From c8ec56b58ad5c6ff02c6b212598c0fc2eb422e0f Mon Sep 17 00:00:00 2001
From: Maximilian Fridrich
Date: Mon, 25 Mar 2024 08:40:15 +0100
Subject: [PATCH] tls: add session resumption setter (#1091)

---
 include/re_tls.h      |  8 ++++++++
 src/tls/openssl/tls.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)

diff --git a/include/re_tls.h b/include/re_tls.h
index 61e28548f..eb944e57e 100644
--- a/include/re_tls.h
+++ b/include/re_tls.h
@@ -28,6 +28,13 @@ enum tls_keytype {
 	TLS_KEYTYPE_EC,
 };
 
+enum tls_resume_mode {
+	TLS_RESUMPTION_NONE = 0,
+	TLS_RESUMPTION_IDS = (1 << 0),
+	TLS_RESUMPTION_TICKETS = (1 << 1),
+	TLS_RESUMPTION_ALL = TLS_RESUMPTION_IDS | TLS_RESUMPTION_TICKETS,
+};
+
 struct tls_conn_d {
 	int (*verifyh) (int ok, void *arg);
 	void *arg;
@@ -75,6 +82,7 @@ int tls_get_issuer(struct tls *tls, struct mbuf *mb);
 int tls_get_subject(struct tls *tls, struct mbuf *mb);
 void tls_disable_verify_server(struct tls *tls);
 void tls_enable_verify_client(struct tls *tls, bool enable);
+int tls_set_resumption(struct tls *tls, const enum tls_resume_mode mode);
 int tls_set_min_proto_version(struct tls *tls, int version);
 int tls_set_max_proto_version(struct tls *tls, int version);
 
diff --git a/src/tls/openssl/tls.c b/src/tls/openssl/tls.c
index a5b983ae9..1d9fb50cb 100644
--- a/src/tls/openssl/tls.c
+++ b/src/tls/openssl/tls.c
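Review bot: The new `enum tls_resume_mode` in re_tls.h is undocumented, and a caller cannot tell from the names what IDS and TICKETS select or what the default state of a fresh `struct tls` is; a short per-member comment would help, e.g. `TLS_RESUMPTION_IDS, /* server-side session cache (session IDs) */` and `TLS_RESUMPTION_TICKETS, /* RFC 5077 session tickets */`, plus a line on `TLS_RESUMPTION_NONE` stating it disables both. On the prototype, `const enum tls_resume_mode mode` qualifies a by-value parameter, which is a definition detail with no effect on callers; the header convention in this hunk (`bool enable`, `int version`) is to omit it, so `int tls_set_resumption(struct tls *tls, enum tls_resume_mode mode);` would match the neighbouring declarations.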
@@ -2190,3 +2190,45 @@ int tls_verify_client_post_handshake(struct tls_conn *tc)
 	return err;
 }
 
+
+
+/**
+ * Set TLS session resumption mode
+ *
+ * @param tls  TLS Object
+ * @param mode TLS session resumption mode
+ *
+ * @return 0 if success, otherwise errorcode
+ */
+int tls_set_resumption(struct tls *tls, const enum tls_resume_mode mode)
+{
+	long ok = 1;
+
+	if (!tls)
+		return EINVAL;
+
+	if (mode & TLS_RESUMPTION_IDS) {
+		ok = SSL_CTX_set_session_cache_mode(tls->ctx,
+						    SSL_SESS_CACHE_SERVER);
+	}
+	else {
+		ok = SSL_CTX_set_session_cache_mode(tls->ctx,
+						    SSL_SESS_CACHE_OFF);
+	}
+
+	if (mode & TLS_RESUMPTION_TICKETS) {
+		ok |= SSL_CTX_clear_options(tls->ctx, SSL_OP_NO_TICKET);
+		ok |= SSL_CTX_set_num_tickets(tls->ctx, 2);
+	}
+	else {
+		ok |= SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TICKET);
+		ok |= SSL_CTX_set_num_tickets(tls->ctx, 0);
+	}
+
+	if (!ok) {
+		ERR_clear_error();
+		return EFAULT;
+	}
+
+	return 0;
+}
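Review bot: The `if (!ok)` check at the end of tls_set_resumption is not a reliable error test, because `ok` OR-s together values with different meanings: SSL_CTX_set_session_cache_mode returns the previous cache mode (0 when it was off), SSL_CTX_set_options and SSL_CTX_clear_options return the resulting option bitmask, and only SSL_CTX_set_num_tickets returns a 1/0 success flag. As written, a failing SSL_CTX_set_num_tickets is masked whenever any of the other calls returned a non-zero mask, so EFAULT can be returned for a state that is fine and 0 for one that is not. Only the ticket-count call reports a status, so the check should be keyed on it alone, with the other return values discarded; the comment `/* the cache-mode and option setters return state, not a status */` would explain why they are not checked. Two further points worth documenting in the function header: the mode only affects the server-side cache (SSL_SESS_CACHE_SERVER; client-side caching is untouched), and under TLS 1.3 OpenSSL carries resumption exclusively in NewSessionTicket messages, so with `TLS_RESUMPTION_IDS` alone and zero tickets TLS 1.3 peers will, as far as I can tell, get no resumption at all. SSL_CTX_set_num_tickets also requires OpenSSL 1.1.1 or later; if the project still builds against older releases that needs a version guard.
```c
	/* the cache-mode and option setters return state, not a status */
	if (mode & TLS_RESUMPTION_IDS)
		SSL_CTX_set_session_cache_mode(tls->ctx, SSL_SESS_CACHE_SERVER);
	else
		SSL_CTX_set_session_cache_mode(tls->ctx, SSL_SESS_CACHE_OFF);

	if (mode & TLS_RESUMPTION_TICKETS) {
		SSL_CTX_clear_options(tls->ctx, SSL_OP_NO_TICKET);
		ok = SSL_CTX_set_num_tickets(tls->ctx, 2);
	}
	else {
		SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TICKET);
		ok = SSL_CTX_set_num_tickets(tls->ctx, 0);
	}

	/* … unchanged: ERR_clear_error()/EFAULT on !ok, return 0 … */
```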