add pseudo session ID for TLS 1.3

Author: JacobBarthelmeh

src/java/com/wolfssl/provider/jsse/WolfSSLAuthStore.java

@@ -38,6 +38,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.UnrecoverableKeyException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.Date;
 import java.util.Enumeration;
@@ -96,8 +97,8 @@ protected WolfSSLAuthStore(KeyManager[] keyman, TrustManager[] trustman,
         this.currentVersion = version;
         store = new SessionStore<Integer,
                                  WolfSSLImplementSSLSession>(defaultCacheSize);
-        this.serverCtx = new WolfSSLSessionContext(this, defaultCacheSize);
-        this.clientCtx = new WolfSSLSessionContext(this, defaultCacheSize);
+        this.serverCtx = new WolfSSLSessionContext(this, defaultCacheSize, WolfSSL.WOLFSSL_SERVER_END);
+        this.clientCtx = new WolfSSLSessionContext(this, defaultCacheSize, WolfSSL.WOLFSSL_CLIENT_END);
     }
 
     /**
@@ -259,11 +260,13 @@ protected WolfSSLSessionContext getClientContext() {
     /**
      * Reset the size of the array to cache sessions
      * @param sz new array size
+     * @param side server/client side for cache resize
      */
-    protected void resizeCache(int sz) {
+    protected void resizeCache(int sz, int side) {
             SessionStore<Integer, WolfSSLImplementSSLSession> newStore =
                     new SessionStore<Integer, WolfSSLImplementSSLSession>(sz);
 
+        //@TODO check for side server/client, currently a resize is for all
         store.putAll(newStore);
         store = newStore;
     }
@@ -303,12 +306,7 @@ protected WolfSSLImplementSSLSession getSession(WolfSSLSession ssl,
             /* not found in stored sessions create a new one */
             ses = new WolfSSLImplementSSLSession(ssl, port, host, this);
             ses.setValid(true); /* new sessions marked as valid */
-            if (ssl.getSide() == WolfSSL.WOLFSSL_SERVER_END) {
-                ses.setSessionContext(serverCtx);
-            }
-            else {
-                ses.setSessionContext(clientCtx);
-            }
+            ses.setPseudoSessionId(Integer.toString(ssl.hashCode()).getBytes());
         }
         else {
             WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
@@ -328,12 +326,7 @@ protected WolfSSLImplementSSLSession getSession(WolfSSLSession ssl) {
         WolfSSLImplementSSLSession ses = new WolfSSLImplementSSLSession(ssl, this);
         if (ses != null) {
             ses.setValid(true);
-            if (ssl.getSide() == WolfSSL.WOLFSSL_SERVER_END) {
-                ses.setSessionContext(serverCtx);
-            }
-            else {
-                ses.setSessionContext(clientCtx);
-            }
+            ses.setPseudoSessionId(Integer.toString(ssl.hashCode()).getBytes());
         }
         return ses;
     }
@@ -345,49 +338,64 @@ protected WolfSSLImplementSSLSession getSession(WolfSSLSession ssl) {
      */
     protected int addSession(WolfSSLImplementSSLSession session) {
         String toHash;
+        int    hashCode = 0;
 
         if (session.getPeerHost() != null) {
             /* register into session table for resumption */
             session.fromTable = true;
             toHash = session.getPeerHost().concat(Integer.toString(
                      session.getPeerPort()));
-            store.put(toHash.hashCode(), session);
-
+            hashCode = toHash.hashCode();
+        }
+        else {
+                /* if no peer host is available then create hash key from
+                 * session id */
+                hashCode = Arrays.toString(session.getId()).hashCode();
+        }
 
+        if (hashCode != 0 && store.containsKey(hashCode) != true) {
             WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
                     "stored session in cache table (host: " +
                     session.getPeerHost() + ", port: " +
-                    session.getPeerPort() + ")");
+                    session.getPeerPort() + ") " +
+                    "hashCode = " + hashCode + " side = " + session.getSide());
+                store.put(hashCode, session);
         }
-
         return WolfSSL.SSL_SUCCESS;
     }
 
 
     /**
-     * @returns enumerated session IDs
+     * Internal function to return a list of all session ID's
+     * @param side server or client side to get list of ID's from
+     * @return enumerated session IDs
      */
-    protected Enumeration<byte[]> getAllIDs() {
+    protected Enumeration<byte[]> getAllIDs(int side) {
         List<byte[]> ret = new ArrayList<byte[]>();
 
         for (Object obj : store.values()) {
             WolfSSLImplementSSLSession current = (WolfSSLImplementSSLSession)obj;
-            ret.add(current.getId());
+            if (current.getSide() == side) {
+                ret.add(current.getId());
+            }
         }
         return Collections.enumeration(ret);
     }
 
 
     /**
      * Getter function for session with session id 'ID'
+     * @param ID the session id to search for
+     * @param side if the session is expected on the server or client side
      * @return session from the store that has session id 'ID'
      */
-    protected WolfSSLImplementSSLSession getSession(byte[] ID) {
+    protected WolfSSLImplementSSLSession getSession(byte[] ID, int side) {
         WolfSSLImplementSSLSession ret = null;
 
         for (Object obj : store.values()) {
             WolfSSLImplementSSLSession current = (WolfSSLImplementSSLSession)obj;
-            if (java.util.Arrays.equals(ID, current.getId())) {
+            if (current.getSide() == side &&
+                    java.util.Arrays.equals(ID, current.getId())) {
                 ret = current;
                 break;
             }
@@ -399,9 +407,10 @@ protected WolfSSLImplementSSLSession getSession(byte[] ID) {
     /**
      * Goes through the list of sessions and checks for timeouts. If timed out
      * then the session is invalidated.
-     * @params in the updated timeout value to check against
+     * @param in the updated timeout value to check against
+     * @param side server or client side getting the timeout update
      */
-    protected void updateTimeouts(int in) {
+    protected void updateTimeouts(int in, int side) {
         Date currentDate = new Date();
         long now = currentDate.getTime();
 
@@ -410,18 +419,20 @@ protected void updateTimeouts(int in) {
             WolfSSLImplementSSLSession current =
                 (WolfSSLImplementSSLSession)obj;
 
-            /* difference in seconds */
-            diff = (now - current.creation.getTime()) / 1000;
+            if (current.getSide() == side) {
+                /* difference in seconds */
+                diff = (now - current.creation.getTime()) / 1000;
 
-            if (diff < 0) {
+                if (diff < 0) {
                 /* session is from the future ... */ //@TODO
 
-            }
+                }
 
-            if (in > 0 && diff > in) {
-                current.invalidate();
+                if (in > 0 && diff > in) {
+                    current.invalidate();
+                }
+                current.setNativeTimeout(in);
             }
-            current.setNativeTimeout(in);
         }
     }
 

src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java

@@ -478,6 +478,15 @@ protected void initHandshake() throws SSLException {
         this.session = this.authStore.getSession(ssl, this.port, this.hostname,
             this.clientMode);
 
+        if (this.session != null && this.clientMode) {
+            this.session.setSessionContext(authStore.getClientContext());
+            this.session.setSide(WolfSSL.WOLFSSL_CLIENT_END);
+        }
+        else {
+            this.session.setSessionContext(authStore.getServerContext());
+            this.session.setSide(WolfSSL.WOLFSSL_SERVER_END);
+        }
+
         if (this.session != null && this.sessionCreation == false &&
                 !this.session.fromTable) {
             /* new handshakes can not be made in this case. */
@@ -491,8 +500,7 @@ protected void initHandshake() throws SSLException {
             throw new SSLHandshakeException("Session creation not allowed");
         }
 
-        if (this.session != null && this.clientMode == true &&
-                this.sessionCreation) {
+        if (this.session != null && this.sessionCreation) {
             /* can only add new sessions to the resumption table if session
              * creation is allowed */
             this.authStore.addSession(this.session);
@@ -564,7 +572,7 @@ protected int doHandshake(int isSSLEngine) throws SSLException {
      * Saves session on connection close for resumption
      */
     protected void saveSession() {
-        if (this.session.isValid()) {
+        if (this.session != null && this.session.isValid()) {
             this.session.setResume();
         }
     }

src/java/com/wolfssl/provider/jsse/WolfSSLImplementSSLSession.java

@@ -27,7 +27,6 @@
 import java.security.Principal;
 import java.security.cert.Certificate;
 import java.util.Date;
-import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -55,6 +54,8 @@ public class WolfSSLImplementSSLSession implements SSLSession {
     private final String host;
     Date creation;
     Date accessed; /* when new connection was made using session */
+    byte pseudoSessionID[] = null; /* used with TLS 1.3*/
+    private int side = 0;
 
     /**
      * has this session been registered
@@ -106,7 +107,17 @@ public synchronized byte[] getId() {
         if (ssl == null) {
             return new byte[0];
         }
-        return this.ssl.getSessionID();
+        try {
+            if (this.ssl.getVersion().equals("TLSv1.3")) {
+                 return this.pseudoSessionID;
+            }
+            else {
+                return this.ssl.getSessionID();
+            }
+        } catch (IllegalStateException | WolfSSLJNIException e) {
+            e.printStackTrace();
+            return null;
+        }
     }
 
     public synchronized SSLSessionContext getSessionContext() {
@@ -138,8 +149,8 @@ public boolean isValid() {
     }
 
     /**
-     * After a connection has been established or on restoring connection the session
-     * is then valid and can be joined or resumed
+     * After a connection has been established or on restoring connection the
+     * session is then valid and can be joined or resumed
      * @param in true/false valid boolean
      */
     protected void setValid(boolean in) {
@@ -376,4 +387,32 @@ protected synchronized void setResume() {
     protected void setNativeTimeout(long in) {
         ssl.setSessTimeout(in);
     }
+
+
+    /**
+     * TLS 1.3 removed session ID's, this can be used instead to
+     * search for sessions.
+     * @param id pseudo session ID at the java wrapper level
+     */
+    protected synchronized void setPseudoSessionId(byte id[]) {
+        this.pseudoSessionID = id.clone();
+    }
+
+
+    /**
+     * Sets (server/client) side of the connection for session
+     * @param in the side to be set, server or client
+     */
+    protected void setSide(int in) {
+        this.side = in;
+    }
+
+
+    /**
+     * Returns the side session is on (server/client)
+     * @return WolfSSL.* integer value of side on
+     */
+    protected int getSide() {
+        return this.side;
+    }
 }

src/java/com/wolfssl/provider/jsse/WolfSSLSessionContext.java

@@ -21,39 +21,34 @@
 
 package com.wolfssl.provider.jsse;
 
-import com.wolfssl.WolfSSL;
-import com.wolfssl.WolfSSLException;
-import com.wolfssl.WolfSSLJNIException;
-import com.wolfssl.WolfSSLSession;
 import java.util.Enumeration;
-import java.util.logging.Level;
-import java.util.logging.Logger;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSessionContext;
 
 public class WolfSSLSessionContext implements SSLSessionContext {
     private WolfSSLAuthStore store;
-    private WolfSSLSession sslCtx;
-
     private int sesTimout;
     private int sesCache;
+    private int side;
 
-    public WolfSSLSessionContext(WolfSSLAuthStore in, int defaultCacheSize) {
+    public WolfSSLSessionContext(WolfSSLAuthStore in, int defaultCacheSize,
+            int side) {
         this.store     = in;
         this.sesCache  = defaultCacheSize;
-        this.sesTimout = 86400; /* this is the default value found in SunJSSE too */
+        this.sesTimout = 86400; /* this is the default value in SunJSSE too */
+        this.side      = side;
     }
 
 
     @Override
     public SSLSession getSession(byte[] sessionId) {
-        return store.getSession(sessionId);
+        return store.getSession(sessionId, side);
     }
 
 
     @Override
     public Enumeration<byte[]> getIds() {
-        return store.getAllIDs();
+        return store.getAllIDs(side);
     }
 
 
@@ -62,7 +57,7 @@ public void setSessionTimeout(int in) throws IllegalArgumentException {
         this.sesTimout = in;
 
         /* check for any new timeouts after timeout has been set */
-        store.updateTimeouts(in);
+        store.updateTimeouts(in, this.side);
     }
 
     @Override
@@ -81,7 +76,7 @@ public void setSessionCacheSize(int in)
 
         /* resize store array if needed */
         if (this.sesCache != in) {
-            store.resizeCache(in);
+            store.resizeCache(in, this.side);
         }
         this.sesCache = in;
     }
@@ -90,5 +85,4 @@ public void setSessionCacheSize(int in)
     public int getSessionCacheSize() {
         return this.sesCache;
     }
-
 }