From 56fa8e69cf1e742da8087de60152519127c79983 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lutz=20J=C3=A4nicke?= Date: Fri, 12 Oct 2001 12:29:16 +0000 Subject: [PATCH] Update information as a partial response to the post From: "Chris D. Peterson" Subject: Implementation Issues with OpenSSL To: openssl-users@openssl.org Date: Wed, 22 Aug 2001 16:13:17 -0700 The patch included in the original post may improve the internal session list handling (and is therefore worth a seperate investigation). No change to the list handling will however solve the problems of incorrect SSL_SESSION_free() calls. The session list is only one possible point of failure, dangling pointers would also occur for SSL object currently using the session. The correct solution is to only use SSL_SESSION_free() when applicable! --- doc/ssl/SSL_CTX_sess_set_get_cb.pod | 8 ++++++-- doc/ssl/SSL_SESSION_free.pod | 30 ++++++++++++++++++++++++++++- doc/ssl/SSL_get_session.pod | 6 ++++++ doc/ssl/SSL_set_session.pod | 9 +++++++++ doc/ssl/d2i_SSL_SESSION.pod | 14 ++++++++++++-- 5 files changed, 62 insertions(+), 5 deletions(-) diff --git a/doc/ssl/SSL_CTX_sess_set_get_cb.pod b/doc/ssl/SSL_CTX_sess_set_get_cb.pod index b6f15b4404..6e0ef00632 100644 --- a/doc/ssl/SSL_CTX_sess_set_get_cb.pod +++ b/doc/ssl/SSL_CTX_sess_set_get_cb.pod @@ -70,12 +70,16 @@ proposed by the client. The get_session_cb() is always called, also when session caching was disabled. The get_session_cb() is passed the B connection, the session id of length B at the memory location B. With the parameter B the callback can require the -SSL engine to increment the reference count of the SSL_SESSION object. +SSL engine to increment the reference count of the SSL_SESSION object, +Normally the reference count is not incremented and therefore the +session must not be explicitly freed with +L. =head1 SEE ALSO L, L, L, -L +L, +L =cut diff --git a/doc/ssl/SSL_SESSION_free.pod b/doc/ssl/SSL_SESSION_free.pod index 9275d88a40..558de01df9 100644 --- a/doc/ssl/SSL_SESSION_free.pod +++ b/doc/ssl/SSL_SESSION_free.pod @@ -16,12 +16,40 @@ SSL_SESSION_free() decrements the reference count of B and removes the B structure pointed to by B and frees up the allocated memory, if the the reference count has reached 0. +=head1 NOTES + +SSL_SESSION objects are allocated, when a TLS/SSL handshake operation +is successfully completed. Depending on the settings, see +L, +the SSL_SESSION objects are internally referenced by the SSL_CTX and +linked into its session cache. SSL objects may be using the SSL_SESSION object; +as a session may be reused, several SSL objects may be using one SSL_SESSION +object at the same time. It is therefore crucial to keep the reference +count (usage information) correct and not delete a SSL_SESSION object +that is still used, as this may lead to program failures due to +dangling pointers. These failures may also appear delayed, e.g. +when an SSL_SESSION object was completely freed as the reference count +incorrectly became 0, but it is still referenced in the internal +session cache and the cache list is processed during a +L operation. + +SSL_SESSION_free() must only be called for SSL_SESSION objects, for +which the reference count was explicitly incremented (e.g. +by calling SSL_get1_session(), see L) +or when the SSL_SESSION object was generated outside a TLS handshake +operation, e.g. by using L. +It must not be called on other SSL_SESSION objects, as this would cause +incorrect reference counts and therefore program failures. + =head1 RETURN VALUES SSL_SESSION_free() does not provide diagnostic information. =head1 SEE ALSO -L, L +L, L, +L, +L, + L =cut diff --git a/doc/ssl/SSL_get_session.pod b/doc/ssl/SSL_get_session.pod index a0266e2ac6..8547faa58b 100644 --- a/doc/ssl/SSL_get_session.pod +++ b/doc/ssl/SSL_get_session.pod @@ -40,6 +40,12 @@ If the data is to be kept, SSL_get1_session() will increment the reference count and the session will stay in memory until explicitly freed with L, regardless of its state. +SSL_SESSION objects keep internal link information about the session cache +list, when being inserted into one SSL_CTX object's session cache. +One SSL_SESSION object, regardless of its reference count, must therefore +only be used with one SSL_CTX object (and the SSL objects created +from this SSL_CTX object). + =head1 RETURN VALUES The following return values can occur: diff --git a/doc/ssl/SSL_set_session.pod b/doc/ssl/SSL_set_session.pod index 1de232fbbc..5f54714ad8 100644 --- a/doc/ssl/SSL_set_session.pod +++ b/doc/ssl/SSL_set_session.pod @@ -23,6 +23,14 @@ If there is already a session set inside B (because it was set with SSL_set_session() before or because the same B was already used for a connection), SSL_SESSION_free() will be called for that session. +=head1 NOTES + +SSL_SESSION objects keep internal link information about the session cache +list, when being inserted into one SSL_CTX object's session cache. +One SSL_SESSION object, regardless of its reference count, must therefore +only be used with one SSL_CTX object (and the SSL objects created +from this SSL_CTX object). + =head1 RETURN VALUES The following return values can occur: @@ -42,6 +50,7 @@ The operation succeeded. =head1 SEE ALSO L, L, +L, L, L diff --git a/doc/ssl/d2i_SSL_SESSION.pod b/doc/ssl/d2i_SSL_SESSION.pod index 9a1ba6c47b..0321a5a36f 100644 --- a/doc/ssl/d2i_SSL_SESSION.pod +++ b/doc/ssl/d2i_SSL_SESSION.pod @@ -30,7 +30,17 @@ session data on disk or into a database, it must be transformed into a binary ASN1 representation. When using d2i_SSL_SESSION(), the SSL_SESSION object is automatically -allocated. +allocated. The reference count is 1, so that the session must be +explicitly removed using L, +unless the SSL_SESSION object is completely taken over, when being called +inside the get_session_cb() (see +L). + +SSL_SESSION objects keep internal link information about the session cache +list, when being inserted into one SSL_CTX object's session cache. +One SSL_SESSION object, regardless of its reference count, must therefore +only be used with one SSL_CTX object (and the SSL objects created +from this SSL_CTX object). When using i2d_SSL_SESSION(), the memory location pointed to by B must be large enough to hold the binary representation of the session. There is no @@ -50,7 +60,7 @@ When the session is not valid, B<0> is returned and no operation is performed. =head1 SEE ALSO -L, +L, L, L =cut