BOOL ssl_scache_shmht_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SSL_SESSION *sess)
{
SSLModConfigRec *mc = myModConfig();
void *vp;
UCHAR ucaData[SSL_SESSION_MAX_DER];
int nData;
UCHAR *ucp;
/* streamline session data */
if ((nData = i2d_SSL_SESSION(sess, NULL)) > sizeof(ucaData))
return FALSE;
ucp = ucaData;
i2d_SSL_SESSION(sess, &ucp);
ssl_mutex_on(s);
if (table_insert_kd(mc->tSessionCacheDataTable,
id, idlen, NULL, sizeof(time_t)+nData,
NULL, &vp, 1) != TABLE_ERROR_NONE) {
ssl_mutex_off(s);
return FALSE;
}
memcpy(vp, &expiry, sizeof(time_t));
memcpy((char *)vp+sizeof(time_t), ucaData, nData);
ssl_mutex_off(s);
/* allow the regular expiring to occur */
ssl_scache_shmht_expire(s);
return TRUE;
}
BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen,
apr_time_t expiry, SSL_SESSION *sess,
apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig(s);
unsigned char encoded[SSL_SESSION_MAX_DER], *ptr;
unsigned int len;
apr_status_t rv;
/* Serialise the session. */
len = i2d_SSL_SESSION(sess, NULL);
if (len > sizeof encoded) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01875)
"session is too big (%u bytes)", len);
return FALSE;
}
ptr = encoded;
len = i2d_SSL_SESSION(sess, &ptr);
if (mc->sesscache->flags & AP_SOCACHE_FLAG_NOTMPSAFE) {
ssl_mutex_on(s);
}
rv = mc->sesscache->store(mc->sesscache_context, s, id, idlen,
expiry, encoded, len, p);
if (mc->sesscache->flags & AP_SOCACHE_FLAG_NOTMPSAFE) {
ssl_mutex_off(s);
}
return rv == APR_SUCCESS ? TRUE : FALSE;
}
bool SSLSessionCacheManager::storeCacheRecord(const string& sessionId,
SSL_SESSION* session) {
std::string sessionString;
uint32_t sessionLen = i2d_SSL_SESSION(session, nullptr);
sessionString.resize(sessionLen);
uint8_t* cp = (uint8_t *)sessionString.data();
i2d_SSL_SESSION(session, &cp);
size_t expiration = SSL_CTX_get_timeout(ctx_->getSSLCtx());
return externalCache_->setAsync(sessionId, sessionString,
std::chrono::seconds(expiration));
}
NOEXPORT int sess_new_cb(SSL *ssl, SSL_SESSION *sess) {
unsigned char *val, *val_tmp;
int val_len;
val_len=i2d_SSL_SESSION(sess, NULL);
val_tmp=val=str_alloc(val_len);
i2d_SSL_SESSION(sess, &val_tmp);
cache_transfer(ssl->ctx, CACHE_CMD_NEW, SSL_SESSION_get_timeout(sess),
sess->session_id, sess->session_id_length, val, val_len, NULL, NULL);
str_free(val);
return 1; /* leave the session in local cache for reuse */
}
cache_val_t
cachessess_mkval(SSL_SESSION *sess)
{
dynbuf_t *db;
unsigned char *p;
size_t asn1sz;
asn1sz = i2d_SSL_SESSION(sess, NULL);
if (!asn1sz || !(db = dynbuf_new_alloc(asn1sz))) {
return NULL;
}
p = db->buf;
i2d_SSL_SESSION(sess, &p); /* updates p */
return db;
}
static int on_async_resumption_new(SSL *ssl, SSL_SESSION *session)
{
h2o_iovec_t data;
const unsigned char *id;
unsigned id_len;
unsigned char *p;
/* build data */
data.len = i2d_SSL_SESSION(session, NULL);
data.base = alloca(data.len);
p = (void *)data.base;
i2d_SSL_SESSION(session, &p);
id = SSL_SESSION_get_id(session, &id_len);
resumption_new(h2o_iovec_init(id, id_len), data);
return 0;
}
std::string getSessionData(SSL_SESSION* s, size_t expectedLength) {
std::unique_ptr<unsigned char[]>
sessionData(new unsigned char[expectedLength]);
auto p = sessionData.get();
auto len = i2d_SSL_SESSION(s, &p);
CHECK(expectedLength == len);
return std::string(reinterpret_cast<const char*>(sessionData.get()), len);
}
std::string SSLSessionImpl::serialize(void) const {
std::string ret;
// Get the length first, then we know how much space to allocate.
auto len = i2d_SSL_SESSION(session_, nullptr);
if (len > 0) {
std::unique_ptr<unsigned char[]> uptr(new unsigned char[len]);
auto p = uptr.get();
auto written = i2d_SSL_SESSION(session_, &p);
if (written <= 0) {
VLOG(2) << "Could not serialize SSL_SESSION!";
} else {
ret.assign(uptr.get(), uptr.get() + written);
}
}
return ret;
}
/*
* call-seq:
* session.to_der -> aString
*
* Returns an ASN1 encoded String that contains the Session object.
*/
static VALUE ossl_ssl_session_to_der(VALUE self)
{
SSL_SESSION *ctx;
unsigned char *p;
int len;
VALUE str;
GetSSLSession(self, ctx);
len = i2d_SSL_SESSION(ctx, NULL);
if (len <= 0) {
ossl_raise(eSSLSession, "i2d_SSL_SESSION");
}
str = rb_str_new(0, len);
p = (unsigned char *)RSTRING_PTR(str);
i2d_SSL_SESSION(ctx, &p);
ossl_str_adjust(str, p);
return str;
}
BOOL ssl_scache_shmcb_store(server_rec *s, UCHAR *id, int idlen,
time_t timeout, SSL_SESSION * pSession)
{
SSLModConfigRec *mc = myModConfig(s);
BOOL to_return = FALSE;
unsigned char encoded[SSL_SESSION_MAX_DER];
unsigned char *ptr_encoded;
unsigned int len_encoded;
SHMCBHeader *header = mc->tSessionCacheDataTable;
SHMCBSubcache *subcache = SHMCB_MASK(header, id);
ssl_mutex_on(s);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"ssl_scache_shmcb_store (0x%02x -> subcache %d)",
SHMCB_MASK_DBG(header, id));
if (idlen < 4) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "unusably short session_id provided "
"(%u bytes)", idlen);
goto done;
}
/* Serialise the session. */
len_encoded = i2d_SSL_SESSION(pSession, NULL);
if (len_encoded > SSL_SESSION_MAX_DER) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"session is too big (%u bytes)", len_encoded);
goto done;
}
ptr_encoded = encoded;
len_encoded = i2d_SSL_SESSION(pSession, &ptr_encoded);
if (!shmcb_subcache_store(s, header, subcache, encoded,
len_encoded, id, timeout)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"can't store a session!");
goto done;
}
header->stat_stores++;
to_return = TRUE;
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"leaving ssl_scache_shmcb_store successfully");
done:
ssl_mutex_off(s);
return to_return;
}
NOEXPORT void cache_new(SSL *ssl, SSL_SESSION *sess) {
unsigned char *val, *val_tmp;
ssize_t val_len;
const unsigned char *session_id;
unsigned int session_id_length;
val_len=i2d_SSL_SESSION(sess, NULL);
val_tmp=val=str_alloc((size_t)val_len);
i2d_SSL_SESSION(sess, &val_tmp);
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
session_id=SSL_SESSION_get_id(sess, &session_id_length);
#else
session_id=(const unsigned char *)sess->session_id;
session_id_length=sess->session_id_length;
#endif
cache_transfer(SSL_get_SSL_CTX(ssl), CACHE_CMD_NEW,
SSL_SESSION_get_timeout(sess),
session_id, session_id_length, val, (size_t)val_len, NULL, NULL);
str_free(val);
}
int uwsgi_ssl_session_new_cb(SSL *ssl, SSL_SESSION *sess) {
char session_blob[4096];
int len = i2d_SSL_SESSION(sess, NULL);
if (len > 4096) {
if (uwsgi.ssl_verbose) {
uwsgi_log("[uwsgi-ssl] unable to store session of size %d\n", len);
}
return 0;
}
unsigned char *p = (unsigned char *) session_blob;
i2d_SSL_SESSION(sess, &p);
// ok let's write the value to the cache
uwsgi_wlock(uwsgi.ssl_sessions_cache->lock);
if (uwsgi_cache_set2(uwsgi.ssl_sessions_cache, (char *) sess->session_id, sess->session_id_length, session_blob, len, uwsgi.ssl_sessions_timeout, 0)) {
if (uwsgi.ssl_verbose) {
uwsgi_log("[uwsgi-ssl] unable to store session of size %d in the cache\n", len);
}
}
uwsgi_rwunlock(uwsgi.ssl_sessions_cache->lock);
return 0;
}
BOOL ssl_scache_dc_store(server_rec *s, UCHAR *id, int idlen,
time_t timeout, SSL_SESSION * pSession)
{
unsigned char der[SSL_SESSION_MAX_DER];
int der_len;
unsigned char *pder = der;
SSLModConfigRec *mc = myModConfig(s);
DC_CTX *ctx = mc->tSessionCacheDataTable;
/* Serialise the SSL_SESSION object */
if ((der_len = i2d_SSL_SESSION(pSession, NULL)) > SSL_SESSION_MAX_DER)
return FALSE;
i2d_SSL_SESSION(pSession, &pder);
/* !@#$%^ - why do we deal with *absolute* time anyway??? */
timeout -= time(NULL);
/* Send the serialised session to the distributed cache context */
if (!DC_CTX_add_session(ctx, id, idlen, der, der_len,
(unsigned long)timeout * 1000)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "distributed scache 'add_session' failed");
return FALSE;
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "distributed scache 'add_session' successful");
return TRUE;
}
/*
* call-seq:
* session.to_der -> aString
*
* Returns an ASN1 encoded String that contains the Session object.
*/
static VALUE ossl_ssl_session_to_der(VALUE self)
{
SSL_SESSION *ctx;
unsigned char buf[1024*10], *p;
int len;
GetSSLSession(self, ctx);
p = buf;
len = i2d_SSL_SESSION(ctx, &p);
if (len <= 0)
ossl_raise(eSSLSession, "i2d_SSL_SESSION");
else if (len >= sizeof(buf))
ossl_raise(eSSLSession, "i2d_SSL_SESSION too large");
return rb_str_new((const char *) p, len);
}
/* return the size of serialized session. */
int
ngx_http_lua_ffi_ssl_get_serialized_session_size(ngx_http_request_t *r,
char **err)
{
int len;
ngx_ssl_conn_t *ssl_conn;
ngx_connection_t *c;
ngx_ssl_session_t *session;
ngx_http_lua_ssl_ctx_t *cctx;
c = r->connection;
if (c == NULL || c->ssl == NULL) {
*err = "bad request";
return NGX_ERROR;
}
ssl_conn = c->ssl->connection;
if (ssl_conn == NULL) {
*err = "bad ssl conn";
return NGX_ERROR;
}
dd("get cctx session size");
cctx = ngx_http_lua_ssl_get_ctx(c->ssl->connection);
if (cctx == NULL) {
*err = "bad lua context";
return NGX_ERROR;
}
session = cctx->session;
if (session == NULL) {
*err = "bad session in lua context";
return NGX_ERROR;
}
len = i2d_SSL_SESSION(session, NULL);
if (len == 0) {
*err = "i2d_SSL_SESSION() failed";
return NGX_ERROR;
}
return len;
}
static void
ngx_stream_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
void *data)
{
ngx_stream_upstream_rr_peer_data_t *rrp = data;
ngx_ssl_session_t *old_ssl_session, *ssl_session;
ngx_stream_upstream_rr_peer_t *peer;
#if (NGX_STREAM_UPSTREAM_ZONE)
int len;
u_char *p;
ngx_stream_upstream_rr_peers_t *peers;
u_char buf[NGX_SSL_MAX_SESSION_SIZE];
#endif
#if (NGX_STREAM_UPSTREAM_ZONE)
peers = rrp->peers;
if (peers->shpool) {
ssl_session = SSL_get0_session(pc->connection->ssl->connection);
if (ssl_session == NULL) {
return;
}
ngx_log_debug1(NGX_LOG_DEBUG_STREAM, pc->log, 0,
"save session: %p", ssl_session);
len = i2d_SSL_SESSION(ssl_session, NULL);
/* do not cache too big session */
if (len > NGX_SSL_MAX_SESSION_SIZE) {
return;
}
p = buf;
(void) i2d_SSL_SESSION(ssl_session, &p);
peer = rrp->current;
ngx_stream_upstream_rr_peers_rlock(peers);
ngx_stream_upstream_rr_peer_lock(peers, peer);
if (len > peer->ssl_session_len) {
ngx_shmtx_lock(&peers->shpool->mutex);
if (peer->ssl_session) {
ngx_slab_free_locked(peers->shpool, peer->ssl_session);
}
peer->ssl_session = ngx_slab_alloc_locked(peers->shpool, len);
ngx_shmtx_unlock(&peers->shpool->mutex);
if (peer->ssl_session == NULL) {
peer->ssl_session_len = 0;
ngx_stream_upstream_rr_peer_unlock(peers, peer);
ngx_stream_upstream_rr_peers_unlock(peers);
return;
}
peer->ssl_session_len = len;
}
ngx_memcpy(peer->ssl_session, buf, len);
ngx_stream_upstream_rr_peer_unlock(peers, peer);
ngx_stream_upstream_rr_peers_unlock(peers);
return;
}
#endif
ssl_session = ngx_ssl_get_session(pc->connection);
if (ssl_session == NULL) {
return;
}
ngx_log_debug1(NGX_LOG_DEBUG_STREAM, pc->log, 0,
"save session: %p", ssl_session);
peer = rrp->current;
old_ssl_session = peer->ssl_session;
peer->ssl_session = ssl_session;
if (old_ssl_session) {
ngx_log_debug1(NGX_LOG_DEBUG_STREAM, pc->log, 0,
"old session: %p", old_ssl_session);
/* TODO: may block */
ngx_ssl_free_session(old_ssl_session);
}
}
int MAIN(int argc, char **argv)
{
SSL_SESSION *x=NULL;
int ret=1,i,num,badops=0;
BIO *out=NULL;
int informat,outformat;
char *infile=NULL,*outfile=NULL,*context=NULL;
int cert=0,noout=0,text=0;
char **pp;
apps_startup();
if (bio_err == NULL)
if ((bio_err=BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
informat=FORMAT_PEM;
outformat=FORMAT_PEM;
argc--;
argv++;
num=0;
while (argc >= 1)
{
if (strcmp(*argv,"-inform") == 0)
{
if (--argc < 1) goto bad;
informat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-outform") == 0)
{
if (--argc < 1) goto bad;
outformat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-in") == 0)
{
if (--argc < 1) goto bad;
infile= *(++argv);
}
else if (strcmp(*argv,"-out") == 0)
{
if (--argc < 1) goto bad;
outfile= *(++argv);
}
else if (strcmp(*argv,"-text") == 0)
text= ++num;
else if (strcmp(*argv,"-cert") == 0)
cert= ++num;
else if (strcmp(*argv,"-noout") == 0)
noout= ++num;
else if (strcmp(*argv,"-context") == 0)
{
if(--argc < 1) goto bad;
context=*++argv;
}
else
{
BIO_printf(bio_err,"unknown option %s\n",*argv);
badops=1;
break;
}
argc--;
argv++;
}
if (badops)
{
bad:
for (pp=sess_id_usage; (*pp != NULL); pp++)
BIO_printf(bio_err,*pp);
goto end;
}
ERR_load_crypto_strings();
x=load_sess_id(infile,informat);
if (x == NULL) { goto end; }
if(context)
{
x->sid_ctx_length=strlen(context);
if(x->sid_ctx_length > SSL_MAX_SID_CTX_LENGTH)
{
BIO_printf(bio_err,"Context too long\n");
goto end;
}
memcpy(x->sid_ctx,context,x->sid_ctx_length);
}
#ifdef undef
/* just testing for memory leaks :-) */
{
SSL_SESSION *s;
char buf[1024*10],*p;
int i;
s=SSL_SESSION_new();
p= &buf;
i=i2d_SSL_SESSION(x,&p);
p= &buf;
d2i_SSL_SESSION(&s,&p,(long)i);
p= &buf;
d2i_SSL_SESSION(&s,&p,(long)i);
p= &buf;
d2i_SSL_SESSION(&s,&p,(long)i);
SSL_SESSION_free(s);
}
#endif
if (!noout || text)
{
out=BIO_new(BIO_s_file());
if (out == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if (outfile == NULL)
{
BIO_set_fp(out,stdout,BIO_NOCLOSE);
#ifdef VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
}
else
{
if (BIO_write_filename(out,outfile) <= 0)
{
perror(outfile);
goto end;
}
}
}
if (text)
{
SSL_SESSION_print(out,x);
if (cert)
{
if (x->peer == NULL)
BIO_puts(out,"No certificate present\n");
else
X509_print(out,x->peer);
}
}
if (!noout && !cert)
{
if (outformat == FORMAT_ASN1)
i=(int)i2d_SSL_SESSION_bio(out,x);
else if (outformat == FORMAT_PEM)
i=PEM_write_bio_SSL_SESSION(out,x);
else {
BIO_printf(bio_err,"bad output format specified for outfile\n");
goto end;
}
if (!i) {
BIO_printf(bio_err,"unable to write SSL_SESSION\n");
goto end;
}
}
else if (!noout && (x->peer != NULL)) /* just print the certificate */
{
if (outformat == FORMAT_ASN1)
i=(int)i2d_X509_bio(out,x->peer);
else if (outformat == FORMAT_PEM)
i=PEM_write_bio_X509(out,x->peer);
else {
BIO_printf(bio_err,"bad output format specified for outfile\n");
goto end;
}
if (!i) {
BIO_printf(bio_err,"unable to write X509\n");
goto end;
}
}
ret=0;
end:
if (out != NULL) BIO_free_all(out);
if (x != NULL) SSL_SESSION_free(x);
EXIT(ret);
}
