XRootD
XrdTlsContext.cc
Go to the documentation of this file.
1 //------------------------------------------------------------------------------
2 // Copyright (c) 2011-2018 by European Organization for Nuclear Research (CERN)
3 // Author: Michal Simon <simonm@cern.ch>
4 //------------------------------------------------------------------------------
5 // XRootD is free software: you can redistribute it and/or modify
6 // it under the terms of the GNU Lesser General Public License as published by
7 // the Free Software Foundation, either version 3 of the License, or
8 // (at your option) any later version.
9 //
10 // XRootD is distributed in the hope that it will be useful,
11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 // GNU General Public License for more details.
14 //
15 // You should have received a copy of the GNU Lesser General Public License
16 // along with XRootD. If not, see <http://www.gnu.org/licenses/>.
17 //------------------------------------------------------------------------------
18 
19 #include <cstdio>
20 #include <cstdlib>
21 #include <mutex>
22 
23 // Include OpenSSL config headers first to get feature detection macros
24 #include <openssl/opensslconf.h>
25 #include <openssl/opensslv.h>
26 
27 // PKCS#11 support strategy:
28 // - OpenSSL 3.x+ (EL9+, AlmaLinux 10): Prefer OSSL_STORE API with pkcs11-provider (modern)
29 // Falls back to ENGINE if pkcs11-provider is not installed but engine_pkcs11 is
30 // - OpenSSL 1.1.x (EL8): Use ENGINE API with libp11/engine_pkcs11 (legacy compatibility)
31 
32 // OpenSSL 3.0+ Provider/OSSL_STORE support (preferred for modern systems)
33 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
34  #define XRDTLS_HAVE_OSSL_STORE 1
35  #include <openssl/store.h>
36  #include <openssl/provider.h>
37 #endif
38 
39 // ENGINE API support:
40 // - OpenSSL 1.1.x: Primary method for PKCS#11
41 #if !defined(OPENSSL_NO_ENGINE)
42  #define XRDTLS_HAVE_ENGINE 1
43  #include <openssl/engine.h>
44 #endif
45 
46 #include <openssl/bio.h>
47 #include <openssl/crypto.h>
48 #include <openssl/err.h>
49 #include <openssl/conf.h>
50 #include <openssl/ssl.h>
51 #include <sys/stat.h>
52 
53 #include "XrdOuc/XrdOucUtils.hh"
54 #include "XrdSys/XrdSysRAtomic.hh"
55 #include "XrdSys/XrdSysError.hh"
56 #include "XrdSys/XrdSysPthread.hh"
57 #include "XrdSys/XrdSysTimer.hh"
58 
59 #include "XrdTls/XrdTls.hh"
60 #include "XrdTls/XrdTlsContext.hh"
61 #include "XrdTls/XrdTlsTrace.hh"
62 
63 #if OPENSSL_VERSION_NUMBER >= 0x30400010
64 #define SSL_CTX_flush_sessions SSL_CTX_flush_sessions_ex
65 #endif
66 
67 /******************************************************************************/
68 /* G l o b a l s */
69 /******************************************************************************/
70 
71 namespace XrdTlsGlobal
72 {
73 extern XrdSysTrace SysTrace;
74 };
75 
76 namespace
77 {
78 #ifndef OPENSSL_NO_CONF
79 bool EnsureOpenSSLConfigLoaded()
80 {
81  static std::once_flag configFlag;
82  static bool loadOK = true;
83 
84  std::call_once(configFlag, []() {
85 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
86  if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, nullptr))
87  loadOK = false;
88 #else
89  OPENSSL_config(nullptr);
90 #endif
91  });
92  return loadOK;
93 }
94 #else
95 bool EnsureOpenSSLConfigLoaded()
96 {
97  return false;
98 }
99 #endif
100 
101 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
102 // Initialize an isolated OSSL_LIB_CTX for PKCS11 operations
103 // This prevents PKCS11 from affecting other parts of the process (e.g., SciTokens library)
104 bool InitIsolatedPKCS11Context(OSSL_LIB_CTX **libCtx, OSSL_PROVIDER **pkcs11Prov, OSSL_PROVIDER **defaultProv)
105 {
106  // Create an isolated library context
107  *libCtx = OSSL_LIB_CTX_new();
108  if (!*libCtx) {
109  return false;
110  }
111 
112  // Load the OpenSSL configuration into the isolated context
113  // This allows the pkcs11-provider to be properly configured with module paths, etc.
114  const char *opensslConf = getenv("OPENSSL_CONF");
115  if (opensslConf && opensslConf[0]) {
116  // Load the config file into the isolated context
117  if (!OSSL_LIB_CTX_load_config(*libCtx, opensslConf)) {
118  // Config loading failed, cleanup and return error
119  OSSL_LIB_CTX_free(*libCtx);
120  *libCtx = nullptr;
121  return false;
122  }
123  } else {
124  // No OPENSSL_CONF set, try loading providers manually
125  // Load the default provider in the isolated context (needed for basic crypto)
126  *defaultProv = OSSL_PROVIDER_load(*libCtx, "default");
127  if (!*defaultProv) {
128  OSSL_LIB_CTX_free(*libCtx);
129  *libCtx = nullptr;
130  return false;
131  }
132 
133  // Load the pkcs11 provider in the isolated context
134  *pkcs11Prov = OSSL_PROVIDER_load(*libCtx, "pkcs11");
135  if (!*pkcs11Prov) {
136  OSSL_PROVIDER_unload(*defaultProv);
137  OSSL_LIB_CTX_free(*libCtx);
138  *libCtx = nullptr;
139  *defaultProv = nullptr;
140  return false;
141  }
142  }
143 
144  return true;
145 }
146 #endif
147 }
148 
149 /******************************************************************************/
150 /* X r d T l s C o n t e x t I m p l */
151 /******************************************************************************/
152 
153 struct XrdTlsContextImpl
154 {
155  XrdTlsContextImpl(XrdTlsContext *p)
156  : ctx(0), ctxnew(0), owner(p), flsCVar(0),
157  flushT(0),
158  crlRunning(false), flsRunning(false)
159 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
160  , pkcs11LibCtx(0), pkcs11Provider(0)
161 #endif
162  {}
163  ~XrdTlsContextImpl() {if (ctx) SSL_CTX_free(ctx);
164  if (ctxnew) delete ctxnew;
165  if (flsCVar) delete flsCVar;
166 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
167  if (pkcs11Provider) OSSL_PROVIDER_unload(pkcs11Provider);
168  if (pkcs11LibCtx) OSSL_LIB_CTX_free(pkcs11LibCtx);
169 #endif
170  }
171 
172  SSL_CTX *ctx;
173  XrdTlsContext *ctxnew;
174  XrdTlsContext *owner;
175  XrdTlsContext::CTX_Params Parm;
176  XrdSysRWLock crlMutex;
177  XrdSysCondVar *flsCVar;
178  short flushT;
179  bool crlRunning;
180  bool flsRunning;
181  time_t lastCertModTime = 0;
182  int sessionCacheOpts = -1;
183  std::string sessionCacheId;
184 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
185  OSSL_LIB_CTX *pkcs11LibCtx; // Isolated context for PKCS11
186  OSSL_PROVIDER *pkcs11Provider; // PKCS11 provider handle
187 #endif
188 };
189 
190 /******************************************************************************/
191 /* C r l R e f r e s h S u p p o r t */
192 /******************************************************************************/
193 
194 namespace XrdTlsCrl
195 {
196 // Inital entry for refreshing crls
197 //
198 void *Refresh(void *parg)
199 {
200  EPNAME("Refresh");
201  int sleepTime;
202  bool doreplace;
203 
204 // Get the implementation details
205 //
206  XrdTlsContextImpl *ctxImpl = static_cast<XrdTlsContextImpl*>(parg);
207 
208 // Indicate we have started in the trace record
209 //
210  DBG_CTX("CRL refresh started.")
211 
212 // Do this forever but first get the sleep time
213 //
214 do{ctxImpl->crlMutex.ReadLock();
215  sleepTime = ctxImpl->Parm.crlRT;
216  ctxImpl->crlMutex.UnLock();
217 
218 // We may have been cancelled, in which case we just exit
219 //
220  if (!sleepTime)
221  {ctxImpl->crlMutex.WriteLock();
222  ctxImpl->crlRunning = false;
223  ctxImpl->crlMutex.UnLock();
224  DBG_CTX("CRL refresh ending by request!");
225  return (void *)0;
226  }
227 
228 // Indicate we how long before a refresh
229 //
230  DBG_CTX("CRL refresh will happen in " <<sleepTime <<" seconds.");
231 
232 // Now sleep the request amount of time
233 //
234  XrdSysTimer::Snooze(sleepTime);
235 
236  if (ctxImpl->owner->x509Verify() || ctxImpl->owner->newHostCertificateDetected()) {
237  // Check if this context is still alive. Generally, it never gets deleted.
238  //
239  ctxImpl->crlMutex.WriteLock();
240  if (!ctxImpl->owner) break;
241 
242  // We clone the original, this will give us the latest crls (i.e. refreshed).
243  // We drop the lock while doing so as this may take a long time. This is
244  // completely safe to do because we implicitly own the implementation.
245  //
246  ctxImpl->crlMutex.UnLock();
247  XrdTlsContext *newctx = ctxImpl->owner->Clone();
248 
249  // Verify that the context was properly built
250  //
251  if (!newctx || !newctx->isOK())
252  {XrdTls::Emsg("CrlRefresh:","Refresh of context failed!!!",false);
253  continue;
254  }
255 
256  // OK, set the new context to be used next time Session() is called.
257  //
258  ctxImpl->crlMutex.WriteLock();
259  doreplace = (ctxImpl->ctxnew != 0);
260  if (doreplace) delete ctxImpl->ctxnew;
261  ctxImpl->ctxnew = newctx;
262  ctxImpl->crlMutex.UnLock();
263 
264  // Do some debugging
265  //
266  if (doreplace) {DBG_CTX("CRL refresh created replacement x509 store.");}
267  else {DBG_CTX("CRL refresh created new x509 store.");}
268  }
269  } while(true);
270 
271 // If we are here the context that started us has gone away and we are done
272 //
273  bool keepctx = ctxImpl->flsRunning;
274  ctxImpl->crlRunning = false;
275  ctxImpl->crlMutex.UnLock();
276  if (!keepctx) delete ctxImpl;
277  return (void *)0;
278 }
279 }
280 
281 /******************************************************************************/
282 /* C a c h e F l u s h S u p p o r t */
283 /******************************************************************************/
284 
285 namespace XrdTlsFlush
286 {
287 /******************************************************************************/
288 /* F l u s h e r */
289 /******************************************************************************/
290 // Inital entry for refreshing crls
291 //
292 void *Flusher(void *parg)
293 {
294  EPNAME("Flusher");
295  time_t tStart, tWaited;
296  int flushT, waitT, hits, miss, sesn, tmos;
297  long tNow;
298 
299 // Get the implementation details
300 //
301  XrdTlsContextImpl *ctxImpl = static_cast<XrdTlsContextImpl*>(parg);
302 
303 // Get the interval as it may change as we are running
304 //
305  ctxImpl->crlMutex.ReadLock();
306  waitT = flushT = ctxImpl->flushT;
307  ctxImpl->crlMutex.UnLock();
308 
309 // Indicate we have started in the trace record
310 //
311  DBG_CTX("Cache flusher started; interval="<<flushT<<" seconds.");
312 
313 // Do this forever
314 //
315 do{tStart = time(0);
316  ctxImpl->flsCVar->Wait(waitT);
317  tWaited= time(0) - tStart;
318 
319 // Check if this context is still alive. Generally, it never gets deleted.
320 //
321  ctxImpl->crlMutex.ReadLock();
322  if (!ctxImpl->owner) break;
323 
324 // If the interval changed, see if we should wait a bit longer
325 //
326  if (flushT != ctxImpl->flushT && tWaited < ctxImpl->flushT-1)
327  {waitT = ctxImpl->flushT - tWaited;
328  ctxImpl->crlMutex.UnLock();
329  continue;
330  }
331 
332 // Get the new values and drop the lock
333 //
334  waitT = flushT = ctxImpl->flushT;
335  ctxImpl->crlMutex.UnLock();
336 
337 // Get some relevant statistics
338 //
339  sesn = SSL_CTX_sess_number(ctxImpl->ctx);
340  hits = SSL_CTX_sess_hits(ctxImpl->ctx);
341  miss = SSL_CTX_sess_misses(ctxImpl->ctx);
342  tmos = SSL_CTX_sess_timeouts(ctxImpl->ctx);
343 
344 // Flush the cache
345 //
346  tNow = time(0);
347  SSL_CTX_flush_sessions(ctxImpl->ctx, tNow);
348 
349 // Print some stuff should debugging be on
350 //
351  if (TRACING(XrdTls::dbgCTX))
352  {char mBuff[512];
353  snprintf(mBuff, sizeof(mBuff), "sess=%d hits=%d miss=%d timeouts=%d",
354  sesn, hits, miss, tmos);
355  DBG_CTX("Cache flushed; " <<mBuff);
356  }
357  } while(true);
358 
359 // If we are here the context that started us has gone away and we are done
360 //
361  bool keepctx = ctxImpl->crlRunning;
362  ctxImpl->flsRunning = false;
363  ctxImpl->crlMutex.UnLock();
364  if (!keepctx) delete ctxImpl;
365  return (void *)0;
366 }
367 
368 /******************************************************************************/
369 /* S e t u p _ F l u s h e r */
370 /******************************************************************************/
371 
372 bool Setup_Flusher(XrdTlsContextImpl *pImpl, int flushT)
373 {
374  pthread_t tid;
375  int rc;
376 
377 // Set the new flush interval
378 //
379  pImpl->crlMutex.WriteLock();
380  pImpl->flushT = flushT;
381  pImpl->crlMutex.UnLock();
382 
383 // If the flush thread is already running, then wake it up to get the new value
384 //
385  if (pImpl->flsRunning)
386  {pImpl->flsCVar->Signal();
387  return true;
388  }
389 
390 // Start the flusher thread
391 //
392  pImpl->flsCVar = new XrdSysCondVar();
393  if ((rc = XrdSysThread::Run(&tid, XrdTlsFlush::Flusher, (void *)pImpl,
394  0, "Cache Flusher")))
395  {char eBuff[512];
396  snprintf(eBuff, sizeof(eBuff),
397  "Unable to start cache flusher thread; rc=%d", rc);
398  XrdTls::Emsg("SessCache:", eBuff, false);
399  return false;
400  }
401 
402 // Finish up
403 //
404  pImpl->flsRunning = true;
405  SSL_CTX_set_session_cache_mode(pImpl->ctx, SSL_SESS_CACHE_NO_AUTO_CLEAR);
406  return true;
407 }
408 }
409 
410 /******************************************************************************/
411 /* S S L T h r e a d i n g S u p p o r t */
412 /******************************************************************************/
413 
414 // The following may confusing because SSL MT support is somewhat bizarre.
415 // Versions < 1.0 require a numeric thread_id and lock callbasks.
416 // Versions < 1.1 require a lock_callbacks but the thread_is callback is
417 // optional. While the numeric thread_id callback can be used
418 // it's deprecated and fancier pointer/numeric call should be
419 // used. In our case, we use the deprecated version.
420 // Versions >- 1.1 Do not need any callbacks as all threading functions are
421 // internally defined to use native MT functions.
422 
423 #if OPENSSL_VERSION_NUMBER < 0x10100000L && defined(OPENSSL_THREADS)
424 namespace
425 {
426 #define XRDTLS_SET_CALLBACKS 1
427 #ifdef __solaris__
428 extern "C" {
429 #endif
430 
431 template<bool is32>
432 struct tlsmix;
433 
434 template<>
435 struct tlsmix<false> {
436  static unsigned long mixer(unsigned long x) {
437  // mixer based on splitmix64
438  x ^= x >> 30;
439  x *= 0xbf58476d1ce4e5b9UL;
440  x ^= x >> 27;
441  x *= 0x94d049bb133111ebUL;
442  x ^= x >> 31;
443  return x;
444  }
445 };
446 
447 template<>
448 struct tlsmix<true> {
449  static unsigned long mixer(unsigned long x) {
450  // mixer based on murmurhash3
451  x ^= x >> 16;
452  x *= 0x85ebca6bU;
453  x ^= x >> 13;
454  x *= 0xc2b2ae35U;
455  x ^= x >> 16;
456  return x;
457  }
458 };
459 
460 unsigned long sslTLS_id_callback(void)
461 {
462  // base thread-id on the id given by XrdSysThread;
463  // but openssl 1.0 uses thread-id as a key for looking
464  // up per thread crypto ERR structures in a hash-table.
465  // So mix bits so that the table's hash function gives
466  // better distribution.
467 
468  unsigned long x = (unsigned long)XrdSysThread::ID();
469  return tlsmix<sizeof(unsigned long)==4>::mixer(x);
470 }
471 
472 XrdSysMutex *MutexVector = 0;
473 
474 void sslTLS_lock(int mode, int n, const char *file, int line)
475 {
476 // Use exclusive locks. At some point, SSL categorizes these as read and
477 // write locks but it's not clear when this actually occurs, sigh.
478 //
479  if (mode & CRYPTO_LOCK) MutexVector[n].Lock();
480  else MutexVector[n].UnLock();
481 }
482 #ifdef __solaris__
483 }
484 #endif
485 } // namespace
486 #else
487 #undef XRDTLS_SET_CALLBACKS
488 #endif
489 
490 /******************************************************************************/
491 /* F i l e L o c a l D e f i n i t i o n s */
492 /******************************************************************************/
493 
494 namespace
495 {
496 // The following is the default cipher list. Note that for OpenSSL v1.0.2+ we
497 // use the recommended cipher list from Mozilla. Otherwise, we use the dumber
498 // less secure ciphers as older versions of openssl have issues with them. See
499 // ssl-config.mozilla.org/#config=intermediate&openssl=1.0.2k&guideline=5.4
500 //
501 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
502 const char *sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:"
503  "ECDHE-RSA-AES128-GCM-SHA256:"
504  "ECDHE-ECDSA-AES256-GCM-SHA384:"
505  "ECDHE-RSA-AES256-GCM-SHA384:"
506  "ECDHE-ECDSA-CHACHA20-POLY1305:"
507  "ECDHE-RSA-CHACHA20-POLY1305:"
508  "DHE-RSA-AES128-GCM-SHA256:"
509  "DHE-RSA-AES256-GCM-SHA384";
510 #else
511 const char *sslCiphers = "ALL:!LOW:!EXP:!MD5:!MD2";
512 #endif
513 
514 XrdSysMutex dbgMutex, tlsMutex;
515 XrdSys::RAtomic<bool> initDbgDone{ false };
516 bool initTlsDone{ false };
517 
518 /******************************************************************************/
519 /* I n i t T L S */
520 /******************************************************************************/
521 
522 void InitTLS() // This is strictly a one-time call!
523 {
524  XrdSysMutexHelper tlsHelper(tlsMutex);
525 
526 // Make sure we are not trying to load the ssl library more than once. This can
527 // happen when a server and a client instance happen to be both defined.
528 //
529  if (initTlsDone) return;
530  initTlsDone = true;
531 
532 // SSL library initialisation
533 //
534  SSL_library_init();
535  OpenSSL_add_all_algorithms();
536  SSL_load_error_strings();
537  OpenSSL_add_all_ciphers();
538 #if OPENSSL_VERSION_NUMBER < 0x30000000L
539  ERR_load_BIO_strings();
540 #endif
541  ERR_load_crypto_strings();
542 
543 // Set callbacks if we need to do this
544 //
545 #ifdef XRDTLS_SET_CALLBACKS
546 
547  int n = CRYPTO_num_locks();
548  if (n > 0)
549  {MutexVector = new XrdSysMutex[n];
550  CRYPTO_set_locking_callback(sslTLS_lock);
551  }
552  CRYPTO_set_id_callback(sslTLS_id_callback);
553 
554 #endif
555 }
556 
557 /******************************************************************************/
558 /* F a t a l */
559 /******************************************************************************/
560 
561 void Fatal(std::string *eMsg, const char *msg, bool sslmsg=false)
562 {
563 // If there is an outboard error string object, return the message there.
564 //
565  if (eMsg) *eMsg = msg;
566 
567 // Now route the message to the message callback function. If this is an ssl
568 // related error we also flush the ssl error queue to prevent suprises.
569 //
570  XrdTls::Emsg("TLS_Context:", msg, sslmsg);
571 }
572 
573 /******************************************************************************/
574 /* G e t T l s M e t h o d */
575 /******************************************************************************/
576 
577 const char *GetTlsMethod(const SSL_METHOD *&meth)
578 {
579 #if OPENSSL_VERSION_NUMBER > 0x1010000fL /* v1.1.0 */
580  meth = TLS_method();
581 #else
582  meth = SSLv23_method();
583 #endif
584  if (meth == 0) return "No negotiable TLS method available.";
585  return 0;
586 }
587 
588 /******************************************************************************/
589 /* V e r P a t h s */
590 /******************************************************************************/
591 
592 bool VerPaths(const char *cert, const char *pkey,
593  const char *cadr, const char *cafl, std::string &eMsg)
594 {
595  static const mode_t cert_mode = S_IRUSR | S_IWUSR | S_IRWXG | S_IROTH;
596  static const mode_t pkey_mode = S_IRUSR | S_IWUSR;
597  static const mode_t cadr_mode = S_IRWXU | S_IRGRP | S_IXGRP
598  | S_IROTH | S_IXOTH;
599  static const mode_t cafl_mode = S_IRUSR | S_IWUSR | S_IRWXG | S_IROTH;
600  const char *emsg;
601 
602 // If the ca cert directory is present make sure it's a directory and
603 // only the ower can write to that directory (anyone can read from it).
604 //
605  if (cadr && (emsg = XrdOucUtils::ValPath(cadr, cadr_mode, true)))
606  {eMsg = "Unable to use CA cert directory ";
607  eMsg += cadr; eMsg += "; "; eMsg += emsg;
608  return false;
609  }
610 
611 // If a ca cert file is present make sure it's a file and only the owner can
612 // write it (anyone can read it).
613 //
614  if (cafl && (emsg = XrdOucUtils::ValPath(cafl, cafl_mode, false)))
615  {eMsg = "Unable to use CA cert file ";
616  eMsg += cafl; eMsg += "; "; eMsg += emsg;
617  return false;
618  }
619 
620 // If a private key is provided as a filesystem path, verify it's a file and only the
621 // owner has access to it. If it's a PKCS#11 URI, it will be validated later.
622 //
623  if (pkey && pkey[0] == '/' && (emsg = XrdOucUtils::ValPath(pkey, pkey_mode, false)))
624  {eMsg = "Unable to use key file ";
625  eMsg += pkey; eMsg += "; "; eMsg += emsg;
626  return false;
627  }
628 
629 // If a cert file is present then make sure it's a file. If a keyfile is
630 // present then anyone can read it but only the owner can write it.
631 // Otherwise, only the owner can gave access to it (it contains the key).
632 //
633  if (cert)
634  {mode_t cmode = (pkey ? cert_mode : pkey_mode);
635  if ((emsg = XrdOucUtils::ValPath(cert, cmode, false)))
636  {if (pkey) eMsg = "Unable to use cert file ";
637  else eMsg = "Unable to use cert+key file ";
638  eMsg += cert; eMsg += "; "; eMsg += emsg;
639  return false;
640  }
641  }
642 
643 // All tests succeeded.
644 //
645  return true;
646 }
647 
648 /******************************************************************************/
649 /* V e r C B */
650 /******************************************************************************/
651 
652 extern "C"
653 {
654 int VerCB(int aOK, X509_STORE_CTX *x509P)
655 {
656  if (!aOK)
657  {X509 *cert = X509_STORE_CTX_get_current_cert(x509P);
658  int depth = X509_STORE_CTX_get_error_depth(x509P);
659  int err = X509_STORE_CTX_get_error(x509P);
660  char name[512], info[1024];
661 
662  X509_NAME_oneline(X509_get_subject_name(cert), name, sizeof(name));
663  snprintf(info,sizeof(info),"Cert verification failed for DN=%s",name);
664  XrdTls::Emsg("CertVerify:", info, false);
665 
666  X509_NAME_oneline(X509_get_issuer_name(cert), name, sizeof(name));
667  snprintf(info,sizeof(info),"Failing cert issuer=%s", name);
668  XrdTls::Emsg("CertVerify:", info, false);
669 
670  snprintf(info, sizeof(info), "Error %d at depth %d [%s]", err, depth,
671  X509_verify_cert_error_string(err));
672  XrdTls::Emsg("CertVerify:", info, true);
673  }
674 
675  return aOK;
676 }
677 }
678 
679 } // Anonymous namespace end
680 
681 /******************************************************************************/
682 /* C o n s t r u c t o r */
683 /******************************************************************************/
684 
685 #define KILL_CTX(x) if (x) {SSL_CTX_free(x); x = 0;}
686 
687 #define FATAL(msg) {Fatal(eMsg, msg); KILL_CTX(pImpl->ctx); return;}
688 
689 #define FATAL_SSL(msg) {Fatal(eMsg, msg, true); KILL_CTX(pImpl->ctx); return;}
690 
691 XrdTlsContext::XrdTlsContext(const char *cert, const char *key,
692  const char *caDir, const char *caFile,
693  uint64_t opts, std::string *eMsg)
694  : pImpl( new XrdTlsContextImpl(this) )
695 {
696  class ctx_helper
697  {public:
698 
699  void Keep() {ctxLoc = 0;}
700 
701  ctx_helper(SSL_CTX **ctxP) : ctxLoc(ctxP) {}
702  ~ctx_helper() {if (ctxLoc && *ctxLoc)
703  {SSL_CTX_free(*ctxLoc); *ctxLoc = 0;}
704  }
705  private:
706  SSL_CTX **ctxLoc;
707  } ctx_tracker(&pImpl->ctx);
708 
709  static const uint64_t sslOpts = SSL_OP_ALL
710  | SSL_OP_NO_SSLv2
711  | SSL_OP_NO_SSLv3
712  | SSL_OP_NO_COMPRESSION
713 #ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
714  | SSL_OP_IGNORE_UNEXPECTED_EOF
715 #endif
716 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
717  | SSL_OP_NO_RENEGOTIATION
718 #endif
719  ;
720 
721  std::string certFN, eText;
722  const char *emsg;
723 
724 // Assume we will fail
725 //
726  pImpl->ctx = 0;
727 
728 // Verify that initialzation has occurred. This is not heavy weight as
729 // there will usually be no more than two instances of this object.
730 //
731  if (!initDbgDone)
732  {XrdSysMutexHelper dbgHelper(dbgMutex);
733  if (!initDbgDone)
734  {const char *dbg;
735  if (!(opts & servr) && (dbg = getenv("XRDTLS_DEBUG")))
736  {int dbgOpts = 0;
737  if (strstr(dbg, "ctx")) dbgOpts |= XrdTls::dbgCTX;
738  if (strstr(dbg, "sok")) dbgOpts |= XrdTls::dbgSOK;
739  if (strstr(dbg, "sio")) dbgOpts |= XrdTls::dbgSIO;
740  if (!dbgOpts) dbgOpts = XrdTls::dbgALL;
741  XrdTls::SetDebug(dbgOpts|XrdTls::dbgOUT);
742  }
743  if ((emsg = Init())) FATAL(emsg);
744  initDbgDone = true;
745  }
746  }
747 
748 // If no CA cert information is specified and this is not a server context,
749 // then get the paths from the environment. They must exist as we need to
750 // verify peer certs in order to verify target host names client-side. We
751 // also use this setupt to see if we should use a specific cert and key.
752 //
753  if (!(opts & servr))
754  {if (!caDir && !caFile)
755  {caDir = getenv("X509_CERT_DIR");
756  caFile = getenv("X509_CERT_FILE");
757  if (!caDir && !caFile)
758  FATAL("No CA cert specified; host identity cannot be verified.");
759  }
760  if (!key) key = getenv("X509_USER_KEY");
761  if (!cert) cert = getenv("X509_USER_PROXY");
762  if (!cert)
763  {struct stat Stat;
764  long long int uid = static_cast<long long int>(getuid());
765  certFN = std::string("/tmp/x509up_u") + std::to_string(uid);
766  if (!stat(certFN.c_str(), &Stat)) cert = certFN.c_str();
767  }
768  }
769 
770 // Before we try to use any specified files, make sure they exist, are of
771 // the right type and do not have excessive access privileges.
772 // .a
773  if (!VerPaths(cert, key, caDir, caFile, eText)) FATAL( eText.c_str());
774 
775 // Copy parameters to out parm structure.
776 //
777  if (cert) {
778  pImpl->Parm.cert = cert;
779  //This call should not fail as a stat is already performed in the call of VerPaths() above
780  XrdOucUtils::getModificationTime(pImpl->Parm.cert.c_str(),pImpl->lastCertModTime);
781  }
782  if (key) pImpl->Parm.pkey = key;
783  if (caDir) pImpl->Parm.cadir = caDir;
784  if (caFile) pImpl->Parm.cafile = caFile;
785  pImpl->Parm.opts = opts;
786  if (opts & crlRF) {
787  // What we store in crlRF is the time in minutes, convert it back to seconds
788  pImpl->Parm.crlRT = static_cast<int>((opts & crlRF) >> crlRS) * 60;
789  }
790 
791 // Get the correct method to use for TLS and check if successful create a
792 // server context that uses the method.
793 //
794  const SSL_METHOD *meth;
795  emsg = GetTlsMethod(meth);
796  if (emsg) FATAL(emsg);
797 
798  pImpl->ctx = SSL_CTX_new(meth);
799 
800 // Make sure we have a context here
801 //
802  if (pImpl->ctx == 0) FATAL_SSL("Unable to allocate TLS context!");
803 
804 // Always prohibit SSLv2 & SSLv3 as these are not secure.
805 //
806  SSL_CTX_set_options(pImpl->ctx, sslOpts);
807 
808 // Handle session re-negotiation automatically
809 //
810 // SSL_CTX_set_mode(pImpl->ctx, sslMode);
811 
812 // Turn off the session cache as it's useless with peer cert chains
813 //
814  SSL_CTX_set_session_cache_mode(pImpl->ctx, SSL_SESS_CACHE_OFF);
815 
816 // Establish the CA cert locations, if specified. Then set the verification
817 // depth and turn on peer cert validation. For now, we don't set a callback.
818 // In the future we may to grab debugging information.
819 //
820  if ((caDir || caFile) && !(opts & clcOF))
821  {if (!SSL_CTX_load_verify_locations(pImpl->ctx, caFile, caDir))
822  FATAL_SSL("Unable to load the CA cert file or directory.");
823 
824  int vDepth = (opts & vdept) >> vdepS;
825  SSL_CTX_set_verify_depth(pImpl->ctx, (vDepth ? vDepth : 9));
826 
827  bool LogVF = (opts & logVF) != 0;
828  SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_PEER, (LogVF ? VerCB : 0));
829 
830  unsigned long xFlags = (opts & nopxy ? 0 : X509_V_FLAG_ALLOW_PROXY_CERTS);
831  if (opts & crlON)
832  {xFlags |= X509_V_FLAG_CRL_CHECK;
833  if (opts & crlFC) xFlags |= X509_V_FLAG_CRL_CHECK_ALL;
834  }
835  if (opts) X509_STORE_set_flags(SSL_CTX_get_cert_store(pImpl->ctx),xFlags);
836  } else {
837  SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_NONE, 0);
838  }
839 
840 // Set cipher list
841 //
842  if (!SSL_CTX_set_cipher_list(pImpl->ctx, sslCiphers))
843  FATAL_SSL("Unable to set SSL cipher list; no supported ciphers.");
844 
845 // If we need to enable eliptic-curve support, do so now. Note that for
846 // OpenSSL 1.1.0+ this is automatically done for us.
847 //
848 #if SSL_CTRL_SET_ECDH_AUTO
849  SSL_CTX_set_ecdh_auto(pImpl->ctx, 1);
850 #endif
851 
852 // We normally handle renegotiation during reads and writes or selective
853 // prohibit on a SSL socket basis. The calle may request this be applied
854 // to all SSL's generated from this context. If so, do it here.
855 //
856  if (opts & artON) SSL_CTX_set_mode(pImpl->ctx, SSL_MODE_AUTO_RETRY);
857 
858 // If there is no cert then assume this is a generic context for a client
859 //
860  if (cert == 0)
861  {ctx_tracker.Keep();
862  return;
863  }
864 
865 // We have a cert. If the key is missing then we assume the key is in the
866 // cert file (ssl will complain if it isn't).
867 //
868  if (!key) key = cert;
869 
870 // Load certificate
871 //
872  if (SSL_CTX_use_certificate_chain_file(pImpl->ctx, cert) != 1)
873  FATAL_SSL("Unable to create TLS context; invalid certificate.");
874 
875 // Load the private key
876 //
877  if (key[0] == 'p') {
878  if (!EnsureOpenSSLConfigLoaded())
879  FATAL_SSL("Unable to load OpenSSL configuration; cannot initialize pkcs11.");
880 
881 #ifdef XRDTLS_HAVE_OSSL_STORE
882  // OpenSSL 3.x+: Use OSSL_STORE API with pkcs11-provider in an ISOLATED context
883  // This prevents PKCS11 from affecting other TLS operations (e.g., SciTokens library)
884 
885  OSSL_PROVIDER *defaultProv = nullptr;
886 
887  // Initialize isolated PKCS11 context
888  // This loads the OPENSSL_CONF into an isolated context so PKCS11 doesn't affect
889  // other libraries in the process (like SciTokens)
890  if (!InitIsolatedPKCS11Context(&pImpl->pkcs11LibCtx, &pImpl->pkcs11Provider, &defaultProv)) {
891  FATAL_SSL("Failed to initialize isolated PKCS11 context. Check OPENSSL_CONF and pkcs11-provider installation.");
892  }
893 
894  // Open PKCS11 URI using the isolated context
895  OSSL_STORE_CTX *store_ctx = OSSL_STORE_open_ex(key, pImpl->pkcs11LibCtx, nullptr,
896  nullptr, nullptr, nullptr, nullptr, nullptr);
897  if (!store_ctx) {
898  if (defaultProv) OSSL_PROVIDER_unload(defaultProv);
899  FATAL_SSL("Failed to open PKCS11 URI in isolated context.");
900  }
901 
902  EVP_PKEY *priv_key = nullptr;
903  while (!OSSL_STORE_eof(store_ctx)) {
904  OSSL_STORE_INFO *info = OSSL_STORE_load(store_ctx);
905  if (info) {
906  int type = OSSL_STORE_INFO_get_type(info);
907  if (type == OSSL_STORE_INFO_PKEY) {
908  priv_key = OSSL_STORE_INFO_get1_PKEY(info);
909  OSSL_STORE_INFO_free(info);
910  break;
911  }
912  OSSL_STORE_INFO_free(info);
913  }
914  }
915  OSSL_STORE_close(store_ctx);
916  if (defaultProv) OSSL_PROVIDER_unload(defaultProv);
917 
918  if (!priv_key)
919  FATAL_SSL("Failed to load private key from PKCS11 URI in isolated context.");
920 
921  if (SSL_CTX_use_PrivateKey(pImpl->ctx, priv_key) != 1) {
922  EVP_PKEY_free(priv_key);
923  FATAL_SSL("Failed to have SSL context use private key");
924  }
925  EVP_PKEY_free(priv_key);
926 
927 #elif defined(XRDTLS_HAVE_ENGINE)
928  // OpenSSL 1.1.x (EL8): Use ENGINE API with libp11/engine_pkcs11
929  ENGINE *e = ENGINE_by_id("pkcs11");
930  if (e) {
931  const char* modulePath = getenv("PKCS11_MODULE_PATH");
932  if (modulePath && modulePath[0]) {
933  if (!ENGINE_ctrl_cmd_string(e, "MODULE_PATH", modulePath, 0)) {
934  ENGINE_free(e);
935  FATAL_SSL("Unable to configure pkcs11 engine MODULE_PATH");
936  }
937  }
938  if(!ENGINE_init(e)) {
939  ENGINE_free(e);
940  FATAL_SSL("Unable to initialize pkcs11 engine");
941  }
942  } else {
943  FATAL_SSL("Unable to create pkcs11 engine");
944  }
945  auto priv_key = ENGINE_load_private_key(e, key, nullptr, nullptr);
946 
947  if (!priv_key) {
948  FATAL_SSL("Failed to load private key through engine");
949  }
950  if (SSL_CTX_use_PrivateKey(pImpl->ctx, priv_key) != 1)
951  FATAL_SSL("Failed to have SSL context use private key");
952  EVP_PKEY_free(priv_key);
953 #else
954  FATAL_SSL("PKCS11 support not available.");
955 #endif
956 
957  } else if (SSL_CTX_use_PrivateKey_file(pImpl->ctx, key, SSL_FILETYPE_PEM) != 1 )
958  FATAL_SSL("Unable to create TLS context; invalid private key.");
959 
960 // Make sure the key and certificate file match.
961 //
962  if (SSL_CTX_check_private_key(pImpl->ctx) != 1 )
963  FATAL_SSL("Unable to create TLS context; cert-key mismatch.");
964 
965 // All went well, start the CRL refresh thread and keep the context.
966 //
967  if(opts & rfCRL) {
968  SetCrlRefresh();
969  }
970  ctx_tracker.Keep();
971 }
972 
973 /******************************************************************************/
974 /* D e s t r u c t o r */
975 /******************************************************************************/
976 
977 XrdTlsContext::~XrdTlsContext()
978 {
979 // We can delet eour implementation of there is no refresh thread running. If
980 // there is then the refresh thread has to delete the implementation.
981 //
982  if (pImpl->crlRunning | pImpl->flsRunning)
983  {pImpl->crlMutex.WriteLock();
984  pImpl->owner = 0;
985  pImpl->crlMutex.UnLock();
986  } else delete pImpl;
987 }
988 
989 /******************************************************************************/
990 /* C l o n e */
991 /******************************************************************************/
992 
993 XrdTlsContext *XrdTlsContext::Clone(bool full,bool startCRLRefresh)
994 {
995  XrdTlsContext::CTX_Params &my = pImpl->Parm;
996  const char *cert = (my.cert.size() ? my.cert.c_str() : 0);
997  const char *pkey = (my.pkey.size() ? my.pkey.c_str() : 0);
998  const char *caD = (my.cadir.size() ? my.cadir.c_str() : 0);
999  const char *caF = (my.cafile.size() ? my.cafile.c_str() : 0);
1000 
1001 // If this is a non-full context, get rid of any verification
1002 //
1003  if (!full) caD = caF = 0;
1004 
1005 // Cloning simply means getting a object with the old parameters.
1006 //
1007  uint64_t myOpts = my.opts;
1008  if(startCRLRefresh){
1009  myOpts |= XrdTlsContext::rfCRL;
1010  } else {
1011  myOpts &= ~XrdTlsContext::rfCRL;
1012  }
1013  XrdTlsContext *xtc = new XrdTlsContext(cert, pkey, caD, caF, myOpts);
1014 
1015 // Verify that the context was built
1016 //
1017  if (xtc->isOK()) {
1018  if(pImpl->sessionCacheOpts != -1){
1019  //A SessionCache() call was done for the current context, so apply it for this new cloned context
1020  xtc->SessionCache(pImpl->sessionCacheOpts,pImpl->sessionCacheId.c_str(),pImpl->sessionCacheId.size());
1021  }
1022  return xtc;
1023  }
1024 
1025 // We failed, cleanup.
1026 //
1027  delete xtc;
1028  return 0;
1029 }
1030 
1031 /******************************************************************************/
1032 /* C o n t e x t */
1033 /******************************************************************************/
1034 
1035 void *XrdTlsContext::Context()
1036 {
1037  return pImpl->ctx;
1038 }
1039 
1040 /******************************************************************************/
1041 /* G e t P a r a m s */
1042 /******************************************************************************/
1043 
1044 const XrdTlsContext::CTX_Params *XrdTlsContext::GetParams()
1045 {
1046  return &pImpl->Parm;
1047 }
1048 
1049 /******************************************************************************/
1050 /* I n i t */
1051 /******************************************************************************/
1052 
1053 const char *XrdTlsContext::Init()
1054 {
1055 
1056 // Disallow use if this object unless SSL provides thread-safety!
1057 //
1058 #ifndef OPENSSL_THREADS
1059  return "Installed OpenSSL lacks the required thread support!";
1060 #endif
1061 
1062 // Initialize the library (one time call)
1063 //
1064  InitTLS();
1065  return 0;
1066 }
1067 
1068 /******************************************************************************/
1069 /* i s O K */
1070 /******************************************************************************/
1071 
1072 bool XrdTlsContext::isOK()
1073 {
1074  return pImpl->ctx != 0;
1075 }
1076 
1077 /******************************************************************************/
1078 /* S e s s i o n */
1079 /******************************************************************************/
1080 
1081 // Note: The reason we handle the x509 store update here is because allow the
1082 // SSL context to be exported and then have no lock control over it. This may
1083 // happen for transient purposes other than creating sessions. Once we
1084 // disallow direct access to the context, the exchange can happen in the
1085 // refresh thread which simplifies this whole process.
1086 
1087 void *XrdTlsContext::Session()
1088 {
1089 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
1090 
1091  EPNAME("Session");
1092  SSL *ssl;
1093 
1094 // Check if we have a refreshed context. If so, we need to replace the X509
1095 // store in the current context with the new one before we create the session.
1096 //
1097  pImpl->crlMutex.ReadLock();
1098  if (!(pImpl->ctxnew))
1099  {ssl = SSL_new(pImpl->ctx);
1100  pImpl->crlMutex.UnLock();
1101  return ssl;
1102  }
1103 
1104 // Things have changed, so we need to take the long route here. We need to
1105 // replace the x509 cache with the current cache. Get a R/W lock now.
1106 //
1107  pImpl->crlMutex.UnLock();
1108  pImpl->crlMutex.WriteLock();
1109 
1110 // If some other thread beat us to the punch, just return what we have.
1111 //
1112  if (!(pImpl->ctxnew))
1113  {ssl = SSL_new(pImpl->ctx);
1114  pImpl->crlMutex.UnLock();
1115  return ssl;
1116  }
1117 
1118 // Do some tracing
1119 //
1120  DBG_CTX("Replacing x509 store with new contents.");
1121 
1122 // Get the new store and set it in our context. Setting the store is black
1123 // magic. For OpenSSL < 1.1, Two stores need to be set with the "set1" variant.
1124 // Newer version only require SSL_CTX_set1_cert_store() to be used.
1125 //
1126  //We have a new context generated by Refresh, so we must use it.
1127  XrdTlsContext * ctxnew = pImpl->ctxnew;
1128 
1129  /*X509_STORE *newX509 = SSL_CTX_get_cert_store(ctxnew->pImpl->ctx);
1130  SSL_CTX_set1_verify_cert_store(pImpl->ctx, newX509);
1131  SSL_CTX_set1_chain_cert_store(pImpl->ctx, newX509);*/
1132  //The above two macros actually do not replace the certificate that has
1133  //to be used for that SSL session, so we will create the session with the SSL_CTX * of
1134  //the TlsContext created by Refresh()
1135  //First, free the current SSL_CTX, if it is used by any transfer, it will just decrease
1136  //the reference counter of it. There is therefore no risk of double free...
1137  SSL_CTX_free(pImpl->ctx);
1138  pImpl->ctx = ctxnew->pImpl->ctx;
1139  //In the destructor of XrdTlsContextImpl, SSL_CTX_Free() is
1140  //called if ctx is != 0. As this new ctx is used by the session
1141  //we just created, we don't want that to happen. We therefore set it to 0.
1142  //The SSL_free called on the session will cleanup the context for us.
1143  ctxnew->pImpl->ctx = 0;
1144 
1145 // Save the generated context and clear it's presence
1146 //
1147  XrdTlsContext *ctxold = pImpl->ctxnew;
1148  pImpl->ctxnew = 0;
1149 
1150 // Generate a new session (might as well to keep the lock we have)
1151 //
1152  ssl = SSL_new(pImpl->ctx);
1153 
1154 // OK, now we can drop all the locks and get rid of the old context
1155 //
1156  pImpl->crlMutex.UnLock();
1157  delete ctxold;
1158  return ssl;
1159 
1160 #else
1161 // If we did not compile crl refresh code, we can simply return the OpenSSL
1162 // session using our context. Otherwise, we need to see if we have a refreshed
1163 // context and if so, carry forward the X509_store to our original context.
1164 //
1165  return SSL_new(pImpl->ctx);
1166 #endif
1167 }
1168 
1169 /******************************************************************************/
1170 /* S e s s i o n C a c h e */
1171 /******************************************************************************/
1172 
1173 int XrdTlsContext::SessionCache(int opts, const char *id, int idlen)
1174 {
1175  static const int doSet = scSrvr | scClnt | scOff;
1176  long sslopt = 0;
1177  int flushT = opts & scFMax;
1178 
1179  pImpl->sessionCacheOpts = opts;
1180  pImpl->sessionCacheId = id;
1181 
1182 // If initialization failed there is nothing to do
1183 //
1184  if (pImpl->ctx == 0) return 0;
1185 
1186 // Set options as appropriate
1187 //
1188  if (opts & doSet)
1189  {if (opts & scOff) sslopt = SSL_SESS_CACHE_OFF;
1190  else {if (opts & scSrvr) sslopt = SSL_SESS_CACHE_SERVER;
1191  if (opts & scClnt) sslopt |= SSL_SESS_CACHE_CLIENT;
1192  }
1193  }
1194 
1195 // Check if we should set any cache options or simply get them
1196 //
1197  if (!(opts & doSet)) sslopt = SSL_CTX_get_session_cache_mode(pImpl->ctx);
1198  else {sslopt = SSL_CTX_set_session_cache_mode(pImpl->ctx, sslopt);
1199  if (opts & scOff) SSL_CTX_set_options(pImpl->ctx, SSL_OP_NO_TICKET);
1200  }
1201 
1202 // Compute what he previous cache options were
1203 //
1204  opts = scNone;
1205  if (sslopt & SSL_SESS_CACHE_SERVER) opts |= scSrvr;
1206  if (sslopt & SSL_SESS_CACHE_CLIENT) opts |= scClnt;
1207  if (!opts) opts = scOff;
1208  if (sslopt & SSL_SESS_CACHE_NO_AUTO_CLEAR) opts |= scKeep;
1209  opts |= (static_cast<int>(pImpl->flushT) & scFMax);
1210 
1211 // Set the id is so wanted
1212 //
1213  if (id && idlen > 0)
1214  {if (!SSL_CTX_set_session_id_context(pImpl->ctx,
1215  (unsigned const char *)id,
1216  (unsigned int)idlen)) opts |= scIdErr;
1217  }
1218 
1219 // If a flush interval was specified and it is different from what we have
1220 // then reset the flush interval.
1221 //
1222  if (flushT && flushT != pImpl->flushT)
1223  XrdTlsFlush::Setup_Flusher(pImpl, flushT);
1224 
1225 // All done
1226 //
1227  return opts;
1228 }
1229 
1230 /******************************************************************************/
1231 /* S e t C o n t e x t C i p h e r s */
1232 /******************************************************************************/
1233 
1234 bool XrdTlsContext::SetContextCiphers(const char *ciphers)
1235 {
1236  if (pImpl->ctx && SSL_CTX_set_cipher_list(pImpl->ctx, ciphers)) return true;
1237 
1238  char eBuff[2048];
1239  snprintf(eBuff,sizeof(eBuff),"Unable to set context ciphers '%s'",ciphers);
1240  Fatal(0, eBuff, true);
1241  return false;
1242 }
1243 
1244 /******************************************************************************/
1245 /* S e t D e f a u l t C i p h e r s */
1246 /******************************************************************************/
1247 
1248 void XrdTlsContext::SetDefaultCiphers(const char *ciphers)
1249 {
1250  sslCiphers = ciphers;
1251 }
1252 
1253 /******************************************************************************/
1254 /* S e t C r l R e f r e s h */
1255 /******************************************************************************/
1256 
1257 bool XrdTlsContext::SetCrlRefresh(int refsec)
1258 {
1259 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
1260 
1261  pthread_t tid;
1262  int rc;
1263 
1264 // If it's negative or equal to 0, use the current setting
1265 //
1266  if (refsec <= 0)
1267  {pImpl->crlMutex.WriteLock();
1268  refsec = pImpl->Parm.crlRT;
1269  pImpl->crlMutex.UnLock();
1270  if (!refsec) refsec = XrdTlsContext::DEFAULT_CRL_REF_INT_SEC;
1271  }
1272 
1273 // Make sure this is at least 60 seconds between refreshes
1274 //
1275 // if (refsec < 60) refsec = 60;
1276 
1277 // We will set the new interval and start a refresh thread if not running.
1278 //
1279  pImpl->crlMutex.WriteLock();
1280  pImpl->Parm.crlRT = refsec;
1281  if (!pImpl->crlRunning)
1282  {if ((rc = XrdSysThread::Run(&tid, XrdTlsCrl::Refresh, (void *)pImpl,
1283  0, "CRL Refresh")))
1284  {char eBuff[512];
1285  snprintf(eBuff, sizeof(eBuff),
1286  "Unable to start CRL refresh thread; rc=%d", rc);
1287  XrdTls::Emsg("CrlRefresh:", eBuff, false);
1288  pImpl->crlMutex.UnLock();
1289  return false;
1290  } else pImpl->crlRunning = true;
1291  pImpl->crlMutex.UnLock();
1292  }
1293 
1294 // All done
1295 //
1296  return true;
1297 
1298 #else
1299 // We use features present on OpenSSL 1.02 and above to implement crl refresh.
1300 // Older version are too difficult to deal with. Issue a message if this
1301 // feature is being enabled on an old version.
1302 //
1303  XrdTls::Emsg("CrlRefresh:", "Refreshing CRLs only supported in "
1304  "OpenSSL version >= 1.02; CRL refresh disabled!", false);
1305  return false;
1306 #endif
1307 }
1308 
1309 /******************************************************************************/
1310 /* x 5 0 9 V e r i f y */
1311 /******************************************************************************/
1312 
1313 bool XrdTlsContext::x509Verify()
1314 {
1315  return !(pImpl->Parm.cadir.empty()) || !(pImpl->Parm.cafile.empty());
1316 }
1317 
1318 bool XrdTlsContext::newHostCertificateDetected() {
1319  const std::string certPath = pImpl->Parm.cert;
1320  if(certPath.empty()) {
1321  //No certificate provided, should not happen though
1322  return false;
1323  }
1324  time_t modificationTime;
1325  if(!XrdOucUtils::getModificationTime(certPath.c_str(),modificationTime)){
1326  if (pImpl->lastCertModTime != modificationTime) {
1327  //The certificate file has changed
1328  pImpl->lastCertModTime = modificationTime;
1329  return true;
1330  }
1331  }
1332  return false;
1333 }
1334 
1335 void XrdTlsContext::SetTlsClientAuth(bool setting) {
1336  bool LogVF = (pImpl->Parm.opts & logVF) != 0;
1337  if (setting)
1338  {pImpl->Parm.opts &= ~clcOF;
1339  SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_PEER, (LogVF ? VerCB : 0));
1340  } else
1341  {pImpl->Parm.opts |= clcOF;
1342  SSL_CTX_set_verify(pImpl->ctx, SSL_VERIFY_NONE, 0);
1343  }
1344 }
EPNAME
#define EPNAME(x)
Definition: XrdBwmTrace.hh:56
Stat
struct stat Stat
Definition: XrdCks.cc:49
Fatal
void Fatal(const char *op, const char *target)
Definition: XrdCrc32c.cc:58
stat
#define stat(a, b)
Definition: XrdPosix.hh:101
eMsg
#define eMsg(x)
Definition: XrdSecsssAdmin.cc:53
opts
struct myOpts opts
emsg
int emsg(int rc, char *msg)
Definition: XrdSectestServer.cc:309
if
if(Avsz)
Definition: XrdSysFAttrSun.icc:98
FATAL_SSL
#define FATAL_SSL(msg)
Definition: XrdTlsContext.cc:689
FATAL
#define FATAL(msg)
Definition: XrdTlsContext.cc:687
DBG_CTX
#define DBG_CTX(y)
Definition: XrdTlsTrace.hh:39
TRACING
#define TRACING(x)
Definition: XrdTrace.hh:70
XrdOucUtils::getModificationTime
static int getModificationTime(const char *path, time_t &modificationTime)
Definition: XrdOucUtils.cc:1478
XrdOucUtils::ValPath
static const char * ValPath(const char *path, mode_t allow, bool isdir)
Definition: XrdOucUtils.cc:1420
XrdSysThread::Run
static int Run(pthread_t *, void *(*proc)(void *), void *arg, int opts=0, const char *desc=0)
Definition: XrdSysPthread.cc:307
XrdSysThread::ID
static pthread_t ID(void)
Definition: XrdSysPthread.hh:584
XrdSysTimer::Snooze
static void Snooze(int seconds)
Definition: XrdSysTimer.cc:168
XrdTlsContext::scIdErr
static const int scIdErr
Info: Id not set, is too long.
Definition: XrdTlsContext.hh:137
XrdTlsContext::Clone
XrdTlsContext * Clone(bool full=true, bool startCRLRefresh=false)
Definition: XrdTlsContext.cc:993
XrdTlsContext::~XrdTlsContext
~XrdTlsContext()
Destructor.
Definition: XrdTlsContext.cc:977
XrdTlsContext::vdept
static const uint64_t vdept
Mask to isolate vdept.
Definition: XrdTlsContext.hh:245
XrdTlsContext::crlRS
static const int crlRS
Bits to shift vdept.
Definition: XrdTlsContext.hh:255
XrdTlsContext::SessionCache
int SessionCache(int opts=scNone, const char *id=0, int idlen=0)
Definition: XrdTlsContext.cc:1173
XrdTlsContext::SetDefaultCiphers
static void SetDefaultCiphers(const char *ciphers)
Definition: XrdTlsContext.cc:1248
XrdTlsContext::XrdTlsContext
XrdTlsContext(const char *cert=0, const char *key=0, const char *cadir=0, const char *cafile=0, uint64_t opts=0, std::string *eMsg=0)
Definition: XrdTlsContext.cc:691
XrdTlsContext::clcOF
static const uint64_t clcOF
Disable client certificate request.
Definition: XrdTlsContext.hh:257
XrdTlsContext::scClnt
static const int scClnt
Turn on cache client mode.
Definition: XrdTlsContext.hh:135
XrdTlsContext::DEFAULT_CRL_REF_INT_SEC
static const int DEFAULT_CRL_REF_INT_SEC
Default CRL refresh interval in seconds.
Definition: XrdTlsContext.hh:66
XrdTlsContext::servr
static const uint64_t servr
This is a server context.
Definition: XrdTlsContext.hh:248
XrdTlsContext::rfCRL
static const uint64_t rfCRL
Turn on the CRL refresh thread.
Definition: XrdTlsContext.hh:251
XrdTlsContext::scKeep
static const int scKeep
Info: TLS-controlled flush disabled.
Definition: XrdTlsContext.hh:136
XrdTlsContext::nopxy
static const uint64_t nopxy
Do not allow proxy certs.
Definition: XrdTlsContext.hh:250
XrdTlsContext::scNone
static const int scNone
Do not change any option settings.
Definition: XrdTlsContext.hh:132
XrdTlsContext::logVF
static const uint64_t logVF
Log verify failures.
Definition: XrdTlsContext.hh:247
XrdTlsContext::crlFC
static const uint64_t crlFC
Full crl chain checking.
Definition: XrdTlsContext.hh:253
XrdTlsContext::crlON
static const uint64_t crlON
Enables crl checking.
Definition: XrdTlsContext.hh:252
XrdTlsContext::artON
static const uint64_t artON
Auto retry Handshake.
Definition: XrdTlsContext.hh:256
XrdTlsContext::vdepS
static const int vdepS
Bits to shift vdept.
Definition: XrdTlsContext.hh:246
XrdTlsContext::GetParams
const CTX_Params * GetParams()
Definition: XrdTlsContext.cc:1044
XrdTlsContext::scOff
static const int scOff
Turn off cache.
Definition: XrdTlsContext.hh:133
XrdTlsContext::Init
static const char * Init()
Definition: XrdTlsContext.cc:1053
XrdTlsContext::newHostCertificateDetected
bool newHostCertificateDetected()
Definition: XrdTlsContext.cc:1318
XrdTlsContext::SetContextCiphers
bool SetContextCiphers(const char *ciphers)
Definition: XrdTlsContext.cc:1234
XrdTlsContext::scFMax
static const int scFMax
Definition: XrdTlsContext.hh:138
XrdTlsContext::SetCrlRefresh
bool SetCrlRefresh(int refsec=-1)
Definition: XrdTlsContext.cc:1257
XrdTlsContext::scSrvr
static const int scSrvr
Turn on cache server mode (default)
Definition: XrdTlsContext.hh:134
XrdTlsContext::SetTlsClientAuth
void SetTlsClientAuth(bool setting)
Definition: XrdTlsContext.cc:1335
XrdTlsContext::crlRF
static const uint64_t crlRF
Mask to isolate crl refresh in min.
Definition: XrdTlsContext.hh:254
XrdTls::dbgSIO
static const int dbgSIO
Turn debugging in for socket I/O.
Definition: XrdTls.hh:102
XrdTls::dbgSOK
static const int dbgSOK
Turn debugging in for socket operations.
Definition: XrdTls.hh:101
XrdTls::dbgOUT
static const int dbgOUT
Force msgs to stderr for easier client debug.
Definition: XrdTls.hh:104
XrdTls::Emsg
static void Emsg(const char *tid, const char *msg=0, bool flush=true)
Definition: XrdTls.cc:104
XrdTls::dbgALL
static const int dbgALL
Turn debugging for everything.
Definition: XrdTls.hh:103
XrdTls::dbgCTX
static const int dbgCTX
Turn debugging in for context operations.
Definition: XrdTls.hh:100
XrdTls::SetDebug
static void SetDebug(int opts, XrdSysLogger *logP=0)
Definition: XrdTls.cc:177
XrdCl::InitTLS
bool InitTLS()
Definition: XrdClTls.cc:96
XrdTlsCrl::Refresh
void * Refresh(void *parg)
Definition: XrdTlsContext.cc:198
XrdTlsFlush::Flusher
void * Flusher(void *parg)
Definition: XrdTlsContext.cc:292
XrdTlsFlush::Setup_Flusher
bool Setup_Flusher(XrdTlsContextImpl *pImpl, int flushT)
Definition: XrdTlsContext.cc:372
XrdTlsGlobal::SysTrace
XrdSysTrace SysTrace("TLS", 0)
Definition: XrdTlsContext.cc:73
XrdTlsContextImpl::XrdTlsContextImpl
XrdTlsContextImpl(XrdTlsContext *p)
Definition: XrdTlsContext.cc:155
XrdTlsContextImpl::sessionCacheId
std::string sessionCacheId
Definition: XrdTlsContext.cc:183
XrdTlsContextImpl::owner
XrdTlsContext * owner
Definition: XrdTlsContext.cc:174
XrdTlsContextImpl::Parm
XrdTlsContext::CTX_Params Parm
Definition: XrdTlsContext.cc:175
XrdTlsContextImpl::ctxnew
XrdTlsContext * ctxnew
Definition: XrdTlsContext.cc:173
XrdTlsContextImpl::flsCVar
XrdSysCondVar * flsCVar
Definition: XrdTlsContext.cc:177
XrdTlsContextImpl::crlMutex
XrdSysRWLock crlMutex
Definition: XrdTlsContext.cc:176
XrdTlsContext::CTX_Params
Definition: XrdTlsContext.hh:75
XrdTlsContext::CTX_Params::cafile
std::string cafile
-> ca cert file.
Definition: XrdTlsContext.hh:78
XrdTlsContext::CTX_Params::opts
uint64_t opts
Options as passed to the constructor.
Definition: XrdTlsContext.hh:79
XrdTlsContext::CTX_Params::cadir
std::string cadir
-> ca cert directory.
Definition: XrdTlsContext.hh:77
XrdTlsContext::CTX_Params::crlRT
int crlRT
crl refresh interval time in seconds
Definition: XrdTlsContext.hh:80
XrdTlsContext::CTX_Params::pkey
std::string pkey
-> private key path.
Definition: XrdTlsContext.hh:76
XrdTlsContext::CTX_Params::cert
std::string cert
-> certificate path.
Definition: XrdTlsContext.hh:75