Server based TLS-Session-Resumption

core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsServer.java

@@ -368,4 +368,22 @@ public NewSessionTicket getNewSessionTicket()
          */
         return new NewSessionTicket(0L, TlsUtils.EMPTY_BYTES);
     }
+
+
+    /*
+     * The next two methods take care about server session handling / resumption. If you need
+     * this, you have to overwrite the next two methods with your own implementation taking
+     * care about session caching and resumption
+     */
+    public TlsSession getResumableSession(byte[] sessionID)
+        throws IOException
+    {
+        return null;
+    }
+
+    public TlsSession getNewResumableSession(byte[] requestedClientSessionID)
+        throws IOException
+    {
+        return null;
+    }
 }

core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java

@@ -372,7 +372,7 @@ protected DTLSTransport clientHandshake(ClientHandshakeState state, DTLSRecordLa
                 .setPSKIdentity(securityParameters.getPSKIdentity())
                 .setSRPIdentity(securityParameters.getSRPIdentity())
                 // TODO Consider filtering extensions that aren't relevant to resumed sessions
-                .setServerExtensions(state.serverExtensions)
+                .setPeerExtensions(state.serverExtensions)
                 .build();
 
             state.tlsSession = TlsUtils.importSession(state.tlsSession.getSessionID(), state.sessionParameters);
@@ -759,7 +759,7 @@ protected void processServerHello(ClientHandshakeState state, byte[] body)
             }
 
             sessionClientExtensions = null;
-            sessionServerExtensions = state.sessionParameters.readServerExtensions();
+            sessionServerExtensions = state.sessionParameters.readPeerExtensions();
         }
 
         securityParameters.cipherSuite = selectedCipherSuite;

core/src/main/java/org/bouncycastle/crypto/tls/SessionParameters.java

@@ -17,7 +17,7 @@ public static final class Builder
         private Certificate peerCertificate = null;
         private byte[] pskIdentity = null;
         private byte[] srpIdentity = null;
-        private byte[] encodedServerExtensions = null;
+        private byte[] encodedPeerExtensions = null;
 
         public Builder()
         {
@@ -29,7 +29,7 @@ public SessionParameters build()
             validate(this.compressionAlgorithm >= 0, "compressionAlgorithm");
             validate(this.masterSecret != null, "masterSecret");
             return new SessionParameters(cipherSuite, compressionAlgorithm, masterSecret, peerCertificate, pskIdentity,
-                srpIdentity, encodedServerExtensions);
+                srpIdentity, encodedPeerExtensions);
         }
 
         public Builder setCipherSuite(int cipherSuite)
@@ -77,17 +77,17 @@ public Builder setSRPIdentity(byte[] srpIdentity)
             return this;
         }
 
-        public Builder setServerExtensions(Hashtable serverExtensions) throws IOException
+        public Builder setPeerExtensions(Hashtable peerExtensions) throws IOException
         {
-            if (serverExtensions == null)
+            if (peerExtensions == null)
             {
-                encodedServerExtensions = null;
+                encodedPeerExtensions = null;
             }
             else
             {
                 ByteArrayOutputStream buf = new ByteArrayOutputStream();
-                TlsProtocol.writeExtensions(buf, serverExtensions);
-                encodedServerExtensions = buf.toByteArray();
+                TlsProtocol.writeExtensions(buf, peerExtensions);
+                encodedPeerExtensions = buf.toByteArray();
             }
             return this;
         }
@@ -107,18 +107,18 @@ private void validate(boolean condition, String parameter)
     private Certificate peerCertificate;
     private byte[] pskIdentity = null;
     private byte[] srpIdentity = null;
-    private byte[] encodedServerExtensions;
+    private byte[] encodedPeerExtensions;
 
     private SessionParameters(int cipherSuite, short compressionAlgorithm, byte[] masterSecret,
-        Certificate peerCertificate, byte[] pskIdentity, byte[] srpIdentity, byte[] encodedServerExtensions)
+        Certificate peerCertificate, byte[] pskIdentity, byte[] srpIdentity, byte[] encodedPeerExtensions)
     {
         this.cipherSuite = cipherSuite;
         this.compressionAlgorithm = compressionAlgorithm;
         this.masterSecret = Arrays.clone(masterSecret);
         this.peerCertificate = peerCertificate;
         this.pskIdentity = Arrays.clone(pskIdentity);
         this.srpIdentity = Arrays.clone(srpIdentity);
-        this.encodedServerExtensions = encodedServerExtensions;
+        this.encodedPeerExtensions = encodedPeerExtensions;
     }
 
     public void clear()
@@ -132,7 +132,7 @@ public void clear()
     public SessionParameters copy()
     {
         return new SessionParameters(cipherSuite, compressionAlgorithm, masterSecret, peerCertificate, pskIdentity,
-            srpIdentity, encodedServerExtensions);
+            srpIdentity, encodedPeerExtensions);
     }
 
     public int getCipherSuite()
@@ -173,14 +173,14 @@ public byte[] getSRPIdentity()
         return srpIdentity;
     }
 
-    public Hashtable readServerExtensions() throws IOException
+    public Hashtable readPeerExtensions() throws IOException
     {
-        if (encodedServerExtensions == null)
+        if (encodedPeerExtensions == null)
         {
             return null;
         }
 
-        ByteArrayInputStream buf = new ByteArrayInputStream(encodedServerExtensions);
+        ByteArrayInputStream buf = new ByteArrayInputStream(encodedPeerExtensions);
         return TlsProtocol.readExtensions(buf);
     }
 }

core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java

@@ -753,7 +753,7 @@ protected void receiveServerHelloMessage(ByteArrayInputStream buf)
             }
 
             sessionClientExtensions = null;
-            sessionServerExtensions = this.sessionParameters.readServerExtensions();
+            sessionServerExtensions = this.sessionParameters.readPeerExtensions();
         }
 
         this.securityParameters.cipherSuite = selectedCipherSuite;

core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java

@@ -307,6 +307,7 @@ protected void completeHandshake()
             {
                 if (this.sessionParameters == null)
                 {
+                    boolean server = getContext().isServer();
                     this.sessionParameters = new SessionParameters.Builder()
                         .setCipherSuite(this.securityParameters.getCipherSuite())
                         .setCompressionAlgorithm(this.securityParameters.getCompressionAlgorithm())
@@ -315,7 +316,7 @@ protected void completeHandshake()
                         .setPSKIdentity(this.securityParameters.getPSKIdentity())
                         .setSRPIdentity(this.securityParameters.getSRPIdentity())
                         // TODO Consider filtering extensions that aren't relevant to resumed sessions
-                        .setServerExtensions(this.serverExtensions)
+                        .setPeerExtensions(server ? this.clientExtensions : this.serverExtensions)
                         .build();
 
                     this.tlsSession = new TlsSessionImpl(this.tlsSession.getSessionID(), this.sessionParameters);

core/src/main/java/org/bouncycastle/crypto/tls/TlsServer.java

@@ -92,4 +92,10 @@ void notifyClientCertificate(Certificate clientCertificate)
      */
     NewSessionTicket getNewSessionTicket()
         throws IOException;
+
+    TlsSession getResumableSession(byte[] sessionID)
+        throws IOException;
+
+    TlsSession getNewResumableSession(byte[] requestedClientSessionID)
+        throws IOException;
 }