
Merge pull request #501 from rhc54/topic/sec2

Support authentication across security domains
Этот коммит содержится в:
rhc54 2015-03-30 09:59:43 -07:00
родитель 79b90a54b6 d07dc362d5
Коммит bc016617a0
13 изменённых файлов: 246 добавлений и 114 удалений


@ -347,7 +347,8 @@ int usock_send_connect_ack(void)
pmix_usock_hdr_t hdr; pmix_usock_hdr_t hdr;
int rc; int rc;
size_t sdsize; size_t sdsize;
opal_sec_cred_t *cred; char *cred;
size_t credsize;
opal_output_verbose(2, opal_pmix_base_framework.framework_output, opal_output_verbose(2, opal_pmix_base_framework.framework_output,
"%s SEND CONNECT ACK", "%s SEND CONNECT ACK",
@ -359,15 +360,15 @@ int usock_send_connect_ack(void)
hdr.type = PMIX_USOCK_IDENT; hdr.type = PMIX_USOCK_IDENT;
/* get our security credential */ /* get our security credential */
if (OPAL_SUCCESS != (rc = opal_sec.get_my_credential(NULL, opal_dstore_internal, &OPAL_PROC_MY_NAME, &cred))) { if (OPAL_SUCCESS != (rc = opal_sec.get_my_credential(NULL, opal_dstore_internal, &OPAL_PROC_MY_NAME, &cred, &credsize))) {
return rc; return rc;
} }
/* set the number of bytes to be read beyond the header */ /* set the number of bytes to be read beyond the header */
hdr.nbytes = strlen(opal_version_string) + 1 + strlen(cred->method) + 1 + cred->size; hdr.nbytes = strlen(opal_version_string) + 1 + credsize;
/* create a space for our message */ /* create a space for our message */
sdsize = (sizeof(hdr) + strlen(opal_version_string) + 1 + strlen(cred->method) + 1 + cred->size); sdsize = (sizeof(hdr) + strlen(opal_version_string) + 1 + credsize);
if (NULL == (msg = (char*)malloc(sdsize))) { if (NULL == (msg = (char*)malloc(sdsize))) {
return OPAL_ERR_OUT_OF_RESOURCE; return OPAL_ERR_OUT_OF_RESOURCE;
} }
@ -376,9 +377,10 @@ int usock_send_connect_ack(void)
/* load the message */ /* load the message */
memcpy(msg, &hdr, sizeof(hdr)); memcpy(msg, &hdr, sizeof(hdr));
memcpy(msg+sizeof(hdr), opal_version_string, strlen(opal_version_string)); memcpy(msg+sizeof(hdr), opal_version_string, strlen(opal_version_string));
memcpy(msg+sizeof(hdr)+strlen(opal_version_string)+1, cred->method, strlen(cred->method)); memcpy(msg+sizeof(hdr)+strlen(opal_version_string)+1, cred, credsize);
memcpy(msg+sizeof(hdr)+strlen(opal_version_string)+1+strlen(cred->method)+1, cred->credential, cred->size); if (NULL != cred) {
free(cred);
}
if (OPAL_SUCCESS != usock_send_blocking(msg, sdsize)) { if (OPAL_SUCCESS != usock_send_blocking(msg, sdsize)) {
free(msg); free(msg);
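Review bot: `if (NULL != cred) { free(cred); }` after the memcpy is a redundant guard — `free(NULL)` is a no-op, and opal_sec_base_get_cred only returns success after storing a non-NULL buffer in `*payload` — so a bare `free(cred);` reads cleaner, as the oob_usock and pmix_server send paths in this same commit already do. Separately, `hdr.nbytes` counts the version string's terminator but the memcpy copies only `strlen(opal_version_string)` bytes into the malloc'd message; unless a line elided between the hunks zeroes `msg`, that terminator byte is indeterminate on the wire. The same guard appears in tcp_peer_send_connect_ack.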


@ -545,7 +545,8 @@ static int usock_recv_connect_ack(void)
char *msg; char *msg;
char *version; char *version;
int rc; int rc;
opal_sec_cred_t creds; char *cred;
size_t credsize;
pmix_usock_hdr_t hdr; pmix_usock_hdr_t hdr;
opal_output_verbose(2, opal_pmix_base_framework.framework_output, opal_output_verbose(2, opal_pmix_base_framework.framework_output,
@ -632,11 +633,14 @@ static int usock_recv_connect_ack(void)
OPAL_NAME_PRINT(OPAL_PROC_MY_NAME)); OPAL_NAME_PRINT(OPAL_PROC_MY_NAME));
/* check security token */ /* check security token */
creds.method = (char*)(msg + strlen(version) + 1); cred = (char*)(msg + strlen(version) + 1);
creds.credential = (char*)(msg + strlen(version) + 1 + strlen(creds.method) + 1); credsize = hdr.nbytes - strlen(version) - 1;
creds.size = hdr.nbytes - strlen(version) - 1 - strlen(creds.method) - 1; if (OPAL_SUCCESS != (rc = opal_sec.authenticate(cred, credsize, NULL))) {
if (OPAL_SUCCESS != (rc = opal_sec.authenticate(&creds))) {
OPAL_ERROR_LOG(rc); OPAL_ERROR_LOG(rc);
mca_pmix_native_component.state = PMIX_USOCK_FAILED;
CLOSE_THE_SOCKET(mca_pmix_native_component.sd);
free(msg);
return OPAL_ERR_UNREACH;
} }
free(msg); free(msg);
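Review bot: `credsize = hdr.nbytes - strlen(version) - 1;` uses the peer-supplied `hdr.nbytes` with no lower bound, so a header whose nbytes is smaller than the version string plus its terminator wraps the size_t to a huge value that is then handed to opal_sec.authenticate and loaded into a dss buffer. Reject it before the subtraction, reusing the failure path the hunk already has: `if (hdr.nbytes < strlen(version) + 1) { mca_pmix_native_component.state = PMIX_USOCK_FAILED; CLOSE_THE_SOCKET(mca_pmix_native_component.sd); free(msg); return OPAL_ERR_UNREACH; }`. `strlen(version)` itself presumably relies on an earlier check, outside the hunk, that a NUL is present within the received bytes — worth confirming. The same computation appears in mca_oob_tcp_peer_recv_connect_ack, mca_oob_usock_peer_recv_connect_ack, pmix_server_recv_connect_ack and pmix_server_peer_recv_connect_ack in this commit.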


@ -45,9 +45,9 @@ OPAL_DECLSPEC int opal_sec_base_select(void);
OPAL_DECLSPEC int opal_sec_base_get_cred(char *method, OPAL_DECLSPEC int opal_sec_base_get_cred(char *method,
int dstorehandle, int dstorehandle,
opal_process_name_t *my_id, opal_process_name_t *my_id,
opal_sec_cred_t **cred); char **payload, size_t *size);
OPAL_DECLSPEC int opal_sec_base_validate(opal_sec_cred_t *cred); OPAL_DECLSPEC int opal_sec_base_validate(char *payload, size_t size, char **method);
END_C_DECLS END_C_DECLS


@ -12,58 +12,153 @@
#include "opal/constants.h" #include "opal/constants.h"
#include "opal/mca/mca.h" #include "opal/mca/mca.h"
#include "opal/util/error.h"
#include "opal/util/output.h" #include "opal/util/output.h"
#include "opal/mca/base/base.h" #include "opal/mca/base/base.h"
#include "opal/dss/dss_types.h" #include "opal/dss/dss_types.h"
#include "opal/mca/sec/base/base.h" #include "opal/mca/sec/base/base.h"
static void cleanup_cred(opal_sec_cred_t *cred)
{
if (NULL == cred) {
return;
}
if (NULL != cred->method) {
free(cred->method);
}
if (NULL != cred->credential) {
free(cred->credential);
}
}
int opal_sec_base_get_cred(char *method, int opal_sec_base_get_cred(char *method,
int dstorehandle, int dstorehandle,
opal_process_name_t *my_id, opal_process_name_t *my_id,
opal_sec_cred_t **cred) char **payload, size_t *size)
{ {
opal_sec_handle_t *hdl; opal_sec_handle_t *hdl;
opal_sec_cred_t cred;
opal_buffer_t buf;
int rc;
opal_output_verbose(5, opal_sec_base_framework.framework_output, opal_output_verbose(5, opal_sec_base_framework.framework_output,
"Requesting credential from source %s", "Requesting credential from source %s",
(NULL == method) ? "ANY" : method); (NULL == method) ? "ANY" : method);
OBJ_CONSTRUCT(&buf, opal_buffer_t);
OPAL_LIST_FOREACH(hdl, &opal_sec_base_actives, opal_sec_handle_t) { OPAL_LIST_FOREACH(hdl, &opal_sec_base_actives, opal_sec_handle_t) {
if (NULL != method && 0 != strcmp(method, hdl->component->mca_component_name)) { if (NULL != method && 0 != strcmp(method, hdl->component->mca_component_name)) {
continue; continue;
} }
if (OPAL_SUCCESS == hdl->module->get_my_credential(dstorehandle, my_id, cred)) { if (OPAL_SUCCESS == hdl->module->get_my_credential(dstorehandle, my_id, &cred)) {
opal_output_verbose(5, opal_sec_base_framework.framework_output, opal_output_verbose(5, opal_sec_base_framework.framework_output,
"Created credential from source %s", hdl->component->mca_component_name); "Created credential from source %s", hdl->component->mca_component_name);
/* record the source */ /* pack the credential */
(*cred)->method = strdup(hdl->component->mca_component_name); if (OPAL_SUCCESS != (rc = opal_dss.pack(&buf, &cred.method, 1, OPAL_STRING))) {
return OPAL_SUCCESS; OPAL_ERROR_LOG(rc);
cleanup_cred(&cred);
OBJ_DESTRUCT(&buf);
return rc;
}
if (OPAL_SUCCESS != (rc = opal_dss.pack(&buf, &cred.size, 1, OPAL_SIZE))) {
OPAL_ERROR_LOG(rc);
cleanup_cred(&cred);
OBJ_DESTRUCT(&buf);
return rc;
}
if (0 < cred.size) {
if (OPAL_SUCCESS != (rc = opal_dss.pack(&buf, cred.credential, cred.size, OPAL_BYTE))) {
OPAL_ERROR_LOG(rc);
cleanup_cred(&cred);
OBJ_DESTRUCT(&buf);
return rc;
} }
} }
opal_output_verbose(5, opal_sec_base_framework.framework_output,
"opal_sec: Created credential %s of size %lu",
cred.credential, (unsigned long)cred.size);
cleanup_cred(&cred);
}
}
if (0 == buf.bytes_used) {
OBJ_DESTRUCT(&buf);
return OPAL_ERROR; return OPAL_ERROR;
} }
*payload = buf.base_ptr;
*size = buf.bytes_used;
buf.base_ptr = NULL;
buf.bytes_used = 0;
OBJ_DESTRUCT(&buf);
return OPAL_SUCCESS;
}
int opal_sec_base_validate(opal_sec_cred_t *cred) int opal_sec_base_validate(char *payload, size_t size, char **method)
{ {
opal_sec_handle_t *hdl; opal_sec_handle_t *hdl;
opal_buffer_t buf;
int cnt, rc;
opal_sec_cred_t cred;
opal_output_verbose(5, opal_sec_base_framework.framework_output, opal_output_verbose(5, opal_sec_base_framework.framework_output,
"Received credential %s from source %s", "opal_sec: Received credential of size %lu",
(NULL == cred->credential) ? "NULL" : cred->credential, (unsigned long)size);
(NULL == cred->method) ? "NULL" : cred->method);
OBJ_CONSTRUCT(&buf, opal_buffer_t);
opal_dss.load(&buf, payload, size);
cnt = 1;
while (OPAL_SUCCESS == (rc = opal_dss.unpack(&buf, &cred.method, &cnt, OPAL_STRING))) {
opal_output_verbose(5, opal_sec_base_framework.framework_output,
"Received credential from source %s", cred.method);
cnt=1;
if (OPAL_SUCCESS != (rc = opal_dss.unpack(&buf, &cred.size, &cnt, OPAL_SIZE))) {
OPAL_ERROR_LOG(rc);
cleanup_cred(&cred);
goto done;
}
opal_output_verbose(5, opal_sec_base_framework.framework_output,
"Received credential of size %lu", (unsigned long)cred.size);
if (0 < cred.size) {
cred.credential = (char*)malloc(cred.size);
cnt=cred.size;
if (OPAL_SUCCESS != (rc = opal_dss.unpack(&buf, cred.credential, &cnt, OPAL_BYTE))) {
OPAL_ERROR_LOG(rc);
cleanup_cred(&cred);
goto done;
}
opal_output_verbose(5, opal_sec_base_framework.framework_output,
"Received credential %s", cred.credential);
}
OPAL_LIST_FOREACH(hdl, &opal_sec_base_actives, opal_sec_handle_t) { OPAL_LIST_FOREACH(hdl, &opal_sec_base_actives, opal_sec_handle_t) {
if (NULL != cred->method && if (NULL != cred.method &&
0 != strcmp(cred->method, hdl->component->mca_component_name)) { 0 != strcmp(cred.method, hdl->component->mca_component_name)) {
continue; continue;
} }
if (OPAL_SUCCESS == hdl->module->authenticate(cred)) { if (OPAL_SUCCESS == hdl->module->authenticate(&cred)) {
return OPAL_SUCCESS; rc = OPAL_SUCCESS;
/* record the method */
if (NULL != method) {
if (NULL != *method) {
free(*method);
}
*method = strdup(cred.method);
}
cleanup_cred(&cred);
goto done;
} }
} }
return OPAL_ERROR; cleanup_cred(&cred);
cnt = 1;
}
/* if we get here, then nothing authenticated */
rc = OPAL_ERR_AUTHENTICATION_FAILED;
done:
buf.base_ptr = NULL;
OBJ_DESTRUCT(&buf);
return rc;
} }
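Review bot: In opal_sec_base_validate the `cred.credential` pointer is never initialized before the unpack loop, and cleanup_cred frees its fields without clearing them, so a failure at the size unpack frees an indeterminate pointer on the first record and, on a later record, frees the credential already released at the end of the previous iteration. The `malloc(cred.size)` for a peer-supplied size is unchecked, and the `%s` verbose lines that print `cred.credential` (here and in opal_sec_base_get_cred) read bytes that are not guaranteed to be NUL-terminated while putting credential material into the log — printing only the size is sufficient. The return value of `opal_dss.load` is also ignored. The rewrite below clears the fields in cleanup_cred, initializes the struct before the loop and checks the allocation.
```c
static void cleanup_cred(opal_sec_cred_t *cred)
{
    if (NULL == cred) {
        return;
    }
    free(cred->method);
    cred->method = NULL;
    free(cred->credential);
    cred->credential = NULL;
    cred->size = 0;
}

/* … unchanged: opal_sec_base_get_cred … */

int opal_sec_base_validate(char *payload, size_t size, char **method)
{
    /* … unchanged: declarations and verbose output … */
    cred.method = NULL;
    cred.credential = NULL;
    cred.size = 0;
    OBJ_CONSTRUCT(&buf, opal_buffer_t);
    /* … unchanged: load and method unpack loop head … */
        if (0 < cred.size) {
            if (NULL == (cred.credential = (char*)malloc(cred.size))) {
                rc = OPAL_ERR_OUT_OF_RESOURCE;
                cleanup_cred(&cred);
                goto done;
            }
            /* … unchanged: byte unpack, size-only verbose line … */
        }
    /* … unchanged: authentication loop and done: label … */
```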


@ -29,7 +29,7 @@ static int init(void);
static void finalize(void); static void finalize(void);
static int get_my_cred(int dstorehandle, static int get_my_cred(int dstorehandle,
opal_process_name_t *my_id, opal_process_name_t *my_id,
opal_sec_cred_t **cred); opal_sec_cred_t *cred);
static int authenticate(opal_sec_cred_t *cred); static int authenticate(opal_sec_cred_t *cred);
opal_sec_base_module_t opal_sec_basic_module = { opal_sec_base_module_t opal_sec_basic_module = {
@ -56,7 +56,7 @@ static void finalize(void)
static int get_my_cred(int dstorehandle, static int get_my_cred(int dstorehandle,
opal_process_name_t *my_id, opal_process_name_t *my_id,
opal_sec_cred_t **cred) opal_sec_cred_t *cred)
{ {
opal_list_t vals; opal_list_t vals;
opal_value_t *kv; opal_value_t *kv;
@ -77,26 +77,31 @@ static int get_my_cred(int dstorehandle,
my_cred.size = strlen(my_cred.credential)+1; // include the NULL my_cred.size = strlen(my_cred.credential)+1; // include the NULL
} else { } else {
my_cred.credential = strdup(kv->data.string); my_cred.credential = strdup(kv->data.string);
my_cred.size = strlen(kv->data.string); my_cred.size = strlen(kv->data.string)+1; // include the NULL
OBJ_RELEASE(kv); OBJ_RELEASE(kv);
} }
} else { } else {
my_cred.credential = strdup("12345"); my_cred.credential = strdup("1234567");
my_cred.size = strlen(my_cred.credential)+1; // include the NULL my_cred.size = strlen(my_cred.credential)+1; // include the NULL
} }
OPAL_LIST_DESTRUCT(&vals); OPAL_LIST_DESTRUCT(&vals);
} }
initialized = true; initialized = true;
*cred = &my_cred; cred->method = strdup("basic");
cred->credential = strdup(my_cred.credential);
cred->size = my_cred.size;
return OPAL_SUCCESS; return OPAL_SUCCESS;
} }
static int authenticate(opal_sec_cred_t *cred) static int authenticate(opal_sec_cred_t *cred)
{ {
opal_output_verbose(5, opal_sec_base_framework.framework_output,
"opal_sec:basic Received credential %s of size %lu",
cred->credential, (unsigned long)cred->size);
if (0 == strncmp(cred->credential, "12345", strlen("12345"))) { if (0 == strncmp(cred->credential, "1234567", strlen("1234567"))) {
return OPAL_SUCCESS; return OPAL_SUCCESS;
} }
return OPAL_ERR_AUTHENTICATION_FAILED; return OPAL_ERR_AUTHENTICATION_FAILED;
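Review bot: The `strncmp(cred->credential, "1234567", strlen("1234567"))` comparison never consults `cred->size`, so a credential shorter than seven bytes with no embedded NUL is read past its allocation (the base allocates exactly `cred.size` bytes for it). Guard the length first: `if (cred->size >= strlen("1234567") && 0 == strncmp(cred->credential, "1234567", strlen("1234567"))) {`. The verbose line just above prints the credential with `%s` under the same missing-terminator assumption; logging only the size avoids both the over-read and the credential in the log. In get_my_cred the `strdup` results stored in `cred->method` and `cred->credential` are unchecked.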


@ -34,7 +34,7 @@ static int init(void);
static void finalize(void); static void finalize(void);
static int get_my_cred(int dstorehandle, static int get_my_cred(int dstorehandle,
opal_process_name_t *my_id, opal_process_name_t *my_id,
opal_sec_cred_t **cred); opal_sec_cred_t *cred);
static int authenticate(opal_sec_cred_t *cred); static int authenticate(opal_sec_cred_t *cred);
opal_sec_base_module_t opal_sec_keystone_module = { opal_sec_base_module_t opal_sec_keystone_module = {
@ -66,7 +66,7 @@ static size_t op_cbfunc(void *ptr, size_t size, size_t count, void *stream)
static int get_my_cred(int dstorehandle, static int get_my_cred(int dstorehandle,
opal_process_name_t *my_id, opal_process_name_t *my_id,
opal_sec_cred_t **cred) opal_sec_cred_t *cred)
{ {
char *cmd; char *cmd;
CURL *curl; CURL *curl;
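Review bot: Only the signature of get_my_cred changes here while its body lies outside the hunk; under the new contract the module itself must populate `cred->method`, `cred->credential` and `cred->size`, as the basic and munge modules now do, because opal_sec_base_get_cred packs those three fields and then frees them. A leftover `*cred = &my_cred;` would no longer compile, but a body that returns OPAL_SUCCESS without filling the struct would — worth confirming in the unchanged part.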


@ -32,7 +32,7 @@ static int init(void);
static void finalize(void); static void finalize(void);
static int get_my_cred(int dstorehandle, static int get_my_cred(int dstorehandle,
opal_process_name_t *my_id, opal_process_name_t *my_id,
opal_sec_cred_t **cred); opal_sec_cred_t *cred);
static int authenticate(opal_sec_cred_t *cred); static int authenticate(opal_sec_cred_t *cred);
opal_sec_base_module_t opal_sec_munge_module = { opal_sec_base_module_t opal_sec_munge_module = {
@ -79,13 +79,12 @@ static void finalize(void)
static int get_my_cred(int dstorehandle, static int get_my_cred(int dstorehandle,
opal_process_name_t *my_id, opal_process_name_t *my_id,
opal_sec_cred_t **cred) opal_sec_cred_t *cred)
{ {
int rc; int rc;
if (initialized) { if (initialized) {
if (!refresh) { if (!refresh) {
*cred = &my_cred;
refresh = true; refresh = true;
} else { } else {
/* get a new credential as munge will not /* get a new credential as munge will not
@ -98,10 +97,12 @@ static int get_my_cred(int dstorehandle,
} }
/* include the '\0' termination string character */ /* include the '\0' termination string character */
my_cred.size = strlen(my_cred.credential)+1; my_cred.size = strlen(my_cred.credential)+1;
*cred = &my_cred;
} }
cred->method = strdup("munge");
cred->credential = strdup(my_cred.credential);
cred->size = my_cred.size;
} else { } else {
*cred = NULL; rc = OPAL_ERROR;
} }
return OPAL_SUCCESS; return OPAL_SUCCESS;
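Review bot: The `rc = OPAL_ERROR;` assigned in the `else` branch is never returned — the function ends with an unconditional `return OPAL_SUCCESS;` — so when the module is not initialized the caller gets success with `cred->method`, `cred->credential` and `cred->size` untouched, and opal_sec_base_get_cred then packs and frees indeterminate pointers. Replace the assignment with `return OPAL_ERROR;` (or make the last statement `return rc;` with rc set on the success path). The `strdup` calls for method and credential are also unchecked. Part of get_my_cred lies between the two hunks.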


@ -79,12 +79,12 @@ typedef void (*opal_sec_base_module_finalize_fn_t)(void);
*/ */
typedef int (*opal_sec_base_module_get_my_cred_fn_t)(int dstorehandle, typedef int (*opal_sec_base_module_get_my_cred_fn_t)(int dstorehandle,
opal_process_name_t *my_id, opal_process_name_t *my_id,
opal_sec_cred_t **cred); opal_sec_cred_t *cred);
typedef int (*opal_sec_API_module_get_my_cred_fn_t)(char *method, typedef int (*opal_sec_API_module_get_my_cred_fn_t)(char *method,
int dstorehandle, int dstorehandle,
opal_process_name_t *my_id, opal_process_name_t *my_id,
opal_sec_cred_t **cred); char **payload, size_t *size);
/* /*
* Authenticate a security credential - given a security credential, * Authenticate a security credential - given a security credential,
* determine if the credential is valid. The credential is passed in * determine if the credential is valid. The credential is passed in
@ -95,6 +95,8 @@ typedef int (*opal_sec_API_module_get_my_cred_fn_t)(char *method,
*/ */
typedef int (*opal_sec_base_module_auth_fn_t)(opal_sec_cred_t *cred); typedef int (*opal_sec_base_module_auth_fn_t)(opal_sec_cred_t *cred);
typedef int (*opal_sec_API_module_auth_fn_t)(char *payload, size_t size, char **method);
/* /*
* the standard module data structure * the standard module data structure
*/ */
@ -110,7 +112,7 @@ typedef struct opal_sec_base_module_1_0_0_t opal_sec_base_module_t;
/* the API structure */ /* the API structure */
typedef struct { typedef struct {
opal_sec_API_module_get_my_cred_fn_t get_my_credential; opal_sec_API_module_get_my_cred_fn_t get_my_credential;
opal_sec_base_module_auth_fn_t authenticate; opal_sec_API_module_auth_fn_t authenticate;
} opal_sec_API_module_t; } opal_sec_API_module_t;
/* /*
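Review bot: The new API typedefs `opal_sec_API_module_get_my_cred_fn_t` (payload/size) and `opal_sec_API_module_auth_fn_t` carry no contract, while the comment block above the authenticate typedefs still describes passing in a credential struct. I would add, above the get_my_cred API typedef, a comment stating that on success `*payload` is a newly allocated buffer of `*size` bytes that the caller owns and must free, and above the auth API typedef one stating that `payload` holds the peer's packed credential, that `method` may be NULL, and that when it is non-NULL a strdup'd copy of the authenticating component's name replaces (and frees) any previous `*method`, with OPAL_ERR_AUTHENTICATION_FAILED returned when no component accepts the credential.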


@ -10,7 +10,7 @@
# University of Stuttgart. All rights reserved. # University of Stuttgart. All rights reserved.
# Copyright (c) 2004-2005 The Regents of the University of California. # Copyright (c) 2004-2005 The Regents of the University of California.
# All rights reserved. # All rights reserved.
# Copyright (c) 2014 Intel, Inc. All rights reserved. # Copyright (c) 2014-2015 Intel, Inc. All rights reserved.
# $COPYRIGHT$ # $COPYRIGHT$
# #
# Additional copyrights may follow # Additional copyrights may follow
@ -64,3 +64,16 @@ value will be ignored.
Local host: %s Local host: %s
Value: %s Value: %s
Message: %s Message: %s
#
[authent-fail]
An attempt was made to make a TCP connection between two hosts:
Initiating host: %s
Receiving host: %s
Unfortunately, the connection was refused due to a failure to
authenticate. This is usually caused by a mis-match between
the security domains of the two hosts - e.g., one might be
using Munge while the other is not. This can typically be
resolved by specifying the desired security method. For
example, adding "--mca sec basic" to your command line.


@ -13,7 +13,7 @@
* All rights reserved. * All rights reserved.
* Copyright (c) 2009-2014 Cisco Systems, Inc. All rights reserved. * Copyright (c) 2009-2014 Cisco Systems, Inc. All rights reserved.
* Copyright (c) 2011 Oak Ridge National Labs. All rights reserved. * Copyright (c) 2011 Oak Ridge National Labs. All rights reserved.
* Copyright (c) 2013-2014 Intel, Inc. All rights reserved. * Copyright (c) 2013-2015 Intel, Inc. All rights reserved.
* Copyright (c) 2014-2015 Research Organization for Information Science * Copyright (c) 2014-2015 Research Organization for Information Science
* and Technology (RIST). All rights reserved. * and Technology (RIST). All rights reserved.
* $COPYRIGHT$ * $COPYRIGHT$
@ -355,7 +355,8 @@ static int tcp_peer_send_connect_ack(mca_oob_tcp_peer_t* peer)
mca_oob_tcp_hdr_t hdr; mca_oob_tcp_hdr_t hdr;
int rc; int rc;
size_t sdsize; size_t sdsize;
opal_sec_cred_t *cred; char *cred;
size_t credsize;
opal_output_verbose(OOB_TCP_DEBUG_CONNECT, orte_oob_base_framework.framework_output, opal_output_verbose(OOB_TCP_DEBUG_CONNECT, orte_oob_base_framework.framework_output,
"%s SEND CONNECT ACK", ORTE_NAME_PRINT(ORTE_PROC_MY_NAME)); "%s SEND CONNECT ACK", ORTE_NAME_PRINT(ORTE_PROC_MY_NAME));
@ -369,17 +370,22 @@ static int tcp_peer_send_connect_ack(mca_oob_tcp_peer_t* peer)
/* get our security credential*/ /* get our security credential*/
if (OPAL_SUCCESS != (rc = opal_sec.get_my_credential(peer->auth_method, if (OPAL_SUCCESS != (rc = opal_sec.get_my_credential(peer->auth_method,
opal_dstore_internal, opal_dstore_internal,
ORTE_PROC_MY_NAME, &cred))) { ORTE_PROC_MY_NAME,
&cred, &credsize))) {
ORTE_ERROR_LOG(rc); ORTE_ERROR_LOG(rc);
return rc; return rc;
} }
opal_output_verbose(OOB_TCP_DEBUG_CONNECT, orte_oob_base_framework.framework_output,
"%s SENDING CREDENTIAL OF SIZE %lu",
ORTE_NAME_PRINT(ORTE_PROC_MY_NAME),
(unsigned long)credsize);
/* set the number of bytes to be read beyond the header */ /* set the number of bytes to be read beyond the header */
hdr.nbytes = strlen(orte_version_string) + 1 + strlen(cred->method) + 1 + cred->size; hdr.nbytes = strlen(orte_version_string) + 1 + credsize;
MCA_OOB_TCP_HDR_HTON(&hdr); MCA_OOB_TCP_HDR_HTON(&hdr);
/* create a space for our message */ /* create a space for our message */
sdsize = (sizeof(hdr) + strlen(orte_version_string) + 1 + strlen(cred->method) + 1 + cred->size); sdsize = sizeof(hdr) + strlen(orte_version_string) + 1 + credsize;
if (NULL == (msg = (char*)malloc(sdsize))) { if (NULL == (msg = (char*)malloc(sdsize))) {
return ORTE_ERR_OUT_OF_RESOURCE; return ORTE_ERR_OUT_OF_RESOURCE;
} }
@ -388,8 +394,11 @@ static int tcp_peer_send_connect_ack(mca_oob_tcp_peer_t* peer)
/* load the message */ /* load the message */
memcpy(msg, &hdr, sizeof(hdr)); memcpy(msg, &hdr, sizeof(hdr));
memcpy(msg+sizeof(hdr), orte_version_string, strlen(orte_version_string)); memcpy(msg+sizeof(hdr), orte_version_string, strlen(orte_version_string));
memcpy(msg+sizeof(hdr)+strlen(orte_version_string)+1, cred->method, strlen(cred->method)); memcpy(msg+sizeof(hdr)+strlen(orte_version_string)+1, cred, credsize);
memcpy(msg+sizeof(hdr)+strlen(orte_version_string)+1+strlen(cred->method)+1, cred->credential, cred->size); /* clear the memory */
if (NULL != cred) {
free(cred);
}
/* send it */ /* send it */
if (ORTE_SUCCESS != tcp_peer_send_blocking(peer->sd, msg, sdsize)) { if (ORTE_SUCCESS != tcp_peer_send_blocking(peer->sd, msg, sdsize)) {
@ -618,7 +627,8 @@ int mca_oob_tcp_peer_recv_connect_ack(mca_oob_tcp_peer_t* pr,
char *msg; char *msg;
char *version; char *version;
int rc; int rc;
opal_sec_cred_t creds; char *cred;
size_t credsize;
mca_oob_tcp_hdr_t hdr; mca_oob_tcp_hdr_t hdr;
mca_oob_tcp_peer_t *peer; mca_oob_tcp_peer_t *peer;
uint64_t *ui64; uint64_t *ui64;
@ -799,18 +809,19 @@ int mca_oob_tcp_peer_recv_connect_ack(mca_oob_tcp_peer_t* pr,
ORTE_NAME_PRINT(&peer->name)); ORTE_NAME_PRINT(&peer->name));
/* check security token */ /* check security token */
creds.method = (char*)(msg + strlen(version) + 1); cred = (char*)(msg + strlen(version) + 1);
creds.credential = (char*)(msg + strlen(version) + 1 + strlen(creds.method) + 1); credsize = hdr.nbytes - strlen(version) - 1;
creds.size = hdr.nbytes - strlen(version) - 1 - strlen(creds.method) - 1; if (OPAL_SUCCESS != (rc = opal_sec.authenticate(cred, credsize, &peer->auth_method))) {
if (OPAL_SUCCESS != (rc = opal_sec.authenticate(&creds))) { char *hostname;
ORTE_ERROR_LOG(rc); hostname = orte_get_proc_hostname(&peer->name);
orte_show_help("help-oob-tcp.txt", "authent-fail", true,
(NULL == hostname) ? "unknown" : hostname,
orte_process_info.nodename);
peer->state = MCA_OOB_TCP_FAILED;
mca_oob_tcp_peer_close(peer);
free(msg); free(msg);
return ORTE_ERR_CONNECTION_REFUSED; return ORTE_ERR_CONNECTION_REFUSED;
} }
/* record the method they used so we can reciprocate */
if (NULL == peer->auth_method) {
peer->auth_method = strdup(creds.method);
}
free(msg); free(msg);
opal_output_verbose(OOB_TCP_DEBUG_CONNECT, orte_oob_base_framework.framework_output, opal_output_verbose(OOB_TCP_DEBUG_CONNECT, orte_oob_base_framework.framework_output,


@ -277,7 +277,8 @@ static int usock_peer_send_connect_ack(mca_oob_usock_peer_t* peer)
mca_oob_usock_hdr_t hdr; mca_oob_usock_hdr_t hdr;
int rc; int rc;
size_t sdsize; size_t sdsize;
opal_sec_cred_t *cred; char *cred;
size_t credsize;
opal_output_verbose(OOB_USOCK_DEBUG_CONNECT, orte_oob_base_framework.framework_output, opal_output_verbose(OOB_USOCK_DEBUG_CONNECT, orte_oob_base_framework.framework_output,
"%s SEND CONNECT ACK", ORTE_NAME_PRINT(ORTE_PROC_MY_NAME)); "%s SEND CONNECT ACK", ORTE_NAME_PRINT(ORTE_PROC_MY_NAME));
@ -293,16 +294,16 @@ static int usock_peer_send_connect_ack(mca_oob_usock_peer_t* peer)
/* get our security credential*/ /* get our security credential*/
if (OPAL_SUCCESS != (rc = opal_sec.get_my_credential(peer->auth_method, if (OPAL_SUCCESS != (rc = opal_sec.get_my_credential(peer->auth_method,
opal_dstore_internal, opal_dstore_internal,
ORTE_PROC_MY_NAME, &cred))) { ORTE_PROC_MY_NAME, &cred, &credsize))) {
ORTE_ERROR_LOG(rc); ORTE_ERROR_LOG(rc);
return rc; return rc;
} }
/* set the number of bytes to be read beyond the header */ /* set the number of bytes to be read beyond the header */
hdr.nbytes = strlen(orte_version_string) + 1 + strlen(cred->method) + 1 + cred->size; hdr.nbytes = strlen(orte_version_string) + 1 + credsize;
/* create a space for our message */ /* create a space for our message */
sdsize = (sizeof(hdr) + strlen(orte_version_string) + 1 + strlen(cred->method) + 1 + cred->size); sdsize = (sizeof(hdr) + strlen(orte_version_string) + 1 + credsize);
if (NULL == (msg = (char*)malloc(sdsize))) { if (NULL == (msg = (char*)malloc(sdsize))) {
return ORTE_ERR_OUT_OF_RESOURCE; return ORTE_ERR_OUT_OF_RESOURCE;
} }
@ -311,9 +312,8 @@ static int usock_peer_send_connect_ack(mca_oob_usock_peer_t* peer)
/* load the message */ /* load the message */
memcpy(msg, &hdr, sizeof(hdr)); memcpy(msg, &hdr, sizeof(hdr));
memcpy(msg+sizeof(hdr), orte_version_string, strlen(orte_version_string)); memcpy(msg+sizeof(hdr), orte_version_string, strlen(orte_version_string));
memcpy(msg+sizeof(hdr)+strlen(orte_version_string)+1, cred->method, strlen(cred->method)); memcpy(msg+sizeof(hdr)+strlen(orte_version_string)+1, cred, credsize);
memcpy(msg+sizeof(hdr)+strlen(orte_version_string)+1+strlen(cred->method)+1, cred->credential, cred->size); free(cred);
if (ORTE_SUCCESS != usock_peer_send_blocking(peer, peer->sd, msg, sdsize)) { if (ORTE_SUCCESS != usock_peer_send_blocking(peer, peer->sd, msg, sdsize)) {
ORTE_ERROR_LOG(ORTE_ERR_UNREACH); ORTE_ERROR_LOG(ORTE_ERR_UNREACH);
@ -488,7 +488,8 @@ int mca_oob_usock_peer_recv_connect_ack(mca_oob_usock_peer_t* pr, int sd,
char *msg; char *msg;
char *version; char *version;
int rc, cmpval; int rc, cmpval;
opal_sec_cred_t creds; char *cred;
size_t credsize;
mca_oob_usock_peer_t *peer; mca_oob_usock_peer_t *peer;
mca_oob_usock_hdr_t hdr; mca_oob_usock_hdr_t hdr;
uint64_t *ui64; uint64_t *ui64;
@ -668,16 +669,11 @@ int mca_oob_usock_peer_recv_connect_ack(mca_oob_usock_peer_t* pr, int sd,
ORTE_NAME_PRINT(&peer->name)); ORTE_NAME_PRINT(&peer->name));
/* check security token */ /* check security token */
creds.method = (char*)(msg + strlen(version) + 1); cred = (char*)(msg + strlen(version) + 1);
creds.credential = (char*)(msg + strlen(version) + 1 + strlen(creds.method) + 1); credsize = hdr.nbytes - strlen(version) - 1;
creds.size = hdr.nbytes - strlen(version) - 1; if (OPAL_SUCCESS != (rc = opal_sec.authenticate(cred, credsize, &peer->auth_method))) {
if (OPAL_SUCCESS != (rc = opal_sec.authenticate(&creds))) {
ORTE_ERROR_LOG(rc); ORTE_ERROR_LOG(rc);
} }
/* record the method they used so we can reciprocate */
if (NULL == peer->auth_method) {
peer->auth_method = strdup(creds.method);
}
free(msg); free(msg);
opal_output_verbose(OOB_USOCK_DEBUG_CONNECT, orte_oob_base_framework.framework_output, opal_output_verbose(OOB_USOCK_DEBUG_CONNECT, orte_oob_base_framework.framework_output,
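Review bot: After `opal_sec.authenticate` fails at the hunk's `if`, mca_oob_usock_peer_recv_connect_ack only logs the error and carries on to `free(msg)` and the normal path, so an unauthenticated peer is accepted, whereas the tcp and pmix_server counterparts in this commit mark the peer failed, close it and return. Unless code after the hunk checks `rc` (the function continues beyond it), the branch should mirror them: set the peer's failed state, close the peer, then `free(msg); return ORTE_ERR_CONNECTION_REFUSED;`. The same fail-open pattern remains in the pmix_server_peer_recv_connect_ack hunk of this commit.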


@ -83,7 +83,8 @@ int pmix_server_send_connect_ack(pmix_server_peer_t* peer)
pmix_server_hdr_t hdr; pmix_server_hdr_t hdr;
int rc; int rc;
size_t sdsize; size_t sdsize;
opal_sec_cred_t *cred; char *cred;
size_t credsize;
opal_output_verbose(2, pmix_server_output, opal_output_verbose(2, pmix_server_output,
"%s SEND CONNECT ACK", ORTE_NAME_PRINT(ORTE_PROC_MY_NAME)); "%s SEND CONNECT ACK", ORTE_NAME_PRINT(ORTE_PROC_MY_NAME));
@ -98,16 +99,16 @@ int pmix_server_send_connect_ack(pmix_server_peer_t* peer)
/* get our security credential*/ /* get our security credential*/
if (OPAL_SUCCESS != (rc = opal_sec.get_my_credential(peer->auth_method, if (OPAL_SUCCESS != (rc = opal_sec.get_my_credential(peer->auth_method,
opal_dstore_internal, opal_dstore_internal,
ORTE_PROC_MY_NAME, &cred))) { ORTE_PROC_MY_NAME, &cred, &credsize))) {
ORTE_ERROR_LOG(rc); ORTE_ERROR_LOG(rc);
return rc; return rc;
} }
/* set the number of bytes to be read beyond the header */ /* set the number of bytes to be read beyond the header */
hdr.nbytes = strlen(orte_version_string) + 1 + + strlen(cred->method) + 1 + cred->size; hdr.nbytes = strlen(orte_version_string) + 1 + credsize;
/* create a space for our message */ /* create a space for our message */
sdsize = (sizeof(hdr) + strlen(opal_version_string) + 1 + strlen(cred->method) + 1 + cred->size); sdsize = (sizeof(hdr) + strlen(opal_version_string) + 1 + credsize);
if (NULL == (msg = (char*)malloc(sdsize))) { if (NULL == (msg = (char*)malloc(sdsize))) {
return ORTE_ERR_OUT_OF_RESOURCE; return ORTE_ERR_OUT_OF_RESOURCE;
} }
@ -116,9 +117,8 @@ int pmix_server_send_connect_ack(pmix_server_peer_t* peer)
/* load the message */ /* load the message */
memcpy(msg, &hdr, sizeof(hdr)); memcpy(msg, &hdr, sizeof(hdr));
memcpy(msg+sizeof(hdr), opal_version_string, strlen(opal_version_string)); memcpy(msg+sizeof(hdr), opal_version_string, strlen(opal_version_string));
memcpy(msg+sizeof(hdr)+strlen(opal_version_string)+1, cred->method, strlen(cred->method)); memcpy(msg+sizeof(hdr)+strlen(opal_version_string)+1, cred, credsize);
memcpy(msg+sizeof(hdr)+strlen(opal_version_string)+1+strlen(cred->method)+1, cred->credential, cred->size); free(cred);
if (ORTE_SUCCESS != usock_peer_send_blocking(peer, peer->sd, msg, sdsize)) { if (ORTE_SUCCESS != usock_peer_send_blocking(peer, peer->sd, msg, sdsize)) {
ORTE_ERROR_LOG(ORTE_ERR_UNREACH); ORTE_ERROR_LOG(ORTE_ERR_UNREACH);
@ -212,7 +212,8 @@ int pmix_server_recv_connect_ack(pmix_server_peer_t* pr, int sd,
char *msg; char *msg;
char *version; char *version;
int rc; int rc;
opal_sec_cred_t creds; char *cred;
size_t credsize;
pmix_server_peer_t *peer; pmix_server_peer_t *peer;
pmix_server_hdr_t hdr; pmix_server_hdr_t hdr;
orte_process_name_t sender; orte_process_name_t sender;
@ -367,15 +368,14 @@ int pmix_server_recv_connect_ack(pmix_server_peer_t* pr, int sd,
ORTE_NAME_PRINT(&peer->name)); ORTE_NAME_PRINT(&peer->name));
/* check security token */ /* check security token */
creds.method = (char*)(msg + strlen(version) + 1); cred = (char*)(msg + strlen(version) + 1);
creds.credential = (char*)(msg + strlen(version) + 1 + strlen(creds.method) + 1); credsize = hdr.nbytes - strlen(version) - 1;
creds.size = strlen(creds.credential); if (OPAL_SUCCESS != (rc = opal_sec.authenticate(cred, credsize, &peer->auth_method))) {
if (OPAL_SUCCESS != (rc = opal_sec.authenticate(&creds))) {
ORTE_ERROR_LOG(rc); ORTE_ERROR_LOG(rc);
} peer->state = PMIX_SERVER_FAILED;
/* record the method they used so we can reciprocate */ CLOSE_THE_SOCKET(peer->sd);
if (NULL == peer->auth_method) { free(msg);
peer->auth_method = strdup(creds.method); return ORTE_ERR_UNREACH;
} }
free(msg); free(msg);
@ -459,8 +459,10 @@ static bool usock_peer_recv_blocking(pmix_server_peer_t* peer,
ORTE_NAME_PRINT(ORTE_PROC_MY_NAME), ORTE_NAME_PRINT(ORTE_PROC_MY_NAME),
(NULL == peer) ? "UNKNOWN" : ORTE_NAME_PRINT(&(peer->name)), (NULL == peer) ? "UNKNOWN" : ORTE_NAME_PRINT(&(peer->name)),
(NULL == peer) ? 0 : peer->state); (NULL == peer) ? 0 : peer->state);
if (NULL != peer) {
peer->state = PMIX_SERVER_FAILED; peer->state = PMIX_SERVER_FAILED;
CLOSE_THE_SOCKET(peer->sd); CLOSE_THE_SOCKET(peer->sd);
}
return false; return false;
} }
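Review bot: In pmix_server_send_connect_ack `hdr.nbytes` is computed from `strlen(orte_version_string)` while `sdsize` and the memcpy use `opal_version_string`; if the two strings differ in length the receiver consumes `nbytes` bytes that do not match what was placed in the buffer, and the `credsize` it derives from them is wrong. Use the same string in all three places: `hdr.nbytes = strlen(opal_version_string) + 1 + credsize;`. The commit fixed the stray `+ +` on that line but kept the mismatch.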


@ -569,7 +569,8 @@ int pmix_server_peer_recv_connect_ack(pmix_server_peer_t* pr,
char *msg; char *msg;
char *version; char *version;
int rc; int rc;
opal_sec_cred_t creds; char *cred;
size_t credsize;
pmix_server_hdr_t hdr; pmix_server_hdr_t hdr;
pmix_server_peer_t *peer; pmix_server_peer_t *peer;
uint64_t *ui64; uint64_t *ui64;
@ -720,9 +721,9 @@ int pmix_server_peer_recv_connect_ack(pmix_server_peer_t* pr,
ORTE_NAME_PRINT(&peer->name)); ORTE_NAME_PRINT(&peer->name));
/* check security token */ /* check security token */
creds.credential = (char*)(msg + strlen(version) + 1); cred = (char*)(msg + strlen(version) + 1);
creds.size = hdr.nbytes - strlen(version) - 1; credsize = hdr.nbytes - strlen(version) - 1;
if (OPAL_SUCCESS != (rc = opal_sec.authenticate(&creds))) { if (OPAL_SUCCESS != (rc = opal_sec.authenticate(cred, credsize, NULL))) {
ORTE_ERROR_LOG(rc); ORTE_ERROR_LOG(rc);
} }
free(msg); free(msg);