int check_privileges(SSL *ssl)
{
SSL_SESSION* session;
const unsigned char *sess_id;
int sess_id_len;
GDBM_FILE database;
datum key, data;
int ret = 0;
session = SSL_get_session(ssl);
sess_id = SSL_SESSION_get_id(session, &sess_id_len);
/* check session id in database */
key.dptr = (char *)sess_id;
key.dsize = strlen(key.dptr);
database = gdbm_open(https_d.sess_db_name, 0, GDBM_READER | GDBM_NOMMAP, S_IRWXU, NULL);
data = gdbm_fetch(database, key);
if (data.dptr != NULL) {
if (!strcmp(data.dptr, "ADMIN")) {
ret = ADMIN_PRIV;
} else if (!strcmp(data.dptr, "GUEST")) {
ret = GUEST_PRIV;
}
}
gdbm_close(database);
printf("session id: %s", sess_id);
return ret;
}
static int openssl_ssl_session_id(lua_State*L)
{
#if OPENSSL_VERSION_NUMBER > 0x10000000L
const
#endif
SSL_SESSION* session = CHECK_OBJECT(1, SSL_SESSION, "openssl.ssl_session");
if (lua_isnoneornil(L, 2))
{
unsigned int len;
const unsigned char* id = SSL_SESSION_get_id(session, &len);
lua_pushlstring(L, (const char*)id, len);
return 1;
}
else
{
#if OPENSSL_VERSION_NUMBER > 0x10000000L
size_t len;
const char* id = luaL_checklstring(L, 2, &len);
int ret = SSL_SESSION_set1_id_context((SSL_SESSION*)session, (const unsigned char*)id, len);
lua_pushboolean(L, ret);
return 1;
#else
return 0;
#endif
}
}
void save_session(SSL *ssl, int privilege)
{
SSL_SESSION* session;
const unsigned char *sess_id;
int sess_id_len;
GDBM_FILE database;
datum key, data;
session = SSL_get_session(ssl);
sess_id = SSL_SESSION_get_id(session, &sess_id_len);
/* write session to dbm */
key.dptr = (char *)sess_id;
key.dsize = strlen(key.dptr);
database = gdbm_open(https_d.sess_db_name, 0, GDBM_WRITER | GDBM_NOMMAP , S_IRWXU, NULL);
switch (privilege) {
case ADMIN_PRIV:
data.dptr = "ADMIN";
data.dsize = strlen(data.dptr);
gdbm_store(database, key, data, GDBM_REPLACE);
break;
case GUEST_PRIV:
data.dptr = "GUEST";
data.dsize = strlen(data.dptr);
gdbm_store(database, key, data, GDBM_REPLACE);
break;
}
gdbm_close(database);
printf("session id: %s", sess_id);
}
/*
* call-seq:
* session.id -> aString
*
* Returns the Session ID.
*/
static VALUE ossl_ssl_session_get_id(VALUE self)
{
SSL_SESSION *ctx;
const unsigned char *p = NULL;
unsigned int i = 0;
GetSSLSession(self, ctx);
p = SSL_SESSION_get_id(ctx, &i);
return rb_str_new((const char *) p, i);
}
NOEXPORT void cache_remove(SSL_CTX *ctx, SSL_SESSION *sess) {
const unsigned char *session_id;
unsigned int session_id_length;
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
session_id=SSL_SESSION_get_id(sess, &session_id_length);
#else
session_id=(const unsigned char *)sess->session_id;
session_id_length=sess->session_id_length;
#endif
cache_transfer(ctx, CACHE_CMD_REMOVE, 0,
session_id, session_id_length, NULL, 0, NULL, NULL);
}
std::string SSLSessionImpl::getSessionID() const {
std::string ret;
if (session_) {
const unsigned char* ptr = nullptr;
unsigned int len = 0;
#if defined(OPENSSL_IS_102) || defined(OPENSSL_IS_101)
len = session_->session_id_length;
ptr = session_->session_id;
#elif defined(OPENSSL_IS_110) || defined(OPENSSL_IS_BORINGSSL)
ptr = SSL_SESSION_get_id(session_, &len);
#endif
ret.assign(ptr, ptr + len);
}
return ret;
}
static int on_async_resumption_new(SSL *ssl, SSL_SESSION *session)
{
h2o_iovec_t data;
const unsigned char *id;
unsigned id_len;
unsigned char *p;
/* build data */
data.len = i2d_SSL_SESSION(session, NULL);
data.base = alloca(data.len);
p = (void *)data.base;
i2d_SSL_SESSION(session, &p);
id = SSL_SESSION_get_id(session, &id_len);
resumption_new(h2o_iovec_init(id, id_len), data);
return 0;
}
NOEXPORT void cache_new(SSL *ssl, SSL_SESSION *sess) {
unsigned char *val, *val_tmp;
ssize_t val_len;
const unsigned char *session_id;
unsigned int session_id_length;
val_len=i2d_SSL_SESSION(sess, NULL);
val_tmp=val=str_alloc((size_t)val_len);
i2d_SSL_SESSION(sess, &val_tmp);
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
session_id=SSL_SESSION_get_id(sess, &session_id_length);
#else
session_id=(const unsigned char *)sess->session_id;
session_id_length=sess->session_id_length;
#endif
cache_transfer(SSL_get_SSL_CTX(ssl), CACHE_CMD_NEW,
SSL_SESSION_get_timeout(sess),
session_id, session_id_length, val, (size_t)val_len, NULL, NULL);
str_free(val);
}
void describeSession(SSL *ssl)
{
SSL_SESSION *session = SSL_get_session(ssl);
CHECK(session != NULL);
{
unsigned int len;
const unsigned char *id = SSL_SESSION_get_id(session, &len);
char *s = hex_to_string(id,len);
fprintf(stderr, "Session ID: %s\n", s);
OPENSSL_free(s);
}
{
#if OPENSSL_VERSION_NUMBER < 0x10100000L
// Don't seem to have this available to read any more
char *s = hex_to_string(session->sid_ctx,
session->sid_ctx_length);
fprintf(stderr, "Session ID CTX: %s\n", s);
OPENSSL_free(s);
#endif
}
{
unsigned char *ticket;
size_t ticklen;
#if !defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER >= 0x10100000L
SSL_SESSION_get0_ticket(session, &ticket, &ticklen);
#else
ticket = session->tlsext_tick;
ticklen = session->tlsext_ticklen;
#endif
if (ticklen > 0) {
char *s = hex_to_string(ticket,ticklen);
fprintf(stderr, "Session Ticket: %s\n", s);
OPENSSL_free(s);
}
}
}
static void on_async_resumption_remove(SSL_CTX *ssl_ctx, SSL_SESSION *session)
{
unsigned idlen;
const unsigned char *id = SSL_SESSION_get_id(session, &idlen);
resumption_remove(h2o_iovec_init(id, idlen));
}
/* callback for new session caching, to be set with SSL_CTX_sess_set_new_cb */
int
ngx_http_lua_ssl_sess_store_handler(ngx_ssl_conn_t *ssl_conn,
ngx_ssl_session_t *sess)
{
lua_State *L;
ngx_int_t rc;
#if OPENSSL_VERSION_NUMBER >= 0x1010005fL
unsigned int len;
#endif
ngx_connection_t *c, *fc = NULL;
ngx_http_request_t *r = NULL;
ngx_http_connection_t *hc;
ngx_http_lua_ssl_ctx_t *cctx;
ngx_http_lua_srv_conf_t *lscf;
ngx_http_core_loc_conf_t *clcf;
c = ngx_ssl_get_connection(ssl_conn);
dd("c = %p", c);
cctx = ngx_http_lua_ssl_get_ctx(c->ssl->connection);
dd("ssl sess_store handler, sess_store-ctx=%p", cctx);
hc = c->data;
fc = ngx_http_lua_create_fake_connection(NULL);
if (fc == NULL) {
goto failed;
}
fc->log->handler = ngx_http_lua_log_ssl_sess_store_error;
fc->log->data = fc;
fc->addr_text = c->addr_text;
fc->listening = c->listening;
r = ngx_http_lua_create_fake_request(fc);
if (r == NULL) {
goto failed;
}
r->main_conf = hc->conf_ctx->main_conf;
r->srv_conf = hc->conf_ctx->srv_conf;
r->loc_conf = hc->conf_ctx->loc_conf;
fc->log->file = c->log->file;
fc->log->log_level = c->log->log_level;
fc->ssl = c->ssl;
clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
#if defined(nginx_version) && nginx_version >= 1003014
# if nginx_version >= 1009000
ngx_set_connection_log(fc, clcf->error_log);
# else
ngx_http_set_connection_log(fc, clcf->error_log);
# endif
#else
fc->log->file = clcf->error_log->file;
if (!(fc->log->log_level & NGX_LOG_DEBUG_CONNECTION)) {
fc->log->log_level = clcf->error_log->log_level;
}
#endif
if (cctx == NULL) {
cctx = ngx_pcalloc(c->pool, sizeof(ngx_http_lua_ssl_ctx_t));
if (cctx == NULL) {
goto failed; /* error */
}
}
cctx->connection = c;
cctx->request = r;
cctx->session = sess;
#if OPENSSL_VERSION_NUMBER < 0x1010005fL
cctx->session_id.data = sess->session_id;
cctx->session_id.len = sess->session_id_length;
#else
cctx->session_id.data = (u_char *)SSL_SESSION_get_id(sess, &len);
cctx->session_id.len = len;
#endif
cctx->done = 0;
dd("setting cctx");
if (SSL_set_ex_data(c->ssl->connection, ngx_http_lua_ssl_ctx_index, cctx)
== 0)
{
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed");
goto failed;
}
lscf = ngx_http_get_module_srv_conf(r, ngx_http_lua_module);
/* TODO honor lua_code_cache off */
L = ngx_http_lua_get_lua_vm(r, NULL);
c->log->action = "storing SSL session by lua";
rc = lscf->srv.ssl_sess_store_handler(r, lscf, L);
if (rc >= NGX_OK || rc == NGX_ERROR) {
cctx->done = 1;
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
"ssl_session_store_by_lua*: handler return value: %i, "
"sess new cb exit code: %d", rc, cctx->exit_code);
c->log->action = "SSL handshaking";
/* Return value is a flag indicating whether the passed-in session
* has been freed by this callback; always return 0 so OpenSSL will
* free the session. Nginx's own session caching logic has the same
* practice. */
return 0;
}
/* impossible to reach here */
ngx_http_lua_assert(0);
failed:
if (r && r->pool) {
ngx_http_lua_free_fake_request(r);
}
if (fc) {
ngx_http_lua_close_fake_connection(fc);
}
return 0;
}
static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec *sslconn,
request_rec *r, char *var)
{
char *result;
X509 *xs;
STACK_OF(X509) *sk;
SSL *ssl;
result = NULL;
ssl = sslconn->ssl;
if (strlen(var) > 8 && strcEQn(var, "VERSION_", 8)) {
result = ssl_var_lookup_ssl_version(p, var+8);
}
else if (ssl != NULL && strcEQ(var, "PROTOCOL")) {
result = (char *)SSL_get_version(ssl);
}
else if (ssl != NULL && strcEQ(var, "SESSION_ID")) {
char buf[MODSSL_SESSION_ID_STRING_LEN];
SSL_SESSION *pSession = SSL_get_session(ssl);
if (pSession) {
IDCONST unsigned char *id;
unsigned int idlen;
#ifdef OPENSSL_NO_SSL_INTERN
id = (unsigned char *)SSL_SESSION_get_id(pSession, &idlen);
#else
id = pSession->session_id;
idlen = pSession->session_id_length;
#endif
result = apr_pstrdup(p, modssl_SSL_SESSION_id2sz(id, idlen,
buf, sizeof(buf)));
}
}
else if(ssl != NULL && strcEQ(var, "SESSION_RESUMED")) {
if (SSL_session_reused(ssl) == 1)
result = "Resumed";
else
result = "Initial";
}
else if (ssl != NULL && strlen(var) >= 6 && strcEQn(var, "CIPHER", 6)) {
result = ssl_var_lookup_ssl_cipher(p, sslconn, var+6);
}
else if (ssl != NULL && strlen(var) > 18 && strcEQn(var, "CLIENT_CERT_CHAIN_", 18)) {
sk = SSL_get_peer_cert_chain(ssl);
result = ssl_var_lookup_ssl_cert_chain(p, sk, var+18);
}
else if (ssl != NULL && strcEQ(var, "CLIENT_CERT_RFC4523_CEA")) {
result = ssl_var_lookup_ssl_cert_rfc4523_cea(p, ssl);
}
else if (ssl != NULL && strcEQ(var, "CLIENT_VERIFY")) {
result = ssl_var_lookup_ssl_cert_verify(p, sslconn);
}
else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "CLIENT_", 7)) {
if ((xs = SSL_get_peer_certificate(ssl)) != NULL) {
result = ssl_var_lookup_ssl_cert(p, r, xs, var+7);
X509_free(xs);
}
}
else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "SERVER_", 7)) {
if ((xs = SSL_get_certificate(ssl)) != NULL) {
result = ssl_var_lookup_ssl_cert(p, r, xs, var+7);
/* SSL_get_certificate is different from SSL_get_peer_certificate.
* No need to X509_free(xs).
*/
}
}
else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
result = ssl_var_lookup_ssl_compress_meth(ssl);
}
#ifdef HAVE_TLSEXT
else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {
result = apr_pstrdup(p, SSL_get_servername(ssl,
TLSEXT_NAMETYPE_host_name));
}
#endif
else if (ssl != NULL && strcEQ(var, "SECURE_RENEG")) {
int flag = 0;
#ifdef SSL_get_secure_renegotiation_support
flag = SSL_get_secure_renegotiation_support(ssl);
#endif
result = apr_pstrdup(p, flag ? "true" : "false");
}
#ifdef HAVE_SRP
else if (ssl != NULL && strcEQ(var, "SRP_USER")) {
if ((result = SSL_get_srp_username(ssl)) != NULL) {
result = apr_pstrdup(p, result);
}
}
else if (ssl != NULL && strcEQ(var, "SRP_USERINFO")) {
if ((result = SSL_get_srp_userinfo(ssl)) != NULL) {
result = apr_pstrdup(p, result);
}
}
#endif
return result;
}
