
Secgsi improvements 3.3.6 x #540

Merged
merged 10 commits into from
Jul 13, 2017
69 changes: 38 additions & 31 deletions src/XrdCrypto/XrdCryptosslX509Crl.cc
Expand Up @@ -45,6 +45,13 @@
#include <openssl/bn.h>
#include <openssl/pem.h>

#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define X509_REVOKED_get0_revocationDate(x) (x)->revocationDate
#define X509_REVOKED_get0_serialNumber(x) (x)->serialNumber
#define X509_CRL_get0_lastUpdate X509_CRL_get_lastUpdate
#define X509_CRL_get0_nextUpdate X509_CRL_get_nextUpdate
#endif

//_____________________________________________________________________________
XrdCryptosslX509Crl::XrdCryptosslX509Crl(const char *cf, int opt)
: XrdCryptoX509Crl()
Expand Down Expand Up @@ -185,12 +192,15 @@ int XrdCryptosslX509Crl::Init(const char *cf)
if (!PEM_read_X509_CRL(fc, &crl, 0, 0)) {
DEBUG("Unable to load CRL from file");
return -1;
} else {
DEBUG("CRL successfully loaded");
}
//
// Close the file
fclose(fc);

//
// Notify
DEBUG("CRL successfully loaded from "<< cf);

//
// Save source file name
srcfile = cf;
Expand Down Expand Up @@ -340,7 +350,6 @@ int XrdCryptosslX509Crl::LoadCache()
// Load relevant info into the cache
// Return 0 if ok, -1 in case of error
EPNAME("LoadCache");
XrdSutCacheRef pfeRef;

// The CRL must exists
if (!crl) {
Expand Down Expand Up @@ -371,12 +380,6 @@ int XrdCryptosslX509Crl::LoadCache()
return 0;
}

// Init cache
if (cache.Init(nrevoked) != 0) {
DEBUG("problems init cache for CRL info");
return -1;
}

// Get serial numbers of revoked certificates
char *tagser = 0;
int i = 0;
Expand All @@ -388,28 +391,29 @@ int XrdCryptosslX509Crl::LoadCache()
#endif /* OPENSSL */
if (rev) {
BIGNUM *bn = BN_new();
ASN1_INTEGER_to_BN(rev->serialNumber, bn);
ASN1_INTEGER_to_BN(X509_REVOKED_get0_serialNumber(rev), bn);
tagser = BN_bn2hex(bn);
BN_free(bn);
TRACE(Dump, "certificate with serial number: "<<tagser<<
" has been revoked");
// Add to the cache
XrdSutPFEntry *cent = cache.Add(pfeRef, (const char *)tagser);
bool rdlock = false;
XrdSutCacheEntry *cent = cache.Get((const char *)tagser, rdlock);
if (!cent) {
DEBUG("problems updating the cache");
DEBUG("problems getting entry in the cache");
return -1;
}
// Add revocation date
cent->mtime = XrdCryptosslASN1toUTC(rev->revocationDate);
cent->mtime = XrdCryptosslASN1toUTC(X509_REVOKED_get0_revocationDate(rev));
// Set status
cent->mtime = kCE_ok;
// Release the string for the serial number
OPENSSL_free(tagser);
// Unlock the entry
cent->rwmtx.UnLock();
}
}

// rehash the cache
pfeRef.UnLock(); // Prevent lock inversion (though it doesn't matter here)
cache.Rehash(1);

return 0;
}

Expand All @@ -423,7 +427,7 @@ int XrdCryptosslX509Crl::LastUpdate()
// Make sure we have a CRL
if (crl)
// Extract UTC time in secs from Epoch
lastupdate = XrdCryptosslASN1toUTC(X509_CRL_get_lastUpdate(crl));
lastupdate = XrdCryptosslASN1toUTC(X509_CRL_get0_lastUpdate(crl));
}
// return what we have
return lastupdate;
Expand All @@ -439,7 +443,7 @@ int XrdCryptosslX509Crl::NextUpdate()
// Make sure we have a CRL
if (crl)
// Extract UTC time in secs from Epoch
nextupdate = XrdCryptosslASN1toUTC(X509_CRL_get_nextUpdate(crl));
nextupdate = XrdCryptosslASN1toUTC(X509_CRL_get0_nextUpdate(crl));
}
// return what we have
return nextupdate;
Expand Down Expand Up @@ -476,14 +480,15 @@ const char *XrdCryptosslX509Crl::IssuerHash(int alg)
// (for v>=1.0.0) when alg = 1
EPNAME("X509::IssuerHash");

#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
#if (OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(__APPLE__))
if (alg == 1) {
// md5 based
if (issueroldhash.length() <= 0) {
// Make sure we have a certificate
if (crl) {
char chash[15] = {0};
snprintf(chash,15,"%08lx.0",X509_NAME_hash_old(crl->crl->issuer));
char chash[30] = {0};
snprintf(chash, sizeof(chash),
"%08lx.0",X509_NAME_hash_old(X509_CRL_get_issuer(crl)));
issueroldhash = chash;
} else {
DEBUG("WARNING: no certificate available - cannot extract issuer hash (md5)");
Expand All @@ -501,9 +506,9 @@ const char *XrdCryptosslX509Crl::IssuerHash(int alg)

// Make sure we have a certificate
if (crl) {
char chash[15] = {0};
if (chash[0] == 0)
snprintf(chash,15,"%08lx.0",X509_NAME_hash(crl->crl->issuer));
char chash[30] = {0};
snprintf(chash, sizeof(chash),
"%08lx.0",X509_NAME_hash(X509_CRL_get_issuer(crl)));
issuerhash = chash;
} else {
DEBUG("WARNING: no certificate available - cannot extract issuer hash (default)");
Expand Down Expand Up @@ -539,7 +544,6 @@ bool XrdCryptosslX509Crl::IsRevoked(int serialnumber, int when)
// Check if certificate with serialnumber is in the
// list of revocated certificates
EPNAME("IsRevoked");
XrdSutCacheRef pfeRef;

// Reference time
int now = (when > 0) ? when : time(0);
Expand All @@ -560,13 +564,15 @@ bool XrdCryptosslX509Crl::IsRevoked(int serialnumber, int when)
sprintf(tagser,"%x",serialnumber);

// Look into the cache
XrdSutPFEntry *cent = cache.Get(pfeRef, (const char *)tagser);
if (cent) {
XrdSutCacheEntry *cent = cache.Get((const char *)tagser);
if (cent && cent->status == kCE_ok) {
// Check the revocation time
if (now > cent->mtime) {
DEBUG("certificate "<<tagser<<" has been revoked");
cent->rwmtx.UnLock();
return 1;
}
cent->rwmtx.UnLock();
}

// Certificate not revoked
Expand All @@ -579,7 +585,6 @@ bool XrdCryptosslX509Crl::IsRevoked(const char *sernum, int when)
// Check if certificate with 'sernum' is in the
// list of revocated certificates
EPNAME("IsRevoked");
XrdSutCacheRef pfeRef;

// Reference time
int now = (when > 0) ? when : time(0);
Expand All @@ -596,13 +601,15 @@ bool XrdCryptosslX509Crl::IsRevoked(const char *sernum, int when)
}

// Look into the cache
XrdSutPFEntry *cent = cache.Get(pfeRef, (const char *)sernum);
if (cent) {
XrdSutCacheEntry *cent = cache.Get((const char *)sernum);
if (cent && cent->status == kCE_ok) {
// Check the revocation time
if (now > cent->mtime) {
DEBUG("certificate "<<sernum<<" has been revoked");
cent->rwmtx.UnLock();
return 1;
}
cent->rwmtx.UnLock();
}

// Certificate not revoked
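Review bot: The new `cent->status == kCE_ok` guard in both IsRevoked overloads (the lines after `// Look into the cache`) depends on LoadCache marking entries as ok, but the visible LoadCache hunk never sets status: under `// Set status` it executes `cent->mtime = kCE_ok;`, which also overwrites the revocation date stored on the line just above. Unless cache.Get() itself initializes status to kCE_ok, no entry passes the new guard and every certificate is reported as not revoked, so the CRL check fails open; that line should read `cent->status = kCE_ok;`. In the same IsRevoked hunks a non-null entry whose status is not kCE_ok is never released, because both `cent->rwmtx.UnLock()` calls sit inside the status-guarded block; compute the verdict, unlock unconditionally, then return, e.g. `if (cent) { bool revoked = (cent->status == kCE_ok && now > cent->mtime); cent->rwmtx.UnLock(); if (revoked) { DEBUG(...); return 1; } }`. That Get() hands back a locked entry when called without the rdlock argument is inferred from the existing UnLock calls, and whether it inserts a fresh entry for an unknown serial is not visible here; confirm both against XrdSutCache.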
1 change: 0 additions & 1 deletion src/XrdCrypto/XrdCryptosslX509Crl.hh
Expand Up @@ -45,7 +45,6 @@
//
// ---------------------------------------------------------------------------//

class XrdSutCache;
class XrdCryptoX509;

class XrdCryptosslX509Crl : public XrdCryptoX509Crl {