int check_privileges(SSL *ssl) { SSL_SESSION* session; const unsigned char *sess_id; int sess_id_len; GDBM_FILE database; datum key, data; int ret = 0; session = SSL_get_session(ssl); sess_id = SSL_SESSION_get_id(session, &sess_id_len); /* check session id in database */ key.dptr = (char *)sess_id; key.dsize = strlen(key.dptr); database = gdbm_open(https_d.sess_db_name, 0, GDBM_READER | GDBM_NOMMAP, S_IRWXU, NULL); data = gdbm_fetch(database, key); if (data.dptr != NULL) { if (!strcmp(data.dptr, "ADMIN")) { ret = ADMIN_PRIV; } else if (!strcmp(data.dptr, "GUEST")) { ret = GUEST_PRIV; } } gdbm_close(database); printf("session id: %s", sess_id); return ret; }
static int openssl_ssl_session_id(lua_State*L) { #if OPENSSL_VERSION_NUMBER > 0x10000000L const #endif SSL_SESSION* session = CHECK_OBJECT(1, SSL_SESSION, "openssl.ssl_session"); if (lua_isnoneornil(L, 2)) { unsigned int len; const unsigned char* id = SSL_SESSION_get_id(session, &len); lua_pushlstring(L, (const char*)id, len); return 1; } else { #if OPENSSL_VERSION_NUMBER > 0x10000000L size_t len; const char* id = luaL_checklstring(L, 2, &len); int ret = SSL_SESSION_set1_id_context((SSL_SESSION*)session, (const unsigned char*)id, len); lua_pushboolean(L, ret); return 1; #else return 0; #endif } }
void save_session(SSL *ssl, int privilege) { SSL_SESSION* session; const unsigned char *sess_id; int sess_id_len; GDBM_FILE database; datum key, data; session = SSL_get_session(ssl); sess_id = SSL_SESSION_get_id(session, &sess_id_len); /* write session to dbm */ key.dptr = (char *)sess_id; key.dsize = strlen(key.dptr); database = gdbm_open(https_d.sess_db_name, 0, GDBM_WRITER | GDBM_NOMMAP , S_IRWXU, NULL); switch (privilege) { case ADMIN_PRIV: data.dptr = "ADMIN"; data.dsize = strlen(data.dptr); gdbm_store(database, key, data, GDBM_REPLACE); break; case GUEST_PRIV: data.dptr = "GUEST"; data.dsize = strlen(data.dptr); gdbm_store(database, key, data, GDBM_REPLACE); break; } gdbm_close(database); printf("session id: %s", sess_id); }
/* * call-seq: * session.id -> aString * * Returns the Session ID. */ static VALUE ossl_ssl_session_get_id(VALUE self) { SSL_SESSION *ctx; const unsigned char *p = NULL; unsigned int i = 0; GetSSLSession(self, ctx); p = SSL_SESSION_get_id(ctx, &i); return rb_str_new((const char *) p, i); }
NOEXPORT void cache_remove(SSL_CTX *ctx, SSL_SESSION *sess) { const unsigned char *session_id; unsigned int session_id_length; #if OPENSSL_VERSION_NUMBER>=0x0090800fL session_id=SSL_SESSION_get_id(sess, &session_id_length); #else session_id=(const unsigned char *)sess->session_id; session_id_length=sess->session_id_length; #endif cache_transfer(ctx, CACHE_CMD_REMOVE, 0, session_id, session_id_length, NULL, 0, NULL, NULL); }
std::string SSLSessionImpl::getSessionID() const { std::string ret; if (session_) { const unsigned char* ptr = nullptr; unsigned int len = 0; #if defined(OPENSSL_IS_102) || defined(OPENSSL_IS_101) len = session_->session_id_length; ptr = session_->session_id; #elif defined(OPENSSL_IS_110) || defined(OPENSSL_IS_BORINGSSL) ptr = SSL_SESSION_get_id(session_, &len); #endif ret.assign(ptr, ptr + len); } return ret; }
static int on_async_resumption_new(SSL *ssl, SSL_SESSION *session) { h2o_iovec_t data; const unsigned char *id; unsigned id_len; unsigned char *p; /* build data */ data.len = i2d_SSL_SESSION(session, NULL); data.base = alloca(data.len); p = (void *)data.base; i2d_SSL_SESSION(session, &p); id = SSL_SESSION_get_id(session, &id_len); resumption_new(h2o_iovec_init(id, id_len), data); return 0; }
NOEXPORT void cache_new(SSL *ssl, SSL_SESSION *sess) { unsigned char *val, *val_tmp; ssize_t val_len; const unsigned char *session_id; unsigned int session_id_length; val_len=i2d_SSL_SESSION(sess, NULL); val_tmp=val=str_alloc((size_t)val_len); i2d_SSL_SESSION(sess, &val_tmp); #if OPENSSL_VERSION_NUMBER>=0x0090800fL session_id=SSL_SESSION_get_id(sess, &session_id_length); #else session_id=(const unsigned char *)sess->session_id; session_id_length=sess->session_id_length; #endif cache_transfer(SSL_get_SSL_CTX(ssl), CACHE_CMD_NEW, SSL_SESSION_get_timeout(sess), session_id, session_id_length, val, (size_t)val_len, NULL, NULL); str_free(val); }
void describeSession(SSL *ssl) { SSL_SESSION *session = SSL_get_session(ssl); CHECK(session != NULL); { unsigned int len; const unsigned char *id = SSL_SESSION_get_id(session, &len); char *s = hex_to_string(id,len); fprintf(stderr, "Session ID: %s\n", s); OPENSSL_free(s); } { #if OPENSSL_VERSION_NUMBER < 0x10100000L // Don't seem to have this available to read any more char *s = hex_to_string(session->sid_ctx, session->sid_ctx_length); fprintf(stderr, "Session ID CTX: %s\n", s); OPENSSL_free(s); #endif } { unsigned char *ticket; size_t ticklen; #if !defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER >= 0x10100000L SSL_SESSION_get0_ticket(session, &ticket, &ticklen); #else ticket = session->tlsext_tick; ticklen = session->tlsext_ticklen; #endif if (ticklen > 0) { char *s = hex_to_string(ticket,ticklen); fprintf(stderr, "Session Ticket: %s\n", s); OPENSSL_free(s); } } }
static void on_async_resumption_remove(SSL_CTX *ssl_ctx, SSL_SESSION *session) { unsigned idlen; const unsigned char *id = SSL_SESSION_get_id(session, &idlen); resumption_remove(h2o_iovec_init(id, idlen)); }
/* callback for new session caching, to be set with SSL_CTX_sess_set_new_cb */ int ngx_http_lua_ssl_sess_store_handler(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) { lua_State *L; ngx_int_t rc; #if OPENSSL_VERSION_NUMBER >= 0x1010005fL unsigned int len; #endif ngx_connection_t *c, *fc = NULL; ngx_http_request_t *r = NULL; ngx_http_connection_t *hc; ngx_http_lua_ssl_ctx_t *cctx; ngx_http_lua_srv_conf_t *lscf; ngx_http_core_loc_conf_t *clcf; c = ngx_ssl_get_connection(ssl_conn); dd("c = %p", c); cctx = ngx_http_lua_ssl_get_ctx(c->ssl->connection); dd("ssl sess_store handler, sess_store-ctx=%p", cctx); hc = c->data; fc = ngx_http_lua_create_fake_connection(NULL); if (fc == NULL) { goto failed; } fc->log->handler = ngx_http_lua_log_ssl_sess_store_error; fc->log->data = fc; fc->addr_text = c->addr_text; fc->listening = c->listening; r = ngx_http_lua_create_fake_request(fc); if (r == NULL) { goto failed; } r->main_conf = hc->conf_ctx->main_conf; r->srv_conf = hc->conf_ctx->srv_conf; r->loc_conf = hc->conf_ctx->loc_conf; fc->log->file = c->log->file; fc->log->log_level = c->log->log_level; fc->ssl = c->ssl; clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); #if defined(nginx_version) && nginx_version >= 1003014 # if nginx_version >= 1009000 ngx_set_connection_log(fc, clcf->error_log); # else ngx_http_set_connection_log(fc, clcf->error_log); # endif #else fc->log->file = clcf->error_log->file; if (!(fc->log->log_level & NGX_LOG_DEBUG_CONNECTION)) { fc->log->log_level = clcf->error_log->log_level; } #endif if (cctx == NULL) { cctx = ngx_pcalloc(c->pool, sizeof(ngx_http_lua_ssl_ctx_t)); if (cctx == NULL) { goto failed; /* error */ } } cctx->connection = c; cctx->request = r; cctx->session = sess; #if OPENSSL_VERSION_NUMBER < 0x1010005fL cctx->session_id.data = sess->session_id; cctx->session_id.len = sess->session_id_length; #else cctx->session_id.data = (u_char *)SSL_SESSION_get_id(sess, &len); cctx->session_id.len = len; #endif cctx->done = 0; dd("setting cctx"); if (SSL_set_ex_data(c->ssl->connection, ngx_http_lua_ssl_ctx_index, cctx) == 0) { ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed"); goto failed; } lscf = ngx_http_get_module_srv_conf(r, ngx_http_lua_module); /* TODO honor lua_code_cache off */ L = ngx_http_lua_get_lua_vm(r, NULL); c->log->action = "storing SSL session by lua"; rc = lscf->srv.ssl_sess_store_handler(r, lscf, L); if (rc >= NGX_OK || rc == NGX_ERROR) { cctx->done = 1; ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, "ssl_session_store_by_lua*: handler return value: %i, " "sess new cb exit code: %d", rc, cctx->exit_code); c->log->action = "SSL handshaking"; /* Return value is a flag indicating whether the passed-in session * has been freed by this callback; always return 0 so OpenSSL will * free the session. Nginx's own session caching logic has the same * practice. */ return 0; } /* impossible to reach here */ ngx_http_lua_assert(0); failed: if (r && r->pool) { ngx_http_lua_free_fake_request(r); } if (fc) { ngx_http_lua_close_fake_connection(fc); } return 0; }
static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec *sslconn, request_rec *r, char *var) { char *result; X509 *xs; STACK_OF(X509) *sk; SSL *ssl; result = NULL; ssl = sslconn->ssl; if (strlen(var) > 8 && strcEQn(var, "VERSION_", 8)) { result = ssl_var_lookup_ssl_version(p, var+8); } else if (ssl != NULL && strcEQ(var, "PROTOCOL")) { result = (char *)SSL_get_version(ssl); } else if (ssl != NULL && strcEQ(var, "SESSION_ID")) { char buf[MODSSL_SESSION_ID_STRING_LEN]; SSL_SESSION *pSession = SSL_get_session(ssl); if (pSession) { IDCONST unsigned char *id; unsigned int idlen; #ifdef OPENSSL_NO_SSL_INTERN id = (unsigned char *)SSL_SESSION_get_id(pSession, &idlen); #else id = pSession->session_id; idlen = pSession->session_id_length; #endif result = apr_pstrdup(p, modssl_SSL_SESSION_id2sz(id, idlen, buf, sizeof(buf))); } } else if(ssl != NULL && strcEQ(var, "SESSION_RESUMED")) { if (SSL_session_reused(ssl) == 1) result = "Resumed"; else result = "Initial"; } else if (ssl != NULL && strlen(var) >= 6 && strcEQn(var, "CIPHER", 6)) { result = ssl_var_lookup_ssl_cipher(p, sslconn, var+6); } else if (ssl != NULL && strlen(var) > 18 && strcEQn(var, "CLIENT_CERT_CHAIN_", 18)) { sk = SSL_get_peer_cert_chain(ssl); result = ssl_var_lookup_ssl_cert_chain(p, sk, var+18); } else if (ssl != NULL && strcEQ(var, "CLIENT_CERT_RFC4523_CEA")) { result = ssl_var_lookup_ssl_cert_rfc4523_cea(p, ssl); } else if (ssl != NULL && strcEQ(var, "CLIENT_VERIFY")) { result = ssl_var_lookup_ssl_cert_verify(p, sslconn); } else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "CLIENT_", 7)) { if ((xs = SSL_get_peer_certificate(ssl)) != NULL) { result = ssl_var_lookup_ssl_cert(p, r, xs, var+7); X509_free(xs); } } else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "SERVER_", 7)) { if ((xs = SSL_get_certificate(ssl)) != NULL) { result = ssl_var_lookup_ssl_cert(p, r, xs, var+7); /* SSL_get_certificate is different from SSL_get_peer_certificate. * No need to X509_free(xs). */ } } else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { result = ssl_var_lookup_ssl_compress_meth(ssl); } #ifdef HAVE_TLSEXT else if (ssl != NULL && strcEQ(var, "TLS_SNI")) { result = apr_pstrdup(p, SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)); } #endif else if (ssl != NULL && strcEQ(var, "SECURE_RENEG")) { int flag = 0; #ifdef SSL_get_secure_renegotiation_support flag = SSL_get_secure_renegotiation_support(ssl); #endif result = apr_pstrdup(p, flag ? "true" : "false"); } #ifdef HAVE_SRP else if (ssl != NULL && strcEQ(var, "SRP_USER")) { if ((result = SSL_get_srp_username(ssl)) != NULL) { result = apr_pstrdup(p, result); } } else if (ssl != NULL && strcEQ(var, "SRP_USERINFO")) { if ((result = SSL_get_srp_userinfo(ssl)) != NULL) { result = apr_pstrdup(p, result); } } #endif return result; }