+{
+ SSL_SESSION *ss;
+
+ ss = (SSL_SESSION *)OPENSSL_malloc(sizeof(SSL_SESSION));
+ if (ss == NULL) {
+ SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE);
+ return (0);
+ }
+ memset(ss, 0, sizeof(SSL_SESSION));
+
+ ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
+ ss->references = 1;
+ ss->timeout = 60 * 5 + 4; /* 5 minute timeout by default */
+ ss->time = (unsigned long)time(NULL);
+ ss->prev = NULL;
+ ss->next = NULL;
+ ss->compress_meth = 0;
+#ifndef OPENSSL_NO_TLSEXT
+ ss->tlsext_hostname = NULL;
+# ifndef OPENSSL_NO_EC
+ ss->tlsext_ecpointformatlist_length = 0;
+ ss->tlsext_ecpointformatlist = NULL;
+ ss->tlsext_ellipticcurvelist_length = 0;
+ ss->tlsext_ellipticcurvelist = NULL;
+# endif
+#endif
+ CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
+#ifndef OPENSSL_NO_PSK
+ ss->psk_identity_hint = NULL;
+ ss->psk_identity = NULL;
+#endif
+#ifndef OPENSSL_NO_SRP
+ ss->srp_username = NULL;
+#endif
+ return (ss);
+}
+
+/*
+ * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
+ * ticket == 0 then no ticket information is duplicated, otherwise it is.
+ */
+SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
+{
+ SSL_SESSION *dest;
+
+ dest = OPENSSL_malloc(sizeof(*src));
+ if (dest == NULL) {
+ goto err;
+ }
+ memcpy(dest, src, sizeof(*dest));
+
+ /*
+ * Set the various pointers to NULL so that we can call SSL_SESSION_free in
+ * the case of an error whilst halfway through constructing dest
+ */
+#ifndef OPENSSL_NO_PSK
+ dest->psk_identity_hint = NULL;
+ dest->psk_identity = NULL;
+#endif
+ dest->ciphers = NULL;
+#ifndef OPENSSL_NO_TLSEXT
+ dest->tlsext_hostname = NULL;
+# ifndef OPENSSL_NO_EC
+ dest->tlsext_ecpointformatlist = NULL;
+ dest->tlsext_ellipticcurvelist = NULL;
+# endif
+ dest->tlsext_tick = NULL;
+#endif
+#ifndef OPENSSL_NO_SRP
+ dest->srp_username = NULL;
+#endif
+ memset(&dest->ex_data, 0, sizeof(dest->ex_data));
+
+ /* We deliberately don't copy the prev and next pointers */
+ dest->prev = NULL;
+ dest->next = NULL;
+
+ dest->references = 1;
+
+ if (src->sess_cert != NULL)
+ CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT);
+
+ if (src->peer != NULL)
+ CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509);
+
+#ifndef OPENSSL_NO_PSK
+ if (src->psk_identity_hint) {
+ dest->psk_identity_hint = BUF_strdup(src->psk_identity_hint);
+ if (dest->psk_identity_hint == NULL) {
+ goto err;
+ }
+ }
+ if (src->psk_identity) {
+ dest->psk_identity = BUF_strdup(src->psk_identity);
+ if (dest->psk_identity == NULL) {
+ goto err;
+ }
+ }
+#endif
+
+ if(src->ciphers != NULL) {
+ dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers);
+ if (dest->ciphers == NULL)
+ goto err;
+ }
+
+ if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION,
+ &dest->ex_data, &src->ex_data)) {
+ goto err;
+ }
+
+#ifndef OPENSSL_NO_TLSEXT
+ if (src->tlsext_hostname) {
+ dest->tlsext_hostname = BUF_strdup(src->tlsext_hostname);
+ if (dest->tlsext_hostname == NULL) {
+ goto err;
+ }
+ }
+# ifndef OPENSSL_NO_EC
+ if (src->tlsext_ecpointformatlist) {
+ dest->tlsext_ecpointformatlist =
+ BUF_memdup(src->tlsext_ecpointformatlist,
+ src->tlsext_ecpointformatlist_length);
+ if (dest->tlsext_ecpointformatlist == NULL)
+ goto err;
+ }
+ if (src->tlsext_ellipticcurvelist) {
+ dest->tlsext_ellipticcurvelist =
+ BUF_memdup(src->tlsext_ellipticcurvelist,
+ src->tlsext_ellipticcurvelist_length);
+ if (dest->tlsext_ellipticcurvelist == NULL)
+ goto err;
+ }
+# endif
+
+ if (ticket != 0) {
+ dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen);
+ if(dest->tlsext_tick == NULL)
+ goto err;
+ } else {
+ dest->tlsext_tick_lifetime_hint = 0;
+ dest->tlsext_ticklen = 0;
+ }
+#endif
+
+#ifndef OPENSSL_NO_SRP
+ if (src->srp_username) {
+ dest->srp_username = BUF_strdup(src->srp_username);
+ if (dest->srp_username == NULL) {
+ goto err;
+ }
+ }
+#endif
+
+ return dest;
+err:
+ SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE);
+ SSL_SESSION_free(dest);
+ return NULL;
+}
+
+const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
+ unsigned int *len)
+{
+ if (len)
+ *len = s->session_id_length;
+ return s->session_id;
+}
+
+unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s)
+{
+ return s->compress_meth;
+}
+
+/*
+ * Even with SSLv2, we have 16 bytes (128 bits) of session ID space.
+ * SSLv3/TLSv1 has 32 bytes (256 bits). As such, filling the ID with random
+ * gunk repeatedly until we have no conflict is going to complete in one
+ * iteration pretty much "most" of the time (btw: understatement). So, if it
+ * takes us 10 iterations and we still can't avoid a conflict - well that's a
+ * reasonable point to call it quits. Either the RAND code is broken or
+ * someone is trying to open roughly very close to 2^128 (or 2^256) SSL
+ * sessions to our server. How you might store that many sessions is perhaps
+ * a more interesting question ...
+ */
+
+#define MAX_SESS_ID_ATTEMPTS 10
+static int def_generate_session_id(const SSL *ssl, unsigned char *id,
+ unsigned int *id_len)
+{
+ unsigned int retry = 0;
+ do
+ if (RAND_pseudo_bytes(id, *id_len) <= 0)
+ return 0;
+ while (SSL_has_matching_session_id(ssl, id, *id_len) &&
+ (++retry < MAX_SESS_ID_ATTEMPTS)) ;
+ if (retry < MAX_SESS_ID_ATTEMPTS)
+ return 1;
+ /* else - woops a session_id match */
+ /*
+ * XXX We should also check the external cache -- but the probability of
+ * a collision is negligible, and we could not prevent the concurrent
+ * creation of sessions with identical IDs since we currently don't have
+ * means to atomically check whether a session ID already exists and make
+ * a reservation for it if it does not (this problem applies to the
+ * internal cache as well).
+ */
+ return 0;
+}