1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
|
/* Copyright 2004-2005 The Apache Software Foundation or its licensors, as
* applicable.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/* _ _
* _ __ ___ ___ __| | ___ ___| | mod_ssl
* | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
* | | | | | | (_) | (_| | \__ \__ \ |
* |_| |_| |_|\___/ \__,_|___|___/___/_|
* |_____|
* ssl_scache_dc.c
* Distributed Session Cache (client support)
*/
#include "ssl_private.h"
/* Only build this code if it's enabled at configure-time. */
#ifdef HAVE_DISTCACHE
#include "distcache/dc_client.h"
#if !defined(DISTCACHE_CLIENT_API) || (DISTCACHE_CLIENT_API < 0x0001)
#error "You must compile with a more recent version of the distcache-base package"
#endif
/*
* This cache implementation allows modssl to access 'distcache' servers (or
* proxies) to facilitate distributed session caching. It is based on code
* released as open source by Cryptographic Appliances Inc, and was developed by
* Geoff Thorpe, Steve Robb, and Chris Zimmerman.
*/
/*
**
** High-Level "handlers" as per ssl_scache.c
**
*/
void ssl_scache_dc_init(server_rec *s, apr_pool_t *p)
{
DC_CTX *ctx;
SSLModConfigRec *mc = myModConfig(s);
/*
* Create a session context
*/
if (mc->szSessionCacheDataFile == NULL) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "SSLSessionCache required");
ssl_die();
}
#if 0
/* If a "persistent connection" mode of operation is preferred, you *must*
* also use the PIDCHECK flag to ensure fork()'d processes don't interlace
* comms on the same connection as each other. */
#define SESSION_CTX_FLAGS SESSION_CTX_FLAG_PERSISTENT | \
SESSION_CTX_FLAG_PERSISTENT_PIDCHECK | \
SESSION_CTX_FLAG_PERSISTENT_RETRY | \
SESSION_CTX_FLAG_PERSISTENT_LATE
#else
/* This mode of operation will open a temporary connection to the 'target'
* for each cache operation - this makes it safe against fork()
* automatically. This mode is preferred when running a local proxy (over
* unix domain sockets) because overhead is negligable and it reduces the
* performance/stability danger of file-descriptor bloatage. */
#define SESSION_CTX_FLAGS 0
#endif
ctx = DC_CTX_new(mc->szSessionCacheDataFile, SESSION_CTX_FLAGS);
if (!ctx) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache failed to obtain context");
ssl_die();
}
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "distributed scache context initialised");
/*
* Success ...
*/
mc->tSessionCacheDataTable = ctx;
return;
}
void ssl_scache_dc_kill(server_rec *s)
{
SSLModConfigRec *mc = myModConfig(s);
if (mc->tSessionCacheDataTable)
DC_CTX_free(mc->tSessionCacheDataTable);
mc->tSessionCacheDataTable = NULL;
}
BOOL ssl_scache_dc_store(server_rec *s, UCHAR *id, int idlen,
time_t timeout, SSL_SESSION * pSession)
{
unsigned char der[SSL_SESSION_MAX_DER];
int der_len;
unsigned char *pder = der;
SSLModConfigRec *mc = myModConfig(s);
DC_CTX *ctx = mc->tSessionCacheDataTable;
/* Serialise the SSL_SESSION object */
if ((der_len = i2d_SSL_SESSION(pSession, NULL)) > SSL_SESSION_MAX_DER)
return FALSE;
i2d_SSL_SESSION(pSession, &pder);
/* !@#$%^ - why do we deal with *absolute* time anyway??? */
timeout -= time(NULL);
/* Send the serialised session to the distributed cache context */
if (!DC_CTX_add_session(ctx, id, idlen, der, der_len,
(unsigned long)timeout * 1000)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'add_session' failed");
return FALSE;
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "distributed scache 'add_session' successful");
return TRUE;
}
SSL_SESSION *ssl_scache_dc_retrieve(server_rec *s, UCHAR *id, int idlen)
{
unsigned char der[SSL_SESSION_MAX_DER];
unsigned int der_len;
SSL_SESSION *pSession;
unsigned char *pder = der;
SSLModConfigRec *mc = myModConfig(s);
DC_CTX *ctx = mc->tSessionCacheDataTable;
/* Retrieve any corresponding session from the distributed cache context */
if (!DC_CTX_get_session(ctx, id, idlen, der, SSL_SESSION_MAX_DER,
&der_len)) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "distributed scache 'get_session' MISS");
return NULL;
}
if (der_len > SSL_SESSION_MAX_DER) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'get_session' OVERFLOW");
return NULL;
}
pSession = d2i_SSL_SESSION(NULL, &pder, der_len);
if (!pSession) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'get_session' CORRUPT");
return NULL;
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "distributed scache 'get_session' HIT");
return pSession;
}
void ssl_scache_dc_remove(server_rec *s, UCHAR *id, int idlen)
{
SSLModConfigRec *mc = myModConfig(s);
DC_CTX *ctx = mc->tSessionCacheDataTable;
/* Remove any corresponding session from the distributed cache context */
if (!DC_CTX_remove_session(ctx, id, idlen)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'remove_session' MISS");
} else {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'remove_session' HIT");
}
}
void ssl_scache_dc_status(request_rec *r, int flags, apr_pool_t *pool)
{
SSLModConfigRec *mc = myModConfig(r->server);
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"distributed scache 'ssl_scache_dc_status'");
ap_rprintf(r, "cache type: <b>DC (Distributed Cache)</b>, "
" target: <b>%s</b><br>", mc->szSessionCacheDataFile);
}
#endif
|