4 #define __STDC_FORMAT_MACROS
7 #include <openssl/err.h>
8 #include <openssl/ssl.h>
28 STACK_OF(X509) * chain;
51 : authz_session_manager_(sm) {
53 SSL_load_error_strings();
59 sslctx_info *p =
reinterpret_cast<sslctx_info *
>(parm);
60 SSL_CTX *
ctx =
reinterpret_cast<SSL_CTX *
>(sslctx);
65 STACK_OF(X509) *chain = p->chain;
66 EVP_PKEY *pkey = p->pkey;
70 const int cert_count = sk_X509_num(chain);
71 if (cert_count == 0) {
74 X509 *cert = sk_X509_value(chain, 0);
77 if (!SSL_CTX_use_certificate(ctx, cert)) {
80 return CURLE_SSL_CERTPROBLEM;
83 if (!SSL_CTX_use_PrivateKey(ctx, pkey)) {
85 return CURLE_SSL_CERTPROBLEM;
88 if (!SSL_CTX_check_private_key(ctx)) {
90 return CURLE_SSL_CERTPROBLEM;
97 for (
int idx = 1; idx < cert_count; idx++) {
98 cert = sk_X509_value(chain, idx);
99 if (!SSL_CTX_add_extra_chain_cert(ctx, X509_dup(cert))) {
111 if (*info_data == NULL) {
114 saved_token->
data =
new bearer_info;
115 bearer_info *bearer =
static_cast<bearer_info *
>(saved_token->
data);
117 bearer->token =
static_cast<char *
>(
118 smalloc((
sizeof(
char) * token.
size) + 1));
119 memcpy(bearer->token, token.
data, token.
size);
120 static_cast<char *
>(bearer->token)[token.
size] = 0;
121 *info_data = saved_token;
125 bearer_info *bearer =
static_cast<bearer_info *
>(tmp_token->
data);
128 static_cast<char *>(bearer->token));
133 const std::string auth_preamble =
"Authorization: Bearer ";
134 const std::string auth_header =
135 auth_preamble +
static_cast<char *
>(bearer->token);
136 bearer->list = curl_slist_append(bearer->list, auth_header.c_str());
138 curl_easy_setopt(curl_handle, CURLOPT_HTTPHEADER, bearer->list);
140 if (retval != CURLE_OK) {
160 curl_easy_setopt(curl_handle, CURLOPT_FRESH_CONNECT, 1);
161 curl_easy_setopt(curl_handle, CURLOPT_FORBID_REUSE, 1);
162 curl_easy_setopt(curl_handle, CURLOPT_SSL_SESSIONID_CACHE, 0);
166 if (!token.IsValid()) {
171 switch (token->type) {
187 curl_easy_setopt(curl_handle, CURLOPT_SSL_CTX_DATA, NULL);
191 curl_easy_setopt(curl_handle, CURLOPT_SSL_CTX_DATA,
192 static_cast<AuthzToken *>(*info_data)->data);
197 int retval = curl_easy_setopt(
199 if (retval != CURLE_OK) {
206 STACK_OF(X509_INFO) *sk = NULL;
207 STACK_OF(X509) *certstack = sk_X509_new_null();
208 parm->chain = certstack;
209 if (certstack == NULL) {
214 BIO *bio_token = BIO_new_mem_buf(token->data, token->size);
215 assert(bio_token != NULL);
216 sk = PEM_X509_INFO_read_bio(bio_token, NULL, NULL, NULL);
220 sk_X509_INFO_free(sk);
221 sk_X509_free(certstack);
225 while (sk_X509_INFO_num(sk)) {
226 X509_INFO *xi = sk_X509_INFO_shift(sk);
230 if (xi->x509 != NULL) {
231 #ifdef OPENSSL_API_INTERFACE_V11
232 retval = X509_up_ref(xi->x509);
235 CRYPTO_add(&xi->x509->references, 1, CRYPTO_LOCK_X509);
237 sk_X509_push(certstack, xi->x509);
239 if ((xi->x_pkey != NULL) && (xi->x_pkey->dec_pkey != NULL)) {
240 parm->pkey = xi->x_pkey->dec_pkey;
241 #ifdef OPENSSL_API_INTERFACE_V11
242 retval = EVP_PKEY_up_ref(parm->pkey);
245 CRYPTO_add(&parm->pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
250 sk_X509_INFO_free(sk);
252 if (parm->pkey == NULL) {
255 BIO *bio_token = BIO_new_mem_buf(token->data, token->size);
256 assert(bio_token != NULL);
257 EVP_PKEY *old_pkey = PEM_read_bio_PrivateKey(bio_token, NULL, NULL, NULL);
260 parm->pkey = old_pkey;
262 sk_X509_free(certstack);
264 "credential did not contain a decrypted private key.");
269 if (!sk_X509_num(certstack)) {
270 EVP_PKEY_free(parm->pkey);
271 sk_X509_free(certstack);
273 "Credential file did not contain any actual credentials.");
277 sk_X509_num(certstack));
282 to_return->
data =
static_cast<void *
>(parm.
Release());
283 curl_easy_setopt(curl_handle, CURLOPT_SSL_CTX_DATA,
284 static_cast<sslctx_info *>(to_return->
data));
285 *info_data = to_return;
292 char error_buf[1024];
294 unsigned long next_err;
295 while ((next_err = ERR_get_error())) {
296 ERR_error_string_n(next_err, error_buf, 1024);
308 bearer_info *bearer =
static_cast<bearer_info *
>(token->
data);
309 delete static_cast<char *
>(bearer->token);
310 curl_slist_free_all(bearer->list);
311 delete static_cast<bearer_info *
>(token->
data);
316 sslctx_info *p =
static_cast<sslctx_info *
>(token->
data);
317 STACK_OF(X509) *chain = p->chain;
318 EVP_PKEY *pkey = p->pkey;
324 sk_X509_pop_free(chain, X509_free);
329 curl_easy_setopt(curl_handle, CURLOPT_SSL_CTX_DATA, 0);
struct cvmcache_context * ctx
virtual bool ConfigureCurlHandle(CURL *curl_handle, pid_t pid, void **info_data)
static CURLcode CallbackSslCtx(CURL *curl, void *sslctx, void *parm)
assert((mem||(size==0))&&"Out Of Memory")
AuthzToken * GetTokenCopy(const pid_t pid, const std::string &membership)
static bool ssl_strings_loaded_
bool ConfigureSciTokenCurl(CURL *curl_handle, const AuthzToken &token, void **info_data)
AuthzAttachment(AuthzSessionManager *sm)
AuthzSessionManager * authz_session_manager_
static void LogOpenSSLErrors(const char *top_message)
virtual void ReleaseCurlHandle(CURL *curl_handle, void *info_data)
CVMFS_EXPORT void LogCvmfs(const LogSource source, const int mask, const char *format,...)