Logo ROOT  

Reference Guide
 
Loading...
Searching...
No Matches
TAuthenticate.cxx
Go to the documentation of this file.
1// @(#)root/auth:$Id: f2cfa663e232707e1201467b5805ff1d13575326 $
2// Author: Fons Rademakers 26/11/2000
3
4/*************************************************************************
5 * Copyright (C) 1995-2000, Rene Brun and Fons Rademakers. *
6 * All rights reserved. *
7 * *
8 * For the licensing terms see $ROOTSYS/LICENSE. *
9 * For the list of contributors see $ROOTSYS/README/CREDITS. *
10 *************************************************************************/
11
12//////////////////////////////////////////////////////////////////////////
13// //
14// TAuthenticate //
15// //
16// An authentication module for ROOT based network services, like rootd // //
17// //
18//////////////////////////////////////////////////////////////////////////
19
20#include "RConfigure.h"
21
22#include "TAuthenticate.h"
23#include "TApplication.h"
24#include "THostAuth.h"
25#include "TRootSecContext.h"
26#include "TPluginManager.h"
27#include "TNetFile.h"
28#include "TPSocket.h"
29#include "TMessage.h"
30#include "TSystem.h"
31#include "TError.h"
32#include "Getline.h"
33#include "TROOT.h"
34#include "TEnv.h"
35#include "TList.h"
36#include "NetErrors.h"
37#include "TRegexp.h"
38#include "TVirtualMutex.h"
39#include "TTimer.h"
40#include "TBase64.h"
41#include "strlcpy.h"
42#include "snprintf.h"
43
44#include "rsafun.h"
45
46#ifndef R__LYNXOS
47#include <sys/stat.h>
48#endif
49#include <cerrno>
50#include <sys/types.h>
51#include <ctime>
52#if !defined(R__WIN32) && !defined(R__MACOSX) && !defined(R__FBSD) && \
53 !defined(R__OBSD)
54#include <crypt.h>
55#endif
56#ifdef WIN32
57# include <io.h>
58#endif /* WIN32 */
59#if defined(R__LINUX) || defined(R__FBSD) || defined(R__OBSD)
60# include <unistd.h>
61#endif
62#include <cstdlib>
63#ifndef WIN32
64# include <sys/time.h>
65#endif /* WIN32 */
66
67#if defined(R__MACOSX)
68extern "C" char *crypt(const char *, const char *);
69#endif
70
71#ifdef R__SSL
72// SSL specific headers
73# include <openssl/bio.h>
74# include <openssl/err.h>
75# include <openssl/pem.h>
76# include <openssl/rand.h>
77# include <openssl/rsa.h>
78# include <openssl/ssl.h>
79# include <openssl/blowfish.h>
80#endif
81
82struct R__rsa_KEY: rsa_KEY { R__rsa_KEY(): rsa_KEY() {} };
83struct R__rsa_KEY_export: rsa_KEY_export {};
84struct R__rsa_NUMBER: rsa_NUMBER {};
85
86#ifdef R__SSL
87 static BF_KEY fgBFKey; // Blowfish symmetric key
88#endif
89
90// Statics initialization
91TList *TAuthenticate::fgAuthInfo = 0;
92TString TAuthenticate::fgAuthMeth[] = { "UsrPwd", "Unsupported", "Unsupported",
93 "Unsupported", "Unsupported", "Unsupported" };
94Bool_t TAuthenticate::fgAuthReUse;
95TString TAuthenticate::fgDefaultUser;
96TDatime TAuthenticate::fgExpDate;
97TDatime TAuthenticate::fgLastAuthrc; // Time of last reading of fgRootAuthrc
98TString TAuthenticate::fgPasswd;
99TPluginHandler *TAuthenticate::fgPasswdDialog = (TPluginHandler *)(-1);
100Bool_t TAuthenticate::fgPromptUser;
101Bool_t TAuthenticate::fgPwHash;
102Bool_t TAuthenticate::fgReadHomeAuthrc = kTRUE; // on/off search for $HOME/.rootauthrc
103TString TAuthenticate::fgRootAuthrc; // Path to last rootauthrc-like file read
104Int_t TAuthenticate::fgRSAKey = -1; // Default RSA key type to be used
105Int_t TAuthenticate::fgRSAInit = 0;
106R__rsa_KEY TAuthenticate::fgRSAPriKey;
107R__rsa_KEY_export R__fgRSAPubExport[2] = {{}, {}};
108R__rsa_KEY_export* TAuthenticate::fgRSAPubExport = R__fgRSAPubExport;
109R__rsa_KEY TAuthenticate::fgRSAPubKey;
110SecureAuth_t TAuthenticate::fgSecAuthHook;
111TString TAuthenticate::fgUser;
112Bool_t TAuthenticate::fgUsrPwdCrypt;
113Int_t TAuthenticate::fgLastError = -1;
114Int_t TAuthenticate::fgAuthTO = -2; // Timeout value
115
116// ID of the main thread as unique identifier
117Int_t TAuthenticate::fgProcessID = -1;
118
119TVirtualMutex *gAuthenticateMutex = 0;
120
121// Standard version of Sec Context match checking
122Int_t StdCheckSecCtx(const char *, TRootSecContext *);
123
124
125
126////////////////////////////////////////////////////////////////////////////////
127/// rand() implementation using /udev/random or /dev/random, if available
128
129static int auth_rand()
130{
131#ifndef WIN32
132 int frnd = open("/dev/urandom", O_RDONLY);
133 if (frnd < 0) frnd = open("/dev/random", O_RDONLY);
134 int r;
135 if (frnd >= 0) {
136 ssize_t rs = read(frnd, (void *) &r, sizeof(int));
137 close(frnd);
138 if (r < 0) r = -r;
139 if (rs == sizeof(int)) return r;
140 }
141 Printf("+++ERROR+++ : auth_rand: neither /dev/urandom nor /dev/random are available or readable!");
142 struct timeval tv;
143 if (gettimeofday(&tv,0) == 0) {
144 int t1, t2;
145 memcpy((void *)&t1, (void *)&tv.tv_sec, sizeof(int));
146 memcpy((void *)&t2, (void *)&tv.tv_usec, sizeof(int));
147 r = t1 + t2;
148 if (r < 0) r = -r;
149 return r;
150 }
151 return -1;
152#else
153 // No special random device available: use rand()
154 return rand();
155#endif
156}
157
158////////////////////////////////////////////////////////////////////////////////
159/// Create authentication object.
160
161TAuthenticate::TAuthenticate(TSocket *sock, const char *remote,
162 const char *proto, const char *user)
163{
164 if (gDebug > 2 && gAuthenticateMutex)
165 Info("Authenticate", "locking mutex (pid: %d)",gSystem->GetPid());
166 R__LOCKGUARD2(gAuthenticateMutex);
167
168 // Use the ID of the starting thread as unique identifier
169 if (fgProcessID < 0)
170 fgProcessID = gSystem->GetPid();
171
172 if (fgAuthTO == -2)
173 fgAuthTO = gEnv->GetValue("Auth.Timeout",-1);
174
175 fSocket = sock;
176 fRemote = remote;
177 fHostAuth = 0;
178 fVersion = 5; // The latest, by default
179 fSecContext = 0;
180
181 if (gDebug > 2)
182 Info("TAuthenticate", "Enter: local host: %s, user is: %s (proto: %s)",
183 gSystem->HostName(), user, proto);
184
185 // Set protocol string.
186 // Check if version should be different ...
187 char *pdd;
188 Int_t servtype = TSocket::kSOCKD;
189 if (proto && strlen(proto) > 0) {
190 char *sproto = StrDup(proto);
191 if ((pdd = strstr(sproto, ":")) != 0) {
192 int rproto = atoi(pdd + 1);
193 *pdd = '\0';
194 if (strstr(sproto, "root") != 0) {
195 if (rproto < 12 ) {
196 fVersion = 4;
197 if (rproto < 11 ) {
198 fVersion = 3;
199 if (rproto < 9 ) {
200 fVersion = 2;
201 if (rproto < 8) {
202 fVersion = 1;
203 if (rproto < 6)
204 fVersion = 0;
205 }
206 }
207 }
208 }
209 servtype = TSocket::kROOTD;
210 }
211 if (gDebug > 3)
212 Info("TAuthenticate",
213 "service: %s (remote protocol: %d): fVersion: %d", sproto,
214 rproto, fVersion);
215 }
216 fProtocol = sproto;
217 delete [] sproto;
218 }
219
220 // Check or get user name
221 fUser = "";
222 TString checkUser;
223 if (user && strlen(user) > 0) {
224 fUser = user;
225 checkUser = user;
226 } else {
227 UserGroup_t *u = gSystem->GetUserInfo();
228 if (u)
229 checkUser = u->fUser;
230 delete u;
231 }
232 fPasswd = "";
233 fPwHash = kFALSE;
234
235 // Type of RSA key
236 if (fgRSAKey < 0) {
237 fgRSAKey = 0; // Default key
238#ifdef R__SSL
239 // Another choice possible: check user preferences
240 if (gEnv->GetValue("RSA.KeyType",0) == 1)
241 fgRSAKey = 1;
242#endif
243 }
244 // This is the key actually used: we propose the default
245 // to the server, and behave according to its reply
246 fRSAKey = fgRSAKey;
247 if (gDebug > 3)
248 Info("TAuthenticate","RSA key: default type %d", fgRSAKey);
249
250 // RSA key generation (one per session)
251 if (!fgRSAInit) {
252 GenRSAKeys();
253 fgRSAInit = 1;
254 }
255
256 // Check and save the host FQDN ...
257 TString fqdn;
258 TInetAddress addr = gSystem->GetHostByName(fRemote);
259 if (addr.IsValid())
260 fqdn = addr.GetHostName();
261 TString fqdnsrv;
262 fqdnsrv.Form("%s:%d",fqdn.Data(),servtype);
263
264 // Read directives from files; re-read if files have changed
265 TAuthenticate::ReadRootAuthrc();
266
267 if (gDebug > 3) {
268 Info("TAuthenticate",
269 "number of HostAuth Instantiations in memory: %d",
270 GetAuthInfo()->GetSize());
271 TAuthenticate::Show("H");
272 TAuthenticate::Show("P");
273 }
274
275 // Check the list of auth info for already loaded info about this host
276 fHostAuth = GetHostAuth(fqdnsrv, checkUser);
277
278 //
279 // If generic THostAuth (i.e. with wild card or user == any)
280 // make a personalized memory copy of this THostAuth
281 if (strchr(fHostAuth->GetHost(),'*') || strchr(fHostAuth->GetHost(),'*') ||
282 fHostAuth->GetServer() == -1 ) {
283 fHostAuth = new THostAuth(*fHostAuth);
284 fHostAuth->SetHost(fqdn);
285 fHostAuth->SetUser(checkUser);
286 fHostAuth->SetServer(servtype);
287 }
288
289 // If a specific method has been requested via the protocol
290 // set it as first
291 Int_t sec = -1;
292 TString tmp = fProtocol;
293 tmp.ReplaceAll("root",4,"",0);
294 tmp.ReplaceAll("sock",4,"",0);
295 if (!strncmp(tmp.Data(),"up",2))
296 sec = 0;
297 else if (!strncmp(tmp.Data(),"s",1))
298 sec = 1;
299 else if (!strncmp(tmp.Data(),"k",1))
300 sec = 2;
301 else if (!strncmp(tmp.Data(),"g",1))
302 sec = 3;
303 else if (!strncmp(tmp.Data(),"h",1))
304 sec = 4;
305 else if (!strncmp(tmp.Data(),"ug",2))
306 sec = 5;
307 if (sec > -1 && sec < kMAXSEC) {
308 if (fHostAuth->HasMethod(sec)) {
309 fHostAuth->SetFirst(sec);
310 } else {
311 char *dtmp = GetDefaultDetails(sec, 1, checkUser);
312 TString det(dtmp);
313 fHostAuth->AddFirst(sec, det);
314 if (dtmp)
315 delete [] dtmp;
316 }
317 }
318
319 // This is what we have in memory
320 if (gDebug > 3) {
321 TIter next(fHostAuth->Established());
322 TRootSecContext *ctx;
323 while ((ctx = (TRootSecContext *) next()))
324 ctx->Print("0");
325 }
326}
327
328////////////////////////////////////////////////////////////////////////////////
329/// Called in connection with a timer timeout
330
331void TAuthenticate::CatchTimeOut()
332{
333 Info("CatchTimeOut", "%d sec timeout expired (protocol: %s)",
334 fgAuthTO, fgAuthMeth[fSecurity].Data());
335
336 fTimeOut = 1;
337 if (fSocket)
338 fSocket->Close("force");
339
340 return;
341}
342
343////////////////////////////////////////////////////////////////////////////////
344/// Authenticate to remote rootd server. Return kTRUE if
345/// authentication succeeded.
346
347Bool_t TAuthenticate::Authenticate()
348{
349 if (gDebug > 2 && gAuthenticateMutex)
350 Info("Authenticate", "locking mutex (pid: %d)",gSystem->GetPid());
351 R__LOCKGUARD2(gAuthenticateMutex);
352
353 Bool_t rc = kFALSE;
354 Int_t st = -1;
355 Int_t remMeth = 0, rMth[kMAXSEC], tMth[kMAXSEC] = {0};
356 Int_t meth = 0;
357 char noSupport[80] = { 0 };
358 char triedMeth[80] = { 0 };
359 Int_t ntry = 0;
360
361 TString user, passwd;
362 Bool_t pwhash;
363
364 if (gDebug > 2)
365 Info("Authenticate", "enter: fUser: %s", fUser.Data());
366
367 //
368 // Setup timeout timer, if required
369 TTimer *alarm = 0;
370 if (fgAuthTO > 0) {
371 alarm = new TTimer(0, kFALSE);
372 alarm->SetInterruptSyscalls();
373 // The method CatchTimeOut will be called at timeout
374 alarm->Connect("Timeout()", "TAuthenticate", this, "CatchTimeOut()");
375 }
376
377negotia:
378 st = -1;
379 tMth[meth] = 1;
380 ntry++;
381 if (gDebug > 2)
382 Info("Authenticate", "try #: %d", ntry);
383
384 user = "";
385 passwd = "";
386 pwhash = kFALSE;
387
388 // Security level from the list (if not in cleanup mode ...)
389 fSecurity = (ESecurity) fHostAuth->GetMethod(meth);
390 fDetails = fHostAuth->GetDetails((Int_t) fSecurity);
391 if (gDebug > 2)
392 Info("Authenticate",
393 "trying authentication: method:%d, default details:%s",
394 fSecurity, fDetails.Data());
395
396 // Keep track of tried methods in a list
397 if (triedMeth[0] != '\0')
398 (void) strlcat(triedMeth, " ", sizeof(triedMeth) - 1);
399
400 (void) strlcat(triedMeth, fgAuthMeth[fSecurity].Data(), sizeof(triedMeth) - 1);
401
402 // Set environments
403 SetEnvironment();
404
405 //
406 // Reset timeout variables and start timer
407 fTimeOut = 0;
408 if (fgAuthTO > 0 && alarm) {
409 alarm->Start(fgAuthTO*1000, kTRUE);
410 }
411
412 // Auth calls depend of fSec
413 if (fSecurity == kClear) {
414
415 rc = kFALSE;
416
417 // UsrPwd Authentication
418 user = fgDefaultUser;
419 if (user != "")
420 CheckNetrc(user, passwd, pwhash, kFALSE);
421 if (passwd == "") {
422 if (fgPromptUser) {
423 char *u = PromptUser(fRemote);
424 user = u;
425 delete[] u;
426 }
427 rc = GetUserPasswd(user, passwd, pwhash, kFALSE);
428 }
429 fUser = user;
430 fPasswd = passwd;
431
432 if (!rc) {
433
434 if (fUser != "root")
435 st = ClearAuth(user, passwd, pwhash);
436 } else {
437 Error("Authenticate",
438 "unable to get user name for UsrPwd authentication");
439 }
440
441 }
442
443 // Stop timer
444 if (alarm) alarm->Stop();
445
446 // Flag timeout condition
447 st = (fTimeOut > 0) ? -3 : st;
448
449 //
450 // Analyse the result now ...
451 // Type of action after the analysis:
452 // 0 = return, 1 = negotiation, 2 = send kROOTD_BYE + 3,
453 // 3 = print failure and return
454 Int_t action = 0;
455 Int_t nmet = fHostAuth->NumMethods();
456 Int_t remloc = nmet - ntry;
457 if (gDebug > 0)
458 Info("Authenticate","remloc: %d, ntry: %d, meth: %d, fSecurity: %d",
459 remloc, ntry, meth, fSecurity);
460 Int_t kind, stat;
461 switch (st) {
462
463 case 1:
464 //
465 // Success
466 fHostAuth->CountSuccess((Int_t)fSecurity);
467 if (gDebug > 2)
468 fSecContext->Print();
469 if (fSecContext->IsActive())
470 fSecContext->AddForCleanup(fSocket->GetPort(),
471 fSocket->GetRemoteProtocol(),fSocket->GetServType());
472 rc = kTRUE;
473 break;
474
475 case 0:
476 //
477 // Failure
478 fHostAuth->CountFailure((Int_t)fSecurity);
479 if (fVersion < 2) {
480 //
481 // Negotiation not supported by old daemons ...
482 if (gDebug > 2)
483 Info("Authenticate",
484 "negotiation not supported remotely: try next method, if any");
485 if (meth < nmet - 1) {
486 meth++;
487 action = 1;
488 } else {
489 action = 2;
490 }
491 rc = kFALSE;
492 break;
493 }
494 //
495 // Attempt negotiation ...
496 if (fSocket->Recv(stat, kind) < 0) {
497 action = 0;
498 rc = kFALSE;
499 }
500 if (gDebug > 2)
501 Info("Authenticate",
502 "after failed attempt: kind= %d, stat= %d", kind, stat);
503 if (kind == kROOTD_ERR) {
504 action = 2;
505 rc = kFALSE;
506 } else if (kind == kROOTD_NEGOTIA) {
507 if (stat > 0) {
508 int len = 3 * stat;
509 char *answer = new char[len];
510 int nrec = fSocket->Recv(answer, len, kind); // returns user
511 if (nrec < 0) {
512 delete[] answer; // delete buffer while it exit switch() scope
513 action = 0;
514 rc = kFALSE;
515 break;
516 }
517 if (kind != kMESS_STRING)
518 Warning("Authenticate",
519 "strings with accepted methods not received (%d:%d)",
520 kind, nrec);
521 remMeth =
522 sscanf(answer, "%d %d %d %d %d %d", &rMth[0], &rMth[1],
523 &rMth[2], &rMth[3], &rMth[4], &rMth[5]);
524 if (gDebug > 0 && remloc > 0)
525 Info("Authenticate",
526 "remotely allowed methods not yet tried: %s",
527 answer);
528 delete[] answer;
529 } else if (stat == 0) {
530 Info("Authenticate",
531 "no more methods accepted remotely to be tried");
532 action = 3;
533 rc = kFALSE;
534 break;
535 }
536 // If no more local methods, return
537 if (remloc < 1) {
538 action = 2;
539 rc = kFALSE;
540 break;
541 }
542 // Look if a non-tried method matches
543 int i, j;
544 std::string available{};
545 Bool_t methfound = kFALSE;
546 for (i = 0; i < remMeth; i++) {
547 for (j = 0; j < nmet; j++) {
548 if (fHostAuth->GetMethod(j) == rMth[i] && tMth[j] == 0) {
549 meth = j;
550 action = 1;
551 methfound = kTRUE;
552 break;
553 }
554 if (i == 0)
555 available += " " + std::to_string(fHostAuth->GetMethod(j));
556 }
557 if (methfound) break;
558 }
559 if (methfound) break;
560 //
561 // No method left to be tried: notify and exit
562 if (gDebug > 0)
563 Warning("Authenticate", "no match with those locally available: %s", available.c_str());
564 action = 2;
565 rc = kFALSE;
566 break;
567 } else { // unknown message code at this stage
568 action = 3;
569 rc = kFALSE;
570 break;
571 }
572 break;
573
574 case -1:
575 //
576 // Method not supported
577 fHostAuth->CountFailure((Int_t)fSecurity);
578 if (gDebug > 2)
579 Info("Authenticate",
580 "method not even started: insufficient or wrong info: %s",
581 "try with next method, if any");
582 fHostAuth->RemoveMethod(fSecurity);
583 nmet--;
584 if (nmet > 0) {
585 action = 1;
586 } else
587 action = 2;
588
589 break;
590
591 case -2:
592 //
593 // Remote host does not accepts connections from local host
594 fHostAuth->CountFailure((Int_t)fSecurity);
595 if (fVersion <= 2)
596 if (gDebug > 2)
597 Warning("Authenticate",
598 "status code -2 not expected from old daemons");
599 rc = kFALSE;
600 break;
601
602 case -3:
603 //
604 // Timeout: we set the method as last one, should the caller
605 // decide to retry, if it will attempt first something else.
606 // (We can not retry directly, because the server will not be
607 // synchronized ...)
608 fHostAuth->CountFailure((Int_t)fSecurity);
609 if (gDebug > 2)
610 Info("Authenticate", "got a timeout");
611 fHostAuth->SetLast(fSecurity);
612 if (meth < nmet - 1) {
613 fTimeOut = 2;
614 } else
615 fTimeOut = 1;
616 rc = kFALSE;
617 break;
618
619 default:
620 fHostAuth->CountFailure((Int_t)fSecurity);
621 if (gDebug > 2)
622 Info("Authenticate", "unknown status code: %d - assume failure",st);
623 rc = kFALSE;
624 action = 0;
625 break;
626 }
627
628 switch (action) {
629 case 1:
630 goto negotia;
631 // No break but we go away anyhow
632 case 2:
633 fSocket->Send("0", kROOTD_BYE);
634 // fallthrough
635 case 3:
636 if (strlen(noSupport) > 0)
637 Info("Authenticate", "attempted methods %s are not supported"
638 " by remote server version", noSupport);
639 Info("Authenticate",
640 "failure: list of attempted methods: %s", triedMeth);
641 AuthError("Authenticate",-1);
642 rc = kFALSE;
643 break;
644 default:
645 break;
646 }
647
648 // Cleanup timer
649 SafeDelete(alarm);
650
651 return rc;
652
653}
654
655////////////////////////////////////////////////////////////////////////////////
656/// Set default authentication environment. The values are inferred
657/// from fSecurity and fDetails.
658
659void TAuthenticate::SetEnvironment()
660{
661 R__LOCKGUARD2(gAuthenticateMutex);
662
663 if (gDebug > 2)
664 Info("SetEnvironment",
665 "setting environment: fSecurity:%d, fDetails:%s", fSecurity,
666 fDetails.Data());
667
668 // Defaults
669 fgDefaultUser = fgUser;
670 fgAuthReUse = kTRUE;
671 fgPromptUser = kFALSE;
672
673 // Decode fDetails, is non empty ...
674 if (fDetails != "") {
675 char usdef[kMAXPATHLEN] = { 0 };
676 char pt[5] = { 0 }, ru[5] = { 0 };
677 Int_t hh = 0, mm = 0;
678 char us[kMAXPATHLEN] = {0}, cp[kMAXPATHLEN] = {0};
679 const char *ptr;
680
681 TString usrPromptDef = TString(GetAuthMethod(fSecurity)) + ".LoginPrompt";
682 if ((ptr = strstr(fDetails, "pt:")) != 0) {
683 sscanf(ptr + 3, "%4s %8191s", pt, usdef);
684 } else {
685 if (!strncasecmp(gEnv->GetValue(usrPromptDef,""),"no",2) ||
686 !strncmp(gEnv->GetValue(usrPromptDef,""),"0",1))
687 strncpy(pt,"0",2);
688 else
689 strncpy(pt,"1",2);
690 }
691 TString usrReUseDef = TString(GetAuthMethod(fSecurity)) + ".ReUse";
692 if ((ptr = strstr(fDetails, "ru:")) != 0) {
693 sscanf(ptr + 3, "%4s %8191s", ru, usdef);
694 } else {
695 if (!strncasecmp(gEnv->GetValue(usrReUseDef,""),"no",2) ||
696 !strncmp(gEnv->GetValue(usrReUseDef,""),"0",1))
697 strncpy(ru,"0",2);
698 else
699 strncpy(ru,"1",2);
700 }
701 TString usrValidDef = TString(GetAuthMethod(fSecurity)) + ".Valid";
702 TString hours(gEnv->GetValue(usrValidDef,"24:00"));
703 Int_t pd = 0;
704 if ((pd = hours.Index(":")) > -1) {
705 TString minutes = hours;
706 hours.Resize(pd);
707 minutes.Replace(0,pd+1,"");
708 hh = atoi(hours.Data());
709 mm = atoi(minutes.Data());
710 } else {
711 hh = atoi(hours.Data());
712 mm = 0;
713 }
714
715 // Now action depends on method ...
716 if (fSecurity == kClear) {
717 if ((ptr = strstr(fDetails, "us:")) != 0)
718 sscanf(ptr + 3, "%8191s %8191s", us, usdef);
719 if ((ptr = strstr(fDetails, "cp:")) != 0)
720 sscanf(ptr + 3, "%8191s %8191s", cp, usdef);
721 if (gDebug > 2)
722 Info("SetEnvironment", "details:%s, pt:%s, ru:%s, us:%s cp:%s",
723 fDetails.Data(), pt, ru, us, cp);
724 } else {
725 if ((ptr = strstr(fDetails, "us:")) != 0)
726 sscanf(ptr + 3, "%8191s %8191s", us, usdef);
727 if (gDebug > 2)
728 Info("SetEnvironment", "details:%s, pt:%s, ru:%s, us:%s",
729 fDetails.Data(), pt, ru, us);
730 }
731
732 // Set Prompt flag
733 if (!strncasecmp(pt, "yes",3) || !strncmp(pt, "1", 1))
734 fgPromptUser = kTRUE;
735
736 // Set Expiring date
737 fgExpDate = TDatime();
738 fgExpDate.Set(fgExpDate.Convert() + hh*3600 + mm*60);
739
740 // UnSet Crypt flag for UsrPwd, if requested
741 if (fSecurity == kClear) {
742 fgUsrPwdCrypt = kTRUE;
743 if (!strncmp(cp, "no", 2) || !strncmp(cp, "0", 1))
744 fgUsrPwdCrypt = kFALSE;
745 }
746 // Build UserDefaults
747 usdef[0] = '\0';
748 // give highest priority to command-line specification
749 if (fUser == "") {
750 if (strlen(us) > 0) snprintf(usdef, kMAXPATHLEN, "%s", us);
751 } else {
752 snprintf(usdef, kMAXPATHLEN, "%s", fUser.Data());
753 }
754
755 if (strlen(usdef) > 0) {
756 fgDefaultUser = usdef;
757 } else {
758 if (fgUser != "") {
759 fgDefaultUser = fgUser;
760 } else {
761 UserGroup_t *u = gSystem->GetUserInfo();
762 if (u)
763 fgDefaultUser = u->fUser;
764 delete u;
765 }
766 }
767 if (fgDefaultUser == "anonymous" || fgDefaultUser == "rootd" ||
768 fgUser != "" || fUser != "") {
769 // when set by user don't prompt for it anymore
770 fgPromptUser = kFALSE;
771 }
772
773 if (gDebug > 2)
774 Info("SetEnvironment", "usdef:%s", fgDefaultUser.Data());
775 }
776}
777
778////////////////////////////////////////////////////////////////////////////////
779/// Try to get user name and passwd from several sources.
780
781Bool_t TAuthenticate::GetUserPasswd(TString &user, TString &passwd,
782 Bool_t &pwhash, Bool_t srppwd)
783{
784 if (srppwd) {
785 Error("GetUserPasswd", "SRP no longer supported by ROOT");
786 return 1;
787 }
788
789 if (gDebug > 3)
790 Info("GetUserPasswd", "Enter: User: '%s' Hash:%d SRP:%d",
791 user.Data(),(Int_t)pwhash,(Int_t)false);
792
793 // Get user and passwd set via static functions SetUser and SetPasswd.
794 if (user == "" && fgUser != "")
795 user = fgUser;
796
797 if (fgUser != "" && user == fgUser) {
798 if (passwd == "" && fgPasswd != "") {
799 passwd = fgPasswd;
800 pwhash = fgPwHash;
801 }
802 }
803
804 if (gDebug > 3)
805 Info("GetUserPasswd", "In memory: User: '%s' Hash:%d",
806 user.Data(),(Int_t)pwhash);
807
808 // Check system info for user if still not defined
809 if (user == "") {
810 UserGroup_t *u = gSystem->GetUserInfo();
811 if (u)
812 user = u->fUser;
813 delete u;
814 if (gDebug > 3)
815 Info("GetUserPasswd", "In memory: User: '%s' Hash:%d",
816 user.Data(),(Int_t)pwhash);
817 }
818
819 // Check ~/.rootnetrc and ~/.netrc files if user was not set via
820 // the static SetUser() method.
821 if (user == "" || passwd == "") {
822 if (gDebug > 3)
823 Info("GetUserPasswd", "Checking .netrc family ...");
824 CheckNetrc(user, passwd, pwhash, /* srppwd */ false);
825 }
826 if (gDebug > 3)
827 Info("GetUserPasswd", "From .netrc family: User: '%s' Hash:%d",
828 user.Data(),(Int_t)pwhash);
829
830 // If user also not set via ~/.rootnetrc or ~/.netrc ask user.
831 if (user == "") {
832 char *p = PromptUser(fRemote);
833 user = p;
834 delete [] p;
835 if (user == "") {
836 Error("GetUserPasswd", "user name not set");
837 return 1;
838 }
839 }
840
841 return 0;
842}
843
844////////////////////////////////////////////////////////////////////////////////
845/// Try to get user name and passwd from the ~/.rootnetrc or
846/// ~/.netrc files. For more info see the version with 4 arguments.
847/// This version is maintained for backward compatability reasons.
848
849Bool_t TAuthenticate::CheckNetrc(TString &user, TString &passwd)
850{
851 Bool_t hash = false;
852 return CheckNetrc(user, passwd, hash, /* srppwd */ false);
853}
854
855////////////////////////////////////////////////////////////////////////////////
856/// Try to get user name and passwd from the ~/.rootnetrc or
857/// ~/.netrc files. First ~/.rootnetrc is tried, after that ~/.netrc.
858/// These files will only be used when their access masks are 0600.
859/// Returns kTRUE if user and passwd were found for the machine
860/// specified in the URL. If kFALSE, user and passwd are "".
861/// The boolean pwhash is set to kTRUE if the returned passwd is to
862/// be understood as password hash, i.e. if the 'password-hash' keyword
863/// is found in the 'machine' lines; not implemented for 'secure'
864/// and the .netrc file.
865/// The format of these files are:
866///
867/// # this is a comment line
868/// machine `<machine fqdn>` login `<user>` password `<passwd>`
869/// machine `<machine fqdn>` login `<user>` password-hash `<passwd>`
870///
871/// and in addition ~/.rootnetrc also supports:
872///
873/// secure `<machine fqdn>` login `<user>` password `<passwd>`
874///
875/// `<machine fqdn>` may be a domain name or contain the wild card '*'.
876///
877/// for the secure protocols. All lines must start in the first column.
878
879Bool_t TAuthenticate::CheckNetrc(TString &user, TString &passwd,
880 Bool_t &pwhash, Bool_t srppwd)
881{
882 if (srppwd) {
883 Error("CheckNetrc", "SRP no longer supported by ROOT");
884 return 1;
885 }
886
887 Bool_t result = kFALSE;
888 Bool_t first = kTRUE;
889 TString remote = fRemote;
890
891 passwd = "";
892 pwhash = kFALSE;
893
894 TString temp_rootnet = ".rootnetrc";
895 const char *net =
896 gSystem->PrependPathName(gSystem->HomeDirectory(), temp_rootnet);
897
898 // Determine FQDN of the host ...
899 TInetAddress addr = gSystem->GetHostByName(fRemote);
900 if (addr.IsValid())
901 remote = addr.GetHostName();
902
903again:
904 // Only use file when its access rights are 0600
905 FileStat_t buf;
906 if (gSystem->GetPathInfo(net, buf) == 0) {
907#ifdef WIN32
908 // Since Win32 does not have proper protections use file always
909 bool mode0600 = true;
910#else
911 bool mode0600 = (buf.fMode & 0777) == (kS_IRUSR | kS_IWUSR);
912#endif
913 if (R_ISREG(buf.fMode) && !R_ISDIR(buf.fMode) && mode0600) {
914 FILE *fd = fopen(net, "r");
915 char line[256];
916 while (fgets(line, sizeof(line), fd) != 0) {
917 if (line[0] == '#')
918 continue;
919 char word[6][64];
920 int nword = sscanf(line, "%63s %63s %63s %63s %63s %63s",
921 word[0], word[1], word[2], word[3], word[4], word[5]);
922 if (nword != 6)
923 continue;
924 if (strcmp(word[0], "machine"))
925 continue;
926 if (strcmp(word[2], "login"))
927 continue;
928 if (strcmp(word[4], "password") && strcmp(word[4], "password-hash"))
929 continue;
930
931 // Treat the host name found in file as a regular expression
932 // with '*' as a wild card
933 TString href(word[1]);
934 href.ReplaceAll("*",".*");
935 TRegexp rg(href);
936 if (remote.Index(rg) != kNPOS) {
937 if (user == "") {
938 user = word[3];
939 passwd = word[5];
940 if (!strcmp(word[4], "password-hash"))
941 pwhash = kTRUE;
942 result = kTRUE;
943 break;
944 } else {
945 if (!strcmp(word[3], user.Data())) {
946 passwd = word[5];
947 if (!strcmp(word[4], "password-hash"))
948 pwhash = kTRUE;
949 result = kTRUE;
950 break;
951 }
952 }
953 }
954 }
955 fclose(fd);
956 } else
957 Warning("CheckNetrc",
958 "file %s exists but has not 0600 permission", net);
959 }
960
961 if (first && !result) {
962 TString temp_net = ".netrc";
963 net = gSystem->PrependPathName(gSystem->HomeDirectory(), temp_net);
964 first = kFALSE;
965 goto again;
966 }
967
968 return result;
969 }
970
971////////////////////////////////////////////////////////////////////////////////
972/// Static method returning the global user.
973
974const char *TAuthenticate::GetGlobalUser()
975{
976 return fgUser;
977}
978
979////////////////////////////////////////////////////////////////////////////////
980/// Static method returning the global password hash flag.
981
986
987////////////////////////////////////////////////////////////////////////////////
988/// Static method returning the global SRP password flag.
989
990Bool_t TAuthenticate::GetGlobalSRPPwd()
991{
992 return false;
993}
994
995////////////////////////////////////////////////////////////////////////////////
996/// Static method returning default expiring date for new validity contexts
997
1002
1003////////////////////////////////////////////////////////////////////////////////
1004/// Static method returning the default user information.
1005
1006const char *TAuthenticate::GetDefaultUser()
1007{
1008 return fgDefaultUser;
1009}
1010
1011////////////////////////////////////////////////////////////////////////////////
1012/// Static method returning the principal to be used to init Krb5 tickets.
1013
1014const char *TAuthenticate::GetKrb5Principal()
1015{
1016 ::Error("Krb5Auth", "Kerberos5 is no longer supported by ROOT");
1017 return nullptr;
1018}
1019
1020////////////////////////////////////////////////////////////////////////////////
1021/// Static method returning the authentication reuse settings.
1022
1027
1028////////////////////////////////////////////////////////////////////////////////
1029/// Static method returning the prompt user settings.
1030
1035
1036////////////////////////////////////////////////////////////////////////////////
1037/// Static method returning the method corresponding to idx.
1038
1039const char *TAuthenticate::GetAuthMethod(Int_t idx)
1040{
1041 R__LOCKGUARD2(gAuthenticateMutex);
1042
1043 if (idx < 0 || idx > kMAXSEC-1) {
1044 ::Error("Authenticate::GetAuthMethod", "idx out of bounds (%d)", idx);
1045 idx = 0;
1046 }
1047 return fgAuthMeth[idx];
1048}
1049
1050////////////////////////////////////////////////////////////////////////////////
1051/// Static method returning the method index (which can be used to find
1052/// the method in GetAuthMethod()). Returns -1 in case meth is not found.
1053
1054Int_t TAuthenticate::GetAuthMethodIdx(const char *meth)
1055{
1056 R__LOCKGUARD2(gAuthenticateMutex);
1057
1058 if (meth && meth[0]) {
1059 for (Int_t i = 0; i < kMAXSEC; i++) {
1060 if (!fgAuthMeth[i].CompareTo(meth, TString::kIgnoreCase))
1061 return i;
1062 }
1063 }
1064
1065 return -1;
1066}
1067
1068////////////////////////////////////////////////////////////////////////////////
1069/// Static method to prompt for the user name to be used for authentication
1070/// to rootd. User is asked to type user name.
1071/// Returns user name (which must be deleted by caller) or 0.
1072/// If non-interactive run returns default user.
1073
1074char *TAuthenticate::PromptUser(const char *remote)
1075{
1076 R__LOCKGUARD2(gAuthenticateMutex);
1077
1078 const char *user;
1079 if (fgDefaultUser != "")
1080 user = fgDefaultUser;
1081 else
1082 user = gSystem->Getenv("USER");
1083#ifdef R__WIN32
1084 if (!user)
1085 user = gSystem->Getenv("USERNAME");
1086#endif
1087 if (isatty(0) == 0 || isatty(1) == 0) {
1088 ::Warning("TAuthenticate::PromptUser",
1089 "not tty: cannot prompt for user, returning default");
1090 if (strlen(user))
1091 return StrDup(user);
1092 else
1093 return StrDup("None");
1094 }
1095
1096 const char *usrIn = Getline(Form("Name (%s:%s): ", remote, user));
1097 if (usrIn[0]) {
1098 TString usr(usrIn);
1099 usr.Remove(usr.Length() - 1); // get rid of \n
1100 if (!usr.IsNull())
1101 return StrDup(usr);
1102 else
1103 return StrDup(user);
1104 }
1105 return 0;
1106}
1107
1108////////////////////////////////////////////////////////////////////////////////
1109/// Static method to prompt for the user's passwd to be used for
1110/// authentication to rootd. Uses non-echoing command line
1111/// to get passwd. Returns passwd (which must de deleted by caller) or 0.
1112/// If non-interactive run returns -1
1113
1114char *TAuthenticate::PromptPasswd(const char *prompt)
1115{
1116 if (isatty(0) == 0 || isatty(1) == 0) {
1117 ::Warning("TAuthenticate::PromptPasswd",
1118 "not tty: cannot prompt for passwd, returning -1");
1119 static char noint[4] = {"-1"};
1120 return StrDup(noint);
1121 }
1122
1123 char buf[128] = "";
1124 const char *pw = buf;
1125 // Get the plugin for the passwd dialog box, if needed
1126 if (!gROOT->IsBatch() && (fgPasswdDialog == (TPluginHandler *)(-1)) &&
1127 gEnv->GetValue("Auth.UsePasswdDialogBox", 1) == 1) {
1128 if ((fgPasswdDialog =
1129 gROOT->GetPluginManager()->FindHandler("TGPasswdDialog"))) {
1130 if (fgPasswdDialog->LoadPlugin() == -1) {
1131 fgPasswdDialog = 0;
1132 ::Warning("TAuthenticate",
1133 "could not load plugin for the password dialog box");
1134 }
1135 }
1136 }
1137 if (fgPasswdDialog && (fgPasswdDialog != (TPluginHandler *)(-1))) {
1138
1139 // Use graphic dialog
1140 fgPasswdDialog->ExecPlugin(3, prompt, buf, 128);
1141
1142 // Wait until the user is done
1143 while (gROOT->IsInterrupted())
1144 gSystem->DispatchOneEvent(kFALSE);
1145
1146 } else {
1147 Gl_config("noecho", 1);
1148 pw = Getline(prompt);
1149 Gl_config("noecho", 0);
1150 }
1151
1152 // Final checks
1153 if (pw[0]) {
1154 TString spw(pw);
1155 if (spw.EndsWith("\n"))
1156 spw.Remove(spw.Length() - 1); // get rid of \n
1157 char *rpw = StrDup(spw.Data());
1158 return rpw;
1159 }
1160 return 0;
1161}
1162
1163////////////////////////////////////////////////////////////////////////////////
1164/// Static method returning the globus authorization hook (no longer supported)
1165
1166GlobusAuth_t TAuthenticate::GetGlobusAuthHook()
1167{
1168 return nullptr;
1169}
1170
1171////////////////////////////////////////////////////////////////////////////////
1172/// Static method returning the RSA public keys.
1173
1174const char *TAuthenticate::GetRSAPubExport(Int_t key)
1175{
1176 key = (key >= 0 && key <= 1) ? key : 0;
1177 return fgRSAPubExport[key].keys;
1178}
1179
1180////////////////////////////////////////////////////////////////////////////////
1181/// Static method returning the RSA initialization flag.
1182
1183Int_t TAuthenticate::GetRSAInit()
1184{
1185 return fgRSAInit;
1186}
1187
1188////////////////////////////////////////////////////////////////////////////////
1189/// Static method setting the default type of RSA key.
1190
1191void TAuthenticate::SetDefaultRSAKeyType(Int_t key)
1192{
1193 if (key >= 0 && key <= 1)
1194 fgRSAKey = key;
1195}
1196
1197////////////////////////////////////////////////////////////////////////////////
1198/// Static method setting RSA initialization flag.
1199
1200void TAuthenticate::SetRSAInit(Int_t init)
1201{
1202 fgRSAInit = init;
1203}
1204
1205////////////////////////////////////////////////////////////////////////////////
1206/// Static method returning the list with authentication details.
1207
1208TList *TAuthenticate::GetAuthInfo()
1209{
1210 R__LOCKGUARD2(gAuthenticateMutex);
1211
1212 if (!fgAuthInfo)
1213 fgAuthInfo = new TList;
1214 return fgAuthInfo;
1215}
1216
1217////////////////////////////////////////////////////////////////////////////////
1218/// Print error string depending on error code.
1219
1220void TAuthenticate::AuthError(const char *where, Int_t err)
1221{
1222 R__LOCKGUARD2(gAuthenticateMutex);
1223
1224 // Make sure it is in range
1225 err = (err < kErrError) ? ((err > -1) ? err : -1) : kErrError;
1226
1227 Int_t erc = err;
1228 Bool_t forceprint = kFALSE;
1229 TString lasterr = "";
1230 if (err == -1) {
1231 forceprint = kTRUE;
1232 erc = fgLastError;
1233 lasterr = "(last error only; re-run with gDebug > 0 for more details)";
1234 }
1235
1236 if (erc > -1)
1237 if (gDebug > 0 || forceprint) {
1238 if (gRootdErrStr[erc])
1239 ::Error(Form("TAuthenticate::%s", where), "%s %s",
1240 gRootdErrStr[erc], lasterr.Data());
1241 else
1242 ::Error(Form("TAuthenticate::%s", where),
1243 "unknown error code: server must be running a newer ROOT version %s",
1244 lasterr.Data());
1245 }
1246
1247 // Update last error code
1248 fgLastError = err;
1249}
1250
1251////////////////////////////////////////////////////////////////////////////////
1252/// Set global user name to be used for authentication to rootd.
1253
1254void TAuthenticate::SetGlobalUser(const char *user)
1255{
1256 R__LOCKGUARD2(gAuthenticateMutex);
1257
1258 if (fgUser != "")
1259 fgUser = "";
1260
1261 if (user && user[0])
1262 fgUser = user;
1263}
1264
1265////////////////////////////////////////////////////////////////////////////////
1266/// Set global passwd to be used for authentication to rootd.
1267
1268void TAuthenticate::SetGlobalPasswd(const char *passwd)
1269{
1270 R__LOCKGUARD2(gAuthenticateMutex);
1271
1272 if (fgPasswd != "")
1273 fgPasswd = "";
1274
1275 if (passwd && passwd[0])
1276 fgPasswd = passwd;
1277}
1278
1279////////////////////////////////////////////////////////////////////////////////
1280/// Set global passwd hash flag to be used for authentication to rootd.
1281
1286
1287////////////////////////////////////////////////////////////////////////////////
1288/// Set global SRP passwd flag to be used for authentication to rootd.
1289
1290void TAuthenticate::SetGlobalSRPPwd(Bool_t)
1291{
1292 ::Error("SetGlobalSRPPwd", "SRP no longer supported by ROOT");
1293}
1294
1295////////////////////////////////////////////////////////////////////////////////
1296/// Set default expiring date for new validity contexts
1297
1302
1303////////////////////////////////////////////////////////////////////////////////
1304/// Set default user name.
1305
1306void TAuthenticate::SetDefaultUser(const char *defaultuser)
1307{
1308 if (fgDefaultUser != "")
1309 fgDefaultUser = "";
1310
1311 if (defaultuser && defaultuser[0])
1312 fgDefaultUser = defaultuser;
1313}
1314
1315////////////////////////////////////////////////////////////////////////////////
1316/// Set timeout (active if > 0)
1317
1318void TAuthenticate::SetTimeOut(Int_t to)
1319{
1320 fgAuthTO = (to <= 0) ? -1 : to;
1321}
1322
1323////////////////////////////////////////////////////////////////////////////////
1324/// Set global AuthReUse flag
1325
1330
1331////////////////////////////////////////////////////////////////////////////////
1332/// Set global PromptUser flag
1333
1338
1339////////////////////////////////////////////////////////////////////////////////
1340/// Set secure authorization function.
1341
1346
1347////////////////////////////////////////////////////////////////////////////////
1348/// Set kerberos5 authorization function. Automatically called when
1349/// libKrb5Auth is loaded.
1350
1351void TAuthenticate::SetKrb5AuthHook(Krb5Auth_t)
1352{
1353 ::Error("Krb5Auth", "Kerberos5 is no longer supported by ROOT");
1354}
1355
1356////////////////////////////////////////////////////////////////////////////////
1357/// Set Globus authorization function. Automatically called when
1358/// libGlobusAuth is loaded.
1359
1360void TAuthenticate::SetGlobusAuthHook(GlobusAuth_t)
1361{
1362 ::Error("GlobusAuth", "Globus is no longer supported by ROOT");
1363}
1364
1365////////////////////////////////////////////////////////////////////////////////
1366/// SSH client authentication code (no longer supported)
1367
1368Int_t TAuthenticate::SshAuth(TString & /* user */)
1369{
1370 ::Error("SshAuth", "SSH is no longer supported by ROOT");
1371 return 1;
1372}
1373
1374////////////////////////////////////////////////////////////////////////////////
1375/// Method returning the user to be used for the ssh login (no longer supported)
1376
1377const char *TAuthenticate::GetSshUser(TString /* user */) const
1378{
1379 ::Error("GetSshUser", "SSH is no longer supported by ROOT");
1380 return nullptr;
1381}
1382
1383////////////////////////////////////////////////////////////////////////////////
1384/// Check if 'host' matches 'href':
1385/// this means either equal or "containing" it, even with wild cards *
1386/// in the first field (in the case 'href' is a name, ie not IP address)
1387/// Returns kTRUE if the two matches.
1388
1389Bool_t TAuthenticate::CheckHost(const char *host, const char *href)
1390{
1391 R__LOCKGUARD2(gAuthenticateMutex);
1392
1393 Bool_t retval = kTRUE;
1394
1395 // Both strings should have been defined
1396 if (!host || !href)
1397 return kFALSE;
1398
1399 // 'href' == '*' indicates any 'host' ...
1400 if (!strcmp(href,"*"))
1401 return kTRUE;
1402
1403 // If 'href' contains at a letter or an hyphen it is assumed to be
1404 // a host name. Otherwise a name.
1405 // Check also for wild cards
1406 Bool_t name = kFALSE;
1407 TRegexp rename("[+a-zA-Z]");
1408 Int_t len;
1409 if (rename.Index(href,&len) != -1 || strstr(href,"-"))
1410 name = kTRUE;
1411
1412 // Check also for wild cards
1413 Bool_t wild = kFALSE;
1414 if (strstr(href,"*"))
1415 wild = kTRUE;
1416
1417 // Now build the regular expression for final checking
1418 TRegexp rehost(href,wild);
1419
1420 // host to check
1421 TString theHost(host);
1422 if (!name) {
1423 TInetAddress addr = gSystem->GetHostByName(host);
1424 theHost = addr.GetHostAddress();
1425 if (gDebug > 2)
1426 ::Info("TAuthenticate::CheckHost", "checking host IP: %s", theHost.Data());
1427 }
1428
1429 // Check 'host' against 'rehost'
1430 Ssiz_t pos = rehost.Index(theHost,&len);
1431 if (pos == -1)
1432 retval = kFALSE;
1433
1434 // If IP and no wilds, it should match either
1435 // the beginning or the end of the string
1436 if (!wild) {
1437 if (pos > 0 && pos != (Ssiz_t)(theHost.Length()-strlen(href)))
1438 retval = kFALSE;
1439 }
1440
1441 return retval;
1442}
1443
1444////////////////////////////////////////////////////////////////////////////////
1445/// RFIO authentication (no longer supported)
1446
1447Int_t TAuthenticate::RfioAuth(TString &)
1448{
1449 ::Error("RfioAuth", "RfioAuth is no longer supported by ROOT");
1450 return -1;
1451}
1452
1453////////////////////////////////////////////////////////////////////////////////
1454/// UsrPwd client authentication code.
1455/// Returns 0 in case authentication failed
1456/// 1 in case of success
1457
1458Int_t TAuthenticate::ClearAuth(TString &user, TString &passwd, Bool_t &pwdhash)
1459{
1460 R__LOCKGUARD2(gAuthenticateMutex);
1461
1462 if (gDebug > 2)
1463 Info("ClearAuth", "enter: user: %s (passwd hashed?: %d)",
1464 user.Data(),(Int_t)pwdhash);
1465
1466 Int_t reuse = fgAuthReUse;
1467 Int_t prompt = fgPromptUser;
1468 Int_t cryptopt = fgUsrPwdCrypt;
1469 Int_t needsalt = 1;
1470 if (pwdhash)
1471 needsalt = 0;
1472 fDetails = TString::Format("pt:%d ru:%d cp:%d us:",
1473 fgPromptUser, fgAuthReUse, fgUsrPwdCrypt) + user;
1474 if (gDebug > 2)
1475 Info("ClearAuth", "ru:%d pt:%d cp:%d ns:%d rk:%d",
1476 fgAuthReUse,fgPromptUser,fgUsrPwdCrypt,needsalt,fgRSAKey);
1477#ifdef R__WIN32
1478 needsalt = 0;
1479#endif
1480 Int_t stat, kind;
1481
1482 if (fVersion > 1) {
1483
1484 //
1485 // New protocol
1486 //
1487 Int_t anon = 0;
1488 TString salt = "";
1489 TString pashash = "";
1490
1491 // Get effective user (fro remote checks in $HOME/.rhosts)
1492 UserGroup_t *pw = gSystem->GetUserInfo(gSystem->GetEffectiveUid());
1493 TString effUser;
1494 if (pw) {
1495 effUser = TString(pw->fUser);
1496 delete pw;
1497 } else
1498 effUser = user;
1499
1500 // Create options string
1501 int opt = (reuse * kAUTH_REUSE_MSK) + (cryptopt * kAUTH_CRYPT_MSK) +
1502 (needsalt * kAUTH_SSALT_MSK) + (fRSAKey * kAUTH_RSATY_MSK);
1503 TString options;
1504 options.Form("%d %ld %s %ld %s", opt,
1505 (Long_t)user.Length(), user.Data(),
1506 (Long_t)effUser.Length(), effUser.Data());
1507
1508 // Check established authentications
1509 kind = kROOTD_USER;
1510 stat = reuse;
1511 Int_t rc = 0;
1512 if ((rc = AuthExists(user, (Int_t) TAuthenticate::kClear, options,
1513 &kind, &stat, &StdCheckSecCtx)) == 1) {
1514 // A valid authentication exists: we are done ...
1515 return 1;
1516 }
1517 if (rc == -2) {
1518 return rc;
1519 }
1520 if (stat == kErrNotAllowed && kind == kROOTD_ERR) {
1521 return 0;
1522 }
1523
1524 if (kind == kROOTD_AUTH && stat == -1) {
1525 if (gDebug > 3)
1526 Info("ClearAuth", "anonymous user");
1527 anon = 1;
1528 cryptopt = 0;
1529 reuse = 0;
1530 needsalt = 0;
1531 }
1532
1533 // The random tag in hex representation
1534 // Protection against reply attacks
1535 char ctag[11] = {0};
1536 if (anon == 0 && cryptopt == 1) {
1537
1538 // Check that we got the right thing ..
1539 if (kind != kROOTD_RSAKEY || stat < 1 || stat > 2 ) {
1540 // Check for errors
1541 if (kind != kROOTD_ERR) {
1542 Warning("ClearAuth",
1543 "problems recvn RSA key flag: got message %d, flag: %d",
1544 kind, stat);
1545 }
1546 return 0;
1547 }
1548 if (gDebug > 3)
1549 Info("ClearAuth", "get key request ...");
1550
1551 // Save type of key
1552 fRSAKey = stat - 1;
1553
1554 // Send the key securely
1555 if (SendRSAPublicKey(fSocket,fRSAKey) < 0)
1556 return 0;
1557
1558 int slen = 0;
1559 if (needsalt) {
1560 // Receive password salt
1561 char *tmpsalt = 0;
1562 if ((slen = SecureRecv(fSocket, 1, fRSAKey, &tmpsalt)) == -1) {
1563 Warning("ClearAuth", "problems secure-receiving salt -"
1564 " may result in corrupted salt");
1565 Warning("ClearAuth", "switch off reuse for this session");
1566 delete [] tmpsalt;
1567 return 0;
1568 }
1569 if (slen) {
1570 // Extract random tag, if there
1571 if (slen > 9) {
1572 int ltmp = slen;
1573 while (ltmp && tmpsalt[ltmp-1] != '#') ltmp--;
1574 if (ltmp) {
1575 if (tmpsalt[ltmp-1] == '#' &&
1576 tmpsalt[ltmp-10] == '#') {
1577 strlcpy(ctag,&tmpsalt[ltmp-10],11);
1578 // We drop the random tag
1579 ltmp -= 10;
1580 tmpsalt[ltmp] = 0;
1581 // Update salt length
1582 slen -= 10;
1583 }
1584 }
1585 if (!tmpsalt[0]) {
1586 // No salt left
1587 needsalt = 0;
1588 slen = 0;
1589 }
1590 }
1591 if (slen)
1592 salt = TString(tmpsalt);
1593 }
1594 delete [] tmpsalt;
1595 if (gDebug > 2)
1596 Info("ClearAuth", "got salt: '%s' (len: %d)", salt.Data(), slen);
1597 } else {
1598 if (gDebug > 2)
1599 Info("ClearAuth", "Salt not required");
1600 char *tmptag = 0;
1601 if (SecureRecv(fSocket, 1, fRSAKey, &tmptag) == -1) {
1602 Warning("ClearAuth", "problems secure-receiving rndmtag -"
1603 " may result in corrupted rndmtag");
1604 }
1605 if (tmptag) {
1606 strlcpy(ctag, tmptag, 11);
1607 delete [] tmptag;
1608 }
1609 }
1610 // We may not have got a salt (if the server may not access it
1611 // or if it needs the full password, like for AFS ...)
1612 if (!slen)
1613 needsalt = 0;
1614 }
1615 // Now get the password either from prompt or from memory, if saved already
1616 if (anon == 1) {
1617
1618 if (fgPasswd.Contains("@")) {
1619 // Anonymous like login with user chosen passwd ...
1620 passwd = fgPasswd;
1621 } else {
1622 // Anonymous like login with automatic passwd generation ...
1623 TString localuser;
1624 pw = gSystem->GetUserInfo();
1625 if (pw) {
1626 char *u = StrDup(pw->fUser);
1627 localuser = u;
1628 delete[] u;
1629 }
1630 delete pw;
1631 static TString localFQDN;
1632 if (localFQDN == "") {
1633 TInetAddress addr = gSystem->GetHostByName(gSystem->HostName());
1634 if (addr.IsValid())
1635 localFQDN = addr.GetHostName();
1636 }
1637 passwd.Form("%s@%s", localuser.Data(), localFQDN.Data());
1638 if (gDebug > 2)
1639 Info("ClearAuth",
1640 "automatically generated anonymous passwd: %s",
1641 passwd.Data());
1642 }
1643
1644 } else {
1645
1646 if (prompt == 1 || pashash.Length() == 0) {
1647
1648 if (passwd == "") {
1649 TString xp;
1650 xp.Form("%s@%s password: ", user.Data(),fRemote.Data());
1651 char *pwd = PromptPasswd(xp);
1652 passwd = TString(pwd);
1653 delete [] pwd;
1654 if (passwd == "") {
1655 Error("ClearAuth", "password not set");
1656 fSocket->Send("-1", kROOTD_PASS); // Needs this for consistency
1657 return 0;
1658 }
1659 }
1660 if (needsalt && !pwdhash) {
1661#ifndef R__WIN32
1662 pashash = TString(crypt(passwd, salt));
1663 if (!pashash.BeginsWith(salt)) {
1664 // not the right version of the crypt function:
1665 // do not send hash
1666 pashash = passwd;
1667 }
1668#else
1669 pashash = passwd;
1670#endif
1671 } else {
1672 pashash = passwd;
1673 }
1674 }
1675
1676 }
1677
1678 // Store password for later use
1679 fgUser = fUser;
1680 fgPwHash = kFALSE;
1681 fPwHash = kFALSE;
1682 fgPasswd = passwd;
1683 fPasswd = passwd;
1684
1685 // Send it to server
1686 if (anon == 0 && cryptopt == 1) {
1687
1688 // Needs to send this for consistency
1689 if (fSocket->Send("\0", kROOTD_PASS) < 0)
1690 return 0;
1691
1692 // Add the random tag received from the server
1693 // (if any); makes packets non re-usable
1694 if (strlen(ctag))
1695 pashash += ctag;
1696
1697 if (SecureSend(fSocket, 1, fRSAKey, pashash.Data()) == -1) {
1698 Warning("ClearAuth", "problems secure-sending pass hash"
1699 " - may result in authentication failure");
1700 return 0;
1701 }
1702 } else {
1703
1704 // Standard technique: invert passwd
1705 if (passwd != "") {
1706 for (int i = 0; i < passwd.Length(); i++) {
1707 char inv = ~passwd(i);
1708 passwd.Replace(i, 1, inv);
1709 }
1710 }
1711 if (fSocket->Send(passwd.Data(), kROOTD_PASS) < 0)
1712 return 0;
1713 }
1714
1715 Int_t nrec = 0;
1716 // Receive username used for login
1717 if ((nrec = fSocket->Recv(stat, kind)) < 0 ) // returns user
1718 return 0;
1719 if (gDebug > 3)
1720 Info("ClearAuth", "after kROOTD_PASS: kind= %d, stat= %d", kind,
1721 stat);
1722
1723 // Check for errors
1724 if (kind == kROOTD_ERR) {
1725 AuthError("ClearAuth", stat);
1726 fgPasswd = "";
1727 return 0;
1728 }
1729
1730 if (kind != kROOTD_PASS || stat < 1)
1731 Warning("ClearAuth",
1732 "problems recvn (user,offset) length (%d:%d bytes:%d)",
1733 kind, stat, nrec);
1734
1735 // Get user and offset
1736 char answer[256];
1737 int reclen = (stat+1 > 256) ? 256 : stat+1;
1738 if ((nrec = fSocket->Recv(answer, reclen, kind)) < 0)
1739 return 0;
1740 if (kind != kMESS_STRING)
1741 Warning("ClearAuth",
1742 "username and offset not received (%d:%d)", kind,
1743 nrec);
1744
1745 // Parse answer
1746 char lUser[128];
1747 Int_t offset = -1;
1748 sscanf(answer, "%127s %d", lUser, &offset);
1749 if (gDebug > 3)
1750 Info("ClearAuth",
1751 "received from server: user: %s, offset: %d (%s)", lUser,
1752 offset, answer);
1753
1754 // Return username
1755 user = lUser;
1756
1757 char *token = 0;
1758 if (reuse == 1 && offset > -1) {
1759 // Receive token
1760 if (cryptopt == 1) {
1761 if (SecureRecv(fSocket, 1, fRSAKey, &token) == -1) {
1762 Warning("ClearAuth",
1763 "problems secure-receiving token -"
1764 " may result in corrupted token");
1765 return 0;
1766 }
1767 } else {
1768 Int_t tlen = 9;
1769 token = new char[tlen];
1770 if (fSocket->Recv(token, tlen, kind) < 0) {
1771 delete [] token;
1772 return 0;
1773 }
1774 if (kind != kMESS_STRING)
1775 Warning("ClearAuth", "token not received (%d:%d)", kind,
1776 nrec);
1777 // Invert token
1778 for (int i = 0; i < (int) strlen(token); i++) {
1779 token[i] = ~token[i];
1780 }
1781
1782 }
1783 if (gDebug > 3)
1784 Info("ClearAuth", "received from server: token: '%s' ",
1785 token);
1786 }
1787 TPwdCtx *pwdctx = new TPwdCtx(fPasswd,fPwHash);
1788 // Create SecContext object
1789 fSecContext = fHostAuth->CreateSecContext((const char *)lUser, fRemote,
1790 kClear, offset, fDetails, (const char *)token,
1791 fgExpDate, (void *)pwdctx, fRSAKey);
1792
1793 // Release allocated memory ...
1794 if (token)
1795 delete [] token;
1796
1797 // This from remote login
1798 if (fSocket->Recv(stat, kind) < 0)
1799 return 0;
1800
1801
1802 if (kind == kROOTD_AUTH && stat >= 1) {
1803 fgPasswd = "";
1804 if (kind == kROOTD_ERR)
1805 AuthError("ClearAuth", stat);
1806 return 0;
1807 }
1808
1809 } else {
1810
1811 // Old Protocol
1812
1813 // Send username
1814 if (fSocket->Send(user.Data(), kROOTD_USER) < 0)
1815 return 0;
1816
1817 // Get replay from server
1818 if (fSocket->Recv(stat, kind) < 0)
1819 return 0;
1820
1821 // This check should guarantee backward compatibility with a private
1822 // version of rootd used by CDF
1823 if (kind == kROOTD_AUTH && stat == 1) {
1824 fSecContext =
1825 fHostAuth->CreateSecContext(user,fRemote,kClear,-1,fDetails,0);
1826 return 1;
1827 }
1828
1829 if (kind == kROOTD_ERR) {
1830 TString server = "sockd";
1831 if (fProtocol.Contains("root"))
1832 server = "rootd";
1833 if (stat == kErrConnectionRefused) {
1834 if (gDebug > 0)
1835 Error("ClearAuth",
1836 "%s@%s does not accept connections from %s@%s",
1837 server.Data(),fRemote.Data(),
1838 fUser.Data(),gSystem->HostName());
1839 return -2;
1840 } else if (stat == kErrNotAllowed) {
1841 if (gDebug > 0)
1842 Error("ClearAuth",
1843 "%s@%s does not accept %s authentication from %s@%s",
1844 server.Data(),fRemote.Data(),
1845 TAuthenticate::fgAuthMeth[0].Data(),
1846 fUser.Data(),gSystem->HostName());
1847 } else
1848 AuthError("ClearAuth", stat);
1849 return 0;
1850 }
1851 // Prepare passwd to send
1852 badpass1:
1853 if (passwd == "") {
1854 TString xp;
1855 xp.Form("%s@%s password: ", user.Data(),fRemote.Data());
1856 char *p = PromptPasswd(xp);
1857 passwd = p;
1858 delete [] p;
1859 if (passwd == "")
1860 Error("ClearAuth", "password not set");
1861 }
1862 if (fUser == "anonymous" || fUser == "rootd") {
1863 if (!passwd.Contains("@")) {
1864 Warning("ClearAuth",
1865 "please use passwd of form: user@host.do.main");
1866 passwd = "";
1867 goto badpass1;
1868 }
1869 }
1870
1871 fgPasswd = passwd;
1872 fPasswd = passwd;
1873
1874 // Invert passwd
1875 if (passwd != "") {
1876 for (int i = 0; i < passwd.Length(); i++) {
1877 char inv = ~passwd(i);
1878 passwd.Replace(i, 1, inv);
1879 }
1880 }
1881 // Send it over the net
1882 if (fSocket->Send(passwd, kROOTD_PASS) < 0)
1883 return 0;
1884
1885 // Get result of attempt
1886 if (fSocket->Recv(stat, kind) < 0) // returns user
1887 return 0;
1888 if (gDebug > 3)
1889 Info("ClearAuth", "after kROOTD_PASS: kind= %d, stat= %d", kind,
1890 stat);
1891
1892 if (kind == kROOTD_AUTH && stat == 1) {
1893 fSecContext =
1894 fHostAuth->CreateSecContext(user,fRemote,kClear,-1,fDetails,0);
1895 return 1;
1896 } else {
1897 if (kind == kROOTD_ERR)
1898 AuthError("ClearAuth", stat);
1899 return 0;
1900 }
1901 }
1902 return 0;
1903}
1904
1905////////////////////////////////////////////////////////////////////////////////
1906/// Sets fUser=user and search fgAuthInfo for the entry pertaining to
1907/// (host,user), setting fHostAuth accordingly.
1908/// If no entry is found fHostAuth is not changed
1909
1910THostAuth *TAuthenticate::GetHostAuth(const char *host, const char *user,
1911 Option_t */*opt*/, Int_t *exact)
1912{
1913 if (exact)
1914 *exact = 0;
1915
1916 if (gDebug > 2)
1917 ::Info("TAuthenticate::GetHostAuth", "enter ... %s ... %s", host, user);
1918
1919 // Strip off the servertype, if any
1920 Int_t srvtyp = -1;
1921 TString hostname = host;
1922 if (hostname.Contains(":")) {
1923 char *ps = (char *)strstr(host,":");
1924 if (ps)
1925 srvtyp = atoi(ps+1);
1926 hostname.Remove(hostname.Index(":"));
1927 }
1928 TString hostFQDN = hostname;
1929 if (strncmp(host,"default",7) && !hostFQDN.Contains("*")) {
1930 TInetAddress addr = gSystem->GetHostByName(hostFQDN);
1931 if (addr.IsValid())
1932 hostFQDN = addr.GetHostName();
1933 }
1934 TString usr = user;
1935 if (!usr.Length())
1936 usr = "*";
1937 THostAuth *rHA = 0;
1938
1939 // Check list of auth info for already loaded info about this host
1940 TIter *next = new TIter(GetAuthInfo());
1941
1942 THostAuth *ai;
1943 Bool_t notFound = kTRUE;
1944 Bool_t serverOK = kTRUE;
1945 while ((ai = (THostAuth *) (*next)())) {
1946 if (gDebug > 3)
1947 ai->Print("Authenticate::GetHostAuth");
1948
1949 // server
1950 if (!(serverOK = (ai->GetServer() == -1) ||
1951 (ai->GetServer() == srvtyp)))
1952 continue;
1953
1954 // Use default entry if existing and nothing more specific is found
1955 if (!strcmp(ai->GetHost(),"default") && serverOK && notFound)
1956 rHA = ai;
1957
1958 // Check
1959 if (CheckHost(hostFQDN,ai->GetHost()) &&
1960 CheckHost(usr,ai->GetUser()) && serverOK) {
1961 rHA = ai;
1962 notFound = kFALSE;
1963 }
1964
1965 if (hostFQDN == ai->GetHost() &&
1966 usr == ai->GetUser() && srvtyp == ai->GetServer() ) {
1967 rHA = ai;
1968 if (exact)
1969 *exact = 1;
1970 break;
1971 }
1972 }
1973 SafeDelete(next);
1974 return rHA;
1975}
1976
1977////////////////////////////////////////////////////////////////////////////////
1978/// Checks if a THostAuth with exact match for {host,user} exists
1979/// in the fgAuthInfo list
1980/// Returns pointer to it or 0
1981
1982THostAuth *TAuthenticate::HasHostAuth(const char *host, const char *user,
1983 Option_t */*opt*/)
1984{
1985 if (gDebug > 2)
1986 ::Info("TAuthenticate::HasHostAuth", "enter ... %s ... %s", host, user);
1987
1988 // Strip off the servertype, if any
1989 Int_t srvtyp = -1;
1990 TString hostFQDN = host;
1991 if (hostFQDN.Contains(":")) {
1992 char *ps = (char *)strstr(host,":");
1993 if (ps)
1994 srvtyp = atoi(ps+1);
1995 hostFQDN.Remove(hostFQDN.Index(":"));
1996 }
1997 if (strncmp(host,"default",7) && !hostFQDN.Contains("*")) {
1998 TInetAddress addr = gSystem->GetHostByName(hostFQDN);
1999 if (addr.IsValid())
2000 hostFQDN = addr.GetHostName();
2001 }
2002
2003 TIter *next = new TIter(GetAuthInfo());
2004 THostAuth *ai;
2005 while ((ai = (THostAuth *) (*next)())) {
2006
2007 if (hostFQDN == ai->GetHost() &&
2008 !strcmp(user, ai->GetUser()) && srvtyp == ai->GetServer()) {
2009 SafeDelete(next);
2010 return ai;
2011 }
2012 }
2013 SafeDelete(next);
2014 return 0;
2015}
2016
2017////////////////////////////////////////////////////////////////////////////////
2018/// Expands include directives found in fexp files
2019/// The expanded, temporary file, is pointed to by 'ftmp'
2020/// and should be already open. To be called recursively.
2021
2022void TAuthenticate::FileExpand(const char *fexp, FILE *ftmp)
2023{
2024 FILE *fin;
2025 char line[kMAXPATHLEN];
2026 char cinc[20], fileinc[kMAXPATHLEN];
2027
2028 if (gDebug > 2)
2029 ::Info("TAuthenticate::FileExpand", "enter ... '%s' ... 0x%zx", fexp, (size_t)ftmp);
2030
2031 fin = fopen(fexp, "r");
2032 if (fin == 0)
2033 return;
2034
2035 while (fgets(line, sizeof(line), fin) != 0) {
2036 // Skip comment lines
2037 if (line[0] == '#')
2038 continue;
2039 if (line[strlen(line) - 1] == '\n')
2040 line[strlen(line) - 1] = '\0';
2041 if (gDebug > 2)
2042 ::Info("TAuthenticate::FileExpand", "read line ... '%s'", line);
2043 int nw = sscanf(line, "%19s %8191s", cinc, fileinc);
2044 if (nw < 1)
2045 continue; // Not enough info in this line
2046 if (strcmp(cinc, "include") != 0) {
2047 // copy line in temporary file
2048 fprintf(ftmp, "%s\n", line);
2049 } else {
2050
2051 // Drop quotes or double quotes, if any
2052 TString ln(line);
2053 ln.ReplaceAll("\"",1,"",0);
2054 ln.ReplaceAll("'",1,"",0);
2055 sscanf(ln.Data(), "%19s %8191s", cinc, fileinc);
2056
2057 // support environment directories ...
2058 if (fileinc[0] == '$') {
2059 TString finc(fileinc);
2060 TString edir(fileinc);
2061 if (edir.Contains("/")) {
2062 edir.Remove(edir.Index("/"));
2063 edir.Remove(0,1);
2064 if (gSystem->Getenv(edir.Data())) {
2065 finc.Remove(0,1);
2066 finc.ReplaceAll(edir.Data(),gSystem->Getenv(edir.Data()));
2067 fileinc[0] = '\0';
2068 strncpy(fileinc,finc.Data(),kMAXPATHLEN);
2069 fileinc[kMAXPATHLEN-1] = '\0';
2070 }
2071 }
2072 }
2073
2074 // open (expand) file in temporary file ...
2075 if (fileinc[0] == '~') {
2076 // needs to expand
2077 int flen =
2078 strlen(fileinc) + strlen(gSystem->HomeDirectory()) + 10;
2079 char *ffull = new char[flen];
2080 snprintf(ffull, flen, "%s/%s", gSystem->HomeDirectory(), fileinc + 1);
2081 if (strlen(ffull) < kMAXPATHLEN - 1) strlcpy(fileinc, ffull,kMAXPATHLEN);
2082 delete [] ffull;
2083 }
2084 // Check if file exist and can be read ... ignore if not ...
2085 if (!gSystem->AccessPathName(fileinc, kReadPermission)) {
2086 FileExpand(fileinc, ftmp);
2087 } else {
2088 ::Warning("TAuthenticate::FileExpand",
2089 "file specified by 'include' cannot be open or read (%s)",
2090 fileinc);
2091 }
2092 }
2093 }
2094 fclose(fin);
2095}
2096
2097////////////////////////////////////////////////////////////////////////////////
2098/// Determine default authentication details for method 'sec' and user 'usr'.
2099/// Checks .rootrc family files. Returned string must be deleted by the user.
2100
2101char *TAuthenticate::GetDefaultDetails(int sec, int opt, const char *usr)
2102{
2103 char temp[kMAXPATHLEN] = { 0 };
2104 const char copt[2][5] = { "no", "yes" };
2105
2106 if (gDebug > 2)
2107 ::Info("TAuthenticate::GetDefaultDetails",
2108 "enter ... %d ...pt:%d ... '%s'", sec, opt, usr);
2109
2110 if (opt < 0 || opt > 1)
2111 opt = 1;
2112
2113 // UsrPwd
2114 if (sec == TAuthenticate::kClear) {
2115 if (!usr[0] || !strncmp(usr,"*",1))
2116 usr = gEnv->GetValue("UsrPwd.Login", "");
2117 snprintf(temp, kMAXPATHLEN, "pt:%s ru:%s cp:%s us:%s",
2118 gEnv->GetValue("UsrPwd.LoginPrompt", copt[opt]),
2119 gEnv->GetValue("UsrPwd.ReUse", "1"),
2120 gEnv->GetValue("UsrPwd.Crypt", "1"), usr);
2121 }
2122
2123 if (gDebug > 2)
2124 ::Info("TAuthenticate::GetDefaultDetails", "returning ... %s", temp);
2125
2126 return StrDup(temp);
2127}
2128
2129////////////////////////////////////////////////////////////////////////////////
2130/// Remove THostAuth instance from the list
2131
2132void TAuthenticate::RemoveHostAuth(THostAuth * ha, Option_t */*opt*/)
2133{
2134 GetAuthInfo()->Remove(ha);
2135 // ... destroy it
2136 delete ha;
2137}
2138
2139////////////////////////////////////////////////////////////////////////////////
2140/// Print info about the authentication sector.
2141/// If 'opt' contains 's' or 'S' prints information about established TSecContext,
2142/// else prints information about THostAuth
2143
2144void TAuthenticate::Show(Option_t *opt)
2145{
2146 TString sopt(opt);
2147
2148 if (sopt.Contains("s", TString::kIgnoreCase)) {
2149
2150 // Print established security contexts
2151 TIter next(gROOT->GetListOfSecContexts());
2152 TSecContext *sc = 0;
2153 while ((sc = (TSecContext *)next()))
2154 sc->Print();
2155
2156 } else {
2157
2158 ::Info("::Print", " +--------------------------- BEGIN --------------------------------+");
2159 ::Info("::Print", " + +");
2160 ::Info("::Print", " + List fgAuthInfo has %4d members +",
2161 GetAuthInfo()->GetSize());
2162 ::Info("::Print", " + +");
2163 ::Info("::Print", " +------------------------------------------------------------------+");
2164 TIter next(GetAuthInfo());
2165 THostAuth *ai;
2166 while ((ai = (THostAuth *)next())) {
2167 ai->Print();
2168 ai->PrintEstablished();
2169 }
2170 ::Info("::Print", " +---------------------------- END ---------------------------------+");
2171 }
2172}
2173
2174////////////////////////////////////////////////////////////////////////////////
2175/// Check if we have a valid established sec context in memory
2176/// Retrieves relevant info and negotiates with server.
2177/// options = "Opt,strlen(username),username.Data()"
2178/// message = kROOTD_USER, ...
2179
2180Int_t TAuthenticate::AuthExists(TString username, Int_t method, const char *options,
2181 Int_t *message, Int_t *rflag,
2182 CheckSecCtx_t checksecctx)
2183{
2184 // Welcome message, if requested ...
2185 if (gDebug > 2)
2186 Info("AuthExists","%d: enter: msg: %d options: '%s'",
2187 method,*message, options);
2188
2189 // Look for an existing security context matching this request
2190 Bool_t notHA = kFALSE;
2191
2192 // First in the local list
2193 TIter next(fHostAuth->Established());
2194 TRootSecContext *secctx;
2195 while ((secctx = (TRootSecContext *)next())) {
2196 if (secctx->GetMethod() == method) {
2197 if (fRemote == secctx->GetHost()) {
2198 if (checksecctx &&
2199 (*checksecctx)(username,secctx) == 1)
2200 break;
2201 }
2202 }
2203 }
2204
2205 // If nothing found, try the all list
2206 if (!secctx) {
2207 next = TIter(gROOT->GetListOfSecContexts());
2208 while ((secctx = (TRootSecContext *)next())) {
2209 if (secctx->GetMethod() == method) {
2210 if (fRemote == secctx->GetHost()) {
2211 if (checksecctx &&
2212 (*checksecctx)(username,secctx) == 1) {
2213 notHA = kTRUE;
2214 break;
2215 }
2216 }
2217 }
2218 }
2219 }
2220
2221 // If we have been given a valid sec context retrieve some info
2222 Int_t offset = -1;
2223 TString token;
2224 if (secctx) {
2225 offset = secctx->GetOffSet();
2226 token = secctx->GetToken();
2227 if (gDebug > 2)
2228 Info("AuthExists",
2229 "found valid TSecContext: offset: %d token: '%s'",
2230 offset, token.Data());
2231 }
2232
2233 // Prepare string to be sent to the server
2234 TString sstr;
2235 sstr.Form("%d %d %s", fgProcessID, offset, options);
2236
2237 // Send message
2238 if (fSocket->Send(sstr, *message) < 0)
2239 return -2;
2240
2241 Int_t reuse = *rflag;
2242 if (reuse == 1 && offset > -1) {
2243
2244 // Receive result of checking offset
2245 // But only for recent servers
2246 // NB: not backward compatible with dev version 4.00.02: switch
2247 // off 'reuse' for such servers to avoid hanging at this point.
2248 Int_t rproto = fSocket->GetRemoteProtocol();
2249 Bool_t oldsrv = ((fProtocol.BeginsWith("root") && rproto == 9));
2250 Int_t stat = 1, kind;
2251 if (!oldsrv) {
2252 if (fSocket->Recv(stat, kind) < 0)
2253 return -2;
2254 if (kind != kROOTD_AUTH)
2255 Warning("AuthExists","protocol error: expecting %d got %d"
2256 " (value: %d)",kROOTD_AUTH,kind,stat);
2257 }
2258
2259 if (stat > 0) {
2260 if (gDebug > 2)
2261 Info("AuthExists","offset OK");
2262
2263 Int_t rsaKey = secctx->GetRSAKey();
2264 if (gDebug > 2)
2265 Info("AuthExists", "key type: %d", rsaKey);
2266
2267 if (rsaKey > -1) {
2268
2269 // Recent servers send a random tag in stat
2270 // It has to be signed too
2271 if (stat > 1) {
2272 // Create hex from tag
2273 char tag[9] = {0};
2274 snprintf(tag, 9, "%08x",stat);
2275 // Add to token
2276 token += tag;
2277 }
2278
2279 // Send token encrypted
2280 if (SecureSend(fSocket, 1, rsaKey, token) == -1) {
2281 Warning("AuthExists", "problems secure-sending token %s",
2282 "- may trigger problems in proofing Id ");
2283 return -2;
2284 }
2285 } else {
2286 // Send inverted
2287 for (int i = 0; i < token.Length(); i++) {
2288 char inv = ~token(i);
2289 token.Replace(i, 1, inv);
2290 }
2291 if (fSocket->Send(token, kMESS_STRING) < 0)
2292 return -2;
2293 }
2294 } else {
2295 if (gDebug > 0)
2296 Info("AuthExists","offset not OK - rerun authentication");
2297 // If the sec context was not valid, deactivate it ...
2298 if (secctx)
2299 secctx->DeActivate("");
2300 }
2301 }
2302
2303 Int_t stat, kind;
2304 if (fSocket->Recv(stat, kind) < 0)
2305 return -2;
2306 if (gDebug > 3)
2307 Info("AuthExists","%d: after msg %d: kind= %d, stat= %d",
2308 method,*message, kind, stat);
2309
2310 // Return flags
2311 *message = kind;
2312 *rflag = stat;
2313
2314 if (kind == kROOTD_ERR) {
2315 TString server = "sockd";
2316 if (fSocket->GetServType() == TSocket::kROOTD)
2317 server = "rootd";
2318 if (stat == kErrConnectionRefused) {
2319 Error("AuthExists","%s@%s does not accept connections from %s@%s",
2320 server.Data(),fRemote.Data(),fUser.Data(),gSystem->HostName());
2321 return -2;
2322 } else if (stat == kErrNotAllowed) {
2323 if (gDebug > 0)
2324 Info("AuthExists",
2325 "%s@%s does not accept %s authentication from %s@%s",
2326 server.Data(),fRemote.Data(), fgAuthMeth[method].Data(),
2327 fUser.Data(),gSystem->HostName());
2328 } else
2329 AuthError("AuthExists", stat);
2330
2331 // If the sec context was not valid, deactivate it ...
2332 if (secctx)
2333 secctx->DeActivate("");
2334 return 0;
2335 }
2336
2337 if (kind == kROOTD_AUTH && stat >= 1) {
2338 if (!secctx)
2339 secctx =
2340 fHostAuth->CreateSecContext(fUser,fRemote,method,-stat,fDetails,0);
2341 if (gDebug > 3) {
2342 if (stat == 1)
2343 Info("AuthExists", "valid authentication exists");
2344 if (stat == 2)
2345 Info("AuthExists", "valid authentication exists: offset changed");
2346 if (stat == 3)
2347 Info("AuthExists", "remote access authorized by /etc/hosts.equiv");
2348 if (stat == 4)
2349 Info("AuthExists", "no authentication required remotely");
2350 }
2351
2352 if (stat == 2) {
2353 int newOffSet;
2354 // Receive new offset ...
2355 if (fSocket->Recv(newOffSet, kind) < 0)
2356 return -2;
2357 // ... and save it
2358 secctx->SetOffSet(newOffSet);
2359 }
2360
2361 fSecContext = secctx;
2362 // Add it to local list for later use (if not already there)
2363 if (notHA)
2364 fHostAuth->Established()->Add(secctx);
2365 return 1;
2366 }
2367 return 0;
2368}
2369
2370////////////////////////////////////////////////////////////////////////////////
2371/// Initialize random machine using seed from /dev/urandom
2372/// (or current time if /dev/urandom not available).
2373
2374void TAuthenticate::InitRandom()
2375{
2376 static Bool_t notinit = kTRUE;
2377
2378 if (notinit) {
2379 const char *randdev = "/dev/urandom";
2380 Int_t fd;
2381 UInt_t seed;
2382 if ((fd = open(randdev, O_RDONLY)) != -1) {
2383 if (gDebug > 2)
2384 ::Info("InitRandom", "taking seed from %s", randdev);
2385 if (read(fd, &seed, sizeof(seed)) != sizeof(seed))
2386 ::Warning("InitRandom", "could not read seed from %s", randdev);
2387 close(fd);
2388 } else {
2389 if (gDebug > 2)
2390 ::Info("InitRandom", "%s not available: using time()", randdev);
2391 seed = time(0); //better use times() + win32 equivalent
2392 }
2393 srand(seed);
2394 notinit = kFALSE;
2395 }
2396}
2397
2398////////////////////////////////////////////////////////////////////////////////
2399/// Generate a valid pair of private/public RSA keys to protect for
2400/// authentication token exchange
2401
2402Int_t TAuthenticate::GenRSAKeys()
2403{
2404 if (gDebug > 2)
2405 Info("GenRSAKeys", "enter");
2406
2407 if (fgRSAInit == 1) {
2408 if (gDebug > 2)
2409 Info("GenRSAKeys", "Keys prviously generated - return");
2410 }
2411
2412 // This is for dynamic loads ...
2413 TString lib = "libRsa";
2414
2415 // This is the local RSA implementation
2416 if (!TRSA_fun::RSA_genprim()) {
2417 char *p;
2418 if ((p = gSystem->DynamicPathName(lib, kTRUE))) {
2419 delete [] p;
2420 gSystem->Load(lib);
2421 }
2422 }
2423
2424 // Init random machine
2425 TAuthenticate::InitRandom();
2426
2427#ifdef R__SSL
2428 if (fgRSAKey == 1) {
2429 // Generate also the SSL key
2430 if (gDebug > 2)
2431 Info("GenRSAKeys","SSL: Generate Blowfish key");
2432
2433 // Init SSL ...
2434 SSL_library_init();
2435
2436 // ... and its error strings
2437 SSL_load_error_strings();
2438
2439 // Load Ciphers
2440 OpenSSL_add_all_ciphers();
2441
2442 // Number of bits for key
2443 Int_t nbits = gEnv->GetValue("SSL.BFBits",256);
2444
2445 // Minimum is 128
2446 nbits = (nbits >= 128) ? nbits : 128;
2447
2448 // Max to limit size of buffers to 15912 (internal limitation)
2449 nbits = (nbits <= 15912) ? nbits : 15912;
2450
2451 // Closer Number of chars
2452 Int_t klen = nbits / 8 ;
2453
2454 // Init random engine
2455 char *rbuf = GetRandString(0,klen);
2456 RAND_seed(rbuf,strlen(rbuf));
2457
2458 // This is what we export
2459 fgRSAPubExport[1].len = klen;
2460 fgRSAPubExport[1].keys = rbuf;
2461 if (gDebug > 2)
2462 Info("GenRSAKeys","SSL: BF key length: %d", fgRSAPubExport[1].len);
2463
2464 // Now set the key locally in BF form
2465 BF_set_key(&fgBFKey, klen, (const unsigned char *)rbuf);
2466 }
2467#endif
2468
2469 // Sometimes some bunch is not decrypted correctly
2470 // That's why we make retries to make sure that encryption/decryption
2471 // works as expected
2472 Bool_t notOk = 1;
2473 rsa_NUMBER p1, p2, rsa_n, rsa_e, rsa_d;
2474 Int_t l_n = 0, l_d = 0;
2475 char buf_n[rsa_STRLEN], buf_e[rsa_STRLEN], buf_d[rsa_STRLEN];
2476#if R__RSADE
2477 Int_t l_e;
2478 char buf[rsa_STRLEN];
2479#endif
2480
2481 Int_t nAttempts = 0;
2482 Int_t thePrimeLen = kPRIMELENGTH;
2483 Int_t thePrimeExp = kPRIMEEXP; // Prime probability = 1-0.5^thePrimeExp
2484 while (notOk && nAttempts < kMAXRSATRIES) {
2485
2486 nAttempts++;
2487 if (gDebug > 2 && nAttempts > 1) {
2488 Info("GenRSAKeys", "retry no. %d",nAttempts);
2489 srand(auth_rand());
2490 }
2491
2492 // Valid pair of primes
2493 p1 = TRSA_fun::RSA_genprim()(thePrimeLen, thePrimeExp);
2494 p2 = TRSA_fun::RSA_genprim()(thePrimeLen+1, thePrimeExp);
2495
2496 // Retry if equal
2497 Int_t nPrimes = 0;
2498 while (TRSA_fun::RSA_cmp()(&p1, &p2) == 0 && nPrimes < kMAXRSATRIES) {
2499 nPrimes++;
2500 if (gDebug > 2)
2501 Info("GenRSAKeys", "equal primes: regenerate (%d times)",nPrimes);
2502 srand(auth_rand());
2503 p1 = TRSA_fun::RSA_genprim()(thePrimeLen, thePrimeExp);
2504 p2 = TRSA_fun::RSA_genprim()(thePrimeLen+1, thePrimeExp);
2505 }
2506#if R__RSADEB
2507 if (gDebug > 3) {
2508 TRSA_fun::RSA_num_sput()(&p1, buf, rsa_STRLEN);
2509 Info("GenRSAKeys", "local: p1: '%s' ", buf);
2510 TRSA_fun::RSA_num_sput()(&p2, buf, rsa_STRLEN);
2511 Info("GenRSAKeys", "local: p2: '%s' ", buf);
2512 }
2513#endif
2514 // Generate keys
2515 if (TRSA_fun::RSA_genrsa()(p1, p2, &rsa_n, &rsa_e, &rsa_d)) {
2516 if (gDebug > 2 && nAttempts > 1)
2517 Info("GenRSAKeys"," genrsa: unable to generate keys (%d)",
2518 nAttempts);
2519 continue;
2520 }
2521
2522 // Get equivalent strings and determine their lengths
2523 TRSA_fun::RSA_num_sput()(&rsa_n, buf_n, rsa_STRLEN);
2524 l_n = strlen(buf_n);
2525 TRSA_fun::RSA_num_sput()(&rsa_e, buf_e, rsa_STRLEN);
2526#if R__RSADEB
2527 l_e = strlen(buf_e);
2528#endif
2529 TRSA_fun::RSA_num_sput()(&rsa_d, buf_d, rsa_STRLEN);
2530 l_d = strlen(buf_d);
2531
2532#if R__RSADEB
2533 if (gDebug > 3) {
2534 Info("GenRSAKeys", "local: n: '%s' length: %d", buf_n, l_n);
2535 Info("GenRSAKeys", "local: e: '%s' length: %d", buf_e, l_e);
2536 Info("GenRSAKeys", "local: d: '%s' length: %d", buf_d, l_d);
2537 }
2538#endif
2539 if (TRSA_fun::RSA_cmp()(&rsa_n, &rsa_e) <= 0)
2540 continue;
2541 if (TRSA_fun::RSA_cmp()(&rsa_n, &rsa_d) <= 0)
2542 continue;
2543
2544 // Now we try the keys
2545 char test[2 * rsa_STRLEN] = "ThisIsTheStringTest01203456-+/";
2546 Int_t lTes = 31;
2547 char *tdum = GetRandString(0, lTes - 1);
2548 strlcpy(test, tdum, lTes+1);
2549 delete [] tdum;
2550 char buf[2 * rsa_STRLEN];
2551 if (gDebug > 3)
2552 Info("GenRSAKeys", "local: test string: '%s' ", test);
2553
2554 // Private/Public
2555 strlcpy(buf, test, lTes+1);
2556
2557 // Try encryption with private key
2558 int lout = TRSA_fun::RSA_encode()(buf, lTes, rsa_n, rsa_e);
2559 if (gDebug > 3)
2560 Info("GenRSAKeys",
2561 "local: length of crypted string: %d bytes", lout);
2562
2563 // Try decryption with public key
2564 TRSA_fun::RSA_decode()(buf, lout, rsa_n, rsa_d);
2565 buf[lTes] = 0;
2566 if (gDebug > 3)
2567 Info("GenRSAKeys", "local: after private/public : '%s' ", buf);
2568
2569 if (strncmp(test, buf, lTes))
2570 continue;
2571
2572 // Public/Private
2573 strlcpy(buf, test, lTes+1);
2574
2575 // Try encryption with public key
2576 lout = TRSA_fun::RSA_encode()(buf, lTes, rsa_n, rsa_d);
2577 if (gDebug > 3)
2578 Info("GenRSAKeys", "local: length of crypted string: %d bytes ",
2579 lout);
2580
2581 // Try decryption with private key
2582 TRSA_fun::RSA_decode()(buf, lout, rsa_n, rsa_e);
2583 buf[lTes] = 0;
2584 if (gDebug > 3)
2585 Info("GenRSAKeys", "local: after public/private : '%s' ", buf);
2586
2587 if (strncmp(test, buf, lTes))
2588 continue;
2589
2590 notOk = 0;
2591 }
2592
2593 // Save Private key
2594 TRSA_fun::RSA_assign()(&fgRSAPriKey.n, &rsa_n);
2595 TRSA_fun::RSA_assign()(&fgRSAPriKey.e, &rsa_e);
2596
2597 // Save Public key
2598 TRSA_fun::RSA_assign()(&fgRSAPubKey.n, &rsa_n);
2599 TRSA_fun::RSA_assign()(&fgRSAPubKey.e, &rsa_d);
2600
2601#if R__RSADEB
2602 if (gDebug > 2) {
2603 // Determine their lengths
2604 Info("GenRSAKeys", "local: generated keys are:");
2605 Info("GenRSAKeys", "local: n: '%s' length: %d", buf_n, l_n);
2606 Info("GenRSAKeys", "local: e: '%s' length: %d", buf_e, l_e);
2607 Info("GenRSAKeys", "local: d: '%s' length: %d", buf_d, l_d);
2608 }
2609#endif
2610 // Export form
2611 if (fgRSAPubExport[0].keys) {
2612 delete [] fgRSAPubExport[0].keys;
2613 fgRSAPubExport[0].len = 0;
2614 }
2615 fgRSAPubExport[0].len = l_n + l_d + 4;
2616 fgRSAPubExport[0].keys = new char[fgRSAPubExport[0].len];
2617
2618 fgRSAPubExport[0].keys[0] = '#';
2619 memcpy(fgRSAPubExport[0].keys + 1, buf_n, l_n);
2620 fgRSAPubExport[0].keys[l_n + 1] = '#';
2621 memcpy(fgRSAPubExport[0].keys + l_n + 2, buf_d, l_d);
2622 fgRSAPubExport[0].keys[l_n + l_d + 2] = '#';
2623 fgRSAPubExport[0].keys[l_n + l_d + 3] = 0;
2624#if R__RSADEB
2625 if (gDebug > 2)
2626 Info("GenRSAKeys", "local: export pub: '%s'", fgRSAPubExport[0].keys);
2627#else
2628 if (gDebug > 2)
2629 Info("GenRSAKeys", "local: export pub length: %d bytes", fgRSAPubExport[0].len);
2630#endif
2631
2632 // Set availability flag
2633 fgRSAInit = 1;
2634
2635 return 0;
2636}
2637
2638////////////////////////////////////////////////////////////////////////////////
2639/// Allocates and fills a 0 terminated buffer of length len+1 with
2640/// len random characters.
2641/// Returns pointer to the buffer (to be deleted by the caller)
2642/// opt = 0 any non dangerous char
2643/// 1 letters and numbers (upper and lower case)
2644/// 2 hex characters (upper and lower case)
2645
2646char *TAuthenticate::GetRandString(Int_t opt, Int_t len)
2647{
2648 unsigned int iimx[4][4] = {
2649 {0x0, 0xffffff08, 0xafffffff, 0x2ffffffe}, // opt = 0
2650 {0x0, 0x3ff0000, 0x7fffffe, 0x7fffffe}, // opt = 1
2651 {0x0, 0x3ff0000, 0x7e, 0x7e}, // opt = 2
2652 {0x0, 0x3ffc000, 0x7fffffe, 0x7fffffe} // opt = 3
2653 };
2654
2655 const char *cOpt[4] = { "Any", "LetNum", "Hex", "Crypt" };
2656
2657 // Default option 0
2658 if (opt < 0 || opt > 2) {
2659 opt = 0;
2660 if (gDebug > 2)
2661 Info("GetRandString", "unknown option: %d : assume 0", opt);
2662 }
2663 if (gDebug > 2)
2664 Info("GetRandString", "enter ... len: %d %s", len, cOpt[opt]);
2665
2666 // Allocate buffer
2667 char *buf = new char[len + 1];
2668
2669 // Init random machine (if needed)
2670 TAuthenticate::InitRandom();
2671
2672 // randomize
2673 Int_t k = 0;
2674 Int_t i, j, l, m, frnd;
2675 while (k < len) {
2676 frnd = auth_rand();
2677 for (m = 7; m < 32; m += 7) {
2678 i = 0x7F & (frnd >> m);
2679 j = i / 32;
2680 l = i - j * 32;
2681 if ((iimx[opt][j] & (1 << l))) {
2682 buf[k] = i;
2683 k++;
2684 }
2685 if (k == len)
2686 break;
2687 }
2688 }
2689
2690 // null terminated
2691 buf[len] = 0;
2692 if (gDebug > 3)
2693 Info("GetRandString", "got '%s' ", buf);
2694
2695 return buf;
2696}
2697
2698////////////////////////////////////////////////////////////////////////////////
2699/// Encode null terminated str using the session private key indicated by enc
2700/// and sends it over the network
2701/// Returns number of bytes sent, or -1 in case of error.
2702/// enc = 1 for private encoding, enc = 2 for public encoding
2703
2704Int_t TAuthenticate::SecureSend(TSocket *sock, Int_t enc,
2705 Int_t key, const char *str)
2706{
2707 char buftmp[kMAXSECBUF];
2708 char buflen[20];
2709
2710 if (gDebug > 2)
2711 ::Info("TAuthenticate::SecureSend", "local: enter ... (enc: %d)", enc);
2712
2713 Int_t slen = strlen(str) + 1;
2714 Int_t ttmp = 0;
2715 Int_t nsen = -1;
2716
2717 if (key == 0) {
2718 strlcpy(buftmp, str, slen+1);
2719
2720 if (enc == 1)
2721 ttmp = TRSA_fun::RSA_encode()(buftmp, slen, fgRSAPriKey.n,
2722 fgRSAPriKey.e);
2723 else if (enc == 2)
2724 ttmp = TRSA_fun::RSA_encode()(buftmp, slen, fgRSAPubKey.n,
2725 fgRSAPubKey.e);
2726 else
2727 return nsen;
2728 } else if (key == 1) {
2729
2730#ifdef R__SSL
2731 ttmp = strlen(str);
2732 if ((ttmp % 8) > 0) // It should be a multiple of 8!
2733 ttmp = ((ttmp + 8)/8) * 8;
2734 unsigned char iv[8];
2735 memset((void *)&iv[0],0,8);
2736 BF_cbc_encrypt((const unsigned char *)str, (unsigned char *)buftmp,
2737 strlen(str), &fgBFKey, iv, BF_ENCRYPT);
2738#else
2739 if (gDebug > 0)
2740 ::Info("TAuthenticate::SecureSend","not compiled with SSL support:"
2741 " you should not have got here!");
2742#endif
2743 } else {
2744 if (gDebug > 0)
2745 ::Info("TAuthenticate::SecureSend","unknown key type (%d)",key);
2746 return nsen;
2747 }
2748
2749 snprintf(buflen,20,"%d",ttmp);
2750 if (sock->Send(buflen, kROOTD_ENCRYPT) < 0)
2751 return -1;
2752 nsen = sock->SendRaw(buftmp, ttmp);
2753 if (gDebug > 3)
2754 ::Info("TAuthenticate::SecureSend",
2755 "local: sent %d bytes (expected: %d)", nsen,ttmp);
2756
2757 return nsen;
2758}
2759
2760////////////////////////////////////////////////////////////////////////////////
2761/// Receive str from sock and decode it using key indicated by key type
2762/// Return number of received bytes or -1 in case of error.
2763/// dec = 1 for private decoding, dec = 2 for public decoding
2764
2765Int_t TAuthenticate::SecureRecv(TSocket *sock, Int_t dec, Int_t key, char **str)
2766{
2767
2768 char buftmp[kMAXSECBUF];
2769 char buflen[20];
2770
2771 Int_t nrec = -1;
2772 // We must get a pointer ...
2773 if (!str)
2774 return nrec;
2775
2776 Int_t kind;
2777 if (sock->Recv(buflen, 20, kind) < 0)
2778 return -1;
2779 Int_t len = atoi(buflen);
2780 if (gDebug > 3)
2781 ::Info("TAuthenticate::SecureRecv", "got len '%s' %d (msg kind: %d)",
2782 buflen, len, kind);
2783 if (len == 0) {
2784 return len;
2785 }
2786 if (len < 0 || len > kMAXSECBUF) {
2787 return nrec;
2788 }
2789
2790 // Receive buffer
2791 if ((nrec = sock->RecvRaw(buftmp, len)) < 0)
2792 return nrec;
2793 if (key == 0) {
2794 if (dec == 1)
2795 TRSA_fun::RSA_decode()(buftmp, len, fgRSAPriKey.n, fgRSAPriKey.e);
2796 else if (dec == 2)
2797 TRSA_fun::RSA_decode()(buftmp, len, fgRSAPubKey.n, fgRSAPubKey.e);
2798 else
2799 return -1;
2800
2801 // Prepare output
2802 const size_t strSize = strlen(buftmp) + 1;
2803 *str = new char[strSize];
2804 if (*str == nullptr) {
2805 if (gDebug > 0)
2806 ::Info("TAuthenticate::SecureRecv","Memory allocation error size (%ld)", (long) strSize);
2807 return -1;
2808 }
2809 strlcpy(*str, buftmp, strSize);
2810
2811 } else if (key == 1) {
2812#ifdef R__SSL
2813 unsigned char iv[8];
2814 memset((void *)&iv[0],0,8);
2815 *str = new char[nrec + 1];
2816 BF_cbc_encrypt((const unsigned char *)buftmp, (unsigned char *)(*str),
2817 nrec, &fgBFKey, iv, BF_DECRYPT);
2818 (*str)[nrec] = '\0';
2819#else
2820 if (gDebug > 0)
2821 ::Info("TAuthenticate::SecureRecv","not compiled with SSL support:"
2822 " you should not have got here!");
2823#endif
2824 } else {
2825 if (gDebug > 0)
2826 ::Info("TAuthenticate::SecureRecv","unknown key type (%d)",key);
2827 return -1;
2828 }
2829
2830 nrec= strlen(*str);
2831
2832 return nrec;
2833}
2834
2835////////////////////////////////////////////////////////////////////////////////
2836/// Store RSA public keys from export string rsaPubExport.
2837
2838Int_t TAuthenticate::DecodeRSAPublic(const char *rsaPubExport, R__rsa_NUMBER &rsa_n,
2839 R__rsa_NUMBER &rsa_d, char **rsassl)
2840{
2841 if (!rsaPubExport)
2842 return -1;
2843
2844 if (gDebug > 2)
2845 ::Info("TAuthenticate::DecodeRSAPublic",
2846 "enter: string length: %ld bytes", (Long_t)strlen(rsaPubExport));
2847
2848 char str[kMAXPATHLEN] = { 0 };
2849 Int_t klen = strlen(rsaPubExport);
2850 if (klen > kMAXPATHLEN - 1) {
2851 ::Info("TAuthenticate::DecodeRSAPublic",
2852 "key too long (%d): truncate to %d",klen,kMAXPATHLEN);
2853 klen = kMAXPATHLEN - 1;
2854 }
2855 memcpy(str, rsaPubExport, klen);
2856 str[klen] ='\0';
2857
2858 Int_t keytype = -1;
2859
2860 if (klen > 0) {
2861
2862 // Skip spaces at beginning, if any
2863 int k = 0;
2864 while (str[k] == 32) k++;
2865
2866 if (str[k] == '#') {
2867
2868 keytype = 0;
2869
2870 // The format is #<hex_n>#<hex_d>#
2871 char *pd1 = strstr(str, "#");
2872 char *pd2 = pd1 ? strstr(pd1 + 1, "#") : (char *)0;
2873 char *pd3 = pd2 ? strstr(pd2 + 1, "#") : (char *)0;
2874 if (pd1 && pd2 && pd3) {
2875 // Get <hex_n> ...
2876 int l1 = (int) (pd2 - pd1 - 1);
2877 char *rsa_n_exp = new char[l1 + 1];
2878 strlcpy(rsa_n_exp, pd1 + 1, l1+1);
2879 if (gDebug > 2)
2880 ::Info("TAuthenticate::DecodeRSAPublic",
2881 "got %ld bytes for rsa_n_exp", (Long_t)strlen(rsa_n_exp));
2882 // Now <hex_d>
2883 int l2 = (int) (pd3 - pd2 - 1);
2884 char *rsa_d_exp = new char[l2 + 1];
2885 strlcpy(rsa_d_exp, pd2 + 1, 13);
2886 if (gDebug > 2)
2887 ::Info("TAuthenticate::DecodeRSAPublic",
2888 "got %ld bytes for rsa_d_exp", (Long_t)strlen(rsa_d_exp));
2889
2890 TRSA_fun::RSA_num_sget()(&rsa_n, rsa_n_exp);
2891 TRSA_fun::RSA_num_sget()(&rsa_d, rsa_d_exp);
2892
2893 delete[] rsa_n_exp;
2894 delete[] rsa_d_exp;
2895
2896 } else
2897 ::Info("TAuthenticate::DecodeRSAPublic","bad format for input string");
2898#ifdef R__SSL
2899 } else {
2900 // try SSL
2901 keytype = 1;
2902
2903 RSA *rsatmp;
2904
2905 // Bio for exporting the pub key
2906 BIO *bpub = BIO_new(BIO_s_mem());
2907
2908 // Write key from kbuf to BIO
2909 BIO_write(bpub,(void *)str,strlen(str));
2910
2911 // Read pub key from BIO
2912 if (!(rsatmp = PEM_read_bio_RSAPublicKey(bpub, 0, 0, 0))) {
2913 if (gDebug > 0)
2914 ::Info("TAuthenticate::DecodeRSAPublic",
2915 "unable to read pub key from bio");
2916 } else
2917 if (rsassl)
2918 *rsassl = (char *)rsatmp;
2919 else
2920 ::Info("TAuthenticate::DecodeRSAPublic",
2921 "no space allocated for output variable");
2922 BIO_free(bpub);
2923 }
2924#else
2925 } else {
2926 if (rsassl) { } // To avoid compiler complains
2927 if (gDebug > 0)
2928 ::Info("TAuthenticate::DecodeRSAPublic","not compiled with SSL support:"
2929 " you should not have got here!");
2930 }
2931#endif
2932 }
2933
2934 return keytype;
2935}
2936
2937////////////////////////////////////////////////////////////////////////////////
2938/// Store RSA public keys from export string rsaPubExport.
2939/// Returns type of stored key, or -1 is not recognized
2940
2941Int_t TAuthenticate::SetRSAPublic(const char *rsaPubExport, Int_t klen)
2942{
2943 if (gDebug > 2)
2944 ::Info("TAuthenticate::SetRSAPublic",
2945 "enter: string length %ld bytes", (Long_t)strlen(rsaPubExport));
2946
2947 Int_t rsakey = -1;
2948 if (!rsaPubExport)
2949 return rsakey;
2950
2951 if (klen > 0) {
2952
2953 // Skip spaces at beginning, if any
2954 int k0 = 0;
2955 while (rsaPubExport[k0] == 32) k0++;
2956 int k2 = klen - 1;
2957
2958 // Parse rsaPubExport
2959 // Type 0 is in the form
2960 //
2961 // #< gt 10 exa chars >#< gt 10 exa chars >#
2962 //
2963 rsakey = 1;
2964 if (rsaPubExport[k0] == '#' && rsaPubExport[k2] == '#') {
2965 char *p0 = (char *)&rsaPubExport[k0];
2966 char *p2 = (char *)&rsaPubExport[k2];
2967 char *p1 = strchr(p0+1,'#');
2968 if (p1 > p0 && p1 < p2) {
2969 Int_t l01 = (Int_t)(p1-p0)-1;
2970 Int_t l12 = (Int_t)(p2-p1)-1;
2971 if (l01 >= kPRIMELENGTH*2 && l12 >= kPRIMELENGTH*2) {
2972 // Require exadecimal chars in between
2973 char *c = p0+1;
2974 while (c < p1 && ((*c < 58 && *c > 47) || (*c < 91 && *c > 64)))
2975 c++;
2976 if (c == p1) {
2977 c++;
2978 while (c < p2 && ((*c < 58 && *c > 47) || (*c < 91 && *c > 64)))
2979 c++;
2980 if (c == p2)
2981 rsakey = 0;
2982 }
2983 }
2984 }
2985 }
2986 if (gDebug > 3)
2987 ::Info("TAuthenticate::SetRSAPublic"," Key type: %d",rsakey);
2988 if (rsakey == 0) {
2989
2990 // Decode input string
2991 R__rsa_NUMBER rsa_n, rsa_d;
2992 rsakey = TAuthenticate::DecodeRSAPublic(rsaPubExport,rsa_n,rsa_d);
2993
2994 // Save Public key
2995 TRSA_fun::RSA_assign()(&fgRSAPubKey.n, &rsa_n);
2996 TRSA_fun::RSA_assign()(&fgRSAPubKey.e, &rsa_d);
2997
2998 } else {
2999 rsakey = 1;
3000#ifdef R__SSL
3001 // Now set the key locally in BF form
3002 BF_set_key(&fgBFKey, klen, (const unsigned char *)rsaPubExport);
3003#else
3004 if (gDebug > 0)
3005 ::Info("TAuthenticate::SetRSAPublic",
3006 "not compiled with SSL support:"
3007 " you should not have got here!");
3008#endif
3009 }
3010 }
3011
3012 return rsakey;
3013}
3014
3015////////////////////////////////////////////////////////////////////////////////
3016/// Receives server RSA Public key
3017/// Sends local RSA public key encoded
3018
3019Int_t TAuthenticate::SendRSAPublicKey(TSocket *socket, Int_t key)
3020{
3021 // Receive server public key
3022 char serverPubKey[kMAXSECBUF];
3023 int kind, nr = 0;
3024 if ((nr = socket->Recv(serverPubKey, kMAXSECBUF, kind)) < 0)
3025 return nr;
3026 if (gDebug > 3)
3027 ::Info("TAuthenticate::SendRSAPublicKey",
3028 "received key from server %ld bytes", (Long_t)strlen(serverPubKey));
3029
3030 // Decode it
3031 R__rsa_NUMBER rsa_n, rsa_d;
3032#ifdef R__SSL
3033 char *tmprsa = nullptr;
3034 if (TAuthenticate::DecodeRSAPublic(serverPubKey,rsa_n,rsa_d,
3035 &tmprsa) != key) {
3036 if (tmprsa)
3037 RSA_free((RSA *)tmprsa);
3038 return -1;
3039 }
3040 RSA *RSASSLServer = (RSA *)tmprsa;
3041#else
3042 if (TAuthenticate::DecodeRSAPublic(serverPubKey,rsa_n,rsa_d) != key)
3043 return -1;
3044#endif
3045
3046 // Send local public key, encodes
3047 char buftmp[kMAXSECBUF] = {0};
3048 char buflen[20] = {0};
3049 Int_t slen = fgRSAPubExport[key].len;
3050 Int_t ttmp = 0;
3051 if (key == 0) {
3052 strlcpy(buftmp, fgRSAPubExport[key].keys, sizeof(buftmp));
3053 ttmp = TRSA_fun::RSA_encode()(buftmp, slen, rsa_n, rsa_d); // NOLINT: rsa_n, rsa_d are initialized
3054 snprintf(buflen, sizeof(buflen), "%d", ttmp);
3055 } else if (key == 1) {
3056#ifdef R__SSL
3057 Int_t lcmax = RSA_size(RSASSLServer) - 11;
3058 Int_t kk = 0;
3059 Int_t ke = 0;
3060 Int_t ns = slen;
3061 while (ns > 0) {
3062 Int_t lc = (ns > lcmax) ? lcmax : ns ;
3063 if ((ttmp = RSA_public_encrypt(lc,
3064 (unsigned char *)&fgRSAPubExport[key].keys[kk],
3065 (unsigned char *)&buftmp[ke],
3066 RSASSLServer,RSA_PKCS1_PADDING)) < 0) {
3067 char errstr[120];
3068 ERR_error_string(ERR_get_error(), errstr);
3069 ::Info("TAuthenticate::SendRSAPublicKey","SSL: error: '%s' ",errstr);
3070 }
3071 kk += lc;
3072 ke += ttmp;
3073 ns -= lc;
3074 }
3075 ttmp = ke;
3076 snprintf(buflen, 20, "%d", ttmp);
3077#else
3078 if (gDebug > 0)
3079 ::Info("TAuthenticate::SendRSAPublicKey","not compiled with SSL support:"
3080 " you should not have got here!");
3081 return -1;
3082#endif
3083 } else {
3084 if (gDebug > 0)
3085 ::Info("TAuthenticate::SendRSAPublicKey","unknown key type (%d)",key);
3086#ifdef R__SSL
3087 if (RSASSLServer)
3088 RSA_free(RSASSLServer);
3089#endif
3090 return -1;
3091 }
3092
3093 // Send length first
3094 if ((nr = socket->Send(buflen, kROOTD_ENCRYPT)) < 0)
3095 return nr;
3096 // Send Key. second ...
3097 Int_t nsen = socket->SendRaw(buftmp, ttmp);
3098 if (gDebug > 3)
3099 ::Info("TAuthenticate::SendRSAPublicKey",
3100 "local: sent %d bytes (expected: %d)", nsen,ttmp);
3101#ifdef R__SSL
3102 if (RSASSLServer)
3103 RSA_free(RSASSLServer);
3104#endif
3105 return nsen;
3106}
3107
3108////////////////////////////////////////////////////////////////////////////////
3109/// Read authentication directives from $ROOTAUTHRC, $HOME/.rootauthrc or
3110/// `<Root_etc_dir>/system.rootauthrc` and create related THostAuth objects.
3111/// Files are read only if they changed since last reading
3112
3113Int_t TAuthenticate::ReadRootAuthrc()
3114{
3115 // rootauthrc family
3116 TString tRootAuthrc;
3117 if (gSystem->Getenv("ROOTAUTHRC") != 0) {
3118 tRootAuthrc = gSystem->Getenv("ROOTAUTHRC");
3119 } else {
3120 if (fgReadHomeAuthrc) {
3121 tRootAuthrc = ".rootauthrc";
3122 gSystem->PrependPathName(gSystem->HomeDirectory(), tRootAuthrc);
3123 }
3124 }
3125 if (!tRootAuthrc.IsNull() && gDebug > 2)
3126 ::Info("TAuthenticate::ReadRootAuthrc", "Checking file: %s", tRootAuthrc.Data());
3127 if (tRootAuthrc.IsNull() || gSystem->AccessPathName(tRootAuthrc, kReadPermission)) {
3128 if (!tRootAuthrc.IsNull() && gDebug > 1)
3129 ::Info("TAuthenticate::ReadRootAuthrc",
3130 "file %s cannot be read (errno: %d)", tRootAuthrc.Data(), errno);
3131 tRootAuthrc = "system.rootauthrc";
3132 gSystem->PrependPathName(TROOT::GetEtcDir(), tRootAuthrc);
3133 if (gDebug > 2)
3134 ::Info("TAuthenticate::ReadRootAuthrc", "Checking system file: %s", tRootAuthrc.Data());
3135 if (gSystem->AccessPathName(tRootAuthrc, kReadPermission)) {
3136 if (gDebug > 1)
3137 ::Info("TAuthenticate::ReadRootAuthrc",
3138 "file %s cannot be read (errno: %d)", tRootAuthrc.Data(), errno);
3139 return 0;
3140 }
3141 }
3142
3143 // Check if file has changed since last read
3144 if (tRootAuthrc == fgRootAuthrc) {
3145 struct stat si;
3146 stat(tRootAuthrc, &si);
3147 if ((UInt_t)si.st_mtime < fgLastAuthrc.Convert()) {
3148 if (gDebug > 1)
3149 ::Info("TAuthenticate::ReadRootAuthrc",
3150 "file %s already read", tRootAuthrc.Data());
3151 return 0;
3152 }
3153 }
3154
3155 // Save filename in static variable
3156 fgRootAuthrc = tRootAuthrc;
3157 fgLastAuthrc = TDatime();
3158
3159 // THostAuth lists
3160 TList *authinfo = TAuthenticate::GetAuthInfo();
3161
3162 // Expand File into temporary file name and open it
3163 int expand = 1;
3164 TString filetmp = "rootauthrc";
3165 FILE *ftmp = gSystem->TempFileName(filetmp);
3166 if (gDebug > 2)
3167 ::Info("TAuthenticate::ReadRootAuthrc", "got tmp file: %s open at 0x%zx",
3168 filetmp.Data(), (size_t)ftmp);
3169 if (ftmp == 0)
3170 expand = 0; // Problems opening temporary file: ignore 'include's ...
3171
3172 FILE *fd = 0;
3173 // If the temporary file is open, copy everything to the new file ...
3174 if (expand == 1) {
3175 TAuthenticate::FileExpand(tRootAuthrc, ftmp);
3176 fd = ftmp;
3177 rewind(fd);
3178 } else {
3179 // Open file
3180 fd = fopen(tRootAuthrc, "r");
3181 if (fd == 0) {
3182 if (gDebug > 2)
3183 ::Info("TAuthenticate::ReadRootAuthrc",
3184 "file %s cannot be open (errno: %d)", tRootAuthrc.Data(), errno);
3185 return 0;
3186 }
3187 }
3188
3189 // Now scan file for meaningful directives
3190 TList tmpAuthInfo;
3191 char line[kMAXPATHLEN];
3192 while (fgets(line, sizeof(line), fd) != 0) {
3193
3194 // Skip comment lines
3195 if (line[0] == '#')
3196 continue;
3197
3198 // Get rid of end of line '\n', if there ...
3199 if (line[strlen(line) - 1] == '\n')
3200 line[strlen(line) - 1] = '\0';
3201
3202 // Skip empty lines
3203 if (!line[0])
3204 continue;
3205
3206 // Now scan
3207 const size_t tmpSize = strlen(line) + 1;
3208 char *tmp = new char[tmpSize];
3209 if (!tmp) {
3210 ::Error("TAuthenticate::ReadRootAuthrc",
3211 "could not allocate temporary buffer");
3212 fclose(fd);
3213 return 0;
3214 }
3215 strlcpy(tmp, line, tmpSize);
3216 char *nxt = strtok(tmp," ");
3217
3218
3219 TString hostsrv = nxt;
3220 TString host = hostsrv;
3221 TString server = "";
3222 if (hostsrv.Contains(":")) {
3223 server = hostsrv;
3224 host.Remove(host.Index(":"));
3225 server.Remove(0,server.Index(":")+1);
3226 }
3227 Int_t srvtyp = -1;
3228 if (server.Length()) {
3229 if (server == "0" || server.BeginsWith("sock"))
3230 srvtyp = TSocket::kSOCKD;
3231 else if (server == "1" || server.BeginsWith("root"))
3232 srvtyp = TSocket::kROOTD;
3233 }
3234
3235 // Line with host info directives
3236 TString user = "*";
3237
3238 nxt = strtok(0," ");
3239 if (!strncmp(nxt,"user",4)) {
3240 nxt = strtok(0," ");
3241 if (strncmp(nxt,"list",4) && strncmp(nxt,"method",6)) {
3242 user = TString(nxt);
3243 nxt = strtok(0," ");
3244 }
3245 }
3246
3247 // Get related THostAuth, if exists in the tmp list,
3248 TIter next(&tmpAuthInfo);
3249 THostAuth *ha;
3250 while ((ha = (THostAuth *)next())) {
3251 if (host == ha->GetHost() && user == ha->GetUser() &&
3252 srvtyp == ha->GetServer())
3253 break;
3254 }
3255 if (!ha) {
3256 // Create a new one
3257 ha = new THostAuth(host,srvtyp,user);
3258 tmpAuthInfo.Add(ha);
3259 }
3260
3261 if (!strncmp(nxt,"list",4)) {
3262 // list of methods for {host,usr}
3263 Int_t nm = 0, me[kMAXSEC] = {0};
3264 char *mth = strtok(0," ");
3265 while (mth) {
3266 Int_t met = -1;
3267 if (strlen(mth) > 1) {
3268 // Method passed as string: translate it to number
3269 met = GetAuthMethodIdx(mth);
3270 if (met == -1 && gDebug > 2)
3271 ::Info("TAuthenticate::ReadRootAuthrc",
3272 "unrecognized method (%s): ", mth);
3273 } else {
3274 met = atoi(mth);
3275 }
3276 if (met > -1 && met < kMAXSEC)
3277 me[nm++] = met;
3278 mth = strtok(0," ");
3279 }
3280 if (nm)
3281 ha->ReOrder(nm,me);
3282
3283 } else if (!strncmp(nxt,"method",6)) {
3284
3285 // details for {host,usr,method}
3286 char *mth = strtok(0," ");
3287 Int_t met = -1;
3288 if (strlen(mth) > 1) {
3289 // Method passed as string: translate it to number
3290 met = GetAuthMethodIdx(mth);
3291 if (met == -1 && gDebug > 2)
3292 ::Info("TAuthenticate::ReadRootAuthrc",
3293 "unrecognized method (%s): ", mth);
3294 } else {
3295 met = atoi(mth);
3296 }
3297 if (met > -1 && met < kMAXSEC) {
3298 const char *det = 0;
3299 nxt = strtok(0," ");
3300 if (nxt) {
3301 det = (const char *)strstr(line,nxt);
3302 }
3303 if (ha->HasMethod(met))
3304 ha->SetDetails(met,det);
3305 else
3306 ha->AddMethod(met,det);
3307 }
3308 }
3309 if (tmp) delete [] tmp;
3310 }
3311 // Close file and remove it if temporary
3312 fclose(fd);
3313 if (expand == 1)
3314 gSystem->Unlink(filetmp);
3315
3316 // Update authinfo with new info found
3317 TAuthenticate::MergeHostAuthList(authinfo,&tmpAuthInfo);
3318
3319 // Print those left, if requested ...
3320 if (gDebug > 2)
3321 TAuthenticate::Show();
3322
3323 return authinfo->GetSize();
3324}
3325
3326////////////////////////////////////////////////////////////////////////////////
3327/// Standard version of CheckSecCtx to be passed to TAuthenticate::AuthExists
3328/// Check if User is matches the one in Ctx
3329/// Returns: 1 if ok, 0 if not
3330/// Deactivates Ctx is not valid
3331
3332Int_t StdCheckSecCtx(const char *user, TRootSecContext *ctx)
3333{
3334 Int_t rc = 0;
3335
3336 if (ctx->IsActive()) {
3337 if (!strcmp(user,ctx->GetUser()) &&
3338 strncmp("AFS", ctx->GetID(), 3))
3339 rc = 1;
3340 }
3341 return rc;
3342}
3343
3344////////////////////////////////////////////////////////////////////////////////
3345/// Tool for updating fgAuthInfo
3346/// 'nin' contains list of last input information through (re)reading
3347/// of a rootauthrc-alike file. 'nin' info has priority.
3348/// 'std' is cleaned from inactive members.
3349/// 'nin' members used to update existing members in 'std' are
3350/// removed from 'nin', do that they do not leak
3351
3352void TAuthenticate::MergeHostAuthList(TList *std, TList *nin, Option_t *opt)
3353{
3354 // Remove inactive from the 'std'
3355 TIter nxstd(std);
3356 THostAuth *ha;
3357 while ((ha = (THostAuth *) nxstd())) {
3358 if (!ha->IsActive()) {
3359 std->Remove(ha);
3360 SafeDelete(ha);
3361 }
3362 }
3363
3364 // Merge 'nin' info in 'std'
3365 TIter nxnew(nin);
3366 THostAuth *hanew;
3367 while ((hanew = (THostAuth *)nxnew())) {
3368 if (hanew->NumMethods()) {
3369 TString hostsrv;
3370 hostsrv.Form("%s:%d",hanew->GetHost(),hanew->GetServer());
3371 THostAuth *hastd =
3372 TAuthenticate::HasHostAuth(hostsrv,hanew->GetUser(),opt);
3373 if (hastd) {
3374 // Update with new info
3375 hastd->Update(hanew);
3376 // Flag for removal
3377 hanew->DeActivate();
3378 } else {
3379 // Add new ThostAuth to std
3380 std->Add(hanew);
3381 }
3382 } else
3383 // Flag for removal empty objects
3384 hanew->DeActivate();
3385 }
3386
3387 // Cleanup memory before quitting
3388 nxnew.Reset();
3389 while ((hanew = (THostAuth *)nxnew())) {
3390 if (!hanew->IsActive()) {
3391 nin->Remove(hanew);
3392 SafeDelete(hanew);
3393 }
3394 }
3395
3396}
3397
3398////////////////////////////////////////////////////////////////////////////////
3399/// Tool for removing SecContext ctx from THostAuth listed in
3400/// fgAuthInfo
3401
3402void TAuthenticate::RemoveSecContext(TRootSecContext *ctx)
3403{
3404 THostAuth *ha = 0;
3405
3406 // authinfo first
3407 TIter nxai(GetAuthInfo());
3408 while ((ha = (THostAuth *)nxai())) {
3409 TIter next(ha->Established());
3410 TRootSecContext *lctx = 0;
3411 while ((lctx = (TRootSecContext *) next())) {
3412 if (lctx == ctx) {
3413 ha->Established()->Remove(ctx);
3414 break;
3415 }
3416 }
3417 }
3418}
3419
3420////////////////////////////////////////////////////////////////////////////////
3421/// Static method returning supported client protocol.
3422
3427
kAUTH_SSALT_MSK
const Int_t kAUTH_SSALT_MSK
Definition AuthConst.h:30
kAUTH_CRYPT_MSK
const Int_t kAUTH_CRYPT_MSK
Definition AuthConst.h:29
kMAXSECBUF
const Int_t kMAXSECBUF
Definition AuthConst.h:27
kAUTH_REUSE_MSK
const Int_t kAUTH_REUSE_MSK
Definition AuthConst.h:28
kPRIMEEXP
const Int_t kPRIMEEXP
Definition AuthConst.h:34
kPRIMELENGTH
const Int_t kPRIMELENGTH
Definition AuthConst.h:33
kMAXRSATRIES
const Int_t kMAXRSATRIES
Definition AuthConst.h:32
kAUTH_RSATY_MSK
const Int_t kAUTH_RSATY_MSK
Definition AuthConst.h:31
kMAXSEC
const Int_t kMAXSEC
Definition AuthConst.h:26
kROOTD_RSAKEY
@ kROOTD_RSAKEY
Definition MessageTypes.h:68
kROOTD_ENCRYPT
@ kROOTD_ENCRYPT
Definition MessageTypes.h:69
kROOTD_PASS
@ kROOTD_PASS
Definition MessageTypes.h:42
kMESS_STRING
@ kMESS_STRING
Definition MessageTypes.h:34
kROOTD_USER
@ kROOTD_USER
Definition MessageTypes.h:41
kROOTD_BYE
@ kROOTD_BYE
Definition MessageTypes.h:65
kROOTD_NEGOTIA
@ kROOTD_NEGOTIA
Definition MessageTypes.h:67
kROOTD_AUTH
@ kROOTD_AUTH
Definition MessageTypes.h:43
kROOTD_ERR
@ kROOTD_ERR
Definition MessageTypes.h:52
gRootdErrStr
R__EXTERN const char * gRootdErrStr[]
Definition NetErrors.h:72
kErrNotAllowed
@ kErrNotAllowed
Definition NetErrors.h:49
kErrConnectionRefused
@ kErrConnectionRefused
Definition NetErrors.h:50
kErrError
@ kErrError
Definition NetErrors.h:69
SafeDelete
#define SafeDelete(p)
Definition RConfig.hxx:531
c
#define c(i)
Definition RSha256.hxx:101
Bool_t
bool Bool_t
Boolean (0=false, 1=true) (bool)
Definition RtypesCore.h:77
Int_t
int Int_t
Signed integer 4 bytes (int)
Definition RtypesCore.h:59
Long_t
long Long_t
Signed long integer 4 bytes (long). Size depends on architecture.
Definition RtypesCore.h:68
kFALSE
constexpr Bool_t kFALSE
Definition RtypesCore.h:108
kNPOS
constexpr Ssiz_t kNPOS
The equivalent of std::string::npos for the ROOT class TString.
Definition RtypesCore.h:131
kTRUE
constexpr Bool_t kTRUE
Definition RtypesCore.h:107
Option_t
const char Option_t
Option string (const char)
Definition RtypesCore.h:80
kMAXPATHLEN
@ kMAXPATHLEN
Definition Rtypes.h:61
gAuthenticateMutex
TVirtualMutex * gAuthenticateMutex
Definition TAuthenticate.cxx:119
StdCheckSecCtx
Int_t StdCheckSecCtx(const char *, TRootSecContext *)
Standard version of CheckSecCtx to be passed to TAuthenticate::AuthExists Check if User is matches th...
Definition TAuthenticate.cxx:3332
R__fgRSAPubExport
R__rsa_KEY_export R__fgRSAPubExport[2]
Definition TAuthenticate.cxx:107
auth_rand
static int auth_rand()
rand() implementation using /udev/random or /dev/random, if available
Definition TAuthenticate.cxx:129
gAuthenticateMutex
R__EXTERN TVirtualMutex * gAuthenticateMutex
Definition TAuthenticate.h:46
Krb5Auth_t
Int_t(* Krb5Auth_t)(TAuthenticate *auth, TString &user, TString &det, Int_t version)
Definition TAuthenticate.h:42
SecureAuth_t
Int_t(* SecureAuth_t)(TAuthenticate *auth, const char *user, const char *passwd, const char *remote, TString &det, Int_t version)
Definition TAuthenticate.h:43
GlobusAuth_t
Int_t(* GlobusAuth_t)(TAuthenticate *auth, TString &user, TString &det)
Definition TAuthenticate.h:41
CheckSecCtx_t
Int_t(* CheckSecCtx_t)(const char *subj, TRootSecContext *ctx)
Definition TAuthenticate.h:40
TRangeDynCast
ROOT::Detail::TRangeCast< T, true > TRangeDynCast
TRangeDynCast is an adapter class that allows the typed iteration through a TCollection.
Definition TCollection.h:360
gEnv
R__EXTERN TEnv * gEnv
Definition TEnv.h:170
p
winID h TVirtualViewer3D TVirtualGLPainter p
Definition TGWin32VirtualGLProxy.cxx:51
offset
Option_t Option_t TPoint TPoint const char GetTextMagnitude GetFillStyle GetLineColor GetLineWidth GetMarkerStyle GetTextAlign GetTextColor GetTextSize void char Point_t Rectangle_t WindowAttributes_t Float_t Float_t Float_t Int_t Int_t UInt_t UInt_t Rectangle_t Int_t Int_t Window_t TString Int_t GCValues_t GetPrimarySelectionOwner GetDisplay GetScreen GetColormap GetNativeEvent const char const char dpyName wid window const char font_name cursor keysym reg const char only_if_exist regb h Point_t winding char text const char depth char const char Int_t count const char ColorStruct_t color const char Pixmap_t Pixmap_t PictureAttributes_t attr const char char ret_data h unsigned char height h offset
Definition TGWin32VirtualXProxy.cxx:245
r
Option_t Option_t TPoint TPoint const char GetTextMagnitude GetFillStyle GetLineColor GetLineWidth GetMarkerStyle GetTextAlign GetTextColor GetTextSize void char Point_t Rectangle_t WindowAttributes_t Float_t r
Definition TGWin32VirtualXProxy.cxx:168
result
Option_t Option_t TPoint TPoint const char GetTextMagnitude GetFillStyle GetLineColor GetLineWidth GetMarkerStyle GetTextAlign GetTextColor GetTextSize void char Point_t Rectangle_t WindowAttributes_t Float_t Float_t Float_t Int_t Int_t UInt_t UInt_t Rectangle_t result
Definition TGWin32VirtualXProxy.cxx:174
len
Option_t Option_t TPoint TPoint const char GetTextMagnitude GetFillStyle GetLineColor GetLineWidth GetMarkerStyle GetTextAlign GetTextColor GetTextSize void char Point_t Rectangle_t WindowAttributes_t Float_t Float_t Float_t Int_t Int_t UInt_t UInt_t Rectangle_t Int_t Int_t Window_t TString Int_t GCValues_t GetPrimarySelectionOwner GetDisplay GetScreen GetColormap GetNativeEvent const char const char dpyName wid window const char font_name cursor keysym reg const char only_if_exist regb h Point_t winding char text const char depth char const char Int_t count const char ColorStruct_t color const char Pixmap_t Pixmap_t PictureAttributes_t attr const char char ret_data h unsigned char height h Atom_t Int_t ULong_t ULong_t unsigned char prop_list Atom_t Atom_t Atom_t Time_t UChar_t len
Definition TGWin32VirtualXProxy.cxx:249
name
char name[80]
Definition TGX11.cxx:157
gDebug
Int_t gDebug
Global variable setting the debug level. Set to 0 to disable, increase it in steps of 1 to increase t...
Definition TROOT.cxx:627
gROOT
#define gROOT
Definition TROOT.h:414
Form
char * Form(const char *fmt,...)
Formats a string in a circular formatting buffer.
Definition TString.cxx:2495
Printf
void Printf(const char *fmt,...)
Formats a string in a circular formatting buffer and prints the string.
Definition TString.cxx:2509
StrDup
char * StrDup(const char *str)
Duplicate the string str.
Definition TString.cxx:2563
kReadPermission
@ kReadPermission
Definition TSystem.h:55
R_ISREG
Bool_t R_ISREG(Int_t mode)
Definition TSystem.h:126
R_ISDIR
Bool_t R_ISDIR(Int_t mode)
Definition TSystem.h:123
gSystem
R__EXTERN TSystem * gSystem
Definition TSystem.h:582
kS_IWUSR
@ kS_IWUSR
Definition TSystem.h:111
kS_IRUSR
@ kS_IRUSR
Definition TSystem.h:110
R__LOCKGUARD2
#define R__LOCKGUARD2(mutex)
Definition TVirtualMutex.h:96
proto
const char * proto
Definition civetweb.c:18822
snprintf
#define snprintf
Definition civetweb.c:1579
TAuthenticate::RemoveHostAuth
static void RemoveHostAuth(THostAuth *ha, Option_t *opt="")
Remove THostAuth instance from the list.
Definition TAuthenticate.cxx:2132
TAuthenticate::SetRSAPublic
static Int_t SetRSAPublic(const char *rsapubexport, Int_t klen)
Store RSA public keys from export string rsaPubExport.
Definition TAuthenticate.cxx:2941
TAuthenticate::fgPasswdDialog
static TPluginHandler * fgPasswdDialog
Definition TAuthenticate.h:112
TAuthenticate::fgProcessID
static Int_t fgProcessID
Definition TAuthenticate.h:127
TAuthenticate::SetGlobalSRPPwd
static void SetGlobalSRPPwd(Bool_t srppwd)
Set global SRP passwd flag to be used for authentication to rootd.
Definition TAuthenticate.cxx:1290
TAuthenticate::fgPromptUser
static Bool_t fgPromptUser
Definition TAuthenticate.h:113
TAuthenticate::fSecContext
TRootSecContext * fSecContext
Definition TAuthenticate.h:79
TAuthenticate::fgPwHash
static Bool_t fgPwHash
Definition TAuthenticate.h:114
TAuthenticate::fSecurity
ESecurity fSecurity
Definition TAuthenticate.h:80
TAuthenticate::fHostAuth
THostAuth * fHostAuth
Definition TAuthenticate.h:73
TAuthenticate::FileExpand
static void FileExpand(const char *fin, FILE *ftmp)
Expands include directives found in fexp files The expanded, temporary file, is pointed to by 'ftmp' ...
Definition TAuthenticate.cxx:2022
TAuthenticate::fgUser
static TString fgUser
Definition TAuthenticate.h:123
TAuthenticate::fSocket
TSocket * fSocket
Definition TAuthenticate.h:81
TAuthenticate::GetGlobalUser
static const char * GetGlobalUser()
Static method returning the global user.
Definition TAuthenticate.cxx:974
TAuthenticate::SetGlobalUser
static void SetGlobalUser(const char *user)
Set global user name to be used for authentication to rootd.
Definition TAuthenticate.cxx:1254
TAuthenticate::SetPromptUser
static void SetPromptUser(Bool_t promptuser)
Set global PromptUser flag.
Definition TAuthenticate.cxx:1334
TAuthenticate::RfioAuth
Int_t RfioAuth(TString &user)
RFIO authentication (no longer supported)
Definition TAuthenticate.cxx:1447
TAuthenticate::Show
static void Show(Option_t *opt="S")
Print info about the authentication sector.
Definition TAuthenticate.cxx:2144
TAuthenticate::GetSshUser
const char * GetSshUser(TString user) const
Method returning the user to be used for the ssh login (no longer supported)
Definition TAuthenticate.cxx:1377
TAuthenticate::GetDefaultUser
static const char * GetDefaultUser()
Static method returning the default user information.
Definition TAuthenticate.cxx:1006
TAuthenticate::GetPromptUser
static Bool_t GetPromptUser()
Static method returning the prompt user settings.
Definition TAuthenticate.cxx:1031
TAuthenticate::SecureRecv
static Int_t SecureRecv(TSocket *Socket, Int_t dec, Int_t KeyType, char **Out)
Receive str from sock and decode it using key indicated by key type Return number of received bytes o...
Definition TAuthenticate.cxx:2765
TAuthenticate::GetKrb5Principal
static const char * GetKrb5Principal()
Static method returning the principal to be used to init Krb5 tickets.
Definition TAuthenticate.cxx:1014
TAuthenticate::GetHostAuth
THostAuth * GetHostAuth() const
Definition TAuthenticate.h:146
TAuthenticate::SetAuthReUse
static void SetAuthReUse(Bool_t authreuse)
Set global AuthReUse flag.
Definition TAuthenticate.cxx:1326
TAuthenticate::fgRSAPubExport
static R__rsa_KEY_export * fgRSAPubExport
Definition TAuthenticate.h:121
TAuthenticate::fgRSAInit
static Int_t fgRSAInit
Definition TAuthenticate.h:118
TAuthenticate::GetRandString
char * GetRandString(Int_t Opt, Int_t Len)
Allocates and fills a 0 terminated buffer of length len+1 with len random characters.
Definition TAuthenticate.cxx:2646
TAuthenticate::SshAuth
Int_t SshAuth(TString &user)
SSH client authentication code (no longer supported)
Definition TAuthenticate.cxx:1368
TAuthenticate::PromptPasswd
static char * PromptPasswd(const char *prompt="Password: ")
Static method to prompt for the user's passwd to be used for authentication to rootd.
Definition TAuthenticate.cxx:1114
TAuthenticate::SetDefaultUser
static void SetDefaultUser(const char *defaultuser)
Set default user name.
Definition TAuthenticate.cxx:1306
TAuthenticate::SetGlobalPwHash
static void SetGlobalPwHash(Bool_t pwhash)
Set global passwd hash flag to be used for authentication to rootd.
Definition TAuthenticate.cxx:1282
TAuthenticate::SetGlobalExpDate
static void SetGlobalExpDate(TDatime expdate)
Set default expiring date for new validity contexts.
Definition TAuthenticate.cxx:1298
TAuthenticate::GetRSAInit
static Int_t GetRSAInit()
Static method returning the RSA initialization flag.
Definition TAuthenticate.cxx:1183
TAuthenticate::SetSecureAuthHook
static void SetSecureAuthHook(SecureAuth_t func)
Set secure authorization function.
Definition TAuthenticate.cxx:1342
TAuthenticate::GetClientProtocol
static Int_t GetClientProtocol()
Static method returning supported client protocol.
Definition TAuthenticate.cxx:3423
TAuthenticate::ReadRootAuthrc
static Int_t ReadRootAuthrc()
Read authentication directives from $ROOTAUTHRC, $HOME/.rootauthrc or <Root_etc_dir>/system....
Definition TAuthenticate.cxx:3113
TAuthenticate::fgReadHomeAuthrc
static Bool_t fgReadHomeAuthrc
Definition TAuthenticate.h:115
TAuthenticate::fgAuthTO
static Int_t fgAuthTO
Definition TAuthenticate.h:126
TAuthenticate::fgLastError
static Int_t fgLastError
Definition TAuthenticate.h:125
TAuthenticate::SecureSend
static Int_t SecureSend(TSocket *Socket, Int_t enc, Int_t KeyType, const char *In)
Encode null terminated str using the session private key indicated by enc and sends it over the netwo...
Definition TAuthenticate.cxx:2704
TAuthenticate::GenRSAKeys
Int_t GenRSAKeys()
Generate a valid pair of private/public RSA keys to protect for authentication token exchange.
Definition TAuthenticate.cxx:2402
TAuthenticate::CheckNetrc
Bool_t CheckNetrc(TString &user, TString &passwd)
Try to get user name and passwd from the ~/.rootnetrc or ~/.netrc files.
Definition TAuthenticate.cxx:849
TAuthenticate::GetRSAPubExport
static const char * GetRSAPubExport(Int_t key=0)
Static method returning the RSA public keys.
Definition TAuthenticate.cxx:1174
TAuthenticate::InitRandom
static void InitRandom()
Initialize random machine using seed from /dev/urandom (or current time if /dev/urandom not available...
Definition TAuthenticate.cxx:2374
TAuthenticate::fgRSAPubKey
static R__rsa_KEY fgRSAPubKey
Definition TAuthenticate.h:120
TAuthenticate::fgAuthReUse
static Bool_t fgAuthReUse
Definition TAuthenticate.h:104
TAuthenticate::GetGlobalPwHash
static Bool_t GetGlobalPwHash()
Static method returning the global password hash flag.
Definition TAuthenticate.cxx:982
TAuthenticate::SetKrb5AuthHook
static void SetKrb5AuthHook(Krb5Auth_t func)
Set kerberos5 authorization function.
Definition TAuthenticate.cxx:1351
TAuthenticate::SetGlobusAuthHook
static void SetGlobusAuthHook(GlobusAuth_t func)
Set Globus authorization function.
Definition TAuthenticate.cxx:1360
TAuthenticate::SetRSAInit
static void SetRSAInit(Int_t init=1)
Static method setting RSA initialization flag.
Definition TAuthenticate.cxx:1200
TAuthenticate::SetGlobalPasswd
static void SetGlobalPasswd(const char *passwd)
Set global passwd to be used for authentication to rootd.
Definition TAuthenticate.cxx:1268
TAuthenticate::fgExpDate
static TDatime fgExpDate
Definition TAuthenticate.h:106
TAuthenticate::fProtocol
TString fProtocol
Definition TAuthenticate.h:75
TAuthenticate::SetEnvironment
void SetEnvironment()
Set default authentication environment.
Definition TAuthenticate.cxx:659
TAuthenticate::SendRSAPublicKey
static Int_t SendRSAPublicKey(TSocket *Socket, Int_t key=0)
Receives server RSA Public key Sends local RSA public key encoded.
Definition TAuthenticate.cxx:3019
TAuthenticate::fgLastAuthrc
static TDatime fgLastAuthrc
Definition TAuthenticate.h:110
TAuthenticate::fgAuthInfo
static TList * fgAuthInfo
Definition TAuthenticate.h:102
TAuthenticate::fgPasswd
static TString fgPasswd
Definition TAuthenticate.h:111
TAuthenticate::fgAuthMeth
static TString fgAuthMeth[kMAXSEC]
Definition TAuthenticate.h:92
TAuthenticate::CatchTimeOut
void CatchTimeOut()
Called in connection with a timer timeout.
Definition TAuthenticate.cxx:331
TAuthenticate::GetUserPasswd
Bool_t GetUserPasswd(TString &user, TString &passwd, Bool_t &pwhash, Bool_t srppwd)
Try to get user name and passwd from several sources.
Definition TAuthenticate.cxx:781
TAuthenticate::Authenticate
Bool_t Authenticate()
Authenticate to remote rootd server.
Definition TAuthenticate.cxx:347
TAuthenticate::fgRSAPriKey
static R__rsa_KEY fgRSAPriKey
Definition TAuthenticate.h:119
TAuthenticate::fgRootAuthrc
static TString fgRootAuthrc
Definition TAuthenticate.h:116
TAuthenticate::AuthExists
Int_t AuthExists(TString User, Int_t method, const char *Options, Int_t *Message, Int_t *Rflag, CheckSecCtx_t funcheck)
Check if we have a valid established sec context in memory Retrieves relevant info and negotiates wit...
Definition TAuthenticate.cxx:2180
TAuthenticate::GetAuthInfo
static TList * GetAuthInfo()
Static method returning the list with authentication details.
Definition TAuthenticate.cxx:1208
TAuthenticate::GetGlobusAuthHook
static GlobusAuth_t GetGlobusAuthHook()
Static method returning the globus authorization hook (no longer supported)
Definition TAuthenticate.cxx:1166
TAuthenticate::ClearAuth
Int_t ClearAuth(TString &user, TString &passwd, Bool_t &pwhash)
UsrPwd client authentication code.
Definition TAuthenticate.cxx:1458
TAuthenticate::AuthError
static void AuthError(const char *where, Int_t error)
Print error string depending on error code.
Definition TAuthenticate.cxx:1220
TAuthenticate::GetDefaultDetails
static char * GetDefaultDetails(Int_t method, Int_t opt, const char *user)
Determine default authentication details for method 'sec' and user 'usr'.
Definition TAuthenticate.cxx:2101
TAuthenticate::MergeHostAuthList
static void MergeHostAuthList(TList *Std, TList *New, Option_t *Opt="")
Tool for updating fgAuthInfo 'nin' contains list of last input information through (re)reading of a r...
Definition TAuthenticate.cxx:3352
TAuthenticate::fgDefaultUser
static TString fgDefaultUser
Definition TAuthenticate.h:105
TAuthenticate::GetAuthMethodIdx
static Int_t GetAuthMethodIdx(const char *meth)
Static method returning the method index (which can be used to find the method in GetAuthMethod()).
Definition TAuthenticate.cxx:1054
TAuthenticate::fgRSAKey
static Int_t fgRSAKey
Definition TAuthenticate.h:117
TAuthenticate::DecodeRSAPublic
static Int_t DecodeRSAPublic(const char *rsapubexport, R__rsa_NUMBER &n, R__rsa_NUMBER &d, char **rsassl=nullptr)
Store RSA public keys from export string rsaPubExport.
Definition TAuthenticate.cxx:2838
TAuthenticate::SetTimeOut
static void SetTimeOut(Int_t to)
Set timeout (active if > 0)
Definition TAuthenticate.cxx:1318
TAuthenticate::fgUsrPwdCrypt
static Bool_t fgUsrPwdCrypt
Definition TAuthenticate.h:124
TAuthenticate::TAuthenticate
TAuthenticate(TSocket *sock, const char *remote, const char *proto, const char *user="")
Create authentication object.
Definition TAuthenticate.cxx:161
TAuthenticate::RemoveSecContext
static void RemoveSecContext(TRootSecContext *ctx)
Tool for removing SecContext ctx from THostAuth listed in fgAuthInfo.
Definition TAuthenticate.cxx:3402
TAuthenticate::GetGlobalExpDate
static TDatime GetGlobalExpDate()
Static method returning default expiring date for new validity contexts.
Definition TAuthenticate.cxx:998
TAuthenticate::GetGlobalSRPPwd
static Bool_t GetGlobalSRPPwd()
Static method returning the global SRP password flag.
Definition TAuthenticate.cxx:990
TAuthenticate::fgSecAuthHook
static SecureAuth_t fgSecAuthHook
Definition TAuthenticate.h:122
TAuthenticate::PromptUser
static char * PromptUser(const char *remote)
Static method to prompt for the user name to be used for authentication to rootd.
Definition TAuthenticate.cxx:1074
TAuthenticate::CheckHost
static Bool_t CheckHost(const char *Host, const char *host)
Check if 'host' matches 'href': this means either equal or "containing" it, even with wild cards * in...
Definition TAuthenticate.cxx:1389
TAuthenticate::SetDefaultRSAKeyType
static void SetDefaultRSAKeyType(Int_t key)
Static method setting the default type of RSA key.
Definition TAuthenticate.cxx:1191
TAuthenticate::GetAuthMethod
static const char * GetAuthMethod(Int_t idx)
Static method returning the method corresponding to idx.
Definition TAuthenticate.cxx:1039
TAuthenticate::GetAuthReUse
static Bool_t GetAuthReUse()
Static method returning the authentication reuse settings.
Definition TAuthenticate.cxx:1023
TAuthenticate::HasHostAuth
static THostAuth * HasHostAuth(const char *host, const char *user, Option_t *opt="R")
Checks if a THostAuth with exact match for {host,user} exists in the fgAuthInfo list Returns pointer ...
Definition TAuthenticate.cxx:1982
TDatime
This class stores the date and time with a precision of one second in an unsigned 32 bit word (950130...
Definition TDatime.h:37
TEnv::GetValue
virtual Int_t GetValue(const char *name, Int_t dflt) const
Returns the integer value for a resource.
Definition TEnv.cxx:503
THostAuth::NumMethods
Int_t NumMethods() const
Definition THostAuth.h:68
THostAuth::CreateSecContext
TRootSecContext * CreateSecContext(const char *user, const char *host, Int_t meth, Int_t offset, const char *details, const char *token, TDatime expdate=kROOTTZERO, void *ctx=nullptr, Int_t key=-1)
Create a Security context and add it to local list Return pointer to it to be stored in TAuthenticate...
Definition THostAuth.cxx:654
THostAuth::GetHost
const char * GetHost() const
Definition THostAuth.h:91
THostAuth::GetServer
Int_t GetServer() const
Definition THostAuth.h:92
THostAuth::SetUser
void SetUser(const char *user)
Definition THostAuth.h:97
THostAuth::SetHost
void SetHost(const char *host)
Definition THostAuth.h:95
THostAuth::SetFirst
void SetFirst(Int_t level)
Set 'method' to be the first used (if in the list ...).
Definition THostAuth.cxx:514
THostAuth::SetServer
void SetServer(Int_t server)
Definition THostAuth.h:96
THostAuth::RemoveMethod
void RemoveMethod(Int_t level)
Remove method 'meth' from the list, if there ...
Definition THostAuth.cxx:241
THostAuth::CountFailure
void CountFailure(Int_t level)
Count failures for 'method'.
Definition THostAuth.cxx:639
THostAuth::AddFirst
void AddFirst(Int_t level, const char *details=nullptr)
Add new method in first position If already in the list, set as first method 'level' with authenticat...
Definition THostAuth.cxx:582
THostAuth::GetMethod
Int_t GetMethod(Int_t idx) const
Definition THostAuth.h:69
THostAuth::HasMethod
Bool_t HasMethod(Int_t level, Int_t *pos=nullptr)
Return kTRUE if method 'level' is in the list.
Definition THostAuth.cxx:318
THostAuth::Established
TList * Established() const
Definition THostAuth.h:99
THostAuth::GetDetails
const char * GetDetails(Int_t level)
Return authentication details for specified level or "" if the specified level does not exist for thi...
Definition THostAuth.cxx:302
THostAuth::SetLast
void SetLast(Int_t level)
Set 'method' to be the last used (if in the list ...).
Definition THostAuth.cxx:546
THostAuth::CountSuccess
void CountSuccess(Int_t level)
Count successes for 'method'.
Definition THostAuth.cxx:625
TInetAddress
This class represents an Internet Protocol (IP) address.
Definition TInetAddress.h:36
TList
A doubly linked list.
Definition TList.h:38
TList::Add
void Add(TObject *obj) override
Definition TList.h:81
TList::Remove
TObject * Remove(TObject *obj) override
Remove object from the list.
Definition TList.cxx:952
TObject::Warning
virtual void Warning(const char *method, const char *msgfmt,...) const
Issue warning message.
Definition TObject.cxx:1081
TObject::Error
virtual void Error(const char *method, const char *msgfmt,...) const
Issue error message.
Definition TObject.cxx:1095
TObject::Info
virtual void Info(const char *method, const char *msgfmt,...) const
Issue info message.
Definition TObject.cxx:1069
TROOT::GetEtcDir
static const TString & GetEtcDir()
Get the sysconfig directory in the installation. Static utility function.
Definition TROOT.cxx:3234
TRSA_fun::RSA_encode
static RSA_encode_t RSA_encode()
Definition rsafun.cxx:58
TRSA_fun::RSA_genprim
static RSA_genprim_t RSA_genprim()
Definition rsafun.cxx:56
TRSA_fun::RSA_assign
static RSA_assign_t RSA_assign()
Definition rsafun.cxx:64
TRSA_fun::RSA_cmp
static RSA_cmp_t RSA_cmp()
Definition rsafun.cxx:65
TRSA_fun::RSA_decode
static RSA_decode_t RSA_decode()
Definition rsafun.cxx:59
TRSA_fun::RSA_genrsa
static RSA_genrsa_t RSA_genrsa()
Definition rsafun.cxx:57
TRSA_fun::RSA_num_sput
static RSA_num_sput_t RSA_num_sput()
Definition rsafun.cxx:60
TRSA_fun::RSA_num_sget
static RSA_num_sget_t RSA_num_sget()
Definition rsafun.cxx:62
TRegexp
Regular expression class.
Definition TRegexp.h:31
TRootSecContext::Print
void Print(Option_t *option="F") const override
If opt is "F" (default) print object content.
Definition TRootSecContext.cxx:185
TSecContext::IsActive
Bool_t IsActive() const
Check remote OffSet and expiring Date.
Definition TSecContext.cxx:232
TSecContext::GetID
const char * GetID() const
Definition TSecContext.h:76
TSecContext::AddForCleanup
void AddForCleanup(Int_t port, Int_t proto, Int_t type)
Create a new TSecContextCleanup Internally is added to the list.
Definition TSecContext.cxx:213
TSecContext::GetUser
const char * GetUser() const
Definition TSecContext.h:82
TSocket::Recv
virtual Int_t Recv(TMessage *&mess)
Receive a TMessage object.
Definition TSocket.cxx:809
TSocket::GetClientProtocol
static Int_t GetClientProtocol()
Static method returning supported client protocol.
Definition TSocket.cxx:1445
TSocket::GetRemoteProtocol
Int_t GetRemoteProtocol() const
Definition TSocket.h:132
TSocket::Close
virtual void Close(Option_t *opt="")
Close the socket.
Definition TSocket.cxx:380
TSocket::RecvRaw
virtual Int_t RecvRaw(void *buffer, Int_t length, ESendRecvOptions opt=kDefault)
Receive a raw buffer of specified length bytes.
Definition TSocket.cxx:899
TSocket::SendRaw
virtual Int_t SendRaw(const void *buffer, Int_t length, ESendRecvOptions opt=kDefault)
Send a raw buffer of specified length.
Definition TSocket.cxx:611
TSocket::kSOCKD
@ kSOCKD
Definition TSocket.h:50
TSocket::kROOTD
@ kROOTD
Definition TSocket.h:50
TSocket::GetPort
Int_t GetPort() const
Definition TSocket.h:121
TSocket::GetServType
Int_t GetServType() const
Definition TSocket.h:123
TSocket::Send
virtual Int_t Send(const TMessage &mess)
Send a TMessage object.
Definition TSocket.cxx:513
TString
Basic string class.
Definition TString.h:138
TString::Length
Ssiz_t Length() const
Definition TString.h:425
TString::Replace
TString & Replace(Ssiz_t pos, Ssiz_t n, const char *s)
Definition TString.h:703
TString::Data
const char * Data() const
Definition TString.h:384
TString::kIgnoreCase
@ kIgnoreCase
Definition TString.h:285
TString::BeginsWith
Bool_t BeginsWith(const char *s, ECaseCompare cmp=kExact) const
Definition TString.h:632
TString::Remove
TString & Remove(Ssiz_t pos)
Definition TString.h:694
TString::Format
static TString Format(const char *fmt,...)
Static method which formats a string using a printf style format descriptor and return a TString.
Definition TString.cxx:2384
TString::Form
void Form(const char *fmt,...)
Formats a string using a printf style format descriptor.
Definition TString.cxx:2362
TString::Contains
Bool_t Contains(const char *pat, ECaseCompare cmp=kExact) const
Definition TString.h:641
TString::Index
Ssiz_t Index(const char *pat, Ssiz_t i=0, ECaseCompare cmp=kExact) const
Definition TString.h:660
TSystem::TempFileName
virtual FILE * TempFileName(TString &base, const char *dir=nullptr, const char *suffix=nullptr)
Create a secure temporary file by appending a unique 6 letter string to base.
Definition TSystem.cxx:1510
TSystem::GetPid
virtual int GetPid()
Get process id.
Definition TSystem.cxx:716
TSystem::Getenv
virtual const char * Getenv(const char *env)
Get environment variable.
Definition TSystem.cxx:1676
TSystem::Load
virtual int Load(const char *module, const char *entry="", Bool_t system=kFALSE)
Load a shared library.
Definition TSystem.cxx:1868
TSystem::GetPathInfo
int GetPathInfo(const char *path, Long_t *id, Long_t *size, Long_t *flags, Long_t *modtime)
Get info about a file: id, size, flags, modification time.
Definition TSystem.cxx:1409
TSystem::PrependPathName
virtual const char * PrependPathName(const char *dir, TString &name)
Concatenate a directory and a file name.
Definition TSystem.cxx:1092
TSystem::AccessPathName
virtual Bool_t AccessPathName(const char *path, EAccessMode mode=kFileExists)
Returns FALSE if one can access a file using the specified access mode.
Definition TSystem.cxx:1307
TSystem::DispatchOneEvent
virtual void DispatchOneEvent(Bool_t pendingOnly=kFALSE)
Dispatch a single event.
Definition TSystem.cxx:427
TSystem::HostName
virtual const char * HostName()
Return the system's host name.
Definition TSystem.cxx:301
TSystem::GetEffectiveUid
virtual Int_t GetEffectiveUid()
Returns the effective user id.
Definition TSystem.cxx:1583
TSystem::GetHostByName
virtual TInetAddress GetHostByName(const char *server)
Get Internet Protocol (IP) address of host.
Definition TSystem.cxx:2302
TSystem::HomeDirectory
virtual const char * HomeDirectory(const char *userName=nullptr)
Return the user's home directory.
Definition TSystem.cxx:897
TSystem::Unlink
virtual int Unlink(const char *name)
Unlink, i.e.
Definition TSystem.cxx:1392
TSystem::GetUserInfo
virtual UserGroup_t * GetUserInfo(Int_t uid)
Returns all user info in the UserGroup_t structure.
Definition TSystem.cxx:1612
TSystem::DynamicPathName
char * DynamicPathName(const char *lib, Bool_t quiet=kFALSE)
Find a dynamic library called lib using the system search paths.
Definition TSystem.cxx:2031
TTimer
Handles synchronous and a-synchronous timer events.
Definition TTimer.h:51
TVirtualMutex
This class implements a mutex interface.
Definition TVirtualMutex.h:32
pt
TPaveText * pt
Definition entrylist_figure1.C:7
line
TLine * line
Definition entrylistblock_figure1.C:235
inv
void inv(rsa_NUMBER *, rsa_NUMBER *, rsa_NUMBER *)
Definition rsaaux.cxx:949
rsa_STRLEN
#define rsa_STRLEN
Definition rsadef.h:87
FileStat_t
Definition TSystem.h:132
FileStat_t::fMode
Int_t fMode
Definition TSystem.h:135
R__rsa_KEY_export
Definition TAuthenticate.cxx:83
R__rsa_KEY
Definition TAuthenticate.cxx:82
R__rsa_KEY::R__rsa_KEY
R__rsa_KEY()
Definition TAuthenticate.cxx:82
R__rsa_NUMBER
Definition TAuthenticate.cxx:84
UserGroup_t
Definition TSystem.h:146
rsa_KEY_export
Definition rsadef.h:116
rsa_KEY
Definition rsadef.h:112
rsa_NUMBER
Definition rsadef.h:104
m
TMarker m
Definition textangle.C:8
l
TLine l
Definition textangle.C:4
t1
auto * t1
Definition textangle.C:20