For better forward-security support, add functions
SSL_[CTX_]set_not_resumable_session_callback.

Submitted by: Emilia Kasper (Google)

[A part of this change affecting ssl/s3_lib.c was accidentally commited
separately, together with a compilation fix for that file;
see s3_lib.c CVS revision 1.133 (http://cvs.openssl.org/chngview?cn=19855).]
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index c2874e7..bc6ece4 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1251,6 +1251,13 @@
 			goto f_err;
 			}
 		s->s3->tmp.new_cipher=c;
+		/* check whether we should disable session resumption */
+		if (s->not_resumable_session_cb != NULL)
+			s->session->not_resumable=s->not_resumable_session_cb(s,
+				((c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)) != 0));
+		if (s->session->not_resumable)
+			/* do not send a session ticket */
+			s->tlsext_ticket_expected = 0;
 		}
 	else
 		{
@@ -1354,8 +1361,9 @@
 		 * if session caching is disabled so existing functionality
 		 * is unaffected.
 		 */
-		if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
-			&& !s->hit)
+		if (s->session->not_resumable ||
+			(!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+				&& !s->hit))
 			s->session->session_id_length=0;
 
 		sl=s->session->session_id_length;
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 5a35c67..20e49ec 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -468,6 +468,9 @@
 	char *psk_identity_hint;
 	char *psk_identity;
 #endif
+	/* Used to indicate that session resumption is not allowed.
+	 * Applications can also set this bit for a new session via
+	 * not_resumable_session_cb to disable session caching and tickets. */
 	int not_resumable;
 
 	/* The cert is the certificate used to establish this connection */
@@ -811,6 +814,10 @@
 
 	X509_VERIFY_PARAM *param;
 
+	/* Callback for disabling session caching and ticket support
+	 * on a session basis, depending on the chosen cipher. */
+	int (*not_resumable_session_cb)(SSL *ssl, int is_forward_secure);
+
 #if 0
 	int purpose;		/* Purpose setting */
 	int trust;		/* Trust setting */
@@ -1088,6 +1095,10 @@
 
 	X509_VERIFY_PARAM *param;
 
+	/* Callback for disabling session caching and ticket support
+	 * on a session basis, depending on the chosen cipher. */
+	int (*not_resumable_session_cb)(SSL *ssl, int is_forward_secure);
+
 #if 0
 	int purpose;		/* Purpose setting */
 	int trust;		/* Trust setting */
@@ -1477,6 +1488,7 @@
 #define SSL_CTRL_GET_RI_SUPPORT			76
 #define SSL_CTRL_CLEAR_OPTIONS			77
 #define SSL_CTRL_CLEAR_MODE			78
+#define SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB	79
 
 #define DTLSv1_get_timeout(ssl, arg) \
 	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
@@ -1875,6 +1887,12 @@
                            unsigned char *context, int context_len,
                            unsigned char *out, int olen);
 
+void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx,
+	int (*cb)(SSL *ssl, int is_forward_secure));
+
+void SSL_set_not_resumable_session_callback(SSL *ssl,
+	int (*cb)(SSL *ssl, int is_forward_secure));
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ff71004..9dfa3aa 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -319,6 +319,7 @@
 	s->msg_callback=ctx->msg_callback;
 	s->msg_callback_arg=ctx->msg_callback_arg;
 	s->verify_mode=ctx->verify_mode;
+	s->not_resumable_session_cb=ctx->not_resumable_session_cb;
 #if 0
 	s->verify_depth=ctx->verify_depth;
 #endif
@@ -3164,6 +3165,19 @@
 	SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
 	}
 
+void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx,
+	int (*cb)(SSL *ssl, int is_forward_secure))
+	{
+	SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB,
+		(void (*)(void))cb);
+	}
+void SSL_set_not_resumable_session_callback(SSL *ssl,
+	int (*cb)(SSL *ssl, int is_forward_secure))
+	{
+	SSL_callback_ctrl(ssl, SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB,
+		(void (*)(void))cb);
+	}
+
 /* Allocates new EVP_MD_CTX and sets pointer to it into given pointer
  * vairable, freeing  EVP_MD_CTX previously stored in that variable, if
  * any. If EVP_MD pointer is passed, initializes ctx with this md