Alexandre Savard | 1b09e31 | 2012-08-07 20:33:29 -0400 | [diff] [blame] | 1 | --- openssl-1.0.0b.orig/ssl/ssl.h 2010-11-30 00:03:46.000000000 +0000 |
| 2 | +++ openssl-1.0.0b/ssl/ssl.h 2010-11-30 00:03:47.000000000 +0000 |
| 3 | @@ -1133,6 +1133,9 @@ struct ssl_st |
| 4 | /* This can also be in the session once a session is established */ |
| 5 | SSL_SESSION *session; |
| 6 | |
| 7 | + /* This can be disabled to prevent the use of uncached sessions */ |
| 8 | + int session_creation_enabled; |
| 9 | + |
| 10 | /* Default generate session ID callback. */ |
| 11 | GEN_SESSION_CB generate_session_id; |
| 12 | |
Alexandre Savard | 7541067 | 2012-08-08 09:50:01 -0400 | [diff] [blame] | 13 | @@ -1546,6 +1549,7 @@ const SSL_CIPHER *SSL_get_current_cipher |
| 14 | int SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits); |
| 15 | char * SSL_CIPHER_get_version(const SSL_CIPHER *c); |
| 16 | const char * SSL_CIPHER_get_name(const SSL_CIPHER *c); |
| 17 | +const char * SSL_CIPHER_authentication_method(const SSL_CIPHER *c); |
| 18 | |
| 19 | int SSL_get_fd(const SSL *s); |
| 20 | int SSL_get_rfd(const SSL *s); |
Alexandre Savard | 1b09e31 | 2012-08-07 20:33:29 -0400 | [diff] [blame] | 21 | @@ -1554,6 +1558,7 @@ const char * SSL_get_cipher_list(const |
| 22 | char * SSL_get_shared_ciphers(const SSL *s, char *buf, int len); |
| 23 | int SSL_get_read_ahead(const SSL * s); |
| 24 | int SSL_pending(const SSL *s); |
| 25 | +const char * SSL_authentication_method(const SSL *c); |
| 26 | #ifndef OPENSSL_NO_SOCK |
| 27 | int SSL_set_fd(SSL *s, int fd); |
| 28 | int SSL_set_rfd(SSL *s, int fd); |
| 29 | @@ -1565,6 +1570,7 @@ BIO * SSL_get_rbio(const SSL *s); |
| 30 | BIO * SSL_get_wbio(const SSL *s); |
| 31 | #endif |
| 32 | int SSL_set_cipher_list(SSL *s, const char *str); |
| 33 | +int SSL_set_cipher_lists(SSL *s, STACK_OF(SSL_CIPHER) *sk); |
| 34 | void SSL_set_read_ahead(SSL *s, int yes); |
| 35 | int SSL_get_verify_mode(const SSL *s); |
| 36 | int SSL_get_verify_depth(const SSL *s); |
| 37 | @@ -1580,6 +1586,8 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKE |
| 38 | int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, const unsigned char *d, long len); |
| 39 | int SSL_use_certificate(SSL *ssl, X509 *x); |
| 40 | int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len); |
| 41 | +int SSL_use_certificate_chain(SSL *ssl, STACK_OF(X509) *cert_chain); |
| 42 | +STACK_OF(X509) * SSL_get_certificate_chain(SSL *ssl, X509 *x); |
| 43 | |
| 44 | #ifndef OPENSSL_NO_STDIO |
| 45 | int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type); |
| 46 | @@ -1615,6 +1623,7 @@ void SSL_copy_session_id(SSL *to,const S |
| 47 | SSL_SESSION *SSL_SESSION_new(void); |
| 48 | const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, |
| 49 | unsigned int *len); |
| 50 | +const char * SSL_SESSION_get_version(const SSL_SESSION *s); |
Alexandre Savard | 1b09e31 | 2012-08-07 20:33:29 -0400 | [diff] [blame] | 51 | #ifndef OPENSSL_NO_FP_API |
| 52 | int SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses); |
Alexandre Savard | 7541067 | 2012-08-08 09:50:01 -0400 | [diff] [blame] | 53 | #endif |
Alexandre Savard | 1b09e31 | 2012-08-07 20:33:29 -0400 | [diff] [blame] | 54 | @@ -1624,6 +1633,7 @@ int SSL_SESSION_print(BIO *fp,const SSL_ |
| 55 | void SSL_SESSION_free(SSL_SESSION *ses); |
| 56 | int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp); |
| 57 | int SSL_set_session(SSL *to, SSL_SESSION *session); |
| 58 | +void SSL_set_session_creation_enabled(SSL *, int); |
| 59 | int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c); |
| 60 | int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c); |
| 61 | int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB); |
| 62 | @@ -2066,6 +2076,7 @@ void ERR_load_SSL_strings(void); |
| 63 | #define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244 |
| 64 | #define SSL_F_SSL_USE_CERTIFICATE 198 |
| 65 | #define SSL_F_SSL_USE_CERTIFICATE_ASN1 199 |
| 66 | +#define SSL_F_SSL_USE_CERTIFICATE_CHAIN 2000 |
| 67 | #define SSL_F_SSL_USE_CERTIFICATE_FILE 200 |
| 68 | #define SSL_F_SSL_USE_PRIVATEKEY 201 |
| 69 | #define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202 |
| 70 | @@ -2272,6 +2283,7 @@ void ERR_load_SSL_strings(void); |
| 71 | #define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345 |
| 72 | #define SSL_R_SERVERHELLO_TLSEXT 275 |
| 73 | #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277 |
| 74 | +#define SSL_R_SESSION_MAY_NOT_BE_CREATED 2000 |
| 75 | #define SSL_R_SHORT_READ 219 |
| 76 | #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 |
| 77 | #define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221 |
| 78 | --- openssl-1.0.0b.orig/ssl/d1_clnt.c 2010-01-26 19:46:29.000000000 +0000 |
| 79 | +++ openssl-1.0.0b/ssl/d1_clnt.c 2010-11-30 00:03:47.000000000 +0000 |
| 80 | @@ -613,6 +613,12 @@ int dtls1_client_hello(SSL *s) |
| 81 | #endif |
| 82 | (s->session->not_resumable)) |
| 83 | { |
| 84 | + if (!s->session_creation_enabled) |
| 85 | + { |
| 86 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 87 | + SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 88 | + goto err; |
| 89 | + } |
| 90 | if (!ssl_get_new_session(s,0)) |
| 91 | goto err; |
| 92 | } |
| 93 | --- openssl-1.0.0b.orig/ssl/s23_clnt.c 2010-02-16 14:20:40.000000000 +0000 |
| 94 | +++ openssl-1.0.0b/ssl/s23_clnt.c 2010-11-30 00:03:47.000000000 +0000 |
| 95 | @@ -687,6 +687,13 @@ static int ssl23_get_server_hello(SSL *s |
| 96 | |
| 97 | /* Since, if we are sending a ssl23 client hello, we are not |
| 98 | * reusing a session-id */ |
| 99 | + if (!s->session_creation_enabled) |
| 100 | + { |
| 101 | + if (!(s->client_version == SSL2_VERSION)) |
| 102 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 103 | + SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 104 | + goto err; |
| 105 | + } |
| 106 | if (!ssl_get_new_session(s,0)) |
| 107 | goto err; |
| 108 | |
| 109 | --- openssl-1.0.0b.orig/ssl/s3_both.c 2010-11-30 00:03:46.000000000 +0000 |
| 110 | +++ openssl-1.0.0b/ssl/s3_both.c 2010-11-30 00:03:47.000000000 +0000 |
| 111 | @@ -347,8 +347,11 @@ unsigned long ssl3_output_cert_chain(SSL |
| 112 | unsigned long l=7; |
| 113 | BUF_MEM *buf; |
| 114 | int no_chain; |
| 115 | + STACK_OF(X509) *cert_chain; |
| 116 | |
| 117 | - if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) |
| 118 | + cert_chain = SSL_get_certificate_chain(s, x); |
| 119 | + |
| 120 | + if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs || cert_chain) |
| 121 | no_chain = 1; |
| 122 | else |
| 123 | no_chain = 0; |
| 124 | @@ -400,6 +403,10 @@ unsigned long ssl3_output_cert_chain(SSL |
| 125 | return(0); |
| 126 | } |
| 127 | |
| 128 | + for (i=0; i<sk_X509_num(cert_chain); i++) |
| 129 | + if (ssl3_add_cert_to_buf(buf, &l, sk_X509_value(cert_chain,i))) |
| 130 | + return(0); |
| 131 | + |
| 132 | l-=7; |
| 133 | p=(unsigned char *)&(buf->data[4]); |
| 134 | l2n3(l,p); |
| 135 | --- openssl-1.0.0b.orig/ssl/s3_clnt.c 2010-11-30 00:03:46.000000000 +0000 |
| 136 | +++ openssl-1.0.0b/ssl/s3_clnt.c 2010-11-30 00:03:47.000000000 +0000 |
| 137 | @@ -686,6 +686,12 @@ int ssl3_client_hello(SSL *s) |
| 138 | #endif |
| 139 | (sess->not_resumable)) |
| 140 | { |
| 141 | + if (!s->session_creation_enabled) |
| 142 | + { |
| 143 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 144 | + SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 145 | + goto err; |
| 146 | + } |
| 147 | if (!ssl_get_new_session(s,0)) |
| 148 | goto err; |
| 149 | } |
| 150 | @@ -894,6 +900,12 @@ int ssl3_get_server_hello(SSL *s) |
| 151 | s->hit=0; |
| 152 | if (s->session->session_id_length > 0) |
| 153 | { |
| 154 | + if (!s->session_creation_enabled) |
| 155 | + { |
| 156 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 157 | + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 158 | + goto err; |
| 159 | + } |
| 160 | if (!ssl_get_new_session(s,0)) |
| 161 | { |
| 162 | al=SSL_AD_INTERNAL_ERROR; |
| 163 | --- openssl-1.0.0b.orig/ssl/s3_srvr.c 2010-11-30 00:03:46.000000000 +0000 |
| 164 | +++ openssl-1.0.0b/ssl/s3_srvr.c 2010-11-30 00:03:47.000000000 +0000 |
| 165 | @@ -902,6 +902,12 @@ int ssl3_get_client_hello(SSL *s) |
| 166 | */ |
| 167 | if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) |
| 168 | { |
| 169 | + if (!s->session_creation_enabled) |
| 170 | + { |
| 171 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 172 | + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 173 | + goto err; |
| 174 | + } |
| 175 | if (!ssl_get_new_session(s,1)) |
| 176 | goto err; |
| 177 | } |
| 178 | @@ -916,6 +922,12 @@ int ssl3_get_client_hello(SSL *s) |
| 179 | goto err; |
| 180 | else /* i == 0 */ |
| 181 | { |
| 182 | + if (!s->session_creation_enabled) |
| 183 | + { |
| 184 | + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
| 185 | + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); |
| 186 | + goto err; |
| 187 | + } |
| 188 | if (!ssl_get_new_session(s,1)) |
| 189 | goto err; |
| 190 | } |
| 191 | --- openssl-1.0.0b.orig/ssl/ssl_ciph.c 2010-06-15 17:25:14.000000000 +0000 |
| 192 | +++ openssl-1.0.0b/ssl/ssl_ciph.c 2010-11-30 00:03:47.000000000 +0000 |
| 193 | @@ -1652,6 +1652,52 @@ int SSL_CIPHER_get_bits(const SSL_CIPHER |
| 194 | return(ret); |
| 195 | } |
| 196 | |
| 197 | +/* return string version of key exchange algorithm */ |
| 198 | +const char* SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher) |
| 199 | + { |
| 200 | + switch (cipher->algorithm_mkey) |
| 201 | + { |
| 202 | + case SSL_kRSA: |
| 203 | + return SSL_TXT_RSA; |
| 204 | + case SSL_kDHr: |
| 205 | + return SSL_TXT_DH "_" SSL_TXT_RSA; |
| 206 | + case SSL_kDHd: |
| 207 | + return SSL_TXT_DH "_" SSL_TXT_DSS; |
| 208 | + case SSL_kEDH: |
| 209 | + switch (cipher->algorithm_auth) |
| 210 | + { |
| 211 | + case SSL_aDSS: |
| 212 | + return "DHE_" SSL_TXT_DSS; |
| 213 | + case SSL_aRSA: |
| 214 | + return "DHE_" SSL_TXT_RSA; |
| 215 | + case SSL_aNULL: |
| 216 | + return SSL_TXT_DH "_anon"; |
| 217 | + default: |
| 218 | + return "UNKNOWN"; |
| 219 | + } |
| 220 | + case SSL_kKRB5: |
| 221 | + return SSL_TXT_KRB5; |
| 222 | + case SSL_kECDHr: |
| 223 | + return SSL_TXT_ECDH "_" SSL_TXT_RSA; |
| 224 | + case SSL_kECDHe: |
| 225 | + return SSL_TXT_ECDH "_" SSL_TXT_ECDSA; |
| 226 | + case SSL_kEECDH: |
| 227 | + switch (cipher->algorithm_auth) |
| 228 | + { |
| 229 | + case SSL_aECDSA: |
| 230 | + return "ECDHE_" SSL_TXT_ECDSA; |
| 231 | + case SSL_aRSA: |
| 232 | + return "ECDHE_" SSL_TXT_RSA; |
| 233 | + case SSL_aNULL: |
| 234 | + return SSL_TXT_ECDH "_anon"; |
| 235 | + default: |
| 236 | + return "UNKNOWN"; |
| 237 | + } |
| 238 | + default: |
| 239 | + return "UNKNOWN"; |
| 240 | + } |
| 241 | + } |
| 242 | + |
| 243 | SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) |
| 244 | { |
| 245 | SSL_COMP *ctmp; |
| 246 | --- openssl-1.0.0b.orig/ssl/ssl_err.c 2010-11-30 00:03:46.000000000 +0000 |
| 247 | +++ openssl-1.0.0b/ssl/ssl_err.c 2010-11-30 00:03:47.000000000 +0000 |
| 248 | @@ -465,6 +465,7 @@ static ERR_STRING_DATA SSL_str_reasons[] |
| 249 | {ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"}, |
| 250 | {ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) ,"serverhello tlsext"}, |
| 251 | {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"}, |
| 252 | +{ERR_REASON(SSL_R_SESSION_MAY_NOT_BE_CREATED),"session may not be created"}, |
| 253 | {ERR_REASON(SSL_R_SHORT_READ) ,"short read"}, |
| 254 | {ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"}, |
| 255 | {ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"}, |
| 256 | --- openssl-1.0.0b.orig/ssl/ssl_lib.c 2010-11-30 00:03:46.000000000 +0000 |
| 257 | +++ openssl-1.0.0b/ssl/ssl_lib.c 2010-11-30 00:03:47.000000000 +0000 |
| 258 | @@ -326,6 +326,7 @@ SSL *SSL_new(SSL_CTX *ctx) |
| 259 | OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); |
| 260 | memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx)); |
| 261 | s->verify_callback=ctx->default_verify_callback; |
| 262 | + s->session_creation_enabled=1; |
| 263 | s->generate_session_id=ctx->generate_session_id; |
| 264 | |
| 265 | s->param = X509_VERIFY_PARAM_new(); |
| 266 | @@ -1311,6 +1312,32 @@ int SSL_set_cipher_list(SSL *s,const cha |
| 267 | return 1; |
| 268 | } |
| 269 | |
| 270 | +/** specify the ciphers to be used by the SSL */ |
| 271 | +int SSL_set_cipher_lists(SSL *s,STACK_OF(SSL_CIPHER) *sk) |
| 272 | + { |
| 273 | + STACK_OF(SSL_CIPHER) *tmp_cipher_list; |
| 274 | + |
| 275 | + if (sk == NULL) |
| 276 | + return 0; |
| 277 | + |
| 278 | + /* Based on end of ssl_create_cipher_list */ |
| 279 | + tmp_cipher_list = sk_SSL_CIPHER_dup(sk); |
| 280 | + if (tmp_cipher_list == NULL) |
| 281 | + { |
| 282 | + return 0; |
| 283 | + } |
| 284 | + if (s->cipher_list != NULL) |
| 285 | + sk_SSL_CIPHER_free(s->cipher_list); |
| 286 | + s->cipher_list = sk; |
| 287 | + if (s->cipher_list_by_id != NULL) |
| 288 | + sk_SSL_CIPHER_free(s->cipher_list_by_id); |
| 289 | + s->cipher_list_by_id = tmp_cipher_list; |
| 290 | + (void)sk_SSL_CIPHER_set_cmp_func(s->cipher_list_by_id,ssl_cipher_ptr_id_cmp); |
| 291 | + |
| 292 | + sk_SSL_CIPHER_sort(s->cipher_list_by_id); |
| 293 | + return 1; |
| 294 | + } |
| 295 | + |
| 296 | /* works well for SSLv2, not so good for SSLv3 */ |
| 297 | char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) |
| 298 | { |
Alexandre Savard | 7541067 | 2012-08-08 09:50:01 -0400 | [diff] [blame] | 299 | @@ -2551,18 +2578,45 @@ SSL_METHOD *ssl_bad_method(int ver) |
Alexandre Savard | 1b09e31 | 2012-08-07 20:33:29 -0400 | [diff] [blame] | 300 | return(NULL); |
| 301 | } |
| 302 | |
| 303 | -const char *SSL_get_version(const SSL *s) |
| 304 | +static const char *ssl_get_version(int version) |
| 305 | { |
Alexandre Savard | 1b09e31 | 2012-08-07 20:33:29 -0400 | [diff] [blame] | 306 | - if (s->version == TLS1_VERSION) |
| 307 | + if (version == TLS1_VERSION) |
| 308 | return("TLSv1"); |
| 309 | - else if (s->version == SSL3_VERSION) |
| 310 | + else if (version == SSL3_VERSION) |
| 311 | return("SSLv3"); |
| 312 | - else if (s->version == SSL2_VERSION) |
| 313 | + else if (version == SSL2_VERSION) |
| 314 | return("SSLv2"); |
| 315 | else |
| 316 | return("unknown"); |
| 317 | } |
| 318 | |
| 319 | +const char *SSL_get_version(const SSL *s) |
| 320 | + { |
| 321 | + return ssl_get_version(s->version); |
| 322 | + } |
| 323 | + |
| 324 | +const char *SSL_SESSION_get_version(const SSL_SESSION *s) |
| 325 | + { |
| 326 | + return ssl_get_version(s->ssl_version); |
| 327 | + } |
| 328 | + |
| 329 | +const char* SSL_authentication_method(const SSL* ssl) |
| 330 | + { |
| 331 | + if (ssl->cert != NULL && ssl->cert->rsa_tmp != NULL) |
| 332 | + return SSL_TXT_RSA "_" SSL_TXT_EXPORT; |
| 333 | + switch (ssl->version) |
| 334 | + { |
| 335 | + case SSL2_VERSION: |
| 336 | + return SSL_TXT_RSA; |
Alexandre Savard | 7541067 | 2012-08-08 09:50:01 -0400 | [diff] [blame] | 337 | + case SSL3_VERSION: |
| 338 | + case TLS1_VERSION: |
| 339 | + case DTLS1_VERSION: |
Alexandre Savard | 1b09e31 | 2012-08-07 20:33:29 -0400 | [diff] [blame] | 340 | + return SSL_CIPHER_authentication_method(ssl->s3->tmp.new_cipher); |
Alexandre Savard | 7541067 | 2012-08-08 09:50:01 -0400 | [diff] [blame] | 341 | + default: |
| 342 | + return "UNKNOWN"; |
Alexandre Savard | 1b09e31 | 2012-08-07 20:33:29 -0400 | [diff] [blame] | 343 | + } |
| 344 | + } |
| 345 | + |
| 346 | SSL *SSL_dup(SSL *s) |
| 347 | { |
| 348 | STACK_OF(X509_NAME) *sk; |
| 349 | --- openssl-1.0.0b.orig/ssl/ssl_locl.h 2010-11-30 00:03:46.000000000 +0000 |
| 350 | +++ openssl-1.0.0b/ssl/ssl_locl.h 2010-11-30 00:03:47.000000000 +0000 |
| 351 | @@ -456,6 +456,7 @@ |
| 352 | typedef struct cert_pkey_st |
| 353 | { |
| 354 | X509 *x509; |
| 355 | + STACK_OF(X509) *cert_chain; |
| 356 | EVP_PKEY *privatekey; |
| 357 | } CERT_PKEY; |
| 358 | |
| 359 | --- openssl-1.0.0b.orig/ssl/ssl_rsa.c 2009-09-12 23:09:26.000000000 +0000 |
| 360 | +++ openssl-1.0.0b/ssl/ssl_rsa.c 2010-11-30 00:03:47.000000000 +0000 |
| 361 | @@ -697,6 +697,42 @@ int SSL_CTX_use_PrivateKey_ASN1(int type |
| 362 | } |
| 363 | |
| 364 | |
| 365 | +int SSL_use_certificate_chain(SSL *ssl, STACK_OF(X509) *cert_chain) |
| 366 | + { |
| 367 | + if (ssl == NULL) |
| 368 | + { |
| 369 | + SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,ERR_R_PASSED_NULL_PARAMETER); |
| 370 | + return(0); |
| 371 | + } |
| 372 | + if (ssl->cert == NULL) |
| 373 | + { |
| 374 | + SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,SSL_R_NO_CERTIFICATE_ASSIGNED); |
| 375 | + return(0); |
| 376 | + } |
| 377 | + if (ssl->cert->key == NULL) |
| 378 | + { |
| 379 | + SSLerr(SSL_F_SSL_USE_CERTIFICATE_CHAIN,SSL_R_NO_CERTIFICATE_ASSIGNED); |
| 380 | + return(0); |
| 381 | + } |
| 382 | + ssl->cert->key->cert_chain = cert_chain; |
| 383 | + return(1); |
| 384 | + } |
| 385 | + |
| 386 | +STACK_OF(X509) *SSL_get_certificate_chain(SSL *ssl, X509 *x) |
| 387 | + { |
| 388 | + int i; |
| 389 | + if (x == NULL) |
| 390 | + return NULL; |
| 391 | + if (ssl == NULL) |
| 392 | + return NULL; |
| 393 | + if (ssl->cert == NULL) |
| 394 | + return NULL; |
| 395 | + for (i = 0; i < SSL_PKEY_NUM; i++) |
| 396 | + if (ssl->cert->pkeys[i].x509 == x) |
| 397 | + return ssl->cert->pkeys[i].cert_chain; |
| 398 | + return NULL; |
| 399 | + } |
| 400 | + |
| 401 | #ifndef OPENSSL_NO_STDIO |
| 402 | /* Read a file that contains our certificate in "PEM" format, |
| 403 | * possibly followed by a sequence of CA certificates that should be |
| 404 | --- openssl-1.0.0b.orig/ssl/ssl_sess.c 2010-02-01 16:49:42.000000000 +0000 |
| 405 | +++ openssl-1.0.0b/ssl/ssl_sess.c 2010-11-30 00:03:47.000000000 +0000 |
| 406 | @@ -261,6 +261,11 @@ static int def_generate_session_id(const |
| 407 | return 0; |
| 408 | } |
| 409 | |
| 410 | +void SSL_set_session_creation_enabled (SSL *s, int creation_enabled) |
| 411 | + { |
| 412 | + s->session_creation_enabled = creation_enabled; |
| 413 | + } |
| 414 | + |
| 415 | int ssl_get_new_session(SSL *s, int session) |
| 416 | { |
| 417 | /* This gets used by clients and servers. */ |
| 418 | @@ -269,6 +274,8 @@ int ssl_get_new_session(SSL *s, int sess |
| 419 | SSL_SESSION *ss=NULL; |
| 420 | GEN_SESSION_CB cb = def_generate_session_id; |
| 421 | |
| 422 | + /* caller should check this if they can do better error handling */ |
| 423 | + if (!s->session_creation_enabled) return(0); |
| 424 | if ((ss=SSL_SESSION_new()) == NULL) return(0); |
| 425 | |
| 426 | /* If the context has a default timeout, use it */ |