00001 /******************************************************************************/
00002 /*                                                                            */
00003 /*                 X r d S e c P r o t o c o l s s l . h h                    */
00004 /*                                                                            */
00005 /* (c) 2007 by the Board of Trustees of the Leland Stanford, Jr., University  */
00006 /*                            All Rights Reserved                             */
00007 /*   Produced by Andrew Hanushevsky for Stanford University under contract    */
00008 /*              DE-AC02-76-SFO0515 with the Department of Energy              */
00009 /******************************************************************************/
00010 
00011 #include <unistd.h>
00012 #include <ctype.h>
00013 #include <errno.h>
00014 #include <iostream>
00015 #include <stdlib.h>
00016 #include <strings.h>
00017 #include <grp.h>
00018 #include <pwd.h>
00019 
00020 #define OPENSSL_THREAD_DEFINES
00021 #include <openssl/opensslconf.h>
00022 
00023 #include <openssl/crypto.h>
00024 #include <openssl/x509v3.h>
00025 #include <openssl/ssl.h>
00026 #include <openssl/pem.h>
00027 #include <openssl/err.h>
00028 #include <openssl/rand.h>
00029 #include <sys/socket.h>
00030 #include <sys/types.h>
00031 #include <sys/stat.h>
00032 #include <netinet/in.h>
00033 #include <arpa/inet.h>
00034 #include <netdb.h>
00035 #include <sys/types.h>
00036 #include <sys/time.h>
00037 #include <sys/file.h>
00038 #include <fcntl.h>
00039 #include <pwd.h>
00040 #include <grp.h>
00041 
00042 #include "XrdNet/XrdNetDNS.hh"
00043 #include "XrdOuc/XrdOucErrInfo.hh"
00044 #include "XrdOuc/XrdOucHash.hh"
00045 #include "XrdOuc/XrdOucString.hh"
00046 #include "XrdOuc/XrdOucTrace.hh"
00047 #include "XrdOuc/XrdOucTokenizer.hh"
00048 #include "XrdSys/XrdSysPthread.hh"
00049 #include "XrdSys/XrdSysLogger.hh"
00050 #include "XrdSec/XrdSecInterface.hh"
00051 #include "XrdSec/XrdSecTLayer.hh"
00052 #include "XrdSecssl/XrdSecProtocolsslTrace.hh"
00053 #include "XrdSecssl/XrdSecProtocolsslProc.hh"
00054 #include "libsslGridSite/grst_verifycallback.h"
00055 #include "libsslGridSite/gridsite.h"
00056 
// Length of the server export password: sslserverexportpassword (declared in
// XrdSecProtocolssl below) holds EXPORTKEYSTRENGTH characters plus a NUL.
#define EXPORTKEYSTRENGTH 10

// Number of entries in XrdSecProtocolssl::CryptoMutexPool, the per-process
// pool of XrdSysMutex pointers declared in the class below.
#define PROTOCOLSSL_MAX_CRYPTO_MUTEX 256


// Redefine the PEM SSL_SESSION read/write helpers so that the d2i/i2d
// function-pointer casts compile under g++ with OpenSSL 0.9.8 (R__SSL_GE_098)
// and, on macOS before 10.5, with the older OpenSSL headers shipped there.
// Only the casts differ from the stock OpenSSL macros; the arguments and the
// PEM type name are unchanged.

#ifdef R__SSL_GE_098
#undef PEM_read_SSL_SESSION
#undef PEM_write_SSL_SESSION

#define PEM_read_SSL_SESSION(fp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read( (void *(*)(void **, const unsigned char **, long int))d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,fp,(void **)x,cb,u)

#define PEM_write_SSL_SESSION(fp,x) PEM_ASN1_write((int (*)(void*, unsigned char**))i2d_SSL_SESSION, PEM_STRING_SSL_SESSION,fp, (char *)x,  NULL,NULL,0,NULL,NULL)
#else
#if defined(__APPLE__) && !defined(MAC_OS_X_VERSION_10_5)
#undef PEM_read_SSL_SESSION
#undef PEM_write_SSL_SESSION

#define PEM_read_SSL_SESSION(fp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read( (char *(*)(...))d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,fp,(char **)x  ,cb,u)
#define PEM_write_SSL_SESSION(fp,x) PEM_ASN1_write((int(*)(...))i2d_SSL_SESSION, PEM_STRING_SSL_SESSION,fp, (char *)x,NULL,NULL,0,NULL,NULL)
#endif
#endif

// Serialise the low 32 bits of l into the byte buffer c, most significant byte
// first, advancing c by four bytes.  c is incremented four times inside the
// expansion, so pass a plain lvalue (no side effects) for both arguments.
#define l2n(l,c)        (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
                         *((c)++)=(unsigned char)(((l)>>16)&0xff), \
                         *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
                         *((c)++)=(unsigned char)(((l)    )&0xff))

// The Sun compiler provides no __FUNCTION__; substitute a constant string so
// trace macros still compile.  __FUNCTION__ is an implementation-reserved
// name, which is why this is confined to SUNCC.
#ifdef SUNCC
#define __FUNCTION__ "-unknown-"
#endif

// Trace object for this module.  Being `static` in a header, every translation
// unit that includes this file gets its own copy; it is initialised to null here
// and presumably installed by the protocol's Init entry point.
static XrdOucTrace        *SSLxTrace=0;

class XrdSecProtocolssl;

// Upper bound on retries when a session id has to be generated
// (presumably used by XrdSecProtocolssl::GenerateSession).
#define MAX_SESSION_ID_ATTEMPTS 10
00095 
00096 /******************************************************************************/
00097 /*              X r d S e c P r o t o c o l s s l C l a s s                   */
00098 /******************************************************************************/
00099 
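// Two-level lock guarding the on-disk SSL session cache: SoftLock() takes a
// process-local mutex, HardLock() additionally takes an exclusive flock() on
// the session file so other processes sharing the cache are excluded.  The
// destructor releases whatever file lock is still held.  Fixes relative to the
// first version: a descriptor value of 0 is a valid open file and is no longer
// treated as "not locked"; a failed flock() closes the descriptor instead of
// keeping it open until destruction; a repeated HardLock() releases the
// previous lock rather than leaking its descriptor.
class XrdSecsslSessionLock {
private:
static  XrdSysMutex sessionmutex;
  int sessionfd;   // descriptor of the flock()ed session file, -1 when no file lock is held

public:
  XrdSecsslSessionLock() {sessionfd=-1;}
  // Process-local lock; always reports success.
  bool SoftLock() { sessionmutex.Lock();return true;}
  bool SoftUnLock() {sessionmutex.UnLock();return true;}
#ifdef SUNCC
  // No cross-process lock on SUNCC: HardLock() reports success without locking
  // anything, and the destructor releases the process-local mutex
  // unconditionally (original behaviour, kept as is).
  bool HardLock(const char* path) {return true;}
  bool HardUnLock() {return true;}
  ~XrdSecsslSessionLock() {sessionmutex.UnLock();}
#else
  // Open `path` read/write and take an exclusive flock() on it.
  // Returns true only when both the open and the lock succeeded; on failure no
  // descriptor is left open and the object holds no file lock.
  bool HardLock(const char* path) {
    HardUnLock();                  // release a lock still held from an earlier call so its fd is not leaked
    int flags = O_RDWR;
#ifdef O_CLOEXEC
    flags |= O_CLOEXEC;            // keep the lock descriptor out of any child process
#endif
    sessionfd = open(path, flags);
    if (sessionfd < 0) return false;   // only a negative result is an error; fd 0 is legitimate
    if (flock(sessionfd, LOCK_EX) != 0) {
      close(sessionfd);            // lock not acquired: do not keep the descriptor until destruction
      sessionfd = -1;
      return false;
    }
    return true;
  }
  // Release the file lock (if any) and close its descriptor; always returns true.
  bool HardUnLock() {
    if (sessionfd >= 0) {flock(sessionfd,LOCK_UN);close(sessionfd);sessionfd=-1;}
    return true;
  }
  ~XrdSecsslSessionLock() {HardUnLock();}
#endif

};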
00120 
00121 
00122 
// SSL/X.509 authentication protocol built on XrdSecTLayer.  Per-connection
// state (the SSL object, peer certificates, credential buffer, proxy buffer)
// lives in the instance; configuration, the certificate store, the session
// cache settings and the user/group maps are static and shared by every
// instance in the process.  Instances are released through Delete(), which
// frees the owned resources and then deletes the object; the destructor
// itself is empty.
class XrdSecProtocolssl : public XrdSecTLayer
{
public:
  friend class XrdSecProtocolDummy; // Avoid stupid gcc warnings about destructor

  // Construct a protocol object for peer `hostname`.  When `ipaddr` is given it
  // is resolved with XrdNetDNS::getHostName() to fill Entity.host; otherwise
  // Entity.host is an empty strdup()ed string.  Either way Entity.host is
  // free()d in Delete(), so getHostName() is assumed to return heap memory.
  // The base class is always constructed with isClient here.  Note that the
  // cast on ipaddr discards its const qualifier, and that hostaddr, Step, sd,
  // listen_sd and Entity.role are not initialised by this constructor
  // (Delete() frees Entity.role — it presumably relies on XrdSecEntity's
  // constructor zeroing it; confirm).
  XrdSecProtocolssl(const char* hostname, const struct sockaddr  *ipaddr) : XrdSecTLayer("ssl",XrdSecTLayer::isClient) {
    credBuff    = 0;
    ssl         = 0;
    Entity.name = 0;
    Entity.grps = 0;
    Entity.endorsements = 0;
    // "ssl" is shorter than the destination, so strncpy NUL-terminates here
    // provided Entity.prot has at least 4 bytes (its size is set in XrdSecEntity).
    strncpy(Entity.prot,"ssl", sizeof(Entity.prot));
    host        = hostname;
    if (ipaddr)
      Entity.host = (XrdNetDNS::getHostName((sockaddr&)*ipaddr));
    else 
      Entity.host = strdup("");   // may be NULL on allocation failure; Delete() checks before free()
    proxyBuff[0]=0;               // empty proxy; any writer must stay within sizeof(proxyBuff)
    client_cert=0;
    server_cert=0;
    ssl = 0 ;                     // redundant, already cleared above
    clientctx = 0;
    terminate = 0;
  }
  
  // Client and server sides of the handshake on socket theFD; defined out of line.
  virtual void   secClient(int theFD, XrdOucErrInfo      *einfo);
  virtual void   secServer(int theFD, XrdOucErrInfo      *einfo=0);

  // triggers purging of expired SecTLayer threads
  // (a no-op callback that always returns 0; presumably handed to an
  // XrdOucHash Apply-style traversal whose side effect is the purge)
  static  int    dummy(const char* key, XrdSecProtocolssl *ssl, void* Arg) { return 0;}

  // delayed garbage collection
  // Flags termination, joins the handshake thread (secTid is not declared in
  // this class, so presumably inherited from XrdSecTLayer), then under SSLMutex
  // releases every owned resource and finally deletes the object.  SSLMutex is
  // unlocked before `delete this` because it is a member of the object being
  // destroyed.  NOTE(review): clientctx (SSL_CTX*) is not released here —
  // confirm whether this object owns it.
  virtual void              Delete() {
    terminate = true;
    if (secTid) XrdSysThread::Join(secTid,NULL);
    secTid=0;
    SSLMutex.Lock();
    if (credBuff)    free(credBuff);
    if (Entity.name) free(Entity.name);
    if (Entity.grps) free(Entity.grps);
    if (Entity.role) free(Entity.role);
    if (Entity.host) free(Entity.host);
    if (ssl) SSL_free(ssl);
    if (client_cert) X509_free(client_cert);
    if (server_cert) X509_free(server_cert);
    // Null every released pointer so a stale reference cannot double-free.
    credBuff = 0;
    Entity.name = 0;
    Entity.grps = 0;
    Entity.role = 0;
    Entity.host = 0;
    client_cert = 0;
    server_cert = 0;
    ssl=0;
    secTid=0;                     // already cleared above
    SSLMutex.UnLock();
    delete this;
  }


  // Session-cache callbacks with OpenSSL's session-id / new-session / get-session
  // signatures; defined out of line.
  static int GenerateSession(const SSL* ssl, unsigned char *id, unsigned int *id_len);
  static int NewSession(SSL* ssl, SSL_SESSION *pNew);
  static int GetSession(SSL* ssl, SSL_SESSION *pNew);

  // Process-wide configuration shared by all instances (presumably filled by
  // GetEnvironment() and the Init entry point; the definitions live in the .cc).
  static char*              SessionIdContext ;
  static char*              sslcadir; 
  static char*              sslvomsdir;
  static char*              sslserverkeyfile; 
  static char*              sslkeyfile;
  static char*              sslcertfile;
  static char*              sslproxyexportdir;
  static bool               sslproxyexportplain;   // NOTE(review): name suggests exported proxies may be written unprotected — check the export path's file permissions in the .cc
  static char               sslserverexportpassword[EXPORTKEYSTRENGTH+1];   // EXPORTKEYSTRENGTH chars + NUL; key material held in static storage
  static int                threadsinuse;          // guarded by ThreadsInUseMutex (see XrdSecsslThreadInUse)
  static char*              gridmapfile;
  static char*              vomsmapfile;
  static bool               mapuser;
  static bool               mapnobody;
  static bool               mapgroup;
  static bool               mapcerncertificates;
  static int                debug;
  static time_t             sslsessionlifetime;
  static int                sslselecttimeout;
  static int                sslsessioncachesize;
  static char*              procdir;
  static XrdSecProtocolsslProc* proc;

  // Error counters (presumably guarded by ErrorMutex below).
  static int                errortimeout;
  static int                errorverify;
  static int                errorqueue;
  static int                erroraccept;
  static int                errorabort;
  static int                errorread;
  static int                forwardedproxies;

  static bool               isServer;
  static bool               forwardProxy;
  static bool               allowSessions;
  static X509_STORE*        store;  
  static X509_LOOKUP*       lookup;
  static int                verifydepth;
  static int                verifyindex;
  int                       sessionfd;
  X509*    client_cert;     // peer certificates; X509_free()d in Delete()
  X509*    server_cert;
  XrdOucString              host;          // peer host name given to the constructor

  // User/Group mapping
  static void ReloadGridMapFile();
  static void ReloadVomsMapFile();
  static bool VomsMapGroups(const char* groups, XrdOucString& allgroups, XrdOucString& defaultgroup);

  static void GetEnvironment();
  // Map caches and the mutexes that protect them.
  static  XrdOucHash<XrdOucString>  gridmapstore;
  static  XrdOucHash<XrdOucString>  vomsmapstore;
  static  XrdOucHash<XrdOucString>  stringstore;
  static  XrdSysMutex               StoreMutex;
  static  XrdSysMutex               VomsMapMutex;
  static  XrdSysMutex               GridMapMutex;
  static  XrdSysMutex*              CryptoMutexPool[PROTOCOLSSL_MAX_CRYPTO_MUTEX];   // pool sized by PROTOCOLSSL_MAX_CRYPTO_MUTEX
  static  XrdSysMutex               ThreadsInUseMutex;
  static  XrdSysMutex               ErrorMutex;

  // for error logging and tracing
  static XrdSysLogger       Logger;
  static XrdSysError        ssleDest;
  static time_t             storeLoadTime;
  
  // Settings for the certificate verification callback.
  typedef struct {
    int verbose_mode;
    int verify_depth;
    int always_continue;
  } sslverify_t;
  
  char proxyBuff[16384];    // fixed-size buffer, presumably for the forwarded proxy; bound every write to sizeof(proxyBuff)
  static SSL_CTX* ctx;      // shared context
  SSL_CTX* clientctx;       // per-instance context; not released in Delete() (see note there)

  XrdSysMutex SSLMutex;     // serialises Delete() against the handshake thread
  bool terminate;           // set by Delete(); presumably polled by the handshake thread
  // Empty on purpose: all cleanup happens in Delete().
  ~XrdSecProtocolssl() {
  }

  // Error reporting helper; defined out of line.
  static int Fatal(XrdOucErrInfo *erp, const char* msg, int rc);
  
  
  struct sockaddr           hostaddr;      // Client-side only
  char                     *credBuff;      // Credentials buffer (server)
  int                       Step;          // Indicates step in authentication
  
  int sd;
  int listen_sd;
  struct sockaddr_in sa_serv;
  struct sockaddr_in sa_cli;
  SSL*     ssl;             // SSL_free()d in Delete()
};
00278 
// Plugin entry point with C linkage: takes the mode character, the parameter
// string and an error-info object, and returns a char* (defined out of line).
extern "C"
{
  char *XrdSecProtocolsslInit(const char mode, const char *parms, XrdOucErrInfo *erp);
}
00285 
00286 
// Scope guard that counts active protocol threads: construction increments
// XrdSecProtocolssl::threadsinuse and destruction decrements it, each update
// taken under XrdSecProtocolssl::ThreadsInUseMutex.
class XrdSecsslThreadInUse {
public:
  XrdSecsslThreadInUse() {
    XrdSecProtocolssl::ThreadsInUseMutex.Lock();
    ++XrdSecProtocolssl::threadsinuse;
    XrdSecProtocolssl::ThreadsInUseMutex.UnLock();
  }
  ~XrdSecsslThreadInUse() {
    XrdSecProtocolssl::ThreadsInUseMutex.Lock();
    --XrdSecProtocolssl::threadsinuse;
    XrdSecProtocolssl::ThreadsInUseMutex.UnLock();
  }
};
00292 
00293 
