Globus XIO GSI driver
An XIO handle with the gsi driver can be created with either globus_xio_handle_create() or globus_xio_server_register_accept().
If the handle is created with globus_xio_server_register_accept(), the globus_xio_register_open() call will proceed to accept a GSSAPI security context. Upon successful completion of the open (after the open callback has been called) the application may proceed to read or write data associated with the GSI session.
If the handle is created with globus_xio_handle_create(), then the XIO handle will implement the client side (init) of the GSSAPI call sequence and establish a security context with the accepting side indicated by the contact_string passed to globus_xio_register_open().
The GSI driver behaves similarly to the underlying transport driver with respect to reads and writes, except for the try-read and try-write operations (i.e. waitforbytes == 0), which always return immediately. This is because the security layer needs to read and write tokens of a certain minimal size and therefore has to rely on the underlying transport to handle reads/writes of more than 0 bytes, which is not possible in 'try' mode.
globus_xio_server_create() causes a new transport-specific listener socket to be created to handle new GSI connections. globus_xio_server_register_accept() will accept a new connection for processing. globus_xio_server_register_close() cleans up the internal resources associated with the server and calls close on the listener.
All accepted handles inherit the GSI-specific attributes set in the attr passed to globus_xio_server_create(), but these can be overridden with the attr passed to globus_xio_register_open(). Furthermore, accepted handles will use the GSSAPI accept security context call unless explicitly overridden during the globus_xio_register_open() call (GLOBUS_XIO_GSI_FORCE_SERVER_MODE).
The gsi driver uses the following environment variables:
X509_USER_PROXY
X509_USER_CERT
X509_USER_KEY
X509_CERT_DIR
For details see Globus: GSI Environment Variables
GSI driver specific attrs and cntls
See also:
globus_xio_attr_cntl()
globus_xio_handle_cntl()
The GSI driver uses mostly GSSAPI calls, so it generally just wraps the underlying GSSAPI errors or uses generic XIO errors.
See also:
globus_xio_driver_error_match()
globus_error_gssapi_match()
globus_error_match_openssl_error()
Globus XIO GSI init delegation callback
Globus XIO GSI authorization modes
Enumerator
GLOBUS_XIO_GSI_NO_AUTHORIZATION
Do not perform any authorization. This will cause an error when used in conjunction with delegation on the init/client side.
GLOBUS_XIO_GSI_SELF_AUTHORIZATION
Authorize the peer if the peer has the same identity as ourselves.
GLOBUS_XIO_GSI_IDENTITY_AUTHORIZATION
Authorize the peer if the peer identity matches the identity set in the target name.
GLOBUS_XIO_GSI_HOST_AUTHORIZATION
Authorize the peer if the identity of the peer matches the identity of the peer hostname.
GSI driver specific cntls
Enumerator
GLOBUS_XIO_GSI_SET_CREDENTIAL
See usage for: globus_xio_gsi_attr_cntl , globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_GET_CREDENTIAL
See usage for: globus_xio_gsi_attr_cntl , globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_SET_GSSAPI_REQ_FLAGS
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_GSSAPI_REQ_FLAGS
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_PROXY_MODE
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_PROXY_MODE
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_AUTHORIZATION_MODE
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_AUTHORIZATION_MODE
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_DELEGATION_MODE
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_DELEGATION_MODE
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_SSL_COMPATIBLE
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_ANON
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_WRAP_MODE
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_WRAP_MODE
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_BUFFER_SIZE
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_BUFFER_SIZE
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_PROTECTION_LEVEL
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_PROTECTION_LEVEL
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_TARGET_NAME
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_TARGET_NAME
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_CONTEXT
See usage for: globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_GET_DELEGATED_CRED
See usage for: globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_GET_PEER_NAME
See usage for: globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_GET_LOCAL_NAME
See usage for: globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_INIT_DELEGATION
See usage for: globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_REGISTER_INIT_DELEGATION
See usage for: globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_ACCEPT_DELEGATION
See usage for: globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_REGISTER_ACCEPT_DELEGATION
See usage for: globus_xio_gsi_handle_cntl
GLOBUS_XIO_GSI_FORCE_SERVER_MODE
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_SET_ALLOW_MISSING_SIGNING_POLICY
See usage for: globus_xio_gsi_attr_cntl
GLOBUS_XIO_GSI_GET_ALLOW_MISSING_SIGNING_POLICY
See usage for: globus_xio_gsi_attr_cntl
Globus XIO GSI delegation modes
Enumerator
GLOBUS_XIO_GSI_DELEGATION_MODE_NONE
No delegation
GLOBUS_XIO_GSI_DELEGATION_MODE_LIMITED
Delegate a limited proxy
GLOBUS_XIO_GSI_DELEGATION_MODE_FULL
Delegate a full proxy
GSI driver specific error types
Enumerator
GLOBUS_XIO_GSI_ERROR_INVALID_PROTECTION_LEVEL
Indicates that the established context does not meet the required protection level
GLOBUS_XIO_GSI_ERROR_WRAP_GSSAPI
Wraps a GSSAPI error
GLOBUS_XIO_GSI_ERROR_EMPTY_TARGET_NAME
Indicates that GLOBUS_XIO_GSI_IDENTITY_AUTHORIZATION is set but that the target name is empty
GLOBUS_XIO_GSI_ERROR_EMPTY_HOST_NAME
Indicates that GLOBUS_XIO_GSI_HOST_AUTHORIZATION is set but that no host name is available
GLOBUS_XIO_GSI_AUTHORIZATION_FAILED
Indicates that the peer is not authorized
GLOBUS_XIO_GSI_ERROR_TOKEN_TOO_BIG
Indicates that the token being read is too big. This usually happens when someone tries to establish a non-secure session with an endpoint that expects security.
Globus XIO GSI protection levels
Enumerator
GLOBUS_XIO_GSI_PROTECTION_LEVEL_NONE
No security
GLOBUS_XIO_GSI_PROTECTION_LEVEL_INTEGRITY
Messages are signed
GLOBUS_XIO_GSI_PROTECTION_LEVEL_PRIVACY
Messages are signed and encrypted
Globus XIO GSI proxy modes
Enumerator
GLOBUS_XIO_GSI_PROXY_MODE_FULL
Accept only full proxies
GLOBUS_XIO_GSI_PROXY_MODE_LIMITED
Accept full proxies and limited proxies if they are the only limited proxy in the cert chain.
GLOBUS_XIO_GSI_PROXY_MODE_MANY
Accept both full and limited proxies unconditionally
Set the credential to be used.
Parameters:
credential The credential to set. The credential structure needs to remain valid for the lifetime of any XIO data structure it is used by.
Note:
If this is called with the handle_cntl, there must be no outstanding operations on the handle.
Get the credential to be used.
Parameters:
credential The credential that is currently set. This will only return a credential if a credential was explicitly set prior to this call. It will not return any credential automatically acquired during context initialization.
Set the GSSAPI req_flags to be used.
Parameters:
req_flags The req_flags to set
Get the GSSAPI req_flags to be used.
Parameters:
req_flags The req flags currently in effect
Set the proxy mode.
Parameters:
proxy_mode The proxy mode to set
Note:
Changing the proxy mode changes the req_flags
Get the proxy mode.
Parameters:
proxy_mode The proxy mode that is currently in effect
Note:
Changing the proxy mode changes the req_flags
Set the authorization mode.
Parameters:
authz_mode The authorization mode to set
Get the authorization mode.
Parameters:
authz_mode The authorization mode that is currently in effect
Set the delegation mode.
Parameters:
delegation_mode The delegation mode to use
Note:
Changing the delegation mode changes the req_flags
Get the delegation mode.
Parameters:
delegation_mode The delegation mode currently in effect
Make the on-the-wire protocol SSL compatible.
This implies no wrapping of security tokens and no delegation.
Parameters:
ssl_mode The ssl compatibility mode to use
Note:
Changing the ssl compatibility mode changes the req_flags
Do anonymous authentication.
Parameters:
anon_mode The anonymous authentication mode to use
Note:
Changing the anonymous authentication mode changes the req_flags and the wrapping mode
Set the wrapping mode.
This mode determines whether tokens will be wrapped with a Globus IO style header or not.
Parameters:
wrap_mode The wrapping mode to use
Get the wrapping mode.
This mode determines whether tokens will be wrapped with a Globus IO style header or not.
Parameters:
wrap_mode The wrapping mode currently in use.
Set the read buffer size.
The read buffer is used for buffering wrapped data, is initialized with a default size of 128K and scaled dynamically to always be able to fit whole tokens.
Parameters:
buffer_size The size of the read buffer
Get the read buffer size.
The read buffer is used for buffering wrapped data, is initialized with a default size of 128K and scaled dynamically to always be able to fit whole tokens.
Parameters:
buffer_size The size of the read buffer
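As an added illustration (not part of the Globus source or of this page), the C reader below implements the wrapped-token framing referred to by the wrap mode and read buffer size cntls and shows how the GLOBUS_XIO_GSI_ERROR_TOKEN_TOO_BIG case listed under the error types arises when a non-secure peer connects. It assumes the "Globus IO style header" is a 4-byte big-endian length prefix, and uses an assumed hard cap GSI_MAX_TOKEN in place of the driver's dynamically scaled read buffer.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not Globus code. Assumed framing: the "Globus IO style
 * header" is a 4-byte big-endian token length followed by the token body.
 * GSI_MAX_TOKEN is an assumed hard cap standing in for the driver's
 * dynamically scaled read buffer (128K default according to the page). */
#define GSI_MAX_TOKEN (128 * 1024)

enum token_status {
    TOKEN_OK = 0,    /* a whole token is available */
    TOKEN_NEED_MORE, /* grow/refill the read buffer and read again */
    TOKEN_TOO_BIG    /* mirrors GLOBUS_XIO_GSI_ERROR_TOKEN_TOO_BIG */
};

/* Parse one wrapped token from buf[0..len). On TOKEN_OK, *body/*body_len
 * describe the token and *consumed is the number of bytes to drop. */
enum token_status
gsi_read_wrapped_token(const unsigned char *buf, size_t len, size_t max_token,
                       const unsigned char **body, size_t *body_len,
                       size_t *consumed)
{
    uint32_t declared;
    if (len < 4)
        return TOKEN_NEED_MORE; /* header not yet complete */
    declared = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
               ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    /* A peer speaking plaintext (e.g. "GET / HTTP/1.0") sends no header;
     * its first four bytes decode to a length far beyond any real token,
     * which is the non-secure-client case the error type describes. */
    if (declared > max_token)
        return TOKEN_TOO_BIG;
    if (len - 4 < declared)
        return TOKEN_NEED_MORE; /* keep buffering until the whole token fits */
    *body = buf + 4;
    *body_len = declared;
    *consumed = 4 + (size_t)declared;
    return TOKEN_OK;
}

/* Classify a raw buffer with the default cap; body pointers are discarded. */
enum token_status gsi_classify(const unsigned char *buf, size_t len)
{
    const unsigned char *body;
    size_t body_len, consumed;
    return gsi_read_wrapped_token(buf, len, GSI_MAX_TOKEN,
                                  &body, &body_len, &consumed);
}
```

A real driver would retry TOKEN_NEED_MORE after enlarging the read buffer, which is the "scaled dynamically to always be able to fit whole tokens" behaviour the cntl description refers to.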
Set the protection level.
Parameters:
protection_level The protection level to set
Note:
Changing the protection level changes the req_flags
Get the protection level.
Parameters:
protection_level The current protection level
Set the expected peer name.
Parameters:
target_name The expected peer name
Get the expected peer name.
Parameters:
target_name The expected peer name
Force the server mode setting.
This explicitly sets the directionality of context establishment and delegation.
Parameters:
server_mode The server mode.
Set the allow missing signing policy flag.
Parameters:
allow The flag setting to use
Note:
Changing this flag changes the req_flags
Get the allow missing signing policy flag.
Parameters:
allow The flag currently set
Set the credential to be used.
Parameters:
credential The credential to set. The credential structure needs to remain valid for the lifetime of any XIO data structure it is used by.
Note:
If this is called with the handle_cntl, there must be no outstanding operations on the handle.
Get the credential to be used.
Parameters:
credential The credential that is currently set. This will only return a credential if a credential was explicitly set prior to this call. It will not return any credential automatically acquired during context initialization.
Get the GSS context.
Parameters:
context The GSS context
Get the delegated credential.
Parameters:
credential The delegated credential
Get the name of the peer.
Parameters:
peer_name The GSS name of the peer.
Get the GSS name associated with the local credentials.
Parameters:
local_name The GSS name of the local credentials
Initialize the delegation-at-any-time process.
Parameters:
credential The GSS credential to delegate
restriction_oids The OIDs for X.509 extensions to embed in the delegated credential
restriction_buffers The corresponding bodies for the X.509 extensions
time_req The lifetime of the delegated credential
Initialize the non-blocking delegation-at-any-time process.
Parameters:
credential The GSS credential to delegate
restriction_oids The OIDs for X.509 extensions to embed in the delegated credential
restriction_buffers The corresponding bodies for the X.509 extensions
time_req The lifetime of the delegated credential
callback The callback to call when the operation completes
callback_arg The arguments to pass to the callback
Accept the delegation-at-any-time process.
Parameters:
credential The delegated GSS credential
restriction_oids The OIDs for X.509 extensions to embed in the delegated credential
restriction_buffers The corresponding bodies for the X.509 extensions
time_req The requested lifetime of the delegated credential
Accept the non-blocking delegation-at-any-time process.
Parameters:
restriction_oids The OIDs for X.509 extensions to embed in the delegated credential
restriction_buffers The corresponding bodies for the X.509 extensions
time_req The lifetime of the delegated credential
callback The callback to call when the operation completes
callback_arg The arguments to pass to the callback
Generated automatically by Doxygen for globus_xio_gsi_driver from the source code.