static int
lka_X509_verify(struct ca_vrfy_req_msg *vrfy,
const char *CAfile, const char *CRLfile)
{
X509 *x509;
X509 *x509_tmp;
X509 *x509_tmp2;
STACK_OF(X509) *x509_chain;
const unsigned char *d2i;
size_t i;
int ret = 0;
const char *errstr;
x509 = NULL;
x509_tmp = NULL;
x509_chain = NULL;
d2i = vrfy->cert;
if (d2i_X509(&x509, &d2i, vrfy->cert_len) == NULL) {
x509 = NULL;
goto end;
}
if (vrfy->n_chain) {
x509_chain = sk_X509_new_null();
for (i = 0; i < vrfy->n_chain; ++i) {
d2i = vrfy->chain_cert[i];
if (d2i_X509(&x509_tmp, &d2i, vrfy->chain_cert_len[i]) == NULL) {
x509_tmp = NULL;
goto end;
}
if ((x509_tmp2 = X509_dup(x509_tmp)) == NULL)
goto end;
sk_X509_insert(x509_chain, x509_tmp2, i);
x509_tmp = x509_tmp2 = NULL;
}
}
if (! ca_X509_verify(x509, x509_chain, CAfile, NULL, &errstr))
log_debug("debug: lka: X509 verify: %s", errstr);
else
ret = 1;
end:
if (x509)
X509_free(x509);
if (x509_tmp)
X509_free(x509_tmp);
if (x509_chain)
sk_X509_pop_free(x509_chain, X509_free);
return ret;
}
int
myproxy_ocsp_set_responder_cert(const char *path) {
BIO * in = NULL;
X509 * x = NULL;
int count;
int rval = -1;
sk_X509_pop_free(responder_cert, X509_free);
responder_cert = NULL;
in = BIO_new(BIO_s_file_internal());
if (in == NULL || BIO_read_filename(in, path) <= 0) {
verror_put_string("error reading %s", path);
goto exit;
}
responder_cert = sk_X509_new_null();
if (!responder_cert) {
verror_put_string("sk_X509_new_null() failed in "
"myproxy_ocsp_set_responder_cert()");
goto exit;
}
for (count = 0; ; count++) {
x = PEM_read_bio_X509(in, NULL, NULL, NULL);
if (x == NULL) {
if ((ERR_GET_REASON(ERR_peek_error()) ==
PEM_R_NO_START_LINE) && (count > 0)) {
ERR_clear_error();
break;
} else {
verror_put_string("error reading %s", path);
goto exit;
}
}
sk_X509_insert(responder_cert,x,sk_X509_num(responder_cert));
x = NULL;
}
rval = 0; /* success */
exit:
if (in) BIO_free_all(in);
if (x) X509_free(x);
return rval;
}
static STACK_OF(X509) *
file_to_certs(const char *file)
{
unsigned long ret;
STACK_OF(X509) *certs;
FILE *f;
if ((f = fopen(file, "r")) == NULL) {
warn("open failed %s", file);
return NULL;
}
certs = sk_X509_new_null();
for (;;) {
X509 *cert;
cert = PEM_read_X509(f, NULL, NULL, NULL);
if (cert == NULL) {
ret = ERR_GET_REASON(ERR_peek_error());
if (ret == PEM_R_NO_START_LINE) {
/* End of file reached. no error */
ERR_clear_error();
break;
}
sk_X509_free(certs);
warnx("Can't read certificate in file: %s", file);
fclose(f);
return NULL;
}
sk_X509_insert(certs, cert, sk_X509_num(certs));
}
fclose(f);
if (sk_X509_num(certs) == 0) {
sk_X509_free(certs);
certs = NULL;
warnx("No certificate found in file %s", file);
}
return certs;
}
/*
* Main entry point.
*/
int
main(int argc, char *argv[])
{
const char *argv0;
int ch;
opts_t *opts;
char *natengine;
int pidfd = -1;
int rv = EXIT_FAILURE;
argv0 = argv[0];
opts = opts_new();
natengine = strdup(nat_getdefaultname());
while ((ch = getopt(argc, argv, OPT_g OPT_G OPT_Z
"k:c:C:K:t:OPs:e:Eu:j:p:l:L:S:dDVh")) != -1) {
switch (ch) {
case 'c':
if (opts->cacrt)
X509_free(opts->cacrt);
opts->cacrt = ssl_x509_load(optarg);
if (!opts->cacrt) {
fprintf(stderr, "%s: error loading CA "
"cert from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n",
strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
ssl_x509_refcount_inc(opts->cacrt);
sk_X509_insert(opts->chain, opts->cacrt, 0);
if (!opts->cakey) {
opts->cakey = ssl_key_load(optarg);
}
#ifndef OPENSSL_NO_DH
if (!opts->dh) {
opts->dh = ssl_dh_load(optarg);
}
#endif /* !OPENSSL_NO_DH */
break;
case 'k':
if (opts->cakey)
EVP_PKEY_free(opts->cakey);
opts->cakey = ssl_key_load(optarg);
if (!opts->cakey) {
fprintf(stderr, "%s: error loading CA "
"key from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n",
strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
if (!opts->cacrt) {
opts->cacrt = ssl_x509_load(optarg);
if (opts->cacrt) {
ssl_x509_refcount_inc(
opts->cacrt);
sk_X509_insert(opts->chain,
opts->cacrt, 0);
}
}
#ifndef OPENSSL_NO_DH
if (!opts->dh) {
opts->dh = ssl_dh_load(optarg);
}
#endif /* !OPENSSL_NO_DH */
break;
case 'C':
if (ssl_x509chain_load(NULL, &opts->chain,
optarg) == -1) {
fprintf(stderr, "%s: error loading "
"chain from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n",
strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
break;
case 'K':
if (opts->key)
EVP_PKEY_free(opts->key);
opts->key = ssl_key_load(optarg);
if (!opts->key) {
fprintf(stderr, "%s: error loading lea"
"f key from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n",
strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
#ifndef OPENSSL_NO_DH
if (!opts->dh) {
opts->dh = ssl_dh_load(optarg);
}
#endif /* !OPENSSL_NO_DH */
break;
case 't':
if (!sys_isdir(optarg)) {
fprintf(stderr, "%s: '%s' is not a "
"directory\n",
argv0, optarg);
exit(EXIT_FAILURE);
}
if (opts->tgcrtdir)
free(opts->tgcrtdir);
opts->tgcrtdir = strdup(optarg);
break;
case 'O':
opts->deny_ocsp = 1;
break;
case 'P':
opts->passthrough = 1;
break;
#ifndef OPENSSL_NO_DH
case 'g':
if (opts->dh)
DH_free(opts->dh);
opts->dh = ssl_dh_load(optarg);
if (!opts->dh) {
fprintf(stderr, "%s: error loading DH "
"params from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n",
strerror(errno));
} else {
ERR_print_errors_fp(stderr);
}
exit(EXIT_FAILURE);
}
break;
#endif /* !OPENSSL_NO_DH */
#ifndef OPENSSL_NO_ECDH
case 'G':
{
EC_KEY *ec;
if (opts->ecdhcurve)
free(opts->ecdhcurve);
if (!(ec = ssl_ec_by_name(optarg))) {
fprintf(stderr, "%s: unknown curve "
"'%s'\n",
argv0, optarg);
exit(EXIT_FAILURE);
}
EC_KEY_free(ec);
opts->ecdhcurve = strdup(optarg);
break;
}
#endif /* !OPENSSL_NO_ECDH */
#ifdef SSL_OP_NO_COMPRESSION
case 'Z':
opts->sslcomp = 0;
break;
#endif /* SSL_OP_NO_COMPRESSION */
case 's':
if (opts->ciphers)
free(opts->ciphers);
opts->ciphers = strdup(optarg);
break;
case 'e':
free(natengine);
natengine = strdup(optarg);
break;
case 'E':
nat_list_engines();
exit(EXIT_SUCCESS);
break;
case 'u':
if (opts->dropuser)
free(opts->dropuser);
opts->dropuser = strdup(optarg);
break;
case 'p':
if (opts->pidfile)
free(opts->pidfile);
opts->pidfile = strdup(optarg);
break;
case 'j':
if (opts->jaildir)
free(opts->jaildir);
opts->jaildir = strdup(optarg);
break;
case 'l':
if (opts->connectlog)
free(opts->connectlog);
opts->connectlog = strdup(optarg);
break;
case 'L':
if (opts->contentlog)
free(opts->contentlog);
opts->contentlog = strdup(optarg);
opts->contentlogdir = 0;
break;
case 'S':
if (opts->contentlog)
free(opts->contentlog);
opts->contentlog = strdup(optarg);
opts->contentlogdir = 1;
break;
case 'd':
opts->detach = 1;
break;
case 'D':
log_dbg_mode(LOG_DBG_MODE_ERRLOG);
opts->debug = 1;
break;
case 'V':
main_version();
exit(EXIT_SUCCESS);
case 'h':
main_usage();
exit(EXIT_SUCCESS);
case '?':
exit(EXIT_FAILURE);
default:
main_usage();
exit(EXIT_FAILURE);
}
}
argc -= optind;
argv += optind;
opts->spec = proxyspec_parse(&argc, &argv, natengine);
/* usage checks */
if (opts->detach && OPTS_DEBUG(opts)) {
fprintf(stderr, "%s: -d and -D are mutually exclusive.\n",
argv0);
exit(EXIT_FAILURE);
}
if (!opts->spec) {
fprintf(stderr, "%s: no proxyspec specified.\n", argv0);
exit(EXIT_FAILURE);
}
for (proxyspec_t *spec = opts->spec; spec; spec = spec->next) {
if (spec->connect_addrlen || spec->sni_port)
continue;
if (!spec->natengine) {
fprintf(stderr, "%s: no supported NAT engines "
"on this platform.\n"
"Only static addr and SNI proxyspecs "
"supported.\n", argv0);
exit(EXIT_FAILURE);
}
if (spec->listen_addr.ss_family == AF_INET6 &&
!nat_ipv6ready(spec->natengine)) {
fprintf(stderr, "%s: IPv6 not supported by '%s'\n",
argv0, spec->natengine);
exit(EXIT_FAILURE);
}
spec->natlookup = nat_getlookupcb(spec->natengine);
spec->natsocket = nat_getsocketcb(spec->natengine);
}
if (opts_has_ssl_spec(opts)) {
if ((opts->cacrt || !opts->tgcrtdir) && !opts->cakey) {
fprintf(stderr, "%s: no CA key specified (-k).\n",
argv0);
exit(EXIT_FAILURE);
}
if (opts->cakey && !opts->cacrt) {
fprintf(stderr, "%s: no CA cert specified (-c).\n",
argv0);
exit(EXIT_FAILURE);
}
if (opts->cakey && opts->cacrt &&
(X509_check_private_key(opts->cacrt, opts->cakey) != 1)) {
fprintf(stderr, "%s: CA cert does not match key.\n",
argv0);
ERR_print_errors_fp(stderr);
exit(EXIT_FAILURE);
}
}
/* prevent multiple instances running */
if (opts->pidfile) {
pidfd = sys_pidf_open(opts->pidfile);
if (pidfd == -1) {
fprintf(stderr, "%s: cannot open PID file '%s' "
"- process already running?\n",
argv0, opts->pidfile);
exit(EXIT_FAILURE);
}
}
/* dynamic defaults */
if (!opts->ciphers) {
opts->ciphers = strdup("ALL:-aNULL");
if (!opts->ciphers) {
fprintf(stderr, "%s: out of memory.\n", argv0);
exit(EXIT_FAILURE);
}
}
if (!opts->jaildir && (geteuid() == 0) && !opts->contentlogdir) {
opts->jaildir = strdup("/var/empty");
}
if (!opts->dropuser && !geteuid() && !getuid() &&
!opts->contentlogdir) {
opts->dropuser = strdup("nobody");
}
if (opts_has_ssl_spec(opts) && !opts->key) {
opts->key = ssl_key_genrsa(1024);
if (!opts->key) {
fprintf(stderr, "%s: error generating RSA key:\n",
argv0);
ERR_print_errors_fp(stderr);
exit(EXIT_FAILURE);
}
if (OPTS_DEBUG(opts)) {
log_dbg_printf("Generated RSA key for leaf certs.\n");
}
}
/* debugging */
if (OPTS_DEBUG(opts)) {
main_version();
log_dbg_printf("proxyspecs:\n");
for (proxyspec_t *spec = opts->spec; spec; spec = spec->next) {
char *lbuf, *cbuf = NULL;
lbuf = sys_sockaddr_str((struct sockaddr *)
&spec->listen_addr,
spec->listen_addrlen);
if (spec->connect_addrlen) {
cbuf = sys_sockaddr_str((struct sockaddr *)
&spec->connect_addr,
spec->connect_addrlen);
}
if (spec->sni_port) {
asprintf(&cbuf, "sni %i", spec->sni_port);
}
log_dbg_printf("- %s %s %s %s\n", lbuf,
(spec->ssl ? "ssl" : "tcp"),
(spec->http ? "http" : "plain"),
(spec->natengine ? spec->natengine
: cbuf));
if (lbuf)
free(lbuf);
if (cbuf)
free(cbuf);
}
if (opts->cacrt) {
char *subj = ssl_x509_subject(opts->cacrt);
log_dbg_printf("Loaded CA: '%s'\n", subj);
free(subj);
#ifdef DEBUG_CERTIFICATE
log_dbg_print_free(ssl_x509_to_str(opts->cacrt));
log_dbg_print_free(ssl_x509_to_pem(opts->cacrt));
#endif /* DEBUG_CERTIFICATE */
} else {
log_dbg_printf("No CA loaded.\n");
}
}
/*
* Initialize as much as possible before daemon() in order to be
* able to provide direct feedback to the user when failing.
*/
if (cachemgr_preinit() == -1) {
fprintf(stderr, "%s: failed to preinit cachemgr.\n", argv0);
exit(EXIT_FAILURE);
}
if (log_preinit(opts) == -1) {
fprintf(stderr, "%s: failed to preinit logging.\n", argv0);
exit(EXIT_FAILURE);
}
if (nat_preinit() == -1) {
fprintf(stderr, "%s: failed to preinit NAT lookup.\n", argv0);
exit(EXIT_FAILURE);
}
/* Bind listeners before dropping privileges */
proxy_ctx_t *proxy = proxy_new(opts);
if (!proxy) {
fprintf(stderr, "%s: failed to initialize proxy.\n", argv0);
exit(EXIT_FAILURE);
}
/* Drop privs, chroot, detach from TTY */
if (sys_privdrop(opts->dropuser, opts->jaildir) == -1) {
fprintf(stderr, "%s: failed to drop privileges: %s\n",
argv0, strerror(errno));
exit(EXIT_FAILURE);
}
if (opts->detach) {
if (OPTS_DEBUG(opts)) {
log_dbg_printf("Detaching from TTY, see syslog for "
"errors after this point\n");
}
if (daemon(1, 0) == -1) {
fprintf(stderr, "%s: failed to detach from TTY: %s\n",
argv0, strerror(errno));
exit(EXIT_FAILURE);
}
log_err_mode(LOG_ERR_MODE_SYSLOG);
ssl_reinit();
}
/* Post-privdrop/chroot/detach initialization, thread spawning */
if (log_init(opts) == -1) {
fprintf(stderr, "%s: failed to init log facility.\n", argv0);
goto out_log_failed;
}
if (opts->pidfile && (sys_pidf_write(pidfd) == -1)) {
log_err_printf("Failed to write PID to PID file '%s': %s\n",
opts->pidfile, strerror(errno));
goto out_pidwrite_failed;
}
if (cachemgr_init() == -1) {
log_err_printf("Failed to init cache manager.\n");
goto out_cachemgr_failed;
}
if (nat_init() == -1) {
log_err_printf("Failed to init NAT state table lookup.\n");
goto out_nat_failed;
}
if (opts->tgcrtdir) {
sys_dir_eachfile(opts->tgcrtdir, main_loadtgcrt, opts);
}
rv = EXIT_SUCCESS;
proxy_run(proxy);
proxy_free(proxy);
nat_fini();
out_nat_failed:
cachemgr_fini();
out_cachemgr_failed:
if (opts->pidfile) {
sys_pidf_close(pidfd, opts->pidfile);
}
out_pidwrite_failed:
log_fini();
out_log_failed:
opts_free(opts);
ssl_fini();
return rv;
}
/**
* This function copies a globus_gsi_callback_data_t.
* @ingroup globus_gsi_callback_data
*
* @param source
* The structure to be copied
* @param dest
* The destination of the copy
*
* @return
* GLOBUS_SUCCESS unless an error occurred, in which case,
* a globus error object ID is returned
*/
globus_result_t
globus_gsi_callback_data_copy(
globus_gsi_callback_data_t source,
globus_gsi_callback_data_t * dest)
{
int index;
globus_result_t result = GLOBUS_SUCCESS;
static char * _function_name_ =
"globus_gsi_callback_data_copy";
GLOBUS_I_GSI_CALLBACK_DEBUG_ENTER;
if(!source)
{
GLOBUS_GSI_CALLBACK_ERROR_RESULT(
result,
GLOBUS_GSI_CALLBACK_ERROR_CALLBACK_DATA,
(_CLS("NULL callback data source parameter passed to function: %s"),
_function_name_));
goto exit;
}
if(!dest)
{
GLOBUS_GSI_CALLBACK_ERROR_RESULT(
result,
GLOBUS_GSI_CALLBACK_ERROR_CALLBACK_DATA,
(_CLS("NULL callback data dest parameter passed to function: %s"),
_function_name_));
goto exit;
}
globus_gsi_callback_data_init(dest);
(*dest)->cert_depth = source->cert_depth;
(*dest)->proxy_depth = source->proxy_depth;
(*dest)->cert_type = source->cert_type;
(*dest)->cert_chain = sk_X509_new_null();
for(index = 0; index < sk_X509_num(source->cert_chain); ++index)
{
if(!sk_X509_insert((*dest)->cert_chain,
X509_dup(sk_X509_value(source->cert_chain, index)),
index))
{
GLOBUS_GSI_CALLBACK_OPENSSL_ERROR_RESULT(
result,
GLOBUS_GSI_CALLBACK_ERROR_CERT_CHAIN,
(_CLS("Couldn't copy cert chain from callback data")));
goto exit;
}
}
(*dest)->cert_dir = strdup(source->cert_dir);
(*dest)->extension_cb = source->extension_cb;
/* just copy the pointer location - these get created
* and destroyed in gss code
*/
(*dest)->extension_oids = source->extension_oids;
(*dest)->error = source->error;
exit:
GLOBUS_I_GSI_CALLBACK_DEBUG_EXIT;
return result;
}
int load_config() {
string tmp;
vector<string> splited;
int tmpSize, tmpPort;
if(configFilePath[0] == '\0') {
strcpy(configFilePath, DEFAULT_CONFIG_FILE_PATH);
}
if(!options.read_options_file(configFilePath)) {
log_message(ERROR_LOG, "Couldn't read configuration file %s.", configFilePath);
return 1;
}
tmp = options["logLevel"];
config.logLevel = atoi(tmp.c_str());
tmp = options["maxClients"];
config.maxClients = atoi(tmp.c_str());
config.logFilePath = options["logFilePath"];
tmp = options["bindPort"];
config.bindPort = atoi(tmp.c_str());
tmp = options["sslPorts"];
splited = split(tmp, ',');
tmpSize = splited.size();
for(int i=0; i<tmpSize; i++) {
tmpPort = atoi(splited.at(i).c_str());
if((tmpPort >= 0) && (tmpPort <= 65535)) {
config.sslPorts.push_back(tmpPort);
}
}
/* load certificate */
tmp = options["cacrt"];
config.cacrt = ssl_x509_load(tmp.c_str());
if(!config.cacrt) {
log_message(ERROR_LOG, "Could not loading ca crt %s.", tmp.c_str());
return 1;
}
config.chain = sk_X509_new_null();
ssl_x509_refcount_inc(config.cacrt);
sk_X509_insert(config.chain, config.cacrt, 0);
tmp = options["cakey"];
config.cakey = ssl_key_load(tmp.c_str());
if (!config.cakey) {
log_message(ERROR_LOG, "Could not loading ca key %s.", tmp.c_str());
return 1;
}
tmp = options["leafkey"];
config.key = ssl_key_load(tmp.c_str());
if (!config.key) {
log_message(ERROR_LOG, "Could not loading leaf key %s.", tmp.c_str());
return 1;
}
config.ciphers = strdup("ALL:-aNULL");
if (!config.ciphers) {
log_message(ERROR_LOG, "Could not malloc ciphers.");
return 1;
}
tmp = options["contentLogDir"];
config.contentLogDir = strdup(tmp.c_str());
if (!config.contentLogDir) {
log_message(ERROR_LOG, "Could not malloc contentLogDir.");
return 1;
}
if (!sys_isdir(config.contentLogDir)) {
log_message(ERROR_LOG, "%s is not a directory.", config.contentLogDir);
return 1;
}
return 0;
}
