diff options
author | Bodo Möller <bodo@openssl.org> | 2010-08-26 15:15:47 +0000 |
---|---|---|
committer | Bodo Möller <bodo@openssl.org> | 2010-08-26 15:15:47 +0000 |
commit | 7c2d4fee2547650102cd16d23f8125b76112ae75 (patch) | |
tree | b65012d1d3e0ee6d3dae907da20a00f3cbd0d56e /ssl | |
parent | f16176dab409c8de444315ba00c4eff36dd0e063 (diff) |
For better forward-security support, add functions
SSL_[CTX_]set_not_resumable_session_callback.
Submitted by: Emilia Kasper (Google)
[A part of this change affecting ssl/s3_lib.c was accidentally commited
separately, together with a compilation fix for that file;
see s3_lib.c CVS revision 1.133 (http://cvs.openssl.org/chngview?cn=19855).]
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/s3_srvr.c | 12 | ||||
-rw-r--r-- | ssl/ssl.h | 18 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 14 |
3 files changed, 42 insertions, 2 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index c2874e7feb..bc6ece47c1 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -1251,6 +1251,13 @@ int ssl3_get_client_hello(SSL *s) goto f_err; } s->s3->tmp.new_cipher=c; + /* check whether we should disable session resumption */ + if (s->not_resumable_session_cb != NULL) + s->session->not_resumable=s->not_resumable_session_cb(s, + ((c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)) != 0)); + if (s->session->not_resumable) + /* do not send a session ticket */ + s->tlsext_ticket_expected = 0; } else { @@ -1354,8 +1361,9 @@ int ssl3_send_server_hello(SSL *s) * if session caching is disabled so existing functionality * is unaffected. */ - if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) - && !s->hit) + if (s->session->not_resumable || + (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) + && !s->hit)) s->session->session_id_length=0; sl=s->session->session_id_length; @@ -468,6 +468,9 @@ typedef struct ssl_session_st char *psk_identity_hint; char *psk_identity; #endif + /* Used to indicate that session resumption is not allowed. + * Applications can also set this bit for a new session via + * not_resumable_session_cb to disable session caching and tickets. */ int not_resumable; /* The cert is the certificate used to establish this connection */ @@ -811,6 +814,10 @@ struct ssl_ctx_st X509_VERIFY_PARAM *param; + /* Callback for disabling session caching and ticket support + * on a session basis, depending on the chosen cipher. */ + int (*not_resumable_session_cb)(SSL *ssl, int is_forward_secure); + #if 0 int purpose; /* Purpose setting */ int trust; /* Trust setting */ @@ -1088,6 +1095,10 @@ struct ssl_st X509_VERIFY_PARAM *param; + /* Callback for disabling session caching and ticket support + * on a session basis, depending on the chosen cipher. */ + int (*not_resumable_session_cb)(SSL *ssl, int is_forward_secure); + #if 0 int purpose; /* Purpose setting */ int trust; /* Trust setting */ @@ -1477,6 +1488,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_CTRL_GET_RI_SUPPORT 76 #define SSL_CTRL_CLEAR_OPTIONS 77 #define SSL_CTRL_CLEAR_MODE 78 +#define SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB 79 #define DTLSv1_get_timeout(ssl, arg) \ SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) @@ -1875,6 +1887,12 @@ int SSL_tls1_key_exporter(SSL *s, unsigned char *label, int label_len, unsigned char *context, int context_len, unsigned char *out, int olen); +void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, + int (*cb)(SSL *ssl, int is_forward_secure)); + +void SSL_set_not_resumable_session_callback(SSL *ssl, + int (*cb)(SSL *ssl, int is_forward_secure)); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index ff710045dc..9dfa3aa711 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -319,6 +319,7 @@ SSL *SSL_new(SSL_CTX *ctx) s->msg_callback=ctx->msg_callback; s->msg_callback_arg=ctx->msg_callback_arg; s->verify_mode=ctx->verify_mode; + s->not_resumable_session_cb=ctx->not_resumable_session_cb; #if 0 s->verify_depth=ctx->verify_depth; #endif @@ -3164,6 +3165,19 @@ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int con SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); } +void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, + int (*cb)(SSL *ssl, int is_forward_secure)) + { + SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB, + (void (*)(void))cb); + } +void SSL_set_not_resumable_session_callback(SSL *ssl, + int (*cb)(SSL *ssl, int is_forward_secure)) + { + SSL_callback_ctrl(ssl, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB, + (void (*)(void))cb); + } + /* Allocates new EVP_MD_CTX and sets pointer to it into given pointer * vairable, freeing EVP_MD_CTX previously stored in that variable, if * any. If EVP_MD pointer is passed, initializes ctx with this md |