ssl: Add value 'save' to reuse_sessions and reuse_session client option

We want to be able to save a specific session to reuse, and make sure
it is reusable immediatly when the connection has been established.

Add client option {reuse_session, SessionID::binary()}

We also do not want clients to save sessions that it did not verify.

Additionaly change behaviour of the client and server to not save sessions
if reuse_session is set to false.

5 files changed, 97 insertions, 32 deletions

diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 03a1e40bfc..29129d4b6c 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -891,8 +891,6 @@ handle_options(Opts0, Role, Host) ->
 			     {list, [{mode, list}]}], Opts0),
     assert_proplist(Opts),
     RecordCb = record_cb(Opts),
-
-    ReuseSessionFun = fun(_, _, _, _) -> true end,
     CaCerts = handle_option(cacerts, Opts, undefined),
 
     {Verify, FailIfNoPeerCert, CaCertDefault, VerifyFun, PartialChainHanlder, VerifyClientOnce} =
@@ -945,9 +943,8 @@ handle_options(Opts0, Role, Host) ->
 									     default_option_role(server, 
 												 tls_v1:default_signature_algs(Versions), Role)),
 							 tls_version(RecordCb:highest_protocol_version(Versions))), 
-		    %% Server side option
-		    reuse_session = handle_option(reuse_session, Opts, ReuseSessionFun),
-		    reuse_sessions = handle_option(reuse_sessions, Opts, true),
+                    reuse_sessions = handle_reuse_sessions_option(reuse_sessions, Opts, Role),
+		    reuse_session = handle_reuse_session_option(reuse_session, Opts, Role),
 		    secure_renegotiate = handle_option(secure_renegotiate, Opts, true),
 		    client_renegotiation = handle_option(client_renegotiation, Opts, 
 							 default_option_role(server, true, Role), 
@@ -1138,11 +1135,16 @@ validate_option(srp_identity, {Username, Password})
     {unicode:characters_to_binary(Username),
      unicode:characters_to_binary(Password)};
 
+validate_option(reuse_session, undefined) ->
+    undefined;
 validate_option(reuse_session, Value) when is_function(Value) ->
     Value;
+validate_option(reuse_session, Value) when is_binary(Value) ->
+    Value;
 validate_option(reuse_sessions, Value) when is_boolean(Value) ->
     Value;
-
+validate_option(reuse_sessions, save = Value) ->
+    Value;
 validate_option(secure_renegotiate, Value) when is_boolean(Value) ->
     Value;
 validate_option(client_renegotiation, Value) when is_boolean(Value) ->
@@ -1265,6 +1267,26 @@ handle_hashsigns_option(_, Version) when Version >= {3, 3} ->
 handle_hashsigns_option(_, _Version) ->
     undefined.
 
+handle_reuse_sessions_option(Key, Opts, client) ->
+    Value = proplists:get_value(Key, Opts, true),
+    validate_option(Key, Value),
+    Value;
+handle_reuse_sessions_option(Key, Opts0, server) ->
+    Opts = proplists:delete({Key, save}, Opts0),
+    Value = proplists:get_value(Key, Opts, true),
+    validate_option(Key, Value),
+    Value.
+
+handle_reuse_session_option(Key, Opts, client) ->
+    Value = proplists:get_value(Key, Opts, undefined),
+    validate_option(Key, Value),
+    Value;
+handle_reuse_session_option(Key, Opts, server) ->
+    ReuseSessionFun = fun(_, _, _, _) -> true end,
+    Value = proplists:get_value(Key, Opts, ReuseSessionFun),
+    validate_option(Key, Value),
+    Value.
+
 validate_options([]) ->
 	[];
 validate_options([{Opt, Value} | Tail]) ->
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 0529194f82..7d7da2dcec 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -2406,22 +2406,35 @@ session_handle_params(#server_ecdh_params{curve = ECCurve}, Session) ->
 session_handle_params(_, Session) ->
     Session.
 
-handle_session(Role = server, SslOpts, Host, Port, Session0) ->
-    register_session(Role, host_id(Role, Host, SslOpts), Port, Session0);
-handle_session(Role = client, #ssl_options{verify = verify_peer} = SslOpts, Host, Port, Session0) ->
-    register_session(Role, host_id(Role, Host, SslOpts), Port, Session0);
-handle_session(client, _, _, _, Session0) ->
-    Session0.
-
-register_session(client, Host, Port, #session{is_resumable = new} = Session0) ->
+handle_session(Role = server, #ssl_options{reuse_sessions = true} = SslOpts, 
+               Host, Port, Session0) ->
+    register_session(Role, host_id(Role, Host, SslOpts), Port, Session0, true);
+handle_session(Role = client, #ssl_options{verify = verify_peer,
+                                           reuse_sessions = Reuse} = SslOpts, 
+               Host, Port, Session0) when Reuse =/= false ->
+    register_session(Role, host_id(Role, Host, SslOpts), Port, Session0, reg_type(Reuse));
+handle_session(server, _, Host, Port, Session) ->
+    %% Remove "session of type new" entry from session DB 
+    ssl_manager:invalidate_session(Host, Port, Session),
+    Session;
+handle_session(client, _,_,_, Session) ->
+    %% In client case there is no entry yet, so nothing to remove
+    Session.
+
+reg_type(save) ->
+    true;
+reg_type(true) ->
+    unique.
+
+register_session(client, Host, Port, #session{is_resumable = new} = Session0, Save) ->
     Session = Session0#session{is_resumable = true},
-    ssl_manager:register_session(Host, Port, Session),
+    ssl_manager:register_session(Host, Port, Session, Save),
     Session;
-register_session(server, _, Port, #session{is_resumable = new} = Session0) ->
+register_session(server, _, Port, #session{is_resumable = new} = Session0, _) ->
     Session = Session0#session{is_resumable = true},
     ssl_manager:register_session(Port, Session),
     Session;
-register_session(_, _, _, Session) ->
+register_session(_, _, _, Session, _) ->
     Session. %% Already registered
 
 host_id(client, _Host, #ssl_options{server_name_indication = Hostname}) when is_list(Hostname) ->
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index 63e751440a..91623db79e 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -111,10 +111,10 @@
 	  %% Local policy for the server if it want's to reuse the session
 	  %% or not. Defaluts to allways returning true.
 	  %% fun(SessionId, PeerCert, Compression, CipherSuite) -> boolean()
-	  reuse_session,  
+	  reuse_session        :: fun() | binary() | undefined, %% Server side is a fun()
 	  %% If false sessions will never be reused, if true they
 	  %% will be reused if possible.
-	  reuse_sessions       :: boolean(),
+	  reuse_sessions       :: boolean() | save,  %% Only client side can use value save
 	  renegotiate_at,
 	  secure_renegotiate,
 	  client_renegotiation,
@@ -148,6 +148,8 @@
           max_handshake_size         :: integer(),
           handshake,
           customize_hostname_check
+    %%                 ,
+      %%    save_session               :: boolean()            
          }).
 
 -record(socket_options,
diff --git a/lib/ssl/src/ssl_manager.erl b/lib/ssl/src/ssl_manager.erl
index 4b735b2400..dcd26635c0 100644
--- a/lib/ssl/src/ssl_manager.erl
+++ b/lib/ssl/src/ssl_manager.erl
@@ -30,7 +30,7 @@
 	 connection_init/3, cache_pem_file/2,
 	 lookup_trusted_cert/4,
 	 new_session_id/1, clean_cert_db/2,
-	 register_session/2, register_session/3, invalidate_session/2,
+	 register_session/2, register_session/4, invalidate_session/2,
 	 insert_crls/2, insert_crls/3, delete_crls/1, delete_crls/2, 
 	 invalidate_session/3, name/1]).
 
@@ -170,9 +170,11 @@ clean_cert_db(Ref, File) ->
 %%
 %% Description: Make the session available for reuse.
 %%--------------------------------------------------------------------
--spec register_session(host(), inet:port_number(), #session{}) -> ok.
-register_session(Host, Port, Session) ->
-    cast({register_session, Host, Port, Session}).
+-spec register_session(host(), inet:port_number(), #session{}, unique | true) -> ok.
+register_session(Host, Port, Session, true) ->
+    call({register_session, Host, Port, Session});
+register_session(Host, Port, Session, unique = Save) ->
+    cast({register_session, Host, Port, Session, Save}).
 
 -spec register_session(inet:port_number(), #session{}) -> ok.
 register_session(Port, Session) ->
@@ -301,7 +303,10 @@ handle_call({{new_session_id, Port}, _},
 	    _, #state{session_cache_cb = CacheCb,
 		      session_cache_server = Cache} = State) ->
     Id = new_id(Port, ?GEN_UNIQUE_ID_MAX_TRIES, Cache, CacheCb),
-    {reply, Id, State}.
+    {reply, Id, State};
+handle_call({{register_session, Host, Port, Session},_}, _, State0) ->
+    State = client_register_session(Host, Port, Session, State0), 
+    {reply, ok, State}.
 
 %%--------------------------------------------------------------------
 -spec  handle_cast(msg(), #state{}) -> {noreply, #state{}}.
@@ -311,8 +316,12 @@ handle_call({{new_session_id, Port}, _},
 %%
 %% Description: Handling cast messages
 %%--------------------------------------------------------------------
-handle_cast({register_session, Host, Port, Session}, State0) ->
-    State = ssl_client_register_session(Host, Port, Session, State0), 
+handle_cast({register_session, Host, Port, Session, unique}, State0) ->
+    State = client_register_unique_session(Host, Port, Session, State0), 
+    {noreply, State};
+
+handle_cast({register_session, Host, Port, Session, true}, State0) ->
+    State = client_register_session(Host, Port, Session, State0), 
     {noreply, State};
 
 handle_cast({register_session, Port, Session}, State0) ->    
@@ -540,10 +549,10 @@ clean_cert_db(Ref, CertDb, RefDb, FileMapDb, File) ->
 	    ok
     end.
 
-ssl_client_register_session(Host, Port, Session, #state{session_cache_client = Cache,
-							session_cache_cb = CacheCb,
-							session_cache_client_max = Max,
-							session_client_invalidator = Pid0} = State) ->
+client_register_unique_session(Host, Port, Session, #state{session_cache_client = Cache,
+                                                           session_cache_cb = CacheCb,
+                                                           session_cache_client_max = Max,
+                                                           session_client_invalidator = Pid0} = State) ->
     TimeStamp = erlang:monotonic_time(),
     NewSession = Session#session{time_stamp = TimeStamp},
     
@@ -557,6 +566,17 @@ ssl_client_register_session(Host, Port, Session, #state{session_cache_client = C
 	    register_unique_session(Sessions, NewSession, {Host, Port}, State)
     end.
 
+client_register_session(Host, Port, Session, #state{session_cache_client = Cache,
+                                                    session_cache_cb = CacheCb,
+                                                    session_cache_client_max = Max,
+                                                    session_client_invalidator = Pid0} = State) ->
+    TimeStamp = erlang:monotonic_time(),
+    NewSession = Session#session{time_stamp = TimeStamp},
+    Pid = do_register_session({{Host, Port}, 
+                               NewSession#session.session_id}, 
+                              NewSession, Max, Pid0, Cache, CacheCb),
+    State#state{session_client_invalidator = Pid}.
+
 server_register_session(Port, Session, #state{session_cache_server_max = Max,
 					      session_cache_server = Cache,
 					      session_cache_cb = CacheCb,
diff --git a/lib/ssl/src/ssl_session.erl b/lib/ssl/src/ssl_session.erl
index c9607489e9..a9759c9b43 100644
--- a/lib/ssl/src/ssl_session.erl
+++ b/lib/ssl/src/ssl_session.erl
@@ -53,6 +53,13 @@ is_new(_ClientSuggestion, _ServerDecision) ->
 %% Description: Should be called by the client side to get an id
 %%              for the client hello message.
 %%--------------------------------------------------------------------
+client_id({Host, Port, #ssl_options{reuse_session = SessionId}}, Cache, CacheCb, _) when is_binary(SessionId)->
+    case CacheCb:lookup(Cache, {{Host, Port}, SessionId}) of
+        undefined ->
+	    <<>>;
+	#session{} ->
+	    SessionId
+    end;
 client_id(ClientInfo, Cache, CacheCb, OwnCert) ->
     case select_session(ClientInfo, Cache, CacheCb, OwnCert) of
 	no_session ->
@@ -91,7 +98,8 @@ server_id(Port, SuggestedId, Options, Cert, Cache, CacheCb) ->
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
-select_session({_, _, #ssl_options{reuse_sessions=false}}, _Cache, _CacheCb, _OwnCert) ->
+select_session({_, _, #ssl_options{reuse_sessions = Reuse}}, _Cache, _CacheCb, _OwnCert) when Reuse =/= true ->
+    %% If reuse_sessions == true | save a new session should be created
     no_session;
 select_session({HostIP, Port, SslOpts}, Cache, CacheCb, OwnCert) ->
     Sessions = CacheCb:select_session(Cache, {HostIP, Port}),
@@ -132,7 +140,7 @@ is_resumable(SuggestedSessionId, Port, #ssl_options{reuse_session = ReuseFun} =
 		false -> {false, undefined}
 	    end;
 	undefined ->
-	    {false, undefined}
+ 	    {false, undefined}
     end.
 
 resumable(new) ->