4 #define __STDC_FORMAT_MACROS
7 #include <openssl/err.h>
8 #include <openssl/ssl.h>
28 STACK_OF(X509) *chain;
51 : authz_session_manager_(sm)
54 SSL_load_error_strings();
64 sslctx_info *p =
reinterpret_cast<sslctx_info *
>(parm);
65 SSL_CTX *
ctx =
reinterpret_cast<SSL_CTX *
>(sslctx);
70 STACK_OF(X509) *chain = p->chain;
71 EVP_PKEY *pkey = p->pkey;
75 int cert_count = sk_X509_num(chain);
76 if (cert_count == 0) {
79 X509 *cert = sk_X509_value(chain, 0);
82 if (!SSL_CTX_use_certificate(ctx, cert)) {
85 return CURLE_SSL_CERTPROBLEM;
88 if (!SSL_CTX_use_PrivateKey(ctx, pkey)) {
90 return CURLE_SSL_CERTPROBLEM;
93 if (!SSL_CTX_check_private_key(ctx)) {
95 return CURLE_SSL_CERTPROBLEM;
102 for (
int idx = 1; idx < cert_count; idx++) {
103 cert = sk_X509_value(chain, idx);
104 if (!SSL_CTX_add_extra_chain_cert(ctx, X509_dup(cert))) {
118 if (*info_data == NULL) {
121 saved_token->
data =
new bearer_info;
122 bearer_info* bearer =
static_cast<bearer_info*
>(saved_token->
data);
124 bearer->token =
static_cast<char*
>(smalloc((
sizeof(
char) * token.
size)+ 1));
125 memcpy(bearer->token, token.
data, token.
size);
126 static_cast<char*
>(bearer->token)[token.
size] = 0;
127 *info_data = saved_token;
131 bearer_info* bearer =
static_cast<bearer_info*
>(tmp_token->
data);
134 static_cast<char*>(bearer->token));
139 std::string auth_preamble =
"Authorization: Bearer ";
140 std::string auth_header = auth_preamble +
static_cast<char*
>(bearer->token);
141 bearer->list = curl_slist_append(bearer->list, auth_header.c_str());
142 int retval = curl_easy_setopt(curl_handle, CURLOPT_HTTPHEADER, bearer->list);
144 if (retval != CURLE_OK) {
163 curl_easy_setopt(curl_handle, CURLOPT_FRESH_CONNECT, 1);
164 curl_easy_setopt(curl_handle, CURLOPT_FORBID_REUSE, 1);
165 curl_easy_setopt(curl_handle, CURLOPT_SSL_SESSIONID_CACHE, 0);
169 if (!token.IsValid()) {
174 switch (token->type) {
190 curl_easy_setopt(curl_handle, CURLOPT_SSL_CTX_DATA, NULL);
194 curl_easy_setopt(curl_handle, CURLOPT_SSL_CTX_DATA,
195 static_cast<AuthzToken*>(*info_data)->data);
200 int retval = curl_easy_setopt(curl_handle,
201 CURLOPT_SSL_CTX_FUNCTION,
203 if (retval != CURLE_OK) {
210 STACK_OF(X509_INFO) *sk = NULL;
211 STACK_OF(X509) *certstack = sk_X509_new_null();
212 parm->chain = certstack;
213 if (certstack == NULL) {
218 BIO *bio_token = BIO_new_mem_buf(token->data, token->size);
219 assert(bio_token != NULL);
220 sk = PEM_X509_INFO_read_bio(bio_token, NULL, NULL, NULL);
224 sk_X509_INFO_free(sk);
225 sk_X509_free(certstack);
229 while (sk_X509_INFO_num(sk)) {
230 X509_INFO *xi = sk_X509_INFO_shift(sk);
231 if (xi == NULL) {
continue;}
232 if (xi->x509 != NULL) {
233 #ifdef OPENSSL_API_INTERFACE_V11
234 retval = X509_up_ref(xi->x509);
237 CRYPTO_add(&xi->x509->references, 1, CRYPTO_LOCK_X509);
239 sk_X509_push(certstack, xi->x509);
241 if ((xi->x_pkey != NULL) && (xi->x_pkey->dec_pkey != NULL)) {
242 parm->pkey = xi->x_pkey->dec_pkey;
243 #ifdef OPENSSL_API_INTERFACE_V11
244 retval = EVP_PKEY_up_ref(parm->pkey);
247 CRYPTO_add(&parm->pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
252 sk_X509_INFO_free(sk);
254 if (parm->pkey == NULL) {
257 BIO *bio_token = BIO_new_mem_buf(token->data, token->size);
258 assert(bio_token != NULL);
259 EVP_PKEY *old_pkey = PEM_read_bio_PrivateKey(bio_token, NULL, NULL, NULL);
262 parm->pkey = old_pkey;
264 sk_X509_free(certstack);
266 "credential did not contain a decrypted private key.");
271 if (!sk_X509_num(certstack)) {
272 EVP_PKEY_free(parm->pkey);
273 sk_X509_free(certstack);
275 "Credential file did not contain any actual credentials.");
279 sk_X509_num(certstack));
284 to_return->
data =
static_cast<void*
>(parm.
Release());
285 curl_easy_setopt(curl_handle, CURLOPT_SSL_CTX_DATA,
286 static_cast<sslctx_info*>(to_return->
data));
287 *info_data = to_return;
294 char error_buf[1024];
296 unsigned long next_err;
297 while ((next_err = ERR_get_error())) {
298 ERR_error_string_n(next_err, error_buf, 1024);
310 bearer_info* bearer =
static_cast<bearer_info*
>(token->
data);
311 delete static_cast<char*
>(bearer->token);
312 curl_slist_free_all(bearer->list);
313 delete static_cast<bearer_info*
>(token->
data);
318 sslctx_info *p =
static_cast<sslctx_info *
>(token->
data);
319 STACK_OF(X509) *chain = p->chain;
320 EVP_PKEY *pkey = p->pkey;
326 sk_X509_pop_free(chain, X509_free);
331 curl_easy_setopt(curl_handle, CURLOPT_SSL_CTX_DATA, 0);
#define LogCvmfs(source, mask,...)
struct cvmcache_context * ctx
virtual bool ConfigureCurlHandle(CURL *curl_handle, pid_t pid, void **info_data)
static CURLcode CallbackSslCtx(CURL *curl, void *sslctx, void *parm)
assert((mem||(size==0))&&"Out Of Memory")
AuthzToken * GetTokenCopy(const pid_t pid, const std::string &membership)
static bool ssl_strings_loaded_
bool ConfigureSciTokenCurl(CURL *curl_handle, const AuthzToken &token, void **info_data)
AuthzAttachment(AuthzSessionManager *sm)
AuthzSessionManager * authz_session_manager_
static void LogOpenSSLErrors(const char *top_message)
virtual void ReleaseCurlHandle(CURL *curl_handle, void *info_data)