Add ctrls to set and get RFC4507bis keys to enable several contexts to

reuse the same tickets.

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 872f8fdd891100c3ad889e02cefd31a9bb4ae32c..7a4ddd8548e4cffc0ab0679d71426118b5fe063d 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2536,6 +2536,31 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
        case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
                ctx->tlsext_servername_arg=parg;
                break;
+       case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
+       case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
+               {
+               unsigned char *keys = parg;
+               if (!keys)
+                       return 48;
+               if (larg != 48)
+                       {
+                       SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
+                       return 0;
+                       }
+               if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS)
+                       {
+                       memcpy(ctx->tlsext_tick_key_name, keys, 16);
+                       memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16);
+                       memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16);
+                       }
+               else
+                       {
+                       memcpy(keys, ctx->tlsext_tick_key_name, 16);
+                       memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16);
+                       memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16);
+                       }
+               return 1;
+               }
 #endif /* !OPENSSL_NO_TLSEXT */
        /* A Thawte special :-) */
        case SSL_CTRL_EXTRA_CHAIN_CERT:

diff --git a/ssl/ssl.h b/ssl/ssl.h
index dc04c7bfab663b91fa2f332eda6ccdce29a516f0..3f3be3990265cce09942a7d9b4c909710fc820ec 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1302,6 +1302,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_SET_TLSEXT_HOSTNAME           55
 #define SSL_CTRL_SET_TLSEXT_DEBUG_CB           56
 #define SSL_CTRL_SET_TLSEXT_DEBUG_ARG          57
+#define SSL_CTRL_GET_TLSEXT_TICKET_KEYS                58
+#define SSL_CTRL_SET_TLSEXT_TICKET_KEYS                59
 #endif
 
 #define SSL_session_reused(ssl) \
@@ -1946,6 +1948,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_INVALID_CHALLENGE_LENGTH                  158
 #define SSL_R_INVALID_COMMAND                           280
 #define SSL_R_INVALID_PURPOSE                           278
+#define SSL_R_INVALID_TICKET_KEYS_LENGTH                324
 #define SSL_R_INVALID_TRUST                             279
 #define SSL_R_KEY_ARG_TOO_LONG                          284
 #define SSL_R_KRB5                                      285

diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 2d5dc7a8dc03336758e9104a8c21d845c044072e..6520cda329b330eb4239566d65619bd794a45e6c 100644 (file)
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -338,6 +338,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
 {ERR_REASON(SSL_R_INVALID_COMMAND)       ,"invalid command"},
 {ERR_REASON(SSL_R_INVALID_PURPOSE)       ,"invalid purpose"},
+{ERR_REASON(SSL_R_INVALID_TICKET_KEYS_LENGTH),"invalid ticket keys length"},
 {ERR_REASON(SSL_R_INVALID_TRUST)         ,"invalid trust"},
 {ERR_REASON(SSL_R_KEY_ARG_TOO_LONG)      ,"key arg too long"},
 {ERR_REASON(SSL_R_KRB5)                  ,"krb5"},

diff --git a/ssl/tls1.h b/ssl/tls1.h
index e166bcb1fc5e9245420a32fef1fa9b6e725eeaca..bf802d9e146f5bad369f78cd970eb445f88d4c8a 100644 (file)
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -230,6 +230,11 @@ SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_CB,(void (*)(void))cb)
 
 #define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \
 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG,0, (void *)arg)
+
+#define SSL_CTX_get_tlsext_ticket_keys(ctx, keys, keylen) \
+       SSL_CTX_ctrl((ctx),SSL_CTRL_GET_TLXEXT_TICKET_KEYS,(keylen),(keys))
+#define SSL_CTX_set_tlsext_ticket_keys(ctx, keys, keylen) \
+       SSL_CTX_ctrl((ctx),SSL_CTRL_SET_TLXEXT_TICKET_KEYS,(keylen),(keys))
 #endif
 
 /* PSK ciphersuites from 4279 */