Lines Matching refs:TLScontext
197 static SSL_SESSION *load_clnt_session(TLS_SESS_STATE *TLScontext) in load_clnt_session() argument
206 if (TLScontext->log_mask & TLS_LOG_CACHE) in load_clnt_session()
209 TLScontext->serverid, TLScontext->cache_type); in load_clnt_session()
216 if (TLScontext->cache_type == 0) in load_clnt_session()
224 if (tls_mgr_lookup(TLScontext->cache_type, TLScontext->serverid, in load_clnt_session()
228 if (TLScontext->log_mask & TLS_LOG_CACHE) in load_clnt_session()
231 TLScontext->serverid, TLScontext->cache_type); in load_clnt_session()
248 TLS_SESS_STATE *TLScontext; in new_client_session_cb() local
256 if ((TLScontext = SSL_get_ex_data(ssl, TLScontext_index)) == 0) in new_client_session_cb()
264 if (TLScontext->cache_type == 0) in new_client_session_cb()
268 if (TLScontext->log_mask & TLS_LOG_CACHE) in new_client_session_cb()
271 TLScontext->serverid, TLScontext->cache_type); in new_client_session_cb()
278 tls_mgr_update(TLScontext->cache_type, TLScontext->serverid, in new_client_session_cb()
293 static void uncache_session(SSL_CTX *ctx, TLS_SESS_STATE *TLScontext) in uncache_session() argument
295 SSL_SESSION *session = SSL_get_session(TLScontext->con); in uncache_session()
298 if (TLScontext->cache_type == 0 || TLScontext->serverid == 0) in uncache_session()
301 if (TLScontext->log_mask & TLS_LOG_CACHE) in uncache_session()
303 msg_info("remove session %s from client cache", TLScontext->serverid); in uncache_session()
305 tls_mgr_delete(TLScontext->cache_type, TLScontext->serverid); in uncache_session()
310 static void verify_extract_name(TLS_SESS_STATE *TLScontext, X509 *peercert, in verify_extract_name() argument
315 verbose = TLScontext->log_mask & in verify_extract_name()
321 TLScontext->issuer_CN = tls_issuer_CN(peercert, TLScontext); in verify_extract_name()
322 TLScontext->peer_CN = tls_peer_CN(peercert, TLScontext); in verify_extract_name()
328 if (SSL_get_verify_result(TLScontext->con) == X509_V_OK) { in verify_extract_name()
329 TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED; in verify_extract_name()
330 if (TLScontext->must_fail) { in verify_extract_name()
332 TLScontext->namaddr); in verify_extract_name()
333 } else if (TLS_MUST_MATCH(TLScontext->level)) { in verify_extract_name()
346 if (!TLS_NEVER_SECURED(TLScontext->level)) in verify_extract_name()
347 TLScontext->peer_status |= TLS_CERT_FLAG_SECURED; in verify_extract_name()
348 TLScontext->peer_status |= TLS_CERT_FLAG_MATCHED; in verify_extract_name()
351 const char *peername = SSL_get0_peername(TLScontext->con); in verify_extract_name()
355 TLScontext->namaddr, peername); in verify_extract_name()
356 tls_dane_log(TLScontext); in verify_extract_name()
367 if (!TLS_CERT_IS_MATCHED(TLScontext) in verify_extract_name()
368 && (TLScontext->log_mask & TLS_LOG_UNTRUSTED)) { in verify_extract_name()
369 if (TLScontext->session_reused == 0) in verify_extract_name()
370 tls_log_verify_error(TLScontext); in verify_extract_name()
379 static void add_namechecks(TLS_SESS_STATE *TLScontext, in add_namechecks() argument
382 SSL *ssl = TLScontext->con; in add_namechecks()
405 TLScontext->namaddr); in add_namechecks()
465 TLScontext->namaddr, name); in add_namechecks()
473 TLScontext->namaddr, dot_name); in add_namechecks()
484 TLScontext->namaddr); in add_namechecks()
485 TLScontext->must_fail = 1; in add_namechecks()
491 static int tls_auth_enable(TLS_SESS_STATE *TLScontext, in tls_auth_enable() argument
525 switch (TLScontext->level) { in tls_auth_enable()
541 if (SSL_dane_enable(TLScontext->con, 0) <= 0) { in tls_auth_enable()
543 TLScontext->namaddr); in tls_auth_enable()
548 SSL_dane_set_flags(TLScontext->con, DANE_FLAG_NO_DANE_EE_NAMECHECKS); in tls_auth_enable()
552 add_namechecks(TLScontext, props); in tls_auth_enable()
557 if (SSL_dane_enable(TLScontext->con, 0) <= 0) { in tls_auth_enable()
563 SSL_dane_set_flags(TLScontext->con, DANE_FLAG_NO_DANE_EE_NAMECHECKS); in tls_auth_enable()
568 if (TLScontext->dane != 0 && TLScontext->dane->tlsa != 0) { in tls_auth_enable()
570 if (SSL_dane_enable(TLScontext->con, NULL) <= 0) { in tls_auth_enable()
577 add_namechecks(TLScontext, props); in tls_auth_enable()
595 if (!SSL_set_tlsext_host_name(TLScontext->con, sni)) { in tls_auth_enable()
608 TLScontext->peer_sni = mystrdup(sni); in tls_auth_enable()
609 if (TLScontext->log_mask & TLS_LOG_DEBUG) in tls_auth_enable()
891 TLS_SESS_STATE *TLScontext; in tls_client_start() local
940 TLScontext = tls_alloc_sess_context(log_mask, props->namaddr); in tls_client_start()
941 TLScontext->cache_type = app_ctx->cache_type; in tls_client_start()
942 TLScontext->level = props->tls_level; in tls_client_start()
944 if ((TLScontext->con = SSL_new(app_ctx->ssl_ctx)) == NULL) { in tls_client_start()
947 tls_free_context(TLScontext); in tls_client_start()
958 cipher_list = tls_set_ciphers(TLScontext, props->cipher_grade, in tls_client_start()
962 tls_free_context(TLScontext); in tls_client_start()
968 TLScontext->stream = props->stream; in tls_client_start()
969 TLScontext->mdalg = props->mdalg; in tls_client_start()
972 TLScontext->dane = props->dane; in tls_client_start()
974 if (!SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext)) { in tls_client_start()
977 tls_free_context(TLScontext); in tls_client_start()
983 TLScontext->namaddr, #which, which##_proto); \ in tls_client_start()
986 TLScontext->namaddr, #which); \ in tls_client_start()
993 SSL_set_options(TLScontext->con, TLS_SSL_OP_PROTOMASK(protomask)); in tls_client_start()
994 if (!SSL_set_min_proto_version(TLScontext->con, min_proto)) in tls_client_start()
996 if (!SSL_set_max_proto_version(TLScontext->con, max_proto)) in tls_client_start()
1007 if (!tls_auth_enable(TLScontext, props)) { in tls_client_start()
1008 tls_free_context(TLScontext); in tls_client_start()
1018 if (TLScontext->dane && TLScontext->dane->tlsa) { in tls_client_start()
1019 int usable = tls_dane_enable(TLScontext); in tls_client_start()
1023 switch (TLScontext->level) { in tls_client_start()
1027 "unauthenticated TLS", TLScontext->namaddr); in tls_client_start()
1029 TLScontext->level = TLS_LEV_ENCRYPT; in tls_client_start()
1033 msg_warn("%s: all fingerprints unusable", TLScontext->namaddr); in tls_client_start()
1036 msg_warn("%s: all TLSA records unusable", TLScontext->namaddr); in tls_client_start()
1040 msg_warn("%s: all trust anchors unusable", TLScontext->namaddr); in tls_client_start()
1044 TLScontext->must_fail |= must_fail; in tls_client_start()
1073 TLScontext->serverid = in tls_client_start()
1074 tls_serverid_digest(TLScontext, props, cipher_list); in tls_client_start()
1087 if (TLS_MUST_MATCH(TLScontext->level)) in tls_client_start()
1088 SSL_set_security_level(TLScontext->con, 1); in tls_client_start()
1095 if (TLScontext->cache_type) { in tls_client_start()
1096 session = load_clnt_session(TLScontext); in tls_client_start()
1098 SSL_set_session(TLScontext->con, session); in tls_client_start()
1113 if (SSL_set_fd(TLScontext->con, props->stream == 0 ? props->fd : in tls_client_start()
1117 uncache_session(app_ctx->ssl_ctx, TLScontext); in tls_client_start()
1118 tls_free_context(TLScontext); in tls_client_start()
1132 tls_set_bio_callback(SSL_get_rbio(TLScontext->con), tls_bio_dump_cb); in tls_client_start()
1139 return (TLScontext); in tls_client_start()
1155 TLScontext); in tls_client_start()
1166 uncache_session(app_ctx->ssl_ctx, TLScontext); in tls_client_start()
1167 tls_free_context(TLScontext); in tls_client_start()
1170 return (tls_client_post_connect(TLScontext, props)); in tls_client_start()
1175 TLS_SESS_STATE *tls_client_post_connect(TLS_SESS_STATE *TLScontext, in tls_client_post_connect() argument
1182 if ((TLScontext->log_mask & TLS_LOG_ALLPKTS) == 0) in tls_client_post_connect()
1183 tls_set_bio_callback(SSL_get_rbio(TLScontext->con), 0); in tls_client_post_connect()
1189 TLScontext->session_reused = SSL_session_reused(TLScontext->con); in tls_client_post_connect()
1190 if ((TLScontext->log_mask & TLS_LOG_CACHE) && TLScontext->session_reused) in tls_client_post_connect()
1191 msg_info("%s: Reusing old session", TLScontext->namaddr); in tls_client_post_connect()
1197 if ((peercert = TLS_PEEK_PEER_CERT(TLScontext->con)) != 0) { in tls_client_post_connect()
1198 TLScontext->peer_status |= TLS_CERT_FLAG_PRESENT; in tls_client_post_connect()
1206 TLScontext->peer_cert_fprint = tls_cert_fprint(peercert, props->mdalg); in tls_client_post_connect()
1207 TLScontext->peer_pkey_fprint = tls_pkey_fprint(peercert, props->mdalg); in tls_client_post_connect()
1208 verify_extract_name(TLScontext, peercert, props); in tls_client_post_connect()
1210 if (TLScontext->log_mask & in tls_client_post_connect()
1214 TLScontext->peer_CN, TLScontext->issuer_CN, in tls_client_post_connect()
1215 TLScontext->peer_cert_fprint, in tls_client_post_connect()
1216 TLScontext->peer_pkey_fprint); in tls_client_post_connect()
1218 TLScontext->issuer_CN = mystrdup(""); in tls_client_post_connect()
1219 TLScontext->peer_CN = mystrdup(""); in tls_client_post_connect()
1220 TLScontext->peer_cert_fprint = mystrdup(""); in tls_client_post_connect()
1221 TLScontext->peer_pkey_fprint = mystrdup(""); in tls_client_post_connect()
1227 TLScontext->protocol = SSL_get_version(TLScontext->con); in tls_client_post_connect()
1228 cipher = SSL_get_current_cipher(TLScontext->con); in tls_client_post_connect()
1229 TLScontext->cipher_name = SSL_CIPHER_get_name(cipher); in tls_client_post_connect()
1230 TLScontext->cipher_usebits = SSL_CIPHER_get_bits(cipher, in tls_client_post_connect()
1231 &(TLScontext->cipher_algbits)); in tls_client_post_connect()
1237 if (TLScontext->stream != 0) in tls_client_post_connect()
1238 tls_stream_start(props->stream, TLScontext); in tls_client_post_connect()
1243 tls_get_signature_params(TLScontext); in tls_client_post_connect()
1245 if (TLScontext->log_mask & TLS_LOG_SUMMARY) in tls_client_post_connect()
1246 tls_log_summary(TLS_ROLE_CLIENT, TLS_USAGE_NEW, TLScontext); in tls_client_post_connect()
1250 return (TLScontext); in tls_client_post_connect()