XRootD
Loading...
Searching...
No Matches
Classes | Public Types | Public Member Functions | Static Public Member Functions | Static Public Attributes | List of all members
XrdTlsContext Class Reference

#include <XrdTlsContext.hh>

+ Collaboration diagram for XrdTlsContext:

Classes

struct  CTX_Params
 

Public Types

enum  ClientAuthSetting {
  kOn ,
  kOff
}
 

Public Member Functions

 XrdTlsContext (const char *cert=0, const char *key=0, const char *cadir=0, const char *cafile=0, uint64_t opts=0, std::string *eMsg=0)
 
 XrdTlsContext (const XrdTlsContext &ctx)=delete
 Disallow any copies of this object.
 
 XrdTlsContext (XrdTlsContext &&ctx)=delete
 
 ~XrdTlsContext ()
 Destructor.
 
XrdTlsContextClone (bool full=true, bool startCRLRefresh=false)
 
void * Context ()
 
const CTX_ParamsGetParams ()
 
bool isOK ()
 
bool newHostCertificateDetected ()
 
XrdTlsContextoperator= (const XrdTlsContext &ctx)=delete
 
XrdTlsContextoperator= (XrdTlsContext &&ctx)=delete
 
void * Session ()
 
int SessionCache (int opts=scNone, const char *id=0, int idlen=0)
 
bool SetContextCiphers (const char *ciphers)
 
bool SetCrlRefresh (int refsec=-1)
 
bool SetTlsClientAuth (ClientAuthSetting setting)
 
bool x509Verify ()
 

Static Public Member Functions

static const char * Init ()
 
static void SetDefaultCiphers (const char *ciphers)
 

Static Public Attributes

static const uint64_t artON = 0x0000002000000000
 Auto retry Handshake.
 
static const uint64_t crlFC = 0x000000C000000000
 Full crl chain checking.
 
static const uint64_t crlON = 0x0000008000000000
 Enables crl checking.
 
static const uint64_t crlRF = 0x00000000ffff0000
 Mask to isolate crl refresh in min.
 
static const int crlRS = 16
 Bits to shift vdept.
 
static const int DEFAULT_CRL_REF_INT_SEC = 8 * 60 * 60
 Default CRL refresh interval in seconds.
 
static const uint64_t dnsok = 0x0000000200000000
 Trust DNS for host name.
 
static const uint64_t hsto = 0x00000000000000ff
 Mask to isolate the hsto.
 
static const uint64_t logVF = 0x0000000800000000
 Log verify failures.
 
static const uint64_t nopxy = 0x0000000100000000
 Do not allow proxy certs.
 
static const uint64_t rfCRL = 0x0000004000000000
 Turn on the CRL refresh thread.
 
static const int scClnt = 0x00040000
 Turn on cache client mode.
 
static const int scFMax = 0x00007fff
 
static const int scIdErr = 0x80000000
 Info: Id not set, is too long.
 
static const int scKeep = 0x40000000
 Info: TLS-controlled flush disabled.
 
static const int scNone = 0x00000000
 Do not change any option settings.
 
static const int scOff = 0x00010000
 Turn off cache.
 
static const int scSrvr = 0x00020000
 Turn on cache server mode (default)
 
static const uint64_t servr = 0x0000000400000000
 This is a server context.
 
static const int vdepS = 8
 Bits to shift vdept.
 
static const uint64_t vdept = 0x000000000000ff00
 Mask to isolate vdept.
 

Detailed Description

Definition at line 36 of file XrdTlsContext.hh.

Member Enumeration Documentation

◆ ClientAuthSetting

enum XrdTlsContext::ClientAuthSetting
Enumerator
kOn 
kOff 

Definition at line 176 of file XrdTlsContext.hh.

176 {
177 kOn,
178 kOff,
179};

Constructor & Destructor Documentation

◆ XrdTlsContext() [1/3]

XrdTlsContext::XrdTlsContext ( const char * cert = 0,
const char * key = 0,
const char * cadir = 0,
const char * cafile = 0,
uint64_t opts = 0,
std::string * eMsg = 0 )

Definition at line 581 of file XrdTlsContext.cc.

584 : pImpl( new XrdTlsContextImpl(this) )
585{
586 class ctx_helper
587 {public:
588
589 void Keep() {ctxLoc = 0;}
590
591 ctx_helper(SSL_CTX **ctxP) : ctxLoc(ctxP) {}
592 ~ctx_helper() {if (ctxLoc && *ctxLoc)
593 {SSL_CTX_free(*ctxLoc); *ctxLoc = 0;}
594 }
595 private:
596 SSL_CTX **ctxLoc;
597 } ctx_tracker(&pImpl->ctx);
598
599 pImpl->opts = opts;
600
601 static const uint64_t sslOpts = SSL_OP_ALL
602 | SSL_OP_NO_SSLv2
603 | SSL_OP_NO_SSLv3
604 | SSL_OP_NO_COMPRESSION
605#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
606 | SSL_OP_IGNORE_UNEXPECTED_EOF
607#endif
608#if OPENSSL_VERSION_NUMBER >= 0x10101000L
609 | SSL_OP_NO_RENEGOTIATION
610#endif
611 ;
612
613 std::string certFN, eText;
614 const char *emsg;
615
616// Assume we will fail
617//
618 pImpl->ctx = 0;
619
620// Verify that initialzation has occurred. This is not heavy weight as
621// there will usually be no more than two instances of this object.
622//
623 if (!initDbgDone)
624 {XrdSysMutexHelper dbgHelper(dbgMutex);
625 if (!initDbgDone)
626 {const char *dbg;
627 if (!(opts & servr) && (dbg = getenv("XRDTLS_DEBUG")))
628 {int dbgOpts = 0;
629 if (strstr(dbg, "ctx")) dbgOpts |= XrdTls::dbgCTX;
630 if (strstr(dbg, "sok")) dbgOpts |= XrdTls::dbgSOK;
631 if (strstr(dbg, "sio")) dbgOpts |= XrdTls::dbgSIO;
632 if (!dbgOpts) dbgOpts = XrdTls::dbgALL;
633 XrdTls::SetDebug(dbgOpts|XrdTls::dbgOUT);
634 }
635 if ((emsg = Init())) FATAL(emsg);
636 initDbgDone = true;
637 }
638 }
639
640// If no CA cert information is specified and this is not a server context,
641// then get the paths from the environment. They must exist as we need to
642// verify peer certs in order to verify target host names client-side. We
643// also use this setupt to see if we should use a specific cert and key.
644//
645 if (!(opts & servr))
646 {if (!caDir && !caFile)
647 {caDir = getenv("X509_CERT_DIR");
648 caFile = getenv("X509_CERT_FILE");
649 if (!caDir && !caFile)
650 FATAL("No CA cert specified; host identity cannot be verified.");
651 }
652 if (!key) key = getenv("X509_USER_KEY");
653 if (!cert) cert = getenv("X509_USER_PROXY");
654 if (!cert)
655 {struct stat Stat;
656 long long int uid = static_cast<long long int>(getuid());
657 certFN = std::string("/tmp/x509up_u") + std::to_string(uid);
658 if (!stat(certFN.c_str(), &Stat)) cert = certFN.c_str();
659 }
660 }
661
662// Before we try to use any specified files, make sure they exist, are of
663// the right type and do not have excessive access privileges.
664// .a
665 if (!VerPaths(cert, key, caDir, caFile, eText)) FATAL( eText.c_str());
666
667// Copy parameters to out parm structure.
668//
669 if (cert) {
670 pImpl->Parm.cert = cert;
671 //This call should not fail as a stat is already performed in the call of VerPaths() above
672 XrdOucUtils::getModificationTime(pImpl->Parm.cert.c_str(),pImpl->lastCertModTime);
673 }
674 if (key) pImpl->Parm.pkey = key;
675 if (caDir) pImpl->Parm.cadir = caDir;
676 if (caFile) pImpl->Parm.cafile = caFile;
677 pImpl->Parm.opts = opts;
678 if (opts & crlRF) {
679 // What we store in crlRF is the time in minutes, convert it back to seconds
680 pImpl->Parm.crlRT = static_cast<int>((opts & crlRF) >> crlRS) * 60;
681 }
682
683// Get the correct method to use for TLS and check if successful create a
684// server context that uses the method.
685//
686 const SSL_METHOD *meth;
687 emsg = GetTlsMethod(meth);
688 if (emsg) FATAL(emsg);
689
690 pImpl->ctx = SSL_CTX_new(meth);
691
692// Make sure we have a context here
693//
694 if (pImpl->ctx == 0) FATAL_SSL("Unable to allocate TLS context!");
695
696// Always prohibit SSLv2 & SSLv3 as these are not secure.
697//
698 SSL_CTX_set_options(pImpl->ctx, sslOpts);
699
700// Handle session re-negotiation automatically
701//
702// SSL_CTX_set_mode(pImpl->ctx, sslMode);
703
704// Turn off the session cache as it's useless with peer cert chains
705//
706 SSL_CTX_set_session_cache_mode(pImpl->ctx, SSL_SESS_CACHE_OFF);
707
708// Establish the CA cert locations, if specified. Then set the verification
709// depth and turn on peer cert validation. For now, we don't set a callback.
710// In the future we may to grab debugging information.
711//
712 if (caDir || caFile)
713 {if (!SSL_CTX_load_verify_locations(pImpl->ctx, caFile, caDir))
714 FATAL_SSL("Unable to load the CA cert file or directory.");
715
716 int vDepth = (opts & vdept) >> vdepS;
717 SSL_CTX_set_verify_depth(pImpl->ctx, (vDepth ? vDepth : 9));
718
719 bool LogVF = (opts & logVF) != 0;
720 SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_PEER, (LogVF ? VerCB : 0));
721
722 unsigned long xFlags = (opts & nopxy ? 0 : X509_V_FLAG_ALLOW_PROXY_CERTS);
723 if (opts & crlON)
724 {xFlags |= X509_V_FLAG_CRL_CHECK;
725 if (opts & crlFC) xFlags |= X509_V_FLAG_CRL_CHECK_ALL;
726 }
727 if (opts) X509_STORE_set_flags(SSL_CTX_get_cert_store(pImpl->ctx),xFlags);
728 } else {
729 SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_NONE, 0);
730 }
731
732// Set cipher list
733//
734 if (!SSL_CTX_set_cipher_list(pImpl->ctx, sslCiphers))
735 FATAL_SSL("Unable to set SSL cipher list; no supported ciphers.");
736
737// If we need to enable eliptic-curve support, do so now. Note that for
738// OpenSSL 1.1.0+ this is automatically done for us.
739//
740#if SSL_CTRL_SET_ECDH_AUTO
741 SSL_CTX_set_ecdh_auto(pImpl->ctx, 1);
742#endif
743
744// We normally handle renegotiation during reads and writes or selective
745// prohibit on a SSL socket basis. The calle may request this be applied
746// to all SSL's generated from this context. If so, do it here.
747//
748 if (opts & artON) SSL_CTX_set_mode(pImpl->ctx, SSL_MODE_AUTO_RETRY);
749
750// If there is no cert then assume this is a generic context for a client
751//
752 if (cert == 0)
753 {ctx_tracker.Keep();
754 return;
755 }
756
757// We have a cert. If the key is missing then we assume the key is in the
758// cert file (ssl will complain if it isn't).
759//
760 if (!key) key = cert;
761
762// Load certificate
763//
764 if (SSL_CTX_use_certificate_chain_file(pImpl->ctx, cert) != 1)
765 FATAL_SSL("Unable to create TLS context; invalid certificate.");
766
767// Load the private key
768//
769 if (SSL_CTX_use_PrivateKey_file(pImpl->ctx, key, SSL_FILETYPE_PEM) != 1 )
770 FATAL_SSL("Unable to create TLS context; invalid private key.");
771
772// Make sure the key and certificate file match.
773//
774 if (SSL_CTX_check_private_key(pImpl->ctx) != 1 )
775 FATAL_SSL("Unable to create TLS context; cert-key mismatch.");
776
777// All went well, start the CRL refresh thread and keep the context.
778//
779 if(opts & rfCRL) {
780 SetCrlRefresh();
781 }
782 ctx_tracker.Keep();
783}
Stat
struct stat Stat
Definition XrdCks.cc:49
stat
#define stat(a, b)
Definition XrdPosix.hh:101
opts
struct myOpts opts
emsg
int emsg(int rc, char *msg)
Definition XrdSectestServer.cc:309
FATAL_SSL
#define FATAL_SSL(msg)
Definition XrdTlsContext.cc:579
FATAL
#define FATAL(msg)
Definition XrdTlsContext.cc:577
XrdOucUtils::getModificationTime
static int getModificationTime(const char *path, time_t &modificationTime)
Definition XrdOucUtils.cc:1433
XrdTlsContext::vdept
static const uint64_t vdept
Mask to isolate vdept.
Definition XrdTlsContext.hh:251
XrdTlsContext::crlRS
static const int crlRS
Bits to shift vdept.
Definition XrdTlsContext.hh:261
XrdTlsContext::servr
static const uint64_t servr
This is a server context.
Definition XrdTlsContext.hh:254
XrdTlsContext::rfCRL
static const uint64_t rfCRL
Turn on the CRL refresh thread.
Definition XrdTlsContext.hh:257
XrdTlsContext::nopxy
static const uint64_t nopxy
Do not allow proxy certs.
Definition XrdTlsContext.hh:256
XrdTlsContext::logVF
static const uint64_t logVF
Log verify failures.
Definition XrdTlsContext.hh:253
XrdTlsContext::crlFC
static const uint64_t crlFC
Full crl chain checking.
Definition XrdTlsContext.hh:259
XrdTlsContext::crlON
static const uint64_t crlON
Enables crl checking.
Definition XrdTlsContext.hh:258
XrdTlsContext::artON
static const uint64_t artON
Auto retry Handshake.
Definition XrdTlsContext.hh:262
XrdTlsContext::vdepS
static const int vdepS
Bits to shift vdept.
Definition XrdTlsContext.hh:252
XrdTlsContext::Init
static const char * Init()
Definition XrdTlsContext.cc:865
XrdTlsContext::SetCrlRefresh
bool SetCrlRefresh(int refsec=-1)
Definition XrdTlsContext.cc:1069
XrdTlsContext::crlRF
static const uint64_t crlRF
Mask to isolate crl refresh in min.
Definition XrdTlsContext.hh:260
XrdTls::dbgSIO
static const int dbgSIO
Turn debugging in for socket I/O.
Definition XrdTls.hh:102
XrdTls::dbgSOK
static const int dbgSOK
Turn debugging in for socket operations.
Definition XrdTls.hh:101
XrdTls::dbgOUT
static const int dbgOUT
Force msgs to stderr for easier client debug.
Definition XrdTls.hh:104
XrdTls::dbgALL
static const int dbgALL
Turn debugging for everything.
Definition XrdTls.hh:103
XrdTls::dbgCTX
static const int dbgCTX
Turn debugging in for context operations.
Definition XrdTls.hh:100
XrdTls::SetDebug
static void SetDebug(int opts, XrdSysLogger *logP=0)
Definition XrdTls.cc:177

References artON, crlFC, crlON, crlRF, crlRS, XrdTls::dbgALL, XrdTls::dbgCTX, XrdTls::dbgOUT, XrdTls::dbgSIO, XrdTls::dbgSOK, eMsg, emsg(), FATAL, FATAL_SSL, XrdOucUtils::getModificationTime(), Init(), logVF, nopxy, opts, rfCRL, servr, SetCrlRefresh(), XrdTls::SetDebug(), Stat, stat, vdepS, and vdept.

Referenced by XrdTlsContext(), XrdTlsContext(), Clone(), operator=(), operator=(), and Session().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ ~XrdTlsContext()

XrdTlsContext::~XrdTlsContext ( )

Destructor.

Definition at line 789 of file XrdTlsContext.cc.

790{
791// We can delet eour implementation of there is no refresh thread running. If
792// there is then the refresh thread has to delete the implementation.
793//
794 if (pImpl->crlRunning | pImpl->flsRunning)
795 {pImpl->crlMutex.WriteLock();
796 pImpl->owner = 0;
797 pImpl->crlMutex.UnLock();
798 } else delete pImpl;
799}

◆ XrdTlsContext() [2/3]

XrdTlsContext::XrdTlsContext ( const XrdTlsContext & ctx)
delete

Disallow any copies of this object.

References XrdTlsContext().

+ Here is the call graph for this function:

◆ XrdTlsContext() [3/3]

XrdTlsContext::XrdTlsContext ( XrdTlsContext && ctx)
delete

References XrdTlsContext().

+ Here is the call graph for this function:

Member Function Documentation

◆ Clone()

XrdTlsContext * XrdTlsContext::Clone ( bool full = true,
bool startCRLRefresh = false )

Clone a new context from this context.

Parameters
fullWhen true the complete context is cloned. When false, a context with no peer verification is cloned.
Returns
Upon success, the pointer to a new XrdTlsContext is returned. Upon failure, a nil pointer is returned.
Note
The cloned context is identical to the one created by the original constructor. Note that while the crl refresh interval is set, the refresh thread needs to be started by calling crlRefresh(). Also, the session cache is set to off with no identifier.

Definition at line 805 of file XrdTlsContext.cc.

806{
807 XrdTlsContext::CTX_Params &my = pImpl->Parm;
808 const char *cert = (my.cert.size() ? my.cert.c_str() : 0);
809 const char *pkey = (my.pkey.size() ? my.pkey.c_str() : 0);
810 const char *caD = (my.cadir.size() ? my.cadir.c_str() : 0);
811 const char *caF = (my.cafile.size() ? my.cafile.c_str() : 0);
812
813// If this is a non-full context, get rid of any verification
814//
815 if (!full) caD = caF = 0;
816
817// Cloning simply means getting a object with the old parameters.
818//
819 uint64_t myOpts = my.opts;
820 if(startCRLRefresh){
821 myOpts |= XrdTlsContext::rfCRL;
822 } else {
823 myOpts &= ~XrdTlsContext::rfCRL;
824 }
825 XrdTlsContext *xtc = new XrdTlsContext(cert, pkey, caD, caF, myOpts);
826
827// Verify that the context was built
828//
829 if (xtc->isOK()) {
830 if(pImpl->sessionCacheOpts != -1){
831 //A SessionCache() call was done for the current context, so apply it for this new cloned context
832 xtc->SessionCache(pImpl->sessionCacheOpts,pImpl->sessionCacheId.c_str(),pImpl->sessionCacheId.size());
833 }
834 return xtc;
835 }
836
837// We failed, cleanup.
838//
839 delete xtc;
840 return 0;
841}
XrdTlsContext::SessionCache
int SessionCache(int opts=scNone, const char *id=0, int idlen=0)
Definition XrdTlsContext.cc:985
XrdTlsContext::XrdTlsContext
XrdTlsContext(const char *cert=0, const char *key=0, const char *cadir=0, const char *cafile=0, uint64_t opts=0, std::string *eMsg=0)
Definition XrdTlsContext.cc:581
XrdTlsContext::CTX_Params::cafile
std::string cafile
-> ca cert file.
Definition XrdTlsContext.hh:78
XrdTlsContext::CTX_Params::opts
uint64_t opts
Options as passed to the constructor.
Definition XrdTlsContext.hh:79
XrdTlsContext::CTX_Params::cadir
std::string cadir
-> ca cert directory.
Definition XrdTlsContext.hh:77
XrdTlsContext::CTX_Params::pkey
std::string pkey
-> private key path.
Definition XrdTlsContext.hh:76
XrdTlsContext::CTX_Params::cert
std::string cert
-> certificate path.
Definition XrdTlsContext.hh:75

References XrdTlsContext(), XrdTlsContext::CTX_Params::cadir, XrdTlsContext::CTX_Params::cafile, XrdTlsContext::CTX_Params::cert, isOK(), XrdTlsContext::CTX_Params::opts, XrdTlsContext::CTX_Params::pkey, rfCRL, and SessionCache().

Referenced by XrdTlsCrl::Refresh().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ Context()

void * XrdTlsContext::Context ( )

Get the underlying context (should not be used).

Returns
Pointer to the underlying context.

Definition at line 847 of file XrdTlsContext.cc.

848{
849 return pImpl->ctx;
850}

◆ GetParams()

const XrdTlsContext::CTX_Params * XrdTlsContext::GetParams ( )

Definition at line 856 of file XrdTlsContext.cc.

857{
858 return &pImpl->Parm;
859}

Referenced by XrdTlsSocket::Init().

+ Here is the caller graph for this function:

◆ Init()

const char * XrdTlsContext::Init ( )
static

Simply initialize the TLS library.

Returns
=0 Library initialized. !0 Library not initialized, return string indicates why.
Note
Init() is implicitly called by the contructor. Use this method to use the TLS libraries without instantiating a context.

Definition at line 865 of file XrdTlsContext.cc.

866{
867
868// Disallow use if this object unless SSL provides thread-safety!
869//
870#ifndef OPENSSL_THREADS
871 return "Installed OpenSSL lacks the required thread support!";
872#endif
873
874// Initialize the library (one time call)
875//
876 InitTLS();
877 return 0;
878}
XrdCl::InitTLS
bool InitTLS()
Definition XrdClTls.cc:96

Referenced by XrdCryptosslFactory::XrdCryptosslFactory(), XrdTlsContext(), and XrdCryptoLite_New_bf32().

+ Here is the caller graph for this function:

◆ isOK()

bool XrdTlsContext::isOK ( )

Determine if this object was correctly built.

Returns
True if this object is usuable and false otherwise.

Definition at line 884 of file XrdTlsContext.cc.

885{
886 return pImpl->ctx != 0;
887}

Referenced by Clone(), and XrdTlsCrl::Refresh().

+ Here is the caller graph for this function:

◆ newHostCertificateDetected()

bool XrdTlsContext::newHostCertificateDetected ( )

Definition at line 1130 of file XrdTlsContext.cc.

1130 {
1131 const std::string certPath = pImpl->Parm.cert;
1132 if(certPath.empty()) {
1133 //No certificate provided, should not happen though
1134 return false;
1135 }
1136 time_t modificationTime;
1137 if(!XrdOucUtils::getModificationTime(certPath.c_str(),modificationTime)){
1138 if (pImpl->lastCertModTime != modificationTime) {
1139 //The certificate file has changed
1140 pImpl->lastCertModTime = modificationTime;
1141 return true;
1142 }
1143 }
1144 return false;
1145}

References XrdOucUtils::getModificationTime().

Referenced by XrdTlsCrl::Refresh().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ operator=() [1/2]

XrdTlsContext & XrdTlsContext::operator= ( const XrdTlsContext & ctx)
delete

References XrdTlsContext().

+ Here is the call graph for this function:

◆ operator=() [2/2]

XrdTlsContext & XrdTlsContext::operator= ( XrdTlsContext && ctx)
delete

References XrdTlsContext().

+ Here is the call graph for this function:

◆ Session()

void * XrdTlsContext::Session ( )

Apply this context to obtain a new SSL session.

Returns
A pointer to a new SSL session if successful and nil otherwise.

Definition at line 899 of file XrdTlsContext.cc.

900{
901#if OPENSSL_VERSION_NUMBER >= 0x10002000L
902
903 EPNAME("Session");
904 SSL *ssl;
905
906// Check if we have a refreshed context. If so, we need to replace the X509
907// store in the current context with the new one before we create the session.
908//
909 pImpl->crlMutex.ReadLock();
910 if (!(pImpl->ctxnew))
911 {ssl = SSL_new(pImpl->ctx);
912 pImpl->crlMutex.UnLock();
913 return ssl;
914 }
915
916// Things have changed, so we need to take the long route here. We need to
917// replace the x509 cache with the current cache. Get a R/W lock now.
918//
919 pImpl->crlMutex.UnLock();
920 pImpl->crlMutex.WriteLock();
921
922// If some other thread beat us to the punch, just return what we have.
923//
924 if (!(pImpl->ctxnew))
925 {ssl = SSL_new(pImpl->ctx);
926 pImpl->crlMutex.UnLock();
927 return ssl;
928 }
929
930// Do some tracing
931//
932 DBG_CTX("Replacing x509 store with new contents.");
933
934// Get the new store and set it in our context. Setting the store is black
935// magic. For OpenSSL < 1.1, Two stores need to be set with the "set1" variant.
936// Newer version only require SSL_CTX_set1_cert_store() to be used.
937//
938 //We have a new context generated by Refresh, so we must use it.
939 XrdTlsContext * ctxnew = pImpl->ctxnew;
940
941 /*X509_STORE *newX509 = SSL_CTX_get_cert_store(ctxnew->pImpl->ctx);
942 SSL_CTX_set1_verify_cert_store(pImpl->ctx, newX509);
943 SSL_CTX_set1_chain_cert_store(pImpl->ctx, newX509);*/
944 //The above two macros actually do not replace the certificate that has
945 //to be used for that SSL session, so we will create the session with the SSL_CTX * of
946 //the TlsContext created by Refresh()
947 //First, free the current SSL_CTX, if it is used by any transfer, it will just decrease
948 //the reference counter of it. There is therefore no risk of double free...
949 SSL_CTX_free(pImpl->ctx);
950 pImpl->ctx = ctxnew->pImpl->ctx;
951 //In the destructor of XrdTlsContextImpl, SSL_CTX_Free() is
952 //called if ctx is != 0. As this new ctx is used by the session
953 //we just created, we don't want that to happen. We therefore set it to 0.
954 //The SSL_free called on the session will cleanup the context for us.
955 ctxnew->pImpl->ctx = 0;
956
957// Save the generated context and clear it's presence
958//
959 XrdTlsContext *ctxold = pImpl->ctxnew;
960 pImpl->ctxnew = 0;
961
962// Generate a new session (might as well to keep the lock we have)
963//
964 ssl = SSL_new(pImpl->ctx);
965
966// OK, now we can drop all the locks and get rid of the old context
967//
968 pImpl->crlMutex.UnLock();
969 delete ctxold;
970 return ssl;
971
972#else
973// If we did not compile crl refresh code, we can simply return the OpenSSL
974// session using our context. Otherwise, we need to see if we have a refreshed
975// context and if so, carry forward the X509_store to our original context.
976//
977 return SSL_new(pImpl->ctx);
978#endif
979}
EPNAME
#define EPNAME(x)
Definition XrdBwmTrace.hh:56
DBG_CTX
#define DBG_CTX(y)
Definition XrdTlsTrace.hh:39

References XrdTlsContext(), XrdTlsContextImpl::ctx, DBG_CTX, and EPNAME.

Referenced by XrdTlsSocket::Init().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ SessionCache()

int XrdTlsContext::SessionCache ( int opts = scNone,
const char * id = 0,
int idlen = 0 )

Definition at line 985 of file XrdTlsContext.cc.

986{
987 static const int doSet = scSrvr | scClnt | scOff;
988 long sslopt = 0;
989 int flushT = opts & scFMax;
990
991 pImpl->sessionCacheOpts = opts;
992 pImpl->sessionCacheId = id;
993
994// If initialization failed there is nothing to do
995//
996 if (pImpl->ctx == 0) return 0;
997
998// Set options as appropriate
999//
1000 if (opts & doSet)
1001 {if (opts & scOff) sslopt = SSL_SESS_CACHE_OFF;
1002 else {if (opts & scSrvr) sslopt = SSL_SESS_CACHE_SERVER;
1003 if (opts & scClnt) sslopt |= SSL_SESS_CACHE_CLIENT;
1004 }
1005 }
1006
1007// Check if we should set any cache options or simply get them
1008//
1009 if (!(opts & doSet)) sslopt = SSL_CTX_get_session_cache_mode(pImpl->ctx);
1010 else {sslopt = SSL_CTX_set_session_cache_mode(pImpl->ctx, sslopt);
1011 if (opts & scOff) SSL_CTX_set_options(pImpl->ctx, SSL_OP_NO_TICKET);
1012 }
1013
1014// Compute what he previous cache options were
1015//
1016 opts = scNone;
1017 if (sslopt & SSL_SESS_CACHE_SERVER) opts |= scSrvr;
1018 if (sslopt & SSL_SESS_CACHE_CLIENT) opts |= scClnt;
1019 if (!opts) opts = scOff;
1020 if (sslopt & SSL_SESS_CACHE_NO_AUTO_CLEAR) opts |= scKeep;
1021 opts |= (static_cast<int>(pImpl->flushT) & scFMax);
1022
1023// Set the id is so wanted
1024//
1025 if (id && idlen > 0)
1026 {if (!SSL_CTX_set_session_id_context(pImpl->ctx,
1027 (unsigned const char *)id,
1028 (unsigned int)idlen)) opts |= scIdErr;
1029 }
1030
1031// If a flush interval was specified and it is different from what we have
1032// then reset the flush interval.
1033//
1034 if (flushT && flushT != pImpl->flushT)
1035 XrdTlsFlush::Setup_Flusher(pImpl, flushT);
1036
1037// All done
1038//
1039 return opts;
1040}
XrdTlsContext::scIdErr
static const int scIdErr
Info: Id not set, is too long.
Definition XrdTlsContext.hh:137
XrdTlsContext::scClnt
static const int scClnt
Turn on cache client mode.
Definition XrdTlsContext.hh:135
XrdTlsContext::scKeep
static const int scKeep
Info: TLS-controlled flush disabled.
Definition XrdTlsContext.hh:136
XrdTlsContext::scNone
static const int scNone
Do not change any option settings.
Definition XrdTlsContext.hh:132
XrdTlsContext::scOff
static const int scOff
Turn off cache.
Definition XrdTlsContext.hh:133
XrdTlsContext::scFMax
static const int scFMax
Definition XrdTlsContext.hh:138
XrdTlsContext::scSrvr
static const int scSrvr
Turn on cache server mode (default)
Definition XrdTlsContext.hh:134
XrdTlsFlush::Setup_Flusher
bool Setup_Flusher(XrdTlsContextImpl *pImpl, int flushT)
Definition XrdTlsContext.cc:262

References opts, scClnt, scFMax, scIdErr, scKeep, scNone, scOff, scSrvr, and XrdTlsFlush::Setup_Flusher().

Referenced by Clone().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ SetContextCiphers()

bool XrdTlsContext::SetContextCiphers ( const char * ciphers)

Set allowed ciphers for this context.

Parameters
ciphersThe colon separated list of allowable ciphers.
Returns
True if at least one cipher can be used; false otherwise. When false is reurned, this context is no longer usable.

Definition at line 1046 of file XrdTlsContext.cc.

1047{
1048 if (pImpl->ctx && SSL_CTX_set_cipher_list(pImpl->ctx, ciphers)) return true;
1049
1050 char eBuff[2048];
1051 snprintf(eBuff,sizeof(eBuff),"Unable to set context ciphers '%s'",ciphers);
1052 Fatal(0, eBuff, true);
1053 return false;
1054}
Fatal
void Fatal(const char *op, const char *target)
Definition XrdCrc32c.cc:58

References Fatal().

+ Here is the call graph for this function:

◆ SetCrlRefresh()

bool XrdTlsContext::SetCrlRefresh ( int refsec = -1)

Set CRL refresh time. By default, CRL's are not refreshed.

Parameters
refsec>0: The number of seconds between refreshes. A value less than 60 sets it to 60. =0: Stops automatic refreshing. <0: Starts automatic refreshing with the current setting if it has not already been started.
Returns
True if the CRL refresh thread was started; false otherwise.

Definition at line 1069 of file XrdTlsContext.cc.

1070{
1071#if OPENSSL_VERSION_NUMBER >= 0x10002000L
1072
1073 pthread_t tid;
1074 int rc;
1075
1076// If it's negative or equal to 0, use the current setting
1077//
1078 if (refsec <= 0)
1079 {pImpl->crlMutex.WriteLock();
1080 refsec = pImpl->Parm.crlRT;
1081 pImpl->crlMutex.UnLock();
1082 if (!refsec) refsec = XrdTlsContext::DEFAULT_CRL_REF_INT_SEC;
1083 }
1084
1085// Make sure this is at least 60 seconds between refreshes
1086//
1087// if (refsec < 60) refsec = 60;
1088
1089// We will set the new interval and start a refresh thread if not running.
1090//
1091 pImpl->crlMutex.WriteLock();
1092 pImpl->Parm.crlRT = refsec;
1093 if (!pImpl->crlRunning)
1094 {if ((rc = XrdSysThread::Run(&tid, XrdTlsCrl::Refresh, (void *)pImpl,
1095 0, "CRL Refresh")))
1096 {char eBuff[512];
1097 snprintf(eBuff, sizeof(eBuff),
1098 "Unable to start CRL refresh thread; rc=%d", rc);
1099 XrdTls::Emsg("CrlRefresh:", eBuff, false);
1100 pImpl->crlMutex.UnLock();
1101 return false;
1102 } else pImpl->crlRunning = true;
1103 pImpl->crlMutex.UnLock();
1104 }
1105
1106// All done
1107//
1108 return true;
1109
1110#else
1111// We use features present on OpenSSL 1.02 and above to implement crl refresh.
1112// Older version are too difficult to deal with. Issue a message if this
1113// feature is being enabled on an old version.
1114//
1115 XrdTls::Emsg("CrlRefresh:", "Refreshing CRLs only supported in "
1116 "OpenSSL version >= 1.02; CRL refresh disabled!", false);
1117 return false;
1118#endif
1119}
XrdSysThread::Run
static int Run(pthread_t *, void *(*proc)(void *), void *arg, int opts=0, const char *desc=0)
Definition XrdSysPthread.cc:307
XrdTlsContext::DEFAULT_CRL_REF_INT_SEC
static const int DEFAULT_CRL_REF_INT_SEC
Default CRL refresh interval in seconds.
Definition XrdTlsContext.hh:66
XrdTls::Emsg
static void Emsg(const char *tid, const char *msg=0, bool flush=true)
Definition XrdTls.cc:104
XrdTlsCrl::Refresh
void * Refresh(void *parg)
Definition XrdTlsContext.cc:88

References DEFAULT_CRL_REF_INT_SEC, XrdTls::Emsg(), XrdTlsCrl::Refresh(), and XrdSysThread::Run().

Referenced by XrdTlsContext().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ SetDefaultCiphers()

void XrdTlsContext::SetDefaultCiphers ( const char * ciphers)
static

Set allowed default ciphers.

Parameters
ciphersThe colon separated list of allowable ciphers.

Definition at line 1060 of file XrdTlsContext.cc.

1061{
1062 sslCiphers = ciphers;
1063}

◆ SetTlsClientAuth()

bool XrdTlsContext::SetTlsClientAuth ( ClientAuthSetting setting)

Indicate how the server should handle TLS client authentication.

Parameters
settingkOn: All clients will be asked to send a TLS client certificate kOff: No clients will be asked to send a TLS client certificate;
Returns
True if the client auth was configured; False on failure.

Note the TLS connection will not fail if the client is asked for a cert but none are provided.

Definition at line 1147 of file XrdTlsContext.cc.

1147 {
1148
1149 bool LogVF = (pImpl->opts & logVF) != 0;
1150 switch (setting) {
1151 case kOn:
1152 SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_PEER, (LogVF ? VerCB : 0));
1153 break;
1154 case kOff:
1155 SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_NONE, 0);
1156 break;
1157 default:
1158 return false;
1159 }
1160 return true;
1161}

References kOff, kOn, and logVF.

◆ x509Verify()

bool XrdTlsContext::x509Verify ( )

Check if certificates are being verified.

Returns
True if certificates are being verified, false otherwise.

Definition at line 1125 of file XrdTlsContext.cc.

1126{
1127 return !(pImpl->Parm.cadir.empty()) || !(pImpl->Parm.cafile.empty());
1128}

Referenced by XrdTlsSocket::Init(), and XrdTlsCrl::Refresh().

+ Here is the caller graph for this function:

Member Data Documentation

◆ artON

const uint64_t XrdTlsContext::artON = 0x0000002000000000
static

Auto retry Handshake.

Definition at line 262 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlFC

const uint64_t XrdTlsContext::crlFC = 0x000000C000000000
static

Full crl chain checking.

Definition at line 259 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlON

const uint64_t XrdTlsContext::crlON = 0x0000008000000000
static

Enables crl checking.

Definition at line 258 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlRF

const uint64_t XrdTlsContext::crlRF = 0x00000000ffff0000
static

Mask to isolate crl refresh in min.

Definition at line 260 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlRS

const int XrdTlsContext::crlRS = 16
static

Bits to shift vdept.

Definition at line 261 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ DEFAULT_CRL_REF_INT_SEC

const int XrdTlsContext::DEFAULT_CRL_REF_INT_SEC = 8 * 60 * 60
static

Default CRL refresh interval in seconds.

Definition at line 66 of file XrdTlsContext.hh.

Referenced by XrdTlsContext::CTX_Params::CTX_Params(), and SetCrlRefresh().

◆ dnsok

const uint64_t XrdTlsContext::dnsok = 0x0000000200000000
static

Trust DNS for host name.

Definition at line 255 of file XrdTlsContext.hh.

Referenced by XrdTlsSocket::Init().

◆ hsto

const uint64_t XrdTlsContext::hsto = 0x00000000000000ff
static

Mask to isolate the hsto.

Constructor. Note that you should use isOK() to determine if construction was successful. A false return indicates failure.

Parameters
certPointer to the certificate file to be used. If nil, a generic context is created for client use.
keyPointer to the private key flle to be used. It must correspond to the certificate file. If nil, it is assumed that the key is contained in the cert file.
cadirpath to the directory containing the CA certificates.
cafilepath to the file containing the CA certificates.
optsProcessing options (or'd bitwise): artON - Auto retry handshakes (i.e. block on handshake) crlON - Perform crl check on the leaf node crlFC - Apply crl check to full chain crlRF - Initial crl refresh interval in minutes. dnsok - trust DNS when verifying hostname. hsto - the handshake timeout value in seconds. logVF - Turn on verification failure logging. nopxy - Do not allow proxy cert (normally allowed) servr - This is a server-side context and x509 peer certificate validation may be turned off. vdept - The maximum depth of the certificate chain that must be validated (max is 255).
eMsgIf non-zero, the reason for the failure is returned,
Note
a) If neither cadir nor cafile is specified, certificate validation is not performed if and only if the servr option is specified. Otherwise, the cadir value is obtained from the X509_CERT_DIR envar and the cafile value is obtained from the X509_CERT_File envar. If both are nil, context creation fails. b) Additionally for client-side contructions, if cert or key is not specified their locations come from X509_USER_PROXY and X509_USER_KEY. These may be nil in which case a generic context is created with a local key-pair and no certificate. c) You should immediately call isOK() after instantiating this object. A return value of false means that construction failed. d) Failure messages are routed to the message callback function during construction. e) While the crl refresh interval is set you must engage it by calling crlRefresh() so as to avoid unnecessary refresh threads.

Definition at line 250 of file XrdTlsContext.hh.

Referenced by XrdTlsSocket::Init().

◆ logVF

const uint64_t XrdTlsContext::logVF = 0x0000000800000000
static

Log verify failures.

Definition at line 253 of file XrdTlsContext.hh.

Referenced by XrdConfig::XrdConfig(), XrdTlsContext(), and SetTlsClientAuth().

◆ nopxy

const uint64_t XrdTlsContext::nopxy = 0x0000000100000000
static

Do not allow proxy certs.

Definition at line 256 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ rfCRL

const uint64_t XrdTlsContext::rfCRL = 0x0000004000000000
static

Turn on the CRL refresh thread.

Definition at line 257 of file XrdTlsContext.hh.

Referenced by XrdTlsContext(), and Clone().

◆ scClnt

const int XrdTlsContext::scClnt = 0x00040000
static

Turn on cache client mode.

Definition at line 135 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scFMax

const int XrdTlsContext::scFMax = 0x00007fff
static

Maximum flush interval in seconds When 0 keeps the current setting

Definition at line 138 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scIdErr

const int XrdTlsContext::scIdErr = 0x80000000
static

Info: Id not set, is too long.

Definition at line 137 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scKeep

const int XrdTlsContext::scKeep = 0x40000000
static

Info: TLS-controlled flush disabled.

Definition at line 136 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scNone

const int XrdTlsContext::scNone = 0x00000000
static

Do not change any option settings.

Get or set session cache parameters for generated sessions.

Parameters
optsOne or more bit or'd options (see below).
idThe identifier to be used (may be nil to keep setting).
idlenThe length of the identifier (may be zero as above).
Returns
The cache settings prior to any changes are returned. When setting the id, the scIdErr may be returned if the name is too long. If the context has been pprroperly initialized, zero is returned. By default, the session cache is disabled as it is impossible to verify a peer certificate chain when a cached session is reused.

Definition at line 132 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scOff

const int XrdTlsContext::scOff = 0x00010000
static

Turn off cache.

Definition at line 133 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scSrvr

const int XrdTlsContext::scSrvr = 0x00020000
static

Turn on cache server mode (default)

Definition at line 134 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ servr

const uint64_t XrdTlsContext::servr = 0x0000000400000000
static

This is a server context.

Definition at line 254 of file XrdTlsContext.hh.

Referenced by XrdConfig::XrdConfig(), and XrdTlsContext().

◆ vdepS

const int XrdTlsContext::vdepS = 8
static

Bits to shift vdept.

Definition at line 252 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ vdept

const uint64_t XrdTlsContext::vdept = 0x000000000000ff00
static

Mask to isolate vdept.

Definition at line 251 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

The documentation for this class was generated from the following files: