XrdSecProtocolpwd.hh

00001 // $Id: XrdSecProtocolpwd.hh 25932 2008-10-23 10:58:11Z ganis $
00002 /******************************************************************************/
00003 /*                                                                            */
00004 /*                 X r d S e c P r o t o c o l p w d . h h                    */
00005 /*                                                                            */
00006 /* (c) 2005 by the Board of Trustees of the Leland Stanford, Jr., University  */
00007 /*                            All Rights Reserved                             */
00008 /*   Produced by Andrew Hanushevsky for Stanford University under contract    */
00009 /*              DE-AC03-76-SFO0515 with the Department of Energy              */
00010 /******************************************************************************/
00011 #include <XrdOuc/XrdOucErrInfo.hh>
00012 #include <XrdSys/XrdSysPthread.hh>
00013 #include <XrdOuc/XrdOucString.hh>
00014 #include <XrdOuc/XrdOucTokenizer.hh>
00015 
00016 #include <XrdSec/XrdSecInterface.hh>
00017 #include <XrdSec/XrdSecTrace.hh>
00018 
00019 #include <XrdSut/XrdSutPFEntry.hh>
00020 #include <XrdSut/XrdSutPFile.hh>
00021 #include <XrdSut/XrdSutBuffer.hh>
00022 #include <XrdSut/XrdSutRndm.hh>
00023 
00024 #include <XrdCrypto/XrdCryptoAux.hh>
00025 #include <XrdCrypto/XrdCryptoCipher.hh>
00026 #include <XrdCrypto/XrdCryptoFactory.hh>
00027 
00028 /******************************************************************************/
00029 /*                               D e f i n e s                                */
00030 /******************************************************************************/
00031 
// Short alias for the XRootD string class used throughout this header.
// NOTE(review): a global-scope typedef named `String` in a header is visible
// to every file that includes it and can clash with other String types.
typedef XrdOucString String;

// Protocol identifier and its size. sizeof on a string literal counts the
// terminating NUL, so XrdSecPROTOIDLEN evaluates to 4 for "pwd".
#define XrdSecPROTOIDENT    "pwd"
#define XrdSecPROTOIDLEN    sizeof(XrdSecPROTOIDENT)
// Version number of this protocol implementation.
#define XrdSecpwdVERSION    10100
// Option bits. NOTE(review): the names suggest "skip the IP check" and
// "debug"; where they are tested is not visible in this header. If
// XrdSecNOIPCHK relaxes a peer-address check, setting it should be a
// deliberate, documented choice -- confirm in the implementation.
#define XrdSecNOIPCHK       0x0001
#define XrdSecDEBUG         0x1000
// Capacity of the static per-factory arrays declared in XrdSecProtocolpwd
// (cryptID, cryptName, loccip, refcip); code that fills them must keep
// ncrypt below this bound.
#define XrdCryptoMax        10

// Length limits. NOTE(review): presumably maximum buffer, user-name and
// password lengths; whether they include the terminating NUL, and where they
// are enforced, cannot be told from this header -- confirm at the use sites.
#define kMAXBUFLEN          1024
#define kMAXUSRLEN          9
#define kMAXPWDLEN          64
00044 
//
// Status codes, either returned by the server or carried inside buffers
enum kpwdStatus {
   kpST_error = -1,   // an error occurred
   kpST_ok    =  0,   // success
   kpST_more  =  1    // more information is needed
};
00052 
//
// Auto-registration modes
// NOTE(review): kpAR_all is the widest setting (any tag may auto-register);
// which mode is the default is decided elsewhere -- confirm.
enum kpwdAutoreg {
   kpAR_none  = 0,   // auto-registration disabled
   kpAR_users = 1,   // only tags present in the password files (local, system's)
   kpAR_all   = 2    // every tag
};
00060 
//
// How the client updates its autologin information
enum kpwdUpdate {
   kpUP_none   = 0,   // leave the autologin info untouched
   kpUP_remove = 1,   // drop obsolete entries only
   kpUP_all    = 2    // drop obsolete entries and register new valid info
};
00068 
//
// Where the credentials came from
enum kpwdCredsInput {
   kpCI_undef    = -1,   // not defined
   kpCI_prompt   =  0,   // typed at the prompt
   kpCI_exact    =  1,   // read from FileNetRc, entry with the exact tag
   kpCI_wildcard =  2    // read from FileNetRc, entry with a wildcard tag
};
00077 
//
// Credential types (used when prompting)
// NOTE(review): per the comments below, kpCT_afs carries the password itself
// rather than a hash; buffers holding credentials of that type deserve the
// strictest handling (wipe after use, never trace).
enum kpwdCredType {
   kpCT_undef    = -1,   // not defined
   kpCT_normal   =  0,   // confirmed credentials
   kpCT_onetime  =  1,   // one-time credentials
   kpCT_old      =  2,   // old credentials that are about to be changed
   kpCT_new      =  3,   // new credentials, still to be confirmed
   kpCT_newagain =  4,   // new credentials typed a second time for confirmation
   kpCT_autoreg  =  5,   // autoreg: new credentials, still to be confirmed
   kpCT_ar_again =  6,   // autoreg: new credentials typed again for confirmation
   kpCT_crypt    =  7,   // standard crypt hash
   kpCT_afs      =  8,   // AFS plain password
   kpCT_afsenc   =  9    // AFS encrypted password
};
00093 
//
// What to do with received credentials
enum kpwdCredsActions {
   kpCA_undef      = -1,   // not defined
   kpCA_check      =  0,   // ordinary credential check
   kpCA_checkold   =  1,   // verify the current credentials before asking for new ones
   kpCA_cache      =  2,   // cache the (new) credentials just received
   kpCA_checkcache =  3    // verify the cached credentials and, if good, save them
};
00103 
// Handshake steps sent by the client. Values are written out explicitly so
// that the codes do not shift if an enumerator is ever inserted.
enum kpwdClientSteps {
   kXPC_none       = 0,
   kXPC_normal     = 1000,   // standard packet
   kXPC_verifysrv  = 1001,   // request for server verification
   kXPC_signedrtag = 1002,   // signed rtag (after server request for verification)
   kXPC_creds      = 1003,   // credentials packet
   kXPC_autoreg    = 1004,   // query for autoregistration
   kXPC_failureack = 1005,   // failure acknowledgement
   kXPC_reserved   = 1006    // reserved
};
00115 
// Handshake steps sent by the server. Values are written out explicitly so
// that the codes do not shift if an enumerator is ever inserted.
enum kpwdServerSteps {
   kXPS_none       = 0,
   kXPS_init       = 2000,   // fake code used the first time
   kXPS_credsreq   = 2001,   // request for credentials
   kXPS_rtag       = 2002,   // rndm tag to be signed (strong verification)
   kXPS_signedrtag = 2003,   // signed rtag (after client request for verification)
   kXPS_newpuk     = 2004,   // new public part for session ciphers
   kXPS_puk        = 2005,   // public part for session ciphers (after autoreg)
   kXPS_failure    = 2006,   // tell the client to drop invalid cached info
   kXPS_reserved   = 2007    // reserved
};
00128 
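// Error codes.
// Each value is written out explicitly. The original listing relied on
// implicit numbering and its trailing comments repeated 10034, so the last
// three codes were documented one too low (kPWErrInit is 10035, not 10034).
// Anyone mapping numeric codes from logs back to names should use the values
// below; they are exactly what the implicit numbering produced.
enum kpwdErrors {
   kPWErrParseBuffer     = 10000,
   kPWErrDecodeBuffer    = 10001,
   kPWErrLoadCrypto      = 10002,
   kPWErrBadProtocol     = 10003,
   kPWErrNoUserHost      = 10004,
   kPWErrNoUser          = 10005,
   kPWErrNoHost          = 10006,
   kPWErrBadUser         = 10007,
   kPWErrCreateBucket    = 10008,
   kPWErrDuplicateBucket = 10009,
   kPWErrCreateBuffer    = 10010,
   kPWErrSerialBuffer    = 10011,
   kPWErrGenCipher       = 10012,
   kPWErrExportPuK       = 10013,
   kPWErrEncRndmTag      = 10014,
   kPWErrBadRndmTag      = 10015,
   kPWErrNoRndmTag       = 10016,
   kPWErrNoCipher        = 10017,
   kPWErrQueryCreds      = 10018,
   kPWErrNoCreds         = 10019,
   kPWErrBadPasswd       = 10020,
   kPWErrBadCache        = 10021,
   kPWErrNoCache         = 10022,
   kPWErrNoSessID        = 10023,
   kPWErrBadSessID       = 10024,
   kPWErrBadOpt          = 10025,
   kPWErrMarshal         = 10026,
   kPWErrUnmarshal       = 10027,
   kPWErrSaveCreds       = 10028,
   kPWErrNoSalt          = 10029,
   kPWErrNoBuffer        = 10030,
   kPWErrRefCipher       = 10031,
   kPWErrNoPublic        = 10032,
   kPWErrAddBucket       = 10033,
   kPWErrFinCipher       = 10034,
   kPWErrInit            = 10035,
   kPWErrBadCreds        = 10036,
   kPWErrError           = 10037
};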
00170 
// Structuring the status word: two one-byte fields followed by a 16-bit
// options field. Member order and types are left untouched because the
// layout may be part of what is exchanged or stored.
// NOTE(review): presumably overlaid on / copied to a 32-bit integer -- confirm.
// NOTE(review): ctype and action look like they hold kpwdCredType /
// kpwdCredsActions values, which include -1 ("undef"). Plain char is unsigned
// on some platforms, where -1 reads back as 255 and a comparison against the
// enum constant fails -- verify the use sites.
typedef struct {
   char  ctype;
   char  action;
   short options; 
} pwdStatus_t;
00177 
// Release one, two or three heap objects.
// These macros delete the objects but leave the pointers unchanged, so a
// pointer passed to them is dangling afterwards and must not be reused or
// released again (SafeDelete below also resets the pointer).
// Each expands to a bare { } block and names its arguments more than once:
// pass plain pointer variables only, never expressions with side effects.
#define REL1(x)     { if (x) delete x; }
#define REL2(x,y)   { if (x) delete x; if (y) delete y; }
#define REL3(x,y,z) { if (x) delete x; if (y) delete y; if (z) delete z; }

// Trace output. The expansion uses `SecTrace`, `epname` and `cerr`, which
// must be in scope where PRINT is used; with NODEBUG defined it is a no-op.
// NOTE(review): whatever is passed in is written to cerr as-is, so call sites
// should not pass passwords, hashes or key material -- check the callers.
#ifndef NODEBUG
#define PRINT(y) {{SecTrace->Beg(epname); cerr <<y; SecTrace->End();}}
#else
#define PRINT(y) { }
#endif

// Delete an object (or array) and reset the pointer to 0, which makes a
// repeated release harmless. x is named several times and assigned to, so it
// must be a modifiable pointer variable without side effects.
#define SafeDelete(x) { if (x) delete x ; x = 0; }
#define SafeDelArray(x) { if (x) delete [] x ; x = 0; }
00190 
//
// Small holder class used to set all the relevant options in one go.
// Tags in the field comments: [c] client, [s] server, [cs] both
// (apparently -- the tags are not explained in this header).
//
class pwdOptions {
public:
   short  debug;        // [cs] debug flag
   short  mode;         // [cs] 'c' or 's'
   short  areg;         // [cs] auto-registration opt (s); update-autolog-info opt (c)
   short  upwd;         // [s] check / do-not-check pwd file in user's $HOME
   short  alog;         // [c] check / do-not-check user's autologin info
   short  verisrv;      // [c] verify / do-not-verify server ownership of srvpuk
   short  vericlnt;     // [s] level of verification of client ownership of clntpuk
   short  syspwd;       // [s] check / do-not-check system pwd (requires privileges)
   int    lifecreds;    // [s] lifetime of credentials, in seconds
   int    maxprompts;   // [c] max number of empty prompts
   int    maxfailures;  // [s] max passwd failures before blocking
   char  *clist;        // [s] list of crypto modules ["ssl"]
   char  *dir;          // [s] directory with admin pwd files [$HOME/.xrd]
   char  *udir;         // [s] user's sub-directory with pwd files [$HOME/.xrd]
   char  *cpass;        // [s] user's crypt hash pwd file [$HOME/.xrootdpass]
   char  *alogfile;     // [c] autologin file [$HOME/.xrd/pwdnetrc]
   char  *srvpuk;       // [c] file with server puks [$HOME/.xrd/pwdsrvpuk]
   short  keepcreds;    // [s] keep / do-not-keep client credentials
   char  *expcreds;     // [s] (template for) file with exported creds

   // Numeric options start at -1 and string options at null; the exceptions
   // are mode ('s') and keepcreds (0).
   pwdOptions()
      : debug(-1), mode('s'), areg(-1), upwd(-1), alog(-1),
        verisrv(-1), vericlnt(-1), syspwd(-1),
        lifecreds(-1), maxprompts(-1), maxfailures(-1),
        clist(0), dir(0), udir(0), cpass(0),
        alogfile(0), srvpuk(0), keepcreds(0), expcreds(0) { }

   // Nothing is released here: cleanup happens inside XrdSecProtocolpwdInit.
   // Copies of this object therefore share the same char* strings.
   virtual ~pwdOptions() { }
};
00223 
// Per-handshake state: iteration counter, negotiated crypto module, ciphers,
// cache references and the current / previous protocol step.
//
// Ownership as far as this header shows: the destructor releases Cref, Hcip
// and Parms only. CF, Rcip and Pent are left alone -- presumably they point
// to objects owned elsewhere (confirm).
// No copy constructor or assignment operator is declared, so a copy of this
// object would share Cref, Hcip and Parms with the original and both
// destructors would delete them; instances should only be handled through
// pointers or references.
class pwdHSVars {
public:
   int               Iter;          // iteration number
   int               TimeStamp;     // Time of last call
   String            CryptoMod;     // crypto module in use
   String            User;          // remote username
   String            Tag;           // tag for credentials
   int               RemVers;       // Version run by remote counterpart
   XrdCryptoFactory *CF;            // crypto factory
   XrdCryptoCipher  *Hcip;          // handshake cipher
   XrdCryptoCipher  *Rcip;          // reference cipher
   String            ID;            // Handshake ID (dummy for clients)
   XrdSutPFEntry    *Cref;          // Cache reference
   XrdSutPFEntry    *Pent;          // Pointer to relevant file entry 
   bool              RtagOK;        // Rndm tag checked / not checked
   pwdStatus_t       Status;        // Some state flags
   bool              Tty;           // Terminal attached / not attached
   int               Step;          // Current step
   int               LastStep;      // Step required at previous iteration
   String            ErrMsg;        // Last error message
   int               SysPwd;        // 0 = no, 1 = Unix sys pwd, 2 = AFS pwd
   String            AFScell;       // AFS cell if it makes sense
   XrdSutBuffer     *Parms;         // Buffer with server parms on first iteration 

   // Start from a clean state: counters and steps at 0, TimeStamp and RemVers
   // at -1, all pointers null, all strings empty, RtagOK false (random tag
   // not yet checked).
   pwdHSVars() { Iter = 0; TimeStamp = -1; CryptoMod = ""; User = ""; Tag = "";
                 RemVers = -1; CF = 0; Hcip = 0; Rcip = 0;
                 ID = ""; Cref = 0; Pent = 0; RtagOK = 0; Tty = 0;
                 Step = 0; LastStep = 0; ErrMsg = "";
                 SysPwd = 0; AFScell = "";
                 Status.ctype = 0; Status.action = 0; Status.options = 0; Parms = 0;}

   // Release the objects this handshake owns.
   // NOTE(review): whether deleting the handshake cipher also wipes its key
   // material depends on XrdCryptoCipher, which is not visible here -- confirm.
   ~pwdHSVars() { SafeDelete(Cref); SafeDelete(Hcip); SafeDelete(Parms); }
};
00257 
00258 
00259 /******************************************************************************/
00260 /*              X r d S e c P r o t o c o l p w d   C l a s s                 */
00261 /******************************************************************************/
00262 
// Password-based ("pwd") security protocol. One class serves both roles of
// the handshake; the [C] / [S] / [CS] tags below mark what is used on the
// client side, the server side, or both.
// Configuration, file handles, caches and ciphers are static, i.e. shared by
// every instance in the process.
// NOTE(review): pwdContext presumably serializes access to that shared
// state -- confirm in the implementation.
class XrdSecProtocolpwd : public XrdSecProtocol
{
public:
        // Process credentials received from the peer; `parms` receives any
        // reply to send back and `einfo`, if given, error details.
        // NOTE(review): presumably returns a kpwdStatus value -- confirm.
        int                Authenticate  (XrdSecCredentials *cred,
                                          XrdSecParameters **parms,
                                          XrdOucErrInfo     *einfo=0);

        // Build the next credentials object to send, given the parameters
        // received so far.
        XrdSecCredentials *getCredentials(XrdSecParameters  *parm=0,
                                          XrdOucErrInfo     *einfo=0);

        // NOTE(review): hname is presumably copied into the fixed-size
        // CName[256] member; the copy must be bounded -- check the .cc file.
        XrdSecProtocolpwd(int opts, const char *hname,
                          const struct sockaddr *ipadd,
                          const char *parms = 0);
        virtual ~XrdSecProtocolpwd() {} // Delete() does it all

        // Initialization methods
        // The options object is taken by value, so its char* members are
        // shared with the caller's copy. Ownership of the returned string is
        // not visible here.
        static char      *Init(pwdOptions o, XrdOucErrInfo *erp);

        // Releases this instance; the destructor above is intentionally empty.
        void              Delete();

   static void       PrintTimeStat();

private:

   // Static members initialized at startup
   static XrdSysMutex      pwdContext;
   static String           FileAdmin;
   static String           FileExpCreds;     // (Template for) file with exported creds [S]
   static String           FileUser;
   static String           FileCrypt;
   static String           FileSrvPuk;
   static String           SrvID;
   static String           SrvEmail; 
   static String           DefCrypto;
   static String           DefError;
   static XrdSutPFile      PFAdmin;          // Admin file [S]
   static XrdSutPFile      PFAlog;           // Autologin file [CS]
   static XrdSutPFile      PFSrvPuk;         // File with server public keys [CS]
   //
   // Crypto related info
   // All four arrays have XrdCryptoMax slots; ncrypt must stay within that.
   static int              ncrypt;                  // Number of factories
   static int              cryptID[XrdCryptoMax];   // their IDs 
   static String           cryptName[XrdCryptoMax]; // their names 
   static XrdCryptoCipher *loccip[XrdCryptoMax];    // local ciphers
   static XrdCryptoCipher *refcip[XrdCryptoMax];    // ref for session ciphers 
   //
   // Caches for info files
   static XrdSutCache      cacheAdmin;  // Admin file
   static XrdSutCache      cacheSrvPuk; // SrvPuk file
   static XrdSutCache      cacheUser;   // User files
   static XrdSutCache      cacheAlog;   // Autologin file
   //
   // Running options / settings
   static int              Debug;          // [CS] Debug level
   static bool             Server;         // [CS] If server mode 
   static int              UserPwd;        // [S] Check passwd file in user's <xrdsecdir> 
   static bool             SysPwd;         // [S] Check system passwd file if allowed 
   static int              VeriClnt;       // [S] Client verification level
   static int              VeriSrv;        // [C] Server verification level
   static int              AutoReg;        // [S] Autoreg mode 
   static int              LifeCreds;      // [S] if > 0, credential lifetime in secs
   static int              MaxPrompts;     // [C] Repeating prompt
   static int              MaxFailures;    // [S] Max passwd failures before blocking
   static int              AutoLogin;      // [C] do-not-check/check/update autolog info
   static int              TimeSkew;       // [CS] Allowed skew in secs for time stamps 
   static bool             KeepCreds;      // [S] Keep / Do-Not-Keep client creds
   //
   // for error logging and tracing
   static XrdSysLogger     Logger;
   static XrdSysError      eDest;
   static XrdOucTrace     *SecTrace;

   // Information local to this instance
   int                     options;
   struct sockaddr         hostaddr;      // Client-side only
   char                    CName[256];    // Client-name
   bool                    srvMode;       // TRUE if server mode 

   // Handshake local info
   pwdHSVars              *hs;

   // Acquired credentials (server side)
   // NOTE(review): holds credential material received from the client;
   // confirm that Delete() clears it as well as freeing it.
   XrdSecCredentials      *clientCreds;

   // Parsing received buffers
   // These take data that came from the remote peer; `bm` receives the main
   // buffer and the String argument a message on failure.
   int            ParseClientInput(XrdSutBuffer *br, XrdSutBuffer **bm,
                                   String &emsg);
   int            ParseServerInput(XrdSutBuffer *br, XrdSutBuffer **bm,
                                   String &cmsg);
   int            ParseCrypto(XrdSutBuffer *buf);

   // Error functions
   // ErrC and ErrS also take up to three buffers (b1..b3).
   // NOTE(review): presumably so they can be released on the error path --
   // confirm, since callers must then not release them again.
   static void    ErrF(XrdOucErrInfo *einfo, kXR_int32 ecode,
                       const char *msg1, const char *msg2 = 0,
                       const char *msg3 = 0);
   XrdSecCredentials *ErrC(XrdOucErrInfo *einfo, XrdSutBuffer *b1,
                           XrdSutBuffer *b2,XrdSutBuffer *b3,
                           kXR_int32 ecode, const char *msg1 = 0,
                           const char *msg2 = 0, const char *msg3 = 0);
   int            ErrS(String ID, XrdOucErrInfo *einfo, XrdSutBuffer *b1,
                       XrdSutBuffer *b2, XrdSutBuffer *b3,
                       kXR_int32 ecode, const char *msg1 = 0,
                       const char *msg2 = 0, const char *msg3 = 0);

   // Query methods
   // QueryCrypt and QueryNetRc hand a password hash / password back through
   // their String reference arguments.
   XrdSutBucket  *QueryCreds(XrdSutBuffer *bm, bool netrc, int &status);
   int            QueryUser(int &status, String &cmsg);
   int            QueryCrypt(String &fn, String &pwhash);
   int            QueryNetRc(String host, String &passwd, int &status);

   // Check credentials
   bool           CheckCreds(XrdSutBucket *creds, int credtype);
   bool           CheckCredsAFS(XrdSutBucket *creds, int ctype);

   // Check Time stamp
   // `skew` is the tolerated difference in seconds (see TimeSkew above).
   bool           CheckTimeStamp(XrdSutBuffer *b, int skew, String &emsg);

   // Check random challenge
   bool           CheckRtag(XrdSutBuffer *bm, String &emsg);

   // Saving / Updating
   // NOTE(review): ExportCreds / SaveCreds write credential data to files;
   // the permissions used for those files are set in the implementation,
   // not here -- confirm they are owner-only.
   int            ExportCreds(XrdSutBucket *creds);
   int            SaveCreds(XrdSutBucket *creds);
   int            UpdateAlog();

   // Auxiliary methods
   int            GetUserHost(String &usr, String &host);
   int            AddSerialized(char opt, kXR_int32 step, String ID, 
                                XrdSutBuffer *bls, XrdSutBuffer *buf,
                                kXR_int32 type, XrdCryptoCipher *cip);
   int            DoubleHash(XrdCryptoFactory *cf, XrdSutBucket *bck,
                             XrdSutBucket *s1, XrdSutBucket *s2 = 0,
                             const char *tag = 0);
};

Generated on Tue Jul 5 14:47:00 2011 for ROOT_528-00b_version by  doxygen 1.5.1