Overhaul curl's usage of CAs. #1431
Merged
5e31d97
Overhaul curl's usage of CAs.
bbockelm 75f631e
Add support for certfile directive for TPC handler.
bbockelm c84668f
Provide a pure-environment override for the XrdTpc cadir.
bbockelm 399d5a7
XrdTpc: Switch update variables to std::atomics.
bbockelm 1fe8f5d
XrdTpc: Remove deprecated readdir_r.
bbockelm 5793ac7
Remove use of smart pointers.
bbockelm 97deb89
XrdTpc: Pass filename to parsing / exporting functions.
bbockelm 2719b4b
XrdTpc: Use XrdSysFD functions where possible for CLOEXEC protection.
bbockelm 380f476
XrdTpc: If NSS hack is needed and fails, do not startup server.
bbockelm 5f49669
XrdTls: Move temp CA generator code into core XrdTls.
bbockelm ab5fad4
XrdTpc: Remove XrdTpcNSSSupport implementation.
bbockelm 1eb60a5
XrdTls: HACK - temporarily link crypto files into XrdUtils.
bbockelm c3dc4c1
XrdTls: Extend XrdCryptosslX509Crl to load / write CRLs to a FILE*
bbockelm 342ba6c
XrdTls: HACK - add CRLs to XrdUtils. Revert when we understand linki…
bbockelm 399fc03
XrdTls: Add CRL concatenation support to TempCA manager.
bbockelm 7d3a823
XrdTls: Remove XrdTlsTempCA from its dedicated namespace.
bbockelm 639e6e3
XrdTls: Convert TempCA loader to a separate thread.
bbockelm 87b341c
XrdTls: Refactor temp CA code to use ADMINPATH directory.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -47,6 +47,9 @@ | |
|
||
#include "XrdTlsTempCA.hh" | ||
|
||
#include <sstream> | ||
#include <vector> | ||
|
||
namespace { | ||
|
||
typedef std::unique_ptr<FILE, decltype(&fclose)> file_smart_ptr; | ||
|
@@ -205,20 +208,36 @@ CRLSet::processFile(file_smart_ptr &fp, const std::string &fname) | |
|
||
|
||
std::unique_ptr<XrdTlsTempCA::TempCAGuard> | ||
XrdTlsTempCA::TempCAGuard::create(XrdSysError &err) { | ||
char ca_fname[] = "/tmp/xrootd_ca_file.XXXXXX.pem"; | ||
int ca_fd = mkstemps(ca_fname, 4); | ||
XrdTlsTempCA::TempCAGuard::create(XrdSysError &err, const std::string &ca_tmp_dir) { | ||
|
||
if (-1 == mkdir(ca_tmp_dir.c_str(), S_IRWXU) && errno != EEXIST) { | ||
err.Emsg("TempCA", "Unable to create CA temp directory", ca_tmp_dir.c_str(), strerror(errno)); | ||
} | ||
|
||
std::stringstream ss; | ||
ss << ca_tmp_dir << "/ca_file.XXXXXX.pem"; | ||
std::vector<char> ca_fname; | ||
ca_fname.resize(ss.str().size() + 1); | ||
memcpy(ca_fname.data(), ss.str().c_str(), ss.str().size()); | ||
|
||
int ca_fd = mkstemps(ca_fname.data(), 4); | ||
if (ca_fd < 0) { | ||
err.Emsg("TempCA", "Failed to create temp file:", strerror(errno)); | ||
return std::unique_ptr<TempCAGuard>(); | ||
} | ||
char crl_fname[] = "/tmp/xrootd_crl_file.XXXXXX.pem"; | ||
int crl_fd = mkstemps(crl_fname, 4); | ||
|
||
std::stringstream ss2; | ||
ss2 << ca_tmp_dir << "/crl_file.XXXXXX.pem"; | ||
std::vector<char> crl_fname; | ||
crl_fname.resize(ss2.str().size() + 1); | ||
memcpy(crl_fname.data(), ss2.str().c_str(), ss2.str().size()); | ||
|
||
int crl_fd = mkstemps(crl_fname.data(), 4); | ||
if (crl_fd < 0) { | ||
err.Emsg("TempCA", "Failed to create temp file:", strerror(errno)); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Referencing line 203; both messages are identical even though they actually refer to different files. To avoid confusion I suggest the message be: |
||
return std::unique_ptr<TempCAGuard>(); | ||
} | ||
return std::unique_ptr<TempCAGuard>(new TempCAGuard(ca_fd, crl_fd, ca_fname, crl_fname)); | ||
return std::unique_ptr<TempCAGuard>(new TempCAGuard(ca_fd, crl_fd, ca_tmp_dir, ca_fname.data(), crl_fname.data())); | ||
} | ||
|
||
|
||
|
@@ -234,8 +253,32 @@ XrdTlsTempCA::TempCAGuard::~TempCAGuard() { | |
} | ||
|
||
|
||
XrdTlsTempCA::TempCAGuard::TempCAGuard(int ca_fd, int crl_fd, const std::string &ca_fname, const std::string &crl_fname) | ||
: m_ca_fd(ca_fd), m_crl_fd(crl_fd), m_ca_fname(ca_fname), m_crl_fname(crl_fname) | ||
bool | ||
XrdTlsTempCA::TempCAGuard::commit() { | ||
if (m_ca_fd < 0 || m_ca_tmp_dir.empty()) {return false;} | ||
close(m_ca_fd); | ||
m_ca_fd = -1; | ||
std::string ca_fname = m_ca_tmp_dir + "/ca_file.pem"; | ||
if (-1 == rename(m_ca_fname.c_str(), ca_fname.c_str())) { | ||
return false; | ||
} | ||
m_ca_fname = ca_fname; | ||
|
||
if (m_crl_fd < 0 || m_ca_tmp_dir.empty()) {return false;} | ||
close(m_crl_fd); | ||
m_crl_fd = -1; | ||
std::string crl_fname = m_ca_tmp_dir + "/crl_file.pem"; | ||
if (-1 == rename(m_crl_fname.c_str(), crl_fname.c_str())) { | ||
return false; | ||
} | ||
m_crl_fname = crl_fname; | ||
|
||
return true; | ||
} | ||
|
||
|
||
XrdTlsTempCA::TempCAGuard::TempCAGuard(int ca_fd, int crl_fd, const std::string &ca_tmp_dir, const std::string &ca_fname, const std::string &crl_fname) | ||
: m_ca_fd(ca_fd), m_crl_fd(crl_fd), m_ca_tmp_dir(ca_tmp_dir), m_ca_fname(ca_fname), m_crl_fname(crl_fname) | ||
{} | ||
|
||
|
||
|
@@ -266,6 +309,7 @@ XrdTlsTempCA::XrdTlsTempCA(XrdSysError *err, std::string ca_dir) | |
if (rc) { | ||
m_log.Emsg("XrdTlsTempCA", "Failed to launch CA monitoring thread"); | ||
m_ca_file.reset(); | ||
m_crl_file.reset(); | ||
} | ||
} | ||
|
||
|
@@ -293,7 +337,14 @@ XrdTlsTempCA::Maintenance() | |
{ | ||
m_log.Emsg("TempCA", "Reloading the list of CAs and CRLs in directory"); | ||
|
||
std::unique_ptr<TempCAGuard> new_file(TempCAGuard::create(m_log)); | ||
auto adminpath = getenv("XRDADMINPATH"); | ||
if (!adminpath) { | ||
m_log.Emsg("TempCA", "Admin path is not set!"); | ||
return false; | ||
} | ||
std::string ca_tmp_dir = std::string(adminpath) + "/.xrdtls"; | ||
|
||
std::unique_ptr<TempCAGuard> new_file(TempCAGuard::create(m_log, ca_tmp_dir)); | ||
if (!new_file) { | ||
m_log.Emsg("TempCA", "Failed to create a new temp CA / CRL file"); | ||
return false; | ||
|
@@ -314,6 +365,7 @@ XrdTlsTempCA::Maintenance() | |
} | ||
|
||
struct dirent *result; | ||
errno = 0; | ||
while ((result = readdir(dirp))) { | ||
//m_log.Emsg("Will parse file for CA certificates", result->d_name); | ||
if (result->d_type != DT_REG && result->d_type != DT_LNK) {continue;} | ||
|
@@ -333,6 +385,7 @@ XrdTlsTempCA::Maintenance() | |
if (!crl_builder.processFile(fp, result->d_name)) { | ||
m_log.Emsg("Maintenance", "Failed to process file for CRLs", result->d_name); | ||
} | ||
errno = 0; | ||
} | ||
if (errno) { | ||
m_log.Emsg("Maintenance", "Failure during readdir", strerror(errno)); | ||
|
@@ -341,7 +394,14 @@ XrdTlsTempCA::Maintenance() | |
} | ||
closedir(dirp); | ||
|
||
m_ca_file.reset(new_file.release()); | ||
if (!new_file->commit()) { | ||
m_log.Emsg("Mainteance", "Failed to finalize new CA / CRL files"); | ||
return false; | ||
} | ||
//m_log.Emsg("Maintenance", "Successfully created CA and CRL files", new_file->getCAFilename().c_str(), | ||
// new_file->getCRLFilename().c_str()); | ||
m_ca_file.reset(new std::string(new_file->getCAFilename())); | ||
m_crl_file.reset(new std::string(new_file->getCRLFilename())); | ||
return true; | ||
} | ||
|
||
|
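Review bot: In TempCAGuard::create the directory check accepts any pre-existing path: when mkdir fails with EEXIST nothing verifies that `ca_tmp_dir` is a directory owned by the running user and not writable by group or others, yet `commit()` later renames the CA and CRL bundles the server will trust into it, so a pre-created directory with loose permissions would let whoever controls it swap out `ca_file.pem` / `crl_file.pem`. A mkdir failure other than EEXIST is also only logged and the function falls through to mkstemps, which then fails with the less specific "Failed to create temp file" message; it should return at the first error. Suggested shape below, using lstat rather than stat so a symlink standing in for the directory is rejected as well. Separately, the log tag on the commit() failure path in Maintenance is misspelled and should read `m_log.Emsg("Maintenance", "Failed to finalize new CA / CRL files");`.
```cpp
XrdTlsTempCA::TempCAGuard::create(XrdSysError &err, const std::string &ca_tmp_dir) {
    if (-1 == mkdir(ca_tmp_dir.c_str(), S_IRWXU) && errno != EEXIST) {
        err.Emsg("TempCA", "Unable to create CA temp directory", ca_tmp_dir.c_str(), strerror(errno));
        return std::unique_ptr<TempCAGuard>();
    }
    // This directory will hold the CA / CRL bundles the server trusts: refuse one that
    // is not a plain directory, is owned by someone else, or is group/other-writable.
    struct stat st;
    if (-1 == lstat(ca_tmp_dir.c_str(), &st)) {
        err.Emsg("TempCA", "Unable to stat CA temp directory", ca_tmp_dir.c_str(), strerror(errno));
        return std::unique_ptr<TempCAGuard>();
    }
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        err.Emsg("TempCA", "CA temp directory has unsafe type, owner, or permissions", ca_tmp_dir.c_str());
        return std::unique_ptr<TempCAGuard>();
    }
    // … unchanged: temp CA / CRL file creation via mkstemps …
```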
Referencing line 209; both messages are identical even though they actually refer to different files. To avoid confusion I suggest the message be:
"Failed to create CA temp file:"