_handle) {
- edg_wll_ssl_free(cred_handle);
+ if (edg_wll_gss_watch_creds(cert_file, &cert_mtime) > 0) {
+ gss_cred_id_t new_cred_handle = GSS_C_NO_CREDENTIAL;
+ OM_uint32 min_stat;
+ int ret;
+
+ ret = edg_wll_gss_acquire_cred_gsi(cert_file,
+ &new_cred_handle, NULL, NULL);
+ if (new_cred_handle != GSS_C_NO_CREDENTIAL) {
+ gss_release_cred(&min_stat, &cred_handle);
cred_handle = new_cred_handle;
il_log(LOG_INFO, "New certificate found and deployed.\n");
}
char buffer[17];
char *msg, *p;
int len, code, l;
- SSL *ssl;
+ edg_wll_GssConnection *gss;
struct timeval tv;
+ edg_wll_GssStatus gss_stat;
- ssl = eq->ssl;
+ gss = &eq->gss;
/* get message header */
tv.tv_sec = TIMEOUT;
tv.tv_usec = 0;
- code = edg_wll_ssl_read_full(ssl, buffer, 17, &tv, &len);
+ code = edg_wll_gss_read_full(gss, buffer, 17, &tv, &len, &gss_stat);
if(code < 0) {
- set_error(IL_DGSSL, code, "get_reply (header)");
+ char *gss_err = NULL;
+
+ if (code == EDG_WLL_GSS_ERROR_GSS)
+ edg_wll_gss_get_error(&gss_stat, "get_reply (header)", &gss_err);
+ set_error(IL_DGGSS, code,
+ (code == EDG_WLL_GSS_ERROR_GSS) ? gss_err : "get_reply (header)");
+ if (gss_err) free(gss_err);
return(-1);
}
/* read all the data */
tv.tv_sec = TIMEOUT;
tv.tv_usec = 0;
- code = edg_wll_ssl_read_full(ssl, msg, len, &tv, &l);
+ code = edg_wll_gss_read_full(gss, msg, len, &tv, &l, &gss_stat);
if(code < 0) {
- set_error(IL_DGSSL, code, "get_reply (body)");
+ char *gss_err = NULL;
+
+ if (code == EDG_WLL_GSS_ERROR_GSS)
+ edg_wll_gss_get_error(&gss_stat, "get_reply (body)", &gss_err);
+ set_error(IL_DGGSS, code,
+ (code == EDG_WLL_GSS_ERROR_GSS) ? gss_err : "get_reply (body)");
+ if (gss_err) free(gss_err);
return(-1);
}
{
int ret;
struct timeval tv;
+ edg_wll_GssStatus gss_stat;
assert(eq != NULL);
- if(eq->ssl == NULL) {
+ if(eq->gss.context == GSS_C_NO_CONTEXT) {
tv.tv_sec = TIMEOUT;
tv.tv_usec = 0;
if(pthread_mutex_lock(&cred_handle_lock) < 0)
abort();
il_log(LOG_DEBUG, " trying to connect to %s:%d\n", eq->dest_name, eq->dest_port);
- ret = edg_wll_ssl_connect(cred_handle, eq->dest_name, eq->dest_port, &tv, &eq->ssl);
+ ret = edg_wll_gss_connect(cred_handle, eq->dest_name, eq->dest_port, &tv, &eq->gss, &gss_stat);
if(pthread_mutex_unlock(&cred_handle_lock) < 0)
abort();
if(ret < 0) {
- set_error(IL_DGSSL, ret, "event_queue_connect: edg_wll_ssl_connect");
- eq->ssl = NULL;
+ char *gss_err = NULL;
+
+ if (ret == EDG_WLL_GSS_ERROR_GSS)
+ edg_wll_gss_get_error(&gss_stat, "event_queue_connect: edg_wll_gss_connect", &gss_err);
+ set_error(IL_DGGSS, ret,
+ (ret == EDG_WLL_GSS_ERROR_GSS) ? gss_err : "event_queue_connect: edg_wll_gss_connect");
+ if (gss_err) free(gss_err);
+ eq->gss.context = GSS_C_NO_CONTEXT;
eq->timeout = TIMEOUT;
return(0);
}
{
assert(eq != NULL);
- if(eq->ssl != NULL) {
- edg_wll_ssl_close(eq->ssl);
- eq->ssl = NULL;
+ if(eq->gss.context != GSS_C_NO_CONTEXT) {
+ edg_wll_gss_close(&eq->gss, NULL);
+ eq->gss.context = GSS_C_NO_CONTEXT;
}
return(0);
}
{
assert(eq != NULL);
- if(eq->ssl == NULL)
+ if(eq->gss.context == GSS_C_NO_CONTEXT)
return(0);
/* feed the server with events */
char *rep;
int ret, code, code_min, bytes_sent;
struct timeval tv;
+ edg_wll_GssStatus gss_stat;
clear_error();
tv.tv_sec = TIMEOUT;
tv.tv_usec = 0;
- ret = edg_wll_ssl_write_full(eq->ssl, msg->msg, msg->len, &tv, &bytes_sent);
+ ret = edg_wll_gss_write_full(&eq->gss, msg->msg, msg->len, &tv, &bytes_sent, &gss_stat);
if(ret < 0) {
eq->timeout = TIMEOUT;
return(0);
-I${expat_prefix}/include \
-I${ares_prefix}/include \
-I${mysql_prefix}/include \
- -I${globus_prefix}/include/${nothrflavour} \
- -I${globus_prefix}/include/${nothrflavour}/openssl
+ -I${globus_prefix}/include/${nothrflavour}
LINK:=libtool --mode=link ${CC} ${LDFLAGS}
INSTALL:=libtool --mode=install install
GLOBUS_LIBS:= -L${globus_prefix}/lib \
-lglobus_common_${nothrflavour} \
- -lssl_${nothrflavour}
+ -lglobus_gssapi_gsi_${nothrflavour}
# XXX: our vomsc.la depends on badly installed expat
done
for f in dbsetup.sql index.conf.template; do \
- ${INSTALL} -m 644 ${top_srcdir}/config/"glite-lb-$$p" ${PREFIX}/etc
+ ${INSTALL} -m 644 ${top_srcdir}/config/"glite-lb-$$f" ${PREFIX}/etc; \
+ done
${INSTALL} -m 755 ${top_srcdir}/config/startup ${PREFIX}/etc/init.d/glite-lb-bkserverd
#include "glite/lb/context.h"
#include "glite/lb/mini_http.h"
#include "glite/lb/context-int.h"
+#include "glite/lb/lb_gss.h"
#include "lb_http.h"
#include "lb_proto.h"
if (fcntl(conn, F_SETFL, flags | O_NONBLOCK) < 0)
return;
- edg_wll_ssl_reject(mycred, conn);
+ edg_wll_gss_reject(conn);
return;
}
}
static unsigned long clnt_dispatched=0, clnt_accepted=0;
-static void *mycred;
+static gss_cred_id_t mycred = GSS_C_NO_CREDENTIAL;
static int server_sock,store_sock;
static int check_mkdir(const char *);
key_t semkey;
time_t cert_mtime = 0,key_mtime = 0;
edg_wll_Context ctx;
+ OM_uint32 min_stat;
+ edg_wll_GssStatus gss_code;
name = strrchr(argv[0],'/');
if (name) name++; else name = argv[0];
if (!cert || !key) fprintf(stderr,"%s: key or certificate file not specified - unable to watch them for changes!\n",argv[0]);
if (cadir) setenv("X509_CERT_DIR",cadir,1);
- mycred = edg_wll_ssl_init(SSL_VERIFY_PEER,1,cert,key,0,0);
- edg_wll_ssl_get_my_subject_base(mycred,&mysubj);
- if (mysubj) {
+ if (edg_wll_gss_acquire_cred_gsi(cert, &mycred, &mysubj, &gss_code)) {
+ dprintf(("Running unauthenticated\n"));
+ } else {
int i;
dprintf(("Server identity: %s\n",mysubj));
super_users[i] = mysubj;
super_users[i+1] = NULL;
}
- else dprintf(("Running unauthenticated\n"));
if (noAuth) dprintf(("Promiscuous mode\n"));
dprintf(("Listening at %d,%d (accepting protocols: " COMP_PROTO " and compatible) ...\n",atoi(port),atoi(port)+1));
fd_set fds;
int ret,mx;
struct timeval watch_to = { WATCH_TIMEOUT, 0 };
+ gss_cred_id_t newcred = GSS_C_NO_CREDENTIAL;
+ edg_wll_GssStatus gss_code;
FD_ZERO(&fds);
FD_SET(store_sock,&fds);
FD_SET(sock_slave[0],&fds);
- switch (edg_wll_ssl_watch_creds(key,cert,&key_mtime,&cert_mtime)) {
- void *newcred;
+ switch (edg_wll_gss_watch_creds(cert,&cert_mtime)) {
case 0: break;
- case 1: newcred = edg_wll_ssl_init(SSL_VERIFY_PEER,1,cert,key,0,0);
- if (newcred) {
+ case 1:
+ ret = edg_wll_gss_acquire_cred_gsi(cert, &newcred, NULL, &gss_code);
+ if (ret == 0) {
dprintf(("reloading credentials"));
- edg_wll_ssl_free(mycred);
+ gss_release_cred(&min_stat, &mycred);
mycred = newcred;
kill(0,SIGUSR1);
}
semctl(semset,0,IPC_RMID,0);
unlink(pidfile);
free(port);
- edg_wll_ssl_free(mycred);
+ gss_release_cred(&min_stat, &mycred);
return 0;
}
int alen,store,max = sock,newconn = -1;
int connflags,kick_client = 0;
unsigned long seq;
- X509 *peer;
struct timeval dns_to = {DNS_TIMEOUT, 0},
check_to = {SLAVE_CHECK_SIGNALS, 0},
total_to = { TOTAL_CLNT_TIMEOUT,0 },
client_to = { CLNT_TIMEOUT,0 }, now;
char *name = NULL;
struct sockaddr_in a;
+ edg_wll_GssStatus gss_code;
FD_ZERO(&fds);
switch (edg_wll_Error(ctx,&errt,&errd)) {
case ETIMEDOUT:
/* fallthrough */
- case EDG_WLL_ERROR_SSL:
+ case EDG_WLL_ERROR_GSS:
case EPIPE:
dprintf(("[%d] %s (%s)\n",getpid(),errt,errd));
if (!debug) syslog(LOG_ERR,"%s (%s)",errt,errd);
/* fallthrough */
case ENOTCONN:
- edg_wll_ssl_close(ctx->connPool[ctx->connToUse].ssl);
- ctx->connPool[ctx->connToUse].ssl = NULL; /* XXX: is it necessary ? */
+ edg_wll_gss_close(&ctx->connPool[ctx->connToUse].gss, NULL);
edg_wll_FreeContext(ctx);
ctx = NULL;
close(conn);
}
if (kick_client && conn >= 0) {
- if (ctx->connPool[ctx->connToUse].ssl) {
+ if (ctx->connPool[ctx->connToUse].gss.context != GSS_C_NO_CONTEXT) {
struct timeval to = { 0, CLNT_REJECT_TIMEOUT };
- edg_wll_ssl_close_timeout(ctx->connPool[ctx->connToUse].ssl,&to);
- ctx->connPool[ctx->connToUse].ssl = NULL;
+ edg_wll_gss_close(&ctx->connPool[ctx->connToUse].gss,&to);
}
edg_wll_FreeContext(ctx);
close(conn); /* XXX: should not harm */
}
if (newconn >= 0) {
+ OM_uint32 min_stat, maj_stat;
+ gss_name_t client_name = GSS_C_NO_NAME;
+ gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+
conn = newconn;
gettimeofday(&client_start,NULL);
client_done.tv_sec = client_start.tv_sec;
ctx->srvPort = ntohs(a.sin_port);
}
- if (!(ctx->connPool[ctx->connToUse].ssl = edg_wll_ssl_accept(mycred,conn,&ctx->p_tmp_timeout))) {
- dprintf(("[%d] SSL hanshake failed, closing.\n",getpid()));
- if (!debug) syslog(LOG_ERR,"SSL hanshake failed");
+ if (edg_wll_gss_accept(mycred, conn, &ctx->p_tmp_timeout, &ctx->connPool[ctx->connToUse].gss, &gss_code)) {
+ dprintf(("[%d] Client authentication failed, closing.\n",getpid()));
+ if (!debug) syslog(LOG_ERR,"Client authentication failed");
close(conn);
conn = -1;
edg_wll_FreeContext(ctx);
continue;
- } else if ((peer = SSL_get_peer_certificate(ctx->connPool[ctx->connToUse].ssl)) != NULL) {
- X509_NAME *s = X509_get_subject_name(peer);
-
- proxy_get_base_name(s);
- free(ctx->peerName);
- ctx->peerName = X509_NAME_oneline(s,NULL,0);
+ }
+ maj_stat = gss_inquire_context(&min_stat, ctx->connPool[ctx->connToUse].gss.context, &client_name, NULL, NULL, NULL, NULL, NULL, NULL);
+ if (!GSS_ERROR(maj_stat))
+ maj_stat = gss_display_name(&min_stat, client_name, &token, NULL);
+
+ if (!GSS_ERROR(maj_stat)) {
+ if (ctx->peerName) free(ctx->peerName);
+ ctx->peerName = (char *)token.value;
+ memset(&token, 0, sizeof(token));
+/* XXX DK: pujde pouzit lifetime z inquire_context()?
ctx->peerProxyValidity = ASN1_UTCTIME_mktime(X509_get_notAfter(peer));
- X509_free(peer);
-
+*/
+
dprintf(("[%d] client DN: %s\n",getpid(),ctx->peerName));
- edg_wll_GetVomsGroups(ctx, vomsdir, cadir);
- if (debug && ctx->vomsGroups.len > 0) {
- int i;
-
- dprintf(("[%d] client's VOMS groups:\n",getpid()));
- for (i = 0; i < ctx->vomsGroups.len; i++)
- dprintf(("\t%s:%s\n",
- ctx->vomsGroups.val[i].vo,
- ctx->vomsGroups.val[i].name));
- }
-
- } else dprintf(("[%d] annonymous client\n",getpid()));
+ } else {
+ /* XXX DK: Check if the ANONYMOUS flag is set ? */
+ dprintf(("[%d] annonymous client\n",getpid()));
+ }
+
+ if (client_name != GSS_C_NO_NAME)
+ gss_release_name(&min_stat, &client_name);
+ if (token.value)
+ gss_release_buffer(&min_stat, &token);
+
+ edg_wll_SetVomsGroups(ctx, &ctx->connPool[ctx->connToUse].gss, vomsdir, cadir);
+ if (debug && ctx->vomsGroups.len > 0) {
+ int i;
+
+ dprintf(("[%d] client's VOMS groups:\n",getpid()));
+ for (i = 0; i < ctx->vomsGroups.len; i++)
+ dprintf(("\t%s:%s\n",
+ ctx->vomsGroups.val[i].vo,
+ ctx->vomsGroups.val[i].name));
+ }
/* used also to reset start_time after edg_wll_ssl_accept! */
/* gettimeofday(&start_time,0); */
}
ctx->strict_locking = strict_locking;
}
-
}
if (die) {
return 0;
}
+static int
+get_peer_cred(edg_wll_GssConnection *gss, STACK_OF(X509) **chain, X509 **cert)
+{
+ OM_uint32 maj_stat, min_stat;
+ gss_buffer_desc buffer = GSS_C_EMPTY_BUFFER;
+ BIO *bio = NULL;
+ SSL_SESSION *session = NULL;
+ unsigned char int_buffer[4];
+ long length;
+ int ret, index;
+ STACK_OF(X509) *cert_chain = NULL;
+ X509 *peer_cert = NULL;
+ X509 *p_cert;
+
+ maj_stat = gss_export_sec_context(&min_stat, gss->context, &buffer);
+ if (GSS_ERROR(maj_stat))
+ return -1; /* XXX */
+
+ bio = BIO_new(BIO_s_mem());
+ if (bio == NULL) {
+ ret = -1;
+ goto end;
+ }
+
+ /* Store exported context to memory, skipping the version number and and cred_usage fields */
+ BIO_write(bio, buffer.value + 8 , buffer.length - 8);
+
+ /* decode the session data in order to skip at the start of the cert chain */
+ session = d2i_SSL_SESSION_bio(bio, NULL);
+ if (session == NULL) {
+ ret = -1; /* XXX */
+ goto end;
+ }
+ if (session->peer)
+ peer_cert = X509_dup(session->peer);
+
+ SSL_SESSION_free(session);
+
+ BIO_read(bio, (char *) int_buffer, 4);
+ length = (((size_t) int_buffer[0]) << 24) & 0xffff;
+ length |= (((size_t) int_buffer[1]) << 16) & 0xffff;
+ length |= (((size_t) int_buffer[2]) << 8) & 0xffff;
+ length |= (((size_t) int_buffer[3]) ) & 0xffff;
+
+ if (length == 0) {
+ ret = 0;
+ goto end;
+ }
+
+ cert_chain = sk_X509_new_null();
+ for(index = 0; index < length; index++) {
+ p_cert = d2i_X509_bio(bio, NULL);
+ if (p_cert == NULL) {
+ ret = -1; /* XXX */
+ sk_X509_pop_free(cert_chain, X509_free);
+ goto end;
+ }
+
+ sk_X509_push(cert_chain, p_cert);
+ }
+
+ *chain = cert_chain;
+ *cert = peer_cert;
+ peer_cert = NULL;
+ ret = 0;
+
+end:
+ if (peer_cert)
+ X509_free(peer_cert);
+ gss_release_buffer(&min_stat, &buffer);
+
+ return ret;
+}
+
int
-edg_wll_GetVomsGroups(edg_wll_Context ctx, char *voms_dir, char *ca_dir)
+edg_wll_SetVomsGroups(edg_wll_Context ctx, edg_wll_GssConnection *gss, char *voms_dir, char *ca_dir)
{
STACK_OF(X509) *p_chain = NULL;
X509 *cert = NULL;
int err = 0;
struct vomsdata *voms_info = NULL;
+ /* XXX DK: correct cleanup ?? */
memset (&ctx->vomsGroups, 0, sizeof(ctx->vomsGroups));
edg_wll_ResetError(ctx);
- p_chain = SSL_get_peer_cert_chain(ctx->connPool[ctx->connToUse].ssl);
- cert = SSL_get_peer_certificate(ctx->connPool[ctx->connToUse].ssl);
+ ret = get_peer_cred(gss, &p_chain, &cert);
+ if (ret) {
+ ret = 0;
+ goto end;
+ }
/* exit if peer's credentials are not available */
if (p_chain == NULL || cert == NULL) {
ret = VOMS_Retrieve(cert, p_chain, RECURSE_CHAIN, voms_info, &err);
if (ret == 0) {
if (err == VERR_NOEXT)
+ /* XXX DK:
edg_wll_SetError(ctx, EINVAL, "no client VOMS certificates found");
+ */
+ ret = 0;
else {
edg_wll_SetError(ctx, -1, "failed to retrieve VOMS info");
ret = -1; /* XXX VOMS Error */
#else /* NO_VOMS */
int
-edg_wll_GetVomsGroups() { return 0; }
+edg_wll_SetVomsGroups() { return 0; }
void edg_wll_FreeVomsGroups() {}
#include <stdio.h>
#include "glite/lb/context-int.h"
+#include "glite/lb/lb_gss.h"
extern int
edg_wll_InitAcl(edg_wll_Acl *);
#endif /* NO_GACL */
extern int
-edg_wll_GetVomsGroups(edg_wll_Context, char *, char *);
+edg_wll_SetVomsGroups(edg_wll_Context, edg_wll_GssConnection *, char *, char *);
extern void
edg_wll_FreeVomsGroups(edg_wll_VomsGroups *);
#include <globus_config.h>
-#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h"
#include "glite/wmsutils/jobid/strmd5.h"
#include "glite/lb/events_parse.h"
#include <assert.h>
#include "glite/lb/il_string.h"
-#include "glite/lb/dgssl.h"
+#include "glite/lb/lb_gss.h"
#include "glite/lb/context-int.h"
#include "store.h"
char fbuf[256],*buf;
int len,ret;
size_t total;
+ edg_wll_GssStatus gss_code;
edg_wll_ResetError(ctx);
- if ((ret=edg_wll_ssl_read_full(ctx->connPool[ctx->connToUse].ssl,fbuf,17,&ctx->p_tmp_timeout,&total)) < 0) switch (ret) {
- case EDG_WLL_SSL_ERROR_TIMEOUT: return edg_wll_SetError(ctx,ETIMEDOUT,"read message header");
- case EDG_WLL_SSL_ERROR_EOF: return edg_wll_SetError(ctx,ENOTCONN,NULL);
- default: return edg_wll_SetError(ctx,EDG_WLL_ERROR_SSL,"read message header");
+ if ((ret=edg_wll_gss_read_full(&ctx->connPool[ctx->connToUse].gss,fbuf,17,&ctx->p_tmp_timeout,&total,&gss_code)) < 0) switch (ret) {
+ case EDG_WLL_GSS_ERROR_TIMEOUT: return edg_wll_SetError(ctx,ETIMEDOUT,"read message header");
+ case EDG_WLL_GSS_ERROR_EOF: return edg_wll_SetError(ctx,ENOTCONN,NULL);
+ default: return edg_wll_SetError(ctx,EDG_WLL_ERROR_GSS,"read message header");
}
if ((len = atoi(fbuf)) <= 0) return edg_wll_SetError(ctx,EINVAL,"message length");
buf = malloc(len+1);
- if ((ret=edg_wll_ssl_read_full(ctx->connPool[ctx->connToUse].ssl,buf,len,&ctx->p_tmp_timeout,&total)) < 0) {
+ if ((ret=edg_wll_gss_read_full(&ctx->connPool[ctx->connToUse].gss,buf,len,&ctx->p_tmp_timeout,&total,&gss_code)) < 0) {
free(buf);
return edg_wll_SetError(ctx,
- ret == EDG_WLL_SSL_ERROR_TIMEOUT ?
- ETIMEDOUT : EDG_WLL_ERROR_SSL,
+ ret == EDG_WLL_GSS_ERROR_TIMEOUT ?
+ ETIMEDOUT : EDG_WLL_ERROR_GSS,
"read message");
}
free(buf);
if ((len = create_reply(ctx,fbuf,sizeof fbuf))) {
- if ((ret = edg_wll_ssl_write_full(ctx->connPool[ctx->connToUse].ssl,fbuf,len,&ctx->p_tmp_timeout,&total)) < 0)
+ if ((ret = edg_wll_gss_write_full(&ctx->connPool[ctx->connToUse].gss,fbuf,len,&ctx->p_tmp_timeout,&total,&gss_code)) < 0)
edg_wll_SetError(ctx,
- ret == EDG_WLL_SSL_ERROR_TIMEOUT ?
- ETIMEDOUT : EDG_WLL_ERROR_SSL,
+ ret == EDG_WLL_GSS_ERROR_TIMEOUT ?
+ ETIMEDOUT : EDG_WLL_ERROR_GSS,
"write reply");
}
else edg_wll_SetError(ctx,E2BIG,"create_reply()");
git://scientific.zcu.cz / jra1mw.git / commitdiff