XRootD
XrdTlsContext Class Reference

#include <XrdTlsContext.hh>

+ Collaboration diagram for XrdTlsContext:

Classes

struct  CTX_Params
 

Public Types

enum  ClientAuthSetting {
  kOn ,
  kOff
}
 

Public Member Functions

 XrdTlsContext (const char *cert=0, const char *key=0, const char *cadir=0, const char *cafile=0, uint64_t opts=0, std::string *eMsg=0)
 
 XrdTlsContext (const XrdTlsContext &ctx)=delete
 Disallow any copies of this object. More...
 
 XrdTlsContext (XrdTlsContext &&ctx)=delete
 
 ~XrdTlsContext ()
 Destructor. More...
 
XrdTlsContextClone (bool full=true, bool startCRLRefresh=false)
 
void * Context ()
 
const CTX_ParamsGetParams ()
 
bool isOK ()
 
bool newHostCertificateDetected ()
 
XrdTlsContextoperator= (const XrdTlsContext &ctx)=delete
 
XrdTlsContextoperator= (XrdTlsContext &&ctx)=delete
 
void * Session ()
 
int SessionCache (int opts=scNone, const char *id=0, int idlen=0)
 
bool SetContextCiphers (const char *ciphers)
 
bool SetCrlRefresh (int refsec=-1)
 
bool SetTlsClientAuth (ClientAuthSetting setting)
 
bool x509Verify ()
 

Static Public Member Functions

static const char * Init ()
 
static void SetDefaultCiphers (const char *ciphers)
 

Static Public Attributes

static const uint64_t artON = 0x0000002000000000
 Auto retry Handshake. More...
 
static const uint64_t crlFC = 0x000000C000000000
 Full crl chain checking. More...
 
static const uint64_t crlON = 0x0000008000000000
 Enables crl checking. More...
 
static const uint64_t crlRF = 0x00000000ffff0000
 Mask to isolate crl refresh in min. More...
 
static const int crlRS = 16
 Bits to shift vdept. More...
 
static const int DEFAULT_CRL_REF_INT_SEC = 8 * 60 * 60
 Default CRL refresh interval in seconds. More...
 
static const uint64_t dnsok = 0x0000000200000000
 Trust DNS for host name. More...
 
static const uint64_t hsto = 0x00000000000000ff
 Mask to isolate the hsto. More...
 
static const uint64_t logVF = 0x0000000800000000
 Log verify failures. More...
 
static const uint64_t nopxy = 0x0000000100000000
 Do not allow proxy certs. More...
 
static const uint64_t rfCRL = 0x0000004000000000
 Turn on the CRL refresh thread. More...
 
static const int scClnt = 0x00040000
 Turn on cache client mode. More...
 
static const int scFMax = 0x00007fff
 
static const int scIdErr = 0x80000000
 Info: Id not set, is too long. More...
 
static const int scKeep = 0x40000000
 Info: TLS-controlled flush disabled. More...
 
static const int scNone = 0x00000000
 Do not change any option settings. More...
 
static const int scOff = 0x00010000
 Turn off cache. More...
 
static const int scSrvr = 0x00020000
 Turn on cache server mode (default) More...
 
static const uint64_t servr = 0x0000000400000000
 This is a server context. More...
 
static const int vdepS = 8
 Bits to shift vdept. More...
 
static const uint64_t vdept = 0x000000000000ff00
 Mask to isolate vdept. More...
 

Detailed Description

Definition at line 36 of file XrdTlsContext.hh.

Member Enumeration Documentation

◆ ClientAuthSetting

Enumerator
kOn 
kOff 

Definition at line 176 of file XrdTlsContext.hh.

176  {
177  kOn,
178  kOff,
179 };

Constructor & Destructor Documentation

◆ XrdTlsContext() [1/3]

XrdTlsContext::XrdTlsContext ( const char *  cert = 0,
const char *  key = 0,
const char *  cadir = 0,
const char *  cafile = 0,
uint64_t  opts = 0,
std::string *  eMsg = 0 
)

Definition at line 577 of file XrdTlsContext.cc.

580  : pImpl( new XrdTlsContextImpl(this) )
581 {
582  class ctx_helper
583  {public:
584 
585  void Keep() {ctxLoc = 0;}
586 
587  ctx_helper(SSL_CTX **ctxP) : ctxLoc(ctxP) {}
588  ~ctx_helper() {if (ctxLoc && *ctxLoc)
589  {SSL_CTX_free(*ctxLoc); *ctxLoc = 0;}
590  }
591  private:
592  SSL_CTX **ctxLoc;
593  } ctx_tracker(&pImpl->ctx);
594 
595  pImpl->opts = opts;
596 
597  static const uint64_t sslOpts = SSL_OP_ALL
598  | SSL_OP_NO_SSLv2
599  | SSL_OP_NO_SSLv3
600  | SSL_OP_NO_COMPRESSION
601 #ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
602  | SSL_OP_IGNORE_UNEXPECTED_EOF
603 #endif
604 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
605  | SSL_OP_NO_RENEGOTIATION
606 #endif
607  ;
608 
609  std::string certFN, eText;
610  const char *emsg;
611 
612 // Assume we will fail
613 //
614  pImpl->ctx = 0;
615 
616 // Verify that initialzation has occurred. This is not heavy weight as
617 // there will usually be no more than two instances of this object.
618 //
619  if (!initDbgDone)
620  {XrdSysMutexHelper dbgHelper(dbgMutex);
621  if (!initDbgDone)
622  {const char *dbg;
623  if (!(opts & servr) && (dbg = getenv("XRDTLS_DEBUG")))
624  {int dbgOpts = 0;
625  if (strstr(dbg, "ctx")) dbgOpts |= XrdTls::dbgCTX;
626  if (strstr(dbg, "sok")) dbgOpts |= XrdTls::dbgSOK;
627  if (strstr(dbg, "sio")) dbgOpts |= XrdTls::dbgSIO;
628  if (!dbgOpts) dbgOpts = XrdTls::dbgALL;
630  }
631  if ((emsg = Init())) FATAL(emsg);
632  initDbgDone = true;
633  }
634  }
635 
636 // If no CA cert information is specified and this is not a server context,
637 // then get the paths from the environment. They must exist as we need to
638 // verify peer certs in order to verify target host names client-side. We
639 // also use this setupt to see if we should use a specific cert and key.
640 //
641  if (!(opts & servr))
642  {if (!caDir && !caFile)
643  {caDir = getenv("X509_CERT_DIR");
644  caFile = getenv("X509_CERT_FILE");
645  if (!caDir && !caFile)
646  FATAL("No CA cert specified; host identity cannot be verified.");
647  }
648  if (!key) key = getenv("X509_USER_KEY");
649  if (!cert) cert = getenv("X509_USER_PROXY");
650  if (!cert)
651  {struct stat Stat;
652  long long int uid = static_cast<long long int>(getuid());
653  certFN = std::string("/tmp/x509up_u") + std::to_string(uid);
654  if (!stat(certFN.c_str(), &Stat)) cert = certFN.c_str();
655  }
656  }
657 
658 // Before we try to use any specified files, make sure they exist, are of
659 // the right type and do not have excessive access privileges.
660 // .a
661  if (!VerPaths(cert, key, caDir, caFile, eText)) FATAL( eText.c_str());
662 
663 // Copy parameters to out parm structure.
664 //
665  if (cert) {
666  pImpl->Parm.cert = cert;
667  //This call should not fail as a stat is already performed in the call of VerPaths() above
669  }
670  if (key) pImpl->Parm.pkey = key;
671  if (caDir) pImpl->Parm.cadir = caDir;
672  if (caFile) pImpl->Parm.cafile = caFile;
673  pImpl->Parm.opts = opts;
674  if (opts & crlRF) {
675  // What we store in crlRF is the time in minutes, convert it back to seconds
676  pImpl->Parm.crlRT = static_cast<int>((opts & crlRF) >> crlRS) * 60;
677  }
678 
679 // Get the correct method to use for TLS and check if successful create a
680 // server context that uses the method.
681 //
682  const SSL_METHOD *meth;
683  emsg = GetTlsMethod(meth);
684  if (emsg) FATAL(emsg);
685 
686  pImpl->ctx = SSL_CTX_new(meth);
687 
688 // Make sure we have a context here
689 //
690  if (pImpl->ctx == 0) FATAL_SSL("Unable to allocate TLS context!");
691 
692 // Always prohibit SSLv2 & SSLv3 as these are not secure.
693 //
694  SSL_CTX_set_options(pImpl->ctx, sslOpts);
695 
696 // Handle session re-negotiation automatically
697 //
698 // SSL_CTX_set_mode(pImpl->ctx, sslMode);
699 
700 // Turn off the session cache as it's useless with peer cert chains
701 //
702  SSL_CTX_set_session_cache_mode(pImpl->ctx, SSL_SESS_CACHE_OFF);
703 
704 // Establish the CA cert locations, if specified. Then set the verification
705 // depth and turn on peer cert validation. For now, we don't set a callback.
706 // In the future we may to grab debugging information.
707 //
708  if (caDir || caFile)
709  {if (!SSL_CTX_load_verify_locations(pImpl->ctx, caFile, caDir))
710  FATAL_SSL("Unable to load the CA cert file or directory.");
711 
712  int vDepth = (opts & vdept) >> vdepS;
713  SSL_CTX_set_verify_depth(pImpl->ctx, (vDepth ? vDepth : 9));
714 
715  bool LogVF = (opts & logVF) != 0;
716  SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_PEER, (LogVF ? VerCB : 0));
717 
718  unsigned long xFlags = (opts & nopxy ? 0 : X509_V_FLAG_ALLOW_PROXY_CERTS);
719  if (opts & crlON)
720  {xFlags |= X509_V_FLAG_CRL_CHECK;
721  if (opts & crlFC) xFlags |= X509_V_FLAG_CRL_CHECK_ALL;
722  }
723  if (opts) X509_STORE_set_flags(SSL_CTX_get_cert_store(pImpl->ctx),xFlags);
724  } else {
725  SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_NONE, 0);
726  }
727 
728 // Set cipher list
729 //
730  if (!SSL_CTX_set_cipher_list(pImpl->ctx, sslCiphers))
731  FATAL_SSL("Unable to set SSL cipher list; no supported ciphers.");
732 
733 // If we need to enable eliptic-curve support, do so now. Note that for
734 // OpenSSL 1.1.0+ this is automatically done for us.
735 //
736 #if SSL_CTRL_SET_ECDH_AUTO
737  SSL_CTX_set_ecdh_auto(pImpl->ctx, 1);
738 #endif
739 
740 // We normally handle renegotiation during reads and writes or selective
741 // prohibit on a SSL socket basis. The calle may request this be applied
742 // to all SSL's generated from this context. If so, do it here.
743 //
744  if (opts & artON) SSL_CTX_set_mode(pImpl->ctx, SSL_MODE_AUTO_RETRY);
745 
746 // If there is no cert then assume this is a generic context for a client
747 //
748  if (cert == 0)
749  {ctx_tracker.Keep();
750  return;
751  }
752 
753 // We have a cert. If the key is missing then we assume the key is in the
754 // cert file (ssl will complain if it isn't).
755 //
756  if (!key) key = cert;
757 
758 // Load certificate
759 //
760  if (SSL_CTX_use_certificate_chain_file(pImpl->ctx, cert) != 1)
761  FATAL_SSL("Unable to create TLS context; invalid certificate.");
762 
763 // Load the private key
764 //
765  if (SSL_CTX_use_PrivateKey_file(pImpl->ctx, key, SSL_FILETYPE_PEM) != 1 )
766  FATAL_SSL("Unable to create TLS context; invalid private key.");
767 
768 // Make sure the key and certificate file match.
769 //
770  if (SSL_CTX_check_private_key(pImpl->ctx) != 1 )
771  FATAL_SSL("Unable to create TLS context; cert-key mismatch.");
772 
773 // All went well, start the CRL refresh thread and keep the context.
774 //
775  if(opts & rfCRL) {
776  SetCrlRefresh();
777  }
778  ctx_tracker.Keep();
779 }
struct stat Stat
Definition: XrdCks.cc:49
int stat(const char *path, struct stat *buf)
struct myOpts opts
int emsg(int rc, char *msg)
#define FATAL_SSL(msg)
#define FATAL(msg)
static int getModificationTime(const char *path, time_t &modificationTime)
static const uint64_t vdept
Mask to isolate vdept.
static const int crlRS
Bits to shift vdept.
static const uint64_t servr
This is a server context.
static const uint64_t rfCRL
Turn on the CRL refresh thread.
static const uint64_t nopxy
Do not allow proxy certs.
static const uint64_t logVF
Log verify failures.
static const uint64_t crlFC
Full crl chain checking.
static const uint64_t crlON
Enables crl checking.
static const uint64_t artON
Auto retry Handshake.
static const int vdepS
Bits to shift vdept.
static const char * Init()
bool SetCrlRefresh(int refsec=-1)
static const uint64_t crlRF
Mask to isolate crl refresh in min.
static const int dbgSIO
Turn debugging in for socket I/O.
Definition: XrdTls.hh:102
static const int dbgSOK
Turn debugging in for socket operations.
Definition: XrdTls.hh:101
static const int dbgOUT
Force msgs to stderr for easier client debug.
Definition: XrdTls.hh:104
static const int dbgALL
Turn debugging for everything.
Definition: XrdTls.hh:103
static const int dbgCTX
Turn debugging in for context operations.
Definition: XrdTls.hh:100
static void SetDebug(int opts, XrdSysLogger *logP=0)
Definition: XrdTls.cc:177
XrdTlsContext::CTX_Params Parm
std::string cafile
-> ca cert file.
uint64_t opts
Options as passed to the constructor.
std::string cadir
-> ca cert directory.
int crlRT
crl refresh interval time in seconds
std::string pkey
-> private key path.
std::string cert
-> certificate path.

References artON, XrdTlsContext::CTX_Params::cadir, XrdTlsContext::CTX_Params::cafile, XrdTlsContext::CTX_Params::cert, crlFC, crlON, crlRF, crlRS, XrdTlsContext::CTX_Params::crlRT, XrdTlsContextImpl::ctx, XrdTls::dbgALL, XrdTls::dbgCTX, XrdTls::dbgOUT, XrdTls::dbgSIO, XrdTls::dbgSOK, emsg(), FATAL, FATAL_SSL, XrdOucUtils::getModificationTime(), Init(), XrdTlsContextImpl::lastCertModTime, logVF, nopxy, opts, XrdTlsContextImpl::opts, XrdTlsContext::CTX_Params::opts, XrdTlsContextImpl::Parm, XrdTlsContext::CTX_Params::pkey, rfCRL, servr, SetCrlRefresh(), XrdTls::SetDebug(), Stat, stat(), vdepS, and vdept.

Referenced by Clone().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ ~XrdTlsContext()

XrdTlsContext::~XrdTlsContext ( )

Destructor.

Definition at line 785 of file XrdTlsContext.cc.

786 {
787 // We can delet eour implementation of there is no refresh thread running. If
788 // there is then the refresh thread has to delete the implementation.
789 //
790  if (pImpl->crlRunning | pImpl->flsRunning)
791  {pImpl->crlMutex.WriteLock();
792  pImpl->owner = 0;
793  pImpl->crlMutex.UnLock();
794  } else delete pImpl;
795 }
XrdTlsContext * owner
XrdSysRWLock crlMutex

References XrdTlsContextImpl::crlMutex, XrdTlsContextImpl::crlRunning, XrdTlsContextImpl::flsRunning, XrdTlsContextImpl::owner, XrdSysRWLock::UnLock(), and XrdSysRWLock::WriteLock().

Referenced by Clone().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ XrdTlsContext() [2/3]

XrdTlsContext::XrdTlsContext ( const XrdTlsContext ctx)
delete

Disallow any copies of this object.

◆ XrdTlsContext() [3/3]

XrdTlsContext::XrdTlsContext ( XrdTlsContext &&  ctx)
delete

Member Function Documentation

◆ Clone()

XrdTlsContext * XrdTlsContext::Clone ( bool  full = true,
bool  startCRLRefresh = false 
)

Clone a new context from this context.

Parameters
fullWhen true the complete context is cloned. When false, a context with no peer verification is cloned.
Returns
Upon success, the pointer to a new XrdTlsContext is returned. Upon failure, a nil pointer is returned.
Note
The cloned context is identical to the one created by the original constructor. Note that while the crl refresh interval is set, the refresh thread needs to be started by calling crlRefresh(). Also, the session cache is set to off with no identifier.

Definition at line 801 of file XrdTlsContext.cc.

802 {
803  XrdTlsContext::CTX_Params &my = pImpl->Parm;
804  const char *cert = (my.cert.size() ? my.cert.c_str() : 0);
805  const char *pkey = (my.pkey.size() ? my.pkey.c_str() : 0);
806  const char *caD = (my.cadir.size() ? my.cadir.c_str() : 0);
807  const char *caF = (my.cafile.size() ? my.cafile.c_str() : 0);
808 
809 // If this is a non-full context, get rid of any verification
810 //
811  if (!full) caD = caF = 0;
812 
813 // Cloning simply means getting a object with the old parameters.
814 //
815  uint64_t myOpts = my.opts;
816  if(startCRLRefresh){
818  } else {
820  }
821  XrdTlsContext *xtc = new XrdTlsContext(cert, pkey, caD, caF, myOpts);
822 
823 // Verify that the context was built
824 //
825  if (xtc->isOK()) {
826  if(pImpl->sessionCacheOpts != -1){
827  //A SessionCache() call was done for the current context, so apply it for this new cloned context
828  xtc->SessionCache(pImpl->sessionCacheOpts,pImpl->sessionCacheId.c_str(),pImpl->sessionCacheId.size());
829  }
830  return xtc;
831  }
832 
833 // We failed, cleanup.
834 //
835  delete xtc;
836  return 0;
837 }
~XrdTlsContext()
Destructor.
int SessionCache(int opts=scNone, const char *id=0, int idlen=0)
XrdTlsContext(const char *cert=0, const char *key=0, const char *cadir=0, const char *cafile=0, uint64_t opts=0, std::string *eMsg=0)
std::string sessionCacheId

References XrdTlsContext(), ~XrdTlsContext(), XrdTlsContext::CTX_Params::cadir, XrdTlsContext::CTX_Params::cafile, XrdTlsContext::CTX_Params::cert, isOK(), XrdTlsContext::CTX_Params::opts, XrdTlsContextImpl::Parm, XrdTlsContext::CTX_Params::pkey, rfCRL, SessionCache(), XrdTlsContextImpl::sessionCacheId, and XrdTlsContextImpl::sessionCacheOpts.

Referenced by XrdTlsCrl::Refresh().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ Context()

void * XrdTlsContext::Context ( )

Get the underlying context (should not be used).

Returns
Pointer to the underlying context.

Definition at line 843 of file XrdTlsContext.cc.

844 {
845  return pImpl->ctx;
846 }

References XrdTlsContextImpl::ctx.

◆ GetParams()

const XrdTlsContext::CTX_Params * XrdTlsContext::GetParams ( )

Definition at line 852 of file XrdTlsContext.cc.

853 {
854  return &pImpl->Parm;
855 }

References XrdTlsContextImpl::Parm.

Referenced by XrdTlsSocket::Init().

+ Here is the caller graph for this function:

◆ Init()

const char * XrdTlsContext::Init ( )
static

Simply initialize the TLS library.

Returns
=0 Library initialized. !0 Library not initialized, return string indicates why.
Note
Init() is implicitly called by the contructor. Use this method to use the TLS libraries without instantiating a context.

Definition at line 861 of file XrdTlsContext.cc.

862 {
863 
864 // Disallow use if this object unless SSL provides thread-safety!
865 //
866 #ifndef OPENSSL_THREADS
867  return "Installed OpenSSL lacks the required thread support!";
868 #endif
869 
870 // Initialize the library (one time call)
871 //
872  InitTLS();
873  return 0;
874 }
bool InitTLS()
Definition: XrdClTls.cc:96

References XrdCl::InitTLS().

Referenced by XrdCryptosslFactory::XrdCryptosslFactory(), XrdTlsContext(), and XrdCryptoLite_New_bf32().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ isOK()

bool XrdTlsContext::isOK ( )

Determine if this object was correctly built.

Returns
True if this object is usuable and false otherwise.

Definition at line 880 of file XrdTlsContext.cc.

881 {
882  return pImpl->ctx != 0;
883 }

References XrdTlsContextImpl::ctx.

Referenced by Clone(), and XrdTlsCrl::Refresh().

+ Here is the caller graph for this function:

◆ newHostCertificateDetected()

bool XrdTlsContext::newHostCertificateDetected ( )

Definition at line 1126 of file XrdTlsContext.cc.

1126  {
1127  const std::string certPath = pImpl->Parm.cert;
1128  if(certPath.empty()) {
1129  //No certificate provided, should not happen though
1130  return false;
1131  }
1132  time_t modificationTime;
1133  if(!XrdOucUtils::getModificationTime(certPath.c_str(),modificationTime)){
1134  if (pImpl->lastCertModTime != modificationTime) {
1135  //The certificate file has changed
1136  pImpl->lastCertModTime = modificationTime;
1137  return true;
1138  }
1139  }
1140  return false;
1141 }

References XrdTlsContext::CTX_Params::cert, XrdOucUtils::getModificationTime(), XrdTlsContextImpl::lastCertModTime, and XrdTlsContextImpl::Parm.

Referenced by XrdTlsCrl::Refresh().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ operator=() [1/2]

XrdTlsContext& XrdTlsContext::operator= ( const XrdTlsContext ctx)
delete

◆ operator=() [2/2]

XrdTlsContext& XrdTlsContext::operator= ( XrdTlsContext &&  ctx)
delete

◆ Session()

void * XrdTlsContext::Session ( )

Apply this context to obtain a new SSL session.

Returns
A pointer to a new SSL session if successful and nil otherwise.

Definition at line 895 of file XrdTlsContext.cc.

896 {
897 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
898 
899  EPNAME("Session");
900  SSL *ssl;
901 
902 // Check if we have a refreshed context. If so, we need to replace the X509
903 // store in the current context with the new one before we create the session.
904 //
905  pImpl->crlMutex.ReadLock();
906  if (!(pImpl->ctxnew))
907  {ssl = SSL_new(pImpl->ctx);
908  pImpl->crlMutex.UnLock();
909  return ssl;
910  }
911 
912 // Things have changed, so we need to take the long route here. We need to
913 // replace the x509 cache with the current cache. Get a R/W lock now.
914 //
915  pImpl->crlMutex.UnLock();
916  pImpl->crlMutex.WriteLock();
917 
918 // If some other thread beat us to the punch, just return what we have.
919 //
920  if (!(pImpl->ctxnew))
921  {ssl = SSL_new(pImpl->ctx);
922  pImpl->crlMutex.UnLock();
923  return ssl;
924  }
925 
926 // Do some tracing
927 //
928  DBG_CTX("Replacing x509 store with new contents.");
929 
930 // Get the new store and set it in our context. Setting the store is black
931 // magic. For OpenSSL < 1.1, Two stores need to be set with the "set1" variant.
932 // Newer version only require SSL_CTX_set1_cert_store() to be used.
933 //
934  //We have a new context generated by Refresh, so we must use it.
935  XrdTlsContext * ctxnew = pImpl->ctxnew;
936 
937  /*X509_STORE *newX509 = SSL_CTX_get_cert_store(ctxnew->pImpl->ctx);
938  SSL_CTX_set1_verify_cert_store(pImpl->ctx, newX509);
939  SSL_CTX_set1_chain_cert_store(pImpl->ctx, newX509);*/
940  //The above two macros actually do not replace the certificate that has
941  //to be used for that SSL session, so we will create the session with the SSL_CTX * of
942  //the TlsContext created by Refresh()
943  //First, free the current SSL_CTX, if it is used by any transfer, it will just decrease
944  //the reference counter of it. There is therefore no risk of double free...
945  SSL_CTX_free(pImpl->ctx);
946  pImpl->ctx = ctxnew->pImpl->ctx;
947  //In the destructor of XrdTlsContextImpl, SSL_CTX_Free() is
948  //called if ctx is != 0. As this new ctx is used by the session
949  //we just created, we don't want that to happen. We therefore set it to 0.
950  //The SSL_free called on the session will cleanup the context for us.
951  ctxnew->pImpl->ctx = 0;
952 
953 // Save the generated context and clear it's presence
954 //
955  XrdTlsContext *ctxold = pImpl->ctxnew;
956  pImpl->ctxnew = 0;
957 
958 // Generate a new session (might as well to keep the lock we have)
959 //
960  ssl = SSL_new(pImpl->ctx);
961 
962 // OK, now we can drop all the locks and get rid of the old context
963 //
964  pImpl->crlMutex.UnLock();
965  delete ctxold;
966  return ssl;
967 
968 #else
969 // If we did not compile crl refresh code, we can simply return the OpenSSL
970 // session using our context. Otherwise, we need to see if we have a refreshed
971 // context and if so, carry forward the X509_store to our original context.
972 //
973  return SSL_new(pImpl->ctx);
974 #endif
975 }
#define EPNAME(x)
Definition: XrdBwmTrace.hh:56
#define DBG_CTX(y)
Definition: XrdTlsTrace.hh:39
XrdTlsContext * ctxnew

References XrdTlsContextImpl::crlMutex, XrdTlsContextImpl::ctx, XrdTlsContextImpl::ctxnew, DBG_CTX, EPNAME, XrdSysRWLock::ReadLock(), XrdSysRWLock::UnLock(), and XrdSysRWLock::WriteLock().

Referenced by XrdTlsSocket::Init(), and XrdHttpProtocol::Process().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ SessionCache()

int XrdTlsContext::SessionCache ( int  opts = scNone,
const char *  id = 0,
int  idlen = 0 
)

Definition at line 981 of file XrdTlsContext.cc.

982 {
983  static const int doSet = scSrvr | scClnt | scOff;
984  long sslopt = 0;
985  int flushT = opts & scFMax;
986 
987  pImpl->sessionCacheOpts = opts;
988  pImpl->sessionCacheId = id;
989 
990 // If initialization failed there is nothing to do
991 //
992  if (pImpl->ctx == 0) return 0;
993 
994 // Set options as appropriate
995 //
996  if (opts & doSet)
997  {if (opts & scOff) sslopt = SSL_SESS_CACHE_OFF;
998  else {if (opts & scSrvr) sslopt = SSL_SESS_CACHE_SERVER;
999  if (opts & scClnt) sslopt |= SSL_SESS_CACHE_CLIENT;
1000  }
1001  }
1002 
1003 // Check if we should set any cache options or simply get them
1004 //
1005  if (!(opts & doSet)) sslopt = SSL_CTX_get_session_cache_mode(pImpl->ctx);
1006  else {sslopt = SSL_CTX_set_session_cache_mode(pImpl->ctx, sslopt);
1007  if (opts & scOff) SSL_CTX_set_options(pImpl->ctx, SSL_OP_NO_TICKET);
1008  }
1009 
1010 // Compute what he previous cache options were
1011 //
1012  opts = scNone;
1013  if (sslopt & SSL_SESS_CACHE_SERVER) opts |= scSrvr;
1014  if (sslopt & SSL_SESS_CACHE_CLIENT) opts |= scClnt;
1015  if (!opts) opts = scOff;
1016  if (sslopt & SSL_SESS_CACHE_NO_AUTO_CLEAR) opts |= scKeep;
1017  opts |= (static_cast<int>(pImpl->flushT) & scFMax);
1018 
1019 // Set the id is so wanted
1020 //
1021  if (id && idlen > 0)
1022  {if (!SSL_CTX_set_session_id_context(pImpl->ctx,
1023  (unsigned const char *)id,
1024  (unsigned int)idlen)) opts |= scIdErr;
1025  }
1026 
1027 // If a flush interval was specified and it is different from what we have
1028 // then reset the flush interval.
1029 //
1030  if (flushT && flushT != pImpl->flushT)
1031  XrdTlsFlush::Setup_Flusher(pImpl, flushT);
1032 
1033 // All done
1034 //
1035  return opts;
1036 }
static const int scIdErr
Info: Id not set, is too long.
static const int scClnt
Turn on cache client mode.
static const int scKeep
Info: TLS-controlled flush disabled.
static const int scNone
Do not change any option settings.
static const int scOff
Turn off cache.
static const int scFMax
static const int scSrvr
Turn on cache server mode (default)
bool Setup_Flusher(XrdTlsContextImpl *pImpl, int flushT)

References XrdTlsContextImpl::ctx, XrdTlsContextImpl::flushT, opts, scClnt, scFMax, scIdErr, scKeep, scNone, scOff, scSrvr, XrdTlsContextImpl::sessionCacheId, XrdTlsContextImpl::sessionCacheOpts, and XrdTlsFlush::Setup_Flusher().

Referenced by Clone().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ SetContextCiphers()

bool XrdTlsContext::SetContextCiphers ( const char *  ciphers)

Set allowed ciphers for this context.

Parameters
ciphersThe colon separated list of allowable ciphers.
Returns
True if at least one cipher can be used; false otherwise. When false is reurned, this context is no longer usable.

Definition at line 1042 of file XrdTlsContext.cc.

1043 {
1044  if (pImpl->ctx && SSL_CTX_set_cipher_list(pImpl->ctx, ciphers)) return true;
1045 
1046  char eBuff[2048];
1047  snprintf(eBuff,sizeof(eBuff),"Unable to set context ciphers '%s'",ciphers);
1048  Fatal(0, eBuff, true);
1049  return false;
1050 }
void Fatal(const char *op, const char *target)
Definition: XrdCrc32c.cc:58

References XrdTlsContextImpl::ctx, and Fatal().

+ Here is the call graph for this function:

◆ SetCrlRefresh()

bool XrdTlsContext::SetCrlRefresh ( int  refsec = -1)

Set CRL refresh time. By default, CRL's are not refreshed.

Parameters
refsec>0: The number of seconds between refreshes. A value less than 60 sets it to 60. =0: Stops automatic refreshing. <0: Starts automatic refreshing with the current setting if it has not already been started.
Returns
True if the CRL refresh thread was started; false otherwise.

Definition at line 1065 of file XrdTlsContext.cc.

1066 {
1067 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
1068 
1069  pthread_t tid;
1070  int rc;
1071 
1072 // If it's negative or equal to 0, use the current setting
1073 //
1074  if (refsec <= 0)
1075  {pImpl->crlMutex.WriteLock();
1076  refsec = pImpl->Parm.crlRT;
1077  pImpl->crlMutex.UnLock();
1078  if (!refsec) refsec = XrdTlsContext::DEFAULT_CRL_REF_INT_SEC;
1079  }
1080 
1081 // Make sure this is at least 60 seconds between refreshes
1082 //
1083 // if (refsec < 60) refsec = 60;
1084 
1085 // We will set the new interval and start a refresh thread if not running.
1086 //
1087  pImpl->crlMutex.WriteLock();
1088  pImpl->Parm.crlRT = refsec;
1089  if (!pImpl->crlRunning)
1090  {if ((rc = XrdSysThread::Run(&tid, XrdTlsCrl::Refresh, (void *)pImpl,
1091  0, "CRL Refresh")))
1092  {char eBuff[512];
1093  snprintf(eBuff, sizeof(eBuff),
1094  "Unable to start CRL refresh thread; rc=%d", rc);
1095  XrdTls::Emsg("CrlRefresh:", eBuff, false);
1096  pImpl->crlMutex.UnLock();
1097  return false;
1098  } else pImpl->crlRunning = true;
1099  pImpl->crlMutex.UnLock();
1100  }
1101 
1102 // All done
1103 //
1104  return true;
1105 
1106 #else
1107 // We use features present on OpenSSL 1.02 and above to implement crl refresh.
1108 // Older version are too difficult to deal with. Issue a message if this
1109 // feature is being enabled on an old version.
1110 //
1111  XrdTls::Emsg("CrlRefresh:", "Refreshing CRLs only supported in "
1112  "OpenSSL version >= 1.02; CRL refresh disabled!", false);
1113  return false;
1114 #endif
1115 }
static int Run(pthread_t *, void *(*proc)(void *), void *arg, int opts=0, const char *desc=0)
static const int DEFAULT_CRL_REF_INT_SEC
Default CRL refresh interval in seconds.
static void Emsg(const char *tid, const char *msg=0, bool flush=true)
Definition: XrdTls.cc:104
void * Refresh(void *parg)

References XrdTlsContextImpl::crlMutex, XrdTlsContext::CTX_Params::crlRT, XrdTlsContextImpl::crlRunning, DEFAULT_CRL_REF_INT_SEC, XrdTls::Emsg(), XrdTlsContextImpl::Parm, XrdTlsCrl::Refresh(), XrdSysThread::Run(), XrdSysRWLock::UnLock(), and XrdSysRWLock::WriteLock().

Referenced by XrdTlsContext().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ SetDefaultCiphers()

void XrdTlsContext::SetDefaultCiphers ( const char *  ciphers)
static

Set allowed default ciphers.

Parameters
ciphersThe colon separated list of allowable ciphers.

Definition at line 1056 of file XrdTlsContext.cc.

1057 {
1058  sslCiphers = ciphers;
1059 }

◆ SetTlsClientAuth()

bool XrdTlsContext::SetTlsClientAuth ( ClientAuthSetting  setting)

Indicate how the server should handle TLS client authentication.

Parameters
settingkOn: All clients will be asked to send a TLS client certificate kOff: No clients will be asked to send a TLS client certificate;
Returns
True if the client auth was configured; False on failure.

Note the TLS connection will not fail if the client is asked for a cert but none are provided.

Definition at line 1143 of file XrdTlsContext.cc.

1143  {
1144 
1145  bool LogVF = (pImpl->opts & logVF) != 0;
1146  switch (setting) {
1147  case kOn:
1148  SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_PEER, (LogVF ? VerCB : 0));
1149  break;
1150  case kOff:
1151  SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_NONE, 0);
1152  break;
1153  default:
1154  return false;
1155  }
1156  return true;
1157 }

References XrdTlsContextImpl::ctx, kOff, kOn, logVF, and XrdTlsContextImpl::opts.

Referenced by XrdHttpProtocol::Process().

+ Here is the caller graph for this function:

◆ x509Verify()

bool XrdTlsContext::x509Verify ( )

Check if certificates are being verified.

Returns
True if certificates are being verified, false otherwise.

Definition at line 1121 of file XrdTlsContext.cc.

1122 {
1123  return !(pImpl->Parm.cadir.empty()) || !(pImpl->Parm.cafile.empty());
1124 }

References XrdTlsContext::CTX_Params::cadir, XrdTlsContext::CTX_Params::cafile, and XrdTlsContextImpl::Parm.

Referenced by XrdTlsSocket::Init(), and XrdTlsCrl::Refresh().

+ Here is the caller graph for this function:

Member Data Documentation

◆ artON

const uint64_t XrdTlsContext::artON = 0x0000002000000000
static

Auto retry Handshake.

Definition at line 262 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlFC

const uint64_t XrdTlsContext::crlFC = 0x000000C000000000
static

Full crl chain checking.

Definition at line 259 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlON

const uint64_t XrdTlsContext::crlON = 0x0000008000000000
static

Enables crl checking.

Definition at line 258 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlRF

const uint64_t XrdTlsContext::crlRF = 0x00000000ffff0000
static

Mask to isolate crl refresh in min.

Definition at line 260 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlRS

const int XrdTlsContext::crlRS = 16
static

Bits to shift vdept.

Definition at line 261 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ DEFAULT_CRL_REF_INT_SEC

const int XrdTlsContext::DEFAULT_CRL_REF_INT_SEC = 8 * 60 * 60
static

Default CRL refresh interval in seconds.

Definition at line 66 of file XrdTlsContext.hh.

Referenced by SetCrlRefresh().

◆ dnsok

const uint64_t XrdTlsContext::dnsok = 0x0000000200000000
static

Trust DNS for host name.

Definition at line 255 of file XrdTlsContext.hh.

Referenced by XrdTlsSocket::Init().

◆ hsto

const uint64_t XrdTlsContext::hsto = 0x00000000000000ff
static

Mask to isolate the hsto.

Constructor. Note that you should use isOK() to determine if construction was successful. A false return indicates failure.

Parameters
certPointer to the certificate file to be used. If nil, a generic context is created for client use.
keyPointer to the private key flle to be used. It must correspond to the certificate file. If nil, it is assumed that the key is contained in the cert file.
cadirpath to the directory containing the CA certificates.
cafilepath to the file containing the CA certificates.
optsProcessing options (or'd bitwise): artON - Auto retry handshakes (i.e. block on handshake) crlON - Perform crl check on the leaf node crlFC - Apply crl check to full chain crlRF - Initial crl refresh interval in minutes. dnsok - trust DNS when verifying hostname. hsto - the handshake timeout value in seconds. logVF - Turn on verification failure logging. nopxy - Do not allow proxy cert (normally allowed) servr - This is a server-side context and x509 peer certificate validation may be turned off. vdept - The maximum depth of the certificate chain that must be validated (max is 255).
eMsgIf non-zero, the reason for the failure is returned,
Note
a) If neither cadir nor cafile is specified, certificate validation is not performed if and only if the servr option is specified. Otherwise, the cadir value is obtained from the X509_CERT_DIR envar and the cafile value is obtained from the X509_CERT_File envar. If both are nil, context creation fails. b) Additionally for client-side contructions, if cert or key is not specified their locations come from X509_USER_PROXY and X509_USER_KEY. These may be nil in which case a generic context is created with a local key-pair and no certificate. c) You should immediately call isOK() after instantiating this object. A return value of false means that construction failed. d) Failure messages are routed to the message callback function during construction. e) While the crl refresh interval is set you must engage it by calling crlRefresh() so as to avoid unnecessary refresh threads.

Definition at line 250 of file XrdTlsContext.hh.

Referenced by XrdTlsSocket::Init().

◆ logVF

const uint64_t XrdTlsContext::logVF = 0x0000000800000000
static

Log verify failures.

Definition at line 253 of file XrdTlsContext.hh.

Referenced by XrdConfig::XrdConfig(), XrdTlsContext(), and SetTlsClientAuth().

◆ nopxy

const uint64_t XrdTlsContext::nopxy = 0x0000000100000000
static

Do not allow proxy certs.

Definition at line 256 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ rfCRL

const uint64_t XrdTlsContext::rfCRL = 0x0000004000000000
static

Turn on the CRL refresh thread.

Definition at line 257 of file XrdTlsContext.hh.

Referenced by XrdTlsContext(), and Clone().

◆ scClnt

const int XrdTlsContext::scClnt = 0x00040000
static

Turn on cache client mode.

Definition at line 135 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scFMax

const int XrdTlsContext::scFMax = 0x00007fff
static

Maximum flush interval in seconds When 0 keeps the current setting

Definition at line 138 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scIdErr

const int XrdTlsContext::scIdErr = 0x80000000
static

Info: Id not set, is too long.

Definition at line 137 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scKeep

const int XrdTlsContext::scKeep = 0x40000000
static

Info: TLS-controlled flush disabled.

Definition at line 136 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scNone

const int XrdTlsContext::scNone = 0x00000000
static

Do not change any option settings.

Get or set session cache parameters for generated sessions.

Parameters
optsOne or more bit or'd options (see below).
idThe identifier to be used (may be nil to keep setting).
idlenThe length of the identifier (may be zero as above).
Returns
The cache settings prior to any changes are returned. When setting the id, the scIdErr may be returned if the name is too long. If the context has been pprroperly initialized, zero is returned. By default, the session cache is disabled as it is impossible to verify a peer certificate chain when a cached session is reused.

Definition at line 132 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scOff

const int XrdTlsContext::scOff = 0x00010000
static

Turn off cache.

Definition at line 133 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scSrvr

const int XrdTlsContext::scSrvr = 0x00020000
static

Turn on cache server mode (default)

Definition at line 134 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ servr

const uint64_t XrdTlsContext::servr = 0x0000000400000000
static

This is a server context.

Definition at line 254 of file XrdTlsContext.hh.

Referenced by XrdConfig::XrdConfig(), and XrdTlsContext().

◆ vdepS

const int XrdTlsContext::vdepS = 8
static

Bits to shift vdept.

Definition at line 252 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ vdept

const uint64_t XrdTlsContext::vdept = 0x000000000000ff00
static

Mask to isolate vdept.

Definition at line 251 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().


The documentation for this class was generated from the following files: