
XrdSecProtocolssl.hh

00001 /******************************************************************************/
00002 /*                                                                            */
00003 /*                 X r d S e c P r o t o c o l s s l . h h                    */
00004 /*                                                                            */
00005 /* (c) 2007 by the Board of Trustees of the Leland Stanford, Jr., University  */
00006 /*                            All Rights Reserved                             */
00007 /*   Produced by Andrew Hanushevsky for Stanford University under contract    */
00008 /*              DE-AC02-76-SFO0515 with the Department of Energy              */
00009 /******************************************************************************/
00010 
00011 //       $Id: XrdSecProtocolssl.hh,v 1.2 2010/01/29 15:50:18 ganis Exp $
00012 
00013 #include <unistd.h>
00014 #include <ctype.h>
00015 #include <errno.h>
00016 #include <iostream>
00017 #include <stdlib.h>
00018 #include <strings.h>
00019 #include <grp.h>
00020 #include <pwd.h>
00021 
00022 #define OPENSSL_THREAD_DEFINES
00023 #include <openssl/opensslconf.h>
00024 
00025 #include <openssl/crypto.h>
00026 #include <openssl/x509v3.h>
00027 #include <openssl/ssl.h>
00028 #include <openssl/pem.h>
00029 #include <openssl/err.h>
00030 #include <openssl/rand.h>
00031 #include <sys/socket.h>
00032 #include <sys/types.h>
00033 #include <sys/stat.h>
00034 #include <netinet/in.h>
00035 #include <arpa/inet.h>
00036 #include <netdb.h>
00037 #include <sys/types.h>
00038 #include <sys/time.h>
00039 #include <sys/file.h>
00040 #include <fcntl.h>
00041 #include <pwd.h>
00042 #include <grp.h>
00043 
00044 #include "XrdNet/XrdNetDNS.hh"
00045 #include "XrdOuc/XrdOucErrInfo.hh"
00046 #include "XrdOuc/XrdOucHash.hh"
00047 #include "XrdOuc/XrdOucString.hh"
00048 #include "XrdOuc/XrdOucTrace.hh"
00049 #include "XrdOuc/XrdOucTokenizer.hh"
00050 #include "XrdSys/XrdSysPthread.hh"
00051 #include "XrdSys/XrdSysLogger.hh"
00052 #include "XrdSec/XrdSecInterface.hh"
00053 #include "XrdSec/XrdSecTLayer.hh"
00054 #include "XrdSecssl/XrdSecProtocolsslTrace.hh"
00055 #include "libsslGridSite/grst_verifycallback.h"
00056 #include "libsslGridSite/gridsite.h"
00057 
// Length, in characters, of the server export password kept in
// XrdSecProtocolssl::sslserverexportpassword (declared EXPORTKEYSTRENGTH+1 for
// the terminating NUL). NOTE(review): 10 characters is a short secret for
// protecting an exported proxy; how it is generated is not visible here.
#define EXPORTKEYSTRENGTH 10

// Number of entries in XrdSecProtocolssl::CryptoMutexPool.
#define PROTOCOLSSL_MAX_CRYPTO_MUTEX 256


// fix for SSL 098 stuff and g++:
// with OpenSSL >= 0.9.8 the stock PEM_read/write_SSL_SESSION macros presumably
// do not compile under g++, so they are re-expressed over PEM_ASN1_read /
// PEM_ASN1_write with explicit function-pointer casts. R__SSL_GE_098 is
// expected to come from the build system.

#ifdef R__SSL_GE_098
#undef PEM_read_SSL_SESSION
#undef PEM_write_SSL_SESSION

#define PEM_read_SSL_SESSION(fp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read( (void *(*)(void **, const unsigned char **, long int))d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,fp,(void **)x,cb,u)

#define PEM_write_SSL_SESSION(fp,x) PEM_ASN1_write((int (*)(void*, unsigned char**))i2d_SSL_SESSION, PEM_STRING_SSL_SESSION,fp, (char *)x,  NULL,NULL,0,NULL,NULL)
#endif

// Store the low 32 bits of l at c in network (big-endian) byte order and
// advance c by four bytes. l is evaluated four times, so both arguments must
// be free of side effects.
#define l2n(l,c)        (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
                         *((c)++)=(unsigned char)(((l)>>16)&0xff), \
                         *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
                         *((c)++)=(unsigned char)(((l)    )&0xff))

// Sun CC has no __FUNCTION__; give trace messages a placeholder instead.
// Redefining a compiler-reserved name is tolerated here only because that
// compiler does not define it at all.
#ifdef SUNCC
#define __FUNCTION__ "-unknown-"
#endif


// Trace object for this protocol. NOTE(review): a static definition in a
// header gives every translation unit that includes it its own SSLxTrace;
// confirm it is set in the same TU that uses it.
static XrdOucTrace        *SSLxTrace=0;

class XrdSecProtocolssl;

// Upper bound on retries when producing a unique session id (presumably used
// by XrdSecProtocolssl::GenerateSession -- confirm in the .cc).
#define MAX_SESSION_ID_ATTEMPTS 10
00089 
00090 /******************************************************************************/
00091 /*              X r d S e c P r o t o c o l s s l C l a s s                   */
00092 /******************************************************************************/
00093 
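// Holder for the two locks that guard the on-disk SSL session cache: a
// process-wide XrdSysMutex ("soft" lock, serialises threads of this process)
// and an flock() on the session file itself ("hard" lock, serialises
// processes).
//
// The destructor releases whatever this object still holds, so a caller may
// return early without unlocking; explicit Soft/HardUnLock calls are fine too.
// sessionmutex is static and must be defined once in the .cc.
class XrdSecsslSessionLock {
private:
static  XrdSysMutex sessionmutex;   // shared by every instance in the process
  int  sessionfd;                   // fd holding the flock(); -1 when none
  bool softlocked;                  // true while this object holds sessionmutex
  
public:
  XrdSecsslSessionLock() {sessionfd=-1; softlocked=false;}

  // Take the process-wide mutex and remember that this object owns it.
  // Always returns true (XrdSysMutex::Lock exposes no failure here).
  bool SoftLock() {sessionmutex.Lock(); softlocked=true; return true;}

  // Release the mutex, but only if this object took it: the original
  // unlocked unconditionally, so SoftUnLock() followed by destruction
  // unlocked the shared mutex twice.
  bool SoftUnLock() {
    if (softlocked) {sessionmutex.UnLock(); softlocked=false;}
    return true;
  }
#ifdef SUNCC
  // No file locking on Sun CC builds: the hard lock is a no-op.
  bool HardLock(const char* path) {return true;}
  bool HardUnLock() {return true;}
#else
  // Open path and take an exclusive flock() on it. On any failure no
  // descriptor is kept: the original leaked the fd when flock() failed and
  // mis-classified a legitimately returned fd 0 as an open() failure.
  // NOTE(review): O_CLOEXEC would keep the lock fd out of forked children;
  // not added here because platform support for it is unknown.
  bool HardLock(const char* path) {
    HardUnLock();                         // never leak an earlier lock fd
    sessionfd = open(path, O_RDWR);
    if (sessionfd < 0) return false;
    if (flock(sessionfd, LOCK_EX) != 0) {
      close(sessionfd);
      sessionfd = -1;
      return false;
    }
    return true;
  }

  // Drop the flock() (close() releases it as well) and forget the fd.
  bool HardUnLock() {
    if (sessionfd >= 0) {
      flock(sessionfd, LOCK_UN);
      close(sessionfd);
      sessionfd = -1;
    }
    return true;
  }
#endif

  // Release in reverse order of acquisition: file lock first, then the mutex
  // -- and the mutex only if this object actually holds it, so it is never
  // unlocked more often than it was locked.
  ~XrdSecsslSessionLock() {HardUnLock(); SoftUnLock();}

};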
00114 
00115 
00116 
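// Server-side SSL/X509 authentication protocol for xrootd, layered on
// XrdSecTLayer. Per-connection state (ssl, certificates, proxy buffer) lives
// in the instance; configuration, the CA store and the grid/voms map caches
// are process-wide statics, defined and filled in by the .cc.
class XrdSecProtocolssl : public XrdSecTLayer
{
public:
  friend class XrdSecProtocolDummy; // Avoid stupid gcc warnings about destructor

  // hostname : peer host name, kept in 'host'.
  // ipaddr   : peer address; when given, Entity.host is the resolved host
  //            name, otherwise an empty malloc'd string so that the
  //            destructor may free() Entity.host either way.
  // Every pointer the destructor releases starts out null here, and the plain
  // ints and sockaddrs get a defined value instead of being left
  // uninitialised.
  XrdSecProtocolssl(const char* hostname, const struct sockaddr  *ipaddr) : XrdSecTLayer("ssl",XrdSecTLayer::isServer) {
    credBuff    = 0;
    ssl         = 0;
    clientctx   = 0;
    client_cert = 0;
    server_cert = 0;
    Entity.name = 0;
    Entity.grps = 0;
    Entity.role = 0;          // freed by ~XrdSecProtocolssl, so it must start null
    Entity.endorsements = 0;
    host        = hostname;
    if (ipaddr)
      Entity.host = (XrdNetDNS::getHostName((sockaddr&)*ipaddr));
    else 
      Entity.host = strdup("");
    proxyBuff[0]=0;
    Step        = 0;          // handshake not started
    sessionfd   = -1;         // -1: no descriptor yet (0 is a valid fd)
    sd          = -1;
    listen_sd   = -1;
    memset(&hostaddr, 0, sizeof(hostaddr));
    memset(&sa_serv,  0, sizeof(sa_serv));
    memset(&sa_cli,   0, sizeof(sa_cli));
  }
  
  
  // XrdSecTLayer entry points, implemented in the .cc: run the client or the
  // server side of the handshake over theFD, reporting failures via einfo.
  virtual void   secClient(int theFD, XrdOucErrInfo      *einfo);
  virtual void   secServer(int theFD, XrdOucErrInfo      *einfo=0);

  // The destructor is private: this is the only way to dispose of an instance.
  virtual void              Delete() {delete this;}


  // Session-id / session-cache hooks. GenerateSession and NewSession have the
  // signatures OpenSSL expects for SSL_CTX_set_generate_session_id() and
  // SSL_CTX_sess_set_new_cb(); GetSession does not match a standard OpenSSL
  // callback type, so it is presumably called directly from the .cc -- verify.
  static int GenerateSession(const SSL* ssl, unsigned char *id, unsigned int *id_len);
  static int NewSession(SSL* ssl, SSL_SESSION *pNew);
  static int GetSession(SSL* ssl, SSL_SESSION *pNew);

  // Process-wide configuration (key/cert/CA locations, proxy export), filled
  // in by the .cc; none of it is set in this header.
  static char*              SessionIdContext ;
  static char*              sslcadir; 
  static char*              sslvomsdir;
  static char*              sslserverkeyfile; 
  static char*              sslkeyfile;
  static char*              sslcertfile;
  static char*              sslproxyexportdir;
  static bool               sslproxyexportplain;
  // NUL-terminated export password of EXPORTKEYSTRENGTH characters; it stays
  // in process memory for the server's lifetime.
  static char               sslserverexportpassword[EXPORTKEYSTRENGTH+1];
  
  // Identity-mapping switches and map file locations.
  static char*              gridmapfile;
  static char*              vomsmapfile;
  static bool               mapuser;
  static bool               mapnobody;
  static bool               mapgroup;
  static bool               mapcerncertificates;
  static int                debug;
  static time_t             sslsessionlifetime;
  static bool               isServer;
  static bool               forwardProxy;
  static bool               allowSessions;
  // CA store / lookup and verification chain depth shared by all connections.
  static X509_STORE*        store;  
  static X509_LOOKUP*       lookup;
  static int                verifydepth;
  static int                verifyindex;
  // Per-connection state.
  int                       sessionfd;
  X509*    client_cert; 
  X509*    server_cert;
  XrdOucString              host;

  // User/Group mapping
  static void ReloadGridMapFile();
  static void ReloadVomsMapFile();
  static bool VomsMapGroups(const char* groups, XrdOucString& allgroups, XrdOucString& defaultgroup);

  static void GetEnvironment();
  // Caches of the grid-map / voms-map contents and their guarding mutexes.
  static  XrdOucHash<XrdOucString>  gridmapstore;
  static  XrdOucHash<XrdOucString>  vomsmapstore;
  static  XrdOucHash<XrdOucString>  stringstore;
  static  XrdSysMutex               StoreMutex;
  static  XrdSysMutex               VomsMapMutex;
  static  XrdSysMutex               GridMapMutex;
  // NOTE(review): presumably the lock pool handed to OpenSSL's locking
  // callback (required by OpenSSL < 1.1.0) -- confirm in the .cc.
  static  XrdSysMutex*              CryptoMutexPool[PROTOCOLSSL_MAX_CRYPTO_MUTEX];
  // for error logging and tracing
  static XrdSysLogger       Logger;
  static XrdSysError        ssleDest;
  static time_t             storeLoadTime;
  
  // Settings for the certificate verify callback (inferred from the field
  // names; the callback itself is not in this header).
  typedef struct {
    int verbose_mode;
    int verify_depth;
    int always_continue;
  } sslverify_t;
  
  // Fixed-size proxy credential buffer (filled in the .cc); any copy into it
  // must be bounded by sizeof(proxyBuff).
  char proxyBuff[16384];
  static SSL_CTX* ctx;       // one context per process
  SSL_CTX* clientctx;        // per-instance context

  XrdSysMutex SSLMutex;      // taken around the OpenSSL teardown in the destructor
private:
  
  // Releases the credential buffer, the Entity strings this class owns and
  // the OpenSSL objects. Entity.endorsements is nulled by the constructor but
  // not freed here -- NOTE(review): check its ownership in the .cc.
  ~XrdSecProtocolssl() {
    if (credBuff)    free(credBuff);
    if (Entity.name) free(Entity.name);
    if (Entity.grps) free(Entity.grps);
    if (Entity.role) free(Entity.role);
    if (Entity.host) free(Entity.host);
    SSLMutex.Lock();
    if (ssl) SSL_free(ssl);
    ssl = 0;
    if (client_cert) X509_free(client_cert);
    if (server_cert) X509_free(server_cert);
    SSLMutex.UnLock();    
  }

  // Error reporting helper implemented in the .cc; presumably records msg in
  // erp and returns rc -- confirm.
  static int Fatal(XrdOucErrInfo *erp, const char* msg, int rc);
  
  
  struct sockaddr           hostaddr;      // Client-side only
  char                     *credBuff;      // Credentials buffer (server)
  int                       Step;          // Indicates step in authentication
  
  int sd;
  int listen_sd;
  struct sockaddr_in sa_serv;
  struct sockaddr_in sa_cli;
  SSL*     ssl;
};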
00238 
// Plugin entry point with C linkage (presumably looked up by name by the
// XrdSec protocol loader -- confirm). Only the declaration is here; the
// implementation lives in the .cc.
//   mode  : side being initialised -- NOTE(review): the accepted values are
//           not visible in this header, verify in the .cc
//   parms : protocol parameter string from the configuration
//   erp   : error-info sink for initialisation failures
//   returns a parameter string for the peer, or 0 on failure -- TODO confirm
extern "C"
{
  char  *XrdSecProtocolsslInit(const char     mode,
                               const char    *parms,
                               XrdOucErrInfo *erp);
}
00245 
00246 
