tls: session API returns

Author: indutny

doc/api/tls.markdown

@@ -403,6 +403,31 @@ established - it will be forwarded here.
 `tlsSocket` is the [tls.TLSSocket][] that the error originated from.
 
 
+### Event: 'newSession'
+
+`function (sessionId, sessionData) { }`
+
+Emitted on creation of TLS session. May be used to store sessions in external
+storage.
+
+NOTE: adding this event listener will have an effect only on connections
+established after addition of event listener.
+
+
+### Event: 'resumeSession'
+
+`function (sessionId, callback) { }`
+
+Emitted when client wants to resume previous TLS session. Event listener may
+perform lookup in external storage using given `sessionId`, and invoke
+`callback(null, sessionData)` once finished. If session can't be resumed
+(i.e. doesn't exist in storage) one may call `callback(null, null)`. Calling
+`callback(err)` will terminate incoming connection and destroy socket.
+
+NOTE: adding this event listener will have an effect only on connections
+established after addition of event listener.
+
+
 ### server.listen(port, [host], [callback])
 
 Begin accepting connections on the specified `port` and `host`.  If the

lib/_tls_wrap.js

@@ -47,6 +47,33 @@ function onhandshakedone() {
 }
 
 
+function onclienthello(hello) {
+  var self = this,
+      once = false;
+
+  function callback(err, session) {
+    if (once)
+      return self.destroy(new Error('TLS session callback was called twice'));
+    once = true;
+
+    if (err)
+      return self.destroy(err);
+
+    self.ssl.loadSession(session);
+  }
+
+  if (hello.sessionId.length <= 0 ||
+      !this.server.emit('resumeSession', hello.sessionId, callback)) {
+    callback(null, null);
+  }
+}
+
+
+function onnewsession(key, session) {
+  this.server.emit('newSession', key, session);
+}
+
+
 /**
  * Provides a wrap of socket stream to do encrypted communication.
  */
@@ -92,6 +119,7 @@ TLSSocket.prototype._init = function() {
   // Wrap socket's handle
   var credentials = options.credentials || crypto.createCredentials();
   this.ssl = tls_wrap.wrap(this._handle, credentials.context, options.isServer);
+  this.server = options.server || null;
 
   // For clients, we will always have either a given ca list or be using
   // default one
@@ -104,8 +132,15 @@ TLSSocket.prototype._init = function() {
   if (options.isServer) {
     this.ssl.onhandshakestart = onhandshakestart.bind(this);
     this.ssl.onhandshakedone = onhandshakedone.bind(this);
+    this.ssl.onclienthello = onclienthello.bind(this);
+    this.ssl.onnewsession = onnewsession.bind(this);
     this.ssl.lastHandshakeTime = 0;
     this.ssl.handshakes = 0;
+
+    if (this.server.listeners('resumeSession').length > 0 ||
+        this.server.listeners('newSession').length > 0) {
+      this.ssl.enableSessionCallbacks();
+    }
   } else {
     this.ssl.onhandshakestart = function() {};
     this.ssl.onhandshakedone = this._finishInit.bind(this);

src/node_crypto.h

@@ -60,9 +60,10 @@ class SecureContext : ObjectWrap {
   // TODO: ca_store_ should probably be removed, it's not used anywhere.
   X509_STORE *ca_store_;
 
- protected:
   static const int kMaxSessionSize = 10 * 1024;
 
+ protected:
+
   static v8::Handle<v8::Value> New(const v8::Arguments& args);
   static v8::Handle<v8::Value> Init(const v8::Arguments& args);
   static v8::Handle<v8::Value> SetKey(const v8::Arguments& args);

src/node_crypto_bio.h

@@ -87,7 +87,9 @@ class NodeBIO {
   }
 
  protected:
-  static const size_t kBufferLength = 16 * 1024;
+  // NOTE: Size is maximum TLS frame length, this is required if we want
+  // to fit whole ClientHello into one Buffer of NodeBIO.
+  static const size_t kBufferLength = 16 * 1024 + 5;
 
   class Buffer {
    public: