net: split the SSL session cache between incognito and normal.

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <openssl/ssl.h>
@@ skipping 182 matching lines @@
 
 // We do certificate verification after handshake, so we disable the default
 // by registering a no-op verify function.
 int NoOpVerifyCallback(X509_STORE_CTX*, void *) {
   DVLOG(3) << "skipping cert verify";
   return 1;
 }
 
 // OpenSSL manages a cache of SSL_SESSION, this class provides the application
 // side policy for that cache about session re-use: we retain one session per
 // unique HostPortPair.

[joth, 2011/12/09 23:28:37]

per unique HostPortPair per shard.

[agl, 2011/12/12 22:18:20]

Done.

 class SSLSessionCache {
  public:
   SSLSessionCache() {}
 
-  void OnSessionAdded(const HostPortPair& host_and_port, SSL_SESSION* session) {
+  void OnSessionAdded(const HostPortPair& host_and_port,
+                      const std::string& shard,
+                      SSL_SESSION* session) {
     // Declare the session cleaner-upper before the lock, so any call into
     // OpenSSL to free the session will happen after the lock is released.
     crypto::ScopedOpenSSL<SSL_SESSION, SSL_SESSION_free> session_to_free;
     base::AutoLock lock(lock_);
 
     DCHECK_EQ(0U, session_map_.count(session));
+    const std::string cache_key = GetCacheKey(host_and_port, shard);
+
     std::pair<HostPortMap::iterator, bool> res =
-        host_port_map_.insert(std::make_pair(host_and_port, session));
+        host_port_map_.insert(std::make_pair(cache_key, session));
     if (!res.second) {  // Already exists: replace old entry.
       session_to_free.reset(res.first->second);
       session_map_.erase(session_to_free.get());
       res.first->second = session;
     }
     DVLOG(2) << "Adding session " << session << " => "
-             << host_and_port.ToString() << ", new entry = " << res.second;
-    DCHECK(host_port_map_[host_and_port] == session);
+             << cache_key << ", new entry = " << res.second;
+    DCHECK(host_port_map_[cache_key] == session);
     session_map_[session] = res.first;
     DCHECK_EQ(host_port_map_.size(), session_map_.size());
     DCHECK_LE(host_port_map_.size(), kSessionCacheMaxEntires);
   }
 
   void OnSessionRemoved(SSL_SESSION* session) {
     // Declare the session cleaner-upper before the lock, so any call into
     // OpenSSL to free the session will happen after the lock is released.
     crypto::ScopedOpenSSL<SSL_SESSION, SSL_SESSION_free> session_to_free;
     base::AutoLock lock(lock_);
 
     SessionMap::iterator it = session_map_.find(session);
     if (it == session_map_.end())
       return;
     DVLOG(2) << "Remove session " << session << " => "
-             << it->second->first.ToString();
+             << it->second->first;

[joth, 2011/12/09 23:28:37]

nit: no need to line break

[agl, 2011/12/12 22:18:20]

Done.

     DCHECK(it->second->second == session);
     host_port_map_.erase(it->second);
     session_map_.erase(it);
     session_to_free.reset(session);
     DCHECK_EQ(host_port_map_.size(), session_map_.size());
   }
 
   // Looks up the host:port in the cache, and if a session is found it is added
   // to |ssl|, returning true on success.
-  bool SetSSLSession(SSL* ssl, const HostPortPair& host_and_port) {
+  bool SetSSLSession(SSL* ssl, const HostPortPair& host_and_port,
+                     const std::string& shard) {
     base::AutoLock lock(lock_);
-    HostPortMap::iterator it = host_port_map_.find(host_and_port);
+    const std::string cache_key = GetCacheKey(host_and_port, shard);
+    HostPortMap::iterator it = host_port_map_.find(cache_key);
     if (it == host_port_map_.end())
       return false;
     DVLOG(2) << "Lookup session: " << it->second << " => "
-             << host_and_port.ToString();
+             << cache_key;

[joth, 2011/12/09 23:28:37]

nit: no need for line break

[agl, 2011/12/12 22:18:20]

Done.

     SSL_SESSION* session = it->second;
     DCHECK(session);
     DCHECK(session_map_[session] == it);
     // Ideally we'd release |lock_| before calling into OpenSSL here, however
     // that opens a small risk |session| will go out of scope before it is used.
     // Alternatively we would take a temporary local refcount on |session|,
     // except OpenSSL does not provide a public API for adding a ref (c.f.
     // SSL_SESSION_free which decrements the ref).
     return SSL_set_session(ssl, session) == 1;
   }
 
+  // Flush removes all entries from the cache. This is called when a client
+  // certificate is added.
+  void Flush() {
+    for (HostPortMap::iterator i = host_port_map_.begin();
+         i != host_port_map_.end(); i++) {
+      SSL_SESSION_free(i->second);
+    }
+    host_port_map_.clear();
+    session_map_.clear();
+  }
+
  private:
+  static std::string GetCacheKey(const HostPortPair& host_and_port,
+                                 const std::string& shard) {
+    return host_and_port.ToString() + "/" + shard;
+  }
+
   // A pair of maps to allow bi-directional lookups between host:port and an
   // associated session.
-  // TODO(joth): When client certificates are implemented we should key the
-  // cache on the client certificate used in addition to the host-port pair.

[joth, 2011/12/09 23:28:37]

thanks for handling this one too. if I've followed it right, we re-use the
client cert selection so long as the session remains in the cache?

[agl, 2011/12/12 22:18:20]

Right. And when we add a new client-cert, we flush the session cache.

-  typedef std::map<HostPortPair, SSL_SESSION*> HostPortMap;
+  typedef std::map<std::string, SSL_SESSION*> HostPortMap;
   typedef std::map<SSL_SESSION*, HostPortMap::iterator> SessionMap;
   HostPortMap host_port_map_;
   SessionMap session_map_;
 
   // Protects access to both the above maps.
   base::Lock lock_;
 
   DISALLOW_COPY_AND_ASSIGN(SSLSessionCache);
 };
 
@@ skipping 38 matching lines @@
                                      NULL);
 #endif
   }
 
   static int NewSessionCallbackStatic(SSL* ssl, SSL_SESSION* session) {
     return GetInstance()->NewSessionCallback(ssl, session);
   }
 
   int NewSessionCallback(SSL* ssl, SSL_SESSION* session) {
     SSLClientSocketOpenSSL* socket = GetClientSocketFromSSL(ssl);
-    session_cache_.OnSessionAdded(socket->host_and_port(), session);
+    session_cache_.OnSessionAdded(socket->host_and_port(),
+                                  socket->session_cache_shard(),
+                                  session);
     return 1;  // 1 => We took ownership of |session|.
   }
 
   static void RemoveSessionCallbackStatic(SSL_CTX* ctx, SSL_SESSION* session) {
     return GetInstance()->RemoveSessionCallback(ctx, session);
   }
 
   void RemoveSessionCallback(SSL_CTX* ctx, SSL_SESSION* session) {
     DCHECK(ctx == ssl_ctx());
     session_cache_.OnSessionRemoved(session);
@@ skipping 10 matching lines @@
                                      const unsigned char* in,
                                      unsigned int inlen, void* arg) {
     SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
     return socket->SelectNextProtoCallback(out, outlen, in, inlen);
   }
 
   // This is the index used with SSL_get_ex_data to retrieve the owner
   // SSLClientSocketOpenSSL object from an SSL instance.
   int ssl_socket_data_index_;
 
+  // session_cache_ must appear before |ssl_ctx_| because the destruction of
+  // |ssl_ctx_| may trigger callbacks into |session_cache_|. Therefore,
+  // |session_cache_| must be destructed after |ssl_ctx_|.
+  SSLSessionCache session_cache_;
   crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free> ssl_ctx_;
-  SSLSessionCache session_cache_;
 };
 
 // Utility to construct the appropriate set & clear masks for use the OpenSSL
 // options and mode configuration functions. (SSL_set_options etc)
 struct SslSetClearMask {
   SslSetClearMask() : set_mask(0), clear_mask(0) {}
   void ConfigureFlag(long flag, bool state) {
     (state ? set_mask : clear_mask) |= flag;
     // Make sure we haven't got any intersection in the set & clear options.
     DCHECK_EQ(0, set_mask & clear_mask) << flag << ":" << state;
   }
   long set_mask;
   long clear_mask;
 };
 
 }  // namespace
 
+// static
+void SSLClientSocket::ClearSessionCache() {
+  SSLContext* context = SSLContext::GetInstance();
+  context->session_cache()->Flush();
+}
+
 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
     ClientSocketHandle* transport_socket,
     const HostPortPair& host_and_port,
     const SSLConfig& ssl_config,
     const SSLClientSocketContext& context)
     : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_(
           this, &SSLClientSocketOpenSSL::BufferSendComplete)),
       ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_(
           this, &SSLClientSocketOpenSSL::BufferRecvComplete)),
       transport_send_busy_(false),
       transport_recv_busy_(false),
       old_user_connect_callback_(NULL),
       old_user_read_callback_(NULL),
       user_write_callback_(NULL),
       completed_handshake_(false),
       client_auth_cert_needed_(false),
       cert_verifier_(context.cert_verifier),
       ssl_(NULL),
       transport_bio_(NULL),
       transport_(transport_socket),
       host_and_port_(host_and_port),
       ssl_config_(ssl_config),
+      session_cache_shard_(context.session_cache_shard),
       trying_cached_session_(false),
       npn_status_(kNextProtoUnsupported),
       net_log_(transport_socket->socket()->NetLog()) {
 }
 
 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() {
   Disconnect();
 }
 
 bool SSLClientSocketOpenSSL::Init() {
   DCHECK(!ssl_);
   DCHECK(!transport_bio_);
 
   SSLContext* context = SSLContext::GetInstance();
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
 
   ssl_ = SSL_new(context->ssl_ctx());
   if (!ssl_ || !context->SetClientSocketForSSL(ssl_, this))
     return false;
 
   if (!SSL_set_tlsext_host_name(ssl_, host_and_port_.host().c_str()))
     return false;
 
   trying_cached_session_ =
-      context->session_cache()->SetSSLSession(ssl_, host_and_port_);
+      context->session_cache()->SetSSLSession(ssl_, host_and_port_,
+                                              session_cache_shard_);
 
   BIO* ssl_bio = NULL;
   // 0 => use default buffer sizes.
   if (!BIO_new_bio_pair(&ssl_bio, 0, &transport_bio_, 0))
     return false;
   DCHECK(ssl_bio);
   DCHECK(transport_bio_);
 
   SSL_set_bio(ssl_, ssl_bio, ssl_bio);
 
@@ skipping 244 matching lines @@
     user_connect_callback_ = callback;
   } else {
     net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
   }
 
   return rv > OK ? OK : rv;
 }
 
 void SSLClientSocketOpenSSL::Disconnect() {
   if (ssl_) {
+    // Calling SSL_shutdown prevents the session from being marked as
+    // unresumable.
+    SSL_shutdown(ssl_);
     SSL_free(ssl_);
     ssl_ = NULL;
   }
   if (transport_bio_) {
     BIO_free_all(transport_bio_);
     transport_bio_ = NULL;
   }
 
   // Shut down anything that may call us back.
   verifier_.reset();
@@ skipping 600 matching lines @@
     net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv,
                                   user_write_buf_->data());
     return rv;
   }
 
   int err = SSL_get_error(ssl_, rv);
   return MapOpenSSLError(err, err_tracer);
 }
 
 }  // namespace net