4 #define __STDC_FORMAT_MACROS
7 #include <openssl/err.h>
8 #include <openssl/ssl.h>
28 STACK_OF(X509) *chain;
51 : authz_session_manager_(sm)
54 SSL_load_error_strings();
64 sslctx_info *p =
reinterpret_cast<sslctx_info *
>(parm);
65 SSL_CTX *
ctx =
reinterpret_cast<SSL_CTX *
>(sslctx);
70 STACK_OF(X509) *chain = p->chain;
71 EVP_PKEY *pkey = p->pkey;
75 int cert_count = sk_X509_num(chain);
76 if (cert_count == 0) {
79 X509 *cert = sk_X509_value(chain, 0);
82 if (!SSL_CTX_use_certificate(ctx, cert)) {
85 return CURLE_SSL_CERTPROBLEM;
88 if (!SSL_CTX_use_PrivateKey(ctx, pkey)) {
90 return CURLE_SSL_CERTPROBLEM;
93 if (!SSL_CTX_check_private_key(ctx)) {
95 return CURLE_SSL_CERTPROBLEM;
102 for (
int idx = 1; idx < cert_count; idx++) {
103 cert = sk_X509_value(chain, idx);
104 if (!SSL_CTX_add_extra_chain_cert(ctx, X509_dup(cert))) {
118 if (*info_data == NULL) {
121 saved_token->
data =
new bearer_info;
122 bearer_info* bearer =
static_cast<bearer_info*
>(saved_token->
data);
124 bearer->token =
static_cast<char*
>(smalloc((
sizeof(
char) * token.
size)+ 1));
125 memcpy(bearer->token, token.
data, token.
size);
126 static_cast<char*
>(bearer->token)[token.
size] = 0;
127 *info_data = saved_token;
131 bearer_info* bearer =
static_cast<bearer_info*
>(tmp_token->
data);
134 static_cast<char*>(bearer->token));
139 std::string auth_preamble =
"Authorization: Bearer ";
140 std::string auth_header = auth_preamble +
static_cast<char*
>(bearer->token);
141 bearer->list = curl_slist_append(bearer->list, auth_header.c_str());
142 int retval = curl_easy_setopt(curl_handle, CURLOPT_HTTPHEADER, bearer->list);
144 if (retval != CURLE_OK) {
167 curl_easy_setopt(curl_handle, CURLOPT_FRESH_CONNECT, 1);
168 curl_easy_setopt(curl_handle, CURLOPT_FORBID_REUSE, 1);
169 curl_easy_setopt(curl_handle, CURLOPT_SSL_SESSIONID_CACHE, 0);
173 if (!token.IsValid()) {
178 switch (token->type) {
194 curl_easy_setopt(curl_handle, CURLOPT_SSL_CTX_DATA, NULL);
198 curl_easy_setopt(curl_handle, CURLOPT_SSL_CTX_DATA,
199 static_cast<AuthzToken*>(*info_data)->data);
204 int retval = curl_easy_setopt(curl_handle,
205 CURLOPT_SSL_CTX_FUNCTION,
207 if (retval != CURLE_OK) {
214 STACK_OF(X509_INFO) *sk = NULL;
215 STACK_OF(X509) *certstack = sk_X509_new_null();
216 parm->chain = certstack;
217 if (certstack == NULL) {
222 BIO *bio_token = BIO_new_mem_buf(token->data, token->size);
223 assert(bio_token != NULL);
224 sk = PEM_X509_INFO_read_bio(bio_token, NULL, NULL, NULL);
228 sk_X509_INFO_free(sk);
229 sk_X509_free(certstack);
233 while (sk_X509_INFO_num(sk)) {
234 X509_INFO *xi = sk_X509_INFO_shift(sk);
235 if (xi == NULL) {
continue;}
236 if (xi->x509 != NULL) {
237 #ifdef OPENSSL_API_INTERFACE_V11
238 retval = X509_up_ref(xi->x509);
241 CRYPTO_add(&xi->x509->references, 1, CRYPTO_LOCK_X509);
243 sk_X509_push(certstack, xi->x509);
245 if ((xi->x_pkey != NULL) && (xi->x_pkey->dec_pkey != NULL)) {
246 parm->pkey = xi->x_pkey->dec_pkey;
247 #ifdef OPENSSL_API_INTERFACE_V11
248 retval = EVP_PKEY_up_ref(parm->pkey);
251 CRYPTO_add(&parm->pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
256 sk_X509_INFO_free(sk);
258 if (parm->pkey == NULL) {
261 BIO *bio_token = BIO_new_mem_buf(token->data, token->size);
262 assert(bio_token != NULL);
263 EVP_PKEY *old_pkey = PEM_read_bio_PrivateKey(bio_token, NULL, NULL, NULL);
266 parm->pkey = old_pkey;
268 sk_X509_free(certstack);
270 "credential did not contain a decrypted private key.");
275 if (!sk_X509_num(certstack)) {
276 EVP_PKEY_free(parm->pkey);
277 sk_X509_free(certstack);
279 "Credential file did not contain any actual credentials.");
283 sk_X509_num(certstack));
288 to_return->
data =
static_cast<void*
>(parm.
Release());
289 curl_easy_setopt(curl_handle, CURLOPT_SSL_CTX_DATA,
290 static_cast<sslctx_info*>(to_return->
data));
291 *info_data = to_return;
298 char error_buf[1024];
300 unsigned long next_err;
301 while ((next_err = ERR_get_error())) {
302 ERR_error_string_n(next_err, error_buf, 1024);
314 bearer_info* bearer =
static_cast<bearer_info*
>(token->
data);
315 delete static_cast<char*
>(bearer->token);
316 curl_slist_free_all(bearer->list);
317 delete static_cast<bearer_info*
>(token->
data);
322 sslctx_info *p =
static_cast<sslctx_info *
>(token->
data);
323 STACK_OF(X509) *chain = p->chain;
324 EVP_PKEY *pkey = p->pkey;
330 sk_X509_pop_free(chain, X509_free);
335 curl_easy_setopt(curl_handle, CURLOPT_SSL_CTX_DATA, 0);
struct cvmcache_context * ctx
virtual bool ConfigureCurlHandle(CURL *curl_handle, pid_t pid, void **info_data)
static CURLcode CallbackSslCtx(CURL *curl, void *sslctx, void *parm)
assert((mem||(size==0))&&"Out Of Memory")
AuthzToken * GetTokenCopy(const pid_t pid, const std::string &membership)
static bool ssl_strings_loaded_
bool ConfigureSciTokenCurl(CURL *curl_handle, const AuthzToken &token, void **info_data)
AuthzAttachment(AuthzSessionManager *sm)
AuthzSessionManager * authz_session_manager_
static void LogOpenSSLErrors(const char *top_message)
virtual void ReleaseCurlHandle(CURL *curl_handle, void *info_data)
CVMFS_EXPORT void LogCvmfs(const LogSource source, const int mask, const char *format,...)