Add support to libtls for client-side TLS session resumption.

A libtls client can specify a session file descriptor (a regular file
with appropriate ownership and permissions) and libtls will manage reading
and writing of session data across TLS handshakes.

Discussed at length with deraadt@ and tedu@.

Rides previous minor bump.

ok beck@

1 files changed, 40 insertions, 1 deletions

diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index 3db75dc62fc..6dfebfaebf9 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.47 2018/02/08 05:56:49 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.48 2018/02/10 04:41:24 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -89,6 +89,7 @@ tls_config_new(void)
 		goto err;
 
 	config->refcount = 1;
+	config->session_fd = -1;
 
 	/*
 	 * Default configuration.
@@ -670,6 +671,44 @@ tls_config_set_protocols(struct tls_config *config, uint32_t protocols)
 }
 
 int
+tls_config_set_session_fd(struct tls_config *config, int session_fd)
+{
+	struct stat sb;
+	mode_t mugo;
+
+	if (session_fd == -1) {
+		config->session_fd = session_fd;
+		return (0);
+	}
+
+	if (fstat(session_fd, &sb) == -1) {
+		tls_config_set_error(config, "failed to stat session file");
+		return (-1);
+	}
+	if (!S_ISREG(sb.st_mode)) {
+		tls_config_set_errorx(config,
+		    "session file is not a regular file");
+		return (-1);
+	}
+
+	if (sb.st_uid != getuid()) {
+		tls_config_set_errorx(config, "session file has incorrect "
+		    "owner (uid %i != %i)", sb.st_uid, getuid());
+		return (-1);
+	}
+	mugo = sb.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO);
+	if (mugo != (S_IRUSR|S_IWUSR)) {
+		tls_config_set_errorx(config, "session file has incorrect "
+		    "permissions (%o != 600)", mugo);
+		return (-1);
+	}
+
+	config->session_fd = session_fd;
+
+	return (0);
+}
+
+int
 tls_config_set_verify_depth(struct tls_config *config, int verify_depth)
 {
 	config->verify_depth = verify_depth;