1 #ifndef __XRD_TLSCONTEXT_HH__
2 #define __XRD_TLSCONTEXT_HH__
3 //------------------------------------------------------------------------------
4 // Copyright (c) 2011-2018 by European Organization for Nuclear Research (CERN)
5 // Author: Michal Simon <simonm@cern.ch>
6 //------------------------------------------------------------------------------
7 // XRootD is free software: you can redistribute it and/or modify
8 // it under the terms of the GNU Lesser General Public License as published by
9 // the Free Software Foundation, either version 3 of the License, or
10 // (at your option) any later version.
11 //
12 // XRootD is distributed in the hope that it will be useful,
13 // but WITHOUT ANY WARRANTY; without even the implied warranty of
14 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 // GNU General Public License for more details.
16 //
17 // You should have received a copy of the GNU Lesser General Public License
18 // along with XRootD. If not, see <http://www.gnu.org/licenses/>.
19 //------------------------------------------------------------------------------
20 
21 #include <cstdint>
22 #include <string>
23 
24 //----------------------------------------------------------------------------
25 // Forward declarations
26 //----------------------------------------------------------------------------
27 
28 class XrdSysLogger;
29 struct XrdTlsContextImpl;
30 struct XrdTlsSocket;
31 
32 /******************************************************************************/
33 /* X r d T l s C o n t e x t */
34 /******************************************************************************/
35 
37 {
38 public:
39 
40 //------------------------------------------------------------------------
53 //------------------------------------------------------------------------
54 
55 XrdTlsContext *Clone(bool full=true, bool startCRLRefresh = false);
56 
57 //------------------------------------------------------------------------
61 //------------------------------------------------------------------------
62 
63 void *Context();
64 
66 static const int DEFAULT_CRL_REF_INT_SEC = 8 * 60 * 60;
67 
68 //------------------------------------------------------------------------
72 //------------------------------------------------------------------------
73 
74 struct CTX_Params
75  {std::string cert;
76  std::string pkey;
77  std::string cadir;
78  std::string cafile;
79  uint64_t opts;
80  int crlRT;
81  int rsvd;
82 
85  };
86 
87 const
88 CTX_Params *GetParams();
89 
90 //------------------------------------------------------------------------
98 //------------------------------------------------------------------------
99 static
100 const char *Init();
101 
102 //------------------------------------------------------------------------
106 //------------------------------------------------------------------------
107 
108 bool isOK();
109 
110 //------------------------------------------------------------------------
114 //------------------------------------------------------------------------
115 
116 void *Session();
117 
118 //------------------------------------------------------------------------
130 //------------------------------------------------------------------------
131 
132 static const int scNone = 0x00000000;
133 static const int scOff = 0x00010000;
134 static const int scSrvr = 0x00020000;
135 static const int scClnt = 0x00040000;
136 static const int scKeep = 0x40000000;
137 static const int scIdErr= 0x80000000;
138 static const int scFMax = 0x00007fff;
140 
141  int SessionCache(int opts=scNone, const char *id=0, int idlen=0);
142 
143 //------------------------------------------------------------------------
150 //------------------------------------------------------------------------
151 
152 bool SetContextCiphers(const char *ciphers);
153 
154 //------------------------------------------------------------------------
158 //------------------------------------------------------------------------
159 static
160 void SetDefaultCiphers(const char *ciphers);
161 
162 //------------------------------------------------------------------------
172 //------------------------------------------------------------------------
173 
174  bool SetCrlRefresh(int refsec=-1);
175 
179 };
180 
181 //------------------------------------------------------------------------
193 //------------------------------------------------------------------------
194 
195  bool SetTlsClientAuth(ClientAuthSetting setting);
196 
197 //------------------------------------------------------------------------
201 //------------------------------------------------------------------------
202 
203  bool x509Verify();
204 
206 
207 //------------------------------------------------------------------------
248 //------------------------------------------------------------------------
249 
250 static const uint64_t hsto = 0x00000000000000ff;
251 static const uint64_t vdept = 0x000000000000ff00;
252 static const int vdepS = 8;
253 static const uint64_t logVF = 0x0000000800000000;
254 static const uint64_t servr = 0x0000000400000000;
255 static const uint64_t dnsok = 0x0000000200000000;
256 static const uint64_t nopxy = 0x0000000100000000;
257 static const uint64_t rfCRL = 0x0000004000000000;
258 static const uint64_t crlON = 0x0000008000000000;
259 static const uint64_t crlFC = 0x000000C000000000;
260 static const uint64_t crlRF = 0x00000000ffff0000;
261 static const int crlRS = 16;
262 static const uint64_t artON = 0x0000002000000000;
263 
264  XrdTlsContext(const char *cert=0, const char *key=0,
265  const char *cadir=0, const char *cafile=0,
266  uint64_t opts=0, std::string *eMsg=0);
267 
268 //------------------------------------------------------------------------
270 //------------------------------------------------------------------------
271 
272  ~XrdTlsContext();
273 
274 //------------------------------------------------------------------------
276 //------------------------------------------------------------------------
277 
278  XrdTlsContext( const XrdTlsContext &ctx ) = delete;
279  XrdTlsContext( XrdTlsContext &&ctx ) = delete;
280 
281  XrdTlsContext& operator=( const XrdTlsContext &ctx ) = delete;
283 
284 private:
285  XrdTlsContextImpl *pImpl;
286 };
287 
288 /******************************************************************************/
289 /* O p t i o n M a n i p u l a t i o n M a c r o s */
290 /******************************************************************************/
291 
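//------------------------------------------------------------------------
//! Replace the handshake-timeout field (hsto) of a context option word.
//!
//! @param cOpts  Option word (uint64_t, see XrdTlsContext::hsto) whose
//!               hsto bits are replaced; all other bits are preserved.
//! @param hstv   New field value. Only the bits covered by
//!               XrdTlsContext::hsto (0xff, the low 8 bits) are kept;
//!               anything above that is silently dropped, so the caller
//!               must range-check the timeout before storing it.
//! @return The updated option word (an rvalue; cOpts is not modified).
//!
//! Both arguments are parenthesized so that an operand written as an
//! expression (e.g. `a | b`) is not split by the precedence of `&`.
//------------------------------------------------------------------------

#define TLS_SET_HSTO(cOpts,hstv) \
        (((cOpts) & ~XrdTlsContext::hsto) | ((hstv) & XrdTlsContext::hsto))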
301 
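//------------------------------------------------------------------------
//! Replace the CRL refresh-interval field (crlRF) of a context option word.
//!
//! @param cOpts  Option word (uint64_t) whose crlRF bits are replaced;
//!               all other bits are preserved.
//! @param refi   New interval value, stored in the 16-bit field selected
//!               by XrdTlsContext::crlRF after a shift of
//!               XrdTlsContext::crlRS bits. Values above 0xffff are
//!               silently truncated, so the caller must range-check.
//! @return The updated option word (an rvalue; cOpts is not modified).
//!
//! refi is converted to uint64_t before the shift: left-shifting a
//! negative or overflowing `int` is undefined behaviour, whereas the
//! unsigned shift is well defined and yields the same field bits for
//! every in-range value. Arguments are parenthesized against precedence
//! surprises when an expression is passed.
//------------------------------------------------------------------------

#define TLS_SET_REFINT(cOpts,refi) \
        (((cOpts) & ~XrdTlsContext::crlRF) | \
         (XrdTlsContext::crlRF & \
          (static_cast<uint64_t>(refi) << XrdTlsContext::crlRS)))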
313 
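//------------------------------------------------------------------------
//! Replace the certificate verification-depth field (vdept) of a context
//! option word.
//!
//! @param cOpts  Option word (uint64_t) whose vdept bits are replaced;
//!               all other bits are preserved.
//! @param vdv    New depth value, stored in the 8-bit field selected by
//!               XrdTlsContext::vdept after a shift of
//!               XrdTlsContext::vdepS bits. Values above 0xff are
//!               silently truncated, so the caller must range-check.
//! @return The updated option word (an rvalue; cOpts is not modified).
//!
//! vdv is converted to uint64_t before the shift so that a negative or
//! overflowing `int` argument cannot trigger undefined behaviour; for
//! in-range values the resulting field bits are unchanged. Arguments are
//! parenthesized against precedence surprises when an expression is
//! passed.
//------------------------------------------------------------------------

#define TLS_SET_VDEPTH(cOpts,vdv) \
        (((cOpts) & ~XrdTlsContext::vdept) | \
         (XrdTlsContext::vdept & \
          (static_cast<uint64_t>(vdv) << XrdTlsContext::vdepS)))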
325 
326 #endif // __XRD_TLSCONTEXT_HH__
#define eMsg(x)
struct myOpts opts
static const int scIdErr
Info: Id not set, is too long.
XrdTlsContext & operator=(XrdTlsContext &&ctx)=delete
XrdTlsContext * Clone(bool full=true, bool startCRLRefresh=false)
~XrdTlsContext()
Destructor.
static const uint64_t hsto
Mask to isolate the hsto.
static const uint64_t vdept
Mask to isolate vdept.
static const int crlRS
Bits to shift crlRF (the crl refresh interval field).
int SessionCache(int opts=scNone, const char *id=0, int idlen=0)
static void SetDefaultCiphers(const char *ciphers)
XrdTlsContext(const char *cert=0, const char *key=0, const char *cadir=0, const char *cafile=0, uint64_t opts=0, std::string *eMsg=0)
static const int scClnt
Turn on cache client mode.
static const int DEFAULT_CRL_REF_INT_SEC
Default CRL refresh interval in seconds.
static const uint64_t servr
This is a server context.
static const uint64_t rfCRL
Turn on the CRL refresh thread.
static const int scKeep
Info: TLS-controlled flush disabled.
static const uint64_t nopxy
Do not allow proxy certs.
bool SetTlsClientAuth(ClientAuthSetting setting)
static const int scNone
Do not change any option settings.
XrdTlsContext(const XrdTlsContext &ctx)=delete
Disallow any copies of this object.
static const uint64_t logVF
Log verify failures.
static const uint64_t crlFC
Full crl chain checking.
static const uint64_t crlON
Enables crl checking.
static const uint64_t artON
Auto retry Handshake.
void * Session()
void * Context()
XrdTlsContext(XrdTlsContext &&ctx)=delete
static const int vdepS
Bits to shift vdept.
const CTX_Params * GetParams()
static const int scOff
Turn off cache.
static const uint64_t dnsok
Trust DNS for host name.
static const char * Init()
bool newHostCertificateDetected()
XrdTlsContext & operator=(const XrdTlsContext &ctx)=delete
bool SetContextCiphers(const char *ciphers)
static const int scFMax
bool SetCrlRefresh(int refsec=-1)
static const int scSrvr
Turn on cache server mode (default)
static const uint64_t crlRF
Mask to isolate crl refresh in min.
Socket wrapper for TLS I/O.
Definition: XrdTlsSocket.hh:40
std::string cafile
-> ca cert file.
uint64_t opts
Options as passed to the constructor.
std::string cadir
-> ca cert directory.
int crlRT
crl refresh interval time in seconds
std::string pkey
-> private key path.
std::string cert
-> certificate path.