
nordugrid-arc-nox  1.1.0~rc6
Arc::PayloadTLSMCC Class Reference

#include <PayloadTLSMCC.h>



Public Types

typedef signed long long int Size_t

Public Member Functions

 PayloadTLSMCC (MCCInterface *mcc, const ConfigTLSMCC &cfg, Logger &logger)
 Constructor - creates ssl object which is bound to next MCC.
 PayloadTLSMCC (PayloadStreamInterface *stream, const ConfigTLSMCC &cfg, Logger &logger)
 Constructor - creates ssl object which is bound to stream.
 PayloadTLSMCC (PayloadTLSMCC &stream)
 Copy constructor with new logger.
virtual ~PayloadTLSMCC (void)
const ConfigTLSMCCConfig (void)
unsigned long Flags (void)
void Flags (unsigned long flags)
void HandleError (int code=SSL_ERROR_NONE)
virtual bool Get (char *buf, int &size)
 Extracts information from stream up to 'size' bytes.
virtual bool Get (std::string &buf)
 Read as many as possible (sane amount) of bytes into buf.
virtual std::string Get (void)
 Read as many as possible (sane amount) of bytes.
virtual bool Put (const char *buf, Size_t size)
 Push 'size' bytes from 'buf' into stream.
virtual bool Put (const std::string &buf)
 Push information from 'buf' into stream.
virtual bool Put (const char *buf)
 Push null terminated information from 'buf' into stream.
virtual operator bool (void)
 Returns true if stream is valid.
virtual bool operator! (void)
 Returns true if stream is invalid.
virtual int Timeout (void) const
 Query current timeout for Get() and Put() operations.
virtual void Timeout (int to)
 Set current timeout for Get() and Put() operations.
virtual Size_t Pos (void) const
 Returns current position in stream if supported.
virtual Size_t Size (void) const
 Returns size of underlying object if supported.
virtual Size_t Limit (void) const
 Returns position at which stream reading will stop if supported.
X509 * GetPeerCert (void)
 Get peer certificate from the established ssl.
 STACK_OF (X509)*GetPeerChain(void)
 Get chain of peer certificates from the established ssl.
X509 * GetCert (void)
 Get local certificate from associated ssl.

Static Public Member Functions

static PayloadTLSMCCRetrieveInstance (X509_STORE_CTX *container)
static void HandleError (Logger &logger, int code=SSL_ERROR_NONE)
static void ClearError (void)

Protected Attributes

int timeout_
SSL * ssl_
 Timeout for read/write operations.
Loggerlogger_

Private Member Functions

bool StoreInstance (void)

Private Attributes

bool master_
 Specifies if this object owns internal SSL objects.
SSL_CTX * sslctx_
 SSL context.
ConfigTLSMCC config_
unsigned long flags_

Static Private Attributes

static int ex_data_index_ = -1

Detailed Description

Definition at line 19 of file PayloadTLSMCC.h.


Member Typedef Documentation

typedef signed long long int Arc::PayloadStreamInterface::Size_t [inherited]

Definition at line 18 of file PayloadStream.h.


Constructor & Destructor Documentation

Arc::PayloadTLSMCC::PayloadTLSMCC ( MCCInterface mcc,
const ConfigTLSMCC cfg,
Logger logger 
)

Constructor - creates ssl object which is bound to next MCC.

This instance must be used on the client side. It obtains the Stream interface from the next MCC dynamically.

Definition at line 210 of file PayloadTLSMCC.cpp.

                                                                                      :PayloadTLSStream(logger),sslctx_(NULL),config_(cfg) {
   // Client-side setup: build an SSL_CTX and an SSL object bound to a BIO that
   // talks to the next MCC, then run the handshake (SSL_connect) before
   // returning. On any failure control jumps to 'error', which logs, frees
   // whatever was created and leaves ssl_/sslctx_ NULL so that operator bool()
   // reports an invalid stream.
   // NOTE(review): flags_ is not initialised here (nor in the other
   // constructors shown), so Flags() returns an indeterminate value.
   // Client mode
   int err = SSL_ERROR_NONE;
   master_=true;
   // Creating BIO for communication through stream which it will
   // extract from provided MCC
   BIO* bio = BIO_new_MCC(mcc);
   // Initialize the SSL Context object
   // SSLv23_client_method() negotiates the highest version both sides support;
   // the else-branch pins the connection to SSLv3.
   // NOTE(review): SSLv3 is obsolete and has known protocol weaknesses;
   // confirm the no-handshake configuration is still required before keeping
   // this branch.
   if(cfg.IfTLSHandshake()) {
     sslctx_=SSL_CTX_new(SSLv23_client_method());
   } else {
     sslctx_=SSL_CTX_new(SSLv3_client_method());
   };
   if(sslctx_==NULL){
      logger.msg(ERROR, "Can not create the SSL Context object");
      goto error;
   };
   // Partial writes are allowed so Put() can loop on short writes; session
   // caching is disabled.
   SSL_CTX_set_mode(sslctx_,SSL_MODE_ENABLE_PARTIAL_WRITE);
   SSL_CTX_set_session_cache_mode(sslctx_,SSL_SESS_CACHE_OFF);
   if(!config_.Set(sslctx_,logger_)) goto error;
   // Peer verification is mandatory and routed through verify_callback (defined
   // elsewhere). SSL_VERIFY_FAIL_IF_NO_PEER_CERT only has an effect on the
   // server side, so it is harmless here.
   // NOTE(review): nothing in this constructor binds the peer certificate to
   // an expected host name; if verify_callback does not do that, the check is
   // only "chain validates against the configured trust store".
   SSL_CTX_set_verify(sslctx_, SSL_VERIFY_PEER |  SSL_VERIFY_FAIL_IF_NO_PEER_CERT, &verify_callback);

   // Allow proxies, request CRL check
#ifdef HAVE_OPENSSL_X509_VERIFY_PARAM
   // NOTE(review): sslctx_->param reaches into the SSL_CTX struct, which is
   // opaque in newer OpenSSL; SSL_CTX_get0_param() is the accessor.
   // X509_V_FLAG_CRL_CHECK checks the CRL of the leaf certificate only;
   // X509_V_FLAG_CRL_CHECK_ALL would cover the whole chain.
   if(sslctx_->param == NULL) {
      logger.msg(ERROR,"Can't set OpenSSL verify flags");
      goto error;
   } else {
#ifdef HAVE_OPENSSL_PROXY
      if(sslctx_->param) X509_VERIFY_PARAM_set_flags(sslctx_->param,X509_V_FLAG_CRL_CHECK | X509_V_FLAG_ALLOW_PROXY_CERTS);
#else
      if(sslctx_->param) X509_VERIFY_PARAM_set_flags(sslctx_->param,X509_V_FLAG_CRL_CHECK);
#endif
   };
#endif
   // Register 'this' in the context's ex_data so verify_callback can find it
   // through RetrieveInstance(). The return value is ignored here.
   StoreInstance();
   // NOTE(review): SSL_OP_ALL switches on every interoperability workaround,
   // including ones that trade protection for compatibility (e.g.
   // SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); listing only the needed workarounds
   // and adding SSL_OP_NO_SSLv3 on the SSLv23 path would be the tighter choice.
#ifdef SSL_OP_NO_TICKET
   SSL_CTX_set_options(sslctx_, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2 | SSL_OP_ALL | SSL_OP_NO_TICKET);
#else
   SSL_CTX_set_options(sslctx_, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2 | SSL_OP_ALL);
#endif

   // Private keys are expected to be unencrypted; no_passphrase_callback
   // (defined elsewhere) presumably refuses to prompt.
   SSL_CTX_set_default_passwd_cb(sslctx_, no_passphrase_callback);
   /* NOTE(review): no DN extraction happens in this constructor; if a message
      attribute is meant to carry the peer DN it must be filled elsewhere. */

   // Creating SSL object for handling connection
   ssl_ = SSL_new(sslctx_);
   if (ssl_ == NULL){
      logger.msg(ERROR, "Can not create the SSL object");
      goto error;
   };
   // After SSL_set_bio the SSL object owns 'bio'; clearing the local pointer
   // keeps the error path from freeing it a second time.
   SSL_set_bio(ssl_,bio,bio); bio=NULL;
   //SSL_set_connect_state(ssl_);
   if((err=SSL_connect(ssl_)) != 1) {
      logger.msg(ERROR, "Failed to establish SSL connection");
      goto error;
   };
   // if(SSL_in_init(ssl_)){
   //handle error
   // }
   return;
error:
   // TODO(review): 'err' here is SSL_connect()'s return value (0 or -1), not an
   // error code; Get()/Put() pass SSL_get_error(ssl_,ret) instead, and this
   // path should do the same so HandleError() logs something meaningful.
   HandleError(err);
   if(bio) BIO_free(bio);
   if(ssl_) SSL_free(ssl_); ssl_=NULL;
   if(sslctx_) SSL_CTX_free(sslctx_); sslctx_=NULL;
   return;
}


Arc::PayloadTLSMCC::PayloadTLSMCC ( PayloadStreamInterface stream,
const ConfigTLSMCC cfg,
Logger logger 
)

Constructor - creates ssl object which is bound to stream.

This constructor is to be used on the server side. The provided stream is NOT destroyed in the destructor.

Definition at line 279 of file PayloadTLSMCC.cpp.

                                                                                                   :PayloadTLSStream(logger),sslctx_(NULL),config_(cfg) {
   // Server-side setup: build an SSL_CTX and an SSL object bound to a BIO over
   // the caller-provided stream, then run the handshake (SSL_accept) before
   // returning. On any failure control jumps to 'error', which logs, frees
   // what was created and leaves ssl_/sslctx_ NULL so operator bool() reports
   // an invalid stream. The provided stream itself is never freed here.
   // NOTE(review): flags_ is not initialised in this constructor.
   // Server mode
   int err = SSL_ERROR_NONE;
   master_=true;
   // Creating BIO for communication through provided stream
   BIO* bio = BIO_new_MCC(stream);
   // Initialize the SSL Context object
   // NOTE(review): the no-handshake branch pins the server to SSLv3, which is
   // obsolete and has known protocol weaknesses; confirm that configuration
   // is still needed.
   if(cfg.IfTLSHandshake()) {
     sslctx_=SSL_CTX_new(SSLv23_server_method());
   } else {
     sslctx_=SSL_CTX_new(SSLv3_server_method());
   };
   if(sslctx_==NULL){
      logger.msg(ERROR, "Can not create the SSL Context object");
      goto error;
   };
   // Partial writes are allowed so Put() can loop on short writes; session
   // caching is disabled.
   SSL_CTX_set_mode(sslctx_,SSL_MODE_ENABLE_PARTIAL_WRITE);
   SSL_CTX_set_session_cache_mode(sslctx_,SSL_SESS_CACHE_OFF);
   // A client certificate is requested and required only when the
   // configuration asks for client authentication; otherwise the peer is not
   // verified at all and GetPeerCert() will have nothing to return.
   if(config_.IfClientAuthn()) {
     SSL_CTX_set_verify(sslctx_, SSL_VERIFY_PEER |  SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE, &verify_callback);
   }
   else {
     SSL_CTX_set_verify(sslctx_, SSL_VERIFY_NONE, NULL);
   }
   // NOTE(review): unlike the client constructor, the verify mode is set
   // before config_.Set(); if Set() also touches verify settings the later
   // call wins - confirm the intended order.
   if(!config_.Set(sslctx_,logger_)) goto error;

   // Allow proxies, request CRL check
#ifdef HAVE_OPENSSL_X509_VERIFY_PARAM
   // NOTE(review): direct access to sslctx_->param is not possible with an
   // opaque SSL_CTX; SSL_CTX_get0_param() is the accessor. X509_V_FLAG_CRL_CHECK
   // covers the leaf certificate only (X509_V_FLAG_CRL_CHECK_ALL for the chain).
   if(sslctx_->param == NULL) {
      logger.msg(ERROR,"Can't set OpenSSL verify flags");
      goto error;
   } else {
#ifdef HAVE_OPENSSL_PROXY
      if(sslctx_->param) X509_VERIFY_PARAM_set_flags(sslctx_->param,X509_V_FLAG_CRL_CHECK | X509_V_FLAG_ALLOW_PROXY_CERTS);
#else
      if(sslctx_->param) X509_VERIFY_PARAM_set_flags(sslctx_->param,X509_V_FLAG_CRL_CHECK);
#endif
   };
#endif
   // Register 'this' in the context's ex_data for RetrieveInstance(); the
   // return value is ignored.
   StoreInstance();
   // NOTE(review): SSL_OP_NO_TICKET is applied on the client side but not here,
   // and SSL_OP_ALL enables every interoperability workaround, some of which
   // weaken protection; consider listing only the required ones.
   SSL_CTX_set_options(sslctx_, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2 | SSL_OP_ALL);
   // Private keys are expected to be unencrypted; no_passphrase_callback
   // (defined elsewhere) presumably refuses to prompt.
   SSL_CTX_set_default_passwd_cb(sslctx_, no_passphrase_callback);

   // Creating SSL object for handling connection
   ssl_ = SSL_new(sslctx_);
   if (ssl_ == NULL){
      logger.msg(ERROR, "Can not create the SSL object");
      goto error;
   };
   // The SSL object owns 'bio' from here on; clearing the local pointer keeps
   // the error path from freeing it twice.
   SSL_set_bio(ssl_,bio,bio); bio=NULL;
   //SSL_set_accept_state(ssl_);
   if((err=SSL_accept(ssl_)) != 1) {
      logger.msg(ERROR, "Failed to accept SSL connection");
      goto error;
   };
   //handle error
   // if(SSL_in_init(ssl_)){
   //handle error
   // }
   return;
error:
   // TODO(review): 'err' is SSL_accept()'s return value (0 or -1), not an
   // error code; pass SSL_get_error(ssl_,err) as Get()/Put() do so that
   // HandleError() logs something meaningful.
   HandleError(err);
   if(bio) BIO_free(bio);
   if(ssl_) SSL_free(ssl_); ssl_=NULL;
   if(sslctx_) SSL_CTX_free(sslctx_); sslctx_=NULL;
   return;
}


Copy constructor with new logger.

The created object shares the same SSL objects but does not destroy them in its destructor. The main instance must be destroyed after all copied ones.

Definition at line 347 of file PayloadTLSMCC.cpp.

                                                 :
  PayloadTLSStream(stream), config_(stream.config_) {
   // Shallow copy: shares the original's SSL_CTX/SSL without taking ownership
   // (master_ stays false, so the destructor leaves them alone). The original
   // must outlive this copy.
   // NOTE(review): flags_ is neither copied nor initialised here, and no
   // separate logger is taken despite the "new logger" wording in the class
   // documentation; the logger comes from the copied base.
   master_=false;
   sslctx_=stream.sslctx_;
   ssl_=stream.ssl_;
}
Arc::PayloadTLSMCC::~PayloadTLSMCC ( void  ) [virtual]

Definition at line 355 of file PayloadTLSMCC.cpp.

                                  {
  // Only the master instance (the one that created the SSL objects) tears them
  // down; copies made with the copy constructor share them and must be
  // destroyed first.
  if (!master_)
    return;
  if (ssl_) {
    // A single SSL_shutdown() call sends our close_notify; a negative result
    // is an error, while a zero result (peer's close_notify not yet received)
    // is deliberately not treated as a failure here.
    if (SSL_shutdown(ssl_) < 0)
      logger_.msg(ERROR, "Failed to shut down SSL");
    SSL_free(ssl_);
    ssl_ = NULL;
  }
  if(sslctx_) {
    SSL_CTX_free(sslctx_);
    sslctx_ = NULL;
  }
}



Member Function Documentation

void Arc::PayloadTLSStream::ClearError ( void  ) [static, inherited]

Definition at line 49 of file PayloadTLSStream.cpp.

                                      {
  // Drain OpenSSL's thread-local error queue so stale entries are not
  // attributed to a later operation. ERR_get_error() returns 0 once empty.
  while(ERR_get_error() != 0) {
  }
}


const ConfigTLSMCC& Arc::PayloadTLSMCC::Config ( void  ) [inline]

Definition at line 45 of file PayloadTLSMCC.h.

{ return config_; }; // Read-only view of the TLS configuration this instance was built from.


unsigned long Arc::PayloadTLSMCC::Flags ( void  ) [inline]

Definition at line 47 of file PayloadTLSMCC.h.

{ return flags_; }; // NOTE(review): none of the constructors shown initialise flags_, so this is indeterminate until the setter has been called.


void Arc::PayloadTLSMCC::Flags ( unsigned long  flags) [inline]

Definition at line 48 of file PayloadTLSMCC.h.

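{ flags_=flags; }; // Store the caller-supplied flags so that Flags() returns them.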
bool Arc::PayloadTLSStream::Get ( char *  buf,
int &  size 
) [virtual, inherited]

Extracts information from stream up to 'size' bytes.

'size' contains the number of bytes read on exit. Returns true in case of success.

Implements Arc::PayloadStreamInterface.

Definition at line 68 of file PayloadTLSStream.cpp.

                                              {
  // Read up to 'size' bytes into 'buf' with a single SSL_read(); 'size' is
  // rewritten with the number of bytes actually read (0 on failure).
  // Returns false if the stream is not established or the read fails.
  if(ssl_ == NULL) return false;
  //ssl read
  ssize_t l=size;
  size=0;
  l=SSL_read(ssl_,buf,l);
  // SSL_read() returns 0 on a clean close_notify as well as on error; both are
  // reported as failure here, so callers see end-of-stream as an error.
  // NOTE(review): timeout_ is not consulted in this body; it is presumably
  // enforced in the underlying BIO/MCC.
  if(l <= 0){
     HandleError(SSL_get_error(ssl_,l));
     return false;
  }
  size=l;
  return true;
}


bool Arc::PayloadTLSStream::Get ( std::string &  buf) [virtual, inherited]

Read as many as possible (sane amount) of bytes into buf.

Implements Arc::PayloadStreamInterface.

Definition at line 82 of file PayloadTLSStream.cpp.

                                         {
  // Pull at most one fixed-size chunk from the TLS stream and hand it back in
  // 'buf'. Get(char*,int&) leaves the length at 0 when it fails, so 'buf' is
  // emptied in that case and the failure is reported via the return value.
  char chunk[1024];
  int got = sizeof(chunk);
  const bool ok = Get(chunk,got);
  buf.assign(chunk,got);
  return ok;
}


virtual std::string Arc::PayloadTLSStream::Get ( void  ) [inline, virtual, inherited]

Read as many as possible (sane amount) of bytes.

Implements Arc::PayloadStreamInterface.

Definition at line 35 of file PayloadTLSStream.h.

{ std::string buf; Get(buf); return buf; }; // Convenience wrapper over Get(std::string&): a failed read yields an empty string, indistinguishable from "no data".



X509 * Arc::PayloadTLSStream::GetCert ( void  ) [inherited]

Get local certificate from associated ssl.

The obtained X509 object is owned by this instance and becomes invalid after its destruction.

Definition at line 123 of file PayloadTLSStream.cpp.

                                   {
  // Returns the local certificate loaded into the SSL object, or NULL (with a
  // warning) if none is set. SSL_get_certificate() returns an internal
  // pointer, so the result is owned by the SSL object and must not be freed.
  X509* cert;
  if(ssl_ == NULL) return NULL;
  cert=SSL_get_certificate (ssl_);
  if(cert!=NULL) return cert;
  logger_.msg(WARNING,"Certificate cannot be extracted, make sure it is the case where client side authentication is turned off");
  HandleError();
  return NULL;
}



X509 * Arc::PayloadTLSStream::GetPeerCert ( void  ) [inherited]

Get peer certificate from the established ssl.

The obtained X509 object is owned by this instance and becomes invalid after its destruction. Still, the obtained object has to be freed at the end of usage.

Definition at line 105 of file PayloadTLSStream.cpp.

                                       {
  // Returns the peer's certificate only if OpenSSL's own chain verification
  // succeeded; otherwise logs the verification failure and returns NULL.
  // SSL_get_peer_certificate() hands back a reference-counted copy, which is
  // why callers must X509_free() what they receive.
  X509* peercert;
  int err;
  if(ssl_ == NULL) return NULL;
  if((err=SSL_get_verify_result(ssl_)) == X509_V_OK){
    peercert=SSL_get_peer_certificate (ssl_);
    // NULL here means the peer presented no certificate (e.g. a server side
    // configured with SSL_VERIFY_NONE); the verify result is presumably
    // X509_V_OK in that case as well.
    if(peercert!=NULL) return peercert;
    logger_.msg(ERROR,"Peer certificate cannot be extracted");
    HandleError();
  }
  else{
    logger_.msg(ERROR,"Peer cert verification fail");
    logger_.msg(ERROR,"%s",X509_verify_cert_error_string(err));
    // NOTE(review): 'err' is an X509_V_ERR_* code, but HandleError() treats
    // its argument as an ERR_get_error() code, so the extra line it logs for
    // this value is misleading; HandleError() with no argument would simply
    // drain the queue.
    HandleError(err);
  }
  return NULL;
}



void Arc::PayloadTLSStream::HandleError ( int  code = SSL_ERROR_NONE) [inherited]

Definition at line 25 of file PayloadTLSStream.cpp.

                                           {
   // Instance convenience: logs via this stream's own logger.
   HandleError(logger_,code);
}


void Arc::PayloadTLSStream::HandleError ( Logger logger,
int  code = SSL_ERROR_NONE 
) [static, inherited]

Definition at line 29 of file PayloadTLSStream.cpp.

                                                          {
  // Log every pending OpenSSL error from the thread's error queue through
  // 'logger' and leave the queue empty. A non-zero 'code' is logged first as
  // if it were a queue entry, then the queue is drained.
  unsigned long e = (code==SSL_ERROR_NONE)?ERR_get_error():code;
  while(e != SSL_ERROR_NONE) {
    // NOTE(review): SSL_ERROR_SYSCALL is an SSL_get_error() category, whereas
    // 'e' is a packed ERR_get_error() code; the two are different namespaces,
    // so this comparison does not reliably identify system-call failures.
    if(e == SSL_ERROR_SYSCALL) {
      // Hiding system errors
      //logger.msg(ERROR, "SSL error: %d - system call failed",e); 
    } else {
      const char* lib = ERR_lib_error_string(e);
      const char* func = ERR_func_error_string(e);
      const char* reason = ERR_reason_error_string(e);
      // NOTE(review): 'e' is unsigned long but formatted with %d; whether that
      // matters depends on how Logger::msg interprets the format string.
      logger.msg(ERROR, "SSL error: %d - %s:%s:%s", 
                        e, 
                        lib?lib:"",
                        func?func:"",
                        reason?reason:"");
    };
    e = ERR_get_error();
  }
}


virtual Size_t Arc::PayloadTLSStream::Limit ( void  ) const [inline, virtual, inherited]

Returns position at which stream reading will stop if supported.

That may not be the same as Size() if the instance is meant to provide access to only part of the underlying object.

Implements Arc::PayloadStreamInterface.

Definition at line 45 of file PayloadTLSStream.h.

{ return 0; }; // Not supported for a TLS stream; always 0.
virtual Arc::PayloadTLSStream::operator bool ( void  ) [inline, virtual, inherited]

Returns true if stream is valid.

Implements Arc::PayloadStreamInterface.

Definition at line 39 of file PayloadTLSStream.h.

{ return (ssl_ != NULL); }; // Valid once the constructor's handshake succeeded; every failure path there clears ssl_.
virtual bool Arc::PayloadTLSStream::operator! ( void  ) [inline, virtual, inherited]

Returns true if stream is invalid.

Implements Arc::PayloadStreamInterface.

Definition at line 40 of file PayloadTLSStream.h.

{ return (ssl_ == NULL); }; // Negation of operator bool(): true when no SSL object is attached.
virtual Size_t Arc::PayloadTLSStream::Pos ( void  ) const [inline, virtual, inherited]

Returns current position in stream if supported.

Implements Arc::PayloadStreamInterface.

Definition at line 43 of file PayloadTLSStream.h.

{ return 0; }; // Not supported for a TLS stream; always 0.
bool Arc::PayloadTLSStream::Put ( const char *  buf,
Size_t  size 
) [virtual, inherited]

Push 'size' bytes from 'buf' into stream.

Returns true on success.

Implements Arc::PayloadStreamInterface.

Definition at line 90 of file PayloadTLSStream.cpp.

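                                                      {
  // Write all 'size' bytes from 'buf' through the TLS layer, looping on
  // short writes (SSL_MODE_ENABLE_PARTIAL_WRITE is set on the context by the
  // constructors). Returns false, after logging via HandleError(), if the
  // stream is not established, the length is negative, or SSL_write() fails.
  //ssl write
  ssize_t l;
  if(ssl_ == NULL) return false;
  // A negative length cannot be written; reject it instead of looping until
  // the signed counter wraps.
  if(size < 0) return false;
  // SSL_write() takes an int length, so hand it at most this much per call
  // rather than letting a large Size_t be truncated on conversion.
  const Size_t kMaxSslWrite = 0x7fffffffLL;
  for(;size;){
     const int chunk = (size > kMaxSslWrite) ? static_cast<int>(kMaxSslWrite)
                                             : static_cast<int>(size);
     l=SSL_write(ssl_,buf,chunk);
     if(l <= 0){
        HandleError(SSL_get_error(ssl_,l));
        return false;
     }
     buf+=l; size-=l;
  }
  return true;
}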



virtual bool Arc::PayloadTLSStream::Put ( const std::string &  buf) [inline, virtual, inherited]

Push information from 'buf' into stream.

Returns true on success.

Implements Arc::PayloadStreamInterface.

Definition at line 37 of file PayloadTLSStream.h.

{ return Put(buf.c_str(),buf.length()); }; // Forwards the string's full length, so embedded NUL bytes are written too.



virtual bool Arc::PayloadTLSStream::Put ( const char *  buf) [inline, virtual, inherited]

Push null terminated information from 'buf' into stream.

Returns true on success.

Implements Arc::PayloadStreamInterface.

Definition at line 38 of file PayloadTLSStream.h.

{ return Put(buf,buf?strlen(buf):0); }; // A NULL pointer is treated as an empty write (size 0) rather than dereferenced.



PayloadTLSMCC * Arc::PayloadTLSMCC::RetrieveInstance ( X509_STORE_CTX *  container) [static]

Definition at line 193 of file PayloadTLSMCC.cpp.

                                                                        {
  // Walks back from an X509_STORE_CTX (as seen by verify_callback) to the
  // PayloadTLSMCC that owns the connection: store ctx -> SSL -> SSL_CTX ->
  // the ex_data slot filled by StoreInstance(). Returns NULL (after logging)
  // if no index was ever registered or any link in that chain is missing.
  PayloadTLSMCC* it = NULL;
  if(ex_data_index_ != -1) {
    SSL* ssl = (SSL*)X509_STORE_CTX_get_ex_data(container,SSL_get_ex_data_X509_STORE_CTX_idx());
    if(ssl != NULL) {
      SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(ssl);
      if(ssl_ctx != NULL) {
        // NOTE(review): ex_data_index_ is read without synchronisation; see
        // StoreInstance() for the race on its assignment.
        it = (PayloadTLSMCC*)SSL_CTX_get_ex_data(ssl_ctx,ex_data_index_);
      }
    };
  };
  if(it == NULL) {
    Logger::getRootLogger().msg(ERROR,"Failed to retrieve application data from OpenSSL");
  };
  return it;
}



virtual Size_t Arc::PayloadTLSStream::Size ( void  ) const [inline, virtual, inherited]

Returns size of underlying object if supported.

Implements Arc::PayloadStreamInterface.

Definition at line 44 of file PayloadTLSStream.h.

{ return 0; }; // Not supported for a TLS stream; always 0.
Arc::PayloadTLSStream::STACK_OF ( X509  ) [inherited]

Get chain of peer certificates from the established ssl.

The obtained X509 object is owned by this instance and becomes invalid after its destruction.

bool Arc::PayloadTLSMCC::StoreInstance ( void  ) [private]

Definition at line 180 of file PayloadTLSMCC.cpp.

                                      {
   // Lazily allocates a process-wide SSL_CTX ex_data slot (ex_data_index_) and
   // stores 'this' in sslctx_ under it, so verify_callback can get back to
   // this object via RetrieveInstance(). Returns false if no slot could be
   // obtained. ex_data_id is defined elsewhere.
   if(ex_data_index_ == -1) {
      // In case of race condition we will have 2 indices assigned - harmless
      // NOTE(review): not entirely harmless - an instance stored under the
      // first index becomes unreachable through RetrieveInstance() once
      // ex_data_index_ is overwritten by the second allocation; a one-time
      // initialisation of the index would avoid that.
      ex_data_index_=SSL_CTX_get_ex_new_index(0,ex_data_id,NULL,NULL,NULL);
   };
   if(ex_data_index_ == -1) {
      Logger::getRootLogger().msg(ERROR,"Failed to store application data");
      return false;
   };
   SSL_CTX_set_ex_data(sslctx_,ex_data_index_,this);
   return true;
}



virtual int Arc::PayloadTLSStream::Timeout ( void  ) const [inline, virtual, inherited]

Query current timeout for Get() and Put() operations.

Implements Arc::PayloadStreamInterface.

Definition at line 41 of file PayloadTLSStream.h.

{ return timeout_; }; // NOTE(review): the Get()/Put() bodies shown do not read timeout_; it is presumably enforced in the underlying BIO/MCC.
virtual void Arc::PayloadTLSStream::Timeout ( int  to) [inline, virtual, inherited]

Set current timeout for Get() and Put() operations.

Implements Arc::PayloadStreamInterface.

Definition at line 42 of file PayloadTLSStream.h.

{ timeout_=to; }; // Stores the timeout; NOTE(review): the Get()/Put() bodies shown do not consult it.

Member Data Documentation

Definition at line 27 of file PayloadTLSMCC.h.

int Arc::PayloadTLSMCC::ex_data_index_ = -1 [static, private]

Definition at line 25 of file PayloadTLSMCC.h.

unsigned long Arc::PayloadTLSMCC::flags_ [private]

Definition at line 30 of file PayloadTLSMCC.h.

Logger& Arc::PayloadTLSStream::logger_ [protected, inherited]

Definition at line 20 of file PayloadTLSStream.h.

Specifies if this object owns internal SSL objects.

Definition at line 22 of file PayloadTLSMCC.h.

SSL* Arc::PayloadTLSStream::ssl_ [protected, inherited]

Timeout for read/write operations.

Definition at line 19 of file PayloadTLSStream.h.

SSL_CTX* Arc::PayloadTLSMCC::sslctx_ [private]

SSL context.

Definition at line 24 of file PayloadTLSMCC.h.

int Arc::PayloadTLSStream::timeout_ [protected, inherited]

Definition at line 18 of file PayloadTLSStream.h.


The documentation for this class was generated from the following files: