static int openssl_ssl_ctx_flush_sessions(lua_State*L)
{
SSL_CTX* ctx = CHECK_OBJECT(1, SSL_CTX, "openssl.ssl_ctx");
long tm = luaL_checkinteger(L, 2);
SSL_CTX_flush_sessions(ctx, tm);
return 0;
}
void SSLContext::flushSessionCache()
{
assert(_usage == SERVER_USE);
Timestamp now;
SSL_CTX_flush_sessions(_sslContext, static_cast<long>(now.epochTime()));
}
void Context::flushSessionCache()
{
poco_assert (isForServerUse());
Poco::Timestamp now;
SSL_CTX_flush_sessions(_pSSLContext, static_cast<long>(now.epochTime()));
}
H2O_NORETURN static void *cache_cleanup_thread(void *_contexts)
{
SSL_CTX **contexts = _contexts;
while (1) {
size_t i;
for (i = 0; contexts[i] != NULL; ++i)
SSL_CTX_flush_sessions(contexts[i], time(NULL));
sleep(conf.lifetime / 4);
}
}
/* clear fds, close old ports */
void unbind_ports(void) {
SERVICE_OPTIONS *opt;
#ifdef HAVE_STRUCT_SOCKADDR_UN
struct stat sb; /* buffer for stat */
#endif
s_poll_init(fds);
s_poll_add(fds, signal_pipe[0], 1, 0);
for(opt=service_options.next; opt; opt=opt->next) {
s_log(LOG_DEBUG, "Closing service [%s]", opt->servname);
if(opt->option.accept && opt->fd!=INVALID_SOCKET) {
if(opt->fd<(SOCKET)listen_fds_start ||
opt->fd>=(SOCKET)(listen_fds_start+systemd_fds))
closesocket(opt->fd);
s_log(LOG_DEBUG, "Service [%s] closed (FD=%d)",
opt->servname, opt->fd);
opt->fd=INVALID_SOCKET;
#ifdef HAVE_STRUCT_SOCKADDR_UN
if(opt->local_addr.sa.sa_family==AF_UNIX) {
if(lstat(opt->local_addr.un.sun_path, &sb))
sockerror(opt->local_addr.un.sun_path);
else if(!S_ISSOCK(sb.st_mode))
s_log(LOG_ERR, "Not a socket: %s",
opt->local_addr.un.sun_path);
else if(unlink(opt->local_addr.un.sun_path))
sockerror(opt->local_addr.un.sun_path);
else
s_log(LOG_DEBUG, "Socket removed: %s",
opt->local_addr.un.sun_path);
}
#endif
} else if(opt->exec_name && opt->connect_addr.names) {
/* create exec+connect services */
/* FIXME: this is just a crude workaround */
/* is it better to kill the service? */
opt->option.retry=0;
}
/* purge session cache of the old SSL_CTX object */
/* this workaround won't be needed anymore after */
/* delayed deallocation calls SSL_CTX_free() */
if(opt->ctx)
SSL_CTX_flush_sessions(opt->ctx,
(long)time(NULL)+opt->session_timeout+1);
s_log(LOG_DEBUG, "Service [%s] closed", opt->servname);
}
}
/*
* call-seq:
* ctx.flush_sessions(time | nil) -> self
*
*/
static VALUE
ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)
{
VALUE arg1;
SSL_CTX *ctx;
time_t tm = 0;
rb_scan_args(argc, argv, "01", &arg1);
Data_Get_Struct(self, SSL_CTX, ctx);
if (NIL_P(arg1)) {
tm = time(0);
} else if (rb_obj_is_instance_of(arg1, rb_cTime)) {
tm = NUM2LONG(rb_funcall(arg1, rb_intern("to_i"), 0));
} else {
rb_raise(rb_eArgError, "arg must be Time or nil");
}
SSL_CTX_flush_sessions(ctx, (long)tm);
return self;
}
/*
* Send an initial eap-tls request to the peer.
*
* Frame eap reply packet.
* len = header + type + tls_typedata
* tls_typedata = flags(Start (S) bit set, and no data)
*
* Once having received the peer's Identity, the EAP server MUST
* respond with an EAP-TLS/Start packet, which is an
* EAP-Request packet with EAP-Type=EAP-TLS, the Start (S) bit
* set, and no data. The EAP-TLS conversation will then begin,
* with the peer sending an EAP-Response packet with
* EAP-Type = EAP-TLS. The data field of that packet will
* be the TLS data.
*
* Fragment length is Framed-MTU - 4.
*
* http://mail.frascone.com/pipermail/public/eap/2003-July/001426.html
*/
static int eaptls_initiate(void *type_arg, EAP_HANDLER *handler)
{
int status;
tls_session_t *ssn;
eap_tls_t *inst;
VALUE_PAIR *vp;
int client_cert = TRUE;
int verify_mode = 0;
REQUEST *request = handler->request;
inst = (eap_tls_t *)type_arg;
handler->tls = TRUE;
handler->finished = FALSE;
/*
* Manually flush the sessions every so often. If HALF
* of the session lifetime has passed since we last
* flushed, then flush it again.
*
* FIXME: Also do it every N sessions?
*/
if (inst->conf->session_cache_enable &&
((inst->conf->session_last_flushed + (inst->conf->session_timeout * 1800)) <= request->timestamp)) {
RDEBUG2("Flushing SSL sessions (of #%ld)",
SSL_CTX_sess_number(inst->ctx));
SSL_CTX_flush_sessions(inst->ctx, request->timestamp);
inst->conf->session_last_flushed = request->timestamp;
}
/*
* If we're TTLS or PEAP, then do NOT require a client
* certificate.
*
* FIXME: This should be more configurable.
*/
if (handler->eap_type != PW_EAP_TLS) {
vp = pairfind(handler->request->config_items,
PW_EAP_TLS_REQUIRE_CLIENT_CERT, 0);
if (!vp) {
client_cert = FALSE;
} else {
client_cert = vp->vp_integer;
}
}
/*
* Every new session is started only from EAP-TLS-START.
* Before Sending EAP-TLS-START, open a new SSL session.
* Create all the required data structures & store them
* in Opaque. So that we can use these data structures
* when we get the response
*/
ssn = eaptls_new_session(inst->ctx, client_cert);
if (!ssn) {
return 0;
}
/*
* Verify the peer certificate, if asked.
*/
if (client_cert) {
RDEBUG2("Requiring client certificate");
verify_mode = SSL_VERIFY_PEER;
verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
verify_mode |= SSL_VERIFY_CLIENT_ONCE;
}
SSL_set_verify(ssn->ssl, verify_mode, cbtls_verify);
/*
* Create a structure for all the items required to be
* verified for each client and set that as opaque data
* structure.
*
* NOTE: If we want to set each item sepearately then
* this index should be global.
*/
SSL_set_ex_data(ssn->ssl, 0, (void *)handler);
SSL_set_ex_data(ssn->ssl, 1, (void *)inst->conf);
#ifdef HAVE_OPENSSL_OCSP_H
SSL_set_ex_data(ssn->ssl, 2, (void *)inst->store);
#endif
ssn->length_flag = inst->conf->include_length;
/*
* We use default fragment size, unless the Framed-MTU
* tells us it's too big. Note that we do NOT account
* for the EAP-TLS headers if conf->fragment_size is
* large, because that config item looks to be confusing.
*
* i.e. it should REALLY be called MTU, and the code here
* should figure out what that means for TLS fragment size.
* asking the administrator to know the internal details
* of EAP-TLS in order to calculate fragment sizes is
* just too much.
*/
ssn->offset = inst->conf->fragment_size;
vp = pairfind(handler->request->packet->vps, PW_FRAMED_MTU, 0);
if (vp && ((vp->vp_integer - 14) < ssn->offset)) {
/*
* Discount the Framed-MTU by:
* 4 : EAPOL header
* 4 : EAP header (code + id + length)
* 1 : EAP type == EAP-TLS
* 1 : EAP-TLS Flags
* 4 : EAP-TLS Message length
* (even if conf->include_length == 0,
* just to be lazy).
* ---
* 14
*/
ssn->offset = vp->vp_integer - 14;
}
handler->opaque = ((void *)ssn);
handler->free_opaque = session_free;
RDEBUG2("Initiate");
/*
* Set up type-specific information.
*/
switch (handler->eap_type) {
case PW_EAP_TLS:
default:
ssn->prf_label = "client EAP encryption";
break;
case PW_EAP_TTLS:
ssn->prf_label = "ttls keying material";
break;
/*
* PEAP-specific breakage.
*/
case PW_EAP_PEAP:
/*
* As it is a poorly designed protocol, PEAP uses
* bits in the TLS header to indicate PEAP
* version numbers. For now, we only support
* PEAP version 0, so it doesn't matter too much.
* However, if we support later versions of PEAP,
* we will need this flag to indicate which
* version we're currently dealing with.
*/
ssn->peap_flag = 0x00;
/*
* PEAP version 0 requires 'include_length = no',
* so rather than hoping the user figures it out,
* we force it here.
*/
ssn->length_flag = 0;
ssn->prf_label = "client EAP encryption";
break;
}
if (inst->conf->session_cache_enable) {
ssn->allow_session_resumption = 1; /* otherwise it's zero */
}
/*
* TLS session initialization is over. Now handle TLS
* related handshaking or application data.
*/
status = eaptls_start(handler->eap_ds, ssn->peap_flag);
RDEBUG2("Start returned %d", status);
if (status == 0)
return 0;
/*
* The next stage to process the packet.
*/
handler->stage = AUTHENTICATE;
return 1;
}
