[Pvfs2-cvs] commit by nlmills in pvfs2/src/common/security:
module.mk.in pint-security.c pint-security.h getugroups.c
getugroups.h
CVS commit program
cvs at parl.clemson.edu
Fri May 21 17:38:16 EDT 2010
Update of /projects/cvsroot/pvfs2/src/common/security
In directory parlweb1:/tmp/cvs-serv30601/src/common/security
Modified Files:
Tag: cu-security-branch
module.mk.in pint-security.c pint-security.h
Removed Files:
Tag: cu-security-branch
getugroups.c getugroups.h
Log Message:
removed anything and everything related to certificates
Index: module.mk.in
===================================================================
RCS file: /projects/cvsroot/pvfs2/src/common/security/Attic/module.mk.in,v
diff -p -u -r1.1.2.4 -r1.1.2.5
--- module.mk.in 25 Aug 2009 17:56:05 -0000 1.1.2.4
+++ module.mk.in 21 May 2010 21:38:16 -0000 1.1.2.5
@@ -1,6 +1,5 @@
DIR := src/common/security
SERVERSRC += $(DIR)/pint-security.c \
$(DIR)/security-hash.c \
- $(DIR)/security-util.c \
- $(DIR)/getugroups.c
+ $(DIR)/security-util.c
LIBSRC += $(DIR)/security-util.c
Index: pint-security.c
===================================================================
RCS file: /projects/cvsroot/pvfs2/src/common/security/Attic/pint-security.c,v
diff -p -u -r1.1.2.59 -r1.1.2.60
--- pint-security.c 25 Aug 2009 17:56:05 -0000 1.1.2.59
+++ pint-security.c 21 May 2010 21:38:16 -0000 1.1.2.60
@@ -19,13 +19,8 @@
#include <openssl/crypto.h>
#include <openssl/err.h>
-#include <openssl/stack.h>
-#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include <openssl/x509_vfy.h>
#include "pvfs2.h"
#include "pvfs2-types.h"
@@ -41,7 +36,6 @@
#include "pint-security.h"
#include "security-hash.h"
#include "security-util.h"
-#include "getugroups.h"
static gen_mutex_t security_init_mutex = GEN_MUTEX_INITIALIZER;
@@ -50,8 +44,6 @@ static int security_init_status = 0;
/* private key used for signing */
static EVP_PKEY *security_privkey = NULL;
-/* store context used to verify client certificates */
-static X509_STORE *security_store = NULL;
struct CRYPTO_dynlock_value
@@ -72,9 +64,6 @@ static void dyn_destroy_function(struct
static int load_private_key(const char*);
static int load_public_keys(const char*);
-static int load_ca_bundle(const char*);
-static int verify_callback(int, X509_STORE_CTX*);
-static const char *find_account(const char*, const STACK*);
/* PINT_security_initialize
@@ -120,7 +109,6 @@ int PINT_security_initialize(void)
config = PINT_get_server_config();
assert(config->serverkey_path);
assert(config->keystore_path);
- assert(config->cabundle_path);
security_privkey = EVP_PKEY_new();
ret = load_private_key(config->serverkey_path);
@@ -146,18 +134,6 @@ int PINT_security_initialize(void)
return -PVFS_EIO;
}
- ret = load_ca_bundle(config->cabundle_path);
- if (ret < 0)
- {
- EVP_PKEY_free(security_privkey);
- SECURITY_hash_finalize();
- EVP_cleanup();
- ERR_free_strings();
- cleanup_threading();
- gen_mutex_unlock(&security_init_mutex);
- return -PVFS_EIO;
- }
-
security_init_status = 1;
gen_mutex_unlock(&security_init_mutex);
@@ -183,7 +159,6 @@ int PINT_security_finalize(void)
SECURITY_hash_finalize();
EVP_PKEY_free(security_privkey);
- X509_STORE_free(security_store);
EVP_cleanup();
ERR_free_strings();
@@ -449,7 +424,6 @@ int PINT_sign_credential(PVFS_credential
cred->issuer = strdup(config->server_alias);
- /* nlmills: TODO: time out the credential with the cert */
cred->timeout = PINT_util_get_current_time() + config->security_timeout;
#if defined(SECURITY_ENCRYPTION_RSA)
@@ -582,379 +556,6 @@ int PINT_verify_credential(const PVFS_cr
return (ret == 1);
}
-/* PINT_verify_certificate
- *
- * Verifies an X.509 certificate against the local trust store.
- *
- * returns negative on error.
- * returns 0 on success.
- */
-int PINT_verify_certificate(const char *certstr,
- const PVFS_signature signature,
- uint32_t sig_size)
-{
- BIO *certbio;
- X509 *cert;
- X509_STORE_CTX *store_ctx;
- EVP_PKEY *pkey;
- EVP_MD_CTX mdctx;
- const EVP_MD *md = NULL;
- unsigned long err;
- int ret;
-
- if (!certstr || !signature || (sig_size == 0))
- {
- return -PVFS_EINVAL;
- }
-
- /******* Part 1 - verify the certificate */
-
- certbio = BIO_new_mem_buf((char*)certstr, -1);
- if (!certbio)
- {
- err = ERR_get_error();
- gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
- ERR_func_error_string(err),
- ERR_reason_error_string(err));
- return -PVFS_EINVAL;
- }
-
- cert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
- BIO_vfree(certbio);
- if (!cert)
- {
- err = ERR_get_error();
- gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
- ERR_func_error_string(err),
- ERR_reason_error_string(err));
- return -PVFS_EINVAL;
- }
-
- store_ctx = X509_STORE_CTX_new();
- if (!store_ctx)
- {
- err = ERR_get_error();
- gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
- ERR_func_error_string(err),
- ERR_reason_error_string(err));
- X509_free(cert);
- return -PVFS_ENOMEM;
- }
- /* XXX: previous versions did not return a value */
- ret = X509_STORE_CTX_init(store_ctx, security_store, cert, NULL);
- if (!ret)
- {
- err = ERR_get_error();
- gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
- ERR_func_error_string(err),
- ERR_reason_error_string(err));
- X509_STORE_CTX_free(store_ctx);
- X509_free(cert);
- return -PVFS_EINVAL;
- }
- /* nlmills: TODO: set any verification options */
-
- ret = X509_verify_cert(store_ctx);
- X509_STORE_CTX_free(store_ctx);
- if (ret == 0)
- {
- X509_free(cert);
- return -PVFS_EPERM;
- }
- else if (ret < 0)
- {
- err = ERR_get_error();
- gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
- ERR_func_error_string(err),
- ERR_reason_error_string(err));
- X509_free(cert);
- return -PVFS_EINVAL;
- }
-
- /* nlmills: TODO: does ref counting keep key from being freed with cert */
- pkey = X509_get_pubkey(cert);
- X509_free(cert);
- if (!pkey)
- {
- err = ERR_get_error();
- gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
- ERR_func_error_string(err),
- ERR_reason_error_string(err));
- return -PVFS_EINVAL;
- }
-
- /******* Part 2 - verify the signature */
-
- EVP_MD_CTX_init(&mdctx);
-
-#if defined(SECURITY_ENCRYPTION_RSA)
- md = EVP_sha1();
-#elif defined(SECURITY_ENCRYPTION_DSA)
- md = EVP_dss1();
-#endif
-
- ret = EVP_VerifyInit_ex(&mdctx, md, NULL);
- if (!ret)
- {
- err = ERR_get_error();
- gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
- ERR_func_error_string(err),
- ERR_reason_error_string(err));
- EVP_PKEY_free(pkey);
- return -PVFS_EINVAL;
- }
-
- ret = EVP_VerifyUpdate(&mdctx, certstr, strlen(certstr) * sizeof(char));
- if (!ret)
- {
- err = ERR_get_error();
- gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
- ERR_func_error_string(err),
- ERR_reason_error_string(err));
- EVP_PKEY_free(pkey);
- return -PVFS_EINVAL;
- }
-
- ret = EVP_VerifyFinal(&mdctx,
- (unsigned char*)signature,
- (unsigned int)sig_size,
- pkey);
- EVP_MD_CTX_cleanup(&mdctx);
- EVP_PKEY_free(pkey);
- if (ret == 0)
- {
- gossip_debug(GOSSIP_SECURITY_DEBUG,
- "Certificate verification error: invalid client signature\n");
- return -PVFS_EPERM;
- }
- else if (ret < -1)
- {
- err = ERR_get_error();
- gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
- ERR_func_error_string(err),
- ERR_reason_error_string(err));
- return -PVFS_EINVAL;
- }
-
- return 0;
-}
-
-/* PINT_lookup_account
- *
- * Finds the user account mapped to the given X.509 certificate.
- *
- * returns the account name on success.
- * returns NULL if no mapping exists.
- */
-const char *PINT_lookup_account(const char *certstr)
-{
- BIO *certbio;
- X509 *cert;
- X509_NAME *subject;
- char *subjectstr;
- STACK *emails;
- const char *account;
- unsigned long err;
-
- if (!certstr)
- {
- return NULL;
- }
-
- certbio = BIO_new_mem_buf((char*)certstr, -1);
- if (!certbio)
- {
- err = ERR_get_error();
- gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
- ERR_func_error_string(err),
- ERR_reason_error_string(err));
- return NULL;
- }
-
- cert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
- BIO_vfree(certbio);
- if (!cert)
- {
- err = ERR_get_error();
- gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
- ERR_func_error_string(err),
- ERR_reason_error_string(err));
- return NULL;
- }
-
- subject = X509_get_subject_name(cert);
- if (!subject)
- {
- X509_free(cert);
- return NULL;
- }
-
- subjectstr = X509_NAME_oneline(subject, NULL, 0);
- if (!subjectstr)
- {
- err = ERR_get_error();
- gossip_debug(GOSSIP_SECURITY_DEBUG, "%s: %s\n",
- ERR_func_error_string(err),
- ERR_reason_error_string(err));
- X509_free(cert);
- return NULL;
- }
-
- emails = X509_get1_email(cert);
-
- account = find_account(subjectstr, emails);
-
- X509_email_free(emails);
- CRYPTO_free(subjectstr);
- X509_free(cert);
-
- return account;
-}
-
-/* PINT_lookup_userid
- *
- * Searches for a userid that matches the given account in the system
- * password database.
- *
- * returns negative on failure.
- * returns zero on success.
- */
-int PINT_lookup_userid(const char *account, PVFS_uid *userid)
-{
- struct passwd pwbuf;
- struct passwd *pwbufp;
- char *buf;
- long max;
- int ret;
-
- max = sysconf(_SC_GETPW_R_SIZE_MAX);
- assert(max != -1);
- buf = calloc(max, sizeof(char));
- if (!buf)
- {
- return -PVFS_ENOMEM;
- }
-
- memset(&pwbuf, 0, sizeof(struct passwd));
- ret = getpwnam_r(account, &pwbuf, buf, max, &pwbufp);
- if ((pwbufp == NULL) || ret)
- {
- gossip_debug(GOSSIP_SECURITY_DEBUG,
- "User '%s' not found in password database\n",
- account);
- free(buf);
- return -PVFS_EINVAL;
- }
-
- *userid = pwbuf.pw_uid;
-
- free(buf);
- return 0;
-}
-
-int PINT_lookup_groups(const char *account, PVFS_gid **group_array,
- uint32_t *num_groups)
-{
- long ngroups_max;
- long buf_max;
- struct passwd pwbuf;
- struct passwd *pwbufp;
- char *buf;
- gid_t pw_gid;
- int ngroups;
- gid_t *groups;
- int ret;
- int i;
-
- buf_max = sysconf(_SC_GETPW_R_SIZE_MAX);
- assert(buf_max != -1);
- buf = calloc(buf_max, sizeof(char));
- if (!buf)
- {
- *num_groups = 0;
- *group_array = NULL;
- return -PVFS_ENOMEM;
- }
-
- memset(&pwbuf, 0, sizeof(struct passwd));
- ret = getpwnam_r(account, &pwbuf, buf, buf_max, &pwbufp);
- if ((pwbufp == NULL) || ret)
- {
- gossip_debug(GOSSIP_SECURITY_DEBUG,
- "User '%s' not found in password database\n",
- account);
- free(buf);
- *num_groups = 0;
- *group_array = NULL;
- return -PVFS_EINVAL;
- }
-
- pw_gid = pwbuf.pw_gid;
- free(buf);
-
- /* leave room for euid */
- ngroups_max = sysconf(_SC_NGROUPS_MAX) + 1;
- assert(ngroups_max != -1);
- groups = calloc(ngroups_max, sizeof(gid_t));
- if (!groups)
- {
- *num_groups = 0;
- *group_array = NULL;
- return -PVFS_ENOMEM;
- }
-
- /* nlmills: TODO: set up autoconf to define HAVE_GETGROUPLIST */
-#ifdef HAVE_GETGROUPLIST
-
- ngroups = ngroups_max;
- ret = getgrouplist(account, pw_gid, groups, &ngroups);
- if (ret < 0)
- {
- free(groups);
- *num_groups = 0;
- *group_array = NULL;
- return -PVFS_EINVAL;
- }
-
- /* getgrouplist likes to put pw_gid last */
- if (groups[ngroups-1] == pw_gid)
- {
- groups[ngroups-1] = groups[0];
- groups[0] = pw_gid;
- }
-
-#else /* !HAVE_GETGROUPLIST */
-
- ngroups = getugroups(ngroups_max, groups, account, pw_gid);
- if (ngroups < 0)
- {
- free(groups);
- *num_groups = 0;
- *group_array = NULL;
- return -PVFS_EINVAL;
- }
-
-#endif /* HAVE_GROUPLIST */
-
- *group_array = calloc(ngroups, sizeof(PVFS_gid));
- if(!(*group_array))
- {
- free(groups);
- *num_groups = 0;
- return -PVFS_ENOMEM;
- }
-
- for(i = 0; i < ngroups; i++)
- {
- (*group_array)[i] = (PVFS_gid)groups[i];
- }
- *num_groups = ngroups;
-
- free(groups);
-
- return 0;
-}
-
/* setup_threading
*
* Sets up the data structures and callbacks required by the OpenSSL library
@@ -1219,193 +820,6 @@ static int load_public_keys(const char *
fclose(keyfile);
return 0;
-}
-
-/* load_ca_bundle
- *
- * Initializes the X509_STORE used to verify client credentials
- * and loads a list of trusted CA's from the filesystem. The path
- * argument is the location of the file containing trusted CA
- * certificates in PEM format.
- *
- * returns -1 on failure
- * returns 0 on success
- */
-static int load_ca_bundle(const char *path)
-{
- char buf[512];
- int ret;
-
- security_store = X509_STORE_new();
- if (!security_store)
- {
- ERR_error_string_n(ERR_get_error(), buf, 512);
- gossip_debug(GOSSIP_SECURITY_DEBUG, "Error creating security store: "
- "%s\n", buf);
- return -1;
- }
-
- X509_STORE_set_verify_cb_func(security_store, verify_callback);
- /* nlmills: TODO: set any default verification options */
-
- ret = X509_STORE_load_locations(security_store, path, NULL);
- if (!ret)
- {
- ERR_error_string_n(ERR_get_error(), buf, 512);
- gossip_err("Error loading CA bundle file: %s\n", buf);
- X509_STORE_free(security_store);
- return -1;
- }
-
- return 0;
-}
-
-static int verify_callback(int ok, X509_STORE_CTX *ctx)
-{
- if (!ok)
- {
- int err;
- err = X509_STORE_CTX_get_error(ctx);
- gossip_debug(GOSSIP_SECURITY_DEBUG,
- "Certificate verification error: %s\n",
- X509_verify_cert_error_string(err));
- }
-
- return ok;
-}
-
-/* find_account
- *
- * Internal function to find matches in the mappings configuration for the
- * given subject strings and email addresses.
- */
-/* nlmills: TODO: log matches for debugging configs */
-/* nlmills: TODO: consider case-insensitve compare */
-/* nlmills: TODO: refactor into separate functions for each mapping type */
-static const char *find_account(const char *subject, const STACK *emails)
-{
- const struct server_configuration_s *config;
- PINT_llist_p mappings;
- struct security_mapping_s *mapping;
- regex_t regex;
- char *errbuf;
- int sz;
- const char *account = NULL;
- int ret;
-
- config = PINT_get_server_config();
-
- mappings = config->security_mappings;
- if (!mappings)
- {
- gossip_debug(GOSSIP_SECURITY_DEBUG, "No security mappings defined!\n");
- return NULL;
- }
-
- /* exits after the first match */
- for (mappings = mappings->next; mappings; mappings = mappings->next)
- {
- mapping = (struct security_mapping_s*)mappings->item;
- if (mapping->keyword == SECURITY_KEYWORD_EMAIL)
- {
- ret = sk_find((STACK*)emails, mapping->pattern);
- if (ret != -1)
- {
- gossip_debug(GOSSIP_SECURITY_DEBUG,
- "Matched email '%s' to account '%s'\n",
- sk_value(emails, ret),
- mapping->account);
- account = mapping->account;
- }
- }
- else if (mapping->keyword == SECURITY_KEYWORD_EMAIL_REGEX)
- {
- int i;
-
- ret = regcomp(®ex, mapping->pattern, REG_EXTENDED|REG_NOSUB);
- if (ret)
- {
- sz = regerror(ret, ®ex, NULL, 0);
- errbuf = calloc(sz, sizeof(char));
- if (errbuf)
- {
- regerror(ret, ®ex, errbuf, sz);
- gossip_err("Error compiling regular expression '%s': %s\n",
- mapping->pattern,
- errbuf);
- free(errbuf);
- }
- continue;
- }
-
- for (i = 0; i < sk_num(emails); i++)
- {
- ret = regexec(®ex, sk_value(emails, i), 0, NULL, 0);
- if (!ret)
- {
- gossip_debug(GOSSIP_SECURITY_DEBUG,
- "Matched pattern '%s' to email '%s' "
- "and account '%s'\n",
- mapping->pattern,
- sk_value(emails, i),
- mapping->account);
- account = mapping->account;
- break;
- }
- }
-
- regfree(®ex);
- }
- else if (mapping->keyword == SECURITY_KEYWORD_SUBJECT)
- {
- if (!strcmp(subject, mapping->pattern))
- {
- gossip_debug(GOSSIP_SECURITY_DEBUG,
- "Matched subject '%s' to account '%s'\n",
- subject,
- mapping->account);
- account = mapping->account;
- }
- }
- else if (mapping->keyword == SECURITY_KEYWORD_SUBJECT_REGEX)
- {
- ret = regcomp(®ex, mapping->pattern, REG_EXTENDED|REG_NOSUB);
- if (ret)
- {
- sz = regerror(ret, ®ex, NULL, 0);
- errbuf = calloc(sz, sizeof(char));
- if (errbuf)
- {
- regerror(ret, ®ex, errbuf, sz);
- gossip_err("Error compiling regular expression '%s': %s\n",
- mapping->pattern,
- errbuf);
- free(errbuf);
- }
- continue;
- }
- ret = regexec(®ex, subject, 0, NULL, 0);
- regfree(®ex);
- if (!ret)
- {
- gossip_debug(GOSSIP_SECURITY_DEBUG,
- "Matched pattern '%s' to subject '%s' "
- "and account '%s'\n",
- mapping->pattern,
- subject,
- mapping->account);
- account = mapping->account;
- }
- }
-
- /* match found */
- if (account)
- {
- break;
- }
- }
-
- return account;
}
Index: pint-security.h
===================================================================
RCS file: /projects/cvsroot/pvfs2/src/common/security/Attic/pint-security.h,v
diff -p -u -r1.1.2.28 -r1.1.2.29
--- pint-security.h 25 Aug 2009 17:56:05 -0000 1.1.2.28
+++ pint-security.h 21 May 2010 21:38:16 -0000 1.1.2.29
@@ -35,17 +35,6 @@ int PINT_init_credential(PVFS_credential
int PINT_sign_credential(PVFS_credential *cred);
int PINT_verify_credential(const PVFS_credential *cred);
-int PINT_verify_certificate(const char *certstr,
- const PVFS_signature signature,
- uint32_t sig_size);
-
-
-const char *PINT_lookup_account(const char *certstr);
-int PINT_lookup_userid(const char *account, PVFS_uid *userid);
-int PINT_lookup_groups(const char *account,
- PVFS_gid **group_array,
- uint32_t *num_groups);
-
#endif /* _PINT_SECURITY_H_ */