Merge pull request #540 from gganis/secgsi-improvements-3.3.6-x

Secgsi improvements 3.3.6 x
xrootd · Jul 13, 2017 · 483e0a5 · 483e0a5
2 parents 4218fe4 + 407cbf3
commit 483e0a5
Show file tree

Hide file tree

Showing 14 changed files with 984 additions and 521 deletions.
diff --git a/src/XrdCrypto/XrdCryptosslX509Crl.cc b/src/XrdCrypto/XrdCryptosslX509Crl.cc
@@ -45,6 +45,13 @@
 #include <openssl/bn.h>
 #include <openssl/pem.h>
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define X509_REVOKED_get0_revocationDate(x) (x)->revocationDate
+#define X509_REVOKED_get0_serialNumber(x) (x)->serialNumber
+#define X509_CRL_get0_lastUpdate X509_CRL_get_lastUpdate
+#define X509_CRL_get0_nextUpdate X509_CRL_get_nextUpdate
+#endif
+
 //_____________________________________________________________________________
 XrdCryptosslX509Crl::XrdCryptosslX509Crl(const char *cf, int opt)
                  : XrdCryptoX509Crl()
@@ -185,12 +192,15 @@ int XrdCryptosslX509Crl::Init(const char *cf)
    if (!PEM_read_X509_CRL(fc, &crl, 0, 0)) {
       DEBUG("Unable to load CRL from file");
       return -1;
-   } else {
-      DEBUG("CRL successfully loaded");
    }
    //
    // Close the file
    fclose(fc);
+
+   //
+   // Notify
+   DEBUG("CRL successfully loaded from "<< cf);
+
    //
    // Save source file name
    srcfile = cf;
@@ -340,7 +350,6 @@ int XrdCryptosslX509Crl::LoadCache()
    // Load relevant info into the cache
    // Return 0 if ok, -1 in case of error
    EPNAME("LoadCache");
-   XrdSutCacheRef pfeRef;
 
    // The CRL must exists
    if (!crl) {
@@ -371,12 +380,6 @@ int XrdCryptosslX509Crl::LoadCache()
       return 0;
    }
 
-   // Init cache
-   if (cache.Init(nrevoked) != 0) {
-      DEBUG("problems init cache for CRL info");
-      return -1;
-   }
-
    // Get serial numbers of revoked certificates
    char *tagser = 0;
    int i = 0;
@@ -388,28 +391,29 @@ int XrdCryptosslX509Crl::LoadCache()
 #endif /* OPENSSL */
       if (rev) {
          BIGNUM *bn = BN_new();
-         ASN1_INTEGER_to_BN(rev->serialNumber, bn);
+         ASN1_INTEGER_to_BN(X509_REVOKED_get0_serialNumber(rev), bn);
          tagser = BN_bn2hex(bn);
          BN_free(bn);
          TRACE(Dump, "certificate with serial number: "<<tagser<<
                      "  has been revoked");
          // Add to the cache
-         XrdSutPFEntry *cent = cache.Add(pfeRef, (const char *)tagser);
+         bool rdlock = false;
+         XrdSutCacheEntry *cent = cache.Get((const char *)tagser, rdlock);
          if (!cent) {
-            DEBUG("problems updating the cache");
+            DEBUG("problems getting entry in the cache");
             return -1;
          }
          // Add revocation date
-         cent->mtime = XrdCryptosslASN1toUTC(rev->revocationDate);
+         cent->mtime = XrdCryptosslASN1toUTC(X509_REVOKED_get0_revocationDate(rev));
+         // Set status
+         cent->mtime = kCE_ok;
          // Release the string for the serial number
          OPENSSL_free(tagser);
+         // Unlock the entry
+         cent->rwmtx.UnLock();
       }
    }
 
-   // rehash the cache
-   pfeRef.UnLock(); // Prevent lock inversion (though it doesn't matter here)
-   cache.Rehash(1);
-
    return 0;
 }
 
@@ -423,7 +427,7 @@ int XrdCryptosslX509Crl::LastUpdate()
       // Make sure we have a CRL
       if (crl)
          // Extract UTC time in secs from Epoch
-         lastupdate = XrdCryptosslASN1toUTC(X509_CRL_get_lastUpdate(crl));
+         lastupdate = XrdCryptosslASN1toUTC(X509_CRL_get0_lastUpdate(crl));
    }
    // return what we have
    return lastupdate;
@@ -439,7 +443,7 @@ int XrdCryptosslX509Crl::NextUpdate()
       // Make sure we have a CRL
       if (crl)
          // Extract UTC time in secs from Epoch
-         nextupdate = XrdCryptosslASN1toUTC(X509_CRL_get_nextUpdate(crl));
+         nextupdate = XrdCryptosslASN1toUTC(X509_CRL_get0_nextUpdate(crl));
    }
    // return what we have
    return nextupdate;
@@ -476,14 +480,15 @@ const char *XrdCryptosslX509Crl::IssuerHash(int alg)
    // (for v>=1.0.0) when alg = 1
    EPNAME("X509::IssuerHash");
 
-#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
+#if (OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(__APPLE__))
    if (alg == 1) {
       // md5 based
       if (issueroldhash.length() <= 0) {
          // Make sure we have a certificate
          if (crl) {
-            char chash[15] = {0};
-            snprintf(chash,15,"%08lx.0",X509_NAME_hash_old(crl->crl->issuer));
+            char chash[30] = {0};
+            snprintf(chash, sizeof(chash),
+                     "%08lx.0",X509_NAME_hash_old(X509_CRL_get_issuer(crl)));
             issueroldhash = chash;
          } else {
             DEBUG("WARNING: no certificate available - cannot extract issuer hash (md5)");
@@ -501,9 +506,9 @@ const char *XrdCryptosslX509Crl::IssuerHash(int alg)
 
       // Make sure we have a certificate
       if (crl) {
-         char chash[15] = {0};
-         if (chash[0] == 0)
-            snprintf(chash,15,"%08lx.0",X509_NAME_hash(crl->crl->issuer));
+         char chash[30] = {0};
+         snprintf(chash, sizeof(chash),
+                  "%08lx.0",X509_NAME_hash(X509_CRL_get_issuer(crl)));
          issuerhash = chash;
       } else {
          DEBUG("WARNING: no certificate available - cannot extract issuer hash (default)");
@@ -539,7 +544,6 @@ bool XrdCryptosslX509Crl::IsRevoked(int serialnumber, int when)
    // Check if certificate with serialnumber is in the
    // list of revocated certificates
    EPNAME("IsRevoked");
-   XrdSutCacheRef pfeRef;
 
    // Reference time
    int now = (when > 0) ? when : time(0);
@@ -560,13 +564,15 @@ bool XrdCryptosslX509Crl::IsRevoked(int serialnumber, int when)
    sprintf(tagser,"%x",serialnumber);
 
    // Look into the cache
-   XrdSutPFEntry *cent = cache.Get(pfeRef, (const char *)tagser);
-   if (cent) {
+   XrdSutCacheEntry *cent = cache.Get((const char *)tagser);
+   if (cent && cent->status == kCE_ok) {
       // Check the revocation time
       if (now > cent->mtime) {
          DEBUG("certificate "<<tagser<<" has been revoked");
+         cent->rwmtx.UnLock();
          return 1;
       }
+      cent->rwmtx.UnLock();
    }
 
    // Certificate not revoked
@@ -579,7 +585,6 @@ bool XrdCryptosslX509Crl::IsRevoked(const char *sernum, int when)
    // Check if certificate with 'sernum' is in the
    // list of revocated certificates
    EPNAME("IsRevoked");
-   XrdSutCacheRef pfeRef;
 
    // Reference time
    int now = (when > 0) ? when : time(0);
@@ -596,13 +601,15 @@ bool XrdCryptosslX509Crl::IsRevoked(const char *sernum, int when)
    }
 
    // Look into the cache
-   XrdSutPFEntry *cent = cache.Get(pfeRef, (const char *)sernum);
-   if (cent) {
+   XrdSutCacheEntry *cent = cache.Get((const char *)sernum);
+   if (cent && cent->status == kCE_ok) {
       // Check the revocation time
       if (now > cent->mtime) {
          DEBUG("certificate "<<sernum<<" has been revoked");
+         cent->rwmtx.UnLock();
          return 1;
       }
+      cent->rwmtx.UnLock();
    }
 
    // Certificate not revoked

diff --git a/src/XrdCrypto/XrdCryptosslX509Crl.hh b/src/XrdCrypto/XrdCryptosslX509Crl.hh
@@ -45,7 +45,6 @@
 //
 // ---------------------------------------------------------------------------//
 
-class XrdSutCache;
 class XrdCryptoX509;
 
 class XrdCryptosslX509Crl : public XrdCryptoX509Crl {