1 files changed, 221 insertions, 32 deletions
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 8391d62212..8e5d8a0972 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -55,6 +55,85 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* ====================================================================
+ * Copyright 2005 Nokia. All rights reserved.
+ *
+ * The portions of the attached software ("Contribution") is developed by
+ * Nokia Corporation and is licensed pursuant to the OpenSSL open source
+ * license.
+ *
+ * The Contribution, originally written by Mika Kousa and Pasi Eronen of
+ * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
+ * support (see RFC 4279) to OpenSSL.
+ *
+ * No patent licenses or other rights except those expressly stated in
+ * the OpenSSL open source license shall be deemed granted or received
+ * expressly, by implication, estoppel, or otherwise.
+ *
+ * No assurances are provided by Nokia that the Contribution does not
+ * infringe the patent or other intellectual property rights of any third
+ * party or that the license provides you with all the necessary rights
+ * to make use of the Contribution.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
+ * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
+ * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
+ * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
+ * OTHERWISE.
+ */
 #include <stdio.h>
 #include <openssl/lhash.h>
@@ -127,8 +206,18 @@ SSL_SESSION *SSL_SESSION_new(void)
        ss->compress_meth=0;
 #ifndef OPENSSL_NO_TLSEXT
        ss->tlsext_hostname = NULL; 
+#ifndef OPENSSL_NO_EC
+        ss->tlsext_ecpointformatlist_length = 0;
+        ss->tlsext_ecpointformatlist = NULL;
+        ss->tlsext_ellipticcurvelist_length = 0;
+        ss->tlsext_ellipticcurvelist = NULL;
+#endif
 #endif
        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
+#ifndef OPENSSL_NO_PSK
+        ss->psk_identity_hint=NULL;
+        ss->psk_identity=NULL;
+#endif
        return(ss);
        }
@@ -183,10 +272,10 @@ int ssl_get_new_session(SSL *s, int session)
        if ((ss=SSL_SESSION_new()) == NULL) return(0);
        /* If the context has a default timeout, use it */
-        if (s->ctx->session_timeout == 0)
+        if (s->session_ctx->session_timeout == 0)
                ss->timeout=SSL_get_default_timeout(s);
        else
-                ss->timeout=s->ctx->session_timeout;
+                ss->timeout=s->session_ctx->session_timeout;
        if (s->session != NULL)
                {
@@ -211,6 +300,11 @@ int ssl_get_new_session(SSL *s, int session)
                        ss->ssl_version=TLS1_VERSION;
                        ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
                        }
+                else if (s->version == DTLS1_BAD_VER)
+                        {
+                        ss->ssl_version=DTLS1_BAD_VER;
+                        ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
+                        }
                else if (s->version == DTLS1_VERSION)
                        {
                        ss->ssl_version=DTLS1_VERSION;
@@ -234,8 +328,8 @@ int ssl_get_new_session(SSL *s, int session)
                CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
                if(s->generate_session_id)
                        cb = s->generate_session_id;
-                else if(s->ctx->generate_session_id)
+                else if(s->session_ctx->generate_session_id)
-                        cb = s->ctx->generate_session_id;
+                        cb = s->session_ctx->generate_session_id;
                CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
                /* Choose a session ID */
                tmp = ss->session_id_length;
@@ -281,6 +375,32 @@ int ssl_get_new_session(SSL *s, int session)
                                return 0;
                                }
                        }
+#ifndef OPENSSL_NO_EC
+                if (s->tlsext_ecpointformatlist)
+                        {
+                        if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist);
+                        if ((ss->tlsext_ecpointformatlist = OPENSSL_malloc(s->tlsext_ecpointformatlist_length)) == NULL)
+                                {
+                                SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
+                                SSL_SESSION_free(ss);
+                                return 0;
+                                }
+                        ss->tlsext_ecpointformatlist_length = s->tlsext_ecpointformatlist_length;
+                        memcpy(ss->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
+                        }
+                if (s->tlsext_ellipticcurvelist)
+                        {
+                        if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist);
+                        if ((ss->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
+                                {
+                                SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
+                                SSL_SESSION_free(ss);
+                                return 0;
+                                }
+                        ss->tlsext_ellipticcurvelist_length = s->tlsext_ellipticcurvelist_length;
+                        memcpy(ss->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
+                        }
+#endif
 #endif
                }
        else
@@ -313,15 +433,15 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
 #ifndef OPENSSL_NO_TLSEXT
        int r;
 #endif
-  
        if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
                goto err;
 #ifndef OPENSSL_NO_TLSEXT
-        r = tls1_process_ticket(s, session_id, len, limit, &ret);
+        r = tls1_process_ticket(s, session_id, len, limit, &ret);
        if (r == -1)
                {
                fatal = 1;
-                goto err;
+                goto err;
                }
        else if (r == 0 || (!ret && !len))
                goto err;
@@ -329,7 +449,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
 #else
        if (len == 0)
                goto err;
-        if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
+        if (!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
 #endif
                {
                SSL_SESSION data;
@@ -337,9 +457,9 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
                data.session_id_length=len;
                if (len == 0)
                        return 0;
-                memcpy(data.session_id,session_id,len);
+                memcpy(data.session_id,session_id,len);
                CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
-                ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,&data);
+                ret=lh_SSL_SESSION_retrieve(s->session_ctx->sessions,&data);
                if (ret != NULL)
                    /* don't allow other threads to steal it: */
                    CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
@@ -350,13 +470,13 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
                {
                int copy=1;
        
-                s->ctx->stats.sess_miss++;
+                s->session_ctx->stats.sess_miss++;
                ret=NULL;
-                if (s->ctx->get_session_cb != NULL
+                if (s->session_ctx->get_session_cb != NULL
-                    && (ret=s->ctx->get_session_cb(s,session_id,len,&copy))
+                    && (ret=s->session_ctx->get_session_cb(s,session_id,len,&copy))
                       != NULL)
                        {
-                        s->ctx->stats.sess_cb_hit++;
+                        s->session_ctx->stats.sess_cb_hit++;
                        /* Increment reference count now if the session callback
                         * asks us to do so (note that if the session structures
@@ -368,10 +488,10 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
                        /* Add the externally cached session to the internal
                         * cache as well if and only if we are supposed to. */
-                        if(!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
+                        if(!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
                                /* The following should not return 1, otherwise,
                                 * things are very strange */
-                                SSL_CTX_add_session(s->ctx,ret);
+                                SSL_CTX_add_session(s->session_ctx,ret);
                        }
                if (ret == NULL)
                        goto err;
@@ -418,7 +538,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
                p=buf;
                l=ret->cipher_id;
                l2n(l,p);
-                if ((ret->ssl_version>>8) == SSL3_VERSION_MAJOR)
+                if ((ret->ssl_version>>8) >= SSL3_VERSION_MAJOR)
                        ret->cipher=ssl_get_cipher_by_char(s,&(buf[2]));
                else 
                        ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));
@@ -438,13 +558,13 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
        if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */
                {
-                s->ctx->stats.sess_timeout++;
+                s->session_ctx->stats.sess_timeout++;
                /* remove it from the cache */
-                SSL_CTX_remove_session(s->ctx,ret);
+                SSL_CTX_remove_session(s->session_ctx,ret);
                goto err;
                }
-        s->ctx->stats.sess_hit++;
+        s->session_ctx->stats.sess_hit++;
        /* ret->time=time(NULL); */ /* rezero timeout? */
        /* again, just leave the session 
@@ -477,7 +597,7 @@ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
        /* if session c is in already in cache, we take back the increment later */
        CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-        s=(SSL_SESSION *)lh_insert(ctx->sessions,c);
+        s=lh_SSL_SESSION_insert(ctx->sessions,c);
        
        /* s != NULL iff we already had a session with the given PID.
         * In this case, s == c should hold (then we did not really modify
@@ -543,10 +663,10 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
        if ((c != NULL) && (c->session_id_length != 0))
                {
                if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-                if ((r = (SSL_SESSION *)lh_retrieve(ctx->sessions,c)) == c)
+                if ((r = lh_SSL_SESSION_retrieve(ctx->sessions,c)) == c)
                        {
                        ret=1;
-                        r=(SSL_SESSION *)lh_delete(ctx->sessions,c);
+                        r=lh_SSL_SESSION_delete(ctx->sessions,c);
                        SSL_SESSION_list_remove(ctx,c);
                        }
@@ -596,6 +716,18 @@ void SSL_SESSION_free(SSL_SESSION *ss)
 #ifndef OPENSSL_NO_TLSEXT
        if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);
        if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick);
+#ifndef OPENSSL_NO_EC
+        ss->tlsext_ecpointformatlist_length = 0;
+        if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist);
+        ss->tlsext_ellipticcurvelist_length = 0;
+        if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist);
+#endif /* OPENSSL_NO_EC */
+#endif
+#ifndef OPENSSL_NO_PSK
+        if (ss->psk_identity_hint != NULL)
+                OPENSSL_free(ss->psk_identity_hint);
+        if (ss->psk_identity != NULL)
+                OPENSSL_free(ss->psk_identity);
 #endif
        OPENSSL_cleanse(ss,sizeof(*ss));
        OPENSSL_free(ss);
@@ -604,7 +736,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
 int SSL_set_session(SSL *s, SSL_SESSION *session)
        {
        int ret=0;
-        SSL_METHOD *meth;
+        const SSL_METHOD *meth;
        if (session != NULL)
                {
@@ -707,20 +839,75 @@ long SSL_CTX_get_timeout(const SSL_CTX *s)
        return(s->session_timeout);
        }
+#ifndef OPENSSL_NO_TLSEXT
+int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
+        STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
+        {
+        if (s == NULL) return(0);
+        s->tls_session_secret_cb = tls_session_secret_cb;
+        s->tls_session_secret_cb_arg = arg;
+        return(1);
+        }
+int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
+                                  void *arg)
+        {
+        if (s == NULL) return(0);
+        s->tls_session_ticket_ext_cb = cb;
+        s->tls_session_ticket_ext_cb_arg = arg;
+        return(1);
+        }
+int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
+        {
+        if (s->version >= TLS1_VERSION)
+                {
+                if (s->tlsext_session_ticket)
+                        {
+                        OPENSSL_free(s->tlsext_session_ticket);
+                        s->tlsext_session_ticket = NULL;
+                        }
+                s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
+                if (!s->tlsext_session_ticket)
+                        {
+                        SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                        }
+                if (ext_data)
+                        {
+                        s->tlsext_session_ticket->length = ext_len;
+                        s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
+                        memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
+                        }
+                else
+                        {
+                        s->tlsext_session_ticket->length = 0;
+                        s->tlsext_session_ticket->data = NULL;
+                        }
+                return 1;
+                }
+        return 0;
+        }
+#endif /* OPENSSL_NO_TLSEXT */
 typedef struct timeout_param_st
        {
        SSL_CTX *ctx;
        long time;
-        LHASH *cache;
+        LHASH_OF(SSL_SESSION) *cache;
        } TIMEOUT_PARAM;
-static void timeout(SSL_SESSION *s, TIMEOUT_PARAM *p)
+static void timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p)
        {
        if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */
                {
                /* The reason we don't call SSL_CTX_remove_session() is to
                 * save on locking overhead */
-                lh_delete(p->cache,s);
+                (void)lh_SSL_SESSION_delete(p->cache,s);
                SSL_SESSION_list_remove(p->ctx,s);
                s->not_resumable=1;
                if (p->ctx->remove_session_cb != NULL)
@@ -729,7 +916,7 @@ static void timeout(SSL_SESSION *s, TIMEOUT_PARAM *p)
                }
        }
-static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION *, TIMEOUT_PARAM *)
+static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION, TIMEOUT_PARAM)
 void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
        {
@@ -741,10 +928,11 @@ void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
        if (tp.cache == NULL) return;
        tp.time=t;
        CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-        i=tp.cache->down_load;
+        i=CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load;
-        tp.cache->down_load=0;
+        CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=0;
-        lh_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout), &tp);
+        lh_SSL_SESSION_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout),
-        tp.cache->down_load=i;
+                                 TIMEOUT_PARAM, &tp);
+        CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=i;
        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
        }
@@ -904,3 +1092,4 @@ void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
        ctx->app_verify_cookie_cb=cb;
        }
+IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION)

diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index 8391d62212..8e5d8a0972 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c
@@ -55,6 +55,85 @@
55	* copied and put under another distribution licence	55	* copied and put under another distribution licence
56	* [including the GNU Public Licence.]	56	* [including the GNU Public Licence.]
57	*/	57	*/
		58	/* ====================================================================
		59	* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
		60	*
		61	* Redistribution and use in source and binary forms, with or without
		62	* modification, are permitted provided that the following conditions
		63	* are met:
		64	*
		65	* 1. Redistributions of source code must retain the above copyright
		66	* notice, this list of conditions and the following disclaimer.
		67	*
		68	* 2. Redistributions in binary form must reproduce the above copyright
		69	* notice, this list of conditions and the following disclaimer in
		70	* the documentation and/or other materials provided with the
		71	* distribution.
		72	*
		73	* 3. All advertising materials mentioning features or use of this
		74	* software must display the following acknowledgment:
		75	* "This product includes software developed by the OpenSSL Project
		76	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
		77	*
		78	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
		79	* endorse or promote products derived from this software without
		80	* prior written permission. For written permission, please contact
		81	* openssl-core@openssl.org.
		82	*
		83	* 5. Products derived from this software may not be called "OpenSSL"
		84	* nor may "OpenSSL" appear in their names without prior written
		85	* permission of the OpenSSL Project.
		86	*
		87	* 6. Redistributions of any form whatsoever must retain the following
		88	* acknowledgment:
		89	* "This product includes software developed by the OpenSSL Project
		90	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
		91	*
		92	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
		93	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
		94	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
		95	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
		96	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
		97	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
		98	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
		99	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
		100	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
		101	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
		102	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
		103	* OF THE POSSIBILITY OF SUCH DAMAGE.
		104	* ====================================================================
		105	*
		106	* This product includes cryptographic software written by Eric Young
		107	* (eay@cryptsoft.com). This product includes software written by Tim
		108	* Hudson (tjh@cryptsoft.com).
		109	*
		110	*/
		111	/* ====================================================================
		112	* Copyright 2005 Nokia. All rights reserved.
		113	*
		114	* The portions of the attached software ("Contribution") is developed by
		115	* Nokia Corporation and is licensed pursuant to the OpenSSL open source
		116	* license.
		117	*
		118	* The Contribution, originally written by Mika Kousa and Pasi Eronen of
		119	* Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
		120	* support (see RFC 4279) to OpenSSL.
		121	*
		122	* No patent licenses or other rights except those expressly stated in
		123	* the OpenSSL open source license shall be deemed granted or received
		124	* expressly, by implication, estoppel, or otherwise.
		125	*
		126	* No assurances are provided by Nokia that the Contribution does not
		127	* infringe the patent or other intellectual property rights of any third
		128	* party or that the license provides you with all the necessary rights
		129	* to make use of the Contribution.
		130	*
		131	* THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
		132	* ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
		133	* SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
		134	* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
		135	* OTHERWISE.
		136	*/
58		137
59	#include <stdio.h>	138	#include <stdio.h>
60	#include <openssl/lhash.h>	139	#include <openssl/lhash.h>
@@ -127,8 +206,18 @@ SSL_SESSION *SSL_SESSION_new(void)
127	ss->compress_meth=0;	206	ss->compress_meth=0;
128	#ifndef OPENSSL_NO_TLSEXT	207	#ifndef OPENSSL_NO_TLSEXT
129	ss->tlsext_hostname = NULL;	208	ss->tlsext_hostname = NULL;
		209	#ifndef OPENSSL_NO_EC
		210	ss->tlsext_ecpointformatlist_length = 0;
		211	ss->tlsext_ecpointformatlist = NULL;
		212	ss->tlsext_ellipticcurvelist_length = 0;
		213	ss->tlsext_ellipticcurvelist = NULL;
		214	#endif
130	#endif	215	#endif
131	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);	216	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
		217	#ifndef OPENSSL_NO_PSK
		218	ss->psk_identity_hint=NULL;
		219	ss->psk_identity=NULL;
		220	#endif
132	return(ss);	221	return(ss);
133	}	222	}
134		223
@@ -183,10 +272,10 @@ int ssl_get_new_session(SSL *s, int session)
183	if ((ss=SSL_SESSION_new()) == NULL) return(0);	272	if ((ss=SSL_SESSION_new()) == NULL) return(0);
184		273
185	/* If the context has a default timeout, use it */	274	/* If the context has a default timeout, use it */
186	if (s->ctx->session_timeout == 0)	275	if (s->session_ctx->session_timeout == 0)
187	ss->timeout=SSL_get_default_timeout(s);	276	ss->timeout=SSL_get_default_timeout(s);
188	else	277	else
189	ss->timeout=s->ctx->session_timeout;	278	ss->timeout=s->session_ctx->session_timeout;
190		279
191	if (s->session != NULL)	280	if (s->session != NULL)
192	{	281	{
@@ -211,6 +300,11 @@ int ssl_get_new_session(SSL *s, int session)
211	ss->ssl_version=TLS1_VERSION;	300	ss->ssl_version=TLS1_VERSION;
212	ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;	301	ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
213	}	302	}
		303	else if (s->version == DTLS1_BAD_VER)
		304	{
		305	ss->ssl_version=DTLS1_BAD_VER;
		306	ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
		307	}
214	else if (s->version == DTLS1_VERSION)	308	else if (s->version == DTLS1_VERSION)
215	{	309	{
216	ss->ssl_version=DTLS1_VERSION;	310	ss->ssl_version=DTLS1_VERSION;
@@ -234,8 +328,8 @@ int ssl_get_new_session(SSL *s, int session)
234	CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);	328	CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
235	if(s->generate_session_id)	329	if(s->generate_session_id)
236	cb = s->generate_session_id;	330	cb = s->generate_session_id;
237	else if(s->ctx->generate_session_id)	331	else if(s->session_ctx->generate_session_id)
238	cb = s->ctx->generate_session_id;	332	cb = s->session_ctx->generate_session_id;
239	CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);	333	CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
240	/* Choose a session ID */	334	/* Choose a session ID */
241	tmp = ss->session_id_length;	335	tmp = ss->session_id_length;
@@ -281,6 +375,32 @@ int ssl_get_new_session(SSL *s, int session)
281	return 0;	375	return 0;
282	}	376	}
283	}	377	}
		378	#ifndef OPENSSL_NO_EC
		379	if (s->tlsext_ecpointformatlist)
		380	{
		381	if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist);
		382	if ((ss->tlsext_ecpointformatlist = OPENSSL_malloc(s->tlsext_ecpointformatlist_length)) == NULL)
		383	{
		384	SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
		385	SSL_SESSION_free(ss);
		386	return 0;
		387	}
		388	ss->tlsext_ecpointformatlist_length = s->tlsext_ecpointformatlist_length;
		389	memcpy(ss->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
		390	}
		391	if (s->tlsext_ellipticcurvelist)
		392	{
		393	if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist);
		394	if ((ss->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
		395	{
		396	SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
		397	SSL_SESSION_free(ss);
		398	return 0;
		399	}
		400	ss->tlsext_ellipticcurvelist_length = s->tlsext_ellipticcurvelist_length;
		401	memcpy(ss->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
		402	}
		403	#endif
284	#endif	404	#endif
285	}	405	}
286	else	406	else
@@ -313,15 +433,15 @@ int ssl_get_prev_session(SSL s, unsigned char session_id, int len,
313	#ifndef OPENSSL_NO_TLSEXT	433	#ifndef OPENSSL_NO_TLSEXT
314	int r;	434	int r;
315	#endif	435	#endif
316		436
317	if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)	437	if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
318	goto err;	438	goto err;
319	#ifndef OPENSSL_NO_TLSEXT	439	#ifndef OPENSSL_NO_TLSEXT
320	r = tls1_process_ticket(s, session_id, len, limit, &ret);	440	r = tls1_process_ticket(s, session_id, len, limit, &ret);
321	if (r == -1)	441	if (r == -1)
322	{	442	{
323	fatal = 1;	443	fatal = 1;
324	goto err;	444	goto err;
325	}	445	}
326	else if (r == 0 \|\| (!ret && !len))	446	else if (r == 0 \|\| (!ret && !len))
327	goto err;	447	goto err;
@@ -329,7 +449,7 @@ int ssl_get_prev_session(SSL s, unsigned char session_id, int len,
329	#else	449	#else
330	if (len == 0)	450	if (len == 0)
331	goto err;	451	goto err;
332	if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))	452	if (!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
333	#endif	453	#endif
334	{	454	{
335	SSL_SESSION data;	455	SSL_SESSION data;
@@ -337,9 +457,9 @@ int ssl_get_prev_session(SSL s, unsigned char session_id, int len,
337	data.session_id_length=len;	457	data.session_id_length=len;
338	if (len == 0)	458	if (len == 0)
339	return 0;	459	return 0;
340	memcpy(data.session_id,session_id,len);	460	memcpy(data.session_id,session_id,len);
341	CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);	461	CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
342	ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,&data);	462	ret=lh_SSL_SESSION_retrieve(s->session_ctx->sessions,&data);
343	if (ret != NULL)	463	if (ret != NULL)
344	/* don't allow other threads to steal it: */	464	/* don't allow other threads to steal it: */
345	CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);	465	CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
@@ -350,13 +470,13 @@ int ssl_get_prev_session(SSL s, unsigned char session_id, int len,
350	{	470	{
351	int copy=1;	471	int copy=1;
352		472
353	s->ctx->stats.sess_miss++;	473	s->session_ctx->stats.sess_miss++;
354	ret=NULL;	474	ret=NULL;
355	if (s->ctx->get_session_cb != NULL	475	if (s->session_ctx->get_session_cb != NULL
356	&& (ret=s->ctx->get_session_cb(s,session_id,len,&copy))	476	&& (ret=s->session_ctx->get_session_cb(s,session_id,len,&copy))
357	!= NULL)	477	!= NULL)
358	{	478	{
359	s->ctx->stats.sess_cb_hit++;	479	s->session_ctx->stats.sess_cb_hit++;
360		480
361	/* Increment reference count now if the session callback	481	/* Increment reference count now if the session callback
362	* asks us to do so (note that if the session structures	482	* asks us to do so (note that if the session structures
@@ -368,10 +488,10 @@ int ssl_get_prev_session(SSL s, unsigned char session_id, int len,
368		488
369	/* Add the externally cached session to the internal	489	/* Add the externally cached session to the internal
370	* cache as well if and only if we are supposed to. */	490	* cache as well if and only if we are supposed to. */
371	if(!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))	491	if(!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
372	/* The following should not return 1, otherwise,	492	/* The following should not return 1, otherwise,
373	* things are very strange */	493	* things are very strange */
374	SSL_CTX_add_session(s->ctx,ret);	494	SSL_CTX_add_session(s->session_ctx,ret);
375	}	495	}
376	if (ret == NULL)	496	if (ret == NULL)
377	goto err;	497	goto err;
@@ -418,7 +538,7 @@ int ssl_get_prev_session(SSL s, unsigned char session_id, int len,
418	p=buf;	538	p=buf;
419	l=ret->cipher_id;	539	l=ret->cipher_id;
420	l2n(l,p);	540	l2n(l,p);
421	if ((ret->ssl_version>>8) == SSL3_VERSION_MAJOR)	541	if ((ret->ssl_version>>8) >= SSL3_VERSION_MAJOR)
422	ret->cipher=ssl_get_cipher_by_char(s,&(buf[2]));	542	ret->cipher=ssl_get_cipher_by_char(s,&(buf[2]));
423	else	543	else
424	ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));	544	ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));
@@ -438,13 +558,13 @@ int ssl_get_prev_session(SSL s, unsigned char session_id, int len,
438		558
439	if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */	559	if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */
440	{	560	{
441	s->ctx->stats.sess_timeout++;	561	s->session_ctx->stats.sess_timeout++;
442	/* remove it from the cache */	562	/* remove it from the cache */
443	SSL_CTX_remove_session(s->ctx,ret);	563	SSL_CTX_remove_session(s->session_ctx,ret);
444	goto err;	564	goto err;
445	}	565	}
446		566
447	s->ctx->stats.sess_hit++;	567	s->session_ctx->stats.sess_hit++;
448		568
449	/* ret->time=time(NULL); / / rezero timeout? */	569	/* ret->time=time(NULL); / / rezero timeout? */
450	/* again, just leave the session	570	/* again, just leave the session
@@ -477,7 +597,7 @@ int SSL_CTX_add_session(SSL_CTX ctx, SSL_SESSION c)
477	/* if session c is in already in cache, we take back the increment later */	597	/* if session c is in already in cache, we take back the increment later */
478		598
479	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);	599	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
480	s=(SSL_SESSION *)lh_insert(ctx->sessions,c);	600	s=lh_SSL_SESSION_insert(ctx->sessions,c);
481		601
482	/* s != NULL iff we already had a session with the given PID.	602	/* s != NULL iff we already had a session with the given PID.
483	* In this case, s == c should hold (then we did not really modify	603	* In this case, s == c should hold (then we did not really modify
@@ -543,10 +663,10 @@ static int remove_session_lock(SSL_CTX ctx, SSL_SESSION c, int lck)
543	if ((c != NULL) && (c->session_id_length != 0))	663	if ((c != NULL) && (c->session_id_length != 0))
544	{	664	{
545	if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);	665	if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
546	if ((r = (SSL_SESSION *)lh_retrieve(ctx->sessions,c)) == c)	666	if ((r = lh_SSL_SESSION_retrieve(ctx->sessions,c)) == c)
547	{	667	{
548	ret=1;	668	ret=1;
549	r=(SSL_SESSION *)lh_delete(ctx->sessions,c);	669	r=lh_SSL_SESSION_delete(ctx->sessions,c);
550	SSL_SESSION_list_remove(ctx,c);	670	SSL_SESSION_list_remove(ctx,c);
551	}	671	}
552		672
@@ -596,6 +716,18 @@ void SSL_SESSION_free(SSL_SESSION *ss)
596	#ifndef OPENSSL_NO_TLSEXT	716	#ifndef OPENSSL_NO_TLSEXT
597	if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);	717	if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);
598	if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick);	718	if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick);
		719	#ifndef OPENSSL_NO_EC
		720	ss->tlsext_ecpointformatlist_length = 0;
		721	if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist);
		722	ss->tlsext_ellipticcurvelist_length = 0;
		723	if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist);
		724	#endif /* OPENSSL_NO_EC */
		725	#endif
		726	#ifndef OPENSSL_NO_PSK
		727	if (ss->psk_identity_hint != NULL)
		728	OPENSSL_free(ss->psk_identity_hint);
		729	if (ss->psk_identity != NULL)
		730	OPENSSL_free(ss->psk_identity);
599	#endif	731	#endif
600	OPENSSL_cleanse(ss,sizeof(*ss));	732	OPENSSL_cleanse(ss,sizeof(*ss));
601	OPENSSL_free(ss);	733	OPENSSL_free(ss);
@@ -604,7 +736,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
604	int SSL_set_session(SSL s, SSL_SESSION session)	736	int SSL_set_session(SSL s, SSL_SESSION session)
605	{	737	{
606	int ret=0;	738	int ret=0;
607	SSL_METHOD *meth;	739	const SSL_METHOD *meth;
608		740
609	if (session != NULL)	741	if (session != NULL)
610	{	742	{
@@ -707,20 +839,75 @@ long SSL_CTX_get_timeout(const SSL_CTX *s)
707	return(s->session_timeout);	839	return(s->session_timeout);
708	}	840	}
709		841
		842	#ifndef OPENSSL_NO_TLSEXT
		843	int SSL_set_session_secret_cb(SSL s, int (tls_session_secret_cb)(SSL s, void secret, int *secret_len,
		844	STACK_OF(SSL_CIPHER) peer_ciphers, SSL_CIPHER cipher, void arg), void *arg)
		845	{
		846	if (s == NULL) return(0);
		847	s->tls_session_secret_cb = tls_session_secret_cb;
		848	s->tls_session_secret_cb_arg = arg;
		849	return(1);
		850	}
		851
		852	int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
		853	void *arg)
		854	{
		855	if (s == NULL) return(0);
		856	s->tls_session_ticket_ext_cb = cb;
		857	s->tls_session_ticket_ext_cb_arg = arg;
		858	return(1);
		859	}
		860
		861	int SSL_set_session_ticket_ext(SSL s, void ext_data, int ext_len)
		862	{
		863	if (s->version >= TLS1_VERSION)
		864	{
		865	if (s->tlsext_session_ticket)
		866	{
		867	OPENSSL_free(s->tlsext_session_ticket);
		868	s->tlsext_session_ticket = NULL;
		869	}
		870
		871	s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
		872	if (!s->tlsext_session_ticket)
		873	{
		874	SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
		875	return 0;
		876	}
		877
		878	if (ext_data)
		879	{
		880	s->tlsext_session_ticket->length = ext_len;
		881	s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
		882	memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
		883	}
		884	else
		885	{
		886	s->tlsext_session_ticket->length = 0;
		887	s->tlsext_session_ticket->data = NULL;
		888	}
		889
		890	return 1;
		891	}
		892
		893	return 0;
		894	}
		895	#endif /* OPENSSL_NO_TLSEXT */
		896
710	typedef struct timeout_param_st	897	typedef struct timeout_param_st
711	{	898	{
712	SSL_CTX *ctx;	899	SSL_CTX *ctx;
713	long time;	900	long time;
714	LHASH *cache;	901	LHASH_OF(SSL_SESSION) *cache;
715	} TIMEOUT_PARAM;	902	} TIMEOUT_PARAM;
716		903
717	static void timeout(SSL_SESSION s, TIMEOUT_PARAM p)	904	static void timeout_doall_arg(SSL_SESSION s, TIMEOUT_PARAM p)
718	{	905	{
719	if ((p->time == 0) \|\| (p->time > (s->time+s->timeout))) /* timeout */	906	if ((p->time == 0) \|\| (p->time > (s->time+s->timeout))) /* timeout */
720	{	907	{
721	/* The reason we don't call SSL_CTX_remove_session() is to	908	/* The reason we don't call SSL_CTX_remove_session() is to
722	* save on locking overhead */	909	* save on locking overhead */
723	lh_delete(p->cache,s);	910	(void)lh_SSL_SESSION_delete(p->cache,s);
724	SSL_SESSION_list_remove(p->ctx,s);	911	SSL_SESSION_list_remove(p->ctx,s);
725	s->not_resumable=1;	912	s->not_resumable=1;
726	if (p->ctx->remove_session_cb != NULL)	913	if (p->ctx->remove_session_cb != NULL)
@@ -729,7 +916,7 @@ static void timeout(SSL_SESSION s, TIMEOUT_PARAM p)
729	}	916	}
730	}	917	}
731		918
732	static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION , TIMEOUT_PARAM )	919	static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION, TIMEOUT_PARAM)
733		920
734	void SSL_CTX_flush_sessions(SSL_CTX *s, long t)	921	void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
735	{	922	{
@@ -741,10 +928,11 @@ void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
741	if (tp.cache == NULL) return;	928	if (tp.cache == NULL) return;
742	tp.time=t;	929	tp.time=t;
743	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);	930	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
744	i=tp.cache->down_load;	931	i=CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load;
745	tp.cache->down_load=0;	932	CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=0;
746	lh_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout), &tp);	933	lh_SSL_SESSION_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout),
747	tp.cache->down_load=i;	934	TIMEOUT_PARAM, &tp);
		935	CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load=i;
748	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);	936	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
749	}	937	}
750		938
@@ -904,3 +1092,4 @@ void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
904	ctx->app_verify_cookie_cb=cb;	1092	ctx->app_verify_cookie_cb=cb;
905	}	1093	}
906		1094
		1095	IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION)