int
lu_fsctl_mount(struct fs_ctl *ctl){
int res;
struct file_system *fs;
if(!ctl->fs_ops)
return 0;
if(!(fs = new_fsinstance(ctl)))
return 0;
res = ctl->fs_ops->mount(fs->fs_context);
if(res){
ctl->fs_available = fs;
fs->fs_mounted = 1;
if(load_credentials(ctl, fs) < 0)
TRACE("could not load credentials.");
else
TRACE("credentials loaded.");
}else{
WARN("fs mount failed...");
free(fs);
}
return res;
}
// Use this to load the keys for a Nym (whether public or private), and then
// call VerifyPseudonym, and then load the actual Nymfile using
// LoadSignedNymfile.
bool Nym::LoadCredentials(
bool bLoadPrivate,
const OTPasswordData* pPWData,
const OTPassword* pImportPassword)
{
eLock lock(shared_lock_);
return load_credentials(lock);
}
// This version is run on the server side, and assumes only a Public Key.
// This code reads up the file, discards the bookends, and saves only the
// gibberish itself.
bool Nym::LoadPublicKey()
{
eLock lock(shared_lock_);
if (load_credentials(lock) && (m_mapCredentialSets.size() > 0)) {
return true;
}
LogVerbose(OT_METHOD)(__FUNCTION__)(": Failure. ").Flush();
return false;
}
/**
* Accept the GSI Authentication.
* @param sock the socket for communication.
* @param ctx the authorization context.
* @return the context identifier.
*/
bool
GSISocketServer::AcceptGSIAuthentication()
{
char *name = NULL;
long errorcode = 0;
int flags;
time_t curtime, starttime;
int ret, accept_status;
bool accept_timed_out = false;
int expected = 0;
BIO *bio = NULL;
char *cert_file, *user_cert, *user_key, *user_proxy;
char *serial=NULL;
cert_file = user_cert = user_key = user_proxy = NULL;
if (proxy_get_filenames(0, &cert_file, &cacertdir, &user_proxy, &user_cert, &user_key) == 0) {
(void)load_credentials(user_cert, user_key, &ucert, &own_stack, &upkey, NULL);
}
free(cert_file);
free(user_cert);
free(user_key);
free(user_proxy);
own_cert = ucert;
own_key = upkey;
ctx = SSL_CTX_new(SSLv23_method());
SSL_CTX_load_verify_locations(ctx, NULL, cacertdir);
SSL_CTX_use_certificate(ctx, ucert);
SSL_CTX_use_PrivateKey(ctx,upkey);
SSL_CTX_set_cipher_list(ctx, "ALL:!LOW:!EXP:!MD5:!MD2");
SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY);
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, proxy_verify_callback);
SSL_CTX_set_verify_depth(ctx, 100);
SSL_CTX_set_cert_verify_callback(ctx, proxy_app_verify_callback, 0);
if (own_stack) {
/*
* Certificate was a proxy with a cert. chain.
* Add the certificates one by one to the chain.
*/
X509_STORE_add_cert(ctx->cert_store, ucert);
for (int i = 0; i <sk_X509_num(own_stack); ++i) {
X509 *cert = (sk_X509_value(own_stack,i));
if (!X509_STORE_add_cert(ctx->cert_store, cert)) {
if (ERR_GET_REASON(ERR_peek_error()) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
ERR_clear_error();
continue;
}
else {
SetErrorOpenSSL("Cannot add certificate to the SSL context's certificate store");
goto err;
}
}
}
}
flags = fcntl(newsock, F_GETFL, 0);
(void)fcntl(newsock, F_SETFL, flags | O_NONBLOCK);
bio = BIO_new_socket(newsock, BIO_NOCLOSE);
(void)BIO_set_nbio(bio, 1);
ssl = SSL_new(ctx);
setup_SSL_proxy_handler(ssl, cacertdir);
writeb = bio->method->bwrite;
readb = bio->method->bread;
bio->method->bwrite = globusf_write;
bio->method->bread = globusf_read;
SSL_set_bio(ssl, bio, bio);
curtime = starttime = time(NULL);
ret = accept_status = -1;
expected = 0;
do {
ret = do_select(newsock, starttime, timeout, expected);
LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Select status: %d",ret);
curtime = time(NULL);
if (ret == 0){
LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Select timed out.");
if (curtime - starttime > timeout){
accept_timed_out = true;
break;
}else{
continue;
}
}
if (ret > 0) {
accept_status = SSL_accept(ssl);
curtime = time(NULL);
expected = errorcode = SSL_get_error(ssl, accept_status);
LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Accept status: %d",accept_status);
LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Error code: %d",errorcode);
LOGM(VARP, logh, LEV_DEBUG, T_PRE, "SSL_WANT_READ: %d, SSL_WANT_WRITE: %d",SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE);
}
if (ret < 0)
// No more data from the select
break;
if (accept_status == 1)
// SSL handshake completed
break;
if (timeout != -1 && (curtime - starttime > timeout)){
// Timeout reached
accept_timed_out = true;
break;
}
if (accept_status <= 0 && ( errorcode != SSL_ERROR_WANT_READ && errorcode != SSL_ERROR_WANT_WRITE ))
// SSL handshake error
break;
} while (true);
// Error enstabilishing context
if (accept_status != 1){
LOGM(VARP, logh, LEV_INFO, T_PRE, "Error enstabilishing SSL context.");
if (accept_timed_out){
SetError("SSL Handshake failed due to server timeout!");
}else{
SetErrorOpenSSL("SSL Handshake error:");
}
goto err;
}
// Context enstabilished
actual_cert = SSL_get_peer_certificate(ssl);
peer_stack = SSL_get_peer_cert_chain(ssl);
char buffer[1000];
// if (LogLevelMin(logh, LEV_DEBUG)) {
LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Certificate DN: %s",
X509_NAME_oneline(X509_get_subject_name(actual_cert), buffer, 999));
LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Certificate CA: %s",
X509_NAME_oneline(X509_get_issuer_name(actual_cert), buffer, 999));
LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Stack Size: %d", sk_X509_num(peer_stack));
// }
peer_cert = get_real_cert(actual_cert, peer_stack);
if (peer_cert) {
char *name = X509_NAME_oneline(X509_get_subject_name(peer_cert), NULL, 0);
own_subject = std::string(name);
OPENSSL_free(name);
}
if (LogLevelMin(logh, LEV_DEBUG)){
for (int i = 0; i < sk_X509_num(peer_stack); i++) {
X509 *cert = sk_X509_value(peer_stack, i);
LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Certificate DN: %s",
X509_NAME_oneline(X509_get_subject_name(cert), buffer, 999));
LOGM(VARP, logh, LEV_DEBUG, T_PRE, "Certificate CA: %s",
X509_NAME_oneline(X509_get_issuer_name(cert), buffer, 999));
}
}
name = X509_NAME_oneline(X509_get_subject_name(peer_cert), NULL, 0);
if (name)
peer_subject = std::string(name);
OPENSSL_free(name);
name = X509_NAME_oneline(X509_get_issuer_name(peer_cert), NULL, 0);
if (name)
peer_ca = std::string(name);
OPENSSL_free(name);
serial = get_peer_serial(actual_cert);
peer_serial = std::string(serial ? serial : "");
OPENSSL_free(serial);
return true;
err:
destroy_SSL_proxy_handler(ssl);
SSL_free(ssl);
SSL_CTX_free(ctx);
return false;
}
