#include <XrdTlsContext.hh>
Classes | |
struct | CTX_Params |
Public Types | |
enum | ClientAuthSetting { kOn , kOff } |
Public Member Functions | |
XrdTlsContext (const char *cert=0, const char *key=0, const char *cadir=0, const char *cafile=0, uint64_t opts=0, std::string *eMsg=0) | |
XrdTlsContext (const XrdTlsContext &ctx)=delete | |
Disallow any copies of this object. More... | |
XrdTlsContext (XrdTlsContext &&ctx)=delete | |
~XrdTlsContext () | |
Destructor. More... | |
XrdTlsContext * | Clone (bool full=true, bool startCRLRefresh=false) |
void * | Context () |
const CTX_Params * | GetParams () |
bool | isOK () |
bool | newHostCertificateDetected () |
XrdTlsContext & | operator= (const XrdTlsContext &ctx)=delete |
XrdTlsContext & | operator= (XrdTlsContext &&ctx)=delete |
void * | Session () |
int | SessionCache (int opts=scNone, const char *id=0, int idlen=0) |
bool | SetContextCiphers (const char *ciphers) |
bool | SetCrlRefresh (int refsec=-1) |
bool | SetTlsClientAuth (ClientAuthSetting setting) |
bool | x509Verify () |
Static Public Member Functions | |
static const char * | Init () |
static void | SetDefaultCiphers (const char *ciphers) |
Static Public Attributes | |
static const uint64_t | artON = 0x0000002000000000 |
Auto retry Handshake. More... | |
static const uint64_t | crlFC = 0x000000C000000000 |
Full crl chain checking. More... | |
static const uint64_t | crlON = 0x0000008000000000 |
Enables crl checking. More... | |
static const uint64_t | crlRF = 0x00000000ffff0000 |
Mask to isolate crl refresh in min. More... | |
static const int | crlRS = 16 |
Bits to shift crlRF (the crl refresh interval field). More... | |
static const int | DEFAULT_CRL_REF_INT_SEC = 8 * 60 * 60 |
Default CRL refresh interval in seconds. More... | |
static const uint64_t | dnsok = 0x0000000200000000 |
Trust DNS for host name. More... | |
static const uint64_t | hsto = 0x00000000000000ff |
Mask to isolate the hsto. More... | |
static const uint64_t | logVF = 0x0000000800000000 |
Log verify failures. More... | |
static const uint64_t | nopxy = 0x0000000100000000 |
Do not allow proxy certs. More... | |
static const uint64_t | rfCRL = 0x0000004000000000 |
Turn on the CRL refresh thread. More... | |
static const int | scClnt = 0x00040000 |
Turn on cache client mode. More... | |
static const int | scFMax = 0x00007fff |
static const int | scIdErr = 0x80000000 |
Info: Id not set, is too long. More... | |
static const int | scKeep = 0x40000000 |
Info: TLS-controlled flush disabled. More... | |
static const int | scNone = 0x00000000 |
Do not change any option settings. More... | |
static const int | scOff = 0x00010000 |
Turn off cache. More... | |
static const int | scSrvr = 0x00020000 |
Turn on cache server mode (default) More... | |
static const uint64_t | servr = 0x0000000400000000 |
This is a server context. More... | |
static const int | vdepS = 8 |
Bits to shift vdept. More... | |
static const uint64_t | vdept = 0x000000000000ff00 |
Mask to isolate vdept. More... | |
Definition at line 36 of file XrdTlsContext.hh.
XrdTlsContext::XrdTlsContext | ( | const char * | cert = 0 , |
const char * | key = 0 , |
||
const char * | cadir = 0 , |
||
const char * | cafile = 0 , |
||
uint64_t | opts = 0 , |
||
std::string * | eMsg = 0 |
||
) |
Definition at line 577 of file XrdTlsContext.cc.
References artON, XrdTlsContext::CTX_Params::cadir, XrdTlsContext::CTX_Params::cafile, XrdTlsContext::CTX_Params::cert, crlFC, crlON, crlRF, crlRS, XrdTlsContext::CTX_Params::crlRT, XrdTlsContextImpl::ctx, XrdTls::dbgALL, XrdTls::dbgCTX, XrdTls::dbgOUT, XrdTls::dbgSIO, XrdTls::dbgSOK, emsg(), FATAL, FATAL_SSL, XrdOucUtils::getModificationTime(), Init(), XrdTlsContextImpl::lastCertModTime, logVF, nopxy, opts, XrdTlsContextImpl::opts, XrdTlsContext::CTX_Params::opts, XrdTlsContextImpl::Parm, XrdTlsContext::CTX_Params::pkey, rfCRL, servr, SetCrlRefresh(), XrdTls::SetDebug(), Stat, stat(), vdepS, and vdept.
Referenced by Clone().
XrdTlsContext::~XrdTlsContext | ( | ) |
Destructor.
Definition at line 785 of file XrdTlsContext.cc.
References XrdTlsContextImpl::crlMutex, XrdTlsContextImpl::crlRunning, XrdTlsContextImpl::flsRunning, XrdTlsContextImpl::owner, XrdSysRWLock::UnLock(), and XrdSysRWLock::WriteLock().
Referenced by Clone().
|
delete |
Disallow any copies of this object.
|
delete |
XrdTlsContext * XrdTlsContext::Clone | ( | bool | full = true , |
bool | startCRLRefresh = false |
||
) |
Clone a new context from this context.
full | When true the complete context is cloned. When false, a context with no peer verification is cloned. |
Definition at line 801 of file XrdTlsContext.cc.
References XrdTlsContext(), ~XrdTlsContext(), XrdTlsContext::CTX_Params::cadir, XrdTlsContext::CTX_Params::cafile, XrdTlsContext::CTX_Params::cert, isOK(), XrdTlsContext::CTX_Params::opts, XrdTlsContextImpl::Parm, XrdTlsContext::CTX_Params::pkey, rfCRL, SessionCache(), XrdTlsContextImpl::sessionCacheId, and XrdTlsContextImpl::sessionCacheOpts.
Referenced by XrdTlsCrl::Refresh().
void * XrdTlsContext::Context | ( | ) |
Get the underlying context (should not be used).
Definition at line 843 of file XrdTlsContext.cc.
References XrdTlsContextImpl::ctx.
const XrdTlsContext::CTX_Params * XrdTlsContext::GetParams | ( | ) |
Definition at line 852 of file XrdTlsContext.cc.
References XrdTlsContextImpl::Parm.
Referenced by XrdTlsSocket::Init().
|
static |
Simply initialize the TLS library.
Definition at line 861 of file XrdTlsContext.cc.
References XrdCl::InitTLS().
Referenced by XrdCryptosslFactory::XrdCryptosslFactory(), XrdTlsContext(), and XrdCryptoLite_New_bf32().
bool XrdTlsContext::isOK | ( | ) |
Determine if this object was correctly built.
Definition at line 880 of file XrdTlsContext.cc.
References XrdTlsContextImpl::ctx.
Referenced by Clone(), and XrdTlsCrl::Refresh().
bool XrdTlsContext::newHostCertificateDetected | ( | ) |
Definition at line 1126 of file XrdTlsContext.cc.
References XrdTlsContext::CTX_Params::cert, XrdOucUtils::getModificationTime(), XrdTlsContextImpl::lastCertModTime, and XrdTlsContextImpl::Parm.
Referenced by XrdTlsCrl::Refresh().
|
delete |
|
delete |
void * XrdTlsContext::Session | ( | ) |
Apply this context to obtain a new SSL session.
Definition at line 895 of file XrdTlsContext.cc.
References XrdTlsContextImpl::crlMutex, XrdTlsContextImpl::ctx, XrdTlsContextImpl::ctxnew, DBG_CTX, EPNAME, XrdSysRWLock::ReadLock(), XrdSysRWLock::UnLock(), and XrdSysRWLock::WriteLock().
Referenced by XrdTlsSocket::Init(), and XrdHttpProtocol::Process().
int XrdTlsContext::SessionCache | ( | int | opts = scNone , |
const char * | id = 0 , |
||
int | idlen = 0 |
||
) |
Definition at line 981 of file XrdTlsContext.cc.
References XrdTlsContextImpl::ctx, XrdTlsContextImpl::flushT, opts, scClnt, scFMax, scIdErr, scKeep, scNone, scOff, scSrvr, XrdTlsContextImpl::sessionCacheId, XrdTlsContextImpl::sessionCacheOpts, and XrdTlsFlush::Setup_Flusher().
Referenced by Clone().
bool XrdTlsContext::SetContextCiphers | ( | const char * | ciphers | ) |
Set allowed ciphers for this context.
ciphers | The colon separated list of allowable ciphers. |
Definition at line 1042 of file XrdTlsContext.cc.
References XrdTlsContextImpl::ctx, and Fatal().
bool XrdTlsContext::SetCrlRefresh | ( | int | refsec = -1 | ) |
Set CRL refresh time. By default, CRL's are not refreshed.
refsec | >0: The number of seconds between refreshes. A value less than 60 sets it to 60. =0: Stops automatic refreshing. <0: Starts automatic refreshing with the current setting if it has not already been started. |
Definition at line 1065 of file XrdTlsContext.cc.
References XrdTlsContextImpl::crlMutex, XrdTlsContext::CTX_Params::crlRT, XrdTlsContextImpl::crlRunning, DEFAULT_CRL_REF_INT_SEC, XrdTls::Emsg(), XrdTlsContextImpl::Parm, XrdTlsCrl::Refresh(), XrdSysThread::Run(), XrdSysRWLock::UnLock(), and XrdSysRWLock::WriteLock().
Referenced by XrdTlsContext().
|
static |
Set allowed default ciphers.
ciphers | The colon separated list of allowable ciphers. |
Definition at line 1056 of file XrdTlsContext.cc.
bool XrdTlsContext::SetTlsClientAuth | ( | ClientAuthSetting | setting | ) |
Indicate how the server should handle TLS client authentication.
setting | kOn: all clients will be asked to send a TLS client certificate. kOff: no clients will be asked to send a TLS client certificate. |
Note that the TLS connection will not fail if the client is asked for a certificate but does not provide one; the server requests the certificate but does not require it.
Definition at line 1143 of file XrdTlsContext.cc.
References XrdTlsContextImpl::ctx, kOff, kOn, logVF, and XrdTlsContextImpl::opts.
Referenced by XrdHttpProtocol::Process().
bool XrdTlsContext::x509Verify | ( | ) |
Check if certificates are being verified.
Definition at line 1121 of file XrdTlsContext.cc.
References XrdTlsContext::CTX_Params::cadir, XrdTlsContext::CTX_Params::cafile, and XrdTlsContextImpl::Parm.
Referenced by XrdTlsSocket::Init(), and XrdTlsCrl::Refresh().
|
static |
Auto retry Handshake.
Definition at line 262 of file XrdTlsContext.hh.
Referenced by XrdTlsContext().
|
static |
Full crl chain checking.
Definition at line 259 of file XrdTlsContext.hh.
Referenced by XrdTlsContext().
|
static |
Enables crl checking.
Definition at line 258 of file XrdTlsContext.hh.
Referenced by XrdTlsContext().
|
static |
Mask to isolate crl refresh in min.
Definition at line 260 of file XrdTlsContext.hh.
Referenced by XrdTlsContext().
|
static |
Bits to shift crlRF (the crl refresh interval field).
Definition at line 261 of file XrdTlsContext.hh.
Referenced by XrdTlsContext().
|
static |
Default CRL refresh interval in seconds.
Definition at line 66 of file XrdTlsContext.hh.
Referenced by SetCrlRefresh().
|
static |
Trust DNS for host name.
Definition at line 255 of file XrdTlsContext.hh.
Referenced by XrdTlsSocket::Init().
|
static |
Mask to isolate the hsto.
Constructor. Note that you should use isOK() to determine if construction was successful. A false return indicates failure.
cert | Pointer to the certificate file to be used. If nil, a generic context is created for client use. |
key | Pointer to the private key file to be used. It must correspond to the certificate file. If nil, it is assumed that the key is contained in the cert file. |
cadir | path to the directory containing the CA certificates. |
cafile | path to the file containing the CA certificates. |
opts | Processing options (bitwise or'd): artON - auto retry handshakes (i.e. block on handshake); crlON - perform CRL check on the leaf node; crlFC - apply CRL check to the full chain; crlRF - initial CRL refresh interval in minutes; dnsok - trust DNS when verifying the hostname; hsto - the handshake timeout value in seconds; logVF - turn on verification failure logging; nopxy - do not allow proxy certs (normally allowed); servr - this is a server-side context and x509 peer certificate validation may be turned off; vdept - the maximum depth of the certificate chain that must be validated (max is 255). |
eMsg | If non-nil, the reason for any failure is returned in this string. |
Definition at line 250 of file XrdTlsContext.hh.
Referenced by XrdTlsSocket::Init().
|
static |
Log verify failures.
Definition at line 253 of file XrdTlsContext.hh.
Referenced by XrdConfig::XrdConfig(), XrdTlsContext(), and SetTlsClientAuth().
|
static |
Do not allow proxy certs.
Definition at line 256 of file XrdTlsContext.hh.
Referenced by XrdTlsContext().
|
static |
Turn on the CRL refresh thread.
Definition at line 257 of file XrdTlsContext.hh.
Referenced by XrdTlsContext(), and Clone().
|
static |
Turn on cache client mode.
Definition at line 135 of file XrdTlsContext.hh.
Referenced by SessionCache().
|
static |
Maximum flush interval in seconds. When 0, the current setting is kept.
Definition at line 138 of file XrdTlsContext.hh.
Referenced by SessionCache().
|
static |
Info: Id not set, is too long.
Definition at line 137 of file XrdTlsContext.hh.
Referenced by SessionCache().
|
static |
Info: TLS-controlled flush disabled.
Definition at line 136 of file XrdTlsContext.hh.
Referenced by SessionCache().
|
static |
Do not change any option settings.
Get or set session cache parameters for generated sessions.
opts | One or more bit or'd options (see below). |
id | The identifier to be used (may be nil to keep setting). |
idlen | The length of the identifier (may be zero as above). |
Definition at line 132 of file XrdTlsContext.hh.
Referenced by SessionCache().
|
static |
|
static |
Turn on cache server mode (default)
Definition at line 134 of file XrdTlsContext.hh.
Referenced by SessionCache().
|
static |
This is a server context.
Definition at line 254 of file XrdTlsContext.hh.
Referenced by XrdConfig::XrdConfig(), and XrdTlsContext().
|
static |
Bits to shift vdept.
Definition at line 252 of file XrdTlsContext.hh.
Referenced by XrdTlsContext().
|
static |
Mask to isolate vdept.
Definition at line 251 of file XrdTlsContext.hh.
Referenced by XrdTlsContext().