提交 e586eac8 编写于 作者: M Matt Caswell

Add support for SSL_SESSION_is_resumable()

Provide a way to test whether the SSL_SESSION object can be used to resume a
sesion or not.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3008)
上级 3348fc7e
......@@ -1502,6 +1502,7 @@ __owur int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_
unsigned int sid_ctx_len);
__owur int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
unsigned int sid_len);
__owur int SSL_SESSION_is_resumable(const SSL_SESSION *s);
__owur SSL_SESSION *SSL_SESSION_new(void);
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
......
......@@ -46,12 +46,12 @@ static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
/*
* TODO(TLS1.3): SSL_get_session() and SSL_get1_session() are problematic in
* TLS1.3 because, unlike in earlier protocol versions, the session ticket
* may not have been sent yet even though a handshake has finished. The session
* ticket data could come in sometime later...or even change if multiple session
* ticket messages are sent from the server. We need to work out how to deal
* with this.
* SSL_get_session() and SSL_get1_session() are problematic in TLS1.3 because,
* unlike in earlier protocol versions, the session ticket may not have been
* sent yet even though a handshake has finished. The session ticket data could
* come in sometime later...or even change if multiple session ticket messages
* are sent from the server. The preferred way for applications to obtain
* a resumable session is to use SSL_CTX_sess_set_new_cb().
*/
SSL_SESSION *SSL_get_session(const SSL *ssl)
......@@ -929,6 +929,16 @@ int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
return 1;
}
int SSL_SESSION_is_resumable(const SSL_SESSION *s)
{
/*
* In the case of EAP-FAST, we can have a pre-shared "ticket" without a
* session ID.
*/
return !s->not_resumable
&& (s->session_id_length > 0 || s->ext.ticklen > 0);
}
long SSL_CTX_set_timeout(SSL_CTX *s, long t)
{
long l;
......
......@@ -1049,13 +1049,9 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
return 0;
}
if ((sess == NULL) || !ssl_version_supported(s, sess->ssl_version) ||
/*
* In the case of EAP-FAST, we can have a pre-shared
* "ticket" without a session ID.
*/
(!sess->session_id_length && !sess->ext.tick) ||
(sess->not_resumable)) {
if (sess == NULL
|| !ssl_version_supported(s, sess->ssl_version)
|| !SSL_SESSION_is_resumable(sess)) {
if (!ssl_get_new_session(s, 0))
return 0;
}
......
......@@ -440,3 +440,4 @@ SSL_get0_peer_CA_list 440 1_1_1 EXIST::FUNCTION:
SSL_CTX_add1_CA_list 441 1_1_1 EXIST::FUNCTION:
SSL_CTX_get0_CA_list 442 1_1_1 EXIST::FUNCTION:
SSL_CTX_add_custom_ext 443 1_1_1 EXIST::FUNCTION:
SSL_SESSION_is_resumable 444 1_1_1 EXIST::FUNCTION:
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册