From: Andrew McNab Date: Wed, 12 Oct 2005 12:35:17 +0000 (+0000) Subject: Get up to date X-Git-Tag: gridsite-core_R_1_1_16~1 X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=439c814b91b92b98ae6a86d83fff3d3a8e293807;p=jra1mw.git Get up to date --- diff --git a/org.gridsite.core/CHANGES b/org.gridsite.core/CHANGES index 7aa4a69..aa0ac3a 100644 --- a/org.gridsite.core/CHANGES +++ b/org.gridsite.core/CHANGES @@ -1,3 +1,13 @@ +* Wed Oct 12 2005 Andrew McNab +- Fix for older OpenSSL to grst_x509.c from + Zoltan.Farkas +* Wed Oct 12 2005 Andrew McNab +- ==== GridSite version 1.1.14 ==== +* Tue Oct 11 2005 Andrew McNab +- Modify VOMS AC parsing to handle multiple ACs inside + the same X.509 AC extension. +* Mon Oct 10 2005 Andrew McNab +- ==== GridSite version 1.1.13 ==== * Mon Oct 10 2005 Andrew McNab - Add target_gname patch to gsexec from Gerben Venekamp diff --git a/org.gridsite.core/VERSION b/org.gridsite.core/VERSION index 9429197..ed036b5 100644 --- a/org.gridsite.core/VERSION +++ b/org.gridsite.core/VERSION @@ -1,4 +1,4 @@ MAJOR_VERSION=1 MINOR_VERSION=1.1 -PATCH_VERSION=1.1.12 +PATCH_VERSION=1.1.14 VERSION=$(PATCH_VERSION) diff --git a/org.gridsite.core/project/version.properties b/org.gridsite.core/project/version.properties index 6c6d643..55c7065 100644 --- a/org.gridsite.core/project/version.properties +++ b/org.gridsite.core/project/version.properties @@ -1,2 +1,2 @@ -module.version=1.1.12 +module.version=1.1.14 module.age=1 diff --git a/org.gridsite.core/src/Makefile b/org.gridsite.core/src/Makefile index 05349b2..a465cf4 100644 --- a/org.gridsite.core/src/Makefile +++ b/org.gridsite.core/src/Makefile @@ -193,7 +193,7 @@ showx509exts: showx509exts.c libgridsite.a -o showx509exts showx509exts.c -L. \ -I/usr/kerberos/include \ -lgridsite \ - -lssl -lcrypto + -lssl -lcrypto -lxml2 -lz -lm apidoc: doxygen Doxyfile diff --git a/org.gridsite.core/src/gridsite.spec b/org.gridsite.core/src/gridsite.spec index 4e7dfe7..0819eb0 100644 
--- a/org.gridsite.core/src/gridsite.spec +++ b/org.gridsite.core/src/gridsite.spec @@ -63,7 +63,7 @@ OPENSSL_LIBS=$OPENSSL_LIBS FLAVOR_EXT=$FLAVOR_EXT ln -sf %(echo ${MYPREFIX:-/usr})/share/doc/gridsite-%{version} \ %(echo ${MYPREFIX:-/usr})/share/doc/gridsite -%postun +#%postun rm -f %(echo ${MYPREFIX:-/usr})/share/doc/gridsite %files diff --git a/org.gridsite.core/src/grst_asn1.c b/org.gridsite.core/src/grst_asn1.c index e47c143..bc92a87 100644 --- a/org.gridsite.core/src/grst_asn1.c +++ b/org.gridsite.core/src/grst_asn1.c @@ -469,14 +469,14 @@ int GRSTasn1GetX509Name(char *x509name, int maxlength, char *coords, ASN1_OBJECT *obj = NULL; unsigned char coordstmp[81], *q; const unsigned char *shortname; - + for (i=1; ; ++i) { - sprintf(coordstmp, coords, i, 1); + snprintf(coordstmp, sizeof(coordstmp), coords, i, 1); iobj = GRSTasn1SearchTaglist(taglist, lasttag, coordstmp); if (iobj < 0) break; - sprintf(coordstmp, coords, i, 2); + snprintf(coordstmp, sizeof(coordstmp), coords, i, 2); istr = GRSTasn1SearchTaglist(taglist, lasttag, coordstmp); if (istr < 0) break; @@ -502,5 +502,5 @@ int GRSTasn1GetX509Name(char *x509name, int maxlength, char *coords, x509name[len] = '\0'; - return GRST_RET_OK; + return (x509name[0] != '\0') ? GRST_RET_OK : GRST_RET_FAILED; } diff --git a/org.gridsite.core/src/grst_x509.c b/org.gridsite.core/src/grst_x509.c index 00caa61..4bbdc04 100644 --- a/org.gridsite.core/src/grst_x509.c +++ b/org.gridsite.core/src/grst_x509.c 
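Review bot: Turning the section header into `#%postun` does not disable the scriptlet body: the `rm -f %(echo ${MYPREFIX:-/usr})/share/doc/gridsite` line that follows now belongs to the preceding scriptlet (apparently `%post`, since the `ln -sf` context right above creates that very symlink), so the documentation symlink is deleted immediately after it is created. Either keep `%postun` or drop the `rm -f` line together with its header. Note too that rpm generally expands `%...` macros even on `#` comment lines, so commenting out is not a reliable way to make spec content inert.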
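Review bot: The switch to `snprintf()` bounds the write into `coordstmp`, but the return value is still ignored, so a `coords` pattern that does not fit in 81 bytes produces a silently truncated coordinate string that is then looked up as if it were complete. A truncated lookup most likely fails and ends the loop anyway, but that should be explicit: `if (snprintf(coordstmp, sizeof(coordstmp), coords, i, 1) >= (int) sizeof(coordstmp)) break;` and the same for the second call. `coordstmp` is declared `unsigned char`, so passing it to `snprintf()` draws a pointer-sign warning under `-Wall`; giving it its own `char coordstmp[81];` declaration (leaving `q` as `unsigned char *`) removes that, provided GRSTasn1SearchTaglist accepts a `char *`. GRSTasn1GetX509Name begins before this hunk.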
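Review bot: The return value now carries information (an empty result is reported as `GRST_RET_FAILED`) and GRSTx509ParseVomsExt depends on it to terminate its per-AC loop, yet nothing at the function states that contract. A header comment before the hunk should say, roughly: `/* Returns GRST_RET_OK with a NUL-terminated name in x509name, or GRST_RET_FAILED when no component is found at the given coords; coords is a printf-style pattern that must consume exactly two int arguments (component index, then 1 for the iobj lookup and 2 for the istr lookup). */`. The two callers in showx509exts.c ignore the return value, which is acceptable for a diagnostic tool but should be a deliberate choice rather than an accident of the old always-OK behaviour.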
@@ -374,13 +374,14 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time, unsigned char *asn1string, struct GRSTasn1TagList taglist[], int lasttag, - char *vomsdir) + char *vomsdir, int acnumber) { -#define GRST_ASN1_COORDS_VOMS_DN "-1-1-1-1-3-1-1-1-%d-1-%d" -#define GRST_ASN1_COORDS_VOMS_INFO "-1-1-1-1" -#define GRST_ASN1_COORDS_VOMS_SIG "-1-1-1-3" +#define GRST_ASN1_COORDS_VOMS_DN "-1-1-%d-1-3-1-1-1-%%d-1-%%d" +#define GRST_ASN1_COORDS_VOMS_INFO "-1-1-%d-1" +#define GRST_ASN1_COORDS_VOMS_SIG "-1-1-%d-3" int ret, isig, iinfo; - char *certpath, acvomsdn[200]; + char *certpath, acvomsdn[200], dn_coords[200], + info_coords[200], sig_coords[200]; unsigned char *q; DIR *vomsDIR; struct dirent *vomsdirent; @@ -391,13 +392,20 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time, time_t voms_service_time1, voms_service_time2; if ((vomsdir == NULL) || (vomsdir[0] == '\0')) return GRST_RET_FAILED; + + snprintf(dn_coords, sizeof(dn_coords), + GRST_ASN1_COORDS_VOMS_DN, acnumber); - if (GRSTasn1GetX509Name(acvomsdn, sizeof(acvomsdn), - GRST_ASN1_COORDS_VOMS_DN, + if (GRSTasn1GetX509Name(acvomsdn, sizeof(acvomsdn), dn_coords, asn1string, taglist, lasttag) != GRST_RET_OK) return GRST_RET_FAILED; - iinfo = GRSTasn1SearchTaglist(taglist, lasttag, GRST_ASN1_COORDS_VOMS_INFO); - isig = GRSTasn1SearchTaglist(taglist, lasttag, GRST_ASN1_COORDS_VOMS_SIG); + snprintf(info_coords, sizeof(info_coords), + GRST_ASN1_COORDS_VOMS_INFO, acnumber); + iinfo = GRSTasn1SearchTaglist(taglist, lasttag, info_coords); + + snprintf(sig_coords, sizeof(sig_coords), + GRST_ASN1_COORDS_VOMS_SIG, acnumber); + isig = GRSTasn1SearchTaglist(taglist, lasttag, sig_coords); if ((iinfo < 0) || (isig < 0)) return GRST_RET_FAILED; 
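Review bot: The new `acnumber` parameter changes what the three coordinate macros mean and is documented nowhere; the caller in GRSTx509ParseVomsExt counts from 1, so that should be stated. I would add to the function's header comment (the comment and signature start before this hunk) something like `acnumber is the 1-based index of the AC inside the extension; it fills the first %d of each coordinate pattern, and GRST_ASN1_COORDS_VOMS_DN keeps two %%d placeholders for GRSTasn1GetX509Name to fill afterwards.` The `%d`/`%%d` two-stage formatting is easy to break by editing one macro without the other, so a one-line comment beside the `#define`s saying that `GRST_ASN1_COORDS_VOMS_DN` is a format that yields another format would help the next editor.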
@@ -433,6 +441,8 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time, #if OPENSSL_VERSION_NUMBER >= 0x0090701fL EVP_MD_CTX_init(&ctx); EVP_VerifyInit_ex(&ctx, EVP_md5(), NULL); +#else + EVP_VerifyInit(&ctx, EVP_md5()); #endif EVP_VerifyUpdate(&ctx, @@ -448,7 +458,7 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time, #if OPENSSL_VERSION_NUMBER >= 0x0090701fL EVP_MD_CTX_cleanup(&ctx); -#endif +#endif EVP_PKEY_free(prvkey); if (ret != 1) /* signature doesnt match, look for more */ @@ -479,7 +489,8 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time, /// Get the VOMS attributes in the given extension /* * Puts any VOMS credentials found into the Compact Creds string array - * starting at *creds. Always returns GRST_RET_OK. + * starting at *creds. Always returns GRST_RET_OK - even for invalid + * credentials, which are just ignored. */ int GRSTx509ParseVomsExt(int *lastcred, int maxcreds, size_t credlen, @@ -487,14 +498,16 @@ int GRSTx509ParseVomsExt(int *lastcred, int maxcreds, size_t credlen, X509_EXTENSION *ex, char *ucuserdn, char *vomsdir) { #define MAXTAG 500 -#define GRST_ASN1_COORDS_FQAN "-1-1-1-1-7-1-2-1-2-%d" -#define GRST_ASN1_COORDS_USER_DN "-1-1-1-1-2-1-1-1-1-%d-1-%d" -#define GRST_ASN1_COORDS_TIME1 "-1-1-1-1-6-1" -#define GRST_ASN1_COORDS_TIME2 "-1-1-1-1-6-2" +#define GRST_ASN1_COORDS_FQAN "-1-1-%d-1-7-1-2-1-2-%d" +#define GRST_ASN1_COORDS_USER_DN "-1-1-%d-1-2-1-1-1-1-%%d-1-%%d" +#define GRST_ASN1_COORDS_TIME1 "-1-1-%d-1-6-1" +#define GRST_ASN1_COORDS_TIME2 "-1-1-%d-1-6-2" ASN1_OCTET_STRING *asn1data; - char *asn1string, s[81], acuserdn[200], acvomsdn[200]; + char *asn1string, acuserdn[200], acvomsdn[200], + dn_coords[200], fqan_coords[200], time1_coords[200], + time2_coords[200]; long asn1length; - int lasttag=-1, itag, i; + int lasttag=-1, itag, i, acnumber = 1; struct GRSTasn1TagList taglist[MAXTAG+1]; time_t actime1, actime2, time_now; 
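Review bot: The new `#else` branch hard-codes `EVP_md5()` as the verification digest, mirroring the `EVP_VerifyInit_ex` line above it, so the check ignores the algorithm named in the AC's own signatureAlgorithm field and ties a security decision to MD5 on both OpenSSL paths. If that is deliberate (for instance because the VOMS servers this targets sign with md5WithRSA), a comment such as `/* digest fixed to MD5 rather than read from the AC's signatureAlgorithm */` would stop a reader from taking it for an oversight; otherwise the digest should be chosen from the AC's algorithm OID via `EVP_get_digestbyobj()`. The old-OpenSSL path has no matching `EVP_MD_CTX_cleanup`, which is presumably right for that API version but deserves a comment at the second `#if` block below. GRSTx509VerifyVomsSig starts before this hunk and continues after it.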
@@ -504,52 +517,58 @@ int GRSTx509ParseVomsExt(int *lastcred, int maxcreds, size_t credlen, GRSTasn1ParseDump(NULL, asn1string, asn1length, taglist, MAXTAG, &lasttag); - GRSTasn1GetX509Name(acuserdn, sizeof(acuserdn), GRST_ASN1_COORDS_USER_DN, - asn1string, taglist, lasttag); - if (GRSTx509NameCmp(ucuserdn, acuserdn) != 0) return GRST_RET_FAILED; + for (acnumber = 1; ; ++acnumber) /* go through ACs one by one */ + { + snprintf(dn_coords, sizeof(dn_coords), GRST_ASN1_COORDS_USER_DN, acnumber); + if (GRSTasn1GetX509Name(acuserdn, sizeof(acuserdn), dn_coords, + asn1string, taglist, lasttag) != GRST_RET_OK) break; - if (GRSTx509VerifyVomsSig(&time1_time, &time2_time, - asn1string, taglist, lasttag, vomsdir) - != GRST_RET_OK) return GRST_RET_FAILED; + if (GRSTx509NameCmp(ucuserdn, acuserdn) != 0) continue; - itag = GRSTasn1SearchTaglist(taglist, lasttag, GRST_ASN1_COORDS_TIME1); - actime1 = GRSTasn1TimeToTimeT(&asn1string[taglist[itag].start+ - taglist[itag].headerlength], - taglist[itag].length); - if (actime1 > time1_time) time1_time = actime1; + if (GRSTx509VerifyVomsSig(&time1_time, &time2_time, + asn1string, taglist, lasttag, vomsdir, acnumber) + != GRST_RET_OK) continue; - itag = GRSTasn1SearchTaglist(taglist, lasttag, GRST_ASN1_COORDS_TIME2); - actime2 = GRSTasn1TimeToTimeT(&asn1string[taglist[itag].start+ + snprintf(time1_coords, sizeof(time1_coords), GRST_ASN1_COORDS_TIME1, acnumber); + itag = GRSTasn1SearchTaglist(taglist, lasttag, time1_coords); + actime1 = GRSTasn1TimeToTimeT(&asn1string[taglist[itag].start+ taglist[itag].headerlength], taglist[itag].length); - if (actime2 < time2_time) time2_time = actime2; + if (actime1 > time1_time) time1_time = actime1; - time(&time_now); - if ((time1_time > time_now) || (time2_time < time_now)) - return GRST_RET_OK; /* expiration isnt invalidity ...? 
*/ + snprintf(time2_coords, sizeof(time2_coords), GRST_ASN1_COORDS_TIME2, acnumber); + itag = GRSTasn1SearchTaglist(taglist, lasttag, time2_coords); + actime2 = GRSTasn1TimeToTimeT(&asn1string[taglist[itag].start+ + taglist[itag].headerlength], + taglist[itag].length); + if (actime2 < time2_time) time2_time = actime2; - for (i=1; ; ++i) - { - sprintf(s, GRST_ASN1_COORDS_FQAN, i); - itag = GRSTasn1SearchTaglist(taglist, lasttag, s); + time(&time_now); + if ((time1_time > time_now) || (time2_time < time_now)) + continue; /* expiration isnt invalidity ...? */ - if (itag > -1) - { - if (*lastcred < maxcreds - 1) - { - ++(*lastcred); + for (i=1; ; ++i) + { + snprintf(fqan_coords, sizeof(fqan_coords), GRST_ASN1_COORDS_FQAN, acnumber, i); + itag = GRSTasn1SearchTaglist(taglist, lasttag, fqan_coords); - snprintf(&creds[*lastcred * (credlen + 1)], credlen+1, + if (itag > -1) + { + if (*lastcred < maxcreds - 1) + { + ++(*lastcred); + snprintf(&creds[*lastcred * (credlen + 1)], credlen+1, "VOMS %010lu %010lu 0 %.*s", time1_time, time2_time, taglist[itag].length, &asn1string[taglist[itag].start+ taglist[itag].headerlength]); - } - } - else break; + } + } + else break; + } } - + return GRST_RET_OK; } diff --git a/org.gridsite.core/src/htcp b/org.gridsite.core/src/htcp index 1b8ab8a..a2950e1 100644 Binary files a/org.gridsite.core/src/htcp and b/org.gridsite.core/src/htcp differ diff --git a/org.gridsite.core/src/mod_gridsite.c b/org.gridsite.core/src/mod_gridsite.c index 1d77bc3..2d0a47b 100644 --- a/org.gridsite.core/src/mod_gridsite.c +++ b/org.gridsite.core/src/mod_gridsite.c @@ -2139,7 +2139,7 @@ static int mod_gridsite_perm_handler(request_rec *r) */ { int retcode = DECLINED, i, n, file_is_acl = 0, - destination_is_acl = 0; + destination_is_acl = 0, proxylevel; char *dn, *p, envname[14], *grst_cred_0 = NULL, *dir_path, *remotehost, s[99], *grst_cred_i, *cookies, *file, *gridauthonetime = NULL, *cookiefile, oneline[1025], *key_i, 
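Review bot: The per-AC loop carries the validity window across iterations: `time1_time`/`time2_time` are handed to `GRSTx509VerifyVomsSig()` by pointer (presumably to narrow them by the VOMS server certificate) and then narrowed again by each AC's own times, and they are never reset, so an earlier AC that is expired or otherwise dropped with `continue` after its times were folded in shrinks the window applied to every later AC, and the `VOMS` strings written for later ACs then carry the earlier AC's times. Save the incoming values once before the loop and restore them at the top of each iteration (the two saved `time_t` locals belong in the declaration block before this hunk). The `itag` returned by the two `GRSTasn1SearchTaglist()` calls for TIME1/TIME2 is also used unchecked as `taglist[itag]`, so an AC lacking either time field — this extension comes from a peer-supplied certificate, and a matching user DN does not guarantee a well-formed AC — makes the code read `taglist[-1]`; skipping such an AC with `if (itag < 0) continue;` matches how the FQAN lookup below already treats a negative result.
```c
   window_time1 = time1_time;   /* time_t locals, declared alongside actime1/actime2 */
   window_time2 = time2_time;

   for (acnumber = 1; ; ++acnumber) /* go through ACs one by one */
      {
        time1_time = window_time1;   /* judge each AC on the caller's window, */
        time2_time = window_time2;   /* not one narrowed by an earlier AC     */

        /* … unchanged: user DN lookup/compare, GRSTx509VerifyVomsSig() call … */

        snprintf(time1_coords, sizeof(time1_coords), GRST_ASN1_COORDS_TIME1, acnumber);
        itag = GRSTasn1SearchTaglist(taglist, lasttag, time1_coords);
        if (itag < 0) continue;   /* AC without its first validity time: skip it */
        /* … unchanged: actime1 narrowing … */

        snprintf(time2_coords, sizeof(time2_coords), GRST_ASN1_COORDS_TIME2, acnumber);
        itag = GRSTasn1SearchTaglist(taglist, lasttag, time2_coords);
        if (itag < 0) continue;   /* AC without its second validity time: skip it */
        /* … unchanged: actime2 narrowing, time_now check, FQAN loop … */
      }
```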
@@ -2186,18 +2186,19 @@ static int mod_gridsite_perm_handler(request_rec *r) GRST_creds_to_conn(r->connection, certstack, peercert); } + proxylevel = ((mod_gridsite_dir_cfg *) cfg)->gsiproxylimit + 1; + if ((user == NULL) && (r->connection->notes != NULL) && ((grst_cred_0 = (char *) - apr_table_get(r->connection->notes, "GRST_CRED_0")) != NULL)) + apr_table_get(r->connection->notes, "GRST_CRED_0")) != NULL) && + (sscanf(grst_cred_0, "X509USER %*d %*d %d ", &proxylevel) == 1) && + (proxylevel <= ((mod_gridsite_dir_cfg *) cfg)->gsiproxylimit)) { - if (((mod_gridsite_dir_cfg *) cfg)->envs) - apr_table_setn(env, "GRST_CRED_0", grst_cred_0); + apr_table_setn(env, "GRST_CRED_0", grst_cred_0); cred_0 = GRSTx509CompactToCred(grst_cred_0); - if ((cred_0 != NULL) && - (GRSTgaclCredGetDelegation(cred_0) - <= ((mod_gridsite_dir_cfg *) cfg)->gsiproxylimit)) + if (cred_0 != NULL) { ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "Using identity %s from SSL/TLS", grst_cred_0); diff --git a/org.gridsite.core/src/showx509exts.c b/org.gridsite.core/src/showx509exts.c index d37dff4..86f0290 100644 --- a/org.gridsite.core/src/showx509exts.c +++ b/org.gridsite.core/src/showx509exts.c @@ -53,7 +53,7 @@ main() lasttag=-1; ex = X509_get_ext(cert, i); - + OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(ex), 1); printf("%d OID=%s\n", i, s); @@ -73,8 +73,10 @@ main() ASN1_OBJECT *obj = NULL; const EVP_MD *m; EVP_MD_CTX ctx; + char creds[501][101]; + int lastcred = -1; - itag = GRSTasn1SearchTaglist(taglist, &lasttag, + itag = GRSTasn1SearchTaglist(taglist, lasttag, "-1-1-1-1-2-1-1-1-1-1-1-1"); X509_NAME *xname; 
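Review bot: The `envs` guard is dropped: `if (((mod_gridsite_dir_cfg *) cfg)->envs) apr_table_setn(env, "GRST_CRED_0", grst_cred_0);` becomes an unconditional `apr_table_setn(env, "GRST_CRED_0", grst_cred_0);`, so the client's credential string is now exported into the request environment (and from there, presumably, to CGI/SSI) even where the directory configuration has that switched off. If the export is now meant to be unconditional, a comment should say so; otherwise restore the `->envs` condition. The new `sscanf(grst_cred_0, "X509USER %*d %*d %d ", &proxylevel)` test applies the proxy-depth limit before `GRSTx509CompactToCred()` runs, which is sound, but it re-parses the compact credential format in a second place, so a comment pointing at where that format is defined will keep the two in step. mod_gridsite_perm_handler begins before this hunk and ends after it.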
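Review bot: `char creds[501][101]` is a two-dimensional array, whereas GRSTx509ParseVomsExt indexes its `creds` argument as a flat buffer (`&creds[*lastcred * (credlen + 1)]` in grst_x509.c); the layout only lines up because the row width 101 equals the `credlen + 1` passed in the call further down, and the array has to be passed as, or cast to, `char *`. Declaring it `char creds[501 * 101];` would make that explicit, or failing that a comment such as `/* 501 slots of (credlen+1) bytes, the flat layout GRSTx509ParseVomsExt writes */` beside the declaration. `lastcred` is initialised to -1 here and again immediately before the call, so one of the two is redundant. main() begins before this hunk and continues after it.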
@@ -91,10 +93,24 @@ main() printf("n=%d dn=%s obj2txt=%s\n", n, dn, OBJ_obj2txt(NULL,0,obj,1)); - GRSTasn1GetX509Name(buf, 99, "-1-1-1-1-2-1-1-1-1-%d-1-%d", p1, taglist, &lasttag); + GRSTasn1GetX509Name(buf, 99, "-1-1-1-1-2-1-1-1-1-%d-1-%d", + p1, taglist, lasttag); printf("%s\n", buf); - GRSTasn1GetX509Name(buf, 99, "-1-1-1-1-3-1-1-1-%d-1-%d", p1, taglist, &lasttag); + GRSTasn1GetX509Name(buf, 99, "-1-1-1-1-3-1-1-1-%d-1-%d", + p1, taglist, lasttag); printf("%s\n", buf); + + lastcred = -1; + ret = GRSTx509ParseVomsExt(&lastcred, 500, 100, creds, 0, 2000040861, + ex, + "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab", + "/etc/grid-security/vomsdir"); + + + printf("GRSTx509ParseVomsExt() returns %d, %d\n", ret, lastcred); + + for (j=0; j <= lastcred; ++j) + printf("cred=%d %s\n", j, creds[j]); /* m = EVP_md5();