2 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 83 TLS session management */
12 #include "anyp/PortCfg.h"
13 #include "base/RunnersRegistry.h"
15 #include "ipc/MemMap.h"
16 #include "security/Session.h"
17 #include "SquidConfig.h"
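/// Size (bytes) of a TLS session identifier; compared against
/// MEMMAP_SLOT_KEY_SIZE in initializeSessionCache().
#define SSL_SESSION_ID_SIZE 32
/// Largest serialized session state (bytes) the cache is sized for; compared
/// against MEMMAP_SLOT_DATA_SIZE in initializeSessionCache(). Parenthesized so
/// the macro stays a single operand when used inside a larger expression.
#define SSL_SESSION_MAX_SIZE (10*1024)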
/// Whether the TLS library reports session s as resumed from earlier
/// session state rather than freshly negotiated. Without a TLS library the
/// answer is always false. The answer is also logged at debug level 7.
bool
Security::SessionIsResumed(const Security::SessionPointer &s)
{
#if USE_OPENSSL
    const bool resumed = (SSL_session_reused(s.get()) == 1);
#elif USE_GNUTLS
    const bool resumed = (gnutls_session_is_resumed(s.get()) != 0);
#else
    const bool resumed = false;
#endif
    debugs(83, 7, "session=" << (void*)s.get() << ", query? answer: " << (resumed ? 'T' : 'F') );
    return resumed;
}
/// Captures the resumable state of a freshly negotiated session into data,
/// for a later SetSessionResumeData() call. A session that was itself
/// resumed is left alone: data is not touched and the fact is logged.
void
Security::MaybeGetSessionResumeData(const Security::SessionPointer &s, Security::SessionStatePointer &data)
{
    if (SessionIsResumed(s)) {
        debugs(83, 5, "session=" << (void*)s.get() << " data=" << (void*)data.get() << ", do nothing.");
        return;
    }

#if USE_OPENSSL
    // nil is valid for SSL_get1_session(), it cannot fail.
    data.reset(SSL_get1_session(s.get()));
#elif USE_GNUTLS
    // NOTE(review): gnutls_session_get_data2() fills a caller-provided
    // gnutls_datum_t through its second argument, but tmp is nullptr here, so
    // the call has nowhere to store the state; as rendered here tmp is also
    // never handed to data — confirm against a GnuTLS build.
    gnutls_datum_t *tmp = nullptr;
    const auto rc = gnutls_session_get_data2(s.get(), tmp);
    if (rc != GNUTLS_E_SUCCESS) {
        debugs(83, 3, "session=" << (void*)s.get() << " error: " << Security::ErrorString(rc));
    }
#endif
    debugs(83, 5, "session=" << (void*)s.get() << " data=" << (void*)data.get());
}
/// Hands previously captured session state (data, see
/// MaybeGetSessionResumeData()) to the TLS library so session s can be
/// resumed from it. Library failures are logged at level 3 and otherwise
/// ignored. A nil data means there is nothing to resume from and is logged.
void
Security::SetSessionResumeData(const Security::SessionPointer &s, const Security::SessionStatePointer &data)
{
    if (!data) {
        debugs(83, 5, "session=" << (void*)s.get() << " no resume data");
        return;
    }

#if USE_OPENSSL
    if (!SSL_set_session(s.get(), data.get())) {
        const auto ssl_error = ERR_get_error();
        debugs(83, 3, "session=" << (void*)s.get() << " data=" << (void*)data.get() <<
               " resume error: " << Security::ErrorString(ssl_error));
    }
#elif USE_GNUTLS
    const auto rc = gnutls_session_set_data(s.get(), data->data, data->size);
    if (rc != GNUTLS_E_SUCCESS) {
        debugs(83, 3, "session=" << (void*)s.get() << " data=" << (void*)data.get() <<
               " resume error: " << Security::ErrorString(rc));
    }
#else
    // critical because, how did it get here?
    debugs(83, DBG_CRITICAL, "no TLS library. session=" << (void*)s.get() << " data=" << (void*)data.get());
#endif
    debugs(83, 5, "session=" << (void*)s.get() << " data=" << (void*)data.get());
}
/// Whether any configured listening port in HttpPortList either terminates
/// TLS itself (encryptTransport) or bumps TLS (tunnelSslBumping); only then
/// is a server-side session cache worth setting up.
static bool
isTlsServer()
{
    for (AnyP::PortCfgPointer port = HttpPortList; port != nullptr; port = port->next) {
        if (port->secure.encryptTransport || port->flags.tunnelSslBumping)
            return true;
    }
    return false;
}
/// Creates this worker's Ssl::SessionCache handle (when a cache is
/// configured) and installs Ssl::SetSessionCallbacks() on every port that
/// has a static TLS context. A zero-slot configuration, or a non-worker
/// process, leaves Ssl::SessionCache nil and installs nothing.
/// OpenSSL-only for now.
void
initializeSessionCache()
{
#if USE_OPENSSL
    // Check if the MemMap keys and data are enough big to hold
    // session ids and session data
    // NOTE(review): the comparisons read as "session sizes >= slot sizes",
    // the opposite of what the comment above describes; they can only hold
    // together with that comment if each pair of constants is equal — confirm
    // the intended direction.
    assert(SSL_SESSION_ID_SIZE >= MEMMAP_SLOT_KEY_SIZE);
    assert(SSL_SESSION_MAX_SIZE >= MEMMAP_SLOT_DATA_SIZE);

    // number of whole cache slots the configured byte size allows
    const int configuredItems = ::Config.SSL.sessionCacheSize / sizeof(Ipc::MemMap::Slot);
    const bool cacheWanted = IamWorkerProcess() && configuredItems;
    if (!cacheWanted) {
        Ssl::SessionCache = nullptr;
        return;
    }
    Ssl::SessionCache = new Ipc::MemMap(Ssl::SessionCacheName);

    for (AnyP::PortCfgPointer port = HttpPortList; port != nullptr; port = port->next) {
        if (port->secure.staticContext)
            Ssl::SetSessionCallbacks(port->secure.staticContext);
    }
#endif
}
/// Startup runner for the shared TLS session cache (Ssl::SessionCache):
/// create() sets up the shared memory segment backing the cache and
/// useConfig() initializes this process's cache once configuration is known.
class SharedSessionCacheRr: public Ipc::Mem::RegisteredRunner
{
public:
    /* RegisteredRunner API */
    SharedSessionCacheRr() = default;
    void useConfig() override;
    ~SharedSessionCacheRr() override;

protected:
    void create() override;

private:
    Ipc::MemMap::Owner *owner = nullptr; ///< segment created by create(), if any
};
/// registers SharedSessionCacheRr with the RegisteredRunner machinery so its hooks run at startup
RunnerRegistrationEntry(SharedSessionCacheRr);
/// RegisteredRunner hook: initializes the TLS session cache for this process
/// once configuration is available. Nothing is done when the cache already
/// exists or when no port acts as a TLS server. OpenSSL-only for now.
void
SharedSessionCacheRr::useConfig()
{
#if USE_OPENSSL // while Ssl:: bits in use
    // isTlsServer() is only consulted when no cache exists yet
    const bool needCache = !Ssl::SessionCache && isTlsServer();
    if (!needCache) //no need to configure ssl session cache.
        return;

    Ipc::Mem::RegisteredRunner::useConfig();
    initializeSessionCache();
#endif
}
/// RegisteredRunner hook: creates the shared memory segment for the session
/// cache, sized in whole slots from Config.SSL.sessionCacheSize, when some
/// port acts as a TLS server and the configured size yields at least one
/// slot. The created segment is remembered in owner.
void
SharedSessionCacheRr::create()
{
    if (!isTlsServer()) //no need to configure ssl session cache.
        return;

#if USE_OPENSSL // while Ssl:: bits in use
    const int items = Config.SSL.sessionCacheSize / sizeof(Ipc::MemMap::Slot);
    if (items)
        owner = Ipc::MemMap::Init(Ssl::SessionCacheName, items);
#endif
}
/// Deliberately releases nothing: Ssl::SessionCache is left allocated at exit.
/// NOTE(review): owner (set in create()) is not released here either — confirm
/// that is intended.
// XXX: Enable after testing to reduce at-exit memory "leaks".
// delete Ssl::SessionCache;
SharedSessionCacheRr::~SharedSessionCacheRr() = default;