ssl_scache.c

Support for OpenSSL 1.1.0:

- The callback function passed to SSL_CTX_sess_set_get_cb() now needs the session id argument to be const.

So constify the session id.

  1. … 5 more files in changeset.
mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.

For related discussion, see the dev@ thread starting at:

http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

  1. … 5 more files in changeset.
Add output for "?auto" version of server-status to proxy status, mod_ssl session cache info, mod_cache_socache and the status hook of the individual socache implementations.

  1. … 5 more files in changeset.
Address a todo listed in

https://mail-archives.apache.org/mod_mbox/httpd-dev/200205.mbox/%3CPine.LNX.4.33.0205292300380.27841-100000%40mako.covalent.net%3E

"init functions should return status code rather than ssl_die()"

For diagnostic purposes, ssl_die() is still there, but instead of abruptly exit(1)ing, it will return APR_EGENERAL to the ssl_init_* callers in ssl_engine_init.c, and these will propagate the status back to ssl_init_Module.

  1. … 7 more files in changeset.
Increase minimum required OpenSSL version to 0.9.8a (in preparation for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y functions added in that release):

- remove obsolete #defines / macros

- in ssl_private.h, regroup definitions based on whether they depend on TLS extension support or not

- for ECC and SRP support, set HAVE_X and change the rather awkward #ifndef OPENSSL_NO_X lines accordingly

For the discussion prior to taking this step, see

https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E

  1. … 11 more files in changeset.
Pass the server_rec to ssl_die() and use it to log a message to the main error log, pointing to the appropriate virtual host error log

  1. … 8 more files in changeset.
Add lots of unique tags to error log messages

  1. … 172 more files in changeset.
Cleanup effort in prep for GA push:

Trim trailing whitespace... no func change

  1. … 118 more files in changeset.
Fix two bugs introduced by r1070153

  1. … 1 more file in changeset.
Use ap_state_query() to fix many modules that were not correctly initializing if they were not active during server startup but got enabled later during a graceful restart (in which case they need to do all work during a single config run).

  1. … 12 more files in changeset.
Consistently use loglevel emerg before ssl_die()

  1. … 4 more files in changeset.
Catch up ssl to socache store expiry change, and clarify what the code is doing

  1. … 3 more files in changeset.
Add support for OCSP "stapling":

* modules/ssl/ssl_util_stapling.c: New file.

* modules/ssl/config.m4, modules/ssl/mod_ssl.dsp: Build it.

* modules/ssl/ssl_toolkit_compat.h: Define HAVE_OCSP_STAPLING if OpenSSL is of suitable version (>= 0.9.8g) and capability (TLS extension support enabled).

* modules/ssl/mod_ssl.c: Add config directives.

* modules/ssl/ssl_private.h: Add prototypes for new functions.
  (SSLModConfigRec): Add fields for stapling socache instance and associated mutex.
  (modssl_ctx_t): Add config fields for stapling.

* modules/ssl/ssl_engine_init.c (ssl_init_Module, ssl_init_Child): Call the stapling initialization functions.

* modules/ssl/ssl_engine_config.c: Add config hooks.

* modules/ssl/ssl_scache.c: Create, initialize and destroy the socache instance for OCSP responses.

Submitted by: Dr Stephen Henson <shenson oss-institute.org>

  1. … 9 more files in changeset.
socache API tweaks based on chrisd's review:

* include/ap_socache.h (ap_socache_provider_t::store): Take a pool.
  (ap_socache_provider_t::retrieve): Guarantee APR_NOTFOUND for a "not found" result.
  (ap_socache_provider_t::remove): Return an apr_status_t.

* modules/cache/mod_socache_dc.c, modules/cache/mod_socache_dbm.c, modules/cache/mod_socache_shmcb, modules/cache/mod_socache_memcache.c: Adjust accordingly.

* modules/ssl/ssl_scache.c (ssl_scache_store): Pass pool to sesscache->store.

  1. … 5 more files in changeset.
* include/ap_socache.h: Use C++ safety wrappers, and rename ->delete to ->remove since the former is a C++ reserved word.

* modules/ssl/ssl_scache.c (ssl_scache_remove): Update accordingly.

  1. … 1 more file in changeset.
Adjust socache init interface to take sizing hints, and namespace tag for memcache:

* modules/cache/ap_socache.h (struct ap_socache_hints): New structure. Change init callback to take namespace string and hints structure pointer.

* modules/cache/mod_socache_dc.c (socache_dc_init): Adjust accordingly.

* modules/cache/mod_socache_dbm.c (struct ap_socache_instance_t): Rename timeout field to expiry_interval.
  (socache_dbm_init, socache_dbm_create): Take expiry interval from hints rather than hard-code to 30.
  (socache_dbm_expire): Update for timeout field rename.

* modules/cache/mod_socache_shmcb.c (socache_shmcb_init): Adjust for hints and namespace; adjust subcache index sizing heuristics to use passed-in hints.

* modules/cache/mod_socache_memcache.c (struct ap_socache_instance_t): Add tag, taglen fields.
  (socache_mc_init): Store the passed-in namespace in instance structure.
  (mc_session_id2sz): Adjust to not take context, use configured tag as string prefix, and not use a return value.
  (socache_mc_store, socache_mc_retrieve, socache_mc_remove): Adjust for mc_session_id2sz interface changes.

* modules/ssl/ssl_scache.c (ssl_scache_init): Pass namespace and hints to socache provider init function.

  1. … 5 more files in changeset.
Missed in r645940:

* modules/ssl/ssl_scache.c: Switch to using socache constants.

Session cache interface redesign, Part 9:

Switch mod_ssl to use the ap_socache interface.

* modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_memcache.c, modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_dbm.c: Remove files.

* modules/ssl/mod_ssl.c (modssl_register_scache): Remove function.

* modules/ssl/ssl_private.h: Remove modssl_sesscache_provider etc.
  (SSLModConfigRec): Switch to using socache types.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Switch to use socache provider.

* modules/ssl/ssl_engine_mutex.c, modules/ssl/ssl_scache.c: Switch to using socache constants.

* modules/ssl/config.m4: Drop distache/memcache configuration, remove old objects.

  1. … 9 more files in changeset.
Session cache interface redesign, Part 7:

Clean up provider interface, removing use of mod_ssl-specific types:

* modules/ssl/ssl_private.h (modssl_sesscache_provider): Replace BOOL with apr_status_t, UCHAR with unsigned char; use 'unsigned int' for idlen; constify id arguments; remove pool argument from ->status.

* modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_memcache, modules/ssl/ssl_scache_shmcb.c, modules/ssl_scache_dbm.c: Update accordingly.

* modules/ssl/ssl_scache.c (ssl_scache_retrieve, ssl_scache_store): Adjust for BOOL->apr_status_t change.
  (ssl_ext_status_hook): Update for dropped pool argument.

  1. … 5 more files in changeset.
Session cache interface redesign, Part 6:

Move mutex handling up out of the session cache providers:

* modules/ssl/ssl_private.h (modssl_sesscache_provider): Add name and flags fields. Define MODSSL_SESSCACHE_FLAG_NOTMPSAFE constant.

* modules/ssl/ssl_scache.c (ssl_scache_store, ssl_scache_retrieve, ssl_scache_remove, ssl_ext_status_hook): Lock and release the mutex around provider calls, if necessary.

* modules/ssl/ssl_engine_mutex.c (ssl_mutex_init): Do nothing if no session cache is configured, or the session cache does not require a mutex. Otherwise, fail if no mutex is configured and the session cache *does* require a mutex.
  (ssl_mutex_on, ssl_mutex_off): Remove checks for mutex mode; functions now invoked only if necessary.

* modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_memcache: Set name and flags fields in provider structures.

* modules/ssl/ssl_scache_shmcb.c, modules/ssl_scache_dbm.c: Remove mutex handling through; set name and flags fields in provider structures; mark both as unsafe for concurrent access in flags.

  1. … 6 more files in changeset.
* modules/ssl/ssl_scache.c (ssl_ext_status_hook): Do nothing if no provider is configured.

Submitted by: rpluem

Session cache interface redesign, Part 4:

Move provider-specific configuration handling down into the provider code. Eliminate all use of SSLModConfigRec within provider code.

* modules/ssl/ssl_private.h (modssl_sesscache_provider): Add 'create' function which creates and configures the cache provider, before initialisation. Change 'init' function to take the context pointer as an input parameter, and reorder to be first.

* modules/ssl/ssl_scache.c (ssl_scache_init): Adjust accordingly.

* modules/ssl/ssl_scache_memcache.c (struct context): Add servers field.
  (ssl_scache_mc_create): New function.
  (ssl_scache_mc_init): Use servers from context not SSLModConfigRec.

* modules/ssl/ssl_scache_dbm.c (struct context): Define.
  (ssl_scache_dbm_create): New function.
  (ssl_scache_dbm_init, ssl_scache_dbm_kill): Adjust to use filename and pool from context.
  (ssl_scache_dbm_store, ssl_scache_dbm_retrieve, ssl_scache_dbm_status): Use filename from context. Use context pool for temp storage of the DBM object, and clear before use.
  (ssl_scache_dbm_expire): Remove static tLast; use last_expiry from context. Use context pool for temp storage and clear before use.

* modules/ssl/ssl_scache_dc.c (struct context): Add target field.
  (ssl_scache_dc_init, ssl_scache_dc_status): Use target from context.

* modules/ssl/ssl_scache_shmcb.c (struct context): Add data_file, shm_size fields.
  (ssl_scache_shmcb_create): New function; moved argument parsing logic from ssl_cmd_SSLSessionCache
  (ssl_scache_shmcb_init, ssl_scache_shmcb_status): Use config from context.

* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Remove handling of old provider-specific fields.
  (ssl_cmd_SSLSessionCache): Call provider ->create function to parse the argument and create provider-specific context structure.

  1. … 6 more files in changeset.
* modules/ssl/ssl_scache.c (ssl_scache_init): Reformat code and update the comment. No functional change.

Session cache interface redesign, Part 3:

Move provider-private context out of SSLModConfigRec and into an opaque context pointer. Use real error propagation in the ->init functions rather than ssl_die().

* modules/ssl/ssl_private.h (modssl_sesscache_provider): Take a context out-parameter from ->init, and return an apr_status_t. Add context pointer as first arg for the other function types.
  (SSLModConfigRec): Remove tSessionCacheData* fields; add sesscache_context field.

* modules/ssl/ssl_scache.c (ssl_scache_init): Move once-per-process invocation check back into here.
  (ssl_scache_*): Adjust to use context pointer.

* modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_dbm.c: Adjust all implementations to use opaque context pointer.

* modules/ssl/ssl_scache_memcache.c: Move memcache context into the context structure rather than using global state.

* modules/ssl/ssl_engine_config.c: Remove handling of pSessionCacheData* fields in SSLModConfigRec.

  1. … 6 more files in changeset.
Move SSL session data deserialization up out of the session cache storage providers; includes a significant change to the shmcb storage structure:

* modules/ssl/ssl_private.h (modssl_sesscache_provider): Change retrieve function to take dest/destlen output buffer, to take a constant id parameter, and to return a BOOL.

* modules/ssl/ssl_scache.c (ssl_scache_retrieve): Update accordingly, perform SSL deserialization here.

* modules/ssl/ssl_scache_dc.c (ssl_scache_dc_retrieve), modules/ssl/ssl_scache_dbm.c (ssl_scache_dbm_retrieve), modules/ssl/ssl_scache_memcache.c (ssl_scache_mc_retrieve): Update accordingly.

* modules/ssl/ssl_scache_shmcb.c: Store the whole ID in the cache before the data, so that each index can be compared against the requested ID without deserializing the data. This requires approx 20% extra storage per session in the common case, though should reduce CPU overhead in some retrieval paths.
  (SHMCBIndex): Replace s_id2 field with id_len.
  (shmcb_cyclic_memcmp): New function.
  (ssl_scache_shmcb_init): Change the heuristics to allow for increase in per-session storage requirement.
  (ssl_scache_shmcb_retrieve): Drop requirement on ID length.
  (shmcb_subcache_store): Store the ID in the cyclic buffer.
  (shmcb_subcache_retrieve, shmcb_subcache_remove): Compare against the stored ID rather than deserializing the data.
  (ssl_scache_shmcb_retrieve, ssl_scache_shmcb_store): Update accordingly.

  1. … 5 more files in changeset.
Move SSL session data serialization up out of the session cache storage providers:

* modules/ssl/ssl_private.h (modssl_sesscache_provider): Change 'store' interface to take a data/length pair rather than an SSL_SESSION pointer.

* modules/ssl/ssl_scache.c (ssl_scache_store): Serialize the SSL session here and pass down the raw DER.

* modules/ssl/ssl_scache_dc.c, modules/ssl_scache_mc.c, modules/ssl_scache_shmcb.c, modules/ssl_scache_dbm.c: Adjust ->store implementations accordingly, removing the four sets of identical code doing the i2d dance.

  1. … 5 more files in changeset.
Re-implement the SSL session cache abstraction using a vtable; first step towards use of the ap_provider interface:

* modules/ssl/ssl_private.h (modssl_sesscache_provider): Add new vtable type.
  (SSLModConfigRec): Reference the vtable here.
  Replace all the ssl_scache_* prototypes with provider vtable objects.

* modules/ssl/ssl_scache.c (ssl_scache_init, ssl_scache_kill, ssl_scache_retrieve, ssl_scache_store, ssl_scache_remove, ssl_ext_status_hook): Use callbacks from vtable rather than ifdef spaghetti.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_session_cache): Only install the OpenSSL callbacks if a vtable is configured.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Set up vtable pointer.

* modules/ssl/ssl_scache_dc.c, modules/ssl_scache_mc.c: Adjust to make implementations static, and add vtable definition.

* modules/ssl_scache_shmcb.c: Likewise; also move the init one-per-process requirement down here.

* modules/ssl_scache_dbm.c: Likewise; also (temporarily) use a local subpool in the store callback.

  1. … 7 more files in changeset.
For the DBM SSL Session Cache, propagate down pools to use for allocations. In most cases, we can use the conn_rec::pool, but for ssl_callback_DelSessionCacheEntry, we still use the long lived configuration pool, but this change at least makes it easier to fix in the future.

  1. … 3 more files in changeset.
Propagate the conn_rec::pool down to ssl_scache_retrieve so that the memcache layer doesn't 'leak' into a long lived pool for temp allocations.

  1. … 3 more files in changeset.
Add support for distributed caching of SSL Sessions inside memcached, using apr_memcache, which is present in APR-Util 1.3/trunk.

This was originally written at ApacheCon US 2005 (San Diego), and was sent to the list:

http://mail-archives.apache.org/mod_mbox/httpd-dev/200512.mbox/%3C439C6C07.9030904@force-elite.com%3E

This version is slightly cleaned up, and of course, uses the now bundled apr_memcache, rather than an external dependency.

  1. … 5 more files in changeset.