Access to session cache is now atomic

- Adding and getting sessions to and from the local cache is now atomic.
  - The new internal `wolfSSL_GetSessionFromCache` requires a destination object to be supplied when retrieving from the cache so that items can be retrieved independently from the cache. For most existing calls, the destination is `ssl->session`.
  -`PREALLOC_SESSION_TICKET_LEN` defines how much memory is temporarily allocated for the ticket if it doesn't fit in the static session buffer.

src/internal.c

@@ -6629,6 +6629,8 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
     }
 #endif /*OPENSSL_EXTRA && HAVE_SECRET_CALLBACK */
 
+    ssl->session.heap = ssl->heap;
+    ssl->session.type = WOLFSSL_SESSION_TYPE_SSL;
     ssl->session.masterSecret = ssl->session._masterSecret;
 #ifndef NO_CLIENT_CACHE
     ssl->session.serverID = ssl->session._serverID;
@@ -7230,9 +7232,6 @@ void SSL_ResourceFree(WOLFSSL* ssl)
         ssl->session.ticketLen = 0;
     }
 #endif
-#ifdef ENABLE_CLIENT_SESSION_REF
-    wolfSSL_SESSION_free(ssl->session.refPtr);
-#endif
 #ifdef HAVE_EXT_CACHE
     wolfSSL_SESSION_free(ssl->extSession);
 #endif
@@ -29269,9 +29268,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
     {
         int ret = 0;
         WOLFSSL_SESSION* session;
-    #ifdef HAVE_EXT_CACHE
-        byte gotSess = 0;
-    #endif
         (void)bogusID;
     #ifdef HAVE_SESSION_TICKET
         if (ssl->options.useTicket == 1) {
@@ -29283,9 +29279,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
     #endif
         {
             session = wolfSSL_GetSession(ssl, ssl->arrays->masterSecret, 1);
-        #ifdef HAVE_EXT_CACHE
-            gotSess = 1;
-        #endif
         }
         if (!session) {
             WOLFSSL_MSG("Session lookup for resume failed");
@@ -29375,12 +29368,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
             }
         }
 
-    #ifdef HAVE_EXT_CACHE
-        if (gotSess) {
-            wolfSSL_SESSION_free(session);
-        }
-    #endif
-
         return ret;
     }
 

tests/api.c

@@ -39252,7 +39252,10 @@ static void test_wolfSSL_SESSION(void)
 
     AssertPtrNE((sess = wolfSSL_get1_session(ssl)), NULL); /* ref count 1 */
     AssertPtrNE((sess_copy = wolfSSL_get1_session(ssl)), NULL); /* ref count 2 */
-    AssertPtrEq(sess, sess_copy); /* they should be the same pointer */
+#ifdef HAVE_EXT_CACHE
+    AssertPtrEq(sess, sess_copy); /* they should be the same pointer but without
+                                   * HAVE_EXT_CACHE we get new objects each time */
+#endif
     wolfSSL_SESSION_free(sess_copy); sess_copy = NULL;
     wolfSSL_SESSION_free(sess);      sess = NULL; /* free session ref */
 
@@ -39273,6 +39276,9 @@ static void test_wolfSSL_SESSION(void)
     #endif
 #endif /* OPENSSL_EXTRA */
 
+    /* Retain copy of the session for later testing */
+    AssertNotNull(sess = wolfSSL_get1_session(ssl));
+
     wolfSSL_shutdown(ssl);
     wolfSSL_free(ssl);
 

wolfssl/internal.h

@@ -1567,6 +1567,10 @@ enum Misc {
     #define SESSION_TICKET_LEN 256
 #endif
 
+#ifndef PREALLOC_SESSION_TICKET_LEN
+    #define PREALLOC_SESSION_TICKET_LEN 512
+#endif
+
 #ifndef SESSION_TICKET_HINT_DEFAULT
     #define SESSION_TICKET_HINT_DEFAULT 300
 #endif
@@ -3303,22 +3307,31 @@ typedef enum WOLFSSL_SESSION_TYPE {
     WOLFSSL_SESSION_TYPE_SSL,    /* in ssl->session */
     WOLFSSL_SESSION_TYPE_CACHE,  /* pointer to internal cache */
     WOLFSSL_SESSION_TYPE_HEAP    /* allocated from heap SESSION_new */
-#ifdef ENABLE_CLIENT_SESSION_REF
-   ,WOLFSSL_SESSION_TYPE_REF     /* smaller allocation with reference to internal cache */
-#endif
 } WOLFSSL_SESSION_TYPE;
 
 /* wolfSSL session type */
 struct WOLFSSL_SESSION {
+    /* WARNING Do not add fields here. They will be ignored in
+     *         wolfSSL_DupSession. */
     WOLFSSL_SESSION_TYPE type;
+    int                cacheRow;          /* row in session cache     */
+    int                refCount;          /* reference count */
+#ifndef SINGLE_THREADED
+    wolfSSL_Mutex      refMutex;          /* ref count mutex */
+#endif
+    void*              heap;
+    /* WARNING The above fields (up to and including the heap) are not copied
+     *         in wolfSSL_DupSession. Place new fields after the heap
+     *         member */
+
     byte               side;              /* Either WOLFSSL_CLIENT_END or
                                                     WOLFSSL_SERVER_END */
 
-    int                cacheRow;          /* row in session cache     */
     word32             bornOn;            /* create time in seconds   */
     word32             timeout;           /* timeout in seconds       */
 
-    byte               sessionID[ID_LEN]; /* id for protocol          */
+    byte               sessionID[ID_LEN]; /* id for protocol or bogus
+                                           * ID for TLS 1.3           */
     byte               sessionIDSz;
 
     byte*              masterSecret;      /* stored secret            */
@@ -3364,11 +3377,6 @@ struct WOLFSSL_SESSION {
     word16             ticketLen;
     word16             ticketLenAlloc;    /* is dynamic */
 #endif
-    int                refCount;          /* reference count */
-#ifndef SINGLE_THREADED
-    wolfSSL_Mutex      refMutex;          /* ref count mutex */
-#endif
-    void*              heap;
 
 #ifdef SESSION_CERTS
     WOLFSSL_X509_CHAIN chain;             /* peer cert chain, static  */
@@ -3380,11 +3388,6 @@ struct WOLFSSL_SESSION {
     WOLFSSL_CRYPTO_EX_DATA ex_data;
 #endif
 
-#ifdef ENABLE_CLIENT_SESSION_REF
-    /* pointer to WOLFSSL_SESSION in internal cache (for WOLFSSL_SESSION_TYPE_REF) */
-    void*              refPtr;
-#endif
-
     /* Below buffers are not allocated for the WOLFSSL_SESSION_TYPE_REF, instead
      * the above pointers reference the session cache for backwards
      * compatibility. For all other session types the above pointers reference
@@ -3406,9 +3409,13 @@ struct WOLFSSL_SESSION {
 WOLFSSL_LOCAL WOLFSSL_SESSION* wolfSSL_NewSession(void* heap);
 WOLFSSL_LOCAL WOLFSSL_SESSION* wolfSSL_GetSession(
     WOLFSSL* ssl, byte* masterSecret, byte restoreSessionCerts);
+WOLFSSL_LOCAL int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output);
 WOLFSSL_LOCAL WOLFSSL_SESSION* wolfSSL_GetSessionRef(WOLFSSL* ssl);
 WOLFSSL_LOCAL int wolfSSL_SetSession(WOLFSSL* ssl, WOLFSSL_SESSION* session);
 WOLFSSL_LOCAL void wolfSSL_FreeSession(WOLFSSL_SESSION* session);
+WOLFSSL_LOCAL int wolfSSL_DupSession(const WOLFSSL_SESSION* input,
+        WOLFSSL_SESSION* output, int avoidSysCalls);
+
 
 typedef int (*hmacfp) (WOLFSSL*, byte*, const byte*, word32, int, int, int, int);
 

wolfssl/openssl/ssl.h

@@ -1269,15 +1269,6 @@ typedef WOLFSSL_SRTP_PROTECTION_PROFILE      SRTP_PROTECTION_PROFILE;
 
 #define SSL3_RANDOM_SIZE                32 /* same as RAN_LEN in internal.h */
 
-#define SSL2_VERSION                     0x0002
-#define SSL3_VERSION                     0x0300
-#define TLS1_VERSION                     0x0301
-#define TLS1_1_VERSION                   0x0302
-#define TLS1_2_VERSION                   0x0303
-#define TLS1_3_VERSION                   0x0304
-#define DTLS1_VERSION                    0xFEFF
-#define DTLS1_2_VERSION                  0xFEFD
-
 /* Used as message callback types */
 #define SSL3_RT_CHANGE_CIPHER_SPEC       20
 #define SSL3_RT_ALERT                    21

wolfssl/ssl.h

@@ -1501,7 +1501,7 @@ WOLFSSL_API int wolfSSL_CIPHER_get_digest_nid(const WOLFSSL_CIPHER* cipher);
 WOLFSSL_API int wolfSSL_CIPHER_get_kx_nid(const WOLFSSL_CIPHER* cipher);
 WOLFSSL_API int wolfSSL_CIPHER_is_aead(const WOLFSSL_CIPHER* cipher);
 WOLFSSL_API const WOLFSSL_CIPHER* wolfSSL_get_cipher_by_value(word16 value);
-WOLFSSL_API const char*  wolfSSL_SESSION_CIPHER_get_name(WOLFSSL_SESSION* session);
+WOLFSSL_API const char*  wolfSSL_SESSION_CIPHER_get_name(const WOLFSSL_SESSION* session);
 WOLFSSL_API const char*  wolfSSL_get_cipher(WOLFSSL* ssl);
 WOLFSSL_API void wolfSSL_sk_CIPHER_free(WOLF_STACK_OF(WOLFSSL_CIPHER)* sk);
 WOLFSSL_API WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl);
@@ -4436,12 +4436,13 @@ WOLFSSL_API int wolfSSL_ASN1_BIT_STRING_set_bit(
                             WOLFSSL_ASN1_BIT_STRING* str, int pos, int val);
 #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
 
+WOLFSSL_API int  wolfSSL_version(WOLFSSL* ssl);
+
 #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) \
     || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
 
 WOLFSSL_API int        wolfSSL_CTX_add_session(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* session);
 
-WOLFSSL_API int  wolfSSL_version(WOLFSSL* ssl);
 
 WOLFSSL_API int wolfSSL_get_state(const WOLFSSL* ssl);
 
@@ -4471,8 +4472,8 @@ WOLFSSL_API int wolfSSL_SESSION_set_ex_data_with_cleanup(
 WOLFSSL_API int wolfSSL_SESSION_get_ex_new_index(long idx,void* data,void* cb1,void* cb2,
         CRYPTO_free_func* cb3);
 
-WOLFSSL_API const unsigned char* wolfSSL_SESSION_get_id(WOLFSSL_SESSION* sess,
-        unsigned int* idLen);
+WOLFSSL_API const unsigned char* wolfSSL_SESSION_get_id(
+        const WOLFSSL_SESSION* sess, unsigned int* idLen);
 
 WOLFSSL_API int wolfSSL_SESSION_print(WOLFSSL_BIO* bp, const WOLFSSL_SESSION* session);
 
@@ -4901,6 +4902,17 @@ WOLFSSL_API int wolfSSL_CRYPTO_get_ex_new_index(int class_index, long argl, void
                                            WOLFSSL_CRYPTO_EX_dup* dup_func,
                                            WOLFSSL_CRYPTO_EX_free* free_func);
 #endif /* HAVE_EX_DATA || WOLFSSL_WPAS_SMALL */
+
+/*  */
+#define SSL2_VERSION                     0x0002
+#define SSL3_VERSION                     0x0300
+#define TLS1_VERSION                     0x0301
+#define TLS1_1_VERSION                   0x0302
+#define TLS1_2_VERSION                   0x0303
+#define TLS1_3_VERSION                   0x0304
+#define DTLS1_VERSION                    0xFEFF
+#define DTLS1_2_VERSION                  0xFEFD
+
 #ifdef __cplusplus
     }  /* extern "C" */
 #endif