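/******************************************************************************/
/*                                                                            */
/*                  X r d S e c P r o t o c o l s s l . h h                   */
/*                                                                            */
/* (c) 2007 by the Board of Trustees of the Leland Stanford, Jr., University  */
/*                            All Rights Reserved                             */
/*   Produced by Andrew Hanushevsky for Stanford University under contract    */
/*              DE-AC02-76-SFO0515 with the Department of Energy              */
/******************************************************************************/

// Include guard: this header defines a static object (SSLxTrace) and class
// bodies with inline members, so a second inclusion in one translation unit
// would be a redefinition error.
#ifndef __XRDSECPROTOCOLSSL_HH__
#define __XRDSECPROTOCOLSSL_HH__

#include <unistd.h>
#include <ctype.h>
#include <errno.h>
#include <iostream>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <grp.h>
#include <pwd.h>

// Must precede opensslconf.h so the OPENSSL_THREADS feature macros are exposed.
#define OPENSSL_THREAD_DEFINES
#include <openssl/opensslconf.h>

#include <openssl/crypto.h>
#include <openssl/x509v3.h>
#include <openssl/ssl.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/file.h>
#include <fcntl.h>

#include "XrdNet/XrdNetDNS.hh"
#include "XrdOuc/XrdOucErrInfo.hh"
#include "XrdOuc/XrdOucHash.hh"
#include "XrdOuc/XrdOucString.hh"
#include "XrdOuc/XrdOucTrace.hh"
#include "XrdOuc/XrdOucTokenizer.hh"
#include "XrdSys/XrdSysPthread.hh"
#include "XrdSys/XrdSysLogger.hh"
#include "XrdSec/XrdSecInterface.hh"
#include "XrdSec/XrdSecTLayer.hh"
#include "XrdSecssl/XrdSecProtocolsslTrace.hh"
#include "XrdSecssl/XrdSecProtocolsslProc.hh"
#include "libsslGridSite/grst_verifycallback.h"
#include "gridsite.h"

// Length (in characters) of the server-side key export password buffer
// (sslserverexportpassword below). NOTE(review): 10 characters is a short
// secret for protecting exported key material; confirm how the .cc derives it.
#define EXPORTKEYSTRENGTH 10

// Size of the static mutex pool handed to OpenSSL (CryptoMutexPool below).
// Presumably used for the pre-1.1.0 CRYPTO_set_locking_callback scheme, which
// needs one lock per CRYPTO_num_locks() - verify the .cc checks that bound.
#define PROTOCOLSSL_MAX_CRYPTO_MUTEX 256

// Compatibility shims for the PEM_{read,write}_SSL_SESSION macros: OpenSSL
// >= 0.9.8 changed the d2i/i2d callback prototypes and g++ rejects the stock
// macro casts, so they are re-defined here with explicit function-pointer
// types. The pre-10.5 macOS branch does the same with the older "(...)" style.
#ifdef R__SSL_GE_098
#undef PEM_read_SSL_SESSION
#undef PEM_write_SSL_SESSION

#define PEM_read_SSL_SESSION(fp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read( (void *(*)(void **, const unsigned char **, long int))d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,fp,(void **)x,cb,u)

#define PEM_write_SSL_SESSION(fp,x) PEM_ASN1_write((int (*)(void*, unsigned char**))i2d_SSL_SESSION, PEM_STRING_SSL_SESSION,fp, (char *)x, NULL,NULL,0,NULL,NULL)
#else
#if defined(__APPLE__) && !defined(MAC_OS_X_VERSION_10_5)
#undef PEM_read_SSL_SESSION
#undef PEM_write_SSL_SESSION

#define PEM_read_SSL_SESSION(fp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read( (char *(*)(...))d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,fp,(char **)x ,cb,u)
#define PEM_write_SSL_SESSION(fp,x) PEM_ASN1_write((int(*)(...))i2d_SSL_SESSION, PEM_STRING_SSL_SESSION,fp, (char *)x,NULL,NULL,0,NULL,NULL)
#endif
#endif

// Store the 32-bit value l big-endian at c and advance c by four bytes.
// Caution: c is evaluated (and incremented) four times, so pass a plain
// pointer variable, never an expression with side effects.
#define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
                  *((c)++)=(unsigned char)(((l)>>16)&0xff), \
                  *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
                  *((c)++)=(unsigned char)(((l)    )&0xff))

// The Sun compiler has no __FUNCTION__; trace macros still need a string.
#ifdef SUNCC
#define __FUNCTION__ "-unknown-"
#endif

// NOTE(review): a non-extern static at namespace scope in a header gives every
// translation unit its own copy; each .cc including this header must set its
// own SSLxTrace or tracing silently stays off there.
static XrdOucTrace *SSLxTrace=0;

class XrdSecProtocolssl;

// Upper bound on retries when generating a unique SSL session id
// (used by GenerateSession; see the .cc).
#define MAX_SESSION_ID_ATTEMPTS 10

/******************************************************************************/
/*                 X r d S e c P r o t o c o l s s l C l a s s                */
/******************************************************************************/

// Two-level lock guarding the on-disk SSL session cache: a process-wide
// "soft" mutex shared by all instances, and an optional "hard" advisory
// flock() on a file so that several processes can serialise as well.
//
// Lifetime contract: the destructor releases the hard lock (closing its fd)
// but NOT the soft mutex - callers pair SoftLock() with SoftUnLock()
// themselves. (The SUNCC build differs; see below.)
class XrdSecsslSessionLock {
private:
   static XrdSysMutex sessionmutex;   // process-wide soft lock shared by every instance
   int sessionfd;                     // fd of the flock()ed file, or -1 when no hard lock is held

   // The object owns a file descriptor and a lock; copying it would lead to a
   // double close / double unlock. Declared but never defined (pre-C++11 idiom).
   XrdSecsslSessionLock(const XrdSecsslSessionLock&);
   XrdSecsslSessionLock& operator=(const XrdSecsslSessionLock&);

public:
   XrdSecsslSessionLock() : sessionfd(-1) {}

   // Take / release the process-wide mutex. Always report success.
   bool SoftLock()   { sessionmutex.Lock();   return true; }
   bool SoftUnLock() { sessionmutex.UnLock(); return true; }

#ifdef SUNCC
   // SUNCC build: no cross-process file lock is ever taken (HardLock is a
   // no-op that reports success), and the destructor drops the soft mutex
   // unconditionally - even if SoftLock() was never called on this object.
   // Left as-is because existing SUNCC callers may rely on the implicit
   // unlock; TODO(review): confirm and align with the flock() branch.
   bool HardLock(const char* path) { return true; }
   bool HardUnLock() { return true; }
   ~XrdSecsslSessionLock() { sessionmutex.UnLock(); }
#else
   // Open `path` read/write and take an exclusive advisory flock() on it.
   // Returns false if the file cannot be opened or the lock cannot be
   // acquired; in that case no descriptor is retained. A hard lock already
   // held by this object is released first so its fd does not leak.
   // The fd is marked close-on-exec so it is not inherited by child processes.
   // NOTE(review): open() follows symlinks; if `path` lives in a directory
   // writable by other users, consider O_NOFOLLOW / a trusted directory.
   bool HardLock(const char* path) {
      HardUnLock();
      int fd = open(path, O_RDWR);
      if (fd < 0) return false;
      fcntl(fd, F_SETFD, FD_CLOEXEC);
      if (flock(fd, LOCK_EX) != 0) {
         close(fd);
         return false;
      }
      sessionfd = fd;
      return true;
   }

   // Release the advisory lock (if any) and close the lock file. Idempotent.
   bool HardUnLock() {
      if (sessionfd >= 0) {
         flock(sessionfd, LOCK_UN);
         close(sessionfd);
         sessionfd = -1;
      }
      return true;
   }

   // Only the hard lock is released on destruction; the soft mutex is the
   // caller's responsibility.
   ~XrdSecsslSessionLock() { HardUnLock(); }
#endif
};

// SSL/X.509 (grid-proxy aware, via GridSite/VOMS) authentication protocol for
// the XrdSec transport layer. One instance exists per authentication exchange;
// the static members hold process-wide configuration, the OpenSSL context and
// the gridmap/vomsmap lookup tables populated from the .cc.
class XrdSecProtocolssl : public XrdSecTLayer
{
public:
   friend class XrdSecProtocolDummy;   // Avoid stupid gcc warnings about destructor

   // Construct a client-side protocol object for the peer `hostname`.
   // `ipaddr` may be null; when given, Entity.host is set to the reverse-DNS
   // name of that address. NOTE(review): a reverse-DNS name is attacker
   // influenceable and is NOT an authentication of the peer - do not base
   // authorisation decisions on Entity.host alone.
   XrdSecProtocolssl(const char* hostname, const struct sockaddr *ipaddr)
      : XrdSecTLayer("ssl", XrdSecTLayer::isClient)
   {
      // Every raw pointer / descriptor starts in its "unset" state so that
      // Delete() can free unconditionally and fds are never closed by accident.
      credBuff    = 0;
      ssl         = 0;
      clientctx   = 0;
      client_cert = 0;
      server_cert = 0;
      terminate   = false;
      Step        = 0;
      sd          = -1;
      listen_sd   = -1;
      sessionfd   = -1;
      proxyBuff[0] = 0;
      memset(&hostaddr, 0, sizeof(hostaddr));
      memset(&sa_serv,  0, sizeof(sa_serv));
      memset(&sa_cli,   0, sizeof(sa_cli));

      Entity.name         = 0;
      Entity.grps         = 0;
      Entity.role         = 0;   // freed in Delete(), so it must be defined here
      Entity.endorsements = 0;
      strncpy(Entity.prot, "ssl", sizeof(Entity.prot));

      host = hostname;
      if (ipaddr)
         Entity.host = (XrdNetDNS::getHostName((sockaddr&)*ipaddr));
      else
         Entity.host = strdup("");
   }

   // Handshake entry points run by the transport layer on the given socket;
   // errors are reported through einfo (see the .cc).
   virtual void secClient(int theFD, XrdOucErrInfo *einfo);
   virtual void secServer(int theFD, XrdOucErrInfo *einfo=0);

   // Hash-walk callback that does nothing; triggers purging of expired
   // SecTLayer threads as a side effect of the walk.
   static int dummy(const char* key, XrdSecProtocolssl *ssl, void* Arg) { return 0; }

   // Delayed garbage collection: signal the handshake thread to stop, join
   // it, then release every owned credential/certificate/SSL object under
   // SSLMutex and finally delete the object itself. Must be the last call on
   // the instance.
   // NOTE(review): clientctx (SSL_CTX*) and Entity.endorsements are not
   // released here; confirm in the .cc where they are owned/freed.
   virtual void Delete() {
      terminate = true;
      if (secTid) XrdSysThread::Join(secTid, NULL);
      secTid = 0;

      SSLMutex.Lock();
      if (credBuff)     free(credBuff);
      if (Entity.name)  free(Entity.name);
      if (Entity.grps)  free(Entity.grps);
      if (Entity.role)  free(Entity.role);
      if (Entity.host)  free(Entity.host);
      if (ssl)          SSL_free(ssl);
      if (client_cert)  X509_free(client_cert);
      if (server_cert)  X509_free(server_cert);
      credBuff    = 0;
      Entity.name = 0;
      Entity.grps = 0;
      Entity.role = 0;
      Entity.host = 0;
      client_cert = 0;
      server_cert = 0;
      ssl         = 0;
      secTid      = 0;
      SSLMutex.UnLock();

      delete this;
   }

   // Session-cache hooks (registered and implemented in the .cc).
   static int GenerateSession(const SSL* ssl, unsigned char *id, unsigned int *id_len);
   static int NewSession(SSL* ssl, SSL_SESSION *pNew);
   static int GetSession(SSL* ssl, SSL_SESSION *pNew);

   // ---- process-wide configuration (set from the config/environment in the .cc)
   static char* SessionIdContext;
   static char* sslcadir;                 // CA certificate directory
   static char* sslvomsdir;               // VOMS server certificate directory
   static char* sslserverkeyfile;
   static char* sslkeyfile;
   static char* sslcertfile;
   static char* sslproxyexportdir;        // where forwarded proxies are written
   static bool  sslproxyexportplain;      // presumably: export proxies unencrypted - verify in .cc
   // Fixed-size buffer holding password material for exported server keys.
   // NOTE(review): lives for the whole process; consider wiping it on shutdown.
   static char  sslserverexportpassword[EXPORTKEYSTRENGTH+1];
   static int   threadsinuse;             // guarded by ThreadsInUseMutex
   static char* gridmapfile;              // DN -> local user map
   static char* vomsmapfile;              // VOMS group -> local group map
   static bool  mapuser;
   static bool  mapnobody;
   static bool  mapgroup;
   static bool  mapcerncertificates;
   static int   debug;
   static time_t sslsessionlifetime;
   static int   sslselecttimeout;
   static int   sslsessioncachesize;
   static char* procdir;
   static XrdSecProtocolsslProc* proc;

   // ---- error counters (guarded by ErrorMutex)
   static int errortimeout;
   static int errorverify;
   static int errorqueue;
   static int erroraccept;
   static int errorabort;
   static int errorread;
   static int forwardedproxies;

   static bool isServer;
   static bool forwardProxy;
   static bool allowSessions;
   static X509_STORE*  store;             // trust store used for peer verification
   static X509_LOOKUP* lookup;
   static int verifydepth;                // maximum accepted certificate chain depth
   static int verifyindex;

   int   sessionfd;                       // -1 when unset
   X509* client_cert;                     // owned; freed in Delete()
   X509* server_cert;                     // owned; freed in Delete()
   XrdOucString host;

   // ---- user/group mapping (gridmap / vomsmap), implemented in the .cc
   static void ReloadGridMapFile();
   static void ReloadVomsMapFile();
   static bool VomsMapGroups(const char* groups, XrdOucString& allgroups, XrdOucString& defaultgroup);

   static void GetEnvironment();
   static XrdOucHash<XrdOucString> gridmapstore;   // guarded by GridMapMutex
   static XrdOucHash<XrdOucString> vomsmapstore;   // guarded by VomsMapMutex
   static XrdOucHash<XrdOucString> stringstore;    // guarded by StoreMutex
   static XrdSysMutex StoreMutex;
   static XrdSysMutex VomsMapMutex;
   static XrdSysMutex GridMapMutex;
   static XrdSysMutex* CryptoMutexPool[PROTOCOLSSL_MAX_CRYPTO_MUTEX];   // OpenSSL locking callbacks
   static XrdSysMutex ThreadsInUseMutex;
   static XrdSysMutex ErrorMutex;

   // ---- error logging and tracing
   static XrdSysLogger Logger;
   static XrdSysError  ssleDest;
   static time_t       storeLoadTime;

   // Parameters handed to the certificate verification callback.
   typedef struct {
      int verbose_mode;
      int verify_depth;
      int always_continue;
   } sslverify_t;

   char proxyBuff[16384];                 // fixed buffer for the (PEM) proxy; bounds-check writes in the .cc
   static SSL_CTX* ctx;                   // shared (server) context
   SSL_CTX* clientctx;                    // per-instance client context

   XrdSysMutex SSLMutex;                  // serialises teardown in Delete()
   bool terminate;                        // set by Delete() to stop the handshake thread
   ~XrdSecProtocolssl() {
   }

   // Record `msg` with return code rc in erp and return rc (see the .cc).
   static int Fatal(XrdOucErrInfo *erp, const char* msg, int rc);

   struct sockaddr hostaddr;              // Client-side only
   char *credBuff;                        // Credentials buffer (server)
   int   Step;                            // Indicates step in authentication

   int  sd;                               // -1 when unset
   int  listen_sd;                        // -1 when unset
   struct sockaddr_in sa_serv;
   struct sockaddr_in sa_cli;
   SSL* ssl;                              // owned; freed in Delete()
};

extern "C"
{
// Plugin entry point: initialise the protocol in client or server `mode`
// from the configuration string `parms`; errors are reported through erp.
char *XrdSecProtocolsslInit(const char mode,
                            const char *parms,
                            XrdOucErrInfo *erp);
}

// Scope guard that counts a live handshake thread in
// XrdSecProtocolssl::threadsinuse under ThreadsInUseMutex for its lifetime.
class XrdSecsslThreadInUse {
private:
   // Copying would decrement the counter twice; declared but never defined.
   XrdSecsslThreadInUse(const XrdSecsslThreadInUse&);
   XrdSecsslThreadInUse& operator=(const XrdSecsslThreadInUse&);
public:
   XrdSecsslThreadInUse() {
      XrdSecProtocolssl::ThreadsInUseMutex.Lock();
      XrdSecProtocolssl::threadsinuse++;
      XrdSecProtocolssl::ThreadsInUseMutex.UnLock();
   }
   ~XrdSecsslThreadInUse() {
      XrdSecProtocolssl::ThreadsInUseMutex.Lock();
      XrdSecProtocolssl::threadsinuse--;
      XrdSecProtocolssl::ThreadsInUseMutex.UnLock();
   }
};

#endif // __XRDSECPROTOCOLSSL_HH__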