Add new config MBEDTLS_SSL_SESSION_RESUMPTION
Add a new configuration option MBEDTLS_SSL_SESSION_RESUMPTION
to enable/disable the session resumption feature including
ticket and cache based session resumption.
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 88f4701..e3d13e6 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -671,6 +671,12 @@
#error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites"
#endif
+#if ( defined(MBEDTLS_SSL_SESSION_TICKETS) || \
+ defined(MBEDTLS_SSL_SESSION_CACHE) ) && \
+ !defined(MBEDTLS_SSL_SESSION_RESUMPTION)
+#error "MBEDTLS_SSL_SESSION_TICKETS/MBEDTLS_SESSION_CACHE cannot be defined without MBEDTLS_SSL_SESSION_RESUMPTION"
+#endif
+
#if defined(MBEDTLS_THREADING_PTHREAD)
#if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
#error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites"
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 81c1340..7ceccee 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1677,6 +1677,14 @@
#define MBEDTLS_SSL_SESSION_CACHE
/**
+ * \def MBEDTLS_SSL_SESSION_RESUMPTION
+ *
+ *
+ * Comment this macro to disable support for SSL session resumption
+ */
+#define MBEDTLS_SSL_SESSION_RESUMPTION
+
+/**
* \def MBEDTLS_SSL_EXPORT_KEYS
*
* Enable support for exporting key block and master secret.
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 7009c4f..4399943 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -509,7 +509,9 @@
unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
/*!< premaster secret */
+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
int resume; /*!< session resume indicator*/
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */
int max_major_ver; /*!< max. major version client*/
int max_minor_ver; /*!< max. minor version client*/
int cli_exts; /*!< client extension presence*/
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 17611d6..f47d34e 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -888,7 +888,11 @@
#if defined(MBEDTLS_SSL_RENEGOTIATION)
ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
#endif
+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
ssl->handshake->resume == 0 )
+#else /* MBEDTLS_SSL_SESSION_RESUMPTION */
+ 0 )
+#endif
{
n = 0;
}
@@ -1795,6 +1799,7 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
/*
* Check if the session can be resumed
*/
@@ -1818,6 +1823,7 @@
memcpy( ssl->session_negotiate->id, buf + 35, n );
}
else
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */
{
ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
@@ -1830,8 +1836,10 @@
}
}
+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
ssl->handshake->resume ? "a" : "no" ) );
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 55a5976..a76ce16 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2656,7 +2656,9 @@
}
#endif /* MBEDTLS_SSL_SESSION_CACHE */
+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
if( ssl->handshake->resume == 0 )
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */
{
/*
* New session, create a new session id,
@@ -2683,6 +2685,7 @@
return( ret );
}
}
+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
else
{
/*
@@ -2697,6 +2700,7 @@
return( ret );
}
}
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */
/*
* 38 . 38 session id length
@@ -2712,8 +2716,10 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
ssl->handshake->resume ? "a" : "no" ) );
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */
*p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
*p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 10232bb..420eba2 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1263,11 +1263,13 @@
(void) ssl;
#endif
+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
if( handshake->resume != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
return( 0 );
}
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */
MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
handshake->pmslen );
@@ -7364,6 +7366,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
/*
* In case of session resuming, invert the client and server
* ChangeCipherSpec messages order.
@@ -7380,6 +7383,7 @@
#endif
}
else
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */
ssl->state++;
/*
@@ -7520,6 +7524,7 @@
memcpy( ssl->peer_verify_data, buf, hash_len );
#endif
+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
if( ssl->handshake->resume != 0 )
{
#if defined(MBEDTLS_SSL_CLI_C)
@@ -7532,6 +7537,7 @@
#endif
}
else
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */
ssl->state++;
#if defined(MBEDTLS_SSL_PROTO_DTLS)
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index 30b9d79..5a1f69e 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -1418,6 +1418,14 @@
}
#endif /* MBEDTLS_SSL_SESSION_CACHE */
+#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)
+ if( strcmp( "MBEDTLS_SSL_SESSION_RESUMPTION", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_SESSION_RESUMPTION );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */
+
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
if( strcmp( "MBEDTLS_SSL_EXPORT_KEYS", config ) == 0 )
{