[BB10-internal] QSslConfiguration: add API to persist and resume SSL sessions

Session tickets can be cached on the client side for hours (e.g.
graph.facebook.com: ~ 24 hours, api.twitter.com: 4 hours), because the
server does not need to maintain state.
We need public API for it so an application can cache the session (e.g.
to disk) and resume a session already with the 1st handshake, saving
one network round trip.

Task-number: QTBUG-20668
(backport of commit 3be197881f100d1c3c8f3ce00501d7a32eb51119)

Change-Id: I4c7f3a749edf0012b52deeb495706e550d24c42d
Signed-off-by: Peter Hartmann <[email protected]>

Author: phartmann

src/network/access/qhttpnetworkrequest.cpp

@@ -50,6 +50,7 @@ QHttpNetworkRequestPrivate::QHttpNetworkRequestPrivate(QHttpNetworkRequest::Oper
         QHttpNetworkRequest::Priority pri, const QUrl &newUrl)
     : QHttpNetworkHeaderPrivate(newUrl), operation(op), priority(pri), uploadByteDevice(0),
       autoDecompress(false), pipeliningAllowed(false), withCredentials(true)
+    , m_cacheSslSession(false)
 {
 }
 
@@ -64,6 +65,7 @@ QHttpNetworkRequestPrivate::QHttpNetworkRequestPrivate(const QHttpNetworkRequest
     customVerb = other.customVerb;
     withCredentials = other.withCredentials;
     ssl = other.ssl;
+    m_cacheSslSession = other.m_cacheSslSession;
 }
 
 QHttpNetworkRequestPrivate::~QHttpNetworkRequestPrivate()
@@ -75,7 +77,8 @@ bool QHttpNetworkRequestPrivate::operator==(const QHttpNetworkRequestPrivate &ot
     return QHttpNetworkHeaderPrivate::operator==(other)
         && (operation == other.operation)
         && (ssl == other.ssl)
-        && (uploadByteDevice == other.uploadByteDevice);
+        && (uploadByteDevice == other.uploadByteDevice)
+        && (m_cacheSslSession == other.m_cacheSslSession);
 }
 
 QByteArray QHttpNetworkRequestPrivate::methodName() const
@@ -311,6 +314,16 @@ QNonContiguousByteDevice* QHttpNetworkRequest::uploadByteDevice() const
     return d->uploadByteDevice;
 }
 
+bool QHttpNetworkRequest::cacheSslSession()
+{
+    return d->m_cacheSslSession;
+}
+
+void QHttpNetworkRequest::setCacheSslSession(bool cacheSession)
+{
+    d->m_cacheSslSession = cacheSession;
+}
+
 int QHttpNetworkRequest::majorVersion() const
 {
     return 1;

src/network/access/qhttpnetworkrequest_p.h

@@ -122,6 +122,9 @@ class Q_AUTOTEST_EXPORT QHttpNetworkRequest: public QHttpNetworkHeader
     void setUploadByteDevice(QNonContiguousByteDevice *bd);
     QNonContiguousByteDevice* uploadByteDevice() const;
 
+    bool cacheSslSession();
+    void setCacheSslSession(bool cacheSession);
+
 private:
     QSharedDataPointer<QHttpNetworkRequestPrivate> d;
     friend class QHttpNetworkRequestPrivate;
@@ -150,6 +153,7 @@ class QHttpNetworkRequestPrivate : public QHttpNetworkHeaderPrivate
     bool pipeliningAllowed;
     bool withCredentials;
     bool ssl;
+    bool m_cacheSslSession;
 };
 
 

src/network/access/qhttpthreaddelegate.cpp

@@ -279,6 +279,9 @@ void QHttpThreadDelegate::startRequest()
 #endif
 #ifndef QT_NO_OPENSSL
         // Set the QSslConfiguration from this QNetworkRequest.
+        if (httpRequest.cacheSslSession())
+            incomingSslConfiguration.d->cacheSslSession = true;
+
         if (ssl && incomingSslConfiguration != QSslConfiguration::defaultConfiguration()) {
             httpConnection->setSslConfiguration(incomingSslConfiguration);
         }

src/network/access/qnetworkaccesshttpbackend.cpp

@@ -518,6 +518,9 @@ void QNetworkAccessHttpBackend::postRequest()
                              QNetworkRequest::Automatic).toInt()) == QNetworkRequest::Manual)
         httpRequest.setWithCredentials(false);
 
+    if (request().attribute(static_cast<QNetworkRequest::Attribute>(
+                                static_cast<int>(QNetworkRequest::User)-1)).toBool() == true)
+        httpRequest.setCacheSslSession(true);
 
     // Create the HTTP thread delegate
     QHttpThreadDelegate *delegate = new QHttpThreadDelegate;
@@ -544,8 +547,15 @@ void QNetworkAccessHttpBackend::postRequest()
 #endif
     delegate->ssl = ssl;
 #ifndef QT_NO_OPENSSL
-    if (ssl)
+    if (ssl) {
         delegate->incomingSslConfiguration = request().sslConfiguration();
+        QNetworkRequest::Attribute sslSessionAttribute =
+                static_cast<QNetworkRequest::Attribute>(
+                    static_cast<int>(QNetworkRequest::User)-3);
+        QByteArray sslSession = request().attribute(sslSessionAttribute).toByteArray();
+        if (!sslSession.isEmpty())
+            delegate->incomingSslConfiguration.d->sslSession = sslSession;
+    }
 #endif
 
     // Do we use synchronous HTTP?
@@ -913,6 +923,21 @@ void QNetworkAccessHttpBackend::replySslConfigurationChanged(const QSslConfigura
         *pendingSslConfiguration = c;
     else if (!c.isNull())
         pendingSslConfiguration = new QSslConfiguration(c);
+
+    if (c.d->sslSession.size() > 0) {
+        QNetworkRequest::Attribute sslSessionAttribute =
+                static_cast<QNetworkRequest::Attribute>(
+                    static_cast<int>(QNetworkRequest::User)-3);
+        QNetworkRequest::Attribute sslSessionTicketLifeTimeHintAttribute =
+                static_cast<QNetworkRequest::Attribute>(
+                    static_cast<int>(QNetworkRequest::User)-2);
+        // only set the attribute once; this method is called several times
+        if (attribute(sslSessionAttribute).toByteArray().isEmpty()) {
+            setAttribute(sslSessionAttribute, c.d->sslSession);
+            setAttribute(sslSessionTicketLifeTimeHintAttribute,
+                         c.d->sslSessionTicketLifeTimeHint);
+        }
+    }
 }
 #endif
 

src/network/ssl/qsslconfiguration.cpp

@@ -169,7 +169,10 @@ bool QSslConfiguration::operator==(const QSslConfiguration &other) const
         d->peerVerifyMode == other.d->peerVerifyMode &&
         d->peerVerifyDepth == other.d->peerVerifyDepth &&
         d->allowRootCertOnDemandLoading == other.d->allowRootCertOnDemandLoading &&
-        d->sslOptions == other.d->sslOptions;
+        d->sslOptions == other.d->sslOptions &&
+        d->sslSession == other.d->sslSession &&
+        d->cacheSslSession == other.d->cacheSslSession &&
+        d->sslSessionTicketLifeTimeHint == other.d->sslSessionTicketLifeTimeHint;
 }
 
 /*!
@@ -205,7 +208,10 @@ bool QSslConfiguration::isNull() const
             d->peerCertificateChain.count() == 0 &&
             d->sslOptions == ( QSsl::SslOptionDisableEmptyFragments
                               |QSsl::SslOptionDisableLegacyRenegotiation
-                              |QSsl::SslOptionDisableCompression));
+                              |QSsl::SslOptionDisableCompression) &&
+            d->sslSession.isNull() &&
+            d->cacheSslSession == false &&
+            d->sslSessionTicketLifeTimeHint == -1);
 }
 
 /*!

src/network/ssl/qsslconfiguration.h

@@ -130,6 +130,10 @@ class Q_NETWORK_EXPORT QSslConfiguration
     friend class QSslConfigurationPrivate;
     friend class QSslSocketBackendPrivate;
     friend class QSslContext;
+    // hack to set the SSL session from a QNAM attribute:
+    friend class QHttpThreadDelegate;
+    friend class QNetworkAccessHttpBackend;
+
     QSslConfiguration(QSslConfigurationPrivate *dd);
     QSharedDataPointer<QSslConfigurationPrivate> d;
 };

src/network/ssl/qsslconfiguration_p.h

@@ -87,7 +87,9 @@ class QSslConfigurationPrivate: public QSharedData
           peerSessionShared(false),
           sslOptions(QSsl::SslOptionDisableEmptyFragments
                      |QSsl::SslOptionDisableLegacyRenegotiation
-                     |QSsl::SslOptionDisableCompression)
+                     |QSsl::SslOptionDisableCompression),
+          cacheSslSession(false),
+          sslSessionTicketLifeTimeHint(-1)
     { }
 
     QSslCertificate peerCertificate;
@@ -110,6 +112,10 @@ class QSslConfigurationPrivate: public QSharedData
 
     QSsl::SslOptions sslOptions;
 
+    bool cacheSslSession;
+    QByteArray sslSession;
+    int sslSessionTicketLifeTimeHint;
+
     // in qsslsocket.cpp:
     static QSslConfiguration defaultConfiguration();
     static void setDefaultConfiguration(const QSslConfiguration &configuration);

src/network/ssl/qsslcontext.cpp

@@ -58,7 +58,8 @@ extern QString getErrorsFromOpenSsl();
 QSslContext::QSslContext()
     : ctx(0),
     pkey(0),
-    session(0)
+    session(0),
+    m_sessionTicketLifeTimeHint(-1)
 {
 }
 
@@ -259,6 +260,10 @@ QSslContext* QSslContext::fromConfiguration(QSslSocket::SslMode mode, const QSsl
     if (sslContext->sslConfiguration.peerVerifyDepth() != 0)
         q_SSL_CTX_set_verify_depth(sslContext->ctx, sslContext->sslConfiguration.peerVerifyDepth());
 
+    // set persisted session if the user set it
+    if (!configuration.d->sslSession.isEmpty())
+        sslContext->setSessionASN1(configuration.d->sslSession);
+
     return sslContext;
 }
 
@@ -268,6 +273,12 @@ SSL* QSslContext::createSsl()
     SSL* ssl = q_SSL_new(ctx);
     q_SSL_clear(ssl);
 
+    if (!session && !sessionASN1().isEmpty()
+            && !sslConfiguration.testSslOption(QSsl::SslOptionDisableSessionTickets)) {
+        const unsigned char *data = reinterpret_cast<const unsigned char *>(m_sessionASN1.constData());
+        session = q_d2i_SSL_SESSION(0, &data, m_sessionASN1.size()); // refcount is 1 already, set by function above
+    }
+
     if (session) {
         // Try to resume the last session we cached
         if (!q_SSL_set_session(ssl, session)) {
@@ -293,8 +304,35 @@ bool QSslContext::cacheSession(SSL* ssl)
 
     // cache the session the caller gave us and increase reference count
     session = q_SSL_get1_session(ssl);
-    return (session != NULL);
 
+    if (session && !sslConfiguration.testSslOption(QSsl::SslOptionDisableSessionTickets)
+            && sslConfiguration.d->cacheSslSession == true) {
+        int sessionSize = q_i2d_SSL_SESSION(session, 0);
+        if (sessionSize > 0) {
+            m_sessionASN1.resize(sessionSize);
+            unsigned char *data = reinterpret_cast<unsigned char *>(m_sessionASN1.data());
+            if (!q_i2d_SSL_SESSION(session, &data))
+                qWarning("could not store persistent version of SSL session");
+            m_sessionTicketLifeTimeHint = session->tlsext_tick_lifetime_hint;
+        }
+    }
+
+    return (session != 0);
+}
+
+QByteArray QSslContext::sessionASN1() const
+{
+    return m_sessionASN1;
+}
+
+void QSslContext::setSessionASN1(const QByteArray &session)
+{
+    m_sessionASN1 = session;
+}
+
+int QSslContext::sessionTicketLifeTimeHint() const
+{
+    return m_sessionTicketLifeTimeHint;
 }
 
 QSslError::SslError QSslContext::error() const

src/network/ssl/qsslcontext_p.h

@@ -69,13 +69,18 @@ class QSslContext
     SSL* createSsl();
     bool cacheSession(SSL*); // should be called when handshake completed
 
+    QByteArray sessionASN1() const;
+    void setSessionASN1(const QByteArray &sessionASN1);
+    int sessionTicketLifeTimeHint() const;
 protected:
     QSslContext();
 
 private:
     SSL_CTX* ctx;
     EVP_PKEY *pkey;
     SSL_SESSION *session;
+    QByteArray m_sessionASN1;
+    int m_sessionTicketLifeTimeHint;
     QSslError::SslError errorCode;
     QString errorStr;
     QSslConfiguration sslConfiguration;

src/network/ssl/qsslsocket.cpp

@@ -897,6 +897,9 @@ void QSslSocket::setSslConfiguration(const QSslConfiguration &configuration)
     d->configuration.peerVerifyMode = configuration.peerVerifyMode();
     d->configuration.protocol = configuration.protocol();
     d->configuration.sslOptions = configuration.d->sslOptions;
+    d->configuration.cacheSslSession = configuration.d->cacheSslSession;
+    d->configuration.sslSession = configuration.d->sslSession;
+    d->configuration.sslSessionTicketLifeTimeHint = configuration.d->sslSessionTicketLifeTimeHint;
 
     // if the CA certificates were set explicitly (either via
     // QSslConfiguration::setCaCertificates() or QSslSocket::setCaCertificates(),

src/network/ssl/qsslsocket_openssl.cpp

@@ -1271,8 +1271,16 @@ bool QSslSocketBackendPrivate::startHandshake()
 
     // Cache this SSL session inside the QSslContext
     if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionTickets)) {
-        if (!sslContextPointer->cacheSession(ssl))
+        if (!sslContextPointer->cacheSession(ssl)) {
             sslContextPointer.clear(); // we could not cache the session
+        } else {
+            // Cache the session for permanent usage as well
+            if (!sslContextPointer->sessionASN1().isEmpty()) {
+                configuration.sslSession = sslContextPointer->sessionASN1();
+                configuration.sslSessionTicketLifeTimeHint =
+                        sslContextPointer->sessionTicketLifeTimeHint();
+            }
+        }
     }
 
     connectionEncrypted = true;

src/network/ssl/qsslsocket_openssl_symbols.cpp

@@ -286,6 +286,8 @@ DEFINEFUNC(void, OPENSSL_add_all_algorithms_noconf, void, DUMMYARG, return, DUMM
 DEFINEFUNC(void, OPENSSL_add_all_algorithms_conf, void, DUMMYARG, return, DUMMYARG)
 DEFINEFUNC3(int, SSL_CTX_load_verify_locations, SSL_CTX *ctx, ctx, const char *CAfile, CAfile, const char *CApath, CApath, return 0, return)
 DEFINEFUNC(long, SSLeay, void, DUMMYARG, return 0, return)
+DEFINEFUNC2(int, i2d_SSL_SESSION, SSL_SESSION *in, in, unsigned char **pp, pp, return 0, return)
+DEFINEFUNC3(SSL_SESSION *, d2i_SSL_SESSION, SSL_SESSION **a, a, const unsigned char **pp, pp, long length, length, return 0, return)
 
 #ifdef Q_OS_SYMBIAN
 #define RESOLVEFUNC(func, ordinal, lib) \
@@ -872,6 +874,8 @@ bool q_resolveOpenSslSymbols()
     RESOLVEFUNC(OPENSSL_add_all_algorithms_conf)
     RESOLVEFUNC(SSL_CTX_load_verify_locations)
     RESOLVEFUNC(SSLeay)
+    RESOLVEFUNC(i2d_SSL_SESSION)
+    RESOLVEFUNC(d2i_SSL_SESSION)
 #endif // Q_OS_SYMBIAN
     symbolsResolved = true;
     delete libs.first;

src/network/ssl/qsslsocket_openssl_symbols_p.h

@@ -429,6 +429,8 @@ void q_OPENSSL_add_all_algorithms_noconf();
 void q_OPENSSL_add_all_algorithms_conf();
 int q_SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath);
 long q_SSLeay();
+int q_i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
+SSL_SESSION *q_d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length);
 
 // Helper function
 class QDateTime;