kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5126 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 3f8074c2de
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3f8074c2de'
${ noResults }
boringssl/ssl/ssl_session.cc

1213 lines
40 KiB
Raw Blame History 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com).

  108.  *

  109.  */

  110. /* ====================================================================

  111.  * Copyright 2005 Nokia. All rights reserved.

  112.  *

  113.  * The portions of the attached software ("Contribution") is developed by

  114.  * Nokia Corporation and is licensed pursuant to the OpenSSL open source

  115.  * license.

  116.  *

  117.  * The Contribution, originally written by Mika Kousa and Pasi Eronen of

  118.  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites

  119.  * support (see RFC 4279) to OpenSSL.

  120.  *

  121.  * No patent licenses or other rights except those expressly stated in

  122.  * the OpenSSL open source license shall be deemed granted or received

  123.  * expressly, by implication, estoppel, or otherwise.

  124.  *

  125.  * No assurances are provided by Nokia that the Contribution does not

  126.  * infringe the patent or other intellectual property rights of any third

  127.  * party or that the license provides you with all the necessary rights

  128.  * to make use of the Contribution.

  129.  *

  130.  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN

  131.  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA

  132.  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY

  133.  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR

  134.  * OTHERWISE. */

  135. 

  136. #include <openssl/ssl.h>

  137. 

  138. #include <assert.h>

  139. #include <stdlib.h>

  140. #include <string.h>

  141. 

  142. #include <utility>

  143. 

  144. #include <openssl/err.h>

  145. #include <openssl/hmac.h>

  146. #include <openssl/lhash.h>

  147. #include <openssl/mem.h>

  148. #include <openssl/rand.h>

  149. 

  150. #include "internal.h"

  151. #include "../crypto/internal.h"

  152. 

  153. 

  154. namespace bssl {

  155. 

  156. // The address of this is a magic value, a pointer to which is returned by

  157. // SSL_magic_pending_session_ptr(). It allows a session callback to indicate

  158. // that it needs to asynchronously fetch session information.

  159. static const char g_pending_session_magic = 0;

  160. 

  161. static CRYPTO_EX_DATA_CLASS g_ex_data_class =

  162.     CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;

  163. 

  164. static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *session);

  165. static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *session);

  166. static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *session, int lock);

  167. 

  168. UniquePtr<SSL_SESSION> ssl_session_new(const SSL_X509_METHOD *x509_method) {

  169.   UniquePtr<SSL_SESSION> session(

  170.       (SSL_SESSION *)OPENSSL_malloc(sizeof(SSL_SESSION)));

  171.   if (!session) {

  172.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  173.     return 0;

  174.   }

  175.   OPENSSL_memset(session.get(), 0, sizeof(SSL_SESSION));

  176. 

  177.   session->x509_method = x509_method;

  178.   session->verify_result = X509_V_ERR_INVALID_CALL;

  179.   session->references = 1;

  180.   session->timeout = SSL_DEFAULT_SESSION_TIMEOUT;

  181.   session->auth_timeout = SSL_DEFAULT_SESSION_TIMEOUT;

  182.   session->time = time(NULL);

  183.   CRYPTO_new_ex_data(&session->ex_data);

  184.   return session;

  185. }

  186. 

  187. UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {

  188.   UniquePtr<SSL_SESSION> new_session = ssl_session_new(session->x509_method);

  189.   if (!new_session) {

  190.     return nullptr;

  191.   }

  192. 

  193.   new_session->is_server = session->is_server;

  194.   new_session->ssl_version = session->ssl_version;

  195.   new_session->sid_ctx_length = session->sid_ctx_length;

  196.   OPENSSL_memcpy(new_session->sid_ctx, session->sid_ctx, session->sid_ctx_length);

  197. 

  198.   // Copy the key material.

  199.   new_session->master_key_length = session->master_key_length;

  200.   OPENSSL_memcpy(new_session->master_key, session->master_key,

  201.          session->master_key_length);

  202.   new_session->cipher = session->cipher;

  203. 

  204.   // Copy authentication state.

  205.   if (session->psk_identity != NULL) {

  206.     new_session->psk_identity = BUF_strdup(session->psk_identity);

  207.     if (new_session->psk_identity == NULL) {

  208.       return nullptr;

  209.     }

  210.   }

  211.   if (session->certs != NULL) {

  212.     new_session->certs = sk_CRYPTO_BUFFER_new_null();

  213.     if (new_session->certs == NULL) {

  214.       return nullptr;

  215.     }

  216.     for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(session->certs); i++) {

  217.       CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(session->certs, i);

  218.       if (!sk_CRYPTO_BUFFER_push(new_session->certs, buffer)) {

  219.         return nullptr;

  220.       }

  221.       CRYPTO_BUFFER_up_ref(buffer);

  222.     }

  223.   }

  224. 

  225.   if (!session->x509_method->session_dup(new_session.get(), session)) {

  226.     return nullptr;

  227.   }

  228. 

  229.   new_session->verify_result = session->verify_result;

  230. 

  231.   if (session->ocsp_response != NULL) {

  232.     new_session->ocsp_response = session->ocsp_response;

  233.     CRYPTO_BUFFER_up_ref(new_session->ocsp_response);

  234.   }

  235. 

  236.   if (session->signed_cert_timestamp_list != NULL) {

  237.     new_session->signed_cert_timestamp_list =

  238.         session->signed_cert_timestamp_list;

  239.     CRYPTO_BUFFER_up_ref(new_session->signed_cert_timestamp_list);

  240.   }

  241. 

  242.   OPENSSL_memcpy(new_session->peer_sha256, session->peer_sha256,

  243.                  SHA256_DIGEST_LENGTH);

  244.   new_session->peer_sha256_valid = session->peer_sha256_valid;

  245. 

  246.   new_session->peer_signature_algorithm = session->peer_signature_algorithm;

  247. 

  248.   new_session->timeout = session->timeout;

  249.   new_session->auth_timeout = session->auth_timeout;

  250.   new_session->time = session->time;

  251. 

  252.   // Copy non-authentication connection properties.

  253.   if (dup_flags & SSL_SESSION_INCLUDE_NONAUTH) {

  254.     new_session->session_id_length = session->session_id_length;

  255.     OPENSSL_memcpy(new_session->session_id, session->session_id,

  256.                    session->session_id_length);

  257. 

  258.     new_session->group_id = session->group_id;

  259. 

  260.     OPENSSL_memcpy(new_session->original_handshake_hash,

  261.                    session->original_handshake_hash,

  262.                    session->original_handshake_hash_len);

  263.     new_session->original_handshake_hash_len =

  264.         session->original_handshake_hash_len;

  265.     new_session->tlsext_tick_lifetime_hint = session->tlsext_tick_lifetime_hint;

  266.     new_session->ticket_age_add = session->ticket_age_add;

  267.     new_session->ticket_max_early_data = session->ticket_max_early_data;

  268.     new_session->extended_master_secret = session->extended_master_secret;

  269. 

  270.     if (session->early_alpn != NULL) {

  271.       new_session->early_alpn =

  272.           (uint8_t *)BUF_memdup(session->early_alpn, session->early_alpn_len);

  273.       if (new_session->early_alpn == NULL) {

  274.         return nullptr;

  275.       }

  276.     }

  277.     new_session->early_alpn_len = session->early_alpn_len;

  278.   }

  279. 

  280.   // Copy the ticket.

  281.   if (dup_flags & SSL_SESSION_INCLUDE_TICKET) {

  282.     if (session->tlsext_tick != NULL) {

  283.       new_session->tlsext_tick =

  284.           (uint8_t *)BUF_memdup(session->tlsext_tick, session->tlsext_ticklen);

  285.       if (new_session->tlsext_tick == NULL) {

  286.         return nullptr;

  287.       }

  288.     }

  289.     new_session->tlsext_ticklen = session->tlsext_ticklen;

  290.   }

  291. 

  292.   // The new_session does not get a copy of the ex_data.

  293. 

  294.   new_session->not_resumable = 1;

  295.   return new_session;

  296. }

  297. 

  298. void ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session) {

  299.   struct OPENSSL_timeval now;

  300.   ssl_get_current_time(ssl, &now);

  301. 

  302.   // To avoid overflows and underflows, if we've gone back in time, update the

  303.   // time, but mark the session expired.

  304.   if (session->time > now.tv_sec) {

  305.     session->time = now.tv_sec;

  306.     session->timeout = 0;

  307.     session->auth_timeout = 0;

  308.     return;

  309.   }

  310. 

  311.   // Adjust the session time and timeouts. If the session has already expired,

  312.   // clamp the timeouts at zero.

  313.   uint64_t delta = now.tv_sec - session->time;

  314.   session->time = now.tv_sec;

  315.   if (session->timeout < delta) {

  316.     session->timeout = 0;

  317.   } else {

  318.     session->timeout -= delta;

  319.   }

  320.   if (session->auth_timeout < delta) {

  321.     session->auth_timeout = 0;

  322.   } else {

  323.     session->auth_timeout -= delta;

  324.   }

  325. }

  326. 

  327. void ssl_session_renew_timeout(SSL *ssl, SSL_SESSION *session,

  328.                                uint32_t timeout) {

  329.   // Rebase the timestamp relative to the current time so |timeout| is measured

  330.   // correctly.

  331.   ssl_session_rebase_time(ssl, session);

  332. 

  333.   if (session->timeout > timeout) {

  334.     return;

  335.   }

  336. 

  337.   session->timeout = timeout;

  338.   if (session->timeout > session->auth_timeout) {

  339.     session->timeout = session->auth_timeout;

  340.   }

  341. }

  342. 

  343. uint16_t ssl_session_protocol_version(const SSL_SESSION *session) {

  344.   uint16_t ret;

  345.   if (!ssl_protocol_version_from_wire(&ret, session->ssl_version)) {

  346.     // An |SSL_SESSION| will never have an invalid version. This is enforced by

  347.     // the parser.

  348.     assert(0);

  349.     return 0;

  350.   }

  351. 

  352.   return ret;

  353. }

  354. 

  355. const EVP_MD *ssl_session_get_digest(const SSL_SESSION *session) {

  356.   return ssl_get_handshake_digest(ssl_session_protocol_version(session),

  357.                                   session->cipher);

  358. }

  359. 

  360. int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {

  361.   SSL *const ssl = hs->ssl;

  362.   if (ssl->mode & SSL_MODE_NO_SESSION_CREATION) {

  363.     OPENSSL_PUT_ERROR(SSL, SSL_R_SESSION_MAY_NOT_BE_CREATED);

  364.     return 0;

  365.   }

  366. 

  367.   UniquePtr<SSL_SESSION> session = ssl_session_new(ssl->ctx->x509_method);

  368.   if (session == NULL) {

  369.     return 0;

  370.   }

  371. 

  372.   session->is_server = is_server;

  373.   session->ssl_version = ssl->version;

  374. 

  375.   // Fill in the time from the |SSL_CTX|'s clock.

  376.   struct OPENSSL_timeval now;

  377.   ssl_get_current_time(ssl, &now);

  378.   session->time = now.tv_sec;

  379. 

  380.   uint16_t version = ssl_protocol_version(ssl);

  381.   if (version >= TLS1_3_VERSION) {

  382.     // TLS 1.3 uses tickets as authenticators, so we are willing to use them for

  383.     // longer.

  384.     session->timeout = ssl->session_ctx->session_psk_dhe_timeout;

  385.     session->auth_timeout = SSL_DEFAULT_SESSION_AUTH_TIMEOUT;

  386.   } else {

  387.     // TLS 1.2 resumption does not incorporate new key material, so we use a

  388.     // much shorter timeout.

  389.     session->timeout = ssl->session_ctx->session_timeout;

  390.     session->auth_timeout = ssl->session_ctx->session_timeout;

  391.   }

  392. 

  393.   if (is_server) {

  394.     if (hs->ticket_expected || version >= TLS1_3_VERSION) {

  395.       // Don't set session IDs for sessions resumed with tickets. This will keep

  396.       // them out of the session cache.

  397.       session->session_id_length = 0;

  398.     } else {

  399.       session->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;

  400.       if (!RAND_bytes(session->session_id, session->session_id_length)) {

  401.         return 0;

  402.       }

  403.     }

  404.   } else {

  405.     session->session_id_length = 0;

  406.   }

  407. 

  408.   if (ssl->cert->sid_ctx_length > sizeof(session->sid_ctx)) {

  409.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  410.     return 0;

  411.   }

  412.   OPENSSL_memcpy(session->sid_ctx, ssl->cert->sid_ctx,

  413.                  ssl->cert->sid_ctx_length);

  414.   session->sid_ctx_length = ssl->cert->sid_ctx_length;

  415. 

  416.   // The session is marked not resumable until it is completely filled in.

  417.   session->not_resumable = 1;

  418.   session->verify_result = X509_V_ERR_INVALID_CALL;

  419. 

  420.   hs->new_session = std::move(session);

  421.   ssl_set_session(ssl, NULL);

  422.   return 1;

  423. }

  424. 

  425. int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx) {

  426.   OPENSSL_timeval now;

  427.   ssl_ctx_get_current_time(ctx, &now);

  428.   {

  429.     // Avoid acquiring a write lock in the common case (i.e. a non-default key

  430.     // is used or the default keys have not expired yet).

  431.     MutexReadLock lock(&ctx->lock);

  432.     if (ctx->tlsext_ticket_key_current &&

  433.         (ctx->tlsext_ticket_key_current->next_rotation_tv_sec == 0 ||

  434.          ctx->tlsext_ticket_key_current->next_rotation_tv_sec > now.tv_sec) &&

  435.         (!ctx->tlsext_ticket_key_prev ||

  436.          ctx->tlsext_ticket_key_prev->next_rotation_tv_sec > now.tv_sec)) {

  437.       return 1;

  438.     }

  439.   }

  440. 

  441.   MutexWriteLock lock(&ctx->lock);

  442.   if (!ctx->tlsext_ticket_key_current ||

  443.       (ctx->tlsext_ticket_key_current->next_rotation_tv_sec != 0 &&

  444.        ctx->tlsext_ticket_key_current->next_rotation_tv_sec <= now.tv_sec)) {

  445.     // The current key has not been initialized or it is expired.

  446.     auto new_key = bssl::MakeUnique<struct tlsext_ticket_key>();

  447.     if (!new_key) {

  448.       return 0;

  449.     }

  450.     OPENSSL_memset(new_key.get(), 0, sizeof(struct tlsext_ticket_key));

  451.     if (ctx->tlsext_ticket_key_current) {

  452.       // The current key expired. Rotate it to prev and bump up its rotation

  453.       // timestamp. Note that even with the new rotation time it may still be

  454.       // expired and get droppped below.

  455.       ctx->tlsext_ticket_key_current->next_rotation_tv_sec +=

  456.           SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;

  457.       OPENSSL_free(ctx->tlsext_ticket_key_prev);

  458.       ctx->tlsext_ticket_key_prev = ctx->tlsext_ticket_key_current;

  459.     }

  460.     ctx->tlsext_ticket_key_current = new_key.release();

  461.     RAND_bytes(ctx->tlsext_ticket_key_current->name, 16);

  462.     RAND_bytes(ctx->tlsext_ticket_key_current->hmac_key, 16);

  463.     RAND_bytes(ctx->tlsext_ticket_key_current->aes_key, 16);

  464.     ctx->tlsext_ticket_key_current->next_rotation_tv_sec =

  465.         now.tv_sec + SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;

  466.   }

  467. 

  468.   // Drop an expired prev key.

  469.   if (ctx->tlsext_ticket_key_prev &&

  470.       ctx->tlsext_ticket_key_prev->next_rotation_tv_sec <= now.tv_sec) {

  471.     OPENSSL_free(ctx->tlsext_ticket_key_prev);

  472.     ctx->tlsext_ticket_key_prev = nullptr;

  473.   }

  474. 

  475.   return 1;

  476. }

  477. 

  478. static int ssl_encrypt_ticket_with_cipher_ctx(SSL *ssl, CBB *out,

  479.                                               const uint8_t *session_buf,

  480.                                               size_t session_len) {

  481.   ScopedEVP_CIPHER_CTX ctx;

  482.   ScopedHMAC_CTX hctx;

  483. 

  484.   // If the session is too long, emit a dummy value rather than abort the

  485.   // connection.

  486.   static const size_t kMaxTicketOverhead =

  487.       16 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE;

  488.   if (session_len > 0xffff - kMaxTicketOverhead) {

  489.     static const char kTicketPlaceholder[] = "TICKET TOO LARGE";

  490.     return CBB_add_bytes(out, (const uint8_t *)kTicketPlaceholder,

  491.                          strlen(kTicketPlaceholder));

  492.   }

  493. 

  494.   // Initialize HMAC and cipher contexts. If callback present it does all the

  495.   // work otherwise use generated values from parent ctx.

  496.   SSL_CTX *tctx = ssl->session_ctx;

  497.   uint8_t iv[EVP_MAX_IV_LENGTH];

  498.   uint8_t key_name[16];

  499.   if (tctx->tlsext_ticket_key_cb != NULL) {

  500.     if (tctx->tlsext_ticket_key_cb(ssl, key_name, iv, ctx.get(), hctx.get(),

  501.                                    1 /* encrypt */) < 0) {

  502.       return 0;

  503.     }

  504.   } else {

  505.     // Rotate ticket key if necessary.

  506.     if (!ssl_ctx_rotate_ticket_encryption_key(tctx)) {

  507.       return 0;

  508.     }

  509.     MutexReadLock lock(&tctx->lock);

  510.     if (!RAND_bytes(iv, 16) ||

  511.         !EVP_EncryptInit_ex(ctx.get(), EVP_aes_128_cbc(), NULL,

  512.                             tctx->tlsext_ticket_key_current->aes_key, iv) ||

  513.         !HMAC_Init_ex(hctx.get(), tctx->tlsext_ticket_key_current->hmac_key, 16,

  514.                       tlsext_tick_md(), NULL)) {

  515.       return 0;

  516.     }

  517.     OPENSSL_memcpy(key_name, tctx->tlsext_ticket_key_current->name, 16);

  518.   }

  519. 

  520.   uint8_t *ptr;

  521.   if (!CBB_add_bytes(out, key_name, 16) ||

  522.       !CBB_add_bytes(out, iv, EVP_CIPHER_CTX_iv_length(ctx.get())) ||

  523.       !CBB_reserve(out, &ptr, session_len + EVP_MAX_BLOCK_LENGTH)) {

  524.     return 0;

  525.   }

  526. 

  527.   size_t total = 0;

  528. #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)

  529.   OPENSSL_memcpy(ptr, session_buf, session_len);

  530.   total = session_len;

  531. #else

  532.   int len;

  533.   if (!EVP_EncryptUpdate(ctx.get(), ptr + total, &len, session_buf, session_len)) {

  534.     return 0;

  535.   }

  536.   total += len;

  537.   if (!EVP_EncryptFinal_ex(ctx.get(), ptr + total, &len)) {

  538.     return 0;

  539.   }

  540.   total += len;

  541. #endif

  542.   if (!CBB_did_write(out, total)) {

  543.     return 0;

  544.   }

  545. 

  546.   unsigned hlen;

  547.   if (!HMAC_Update(hctx.get(), CBB_data(out), CBB_len(out)) ||

  548.       !CBB_reserve(out, &ptr, EVP_MAX_MD_SIZE) ||

  549.       !HMAC_Final(hctx.get(), ptr, &hlen) ||

  550.       !CBB_did_write(out, hlen)) {

  551.     return 0;

  552.   }

  553. 

  554.   return 1;

  555. }

  556. 

  557. static int ssl_encrypt_ticket_with_method(SSL *ssl, CBB *out,

  558.                                           const uint8_t *session_buf,

  559.                                           size_t session_len) {

  560.   const SSL_TICKET_AEAD_METHOD *method = ssl->session_ctx->ticket_aead_method;

  561.   const size_t max_overhead = method->max_overhead(ssl);

  562.   const size_t max_out = session_len + max_overhead;

  563.   if (max_out < max_overhead) {

  564.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  565.     return 0;

  566.   }

  567. 

  568.   uint8_t *ptr;

  569.   if (!CBB_reserve(out, &ptr, max_out)) {

  570.     return 0;

  571.   }

  572. 

  573.   size_t out_len;

  574.   if (!method->seal(ssl, ptr, &out_len, max_out, session_buf, session_len)) {

  575.     OPENSSL_PUT_ERROR(SSL, SSL_R_TICKET_ENCRYPTION_FAILED);

  576.     return 0;

  577.   }

  578. 

  579.   if (!CBB_did_write(out, out_len)) {

  580.     return 0;

  581.   }

  582. 

  583.   return 1;

  584. }

  585. 

  586. int ssl_encrypt_ticket(SSL *ssl, CBB *out, const SSL_SESSION *session) {

  587.   // Serialize the SSL_SESSION to be encoded into the ticket.

  588.   uint8_t *session_buf = NULL;

  589.   size_t session_len;

  590.   if (!SSL_SESSION_to_bytes_for_ticket(session, &session_buf, &session_len)) {

  591.     return -1;

  592.   }

  593. 

  594.   int ret = 0;

  595.   if (ssl->session_ctx->ticket_aead_method) {

  596.     ret = ssl_encrypt_ticket_with_method(ssl, out, session_buf, session_len);

  597.   } else {

  598.     ret =

  599.         ssl_encrypt_ticket_with_cipher_ctx(ssl, out, session_buf, session_len);

  600.   }

  601. 

  602.   OPENSSL_free(session_buf);

  603.   return ret;

  604. }

  605. 

  606. int ssl_session_is_context_valid(const SSL *ssl, const SSL_SESSION *session) {

  607.   if (session == NULL) {

  608.     return 0;

  609.   }

  610. 

  611.   return session->sid_ctx_length == ssl->cert->sid_ctx_length &&

  612.          OPENSSL_memcmp(session->sid_ctx, ssl->cert->sid_ctx,

  613.                         ssl->cert->sid_ctx_length) == 0;

  614. }

  615. 

  616. int ssl_session_is_time_valid(const SSL *ssl, const SSL_SESSION *session) {

  617.   if (session == NULL) {

  618.     return 0;

  619.   }

  620. 

  621.   struct OPENSSL_timeval now;

  622.   ssl_get_current_time(ssl, &now);

  623. 

  624.   // Reject tickets from the future to avoid underflow.

  625.   if (now.tv_sec < session->time) {

  626.     return 0;

  627.   }

  628. 

  629.   return session->timeout > now.tv_sec - session->time;

  630. }

  631. 

  632. int ssl_session_is_resumable(const SSL_HANDSHAKE *hs,

  633.                              const SSL_SESSION *session) {

  634.   const SSL *const ssl = hs->ssl;

  635.   return ssl_session_is_context_valid(ssl, session) &&

  636.          // The session must have been created by the same type of end point as

  637.          // we're now using it with.

  638.          ssl->server == session->is_server &&

  639.          // The session must not be expired.

  640.          ssl_session_is_time_valid(ssl, session) &&

  641.          /* Only resume if the session's version matches the negotiated

  642.            * version. */

  643.          ssl->version == session->ssl_version &&

  644.          // Only resume if the session's cipher matches the negotiated one.

  645.          hs->new_cipher == session->cipher &&

  646.          // If the session contains a client certificate (either the full

  647.          // certificate or just the hash) then require that the form of the

  648.          // certificate matches the current configuration.

  649.          ((sk_CRYPTO_BUFFER_num(session->certs) == 0 &&

  650.            !session->peer_sha256_valid) ||

  651.           session->peer_sha256_valid ==

  652.               ssl->retain_only_sha256_of_client_certs);

  653. }

  654. 

  655. // ssl_lookup_session looks up |session_id| in the session cache and sets

  656. // |*out_session| to an |SSL_SESSION| object if found.

  657. static enum ssl_hs_wait_t ssl_lookup_session(

  658.     SSL *ssl, UniquePtr<SSL_SESSION> *out_session, const uint8_t *session_id,

  659.     size_t session_id_len) {

  660.   out_session->reset();

  661. 

  662.   if (session_id_len == 0 || session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {

  663.     return ssl_hs_ok;

  664.   }

  665. 

  666.   UniquePtr<SSL_SESSION> session;

  667.   // Try the internal cache, if it exists.

  668.   if (!(ssl->session_ctx->session_cache_mode &

  669.         SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {

  670.     SSL_SESSION data;

  671.     data.ssl_version = ssl->version;

  672.     data.session_id_length = session_id_len;

  673.     OPENSSL_memcpy(data.session_id, session_id, session_id_len);

  674. 

  675.     MutexReadLock lock(&ssl->session_ctx->lock);

  676.     session.reset(lh_SSL_SESSION_retrieve(ssl->session_ctx->sessions, &data));

  677.     if (session) {

  678.       // |lh_SSL_SESSION_retrieve| returns a non-owning pointer.

  679.       SSL_SESSION_up_ref(session.get());

  680.     }

  681.     // TODO(davidben): This should probably move it to the front of the list.

  682.   }

  683. 

  684.   // Fall back to the external cache, if it exists.

  685.   if (!session && ssl->session_ctx->get_session_cb != nullptr) {

  686.     int copy = 1;

  687.     session.reset(ssl->session_ctx->get_session_cb(ssl, session_id,

  688.                                                    session_id_len, &copy));

  689.     if (!session) {

  690.       return ssl_hs_ok;

  691.     }

  692. 

  693.     if (session.get() == SSL_magic_pending_session_ptr()) {

  694.       session.release();  // This pointer is not actually owned.

  695.       return ssl_hs_pending_session;

  696.     }

  697. 

  698.     // Increment reference count now if the session callback asks us to do so

  699.     // (note that if the session structures returned by the callback are shared

  700.     // between threads, it must handle the reference count itself [i.e. copy ==

  701.     // 0], or things won't be thread-safe).

  702.     if (copy) {

  703.       SSL_SESSION_up_ref(session.get());

  704.     }

  705. 

  706.     // Add the externally cached session to the internal cache if necessary.

  707.     if (!(ssl->session_ctx->session_cache_mode &

  708.           SSL_SESS_CACHE_NO_INTERNAL_STORE)) {

  709.       SSL_CTX_add_session(ssl->session_ctx, session.get());

  710.     }

  711.   }

  712. 

  713.   if (session && !ssl_session_is_time_valid(ssl, session.get())) {

  714.     // The session was from the cache, so remove it.

  715.     SSL_CTX_remove_session(ssl->session_ctx, session.get());

  716.     session.reset();

  717.   }

  718. 

  719.   *out_session = std::move(session);

  720.   return ssl_hs_ok;

  721. }

  722. 

  723. enum ssl_hs_wait_t ssl_get_prev_session(SSL *ssl,

  724.                                         UniquePtr<SSL_SESSION> *out_session,

  725.                                         bool *out_tickets_supported,

  726.                                         bool *out_renew_ticket,

  727.                                         const SSL_CLIENT_HELLO *client_hello) {

  728.   // This is used only by servers.

  729.   assert(ssl->server);

  730.   UniquePtr<SSL_SESSION> session;

  731.   bool renew_ticket = false;

  732. 

  733.   // If tickets are disabled, always behave as if no tickets are present.

  734.   const uint8_t *ticket = NULL;

  735.   size_t ticket_len = 0;

  736.   const bool tickets_supported =

  737.       !(SSL_get_options(ssl) & SSL_OP_NO_TICKET) &&

  738.       ssl->version > SSL3_VERSION &&

  739.       SSL_early_callback_ctx_extension_get(

  740.           client_hello, TLSEXT_TYPE_session_ticket, &ticket, &ticket_len);

  741.   if (tickets_supported && ticket_len > 0) {

  742.     switch (ssl_process_ticket(ssl, &session, &renew_ticket, ticket, ticket_len,

  743.                                client_hello->session_id,

  744.                                client_hello->session_id_len)) {

  745.       case ssl_ticket_aead_success:

  746.         break;

  747.       case ssl_ticket_aead_ignore_ticket:

  748.         assert(!session);

  749.         break;

  750.       case ssl_ticket_aead_error:

  751.         return ssl_hs_error;

  752.       case ssl_ticket_aead_retry:

  753.         return ssl_hs_pending_ticket;

  754.     }

  755.   } else {

  756.     // The client didn't send a ticket, so the session ID is a real ID.

  757.     enum ssl_hs_wait_t lookup_ret = ssl_lookup_session(

  758.         ssl, &session, client_hello->session_id, client_hello->session_id_len);

  759.     if (lookup_ret != ssl_hs_ok) {

  760.       return lookup_ret;

  761.     }

  762.   }

  763. 

  764.   *out_session = std::move(session);

  765.   *out_tickets_supported = tickets_supported;

  766.   *out_renew_ticket = renew_ticket;

  767.   return ssl_hs_ok;

  768. }

  769. 

  770. static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *session, int lock) {

  771.   int ret = 0;

  772. 

  773.   if (session != NULL && session->session_id_length != 0) {

  774.     if (lock) {

  775.       CRYPTO_MUTEX_lock_write(&ctx->lock);

  776.     }

  777.     SSL_SESSION *found_session = lh_SSL_SESSION_retrieve(ctx->sessions,

  778.                                                          session);

  779.     if (found_session == session) {

  780.       ret = 1;

  781.       found_session = lh_SSL_SESSION_delete(ctx->sessions, session);

  782.       SSL_SESSION_list_remove(ctx, session);

  783.     }

  784. 

  785.     if (lock) {

  786.       CRYPTO_MUTEX_unlock_write(&ctx->lock);

  787.     }

  788. 

  789.     if (ret) {

  790.       if (ctx->remove_session_cb != NULL) {

  791.         ctx->remove_session_cb(ctx, found_session);

  792.       }

  793.       SSL_SESSION_free(found_session);

  794.     }

  795.   }

  796. 

  797.   return ret;

  798. }

  799. 

  800. void ssl_set_session(SSL *ssl, SSL_SESSION *session) {

  801.   if (ssl->session == session) {

  802.     return;

  803.   }

  804. 

  805.   SSL_SESSION_free(ssl->session);

  806.   ssl->session = session;

  807.   if (session != NULL) {

  808.     SSL_SESSION_up_ref(session);

  809.   }

  810. }

  811. 

  812. // locked by SSL_CTX in the calling function

  813. static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *session) {

  814.   if (session->next == NULL || session->prev == NULL) {

  815.     return;

  816.   }

  817. 

  818.   if (session->next == (SSL_SESSION *)&ctx->session_cache_tail) {

  819.     // last element in list

  820.     if (session->prev == (SSL_SESSION *)&ctx->session_cache_head) {

  821.       // only one element in list

  822.       ctx->session_cache_head = NULL;

  823.       ctx->session_cache_tail = NULL;

  824.     } else {

  825.       ctx->session_cache_tail = session->prev;

  826.       session->prev->next = (SSL_SESSION *)&(ctx->session_cache_tail);

  827.     }

  828.   } else {

  829.     if (session->prev == (SSL_SESSION *)&ctx->session_cache_head) {

  830.       // first element in list

  831.       ctx->session_cache_head = session->next;

  832.       session->next->prev = (SSL_SESSION *)&(ctx->session_cache_head);

  833.     } else {  // middle of list

  834.       session->next->prev = session->prev;

  835.       session->prev->next = session->next;

  836.     }

  837.   }

  838.   session->prev = session->next = NULL;

  839. }

  840. 

  841. static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *session) {

  842.   if (session->next != NULL && session->prev != NULL) {

  843.     SSL_SESSION_list_remove(ctx, session);

  844.   }

  845. 

  846.   if (ctx->session_cache_head == NULL) {

  847.     ctx->session_cache_head = session;

  848.     ctx->session_cache_tail = session;

  849.     session->prev = (SSL_SESSION *)&(ctx->session_cache_head);

  850.     session->next = (SSL_SESSION *)&(ctx->session_cache_tail);

  851.   } else {

  852.     session->next = ctx->session_cache_head;

  853.     session->next->prev = session;

  854.     session->prev = (SSL_SESSION *)&(ctx->session_cache_head);

  855.     ctx->session_cache_head = session;

  856.   }

  857. }

  858. 

  859. }  // namespace bssl

  860. 

  861. using namespace bssl;

  862. 

  863. SSL_SESSION *SSL_SESSION_new(const SSL_CTX *ctx) {

  864.   return ssl_session_new(ctx->x509_method).release();

  865. }

  866. 

  867. int SSL_SESSION_up_ref(SSL_SESSION *session) {

  868.   CRYPTO_refcount_inc(&session->references);

  869.   return 1;

  870. }

  871. 

  872. void SSL_SESSION_free(SSL_SESSION *session) {

  873.   if (session == NULL ||

  874.       !CRYPTO_refcount_dec_and_test_zero(&session->references)) {

  875.     return;

  876.   }

  877. 

  878.   CRYPTO_free_ex_data(&g_ex_data_class, session, &session->ex_data);

  879. 

  880.   OPENSSL_cleanse(session->master_key, sizeof(session->master_key));

  881.   OPENSSL_cleanse(session->session_id, sizeof(session->session_id));

  882.   sk_CRYPTO_BUFFER_pop_free(session->certs, CRYPTO_BUFFER_free);

  883.   session->x509_method->session_clear(session);

  884.   OPENSSL_free(session->tlsext_tick);

  885.   CRYPTO_BUFFER_free(session->signed_cert_timestamp_list);

  886.   CRYPTO_BUFFER_free(session->ocsp_response);

  887.   OPENSSL_free(session->psk_identity);

  888.   OPENSSL_free(session->early_alpn);

  889.   OPENSSL_free(session);

  890. }

  891. 

  892. const uint8_t *SSL_SESSION_get_id(const SSL_SESSION *session,

  893.                                   unsigned *out_len) {

  894.   if (out_len != NULL) {

  895.     *out_len = session->session_id_length;

  896.   }

  897.   return session->session_id;

  898. }

  899. 

  900. uint32_t SSL_SESSION_get_timeout(const SSL_SESSION *session) {

  901.   return session->timeout;

  902. }

  903. 

  904. uint64_t SSL_SESSION_get_time(const SSL_SESSION *session) {

  905.   if (session == NULL) {

  906.     // NULL should crash, but silently accept it here for compatibility.

  907.     return 0;

  908.   }

  909.   return session->time;

  910. }

  911. 

  912. X509 *SSL_SESSION_get0_peer(const SSL_SESSION *session) {

  913.   return session->x509_peer;

  914. }

  915. 

  916. size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, uint8_t *out,

  917.                                   size_t max_out) {

  918.   // TODO(davidben): Fix master_key_length's type and remove these casts.

  919.   if (max_out == 0) {

  920.     return (size_t)session->master_key_length;

  921.   }

  922.   if (max_out > (size_t)session->master_key_length) {

  923.     max_out = (size_t)session->master_key_length;

  924.   }

  925.   OPENSSL_memcpy(out, session->master_key, max_out);

  926.   return max_out;

  927. }

  928. 

  929. uint64_t SSL_SESSION_set_time(SSL_SESSION *session, uint64_t time) {

  930.   if (session == NULL) {

  931.     return 0;

  932.   }

  933. 

  934.   session->time = time;

  935.   return time;

  936. }

  937. 

  938. uint32_t SSL_SESSION_set_timeout(SSL_SESSION *session, uint32_t timeout) {

  939.   if (session == NULL) {

  940.     return 0;

  941.   }

  942. 

  943.   session->timeout = timeout;

  944.   session->auth_timeout = timeout;

  945.   return 1;

  946. }

  947. 

  948. int SSL_SESSION_set1_id_context(SSL_SESSION *session, const uint8_t *sid_ctx,

  949.                                 size_t sid_ctx_len) {

  950.   if (sid_ctx_len > sizeof(session->sid_ctx)) {

  951.     OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);

  952.     return 0;

  953.   }

  954. 

  955.   static_assert(sizeof(session->sid_ctx) < 256, "sid_ctx_len does not fit");

  956.   session->sid_ctx_length = (uint8_t)sid_ctx_len;

  957.   OPENSSL_memcpy(session->sid_ctx, sid_ctx, sid_ctx_len);

  958. 

  959.   return 1;

  960. }

  961. 

  962. int SSL_SESSION_should_be_single_use(const SSL_SESSION *session) {

  963.   return ssl_session_protocol_version(session) >= TLS1_3_VERSION;

  964. }

  965. 

  966. int SSL_SESSION_is_resumable(const SSL_SESSION *session) {

  967.   return !session->not_resumable;

  968. }

  969. 

  970. int SSL_SESSION_has_ticket(const SSL_SESSION *session) {

  971.   return session->tlsext_ticklen > 0;

  972. }

  973. 

  974. void SSL_SESSION_get0_ticket(const SSL_SESSION *session,

  975.                              const uint8_t **out_ticket, size_t *out_len) {

  976.   if (out_ticket != nullptr) {

  977.     *out_ticket = session->tlsext_tick;

  978.   }

  979.   *out_len = session->tlsext_ticklen;

  980. }

  981. 

  982. uint32_t SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *session) {

  983.   return session->tlsext_tick_lifetime_hint;

  984. }

  985. 

  986. const SSL_CIPHER *SSL_SESSION_get0_cipher(const SSL_SESSION *session) {

  987.   return session->cipher;

  988. }

  989. 

  990. SSL_SESSION *SSL_magic_pending_session_ptr(void) {

  991.   return (SSL_SESSION *)&g_pending_session_magic;

  992. }

  993. 

  994. SSL_SESSION *SSL_get_session(const SSL *ssl) {

  995.   // Once the handshake completes we return the established session. Otherwise

  996.   // we return the intermediate session, either |session| (for resumption) or

  997.   // |new_session| if doing a full handshake.

  998.   if (!SSL_in_init(ssl)) {

  999.     return ssl->s3->established_session.get();

  1000.   }

  1001.   SSL_HANDSHAKE *hs = ssl->s3->hs.get();

  1002.   if (hs->early_session) {

  1003.     return hs->early_session.get();

  1004.   }

  1005.   if (hs->new_session) {

  1006.     return hs->new_session.get();

  1007.   }

  1008.   return ssl->session;

  1009. }

  1010. 

  1011. SSL_SESSION *SSL_get1_session(SSL *ssl) {

  1012.   SSL_SESSION *ret = SSL_get_session(ssl);

  1013.   if (ret != NULL) {

  1014.     SSL_SESSION_up_ref(ret);

  1015.   }

  1016.   return ret;

  1017. }

  1018. 

  1019. int SSL_SESSION_get_ex_new_index(long argl, void *argp,

  1020.                                  CRYPTO_EX_unused *unused,

  1021.                                  CRYPTO_EX_dup *dup_unused,

  1022.                                  CRYPTO_EX_free *free_func) {

  1023.   int index;

  1024.   if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,

  1025.                                free_func)) {

  1026.     return -1;

  1027.   }

  1028.   return index;

  1029. }

  1030. 

  1031. int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx, void *arg) {

  1032.   return CRYPTO_set_ex_data(&session->ex_data, idx, arg);

  1033. }

  1034. 

  1035. void *SSL_SESSION_get_ex_data(const SSL_SESSION *session, int idx) {

  1036.   return CRYPTO_get_ex_data(&session->ex_data, idx);

  1037. }

  1038. 

  1039. int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session) {

  1040.   // Although |session| is inserted into two structures (a doubly-linked list

  1041.   // and the hash table), |ctx| only takes one reference.

  1042.   SSL_SESSION_up_ref(session);

  1043.   UniquePtr<SSL_SESSION> owned_session(session);

  1044. 

  1045.   SSL_SESSION *old_session;

  1046.   MutexWriteLock lock(&ctx->lock);

  1047.   if (!lh_SSL_SESSION_insert(ctx->sessions, &old_session, session)) {

  1048.     return 0;

  1049.   }

  1050.   // |ctx->sessions| took ownership of |session| and gave us back a reference to

  1051.   // |old_session|. (|old_session| may be the same as |session|, in which case

  1052.   // we traded identical references with |ctx->sessions|.)

  1053.   owned_session.release();

  1054.   owned_session.reset(old_session);

  1055. 

  1056.   if (old_session != NULL) {

  1057.     if (old_session == session) {

  1058.       // |session| was already in the cache. There are no linked list pointers

  1059.       // to update.

  1060.       return 0;

  1061.     }

  1062. 

  1063.     // There was a session ID collision. |old_session| was replaced with

  1064.     // |session| in the hash table, so |old_session| must be removed from the

  1065.     // linked list to match.

  1066.     SSL_SESSION_list_remove(ctx, old_session);

  1067.   }

  1068. 

  1069.   SSL_SESSION_list_add(ctx, session);

  1070. 

  1071.   // Enforce any cache size limits.

  1072.   if (SSL_CTX_sess_get_cache_size(ctx) > 0) {

  1073.     while (lh_SSL_SESSION_num_items(ctx->sessions) >

  1074.            SSL_CTX_sess_get_cache_size(ctx)) {

  1075.       if (!remove_session_lock(ctx, ctx->session_cache_tail, 0)) {

  1076.         break;

  1077.       }

  1078.     }

  1079.   }

  1080. 

  1081.   return 1;

  1082. }

  1083. 

  1084. int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *session) {

  1085.   return remove_session_lock(ctx, session, 1);

  1086. }

  1087. 

  1088. int SSL_set_session(SSL *ssl, SSL_SESSION *session) {

  1089.   // SSL_set_session may only be called before the handshake has started.

  1090.   if (ssl->s3->initial_handshake_complete ||

  1091.       ssl->s3->hs == NULL ||

  1092.       ssl->s3->hs->state != 0) {

  1093.     abort();

  1094.   }

  1095. 

  1096.   ssl_set_session(ssl, session);

  1097.   return 1;

  1098. }

  1099. 

  1100. uint32_t SSL_CTX_set_timeout(SSL_CTX *ctx, uint32_t timeout) {

  1101.   if (ctx == NULL) {

  1102.     return 0;

  1103.   }

  1104. 

  1105.   // Historically, zero was treated as |SSL_DEFAULT_SESSION_TIMEOUT|.

  1106.   if (timeout == 0) {

  1107.     timeout = SSL_DEFAULT_SESSION_TIMEOUT;

  1108.   }

  1109. 

  1110.   uint32_t old_timeout = ctx->session_timeout;

  1111.   ctx->session_timeout = timeout;

  1112.   return old_timeout;

  1113. }

  1114. 

  1115. uint32_t SSL_CTX_get_timeout(const SSL_CTX *ctx) {

  1116.   if (ctx == NULL) {

  1117.     return 0;

  1118.   }

  1119. 

  1120.   return ctx->session_timeout;

  1121. }

  1122. 

  1123. void SSL_CTX_set_session_psk_dhe_timeout(SSL_CTX *ctx, uint32_t timeout) {

  1124.   ctx->session_psk_dhe_timeout = timeout;

  1125. }

  1126. 

  1127. typedef struct timeout_param_st {

  1128.   SSL_CTX *ctx;

  1129.   uint64_t time;

  1130.   LHASH_OF(SSL_SESSION) *cache;

  1131. } TIMEOUT_PARAM;

  1132. 

  1133. static void timeout_doall_arg(SSL_SESSION *session, void *void_param) {

  1134.   TIMEOUT_PARAM *param = reinterpret_cast<TIMEOUT_PARAM *>(void_param);

  1135. 

  1136.   if (param->time == 0 ||

  1137.       session->time + session->timeout < session->time ||

  1138.       param->time > (session->time + session->timeout)) {

  1139.     // The reason we don't call SSL_CTX_remove_session() is to

  1140.     // save on locking overhead

  1141.     (void) lh_SSL_SESSION_delete(param->cache, session);

  1142.     SSL_SESSION_list_remove(param->ctx, session);

  1143.     if (param->ctx->remove_session_cb != NULL) {

  1144.       param->ctx->remove_session_cb(param->ctx, session);

  1145.     }

  1146.     SSL_SESSION_free(session);

  1147.   }

  1148. }

  1149. 

  1150. void SSL_CTX_flush_sessions(SSL_CTX *ctx, uint64_t time) {

  1151.   TIMEOUT_PARAM tp;

  1152. 

  1153.   tp.ctx = ctx;

  1154.   tp.cache = ctx->sessions;

  1155.   if (tp.cache == NULL) {

  1156.     return;

  1157.   }

  1158.   tp.time = time;

  1159.   MutexWriteLock lock(&ctx->lock);

  1160.   lh_SSL_SESSION_doall_arg(tp.cache, timeout_doall_arg, &tp);

  1161. }

  1162. 

  1163. void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,

  1164.                              int (*cb)(SSL *ssl, SSL_SESSION *session)) {

  1165.   ctx->new_session_cb = cb;

  1166. }

  1167. 

  1168. int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *session) {

  1169.   return ctx->new_session_cb;

  1170. }

  1171. 

  1172. void SSL_CTX_sess_set_remove_cb(

  1173.     SSL_CTX *ctx, void (*cb)(SSL_CTX *ctx, SSL_SESSION *session)) {

  1174.   ctx->remove_session_cb = cb;

  1175. }

  1176. 

  1177. void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX *ctx,

  1178.                                                  SSL_SESSION *session) {

  1179.   return ctx->remove_session_cb;

  1180. }

  1181. 

  1182. void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,

  1183.                              SSL_SESSION *(*cb)(SSL *ssl, const uint8_t *id,

  1184.                                                 int id_len, int *out_copy)) {

  1185.   ctx->get_session_cb = cb;

  1186. }

  1187. 

  1188. SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl,

  1189.                                                       const uint8_t *id,

  1190.                                                       int id_len,

  1191.                                                       int *out_copy) {

  1192.   return ctx->get_session_cb;

  1193. }

  1194. 

  1195. void SSL_CTX_set_info_callback(

  1196.     SSL_CTX *ctx, void (*cb)(const SSL *ssl, int type, int value)) {

  1197.   ctx->info_callback = cb;

  1198. }

  1199. 

  1200. void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type,

  1201.                                                 int value) {

  1202.   return ctx->info_callback;

  1203. }

  1204. 

  1205. void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx,

  1206.                                void (*cb)(SSL *ssl, EVP_PKEY **pkey)) {

  1207.   ctx->channel_id_cb = cb;

  1208. }

  1209. 

  1210. void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL *ssl, EVP_PKEY **pkey) {

  1211.   return ctx->channel_id_cb;

  1212. }