1 files changed, 177 insertions, 0 deletions

diff --git a/modules/ssl/ssl_scache_dc.c b/modules/ssl/ssl_scache_dc.c
new file mode 100644
index 00000000..b03b0dea
--- /dev/null
+++ b/modules/ssl/ssl_scache_dc.c
@@ -0,0 +1,177 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*                      _             _
+ *  _ __ ___   ___   __| |    ___ ___| |  mod_ssl
+ * | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL
+ * | | | | | | (_) | (_| |   \__ \__ \ |
+ * |_| |_| |_|\___/ \__,_|___|___/___/_|
+ *                      |_____|
+ *  ssl_scache_dc.c
+ *  Distributed Session Cache (client support)
+ */
+
+#include "ssl_private.h"
+
+/* Only build this code if it's enabled at configure-time. */
+#ifdef HAVE_DISTCACHE
+
+#include "distcache/dc_client.h"
+
+#if !defined(DISTCACHE_CLIENT_API) || (DISTCACHE_CLIENT_API < 0x0001)
+#error "You must compile with a more recent version of the distcache-base package"
+#endif
+
+/*
+ * This cache implementation allows modssl to access 'distcache' servers (or
+ * proxies) to facilitate distributed session caching. It is based on code
+ * released as open source by Cryptographic Appliances Inc, and was developed by
+ * Geoff Thorpe, Steve Robb, and Chris Zimmerman.
+ */
+
+/*
+**
+** High-Level "handlers" as per ssl_scache.c
+**
+*/
+
+void ssl_scache_dc_init(server_rec *s, apr_pool_t *p)
+{
+    DC_CTX *ctx;
+    SSLModConfigRec *mc = myModConfig(s);
+    /*
+     * Create a session context
+     */
+    if (mc->szSessionCacheDataFile == NULL) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "SSLSessionCache required");
+        ssl_die();
+    }
+#if 0
+    /* If a "persistent connection" mode of operation is preferred, you *must*
+     * also use the PIDCHECK flag to ensure fork()'d processes don't interlace
+     * comms on the same connection as each other. */
+#define SESSION_CTX_FLAGS        SESSION_CTX_FLAG_PERSISTENT | \
+                                 SESSION_CTX_FLAG_PERSISTENT_PIDCHECK | \
+                                 SESSION_CTX_FLAG_PERSISTENT_RETRY | \
+                                 SESSION_CTX_FLAG_PERSISTENT_LATE
+#else
+    /* This mode of operation will open a temporary connection to the 'target'
+     * for each cache operation - this makes it safe against fork()
+     * automatically. This mode is preferred when running a local proxy (over
+     * unix domain sockets) because overhead is negligable and it reduces the
+     * performance/stability danger of file-descriptor bloatage. */
+#define SESSION_CTX_FLAGS        0
+#endif
+    ctx = DC_CTX_new(mc->szSessionCacheDataFile, SESSION_CTX_FLAGS);
+    if (!ctx) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache failed to obtain context");
+        ssl_die();
+    }
+    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "distributed scache context initialised");
+    /*
+     * Success ...
+     */
+    mc->tSessionCacheDataTable = ctx;
+    return;
+}
+
+void ssl_scache_dc_kill(server_rec *s)
+{
+    SSLModConfigRec *mc = myModConfig(s);
+
+    if (mc->tSessionCacheDataTable)
+        DC_CTX_free(mc->tSessionCacheDataTable);
+    mc->tSessionCacheDataTable = NULL;
+}
+
+BOOL ssl_scache_dc_store(server_rec *s, UCHAR *id, int idlen,
+                           time_t timeout, SSL_SESSION * pSession)
+{
+    unsigned char der[SSL_SESSION_MAX_DER];
+    int der_len;
+    unsigned char *pder = der;
+    SSLModConfigRec *mc = myModConfig(s);
+    DC_CTX *ctx = mc->tSessionCacheDataTable;
+
+    /* Serialise the SSL_SESSION object */
+    if ((der_len = i2d_SSL_SESSION(pSession, NULL)) > SSL_SESSION_MAX_DER)
+        return FALSE;
+    i2d_SSL_SESSION(pSession, &pder);
+    /* !@#$%^ - why do we deal with *absolute* time anyway??? */
+    timeout -= time(NULL);
+    /* Send the serialised session to the distributed cache context */
+    if (!DC_CTX_add_session(ctx, id, idlen, der, der_len,
+                            (unsigned long)timeout * 1000)) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'add_session' failed");
+        return FALSE;
+    }
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "distributed scache 'add_session' successful");
+    return TRUE;
+}
+
+SSL_SESSION *ssl_scache_dc_retrieve(server_rec *s, UCHAR *id, int idlen)
+{
+    unsigned char der[SSL_SESSION_MAX_DER];
+    unsigned int der_len;
+    SSL_SESSION *pSession;
+    MODSSL_D2I_SSL_SESSION_CONST unsigned char *pder = der;
+    SSLModConfigRec *mc = myModConfig(s);
+    DC_CTX *ctx = mc->tSessionCacheDataTable;
+
+    /* Retrieve any corresponding session from the distributed cache context */
+    if (!DC_CTX_get_session(ctx, id, idlen, der, SSL_SESSION_MAX_DER,
+                            &der_len)) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "distributed scache 'get_session' MISS");
+        return NULL;
+    }
+    if (der_len > SSL_SESSION_MAX_DER) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'get_session' OVERFLOW");
+        return NULL;
+    }
+    pSession = d2i_SSL_SESSION(NULL, &pder, der_len);
+    if (!pSession) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'get_session' CORRUPT");
+        return NULL;
+    }
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "distributed scache 'get_session' HIT");
+    return pSession;
+}
+
+void ssl_scache_dc_remove(server_rec *s, UCHAR *id, int idlen)
+{
+    SSLModConfigRec *mc = myModConfig(s);
+    DC_CTX *ctx = mc->tSessionCacheDataTable;
+
+    /* Remove any corresponding session from the distributed cache context */
+    if (!DC_CTX_remove_session(ctx, id, idlen)) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'remove_session' MISS");
+    } else {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'remove_session' HIT");
+    }
+}
+
+void ssl_scache_dc_status(request_rec *r, int flags, apr_pool_t *pool)
+{
+    SSLModConfigRec *mc = myModConfig(r->server);
+
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                  "distributed scache 'ssl_scache_dc_status'");
+    ap_rprintf(r, "cache type: <b>DC (Distributed Cache)</b>, "
+               " target: <b>%s</b><br>", mc->szSessionCacheDataFile);
+}
+
+#endif
+