/*
- Copyright (c) 2002-6, Andrew McNab, University of Manchester
+ Copyright (c) 2002-5, Andrew McNab, University of Manchester
All rights reserved.
Redistribution and use in source and binary forms, with or
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
-#include <stdarg.h>
#include <time.h>
#include <stdarg.h>
#include <dirent.h>
if (actime2 < time2_time) time2_time = actime2;
time(&time_now);
- if ((time1_time > time_now + 300) || (time2_time < time_now))
+ if ((time1_time > time_now) || (time2_time < time_now))
continue; /* expiration isnt invalidity ...? */
for (i=1; ; ++i)
char *creds, X509 *usercert, STACK_OF(X509) *certstack,
char *vomsdir)
{
- int i, j, vomsfound=0;
+ int i, j;
char s[80];
unsigned char *ucuser;
X509_EXTENSION *ex;
if (strcmp(s, GRST_VOMS_OID) == 0) /* a VOMS extension */
{
- vomsfound=1;
GRSTx509ParseVomsExt(lastcred, maxcreds, credlen, creds,
uctime1_time, uctime2_time,
ex, ucuser, vomsdir);
}
}
-
- if (vomsfound) return GRST_RET_OK;
}
return GRST_RET_OK;
*/
int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp,
- char *reqtxt, char *cert, char *key, int minutes)
+ char *reqtxt, char *cert, char *key, int minutes)
{
char *ptr, *certchain;
int i, subjAltName_pos, ncerts;
return keyfile;
}
-static void mkdir_printf(mode_t mode, char *fmt, ...)
-{
- int ret;
- char *path;
- va_list ap;
-
- va_start(ap, fmt);
- vasprintf(&path, fmt, ap);
- va_end(ap);
-
- ret = mkdir(path, mode);
-
- free(path);
-}
-
/// Make and store a X.509 request for a GSI proxy
/**
* Returns GRST_RET_OK on success, non-zero otherwise. Request string
- * is PEM encoded, and the key is stored in the temporary cache under
- * proxydir
+ * is PEM encoded, and the key is stored in proxydir as temporary file
+ * with a filename like .XXXXXX
*/
int GRSTx509MakeProxyRequest(char **reqtxt, char *proxydir,
char *delegation_id, char *user_dn)
{
- int i;
- char *docroot, *prvkeyfile, *ptr, *user_dn_enc;
+ int i, fd;
+ char *docroot, *reqfile, *prvkeyfile, *ptr;
size_t ptrlen;
FILE *fp;
RSA *keypair;
EVP_PKEY *pkey;
X509_REQ *certreq;
BIO *reqmem;
- const EVP_MD *digest;
+ const EVP_MD *digest;
struct stat statbuf;
- if (strcmp(user_dn, "cache") == 0) return GRST_RET_FAILED;
-
- user_dn_enc = GRSThttpUrlEncode(user_dn);
-
- /* create directories if necessary */
-
- mkdir_printf(S_IRUSR | S_IWUSR | S_IXUSR,
- "%s/cache", proxydir);
- mkdir_printf(S_IRUSR | S_IWUSR | S_IXUSR,
- "%s/cache/%s", proxydir, user_dn_enc);
- mkdir_printf(S_IRUSR | S_IWUSR | S_IXUSR,
- "%s/cache/%s/%s", proxydir, user_dn_enc, delegation_id);
-
- /* make the new proxy private key */
-
- asprintf(&prvkeyfile, "%s/cache/%s/%s/userkey.pem",
- proxydir, user_dn_enc, delegation_id);
-
- if (prvkeyfile == NULL)
- {
- free(user_dn_enc);
- return GRST_RET_FAILED;
- }
-
if ((keypair = RSA_generate_key(GRST_KEYSIZE, 65537, NULL, NULL)) == NULL)
return 1;
+ asprintf(&prvkeyfile, "%s/.XXXXXX", proxydir);
- if ((fp = fopen(prvkeyfile, "w")) == NULL) return 2;
-
- chmod(prvkeyfile, S_IRUSR | S_IWUSR);
- free(prvkeyfile);
- free(user_dn_enc);
-
+ fd = mkstemp(prvkeyfile);
+
+ if ((fp = fdopen(fd, "w")) == NULL) return 1;
+
+ fprintf(fp, "%s\n%s\n", delegation_id, user_dn);
+
if (!PEM_write_RSAPrivateKey(fp, keypair, NULL, NULL, 0, NULL, NULL))
- return 3;
+ return 1;
- if (fclose(fp) != 0) return 4;
+ if (fclose(fp) != 0) return 1;
/* now create the certificate request */
certreq = X509_REQ_new();
- if (certreq == NULL) return 5;
+ if (certreq == NULL) return 1;
OpenSSL_add_all_algorithms();
return 0;
}
-/// Destroy stored GSI proxy files
-/**
- * Returns GRST_RET_OK on success, non-zero otherwise.
- * (Including GRST_RET_NO_SUCH_FILE if the private key or cert chain
- * were not found.)
- */
-
-int GRSTx509ProxyDestroy(char *proxydir, char *delegation_id, char *user_dn)
-{
- int ret = GRST_RET_OK;
- char *docroot, *filename, *user_dn_enc;
-
- if (strcmp(user_dn, "cache") == 0) return GRST_RET_FAILED;
-
- user_dn_enc = GRSThttpUrlEncode(user_dn);
-
- /* private key */
-
- asprintf(&filename, "%s/%s/%s/userkey.pem",
- proxydir, user_dn_enc, delegation_id);
-
- if (filename == NULL)
- {
- free(user_dn_enc);
- return GRST_RET_FAILED;
- }
-
- if (unlink(filename) != 0) ret = GRST_RET_NO_SUCH_FILE;
- free(filename);
-
- /* cert chain */
-
- asprintf(&filename, "%s/%s/%s/usercert.pem",
- proxydir, user_dn_enc, delegation_id);
-
- if (filename == NULL)
- {
- free(user_dn_enc);
- return GRST_RET_FAILED;
- }
-
- if (unlink(filename) != 0) ret = GRST_RET_NO_SUCH_FILE;
- free(filename);
-
- /* voms file */
-
- asprintf(&filename, "%s/%s/%s/voms.attributes",
- proxydir, user_dn_enc, delegation_id);
-
- if (filename == NULL)
- {
- free(user_dn_enc);
- return GRST_RET_FAILED;
- }
-
- unlink(filename);
- free(filename);
-
- return ret;
-}
-
-/// Get start and finish validity times of stored GSI proxy file
-/**
- * Returns GRST_RET_OK on success, non-zero otherwise.
- * (Including GRST_RET_NO_SUCH_FILE if the cert chain was not found.)
- */
-
-int GRSTx509ProxyGetTimes(char *proxydir, char *delegation_id, char *user_dn,
- time_t *start, time_t *finish)
-{
- char *docroot, *filename, *user_dn_enc;
- FILE *fp;
- X509 *cert;
-
- if (strcmp(user_dn, "cache") == 0) return GRST_RET_FAILED;
-
- user_dn_enc = GRSThttpUrlEncode(user_dn);
-
- /* cert chain */
-
- asprintf(&filename, "%s/%s/%s/usercert.pem",
- proxydir, user_dn_enc, delegation_id);
-
- free(user_dn_enc);
-
- if (filename == NULL) return GRST_RET_FAILED;
-
- fp = fopen(filename, "r");
- free(filename);
-
- if (fp == NULL) return GRST_RET_NO_SUCH_FILE;
-
- cert = PEM_read_X509(fp, NULL, NULL, NULL);
-
- fclose(fp);
-
- *start = GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notBefore(cert)),0);
- *finish = GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notAfter(cert)),0);
-
- X509_free(cert);
-
- return GRST_RET_OK;
-}
-
/// Create a stack of X509 certificate from a PEM-encoded string
/**
* Creates a dynamically allocated stack of X509 certificate objects
return GRST_RET_OK;
}
-/// Returns a Delegation ID based on hash of GRST_CRED_0, ...
-/**
- * Returns a malloc'd string with Delegation ID made by SHA1-hashing the
- * values of the compact credentials exported by mod_gridsite
- */
-
-char *GRSTx509MakeDelegationID(void)
-{
- unsigned char hash_delegation_id[EVP_MAX_MD_SIZE];
- int size_needed = 0, i, delegation_id_len;
- char cred_name[14], *cred_value, *delegation_id;
- const EVP_MD *m;
- EVP_MD_CTX ctx;
-
- OpenSSL_add_all_digests();
-
- m = EVP_sha1();
- if (m == NULL) return NULL;
-
- EVP_DigestInit(&ctx, m);
-
- for (i=0; i <= 999; ++i)
- {
- snprintf(cred_name, sizeof(cred_name), "GRST_CRED_%d", i);
- if ((cred_value = getenv(cred_name)) == NULL) break;
-
- EVP_DigestUpdate(&ctx, cred_value, strlen(cred_value));
- }
-
- EVP_DigestFinal(&ctx, hash_delegation_id, &delegation_id_len);
-
- delegation_id = malloc(17);
-
- for (i=0; i <=7; ++i)
- sprintf(&delegation_id[i*2], "%02x", hash_delegation_id[i]);
-
- delegation_id[16] = '\0';
-
- return delegation_id;
-}
-
/// Return the short file name for the given delegation_id and user_dn
/**
* Returns a malloc'd string with the short file name (no paths) that
filename[16] = '-';
+
+
EVP_DigestInit(&ctx, m);
EVP_DigestUpdate(&ctx, buf, der_name_len);
EVP_DigestFinal(&ctx, hash_name, &hash_name_len);
/// Store a GSI proxy chain in the proxy cache, along with the private key
/**
* Returns GRST_RET_OK on success, non-zero otherwise. The existing
- * private key with the same delegation ID and user DN is moved out of
- * the temporary cache.
+ * private key with the same delegation ID and user DN is appended to
+ * make a valid proxy file, and the temporary private key file deleted.
*/
int GRSTx509CacheProxy(char *proxydir, char *delegation_id,
char *user_dn, char *proxychain)
{
- int c, len = 0, i, ret;
- char *user_dn_enc, *upcertfile, *upcertpath, *userkeyfile, *cachekeyfile,
- *p, *ptr;
+ int c, len = 0, i;
+ char *upcertfile, *upcertpath, *prvkeyfile, *p, *ptr;
FILE *ifp, *ofp;
-
- if (strcmp(user_dn, "cache") == 0) return GRST_RET_FAILED;
+ STACK_OF(X509) *certstack;
+ BIO *certmem;
+ X509 *cert;
+ long ptrlen;
- user_dn_enc = GRSThttpUrlEncode(user_dn);
+ prvkeyfile = GRSTx509CachedProxyKeyFind(proxydir, delegation_id, user_dn);
- /* create directories if necessary */
-
- mkdir_printf(S_IRUSR | S_IWUSR | S_IXUSR,
- "%s/%s", proxydir, user_dn_enc);
- mkdir_printf(S_IRUSR | S_IWUSR | S_IXUSR,
- "%s/%s/%s", proxydir, user_dn_enc, delegation_id);
-
- /* move the new proxy private key */
-
- asprintf(&cachekeyfile, "%s/cache/%s/%s/userkey.pem",
- proxydir, user_dn_enc, delegation_id);
-
- if (cachekeyfile == NULL)
+ if (prvkeyfile == NULL)
{
- free(user_dn_enc);
return GRST_RET_FAILED;
}
- asprintf(&userkeyfile, "%s/%s/%s/userkey.pem",
- proxydir, user_dn_enc, delegation_id);
-
- if (userkeyfile == NULL)
+ if ((ifp = fopen(prvkeyfile, "r")) == NULL)
{
- free(cachekeyfile);
- free(user_dn_enc);
+ free(prvkeyfile);
return GRST_RET_FAILED;
}
- ret = rename(cachekeyfile, userkeyfile);
- chmod(userkeyfile, S_IRUSR | S_IWUSR);
+// fprintf(stderr, "\n\n\n\n PROXYCHAIN = \n %s", proxychain);
+ if (GRSTx509StringToChain(&certstack, proxychain) != GRST_RET_OK)
+ return GRST_RET_FAILED;
- free(cachekeyfile);
- free(userkeyfile);
-
- if (ret != 0)
- {
- free(user_dn_enc);
- return GRST_RET_FAILED;
- }
-
- /* write out the proxy certificate chain */
-
- asprintf(&upcertfile, "%s/%s/%s/usercert.pem",
- proxydir, user_dn_enc, delegation_id);
+ upcertfile = GRSTx509MakeProxyFileName(delegation_id, certstack);
if (upcertfile == NULL)
{
- free(user_dn_enc);
+ free(prvkeyfile);
+ sk_X509_free(certstack);
return GRST_RET_FAILED;
}
- ofp = fopen(upcertfile, "w");
+ asprintf(&upcertpath, "%s/%s", proxydir, upcertfile);
+ ofp = fopen(upcertpath, "w");
+ chmod(upcertpath, S_IRUSR | S_IWUSR);
+ free(upcertpath);
+
if (ofp == NULL)
{
- free(user_dn_enc);
+ fclose(ifp);
+ free(prvkeyfile);
free(upcertfile);
return GRST_RET_FAILED;
}
+
+ fprintf(ofp, "%s\n%s\n", delegation_id, user_dn);
+
+ /* write out the most recent proxy by itself */
+
+ if (cert = sk_X509_value(certstack, 0))
+ {
+ certmem = BIO_new(BIO_s_mem());
+ if (PEM_write_bio_X509(certmem, cert) == 1)
+ {
+ ptrlen = BIO_get_mem_data(certmem, &ptr);
+ fwrite(ptr, 1, ptrlen, ofp);
+ }
+
+ BIO_free(certmem);
+ }
- chmod(upcertfile, S_IRUSR | S_IWUSR);
+ /* insert proxy private key */
+
+ while ((c = fgetc(ifp)) != EOF) fputc(c, ofp);
+ unlink(prvkeyfile);
+ free(prvkeyfile);
- free(user_dn_enc);
- free(upcertfile);
+ for (i=1; i <= sk_X509_num(certstack) - 1; ++i)
+ /* loop through the proxy chain starting at 2nd most recent proxy */
+ {
+ if (cert = sk_X509_value(certstack, i))
+ {
+ certmem = BIO_new(BIO_s_mem());
+ if (PEM_write_bio_X509(certmem, cert) == 1)
+ {
+ ptrlen = BIO_get_mem_data(certmem, &ptr);
+ fwrite(ptr, 1, ptrlen, ofp);
+ }
+
+ BIO_free(certmem);
+ }
+ }
- if ((fwrite(proxychain, sizeof (char), strlen(proxychain), ofp) !=
- strlen(proxychain)) || (fclose(ofp) != 0))
- {
- return GRST_RET_FAILED;
- }
+ sk_X509_free(certstack);
+ free(upcertfile);
+
+ if (fclose(ifp) != 0) return GRST_RET_FAILED;
+ if (fclose(ofp) != 0) return GRST_RET_FAILED;
/* should also check validity of proxy cert to avoid suprises? */
/*
- Copyright (c) 2003-5, Andrew McNab and Shiv Kaushal,
+ Copyright (c) 2003-6, Andrew McNab and Shiv Kaushal,
University of Manchester. All rights reserved.
Redistribution and use in source and binary forms, with or
#include <libxml/parser.h>
#include <libxml/tree.h>
-
#include "mod_ssl-private.h"
#include "gridsite.h"
#define UNSET -1
#endif
+#define GRST_SESSIONS_DIR "/var/www/sessions"
+
module AP_MODULE_DECLARE_DATA gridsite_module;
#define GRST_SITECAST_GROUPS 32
These are assigned default values in create_gridsite_srv_config() */
int gridhttpport = 0;
-char *passcodesdir = NULL;
+char *sessionsdir = NULL;
char *sitecastdnlists = NULL;
struct sitecast_group sitecastgroups[GRST_SITECAST_GROUPS+1];
struct sitecast_alias sitecastaliases[GRST_SITECAST_ALIASES];
char *headfile;
char *footfile;
int gridhttp;
- int soap2cgi;
char *aclformat;
char *execmethod;
char *delegationuri;
apr_fileperms_t diskmode;
} mod_gridsite_dir_cfg; /* per-directory config choices */
-typedef struct
-{
- xmlDocPtr doc;
-// char *outbuffer;
-} soap2cgi_ctx; /* store per-request context for Soap2cgi in/out filters */
-
-static const char Soap2cgiFilterName[]="Soap2cgiFilter";
-
-static void mod_gridsite_soap2cgi_insert(request_rec *r)
-{
- mod_gridsite_dir_cfg *conf;
- soap2cgi_ctx *ctx;
-
- conf = (mod_gridsite_dir_cfg *) ap_get_module_config(r->per_dir_config,
- &gridsite_module);
-
- if (conf->soap2cgi)
- {
- ctx = (soap2cgi_ctx *) malloc(sizeof(soap2cgi_ctx));
- ctx->doc = NULL;
-
- ap_add_output_filter(Soap2cgiFilterName, ctx, r, r->connection);
-
- ap_add_input_filter(Soap2cgiFilterName, NULL, r, r->connection);
- }
-}
-
-xmlNodePtr find_one_child(xmlNodePtr parent_node, char *name)
-{
- xmlNodePtr cur;
-
- for (cur = parent_node->children; cur != NULL; cur = cur->next)
- {
- if ((cur->type == XML_ELEMENT_NODE) &&
- (strcmp(cur->name, name) == 0)) return cur;
- }
-
- return NULL;
-}
-
-int add_one_node(xmlDocPtr doc, char *line)
-{
- char *p, *name, *aftername, *attrname = NULL, *value = NULL;
- xmlNodePtr cur, cur_child;
-
- cur = xmlDocGetRootElement(doc);
-
- p = index(line, '=');
- if (p == NULL) return 1;
-
- *p = '\0';
- value = &p[1];
-
- name = line;
-
- while (1) /* go through each .-deliminated segment of line[] */
- {
- if ((p = index(name, '.')) != NULL)
- {
- *p = '\0';
- aftername = &p[1];
- }
- else aftername = &name[strlen(name)];
-
- if ((p = index(name, '_')) != NULL)
- {
- *p = '\0';
- attrname = &p[1];
- }
-
- cur_child = find_one_child(cur, name);
-
- if (cur_child == NULL)
- cur_child = xmlNewChild(cur, NULL, name, NULL);
-
- cur = cur_child;
-
- name = aftername;
-
- if (attrname != NULL)
- {
- xmlSetProp(cur, attrname, value);
- return 0;
- }
-
- if (*name == '\0')
- {
- xmlNodeSetContent(cur, value);
- return 0;
- }
- }
-}
-
-static apr_status_t mod_gridsite_soap2cgi_out(ap_filter_t *f,
- apr_bucket_brigade *bbIn)
-{
- char *p, *name, *outbuffer;
- request_rec *r = f->r;
- conn_rec *c = r->connection;
- apr_bucket *bucketIn, *pbktEOS;
- apr_bucket_brigade *bbOut;
-
- const char *data;
- apr_size_t len;
- char *buf;
- apr_size_t n;
- apr_bucket *pbktOut;
-
- soap2cgi_ctx *ctx;
- xmlNodePtr root_node = NULL;
- xmlBufferPtr buff;
-
- ctx = (soap2cgi_ctx *) f->ctx;
-
-// LIBXML_TEST_VERSION;
-
- bbOut = apr_brigade_create(r->pool, c->bucket_alloc);
-
- if (ctx->doc == NULL)
- {
- ctx->doc = xmlNewDoc("1.0");
-
- root_node = xmlNewNode(NULL, "Envelope");
- xmlDocSetRootElement(ctx->doc, root_node);
-
- xmlNewChild(root_node, NULL, "Header", NULL);
- xmlNewChild(root_node, NULL, "Body", NULL);
- }
-
- apr_brigade_pflatten(bbIn, &outbuffer, &len, r->pool);
-
- /* split up buffer and feed each line to add_one_node() */
-
- name = outbuffer;
-
- while (*name != '\0')
- {
- p = index(name, '\n');
- if (p != NULL)
- {
- *p = '\0';
- ++p;
- }
- else p = &name[strlen(name)]; /* point to final NUL */
-
- add_one_node(ctx->doc, name);
-
- name = p;
- }
-
- APR_BRIGADE_FOREACH(bucketIn, bbIn)
- {
- if (APR_BUCKET_IS_EOS(bucketIn))
- {
- /* write out XML tree we have built */
-
- buff = xmlBufferCreate();
- xmlNodeDump(buff, ctx->doc, root_node, 0, 0);
-
-// TODO: simplify/reduce number of copies or libxml vs APR buffers?
-
- buf = (char *) xmlBufferContent(buff);
-
- pbktOut = apr_bucket_heap_create(buf, strlen(buf), NULL,
- c->bucket_alloc);
-
- APR_BRIGADE_INSERT_TAIL(bbOut, pbktOut);
-
- xmlBufferFree(buff);
-
- pbktEOS = apr_bucket_eos_create(c->bucket_alloc);
- APR_BRIGADE_INSERT_TAIL(bbOut, pbktEOS);
-
- continue;
- }
- }
-
- return ap_pass_brigade(f->next, bbOut);
-}
-
-static apr_status_t mod_gridsite_soap2cgi_in(ap_filter_t *f,
- apr_bucket_brigade *pbbOut,
- ap_input_mode_t eMode,
- apr_read_type_e eBlock,
- apr_off_t nBytes)
-{
- request_rec *r = f->r;
- conn_rec *c = r->connection;
-// CaseFilterInContext *pCtx;
- apr_status_t ret;
-
-#ifdef NEVERDEFINED
-
- ret = ap_get_brigade(f->next, pCtx->pbbTmp, eMode, eBlock, nBytes);
-
- if (!(pCtx = f->ctx)) {
- f->ctx = pCtx = apr_palloc(r->pool, sizeof *pCtx);
- pCtx->pbbTmp = apr_brigade_create(r->pool, c->bucket_alloc);
- }
-
- if (APR_BRIGADE_EMPTY(pCtx->pbbTmp)) {
- ret = ap_get_brigade(f->next, pCtx->pbbTmp, eMode, eBlock, nBytes);
-
- if (eMode == AP_MODE_EATCRLF || ret != APR_SUCCESS)
- return ret;
- }
-
- while(!APR_BRIGADE_EMPTY(pCtx->pbbTmp)) {
- apr_bucket *pbktIn = APR_BRIGADE_FIRST(pCtx->pbbTmp);
- apr_bucket *pbktOut;
- const char *data;
- apr_size_t len;
- char *buf;
- int n;
-
- /* It is tempting to do this...
- * APR_BUCKET_REMOVE(pB);
- * APR_BRIGADE_INSERT_TAIL(pbbOut,pB);
- * and change the case of the bucket data, but that would be wrong
- * for a file or socket buffer, for example...
- */
-
- if(APR_BUCKET_IS_EOS(pbktIn)) {
- APR_BUCKET_REMOVE(pbktIn);
- APR_BRIGADE_INSERT_TAIL(pbbOut, pbktIn);
- break;
- }
-
- ret=apr_bucket_read(pbktIn, &data, &len, eBlock);
- if(ret != APR_SUCCESS)
- return ret;
-
- buf = malloc(len);
- for(n=0 ; n < len ; ++n)
- buf[n] = apr_toupper(data[n]);
-
- pbktOut = apr_bucket_heap_create(buf, len, 0, c->bucket_alloc);
- APR_BRIGADE_INSERT_TAIL(pbbOut, pbktOut);
- apr_bucket_delete(pbktIn);
- }
-#endif
-
- return APR_SUCCESS;
-}
-
/*
* dav_parse_range() is based on modules/dav/main/mod_dav.c from Apache
void delegation_header(request_rec *r, mod_gridsite_dir_cfg *conf){
apr_table_add(r->headers_out,
- apr_pstrdup(r->pool, "Grst-Delegation-Service"),
+ apr_pstrdup(r->pool, "Proxy-Delegation-Service"),
apr_psprintf(r->pool,"https://%s%s", r->hostname, conf->delegationuri));
return;
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"Generated GridHTTP passcode %016llx", gridauthcookie);
- filetemplate = apr_psprintf(r->pool, "%s/%016llxXXXXXX",
+ filetemplate = apr_psprintf(r->pool, "%s/passcode-%016llxXXXXXX",
ap_server_root_relative(r->pool,
- passcodesdir),
+ sessionsdir),
gridauthcookie);
if (apr_file_mktemp(&fp,
/* send redirection header back to client */
- cookievalue = rindex(filetemplate, '/');
+ cookievalue = rindex(filetemplate, '-');
if (cookievalue != NULL) ++cookievalue;
else cookievalue = filetemplate;
{
gridhttpport = GRST_HTTP_PORT;
- passcodesdir = apr_pstrdup(p, "/var/www/onetimes");
- /* GridSiteOnetimesDir dir-path */
+ sessionsdir = apr_pstrdup(p, GRST_SESSIONS_DIR);
+ /* GridSiteSessionsDir dir-path */
sitecastdnlists = NULL;
/* GridSiteHeadFile and GridSiteFootFile file name */
conf->gridhttp = 0; /* GridSiteGridHTTP on/off */
- conf->soap2cgi = 0; /* GridSiteSoap2cgi on/off */
conf->aclformat = apr_pstrdup(p, "GACL");
/* GridSiteACLFormat gacl/xacml */
conf->delegationuri = NULL; /* GridSiteDelegationURI URI-value */
conf->headfile = NULL; /* GridSiteHeadFile file name */
conf->footfile = NULL; /* GridSiteFootFile file name */
conf->gridhttp = UNSET; /* GridSiteGridHTTP on/off */
- conf->soap2cgi = UNSET; /* GridSiteSoap2cgi on/off */
conf->aclformat = NULL; /* GridSiteACLFormat gacl/xacml */
conf->delegationuri = NULL; /* GridSiteDelegationURI URI-value */
conf->execmethod = NULL; /* GridSiteExecMethod */
if (direct->gridhttp != UNSET) conf->gridhttp = direct->gridhttp;
else conf->gridhttp = server->gridhttp;
- if (direct->soap2cgi != UNSET) conf->soap2cgi = direct->soap2cgi;
- else conf->soap2cgi = server->soap2cgi;
-
if (direct->aclformat != NULL) conf->aclformat = direct->aclformat;
else conf->aclformat = server->aclformat;
int n, i;
char *p;
- if (strcasecmp(a->cmd->name, "GridSiteOnetimesDir") == 0)
+ if (strcasecmp(a->cmd->name, "GridSiteSessionsDir") == 0)
+ {
+ if (a->server->is_virtual)
+ return "GridSiteSessionsDir cannot be used inside a virtual server";
+
+ sessionsdir = apr_pstrdup(a->pool, parm);
+ }
+/* GridSiteOnetimesDir is deprecated in favour of GridSiteSessionsDir */
+ else if (strcasecmp(a->cmd->name, "GridSiteOnetimesDir") == 0)
{
if (a->server->is_virtual)
return "GridSiteOnetimesDir cannot be used inside a virtual server";
- passcodesdir = apr_pstrdup(a->pool, parm);
+ sessionsdir = apr_pstrdup(a->pool, parm);
}
else if (strcasecmp(a->cmd->name, "GridSiteGridHTTPport") == 0)
{
((mod_gridsite_dir_cfg *) cfg)->gridhttp = flag;
}
- else if (strcasecmp(a->cmd->name, "GridSiteSoap2cgi") == 0)
- {
- ((mod_gridsite_dir_cfg *) cfg)->soap2cgi = flag;
- }
return NULL;
}
NULL, OR_FILEINFO, "on or off"),
AP_INIT_TAKE1("GridSiteGridHTTPport", mod_gridsite_take1_cmds,
NULL, RSRC_CONF, "GridHTTP port"),
+ AP_INIT_TAKE1("GridSiteSessionsDir", mod_gridsite_take1_cmds,
+ NULL, RSRC_CONF, "directory with GridHTTP passcodes and SSL session creds"),
+/* GridSiteOnetimesDir is deprecated in favour of GridSiteSessionsDir */
AP_INIT_TAKE1("GridSiteOnetimesDir", mod_gridsite_take1_cmds,
NULL, RSRC_CONF, "directory with GridHTTP passcodes"),
AP_INIT_TAKE2("GridSiteCastAlias", mod_gridsite_take2_cmds,
NULL, RSRC_CONF, "URL and local path mapping"),
- AP_INIT_FLAG("GridSiteSoap2cgi", mod_gridsite_flag_cmds,
- NULL, OR_FILEINFO, "on or off"),
-
AP_INIT_TAKE1("GridSiteACLFormat", mod_gridsite_take1_cmds,
NULL, OR_FILEINFO, "format to save access control lists in"),
return DECLINED;
}
-void GRST_creds_to_conn(conn_rec *conn,
+
+int GRST_get_session_id(SSL *ssl, char *session_id, size_t len)
+{
+ int i;
+ SSL_SESSION *session;
+
+ if (((session = SSL_get_session(ssl)) == NULL) ||
+ (session->session_id_length == 0)) return GRST_RET_FAILED;
+
+ if (2 * session->session_id_length + 1 > len) return GRST_RET_FAILED;
+
+ for (i=0; i < (int) session->session_id_length; ++i)
+ sprintf(&(session_id[i*2]), "%02X", (unsigned char) session->session_id[i]);
+
+ session_id[i*2] = '\0';
+
+ return GRST_RET_OK;
+}
+
+int GRST_load_ssl_creds(SSL *ssl, conn_rec *conn)
+{
+ char session_id[(SSL_MAX_SSL_SESSION_ID_LENGTH+1)*2], *sessionfile = NULL,
+ line[512], *p;
+ apr_file_t *fp = NULL;
+ int i;
+
+ if (GRST_get_session_id(ssl, session_id, sizeof(session_id)) != GRST_RET_OK)
+ return GRST_RET_FAILED;
+
+ sessionfile = apr_psprintf(conn->pool, "%s/sslcreds-%s",
+ ap_server_root_relative(conn->pool, sessionsdir),
+ session_id);
+
+ if (apr_file_open(&fp, sessionfile, APR_READ, 0, conn->pool) != APR_SUCCESS)
+ return GRST_RET_FAILED;
+
+ while (apr_file_gets(line, sizeof(line), fp) == APR_SUCCESS)
+ {
+ if (sscanf(line, "GRST_CRED_%d=", &i) == 1)
+ {
+ p = index(line, '=');
+
+ apr_table_setn(conn->notes,
+ apr_psprintf(conn->pool, "GRST_CRED_%d", i),
+ apr_pstrdup(conn->pool, &p[1]));
+ }
+ }
+
+ apr_file_close(fp);
+
+ /* connection notes created by GRST_save_ssl_creds() are now reloaded */
+ apr_table_set(conn->notes, "GRST_save_ssl_creds", "yes");
+
+ return GRST_RET_OK;
+}
+
+/*
+ Save result of GRSTx509CompactCreds() into connection notes, and
+ write out in an SSL session creds file.
+*/
+
+void GRST_save_ssl_creds(conn_rec *conn,
STACK_OF(X509) *certstack, X509 *peercert)
{
- int i, lastcred;
- const int maxcreds = 99;
+ int i, lastcred;
+ const int maxcreds = 99;
const size_t credlen = 1024;
- char creds[maxcreds][credlen+1], envname[14];
+ char creds[maxcreds][credlen+1], envname[14], *tempfile = NULL,
+ *sessionfile, session_id[(SSL_MAX_SSL_SESSION_ID_LENGTH+1)*2];
+ apr_file_t *fp = NULL;
+ SSL *ssl;
+ SSLConnRec *sslconn;
+
+ /* check if already done */
if ((certstack != NULL) && (conn->notes != NULL) &&
- (apr_table_get(conn->notes, "GRST_creds_to_conn") != NULL)) return;
+ (apr_table_get(conn->notes, "GRST_save_ssl_creds") != NULL)) return;
- /* Put result of GRSTx509CompactCreds() into connection notes */
+ /* we at least need to say we've been run */
- apr_table_set(conn->notes, "GRST_creds_to_conn", "yes");
+ apr_table_set(conn->notes, "GRST_save_ssl_creds", "yes");
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, conn->base_server,
- "set GRST_creds_to_conn");
+ "set GRST_save_ssl_creds");
+
+ sslconn = (SSLConnRec *)ap_get_module_config(conn->conn_config,&ssl_module);
+
+ if ((sslconn != NULL) &&
+ ((ssl = sslconn->ssl) != NULL) &&
+ (GRST_get_session_id(ssl,session_id,sizeof(session_id)) == GRST_RET_OK))
+ {
+ sessionfile = apr_psprintf(conn->pool, "%s/sslcreds-%s",
+ ap_server_root_relative(conn->pool, sessionsdir),
+ session_id);
+
+ tempfile = apr_pstrcat(conn->pool,
+ ap_server_root_relative(conn->pool, sessionsdir),
+ "/tmp-XXXXXX", NULL);
+
+ if ((tempfile != NULL) && (tempfile[0] != '\0'))
+ apr_file_mktemp(&fp, tempfile,
+ APR_CREATE | APR_WRITE | APR_EXCL, conn->pool);
+ }
if (GRSTx509CompactCreds(&lastcred, maxcreds, credlen, (char *) creds,
certstack, GRST_VOMS_DIR, peercert) == GRST_RET_OK)
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, conn->base_server,
"store GRST_CRED_%d=%s", i, creds[i]);
+ if (fp != NULL) apr_file_printf(fp, "GRST_CRED_%d=%s\n",
+ i, creds[i]);
}
/* free remaining dup'd certs? */
- }
+ }
+
+ if (fp != NULL)
+ {
+ apr_file_close(fp);
+ apr_file_rename(tempfile, sessionfile, conn->pool);
+ }
}
static int mod_gridsite_perm_handler(request_rec *r)
p = (char *) apr_table_get(r->subprocess_env, "HTTPS");
if ((p != NULL) && (strcmp(p, "on") == 0)) ishttps = 1;
- /* do we need/have per-connection (SSL) cred variable(s)? */
-
+ /* reload per-connection (SSL) cred variables? */
+
sslconn = (SSLConnRec *) ap_get_module_config(r->connection->conn_config,
&ssl_module);
-
- if ((sslconn != NULL) && (sslconn->ssl != NULL) &&
+ if ((sslconn != NULL) &&
+ (sslconn->ssl != NULL) &&
+ (sslconn->ssl->session != NULL) &&
(r->connection->notes != NULL) &&
- (apr_table_get(r->connection->notes, "GRST_creds_to_conn") == NULL))
+ (apr_table_get(r->connection->notes, "GRST_save_ssl_creds") == NULL))
{
- certstack = SSL_get_peer_cert_chain(sslconn->ssl);
- peercert = SSL_get_peer_certificate(sslconn->ssl);
-
- GRST_creds_to_conn(r->connection, certstack, peercert);
+ if (GRST_load_ssl_creds(sslconn->ssl, r->connection) == GRST_RET_OK)
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "Restored SSL session data from session cache file");
}
proxylevel = ((mod_gridsite_dir_cfg *) cfg)->gsiproxylimit + 1;
if ((gridauthpasscode != NULL) && (gridauthpasscode[0] != '\0'))
{
- cookiefile = apr_psprintf(r->pool, "%s/%s",
+ cookiefile = apr_psprintf(r->pool, "%s/passcode-%s",
ap_server_root_relative(r->pool,
- passcodesdir),
+ sessionsdir),
gridauthpasscode);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
/* Put result of GRSTx509CompactCreds() into connection notes */
if ((certstack =
(STACK_OF(X509) *) X509_STORE_CTX_get_chain(ctx)) != NULL)
- GRST_creds_to_conn(conn, certstack, NULL);
+ GRST_save_ssl_creds(conn, certstack, NULL);
}
}
server_rec *this_server;
apr_proc_t *procnew = NULL;
apr_status_t status;
+ char *path;
const char *userdata_key = "sitecast_init";
apr_pool_userdata_get((void **) &procnew, userdata_key,
"Set mod_ssl verify callbacks to GridSite wrappers");
}
}
-
+
+ /* create sessions directory if necessary */
+
+ path = ap_server_root_relative(pPool, sessionsdir);
+ apr_dir_make_recursive(path, APR_UREAD | APR_UWRITE | APR_UEXECUTE, pPool);
+ chown(path, unixd_config.user_id, unixd_config.group_id);
+
return OK;
}
static void mod_gridsite_child_init(apr_pool_t *pPool, server_rec *pServer)
{
+ apr_time_t cutoff_time;
+ apr_dir_t *dir;
+ char *filename;
+ apr_finfo_t finfo;
+ SSLSrvConfigRec *sc = ap_get_module_config(pServer->module_config,
+ &ssl_module);
GRSTgaclInit();
+
+ /* expire old ssl creds files */
+
+ if (sc != NULL) // && sc->enabled)
+ {
+ cutoff_time = apr_time_now()
+ - apr_time_from_sec(sc->session_cache_timeout);
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, pServer,
+ "Cutoff time for ssl creds cache: %ld",
+ (long) apr_time_sec(cutoff_time));
+
+ if (apr_dir_open(&dir,
+ ap_server_root_relative(pPool, sessionsdir), pPool) == APR_SUCCESS)
+ {
+ while (apr_dir_read(&finfo,
+ APR_FINFO_CTIME | APR_FINFO_NAME, dir) == APR_SUCCESS)
+ {
+ if ((finfo.ctime < cutoff_time) &&
+ (strncmp(finfo.name, "sslcreds-", 9) == 0))
+ {
+ filename = apr_pstrcat(pPool,
+ ap_server_root_relative(pPool, sessionsdir),
+ "/", finfo.name, NULL);
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, pServer,
+ "Remove %s from ssl creds cache", filename);
+
+ apr_file_remove(filename, pPool);
+ }
+ }
+
+ apr_dir_close(dir);
+ }
+ }
}
static int mod_gridsite_handler(request_rec *r)
static void register_hooks(apr_pool_t *p)
{
- /* set up the Soap2cgi input and output filters */
-
- ap_hook_insert_filter(mod_gridsite_soap2cgi_insert, NULL, NULL,
- APR_HOOK_MIDDLE);
-
- ap_register_output_filter(Soap2cgiFilterName, mod_gridsite_soap2cgi_out,
- NULL, AP_FTYPE_RESOURCE);
-
-// ap_register_input_filter(Soap2cgiFilterName, mod_gridsite_soap2cgi_in,
-// NULL, AP_FTYPE_RESOURCE);
-
/* config and handler stuff */
ap_hook_post_config(mod_gridsite_server_post_config, NULL, NULL,
git://scientific.zcu.cz / jra1mw.git / commitdiff