1 /* Copyright 2004-2006 The Apache Software Foundation or its licensors, as
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * _ __ ___ ___ __| | ___ ___| | mod_ssl
19 * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
20 * | | | | | | (_) | (_| | \__ \__ \ |
21 * |_| |_| |_|\___/ \__,_|___|___/___/_|
24 * Distributed Session Cache (client support)
27 #include "ssl_private.h"
29 /* Only build this code if it's enabled at configure-time. */
32 #include "distcache/dc_client.h"
34 #if !defined(DISTCACHE_CLIENT_API) || (DISTCACHE_CLIENT_API < 0x0001)
35 #error "You must compile with a more recent version of the distcache-base package"
39 * This cache implementation allows modssl to access 'distcache' servers (or
40 * proxies) to facilitate distributed session caching. It is based on code
41 * released as open source by Cryptographic Appliances Inc, and was developed by
42 * Geoff Thorpe, Steve Robb, and Chris Zimmerman.
47 ** High-Level "handlers" as per ssl_scache.c
51 void ssl_scache_dc_init(server_rec *s, apr_pool_t *p)
54 SSLModConfigRec *mc = myModConfig(s);
56 * Create a session context
58 if (mc->szSessionCacheDataFile == NULL) {
59 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "SSLSessionCache required");
63 /* If a "persistent connection" mode of operation is preferred, you *must*
64 * also use the PIDCHECK flag to ensure fork()'d processes don't interlace
65 * comms on the same connection as each other. */
66 #define SESSION_CTX_FLAGS SESSION_CTX_FLAG_PERSISTENT | \
67 SESSION_CTX_FLAG_PERSISTENT_PIDCHECK | \
68 SESSION_CTX_FLAG_PERSISTENT_RETRY | \
69 SESSION_CTX_FLAG_PERSISTENT_LATE
71 /* This mode of operation will open a temporary connection to the 'target'
72 * for each cache operation - this makes it safe against fork()
73 * automatically. This mode is preferred when running a local proxy (over
74 * unix domain sockets) because overhead is negligable and it reduces the
75 * performance/stability danger of file-descriptor bloatage. */
76 #define SESSION_CTX_FLAGS 0
78 ctx = DC_CTX_new(mc->szSessionCacheDataFile, SESSION_CTX_FLAGS);
80 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache failed to obtain context");
83 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "distributed scache context initialised");
87 mc->tSessionCacheDataTable = ctx;
91 void ssl_scache_dc_kill(server_rec *s)
93 SSLModConfigRec *mc = myModConfig(s);
95 if (mc->tSessionCacheDataTable)
96 DC_CTX_free(mc->tSessionCacheDataTable);
97 mc->tSessionCacheDataTable = NULL;
100 BOOL ssl_scache_dc_store(server_rec *s, UCHAR *id, int idlen,
101 time_t timeout, SSL_SESSION * pSession)
103 unsigned char der[SSL_SESSION_MAX_DER];
105 unsigned char *pder = der;
106 SSLModConfigRec *mc = myModConfig(s);
107 DC_CTX *ctx = mc->tSessionCacheDataTable;
109 /* Serialise the SSL_SESSION object */
110 if ((der_len = i2d_SSL_SESSION(pSession, NULL)) > SSL_SESSION_MAX_DER)
112 i2d_SSL_SESSION(pSession, &pder);
113 /* !@#$%^ - why do we deal with *absolute* time anyway??? */
114 timeout -= time(NULL);
115 /* Send the serialised session to the distributed cache context */
116 if (!DC_CTX_add_session(ctx, id, idlen, der, der_len,
117 (unsigned long)timeout * 1000)) {
118 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'add_session' failed");
121 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "distributed scache 'add_session' successful");
125 SSL_SESSION *ssl_scache_dc_retrieve(server_rec *s, UCHAR *id, int idlen)
127 unsigned char der[SSL_SESSION_MAX_DER];
128 unsigned int der_len;
129 SSL_SESSION *pSession;
130 MODSSL_D2I_SSL_SESSION_CONST unsigned char *pder = der;
131 SSLModConfigRec *mc = myModConfig(s);
132 DC_CTX *ctx = mc->tSessionCacheDataTable;
134 /* Retrieve any corresponding session from the distributed cache context */
135 if (!DC_CTX_get_session(ctx, id, idlen, der, SSL_SESSION_MAX_DER,
137 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "distributed scache 'get_session' MISS");
140 if (der_len > SSL_SESSION_MAX_DER) {
141 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'get_session' OVERFLOW");
144 pSession = d2i_SSL_SESSION(NULL, &pder, der_len);
146 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'get_session' CORRUPT");
149 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "distributed scache 'get_session' HIT");
153 void ssl_scache_dc_remove(server_rec *s, UCHAR *id, int idlen)
155 SSLModConfigRec *mc = myModConfig(s);
156 DC_CTX *ctx = mc->tSessionCacheDataTable;
158 /* Remove any corresponding session from the distributed cache context */
159 if (!DC_CTX_remove_session(ctx, id, idlen)) {
160 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'remove_session' MISS");
162 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'remove_session' HIT");
166 void ssl_scache_dc_status(request_rec *r, int flags, apr_pool_t *pool)
168 SSLModConfigRec *mc = myModConfig(r->server);
170 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
171 "distributed scache 'ssl_scache_dc_status'");
172 ap_rprintf(r, "cache type: <b>DC (Distributed Cache)</b>, "
173 " target: <b>%s</b><br>", mc->szSessionCacheDataFile);