diff options
Diffstat (limited to 'modules/ssl/ssl_scache_dc.c')
-rw-r--r-- | modules/ssl/ssl_scache_dc.c | 177 |
1 files changed, 177 insertions, 0 deletions
diff --git a/modules/ssl/ssl_scache_dc.c b/modules/ssl/ssl_scache_dc.c new file mode 100644 index 00000000..b03b0dea --- /dev/null +++ b/modules/ssl/ssl_scache_dc.c @@ -0,0 +1,177 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* _ _ + * _ __ ___ ___ __| | ___ ___| | mod_ssl + * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL + * | | | | | | (_) | (_| | \__ \__ \ | + * |_| |_| |_|\___/ \__,_|___|___/___/_| + * |_____| + * ssl_scache_dc.c + * Distributed Session Cache (client support) + */ + +#include "ssl_private.h" + +/* Only build this code if it's enabled at configure-time. */ +#ifdef HAVE_DISTCACHE + +#include "distcache/dc_client.h" + +#if !defined(DISTCACHE_CLIENT_API) || (DISTCACHE_CLIENT_API < 0x0001) +#error "You must compile with a more recent version of the distcache-base package" +#endif + +/* + * This cache implementation allows modssl to access 'distcache' servers (or + * proxies) to facilitate distributed session caching. It is based on code + * released as open source by Cryptographic Appliances Inc, and was developed by + * Geoff Thorpe, Steve Robb, and Chris Zimmerman. + */ + +/* +** +** High-Level "handlers" as per ssl_scache.c +** +*/ + +void ssl_scache_dc_init(server_rec *s, apr_pool_t *p) +{ + DC_CTX *ctx; + SSLModConfigRec *mc = myModConfig(s); + /* + * Create a session context + */ + if (mc->szSessionCacheDataFile == NULL) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "SSLSessionCache required"); + ssl_die(); + } +#if 0 + /* If a "persistent connection" mode of operation is preferred, you *must* + * also use the PIDCHECK flag to ensure fork()'d processes don't interlace + * comms on the same connection as each other. */ +#define SESSION_CTX_FLAGS SESSION_CTX_FLAG_PERSISTENT | \ + SESSION_CTX_FLAG_PERSISTENT_PIDCHECK | \ + SESSION_CTX_FLAG_PERSISTENT_RETRY | \ + SESSION_CTX_FLAG_PERSISTENT_LATE +#else + /* This mode of operation will open a temporary connection to the 'target' + * for each cache operation - this makes it safe against fork() + * automatically. This mode is preferred when running a local proxy (over + * unix domain sockets) because overhead is negligable and it reduces the + * performance/stability danger of file-descriptor bloatage. */ +#define SESSION_CTX_FLAGS 0 +#endif + ctx = DC_CTX_new(mc->szSessionCacheDataFile, SESSION_CTX_FLAGS); + if (!ctx) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache failed to obtain context"); + ssl_die(); + } + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "distributed scache context initialised"); + /* + * Success ... + */ + mc->tSessionCacheDataTable = ctx; + return; +} + +void ssl_scache_dc_kill(server_rec *s) +{ + SSLModConfigRec *mc = myModConfig(s); + + if (mc->tSessionCacheDataTable) + DC_CTX_free(mc->tSessionCacheDataTable); + mc->tSessionCacheDataTable = NULL; +} + +BOOL ssl_scache_dc_store(server_rec *s, UCHAR *id, int idlen, + time_t timeout, SSL_SESSION * pSession) +{ + unsigned char der[SSL_SESSION_MAX_DER]; + int der_len; + unsigned char *pder = der; + SSLModConfigRec *mc = myModConfig(s); + DC_CTX *ctx = mc->tSessionCacheDataTable; + + /* Serialise the SSL_SESSION object */ + if ((der_len = i2d_SSL_SESSION(pSession, NULL)) > SSL_SESSION_MAX_DER) + return FALSE; + i2d_SSL_SESSION(pSession, &pder); + /* !@#$%^ - why do we deal with *absolute* time anyway??? */ + timeout -= time(NULL); + /* Send the serialised session to the distributed cache context */ + if (!DC_CTX_add_session(ctx, id, idlen, der, der_len, + (unsigned long)timeout * 1000)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'add_session' failed"); + return FALSE; + } + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "distributed scache 'add_session' successful"); + return TRUE; +} + +SSL_SESSION *ssl_scache_dc_retrieve(server_rec *s, UCHAR *id, int idlen) +{ + unsigned char der[SSL_SESSION_MAX_DER]; + unsigned int der_len; + SSL_SESSION *pSession; + MODSSL_D2I_SSL_SESSION_CONST unsigned char *pder = der; + SSLModConfigRec *mc = myModConfig(s); + DC_CTX *ctx = mc->tSessionCacheDataTable; + + /* Retrieve any corresponding session from the distributed cache context */ + if (!DC_CTX_get_session(ctx, id, idlen, der, SSL_SESSION_MAX_DER, + &der_len)) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "distributed scache 'get_session' MISS"); + return NULL; + } + if (der_len > SSL_SESSION_MAX_DER) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'get_session' OVERFLOW"); + return NULL; + } + pSession = d2i_SSL_SESSION(NULL, &pder, der_len); + if (!pSession) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'get_session' CORRUPT"); + return NULL; + } + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "distributed scache 'get_session' HIT"); + return pSession; +} + +void ssl_scache_dc_remove(server_rec *s, UCHAR *id, int idlen) +{ + SSLModConfigRec *mc = myModConfig(s); + DC_CTX *ctx = mc->tSessionCacheDataTable; + + /* Remove any corresponding session from the distributed cache context */ + if (!DC_CTX_remove_session(ctx, id, idlen)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'remove_session' MISS"); + } else { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'remove_session' HIT"); + } +} + +void ssl_scache_dc_status(request_rec *r, int flags, apr_pool_t *pool) +{ + SSLModConfigRec *mc = myModConfig(r->server); + + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "distributed scache 'ssl_scache_dc_status'"); + ap_rprintf(r, "cache type: <b>DC (Distributed Cache)</b>, " + " target: <b>%s</b><br>", mc->szSessionCacheDataFile); +} + +#endif + |