ssl_sess.c 33 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162
  1. /* ssl/ssl_sess.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. /* ====================================================================
  112. * Copyright 2005 Nokia. All rights reserved.
  113. *
  114. * The portions of the attached software ("Contribution") is developed by
  115. * Nokia Corporation and is licensed pursuant to the OpenSSL open source
  116. * license.
  117. *
  118. * The Contribution, originally written by Mika Kousa and Pasi Eronen of
  119. * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
  120. * support (see RFC 4279) to OpenSSL.
  121. *
  122. * No patent licenses or other rights except those expressly stated in
  123. * the OpenSSL open source license shall be deemed granted or received
  124. * expressly, by implication, estoppel, or otherwise.
  125. *
  126. * No assurances are provided by Nokia that the Contribution does not
  127. * infringe the patent or other intellectual property rights of any third
  128. * party or that the license provides you with all the necessary rights
  129. * to make use of the Contribution.
  130. *
  131. * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
  132. * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
  133. * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
  134. * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
  135. * OTHERWISE.
  136. */
  137. #include <stdio.h>
  138. #include <openssl/lhash.h>
  139. #include <openssl/rand.h>
  140. #ifndef OPENSSL_NO_ENGINE
  141. #include <openssl/engine.h>
  142. #endif
  143. #include "ssl_locl.h"
  144. static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
  145. static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
  146. static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
  147. SSL_SESSION *SSL_get_session(const SSL *ssl)
  148. /* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
  149. {
  150. return(ssl->session);
  151. }
  152. SSL_SESSION *SSL_get1_session(SSL *ssl)
  153. /* variant of SSL_get_session: caller really gets something */
  154. {
  155. SSL_SESSION *sess;
  156. /* Need to lock this all up rather than just use CRYPTO_add so that
  157. * somebody doesn't free ssl->session between when we check it's
  158. * non-null and when we up the reference count. */
  159. CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
  160. sess = ssl->session;
  161. if(sess)
  162. sess->references++;
  163. CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
  164. return(sess);
  165. }
  166. int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
  167. CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
  168. {
  169. return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, argl, argp,
  170. new_func, dup_func, free_func);
  171. }
  172. int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
  173. {
  174. return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
  175. }
  176. void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
  177. {
  178. return(CRYPTO_get_ex_data(&s->ex_data,idx));
  179. }
  180. SSL_SESSION *SSL_SESSION_new(void)
  181. {
  182. SSL_SESSION *ss;
  183. ss=(SSL_SESSION *)OPENSSL_malloc(sizeof(SSL_SESSION));
  184. if (ss == NULL)
  185. {
  186. SSLerr(SSL_F_SSL_SESSION_NEW,ERR_R_MALLOC_FAILURE);
  187. return(0);
  188. }
  189. memset(ss,0,sizeof(SSL_SESSION));
  190. ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
  191. ss->references=1;
  192. ss->timeout=60*5+4; /* 5 minute timeout by default */
  193. ss->time=(unsigned long)time(NULL);
  194. ss->prev=NULL;
  195. ss->next=NULL;
  196. ss->compress_meth=0;
  197. #ifndef OPENSSL_NO_TLSEXT
  198. ss->tlsext_hostname = NULL;
  199. #ifndef OPENSSL_NO_EC
  200. ss->tlsext_ecpointformatlist_length = 0;
  201. ss->tlsext_ecpointformatlist = NULL;
  202. ss->tlsext_ellipticcurvelist_length = 0;
  203. ss->tlsext_ellipticcurvelist = NULL;
  204. #endif
  205. #endif
  206. CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
  207. #ifndef OPENSSL_NO_PSK
  208. ss->psk_identity_hint=NULL;
  209. ss->psk_identity=NULL;
  210. #endif
  211. #ifndef OPENSSL_NO_SRP
  212. ss->srp_username=NULL;
  213. #endif
  214. return(ss);
  215. }
  216. const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
  217. {
  218. if(len)
  219. *len = s->session_id_length;
  220. return s->session_id;
  221. }
  222. /* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
  223. * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly
  224. * until we have no conflict is going to complete in one iteration pretty much
  225. * "most" of the time (btw: understatement). So, if it takes us 10 iterations
  226. * and we still can't avoid a conflict - well that's a reasonable point to call
  227. * it quits. Either the RAND code is broken or someone is trying to open roughly
  228. * very close to 2^128 (or 2^256) SSL sessions to our server. How you might
  229. * store that many sessions is perhaps a more interesting question ... */
  230. #define MAX_SESS_ID_ATTEMPTS 10
  231. static int def_generate_session_id(const SSL *ssl, unsigned char *id,
  232. unsigned int *id_len)
  233. {
  234. unsigned int retry = 0;
  235. do
  236. if (RAND_pseudo_bytes(id, *id_len) <= 0)
  237. return 0;
  238. while(SSL_has_matching_session_id(ssl, id, *id_len) &&
  239. (++retry < MAX_SESS_ID_ATTEMPTS));
  240. if(retry < MAX_SESS_ID_ATTEMPTS)
  241. return 1;
  242. /* else - woops a session_id match */
  243. /* XXX We should also check the external cache --
  244. * but the probability of a collision is negligible, and
  245. * we could not prevent the concurrent creation of sessions
  246. * with identical IDs since we currently don't have means
  247. * to atomically check whether a session ID already exists
  248. * and make a reservation for it if it does not
  249. * (this problem applies to the internal cache as well).
  250. */
  251. return 0;
  252. }
  253. int ssl_get_new_session(SSL *s, int session)
  254. {
  255. /* This gets used by clients and servers. */
  256. unsigned int tmp;
  257. SSL_SESSION *ss=NULL;
  258. GEN_SESSION_CB cb = def_generate_session_id;
  259. if ((ss=SSL_SESSION_new()) == NULL) return(0);
  260. /* If the context has a default timeout, use it */
  261. if (s->session_ctx->session_timeout == 0)
  262. ss->timeout=SSL_get_default_timeout(s);
  263. else
  264. ss->timeout=s->session_ctx->session_timeout;
  265. if (s->session != NULL)
  266. {
  267. SSL_SESSION_free(s->session);
  268. s->session=NULL;
  269. }
  270. if (session)
  271. {
  272. if (s->version == SSL2_VERSION)
  273. {
  274. ss->ssl_version=SSL2_VERSION;
  275. ss->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
  276. }
  277. else if (s->version == SSL3_VERSION)
  278. {
  279. ss->ssl_version=SSL3_VERSION;
  280. ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
  281. }
  282. else if (s->version == TLS1_VERSION)
  283. {
  284. ss->ssl_version=TLS1_VERSION;
  285. ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
  286. }
  287. else if (s->version == TLS1_1_VERSION)
  288. {
  289. ss->ssl_version=TLS1_1_VERSION;
  290. ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
  291. }
  292. else if (s->version == TLS1_2_VERSION)
  293. {
  294. ss->ssl_version=TLS1_2_VERSION;
  295. ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
  296. }
  297. else if (s->version == DTLS1_BAD_VER)
  298. {
  299. ss->ssl_version=DTLS1_BAD_VER;
  300. ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
  301. }
  302. else if (s->version == DTLS1_VERSION)
  303. {
  304. ss->ssl_version=DTLS1_VERSION;
  305. ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
  306. }
  307. else
  308. {
  309. SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
  310. SSL_SESSION_free(ss);
  311. return(0);
  312. }
  313. #ifndef OPENSSL_NO_TLSEXT
  314. /* If RFC4507 ticket use empty session ID */
  315. if (s->tlsext_ticket_expected)
  316. {
  317. ss->session_id_length = 0;
  318. goto sess_id_done;
  319. }
  320. #endif
  321. /* Choose which callback will set the session ID */
  322. CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
  323. if(s->generate_session_id)
  324. cb = s->generate_session_id;
  325. else if(s->session_ctx->generate_session_id)
  326. cb = s->session_ctx->generate_session_id;
  327. CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
  328. /* Choose a session ID */
  329. tmp = ss->session_id_length;
  330. if(!cb(s, ss->session_id, &tmp))
  331. {
  332. /* The callback failed */
  333. SSLerr(SSL_F_SSL_GET_NEW_SESSION,
  334. SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);
  335. SSL_SESSION_free(ss);
  336. return(0);
  337. }
  338. /* Don't allow the callback to set the session length to zero.
  339. * nor set it higher than it was. */
  340. if(!tmp || (tmp > ss->session_id_length))
  341. {
  342. /* The callback set an illegal length */
  343. SSLerr(SSL_F_SSL_GET_NEW_SESSION,
  344. SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);
  345. SSL_SESSION_free(ss);
  346. return(0);
  347. }
  348. /* If the session length was shrunk and we're SSLv2, pad it */
  349. if((tmp < ss->session_id_length) && (s->version == SSL2_VERSION))
  350. memset(ss->session_id + tmp, 0, ss->session_id_length - tmp);
  351. else
  352. ss->session_id_length = tmp;
  353. /* Finally, check for a conflict */
  354. if(SSL_has_matching_session_id(s, ss->session_id,
  355. ss->session_id_length))
  356. {
  357. SSLerr(SSL_F_SSL_GET_NEW_SESSION,
  358. SSL_R_SSL_SESSION_ID_CONFLICT);
  359. SSL_SESSION_free(ss);
  360. return(0);
  361. }
  362. #ifndef OPENSSL_NO_TLSEXT
  363. sess_id_done:
  364. if (s->tlsext_hostname) {
  365. ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
  366. if (ss->tlsext_hostname == NULL) {
  367. SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
  368. SSL_SESSION_free(ss);
  369. return 0;
  370. }
  371. }
  372. #ifndef OPENSSL_NO_EC
  373. if (s->tlsext_ecpointformatlist)
  374. {
  375. if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist);
  376. if ((ss->tlsext_ecpointformatlist = OPENSSL_malloc(s->tlsext_ecpointformatlist_length)) == NULL)
  377. {
  378. SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
  379. SSL_SESSION_free(ss);
  380. return 0;
  381. }
  382. ss->tlsext_ecpointformatlist_length = s->tlsext_ecpointformatlist_length;
  383. memcpy(ss->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
  384. }
  385. if (s->tlsext_ellipticcurvelist)
  386. {
  387. if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist);
  388. if ((ss->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
  389. {
  390. SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
  391. SSL_SESSION_free(ss);
  392. return 0;
  393. }
  394. ss->tlsext_ellipticcurvelist_length = s->tlsext_ellipticcurvelist_length;
  395. memcpy(ss->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
  396. }
  397. #endif
  398. #endif
  399. }
  400. else
  401. {
  402. ss->session_id_length=0;
  403. }
  404. if (s->sid_ctx_length > sizeof ss->sid_ctx)
  405. {
  406. SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
  407. SSL_SESSION_free(ss);
  408. return 0;
  409. }
  410. memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
  411. ss->sid_ctx_length=s->sid_ctx_length;
  412. s->session=ss;
  413. ss->ssl_version=s->version;
  414. ss->verify_result = X509_V_OK;
  415. return(1);
  416. }
  417. /* ssl_get_prev attempts to find an SSL_SESSION to be used to resume this
  418. * connection. It is only called by servers.
  419. *
  420. * session_id: points at the session ID in the ClientHello. This code will
  421. * read past the end of this in order to parse out the session ticket
  422. * extension, if any.
  423. * len: the length of the session ID.
  424. * limit: a pointer to the first byte after the ClientHello.
  425. *
  426. * Returns:
  427. * -1: error
  428. * 0: a session may have been found.
  429. *
  430. * Side effects:
  431. * - If a session is found then s->session is pointed at it (after freeing an
  432. * existing session if need be) and s->verify_result is set from the session.
  433. * - Both for new and resumed sessions, s->tlsext_ticket_expected is set to 1
  434. * if the server should issue a new session ticket (to 0 otherwise).
  435. */
  436. int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
  437. const unsigned char *limit)
  438. {
  439. /* This is used only by servers. */
  440. SSL_SESSION *ret=NULL;
  441. int fatal = 0;
  442. int try_session_cache = 1;
  443. #ifndef OPENSSL_NO_TLSEXT
  444. int r;
  445. #endif
  446. if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
  447. goto err;
  448. if (len == 0)
  449. try_session_cache = 0;
  450. #ifndef OPENSSL_NO_TLSEXT
  451. r = tls1_process_ticket(s, session_id, len, limit, &ret); /* sets s->tlsext_ticket_expected */
  452. switch (r)
  453. {
  454. case -1: /* Error during processing */
  455. fatal = 1;
  456. goto err;
  457. case 0: /* No ticket found */
  458. case 1: /* Zero length ticket found */
  459. break; /* Ok to carry on processing session id. */
  460. case 2: /* Ticket found but not decrypted. */
  461. case 3: /* Ticket decrypted, *ret has been set. */
  462. try_session_cache = 0;
  463. break;
  464. default:
  465. abort();
  466. }
  467. #endif
  468. if (try_session_cache &&
  469. ret == NULL &&
  470. !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
  471. {
  472. SSL_SESSION data;
  473. data.ssl_version=s->version;
  474. data.session_id_length=len;
  475. if (len == 0)
  476. return 0;
  477. memcpy(data.session_id,session_id,len);
  478. CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
  479. ret=lh_SSL_SESSION_retrieve(s->session_ctx->sessions,&data);
  480. if (ret != NULL)
  481. {
  482. /* don't allow other threads to steal it: */
  483. CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
  484. }
  485. CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
  486. if (ret == NULL)
  487. s->session_ctx->stats.sess_miss++;
  488. }
  489. if (try_session_cache &&
  490. ret == NULL &&
  491. s->session_ctx->get_session_cb != NULL)
  492. {
  493. int copy=1;
  494. if ((ret=s->session_ctx->get_session_cb(s,session_id,len,&copy)))
  495. {
  496. s->session_ctx->stats.sess_cb_hit++;
  497. /* Increment reference count now if the session callback
  498. * asks us to do so (note that if the session structures
  499. * returned by the callback are shared between threads,
  500. * it must handle the reference count itself [i.e. copy == 0],
  501. * or things won't be thread-safe). */
  502. if (copy)
  503. CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
  504. /* Add the externally cached session to the internal
  505. * cache as well if and only if we are supposed to. */
  506. if(!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
  507. /* The following should not return 1, otherwise,
  508. * things are very strange */
  509. SSL_CTX_add_session(s->session_ctx,ret);
  510. }
  511. }
  512. if (ret == NULL)
  513. goto err;
  514. /* Now ret is non-NULL and we own one of its reference counts. */
  515. if (ret->sid_ctx_length != s->sid_ctx_length
  516. || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length))
  517. {
  518. /* We have the session requested by the client, but we don't
  519. * want to use it in this context. */
  520. goto err; /* treat like cache miss */
  521. }
  522. if((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0)
  523. {
  524. /* We can't be sure if this session is being used out of
  525. * context, which is especially important for SSL_VERIFY_PEER.
  526. * The application should have used SSL[_CTX]_set_session_id_context.
  527. *
  528. * For this error case, we generate an error instead of treating
  529. * the event like a cache miss (otherwise it would be easy for
  530. * applications to effectively disable the session cache by
  531. * accident without anyone noticing).
  532. */
  533. SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
  534. fatal = 1;
  535. goto err;
  536. }
  537. if (ret->cipher == NULL)
  538. {
  539. unsigned char buf[5],*p;
  540. unsigned long l;
  541. p=buf;
  542. l=ret->cipher_id;
  543. l2n(l,p);
  544. if ((ret->ssl_version>>8) >= SSL3_VERSION_MAJOR)
  545. ret->cipher=ssl_get_cipher_by_char(s,&(buf[2]));
  546. else
  547. ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));
  548. if (ret->cipher == NULL)
  549. goto err;
  550. }
  551. if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */
  552. {
  553. s->session_ctx->stats.sess_timeout++;
  554. if (try_session_cache)
  555. {
  556. /* session was from the cache, so remove it */
  557. SSL_CTX_remove_session(s->session_ctx,ret);
  558. }
  559. goto err;
  560. }
  561. s->session_ctx->stats.sess_hit++;
  562. if (s->session != NULL)
  563. SSL_SESSION_free(s->session);
  564. s->session=ret;
  565. s->verify_result = s->session->verify_result;
  566. return 1;
  567. err:
  568. if (ret != NULL)
  569. {
  570. SSL_SESSION_free(ret);
  571. if (!try_session_cache)
  572. {
  573. /* The session was from a ticket, so we should
  574. * issue a ticket for the new session */
  575. s->tlsext_ticket_expected = 1;
  576. }
  577. }
  578. if (fatal)
  579. return -1;
  580. else
  581. return 0;
  582. }
  583. int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
  584. {
  585. int ret=0;
  586. SSL_SESSION *s;
  587. /* add just 1 reference count for the SSL_CTX's session cache
  588. * even though it has two ways of access: each session is in a
  589. * doubly linked list and an lhash */
  590. CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION);
  591. /* if session c is in already in cache, we take back the increment later */
  592. CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
  593. s=lh_SSL_SESSION_insert(ctx->sessions,c);
  594. /* s != NULL iff we already had a session with the given PID.
  595. * In this case, s == c should hold (then we did not really modify
  596. * ctx->sessions), or we're in trouble. */
  597. if (s != NULL && s != c)
  598. {
  599. /* We *are* in trouble ... */
  600. SSL_SESSION_list_remove(ctx,s);
  601. SSL_SESSION_free(s);
  602. /* ... so pretend the other session did not exist in cache
  603. * (we cannot handle two SSL_SESSION structures with identical
  604. * session ID in the same cache, which could happen e.g. when
  605. * two threads concurrently obtain the same session from an external
  606. * cache) */
  607. s = NULL;
  608. }
  609. /* Put at the head of the queue unless it is already in the cache */
  610. if (s == NULL)
  611. SSL_SESSION_list_add(ctx,c);
  612. if (s != NULL)
  613. {
  614. /* existing cache entry -- decrement previously incremented reference
  615. * count because it already takes into account the cache */
  616. SSL_SESSION_free(s); /* s == c */
  617. ret=0;
  618. }
  619. else
  620. {
  621. /* new cache entry -- remove old ones if cache has become too large */
  622. ret=1;
  623. if (SSL_CTX_sess_get_cache_size(ctx) > 0)
  624. {
  625. while (SSL_CTX_sess_number(ctx) >
  626. SSL_CTX_sess_get_cache_size(ctx))
  627. {
  628. if (!remove_session_lock(ctx,
  629. ctx->session_cache_tail, 0))
  630. break;
  631. else
  632. ctx->stats.sess_cache_full++;
  633. }
  634. }
  635. }
  636. CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
  637. return(ret);
  638. }
  639. int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c)
  640. {
  641. return remove_session_lock(ctx, c, 1);
  642. }
  643. static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
  644. {
  645. SSL_SESSION *r;
  646. int ret=0;
  647. if ((c != NULL) && (c->session_id_length != 0))
  648. {
  649. if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
  650. if ((r = lh_SSL_SESSION_retrieve(ctx->sessions,c)) == c)
  651. {
  652. ret=1;
  653. r=lh_SSL_SESSION_delete(ctx->sessions,c);
  654. SSL_SESSION_list_remove(ctx,c);
  655. }
  656. if(lck) CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
  657. if (ret)
  658. {
  659. r->not_resumable=1;
  660. if (ctx->remove_session_cb != NULL)
  661. ctx->remove_session_cb(ctx,r);
  662. SSL_SESSION_free(r);
  663. }
  664. }
  665. else
  666. ret=0;
  667. return(ret);
  668. }
  669. void SSL_SESSION_free(SSL_SESSION *ss)
  670. {
  671. int i;
  672. if(ss == NULL)
  673. return;
  674. i=CRYPTO_add(&ss->references,-1,CRYPTO_LOCK_SSL_SESSION);
  675. #ifdef REF_PRINT
  676. REF_PRINT("SSL_SESSION",ss);
  677. #endif
  678. if (i > 0) return;
  679. #ifdef REF_CHECK
  680. if (i < 0)
  681. {
  682. fprintf(stderr,"SSL_SESSION_free, bad reference count\n");
  683. abort(); /* ok */
  684. }
  685. #endif
  686. CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
  687. OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg);
  688. OPENSSL_cleanse(ss->master_key,sizeof ss->master_key);
  689. OPENSSL_cleanse(ss->session_id,sizeof ss->session_id);
  690. if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
  691. if (ss->peer != NULL) X509_free(ss->peer);
  692. if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
  693. #ifndef OPENSSL_NO_TLSEXT
  694. if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);
  695. if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick);
  696. #ifndef OPENSSL_NO_EC
  697. ss->tlsext_ecpointformatlist_length = 0;
  698. if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist);
  699. ss->tlsext_ellipticcurvelist_length = 0;
  700. if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist);
  701. #endif /* OPENSSL_NO_EC */
  702. #endif
  703. #ifndef OPENSSL_NO_PSK
  704. if (ss->psk_identity_hint != NULL)
  705. OPENSSL_free(ss->psk_identity_hint);
  706. if (ss->psk_identity != NULL)
  707. OPENSSL_free(ss->psk_identity);
  708. #endif
  709. #ifndef OPENSSL_NO_SRP
  710. if (ss->srp_username != NULL)
  711. OPENSSL_free(ss->srp_username);
  712. #endif
  713. OPENSSL_cleanse(ss,sizeof(*ss));
  714. OPENSSL_free(ss);
  715. }
  716. int SSL_set_session(SSL *s, SSL_SESSION *session)
  717. {
  718. int ret=0;
  719. const SSL_METHOD *meth;
  720. if (session != NULL)
  721. {
  722. meth=s->ctx->method->get_ssl_method(session->ssl_version);
  723. if (meth == NULL)
  724. meth=s->method->get_ssl_method(session->ssl_version);
  725. if (meth == NULL)
  726. {
  727. SSLerr(SSL_F_SSL_SET_SESSION,SSL_R_UNABLE_TO_FIND_SSL_METHOD);
  728. return(0);
  729. }
  730. if (meth != s->method)
  731. {
  732. if (!SSL_set_ssl_method(s,meth))
  733. return(0);
  734. }
  735. #ifndef OPENSSL_NO_KRB5
  736. if (s->kssl_ctx && !s->kssl_ctx->client_princ &&
  737. session->krb5_client_princ_len > 0)
  738. {
  739. s->kssl_ctx->client_princ = (char *)OPENSSL_malloc(session->krb5_client_princ_len + 1);
  740. memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ,
  741. session->krb5_client_princ_len);
  742. s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';
  743. }
  744. #endif /* OPENSSL_NO_KRB5 */
  745. /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
  746. CRYPTO_add(&session->references,1,CRYPTO_LOCK_SSL_SESSION);
  747. if (s->session != NULL)
  748. SSL_SESSION_free(s->session);
  749. s->session=session;
  750. s->verify_result = s->session->verify_result;
  751. /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
  752. ret=1;
  753. }
  754. else
  755. {
  756. if (s->session != NULL)
  757. {
  758. SSL_SESSION_free(s->session);
  759. s->session=NULL;
  760. }
  761. meth=s->ctx->method;
  762. if (meth != s->method)
  763. {
  764. if (!SSL_set_ssl_method(s,meth))
  765. return(0);
  766. }
  767. ret=1;
  768. }
  769. return(ret);
  770. }
  771. long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
  772. {
  773. if (s == NULL) return(0);
  774. s->timeout=t;
  775. return(1);
  776. }
  777. long SSL_SESSION_get_timeout(const SSL_SESSION *s)
  778. {
  779. if (s == NULL) return(0);
  780. return(s->timeout);
  781. }
  782. long SSL_SESSION_get_time(const SSL_SESSION *s)
  783. {
  784. if (s == NULL) return(0);
  785. return(s->time);
  786. }
  787. long SSL_SESSION_set_time(SSL_SESSION *s, long t)
  788. {
  789. if (s == NULL) return(0);
  790. s->time=t;
  791. return(t);
  792. }
  793. unsigned int SSL_SESSION_get_id_len(SSL_SESSION *s)
  794. {
  795. return s->session_id_length;
  796. }
  797. const unsigned char *SSL_SESSION_get0_id(SSL_SESSION *s)
  798. {
  799. return s->session_id;
  800. }
  801. X509 *SSL_SESSION_get0_peer(SSL_SESSION *s)
  802. {
  803. return s->peer;
  804. }
  805. int SSL_SESSION_set1_id_context(SSL_SESSION *s,const unsigned char *sid_ctx,
  806. unsigned int sid_ctx_len)
  807. {
  808. if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
  809. {
  810. SSLerr(SSL_F_SSL_SESSION_SET1_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
  811. return 0;
  812. }
  813. s->sid_ctx_length=sid_ctx_len;
  814. memcpy(s->sid_ctx,sid_ctx,sid_ctx_len);
  815. return 1;
  816. }
  817. long SSL_CTX_set_timeout(SSL_CTX *s, long t)
  818. {
  819. long l;
  820. if (s == NULL) return(0);
  821. l=s->session_timeout;
  822. s->session_timeout=t;
  823. return(l);
  824. }
  825. long SSL_CTX_get_timeout(const SSL_CTX *s)
  826. {
  827. if (s == NULL) return(0);
  828. return(s->session_timeout);
  829. }
  830. #ifndef OPENSSL_NO_TLSEXT
  831. int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
  832. STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
  833. {
  834. if (s == NULL) return(0);
  835. s->tls_session_secret_cb = tls_session_secret_cb;
  836. s->tls_session_secret_cb_arg = arg;
  837. return(1);
  838. }
  839. int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
  840. void *arg)
  841. {
  842. if (s == NULL) return(0);
  843. s->tls_session_ticket_ext_cb = cb;
  844. s->tls_session_ticket_ext_cb_arg = arg;
  845. return(1);
  846. }
  847. int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
  848. {
  849. if (s->version >= TLS1_VERSION)
  850. {
  851. if (s->tlsext_session_ticket)
  852. {
  853. OPENSSL_free(s->tlsext_session_ticket);
  854. s->tlsext_session_ticket = NULL;
  855. }
  856. s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
  857. if (!s->tlsext_session_ticket)
  858. {
  859. SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
  860. return 0;
  861. }
  862. if (ext_data)
  863. {
  864. s->tlsext_session_ticket->length = ext_len;
  865. s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
  866. memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
  867. }
  868. else
  869. {
  870. s->tlsext_session_ticket->length = 0;
  871. s->tlsext_session_ticket->data = NULL;
  872. }
  873. return 1;
  874. }
  875. return 0;
  876. }
  877. #endif /* OPENSSL_NO_TLSEXT */
  878. typedef struct timeout_param_st
  879. {
  880. SSL_CTX *ctx;
  881. long time;
  882. LHASH_OF(SSL_SESSION) *cache;
  883. } TIMEOUT_PARAM;
  884. static void timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p)
  885. {
  886. if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */
  887. {
  888. /* The reason we don't call SSL_CTX_remove_session() is to
  889. * save on locking overhead */
  890. (void)lh_SSL_SESSION_delete(p->cache,s);
  891. SSL_SESSION_list_remove(p->ctx,s);
  892. s->not_resumable=1;
  893. if (p->ctx->remove_session_cb != NULL)
  894. p->ctx->remove_session_cb(p->ctx,s);
  895. SSL_SESSION_free(s);
  896. }
  897. }
  898. static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION, TIMEOUT_PARAM)
  899. void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
  900. {
  901. unsigned long i;
  902. TIMEOUT_PARAM tp;
  903. tp.ctx=s;
  904. tp.cache=s->sessions;
  905. if (tp.cache == NULL) return;
  906. tp.time=t;
  907. CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
  908. i=CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load;
  909. CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=0;
  910. lh_SSL_SESSION_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout),
  911. TIMEOUT_PARAM, &tp);
  912. CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=i;
  913. CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
  914. }
  915. int ssl_clear_bad_session(SSL *s)
  916. {
  917. if ( (s->session != NULL) &&
  918. !(s->shutdown & SSL_SENT_SHUTDOWN) &&
  919. !(SSL_in_init(s) || SSL_in_before(s)))
  920. {
  921. SSL_CTX_remove_session(s->ctx,s->session);
  922. return(1);
  923. }
  924. else
  925. return(0);
  926. }
  927. /* locked by SSL_CTX in the calling function */
  928. static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
  929. {
  930. if ((s->next == NULL) || (s->prev == NULL)) return;
  931. if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
  932. { /* last element in list */
  933. if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
  934. { /* only one element in list */
  935. ctx->session_cache_head=NULL;
  936. ctx->session_cache_tail=NULL;
  937. }
  938. else
  939. {
  940. ctx->session_cache_tail=s->prev;
  941. s->prev->next=(SSL_SESSION *)&(ctx->session_cache_tail);
  942. }
  943. }
  944. else
  945. {
  946. if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
  947. { /* first element in list */
  948. ctx->session_cache_head=s->next;
  949. s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head);
  950. }
  951. else
  952. { /* middle of list */
  953. s->next->prev=s->prev;
  954. s->prev->next=s->next;
  955. }
  956. }
  957. s->prev=s->next=NULL;
  958. }
  959. static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
  960. {
  961. if ((s->next != NULL) && (s->prev != NULL))
  962. SSL_SESSION_list_remove(ctx,s);
  963. if (ctx->session_cache_head == NULL)
  964. {
  965. ctx->session_cache_head=s;
  966. ctx->session_cache_tail=s;
  967. s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
  968. s->next=(SSL_SESSION *)&(ctx->session_cache_tail);
  969. }
  970. else
  971. {
  972. s->next=ctx->session_cache_head;
  973. s->next->prev=s;
  974. s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
  975. ctx->session_cache_head=s;
  976. }
  977. }
  978. void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
  979. int (*cb)(struct ssl_st *ssl,SSL_SESSION *sess))
  980. {
  981. ctx->new_session_cb=cb;
  982. }
  983. int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess)
  984. {
  985. return ctx->new_session_cb;
  986. }
  987. void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
  988. void (*cb)(SSL_CTX *ctx,SSL_SESSION *sess))
  989. {
  990. ctx->remove_session_cb=cb;
  991. }
  992. void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx,SSL_SESSION *sess)
  993. {
  994. return ctx->remove_session_cb;
  995. }
  996. void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
  997. SSL_SESSION *(*cb)(struct ssl_st *ssl,
  998. unsigned char *data,int len,int *copy))
  999. {
  1000. ctx->get_session_cb=cb;
  1001. }
  1002. SSL_SESSION * (*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl,
  1003. unsigned char *data,int len,int *copy)
  1004. {
  1005. return ctx->get_session_cb;
  1006. }
  1007. void SSL_CTX_set_info_callback(SSL_CTX *ctx,
  1008. void (*cb)(const SSL *ssl,int type,int val))
  1009. {
  1010. ctx->info_callback=cb;
  1011. }
  1012. void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val)
  1013. {
  1014. return ctx->info_callback;
  1015. }
  1016. void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
  1017. int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey))
  1018. {
  1019. ctx->client_cert_cb=cb;
  1020. }
  1021. int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PKEY **pkey)
  1022. {
  1023. return ctx->client_cert_cb;
  1024. }
  1025. #ifndef OPENSSL_NO_ENGINE
  1026. int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
  1027. {
  1028. if (!ENGINE_init(e))
  1029. {
  1030. SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
  1031. return 0;
  1032. }
  1033. if(!ENGINE_get_ssl_client_cert_function(e))
  1034. {
  1035. SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, SSL_R_NO_CLIENT_CERT_METHOD);
  1036. ENGINE_finish(e);
  1037. return 0;
  1038. }
  1039. ctx->client_cert_engine = e;
  1040. return 1;
  1041. }
  1042. #endif
  1043. void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
  1044. int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))
  1045. {
  1046. ctx->app_gen_cookie_cb=cb;
  1047. }
  1048. void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
  1049. int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len))
  1050. {
  1051. ctx->app_verify_cookie_cb=cb;
  1052. }
  1053. IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION)