Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 1 | /* |
| 2 | * shctx.c - shared context management functions for SSL |
| 3 | * |
| 4 | * Copyright (C) 2011-2012 EXCELIANCE |
| 5 | * |
| 6 | * Author: Emeric Brun - emeric@exceliance.fr |
| 7 | * |
| 8 | * This program is free software; you can redistribute it and/or |
| 9 | * modify it under the terms of the GNU General Public License |
| 10 | * as published by the Free Software Foundation; either version |
| 11 | * 2 of the License, or (at your option) any later version. |
| 12 | */ |
| 13 | |
| 14 | #include <sys/mman.h> |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 15 | #include <arpa/inet.h> |
Willy Tarreau | ce3f913 | 2014-05-28 16:47:01 +0200 | [diff] [blame] | 16 | #include <ebmbtree.h> |
Emeric Brun | cd1a526 | 2014-05-07 23:11:42 +0200 | [diff] [blame] | 17 | |
William Lallemand | 24a7a75 | 2017-10-09 14:17:39 +0200 | [diff] [blame] | 18 | #include <proto/shctx.h> |
| 19 | #include <proto/openssl-compat.h> |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 20 | |
William Lallemand | 24a7a75 | 2017-10-09 14:17:39 +0200 | [diff] [blame] | 21 | #include <types/global.h> |
| 22 | #include <types/shctx.h> |
Emeric Brun | 4b3091e | 2012-09-24 15:48:52 +0200 | [diff] [blame] | 23 | |
William Lallemand | 24a7a75 | 2017-10-09 14:17:39 +0200 | [diff] [blame] | 24 | #if !defined (USE_PRIVATE_CACHE) |
| 25 | int use_shared_mem = 0; |
Emeric Brun | 9faf071 | 2012-09-25 11:11:16 +0200 | [diff] [blame] | 26 | #endif |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 27 | |
| 28 | /* List Macros */ |
| 29 | |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 30 | #define shblock_unset(s) (s)->n->p = (s)->p; \ |
| 31 | (s)->p->n = (s)->n; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 32 | |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 33 | static inline void shblock_set_free(struct shared_context *shctx, |
| 34 | struct shared_block *s) |
| 35 | { |
| 36 | shblock_unset(s); |
| 37 | (s)->n = &shctx->free; |
| 38 | (s)->p = shctx->free.p; |
| 39 | shctx->free.p->n = s; |
| 40 | shctx->free.p = s; |
| 41 | } |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 42 | |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 43 | static inline void shblock_set_active(struct shared_context *shctx, |
| 44 | struct shared_block *s) |
| 45 | { |
| 46 | shblock_unset(s) |
| 47 | (s)->n = &shctx->active; |
| 48 | (s)->p = shctx->active.p; |
| 49 | shctx->active.p->n = s; |
| 50 | shctx->active.p = s; |
| 51 | } |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 52 | |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 53 | /* Tree Macros */ |
| 54 | |
| 55 | #define shsess_tree_delete(s) ebmb_delete(&(s)->key); |
| 56 | |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 57 | #define shsess_tree_insert(shctx, s) (struct shared_session *)ebmb_insert(&shctx->active.data.session.key.node.branches, \ |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 58 | &(s)->key, SSL_MAX_SSL_SESSION_ID_LENGTH); |
| 59 | |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 60 | #define shsess_tree_lookup(shctx, k) (struct shared_session *)ebmb_lookup(&shctx->active.data.session.key.node.branches, \ |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 61 | (k), SSL_MAX_SSL_SESSION_ID_LENGTH); |
| 62 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 63 | /* shared session functions */ |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 64 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 65 | /* Free session blocks, returns number of freed blocks */ |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 66 | static int shsess_free(struct shared_context *shctx, struct shared_session *shsess) |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 67 | { |
| 68 | struct shared_block *block; |
| 69 | int ret = 1; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 70 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 71 | if (((struct shared_block *)shsess)->data_len <= sizeof(shsess->data)) { |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 72 | shblock_set_free(shctx, (struct shared_block *)shsess); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 73 | return ret; |
| 74 | } |
| 75 | block = ((struct shared_block *)shsess)->n; |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 76 | shblock_set_free(shctx, (struct shared_block *)shsess); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 77 | while (1) { |
| 78 | struct shared_block *next; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 79 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 80 | if (block->data_len <= sizeof(block->data)) { |
| 81 | /* last block */ |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 82 | shblock_set_free(shctx, block); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 83 | ret++; |
| 84 | break; |
| 85 | } |
| 86 | next = block->n; |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 87 | shblock_set_free(shctx, block); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 88 | ret++; |
| 89 | block = next; |
| 90 | } |
| 91 | return ret; |
| 92 | } |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 93 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 94 | /* This function frees enough blocks to store a new session of data_len. |
| 95 | * Returns a ptr on a free block if it succeeds, or NULL if there are not |
| 96 | * enough blocks to store that session. |
| 97 | */ |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 98 | static struct shared_session *shsess_get_next(struct shared_context *shctx, int data_len) |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 99 | { |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 100 | int head = 0; |
| 101 | struct shared_block *b; |
| 102 | |
| 103 | b = shctx->free.n; |
| 104 | while (b != &shctx->free) { |
| 105 | if (!head) { |
| 106 | data_len -= sizeof(b->data.session.data); |
| 107 | head = 1; |
| 108 | } |
| 109 | else |
| 110 | data_len -= sizeof(b->data.data); |
| 111 | if (data_len <= 0) |
| 112 | return &shctx->free.n->data.session; |
| 113 | b = b->n; |
| 114 | } |
| 115 | b = shctx->active.n; |
| 116 | while (b != &shctx->active) { |
| 117 | int freed; |
| 118 | |
| 119 | shsess_tree_delete(&b->data.session); |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 120 | freed = shsess_free(shctx, &b->data.session); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 121 | if (!head) |
| 122 | data_len -= sizeof(b->data.session.data) + (freed-1)*sizeof(b->data.data); |
| 123 | else |
| 124 | data_len -= freed*sizeof(b->data.data); |
| 125 | if (data_len <= 0) |
| 126 | return &shctx->free.n->data.session; |
| 127 | b = shctx->active.n; |
| 128 | } |
| 129 | return NULL; |
| 130 | } |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 131 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 132 | /* store a session into the cache |
| 133 | * s_id : session id padded with zero to SSL_MAX_SSL_SESSION_ID_LENGTH |
| 134 | * data: asn1 encoded session |
| 135 | * data_len: asn1 encoded session length |
| 136 | * Returns 1 id session was stored (else 0) |
| 137 | */ |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 138 | static int shsess_store(struct shared_context *shctx, unsigned char *s_id, unsigned char *data, int data_len) |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 139 | { |
| 140 | struct shared_session *shsess, *oldshsess; |
| 141 | |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 142 | shsess = shsess_get_next(shctx, data_len); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 143 | if (!shsess) { |
| 144 | /* Could not retrieve enough free blocks to store that session */ |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 145 | return 0; |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 146 | } |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 147 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 148 | /* prepare key */ |
| 149 | memcpy(shsess->key_data, s_id, SSL_MAX_SSL_SESSION_ID_LENGTH); |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 150 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 151 | /* it returns the already existing node |
| 152 | or current node if none, never returns null */ |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 153 | oldshsess = shsess_tree_insert(shctx, shsess); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 154 | if (oldshsess != shsess) { |
| 155 | /* free all blocks used by old node */ |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 156 | shsess_free(shctx, oldshsess); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 157 | shsess = oldshsess; |
| 158 | } |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 159 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 160 | ((struct shared_block *)shsess)->data_len = data_len; |
| 161 | if (data_len <= sizeof(shsess->data)) { |
| 162 | /* Store on a single block */ |
| 163 | memcpy(shsess->data, data, data_len); |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 164 | shblock_set_active(shctx, (struct shared_block *)shsess); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 165 | } |
| 166 | else { |
| 167 | unsigned char *p; |
| 168 | /* Store on multiple blocks */ |
| 169 | int cur_len; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 170 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 171 | memcpy(shsess->data, data, sizeof(shsess->data)); |
| 172 | p = data + sizeof(shsess->data); |
| 173 | cur_len = data_len - sizeof(shsess->data); |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 174 | shblock_set_active(shctx, (struct shared_block *)shsess); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 175 | while (1) { |
| 176 | /* Store next data on free block. |
| 177 | * shsess_get_next guarantees that there are enough |
| 178 | * free blocks in queue. |
| 179 | */ |
| 180 | struct shared_block *block; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 181 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 182 | block = shctx->free.n; |
| 183 | if (cur_len <= sizeof(block->data)) { |
| 184 | /* This is the last block */ |
| 185 | block->data_len = cur_len; |
| 186 | memcpy(block->data.data, p, cur_len); |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 187 | shblock_set_active(shctx, block); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 188 | break; |
| 189 | } |
| 190 | /* Intermediate block */ |
| 191 | block->data_len = cur_len; |
| 192 | memcpy(block->data.data, p, sizeof(block->data)); |
| 193 | p += sizeof(block->data.data); |
| 194 | cur_len -= sizeof(block->data.data); |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 195 | shblock_set_active(shctx, block); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 196 | } |
| 197 | } |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 198 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 199 | return 1; |
| 200 | } |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 201 | |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 202 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 203 | /* SSL context callbacks */ |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 204 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 205 | /* SSL callback used on new session creation */ |
| 206 | int shctx_new_cb(SSL *ssl, SSL_SESSION *sess) |
| 207 | { |
William Lallemand | 2a97966 | 2017-09-18 17:37:07 +0200 | [diff] [blame] | 208 | unsigned char encsess[SHSESS_MAX_DATA_LEN]; /* encoded session */ |
| 209 | unsigned char encid[SSL_MAX_SSL_SESSION_ID_LENGTH]; /* encoded id */ |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 210 | unsigned char *p; |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 211 | int data_len; |
| 212 | unsigned int sid_length, sid_ctx_length; |
| 213 | const unsigned char *sid_data; |
| 214 | const unsigned char *sid_ctx_data; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 215 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 216 | /* Session id is already stored in to key and session id is known |
| 217 | * so we dont store it to keep size. |
| 218 | */ |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 219 | |
| 220 | sid_data = SSL_SESSION_get_id(sess, &sid_length); |
| 221 | sid_ctx_data = SSL_SESSION_get0_id_context(sess, &sid_ctx_length); |
| 222 | SSL_SESSION_set1_id(sess, sid_data, 0); |
| 223 | SSL_SESSION_set1_id_context(sess, sid_ctx_data, 0); |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 224 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 225 | /* check if buffer is large enough for the ASN1 encoded session */ |
| 226 | data_len = i2d_SSL_SESSION(sess, NULL); |
| 227 | if (data_len > SHSESS_MAX_DATA_LEN) |
| 228 | goto err; |
| 229 | |
William Lallemand | 2a97966 | 2017-09-18 17:37:07 +0200 | [diff] [blame] | 230 | p = encsess; |
| 231 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 232 | /* process ASN1 session encoding before the lock */ |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 233 | i2d_SSL_SESSION(sess, &p); |
| 234 | |
William Lallemand | 2a97966 | 2017-09-18 17:37:07 +0200 | [diff] [blame] | 235 | memcpy(encid, sid_data, sid_length); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 236 | if (sid_length < SSL_MAX_SSL_SESSION_ID_LENGTH) |
William Lallemand | 2a97966 | 2017-09-18 17:37:07 +0200 | [diff] [blame] | 237 | memset(encid + sid_length, 0, SSL_MAX_SSL_SESSION_ID_LENGTH-sid_length); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 238 | |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 239 | shared_context_lock(ssl_shctx); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 240 | |
| 241 | /* store to cache */ |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 242 | shsess_store(ssl_shctx, encid, encsess, data_len); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 243 | |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 244 | shared_context_unlock(ssl_shctx); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 245 | |
| 246 | err: |
| 247 | /* reset original length values */ |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 248 | SSL_SESSION_set1_id(sess, sid_data, sid_length); |
| 249 | SSL_SESSION_set1_id_context(sess, sid_ctx_data, sid_ctx_length); |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 250 | |
| 251 | return 0; /* do not increment session reference count */ |
| 252 | } |
| 253 | |
| 254 | /* SSL callback used on lookup an existing session cause none found in internal cache */ |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 255 | SSL_SESSION *shctx_get_cb(SSL *ssl, __OPENSSL_110_CONST__ unsigned char *key, int key_len, int *do_copy) |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 256 | { |
| 257 | struct shared_session *shsess; |
| 258 | unsigned char data[SHSESS_MAX_DATA_LEN], *p; |
| 259 | unsigned char tmpkey[SSL_MAX_SSL_SESSION_ID_LENGTH]; |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 260 | int data_len; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 261 | SSL_SESSION *sess; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 262 | |
Willy Tarreau | ce3f913 | 2014-05-28 16:47:01 +0200 | [diff] [blame] | 263 | global.shctx_lookups++; |
| 264 | |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 265 | /* allow the session to be freed automatically by openssl */ |
| 266 | *do_copy = 0; |
| 267 | |
| 268 | /* tree key is zeros padded sessionid */ |
| 269 | if (key_len < SSL_MAX_SSL_SESSION_ID_LENGTH) { |
| 270 | memcpy(tmpkey, key, key_len); |
| 271 | memset(tmpkey + key_len, 0, SSL_MAX_SSL_SESSION_ID_LENGTH - key_len); |
| 272 | key = tmpkey; |
| 273 | } |
| 274 | |
| 275 | /* lock cache */ |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 276 | shared_context_lock(ssl_shctx); |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 277 | |
| 278 | /* lookup for session */ |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 279 | shsess = shsess_tree_lookup(ssl_shctx, key); |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 280 | if (!shsess) { |
| 281 | /* no session found: unlock cache and exit */ |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 282 | shared_context_unlock(ssl_shctx); |
Willy Tarreau | ce3f913 | 2014-05-28 16:47:01 +0200 | [diff] [blame] | 283 | global.shctx_misses++; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 284 | return NULL; |
| 285 | } |
| 286 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 287 | data_len = ((struct shared_block *)shsess)->data_len; |
| 288 | if (data_len <= sizeof(shsess->data)) { |
| 289 | /* Session stored on single block */ |
| 290 | memcpy(data, shsess->data, data_len); |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 291 | shblock_set_active(ssl_shctx, (struct shared_block *)shsess); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 292 | } |
| 293 | else { |
| 294 | /* Session stored on multiple blocks */ |
| 295 | struct shared_block *block; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 296 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 297 | memcpy(data, shsess->data, sizeof(shsess->data)); |
| 298 | p = data + sizeof(shsess->data); |
| 299 | block = ((struct shared_block *)shsess)->n; |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 300 | shblock_set_active(ssl_shctx, (struct shared_block *)shsess); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 301 | while (1) { |
| 302 | /* Retrieve data from next block */ |
| 303 | struct shared_block *next; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 304 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 305 | if (block->data_len <= sizeof(block->data.data)) { |
| 306 | /* This is the last block */ |
| 307 | memcpy(p, block->data.data, block->data_len); |
| 308 | p += block->data_len; |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 309 | shblock_set_active(ssl_shctx, block); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 310 | break; |
| 311 | } |
| 312 | /* Intermediate block */ |
| 313 | memcpy(p, block->data.data, sizeof(block->data.data)); |
| 314 | p += sizeof(block->data.data); |
| 315 | next = block->n; |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 316 | shblock_set_active(ssl_shctx, block); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 317 | block = next; |
| 318 | } |
| 319 | } |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 320 | |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 321 | shared_context_unlock(ssl_shctx); |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 322 | |
| 323 | /* decode ASN1 session */ |
| 324 | p = data; |
| 325 | sess = d2i_SSL_SESSION(NULL, (const unsigned char **)&p, data_len); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 326 | /* Reset session id and session id contenxt */ |
| 327 | if (sess) { |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 328 | SSL_SESSION_set1_id(sess, key, key_len); |
| 329 | SSL_SESSION_set1_id_context(sess, (const unsigned char *)SHCTX_APPNAME, strlen(SHCTX_APPNAME)); |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 330 | } |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 331 | |
| 332 | return sess; |
| 333 | } |
| 334 | |
| 335 | /* SSL callback used to signal session is no more used in internal cache */ |
| 336 | void shctx_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess) |
| 337 | { |
| 338 | struct shared_session *shsess; |
| 339 | unsigned char tmpkey[SSL_MAX_SSL_SESSION_ID_LENGTH]; |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 340 | unsigned int sid_length; |
| 341 | const unsigned char *sid_data; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 342 | (void)ctx; |
| 343 | |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 344 | sid_data = SSL_SESSION_get_id(sess, &sid_length); |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 345 | /* tree key is zeros padded sessionid */ |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 346 | if (sid_length < SSL_MAX_SSL_SESSION_ID_LENGTH) { |
| 347 | memcpy(tmpkey, sid_data, sid_length); |
| 348 | memset(tmpkey+sid_length, 0, SSL_MAX_SSL_SESSION_ID_LENGTH - sid_length); |
| 349 | sid_data = tmpkey; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 350 | } |
| 351 | |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 352 | shared_context_lock(ssl_shctx); |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 353 | |
| 354 | /* lookup for session */ |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 355 | shsess = shsess_tree_lookup(ssl_shctx, sid_data); |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 356 | if (shsess) { |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 357 | /* free session */ |
| 358 | shsess_tree_delete(shsess); |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 359 | shsess_free(ssl_shctx, shsess); |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 360 | } |
| 361 | |
| 362 | /* unlock cache */ |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 363 | shared_context_unlock(ssl_shctx); |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 364 | } |
| 365 | |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 366 | /* Allocate shared memory context. |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 367 | * <size> is maximum cached sessions. |
Emeric Brun | 22890a1 | 2012-12-28 14:41:32 +0100 | [diff] [blame] | 368 | * If <size> is set to less or equal to 0, ssl cache is disabled. |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 369 | * Returns: -1 on alloc failure, <size> if it performs context alloc, |
| 370 | * and 0 if cache is already allocated. |
| 371 | */ |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 372 | int shared_context_init(struct shared_context **orig_shctx, int size, int shared) |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 373 | { |
| 374 | int i; |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 375 | struct shared_context *shctx; |
| 376 | int ret; |
Emeric Brun | 9faf071 | 2012-09-25 11:11:16 +0200 | [diff] [blame] | 377 | #ifndef USE_PRIVATE_CACHE |
Emeric Brun | cd1a526 | 2014-05-07 23:11:42 +0200 | [diff] [blame] | 378 | #ifdef USE_PTHREAD_PSHARED |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 379 | pthread_mutexattr_t attr; |
Emeric Brun | cd1a526 | 2014-05-07 23:11:42 +0200 | [diff] [blame] | 380 | #endif |
Emeric Brun | 9faf071 | 2012-09-25 11:11:16 +0200 | [diff] [blame] | 381 | #endif |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 382 | struct shared_block *prev,*cur; |
Emeric Brun | 4b3091e | 2012-09-24 15:48:52 +0200 | [diff] [blame] | 383 | int maptype = MAP_PRIVATE; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 384 | |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 385 | if (orig_shctx && *orig_shctx) |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 386 | return 0; |
| 387 | |
| 388 | if (size<=0) |
Emeric Brun | 22890a1 | 2012-12-28 14:41:32 +0100 | [diff] [blame] | 389 | return 0; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 390 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 391 | /* Increate size by one to reserve one node for lookup */ |
| 392 | size++; |
Emeric Brun | 9faf071 | 2012-09-25 11:11:16 +0200 | [diff] [blame] | 393 | #ifndef USE_PRIVATE_CACHE |
Emeric Brun | 4b3091e | 2012-09-24 15:48:52 +0200 | [diff] [blame] | 394 | if (shared) |
| 395 | maptype = MAP_SHARED; |
Emeric Brun | 9faf071 | 2012-09-25 11:11:16 +0200 | [diff] [blame] | 396 | #endif |
Emeric Brun | 4b3091e | 2012-09-24 15:48:52 +0200 | [diff] [blame] | 397 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 398 | shctx = (struct shared_context *)mmap(NULL, sizeof(struct shared_context)+(size*sizeof(struct shared_block)), |
Emeric Brun | 4b3091e | 2012-09-24 15:48:52 +0200 | [diff] [blame] | 399 | PROT_READ | PROT_WRITE, maptype | MAP_ANON, -1, 0); |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 400 | if (!shctx || shctx == MAP_FAILED) { |
| 401 | shctx = NULL; |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 402 | ret = SHCTX_E_ALLOC_CACHE; |
| 403 | goto err; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 404 | } |
| 405 | |
Emeric Brun | 9faf071 | 2012-09-25 11:11:16 +0200 | [diff] [blame] | 406 | #ifndef USE_PRIVATE_CACHE |
Emeric Brun | caa19cc | 2014-05-07 16:10:18 +0200 | [diff] [blame] | 407 | if (maptype == MAP_SHARED) { |
Emeric Brun | cd1a526 | 2014-05-07 23:11:42 +0200 | [diff] [blame] | 408 | #ifdef USE_PTHREAD_PSHARED |
Emeric Brun | caa19cc | 2014-05-07 16:10:18 +0200 | [diff] [blame] | 409 | if (pthread_mutexattr_init(&attr)) { |
| 410 | munmap(shctx, sizeof(struct shared_context)+(size*sizeof(struct shared_block))); |
| 411 | shctx = NULL; |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 412 | ret = SHCTX_E_INIT_LOCK; |
| 413 | goto err; |
Emeric Brun | caa19cc | 2014-05-07 16:10:18 +0200 | [diff] [blame] | 414 | } |
| 415 | |
| 416 | if (pthread_mutexattr_setpshared(&attr, PTHREAD_PROCESS_SHARED)) { |
| 417 | pthread_mutexattr_destroy(&attr); |
| 418 | munmap(shctx, sizeof(struct shared_context)+(size*sizeof(struct shared_block))); |
| 419 | shctx = NULL; |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 420 | ret = SHCTX_E_INIT_LOCK; |
| 421 | goto err; |
Emeric Brun | caa19cc | 2014-05-07 16:10:18 +0200 | [diff] [blame] | 422 | } |
| 423 | |
| 424 | if (pthread_mutex_init(&shctx->mutex, &attr)) { |
| 425 | pthread_mutexattr_destroy(&attr); |
| 426 | munmap(shctx, sizeof(struct shared_context)+(size*sizeof(struct shared_block))); |
| 427 | shctx = NULL; |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 428 | ret = SHCTX_E_INIT_LOCK; |
| 429 | goto err; |
Emeric Brun | caa19cc | 2014-05-07 16:10:18 +0200 | [diff] [blame] | 430 | } |
Emeric Brun | cd1a526 | 2014-05-07 23:11:42 +0200 | [diff] [blame] | 431 | #else |
| 432 | shctx->waiters = 0; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 433 | #endif |
Emeric Brun | 4b3091e | 2012-09-24 15:48:52 +0200 | [diff] [blame] | 434 | use_shared_mem = 1; |
Emeric Brun | caa19cc | 2014-05-07 16:10:18 +0200 | [diff] [blame] | 435 | } |
Emeric Brun | 9faf071 | 2012-09-25 11:11:16 +0200 | [diff] [blame] | 436 | #endif |
Emeric Brun | 4b3091e | 2012-09-24 15:48:52 +0200 | [diff] [blame] | 437 | |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 438 | memset(&shctx->active.data.session.key, 0, sizeof(struct ebmb_node)); |
| 439 | memset(&shctx->free.data.session.key, 0, sizeof(struct ebmb_node)); |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 440 | |
| 441 | /* No duplicate authorized in tree: */ |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 442 | shctx->active.data.session.key.node.branches = EB_ROOT_UNIQUE; |
| 443 | |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 444 | cur = &shctx->active; |
| 445 | cur->n = cur->p = cur; |
| 446 | |
| 447 | cur = &shctx->free; |
| 448 | for (i = 0 ; i < size ; i++) { |
| 449 | prev = cur; |
Vincent Bernat | 3c2f2f2 | 2016-04-03 13:48:42 +0200 | [diff] [blame] | 450 | cur++; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 451 | prev->n = cur; |
| 452 | cur->p = prev; |
| 453 | } |
| 454 | cur->n = &shctx->free; |
| 455 | shctx->free.p = cur; |
| 456 | |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 457 | ret = size; |
| 458 | |
| 459 | err: |
| 460 | *orig_shctx = shctx; |
| 461 | return ret; |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 462 | } |
| 463 | |
| 464 | |
| 465 | /* Set session cache mode to server and disable openssl internal cache. |
| 466 | * Set shared cache callbacks on an ssl context. |
| 467 | * Shared context MUST be firstly initialized */ |
| 468 | void shared_context_set_cache(SSL_CTX *ctx) |
| 469 | { |
Emeric Brun | 786991e | 2012-11-26 18:37:12 +0100 | [diff] [blame] | 470 | SSL_CTX_set_session_id_context(ctx, (const unsigned char *)SHCTX_APPNAME, strlen(SHCTX_APPNAME)); |
| 471 | |
William Lallemand | 3f85c9a | 2017-10-09 16:30:50 +0200 | [diff] [blame^] | 472 | if (!ssl_shctx) { |
Emeric Brun | 22890a1 | 2012-12-28 14:41:32 +0100 | [diff] [blame] | 473 | SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 474 | return; |
Emeric Brun | 22890a1 | 2012-12-28 14:41:32 +0100 | [diff] [blame] | 475 | } |
| 476 | |
| 477 | SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | |
| 478 | SSL_SESS_CACHE_NO_INTERNAL | |
| 479 | SSL_SESS_CACHE_NO_AUTO_CLEAR); |
Emeric Brun | 3e541d1 | 2012-09-03 11:14:36 +0200 | [diff] [blame] | 480 | |
| 481 | /* Set callbacks */ |
| 482 | SSL_CTX_sess_set_new_cb(ctx, shctx_new_cb); |
| 483 | SSL_CTX_sess_set_get_cb(ctx, shctx_get_cb); |
| 484 | SSL_CTX_sess_set_remove_cb(ctx, shctx_remove_cb); |
| 485 | } |