Changeset 764fef3 in mod_gnutls


Timestamp:
May 31, 2020, 6:24:41 AM (4 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master
Children:
e151b6f
Parents:
7e29705
git-author:
Fiona Klute <fiona.klute@…> (05/31/20 06:17:51)
git-committer:
Fiona Klute <fiona.klute@…> (05/31/20 06:24:41)
Message:

Load cached proxy TLS sessions from cache

Location:
src
Files:
4 edited

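--- a/src/gnutls_cache.c
+++ b/src/gnutls_cache.c
@@ -3,5 +3,5 @@
  *  Copyright 2008 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
- *  Copyright 2015-2018 Fiona Klute
+ *  Copyright 2015-2020 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -169,10 +169,4 @@
 
 
-/** 8K is the maximum size accepted when receiving OCSP responses,
- * sessions cache entries should be much smaller. The buffer is
- * reallocated to actual size after fetching, so memory waste is
- * minimal and temporary. */
-#define SOCACHE_FETCH_BUF_SIZE (8 * 1024)
-
 apr_status_t mgs_cache_fetch(mgs_cache_t cache, server_rec *server,
                              gnutls_datum_t key, gnutls_datum_t *output,
@@ -240,8 +234,8 @@
         return data;
 
-    data.data = gnutls_malloc(SOCACHE_FETCH_BUF_SIZE);
+    data.data = gnutls_malloc(MGS_SESSION_FETCH_BUF_SIZE);
     if (data.data == NULL)
         return data;
-    data.size = SOCACHE_FETCH_BUF_SIZE;
+    data.size = MGS_SESSION_FETCH_BUF_SIZE;
 
     apr_status_t rv = mgs_cache_fetch(ctxt->sc->cache, ctxt->c->base_server,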
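--- a/src/gnutls_cache.h
+++ b/src/gnutls_cache.h
@@ -2,5 +2,5 @@
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2014 Nikos Mavrogiannopoulos
- *  Copyright 2015-2018 Fiona Klute
+ *  Copyright 2015-2020 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -33,4 +33,10 @@
  * `Mutex` directive */
 #define MGS_CACHE_MUTEX_NAME "gnutls-cache"
+
+/** 8K is the maximum size accepted when receiving OCSP responses,
+ * sessions cache entries should be much smaller. The buffer is
+ * reallocated to actual size after fetching, so memory waste is
+ * minimal and temporary. */
+#define MGS_SESSION_FETCH_BUF_SIZE (8 * 1024)
 
 /**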
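--- a/src/gnutls_io.c
+++ b/src/gnutls_io.c
@@ -385,5 +385,6 @@
     }
 
-    /* Enable SNI and ALPN for proxy connections */
+    /* Enable SNI and ALPN for proxy connections, and load cached
+     * session if any. */
     if (ctxt->is_proxy == GNUTLS_ENABLED_TRUE)
         mgs_set_proxy_handshake_ext(ctxt);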
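--- a/src/gnutls_proxy.c
+++ b/src/gnutls_proxy.c
@@ -16,4 +16,5 @@
 
 #include "mod_gnutls.h"
+#include "gnutls_cache.h"
 #include "gnutls_proxy.h"
 #include "gnutls_util.h"
@@ -21,4 +22,6 @@
 #include <apr_strings.h>
 #include <gnutls/gnutls.h>
+
+APLOG_USE_MODULE(gnutls);
 
 /*
@@ -396,4 +399,43 @@
 
 
+/**
+ * Check if there is a cached session for the connection, and load it
+ * if yes. The session is deleted from the cache after that, because
+ * tickets should not be reused for forward secrecy.
+ *
+ * @param ctxt the mod_gnutls connection handle
+ */
+static void proxy_conn_load_session(mgs_handle_t *ctxt)
+{
+    gnutls_datum_t data = {NULL, 0};
+    data.data = gnutls_malloc(MGS_SESSION_FETCH_BUF_SIZE);
+    if (data.data == NULL)
+        return;
+    data.size = MGS_SESSION_FETCH_BUF_SIZE;
+
+    apr_status_t rv = mgs_cache_fetch(ctxt->sc->cache, ctxt->c->base_server,
+                                      ctxt->proxy_ticket_key, &data,
+                                      ctxt->c->pool);
+    if (rv != APR_SUCCESS)
+    {
+        gnutls_free(data.data);
+        return;
+    }
+
+    // TODO: delete the cache entry
+
+    int ret = gnutls_session_set_data(ctxt->session, data.data, data.size);
+    if (ret == GNUTLS_E_SUCCESS)
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                      "%s: Cached session loaded.", __func__);
+    else
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, ctxt->c,
+                      "%s: Loading cached session failed: %s (%d)",
+                      __func__, gnutls_strerror(ret), ret);
+    gnutls_free(data.data);
+}
+
+
+
 gnutls_datum_t mgs_proxy_ticket_id(mgs_handle_t *ctxt, apr_pool_t *pool)
 {
@@ -429,3 +471,4 @@
     proxy_conn_set_sni(ctxt);
     proxy_conn_set_alpn(ctxt);
-}
+    proxy_conn_load_session(ctxt);
+}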
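Review bot: The header comment on proxy_conn_load_session promises that the entry is deleted from the cache after loading, but the body only carries `// TODO: delete the cache entry`, so the ticket stays under ctxt->proxy_ticket_key and is handed to gnutls_session_set_data again on every later proxy connection that reaches this function until the cache expires it, which is precisely the reuse the comment says it wants to avoid. Either delete the entry as soon as mgs_cache_fetch succeeds (regardless of whether gnutls_session_set_data then accepts the blob, so a stale or rejected entry is not retried forever), or until that lands make the comment honest: `* if yes. Deleting the entry afterwards is still a TODO; the intent is that a ticket is presented only once.` There is also no check that ctxt->sc->cache is non-NULL before the fetch; if the module can run without a configured cache and mgs_cache_fetch does not tolerate a NULL handle, every proxy connection would dereference it here — worth confirming against mgs_cache_fetch, whose body is outside this hunk. The function whose closing brace the last hunk moves starts outside the hunk.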