Rename initial_ctx to session_ctx. This makes its purpose clearer. That the session cache is based on the initial SSL_CTX is confusing (it's a remnant of OpenSSL's backwards session resumption ordering), but we're probably stuck with it. Relatedly, document SSL_set_SSL_CTX better. Change-Id: I2832efc63f6c959c5424271b365825afc7eec5e4 Reviewed-on: https://boringssl-review.googlesource.com/14204 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/internal.h b/ssl/internal.h index b8d3211..bc72239 100644 --- a/ssl/internal.h +++ b/ssl/internal.h
@@ -1881,7 +1881,9 @@ size_t supported_group_list_len; uint16_t *supported_group_list; /* our list */ - SSL_CTX *initial_ctx; /* initial ctx, used to store sessions */ + /* session_ctx is the |SSL_CTX| used for the session cache and related + * settings. */ + SSL_CTX *session_ctx; /* srtp_profiles is the list of configured SRTP protection profiles for * DTLS-SRTP. */
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 6e0ece9..95ea170 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c
@@ -397,7 +397,7 @@ SSL_CTX_up_ref(ctx); ssl->ctx = ctx; SSL_CTX_up_ref(ctx); - ssl->initial_ctx = ctx; + ssl->session_ctx = ctx; if (!ssl->ctx->x509_method->ssl_new(ssl)) { goto err; @@ -480,7 +480,7 @@ ssl_cert_free(ssl->cert); OPENSSL_free(ssl->tlsext_hostname); - SSL_CTX_free(ssl->initial_ctx); + SSL_CTX_free(ssl->session_ctx); OPENSSL_free(ssl->supported_group_list); OPENSSL_free(ssl->alpn_client_proto_list); EVP_PKEY_free(ssl->tlsext_channel_id_private); @@ -1800,7 +1800,7 @@ void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) { SSL *const ssl = hs->ssl; - SSL_CTX *ctx = ssl->initial_ctx; + SSL_CTX *ctx = ssl->session_ctx; /* Never cache sessions with empty session IDs. */ if (ssl->s3->established_session->session_id_length == 0 || (ctx->session_cache_mode & mode) != mode) { @@ -1985,7 +1985,7 @@ } if (ctx == NULL) { - ctx = ssl->initial_ctx; + ctx = ssl->session_ctx; } ssl_cert_free(ssl->cert);
diff --git a/ssl/ssl_session.c b/ssl/ssl_session.c index c9390d2..e11238f 100644 --- a/ssl/ssl_session.c +++ b/ssl/ssl_session.c
@@ -535,13 +535,13 @@ if (version >= TLS1_3_VERSION) { /* TLS 1.3 uses tickets as authenticators, so we are willing to use them for * longer. */ - session->timeout = ssl->initial_ctx->session_psk_dhe_timeout; + session->timeout = ssl->session_ctx->session_psk_dhe_timeout; session->auth_timeout = SSL_DEFAULT_SESSION_AUTH_TIMEOUT; } else { /* TLS 1.2 resumption does not incorporate new key material, so we use a * much shorter timeout. */ - session->timeout = ssl->initial_ctx->session_timeout; - session->auth_timeout = ssl->initial_ctx->session_timeout; + session->timeout = ssl->session_ctx->session_timeout; + session->auth_timeout = ssl->session_ctx->session_timeout; } if (is_server) { @@ -611,7 +611,7 @@ /* Initialize HMAC and cipher contexts. If callback present it does all the * work otherwise use generated values from parent ctx. */ - SSL_CTX *tctx = ssl->initial_ctx; + SSL_CTX *tctx = ssl->session_ctx; uint8_t iv[EVP_MAX_IV_LENGTH]; uint8_t key_name[16]; if (tctx->tlsext_ticket_key_cb != NULL) { @@ -736,27 +736,27 @@ SSL_SESSION *session = NULL; /* Try the internal cache, if it exists. */ - if (!(ssl->initial_ctx->session_cache_mode & + if (!(ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) { SSL_SESSION data; data.ssl_version = ssl->version; data.session_id_length = session_id_len; OPENSSL_memcpy(data.session_id, session_id, session_id_len); - CRYPTO_MUTEX_lock_read(&ssl->initial_ctx->lock); - session = lh_SSL_SESSION_retrieve(ssl->initial_ctx->sessions, &data); + CRYPTO_MUTEX_lock_read(&ssl->session_ctx->lock); + session = lh_SSL_SESSION_retrieve(ssl->session_ctx->sessions, &data); if (session != NULL) { SSL_SESSION_up_ref(session); } /* TODO(davidben): This should probably move it to the front of the list. */ - CRYPTO_MUTEX_unlock_read(&ssl->initial_ctx->lock); + CRYPTO_MUTEX_unlock_read(&ssl->session_ctx->lock); } /* Fall back to the external cache, if it exists. */ if (session == NULL && - ssl->initial_ctx->get_session_cb != NULL) { + ssl->session_ctx->get_session_cb != NULL) { int copy = 1; - session = ssl->initial_ctx->get_session_cb(ssl, (uint8_t *)session_id, + session = ssl->session_ctx->get_session_cb(ssl, (uint8_t *)session_id, session_id_len, ©); if (session == NULL) { @@ -776,16 +776,16 @@ } /* Add the externally cached session to the internal cache if necessary. */ - if (!(ssl->initial_ctx->session_cache_mode & + if (!(ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE)) { - SSL_CTX_add_session(ssl->initial_ctx, session); + SSL_CTX_add_session(ssl->session_ctx, session); } } if (session != NULL && !ssl_session_is_time_valid(ssl, session)) { /* The session was from the cache, so remove it. */ - SSL_CTX_remove_session(ssl->initial_ctx, session); + SSL_CTX_remove_session(ssl->session_ctx, session); SSL_SESSION_free(session); session = NULL; }
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 4a7fbd3..34478ed 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c
@@ -3013,9 +3013,9 @@ if (ssl->ctx->tlsext_servername_callback != 0) { ret = ssl->ctx->tlsext_servername_callback(ssl, &al, ssl->ctx->tlsext_servername_arg); - } else if (ssl->initial_ctx->tlsext_servername_callback != 0) { - ret = ssl->initial_ctx->tlsext_servername_callback( - ssl, &al, ssl->initial_ctx->tlsext_servername_arg); + } else if (ssl->session_ctx->tlsext_servername_callback != 0) { + ret = ssl->session_ctx->tlsext_servername_callback( + ssl, &al, ssl->session_ctx->tlsext_servername_arg); } switch (ret) { @@ -3048,7 +3048,7 @@ size_t ticket_len, const uint8_t *session_id, size_t session_id_len) { int ret = 1; /* Most errors are non-fatal. */ - SSL_CTX *ssl_ctx = ssl->initial_ctx; + SSL_CTX *ssl_ctx = ssl->session_ctx; uint8_t *plaintext = NULL; HMAC_CTX hmac_ctx;
diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c index d5f88c9..f13a4f7 100644 --- a/ssl/tls13_client.c +++ b/ssl/tls13_client.c
@@ -258,7 +258,7 @@ /* Resumption incorporates fresh key material, so refresh the timeout. */ ssl_session_renew_timeout(ssl, hs->new_session, - ssl->initial_ctx->session_psk_dhe_timeout); + ssl->session_ctx->session_psk_dhe_timeout); } else if (!ssl_get_new_session(hs, 0)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); return ssl_hs_error;
diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c index 59c126e..4136a69 100644 --- a/ssl/tls13_server.c +++ b/ssl/tls13_server.c
@@ -256,7 +256,7 @@ /* Resumption incorporates fresh key material, so refresh the timeout. */ ssl_session_renew_timeout(ssl, hs->new_session, - ssl->initial_ctx->session_psk_dhe_timeout); + ssl->session_ctx->session_psk_dhe_timeout); } if (ssl->ctx->dos_protection_cb != NULL &&