Kinson Chik | a8fa74c | 2011-07-29 11:33:41 -0700 | [diff] [blame^] | 1 | --- openssl-1.0.0.orig/ssl/ssl.h 2010-07-13 22:24:27.000000000 +0000 |
| 2 | +++ openssl-1.0.0/ssl/ssl.h 2010-07-13 22:24:27.000000000 +0000 |
| 3 | @@ -1090,6 +1090,9 @@ struct ssl_st |
| 4 | /* This can also be in the session once a session is established */ |
| 5 | SSL_SESSION *session; |
| 6 | |
| 7 | + /* This can be disabled to prevent the use of uncached sessions */ |
| 8 | + int session_creation_enabled; |
| 9 | + |
| 10 | /* Default generate session ID callback. */ |
| 11 | GEN_SESSION_CB generate_session_id; |
| 12 | |
| 13 | @@ -1509,6 +1512,7 @@ BIO * SSL_get_rbio(const SSL *s); |
| 14 | BIO * SSL_get_wbio(const SSL *s); |
| 15 | #endif |
| 16 | int SSL_set_cipher_list(SSL *s, const char *str); |
| 17 | +int SSL_set_cipher_lists(SSL *s, STACK_OF(SSL_CIPHER) *sk); |
| 18 | void SSL_set_read_ahead(SSL *s, int yes); |
| 19 | int SSL_get_verify_mode(const SSL *s); |
| 20 | int SSL_get_verify_depth(const SSL *s); |
| 21 | @@ -1524,6 +1528,8 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKE |
| 22 | int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, const unsigned char *d, long len); |
| 23 | int SSL_use_certificate(SSL *ssl, X509 *x); |
| 24 | int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len); |
| 25 | +int SSL_use_certificate_chain(SSL *ssl, STACK_OF(X509) *cert_chain); |
| 26 | +STACK_OF(X509) * SSL_get_certificate_chain(SSL *ssl, X509 *x); |
| 27 | |
| 28 | #ifndef OPENSSL_NO_STDIO |
| 29 | int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type); |
| 30 | @@ -1568,6 +1574,7 @@ int SSL_SESSION_print(BIO *fp,const SSL_ |
| 31 | void SSL_SESSION_free(SSL_SESSION *ses); |
| 32 | int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp); |
| 33 | int SSL_set_session(SSL *to, SSL_SESSION *session); |
| 34 | +void SSL_set_session_creation_enabled(SSL *, int); |
| 35 | int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c); |
| 36 | int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c); |
| 37 | int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB); |
| 38 | @@ -2009,6 +2016,7 @@ void ERR_load_SSL_strings(void); |
| 39 | #define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244 |
| 40 | #define SSL_F_SSL_USE_CERTIFICATE 198 |
| 41 | #define SSL_F_SSL_USE_CERTIFICATE_ASN1 199 |
| 42 | +#define SSL_F_SSL_USE_CERTIFICATE_CHAIN 2000 |
| 43 | #define SSL_F_SSL_USE_CERTIFICATE_FILE 200 |
| 44 | #define SSL_F_SSL_USE_PRIVATEKEY 201 |
| 45 | #define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202 |
| 46 | @@ -2213,6 +2221,7 @@ void ERR_load_SSL_strings(void); |
| 47 | #define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345 |
| 48 | #define SSL_R_SERVERHELLO_TLSEXT 275 |
| 49 | #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277 |
| 50 | +#define SSL_R_SESSION_MAY_NOT_BE_CREATED 2000 |
| 51 | #define SSL_R_SHORT_READ 219 |
| 52 | #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 |
| 53 | #define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221 |
| 54 | --- openssl-1.0.0.orig/ssl/d1_clnt.c 2010-01-26 19:46:29.000000000 +0000 |
| 55 | +++ openssl-1.0.0/ssl/d1_clnt.c 2010-07-13 22:24:27.000000000 +0000 |
| 56 | @@ -613,6 +613,12 @@ int dtls1_client_hello(SSL *s) |
| 57 | #endif |
| 58 | (s->session->not_resumable)) |
| 59 | { |
| 60 | + if (!s->session_creation_enabled) |
| 61 | + { |
| 62 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 63 | + SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 64 | + goto err; |
| 65 | + } |
| 66 | if (!ssl_get_new_session(s,0)) |
| 67 | goto err; |
| 68 | } |
| 69 | --- openssl-1.0.0.orig/ssl/s23_clnt.c 2010-02-16 14:20:40.000000000 +0000 |
| 70 | +++ openssl-1.0.0/ssl/s23_clnt.c 2010-07-13 22:24:27.000000000 +0000 |
| 71 | @@ -687,6 +687,13 @@ static int ssl23_get_server_hello(SSL *s |
| 72 | |
| 73 | /* Since, if we are sending a ssl23 client hello, we are not |
| 74 | * reusing a session-id */ |
| 75 | + if (!s->session_creation_enabled) |
| 76 | + { |
| 77 | + if (!(s->client_version == SSL2_VERSION)) |
| 78 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 79 | + SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 80 | + goto err; |
| 81 | + } |
| 82 | if (!ssl_get_new_session(s,0)) |
| 83 | goto err; |
| 84 | |
| 85 | --- openssl-1.0.0.orig/ssl/s3_both.c 2010-07-13 22:24:27.000000000 +0000 |
| 86 | +++ openssl-1.0.0/ssl/s3_both.c 2010-07-13 22:24:27.000000000 +0000 |
| 87 | @@ -322,8 +322,11 @@ unsigned long ssl3_output_cert_chain(SSL |
| 88 | unsigned long l=7; |
| 89 | BUF_MEM *buf; |
| 90 | int no_chain; |
| 91 | + STACK_OF(X509) *cert_chain; |
| 92 | |
| 93 | - if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) |
| 94 | + cert_chain = SSL_get_certificate_chain(s, x); |
| 95 | + |
| 96 | + if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs || cert_chain) |
| 97 | no_chain = 1; |
| 98 | else |
| 99 | no_chain = 0; |
| 100 | @@ -375,6 +378,10 @@ unsigned long ssl3_output_cert_chain(SSL |
| 101 | return(0); |
| 102 | } |
| 103 | |
| 104 | + for (i=0; i<sk_X509_num(cert_chain); i++) |
| 105 | + if (ssl3_add_cert_to_buf(buf, &l, sk_X509_value(cert_chain,i))) |
| 106 | + return(0); |
| 107 | + |
| 108 | l-=7; |
| 109 | p=(unsigned char *)&(buf->data[4]); |
| 110 | l2n3(l,p); |
| 111 | --- openssl-1.0.0.orig/ssl/s3_clnt.c 2010-07-13 22:24:27.000000000 +0000 |
| 112 | +++ openssl-1.0.0/ssl/s3_clnt.c 2010-07-13 22:24:27.000000000 +0000 |
| 113 | @@ -668,6 +668,12 @@ int ssl3_client_hello(SSL *s) |
| 114 | #endif |
| 115 | (sess->not_resumable)) |
| 116 | { |
| 117 | + if (!s->session_creation_enabled) |
| 118 | + { |
| 119 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 120 | + SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 121 | + goto err; |
| 122 | + } |
| 123 | if (!ssl_get_new_session(s,0)) |
| 124 | goto err; |
| 125 | } |
| 126 | @@ -876,6 +882,12 @@ int ssl3_get_server_hello(SSL *s) |
| 127 | s->hit=0; |
| 128 | if (s->session->session_id_length > 0) |
| 129 | { |
| 130 | + if (!s->session_creation_enabled) |
| 131 | + { |
| 132 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 133 | + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 134 | + goto err; |
| 135 | + } |
| 136 | if (!ssl_get_new_session(s,0)) |
| 137 | { |
| 138 | al=SSL_AD_INTERNAL_ERROR; |
| 139 | --- openssl-1.0.0.orig/ssl/s3_srvr.c 2010-02-27 23:04:10.000000000 +0000 |
| 140 | +++ openssl-1.0.0/ssl/s3_srvr.c 2010-07-13 22:24:27.000000000 +0000 |
| 141 | @@ -869,6 +869,12 @@ int ssl3_get_client_hello(SSL *s) |
| 142 | */ |
| 143 | if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) |
| 144 | { |
| 145 | + if (!s->session_creation_enabled) |
| 146 | + { |
| 147 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 148 | + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 149 | + goto err; |
| 150 | + } |
| 151 | if (!ssl_get_new_session(s,1)) |
| 152 | goto err; |
| 153 | } |
| 154 | @@ -883,6 +889,12 @@ int ssl3_get_client_hello(SSL *s) |
| 155 | goto err; |
| 156 | else /* i == 0 */ |
| 157 | { |
| 158 | + if (!s->session_creation_enabled) |
| 159 | + { |
| 160 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 161 | + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 162 | + goto err; |
| 163 | + } |
| 164 | if (!ssl_get_new_session(s,1)) |
| 165 | goto err; |
| 166 | } |
| 167 | --- openssl-1.0.0.orig/ssl/ssl_err.c 2010-01-06 17:37:38.000000000 +0000 |
| 168 | +++ openssl-1.0.0/ssl/ssl_err.c 2010-07-13 22:24:27.000000000 +0000 |
| 169 | @@ -462,6 +462,7 @@ static ERR_STRING_DATA SSL_str_reasons[] |
| 170 | {ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"}, |
| 171 | {ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) ,"serverhello tlsext"}, |
| 172 | {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"}, |
| 173 | +{ERR_REASON(SSL_R_SESSION_MAY_NOT_BE_CREATED),"session may not be created"}, |
| 174 | {ERR_REASON(SSL_R_SHORT_READ) ,"short read"}, |
| 175 | {ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"}, |
| 176 | {ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"}, |
| 177 | --- openssl-1.0.0.orig/ssl/ssl_lib.c 2010-07-13 22:24:27.000000000 +0000 |
| 178 | +++ openssl-1.0.0/ssl/ssl_lib.c 2010-07-13 22:24:27.000000000 +0000 |
| 179 | @@ -326,6 +326,7 @@ SSL *SSL_new(SSL_CTX *ctx) |
| 180 | OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); |
| 181 | memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx)); |
| 182 | s->verify_callback=ctx->default_verify_callback; |
| 183 | + s->session_creation_enabled=1; |
| 184 | s->generate_session_id=ctx->generate_session_id; |
| 185 | |
| 186 | s->param = X509_VERIFY_PARAM_new(); |
| 187 | @@ -1303,6 +1304,32 @@ int SSL_set_cipher_list(SSL *s,const cha |
| 188 | return 1; |
| 189 | } |
| 190 | |
| 191 | +/** specify the ciphers to be used by the SSL */ |
| 192 | +int SSL_set_cipher_lists(SSL *s,STACK_OF(SSL_CIPHER) *sk) |
| 193 | + { |
| 194 | + STACK_OF(SSL_CIPHER) *tmp_cipher_list; |
| 195 | + |
| 196 | + if (sk == NULL) |
| 197 | + return 0; |
| 198 | + |
| 199 | + /* Based on end of ssl_create_cipher_list */ |
| 200 | + tmp_cipher_list = sk_SSL_CIPHER_dup(sk); |
| 201 | + if (tmp_cipher_list == NULL) |
| 202 | + { |
| 203 | + return 0; |
| 204 | + } |
| 205 | + if (s->cipher_list != NULL) |
| 206 | + sk_SSL_CIPHER_free(s->cipher_list); |
| 207 | + s->cipher_list = sk; |
| 208 | + if (s->cipher_list_by_id != NULL) |
| 209 | + sk_SSL_CIPHER_free(s->cipher_list_by_id); |
| 210 | + s->cipher_list_by_id = tmp_cipher_list; |
| 211 | + (void)sk_SSL_CIPHER_set_cmp_func(s->cipher_list_by_id,ssl_cipher_ptr_id_cmp); |
| 212 | + |
| 213 | + sk_SSL_CIPHER_sort(s->cipher_list_by_id); |
| 214 | + return 1; |
| 215 | + } |
| 216 | + |
| 217 | /* works well for SSLv2, not so good for SSLv3 */ |
| 218 | char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) |
| 219 | { |
| 220 | --- openssl-1.0.0.orig/ssl/ssl_locl.h 2009-12-08 11:38:18.000000000 +0000 |
| 221 | +++ openssl-1.0.0/ssl/ssl_locl.h 2010-07-13 22:24:27.000000000 +0000 |
| 222 | @@ -456,6 +456,7 @@ |
| 223 | typedef struct cert_pkey_st |
| 224 | { |
| 225 | X509 *x509; |
| 226 | + STACK_OF(X509) *cert_chain; |
| 227 | EVP_PKEY *privatekey; |
| 228 | } CERT_PKEY; |
| 229 | |
| 230 | --- openssl-1.0.0.orig/ssl/ssl_rsa.c 2009-09-12 23:09:26.000000000 +0000 |
| 231 | +++ openssl-1.0.0/ssl/ssl_rsa.c 2010-07-13 22:24:27.000000000 +0000 |
| 232 | @@ -697,6 +697,42 @@ int SSL_CTX_use_PrivateKey_ASN1(int type |
| 233 | } |
| 234 | |
| 235 | |
| 236 | +int SSL_use_certificate_chain(SSL *ssl, STACK_OF(X509) *cert_chain) |
| 237 | + { |
| 238 | + if (ssl == NULL) |
| 239 | + { |
| 240 | + SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,ERR_R_PASSED_NULL_PARAMETER); |
| 241 | + return(0); |
| 242 | + } |
| 243 | + if (ssl->cert == NULL) |
| 244 | + { |
| 245 | + SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,SSL_R_NO_CERTIFICATE_ASSIGNED); |
| 246 | + return(0); |
| 247 | + } |
| 248 | + if (ssl->cert->key == NULL) |
| 249 | + { |
| 250 | + SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,SSL_R_NO_CERTIFICATE_ASSIGNED); |
| 251 | + return(0); |
| 252 | + } |
| 253 | + ssl->cert->key->cert_chain = cert_chain; |
| 254 | + return(1); |
| 255 | + } |
| 256 | + |
| 257 | +STACK_OF(X509) *SSL_get_certificate_chain(SSL *ssl, X509 *x) |
| 258 | + { |
| 259 | + int i; |
| 260 | + if (x == NULL) |
| 261 | + return NULL; |
| 262 | + if (ssl == NULL) |
| 263 | + return NULL; |
| 264 | + if (ssl->cert == NULL) |
| 265 | + return NULL; |
| 266 | + for (i = 0; i < SSL_PKEY_NUM; i++) |
| 267 | + if (ssl->cert->pkeys[i].x509 == x) |
| 268 | + return ssl->cert->pkeys[i].cert_chain; |
| 269 | + return NULL; |
| 270 | + } |
| 271 | + |
| 272 | #ifndef OPENSSL_NO_STDIO |
| 273 | /* Read a file that contains our certificate in "PEM" format, |
| 274 | * possibly followed by a sequence of CA certificates that should be |
| 275 | --- openssl-1.0.0.orig/ssl/ssl_sess.c 2010-02-01 16:49:42.000000000 +0000 |
| 276 | +++ openssl-1.0.0/ssl/ssl_sess.c 2010-07-13 22:24:27.000000000 +0000 |
| 277 | @@ -261,6 +261,11 @@ static int def_generate_session_id(const |
| 278 | return 0; |
| 279 | } |
| 280 | |
| 281 | +void SSL_set_session_creation_enabled (SSL *s, int creation_enabled) |
| 282 | + { |
| 283 | + s->session_creation_enabled = creation_enabled; |
| 284 | + } |
| 285 | + |
| 286 | int ssl_get_new_session(SSL *s, int session) |
| 287 | { |
| 288 | /* This gets used by clients and servers. */ |
| 289 | @@ -269,6 +274,8 @@ int ssl_get_new_session(SSL *s, int sess |
| 290 | SSL_SESSION *ss=NULL; |
| 291 | GEN_SESSION_CB cb = def_generate_session_id; |
| 292 | |
| 293 | + /* caller should check this if they can do better error handling */ |
| 294 | + if (!s->session_creation_enabled) return(0); |
| 295 | if ((ss=SSL_SESSION_new()) == NULL) return(0); |
| 296 | |
| 297 | /* If the context has a default timeout, use it */ |