openmpi/opal/mca/sec/base/sec_base_stubs.c

/* -*- Mode: C; c-basic-offset:4 ; indent-tabs-mode:nil -*- */
/*
 * Copyright (c) 2014-2015 Intel, Inc. All rights reserved.
 * Copyright (c) 2015      Los Alamos National Security, LLC. All rights
 *                         reserved.
 * $COPYRIGHT$
 *
 * Additional copyrights may follow
 *
 * $HEADER$
 */


#include "opal_config.h"
#include "opal/constants.h"

#include "opal/mca/mca.h"
#include "opal/util/error.h"
#include "opal/util/output.h"
#include "opal/mca/base/base.h"
#include "opal/dss/dss_types.h"

#include "opal/mca/sec/base/base.h"

static void cleanup_cred(opal_sec_cred_t *cred)
{
    if (NULL == cred) {
        return;
    }
    if (NULL != cred->method) {
        free(cred->method);
        cred->method = NULL;
    }
    if (NULL != cred->credential) {
        free(cred->credential);
        cred->credential = NULL;
    }
}

int opal_sec_base_get_cred(char *method,
                           opal_process_name_t *my_id,
                           char **payload, size_t *size)
{
    opal_sec_handle_t *hdl;
    opal_sec_cred_t cred;
    opal_buffer_t buf;
    int rc;

    opal_output_verbose(5, opal_sec_base_framework.framework_output,
                        "Requesting credential from source %s",
                        (NULL == method) ? "ANY" : method);

    OBJ_CONSTRUCT(&buf, opal_buffer_t);
    OPAL_LIST_FOREACH(hdl, &opal_sec_base_actives, opal_sec_handle_t) {
        if (NULL != method && 0 != strcmp(method, hdl->component->mca_component_name)) {
            continue;
        }
        if (OPAL_SUCCESS == hdl->module->get_my_credential(my_id, &cred)) {
            opal_output_verbose(5, opal_sec_base_framework.framework_output,
                                "Created credential from source %s", hdl->component->mca_component_name);
            /* pack the credential */
            if (OPAL_SUCCESS != (rc = opal_dss.pack(&buf, &cred.method, 1, OPAL_STRING))) {
                OPAL_ERROR_LOG(rc);
                cleanup_cred(&cred);
                OBJ_DESTRUCT(&buf);
                return rc;
            }
            if (OPAL_SUCCESS != (rc = opal_dss.pack(&buf, &cred.size, 1, OPAL_SIZE))) {
                OPAL_ERROR_LOG(rc);
                cleanup_cred(&cred);
                OBJ_DESTRUCT(&buf);
                return rc;
            }
            if (0 < cred.size) {
                if (OPAL_SUCCESS != (rc = opal_dss.pack(&buf, cred.credential, cred.size, OPAL_BYTE))) {
                    OPAL_ERROR_LOG(rc);
                    cleanup_cred(&cred);
                    OBJ_DESTRUCT(&buf);
                    return rc;
                }
            }
            opal_output_verbose(5, opal_sec_base_framework.framework_output,
                                "opal_sec: Created credential %s of size %lu",
                                cred.credential, (unsigned long)cred.size);
            cleanup_cred(&cred);
        }
    }
    if (0 == buf.bytes_used) {
        OBJ_DESTRUCT(&buf);
        return OPAL_ERROR;
    }
    *payload = buf.base_ptr;
    *size = buf.bytes_used;
    buf.base_ptr = NULL;
    buf.bytes_used = 0;
    OBJ_DESTRUCT(&buf);
    return OPAL_SUCCESS;
}


int opal_sec_base_validate(char *payload, size_t size, char **method)
{
    opal_sec_handle_t *hdl;
    opal_buffer_t buf;
    int cnt, rc;
    opal_sec_cred_t cred = {.method = NULL, .credential = NULL};

    opal_output_verbose(5, opal_sec_base_framework.framework_output,
                        "opal_sec: Received credential of size %lu",
                        (unsigned long)size);

    OBJ_CONSTRUCT(&buf, opal_buffer_t);
    opal_dss.load(&buf, payload, size);

    cnt = 1;
    while (OPAL_SUCCESS == (rc = opal_dss.unpack(&buf, &cred.method, &cnt, OPAL_STRING))) {
        opal_output_verbose(5, opal_sec_base_framework.framework_output,
                            "Received credential from source %s", cred.method);
        cnt=1;
        if (OPAL_SUCCESS != (rc = opal_dss.unpack(&buf, &cred.size, &cnt, OPAL_SIZE))) {
            OPAL_ERROR_LOG(rc);
            cleanup_cred(&cred);
            goto done;
        }
        opal_output_verbose(5, opal_sec_base_framework.framework_output,
                            "Received credential of size %lu", (unsigned long)cred.size);
        if (0 < cred.size) {
            cred.credential = (char*)malloc(cred.size);
            cnt=cred.size;
            if (OPAL_SUCCESS != (rc = opal_dss.unpack(&buf, cred.credential, &cnt, OPAL_BYTE))) {
                OPAL_ERROR_LOG(rc);
                cleanup_cred(&cred);
                goto done;
            }
            opal_output_verbose(5, opal_sec_base_framework.framework_output,
                                "Received credential %s", cred.credential);
        }
        OPAL_LIST_FOREACH(hdl, &opal_sec_base_actives, opal_sec_handle_t) {
            if (NULL != cred.method &&
                0 != strcmp(cred.method, hdl->component->mca_component_name)) {
                continue;
            }
            if (OPAL_SUCCESS == hdl->module->authenticate(&cred)) {
                rc = OPAL_SUCCESS;
                /* record the method */
                if (NULL != method) {
                    if (NULL != *method) {
                        free(*method);
                    }
                    *method = strdup(cred.method);
                }
                cleanup_cred(&cred);
                goto done;
            }
        }
        cleanup_cred(&cred);
        cnt = 1;
    }
    /* if we get here, then nothing authenticated */
    rc = OPAL_ERR_AUTHENTICATION_FAILED;

 done:
    buf.base_ptr = NULL;
    OBJ_DESTRUCT(&buf);
    return rc;
}
sec/base: fix coverity issues CID 1292483 Uninitialized pointer read (UNINIT) Initialize the method and credential members of the opal_sec_cred_t to avoid possible invalid read when calling cleanup_cred. CID 1292484 Double free (USE_AFTER_FREE) Set method and credential members to NULL after freeing in cleanup_cred. Signed-off-by: Nathan Hjelm <hjelmn@lanl.gov> 2015-05-27 09:19:56 -06:00			`/* -- Mode: C; c-basic-offset:4 ; indent-tabs-mode:nil -- */`
Allow for different security domains. Let the initiator of the connection determine the method to be used - if the receiver cannot support it, then that's an error that will cause the connection attempt to fail. 2015-03-25 13:17:47 -07:00			`/*`
			`* Copyright (c) 2014-2015 Intel, Inc. All rights reserved.`
sec/base: fix coverity issues CID 1292483 Uninitialized pointer read (UNINIT) Initialize the method and credential members of the opal_sec_cred_t to avoid possible invalid read when calling cleanup_cred. CID 1292484 Double free (USE_AFTER_FREE) Set method and credential members to NULL after freeing in cleanup_cred. Signed-off-by: Nathan Hjelm <hjelmn@lanl.gov> 2015-05-27 09:19:56 -06:00			`* Copyright (c) 2015 Los Alamos National Security, LLC. All rights`
			`* reserved.`
Allow for different security domains. Let the initiator of the connection determine the method to be used - if the receiver cannot support it, then that's an error that will cause the connection attempt to fail. 2015-03-25 13:17:47 -07:00			`* $COPYRIGHT$`
Purge whitespace from the repo 2015-06-23 20:59:57 -07:00			`*`
Allow for different security domains. Let the initiator of the connection determine the method to be used - if the receiver cannot support it, then that's an error that will cause the connection attempt to fail. 2015-03-25 13:17:47 -07:00			`* Additional copyrights may follow`
Purge whitespace from the repo 2015-06-23 20:59:57 -07:00			`*`
Allow for different security domains. Let the initiator of the connection determine the method to be used - if the receiver cannot support it, then that's an error that will cause the connection attempt to fail. 2015-03-25 13:17:47 -07:00			`* $HEADER$`
			`*/`


			`#include "opal_config.h"`
			`#include "opal/constants.h"`

			`#include "opal/mca/mca.h"`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`#include "opal/util/error.h"`
Allow for different security domains. Let the initiator of the connection determine the method to be used - if the receiver cannot support it, then that's an error that will cause the connection attempt to fail. 2015-03-25 13:17:47 -07:00			`#include "opal/util/output.h"`
			`#include "opal/mca/base/base.h"`
			`#include "opal/dss/dss_types.h"`

			`#include "opal/mca/sec/base/base.h"`

Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`static void cleanup_cred(opal_sec_cred_t *cred)`
			`{`
			`if (NULL == cred) {`
			`return;`
			`}`
			`if (NULL != cred->method) {`
			`free(cred->method);`
sec/base: fix coverity issues CID 1292483 Uninitialized pointer read (UNINIT) Initialize the method and credential members of the opal_sec_cred_t to avoid possible invalid read when calling cleanup_cred. CID 1292484 Double free (USE_AFTER_FREE) Set method and credential members to NULL after freeing in cleanup_cred. Signed-off-by: Nathan Hjelm <hjelmn@lanl.gov> 2015-05-27 09:19:56 -06:00			`cred->method = NULL;`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`}`
			`if (NULL != cred->credential) {`
			`free(cred->credential);`
sec/base: fix coverity issues CID 1292483 Uninitialized pointer read (UNINIT) Initialize the method and credential members of the opal_sec_cred_t to avoid possible invalid read when calling cleanup_cred. CID 1292484 Double free (USE_AFTER_FREE) Set method and credential members to NULL after freeing in cleanup_cred. Signed-off-by: Nathan Hjelm <hjelmn@lanl.gov> 2015-05-27 09:19:56 -06:00			`cred->credential = NULL;`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`}`
			`}`

Allow for different security domains. Let the initiator of the connection determine the method to be used - if the receiver cannot support it, then that's an error that will cause the connection attempt to fail. 2015-03-25 13:17:47 -07:00			`int opal_sec_base_get_cred(char *method,`
			`opal_process_name_t *my_id,`
ckpt 2015-03-28 07:59:20 -07:00			`char *payload, size_t size)`
Allow for different security domains. Let the initiator of the connection determine the method to be used - if the receiver cannot support it, then that's an error that will cause the connection attempt to fail. 2015-03-25 13:17:47 -07:00			`{`
			`opal_sec_handle_t *hdl;`
ckpt 2015-03-28 07:59:20 -07:00			`opal_sec_cred_t cred;`
			`opal_buffer_t buf;`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`int rc;`
Purge whitespace from the repo 2015-06-23 20:59:57 -07:00
Allow for different security domains. Let the initiator of the connection determine the method to be used - if the receiver cannot support it, then that's an error that will cause the connection attempt to fail. 2015-03-25 13:17:47 -07:00			`opal_output_verbose(5, opal_sec_base_framework.framework_output,`
			`"Requesting credential from source %s",`
			`(NULL == method) ? "ANY" : method);`
ckpt 2015-03-28 07:59:20 -07:00
			`OBJ_CONSTRUCT(&buf, opal_buffer_t);`
Allow for different security domains. Let the initiator of the connection determine the method to be used - if the receiver cannot support it, then that's an error that will cause the connection attempt to fail. 2015-03-25 13:17:47 -07:00			`OPAL_LIST_FOREACH(hdl, &opal_sec_base_actives, opal_sec_handle_t) {`
			`if (NULL != method && 0 != strcmp(method, hdl->component->mca_component_name)) {`
			`continue;`
			`}`
Integrate PMIx 1.0 with OMPI. Bring Slurm PMI-1 component online Bring the s2 component online Little cleanup - let the various PMIx modules set the process name during init, and then just raise it up to the ORTE level. Required as the different PMI environments all pass the jobid in different ways. Bring the OMPI pubsub/pmi component online Get comm_spawn working again Ensure we always provide a cpuset, even if it is NULL pmix/cray: adjust cray pmix component for pmix Make changes so cray pmix can work within the integrated ompi/pmix framework. Bring singletons back online. Implement the comm_spawn operation using pmix - not tested yet Cleanup comm_spawn - procs now starting, error in connect_accept Complete integration 2015-06-18 09:53:20 -07:00			`if (OPAL_SUCCESS == hdl->module->get_my_credential(my_id, &cred)) {`
Allow for different security domains. Let the initiator of the connection determine the method to be used - if the receiver cannot support it, then that's an error that will cause the connection attempt to fail. 2015-03-25 13:17:47 -07:00			`opal_output_verbose(5, opal_sec_base_framework.framework_output,`
			`"Created credential from source %s", hdl->component->mca_component_name);`
ckpt 2015-03-28 07:59:20 -07:00			`/* pack the credential */`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`if (OPAL_SUCCESS != (rc = opal_dss.pack(&buf, &cred.method, 1, OPAL_STRING))) {`
			`OPAL_ERROR_LOG(rc);`
			`cleanup_cred(&cred);`
			`OBJ_DESTRUCT(&buf);`
			`return rc;`
			`}`
			`if (OPAL_SUCCESS != (rc = opal_dss.pack(&buf, &cred.size, 1, OPAL_SIZE))) {`
			`OPAL_ERROR_LOG(rc);`
			`cleanup_cred(&cred);`
			`OBJ_DESTRUCT(&buf);`
			`return rc;`
ckpt 2015-03-28 07:59:20 -07:00			`}`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`if (0 < cred.size) {`
			`if (OPAL_SUCCESS != (rc = opal_dss.pack(&buf, cred.credential, cred.size, OPAL_BYTE))) {`
			`OPAL_ERROR_LOG(rc);`
			`cleanup_cred(&cred);`
			`OBJ_DESTRUCT(&buf);`
			`return rc;`
			`}`
			`}`
			`opal_output_verbose(5, opal_sec_base_framework.framework_output,`
			`"opal_sec: Created credential %s of size %lu",`
			`cred.credential, (unsigned long)cred.size);`
			`cleanup_cred(&cred);`
Allow for different security domains. Let the initiator of the connection determine the method to be used - if the receiver cannot support it, then that's an error that will cause the connection attempt to fail. 2015-03-25 13:17:47 -07:00			`}`
			`}`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`if (0 == buf.bytes_used) {`
			`OBJ_DESTRUCT(&buf);`
			`return OPAL_ERROR;`
			`}`
			`*payload = buf.base_ptr;`
			`*size = buf.bytes_used;`
			`buf.base_ptr = NULL;`
			`buf.bytes_used = 0;`
			`OBJ_DESTRUCT(&buf);`
			`return OPAL_SUCCESS;`
Allow for different security domains. Let the initiator of the connection determine the method to be used - if the receiver cannot support it, then that's an error that will cause the connection attempt to fail. 2015-03-25 13:17:47 -07:00			`}`


Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`int opal_sec_base_validate(char payload, size_t size, char *method)`
Allow for different security domains. Let the initiator of the connection determine the method to be used - if the receiver cannot support it, then that's an error that will cause the connection attempt to fail. 2015-03-25 13:17:47 -07:00			`{`
			`opal_sec_handle_t *hdl;`
ckpt 2015-03-28 07:59:20 -07:00			`opal_buffer_t buf;`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`int cnt, rc;`
sec/base: fix coverity issues CID 1292483 Uninitialized pointer read (UNINIT) Initialize the method and credential members of the opal_sec_cred_t to avoid possible invalid read when calling cleanup_cred. CID 1292484 Double free (USE_AFTER_FREE) Set method and credential members to NULL after freeing in cleanup_cred. Signed-off-by: Nathan Hjelm <hjelmn@lanl.gov> 2015-05-27 09:19:56 -06:00			`opal_sec_cred_t cred = {.method = NULL, .credential = NULL};`
Purge whitespace from the repo 2015-06-23 20:59:57 -07:00
Allow for different security domains. Let the initiator of the connection determine the method to be used - if the receiver cannot support it, then that's an error that will cause the connection attempt to fail. 2015-03-25 13:17:47 -07:00			`opal_output_verbose(5, opal_sec_base_framework.framework_output,`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`"opal_sec: Received credential of size %lu",`
			`(unsigned long)size);`
Purge whitespace from the repo 2015-06-23 20:59:57 -07:00
ckpt 2015-03-28 07:59:20 -07:00			`OBJ_CONSTRUCT(&buf, opal_buffer_t);`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`opal_dss.load(&buf, payload, size);`
Purge whitespace from the repo 2015-06-23 20:59:57 -07:00
ckpt 2015-03-28 07:59:20 -07:00			`cnt = 1;`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`while (OPAL_SUCCESS == (rc = opal_dss.unpack(&buf, &cred.method, &cnt, OPAL_STRING))) {`
			`opal_output_verbose(5, opal_sec_base_framework.framework_output,`
			`"Received credential from source %s", cred.method);`
			`cnt=1;`
			`if (OPAL_SUCCESS != (rc = opal_dss.unpack(&buf, &cred.size, &cnt, OPAL_SIZE))) {`
			`OPAL_ERROR_LOG(rc);`
			`cleanup_cred(&cred);`
			`goto done;`
			`}`
			`opal_output_verbose(5, opal_sec_base_framework.framework_output,`
			`"Received credential of size %lu", (unsigned long)cred.size);`
			`if (0 < cred.size) {`
			`cred.credential = (char*)malloc(cred.size);`
			`cnt=cred.size;`
			`if (OPAL_SUCCESS != (rc = opal_dss.unpack(&buf, cred.credential, &cnt, OPAL_BYTE))) {`
			`OPAL_ERROR_LOG(rc);`
			`cleanup_cred(&cred);`
			`goto done;`
			`}`
			`opal_output_verbose(5, opal_sec_base_framework.framework_output,`
			`"Received credential %s", cred.credential);`
			`}`
ckpt 2015-03-28 07:59:20 -07:00			`OPAL_LIST_FOREACH(hdl, &opal_sec_base_actives, opal_sec_handle_t) {`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`if (NULL != cred.method &&`
			`0 != strcmp(cred.method, hdl->component->mca_component_name)) {`
ckpt 2015-03-28 07:59:20 -07:00			`continue;`
			`}`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`if (OPAL_SUCCESS == hdl->module->authenticate(&cred)) {`
			`rc = OPAL_SUCCESS;`
			`/* record the method */`
			`if (NULL != method) {`
			`if (NULL != *method) {`
			`free(*method);`
			`}`
			`*method = strdup(cred.method);`
			`}`
			`cleanup_cred(&cred);`
			`goto done;`
ckpt 2015-03-28 07:59:20 -07:00			`}`
Allow for different security domains. Let the initiator of the connection determine the method to be used - if the receiver cannot support it, then that's an error that will cause the connection attempt to fail. 2015-03-25 13:17:47 -07:00			`}`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`cleanup_cred(&cred);`
ckpt 2015-03-28 07:59:20 -07:00			`cnt = 1;`
Allow for different security domains. Let the initiator of the connection determine the method to be used - if the receiver cannot support it, then that's an error that will cause the connection attempt to fail. 2015-03-25 13:17:47 -07:00			`}`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`/* if we get here, then nothing authenticated */`
			`rc = OPAL_ERR_AUTHENTICATION_FAILED;`
Purge whitespace from the repo 2015-06-23 20:59:57 -07:00
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`done:`
ckpt 2015-03-28 07:59:20 -07:00			`buf.base_ptr = NULL;`
			`OBJ_DESTRUCT(&buf);`
Ensure we can authenticate when crossing security domains by including all available credentials, and letting the receiver use the highest priority one they have in common. 2015-03-28 20:34:26 -07:00			`return rc;`
Allow for different security domains. Let the initiator of the connection determine the method to be used - if the receiver cannot support it, then that's an error that will cause the connection attempt to fail. 2015-03-25 13:17:47 -07:00			`}`