XRootD
Loading...
Searching...
No Matches
XrdTlsContext Class Reference

#include <XrdTlsContext.hh>

Collaboration diagram for XrdTlsContext:

Classes

struct  CTX_Params

Public Member Functions

 XrdTlsContext (const char *cert=0, const char *key=0, const char *cadir=0, const char *cafile=0, uint64_t opts=0, std::string *eMsg=0)
 XrdTlsContext (const XrdTlsContext &ctx)=delete
 Disallow any copies of this object.
 XrdTlsContext (XrdTlsContext &&ctx)=delete
 ~XrdTlsContext ()
 Destructor.
XrdTlsContextClone (bool full=true, bool startCRLRefresh=false)
void * Context ()
const CTX_ParamsGetParams ()
bool isOK ()
bool newHostCertificateDetected ()
XrdTlsContextoperator= (const XrdTlsContext &ctx)=delete
XrdTlsContextoperator= (XrdTlsContext &&ctx)=delete
void * Session ()
int SessionCache (int opts=scNone, const char *id=0, int idlen=0)
bool SetContextCiphers (const char *ciphers)
bool SetCrlRefresh (int refsec=-1)
void SetTlsClientAuth (bool setting)
bool x509Verify ()

Static Public Member Functions

static const char * Init ()
static void SetDefaultCiphers (const char *ciphers)

Static Public Attributes

static const uint64_t artON = 0x0000002000000000
 Auto retry Handshake.
static const uint64_t clcOF = 0x0000010000000000
 Disable client certificate request.
static const uint64_t crlFC = 0x000000C000000000
 Full crl chain checking.
static const uint64_t crlON = 0x0000008000000000
 Enables crl checking.
static const uint64_t crlRF = 0x00000000ffff0000
 Mask to isolate crl refresh in min.
static const int crlRS = 16
 Bits to shift vdept.
static const int DEFAULT_CRL_REF_INT_SEC = 8 * 60 * 60
 Default CRL refresh interval in seconds.
static const uint64_t dnsok = 0x0000000200000000
 Trust DNS for host name.
static const uint64_t hsto = 0x00000000000000ff
 Mask to isolate the hsto.
static const uint64_t logVF = 0x0000000800000000
 Log verify failures.
static const uint64_t nopxy = 0x0000000100000000
 Do not allow proxy certs.
static const uint64_t rfCRL = 0x0000004000000000
 Turn on the CRL refresh thread.
static const int scClnt = 0x00040000
 Turn on cache client mode.
static const int scFMax = 0x00007fff
static const int scIdErr = 0x80000000
 Info: Id not set, is too long.
static const int scKeep = 0x40000000
 Info: TLS-controlled flush disabled.
static const int scNone = 0x00000000
 Do not change any option settings.
static const int scOff = 0x00010000
 Turn off cache.
static const int scSrvr = 0x00020000
 Turn on cache server mode (default).
static const uint64_t servr = 0x0000000400000000
 This is a server context.
static const int vdepS = 8
 Bits to shift vdept.
static const uint64_t vdept = 0x000000000000ff00
 Mask to isolate vdept.

Detailed Description

Definition at line 36 of file XrdTlsContext.hh.

Constructor & Destructor Documentation

◆ XrdTlsContext() [1/3]

XrdTlsContext::XrdTlsContext ( const char * cert = 0,
const char * key = 0,
const char * cadir = 0,
const char * cafile = 0,
uint64_t opts = 0,
std::string * eMsg = 0 )

Definition at line 580 of file XrdTlsContext.cc.

583 : pImpl( new XrdTlsContextImpl(this) )
584{
585 class ctx_helper
586 {public:
587
588 void Keep() {ctxLoc = 0;}
589
590 ctx_helper(SSL_CTX **ctxP) : ctxLoc(ctxP) {}
591 ~ctx_helper() {if (ctxLoc && *ctxLoc)
592 {SSL_CTX_free(*ctxLoc); *ctxLoc = 0;}
593 }
594 private:
595 SSL_CTX **ctxLoc;
596 } ctx_tracker(&pImpl->ctx);
597
598 static const uint64_t sslOpts = SSL_OP_ALL
599 | SSL_OP_NO_SSLv2
600 | SSL_OP_NO_SSLv3
601 | SSL_OP_NO_COMPRESSION
602#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
603 | SSL_OP_IGNORE_UNEXPECTED_EOF
604#endif
605#if OPENSSL_VERSION_NUMBER >= 0x10101000L
606 | SSL_OP_NO_RENEGOTIATION
607#endif
608 ;
609
610 std::string certFN, eText;
611 const char *emsg;
612
613// Assume we will fail
614//
615 pImpl->ctx = 0;
616
617// Verify that initialzation has occurred. This is not heavy weight as
618// there will usually be no more than two instances of this object.
619//
620 if (!initDbgDone)
621 {XrdSysMutexHelper dbgHelper(dbgMutex);
622 if (!initDbgDone)
623 {const char *dbg;
624 if (!(opts & servr) && (dbg = getenv("XRDTLS_DEBUG")))
625 {int dbgOpts = 0;
626 if (strstr(dbg, "ctx")) dbgOpts |= XrdTls::dbgCTX;
627 if (strstr(dbg, "sok")) dbgOpts |= XrdTls::dbgSOK;
628 if (strstr(dbg, "sio")) dbgOpts |= XrdTls::dbgSIO;
629 if (!dbgOpts) dbgOpts = XrdTls::dbgALL;
630 XrdTls::SetDebug(dbgOpts|XrdTls::dbgOUT);
631 }
632 if ((emsg = Init())) FATAL(emsg);
633 initDbgDone = true;
634 }
635 }
636
637// If no CA cert information is specified and this is not a server context,
638// then get the paths from the environment. They must exist as we need to
639// verify peer certs in order to verify target host names client-side. We
640// also use this setupt to see if we should use a specific cert and key.
641//
642 if (!(opts & servr))
643 {if (!caDir && !caFile)
644 {caDir = getenv("X509_CERT_DIR");
645 caFile = getenv("X509_CERT_FILE");
646 if (!caDir && !caFile)
647 FATAL("No CA cert specified; host identity cannot be verified.");
648 }
649 if (!key) key = getenv("X509_USER_KEY");
650 if (!cert) cert = getenv("X509_USER_PROXY");
651 if (!cert)
652 {struct stat Stat;
653 long long int uid = static_cast<long long int>(getuid());
654 certFN = std::string("/tmp/x509up_u") + std::to_string(uid);
655 if (!stat(certFN.c_str(), &Stat)) cert = certFN.c_str();
656 }
657 }
658
659// Before we try to use any specified files, make sure they exist, are of
660// the right type and do not have excessive access privileges.
661// .a
662 if (!VerPaths(cert, key, caDir, caFile, eText)) FATAL( eText.c_str());
663
664// Copy parameters to out parm structure.
665//
666 if (cert) {
667 pImpl->Parm.cert = cert;
668 //This call should not fail as a stat is already performed in the call of VerPaths() above
669 XrdOucUtils::getModificationTime(pImpl->Parm.cert.c_str(),pImpl->lastCertModTime);
670 }
671 if (key) pImpl->Parm.pkey = key;
672 if (caDir) pImpl->Parm.cadir = caDir;
673 if (caFile) pImpl->Parm.cafile = caFile;
674 pImpl->Parm.opts = opts;
675 if (opts & crlRF) {
676 // What we store in crlRF is the time in minutes, convert it back to seconds
677 pImpl->Parm.crlRT = static_cast<int>((opts & crlRF) >> crlRS) * 60;
678 }
679
680// Get the correct method to use for TLS and check if successful create a
681// server context that uses the method.
682//
683 const SSL_METHOD *meth;
684 emsg = GetTlsMethod(meth);
685 if (emsg) FATAL(emsg);
686
687 pImpl->ctx = SSL_CTX_new(meth);
688
689// Make sure we have a context here
690//
691 if (pImpl->ctx == 0) FATAL_SSL("Unable to allocate TLS context!");
692
693// Always prohibit SSLv2 & SSLv3 as these are not secure.
694//
695 SSL_CTX_set_options(pImpl->ctx, sslOpts);
696
697// Handle session re-negotiation automatically
698//
699// SSL_CTX_set_mode(pImpl->ctx, sslMode);
700
701// Turn off the session cache as it's useless with peer cert chains
702//
703 SSL_CTX_set_session_cache_mode(pImpl->ctx, SSL_SESS_CACHE_OFF);
704
705// Establish the CA cert locations, if specified. Then set the verification
706// depth and turn on peer cert validation. For now, we don't set a callback.
707// In the future we may to grab debugging information.
708//
709 if ((caDir || caFile) && !(opts & clcOF))
710 {if (!SSL_CTX_load_verify_locations(pImpl->ctx, caFile, caDir))
711 FATAL_SSL("Unable to load the CA cert file or directory.");
712
713 int vDepth = (opts & vdept) >> vdepS;
714 SSL_CTX_set_verify_depth(pImpl->ctx, (vDepth ? vDepth : 9));
715
716 bool LogVF = (opts & logVF) != 0;
717 SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_PEER, (LogVF ? VerCB : 0));
718
719 unsigned long xFlags = (opts & nopxy ? 0 : X509_V_FLAG_ALLOW_PROXY_CERTS);
720 if (opts & crlON)
721 {xFlags |= X509_V_FLAG_CRL_CHECK;
722 if (opts & crlFC) xFlags |= X509_V_FLAG_CRL_CHECK_ALL;
723 }
724 if (opts) X509_STORE_set_flags(SSL_CTX_get_cert_store(pImpl->ctx),xFlags);
725 } else {
726 SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_NONE, 0);
727 }
728
729// Set cipher list
730//
731 if (!SSL_CTX_set_cipher_list(pImpl->ctx, sslCiphers))
732 FATAL_SSL("Unable to set SSL cipher list; no supported ciphers.");
733
734// If we need to enable eliptic-curve support, do so now. Note that for
735// OpenSSL 1.1.0+ this is automatically done for us.
736//
737#if SSL_CTRL_SET_ECDH_AUTO
738 SSL_CTX_set_ecdh_auto(pImpl->ctx, 1);
739#endif
740
741// We normally handle renegotiation during reads and writes or selective
742// prohibit on a SSL socket basis. The calle may request this be applied
743// to all SSL's generated from this context. If so, do it here.
744//
745 if (opts & artON) SSL_CTX_set_mode(pImpl->ctx, SSL_MODE_AUTO_RETRY);
746
747// If there is no cert then assume this is a generic context for a client
748//
749 if (cert == 0)
750 {ctx_tracker.Keep();
751 return;
752 }
753
754// We have a cert. If the key is missing then we assume the key is in the
755// cert file (ssl will complain if it isn't).
756//
757 if (!key) key = cert;
758
759// Load certificate
760//
761 if (SSL_CTX_use_certificate_chain_file(pImpl->ctx, cert) != 1)
762 FATAL_SSL("Unable to create TLS context; invalid certificate.");
763
764// Load the private key
765//
766 if (SSL_CTX_use_PrivateKey_file(pImpl->ctx, key, SSL_FILETYPE_PEM) != 1 )
767 FATAL_SSL("Unable to create TLS context; invalid private key.");
768
769// Make sure the key and certificate file match.
770//
771 if (SSL_CTX_check_private_key(pImpl->ctx) != 1 )
772 FATAL_SSL("Unable to create TLS context; cert-key mismatch.");
773
774// All went well, start the CRL refresh thread and keep the context.
775//
776 if(opts & rfCRL) {
777 SetCrlRefresh();
778 }
779 ctx_tracker.Keep();
780}
Stat
struct stat Stat
Definition XrdCks.cc:49
stat
#define stat(a, b)
Definition XrdPosix.hh:101
opts
struct myOpts opts
emsg
int emsg(int rc, char *msg)
Definition XrdSectestServer.cc:309
FATAL_SSL
#define FATAL_SSL(msg)
Definition XrdTlsContext.cc:578
FATAL
#define FATAL(msg)
Definition XrdTlsContext.cc:576
XrdOucUtils::getModificationTime
static int getModificationTime(const char *path, time_t &modificationTime)
Definition XrdOucUtils.cc:1478
XrdTlsContext::vdept
static const uint64_t vdept
Mask to isolate vdept.
Definition XrdTlsContext.hh:245
XrdTlsContext::crlRS
static const int crlRS
Bits to shift vdept.
Definition XrdTlsContext.hh:255
XrdTlsContext::clcOF
static const uint64_t clcOF
Disable client certificate request.
Definition XrdTlsContext.hh:257
XrdTlsContext::servr
static const uint64_t servr
This is a server context.
Definition XrdTlsContext.hh:248
XrdTlsContext::rfCRL
static const uint64_t rfCRL
Turn on the CRL refresh thread.
Definition XrdTlsContext.hh:251
XrdTlsContext::nopxy
static const uint64_t nopxy
Do not allow proxy certs.
Definition XrdTlsContext.hh:250
XrdTlsContext::logVF
static const uint64_t logVF
Log verify failures.
Definition XrdTlsContext.hh:247
XrdTlsContext::crlFC
static const uint64_t crlFC
Full crl chain checking.
Definition XrdTlsContext.hh:253
XrdTlsContext::crlON
static const uint64_t crlON
Enables crl checking.
Definition XrdTlsContext.hh:252
XrdTlsContext::artON
static const uint64_t artON
Auto retry Handshake.
Definition XrdTlsContext.hh:256
XrdTlsContext::vdepS
static const int vdepS
Bits to shift vdept.
Definition XrdTlsContext.hh:246
XrdTlsContext::Init
static const char * Init()
Definition XrdTlsContext.cc:862
XrdTlsContext::SetCrlRefresh
bool SetCrlRefresh(int refsec=-1)
Definition XrdTlsContext.cc:1066
XrdTlsContext::crlRF
static const uint64_t crlRF
Mask to isolate crl refresh in min.
Definition XrdTlsContext.hh:254
XrdTls::dbgSIO
static const int dbgSIO
Turn debugging in for socket I/O.
Definition XrdTls.hh:102
XrdTls::dbgSOK
static const int dbgSOK
Turn debugging in for socket operations.
Definition XrdTls.hh:101
XrdTls::dbgOUT
static const int dbgOUT
Force msgs to stderr for easier client debug.
Definition XrdTls.hh:104
XrdTls::dbgALL
static const int dbgALL
Turn debugging for everything.
Definition XrdTls.hh:103
XrdTls::dbgCTX
static const int dbgCTX
Turn debugging in for context operations.
Definition XrdTls.hh:100
XrdTls::SetDebug
static void SetDebug(int opts, XrdSysLogger *logP=0)
Definition XrdTls.cc:177

References artON, clcOF, crlFC, crlON, crlRF, crlRS, XrdTls::dbgALL, XrdTls::dbgCTX, XrdTls::dbgOUT, XrdTls::dbgSIO, XrdTls::dbgSOK, eMsg, emsg(), FATAL, FATAL_SSL, XrdOucUtils::getModificationTime(), Init(), logVF, nopxy, opts, rfCRL, servr, SetCrlRefresh(), XrdTls::SetDebug(), Stat, stat, vdepS, and vdept.

Referenced by XrdTlsContext(), XrdTlsContext(), Clone(), operator=(), operator=(), and Session().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ ~XrdTlsContext()

XrdTlsContext::~XrdTlsContext ( )

Destructor.

Definition at line 786 of file XrdTlsContext.cc.

787{
788// We can delet eour implementation of there is no refresh thread running. If
789// there is then the refresh thread has to delete the implementation.
790//
791 if (pImpl->crlRunning | pImpl->flsRunning)
792 {pImpl->crlMutex.WriteLock();
793 pImpl->owner = 0;
794 pImpl->crlMutex.UnLock();
795 } else delete pImpl;
796}

◆ XrdTlsContext() [2/3]

XrdTlsContext::XrdTlsContext ( const XrdTlsContext & ctx)
delete

Disallow any copies of this object.

References XrdTlsContext().

Here is the call graph for this function:

◆ XrdTlsContext() [3/3]

XrdTlsContext::XrdTlsContext ( XrdTlsContext && ctx)
delete

References XrdTlsContext().

Here is the call graph for this function:

Member Function Documentation

◆ Clone()

XrdTlsContext * XrdTlsContext::Clone ( bool full = true,
bool startCRLRefresh = false )

Clone a new context from this context.

Parameters
fullWhen true the complete context is cloned. When false, a context with no peer verification is cloned.
Returns
Upon success, the pointer to a new XrdTlsContext is returned. Upon failure, a nil pointer is returned.
Note
The cloned context is identical to the one created by the original constructor. Note that while the crl refresh interval is set, the refresh thread needs to be started by calling crlRefresh(). Also, the session cache is set to off with no identifier.

Definition at line 802 of file XrdTlsContext.cc.

803{
804 XrdTlsContext::CTX_Params &my = pImpl->Parm;
805 const char *cert = (my.cert.size() ? my.cert.c_str() : 0);
806 const char *pkey = (my.pkey.size() ? my.pkey.c_str() : 0);
807 const char *caD = (my.cadir.size() ? my.cadir.c_str() : 0);
808 const char *caF = (my.cafile.size() ? my.cafile.c_str() : 0);
809
810// If this is a non-full context, get rid of any verification
811//
812 if (!full) caD = caF = 0;
813
814// Cloning simply means getting a object with the old parameters.
815//
816 uint64_t myOpts = my.opts;
817 if(startCRLRefresh){
818 myOpts |= XrdTlsContext::rfCRL;
819 } else {
820 myOpts &= ~XrdTlsContext::rfCRL;
821 }
822 XrdTlsContext *xtc = new XrdTlsContext(cert, pkey, caD, caF, myOpts);
823
824// Verify that the context was built
825//
826 if (xtc->isOK()) {
827 if(pImpl->sessionCacheOpts != -1){
828 //A SessionCache() call was done for the current context, so apply it for this new cloned context
829 xtc->SessionCache(pImpl->sessionCacheOpts,pImpl->sessionCacheId.c_str(),pImpl->sessionCacheId.size());
830 }
831 return xtc;
832 }
833
834// We failed, cleanup.
835//
836 delete xtc;
837 return 0;
838}
XrdTlsContext::SessionCache
int SessionCache(int opts=scNone, const char *id=0, int idlen=0)
Definition XrdTlsContext.cc:982
XrdTlsContext::XrdTlsContext
XrdTlsContext(const char *cert=0, const char *key=0, const char *cadir=0, const char *cafile=0, uint64_t opts=0, std::string *eMsg=0)
Definition XrdTlsContext.cc:580
XrdTlsContext::CTX_Params::cafile
std::string cafile
-> ca cert file.
Definition XrdTlsContext.hh:78
XrdTlsContext::CTX_Params::opts
uint64_t opts
Options as passed to the constructor.
Definition XrdTlsContext.hh:79
XrdTlsContext::CTX_Params::cadir
std::string cadir
-> ca cert directory.
Definition XrdTlsContext.hh:77
XrdTlsContext::CTX_Params::pkey
std::string pkey
-> private key path.
Definition XrdTlsContext.hh:76
XrdTlsContext::CTX_Params::cert
std::string cert
-> certificate path.
Definition XrdTlsContext.hh:75

References XrdTlsContext(), XrdTlsContext::CTX_Params::cadir, XrdTlsContext::CTX_Params::cafile, XrdTlsContext::CTX_Params::cert, isOK(), XrdTlsContext::CTX_Params::opts, XrdTlsContext::CTX_Params::pkey, rfCRL, and SessionCache().

Referenced by XrdTlsCrl::Refresh().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ Context()

void * XrdTlsContext::Context ( )

Get the underlying context (should not be used).

Returns
Pointer to the underlying context.

Definition at line 844 of file XrdTlsContext.cc.

845{
846 return pImpl->ctx;
847}

◆ GetParams()

const XrdTlsContext::CTX_Params * XrdTlsContext::GetParams ( )

Definition at line 853 of file XrdTlsContext.cc.

854{
855 return &pImpl->Parm;
856}

Referenced by XrdTlsSocket::Init().

Here is the caller graph for this function:

◆ Init()

const char * XrdTlsContext::Init ( )
static

Simply initialize the TLS library.

Returns
=0 Library initialized. !0 Library not initialized, return string indicates why.
Note
Init() is implicitly called by the contructor. Use this method to use the TLS libraries without instantiating a context.

Definition at line 862 of file XrdTlsContext.cc.

863{
864
865// Disallow use if this object unless SSL provides thread-safety!
866//
867#ifndef OPENSSL_THREADS
868 return "Installed OpenSSL lacks the required thread support!";
869#endif
870
871// Initialize the library (one time call)
872//
873 InitTLS();
874 return 0;
875}
XrdCl::InitTLS
bool InitTLS()
Definition XrdClTls.cc:96

Referenced by XrdCryptosslFactory::XrdCryptosslFactory(), XrdTlsContext(), and XrdCryptoLite_New_bf32().

Here is the caller graph for this function:

◆ isOK()

bool XrdTlsContext::isOK ( )

Determine if this object was correctly built.

Returns
True if this object is usuable and false otherwise.

Definition at line 881 of file XrdTlsContext.cc.

882{
883 return pImpl->ctx != 0;
884}

Referenced by Clone(), and XrdTlsCrl::Refresh().

Here is the caller graph for this function:

◆ newHostCertificateDetected()

bool XrdTlsContext::newHostCertificateDetected ( )

Definition at line 1127 of file XrdTlsContext.cc.

1127 {
1128 const std::string certPath = pImpl->Parm.cert;
1129 if(certPath.empty()) {
1130 //No certificate provided, should not happen though
1131 return false;
1132 }
1133 time_t modificationTime;
1134 if(!XrdOucUtils::getModificationTime(certPath.c_str(),modificationTime)){
1135 if (pImpl->lastCertModTime != modificationTime) {
1136 //The certificate file has changed
1137 pImpl->lastCertModTime = modificationTime;
1138 return true;
1139 }
1140 }
1141 return false;
1142}

References XrdOucUtils::getModificationTime().

Referenced by XrdTlsCrl::Refresh().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ operator=() [1/2]

XrdTlsContext & XrdTlsContext::operator= ( const XrdTlsContext & ctx)
delete

References XrdTlsContext().

Here is the call graph for this function:

◆ operator=() [2/2]

XrdTlsContext & XrdTlsContext::operator= ( XrdTlsContext && ctx)
delete

References XrdTlsContext().

Here is the call graph for this function:

◆ Session()

void * XrdTlsContext::Session ( )

Apply this context to obtain a new SSL session.

Returns
A pointer to a new SSL session if successful and nil otherwise.

Definition at line 896 of file XrdTlsContext.cc.

897{
898#if OPENSSL_VERSION_NUMBER >= 0x10002000L
899
900 EPNAME("Session");
901 SSL *ssl;
902
903// Check if we have a refreshed context. If so, we need to replace the X509
904// store in the current context with the new one before we create the session.
905//
906 pImpl->crlMutex.ReadLock();
907 if (!(pImpl->ctxnew))
908 {ssl = SSL_new(pImpl->ctx);
909 pImpl->crlMutex.UnLock();
910 return ssl;
911 }
912
913// Things have changed, so we need to take the long route here. We need to
914// replace the x509 cache with the current cache. Get a R/W lock now.
915//
916 pImpl->crlMutex.UnLock();
917 pImpl->crlMutex.WriteLock();
918
919// If some other thread beat us to the punch, just return what we have.
920//
921 if (!(pImpl->ctxnew))
922 {ssl = SSL_new(pImpl->ctx);
923 pImpl->crlMutex.UnLock();
924 return ssl;
925 }
926
927// Do some tracing
928//
929 DBG_CTX("Replacing x509 store with new contents.");
930
931// Get the new store and set it in our context. Setting the store is black
932// magic. For OpenSSL < 1.1, Two stores need to be set with the "set1" variant.
933// Newer version only require SSL_CTX_set1_cert_store() to be used.
934//
935 //We have a new context generated by Refresh, so we must use it.
936 XrdTlsContext * ctxnew = pImpl->ctxnew;
937
938 /*X509_STORE *newX509 = SSL_CTX_get_cert_store(ctxnew->pImpl->ctx);
939 SSL_CTX_set1_verify_cert_store(pImpl->ctx, newX509);
940 SSL_CTX_set1_chain_cert_store(pImpl->ctx, newX509);*/
941 //The above two macros actually do not replace the certificate that has
942 //to be used for that SSL session, so we will create the session with the SSL_CTX * of
943 //the TlsContext created by Refresh()
944 //First, free the current SSL_CTX, if it is used by any transfer, it will just decrease
945 //the reference counter of it. There is therefore no risk of double free...
946 SSL_CTX_free(pImpl->ctx);
947 pImpl->ctx = ctxnew->pImpl->ctx;
948 //In the destructor of XrdTlsContextImpl, SSL_CTX_Free() is
949 //called if ctx is != 0. As this new ctx is used by the session
950 //we just created, we don't want that to happen. We therefore set it to 0.
951 //The SSL_free called on the session will cleanup the context for us.
952 ctxnew->pImpl->ctx = 0;
953
954// Save the generated context and clear it's presence
955//
956 XrdTlsContext *ctxold = pImpl->ctxnew;
957 pImpl->ctxnew = 0;
958
959// Generate a new session (might as well to keep the lock we have)
960//
961 ssl = SSL_new(pImpl->ctx);
962
963// OK, now we can drop all the locks and get rid of the old context
964//
965 pImpl->crlMutex.UnLock();
966 delete ctxold;
967 return ssl;
968
969#else
970// If we did not compile crl refresh code, we can simply return the OpenSSL
971// session using our context. Otherwise, we need to see if we have a refreshed
972// context and if so, carry forward the X509_store to our original context.
973//
974 return SSL_new(pImpl->ctx);
975#endif
976}
EPNAME
#define EPNAME(x)
Definition XrdBwmTrace.hh:56
DBG_CTX
#define DBG_CTX(y)
Definition XrdTlsTrace.hh:39

References XrdTlsContext(), XrdTlsContextImpl::ctx, DBG_CTX, and EPNAME.

Referenced by XrdTlsSocket::Init().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SessionCache()

int XrdTlsContext::SessionCache ( int opts = scNone,
const char * id = 0,
int idlen = 0 )

Definition at line 982 of file XrdTlsContext.cc.

983{
984 static const int doSet = scSrvr | scClnt | scOff;
985 long sslopt = 0;
986 int flushT = opts & scFMax;
987
988 pImpl->sessionCacheOpts = opts;
989 pImpl->sessionCacheId = id;
990
991// If initialization failed there is nothing to do
992//
993 if (pImpl->ctx == 0) return 0;
994
995// Set options as appropriate
996//
997 if (opts & doSet)
998 {if (opts & scOff) sslopt = SSL_SESS_CACHE_OFF;
999 else {if (opts & scSrvr) sslopt = SSL_SESS_CACHE_SERVER;
1000 if (opts & scClnt) sslopt |= SSL_SESS_CACHE_CLIENT;
1001 }
1002 }
1003
1004// Check if we should set any cache options or simply get them
1005//
1006 if (!(opts & doSet)) sslopt = SSL_CTX_get_session_cache_mode(pImpl->ctx);
1007 else {sslopt = SSL_CTX_set_session_cache_mode(pImpl->ctx, sslopt);
1008 if (opts & scOff) SSL_CTX_set_options(pImpl->ctx, SSL_OP_NO_TICKET);
1009 }
1010
1011// Compute what he previous cache options were
1012//
1013 opts = scNone;
1014 if (sslopt & SSL_SESS_CACHE_SERVER) opts |= scSrvr;
1015 if (sslopt & SSL_SESS_CACHE_CLIENT) opts |= scClnt;
1016 if (!opts) opts = scOff;
1017 if (sslopt & SSL_SESS_CACHE_NO_AUTO_CLEAR) opts |= scKeep;
1018 opts |= (static_cast<int>(pImpl->flushT) & scFMax);
1019
1020// Set the id is so wanted
1021//
1022 if (id && idlen > 0)
1023 {if (!SSL_CTX_set_session_id_context(pImpl->ctx,
1024 (unsigned const char *)id,
1025 (unsigned int)idlen)) opts |= scIdErr;
1026 }
1027
1028// If a flush interval was specified and it is different from what we have
1029// then reset the flush interval.
1030//
1031 if (flushT && flushT != pImpl->flushT)
1032 XrdTlsFlush::Setup_Flusher(pImpl, flushT);
1033
1034// All done
1035//
1036 return opts;
1037}
XrdTlsContext::scIdErr
static const int scIdErr
Info: Id not set, is too long.
Definition XrdTlsContext.hh:137
XrdTlsContext::scClnt
static const int scClnt
Turn on cache client mode.
Definition XrdTlsContext.hh:135
XrdTlsContext::scKeep
static const int scKeep
Info: TLS-controlled flush disabled.
Definition XrdTlsContext.hh:136
XrdTlsContext::scNone
static const int scNone
Do not change any option settings.
Definition XrdTlsContext.hh:132
XrdTlsContext::scOff
static const int scOff
Turn off cache.
Definition XrdTlsContext.hh:133
XrdTlsContext::scFMax
static const int scFMax
Definition XrdTlsContext.hh:138
XrdTlsContext::scSrvr
static const int scSrvr
Turn on cache server mode (default).
Definition XrdTlsContext.hh:134
XrdTlsFlush::Setup_Flusher
bool Setup_Flusher(XrdTlsContextImpl *pImpl, int flushT)
Definition XrdTlsContext.cc:261

References opts, scClnt, scFMax, scIdErr, scKeep, scNone, scOff, scSrvr, and XrdTlsFlush::Setup_Flusher().

Referenced by Clone().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SetContextCiphers()

bool XrdTlsContext::SetContextCiphers ( const char * ciphers)

Set allowed ciphers for this context.

Parameters
ciphersThe colon separated list of allowable ciphers.
Returns
True if at least one cipher can be used; false otherwise. When false is reurned, this context is no longer usable.

Definition at line 1043 of file XrdTlsContext.cc.

1044{
1045 if (pImpl->ctx && SSL_CTX_set_cipher_list(pImpl->ctx, ciphers)) return true;
1046
1047 char eBuff[2048];
1048 snprintf(eBuff,sizeof(eBuff),"Unable to set context ciphers '%s'",ciphers);
1049 Fatal(0, eBuff, true);
1050 return false;
1051}
Fatal
void Fatal(const char *op, const char *target)
Definition XrdCrc32c.cc:58

References Fatal().

Here is the call graph for this function:

◆ SetCrlRefresh()

bool XrdTlsContext::SetCrlRefresh ( int refsec = -1)

Set CRL refresh time. By default, CRL's are not refreshed.

Parameters
refsec>0: The number of seconds between refreshes. A value less than 60 sets it to 60. =0: Stops automatic refreshing. <0: Starts automatic refreshing with the current setting if it has not already been started.
Returns
True if the CRL refresh thread was started; false otherwise.

Definition at line 1066 of file XrdTlsContext.cc.

1067{
1068#if OPENSSL_VERSION_NUMBER >= 0x10002000L
1069
1070 pthread_t tid;
1071 int rc;
1072
1073// If it's negative or equal to 0, use the current setting
1074//
1075 if (refsec <= 0)
1076 {pImpl->crlMutex.WriteLock();
1077 refsec = pImpl->Parm.crlRT;
1078 pImpl->crlMutex.UnLock();
1079 if (!refsec) refsec = XrdTlsContext::DEFAULT_CRL_REF_INT_SEC;
1080 }
1081
1082// Make sure this is at least 60 seconds between refreshes
1083//
1084// if (refsec < 60) refsec = 60;
1085
1086// We will set the new interval and start a refresh thread if not running.
1087//
1088 pImpl->crlMutex.WriteLock();
1089 pImpl->Parm.crlRT = refsec;
1090 if (!pImpl->crlRunning)
1091 {if ((rc = XrdSysThread::Run(&tid, XrdTlsCrl::Refresh, (void *)pImpl,
1092 0, "CRL Refresh")))
1093 {char eBuff[512];
1094 snprintf(eBuff, sizeof(eBuff),
1095 "Unable to start CRL refresh thread; rc=%d", rc);
1096 XrdTls::Emsg("CrlRefresh:", eBuff, false);
1097 pImpl->crlMutex.UnLock();
1098 return false;
1099 } else pImpl->crlRunning = true;
1100 pImpl->crlMutex.UnLock();
1101 }
1102
1103// All done
1104//
1105 return true;
1106
1107#else
1108// We use features present on OpenSSL 1.02 and above to implement crl refresh.
1109// Older version are too difficult to deal with. Issue a message if this
1110// feature is being enabled on an old version.
1111//
1112 XrdTls::Emsg("CrlRefresh:", "Refreshing CRLs only supported in "
1113 "OpenSSL version >= 1.02; CRL refresh disabled!", false);
1114 return false;
1115#endif
1116}
XrdSysThread::Run
static int Run(pthread_t *, void *(*proc)(void *), void *arg, int opts=0, const char *desc=0)
Definition XrdSysPthread.cc:307
XrdTlsContext::DEFAULT_CRL_REF_INT_SEC
static const int DEFAULT_CRL_REF_INT_SEC
Default CRL refresh interval in seconds.
Definition XrdTlsContext.hh:66
XrdTls::Emsg
static void Emsg(const char *tid, const char *msg=0, bool flush=true)
Definition XrdTls.cc:104
XrdTlsCrl::Refresh
void * Refresh(void *parg)
Definition XrdTlsContext.cc:87

References DEFAULT_CRL_REF_INT_SEC, XrdTls::Emsg(), XrdTlsCrl::Refresh(), and XrdSysThread::Run().

Referenced by XrdTlsContext().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SetDefaultCiphers()

void XrdTlsContext::SetDefaultCiphers ( const char * ciphers)
static

Set allowed default ciphers.

Parameters
ciphersThe colon separated list of allowable ciphers.

Definition at line 1057 of file XrdTlsContext.cc.

1058{
1059 sslCiphers = ciphers;
1060}

◆ SetTlsClientAuth()

void XrdTlsContext::SetTlsClientAuth ( bool setting)

Indicate how the server should handle TLS client authentication.

Parameters
settingtrue: All clients will be asked to send a TLS client certificate. false: No clients will be asked to send a TLS client certificate.

Note the TLS connection will not fail if the client is asked for a cert but none are provided.

Definition at line 1144 of file XrdTlsContext.cc.

1144 {
1145 bool LogVF = (pImpl->Parm.opts & logVF) != 0;
1146 if (setting)
1147 {pImpl->Parm.opts &= ~clcOF;
1148 SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_PEER, (LogVF ? VerCB : 0));
1149 } else
1150 {pImpl->Parm.opts |= clcOF;
1151 SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_NONE, 0);
1152 }
1153}

References clcOF, and logVF.

◆ x509Verify()

bool XrdTlsContext::x509Verify ( )

Check if certificates are being verified.

Returns
True if certificates are being verified, false otherwise.

Definition at line 1122 of file XrdTlsContext.cc.

1123{
1124 return !(pImpl->Parm.cadir.empty()) || !(pImpl->Parm.cafile.empty());
1125}

Referenced by XrdTlsSocket::Init(), and XrdTlsCrl::Refresh().

Here is the caller graph for this function:

Member Data Documentation

◆ artON

const uint64_t XrdTlsContext::artON = 0x0000002000000000
static

Auto retry Handshake.

Definition at line 256 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ clcOF

const uint64_t XrdTlsContext::clcOF = 0x0000010000000000
static

Disable client certificate request.

Definition at line 257 of file XrdTlsContext.hh.

Referenced by XrdTlsContext(), and SetTlsClientAuth().

◆ crlFC

const uint64_t XrdTlsContext::crlFC = 0x000000C000000000
static

Full crl chain checking.

Definition at line 253 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlON

const uint64_t XrdTlsContext::crlON = 0x0000008000000000
static

Enables crl checking.

Definition at line 252 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlRF

const uint64_t XrdTlsContext::crlRF = 0x00000000ffff0000
static

Mask to isolate crl refresh in min.

Definition at line 254 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlRS

const int XrdTlsContext::crlRS = 16
static

Bits to shift vdept.

Definition at line 255 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ DEFAULT_CRL_REF_INT_SEC

const int XrdTlsContext::DEFAULT_CRL_REF_INT_SEC = 8 * 60 * 60
static

Default CRL refresh interval in seconds.

Definition at line 66 of file XrdTlsContext.hh.

Referenced by XrdTlsContext::CTX_Params::CTX_Params(), and SetCrlRefresh().

◆ dnsok

const uint64_t XrdTlsContext::dnsok = 0x0000000200000000
static

Trust DNS for host name.

Definition at line 249 of file XrdTlsContext.hh.

Referenced by XrdTlsSocket::Init().

◆ hsto

const uint64_t XrdTlsContext::hsto = 0x00000000000000ff
static

Mask to isolate the hsto.

Constructor. Note that you should use isOK() to determine if construction was successful. A false return indicates failure.

Parameters
certPointer to the certificate file to be used. If nil, a generic context is created for client use.
keyPointer to the private key flle to be used. It must correspond to the certificate file. If nil, it is assumed that the key is contained in the cert file.
cadirpath to the directory containing the CA certificates.
cafilepath to the file containing the CA certificates.
optsProcessing options (or'd bitwise): artON - Auto retry handshakes (i.e. block on handshake) crlON - Perform crl check on the leaf node crlFC - Apply crl check to full chain crlRF - Initial crl refresh interval in minutes. dnsok - trust DNS when verifying hostname. hsto - the handshake timeout value in seconds. logVF - Turn on verification failure logging. nopxy - Do not allow proxy cert (normally allowed) servr - This is a server-side context and x509 peer certificate validation may be turned off. vdept - The maximum depth of the certificate chain that must be validated (max is 255).
eMsgIf non-zero, the reason for the failure is returned,
Note
a) If neither cadir nor cafile is specified, certificate validation is not performed if and only if the servr option is specified. Otherwise, the cadir value is obtained from the X509_CERT_DIR envar and the cafile value is obtained from the X509_CERT_File envar. If both are nil, context creation fails. b) Additionally for client-side contructions, if cert or key is not specified their locations come from X509_USER_PROXY and X509_USER_KEY. These may be nil in which case a generic context is created with a local key-pair and no certificate. c) You should immediately call isOK() after instantiating this object. A return value of false means that construction failed. d) Failure messages are routed to the message callback function during construction. e) While the crl refresh interval is set you must engage it by calling crlRefresh() so as to avoid unnecessary refresh threads.

Definition at line 244 of file XrdTlsContext.hh.

Referenced by XrdTlsSocket::Init().

◆ logVF

const uint64_t XrdTlsContext::logVF = 0x0000000800000000
static

Log verify failures.

Definition at line 247 of file XrdTlsContext.hh.

Referenced by XrdConfig::XrdConfig(), XrdTlsContext(), and SetTlsClientAuth().

◆ nopxy

const uint64_t XrdTlsContext::nopxy = 0x0000000100000000
static

Do not allow proxy certs.

Definition at line 250 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ rfCRL

const uint64_t XrdTlsContext::rfCRL = 0x0000004000000000
static

Turn on the CRL refresh thread.

Definition at line 251 of file XrdTlsContext.hh.

Referenced by XrdTlsContext(), and Clone().

◆ scClnt

const int XrdTlsContext::scClnt = 0x00040000
static

Turn on cache client mode.

Definition at line 135 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scFMax

const int XrdTlsContext::scFMax = 0x00007fff
static

Maximum flush interval in seconds When 0 keeps the current setting

Definition at line 138 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scIdErr

const int XrdTlsContext::scIdErr = 0x80000000
static

Info: Id not set, is too long.

Definition at line 137 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scKeep

const int XrdTlsContext::scKeep = 0x40000000
static

Info: TLS-controlled flush disabled.

Definition at line 136 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scNone

const int XrdTlsContext::scNone = 0x00000000
static

Do not change any option settings.

Get or set session cache parameters for generated sessions.

Parameters
optsOne or more bit or'd options (see below).
idThe identifier to be used (may be nil to keep setting).
idlenThe length of the identifier (may be zero as above).
Returns
The cache settings prior to any changes are returned. When setting the id, the scIdErr may be returned if the name is too long. If the context has been pprroperly initialized, zero is returned. By default, the session cache is disabled as it is impossible to verify a peer certificate chain when a cached session is reused.

Definition at line 132 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scOff

const int XrdTlsContext::scOff = 0x00010000
static

Turn off cache.

Definition at line 133 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scSrvr

const int XrdTlsContext::scSrvr = 0x00020000
static

Turn on cache server mode (default).

Definition at line 134 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ servr

const uint64_t XrdTlsContext::servr = 0x0000000400000000
static

This is a server context.

Definition at line 248 of file XrdTlsContext.hh.

Referenced by XrdConfig::XrdConfig(), and XrdTlsContext().

◆ vdepS

const int XrdTlsContext::vdepS = 8
static

Bits to shift vdept.

Definition at line 246 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ vdept

const uint64_t XrdTlsContext::vdept = 0x000000000000ff00
static

Mask to isolate vdept.

Definition at line 245 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

The documentation for this class was generated from the following files: