1 files changed, 159 insertions, 30 deletions
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 2ba8b9612e..ee88be2b88 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -122,10 +122,20 @@ SSL_SESSION *SSL_SESSION_new(void)
        ss->prev=NULL;
        ss->next=NULL;
        ss->compress_meth=0;
+#ifndef OPENSSL_NO_TLSEXT
+        ss->tlsext_hostname = NULL; 
+#endif
        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
        return(ss);
        }
+const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
+        {
+        if(len)
+                *len = s->session_id_length;
+        return s->session_id;
+        }
 /* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
 * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly
 * until we have no conflict is going to complete in one iteration pretty much
@@ -141,7 +151,7 @@ static int def_generate_session_id(const SSL *ssl, unsigned char *id,
 {
        unsigned int retry = 0;
        do
-                if(RAND_pseudo_bytes(id, *id_len) <= 0)
+                if (RAND_pseudo_bytes(id, *id_len) <= 0)
                        return 0;
        while(SSL_has_matching_session_id(ssl, id, *id_len) &&
                (++retry < MAX_SESS_ID_ATTEMPTS));
@@ -198,12 +208,25 @@ int ssl_get_new_session(SSL *s, int session)
                        ss->ssl_version=TLS1_VERSION;
                        ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
                        }
+                else if (s->version == DTLS1_VERSION)
+                        {
+                        ss->ssl_version=DTLS1_VERSION;
+                        ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
+                        }
                else
                        {
                        SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
                        SSL_SESSION_free(ss);
                        return(0);
                        }
+#ifndef OPENSSL_NO_TLSEXT
+                /* If RFC4507 ticket use empty session ID */
+                if (s->tlsext_ticket_expected)
+                        {
+                        ss->session_id_length = 0;
+                        goto sess_id_done;
+                        }
+#endif
                /* Choose which callback will set the session ID */
                CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
                if(s->generate_session_id)
@@ -245,6 +268,17 @@ int ssl_get_new_session(SSL *s, int session)
                        SSL_SESSION_free(ss);
                        return(0);
                        }
+#ifndef OPENSSL_NO_TLSEXT
+                sess_id_done:
+                if (s->tlsext_hostname) {
+                        ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
+                        if (ss->tlsext_hostname == NULL) {
+                                SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
+                                SSL_SESSION_free(ss);
+                                return 0;
+                                }
+                        }
+#endif
                }
        else
                {
@@ -266,21 +300,41 @@ int ssl_get_new_session(SSL *s, int session)
        return(1);
        }
-int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
+int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
+                        const unsigned char *limit)
        {
        /* This is used only by servers. */
-        SSL_SESSION *ret=NULL,data;
+        SSL_SESSION *ret=NULL;
        int fatal = 0;
+#ifndef OPENSSL_NO_TLSEXT
-        data.ssl_version=s->version;
+        int r;
-        data.session_id_length=len;
+#endif
+  
        if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
                goto err;
-        memcpy(data.session_id,session_id,len);
+#ifndef OPENSSL_NO_TLSEXT
+        r = tls1_process_ticket(s, session_id, len, limit, &ret);
+        if (r == -1)
+                {
+                fatal = 1;
+                goto err;
+                }
+        else if (r == 0 || (!ret && !len))
+                goto err;
+        else if (!ret && !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
+#else
+        if (len == 0)
+                goto err;
        if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
+#endif
                {
+                SSL_SESSION data;
+                data.ssl_version=s->version;
+                data.session_id_length=len;
+                if (len == 0)
+                        return 0;
+                memcpy(data.session_id,session_id,len);
                CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
                ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,&data);
                if (ret != NULL)
@@ -322,33 +376,35 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
        /* Now ret is non-NULL, and we own one of its reference counts. */
-        if((s->verify_mode&SSL_VERIFY_PEER)
+        if (ret->sid_ctx_length != s->sid_ctx_length
-           && (!s->sid_ctx_length || ret->sid_ctx_length != s->sid_ctx_length
+            || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length))
-               || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length)))
+                {
-            {
                /* We've found the session named by the client, but we don't
                 * want to use it in this context. */
-                
-                if (s->sid_ctx_length == 0)
-                        {
-                        /* application should have used SSL[_CTX]_set_session_id_context
-                         * -- we could tolerate this and just pretend we never heard
-                         * of this session, but then applications could effectively
-                         * disable the session cache by accident without anyone noticing */
-                        SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
-                        fatal = 1;
-                        goto err;
-                        }
-                else
-                        {
 #if 0 /* The client cannot always know when a session is not appropriate,
-           * so we shouldn't generate an error message. */
+       * so we shouldn't generate an error message. */
-                        SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
+                SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
 #endif
-                        goto err; /* treat like cache miss */
+                goto err; /* treat like cache miss */
-                        }
+                }
+        
+        if((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0)
+                {
+                /* We can't be sure if this session is being used out of
+                 * context, which is especially important for SSL_VERIFY_PEER.
+                 * The application should have used SSL[_CTX]_set_session_id_context.
+                 *
+                 * For this error case, we generate an error instead of treating
+                 * the event like a cache miss (otherwise it would be easy for
+                 * applications to effectively disable the session cache by
+                 * accident without anyone noticing).
+                 */
+                
+                SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
+                fatal = 1;
+                goto err;
                }
        if (ret->cipher == NULL)
@@ -534,6 +590,10 @@ void SSL_SESSION_free(SSL_SESSION *ss)
        if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
        if (ss->peer != NULL) X509_free(ss->peer);
        if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
+#ifndef OPENSSL_NO_TLSEXT
+        if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);
+        if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick);
+#endif
        OPENSSL_cleanse(ss,sizeof(*ss));
        OPENSSL_free(ss);
        }
@@ -568,7 +628,7 @@ int SSL_set_session(SSL *s, SSL_SESSION *session)
                if (s->kssl_ctx && !s->kssl_ctx->client_princ &&
                    session->krb5_client_princ_len > 0)
                {
-                    s->kssl_ctx->client_princ = (char *)malloc(session->krb5_client_princ_len + 1);
+                    s->kssl_ctx->client_princ = (char *)OPENSSL_malloc(session->krb5_client_princ_len + 1);
                    memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ,
                            session->krb5_client_princ_len);
                    s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';
@@ -753,3 +813,72 @@ static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
                }
        }
+void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
+        int (*cb)(struct ssl_st *ssl,SSL_SESSION *sess))
+        {
+        ctx->new_session_cb=cb;
+        }
+int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess)
+        {
+        return ctx->new_session_cb;
+        }
+void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
+        void (*cb)(SSL_CTX *ctx,SSL_SESSION *sess))
+        {
+        ctx->remove_session_cb=cb;
+        }
+void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx,SSL_SESSION *sess)
+        {
+        return ctx->remove_session_cb;
+        }
+void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
+        SSL_SESSION *(*cb)(struct ssl_st *ssl,
+                 unsigned char *data,int len,int *copy))
+        {
+        ctx->get_session_cb=cb;
+        }
+SSL_SESSION * (*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl,
+                 unsigned char *data,int len,int *copy)
+        {
+        return ctx->get_session_cb;
+        }
+void SSL_CTX_set_info_callback(SSL_CTX *ctx, 
+        void (*cb)(const SSL *ssl,int type,int val))
+        {
+        ctx->info_callback=cb;
+        }
+void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val)
+        {
+        return ctx->info_callback;
+        }
+void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
+        int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey))
+        {
+        ctx->client_cert_cb=cb;
+        }
+int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PKEY **pkey)
+        {
+        return ctx->client_cert_cb;
+        }
+void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
+        int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))
+        {
+        ctx->app_gen_cookie_cb=cb;
+        }
+void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
+        int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len))
+        {
+        ctx->app_verify_cookie_cb=cb;
+        }

diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index 2ba8b9612e..ee88be2b88 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c
@@ -122,10 +122,20 @@ SSL_SESSION *SSL_SESSION_new(void)
122	ss->prev=NULL;	122	ss->prev=NULL;
123	ss->next=NULL;	123	ss->next=NULL;
124	ss->compress_meth=0;	124	ss->compress_meth=0;
		125	#ifndef OPENSSL_NO_TLSEXT
		126	ss->tlsext_hostname = NULL;
		127	#endif
125	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);	128	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
126	return(ss);	129	return(ss);
127	}	130	}
128		131
		132	const unsigned char SSL_SESSION_get_id(const SSL_SESSION s, unsigned int *len)
		133	{
		134	if(len)
		135	*len = s->session_id_length;
		136	return s->session_id;
		137	}
		138
129	/* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1	139	/* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
130	* has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly	140	* has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly
131	* until we have no conflict is going to complete in one iteration pretty much	141	* until we have no conflict is going to complete in one iteration pretty much
@@ -141,7 +151,7 @@ static int def_generate_session_id(const SSL ssl, unsigned char id,
141	{	151	{
142	unsigned int retry = 0;	152	unsigned int retry = 0;
143	do	153	do
144	if(RAND_pseudo_bytes(id, *id_len) <= 0)	154	if (RAND_pseudo_bytes(id, *id_len) <= 0)
145	return 0;	155	return 0;
146	while(SSL_has_matching_session_id(ssl, id, *id_len) &&	156	while(SSL_has_matching_session_id(ssl, id, *id_len) &&
147	(++retry < MAX_SESS_ID_ATTEMPTS));	157	(++retry < MAX_SESS_ID_ATTEMPTS));
@@ -198,12 +208,25 @@ int ssl_get_new_session(SSL *s, int session)
198	ss->ssl_version=TLS1_VERSION;	208	ss->ssl_version=TLS1_VERSION;
199	ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;	209	ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
200	}	210	}
		211	else if (s->version == DTLS1_VERSION)
		212	{
		213	ss->ssl_version=DTLS1_VERSION;
		214	ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
		215	}
201	else	216	else
202	{	217	{
203	SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);	218	SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
204	SSL_SESSION_free(ss);	219	SSL_SESSION_free(ss);
205	return(0);	220	return(0);
206	}	221	}
		222	#ifndef OPENSSL_NO_TLSEXT
		223	/* If RFC4507 ticket use empty session ID */
		224	if (s->tlsext_ticket_expected)
		225	{
		226	ss->session_id_length = 0;
		227	goto sess_id_done;
		228	}
		229	#endif
207	/* Choose which callback will set the session ID */	230	/* Choose which callback will set the session ID */
208	CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);	231	CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
209	if(s->generate_session_id)	232	if(s->generate_session_id)
@@ -245,6 +268,17 @@ int ssl_get_new_session(SSL *s, int session)
245	SSL_SESSION_free(ss);	268	SSL_SESSION_free(ss);
246	return(0);	269	return(0);
247	}	270	}
		271	#ifndef OPENSSL_NO_TLSEXT
		272	sess_id_done:
		273	if (s->tlsext_hostname) {
		274	ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
		275	if (ss->tlsext_hostname == NULL) {
		276	SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
		277	SSL_SESSION_free(ss);
		278	return 0;
		279	}
		280	}
		281	#endif
248	}	282	}
249	else	283	else
250	{	284	{
@@ -266,21 +300,41 @@ int ssl_get_new_session(SSL *s, int session)
266	return(1);	300	return(1);
267	}	301	}
268		302
269	int ssl_get_prev_session(SSL s, unsigned char session_id, int len)	303	int ssl_get_prev_session(SSL s, unsigned char session_id, int len,
		304	const unsigned char *limit)
270	{	305	{
271	/* This is used only by servers. */	306	/* This is used only by servers. */
272		307
273	SSL_SESSION *ret=NULL,data;	308	SSL_SESSION *ret=NULL;
274	int fatal = 0;	309	int fatal = 0;
275		310	#ifndef OPENSSL_NO_TLSEXT
276	data.ssl_version=s->version;	311	int r;
277	data.session_id_length=len;	312	#endif
		313
278	if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)	314	if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
279	goto err;	315	goto err;
280	memcpy(data.session_id,session_id,len);	316	#ifndef OPENSSL_NO_TLSEXT
281		317	r = tls1_process_ticket(s, session_id, len, limit, &ret);
		318	if (r == -1)
		319	{
		320	fatal = 1;
		321	goto err;
		322	}
		323	else if (r == 0 \|\| (!ret && !len))
		324	goto err;
		325	else if (!ret && !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
		326	#else
		327	if (len == 0)
		328	goto err;
282	if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))	329	if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
		330	#endif
283	{	331	{
		332	SSL_SESSION data;
		333	data.ssl_version=s->version;
		334	data.session_id_length=len;
		335	if (len == 0)
		336	return 0;
		337	memcpy(data.session_id,session_id,len);
284	CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);	338	CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
285	ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,&data);	339	ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,&data);
286	if (ret != NULL)	340	if (ret != NULL)
@@ -322,33 +376,35 @@ int ssl_get_prev_session(SSL s, unsigned char session_id, int len)
322		376
323	/* Now ret is non-NULL, and we own one of its reference counts. */	377	/* Now ret is non-NULL, and we own one of its reference counts. */
324		378
325	if((s->verify_mode&SSL_VERIFY_PEER)	379	if (ret->sid_ctx_length != s->sid_ctx_length
326	&& (!s->sid_ctx_length \|\| ret->sid_ctx_length != s->sid_ctx_length	380	\|\| memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length))
327	\|\| memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length)))	381	{
328	{
329	/* We've found the session named by the client, but we don't	382	/* We've found the session named by the client, but we don't
330	* want to use it in this context. */	383	* want to use it in this context. */
331
332	if (s->sid_ctx_length == 0)
333	{
334	/* application should have used SSL[_CTX]_set_session_id_context
335	* -- we could tolerate this and just pretend we never heard
336	* of this session, but then applications could effectively
337	* disable the session cache by accident without anyone noticing */
338		384
339	SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
340	fatal = 1;
341	goto err;
342	}
343	else
344	{
345	#if 0 /* The client cannot always know when a session is not appropriate,	385	#if 0 /* The client cannot always know when a session is not appropriate,
346	* so we shouldn't generate an error message. */	386	* so we shouldn't generate an error message. */
347		387
348	SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);	388	SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
349	#endif	389	#endif
350	goto err; /* treat like cache miss */	390	goto err; /* treat like cache miss */
351	}	391	}
		392
		393	if((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0)
		394	{
		395	/* We can't be sure if this session is being used out of
		396	* context, which is especially important for SSL_VERIFY_PEER.
		397	* The application should have used SSL[_CTX]_set_session_id_context.
		398	*
		399	* For this error case, we generate an error instead of treating
		400	* the event like a cache miss (otherwise it would be easy for
		401	* applications to effectively disable the session cache by
		402	* accident without anyone noticing).
		403	*/
		404
		405	SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
		406	fatal = 1;
		407	goto err;
352	}	408	}
353		409
354	if (ret->cipher == NULL)	410	if (ret->cipher == NULL)
@@ -534,6 +590,10 @@ void SSL_SESSION_free(SSL_SESSION *ss)
534	if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);	590	if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
535	if (ss->peer != NULL) X509_free(ss->peer);	591	if (ss->peer != NULL) X509_free(ss->peer);
536	if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);	592	if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
		593	#ifndef OPENSSL_NO_TLSEXT
		594	if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);
		595	if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick);
		596	#endif
537	OPENSSL_cleanse(ss,sizeof(*ss));	597	OPENSSL_cleanse(ss,sizeof(*ss));
538	OPENSSL_free(ss);	598	OPENSSL_free(ss);
539	}	599	}
@@ -568,7 +628,7 @@ int SSL_set_session(SSL s, SSL_SESSION session)
568	if (s->kssl_ctx && !s->kssl_ctx->client_princ &&	628	if (s->kssl_ctx && !s->kssl_ctx->client_princ &&
569	session->krb5_client_princ_len > 0)	629	session->krb5_client_princ_len > 0)
570	{	630	{
571	s->kssl_ctx->client_princ = (char *)malloc(session->krb5_client_princ_len + 1);	631	s->kssl_ctx->client_princ = (char *)OPENSSL_malloc(session->krb5_client_princ_len + 1);
572	memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ,	632	memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ,
573	session->krb5_client_princ_len);	633	session->krb5_client_princ_len);
574	s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';	634	s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';
@@ -753,3 +813,72 @@ static void SSL_SESSION_list_add(SSL_CTX ctx, SSL_SESSION s)
753	}	813	}
754	}	814	}
755		815
		816	void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
		817	int (cb)(struct ssl_st ssl,SSL_SESSION *sess))
		818	{
		819	ctx->new_session_cb=cb;
		820	}
		821
		822	int (SSL_CTX_sess_get_new_cb(SSL_CTX ctx))(SSL ssl, SSL_SESSION sess)
		823	{
		824	return ctx->new_session_cb;
		825	}
		826
		827	void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
		828	void (cb)(SSL_CTX ctx,SSL_SESSION *sess))
		829	{
		830	ctx->remove_session_cb=cb;
		831	}
		832
		833	void (SSL_CTX_sess_get_remove_cb(SSL_CTX ctx))(SSL_CTX * ctx,SSL_SESSION *sess)
		834	{
		835	return ctx->remove_session_cb;
		836	}
		837
		838	void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
		839	SSL_SESSION (cb)(struct ssl_st *ssl,
		840	unsigned char data,int len,int copy))
		841	{
		842	ctx->get_session_cb=cb;
		843	}
		844
		845	SSL_SESSION * (SSL_CTX_sess_get_get_cb(SSL_CTX ctx))(SSL *ssl,
		846	unsigned char data,int len,int copy)
		847	{
		848	return ctx->get_session_cb;
		849	}
		850
		851	void SSL_CTX_set_info_callback(SSL_CTX *ctx,
		852	void (cb)(const SSL ssl,int type,int val))
		853	{
		854	ctx->info_callback=cb;
		855	}
		856
		857	void (SSL_CTX_get_info_callback(SSL_CTX ctx))(const SSL *ssl,int type,int val)
		858	{
		859	return ctx->info_callback;
		860	}
		861
		862	void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
		863	int (cb)(SSL ssl, X509 x509, EVP_PKEY pkey))
		864	{
		865	ctx->client_cert_cb=cb;
		866	}
		867
		868	int (SSL_CTX_get_client_cert_cb(SSL_CTX ctx))(SSL * ssl, X509 x509 , EVP_PKEY pkey)
		869	{
		870	return ctx->client_cert_cb;
		871	}
		872
		873	void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
		874	int (cb)(SSL ssl, unsigned char cookie, unsigned int cookie_len))
		875	{
		876	ctx->app_gen_cookie_cb=cb;
		877	}
		878
		879	void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
		880	int (cb)(SSL ssl, unsigned char *cookie, unsigned int cookie_len))
		881	{
		882	ctx->app_verify_cookie_cb=cb;
		883	}
		884