Merge pull request #4032 from TakayukiMatsuo/tk11968

Make wolfSSL_CTX_set_timeout reflect to Session-ticket-lifetime-hint
2026-01-29 20:42:14 +01:00 · 2021-07-07 22:26:06 +07:00
parent 7b9d6a3f5e 567d8ed704
commit 86e5287a14
3 changed files with 134 additions and 9 deletions
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -11108,7 +11108,24 @@ WOLFSSL_SESSION* wolfSSL_get_session(WOLFSSL* ssl)
    return NULL;
 }

-
+/*
+ * Sets the session object to use when establishing a TLS/SSL session using
+ * the ssl object. Therefore, this function must be called before
+ * wolfSSL_connect. The session object to use can be obtained in a previous
+ * TLS/SSL connection using wolfSSL_get_session.
+ *
+ * This function rejects the session if it has been expired when this function
+ * is called. Note that this expiration check is wolfSSL specific and differs
+ * from OpenSSL return code behavior.
+ *
+ * By default, wolfSSL_set_session returns WOLFSSL_SUCCESS on successfully
+ * setting the session, WOLFSSL_FAILURE on failure due to the session cache
+ * being disabled, or the session has expired.
+ *
+ * To match OpenSSL return code behavior when session is expired, define
+ * OPENSSL_EXTRA and WOLFSSL_ERROR_CODE_OPENSSL. This behavior will return
+ * WOLFSSL_SUCCESS even when the session is expired and rejected.
+ */
 WOLFSSL_ABI
 int wolfSSL_set_session(WOLFSSL* ssl, WOLFSSL_SESSION* session)
 {
@@ -13663,18 +13680,65 @@ int wolfSSL_set_timeout(WOLFSSL* ssl, unsigned int to)
 }


-/* set ctx session timeout in seconds */
+/**
+ * Sets ctx session timeout in seconds.
+ * The timeout value set here should be reflected in the
+ * "session ticket lifetime hint" if this API works in the openssl compat-layer.
+ * Therefore wolfSSL_CTX_set_TicketHint is called internally.
+ * Arguments:
+ *  - ctx  WOLFSSL_CTX object which the timeout is set to
+ *  - to   timeout value in second
+ * Returns:
+ *  WOLFSSL_SUCCESS on success, BAD_FUNC_ARG on failure.
+ *  When WOLFSSL_ERROR_CODE_OPENSSL is defined, returns previous timeout value
+ *  on success, BAD_FUNC_ARG on failure.
+ */
 WOLFSSL_ABI
 int wolfSSL_CTX_set_timeout(WOLFSSL_CTX* ctx, unsigned int to)
 {
+    #if defined(WOLFSSL_ERROR_CODE_OPENSSL)
+    word32 prev_timeout;
+    #endif
+
+    int ret = WOLFSSL_SUCCESS;
+    (void)ret;
+
    if (ctx == NULL)
-        return BAD_FUNC_ARG;
+        ret = BAD_FUNC_ARG;

-    if (to == 0)
-        to = WOLFSSL_SESSION_TIMEOUT;
-    ctx->timeout = to;
+    if (ret == WOLFSSL_SUCCESS) {
+    #if defined(WOLFSSL_ERROR_CODE_OPENSSL)
+        prev_timeout = ctx->timeout;
+    #endif
+        if (to == 0) {
+            ctx->timeout = WOLFSSL_SESSION_TIMEOUT;
+        }
+        else {
+            ctx->timeout = to;
+        }
+    }
+#if defined(OPENSSL_EXTRA) && defined(HAVE_SESSION_TICKET) && \
+   !defined(NO_WOLFSSL_SERVER)
+    if (ret == WOLFSSL_SUCCESS) {
+        if (to == 0) {
+            ret = wolfSSL_CTX_set_TicketHint(ctx, SESSION_TICKET_HINT_DEFAULT);
+        }
+        else {
+            ret = wolfSSL_CTX_set_TicketHint(ctx, to);
+        }
+    }
+#endif /* OPENSSL_EXTRA && HAVE_SESSION_TICKET && !NO_WOLFSSL_SERVER */

-    return WOLFSSL_SUCCESS;
+#if defined(WOLFSSL_ERROR_CODE_OPENSSL)
+    if (ret == WOLFSSL_SUCCESS) {
+        return prev_timeout;
+    }
+    else {
+        return ret;
+    }
+#else
+    return ret;
+#endif /* WOLFSSL_ERROR_CODE_OPENSSL */
 }


@@ -14048,7 +14112,14 @@ int SetSession(WOLFSSL* ssl, WOLFSSL_SESSION* session)

        return ret;
    }
-    return WOLFSSL_FAILURE;  /* session timed out */
+    else {
+#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_ERROR_CODE_OPENSSL)
+        WOLFSSL_MSG("Session is expired but return success for \
+                              OpenSSL compatibility");
+        return WOLFSSL_SUCCESS;
+#endif /* OPENSSL_EXTRA && WOLFSSL_ERROR_CODE_OPENSSL */
+        return WOLFSSL_FAILURE;  /* session timed out */
+    }
 }