xref: /openbsd/lib/libssl/man/SSL_CTX_set_generate_session_id.3 (revision 28b5fa2c)

.\"	$OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.5 2018/03/22 21:09:18 schwarze Exp $
.\"	OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
.\"
.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
.\" Copyright (c) 2001, 2014 The OpenSSL Project.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in
.\"    the documentation and/or other materials provided with the
.\"    distribution.
.\"
.\" 3. All advertising materials mentioning features or use of this
.\"    software must display the following acknowledgment:
.\"    "This product includes software developed by the OpenSSL Project
.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
.\"
.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
.\"    endorse or promote products derived from this software without
.\"    prior written permission. For written permission, please contact
.\"    openssl-core@openssl.org.
.\"
.\" 5. Products derived from this software may not be called "OpenSSL"
.\"    nor may "OpenSSL" appear in their names without prior written
.\"    permission of the OpenSSL Project.
.\"
.\" 6. Redistributions of any form whatsoever must retain the following
.\"    acknowledgment:
.\"    "This product includes software developed by the OpenSSL Project
.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: March 22 2018 $
.Dt SSL_CTX_SET_GENERATE_SESSION_ID 3
.Os
.Sh NAME
.Nm SSL_CTX_set_generate_session_id ,
.Nm SSL_set_generate_session_id ,
.Nm SSL_has_matching_session_id ,
.Nm GEN_SESSION_CB
.Nd manipulate generation of SSL session IDs (server only)
.Sh SYNOPSIS
.In openssl/ssl.h
.Ft typedef int
.Fo (*GEN_SESSION_CB)
.Fa "const SSL *ssl"
.Fa "unsigned char *id"
.Fa "unsigned int *id_len"
.Fc
.Ft int
.Fn SSL_CTX_set_generate_session_id "SSL_CTX *ctx" "GEN_SESSION_CB cb"
.Ft int
.Fn SSL_set_generate_session_id "SSL *ssl" "GEN_SESSION_CB cb"
.Ft int
.Fo SSL_has_matching_session_id
.Fa "const SSL *ssl" "const unsigned char *id" "unsigned int id_len"
.Fc
.Sh DESCRIPTION
.Fn SSL_CTX_set_generate_session_id
sets the callback function for generating new session ids for SSL/TLS sessions
for
.Fa ctx
to be
.Fa cb .
.Pp
.Fn SSL_set_generate_session_id
sets the callback function for generating new session ids for SSL/TLS sessions
for
.Fa ssl
to be
.Fa cb .
.Pp
.Fn SSL_has_matching_session_id
checks, whether a session with id
.Fa id
(of length
.Fa id_len )
is already contained in the internal session cache
of the parent context of
.Fa ssl .
.Pp
When a new session is established between client and server,
the server generates a session id.
The session id is an arbitrary sequence of bytes.
The length of the session id is between 1 and 32 bytes.
The session id is not security critical but must be unique for the server.
Additionally, the session id is transmitted in the clear when reusing the
session so it must not contain sensitive information.
.Pp
Without a callback being set, an OpenSSL server will generate a unique session
id from pseudo random numbers of the maximum possible length.
Using the callback function, the session id can be changed to contain
additional information like, e.g., a host id in order to improve load balancing
or external caching techniques.
.Pp
The callback function receives a pointer to the memory location to put
.Fa id
into and a pointer to the maximum allowed length
.Fa id_len .
The buffer at location
.Fa id
is only guaranteed to have the size
.Fa id_len .
The callback is only allowed to generate a shorter id and reduce
.Fa id_len ;
the callback
.Em must never
increase
.Fa id_len
or write to the location
.Fa id
exceeding the given limit.
.Pp
The location
.Fa id
is filled with 0x00 before the callback is called,
so the callback may only fill part of the possible length and leave
.Fa id_len
untouched while maintaining reproducibility.
.Pp
Since the sessions must be distinguished, session ids must be unique.
Without the callback a random number is used,
so that the probability of generating the same session id is extremely small
(2^256 for TLSv1).
In order to ensure the uniqueness of the generated session id,
the callback must call
.Fn SSL_has_matching_session_id
and generate another id if a conflict occurs.
If an id conflict is not resolved, the handshake will fail.
If the application codes, e.g., a unique host id, a unique process number, and
a unique sequence number into the session id, uniqueness could easily be
achieved without randomness added (it should however be taken care that
no confidential information is leaked this way).
If the application cannot guarantee uniqueness,
it is recommended to use the maximum
.Fa id_len
and fill in the bytes not used to code special information with random data to
avoid collisions.
.Pp
.Fn SSL_has_matching_session_id
will only query the internal session cache, not the external one.
Since the session id is generated before the handshake is completed,
it is not immediately added to the cache.
If another thread is using the same internal session cache,
a race condition can occur in that another thread generates the same session id.
Collisions can also occur when using an external session cache,
since the external cache is not tested with
.Fn SSL_has_matching_session_id
and the same race condition applies.
.Pp
The callback must return 0 if it cannot generate a session id for whatever
reason and return 1 on success.
.Sh RETURN VALUES
.Fn SSL_CTX_set_generate_session_id
and
.Fn SSL_set_generate_session_id
always return 1.
.Pp
.Fn SSL_has_matching_session_id
returns 1 if another session with the same id is already in the cache.
.Sh EXAMPLES
The callback function listed will generate a session id with the server id
given, and will fill the rest with pseudo random bytes:
.Bd -literal
const char session_id_prefix = "www-18";

#define MAX_SESSION_ID_ATTEMPTS 10
static int
generate_session_id(const SSL *ssl, unsigned char *id,
    unsigned int *id_len)
{
	unsigned int count = 0;

	do {
		RAND_pseudo_bytes(id, *id_len);
		/*
		 * Prefix the session_id with the required prefix. NB: If
		 * our prefix is too long, clip it \(en but there will be
		 * worse effects anyway, e.g., the server could only
		 * possibly create one session ID (the prefix!) so all
		 * future session negotiations will fail due to conflicts.
		 */
		memcpy(id, session_id_prefix,
		    (strlen(session_id_prefix) < *id_len) ?
		    strlen(session_id_prefix) : *id_len);
	} while (SSL_has_matching_session_id(ssl, id, *id_len) &&
	    (++count < MAX_SESSION_ID_ATTEMPTS));

	if (count >= MAX_SESSION_ID_ATTEMPTS)
		return 0;
	return 1;
}
.Ed
.Sh SEE ALSO
.Xr ssl 3 ,
.Xr SSL_get_version 3
.Sh HISTORY
.Fn SSL_CTX_set_generate_session_id ,
.Fn SSL_set_generate_session_id
and
.Fn SSL_has_matching_session_id
first appeared in OpenSSL 0.9.7 and have been available since
.Ox 3.2 .