Commit | Line | Data |
---|---|---|
d02b48c6 | 1 | /* ssl/ssl_sess.c */ |
58964a49 | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
d02b48c6 RE |
3 | * All rights reserved. |
4 | * | |
5 | * This package is an SSL implementation written | |
6 | * by Eric Young (eay@cryptsoft.com). | |
7 | * The implementation was written so as to conform with Netscapes SSL. | |
8 | * | |
9 | * This library is free for commercial and non-commercial use as long as | |
10 | * the following conditions are aheared to. The following conditions | |
11 | * apply to all code found in this distribution, be it the RC4, RSA, | |
12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
13 | * included with this distribution is covered by the same copyright terms | |
14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
15 | * | |
16 | * Copyright remains Eric Young's, and as such any Copyright notices in | |
17 | * the code are not to be removed. | |
18 | * If this package is used in a product, Eric Young should be given attribution | |
19 | * as the author of the parts of the library used. | |
20 | * This can be in the form of a textual message at program startup or | |
21 | * in documentation (online or textual) provided with the package. | |
22 | * | |
23 | * Redistribution and use in source and binary forms, with or without | |
24 | * modification, are permitted provided that the following conditions | |
25 | * are met: | |
26 | * 1. Redistributions of source code must retain the copyright | |
27 | * notice, this list of conditions and the following disclaimer. | |
28 | * 2. Redistributions in binary form must reproduce the above copyright | |
29 | * notice, this list of conditions and the following disclaimer in the | |
30 | * documentation and/or other materials provided with the distribution. | |
31 | * 3. All advertising materials mentioning features or use of this software | |
32 | * must display the following acknowledgement: | |
33 | * "This product includes cryptographic software written by | |
34 | * Eric Young (eay@cryptsoft.com)" | |
35 | * The word 'cryptographic' can be left out if the rouines from the library | |
36 | * being used are not cryptographic related :-). | |
37 | * 4. If you include any Windows specific code (or a derivative thereof) from | |
38 | * the apps directory (application code) you must include an acknowledgement: | |
39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
40 | * | |
41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
51 | * SUCH DAMAGE. | |
52 | * | |
53 | * The licence and distribution terms for any publically available version or | |
54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |
55 | * copied and put under another distribution licence | |
56 | * [including the GNU Public Licence.] | |
57 | */ | |
f1fd4544 BM |
58 | /* ==================================================================== |
59 | * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. | |
60 | * | |
61 | * Redistribution and use in source and binary forms, with or without | |
62 | * modification, are permitted provided that the following conditions | |
63 | * are met: | |
64 | * | |
65 | * 1. Redistributions of source code must retain the above copyright | |
66 | * notice, this list of conditions and the following disclaimer. | |
67 | * | |
68 | * 2. Redistributions in binary form must reproduce the above copyright | |
69 | * notice, this list of conditions and the following disclaimer in | |
70 | * the documentation and/or other materials provided with the | |
71 | * distribution. | |
72 | * | |
73 | * 3. All advertising materials mentioning features or use of this | |
74 | * software must display the following acknowledgment: | |
75 | * "This product includes software developed by the OpenSSL Project | |
76 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
77 | * | |
78 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
79 | * endorse or promote products derived from this software without | |
80 | * prior written permission. For written permission, please contact | |
81 | * openssl-core@openssl.org. | |
82 | * | |
83 | * 5. Products derived from this software may not be called "OpenSSL" | |
84 | * nor may "OpenSSL" appear in their names without prior written | |
85 | * permission of the OpenSSL Project. | |
86 | * | |
87 | * 6. Redistributions of any form whatsoever must retain the following | |
88 | * acknowledgment: | |
89 | * "This product includes software developed by the OpenSSL Project | |
90 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
91 | * | |
92 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
93 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
94 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
95 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
96 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
97 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
98 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
99 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
100 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
101 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
102 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
103 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
104 | * ==================================================================== | |
105 | * | |
106 | * This product includes cryptographic software written by Eric Young | |
107 | * (eay@cryptsoft.com). This product includes software written by Tim | |
108 | * Hudson (tjh@cryptsoft.com). | |
109 | * | |
110 | */ | |
ddac1974 NL |
111 | /* ==================================================================== |
112 | * Copyright 2005 Nokia. All rights reserved. | |
113 | * | |
114 | * The portions of the attached software ("Contribution") is developed by | |
115 | * Nokia Corporation and is licensed pursuant to the OpenSSL open source | |
116 | * license. | |
117 | * | |
118 | * The Contribution, originally written by Mika Kousa and Pasi Eronen of | |
119 | * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites | |
120 | * support (see RFC 4279) to OpenSSL. | |
121 | * | |
122 | * No patent licenses or other rights except those expressly stated in | |
123 | * the OpenSSL open source license shall be deemed granted or received | |
124 | * expressly, by implication, estoppel, or otherwise. | |
125 | * | |
126 | * No assurances are provided by Nokia that the Contribution does not | |
127 | * infringe the patent or other intellectual property rights of any third | |
128 | * party or that the license provides you with all the necessary rights | |
129 | * to make use of the Contribution. | |
130 | * | |
131 | * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN | |
132 | * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA | |
133 | * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY | |
134 | * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR | |
135 | * OTHERWISE. | |
136 | */ | |
d02b48c6 RE |
137 | |
138 | #include <stdio.h> | |
ec577822 BM |
139 | #include <openssl/lhash.h> |
140 | #include <openssl/rand.h> | |
368888bc DSH |
141 | #ifndef OPENSSL_NO_ENGINE |
142 | #include <openssl/engine.h> | |
143 | #endif | |
d02b48c6 RE |
144 | #include "ssl_locl.h" |
145 | ||
/* Prototypes for the file-local (static) helpers used by the session-cache
 * functions below. */
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
58964a49 | 149 | |
/* aka SSL_get0_session: hands back the connection's current session pointer
 * as-is.  No reference is taken on the caller's behalf, so the pointer is only
 * as long-lived as whatever reference the SSL object itself holds. */
SSL_SESSION *SSL_get_session(const SSL *ssl)
{
    SSL_SESSION *current = ssl->session;

    return current;
}
52732b38 BM |
155 | |
/* Variant of SSL_get_session in which the caller really gets something: the
 * session's reference count is bumped before the pointer is returned.
 * Returns NULL (and changes nothing) when the SSL has no session. */
SSL_SESSION *SSL_get1_session(SSL *ssl)
{
    SSL_SESSION *held;

    /* The whole read-check-increment sequence is done under the session
     * lock rather than with a bare CRYPTO_add, so that nobody can free
     * ssl->session between the NULL check and the increment. */
    CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
    held = ssl->session;
    if (held != NULL) {
        held->references += 1;
    }
    CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);

    return held;
}
170 | ||
/* Reserves a new ex_data index for SSL_SESSION objects by forwarding every
 * argument to CRYPTO_get_ex_new_index() under CRYPTO_EX_INDEX_SSL_SESSION.
 * Returns whatever that call returns. */
int SSL_SESSION_get_ex_new_index(long argl, void *argp,
                                 CRYPTO_EX_new *new_func,
                                 CRYPTO_EX_dup *dup_func,
                                 CRYPTO_EX_free *free_func)
{
    int idx;

    idx = CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, argl, argp,
                                  new_func, dup_func, free_func);
    return idx;
}
58964a49 | 177 | |
/* Stores application data `arg` in slot `idx` of the session's ex_data.
 * Returns the result of CRYPTO_set_ex_data(). */
int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
{
    int rc = CRYPTO_set_ex_data(&s->ex_data, idx, arg);

    return (rc);
}
182 | ||
/* Fetches the application data held in slot `idx` of the session's ex_data.
 * Returns the result of CRYPTO_get_ex_data(). */
void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
{
    void *value = CRYPTO_get_ex_data(&s->ex_data, idx);

    return (value);
}
187 | ||
/* Allocates a zero-filled SSL_SESSION that holds a single reference, with the
 * default timeout and the creation time filled in.
 * Returns the new session, or NULL after recording ERR_R_MALLOC_FAILURE when
 * the allocation fails. */
SSL_SESSION *SSL_SESSION_new(void)
{
    SSL_SESSION *sess = (SSL_SESSION *)OPENSSL_malloc(sizeof(SSL_SESSION));

    if (sess == NULL) {
        SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE);
        return (0);
    }
    memset(sess, 0, sizeof(SSL_SESSION));

    /* Start from a value other than 0 (= X509_V_OK), just in case: a
     * session must not look verified until something sets it so. */
    sess->verify_result = 1;
    sess->references = 1;
    sess->timeout = 60 * 5 + 4; /* default: roughly five minutes */
    sess->time = (unsigned long)time(NULL);
    sess->prev = NULL;
    sess->next = NULL;
    sess->compress_meth = 0;
#ifndef OPENSSL_NO_TLSEXT
    sess->tlsext_hostname = NULL;
#ifndef OPENSSL_NO_EC
    sess->tlsext_ecpointformatlist_length = 0;
    sess->tlsext_ecpointformatlist = NULL;
    sess->tlsext_ellipticcurvelist_length = 0;
    sess->tlsext_ellipticcurvelist = NULL;
#endif
#endif
    /* NOTE(review): the return value of CRYPTO_new_ex_data() is not
     * checked here -- confirm whether a failure needs handling. */
    CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, sess, &sess->ex_data);
#ifndef OPENSSL_NO_PSK
    sess->psk_identity_hint = NULL;
    sess->psk_identity = NULL;
#endif
    return (sess);
}
223 | ||
/* Returns a pointer to the session's own session_id buffer (not a copy).
 * When `len` is non-NULL, the ID length is written through it. */
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
{
    if (len != NULL) {
        *len = s->session_id_length;
    }
    return s->session_id;
}
230 | ||
/* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
 * has 32 bytes (256 bits). Filling the ID with random bytes repeatedly until
 * there is no conflict will therefore finish in one iteration practically
 * always. If ten attempts still collide, that is a reasonable point to give
 * up: either the RAND code is broken or someone is trying to open close to
 * 2^128 (or 2^256) SSL sessions to our server. How one might store that many
 * sessions is perhaps a more interesting question ... */

#define MAX_SESS_ID_ATTEMPTS 10

/* Default session-ID generator: fills id[0..*id_len) with random bytes and
 * retries while the result matches an existing session ID.
 * Returns 1 once a non-matching ID has been produced, 0 if the random
 * source reports failure or every attempt collided. *id_len is only read. */
static int def_generate_session_id(const SSL *ssl, unsigned char *id,
                                   unsigned int *id_len)
{
    unsigned int attempt;

    for (attempt = 0; attempt < MAX_SESS_ID_ATTEMPTS; attempt++) {
        /* Any result <= 0 is treated as failure; for
         * RAND_pseudo_bytes that includes the "bytes are not
         * cryptographically strong" result, so a weak ID is never
         * accepted here. */
        if (RAND_pseudo_bytes(id, *id_len) <= 0) {
            return 0;
        }
        if (!SSL_has_matching_session_id(ssl, id, *id_len)) {
            return 1;
        }
        /* else - woops a session_id match; try again */
    }

    /* XXX We should also check the external cache --
     * but the probability of a collision is negligible, and
     * we could not prevent the concurrent creation of sessions
     * with identical IDs since we currently don't have means
     * to atomically check whether a session ID already exists
     * and make a reservation for it if it does not
     * (this problem applies to the internal cache as well).
     */
    return 0;
}
263 | ||
/* Creates a fresh SSL_SESSION for `s` and installs it as s->session,
 * releasing whatever session `s` held before.  Used by clients and servers.
 *
 * session: non-zero to give the new session an ID (left empty when an
 *          RFC 4507 ticket is expected); zero to leave the ID empty.
 *
 * Returns 1 on success and 0 on failure.  On any failure after the
 * allocation, the new session is freed and s->session has already been
 * released and set to NULL. */
int ssl_get_new_session(SSL *s, int session)
{
    unsigned int id_len;
    SSL_SESSION *ss = NULL;
    GEN_SESSION_CB gen_id = def_generate_session_id;

    ss = SSL_SESSION_new();
    if (ss == NULL)
        return (0);

    /* Use the context's timeout when one is configured, otherwise the
     * protocol default. */
    if (s->session_ctx->session_timeout != 0)
        ss->timeout = s->session_ctx->session_timeout;
    else
        ss->timeout = SSL_get_default_timeout(s);

    if (s->session != NULL) {
        SSL_SESSION_free(s->session);
        s->session = NULL;
    }

    if (!session) {
        ss->session_id_length = 0;
    } else {
        /* The protocol version fixes the nominal session ID length. */
        switch (s->version) {
        case SSL2_VERSION:
            ss->ssl_version = SSL2_VERSION;
            ss->session_id_length = SSL2_SSL_SESSION_ID_LENGTH;
            break;
        case SSL3_VERSION:
            ss->ssl_version = SSL3_VERSION;
            ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
            break;
        case TLS1_VERSION:
            ss->ssl_version = TLS1_VERSION;
            ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
            break;
        case DTLS1_VERSION:
            ss->ssl_version = DTLS1_VERSION;
            ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
            break;
        default:
            SSLerr(SSL_F_SSL_GET_NEW_SESSION, SSL_R_UNSUPPORTED_SSL_VERSION);
            SSL_SESSION_free(ss);
            return (0);
        }
#ifndef OPENSSL_NO_TLSEXT
        /* If RFC4507 ticket use empty session ID */
        if (s->tlsext_ticket_expected) {
            ss->session_id_length = 0;
            goto sess_id_done;
        }
#endif
        /* Choose which callback will set the session ID: the SSL's own
         * generator wins over the context's, which wins over the
         * built-in default. */
        CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
        if (s->generate_session_id)
            gen_id = s->generate_session_id;
        else if (s->session_ctx->generate_session_id)
            gen_id = s->session_ctx->generate_session_id;
        CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);

        /* Choose a session ID */
        id_len = ss->session_id_length;
        if (!gen_id(s, ss->session_id, &id_len)) {
            /* The callback failed */
            SSLerr(SSL_F_SSL_GET_NEW_SESSION,
                   SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);
            SSL_SESSION_free(ss);
            return (0);
        }
        /* The callback is application code, so its reported length is
         * validated: it may neither be zero nor exceed the length it
         * was offered. */
        if (id_len == 0 || id_len > ss->session_id_length) {
            /* The callback set an illegal length */
            SSLerr(SSL_F_SSL_GET_NEW_SESSION,
                   SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);
            SSL_SESSION_free(ss);
            return (0);
        }
        /* If the session length was shrunk and we're SSLv2, pad it
         * with zeros; otherwise adopt the shorter length. */
        if (id_len < ss->session_id_length && s->version == SSL2_VERSION)
            memset(ss->session_id + id_len, 0,
                   ss->session_id_length - id_len);
        else
            ss->session_id_length = id_len;

        /* Finally, check for a conflict */
        if (SSL_has_matching_session_id(s, ss->session_id,
                                        ss->session_id_length)) {
            SSLerr(SSL_F_SSL_GET_NEW_SESSION,
                   SSL_R_SSL_SESSION_ID_CONFLICT);
            SSL_SESSION_free(ss);
            return (0);
        }
#ifndef OPENSSL_NO_TLSEXT
sess_id_done:
        /* Copy the TLS extension state of the connection into the
         * session so it is available on resumption. */
        if (s->tlsext_hostname) {
            ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
            if (ss->tlsext_hostname == NULL) {
                SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
                SSL_SESSION_free(ss);
                return 0;
            }
        }
#ifndef OPENSSL_NO_EC
        if (s->tlsext_ecpointformatlist) {
            if (ss->tlsext_ecpointformatlist != NULL)
                OPENSSL_free(ss->tlsext_ecpointformatlist);
            ss->tlsext_ecpointformatlist =
                OPENSSL_malloc(s->tlsext_ecpointformatlist_length);
            if (ss->tlsext_ecpointformatlist == NULL) {
                SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
                SSL_SESSION_free(ss);
                return 0;
            }
            ss->tlsext_ecpointformatlist_length =
                s->tlsext_ecpointformatlist_length;
            memcpy(ss->tlsext_ecpointformatlist,
                   s->tlsext_ecpointformatlist,
                   s->tlsext_ecpointformatlist_length);
        }
        if (s->tlsext_ellipticcurvelist) {
            if (ss->tlsext_ellipticcurvelist != NULL)
                OPENSSL_free(ss->tlsext_ellipticcurvelist);
            ss->tlsext_ellipticcurvelist =
                OPENSSL_malloc(s->tlsext_ellipticcurvelist_length);
            if (ss->tlsext_ellipticcurvelist == NULL) {
                SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
                SSL_SESSION_free(ss);
                return 0;
            }
            ss->tlsext_ellipticcurvelist_length =
                s->tlsext_ellipticcurvelist_length;
            memcpy(ss->tlsext_ellipticcurvelist,
                   s->tlsext_ellipticcurvelist,
                   s->tlsext_ellipticcurvelist_length);
        }
#endif
#endif
    }

    /* Bound the copy by the destination buffer before taking over the
     * connection's session ID context. */
    if (s->sid_ctx_length > sizeof ss->sid_ctx) {
        SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
        SSL_SESSION_free(ss);
        return 0;
    }
    memcpy(ss->sid_ctx, s->sid_ctx, s->sid_ctx_length);
    ss->sid_ctx_length = s->sid_ctx_length;
    s->session = ss;
    ss->ssl_version = s->version;
    ss->verify_result = X509_V_OK;

    return (1);
}
420 | ||
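/* Tries to resume the session named by `session_id` (of `len` bytes) on `s`.
 * This is used only by servers, so the ID and its length presumably come
 * from the peer and are treated as untrusted.
 *
 * Lookup order: session ticket (when TLS extensions are compiled in), then
 * the internal cache unless SSL_SESS_CACHE_NO_INTERNAL_LOOKUP is set, then
 * the context's get_session_cb.  A candidate is accepted only if its session
 * ID context equals that of `s`, its cipher can be resolved, and it has not
 * timed out.
 *
 * limit: passed through unchanged to tls1_process_ticket().
 *
 * Returns 1 when s->session has been replaced by the resumed session,
 * 0 when no usable session was found (treated as a cache miss), and
 * -1 on a fatal error. */
int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
                         const unsigned char *limit)
{
    /* This is used only by servers. */

    SSL_SESSION *ret = NULL;
    int fatal = 0;
#ifndef OPENSSL_NO_TLSEXT
    int r;
#endif

    /* `len` is a signed int that is later used as a memcpy() size into
     * the fixed-size data.session_id buffer, so a negative value must be
     * rejected together with an oversized one. */
    if (len < 0 || len > SSL_MAX_SSL_SESSION_ID_LENGTH)
        goto err;
#ifndef OPENSSL_NO_TLSEXT
    r = tls1_process_ticket(s, session_id, len, limit, &ret);
    if (r == -1) {
        fatal = 1;
        goto err;
    } else if (r == 0 || (!ret && !len))
        goto err;
    else if (!ret && !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
#else
    if (len == 0)
        goto err;
    if (!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
#endif
    {
        /* Internal cache lookup: build a key holding only the fields
         * assigned below; the rest of `data` stays uninitialised. */
        SSL_SESSION data;
        data.ssl_version = s->version;
        data.session_id_length = len;
        if (len == 0)
            return 0;
        memcpy(data.session_id, session_id, len);
        CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
        ret = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data);
        if (ret != NULL)
            /* don't allow other threads to steal it: */
            CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_SSL_SESSION);
        CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
    }

    if (ret == NULL) {
        int copy = 1;

        s->session_ctx->stats.sess_miss++;
        ret = NULL;
        if (s->session_ctx->get_session_cb != NULL
            && (ret = s->session_ctx->get_session_cb(s, session_id, len, &copy))
               != NULL) {
            s->session_ctx->stats.sess_cb_hit++;

            /* Increment reference count now if the session callback
             * asks us to do so (note that if the session structures
             * returned by the callback are shared between threads,
             * it must handle the reference count itself [i.e. copy == 0],
             * or things won't be thread-safe). */
            if (copy)
                CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_SSL_SESSION);

            /* Add the externally cached session to the internal
             * cache as well if and only if we are supposed to. */
            if (!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
                /* The following should not return 1, otherwise,
                 * things are very strange */
                SSL_CTX_add_session(s->session_ctx, ret);
        }
        if (ret == NULL)
            goto err;
    }

    /* Now ret is non-NULL, and we own one of its reference counts. */

    /* The lengths are compared first, so the memcmp() below never reads
     * past either sid_ctx value. */
    if (ret->sid_ctx_length != s->sid_ctx_length
        || memcmp(ret->sid_ctx, s->sid_ctx, ret->sid_ctx_length)) {
        /* We've found the session named by the client, but we don't
         * want to use it in this context. */

#if 0 /* The client cannot always know when a session is not appropriate,
       * so we shouldn't generate an error message. */

        SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
#endif
        goto err; /* treat like cache miss */
    }

    if ((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0) {
        /* We can't be sure if this session is being used out of
         * context, which is especially important for SSL_VERIFY_PEER.
         * The application should have used SSL[_CTX]_set_session_id_context.
         *
         * For this error case, we generate an error instead of treating
         * the event like a cache miss (otherwise it would be easy for
         * applications to effectively disable the session cache by
         * accident without anyone noticing).
         */

        SSLerr(SSL_F_SSL_GET_PREV_SESSION, SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
        fatal = 1;
        goto err;
    }

    if (ret->cipher == NULL) {
        /* Only cipher_id is set: serialise it big-endian and resolve
         * the cipher from the trailing bytes (two for SSLv3-family
         * versions, three otherwise). */
        unsigned char buf[5], *p;
        unsigned long l;

        p = buf;
        l = ret->cipher_id;
        l2n(l, p);
        if ((ret->ssl_version >> 8) == SSL3_VERSION_MAJOR)
            ret->cipher = ssl_get_cipher_by_char(s, &(buf[2]));
        else
            ret->cipher = ssl_get_cipher_by_char(s, &(buf[1]));
        if (ret->cipher == NULL)
            goto err;
    }


#if 0 /* This is way too late. */

    /* If a thread got the session, then 'swaped', and another got
     * it and then due to a time-out decided to 'OPENSSL_free' it we could
     * be in trouble.  So I'll increment it now, then double decrement
     * later - am I speaking rubbish?. */
    CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
#endif

    if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */
    {
        s->session_ctx->stats.sess_timeout++;
        /* remove it from the cache */
        SSL_CTX_remove_session(s->session_ctx, ret);
        goto err;
    }

    s->session_ctx->stats.sess_hit++;

    /* ret->time=time(NULL); */ /* rezero timeout? */
    /* again, just leave the session
     * if it is the same session, we have just incremented and
     * then decremented the reference count :-) */
    if (s->session != NULL)
        SSL_SESSION_free(s->session);
    s->session = ret;
    /* The resumed connection inherits the verification result stored
     * with the session. */
    s->verify_result = s->session->verify_result;
    return (1);

err:
    /* Drop the reference taken during lookup, if any. */
    if (ret != NULL)
        SSL_SESSION_free(ret);
    if (fatal)
        return -1;
    else
        return 0;
}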
582 | ||
/* Inserts session `c` into the context's internal cache (hash table plus
 * doubly linked list), evicting from the tail while the cache exceeds its
 * configured size.
 * Returns 1 if `c` was newly added, 0 if it was already in the cache. */
int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
{
    int added;
    SSL_SESSION *prev;

    /* The cache holds exactly one reference per session even though it
     * reaches the session two ways (linked list and lhash).  Take it up
     * front; it is handed back below if `c` turns out to be cached
     * already. */
    CRYPTO_add(&c->references, 1, CRYPTO_LOCK_SSL_SESSION);

    CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
    prev = lh_SSL_SESSION_insert(ctx->sessions, c);

    /* prev != NULL iff the table already held an entry it considers
     * equal to c.  Then prev == c should hold (nothing was really
     * modified), or we're in trouble. */
    if (prev != NULL && prev != c) {
        /* We *are* in trouble: two distinct SSL_SESSION structures
         * with identical session ID cannot share one cache (this can
         * happen e.g. when two threads concurrently obtain the same
         * session from an external cache).  Drop the old one and carry
         * on as if it had never been cached. */
        SSL_SESSION_list_remove(ctx, prev);
        SSL_SESSION_free(prev);
        prev = NULL;
    }

    if (prev != NULL) {
        /* Existing cache entry (prev == c): give back the reference
         * taken above, since the cache already accounts for one. */
        SSL_SESSION_free(prev);
        added = 0;
    } else {
        /* New cache entry: put it at the head of the queue, then
         * remove old entries if the cache has become too large. */
        SSL_SESSION_list_add(ctx, c);
        added = 1;

        if (SSL_CTX_sess_get_cache_size(ctx) > 0) {
            while (SSL_CTX_sess_number(ctx) >
                   SSL_CTX_sess_get_cache_size(ctx)) {
                /* The CTX write lock is already held, hence lck = 0. */
                if (!remove_session_lock(ctx, ctx->session_cache_tail, 0))
                    break;
                ctx->stats.sess_cache_full++;
            }
        }
    }
    CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);

    return (added);
}
647 | ||
/* Removes session `c` from the context's internal cache, taking the CTX
 * lock for the duration.  Returns the result of remove_session_lock(). */
int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c)
{
    const int take_lock = 1;

    return remove_session_lock(ctx, c, take_lock);
}
652 | ||
/* Removes session `c` from the context's cache if, and only if, the cached
 * entry for its ID is `c` itself.
 *
 * lck: non-zero to take the CRYPTO_LOCK_SSL_CTX write lock around the table
 *      update; zero when the caller already holds it.
 *
 * On removal the session is marked not resumable, the context's
 * remove_session_cb (if any) is invoked, and the cache's reference is
 * released.  Returns 1 if the session was removed, 0 otherwise (including
 * for a NULL session or one with an empty session ID). */
static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
{
    SSL_SESSION *found;
    int removed = 0;

    if (c == NULL || c->session_id_length == 0)
        return (0);

    if (lck)
        CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);

    found = lh_SSL_SESSION_retrieve(ctx->sessions, c);
    if (found == c) {
        removed = 1;
        found = lh_SSL_SESSION_delete(ctx->sessions, c);
        SSL_SESSION_list_remove(ctx, c);
    }

    if (lck)
        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);

    /* With lck != 0 the callback and the free run after the lock taken
     * here has been released; with lck == 0 no lock is touched in this
     * function. */
    if (removed) {
        found->not_resumable = 1;
        if (ctx->remove_session_cb != NULL)
            ctx->remove_session_cb(ctx, found);
        SSL_SESSION_free(found);
    }

    return (removed);
}
682 | ||
/* Drops one reference to `ss`; when the count reaches zero, wipes the key
 * material and frees the session together with everything it owns.
 * A NULL argument is ignored. */
void SSL_SESSION_free(SSL_SESSION *ss)
{
    int i;

    if (ss == NULL) {
        return;
    }

    i = CRYPTO_add(&ss->references, -1, CRYPTO_LOCK_SSL_SESSION);
#ifdef REF_PRINT
    REF_PRINT("SSL_SESSION", ss);
#endif
    if (i > 0) {
        /* Other holders remain. */
        return;
    }
#ifdef REF_CHECK
    if (i < 0) {
        fprintf(stderr, "SSL_SESSION_free, bad reference count\n");
        abort(); /* ok */
    }
#endif

    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);

    /* Scrub secrets with OPENSSL_cleanse before the memory is handed
     * back to the allocator. */
    OPENSSL_cleanse(ss->key_arg, sizeof ss->key_arg);
    OPENSSL_cleanse(ss->master_key, sizeof ss->master_key);
    OPENSSL_cleanse(ss->session_id, sizeof ss->session_id);

    if (ss->sess_cert != NULL) {
        ssl_sess_cert_free(ss->sess_cert);
    }
    if (ss->peer != NULL) {
        X509_free(ss->peer);
    }
    if (ss->ciphers != NULL) {
        sk_SSL_CIPHER_free(ss->ciphers);
    }
#ifndef OPENSSL_NO_TLSEXT
    if (ss->tlsext_hostname != NULL) {
        OPENSSL_free(ss->tlsext_hostname);
    }
    if (ss->tlsext_tick != NULL) {
        OPENSSL_free(ss->tlsext_tick);
    }
#ifndef OPENSSL_NO_EC
    ss->tlsext_ecpointformatlist_length = 0;
    if (ss->tlsext_ecpointformatlist != NULL) {
        OPENSSL_free(ss->tlsext_ecpointformatlist);
    }
    ss->tlsext_ellipticcurvelist_length = 0;
    if (ss->tlsext_ellipticcurvelist != NULL) {
        OPENSSL_free(ss->tlsext_ellipticcurvelist);
    }
#endif /* OPENSSL_NO_EC */
#endif
#ifndef OPENSSL_NO_PSK
    if (ss->psk_identity_hint != NULL) {
        OPENSSL_free(ss->psk_identity_hint);
    }
    if (ss->psk_identity != NULL) {
        OPENSSL_free(ss->psk_identity);
    }
#endif
    /* Wipe the whole structure as a last step, then release it. */
    OPENSSL_cleanse(ss, sizeof(*ss));
    OPENSSL_free(ss);
}
730 | ||
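/*
 * Attach a session to a connection so it can be offered for resumption, or
 * detach the current one when session is NULL.
 *
 * With a session: the SSL method matching session->ssl_version is looked up
 * (first via the context's method, then via the connection's); if it differs
 * from the current method the connection is switched to it and the session
 * timeout is reset from the context (or the method default when the context
 * timeout is 0).  The session's reference count is raised, any previously
 * attached session is released, and verify_result is copied across.
 *
 * With NULL: the current session is released and the connection falls back
 * to the context's method.
 *
 * Returns 1 on success, 0 on failure.  A failure can leave the connection's
 * method already switched; the previously attached session is untouched in
 * that case.
 */
int SSL_set_session(SSL *s, SSL_SESSION *session)
{
    const SSL_METHOD *meth;

    if (session == NULL) {
        if (s->session != NULL) {
            SSL_SESSION_free(s->session);
            s->session = NULL;
        }

        meth = s->ctx->method;
        if (meth != s->method) {
            if (!SSL_set_ssl_method(s, meth)) {
                return 0;
            }
        }
        return 1;
    }

    meth = s->ctx->method->get_ssl_method(session->ssl_version);
    if (meth == NULL) {
        meth = s->method->get_ssl_method(session->ssl_version);
    }
    if (meth == NULL) {
        SSLerr(SSL_F_SSL_SET_SESSION, SSL_R_UNABLE_TO_FIND_SSL_METHOD);
        return 0;
    }

    if (meth != s->method) {
        if (!SSL_set_ssl_method(s, meth)) {
            return 0;
        }
        if (s->ctx->session_timeout == 0) {
            session->timeout = SSL_get_default_timeout(s);
        } else {
            session->timeout = s->ctx->session_timeout;
        }
    }

#ifndef OPENSSL_NO_KRB5
    if (s->kssl_ctx && !s->kssl_ctx->client_princ &&
        session->krb5_client_princ_len > 0) {
        /*
         * Copy the principal into a NUL-terminated heap string.  The
         * allocation is checked before use: writing through a NULL result
         * would crash the process on memory exhaustion.
         */
        char *princ = OPENSSL_malloc(session->krb5_client_princ_len + 1);

        if (princ == NULL) {
            SSLerr(SSL_F_SSL_SET_SESSION, ERR_R_MALLOC_FAILURE);
            return 0;
        }
        memcpy(princ, session->krb5_client_princ,
               session->krb5_client_princ_len);
        princ[session->krb5_client_princ_len] = '\0';
        s->kssl_ctx->client_princ = princ;
    }
#endif /* OPENSSL_NO_KRB5 */

    /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
    /*
     * Take the new reference before dropping the old one, so that passing
     * the session that is already attached cannot free it underneath us.
     */
    CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION);
    if (s->session != NULL) {
        SSL_SESSION_free(s->session);
    }
    s->session = session;
    s->verify_result = s->session->verify_result;
    /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
    return 1;
}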
795 | ||
/*
 * Store a new timeout value in a session.
 *
 * Returns 1 when the value was stored and 0 when s is NULL.  The value is
 * stored as given; no range check is applied to t here.
 */
long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
{
    if (s != NULL) {
        s->timeout = t;
        return 1;
    }
    return 0;
}
802 | ||
/*
 * Read the timeout stored in a session.
 *
 * Returns 0 for a NULL session, which a caller cannot tell apart from a
 * stored timeout of 0.
 */
long SSL_SESSION_get_timeout(const SSL_SESSION *s)
{
    return (s != NULL) ? s->timeout : 0;
}
808 | ||
/*
 * Read the time value stored in a session.
 *
 * Returns 0 for a NULL session.
 */
long SSL_SESSION_get_time(const SSL_SESSION *s)
{
    return (s != NULL) ? s->time : 0;
}
814 | ||
/*
 * Store a new time value in a session.
 *
 * Returns the value that was stored (t itself, not a 1/0 status), or 0 when
 * s is NULL.  This differs from SSL_SESSION_set_timeout(), which returns 1
 * on success.
 */
long SSL_SESSION_set_time(SSL_SESSION *s, long t)
{
    if (s != NULL) {
        s->time = t;
        return t;
    }
    return 0;
}
821 | ||
/*
 * Replace the session timeout stored in a context.
 *
 * Returns the timeout that was in effect before the call, or 0 when s is
 * NULL.  The new value is stored as given, without a range check.
 */
long SSL_CTX_set_timeout(SSL_CTX *s, long t)
{
    long previous;

    if (s == NULL) {
        return 0;
    }
    previous = s->session_timeout;
    s->session_timeout = t;
    return previous;
}
830 | ||
/*
 * Read the session timeout stored in a context.
 *
 * Returns 0 for a NULL context.
 */
long SSL_CTX_get_timeout(const SSL_CTX *s)
{
    return (s != NULL) ? s->session_timeout : 0;
}
836 | ||
12bf56c0 DSH |
837 | #ifndef OPENSSL_NO_TLSEXT |
/*
 * Register the session-secret callback and its opaque argument on a
 * connection.
 *
 * The callback receives a buffer for the secret and its length, the peer's
 * cipher list and a cipher out-parameter; how and when it is invoked is not
 * visible in this function.  Returns 1 on success, 0 when s is NULL.
 */
int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
    STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
{
    if (s != NULL) {
        s->tls_session_secret_cb = tls_session_secret_cb;
        s->tls_session_secret_cb_arg = arg;
        return 1;
    }
    return 0;
}
846 | ||
/*
 * Register the session-ticket-extension callback and its opaque argument on
 * a connection.
 *
 * Returns 1 on success, 0 when s is NULL.
 */
int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
                                  void *arg)
{
    if (s != NULL) {
        s->tls_session_ticket_ext_cb = cb;
        s->tls_session_ticket_ext_cb_arg = arg;
        return 1;
    }
    return 0;
}
855 | ||
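/*
 * Replace the session-ticket extension data held by a connection.
 *
 * Any existing extension is freed first.  A single allocation holds the
 * TLS_SESSION_TICKET_EXT header followed by ext_len bytes; when ext_data is
 * non-NULL those bytes are copied in, otherwise the extension is recorded as
 * empty (length 0, data NULL).
 *
 * s        connection to update; NULL is rejected
 * ext_data bytes to copy, or NULL for an empty extension
 * ext_len  number of bytes at ext_data; negative values are rejected
 *
 * Returns 1 on success.  Returns 0 when s is NULL, ext_len is negative, the
 * connection's version is below TLS1_VERSION, or the allocation fails (an
 * error is queued only for the allocation failure).
 */
int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
{
    /*
     * A negative length would shrink the allocation below the header size
     * and turn into a huge size_t in memcpy(), so refuse it up front.
     */
    if (s == NULL || ext_len < 0) {
        return 0;
    }

    if (s->version < TLS1_VERSION) {
        return 0;
    }

    if (s->tlsext_session_ticket) {
        OPENSSL_free(s->tlsext_session_ticket);
        s->tlsext_session_ticket = NULL;
    }

    s->tlsext_session_ticket =
        OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + (size_t)ext_len);
    if (!s->tlsext_session_ticket) {
        SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
        return 0;
    }

    if (ext_data) {
        /*
         * NOTE(review): if TLS_SESSION_TICKET_EXT.length is narrower than
         * int, a large ext_len is truncated by this assignment while the
         * copy below still uses the full value - confirm against the struct
         * definition and consider an upper bound.
         */
        s->tlsext_session_ticket->length = ext_len;
        /* The payload lives directly behind the header in the same block. */
        s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
        memcpy(s->tlsext_session_ticket->data, ext_data, (size_t)ext_len);
    } else {
        s->tlsext_session_ticket->length = 0;
        s->tlsext_session_ticket->data = NULL;
    }

    return 1;
}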
890 | #endif /* OPENSSL_NO_TLSEXT */ | |
891 | ||
d02b48c6 RE |
/* Arguments passed to timeout_doall_arg() for every session in the cache. */
typedef struct timeout_param_st {
    SSL_CTX *ctx;                 /* context whose session list and remove callback are used */
    long time;                    /* cut-off time; 0 makes every session count as expired */
    LHASH_OF(SSL_SESSION) *cache; /* hash table the expired sessions are deleted from */
} TIMEOUT_PARAM;
898 | ||
/*
 * Per-session callback for the cache sweep: evict the session if it has
 * expired relative to p->time.
 *
 * A session counts as expired when p->time is 0 or when p->time is later
 * than s->time + s->timeout.  An expired session is deleted from the hash
 * table, unlinked from the context's list, marked not resumable, reported
 * to the remove callback if one is set, and then released.
 *
 * NOTE(review): s->time + s->timeout is plain long arithmetic; a very large
 * timeout could overflow it - confirm the values are bounded by callers.
 */
static void timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p)
{
    int expired = (p->time == 0) || (p->time > (s->time + s->timeout));

    if (!expired) {
        return;
    }

    /*
     * SSL_CTX_remove_session() is deliberately not used here, to save on
     * locking overhead.
     */
    (void)lh_SSL_SESSION_delete(p->cache, s);
    SSL_SESSION_list_remove(p->ctx, s);
    s->not_resumable = 1;
    if (p->ctx->remove_session_cb != NULL) {
        p->ctx->remove_session_cb(p->ctx, s);
    }
    SSL_SESSION_free(s);
}
913 | ||
/*
 * Presumably generates the wrapper that LHASH_DOALL_ARG_FN(timeout) refers
 * to in SSL_CTX_flush_sessions(), forwarding to timeout_doall_arg() -
 * confirm against the lhash macros.
 */
static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION, TIMEOUT_PARAM)
3c914840 | 915 | |
/*
 * Sweep the context's session cache and evict every session that has
 * expired relative to t (t == 0 evicts all of them, see
 * timeout_doall_arg()).
 *
 * Does nothing when the context has no cache.  The sweep runs under the
 * CRYPTO_LOCK_SSL_CTX write lock.
 */
void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
{
    TIMEOUT_PARAM param;
    unsigned long saved_down_load;

    param.ctx = s;
    param.cache = s->sessions;
    if (param.cache == NULL) {
        return;
    }
    param.time = t;

    CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
    /*
     * down_load is zeroed for the duration of the walk and restored
     * afterwards; presumably this keeps the table from contracting while
     * entries are being deleted from it.
     */
    saved_down_load = CHECKED_LHASH_OF(SSL_SESSION, param.cache)->down_load;
    CHECKED_LHASH_OF(SSL_SESSION, param.cache)->down_load = 0;
    lh_SSL_SESSION_doall_arg(param.cache, LHASH_DOALL_ARG_FN(timeout),
                             TIMEOUT_PARAM, &param);
    CHECKED_LHASH_OF(SSL_SESSION, param.cache)->down_load = saved_down_load;
    CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
}
933 | ||
/*
 * Remove the connection's session from the context cache when the
 * connection is going away without having sent a shutdown.
 *
 * The session is removed only if one is attached, SSL_SENT_SHUTDOWN is not
 * set in s->shutdown, and the connection is neither in its init nor in its
 * before state.  Returns 1 when the session was removed, 0 otherwise.
 */
int ssl_clear_bad_session(SSL *s)
{
    if (s->session == NULL) {
        return 0;
    }
    if (s->shutdown & SSL_SENT_SHUTDOWN) {
        return 0;
    }
    if (SSL_in_init(s) || SSL_in_before(s)) {
        return 0;
    }

    SSL_CTX_remove_session(s->ctx, s->session);
    return 1;
}
58964a49 RE |
946 | |
947 | /* locked by SSL_CTX in the calling function */ | |
/*
 * Unlink a session from the context's doubly linked session list.
 *
 * The list has no separate sentinel nodes: the first element's prev points
 * at the address of ctx->session_cache_head and the last element's next
 * points at the address of ctx->session_cache_tail, both cast to
 * SSL_SESSION *.  Those two pointers are markers only and must never be
 * dereferenced as sessions.
 *
 * A session whose next or prev is NULL is treated as not linked and left
 * alone.  After unlinking, both links of s are reset to NULL.
 */
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
{
    SSL_SESSION *head_marker;
    SSL_SESSION *tail_marker;
    int is_first;
    int is_last;

    if ((s->next == NULL) || (s->prev == NULL)) {
        return;
    }

    head_marker = (SSL_SESSION *)&(ctx->session_cache_head);
    tail_marker = (SSL_SESSION *)&(ctx->session_cache_tail);
    is_last = (s->next == tail_marker);
    is_first = (s->prev == head_marker);

    if (is_last && is_first) {
        /* only one element in list */
        ctx->session_cache_head = NULL;
        ctx->session_cache_tail = NULL;
    } else if (is_last) {
        /* last element in list */
        ctx->session_cache_tail = s->prev;
        s->prev->next = tail_marker;
    } else if (is_first) {
        /* first element in list */
        ctx->session_cache_head = s->next;
        s->next->prev = head_marker;
    } else {
        /* middle of list */
        s->next->prev = s->prev;
        s->prev->next = s->next;
    }

    s->prev = s->next = NULL;
}
980 | ||
/*
 * Put a session at the head of the context's session list.
 *
 * A session that is already linked (both next and prev set) is unlinked
 * first, so calling this on a listed session moves it to the front.  The
 * first element's prev and the last element's next hold the addresses of
 * ctx->session_cache_head and ctx->session_cache_tail as end markers.
 */
static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
{
    if ((s->next != NULL) && (s->prev != NULL)) {
        SSL_SESSION_list_remove(ctx, s);
    }

    if (ctx->session_cache_head != NULL) {
        /* Non-empty list: s becomes the new first element. */
        s->next = ctx->session_cache_head;
        s->next->prev = s;
        s->prev = (SSL_SESSION *)&(ctx->session_cache_head);
        ctx->session_cache_head = s;
    } else {
        /* Empty list: s is both first and last. */
        ctx->session_cache_head = s;
        ctx->session_cache_tail = s;
        s->prev = (SSL_SESSION *)&(ctx->session_cache_head);
        s->next = (SSL_SESSION *)&(ctx->session_cache_tail);
    }
}
1001 | ||
7806f3dd NL |
/*
 * Install the context's new-session callback.  The pointer is stored as
 * given; passing NULL clears it.  ctx is not checked for NULL.
 */
void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
                             int (*cb)(struct ssl_st *ssl, SSL_SESSION *sess))
{
    ctx->new_session_cb = cb;
}
1007 | ||
/*
 * Return the context's new-session callback as currently stored.
 * ctx is not checked for NULL.
 */
int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess)
{
    return ctx->new_session_cb;
}
1012 | ||
/*
 * Install the context's remove-session callback, which the cache code in
 * this file calls just before it releases a session it has evicted.
 * Passing NULL clears it.  ctx is not checked for NULL.
 */
void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
                                void (*cb)(SSL_CTX *ctx, SSL_SESSION *sess))
{
    ctx->remove_session_cb = cb;
}
1018 | ||
/*
 * Return the context's remove-session callback as currently stored.
 * ctx is not checked for NULL.
 */
void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx,SSL_SESSION *sess)
{
    return ctx->remove_session_cb;
}
1023 | ||
/*
 * Install the context's get-session callback.  The callback takes a byte
 * buffer with its length and a copy out-flag and returns a session;
 * presumably it serves lookups in an application-managed cache - confirm
 * against the caller.  ctx is not checked for NULL.
 */
void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
                             SSL_SESSION *(*cb)(struct ssl_st *ssl,
                                                unsigned char *data, int len,
                                                int *copy))
{
    ctx->get_session_cb = cb;
}
1030 | ||
d137b56a DSH |
/*
 * Return the context's get-session callback as currently stored.
 * ctx is not checked for NULL.
 */
SSL_SESSION * (*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl,
        unsigned char *data, int len, int *copy)
{
    return ctx->get_session_cb;
}
1036 | ||
/*
 * Install the context's info callback.  Passing NULL clears it.
 * ctx is not checked for NULL.
 */
void SSL_CTX_set_info_callback(SSL_CTX *ctx,
                               void (*cb)(const SSL *ssl, int type, int val))
{
    ctx->info_callback = cb;
}
1042 | ||
/*
 * Return the context's info callback as currently stored.
 * ctx is not checked for NULL.
 */
void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val)
{
    return ctx->info_callback;
}
1047 | ||
/*
 * Install the context's client-certificate callback, which hands back a
 * certificate and private key through its out-parameters.  Passing NULL
 * clears it.  ctx is not checked for NULL.
 */
void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
                                int (*cb)(SSL *ssl, X509 **x509,
                                          EVP_PKEY **pkey))
{
    ctx->client_cert_cb = cb;
}
1053 | ||
/*
 * Return the context's client-certificate callback as currently stored.
 * ctx is not checked for NULL.
 */
int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PKEY **pkey)
{
    return ctx->client_cert_cb;
}
1058 | ||
368888bc DSH |
1059 | #ifndef OPENSSL_NO_ENGINE |
/*
 * Make an ENGINE the context's source of client certificates.
 *
 * The engine is initialised with ENGINE_init() and must provide an SSL
 * client-certificate function; if it does not, the initialisation is undone
 * with ENGINE_finish() and the call fails.  On success the engine pointer
 * is stored in the context and stays initialised.
 *
 * Returns 1 on success, 0 on failure (with an error queued).
 *
 * NOTE(review): an engine already stored in ctx->client_cert_engine is
 * overwritten here without ENGINE_finish() - confirm it is released
 * elsewhere.
 */
int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
{
    if (!ENGINE_init(e)) {
        SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
        return 0;
    }

    if (ENGINE_get_ssl_client_cert_function(e)) {
        ctx->client_cert_engine = e;
        return 1;
    }

    SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, SSL_R_NO_CLIENT_CERT_METHOD);
    ENGINE_finish(e);
    return 0;
}
1076 | #endif | |
1077 | ||
7806f3dd NL |
/*
 * Install the application's cookie-generation callback, which fills a
 * cookie buffer and reports its length through cookie_len.  Passing NULL
 * clears it.  ctx is not checked for NULL.
 */
void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
                                    int (*cb)(SSL *ssl, unsigned char *cookie,
                                              unsigned int *cookie_len))
{
    ctx->app_gen_cookie_cb = cb;
}
1083 | ||
/*
 * Install the application's cookie-verification callback, which is given a
 * cookie and its length to check.  Passing NULL clears it.  ctx is not
 * checked for NULL.
 */
void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
                                  int (*cb)(SSL *ssl, unsigned char *cookie,
                                            unsigned int cookie_len))
{
    ctx->app_verify_cookie_cb = cb;
}
1089 | ||
/*
 * Presumably generates the PEM read/write routines for SSL_SESSION under
 * the PEM_STRING_SSL_SESSION label - confirm against the PEM macros.
 * NOTE(review): a serialized session would carry the session's secrets, so
 * whatever these routines write should be handled as key material.
 */
IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION)