1 /* 2 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright 2005 Nokia. All rights reserved. 4 * 5 * Licensed under the OpenSSL license (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 #include <stdio.h> 12 #include <openssl/rand.h> 13 #include <openssl/engine.h> 14 #include "internal/refcount.h" 15 #include "internal/cryptlib.h" 16 #include "ssl_locl.h" 17 #include "statem/statem_locl.h" 18 19 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); 20 static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s); 21 static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck); 22 23 /* 24 * SSL_get_session() and SSL_get1_session() are problematic in TLS1.3 because, 25 * unlike in earlier protocol versions, the session ticket may not have been 26 * sent yet even though a handshake has finished. The session ticket data could 27 * come in sometime later...or even change if multiple session ticket messages 28 * are sent from the server. The preferred way for applications to obtain 29 * a resumable session is to use SSL_CTX_sess_set_new_cb(). 30 */ 31 32 SSL_SESSION *SSL_get_session(const SSL *ssl) 33 /* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */ 34 { 35 return ssl->session; 36 } 37 38 SSL_SESSION *SSL_get1_session(SSL *ssl) 39 /* variant of SSL_get_session: caller really gets something */ 40 { 41 SSL_SESSION *sess; 42 /* 43 * Need to lock this all up rather than just use CRYPTO_add so that 44 * somebody doesn't free ssl->session between when we check it's non-null 45 * and when we up the reference count. 46 */ 47 CRYPTO_THREAD_read_lock(ssl->lock); 48 sess = ssl->session; 49 if (sess) 50 SSL_SESSION_up_ref(sess); 51 CRYPTO_THREAD_unlock(ssl->lock); 52 return sess; 53 } 54 55 int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg) 56 { 57 return CRYPTO_set_ex_data(&s->ex_data, idx, arg); 58 } 59 60 void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx) 61 { 62 return CRYPTO_get_ex_data(&s->ex_data, idx); 63 } 64 65 SSL_SESSION *SSL_SESSION_new(void) 66 { 67 SSL_SESSION *ss; 68 69 if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) 70 return NULL; 71 72 ss = OPENSSL_zalloc(sizeof(*ss)); 73 if (ss == NULL) { 74 SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE); 75 return NULL; 76 } 77 78 ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ 79 ss->references = 1; 80 ss->timeout = 60 * 5 + 4; /* 5 minute timeout by default */ 81 ss->time = (unsigned long)time(NULL); 82 ss->lock = CRYPTO_THREAD_lock_new(); 83 if (ss->lock == NULL) { 84 SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE); 85 OPENSSL_free(ss); 86 return NULL; 87 } 88 89 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data)) { 90 CRYPTO_THREAD_lock_free(ss->lock); 91 OPENSSL_free(ss); 92 return NULL; 93 } 94 return ss; 95 } 96 97 SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src) 98 { 99 return ssl_session_dup(src, 1); 100 } 101 102 /* 103 * Create a new SSL_SESSION and duplicate the contents of |src| into it. If 104 * ticket == 0 then no ticket information is duplicated, otherwise it is. 105 */ 106 SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) 107 { 108 SSL_SESSION *dest; 109 110 dest = OPENSSL_malloc(sizeof(*src)); 111 if (dest == NULL) { 112 goto err; 113 } 114 memcpy(dest, src, sizeof(*dest)); 115 116 /* 117 * Set the various pointers to NULL so that we can call SSL_SESSION_free in 118 * the case of an error whilst halfway through constructing dest 119 */ 120 #ifndef OPENSSL_NO_PSK 121 dest->psk_identity_hint = NULL; 122 dest->psk_identity = NULL; 123 #endif 124 dest->ext.hostname = NULL; 125 dest->ext.tick = NULL; 126 dest->ext.alpn_selected = NULL; 127 #ifndef OPENSSL_NO_SRP 128 dest->srp_username = NULL; 129 #endif 130 dest->peer_chain = NULL; 131 dest->peer = NULL; 132 dest->ticket_appdata = NULL; 133 memset(&dest->ex_data, 0, sizeof(dest->ex_data)); 134 135 /* We deliberately don't copy the prev and next pointers */ 136 dest->prev = NULL; 137 dest->next = NULL; 138 139 dest->references = 1; 140 141 dest->lock = CRYPTO_THREAD_lock_new(); 142 if (dest->lock == NULL) 143 goto err; 144 145 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, dest, &dest->ex_data)) 146 goto err; 147 148 if (src->peer != NULL) { 149 if (!X509_up_ref(src->peer)) 150 goto err; 151 dest->peer = src->peer; 152 } 153 154 if (src->peer_chain != NULL) { 155 dest->peer_chain = X509_chain_up_ref(src->peer_chain); 156 if (dest->peer_chain == NULL) 157 goto err; 158 } 159 #ifndef OPENSSL_NO_PSK 160 if (src->psk_identity_hint) { 161 dest->psk_identity_hint = OPENSSL_strdup(src->psk_identity_hint); 162 if (dest->psk_identity_hint == NULL) { 163 goto err; 164 } 165 } 166 if (src->psk_identity) { 167 dest->psk_identity = OPENSSL_strdup(src->psk_identity); 168 if (dest->psk_identity == NULL) { 169 goto err; 170 } 171 } 172 #endif 173 174 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, 175 &dest->ex_data, &src->ex_data)) { 176 goto err; 177 } 178 179 if (src->ext.hostname) { 180 dest->ext.hostname = OPENSSL_strdup(src->ext.hostname); 181 if (dest->ext.hostname == NULL) { 182 goto err; 183 } 184 } 185 186 if (ticket != 0 && src->ext.tick != NULL) { 187 dest->ext.tick = 188 OPENSSL_memdup(src->ext.tick, src->ext.ticklen); 189 if (dest->ext.tick == NULL) 190 goto err; 191 } else { 192 dest->ext.tick_lifetime_hint = 0; 193 dest->ext.ticklen = 0; 194 } 195 196 if (src->ext.alpn_selected != NULL) { 197 dest->ext.alpn_selected = OPENSSL_memdup(src->ext.alpn_selected, 198 src->ext.alpn_selected_len); 199 if (dest->ext.alpn_selected == NULL) 200 goto err; 201 } 202 203 #ifndef OPENSSL_NO_SRP 204 if (src->srp_username) { 205 dest->srp_username = OPENSSL_strdup(src->srp_username); 206 if (dest->srp_username == NULL) { 207 goto err; 208 } 209 } 210 #endif 211 212 if (src->ticket_appdata != NULL) { 213 dest->ticket_appdata = 214 OPENSSL_memdup(src->ticket_appdata, src->ticket_appdata_len); 215 if (dest->ticket_appdata == NULL) 216 goto err; 217 } 218 219 return dest; 220 err: 221 SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE); 222 SSL_SESSION_free(dest); 223 return NULL; 224 } 225 226 const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) 227 { 228 if (len) 229 *len = (unsigned int)s->session_id_length; 230 return s->session_id; 231 } 232 const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s, 233 unsigned int *len) 234 { 235 if (len != NULL) 236 *len = (unsigned int)s->sid_ctx_length; 237 return s->sid_ctx; 238 } 239 240 unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s) 241 { 242 return s->compress_meth; 243 } 244 245 /* 246 * SSLv3/TLSv1 has 32 bytes (256 bits) of session ID space. As such, filling 247 * the ID with random junk repeatedly until we have no conflict is going to 248 * complete in one iteration pretty much "most" of the time (btw: 249 * understatement). So, if it takes us 10 iterations and we still can't avoid 250 * a conflict - well that's a reasonable point to call it quits. Either the 251 * RAND code is broken or someone is trying to open roughly very close to 252 * 2^256 SSL sessions to our server. How you might store that many sessions 253 * is perhaps a more interesting question ... 254 */ 255 256 #define MAX_SESS_ID_ATTEMPTS 10 257 static int def_generate_session_id(SSL *ssl, unsigned char *id, 258 unsigned int *id_len) 259 { 260 unsigned int retry = 0; 261 do 262 if (RAND_bytes(id, *id_len) <= 0) 263 return 0; 264 while (SSL_has_matching_session_id(ssl, id, *id_len) && 265 (++retry < MAX_SESS_ID_ATTEMPTS)) ; 266 if (retry < MAX_SESS_ID_ATTEMPTS) 267 return 1; 268 /* else - woops a session_id match */ 269 /* 270 * XXX We should also check the external cache -- but the probability of 271 * a collision is negligible, and we could not prevent the concurrent 272 * creation of sessions with identical IDs since we currently don't have 273 * means to atomically check whether a session ID already exists and make 274 * a reservation for it if it does not (this problem applies to the 275 * internal cache as well). 276 */ 277 return 0; 278 } 279 280 int ssl_generate_session_id(SSL *s, SSL_SESSION *ss) 281 { 282 unsigned int tmp; 283 GEN_SESSION_CB cb = def_generate_session_id; 284 285 switch (s->version) { 286 case SSL3_VERSION: 287 case TLS1_VERSION: 288 case TLS1_1_VERSION: 289 case TLS1_2_VERSION: 290 case TLS1_3_VERSION: 291 case DTLS1_BAD_VER: 292 case DTLS1_VERSION: 293 case DTLS1_2_VERSION: 294 ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; 295 break; 296 default: 297 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_SESSION_ID, 298 SSL_R_UNSUPPORTED_SSL_VERSION); 299 return 0; 300 } 301 302 /*- 303 * If RFC5077 ticket, use empty session ID (as server). 304 * Note that: 305 * (a) ssl_get_prev_session() does lookahead into the 306 * ClientHello extensions to find the session ticket. 307 * When ssl_get_prev_session() fails, statem_srvr.c calls 308 * ssl_get_new_session() in tls_process_client_hello(). 309 * At that point, it has not yet parsed the extensions, 310 * however, because of the lookahead, it already knows 311 * whether a ticket is expected or not. 312 * 313 * (b) statem_clnt.c calls ssl_get_new_session() before parsing 314 * ServerHello extensions, and before recording the session 315 * ID received from the server, so this block is a noop. 316 */ 317 if (s->ext.ticket_expected) { 318 ss->session_id_length = 0; 319 return 1; 320 } 321 322 /* Choose which callback will set the session ID */ 323 CRYPTO_THREAD_read_lock(s->lock); 324 CRYPTO_THREAD_read_lock(s->session_ctx->lock); 325 if (s->generate_session_id) 326 cb = s->generate_session_id; 327 else if (s->session_ctx->generate_session_id) 328 cb = s->session_ctx->generate_session_id; 329 CRYPTO_THREAD_unlock(s->session_ctx->lock); 330 CRYPTO_THREAD_unlock(s->lock); 331 /* Choose a session ID */ 332 memset(ss->session_id, 0, ss->session_id_length); 333 tmp = (int)ss->session_id_length; 334 if (!cb(s, ss->session_id, &tmp)) { 335 /* The callback failed */ 336 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_SESSION_ID, 337 SSL_R_SSL_SESSION_ID_CALLBACK_FAILED); 338 return 0; 339 } 340 /* 341 * Don't allow the callback to set the session length to zero. nor 342 * set it higher than it was. 343 */ 344 if (tmp == 0 || tmp > ss->session_id_length) { 345 /* The callback set an illegal length */ 346 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_SESSION_ID, 347 SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH); 348 return 0; 349 } 350 ss->session_id_length = tmp; 351 /* Finally, check for a conflict */ 352 if (SSL_has_matching_session_id(s, ss->session_id, 353 (unsigned int)ss->session_id_length)) { 354 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_SESSION_ID, 355 SSL_R_SSL_SESSION_ID_CONFLICT); 356 return 0; 357 } 358 359 return 1; 360 } 361 362 int ssl_get_new_session(SSL *s, int session) 363 { 364 /* This gets used by clients and servers. */ 365 366 SSL_SESSION *ss = NULL; 367 368 if ((ss = SSL_SESSION_new()) == NULL) { 369 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_NEW_SESSION, 370 ERR_R_MALLOC_FAILURE); 371 return 0; 372 } 373 374 /* If the context has a default timeout, use it */ 375 if (s->session_ctx->session_timeout == 0) 376 ss->timeout = SSL_get_default_timeout(s); 377 else 378 ss->timeout = s->session_ctx->session_timeout; 379 380 SSL_SESSION_free(s->session); 381 s->session = NULL; 382 383 if (session) { 384 if (SSL_IS_TLS13(s)) { 385 /* 386 * We generate the session id while constructing the 387 * NewSessionTicket in TLSv1.3. 388 */ 389 ss->session_id_length = 0; 390 } else if (!ssl_generate_session_id(s, ss)) { 391 /* SSLfatal() already called */ 392 SSL_SESSION_free(ss); 393 return 0; 394 } 395 396 } else { 397 ss->session_id_length = 0; 398 } 399 400 if (s->sid_ctx_length > sizeof(ss->sid_ctx)) { 401 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_NEW_SESSION, 402 ERR_R_INTERNAL_ERROR); 403 SSL_SESSION_free(ss); 404 return 0; 405 } 406 memcpy(ss->sid_ctx, s->sid_ctx, s->sid_ctx_length); 407 ss->sid_ctx_length = s->sid_ctx_length; 408 s->session = ss; 409 ss->ssl_version = s->version; 410 ss->verify_result = X509_V_OK; 411 412 /* If client supports extended master secret set it in session */ 413 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) 414 ss->flags |= SSL_SESS_FLAG_EXTMS; 415 416 return 1; 417 } 418 419 SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id, 420 size_t sess_id_len) 421 { 422 SSL_SESSION *ret = NULL; 423 424 if ((s->session_ctx->session_cache_mode 425 & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP) == 0) { 426 SSL_SESSION data; 427 428 data.ssl_version = s->version; 429 if (!ossl_assert(sess_id_len <= SSL_MAX_SSL_SESSION_ID_LENGTH)) 430 return NULL; 431 432 memcpy(data.session_id, sess_id, sess_id_len); 433 data.session_id_length = sess_id_len; 434 435 CRYPTO_THREAD_read_lock(s->session_ctx->lock); 436 ret = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data); 437 if (ret != NULL) { 438 /* don't allow other threads to steal it: */ 439 SSL_SESSION_up_ref(ret); 440 } 441 CRYPTO_THREAD_unlock(s->session_ctx->lock); 442 if (ret == NULL) 443 tsan_counter(&s->session_ctx->stats.sess_miss); 444 } 445 446 if (ret == NULL && s->session_ctx->get_session_cb != NULL) { 447 int copy = 1; 448 449 ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, ©); 450 451 if (ret != NULL) { 452 tsan_counter(&s->session_ctx->stats.sess_cb_hit); 453 454 /* 455 * Increment reference count now if the session callback asks us 456 * to do so (note that if the session structures returned by the 457 * callback are shared between threads, it must handle the 458 * reference count itself [i.e. copy == 0], or things won't be 459 * thread-safe). 460 */ 461 if (copy) 462 SSL_SESSION_up_ref(ret); 463 464 /* 465 * Add the externally cached session to the internal cache as 466 * well if and only if we are supposed to. 467 */ 468 if ((s->session_ctx->session_cache_mode & 469 SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0) { 470 /* 471 * Either return value of SSL_CTX_add_session should not 472 * interrupt the session resumption process. The return 473 * value is intentionally ignored. 474 */ 475 (void)SSL_CTX_add_session(s->session_ctx, ret); 476 } 477 } 478 } 479 480 return ret; 481 } 482 483 /*- 484 * ssl_get_prev attempts to find an SSL_SESSION to be used to resume this 485 * connection. It is only called by servers. 486 * 487 * hello: The parsed ClientHello data 488 * 489 * Returns: 490 * -1: fatal error 491 * 0: no session found 492 * 1: a session may have been found. 493 * 494 * Side effects: 495 * - If a session is found then s->session is pointed at it (after freeing an 496 * existing session if need be) and s->verify_result is set from the session. 497 * - Both for new and resumed sessions, s->ext.ticket_expected is set to 1 498 * if the server should issue a new session ticket (to 0 otherwise). 499 */ 500 int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello) 501 { 502 /* This is used only by servers. */ 503 504 SSL_SESSION *ret = NULL; 505 int fatal = 0; 506 int try_session_cache = 0; 507 SSL_TICKET_STATUS r; 508 509 if (SSL_IS_TLS13(s)) { 510 /* 511 * By default we will send a new ticket. This can be overridden in the 512 * ticket processing. 513 */ 514 s->ext.ticket_expected = 1; 515 if (!tls_parse_extension(s, TLSEXT_IDX_psk_kex_modes, 516 SSL_EXT_CLIENT_HELLO, hello->pre_proc_exts, 517 NULL, 0) 518 || !tls_parse_extension(s, TLSEXT_IDX_psk, SSL_EXT_CLIENT_HELLO, 519 hello->pre_proc_exts, NULL, 0)) 520 return -1; 521 522 ret = s->session; 523 } else { 524 /* sets s->ext.ticket_expected */ 525 r = tls_get_ticket_from_client(s, hello, &ret); 526 switch (r) { 527 case SSL_TICKET_FATAL_ERR_MALLOC: 528 case SSL_TICKET_FATAL_ERR_OTHER: 529 fatal = 1; 530 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_PREV_SESSION, 531 ERR_R_INTERNAL_ERROR); 532 goto err; 533 case SSL_TICKET_NONE: 534 case SSL_TICKET_EMPTY: 535 if (hello->session_id_len > 0) { 536 try_session_cache = 1; 537 ret = lookup_sess_in_cache(s, hello->session_id, 538 hello->session_id_len); 539 } 540 break; 541 case SSL_TICKET_NO_DECRYPT: 542 case SSL_TICKET_SUCCESS: 543 case SSL_TICKET_SUCCESS_RENEW: 544 break; 545 } 546 } 547 548 if (ret == NULL) 549 goto err; 550 551 /* Now ret is non-NULL and we own one of its reference counts. */ 552 553 /* Check TLS version consistency */ 554 if (ret->ssl_version != s->version) 555 goto err; 556 557 if (ret->sid_ctx_length != s->sid_ctx_length 558 || memcmp(ret->sid_ctx, s->sid_ctx, ret->sid_ctx_length)) { 559 /* 560 * We have the session requested by the client, but we don't want to 561 * use it in this context. 562 */ 563 goto err; /* treat like cache miss */ 564 } 565 566 if ((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0) { 567 /* 568 * We can't be sure if this session is being used out of context, 569 * which is especially important for SSL_VERIFY_PEER. The application 570 * should have used SSL[_CTX]_set_session_id_context. For this error 571 * case, we generate an error instead of treating the event like a 572 * cache miss (otherwise it would be easy for applications to 573 * effectively disable the session cache by accident without anyone 574 * noticing). 575 */ 576 577 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_PREV_SESSION, 578 SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED); 579 fatal = 1; 580 goto err; 581 } 582 583 if (ret->timeout < (long)(time(NULL) - ret->time)) { /* timeout */ 584 tsan_counter(&s->session_ctx->stats.sess_timeout); 585 if (try_session_cache) { 586 /* session was from the cache, so remove it */ 587 SSL_CTX_remove_session(s->session_ctx, ret); 588 } 589 goto err; 590 } 591 592 /* Check extended master secret extension consistency */ 593 if (ret->flags & SSL_SESS_FLAG_EXTMS) { 594 /* If old session includes extms, but new does not: abort handshake */ 595 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)) { 596 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL_GET_PREV_SESSION, 597 SSL_R_INCONSISTENT_EXTMS); 598 fatal = 1; 599 goto err; 600 } 601 } else if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) { 602 /* If new session includes extms, but old does not: do not resume */ 603 goto err; 604 } 605 606 if (!SSL_IS_TLS13(s)) { 607 /* We already did this for TLS1.3 */ 608 SSL_SESSION_free(s->session); 609 s->session = ret; 610 } 611 612 tsan_counter(&s->session_ctx->stats.sess_hit); 613 s->verify_result = s->session->verify_result; 614 return 1; 615 616 err: 617 if (ret != NULL) { 618 SSL_SESSION_free(ret); 619 /* In TLSv1.3 s->session was already set to ret, so we NULL it out */ 620 if (SSL_IS_TLS13(s)) 621 s->session = NULL; 622 623 if (!try_session_cache) { 624 /* 625 * The session was from a ticket, so we should issue a ticket for 626 * the new session 627 */ 628 s->ext.ticket_expected = 1; 629 } 630 } 631 if (fatal) 632 return -1; 633 634 return 0; 635 } 636 637 int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c) 638 { 639 int ret = 0; 640 SSL_SESSION *s; 641 642 /* 643 * add just 1 reference count for the SSL_CTX's session cache even though 644 * it has two ways of access: each session is in a doubly linked list and 645 * an lhash 646 */ 647 SSL_SESSION_up_ref(c); 648 /* 649 * if session c is in already in cache, we take back the increment later 650 */ 651 652 CRYPTO_THREAD_write_lock(ctx->lock); 653 s = lh_SSL_SESSION_insert(ctx->sessions, c); 654 655 /* 656 * s != NULL iff we already had a session with the given PID. In this 657 * case, s == c should hold (then we did not really modify 658 * ctx->sessions), or we're in trouble. 659 */ 660 if (s != NULL && s != c) { 661 /* We *are* in trouble ... */ 662 SSL_SESSION_list_remove(ctx, s); 663 SSL_SESSION_free(s); 664 /* 665 * ... so pretend the other session did not exist in cache (we cannot 666 * handle two SSL_SESSION structures with identical session ID in the 667 * same cache, which could happen e.g. when two threads concurrently 668 * obtain the same session from an external cache) 669 */ 670 s = NULL; 671 } else if (s == NULL && 672 lh_SSL_SESSION_retrieve(ctx->sessions, c) == NULL) { 673 /* s == NULL can also mean OOM error in lh_SSL_SESSION_insert ... */ 674 675 /* 676 * ... so take back the extra reference and also don't add 677 * the session to the SSL_SESSION_list at this time 678 */ 679 s = c; 680 } 681 682 /* Put at the head of the queue unless it is already in the cache */ 683 if (s == NULL) 684 SSL_SESSION_list_add(ctx, c); 685 686 if (s != NULL) { 687 /* 688 * existing cache entry -- decrement previously incremented reference 689 * count because it already takes into account the cache 690 */ 691 692 SSL_SESSION_free(s); /* s == c */ 693 ret = 0; 694 } else { 695 /* 696 * new cache entry -- remove old ones if cache has become too large 697 */ 698 699 ret = 1; 700 701 if (SSL_CTX_sess_get_cache_size(ctx) > 0) { 702 while (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx)) { 703 if (!remove_session_lock(ctx, ctx->session_cache_tail, 0)) 704 break; 705 else 706 tsan_counter(&ctx->stats.sess_cache_full); 707 } 708 } 709 } 710 CRYPTO_THREAD_unlock(ctx->lock); 711 return ret; 712 } 713 714 int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c) 715 { 716 return remove_session_lock(ctx, c, 1); 717 } 718 719 static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) 720 { 721 SSL_SESSION *r; 722 int ret = 0; 723 724 if ((c != NULL) && (c->session_id_length != 0)) { 725 if (lck) 726 CRYPTO_THREAD_write_lock(ctx->lock); 727 if ((r = lh_SSL_SESSION_retrieve(ctx->sessions, c)) != NULL) { 728 ret = 1; 729 r = lh_SSL_SESSION_delete(ctx->sessions, r); 730 SSL_SESSION_list_remove(ctx, r); 731 } 732 c->not_resumable = 1; 733 734 if (lck) 735 CRYPTO_THREAD_unlock(ctx->lock); 736 737 if (ctx->remove_session_cb != NULL) 738 ctx->remove_session_cb(ctx, c); 739 740 if (ret) 741 SSL_SESSION_free(r); 742 } else 743 ret = 0; 744 return ret; 745 } 746 747 void SSL_SESSION_free(SSL_SESSION *ss) 748 { 749 int i; 750 751 if (ss == NULL) 752 return; 753 CRYPTO_DOWN_REF(&ss->references, &i, ss->lock); 754 REF_PRINT_COUNT("SSL_SESSION", ss); 755 if (i > 0) 756 return; 757 REF_ASSERT_ISNT(i < 0); 758 759 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); 760 761 OPENSSL_cleanse(ss->master_key, sizeof(ss->master_key)); 762 OPENSSL_cleanse(ss->session_id, sizeof(ss->session_id)); 763 X509_free(ss->peer); 764 sk_X509_pop_free(ss->peer_chain, X509_free); 765 OPENSSL_free(ss->ext.hostname); 766 OPENSSL_free(ss->ext.tick); 767 #ifndef OPENSSL_NO_PSK 768 OPENSSL_free(ss->psk_identity_hint); 769 OPENSSL_free(ss->psk_identity); 770 #endif 771 #ifndef OPENSSL_NO_SRP 772 OPENSSL_free(ss->srp_username); 773 #endif 774 OPENSSL_free(ss->ext.alpn_selected); 775 OPENSSL_free(ss->ticket_appdata); 776 CRYPTO_THREAD_lock_free(ss->lock); 777 OPENSSL_clear_free(ss, sizeof(*ss)); 778 } 779 780 int SSL_SESSION_up_ref(SSL_SESSION *ss) 781 { 782 int i; 783 784 if (CRYPTO_UP_REF(&ss->references, &i, ss->lock) <= 0) 785 return 0; 786 787 REF_PRINT_COUNT("SSL_SESSION", ss); 788 REF_ASSERT_ISNT(i < 2); 789 return ((i > 1) ? 1 : 0); 790 } 791 792 int SSL_set_session(SSL *s, SSL_SESSION *session) 793 { 794 ssl_clear_bad_session(s); 795 if (s->ctx->method != s->method) { 796 if (!SSL_set_ssl_method(s, s->ctx->method)) 797 return 0; 798 } 799 800 if (session != NULL) { 801 SSL_SESSION_up_ref(session); 802 s->verify_result = session->verify_result; 803 } 804 SSL_SESSION_free(s->session); 805 s->session = session; 806 807 return 1; 808 } 809 810 int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid, 811 unsigned int sid_len) 812 { 813 if (sid_len > SSL_MAX_SSL_SESSION_ID_LENGTH) { 814 SSLerr(SSL_F_SSL_SESSION_SET1_ID, 815 SSL_R_SSL_SESSION_ID_TOO_LONG); 816 return 0; 817 } 818 s->session_id_length = sid_len; 819 if (sid != s->session_id) 820 memcpy(s->session_id, sid, sid_len); 821 return 1; 822 } 823 824 long SSL_SESSION_set_timeout(SSL_SESSION *s, long t) 825 { 826 if (s == NULL) 827 return 0; 828 s->timeout = t; 829 return 1; 830 } 831 832 long SSL_SESSION_get_timeout(const SSL_SESSION *s) 833 { 834 if (s == NULL) 835 return 0; 836 return s->timeout; 837 } 838 839 long SSL_SESSION_get_time(const SSL_SESSION *s) 840 { 841 if (s == NULL) 842 return 0; 843 return s->time; 844 } 845 846 long SSL_SESSION_set_time(SSL_SESSION *s, long t) 847 { 848 if (s == NULL) 849 return 0; 850 s->time = t; 851 return t; 852 } 853 854 int SSL_SESSION_get_protocol_version(const SSL_SESSION *s) 855 { 856 return s->ssl_version; 857 } 858 859 int SSL_SESSION_set_protocol_version(SSL_SESSION *s, int version) 860 { 861 s->ssl_version = version; 862 return 1; 863 } 864 865 const SSL_CIPHER *SSL_SESSION_get0_cipher(const SSL_SESSION *s) 866 { 867 return s->cipher; 868 } 869 870 int SSL_SESSION_set_cipher(SSL_SESSION *s, const SSL_CIPHER *cipher) 871 { 872 s->cipher = cipher; 873 return 1; 874 } 875 876 const char *SSL_SESSION_get0_hostname(const SSL_SESSION *s) 877 { 878 return s->ext.hostname; 879 } 880 881 int SSL_SESSION_set1_hostname(SSL_SESSION *s, const char *hostname) 882 { 883 OPENSSL_free(s->ext.hostname); 884 if (hostname == NULL) { 885 s->ext.hostname = NULL; 886 return 1; 887 } 888 s->ext.hostname = OPENSSL_strdup(hostname); 889 890 return s->ext.hostname != NULL; 891 } 892 893 int SSL_SESSION_has_ticket(const SSL_SESSION *s) 894 { 895 return (s->ext.ticklen > 0) ? 1 : 0; 896 } 897 898 unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s) 899 { 900 return s->ext.tick_lifetime_hint; 901 } 902 903 void SSL_SESSION_get0_ticket(const SSL_SESSION *s, const unsigned char **tick, 904 size_t *len) 905 { 906 *len = s->ext.ticklen; 907 if (tick != NULL) 908 *tick = s->ext.tick; 909 } 910 911 uint32_t SSL_SESSION_get_max_early_data(const SSL_SESSION *s) 912 { 913 return s->ext.max_early_data; 914 } 915 916 int SSL_SESSION_set_max_early_data(SSL_SESSION *s, uint32_t max_early_data) 917 { 918 s->ext.max_early_data = max_early_data; 919 920 return 1; 921 } 922 923 void SSL_SESSION_get0_alpn_selected(const SSL_SESSION *s, 924 const unsigned char **alpn, 925 size_t *len) 926 { 927 *alpn = s->ext.alpn_selected; 928 *len = s->ext.alpn_selected_len; 929 } 930 931 int SSL_SESSION_set1_alpn_selected(SSL_SESSION *s, const unsigned char *alpn, 932 size_t len) 933 { 934 OPENSSL_free(s->ext.alpn_selected); 935 if (alpn == NULL || len == 0) { 936 s->ext.alpn_selected = NULL; 937 s->ext.alpn_selected_len = 0; 938 return 1; 939 } 940 s->ext.alpn_selected = OPENSSL_memdup(alpn, len); 941 if (s->ext.alpn_selected == NULL) { 942 s->ext.alpn_selected_len = 0; 943 return 0; 944 } 945 s->ext.alpn_selected_len = len; 946 947 return 1; 948 } 949 950 X509 *SSL_SESSION_get0_peer(SSL_SESSION *s) 951 { 952 return s->peer; 953 } 954 955 int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx, 956 unsigned int sid_ctx_len) 957 { 958 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { 959 SSLerr(SSL_F_SSL_SESSION_SET1_ID_CONTEXT, 960 SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 961 return 0; 962 } 963 s->sid_ctx_length = sid_ctx_len; 964 if (sid_ctx != s->sid_ctx) 965 memcpy(s->sid_ctx, sid_ctx, sid_ctx_len); 966 967 return 1; 968 } 969 970 int SSL_SESSION_is_resumable(const SSL_SESSION *s) 971 { 972 /* 973 * In the case of EAP-FAST, we can have a pre-shared "ticket" without a 974 * session ID. 975 */ 976 return !s->not_resumable 977 && (s->session_id_length > 0 || s->ext.ticklen > 0); 978 } 979 980 long SSL_CTX_set_timeout(SSL_CTX *s, long t) 981 { 982 long l; 983 if (s == NULL) 984 return 0; 985 l = s->session_timeout; 986 s->session_timeout = t; 987 return l; 988 } 989 990 long SSL_CTX_get_timeout(const SSL_CTX *s) 991 { 992 if (s == NULL) 993 return 0; 994 return s->session_timeout; 995 } 996 997 int SSL_set_session_secret_cb(SSL *s, 998 tls_session_secret_cb_fn tls_session_secret_cb, 999 void *arg) 1000 { 1001 if (s == NULL) 1002 return 0; 1003 s->ext.session_secret_cb = tls_session_secret_cb; 1004 s->ext.session_secret_cb_arg = arg; 1005 return 1; 1006 } 1007 1008 int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, 1009 void *arg) 1010 { 1011 if (s == NULL) 1012 return 0; 1013 s->ext.session_ticket_cb = cb; 1014 s->ext.session_ticket_cb_arg = arg; 1015 return 1; 1016 } 1017 1018 int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) 1019 { 1020 if (s->version >= TLS1_VERSION) { 1021 OPENSSL_free(s->ext.session_ticket); 1022 s->ext.session_ticket = NULL; 1023 s->ext.session_ticket = 1024 OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len); 1025 if (s->ext.session_ticket == NULL) { 1026 SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE); 1027 return 0; 1028 } 1029 1030 if (ext_data != NULL) { 1031 s->ext.session_ticket->length = ext_len; 1032 s->ext.session_ticket->data = s->ext.session_ticket + 1; 1033 memcpy(s->ext.session_ticket->data, ext_data, ext_len); 1034 } else { 1035 s->ext.session_ticket->length = 0; 1036 s->ext.session_ticket->data = NULL; 1037 } 1038 1039 return 1; 1040 } 1041 1042 return 0; 1043 } 1044 1045 typedef struct timeout_param_st { 1046 SSL_CTX *ctx; 1047 long time; 1048 LHASH_OF(SSL_SESSION) *cache; 1049 } TIMEOUT_PARAM; 1050 1051 static void timeout_cb(SSL_SESSION *s, TIMEOUT_PARAM *p) 1052 { 1053 if ((p->time == 0) || (p->time > (s->time + s->timeout))) { /* timeout */ 1054 /* 1055 * The reason we don't call SSL_CTX_remove_session() is to save on 1056 * locking overhead 1057 */ 1058 (void)lh_SSL_SESSION_delete(p->cache, s); 1059 SSL_SESSION_list_remove(p->ctx, s); 1060 s->not_resumable = 1; 1061 if (p->ctx->remove_session_cb != NULL) 1062 p->ctx->remove_session_cb(p->ctx, s); 1063 SSL_SESSION_free(s); 1064 } 1065 } 1066 1067 IMPLEMENT_LHASH_DOALL_ARG(SSL_SESSION, TIMEOUT_PARAM); 1068 1069 void SSL_CTX_flush_sessions(SSL_CTX *s, long t) 1070 { 1071 unsigned long i; 1072 TIMEOUT_PARAM tp; 1073 1074 tp.ctx = s; 1075 tp.cache = s->sessions; 1076 if (tp.cache == NULL) 1077 return; 1078 tp.time = t; 1079 CRYPTO_THREAD_write_lock(s->lock); 1080 i = lh_SSL_SESSION_get_down_load(s->sessions); 1081 lh_SSL_SESSION_set_down_load(s->sessions, 0); 1082 lh_SSL_SESSION_doall_TIMEOUT_PARAM(tp.cache, timeout_cb, &tp); 1083 lh_SSL_SESSION_set_down_load(s->sessions, i); 1084 CRYPTO_THREAD_unlock(s->lock); 1085 } 1086 1087 int ssl_clear_bad_session(SSL *s) 1088 { 1089 if ((s->session != NULL) && 1090 !(s->shutdown & SSL_SENT_SHUTDOWN) && 1091 !(SSL_in_init(s) || SSL_in_before(s))) { 1092 SSL_CTX_remove_session(s->session_ctx, s->session); 1093 return 1; 1094 } else 1095 return 0; 1096 } 1097 1098 /* locked by SSL_CTX in the calling function */ 1099 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s) 1100 { 1101 if ((s->next == NULL) || (s->prev == NULL)) 1102 return; 1103 1104 if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) { 1105 /* last element in list */ 1106 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) { 1107 /* only one element in list */ 1108 ctx->session_cache_head = NULL; 1109 ctx->session_cache_tail = NULL; 1110 } else { 1111 ctx->session_cache_tail = s->prev; 1112 s->prev->next = (SSL_SESSION *)&(ctx->session_cache_tail); 1113 } 1114 } else { 1115 if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) { 1116 /* first element in list */ 1117 ctx->session_cache_head = s->next; 1118 s->next->prev = (SSL_SESSION *)&(ctx->session_cache_head); 1119 } else { 1120 /* middle of list */ 1121 s->next->prev = s->prev; 1122 s->prev->next = s->next; 1123 } 1124 } 1125 s->prev = s->next = NULL; 1126 } 1127 1128 static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s) 1129 { 1130 if ((s->next != NULL) && (s->prev != NULL)) 1131 SSL_SESSION_list_remove(ctx, s); 1132 1133 if (ctx->session_cache_head == NULL) { 1134 ctx->session_cache_head = s; 1135 ctx->session_cache_tail = s; 1136 s->prev = (SSL_SESSION *)&(ctx->session_cache_head); 1137 s->next = (SSL_SESSION *)&(ctx->session_cache_tail); 1138 } else { 1139 s->next = ctx->session_cache_head; 1140 s->next->prev = s; 1141 s->prev = (SSL_SESSION *)&(ctx->session_cache_head); 1142 ctx->session_cache_head = s; 1143 } 1144 } 1145 1146 void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, 1147 int (*cb) (struct ssl_st *ssl, SSL_SESSION *sess)) 1148 { 1149 ctx->new_session_cb = cb; 1150 } 1151 1152 int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx)) (SSL *ssl, SSL_SESSION *sess) { 1153 return ctx->new_session_cb; 1154 } 1155 1156 void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, 1157 void (*cb) (SSL_CTX *ctx, SSL_SESSION *sess)) 1158 { 1159 ctx->remove_session_cb = cb; 1160 } 1161 1162 void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx)) (SSL_CTX *ctx, 1163 SSL_SESSION *sess) { 1164 return ctx->remove_session_cb; 1165 } 1166 1167 void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, 1168 SSL_SESSION *(*cb) (struct ssl_st *ssl, 1169 const unsigned char *data, 1170 int len, int *copy)) 1171 { 1172 ctx->get_session_cb = cb; 1173 } 1174 1175 SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx)) (SSL *ssl, 1176 const unsigned char 1177 *data, int len, 1178 int *copy) { 1179 return ctx->get_session_cb; 1180 } 1181 1182 void SSL_CTX_set_info_callback(SSL_CTX *ctx, 1183 void (*cb) (const SSL *ssl, int type, int val)) 1184 { 1185 ctx->info_callback = cb; 1186 } 1187 1188 void (*SSL_CTX_get_info_callback(SSL_CTX *ctx)) (const SSL *ssl, int type, 1189 int val) { 1190 return ctx->info_callback; 1191 } 1192 1193 void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, 1194 int (*cb) (SSL *ssl, X509 **x509, 1195 EVP_PKEY **pkey)) 1196 { 1197 ctx->client_cert_cb = cb; 1198 } 1199 1200 int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx)) (SSL *ssl, X509 **x509, 1201 EVP_PKEY **pkey) { 1202 return ctx->client_cert_cb; 1203 } 1204 1205 #ifndef OPENSSL_NO_ENGINE 1206 int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e) 1207 { 1208 if (!ENGINE_init(e)) { 1209 SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB); 1210 return 0; 1211 } 1212 if (!ENGINE_get_ssl_client_cert_function(e)) { 1213 SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, 1214 SSL_R_NO_CLIENT_CERT_METHOD); 1215 ENGINE_finish(e); 1216 return 0; 1217 } 1218 ctx->client_cert_engine = e; 1219 return 1; 1220 } 1221 #endif 1222 1223 void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, 1224 int (*cb) (SSL *ssl, 1225 unsigned char *cookie, 1226 unsigned int *cookie_len)) 1227 { 1228 ctx->app_gen_cookie_cb = cb; 1229 } 1230 1231 void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, 1232 int (*cb) (SSL *ssl, 1233 const unsigned char *cookie, 1234 unsigned int cookie_len)) 1235 { 1236 ctx->app_verify_cookie_cb = cb; 1237 } 1238 1239 int SSL_SESSION_set1_ticket_appdata(SSL_SESSION *ss, const void *data, size_t len) 1240 { 1241 OPENSSL_free(ss->ticket_appdata); 1242 ss->ticket_appdata_len = 0; 1243 if (data == NULL || len == 0) { 1244 ss->ticket_appdata = NULL; 1245 return 1; 1246 } 1247 ss->ticket_appdata = OPENSSL_memdup(data, len); 1248 if (ss->ticket_appdata != NULL) { 1249 ss->ticket_appdata_len = len; 1250 return 1; 1251 } 1252 return 0; 1253 } 1254 1255 int SSL_SESSION_get0_ticket_appdata(SSL_SESSION *ss, void **data, size_t *len) 1256 { 1257 *data = ss->ticket_appdata; 1258 *len = ss->ticket_appdata_len; 1259 return 1; 1260 } 1261 1262 void SSL_CTX_set_stateless_cookie_generate_cb( 1263 SSL_CTX *ctx, 1264 int (*cb) (SSL *ssl, 1265 unsigned char *cookie, 1266 size_t *cookie_len)) 1267 { 1268 ctx->gen_stateless_cookie_cb = cb; 1269 } 1270 1271 void SSL_CTX_set_stateless_cookie_verify_cb( 1272 SSL_CTX *ctx, 1273 int (*cb) (SSL *ssl, 1274 const unsigned char *cookie, 1275 size_t cookie_len)) 1276 { 1277 ctx->verify_stateless_cookie_cb = cb; 1278 } 1279 1280 IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION) 1281