From 59bd12bf141b43a50142398d3b6aff5828face23 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Tue, 18 Jun 2019 13:49:02 +0300 Subject: [PATCH] Add new config MBEDTLS_SSL_SESSION_RESUMPTION Add a new configuration option MBEDTLS_SSL_SESSION_RESUMPTION to enable/disable the session resumption feature including ticket and cache based session resumption. --- include/mbedtls/check_config.h | 6 ++++++ include/mbedtls/config.h | 8 ++++++++ include/mbedtls/ssl_internal.h | 2 ++ library/ssl_cli.c | 8 ++++++++ library/ssl_srv.c | 6 ++++++ library/ssl_tls.c | 6 ++++++ programs/ssl/query_config.c | 8 ++++++++ 7 files changed, 44 insertions(+) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 88f47011b..e3d13e6ef 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -671,6 +671,12 @@ #error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites" #endif +#if ( defined(MBEDTLS_SSL_SESSION_TICKETS) || \ + defined(MBEDTLS_SSL_SESSION_CACHE) ) && \ + !defined(MBEDTLS_SSL_SESSION_RESUMPTION) +#error "MBEDTLS_SSL_SESSION_TICKETS/MBEDTLS_SESSION_CACHE cannot be defined without MBEDTLS_SSL_SESSION_RESUMPTION" +#endif + #if defined(MBEDTLS_THREADING_PTHREAD) #if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL) #error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites" diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 81c1340d7..7ceccee35 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1676,6 +1676,14 @@ */ #define MBEDTLS_SSL_SESSION_CACHE +/** + * \def MBEDTLS_SSL_SESSION_RESUMPTION + * + * + * Comment this macro to disable support for SSL session resumption + */ +#define MBEDTLS_SSL_SESSION_RESUMPTION + /** * \def MBEDTLS_SSL_EXPORT_KEYS * diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 7009c4f8b..439994334 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -509,7 +509,9 @@ struct mbedtls_ssl_handshake_params unsigned char premaster[MBEDTLS_PREMASTER_SIZE]; /*!< premaster secret */ +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) int resume; /*!< session resume indicator*/ +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ int max_major_ver; /*!< max. major version client*/ int max_minor_ver; /*!< max. minor version client*/ int cli_exts; /*!< client extension presence*/ diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 17611d6fc..f47d34e8c 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -888,7 +888,11 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_RENEGOTIATION) ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || #endif +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) ssl->handshake->resume == 0 ) +#else /* MBEDTLS_SSL_SESSION_RESUMPTION */ + 0 ) +#endif { n = 0; } @@ -1795,6 +1799,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) /* * Check if the session can be resumed */ @@ -1818,6 +1823,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) memcpy( ssl->session_negotiate->id, buf + 35, n ); } else +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ { ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; @@ -1830,8 +1836,10 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) } } +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", ssl->handshake->resume ? "a" : "no" ) ); +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 55a59765a..a76ce1675 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2656,7 +2656,9 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_SESSION_CACHE */ +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) if( ssl->handshake->resume == 0 ) +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ { /* * New session, create a new session id, @@ -2683,6 +2685,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) return( ret ); } } +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) else { /* @@ -2697,6 +2700,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) return( ret ); } } +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ /* * 38 . 38 session id length @@ -2712,8 +2716,10 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", ssl->handshake->resume ? "a" : "no" ) ); +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 ); *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 10232bb30..420eba29d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1263,11 +1263,13 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake, (void) ssl; #endif +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) if( handshake->resume != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) ); return( 0 ); } +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster, handshake->pmslen ); @@ -7364,6 +7366,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED; +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) /* * In case of session resuming, invert the client and server * ChangeCipherSpec messages order. @@ -7380,6 +7383,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) #endif } else +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ ssl->state++; /* @@ -7520,6 +7524,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) memcpy( ssl->peer_verify_data, buf, hash_len ); #endif +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) if( ssl->handshake->resume != 0 ) { #if defined(MBEDTLS_SSL_CLI_C) @@ -7532,6 +7537,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) #endif } else +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c index 30b9d7975..5a1f69e2e 100644 --- a/programs/ssl/query_config.c +++ b/programs/ssl/query_config.c @@ -1418,6 +1418,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_SSL_SESSION_CACHE */ +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) + if( strcmp( "MBEDTLS_SSL_SESSION_RESUMPTION", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_SESSION_RESUMPTION ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ + #if defined(MBEDTLS_SSL_EXPORT_KEYS) if( strcmp( "MBEDTLS_SSL_EXPORT_KEYS", config ) == 0 ) {