Commit e586eac8 authored by Matt Caswell's avatar Matt Caswell

Add support for SSL_SESSION_is_resumable()



Provide a way to test whether the SSL_SESSION object can be used to resume a
session or not.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3008)
parent 3348fc7e
+1 −0
@@ -1502,6 +1502,7 @@ __owur int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_
                                unsigned int sid_ctx_len);
__owur int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
                               unsigned int sid_len);
__owur int SSL_SESSION_is_resumable(const SSL_SESSION *s);

__owur SSL_SESSION *SSL_SESSION_new(void);
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
+16 −6
@@ -46,12 +46,12 @@ static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);

/*
 * TODO(TLS1.3): SSL_get_session() and SSL_get1_session() are problematic in
 * TLS1.3 because, unlike in earlier protocol versions, the session ticket
 * may not have been sent yet even though a handshake has finished. The session
 * ticket data could come in sometime later...or even change if multiple session
 * ticket messages are sent from the server. We need to work out how to deal
 * with this.
 * SSL_get_session() and SSL_get1_session() are problematic in TLS1.3 because,
 * unlike in earlier protocol versions, the session ticket may not have been
 * sent yet even though a handshake has finished. The session ticket data could
 * come in sometime later...or even change if multiple session ticket messages
 * are sent from the server. The preferred way for applications to obtain
 * a resumable session is to use SSL_CTX_sess_set_new_cb().
 */

SSL_SESSION *SSL_get_session(const SSL *ssl)
@@ -929,6 +929,16 @@ int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
    return 1;
}

int SSL_SESSION_is_resumable(const SSL_SESSION *s)
{
    /*
     * In the case of EAP-FAST, we can have a pre-shared "ticket" without a
     * session ID.
     */
    return !s->not_resumable
           && (s->session_id_length > 0 || s->ext.ticklen > 0);
}

long SSL_CTX_set_timeout(SSL_CTX *s, long t)
{
    long l;
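Review bot: SSL_SESSION_is_resumable() reports only the session's intrinsic state — the not_resumable flag and whether a session ID or ticket is present — and says nothing about the session having timed out or about protocol-version compatibility, which the caller shown in tls_construct_client_hello still checks separately via ssl_version_supported(). Since the function is exported as public API, that contract should be visible where callers look; a header comment such as `/* Returns 1 if the session is not marked not_resumable and carries a session ID or a ticket; does not check the session timeout or protocol version. */` would do. Note also that the ticket test uses `s->ext.ticklen > 0` where the check it replaces in tls_construct_client_hello tested the `ext.tick` pointer; the two presumably agree as long as ticklen is kept in step with tick, but the change is subtle enough to deserve a line in the commit message.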
+3 −7
@@ -1049,13 +1049,9 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
        return 0;
    }

    if ((sess == NULL) || !ssl_version_supported(s, sess->ssl_version) ||
        /*
         * In the case of EAP-FAST, we can have a pre-shared
         * "ticket" without a session ID.
         */
        (!sess->session_id_length && !sess->ext.tick) ||
        (sess->not_resumable)) {
    if (sess == NULL
            || !ssl_version_supported(s, sess->ssl_version)
            || !SSL_SESSION_is_resumable(sess)) {
        if (!ssl_get_new_session(s, 0))
            return 0;
    }
+1 −0
@@ -440,3 +440,4 @@ SSL_get0_peer_CA_list 440 1_1_1 EXIST::FUNCTION:
SSL_CTX_add1_CA_list                    441	1_1_1	EXIST::FUNCTION:
SSL_CTX_get0_CA_list                    442	1_1_1	EXIST::FUNCTION:
SSL_CTX_add_custom_ext                  443	1_1_1	EXIST::FUNCTION:
SSL_SESSION_is_resumable                444	1_1_1	EXIST::FUNCTION: