tls: add client-side session resumption support

Sean Cunningham · bnoordhuis · commit eb99083d0bbc · 2011-09-07T20:01:14.000+02:00
diff --git a/lib/tls.js b/lib/tls.js
@@ -184,6 +184,21 @@ CryptoStream.prototype.getPeerCertificate = function() {
   return null;
 };
 
+CryptoStream.prototype.getSession = function() {
+  if (this.pair.ssl) {
+    return this.pair.ssl.getSession();
+  }
+
+  return null;
+};
+
+CryptoStream.prototype.isSessionReused = function() {
+  if (this.pair.ssl) {
+    return this.pair.ssl.isSessionReused();
+  }
+
+  return null;
+};
 
 CryptoStream.prototype.getCipher = function(err) {
   if (this.pair.ssl) {
@@ -956,6 +971,10 @@ exports.connect = function(port /* host, options, cb */) {
                               servername: options.servername || host
                             });
 
+  if (options.session) {
+    pair.ssl.setSession(options.session);
+  }
+
   var cleartext = pipe(pair, socket);
 
   socket.connect(port, host);
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
@@ -588,6 +588,9 @@ void Connection::Initialize(Handle<Object> target) {
   NODE_SET_PROTOTYPE_METHOD(t, "clearPending", Connection::ClearPending);
   NODE_SET_PROTOTYPE_METHOD(t, "encPending", Connection::EncPending);
   NODE_SET_PROTOTYPE_METHOD(t, "getPeerCertificate", Connection::GetPeerCertificate);
+  NODE_SET_PROTOTYPE_METHOD(t, "getSession", Connection::GetSession);
+  NODE_SET_PROTOTYPE_METHOD(t, "setSession", Connection::SetSession);
+  NODE_SET_PROTOTYPE_METHOD(t, "isSessionReused", Connection::IsSessionReused);
   NODE_SET_PROTOTYPE_METHOD(t, "isInitFinished", Connection::IsInitFinished);
   NODE_SET_PROTOTYPE_METHOD(t, "verifyError", Connection::VerifyError);
   NODE_SET_PROTOTYPE_METHOD(t, "getCurrentCipher", Connection::GetCurrentCipher);
@@ -1175,6 +1178,91 @@ Handle<Value> Connection::GetPeerCertificate(const Arguments& args) {
   return scope.Close(info);
 }
 
+Handle<Value> Connection::GetSession(const Arguments& args) {
+  HandleScope scope;
+
+  Connection *ss = Connection::Unwrap(args);
+
+  if (ss->ssl_ == NULL) return Undefined();
+
+  SSL_SESSION* sess = SSL_get_session(ss->ssl_);
+  if (!sess) return Undefined();
+
+  int slen = i2d_SSL_SESSION(sess, NULL);
+  assert(slen > 0);
+
+  Local<Value> s;
+
+  if (slen > 0) {
+    void* pp = malloc(slen);
+    if (pp)
+    {
+      unsigned char* p = (unsigned char*)pp;
+      i2d_SSL_SESSION(sess, &p);
+      s = Encode(pp, slen, BINARY);
+      free(pp);
+    }
+    else
+      return False();
+  }
+  else
+    return False();
+
+  return scope.Close(s);
+}
+
+Handle<Value> Connection::SetSession(const Arguments& args) {
+  HandleScope scope;
+
+  Connection *ss = Connection::Unwrap(args);
+
+  if (args.Length() < 1 || !args[0]->IsString()) {
+    Local<Value> exception = Exception::TypeError(String::New("Bad argument"));
+    return ThrowException(exception);
+  }
+
+  ASSERT_IS_STRING_OR_BUFFER(args[0]);
+  ssize_t slen = DecodeBytes(args[0], BINARY);
+
+  if (slen < 0) {
+    Local<Value> exception = Exception::TypeError(String::New("Bad argument"));
+    return ThrowException(exception);
+  }
+
+  char* sbuf = new char[slen];
+
+  ssize_t wlen = DecodeWrite(sbuf, slen, args[0], BINARY);
+  assert(wlen == slen);
+
+  const unsigned char* p = (unsigned char*) sbuf;
+  SSL_SESSION* sess = d2i_SSL_SESSION(NULL, &p, wlen);
+
+  delete [] sbuf;
+
+  if (!sess)
+    return Undefined();
+
+  int r = SSL_set_session(ss->ssl_, sess);
+  SSL_SESSION_free(sess);
+
+  if (!r) {
+    Local<String> eStr = String::New("SSL_set_session error");
+    return ThrowException(Exception::Error(eStr));
+  }
+
+  return True();
+}
+
+Handle<Value> Connection::IsSessionReused(const Arguments& args) {
+  HandleScope scope;
+
+  Connection *ss = Connection::Unwrap(args);
+
+  if (ss->ssl_ == NULL) return False();
+  return SSL_session_reused(ss->ssl_) ? True() : False();
+}
+
+
 Handle<Value> Connection::Start(const Arguments& args) {
   HandleScope scope;
 
diff --git a/src/node_crypto.h b/src/node_crypto.h
@@ -120,6 +120,9 @@ class Connection : ObjectWrap {
   static v8::Handle<v8::Value> EncOut(const v8::Arguments& args);
   static v8::Handle<v8::Value> ClearIn(const v8::Arguments& args);
   static v8::Handle<v8::Value> GetPeerCertificate(const v8::Arguments& args);
+  static v8::Handle<v8::Value> GetSession(const v8::Arguments& args);
+  static v8::Handle<v8::Value> SetSession(const v8::Arguments& args);
+  static v8::Handle<v8::Value> IsSessionReused(const v8::Arguments& args);
   static v8::Handle<v8::Value> IsInitFinished(const v8::Arguments& args);
   static v8::Handle<v8::Value> VerifyError(const v8::Arguments& args);
   static v8::Handle<v8::Value> GetCurrentCipher(const v8::Arguments& args);
diff --git a/test/simple/test-tls-client-resume.js b/test/simple/test-tls-client-resume.js
@@ -0,0 +1,76 @@
+// Copyright Joyent, Inc. and other Node contributors.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to permit
+// persons to whom the Software is furnished to do so, subject to the
+// following conditions:
+//
+// The above copyright notice and this permission notice shall be included
+// in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+// USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+// Create an ssl server.  First connection, validate that not resume.
+// Cache session and close connection.  Use session on second connection.
+// ASSERT resumption.
+
+if (!process.versions.openssl) {
+  console.error("Skipping because node compiled without OpenSSL.");
+  process.exit(0);
+}
+
+var common = require('../common');
+var assert = require('assert');
+var tls = require('tls');
+var fs = require('fs');
+
+var options = {
+  key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
+  cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem')
+};
+
+var connections = 0;
+
+// create server
+var server = tls.Server(options, function(socket) {
+  socket.end("Goodbye");
+  connections++;
+});
+
+// start listening
+server.listen(common.PORT, function() {
+
+  var session1 = null;
+  var client1 = tls.connect(common.PORT, function () {
+    console.log('connect1');
+    assert.ok(!client1.isSessionReused(), "Session *should not* be reused.");
+    session1 = client1.getSession();
+  });
+
+  client1.on('close', function() {
+    console.log('close1');
+
+    var client2 = tls.connect(common.PORT, {'session':session1}, function () {
+      console.log('connect2');
+      assert.ok(client2.isSessionReused(), "Session *should* be reused.");
+    });
+
+    client2.on('close', function() {
+      console.log('close2');
+      server.close();
+    });
+  });
+});
+
+process.on('exit', function() {
+  assert.equal(2, connections);
+});
