#include <XrdTlsContext.hh>

Collaboration diagram for XrdTlsContext:

Classes
struct	CTX_Params

Public Member Functions
	XrdTlsContext (const char cert=0, const char key=0, const char cadir=0, const char cafile=0, uint64_t opts=0, std::string *eMsg=0)

	XrdTlsContext (const XrdTlsContext &ctx)=delete
	Disallow any copies of this object.

	XrdTlsContext (XrdTlsContext &&ctx)=delete

	~XrdTlsContext ()
	Destructor.

XrdTlsContext *	Clone (bool full=true, bool startCRLRefresh=false)

void *	Context ()

const CTX_Params *	GetParams ()

bool	isOK ()

bool	newHostCertificateDetected ()

XrdTlsContext &	operator= (const XrdTlsContext &ctx)=delete

XrdTlsContext &	operator= (XrdTlsContext &&ctx)=delete

void *	Session ()

int	SessionCache (int opts=scNone, const char *id=0, int idlen=0)

bool	SetContextCiphers (const char *ciphers)

bool	SetCrlRefresh (int refsec=-1)

void	SetTlsClientAuth (bool setting)

bool	x509Verify ()

Static Public Member Functions
static const char *	Init ()

static void	SetDefaultCiphers (const char *ciphers)

Static Public Attributes
static const uint64_t	artON = 0x0000002000000000
	Auto retry Handshake.

static const uint64_t	clcOF = 0x0000010000000000
	Disable client certificate request.

static const uint64_t	crlAM = 0x0000001000000000
	Allow CA validation when CRL is missing (CRL soft-fail)

static const uint64_t	crlFC = 0x000000C000000000
	Full crl chain checking.

static const uint64_t	crlON = 0x0000008000000000
	Enables crl checking.

static const uint64_t	crlRF = 0x00000000ffff0000
	Mask to isolate crl refresh in min.

static const int	crlRS = 16
	Bits to shift vdept.

static int	ctxIndex = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL)

static const int	DEFAULT_CRL_REF_INT_SEC = 8 * 60 * 60
	Default CRL refresh interval in seconds.

static const uint64_t	dnsok = 0x0000000200000000
	Trust DNS for host name.

static const uint64_t	hsto = 0x00000000000000ff
	Mask to isolate the hsto.

static const uint64_t	logVF = 0x0000000800000000
	Log verify failures.

static const uint64_t	nopxy = 0x0000000100000000
	Do not allow proxy certs.

static const uint64_t	rfCRL = 0x0000004000000000
	Turn on the CRL refresh thread.

static const int	scClnt = 0x00040000
	Turn on cache client mode.

static const int	scFMax = 0x00007fff

static const int	scIdErr = 0x80000000
	Info: Id not set, is too long.

static const int	scKeep = 0x40000000
	Info: TLS-controlled flush disabled.

static const int	scNone = 0x00000000
	Do not change any option settings.

static const int	scOff = 0x00010000
	Turn off cache.

static const int	scSrvr = 0x00020000
	Turn on cache server mode (default)

static const uint64_t	servr = 0x0000000400000000
	This is a server context.

static const int	vdepS = 8
	Bits to shift vdept.

static const uint64_t	vdept = 0x000000000000ff00
	Mask to isolate vdept.

Detailed Description

Definition at line 36 of file XrdTlsContext.hh.

Constructor & Destructor Documentation

◆ XrdTlsContext() [1/3]

XrdTlsContext::XrdTlsContext	(	const char *	cert = 0,
		const char *	key = 0,
		const char *	cadir = 0,
		const char *	cafile = 0,
		uint64_t	opts = 0,
		std::string *	eMsg = 0 )

Definition at line 671 of file XrdTlsContext.cc.

                            : pImpl( new XrdTlsContextImpl(this) )
{
   class ctx_helper
        {public:
 
         void Keep() {ctxLoc = 0;}
 
              ctx_helper(SSL_CTX **ctxP) : ctxLoc(ctxP) {}
             ~ctx_helper() {if (ctxLoc && *ctxLoc)
                               {SSL_CTX_free(*ctxLoc); *ctxLoc = 0;}
                           }
         private:
         SSL_CTX **ctxLoc;
        } ctx_tracker(&pImpl->ctx);
 
   static const uint64_t sslOpts = SSL_OP_ALL
                            | SSL_OP_NO_SSLv2
                            | SSL_OP_NO_SSLv3
                            | SSL_OP_NO_COMPRESSION
                            | SSL_OP_NO_RENEGOTIATION
#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
                            | SSL_OP_IGNORE_UNEXPECTED_EOF
#endif
                            ;
 
   std::string certFN, eText;
   const char *emsg;
 
// Assume we will fail
//
   pImpl->ctx   = 0;
 
// Verify that initialzation has occurred. This is not heavy weight as
// there will usually be no more than two instances of this object.
//
   if (!initDbgDone)
      {XrdSysMutexHelper dbgHelper(dbgMutex);
       if (!initDbgDone)
          {const char *dbg;
           if (!(opts & servr) && (dbg = getenv("XRDTLS_DEBUG")))
              {int dbgOpts = 0;
               if (strstr(dbg, "ctx")) dbgOpts |= XrdTls::dbgCTX;
               if (strstr(dbg, "sok")) dbgOpts |= XrdTls::dbgSOK;
               if (strstr(dbg, "sio")) dbgOpts |= XrdTls::dbgSIO;
               if (!dbgOpts) dbgOpts = XrdTls::dbgALL;
               XrdTls::SetDebug(dbgOpts|XrdTls::dbgOUT);
              }
           if ((emsg = Init())) FATAL(emsg);
           initDbgDone = true;
          }
      }
 
// If no CA cert information is specified and this is not a server context,
// then get the paths from the environment. They must exist as we need to
// verify peer certs in order to verify target host names client-side. We
// also use this setupt to see if we should use a specific cert and key.
//
   if (!(opts & servr))
      {if (!caDir && !caFile)
          {caDir  = getenv("X509_CERT_DIR");
           caFile = getenv("X509_CERT_FILE");
           if (!caDir && !caFile)
              FATAL("No CA cert specified; host identity cannot be verified.");
          }
       if (!key)  key  = getenv("X509_USER_KEY");
       if (!cert) cert = getenv("X509_USER_PROXY");
       if (!cert)
          {struct stat Stat;
           long long int uid = static_cast<long long int>(getuid());
           certFN = std::string("/tmp/x509up_u") + std::to_string(uid);
           if (!stat(certFN.c_str(), &Stat)) cert = certFN.c_str();
          }
      }
 
// Before we try to use any specified files, make sure they exist, are of
// the right type and do not have excessive access privileges.
//                                                                              .a
   if (!VerPaths(cert, key, caDir, caFile, eText)) FATAL( eText.c_str());
 
// Copy parameters to out parm structure.
//
   if (cert)   {
       pImpl->Parm.cert   = cert;
       //This call should not fail as a stat is already performed in the call of VerPaths() above
       XrdOucUtils::getModificationTime(pImpl->Parm.cert.c_str(),pImpl->lastCertModTime);
   }
   if (key)    pImpl->Parm.pkey   = key;
   if (caDir)  pImpl->Parm.cadir  = caDir;
   if (caFile) pImpl->Parm.cafile = caFile;
   pImpl->Parm.opts   = opts;
   if (opts & crlRF) {
       // What we store in crlRF is the time in minutes, convert it back to seconds
       pImpl->Parm.crlRT = static_cast<int>((opts & crlRF) >> crlRS) * 60;
   }
 
// Get the correct method to use for TLS and check if successful create a
// server context that uses the method.
//
   const SSL_METHOD *meth;
   emsg = GetTlsMethod(meth);
   if (emsg) FATAL(emsg);
 
   pImpl->ctx = SSL_CTX_new(meth);
 
// Make sure we have a context here
//
   if (pImpl->ctx == 0) FATAL_SSL("Unable to allocate TLS context!");
 
   //Add the XrdTlsContext object as extra information for OpenSSL callback re-use
   SSL_CTX_set_ex_data(pImpl->ctx, ctxIndex, this);
 
// Always prohibit SSLv2 & SSLv3 as these are not secure.
//
   SSL_CTX_set_options(pImpl->ctx, sslOpts);
 
// Handle session re-negotiation automatically
//
// SSL_CTX_set_mode(pImpl->ctx, sslMode);
 
// Turn off the session cache as it's useless with peer cert chains
//
   SSL_CTX_set_session_cache_mode(pImpl->ctx, SSL_SESS_CACHE_OFF);
 
// Establish the CA cert locations, if specified. Then set the verification
// depth and turn on peer cert validation. For now, we don't set a callback.
// In the future we may to grab debugging information.
//
   if ((caDir || caFile) && !(opts & clcOF))
     {if (!SSL_CTX_load_verify_locations(pImpl->ctx, caFile, caDir))
         FATAL_SSL("Unable to load the CA cert file or directory.");
 
      int vDepth = (opts & vdept) >> vdepS;
      SSL_CTX_set_verify_depth(pImpl->ctx, (vDepth ? vDepth : 9));
 
      bool LogVF = (opts & logVF) != 0;
      bool crlAllowMissingCA = (opts & crlAM) != 0;
 
      if (crlAllowMissingCA || LogVF) {
         SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_PEER, verifyPeerCB);
      } else {
         SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_PEER, 0);
      }
 
      unsigned long xFlags = (opts & nopxy ? 0 : X509_V_FLAG_ALLOW_PROXY_CERTS);
      if (opts & crlON)
         {xFlags |= X509_V_FLAG_CRL_CHECK;
          if (opts & crlFC) xFlags |= X509_V_FLAG_CRL_CHECK_ALL;
         }
      if (opts) X509_STORE_set_flags(SSL_CTX_get_cert_store(pImpl->ctx),xFlags);
     } else {
      SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_NONE, 0);
     }
 
// Set cipher list
//
   if (!SSL_CTX_set_cipher_list(pImpl->ctx, sslCiphers))
      FATAL_SSL("Unable to set SSL cipher list; no supported ciphers.");
 
// If we need to enable eliptic-curve support, do so now. Note that for
// OpenSSL 1.1.0+ this is automatically done for us.
//
#if SSL_CTRL_SET_ECDH_AUTO
   SSL_CTX_set_ecdh_auto(pImpl->ctx, 1);
#endif
 
// We normally handle renegotiation during reads and writes or selective
// prohibit on a SSL socket basis. The calle may request this be applied
// to all SSL's generated from this context. If so, do it here.
//
   if (opts & artON) SSL_CTX_set_mode(pImpl->ctx, SSL_MODE_AUTO_RETRY);
 
// If there is no cert then assume this is a generic context for a client
//
   if (cert == 0)
      {ctx_tracker.Keep();
       return;
      }
 
// We have a cert. If the key is missing then we assume the key is in the
// cert file (ssl will complain if it isn't).
//
   if (!key) key = cert;
 
// Load certificate
//
   if (SSL_CTX_use_certificate_chain_file(pImpl->ctx, cert) != 1)
      FATAL_SSL("Unable to create TLS context; invalid certificate.");
 
// Load the private key
//
   if (key[0] == 'p') {
      if (!EnsureOpenSSLConfigLoaded())
         FATAL_SSL("Unable to load OpenSSL configuration; cannot initialize pkcs11.");
 
#ifdef XRDTLS_HAVE_OSSL_STORE
      // OpenSSL 3.x+: Use OSSL_STORE API with pkcs11-provider in an ISOLATED context
      // This prevents PKCS11 from affecting other TLS operations (e.g., SciTokens library)
      
      OSSL_PROVIDER *defaultProv = nullptr;
      
      // Initialize isolated PKCS11 context
      // This loads the OPENSSL_CONF into an isolated context so PKCS11 doesn't affect
      // other libraries in the process (like SciTokens)
      if (!InitIsolatedPKCS11Context(&pImpl->pkcs11LibCtx, &pImpl->pkcs11Provider, &defaultProv)) {
         FATAL_SSL("Failed to initialize isolated PKCS11 context. Check OPENSSL_CONF and pkcs11-provider installation.");
      }
 
      // Open PKCS11 URI using the isolated context
      OSSL_STORE_CTX *store_ctx = OSSL_STORE_open_ex(key, pImpl->pkcs11LibCtx, nullptr, 
                                                       nullptr, nullptr, nullptr, nullptr, nullptr);
      if (!store_ctx) {
         if (defaultProv) OSSL_PROVIDER_unload(defaultProv);
         FATAL_SSL("Failed to open PKCS11 URI in isolated context.");
      }
 
      EVP_PKEY *priv_key = nullptr;
      while (!OSSL_STORE_eof(store_ctx)) {
         OSSL_STORE_INFO *info = OSSL_STORE_load(store_ctx);
         if (info) {
            int type = OSSL_STORE_INFO_get_type(info);
            if (type == OSSL_STORE_INFO_PKEY) {
               priv_key = OSSL_STORE_INFO_get1_PKEY(info);
               OSSL_STORE_INFO_free(info);
               break;
            }
            OSSL_STORE_INFO_free(info);
         }
      }
      OSSL_STORE_close(store_ctx);
      if (defaultProv) OSSL_PROVIDER_unload(defaultProv);
 
      if (!priv_key)
         FATAL_SSL("Failed to load private key from PKCS11 URI in isolated context.");
 
      if (SSL_CTX_use_PrivateKey(pImpl->ctx, priv_key) != 1) {
         EVP_PKEY_free(priv_key);
         FATAL_SSL("Failed to have SSL context use private key");
      }
      EVP_PKEY_free(priv_key);
 
#elif defined(XRDTLS_HAVE_ENGINE)
      // OpenSSL 1.1.x (EL8): Use ENGINE API with libp11/engine_pkcs11
      ENGINE *e = ENGINE_by_id("pkcs11");
      if (e) {
         const char* modulePath = getenv("PKCS11_MODULE_PATH");
         if (modulePath && modulePath[0]) {
            if (!ENGINE_ctrl_cmd_string(e, "MODULE_PATH", modulePath, 0)) {
               ENGINE_free(e);
               FATAL_SSL("Unable to configure pkcs11 engine MODULE_PATH");
            }
         }
         if(!ENGINE_init(e)) {
            ENGINE_free(e);
            FATAL_SSL("Unable to initialize pkcs11 engine");
         }
      } else {
         FATAL_SSL("Unable to create pkcs11 engine");
      }
      auto priv_key = ENGINE_load_private_key(e, key, nullptr, nullptr);
 
      if (!priv_key) {
         FATAL_SSL("Failed to load private key through engine");
      }
      if (SSL_CTX_use_PrivateKey(pImpl->ctx, priv_key) != 1)
         FATAL_SSL("Failed to have SSL context use private key");
      EVP_PKEY_free(priv_key);
#else
      FATAL_SSL("PKCS11 support not available.");
#endif
 
   } else if (SSL_CTX_use_PrivateKey_file(pImpl->ctx, key, SSL_FILETYPE_PEM) != 1 )
      FATAL_SSL("Unable to create TLS context; invalid private key.");
 
// Make sure the key and certificate file match.
//
   if (SSL_CTX_check_private_key(pImpl->ctx) != 1 )
      FATAL_SSL("Unable to create TLS context; cert-key mismatch.");
 
// All went well, start the CRL refresh thread and keep the context.
//
   if(opts & rfCRL) {
       SetCrlRefresh();
   }
   ctx_tracker.Keep();
}

References artON, clcOF, crlAM, crlFC, crlON, crlRF, crlRS, ctxIndex, XrdTls::dbgALL, XrdTls::dbgCTX, XrdTls::dbgOUT, XrdTls::dbgSIO, XrdTls::dbgSOK, eMsg, emsg(), FATAL, FATAL_SSL, XrdOucUtils::getModificationTime(), Init(), logVF, nopxy, opts, rfCRL, servr, SetCrlRefresh(), XrdTls::SetDebug(), Stat, stat, vdepS, and vdept.

Referenced by XrdTlsContext(), XrdTlsContext(), Clone(), operator=(), operator=(), and Session().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ ~XrdTlsContext()

XrdTlsContext::~XrdTlsContext ( )

Destructor.

Definition at line 964 of file XrdTlsContext.cc.

{
// We can delet eour implementation of there is no refresh thread running. If
// there is then the refresh thread has to delete the implementation.
//
   if (pImpl->crlRunning | pImpl->flsRunning)
      {pImpl->crlMutex.WriteLock();
       pImpl->owner = 0;
       pImpl->crlMutex.UnLock();
      } else delete pImpl;
}

◆ XrdTlsContext() [2/3]

XrdTlsContext::XrdTlsContext ( const XrdTlsContext & ctx )

delete

Disallow any copies of this object.

References XrdTlsContext().

Here is the call graph for this function:

◆ XrdTlsContext() [3/3]

XrdTlsContext::XrdTlsContext ( XrdTlsContext && ctx )

delete

References XrdTlsContext().

Here is the call graph for this function:

Member Function Documentation

◆ Clone()

XrdTlsContext * XrdTlsContext::Clone	(	bool	full = true,
		bool	startCRLRefresh = false )

Clone a new context from this context.

Parameters

full	When true the complete context is cloned. When false, a context with no peer verification is cloned.

Returns: Upon success, the pointer to a new XrdTlsContext is returned. Upon failure, a nil pointer is returned.

Note: The cloned context is identical to the one created by the original constructor. Note that while the crl refresh interval is set, the refresh thread needs to be started by calling crlRefresh(). Also, the session cache is set to off with no identifier.

Definition at line 980 of file XrdTlsContext.cc.

{
  XrdTlsContext::CTX_Params &my = pImpl->Parm;
  const char *cert = (my.cert.size()   ? my.cert.c_str()   : 0);
  const char *pkey = (my.pkey.size()   ? my.pkey.c_str()   : 0);
  const char *caD  = (my.cadir.size()  ? my.cadir.c_str()  : 0);
  const char *caF  = (my.cafile.size() ? my.cafile.c_str() : 0);
 
// If this is a non-full context, get rid of any verification
//
   if (!full) caD = caF = 0;
 
// Cloning simply means getting a object with the old parameters.
//
   uint64_t myOpts = my.opts;
    if(startCRLRefresh){
        myOpts |= XrdTlsContext::rfCRL;
    } else {
        myOpts &= ~XrdTlsContext::rfCRL;
    }
   XrdTlsContext *xtc = new XrdTlsContext(cert, pkey, caD, caF, myOpts);
 
// Verify that the context was built
//
   if (xtc->isOK()) {
       if(pImpl->sessionCacheOpts != -1){
           //A SessionCache() call was done for the current context, so apply it for this new cloned context
           xtc->SessionCache(pImpl->sessionCacheOpts,pImpl->sessionCacheId.c_str(),pImpl->sessionCacheId.size());
       }
       return xtc;
   }
 
// We failed, cleanup.
//
   delete xtc;
   return 0;
}

References XrdTlsContext(), XrdTlsContext::CTX_Params::cadir, XrdTlsContext::CTX_Params::cafile, XrdTlsContext::CTX_Params::cert, isOK(), XrdTlsContext::CTX_Params::opts, XrdTlsContext::CTX_Params::pkey, rfCRL, and SessionCache().

Referenced by XrdTlsCrl::Refresh().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ Context()

void * XrdTlsContext::Context ( )

Get the underlying context (should not be used).

Returns: Pointer to the underlying context.

Definition at line 1022 of file XrdTlsContext.cc.

{
   return pImpl->ctx;
}

◆ GetParams()

const XrdTlsContext::CTX_Params * XrdTlsContext::GetParams ( )

Definition at line 1031 of file XrdTlsContext.cc.

{
  return &pImpl->Parm;
}

Referenced by XrdTlsSocket::Init().

Here is the caller graph for this function:

◆ Init()

const char * XrdTlsContext::Init ( )

static

Simply initialize the TLS library.

Returns: =0 Library initialized. !0 Library not initialized, return string indicates why.

Note: Init() is implicitly called by the contructor. Use this method to use the TLS libraries without instantiating a context.

Definition at line 1040 of file XrdTlsContext.cc.

{
 
// Disallow use if this object unless SSL provides thread-safety!
//
#ifndef OPENSSL_THREADS
   return "Installed OpenSSL lacks the required thread support!";
#endif
 
// Initialize the library (one time call)
//
   InitTLS();
   return 0;
}

Referenced by XrdCryptosslFactory::XrdCryptosslFactory(), and XrdTlsContext().

Here is the caller graph for this function:

◆ isOK()

bool XrdTlsContext::isOK ( )

Determine if this object was correctly built.

Returns: True if this object is usuable and false otherwise.

Definition at line 1059 of file XrdTlsContext.cc.

{
   return pImpl->ctx != 0;
}

Referenced by Clone(), and XrdTlsCrl::Refresh().

Here is the caller graph for this function:

◆ newHostCertificateDetected()

bool XrdTlsContext::newHostCertificateDetected ( )

Definition at line 1288 of file XrdTlsContext.cc.

                                               {
    const std::string certPath = pImpl->Parm.cert;
    if(certPath.empty()) {
        //No certificate provided, should not happen though
        return false;
    }
    time_t modificationTime;
    if(!XrdOucUtils::getModificationTime(certPath.c_str(),modificationTime)){
        if (pImpl->lastCertModTime != modificationTime) {
            //The certificate file has changed
            pImpl->lastCertModTime = modificationTime;
            return true;
        }
    }
    return false;
}

References XrdOucUtils::getModificationTime().

Referenced by XrdTlsCrl::Refresh().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ operator=() [1/2]

XrdTlsContext & XrdTlsContext::operator= ( const XrdTlsContext & ctx )

delete

References XrdTlsContext().

Here is the call graph for this function:

◆ operator=() [2/2]

XrdTlsContext & XrdTlsContext::operator= ( XrdTlsContext && ctx )

delete

References XrdTlsContext().

Here is the call graph for this function:

◆ Session()

void * XrdTlsContext::Session ( )

Apply this context to obtain a new SSL session.

Returns: A pointer to a new SSL session if successful and nil otherwise.

Definition at line 1074 of file XrdTlsContext.cc.

{
   EPNAME("Session");
   SSL *ssl;
 
// Check if we have a refreshed context. If so, we need to replace the X509
// store in the current context with the new one before we create the session.
//
   pImpl->crlMutex.ReadLock();
   if (!(pImpl->ctxnew))
      {ssl = SSL_new(pImpl->ctx);
       pImpl->crlMutex.UnLock();
       return ssl;
      }
 
// Things have changed, so we need to take the long route here. We need to
// replace the x509 cache with the current cache. Get a R/W lock now.
//
   pImpl->crlMutex.UnLock();
   pImpl->crlMutex.WriteLock();
 
// If some other thread beat us to the punch, just return what we have.
//
   if (!(pImpl->ctxnew))
      {ssl = SSL_new(pImpl->ctx);
       pImpl->crlMutex.UnLock();
       return ssl;
      }
 
// Do some tracing
//
   DBG_CTX("Replacing x509 store with new contents.");
 
// Get the new store and set it in our context. Setting the store is black
// magic. For OpenSSL < 1.1, Two stores need to be set with the "set1" variant.
// Newer version only require SSL_CTX_set1_cert_store() to be used.
//
   //We have a new context generated by Refresh, so we must use it.
   XrdTlsContext * ctxnew = pImpl->ctxnew;
 
   /*X509_STORE *newX509 = SSL_CTX_get_cert_store(ctxnew->pImpl->ctx);
   SSL_CTX_set1_verify_cert_store(pImpl->ctx, newX509);
   SSL_CTX_set1_chain_cert_store(pImpl->ctx, newX509);*/
   //The above two macros actually do not replace the certificate that has
   //to be used for that SSL session, so we will create the session with the SSL_CTX * of
   //the TlsContext created by Refresh()
   //First, free the current SSL_CTX, if it is used by any transfer, it will just decrease
   //the reference counter of it. There is therefore no risk of double free...
   SSL_CTX_free(pImpl->ctx);
   pImpl->ctx = ctxnew->pImpl->ctx;
 
   //Update ex_data to point to this (the surviving owner), not the
   //cloned context which is about to be deleted.
   SSL_CTX_set_ex_data(pImpl->ctx, ctxIndex, this);
 
   //In the destructor of XrdTlsContextImpl, SSL_CTX_Free() is
   //called if ctx is != 0. As this new ctx is used by the session
   //we just created, we don't want that to happen. We therefore set it to 0.
   //The SSL_free called on the session will cleanup the context for us.
   ctxnew->pImpl->ctx = 0;
 
// Save the generated context and clear it's presence
//
   XrdTlsContext *ctxold = pImpl->ctxnew;
   pImpl->ctxnew = 0;
 
// Generate a new session (might as well to keep the lock we have)
//
   ssl = SSL_new(pImpl->ctx);
 
// OK, now we can drop all the locks and get rid of the old context
//
   pImpl->crlMutex.UnLock();
   delete ctxold;
   return ssl;
}

References XrdTlsContext(), XrdTlsContextImpl::ctx, ctxIndex, DBG_CTX, and EPNAME.

Referenced by XrdTlsSocket::Init().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ SessionCache()

int XrdTlsContext::SessionCache	(	int	opts = scNone,
		const char *	id = 0,
		int	idlen = 0 )

Definition at line 1155 of file XrdTlsContext.cc.

{
   static const int doSet = scSrvr | scClnt | scOff;
   long sslopt = 0;
   int flushT = opts & scFMax;
 
   pImpl->sessionCacheOpts = opts;
   pImpl->sessionCacheId = id;
 
// If initialization failed there is nothing to do
//
   if (pImpl->ctx == 0) return 0;
 
// Set options as appropriate
//
   if (opts & doSet)
      {if (opts & scOff) sslopt = SSL_SESS_CACHE_OFF;
          else {if (opts & scSrvr) sslopt  = SSL_SESS_CACHE_SERVER;
                if (opts & scClnt) sslopt |= SSL_SESS_CACHE_CLIENT;
               }
      }
 
// Check if we should set any cache options or simply get them
//
   if (!(opts & doSet)) sslopt = SSL_CTX_get_session_cache_mode(pImpl->ctx);
      else {sslopt = SSL_CTX_set_session_cache_mode(pImpl->ctx, sslopt);
            if (opts & scOff) SSL_CTX_set_options(pImpl->ctx, SSL_OP_NO_TICKET);
           }
 
// Compute what he previous cache options were
//
   opts = scNone;
   if (sslopt & SSL_SESS_CACHE_SERVER) opts |= scSrvr;
   if (sslopt & SSL_SESS_CACHE_CLIENT) opts |= scClnt;
   if (!opts) opts = scOff;
   if (sslopt & SSL_SESS_CACHE_NO_AUTO_CLEAR) opts |= scKeep;
   opts |= (static_cast<int>(pImpl->flushT) & scFMax);
 
// Set the id is so wanted
//
   if (id && idlen > 0)
      {if (!SSL_CTX_set_session_id_context(pImpl->ctx,
                                          (unsigned const char *)id,
                                          (unsigned int)idlen)) opts |= scIdErr;
      }
 
// If a flush interval was specified and it is different from what we have
// then reset the flush interval.
//
   if (flushT && flushT != pImpl->flushT)
      XrdTlsFlush::Setup_Flusher(pImpl, flushT);
 
// All done
//
   return opts;
}

References opts, scClnt, scFMax, scIdErr, scKeep, scNone, scOff, scSrvr, and XrdTlsFlush::Setup_Flusher().

Referenced by Clone().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ SetContextCiphers()

bool XrdTlsContext::SetContextCiphers ( const char * ciphers )

Set allowed ciphers for this context.

Parameters

ciphers The colon separated list of allowable ciphers.

Returns: True if at least one cipher can be used; false otherwise. When false is reurned, this context is no longer usable.

Definition at line 1216 of file XrdTlsContext.cc.

{
   if (pImpl->ctx && SSL_CTX_set_cipher_list(pImpl->ctx, ciphers)) return true;
 
   char eBuff[2048];
   snprintf(eBuff,sizeof(eBuff),"Unable to set context ciphers '%s'",ciphers);
   Fatal(0, eBuff, true);
   return false;
}

References Fatal().

Here is the call graph for this function:

◆ SetCrlRefresh()

bool XrdTlsContext::SetCrlRefresh ( int refsec = -1 )

Set CRL refresh time. By default, CRL's are not refreshed.

Parameters

refsec >0: The number of seconds between refreshes. A value less than 60 sets it to 60. =0: Stops automatic refreshing. <0: Starts automatic refreshing with the current setting if it has not already been started.

Returns: True if the CRL refresh thread was started; false otherwise.

Definition at line 1239 of file XrdTlsContext.cc.

{
   pthread_t tid;
   int       rc;
 
// If it's negative or equal to 0, use the current setting
//
   if (refsec <= 0)
      {pImpl->crlMutex.WriteLock();
       refsec = pImpl->Parm.crlRT;
       pImpl->crlMutex.UnLock();
       if (!refsec) refsec = XrdTlsContext::DEFAULT_CRL_REF_INT_SEC;
      }
 
// Make sure this is at least 60 seconds between refreshes
//
// if (refsec < 60) refsec = 60;
 
// We will set the new interval and start a refresh thread if not running.
//
   pImpl->crlMutex.WriteLock();
   pImpl->Parm.crlRT = refsec;
   if (!pImpl->crlRunning)
      {if ((rc = XrdSysThread::Run(&tid, XrdTlsCrl::Refresh, (void *)pImpl,
                                   0, "CRL Refresh")))
          {char eBuff[512];
           snprintf(eBuff, sizeof(eBuff),
                    "Unable to start CRL refresh thread; rc=%d", rc);
           XrdTls::Emsg("CrlRefresh:", eBuff, false);
           pImpl->crlMutex.UnLock();
           return false;
          } else pImpl->crlRunning = true;
       pImpl->crlMutex.UnLock();
      }
 
// All done
//
   return true;
}

References DEFAULT_CRL_REF_INT_SEC, XrdTls::Emsg(), XrdTlsCrl::Refresh(), and XrdSysThread::Run().

Referenced by XrdTlsContext().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ SetDefaultCiphers()

void XrdTlsContext::SetDefaultCiphers ( const char * ciphers )

static

Set allowed default ciphers.

Parameters

ciphers The colon separated list of allowable ciphers.

Definition at line 1230 of file XrdTlsContext.cc.

{
   sslCiphers = ciphers;
}

◆ SetTlsClientAuth()

void XrdTlsContext::SetTlsClientAuth ( bool setting )

Indicate how the server should handle TLS client authentication.

Parameters

setting true: All clients will be asked to send a TLS client certificate. false: No clients will be asked to send a TLS client certificate.

Note the TLS connection will not fail if the client is asked for a cert but none are provided.

Definition at line 1305 of file XrdTlsContext.cc.

                                                 {
    if (setting)
       {pImpl->Parm.opts &= ~clcOF;
       bool LogVF = (pImpl->Parm.opts & logVF) != 0;
       bool crlAllowMissingCA = (pImpl->Parm.opts & crlAM) != 0;
 
       if (LogVF || crlAllowMissingCA)
          SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_PEER, verifyPeerCB);
       else
          SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_PEER, 0);
       } else
       {pImpl->Parm.opts |= clcOF;
        SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_NONE, 0);
       }
}

References clcOF, crlAM, and logVF.

◆ x509Verify()

bool XrdTlsContext::x509Verify ( )

Check if certificates are being verified.

Returns: True if certificates are being verified, false otherwise.

Definition at line 1283 of file XrdTlsContext.cc.

{
   return !(pImpl->Parm.cadir.empty()) || !(pImpl->Parm.cafile.empty());
}

Referenced by XrdTlsSocket::Init(), and XrdTlsCrl::Refresh().

Here is the caller graph for this function:

Member Data Documentation

◆ artON

const uint64_t XrdTlsContext::artON = 0x0000002000000000

static

Auto retry Handshake.

Definition at line 257 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ clcOF

const uint64_t XrdTlsContext::clcOF = 0x0000010000000000

static

Disable client certificate request.

Definition at line 258 of file XrdTlsContext.hh.

Referenced by XrdTlsContext(), and SetTlsClientAuth().

◆ crlAM

const uint64_t XrdTlsContext::crlAM = 0x0000001000000000

static

Allow CA validation when CRL is missing (CRL soft-fail)

Definition at line 255 of file XrdTlsContext.hh.

Referenced by XrdTlsContext(), and SetTlsClientAuth().

◆ crlFC

const uint64_t XrdTlsContext::crlFC = 0x000000C000000000

static

Full crl chain checking.

Definition at line 253 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlON

const uint64_t XrdTlsContext::crlON = 0x0000008000000000

static

Enables crl checking.

Definition at line 252 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlRF

const uint64_t XrdTlsContext::crlRF = 0x00000000ffff0000

static

Mask to isolate crl refresh in min.

Definition at line 254 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ crlRS

const int XrdTlsContext::crlRS = 16

static

Bits to shift vdept.

Definition at line 256 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ ctxIndex

int XrdTlsContext::ctxIndex = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL)

static

Definition at line 261 of file XrdTlsContext.hh.

Referenced by XrdTlsContext(), and Session().

◆ DEFAULT_CRL_REF_INT_SEC

const int XrdTlsContext::DEFAULT_CRL_REF_INT_SEC = 8 * 60 * 60

static

Default CRL refresh interval in seconds.

Definition at line 66 of file XrdTlsContext.hh.

Referenced by XrdTlsContext::CTX_Params::CTX_Params(), and SetCrlRefresh().

◆ dnsok

const uint64_t XrdTlsContext::dnsok = 0x0000000200000000

static

Trust DNS for host name.

Definition at line 249 of file XrdTlsContext.hh.

Referenced by XrdTlsSocket::Init().

◆ hsto

const uint64_t XrdTlsContext::hsto = 0x00000000000000ff

static

Mask to isolate the hsto.

Constructor. Note that you should use isOK() to determine if construction was successful. A false return indicates failure.

Parameters

cert	Pointer to the certificate file to be used. If nil, a generic context is created for client use.
key	Pointer to the private key flle to be used. It must correspond to the certificate file. If nil, it is assumed that the key is contained in the cert file.
cadir	path to the directory containing the CA certificates.
cafile	path to the file containing the CA certificates.
opts	Processing options (or'd bitwise): artON - Auto retry handshakes (i.e. block on handshake) crlON - Perform crl check on the leaf node crlFC - Apply crl check to full chain crlRF - Initial crl refresh interval in minutes. dnsok - trust DNS when verifying hostname. hsto - the handshake timeout value in seconds. logVF - Turn on verification failure logging. nopxy - Do not allow proxy cert (normally allowed) servr - This is a server-side context and x509 peer certificate validation may be turned off. vdept - The maximum depth of the certificate chain that must be validated (max is 255).
eMsg	If non-zero, the reason for the failure is returned,

Note: a) If neither cadir nor cafile is specified, certificate validation is not performed if and only if the servr option is specified. Otherwise, the cadir value is obtained from the X509_CERT_DIR envar and the cafile value is obtained from the X509_CERT_File envar. If both are nil, context creation fails. b) Additionally for client-side contructions, if cert or key is not specified their locations come from X509_USER_PROXY and X509_USER_KEY. These may be nil in which case a generic context is created with a local key-pair and no certificate. c) You should immediately call isOK() after instantiating this object. A return value of false means that construction failed. d) Failure messages are routed to the message callback function during construction. e) While the crl refresh interval is set you must engage it by calling crlRefresh() so as to avoid unnecessary refresh threads.

Definition at line 244 of file XrdTlsContext.hh.

Referenced by XrdTlsSocket::Init().

◆ logVF

const uint64_t XrdTlsContext::logVF = 0x0000000800000000

static

Log verify failures.

Definition at line 247 of file XrdTlsContext.hh.

Referenced by XrdConfig::XrdConfig(), XrdTlsContext(), and SetTlsClientAuth().

◆ nopxy

const uint64_t XrdTlsContext::nopxy = 0x0000000100000000

static

Do not allow proxy certs.

Definition at line 250 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ rfCRL

const uint64_t XrdTlsContext::rfCRL = 0x0000004000000000

static

Turn on the CRL refresh thread.

Definition at line 251 of file XrdTlsContext.hh.

Referenced by XrdTlsContext(), and Clone().

◆ scClnt

const int XrdTlsContext::scClnt = 0x00040000

static

Turn on cache client mode.

Definition at line 135 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scFMax

const int XrdTlsContext::scFMax = 0x00007fff

static

Maximum flush interval in seconds When 0 keeps the current setting

Definition at line 138 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scIdErr

const int XrdTlsContext::scIdErr = 0x80000000

static

Info: Id not set, is too long.

Definition at line 137 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scKeep

const int XrdTlsContext::scKeep = 0x40000000

static

Info: TLS-controlled flush disabled.

Definition at line 136 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scNone

const int XrdTlsContext::scNone = 0x00000000

static

Do not change any option settings.

Get or set session cache parameters for generated sessions.

Parameters

opts	One or more bit or'd options (see below).
id	The identifier to be used (may be nil to keep setting).
idlen	The length of the identifier (may be zero as above).

Returns: The cache settings prior to any changes are returned. When setting the id, the scIdErr may be returned if the name is too long. If the context has been pprroperly initialized, zero is returned. By default, the session cache is disabled as it is impossible to verify a peer certificate chain when a cached session is reused.

Definition at line 132 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scOff

const int XrdTlsContext::scOff = 0x00010000

static

Turn off cache.

Definition at line 133 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ scSrvr

const int XrdTlsContext::scSrvr = 0x00020000

static

Turn on cache server mode (default)

Definition at line 134 of file XrdTlsContext.hh.

Referenced by SessionCache().

◆ servr

const uint64_t XrdTlsContext::servr = 0x0000000400000000

static

This is a server context.

Definition at line 248 of file XrdTlsContext.hh.

Referenced by XrdConfig::XrdConfig(), and XrdTlsContext().

◆ vdepS

const int XrdTlsContext::vdepS = 8

static

Bits to shift vdept.

Definition at line 246 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

◆ vdept

const uint64_t XrdTlsContext::vdept = 0x000000000000ff00

static

Mask to isolate vdept.

Definition at line 245 of file XrdTlsContext.hh.

Referenced by XrdTlsContext().

The documentation for this class was generated from the following files:

Classes

Public Member Functions

Static Public Member Functions

Static Public Attributes

Detailed Description

Constructor & Destructor Documentation

◆ XrdTlsContext() [1/3]

◆ ~XrdTlsContext()

◆ XrdTlsContext() [2/3]

◆ XrdTlsContext() [3/3]

Member Function Documentation

◆ Clone()

◆ Context()

◆ GetParams()

◆ Init()

◆ isOK()

◆ newHostCertificateDetected()

◆ operator=() [1/2]

◆ operator=() [2/2]

◆ Session()

◆ SessionCache()

◆ SetContextCiphers()

◆ SetCrlRefresh()

◆ SetDefaultCiphers()

◆ SetTlsClientAuth()

◆ x509Verify()

Member Data Documentation

◆ artON

◆ clcOF

◆ crlAM

◆ crlFC

◆ crlON

◆ crlRF

◆ crlRS

◆ ctxIndex

◆ DEFAULT_CRL_REF_INT_SEC

◆ dnsok

◆ hsto

◆ logVF

◆ nopxy

◆ rfCRL

◆ scClnt

◆ scFMax

◆ scIdErr

◆ scKeep

◆ scNone

◆ scOff

◆ scSrvr

◆ servr

◆ vdepS

◆ vdept