4 #define __STDC_FORMAT_MACROS
7 #include <openssl/err.h>
8 #include <openssl/ssl.h>
28 STACK_OF(X509) * chain;
51 : authz_session_manager_(sm) {
53 SSL_load_error_strings();
59 sslctx_info *p =
reinterpret_cast<sslctx_info *
>(parm);
60 SSL_CTX *
ctx =
reinterpret_cast<SSL_CTX *
>(sslctx);
65 STACK_OF(X509) *chain = p->chain;
66 EVP_PKEY *pkey = p->pkey;
70 int cert_count = sk_X509_num(chain);
71 if (cert_count == 0) {
74 X509 *cert = sk_X509_value(chain, 0);
77 if (!SSL_CTX_use_certificate(ctx, cert)) {
80 return CURLE_SSL_CERTPROBLEM;
83 if (!SSL_CTX_use_PrivateKey(ctx, pkey)) {
85 return CURLE_SSL_CERTPROBLEM;
88 if (!SSL_CTX_check_private_key(ctx)) {
90 return CURLE_SSL_CERTPROBLEM;
97 for (
int idx = 1; idx < cert_count; idx++) {
98 cert = sk_X509_value(chain, idx);
99 if (!SSL_CTX_add_extra_chain_cert(ctx, X509_dup(cert))) {
111 if (*info_data == NULL) {
114 saved_token->
data =
new bearer_info;
115 bearer_info *bearer =
static_cast<bearer_info *
>(saved_token->
data);
117 bearer->token =
static_cast<char *
>(
118 smalloc((
sizeof(
char) * token.
size) + 1));
119 memcpy(bearer->token, token.
data, token.
size);
120 static_cast<char *
>(bearer->token)[token.
size] = 0;
121 *info_data = saved_token;
125 bearer_info *bearer =
static_cast<bearer_info *
>(tmp_token->
data);
128 static_cast<char *>(bearer->token));
133 std::string auth_preamble =
"Authorization: Bearer ";
134 std::string auth_header = auth_preamble +
static_cast<char *
>(bearer->token);
135 bearer->list = curl_slist_append(bearer->list, auth_header.c_str());
136 int retval = curl_easy_setopt(curl_handle, CURLOPT_HTTPHEADER, bearer->list);
138 if (retval != CURLE_OK) {
158 curl_easy_setopt(curl_handle, CURLOPT_FRESH_CONNECT, 1);
159 curl_easy_setopt(curl_handle, CURLOPT_FORBID_REUSE, 1);
160 curl_easy_setopt(curl_handle, CURLOPT_SSL_SESSIONID_CACHE, 0);
164 if (!token.IsValid()) {
169 switch (token->type) {
185 curl_easy_setopt(curl_handle, CURLOPT_SSL_CTX_DATA, NULL);
189 curl_easy_setopt(curl_handle, CURLOPT_SSL_CTX_DATA,
190 static_cast<AuthzToken *>(*info_data)->data);
195 int retval = curl_easy_setopt(
197 if (retval != CURLE_OK) {
204 STACK_OF(X509_INFO) *sk = NULL;
205 STACK_OF(X509) *certstack = sk_X509_new_null();
206 parm->chain = certstack;
207 if (certstack == NULL) {
212 BIO *bio_token = BIO_new_mem_buf(token->data, token->size);
213 assert(bio_token != NULL);
214 sk = PEM_X509_INFO_read_bio(bio_token, NULL, NULL, NULL);
218 sk_X509_INFO_free(sk);
219 sk_X509_free(certstack);
223 while (sk_X509_INFO_num(sk)) {
224 X509_INFO *xi = sk_X509_INFO_shift(sk);
228 if (xi->x509 != NULL) {
229 #ifdef OPENSSL_API_INTERFACE_V11
230 retval = X509_up_ref(xi->x509);
233 CRYPTO_add(&xi->x509->references, 1, CRYPTO_LOCK_X509);
235 sk_X509_push(certstack, xi->x509);
237 if ((xi->x_pkey != NULL) && (xi->x_pkey->dec_pkey != NULL)) {
238 parm->pkey = xi->x_pkey->dec_pkey;
239 #ifdef OPENSSL_API_INTERFACE_V11
240 retval = EVP_PKEY_up_ref(parm->pkey);
243 CRYPTO_add(&parm->pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
248 sk_X509_INFO_free(sk);
250 if (parm->pkey == NULL) {
253 BIO *bio_token = BIO_new_mem_buf(token->data, token->size);
254 assert(bio_token != NULL);
255 EVP_PKEY *old_pkey = PEM_read_bio_PrivateKey(bio_token, NULL, NULL, NULL);
258 parm->pkey = old_pkey;
260 sk_X509_free(certstack);
262 "credential did not contain a decrypted private key.");
267 if (!sk_X509_num(certstack)) {
268 EVP_PKEY_free(parm->pkey);
269 sk_X509_free(certstack);
271 "Credential file did not contain any actual credentials.");
275 sk_X509_num(certstack));
280 to_return->
data =
static_cast<void *
>(parm.
Release());
281 curl_easy_setopt(curl_handle, CURLOPT_SSL_CTX_DATA,
282 static_cast<sslctx_info *>(to_return->
data));
283 *info_data = to_return;
290 char error_buf[1024];
292 unsigned long next_err;
293 while ((next_err = ERR_get_error())) {
294 ERR_error_string_n(next_err, error_buf, 1024);
306 bearer_info *bearer =
static_cast<bearer_info *
>(token->
data);
307 delete static_cast<char *
>(bearer->token);
308 curl_slist_free_all(bearer->list);
309 delete static_cast<bearer_info *
>(token->
data);
314 sslctx_info *p =
static_cast<sslctx_info *
>(token->
data);
315 STACK_OF(X509) *chain = p->chain;
316 EVP_PKEY *pkey = p->pkey;
322 sk_X509_pop_free(chain, X509_free);
327 curl_easy_setopt(curl_handle, CURLOPT_SSL_CTX_DATA, 0);
struct cvmcache_context * ctx
virtual bool ConfigureCurlHandle(CURL *curl_handle, pid_t pid, void **info_data)
static CURLcode CallbackSslCtx(CURL *curl, void *sslctx, void *parm)
assert((mem||(size==0))&&"Out Of Memory")
AuthzToken * GetTokenCopy(const pid_t pid, const std::string &membership)
static bool ssl_strings_loaded_
bool ConfigureSciTokenCurl(CURL *curl_handle, const AuthzToken &token, void **info_data)
AuthzAttachment(AuthzSessionManager *sm)
AuthzSessionManager * authz_session_manager_
static void LogOpenSSLErrors(const char *top_message)
virtual void ReleaseCurlHandle(CURL *curl_handle, void *info_data)
CVMFS_EXPORT void LogCvmfs(const LogSource source, const int mask, const char *format,...)