Minor formatting in tls.c
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Fri, 27 Mar 2015 13:09:31 +0000 (09:09 -0400)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Fri, 27 Mar 2015 13:11:18 +0000 (09:11 -0400)
configure
configure.ac
raddb/mods-available/eap
src/main/tls.c

index 161c9da..be4fe89 100755 (executable)
--- a/configure
+++ b/configure
@@ -8567,6 +8567,7 @@ $as_echo "#define HAVE_OPENSSL_SSL_H 1" >>confdefs.h
       openssl/md5.h \
       openssl/md4.h \
       openssl/sha.h \
+      openssl/ssl.h \
       openssl/ocsp.h \
       openssl/engine.h
 do :
index 8b4dd94..018cb57 100644 (file)
@@ -1088,6 +1088,7 @@ if test "x$WITH_OPENSSL" = xyes; then
       openssl/md5.h \
       openssl/md4.h \
       openssl/sha.h \
+      openssl/ssl.h \
       openssl/ocsp.h \
       openssl/engine.h,
       [ OPENSSL_CPPFLAGS="$smart_include" ],
index db1356f..174dd8a 100644 (file)
@@ -348,26 +348,32 @@ eap {
                #
                cache {
                        #
-                       #  Enable it.  The default is "no".
-                       #  Deleting the entire "cache" subsection
-                       #  also disables caching.
+                       #  Enable it.  The default is "no". Deleting the entire "cache"
+                       #  subsection also disables caching.
                        #
-                       #  You can disallow resumption for a
-                       #  particular user by adding the following
-                       #  attribute to the control item list:
+                       #  You can disallow resumption for a particular user by adding the
+                       #  following attribute to the control item list:
                        #
-                       #               Allow-Session-Resumption = No
+                       #    Allow-Session-Resumption = No
                        #
-                       #  If "enable = no" below, you CANNOT
-                       #  enable resumption for just one user
-                       #  by setting the above attribute to "yes".
+                       #  If "enable = no" below, you CANNOT enable resumption for just one
+                       #  user by setting the above attribute to "yes".
                        #
                        enable = yes
 
                        #
-                       #  Lifetime of the cached entries, in hours.
-                       #  The sessions will be deleted after this
-                       #  time.
+                       #  Internal "name" of the session cache. Used to distinguish which
+                       #  TLS context sessions belong to.
+                       #
+                       #  The server will generate a random value if unset. This will change
+                       #  across server restart so you MUST set the "name" if you want to
+                       #  persist sessions (see below).
+                       #
+#                       name = "EAP module"
+
+                       #
+                       #  Lifetime of the cached entries, in hours. The sessions will be
+                       #  deleted/invalidated after this time.
                        #
                        lifetime = 24 # hours
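Review bot: The new `name` comment says the server "will generate a random value if unset", but the tls.c change in this same commit builds the fallback context id as `"FR eap %p"` from the address of the configuration struct, which is unique within a process but not random. Administrators reading "random" may assume the id carries entropy that it does not have. Suggest rewording to `#  If unset, the server derives the value from the address of this configuration. That changes across server restart, so you MUST set "name" if you want to persist sessions (see below).` The requirement to set `name` when persisting is the part that matters and is already stated correctly.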
 
index 21b6cfc..ba3573e 100644 (file)
@@ -43,13 +43,18 @@ USES_APPLE_DEPRECATED_API   /* OpenSSL API has been deprecated by Apple */
 #include <ctype.h>
 
 #ifdef WITH_TLS
-#ifdef HAVE_OPENSSL_RAND_H
-#include <openssl/rand.h>
-#endif
+#  ifdef HAVE_OPENSSL_RAND_H
+#    include <openssl/rand.h>
+#  endif
 
-#ifdef HAVE_OPENSSL_OCSP_H
-#include <openssl/ocsp.h>
-#endif
+#  ifdef HAVE_OPENSSL_OCSP_H
+#    include <openssl/ocsp.h>
+#  endif
+
+#  ifdef HAVE_OPENSSL_EVP_H
+#    include <openssl/evp.h>
+#  endif
+#  include <openssl/ssl.h>
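Review bot: The `#include <openssl/ssl.h>` added at the end of this hunk is unconditional while the neighbouring OpenSSL includes are wrapped in `HAVE_OPENSSL_*_H` guards, and the `HAVE_OPENSSL_SSL_H` macro that configure defines is never consulted here. The `@@` context of the configure hunk shows that macro was already being emitted before this change, so the configure.ac addition presumably only affects the include-path search; either way, for consistency the include should read `#  ifdef HAVE_OPENSSL_SSL_H` / `#    include <openssl/ssl.h>` / `#  endif`, or a comment should say why ssl.h is mandatory under WITH_TLS when the others are not. The `HAVE_OPENSSL_EVP_H` guard on the new evp.h include does not appear in the configure.ac header list visible in this diff; worth confirming something defines it, otherwise evp.h is silently never included.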
 
 #ifdef ENABLE_OPENSSL_VERSION_CHECK
 typedef struct libssl_defect {
@@ -920,9 +925,11 @@ void tls_session_information(tls_session_t *tls_session)
 
 static CONF_PARSER cache_config[] = {
        { "enable", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, session_cache_enable), "no" },
+
        { "lifetime", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, session_timeout), "24" },
-       { "max_entries", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, session_cache_size), "255" },
        { "name", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, session_id_name), NULL },
+
+       { "max_entries", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, session_cache_size), "255" },
        { "persist_dir", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, session_cache_path), NULL },
        { NULL, -1, 0, NULL, NULL }        /* end the list */
 };
@@ -2176,9 +2183,11 @@ void tls_global_cleanup(void)
 /*
  *     Create SSL context
  *
- *     - Load the trusted CAs
- *     - Load the Private key & the certificate
- *     - Set the Context options & Verify options
+/** Create SSL context
+ *
+ * - Load the trusted CAs
+ * - Load the Private key & the certificate
+ * - Set the Context options & Verify options
  */
 SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client)
 {
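Review bot: The rewritten header leaves the old `/*`, ` *     Create SSL context` and ` *` lines in place as context, so the new `/** Create SSL context` line sits inside an already-open comment. C comments do not nest, so this still compiles, but the title is now duplicated and Doxygen will not recognise a `/**` block that begins mid-comment. The three retained context lines should be removed on the new side so the block starts with `/** Create SSL context`, matching the Doxygen style the commit is introducing.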
@@ -2547,13 +2556,10 @@ post_ca:
                 *      Create a unique context Id per EAP-TLS configuration.
                 */
                if (conf->session_id_name) {
-                       snprintf(conf->session_context_id,
-                                sizeof(conf->session_context_id),
-                                "FR eap %s",
-                                conf->session_id_name);
+                       snprintf(conf->session_context_id, sizeof(conf->session_context_id),
+                                "FR eap %s", conf->session_id_name);
                } else {
-                       snprintf(conf->session_context_id,
-                                sizeof(conf->session_context_id),
+                       snprintf(conf->session_context_id, sizeof(conf->session_context_id),
                                 "FR eap %p", conf);
                }
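Review bot: Both snprintf calls discard their return value, so a `name` longer than `conf->session_context_id` can hold (an array, judging by the `sizeof` use) is truncated silently. Two EAP configurations whose names differ only beyond the truncation point would then share a session-id context, and OpenSSL would allow a session cached under one to be resumed under the other, which is exactly what the per-configuration id is meant to prevent. Capture the length and refuse the configuration, e.g. `int len = snprintf(conf->session_context_id, sizeof(conf->session_context_id), "FR eap %s", conf->session_id_name);` followed by `if (len < 0 || (size_t)len >= sizeof(conf->session_context_id)) { /* log "session cache name too long" */ ... }` and take whatever cleanup path tls_init_ctx uses for earlier failures. tls_init_ctx starts and ends outside this hunk.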