From: Daniel KouĊ™il Date: Fri, 20 Aug 2004 13:25:33 +0000 (+0000) Subject: Merged patches for GSSAPI support in the communication layer, which remove X-Git-Tag: ext_bones_merge_dest~68 X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=64dbe7537c6f2eae34eb1a11a8ed4ecf7c8801a5;p=jra1mw.git Merged patches for GSSAPI support in the communication layer, which remove dependency on old sslutils library. The patches were created from the exp_lb_gss branch in INFN cvs (files were tagged with `merge_gss2scm_src'). --- diff --git a/org.glite.lb.client-interface/interface/context.h b/org.glite.lb.client-interface/interface/context.h index 634f884..4ac899a 100644 --- a/org.glite.lb.client-interface/interface/context.h +++ b/org.glite.lb.client-interface/interface/context.h @@ -139,7 +139,7 @@ typedef enum _edg_wll_ErrorCode { See errDesc returned by edg_wll_ErrorCode(). */ EDG_WLL_ERROR_URL_FORMAT, /**< Malformed URL */ EDG_WLL_ERROR_MD5_CLASH, /**< MD5 hash same for different strings. Very unlikely :-). */ - EDG_WLL_ERROR_SSL, /**< Generic SSL error. See errDesc returned by edg_wll_Error(). */ + EDG_WLL_ERROR_GSS, /**< Generic GSSAPI error. See errDesc returned by edg_wll_Error(). */ EDG_WLL_ERROR_DNS, /**< DNS resolver error. See errDesc returned by edg_wll_Error(). */ EDG_WLL_ERROR_NOJOBID, /**< Attmepted call requires calling edg_wll_SetLoggingJob() first. */ EDG_WLL_ERROR_NOINDEX, /**< Query does not contain any conidion on indexed attribute. */ diff --git a/org.glite.lb.client/Makefile b/org.glite.lb.client/Makefile index 93a92e5..165b55f 100644 --- a/org.glite.lb.client/Makefile +++ b/org.glite.lb.client/Makefile @@ -24,10 +24,8 @@ AT3=perl -I${top_srcdir}/project ${top_srcdir}/project/at3 SUFFIXES = .T -GLOBUSINC:= -I${globus_prefix}/include/${nothrflavour} \ - -I${globus_prefix}/include/${nothrflavour}/openssl -GLOBUSTHRINC:= -I${globus_prefix}/include/${thrflavour} \ - -I${globus_prefix}/include/${thrflavour}/openssl +GLOBUSINC:= -I${globus_prefix}/include/${nothrflavour} +GLOBUSTHRINC:= -I${globus_prefix}/include/${thrflavour} DEBUG:=-g -O0 CFLAGS:=${DEBUG} \ @@ -43,11 +41,11 @@ HELPERS:=-L${glite_location}/lib -lglite_wmsutils_tls_ssl_helpers GLOBUS_LIBS:=-L${globus_prefix}/lib \ -lglobus_common_${nothrflavour} \ - -lssl_${nothrflavour} + -lglobus_gssapi_gsi_${nothrflavour} \ GLOBUS_THRLIBS:=-L${globus_prefix}/lib \ -lglobus_common_${thrflavour} \ - -lssl_${thrflavour} + -lglobus_gssapi_gsi_${thrflavour} EXPAT_LIBS:=-L${expat_prefix}/lib \ -lexpat @@ -143,7 +141,6 @@ check: stage: compile $(MAKE) install PREFIX=${stagedir} - dist: distsrc distbin distsrc: diff --git a/org.glite.lb.client/src/connection.c b/org.glite.lb.client/src/connection.c index 14939cc..ea7b4b8 100644 --- a/org.glite.lb.client/src/connection.c +++ b/org.glite.lb.client/src/connection.c @@ -9,12 +9,9 @@ #include #include -#include "globus_config.h" -#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h" - #include "glite/lb/consumer.h" #include "glite/lb/context-int.h" -#include "glite/lb/dgssl.h" +#include "glite/lb/lb_gss.h" #include "glite/lb/mini_http.h" @@ -22,10 +19,11 @@ static void CloseConnection(edg_wll_Context ctx, int conn_index) { /* close connection ad free its structures */ - if (ctx->connPool[conn_index].ssl) - edg_wll_ssl_close_timeout(ctx->connPool[conn_index].ssl,&ctx->p_tmp_timeout); + OM_uint32 min_stat; + + edg_wll_gss_close(&ctx->connPool[conn_index].gss, &ctx->p_tmp_timeout); if (ctx->connPool[conn_index].gsiCred) - edg_wll_ssl_free(ctx->connPool[conn_index].gsiCred); + gss_release_cred(&min_stat, &ctx->connPool[conn_index].gsiCred); free(ctx->connPool[conn_index].peerName); free(ctx->connPool[conn_index].buf); @@ -110,6 +108,7 @@ int edg_wll_close(edg_wll_Context ctx) int edg_wll_open(edg_wll_Context ctx) { int index; + edg_wll_GssStatus gss_stat; edg_wll_ResetError(ctx); @@ -126,48 +125,47 @@ int edg_wll_open(edg_wll_Context ctx) ctx->connToUse = index; - if (!ctx->connPool[index].gsiCred) { - if (!(ctx->connPool[index].gsiCred = edg_wll_ssl_init(SSL_VERIFY_PEER,0, - ctx->p_proxy_filename ? ctx->p_proxy_filename : ctx->p_cert_filename, - ctx->p_proxy_filename ? ctx->p_proxy_filename : ctx->p_key_filename, - 0, 0))) - { - edg_wll_SetError(ctx,EDG_WLL_ERROR_SSL, - ERR_error_string(ERR_get_error(), NULL)); - goto err; - } - + /* XXX support anonymous connections, perhaps add a flag to the connPool + * struct specifying whether or not this connection shall be authenticated + * to prevent from repeated calls to edg_wll_gss_acquire_cred_gsi() */ + if (!ctx->connPool[index].gsiCred && + edg_wll_gss_acquire_cred_gsi(ctx->p_proxy_filename, + &ctx->connPool[index].gsiCred, + NULL, + &gss_stat)) { + edg_wll_SetErrorGss(ctx, "failed to load GSI credentials", &gss_stat); + goto err; } - if (!ctx->connPool[index].ssl) { - switch (edg_wll_ssl_connect(ctx->connPool[index].gsiCred, + if (ctx->connPool[index].gss.context == GSS_C_NO_CONTEXT) { + switch (edg_wll_gss_connect(ctx->connPool[index].gsiCred, ctx->connPool[index].peerName, ctx->connPool[index].peerPort, - &ctx->p_tmp_timeout,&ctx->connPool[index].ssl)) { + &ctx->p_tmp_timeout,&ctx->connPool[index].gss, + &gss_stat)) { - case EDG_WLL_SSL_OK: + case EDG_WLL_GSS_OK: goto ok; - case EDG_WLL_SSL_ERROR_ERRNO: - edg_wll_SetError(ctx,errno,"edg_wll_ssl_connect()"); + case EDG_WLL_GSS_ERROR_ERRNO: + edg_wll_SetError(ctx,errno,"edg_wll_gss_connect()"); break; - case EDG_WLL_SSL_ERROR_SSL: - edg_wll_SetError(ctx,EDG_WLL_ERROR_SSL, - ERR_error_string(ERR_get_error(), NULL)); + case EDG_WLL_GSS_ERROR_GSS: + edg_wll_SetErrorGss(ctx, "failed to authenticate to server", &gss_stat); break; - case EDG_WLL_SSL_ERROR_HERRNO: + case EDG_WLL_GSS_ERROR_HERRNO: { const char *msg1; char *msg2; msg1 = hstrerror(errno); - asprintf(&msg2, "edg_wll_ssl_connect(): %s", msg1); + asprintf(&msg2, "edg_wll_gss_connect(): %s", msg1); edg_wll_SetError(ctx,EDG_WLL_ERROR_DNS, msg2); free(msg2); } break; - case EDG_WLL_SSL_ERROR_EOF: - edg_wll_SetError(ctx,ECONNREFUSED,"edg_wll_ssl_connect():" + case EDG_WLL_GSS_ERROR_EOF: + edg_wll_SetError(ctx,ECONNREFUSED,"edg_wll_gss_connect():" " server closed the connection, probably due to overload"); break; - case EDG_WLL_SSL_ERROR_TIMEOUT: - edg_wll_SetError(ctx,ETIMEDOUT,"edg_wll_ssl_connect()"); + case EDG_WLL_GSS_ERROR_TIMEOUT: + edg_wll_SetError(ctx,ETIMEDOUT,"edg_wll_gss_connect()"); break; } } @@ -203,11 +201,11 @@ int http_check_status( case HTTP_UNAVAIL: /* EAGAIN */ case HTTP_INVALID: /* EINVAL */ break; - case EDG_WLL_SSL_ERROR_HERRNO: + case EDG_WLL_GSS_ERROR_HERRNO: { const char *msg1; char *msg2; msg1 = hstrerror(errno); - asprintf(&msg2, "edg_wll_ssl_connect(): %s", msg1); + asprintf(&msg2, "edg_wll_gss_connect(): %s", msg1); edg_wll_SetError(ctx,EDG_WLL_ERROR_DNS, msg2); free(msg2); } diff --git a/org.glite.lb.client/src/consumer.c b/org.glite.lb.client/src/consumer.c index d3313a1..054d9fe 100644 --- a/org.glite.lb.client/src/consumer.c +++ b/org.glite.lb.client/src/consumer.c @@ -10,7 +10,6 @@ #include #include "globus_config.h" -#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h" #include "glite/lb/consumer.h" #include "glite/lb/context-int.h" diff --git a/org.glite.lb.client/src/notification.c b/org.glite.lb.client/src/notification.c index 6eb186a..4fd57cb 100644 --- a/org.glite.lb.client/src/notification.c +++ b/org.glite.lb.client/src/notification.c @@ -18,6 +18,7 @@ #include "glite/lb/events_parse.h" #include "glite/lb/il_string.h" #include "glite/lb/escape.h" +#include "glite/lb/lb_gss.h" #include "connection.h" @@ -451,6 +452,7 @@ static int recv_notif(edg_wll_Context ctx) int ret, len; char fbuf[17]; size_t total; + edg_wll_GssStatus gss_code; if (ctx->connPool[ctx->connToUse].buf) { @@ -460,16 +462,18 @@ static int recv_notif(edg_wll_Context ctx) ctx->connPool[ctx->connToUse].bufUse = 0; ctx->connPool[ctx->connToUse].bufSize = 0; - - if ((ret=edg_wll_ssl_read_full(ctx->connPool[ctx->connToUse].ssl, - fbuf,17,&ctx->p_tmp_timeout,&total)) < 0) + ret = edg_wll_gss_read_full(&ctx->connPool[ctx->connToUse].gss, + fbuf,17, &ctx->p_tmp_timeout,&total, &gss_code); + if (ret < 0) switch (ret) { - case EDG_WLL_SSL_ERROR_TIMEOUT: + case EDG_WLL_GSS_ERROR_TIMEOUT: return edg_wll_SetError(ctx,ETIMEDOUT,"read message header"); - case EDG_WLL_SSL_ERROR_EOF: + case EDG_WLL_GSS_ERROR_EOF: return edg_wll_SetError(ctx,ENOTCONN,NULL); + case EDG_WLL_GSS_ERROR_GSS: + return edg_wll_SetErrorGss(ctx, "read message header", &gss_code); default: - return edg_wll_SetError(ctx,EDG_WLL_ERROR_SSL,"read message header"); + return edg_wll_SetError(ctx,EDG_WLL_ERROR_GSS,"read message header"); /* XXX */ } if ((len = atoi(fbuf)) <= 0) { @@ -486,16 +490,16 @@ static int recv_notif(edg_wll_Context ctx) } - if ((ret=edg_wll_ssl_read_full(ctx->connPool[ctx->connToUse].ssl, - ctx->connPool[ctx->connToUse].buf, - len, - &ctx->p_tmp_timeout,&total)) < 0) { + ret = edg_wll_gss_read_full(&ctx->connPool[ctx->connToUse].gss, + ctx->connPool[ctx->connToUse].buf, len, + &ctx->p_tmp_timeout,&total, &gss_code); + if (ret < 0) { free(ctx->connPool[ctx->connToUse].buf); ctx->connPool[ctx->connToUse].bufUse = 0; ctx->connPool[ctx->connToUse].bufSize = 0; return edg_wll_SetError(ctx, - ret == EDG_WLL_SSL_ERROR_TIMEOUT ? - ETIMEDOUT : EDG_WLL_ERROR_SSL, + ret == EDG_WLL_GSS_ERROR_TIMEOUT ? + ETIMEDOUT : EDG_WLL_ERROR_GSS, "read message"); } @@ -514,6 +518,7 @@ static int send_reply(const edg_wll_Context ctx) int ret, len, err_code, err_code_min = 0, max_len = 256; char *p, *err_msg = NULL, buf[max_len]; size_t total; + edg_wll_GssStatus gss_code; err_code = edg_wll_Error(ctx,NULL,&err_msg); @@ -532,12 +537,12 @@ static int send_reply(const edg_wll_Context ctx) p = put_int(p, err_code_min); p = put_string(p, err_msg); - - if ((ret = edg_wll_ssl_write_full(ctx->connPool[ctx->connToUse].ssl, - buf,len,&ctx->p_tmp_timeout,&total)) < 0) { + ret = edg_wll_gss_write_full(&ctx->connPool[ctx->connToUse].gss, + buf,len,&ctx->p_tmp_timeout,&total, &gss_code); + if (ret < 0) { edg_wll_SetError(ctx, - ret == EDG_WLL_SSL_ERROR_TIMEOUT ? - ETIMEDOUT : EDG_WLL_ERROR_SSL, + ret == EDG_WLL_GSS_ERROR_TIMEOUT ? + ETIMEDOUT : EDG_WLL_ERROR_GSS, "write reply"); goto err; } @@ -563,6 +568,8 @@ int edg_wll_NotifReceive( struct timeval start_time,check_time,tv; char *p = NULL, *ucs = NULL, *event_char = NULL, *jobstat_char = NULL; + int ret; + edg_wll_GssStatus gss_code; @@ -612,12 +619,11 @@ int edg_wll_NotifReceive( goto err; } + ret = edg_wll_gss_accept(ctx->connPool[ctx->connToUse].gsiCred, recv_sock, + &tv, &ctx->connPool[ctx->connToUse].gss, &gss_code); - ctx->connPool[ctx->connToUse].ssl = - edg_wll_ssl_accept(ctx->connPool[ctx->connToUse].gsiCred,recv_sock,&tv); - - if (ctx->connPool[ctx->connToUse].ssl == NULL) { - edg_wll_SetError(ctx, errno, "SSL hanshake failed."); + if (ret) { + edg_wll_SetError(ctx, errno, "GSS authentication failed."); goto err; } @@ -703,8 +709,8 @@ err: // XXX // konzultovat s Danem - edg_wll_ssl_close(ctx->connPool[ctx->connToUse].ssl); - ctx->connPool[ctx->connToUse].ssl = NULL; + /* Dan: ??? */ + edg_wll_gss_close(&ctx->connPool[ctx->connToUse].gss, NULL); return edg_wll_Error(ctx,NULL,NULL); } @@ -728,9 +734,8 @@ int edg_wll_NotifCloseFd( int err; if (ctx->notifSock >= 0) { - if (ctx->connPool[ctx->connToUse].ssl) { - edg_wll_ssl_close(ctx->connPool[ctx->connToUse].ssl); - ctx->connPool[ctx->connToUse].ssl = NULL; + if (ctx->connPool[ctx->connToUse].gss.context != GSS_C_NO_CONTEXT) { + edg_wll_gss_close(&ctx->connPool[ctx->connToUse].gss, NULL); } err = close(ctx->notifSock); ctx->notifSock = -1; diff --git a/org.glite.lb.client/src/prod_proto.c b/org.glite.lb.client/src/prod_proto.c index 696d58d..5ed120d 100644 --- a/org.glite.lb.client/src/prod_proto.c +++ b/org.glite.lb.client/src/prod_proto.c @@ -3,6 +3,7 @@ #include "prod_proto.h" #include "glite/lb/producer.h" #include "glite/lb/escape.h" +#include "glite/lb/lb_gss.h" #include #include @@ -21,7 +22,7 @@ * *---------------------------------------------------------------------- */ -int edg_wll_log_proto_client(edg_wll_Context context, SSL *ssl, edg_wll_LogLine logline/*, int priority,*/) +int edg_wll_log_proto_client(edg_wll_Context context, edg_wll_GssConnection *con, edg_wll_LogLine logline/*, int priority,*/) { char header[EDG_WLL_LOG_SOCKET_HEADER_LENGTH+1]; int err; @@ -30,6 +31,7 @@ int edg_wll_log_proto_client(edg_wll_Context context, SSL *ssl, edg_wll_LogLine int count; int size; u_int8_t size_end[4]; + edg_wll_GssStatus gss_code; errno = err = answer = count = 0; size = strlen(logline)+1; @@ -46,8 +48,8 @@ int edg_wll_log_proto_client(edg_wll_Context context, SSL *ssl, edg_wll_LogLine #endif sprintf(header,"%s",EDG_WLL_LOG_SOCKET_HEADER); header[EDG_WLL_LOG_SOCKET_HEADER_LENGTH]='\0'; - if ((err = edg_wll_ssl_write_full(ssl, header, EDG_WLL_LOG_SOCKET_HEADER_LENGTH, &context->p_tmp_timeout, &count)) < 0) { - answer = edg_wll_log_proto_client_failure(context,err,"send header"); + if ((err = edg_wll_gss_write_full(con, header, EDG_WLL_LOG_SOCKET_HEADER_LENGTH, &context->p_tmp_timeout, &count, &gss_code)) < 0) { + answer = edg_wll_log_proto_client_failure(context,err,&gss_code,"send header"); goto edg_wll_log_proto_client_end; } @@ -56,8 +58,8 @@ int edg_wll_log_proto_client(edg_wll_Context context, SSL *ssl, edg_wll_LogLine fprintf(stderr,"Sending message priority...\n"); #endif count = 0; - if ((err = edg_wll_ssl_write_full(ssl, &priority, sizeof(priority), &context->p_tmp_timeout, &count)) < 0) { - answer = edg_wll_log_proto_client_failure(context,err,"send message priority"); + if ((err = edg_wll_gss_write_full(con, &priority, sizeof(priority), &context->p_tmp_timeout, &count, &gss_code)) < 0) { + answer = edg_wll_log_proto_client_failure(context,err,&gss_code,"send message priority"); goto edg_wll_log_proto_client_end; } */ @@ -66,8 +68,8 @@ int edg_wll_log_proto_client(edg_wll_Context context, SSL *ssl, edg_wll_LogLine fprintf(stderr,"Sending message size...\n"); #endif count = 0; - if ((err = edg_wll_ssl_write_full(ssl, size_end, 4, &context->p_tmp_timeout, &count)) < 0) { - answer = edg_wll_log_proto_client_failure(context,err,"send message size"); + if ((err = edg_wll_gss_write_full(con, size_end, 4, &context->p_tmp_timeout, &count, &gss_code)) < 0) { + answer = edg_wll_log_proto_client_failure(context,err,&gss_code,"send message size"); goto edg_wll_log_proto_client_end; } @@ -76,8 +78,8 @@ int edg_wll_log_proto_client(edg_wll_Context context, SSL *ssl, edg_wll_LogLine fprintf(stderr,"Sending message to socket...\n"); #endif count = 0; - if (( err = edg_wll_ssl_write_full(ssl, logline, size, &context->p_tmp_timeout, &count)) < 0) { - answer = edg_wll_log_proto_client_failure(context,err,"send message"); + if (( err = edg_wll_gss_write_full(con, logline, size, &context->p_tmp_timeout, &count, &gss_code)) < 0) { + answer = edg_wll_log_proto_client_failure(context,err,&gss_code,"send message"); goto edg_wll_log_proto_client_end; } @@ -86,8 +88,8 @@ int edg_wll_log_proto_client(edg_wll_Context context, SSL *ssl, edg_wll_LogLine fprintf(stderr,"Reading answer from server...\n"); #endif count = 0; - if ((err = edg_wll_ssl_read_full(ssl, answer_end, 4, &context->p_tmp_timeout, &count)) < 0 ) { - answer = edg_wll_log_proto_client_failure(context,err,"get answer"); + if ((err = edg_wll_gss_read_full(con, answer_end, 4, &context->p_tmp_timeout, &count, &gss_code)) < 0 ) { + answer = edg_wll_log_proto_client_failure(context,err,&gss_code,"get answer"); /* FIXME: update the answer (in context?) to EAGAIN or not? answer = EAGAIN; */ @@ -116,11 +118,12 @@ edg_wll_log_proto_client_end: * *---------------------------------------------------------------------- */ -int edg_wll_log_proto_client_failure(edg_wll_Context context, int code, const char *text) +int edg_wll_log_proto_client_failure(edg_wll_Context context, int code, edg_wll_GssStatus *gss_code, const char *text) { const char *func="edg_wll_log_proto_client()"; static char err[256]; int ret = 0; + char *gss_err; edg_wll_ResetError(context); @@ -128,22 +131,23 @@ int edg_wll_log_proto_client_failure(edg_wll_Context context, int code, const ch return(0); switch(code) { - case EDG_WLL_SSL_ERROR_EOF: + case EDG_WLL_GSS_ERROR_EOF: snprintf(err, sizeof(err), "%s: Error %s, EOF occured;", func, text); ret = edg_wll_SetError(context,ENOTCONN,err); break; - case EDG_WLL_SSL_ERROR_TIMEOUT: + case EDG_WLL_GSS_ERROR_TIMEOUT: snprintf(err, sizeof(err), "%s: Error %s, timeout expired;", func, text); ret = edg_wll_SetError(context,ENOTCONN,err); break; - case EDG_WLL_SSL_ERROR_ERRNO: // XXX: perror("edg_wll_ssl_read()"); break; + case EDG_WLL_GSS_ERROR_ERRNO: // XXX: perror("edg_wll_ssl_read()"); break; snprintf(err, sizeof(err), "%s: Error %s, system error occured;", func, text); ret = edg_wll_SetError(context,ENOTCONN,err); break; - case EDG_WLL_SSL_ERROR_SSL: - snprintf(err, sizeof(err), "%s: Error %s, SSL error occured; %s;", func, text, - ERR_reason_error_string(ERR_get_error())); - ret = edg_wll_SetError(context,ENOTCONN,err); + case EDG_WLL_GSS_ERROR_GSS: + snprintf(err, sizeof(err), "%s: Error %s, GSS error occured", func, text); + edg_wll_gss_get_error(gss_code, err, &gss_err); + ret = edg_wll_SetError(context,ENOTCONN,gss_err); + free(gss_err); break; default: break; diff --git a/org.glite.lb.client/src/prod_proto.h b/org.glite.lb.client/src/prod_proto.h index 8b22258..ef90710 100644 --- a/org.glite.lb.client/src/prod_proto.h +++ b/org.glite.lb.client/src/prod_proto.h @@ -16,10 +16,10 @@ extern "C" { #include "glite/lb/log_proto.h" #include "glite/lb/context-int.h" -#include "glite/lb/dgssl.h" +#include "glite/lb/lb_gss.h" -int edg_wll_log_proto_client(edg_wll_Context context, SSL *ssl, edg_wll_LogLine logline/*, int priority,*/); -int edg_wll_log_proto_client_failure(edg_wll_Context context, int code, const char *text); +int edg_wll_log_proto_client(edg_wll_Context context, edg_wll_GssConnection *con, edg_wll_LogLine logline/*, int priority,*/); +int edg_wll_log_proto_client_failure(edg_wll_Context context, int code, edg_wll_GssStatus *gss_code, const char *text); #ifdef __cplusplus } diff --git a/org.glite.lb.client/src/producer.c b/org.glite.lb.client/src/producer.c index 44fb814..aa15106 100644 --- a/org.glite.lb.client/src/producer.c +++ b/org.glite.lb.client/src/producer.c @@ -5,21 +5,18 @@ #ident "$Header$" -#include -#include - #include #include #include #include -#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h" #include "glite/wmsutils/jobid/strmd5.h" #include "glite/lb/consumer.h" #include "glite/lb/producer.h" #include "glite/lb/context-int.h" #include "glite/lb/ulm_parse.h" #include "glite/lb/trio.h" +#include "glite/lb/lb_gss.h" #include "prod_proto.h" @@ -38,74 +35,64 @@ static int edg_wll_DoLogEvent( edg_wll_LogLine logline) { int ret,answer; - void *cred_handle = NULL; - SSL *ssl = NULL; -#ifdef EDG_WLL_LOG_STUB char *my_subject_name = NULL; -#endif + edg_wll_GssStatus gss_stat; + edg_wll_GssConnection con; + gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; + OM_uint32 min_stat; edg_wll_ResetError(context); ret = answer = 0; + memset(&con, 0, sizeof(con)); - /* open a SSL connection to the local-logger: */ + /* open an authenticated connection to the local-logger: */ #ifdef EDG_WLL_LOG_STUB fprintf(stderr,"Logging to host %s, port %d\n", context->p_destination, context->p_dest_port); #endif - - if ((cred_handle=edg_wll_ssl_init(SSL_VERIFY_PEER, 0, - context->p_proxy_filename ? context->p_proxy_filename : context->p_cert_filename, - context->p_proxy_filename ? context->p_proxy_filename : context->p_key_filename, - 0, 0)) == NULL) { - edg_wll_SetError(context,EDG_WLL_ERROR_SSL,"edg_wll_ssl_init()"); - goto edg_wll_DoLogEvent_end; + ret = edg_wll_gss_acquire_cred_gsi(context->p_proxy_filename, &cred, + &my_subject_name, &gss_stat); + /* Give up if unable to prescribed credentials, otherwise go on anonymously */ + if (ret && context->p_proxy_filename) { + edg_wll_SetErrorGss(context, "failed to load GSI credentials", &gss_stat); + goto edg_wll_DoLogEvent_end; } -#ifdef EDG_WLL_LOG_STUB - edg_wll_ssl_get_my_subject(cred_handle,&my_subject_name); + if (my_subject_name != NULL) { +#ifdef EDG_WLL_LOG_STUB fprintf(stderr,"Using certificate: %s\n",my_subject_name); +#endif free(my_subject_name); - } else { - edg_wll_SetError(context,ECONNREFUSERD,"edg_wll_ssl_get_my_subject()"); - goto edg_wll_DoLogEvent_end; } -#endif - if ((answer = edg_wll_ssl_connect(cred_handle, + if ((answer = edg_wll_gss_connect(cred, context->p_destination, context->p_dest_port, - &context->p_tmp_timeout, &ssl)) < 0) { + &context->p_tmp_timeout, &con, &gss_stat)) < 0) { switch(answer) { - case EDG_WLL_SSL_ERROR_EOF: - edg_wll_SetError(context,ENOTCONN,"edg_wll_ssl_connect()"); + case EDG_WLL_GSS_ERROR_EOF: + edg_wll_SetError(context,ENOTCONN,"edg_wll_gss_connect()"); break; - case EDG_WLL_SSL_ERROR_TIMEOUT: - edg_wll_SetError(context,ETIMEDOUT,"edg_wll_ssl_connect()"); + case EDG_WLL_GSS_ERROR_TIMEOUT: + edg_wll_SetError(context,ETIMEDOUT,"edg_wll_gss_connect()"); break; - case EDG_WLL_SSL_ERROR_ERRNO: - edg_wll_SetError(context,errno,"edg_wll_ssl_connect()"); + case EDG_WLL_GSS_ERROR_ERRNO: + edg_wll_SetError(context,errno,"edg_wll_gss_connect()"); break; - case EDG_WLL_SSL_ERROR_SSL: - { - const char *msg1; - char *msg2; - msg1 = ERR_reason_error_string(ERR_get_error()); - asprintf(&msg2, "edg_wll_ssl_connect(): %s", msg1); - edg_wll_SetError(context,EDG_WLL_ERROR_SSL,msg2); - free(msg2); - } + case EDG_WLL_GSS_ERROR_GSS: + edg_wll_SetErrorGss(context, "failed to authenticate to server",&gss_stat); break; - case EDG_WLL_SSL_ERROR_HERRNO: + case EDG_WLL_GSS_ERROR_HERRNO: { const char *msg1; char *msg2; msg1 = hstrerror(errno); - asprintf(&msg2, "edg_wll_ssl_connect(): %s", msg1); + asprintf(&msg2, "edg_wll_gss_connect(): %s", msg1); edg_wll_SetError(context,EDG_WLL_ERROR_DNS, msg2); free(msg2); } break; default: - edg_wll_SetError(context,ECONNREFUSED,"edg_wll_ssl_connect(): unknown"); + edg_wll_SetError(context,ECONNREFUSED,"edg_wll_gss_connect(): unknown"); break; } goto edg_wll_DoLogEvent_end; @@ -113,14 +100,14 @@ static int edg_wll_DoLogEvent( /* and send the message to the local-logger: */ - answer = edg_wll_log_proto_client(context,ssl,logline/*,priority*/); + answer = edg_wll_log_proto_client(context,&con,logline/*,priority*/); switch(answer) { case 0: case EINVAL: case ENOSPC: case ENOMEM: - case EDG_WLL_ERROR_SSL: + case EDG_WLL_ERROR_GSS: case EDG_WLL_ERROR_DNS: case ENOTCONN: case ECONNREFUSED: @@ -146,8 +133,10 @@ static int edg_wll_DoLogEvent( } edg_wll_DoLogEvent_end: - if (ssl) edg_wll_ssl_close_timeout(ssl,&context->p_tmp_timeout); - if (cred_handle) edg_wll_ssl_free(cred_handle); + if (con.context != GSS_C_NO_CONTEXT) + edg_wll_gss_close(&con,&context->p_tmp_timeout); + if (cred != GSS_C_NO_CREDENTIAL) + gss_release_cred(&min_stat, &cred); return edg_wll_Error(context, NULL, NULL); } diff --git a/org.glite.lb.common/Makefile b/org.glite.lb.common/Makefile index 41810d8..b08a231 100644 --- a/org.glite.lb.common/Makefile +++ b/org.glite.lb.common/Makefile @@ -25,10 +25,8 @@ AT3=perl -I${top_srcdir}/project ${top_srcdir}/project/at3 SUFFIXES = .T DEBUG:=-g -O0 -Wall -GLOBUSINC:= -I${globus_prefix}/include/${nothrflavour} \ - -I${globus_prefix}/include/${nothrflavour}/openssl -GLOBUSTHRINC:= -I${globus_prefix}/include/${thrflavour} \ - -I${globus_prefix}/include/${thrflavour}/openssl +GLOBUSINC:= -I${globus_prefix}/include/${nothrflavour} +GLOBUSTHRINC:= -I${globus_prefix}/include/${thrflavour} CFLAGS:=${DEBUG} -I${top_srcdir}/src -I${top_srcdir}/interface \ -I${stagedir}/include \ @@ -51,7 +49,7 @@ COMPILE:=libtool --mode=compile ${CC} ${CFLAGS} LINK:=libtool --mode=link ${CC} -rpath ${stagedir}/lib ${LDFLAGS} INSTALL:=libtool --mode=install install -OBJS:=dgssl.o escape.o events.o mini_http.o query_rec.o status.o \ +OBJS:=lb_gss.o escape.o events.o mini_http.o query_rec.o status.o \ xml_conversions.o xml_parse.o ulm_parse.o param.o \ events_parse.o il_string.o il_int.o notifid.o \ il_log.o il_msg.o context.o trio.o strio.o @@ -60,7 +58,7 @@ LOBJS:=${OBJS:.o=.lo} THROBJS:=${OBJS:.o=.thr.o} THRLOBJS:=${OBJS:.o=.thr.lo} -HDRS:=context-int.h dgssl.h mini_http.h authz.h xml_parse.h \ +HDRS:=context-int.h lb_gss.h mini_http.h authz.h xml_parse.h \ xml_conversions.h log_proto.h events_parse.h il_string.h escape.h \ ulm_parse.h trio.h @@ -83,12 +81,12 @@ ${THRSTATICLIB}: ${THROBJS} ${LTLIB}: ${OBJS} ${LINK} -o $@ ${LOBJS} \ - -lglobus_ssl_utils -lglite_wmsutils_cjobid \ + -lglite_wmsutils_cjobid \ -lm ${THRLTLIB}: ${THROBJS} ${LINK} -o $@ ${THRLOBJS} \ - -lglobus_ssl_utils -lglite_wmsutils_cjobid \ + -lglite_wmsutils_cjobid \ -lm stage: compile diff --git a/org.glite.lb.common/interface/context-int.h b/org.glite.lb.common/interface/context-int.h index 55d4a61..4fb9381 100644 --- a/org.glite.lb.common/interface/context-int.h +++ b/org.glite.lb.common/interface/context-int.h @@ -4,7 +4,7 @@ #ident "$Header$" #include "glite/lb/consumer.h" -#include "dgssl.h" +#include "lb_gss.h" #include "authz.h" #ifdef __cplusplus @@ -24,8 +24,8 @@ typedef struct _edg_wll_ConnPool { unsigned int peerPort; /* http(s) stream */ - void *gsiCred; - SSL *ssl; + gss_cred_id_t gsiCred; + edg_wll_GssConnection gss; char *buf; int bufUse,bufSize; @@ -127,6 +127,12 @@ extern int edg_wll_SetError( const char * /* error description */ ); +extern int edg_wll_SetErrorGss( + edg_wll_Context, + const char *, + edg_wll_GssStatus * +); + /** update errDesc and errCode */ extern int edg_wll_UpdateError( edg_wll_Context, /* context */ diff --git a/org.glite.lb.common/interface/dgssl.h b/org.glite.lb.common/interface/dgssl.h deleted file mode 100644 index dcb8036..0000000 --- a/org.glite.lb.common/interface/dgssl.h +++ /dev/null @@ -1,204 +0,0 @@ -#ifndef __EDG_WORKLOAD_LOGGING_COMMON_DGSSL_H__ -#define __EDG_WORKLOAD_LOGGING_COMMON_DGSSL_H__ -/** - * \file Client/dgssl.h - * \brief Auxiliary SSL functions for L&B - */ - -#ident "$Header$" - -/* openssl headers */ -#include -#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h" - -#include -#include -#include -#include -#include -#include -#if SSLEAY_VERSION_NUMBER >= 0x0090581fL -#include -#endif - -/** - * Initialize SSL and GSI contexts and set SSL parameters for authentication. - * \param verify IN: specifies SSL authentication mode to be used for peer - * verification. (SSL_VERIFY_NONE, SSL_VERIFY_PEER, - * SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_VERIFY_CLIENT_ONCE) -- see also ssl.h - * \param callback IN: if nonzero the standard GSI authentication callback will - * be called on each certificate in a chain in order to verify the chain - * consists only of valid GSI proxy certs. If the parametr is zero only the - * default SSL callback will be used. - * \param p_cert_file IN: file containg the caller's cert. - * \param p_key_file IN: file containg the caller's key. If at least one of - * these parameters is NULL, the default proxy is examined and used (if - * exists), otherwise the default long-term credential will be used. \param - * ask_passwd IN: if nonzero, the standard SSL prompt is used whenever an - * encrypted keyfile is encountered. If the paramater zero, no password will be - * prompted for even if the key is encrypted. - * \param no_auth IN: if nonzero, only context necessary for authentication of - * the peer will be set. No caller's credential is read. - * \retval pointer to an opaque structure containg the initialized context, if - * any error occurs, the context will contain only those basic parameters - * necessary for authentication of the peer - */ -proxy_cred_desc *edg_wll_ssl_init(int verify, int callback, char *p_cert_file,char *p_key_file, - int ask_passwd, int noauth); - -/** - * frees cred_handle returned by edg_wll_ssl_init() - * \param cred_handle IN: pointer returned by edg_wll_ssl_init() - */ -int edg_wll_ssl_free(proxy_cred_desc *cred_handle); - -/** - * Establish SSL context with server. - * Called by the clients when they tryies to do SSL handshake with the server. - * This includes authentication of the server and optionaly the client, and - * establishing SSL security parameters. - * - * \param cred_handle IN: pointer returned by edg_wll_ssl_init() - * \param hostname IN: hostname to connect to - * \param port IN: port to connect to - * \param timeout INOUT: if NULL, blocking SSL I/O is done, otherwise the - * I/O and SSL handshake will take at most the specified time. Remaining - * time is returned. - * \param sslp OUT: on success, returned pointer to SSL connection - * \return one of EDG_WLL_SSL_* - */ -int edg_wll_ssl_connect(proxy_cred_desc *cred_handle,char const *hostname,int port, - struct timeval *timeout,SSL **sslp); - -/** - * Establish SSL context with client. - * Called by the server when trying to do a SSL handshake with the client. A - * network connection must be established before calling this function. Use - * timeout set in context. - * \param ctx IN: used to obtain timeout - * \param cred_handle IN: pointer returned by edg_wll_ssl_init() - * \param sock IN: specification of the network connection - * \retval pointer to SSL connection on success - * \retval NULL on error - */ -SSL *edg_wll_ssl_accept(proxy_cred_desc *cred_handle,int sock, struct timeval *timeout); - -/** - * Try to send SSL close alert on socket (reject the client in orderly way). - * \param cred_handle IN: pointer returned by edg_wll_ssl_init(), to get SSL_CTX - * \param sock IN: specification of the network connection - */ - -void edg_wll_ssl_reject(proxy_cred_desc *cred_handle,int sock); - -/** - * Close SSL connection, possibly saving open sessions, and destroy the SSL object. - * Called by anyone who wishes to close the connection. - * \param ssl IN: object identifying the SSL connection - * \param timeout INOUT: max time allowed for operation, remaining time - * on return - * \retval one of EDG_WLL_SSL_* - */ -int edg_wll_ssl_close_timeout(SSL *ssl, struct timeval *timeout); - -/** - * Close SSL connection, call edg_wll_ssl_close_timeout() with hard-wired - * timeout 120 secs. - * \param ssl IN: object identifying the SSL connection - * \retval one of EDG_WLL_SSL_* - */ -int edg_wll_ssl_close(SSL *ssl); - -/** - * Return subject name of the caller as specified in the context. - * \param cred_handle IN: pointer returned by edg_wll_ssl_init() - * \param my_subject_name OUT: contains the subject name. The caller must free - * this variable when no needed. - */ -void edg_wll_ssl_get_my_subject(proxy_cred_desc *cred_handle, char **my_subject_name); -void edg_wll_ssl_get_my_subject_base(proxy_cred_desc *cred_handle, char **my_subject_name); - -/** no SSL errors */ -#define EDG_WLL_SSL_OK 0 -/** SSL specific error. Call ERR_* functions for details. */ -#define EDG_WLL_SSL_ERROR_SSL -1 -/** Timeout */ -#define EDG_WLL_SSL_ERROR_TIMEOUT -2 -/** EOF occured */ -#define EDG_WLL_SSL_ERROR_EOF -3 -/** System error. See errno. */ -#define EDG_WLL_SSL_ERROR_ERRNO -4 -/** Resolver error. See h_errno. */ -#define EDG_WLL_SSL_ERROR_HERRNO -5 - -/** - * Read from SSL connection. - * Needn't read entire buffer. Timeout is applicable only for non-blocking - * connections (created with non-NULL timeout param of edg_wll_ssl_connect()). - * \param ssl IN: connection to work with - * \param buf OUT: buffer - * \param bufsize IN: max size to read - * \param timeout INOUT: max time allowed for operation, remaining time - * on return - * \retval bytes read (>0) on success - * \retval one of EDG_WLL_SSL_* (<0) on error - */ - -int edg_wll_ssl_read(SSL *ssl,void *buf,size_t bufsize,struct timeval *timeout); - -/** - * Write to SSL connection. - * Needn't write entire buffer. Timeout is applicable only for non-blocking - * connections (created with non-NULL timeout param of edg_wll_ssl_connect()). - * \param ssl IN: connection to work with - * \param buf IN: buffer - * \param bufsize IN: max size to write - * \param timeout INOUT: max time allowed for operation, remaining time - * on return - * \retval bytes written (>0) on success - * \retval one of EDG_WLL_SSL_* (<0) on error - */ - -int edg_wll_ssl_write(SSL *ssl,const void *buf,size_t bufsize,struct timeval *timeout); - -/** - * Read specified amount of data from SSL connection. - * Attempts to call edg_wll_ssl_read() untill the entire request is satisfied - * (or EOF reached, or times out) - * - * \param ssl IN: connection to work with - * \param buf OUT: buffer - * \param bufsize IN: max size to read - * \param timeout INOUT: max time allowed for operation, remaining time - * on return - * \param total OUT: bytes actually read - * \return one of EDG_WLL_SSL_* - */ - -int edg_wll_ssl_read_full(SSL *ssl,void *buf,size_t bufsize,struct timeval *timeout,size_t *total); - -/** - * Write specified amount of data to SSL connection. - * Attempts to call edg_wll_ssl_write() untill the entire request is satisfied - * (or times out). - * - * \param ssl IN: connection to work with - * \param buf IN: buffer - * \param bufsize IN: max size to read - * \param timeout INOUT: max time allowed for operation, remaining time - * on return - * \param total OUT: bytes actually written - * \return one of EDG_WLL_SSL_* - */ - -int edg_wll_ssl_write_full(SSL *ssl,const void *buf,size_t bufsize,struct timeval *timeout,size_t *total); - -void edg_wll_ssl_set_noauth(proxy_cred_desc* cred_handle); - -/** - * Check modification times of key and cert files. - */ -int edg_wll_ssl_watch_creds(const char *,const char *,time_t *,time_t *); - -#endif /* __EDG_WORKLOAD_LOGGING_COMMON_DGSSL_H__ */ - diff --git a/org.glite.lb.common/src/context.c b/org.glite.lb.common/src/context.c index a81644b..ed68244 100644 --- a/org.glite.lb.common/src/context.c +++ b/org.glite.lb.common/src/context.c @@ -7,7 +7,6 @@ #include #include -#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h" #include "glite/wmsutils/jobid/strmd5.h" #include "glite/wmsutils/jobid/cjobid.h" @@ -40,6 +39,7 @@ int edg_wll_InitContext(edg_wll_Context *ctx) void edg_wll_FreeContext(edg_wll_Context ctx) { struct timeval close_timeout = {0, 50000}; + OM_uint32 min_stat; if (!ctx) return; @@ -49,9 +49,9 @@ void edg_wll_FreeContext(edg_wll_Context ctx) for (i=0; ipoolSize; i++) { if (ctx->connPool[i].peerName) free(ctx->connPool[i].peerName); - if (ctx->connPool[i].ssl) - edg_wll_ssl_close_timeout(ctx->connPool[i].ssl,&close_timeout); - if (ctx->connPool[i].gsiCred) edg_wll_ssl_free(ctx->connPool[i].gsiCred); + edg_wll_gss_close(&ctx->connPool[i].gss,&close_timeout); + if (ctx->connPool[i].gsiCred) + gss_release_cred(&min_stat, &ctx->connPool[i].gsiCred); if (ctx->connPool[i].buf) free(ctx->connPool[i].buf); } free(ctx->connPool); @@ -95,7 +95,7 @@ static const char* const errTexts[] = { "Database call failed", "Bad URL format", "MD5 key clash", - "SSL Error", + "GSSAPI Error", "DNS resolver error", "No JobId specified in context", "No indexed condition in query", @@ -417,3 +417,13 @@ free_voms_groups(edg_wll_VomsGroups *groups) free(groups->val[len].name); } } + +int edg_wll_SetErrorGss(edg_wll_Context ctx, const char *desc, edg_wll_GssStatus *gss_code) +{ + char *err_msg; + + edg_wll_gss_get_error(gss_code, desc, &err_msg); + edg_wll_SetError(ctx,EDG_WLL_ERROR_GSS, err_msg); + free(err_msg); + return ctx->errCode; +} diff --git a/org.glite.lb.common/src/dgssl.c b/org.glite.lb.common/src/dgssl.c deleted file mode 100644 index 51a55d3..0000000 --- a/org.glite.lb.common/src/dgssl.c +++ /dev/null @@ -1,679 +0,0 @@ -#ident "$Header$" - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "globus_config.h" -#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h" - -#include "dgssl.h" - -/* This two functions are not in globus sslutils.h */ -void proxy_verify_ctx_release(proxy_verify_ctx_desc *pvxd); -void proxy_verify_ctx_init(proxy_verify_ctx_desc *pvxd); - -#include "globus_gss_assist.h" - -#define tv_sub(a,b) {\ - (a).tv_usec -= (b).tv_usec;\ - (a).tv_sec -= (b).tv_sec;\ - if ((a).tv_usec < 0) {\ - (a).tv_sec--;\ - (a).tv_usec += 1000000;\ - }\ -} - -static int decrement_timeout(struct timeval *timeout, struct timeval before, struct timeval after) -{ - (*timeout).tv_sec = (*timeout).tv_sec - (after.tv_sec - before.tv_sec); - (*timeout).tv_usec = (*timeout).tv_usec - (after.tv_usec - before.tv_usec); - while ( (*timeout).tv_usec < 0) { - (*timeout).tv_sec--; - (*timeout).tv_usec += 1000000; - } - if ( ((*timeout).tv_sec < 0) || (((*timeout).tv_sec == 0) && ((*timeout).tv_usec == 0)) ) return(1); - else return(0); -} - - -static int handle_ssl_error(int sock,int err,struct timeval *to); - -static unsigned char dh512_p[]={ - 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, - 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, - 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, - 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, - 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, - 0x47,0x74,0xE8,0x33, - }; -static unsigned char dh512_g[]={ - 0x02, - }; - -static DH *get_dh512(void) - { - DH *dh=NULL; - - if ((dh=DH_new()) == NULL) return(NULL); - dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); - dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) - return(NULL); - return(dh); - } - -struct asyn_result { - struct hostent *ent; - int err; -}; - -/* ares callback handler for ares_gethostbyname() */ -static void callback_handler(void *arg, int status, struct hostent *h) { - struct asyn_result *arp = (struct asyn_result *) arg; - - switch (status) { - case ARES_SUCCESS: - if (h && h->h_addr_list[0]) { - arp->ent->h_addr_list = - (char **) malloc(2 * sizeof(char *)); - if (arp->ent->h_addr_list == NULL) { - arp->err = NETDB_INTERNAL; - break; - } - arp->ent->h_addr_list[0] = - malloc(sizeof(struct in_addr)); - if (arp->ent->h_addr_list[0] == NULL) { - free(arp->ent->h_addr_list); - arp->err = NETDB_INTERNAL; - break; - } - memcpy(arp->ent->h_addr_list[0], h->h_addr_list[0], - sizeof(struct in_addr)); - arp->ent->h_addr_list[1] = NULL; - arp->err = NETDB_SUCCESS; - } else { - arp->err = NO_DATA; - } - break; - case ARES_EBADNAME: - case ARES_ENOTFOUND: - arp->err = HOST_NOT_FOUND; - break; - case ARES_ENOTIMP: - arp->err = NO_RECOVERY; - break; - case ARES_ENOMEM: - case ARES_EDESTRUCTION: - default: - arp->err = NETDB_INTERNAL; - break; - } -} - - -static void free_hostent(struct hostent *h){ - int i; - - if (h) { - if (h->h_name) free(h->h_name); - if (h->h_aliases) { - for (i=0; h->h_aliases[i]; i++) free(h->h_aliases[i]); - free(h->h_aliases); - } - if (h->h_addr_list) { - for (i=0; h->h_addr_list[i]; i++) free(h->h_addr_list[i]); - free(h->h_addr_list); - } - free(h); - } -} - -static int asyn_gethostbyname(char **addrOut, char const *name, struct timeval *timeout) { - struct asyn_result ar; - ares_channel channel; - int nfds; - fd_set readers, writers; - struct timeval tv, *tvp; - struct timeval start_time,check_time; - - -/* start timer */ - gettimeofday(&start_time,0); - -/* ares init */ - if ( ares_init(&channel) != ARES_SUCCESS ) return(NETDB_INTERNAL); - ar.ent = (struct hostent *) calloc (sizeof(*ar.ent),1); - -/* query DNS server asynchronously */ - ares_gethostbyname(channel, name, AF_INET, callback_handler, - (void *) &ar); - -/* wait for result */ - while (1) { - FD_ZERO(&readers); - FD_ZERO(&writers); - nfds = ares_fds(channel, &readers, &writers); - if (nfds == 0) - break; - - gettimeofday(&check_time,0); - if (decrement_timeout(timeout, start_time, check_time)) { - ares_destroy(channel); - free_hostent(ar.ent); - return(TRY_AGAIN); - } - start_time = check_time; - - tvp = ares_timeout(channel, timeout, &tv); - - switch ( select(nfds, &readers, &writers, NULL, tvp) ) { - case -1: if (errno != EINTR) { - ares_destroy(channel); - free_hostent(ar.ent); - return NETDB_INTERNAL; - } else - continue; - case 0: - FD_ZERO(&readers); - FD_ZERO(&writers); - /* fallthrough */ - default: ares_process(channel, &readers, &writers); - } - } - - - ares_destroy(channel); - - if (ar.err == NETDB_SUCCESS) { - *addrOut = malloc(sizeof(struct in_addr)); - memcpy(*addrOut,ar.ent->h_addr_list[0], sizeof(struct in_addr)); - free_hostent(ar.ent); - } - return(ar.err); -} - - - -void edg_wll_ssl_set_noauth(proxy_cred_desc* cred_handle) -{ DH *dh=NULL; - - SSL_CTX_set_cipher_list(cred_handle->gs_ctx, - "ADH:RSA:HIGH:MEDIUM:LOW:EXP:+eNULL:+aNULL"); - dh=get_dh512(); - SSL_CTX_set_tmp_dh(cred_handle->gs_ctx,dh); - DH_free(dh); -} - -proxy_cred_desc *edg_wll_ssl_init(int verify, int callback, char *p_cert_file,char *p_key_file, - int ask_passwd, int noauth) -{ - proxy_cred_desc * cred_handle = NULL; - char *certdir=NULL; - int (*pw_cb)() = NULL; - int load_err = 0; - - if (ask_passwd == 0) - pw_cb = proxy_password_callback_no_prompt; - - cred_handle = proxy_cred_desc_new(); - proxy_get_filenames(cred_handle,1,NULL,&certdir,NULL,NULL,NULL); - if (!noauth) { - if ((p_cert_file!=NULL) && (p_key_file!=NULL)) { - load_err = proxy_load_user_cert(cred_handle,p_cert_file,NULL,NULL); - if (load_err == 0) - load_err = proxy_load_user_key(cred_handle,p_key_file,pw_cb,NULL); - if (load_err == 0) { - if (proxy_check_proxy_name(cred_handle->ucert)>0) { - cred_handle->type =CRED_TYPE_PROXY; - if (cred_handle->cert_chain == NULL) - cred_handle->cert_chain = sk_X509_new_null(); - proxy_load_user_proxy(cred_handle->cert_chain,p_cert_file,NULL); - /* - if (cred_handle->cert_chain) - for (int i=0;icert_chain);i++) - X509_STORE_add_cert(cred_handle->gs_ctx->cert_store, - sk_X509_value(cred_handle->cert_chain,i)); - */ - } else cred_handle->type = CRED_TYPE_PERMANENT; - } - } - if (load_err == 0) - proxy_init_cred(cred_handle,pw_cb,NULL); - } - - if ( (cred_handle->gs_ctx != NULL - && !SSL_CTX_check_private_key(cred_handle->gs_ctx)) - || noauth == 1 - || load_err) { - if (cred_handle->ucert != NULL) { - X509_free(cred_handle->ucert); - cred_handle->ucert = NULL; - } - if (cred_handle->upkey != NULL) { - EVP_PKEY_free(cred_handle->upkey); - cred_handle->upkey = NULL; - } - if (cred_handle->gs_ctx) - SSL_CTX_free(cred_handle->gs_ctx); - cred_handle->gs_ctx=SSL_CTX_new(SSLv3_method()); - SSL_CTX_set_options(cred_handle->gs_ctx,0); - SSL_CTX_sess_set_cache_size(cred_handle->gs_ctx,5); - SSL_CTX_load_verify_locations(cred_handle->gs_ctx,NULL,certdir); - } - - if (cred_handle->gs_ctx != NULL) { - SSL_CTX_set_verify(cred_handle->gs_ctx,verify, - (callback==0)?NULL:proxy_verify_callback); - SSL_CTX_set_purpose(cred_handle->gs_ctx,X509_PURPOSE_ANY); - SSL_CTX_set_session_id_context(cred_handle->gs_ctx, "DG_BKSERVER", - strlen("DG_BKSERVER")); - if (noauth == 1) - edg_wll_ssl_set_noauth(cred_handle); - } - - free(certdir); - return(cred_handle); -} - -void edg_wll_ssl_get_my_subject(proxy_cred_desc *cred_handle, char **my_subject_name) -{ - if ((my_subject_name!=NULL) && (cred_handle->ucert!=NULL)) - *my_subject_name=X509_NAME_oneline(X509_get_subject_name( - cred_handle->ucert), NULL, 0); -} - -void edg_wll_ssl_get_my_subject_base(proxy_cred_desc *cred_handle, char **my_subject_name) -{ - X509_NAME *base; - if ((my_subject_name!=NULL) && (cred_handle->ucert!=NULL)) { - X509_NAME *s = X509_get_subject_name(cred_handle->ucert); - - base = X509_NAME_dup(s); - proxy_get_base_name(base); - *my_subject_name=strdup(X509_NAME_oneline(base,NULL, 0)); - X509_NAME_free(base); - } -} - -int edg_wll_ssl_free(proxy_cred_desc * cred_handle) -{ return(proxy_cred_desc_free(cred_handle)); -} - -int edg_wll_ssl_connect(proxy_cred_desc *cred_handle,char const *hostname,int port, - struct timeval *timeout,SSL **sslp) -{ - int sock,ret; - struct sockaddr_in a; - SSL_CTX *ctx; - SSL *ssl; - struct timeval before,after,to; - int sock_err; - socklen_t err_len; - char *certdir=NULL, *addr; - proxy_verify_ctx_desc verify_ctx_area; - proxy_verify_desc verify_area; - int h_errno; - - - sock = socket(AF_INET, SOCK_STREAM, 0); - if (sock < 0) return EDG_WLL_SSL_ERROR_ERRNO; - - if (timeout) { - int flags = fcntl(sock, F_GETFL, 0); - if (fcntl(sock, F_SETFL, flags | O_NONBLOCK) < 0) - return EDG_WLL_SSL_ERROR_ERRNO; - gettimeofday(&before,NULL); - } - - switch (h_errno = asyn_gethostbyname(&addr, hostname, timeout)) { - case NETDB_SUCCESS: - memset(&a,0,sizeof a); - a.sin_family = AF_INET; - memcpy(&a.sin_addr.s_addr,addr,sizeof a.sin_addr.s_addr); - a.sin_port = htons(port); - free(addr); - break; - case TRY_AGAIN: - close(sock); - return EDG_WLL_SSL_ERROR_TIMEOUT; - case NETDB_INTERNAL: - /* fall through */ - default: - close(sock); - /* h_errno may be thread safe with Linux pthread libs, - * but such an assumption is not portable - */ - errno = h_errno; - return EDG_WLL_SSL_ERROR_HERRNO; - } - - if (connect(sock,(struct sockaddr *) &a,sizeof a) < 0) { - if (timeout && errno == EINPROGRESS) { - fd_set fds; - FD_ZERO(&fds); - FD_SET(sock,&fds); - memcpy(&to,timeout,sizeof to); - gettimeofday(&before,NULL); - switch (select(sock+1,NULL,&fds,NULL,&to)) { - case -1: close(sock); - return EDG_WLL_SSL_ERROR_ERRNO; - case 0: close(sock); - return EDG_WLL_SSL_ERROR_TIMEOUT; - } - gettimeofday(&after,NULL); - tv_sub(after,before); - tv_sub(*timeout,after); - - err_len = sizeof sock_err; - if (getsockopt(sock,SOL_SOCKET,SO_ERROR,&sock_err,&err_len)) { - close(sock); - return EDG_WLL_SSL_ERROR_ERRNO; - } - if (sock_err) { - close(sock); - errno = sock_err; - return EDG_WLL_SSL_ERROR_ERRNO; - } - } - else { - close(sock); - return EDG_WLL_SSL_ERROR_ERRNO; - } - } - - ctx = cred_handle->gs_ctx; - ssl = SSL_new(ctx); - if (!ssl) { - close(sock); - return EDG_WLL_SSL_ERROR_SSL; - } - SSL_set_ssl_method(ssl,SSLv3_method()); - SSL_set_fd(ssl, sock); - proxy_get_filenames(NULL,1,NULL,&certdir,NULL,NULL,NULL); - proxy_verify_ctx_init(&verify_ctx_area); - proxy_verify_init(&verify_area,&verify_ctx_area); - SSL_set_ex_data(ssl, PVD_SSL_EX_DATA_IDX, (char *)&verify_area); - if (certdir!=NULL) verify_ctx_area.certdir=certdir; - - if (timeout) SSL_set_mode(ssl, SSL_MODE_ENABLE_PARTIAL_WRITE); - - ret = SSL_connect(ssl); - while (ret <= 0) { - int err = SSL_get_error(ssl,ret); - if ((err = handle_ssl_error(sock,err,timeout))) { - proxy_verify_release(&verify_area); - proxy_verify_ctx_release(&verify_ctx_area); - SSL_free(ssl); - close(sock); - return err; - } - ret = SSL_connect(ssl); - } - proxy_verify_release(&verify_area); - proxy_verify_ctx_release(&verify_ctx_area); - *sslp = ssl; - return EDG_WLL_SSL_OK; -} - -SSL *edg_wll_ssl_accept(proxy_cred_desc *cred_handle,int sock,struct timeval *timeout) -{ SSL *ssl = NULL; - char *certdir=NULL; - SSL_CTX *sslContext; - int ret; - - - proxy_verify_ctx_desc verify_ctx_area; - proxy_verify_desc verify_area; - - sslContext=cred_handle->gs_ctx; - - ssl = SSL_new(sslContext); - if (ssl == NULL) { - fprintf(stderr, "SSL_new(): %s\n", - ERR_error_string(ERR_get_error(), NULL)); - return(NULL); - } - - SSL_set_ssl_method(ssl,SSLv23_method()); - SSL_set_options(ssl,SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1); - - proxy_get_filenames(NULL,1,NULL,&certdir,NULL,NULL,NULL); - proxy_verify_ctx_init(&verify_ctx_area); - proxy_verify_init(&verify_area,&verify_ctx_area); - SSL_set_ex_data(ssl, PVD_SSL_EX_DATA_IDX, (char *)&verify_area); - if (certdir!=NULL) verify_ctx_area.certdir=certdir; - - SSL_set_accept_state(ssl); - SSL_set_fd(ssl, sock); - - ret = SSL_accept(ssl); - while (ret <= 0) { - int err = SSL_get_error(ssl,ret); - if ((err = handle_ssl_error(sock,err,timeout))) { - proxy_verify_release(&verify_area); - proxy_verify_ctx_release(&verify_ctx_area); - SSL_free(ssl); - return (NULL); - } - ret = SSL_accept(ssl); - } - - proxy_verify_release(&verify_area); - proxy_verify_ctx_release(&verify_ctx_area); - - return(ssl); -} - -void edg_wll_ssl_reject(proxy_cred_desc *cred_handle,int sock) -{ SSL *ssl = NULL; - SSL_CTX *sslContext; - - sslContext=cred_handle->gs_ctx; - - ssl = SSL_new(sslContext); - if (ssl == NULL) { - fprintf(stderr, "SSL_new(): %s\n", - ERR_error_string(ERR_get_error(), NULL)); - return; - } - - SSL_set_ssl_method(ssl,SSLv23_method()); - SSL_set_options(ssl,SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1); - - SSL_set_accept_state(ssl); - SSL_set_fd(ssl, sock); - - SSL_shutdown(ssl); - SSL_free(ssl); - - return; -} - -int edg_wll_ssl_close_timeout(SSL *ssl, struct timeval *timeout) -{ - int ret, sock; - - if (!ssl) return(0); - sock = SSL_get_fd(ssl); - ret = SSL_shutdown(ssl); - while (ret <= 0) { - int err = SSL_get_error(ssl, ret); - if (ret == 0 && err == SSL_ERROR_SYSCALL) { - /* translate misleading error returned by SSL_shutdown() to correct one */ - switch (errno) { - case 0: goto closed; break; - case EAGAIN: err = SSL_ERROR_WANT_READ; break; - default: /* obey err */ break; - } - } - if (handle_ssl_error(sock, err, timeout)) - break; - ret = SSL_shutdown(ssl); - } - -closed: - ret = SSL_clear(ssl); - ret = close(sock); - SSL_free(ssl); - - return(0); -} - -int edg_wll_ssl_close(SSL *ssl) -{ - struct timeval timeout = {120, 0}; - return edg_wll_ssl_close_timeout(ssl, &timeout); -} - -int edg_wll_ssl_read(SSL *ssl,void *buf,size_t bufsize,struct timeval *timeout) -{ - int len = 0; - int sock = SSL_get_fd(ssl); - - len = SSL_read(ssl,buf,bufsize); - while (len <= 0) { - int err = SSL_get_error(ssl,len); - if ((err = handle_ssl_error(sock,err,timeout))) return err; - len = SSL_read(ssl,buf,bufsize); - } - return len; -} - -int edg_wll_ssl_write(SSL *ssl,const void *buf,size_t bufsize,struct timeval *timeout) -{ - int len = 0; - int sock = SSL_get_fd(ssl); - - len = SSL_write(ssl,buf,bufsize); - while (len <= 0) { - int err = SSL_get_error(ssl,len); - if ((err = handle_ssl_error(sock,err,timeout))) return err; - len = SSL_write(ssl,buf,bufsize); - } - return len; -} - -int edg_wll_ssl_read_full(SSL *ssl,void *buf,size_t bufsize,struct timeval *timeout,size_t *total) -{ - int len; - *total = 0; - - while (*total < bufsize) { - len = edg_wll_ssl_read(ssl,buf+*total,bufsize-*total,timeout); - if (len < 0) return len; - *total += len; - } - return 0; -} - -int edg_wll_ssl_write_full(SSL *ssl,const void *buf,size_t bufsize,struct timeval *timeout,size_t *total) -{ - int len; - *total = 0; - - while (*total < bufsize) { - len = edg_wll_ssl_write(ssl,buf+*total,bufsize-*total,timeout); - if (len < 0) return len; - *total += len; - } - return 0; -} - -static int handle_ssl_error(int sock,int err,struct timeval *to) -{ - struct timeval timeout,before,after; - fd_set fds; - int ret = EDG_WLL_SSL_OK; - int saved_errno = errno; - - if (to) { - memcpy(&timeout,to,sizeof timeout); - gettimeofday(&before,NULL); - } - switch (err) { - case SSL_ERROR_ZERO_RETURN: - ret = EDG_WLL_SSL_ERROR_EOF; - break; - case SSL_ERROR_WANT_READ: - FD_ZERO(&fds); - FD_SET(sock,&fds); - switch (select(sock+1,&fds,NULL,NULL,to?&timeout:NULL)){ - case 0: ret = EDG_WLL_SSL_ERROR_TIMEOUT; - break; - case -1: ret = EDG_WLL_SSL_ERROR_ERRNO; - break; - } - break; - case SSL_ERROR_WANT_WRITE: - FD_ZERO(&fds); - FD_SET(sock,&fds); - switch (select(sock+1,NULL,&fds,NULL,to?&timeout:NULL)){ - case 0: ret = EDG_WLL_SSL_ERROR_TIMEOUT; - break; - case -1: ret = EDG_WLL_SSL_ERROR_ERRNO; - break; - } - break; - case SSL_ERROR_SYSCALL: - if (saved_errno == 0) ret = EDG_WLL_SSL_ERROR_EOF; - else ret = EDG_WLL_SSL_ERROR_ERRNO; - break; - case SSL_ERROR_SSL: - ret = EDG_WLL_SSL_ERROR_SSL; - break; - default: - fprintf(stderr,"unexpected SSL_get_error code %d\n",err); - abort(); - } - if (to) { - gettimeofday(&after,NULL); - tv_sub(after,before); - tv_sub(*to,after); - if (to->tv_sec < 0) { - to->tv_sec = 0; - to->tv_usec = 0; - } - } - - return ret; -} - -/* XXX: I'm afraid the contents of stuct stat is somewhat OS dependent */ - -int edg_wll_ssl_watch_creds( - const char *key_file, - const char *cert_file, - time_t *key_mtime, - time_t *cert_mtime) -{ - struct stat kstat,cstat; - int reload = 0; - - if (!key_file || !cert_file) return 0; - if (stat(key_file,&kstat) || stat(cert_file,&cstat)) return -1; - - if (!*key_mtime) *key_mtime = kstat.st_mtime; - if (!*cert_mtime) *cert_mtime = cstat.st_mtime; - - if (*key_mtime != kstat.st_mtime) { - *key_mtime = kstat.st_mtime; - reload = 1; - } - - if (*cert_mtime != cstat.st_mtime) { - *cert_mtime = cstat.st_mtime; - reload = 1; - } - - return reload; -} diff --git a/org.glite.lb.common/src/mini_http.c b/org.glite.lb.common/src/mini_http.c index 4f0aceb..5f4f13a 100644 --- a/org.glite.lb.common/src/mini_http.c +++ b/org.glite.lb.common/src/mini_http.c @@ -11,10 +11,9 @@ #include #include "globus_config.h" -#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h" #include "mini_http.h" -#include "dgssl.h" +#include "lb_gss.h" #include "context-int.h" #define min(x,y) ((x) < (y) ? (x) : (y)) @@ -26,6 +25,7 @@ edg_wll_ErrorCode edg_wll_http_recv(edg_wll_Context ctx,char **firstOut,char *** enum { FIRST, HEAD, BODY, DONE } pstat = FIRST; int len, nhdr = 0,rdmore = 0,clen = 0,blen = 0; int sock; + edg_wll_GssStatus gss_code; #define bshift(shift) {\ memmove(ctx->connPool[ctx->connToUse].buf,ctx->connPool[ctx->connToUse].buf+(shift),ctx->connPool[ctx->connToUse].bufUse-(shift));\ @@ -33,9 +33,9 @@ edg_wll_ErrorCode edg_wll_http_recv(edg_wll_Context ctx,char **firstOut,char *** } edg_wll_ResetError(ctx); - - if (ctx->connPool[ctx->connToUse].ssl) sock = SSL_get_fd(ctx->connPool[ctx->connToUse].ssl); - else { + if (ctx->connPool[ctx->connToUse].gss.context != GSS_C_NO_CONTEXT) + sock = ctx->connPool[ctx->connToUse].gss.sock; + else { edg_wll_SetError(ctx,ENOTCONN,NULL); goto error; } @@ -43,22 +43,22 @@ edg_wll_ErrorCode edg_wll_http_recv(edg_wll_Context ctx,char **firstOut,char *** if (!ctx->connPool[ctx->connToUse].buf) ctx->connPool[ctx->connToUse].buf = malloc(ctx->connPool[ctx->connToUse].bufSize = BUFSIZ); do { - len = edg_wll_ssl_read(ctx->connPool[ctx->connToUse].ssl, - ctx->connPool[ctx->connToUse].buf+ctx->connPool[ctx->connToUse].bufUse,ctx->connPool[ctx->connToUse].bufSize-ctx->connPool[ctx->connToUse].bufUse,&ctx->p_tmp_timeout); + len = edg_wll_gss_read(&ctx->connPool[ctx->connToUse].gss, + ctx->connPool[ctx->connToUse].buf+ctx->connPool[ctx->connToUse].bufUse,ctx->connPool[ctx->connToUse].bufSize-ctx->connPool[ctx->connToUse].bufUse,&ctx->p_tmp_timeout, &gss_code); switch (len) { - case EDG_WLL_SSL_OK: - case EDG_WLL_SSL_ERROR_SSL: - edg_wll_SetError(ctx,EDG_WLL_ERROR_SSL, - ERR_error_string(ERR_get_error(), NULL)); + case EDG_WLL_GSS_OK: + break; + case EDG_WLL_GSS_ERROR_GSS: + edg_wll_SetErrorGss(ctx, "receving HTTP request", &gss_code); goto error; - case EDG_WLL_SSL_ERROR_ERRNO: - edg_wll_SetError(ctx,errno,"edg_wll_ssl_read()"); + case EDG_WLL_GSS_ERROR_ERRNO: + edg_wll_SetError(ctx,errno,"edg_wll_gss_read()"); goto error; - case EDG_WLL_SSL_ERROR_TIMEOUT: + case EDG_WLL_GSS_ERROR_TIMEOUT: edg_wll_SetError(ctx,ETIMEDOUT,NULL); goto error; - case EDG_WLL_SSL_ERROR_EOF: + case EDG_WLL_GSS_ERROR_EOF: edg_wll_SetError(ctx,ENOTCONN,NULL); goto error; /* default: fallthrough */ @@ -144,66 +144,60 @@ error: return edg_wll_Error(ctx,NULL,NULL); } -static int real_write(edg_wll_Context ctx, SSL *ssl,int fd,const char *data,int len) +static int real_write(edg_wll_Context ctx, edg_wll_GssConnection *con,const char *data,int len) { - int once,total = 0; + int total = 0; struct sigaction sa,osa; + edg_wll_GssStatus gss_code; + int ret; memset(&sa,0,sizeof(sa)); assert(sa.sa_handler == NULL); sa.sa_handler = SIG_IGN; sigaction(SIGPIPE,&sa,&osa); - while (total < len) { - int sslerr; - - switch (once = edg_wll_ssl_write(ssl,(void*)(data+total),len-total,&ctx->p_tmp_timeout)) { - case EDG_WLL_SSL_ERROR_EOF: - errno = ENOTCONN; - total = -1; - goto end; - case EDG_WLL_SSL_ERROR_TIMEOUT: - errno = ETIMEDOUT; - total = -1; - goto end; - case EDG_WLL_SSL_ERROR_ERRNO: - if (errno == EPIPE) errno = ENOTCONN; - total = -1; - goto end; - case EDG_WLL_SSL_OK: - case EDG_WLL_SSL_ERROR_SSL: - sslerr = SSL_get_error(ssl,once); - if (sslerr == SSL_ERROR_SYSCALL) { - if (errno == EPIPE) errno = ENOTCONN; - } - else errno = EDG_WLL_ERROR_SSL; - total = -1; - goto end; - default: - total += once; - } - } -end: + ret = edg_wll_gss_write_full(con, (void*)data, len, &ctx->p_tmp_timeout, + &total, &gss_code); sigaction(SIGPIPE,&osa,NULL); - return total; + + switch(ret) { + case EDG_WLL_GSS_OK: + return 0; + case EDG_WLL_GSS_ERROR_EOF: + errno = ENOTCONN; + return -1; + case EDG_WLL_GSS_ERROR_TIMEOUT: + errno = ETIMEDOUT; + return -1; + case EDG_WLL_GSS_ERROR_ERRNO: + if (errno == EPIPE) errno = ENOTCONN; + return -1; + case EDG_WLL_GSS_ERROR_GSS: + errno = EDG_WLL_ERROR_GSS; + return -1; + default: + /* XXX DK: */ + errno = ENOTCONN; + return -1; + } } edg_wll_ErrorCode edg_wll_http_send(edg_wll_Context ctx,const char *first,const char * const *head,const char *body) { const char* const *h; - int len = 0, blen, sock; + int len = 0, blen; edg_wll_ResetError(ctx); - if (ctx->connPool[ctx->connToUse].ssl) sock = SSL_get_fd(ctx->connPool[ctx->connToUse].ssl); - else return edg_wll_SetError(ctx,ENOTCONN,NULL); + if (ctx->connPool[ctx->connToUse].gss.context == GSS_C_NO_CONTEXT) + return edg_wll_SetError(ctx,ENOTCONN,NULL); - if (real_write(ctx,ctx->connPool[ctx->connToUse].ssl,sock,first,strlen(first)) < 0 || - real_write(ctx,ctx->connPool[ctx->connToUse].ssl,sock,"\r\n",2) < 0) + if (real_write(ctx,&ctx->connPool[ctx->connToUse].gss,first,strlen(first)) < 0 || + real_write(ctx,&ctx->connPool[ctx->connToUse].gss,"\r\n",2) < 0) return edg_wll_SetError(ctx,errno,"edg_wll_http_send()"); if (head) for (h=head; *h; h++) - if (real_write(ctx,ctx->connPool[ctx->connToUse].ssl,sock,*h,strlen(*h)) < 0 || - real_write(ctx,ctx->connPool[ctx->connToUse].ssl,sock,"\r\n",2) < 0) + if (real_write(ctx,&ctx->connPool[ctx->connToUse].gss,*h,strlen(*h)) < 0 || + real_write(ctx,&ctx->connPool[ctx->connToUse].gss,"\r\n",2) < 0) return edg_wll_SetError(ctx,errno,"edg_wll_http_send()"); if (body) { @@ -211,13 +205,13 @@ edg_wll_ErrorCode edg_wll_http_send(edg_wll_Context ctx,const char *first,const len = strlen(body); blen = sprintf(buf,CONTENT_LENGTH " %d\r\n",len); - if (real_write(ctx,ctx->connPool[ctx->connToUse].ssl,sock,buf,blen) < 0) + if (real_write(ctx,&ctx->connPool[ctx->connToUse].gss,buf,blen) < 0) return edg_wll_SetError(ctx,errno,"edg_wll_http_send()"); } - if (real_write(ctx,ctx->connPool[ctx->connToUse].ssl,sock,"\r\n",2) < 0) + if (real_write(ctx,&ctx->connPool[ctx->connToUse].gss,"\r\n",2) < 0) return edg_wll_SetError(ctx,errno,"edg_wll_http_send()"); - if (body && real_write(ctx,ctx->connPool[ctx->connToUse].ssl,sock,body,len) < 0) + if (body && real_write(ctx,&ctx->connPool[ctx->connToUse].gss,body,len) < 0) return edg_wll_SetError(ctx,errno,"edg_wll_http_send()"); return edg_wll_Error(ctx,NULL,NULL); diff --git a/org.glite.lb.common/src/xml_parse.c.T b/org.glite.lb.common/src/xml_parse.c.T index e5c6bf8..e3fb8d8 100644 --- a/org.glite.lb.common/src/xml_parse.c.T +++ b/org.glite.lb.common/src/xml_parse.c.T @@ -8,7 +8,6 @@ #include // Expat header file #include "globus_config.h" -#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h" #include "trio.h" #include "glite/lb/producer.h" diff --git a/org.glite.lb.logger/Makefile b/org.glite.lb.logger/Makefile index d649f0b..92c71a4 100644 --- a/org.glite.lb.logger/Makefile +++ b/org.glite.lb.logger/Makefile @@ -25,11 +25,9 @@ VERSION=-DVERSION=\"GLite-${version}\" SUFFIXES=.no -GLOBUSINC=-I${globus_prefix}/include/${nothrflavour} \ - -I${globus_prefix}/include/${nothrflavour}/openssl +GLOBUSINC=-I${globus_prefix}/include/${nothrflavour} -GLOBUSTHRINC=-I${globus_prefix}/include/${thrflavour} \ - -I${globus_prefix}/include/${thrflavour}/openssl +GLOBUSTHRINC=-I${globus_prefix}/include/${thrflavour} DEBUG:=-g -O0 CFLAGS:=${DEBUG} \ @@ -43,11 +41,11 @@ INSTALL:=libtool --mode=install install GLOBUS_LIBS:= -L${globus_prefix}/lib \ -lglobus_common_${nothrflavour} \ - -lssl_${nothrflavour} + -lglobus_gssapi_gsi_${nothrflavour} GLOBUS_THRLIBS:= -L${globus_prefix}/lib \ -lglobus_common_${thrflavour} \ - -lssl_${thrflavour} + -lglobus_gssapi_gsi_${thrflavour} EXT_LIBS:= -L${ares_prefix}/lib -lares \ -L${expat_prefix}/lib -lexpat diff --git a/org.glite.lb.logger/src/il_error.c b/org.glite.lb.logger/src/il_error.c index 322d6f1..6a9083a 100644 --- a/org.glite.lb.logger/src/il_error.c +++ b/org.glite.lb.logger/src/il_error.c @@ -8,9 +8,10 @@ #include #include -#include // SSL header file +/* XXX DK: */ +#include // SSL header file -#include "glite/lb/dgssl.h" +#include "glite/lb/lb_gss.h" #include "il_error.h" @@ -99,30 +100,31 @@ set_error(int code, long minor, char *msg) snprintf(err->msg, IL_ERR_MSG_LEN, "%s: %s", msg, hstrerror(err->code_min)); break; + /* XXX DK: je tahle hodnota k necemu potreba? */ case IL_AUTH: snprintf(err->msg, IL_ERR_MSG_LEN, "%s: %s", msg, ERR_error_string(err->code_min, NULL)); break; - case IL_DGSSL: + case IL_DGGSS: switch(err->code_min) { - case EDG_WLL_SSL_ERROR_SSL: - snprintf(err->msg, IL_ERR_MSG_LEN, "%s: %s", msg, ERR_error_string(ERR_get_error(), NULL)); + case EDG_WLL_GSS_ERROR_GSS: + snprintf(err->msg, IL_ERR_MSG_LEN, "%s", msg); break; - case EDG_WLL_SSL_ERROR_TIMEOUT: - snprintf(err->msg, IL_ERR_MSG_LEN, "%s: Timeout in SSL connection.", msg); + case EDG_WLL_GSS_ERROR_TIMEOUT: + snprintf(err->msg, IL_ERR_MSG_LEN, "%s: Timeout in GSS connection.", msg); break; - case EDG_WLL_SSL_ERROR_EOF: + case EDG_WLL_GSS_ERROR_EOF: snprintf(err->msg, IL_ERR_MSG_LEN, "%s: Connection lost.", msg); break; - case EDG_WLL_SSL_ERROR_ERRNO: + case EDG_WLL_GSS_ERROR_ERRNO: snprintf(err->msg, IL_ERR_MSG_LEN, "%s: %s", msg, strerror(errno)); break; - case EDG_WLL_SSL_ERROR_HERRNO: + case EDG_WLL_GSS_ERROR_HERRNO: snprintf(err->msg, IL_ERR_MSG_LEN, "%s: %s", msg, hstrerror(errno)); break; } diff --git a/org.glite.lb.logger/src/il_error.h b/org.glite.lb.logger/src/il_error.h index b593bd6..120e7ed 100644 --- a/org.glite.lb.logger/src/il_error.h +++ b/org.glite.lb.logger/src/il_error.h @@ -12,7 +12,7 @@ enum err_code_maj { /* minor = */ IL_AUTH, /* 0 (SSL error) */ IL_PROTO, /* LB_* */ IL_LBAPI, /* dgLBErrCode */ - IL_DGSSL, /* EDG_WLL_SSL_* */ + IL_DGGSS, /* EDG_WLL_GSS_* */ IL_HOST /* h_errno */ }; diff --git a/org.glite.lb.logger/src/interlogd.c b/org.glite.lb.logger/src/interlogd.c index 467043f..1603668 100644 --- a/org.glite.lb.logger/src/interlogd.c +++ b/org.glite.lb.logger/src/interlogd.c @@ -15,7 +15,7 @@ #include "glite/wmsutils/tls/ssl_helpers/ssl_pthreads.h" #include "interlogd.h" #include "glite/lb/consumer.h" -#include "glite/lb/dgssl.h" +#include "glite/lb/lb_gss.h" #define EXIT_FAILURE 1 #if defined(IL_NOTIFICATIONS) @@ -33,7 +33,7 @@ static int killflg = 0; int TIMEOUT = DEFAULT_TIMEOUT; -proxy_cred_desc *cred_handle; +gss_cred_id_t cred_handle = GSS_C_NO_CREDENTIAL; pthread_mutex_t cred_handle_lock = PTHREAD_MUTEX_INITIALIZER; static void usage (int status) @@ -174,7 +174,9 @@ int main (int argc, char **argv) { int i; - char *dummy = NULL,*p; + char *p; + edg_wll_GssStatus gss_stat; + int ret; program_name = argv[0]; @@ -217,24 +219,32 @@ main (int argc, char **argv) exit(EXIT_FAILURE); } - /* try to get default credential file names from globus */ - if(proxy_get_filenames(NULL,0, &dummy, &CAcert_dir, &dummy, &cert_file, &key_file) < 0) { - il_log(LOG_CRIT, "Failed to acquire credential file names. Exiting.\n"); - exit(EXIT_FAILURE); - } + if (CAcert_dir) + setenv("X509_CERT_DIR", CAcert_dir, 1); + /* XXX DK: still needed? */ il_log(LOG_INFO, "Initializing SSL...\n"); if(edg_wlc_SSLInitialization() < 0) { il_log(LOG_CRIT, "Failed to initialize SSL. Exiting.\n"); exit(EXIT_FAILURE); } - cred_handle = edg_wll_ssl_init(SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0, cert_file, key_file, 0, 0); - if(cred_handle == NULL) { - il_log(LOG_CRIT, "Failed to initialize SSL certificates. Exiting.\n"); - exit(EXIT_FAILURE); + ret = edg_wll_gss_acquire_cred_gsi(cert_file, &cred_handle, NULL, &gss_stat); + if (ret) { + char *gss_err = NULL; + char *str; + + if (ret == EDG_WLL_GSS_ERROR_GSS) + edg_wll_gss_get_error(&gss_stat, "edg_wll_gss_acquire_cred_gsi()", &gss_err); + asprintf(&str, "Failed to load GSI credential: %s\n", + (gss_err) ? gss_err : "edg_wll_gss_acquire_cred_gsi() failed"); + il_log(LOG_CRIT, str); + free(str); + if (gss_err) + free(gss_err); + exit(EXIT_FAILURE); } - + if(!debug && (daemon(0,0) < 0)) { perror("daemon"); @@ -246,6 +256,7 @@ main (int argc, char **argv) exit(EXIT_FAILURE); } + /* XXX DK: needed? */ if (edg_wlc_SSLLockingInit() != 0) { il_log(LOG_CRIT, "Failed to initialize SSL locking. Exiting.\n"); exit(EXIT_FAILURE); diff --git a/org.glite.lb.logger/src/interlogd.h b/org.glite.lb.logger/src/interlogd.h index 543bb12..bebda87 100644 --- a/org.glite.lb.logger/src/interlogd.h +++ b/org.glite.lb.logger/src/interlogd.h @@ -4,7 +4,7 @@ #ident "$Header$" #include "il_error.h" -#include "glite/lb/dgssl.h" +#include "glite/lb/lb_gss.h" #include #include @@ -58,8 +58,7 @@ extern int TIMEOUT; #define INPUT_TIMEOUT (60) -/* extern SSL_CTX *sslContext; */ -extern proxy_cred_desc *cred_handle; +extern gss_cred_id_t cred_handle; extern pthread_mutex_t cred_handle_lock; extern char *cert_file; extern char *key_file; @@ -105,7 +104,7 @@ struct server_msg { struct event_queue { - SSL *ssl; /* SSL connection */ + edg_wll_GssConnection gss; /* GSS connection */ char *dest_name; int dest_port; int timeout; /* queue timeout */ diff --git a/org.glite.lb.logger/src/logd.c b/org.glite.lb.logger/src/logd.c index fd6f245..ae42afe 100644 --- a/org.glite.lb.logger/src/logd.c +++ b/org.glite.lb.logger/src/logd.c @@ -16,6 +16,7 @@ #include "logd_proto.h" #include "glite/lb/consumer.h" #include "glite/wmsutils/tls/ssl_helpers/ssl_inits.h" +#include "glite/lb/lb_gss.h" static const char rcsid[] = "@(#)$Id$"; static int verbose = 0; @@ -25,7 +26,6 @@ static char *prefix = EDG_WLL_LOG_PREFIX_DEFAULT; static char *cert_file = NULL; static char *key_file = NULL; static char *CAcert_dir = NULL; -static char *gridmap_file = NULL; static int noAuth = 0; static int noIPC = 0; static int noParse = 0; @@ -46,7 +46,6 @@ static struct option const long_options[] = { { "cert", required_argument, 0, 'c' }, { "key", required_argument, 0, 'k' }, { "CAdir", required_argument, 0, 'C' }, - { "gridmap", required_argument, 0, 'g' }, { "socket",required_argument, 0, 's' }, { "noAuth", no_argument, 0, 'x' }, { "noIPC", no_argument, 0, 'y' }, @@ -143,48 +142,65 @@ void handle_signal(int num) { *---------------------------------------------------------------------- */ static int -doit(int socket, void *cred_handle, char *file_name_prefix, int noipc, int noparse) +doit(int socket, gss_cred_id_t cred_handle, char *file_name_prefix, int noipc, int noparse) { - SSL *ssl = NULL; - X509 *peer = NULL; - char *subject; - char buf[1024]; int ret; - struct timeval timeout = {10,0}; + struct timeval timeout = {10,0}; + edg_wll_GssConnection con; + edg_wll_GssStatus gss_stat; + gss_buffer_desc gss_token = GSS_C_EMPTY_BUFFER; + gss_name_t client_name = GSS_C_NO_NAME; + OM_uint32 min_stat; + gss_OID name_type = GSS_C_NO_OID; /* authentication */ edg_wll_ll_log(LOG_INFO,"Processing authentication:\n"); // FIXME - put here some meaningfull value of timeout + do somthing if timeouted - ssl = edg_wll_ssl_accept(cred_handle,socket,&timeout); - if (ssl==NULL) { - edg_wll_ll_log(LOG_ERR,"edg_wll_ssl_accept() failed (%s)\n", - ERR_error_string(ERR_get_error(), NULL)); + ret = edg_wll_gss_accept(cred_handle,socket,&timeout,&con, &gss_stat); + if (ret) { + edg_wll_ll_log(LOG_ERR,"edg_wll_gss_accept() failed\n"); return(-1); } - peer = SSL_get_peer_certificate(ssl); - if (peer != NULL) { - X509_NAME *s; - - edg_wll_ll_log(LOG_INFO," User successfully authenticated with the following certificate:\n"); - X509_NAME_oneline(X509_get_issuer_name(peer), buf, sizeof(buf)); - edg_wll_ll_log(LOG_INFO, " Issuer: %s\n", buf); - X509_NAME_oneline(X509_get_subject_name(peer), buf, sizeof(buf)); - edg_wll_ll_log(LOG_INFO, " Subject: %s\n", buf); - s = X509_NAME_dup(X509_get_subject_name(peer)); - proxy_get_base_name(s); - subject=X509_NAME_oneline(s,NULL,0); - X509_NAME_free(s); + + gss_stat.major_status = gss_inquire_context(&gss_stat.minor_status, con.context, + &client_name, NULL, NULL, NULL, NULL, + NULL, NULL); + if (GSS_ERROR(gss_stat.major_status)) { + char *gss_err; + edg_wll_gss_get_error(&gss_stat, "Cannot read client identification", &gss_err); + edg_wll_ll_log(LOG_WARNING, "%s\n", gss_err); + free(gss_err); + } else { + gss_stat.major_status = gss_display_name(&gss_stat.minor_status, client_name, + &gss_token, &name_type); + if (GSS_ERROR(gss_stat.major_status)) { + char *gss_err; + edg_wll_gss_get_error(&gss_stat, "Cannot process client identification", &gss_err); + edg_wll_ll_log(LOG_WARNING, "%s\n", gss_err); + free(gss_err); + } } - else { + + if (GSS_ERROR(gss_stat.major_status) || + edg_wll_gss_oid_equal(name_type, GSS_C_NT_ANONYMOUS)) { edg_wll_ll_log(LOG_INFO," User not authenticated, setting as \"%s\". \n",EDG_WLL_LOG_USER_DEFAULT); subject=strdup(EDG_WLL_LOG_USER_DEFAULT); + } else { + edg_wll_ll_log(LOG_INFO," User successfully authenticated as:\n"); + edg_wll_ll_log(LOG_INFO, " %s\n", (char *)gss_token.value); + subject=gss_token.value; + memset(&gss_token.value, 0, sizeof(gss_token.value)); } - ret = edg_wll_log_proto_server(ssl,subject,file_name_prefix,noipc,noparse); + ret = edg_wll_log_proto_server(&con,subject,file_name_prefix,noipc,noparse); - edg_wll_ssl_close(ssl); + edg_wll_gss_close(&con, NULL); if (subject) free(subject); + if (gss_token.length) + gss_release_buffer(&min_stat, &gss_token); + if (client_name != GSS_C_NO_NAME) + gss_release_name(&min_stat, &client_name); return ret; } @@ -197,8 +213,6 @@ doit(int socket, void *cred_handle, char *file_name_prefix, int noipc, int nopar */ int main(int argc, char *argv[]) { - void *cred_handle = NULL; - int ret; int childpid; int opt; @@ -211,6 +225,9 @@ int main(int argc, char *argv[]) char *my_subject_name = NULL; time_t cert_mtime = 0, key_mtime = 0; + OM_uint32 min_stat; + edg_wll_GssStatus gss_stat; + gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; setlinebuf(stdout); @@ -232,7 +249,6 @@ Copyright (c) 2002 CERN, INFN and CESNET on behalf of the EU DataGrid.\n"); "c:" /* certificate */ "k:" /* key */ "C:" /* CA dir */ - "g:" /* gridmap */ "s:" /* socket */ "x" /* noAuth */ "y" /* noIPC */ @@ -248,7 +264,6 @@ Copyright (c) 2002 CERN, INFN and CESNET on behalf of the EU DataGrid.\n"); case 'c': cert_file = optarg; break; case 'k': key_file = optarg; break; case 'C': CAcert_dir = optarg; break; - case 'g': gridmap_file = optarg; break; case 's': socket_path = optarg; break; case 'x': noAuth = 1; break; case 'y': noIPC = 1; break; @@ -288,9 +303,8 @@ Copyright (c) 2002 CERN, INFN and CESNET on behalf of the EU DataGrid.\n"); edg_wll_ll_log(LOG_INFO,"yes.\n"); } - /* parse X509 arguments to environment */ - edg_wll_set_environment(cert_file, key_file, NULL, NULL, CAcert_dir, gridmap_file); - if (noAuth) setenv("X509_USER_PROXY","/dev/null",1); + if (CAcert_dir) + setenv("X509_CERT_DIR", CAcert_dir, 1); /* daemonize */ edg_wll_ll_log(LOG_INFO,"Running as daemon..."); @@ -333,21 +347,26 @@ Copyright (c) 2002 CERN, INFN and CESNET on behalf of the EU DataGrid.\n"); exit(1); } - cred_handle=edg_wll_ssl_init(SSL_VERIFY_PEER, 1,cert_file,key_file,0,0); - if (cred_handle==NULL) { - edg_wll_ll_log(LOG_CRIT,"Failed to initialize SSL certificates. Exiting.\n"); - exit(1); + /* XXX DK: support noAuth */ + ret = edg_wll_gss_acquire_cred_gsi(cert_file, &cred, &my_subject_name, + &gss_stat); + if (ret) { + /* XXX DK: call edg_wll_gss_get_error() */ + edg_wll_ll_log(LOG_CRIT, "Failed to get GSI credentials. Exiting.\n"); + exit(1); } - edg_wll_ssl_get_my_subject(cred_handle, &my_subject_name); if (my_subject_name!=NULL) { edg_wll_ll_log(LOG_INFO," server running with certificate: %s\n",my_subject_name); free(my_subject_name); } else if (noAuth) { edg_wll_ll_log(LOG_INFO," running without certificate\n"); +#if 0 + /* XXX DK: */ } else { edg_wll_ll_log(LOG_CRIT,"No server credential found. Exiting.\n"); exit(1); +#endif } /* do listen */ @@ -355,7 +374,7 @@ Copyright (c) 2002 CERN, INFN and CESNET on behalf of the EU DataGrid.\n"); listener_fd = do_listen(port); if (listener_fd == -1) { edg_wll_ll_log(LOG_CRIT,"Failed to listen on port %d\n",port); - edg_wll_ssl_free(cred_handle); + gss_release_cred(&min_stat, &cred); exit(-1); } @@ -373,17 +392,28 @@ Copyright (c) 2002 CERN, INFN and CESNET on behalf of the EU DataGrid.\n"); close(listener_fd); edg_wll_ll_log(LOG_CRIT,"Failed to accept incomming connections\n"); perror("accept"); - edg_wll_ssl_free(cred_handle); + gss_release_cred(&min_stat, &cred); exit(-1); } - if (edg_wll_ssl_watch_creds(key_file,cert_file,&key_mtime,&cert_mtime) > 0) { - void * new_cred_handle=edg_wll_ssl_init(SSL_VERIFY_PEER, 1,cert_file,key_file,0,0); - if (new_cred_handle) { - edg_wll_ssl_free(cred_handle); - cred_handle = new_cred_handle; - } + switch (edg_wll_gss_watch_creds(cert_file,&cert_mtime)) { + gss_cred_id_t newcred; + case 0: break; + case 1: + ret = edg_wll_gss_acquire_cred_gsi(cert_file,&newcred,NULL,&gss_stat); + if (ret) { + edg_wll_ll_log(LOG_WARNING, "Reloading credentials failed, continue with older\n"); + } else { + edg_wll_ll_log(LOG_INFO, "Reloading credentials\n"); + gss_release_cred(&min_stat, &cred); + cred = newcred; + } + break; + case -1: + edg_wll_ll_log(LOG_WARNING, "edg_wll_gss_watch_creds failed\n"); + break; } + /* FORK - change next line if fork() is not needed (for debugging for * example */ @@ -393,7 +423,7 @@ Copyright (c) 2002 CERN, INFN and CESNET on behalf of the EU DataGrid.\n"); close(client_fd); } if (childpid == 0) { - ret=doit(client_fd,cred_handle,prefix,noIPC,noParse); + ret=doit(client_fd,cred,prefix,noIPC,noParse); close(client_fd); goto end; } @@ -401,13 +431,13 @@ Copyright (c) 2002 CERN, INFN and CESNET on behalf of the EU DataGrid.\n"); close(client_fd); } #else - ret=doit(client_fd,cred_handle,prefix,msg_sock); + ret=doit(client_fd,cred,prefix,noIPC,noParse); close(client_fd); #endif } /* while */ end: close(listener_fd); - edg_wll_ssl_free(cred_handle); + gss_release_cred(&min_stat, &cred); exit(ret); } diff --git a/org.glite.lb.logger/src/logd_proto.c b/org.glite.lb.logger/src/logd_proto.c index 4ef2f29..bb033a7 100644 --- a/org.glite.lb.logger/src/logd_proto.c +++ b/org.glite.lb.logger/src/logd_proto.c @@ -37,20 +37,21 @@ int edg_wll_ll_log_level; * *---------------------------------------------------------------------- */ -static int send_answer_back(SSL *ssl, int answer, struct timeval *timeout) { +static int send_answer_back(edg_wll_GssConnection *con, int answer, struct timeval *timeout) { int count = 0; int err = 0; int ans = answer; u_int8_t ans_end[4]; + edg_wll_GssStatus gss_stat; edg_wll_ll_log(LOG_INFO,"Sending answer \"%d\" back to client...",answer); ans_end[0] = ans & 0xff; ans >>= 8; ans_end[1] = ans & 0xff; ans >>= 8; ans_end[2] = ans & 0xff; ans >>= 8; ans_end[3] = ans; - if ((err = edg_wll_ssl_write_full(ssl,ans_end,4,timeout,&count)) < 0 ) { + if ((err = edg_wll_gss_write_full(con,ans_end,4,timeout,&count, &gss_stat)) < 0 ) { edg_wll_ll_log(LOG_INFO,"error.\n"); - return edg_wll_log_proto_server_failure(err,"Error sending answer"); + return edg_wll_log_proto_server_failure(err,&gss_stat,"Error sending answer"); } else { edg_wll_ll_log(LOG_INFO,"o.k.\n"); return 0; @@ -304,7 +305,7 @@ static ssize_t edg_wll_socket_write_full(int sock,void *buf,size_t bufsize,struc * *---------------------------------------------------------------------- */ -int edg_wll_log_proto_server(SSL *ssl, char *name, char *prefix, int noipc, int noparse) +int edg_wll_log_proto_server(edg_wll_GssConnection *con, char *name, char *prefix, int noipc, int noparse) { char *buf,*dglllid,*dguser,*jobId,*name_esc; char header[EDG_WLL_LOG_SOCKET_HEADER_LENGTH+1]; @@ -326,6 +327,7 @@ int edg_wll_log_proto_server(SSL *ssl, char *name, char *prefix, int noipc, int int err; edg_wll_Context context; edg_wll_Event *event; + edg_wll_GssStatus gss_stat; errno = i = answer = answer_sent = size = msg_size = dglllid_size = dguser_size = count = count_total = msg_sock = filedesc = filelock_status = /* priority */ unique = err = 0; buf = dglllid = dguser = jobId = name_esc = msg = msg_begin = NULL; @@ -370,9 +372,9 @@ int edg_wll_log_proto_server(SSL *ssl, char *name, char *prefix, int noipc, int /* receive socket header */ edg_wll_ll_log(LOG_INFO,"Reading socket header..."); memset(header, 0, EDG_WLL_LOG_SOCKET_HEADER_LENGTH+1); - if ((err = edg_wll_ssl_read_full(ssl, header, EDG_WLL_LOG_SOCKET_HEADER_LENGTH, &timeout, &count)) < 0) { + if ((err = edg_wll_gss_read_full(con, header, EDG_WLL_LOG_SOCKET_HEADER_LENGTH, &timeout, &count, &gss_stat)) < 0) { edg_wll_ll_log(LOG_INFO,"error.\n"); - answer = edg_wll_log_proto_server_failure(err,"Error receiving header"); + answer = edg_wll_log_proto_server_failure(err,&gss_stat,"Error receiving header"); goto edg_wll_log_proto_server_end; } else { edg_wll_ll_log(LOG_INFO,"o.k.\n"); @@ -394,9 +396,9 @@ int edg_wll_log_proto_server(SSL *ssl, char *name, char *prefix, int noipc, int /* edg_wll_ll_log(LOG_DEBUG,"Reading message priority..."); count = 0; - if ((err = edg_wll_ssl_read_full(ssl, &priority, sizeof(priority), &timeout, &count)) < 0) { + if ((err = edg_wll_gss_read_full(con, &priority, sizeof(priority), &timeout, &count, &gss_stat)) < 0) { edg_wll_ll_log(LOG_DEBUG,"error.\n"); - answer = edg_wll_log_proto_server_failure(err,"Error receiving message priority"); + answer = edg_wll_log_proto_server_failure(err,&gss_stat,"Error receiving message priority"); goto edg_wll_log_proto_server_end; } else { edg_wll_ll_log(LOG_DEBUG,"o.k.\n"); @@ -405,9 +407,9 @@ int edg_wll_log_proto_server(SSL *ssl, char *name, char *prefix, int noipc, int edg_wll_ll_log(LOG_DEBUG,"Reading message size..."); count = 0; - if ((err = edg_wll_ssl_read_full(ssl, size_end, 4, &timeout, &count)) < 0) { + if ((err = edg_wll_gss_read_full(con, size_end, 4, &timeout, &count,&gss_stat)) < 0) { edg_wll_ll_log(LOG_DEBUG,"error.\n"); - answer = edg_wll_log_proto_server_failure(err,"Error receiving message size"); + answer = edg_wll_log_proto_server_failure(err,&gss_stat,"Error receiving message size"); goto edg_wll_log_proto_server_end; } else { edg_wll_ll_log(LOG_DEBUG,"o.k.\n"); @@ -464,9 +466,9 @@ int edg_wll_log_proto_server(SSL *ssl, char *name, char *prefix, int noipc, int edg_wll_ll_log(LOG_INFO,"Reading message from socket..."); buf = msg_begin + dguser_size; count = 0; - if ((err = edg_wll_ssl_read_full(ssl, buf, size, &timeout, &count)) < 0) { + if ((err = edg_wll_gss_read_full(con, buf, size, &timeout, &count, &gss_stat)) < 0) { edg_wll_ll_log(LOG_INFO,"error.\n"); - answer = edg_wll_log_proto_server_failure(err,"Error receiving message"); + answer = edg_wll_log_proto_server_failure(err,&gss_stat,"Error receiving message"); goto edg_wll_log_proto_server_end; } else { edg_wll_ll_log(LOG_INFO,"o.k.\n"); @@ -625,7 +627,7 @@ open_event_file: /* if not priority send now the answer back to client */ if (!event->any.priority) { - if (!send_answer_back(ssl,answer,&timeout)) { + if (!send_answer_back(con,answer,&timeout)) { answer_sent = 1; } } @@ -743,7 +745,7 @@ open_event_file: edg_wll_log_proto_server_end: /* if not sent already, send the answer back to client */ if (!answer_sent) { - answer = send_answer_back(ssl,answer,&timeout); + answer = send_answer_back(con,answer,&timeout); } /* clean */ edg_wll_FreeContext(context); @@ -768,7 +770,7 @@ edg_wll_log_proto_server_end: * *---------------------------------------------------------------------- */ -int edg_wll_log_proto_server_failure(int code, const char *text) +int edg_wll_log_proto_server_failure(int code, edg_wll_GssStatus *gss_code, const char *text) { const char *func = "edg_wll_log_proto_server()"; int ret = 0; @@ -777,23 +779,29 @@ int edg_wll_log_proto_server_failure(int code, const char *text) return(0); } switch(code) { - case EDG_WLL_SSL_ERROR_EOF: + case EDG_WLL_GSS_ERROR_EOF: edg_wll_ll_log(LOG_ERR,"%s: %s, EOF occured\n", func, text); ret = EAGAIN; break; - case EDG_WLL_SSL_ERROR_TIMEOUT: + case EDG_WLL_GSS_ERROR_TIMEOUT: edg_wll_ll_log(LOG_ERR,"%s: %s, timeout expired\n", func, text); ret = EAGAIN; break; - case EDG_WLL_SSL_ERROR_ERRNO: perror("edg_wll_ssl_read()"); break; + /* XXX DK: co tenhle break??: */ + case EDG_WLL_GSS_ERROR_ERRNO: perror("edg_wll_gss_read()"); break; edg_wll_ll_log(LOG_ERR,"%s: %s, system error occured\n", func, text); ret = EAGAIN; break; - case EDG_WLL_SSL_ERROR_SSL: - edg_wll_ll_log(LOG_ERR,"%s: %s, SSL error occured: %s\n", func, text, - ERR_reason_error_string(ERR_get_error())); - ret = EAGAIN; - break; + case EDG_WLL_GSS_ERROR_GSS: + { + char *gss_err; + + edg_wll_gss_get_error(gss_code, "GSS error occured", &gss_err); + edg_wll_ll_log(LOG_ERR,"%s: %s, %s\n", func, text, gss_err); + free(gss_err); + ret = EAGAIN; + break; + } default: edg_wll_ll_log(LOG_ERR,"%s: %s, unknown error occured\n"); break; @@ -804,34 +812,6 @@ int edg_wll_log_proto_server_failure(int code, const char *text) /* *---------------------------------------------------------------------- * - * edg_wll_set_environment - set X509 environment variables form given args - * - * Calls: setenv - * - * Algorithm: - * - *---------------------------------------------------------------------- - */ -void edg_wll_set_environment(char *user_cert, - char *user_key, - char *user_proxy, - char *CAcert_file, - char *CAcert_dir, - char *gridmap) -{ - if (user_cert) setenv("X509_USER_CERT", user_cert, 1); - if (user_key) setenv("X509_USER_KEY", user_key, 1); - if (user_proxy) setenv("X509_USER_PROXY", user_proxy, 1); - if (CAcert_file) setenv("X509_CERT_FILE", CAcert_file, 1); - if (CAcert_dir) setenv("X509_CERT_DIR", CAcert_dir, 1); - if (gridmap) setenv("GRIDMAP", gridmap, 1); - - return; -} - -/* - *---------------------------------------------------------------------- - * * edg_wll_ll_log_init - initialize the logging level * *---------------------------------------------------------------------- diff --git a/org.glite.lb.logger/src/logd_proto.h b/org.glite.lb.logger/src/logd_proto.h index b71bdf5..f28ee53 100644 --- a/org.glite.lb.logger/src/logd_proto.h +++ b/org.glite.lb.logger/src/logd_proto.h @@ -17,10 +17,10 @@ extern "C" { #include #include "glite/lb/log_proto.h" -#include "glite/lb/dgssl.h" +#include "glite/lb/lb_gss.h" -int edg_wll_log_proto_server(SSL *ssl, char *name, char *prefix, int noipc, int noparse); -int edg_wll_log_proto_server_failure(int code, const char *text); +int edg_wll_log_proto_server(edg_wll_GssConnection *con, char *name, char *prefix, int noipc, int noparse); +int edg_wll_log_proto_server_failure(int code, edg_wll_GssStatus *gss_code, const char *text); #define SYSTEM_ERROR(my_err) { \ if (errno !=0 ) \ @@ -28,13 +28,6 @@ int edg_wll_log_proto_server_failure(int code, const char *text); else \ edg_wll_ll_log(LOG_ERR,"%s\n",my_err); } -void edg_wll_set_environment(char *user_cert, - char *user_key, - char *user_proxy, - char *CAcert_file, - char *CAcert_dir, - char *gridmapfile); - /* locallogger daemon error handling */ extern int edg_wll_ll_log_level; diff --git a/org.glite.lb.logger/src/recover.c b/org.glite.lb.logger/src/recover.c index 18b6d5b..7ae417e 100644 --- a/org.glite.lb.logger/src/recover.c +++ b/org.glite.lb.logger/src/recover.c @@ -35,18 +35,15 @@ recover_thread(void *q) il_log(LOG_INFO, "Checking for new certificate...\n"); if(pthread_mutex_lock(&cred_handle_lock) < 0) abort(); - if (edg_wll_ssl_watch_creds(key_file, - cert_file, - &key_mtime, - &cert_mtime) > 0) { - void * new_cred_handle = edg_wll_ssl_init(SSL_VERIFY_FAIL_IF_NO_PEER_CERT, - 0, - cert_file, - key_file, - 0, - 0); - if (new_cred_handle) { - edg_wll_ssl_free(cred_handle); + if (edg_wll_gss_watch_creds(cert_file, &cert_mtime) > 0) { + gss_cred_id_t new_cred_handle = GSS_C_NO_CREDENTIAL; + OM_uint32 min_stat; + int ret; + + ret = edg_wll_gss_acquire_cred_gsi(cert_file, + &new_cred_handle, NULL, NULL); + if (new_cred_handle != GSS_C_NO_CREDENTIAL) { + gss_release_cred(&min_stat, &cred_handle); cred_handle = new_cred_handle; il_log(LOG_INFO, "New certificate found and deployed.\n"); } diff --git a/org.glite.lb.logger/src/send_event.c b/org.glite.lb.logger/src/send_event.c index 1c24e3e..b3b0193 100644 --- a/org.glite.lb.logger/src/send_event.c +++ b/org.glite.lb.logger/src/send_event.c @@ -103,17 +103,24 @@ get_reply(struct event_queue *eq, char **buf, int *code_min) char buffer[17]; char *msg, *p; int len, code, l; - SSL *ssl; + edg_wll_GssConnection *gss; struct timeval tv; + edg_wll_GssStatus gss_stat; - ssl = eq->ssl; + gss = &eq->gss; /* get message header */ tv.tv_sec = TIMEOUT; tv.tv_usec = 0; - code = edg_wll_ssl_read_full(ssl, buffer, 17, &tv, &len); + code = edg_wll_gss_read_full(gss, buffer, 17, &tv, &len, &gss_stat); if(code < 0) { - set_error(IL_DGSSL, code, "get_reply (header)"); + char *gss_err = NULL; + + if (code == EDG_WLL_GSS_ERROR_GSS) + edg_wll_gss_get_error(&gss_stat, "get_reply (header)", &gss_err); + set_error(IL_DGGSS, code, + (code == EDG_WLL_GSS_ERROR_GSS) ? gss_err : "get_reply (header)"); + if (gss_err) free(gss_err); return(-1); } @@ -134,9 +141,15 @@ get_reply(struct event_queue *eq, char **buf, int *code_min) /* read all the data */ tv.tv_sec = TIMEOUT; tv.tv_usec = 0; - code = edg_wll_ssl_read_full(ssl, msg, len, &tv, &l); + code = edg_wll_gss_read_full(gss, msg, len, &tv, &l, &gss_stat); if(code < 0) { - set_error(IL_DGSSL, code, "get_reply (body)"); + char *gss_err = NULL; + + if (code == EDG_WLL_GSS_ERROR_GSS) + edg_wll_gss_get_error(&gss_stat, "get_reply (body)", &gss_err); + set_error(IL_DGGSS, code, + (code == EDG_WLL_GSS_ERROR_GSS) ? gss_err : "get_reply (body)"); + if (gss_err) free(gss_err); return(-1); } @@ -177,22 +190,29 @@ event_queue_connect(struct event_queue *eq) { int ret; struct timeval tv; + edg_wll_GssStatus gss_stat; assert(eq != NULL); - if(eq->ssl == NULL) { + if(eq->gss.context == GSS_C_NO_CONTEXT) { tv.tv_sec = TIMEOUT; tv.tv_usec = 0; if(pthread_mutex_lock(&cred_handle_lock) < 0) abort(); il_log(LOG_DEBUG, " trying to connect to %s:%d\n", eq->dest_name, eq->dest_port); - ret = edg_wll_ssl_connect(cred_handle, eq->dest_name, eq->dest_port, &tv, &eq->ssl); + ret = edg_wll_gss_connect(cred_handle, eq->dest_name, eq->dest_port, &tv, &eq->gss, &gss_stat); if(pthread_mutex_unlock(&cred_handle_lock) < 0) abort(); if(ret < 0) { - set_error(IL_DGSSL, ret, "event_queue_connect: edg_wll_ssl_connect"); - eq->ssl = NULL; + char *gss_err = NULL; + + if (ret == EDG_WLL_GSS_ERROR_GSS) + edg_wll_gss_get_error(&gss_stat, "event_queue_connect: edg_wll_gss_connect", &gss_err); + set_error(IL_DGGSS, ret, + (ret == EDG_WLL_GSS_ERROR_GSS) ? gss_err : "event_queue_connect: edg_wll_gss_connect"); + if (gss_err) free(gss_err); + eq->gss.context = GSS_C_NO_CONTEXT; eq->timeout = TIMEOUT; return(0); } @@ -207,9 +227,9 @@ event_queue_close(struct event_queue *eq) { assert(eq != NULL); - if(eq->ssl != NULL) { - edg_wll_ssl_close(eq->ssl); - eq->ssl = NULL; + if(eq->gss.context != GSS_C_NO_CONTEXT) { + edg_wll_gss_close(&eq->gss, NULL); + eq->gss.context = GSS_C_NO_CONTEXT; } return(0); } @@ -224,7 +244,7 @@ event_queue_send(struct event_queue *eq) { assert(eq != NULL); - if(eq->ssl == NULL) + if(eq->gss.context == GSS_C_NO_CONTEXT) return(0); /* feed the server with events */ @@ -233,6 +253,7 @@ event_queue_send(struct event_queue *eq) char *rep; int ret, code, code_min, bytes_sent; struct timeval tv; + edg_wll_GssStatus gss_stat; clear_error(); @@ -241,7 +262,7 @@ event_queue_send(struct event_queue *eq) tv.tv_sec = TIMEOUT; tv.tv_usec = 0; - ret = edg_wll_ssl_write_full(eq->ssl, msg->msg, msg->len, &tv, &bytes_sent); + ret = edg_wll_gss_write_full(&eq->gss, msg->msg, msg->len, &tv, &bytes_sent, &gss_stat); if(ret < 0) { eq->timeout = TIMEOUT; return(0); diff --git a/org.glite.lb.server/Makefile b/org.glite.lb.server/Makefile index a1313fa..cf0c7eb 100644 --- a/org.glite.lb.server/Makefile +++ b/org.glite.lb.server/Makefile @@ -38,8 +38,7 @@ CFLAGS:= -DNO_VOMS -DNO_GACL \ -I${expat_prefix}/include \ -I${ares_prefix}/include \ -I${mysql_prefix}/include \ - -I${globus_prefix}/include/${nothrflavour} \ - -I${globus_prefix}/include/${nothrflavour}/openssl + -I${globus_prefix}/include/${nothrflavour} LINK:=libtool --mode=link ${CC} ${LDFLAGS} INSTALL:=libtool --mode=install install @@ -50,7 +49,7 @@ INSTALL:=libtool --mode=install install GLOBUS_LIBS:= -L${globus_prefix}/lib \ -lglobus_common_${nothrflavour} \ - -lssl_${nothrflavour} + -lglobus_gssapi_gsi_${nothrflavour} # XXX: our vomsc.la depends on badly installed expat @@ -118,7 +117,8 @@ install: done for f in dbsetup.sql index.conf.template; do \ - ${INSTALL} -m 644 ${top_srcdir}/config/"glite-lb-$$p" ${PREFIX}/etc + ${INSTALL} -m 644 ${top_srcdir}/config/"glite-lb-$$f" ${PREFIX}/etc; \ + done ${INSTALL} -m 755 ${top_srcdir}/config/startup ${PREFIX}/etc/init.d/glite-lb-bkserverd diff --git a/org.glite.lb.server/src/bkserverd.c b/org.glite.lb.server/src/bkserverd.c index d0b5e5d..fa36b4a 100644 --- a/org.glite.lb.server/src/bkserverd.c +++ b/org.glite.lb.server/src/bkserverd.c @@ -36,6 +36,7 @@ #include "glite/lb/context.h" #include "glite/lb/mini_http.h" #include "glite/lb/context-int.h" +#include "glite/lb/lb_gss.h" #include "lb_http.h" #include "lb_proto.h" @@ -207,7 +208,7 @@ static void clnt_reject(void *mycred, int conn) if (fcntl(conn, F_SETFL, flags | O_NONBLOCK) < 0) return; - edg_wll_ssl_reject(mycred, conn); + edg_wll_gss_reject(conn); return; } @@ -454,7 +455,7 @@ static int parse_limits(char *opt, int *j_limit, int *e_limit, int *size_limit) } static unsigned long clnt_dispatched=0, clnt_accepted=0; -static void *mycred; +static gss_cred_id_t mycred = GSS_C_NO_CREDENTIAL; static int server_sock,store_sock; static int check_mkdir(const char *); @@ -474,6 +475,8 @@ int main(int argc,char *argv[]) key_t semkey; time_t cert_mtime = 0,key_mtime = 0; edg_wll_Context ctx; + OM_uint32 min_stat; + edg_wll_GssStatus gss_code; name = strrchr(argv[0],'/'); if (name) name++; else name = argv[0]; @@ -662,9 +665,9 @@ int main(int argc,char *argv[]) if (!cert || !key) fprintf(stderr,"%s: key or certificate file not specified - unable to watch them for changes!\n",argv[0]); if (cadir) setenv("X509_CERT_DIR",cadir,1); - mycred = edg_wll_ssl_init(SSL_VERIFY_PEER,1,cert,key,0,0); - edg_wll_ssl_get_my_subject_base(mycred,&mysubj); - if (mysubj) { + if (edg_wll_gss_acquire_cred_gsi(cert, &mycred, &mysubj, &gss_code)) { + dprintf(("Running unauthenticated\n")); + } else { int i; dprintf(("Server identity: %s\n",mysubj)); @@ -673,7 +676,6 @@ int main(int argc,char *argv[]) super_users[i] = mysubj; super_users[i+1] = NULL; } - else dprintf(("Running unauthenticated\n")); if (noAuth) dprintf(("Promiscuous mode\n")); dprintf(("Listening at %d,%d (accepting protocols: " COMP_PROTO " and compatible) ...\n",atoi(port),atoi(port)+1)); @@ -733,6 +735,8 @@ int main(int argc,char *argv[]) fd_set fds; int ret,mx; struct timeval watch_to = { WATCH_TIMEOUT, 0 }; + gss_cred_id_t newcred = GSS_C_NO_CREDENTIAL; + edg_wll_GssStatus gss_code; FD_ZERO(&fds); @@ -740,13 +744,13 @@ int main(int argc,char *argv[]) FD_SET(store_sock,&fds); FD_SET(sock_slave[0],&fds); - switch (edg_wll_ssl_watch_creds(key,cert,&key_mtime,&cert_mtime)) { - void *newcred; + switch (edg_wll_gss_watch_creds(cert,&cert_mtime)) { case 0: break; - case 1: newcred = edg_wll_ssl_init(SSL_VERIFY_PEER,1,cert,key,0,0); - if (newcred) { + case 1: + ret = edg_wll_gss_acquire_cred_gsi(cert, &newcred, NULL, &gss_code); + if (ret == 0) { dprintf(("reloading credentials")); - edg_wll_ssl_free(mycred); + gss_release_cred(&min_stat, &mycred); mycred = newcred; kill(0,SIGUSR1); } @@ -809,7 +813,7 @@ int main(int argc,char *argv[]) semctl(semset,0,IPC_RMID,0); unlink(pidfile); free(port); - edg_wll_ssl_free(mycred); + gss_release_cred(&min_stat, &mycred); return 0; } @@ -949,13 +953,13 @@ static int slave(void *mycred,int sock) int alen,store,max = sock,newconn = -1; int connflags,kick_client = 0; unsigned long seq; - X509 *peer; struct timeval dns_to = {DNS_TIMEOUT, 0}, check_to = {SLAVE_CHECK_SIGNALS, 0}, total_to = { TOTAL_CLNT_TIMEOUT,0 }, client_to = { CLNT_TIMEOUT,0 }, now; char *name = NULL; struct sockaddr_in a; + edg_wll_GssStatus gss_code; FD_ZERO(&fds); @@ -1004,14 +1008,13 @@ static int slave(void *mycred,int sock) switch (edg_wll_Error(ctx,&errt,&errd)) { case ETIMEDOUT: /* fallthrough */ - case EDG_WLL_ERROR_SSL: + case EDG_WLL_ERROR_GSS: case EPIPE: dprintf(("[%d] %s (%s)\n",getpid(),errt,errd)); if (!debug) syslog(LOG_ERR,"%s (%s)",errt,errd); /* fallthrough */ case ENOTCONN: - edg_wll_ssl_close(ctx->connPool[ctx->connToUse].ssl); - ctx->connPool[ctx->connToUse].ssl = NULL; /* XXX: is it necessary ? */ + edg_wll_gss_close(&ctx->connPool[ctx->connToUse].gss, NULL); edg_wll_FreeContext(ctx); ctx = NULL; close(conn); @@ -1059,10 +1062,9 @@ static int slave(void *mycred,int sock) } if (kick_client && conn >= 0) { - if (ctx->connPool[ctx->connToUse].ssl) { + if (ctx->connPool[ctx->connToUse].gss.context != GSS_C_NO_CONTEXT) { struct timeval to = { 0, CLNT_REJECT_TIMEOUT }; - edg_wll_ssl_close_timeout(ctx->connPool[ctx->connToUse].ssl,&to); - ctx->connPool[ctx->connToUse].ssl = NULL; + edg_wll_gss_close(&ctx->connPool[ctx->connToUse].gss,&to); } edg_wll_FreeContext(ctx); close(conn); /* XXX: should not harm */ @@ -1071,6 +1073,10 @@ static int slave(void *mycred,int sock) } if (newconn >= 0) { + OM_uint32 min_stat, maj_stat; + gss_name_t client_name = GSS_C_NO_NAME; + gss_buffer_desc token = GSS_C_EMPTY_BUFFER; + conn = newconn; gettimeofday(&client_start,NULL); client_done.tv_sec = client_start.tv_sec; @@ -1194,36 +1200,48 @@ static int slave(void *mycred,int sock) ctx->srvPort = ntohs(a.sin_port); } - if (!(ctx->connPool[ctx->connToUse].ssl = edg_wll_ssl_accept(mycred,conn,&ctx->p_tmp_timeout))) { - dprintf(("[%d] SSL hanshake failed, closing.\n",getpid())); - if (!debug) syslog(LOG_ERR,"SSL hanshake failed"); + if (edg_wll_gss_accept(mycred, conn, &ctx->p_tmp_timeout, &ctx->connPool[ctx->connToUse].gss, &gss_code)) { + dprintf(("[%d] Client authentication failed, closing.\n",getpid())); + if (!debug) syslog(LOG_ERR,"Client authentication failed"); close(conn); conn = -1; edg_wll_FreeContext(ctx); continue; - } else if ((peer = SSL_get_peer_certificate(ctx->connPool[ctx->connToUse].ssl)) != NULL) { - X509_NAME *s = X509_get_subject_name(peer); - - proxy_get_base_name(s); - free(ctx->peerName); - ctx->peerName = X509_NAME_oneline(s,NULL,0); + } + maj_stat = gss_inquire_context(&min_stat, ctx->connPool[ctx->connToUse].gss.context, &client_name, NULL, NULL, NULL, NULL, NULL, NULL); + if (!GSS_ERROR(maj_stat)) + maj_stat = gss_display_name(&min_stat, client_name, &token, NULL); + + if (!GSS_ERROR(maj_stat)) { + if (ctx->peerName) free(ctx->peerName); + ctx->peerName = (char *)token.value; + memset(&token, 0, sizeof(token)); +/* XXX DK: pujde pouzit lifetime z inquire_context()? ctx->peerProxyValidity = ASN1_UTCTIME_mktime(X509_get_notAfter(peer)); - X509_free(peer); - +*/ + dprintf(("[%d] client DN: %s\n",getpid(),ctx->peerName)); - edg_wll_GetVomsGroups(ctx, vomsdir, cadir); - if (debug && ctx->vomsGroups.len > 0) { - int i; - - dprintf(("[%d] client's VOMS groups:\n",getpid())); - for (i = 0; i < ctx->vomsGroups.len; i++) - dprintf(("\t%s:%s\n", - ctx->vomsGroups.val[i].vo, - ctx->vomsGroups.val[i].name)); - } - - } else dprintf(("[%d] annonymous client\n",getpid())); + } else { + /* XXX DK: Check if the ANONYMOUS flag is set ? */ + dprintf(("[%d] annonymous client\n",getpid())); + } + + if (client_name != GSS_C_NO_NAME) + gss_release_name(&min_stat, &client_name); + if (token.value) + gss_release_buffer(&min_stat, &token); + + edg_wll_SetVomsGroups(ctx, &ctx->connPool[ctx->connToUse].gss, vomsdir, cadir); + if (debug && ctx->vomsGroups.len > 0) { + int i; + + dprintf(("[%d] client's VOMS groups:\n",getpid())); + for (i = 0; i < ctx->vomsGroups.len; i++) + dprintf(("\t%s:%s\n", + ctx->vomsGroups.val[i].vo, + ctx->vomsGroups.val[i].name)); + } /* used also to reset start_time after edg_wll_ssl_accept! */ /* gettimeofday(&start_time,0); */ @@ -1237,7 +1255,6 @@ static int slave(void *mycred,int sock) } ctx->strict_locking = strict_locking; } - } if (die) { diff --git a/org.glite.lb.server/src/lb_authz.c b/org.glite.lb.server/src/lb_authz.c index 95539ad..9eb17e2 100644 --- a/org.glite.lb.server/src/lb_authz.c +++ b/org.glite.lb.server/src/lb_authz.c @@ -72,8 +72,82 @@ get_groups(edg_wll_Context ctx, struct vomsdata *voms_info, return 0; } +static int +get_peer_cred(edg_wll_GssConnection *gss, STACK_OF(X509) **chain, X509 **cert) +{ + OM_uint32 maj_stat, min_stat; + gss_buffer_desc buffer = GSS_C_EMPTY_BUFFER; + BIO *bio = NULL; + SSL_SESSION *session = NULL; + unsigned char int_buffer[4]; + long length; + int ret, index; + STACK_OF(X509) *cert_chain = NULL; + X509 *peer_cert = NULL; + X509 *p_cert; + + maj_stat = gss_export_sec_context(&min_stat, gss->context, &buffer); + if (GSS_ERROR(maj_stat)) + return -1; /* XXX */ + + bio = BIO_new(BIO_s_mem()); + if (bio == NULL) { + ret = -1; + goto end; + } + + /* Store exported context to memory, skipping the version number and and cred_usage fields */ + BIO_write(bio, buffer.value + 8 , buffer.length - 8); + + /* decode the session data in order to skip at the start of the cert chain */ + session = d2i_SSL_SESSION_bio(bio, NULL); + if (session == NULL) { + ret = -1; /* XXX */ + goto end; + } + if (session->peer) + peer_cert = X509_dup(session->peer); + + SSL_SESSION_free(session); + + BIO_read(bio, (char *) int_buffer, 4); + length = (((size_t) int_buffer[0]) << 24) & 0xffff; + length |= (((size_t) int_buffer[1]) << 16) & 0xffff; + length |= (((size_t) int_buffer[2]) << 8) & 0xffff; + length |= (((size_t) int_buffer[3]) ) & 0xffff; + + if (length == 0) { + ret = 0; + goto end; + } + + cert_chain = sk_X509_new_null(); + for(index = 0; index < length; index++) { + p_cert = d2i_X509_bio(bio, NULL); + if (p_cert == NULL) { + ret = -1; /* XXX */ + sk_X509_pop_free(cert_chain, X509_free); + goto end; + } + + sk_X509_push(cert_chain, p_cert); + } + + *chain = cert_chain; + *cert = peer_cert; + peer_cert = NULL; + ret = 0; + +end: + if (peer_cert) + X509_free(peer_cert); + gss_release_buffer(&min_stat, &buffer); + + return ret; +} + int -edg_wll_GetVomsGroups(edg_wll_Context ctx, char *voms_dir, char *ca_dir) +edg_wll_SetVomsGroups(edg_wll_Context ctx, edg_wll_GssConnection *gss, char *voms_dir, char *ca_dir) { STACK_OF(X509) *p_chain = NULL; X509 *cert = NULL; @@ -81,11 +155,15 @@ edg_wll_GetVomsGroups(edg_wll_Context ctx, char *voms_dir, char *ca_dir) int err = 0; struct vomsdata *voms_info = NULL; + /* XXX DK: correct cleanup ?? */ memset (&ctx->vomsGroups, 0, sizeof(ctx->vomsGroups)); edg_wll_ResetError(ctx); - p_chain = SSL_get_peer_cert_chain(ctx->connPool[ctx->connToUse].ssl); - cert = SSL_get_peer_certificate(ctx->connPool[ctx->connToUse].ssl); + ret = get_peer_cred(gss, &p_chain, &cert); + if (ret) { + ret = 0; + goto end; + } /* exit if peer's credentials are not available */ if (p_chain == NULL || cert == NULL) { @@ -104,7 +182,10 @@ edg_wll_GetVomsGroups(edg_wll_Context ctx, char *voms_dir, char *ca_dir) ret = VOMS_Retrieve(cert, p_chain, RECURSE_CHAIN, voms_info, &err); if (ret == 0) { if (err == VERR_NOEXT) + /* XXX DK: edg_wll_SetError(ctx, EINVAL, "no client VOMS certificates found"); + */ + ret = 0; else { edg_wll_SetError(ctx, -1, "failed to retrieve VOMS info"); ret = -1; /* XXX VOMS Error */ @@ -142,7 +223,7 @@ edg_wll_FreeVomsGroups(edg_wll_VomsGroups *groups) #else /* NO_VOMS */ int -edg_wll_GetVomsGroups() { return 0; } +edg_wll_SetVomsGroups() { return 0; } void edg_wll_FreeVomsGroups() {} diff --git a/org.glite.lb.server/src/lb_authz.h b/org.glite.lb.server/src/lb_authz.h index 87af429..a23bd1b 100644 --- a/org.glite.lb.server/src/lb_authz.h +++ b/org.glite.lb.server/src/lb_authz.h @@ -22,6 +22,7 @@ typedef struct _edg_wll_Acl *edg_wll_Acl; #include #include "glite/lb/context-int.h" +#include "glite/lb/lb_gss.h" extern int edg_wll_InitAcl(edg_wll_Acl *); @@ -47,7 +48,7 @@ edg_wll_GetACL(edg_wll_Context, edg_wlc_JobId, edg_wll_Acl *); #endif /* NO_GACL */ extern int -edg_wll_GetVomsGroups(edg_wll_Context, char *, char *); +edg_wll_SetVomsGroups(edg_wll_Context, edg_wll_GssConnection *, char *, char *); extern void edg_wll_FreeVomsGroups(edg_wll_VomsGroups *); diff --git a/org.glite.lb.server/src/store.c.T b/org.glite.lb.server/src/store.c.T index 51989ee..47a894f 100644 --- a/org.glite.lb.server/src/store.c.T +++ b/org.glite.lb.server/src/store.c.T @@ -19,7 +19,6 @@ #include -#include "glite/wmsutils/thirdparty/globus_ssl_utils/sslutils.h" #include "glite/wmsutils/jobid/strmd5.h" #include "glite/lb/events_parse.h" diff --git a/org.glite.lb.server/src/stored_master.c b/org.glite.lb.server/src/stored_master.c index 87e1b3d..7c29f77 100644 --- a/org.glite.lb.server/src/stored_master.c +++ b/org.glite.lb.server/src/stored_master.c @@ -9,7 +9,7 @@ #include #include "glite/lb/il_string.h" -#include "glite/lb/dgssl.h" +#include "glite/lb/lb_gss.h" #include "glite/lb/context-int.h" #include "store.h" @@ -19,23 +19,24 @@ int edg_wll_StoreProto(edg_wll_Context ctx) char fbuf[256],*buf; int len,ret; size_t total; + edg_wll_GssStatus gss_code; edg_wll_ResetError(ctx); - if ((ret=edg_wll_ssl_read_full(ctx->connPool[ctx->connToUse].ssl,fbuf,17,&ctx->p_tmp_timeout,&total)) < 0) switch (ret) { - case EDG_WLL_SSL_ERROR_TIMEOUT: return edg_wll_SetError(ctx,ETIMEDOUT,"read message header"); - case EDG_WLL_SSL_ERROR_EOF: return edg_wll_SetError(ctx,ENOTCONN,NULL); - default: return edg_wll_SetError(ctx,EDG_WLL_ERROR_SSL,"read message header"); + if ((ret=edg_wll_gss_read_full(&ctx->connPool[ctx->connToUse].gss,fbuf,17,&ctx->p_tmp_timeout,&total,&gss_code)) < 0) switch (ret) { + case EDG_WLL_GSS_ERROR_TIMEOUT: return edg_wll_SetError(ctx,ETIMEDOUT,"read message header"); + case EDG_WLL_GSS_ERROR_EOF: return edg_wll_SetError(ctx,ENOTCONN,NULL); + default: return edg_wll_SetError(ctx,EDG_WLL_ERROR_GSS,"read message header"); } if ((len = atoi(fbuf)) <= 0) return edg_wll_SetError(ctx,EINVAL,"message length"); buf = malloc(len+1); - if ((ret=edg_wll_ssl_read_full(ctx->connPool[ctx->connToUse].ssl,buf,len,&ctx->p_tmp_timeout,&total)) < 0) { + if ((ret=edg_wll_gss_read_full(&ctx->connPool[ctx->connToUse].gss,buf,len,&ctx->p_tmp_timeout,&total,&gss_code)) < 0) { free(buf); return edg_wll_SetError(ctx, - ret == EDG_WLL_SSL_ERROR_TIMEOUT ? - ETIMEDOUT : EDG_WLL_ERROR_SSL, + ret == EDG_WLL_GSS_ERROR_TIMEOUT ? + ETIMEDOUT : EDG_WLL_ERROR_GSS, "read message"); } @@ -46,10 +47,10 @@ int edg_wll_StoreProto(edg_wll_Context ctx) free(buf); if ((len = create_reply(ctx,fbuf,sizeof fbuf))) { - if ((ret = edg_wll_ssl_write_full(ctx->connPool[ctx->connToUse].ssl,fbuf,len,&ctx->p_tmp_timeout,&total)) < 0) + if ((ret = edg_wll_gss_write_full(&ctx->connPool[ctx->connToUse].gss,fbuf,len,&ctx->p_tmp_timeout,&total,&gss_code)) < 0) edg_wll_SetError(ctx, - ret == EDG_WLL_SSL_ERROR_TIMEOUT ? - ETIMEDOUT : EDG_WLL_ERROR_SSL, + ret == EDG_WLL_GSS_ERROR_TIMEOUT ? + ETIMEDOUT : EDG_WLL_ERROR_GSS, "write reply"); } else edg_wll_SetError(ctx,E2BIG,"create_reply()");