[release/7.0] set session ID when TLS resume is enabled (#75507)

* set session ID when TLS resume is enabled * feedback from review * remove random.h * Apply suggestions from code review Co-authored-by: Jeremy Barton <jbarton@microsoft.com> Co-authored-by: wfurt <tweinfurt@yahoo.com> Co-authored-by: Jeremy Barton <jbarton@microsoft.com>
dotnet · Sep 13, 2022 · 77295ad · 77295ad
1 parent b483931
commit 77295ad
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 6 deletions.
diff --git a/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs b/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs
@@ -203,18 +203,20 @@ internal static unsafe SafeSslContextHandle AllocateSslContext(SslAuthentication
  {
  if (sslAuthenticationOptions.IsServer)
  {
- Ssl.SslCtxSetCaching(sslCtx, 1, s_cacheSize, null, null);
+ Span<byte> contextId = stackalloc byte[32];
+ RandomNumberGenerator.Fill(contextId);
+ Ssl.SslCtxSetCaching(sslCtx, 1, s_cacheSize, contextId.Length, contextId, null, null);
  }
  else
  {
- int result = Ssl.SslCtxSetCaching(sslCtx, 1, s_cacheSize, &NewSessionCallback, &RemoveSessionCallback);
+ int result = Ssl.SslCtxSetCaching(sslCtx, 1, s_cacheSize, 0, null, &NewSessionCallback, &RemoveSessionCallback);
  Debug.Assert(result == 1);
  sslCtx.EnableSessionCache();
  }
  }
  else
  {
- Ssl.SslCtxSetCaching(sslCtx, 0, -1, null, null);
+ Ssl.SslCtxSetCaching(sslCtx, 0, -1, 0, null, null, null);
  }
 
  if (sslAuthenticationOptions.IsServer && sslAuthenticationOptions.ApplicationProtocols != null && sslAuthenticationOptions.ApplicationProtocols.Count != 0)

diff --git a/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.SslCtx.cs b/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.SslCtx.cs
@@ -33,7 +33,7 @@ internal static partial class Ssl
  internal static unsafe partial void SslCtxSetAlpnSelectCb(SafeSslContextHandle ctx, delegate* unmanaged<IntPtr, byte**, byte*, byte*, uint, IntPtr, int> callback, IntPtr arg);
 
  [LibraryImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_SslCtxSetCaching")]
- internal static unsafe partial int SslCtxSetCaching(SafeSslContextHandle ctx, int mode, int cacheSize, delegate* unmanaged<IntPtr, IntPtr, int> neewSessionCallback, delegate* unmanaged<IntPtr, IntPtr, void> removeSessionCallback);
+ internal static unsafe partial int SslCtxSetCaching(SafeSslContextHandle ctx, int mode, int cacheSize, int contextIdLength, Span<byte> contextId, delegate* unmanaged<IntPtr, IntPtr, int> neewSessionCallback, delegate* unmanaged<IntPtr, IntPtr, void> removeSessionCallback);
 
  internal static bool AddExtraChainCertificates(SafeSslContextHandle ctx, X509Certificate2[] chain)
  {

diff --git a/src/native/libs/System.Security.Cryptography.Native/opensslshim.h b/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
@@ -486,6 +486,7 @@ const EVP_CIPHER* EVP_chacha20_poly1305(void);
  REQUIRED_FUNCTION(SSL_CTX_set_quiet_shutdown) \
  FALLBACK_FUNCTION(SSL_CTX_set_options) \
  FALLBACK_FUNCTION(SSL_CTX_set_security_level) \
+ REQUIRED_FUNCTION(SSL_CTX_set_session_id_context) \
  REQUIRED_FUNCTION(SSL_CTX_set_verify) \
  REQUIRED_FUNCTION(SSL_CTX_use_certificate) \
  REQUIRED_FUNCTION(SSL_CTX_use_PrivateKey) \
@@ -965,6 +966,7 @@ FOR_ALL_OPENSSL_FUNCTIONS
 #define SSL_CTX_set_options SSL_CTX_set_options_ptr
 #define SSL_CTX_set_quiet_shutdown SSL_CTX_set_quiet_shutdown_ptr
 #define SSL_CTX_set_security_level SSL_CTX_set_security_level_ptr
+#define SSL_CTX_set_session_id_context SSL_CTX_set_session_id_context_ptr
 #define SSL_CTX_set_verify SSL_CTX_set_verify_ptr
 #define SSL_CTX_use_certificate SSL_CTX_use_certificate_ptr
 #define SSL_CTX_use_PrivateKey SSL_CTX_use_PrivateKey_ptr

diff --git a/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c b/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c
@@ -655,7 +655,7 @@ void CryptoNative_SslSetVerifyPeer(SSL* ssl)
  SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_callback);
 }
 
-int CryptoNative_SslCtxSetCaching(SSL_CTX* ctx, int mode, int cacheSize, SslCtxNewSessionCallback newSessionCb, SslCtxRemoveSessionCallback removeSessionCb)
+int CryptoNative_SslCtxSetCaching(SSL_CTX* ctx, int mode, int cacheSize, int contextIdLength, uint8_t* contextId, SslCtxNewSessionCallback newSessionCb, SslCtxRemoveSessionCallback removeSessionCb)
 {
  int retValue = 1;
  if (mode && !API_EXISTS(SSL_SESSION_get0_hostname))
@@ -683,6 +683,11 @@ int CryptoNative_SslCtxSetCaching(SSL_CTX* ctx, int mode, int cacheSize, SslCtxN
  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_SESS_CACHE_SIZE, (long)cacheSize, NULL);
  }
 
+ if (contextIdLength > 0 && contextId != NULL)
+ {
+ SSL_CTX_set_session_id_context(ctx, contextId, contextIdLength <= SSL_MAX_SID_CTX_LENGTH ? (unsigned int)contextIdLength : SSL_MAX_SID_CTX_LENGTH);
+ }
+
  if (newSessionCb != NULL)
  {
  SSL_CTX_sess_set_new_cb(ctx, newSessionCb);

diff --git a/src/native/libs/System.Security.Cryptography.Native/pal_ssl.h b/src/native/libs/System.Security.Cryptography.Native/pal_ssl.h
@@ -162,7 +162,7 @@ PALEXPORT void CryptoNative_SslSetPostHandshakeAuth(SSL* ssl, int32_t val);
 /*
 Sets session caching. 0 is disabled.
 */
-PALEXPORT int CryptoNative_SslCtxSetCaching(SSL_CTX* ctx, int mode, int cacheSize, SslCtxNewSessionCallback newCb, SslCtxRemoveSessionCallback removeCb);
+PALEXPORT int CryptoNative_SslCtxSetCaching(SSL_CTX* ctx, int mode, int cacheSize, int contextIdLength, uint8_t* contextId, SslCtxNewSessionCallback newSessionCb, SslCtxRemoveSessionCallback removeSessionCb);
 
 /*
 Returns name associated with given ssl session.