Overhaul curl's usage of CAs. #1431
Merged
5e31d97
Overhaul curl's usage of CAs.
bbockelm 75f631e
Add support for certfile directive for TPC handler.
bbockelm c84668f
Provide a pure-environment override for the XrdTpc cadir.
bbockelm 399d5a7
XrdTpc: Switch update variables to std::atomics.
bbockelm 1fe8f5d
XrdTpc: Remove deprecated readdir_r.
bbockelm 5793ac7
Remove use of smart pointers.
bbockelm 97deb89
XrdTpc: Pass filename to parsing / exporting functions.
bbockelm 2719b4b
XrdTpc: Use XrdSysFD functions where possible for CLOEXEC protection.
bbockelm 380f476
XrdTpc: If NSS hack is needed and fails, do not startup server.
bbockelm 5f49669
XrdTls: Move temp CA generator code into core XrdTls.
bbockelm ab5fad4
XrdTpc: Remove XrdTpcNSSSupport implementation.
bbockelm 1eb60a5
XrdTls: HACK - temporarily link crypto files into XrdUtils.
bbockelm c3dc4c1
XrdTls: Extend XrdCryptosslX509Crl to load / write CRLs to a FILE*
bbockelm 342ba6c
XrdTls: HACK - add CRLs to XrdUtils. Revert when we understand linki…
bbockelm 399fc03
XrdTls: Add CRL concatenation support to TempCA manager.
bbockelm 7d3a823
XrdTls: Remove XrdTlsTempCA from its dedicated namespace.
bbockelm 639e6e3
XrdTls: Convert TempCA loader to a separate thread.
bbockelm 87b341c
XrdTls: Refactor temp CA code to use ADMINPATH directory.
bbockelm
@@ -41,6 +41,7 @@ | |
#include "XrdSys/XrdSysPlugin.hh" | ||
#include "XrdCrypto/XrdCryptoX509Chain.hh" | ||
#include "XrdCrypto/XrdCryptosslAux.hh" | ||
#include "XrdCrypto/XrdCryptosslX509Crl.hh" | ||
#include "XrdVersion.hh" | ||
|
||
#include "XrdTlsTempCA.hh" | ||
|
@@ -120,6 +121,77 @@ CASet::processFile(file_smart_ptr &fp, const std::string &fname) | |
return true; | ||
} | ||
|
||
|
||
class CRLSet { | ||
public: | ||
CRLSet(int output_fd, XrdSysError &err) | ||
: m_log(err), | ||
m_output_fd(output_fd) | ||
{} | ||
|
||
/** | ||
* Given an open file descriptor pointing to | ||
* a file potentially containing a CRL, process it | ||
* for PEM-formatted entries. If a new, unique CRL | ||
* is found, then it is written into the current | ||
* tempfile. | ||
* | ||
* The fname argument is used solely for debugging. | ||
* | ||
* Returns true on success. | ||
*/ | ||
bool processFile(file_smart_ptr &fd, const std::string &fname); | ||
|
||
private: | ||
XrdSysError &m_log; | ||
|
||
// Grid CA directories tend to keep everything in triplicate; | ||
// we keep a unique hash of all known CRLs so we write out each | ||
// one only once. | ||
std::unordered_set<std::string> m_known_crls; | ||
const int m_output_fd; | ||
}; | ||
|
||
|
||
bool | ||
CRLSet::processFile(file_smart_ptr &fp, const std::string &fname) | ||
{ | ||
// Note we purposely leak the outputfp here; we are just borrowing the handle. | ||
FILE *outputfp = fdopen(m_output_fd, "w"); | ||
if (!outputfp) { | ||
m_log.Emsg("CAset", "Failed to reopen file for output", fname.c_str()); | ||
return false; | ||
} | ||
|
||
// Assume we can safely ignore a failure to parse; we load every file in | ||
// the directory and that will naturally include a number of non-CRL files. | ||
for (std::unique_ptr<XrdCryptosslX509Crl> xrd_crl(new XrdCryptosslX509Crl(fp.get(), fname.c_str())); | ||
xrd_crl->IsValid(); | ||
xrd_crl = std::unique_ptr<XrdCryptosslX509Crl>(new XrdCryptosslX509Crl(fp.get(), fname.c_str()))) | ||
{ | ||
auto hash_ptr = xrd_crl->IssuerHash(1); | ||
if (!hash_ptr) { | ||
continue; | ||
} | ||
auto iter = m_known_crls.find(hash_ptr); | ||
if (iter != m_known_crls.end()) { | ||
//m_log.Emsg("CRLset", "Skipping known CRL with hash", fname.c_str(), hash_ptr); | ||
continue; | ||
} | ||
//m_log.Emsg("CRLset", "New CRL with hash", fname.c_str(), hash_ptr); | ||
m_known_crls.insert(hash_ptr); | ||
|
||
if (!xrd_crl->ToFile(outputfp)) { | ||
m_log.Emsg("CRLset", "Failed to write out CRL", fname.c_str()); | ||
fflush(outputfp); | ||
return false; | ||
} | ||
} | ||
fflush(outputfp); | ||
|
||
return true; | ||
} | ||
|
||
} | ||
|
||
|
||
|
@@ -128,26 +200,36 @@ using namespace XrdTls; | |
|
||
std::unique_ptr<XrdTlsTempCA::TempCAGuard> | ||
XrdTlsTempCA::TempCAGuard::create(XrdSysError &err) { | ||
char fname[] = "/tmp/xrootd_ca_file.XXXXXX.pem"; | ||
int fd = mkstemps(fname, 4); | ||
if (fd < 0) { | ||
char ca_fname[] = "/tmp/xrootd_ca_file.XXXXXX.pem"; | ||
int ca_fd = mkstemps(ca_fname, 4); | ||
if (ca_fd < 0) { | ||
err.Emsg("TempCA", "Failed to create temp file:", strerror(errno)); | ||
return std::unique_ptr<TempCAGuard>(); | ||
} | ||
char crl_fname[] = "/tmp/xrootd_crl_file.XXXXXX.pem"; | ||
int crl_fd = mkstemps(crl_fname, 4); | ||
if (crl_fd < 0) { | ||
err.Emsg("TempCA", "Failed to create temp file:", strerror(errno)); | ||
Referencing line 203; both messages are identical even though they actually refer to different files. To avoid confusion I suggest the message be: |
||
return std::unique_ptr<TempCAGuard>(); | ||
} | ||
return std::unique_ptr<TempCAGuard>(new TempCAGuard(fd, fname)); | ||
return std::unique_ptr<TempCAGuard>(new TempCAGuard(ca_fd, crl_fd, ca_fname, crl_fname)); | ||
} | ||
|
||
|
||
XrdTlsTempCA::TempCAGuard::~TempCAGuard() { | ||
if (m_fd >= 0) { | ||
unlink(m_fname.c_str()); | ||
close(m_fd); | ||
if (m_ca_fd >= 0) { | ||
unlink(m_ca_fname.c_str()); | ||
close(m_ca_fd); | ||
} | ||
if (m_crl_fd >= 0) { | ||
unlink(m_crl_fname.c_str()); | ||
close(m_crl_fd); | ||
} | ||
} | ||
|
||
|
||
XrdTlsTempCA::TempCAGuard::TempCAGuard(int fd, const std::string &fname) | ||
: m_fd(fd), m_fname(fname) | ||
XrdTlsTempCA::TempCAGuard::TempCAGuard(int ca_fd, int crl_fd, const std::string &ca_fname, const std::string &crl_fname) | ||
: m_ca_fd(ca_fd), m_crl_fd(crl_fd), m_ca_fname(ca_fname), m_crl_fname(crl_fname) | ||
{} | ||
|
||
|
||
|
@@ -162,14 +244,15 @@ XrdTlsTempCA::XrdTlsTempCA(XrdSysError *err, std::string ca_dir) | |
bool | ||
XrdTlsTempCA::Maintenance() | ||
{ | ||
m_log.Emsg("TempCA", "Reloading the list of CAs in directory"); | ||
m_log.Emsg("TempCA", "Reloading the list of CAs and CRLs in directory"); | ||
|
||
std::unique_ptr<TempCAGuard> new_file(TempCAGuard::create(m_log)); | ||
if (!new_file) { | ||
m_log.Emsg("TempCA", "Failed to create a new temp CA file"); | ||
m_log.Emsg("TempCA", "Failed to create a new temp CA / CRL file"); | ||
return false; | ||
} | ||
CASet builder(new_file->getFD(), m_log); | ||
CASet ca_builder(new_file->getCAFD(), m_log); | ||
CRLSet crl_builder(new_file->getCRLFD(), m_log); | ||
|
||
int fddir = XrdSysFD_Open(m_ca_dir.c_str(), O_DIRECTORY); | ||
if (fddir < 0) { | ||
|
@@ -196,8 +279,12 @@ XrdTlsTempCA::Maintenance() | |
} | ||
file_smart_ptr fp(fdopen(fd, "r"), &fclose); | ||
|
||
if (!builder.processFile(fp, result->d_name)) { | ||
m_log.Emsg("Maintenance", "Failed to process file", result->d_name); | ||
if (!ca_builder.processFile(fp, result->d_name)) { | ||
m_log.Emsg("Maintenance", "Failed to process file for CAs", result->d_name); | ||
} | ||
rewind(fp.get()); | ||
if (!crl_builder.processFile(fp, result->d_name)) { | ||
m_log.Emsg("Maintenance", "Failed to process file for CRLs", result->d_name); | ||
} | ||
} | ||
if (errno) { | ||
|
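Review bot: In `TempCAGuard::create`, when the second `mkstemps` fails the CA temp file that was just created is neither closed nor unlinked before the function returns, so every failed creation leaks a descriptor and leaves a stray file in /tmp; add `close(ca_fd); unlink(ca_fname);` ahead of the `return std::unique_ptr<TempCAGuard>();` in that branch. In `CRLSet::processFile` the de-duplication key is `IssuerHash(1)`, so two different CRLs from the same issuer (for example an older one and a freshly fetched one sitting side by side in the directory) are reduced to whichever entry `readdir` happens to yield first, and the comment `// we keep a unique hash of all known CRLs` overstates what is actually stored; either key on a digest of the CRL contents or, if the CRL class exposes its last-update time, keep the newer one and say so in the comment. The same function also calls `fdopen(m_output_fd, "w")` on every invocation and deliberately never closes the stream, so one FILE object plus its buffer is leaked per directory entry per Maintenance run; opening the stream once in the constructor as `m_output_fp(fdopen(dup(output_fd), "w"), &fclose)` held in a `file_smart_ptr` member keeps the caller's fd borrowed while letting the stream be released, with `processFile` checking the member for null instead of reopening. Maintenance's body continues outside the last hunk.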
Referencing line 209; both messages are identical even though they actually refer to different files. To avoid confusion I suggest the message be:
"Failed to create CA temp file:"