static gss_cred_id_t mycred = GSS_C_NO_CREDENTIAL;
char *cadir = NULL,
- *vomsdir = NULL;
+ *vomsdir = NULL,
+ *server_key = NULL,
+ *server_cert = NULL;
static struct option opts[] = {
int opt;
char pidfile[PATH_MAX] = EDG_BKSERVERD_PIDFILE,
*port,
- *name,
- *cert, *key;
+ *name;
#ifdef GLITE_LB_SERVER_WITH_WS
char *ws_port;
#endif /* GLITE_LB_SERVER_WITH_WS */
#ifdef GLITE_LB_SERVER_WITH_WS
asprintf(&ws_port, "%d", GLITE_WMSC_JOBID_DEFAULT_PORT+2);
#endif /* GLITE_LB_SERVER_WITH_WS */
- cert = key = cadir = vomsdir = NULL;
+ server_cert = server_key = cadir = vomsdir = NULL;
/* no magic here: 1 month, 3 and 7 days */
purge_timeout[EDG_WLL_PURGE_JOBSTAT_OTHER] = 60*60*24*31;
while ((opt = getopt_long(argc,argv,get_opt_string,opts,NULL)) != EOF) switch (opt) {
case 'a': fake_host = strdup(optarg); break;
- case 'c': cert = optarg; break;
- case 'k': key = optarg; break;
+ case 'c': server_cert = optarg; break;
+ case 'k': server_key = optarg; break;
case 'C': cadir = optarg; break;
case 'V': vomsdir = optarg; break;
case 'p': free(port); port = strdup(optarg); break;
#endif /* GLITE_LB_SERVER_WITH_WS */
- if (!cert || !key)
+ if (!server_cert || !server_key)
fprintf(stderr, "%s: key or certificate file not specified"
" - unable to watch them for changes!\n", argv[0]);
if ( cadir ) setenv("X509_CERT_DIR", cadir, 1);
- if ( !edg_wll_gss_acquire_cred_gsi(cert, key, &mycred, &mysubj, &gss_code) )
+ if ( !edg_wll_gss_acquire_cred_gsi(server_cert, server_key, &mycred, &mysubj, &gss_code) )
{
int i;
if ( token.value )
gss_release_buffer(&min_stat, &token);
- edg_wll_SetVomsGroups(ctx, &ctx->connPool[ctx->connToUse].gss, vomsdir, cadir);
+ edg_wll_SetVomsGroups(ctx, &ctx->connPool[ctx->connToUse].gss, server_cert, server_key, vomsdir, cadir);
if (debug && ctx->vomsGroups.len > 0)
{
int i;
}
static int
-get_peer_cred(edg_wll_GssConnection *gss, STACK_OF(X509) **chain, X509 **cert)
+get_peer_cred(edg_wll_GssConnection *gss, char *server_cert, char *server_key, STACK_OF(X509) **chain, X509 **cert)
{
OM_uint32 maj_stat, min_stat;
gss_buffer_desc buffer = GSS_C_EMPTY_BUFFER;
if (GSS_ERROR(maj_stat))
return -1; /* XXX */
- /* The GSSAPI specs requires gss_export_sec_context() to destroy the context
- * after exporting. So we have to resurrect the context here by importing
- * from just generated buffer. I'm eagerly waiting for adaptations in the
- * VOMS API to avoid these hacks */
- maj_stat = gss_import_sec_context(&min_stat, &buffer, &gss->context);
+ {
+ /* The GSSAPI specs requires gss_export_sec_context() to destroy the
+ * context after exporting. So we have to resurrect the context here by
+ * importing from just generated buffer. gss_import_sec_context() must be
+ * able to read valid credential before it loads the exported context
+ * so we set the environment temporarily to point to the ones used by
+ * the server.
+ *
+ * I'm eagerly waiting for adaptations in the VOMS API to avoid these
+ * hacks */
+
+ char *orig_cert = NULL, *orig_key = NULL;
+
+ orig_cert = getenv("X509_USER_CERT");
+ orig_key = getenv("X509_USER_KEY");
+
+ if (server_cert)
+ setenv("X509_USER_CERT", server_cert, 1);
+ if (server_key)
+ setenv("X509_USER_KEY", server_key, 1);
+
+ maj_stat = gss_import_sec_context(&min_stat, &buffer, &gss->context);
+
+ if (orig_cert)
+ setenv("X509_USER_CERT", orig_cert, 1);
+ else
+ unsetenv("X509_USER_CERT");
+
+ if (orig_key)
+ setenv("X509_USER_KEY", orig_key, 1);
+ else
+ unsetenv("X509_USER_KEY");
+
+ if (GSS_ERROR(maj_stat)) {
+ ret = -1;
+ goto end;
+ }
+ }
bio = BIO_new(BIO_s_mem());
if (bio == NULL) {
}
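Review bot: The pointers saved at L77–L78 come straight from getenv(), and POSIX allows the following setenv()/unsetenv() calls on the same variables (L81, L83) to invalidate them, so the restore at L88 and L93 may read a stale or freed string and silently leave the server's own key/cert path in X509_USER_KEY/X509_USER_CERT for the rest of the process; copy the originals with strdup() before overwriting and free them after the restore. A strdup() failure should be treated like any other failure here rather than restoring nothing, since the environment would otherwise be left pointing at the server credential. The swap also mutates process-global state; if this code can run concurrently with other credential loads in the same process, that window is a race, which I cannot confirm from the hunk. get_peer_cred's `ret` variable and `end:` label are outside the hunk.
```c
		char *orig_cert = NULL, *orig_key = NULL;
		const char *env_cert = getenv("X509_USER_CERT");
		const char *env_key = getenv("X509_USER_KEY");

		/* getenv() pointers are invalidated by setenv()/unsetenv(); keep copies */
		if (env_cert && !(orig_cert = strdup(env_cert))) { ret = -1; goto end; }
		if (env_key && !(orig_key = strdup(env_key))) { free(orig_cert); ret = -1; goto end; }

		/* … unchanged: setenv() of server_cert/server_key, gss_import_sec_context(), restore via setenv()/unsetenv() … */

		free(orig_cert);
		free(orig_key);
```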
int
-edg_wll_SetVomsGroups(edg_wll_Context ctx, edg_wll_GssConnection *gss, char *voms_dir, char *ca_dir)
+edg_wll_SetVomsGroups(edg_wll_Context ctx, edg_wll_GssConnection *gss, char *server_cert, char *server_key, char *voms_dir, char *ca_dir)
{
STACK_OF(X509) *p_chain = NULL;
X509 *cert = NULL;
memset (&ctx->vomsGroups, 0, sizeof(ctx->vomsGroups));
edg_wll_ResetError(ctx);
- ret = get_peer_cred(gss, &p_chain, &cert);
+ ret = get_peer_cred(gss, server_cert, server_key, &p_chain, &cert);
if (ret) {
ret = 0;
goto end;
fail:
if (cred)
/* XXX GRSTgaclCredFree(cred); */
+ ;
if (user)
/* XXX GRSTgaclUserFree(user); */
+ ;
return ret;
}