XRootD
Loading...
Searching...
No Matches
XrdTlsContext Class Reference

#include <XrdTlsContext.hh>

+ Collaboration diagram for XrdTlsContext:

Classes

struct  CTX_Params
 

Public Member Functions

 XrdTlsContext (const char *cert=0, const char *key=0, const char *cadir=0, const char *cafile=0, uint64_t opts=0, std::string *eMsg=0)
 
 XrdTlsContext (const XrdTlsContext &ctx)=delete
 Disallow any copies of this object.
 
 XrdTlsContext (XrdTlsContext &&ctx)=delete
 
 ~XrdTlsContext ()
 Destructor.
 
XrdTlsContextClone (bool full=true, bool startCRLRefresh=false)
 
void * Context ()
 
const CTX_ParamsGetParams ()
 
bool isOK ()
 
bool newHostCertificateDetected ()
 
XrdTlsContextoperator= (const XrdTlsContext &ctx)=delete
 
XrdTlsContextoperator= (XrdTlsContext &&ctx)=delete
 
void * Session ()
 
int SessionCache (int opts=scNone, const char *id=0, int idlen=0)
 
bool SetContextCiphers (const char *ciphers)
 
bool SetCrlRefresh (int refsec=-1)
 
bool x509Verify ()
 

Static Public Member Functions

static const char * Init ()
 
static void SetDefaultCiphers (const char *ciphers)
 

Static Public Attributes

static const uint64_t artON = 0x0000002000000000
 Auto retry Handshake.
 
static const uint64_t crlFC = 0x000000C000000000
 Full crl chain checking.
 
static const uint64_t crlON = 0x0000008000000000
 Enables crl checking.
 
static const uint64_t crlRF = 0x00000000ffff0000
 Mask to isolate crl refresh in min.
 
static const int crlRS = 16
 Bits to shift vdept.
 
static const int DEFAULT_CRL_REF_INT_SEC = 8 * 60 * 60
 Default CRL refresh interval in seconds.
 
static const uint64_t dnsok = 0x0000000200000000
 Trust DNS for host name.
 
static const uint64_t hsto = 0x00000000000000ff
 Mask to isolate the hsto.
 
static const uint64_t logVF = 0x0000000800000000
 Log verify failures.
 
static const uint64_t nopxy = 0x0000000100000000
 Do not allow proxy certs.
 
static const uint64_t rfCRL = 0x0000004000000000
 Turn on the CRL refresh thread.
 
static const int scClnt = 0x00040000
 Turn on cache client mode.
 
static const int scFMax = 0x00007fff
 
static const int scIdErr = 0x80000000
 Info: Id not set, is too long.
 
static const int scKeep = 0x40000000
 Info: TLS-controlled flush disabled.
 
static const int scNone = 0x00000000
 Do not change any option settings.
 
static const int scOff = 0x00010000
 Turn off cache.
 
static const int scSrvr = 0x00020000
 Turn on cache server mode (default)
 
static const uint64_t servr = 0x0000000400000000
 This is a server context.
 
static const int vdepS = 8
 Bits to shift vdept.
 
static const uint64_t vdept = 0x000000000000ff00
 Mask to isolate vdept.
 

Detailed Description

Definition at line 36 of file XrdTlsContext.hh.

Constructor & Destructor Documentation

◆ XrdTlsContext() [1/3]

XrdTlsContext::XrdTlsContext ( const char *  cert = 0,
const char *  key = 0,
const char *  cadir = 0,
const char *  cafile = 0,
uint64_t  opts = 0,
std::string *  eMsg = 0 
)

Definition at line 576 of file XrdTlsContext.cc.

579 : pImpl( new XrdTlsContextImpl(this) )
580{
581 class ctx_helper
582 {public:
583
584 void Keep() {ctxLoc = 0;}
585
586 ctx_helper(SSL_CTX **ctxP) : ctxLoc(ctxP) {}
587 ~ctx_helper() {if (ctxLoc && *ctxLoc)
588 {SSL_CTX_free(*ctxLoc); *ctxLoc = 0;}
589 }
590 private:
591 SSL_CTX **ctxLoc;
592 } ctx_tracker(&pImpl->ctx);
593
594 static const uint64_t sslOpts = SSL_OP_ALL
595 | SSL_OP_NO_SSLv2
596 | SSL_OP_NO_SSLv3
597 | SSL_OP_NO_COMPRESSION
598#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
599 | SSL_OP_IGNORE_UNEXPECTED_EOF
600#endif
601#if OPENSSL_VERSION_NUMBER >= 0x10101000L
602 | SSL_OP_NO_RENEGOTIATION
603#endif
604 ;
605
606 std::string certFN, eText;
607 const char *emsg;
608
609// Assume we will fail
610//
611 pImpl->ctx = 0;
612
613// Verify that initialzation has occurred. This is not heavy weight as
614// there will usually be no more than two instances of this object.
615//
616 if (!initDbgDone)
617 {XrdSysMutexHelper dbgHelper(dbgMutex);
618 if (!initDbgDone)
619 {const char *dbg;
620 if (!(opts & servr) && (dbg = getenv("XRDTLS_DEBUG")))
621 {int dbgOpts = 0;
622 if (strstr(dbg, "ctx")) dbgOpts |= XrdTls::dbgCTX;
623 if (strstr(dbg, "sok")) dbgOpts |= XrdTls::dbgSOK;
624 if (strstr(dbg, "sio")) dbgOpts |= XrdTls::dbgSIO;
625 if (!dbgOpts) dbgOpts = XrdTls::dbgALL;
627 }
628 if ((emsg = Init())) FATAL(emsg);
629 initDbgDone = true;
630 }
631 }
632
633// If no CA cert information is specified and this is not a server context,
634// then get the paths from the environment. They must exist as we need to
635// verify peer certs in order to verify target host names client-side. We
636// also use this setupt to see if we should use a specific cert and key.
637//
638 if (!(opts & servr))
639 {if (!caDir && !caFile)
640 {caDir = getenv("X509_CERT_DIR");
641 caFile = getenv("X509_CERT_FILE");
642 if (!caDir && !caFile)
643 FATAL("No CA cert specified; host identity cannot be verified.");
644 }
645 if (!key) key = getenv("X509_USER_KEY");
646 if (!cert) cert = getenv("X509_USER_PROXY");
647 if (!cert)
648 {struct stat Stat;
649 long long int uid = static_cast<long long int>(getuid());
650 certFN = std::string("/tmp/x509up_u") + std::to_string(uid);
651 if (!stat(certFN.c_str(), &Stat)) cert = certFN.c_str();
652 }
653 }
654
655// Before we try to use any specified files, make sure they exist, are of
656// the right type and do not have excessive access privileges.
657// .a
658 if (!VerPaths(cert, key, caDir, caFile, eText)) FATAL( eText.c_str());
659
660// Copy parameters to out parm structure.
661//
662 if (cert) {
663 pImpl->Parm.cert = cert;
664 //This call should not fail as a stat is already performed in the call of VerPaths() above
666 }
667 if (key) pImpl->Parm.pkey = key;
668 if (caDir) pImpl->Parm.cadir = caDir;
669 if (caFile) pImpl->Parm.cafile = caFile;
670 pImpl->Parm.opts = opts;
671 if (opts & crlRF) {
672 // What we store in crlRF is the time in minutes, convert it back to seconds
673 pImpl->Parm.crlRT = static_cast<int>((opts & crlRF) >> crlRS) * 60;
674 }
675
676// Get the correct method to use for TLS and check if successful create a
677// server context that uses the method.
678//
679 const SSL_METHOD *meth;
680 emsg = GetTlsMethod(meth);
681 if (emsg) FATAL(emsg);
682
683 pImpl->ctx = SSL_CTX_new(meth);
684
685// Make sure we have a context here
686//
687 if (pImpl->ctx == 0) FATAL_SSL("Unable to allocate TLS context!");
688
689// Always prohibit SSLv2 & SSLv3 as these are not secure.
690//
691 SSL_CTX_set_options(pImpl->ctx, sslOpts);
692
693// Handle session re-negotiation automatically
694//
695// SSL_CTX_set_mode(pImpl->ctx, sslMode);
696
697// Turn off the session cache as it's useless with peer cert chains
698//
699 SSL_CTX_set_session_cache_mode(pImpl->ctx, SSL_SESS_CACHE_OFF);
700
701// Establish the CA cert locations, if specified. Then set the verification
702// depth and turn on peer cert validation. For now, we don't set a callback.
703// In the future we may to grab debugging information.
704//
705 if (caDir || caFile)
706 {if (!SSL_CTX_load_verify_locations(pImpl->ctx, caFile, caDir))
707 FATAL_SSL("Unable to load the CA cert file or directory.");
708
709 int vDepth = (opts & vdept) >> vdepS;
710 SSL_CTX_set_verify_depth(pImpl->ctx, (vDepth ? vDepth : 9));
711
712 bool LogVF = (opts & logVF) != 0;
713 SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_PEER, (LogVF ? VerCB : 0));
714
715 unsigned long xFlags = (opts & nopxy ? 0 : X509_V_FLAG_ALLOW_PROXY_CERTS);
716 if (opts & crlON)
717 {xFlags |= X509_V_FLAG_CRL_CHECK;
718 if (opts & crlFC) xFlags |= X509_V_FLAG_CRL_CHECK_ALL;
719 }
720 if (opts) X509_STORE_set_flags(SSL_CTX_get_cert_store(pImpl->ctx),xFlags);
721 } else {
722 SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_NONE, 0);
723 }
724
725// Set cipher list
726//
727 if (!SSL_CTX_set_cipher_list(pImpl->ctx, sslCiphers))
728 FATAL_SSL("Unable to set SSL cipher list; no supported ciphers.");
729
730// If we need to enable eliptic-curve support, do so now. Note that for
731// OpenSSL 1.1.0+ this is automatically done for us.
732//
733#if SSL_CTRL_SET_ECDH_AUTO
734 SSL_CTX_set_ecdh_auto(pImpl->ctx, 1);
735#endif
736
737// We normally handle renegotiation during reads and writes or selective
738// prohibit on a SSL socket basis. The calle may request this be applied
739// to all SSL's generated from this context. If so, do it here.
740//
741 if (opts & artON) SSL_CTX_set_mode(pImpl->ctx, SSL_MODE_AUTO_RETRY);
742
743// If there is no cert then assume this is a generic context for a client
744//
745 if (cert == 0)
746 {ctx_tracker.Keep();
747 return;
748 }
749
750// We have a cert. If the key is missing then we assume the key is in the
751// cert file (ssl will complain if it isn't).
752//
753 if (!key) key = cert;
754
755// Load certificate
756//
757 if (SSL_CTX_use_certificate_chain_file(pImpl->ctx, cert) != 1)
758 FATAL_SSL("Unable to create TLS context; invalid certificate.");
759
760// Load the private key
761//
762 if (SSL_CTX_use_PrivateKey_file(pImpl->ctx, key, SSL_FILETYPE_PEM) != 1 )
763 FATAL_SSL("Unable to create TLS context; invalid private key.");
764
765// Make sure the key and certificate file match.
766//
767 if (SSL_CTX_check_private_key(pImpl->ctx) != 1 )
768 FATAL_SSL("Unable to create TLS context; cert-key mismatch.");
769
770// All went well, start the CRL refresh thread and keep the context.
771//
772 if(opts & rfCRL) {
774 }
775 ctx_tracker.Keep();
776}
struct stat Stat
Definition XrdCks.cc:49
#define stat(a, b)
Definition XrdPosix.hh:96
struct myOpts opts
int emsg(int rc, char *msg)
#define FATAL_SSL(msg)
#define FATAL(msg)
static int getModificationTime(const char *path, time_t &modificationTime)
static const uint64_t vdept
Mask to isolate vdept.
static const int crlRS
Bits to shift vdept.
static const uint64_t servr
This is a server context.
static const uint64_t rfCRL
Turn on the CRL refresh thread.
static const uint64_t nopxy
Do not allow proxy certs.
static const uint64_t logVF
Log verify failures.
static const uint64_t crlFC
Full crl chain checking.
static const uint64_t crlON
Enables crl checking.
static const uint64_t artON
Auto retry Handshake.
static const int vdepS
Bits to shift vdept.
static const char * Init()
bool SetCrlRefresh(int refsec=-1)
static const uint64_t crlRF
Mask to isolate crl refresh in min.
static const int dbgSIO
Turn debugging in for socket I/O.
Definition XrdTls.hh:102
static const int dbgSOK
Turn debugging in for socket operations.
Definition XrdTls.hh:101
static const int dbgOUT
Force msgs to stderr for easier client debug.
Definition XrdTls.hh:104
static const int dbgALL
Turn debugging for everything.
Definition XrdTls.hh:103
static const int dbgCTX
Turn debugging in for context operations.
Definition XrdTls.hh:100
static void SetDebug(int opts, XrdSysLogger *logP=0)
Definition XrdTls.cc:177
XrdTlsContext::CTX_Params Parm
std::string cafile
-> ca cert file.
uint64_t opts
Options as passed to the constructor.
std::string cadir
-> ca cert directory.
int crlRT
crl refresh interval time in seconds
std::string pkey
-> private key path.
std::string cert
-> certificate path.

References artON, XrdTlsContext::CTX_Params::cadir, XrdTlsContext::CTX_Params::cafile, XrdTlsContext::CTX_Params::cert, crlFC, crlON, crlRF, crlRS, XrdTlsContext::CTX_Params::crlRT, XrdTlsContextImpl::ctx, XrdTls::dbgALL, XrdTls::dbgCTX, XrdTls::dbgOUT, XrdTls::dbgSIO, XrdTls::dbgSOK, emsg(), FATAL, FATAL_SSL, XrdOucUtils::getModificationTime(), Init(), XrdTlsContextImpl::lastCertModTime, logVF, nopxy, opts, XrdTlsContext::CTX_Params::opts, XrdTlsContextImpl::Parm, XrdTlsContext::CTX_Params::pkey, rfCRL, servr, SetCrlRefresh(), XrdTls::SetDebug(), Stat, stat, vdepS, and vdept.

+ Here is the call graph for this function:

◆ ~XrdTlsContext()

XrdTlsContext::~XrdTlsContext ( )

Destructor.

Definition at line 782 of file XrdTlsContext.cc.

783{
784// We can delet eour implementation of there is no refresh thread running. If
785// there is then the refresh thread has to delete the implementation.
786//
787 if (pImpl->crlRunning | pImpl->flsRunning)
788 {pImpl->crlMutex.WriteLock();
789 pImpl->owner = 0;
790 pImpl->crlMutex.UnLock();
791 } else delete pImpl;
792}
XrdTlsContext * owner
XrdSysRWLock crlMutex

References XrdTlsContextImpl::crlMutex, XrdTlsContextImpl::crlRunning, XrdTlsContextImpl::flsRunning, XrdTlsContextImpl::owner, XrdSysRWLock::UnLock(), and XrdSysRWLock::WriteLock().

Referenced by Clone().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ XrdTlsContext() [2/3]

XrdTlsContext::XrdTlsContext ( const XrdTlsContext ctx)
delete

Disallow any copies of this object.

◆ XrdTlsContext() [3/3]

XrdTlsContext::XrdTlsContext ( XrdTlsContext &&  ctx)
delete

Member Function Documentation

◆ Clone()

XrdTlsContext * XrdTlsContext::Clone ( bool  full = true,
bool  startCRLRefresh = false 
)

Clone a new context from this context.

Parameters
fullWhen true the complete context is cloned. When false, a context with no peer verification is cloned.
Returns
Upon success, the pointer to a new XrdTlsContext is returned. Upon failure, a nil pointer is returned.
Note
The cloned context is identical to the one created by the original constructor. Note that while the crl refresh interval is set, the refresh thread needs to be started by calling crlRefresh(). Also, the session cache is set to off with no identifier.

Definition at line 798 of file XrdTlsContext.cc.

799{
800 XrdTlsContext::CTX_Params &my = pImpl->Parm;
801 const char *cert = (my.cert.size() ? my.cert.c_str() : 0);
802 const char *pkey = (my.pkey.size() ? my.pkey.c_str() : 0);
803 const char *caD = (my.cadir.size() ? my.cadir.c_str() : 0);
804 const char *caF = (my.cafile.size() ? my.cafile.c_str() : 0);
805
806// If this is a non-full context, get rid of any verification
807//
808 if (!full) caD = caF = 0;
809
810// Cloning simply means getting a object with the old parameters.
811//
812 uint64_t myOpts = my.opts;
813 if(startCRLRefresh){
815 } else {
817 }
818 XrdTlsContext *xtc = new XrdTlsContext(cert, pkey, caD, caF, myOpts);
819
820// Verify that the context was built
821//
822 if (xtc->isOK()) {
823 if(pImpl->sessionCacheOpts != -1){
824 //A SessionCache() call was done for the current context, so apply it for this new cloned context
825 xtc->SessionCache(pImpl->sessionCacheOpts,pImpl->sessionCacheId.c_str(),pImpl->sessionCacheId.size());
826 }
827 return xtc;
828 }
829
830// We failed, cleanup.
831//
832 delete xtc;
833 return 0;
834}
~XrdTlsContext()
Destructor.
int SessionCache(int opts=scNone, const char *id=0, int idlen=0)
std::string sessionCacheId

References ~XrdTlsContext(), XrdTlsContext::CTX_Params::cadir, XrdTlsContext::CTX_Params::cafile, XrdTlsContext::CTX_Params::cert, isOK(), XrdTlsContext::CTX_Params::opts, XrdTlsContextImpl::Parm, XrdTlsContext::CTX_Params::pkey, rfCRL, SessionCache(), XrdTlsContextImpl::sessionCacheId, and XrdTlsContextImpl::sessionCacheOpts.

Referenced by XrdTlsCrl::Refresh().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ Context()

void * XrdTlsContext::Context ( )

Get the underlying context (should not be used).

Returns
Pointer to the underlying context.

Definition at line 840 of file XrdTlsContext.cc.

841{
842 return pImpl->ctx;
843}

References XrdTlsContextImpl::ctx.

◆ GetParams()

const XrdTlsContext::CTX_Params * XrdTlsContext::GetParams ( )

Definition at line 849 of file XrdTlsContext.cc.

850{
851 return &pImpl->Parm;
852}

References XrdTlsContextImpl::Parm.

Referenced by XrdTlsSocket::Init().

+ Here is the caller graph for this function:

◆ Init()

const char * XrdTlsContext::Init ( )
static

Simply initialize the TLS library.

Returns
=0 Library initialized. !0 Library not initialized, return string indicates why.
Note
Init() is implicitly called by the contructor. Use this method to use the TLS libraries without instantiating a context.

Definition at line 858 of file XrdTlsContext.cc.

859{
860
861// Disallow use if this object unless SSL provides thread-safety!
862//
863#ifndef OPENSSL_THREADS
864 return "Installed OpenSSL lacks the required thread support!";
865#endif
866
867// Initialize the library (one time call)
868//
869 InitTLS();
870 return 0;
871}
bool InitTLS()
Definition XrdClTls.cc:96

Referenced by XrdCryptosslFactory::XrdCryptosslFactory(), XrdTlsContext(), and XrdCryptoLite_New_bf32().

+ Here is the caller graph for this function:

◆ isOK()

bool XrdTlsContext::isOK ( )

Determine if this object was correctly built.

Returns
True if this object is usuable and false otherwise.

Definition at line 877 of file XrdTlsContext.cc.

878{
879 return pImpl->ctx != 0;
880}

References XrdTlsContextImpl::ctx.

Referenced by Clone(), and XrdTlsCrl::Refresh().

+ Here is the caller graph for this function:

◆ newHostCertificateDetected()

bool XrdTlsContext::newHostCertificateDetected ( )

Definition at line 1123 of file XrdTlsContext.cc.

1123 {
1124 const std::string certPath = pImpl->Parm.cert;
1125 if(certPath.empty()) {
1126 //No certificate provided, should not happen though
1127 return false;
1128 }
1129 time_t modificationTime;
1130 if(!XrdOucUtils::getModificationTime(certPath.c_str(),modificationTime)){
1131 if (pImpl->lastCertModTime != modificationTime) {
1132 //The certificate file has changed
1133 pImpl->lastCertModTime = modificationTime;
1134 return true;
1135 }
1136 }
1137 return false;
1138}

References XrdTlsContext::CTX_Params::cert, XrdOucUtils::getModificationTime(), XrdTlsContextImpl::lastCertModTime, and XrdTlsContextImpl::Parm.

Referenced by XrdTlsCrl::Refresh().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ operator=() [1/2]

XrdTlsContext & XrdTlsContext::operator= ( const XrdTlsContext ctx)
delete

◆ operator=() [2/2]

XrdTlsContext & XrdTlsContext::operator= ( XrdTlsContext &&  ctx)
delete

◆ Session()

void * XrdTlsContext::Session ( )

Apply this context to obtain a new SSL session.

Returns
A pointer to a new SSL session if successful and nil otherwise.

Definition at line 892 of file XrdTlsContext.cc.

893{
894#if OPENSSL_VERSION_NUMBER >= 0x10002000L
895
896 EPNAME("Session");
897 SSL *ssl;
898
899// Check if we have a refreshed context. If so, we need to replace the X509
900// store in the current context with the new one before we create the session.
901//
902 pImpl->crlMutex.ReadLock();
903 if (!(pImpl->ctxnew))
904 {ssl = SSL_new(pImpl->ctx);
905 pImpl->crlMutex.UnLock();
906 return ssl;
907 }
908
909// Things have changed, so we need to take the long route here. We need to
910// replace the x509 cache with the current cache. Get a R/W lock now.
911//
912 pImpl->crlMutex.UnLock();
913 pImpl->crlMutex.WriteLock();
914
915// If some other thread beat us to the punch, just return what we have.
916//
917 if (!(pImpl->ctxnew))
918 {ssl = SSL_new(pImpl->ctx);
919 pImpl->crlMutex.UnLock();
920 return ssl;
921 }
922
923// Do some tracing
924//
925 DBG_CTX("Replacing x509 store with new contents.");
926
927// Get the new store and set it in our context. Setting the store is black
928// magic. For OpenSSL < 1.1, Two stores need to be set with the "set1" variant.
929// Newer version only require SSL_CTX_set1_cert_store() to be used.
930//
931 //We have a new context generated by Refresh, so we must use it.
932 XrdTlsContext * ctxnew = pImpl->ctxnew;
933
934 /*X509_STORE *newX509 = SSL_CTX_get_cert_store(ctxnew->pImpl->ctx);
935 SSL_CTX_set1_verify_cert_store(pImpl->ctx, newX509);
936 SSL_CTX_set1_chain_cert_store(pImpl->ctx, newX509);*/
937 //The above two macros actually do not replace the certificate that has
938 //to be used for that SSL session, so we will create the session with the SSL_CTX * of
939 //the TlsContext created by Refresh()
940 //First, free the current SSL_CTX, if it is used by any transfer, it will just decrease
941 //the reference counter of it. There is therefore no risk of double free...
942 SSL_CTX_free(pImpl->ctx);
943 pImpl->ctx = ctxnew->pImpl->ctx;
944 //In the destructor of XrdTlsContextImpl, SSL_CTX_Free() is
945 //called if ctx is != 0. As this new ctx is used by the session
946 //we just created, we don't want that to happen. We therefore set it to 0.
947 //The SSL_free called on the session will cleanup the context for us.
948 ctxnew->pImpl->ctx = 0;
949
950// Save the generated context and clear it's presence
951//
952 XrdTlsContext *ctxold = pImpl->ctxnew;
953 pImpl->ctxnew = 0;
954
955// Generate a new session (might as well to keep the lock we have)
956//
957 ssl = SSL_new(pImpl->ctx);
958
959// OK, now we can drop all the locks and get rid of the old context
960//
961 pImpl->crlMutex.UnLock();
962 delete ctxold;
963 return ssl;
964
965#else
966// If we did not compile crl refresh code, we can simply return the OpenSSL
967// session using our context. Otherwise, we need to see if we have a refreshed
968// context and if so, carry forward the X509_store to our original context.
969//
970 return SSL_new(pImpl->ctx);
971#endif
972}
#define EPNAME(x)
#define DBG_CTX(y)
XrdTlsContext * ctxnew

References XrdTlsContextImpl::crlMutex, XrdTlsContextImpl::ctx, XrdTlsContextImpl::ctxnew, DBG_CTX, EPNAME, XrdSysRWLock::ReadLock(), XrdSysRWLock::UnLock(), and XrdSysRWLock::WriteLock().

Referenced by XrdTlsSocket::Init(), and XrdHttpProtocol::Process().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ SessionCache()

int XrdTlsContext::SessionCache ( int  opts = scNone,
const char *  id = 0,
int  idlen = 0 
)

Definition at line 978 of file XrdTlsContext.cc.

979{
980 static const int doSet = scSrvr | scClnt | scOff;
981 long sslopt = 0;
982 int flushT = opts & scFMax;
983
984 pImpl->sessionCacheOpts = opts;
985 pImpl->sessionCacheId = id;
986
987// If initialization failed there is nothing to do
988//
989 if (pImpl->ctx == 0) return 0;
990
991// Set options as appropriate
992//
993 if (opts & doSet)
994 {if (opts & scOff) sslopt = SSL_SESS_CACHE_OFF;
995 else {if (opts & scSrvr) sslopt = SSL_SESS_CACHE_SERVER;
996 if (opts & scClnt) sslopt |= SSL_SESS_CACHE_CLIENT;
997 }
998 }
999
1000// Check if we should set any cache options or simply get them
1001//
1002 if (!(opts & doSet)) sslopt = SSL_CTX_get_session_cache_mode(pImpl->ctx);
1003 else {sslopt = SSL_CTX_set_session_cache_mode(pImpl->ctx, sslopt);
1004 if (opts & scOff) SSL_CTX_set_options(pImpl->ctx, SSL_OP_NO_TICKET);
1005 }
1006
1007// Compute what he previous cache options were
1008//
1009 opts = scNone;
1010 if (sslopt & SSL_SESS_CACHE_SERVER) opts |= scSrvr;
1011 if (sslopt & SSL_SESS_CACHE_CLIENT) opts |= scClnt;
1012 if (!opts) opts = scOff;
1013 if (sslopt & SSL_SESS_CACHE_NO_AUTO_CLEAR) opts |= scKeep;
1014 opts |= (static_cast<int>(pImpl->flushT) & scFMax);
1015
1016// Set the id is so wanted
1017//
1018 if (id && idlen > 0)
1019 {if (!SSL_CTX_set_session_id_context(pImpl->ctx,
1020 (unsigned const char *)id,
1021 (unsigned int)idlen)) opts |= scIdErr;
1022 }
1023
1024// If a flush interval was specified and it is different from what we have
1025// then reset the flush interval.
1026//
1027 if (flushT && flushT != pImpl->flushT)
1028 XrdTlsFlush::Setup_Flusher(pImpl, flushT);
1029
1030// All done
1031//
1032 return opts;
1033}
static const int scIdErr
Info: Id not set, is too long.
static const int scClnt
Turn on cache client mode.
static const int scKeep
Info: TLS-controlled flush disabled.
static const int scNone
Do not change any option settings.
static const int scOff
Turn off cache.
static const int scFMax
static const int scSrvr
Turn on cache server mode (default)
bool Setup_Flusher(XrdTlsContextImpl *pImpl, int flushT)

References XrdTlsContextImpl::ctx, XrdTlsContextImpl::flushT, opts, scClnt, scFMax, scIdErr, scKeep, scNone, scOff, scSrvr, XrdTlsContextImpl::sessionCacheId, XrdTlsContextImpl::sessionCacheOpts, and XrdTlsFlush::Setup_Flusher().

Referenced by Clone().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ SetContextCiphers()

bool XrdTlsContext::SetContextCiphers ( const char *  ciphers)

Set allowed ciphers for this context.

Parameters
ciphersThe colon separated list of allowable ciphers.
Returns
True if at least one cipher can be used; false otherwise. When false is reurned, this context is no longer usable.

Definition at line 1039 of file XrdTlsContext.cc.

1040{
1041 if (pImpl->ctx && SSL_CTX_set_cipher_list(pImpl->ctx, ciphers)) return true;
1042
1043 char eBuff[2048];
1044 snprintf(eBuff,sizeof(eBuff),"Unable to set context ciphers '%s'",ciphers);
1045 Fatal(0, eBuff, true);
1046 return false;
1047}
void Fatal(const char *op, const char *target)
Definition XrdCrc32c.cc:58

References XrdTlsContextImpl::ctx, and Fatal().

+ Here is the call graph for this function:

◆ SetCrlRefresh()

bool XrdTlsContext::SetCrlRefresh ( int  refsec = -1)

Set CRL refresh time. By default, CRL's are not refreshed.

Parameters
refsec>0: The number of seconds between refreshes. A value less than 60 sets it to 60. =0: Stops automatic refreshing. <0: Starts automatic refreshing with the current setting if it has not already been started.
Returns
True if the CRL refresh thread was started; false otherwise.

Definition at line 1062 of file XrdTlsContext.cc.

1063{
1064#if OPENSSL_VERSION_NUMBER >= 0x10002000L
1065
1066 pthread_t tid;
1067 int rc;
1068
1069// If it's negative or equal to 0, use the current setting
1070//
1071 if (refsec <= 0)
1072 {pImpl->crlMutex.WriteLock();
1073 refsec = pImpl->Parm.crlRT;
1074 pImpl->crlMutex.UnLock();
1075 if (!refsec) refsec = XrdTlsContext::DEFAULT_CRL_REF_INT_SEC;
1076 }
1077
1078// Make sure this is at least 60 seconds between refreshes
1079//
1080// if (refsec < 60) refsec = 60;
1081
1082// We will set the new interval and start a refresh thread if not running.
1083//
1084 pImpl->crlMutex.WriteLock();
1085 pImpl->Parm.crlRT = refsec;
1086 if (!pImpl->crlRunning)
1087 {if ((rc = XrdSysThread::Run(&tid, XrdTlsCrl::Refresh, (void *)pImpl,
1088 0, "CRL Refresh")))
1089 {char eBuff[512];
1090 snprintf(eBuff, sizeof(eBuff),
1091 "Unable to start CRL refresh thread; rc=%d", rc);
1092 XrdTls::Emsg("CrlRefresh:", eBuff, false);
1093 pImpl->crlMutex.UnLock();
1094 return false;
1095 } else pImpl->crlRunning = true;
1096 pImpl->crlMutex.UnLock();
1097 }
1098
1099// All done
1100//
1101 return true;
1102
1103#else
1104// We use features present on OpenSSL 1.02 and above to implement crl refresh.
1105// Older version are too difficult to deal with. Issue a message if this
1106// feature is being enabled on an old version.
1107//
1108 XrdTls::Emsg("CrlRefresh:", "Refreshing CRLs only supported in "
1109 "OpenSSL version >= 1.02; CRL refresh disabled!", false);
1110 return false;
1111#endif
1112}
static int Run(pthread_t *, void *(*proc)(void *), void *arg, int opts=0, const char *desc=0)
static const int DEFAULT_CRL_REF_INT_SEC
Default CRL refresh interval in seconds.
static void Emsg(const char *tid, const char *msg=0, bool flush=true)
Definition XrdTls.cc:104
void * Refresh(void *parg)

References XrdTlsContextImpl::crlMutex, XrdTlsContext::CTX_Params::crlRT, XrdTlsContextImpl::crlRunning, DEFAULT_CRL_REF_INT_SEC, XrdTls::Emsg(), XrdTlsContextImpl::Parm, XrdTlsCrl::Refresh(), XrdSysThread::Run(), XrdSysRWLock::UnLock(), and XrdSysRWLock::WriteLock().

Referenced by XrdTlsContext().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ SetDefaultCiphers()

void XrdTlsContext::SetDefaultCiphers ( const char *  ciphers)
static

Set allowed default ciphers.

Parameters
ciphersThe colon separated list of allowable ciphers.

Definition at line 1053 of file XrdTlsContext.cc.

1054{
1055 sslCiphers = ciphers;
1056}

◆ x509Verify()

bool XrdTlsContext::x509Verify ( )

Check if certificates are being verified.

Returns
True if certificates are being verified, false otherwise.

Definition at line 1118 of file XrdTlsContext.cc.

1119{
1120 return !(pImpl->Parm.cadir.empty()) || !(pImpl->Parm.cafile.empty());
1121}

References XrdTlsContext::CTX_Params::cadir, XrdTlsContext::CTX_Params::cafile, and XrdTlsContextImpl::Parm.

Referenced by XrdTlsSocket::Init(), and XrdTlsCrl::Refresh().

+ Here is the caller graph for this function:

Member Data Documentation

◆ artON

const uint64_t XrdTlsContext::artON = 0x0000002000000000
static

Auto retry Handshake.

Definition at line 241 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlFC

const uint64_t XrdTlsContext::crlFC = 0x000000C000000000
static

Full crl chain checking.

Definition at line 238 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlON

const uint64_t XrdTlsContext::crlON = 0x0000008000000000
static

Enables crl checking.

Definition at line 237 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlRF

const uint64_t XrdTlsContext::crlRF = 0x00000000ffff0000
static

Mask to isolate crl refresh in min.

Definition at line 239 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlRS

const int XrdTlsContext::crlRS = 16
static

Bits to shift vdept.

Definition at line 240 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ DEFAULT_CRL_REF_INT_SEC

const int XrdTlsContext::DEFAULT_CRL_REF_INT_SEC = 8 * 60 * 60
static

Default CRL refresh interval in seconds.

Definition at line 66 of file XrdTlsContext.hh.

Referenced by SetCrlRefresh().

◆ dnsok

const uint64_t XrdTlsContext::dnsok = 0x0000000200000000
static

Trust DNS for host name.

Definition at line 234 of file XrdTlsContext.hh.

Referenced by XrdTlsSocket::Init().

◆ hsto

const uint64_t XrdTlsContext::hsto = 0x00000000000000ff
static

Mask to isolate the hsto.

Constructor. Note that you should use isOK() to determine if construction was successful. A false return indicates failure.

Parameters
certPointer to the certificate file to be used. If nil, a generic context is created for client use.
keyPointer to the private key flle to be used. It must correspond to the certificate file. If nil, it is assumed that the key is contained in the cert file.
cadirpath to the directory containing the CA certificates.
cafilepath to the file containing the CA certificates.
optsProcessing options (or'd bitwise): artON - Auto retry handshakes (i.e. block on handshake) crlON - Perform crl check on the leaf node crlFC - Apply crl check to full chain crlRF - Initial crl refresh interval in minutes. dnsok - trust DNS when verifying hostname. hsto - the handshake timeout value in seconds. logVF - Turn on verification failure logging. nopxy - Do not allow proxy cert (normally allowed) servr - This is a server-side context and x509 peer certificate validation may be turned off. vdept - The maximum depth of the certificate chain that must be validated (max is 255).
eMsgIf non-zero, the reason for the failure is returned,
Note
a) If neither cadir nor cafile is specified, certificate validation is not performed if and only if the servr option is specified. Otherwise, the cadir value is obtained from the X509_CERT_DIR envar and the cafile value is obtained from the X509_CERT_File envar. If both are nil, context creation fails. b) Additionally for client-side contructions, if cert or key is not specified their locations come from X509_USER_PROXY and X509_USER_KEY. These may be nil in which case a generic context is created with a local key-pair and no certificate. c) You should immediately call isOK() after instantiating this object. A return value of false means that construction failed. d) Failure messages are routed to the message callback function during construction. e) While the crl refresh interval is set you must engage it by calling crlRefresh() so as to avoid unnecessary refresh threads.

Definition at line 229 of file XrdTlsContext.hh.

Referenced by XrdTlsSocket::Init().

◆ logVF

const uint64_t XrdTlsContext::logVF = 0x0000000800000000
static

Log verify failures.

Definition at line 232 of file XrdTlsContext.hh.

Referenced by XrdConfig::XrdConfig(), and XrdTlsContext().

◆ nopxy

const uint64_t XrdTlsContext::nopxy = 0x0000000100000000
static

Do not allow proxy certs.

Definition at line 235 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ rfCRL

const uint64_t XrdTlsContext::rfCRL = 0x0000004000000000
static

Turn on the CRL refresh thread.

Definition at line 236 of file XrdTlsContext.hh.

Referenced by XrdTlsContext(), and Clone().

◆ scClnt

const int XrdTlsContext::scClnt = 0x00040000
static

Turn on cache client mode.

Definition at line 135 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scFMax

const int XrdTlsContext::scFMax = 0x00007fff
static

Maximum flush interval in seconds When 0 keeps the current setting

Definition at line 138 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scIdErr

const int XrdTlsContext::scIdErr = 0x80000000
static

Info: Id not set, is too long.

Definition at line 137 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scKeep

const int XrdTlsContext::scKeep = 0x40000000
static

Info: TLS-controlled flush disabled.

Definition at line 136 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scNone

const int XrdTlsContext::scNone = 0x00000000
static

Do not change any option settings.

Get or set session cache parameters for generated sessions.

Parameters
optsOne or more bit or'd options (see below).
idThe identifier to be used (may be nil to keep setting).
idlenThe length of the identifier (may be zero as above).
Returns
The cache settings prior to any changes are returned. When setting the id, the scIdErr may be returned if the name is too long. If the context has been pprroperly initialized, zero is returned. By default, the session cache is disabled as it is impossible to verify a peer certificate chain when a cached session is reused.

Definition at line 132 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scOff

const int XrdTlsContext::scOff = 0x00010000
static

Turn off cache.

Definition at line 133 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scSrvr

const int XrdTlsContext::scSrvr = 0x00020000
static

Turn on cache server mode (default)

Definition at line 134 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ servr

const uint64_t XrdTlsContext::servr = 0x0000000400000000
static

This is a server context.

Definition at line 233 of file XrdTlsContext.hh.

Referenced by XrdConfig::XrdConfig(), and XrdTlsContext().

◆ vdepS

const int XrdTlsContext::vdepS = 8
static

Bits to shift vdept.

Definition at line 231 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ vdept

const uint64_t XrdTlsContext::vdept = 0x000000000000ff00
static

Mask to isolate vdept.

Definition at line 230 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().


The documentation for this class was generated from the following files: