Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit fd113c0

Browse files
bdcgooglebdcgoogle
committed
Adding SSL_set_session_creation_enabled for SSLSocket.setEnableSessionCreation(false) support
SSL_set_session_creation_enabled implementation Add session_creation_enabled to ssl_st (aka SSL) Add SSL_set_session_creation_enabled(SSL*, int) declaration Add SSL_R_SESSION_MAY_NOT_BE_CREATED error reason include/openssl/ssl.h ssl/ssl.h Before creating session, check if session_creation_enabled. If not, error out, sending alert when possible in SSL3+ cases. ssl/d1_clnt.c ssl/s23_clnt.c ssl/s3_clnt.c ssl/s3_srvr.c Add error message for SSL_R_SESSION_MAY_NOT_BE_CREATED ssl/ssl_err.c Initialize session_creation_enabled to 1 in SSL_new ssl/ssl_lib.c Definition of SSL_set_session_creation_enabled. Add lower level check for session_creation_enabled in ssl_get_new_session in case it is not caught by higher levels. ssl/ssl_sess.c Patch details Added jsse.patch to list and add list of patched files. Fix whitespace to be tabs for consistency. openssl.config Add description of jsse.patch patches/README The patch itself, containing the above described changes patches/jsse.patch Testing Updated with note to run javax.net.ssl tests now that they are working reliably. README.android Change-Id: I21763ffbb29278b1c2d88d947eb780f38f637b2d
1 parent 0e804ca commit fd113c0

13 files changed

Lines changed: 251 additions & 18 deletions

File tree

README.android

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -51,6 +51,7 @@ The following steps are recommended for porting new OpenSSL versions.
5151

5252
(cd android.testssl/ && ./testssl.sh)
5353
adb shell run-core-tests tests.xnet.AllTests
54+
adb shell run-core-tests javax.net.ssl.AllTests
5455
adb shell run-core-tests org.apache.harmony.math.tests.java.math.AllTests
5556
adb shell run-core-tests tests.api.java.math.BigIntegerTest
5657
adb shell am start https://online.citibank.com # confirm result in browser

include/openssl/ssl.h

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1090,6 +1090,9 @@ struct ssl_st
10901090
/* This can also be in the session once a session is established */
10911091
SSL_SESSION *session;
10921092

1093+
/* This can be disabled to prevent the use of uncached sessions */
1094+
int session_creation_enabled;
1095+
10931096
/* Default generate session ID callback. */
10941097
GEN_SESSION_CB generate_session_id;
10951098

@@ -1568,6 +1571,7 @@ int SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
15681571
void SSL_SESSION_free(SSL_SESSION *ses);
15691572
int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
15701573
int SSL_set_session(SSL *to, SSL_SESSION *session);
1574+
void SSL_set_session_creation_enabled(SSL *, int);
15711575
int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
15721576
int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c);
15731577
int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
@@ -2213,6 +2217,7 @@ void ERR_load_SSL_strings(void);
22132217
#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345
22142218
#define SSL_R_SERVERHELLO_TLSEXT 275
22152219
#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
2220+
#define SSL_R_SESSION_MAY_NOT_BE_CREATED 2000
22162221
#define SSL_R_SHORT_READ 219
22172222
#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
22182223
#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221

openssl.config

Lines changed: 30 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
CONFIGURE_ARGS="\
2-
linux-generic32 \
3-
no-idea no-bf no-cast no-seed no-md2 no-whrlpool \
2+
linux-generic32 \
3+
no-idea no-bf no-cast no-seed no-md2 no-whrlpool \
44
-DL_ENDIAN"
55

66
# unneeded directories
@@ -38,7 +38,7 @@ UNNEEDED_SOURCES+="\
3838
CHANGES \
3939
CHANGES.SSLeay \
4040
ChangeLog.0_9_7-stable_not-in-head \
41-
ChangeLog.0_9_7-stable_not-in-head_FIPS \
41+
ChangeLog.0_9_7-stable_not-in-head_FIPS \
4242
Configure \
4343
FAQ \
4444
INSTALL \
@@ -163,28 +163,40 @@ OPENSSL_PATCHES="\
163163
progs.patch \
164164
small_records.patch \
165165
handshake_cutthrough.patch \
166+
jsse.patch \
166167
"
167168

168169
OPENSSL_PATCHES_progs_SOURCES="\
169-
apps/progs.h \
170+
apps/progs.h \
170171
apps/speed.c"
171172

172173
OPENSSL_PATCHES_handshake_cutthrough_SOURCES="\
173-
apps/s_client.c \
174-
ssl/s3_clnt.c \
175-
ssl/s3_lib.c \
176-
ssl/ssl.h \
177-
ssl/ssl3.h \
178-
ssl/ssl_lib.c \
179-
ssl/ssltest.c \
174+
apps/s_client.c \
175+
ssl/s3_clnt.c \
176+
ssl/s3_lib.c \
177+
ssl/ssl.h \
178+
ssl/ssl3.h \
179+
ssl/ssl_lib.c \
180+
ssl/ssltest.c \
180181
test/testssl"
181182

182183
OPENSSL_PATCHES_small_records_SOURCES="\
183-
ssl/d1_pkt.c \
184-
ssl/s23_srvr.c \
185-
ssl/s3_both.c \
186-
ssl/s3_pkt.c \
187-
ssl/ssl.h \
188-
ssl/ssl3.h \
189-
ssl/ssltest.c \
184+
ssl/d1_pkt.c \
185+
ssl/s23_srvr.c \
186+
ssl/s3_both.c \
187+
ssl/s3_pkt.c \
188+
ssl/ssl.h \
189+
ssl/ssl3.h \
190+
ssl/ssltest.c \
190191
test/testssl"
192+
193+
OPENSSL_PATCHES_jsse_SOURCES="\
194+
ssl/ssl.h \
195+
ssl/d1_clnt.c \
196+
ssl/s23_clnt.c \
197+
ssl/s3_clnt.c \
198+
ssl/s3_srvr.c \
199+
ssl/ssl_err.c \
200+
ssl/ssl_lib.c \
201+
ssl/ssl_sess.c \
202+
"

patches/README

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,3 +21,9 @@ Enables SSL3+ clients to send application data immediately following the
2121
Finished message even when negotiating full-handshakes. With this patch,
2222
clients can negotiate SSL connections in 1-RTT even when performing
2323
full-handshakes.
24+
25+
jsse.patch
26+
27+
Support for JSSE implementation based on OpenSSL.
28+
29+

patches/jsse.patch

Lines changed: 158 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,158 @@
1+
--- openssl-1.0.0.orig/ssl/ssl.h 2010-01-06 09:37:38.000000000 -0800
2+
+++ openssl-1.0.0/ssl/ssl.h 2010-05-03 01:44:52.000000000 -0700
3+
@@ -1083,6 +1090,9 @@ struct ssl_st
4+
/* This can also be in the session once a session is established */
5+
SSL_SESSION *session;
6+
7+
+ /* This can be disabled to prevent the use of uncached sessions */
8+
+ int session_creation_enabled;
9+
+
10+
/* Default generate session ID callback. */
11+
GEN_SESSION_CB generate_session_id;
12+
13+
@@ -1559,6 +1571,7 @@ int SSL_SESSION_print(BIO *fp,const SSL_
14+
void SSL_SESSION_free(SSL_SESSION *ses);
15+
int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
16+
int SSL_set_session(SSL *to, SSL_SESSION *session);
17+
+void SSL_set_session_creation_enabled(SSL *, int);
18+
int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
19+
int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c);
20+
int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
21+
@@ -2204,6 +2217,7 @@ void ERR_load_SSL_strings(void);
22+
#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345
23+
#define SSL_R_SERVERHELLO_TLSEXT 275
24+
#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
25+
+#define SSL_R_SESSION_MAY_NOT_BE_CREATED 2000
26+
#define SSL_R_SHORT_READ 219
27+
#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
28+
#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
29+
--- openssl-1.0.0.orig/ssl/d1_clnt.c 2010-01-26 11:46:29.000000000 -0800
30+
+++ openssl-1.0.0/ssl/d1_clnt.c 2010-05-03 01:44:52.000000000 -0700
31+
@@ -613,6 +613,12 @@ int dtls1_client_hello(SSL *s)
32+
#endif
33+
(s->session->not_resumable))
34+
{
35+
+ if (!s->session_creation_enabled)
36+
+ {
37+
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
38+
+ SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
39+
+ goto err;
40+
+ }
41+
if (!ssl_get_new_session(s,0))
42+
goto err;
43+
}
44+
--- openssl-1.0.0.orig/ssl/s23_clnt.c 2010-02-16 06:20:40.000000000 -0800
45+
+++ openssl-1.0.0/ssl/s23_clnt.c 2010-05-03 01:44:52.000000000 -0700
46+
@@ -687,6 +687,13 @@ static int ssl23_get_server_hello(SSL *s
47+
48+
/* Since, if we are sending a ssl23 client hello, we are not
49+
* reusing a session-id */
50+
+ if (!s->session_creation_enabled)
51+
+ {
52+
+ if (!(s->client_version == SSL2_VERSION))
53+
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
54+
+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
55+
+ goto err;
56+
+ }
57+
if (!ssl_get_new_session(s,0))
58+
goto err;
59+
60+
--- openssl-1.0.0.orig/ssl/s3_clnt.c 2010-02-27 16:24:24.000000000 -0800
61+
+++ openssl-1.0.0/ssl/s3_clnt.c 2010-05-03 01:44:52.000000000 -0700
62+
@@ -621,6 +668,12 @@ int ssl3_client_hello(SSL *s)
63+
#endif
64+
(sess->not_resumable))
65+
{
66+
+ if (!s->session_creation_enabled)
67+
+ {
68+
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
69+
+ SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
70+
+ goto err;
71+
+ }
72+
if (!ssl_get_new_session(s,0))
73+
goto err;
74+
}
75+
@@ -829,6 +882,12 @@ int ssl3_get_server_hello(SSL *s)
76+
s->hit=0;
77+
if (s->session->session_id_length > 0)
78+
{
79+
+ if (!s->session_creation_enabled)
80+
+ {
81+
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
82+
+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
83+
+ goto err;
84+
+ }
85+
if (!ssl_get_new_session(s,0))
86+
{
87+
al=SSL_AD_INTERNAL_ERROR;
88+
--- openssl-1.0.0.orig/ssl/s3_srvr.c 2010-02-27 15:04:10.000000000 -0800
89+
+++ openssl-1.0.0/ssl/s3_srvr.c 2010-05-03 01:44:52.000000000 -0700
90+
@@ -869,6 +869,12 @@ int ssl3_get_client_hello(SSL *s)
91+
*/
92+
if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
93+
{
94+
+ if (!s->session_creation_enabled)
95+
+ {
96+
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
97+
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
98+
+ goto err;
99+
+ }
100+
if (!ssl_get_new_session(s,1))
101+
goto err;
102+
}
103+
@@ -883,6 +889,12 @@ int ssl3_get_client_hello(SSL *s)
104+
goto err;
105+
else /* i == 0 */
106+
{
107+
+ if (!s->session_creation_enabled)
108+
+ {
109+
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
110+
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
111+
+ goto err;
112+
+ }
113+
if (!ssl_get_new_session(s,1))
114+
goto err;
115+
}
116+
--- openssl-1.0.0.orig/ssl/ssl_err.c 2010-01-06 09:37:38.000000000 -0800
117+
+++ openssl-1.0.0/ssl/ssl_err.c 2010-05-03 01:44:52.000000000 -0700
118+
@@ -462,6 +462,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
119+
{ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"},
120+
{ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) ,"serverhello tlsext"},
121+
{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
122+
+{ERR_REASON(SSL_R_SESSION_MAY_NOT_BE_CREATED),"session may not be created"},
123+
{ERR_REASON(SSL_R_SHORT_READ) ,"short read"},
124+
{ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"},
125+
{ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"},
126+
--- openssl-1.0.0.orig/ssl/ssl_lib.c 2010-02-17 11:43:46.000000000 -0800
127+
+++ openssl-1.0.0/ssl/ssl_lib.c 2010-05-03 01:44:52.000000000 -0700
128+
@@ -326,6 +326,7 @@ SSL *SSL_new(SSL_CTX *ctx)
129+
OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
130+
memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
131+
s->verify_callback=ctx->default_verify_callback;
132+
+ s->session_creation_enabled=1;
133+
s->generate_session_id=ctx->generate_session_id;
134+
135+
s->param = X509_VERIFY_PARAM_new();
136+
--- openssl-1.0.0.orig/ssl/ssl_sess.c 2010-02-01 08:49:42.000000000 -0800
137+
+++ openssl-1.0.0/ssl/ssl_sess.c 2010-05-03 01:44:52.000000000 -0700
138+
@@ -261,6 +261,11 @@ static int def_generate_session_id(const
139+
return 0;
140+
}
141+
142+
+void SSL_set_session_creation_enabled (SSL *s, int creation_enabled)
143+
+ {
144+
+ s->session_creation_enabled = creation_enabled;
145+
+ }
146+
+
147+
int ssl_get_new_session(SSL *s, int session)
148+
{
149+
/* This gets used by clients and servers. */
150+
@@ -269,6 +274,8 @@ int ssl_get_new_session(SSL *s, int sess
151+
SSL_SESSION *ss=NULL;
152+
GEN_SESSION_CB cb = def_generate_session_id;
153+
154+
+ /* caller should check this if they can do better error handling */
155+
+ if (!s->session_creation_enabled) return(0);
156+
if ((ss=SSL_SESSION_new()) == NULL) return(0);
157+
158+
/* If the context has a default timeout, use it */

ssl/d1_clnt.c

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -613,6 +613,12 @@ int dtls1_client_hello(SSL *s)
613613
#endif
614614
(s->session->not_resumable))
615615
{
616+
if (!s->session_creation_enabled)
617+
{
618+
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
619+
SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
620+
goto err;
621+
}
616622
if (!ssl_get_new_session(s,0))
617623
goto err;
618624
}

ssl/s23_clnt.c

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -687,6 +687,13 @@ static int ssl23_get_server_hello(SSL *s)
687687

688688
/* Since, if we are sending a ssl23 client hello, we are not
689689
* reusing a session-id */
690+
if (!s->session_creation_enabled)
691+
{
692+
if (!(s->client_version == SSL2_VERSION))
693+
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
694+
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
695+
goto err;
696+
}
690697
if (!ssl_get_new_session(s,0))
691698
goto err;
692699

ssl/s3_clnt.c

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -668,6 +668,12 @@ int ssl3_client_hello(SSL *s)
668668
#endif
669669
(sess->not_resumable))
670670
{
671+
if (!s->session_creation_enabled)
672+
{
673+
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
674+
SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
675+
goto err;
676+
}
671677
if (!ssl_get_new_session(s,0))
672678
goto err;
673679
}
@@ -876,6 +882,12 @@ int ssl3_get_server_hello(SSL *s)
876882
s->hit=0;
877883
if (s->session->session_id_length > 0)
878884
{
885+
if (!s->session_creation_enabled)
886+
{
887+
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
888+
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
889+
goto err;
890+
}
879891
if (!ssl_get_new_session(s,0))
880892
{
881893
al=SSL_AD_INTERNAL_ERROR;

ssl/s3_srvr.c

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -869,6 +869,12 @@ int ssl3_get_client_hello(SSL *s)
869869
*/
870870
if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
871871
{
872+
if (!s->session_creation_enabled)
873+
{
874+
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
875+
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
876+
goto err;
877+
}
872878
if (!ssl_get_new_session(s,1))
873879
goto err;
874880
}
@@ -883,6 +889,12 @@ int ssl3_get_client_hello(SSL *s)
883889
goto err;
884890
else /* i == 0 */
885891
{
892+
if (!s->session_creation_enabled)
893+
{
894+
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
895+
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
896+
goto err;
897+
}
886898
if (!ssl_get_new_session(s,1))
887899
goto err;
888900
}

ssl/ssl.h

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1090,6 +1090,9 @@ struct ssl_st
10901090
/* This can also be in the session once a session is established */
10911091
SSL_SESSION *session;
10921092

1093+
/* This can be disabled to prevent the use of uncached sessions */
1094+
int session_creation_enabled;
1095+
10931096
/* Default generate session ID callback. */
10941097
GEN_SESSION_CB generate_session_id;
10951098

@@ -1568,6 +1571,7 @@ int SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
15681571
void SSL_SESSION_free(SSL_SESSION *ses);
15691572
int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
15701573
int SSL_set_session(SSL *to, SSL_SESSION *session);
1574+
void SSL_set_session_creation_enabled(SSL *, int);
15711575
int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
15721576
int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c);
15731577
int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
@@ -2213,6 +2217,7 @@ void ERR_load_SSL_strings(void);
22132217
#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345
22142218
#define SSL_R_SERVERHELLO_TLSEXT 275
22152219
#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
2220+
#define SSL_R_SESSION_MAY_NOT_BE_CREATED 2000
22162221
#define SSL_R_SHORT_READ 219
22172222
#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
22182223
#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221

0 commit comments

Comments
 (0)