summaryrefslogtreecommitdiffstats
path: root/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3
diff options
context:
space:
mode:
Diffstat (limited to 'secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3')
-rw-r--r--secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3272
1 files changed, 272 insertions, 0 deletions
diff --git a/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3 b/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3
new file mode 100644
index 0000000..c8f02d0
--- /dev/null
+++ b/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3
@@ -0,0 +1,272 @@
+.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. nr % 0
+. rr F
+.\}
+.el \{\
+. de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "SSL_CTX_set_generate_session_id 3"
+.TH SSL_CTX_set_generate_session_id 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+SSL_CTX_set_generate_session_id, SSL_set_generate_session_id, SSL_has_matching_session_id \- manipulate generation of SSL session IDs (server only)
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
+\& unsigned int *id_len);
+\&
+\& int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb);
+\& int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB, cb);
+\& int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
+\& unsigned int id_len);
+.Ve
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+\&\fISSL_CTX_set_generate_session_id()\fR sets the callback function for generating
+new session ids for \s-1SSL/TLS\s0 sessions for \fBctx\fR to be \fBcb\fR.
+.PP
+\&\fISSL_set_generate_session_id()\fR sets the callback function for generating
+new session ids for \s-1SSL/TLS\s0 sessions for \fBssl\fR to be \fBcb\fR.
+.PP
+\&\fISSL_has_matching_session_id()\fR checks, whether a session with id \fBid\fR
+(of length \fBid_len\fR) is already contained in the internal session cache
+of the parent context of \fBssl\fR.
+.SH "NOTES"
+.IX Header "NOTES"
+When a new session is established between client and server, the server
+generates a session id. The session id is an arbitrary sequence of bytes.
+The length of the session id is 16 bytes for SSLv2 sessions and between
+1 and 32 bytes for SSLv3/TLSv1. The session id is not security critical
+but must be unique for the server. Additionally, the session id is
+transmitted in the clear when reusing the session so it must not contain
+sensitive information.
+.PP
+Without a callback being set, an OpenSSL server will generate a unique
+session id from pseudo random numbers of the maximum possible length.
+Using the callback function, the session id can be changed to contain
+additional information like e.g. a host id in order to improve load balancing
+or external caching techniques.
+.PP
+The callback function receives a pointer to the memory location to put
+\&\fBid\fR into and a pointer to the maximum allowed length \fBid_len\fR. The
+buffer at location \fBid\fR is only guaranteed to have the size \fBid_len\fR.
+The callback is only allowed to generate a shorter id and reduce \fBid_len\fR;
+the callback \fBmust never\fR increase \fBid_len\fR or write to the location
+\&\fBid\fR exceeding the given limit.
+.PP
+If a SSLv2 session id is generated and \fBid_len\fR is reduced, it will be
+restored after the callback has finished and the session id will be padded
+with 0x00. It is not recommended to change the \fBid_len\fR for SSLv2 sessions.
+The callback can use the \fISSL_get_version\fR\|(3) function
+to check, whether the session is of type SSLv2.
+.PP
+The location \fBid\fR is filled with 0x00 before the callback is called, so the
+callback may only fill part of the possible length and leave \fBid_len\fR
+untouched while maintaining reproducibility.
+.PP
+Since the sessions must be distinguished, session ids must be unique.
+Without the callback a random number is used, so that the probability
+of generating the same session id is extremely small (2^128 possible ids
+for an SSLv2 session, 2^256 for SSLv3/TLSv1). In order to assure the
+uniqueness of the generated session id, the callback must call
+\&\fISSL_has_matching_session_id()\fR and generate another id if a conflict occurs.
+If an id conflict is not resolved, the handshake will fail.
+If the application codes e.g. a unique host id, a unique process number, and
+a unique sequence number into the session id, uniqueness could easily be
+achieved without randomness added (it should however be taken care that
+no confidential information is leaked this way). If the application can not
+guarantee uniqueness, it is recommended to use the maximum \fBid_len\fR and
+fill in the bytes not used to code special information with random data
+to avoid collisions.
+.PP
+\&\fISSL_has_matching_session_id()\fR will only query the internal session cache,
+not the external one. Since the session id is generated before the
+handshake is completed, it is not immediately added to the cache. If
+another thread is using the same internal session cache, a race condition
+can occur in that another thread generates the same session id.
+Collisions can also occur when using an external session cache, since
+the external cache is not tested with \fISSL_has_matching_session_id()\fR
+and the same race condition applies.
+.PP
+When calling \fISSL_has_matching_session_id()\fR for an SSLv2 session with
+reduced \fBid_len\fR, the match operation will be performed using the
+fixed length required and with a 0x00 padded id.
+.PP
+The callback must return 0 if it cannot generate a session id for whatever
+reason and return 1 on success.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+The callback function listed will generate a session id with the
+server id given, and will fill the rest with pseudo random bytes:
+.PP
+.Vb 1
+\& const char session_id_prefix = "www\-18";
+\&
+\& #define MAX_SESSION_ID_ATTEMPTS 10
+\& static int generate_session_id(const SSL *ssl, unsigned char *id,
+\& unsigned int *id_len)
+\& {
+\& unsigned int count = 0;
+\& const char *version;
+\&
+\& version = SSL_get_version(ssl);
+\& if (!strcmp(version, "SSLv2"))
+\& /* we must not change id_len */;
+\&
+\& do {
+\& RAND_pseudo_bytes(id, *id_len);
+\& /* Prefix the session_id with the required prefix. NB: If our
+\& * prefix is too long, clip it \- but there will be worse effects
+\& * anyway, eg. the server could only possibly create 1 session
+\& * ID (ie. the prefix!) so all future session negotiations will
+\& * fail due to conflicts. */
+\& memcpy(id, session_id_prefix,
+\& (strlen(session_id_prefix) < *id_len) ?
+\& strlen(session_id_prefix) : *id_len);
+\& }
+\& while(SSL_has_matching_session_id(ssl, id, *id_len) &&
+\& (++count < MAX_SESSION_ID_ATTEMPTS));
+\& if(count >= MAX_SESSION_ID_ATTEMPTS)
+\& return 0;
+\& return 1;
+\& }
+.Ve
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fISSL_CTX_set_generate_session_id()\fR and \fISSL_set_generate_session_id()\fR
+always return 1.
+.PP
+\&\fISSL_has_matching_session_id()\fR returns 1 if another session with the
+same id is already in the cache.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIssl\fR\|(3), \fISSL_get_version\fR\|(3)
+.SH "HISTORY"
+.IX Header "HISTORY"
+\&\fISSL_CTX_set_generate_session_id()\fR, \fISSL_set_generate_session_id()\fR
+and \fISSL_has_matching_session_id()\fR have been introduced in
+OpenSSL 0.9.7.
OpenPOWER on IntegriCloud