| OLD | NEW |
|---|
| 1 /* ssl/ssl_sess.c */ | 1 /* ssl/ssl_sess.c */ |
| 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 * All rights reserved. | 3 * All rights reserved. |
| 4 * | 4 * |
| 5 * This package is an SSL implementation written | 5 * This package is an SSL implementation written |
| 6 * by Eric Young (eay@cryptsoft.com). | 6 * by Eric Young (eay@cryptsoft.com). |
| 7 * The implementation was written so as to conform with Netscapes SSL. | 7 * The implementation was written so as to conform with Netscapes SSL. |
| 8 * | 8 * |
| 9 * This library is free for commercial and non-commercial use as long as | 9 * This library is free for commercial and non-commercial use as long as |
| 10 * the following conditions are aheared to. The following conditions | 10 * the following conditions are aheared to. The following conditions |
| (...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 51 * SUCH DAMAGE. | 51 * SUCH DAMAGE. |
| 52 * | 52 * |
| 53 * The licence and distribution terms for any publically available version or | 53 * The licence and distribution terms for any publically available version or |
| 54 * derivative of this code cannot be changed. i.e. this code cannot simply be | 54 * derivative of this code cannot be changed. i.e. this code cannot simply be |
| 55 * copied and put under another distribution licence | 55 * copied and put under another distribution licence |
| 56 * [including the GNU Public Licence.] | 56 * [including the GNU Public Licence.] |
| 57 */ | 57 */ |
| 58 /* ==================================================================== |
| 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. |
| 60 * |
| 61 * Redistribution and use in source and binary forms, with or without |
| 62 * modification, are permitted provided that the following conditions |
| 63 * are met: |
| 64 * |
| 65 * 1. Redistributions of source code must retain the above copyright |
| 66 * notice, this list of conditions and the following disclaimer. |
| 67 * |
| 68 * 2. Redistributions in binary form must reproduce the above copyright |
| 69 * notice, this list of conditions and the following disclaimer in |
| 70 * the documentation and/or other materials provided with the |
| 71 * distribution. |
| 72 * |
| 73 * 3. All advertising materials mentioning features or use of this |
| 74 * software must display the following acknowledgment: |
| 75 * "This product includes software developed by the OpenSSL Project |
| 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
| 77 * |
| 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
| 79 * endorse or promote products derived from this software without |
| 80 * prior written permission. For written permission, please contact |
| 81 * openssl-core@openssl.org. |
| 82 * |
| 83 * 5. Products derived from this software may not be called "OpenSSL" |
| 84 * nor may "OpenSSL" appear in their names without prior written |
| 85 * permission of the OpenSSL Project. |
| 86 * |
| 87 * 6. Redistributions of any form whatsoever must retain the following |
| 88 * acknowledgment: |
| 89 * "This product includes software developed by the OpenSSL Project |
| 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
| 91 * |
| 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
| 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
| 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
| 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
| 103 * OF THE POSSIBILITY OF SUCH DAMAGE. |
| 104 * ==================================================================== |
| 105 * |
| 106 * This product includes cryptographic software written by Eric Young |
| 107 * (eay@cryptsoft.com). This product includes software written by Tim |
| 108 * Hudson (tjh@cryptsoft.com). |
| 109 * |
| 110 */ |
| 111 /* ==================================================================== |
| 112 * Copyright 2005 Nokia. All rights reserved. |
| 113 * |
| 114 * The portions of the attached software ("Contribution") is developed by |
| 115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source |
| 116 * license. |
| 117 * |
| 118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of |
| 119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites |
| 120 * support (see RFC 4279) to OpenSSL. |
| 121 * |
| 122 * No patent licenses or other rights except those expressly stated in |
| 123 * the OpenSSL open source license shall be deemed granted or received |
| 124 * expressly, by implication, estoppel, or otherwise. |
| 125 * |
| 126 * No assurances are provided by Nokia that the Contribution does not |
| 127 * infringe the patent or other intellectual property rights of any third |
| 128 * party or that the license provides you with all the necessary rights |
| 129 * to make use of the Contribution. |
| 130 * |
| 131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN |
| 132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA |
| 133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY |
| 134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR |
| 135 * OTHERWISE. |
| 136 */ |
| 58 | 137 |
| 59 #include <stdio.h> | 138 #include <stdio.h> |
| 60 #include <openssl/lhash.h> | 139 #include <openssl/lhash.h> |
| 61 #include <openssl/rand.h> | 140 #include <openssl/rand.h> |
| 62 #ifndef OPENSSL_NO_ENGINE | 141 #ifndef OPENSSL_NO_ENGINE |
| 63 #include <openssl/engine.h> | 142 #include <openssl/engine.h> |
| 64 #endif | 143 #endif |
| 65 #include "ssl_locl.h" | 144 #include "ssl_locl.h" |
| 66 | 145 |
| 67 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); | 146 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 120 | 199 |
| 121 ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ | 200 ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ |
| 122 ss->references=1; | 201 ss->references=1; |
| 123 ss->timeout=60*5+4; /* 5 minute timeout by default */ | 202 ss->timeout=60*5+4; /* 5 minute timeout by default */ |
| 124 ss->time=(unsigned long)time(NULL); | 203 ss->time=(unsigned long)time(NULL); |
| 125 ss->prev=NULL; | 204 ss->prev=NULL; |
| 126 ss->next=NULL; | 205 ss->next=NULL; |
| 127 ss->compress_meth=0; | 206 ss->compress_meth=0; |
| 128 #ifndef OPENSSL_NO_TLSEXT | 207 #ifndef OPENSSL_NO_TLSEXT |
| 129 ss->tlsext_hostname = NULL; | 208 ss->tlsext_hostname = NULL; |
| 209 #ifndef OPENSSL_NO_EC |
| 210 ss->tlsext_ecpointformatlist_length = 0; |
| 211 ss->tlsext_ecpointformatlist = NULL; |
| 212 ss->tlsext_ellipticcurvelist_length = 0; |
| 213 ss->tlsext_ellipticcurvelist = NULL; |
| 214 #endif |
| 130 #endif | 215 #endif |
| 131 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); | 216 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); |
| 217 #ifndef OPENSSL_NO_PSK |
| 218 ss->psk_identity_hint=NULL; |
| 219 ss->psk_identity=NULL; |
| 220 #endif |
| 132 return(ss); | 221 return(ss); |
| 133 } | 222 } |
| 134 | 223 |
| 135 const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) | 224 const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) |
| 136 { | 225 { |
| 137 if(len) | 226 if(len) |
| 138 *len = s->session_id_length; | 227 *len = s->session_id_length; |
| 139 return s->session_id; | 228 return s->session_id; |
| 140 } | 229 } |
| 141 | 230 |
| (...skipping 23 matching lines...) Expand all Loading... |
| 165 * but the probability of a collision is negligible, and | 254 * but the probability of a collision is negligible, and |
| 166 * we could not prevent the concurrent creation of sessions | 255 * we could not prevent the concurrent creation of sessions |
| 167 * with identical IDs since we currently don't have means | 256 * with identical IDs since we currently don't have means |
| 168 * to atomically check whether a session ID already exists | 257 * to atomically check whether a session ID already exists |
| 169 * and make a reservation for it if it does not | 258 * and make a reservation for it if it does not |
| 170 * (this problem applies to the internal cache as well). | 259 * (this problem applies to the internal cache as well). |
| 171 */ | 260 */ |
| 172 return 0; | 261 return 0; |
| 173 } | 262 } |
| 174 | 263 |
| 264 void SSL_set_session_creation_enabled (SSL *s, int creation_enabled) |
| 265 { |
| 266 s->session_creation_enabled = creation_enabled; |
| 267 } |
| 268 |
| 175 int ssl_get_new_session(SSL *s, int session) | 269 int ssl_get_new_session(SSL *s, int session) |
| 176 { | 270 { |
| 177 /* This gets used by clients and servers. */ | 271 /* This gets used by clients and servers. */ |
| 178 | 272 |
| 179 unsigned int tmp; | 273 unsigned int tmp; |
| 180 SSL_SESSION *ss=NULL; | 274 SSL_SESSION *ss=NULL; |
| 181 GEN_SESSION_CB cb = def_generate_session_id; | 275 GEN_SESSION_CB cb = def_generate_session_id; |
| 182 | 276 |
| 277 /* caller should check this if they can do better error handling */ |
| 278 if (!s->session_creation_enabled) return(0); |
| 183 if ((ss=SSL_SESSION_new()) == NULL) return(0); | 279 if ((ss=SSL_SESSION_new()) == NULL) return(0); |
| 184 | 280 |
| 185 /* If the context has a default timeout, use it */ | 281 /* If the context has a default timeout, use it */ |
| 186 » if (s->ctx->session_timeout == 0) | 282 » if (s->session_ctx->session_timeout == 0) |
| 187 ss->timeout=SSL_get_default_timeout(s); | 283 ss->timeout=SSL_get_default_timeout(s); |
| 188 else | 284 else |
| 189 » » ss->timeout=s->ctx->session_timeout; | 285 » » ss->timeout=s->session_ctx->session_timeout; |
| 190 | 286 |
| 191 if (s->session != NULL) | 287 if (s->session != NULL) |
| 192 { | 288 { |
| 193 SSL_SESSION_free(s->session); | 289 SSL_SESSION_free(s->session); |
| 194 s->session=NULL; | 290 s->session=NULL; |
| 195 } | 291 } |
| 196 | 292 |
| 197 if (session) | 293 if (session) |
| 198 { | 294 { |
| 199 if (s->version == SSL2_VERSION) | 295 if (s->version == SSL2_VERSION) |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 232 if (s->tlsext_ticket_expected) | 328 if (s->tlsext_ticket_expected) |
| 233 { | 329 { |
| 234 ss->session_id_length = 0; | 330 ss->session_id_length = 0; |
| 235 goto sess_id_done; | 331 goto sess_id_done; |
| 236 } | 332 } |
| 237 #endif | 333 #endif |
| 238 /* Choose which callback will set the session ID */ | 334 /* Choose which callback will set the session ID */ |
| 239 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); | 335 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); |
| 240 if(s->generate_session_id) | 336 if(s->generate_session_id) |
| 241 cb = s->generate_session_id; | 337 cb = s->generate_session_id; |
| 242 » » else if(s->ctx->generate_session_id) | 338 » » else if(s->session_ctx->generate_session_id) |
| 243 » » » cb = s->ctx->generate_session_id; | 339 » » » cb = s->session_ctx->generate_session_id; |
| 244 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); | 340 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); |
| 245 /* Choose a session ID */ | 341 /* Choose a session ID */ |
| 246 tmp = ss->session_id_length; | 342 tmp = ss->session_id_length; |
| 247 if(!cb(s, ss->session_id, &tmp)) | 343 if(!cb(s, ss->session_id, &tmp)) |
| 248 { | 344 { |
| 249 /* The callback failed */ | 345 /* The callback failed */ |
| 250 SSLerr(SSL_F_SSL_GET_NEW_SESSION, | 346 SSLerr(SSL_F_SSL_GET_NEW_SESSION, |
| 251 SSL_R_SSL_SESSION_ID_CALLBACK_FAILED); | 347 SSL_R_SSL_SESSION_ID_CALLBACK_FAILED); |
| 252 SSL_SESSION_free(ss); | 348 SSL_SESSION_free(ss); |
| 253 return(0); | 349 return(0); |
| (...skipping 25 matching lines...) Expand all Loading... |
| 279 #ifndef OPENSSL_NO_TLSEXT | 375 #ifndef OPENSSL_NO_TLSEXT |
| 280 sess_id_done: | 376 sess_id_done: |
| 281 if (s->tlsext_hostname) { | 377 if (s->tlsext_hostname) { |
| 282 ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname); | 378 ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname); |
| 283 if (ss->tlsext_hostname == NULL) { | 379 if (ss->tlsext_hostname == NULL) { |
| 284 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL
_ERROR); | 380 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL
_ERROR); |
| 285 SSL_SESSION_free(ss); | 381 SSL_SESSION_free(ss); |
| 286 return 0; | 382 return 0; |
| 287 } | 383 } |
| 288 } | 384 } |
| 385 #ifndef OPENSSL_NO_EC |
| 386 if (s->tlsext_ecpointformatlist) |
| 387 { |
| 388 if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(s
s->tlsext_ecpointformatlist); |
| 389 if ((ss->tlsext_ecpointformatlist = OPENSSL_malloc(s->tl
sext_ecpointformatlist_length)) == NULL) |
| 390 { |
| 391 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_F
AILURE); |
| 392 SSL_SESSION_free(ss); |
| 393 return 0; |
| 394 } |
| 395 ss->tlsext_ecpointformatlist_length = s->tlsext_ecpointf
ormatlist_length; |
| 396 memcpy(ss->tlsext_ecpointformatlist, s->tlsext_ecpointfo
rmatlist, s->tlsext_ecpointformatlist_length); |
| 397 } |
| 398 if (s->tlsext_ellipticcurvelist) |
| 399 { |
| 400 if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s
s->tlsext_ellipticcurvelist); |
| 401 if ((ss->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tl
sext_ellipticcurvelist_length)) == NULL) |
| 402 { |
| 403 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_F
AILURE); |
| 404 SSL_SESSION_free(ss); |
| 405 return 0; |
| 406 } |
| 407 ss->tlsext_ellipticcurvelist_length = s->tlsext_elliptic
curvelist_length; |
| 408 memcpy(ss->tlsext_ellipticcurvelist, s->tlsext_ellipticc
urvelist, s->tlsext_ellipticcurvelist_length); |
| 409 } |
| 410 #endif |
| 289 #endif | 411 #endif |
| 290 } | 412 } |
| 291 else | 413 else |
| 292 { | 414 { |
| 293 ss->session_id_length=0; | 415 ss->session_id_length=0; |
| 294 } | 416 } |
| 295 | 417 |
| 296 if (s->sid_ctx_length > sizeof ss->sid_ctx) | 418 if (s->sid_ctx_length > sizeof ss->sid_ctx) |
| 297 { | 419 { |
| 298 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR); | 420 SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR); |
| (...skipping 12 matching lines...) Expand all Loading... |
| 311 int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, | 433 int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, |
| 312 const unsigned char *limit) | 434 const unsigned char *limit) |
| 313 { | 435 { |
| 314 /* This is used only by servers. */ | 436 /* This is used only by servers. */ |
| 315 | 437 |
| 316 SSL_SESSION *ret=NULL; | 438 SSL_SESSION *ret=NULL; |
| 317 int fatal = 0; | 439 int fatal = 0; |
| 318 #ifndef OPENSSL_NO_TLSEXT | 440 #ifndef OPENSSL_NO_TLSEXT |
| 319 int r; | 441 int r; |
| 320 #endif | 442 #endif |
| 321 | 443 |
| 322 if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) | 444 if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) |
| 323 goto err; | 445 goto err; |
| 324 #ifndef OPENSSL_NO_TLSEXT | 446 #ifndef OPENSSL_NO_TLSEXT |
| 325 » r = tls1_process_ticket(s, session_id, len, limit, &ret); | 447 » r = tls1_process_ticket(s, session_id, len, limit, &ret); |
| 326 if (r == -1) | 448 if (r == -1) |
| 327 { | 449 { |
| 328 fatal = 1; | 450 fatal = 1; |
| 329 » » goto err; | 451 » » goto err; |
| 330 } | 452 } |
| 331 else if (r == 0 || (!ret && !len)) | 453 else if (r == 0 || (!ret && !len)) |
| 332 goto err; | 454 goto err; |
| 333 else if (!ret && !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_N
O_INTERNAL_LOOKUP)) | 455 else if (!ret && !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_N
O_INTERNAL_LOOKUP)) |
| 334 #else | 456 #else |
| 335 if (len == 0) | 457 if (len == 0) |
| 336 goto err; | 458 goto err; |
| 337 » if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) | 459 » if (!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LO
OKUP)) |
| 338 #endif | 460 #endif |
| 339 { | 461 { |
| 340 SSL_SESSION data; | 462 SSL_SESSION data; |
| 341 data.ssl_version=s->version; | 463 data.ssl_version=s->version; |
| 342 data.session_id_length=len; | 464 data.session_id_length=len; |
| 343 if (len == 0) | 465 if (len == 0) |
| 344 return 0; | 466 return 0; |
| 345 » » memcpy(data.session_id,session_id,len); | 467 » » memcpy(data.session_id,session_id,len); |
| 346 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); | 468 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); |
| 347 » » ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,&data); | 469 » » ret=lh_SSL_SESSION_retrieve(s->session_ctx->sessions,&data); |
| 348 if (ret != NULL) | 470 if (ret != NULL) |
| 349 /* don't allow other threads to steal it: */ | 471 /* don't allow other threads to steal it: */ |
| 350 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION); | 472 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION); |
| 351 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); | 473 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); |
| 352 } | 474 } |
| 353 | 475 |
| 354 if (ret == NULL) | 476 if (ret == NULL) |
| 355 { | 477 { |
| 356 int copy=1; | 478 int copy=1; |
| 357 | 479 |
| 358 » » s->ctx->stats.sess_miss++; | 480 » » s->session_ctx->stats.sess_miss++; |
| 359 ret=NULL; | 481 ret=NULL; |
| 360 » » if (s->ctx->get_session_cb != NULL | 482 » » if (s->session_ctx->get_session_cb != NULL |
| 361 » » && (ret=s->ctx->get_session_cb(s,session_id,len,©)) | 483 » » && (ret=s->session_ctx->get_session_cb(s,session_id,len,&cop
y)) |
| 362 != NULL) | 484 != NULL) |
| 363 { | 485 { |
| 364 » » » s->ctx->stats.sess_cb_hit++; | 486 » » » s->session_ctx->stats.sess_cb_hit++; |
| 365 | 487 |
| 366 /* Increment reference count now if the session callback | 488 /* Increment reference count now if the session callback |
| 367 * asks us to do so (note that if the session structures | 489 * asks us to do so (note that if the session structures |
| 368 * returned by the callback are shared between threads, | 490 * returned by the callback are shared between threads, |
| 369 * it must handle the reference count itself [i.e. copy
== 0], | 491 * it must handle the reference count itself [i.e. copy
== 0], |
| 370 * or things won't be thread-safe). */ | 492 * or things won't be thread-safe). */ |
| 371 if (copy) | 493 if (copy) |
| 372 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SE
SSION); | 494 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SE
SSION); |
| 373 | 495 |
| 374 /* Add the externally cached session to the internal | 496 /* Add the externally cached session to the internal |
| 375 * cache as well if and only if we are supposed to. */ | 497 * cache as well if and only if we are supposed to. */ |
| 376 » » » if(!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTE
RNAL_STORE)) | 498 » » » if(!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE
_NO_INTERNAL_STORE)) |
| 377 /* The following should not return 1, otherwise, | 499 /* The following should not return 1, otherwise, |
| 378 * things are very strange */ | 500 * things are very strange */ |
| 379 » » » » SSL_CTX_add_session(s->ctx,ret); | 501 » » » » SSL_CTX_add_session(s->session_ctx,ret); |
| 380 } | 502 } |
| 381 if (ret == NULL) | 503 if (ret == NULL) |
| 382 goto err; | 504 goto err; |
| 383 } | 505 } |
| 384 | 506 |
| 385 /* Now ret is non-NULL, and we own one of its reference counts. */ | 507 /* Now ret is non-NULL, and we own one of its reference counts. */ |
| 386 | 508 |
| 387 if (ret->sid_ctx_length != s->sid_ctx_length | 509 if (ret->sid_ctx_length != s->sid_ctx_length |
| 388 || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length)) | 510 || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length)) |
| 389 { | 511 { |
| (...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 436 | 558 |
| 437 /* If a thread got the session, then 'swaped', and another got | 559 /* If a thread got the session, then 'swaped', and another got |
| 438 * it and then due to a time-out decided to 'OPENSSL_free' it we could | 560 * it and then due to a time-out decided to 'OPENSSL_free' it we could |
| 439 * be in trouble. So I'll increment it now, then double decrement | 561 * be in trouble. So I'll increment it now, then double decrement |
| 440 * later - am I speaking rubbish?. */ | 562 * later - am I speaking rubbish?. */ |
| 441 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION); | 563 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION); |
| 442 #endif | 564 #endif |
| 443 | 565 |
| 444 if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */ | 566 if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */ |
| 445 { | 567 { |
| 446 » » s->ctx->stats.sess_timeout++; | 568 » » s->session_ctx->stats.sess_timeout++; |
| 447 /* remove it from the cache */ | 569 /* remove it from the cache */ |
| 448 » » SSL_CTX_remove_session(s->ctx,ret); | 570 » » SSL_CTX_remove_session(s->session_ctx,ret); |
| 449 goto err; | 571 goto err; |
| 450 } | 572 } |
| 451 | 573 |
| 452 » s->ctx->stats.sess_hit++; | 574 » s->session_ctx->stats.sess_hit++; |
| 453 | 575 |
| 454 /* ret->time=time(NULL); */ /* rezero timeout? */ | 576 /* ret->time=time(NULL); */ /* rezero timeout? */ |
| 455 /* again, just leave the session | 577 /* again, just leave the session |
| 456 * if it is the same session, we have just incremented and | 578 * if it is the same session, we have just incremented and |
| 457 * then decremented the reference count :-) */ | 579 * then decremented the reference count :-) */ |
| 458 if (s->session != NULL) | 580 if (s->session != NULL) |
| 459 SSL_SESSION_free(s->session); | 581 SSL_SESSION_free(s->session); |
| 460 s->session=ret; | 582 s->session=ret; |
| 461 s->verify_result = s->session->verify_result; | 583 s->verify_result = s->session->verify_result; |
| 462 return(1); | 584 return(1); |
| (...skipping 12 matching lines...) Expand all Loading... |
| 475 int ret=0; | 597 int ret=0; |
| 476 SSL_SESSION *s; | 598 SSL_SESSION *s; |
| 477 | 599 |
| 478 /* add just 1 reference count for the SSL_CTX's session cache | 600 /* add just 1 reference count for the SSL_CTX's session cache |
| 479 * even though it has two ways of access: each session is in a | 601 * even though it has two ways of access: each session is in a |
| 480 * doubly linked list and an lhash */ | 602 * doubly linked list and an lhash */ |
| 481 CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION); | 603 CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION); |
| 482 /* if session c is in already in cache, we take back the increment later
*/ | 604 /* if session c is in already in cache, we take back the increment later
*/ |
| 483 | 605 |
| 484 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); | 606 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); |
| 485 » s=(SSL_SESSION *)lh_insert(ctx->sessions,c); | 607 » s=lh_SSL_SESSION_insert(ctx->sessions,c); |
| 486 | 608 |
| 487 /* s != NULL iff we already had a session with the given PID. | 609 /* s != NULL iff we already had a session with the given PID. |
| 488 * In this case, s == c should hold (then we did not really modify | 610 * In this case, s == c should hold (then we did not really modify |
| 489 * ctx->sessions), or we're in trouble. */ | 611 * ctx->sessions), or we're in trouble. */ |
| 490 if (s != NULL && s != c) | 612 if (s != NULL && s != c) |
| 491 { | 613 { |
| 492 /* We *are* in trouble ... */ | 614 /* We *are* in trouble ... */ |
| 493 SSL_SESSION_list_remove(ctx,s); | 615 SSL_SESSION_list_remove(ctx,s); |
| 494 SSL_SESSION_free(s); | 616 SSL_SESSION_free(s); |
| 495 /* ... so pretend the other session did not exist in cache | 617 /* ... so pretend the other session did not exist in cache |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 541 } | 663 } |
| 542 | 664 |
| 543 static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) | 665 static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) |
| 544 { | 666 { |
| 545 SSL_SESSION *r; | 667 SSL_SESSION *r; |
| 546 int ret=0; | 668 int ret=0; |
| 547 | 669 |
| 548 if ((c != NULL) && (c->session_id_length != 0)) | 670 if ((c != NULL) && (c->session_id_length != 0)) |
| 549 { | 671 { |
| 550 if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); | 672 if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); |
| 551 » » if ((r = (SSL_SESSION *)lh_retrieve(ctx->sessions,c)) == c) | 673 » » if ((r = lh_SSL_SESSION_retrieve(ctx->sessions,c)) == c) |
| 552 { | 674 { |
| 553 ret=1; | 675 ret=1; |
| 554 » » » r=(SSL_SESSION *)lh_delete(ctx->sessions,c); | 676 » » » r=lh_SSL_SESSION_delete(ctx->sessions,c); |
| 555 SSL_SESSION_list_remove(ctx,c); | 677 SSL_SESSION_list_remove(ctx,c); |
| 556 } | 678 } |
| 557 | 679 |
| 558 if(lck) CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); | 680 if(lck) CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); |
| 559 | 681 |
| 560 if (ret) | 682 if (ret) |
| 561 { | 683 { |
| 562 r->not_resumable=1; | 684 r->not_resumable=1; |
| 563 if (ctx->remove_session_cb != NULL) | 685 if (ctx->remove_session_cb != NULL) |
| 564 ctx->remove_session_cb(ctx,r); | 686 ctx->remove_session_cb(ctx,r); |
| (...skipping 29 matching lines...) Expand all Loading... |
| 594 | 716 |
| 595 OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg); | 717 OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg); |
| 596 OPENSSL_cleanse(ss->master_key,sizeof ss->master_key); | 718 OPENSSL_cleanse(ss->master_key,sizeof ss->master_key); |
| 597 OPENSSL_cleanse(ss->session_id,sizeof ss->session_id); | 719 OPENSSL_cleanse(ss->session_id,sizeof ss->session_id); |
| 598 if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert); | 720 if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert); |
| 599 if (ss->peer != NULL) X509_free(ss->peer); | 721 if (ss->peer != NULL) X509_free(ss->peer); |
| 600 if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers); | 722 if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers); |
| 601 #ifndef OPENSSL_NO_TLSEXT | 723 #ifndef OPENSSL_NO_TLSEXT |
| 602 if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname); | 724 if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname); |
| 603 if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick); | 725 if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick); |
| 726 #ifndef OPENSSL_NO_EC |
| 727 ss->tlsext_ecpointformatlist_length = 0; |
| 728 if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpoin
tformatlist); |
| 729 ss->tlsext_ellipticcurvelist_length = 0; |
| 730 if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipt
iccurvelist); |
| 731 #endif /* OPENSSL_NO_EC */ |
| 732 #endif |
| 733 #ifndef OPENSSL_NO_PSK |
| 734 if (ss->psk_identity_hint != NULL) |
| 735 OPENSSL_free(ss->psk_identity_hint); |
| 736 if (ss->psk_identity != NULL) |
| 737 OPENSSL_free(ss->psk_identity); |
| 604 #endif | 738 #endif |
| 605 OPENSSL_cleanse(ss,sizeof(*ss)); | 739 OPENSSL_cleanse(ss,sizeof(*ss)); |
| 606 OPENSSL_free(ss); | 740 OPENSSL_free(ss); |
| 607 } | 741 } |
| 608 | 742 |
| 609 int SSL_set_session(SSL *s, SSL_SESSION *session) | 743 int SSL_set_session(SSL *s, SSL_SESSION *session) |
| 610 { | 744 { |
| 611 int ret=0; | 745 int ret=0; |
| 612 » SSL_METHOD *meth; | 746 » const SSL_METHOD *meth; |
| 613 | 747 |
| 614 if (session != NULL) | 748 if (session != NULL) |
| 615 { | 749 { |
| 616 meth=s->ctx->method->get_ssl_method(session->ssl_version); | 750 meth=s->ctx->method->get_ssl_method(session->ssl_version); |
| 617 if (meth == NULL) | 751 if (meth == NULL) |
| 618 meth=s->method->get_ssl_method(session->ssl_version); | 752 meth=s->method->get_ssl_method(session->ssl_version); |
| 619 if (meth == NULL) | 753 if (meth == NULL) |
| 620 { | 754 { |
| 621 SSLerr(SSL_F_SSL_SET_SESSION,SSL_R_UNABLE_TO_FIND_SSL_ME
THOD); | 755 SSLerr(SSL_F_SSL_SET_SESSION,SSL_R_UNABLE_TO_FIND_SSL_ME
THOD); |
| 622 return(0); | 756 return(0); |
| (...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 705 s->session_timeout=t; | 839 s->session_timeout=t; |
| 706 return(l); | 840 return(l); |
| 707 } | 841 } |
| 708 | 842 |
| 709 long SSL_CTX_get_timeout(const SSL_CTX *s) | 843 long SSL_CTX_get_timeout(const SSL_CTX *s) |
| 710 { | 844 { |
| 711 if (s == NULL) return(0); | 845 if (s == NULL) return(0); |
| 712 return(s->session_timeout); | 846 return(s->session_timeout); |
| 713 } | 847 } |
| 714 | 848 |
| 849 #ifndef OPENSSL_NO_TLSEXT |
| 850 int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void
*secret, int *secret_len, |
| 851 STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), voi
d *arg) |
| 852 { |
| 853 if (s == NULL) return(0); |
| 854 s->tls_session_secret_cb = tls_session_secret_cb; |
| 855 s->tls_session_secret_cb_arg = arg; |
| 856 return(1); |
| 857 } |
| 858 |
| 859 int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, |
| 860 void *arg) |
| 861 { |
| 862 if (s == NULL) return(0); |
| 863 s->tls_session_ticket_ext_cb = cb; |
| 864 s->tls_session_ticket_ext_cb_arg = arg; |
| 865 return(1); |
| 866 } |
| 867 |
| 868 int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) |
| 869 { |
| 870 if (s->version >= TLS1_VERSION) |
| 871 { |
| 872 if (s->tlsext_session_ticket) |
| 873 { |
| 874 OPENSSL_free(s->tlsext_session_ticket); |
| 875 s->tlsext_session_ticket = NULL; |
| 876 } |
| 877 |
| 878 s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TIC
KET_EXT) + ext_len); |
| 879 if (!s->tlsext_session_ticket) |
| 880 { |
| 881 SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FA
ILURE); |
| 882 return 0; |
| 883 } |
| 884 |
| 885 if (ext_data) |
| 886 { |
| 887 s->tlsext_session_ticket->length = ext_len; |
| 888 s->tlsext_session_ticket->data = s->tlsext_session_ticke
t + 1; |
| 889 memcpy(s->tlsext_session_ticket->data, ext_data, ext_len
); |
| 890 } |
| 891 else |
| 892 { |
| 893 s->tlsext_session_ticket->length = 0; |
| 894 s->tlsext_session_ticket->data = NULL; |
| 895 } |
| 896 |
| 897 return 1; |
| 898 } |
| 899 |
| 900 return 0; |
| 901 } |
| 902 #endif /* OPENSSL_NO_TLSEXT */ |
| 903 |
| 715 typedef struct timeout_param_st | 904 typedef struct timeout_param_st |
| 716 { | 905 { |
| 717 SSL_CTX *ctx; | 906 SSL_CTX *ctx; |
| 718 long time; | 907 long time; |
| 719 » LHASH *cache; | 908 » LHASH_OF(SSL_SESSION) *cache; |
| 720 } TIMEOUT_PARAM; | 909 } TIMEOUT_PARAM; |
| 721 | 910 |
| 722 static void timeout(SSL_SESSION *s, TIMEOUT_PARAM *p) | 911 static void timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p) |
| 723 { | 912 { |
| 724 if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */ | 913 if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */ |
| 725 { | 914 { |
| 726 /* The reason we don't call SSL_CTX_remove_session() is to | 915 /* The reason we don't call SSL_CTX_remove_session() is to |
| 727 * save on locking overhead */ | 916 * save on locking overhead */ |
| 728 » » lh_delete(p->cache,s); | 917 » » (void)lh_SSL_SESSION_delete(p->cache,s); |
| 729 SSL_SESSION_list_remove(p->ctx,s); | 918 SSL_SESSION_list_remove(p->ctx,s); |
| 730 s->not_resumable=1; | 919 s->not_resumable=1; |
| 731 if (p->ctx->remove_session_cb != NULL) | 920 if (p->ctx->remove_session_cb != NULL) |
| 732 p->ctx->remove_session_cb(p->ctx,s); | 921 p->ctx->remove_session_cb(p->ctx,s); |
| 733 SSL_SESSION_free(s); | 922 SSL_SESSION_free(s); |
| 734 } | 923 } |
| 735 } | 924 } |
| 736 | 925 |
| 737 static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION *, TIMEOUT_PARAM *) | 926 static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION, TIMEOUT_PARAM) |
| 738 | 927 |
| 739 void SSL_CTX_flush_sessions(SSL_CTX *s, long t) | 928 void SSL_CTX_flush_sessions(SSL_CTX *s, long t) |
| 740 { | 929 { |
| 741 unsigned long i; | 930 unsigned long i; |
| 742 TIMEOUT_PARAM tp; | 931 TIMEOUT_PARAM tp; |
| 743 | 932 |
| 744 tp.ctx=s; | 933 tp.ctx=s; |
| 745 tp.cache=s->sessions; | 934 tp.cache=s->sessions; |
| 746 if (tp.cache == NULL) return; | 935 if (tp.cache == NULL) return; |
| 747 tp.time=t; | 936 tp.time=t; |
| 748 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); | 937 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); |
| 749 » i=tp.cache->down_load; | 938 » i=CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load; |
| 750 » tp.cache->down_load=0; | 939 » CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=0; |
| 751 » lh_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout), &tp); | 940 » lh_SSL_SESSION_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout), |
| 752 » tp.cache->down_load=i; | 941 » » » » TIMEOUT_PARAM, &tp); |
| 942 » CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=i; |
| 753 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); | 943 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); |
| 754 } | 944 } |
| 755 | 945 |
| 756 int ssl_clear_bad_session(SSL *s) | 946 int ssl_clear_bad_session(SSL *s) |
| 757 { | 947 { |
| 758 if ( (s->session != NULL) && | 948 if ( (s->session != NULL) && |
| 759 !(s->shutdown & SSL_SENT_SHUTDOWN) && | 949 !(s->shutdown & SSL_SENT_SHUTDOWN) && |
| 760 !(SSL_in_init(s) || SSL_in_before(s))) | 950 !(SSL_in_init(s) || SSL_in_before(s))) |
| 761 { | 951 { |
| 762 SSL_CTX_remove_session(s->ctx,s->session); | 952 SSL_CTX_remove_session(s->ctx,s->session); |
| (...skipping 139 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 902 { | 1092 { |
| 903 ctx->app_gen_cookie_cb=cb; | 1093 ctx->app_gen_cookie_cb=cb; |
| 904 } | 1094 } |
| 905 | 1095 |
| 906 void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, | 1096 void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, |
| 907 int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)) | 1097 int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)) |
| 908 { | 1098 { |
| 909 ctx->app_verify_cookie_cb=cb; | 1099 ctx->app_verify_cookie_cb=cb; |
| 910 } | 1100 } |
| 911 | 1101 |
| 1102 IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION) |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 9254031:
Upgrade chrome's OpenSSL to same version Android ships with. (Closed)
Base URL: http://src.chromium.org/svn/trunk/deps/third_party/openssl/