Grid Community Toolkit
6.2.1629922860 (tag: v6.2.20210826)
Typedefs
typedef void (*globus_xio_gsi_delegation_init_callback_t)(globus_result_t result, void *user_arg)
typedef void (*globus_xio_gsi_delegation_accept_callback_t)(globus_result_t result, gss_cred_id_t delegated_cred, OM_uint32 time_rec, void *user_arg)
Globus XIO GSI Driver.
An XIO handle with the gsi driver can be created with either globus_xio_handle_create() or globus_xio_server_register_accept().
If the handle is created with globus_xio_server_register_accept(), the globus_xio_register_open() call will proceed to accept a GSSAPI security context. Upon successful completion of the open (after the open callback has been called) the application may proceed to read or write data associated with the GSI session.
If the handle is created with globus_xio_handle_create(), then the XIO handle will implement the client side (init) of the GSSAPI call sequence and establish a security context with the accepting side indicated by the contact_string passed to globus_xio_register_open().
The GSI driver behaves similarly to the underlying transport driver with respect to reads and writes, except for the try-read and try-write operations (i.e. waitforbytes == 0), which always return immediately. This is because the security layer needs to read and write tokens of a certain minimal size and therefore has to rely on the underlying transport handling reads and writes of more than 0 bytes, which is not possible in "try" mode.
globus_xio_server_create() causes a new transport-specific listener socket to be created to handle new GSI connections. globus_xio_server_register_accept() will accept a new connection for processing. globus_xio_server_register_close() cleans up the internal resources associated with the server and calls close on the listener.
All accepted handles inherit all GSI-specific attributes set in the attr passed to globus_xio_server_create(), but these can be overridden with the attr passed to globus_xio_register_open(). Furthermore, accepted handles will use the GSSAPI accept security context call unless explicitly overridden during the globus_xio_register_open() call (GLOBUS_XIO_GSI_FORCE_SERVER_MODE).
The gsi driver uses the following environment variables
For details see Globus: GSI Environment Variables
GSI driver specific attrs and cntls
The GSI driver uses mostly GSSAPI calls, so it generally just wraps the underlying GSSAPI errors or uses generic XIO errors.
typedef void (*globus_xio_gsi_delegation_accept_callback_t)(globus_result_t result, gss_cred_id_t delegated_cred, OM_uint32 time_rec, void *user_arg)
Globus XIO GSI accept delegation callback
typedef void (*globus_xio_gsi_delegation_init_callback_t)(globus_result_t result, void *user_arg)
Globus XIO GSI init delegation callback
Globus XIO GSI authorization modes
enum globus_xio_gsi_cmd_t
GSI driver specific cntls

Enumerator | See usage for
---|---
GLOBUS_XIO_GSI_SET_CREDENTIAL | globus_xio_gsi_attr_cntl, globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_GET_CREDENTIAL | globus_xio_gsi_attr_cntl, globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_SET_GSSAPI_REQ_FLAGS | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_GSSAPI_REQ_FLAGS | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_PROXY_MODE | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_PROXY_MODE | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_AUTHORIZATION_MODE | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_AUTHORIZATION_MODE | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_DELEGATION_MODE | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_DELEGATION_MODE | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_SSL_COMPATIBLE | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_ANON | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_WRAP_MODE | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_WRAP_MODE | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_BUFFER_SIZE | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_BUFFER_SIZE | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_PROTECTION_LEVEL | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_PROTECTION_LEVEL | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_TARGET_NAME | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_TARGET_NAME | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_CONTEXT | globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_GET_DELEGATED_CRED | globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_GET_PEER_NAME | globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_GET_LOCAL_NAME | globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_INIT_DELEGATION | globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_REGISTER_INIT_DELEGATION | globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_ACCEPT_DELEGATION | globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_REGISTER_ACCEPT_DELEGATION | globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_FORCE_SERVER_MODE | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_ALLOW_MISSING_SIGNING_POLICY | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_ALLOW_MISSING_SIGNING_POLICY | globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_CREDENTIALS_DIR | globus_xio_gsi_attr_cntl, globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_SET_APPLICATION_PROTOCOLS | globus_xio_gsi_attr_cntl, globus_xio_gsi_handle_cntl
GSI driver specific error types
Globus XIO GSI proxy modes
globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_SET_CREDENTIAL, gss_cred_id_t credential)
This is an overloaded member function, provided for convenience. It differs from the above function only in what argument(s) it accepts. Set the credential to be used.
credential | The credential to set. The credential structure needs to remain valid for the lifetime of any XIO data structure it is used by.
globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_GET_CREDENTIAL, gss_cred_id_t *credential)
Get the credential to be used.
credential | The credential that is currently set. This will only return a credential if a credential was explicitly set prior to this call. It will not return any credential automatically acquired during context initialization.

globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_SET_GSSAPI_REQ_FLAGS, OM_uint32 req_flags)
Set the GSSAPI req_flags to be used.
req_flags | The req_flags to set

globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_GET_GSSAPI_REQ_FLAGS, OM_uint32 *req_flags)
Get the GSSAPI req_flags to be used.
req_flags | The req_flags currently in effect

globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_SET_PROXY_MODE, globus_xio_gsi_proxy_mode_t proxy_mode)
Set the proxy mode.
proxy_mode | The proxy mode to set
string opt: proxy="many"|"full"|"limited"

globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_GET_PROXY_MODE, globus_xio_gsi_proxy_mode_t *proxy_mode)
Get the proxy mode.
proxy_mode | The proxy mode that is currently in effect

globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_SET_AUTHORIZATION_MODE, globus_xio_gsi_authorization_mode_t authz_mode)
Set the authorization mode.
authz_mode | The authorization mode to set
string opt: auth="none"|"self"|"host"|"id"

globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_GET_AUTHORIZATION_MODE, globus_xio_gsi_authorization_mode_t *authz_mode)
Get the authorization mode.
authz_mode | The authorization mode that is currently in effect

globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_SET_DELEGATION_MODE, globus_xio_gsi_delegation_mode_t delegation_mode)
Set the delegation mode.
delegation_mode | The delegation mode to use

globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_GET_DELEGATION_MODE, globus_xio_gsi_delegation_mode_t *delegation_mode)
Get the delegation mode.
delegation_mode | The delegation mode currently in effect
globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_SET_SSL_COMPATIBLE, globus_bool_t ssl_mode)
Make the on-the-wire protocol SSL compatible. This implies no wrapping of security tokens and no delegation.
ssl_mode | The SSL compatibility mode to use
string opt: ssl_compatible="true"|"false"

globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_SET_ANON, globus_bool_t anon_mode)
Do anonymous authentication.
anon_mode | The anonymous authentication mode to use
globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_SET_WRAP_MODE, globus_bool_t wrap_mode)
Set the wrapping mode. This mode determines whether tokens will be wrapped with a Globus IO style header or not.
wrap_mode | The wrapping mode to use

globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_GET_WRAP_MODE, globus_bool_t *wrap_mode)
Get the wrapping mode. This mode determines whether tokens will be wrapped with a Globus IO style header or not.
wrap_mode | The wrapping mode currently in use.
globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_SET_BUFFER_SIZE, globus_size_t buffer_size)
Set the read buffer size. The read buffer is used for buffering wrapped data; it is initialized with a default size of 128K and scaled dynamically so that it can always hold whole tokens.
buffer_size | The size of the read buffer

globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_GET_BUFFER_SIZE, globus_size_t *buffer_size)
Get the read buffer size. The read buffer is used for buffering wrapped data; it is initialized with a default size of 128K and scaled dynamically so that it can always hold whole tokens.
buffer_size | The size of the read buffer
globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_SET_PROTECTION_LEVEL, globus_xio_gsi_protection_level_t protection_level)
Set the protection level.
protection_level | The protection level to set
string opt: protection="none"|"private"|"integrity"

globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_GET_PROTECTION_LEVEL, globus_xio_gsi_protection_level_t *protection_level)
Get the protection level.
protection_level | The current protection level
globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_GET_TARGET_NAME, gss_name_t *target_name)
Get the expected peer name.
target_name | The expected peer name

globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_SET_TARGET_NAME, gss_name_t target_name)
Set the expected peer name.
target_name | The expected peer name
string opt: subject=string
globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_FORCE_SERVER_MODE, globus_bool_t server_mode)
Force the server mode setting. This explicitly sets the directionality of context establishment and delegation.
server_mode | The server mode.

globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_SET_ALLOW_MISSING_SIGNING_POLICY, globus_bool_t allow)
Set the allow missing signing policy flag.
allow | The flag setting to use

globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_GET_ALLOW_MISSING_SIGNING_POLICY, globus_bool_t *allow)
Get the allow missing signing policy flag.
allow | The flag currently set

globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_SET_CREDENTIALS_DIR, const char *directory)
Set the directory for credentials to use when accepting a security context. This is used when a service requires different credentials based on the SNI TLS extension.
directory | The path to the directory containing credentials.
string opt: credentials_dir=string
globus_result_t globus_xio_gsi_attr_cntl(attr, driver, GLOBUS_XIO_GSI_SET_APPLICATION_PROTOCOLS, char **protocols)
Set the list of application protocols to negotiate during the TLS handshake. This uses the TLS ALPN extension.
protocols | An array of protocol names. The array must be terminated by a NULL pointer.
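The string options documented above (proxy, auth, ssl_compatible, protection, subject, credentials_dir) are the form most likely to end up in a deployment config, so a reviewer wants a way to validate them and spot the weak combinations before they reach the driver. The following C example is added here and is not part of the Grid Community Toolkit: it parses such an option string against the documented value sets and reports the settings that weaken the connection (auth=none, protection=none, and ssl_compatible=true, which per the documentation above disables token wrapping and delegation). The ';' separator between key=value pairs, the names gsi_opts_parse and gsi_opts_check, and the sample strings are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Keys and values as documented in the GSI driver's "string opt" forms above.
 * The ';' separator between key=value pairs is an assumption of this example. */
static const char *const AUTH_VALUES[]  = {"none", "self", "host", "id", NULL};
static const char *const PROT_VALUES[]  = {"none", "private", "integrity", NULL};
static const char *const PROXY_VALUES[] = {"many", "full", "limited", NULL};
static const char *const BOOL_VALUES[]  = {"true", "false", NULL};

typedef struct {
    char auth[16], protection[16], proxy[16], ssl_compatible[8];
    char subject[256], credentials_dir[256];
} gsi_opts_t;

/* Copies val into dst if it is within the allowed set (NULL = free text). */
static int set_opt(char *dst, size_t cap, const char *val, const char *const *allowed)
{
    if (allowed) {
        while (*allowed && strcmp(val, *allowed) != 0) allowed++;
        if (!*allowed) return -1;
    }
    if (strlen(val) >= cap) return -1;
    strcpy(dst, val);
    return 0;
}

/* Parses "key=value;key=value" into o: 0 on success, -1 on an unknown key, a value
 * outside the documented set, or an overlong value. Each pair is split at its
 * first '=' only, so a subject such as "/DC=org/CN=x" survives intact. */
int gsi_opts_parse(const char *spec, gsi_opts_t *o)
{
    const char *p = spec;
    memset(o, 0, sizeof *o);
    while (*p) {
        const char *end = strchr(p, ';'), *val;
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char pair[512], *eq;
        int rc;
        if (len == 0 || len >= sizeof pair) return -1;
        memcpy(pair, p, len);
        pair[len] = '\0';
        if (!(eq = strchr(pair, '='))) return -1;
        *eq = '\0';
        val = eq + 1;
        if      (!strcmp(pair, "auth"))            rc = set_opt(o->auth, 16, val, AUTH_VALUES);
        else if (!strcmp(pair, "protection"))      rc = set_opt(o->protection, 16, val, PROT_VALUES);
        else if (!strcmp(pair, "proxy"))           rc = set_opt(o->proxy, 16, val, PROXY_VALUES);
        else if (!strcmp(pair, "ssl_compatible"))  rc = set_opt(o->ssl_compatible, 8, val, BOOL_VALUES);
        else if (!strcmp(pair, "subject"))         rc = set_opt(o->subject, 256, val, NULL);
        else if (!strcmp(pair, "credentials_dir")) rc = set_opt(o->credentials_dir, 256, val, NULL);
        else return -1;
        if (rc) return -1;
        p = end ? end + 1 : p + len;
    }
    return 0;
}

/* Appends a note for each setting a reviewer would question; returns the count. */
int gsi_opts_check(const gsi_opts_t *o, char *reasons, size_t cap)
{
    int n = 0;
    reasons[0] = '\0';
    if (!strcmp(o->auth, "none")) { n++; strncat(reasons, "auth=none: peer not authorized; ", cap - strlen(reasons) - 1); }
    if (!strcmp(o->protection, "none")) { n++; strncat(reasons, "protection=none: no integrity/privacy; ", cap - strlen(reasons) - 1); }
    if (!strcmp(o->ssl_compatible, "true")) { n++; strncat(reasons, "ssl_compatible=true: no token wrapping, no delegation; ", cap - strlen(reasons) - 1); }
    return n;
}
```

Running gsi_opts_parse followed by gsi_opts_check on the constructed string "auth=none;protection=none;ssl_compatible=true" reports three findings, while "auth=host;protection=private;proxy=limited;subject=/DC=org/CN=host/svc.example.org" parses cleanly (subject kept whole despite its embedded '=') and reports none.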
globus_result_t globus_xio_gsi_handle_cntl(handle, driver, GLOBUS_XIO_GSI_SET_CREDENTIAL, gss_cred_id_t credential)
This is an overloaded member function, provided for convenience. It differs from the above function only in what argument(s) it accepts. Set the credential to be used.
credential | The credential to set. The credential structure needs to remain valid for the lifetime of any XIO data structure it is used by.
globus_result_t globus_xio_gsi_handle_cntl(handle, driver, GLOBUS_XIO_GSI_GET_CREDENTIAL, gss_cred_id_t *credential)
Get the credential to be used.
credential | The credential that is currently set. This will only return a credential if a credential was explicitly set prior to this call. It will not return any credential automatically acquired during context initialization.

globus_result_t globus_xio_gsi_handle_cntl(handle, driver, GLOBUS_XIO_GSI_GET_CONTEXT, gss_ctx_id_t *context)
Get the GSS context.
context | The GSS context

globus_result_t globus_xio_gsi_handle_cntl(handle, driver, GLOBUS_XIO_GSI_GET_DELEGATED_CRED, gss_cred_id_t *credential)
Get the delegated credential.
credential | The delegated credential

globus_result_t globus_xio_gsi_handle_cntl(handle, driver, GLOBUS_XIO_GSI_GET_PEER_NAME, gss_name_t *peer_name)
Get the name of the peer.
peer_name | The GSS name of the peer.

globus_result_t globus_xio_gsi_handle_cntl(handle, driver, GLOBUS_XIO_GSI_GET_LOCAL_NAME, gss_name_t *local_name)
Get the GSS name associated with the local credentials.
local_name | The GSS name of the local credentials
globus_result_t globus_xio_gsi_handle_cntl(handle, driver, GLOBUS_XIO_GSI_INIT_DELEGATION, gss_cred_id_t credential, gss_OID_set restriction_oids, gss_buffer_set_t restriction_buffers, OM_uint32 time_req)
Initialize the delegation-at-any-time process.
credential | The GSS credential to delegate
restriction_oids | The OIDs for X.509 extensions to embed in the delegated credential
restriction_buffers | The corresponding bodies for the X.509 extensions
time_req | The lifetime of the delegated credential
globus_result_t globus_xio_gsi_handle_cntl(handle, driver, GLOBUS_XIO_GSI_REGISTER_INIT_DELEGATION, gss_cred_id_t credential, gss_OID_set restriction_oids, gss_buffer_set_t restriction_buffers, OM_uint32 time_req, globus_xio_gsi_delegation_init_callback_t callback, void *callback_arg)
Initialize the non-blocking delegation-at-any-time process.
credential | The GSS credential to delegate
restriction_oids | The OIDs for X.509 extensions to embed in the delegated credential
restriction_buffers | The corresponding bodies for the X.509 extensions
time_req | The lifetime of the delegated credential
callback | The callback to call when the operation completes
callback_arg | The argument to pass to the callback

globus_result_t globus_xio_gsi_handle_cntl(handle, driver, GLOBUS_XIO_GSI_ACCEPT_DELEGATION, gss_cred_id_t *credential, gss_OID_set restriction_oids, gss_buffer_set_t restriction_buffers, OM_uint32 time_req)
Accept the delegation-at-any-time process.
credential | The delegated GSS credential
restriction_oids | The OIDs for X.509 extensions to embed in the delegated credential
restriction_buffers | The corresponding bodies for the X.509 extensions
time_req | The requested lifetime of the delegated credential

globus_result_t globus_xio_gsi_handle_cntl(handle, driver, GLOBUS_XIO_GSI_REGISTER_ACCEPT_DELEGATION, gss_OID_set restriction_oids, gss_buffer_set_t restriction_buffers, OM_uint32 time_req, globus_xio_gsi_delegation_accept_callback_t callback, void *callback_arg)
Accept the non-blocking delegation-at-any-time process.
restriction_oids | The OIDs for X.509 extensions to embed in the delegated credential
restriction_buffers | The corresponding bodies for the X.509 extensions
time_req | The lifetime of the delegated credential
callback | The callback to call when the operation completes
callback_arg | The argument to pass to the callback
globus_result_t globus_xio_gsi_handle_cntl(handle, driver, GLOBUS_XIO_GSI_SET_CREDENTIALS_DIR, const char *directory)
Set the directory for credentials to use when accepting a security context. This is used when a service requires different credentials based on the SNI TLS extension.
directory | The path to the directory containing credentials.
string opt: credentials_dir=string
globus_result_t globus_xio_gsi_handle_cntl(handle, driver, GLOBUS_XIO_GSI_SET_APPLICATION_PROTOCOLS, char **protocols)
Set the list of application protocols to negotiate during the TLS handshake. This uses the TLS ALPN extension.
protocols | An array of protocol names. The array must be terminated by a NULL pointer.