Add new config MBEDTLS_SSL_SESSION_RESUMPTION

Add a new configuration option MBEDTLS_SSL_SESSION_RESUMPTION to enable/disable the session resumption feature including ticket and cache based session resumption.
2024-11-23 00:15:40 +01:00 · 2019-06-18 13:49:02 +03:00 · 2019-06-18 13:49:02 +03:00 · 59bd12bf14
commit 59bd12bf14
parent 590bf51cbb
7 changed files with 44 additions and 0 deletions
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@ -671,6 +671,12 @@
 #error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites"
 #endif

+#if ( defined(MBEDTLS_SSL_SESSION_TICKETS) ||  \
+      defined(MBEDTLS_SSL_SESSION_CACHE) ) &&  \
+      !defined(MBEDTLS_SSL_SESSION_RESUMPTION)
+#error "MBEDTLS_SSL_SESSION_TICKETS/MBEDTLS_SESSION_CACHE cannot be defined without MBEDTLS_SSL_SESSION_RESUMPTION"
+#endif
+
 #if defined(MBEDTLS_THREADING_PTHREAD)
 #if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
 #error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites"
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -1676,6 +1676,14 @@
 */
 #define MBEDTLS_SSL_SESSION_CACHE

+/**
+ * \def MBEDTLS_SSL_SESSION_RESUMPTION
+ *
+ *
+ * Comment this macro to disable support for SSL session resumption
+ */
+#define MBEDTLS_SSL_SESSION_RESUMPTION
+
 /**
 * \def MBEDTLS_SSL_EXPORT_KEYS
 *
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@ -509,7 +509,9 @@ struct mbedtls_ssl_handshake_params
    unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
                                        /*!<  premaster secret        */

+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
    int resume;                         /*!<  session resume indicator*/
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */
    int max_major_ver;                  /*!< max. major version client*/
    int max_minor_ver;                  /*!< max. minor version client*/
    int cli_exts;                       /*!< client extension presence*/
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@ -888,7 +888,11 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
        ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
 #endif
+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
        ssl->handshake->resume == 0 )
+#else /* MBEDTLS_SSL_SESSION_RESUMPTION */
+        0 )
+#endif
    {
        n = 0;
    }
@ -1795,6 +1799,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
    MBEDTLS_SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 35, n );

+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
    /*
     * Check if the session can be resumed
     */
@ -1818,6 +1823,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
        memcpy( ssl->session_negotiate->id, buf + 35, n );
    }
    else
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */
    {
        ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;

@ -1830,8 +1836,10 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
        }
    }

+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
                   ssl->handshake->resume ? "a" : "no" ) );
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -2656,7 +2656,9 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
    }
 #endif /* MBEDTLS_SSL_SESSION_CACHE */

+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
    if( ssl->handshake->resume == 0 )
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */
    {
        /*
         * New session, create a new session id,
@ -2683,6 +2685,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
                return( ret );
        }
    }
+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
    else
    {
        /*
@ -2697,6 +2700,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
            return( ret );
        }
    }
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */

    /*
     *    38  .  38     session id length
@ -2712,8 +2716,10 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
    MBEDTLS_SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 39, n );
+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
                   ssl->handshake->resume ? "a" : "no" ) );
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */

    *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
    *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite      );
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -1263,11 +1263,13 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
    (void) ssl;
 #endif

+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
    if( handshake->resume != 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
        return( 0 );
    }
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */

    MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
                                                  handshake->pmslen );
@ -7364,6 +7366,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
    ssl->out_msg[0]  = MBEDTLS_SSL_HS_FINISHED;

+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
    /*
     * In case of session resuming, invert the client and server
     * ChangeCipherSpec messages order.
@ -7380,6 +7383,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
 #endif
    }
    else
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */
        ssl->state++;

    /*
@ -7520,6 +7524,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
    memcpy( ssl->peer_verify_data, buf, hash_len );
 #endif

+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
    if( ssl->handshake->resume != 0 )
    {
 #if defined(MBEDTLS_SSL_CLI_C)
@ -7532,6 +7537,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
 #endif
    }
    else
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */
        ssl->state++;

 #if defined(MBEDTLS_SSL_PROTO_DTLS)
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@ -1418,6 +1418,14 @@ int query_config( const char *config )
    }
 #endif /* MBEDTLS_SSL_SESSION_CACHE */

+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
+    if( strcmp( "MBEDTLS_SSL_SESSION_RESUMPTION", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_SESSION_RESUMPTION );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */
+
 #if defined(MBEDTLS_SSL_EXPORT_KEYS)
    if( strcmp( "MBEDTLS_SSL_EXPORT_KEYS", config ) == 0 )
    {