Add TLS session resumption

Sara Dickinson 2016-04-28 15:41:34 +01:00
parent d8b2b776a8
commit 5f225d6be3
3 changed files with 14 additions and 3 deletions


@ -655,6 +655,8 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
dnsreq->trans_id, 1);
}
if (upstream->tls_obj != NULL) {
if (upstream->tls_session != NULL)
SSL_SESSION_free(upstream->tls_session);
SSL_shutdown(upstream->tls_obj);
SSL_free(upstream->tls_obj);
}
@ -810,6 +812,7 @@ upstream_init(getdns_upstream *upstream,
/* For sharing a socket to this upstream with TCP */
upstream->fd = -1;
upstream->tls_obj = NULL;
upstream->tls_session = NULL;
upstream->transport = GETDNS_TRANSPORT_TCP;
upstream->tls_hs_state = GETDNS_HS_NONE;
upstream->tls_auth_failed = 0;
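Review bot: The new `SSL_SESSION_free(upstream->tls_session)` in _getdns_upstreams_dereference sits inside the `if (upstream->tls_obj != NULL)` block, so the cached session is never released when the SSL object is already gone but the session was kept — which looks like the normal state between connections, since upstream_connect later applies `tls_session` to a freshly created `tls_obj` (where `tls_obj` is cleared is not visible here, so this is inferred). Move the release out of that block, after the `tls_obj` cleanup: `if (upstream->tls_session != NULL) SSL_SESSION_free(upstream->tls_session);` followed by `upstream->tls_session = NULL;` so a repeated dereference cannot double-free. The enclosing function starts before the hunk.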


@ -127,6 +127,7 @@ typedef struct getdns_upstream {
int fd;
getdns_transport_list_t transport;
SSL* tls_obj;
SSL_SESSION* tls_session;
getdns_tls_hs_state_t tls_hs_state;
getdns_eventloop_event event;
getdns_eventloop *loop;
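Review bot: The new `tls_session` member carries no comment stating who owns the reference, although the upstream takes its own with `SSL_get1_session` in tls_do_handshake and must release it with `SSL_SESSION_free` in _getdns_upstreams_dereference; that contract belongs on the declaration so the next reader does not treat it as a borrowed pointer. Suggested: `SSL_SESSION* tls_session; /* Cached session for resumption; own ref (SSL_get1_session), freed on dereference */`. The struct definition starts before the hunk.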


@ -320,15 +320,13 @@ process_keepalive(
uint16_t option_len = 0;
int found = match_edns_opt_rr(GLDNS_EDNS_KEEPALIVE, response,
response_len, &position, &option_len);
if (found != 2) {
if (found != 2 || option_len != 2) {
if (netreq->keepalive_sent == 1)
/* If no keepalive sent back, then we must use 0 idle timeout
as server does not support it.*/
upstream->keepalive_timeout = 0;
return;
}
if (option_len != 2)
return; /* FORMERR */
/* Use server sent value unless the client specified a shorter one.
Convert to ms first (wire value has units of 100ms) */
uint64_t server_keepalive = ((uint64_t)gldns_read_uint16(position))*100;
@ -1036,6 +1034,12 @@ tls_do_handshake(getdns_upstream *upstream)
* tls_auth_fail. */
#endif
upstream->tls_auth_failed = 1;
DEBUG_STUB("%s %-35s: FD: %d Session is %s\n",
STUB_DEBUG_SETUP_TLS, __FUNCTION__, upstream->fd,
SSL_session_reused(upstream->tls_obj) ?"re-used":"new");
if (upstream->tls_session != NULL)
SSL_SESSION_free(upstream->tls_session);
upstream->tls_session = SSL_get1_session(upstream->tls_obj);
/* Reset timeout on success*/
GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event);
upstream->event.read_cb = NULL;
@ -1696,6 +1700,9 @@ upstream_connect(getdns_upstream *upstream, getdns_transport_list_t transport,
close(fd);
return -1;
}
if (upstream->tls_session != NULL)
SSL_set_session(upstream->tls_obj, upstream->tls_session);
upstream->tls_hs_state = GETDNS_HS_WRITE;
upstream->loop = dnsreq->loop;
upstream->is_sync_loop = dnsreq->is_sync_request;