Hello community, here is the log from the commit of package xrootd for openSUSE:Factory checked in at 2012-12-19 14:11:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xrootd (Old) and /work/SRC/openSUSE:Factory/.xrootd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xrootd", Maintainer is "" Changes: -------- --- /work/SRC/openSUSE:Factory/xrootd/xrootd.changes 2012-11-12 16:07:04.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.xrootd.new/xrootd.changes 2012-12-19 14:11:51.000000000 +0100 @@ -1,0 +2,13 @@ +Thu Dec 13 11:39:00 UTC 2012 - [email protected] + +- update to version 3.2.7 + * For OpenSSL versions prior to 1, make the 'default' and 'old' hash + algorithm result the same. This fixes Savannah bug #98997. + * Do not rebuild the full chain when the CRL is invalidated; also, make + sure that the invalid CRL object in only deleted when no longer in use. + Fixes bug #99074. + * Allow for null fields in the cgi string. + * Add missing return statement to avoid SEGV during write error recovery + under certain circumstances. Fixes bug #99002. + +------------------------------------------------------------------- Old: ---- xrootd-3.2.6.tar.gz New: ---- xrootd-3.2.7.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xrootd.spec ++++++ --- /var/tmp/diff_new_pack.dtiHqw/_old 2012-12-19 14:11:52.000000000 +0100 +++ /var/tmp/diff_new_pack.dtiHqw/_new 2012-12-19 14:11:52.000000000 +0100 @@ -17,7 +17,7 @@ Name: xrootd -Version: 3.2.6 +Version: 3.2.7 Release: 0 Summary: An eXtended Root Daemon (xrootd) License: BSD-3-Clause ++++++ xrootd-3.2.6.tar.gz -> xrootd-3.2.7.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xrootd-3.2.6/VERSION_INFO new/xrootd-3.2.7/VERSION_INFO --- old/xrootd-3.2.6/VERSION_INFO 2012-11-05 18:30:06.000000000 +0100 +++ new/xrootd-3.2.7/VERSION_INFO 2012-12-11 17:25:50.000000000 +0100 @@ -1,3 +1,3 @@ -RefNames: (v3.2.6, stable) -ShortHash: 1cec4f5 -Date: 2012-11-05 18:30:06 +0100 +RefNames: (v3.2.7, stable) +ShortHash: 7c01279 +Date: 2012-12-11 17:25:50 +0100 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xrootd-3.2.6/docs/ReleaseNotes.txt new/xrootd-3.2.7/docs/ReleaseNotes.txt --- old/xrootd-3.2.6/docs/ReleaseNotes.txt 2012-11-05 18:30:06.000000000 +0100 +++ new/xrootd-3.2.7/docs/ReleaseNotes.txt 2012-12-11 17:25:50.000000000 +0100 @@ -9,6 +9,21 @@ Version 3.2.6 ------------- + **Major bug fixes** + * For OpenSSL versions prior to 1, make the 'default' and 'old' hash + algorithm result the same. This fixes Savannah bug #98997. + * Do not rebuild the full chain when the CRL is invalidated; also, make + sure that the invalid CRL object in only deleted when no longer in use. + Fixes bug #99074. + ++ **Minor bug fixes** + * Allow for null fields in the cgi string. + * Add missing return statement to avoid SEGV during write error recovery + under certain circumstances. Fixes bug #99002. + +------------- +Version 3.2.6 +------------- ++ **Major bug fixes** * GSI authentication: fix possible race condition while re-loading CA certificates; fix also related memory leaks. * GSI authentication: make sure the CA cache is not initialized twice (e.g. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xrootd-3.2.6/src/XrdCrypto/XrdCryptosslX509.cc new/xrootd-3.2.7/src/XrdCrypto/XrdCryptosslX509.cc --- old/xrootd-3.2.6/src/XrdCrypto/XrdCryptosslX509.cc 2012-11-05 18:30:06.000000000 +0100 +++ new/xrootd-3.2.7/src/XrdCrypto/XrdCryptosslX509.cc 2012-12-11 17:25:50.000000000 +0100 @@ -182,7 +182,7 @@ } // Get certificate from BIO - if (!PEM_read_bio_X509(bmem,&cert,0,0)) { + if (!(cert = PEM_read_bio_X509(bmem,0,0,0))) { DEBUG("unable to read certificate to memory BIO"); return; } @@ -398,7 +398,7 @@ return (issueroldhash.length() > 0) ? issueroldhash.c_str() : (const char *)0; } #else - if (alg == 1) return (const char *)0; + if (alg == 1) { } #endif // If we do not have it already, try extraction @@ -444,7 +444,7 @@ return (subjectoldhash.length() > 0) ? subjectoldhash.c_str() : (const char *)0; } #else - if (alg == 1) return (const char *)0; + if (alg == 1) { } #endif // If we do not have it already, try extraction diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xrootd-3.2.6/src/XrdCrypto/XrdCryptosslX509Crl.cc new/xrootd-3.2.7/src/XrdCrypto/XrdCryptosslX509Crl.cc --- old/xrootd-3.2.6/src/XrdCrypto/XrdCryptosslX509Crl.cc 2012-11-05 18:30:06.000000000 +0100 +++ new/xrootd-3.2.7/src/XrdCrypto/XrdCryptosslX509Crl.cc 2012-12-11 17:25:50.000000000 +0100 @@ -477,7 +477,7 @@ return (issueroldhash.length() > 0) ? issueroldhash.c_str() : (const char *)0; } #else - if (alg == 1) return (const char *)0; + if (alg == 1) { } #endif // If we do not have it already, try extraction diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xrootd-3.2.6/src/XrdCrypto/XrdCryptosslX509Req.cc new/xrootd-3.2.7/src/XrdCrypto/XrdCryptosslX509Req.cc --- old/xrootd-3.2.6/src/XrdCrypto/XrdCryptosslX509Req.cc 2012-11-05 18:30:06.000000000 +0100 +++ new/xrootd-3.2.7/src/XrdCrypto/XrdCryptosslX509Req.cc 2012-12-11 17:25:50.000000000 +0100 @@ -183,7 +183,7 @@ return (subjectoldhash.length() > 0) ? subjectoldhash.c_str() : (const char *)0; } #else - if (alg == 1) return (const char *)0; + if (alg == 1) { } #endif // If we do not have it already, try extraction diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xrootd-3.2.6/src/XrdOuc/XrdOucEnv.cc new/xrootd-3.2.7/src/XrdOuc/XrdOucEnv.cc --- old/xrootd-3.2.6/src/XrdOuc/XrdOucEnv.cc 2012-11-05 18:30:06.000000000 +0100 +++ new/xrootd-3.2.7/src/XrdOuc/XrdOucEnv.cc 2012-12-11 17:25:50.000000000 +0100 @@ -26,21 +26,24 @@ if (!vardata) {global_env = 0; global_len = 0; return;} -// Copy the the global information (don't rely on its being correct) +// Allocate storage for the global information (don't rely on its being correct) // if (!varlen) varlen = strlen(vardata); global_env = (char *)malloc(varlen+2); global_len = varlen; - if (*vardata == '&') vdp = global_env; - else {*global_env = '&'; vdp = global_env+1;} + +// We want our env copy to start with a single ampersand +// + while(*vardata == '&' && varlen) {vardata++; varlen--;} + if (!varlen) {global_env = 0; global_len = 0; return;} + *global_env = '&'; vdp = global_env+1; memcpy((void *)vdp, (const void *)vardata, (size_t)varlen); *(vdp+varlen) = '\0'; - vdp = global_env; // scan through the string looking for '&' // - if (vdp) while(*vdp) - {if (*vdp != '&') {vdp++; continue;} // &.... - varname = ++vdp; + while(*vdp) + {while(*vdp == '&') vdp++; + varname = vdp; while(*vdp && *vdp != '=') vdp++; // &....= if (!*vdp) break; @@ -53,7 +56,7 @@ if (*varname && *varvalu) env_Hash.Rep(varname, strdup(varvalu), 0, Hash_dofree); - *vdp = varsave; *(--varvalu) = '='; + *vdp = varsave; *(varvalu-1) = '='; } return; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xrootd-3.2.6/src/XrdSecgsi/XrdSecProtocolgsi.cc new/xrootd-3.2.7/src/XrdSecgsi/XrdSecProtocolgsi.cc --- old/xrootd-3.2.6/src/XrdSecgsi/XrdSecProtocolgsi.cc 2012-11-05 18:30:06.000000000 +0100 +++ new/xrootd-3.2.7/src/XrdSecgsi/XrdSecProtocolgsi.cc 2012-12-11 17:25:50.000000000 +0100 @@ -159,6 +159,9 @@ XrdSutCache XrdSecProtocolgsi::cacheGMAPFun; // Entries mapped by GMAPFun XrdSutCache XrdSecProtocolgsi::cacheAuthzFun; // Entities filled by AuthzFun // +// CRL stack +GSICrlStack XrdSecProtocolgsi::stackCRL; // Stack of CRL in use +// // GMAP control vars time_t XrdSecProtocolgsi::lastGMAPCheck = -1; // Time of last check XrdSysMutex XrdSecProtocolgsi::mutexGMAP; // Mutex to control GMAP reloads @@ -1445,14 +1448,16 @@ issuerHash += "|"; issuerHash += c->SubjectHash(1); } } else { issuerHash = c->IssuerHash(); - if (HashCompatibility && c->IssuerHash(1)) { + if (HashCompatibility && c->IssuerHash(1) + && strcmp(c->IssuerHash(1),c->IssuerHash())) { issuerHash += "|"; issuerHash += c->IssuerHash(1); } } while ((c = hs->PxyChain->Next()) != 0) { if (c->type != XrdCryptoX509::kCA) break; issuerHash = c->SubjectHash(); - if (HashCompatibility && c->SubjectHash(1)) { + if (HashCompatibility && c->SubjectHash(1) + && strcmp(c->IssuerHash(1),c->IssuerHash())) { issuerHash += "|"; issuerHash += c->SubjectHash(1); } } @@ -3823,7 +3828,6 @@ } // Get the CA hash -// String cahash = xca->SubjectHash(); String cahash(subjhash); int hashalg = 0; if (strcmp(subjhash, xca->SubjectHash())) hashalg = 1; @@ -4065,10 +4069,16 @@ // We need to load the issuer(s) CA(s) XrdCryptoX509 *xd = xc; while (notdone) { - inam = GetCApath(xd->IssuerHash()); - if (inam.length() <= 0) break; - X509Chain *ch = new X509Chain(); - int ncis = (*ParseFile)(inam.c_str(), ch); + X509Chain *ch = 0; + int ncis = -1; + for (int ha = 0; ha < 2; ha++) { + inam = GetCApath(xd->IssuerHash(ha)); + if (inam.length() <= 0) continue; + ch = new X509Chain(); + ncis = (*ParseFile)(inam.c_str(), ch); + if (ncis >= 1) break; + SafeDelete(ch); + } if (ncis < 1) break; XrdCryptoX509 *xi = ch->Begin(); while (xi) { @@ -4165,17 +4175,19 @@ // If found, we are done if (cent) { + if (hs) hs->Chain = (X509Chain *)(cent->buf1.buf); + XrdCryptoX509Crl *crl = (XrdCryptoX509Crl *)(cent->buf2.buf); if ((CRLRefresh <= 0) || ((timestamp - cent->mtime) < CRLRefresh)) { - if (hs) { - hs->Chain = (X509Chain *)(cent->buf1.buf); - hs->Crl = (XrdCryptoX509Crl *)(cent->buf2.buf); - } + if (hs) hs->Crl = crl; + // Add to the stack for proper cleaning of invalidated CRLs + stackCRL.Add(crl); return 0; } else { PRINT("entry for '"<<tag<<"' needs refreshing: clean the related entry cache first"); - // Entry needs refreshing - delete (X509Chain *)(cent->buf1.buf); cent->buf1.buf = 0; - delete (XrdCryptoX509Crl *)(cent->buf2.buf); cent->buf2.buf = 0; + // Entry needs refreshing: we remove it from the stack, so it gets deleted when + // the last handshake using it is over + stackCRL.Del(crl); + cent->buf2.buf = 0; if (!cacheCA.Remove(tag.c_str())) { PRINT("problems removing entry from CA cache"); return -1; @@ -4191,17 +4203,18 @@ String fnam = GetCApath(cahash); DEBUG("trying to load CA certificate from "<<fnam); - // Create chain - X509Chain *chain = new X509Chain(); - if (!chain ) { - PRINT("could not create new GSI chain"); + // Create chain ? + bool createchain = (hs && hs->Chain) ? 0 : 1; + X509Chain *chain = (createchain) ? new X509Chain() : hs->Chain; + if (!chain) { + PRINT("could not attach-to or create new GSI chain"); return -1; } // Get the parse function XrdCryptoX509ParseFile_t ParseFile = cf->X509ParseFile(); if (ParseFile) { - int nci = (*ParseFile)(fnam.c_str(), chain); + int nci = (createchain) ? (*ParseFile)(fnam.c_str(), chain) : 1; bool ok = 0, verified = 0; if (nci == 1) { // Verify the CA @@ -4234,6 +4247,7 @@ if (crl) { cent->buf2.buf = (char *)(crl); cent->buf2.len = 0; // Just a flag + stackCRL.Add(crl); } cent->mtime = timestamp; cent->status = kPFE_ok; @@ -4246,6 +4260,7 @@ if (strcmp(cahash, chain->Begin()->SubjectHash())) hs->HashAlg = 1; } } else { + SafeDelete(crl); return -2; } } else { @@ -5227,7 +5242,7 @@ if ((rcgetca = GetCA(xsrv->IssuerHash(), cf)) != 0) { String emsg(xsrv->IssuerHash()); // Try different name hash, if it makes sense - if (xsrv->IssuerHash(1)) { + if (strcmp(xsrv->IssuerHash(1), xsrv->IssuerHash(0))) { if ((rcgetca = GetCA(xsrv->IssuerHash(1), cf)) != 0) { emsg += "|"; emsg += xsrv->IssuerHash(1); @@ -5270,7 +5285,8 @@ certcalist += xsrv->IssuerHash(); } // Save also old CA hash in list to communicate to clients, if relevant - if (HashCompatibility && xsrv->IssuerHash(1)) { + if (HashCompatibility && xsrv->IssuerHash(1) && + strcmp(xsrv->IssuerHash(1),xsrv->IssuerHash())) { if (certcalist.find(xsrv->IssuerHash(1)) == STR_NPOS) { if (certcalist.length() > 0) certcalist += "|"; certcalist += xsrv->IssuerHash(1); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xrootd-3.2.6/src/XrdSecgsi/XrdSecProtocolgsi.hh new/xrootd-3.2.7/src/XrdSecgsi/XrdSecProtocolgsi.hh --- old/xrootd-3.2.6/src/XrdSecgsi/XrdSecProtocolgsi.hh 2012-11-05 18:30:06.000000000 +0100 +++ new/xrootd-3.2.7/src/XrdSecgsi/XrdSecProtocolgsi.hh 2012-12-11 17:25:50.000000000 +0100 @@ -9,6 +9,7 @@ #include <time.h> #include "XrdOuc/XrdOucErrInfo.hh" +#include "XrdOuc/XrdOucHash.hh" #include "XrdSys/XrdSysPthread.hh" #include "XrdOuc/XrdOucString.hh" #include "XrdOuc/XrdOucTokenizer.hh" @@ -183,45 +184,7 @@ }; class XrdSecProtocolgsi; -class gsiHSVars { -public: - int Iter; // iteration number - time_t TimeStamp; // Time of last call - String CryptoMod; // crypto module in use - int RemVers; // Version run by remote counterpart - XrdCryptoCipher *Rcip; // reference cipher - XrdSutBucket *Cbck; // Bucket with the certificate in export form - String ID; // Handshake ID (dummy for clients) - XrdSutPFEntry *Cref; // Cache reference - XrdSutPFEntry *Pent; // Pointer to relevant file entry - X509Chain *Chain; // Chain to be eventually verified - XrdCryptoX509Crl *Crl; // Pointer to CRL, if required - X509Chain *PxyChain; // Proxy Chain on clients - bool RtagOK; // Rndm tag checked / not checked - bool Tty; // Terminal attached / not attached - int LastStep; // Step required at previous iteration - int Options; // Handshake options; - int HashAlg; // Hash algorithm of peer hash name; - XrdSutBuffer *Parms; // Buffer with server parms on first iteration - - gsiHSVars() { Iter = 0; TimeStamp = -1; CryptoMod = ""; - RemVers = -1; Rcip = 0; - Cbck = 0; - ID = ""; Cref = 0; Pent = 0; Chain = 0; Crl = 0; PxyChain = 0; - RtagOK = 0; Tty = 0; LastStep = 0; Options = 0; HashAlg = 0; Parms = 0;} - - ~gsiHSVars() { SafeDelete(Cref); - if (Options & kOptsDelChn) { - // Do not delete the CA certificate in the cached reference - if (Chain) Chain->Cleanup(1); - SafeDelete(Chain); - } - // The proxy chain is owned by the proxy cache; invalid proxies are - // detected (and eventually removed) by QueryProxy - PxyChain = 0; - SafeDelete(Parms); } - void Dump(XrdSecProtocolgsi *p = 0); -}; +class gsiHSVars; // From a proxy query typedef struct { @@ -241,6 +204,28 @@ int bits; } ProxyIn_t; + +class GSICrlStack { +public: + void Add(XrdCryptoX509Crl *crl) { + char k[40]; snprintf(k, 40, "%p", crl); + mtx.Lock(); + if (!stack.Find(k)) stack.Add(k, crl, 0, Hash_count); + stack.Add(k, crl, 0, Hash_count); + mtx.UnLock(); + } + void Del(XrdCryptoX509Crl *crl) { + char k[40]; snprintf(k, 40, "%p", crl); + mtx.Lock(); + if (stack.Find(k)) stack.Del(k, Hash_count); + mtx.UnLock(); + } +private: + XrdSysMutex mtx; + XrdOucHash<XrdCryptoX509Crl> stack; +}; + + /******************************************************************************/ /* X r d S e c P r o t o c o l g s i C l a s s */ /******************************************************************************/ @@ -248,6 +233,7 @@ class XrdSecProtocolgsi : public XrdSecProtocol { friend class gsiOptions; +friend class gsiHSVars; public: int Authenticate (XrdSecCredentials *cred, XrdSecParameters **parms, @@ -342,6 +328,9 @@ static XrdSutCache cacheGMAPFun; // Cache for entries mapped by GMAPFun static XrdSutCache cacheAuthzFun; // Cache for entities filled by AuthzFun // + // CRL stack + static GSICrlStack stackCRL; // Stack of CRL in use + // // GMAP control vars static time_t lastGMAPCheck; // time of last check on GMAP static XrdSysMutex mutexGMAP; // mutex to control GMAP reloads @@ -454,3 +443,49 @@ // VOMS parsing void ExtractVOMS(X509Chain *c, XrdSecEntity &ent); }; + +class gsiHSVars { +public: + int Iter; // iteration number + time_t TimeStamp; // Time of last call + String CryptoMod; // crypto module in use + int RemVers; // Version run by remote counterpart + XrdCryptoCipher *Rcip; // reference cipher + XrdSutBucket *Cbck; // Bucket with the certificate in export form + String ID; // Handshake ID (dummy for clients) + XrdSutPFEntry *Cref; // Cache reference + XrdSutPFEntry *Pent; // Pointer to relevant file entry + X509Chain *Chain; // Chain to be eventually verified + XrdCryptoX509Crl *Crl; // Pointer to CRL, if required + X509Chain *PxyChain; // Proxy Chain on clients + bool RtagOK; // Rndm tag checked / not checked + bool Tty; // Terminal attached / not attached + int LastStep; // Step required at previous iteration + int Options; // Handshake options; + int HashAlg; // Hash algorithm of peer hash name; + XrdSutBuffer *Parms; // Buffer with server parms on first iteration + + gsiHSVars() { Iter = 0; TimeStamp = -1; CryptoMod = ""; + RemVers = -1; Rcip = 0; + Cbck = 0; + ID = ""; Cref = 0; Pent = 0; Chain = 0; Crl = 0; PxyChain = 0; + RtagOK = 0; Tty = 0; LastStep = 0; Options = 0; HashAlg = 0; Parms = 0;} + + ~gsiHSVars() { SafeDelete(Cref); + if (Options & kOptsDelChn) { + // Do not delete the CA certificate in the cached reference + if (Chain) Chain->Cleanup(1); + SafeDelete(Chain); + } + if (Crl) { + // This decreases the counter and actually deletes the object only + // when no instance is using it + XrdSecProtocolgsi::stackCRL.Del(Crl); + Crl = 0; + } + // The proxy chain is owned by the proxy cache; invalid proxies are + // detected (and eventually removed) by QueryProxy + PxyChain = 0; + SafeDelete(Parms); } + void Dump(XrdSecProtocolgsi *p = 0); +}; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xrootd-3.2.6/src/XrdXrootd/XrdXrootdXeq.cc new/xrootd-3.2.7/src/XrdXrootd/XrdXrootdXeq.cc --- old/xrootd-3.2.6/src/XrdXrootd/XrdXrootdXeq.cc 2012-11-05 18:30:06.000000000 +0100 +++ new/xrootd-3.2.7/src/XrdXrootd/XrdXrootdXeq.cc 2012-12-11 17:25:50.000000000 +0100 @@ -2347,7 +2347,7 @@ // Send our the error message and return // - if (!myFile) + if (!myFile) return Response.Send(kXR_FileNotOpen,"write does not refer to an open file"); if (myEInfo[0]) return fsError(myEInfo[0], 0, myFile->XrdSfsp->error, 0); return Response.Send(kXR_FSError, myFile->XrdSfsp->error.getErrText()); -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
