xref: /freebsd/crypto/openssl/ssl/ssl_sess.c (revision cc426dd31990b8b50b210efc450e404596548ca1)
1 /*
2  * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright 2005 Nokia. All rights reserved.
4  *
5  * Licensed under the OpenSSL license (the "License").  You may not use
6  * this file except in compliance with the License.  You can obtain a copy
7  * in the file LICENSE in the source distribution or at
8  * https://www.openssl.org/source/license.html
9  */
10 
11 #include <stdio.h>
12 #include <openssl/rand.h>
13 #include <openssl/engine.h>
14 #include "internal/refcount.h"
15 #include "internal/cryptlib.h"
16 #include "ssl_locl.h"
17 #include "statem/statem_locl.h"
18 
19 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
20 static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
21 static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
22 
23 /*
24  * SSL_get_session() and SSL_get1_session() are problematic in TLS1.3 because,
25  * unlike in earlier protocol versions, the session ticket may not have been
26  * sent yet even though a handshake has finished. The session ticket data could
27  * come in sometime later...or even change if multiple session ticket messages
28  * are sent from the server. The preferred way for applications to obtain
29  * a resumable session is to use SSL_CTX_sess_set_new_cb().
30  */
31 
32 SSL_SESSION *SSL_get_session(const SSL *ssl)
33 /* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
34 {
35     return ssl->session;
36 }
37 
38 SSL_SESSION *SSL_get1_session(SSL *ssl)
39 /* variant of SSL_get_session: caller really gets something */
40 {
41     SSL_SESSION *sess;
42     /*
43      * Need to lock this all up rather than just use CRYPTO_add so that
44      * somebody doesn't free ssl->session between when we check it's non-null
45      * and when we up the reference count.
46      */
47     CRYPTO_THREAD_read_lock(ssl->lock);
48     sess = ssl->session;
49     if (sess)
50         SSL_SESSION_up_ref(sess);
51     CRYPTO_THREAD_unlock(ssl->lock);
52     return sess;
53 }
54 
55 int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
56 {
57     return CRYPTO_set_ex_data(&s->ex_data, idx, arg);
58 }
59 
60 void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
61 {
62     return CRYPTO_get_ex_data(&s->ex_data, idx);
63 }
64 
65 SSL_SESSION *SSL_SESSION_new(void)
66 {
67     SSL_SESSION *ss;
68 
69     if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
70         return NULL;
71 
72     ss = OPENSSL_zalloc(sizeof(*ss));
73     if (ss == NULL) {
74         SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE);
75         return NULL;
76     }
77 
78     ss->verify_result = 1;      /* avoid 0 (= X509_V_OK) just in case */
79     ss->references = 1;
80     ss->timeout = 60 * 5 + 4;   /* 5 minute timeout by default */
81     ss->time = (unsigned long)time(NULL);
82     ss->lock = CRYPTO_THREAD_lock_new();
83     if (ss->lock == NULL) {
84         SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE);
85         OPENSSL_free(ss);
86         return NULL;
87     }
88 
89     if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data)) {
90         CRYPTO_THREAD_lock_free(ss->lock);
91         OPENSSL_free(ss);
92         return NULL;
93     }
94     return ss;
95 }
96 
97 SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src)
98 {
99     return ssl_session_dup(src, 1);
100 }
101 
102 /*
103  * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
104  * ticket == 0 then no ticket information is duplicated, otherwise it is.
105  */
106 SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
107 {
108     SSL_SESSION *dest;
109 
110     dest = OPENSSL_malloc(sizeof(*src));
111     if (dest == NULL) {
112         goto err;
113     }
114     memcpy(dest, src, sizeof(*dest));
115 
116     /*
117      * Set the various pointers to NULL so that we can call SSL_SESSION_free in
118      * the case of an error whilst halfway through constructing dest
119      */
120 #ifndef OPENSSL_NO_PSK
121     dest->psk_identity_hint = NULL;
122     dest->psk_identity = NULL;
123 #endif
124     dest->ciphers = NULL;
125     dest->ext.hostname = NULL;
126 #ifndef OPENSSL_NO_EC
127     dest->ext.ecpointformats = NULL;
128     dest->ext.supportedgroups = NULL;
129 #endif
130     dest->ext.tick = NULL;
131     dest->ext.alpn_selected = NULL;
132 #ifndef OPENSSL_NO_SRP
133     dest->srp_username = NULL;
134 #endif
135     dest->peer_chain = NULL;
136     dest->peer = NULL;
137     dest->ticket_appdata = NULL;
138     memset(&dest->ex_data, 0, sizeof(dest->ex_data));
139 
140     /* We deliberately don't copy the prev and next pointers */
141     dest->prev = NULL;
142     dest->next = NULL;
143 
144     dest->references = 1;
145 
146     dest->lock = CRYPTO_THREAD_lock_new();
147     if (dest->lock == NULL)
148         goto err;
149 
150     if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, dest, &dest->ex_data))
151         goto err;
152 
153     if (src->peer != NULL) {
154         if (!X509_up_ref(src->peer))
155             goto err;
156         dest->peer = src->peer;
157     }
158 
159     if (src->peer_chain != NULL) {
160         dest->peer_chain = X509_chain_up_ref(src->peer_chain);
161         if (dest->peer_chain == NULL)
162             goto err;
163     }
164 #ifndef OPENSSL_NO_PSK
165     if (src->psk_identity_hint) {
166         dest->psk_identity_hint = OPENSSL_strdup(src->psk_identity_hint);
167         if (dest->psk_identity_hint == NULL) {
168             goto err;
169         }
170     }
171     if (src->psk_identity) {
172         dest->psk_identity = OPENSSL_strdup(src->psk_identity);
173         if (dest->psk_identity == NULL) {
174             goto err;
175         }
176     }
177 #endif
178 
179     if (src->ciphers != NULL) {
180         dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers);
181         if (dest->ciphers == NULL)
182             goto err;
183     }
184 
185     if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION,
186                             &dest->ex_data, &src->ex_data)) {
187         goto err;
188     }
189 
190     if (src->ext.hostname) {
191         dest->ext.hostname = OPENSSL_strdup(src->ext.hostname);
192         if (dest->ext.hostname == NULL) {
193             goto err;
194         }
195     }
196 #ifndef OPENSSL_NO_EC
197     if (src->ext.ecpointformats) {
198         dest->ext.ecpointformats =
199             OPENSSL_memdup(src->ext.ecpointformats,
200                            src->ext.ecpointformats_len);
201         if (dest->ext.ecpointformats == NULL)
202             goto err;
203     }
204     if (src->ext.supportedgroups) {
205         dest->ext.supportedgroups =
206             OPENSSL_memdup(src->ext.supportedgroups,
207                            src->ext.supportedgroups_len
208                                 * sizeof(*src->ext.supportedgroups));
209         if (dest->ext.supportedgroups == NULL)
210             goto err;
211     }
212 #endif
213 
214     if (ticket != 0 && src->ext.tick != NULL) {
215         dest->ext.tick =
216             OPENSSL_memdup(src->ext.tick, src->ext.ticklen);
217         if (dest->ext.tick == NULL)
218             goto err;
219     } else {
220         dest->ext.tick_lifetime_hint = 0;
221         dest->ext.ticklen = 0;
222     }
223 
224     if (src->ext.alpn_selected != NULL) {
225         dest->ext.alpn_selected = OPENSSL_memdup(src->ext.alpn_selected,
226                                                  src->ext.alpn_selected_len);
227         if (dest->ext.alpn_selected == NULL)
228             goto err;
229     }
230 
231 #ifndef OPENSSL_NO_SRP
232     if (src->srp_username) {
233         dest->srp_username = OPENSSL_strdup(src->srp_username);
234         if (dest->srp_username == NULL) {
235             goto err;
236         }
237     }
238 #endif
239 
240     if (src->ticket_appdata != NULL) {
241         dest->ticket_appdata =
242             OPENSSL_memdup(src->ticket_appdata, src->ticket_appdata_len);
243         if (dest->ticket_appdata == NULL)
244             goto err;
245     }
246 
247     return dest;
248  err:
249     SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE);
250     SSL_SESSION_free(dest);
251     return NULL;
252 }
253 
254 const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
255 {
256     if (len)
257         *len = (unsigned int)s->session_id_length;
258     return s->session_id;
259 }
260 const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s,
261                                                 unsigned int *len)
262 {
263     if (len != NULL)
264         *len = (unsigned int)s->sid_ctx_length;
265     return s->sid_ctx;
266 }
267 
268 unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s)
269 {
270     return s->compress_meth;
271 }
272 
273 /*
274  * SSLv3/TLSv1 has 32 bytes (256 bits) of session ID space. As such, filling
275  * the ID with random junk repeatedly until we have no conflict is going to
276  * complete in one iteration pretty much "most" of the time (btw:
277  * understatement). So, if it takes us 10 iterations and we still can't avoid
278  * a conflict - well that's a reasonable point to call it quits. Either the
279  * RAND code is broken or someone is trying to open roughly very close to
280  * 2^256 SSL sessions to our server. How you might store that many sessions
281  * is perhaps a more interesting question ...
282  */
283 
284 #define MAX_SESS_ID_ATTEMPTS 10
285 static int def_generate_session_id(SSL *ssl, unsigned char *id,
286                                    unsigned int *id_len)
287 {
288     unsigned int retry = 0;
289     do
290         if (RAND_bytes(id, *id_len) <= 0)
291             return 0;
292     while (SSL_has_matching_session_id(ssl, id, *id_len) &&
293            (++retry < MAX_SESS_ID_ATTEMPTS)) ;
294     if (retry < MAX_SESS_ID_ATTEMPTS)
295         return 1;
296     /* else - woops a session_id match */
297     /*
298      * XXX We should also check the external cache -- but the probability of
299      * a collision is negligible, and we could not prevent the concurrent
300      * creation of sessions with identical IDs since we currently don't have
301      * means to atomically check whether a session ID already exists and make
302      * a reservation for it if it does not (this problem applies to the
303      * internal cache as well).
304      */
305     return 0;
306 }
307 
308 int ssl_generate_session_id(SSL *s, SSL_SESSION *ss)
309 {
310     unsigned int tmp;
311     GEN_SESSION_CB cb = def_generate_session_id;
312 
313     switch (s->version) {
314     case SSL3_VERSION:
315     case TLS1_VERSION:
316     case TLS1_1_VERSION:
317     case TLS1_2_VERSION:
318     case TLS1_3_VERSION:
319     case DTLS1_BAD_VER:
320     case DTLS1_VERSION:
321     case DTLS1_2_VERSION:
322         ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
323         break;
324     default:
325         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_SESSION_ID,
326                  SSL_R_UNSUPPORTED_SSL_VERSION);
327         return 0;
328     }
329 
330     /*-
331      * If RFC5077 ticket, use empty session ID (as server).
332      * Note that:
333      * (a) ssl_get_prev_session() does lookahead into the
334      *     ClientHello extensions to find the session ticket.
335      *     When ssl_get_prev_session() fails, statem_srvr.c calls
336      *     ssl_get_new_session() in tls_process_client_hello().
337      *     At that point, it has not yet parsed the extensions,
338      *     however, because of the lookahead, it already knows
339      *     whether a ticket is expected or not.
340      *
341      * (b) statem_clnt.c calls ssl_get_new_session() before parsing
342      *     ServerHello extensions, and before recording the session
343      *     ID received from the server, so this block is a noop.
344      */
345     if (s->ext.ticket_expected) {
346         ss->session_id_length = 0;
347         return 1;
348     }
349 
350     /* Choose which callback will set the session ID */
351     CRYPTO_THREAD_read_lock(s->lock);
352     CRYPTO_THREAD_read_lock(s->session_ctx->lock);
353     if (s->generate_session_id)
354         cb = s->generate_session_id;
355     else if (s->session_ctx->generate_session_id)
356         cb = s->session_ctx->generate_session_id;
357     CRYPTO_THREAD_unlock(s->session_ctx->lock);
358     CRYPTO_THREAD_unlock(s->lock);
359     /* Choose a session ID */
360     memset(ss->session_id, 0, ss->session_id_length);
361     tmp = (int)ss->session_id_length;
362     if (!cb(s, ss->session_id, &tmp)) {
363         /* The callback failed */
364         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_SESSION_ID,
365                  SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);
366         return 0;
367     }
368     /*
369      * Don't allow the callback to set the session length to zero. nor
370      * set it higher than it was.
371      */
372     if (tmp == 0 || tmp > ss->session_id_length) {
373         /* The callback set an illegal length */
374         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_SESSION_ID,
375                  SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);
376         return 0;
377     }
378     ss->session_id_length = tmp;
379     /* Finally, check for a conflict */
380     if (SSL_has_matching_session_id(s, ss->session_id,
381                                     (unsigned int)ss->session_id_length)) {
382         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_SESSION_ID,
383                  SSL_R_SSL_SESSION_ID_CONFLICT);
384         return 0;
385     }
386 
387     return 1;
388 }
389 
390 int ssl_get_new_session(SSL *s, int session)
391 {
392     /* This gets used by clients and servers. */
393 
394     SSL_SESSION *ss = NULL;
395 
396     if ((ss = SSL_SESSION_new()) == NULL) {
397         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_NEW_SESSION,
398                  ERR_R_MALLOC_FAILURE);
399         return 0;
400     }
401 
402     /* If the context has a default timeout, use it */
403     if (s->session_ctx->session_timeout == 0)
404         ss->timeout = SSL_get_default_timeout(s);
405     else
406         ss->timeout = s->session_ctx->session_timeout;
407 
408     SSL_SESSION_free(s->session);
409     s->session = NULL;
410 
411     if (session) {
412         if (SSL_IS_TLS13(s)) {
413             /*
414              * We generate the session id while constructing the
415              * NewSessionTicket in TLSv1.3.
416              */
417             ss->session_id_length = 0;
418         } else if (!ssl_generate_session_id(s, ss)) {
419             /* SSLfatal() already called */
420             SSL_SESSION_free(ss);
421             return 0;
422         }
423 
424     } else {
425         ss->session_id_length = 0;
426     }
427 
428     if (s->sid_ctx_length > sizeof(ss->sid_ctx)) {
429         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_NEW_SESSION,
430                  ERR_R_INTERNAL_ERROR);
431         SSL_SESSION_free(ss);
432         return 0;
433     }
434     memcpy(ss->sid_ctx, s->sid_ctx, s->sid_ctx_length);
435     ss->sid_ctx_length = s->sid_ctx_length;
436     s->session = ss;
437     ss->ssl_version = s->version;
438     ss->verify_result = X509_V_OK;
439 
440     /* If client supports extended master secret set it in session */
441     if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
442         ss->flags |= SSL_SESS_FLAG_EXTMS;
443 
444     return 1;
445 }
446 
447 SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
448                                   size_t sess_id_len)
449 {
450     SSL_SESSION *ret = NULL;
451 
452     if ((s->session_ctx->session_cache_mode
453          & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP) == 0) {
454         SSL_SESSION data;
455 
456         data.ssl_version = s->version;
457         if (!ossl_assert(sess_id_len <= SSL_MAX_SSL_SESSION_ID_LENGTH))
458             return NULL;
459 
460         memcpy(data.session_id, sess_id, sess_id_len);
461         data.session_id_length = sess_id_len;
462 
463         CRYPTO_THREAD_read_lock(s->session_ctx->lock);
464         ret = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data);
465         if (ret != NULL) {
466             /* don't allow other threads to steal it: */
467             SSL_SESSION_up_ref(ret);
468         }
469         CRYPTO_THREAD_unlock(s->session_ctx->lock);
470         if (ret == NULL)
471             tsan_counter(&s->session_ctx->stats.sess_miss);
472     }
473 
474     if (ret == NULL && s->session_ctx->get_session_cb != NULL) {
475         int copy = 1;
476 
477         ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, &copy);
478 
479         if (ret != NULL) {
480             tsan_counter(&s->session_ctx->stats.sess_cb_hit);
481 
482             /*
483              * Increment reference count now if the session callback asks us
484              * to do so (note that if the session structures returned by the
485              * callback are shared between threads, it must handle the
486              * reference count itself [i.e. copy == 0], or things won't be
487              * thread-safe).
488              */
489             if (copy)
490                 SSL_SESSION_up_ref(ret);
491 
492             /*
493              * Add the externally cached session to the internal cache as
494              * well if and only if we are supposed to.
495              */
496             if ((s->session_ctx->session_cache_mode &
497                  SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0) {
498                 /*
499                  * Either return value of SSL_CTX_add_session should not
500                  * interrupt the session resumption process. The return
501                  * value is intentionally ignored.
502                  */
503                 (void)SSL_CTX_add_session(s->session_ctx, ret);
504             }
505         }
506     }
507 
508     return ret;
509 }
510 
511 /*-
512  * ssl_get_prev attempts to find an SSL_SESSION to be used to resume this
513  * connection. It is only called by servers.
514  *
515  *   hello: The parsed ClientHello data
516  *
517  * Returns:
518  *   -1: fatal error
519  *    0: no session found
520  *    1: a session may have been found.
521  *
522  * Side effects:
523  *   - If a session is found then s->session is pointed at it (after freeing an
524  *     existing session if need be) and s->verify_result is set from the session.
525  *   - Both for new and resumed sessions, s->ext.ticket_expected is set to 1
526  *     if the server should issue a new session ticket (to 0 otherwise).
527  */
528 int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
529 {
530     /* This is used only by servers. */
531 
532     SSL_SESSION *ret = NULL;
533     int fatal = 0;
534     int try_session_cache = 0;
535     SSL_TICKET_STATUS r;
536 
537     if (SSL_IS_TLS13(s)) {
538         /*
539          * By default we will send a new ticket. This can be overridden in the
540          * ticket processing.
541          */
542         s->ext.ticket_expected = 1;
543         if (!tls_parse_extension(s, TLSEXT_IDX_psk_kex_modes,
544                                  SSL_EXT_CLIENT_HELLO, hello->pre_proc_exts,
545                                  NULL, 0)
546                 || !tls_parse_extension(s, TLSEXT_IDX_psk, SSL_EXT_CLIENT_HELLO,
547                                         hello->pre_proc_exts, NULL, 0))
548             return -1;
549 
550         ret = s->session;
551     } else {
552         /* sets s->ext.ticket_expected */
553         r = tls_get_ticket_from_client(s, hello, &ret);
554         switch (r) {
555         case SSL_TICKET_FATAL_ERR_MALLOC:
556         case SSL_TICKET_FATAL_ERR_OTHER:
557             fatal = 1;
558             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_PREV_SESSION,
559                      ERR_R_INTERNAL_ERROR);
560             goto err;
561         case SSL_TICKET_NONE:
562         case SSL_TICKET_EMPTY:
563             if (hello->session_id_len > 0) {
564                 try_session_cache = 1;
565                 ret = lookup_sess_in_cache(s, hello->session_id,
566                                            hello->session_id_len);
567             }
568             break;
569         case SSL_TICKET_NO_DECRYPT:
570         case SSL_TICKET_SUCCESS:
571         case SSL_TICKET_SUCCESS_RENEW:
572             break;
573         }
574     }
575 
576     if (ret == NULL)
577         goto err;
578 
579     /* Now ret is non-NULL and we own one of its reference counts. */
580 
581     /* Check TLS version consistency */
582     if (ret->ssl_version != s->version)
583         goto err;
584 
585     if (ret->sid_ctx_length != s->sid_ctx_length
586         || memcmp(ret->sid_ctx, s->sid_ctx, ret->sid_ctx_length)) {
587         /*
588          * We have the session requested by the client, but we don't want to
589          * use it in this context.
590          */
591         goto err;               /* treat like cache miss */
592     }
593 
594     if ((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0) {
595         /*
596          * We can't be sure if this session is being used out of context,
597          * which is especially important for SSL_VERIFY_PEER. The application
598          * should have used SSL[_CTX]_set_session_id_context. For this error
599          * case, we generate an error instead of treating the event like a
600          * cache miss (otherwise it would be easy for applications to
601          * effectively disable the session cache by accident without anyone
602          * noticing).
603          */
604 
605         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_PREV_SESSION,
606                  SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
607         fatal = 1;
608         goto err;
609     }
610 
611     if (ret->timeout < (long)(time(NULL) - ret->time)) { /* timeout */
612         tsan_counter(&s->session_ctx->stats.sess_timeout);
613         if (try_session_cache) {
614             /* session was from the cache, so remove it */
615             SSL_CTX_remove_session(s->session_ctx, ret);
616         }
617         goto err;
618     }
619 
620     /* Check extended master secret extension consistency */
621     if (ret->flags & SSL_SESS_FLAG_EXTMS) {
622         /* If old session includes extms, but new does not: abort handshake */
623         if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)) {
624             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL_GET_PREV_SESSION,
625                      SSL_R_INCONSISTENT_EXTMS);
626             fatal = 1;
627             goto err;
628         }
629     } else if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
630         /* If new session includes extms, but old does not: do not resume */
631         goto err;
632     }
633 
634     if (!SSL_IS_TLS13(s)) {
635         /* We already did this for TLS1.3 */
636         SSL_SESSION_free(s->session);
637         s->session = ret;
638     }
639 
640     tsan_counter(&s->session_ctx->stats.sess_hit);
641     s->verify_result = s->session->verify_result;
642     return 1;
643 
644  err:
645     if (ret != NULL) {
646         SSL_SESSION_free(ret);
647         /* In TLSv1.3 s->session was already set to ret, so we NULL it out */
648         if (SSL_IS_TLS13(s))
649             s->session = NULL;
650 
651         if (!try_session_cache) {
652             /*
653              * The session was from a ticket, so we should issue a ticket for
654              * the new session
655              */
656             s->ext.ticket_expected = 1;
657         }
658     }
659     if (fatal)
660         return -1;
661 
662     return 0;
663 }
664 
665 int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
666 {
667     int ret = 0;
668     SSL_SESSION *s;
669 
670     /*
671      * add just 1 reference count for the SSL_CTX's session cache even though
672      * it has two ways of access: each session is in a doubly linked list and
673      * an lhash
674      */
675     SSL_SESSION_up_ref(c);
676     /*
677      * if session c is in already in cache, we take back the increment later
678      */
679 
680     CRYPTO_THREAD_write_lock(ctx->lock);
681     s = lh_SSL_SESSION_insert(ctx->sessions, c);
682 
683     /*
684      * s != NULL iff we already had a session with the given PID. In this
685      * case, s == c should hold (then we did not really modify
686      * ctx->sessions), or we're in trouble.
687      */
688     if (s != NULL && s != c) {
689         /* We *are* in trouble ... */
690         SSL_SESSION_list_remove(ctx, s);
691         SSL_SESSION_free(s);
692         /*
693          * ... so pretend the other session did not exist in cache (we cannot
694          * handle two SSL_SESSION structures with identical session ID in the
695          * same cache, which could happen e.g. when two threads concurrently
696          * obtain the same session from an external cache)
697          */
698         s = NULL;
699     } else if (s == NULL &&
700                lh_SSL_SESSION_retrieve(ctx->sessions, c) == NULL) {
701         /* s == NULL can also mean OOM error in lh_SSL_SESSION_insert ... */
702 
703         /*
704          * ... so take back the extra reference and also don't add
705          * the session to the SSL_SESSION_list at this time
706          */
707         s = c;
708     }
709 
710     /* Put at the head of the queue unless it is already in the cache */
711     if (s == NULL)
712         SSL_SESSION_list_add(ctx, c);
713 
714     if (s != NULL) {
715         /*
716          * existing cache entry -- decrement previously incremented reference
717          * count because it already takes into account the cache
718          */
719 
720         SSL_SESSION_free(s);    /* s == c */
721         ret = 0;
722     } else {
723         /*
724          * new cache entry -- remove old ones if cache has become too large
725          */
726 
727         ret = 1;
728 
729         if (SSL_CTX_sess_get_cache_size(ctx) > 0) {
730             while (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx)) {
731                 if (!remove_session_lock(ctx, ctx->session_cache_tail, 0))
732                     break;
733                 else
734                     tsan_counter(&ctx->stats.sess_cache_full);
735             }
736         }
737     }
738     CRYPTO_THREAD_unlock(ctx->lock);
739     return ret;
740 }
741 
742 int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c)
743 {
744     return remove_session_lock(ctx, c, 1);
745 }
746 
747 static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
748 {
749     SSL_SESSION *r;
750     int ret = 0;
751 
752     if ((c != NULL) && (c->session_id_length != 0)) {
753         if (lck)
754             CRYPTO_THREAD_write_lock(ctx->lock);
755         if ((r = lh_SSL_SESSION_retrieve(ctx->sessions, c)) != NULL) {
756             ret = 1;
757             r = lh_SSL_SESSION_delete(ctx->sessions, r);
758             SSL_SESSION_list_remove(ctx, r);
759         }
760         c->not_resumable = 1;
761 
762         if (lck)
763             CRYPTO_THREAD_unlock(ctx->lock);
764 
765         if (ctx->remove_session_cb != NULL)
766             ctx->remove_session_cb(ctx, c);
767 
768         if (ret)
769             SSL_SESSION_free(r);
770     } else
771         ret = 0;
772     return ret;
773 }
774 
775 void SSL_SESSION_free(SSL_SESSION *ss)
776 {
777     int i;
778 
779     if (ss == NULL)
780         return;
781     CRYPTO_DOWN_REF(&ss->references, &i, ss->lock);
782     REF_PRINT_COUNT("SSL_SESSION", ss);
783     if (i > 0)
784         return;
785     REF_ASSERT_ISNT(i < 0);
786 
787     CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
788 
789     OPENSSL_cleanse(ss->master_key, sizeof(ss->master_key));
790     OPENSSL_cleanse(ss->session_id, sizeof(ss->session_id));
791     X509_free(ss->peer);
792     sk_X509_pop_free(ss->peer_chain, X509_free);
793     sk_SSL_CIPHER_free(ss->ciphers);
794     OPENSSL_free(ss->ext.hostname);
795     OPENSSL_free(ss->ext.tick);
796 #ifndef OPENSSL_NO_EC
797     OPENSSL_free(ss->ext.ecpointformats);
798     ss->ext.ecpointformats = NULL;
799     ss->ext.ecpointformats_len = 0;
800     OPENSSL_free(ss->ext.supportedgroups);
801     ss->ext.supportedgroups = NULL;
802     ss->ext.supportedgroups_len = 0;
803 #endif                          /* OPENSSL_NO_EC */
804 #ifndef OPENSSL_NO_PSK
805     OPENSSL_free(ss->psk_identity_hint);
806     OPENSSL_free(ss->psk_identity);
807 #endif
808 #ifndef OPENSSL_NO_SRP
809     OPENSSL_free(ss->srp_username);
810 #endif
811     OPENSSL_free(ss->ext.alpn_selected);
812     OPENSSL_free(ss->ticket_appdata);
813     CRYPTO_THREAD_lock_free(ss->lock);
814     OPENSSL_clear_free(ss, sizeof(*ss));
815 }
816 
817 int SSL_SESSION_up_ref(SSL_SESSION *ss)
818 {
819     int i;
820 
821     if (CRYPTO_UP_REF(&ss->references, &i, ss->lock) <= 0)
822         return 0;
823 
824     REF_PRINT_COUNT("SSL_SESSION", ss);
825     REF_ASSERT_ISNT(i < 2);
826     return ((i > 1) ? 1 : 0);
827 }
828 
829 int SSL_set_session(SSL *s, SSL_SESSION *session)
830 {
831     ssl_clear_bad_session(s);
832     if (s->ctx->method != s->method) {
833         if (!SSL_set_ssl_method(s, s->ctx->method))
834             return 0;
835     }
836 
837     if (session != NULL) {
838         SSL_SESSION_up_ref(session);
839         s->verify_result = session->verify_result;
840     }
841     SSL_SESSION_free(s->session);
842     s->session = session;
843 
844     return 1;
845 }
846 
847 int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
848                         unsigned int sid_len)
849 {
850     if (sid_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
851       SSLerr(SSL_F_SSL_SESSION_SET1_ID,
852              SSL_R_SSL_SESSION_ID_TOO_LONG);
853       return 0;
854     }
855     s->session_id_length = sid_len;
856     if (sid != s->session_id)
857         memcpy(s->session_id, sid, sid_len);
858     return 1;
859 }
860 
861 long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
862 {
863     if (s == NULL)
864         return 0;
865     s->timeout = t;
866     return 1;
867 }
868 
869 long SSL_SESSION_get_timeout(const SSL_SESSION *s)
870 {
871     if (s == NULL)
872         return 0;
873     return s->timeout;
874 }
875 
876 long SSL_SESSION_get_time(const SSL_SESSION *s)
877 {
878     if (s == NULL)
879         return 0;
880     return s->time;
881 }
882 
883 long SSL_SESSION_set_time(SSL_SESSION *s, long t)
884 {
885     if (s == NULL)
886         return 0;
887     s->time = t;
888     return t;
889 }
890 
891 int SSL_SESSION_get_protocol_version(const SSL_SESSION *s)
892 {
893     return s->ssl_version;
894 }
895 
896 int SSL_SESSION_set_protocol_version(SSL_SESSION *s, int version)
897 {
898     s->ssl_version = version;
899     return 1;
900 }
901 
902 const SSL_CIPHER *SSL_SESSION_get0_cipher(const SSL_SESSION *s)
903 {
904     return s->cipher;
905 }
906 
907 int SSL_SESSION_set_cipher(SSL_SESSION *s, const SSL_CIPHER *cipher)
908 {
909     s->cipher = cipher;
910     return 1;
911 }
912 
913 const char *SSL_SESSION_get0_hostname(const SSL_SESSION *s)
914 {
915     return s->ext.hostname;
916 }
917 
918 int SSL_SESSION_set1_hostname(SSL_SESSION *s, const char *hostname)
919 {
920     OPENSSL_free(s->ext.hostname);
921     if (hostname == NULL) {
922         s->ext.hostname = NULL;
923         return 1;
924     }
925     s->ext.hostname = OPENSSL_strdup(hostname);
926 
927     return s->ext.hostname != NULL;
928 }
929 
930 int SSL_SESSION_has_ticket(const SSL_SESSION *s)
931 {
932     return (s->ext.ticklen > 0) ? 1 : 0;
933 }
934 
935 unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)
936 {
937     return s->ext.tick_lifetime_hint;
938 }
939 
940 void SSL_SESSION_get0_ticket(const SSL_SESSION *s, const unsigned char **tick,
941                              size_t *len)
942 {
943     *len = s->ext.ticklen;
944     if (tick != NULL)
945         *tick = s->ext.tick;
946 }
947 
948 uint32_t SSL_SESSION_get_max_early_data(const SSL_SESSION *s)
949 {
950     return s->ext.max_early_data;
951 }
952 
953 int SSL_SESSION_set_max_early_data(SSL_SESSION *s, uint32_t max_early_data)
954 {
955     s->ext.max_early_data = max_early_data;
956 
957     return 1;
958 }
959 
960 void SSL_SESSION_get0_alpn_selected(const SSL_SESSION *s,
961                                     const unsigned char **alpn,
962                                     size_t *len)
963 {
964     *alpn = s->ext.alpn_selected;
965     *len = s->ext.alpn_selected_len;
966 }
967 
968 int SSL_SESSION_set1_alpn_selected(SSL_SESSION *s, const unsigned char *alpn,
969                                    size_t len)
970 {
971     OPENSSL_free(s->ext.alpn_selected);
972     if (alpn == NULL || len == 0) {
973         s->ext.alpn_selected = NULL;
974         s->ext.alpn_selected_len = 0;
975         return 1;
976     }
977     s->ext.alpn_selected = OPENSSL_memdup(alpn, len);
978     if (s->ext.alpn_selected == NULL) {
979         s->ext.alpn_selected_len = 0;
980         return 0;
981     }
982     s->ext.alpn_selected_len = len;
983 
984     return 1;
985 }
986 
987 X509 *SSL_SESSION_get0_peer(SSL_SESSION *s)
988 {
989     return s->peer;
990 }
991 
992 int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
993                                 unsigned int sid_ctx_len)
994 {
995     if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
996         SSLerr(SSL_F_SSL_SESSION_SET1_ID_CONTEXT,
997                SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
998         return 0;
999     }
1000     s->sid_ctx_length = sid_ctx_len;
1001     if (sid_ctx != s->sid_ctx)
1002         memcpy(s->sid_ctx, sid_ctx, sid_ctx_len);
1003 
1004     return 1;
1005 }
1006 
1007 int SSL_SESSION_is_resumable(const SSL_SESSION *s)
1008 {
1009     /*
1010      * In the case of EAP-FAST, we can have a pre-shared "ticket" without a
1011      * session ID.
1012      */
1013     return !s->not_resumable
1014            && (s->session_id_length > 0 || s->ext.ticklen > 0);
1015 }
1016 
1017 long SSL_CTX_set_timeout(SSL_CTX *s, long t)
1018 {
1019     long l;
1020     if (s == NULL)
1021         return 0;
1022     l = s->session_timeout;
1023     s->session_timeout = t;
1024     return l;
1025 }
1026 
1027 long SSL_CTX_get_timeout(const SSL_CTX *s)
1028 {
1029     if (s == NULL)
1030         return 0;
1031     return s->session_timeout;
1032 }
1033 
1034 int SSL_set_session_secret_cb(SSL *s,
1035                               tls_session_secret_cb_fn tls_session_secret_cb,
1036                               void *arg)
1037 {
1038     if (s == NULL)
1039         return 0;
1040     s->ext.session_secret_cb = tls_session_secret_cb;
1041     s->ext.session_secret_cb_arg = arg;
1042     return 1;
1043 }
1044 
1045 int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
1046                                   void *arg)
1047 {
1048     if (s == NULL)
1049         return 0;
1050     s->ext.session_ticket_cb = cb;
1051     s->ext.session_ticket_cb_arg = arg;
1052     return 1;
1053 }
1054 
1055 int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
1056 {
1057     if (s->version >= TLS1_VERSION) {
1058         OPENSSL_free(s->ext.session_ticket);
1059         s->ext.session_ticket = NULL;
1060         s->ext.session_ticket =
1061             OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
1062         if (s->ext.session_ticket == NULL) {
1063             SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
1064             return 0;
1065         }
1066 
1067         if (ext_data != NULL) {
1068             s->ext.session_ticket->length = ext_len;
1069             s->ext.session_ticket->data = s->ext.session_ticket + 1;
1070             memcpy(s->ext.session_ticket->data, ext_data, ext_len);
1071         } else {
1072             s->ext.session_ticket->length = 0;
1073             s->ext.session_ticket->data = NULL;
1074         }
1075 
1076         return 1;
1077     }
1078 
1079     return 0;
1080 }
1081 
1082 typedef struct timeout_param_st {
1083     SSL_CTX *ctx;
1084     long time;
1085     LHASH_OF(SSL_SESSION) *cache;
1086 } TIMEOUT_PARAM;
1087 
1088 static void timeout_cb(SSL_SESSION *s, TIMEOUT_PARAM *p)
1089 {
1090     if ((p->time == 0) || (p->time > (s->time + s->timeout))) { /* timeout */
1091         /*
1092          * The reason we don't call SSL_CTX_remove_session() is to save on
1093          * locking overhead
1094          */
1095         (void)lh_SSL_SESSION_delete(p->cache, s);
1096         SSL_SESSION_list_remove(p->ctx, s);
1097         s->not_resumable = 1;
1098         if (p->ctx->remove_session_cb != NULL)
1099             p->ctx->remove_session_cb(p->ctx, s);
1100         SSL_SESSION_free(s);
1101     }
1102 }
1103 
1104 IMPLEMENT_LHASH_DOALL_ARG(SSL_SESSION, TIMEOUT_PARAM);
1105 
1106 void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
1107 {
1108     unsigned long i;
1109     TIMEOUT_PARAM tp;
1110 
1111     tp.ctx = s;
1112     tp.cache = s->sessions;
1113     if (tp.cache == NULL)
1114         return;
1115     tp.time = t;
1116     CRYPTO_THREAD_write_lock(s->lock);
1117     i = lh_SSL_SESSION_get_down_load(s->sessions);
1118     lh_SSL_SESSION_set_down_load(s->sessions, 0);
1119     lh_SSL_SESSION_doall_TIMEOUT_PARAM(tp.cache, timeout_cb, &tp);
1120     lh_SSL_SESSION_set_down_load(s->sessions, i);
1121     CRYPTO_THREAD_unlock(s->lock);
1122 }
1123 
1124 int ssl_clear_bad_session(SSL *s)
1125 {
1126     if ((s->session != NULL) &&
1127         !(s->shutdown & SSL_SENT_SHUTDOWN) &&
1128         !(SSL_in_init(s) || SSL_in_before(s))) {
1129         SSL_CTX_remove_session(s->session_ctx, s->session);
1130         return 1;
1131     } else
1132         return 0;
1133 }
1134 
1135 /* locked by SSL_CTX in the calling function */
1136 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
1137 {
1138     if ((s->next == NULL) || (s->prev == NULL))
1139         return;
1140 
1141     if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) {
1142         /* last element in list */
1143         if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) {
1144             /* only one element in list */
1145             ctx->session_cache_head = NULL;
1146             ctx->session_cache_tail = NULL;
1147         } else {
1148             ctx->session_cache_tail = s->prev;
1149             s->prev->next = (SSL_SESSION *)&(ctx->session_cache_tail);
1150         }
1151     } else {
1152         if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) {
1153             /* first element in list */
1154             ctx->session_cache_head = s->next;
1155             s->next->prev = (SSL_SESSION *)&(ctx->session_cache_head);
1156         } else {
1157             /* middle of list */
1158             s->next->prev = s->prev;
1159             s->prev->next = s->next;
1160         }
1161     }
1162     s->prev = s->next = NULL;
1163 }
1164 
1165 static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
1166 {
1167     if ((s->next != NULL) && (s->prev != NULL))
1168         SSL_SESSION_list_remove(ctx, s);
1169 
1170     if (ctx->session_cache_head == NULL) {
1171         ctx->session_cache_head = s;
1172         ctx->session_cache_tail = s;
1173         s->prev = (SSL_SESSION *)&(ctx->session_cache_head);
1174         s->next = (SSL_SESSION *)&(ctx->session_cache_tail);
1175     } else {
1176         s->next = ctx->session_cache_head;
1177         s->next->prev = s;
1178         s->prev = (SSL_SESSION *)&(ctx->session_cache_head);
1179         ctx->session_cache_head = s;
1180     }
1181 }
1182 
1183 void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
1184                              int (*cb) (struct ssl_st *ssl, SSL_SESSION *sess))
1185 {
1186     ctx->new_session_cb = cb;
1187 }
1188 
1189 int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx)) (SSL *ssl, SSL_SESSION *sess) {
1190     return ctx->new_session_cb;
1191 }
1192 
1193 void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
1194                                 void (*cb) (SSL_CTX *ctx, SSL_SESSION *sess))
1195 {
1196     ctx->remove_session_cb = cb;
1197 }
1198 
1199 void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx)) (SSL_CTX *ctx,
1200                                                   SSL_SESSION *sess) {
1201     return ctx->remove_session_cb;
1202 }
1203 
1204 void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
1205                              SSL_SESSION *(*cb) (struct ssl_st *ssl,
1206                                                  const unsigned char *data,
1207                                                  int len, int *copy))
1208 {
1209     ctx->get_session_cb = cb;
1210 }
1211 
1212 SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx)) (SSL *ssl,
1213                                                        const unsigned char
1214                                                        *data, int len,
1215                                                        int *copy) {
1216     return ctx->get_session_cb;
1217 }
1218 
1219 void SSL_CTX_set_info_callback(SSL_CTX *ctx,
1220                                void (*cb) (const SSL *ssl, int type, int val))
1221 {
1222     ctx->info_callback = cb;
1223 }
1224 
1225 void (*SSL_CTX_get_info_callback(SSL_CTX *ctx)) (const SSL *ssl, int type,
1226                                                  int val) {
1227     return ctx->info_callback;
1228 }
1229 
1230 void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
1231                                 int (*cb) (SSL *ssl, X509 **x509,
1232                                            EVP_PKEY **pkey))
1233 {
1234     ctx->client_cert_cb = cb;
1235 }
1236 
1237 int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx)) (SSL *ssl, X509 **x509,
1238                                                  EVP_PKEY **pkey) {
1239     return ctx->client_cert_cb;
1240 }
1241 
1242 #ifndef OPENSSL_NO_ENGINE
1243 int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
1244 {
1245     if (!ENGINE_init(e)) {
1246         SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
1247         return 0;
1248     }
1249     if (!ENGINE_get_ssl_client_cert_function(e)) {
1250         SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE,
1251                SSL_R_NO_CLIENT_CERT_METHOD);
1252         ENGINE_finish(e);
1253         return 0;
1254     }
1255     ctx->client_cert_engine = e;
1256     return 1;
1257 }
1258 #endif
1259 
1260 void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
1261                                     int (*cb) (SSL *ssl,
1262                                                unsigned char *cookie,
1263                                                unsigned int *cookie_len))
1264 {
1265     ctx->app_gen_cookie_cb = cb;
1266 }
1267 
1268 void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
1269                                   int (*cb) (SSL *ssl,
1270                                              const unsigned char *cookie,
1271                                              unsigned int cookie_len))
1272 {
1273     ctx->app_verify_cookie_cb = cb;
1274 }
1275 
1276 int SSL_SESSION_set1_ticket_appdata(SSL_SESSION *ss, const void *data, size_t len)
1277 {
1278     OPENSSL_free(ss->ticket_appdata);
1279     ss->ticket_appdata_len = 0;
1280     if (data == NULL || len == 0) {
1281         ss->ticket_appdata = NULL;
1282         return 1;
1283     }
1284     ss->ticket_appdata = OPENSSL_memdup(data, len);
1285     if (ss->ticket_appdata != NULL) {
1286         ss->ticket_appdata_len = len;
1287         return 1;
1288     }
1289     return 0;
1290 }
1291 
1292 int SSL_SESSION_get0_ticket_appdata(SSL_SESSION *ss, void **data, size_t *len)
1293 {
1294     *data = ss->ticket_appdata;
1295     *len = ss->ticket_appdata_len;
1296     return 1;
1297 }
1298 
1299 void SSL_CTX_set_stateless_cookie_generate_cb(
1300     SSL_CTX *ctx,
1301     int (*cb) (SSL *ssl,
1302                unsigned char *cookie,
1303                size_t *cookie_len))
1304 {
1305     ctx->gen_stateless_cookie_cb = cb;
1306 }
1307 
1308 void SSL_CTX_set_stateless_cookie_verify_cb(
1309     SSL_CTX *ctx,
1310     int (*cb) (SSL *ssl,
1311                const unsigned char *cookie,
1312                size_t cookie_len))
1313 {
1314     ctx->verify_stateless_cookie_cb = cb;
1315 }
1316 
1317 IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION)
1318