1 | /*
|
---|
2 | * SSL session cache implementation
|
---|
3 | *
|
---|
4 | * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
---|
5 | * SPDX-License-Identifier: Apache-2.0
|
---|
6 | *
|
---|
7 | * Licensed under the Apache License, Version 2.0 (the "License"); you may
|
---|
8 | * not use this file except in compliance with the License.
|
---|
9 | * You may obtain a copy of the License at
|
---|
10 | *
|
---|
11 | * http://www.apache.org/licenses/LICENSE-2.0
|
---|
12 | *
|
---|
13 | * Unless required by applicable law or agreed to in writing, software
|
---|
14 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
---|
15 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
---|
16 | * See the License for the specific language governing permissions and
|
---|
17 | * limitations under the License.
|
---|
18 | *
|
---|
19 | * This file is part of mbed TLS (https://tls.mbed.org)
|
---|
20 | */
|
---|
21 | /*
|
---|
22 | * These session callbacks use a simple chained list
|
---|
23 | * to store and retrieve the session information.
|
---|
24 | */
|
---|
25 |
|
---|
26 | #if !defined(MBEDTLS_CONFIG_FILE)
|
---|
27 | #include "mbedtls/config.h"
|
---|
28 | #else
|
---|
29 | #include MBEDTLS_CONFIG_FILE
|
---|
30 | #endif
|
---|
31 |
|
---|
32 | #if defined(MBEDTLS_SSL_CACHE_C)
|
---|
33 |
|
---|
34 | #if defined(MBEDTLS_PLATFORM_C)
|
---|
35 | #include "mbedtls/platform.h"
|
---|
36 | #else
|
---|
37 | #include <stdlib.h>
|
---|
38 | #define mbedtls_calloc calloc
|
---|
39 | #define mbedtls_free free
|
---|
40 | #endif
|
---|
41 |
|
---|
42 | #include "mbedtls/ssl_cache.h"
|
---|
43 |
|
---|
44 | #include <string.h>
|
---|
45 |
|
---|
46 | void mbedtls_ssl_cache_init( mbedtls_ssl_cache_context *cache )
|
---|
47 | {
|
---|
48 | memset( cache, 0, sizeof( mbedtls_ssl_cache_context ) );
|
---|
49 |
|
---|
50 | cache->timeout = MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT;
|
---|
51 | cache->max_entries = MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES;
|
---|
52 |
|
---|
53 | #if defined(MBEDTLS_THREADING_C)
|
---|
54 | mbedtls_mutex_init( &cache->mutex );
|
---|
55 | #endif
|
---|
56 | }
|
---|
57 |
|
---|
58 | int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session )
|
---|
59 | {
|
---|
60 | int ret = 1;
|
---|
61 | #if defined(MBEDTLS_HAVE_TIME)
|
---|
62 | mbedtls_time_t t = mbedtls_time( NULL );
|
---|
63 | #endif
|
---|
64 | mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
|
---|
65 | mbedtls_ssl_cache_entry *cur, *entry;
|
---|
66 |
|
---|
67 | #if defined(MBEDTLS_THREADING_C)
|
---|
68 | if( mbedtls_mutex_lock( &cache->mutex ) != 0 )
|
---|
69 | return( 1 );
|
---|
70 | #endif
|
---|
71 |
|
---|
72 | cur = cache->chain;
|
---|
73 | entry = NULL;
|
---|
74 |
|
---|
75 | while( cur != NULL )
|
---|
76 | {
|
---|
77 | entry = cur;
|
---|
78 | cur = cur->next;
|
---|
79 |
|
---|
80 | #if defined(MBEDTLS_HAVE_TIME)
|
---|
81 | if( cache->timeout != 0 &&
|
---|
82 | (int) ( t - entry->timestamp ) > cache->timeout )
|
---|
83 | continue;
|
---|
84 | #endif
|
---|
85 |
|
---|
86 | if( session->ciphersuite != entry->session.ciphersuite ||
|
---|
87 | session->compression != entry->session.compression ||
|
---|
88 | session->id_len != entry->session.id_len )
|
---|
89 | continue;
|
---|
90 |
|
---|
91 | if( memcmp( session->id, entry->session.id,
|
---|
92 | entry->session.id_len ) != 0 )
|
---|
93 | continue;
|
---|
94 |
|
---|
95 | memcpy( session->master, entry->session.master, 48 );
|
---|
96 |
|
---|
97 | session->verify_result = entry->session.verify_result;
|
---|
98 |
|
---|
99 | #if defined(MBEDTLS_X509_CRT_PARSE_C)
|
---|
100 | /*
|
---|
101 | * Restore peer certificate (without rest of the original chain)
|
---|
102 | */
|
---|
103 | if( entry->peer_cert.p != NULL )
|
---|
104 | {
|
---|
105 | if( ( session->peer_cert = mbedtls_calloc( 1,
|
---|
106 | sizeof(mbedtls_x509_crt) ) ) == NULL )
|
---|
107 | {
|
---|
108 | ret = 1;
|
---|
109 | goto exit;
|
---|
110 | }
|
---|
111 |
|
---|
112 | mbedtls_x509_crt_init( session->peer_cert );
|
---|
113 | if( mbedtls_x509_crt_parse( session->peer_cert, entry->peer_cert.p,
|
---|
114 | entry->peer_cert.len ) != 0 )
|
---|
115 | {
|
---|
116 | mbedtls_free( session->peer_cert );
|
---|
117 | session->peer_cert = NULL;
|
---|
118 | ret = 1;
|
---|
119 | goto exit;
|
---|
120 | }
|
---|
121 | }
|
---|
122 | #endif /* MBEDTLS_X509_CRT_PARSE_C */
|
---|
123 |
|
---|
124 | ret = 0;
|
---|
125 | goto exit;
|
---|
126 | }
|
---|
127 |
|
---|
128 | exit:
|
---|
129 | #if defined(MBEDTLS_THREADING_C)
|
---|
130 | if( mbedtls_mutex_unlock( &cache->mutex ) != 0 )
|
---|
131 | ret = 1;
|
---|
132 | #endif
|
---|
133 |
|
---|
134 | return( ret );
|
---|
135 | }
|
---|
136 |
|
---|
137 | int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session )
|
---|
138 | {
|
---|
139 | int ret = 1;
|
---|
140 | #if defined(MBEDTLS_HAVE_TIME)
|
---|
141 | mbedtls_time_t t = mbedtls_time( NULL ), oldest = 0;
|
---|
142 | mbedtls_ssl_cache_entry *old = NULL;
|
---|
143 | #endif
|
---|
144 | mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
|
---|
145 | mbedtls_ssl_cache_entry *cur, *prv;
|
---|
146 | int count = 0;
|
---|
147 |
|
---|
148 | #if defined(MBEDTLS_THREADING_C)
|
---|
149 | if( ( ret = mbedtls_mutex_lock( &cache->mutex ) ) != 0 )
|
---|
150 | return( ret );
|
---|
151 | #endif
|
---|
152 |
|
---|
153 | cur = cache->chain;
|
---|
154 | prv = NULL;
|
---|
155 |
|
---|
156 | while( cur != NULL )
|
---|
157 | {
|
---|
158 | count++;
|
---|
159 |
|
---|
160 | #if defined(MBEDTLS_HAVE_TIME)
|
---|
161 | if( cache->timeout != 0 &&
|
---|
162 | (int) ( t - cur->timestamp ) > cache->timeout )
|
---|
163 | {
|
---|
164 | cur->timestamp = t;
|
---|
165 | break; /* expired, reuse this slot, update timestamp */
|
---|
166 | }
|
---|
167 | #endif
|
---|
168 |
|
---|
169 | if( memcmp( session->id, cur->session.id, cur->session.id_len ) == 0 )
|
---|
170 | break; /* client reconnected, keep timestamp for session id */
|
---|
171 |
|
---|
172 | #if defined(MBEDTLS_HAVE_TIME)
|
---|
173 | if( oldest == 0 || cur->timestamp < oldest )
|
---|
174 | {
|
---|
175 | oldest = cur->timestamp;
|
---|
176 | old = cur;
|
---|
177 | }
|
---|
178 | #endif
|
---|
179 |
|
---|
180 | prv = cur;
|
---|
181 | cur = cur->next;
|
---|
182 | }
|
---|
183 |
|
---|
184 | if( cur == NULL )
|
---|
185 | {
|
---|
186 | #if defined(MBEDTLS_HAVE_TIME)
|
---|
187 | /*
|
---|
188 | * Reuse oldest entry if max_entries reached
|
---|
189 | */
|
---|
190 | if( count >= cache->max_entries )
|
---|
191 | {
|
---|
192 | if( old == NULL )
|
---|
193 | {
|
---|
194 | ret = 1;
|
---|
195 | goto exit;
|
---|
196 | }
|
---|
197 |
|
---|
198 | cur = old;
|
---|
199 | }
|
---|
200 | #else /* MBEDTLS_HAVE_TIME */
|
---|
201 | /*
|
---|
202 | * Reuse first entry in chain if max_entries reached,
|
---|
203 | * but move to last place
|
---|
204 | */
|
---|
205 | if( count >= cache->max_entries )
|
---|
206 | {
|
---|
207 | if( cache->chain == NULL )
|
---|
208 | {
|
---|
209 | ret = 1;
|
---|
210 | goto exit;
|
---|
211 | }
|
---|
212 |
|
---|
213 | cur = cache->chain;
|
---|
214 | cache->chain = cur->next;
|
---|
215 | cur->next = NULL;
|
---|
216 | prv->next = cur;
|
---|
217 | }
|
---|
218 | #endif /* MBEDTLS_HAVE_TIME */
|
---|
219 | else
|
---|
220 | {
|
---|
221 | /*
|
---|
222 | * max_entries not reached, create new entry
|
---|
223 | */
|
---|
224 | cur = mbedtls_calloc( 1, sizeof(mbedtls_ssl_cache_entry) );
|
---|
225 | if( cur == NULL )
|
---|
226 | {
|
---|
227 | ret = 1;
|
---|
228 | goto exit;
|
---|
229 | }
|
---|
230 |
|
---|
231 | if( prv == NULL )
|
---|
232 | cache->chain = cur;
|
---|
233 | else
|
---|
234 | prv->next = cur;
|
---|
235 | }
|
---|
236 |
|
---|
237 | #if defined(MBEDTLS_HAVE_TIME)
|
---|
238 | cur->timestamp = t;
|
---|
239 | #endif
|
---|
240 | }
|
---|
241 |
|
---|
242 | memcpy( &cur->session, session, sizeof( mbedtls_ssl_session ) );
|
---|
243 |
|
---|
244 | #if defined(MBEDTLS_X509_CRT_PARSE_C)
|
---|
245 | /*
|
---|
246 | * If we're reusing an entry, free its certificate first
|
---|
247 | */
|
---|
248 | if( cur->peer_cert.p != NULL )
|
---|
249 | {
|
---|
250 | mbedtls_free( cur->peer_cert.p );
|
---|
251 | memset( &cur->peer_cert, 0, sizeof(mbedtls_x509_buf) );
|
---|
252 | }
|
---|
253 |
|
---|
254 | /*
|
---|
255 | * Store peer certificate
|
---|
256 | */
|
---|
257 | if( session->peer_cert != NULL )
|
---|
258 | {
|
---|
259 | cur->peer_cert.p = mbedtls_calloc( 1, session->peer_cert->raw.len );
|
---|
260 | if( cur->peer_cert.p == NULL )
|
---|
261 | {
|
---|
262 | ret = 1;
|
---|
263 | goto exit;
|
---|
264 | }
|
---|
265 |
|
---|
266 | memcpy( cur->peer_cert.p, session->peer_cert->raw.p,
|
---|
267 | session->peer_cert->raw.len );
|
---|
268 | cur->peer_cert.len = session->peer_cert->raw.len;
|
---|
269 |
|
---|
270 | cur->session.peer_cert = NULL;
|
---|
271 | }
|
---|
272 | #endif /* MBEDTLS_X509_CRT_PARSE_C */
|
---|
273 |
|
---|
274 | ret = 0;
|
---|
275 |
|
---|
276 | exit:
|
---|
277 | #if defined(MBEDTLS_THREADING_C)
|
---|
278 | if( mbedtls_mutex_unlock( &cache->mutex ) != 0 )
|
---|
279 | ret = 1;
|
---|
280 | #endif
|
---|
281 |
|
---|
282 | return( ret );
|
---|
283 | }
|
---|
284 |
|
---|
285 | #if defined(MBEDTLS_HAVE_TIME)
|
---|
286 | void mbedtls_ssl_cache_set_timeout( mbedtls_ssl_cache_context *cache, int timeout )
|
---|
287 | {
|
---|
288 | if( timeout < 0 ) timeout = 0;
|
---|
289 |
|
---|
290 | cache->timeout = timeout;
|
---|
291 | }
|
---|
292 | #endif /* MBEDTLS_HAVE_TIME */
|
---|
293 |
|
---|
294 | void mbedtls_ssl_cache_set_max_entries( mbedtls_ssl_cache_context *cache, int max )
|
---|
295 | {
|
---|
296 | if( max < 0 ) max = 0;
|
---|
297 |
|
---|
298 | cache->max_entries = max;
|
---|
299 | }
|
---|
300 |
|
---|
301 | void mbedtls_ssl_cache_free( mbedtls_ssl_cache_context *cache )
|
---|
302 | {
|
---|
303 | mbedtls_ssl_cache_entry *cur, *prv;
|
---|
304 |
|
---|
305 | cur = cache->chain;
|
---|
306 |
|
---|
307 | while( cur != NULL )
|
---|
308 | {
|
---|
309 | prv = cur;
|
---|
310 | cur = cur->next;
|
---|
311 |
|
---|
312 | mbedtls_ssl_session_free( &prv->session );
|
---|
313 |
|
---|
314 | #if defined(MBEDTLS_X509_CRT_PARSE_C)
|
---|
315 | mbedtls_free( prv->peer_cert.p );
|
---|
316 | #endif /* MBEDTLS_X509_CRT_PARSE_C */
|
---|
317 |
|
---|
318 | mbedtls_free( prv );
|
---|
319 | }
|
---|
320 |
|
---|
321 | #if defined(MBEDTLS_THREADING_C)
|
---|
322 | mbedtls_mutex_free( &cache->mutex );
|
---|
323 | #endif
|
---|
324 | cache->chain = NULL;
|
---|
325 | }
|
---|
326 |
|
---|
327 | #endif /* MBEDTLS_SSL_CACHE_C */
|
---|