1 files changed, 74 insertions, 87 deletions
diff --git a/lib/ssl/src/ssl_session.erl b/lib/ssl/src/ssl_session.erl
index bf738649f6..c9607489e9 100644
--- a/lib/ssl/src/ssl_session.erl
+++ b/lib/ssl/src/ssl_session.erl
@@ -1,18 +1,19 @@
 %%
 %% %CopyrightBegin%
 %% 
-%% Copyright Ericsson AB 2007-2011. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2016. All Rights Reserved.
 %% 
-%% The contents of this file are subject to the Erlang Public License,
-%% Version 1.1, (the "License"); you may not use this file except in
-%% compliance with the License. You should have received a copy of the
-%% Erlang Public License along with this software. If not, it can be
-%% retrieved online at http://www.erlang.org/.
-%% 
-%% Software distributed under the License is distributed on an "AS IS"
-%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
-%% the License for the specific language governing rights and limitations
-%% under the License.
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
 %% 
 %% %CopyrightEnd%
 %%
@@ -28,9 +29,7 @@
 -include("ssl_internal.hrl").
 
 %% Internal application API
--export([is_new/2, id/4, id/7, valid_session/2]).
-
--define(GEN_UNIQUE_ID_MAX_TRIES, 10).
+-export([is_new/2, client_id/4, server_id/6, valid_session/2]).
 
 -type seconds()   :: integer(). 
 
@@ -48,13 +47,13 @@ is_new(_ClientSuggestion, _ServerDecision) ->
     true.
 
 %%--------------------------------------------------------------------
--spec id({host(), inet:port_number(), #ssl_options{}}, db_handle(), atom(),
+-spec client_id({host(), inet:port_number(), #ssl_options{}}, db_handle(), atom(),
 	 undefined | binary()) -> binary().
 %%
-%% Description: Should be called by the client side to get an id 
+%% Description: Should be called by the client side to get an id
 %%              for the client hello message.
 %%--------------------------------------------------------------------
-id(ClientInfo, Cache, CacheCb, OwnCert) ->
+client_id(ClientInfo, Cache, CacheCb, OwnCert) ->
     case select_session(ClientInfo, Cache, CacheCb, OwnCert) of
 	no_session ->
 	    <<>>;
@@ -62,99 +61,87 @@ id(ClientInfo, Cache, CacheCb, OwnCert) ->
 	    SessionId
     end.
 
-%%--------------------------------------------------------------------
--spec id(inet:port_number(), binary(), #ssl_options{}, db_handle(),
-	 atom(), seconds(), binary()) -> binary().
-%%
-%% Description: Should be called by the server side to get an id 
-%%              for the server hello message.
-%%--------------------------------------------------------------------
-id(Port, <<>>, _, Cache, CacheCb, _, _) ->
-    new_id(Port, ?GEN_UNIQUE_ID_MAX_TRIES, Cache, CacheCb);
-
-id(Port, SuggestedSessionId, #ssl_options{reuse_sessions = ReuseEnabled,
-					  reuse_session = ReuseFun}, 
-   Cache, CacheCb, SecondLifeTime, OwnCert) ->
-    case is_resumable(SuggestedSessionId, Port, ReuseEnabled, 
-		      ReuseFun, Cache, CacheCb, SecondLifeTime, OwnCert) of
-	true ->
-	    SuggestedSessionId;
-	false ->
-	    new_id(Port, ?GEN_UNIQUE_ID_MAX_TRIES, Cache, CacheCb)
-    end.
-%%--------------------------------------------------------------------
--spec valid_session(#session{}, seconds()) -> boolean().
+-spec valid_session(#session{}, seconds() | {invalidate_before, integer()}) -> boolean().
 %%
 %% Description: Check that the session has not expired
 %%--------------------------------------------------------------------
+valid_session(#session{time_stamp = TimeStamp}, {invalidate_before, Before}) ->
+    TimeStamp > Before;
 valid_session(#session{time_stamp = TimeStamp}, LifeTime) ->
-    Now =  calendar:datetime_to_gregorian_seconds({date(), time()}),
-    Now - TimeStamp < LifeTime.
+    Now = erlang:monotonic_time(),
+    Lived = erlang:convert_time_unit(Now-TimeStamp, native, seconds),
+    Lived < LifeTime.
+
+server_id(Port, <<>>, _SslOpts, _Cert, _, _) ->
+    {ssl_manager:new_session_id(Port), undefined};
+server_id(Port, SuggestedId, Options, Cert, Cache, CacheCb) ->
+    LifeTime = case application:get_env(ssl, session_lifetime) of
+		   {ok, Time} when is_integer(Time) -> Time;
+		   _ -> ?'24H_in_sec'
+	       end,
+    case is_resumable(SuggestedId, Port, Options,
+		      Cache, CacheCb, LifeTime, Cert)
+    of
+	{true, Resumed} ->
+	    {SuggestedId, Resumed};
+	{false, undefined} ->
+	    {ssl_manager:new_session_id(Port), undefined}
+    end.
 
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
+select_session({_, _, #ssl_options{reuse_sessions=false}}, _Cache, _CacheCb, _OwnCert) ->
+    no_session;
 select_session({HostIP, Port, SslOpts}, Cache, CacheCb, OwnCert) ->
     Sessions = CacheCb:select_session(Cache, {HostIP, Port}),
     select_session(Sessions, SslOpts, OwnCert).
 
 select_session([], _, _) ->
     no_session;
-
-select_session(Sessions, #ssl_options{ciphers = Ciphers,
-				      reuse_sessions = ReuseSession}, OwnCert) ->
-    IsResumable = 
- 	fun(Session) -> 
- 		ReuseSession andalso (Session#session.is_resumable) andalso  
- 		    lists:member(Session#session.cipher_suite, Ciphers)
-		    andalso (OwnCert == Session#session.own_certificate)
+select_session(Sessions, #ssl_options{ciphers = Ciphers}, OwnCert) ->
+    IsNotResumable =
+	fun(Session) ->
+		not (resumable(Session#session.is_resumable) andalso
+		     lists:member(Session#session.cipher_suite, Ciphers)
+		     andalso (OwnCert == Session#session.own_certificate))
  	end,
-    case [Id || [Id, Session] <- Sessions, IsResumable(Session)] of
- 	[] ->
- 	    no_session;
- 	List ->
- 	    hd(List)
-    end.
-
-%% If we can not generate a not allready in use session ID in
-%% ?GEN_UNIQUE_ID_MAX_TRIES we make the new session uncacheable The
-%% value of ?GEN_UNIQUE_ID_MAX_TRIES is stolen from open SSL which
-%% states : "If we can not find a session id in
-%% ?GEN_UNIQUE_ID_MAX_TRIES either the RAND code is broken or someone
-%% is trying to open roughly very close to 2^128 (or 2^256) SSL
-%% sessions to our server"
-new_id(_, 0, _, _) ->
-    <<>>;
-new_id(Port, Tries, Cache, CacheCb) ->
-    Id = crypto:rand_bytes(?NUM_OF_SESSION_ID_BYTES),
-    case CacheCb:lookup(Cache, {Port, Id}) of
-	undefined ->
-	    Now =  calendar:datetime_to_gregorian_seconds({date(), time()}),
-	    %% New sessions can not be set to resumable
-	    %% until handshake is compleate and the
-	    %% other session values are set.
-	    CacheCb:update(Cache, {Port, Id}, #session{session_id = Id,
-						       is_resumable = false,
-						       time_stamp = Now}),
-	    Id;
-	_ ->
-	    new_id(Port, Tries - 1, Cache, CacheCb)
+    case lists:dropwhile(IsNotResumable, Sessions) of
+	[] ->   no_session;
+	[Session | _] -> Session#session.session_id
     end.
 
-is_resumable(SuggestedSessionId, Port, ReuseEnabled, ReuseFun, Cache, 
+is_resumable(_, _, #ssl_options{reuse_sessions = false}, _, _, _, _) ->
+    {false, undefined};
+is_resumable(SuggestedSessionId, Port, #ssl_options{reuse_session = ReuseFun} = Options, Cache,
 	     CacheCb, SecondLifeTime, OwnCert) ->
     case CacheCb:lookup(Cache, {Port, SuggestedSessionId}) of
 	#session{cipher_suite = CipherSuite,
 		 own_certificate = SessionOwnCert,
 		 compression_method = Compression,
-		 is_resumable = Is_resumable,
+		 is_resumable = IsResumable,
 		 peer_certificate = PeerCert} = Session ->
-	    ReuseEnabled 
-		andalso Is_resumable  
+	    case resumable(IsResumable)
 		andalso (OwnCert == SessionOwnCert)
-		andalso valid_session(Session, SecondLifeTime) 
-		andalso ReuseFun(SuggestedSessionId, PeerCert, 
-				 Compression, CipherSuite);
+		andalso valid_session(Session, SecondLifeTime)
+		andalso reusable_options(Options, Session)
+		andalso ReuseFun(SuggestedSessionId, PeerCert,
+				 Compression, CipherSuite)
+	    of
+		true  -> {true, Session};
+		false -> {false, undefined}
+	    end;
 	undefined ->
-	    false
+	    {false, undefined}
     end.
+
+resumable(new) ->
+    false;
+resumable(IsResumable) ->
+    IsResumable.
+
+reusable_options(#ssl_options{fail_if_no_peer_cert = true,
+			   verify = verify_peer}, Session) ->
+    (Session#session.peer_certificate =/= undefined);
+reusable_options(_,_) ->
+    true.