diff --git a/lib/tls.js b/lib/tls.js index 43f565d4617..63d6bd079ae 100644 --- a/lib/tls.js +++ b/lib/tls.js @@ -184,6 +184,21 @@ CryptoStream.prototype.getPeerCertificate = function() { return null; }; +CryptoStream.prototype.getSession = function() { + if (this.pair.ssl) { + return this.pair.ssl.getSession(); + } + + return null; +}; + +CryptoStream.prototype.isSessionReused = function() { + if (this.pair.ssl) { + return this.pair.ssl.isSessionReused(); + } + + return null; +}; CryptoStream.prototype.getCipher = function(err) { if (this.pair.ssl) { @@ -956,6 +971,10 @@ exports.connect = function(port /* host, options, cb */) { servername: options.servername || host }); + if (options.session) { + pair.ssl.setSession(options.session); + } + var cleartext = pipe(pair, socket); socket.connect(port, host); diff --git a/src/node_crypto.cc b/src/node_crypto.cc index d3f061cc500..04ebbc6c9fc 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -588,6 +588,9 @@ void Connection::Initialize(Handle target) { NODE_SET_PROTOTYPE_METHOD(t, "clearPending", Connection::ClearPending); NODE_SET_PROTOTYPE_METHOD(t, "encPending", Connection::EncPending); NODE_SET_PROTOTYPE_METHOD(t, "getPeerCertificate", Connection::GetPeerCertificate); + NODE_SET_PROTOTYPE_METHOD(t, "getSession", Connection::GetSession); + NODE_SET_PROTOTYPE_METHOD(t, "setSession", Connection::SetSession); + NODE_SET_PROTOTYPE_METHOD(t, "isSessionReused", Connection::IsSessionReused); NODE_SET_PROTOTYPE_METHOD(t, "isInitFinished", Connection::IsInitFinished); NODE_SET_PROTOTYPE_METHOD(t, "verifyError", Connection::VerifyError); NODE_SET_PROTOTYPE_METHOD(t, "getCurrentCipher", Connection::GetCurrentCipher); @@ -1175,6 +1178,91 @@ Handle Connection::GetPeerCertificate(const Arguments& args) { return scope.Close(info); } +Handle Connection::GetSession(const Arguments& args) { + HandleScope scope; + + Connection *ss = Connection::Unwrap(args); + + if (ss->ssl_ == NULL) return Undefined(); + + SSL_SESSION* sess = SSL_get_session(ss->ssl_); + if (!sess) return Undefined(); + + int slen = i2d_SSL_SESSION(sess, NULL); + assert(slen > 0); + + Local s; + + if (slen > 0) { + void* pp = malloc(slen); + if (pp) + { + unsigned char* p = (unsigned char*)pp; + i2d_SSL_SESSION(sess, &p); + s = Encode(pp, slen, BINARY); + free(pp); + } + else + return False(); + } + else + return False(); + + return scope.Close(s); +} + +Handle Connection::SetSession(const Arguments& args) { + HandleScope scope; + + Connection *ss = Connection::Unwrap(args); + + if (args.Length() < 1 || !args[0]->IsString()) { + Local exception = Exception::TypeError(String::New("Bad argument")); + return ThrowException(exception); + } + + ASSERT_IS_STRING_OR_BUFFER(args[0]); + ssize_t slen = DecodeBytes(args[0], BINARY); + + if (slen < 0) { + Local exception = Exception::TypeError(String::New("Bad argument")); + return ThrowException(exception); + } + + char* sbuf = new char[slen]; + + ssize_t wlen = DecodeWrite(sbuf, slen, args[0], BINARY); + assert(wlen == slen); + + const unsigned char* p = (unsigned char*) sbuf; + SSL_SESSION* sess = d2i_SSL_SESSION(NULL, &p, wlen); + + delete [] sbuf; + + if (!sess) + return Undefined(); + + int r = SSL_set_session(ss->ssl_, sess); + SSL_SESSION_free(sess); + + if (!r) { + Local eStr = String::New("SSL_set_session error"); + return ThrowException(Exception::Error(eStr)); + } + + return True(); +} + +Handle Connection::IsSessionReused(const Arguments& args) { + HandleScope scope; + + Connection *ss = Connection::Unwrap(args); + + if (ss->ssl_ == NULL) return False(); + return SSL_session_reused(ss->ssl_) ? True() : False(); +} + + Handle Connection::Start(const Arguments& args) { HandleScope scope; diff --git a/src/node_crypto.h b/src/node_crypto.h index fb620227602..0d05279d38e 100644 --- a/src/node_crypto.h +++ b/src/node_crypto.h @@ -120,6 +120,9 @@ class Connection : ObjectWrap { static v8::Handle EncOut(const v8::Arguments& args); static v8::Handle ClearIn(const v8::Arguments& args); static v8::Handle GetPeerCertificate(const v8::Arguments& args); + static v8::Handle GetSession(const v8::Arguments& args); + static v8::Handle SetSession(const v8::Arguments& args); + static v8::Handle IsSessionReused(const v8::Arguments& args); static v8::Handle IsInitFinished(const v8::Arguments& args); static v8::Handle VerifyError(const v8::Arguments& args); static v8::Handle GetCurrentCipher(const v8::Arguments& args); diff --git a/test/simple/test-tls-client-resume.js b/test/simple/test-tls-client-resume.js new file mode 100644 index 00000000000..bdf0527fb79 --- /dev/null +++ b/test/simple/test-tls-client-resume.js @@ -0,0 +1,76 @@ +// Copyright Joyent, Inc. and other Node contributors. +// +// Permission is hereby granted, free of charge, to any person obtaining a +// copy of this software and associated documentation files (the +// "Software"), to deal in the Software without restriction, including +// without limitation the rights to use, copy, modify, merge, publish, +// distribute, sublicense, and/or sell copies of the Software, and to permit +// persons to whom the Software is furnished to do so, subject to the +// following conditions: +// +// The above copyright notice and this permission notice shall be included +// in all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN +// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE +// USE OR OTHER DEALINGS IN THE SOFTWARE. + +// Create an ssl server. First connection, validate that not resume. +// Cache session and close connection. Use session on second connection. +// ASSERT resumption. + +if (!process.versions.openssl) { + console.error("Skipping because node compiled without OpenSSL."); + process.exit(0); +} + +var common = require('../common'); +var assert = require('assert'); +var tls = require('tls'); +var fs = require('fs'); + +var options = { + key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'), + cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem') +}; + +var connections = 0; + +// create server +var server = tls.Server(options, function(socket) { + socket.end("Goodbye"); + connections++; +}); + +// start listening +server.listen(common.PORT, function() { + + var session1 = null; + var client1 = tls.connect(common.PORT, function () { + console.log('connect1'); + assert.ok(!client1.isSessionReused(), "Session *should not* be reused."); + session1 = client1.getSession(); + }); + + client1.on('close', function() { + console.log('close1'); + + var client2 = tls.connect(common.PORT, {'session':session1}, function () { + console.log('connect2'); + assert.ok(client2.isSessionReused(), "Session *should* be reused."); + }); + + client2.on('close', function() { + console.log('close2'); + server.close(); + }); + }); +}); + +process.on('exit', function() { + assert.equal(2, connections); +});