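/* XXX Should check for expiration? */
 done:
    if (creds_path) free(creds_path);
    if (data_path) free(data_path);
    if (lock_path) free(lock_path);
    return rc;
}

/*
 * Report whether client_name is the recorded owner of the credential
 * stored under username/credname.
 *
 * Returns 1 if the owner recorded in the data file equals client_name,
 * 0 if it does not, and -1 on error (bad arguments, no storage locations,
 * unreadable data file, or a data file with no owner recorded).
 */
int
myproxy_creds_is_owner(const char *username, const char *credname,
                       const char *client_name)
{
    char *creds_path = NULL;
    char *data_path = NULL;
    char *lock_path = NULL;
    struct myproxy_creds retrieved_creds = {0}; /* initialize with 0s */
    int return_code = -1;

    assert(username != NULL);
    assert(client_name != NULL);
    /* assert() is compiled out under NDEBUG, so keep a runtime guard that
     * reports EINVAL like the other entry points in this file. */
    if (username == NULL || client_name == NULL) {
        verror_put_errno(EINVAL);
        return -1;
    }

    if (get_storage_locations(username, credname,
                              &creds_path, &data_path, &lock_path) == -1) {
        goto error;
    }
    if (read_data_file(&retrieved_creds, data_path) == -1) {
        goto error;
    }

    /* A data file that records no owner cannot establish ownership; report
     * an error instead of handing NULL to strcmp(). */
    if (retrieved_creds.owner_name == NULL) {
        verror_put_string("credentials data file %s has no owner", data_path);
        goto error;
    }
    return_code = (strcmp(retrieved_creds.owner_name, client_name) == 0) ? 1 : 0;

 error:
    myproxy_creds_free_contents(&retrieved_creds);
    free(creds_path);
    free(data_path);
    free(lock_path);
    return return_code;
}

/*
 * Remove a stored credential: its data file, its credential file and, if
 * present, its lock file.
 *
 * Returns 0 on success, -1 on error.  The data file is removed first; if
 * destroying the credential file then fails, the data file is already gone
 * (this ordering is unchanged from the original implementation).
 */
int
myproxy_creds_delete(const struct myproxy_creds *creds)
{
    char *creds_path = NULL;
    char *data_path = NULL;
    char *lock_path = NULL;
    int return_code = -1;

    if ((creds == NULL) || (creds->username == NULL)) {
        verror_put_errno(EINVAL);
        return -1;
    }

    if (get_storage_locations(creds->username, creds->credname,
                              &creds_path, &data_path, &lock_path) == -1) {
        goto error;
    }

    if (unlink(data_path) == -1) {
        int saved_errno = errno; /* verror calls may clobber errno */

        if (saved_errno == ENOENT) {
            verror_put_string("Credentials do not exist.");
        } else {
            verror_put_errno(saved_errno);
            verror_put_string("deleting credentials data file %s: %s",
                              data_path, verror_strerror());
        }
        goto error;
    }

    if (ssl_proxy_file_destroy(creds_path) != SSL_SUCCESS) {
        verror_put_string("deleting credentials file %s", creds_path);
        goto error;
    }

    unlink(lock_path); /* may not exist */

    /* Success */
    return_code = 0;

 error:
    free(creds_path);
    free(data_path);
    free(lock_path);
    return return_code;
}

/*
 * Lock a stored credential by writing `reason` into its lock file.
 *
 * Returns 0 on success, -1 on error.  A write or close failure on the lock
 * file is reported as an error: the reason text is what later readers see
 * as the lock message, so a short or unflushed write must not count as a
 * successful lock.
 */
int
myproxy_creds_lock(const struct myproxy_creds *creds, const char *reason)
{
    char *creds_path = NULL;
    char *data_path = NULL;
    char *lock_path = NULL;
    int return_code = -1;
    FILE *lockfile = NULL;
    int write_failed = 0;
    int saved_errno = 0;

    if ((creds == NULL) || (creds->username == NULL) || (reason == NULL)) {
        verror_put_errno(EINVAL);
        return -1;
    }

    if (get_storage_locations(creds->username, creds->credname,
                              &creds_path, &data_path, &lock_path) == -1) {
        goto error;
    }

    lockfile = fopen(lock_path, "w");
    if (!lockfile) {
        verror_put_errno(errno);
        verror_put_string("Error opening lockfile for writing");
        goto error;
    }

    /* fputs() writes exactly what fprintf("%s") wrote; both results are
     * checked because fclose() is where buffered data actually hits disk. */
    if (fputs(reason, lockfile) == EOF) {
        saved_errno = errno;
        write_failed = 1;
    }
    if (fclose(lockfile) != 0 && !write_failed) {
        saved_errno = errno;
        write_failed = 1;
    }
    lockfile = NULL;
    if (write_failed) {
        verror_put_errno(saved_errno);
        verror_put_string("Error writing lockfile %s", lock_path);
        goto error;
    }

    /* Success */
    return_code = 0;

 error:
    free(creds_path);
    free(data_path);
    free(lock_path);
    return return_code;
}

/*
 * Unlock a stored credential by removing its lock file.
 *
 * Returns 0 on success (including when no lock file existed), -1 on error.
 * An unlink failure other than ENOENT means the lock is still in place, so
 * it is reported rather than ignored.
 */
int
myproxy_creds_unlock(const struct myproxy_creds *creds)
{
    char *creds_path = NULL;
    char *data_path = NULL;
    char *lock_path = NULL;
    int return_code = -1;

    if ((creds == NULL) || (creds->username == NULL)) {
        verror_put_errno(EINVAL);
        return -1;
    }

    if (get_storage_locations(creds->username, creds->credname,
                              &creds_path, &data_path, &lock_path) == -1) {
        goto error;
    }

    if (unlink(lock_path) == -1 && errno != ENOENT) {
        int saved_errno = errno;

        verror_put_errno(saved_errno);
        verror_put_string("deleting lockfile %s: %s",
                          lock_path, verror_strerror());
        goto error;
    }

    /* Success */
    return_code = 0;

 error:
    free(creds_path);
    free(data_path);
    free(lock_path);
    return return_code;
}

/* Server password change function - called from myproxy_server.
   Checks existing password before changing it */
/*
 * Re-encrypt a stored credential under new_passphrase.
 *
 * creds->passphrase must be the current passphrase: loading the credential
 * with it is the "check existing password" step.  Returns 0 on success, -1
 * on error.  The stored files are removed before the rewritten ones are
 * created, so a failure between the two deletions and the two writes leaves
 * no credential on disk (unchanged from the original design).
 */
int
myproxy_creds_change_passphrase(const struct myproxy_creds *creds,
                                const char *new_passphrase)
{
    char *creds_path = NULL;
    char *data_path = NULL;
    char *lock_path = NULL;
    mode_t data_file_mode = FILE_MODE;
    struct myproxy_creds tmp_creds = {0}; /* initialize with 0s */
    int return_code = -1;
    SSL_CREDENTIALS *ssl_creds = NULL;

    if ((creds == NULL) || (creds->username == NULL)) {
        verror_put_errno(EINVAL);
        goto error;
    }

    if (get_storage_locations(creds->username, creds->credname,
                              &creds_path, &data_path, &lock_path) == -1) {
        goto error;
    }

    /* Loading with the caller-supplied passphrase fails if it is wrong. */
    if ((ssl_creds = ssl_credentials_new()) == NULL) {
        goto error;
    }
    if (ssl_proxy_load_from_file(ssl_creds, creds_path,
                                 creds->passphrase) != SSL_SUCCESS) {
        goto error;
    }

    if (read_data_file(&tmp_creds, data_path) == -1) {
        goto error;
    }

    /* Remove and rewrite with modified password. Crude but works.
     * From here until both writes below succeed there is no credential on
     * disk. */
    if (unlink(data_path) == -1) {
        int saved_errno = errno;

        verror_put_errno(saved_errno);
        verror_put_string("deleting credentials data file %s: %s",
                          data_path, verror_strerror());
        goto error;
    }
    if (ssl_proxy_file_destroy(creds_path) != SSL_SUCCESS) {
        verror_put_string("deleting credentials file %s", creds_path);
        goto error;
    }

    /* overwrite old passphrase with new.  The old value was allocated by
     * read_data_file (myproxy_creds_free_contents frees this member), so it
     * is released first rather than leaked.
     * NOTE(review): whether write_data_file records this member at all, and
     * in what form, is not visible here -- confirm it is never written in
     * clear. */
    if (new_passphrase != NULL) {
        free(tmp_creds.passphrase);
        tmp_creds.passphrase = strdup(new_passphrase);
        if (tmp_creds.passphrase == NULL) {
            verror_put_errno(errno);
            verror_put_string("strdup() failed");
            goto error;
        }
    }

    if (write_data_file(&tmp_creds, data_path, data_file_mode) == -1) {
        verror_put_string("Error writing data file");
        goto error;
    }

    if (ssl_proxy_store_to_file(ssl_creds, creds_path,
                                new_passphrase) != SSL_SUCCESS) {
        goto error;
    }

    /* Success */
    return_code = 0;

 error:
    myproxy_creds_free_contents(&tmp_creds);
    ssl_credentials_destroy(ssl_creds);
    free(creds_path);
    free(data_path);
    free(lock_path);
    return return_code;
}

/*
 * Report whether the stored private key is encrypted.
 *
 * Returns the result of ssl_private_key_is_encrypted() on the credential
 * file, or -1 if the arguments are invalid or the storage locations cannot
 * be determined.
 */
int
myproxy_creds_encrypted(const struct myproxy_creds *creds)
{
    char *creds_path = NULL;
    char *data_path = NULL;
    char *lock_path = NULL;
    int rc = -1;

    if ((creds == NULL) || (creds->username == NULL)) {
        verror_put_errno(EINVAL);
        goto error;
    }

    if (get_storage_locations(creds->username, creds->credname,
                              &creds_path, &data_path, &lock_path) == -1) {
        goto error;
    }

    rc = ssl_private_key_is_encrypted(creds_path);

 error:
    free(creds_path);
    free(data_path);
    free(lock_path);
    return rc;
}

/*
 * Check a passphrase against a stored credential.
 *
 * Returns 1 if the passphrase is accepted, 0 if it is rejected, -1 on error
 * (bad arguments or no storage locations).
 */
int
myproxy_creds_verify_passphrase(const struct myproxy_creds *creds,
                                const char *passphrase)
{
    char *creds_path = NULL;
    char *data_path = NULL;
    char *lock_path = NULL;
    char *tmp = NULL;
    int return_code = -1;
    SSL_CREDENTIALS *ssl_creds = NULL;

    if ((creds == NULL) || (creds->username == NULL) || (passphrase == NULL)) {
        verror_put_errno(EINVAL);
        goto error;
    }

    if (get_storage_locations(creds->username, creds->credname,
                              &creds_path, &data_path, &lock_path) == -1) {
        goto error;
    }

    /*
     * Verify the passphrase here.
     * If the private key is encrypted, verify the passphrase by attempting
     * to decrypt.
     * Otherwise, if we have a crypted passphrase in the myproxy_creds
     * struct, verify against that (for backwards compatibility).
     *
     * Note that the legacy branch also runs when the key is encrypted but
     * does not decrypt with `passphrase`; a stale crypted passphrase in the
     * data file would then still be accepted.
     */
    if (ssl_private_key_is_encrypted(creds_path) == 1 &&
        (ssl_creds = ssl_credentials_new()) != NULL &&
        ssl_private_key_load_from_file(ssl_creds, creds_path,
                                       passphrase, NULL) == SSL_SUCCESS) {
        return_code = 1;
    } else {
        /* The salt is taken from the tail of owner_name, so the legacy
         * check needs an owner name of at least three characters; the
         * original indexed owner_name without checking either. */
        size_t owner_len = (creds->owner_name != NULL) ?
                           strlen(creds->owner_name) : 0;

        return_code = 0;
        if (creds->passphrase != NULL &&
            owner_len >= 3 &&
            strlen(passphrase) >= MIN_PASS_PHRASE_LEN &&
            (tmp = (char *)des_crypt(passphrase,
                                     &creds->owner_name[owner_len - 3])) != NULL &&
            strcmp(creds->passphrase, tmp) == 0) {
            return_code = 1;
        }
    }

 error:
    ssl_credentials_destroy(ssl_creds);
    free(creds_path);
    free(data_path);
    free(lock_path);
    return return_code;
}

/*
 * Free a whole myproxy_creds list, contents and nodes.
 *
 * Iterates instead of recursing on `next` so a long list cannot exhaust the
 * stack.  `next` is saved before myproxy_creds_free_contents() zeroes the
 * node.
 */
void
myproxy_creds_free(struct myproxy_creds *creds)
{
    while (creds != NULL) {
        struct myproxy_creds *next = creds->next;

        myproxy_creds_free_contents(creds);
        free(creds);
        creds = next;
    }
}

/*
 * Release every heap-owned string in a myproxy_creds and zero the struct
 * (which also clears `next`; the caller is responsible for the list).
 *
 * NOTE(review): the struct also carries a lockmsg member (printed by
 * myproxy_print_cred_info) that is not released here -- confirm whether it
 * is heap-owned and, if so, free it too.
 */
void
myproxy_creds_free_contents(struct myproxy_creds *creds)
{
    if (creds == NULL) {
        return;
    }
    /* free(NULL) is a no-op, so no per-member NULL checks are needed. */
    free(creds->username);
    free(creds->passphrase);
    free(creds->owner_name);
    free(creds->location);
    free(creds->retrievers);
    free(creds->keyretrieve);
    free(creds->trusted_retrievers);
    free(creds->renewers);
    free(creds->credname);
    free(creds->creddesc);
    memset(creds, 0, sizeof(*creds));
}

/*
 * Free a whole myproxy_certs list: each node's filename and contents, then
 * the node itself.  Iterative for the same reason as myproxy_creds_free().
 */
void
myproxy_certs_free(struct myproxy_certs *certs)
{
    while (certs != NULL) {
        struct myproxy_certs *next = certs->next;

        free(certs->filename);
        free(certs->contents);
        free(certs);
        certs = next;
    }
}

/*
 * Replace the file-scope storage directory with a copy of `dir`.
 *
 * Returns 0 on success, -1 on error.  A NULL `dir` is rejected with EINVAL
 * instead of being passed to strdup().  On a strdup() failure the previous
 * value has already been released and storage_dir is left NULL.
 */
int
myproxy_set_storage_dir(const char *dir)
{
    if (dir == NULL) {
        verror_put_errno(EINVAL);
        return -1;
    }

    free(storage_dir);
    storage_dir = NULL;

    storage_dir = strdup(dir);
    if (!storage_dir) {
        verror_put_errno(errno);
        verror_put_string("strdup() failed");
        return -1;
    }
    return 0;
}

/* Validate the storage directory; returns check_storage_directory()'s result. */
int
myproxy_check_storage_dir(void)
{
    return check_storage_directory();
}

/*
 * Return the storage directory path, or NULL if check_storage_directory()
 * reports a problem.  The pointer is owned by this file; do not free it.
 */
const char *
myproxy_get_storage_dir(void)
{
    if (check_storage_directory() < 0) {
        return NULL;
    }
    return storage_dir;
}

/*
 * Print a human-readable summary of each credential in the list to `out`.
 *
 * Returns 0 on success, -1 if `creds` or `out` is NULL.  Remaining lifetime
 * is printed as h:mm:ss, plus a day count when more than one day remains;
 * an already-expired credential prints 0:00:00.
 */
int
myproxy_print_cred_info(myproxy_creds_t *creds, FILE *out)
{
    if (!creds || !out) {
        return -1;
    }

    for (; creds; creds = creds->next) {
        time_t time_diff = 0, now = 0;
        double days = 0.0;
        long hours, minutes, seconds;

        if (creds->owner_name) {
            fprintf(out, "owner: %s\n", creds->owner_name);
        }
        if (creds->username) {
            fprintf(out, "username: %s\n", creds->username);
        }
        if (creds->credname) {
            fprintf(out, " name: %s\n", creds->credname);
        }
        if (creds->creddesc) {
            fprintf(out, " description: %s\n", creds->creddesc);
        }
        if (creds->retrievers) {
            fprintf(out, " retrieval policy: %s\n", creds->retrievers);
        }
        if (creds->renewers) {
            fprintf(out, " renewal policy: %s\n", creds->renewers);
        }
        if (creds->keyretrieve) {
            fprintf(out, " key retrieval policy: %s\n", creds->keyretrieve);
        }
        if (creds->trusted_retrievers) {
            fprintf(out, " trusted retrieval policy: %s\n",
                    creds->trusted_retrievers);
        }
        if (creds->lockmsg) {
            fprintf(out, " locked: %s\n", creds->lockmsg);
        }

        now = time(0);
        if (creds->end_time > now) {
            time_diff = creds->end_time - now;
            days = time_diff / 86400.0;
        }
        hours = (long)(time_diff / 3600);
        minutes = (long)(time_diff % 3600) / 60;
        seconds = (long)time_diff % 60;
        fprintf(out, " timeleft: %ld:%02ld:%02ld", hours, minutes, seconds);
        if (days > 1.0) {
            fprintf(out, " (%.1f days)\n", days);
        } else {
            fprintf(out, "\n");
        }
    }
    return 0;
}

/*
 * Read every entry of cert_dir (except "." and "..") into a new
 * myproxy_certs list, one node per entry with its filename and contents.
 *
 * Returns the list head, or NULL on error (nothing allocated is leaked and
 * the directory handle is closed on every path).  Allocation failures and
 * over-long paths are reported instead of dereferencing NULL or overflowing
 * the fixed path buffer as the original did.
 */
myproxy_certs_t *
myproxy_get_certs(const char cert_dir[])
{
    DIR *dir = NULL;
    struct dirent *de = NULL;
    myproxy_certs_t *head = NULL, *curr = NULL;
    char path[MAXPATHLEN];

    if ((dir = opendir(cert_dir)) == NULL) {
        verror_put_string("failed to open %s", cert_dir);
        return NULL;
    }

    while ((de = readdir(dir)) != NULL) {
        myproxy_certs_t *node = NULL;
        int len;

        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) {
            continue;
        }

        /* calloc() gives a zeroed node (next == NULL); link it in at once so
         * myproxy_certs_free(head) releases it on any later failure. */
        node = calloc(1, sizeof(*node));
        if (node == NULL) {
            verror_put_errno(errno);
            verror_put_string("malloc() failed");
            goto failure;
        }
        if (curr == NULL) {
            head = node;
        } else {
            curr->next = node;
        }
        curr = node;

        curr->filename = strdup(de->d_name);
        if (curr->filename == NULL) {
            verror_put_errno(errno);
            verror_put_string("strdup() failed");
            goto failure;
        }

        len = snprintf(path, sizeof(path), "%s/%s", cert_dir, curr->filename);
        if (len < 0 || (size_t)len >= sizeof(path)) {
            verror_put_string("path too long: %s/%s", cert_dir, curr->filename);
            goto failure;
        }

        if (buffer_from_file(path, (unsigned char **)&curr->contents,
                             NULL) < 0) {
            goto failure;
        }
    }

    closedir(dir);
    return head;

 failure:
    closedir(dir);
    myproxy_certs_free(head);
    return NULL;
}

/*
** Install a list of files in trusted certificates directory.
*/
#define TRUSTED_INSTALL_LOG "myproxy-install-log"

/*
 * Write each entry of trusted_certs into the trusted-certificates directory
 * and record each file written in TRUSTED_INSTALL_LOG.
 *
 * Returns 0 on success (including an empty list), -1 on error.  Entries
 * with a missing filename/contents, or whose filename is not a bare file
 * name, are skipped; an entry whose file cannot be opened or fully written
 * is skipped as well (a partially written file is removed), so the return
 * value does not say that every entry was installed -- the log does.
 */
int
myproxy_install_trusted_cert_files(myproxy_certs_t *trusted_certs)
{
    myproxy_certs_t *trusted_cert = NULL;
    char *file_path = NULL;
    FILE *file = NULL;
    char *log_file_name = NULL;
    FILE *log_file = NULL;

    if (trusted_certs == NULL) {
        return 0;
    }

    /* Make writable only by user.
     * NOTE: this replaces the process-wide umask for the rest of the process
     * (it neither tightens an existing stricter mask nor restores the old
     * one); kept as-is because callers may depend on that. */
    umask(S_IWGRP|S_IWOTH);

    if (check_trusted_certs_dir() != 0) {
        goto error;
    }

    log_file_name = get_trusted_file_path(TRUSTED_INSTALL_LOG);
    if (log_file_name == NULL) {
        goto error;
    }

    myproxy_debug("Writing out trusted certificate files. Logging to %s\n",
                  log_file_name);

    log_file = fopen(log_file_name, "w");
    if (log_file == NULL) {
        verror_put_errno(errno);
        verror_put_string("fopen(%s)", log_file_name);
        goto error;
    }

    for (trusted_cert = trusted_certs;
         trusted_cert != NULL;
         trusted_cert = trusted_cert->next) {
        int write_failed = 0;
        int saved_errno = 0;

        /*
        ** Sanity check structure
        */
        if ((trusted_cert->filename == NULL) ||
            (trusted_cert->contents == NULL)) {
            myproxy_debug("Malformed trusted_cert ignored.\n");
            continue;
        }

        /* The name is joined onto the trusted-certs directory; only a bare
         * file name can stay inside it.  Where the list originates is not
         * visible here, so this is checked regardless. */
        if (trusted_cert->filename[0] == '\0' ||
            strchr(trusted_cert->filename, '/') != NULL) {
            myproxy_debug("Ignoring trusted_cert with unsafe filename: %s\n",
                          trusted_cert->filename);
            continue;
        }

        file_path = get_trusted_file_path(trusted_cert->filename);
        if (file_path == NULL) {
            goto error;
        }

        myproxy_debug("Creating trusted cert file: %s\n", file_path);

        file = fopen(file_path, "w");
        if (file == NULL) {
            myproxy_debug("Error opening \"%s\": %s\n",
                          file_path, strerror(errno));
            free(file_path);
            file_path = NULL;
            continue;
        }

        /* Check both the write and the close: fclose() is where buffered
         * data reaches the file, and a truncated trust anchor is worse than
         * a missing one, so a failed file is removed and not logged. */
        if (fputs(trusted_cert->contents, file) == EOF) {
            saved_errno = errno;
            write_failed = 1;
        }
        if (fclose(file) != 0 && !write_failed) {
            saved_errno = errno;
            write_failed = 1;
        }
        file = NULL;

        if (write_failed) {
            myproxy_debug("Error writing \"%s\": %s\n",
                          file_path, strerror(saved_errno));
            unlink(file_path);
        } else {
            /* time_t is not necessarily long; cast to match %ld. */
            fprintf(log_file, "%ld: %s\n", (long)time(NULL), file_path);
        }

        free(file_path);
        file_path = NULL;
    }

    free(log_file_name);
    /* The install log is advisory; a close failure does not undo the files
     * already written, so it is not treated as an error here. */
    fclose(log_file);

    myproxy_debug("Trusted cert file writing complete.\n");

    return 0;

 error:
    /* The original leaked log_file on this path. */
    if (log_file != NULL) {
        fclose(log_file);
    }
    free(log_file_name);
    if (file != NULL) {
        fclose(file);
    }
    free(file_path);
    return -1;
}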