OLD | NEW |
1 /* ssl/ssl_sess.c */ | 1 /* ssl/ssl_sess.c */ |
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 * All rights reserved. | 3 * All rights reserved. |
4 * | 4 * |
5 * This package is an SSL implementation written | 5 * This package is an SSL implementation written |
6 * by Eric Young (eay@cryptsoft.com). | 6 * by Eric Young (eay@cryptsoft.com). |
7 * The implementation was written so as to conform with Netscapes SSL. | 7 * The implementation was written so as to conform with Netscapes SSL. |
8 * | 8 * |
9 * This library is free for commercial and non-commercial use as long as | 9 * This library is free for commercial and non-commercial use as long as |
10 * the following conditions are aheared to. The following conditions | 10 * the following conditions are aheared to. The following conditions |
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 * SUCH DAMAGE. | 51 * SUCH DAMAGE. |
52 * | 52 * |
53 * The licence and distribution terms for any publically available version or | 53 * The licence and distribution terms for any publically available version or |
54 * derivative of this code cannot be changed. i.e. this code cannot simply be | 54 * derivative of this code cannot be changed. i.e. this code cannot simply be |
55 * copied and put under another distribution licence | 55 * copied and put under another distribution licence |
56 * [including the GNU Public Licence.] | 56 * [including the GNU Public Licence.] |
57 */ | 57 */ |
| 58 /* ==================================================================== |
| 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. |
| 60 * |
| 61 * Redistribution and use in source and binary forms, with or without |
| 62 * modification, are permitted provided that the following conditions |
| 63 * are met: |
| 64 * |
| 65 * 1. Redistributions of source code must retain the above copyright |
| 66 * notice, this list of conditions and the following disclaimer. |
| 67 * |
| 68 * 2. Redistributions in binary form must reproduce the above copyright |
| 69 * notice, this list of conditions and the following disclaimer in |
| 70 * the documentation and/or other materials provided with the |
| 71 * distribution. |
| 72 * |
| 73 * 3. All advertising materials mentioning features or use of this |
| 74 * software must display the following acknowledgment: |
| 75 * "This product includes software developed by the OpenSSL Project |
| 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
| 77 * |
| 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
| 79 * endorse or promote products derived from this software without |
| 80 * prior written permission. For written permission, please contact |
| 81 * openssl-core@openssl.org. |
| 82 * |
| 83 * 5. Products derived from this software may not be called "OpenSSL" |
| 84 * nor may "OpenSSL" appear in their names without prior written |
| 85 * permission of the OpenSSL Project. |
| 86 * |
| 87 * 6. Redistributions of any form whatsoever must retain the following |
| 88 * acknowledgment: |
| 89 * "This product includes software developed by the OpenSSL Project |
| 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
| 91 * |
| 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
| 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
| 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
| 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
| 103 * OF THE POSSIBILITY OF SUCH DAMAGE. |
| 104 * ==================================================================== |
| 105 * |
| 106 * This product includes cryptographic software written by Eric Young |
| 107 * (eay@cryptsoft.com). This product includes software written by Tim |
| 108 * Hudson (tjh@cryptsoft.com). |
| 109 * |
| 110 */ |
| 111 /* ==================================================================== |
| 112 * Copyright 2005 Nokia. All rights reserved. |
| 113 * |
| 114 * The portions of the attached software ("Contribution") is developed by |
| 115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source |
| 116 * license. |
| 117 * |
| 118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of |
| 119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites |
| 120 * support (see RFC 4279) to OpenSSL. |
| 121 * |
| 122 * No patent licenses or other rights except those expressly stated in |
| 123 * the OpenSSL open source license shall be deemed granted or received |
| 124 * expressly, by implication, estoppel, or otherwise. |
| 125 * |
| 126 * No assurances are provided by Nokia that the Contribution does not |
| 127 * infringe the patent or other intellectual property rights of any third |
| 128 * party or that the license provides you with all the necessary rights |
| 129 * to make use of the Contribution. |
| 130 * |
| 131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN |
| 132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA |
| 133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY |
| 134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR |
| 135 * OTHERWISE. |
| 136 */ |
58 | 137 |
59 #include <stdio.h> | 138 #include <stdio.h> |
60 #include <openssl/lhash.h> | 139 #include <openssl/lhash.h> |
61 #include <openssl/rand.h> | 140 #include <openssl/rand.h> |
62 #ifndef OPENSSL_NO_ENGINE | 141 #ifndef OPENSSL_NO_ENGINE |
63 #include <openssl/engine.h> | 142 #include <openssl/engine.h> |
64 #endif | 143 #endif |
65 #include "ssl_locl.h" | 144 #include "ssl_locl.h" |
66 | 145 |
67 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); | 146 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); |
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
120 | 199 |
121 ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ | 200 ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ |
122 ss->references=1; | 201 ss->references=1; |
123 ss->timeout=60*5+4; /* 5 minute timeout by default */ | 202 ss->timeout=60*5+4; /* 5 minute timeout by default */ |
124 ss->time=(unsigned long)time(NULL); | 203 ss->time=(unsigned long)time(NULL); |
125 ss->prev=NULL; | 204 ss->prev=NULL; |
126 ss->next=NULL; | 205 ss->next=NULL; |
127 ss->compress_meth=0; | 206 ss->compress_meth=0; |
128 #ifndef OPENSSL_NO_TLSEXT | 207 #ifndef OPENSSL_NO_TLSEXT |
129 ss->tlsext_hostname = NULL; | 208 ss->tlsext_hostname = NULL; |
| 209 #ifndef OPENSSL_NO_EC |
| 210 ss->tlsext_ecpointformatlist_length = 0; |
| 211 ss->tlsext_ecpointformatlist = NULL; |
| 212 ss->tlsext_ellipticcurvelist_length = 0; |
| 213 ss->tlsext_ellipticcurvelist = NULL; |
| 214 #endif |
130 #endif | 215 #endif |
131 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); | 216 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); |
| 217 #ifndef OPENSSL_NO_PSK |
| 218 ss->psk_identity_hint=NULL; |
| 219 ss->psk_identity=NULL; |
| 220 #endif |
132 return(ss); | 221 return(ss); |
133 } | 222 } |
134 | 223 |
135 const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) | 224 const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) |
136 { | 225 { |
137 if(len) | 226 if(len) |
138 *len = s->session_id_length; | 227 *len = s->session_id_length; |
139 return s->session_id; | 228 return s->session_id; |
140 } | 229 } |
141 | 230 |
(...skipping 23 matching lines...) Expand all Loading... |
165 * but the probability of a collision is negligible, and | 254 * but the probability of a collision is negligible, and |
166 * we could not prevent the concurrent creation of sessions | 255 * we could not prevent the concurrent creation of sessions |
167 * with identical IDs since we currently don't have means | 256 * with identical IDs since we currently don't have means |
168 * to atomically check whether a session ID already exists | 257 * to atomically check whether a session ID already exists |
169 * and make a reservation for it if it does not | 258 * and make a reservation for it if it does not |
170 * (this problem applies to the internal cache as well). | 259 * (this problem applies to the internal cache as well). |
171 */ | 260 */ |
172 return 0; | 261 return 0; |
173 } | 262 } |
174 | 263 |
| 264 void SSL_set_session_creation_enabled (SSL *s, int creation_enabled) |
| 265 { |
| 266 s->session_creation_enabled = creation_enabled; |
| 267 } |
| 268 |
175 int ssl_get_new_session(SSL *s, int session) | 269 int ssl_get_new_session(SSL *s, int session) |
176 { | 270 { |
177 /* This gets used by clients and servers. */ | 271 /* This gets used by clients and servers. */ |
178 | 272 |
179 unsigned int tmp; | 273 unsigned int tmp; |
180 SSL_SESSION *ss=NULL; | 274 SSL_SESSION *ss=NULL; |
181 GEN_SESSION_CB cb = def_generate_session_id; | 275 GEN_SESSION_CB cb = def_generate_session_id; |
182 | 276 |
| 277 /* caller should check this if they can do better error handling */ |
| 278 if (!s->session_creation_enabled) return(0); |
183 if ((ss=SSL_SESSION_new()) == NULL) return(0); | 279 if ((ss=SSL_SESSION_new()) == NULL) return(0); |
184 | 280 |
185 /* If the context has a default timeout, use it */ | 281 /* If the context has a default timeout, use it */ |
186 » if (s->ctx->session_timeout == 0) | 282 » if (s->session_ctx->session_timeout == 0) |
187 ss->timeout=SSL_get_default_timeout(s); | 283 ss->timeout=SSL_get_default_timeout(s); |
188 else | 284 else |
189 » » ss->timeout=s->ctx->session_timeout; | 285 » » ss->timeout=s->session_ctx->session_timeout; |
190 | 286 |
191 if (s->session != NULL) | 287 if (s->session != NULL) |
192 { | 288 { |
193 SSL_SESSION_free(s->session); | 289 SSL_SESSION_free(s->session); |
194 s->session=NULL; | 290 s->session=NULL; |
195 } | 291 } |
196 | 292 |
197 if (session) | 293 if (session) |
198 { | 294 { |
199 if (s->version == SSL2_VERSION) | 295 if (s->version == SSL2_VERSION) |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
232 if (s->tlsext_ticket_expected) | 328 if (s->tlsext_ticket_expected) |
233 { | 329 { |
234 ss->session_id_length = 0; | 330 ss->session_id_length = 0; |
235 goto sess_id_done; | 331 goto sess_id_done; |
236 } | 332 } |
237 #endif | 333 #endif |
238 /* Choose which callback will set the session ID */ | 334 /* Choose which callback will set the session ID */ |
239 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); | 335 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); |
240 if(s->generate_session_id) | 336 if(s->generate_session_id) |
241 cb = s->generate_session_id; | 337 cb = s->generate_session_id; |
242 » » else if(s->ctx->generate_session_id) | 338 » » else if(s->session_ctx->generate_session_id) |
243 » » » cb = s->ctx->generate_session_id; | 339 » » » cb = s->session_ctx->generate_session_id; |
244 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); | 340 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); |
245 /* Choose a session ID */ | 341 /* Choose a session ID */ |
246 tmp = ss->session_id_length; | 342 tmp = ss->session_id_length; |
247 if(!cb(s, ss->session_id, &tmp)) | 343 if(!cb(s, ss->session_id, &tmp)) |
248 { | 344 { |
249 /* The callback failed */ | 345 /* The callback failed */ |
250 SSLerr(SSL_F_SSL_GET_NEW_SESSION, | 346 SSLerr(SSL_F_SSL_GET_NEW_SESSION, |
251 SSL_R_SSL_SESSION_ID_CALLBACK_FAILED); | 347 SSL_R_SSL_SESSION_ID_CALLBACK_FAILED); |
252 SSL_SESSION_free(ss); | 348 SSL_SESSION_free(ss); |
253 return(0); | 349 return(0); |
(...skipping 25 matching lines...) Expand all Loading... |
279 #ifndef OPENSSL_NO_TLSEXT | 375 #ifndef OPENSSL_NO_TLSEXT |
280 sess_id_done: | 376 sess_id_done: |
281 if (s->tlsext_hostname) { | 377 if (s->tlsext_hostname) { |
282 ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname); | 378 ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname); |
283 if (ss->tlsext_hostname == NULL) { | 379 if (ss->tlsext_hostname == NULL) { |
284 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL
_ERROR); | 380 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL
_ERROR); |
285 SSL_SESSION_free(ss); | 381 SSL_SESSION_free(ss); |
286 return 0; | 382 return 0; |
287 } | 383 } |
288 } | 384 } |
| 385 #ifndef OPENSSL_NO_EC |
| 386 if (s->tlsext_ecpointformatlist) |
| 387 { |
| 388 if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(s
s->tlsext_ecpointformatlist); |
| 389 if ((ss->tlsext_ecpointformatlist = OPENSSL_malloc(s->tl
sext_ecpointformatlist_length)) == NULL) |
| 390 { |
| 391 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_F
AILURE); |
| 392 SSL_SESSION_free(ss); |
| 393 return 0; |
| 394 } |
| 395 ss->tlsext_ecpointformatlist_length = s->tlsext_ecpointf
ormatlist_length; |
| 396 memcpy(ss->tlsext_ecpointformatlist, s->tlsext_ecpointfo
rmatlist, s->tlsext_ecpointformatlist_length); |
| 397 } |
| 398 if (s->tlsext_ellipticcurvelist) |
| 399 { |
| 400 if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s
s->tlsext_ellipticcurvelist); |
| 401 if ((ss->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tl
sext_ellipticcurvelist_length)) == NULL) |
| 402 { |
| 403 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_F
AILURE); |
| 404 SSL_SESSION_free(ss); |
| 405 return 0; |
| 406 } |
| 407 ss->tlsext_ellipticcurvelist_length = s->tlsext_elliptic
curvelist_length; |
| 408 memcpy(ss->tlsext_ellipticcurvelist, s->tlsext_ellipticc
urvelist, s->tlsext_ellipticcurvelist_length); |
| 409 } |
| 410 #endif |
289 #endif | 411 #endif |
290 } | 412 } |
291 else | 413 else |
292 { | 414 { |
293 ss->session_id_length=0; | 415 ss->session_id_length=0; |
294 } | 416 } |
295 | 417 |
296 if (s->sid_ctx_length > sizeof ss->sid_ctx) | 418 if (s->sid_ctx_length > sizeof ss->sid_ctx) |
297 { | 419 { |
298 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR); | 420 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR); |
(...skipping 12 matching lines...) Expand all Loading... |
311 int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, | 433 int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, |
312 const unsigned char *limit) | 434 const unsigned char *limit) |
313 { | 435 { |
314 /* This is used only by servers. */ | 436 /* This is used only by servers. */ |
315 | 437 |
316 SSL_SESSION *ret=NULL; | 438 SSL_SESSION *ret=NULL; |
317 int fatal = 0; | 439 int fatal = 0; |
318 #ifndef OPENSSL_NO_TLSEXT | 440 #ifndef OPENSSL_NO_TLSEXT |
319 int r; | 441 int r; |
320 #endif | 442 #endif |
321 | 443 |
322 if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) | 444 if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) |
323 goto err; | 445 goto err; |
324 #ifndef OPENSSL_NO_TLSEXT | 446 #ifndef OPENSSL_NO_TLSEXT |
325 » r = tls1_process_ticket(s, session_id, len, limit, &ret); | 447 » r = tls1_process_ticket(s, session_id, len, limit, &ret); |
326 if (r == -1) | 448 if (r == -1) |
327 { | 449 { |
328 fatal = 1; | 450 fatal = 1; |
329 » » goto err; | 451 » » goto err; |
330 } | 452 } |
331 else if (r == 0 || (!ret && !len)) | 453 else if (r == 0 || (!ret && !len)) |
332 goto err; | 454 goto err; |
333 else if (!ret && !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_N
O_INTERNAL_LOOKUP)) | 455 else if (!ret && !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_N
O_INTERNAL_LOOKUP)) |
334 #else | 456 #else |
335 if (len == 0) | 457 if (len == 0) |
336 goto err; | 458 goto err; |
337 » if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) | 459 » if (!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LO
OKUP)) |
338 #endif | 460 #endif |
339 { | 461 { |
340 SSL_SESSION data; | 462 SSL_SESSION data; |
341 data.ssl_version=s->version; | 463 data.ssl_version=s->version; |
342 data.session_id_length=len; | 464 data.session_id_length=len; |
343 if (len == 0) | 465 if (len == 0) |
344 return 0; | 466 return 0; |
345 » » memcpy(data.session_id,session_id,len); | 467 » » memcpy(data.session_id,session_id,len); |
346 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); | 468 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); |
347 » » ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,&data); | 469 » » ret=lh_SSL_SESSION_retrieve(s->session_ctx->sessions,&data); |
348 if (ret != NULL) | 470 if (ret != NULL) |
349 /* don't allow other threads to steal it: */ | 471 /* don't allow other threads to steal it: */ |
350 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION); | 472 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION); |
351 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); | 473 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); |
352 } | 474 } |
353 | 475 |
354 if (ret == NULL) | 476 if (ret == NULL) |
355 { | 477 { |
356 int copy=1; | 478 int copy=1; |
357 | 479 |
358 » » s->ctx->stats.sess_miss++; | 480 » » s->session_ctx->stats.sess_miss++; |
359 ret=NULL; | 481 ret=NULL; |
360 » » if (s->ctx->get_session_cb != NULL | 482 » » if (s->session_ctx->get_session_cb != NULL |
361 » » && (ret=s->ctx->get_session_cb(s,session_id,len,©)) | 483 » » && (ret=s->session_ctx->get_session_cb(s,session_id,len,&cop
y)) |
362 != NULL) | 484 != NULL) |
363 { | 485 { |
364 » » » s->ctx->stats.sess_cb_hit++; | 486 » » » s->session_ctx->stats.sess_cb_hit++; |
365 | 487 |
366 /* Increment reference count now if the session callback | 488 /* Increment reference count now if the session callback |
367 * asks us to do so (note that if the session structures | 489 * asks us to do so (note that if the session structures |
368 * returned by the callback are shared between threads, | 490 * returned by the callback are shared between threads, |
369 * it must handle the reference count itself [i.e. copy
== 0], | 491 * it must handle the reference count itself [i.e. copy
== 0], |
370 * or things won't be thread-safe). */ | 492 * or things won't be thread-safe). */ |
371 if (copy) | 493 if (copy) |
372 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SE
SSION); | 494 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SE
SSION); |
373 | 495 |
374 /* Add the externally cached session to the internal | 496 /* Add the externally cached session to the internal |
375 * cache as well if and only if we are supposed to. */ | 497 * cache as well if and only if we are supposed to. */ |
376 » » » if(!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTE
RNAL_STORE)) | 498 » » » if(!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE
_NO_INTERNAL_STORE)) |
377 /* The following should not return 1, otherwise, | 499 /* The following should not return 1, otherwise, |
378 * things are very strange */ | 500 * things are very strange */ |
379 » » » » SSL_CTX_add_session(s->ctx,ret); | 501 » » » » SSL_CTX_add_session(s->session_ctx,ret); |
380 } | 502 } |
381 if (ret == NULL) | 503 if (ret == NULL) |
382 goto err; | 504 goto err; |
383 } | 505 } |
384 | 506 |
385 /* Now ret is non-NULL, and we own one of its reference counts. */ | 507 /* Now ret is non-NULL, and we own one of its reference counts. */ |
386 | 508 |
387 if (ret->sid_ctx_length != s->sid_ctx_length | 509 if (ret->sid_ctx_length != s->sid_ctx_length |
388 || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length)) | 510 || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length)) |
389 { | 511 { |
(...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
436 | 558 |
437 /* If a thread got the session, then 'swaped', and another got | 559 /* If a thread got the session, then 'swaped', and another got |
438 * it and then due to a time-out decided to 'OPENSSL_free' it we could | 560 * it and then due to a time-out decided to 'OPENSSL_free' it we could |
439 * be in trouble. So I'll increment it now, then double decrement | 561 * be in trouble. So I'll increment it now, then double decrement |
440 * later - am I speaking rubbish?. */ | 562 * later - am I speaking rubbish?. */ |
441 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION); | 563 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION); |
442 #endif | 564 #endif |
443 | 565 |
444 if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */ | 566 if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */ |
445 { | 567 { |
446 » » s->ctx->stats.sess_timeout++; | 568 » » s->session_ctx->stats.sess_timeout++; |
447 /* remove it from the cache */ | 569 /* remove it from the cache */ |
448 » » SSL_CTX_remove_session(s->ctx,ret); | 570 » » SSL_CTX_remove_session(s->session_ctx,ret); |
449 goto err; | 571 goto err; |
450 } | 572 } |
451 | 573 |
452 » s->ctx->stats.sess_hit++; | 574 » s->session_ctx->stats.sess_hit++; |
453 | 575 |
454 /* ret->time=time(NULL); */ /* rezero timeout? */ | 576 /* ret->time=time(NULL); */ /* rezero timeout? */ |
455 /* again, just leave the session | 577 /* again, just leave the session |
456 * if it is the same session, we have just incremented and | 578 * if it is the same session, we have just incremented and |
457 * then decremented the reference count :-) */ | 579 * then decremented the reference count :-) */ |
458 if (s->session != NULL) | 580 if (s->session != NULL) |
459 SSL_SESSION_free(s->session); | 581 SSL_SESSION_free(s->session); |
460 s->session=ret; | 582 s->session=ret; |
461 s->verify_result = s->session->verify_result; | 583 s->verify_result = s->session->verify_result; |
462 return(1); | 584 return(1); |
(...skipping 12 matching lines...) Expand all Loading... |
475 int ret=0; | 597 int ret=0; |
476 SSL_SESSION *s; | 598 SSL_SESSION *s; |
477 | 599 |
478 /* add just 1 reference count for the SSL_CTX's session cache | 600 /* add just 1 reference count for the SSL_CTX's session cache |
479 * even though it has two ways of access: each session is in a | 601 * even though it has two ways of access: each session is in a |
480 * doubly linked list and an lhash */ | 602 * doubly linked list and an lhash */ |
481 CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION); | 603 CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION); |
482 /* if session c is in already in cache, we take back the increment later
*/ | 604 /* if session c is in already in cache, we take back the increment later
*/ |
483 | 605 |
484 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); | 606 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); |
485 » s=(SSL_SESSION *)lh_insert(ctx->sessions,c); | 607 » s=lh_SSL_SESSION_insert(ctx->sessions,c); |
486 | 608 |
487 /* s != NULL iff we already had a session with the given PID. | 609 /* s != NULL iff we already had a session with the given PID. |
488 * In this case, s == c should hold (then we did not really modify | 610 * In this case, s == c should hold (then we did not really modify |
489 * ctx->sessions), or we're in trouble. */ | 611 * ctx->sessions), or we're in trouble. */ |
490 if (s != NULL && s != c) | 612 if (s != NULL && s != c) |
491 { | 613 { |
492 /* We *are* in trouble ... */ | 614 /* We *are* in trouble ... */ |
493 SSL_SESSION_list_remove(ctx,s); | 615 SSL_SESSION_list_remove(ctx,s); |
494 SSL_SESSION_free(s); | 616 SSL_SESSION_free(s); |
495 /* ... so pretend the other session did not exist in cache | 617 /* ... so pretend the other session did not exist in cache |
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
541 } | 663 } |
542 | 664 |
543 static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) | 665 static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) |
544 { | 666 { |
545 SSL_SESSION *r; | 667 SSL_SESSION *r; |
546 int ret=0; | 668 int ret=0; |
547 | 669 |
548 if ((c != NULL) && (c->session_id_length != 0)) | 670 if ((c != NULL) && (c->session_id_length != 0)) |
549 { | 671 { |
550 if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); | 672 if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); |
551 » » if ((r = (SSL_SESSION *)lh_retrieve(ctx->sessions,c)) == c) | 673 » » if ((r = lh_SSL_SESSION_retrieve(ctx->sessions,c)) == c) |
552 { | 674 { |
553 ret=1; | 675 ret=1; |
554 » » » r=(SSL_SESSION *)lh_delete(ctx->sessions,c); | 676 » » » r=lh_SSL_SESSION_delete(ctx->sessions,c); |
555 SSL_SESSION_list_remove(ctx,c); | 677 SSL_SESSION_list_remove(ctx,c); |
556 } | 678 } |
557 | 679 |
558 if(lck) CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); | 680 if(lck) CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); |
559 | 681 |
560 if (ret) | 682 if (ret) |
561 { | 683 { |
562 r->not_resumable=1; | 684 r->not_resumable=1; |
563 if (ctx->remove_session_cb != NULL) | 685 if (ctx->remove_session_cb != NULL) |
564 ctx->remove_session_cb(ctx,r); | 686 ctx->remove_session_cb(ctx,r); |
(...skipping 29 matching lines...) Expand all Loading... |
594 | 716 |
595 OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg); | 717 OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg); |
596 OPENSSL_cleanse(ss->master_key,sizeof ss->master_key); | 718 OPENSSL_cleanse(ss->master_key,sizeof ss->master_key); |
597 OPENSSL_cleanse(ss->session_id,sizeof ss->session_id); | 719 OPENSSL_cleanse(ss->session_id,sizeof ss->session_id); |
598 if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert); | 720 if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert); |
599 if (ss->peer != NULL) X509_free(ss->peer); | 721 if (ss->peer != NULL) X509_free(ss->peer); |
600 if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers); | 722 if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers); |
601 #ifndef OPENSSL_NO_TLSEXT | 723 #ifndef OPENSSL_NO_TLSEXT |
602 if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname); | 724 if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname); |
603 if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick); | 725 if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick); |
| 726 #ifndef OPENSSL_NO_EC |
| 727 ss->tlsext_ecpointformatlist_length = 0; |
| 728 if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpoin
tformatlist); |
| 729 ss->tlsext_ellipticcurvelist_length = 0; |
| 730 if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipt
iccurvelist); |
| 731 #endif /* OPENSSL_NO_EC */ |
| 732 #endif |
| 733 #ifndef OPENSSL_NO_PSK |
| 734 if (ss->psk_identity_hint != NULL) |
| 735 OPENSSL_free(ss->psk_identity_hint); |
| 736 if (ss->psk_identity != NULL) |
| 737 OPENSSL_free(ss->psk_identity); |
604 #endif | 738 #endif |
605 OPENSSL_cleanse(ss,sizeof(*ss)); | 739 OPENSSL_cleanse(ss,sizeof(*ss)); |
606 OPENSSL_free(ss); | 740 OPENSSL_free(ss); |
607 } | 741 } |
608 | 742 |
609 int SSL_set_session(SSL *s, SSL_SESSION *session) | 743 int SSL_set_session(SSL *s, SSL_SESSION *session) |
610 { | 744 { |
611 int ret=0; | 745 int ret=0; |
612 » SSL_METHOD *meth; | 746 » const SSL_METHOD *meth; |
613 | 747 |
614 if (session != NULL) | 748 if (session != NULL) |
615 { | 749 { |
616 meth=s->ctx->method->get_ssl_method(session->ssl_version); | 750 meth=s->ctx->method->get_ssl_method(session->ssl_version); |
617 if (meth == NULL) | 751 if (meth == NULL) |
618 meth=s->method->get_ssl_method(session->ssl_version); | 752 meth=s->method->get_ssl_method(session->ssl_version); |
619 if (meth == NULL) | 753 if (meth == NULL) |
620 { | 754 { |
621 SSLerr(SSL_F_SSL_SET_SESSION,SSL_R_UNABLE_TO_FIND_SSL_ME
THOD); | 755 SSLerr(SSL_F_SSL_SET_SESSION,SSL_R_UNABLE_TO_FIND_SSL_ME
THOD); |
622 return(0); | 756 return(0); |
(...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
705 s->session_timeout=t; | 839 s->session_timeout=t; |
706 return(l); | 840 return(l); |
707 } | 841 } |
708 | 842 |
709 long SSL_CTX_get_timeout(const SSL_CTX *s) | 843 long SSL_CTX_get_timeout(const SSL_CTX *s) |
710 { | 844 { |
711 if (s == NULL) return(0); | 845 if (s == NULL) return(0); |
712 return(s->session_timeout); | 846 return(s->session_timeout); |
713 } | 847 } |
714 | 848 |
| 849 #ifndef OPENSSL_NO_TLSEXT |
| 850 int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void
*secret, int *secret_len, |
| 851 STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), voi
d *arg) |
| 852 { |
| 853 if (s == NULL) return(0); |
| 854 s->tls_session_secret_cb = tls_session_secret_cb; |
| 855 s->tls_session_secret_cb_arg = arg; |
| 856 return(1); |
| 857 } |
| 858 |
| 859 int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, |
| 860 void *arg) |
| 861 { |
| 862 if (s == NULL) return(0); |
| 863 s->tls_session_ticket_ext_cb = cb; |
| 864 s->tls_session_ticket_ext_cb_arg = arg; |
| 865 return(1); |
| 866 } |
| 867 |
| 868 int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) |
| 869 { |
| 870 if (s->version >= TLS1_VERSION) |
| 871 { |
| 872 if (s->tlsext_session_ticket) |
| 873 { |
| 874 OPENSSL_free(s->tlsext_session_ticket); |
| 875 s->tlsext_session_ticket = NULL; |
| 876 } |
| 877 |
| 878 s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TIC
KET_EXT) + ext_len); |
| 879 if (!s->tlsext_session_ticket) |
| 880 { |
| 881 SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FA
ILURE); |
| 882 return 0; |
| 883 } |
| 884 |
| 885 if (ext_data) |
| 886 { |
| 887 s->tlsext_session_ticket->length = ext_len; |
| 888 s->tlsext_session_ticket->data = s->tlsext_session_ticke
t + 1; |
| 889 memcpy(s->tlsext_session_ticket->data, ext_data, ext_len
); |
| 890 } |
| 891 else |
| 892 { |
| 893 s->tlsext_session_ticket->length = 0; |
| 894 s->tlsext_session_ticket->data = NULL; |
| 895 } |
| 896 |
| 897 return 1; |
| 898 } |
| 899 |
| 900 return 0; |
| 901 } |
| 902 #endif /* OPENSSL_NO_TLSEXT */ |
| 903 |
715 typedef struct timeout_param_st | 904 typedef struct timeout_param_st |
716 { | 905 { |
717 SSL_CTX *ctx; | 906 SSL_CTX *ctx; |
718 long time; | 907 long time; |
719 » LHASH *cache; | 908 » LHASH_OF(SSL_SESSION) *cache; |
720 } TIMEOUT_PARAM; | 909 } TIMEOUT_PARAM; |
721 | 910 |
722 static void timeout(SSL_SESSION *s, TIMEOUT_PARAM *p) | 911 static void timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p) |
723 { | 912 { |
724 if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */ | 913 if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */ |
725 { | 914 { |
726 /* The reason we don't call SSL_CTX_remove_session() is to | 915 /* The reason we don't call SSL_CTX_remove_session() is to |
727 * save on locking overhead */ | 916 * save on locking overhead */ |
728 » » lh_delete(p->cache,s); | 917 » » (void)lh_SSL_SESSION_delete(p->cache,s); |
729 SSL_SESSION_list_remove(p->ctx,s); | 918 SSL_SESSION_list_remove(p->ctx,s); |
730 s->not_resumable=1; | 919 s->not_resumable=1; |
731 if (p->ctx->remove_session_cb != NULL) | 920 if (p->ctx->remove_session_cb != NULL) |
732 p->ctx->remove_session_cb(p->ctx,s); | 921 p->ctx->remove_session_cb(p->ctx,s); |
733 SSL_SESSION_free(s); | 922 SSL_SESSION_free(s); |
734 } | 923 } |
735 } | 924 } |
736 | 925 |
737 static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION *, TIMEOUT_PARAM *) | 926 static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION, TIMEOUT_PARAM) |
738 | 927 |
739 void SSL_CTX_flush_sessions(SSL_CTX *s, long t) | 928 void SSL_CTX_flush_sessions(SSL_CTX *s, long t) |
740 { | 929 { |
741 unsigned long i; | 930 unsigned long i; |
742 TIMEOUT_PARAM tp; | 931 TIMEOUT_PARAM tp; |
743 | 932 |
744 tp.ctx=s; | 933 tp.ctx=s; |
745 tp.cache=s->sessions; | 934 tp.cache=s->sessions; |
746 if (tp.cache == NULL) return; | 935 if (tp.cache == NULL) return; |
747 tp.time=t; | 936 tp.time=t; |
748 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); | 937 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); |
749 » i=tp.cache->down_load; | 938 » i=CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load; |
750 » tp.cache->down_load=0; | 939 » CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=0; |
751 » lh_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout), &tp); | 940 » lh_SSL_SESSION_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout), |
752 » tp.cache->down_load=i; | 941 » » » » TIMEOUT_PARAM, &tp); |
| 942 » CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=i; |
753 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); | 943 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); |
754 } | 944 } |
755 | 945 |
756 int ssl_clear_bad_session(SSL *s) | 946 int ssl_clear_bad_session(SSL *s) |
757 { | 947 { |
758 if ( (s->session != NULL) && | 948 if ( (s->session != NULL) && |
759 !(s->shutdown & SSL_SENT_SHUTDOWN) && | 949 !(s->shutdown & SSL_SENT_SHUTDOWN) && |
760 !(SSL_in_init(s) || SSL_in_before(s))) | 950 !(SSL_in_init(s) || SSL_in_before(s))) |
761 { | 951 { |
762 SSL_CTX_remove_session(s->ctx,s->session); | 952 SSL_CTX_remove_session(s->ctx,s->session); |
(...skipping 139 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
902 { | 1092 { |
903 ctx->app_gen_cookie_cb=cb; | 1093 ctx->app_gen_cookie_cb=cb; |
904 } | 1094 } |
905 | 1095 |
906 void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, | 1096 void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, |
907 int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)) | 1097 int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)) |
908 { | 1098 { |
909 ctx->app_verify_cookie_cb=cb; | 1099 ctx->app_verify_cookie_cb=cb; |
910 } | 1100 } |
911 | 1101 |
| 1102 IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION) |
OLD | NEW |