Add mode to disallow session creation.
Android needs this and it was patched into their OpenSSL in
https://android.googlesource.com/platform/external/openssl.git/+/master/patches/0003-jsse.patch
It appears that this is needed because javax.net.ssl.SSLEngine has it as
part of its interface and thus it's part of the Android API. No idea why
anything would ever want to disable that though.
Change-Id: I9c6279a961637f44936889edbe269b9d5c19746d
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index c042256..a1412ab 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -671,6 +671,11 @@
* attacks. */
#define SSL_MODE_CBC_RECORD_SPLITTING 0x00000100L
+/* SSL_MODE_NO_SESSION_CREATION will cause any attempts to create a session to
+ * fail with SSL_R_SESSION_MAY_NOT_BE_CREATED. This can be used to enforce that
+ * session resumption is used for a given SSL*. */
+#define SSL_MODE_NO_SESSION_CREATION 0x00000200L
+
/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
* they cannot be used to clear bits. */
@@ -2809,6 +2814,7 @@
#define SSL_R_DECODE_ERROR 439
#define SSL_R_UNPROCESSED_HANDSHAKE_DATA 440
#define SSL_R_HANDSHAKE_RECORD_BEFORE_CCS 441
+#define SSL_R_SESSION_MAY_NOT_BE_CREATED 442
#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
diff --git a/ssl/ssl_error.c b/ssl/ssl_error.c
index 7a7a3ad..12c1ffd 100644
--- a/ssl/ssl_error.c
+++ b/ssl/ssl_error.c
@@ -430,6 +430,7 @@
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING), "SCSV_RECEIVED_WHEN_RENEGOTIATING"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SERVERHELLO_TLSEXT), "SERVERHELLO_TLSEXT"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED), "SESSION_ID_CONTEXT_UNINITIALIZED"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SESSION_MAY_NOT_BE_CREATED), "SESSION_MAY_NOT_BE_CREATED"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SHORT_READ), "SHORT_READ"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SIGNATURE_ALGORITHMS_ERROR), "SIGNATURE_ALGORITHMS_ERROR"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE), "SIGNATURE_FOR_NON_SIGNING_CERTIFICATE"},
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index ffc0d15..75e2110 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -274,6 +274,12 @@
SSL_SESSION *ss=NULL;
GEN_SESSION_CB cb = def_generate_session_id;
+ if (s->mode & SSL_MODE_NO_SESSION_CREATION)
+ {
+ OPENSSL_PUT_ERROR(SSL, ssl_get_new_session, SSL_R_SESSION_MAY_NOT_BE_CREATED);
+ return 0;
+ }
+
if ((ss=SSL_SESSION_new()) == NULL) return(0);
/* If the context has a default timeout, use it */
