Remove NOPROTO definitions and error code comments.
[openssl.git] / ssl / ssl_sess.c
index af65c65..e06f3ad 100644 (file)
@@ -1,5 +1,5 @@
 /* ssl/ssl_sess.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
  * This package is an SSL implementation written
  */
 
 #include <stdio.h>
-#include "lhash.h"
-#include "rand.h"
+#include <openssl/lhash.h>
+#include <openssl/rand.h>
 #include "ssl_locl.h"
 
-SSL_SESSION *SSL_SESSION_new()
+static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
+static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
+static int ssl_session_num=0;
+static STACK *ssl_session_meth=NULL;
+
+SSL_SESSION *SSL_get_session(SSL *ssl)
+       {
+       return(ssl->session);
+       }
+
+int SSL_SESSION_get_ex_new_index(long argl, char *argp, int (*new_func)(),
+            int (*dup_func)(), void (*free_func)())
+        {
+        ssl_session_num++;
+        return(CRYPTO_get_ex_new_index(ssl_session_num-1,
+               &ssl_session_meth,
+                argl,argp,new_func,dup_func,free_func));
+        }
+
+int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
+       {
+       return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
+       }
+
+void *SSL_SESSION_get_ex_data(SSL_SESSION *s, int idx)
+       {
+       return(CRYPTO_get_ex_data(&s->ex_data,idx));
+       }
+
+SSL_SESSION *SSL_SESSION_new(void)
        {
        SSL_SESSION *ss;
 
@@ -76,20 +105,24 @@ SSL_SESSION *SSL_SESSION_new()
        ss->references=1;
        ss->timeout=60*5+4; /* 5 minute timeout by default */
        ss->time=time(NULL);
+       ss->prev=NULL;
+       ss->next=NULL;
+       ss->compress_meth=0;
+       CRYPTO_new_ex_data(ssl_session_meth,(char *)ss,&ss->ex_data);
        return(ss);
        }
 
-int ssl_get_new_session(s, session)
-SSL *s;
-int session;
+int ssl_get_new_session(SSL *s, int session)
        {
        SSL_SESSION *ss=NULL;
 
        if ((ss=SSL_SESSION_new()) == NULL) return(0);
 
        /* If the context has a default timeout, use it */
-       if (s->ctx->session_timeout != 0)
+       if (s->ctx->session_timeout == 0)
                ss->timeout=SSL_get_default_timeout(s);
+       else
+               ss->timeout=s->ctx->session_timeout;
 
        if (s->session != NULL)
                {
@@ -99,14 +132,19 @@ int session;
 
        if (session)
                {
-               if (s->version == SSL2_CLIENT_VERSION)
+               if (s->version == SSL2_VERSION)
                        {
-                       ss->ssl_version=2;
+                       ss->ssl_version=SSL2_VERSION;
                        ss->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
                        }
-               else if (s->version == SSL3_VERSION_MAJOR)
+               else if (s->version == SSL3_VERSION)
                        {
-                       ss->ssl_version=3;
+                       ss->ssl_version=SSL3_VERSION;
+                       ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
+                       }
+               else if (s->version == TLS1_VERSION)
+                       {
+                       ss->ssl_version=TLS1_VERSION;
                        ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
                        }
                else
@@ -134,61 +172,71 @@ int session;
                ss->session_id_length=0;
                }
 
+       memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
+       ss->sid_ctx_length=s->sid_ctx_length;
        s->session=ss;
        ss->ssl_version=s->version;
 
        return(1);
        }
 
-int ssl_get_prev_session(s, len, session)
-SSL *s;
-int len;
-unsigned char *session;
+int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
        {
-       SSL_SESSION *ret,data;
+       SSL_SESSION *ret=NULL,data;
+       int copy=1;
 
        /* conn_init();*/
        data.ssl_version=s->version;
        data.session_id_length=len;
        if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
                return(0);
-       memcpy(data.session_id,session,len);;
+       memcpy(data.session_id,session_id,len);
 
-       CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
-       ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,(char *)&data);
-       CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
+       if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
+               {
+               CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
+               ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,(char *)&data);
+               CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
+               }
 
        if (ret == NULL)
                {
-               int copy=1;
-
-               s->ctx->sess_miss++;
+               s->ctx->stats.sess_miss++;
                ret=NULL;
-               if ((s->ctx->get_session_cb != NULL) &&
-                       ((ret=s->ctx->get_session_cb(s,session,len,&copy))
-                               != NULL))
+               if (s->ctx->get_session_cb != NULL
+                   && (ret=s->ctx->get_session_cb(s,session_id,len,&copy))
+                      != NULL)
                        {
-                       s->ctx->sess_cb_hit++;
+                       s->ctx->stats.sess_cb_hit++;
 
                        /* The following should not return 1, otherwise,
                         * things are very strange */
                        SSL_CTX_add_session(s->ctx,ret);
-                       /* auto free it */
-                       if (!copy)
-                               SSL_SESSION_free(ret);
                        }
                if (ret == NULL) return(0);
                }
 
+       if((s->verify_mode&SSL_VERIFY_PEER)
+          && (!s->sid_ctx_length || ret->sid_ctx_length != s->sid_ctx_length
+              || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length)))
+           {
+           SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
+           return 0;
+           }
+
+       /* auto free it */
+       if (!copy)
+           SSL_SESSION_free(ret);
+
        if (ret->cipher == NULL)
                {
-               char buf[5],*p;
+               unsigned char buf[5],*p;
                unsigned long l;
 
                p=buf;
                l=ret->cipher_id;
                l2n(l,p);
-               if (ret->ssl_version == 3)
+               if ((ret->ssl_version>>8) == SSL3_VERSION_MAJOR)
                        ret->cipher=ssl_get_cipher_by_char(s,&(buf[2]));
                else 
                        ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));
@@ -204,14 +252,14 @@ unsigned char *session;
 
        if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */
                {
-               s->ctx->sess_timeout++;
+               s->ctx->stats.sess_timeout++;
                /* remove it from the cache */
                SSL_CTX_remove_session(s->ctx,ret);
                SSL_SESSION_free(ret);          /* again to actually Free it */
                return(0);
                }
 
-       s->ctx->sess_hit++;
+       s->ctx->stats.sess_hit++;
 
        /* ret->time=time(NULL); */ /* rezero timeout? */
        /* again, just leave the session 
@@ -223,10 +271,9 @@ unsigned char *session;
        return(1);
        }
 
-int SSL_CTX_add_session(ctx,c)
-SSL_CTX *ctx;
-SSL_SESSION *c;
+int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
        {
+       int ret=0;
        SSL_SESSION *s;
 
        /* conn_init(); */
@@ -234,7 +281,10 @@ SSL_SESSION *c;
 
        CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
        s=(SSL_SESSION *)lh_insert(ctx->sessions,(char *)c);
-       CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+       
+       /* Put on the end of the queue unless it is already in the cache */
+       if (s == NULL)
+               SSL_SESSION_list_add(ctx,c);
 
        /* If the same session if is being 're-added', Free the old
         * one when the last person stops using it.
@@ -243,24 +293,43 @@ SSL_SESSION *c;
        if (s != NULL)
                {
                SSL_SESSION_free(s);
-               return(0);
+               ret=0;
                }
        else
-               return(1);
+               {
+               ret=1;
+
+               if (SSL_CTX_sess_get_cache_size(ctx) > 0)
+                       {
+                       while (SSL_CTX_sess_number(ctx) >
+                               SSL_CTX_sess_get_cache_size(ctx))
+                               {
+                               if (!SSL_CTX_remove_session(ctx,
+                                       ctx->session_cache_tail))
+                                       break;
+                               else
+                                       ctx->stats.sess_cache_full++;
+                               }
+                       }
+               }
+       CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+       return(ret);
        }
 
-int SSL_CTX_remove_session(ctx,c)
-SSL_CTX *ctx;
-SSL_SESSION *c;
+int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c)
        {
        SSL_SESSION *r;
        int ret=0;
 
-       if ((c->session_id_length != 0) && (c != NULL))
+       if ((c != NULL) && (c->session_id_length != 0))
                {
                CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
                r=(SSL_SESSION *)lh_delete(ctx->sessions,(char *)c);
-               if (r != NULL) ret=1;
+               if (r != NULL)
+                       {
+                       ret=1;
+                       SSL_SESSION_list_remove(ctx,c);
+                       }
 
                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
 
@@ -268,7 +337,7 @@ SSL_SESSION *c;
                        {
                        r->not_resumable=1;
                        if (ctx->remove_session_cb != NULL)
-                               ctx->remove_session_cb(ctx,c);
+                               ctx->remove_session_cb(ctx,r);
                        SSL_SESSION_free(r);
                        }
                }
@@ -277,12 +346,17 @@ SSL_SESSION *c;
        return(ret);
        }
 
-void SSL_SESSION_free(ss)
-SSL_SESSION *ss;
+void SSL_SESSION_free(SSL_SESSION *ss)
        {
        int i;
 
+       if(ss == NULL)
+           return;
+
        i=CRYPTO_add(&ss->references,-1,CRYPTO_LOCK_SSL_SESSION);
+#ifdef REF_PRINT
+       REF_PRINT("SSL_SESSION",ss);
+#endif
        if (i > 0) return;
 #ifdef REF_CHECK
        if (i < 0)
@@ -292,19 +366,19 @@ SSL_SESSION *ss;
                }
 #endif
 
+       CRYPTO_free_ex_data(ssl_session_meth,(char *)ss,&ss->ex_data);
+
        memset(ss->key_arg,0,SSL_MAX_KEY_ARG_LENGTH);
        memset(ss->master_key,0,SSL_MAX_MASTER_KEY_LENGTH);
        memset(ss->session_id,0,SSL_MAX_SSL_SESSION_ID_LENGTH);
        if (ss->cert != NULL) ssl_cert_free(ss->cert);
        if (ss->peer != NULL) X509_free(ss->peer);
-       if (ss->ciphers != NULL) sk_free(ss->ciphers);
+       if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
        memset(ss,0,sizeof(*ss));
        Free(ss);
        }
 
-int SSL_set_session(s, session)
-SSL *s;
-SSL_SESSION *session;
+int SSL_set_session(SSL *s, SSL_SESSION *session)
        {
        int ret=0;
        SSL_METHOD *meth;
@@ -324,7 +398,10 @@ SSL_SESSION *session;
                        {
                        if (!SSL_set_ssl_method(s,meth))
                                return(0);
-                       session->timeout=SSL_get_default_timeout(s);
+                       if (s->ctx->session_timeout == 0)
+                               session->timeout=SSL_get_default_timeout(s);
+                       else
+                               session->timeout=s->ctx->session_timeout;
                        }
 
                /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
@@ -335,41 +412,66 @@ SSL_SESSION *session;
                /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
                ret=1;
                }
+       else
+               {
+               if (s->session != NULL)
+                       {
+                       SSL_SESSION_free(s->session);
+                       s->session=NULL;
+                       }
+
+               meth=s->ctx->method;
+               if (meth != s->method)
+                       {
+                       if (!SSL_set_ssl_method(s,meth))
+                               return(0);
+                       }
+               ret=1;
+               }
        return(ret);
        }
 
-long SSL_set_timeout(s,t)
-SSL_SESSION *s;
-long t;
+long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
        {
        if (s == NULL) return(0);
        s->timeout=t;
        return(1);
        }
 
-long SSL_get_timeout(s)
-SSL_SESSION *s;
+long SSL_SESSION_get_timeout(SSL_SESSION *s)
        {
        if (s == NULL) return(0);
        return(s->timeout);
        }
 
-long SSL_get_time(s)
-SSL_SESSION *s;
+long SSL_SESSION_get_time(SSL_SESSION *s)
        {
        if (s == NULL) return(0);
        return(s->time);
        }
 
-long SSL_set_time(s,t)
-SSL_SESSION *s;
-long t;
+long SSL_SESSION_set_time(SSL_SESSION *s, long t)
        {
        if (s == NULL) return(0);
        s->time=t;
        return(t);
        }
 
+long SSL_CTX_set_timeout(SSL_CTX *s, long t)
+       {
+       long l;
+       if (s == NULL) return(0);
+       l=s->session_timeout;
+       s->session_timeout=t;
+       return(l);
+       }
+
+long SSL_CTX_get_timeout(SSL_CTX *s)
+       {
+       if (s == NULL) return(0);
+       return(s->session_timeout);
+       }
+
 typedef struct timeout_param_st
        {
        SSL_CTX *ctx;
@@ -377,13 +479,14 @@ typedef struct timeout_param_st
        LHASH *cache;
        } TIMEOUT_PARAM;
 
-static void timeout(s,p)
-SSL_SESSION *s;
-TIMEOUT_PARAM *p;
+static void timeout(SSL_SESSION *s, TIMEOUT_PARAM *p)
        {
        if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */
                {
+               /* The reason we don't call SSL_CTX_remove_session() is to
+                * save on locking overhead */
                lh_delete(p->cache,(char *)s);
+               SSL_SESSION_list_remove(p->ctx,s);
                s->not_resumable=1;
                if (p->ctx->remove_session_cb != NULL)
                        p->ctx->remove_session_cb(p->ctx,s);
@@ -391,15 +494,13 @@ TIMEOUT_PARAM *p;
                }
        }
 
-void SSL_CTX_flush_sessions(s,t)
-SSL_CTX *s;
-long t;
+void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
        {
        unsigned long i;
        TIMEOUT_PARAM tp;
 
        tp.ctx=s;
-       tp.cache=SSL_CTX_sessions(s);
+       tp.cache=s->sessions;
        if (tp.cache == NULL) return;
        tp.time=t;
        CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
@@ -410,8 +511,7 @@ long t;
        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
        }
 
-int ssl_clear_bad_session(s)
-SSL *s;
+int ssl_clear_bad_session(SSL *s)
        {
        if (    (s->session != NULL) &&
                !(s->shutdown & SSL_SENT_SHUTDOWN) &&
@@ -423,3 +523,59 @@ SSL *s;
        else
                return(0);
        }
+
+/* locked by SSL_CTX in the calling function */
+static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
+       {
+       if ((s->next == NULL) || (s->prev == NULL)) return;
+
+       if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
+               { /* last element in list */
+               if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
+                       { /* only one element in list */
+                       ctx->session_cache_head=NULL;
+                       ctx->session_cache_tail=NULL;
+                       }
+               else
+                       {
+                       ctx->session_cache_tail=s->prev;
+                       s->prev->next=(SSL_SESSION *)&(ctx->session_cache_tail);
+                       }
+               }
+       else
+               {
+               if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
+                       { /* first element in list */
+                       ctx->session_cache_head=s->next;
+                       s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head);
+                       }
+               else
+                       { /* middle of list */
+                       s->next->prev=s->prev;
+                       s->prev->next=s->next;
+                       }
+               }
+       s->prev=s->next=NULL;
+       }
+
+static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
+       {
+       if ((s->next != NULL) && (s->prev != NULL))
+               SSL_SESSION_list_remove(ctx,s);
+
+       if (ctx->session_cache_head == NULL)
+               {
+               ctx->session_cache_head=s;
+               ctx->session_cache_tail=s;
+               s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
+               s->next=(SSL_SESSION *)&(ctx->session_cache_tail);
+               }
+       else
+               {
+               s->next=ctx->session_cache_head;
+               s->next->prev=s;
+               s->prev=(SSL_SESSION *)&(ctx->session_cache_head);
+               ctx->session_cache_head=s;
+               }
+       }
+