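Lines matching defs:TLScontext (matching lines only, not contiguous code; the number at the start of each line is its line number in the original source file)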

17 /*	TLS_SESS_STATE *tls_server_post_accept(TLScontext)
18 /* TLS_SESS_STATE *TLScontext;
20 /* void tls_server_stop(app_ctx, stream, failure, TLScontext)
24 /* TLS_SESS_STATE *TLScontext;
50 /* state is available via the TLScontext structure:
51 /* .IP TLScontext->protocol
53 /* .IP TLScontext->cipher_name
55 /* .IP TLScontext->cipher_usebits
57 /* .IP TLScontext->cipher_algbits
65 /* .IP TLScontext->peer_status
69 /* .IP TLScontext->peer_CN
72 /* .IP TLScontext->issuer_CN
75 /* .IP TLScontext->peer_cert_fprint
190 TLS_SESS_STATE *TLScontext;
195 if ((TLScontext = SSL_get_ex_data(ssl, TLScontext_index)) == 0)
196 msg_panic("%s: null TLScontext in session lookup callback", myname);
207 GEN_CACHE_ID(cache_id, session_id, session_id_length, TLScontext->serverid);
209 if (TLScontext->log_mask & TLS_LOG_CACHE)
210 msg_info("%s: looking up session %s in %s cache", TLScontext->namaddr,
211 STR(cache_id), TLScontext->cache_type);
216 if (tls_mgr_lookup(TLScontext->cache_type, STR(cache_id),
219 if (session && (TLScontext->log_mask & TLS_LOG_CACHE))
221 TLScontext->namaddr, STR(cache_id),
222 TLScontext->cache_type);
236 static void uncache_session(SSL_CTX *ctx, TLS_SESS_STATE *TLScontext)
239 SSL_SESSION *session = SSL_get_session(TLScontext->con);
245 if (TLScontext->cache_type == 0)
249 GEN_CACHE_ID(cache_id, sid, sid_length, TLScontext->serverid);
251 if (TLScontext->log_mask & TLS_LOG_CACHE)
252 msg_info("%s: remove session %s from %s cache", TLScontext->namaddr,
253 STR(cache_id), TLScontext->cache_type);
255 tls_mgr_delete(TLScontext->cache_type, STR(cache_id));
265 TLS_SESS_STATE *TLScontext;
270 if ((TLScontext = SSL_get_ex_data(ssl, TLScontext_index)) == 0)
271 msg_panic("%s: null TLScontext in new session callback", myname);
274 GEN_CACHE_ID(cache_id, sid, sid_length, TLScontext->serverid);
276 if (TLScontext->log_mask & TLS_LOG_CACHE)
277 msg_info("%s: save session %s to %s cache", TLScontext->namaddr,
278 STR(cache_id), TLScontext->cache_type);
285 tls_mgr_update(TLScontext->cache_type, STR(cache_id),
316 TLS_SESS_STATE *TLScontext = SSL_get_ex_data(con, TLScontext_index);
335 if (TLScontext->log_mask & TLS_LOG_CACHE)
337 TLScontext->namaddr, (long) key->tout);
340 if (TLScontext->log_mask & TLS_LOG_CACHE)
342 TLScontext->namaddr, (long) key->tout);
344 TLScontext->ticketed = 1;
357 TLS_SESS_STATE *TLScontext = SSL_get_ex_data(con, TLScontext_index);
370 if (TLScontext->log_mask & TLS_LOG_CACHE)
372 TLScontext->namaddr, (long) key->tout);
375 if (TLScontext->log_mask & TLS_LOG_CACHE)
377 TLScontext->namaddr, (long) key->tout);
379 TLScontext->ticketed = 1;
444 * attach TLScontext information; this information is needed inside
819 TLS_SESS_STATE *TLScontext;
835 * Allocate a new TLScontext for the new connection and get an SSL
836 * structure. Add the location of TLScontext to the SSL to later retrieve
839 TLScontext = tls_alloc_sess_context(log_mask, props->namaddr);
840 TLScontext->cache_type = app_ctx->cache_type;
843 if ((TLScontext->con = (SSL *) SSL_new(app_ctx->ssl_ctx)) == 0) {
844 msg_warn("Could not allocate 'TLScontext->con' with SSL_new()");
846 tls_free_context(TLScontext);
849 cipher_list = tls_set_ciphers(TLScontext, props->cipher_grade,
853 tls_free_context(TLScontext);
859 TLScontext->serverid = mystrdup(props->serverid);
860 TLScontext->am_server = 1;
861 TLScontext->stream = props->stream;
862 TLScontext->mdalg = props->mdalg;
864 if (!SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext)) {
865 msg_warn("Could not set application data for 'TLScontext->con'");
867 tls_free_context(TLScontext);
873 SSL_set_security_level(TLScontext->con, 1);
886 if (SSL_set_fd(TLScontext->con, props->stream == 0 ? props->fd :
890 uncache_session(app_ctx->ssl_ctx, TLScontext);
891 tls_free_context(TLScontext);
905 tls_set_bio_callback(SSL_get_rbio(TLScontext->con), tls_bio_dump_cb);
912 return (TLScontext);
928 TLScontext);
939 tls_free_context(TLScontext);
942 return (tls_server_post_accept(TLScontext));
947 TLS_SESS_STATE *tls_server_post_accept(TLS_SESS_STATE *TLScontext)
954 if ((TLScontext->log_mask & TLS_LOG_ALLPKTS) == 0)
955 tls_set_bio_callback(SSL_get_rbio(TLScontext->con), 0);
961 TLScontext->session_reused = SSL_session_reused(TLScontext->con);
962 if ((TLScontext->log_mask & TLS_LOG_CACHE) && TLScontext->session_reused)
963 msg_info("%s: Reusing old session%s", TLScontext->namaddr,
964 TLScontext->ticketed ? " (RFC 5077 session ticket)" : "");
970 peer = TLS_PEEK_PEER_CERT(TLScontext->con);
972 TLScontext->peer_status |= TLS_CERT_FLAG_PRESENT;
973 if (SSL_get_verify_result(TLScontext->con) == X509_V_OK)
974 TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED;
976 if (TLScontext->log_mask & TLS_LOG_VERBOSE) {
984 TLScontext->peer_CN = tls_peer_CN(peer, TLScontext);
985 TLScontext->issuer_CN = tls_issuer_CN(peer, TLScontext);
986 TLScontext->peer_cert_fprint = tls_cert_fprint(peer, TLScontext->mdalg);
987 TLScontext->peer_pkey_fprint = tls_pkey_fprint(peer, TLScontext->mdalg);
989 if (TLScontext->log_mask & (TLS_LOG_VERBOSE | TLS_LOG_PEERCERT)) {
992 TLScontext->namaddr,
993 TLScontext->peer_CN, TLScontext->issuer_CN,
994 TLScontext->peer_cert_fprint,
995 TLScontext->peer_pkey_fprint);
1005 if (!TLS_CERT_IS_TRUSTED(TLScontext)
1006 && (TLScontext->log_mask & TLS_LOG_UNTRUSTED)) {
1007 if (TLScontext->session_reused == 0)
1008 tls_log_verify_error(TLScontext);
1012 TLScontext->namaddr);
1015 TLScontext->peer_CN = mystrdup("");
1016 TLScontext->issuer_CN = mystrdup("");
1017 TLScontext->peer_cert_fprint = mystrdup("");
1018 TLScontext->peer_pkey_fprint = mystrdup("");
1024 TLScontext->protocol = SSL_get_version(TLScontext->con);
1025 cipher = SSL_get_current_cipher(TLScontext->con);
1026 TLScontext->cipher_name = SSL_CIPHER_get_name(cipher);
1027 TLScontext->cipher_usebits = SSL_CIPHER_get_bits(cipher,
1028 &(TLScontext->cipher_algbits));
1032 * tls_timed_read/write() functions and make the TLScontext available to
1036 if (TLScontext->stream != 0)
1037 tls_stream_start(TLScontext->stream, TLScontext);
1042 tls_get_signature_params(TLScontext);
1047 if (TLScontext->log_mask & TLS_LOG_SUMMARY)
1048 tls_log_summary(TLS_ROLE_SERVER, TLS_USAGE_NEW, TLScontext);
1052 return (TLScontext);