fixup! Add client-side session caching

tmshort · tmshort · commit 40573881ba6c · 2025-03-27T15:40:07.000-04:00
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
@@ -2218,6 +2218,8 @@ int SSL_accept(SSL *s)
 int SSL_connect(SSL *s)
 {
     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+    SSL_SESSION *sess;
+    int ret;
 
 #ifndef OPENSSL_NO_QUIC
     if (IS_QUIC(s))
@@ -2232,6 +2234,24 @@ int SSL_connect(SSL *s)
         SSL_set_connect_state(s);
     }
 
+    /*
+     * If a client session has not been set, and there's a previous session
+     * that matches the cache_id, use it.
+     * If the cache is not set to client mode, an error will be raised, so
+     * pop off as necessary.
+     */
+    if (sc->session == NULL && sc->cache_id != NULL) {
+        ERR_set_mark();
+        sess = SSL_get1_previous_client_session(s);
+        ERR_pop_to_mark();
+        if (sess != NULL) {
+            ret = SSL_set_session(s, sess);
+            SSL_SESSION_free(sess);
+            if (!ret)
+                return ret;
+        }
+    }
+
     return SSL_do_handshake(s);
 }
 
diff --git a/test/build.info b/test/build.info
@@ -69,7 +69,8 @@ IF[{- !$disabled{tests} -}]
           ca_internals_test bio_tfo_test membio_test bio_dgram_test list_test \
           fips_version_test x509_test hpke_test pairwise_fail_test \
           nodefltctxtest evp_xof_test x509_load_cert_file_test bio_meth_test \
-          x509_acert_test x509_req_test strtoultest bio_pw_callback_test
+          x509_acert_test x509_req_test strtoultest bio_pw_callback_test \
+          client_cache_test
 
   IF[{- !$disabled{'rpk'} -}]
     PROGRAMS{noinst}=rpktest
@@ -583,6 +584,10 @@ IF[{- !$disabled{tests} -}]
   INCLUDE[rpktest]=../include ../apps/include ..
   DEPEND[rpktest]=../libcrypto ../libssl libtestutil.a
 
+  SOURCE[client_cache_test]=client_cache_test.c helpers/ssltestlib.c
+  INCLUDE[client_cache_test]=../include ../apps/include ..
+  DEPEND[client_cache_test]=../libcrypto ../libssl libtestutil.a
+
   SOURCE[defltfips_test]=defltfips_test.c
   INCLUDE[defltfips_test]=../include  ../apps/include
   DEPEND[defltfips_test]=../libcrypto libtestutil.a
diff --git a/test/client_cache_test.c b/test/client_cache_test.c
@@ -0,0 +1,131 @@
+/*
+ * Copyright 2023-2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+#include <openssl/ssl.h>
+
+#include "helpers/ssltestlib.h"
+#include "internal/dane.h"
+#include "testutil.h"
+
+static char *certsdir = NULL;
+static char *cert = NULL;
+static char *privkey = NULL;
+static OSSL_LIB_CTX *libctx = NULL;
+
+static const unsigned char sid_ctx[] = "sid";
+static const unsigned char cache_id[] = "this is a test";
+static const unsigned char cache_id2[] = "different";
+
+static int test_client_cache(void)
+{
+    int ret = 0;
+    SSL_CTX *cctx = NULL, *sctx = NULL;
+    SSL *cssl = NULL, *sssl = NULL;
+    SSL_SESSION *sess1 = NULL, *sess2 = NULL, *sess3 = NULL;
+
+    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+                                       TLS_client_method(), TLS1_VERSION, TLS1_2_VERSION,
+                                       &sctx, &cctx, cert, privkey)))
+        return 0;
+
+    SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
+    if (!TEST_true(SSL_CTX_set_session_id_context(sctx, sid_ctx, sizeof(sid_ctx)))
+            || !TEST_true(SSL_CTX_set_session_id_context(cctx, sid_ctx, sizeof(sid_ctx))))
+        goto end;
+
+    /* Initial connection */
+    if (!TEST_true(create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL))
+            || !TEST_true(SSL_set1_cache_id(cssl, cache_id, sizeof(cache_id)))
+            || !TEST_true(create_ssl_connection(sssl, cssl, SSL_ERROR_NONE))
+            || !TEST_ptr(sess1 = SSL_get1_session(cssl)))
+        goto end;
+
+    shutdown_ssl_connection(sssl, cssl);
+    sssl = cssl = NULL;
+
+    /* Test automatic assignment of session when client has cache_id set */
+    if (!TEST_true(create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL))
+            || !TEST_true(SSL_set1_cache_id(cssl, cache_id, sizeof(cache_id)))
+            || !TEST_ptr(sess2 = SSL_get1_previous_client_session(cssl))
+            || !TEST_ptr_eq(sess1, sess2)
+            || !TEST_true(create_ssl_connection(sssl, cssl, SSL_ERROR_NONE))
+            || !TEST_true(SSL_session_reused(cssl))
+            || !TEST_ptr(sess3 = SSL_get1_session(cssl))
+            || !TEST_ptr_eq(sess2, sess3))
+        goto end;
+
+    shutdown_ssl_connection(sssl, cssl);
+    sssl = cssl = NULL;
+
+    /* Ensure client is not resumed when no cache_id is set */
+    if (!TEST_true(create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL))
+            || !TEST_true(create_ssl_connection(sssl, cssl, SSL_ERROR_NONE))
+            || !TEST_false(SSL_session_reused(cssl)))
+        goto end;
+
+    shutdown_ssl_connection(sssl, cssl);
+    sssl = cssl = NULL;
+
+    /* Ensure client is not resumed when a different cache_id is set */
+    if (!TEST_true(create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL))
+            || !TEST_true(SSL_set1_cache_id(cssl, cache_id2, sizeof(cache_id2)))
+            || !TEST_true(create_ssl_connection(sssl, cssl, SSL_ERROR_NONE))
+            || !TEST_false(SSL_session_reused(cssl)))
+        goto end;
+
+    shutdown_ssl_connection(sssl, cssl);
+    sssl = cssl = NULL;
+
+    ret = 1;
+ end:
+    SSL_free(sssl);
+    SSL_free(cssl);
+    SSL_SESSION_free(sess1);
+    SSL_SESSION_free(sess2);
+    SSL_SESSION_free(sess3);
+    SSL_CTX_free(sctx);
+    SSL_CTX_free(cctx);
+    return ret;
+}
+OPT_TEST_DECLARE_USAGE("certdir\n")
+
+int setup_tests(void)
+{
+    if (!test_skip_common_options()) {
+        TEST_error("Error parsing test options\n");
+        return 0;
+    }
+
+    if (!TEST_ptr(certsdir = test_get_argument(0)))
+        return 0;
+
+    cert = test_mk_file_path(certsdir, "servercert.pem");
+    if (cert == NULL)
+        goto err;
+
+    privkey = test_mk_file_path(certsdir, "serverkey.pem");
+    if (privkey == NULL)
+        goto err;
+
+    libctx = OSSL_LIB_CTX_new();
+    if (libctx == NULL)
+        goto err;
+
+    ADD_TEST(test_client_cache);
+    return 1;
+
+ err:
+    return 0;
+}
+
+void cleanup_tests(void)
+{
+    OPENSSL_free(cert);
+    OPENSSL_free(privkey);
+    OSSL_LIB_CTX_free(libctx);
+ }
diff --git a/test/recipes/90-test_client_cache.t b/test/recipes/90-test_client_cache.t
@@ -0,0 +1,23 @@
+#! /usr/bin/env perl
+# Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir/;
+
+BEGIN {
+    setup("test_client_cache");
+}
+
+use lib srctop_dir('Configurations');
+use lib bldtop_dir('.');
+
+plan skip_all => "TLS is disabled in this OpenSSL build" if disabled("tls1") && disabled("tls1_1") && disabled("tls1_2");
+
+plan tests => 1;
+
+ok(run(test(["client_cache_test", srctop_dir("test", "certs")])), "running client_cache_test");
