1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
|
/*
* sfcBasicAuthentication.c
*
* © Copyright IBM Corp. 2005, 2007
*
* THIS FILE IS PROVIDED UNDER THE TERMS OF THE ECLIPSE PUBLIC LICENSE
* ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THIS FILE
* CONSTITUTES RECIPIENTS ACCEPTANCE OF THE AGREEMENT.
*
* You can obtain a current copy of the Eclipse Public License from
* http://www.opensource.org/licenses/eclipse-1.0.php
*
* Author: Adrian Schuur <schuur@de.ibm.com>
*
* Description:
*
* Basic Authentication exit.
*
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <string.h>
#ifdef HAVE_LIBSSL
#include <stdlib.h>
#include <openssl/x509.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/shm.h>
#include <errno.h>
#define MAX_PRINCIPAL 1000
#define MAX_CERTIFICATE 5000
#define NUM_CERTS 50
typedef struct cert_table {
size_t cert_length;
unsigned char cert_der[MAX_CERTIFICATE];
char cert_principal[MAX_PRINCIPAL];
} CERT_TABLE;
typedef struct _CertStore {
CERT_TABLE certs[NUM_CERTS];
size_t maxcert;
} CertStore_t;
CertStore_t * CertStore = NULL;
static int aquireSem();
static int releaseSem();
int _sfcCertificateAuthenticate(X509 *cert, char ** principal, int mode)
{
int i;
size_t der_buflen = 0;
unsigned char der_buf[MAX_CERTIFICATE];
unsigned char *der_bufp = der_buf;
#ifdef DEBUG
fprintf(stderr, "_sfcCertificateAuthenticate: mode = %d\n",mode);
#endif
if (cert && principal) {
der_buflen = i2d_X509(cert,&der_bufp);
if (der_buflen > 0 && der_buflen <= MAX_CERTIFICATE && aquireSem()) {
#ifdef DEBUG
fprintf(stderr, "_sfcCertificateAuthenticate: cert len = %d\n",der_buflen);
#endif
for (i=0; i < CertStore->maxcert; i++) {
if (CertStore->certs[i].cert_length == der_buflen &&
memcmp(CertStore->certs[i].cert_der,der_buf,der_buflen) == 0) {
if (mode == 0) {
*principal = CertStore->certs[i].cert_principal;
#ifdef DEBUG
fprintf(stderr, "_sfcCertificateAuthenticate: found cert\n");
#endif
return 1;
} else {
break;
}
}
}
if (mode == 1 && i < NUM_CERTS && *principal &&
strlen(*principal) < MAX_PRINCIPAL) {
CertStore->certs[i].cert_length = der_buflen;
memcpy(CertStore->certs[i].cert_der,der_buf,der_buflen);
strcpy(CertStore->certs[i].cert_principal,*principal);
CertStore->maxcert = i+1;
#ifdef DEBUG
fprintf(stderr, "_sfcCertificateAuthenticate: inserted cert\n");
#endif
return 1;
}
}
releaseSem();
}
#ifdef DEBUG
fprintf(stderr, "_sfcCertificateAuthenticate: failed\n");
#endif
return 0;
}
static int semId = -1;
static struct sembuf
sembP = {0,-1,SEM_UNDO},
sembVInitial = {0,1,0},
sembV = {0,1,SEM_UNDO};
static int aquireSem()
{
key_t semkey;
int memid;
if (semId == -1) {
/* try to create semaphore and shared memory segment */
semkey = ftok(SFCB_BINARY,'C');
semId = semget(semkey,1,IPC_CREAT|IPC_EXCL|0600);
if (semId >= 0) {
#ifdef DEBUG
fprintf(stderr,"sem value %d = %d\n",semId,semctl(semId,0,GETVAL));
#endif
/* successfully created semaphore - must create shared memory now */
memid = shmget(semkey,sizeof(CertStore_t),IPC_CREAT|IPC_EXCL|0600);
if (memid < 0 || (CertStore=shmat(memid,NULL,0))==NULL) {
/* problem: got semaphore, won't get shared mem */
#ifdef DEBUG
fprintf(stderr,"failed to allocate/attach shared memory 0: %s\n",
strerror(errno));
#endif
semctl(semId,0,IPC_RMID);
semId = -1;
return 0;
} else {
memset(CertStore,0,sizeof(CertStore_t));
/* Init completed. Release semaphore and compete with other processes.
* Necessary to make sure that the semaphore stays in a sane state
* if the process is unexpectedly terminated.
*/
semop(semId,&sembVInitial,1);
}
} else {
#ifdef DEBUG
fprintf(stderr,"failed to aquire semaphore 0: %s(%d)\n",
strerror(errno), semId);
#endif
semId = semget(semkey,1,0);
if (semId < 0) {
#ifdef DEBUG
fprintf(stderr,"failed to aquire semaphore 1: %s (%d)\n",
strerror(errno),semId);
#endif
return 0;
} else {
#ifdef DEBUG
fprintf(stderr,"sem value %d = %d\n",semId,semctl(semId,0,GETVAL));
#endif
memid = shmget(semkey,sizeof(CertStore_t),0);
if (memid < 0 || (CertStore=shmat(memid,NULL,0))==NULL) {
/* problem: got semaphore, won't get shared mem */
#ifdef DEBUG
fprintf(stderr,"failed to allocate/attach shared memory 1: %s\n",
strerror(errno));
#endif
semctl(semId,0,IPC_RMID);
semId = -1;
return 0;
}
}
}
}
#ifdef DEBUG
fprintf(stderr,"aquire sem (%d)\n",semId);
#endif
if (semop(semId,&sembP,1)) {
#ifdef DEBUG
fprintf(stderr,"failed to aquire semaphore 2: %s (%d)\n",
strerror(errno),semId);
#endif
return 0;
}
return 1;
}
static int releaseSem()
{
if (semId >= 0) {
return (semop(semId,&sembV,1) == 0);
} else {
return 0;
}
}
#else
int _sfcCertificateAuthenticate(void *cert, char ** principal, int mode)
{
return 0;
}
#endif
|