| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_session_cache_openssl.h" | 5 #include "net/socket/ssl_session_cache_openssl.h" |
| 6 | 6 |
| 7 #include <list> | 7 #include <list> |
| 8 #include <map> | 8 #include <map> |
| 9 | 9 |
| 10 #include <openssl/rand.h> | 10 #include <openssl/rand.h> |
| 11 #include <openssl/ssl.h> | 11 #include <openssl/ssl.h> |
| 12 | 12 |
| 13 #include "base/containers/hash_tables.h" | 13 #include "base/containers/hash_tables.h" |
| 14 #include "base/lazy_instance.h" | 14 #include "base/lazy_instance.h" |
| 15 #include "base/logging.h" | 15 #include "base/logging.h" |
| 16 #include "base/profiler/scoped_tracker.h" |
| 16 #include "base/synchronization/lock.h" | 17 #include "base/synchronization/lock.h" |
| 17 | 18 |
| 18 namespace net { | 19 namespace net { |
| 19 | 20 |
| 20 namespace { | 21 namespace { |
| 21 | 22 |
| 22 // A helper class to lazily create a new EX_DATA index to map SSL_CTX handles | 23 // A helper class to lazily create a new EX_DATA index to map SSL_CTX handles |
| 23 // to their corresponding SSLSessionCacheOpenSSLImpl object. | 24 // to their corresponding SSLSessionCacheOpenSSLImpl object. |
| 24 class SSLContextExIndex { | 25 class SSLContextExIndex { |
| 25 public: | 26 public: |
| (...skipping 123 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 149 | 150 |
| 150 class SSLSessionCacheOpenSSLImpl { | 151 class SSLSessionCacheOpenSSLImpl { |
| 151 public: | 152 public: |
| 152 // Construct new instance. This registers various hooks into the SSL_CTX | 153 // Construct new instance. This registers various hooks into the SSL_CTX |
| 153 // context |ctx|. OpenSSL will call back during SSL connection | 154 // context |ctx|. OpenSSL will call back during SSL connection |
| 154 // operations. |key_func| is used to map a SSL handle to a unique cache | 155 // operations. |key_func| is used to map a SSL handle to a unique cache |
| 155 // string, according to the client's preferences. | 156 // string, according to the client's preferences. |
| 156 SSLSessionCacheOpenSSLImpl(SSL_CTX* ctx, | 157 SSLSessionCacheOpenSSLImpl(SSL_CTX* ctx, |
| 157 const SSLSessionCacheOpenSSL::Config& config) | 158 const SSLSessionCacheOpenSSL::Config& config) |
| 158 : ctx_(ctx), config_(config), expiration_check_(0) { | 159 : ctx_(ctx), config_(config), expiration_check_(0) { |
| 160 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. |
| 161 tracked_objects::ScopedTracker tracking_profile( |
| 162 FROM_HERE_WITH_EXPLICIT_FUNCTION( |
| 163 "424386 SSLSessionCacheOpenSSLImpl::SSLSessionCacheOpenSSLImpl")); |
| 164 |
| 159 DCHECK(ctx); | 165 DCHECK(ctx); |
| 160 | 166 |
| 161 // NO_INTERNAL_STORE disables OpenSSL's builtin cache, and | 167 // NO_INTERNAL_STORE disables OpenSSL's builtin cache, and |
| 162 // NO_AUTO_CLEAR disables the call to SSL_CTX_flush_sessions | 168 // NO_AUTO_CLEAR disables the call to SSL_CTX_flush_sessions |
| 163 // every 256 connections (this number is hard-coded in the library | 169 // every 256 connections (this number is hard-coded in the library |
| 164 // and can't be changed). | 170 // and can't be changed). |
| 165 SSL_CTX_set_session_cache_mode(ctx_, | 171 SSL_CTX_set_session_cache_mode(ctx_, |
| 166 SSL_SESS_CACHE_CLIENT | | 172 SSL_SESS_CACHE_CLIENT | |
| 167 SSL_SESS_CACHE_NO_INTERNAL_STORE | | 173 SSL_SESS_CACHE_NO_INTERNAL_STORE | |
| 168 SSL_SESS_CACHE_NO_AUTO_CLEAR); | 174 SSL_SESS_CACHE_NO_AUTO_CLEAR); |
| (...skipping 20 matching lines...) Expand all Loading... |
| 189 | 195 |
| 190 // Retrieve the cache key from |ssl| and look for a corresponding | 196 // Retrieve the cache key from |ssl| and look for a corresponding |
| 191 // cached session ID. If one is found, call SSL_set_session() to associate | 197 // cached session ID. If one is found, call SSL_set_session() to associate |
| 192 // it with the |ssl| connection. | 198 // it with the |ssl| connection. |
| 193 // | 199 // |
| 194 // Will also check for expired sessions every |expiration_check_count| | 200 // Will also check for expired sessions every |expiration_check_count| |
| 195 // calls. | 201 // calls. |
| 196 // | 202 // |
| 197 // Return true if a cached session ID was found, false otherwise. | 203 // Return true if a cached session ID was found, false otherwise. |
| 198 bool SetSSLSession(SSL* ssl) { | 204 bool SetSSLSession(SSL* ssl) { |
| 205 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. |
| 206 tracked_objects::ScopedTracker tracking_profile( |
| 207 FROM_HERE_WITH_EXPLICIT_FUNCTION( |
| 208 "424386 SSLSessionCacheOpenSSLImpl::SetSSLSession")); |
| 209 |
| 199 std::string cache_key = config_.key_func(ssl); | 210 std::string cache_key = config_.key_func(ssl); |
| 200 if (cache_key.empty()) | 211 if (cache_key.empty()) |
| 201 return false; | 212 return false; |
| 202 | 213 |
| 203 return SetSSLSessionWithKey(ssl, cache_key); | 214 return SetSSLSessionWithKey(ssl, cache_key); |
| 204 } | 215 } |
| 205 | 216 |
| 206 // Variant of SetSSLSession to be used when the client already has computed | 217 // Variant of SetSSLSession to be used when the client already has computed |
| 207 // the cache key. Avoid a call to the configuration's |key_func| function. | 218 // the cache key. Avoid a call to the configuration's |key_func| function. |
| 208 bool SetSSLSessionWithKey(SSL* ssl, const std::string& cache_key) { | 219 bool SetSSLSessionWithKey(SSL* ssl, const std::string& cache_key) { |
| 220 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. |
| 221 tracked_objects::ScopedTracker tracking_profile( |
| 222 FROM_HERE_WITH_EXPLICIT_FUNCTION( |
| 223 "424386 SSLSessionCacheOpenSSLImpl::SetSSLSessionWithKey")); |
| 224 |
| 209 base::AutoLock locked(lock_); | 225 base::AutoLock locked(lock_); |
| 210 | 226 |
| 211 DCHECK_EQ(config_.key_func(ssl), cache_key); | 227 DCHECK_EQ(config_.key_func(ssl), cache_key); |
| 212 | 228 |
| 213 if (++expiration_check_ >= config_.expiration_check_count) { | 229 if (++expiration_check_ >= config_.expiration_check_count) { |
| 214 expiration_check_ = 0; | 230 expiration_check_ = 0; |
| 215 FlushExpiredSessionsLocked(); | 231 FlushExpiredSessionsLocked(); |
| 216 } | 232 } |
| 217 | 233 |
| 218 KeyIndex::iterator it = key_index_.find(cache_key); | 234 KeyIndex::iterator it = key_index_.find(cache_key); |
| (...skipping 13 matching lines...) Expand all Loading... |
| 232 // Move to front of MRU list. | 248 // Move to front of MRU list. |
| 233 ordering_.push_front(session); | 249 ordering_.push_front(session); |
| 234 ordering_.erase(it->second); | 250 ordering_.erase(it->second); |
| 235 it->second = ordering_.begin(); | 251 it->second = ordering_.begin(); |
| 236 | 252 |
| 237 return SSL_set_session(ssl, session) == 1; | 253 return SSL_set_session(ssl, session) == 1; |
| 238 } | 254 } |
| 239 | 255 |
| 240 // Return true iff a cached session was associated with the given |cache_key|. | 256 // Return true iff a cached session was associated with the given |cache_key|. |
| 241 bool SSLSessionIsInCache(const std::string& cache_key) const { | 257 bool SSLSessionIsInCache(const std::string& cache_key) const { |
| 258 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. |
| 259 tracked_objects::ScopedTracker tracking_profile( |
| 260 FROM_HERE_WITH_EXPLICIT_FUNCTION( |
| 261 "424386 SSLSessionCacheOpenSSLImpl::SSLSessionIsInCache")); |
| 262 |
| 242 base::AutoLock locked(lock_); | 263 base::AutoLock locked(lock_); |
| 243 KeyIndex::const_iterator it = key_index_.find(cache_key); | 264 KeyIndex::const_iterator it = key_index_.find(cache_key); |
| 244 if (it == key_index_.end()) | 265 if (it == key_index_.end()) |
| 245 return false; | 266 return false; |
| 246 | 267 |
| 247 SSL_SESSION* session = *it->second; | 268 SSL_SESSION* session = *it->second; |
| 248 DCHECK(session); | 269 DCHECK(session); |
| 249 | 270 |
| 250 void* session_is_good = | 271 void* session_is_good = |
| 251 SSL_SESSION_get_ex_data(session, GetSSLSessionExIndex()); | 272 SSL_SESSION_get_ex_data(session, GetSSLSessionExIndex()); |
| 252 | 273 |
| 253 return session_is_good != NULL; | 274 return session_is_good != NULL; |
| 254 } | 275 } |
| 255 | 276 |
| 256 void MarkSSLSessionAsGood(SSL* ssl) { | 277 void MarkSSLSessionAsGood(SSL* ssl) { |
| 278 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. |
| 279 tracked_objects::ScopedTracker tracking_profile( |
| 280 FROM_HERE_WITH_EXPLICIT_FUNCTION( |
| 281 "424386 SSLSessionCacheOpenSSLImpl::MarkSSLSessionAsGood")); |
| 282 |
| 257 SSL_SESSION* session = SSL_get_session(ssl); | 283 SSL_SESSION* session = SSL_get_session(ssl); |
| 258 CHECK(session); | 284 CHECK(session); |
| 259 | 285 |
| 260 // Mark the session as good, allowing it to be used for future connections. | 286 // Mark the session as good, allowing it to be used for future connections. |
| 261 SSL_SESSION_set_ex_data( | 287 SSL_SESSION_set_ex_data( |
| 262 session, GetSSLSessionExIndex(), reinterpret_cast<void*>(1)); | 288 session, GetSSLSessionExIndex(), reinterpret_cast<void*>(1)); |
| 263 } | 289 } |
| 264 | 290 |
| 265 // Flush all entries from the cache. | 291 // Flush all entries from the cache. |
| 266 void Flush() { | 292 void Flush() { |
| 293 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. |
| 294 tracked_objects::ScopedTracker tracking_profile( |
| 295 FROM_HERE_WITH_EXPLICIT_FUNCTION( |
| 296 "424386 SSLSessionCacheOpenSSLImpl::Flush")); |
| 297 |
| 267 base::AutoLock lock(lock_); | 298 base::AutoLock lock(lock_); |
| 268 id_index_.clear(); | 299 id_index_.clear(); |
| 269 key_index_.clear(); | 300 key_index_.clear(); |
| 270 while (!ordering_.empty()) { | 301 while (!ordering_.empty()) { |
| 271 SSL_SESSION* session = ordering_.front(); | 302 SSL_SESSION* session = ordering_.front(); |
| 272 ordering_.pop_front(); | 303 ordering_.pop_front(); |
| 273 SSL_SESSION_free(session); | 304 SSL_SESSION_free(session); |
| 274 } | 305 } |
| 275 } | 306 } |
| 276 | 307 |
| (...skipping 74 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 351 DCHECK(result); | 382 DCHECK(result); |
| 352 return reinterpret_cast<SSLSessionCacheOpenSSLImpl*>(result); | 383 return reinterpret_cast<SSLSessionCacheOpenSSLImpl*>(result); |
| 353 } | 384 } |
| 354 | 385 |
| 355 // Called by OpenSSL when a new |session| was created and added to a given | 386 // Called by OpenSSL when a new |session| was created and added to a given |
| 356 // |ssl| connection. Note that the session's reference count was already | 387 // |ssl| connection. Note that the session's reference count was already |
| 357 // incremented before the function is entered. The function must return 1 | 388 // incremented before the function is entered. The function must return 1 |
| 358 // to indicate that it took ownership of the session, i.e. that the caller | 389 // to indicate that it took ownership of the session, i.e. that the caller |
| 359 // should not decrement its reference count after completion. | 390 // should not decrement its reference count after completion. |
| 360 static int NewSessionCallbackStatic(SSL* ssl, SSL_SESSION* session) { | 391 static int NewSessionCallbackStatic(SSL* ssl, SSL_SESSION* session) { |
| 392 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. |
| 393 tracked_objects::ScopedTracker tracking_profile( |
| 394 FROM_HERE_WITH_EXPLICIT_FUNCTION( |
| 395 "424386 SSLSessionCacheOpenSSLImpl::NewSessionCallbackStatic")); |
| 396 |
| 361 SSLSessionCacheOpenSSLImpl* cache = GetCache(ssl->ctx); | 397 SSLSessionCacheOpenSSLImpl* cache = GetCache(ssl->ctx); |
| 362 cache->OnSessionAdded(ssl, session); | 398 cache->OnSessionAdded(ssl, session); |
| 363 return 1; | 399 return 1; |
| 364 } | 400 } |
| 365 | 401 |
| 366 // Called by OpenSSL to indicate that a session must be removed from the | 402 // Called by OpenSSL to indicate that a session must be removed from the |
| 367 // cache. This happens when SSL_CTX is destroyed. | 403 // cache. This happens when SSL_CTX is destroyed. |
| 368 static void RemoveSessionCallbackStatic(SSL_CTX* ctx, SSL_SESSION* session) { | 404 static void RemoveSessionCallbackStatic(SSL_CTX* ctx, SSL_SESSION* session) { |
| 405 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. |
| 406 tracked_objects::ScopedTracker tracking_profile( |
| 407 FROM_HERE_WITH_EXPLICIT_FUNCTION( |
| 408 "424386 SSLSessionCacheOpenSSLImpl::RemoveSessionCallbackStatic")); |
| 409 |
| 369 GetCache(ctx)->OnSessionRemoved(session); | 410 GetCache(ctx)->OnSessionRemoved(session); |
| 370 } | 411 } |
| 371 | 412 |
| 372 // Called by OpenSSL to generate a new session ID. This happens during a | 413 // Called by OpenSSL to generate a new session ID. This happens during a |
| 373 // SSL connection operation, when the SSL object doesn't have a session yet. | 414 // SSL connection operation, when the SSL object doesn't have a session yet. |
| 374 // | 415 // |
| 375 // A session ID is a random string of bytes used to uniquely identify the | 416 // A session ID is a random string of bytes used to uniquely identify the |
| 376 // session between a client and a server. | 417 // session between a client and a server. |
| 377 // | 418 // |
| 378 // |ssl| is a SSL connection handle. Ignored here. | 419 // |ssl| is a SSL connection handle. Ignored here. |
| 379 // |id| is the target buffer where the ID must be generated. | 420 // |id| is the target buffer where the ID must be generated. |
| 380 // |*id_len| is, on input, the size of the desired ID. It will be 16 for | 421 // |*id_len| is, on input, the size of the desired ID. It will be 16 for |
| 381 // SSLv2, and 32 for anything else. OpenSSL allows an implementation | 422 // SSLv2, and 32 for anything else. OpenSSL allows an implementation |
| 382 // to change it on output, but this will not happen here. | 423 // to change it on output, but this will not happen here. |
| 383 // | 424 // |
| 384 // The function must ensure the generated ID is really unique, i.e. that | 425 // The function must ensure the generated ID is really unique, i.e. that |
| 385 // another session in the cache doesn't already use the same value. It must | 426 // another session in the cache doesn't already use the same value. It must |
| 386 // return 1 to indicate success, or 0 for failure. | 427 // return 1 to indicate success, or 0 for failure. |
| 387 static int GenerateSessionIdStatic(const SSL* ssl, | 428 static int GenerateSessionIdStatic(const SSL* ssl, |
| 388 unsigned char* id, | 429 unsigned char* id, |
| 389 unsigned* id_len) { | 430 unsigned* id_len) { |
| 431 // TODO(vadimt): Remove ScopedTracker below once crbug.com/424386 is fixed. |
| 432 tracked_objects::ScopedTracker tracking_profile( |
| 433 FROM_HERE_WITH_EXPLICIT_FUNCTION( |
| 434 "424386 SSLSessionCacheOpenSSLImpl::GenerateSessionIdStatic")); |
| 435 |
| 390 if (!GetCache(ssl->ctx)->OnGenerateSessionId(id, *id_len)) | 436 if (!GetCache(ssl->ctx)->OnGenerateSessionId(id, *id_len)) |
| 391 return 0; | 437 return 0; |
| 392 | 438 |
| 393 return 1; | 439 return 1; |
| 394 } | 440 } |
| 395 | 441 |
| 396 // Add |session| to the cache in association with |cache_key|. If a session | 442 // Add |session| to the cache in association with |cache_key|. If a session |
| 397 // already exists, it is replaced with the new one. This assumes that the | 443 // already exists, it is replaced with the new one. This assumes that the |
| 398 // caller already incremented the session's reference count. | 444 // caller already incremented the session's reference count. |
| 399 void OnSessionAdded(SSL* ssl, SSL_SESSION* session) { | 445 void OnSessionAdded(SSL* ssl, SSL_SESSION* session) { |
| (...skipping 121 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 521 return impl_->SSLSessionIsInCache(cache_key); | 567 return impl_->SSLSessionIsInCache(cache_key); |
| 522 } | 568 } |
| 523 | 569 |
| 524 void SSLSessionCacheOpenSSL::MarkSSLSessionAsGood(SSL* ssl) { | 570 void SSLSessionCacheOpenSSL::MarkSSLSessionAsGood(SSL* ssl) { |
| 525 return impl_->MarkSSLSessionAsGood(ssl); | 571 return impl_->MarkSSLSessionAsGood(ssl); |
| 526 } | 572 } |
| 527 | 573 |
| 528 void SSLSessionCacheOpenSSL::Flush() { impl_->Flush(); } | 574 void SSLSessionCacheOpenSSL::Flush() { impl_->Flush(); } |
| 529 | 575 |
| 530 } // namespace net | 576 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 816543004:
Update from https://crrev.com/308996 (Closed)
Base URL: git@github.com:domokit/mojo.git@master