Commit | Line | Data |
---|---|---|
d02b48c6 | 1 | /* ssl/ssl_sess.c */ |
58964a49 | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
d02b48c6 RE |
3 | * All rights reserved. |
4 | * | |
5 | * This package is an SSL implementation written | |
6 | * by Eric Young (eay@cryptsoft.com). | |
7 | * The implementation was written so as to conform with Netscapes SSL. | |
8 | * | |
9 | * This library is free for commercial and non-commercial use as long as | |
10 | * the following conditions are aheared to. The following conditions | |
11 | * apply to all code found in this distribution, be it the RC4, RSA, | |
12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
13 | * included with this distribution is covered by the same copyright terms | |
14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
15 | * | |
16 | * Copyright remains Eric Young's, and as such any Copyright notices in | |
17 | * the code are not to be removed. | |
18 | * If this package is used in a product, Eric Young should be given attribution | |
19 | * as the author of the parts of the library used. | |
20 | * This can be in the form of a textual message at program startup or | |
21 | * in documentation (online or textual) provided with the package. | |
22 | * | |
23 | * Redistribution and use in source and binary forms, with or without | |
24 | * modification, are permitted provided that the following conditions | |
25 | * are met: | |
26 | * 1. Redistributions of source code must retain the copyright | |
27 | * notice, this list of conditions and the following disclaimer. | |
28 | * 2. Redistributions in binary form must reproduce the above copyright | |
29 | * notice, this list of conditions and the following disclaimer in the | |
30 | * documentation and/or other materials provided with the distribution. | |
31 | * 3. All advertising materials mentioning features or use of this software | |
32 | * must display the following acknowledgement: | |
33 | * "This product includes cryptographic software written by | |
34 | * Eric Young (eay@cryptsoft.com)" | |
35 | * The word 'cryptographic' can be left out if the rouines from the library | |
36 | * being used are not cryptographic related :-). | |
37 | * 4. If you include any Windows specific code (or a derivative thereof) from | |
38 | * the apps directory (application code) you must include an acknowledgement: | |
39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
40 | * | |
41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
51 | * SUCH DAMAGE. | |
52 | * | |
53 | * The licence and distribution terms for any publically available version or | |
54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |
55 | * copied and put under another distribution licence | |
56 | * [including the GNU Public Licence.] | |
57 | */ | |
58 | ||
59 | #include <stdio.h> | |
ec577822 BM |
60 | #include <openssl/lhash.h> |
61 | #include <openssl/rand.h> | |
d02b48c6 RE |
62 | #include "ssl_locl.h" |
63 | ||
58964a49 RE |
/*
 * State for SSL_SESSION ex_data registration: ssl_session_num is the next
 * index handed out by SSL_SESSION_get_ex_new_index(), ssl_session_meth is the
 * callback stack passed to the CRYPTO_*_ex_data() calls in this file.
 */
static int ssl_session_num = 0;
static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_session_meth = NULL;

/* File-local helpers for the session cache (hash table plus linked list). */
static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
58964a49 | 69 | |
/*
 * Return the session attached to ssl (aka SSL_get0_session).
 *
 * No reference is taken: the caller gets a plain copy of the pointer, so it
 * is only safe to use while ssl still holds its own reference. Use
 * SSL_get1_session() when the session must outlive that.
 */
SSL_SESSION *SSL_get_session(SSL *ssl)
{
    SSL_SESSION *current = ssl->session;

    return current;
}
52732b38 BM |
75 | |
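/*
 * Variant of SSL_get_session() that hands the caller its own reference.
 *
 * Returns ssl->session with its reference count incremented, or NULL when no
 * session is attached. The caller releases the reference with
 * SSL_SESSION_free().
 */
SSL_SESSION *SSL_get1_session(SSL *ssl)
{
    SSL_SESSION *sess;

    /*
     * The NULL check and the increment must happen under one lock so that
     * nobody frees ssl->session in between. The increment is a write to
     * shared state, so the lock is taken for writing: under a shared (read)
     * lock two callers could run references++ concurrently and lose an
     * update, leaving the count too low and the session freed while in use.
     */
    CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
    sess = ssl->session;
    if (sess != NULL)
        sess->references++;
    CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
    return sess;
}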
90 | ||
dd9d233e DSH |
/*
 * Register a new ex_data slot for SSL_SESSION objects.
 *
 * Claims the next value of the file-scope counter ssl_session_num and
 * forwards it, with the caller's arguments and callbacks, to
 * CRYPTO_get_ex_new_index(); that call's result is returned unchanged.
 *
 * NOTE(review): the counter is updated without any lock in this function;
 * confirm that registration only happens during single-threaded setup.
 */
int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
                                 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
{
    int idx = ssl_session_num;

    ssl_session_num = idx + 1;
    return CRYPTO_get_ex_new_index(idx, &ssl_session_meth,
                                   argl, argp, new_func, dup_func, free_func);
}
58964a49 | 99 | |
/*
 * Store the application pointer arg in slot idx of the session's ex_data.
 * Returns whatever CRYPTO_set_ex_data() returns.
 */
int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
{
    int rv = CRYPTO_set_ex_data(&s->ex_data, idx, arg);

    return rv;
}
104 | ||
/*
 * Fetch the application pointer stored in slot idx of the session's ex_data.
 * Returns whatever CRYPTO_get_ex_data() returns.
 */
void *SSL_SESSION_get_ex_data(SSL_SESSION *s, int idx)
{
    void *value = CRYPTO_get_ex_data(&s->ex_data, idx);

    return value;
}
109 | ||
/*
 * Allocate and initialise an empty SSL_SESSION.
 *
 * Returns the new session holding one reference, or NULL (after queuing
 * ERR_R_MALLOC_FAILURE) when the allocation fails.
 */
SSL_SESSION *SSL_SESSION_new(void)
{
    SSL_SESSION *ss = (SSL_SESSION *)OPENSSL_malloc(sizeof(SSL_SESSION));

    if (ss == NULL) {
        SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE);
        return 0;
    }

    /* Start from all-zero so every field not set below has a known value. */
    memset(ss, 0, sizeof(SSL_SESSION));

    /*
     * Deliberately not 0: 0 is X509_V_OK, and a session that was never
     * verified must not read as "verified OK".
     */
    ss->verify_result = 1;
    ss->references = 1;

    /* 304 seconds; the original comment describes this as a 5 minute default. */
    ss->timeout = 60 * 5 + 4;
    ss->time = time(NULL);

    /* Not linked into any cache list yet. */
    ss->next = NULL;
    ss->prev = NULL;
    ss->compress_meth = 0;

    CRYPTO_new_ex_data(ssl_session_meth, ss, &ss->ex_data);
    return ss;
}
132 | ||
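/*
 * Create a fresh session and attach it to s, replacing any previous one.
 * Used by both clients and servers.
 *
 * When session is non-zero a random session ID of the length appropriate
 * for s->version is generated; otherwise the session gets a zero-length ID.
 *
 * Returns 1 on success. Returns 0 when allocation fails, when s->version is
 * not a supported protocol version, when the random source reports failure,
 * or when s->sid_ctx_length does not fit the session's sid_ctx buffer. On
 * every failure after the allocation, s->session has already been released
 * and is left NULL.
 */
int ssl_get_new_session(SSL *s, int session)
{
    SSL_SESSION *ss;

    ss = SSL_SESSION_new();
    if (ss == NULL)
        return 0;

    /* A context timeout of 0 selects the protocol's default timeout. */
    if (s->ctx->session_timeout == 0)
        ss->timeout = SSL_get_default_timeout(s);
    else
        ss->timeout = s->ctx->session_timeout;

    if (s->session != NULL) {
        SSL_SESSION_free(s->session);
        s->session = NULL;
    }

    if (session) {
        if (s->version == SSL2_VERSION) {
            ss->ssl_version = SSL2_VERSION;
            ss->session_id_length = SSL2_SSL_SESSION_ID_LENGTH;
        } else if (s->version == SSL3_VERSION) {
            ss->ssl_version = SSL3_VERSION;
            ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
        } else if (s->version == TLS1_VERSION) {
            ss->ssl_version = TLS1_VERSION;
            ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
        } else {
            SSLerr(SSL_F_SSL_GET_NEW_SESSION, SSL_R_UNSUPPORTED_SSL_VERSION);
            SSL_SESSION_free(ss);
            return 0;
        }

        for (;;) {
            SSL_SESSION *r;

            /*
             * Do not continue with an ID buffer the random source could not
             * fill: a negative return means no bytes were produced, and the
             * all-zero ID left by SSL_SESSION_new() would be used as-is.
             * NOTE(review): no error is queued here because no fitting
             * reason code is visible in this file; add one when available.
             */
            if (RAND_pseudo_bytes(ss->session_id, ss->session_id_length) < 0) {
                SSL_SESSION_free(ss);
                return 0;
            }

            CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
            r = (SSL_SESSION *)lh_retrieve(s->ctx->sessions, ss);
            CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
            if (r == NULL)
                break;
            /*
             * Session ID already present in the internal cache: try again.
             *
             * XXX The external cache is not consulted. The probability of a
             * collision is negligible, and concurrent creation of sessions
             * with identical IDs cannot be prevented anyway, since there is
             * no way to atomically check for an ID and reserve it (this
             * applies to the internal cache as well).
             */
        }
    } else {
        ss->session_id_length = 0;
    }

    /*
     * Bound the copy by the destination buffer. The length comes from the
     * SSL object and nothing in this function otherwise guarantees that it
     * fits ss->sid_ctx.
     */
    if (s->sid_ctx_length > sizeof(ss->sid_ctx)) {
        SSL_SESSION_free(ss);
        return 0;
    }
    memcpy(ss->sid_ctx, s->sid_ctx, s->sid_ctx_length);
    ss->sid_ctx_length = s->sid_ctx_length;

    s->session = ss;
    ss->ssl_version = s->version;
    ss->verify_result = X509_V_OK;

    return 1;
}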
210 | ||
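/*
 * Look up the session named by the client's session ID and, if it can be
 * resumed, attach it to s. Used only by servers.
 *
 * session_id/len come from the peer's hello message and are untrusted.
 *
 * Returns 1 when a usable session was found and installed in s->session,
 * 0 when the request should be treated as a cache miss, and -1 on a fatal
 * condition (peer verification is enabled but the application never set a
 * session ID context).
 */
int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
{
    SSL_SESSION *ret = NULL, data;
    int fatal = 0;

    /*
     * Validate the length before it is used as a copy size. A negative
     * value would be converted to a huge size_t by memcpy() and overrun
     * data.session_id.
     */
    if (len < 0 || len > SSL_MAX_SSL_SESSION_ID_LENGTH)
        goto err;

    /* Lookup key: only the fields set here are initialised in data. */
    data.ssl_version = s->version;
    data.session_id_length = len;
    memcpy(data.session_id, session_id, len);

    if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {
        CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
        ret = (SSL_SESSION *)lh_retrieve(s->ctx->sessions, &data);
        if (ret != NULL)
            /* take our reference before the cache lock is dropped, so
             * another thread cannot free the session under us */
            CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_SSL_SESSION);
        CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
    }

    if (ret == NULL) {
        int copy = 1;

        s->ctx->stats.sess_miss++;
        if (s->ctx->get_session_cb != NULL
            && (ret = s->ctx->get_session_cb(s, session_id, len, &copy))
               != NULL) {
            s->ctx->stats.sess_cb_hit++;

            /*
             * Increment the reference count now if the callback asks us to.
             * If the structures returned by the callback are shared between
             * threads, the callback must handle the reference count itself
             * (i.e. set copy to 0), or things won't be thread-safe.
             */
            if (copy)
                CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_SSL_SESSION);

            /* The following should not return 1, otherwise things are
             * very strange. */
            SSL_CTX_add_session(s->ctx, ret);
        }
        if (ret == NULL)
            goto err;
    }

    /* Now ret is non-NULL, and we own one of its reference counts. */

    /*
     * NOTE(review): the session ID context is compared only when
     * SSL_VERIFY_PEER is set. Without it, a session created under a
     * different context is accepted here; confirm that this is intended.
     */
    if ((s->verify_mode & SSL_VERIFY_PEER)
        && (!s->sid_ctx_length || ret->sid_ctx_length != s->sid_ctx_length
            || memcmp(ret->sid_ctx, s->sid_ctx, ret->sid_ctx_length))) {
        /* We've found the session named by the client, but we don't
         * want to use it in this context. */

        if (s->sid_ctx_length == 0) {
            /*
             * The application should have used
             * SSL[_CTX]_set_session_id_context. We could tolerate this and
             * pretend we never heard of this session, but then applications
             * could effectively disable the session cache by accident
             * without anyone noticing.
             */
            SSLerr(SSL_F_SSL_GET_PREV_SESSION,
                   SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
            fatal = 1;
            goto err;
        } else {
#if 0 /* The client cannot always know when a session is not appropriate,
       * so we shouldn't generate an error message. */

            SSLerr(SSL_F_SSL_GET_PREV_SESSION,
                   SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
#endif
            goto err; /* treat like cache miss */
        }
    }

    if (ret->cipher == NULL) {
        unsigned char buf[5], *p;
        unsigned long l;

        /* Serialise cipher_id with l2n() and look the cipher up from the
         * tail of the buffer; the offset depends on the protocol major. */
        p = buf;
        l = ret->cipher_id;
        l2n(l, p);
        if ((ret->ssl_version >> 8) == SSL3_VERSION_MAJOR)
            ret->cipher = ssl_get_cipher_by_char(s, &(buf[2]));
        else
            ret->cipher = ssl_get_cipher_by_char(s, &(buf[1]));
        if (ret->cipher == NULL)
            goto err;
    }

#if 0 /* This is way too late. */

    /* If a thread got the session, then 'swaped', and another got
     * it and then due to a time-out decided to 'OPENSSL_free' it we could
     * be in trouble.  So I'll increment it now, then double decrement
     * later - am I speaking rubbish?. */
    CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_SSL_SESSION);
#endif

    if ((long)(ret->time + ret->timeout) < (long)time(NULL)) { /* timeout */
        s->ctx->stats.sess_timeout++;
        /* Expired: drop it from the cache, then release our reference. */
        SSL_CTX_remove_session(s->ctx, ret);
        goto err;
    }

    s->ctx->stats.sess_hit++;

    /* ret->time=time(NULL); */ /* rezero timeout? */
    /*
     * If s->session is the same session, this just decrements the count
     * that was incremented above.
     */
    if (s->session != NULL)
        SSL_SESSION_free(s->session);
    s->session = ret;
    /* Carry over the verification result stored with the session. */
    s->verify_result = s->session->verify_result;
    return 1;

 err:
    if (ret != NULL)
        SSL_SESSION_free(ret);
    if (fatal)
        return -1;
    else
        return 0;
}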
347 | ||
/*
 * Insert session c into the context's internal cache.
 *
 * Returns 1 when c became a new cache entry and 0 when c itself was already
 * cached. The cache holds exactly one reference on each entry, although an
 * entry is reachable both through the lhash and through the linked list.
 *
 * If a different SSL_SESSION with the same session ID was cached, it is
 * unlinked and released in favour of c; remove_session_cb is not called for
 * that displaced entry.
 */
int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
{
    SSL_SESSION *old;
    int added;

    /* Take the cache's reference up front; it is handed back below if c
     * turns out to be cached already. */
    CRYPTO_add(&c->references, 1, CRYPTO_LOCK_SSL_SESSION);

    CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
    old = (SSL_SESSION *)lh_insert(ctx->sessions, c);

    /*
     * old != NULL iff an entry with this session ID existed. It should then
     * be c itself (the hash was not really modified).
     */
    if (old != NULL && old != c) {
        /*
         * Two SSL_SESSION structures with one session ID cannot share a
         * cache. This can happen e.g. when two threads concurrently obtain
         * the same session from an external cache. Drop the other one and
         * carry on as if it had never been cached.
         */
        SSL_SESSION_list_remove(ctx, old);
        SSL_SESSION_free(old);
        old = NULL;
    }

    if (old != NULL) {
        /* old == c: the cache already owns a reference, so hand back the
         * one taken at the top. */
        SSL_SESSION_free(old);
        added = 0;
    } else {
        /* New entry: it goes to the head of the list. */
        SSL_SESSION_list_add(ctx, c);
        added = 1;

        /* Evict from the tail while the cache exceeds its configured size;
         * a size of 0 or less disables the limit. */
        if (SSL_CTX_sess_get_cache_size(ctx) > 0) {
            while (SSL_CTX_sess_number(ctx) >
                   SSL_CTX_sess_get_cache_size(ctx)) {
                /* lck == 0: the context write lock is already held */
                if (!remove_session_lock(ctx, ctx->session_cache_tail, 0))
                    break;
                ctx->stats.sess_cache_full++;
            }
        }
    }
    CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
    return added;
}
412 | ||
/*
 * Remove session c from the context's cache, taking the context lock.
 * Returns 1 if the session was removed, 0 otherwise.
 */
int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c)
{
    int removed = remove_session_lock(ctx, c, 1);

    return removed;
}
417 | ||
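/*
 * Remove session c from the context's cache.
 *
 * lck selects whether CRYPTO_LOCK_SSL_CTX is taken here (non-zero) or is
 * already held for writing by the caller (zero).
 *
 * Returns 1 if c was cached and has been removed, 0 otherwise (c is NULL,
 * has a zero-length session ID, or is not the object stored under its ID).
 * On removal the session is marked not resumable, remove_session_cb is
 * invoked if set, and the cache's reference is released.
 */
static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
{
    SSL_SESSION *r;
    int ret = 0;

    if (c == NULL || c->session_id_length == 0)
        return 0;

    if (lck)
        CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);

    /*
     * Only delete when the cached object is c itself. The hash is keyed by
     * session ID, so deleting unconditionally could evict a different
     * SSL_SESSION that merely shares c's ID; that object would then be freed
     * below while still linked into the list (only c is unlinked), leaving
     * dangling list pointers.
     */
    r = (SSL_SESSION *)lh_retrieve(ctx->sessions, c);
    if (r == c) {
        r = (SSL_SESSION *)lh_delete(ctx->sessions, c);
        SSL_SESSION_list_remove(ctx, c);
        ret = 1;
    }

    if (lck)
        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);

    if (ret) {
        r->not_resumable = 1;
        /* With lck == 0 the callback runs while the caller still holds
         * the context lock. */
        if (ctx->remove_session_cb != NULL)
            ctx->remove_session_cb(ctx, r);
        SSL_SESSION_free(r);
    }
    return ret;
}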
447 | ||
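/*
 * Zero len bytes at ptr through a volatile pointer. A plain memset() right
 * before the memory is freed is a dead store that the compiler may remove,
 * which would leave key material in the released heap block.
 */
static void ssl_session_wipe(void *ptr, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)ptr;

    while (len-- > 0)
        *p++ = 0;
}

/*
 * Drop one reference to ss and destroy the session when it was the last.
 *
 * A NULL ss is ignored. On destruction the ex_data is released, the key
 * material and session ID are wiped, the owned sub-objects (sess_cert, peer
 * certificate, cipher stack) are freed, and the structure itself is wiped
 * and freed.
 */
void SSL_SESSION_free(SSL_SESSION *ss)
{
    int i;

    if (ss == NULL)
        return;

    i = CRYPTO_add(&ss->references, -1, CRYPTO_LOCK_SSL_SESSION);
#ifdef REF_PRINT
    REF_PRINT("SSL_SESSION", ss);
#endif
    if (i > 0)
        return;
#ifdef REF_CHECK
    if (i < 0) {
        fprintf(stderr, "SSL_SESSION_free, bad reference count\n");
        abort(); /* ok */
    }
#endif

    CRYPTO_free_ex_data(ssl_session_meth, ss, &ss->ex_data);

    /* Wipe the secrets explicitly before anything else is torn down. */
    ssl_session_wipe(ss->key_arg, SSL_MAX_KEY_ARG_LENGTH);
    ssl_session_wipe(ss->master_key, SSL_MAX_MASTER_KEY_LENGTH);
    ssl_session_wipe(ss->session_id, SSL_MAX_SSL_SESSION_ID_LENGTH);

    if (ss->sess_cert != NULL)
        ssl_sess_cert_free(ss->sess_cert);
    if (ss->peer != NULL)
        X509_free(ss->peer);
    if (ss->ciphers != NULL)
        sk_SSL_CIPHER_free(ss->ciphers);

    /* Clear the whole structure so stale pointers and lengths do not
     * survive in the freed block. */
    ssl_session_wipe(ss, sizeof(*ss));
    OPENSSL_free(ss);
}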
479 | ||
/*
 * Attach session to s for a later resumption attempt, or detach the current
 * session when session is NULL.
 *
 * With a session: the SSL method matching session->ssl_version is selected
 * (looked up through the context's method first, then through s's current
 * method). If that changes s's method, session->timeout is reset from the
 * context timeout or the new method's default. s then takes its own
 * reference on session and copies its verify_result.
 *
 * With NULL: any current session is released and s is switched back to the
 * context's method if it differs.
 *
 * Returns 1 on success, 0 if no method is found or switching methods fails.
 * No SSL-level lock is taken here.
 */
int SSL_set_session(SSL *s, SSL_SESSION *session)
{
    SSL_METHOD *meth;

    if (session == NULL) {
        if (s->session != NULL) {
            SSL_SESSION_free(s->session);
            s->session = NULL;
        }

        meth = s->ctx->method;
        if (meth != s->method && !SSL_set_ssl_method(s, meth))
            return 0;
        return 1;
    }

    meth = s->ctx->method->get_ssl_method(session->ssl_version);
    if (meth == NULL)
        meth = s->method->get_ssl_method(session->ssl_version);
    if (meth == NULL) {
        SSLerr(SSL_F_SSL_SET_SESSION, SSL_R_UNABLE_TO_FIND_SSL_METHOD);
        return 0;
    }

    if (meth != s->method) {
        if (!SSL_set_ssl_method(s, meth))
            return 0;
        /* This writes to the caller's session object, not only to s. */
        if (s->ctx->session_timeout == 0)
            session->timeout = SSL_get_default_timeout(s);
        else
            session->timeout = s->ctx->session_timeout;
    }

    /* Take the new reference before dropping the old one, so passing the
     * session that is already attached cannot free it. */
    CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION);
    if (s->session != NULL)
        SSL_SESSION_free(s->session);
    s->session = session;
    s->verify_result = s->session->verify_result;
    return 1;
}
533 | ||
/*
 * Set the session's timeout to t.
 * Returns 1 on success, 0 when s is NULL.
 */
long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
{
    if (s != NULL) {
        s->timeout = t;
        return 1;
    }
    return 0;
}
540 | ||
/*
 * Return the session's timeout, or 0 when s is NULL.
 */
long SSL_SESSION_get_timeout(SSL_SESSION *s)
{
    return (s != NULL) ? s->timeout : 0;
}
546 | ||
/*
 * Return the session's stored time value, or 0 when s is NULL.
 */
long SSL_SESSION_get_time(SSL_SESSION *s)
{
    return (s != NULL) ? s->time : 0;
}
552 | ||
/*
 * Set the session's stored time value to t.
 * Returns t on success, 0 when s is NULL.
 */
long SSL_SESSION_set_time(SSL_SESSION *s, long t)
{
    if (s != NULL) {
        s->time = t;
        return t;
    }
    return 0;
}
559 | ||
/*
 * Set the context's session timeout to t.
 * Returns the previous timeout, or 0 when s is NULL.
 */
long SSL_CTX_set_timeout(SSL_CTX *s, long t)
{
    long previous;

    if (s == NULL)
        return 0;

    previous = s->session_timeout;
    s->session_timeout = t;
    return previous;
}
568 | ||
/*
 * Return the context's session timeout, or 0 when s is NULL.
 */
long SSL_CTX_get_timeout(SSL_CTX *s)
{
    return (s != NULL) ? s->session_timeout : 0;
}
574 | ||
d02b48c6 RE |
/* Argument bundle handed to timeout() for each cached session during a flush. */
typedef struct timeout_param_st
{
    SSL_CTX *ctx;  /* context whose cache is being flushed */
    long time;     /* cut-off time; 0 expires every session */
    LHASH *cache;  /* hash table the sessions are deleted from */
} TIMEOUT_PARAM;
581 | ||
/*
 * Per-entry callback for SSL_CTX_flush_sessions(): evict s when it has
 * expired relative to p->time, or unconditionally when p->time is 0.
 *
 * The entry is removed directly instead of via SSL_CTX_remove_session() to
 * save on locking overhead; this function takes no context lock itself.
 */
static void timeout(SSL_SESSION *s, TIMEOUT_PARAM *p)
{
    int expired = (p->time == 0) || (p->time > (s->time + s->timeout));

    if (!expired)
        return;

    lh_delete(p->cache, s);
    SSL_SESSION_list_remove(p->ctx, s);
    s->not_resumable = 1;
    if (p->ctx->remove_session_cb != NULL)
        p->ctx->remove_session_cb(p->ctx, s);
    /* release the reference the cache held */
    SSL_SESSION_free(s);
}

/* Wrapper that lets lh_doall_arg() call timeout() with these argument types. */
static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION *, TIMEOUT_PARAM *)
598 | ||
/*
 * Evict from the context's cache every session that has expired relative to
 * time t; t == 0 evicts all sessions. Does nothing when the context has no
 * session hash table.
 */
void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
{
    TIMEOUT_PARAM tp;
    unsigned long saved_down_load;

    tp.ctx = s;
    tp.time = t;
    tp.cache = s->sessions;
    if (tp.cache == NULL)
        return;

    CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
    /*
     * down_load is set to 0 for the duration of the walk and restored
     * afterwards; presumably this keeps the table from shrinking while
     * entries are deleted during iteration (confirm against lhash).
     */
    saved_down_load = tp.cache->down_load;
    tp.cache->down_load = 0;
    lh_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout), &tp);
    tp.cache->down_load = saved_down_load;
    CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
}
615 | ||
/*
 * Remove s's session from the cache when the connection ended without this
 * side having sent a shutdown and the handshake was already past its
 * init/before states, so that such a session is not offered for resumption.
 *
 * Returns 1 if removal was requested, 0 if the session was left alone.
 */
int ssl_clear_bad_session(SSL *s)
{
    if (s->session == NULL)
        return 0;
    if (s->shutdown & SSL_SENT_SHUTDOWN)
        return 0;
    if (SSL_in_init(s) || SSL_in_before(s))
        return 0;

    SSL_CTX_remove_session(s->ctx, s->session);
    return 1;
}
58964a49 RE |
628 | |
/*
 * Unlink s from the context's session list. The caller must hold the
 * SSL_CTX lock.
 *
 * The list has no separate sentinel nodes: the first entry's prev and the
 * last entry's next hold the addresses of ctx->session_cache_head and
 * ctx->session_cache_tail, cast to SSL_SESSION *. Those two values are only
 * ever compared, never dereferenced. A session with a NULL next or prev is
 * not on the list and is left untouched.
 */
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
{
    SSL_SESSION *head_mark = (SSL_SESSION *)&(ctx->session_cache_head);
    SSL_SESSION *tail_mark = (SSL_SESSION *)&(ctx->session_cache_tail);
    int is_first, is_last;

    if (s->next == NULL || s->prev == NULL)
        return;

    is_last = (s->next == tail_mark);
    is_first = (s->prev == head_mark);

    if (is_last && is_first) {
        /* only element: the list becomes empty */
        ctx->session_cache_head = NULL;
        ctx->session_cache_tail = NULL;
    } else if (is_last) {
        /* last element: the predecessor becomes the tail */
        ctx->session_cache_tail = s->prev;
        s->prev->next = tail_mark;
    } else if (is_first) {
        /* first element: the successor becomes the head */
        ctx->session_cache_head = s->next;
        s->next->prev = head_mark;
    } else {
        /* middle of the list: join the neighbours */
        s->next->prev = s->prev;
        s->prev->next = s->next;
    }
    s->prev = s->next = NULL;
}
662 | ||
/*
 * Put s at the head of the context's session list, unlinking it first if it
 * is already on the list. Nothing is locked here, and the unlink helper it
 * calls requires the SSL_CTX lock, so the caller is expected to hold it.
 *
 * The first entry's prev and the last entry's next hold the addresses of
 * ctx->session_cache_head and ctx->session_cache_tail as end markers.
 */
static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
{
    if (s->next != NULL && s->prev != NULL)
        SSL_SESSION_list_remove(ctx, s);

    if (ctx->session_cache_head == NULL) {
        /* empty list: s is both head and tail */
        ctx->session_cache_tail = s;
        s->next = (SSL_SESSION *)&(ctx->session_cache_tail);
    } else {
        /* link in front of the current head */
        s->next = ctx->session_cache_head;
        s->next->prev = s;
    }
    s->prev = (SSL_SESSION *)&(ctx->session_cache_head);
    ctx->session_cache_head = s;
}
683 |