Use instance UID as TLS session ID

2025-12-22 04:02:04 +03:00 · 2015-11-09 23:12:35 +01:00
parent b3064181ae
commit dfd25b63a3
1 changed files with 21 additions and 2 deletions
--- a/src/civetweb.c
+++ b/src/civetweb.c
@@ -866,6 +866,7 @@ struct ssl_func {
 #define SSL_CTX_check_private_key (*(int (*)(SSL_CTX *))ssl_sw[28].ptr)
 #define SSL_CTX_set_session_id_context                                         \
 	(*(int (*)(SSL_CTX *, const unsigned char *, unsigned int))ssl_sw[29].ptr)
+
 #define CRYPTO_num_locks (*(int (*)(void))crypto_sw[0].ptr)
 #define CRYPTO_set_locking_callback                                            \
 	(*(void (*)(void (*)(int, int, const char *, int)))crypto_sw[1].ptr)
@@ -4662,6 +4663,7 @@ bin2str(char *to, const unsigned char *p, size_t len)
 	*to = '\0';
 }

+
 /* Return stringified MD5 hash for list of strings. Buffer must be 33 bytes. */
 char *
 mg_md5(char buf[33], ...)
@@ -4684,6 +4686,7 @@ mg_md5(char buf[33], ...)
 	return buf;
 }

+
 /* Check the user's password, return 1 if OK */
 static int
 check_password(const char *method,
@@ -4731,6 +4734,7 @@ check_password(const char *method,
 	return mg_strcasecmp(response, expected_response) == 0;
 }

+
 /* Use the global passwords file, if specified by auth_gpass option,
 * or search for .htpasswd in the requested directory. */
 static void
@@ -10157,7 +10161,10 @@ set_ssl_option(struct mg_context *ctx)
 	const char *ca_file;
 	int use_default_verify_paths;
 	int verify_depth;
-	int session_context_id = 1;
+	time_t now_rt = time(NULL);
+	struct timespec now_mt;
+	md5_byte_t ssl_context_id[16];
+	md5_state_t md5state;

 	/* If PEM file is not specified and the init_ssl callback
 	 * is not specified, skip SSL initialization. */
@@ -10211,8 +10218,20 @@ set_ssl_option(struct mg_context *ctx)
 		return 1;
 	}

+	/* Use some UID as session context ID. */
+	md5_init(&md5state);
+	md5_append(&md5state, (const md5_byte_t *)&now_rt, sizeof(now_rt));
+	clock_gettime(CLOCK_MONOTONIC, &now_mt);
+	md5_append(&md5state, (const md5_byte_t *)&now_mt, sizeof(now_mt));
+	md5_append(&md5state,
+	           (const md5_byte_t *)ctx->config[LISTENING_PORTS],
+	           strlen(ctx->config[LISTENING_PORTS]));
+	md5_append(&md5state, (const md5_byte_t *)ctx, sizeof(*ctx));
+	md5_finish(&md5state, ssl_context_id);
+
 	SSL_CTX_set_session_id_context(ctx->ssl_ctx,
-		                           &session_context_id, sizeof(int));
+	                               (const unsigned char *)&ssl_context_id,
+	                               sizeof(ssl_context_id));

 	if (pem != NULL) {
 		if (!ssl_use_pem_file(ctx, pem)) {