Validate top-level group and other patches from OSG

Include patch from Brian Bockelman and Matyas Selmeci from here: https://github.com/opensciencegrid/Software-Redhat/blob/trunk/voms/osg/Validate-top-level-group-of-VOMS-attribute-also-acce.patch https://raw.githubusercontent.com/opensciencegrid/Software-Redhat/trunk/voms/osg/Make-RFC-proxies-by-default-SOFTWARE-2381.patch https://github.com/opensciencegrid/Software-Redhat/blob/trunk/voms/osg/Disable-TLS-1.1-and-older-openssl-1.0.2.patch https://github.com/opensciencegrid/Software-Redhat/blob/trunk/voms/osg/Disable-weak-ciphers.patch
italiangrid · Sep 24, 2020 · feeaed1 · feeaed1
1 parent 601fa2e
commit feeaed1
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 10 deletions.
diff --git a/src/ac/validate.cc b/src/ac/validate.cc
@@ -150,7 +150,7 @@ std::string get_error(int e)
     return "VOMS Server contact data missing from AC.";
     break;
   case AC_ERR_ATTRIB_FQAN:
-    return "VOMS Attributes absent or misformed.";
+    return "VOMS Attributes absent or malformed.";
     break;
   case AC_ERR_EXTS_ABSENT:
     return "Required AC extensions missing (NoRevAvail and AuthorityKeyIdentifier)";
@@ -430,6 +430,8 @@ static int checkAttributes(STACK_OF(AC_ATTR) *atts, voms &v)
   else
     return AC_ERR_ATTRIB_URI;
 
+  std::string top_group = "/" + v.voname;
+
   /* scan the stack of IETFATTRVAL to put attribute in voms struct */
   for (int i=0; i<sk_AC_IETFATTRVAL_num(values); i++) {
     capname = sk_AC_IETFATTRVAL_value(values, i);
@@ -438,6 +440,18 @@ static int checkAttributes(STACK_OF(AC_ATTR) *atts, voms &v)
       return AC_ERR_ATTRIB_FQAN;
 
     std::string str  = std::string((char*)capname->data, capname->length);
+    std::string::size_type top_group_size = top_group.size();
+    std::string::size_type str_size = str.size();
+
+    /* The top level group name must be identical to the VO name.
+       An attribute may end right after the group name, or may continue on
+       (separated by a "/"). */
+    if (str.compare(0, top_group_size, top_group)) {
+      return AC_ERR_ATTRIB_FQAN;
+    }
+    else if (str_size > top_group_size && str[top_group_size] != '/') {
+      return AC_ERR_ATTRIB_FQAN;
+    }
 
     v.fqan.push_back(str);
 

diff --git a/src/client/vomsclient.cc b/src/client/vomsclient.cc
@@ -438,15 +438,9 @@ Client::Client(int argc, char ** argv) :
     exit(1);
   }
   else if (proxyver==0) {
-    if (version<30)
-      proxyver = 2;
-    else if (version < 40)
-      proxyver = 3;
-    else
-      proxyver = 4;
+    proxyver = 4;
 
-    Print(DEBUG) << "Unspecified proxy version, settling on Globus version: " 
-                 << proxyver << std::endl;
+    Print(DEBUG) << "Unspecified proxy version, settling on version 4 (RFC)" << std::endl;
   }
 
   /* PCI extension option */ 

diff --git a/src/socklib/Server.cpp b/src/socklib/Server.cpp
@@ -321,12 +321,16 @@ GSISocketServer::AcceptGSIAuthentication()
   SSL_CTX_load_verify_locations(ctx, NULL, cacertdir);
   SSL_CTX_use_certificate(ctx, ucert);
   SSL_CTX_use_PrivateKey(ctx,upkey);
-  SSL_CTX_set_cipher_list(ctx, "ALL:!LOW:!EXP:!MD5:!MD2");    
+  SSL_CTX_set_cipher_list(ctx, "ALL:!LOW:!EXP:!MD5:!MD2:!3DES:!RC4:!IDEA");
   SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY);
   SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
   SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, proxy_verify_callback);
   SSL_CTX_set_verify_depth(ctx, 100);
   SSL_CTX_set_cert_verify_callback(ctx, proxy_app_verify_callback, 0);
+  if (!SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1)) {
+    SetErrorOpenSSL("Cannot set minimum TLS protocol version");
+    goto err;
+  }
 
   if (own_stack) {
     /*