OLD | NEW |
| (Empty) |
1 --- openssl-1.0.0b.orig/ssl/ssl.h 2010-11-30 00:03:46.000000000 +0000 | |
2 +++ openssl-1.0.0b/ssl/ssl.h 2010-11-30 00:03:47.000000000 +0000 | |
3 @@ -1133,6 +1133,9 @@ struct ssl_st | |
4 /* This can also be in the session once a session is established */ | |
5 SSL_SESSION *session; | |
6 | |
7 + /* This can be disabled to prevent the use of uncached sessions */ | |
8 + int session_creation_enabled; | |
9 + | |
10 /* Default generate session ID callback. */ | |
11 GEN_SESSION_CB generate_session_id; | |
12 | |
13 @@ -1554,6 +1558,7 @@ const char * SSL_get_cipher_list(const | |
14 char * SSL_get_shared_ciphers(const SSL *s, char *buf, int len); | |
15 int SSL_get_read_ahead(const SSL * s); | |
16 int SSL_pending(const SSL *s); | |
17 +const char * SSL_authentication_method(const SSL *c); | |
18 #ifndef OPENSSL_NO_SOCK | |
19 int SSL_set_fd(SSL *s, int fd); | |
20 int SSL_set_rfd(SSL *s, int fd); | |
21 @@ -1565,6 +1570,7 @@ BIO * SSL_get_rbio(const SSL *s); | |
22 BIO * SSL_get_wbio(const SSL *s); | |
23 #endif | |
24 int SSL_set_cipher_list(SSL *s, const char *str); | |
25 +int SSL_set_cipher_lists(SSL *s, STACK_OF(SSL_CIPHER) *sk); | |
26 void SSL_set_read_ahead(SSL *s, int yes); | |
27 int SSL_get_verify_mode(const SSL *s); | |
28 int SSL_get_verify_depth(const SSL *s); | |
29 @@ -1580,6 +1586,8 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKE | |
30 int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, const unsigned char *d, long le
n); | |
31 int SSL_use_certificate(SSL *ssl, X509 *x); | |
32 int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len); | |
33 +int SSL_use_certificate_chain(SSL *ssl, STACK_OF(X509) *cert_chain); | |
34 +STACK_OF(X509) * SSL_get_certificate_chain(SSL *ssl, X509 *x); | |
35 | |
36 #ifndef OPENSSL_NO_STDIO | |
37 int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type); | |
38 @@ -1615,6 +1623,7 @@ void SSL_copy_session_id(SSL *to,const S | |
39 SSL_SESSION *SSL_SESSION_new(void); | |
40 const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, | |
41 unsigned int *len); | |
42 +const char * SSL_SESSION_get_version(const SSL_SESSION *s); | |
43 unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s); | |
44 #ifndef OPENSSL_NO_FP_API | |
45 int SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses); | |
46 @@ -1624,6 +1633,7 @@ int SSL_SESSION_print(BIO *fp,const SSL_ | |
47 void SSL_SESSION_free(SSL_SESSION *ses); | |
48 int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp); | |
49 int SSL_set_session(SSL *to, SSL_SESSION *session); | |
50 +void SSL_set_session_creation_enabled(SSL *, int); | |
51 int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c); | |
52 int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c); | |
53 int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB); | |
54 @@ -2066,6 +2076,7 @@ void ERR_load_SSL_strings(void); | |
55 #define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244 | |
56 #define SSL_F_SSL_USE_CERTIFICATE 198 | |
57 #define SSL_F_SSL_USE_CERTIFICATE_ASN1 199 | |
58 +#define SSL_F_SSL_USE_CERTIFICATE_CHAIN 2000 | |
59 #define SSL_F_SSL_USE_CERTIFICATE_FILE 200 | |
60 #define SSL_F_SSL_USE_PRIVATEKEY 201 | |
61 #define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202 | |
62 @@ -2272,6 +2283,7 @@ void ERR_load_SSL_strings(void); | |
63 #define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345 | |
64 #define SSL_R_SERVERHELLO_TLSEXT 275 | |
65 #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277 | |
66 +#define SSL_R_SESSION_MAY_NOT_BE_CREATED 2000 | |
67 #define SSL_R_SHORT_READ 219 | |
68 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 | |
69 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221 | |
70 --- openssl-1.0.0b.orig/ssl/d1_clnt.c 2010-01-26 19:46:29.000000000 +0000 | |
71 +++ openssl-1.0.0b/ssl/d1_clnt.c 2010-11-30 00:03:47.000000000 +0000 | |
72 @@ -613,6 +613,12 @@ int dtls1_client_hello(SSL *s) | |
73 #endif | |
74 (s->session->not_resumable)) | |
75 { | |
76 + if (!s->session_creation_enabled) | |
77 + { | |
78 + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE
_FAILURE); | |
79 + SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_SESSION_MA
Y_NOT_BE_CREATED); | |
80 + goto err; | |
81 + } | |
82 if (!ssl_get_new_session(s,0)) | |
83 goto err; | |
84 } | |
85 --- openssl-1.0.0b.orig/ssl/s23_clnt.c 2010-02-16 14:20:40.000000000 +0000 | |
86 +++ openssl-1.0.0b/ssl/s23_clnt.c 2010-11-30 00:03:47.000000000 +0000 | |
87 @@ -687,6 +687,13 @@ static int ssl23_get_server_hello(SSL *s | |
88 | |
89 /* Since, if we are sending a ssl23 client hello, we are not | |
90 * reusing a session-id */ | |
91 + if (!s->session_creation_enabled) | |
92 + { | |
93 + if (!(s->client_version == SSL2_VERSION)) | |
94 + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE
); | |
95 + SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CRE
ATED); | |
96 + goto err; | |
97 + } | |
98 if (!ssl_get_new_session(s,0)) | |
99 goto err; | |
100 | |
101 --- openssl-1.0.0b.orig/ssl/s3_both.c 2010-11-30 00:03:46.000000000 +0000 | |
102 +++ openssl-1.0.0b/ssl/s3_both.c 2010-11-30 00:03:47.000000000 +0000 | |
103 @@ -347,8 +347,11 @@ unsigned long ssl3_output_cert_chain(SSL | |
104 unsigned long l=7; | |
105 BUF_MEM *buf; | |
106 int no_chain; | |
107 + STACK_OF(X509) *cert_chain; | |
108 | |
109 - if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) | |
110 + cert_chain = SSL_get_certificate_chain(s, x); | |
111 + | |
112 + if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs || cert_ch
ain) | |
113 no_chain = 1; | |
114 else | |
115 no_chain = 0; | |
116 @@ -400,6 +403,10 @@ unsigned long ssl3_output_cert_chain(SSL | |
117 return(0); | |
118 } | |
119 | |
120 + for (i=0; i<sk_X509_num(cert_chain); i++) | |
121 + if (ssl3_add_cert_to_buf(buf, &l, sk_X509_value(cert_chain,i))) | |
122 + return(0); | |
123 + | |
124 l-=7; | |
125 p=(unsigned char *)&(buf->data[4]); | |
126 l2n3(l,p); | |
127 --- openssl-1.0.0b.orig/ssl/s3_clnt.c 2010-11-30 00:03:46.000000000 +0000 | |
128 +++ openssl-1.0.0b/ssl/s3_clnt.c 2010-11-30 00:03:47.000000000 +0000 | |
129 @@ -686,6 +686,12 @@ int ssl3_client_hello(SSL *s) | |
130 #endif | |
131 (sess->not_resumable)) | |
132 { | |
133 + if (!s->session_creation_enabled) | |
134 + { | |
135 + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE
_FAILURE); | |
136 + SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_SESSION_MAY
_NOT_BE_CREATED); | |
137 + goto err; | |
138 + } | |
139 if (!ssl_get_new_session(s,0)) | |
140 goto err; | |
141 } | |
142 @@ -894,6 +900,12 @@ int ssl3_get_server_hello(SSL *s) | |
143 s->hit=0; | |
144 if (s->session->session_id_length > 0) | |
145 { | |
146 + if (!s->session_creation_enabled) | |
147 + { | |
148 + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE
_FAILURE); | |
149 + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SESSION
_MAY_NOT_BE_CREATED); | |
150 + goto err; | |
151 + } | |
152 if (!ssl_get_new_session(s,0)) | |
153 { | |
154 al=SSL_AD_INTERNAL_ERROR; | |
155 --- openssl-1.0.0b.orig/ssl/s3_srvr.c 2010-11-30 00:03:46.000000000 +0000 | |
156 +++ openssl-1.0.0b/ssl/s3_srvr.c 2010-11-30 00:03:47.000000000 +0000 | |
157 @@ -902,6 +902,12 @@ int ssl3_get_client_hello(SSL *s) | |
158 */ | |
159 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_REN
EGOTIATION))) | |
160 { | |
161 + if (!s->session_creation_enabled) | |
162 + { | |
163 + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE
); | |
164 + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT
_BE_CREATED); | |
165 + goto err; | |
166 + } | |
167 if (!ssl_get_new_session(s,1)) | |
168 goto err; | |
169 } | |
170 @@ -916,6 +922,12 @@ int ssl3_get_client_hello(SSL *s) | |
171 goto err; | |
172 else /* i == 0 */ | |
173 { | |
174 + if (!s->session_creation_enabled) | |
175 + { | |
176 + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE
_FAILURE); | |
177 + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION
_MAY_NOT_BE_CREATED); | |
178 + goto err; | |
179 + } | |
180 if (!ssl_get_new_session(s,1)) | |
181 goto err; | |
182 } | |
183 --- openssl-1.0.0b.orig/ssl/ssl_ciph.c 2010-06-15 17:25:14.000000000 +0000 | |
184 +++ openssl-1.0.0b/ssl/ssl_ciph.c 2010-11-30 00:03:47.000000000 +0000 | |
185 @@ -1652,6 +1652,52 @@ int SSL_CIPHER_get_bits(const SSL_CIPHER | |
186 return(ret); | |
187 } | |
188 | |
189 +/* return string version of key exchange algorithm */ | |
190 +const char* SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher) | |
191 + { | |
192 + switch (cipher->algorithm_mkey) | |
193 + { | |
194 + case SSL_kRSA: | |
195 + return SSL_TXT_RSA; | |
196 + case SSL_kDHr: | |
197 + return SSL_TXT_DH "_" SSL_TXT_RSA; | |
198 + case SSL_kDHd: | |
199 + return SSL_TXT_DH "_" SSL_TXT_DSS; | |
200 + case SSL_kEDH: | |
201 + switch (cipher->algorithm_auth) | |
202 + { | |
203 + case SSL_aDSS: | |
204 + return "DHE_" SSL_TXT_DSS; | |
205 + case SSL_aRSA: | |
206 + return "DHE_" SSL_TXT_RSA; | |
207 + case SSL_aNULL: | |
208 + return SSL_TXT_DH "_anon"; | |
209 + default: | |
210 + return "UNKNOWN"; | |
211 + } | |
212 + case SSL_kKRB5: | |
213 + return SSL_TXT_KRB5; | |
214 + case SSL_kECDHr: | |
215 + return SSL_TXT_ECDH "_" SSL_TXT_RSA; | |
216 + case SSL_kECDHe: | |
217 + return SSL_TXT_ECDH "_" SSL_TXT_ECDSA; | |
218 + case SSL_kEECDH: | |
219 + switch (cipher->algorithm_auth) | |
220 + { | |
221 + case SSL_aECDSA: | |
222 + return "ECDHE_" SSL_TXT_ECDSA; | |
223 + case SSL_aRSA: | |
224 + return "ECDHE_" SSL_TXT_RSA; | |
225 + case SSL_aNULL: | |
226 + return SSL_TXT_ECDH "_anon"; | |
227 + default: | |
228 + return "UNKNOWN"; | |
229 + } | |
230 + default: | |
231 + return "UNKNOWN"; | |
232 + } | |
233 + } | |
234 + | |
235 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) | |
236 { | |
237 SSL_COMP *ctmp; | |
238 --- openssl-1.0.0b.orig/ssl/ssl_err.c 2010-11-30 00:03:46.000000000 +0000 | |
239 +++ openssl-1.0.0b/ssl/ssl_err.c 2010-11-30 00:03:47.000000000 +0000 | |
240 @@ -465,6 +465,7 @@ static ERR_STRING_DATA SSL_str_reasons[] | |
241 {ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegot
iating"}, | |
242 {ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) ,"serverhello tlsext"}, | |
243 {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uniniti
alized"}, | |
244 +{ERR_REASON(SSL_R_SESSION_MAY_NOT_BE_CREATED),"session may not be created"}, | |
245 {ERR_REASON(SSL_R_SHORT_READ) ,"short read"}, | |
246 {ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non sig
ning certificate"}, | |
247 {ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"}
, | |
248 --- openssl-1.0.0b.orig/ssl/ssl_lib.c 2010-11-30 00:03:46.000000000 +0000 | |
249 +++ openssl-1.0.0b/ssl/ssl_lib.c 2010-11-30 00:03:47.000000000 +0000 | |
250 @@ -326,6 +326,7 @@ SSL *SSL_new(SSL_CTX *ctx) | |
251 OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); | |
252 memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx)); | |
253 s->verify_callback=ctx->default_verify_callback; | |
254 + s->session_creation_enabled=1; | |
255 s->generate_session_id=ctx->generate_session_id; | |
256 | |
257 s->param = X509_VERIFY_PARAM_new(); | |
258 @@ -1311,6 +1312,32 @@ int SSL_set_cipher_list(SSL *s,const cha | |
259 return 1; | |
260 } | |
261 | |
262 +/** specify the ciphers to be used by the SSL */ | |
263 +int SSL_set_cipher_lists(SSL *s,STACK_OF(SSL_CIPHER) *sk) | |
264 + { | |
265 + STACK_OF(SSL_CIPHER) *tmp_cipher_list; | |
266 + | |
267 + if (sk == NULL) | |
268 + return 0; | |
269 + | |
270 + /* Based on end of ssl_create_cipher_list */ | |
271 + tmp_cipher_list = sk_SSL_CIPHER_dup(sk); | |
272 + if (tmp_cipher_list == NULL) | |
273 + { | |
274 + return 0; | |
275 + } | |
276 + if (s->cipher_list != NULL) | |
277 + sk_SSL_CIPHER_free(s->cipher_list); | |
278 + s->cipher_list = sk; | |
279 + if (s->cipher_list_by_id != NULL) | |
280 + sk_SSL_CIPHER_free(s->cipher_list_by_id); | |
281 + s->cipher_list_by_id = tmp_cipher_list; | |
282 + (void)sk_SSL_CIPHER_set_cmp_func(s->cipher_list_by_id,ssl_cipher_ptr_id_
cmp); | |
283 + | |
284 + sk_SSL_CIPHER_sort(s->cipher_list_by_id); | |
285 + return 1; | |
286 + } | |
287 + | |
288 /* works well for SSLv2, not so good for SSLv3 */ | |
289 char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) | |
290 { | |
291 @@ -2551,22 +2578,45 @@ SSL_METHOD *ssl_bad_method(int ver) | |
292 return(NULL); | |
293 } | |
294 | |
295 -const char *SSL_get_version(const SSL *s) | |
296 +static const char *ssl_get_version(int version) | |
297 { | |
298 - if (s->version == TLS1_2_VERSION) | |
299 + if (version == TLS1_2_VERSION) | |
300 return("TLSv1.2"); | |
301 - else if (s->version == TLS1_1_VERSION) | |
302 + else if (version == TLS1_1_VERSION) | |
303 return("TLSv1.1"); | |
304 - else if (s->version == TLS1_VERSION) | |
305 + else if (version == TLS1_VERSION) | |
306 return("TLSv1"); | |
307 - else if (s->version == SSL3_VERSION) | |
308 + else if (version == SSL3_VERSION) | |
309 return("SSLv3"); | |
310 - else if (s->version == SSL2_VERSION) | |
311 + else if (version == SSL2_VERSION) | |
312 return("SSLv2"); | |
313 else | |
314 return("unknown"); | |
315 } | |
316 | |
317 +const char *SSL_get_version(const SSL *s) | |
318 + { | |
319 + return ssl_get_version(s->version); | |
320 + } | |
321 + | |
322 +const char *SSL_SESSION_get_version(const SSL_SESSION *s) | |
323 + { | |
324 + return ssl_get_version(s->ssl_version); | |
325 + } | |
326 + | |
327 +const char* SSL_authentication_method(const SSL* ssl) | |
328 + { | |
329 + if (ssl->cert != NULL && ssl->cert->rsa_tmp != NULL) | |
330 + return SSL_TXT_RSA "_" SSL_TXT_EXPORT; | |
331 + switch (ssl->version) | |
332 + { | |
333 + case SSL2_VERSION: | |
334 + return SSL_TXT_RSA; | |
335 + default: | |
336 + return SSL_CIPHER_authentication_method(ssl->s3->tmp.new_cipher)
; | |
337 + } | |
338 + } | |
339 + | |
340 SSL *SSL_dup(SSL *s) | |
341 { | |
342 STACK_OF(X509_NAME) *sk; | |
343 --- openssl-1.0.0b.orig/ssl/ssl_locl.h 2010-11-30 00:03:46.000000000 +0000 | |
344 +++ openssl-1.0.0b/ssl/ssl_locl.h 2010-11-30 00:03:47.000000000 +0000 | |
345 @@ -456,6 +456,7 @@ | |
346 typedef struct cert_pkey_st | |
347 { | |
348 X509 *x509; | |
349 + STACK_OF(X509) *cert_chain; | |
350 EVP_PKEY *privatekey; | |
351 } CERT_PKEY; | |
352 | |
353 --- openssl-1.0.0b.orig/ssl/ssl_rsa.c 2009-09-12 23:09:26.000000000 +0000 | |
354 +++ openssl-1.0.0b/ssl/ssl_rsa.c 2010-11-30 00:03:47.000000000 +0000 | |
355 @@ -697,6 +697,42 @@ int SSL_CTX_use_PrivateKey_ASN1(int type | |
356 } | |
357 | |
358 | |
359 +int SSL_use_certificate_chain(SSL *ssl, STACK_OF(X509) *cert_chain) | |
360 + { | |
361 + if (ssl == NULL) | |
362 + { | |
363 + SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,ERR_R_PASSED_NULL_PARAMET
ER); | |
364 + return(0); | |
365 + } | |
366 + if (ssl->cert == NULL) | |
367 + { | |
368 + SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,SSL_R_NO_CERTIFICATE_ASSI
GNED); | |
369 + return(0); | |
370 + } | |
371 + if (ssl->cert->key == NULL) | |
372 + { | |
373 + SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,SSL_R_NO_CERTIFICATE_ASSI
GNED); | |
374 + return(0); | |
375 + } | |
376 + ssl->cert->key->cert_chain = cert_chain; | |
377 + return(1); | |
378 + } | |
379 + | |
380 +STACK_OF(X509) *SSL_get_certificate_chain(SSL *ssl, X509 *x) | |
381 + { | |
382 + int i; | |
383 + if (x == NULL) | |
384 + return NULL; | |
385 + if (ssl == NULL) | |
386 + return NULL; | |
387 + if (ssl->cert == NULL) | |
388 + return NULL; | |
389 + for (i = 0; i < SSL_PKEY_NUM; i++) | |
390 + if (ssl->cert->pkeys[i].x509 == x) | |
391 + return ssl->cert->pkeys[i].cert_chain; | |
392 + return NULL; | |
393 + } | |
394 + | |
395 #ifndef OPENSSL_NO_STDIO | |
396 /* Read a file that contains our certificate in "PEM" format, | |
397 * possibly followed by a sequence of CA certificates that should be | |
398 --- openssl-1.0.0b.orig/ssl/ssl_sess.c 2010-02-01 16:49:42.000000000 +0000 | |
399 +++ openssl-1.0.0b/ssl/ssl_sess.c 2010-11-30 00:03:47.000000000 +0000 | |
400 @@ -261,6 +261,11 @@ static int def_generate_session_id(const | |
401 return 0; | |
402 } | |
403 | |
404 +void SSL_set_session_creation_enabled (SSL *s, int creation_enabled) | |
405 + { | |
406 + s->session_creation_enabled = creation_enabled; | |
407 + } | |
408 + | |
409 int ssl_get_new_session(SSL *s, int session) | |
410 { | |
411 /* This gets used by clients and servers. */ | |
412 @@ -269,6 +274,8 @@ int ssl_get_new_session(SSL *s, int sess | |
413 SSL_SESSION *ss=NULL; | |
414 GEN_SESSION_CB cb = def_generate_session_id; | |
415 | |
416 + /* caller should check this if they can do better error handling */ | |
417 + if (!s->session_creation_enabled) return(0); | |
418 if ((ss=SSL_SESSION_new()) == NULL) return(0); | |
419 | |
420 /* If the context has a default timeout, use it */ | |
OLD | NEW |