| Brian Carlstrom | e296ea5 | 2010-04-23 15:24:16 -0700 | [diff] [blame^] | 1 | --- openssl-1.0.0.orig/ssl/ssl.h 2010-01-06 09:37:38.000000000 -0800 |
| 2 | +++ openssl-1.0.0/ssl/ssl.h 2010-05-03 01:44:52.000000000 -0700 |
| 3 | @@ -1083,6 +1090,9 @@ struct ssl_st |
| 4 | /* This can also be in the session once a session is established */ |
| 5 | SSL_SESSION *session; |
| 6 | |
| 7 | + /* This can be disabled to prevent the use of uncached sessions */ |
| 8 | + int session_creation_enabled; |
| 9 | + |
| 10 | /* Default generate session ID callback. */ |
| 11 | GEN_SESSION_CB generate_session_id; |
| 12 | |
| 13 | @@ -1559,6 +1571,7 @@ int SSL_SESSION_print(BIO *fp,const SSL_ |
| 14 | void SSL_SESSION_free(SSL_SESSION *ses); |
| 15 | int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp); |
| 16 | int SSL_set_session(SSL *to, SSL_SESSION *session); |
| 17 | +void SSL_set_session_creation_enabled(SSL *, int); |
| 18 | int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c); |
| 19 | int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c); |
| 20 | int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB); |
| 21 | @@ -2204,6 +2217,7 @@ void ERR_load_SSL_strings(void); |
| 22 | #define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345 |
| 23 | #define SSL_R_SERVERHELLO_TLSEXT 275 |
| 24 | #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277 |
| 25 | +#define SSL_R_SESSION_MAY_NOT_BE_CREATED 2000 |
| 26 | #define SSL_R_SHORT_READ 219 |
| 27 | #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 |
| 28 | #define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221 |
| 29 | --- openssl-1.0.0.orig/ssl/d1_clnt.c 2010-01-26 11:46:29.000000000 -0800 |
| 30 | +++ openssl-1.0.0/ssl/d1_clnt.c 2010-05-03 01:44:52.000000000 -0700 |
| 31 | @@ -613,6 +613,12 @@ int dtls1_client_hello(SSL *s) |
| 32 | #endif |
| 33 | (s->session->not_resumable)) |
| 34 | { |
| 35 | + if (!s->session_creation_enabled) |
| 36 | + { |
| 37 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 38 | + SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 39 | + goto err; |
| 40 | + } |
| 41 | if (!ssl_get_new_session(s,0)) |
| 42 | goto err; |
| 43 | } |
| 44 | --- openssl-1.0.0.orig/ssl/s23_clnt.c 2010-02-16 06:20:40.000000000 -0800 |
| 45 | +++ openssl-1.0.0/ssl/s23_clnt.c 2010-05-03 01:44:52.000000000 -0700 |
| 46 | @@ -687,6 +687,13 @@ static int ssl23_get_server_hello(SSL *s |
| 47 | |
| 48 | /* Since, if we are sending a ssl23 client hello, we are not |
| 49 | * reusing a session-id */ |
| 50 | + if (!s->session_creation_enabled) |
| 51 | + { |
| 52 | + if (!(s->client_version == SSL2_VERSION)) |
| 53 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 54 | + SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 55 | + goto err; |
| 56 | + } |
| 57 | if (!ssl_get_new_session(s,0)) |
| 58 | goto err; |
| 59 | |
| 60 | --- openssl-1.0.0.orig/ssl/s3_clnt.c 2010-02-27 16:24:24.000000000 -0800 |
| 61 | +++ openssl-1.0.0/ssl/s3_clnt.c 2010-05-03 01:44:52.000000000 -0700 |
| 62 | @@ -621,6 +668,12 @@ int ssl3_client_hello(SSL *s) |
| 63 | #endif |
| 64 | (sess->not_resumable)) |
| 65 | { |
| 66 | + if (!s->session_creation_enabled) |
| 67 | + { |
| 68 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 69 | + SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 70 | + goto err; |
| 71 | + } |
| 72 | if (!ssl_get_new_session(s,0)) |
| 73 | goto err; |
| 74 | } |
| 75 | @@ -829,6 +882,12 @@ int ssl3_get_server_hello(SSL *s) |
| 76 | s->hit=0; |
| 77 | if (s->session->session_id_length > 0) |
| 78 | { |
| 79 | + if (!s->session_creation_enabled) |
| 80 | + { |
| 81 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 82 | + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 83 | + goto err; |
| 84 | + } |
| 85 | if (!ssl_get_new_session(s,0)) |
| 86 | { |
| 87 | al=SSL_AD_INTERNAL_ERROR; |
| 88 | --- openssl-1.0.0.orig/ssl/s3_srvr.c 2010-02-27 15:04:10.000000000 -0800 |
| 89 | +++ openssl-1.0.0/ssl/s3_srvr.c 2010-05-03 01:44:52.000000000 -0700 |
| 90 | @@ -869,6 +869,12 @@ int ssl3_get_client_hello(SSL *s) |
| 91 | */ |
| 92 | if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) |
| 93 | { |
| 94 | + if (!s->session_creation_enabled) |
| 95 | + { |
| 96 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 97 | + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 98 | + goto err; |
| 99 | + } |
| 100 | if (!ssl_get_new_session(s,1)) |
| 101 | goto err; |
| 102 | } |
| 103 | @@ -883,6 +889,12 @@ int ssl3_get_client_hello(SSL *s) |
| 104 | goto err; |
| 105 | else /* i == 0 */ |
| 106 | { |
| 107 | + if (!s->session_creation_enabled) |
| 108 | + { |
| 109 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 110 | + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 111 | + goto err; |
| 112 | + } |
| 113 | if (!ssl_get_new_session(s,1)) |
| 114 | goto err; |
| 115 | } |
| 116 | --- openssl-1.0.0.orig/ssl/ssl_err.c 2010-01-06 09:37:38.000000000 -0800 |
| 117 | +++ openssl-1.0.0/ssl/ssl_err.c 2010-05-03 01:44:52.000000000 -0700 |
| 118 | @@ -462,6 +462,7 @@ static ERR_STRING_DATA SSL_str_reasons[] |
| 119 | {ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"}, |
| 120 | {ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) ,"serverhello tlsext"}, |
| 121 | {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"}, |
| 122 | +{ERR_REASON(SSL_R_SESSION_MAY_NOT_BE_CREATED),"session may not be created"}, |
| 123 | {ERR_REASON(SSL_R_SHORT_READ) ,"short read"}, |
| 124 | {ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"}, |
| 125 | {ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"}, |
| 126 | --- openssl-1.0.0.orig/ssl/ssl_lib.c 2010-02-17 11:43:46.000000000 -0800 |
| 127 | +++ openssl-1.0.0/ssl/ssl_lib.c 2010-05-03 01:44:52.000000000 -0700 |
| 128 | @@ -326,6 +326,7 @@ SSL *SSL_new(SSL_CTX *ctx) |
| 129 | OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); |
| 130 | memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx)); |
| 131 | s->verify_callback=ctx->default_verify_callback; |
| 132 | + s->session_creation_enabled=1; |
| 133 | s->generate_session_id=ctx->generate_session_id; |
| 134 | |
| 135 | s->param = X509_VERIFY_PARAM_new(); |
| 136 | --- openssl-1.0.0.orig/ssl/ssl_sess.c 2010-02-01 08:49:42.000000000 -0800 |
| 137 | +++ openssl-1.0.0/ssl/ssl_sess.c 2010-05-03 01:44:52.000000000 -0700 |
| 138 | @@ -261,6 +261,11 @@ static int def_generate_session_id(const |
| 139 | return 0; |
| 140 | } |
| 141 | |
| 142 | +void SSL_set_session_creation_enabled (SSL *s, int creation_enabled) |
| 143 | + { |
| 144 | + s->session_creation_enabled = creation_enabled; |
| 145 | + } |
| 146 | + |
| 147 | int ssl_get_new_session(SSL *s, int session) |
| 148 | { |
| 149 | /* This gets used by clients and servers. */ |
| 150 | @@ -269,6 +274,8 @@ int ssl_get_new_session(SSL *s, int sess |
| 151 | SSL_SESSION *ss=NULL; |
| 152 | GEN_SESSION_CB cb = def_generate_session_id; |
| 153 | |
| 154 | + /* caller should check this if they can do better error handling */ |
| 155 | + if (!s->session_creation_enabled) return(0); |
| 156 | if ((ss=SSL_SESSION_new()) == NULL) return(0); |
| 157 | |
| 158 | /* If the context has a default timeout, use it */ |