9 files changed, 136 insertions, 0 deletions

diff --git a/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
index 5c58b23895..c12ff0e587 100644
--- a/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
+++ b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
@@ -3,7 +3,9 @@
 =head1 NAME
 
 SSL_CTX_set_tlsext_status_cb,
+SSL_CTX_get_tlsext_status_cb,
 SSL_CTX_set_tlsext_status_arg,
+SSL_CTX_get_tlsext_status_arg,
 SSL_CTX_set_tlsext_status_type,
 SSL_CTX_get_tlsext_status_type,
 SSL_set_tlsext_status_type,
@@ -18,7 +20,11 @@ SSL_set_tlsext_status_ocsp_resp
 
  long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx,
                                    int (*callback)(SSL *, void *));
+ long SSL_CTX_get_tlsext_status_cb(SSL_CTX *ctx,
+                                   int (**callback)(SSL *, void *));
+
  long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
+ long SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg);
 
  long SSL_CTX_set_tlsext_status_type(SSL_CTX *ctx, int type);
  long SSL_CTX_get_tlsext_status_type(SSL_CTX *ctx);
@@ -48,6 +54,9 @@ acceptable or not. The callback will be passed as an argument the value
 previously set via a call to SSL_CTX_set_tlsext_status_arg(). Note that the
 callback will not be called in the event of a handshake where session resumption
 occurs (because there are no Certificates exchanged in such a handshake).
+The callback previously set via SSL_CTX_set_tlsext_status_cb() can be retrieved
+by calling SSL_CTX_get_tlsext_status_cb(), and the argument by calling
+SSL_CTX_get_tlsext_status_arg().
 
 On the client side SSL_get_tlsext_status_type() can be used to determine whether
 the client has previously called SSL_set_tlsext_status_type(). It will return
diff --git a/doc/ssl/SSL_SESSION_get0_id_context.pod b/doc/ssl/SSL_SESSION_get0_id_context.pod
new file mode 100644
index 0000000000..2ac3fc4dd0
--- /dev/null
+++ b/doc/ssl/SSL_SESSION_get0_id_context.pod
@@ -0,0 +1,41 @@
+=pod
+
+=head1 NAME
+
+SSL_SESSION_get0_id_context - get the SSL ID context associated with a session
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s,
+                                                  unsigned int *len)
+
+=head1 DESCRIPTION
+
+SSL_SESSION_get0_id_context() returns the ID context associated with
+the SSL/TLS session B<s>. The length of the ID context is written to
+B<*len> if B<len> is not NULL.
+
+The value returned is a pointer to an object maintained within B<s> and
+should not be released.
+
+=head1 SEE ALSO
+
+L<ssl(3)>,
+L<SSL_set_session_id_context(3)>
+
+=head1 HISTORY
+
+SSL_SESSION_get0_id_context() was first added to OpenSSL 1.1.0
+
+=head1 COPYRIGHT
+
+Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/ssl/SSL_SESSION_set1_id.pod b/doc/ssl/SSL_SESSION_set1_id.pod
new file mode 100644
index 0000000000..fe8a1c485a
--- /dev/null
+++ b/doc/ssl/SSL_SESSION_set1_id.pod
@@ -0,0 +1,41 @@
+=pod
+
+=head1 NAME
+
+SSL_SESSION_set1_id - set the SSL session ID
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
+                         unsigned int sid_len);
+
+=head1 DESCRIPTION
+
+SSL_SESSION_set1_id() sets the the session ID for the B<ssl> SSL/TLS session
+to B<sid> of length B<sid_len>.
+
+=head1 RETURN VALUES
+
+SSL_SESSION_set1_id() returns 1 for success and 0 for failure, for example
+if the supplied session ID length exceeds B<SSL_MAX_SSL_SESSION_ID_LENGTH>.
+
+=head1 SEE ALSO
+
+L<ssl(3)>
+
+=head1 HISTORY
+
+SSL_SESSION_set1_id() was first added to OpenSSL 1.1.0
+
+=head1 COPYRIGHT
+
+Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 0f2892032a..a7732ff512 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1137,6 +1137,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 # define SSL_CTRL_SET_SPLIT_SEND_FRAGMENT        125
 # define SSL_CTRL_SET_MAX_PIPELINES              126
 # define SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE     127
+# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB       128
+# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG   129
 # define SSL_CERT_SET_FIRST                      1
 # define SSL_CERT_SET_NEXT                       2
 # define SSL_CERT_SET_SERVER                     3
@@ -1406,10 +1408,14 @@ __owur int SSL_copy_session_id(SSL *to, const SSL *from);
 __owur X509 *SSL_SESSION_get0_peer(SSL_SESSION *s);
 __owur int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
                                 unsigned int sid_ctx_len);
+__owur int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
+                               unsigned int sid_len);
 
 __owur SSL_SESSION *SSL_SESSION_new(void);
 const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
                                         unsigned int *len);
+const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s,
+                                                unsigned int *len);
 __owur unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s);
 # ifndef OPENSSL_NO_STDIO
 int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *ses);
@@ -2169,6 +2175,7 @@ int ERR_load_SSL_strings(void);
 # define SSL_F_SSL_SESSION_DUP                            348
 # define SSL_F_SSL_SESSION_NEW                            189
 # define SSL_F_SSL_SESSION_PRINT_FP                       190
+# define SSL_F_SSL_SESSION_SET1_ID                        423
 # define SSL_F_SSL_SESSION_SET1_ID_CONTEXT                312
 # define SSL_F_SSL_SET_ALPN_PROTOS                        344
 # define SSL_F_SSL_SET_CERT                               191
@@ -2448,6 +2455,7 @@ int ERR_load_SSL_strings(void);
 # define SSL_R_SSL_SECTION_NOT_FOUND                      136
 # define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED             301
 # define SSL_R_SSL_SESSION_ID_CONFLICT                    302
+# define SSL_R_SSL_SESSION_ID_TOO_LONG                    408
 # define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG            273
 # define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH              303
 # define SSL_R_SSL_SESSION_VERSION_MISMATCH               210
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 11ad8e51e5..23e382cdd3 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -292,9 +292,13 @@ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG,0, (void *)arg)
 # define SSL_CTX_set_tlsext_ticket_keys(ctx, keys, keylen) \
         SSL_CTX_ctrl((ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,(keylen),(keys))
 
+# define SSL_CTX_get_tlsext_status_cb(ssl, cb) \
+SSL_CTX_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)
 # define SSL_CTX_set_tlsext_status_cb(ssl, cb) \
 SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB,(void (*)(void))cb)
 
+# define SSL_CTX_get_tlsext_status_arg(ssl, arg) \
+SSL_CTX_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG,0, (void *)arg
 # define SSL_CTX_set_tlsext_status_arg(ssl, arg) \
 SSL_CTX_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG,0, (void *)arg)
 
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index eea75a3c5d..81d21f2b68 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3340,6 +3340,14 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
         ctx->tlsext_status_arg = parg;
         return 1;
 
+    case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG:
+        *(void**)parg = ctx->tlsext_status_arg;
+        break;
+
+    case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB:
+        *(int (**)(SSL*, void*))parg = ctx->tlsext_status_cb;
+        break;
+
 #ifndef OPENSSL_NO_SRP
     case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME:
         ctx->srp_ctx.srp_Mask |= SSL_kSRP;
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index f573633ac6..9644fd2466 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -182,6 +182,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_SSL_SESSION_DUP), "ssl_session_dup"},
     {ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"},
     {ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"},
+    {ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID), "SSL_SESSION_set1_id"},
     {ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT),
      "SSL_SESSION_set1_id_context"},
     {ERR_FUNC(SSL_F_SSL_SET_ALPN_PROTOS), "SSL_set_alpn_protos"},
@@ -564,6 +565,8 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
     {ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT), "ssl session id conflict"},
     {ERR_REASON(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG),
      "ssl session id context too long"},
+    {ERR_REASON(SSL_R_SSL_SESSION_ID_TOO_LONG),
+     "ssl session id too long"},
     {ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),
      "ssl session id has bad length"},
     {ERR_REASON(SSL_R_SSL_SESSION_VERSION_MISMATCH),
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 1a2872c6e0..509175b1ab 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -240,6 +240,13 @@ const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
         *len = s->session_id_length;
     return s->session_id;
 }
+const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s,
+                                                unsigned int *len)
+{
+    if (len != NULL)
+        *len = s->sid_ctx_length;
+    return s->sid_ctx;
+}
 
 unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s)
 {
@@ -792,6 +799,19 @@ int SSL_set_session(SSL *s, SSL_SESSION *session)
     return 1;
 }
 
+int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
+                        unsigned int sid_len)
+{
+    if (sid_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
+      SSLerr(SSL_F_SSL_SESSION_SET1_ID,
+             SSL_R_SSL_SESSION_ID_TOO_LONG);
+      return 0;
+    }
+    s->session_id_length = sid_len;
+    memcpy(s->session_id, sid, sid_len);
+    return 1;
+}
+
 long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
 {
     if (s == NULL)
diff --git a/util/libssl.num b/util/libssl.num
index 02dfacef56..200629f74b 100644
--- a/util/libssl.num
+++ b/util/libssl.num
@@ -401,3 +401,5 @@ SSL_dane_set_flags                      401	1_1_0	EXIST::FUNCTION:
 SSL_CTX_dane_clear_flags                402	1_1_0	EXIST::FUNCTION:
 SSL_dane_clear_flags                    403	1_1_0	EXIST::FUNCTION:
 SSL_SESSION_get0_cipher                 404	1_1_0	EXIST::FUNCTION:
+SSL_SESSION_get0_id_context             405	1_1_0	EXIST::FUNCTION:
+SSL_SESSION_set1_id                     406	1_1_0	EXIST::FUNCTION: