1 --- openssl-1.0.0b.orig/ssl/ssl.h 2010-11-30 00:03:46.000000000 +0000 2 +++ openssl-1.0.0b/ssl/ssl.h 2010-11-30 00:03:47.000000000 +0000 3 @@ -1133,6 +1133,9 @@ struct ssl_st 4 /* This can also be in the session once a session is established */ 5 SSL_SESSION *session; 6 7 + /* This can be disabled to prevent the use of uncached sessions */ 8 + int session_creation_enabled; 9 + 10 /* Default generate session ID callback. */ 11 GEN_SESSION_CB generate_session_id; 12 13 @@ -1546,6 +1549,7 @@ const SSL_CIPHER *SSL_get_current_cipher 14 int SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits); 15 char * SSL_CIPHER_get_version(const SSL_CIPHER *c); 16 const char * SSL_CIPHER_get_name(const SSL_CIPHER *c); 17 +const char * SSL_CIPHER_authentication_method(const SSL_CIPHER *c); 18 19 int SSL_get_fd(const SSL *s); 20 int SSL_get_rfd(const SSL *s); 21 @@ -1554,6 +1558,7 @@ const char * SSL_get_cipher_list(const 22 char * SSL_get_shared_ciphers(const SSL *s, char *buf, int len); 23 int SSL_get_read_ahead(const SSL * s); 24 int SSL_pending(const SSL *s); 25 +const char * SSL_authentication_method(const SSL *c); 26 #ifndef OPENSSL_NO_SOCK 27 int SSL_set_fd(SSL *s, int fd); 28 int SSL_set_rfd(SSL *s, int fd); 29 @@ -1565,6 +1570,7 @@ BIO * SSL_get_rbio(const SSL *s); 30 BIO * SSL_get_wbio(const SSL *s); 31 #endif 32 int SSL_set_cipher_list(SSL *s, const char *str); 33 +int SSL_set_cipher_lists(SSL *s, STACK_OF(SSL_CIPHER) *sk); 34 void SSL_set_read_ahead(SSL *s, int yes); 35 int SSL_get_verify_mode(const SSL *s); 36 int SSL_get_verify_depth(const SSL *s); 37 @@ -1580,6 +1586,8 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKE 38 int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, const unsigned char *d, long len); 39 int SSL_use_certificate(SSL *ssl, X509 *x); 40 int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len); 41 +int SSL_use_certificate_chain(SSL *ssl, STACK_OF(X509) *cert_chain); 42 +STACK_OF(X509) * SSL_get_certificate_chain(SSL *ssl, X509 *x); 43 44 #ifndef OPENSSL_NO_STDIO 45 int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type); 46 @@ -1615,6 +1623,7 @@ void SSL_copy_session_id(SSL *to,const S 47 SSL_SESSION *SSL_SESSION_new(void); 48 const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, 49 unsigned int *len); 50 +const char * SSL_SESSION_get_version(const SSL_SESSION *s); 51 #ifndef OPENSSL_NO_FP_API 52 int SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses); 53 #endif 54 @@ -1624,6 +1633,7 @@ int SSL_SESSION_print(BIO *fp,const SSL_ 55 void SSL_SESSION_free(SSL_SESSION *ses); 56 int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp); 57 int SSL_set_session(SSL *to, SSL_SESSION *session); 58 +void SSL_set_session_creation_enabled(SSL *, int); 59 int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c); 60 int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c); 61 int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB); 62 @@ -2066,6 +2076,7 @@ void ERR_load_SSL_strings(void); 63 #define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244 64 #define SSL_F_SSL_USE_CERTIFICATE 198 65 #define SSL_F_SSL_USE_CERTIFICATE_ASN1 199 66 +#define SSL_F_SSL_USE_CERTIFICATE_CHAIN 2000 67 #define SSL_F_SSL_USE_CERTIFICATE_FILE 200 68 #define SSL_F_SSL_USE_PRIVATEKEY 201 69 #define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202 70 @@ -2272,6 +2283,7 @@ void ERR_load_SSL_strings(void); 71 #define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345 72 #define SSL_R_SERVERHELLO_TLSEXT 275 73 #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277 74 +#define SSL_R_SESSION_MAY_NOT_BE_CREATED 2000 75 #define SSL_R_SHORT_READ 219 76 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 77 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221 78 --- openssl-1.0.0b.orig/ssl/d1_clnt.c 2010-01-26 19:46:29.000000000 +0000 79 +++ openssl-1.0.0b/ssl/d1_clnt.c 2010-11-30 00:03:47.000000000 +0000 80 @@ -613,6 +613,12 @@ int dtls1_client_hello(SSL *s) 81 #endif 82 (s->session->not_resumable)) 83 { 84 + if (!s->session_creation_enabled) 85 + { 86 + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 87 + SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); 88 + goto err; 89 + } 90 if (!ssl_get_new_session(s,0)) 91 goto err; 92 } 93 --- openssl-1.0.0b.orig/ssl/s23_clnt.c 2010-02-16 14:20:40.000000000 +0000 94 +++ openssl-1.0.0b/ssl/s23_clnt.c 2010-11-30 00:03:47.000000000 +0000 95 @@ -687,6 +687,13 @@ static int ssl23_get_server_hello(SSL *s 96 97 /* Since, if we are sending a ssl23 client hello, we are not 98 * reusing a session-id */ 99 + if (!s->session_creation_enabled) 100 + { 101 + if (!(s->client_version == SSL2_VERSION)) 102 + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 103 + SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); 104 + goto err; 105 + } 106 if (!ssl_get_new_session(s,0)) 107 goto err; 108 109 --- openssl-1.0.0b.orig/ssl/s3_both.c 2010-11-30 00:03:46.000000000 +0000 110 +++ openssl-1.0.0b/ssl/s3_both.c 2010-11-30 00:03:47.000000000 +0000 111 @@ -347,8 +347,11 @@ unsigned long ssl3_output_cert_chain(SSL 112 unsigned long l=7; 113 BUF_MEM *buf; 114 int no_chain; 115 + STACK_OF(X509) *cert_chain; 116 117 - if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) 118 + cert_chain = SSL_get_certificate_chain(s, x); 119 + 120 + if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs || cert_chain) 121 no_chain = 1; 122 else 123 no_chain = 0; 124 @@ -400,6 +403,10 @@ unsigned long ssl3_output_cert_chain(SSL 125 return(0); 126 } 127 128 + for (i=0; i<sk_X509_num(cert_chain); i++) 129 + if (ssl3_add_cert_to_buf(buf, &l, sk_X509_value(cert_chain,i))) 130 + return(0); 131 + 132 l-=7; 133 p=(unsigned char *)&(buf->data[4]); 134 l2n3(l,p); 135 --- openssl-1.0.0b.orig/ssl/s3_clnt.c 2010-11-30 00:03:46.000000000 +0000 136 +++ openssl-1.0.0b/ssl/s3_clnt.c 2010-11-30 00:03:47.000000000 +0000 137 @@ -686,6 +686,12 @@ int ssl3_client_hello(SSL *s) 138 #endif 139 (sess->not_resumable)) 140 { 141 + if (!s->session_creation_enabled) 142 + { 143 + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 144 + SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); 145 + goto err; 146 + } 147 if (!ssl_get_new_session(s,0)) 148 goto err; 149 } 150 @@ -894,6 +900,12 @@ int ssl3_get_server_hello(SSL *s) 151 s->hit=0; 152 if (s->session->session_id_length > 0) 153 { 154 + if (!s->session_creation_enabled) 155 + { 156 + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 157 + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); 158 + goto err; 159 + } 160 if (!ssl_get_new_session(s,0)) 161 { 162 al=SSL_AD_INTERNAL_ERROR; 163 --- openssl-1.0.0b.orig/ssl/s3_srvr.c 2010-11-30 00:03:46.000000000 +0000 164 +++ openssl-1.0.0b/ssl/s3_srvr.c 2010-11-30 00:03:47.000000000 +0000 165 @@ -902,6 +902,12 @@ int ssl3_get_client_hello(SSL *s) 166 */ 167 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) 168 { 169 + if (!s->session_creation_enabled) 170 + { 171 + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 172 + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); 173 + goto err; 174 + } 175 if (!ssl_get_new_session(s,1)) 176 goto err; 177 } 178 @@ -916,6 +922,12 @@ int ssl3_get_client_hello(SSL *s) 179 goto err; 180 else /* i == 0 */ 181 { 182 + if (!s->session_creation_enabled) 183 + { 184 + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 185 + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); 186 + goto err; 187 + } 188 if (!ssl_get_new_session(s,1)) 189 goto err; 190 } 191 --- openssl-1.0.0b.orig/ssl/ssl_ciph.c 2010-06-15 17:25:14.000000000 +0000 192 +++ openssl-1.0.0b/ssl/ssl_ciph.c 2010-11-30 00:03:47.000000000 +0000 193 @@ -1652,6 +1652,52 @@ int SSL_CIPHER_get_bits(const SSL_CIPHER 194 return(ret); 195 } 196 197 +/* return string version of key exchange algorithm */ 198 +const char* SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher) 199 + { 200 + switch (cipher->algorithm_mkey) 201 + { 202 + case SSL_kRSA: 203 + return SSL_TXT_RSA; 204 + case SSL_kDHr: 205 + return SSL_TXT_DH "_" SSL_TXT_RSA; 206 + case SSL_kDHd: 207 + return SSL_TXT_DH "_" SSL_TXT_DSS; 208 + case SSL_kEDH: 209 + switch (cipher->algorithm_auth) 210 + { 211 + case SSL_aDSS: 212 + return "DHE_" SSL_TXT_DSS; 213 + case SSL_aRSA: 214 + return "DHE_" SSL_TXT_RSA; 215 + case SSL_aNULL: 216 + return SSL_TXT_DH "_anon"; 217 + default: 218 + return "UNKNOWN"; 219 + } 220 + case SSL_kKRB5: 221 + return SSL_TXT_KRB5; 222 + case SSL_kECDHr: 223 + return SSL_TXT_ECDH "_" SSL_TXT_RSA; 224 + case SSL_kECDHe: 225 + return SSL_TXT_ECDH "_" SSL_TXT_ECDSA; 226 + case SSL_kEECDH: 227 + switch (cipher->algorithm_auth) 228 + { 229 + case SSL_aECDSA: 230 + return "ECDHE_" SSL_TXT_ECDSA; 231 + case SSL_aRSA: 232 + return "ECDHE_" SSL_TXT_RSA; 233 + case SSL_aNULL: 234 + return SSL_TXT_ECDH "_anon"; 235 + default: 236 + return "UNKNOWN"; 237 + } 238 + default: 239 + return "UNKNOWN"; 240 + } 241 + } 242 + 243 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) 244 { 245 SSL_COMP *ctmp; 246 --- openssl-1.0.0b.orig/ssl/ssl_err.c 2010-11-30 00:03:46.000000000 +0000 247 +++ openssl-1.0.0b/ssl/ssl_err.c 2010-11-30 00:03:47.000000000 +0000 248 @@ -465,6 +465,7 @@ static ERR_STRING_DATA SSL_str_reasons[] 249 {ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"}, 250 {ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) ,"serverhello tlsext"}, 251 {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"}, 252 +{ERR_REASON(SSL_R_SESSION_MAY_NOT_BE_CREATED),"session may not be created"}, 253 {ERR_REASON(SSL_R_SHORT_READ) ,"short read"}, 254 {ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"}, 255 {ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"}, 256 --- openssl-1.0.0b.orig/ssl/ssl_lib.c 2010-11-30 00:03:46.000000000 +0000 257 +++ openssl-1.0.0b/ssl/ssl_lib.c 2010-11-30 00:03:47.000000000 +0000 258 @@ -326,6 +326,7 @@ SSL *SSL_new(SSL_CTX *ctx) 259 OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); 260 memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx)); 261 s->verify_callback=ctx->default_verify_callback; 262 + s->session_creation_enabled=1; 263 s->generate_session_id=ctx->generate_session_id; 264 265 s->param = X509_VERIFY_PARAM_new(); 266 @@ -1311,6 +1312,32 @@ int SSL_set_cipher_list(SSL *s,const cha 267 return 1; 268 } 269 270 +/** specify the ciphers to be used by the SSL */ 271 +int SSL_set_cipher_lists(SSL *s,STACK_OF(SSL_CIPHER) *sk) 272 + { 273 + STACK_OF(SSL_CIPHER) *tmp_cipher_list; 274 + 275 + if (sk == NULL) 276 + return 0; 277 + 278 + /* Based on end of ssl_create_cipher_list */ 279 + tmp_cipher_list = sk_SSL_CIPHER_dup(sk); 280 + if (tmp_cipher_list == NULL) 281 + { 282 + return 0; 283 + } 284 + if (s->cipher_list != NULL) 285 + sk_SSL_CIPHER_free(s->cipher_list); 286 + s->cipher_list = sk; 287 + if (s->cipher_list_by_id != NULL) 288 + sk_SSL_CIPHER_free(s->cipher_list_by_id); 289 + s->cipher_list_by_id = tmp_cipher_list; 290 + (void)sk_SSL_CIPHER_set_cmp_func(s->cipher_list_by_id,ssl_cipher_ptr_id_cmp); 291 + 292 + sk_SSL_CIPHER_sort(s->cipher_list_by_id); 293 + return 1; 294 + } 295 + 296 /* works well for SSLv2, not so good for SSLv3 */ 297 char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) 298 { 299 @@ -2551,18 +2578,45 @@ SSL_METHOD *ssl_bad_method(int ver) 300 return(NULL); 301 } 302 303 -const char *SSL_get_version(const SSL *s) 304 +static const char *ssl_get_version(int version) 305 { 306 - if (s->version == TLS1_VERSION) 307 + if (version == TLS1_VERSION) 308 return("TLSv1"); 309 - else if (s->version == SSL3_VERSION) 310 + else if (version == SSL3_VERSION) 311 return("SSLv3"); 312 - else if (s->version == SSL2_VERSION) 313 + else if (version == SSL2_VERSION) 314 return("SSLv2"); 315 else 316 return("unknown"); 317 } 318 319 +const char *SSL_get_version(const SSL *s) 320 + { 321 + return ssl_get_version(s->version); 322 + } 323 + 324 +const char *SSL_SESSION_get_version(const SSL_SESSION *s) 325 + { 326 + return ssl_get_version(s->ssl_version); 327 + } 328 + 329 +const char* SSL_authentication_method(const SSL* ssl) 330 + { 331 + if (ssl->cert != NULL && ssl->cert->rsa_tmp != NULL) 332 + return SSL_TXT_RSA "_" SSL_TXT_EXPORT; 333 + switch (ssl->version) 334 + { 335 + case SSL2_VERSION: 336 + return SSL_TXT_RSA; 337 + case SSL3_VERSION: 338 + case TLS1_VERSION: 339 + case DTLS1_VERSION: 340 + return SSL_CIPHER_authentication_method(ssl->s3->tmp.new_cipher); 341 + default: 342 + return "UNKNOWN"; 343 + } 344 + } 345 + 346 SSL *SSL_dup(SSL *s) 347 { 348 STACK_OF(X509_NAME) *sk; 349 --- openssl-1.0.0b.orig/ssl/ssl_locl.h 2010-11-30 00:03:46.000000000 +0000 350 +++ openssl-1.0.0b/ssl/ssl_locl.h 2010-11-30 00:03:47.000000000 +0000 351 @@ -456,6 +456,7 @@ 352 typedef struct cert_pkey_st 353 { 354 X509 *x509; 355 + STACK_OF(X509) *cert_chain; 356 EVP_PKEY *privatekey; 357 } CERT_PKEY; 358 359 --- openssl-1.0.0b.orig/ssl/ssl_rsa.c 2009-09-12 23:09:26.000000000 +0000 360 +++ openssl-1.0.0b/ssl/ssl_rsa.c 2010-11-30 00:03:47.000000000 +0000 361 @@ -697,6 +697,42 @@ int SSL_CTX_use_PrivateKey_ASN1(int type 362 } 363 364 365 +int SSL_use_certificate_chain(SSL *ssl, STACK_OF(X509) *cert_chain) 366 + { 367 + if (ssl == NULL) 368 + { 369 + SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,ERR_R_PASSED_NULL_PARAMETER); 370 + return(0); 371 + } 372 + if (ssl->cert == NULL) 373 + { 374 + SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,SSL_R_NO_CERTIFICATE_ASSIGNED); 375 + return(0); 376 + } 377 + if (ssl->cert->key == NULL) 378 + { 379 + SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,SSL_R_NO_CERTIFICATE_ASSIGNED); 380 + return(0); 381 + } 382 + ssl->cert->key->cert_chain = cert_chain; 383 + return(1); 384 + } 385 + 386 +STACK_OF(X509) *SSL_get_certificate_chain(SSL *ssl, X509 *x) 387 + { 388 + int i; 389 + if (x == NULL) 390 + return NULL; 391 + if (ssl == NULL) 392 + return NULL; 393 + if (ssl->cert == NULL) 394 + return NULL; 395 + for (i = 0; i < SSL_PKEY_NUM; i++) 396 + if (ssl->cert->pkeys[i].x509 == x) 397 + return ssl->cert->pkeys[i].cert_chain; 398 + return NULL; 399 + } 400 + 401 #ifndef OPENSSL_NO_STDIO 402 /* Read a file that contains our certificate in "PEM" format, 403 * possibly followed by a sequence of CA certificates that should be 404 --- openssl-1.0.0b.orig/ssl/ssl_sess.c 2010-02-01 16:49:42.000000000 +0000 405 +++ openssl-1.0.0b/ssl/ssl_sess.c 2010-11-30 00:03:47.000000000 +0000 406 @@ -261,6 +261,11 @@ static int def_generate_session_id(const 407 return 0; 408 } 409 410 +void SSL_set_session_creation_enabled (SSL *s, int creation_enabled) 411 + { 412 + s->session_creation_enabled = creation_enabled; 413 + } 414 + 415 int ssl_get_new_session(SSL *s, int session) 416 { 417 /* This gets used by clients and servers. */ 418 @@ -269,6 +274,8 @@ int ssl_get_new_session(SSL *s, int sess 419 SSL_SESSION *ss=NULL; 420 GEN_SESSION_CB cb = def_generate_session_id; 421 422 + /* caller should check this if they can do better error handling */ 423 + if (!s->session_creation_enabled) return(0); 424 if ((ss=SSL_SESSION_new()) == NULL) return(0); 425 426 /* If the context has a default timeout, use it */ 427
