/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
#include <openssl/engine.h>
#include "internal/refcount.h"
#include "internal/cryptlib.h"
-#include "ssl_locl.h"
-#include "statem/statem_locl.h"
+#include "ssl_local.h"
+#include "statem/statem_local.h"
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
ss = OPENSSL_zalloc(sizeof(*ss));
if (ss == NULL) {
- SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
return NULL;
}
ss->time = (unsigned long)time(NULL);
ss->lock = CRYPTO_THREAD_lock_new();
if (ss->lock == NULL) {
- SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
OPENSSL_free(ss);
return NULL;
}
return ss;
}
-SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src)
+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
{
return ssl_session_dup(src, 1);
}
* Create a new SSL_SESSION and duplicate the contents of |src| into it. If
* ticket == 0 then no ticket information is duplicated, otherwise it is.
*/
-SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
{
SSL_SESSION *dest;
- dest = OPENSSL_malloc(sizeof(*src));
+ dest = OPENSSL_malloc(sizeof(*dest));
if (dest == NULL) {
goto err;
}
dest->psk_identity_hint = NULL;
dest->psk_identity = NULL;
#endif
- dest->ciphers = NULL;
dest->ext.hostname = NULL;
-#ifndef OPENSSL_NO_EC
- dest->ext.ecpointformats = NULL;
- dest->ext.supportedgroups = NULL;
-#endif
dest->ext.tick = NULL;
dest->ext.alpn_selected = NULL;
#ifndef OPENSSL_NO_SRP
}
#endif
- if (src->ciphers != NULL) {
- dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers);
- if (dest->ciphers == NULL)
- goto err;
- }
-
if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION,
&dest->ex_data, &src->ex_data)) {
goto err;
goto err;
}
}
-#ifndef OPENSSL_NO_EC
- if (src->ext.ecpointformats) {
- dest->ext.ecpointformats =
- OPENSSL_memdup(src->ext.ecpointformats,
- src->ext.ecpointformats_len);
- if (dest->ext.ecpointformats == NULL)
- goto err;
- }
- if (src->ext.supportedgroups) {
- dest->ext.supportedgroups =
- OPENSSL_memdup(src->ext.supportedgroups,
- src->ext.supportedgroups_len
- * sizeof(*src->ext.supportedgroups));
- if (dest->ext.supportedgroups == NULL)
- goto err;
- }
-#endif
if (ticket != 0 && src->ext.tick != NULL) {
dest->ext.tick =
return dest;
err:
- SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
SSL_SESSION_free(dest);
return NULL;
}
{
unsigned int retry = 0;
do
- if (RAND_bytes(id, *id_len) <= 0)
+ if (RAND_bytes_ex(ssl->ctx->libctx, id, *id_len) <= 0)
return 0;
while (SSL_has_matching_session_id(ssl, id, *id_len) &&
(++retry < MAX_SESS_ID_ATTEMPTS)) ;
return 0;
}
- if (s->ext.hostname) {
- ss->ext.hostname = OPENSSL_strdup(s->ext.hostname);
- if (ss->ext.hostname == NULL) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_NEW_SESSION,
- ERR_R_INTERNAL_ERROR);
- SSL_SESSION_free(ss);
- return 0;
- }
- }
} else {
ss->session_id_length = 0;
}
ss->verify_result = X509_V_OK;
/* If client supports extended master secret set it in session */
- if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
+ if (s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS)
ss->flags |= SSL_SESS_FLAG_EXTMS;
return 1;
size_t sess_id_len)
{
SSL_SESSION *ret = NULL;
- int discard;
if ((s->session_ctx->session_cache_mode
& SSL_SESS_CACHE_NO_INTERNAL_LOOKUP) == 0) {
}
CRYPTO_THREAD_unlock(s->session_ctx->lock);
if (ret == NULL)
- CRYPTO_atomic_add(&s->session_ctx->stats.sess_miss, 1, &discard,
- s->session_ctx->lock);
+ tsan_counter(&s->session_ctx->stats.sess_miss);
}
if (ret == NULL && s->session_ctx->get_session_cb != NULL) {
ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, ©);
if (ret != NULL) {
- CRYPTO_atomic_add(&s->session_ctx->stats.sess_cb_hit, 1, &discard,
- s->session_ctx->lock);
+ tsan_counter(&s->session_ctx->stats.sess_cb_hit);
/*
* Increment reference count now if the session callback asks us
/* This is used only by servers. */
SSL_SESSION *ret = NULL;
- int fatal = 0, discard;
+ int fatal = 0;
int try_session_cache = 0;
SSL_TICKET_STATUS r;
}
if (ret->timeout < (long)(time(NULL) - ret->time)) { /* timeout */
- CRYPTO_atomic_add(&s->session_ctx->stats.sess_timeout, 1, &discard,
- s->session_ctx->lock);
+ tsan_counter(&s->session_ctx->stats.sess_timeout);
if (try_session_cache) {
/* session was from the cache, so remove it */
SSL_CTX_remove_session(s->session_ctx, ret);
/* Check extended master secret extension consistency */
if (ret->flags & SSL_SESS_FLAG_EXTMS) {
/* If old session includes extms, but new does not: abort handshake */
- if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)) {
+ if (!(s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS)) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL_GET_PREV_SESSION,
SSL_R_INCONSISTENT_EXTMS);
fatal = 1;
goto err;
}
- } else if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
+ } else if (s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) {
/* If new session includes extms, but old does not: do not resume */
goto err;
}
s->session = ret;
}
- CRYPTO_atomic_add(&s->session_ctx->stats.sess_hit, 1, &discard,
- s->session_ctx->lock);
+ tsan_counter(&s->session_ctx->stats.sess_hit);
s->verify_result = s->session->verify_result;
return 1;
int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
{
- int ret = 0, discard;
+ int ret = 0;
SSL_SESSION *s;
/*
if (!remove_session_lock(ctx, ctx->session_cache_tail, 0))
break;
else
- CRYPTO_atomic_add(&ctx->stats.sess_cache_full, 1, &discard,
- ctx->lock);
+ tsan_counter(&ctx->stats.sess_cache_full);
}
}
}
OPENSSL_cleanse(ss->session_id, sizeof(ss->session_id));
X509_free(ss->peer);
sk_X509_pop_free(ss->peer_chain, X509_free);
- sk_SSL_CIPHER_free(ss->ciphers);
OPENSSL_free(ss->ext.hostname);
OPENSSL_free(ss->ext.tick);
-#ifndef OPENSSL_NO_EC
- OPENSSL_free(ss->ext.ecpointformats);
- ss->ext.ecpointformats = NULL;
- ss->ext.ecpointformats_len = 0;
- OPENSSL_free(ss->ext.supportedgroups);
- ss->ext.supportedgroups = NULL;
- ss->ext.supportedgroups_len = 0;
-#endif /* OPENSSL_NO_EC */
#ifndef OPENSSL_NO_PSK
OPENSSL_free(ss->psk_identity_hint);
OPENSSL_free(ss->psk_identity);
unsigned int sid_len)
{
if (sid_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
- SSLerr(SSL_F_SSL_SESSION_SET1_ID,
- SSL_R_SSL_SESSION_ID_TOO_LONG);
+ ERR_raise(ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_TOO_LONG);
return 0;
}
s->session_id_length = sid_len;
unsigned int sid_ctx_len)
{
if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
- SSLerr(SSL_F_SSL_SESSION_SET1_ID_CONTEXT,
- SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
+ ERR_raise(ERR_LIB_SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
return 0;
}
s->sid_ctx_length = sid_ctx_len;
s->ext.session_ticket =
OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
if (s->ext.session_ticket == NULL) {
- SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
return 0;
}
return ctx->client_cert_cb;
}
-#ifndef OPENSSL_NO_ENGINE
-int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
-{
- if (!ENGINE_init(e)) {
- SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
- return 0;
- }
- if (!ENGINE_get_ssl_client_cert_function(e)) {
- SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE,
- SSL_R_NO_CLIENT_CERT_METHOD);
- ENGINE_finish(e);
- return 0;
- }
- ctx->client_cert_engine = e;
- return 1;
-}
-#endif
-
void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
int (*cb) (SSL *ssl,
unsigned char *cookie,