ssl_sess.c 32 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100
  1. /* ssl/ssl_sess.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. /* ====================================================================
  112. * Copyright 2005 Nokia. All rights reserved.
  113. *
  114. * The portions of the attached software ("Contribution") is developed by
  115. * Nokia Corporation and is licensed pursuant to the OpenSSL open source
  116. * license.
  117. *
  118. * The Contribution, originally written by Mika Kousa and Pasi Eronen of
  119. * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
  120. * support (see RFC 4279) to OpenSSL.
  121. *
  122. * No patent licenses or other rights except those expressly stated in
  123. * the OpenSSL open source license shall be deemed granted or received
  124. * expressly, by implication, estoppel, or otherwise.
  125. *
  126. * No assurances are provided by Nokia that the Contribution does not
  127. * infringe the patent or other intellectual property rights of any third
  128. * party or that the license provides you with all the necessary rights
  129. * to make use of the Contribution.
  130. *
  131. * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
  132. * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
  133. * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
  134. * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
  135. * OTHERWISE.
  136. */
  137. #include <stdio.h>
  138. #include <openssl/lhash.h>
  139. #include <openssl/rand.h>
  140. #ifndef OPENSSL_NO_ENGINE
  141. #include <openssl/engine.h>
  142. #endif
  143. #include "ssl_locl.h"
  144. static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
  145. static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
  146. static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
  147. SSL_SESSION *SSL_get_session(const SSL *ssl)
  148. /* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
  149. {
  150. return(ssl->session);
  151. }
  152. SSL_SESSION *SSL_get1_session(SSL *ssl)
  153. /* variant of SSL_get_session: caller really gets something */
  154. {
  155. SSL_SESSION *sess;
  156. /* Need to lock this all up rather than just use CRYPTO_add so that
  157. * somebody doesn't free ssl->session between when we check it's
  158. * non-null and when we up the reference count. */
  159. CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
  160. sess = ssl->session;
  161. if(sess)
  162. sess->references++;
  163. CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
  164. return(sess);
  165. }
  166. int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
  167. CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
  168. {
  169. return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, argl, argp,
  170. new_func, dup_func, free_func);
  171. }
  172. int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
  173. {
  174. return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
  175. }
  176. void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
  177. {
  178. return(CRYPTO_get_ex_data(&s->ex_data,idx));
  179. }
  180. SSL_SESSION *SSL_SESSION_new(void)
  181. {
  182. SSL_SESSION *ss;
  183. ss=(SSL_SESSION *)OPENSSL_malloc(sizeof(SSL_SESSION));
  184. if (ss == NULL)
  185. {
  186. SSLerr(SSL_F_SSL_SESSION_NEW,ERR_R_MALLOC_FAILURE);
  187. return(0);
  188. }
  189. memset(ss,0,sizeof(SSL_SESSION));
  190. ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
  191. ss->references=1;
  192. ss->timeout=60*5+4; /* 5 minute timeout by default */
  193. ss->time=(unsigned long)time(NULL);
  194. ss->prev=NULL;
  195. ss->next=NULL;
  196. ss->compress_meth=0;
  197. #ifndef OPENSSL_NO_TLSEXT
  198. ss->tlsext_hostname = NULL;
  199. #ifndef OPENSSL_NO_EC
  200. ss->tlsext_ecpointformatlist_length = 0;
  201. ss->tlsext_ecpointformatlist = NULL;
  202. ss->tlsext_ellipticcurvelist_length = 0;
  203. ss->tlsext_ellipticcurvelist = NULL;
  204. #endif
  205. #endif
  206. CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
  207. #ifndef OPENSSL_NO_PSK
  208. ss->psk_identity_hint=NULL;
  209. ss->psk_identity=NULL;
  210. #endif
  211. return(ss);
  212. }
  213. const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
  214. {
  215. if(len)
  216. *len = s->session_id_length;
  217. return s->session_id;
  218. }
  219. /* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
  220. * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly
  221. * until we have no conflict is going to complete in one iteration pretty much
  222. * "most" of the time (btw: understatement). So, if it takes us 10 iterations
  223. * and we still can't avoid a conflict - well that's a reasonable point to call
  224. * it quits. Either the RAND code is broken or someone is trying to open roughly
  225. * very close to 2^128 (or 2^256) SSL sessions to our server. How you might
  226. * store that many sessions is perhaps a more interesting question ... */
  227. #define MAX_SESS_ID_ATTEMPTS 10
  228. static int def_generate_session_id(const SSL *ssl, unsigned char *id,
  229. unsigned int *id_len)
  230. {
  231. unsigned int retry = 0;
  232. do
  233. if (RAND_pseudo_bytes(id, *id_len) <= 0)
  234. return 0;
  235. while(SSL_has_matching_session_id(ssl, id, *id_len) &&
  236. (++retry < MAX_SESS_ID_ATTEMPTS));
  237. if(retry < MAX_SESS_ID_ATTEMPTS)
  238. return 1;
  239. /* else - woops a session_id match */
  240. /* XXX We should also check the external cache --
  241. * but the probability of a collision is negligible, and
  242. * we could not prevent the concurrent creation of sessions
  243. * with identical IDs since we currently don't have means
  244. * to atomically check whether a session ID already exists
  245. * and make a reservation for it if it does not
  246. * (this problem applies to the internal cache as well).
  247. */
  248. return 0;
  249. }
  250. int ssl_get_new_session(SSL *s, int session)
  251. {
  252. /* This gets used by clients and servers. */
  253. unsigned int tmp;
  254. SSL_SESSION *ss=NULL;
  255. GEN_SESSION_CB cb = def_generate_session_id;
  256. if ((ss=SSL_SESSION_new()) == NULL) return(0);
  257. /* If the context has a default timeout, use it */
  258. if (s->session_ctx->session_timeout == 0)
  259. ss->timeout=SSL_get_default_timeout(s);
  260. else
  261. ss->timeout=s->session_ctx->session_timeout;
  262. if (s->session != NULL)
  263. {
  264. SSL_SESSION_free(s->session);
  265. s->session=NULL;
  266. }
  267. if (session)
  268. {
  269. if (s->version == SSL2_VERSION)
  270. {
  271. ss->ssl_version=SSL2_VERSION;
  272. ss->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
  273. }
  274. else if (s->version == SSL3_VERSION)
  275. {
  276. ss->ssl_version=SSL3_VERSION;
  277. ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
  278. }
  279. else if (s->version == TLS1_VERSION)
  280. {
  281. ss->ssl_version=TLS1_VERSION;
  282. ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
  283. }
  284. else if (s->version == TLS1_1_VERSION)
  285. {
  286. ss->ssl_version=TLS1_1_VERSION;
  287. ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
  288. }
  289. else if (s->version == DTLS1_BAD_VER)
  290. {
  291. ss->ssl_version=DTLS1_BAD_VER;
  292. ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
  293. }
  294. else if (s->version == DTLS1_VERSION)
  295. {
  296. ss->ssl_version=DTLS1_VERSION;
  297. ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
  298. }
  299. else
  300. {
  301. SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
  302. SSL_SESSION_free(ss);
  303. return(0);
  304. }
  305. #ifndef OPENSSL_NO_TLSEXT
  306. /* If RFC4507 ticket use empty session ID */
  307. if (s->tlsext_ticket_expected)
  308. {
  309. ss->session_id_length = 0;
  310. goto sess_id_done;
  311. }
  312. #endif
  313. /* Choose which callback will set the session ID */
  314. CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
  315. if(s->generate_session_id)
  316. cb = s->generate_session_id;
  317. else if(s->session_ctx->generate_session_id)
  318. cb = s->session_ctx->generate_session_id;
  319. CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
  320. /* Choose a session ID */
  321. tmp = ss->session_id_length;
  322. if(!cb(s, ss->session_id, &tmp))
  323. {
  324. /* The callback failed */
  325. SSLerr(SSL_F_SSL_GET_NEW_SESSION,
  326. SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);
  327. SSL_SESSION_free(ss);
  328. return(0);
  329. }
  330. /* Don't allow the callback to set the session length to zero.
  331. * nor set it higher than it was. */
  332. if(!tmp || (tmp > ss->session_id_length))
  333. {
  334. /* The callback set an illegal length */
  335. SSLerr(SSL_F_SSL_GET_NEW_SESSION,
  336. SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);
  337. SSL_SESSION_free(ss);
  338. return(0);
  339. }
  340. /* If the session length was shrunk and we're SSLv2, pad it */
  341. if((tmp < ss->session_id_length) && (s->version == SSL2_VERSION))
  342. memset(ss->session_id + tmp, 0, ss->session_id_length - tmp);
  343. else
  344. ss->session_id_length = tmp;
  345. /* Finally, check for a conflict */
  346. if(SSL_has_matching_session_id(s, ss->session_id,
  347. ss->session_id_length))
  348. {
  349. SSLerr(SSL_F_SSL_GET_NEW_SESSION,
  350. SSL_R_SSL_SESSION_ID_CONFLICT);
  351. SSL_SESSION_free(ss);
  352. return(0);
  353. }
  354. #ifndef OPENSSL_NO_TLSEXT
  355. sess_id_done:
  356. if (s->tlsext_hostname) {
  357. ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
  358. if (ss->tlsext_hostname == NULL) {
  359. SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
  360. SSL_SESSION_free(ss);
  361. return 0;
  362. }
  363. }
  364. #ifndef OPENSSL_NO_EC
  365. if (s->tlsext_ecpointformatlist)
  366. {
  367. if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist);
  368. if ((ss->tlsext_ecpointformatlist = OPENSSL_malloc(s->tlsext_ecpointformatlist_length)) == NULL)
  369. {
  370. SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
  371. SSL_SESSION_free(ss);
  372. return 0;
  373. }
  374. ss->tlsext_ecpointformatlist_length = s->tlsext_ecpointformatlist_length;
  375. memcpy(ss->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
  376. }
  377. if (s->tlsext_ellipticcurvelist)
  378. {
  379. if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist);
  380. if ((ss->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
  381. {
  382. SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
  383. SSL_SESSION_free(ss);
  384. return 0;
  385. }
  386. ss->tlsext_ellipticcurvelist_length = s->tlsext_ellipticcurvelist_length;
  387. memcpy(ss->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
  388. }
  389. #endif
  390. #endif
  391. }
  392. else
  393. {
  394. ss->session_id_length=0;
  395. }
  396. if (s->sid_ctx_length > sizeof ss->sid_ctx)
  397. {
  398. SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
  399. SSL_SESSION_free(ss);
  400. return 0;
  401. }
  402. memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
  403. ss->sid_ctx_length=s->sid_ctx_length;
  404. s->session=ss;
  405. ss->ssl_version=s->version;
  406. ss->verify_result = X509_V_OK;
  407. return(1);
  408. }
  409. int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
  410. const unsigned char *limit)
  411. {
  412. /* This is used only by servers. */
  413. SSL_SESSION *ret=NULL;
  414. int fatal = 0;
  415. #ifndef OPENSSL_NO_TLSEXT
  416. int r;
  417. #endif
  418. if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
  419. goto err;
  420. #ifndef OPENSSL_NO_TLSEXT
  421. r = tls1_process_ticket(s, session_id, len, limit, &ret);
  422. if (r == -1)
  423. {
  424. fatal = 1;
  425. goto err;
  426. }
  427. else if (r == 0 || (!ret && !len))
  428. goto err;
  429. else if (!ret && !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
  430. #else
  431. if (len == 0)
  432. goto err;
  433. if (!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
  434. #endif
  435. {
  436. SSL_SESSION data;
  437. data.ssl_version=s->version;
  438. data.session_id_length=len;
  439. if (len == 0)
  440. return 0;
  441. memcpy(data.session_id,session_id,len);
  442. CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
  443. ret=lh_SSL_SESSION_retrieve(s->session_ctx->sessions,&data);
  444. if (ret != NULL)
  445. /* don't allow other threads to steal it: */
  446. CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
  447. CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
  448. }
  449. if (ret == NULL)
  450. {
  451. int copy=1;
  452. s->session_ctx->stats.sess_miss++;
  453. ret=NULL;
  454. if (s->session_ctx->get_session_cb != NULL
  455. && (ret=s->session_ctx->get_session_cb(s,session_id,len,&copy))
  456. != NULL)
  457. {
  458. s->session_ctx->stats.sess_cb_hit++;
  459. /* Increment reference count now if the session callback
  460. * asks us to do so (note that if the session structures
  461. * returned by the callback are shared between threads,
  462. * it must handle the reference count itself [i.e. copy == 0],
  463. * or things won't be thread-safe). */
  464. if (copy)
  465. CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
  466. /* Add the externally cached session to the internal
  467. * cache as well if and only if we are supposed to. */
  468. if(!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
  469. /* The following should not return 1, otherwise,
  470. * things are very strange */
  471. SSL_CTX_add_session(s->session_ctx,ret);
  472. }
  473. if (ret == NULL)
  474. goto err;
  475. }
  476. /* Now ret is non-NULL, and we own one of its reference counts. */
  477. if (ret->sid_ctx_length != s->sid_ctx_length
  478. || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length))
  479. {
  480. /* We've found the session named by the client, but we don't
  481. * want to use it in this context. */
  482. #if 0 /* The client cannot always know when a session is not appropriate,
  483. * so we shouldn't generate an error message. */
  484. SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
  485. #endif
  486. goto err; /* treat like cache miss */
  487. }
  488. if((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0)
  489. {
  490. /* We can't be sure if this session is being used out of
  491. * context, which is especially important for SSL_VERIFY_PEER.
  492. * The application should have used SSL[_CTX]_set_session_id_context.
  493. *
  494. * For this error case, we generate an error instead of treating
  495. * the event like a cache miss (otherwise it would be easy for
  496. * applications to effectively disable the session cache by
  497. * accident without anyone noticing).
  498. */
  499. SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
  500. fatal = 1;
  501. goto err;
  502. }
  503. if (ret->cipher == NULL)
  504. {
  505. unsigned char buf[5],*p;
  506. unsigned long l;
  507. p=buf;
  508. l=ret->cipher_id;
  509. l2n(l,p);
  510. if ((ret->ssl_version>>8) >= SSL3_VERSION_MAJOR)
  511. ret->cipher=ssl_get_cipher_by_char(s,&(buf[2]));
  512. else
  513. ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));
  514. if (ret->cipher == NULL)
  515. goto err;
  516. }
  517. #if 0 /* This is way too late. */
  518. /* If a thread got the session, then 'swaped', and another got
  519. * it and then due to a time-out decided to 'OPENSSL_free' it we could
  520. * be in trouble. So I'll increment it now, then double decrement
  521. * later - am I speaking rubbish?. */
  522. CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
  523. #endif
  524. if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */
  525. {
  526. s->session_ctx->stats.sess_timeout++;
  527. /* remove it from the cache */
  528. SSL_CTX_remove_session(s->session_ctx,ret);
  529. goto err;
  530. }
  531. s->session_ctx->stats.sess_hit++;
  532. /* ret->time=time(NULL); */ /* rezero timeout? */
  533. /* again, just leave the session
  534. * if it is the same session, we have just incremented and
  535. * then decremented the reference count :-) */
  536. if (s->session != NULL)
  537. SSL_SESSION_free(s->session);
  538. s->session=ret;
  539. s->verify_result = s->session->verify_result;
  540. return(1);
  541. err:
  542. if (ret != NULL)
  543. SSL_SESSION_free(ret);
  544. if (fatal)
  545. return -1;
  546. else
  547. return 0;
  548. }
  549. int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
  550. {
  551. int ret=0;
  552. SSL_SESSION *s;
  553. /* add just 1 reference count for the SSL_CTX's session cache
  554. * even though it has two ways of access: each session is in a
  555. * doubly linked list and an lhash */
  556. CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION);
  557. /* if session c is in already in cache, we take back the increment later */
  558. CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
  559. s=lh_SSL_SESSION_insert(ctx->sessions,c);
  560. /* s != NULL iff we already had a session with the given PID.
  561. * In this case, s == c should hold (then we did not really modify
  562. * ctx->sessions), or we're in trouble. */
  563. if (s != NULL && s != c)
  564. {
  565. /* We *are* in trouble ... */
  566. SSL_SESSION_list_remove(ctx,s);
  567. SSL_SESSION_free(s);
  568. /* ... so pretend the other session did not exist in cache
  569. * (we cannot handle two SSL_SESSION structures with identical
  570. * session ID in the same cache, which could happen e.g. when
  571. * two threads concurrently obtain the same session from an external
  572. * cache) */
  573. s = NULL;
  574. }
  575. /* Put at the head of the queue unless it is already in the cache */
  576. if (s == NULL)
  577. SSL_SESSION_list_add(ctx,c);
  578. if (s != NULL)
  579. {
  580. /* existing cache entry -- decrement previously incremented reference
  581. * count because it already takes into account the cache */
  582. SSL_SESSION_free(s); /* s == c */
  583. ret=0;
  584. }
  585. else
  586. {
  587. /* new cache entry -- remove old ones if cache has become too large */
  588. ret=1;
  589. if (SSL_CTX_sess_get_cache_size(ctx) > 0)
  590. {
  591. while (SSL_CTX_sess_number(ctx) >
  592. SSL_CTX_sess_get_cache_size(ctx))
  593. {
  594. if (!remove_session_lock(ctx,
  595. ctx->session_cache_tail, 0))
  596. break;
  597. else
  598. ctx->stats.sess_cache_full++;
  599. }
  600. }
  601. }
  602. CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
  603. return(ret);
  604. }
  605. int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c)
  606. {
  607. return remove_session_lock(ctx, c, 1);
  608. }
  609. static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
  610. {
  611. SSL_SESSION *r;
  612. int ret=0;
  613. if ((c != NULL) && (c->session_id_length != 0))
  614. {
  615. if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
  616. if ((r = lh_SSL_SESSION_retrieve(ctx->sessions,c)) == c)
  617. {
  618. ret=1;
  619. r=lh_SSL_SESSION_delete(ctx->sessions,c);
  620. SSL_SESSION_list_remove(ctx,c);
  621. }
  622. if(lck) CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
  623. if (ret)
  624. {
  625. r->not_resumable=1;
  626. if (ctx->remove_session_cb != NULL)
  627. ctx->remove_session_cb(ctx,r);
  628. SSL_SESSION_free(r);
  629. }
  630. }
  631. else
  632. ret=0;
  633. return(ret);
  634. }
  635. void SSL_SESSION_free(SSL_SESSION *ss)
  636. {
  637. int i;
  638. if(ss == NULL)
  639. return;
  640. i=CRYPTO_add(&ss->references,-1,CRYPTO_LOCK_SSL_SESSION);
  641. #ifdef REF_PRINT
  642. REF_PRINT("SSL_SESSION",ss);
  643. #endif
  644. if (i > 0) return;
  645. #ifdef REF_CHECK
  646. if (i < 0)
  647. {
  648. fprintf(stderr,"SSL_SESSION_free, bad reference count\n");
  649. abort(); /* ok */
  650. }
  651. #endif
  652. CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
  653. OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg);
  654. OPENSSL_cleanse(ss->master_key,sizeof ss->master_key);
  655. OPENSSL_cleanse(ss->session_id,sizeof ss->session_id);
  656. if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
  657. if (ss->peer != NULL) X509_free(ss->peer);
  658. if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
  659. #ifndef OPENSSL_NO_TLSEXT
  660. if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);
  661. if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick);
  662. #ifndef OPENSSL_NO_EC
  663. ss->tlsext_ecpointformatlist_length = 0;
  664. if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist);
  665. ss->tlsext_ellipticcurvelist_length = 0;
  666. if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist);
  667. #endif /* OPENSSL_NO_EC */
  668. #endif
  669. #ifndef OPENSSL_NO_PSK
  670. if (ss->psk_identity_hint != NULL)
  671. OPENSSL_free(ss->psk_identity_hint);
  672. if (ss->psk_identity != NULL)
  673. OPENSSL_free(ss->psk_identity);
  674. #endif
  675. OPENSSL_cleanse(ss,sizeof(*ss));
  676. OPENSSL_free(ss);
  677. }
  678. int SSL_set_session(SSL *s, SSL_SESSION *session)
  679. {
  680. int ret=0;
  681. const SSL_METHOD *meth;
  682. if (session != NULL)
  683. {
  684. meth=s->ctx->method->get_ssl_method(session->ssl_version);
  685. if (meth == NULL)
  686. meth=s->method->get_ssl_method(session->ssl_version);
  687. if (meth == NULL)
  688. {
  689. SSLerr(SSL_F_SSL_SET_SESSION,SSL_R_UNABLE_TO_FIND_SSL_METHOD);
  690. return(0);
  691. }
  692. if (meth != s->method)
  693. {
  694. if (!SSL_set_ssl_method(s,meth))
  695. return(0);
  696. if (s->ctx->session_timeout == 0)
  697. session->timeout=SSL_get_default_timeout(s);
  698. else
  699. session->timeout=s->ctx->session_timeout;
  700. }
  701. #ifndef OPENSSL_NO_KRB5
  702. if (s->kssl_ctx && !s->kssl_ctx->client_princ &&
  703. session->krb5_client_princ_len > 0)
  704. {
  705. s->kssl_ctx->client_princ = (char *)OPENSSL_malloc(session->krb5_client_princ_len + 1);
  706. memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ,
  707. session->krb5_client_princ_len);
  708. s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';
  709. }
  710. #endif /* OPENSSL_NO_KRB5 */
  711. /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
  712. CRYPTO_add(&session->references,1,CRYPTO_LOCK_SSL_SESSION);
  713. if (s->session != NULL)
  714. SSL_SESSION_free(s->session);
  715. s->session=session;
  716. s->verify_result = s->session->verify_result;
  717. /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
  718. ret=1;
  719. }
  720. else
  721. {
  722. if (s->session != NULL)
  723. {
  724. SSL_SESSION_free(s->session);
  725. s->session=NULL;
  726. }
  727. meth=s->ctx->method;
  728. if (meth != s->method)
  729. {
  730. if (!SSL_set_ssl_method(s,meth))
  731. return(0);
  732. }
  733. ret=1;
  734. }
  735. return(ret);
  736. }
  737. long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
  738. {
  739. if (s == NULL) return(0);
  740. s->timeout=t;
  741. return(1);
  742. }
  743. long SSL_SESSION_get_timeout(const SSL_SESSION *s)
  744. {
  745. if (s == NULL) return(0);
  746. return(s->timeout);
  747. }
  748. long SSL_SESSION_get_time(const SSL_SESSION *s)
  749. {
  750. if (s == NULL) return(0);
  751. return(s->time);
  752. }
  753. long SSL_SESSION_set_time(SSL_SESSION *s, long t)
  754. {
  755. if (s == NULL) return(0);
  756. s->time=t;
  757. return(t);
  758. }
  759. long SSL_CTX_set_timeout(SSL_CTX *s, long t)
  760. {
  761. long l;
  762. if (s == NULL) return(0);
  763. l=s->session_timeout;
  764. s->session_timeout=t;
  765. return(l);
  766. }
  767. long SSL_CTX_get_timeout(const SSL_CTX *s)
  768. {
  769. if (s == NULL) return(0);
  770. return(s->session_timeout);
  771. }
  772. #ifndef OPENSSL_NO_TLSEXT
  773. int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
  774. STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
  775. {
  776. if (s == NULL) return(0);
  777. s->tls_session_secret_cb = tls_session_secret_cb;
  778. s->tls_session_secret_cb_arg = arg;
  779. return(1);
  780. }
  781. int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
  782. void *arg)
  783. {
  784. if (s == NULL) return(0);
  785. s->tls_session_ticket_ext_cb = cb;
  786. s->tls_session_ticket_ext_cb_arg = arg;
  787. return(1);
  788. }
  789. int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
  790. {
  791. if (s->version >= TLS1_VERSION)
  792. {
  793. if (s->tlsext_session_ticket)
  794. {
  795. OPENSSL_free(s->tlsext_session_ticket);
  796. s->tlsext_session_ticket = NULL;
  797. }
  798. s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
  799. if (!s->tlsext_session_ticket)
  800. {
  801. SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
  802. return 0;
  803. }
  804. if (ext_data)
  805. {
  806. s->tlsext_session_ticket->length = ext_len;
  807. s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
  808. memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
  809. }
  810. else
  811. {
  812. s->tlsext_session_ticket->length = 0;
  813. s->tlsext_session_ticket->data = NULL;
  814. }
  815. return 1;
  816. }
  817. return 0;
  818. }
  819. #endif /* OPENSSL_NO_TLSEXT */
  820. typedef struct timeout_param_st
  821. {
  822. SSL_CTX *ctx;
  823. long time;
  824. LHASH_OF(SSL_SESSION) *cache;
  825. } TIMEOUT_PARAM;
  826. static void timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p)
  827. {
  828. if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */
  829. {
  830. /* The reason we don't call SSL_CTX_remove_session() is to
  831. * save on locking overhead */
  832. (void)lh_SSL_SESSION_delete(p->cache,s);
  833. SSL_SESSION_list_remove(p->ctx,s);
  834. s->not_resumable=1;
  835. if (p->ctx->remove_session_cb != NULL)
  836. p->ctx->remove_session_cb(p->ctx,s);
  837. SSL_SESSION_free(s);
  838. }
  839. }
  840. static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION, TIMEOUT_PARAM)
  841. void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
  842. {
  843. unsigned long i;
  844. TIMEOUT_PARAM tp;
  845. tp.ctx=s;
  846. tp.cache=s->sessions;
  847. if (tp.cache == NULL) return;
  848. tp.time=t;
  849. CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
  850. i=CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load;
  851. CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=0;
  852. lh_SSL_SESSION_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout),
  853. TIMEOUT_PARAM, &tp);
  854. CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=i;
  855. CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
  856. }
  857. int ssl_clear_bad_session(SSL *s)
  858. {
  859. if ( (s->session != NULL) &&
  860. !(s->shutdown & SSL_SENT_SHUTDOWN) &&
  861. !(SSL_in_init(s) || SSL_in_before(s)))
  862. {
  863. SSL_CTX_remove_session(s->ctx,s->session);
  864. return(1);
  865. }
  866. else
  867. return(0);
  868. }
  869. /* locked by SSL_CTX in the calling function */
  870. static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
  871. {
  872. if ((s->next == NULL) || (s->prev == NULL)) return;
  873. if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
  874. { /* last element in list */
  875. if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
  876. { /* only one element in list */
  877. ctx->session_cache_head=NULL;
  878. ctx->session_cache_tail=NULL;
  879. }
  880. else
  881. {
  882. ctx->session_cache_tail=s->prev;
  883. s->prev->next=(SSL_SESSION *)&(ctx->session_cache_tail);
  884. }
  885. }
  886. else
  887. {
  888. if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
  889. { /* first element in list */
  890. ctx->session_cache_head=s->next;
  891. s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head);
  892. }
  893. else
  894. { /* middle of list */
  895. s->next->prev=s->prev;
  896. s->prev->next=s->next;
  897. }
  898. }
  899. s->prev=s->next=NULL;
  900. }
  901. static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
  902. {
  903. if ((s->next != NULL) && (s->prev != NULL))
  904. SSL_SESSION_list_remove(ctx,s);
  905. if (ctx->session_cache_head == NULL)
  906. {
  907. ctx->session_cache_head=s;
  908. ctx->session_cache_tail=s;
  909. s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
  910. s->next=(SSL_SESSION *)&(ctx->session_cache_tail);
  911. }
  912. else
  913. {
  914. s->next=ctx->session_cache_head;
  915. s->next->prev=s;
  916. s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
  917. ctx->session_cache_head=s;
  918. }
  919. }
  920. void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
  921. int (*cb)(struct ssl_st *ssl,SSL_SESSION *sess))
  922. {
  923. ctx->new_session_cb=cb;
  924. }
  925. int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess)
  926. {
  927. return ctx->new_session_cb;
  928. }
  929. void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
  930. void (*cb)(SSL_CTX *ctx,SSL_SESSION *sess))
  931. {
  932. ctx->remove_session_cb=cb;
  933. }
  934. void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx,SSL_SESSION *sess)
  935. {
  936. return ctx->remove_session_cb;
  937. }
  938. void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
  939. SSL_SESSION *(*cb)(struct ssl_st *ssl,
  940. unsigned char *data,int len,int *copy))
  941. {
  942. ctx->get_session_cb=cb;
  943. }
  944. SSL_SESSION * (*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl,
  945. unsigned char *data,int len,int *copy)
  946. {
  947. return ctx->get_session_cb;
  948. }
  949. void SSL_CTX_set_info_callback(SSL_CTX *ctx,
  950. void (*cb)(const SSL *ssl,int type,int val))
  951. {
  952. ctx->info_callback=cb;
  953. }
  954. void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val)
  955. {
  956. return ctx->info_callback;
  957. }
  958. void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
  959. int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey))
  960. {
  961. ctx->client_cert_cb=cb;
  962. }
  963. int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PKEY **pkey)
  964. {
  965. return ctx->client_cert_cb;
  966. }
  967. #ifndef OPENSSL_NO_ENGINE
  968. int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
  969. {
  970. if (!ENGINE_init(e))
  971. {
  972. SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
  973. return 0;
  974. }
  975. if(!ENGINE_get_ssl_client_cert_function(e))
  976. {
  977. SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, SSL_R_NO_CLIENT_CERT_METHOD);
  978. ENGINE_finish(e);
  979. return 0;
  980. }
  981. ctx->client_cert_engine = e;
  982. return 1;
  983. }
  984. #endif
  985. void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
  986. int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))
  987. {
  988. ctx->app_gen_cookie_cb=cb;
  989. }
  990. void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
  991. int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len))
  992. {
  993. ctx->app_verify_cookie_cb=cb;
  994. }
  995. IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION)