Changes between 0.9.8a and 0.9.9 [xx XXX xxxx]
- *) Add support for TLS extensions, specifically for the HostName extension
- so far. The SSL_SESSION, SSL_CTX, and SSL data structures now have new
- members for HostName support.
+ *) Add initial support for TLS extensions, specifically for the server_name
+ extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
+ have new members for a host name. The SSL data structure has an
+ additional member SSL_CTX *initial_ctx so that new sessions can be
+ stored in that context to allow for session resumption, even after the
+ SSL has been switched to a new SSL_CTX in reaction to a client's
+ server_name extension.
New functions (subject to change):
SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
- SSL_CTX_set_tlsext_servername_arg()
SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_hostname()
- SSL_CTRL_GET_TLSEXT_HOSTNAME [similar to SSL_get_servername()]
SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE
- SSL_set_tlsext_servername_done()
else
BIO_printf(bio_err,"Can't use SSL_get_servername\n");
- return SSL_ERROR_NONE;
+ return 1;
}
#endif
{
tlsextctx * p = (tlsextctx *) arg;
const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
- if (servername)
+ if (servername && p->biodebug)
BIO_printf(p->biodebug,"Hostname in TLS extension: \"%s\"\n",servername);
if (!p->servername)
{
SSL_set_tlsext_servername_done(s,2);
- return SSL_ERROR_NONE;
+ return 1;
}
if (servername)
{
if (strcmp(servername,p->servername))
- return TLS1_AD_UNRECOGNIZED_NAME;
+ return 0;
if (ctx2)
SSL_set_SSL_CTX(s,ctx2);
SSL_set_tlsext_servername_done(s,1);
}
- return SSL_ERROR_NONE;
+ return 1;
}
#endif
{
if (--argc < 1) goto bad;
tlsextcbp.servername= *(++argv);
- /* meth=TLSv1_server_method(); */
}
else if (strcmp(*argv,"-cert2") == 0)
{
break;
#endif /* !OPENSSL_NO_ECDH */
#ifndef OPENSSL_NO_TLSEXT
- case SSL_CTRL_GET_TLSEXT_HOSTNAME:
- if (larg != TLSEXT_NAMETYPE_host_name)
- {
- SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
- return(0);
- }
- /* XXX cf. SSL_get_servername() (ssl_lib.c) */
- if (s->session && s->session->tlsext_hostname)
- *((char **) parg) = s->session->tlsext_hostname;
- else
- *((char **) parg) = s->tlsext_hostname;
- ret = 1;
- break;
case SSL_CTRL_SET_TLSEXT_HOSTNAME:
if (larg == TLSEXT_NAMETYPE_host_name)
{
1 : prepare 2, allow last ack just after in server callback.
2 : don't call servername callback, no ack in server hello
*/
+ SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
#endif
};
#define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52
/* see tls.h for macros based on these */
+#ifndef OPENSSL_NO_TLSEXT
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54
#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
-#define SSL_CTRL_GET_TLSEXT_HOSTNAME 56
-#define SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE 57
+#define SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE 56
+#endif
#define SSL_session_reused(ssl) \
SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
s->ctx=ctx;
+#ifndef OPENSSL_NO_TLSEXT
+ CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
+ s->initial_ctx=ctx;
+#endif
s->verify_result=X509_V_OK;
/* Free up if allocated */
if (s->ctx) SSL_CTX_free(s->ctx);
+#ifndef OPENSSL_NO_TLSEXT
+ if (s->initial_ctx) SSL_CTX_free(s->initial_ctx);
+#endif
if (s->client_CA != NULL)
sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free);
#include <openssl/rand.h>
#include "ssl_locl.h"
+#ifndef OPENSSL_NO_TLSEXT
+#define session_ctx initial_ctx
+#else
+#define session_ctx ctx
+#endif
+
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
if ((ss=SSL_SESSION_new()) == NULL) return(0);
/* If the context has a default timeout, use it */
- if (s->ctx->session_timeout == 0)
+ if (s->session_ctx->session_timeout == 0)
ss->timeout=SSL_get_default_timeout(s);
else
ss->timeout=s->ctx->session_timeout;
CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
if(s->generate_session_id)
cb = s->generate_session_id;
- else if(s->ctx->generate_session_id)
- cb = s->ctx->generate_session_id;
+ else if(s->session_ctx->generate_session_id)
+ cb = s->session_ctx->generate_session_id;
CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
/* Choose a session ID */
tmp = ss->session_id_length;
goto err;
memcpy(data.session_id,session_id,len);
- if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
+ if (!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
{
CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
- ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,&data);
+ ret=(SSL_SESSION *)lh_retrieve(s->session_ctx->sessions,&data);
if (ret != NULL)
/* don't allow other threads to steal it: */
CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
{
int copy=1;
- s->ctx->stats.sess_miss++;
+ s->session_ctx->stats.sess_miss++;
ret=NULL;
- if (s->ctx->get_session_cb != NULL
- && (ret=s->ctx->get_session_cb(s,session_id,len,©))
+ if (s->session_ctx->get_session_cb != NULL
+ && (ret=s->session_ctx->get_session_cb(s,session_id,len,©))
!= NULL)
{
- s->ctx->stats.sess_cb_hit++;
+ s->session_ctx->stats.sess_cb_hit++;
/* Increment reference count now if the session callback
* asks us to do so (note that if the session structures
/* Add the externally cached session to the internal
* cache as well if and only if we are supposed to. */
- if(!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
+ if(!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
/* The following should not return 1, otherwise,
* things are very strange */
- SSL_CTX_add_session(s->ctx,ret);
+ SSL_CTX_add_session(s->session_ctx,ret);
}
if (ret == NULL)
goto err;
if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */
{
- s->ctx->stats.sess_timeout++;
+ s->session_ctx->stats.sess_timeout++;
/* remove it from the cache */
- SSL_CTX_remove_session(s->ctx,ret);
+ SSL_CTX_remove_session(s->session_ctx,ret);
goto err;
}
- s->ctx->stats.sess_hit++;
+ s->session_ctx->stats.sess_hit++;
/* ret->time=time(NULL); */ /* rezero timeout? */
/* again, just leave the session
#define TLSEXT_TYPE_trusted_ca_keys 3
#define TLSEXT_TYPE_truncated_hmac 4
#define TLSEXT_TYPE_status_request 5
-#if 0
-#define TLSEXT_TYPE_srp 6
-#endif
/* NameType value from RFC 3546 */
#define TLSEXT_NAMETYPE_host_name 0
#define SSL_set_tlsext_servername_done(s,t) \
SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE,t, NULL)
-
-#if 0
-# if 0
-
- #define SSL_get_tlsext_hostname(s,psn) \
- SSL_ctrl(s,SSL_CTRL_GET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name, (void *)psn)
-# else
- /* XXX this looks weird for a macro, define a function instead? */
- * or just used SSL_get_servername() directly ... */
- #define SSL_get_tlsext_hostname(s,psn) \
- (*psn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name),*psn != NULL)
-# endif
-#endif
#endif
projects / openssl.git / commitdiff