tls: Add support for session caching

Synss · Synss · commit d91a640eb2b1 · 2021-10-08T22:16:42.000+02:00
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,7 @@
+[next]
+
+* tls: Add support for session caching.
+
 [1.6.0] - 2021-10-03
 
 * tls: Fix arguments of TLSWrappedSocket.sendto() method.
diff --git a/src/mbedtls/tls.pxd b/src/mbedtls/tls.pxd
@@ -350,7 +350,7 @@ cdef extern from "mbedtls/ssl.h" nogil:
     # mbedtls_ssl_set_hs_authmode
     const char* mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ctx)
     size_t mbedtls_ssl_get_bytes_avail(const mbedtls_ssl_context *ctx)
-    # mbedtls_ssl_get_verify_result
+    int mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl)
     const char* mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl)
     const char* mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl)
     # mbedtls_ssl_get_record_expansion
@@ -441,7 +441,7 @@ cdef class DTLSConfiguration(_BaseConfiguration):
     cdef _set_cookie(self, _DTLSCookie cookie)
 
 
-cdef class _TLSSession:
+cdef class TLSSession:
     cdef mbedtls_ssl_session _ctx
 
 
diff --git a/src/mbedtls/tls.pyx b/src/mbedtls/tls.pyx
@@ -1151,7 +1151,7 @@ cdef class DTLSConfiguration(_BaseConfiguration):
 DEFAULT_CIPHER_LIST = None
 
 
-cdef class _TLSSession:
+cdef class TLSSession:
     def __cinit__(self):
         """Initialize SSL session structure."""
         _tls.mbedtls_ssl_session_init(&self._ctx)
@@ -1163,6 +1163,24 @@ cdef class _TLSSession:
     def __getstate__(self):
         raise TypeError(f"cannot pickle {self.__class__.__name__!r} object")
 
+    def __repr__(self):
+        return "%s()" % type(self).__name__
+
+    def save(self, ClientContext context):
+        try:
+            _exc.check_error(
+                _tls.mbedtls_ssl_get_session(&context._ctx, &self._ctx)
+            )
+        except _exc.TLSError as exc:
+            raise ValueError(context) from exc
+
+    def resume(self, _BaseConfiguration configuration not None):
+        cdef ClientContext client = ClientContext(configuration)
+        _exc.check_error(
+            _tls.mbedtls_ssl_set_session(&client._ctx, &self._ctx)
+        )
+        return client
+
 
 cdef class _BaseContext:
     # _pep543._BaseContext
@@ -1204,6 +1222,10 @@ cdef class _BaseContext:
     def _purpose(self):
         return Purpose(self._conf._ctx.endpoint)
 
+    @property
+    def _verified(self):
+        return _tls.mbedtls_ssl_get_verify_result(&self._ctx) == 0
+
     def _reset(self):
         _exc.check_error(_tls.mbedtls_ssl_session_reset(&self._ctx))
 
diff --git a/tests/test_tls.py b/tests/test_tls.py
@@ -19,7 +19,7 @@
 from mbedtls.tls import _enable_debug_output
 from mbedtls.tls import _PSKSToreProxy as PSKStoreProxy
 from mbedtls.tls import _set_debug_level
-from mbedtls.tls import _TLSSession as TLSSession
+from mbedtls.tls import TLSSession
 from mbedtls.x509 import CRT, CSR, BasicConstraints
 
 try:
@@ -55,6 +55,12 @@ def __exit__(self, *exc_info):
     def __del__(self):
         self.stop()
 
+    @property
+    def context(self):
+        if self._sock is None:
+            return None
+        return self._sock.context
+
     def do_handshake(self):
         if not self._sock:
             return
@@ -110,6 +116,12 @@ def __exit__(self, *exc_info):
     def __del__(self):
         self.stop()
 
+    @property
+    def context(self):
+        if self._sock is None:
+            return None
+        return self._sock.context
+
     def start(self):
         if self._sock:
             self.stop()
@@ -356,6 +368,15 @@ def test_serialization(self, header):
         assert TLSRecordHeader.from_bytes(serialized) == header
 
 
+class TestTLSSession:
+    @pytest.fixture
+    def session(self):
+        return TLSSession()
+
+    def test_repr(self, session):
+        assert isinstance(repr(session), str)
+
+
 class Chain:
     @pytest.fixture(scope="class")
     def now(self):
@@ -862,3 +883,22 @@ def test_client_server(self, client, buffer, chunksize):
                 break
 
         assert client.echo(buffer, chunksize) == buffer
+
+    @pytest.mark.timeout(10)
+    @pytest.mark.usefixtures("server")
+    @pytest.mark.parametrize("ciphers", (ciphers_available(),), indirect=True)
+    def test_session_caching(self, client, cli_conf):
+        while True:
+            try:
+                client.do_handshake()
+            except (WantReadError, WantWriteError):
+                pass
+            else:
+                break
+
+        session = TLSSession()
+        session.save(client.context)
+
+        new_context = session.resume(cli_conf)
+        assert isinstance(new_context, ClientContext)
+        assert new_context._verified
