tls_cache.c

Go to the documentation of this file.

/* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#include <assert.h>
#include <apr_lib.h>
#include <apr_strings.h>
#include <apr_hash.h>
 
#include <httpd.h>
#include <http_connection.h>
#include <http_log.h>
#include <ap_socache.h>
#include <util_mutex.h>
 
#include <rustls.h>
 
#include "tls_conf.h"
#include "tls_core.h"
#include "tls_cache.h"
 
extern module AP_MODULE_DECLARE_DATA tls_module;
APLOG_USE_MODULE(tls);
 
#define TLS_CACHE_DEF_PROVIDER      "shmcb"
#define TLS_CACHE_DEF_DIR           "tls"
#define TLS_CACHE_DEF_FILE          "session_cache"
#define TLS_CACHE_DEF_SIZE          512000
 
static const char *cache_provider_unknown(const char *name, apr_pool_t *p)
{
    apr_array_header_t *known;
    const char *known_names;
 
    known = ap_list_provider_names(p, AP_SOCACHE_PROVIDER_GROUP,
                                   AP_SOCACHE_PROVIDER_VERSION);
    known_names = apr_array_pstrcat(p, known, ',');
    return apr_psprintf(p, "cache type '%s' not supported "
                        "(known names: %s). Maybe you need to load the "
                        "appropriate socache module (mod_socache_%s?).",
                        name, known_names, name);
}
 
void tls_cache_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp)
{
    (void)plog;
    (void)ptemp;
    /* we make this visible, in case someone wants to configure it.
     * this does not mean that we will really use it, which is determined
     * by configuration and cache provider capabilities. */
    ap_mutex_register(pconf, TLS_SESSION_CACHE_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0);
}
 
static const char *cache_init(tls_conf_global_t *gconf, apr_pool_t *p, apr_pool_t *ptemp)
{
    const char *err = NULL;
    const char *name, *args = NULL;
    apr_status_t rv;
 
    if (gconf->session_cache) {
        goto cleanup;
    }
    else if (!apr_strnatcasecmp("none", gconf->session_cache_spec)) {
        gconf->session_cache_provider = NULL;
        gconf->session_cache = NULL;
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, gconf->ap_server, APLOGNO(10346)
                     "session cache explicitly disabled");
        goto cleanup;
    }
    else if (!apr_strnatcasecmp("default", gconf->session_cache_spec)) {
        const char *path = TLS_CACHE_DEF_DIR;
 
#if AP_MODULE_MAGIC_AT_LEAST(20180906, 2)
        path = ap_state_dir_relative(p, path);
#endif
        gconf->session_cache_spec = apr_psprintf(p, "%s:%s/%s(%ld)",
            TLS_CACHE_DEF_PROVIDER, path, TLS_CACHE_DEF_FILE, (long)TLS_CACHE_DEF_SIZE);
        gconf->session_cache_spec = "shmcb:mod_tls-sesss(64000)";
    }
 
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, gconf->ap_server, APLOGNO(10347)
                 "Using session cache: %s", gconf->session_cache_spec);
    name = gconf->session_cache_spec;
    args = ap_strchr((char*)name, ':');
    if (args) {
        name = apr_pstrmemdup(p, name, (apr_size_t)(args - name));
        ++args;
    }
    gconf->session_cache_provider = ap_lookup_provider(AP_SOCACHE_PROVIDER_GROUP,
                                                       name, AP_SOCACHE_PROVIDER_VERSION);
    if (!gconf->session_cache_provider) {
        err = cache_provider_unknown(name, p);
        goto cleanup;
    }
    err = gconf->session_cache_provider->create(&gconf->session_cache, args, ptemp, p);
    if (err != NULL) goto cleanup;
 
    if (gconf->session_cache_provider->flags & AP_SOCACHE_FLAG_NOTMPSAFE
        && !gconf->session_cache_mutex) {
        /* we need a global lock to access the cache */
        rv = ap_global_mutex_create(&gconf->session_cache_mutex, NULL,
            TLS_SESSION_CACHE_MUTEX_TYPE, NULL, gconf->ap_server, p, 0);
        if (APR_SUCCESS != rv) {
            err = apr_psprintf(p, "error setting up global %s mutex: %d",
                TLS_SESSION_CACHE_MUTEX_TYPE, rv);
            gconf->session_cache_mutex = NULL;
            goto cleanup;
        }
    }
 
cleanup:
    if (NULL != err) {
        gconf->session_cache_provider = NULL;
        gconf->session_cache = NULL;
    }
    return err;
}
 
const char *tls_cache_set_specification(
    const char *spec, tls_conf_global_t *gconf, apr_pool_t *p, apr_pool_t *ptemp)
{
    gconf->session_cache_spec = spec;
    return cache_init(gconf, p, ptemp);
}
 
apr_status_t tls_cache_post_config(apr_pool_t *p, apr_pool_t *ptemp, server_rec *s)
{
    tls_conf_server_t *sc = tls_conf_server_get(s);
    const char *err;
    apr_status_t rv = APR_SUCCESS;
 
    err = cache_init(sc->global, p, ptemp);
    if (err) {
        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10348)
                     "session cache [%s] could not be initialized, will continue "
                     "without session one. Since this will impact performance, "
                     "consider making use of the 'TLSSessionCache' directive. The "
                     "error was: %s", sc->global->session_cache_spec, err);
    }
 
    if (sc->global->session_cache) {
        struct ap_socache_hints hints;
 
        ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, "provider init session cache [%s]",
                     sc->global->session_cache_spec);
        memset(&hints, 0, sizeof(hints));
        hints.avg_obj_size = 100;
        hints.avg_id_len = 33;
        hints.expiry_interval = 30;
 
        rv = sc->global->session_cache_provider->init(
            sc->global->session_cache, "mod_tls-sess", &hints, s, p);
        if (APR_SUCCESS != rv) {
            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10349)
                         "error initializing session cache.");
        }
    }
    return rv;
}
 
void tls_cache_init_child(apr_pool_t *p, server_rec *s)
{
    tls_conf_server_t *sc = tls_conf_server_get(s);
    const char *lockfile;
    apr_status_t rv;
 
    if (sc->global->session_cache_mutex) {
        lockfile = apr_global_mutex_lockfile(sc->global->session_cache_mutex);
        rv = apr_global_mutex_child_init(&sc->global->session_cache_mutex, lockfile, p);
        if (APR_SUCCESS != rv) {
            ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10350)
                         "Cannot reinit %s mutex (file `%s`)",
                         TLS_SESSION_CACHE_MUTEX_TYPE, lockfile? lockfile : "-");
        }
    }
}
 
void tls_cache_free(server_rec *s)
{
    tls_conf_server_t *sc = tls_conf_server_get(s);
    if (sc->global->session_cache_provider) {
        sc->global->session_cache_provider->destroy(sc->global->session_cache, s);
    }
}
 
static void tls_cache_lock(tls_conf_global_t *gconf)
{
    if (gconf->session_cache_mutex) {
        apr_status_t rv = apr_global_mutex_lock(gconf->session_cache_mutex);
        if (APR_SUCCESS != rv) {
            ap_log_error(APLOG_MARK, APLOG_WARNING, rv, gconf->ap_server, APLOGNO(10351)
                         "Failed to acquire TLS session cache lock");
        }
    }
}
 
static void tls_cache_unlock(tls_conf_global_t *gconf)
{
    if (gconf->session_cache_mutex) {
        apr_status_t rv = apr_global_mutex_unlock(gconf->session_cache_mutex);
        if (APR_SUCCESS != rv) {
            ap_log_error(APLOG_MARK, APLOG_WARNING, rv, gconf->ap_server, APLOGNO(10352)
                         "Failed to release TLS session cache lock");
        }
    }
}
 
static rustls_result tls_cache_get(
    void *userdata,
    const rustls_slice_bytes *key,
    int remove_after,
    unsigned char *buf,
    size_t count,
    size_t *out_n)
{
    conn_rec *c = userdata;
    tls_conf_conn_t *cc = tls_conf_conn_get(c);
    tls_conf_server_t *sc = tls_conf_server_get(cc->server);
    apr_status_t rv = APR_ENOENT;
    unsigned int vlen, klen;
    const unsigned char *kdata;
 
    if (!sc->global->session_cache) goto not_found;
    tls_cache_lock(sc->global);
 
    kdata = key->data;
    klen = (unsigned int)key->len;
    vlen = (unsigned int)count;
    rv = sc->global->session_cache_provider->retrieve(
        sc->global->session_cache, cc->server, kdata, klen, buf, &vlen, c->pool);
 
    if (APLOGctrace4(c)) {
        apr_ssize_t n = klen;
        ap_log_cerror(APLOG_MARK, APLOG_TRACE4, rv, c, "retrieve key %d[%8x], found %d val",
            klen, apr_hashfunc_default((const char*)kdata, &n), vlen);
    }
    if (remove_after || (APR_SUCCESS != rv && !APR_STATUS_IS_NOTFOUND(rv))) {
        sc->global->session_cache_provider->remove(
            sc->global->session_cache, cc->server, key->data, klen, c->pool);
    }
 
    tls_cache_unlock(sc->global);
    if (APR_SUCCESS != rv) goto not_found;
    cc->session_id_cache_hit = 1;
    *out_n = count;
    return RUSTLS_RESULT_OK;
 
not_found:
    *out_n = 0;
    return RUSTLS_RESULT_NOT_FOUND;
}
 
static rustls_result tls_cache_put(
    void *userdata,
    const rustls_slice_bytes *key,
    const rustls_slice_bytes *val)
{
    conn_rec *c = userdata;
    tls_conf_conn_t *cc = tls_conf_conn_get(c);
    tls_conf_server_t *sc = tls_conf_server_get(cc->server);
    apr_status_t rv = APR_ENOENT;
    apr_time_t expires_at;
    unsigned int klen, vlen;
    const unsigned char *kdata;
 
    if (!sc->global->session_cache) goto not_stored;
    tls_cache_lock(sc->global);
 
    expires_at = apr_time_now() + apr_time_from_sec(300);
    kdata = key->data;
    klen = (unsigned int)key->len;
    vlen = (unsigned int)val->len;
    rv = sc->global->session_cache_provider->store(sc->global->session_cache, cc->server,
                                                   kdata, klen, expires_at,
                                                   (unsigned char*)val->data, vlen, c->pool);
    if (APLOGctrace4(c)) {
        ap_log_cerror(APLOG_MARK, APLOG_TRACE4, rv, c,
            "stored %d key bytes, with %d val bytes", klen, vlen);
    }
    tls_cache_unlock(sc->global);
    if (APR_SUCCESS != rv) goto not_stored;
    return RUSTLS_RESULT_OK;
 
not_stored:
    return RUSTLS_RESULT_NOT_FOUND;
}
 
apr_status_t tls_cache_init_server(
    rustls_server_config_builder *builder, server_rec *s)
{
    tls_conf_server_t *sc = tls_conf_server_get(s);
 
    if (sc && sc->global->session_cache) {
        ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, "adding session persistence to rustls");
        rustls_server_config_builder_set_persistence(
            builder, tls_cache_get, tls_cache_put);
    }
    return APR_SUCCESS;
}