From 837fef78b16a5a83657c7cfa9a79d8a0f926bc3c Mon Sep 17 00:00:00 2001
From: Artem Boldariev <artem@boldariev.com>
Date: Fri, 9 Dec 2022 18:44:01 +0200
Subject: [PATCH] Fix TLS session resumption via IDs when Mutual TLS is used

This commit fixes TLS session resumption via session IDs when
client certificates are used. To do so it makes sure that session ID
contexts are set within server TLS contexts. See OpenSSL documentation
for 'SSL_CTX_set_session_id_context()', the "Warnings" section.
---
 lib/isc/include/isc/tls.h | 20 ++++++++++++++++++++
 lib/isc/tls.c             | 13 +++++++++++++
 lib/ns/listenlist.c       | 11 +++++++++++
 3 files changed, 44 insertions(+)

diff --git a/lib/isc/include/isc/tls.h b/lib/isc/include/isc/tls.h
index 26c684d6a2..24577ec13d 100644
--- a/lib/isc/include/isc/tls.h
+++ b/lib/isc/include/isc/tls.h
@@ -563,6 +563,26 @@ isc_tlsctx_cache_find(
  *		relation between stores and contexts.
  */
 
+void
+isc_tlsctx_set_random_session_id_context(isc_tlsctx_t *ctx);
+/*%<
+ * Set context within which session can be reused to a randomly
+ * generated value. This one is used for TLS session resumption using
+ * session IDs. See OpenSSL documentation for
+ * 'SSL_CTX_set_session_id_context()'.
+ *
+ * It might be worth noting that usually session ID contexts are kept
+ * static for an application and particular certificate
+ * combination. However, for the cases when exporting server side TLS
+ * session cache to/loading from external memory is not required, we
+ * might use random IDs just fine. See,
+ * e.g. 'ngx_ssl_session_id_context()' in NGINX for an example of how
+ * a session ID might be obtained.
+ *
+ * Requires:
+ *\li   'ctx' - a valid non-NULL pointer;
+ */
+
 void
 isc__tls_initialize(void);
 
diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index c027ed91e0..a7d9a93332 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -1728,3 +1728,16 @@ isc_tlsctx_client_session_cache_getctx(
 	REQUIRE(VALID_TLSCTX_CLIENT_SESSION_CACHE(cache));
 	return (cache->ctx);
 }
+
+void
+isc_tlsctx_set_random_session_id_context(isc_tlsctx_t *ctx) {
+	uint8_t session_id_ctx[SSL_MAX_SID_CTX_LENGTH] = { 0 };
+	const size_t len = ISC_MIN(20, sizeof(session_id_ctx));
+
+	REQUIRE(ctx != NULL);
+
+	RUNTIME_CHECK(RAND_bytes(session_id_ctx, len) == 1);
+
+	RUNTIME_CHECK(
+		SSL_CTX_set_session_id_context(ctx, session_id_ctx, len) == 1);
+}
diff --git a/lib/ns/listenlist.c b/lib/ns/listenlist.c
index df9719f5e1..d864ca97f1 100644
--- a/lib/ns/listenlist.c
+++ b/lib/ns/listenlist.c
@@ -64,6 +64,17 @@ listenelt_create(isc_mem_t *mctx, in_port_t port, isc_dscp_t dscp,
 				goto tls_error;
 			}
 
+			/*
+			 * We need to initialise session ID context to make TLS
+			 * session resumption work correctly - in particular in
+			 * the case when client certificates are used (Mutual
+			 * TLS) - otherwise resumption attempts will lead to
+			 * handshake failures. See OpenSSL documentation for
+			 * 'SSL_CTX_set_session_id_context()', the "Warnings"
+			 * section.
+			 */
+			isc_tlsctx_set_random_session_id_context(sslctx);
+
 			/*
 			 * If CA-bundle file is specified - enable client
 			 * certificates validation.