tls: preserve servername on resumed sessions

Author: jorgitin02

deps/ncrypto/ncrypto.cc

@@ -2941,8 +2941,25 @@ std::optional<const std::string_view> SSLPointer::GetServerName(
     const SSL* ssl) {
   if (ssl == nullptr) return std::nullopt;
   auto res = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
-  if (res == nullptr) return std::nullopt;
-  return res;
+  if (res != nullptr) return res;
+
+#ifndef OPENSSL_IS_BORINGSSL
+  const SSL_SESSION* sess = SSL_get_session(ssl);
+  if (sess == nullptr) return std::nullopt;
+
+  res = SSL_SESSION_get0_hostname(sess);
+  if (res != nullptr) return res;
+
+  void* appdata = nullptr;
+  size_t appdata_len = 0;
+  if (SSL_SESSION_get0_ticket_appdata(
+          const_cast<SSL_SESSION*>(sess), &appdata, &appdata_len) == 1 &&
+      appdata != nullptr && appdata_len > 0) {
+    return std::string_view(static_cast<const char*>(appdata), appdata_len);
+  }
+#endif
+
+  return std::nullopt;
 }
 
 std::optional<const std::string_view> SSLPointer::getServerName() const {

src/crypto/crypto_context.cc

@@ -27,6 +27,7 @@
 #include <wincrypt.h>
 #endif
 
+#include <cstring>
 #include <set>
 
 namespace node {
@@ -1548,6 +1549,38 @@ void SecureContext::SetSelectSNIContextCallback(SelectSNIContextCb cb) {
   SSL_CTX_set_tlsext_servername_callback(ctx_.get(), cb);
 }
 
+void SecureContext::RememberSessionServername(const unsigned char* session_id,
+                                              unsigned int session_id_length,
+                                              std::string_view servername) {
+  if (session_id == nullptr || session_id_length == 0 || servername.empty())
+    return;
+
+  std::string key(reinterpret_cast<const char*>(session_id),
+                  session_id_length);
+
+  if (session_servernames_.size() >= kSessionServernameCacheLimit &&
+      session_servernames_.find(key) == session_servernames_.end()) {
+    session_servernames_.clear();
+  }
+
+  session_servernames_[std::move(key)] = std::string(servername);
+}
+
+std::optional<std::string> SecureContext::GetSessionServername(
+    const unsigned char* session_id,
+    unsigned int session_id_length) const {
+  if (session_id == nullptr || session_id_length == 0)
+    return std::nullopt;
+
+  std::string key(reinterpret_cast<const char*>(session_id),
+                  session_id_length);
+  auto it = session_servernames_.find(key);
+  if (it == session_servernames_.end())
+    return std::nullopt;
+
+  return it->second;
+}
+
 void SecureContext::SetKeylogCallback(KeylogCb cb) {
   SSL_CTX_set_keylog_callback(ctx_.get(), cb);
 }
@@ -2303,6 +2336,22 @@ int SecureContext::TicketCompatibilityCallback(SSL* ssl,
       SSL_CTX_get_app_data(SSL_get_SSL_CTX(ssl)));
 
   if (enc) {
+#ifndef OPENSSL_IS_BORINGSSL
+    // Persist SNI in the session before serializing/encrypting the ticket so
+    // it remains available on resumed handshakes.
+    if (const char* servername =
+            SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+        servername != nullptr) {
+      SSL_SESSION* sess = SSL_get_session(ssl);
+      if (sess != nullptr &&
+          (SSL_SESSION_set1_hostname(sess, servername) != 1 ||
+           SSL_SESSION_set1_ticket_appdata(
+               sess, servername, strlen(servername)) != 1)) {
+        return -1;
+      }
+    }
+#endif
+
     memcpy(name, sc->ticket_key_name_, sizeof(sc->ticket_key_name_));
     if (!ncrypto::CSPRNG(iv, 16) ||
         EVP_EncryptInit_ex(

src/crypto/crypto_context.h

@@ -10,6 +10,11 @@
 #include "memory_tracker.h"
 #include "v8.h"
 
+#include <optional>
+#include <string>
+#include <string_view>
+#include <unordered_map>
+
 namespace node {
 namespace crypto {
 // A maxVersion of 0 means "any", but OpenSSL may support TLS versions that
@@ -53,6 +58,12 @@ class SecureContext final : public BaseObject {
   void SetKeylogCallback(KeylogCb cb);
   void SetNewSessionCallback(NewSessionCb cb);
   void SetSelectSNIContextCallback(SelectSNIContextCb cb);
+  void RememberSessionServername(const unsigned char* session_id,
+                                 unsigned int session_id_length,
+                                 std::string_view servername);
+  std::optional<std::string> GetSessionServername(
+      const unsigned char* session_id,
+      unsigned int session_id_length) const;
 
   inline const ncrypto::X509Pointer& issuer() const { return issuer_; }
   inline const ncrypto::X509Pointer& cert() const { return cert_; }
@@ -144,6 +155,8 @@ class SecureContext final : public BaseObject {
   void Reset();
 
  private:
+  static constexpr size_t kSessionServernameCacheLimit = 4096;
+
   ncrypto::SSLCtxPointer ctx_;
   ncrypto::X509Pointer cert_;
   ncrypto::X509Pointer issuer_;
@@ -157,6 +170,7 @@ class SecureContext final : public BaseObject {
   unsigned char ticket_key_name_[16];
   unsigned char ticket_key_aes_[16];
   unsigned char ticket_key_hmac_[16];
+  std::unordered_map<std::string, std::string> session_servernames_;
 };
 
 int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,

src/crypto/crypto_tls.cc

@@ -21,6 +21,7 @@
 
 #include "crypto/crypto_tls.h"
 #include <cstdio>
+#include <cstring>
 #include "async_wrap-inl.h"
 #include "crypto/crypto_bio.h"
 #include "crypto/crypto_clienthello-inl.h"
@@ -163,6 +164,29 @@ int NewSessionCallback(SSL* s, SSL_SESSION* sess) {
   HandleScope handle_scope(env->isolate());
   Context::Scope context_scope(env->context());
 
+#ifndef OPENSSL_IS_BORINGSSL
+  // OpenSSL does not expose the SNI via SSL_get_servername() on resumed
+  // handshakes. Persist the original SNI in the session so it can be restored
+  // when the handshake is resumed.
+  if (const char* servername =
+          SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
+      servername != nullptr) {
+    if (SSL_SESSION_set1_hostname(sess, servername) != 1 ||
+        SSL_SESSION_set1_ticket_appdata(sess, servername, strlen(servername)) !=
+            1) {
+      return 0;
+    }
+
+    unsigned int session_id_length = 0;
+    const unsigned char* session_id_data =
+        SSL_SESSION_get_id(sess, &session_id_length);
+    if (SecureContext* sc = w->secure_context(); sc != nullptr) {
+      sc->RememberSessionServername(
+          session_id_data, session_id_length, servername);
+    }
+  }
+#endif
+
   if (!w->has_session_callbacks()) [[unlikely]]
     return 0;
 
@@ -1367,9 +1391,26 @@ void TLSWrap::GetServername(const FunctionCallbackInfo<Value>& args) {
     auto& sn = servername.value();
     args.GetReturnValue().Set(
         OneByteString(args.GetIsolate(), sn.data(), sn.length()));
-  } else {
-    args.GetReturnValue().Set(false);
+    return;
   }
+
+  SSL_SESSION* sess = SSL_get_session(wrap->ssl_.get());
+  if (sess != nullptr && wrap->secure_context() != nullptr) {
+    unsigned int session_id_length = 0;
+    const unsigned char* session_id_data =
+        SSL_SESSION_get_id(sess, &session_id_length);
+
+    auto cached = wrap->secure_context()->GetSessionServername(
+        session_id_data, session_id_length);
+    if (cached.has_value()) {
+      auto& sn = cached.value();
+      args.GetReturnValue().Set(
+          OneByteString(args.GetIsolate(), sn.data(), sn.length()));
+      return;
+    }
+  }
+
+  args.GetReturnValue().Set(false);
 }
 
 void TLSWrap::SetServername(const FunctionCallbackInfo<Value>& args) {

src/crypto/crypto_tls.h

@@ -69,6 +69,7 @@ class TLSWrap : public AsyncWrap,
   inline bool is_server() const { return kind_ == Kind::kServer; }
   inline bool is_client() const { return kind_ == Kind::kClient; }
   inline bool is_awaiting_new_session() const { return awaiting_new_session_; }
+  inline SecureContext* secure_context() const { return sc_.get(); }
 
   // Implement StreamBase:
   bool IsAlive() override;