fixup! Add client-side session caching

Author: tmshort

doc/man3/SSL_set1_cache_id.pod

@@ -3,20 +3,20 @@
 =head1 NAME
 
 SSL_set1_cache_id,
-SSL_get0_cache_id,
+SSL_get1_cache_id,
 SSL_SESSION_set1_cache_id,
-SSL_SESSION_get0_cache_id,
+SSL_SESSION_get1_cache_id,
 SSL_get1_previous_client_session - use application-defined cache identifier for session caching
 
 =head1 SYNOPSIS
 
  #include <openssl/ssl.h>
 
  int SSL_set1_cache_id(SSL *s, const unsigned char *data, size_t len);
- int SSL_get0_cache_id(const SSL *s, const unsigned char **data, size_t *len);
+ int SSL_get1_cache_id(const SSL *s, const unsigned char **data, size_t *len);
 
  int SSL_SESSION_set1_cache_id(SSL_SESSION *ss, const unsigned char *data, size_t len);
- int SSL_SESSION_get0_cache_id(const SSL_SESSION *ss, const unsigned char **data, size_t *len);
+ int SSL_SESSION_get1_cache_id(const SSL_SESSION *ss, const unsigned char **data, size_t *len);
 
  int SSL_get1_previous_client_session(SSL *s, int flags);
 
@@ -26,13 +26,13 @@ SSL_set1_cache_id() sets the cache identifier specified by B<data> and B<len>
 into B<s>. This cache identifier is application-defined, and can be a domain
 name, IP address, port or other identifier.
 
-SSL_get0_cache_id() returns the cache identifier of B<s> into the B<data> and
+SSL_get1_cache_id() returns the cache identifier of B<s> into the B<data> and
 B<len> variables. The cache identifier is application-defined.
 
 SSL_SESSION_set1_cache_id() sets the cache identifier specified by B<data> and B<len>
 into B<ss>. This cache identifier is application-defined.
 
-SSL_SESSION_get0_cache_id() returns the cache identifier of B<ss> into the B<data> and
+SSL_SESSION_get1_cache_id() returns the cache identifier of B<ss> into the B<data> and
 B<len> variables. The cache identifier is application-defined.
 
 SSL_get1_previous_client_session() is used to search for and return a
@@ -68,12 +68,14 @@ function can only be used on non-cached SSL_SESSIONs.
 SSL_set1_cache_id() and SSL_SESSION_set1_cache_id() should not be used by servers,
 the functions will fail.
 
+The memory returned by SSL_get1_cache_id() and SSL_SESSION_get1_cache_id() must be freed.
+
 =head1 RETURN VALUES
 
-The SSL_set1_cache_id(), SSL_get0_cache_id(), SSL_SESSION_set1_cache_id() and
-SSL_SESSION_get0_cache_id() functions return 1 on success, 0 on failure.
+The SSL_set1_cache_id(), SSL_get1_cache_id(), SSL_SESSION_set1_cache_id() and
+SSL_SESSION_get1_cache_id() functions return 1 on success, 0 on failure.
 
-The SSL_get0_cache_id() function fills in the B<data> and B<len> parameters
+The SSL_get1_cache_id() function fills in the B<data> and B<len> parameters
 with the data from the B<s>.
 
 The SSL_get_previous_client_session() returns an SSL_SESSION on success, or NULL on
@@ -98,9 +100,9 @@ L<SSL_set_SSL_CTX(3)>,
 =head1 HISTORY
 
 The SSL_set1_cache_id(),
-SSL_get0_cache_id(),
+SSL_get1_cache_id(),
 SSL_SESSION_set1_cache_id(),
-SSL_SESSION_get0_cache_id(), and
+SSL_SESSION_get1_cache_id(), and
 SSL_get1_previous_client_session() functions were added in OpenSSL 3.5.
 
 =head1 COPYRIGHT

include/openssl/ssl.h.in

@@ -2883,9 +2883,9 @@ int SSL_set_quic_tls_early_data_enabled(SSL *s, int enabled);
 /* Client cache implementation */
 __owur SSL_SESSION *SSL_get1_previous_client_session(SSL *s);
 __owur int SSL_set1_cache_id(SSL *s, const unsigned char *data, size_t len);
-__owur int SSL_get0_cache_id(const SSL *s, const unsigned char **data, size_t *len);
+__owur int SSL_get1_cache_id(const SSL *s, unsigned char **data, size_t *len);
 __owur int SSL_SESSION_set1_cache_id(SSL_SESSION *ss, const unsigned char *data, size_t len);
-__owur int SSL_SESSION_get0_cache_id(const SSL_SESSION *ss, const unsigned char **data,
+__owur int SSL_SESSION_get1_cache_id(const SSL_SESSION *ss, unsigned char **data,
                                      size_t *len);
 
 # ifdef  __cplusplus

ssl/ssl_sess.c

@@ -1595,18 +1595,14 @@ int SSL_set1_cache_id(SSL *s, const unsigned char *data, size_t len)
     return 1;
 }
 
-int SSL_get0_cache_id(const SSL *s, const unsigned char **data, size_t *len)
+int SSL_get1_cache_id(const SSL *s, unsigned char **data, size_t *len)
 {
     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
 
-    if (sc == NULL)
-        return 0;
-    if (sc->server)
+    if (sc == NULL || sc->server || sc->cache_id == NULL)
         return 0;
-
-    if (sc->cache_id == NULL)
+    if ((*data = OPENSSL_memdup(sc->cache_id, sc->cache_id_len)) == NULL)
         return 0;
-    *data = sc->cache_id;
     *len = sc->cache_id_len;
     return 1;
 }
@@ -1633,11 +1629,12 @@ int SSL_SESSION_set1_cache_id(SSL_SESSION *ss, const unsigned char *data, size_t
     return 1;
 }
 
-int SSL_SESSION_get0_cache_id(const SSL_SESSION *ss, const unsigned char **data, size_t *len)
+int SSL_SESSION_get1_cache_id(const SSL_SESSION *ss, unsigned char **data, size_t *len)
 {
-    if (ss->cache_id == NULL)
+    if (ss == NULL || ss->cache_id == NULL)
+        return 0;
+    if ((*data = OPENSSL_memdup(ss->cache_id, ss->cache_id_len)) == NULL)
         return 0;
-    *data = ss->cache_id;
     *len = ss->cache_id_len;
     return 1;
 }

test/client_cache_test.c

@@ -21,6 +21,108 @@ static const unsigned char sid_ctx[] = "sid";
 static const unsigned char cache_id[] = "this is a test";
 static const unsigned char cache_id2[] = "different";
 
+static SSL_SESSION *external_cache = NULL;
+static SSL_SESSION *session_get_cb(SSL *ssl, const unsigned char *data, int len, int *copy)
+{
+    unsigned char *cid;
+    size_t cid_len;
+
+    if (!SSL_SESSION_get1_cache_id(external_cache, &cid, &cid_len))
+        return NULL;
+
+    if (len != (int)cid_len || memcmp(cid, data, len) != 0) {
+        OPENSSL_free(cid);
+        return NULL;
+    }
+
+    OPENSSL_free(cid);
+    *copy = 1;
+    return external_cache;
+}
+
+static int test_client_cache_external(void)
+{
+    int ret = 0;
+    SSL_CTX *cctx = NULL, *sctx = NULL;
+    SSL *cssl = NULL, *sssl = NULL;
+    uint32_t mode;
+    SSL_SESSION *sess1 = NULL;
+
+    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+                                       TLS_client_method(), TLS1_VERSION, TLS1_2_VERSION,
+                                       &sctx, &cctx, cert, privkey)))
+        return 0;
+
+    mode = SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_LOOKUP;
+    if (!TEST_true(SSL_CTX_set_session_cache_mode(cctx, mode))
+        || !TEST_true(SSL_CTX_set_session_id_context(sctx, sid_ctx, sizeof(sid_ctx)))
+        || !TEST_true(SSL_CTX_set_session_id_context(cctx, sid_ctx, sizeof(sid_ctx))))
+        goto end;
+
+    SSL_CTX_sess_set_get_cb(cctx, session_get_cb);
+
+    /* Initial connection - establishes external_cache */
+    if (!TEST_true(create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL))
+            || !TEST_true(SSL_set1_cache_id(cssl, cache_id, sizeof(cache_id)))
+            || !TEST_true(create_ssl_connection(sssl, cssl, SSL_ERROR_NONE))
+            || !TEST_ptr(external_cache = SSL_get1_session(cssl)))
+        goto end;
+
+    shutdown_ssl_connection(sssl, cssl);
+    sssl = cssl = NULL;
+
+    /* Test automatic assignment of session when client has cache_id set */
+    if (!TEST_true(create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL))
+            || !TEST_true(SSL_set1_cache_id(cssl, cache_id, sizeof(cache_id)))
+            || !TEST_true(create_ssl_connection(sssl, cssl, SSL_ERROR_NONE))
+            || !TEST_true(SSL_session_reused(cssl))
+            || !TEST_ptr(sess1 = SSL_get1_session(cssl)))
+        goto end;
+
+    shutdown_ssl_connection(sssl, cssl);
+    sssl = cssl = NULL;
+
+    /* Ensure client is resumed when no cache_id is set, but session is assigned */
+    if (!TEST_true(create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL))
+            || !TEST_true(SSL_set_session(cssl, sess1))
+            || !TEST_true(create_ssl_connection(sssl, cssl, SSL_ERROR_NONE))
+            || !TEST_true(SSL_session_reused(cssl)))
+        goto end;
+
+    shutdown_ssl_connection(sssl, cssl);
+    sssl = cssl = NULL;
+
+    /* Ensure client is not resumed when no cache_id is set */
+    if (!TEST_true(create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL))
+            || !TEST_true(create_ssl_connection(sssl, cssl, SSL_ERROR_NONE))
+            || !TEST_false(SSL_session_reused(cssl)))
+        goto end;
+
+    shutdown_ssl_connection(sssl, cssl);
+    sssl = cssl = NULL;
+
+    /* Ensure client is not resumed when a different cache_id is set */
+    if (!TEST_true(create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL))
+            || !TEST_true(SSL_set1_cache_id(cssl, cache_id2, sizeof(cache_id2)))
+            || !TEST_true(create_ssl_connection(sssl, cssl, SSL_ERROR_NONE))
+            || !TEST_false(SSL_session_reused(cssl)))
+        goto end;
+
+    shutdown_ssl_connection(sssl, cssl);
+    sssl = cssl = NULL;
+
+    ret = 1;
+ end:
+    SSL_free(sssl);
+    SSL_free(cssl);
+    SSL_SESSION_free(external_cache);
+    external_cache = NULL;
+    SSL_SESSION_free(sess1);
+    SSL_CTX_free(sctx);
+    SSL_CTX_free(cctx);
+    return ret;
+}
+
 static int test_client_cache(void)
 {
     int ret = 0;
@@ -33,8 +135,8 @@ static int test_client_cache(void)
                                        &sctx, &cctx, cert, privkey)))
         return 0;
 
-    SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
-    if (!TEST_true(SSL_CTX_set_session_id_context(sctx, sid_ctx, sizeof(sid_ctx)))
+    if (!TEST_true(SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT))
+            || !TEST_true(SSL_CTX_set_session_id_context(sctx, sid_ctx, sizeof(sid_ctx)))
             || !TEST_true(SSL_CTX_set_session_id_context(cctx, sid_ctx, sizeof(sid_ctx))))
         goto end;
 
@@ -62,6 +164,16 @@ static int test_client_cache(void)
     shutdown_ssl_connection(sssl, cssl);
     sssl = cssl = NULL;
 
+    /* Ensure client is resumed when no cache_id is set, but session is assigned */
+    if (!TEST_true(create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL))
+            || !TEST_true(SSL_set_session(cssl, sess3))
+            || !TEST_true(create_ssl_connection(sssl, cssl, SSL_ERROR_NONE))
+            || !TEST_true(SSL_session_reused(cssl)))
+        goto end;
+
+    shutdown_ssl_connection(sssl, cssl);
+    sssl = cssl = NULL;
+
     /* Ensure client is not resumed when no cache_id is set */
     if (!TEST_true(create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL))
             || !TEST_true(create_ssl_connection(sssl, cssl, SSL_ERROR_NONE))
@@ -117,6 +229,7 @@ int setup_tests(void)
         goto err;
 
     ADD_TEST(test_client_cache);
+    ADD_TEST(test_client_cache_external);
     return 1;
 
  err:

test/sslapitest.c

@@ -2073,7 +2073,7 @@ static int execute_test_session(int maxprot, int use_int_cache,
     int testresult = 0, numnewsesstick = 1;
     const unsigned char cache_id[] = "this is a test";
     size_t cache_id_len = sizeof("this is a test");
-    const unsigned char *new_cache_id;
+    unsigned char *new_cache_id = NULL;
     size_t new_cache_id_len;
 
     new_called = remove_called = 0;
@@ -2115,15 +2115,18 @@ static int execute_test_session(int maxprot, int use_int_cache,
     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
                                       NULL, NULL))
             || !TEST_true(SSL_set1_cache_id(clientssl1, cache_id, cache_id_len))
-            || !TEST_true(SSL_get0_cache_id(clientssl1, &new_cache_id, &new_cache_id_len))
+            || !TEST_true(SSL_get1_cache_id(clientssl1, &new_cache_id, &new_cache_id_len))
             || !TEST_mem_eq(cache_id, cache_id_len, new_cache_id, new_cache_id_len)
             || !TEST_true(create_ssl_connection(serverssl1, clientssl1, SSL_ERROR_NONE))
             || !TEST_false(SSL_set1_cache_id(clientssl1, cache_id, cache_id_len))
             || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
         goto end;
 
+    OPENSSL_free(new_cache_id);
+    new_cache_id = NULL;
+
     if (use_int_cache
-        && (!TEST_true(SSL_SESSION_get0_cache_id(sess1, &new_cache_id, &new_cache_id_len))
+        && (!TEST_true(SSL_SESSION_get1_cache_id(sess1, &new_cache_id, &new_cache_id_len))
             || !TEST_mem_eq(cache_id, cache_id_len, new_cache_id, new_cache_id_len)
             || !TEST_ptr(sess3 = SSL_get1_previous_client_session(clientssl1))
             || !TEST_ptr_eq(sess1, sess3)
@@ -2392,6 +2395,7 @@ static int execute_test_session(int maxprot, int use_int_cache,
     SSL_SESSION_free(sess3);
     SSL_CTX_free(sctx);
     SSL_CTX_free(cctx);
+    OPENSSL_free(new_cache_id);
 
     return testresult;
 }

util/libssl.num

@@ -608,6 +608,6 @@ SSL_get_domain_flags                    ?	3_5_0	EXIST::FUNCTION:
 SSL_CTX_set_new_pending_conn_cb         ?	3_5_0	EXIST::FUNCTION:
 SSL_get1_previous_client_session        ?	3_5_0	EXIST::FUNCTION:
 SSL_set1_cache_id                       ?	3_5_0	EXIST::FUNCTION:
-SSL_get0_cache_id                       ?	3_5_0	EXIST::FUNCTION:
+SSL_get1_cache_id                       ?	3_5_0	EXIST::FUNCTION:
 SSL_SESSION_set1_cache_id               ?	3_5_0	EXIST::FUNCTION:
-SSL_SESSION_get0_cache_id               ?	3_5_0	EXIST::FUNCTION:
+SSL_SESSION_get1_cache_id               ?	3_5_0	EXIST::FUNCTION: