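// $Id$
/******************************************************************************/
/*                                                                            */
/*                 X r d S e c P r o t o c o l p w d . h h                    */
/*                                                                            */
/* (c) 2005 by the Board of Trustees of the Leland Stanford, Jr., University  */
/*                       All Rights Reserved                                  */
/* Produced by Andrew Hanushevsky for Stanford University under contract      */
/*            DE-AC03-76-SFO0515 with the Department of Energy                */
/******************************************************************************/

// Guard against double inclusion: this header had no include guard, and the
// enums, macros and classes below would be redefined if it were pulled into a
// translation unit twice.
#pragma once

#include <XrdOuc/XrdOucErrInfo.hh>
#include <XrdSys/XrdSysPthread.hh>
#include <XrdOuc/XrdOucString.hh>
#include <XrdOuc/XrdOucTokenizer.hh>

#include <XrdSec/XrdSecInterface.hh>
#include <XrdSec/XrdSecTrace.hh>

#include <XrdSut/XrdSutPFEntry.hh>
#include <XrdSut/XrdSutPFile.hh>
#include <XrdSut/XrdSutBuffer.hh>
#include <XrdSut/XrdSutRndm.hh>

#include <XrdCrypto/XrdCryptoAux.hh>
#include <XrdCrypto/XrdCryptoCipher.hh>
#include <XrdCrypto/XrdCryptoFactory.hh>

/******************************************************************************/
/*                               D e f i n e s                                */
/******************************************************************************/

// Global (unnamespaced) alias for the xrootd string class; note that it leaks
// the generic name 'String' into every translation unit including this header.
typedef XrdOucString String;

// Protocol identifier exchanged with the peer. XrdSecPROTOIDLEN uses sizeof on
// the literal and therefore includes the terminating NUL (4 for "pwd").
#define XrdSecPROTOIDENT    "pwd"
#define XrdSecPROTOIDLEN    sizeof(XrdSecPROTOIDENT)
#define XrdSecpwdVERSION    10100
// Option bits passed as 'opts' to the protocol constructor.
// XrdSecNOIPCHK disables the peer-IP check; presumably this weakens the binding
// between a session/cached entry and the address it came from -- see the .cc.
#define XrdSecNOIPCHK       0x0001
#define XrdSecDEBUG         0x1000
// Upper bound on the number of crypto factories tracked (see the static
// cryptID[]/cryptName[]/loccip[]/refcip[] tables in XrdSecProtocolpwd).
#define XrdCryptoMax        10

// Fixed buffer limits. Whether kMAXUSRLEN/kMAXPWDLEN count the terminating
// NUL is not visible from this header; callers filling fixed buffers of these
// sizes must bound their copies accordingly.
#define kMAXBUFLEN          1024
#define kMAXUSRLEN          9
#define kMAXPWDLEN          64

//
// Message codes either returned by server or included in buffers
enum kpwdStatus {
   kpST_error = -1,      // error occured
   kpST_ok    = 0,       // ok
   kpST_more  = 1        // need more info
};

//
// Auto-reg modes (server side): who may register credentials on first use
enum kpwdAutoreg {
   kpAR_none  = 0,      // autoreg disabled
   kpAR_users = 1,      // only for tags in password files (local, system's)
   kpAR_all   = 2       // for all tags
};

//
// Client update autologin modes
enum kpwdUpdate {
   kpUP_none   = 0,     // no update
   kpUP_remove = 1,     // remove obsolete entries only
   kpUP_all    = 2      // remove obsolete entries and register new valid info
};

//
// Creds input type: where the client obtained the credentials it is sending
enum kpwdCredsInput {
   kpCI_undef    = -1,  // undefined
   kpCI_prompt   = 0,   // from prompt
   kpCI_exact    = 1,   // from FileNetRc, exact tag
   kpCI_wildcard = 2    // from FileNetRc, wildcard tag
};

//
// Creds type (for prompt)
// kpCT_afs carries a plain AFS password; protection in transit presumably
// relies on the handshake cipher (pwdHSVars::Hcip) -- verify in the .cc.
enum kpwdCredType {
   kpCT_undef    = -1,  // undefined
   kpCT_normal   = 0,   // confirmed credentials
   kpCT_onetime  = 1,   // one-time credentials
   kpCT_old      = 2,   // old credentials to be changed
   kpCT_new      = 3,   // new credentials to be confirmed
   kpCT_newagain = 4,   // new credentials again for confirmation
   kpCT_autoreg  = 5,   // autoreg: new creds to be confirmed
   kpCT_ar_again = 6,   // autoreg: new creds again for confirmation
   kpCT_crypt    = 7,   // standard crypt hash
   kpCT_afs      = 8,   // AFS plain password
   kpCT_afsenc   = 9    // AFS encrypted password
};

//
// Creds actions
enum kpwdCredsActions {
   kpCA_undef      = -1, // undefined
   kpCA_check      = 0,  // normal check of credentials
   kpCA_checkold   = 1,  // check current creds before asking for new ones
   kpCA_cache      = 2,  // cache received (new) credentials
   kpCA_checkcache = 3   // check cached credentials and save them, if ok
};

// Client steps (values sent by the client, 1000-based)
enum kpwdClientSteps {
   kXPC_none = 0,
   kXPC_normal = 1000,      // 1000: standard packet
   kXPC_verifysrv,          // 1001: request for server verification
   kXPC_signedrtag,         // 1002: signed rtag (after server request for verification)
   kXPC_creds,              // 1003: credentials packet
   kXPC_autoreg,            // 1004: query for autoregistration
   kXPC_failureack,         // 1005: failure acknowledgement
   kXPC_reserved            //
};

// Server steps (values sent by the server, 2000-based)
enum kpwdServerSteps {
   kXPS_none = 0,
   kXPS_init = 2000,        // 2000: fake code used the first time
   kXPS_credsreq,           // 2001: request for credentials
   kXPS_rtag,               // 2002: rndm tag to be signed (strong verification)
   kXPS_signedrtag,         // 2003: signed rtag (after client request for verification)
   kXPS_newpuk,             // 2004: new public part for session ciphers
   kXPS_puk,                // 2005: public part for session ciphers (after autoreg)
   kXPS_failure,            // 2006: signal failure to client to drop invalid cached info
   kXPS_reserved            //
};

// Error codes (10000-based). The numeric comments are the actual enumerator
// values; the original listing mis-numbered the last three (it repeated 10034).
enum kpwdErrors {
   kPWErrParseBuffer = 10000,  // 10000
   kPWErrDecodeBuffer,         // 10001
   kPWErrLoadCrypto,           // 10002
   kPWErrBadProtocol,          // 10003
   kPWErrNoUserHost,           // 10004
   kPWErrNoUser,               // 10005
   kPWErrNoHost,               // 10006
   kPWErrBadUser,              // 10007
   kPWErrCreateBucket,         // 10008
   kPWErrDuplicateBucket,      // 10009
   kPWErrCreateBuffer,         // 10010
   kPWErrSerialBuffer,         // 10011
   kPWErrGenCipher,            // 10012
   kPWErrExportPuK,            // 10013
   kPWErrEncRndmTag,           // 10014
   kPWErrBadRndmTag,           // 10015
   kPWErrNoRndmTag,            // 10016
   kPWErrNoCipher,             // 10017
   kPWErrQueryCreds,           // 10018
   kPWErrNoCreds,              // 10019
   kPWErrBadPasswd,            // 10020
   kPWErrBadCache,             // 10021
   kPWErrNoCache,              // 10022
   kPWErrNoSessID,             // 10023
   kPWErrBadSessID,            // 10024
   kPWErrBadOpt,               // 10025
   kPWErrMarshal,              // 10026
   kPWErrUnmarshal,            // 10027
   kPWErrSaveCreds,            // 10028
   kPWErrNoSalt,               // 10029
   kPWErrNoBuffer,             // 10030
   kPWErrRefCipher,            // 10031
   kPWErrNoPublic,             // 10032
   kPWErrAddBucket,            // 10033
   kPWErrFinCipher,            // 10034
   kPWErrInit,                 // 10035
   kPWErrBadCreds,             // 10036
   kPWErrError                 // 10037
};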
// Structuring the status word: the per-handshake state carried in
// pwdHSVars::Status. ctype holds a kpwdCredType value and action a
// kpwdCredsActions value (both fit in a char); options is a bit field whose
// individual bits are not defined in this header.
typedef struct {
   char  ctype;
   char  action;
   short options;
} pwdStatus_t;

// Release helpers for heap objects allocated with 'new'.
// NOTE(review): these expand to a bare brace block, not do { } while (0), so
// "if (c) REL1(p); else ..." does not compile (stray ';' after the block);
// switching to do/while(0) would require checking that every call site ends
// with a ';'. The 'if (x)' guard is redundant: delete on a null pointer is a
// no-op.
#define REL1(x) { if (x) delete x; }
#define REL2(x,y) { if (x) delete x; if (y) delete y; }
#define REL3(x,y,z) { if (x) delete x; if (y) delete y; if (z) delete z; }

// Debug tracing. Relies on an 'epname' identifier and an unqualified 'cerr'
// being in scope at the expansion point; compiled out when NODEBUG is set.
#ifndef NODEBUG
#define PRINT(y) {{SecTrace->Beg(epname); cerr <<y; SecTrace->End();}}
#else
#define PRINT(y) { }
#endif

// Delete and null out a pointer (scalar / array form). Nulling the pointer
// after delete guards against double-delete and use-after-free through the
// same variable; the same brace-block caveat as for REL1 applies.
#define SafeDelete(x) { if (x) delete x ; x = 0; }
#define SafeDelArray(x) { if (x) delete [] x ; x = 0; }

//
// This a small class to set the relevant options in one go.
// Tags: [c] client-side option, [s] server-side option, [cs] both.
// Numeric members default to -1 (presumably "not set, use the built-in
// default"; keepcreds defaults to 0 instead), pointer members to null.
// The char* members are not owned by this object: the destructor is empty and
// the comment below says cleanup happens in XrdSecProtocolpwdInit.
//
class pwdOptions {
public:
   short  debug;          // [cs] debug flag
   short  mode;           // [cs] 'c' or 's'
   short  areg;           // [cs] auto-registration opt (s); update-autolog-info opt (c)
   short  upwd;           // [s] check / do-not-check pwd file in user's $HOME
   short  alog;           // [c] check / do-not-check user's autologin info
   short  verisrv;        // [c] verify / do-not-verify server ownership of srvpuk
   short  vericlnt;       // [s] level of verification client ownership of clntpuk
   short  syspwd;         // [s] check / do-not-check system pwd (requires privileges)
   int    lifecreds;      // [s] lifetime in seconds of credentials
   int    maxprompts;     // [c] max number of empty prompts
   int    maxfailures;    // [s] max passwd failures before blocking
   char  *clist;          // [s] list of crypto modules ["ssl"]
   char  *dir;            // [s] directory with admin pwd files [$HOME/.xrd]
   char  *udir;           // [s] users's sub-directory with pwd files [$HOME/.xrd]
   char  *cpass;          // [s] users's crypt hash pwd file [$HOME/.xrootdpass]
   char  *alogfile;       // [c] autologin file [$HOME/.xrd/pwdnetrc]
   char  *srvpuk;         // [c] file with server puks [$HOME/.xrd/pwdsrvpuk]
   short  keepcreds;      // [s] keep / do-not-keep client credentials
   char  *expcreds;       // [s] (template for) file with exported creds

   // Default-construct with everything "unset": -1 for numeric options
   // (except keepcreds = 0), server mode, null file names / lists.
   pwdOptions() { debug = -1; mode = 's'; areg = -1; upwd = -1; alog = -1;
                  verisrv = -1; vericlnt = -1;
                  syspwd = -1; lifecreds = -1; maxprompts = -1; maxfailures = -1;
                  clist = 0; dir = 0; udir = 0; cpass = 0;
                  alogfile = 0; srvpuk = 0; keepcreds = 0; expcreds = 0;}
   virtual ~pwdOptions() { } // Cleanup inside XrdSecProtocolpwdInit
};

//
// Per-handshake state, owned by XrdSecProtocolpwd (member 'hs') for the
// duration of one authentication exchange.
// Ownership: the destructor deletes Cref, Hcip and Parms only. Rcip, CF and
// Pent are not released here -- presumably they alias objects owned elsewhere
// (e.g. the static cipher tables / file caches of XrdSecProtocolpwd); confirm
// against the .cc before changing this.
// NOTE(review): deleting Hcip does not by itself guarantee the handshake key
// material is wiped; that depends on XrdCryptoCipher's destructor.
//
class pwdHSVars {
public:
   int               Iter;          // iteration number
   int               TimeStamp;     // Time of last call
   String            CryptoMod;     // crypto module in use
   String            User;          // remote username
   String            Tag;           // tag for credentials
   int               RemVers;       // Version run by remote counterpart
   XrdCryptoFactory *CF;            // crypto factory
   XrdCryptoCipher  *Hcip;          // handshake cipher
   XrdCryptoCipher  *Rcip;          // reference cipher
   String            ID;            // Handshake ID (dummy for clients)
   XrdSutPFEntry    *Cref;          // Cache reference
   XrdSutPFEntry    *Pent;          // Pointer to relevant file entry
   bool              RtagOK;        // Rndm tag checked / not checked
   pwdStatus_t       Status;        // Some state flags
   bool              Tty;           // Terminal attached / not attached
   int               Step;          // Current step
   int               LastStep;      // Step required at previous iteration
   String            ErrMsg;        // Last error message
   int               SysPwd;        // 0 = no, 1 = Unix sys pwd, 2 = AFS pwd
   String            AFScell;       // AFS cell if it makes sense
   XrdSutBuffer     *Parms;         // Buffer with server parms on first iteration

   // Start a fresh handshake: counters at zero, TimeStamp/RemVers at -1
   // (unknown), all pointers null, random tag not yet verified, status cleared.
   pwdHSVars() { Iter = 0; TimeStamp = -1; CryptoMod = ""; User = ""; Tag = "";
                 RemVers = -1; CF = 0; Hcip = 0; Rcip = 0;
                 ID = ""; Cref = 0; Pent = 0; RtagOK = 0; Tty = 0;
                 Step = 0; LastStep = 0; ErrMsg = "";
                 SysPwd = 0; AFScell = "";
                 Status.ctype = 0; Status.action = 0; Status.options = 0; Parms = 0;}

   // Release the objects this struct owns (see ownership note above).
   ~pwdHSVars() { SafeDelete(Cref); SafeDelete(Hcip); SafeDelete(Parms); }
};
/******************************************************************************/
/*              X r d S e c P r o t o c o l p w d   C l a s s                 */
/******************************************************************************/

// Password-based XrdSec authentication protocol ("pwd"), usable on both the
// client and the server side (srvMode / the static Server flag select which).
// Configuration and file caches are process-wide statics set up by Init();
// per-connection state lives in the instance (hs, clientCreds, hostaddr, ...).
// Tags in member comments: [C] client only, [S] server only, [CS] both.
class XrdSecProtocolpwd : public XrdSecProtocol
{
public:
        // Server side: validate the credentials received from the client.
        // On a multi-step exchange *parms receives the next message for the
        // peer; einfo, when given, receives the error description.
        int                Authenticate  (XrdSecCredentials *cred,
                                          XrdSecParameters **parms,
                                          XrdOucErrInfo     *einfo=0);

        // Client side: build the credentials to send, given the server's
        // parameters from the previous step (none on the first call).
        XrdSecCredentials *getCredentials(XrdSecParameters  *parm=0,
                                          XrdOucErrInfo     *einfo=0);

        // opts: XrdSec* option bits (e.g. XrdSecNOIPCHK, XrdSecDEBUG);
        // hname/ipadd: the peer's host name and address; parms: protocol
        // parameters string, may be null.
        // NOTE(review): hname is an unbounded C string and CName below is a
        // fixed 256-byte buffer -- the copy in the constructor must be bounded;
        // likewise hostaddr is a plain 'struct sockaddr', which is too small
        // to hold a sockaddr_in6, so an IPv6 *ipadd would be truncated if
        // copied as-is. Verify both against the .cc.
        XrdSecProtocolpwd(int opts, const char *hname,
                          const struct sockaddr *ipadd,
                          const char *parms = 0);
        virtual ~XrdSecProtocolpwd() {} // Delete() does it all

        // Initialization methods
        // Process-wide setup from the parsed options; returns a parameter
        // string for the peer (exact contract not visible here), reporting
        // failures through erp.
        static char      *Init(pwdOptions o, XrdOucErrInfo *erp);

        // Tear down this instance (the destructor itself frees nothing, so
        // hs and clientCreds are presumably released here).
        void              Delete();

        static void       PrintTimeStat();

private:

   // Static members initialized at startup. These are shared by every
   // instance in the process; pwdContext presumably serializes access to
   // them -- confirm which operations take it.
   static XrdSysMutex      pwdContext;
   static String           FileAdmin;
   static String           FileExpCreds;   // (Template for) file with exported creds [S]
   static String           FileUser;
   static String           FileCrypt;
   static String           FileSrvPuk;
   static String           SrvID;
   static String           SrvEmail;
   static String           DefCrypto;
   static String           DefError;
   static XrdSutPFile      PFAdmin;        // Admin file [S]
   static XrdSutPFile      PFAlog;         // Autologin file [CS]
   static XrdSutPFile      PFSrvPuk;       // File with server public keys [CS]
   //
   // Crypto related info: parallel tables indexed 0..ncrypt-1, bounded by
   // XrdCryptoMax.
   static int              ncrypt;                  // Number of factories
   static int              cryptID[XrdCryptoMax];   // their IDs
   static String           cryptName[XrdCryptoMax]; // their names
   static XrdCryptoCipher *loccip[XrdCryptoMax];    // local ciphers
   static XrdCryptoCipher *refcip[XrdCryptoMax];    // ref for session ciphers
   //
   // Caches for info files
   static XrdSutCache      cacheAdmin;  // Admin file
   static XrdSutCache      cacheSrvPuk; // SrvPuk file
   static XrdSutCache      cacheUser;   // User files
   static XrdSutCache      cacheAlog;   // Autologin file
   //
   // Running options / settings (populated by Init() from pwdOptions)
   static int              Debug;       // [CS] Debug level
   static bool             Server;      // [CS] If server mode
   static int              UserPwd;     // [S] Check passwd file in user's <xrdsecdir>
   static bool             SysPwd;      // [S] Check system passwd file if allowed
   static int              VeriClnt;    // [S] Client verification level
   static int              VeriSrv;     // [C] Server verification level
   static int              AutoReg;     // [S] Autoreg mode
   static int              LifeCreds;   // [S] if > 0, credential lifetime in secs
   static int              MaxPrompts;  // [C] Repeating prompt
   static int              MaxFailures; // [S] Max passwd failures before blocking
   static int              AutoLogin;   // [C] do-not-check/check/update autolog info
   static int              TimeSkew;    // [CS] Allowed skew in secs for time stamps
   static bool             KeepCreds;   // [S] Keep / Do-Not-Keep client creds
   //
   // for error logging and tracing
   static XrdSysLogger     Logger;
   static XrdSysError      eDest;
   static XrdOucTrace     *SecTrace;

   // Information local to this instance
   int              options;       // XrdSec* option bits from the constructor
   struct sockaddr  hostaddr;      // Client-side only
   char             CName[256];    // Client-name
   bool             srvMode;       // TRUE if server mode

   // Handshake local info (heap object; see pwdHSVars for ownership)
   pwdHSVars       *hs;

   // Acquired credentials (server side)
   XrdSecCredentials *clientCreds;

   // Parsing received buffers: br is the buffer received from the peer, *bm
   // receives the buffer being built in reply, the string gets an error /
   // client message. Return convention not visible in this header.
   int              ParseClientInput(XrdSutBuffer *br, XrdSutBuffer **bm,
                                     String &emsg);
   int              ParseServerInput(XrdSutBuffer *br, XrdSutBuffer **bm,
                                     String &cmsg);
   int              ParseCrypto(XrdSutBuffer *buf);

   // Error functions: fill einfo with ecode and up to three message parts.
   // ErrC/ErrS additionally take up to three buffers to dispose of and return
   // the value their caller should hand back (null credentials / an int code).
   static void      ErrF(XrdOucErrInfo *einfo, kXR_int32 ecode,
                         const char *msg1, const char *msg2 = 0,
                         const char *msg3 = 0);
   XrdSecCredentials *ErrC(XrdOucErrInfo *einfo, XrdSutBuffer *b1,
                           XrdSutBuffer *b2,XrdSutBuffer *b3,
                           kXR_int32 ecode, const char *msg1 = 0,
                           const char *msg2 = 0, const char *msg3 = 0);
   int              ErrS(String ID, XrdOucErrInfo *einfo, XrdSutBuffer *b1,
                         XrdSutBuffer *b2, XrdSutBuffer *b3,
                         kXR_int32 ecode, const char *msg1 = 0,
                         const char *msg2 = 0, const char *msg3 = 0);

   // Query methods (obtain credentials / user info from prompt, netrc-style
   // autologin file, crypt-hash file)
   XrdSutBucket    *QueryCreds(XrdSutBuffer *bm, bool netrc, int &status);
   int              QueryUser(int &status, String &cmsg);
   int              QueryCrypt(String &fn, String &pwhash);
   int              QueryNetRc(String host, String &passwd, int &status);

   // Check credentials (credtype/ctype: a kpwdCredType value)
   bool             CheckCreds(XrdSutBucket *creds, int credtype);
   bool             CheckCredsAFS(XrdSutBucket *creds, int ctype);

   // Check Time stamp: reject buffers whose time stamp is outside 'skew'
   // seconds of now (replay window; TimeSkew is the configured value).
   bool             CheckTimeStamp(XrdSutBuffer *b, int skew, String &emsg);

   // Check random challenge (the rtag sent earlier must come back signed)
   bool             CheckRtag(XrdSutBuffer *bm, String &emsg);

   // Saving / Updating
   // ExportCreds/SaveCreds persist client credentials on the server side
   // (see KeepCreds / FileExpCreds) -- sensitive data at rest; UpdateAlog
   // maintains the client's autologin file.
   int              ExportCreds(XrdSutBucket *creds);
   int              SaveCreds(XrdSutBucket *creds);
   int              UpdateAlog();

   // Auxilliary methods
   int              GetUserHost(String &usr, String &host);
   // Serialize 'buf' into 'bls' as a bucket of 'type' for step 'step',
   // encrypting with 'cip' when given (exact semantics of 'opt' not visible).
   int              AddSerialized(char opt, kXR_int32 step, String ID,
                                  XrdSutBuffer *bls, XrdSutBuffer *buf,
                                  kXR_int32 type, XrdCryptoCipher *cip);
   // Hash 'bck' twice with salts s1 (and s2 if given) using factory cf.
   int              DoubleHash(XrdCryptoFactory *cf, XrdSutBucket *bck,
                               XrdSutBucket *s1, XrdSutBucket *s2 = 0,
                               const char *tag = 0);
};