| blob | 5bb0d16a31c8383e1d6d5367a01e8e03529789ed |
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 #include <list>
8 #include <map>
10 #include <openssl/rand.h>
11 #include <openssl/ssl.h>
23 // A helper class to lazily create a new EX_DATA index to map SSL_CTX handles
24 // to their corresponding SSLSessionCacheOpenSSLImpl object.
32 }
40 };
42 // static
44 LAZY_INSTANCE_INITIALIZER;
46 // Retrieve the global EX_DATA index, created lazily on first call, to
47 // be used with SSL_CTX_set_ex_data() and SSL_CTX_get_ex_data().
50 }
52 // Retrieve the global EX_DATA index, created lazily on first call, to
53 // be used with SSL_SESSION_set_ex_data() and SSL_SESSION_get_ex_data().
56 }
58 // Helper struct used to store session IDs in a SessionIdIndex container
59 // (see definition below). To save memory each entry only holds a pointer
60 // to the session ID buffer, which must outlive the entry itself. On the
61 // other hand, a hash is included to minimize the number of hashing
62 // computations during cache operations.
78 }
85 // Session ID are random strings of bytes. This happens to compute the same
86 // value as std::hash<std::string> without the extra string copy. See
87 // base/containers/hash_tables.h. Other hashing computations are possible,
88 // this one is just simple enough to do the job.
94 }
95 };
107 }
108 };
114 // Implementation of the real SSLSessionCache.
115 //
116 // The implementation is inspired by base::MRUCache, except that the deletor
117 // also needs to remove the entry from other containers. In a nutshell, this
118 // uses several basic containers:
119 //
120 // |ordering_| is a doubly-linked list of SSL_SESSION handles, ordered in
121 // MRU order.
122 //
123 // |key_index_| is a hash table mapping unique cache keys (e.g. host/port
124 // values) to a single iterator of |ordering_|. It is used to efficiently
125 // find the cached session associated with a given key.
126 //
127 // |id_index_| is a hash table mapping SessionId values to iterators
128 // of |key_index_|. If is used to efficiently remove sessions from the cache,
129 // as well as check for the existence of a session ID value in the cache.
130 //
131 // SSL_SESSION objects are reference-counted, and owned by the cache. This
132 // means that their reference count is incremented when they are added, and
133 // decremented when they are removed.
134 //
135 // Assuming an average key size of 100 characters, each node requires the
136 // following memory usage on 32-bit Android, when linked against STLport:
137 //
138 // 12 (ordering_ node, including SSL_SESSION handle)
139 // 100 (key characters)
140 // + 24 (std::string header/minimum size)
141 // + 8 (key_index_ node, excluding the 2 lines above for the key).
142 // + 20 (id_index_ node)
143 // --------
144 // 164 bytes/node
145 //
146 // Hence, 41 KiB for a full cache with a maximum of 1024 entries, excluding
147 // the size of SSL_SESSION objects and heap fragmentation.
148 //
152 // Construct new instance. This registers various hooks into the SSL_CTX
153 // context |ctx|. OpenSSL will call back during SSL connection
154 // operations. |key_func| is used to map a SSL handle to a unique cache
155 // string, according to the client's preferences.
161 // NO_INTERNAL_STORE disables OpenSSL's builtin cache, and
162 // NO_AUTO_CLEAR disables the call to SSL_CTX_flush_sessions
163 // every 256 connections (this number is hard-coded in the library
164 // and can't be changed).
166 SSL_SESS_CACHE_CLIENT |
167 SSL_SESS_CACHE_NO_INTERNAL_STORE |
168 SSL_SESS_CACHE_NO_AUTO_CLEAR);
176 }
178 // Destroy this instance. Must happen before |ctx_| is destroyed.
185 }
187 // Return the number of items in this cache.
190 // Retrieve the cache key from |ssl| and look for a corresponding
191 // cached session ID. If one is found, call SSL_set_session() to associate
192 // it with the |ssl| connection.
193 //
194 // Will also check for expired sessions every |expiration_check_count|
195 // calls.
196 //
197 // Return true if a cached session ID was found, false otherwise.
204 }
206 // Variant of SetSSLSession to be used when the client already has computed
207 // the cache key. Avoid a call to the configuration's |key_func| function.
216 }
232 // Move to front of MRU list.
238 }
240 // Return true iff a cached session was associated with the given |cache_key|.
254 }
257 // Add |ssl| to the SSLToCallbackMap.
260 }
262 // Determines if the session for |ssl| is in the cache, and calls the
263 // appropriate callback if that is the case.
264 //
265 // The session must be both MarkedAsGood and Added in order for the
266 // callback to be run. These two events can occur in either order.
271 // Increment the session's completion count.
276 }
277 }
285 // Mark the session as good, allowing it to be used for future connections.
290 }
292 // Flush all entries from the cache.
301 }
302 }
305 // CallbackAndCompletionCounts are used to group a callback that should be
306 // run when a certain sesssion is added to the session cache with an integer
307 // indicating the status of that session.
314 // |count| < 2 means that the ssl session associated with this object
315 // has not been added to the session cache or has not been marked as good.
316 // |count| is incremented when a session is added to the cache or marked as
317 // good, thus |count| == 2 means that the session is ready for use.
319 };
321 // Type for list of SSL_SESSION handles, ordered in MRU order.
323 // Type for a dictionary from unique cache keys to session list nodes.
325 // Type for a dictionary from SessionId values to key index nodes.
327 // Type for a map from SSL* to associated callbacks
330 // Return the key associated with a given session, or the empty string if
331 // none exist. This shall only be used for debugging.
344 }
346 // Remove a given |session| from the cache. Lock must be held.
356 }
368 }
370 // Used internally to flush expired sessions. Lock must be held.
374 // Unfortunately, OpenSSL initializes |session->time| with a time()
375 // timestamps, which makes mocking / unit testing difficult.
381 // Important, use <= instead of < here to allow unit testing to
382 // work properly. That's because unit tests that check the expiration
383 // behaviour will use a session timeout of 0 seconds.
388 }
389 }
390 }
392 // Retrieve the cache associated with a given SSL context |ctx|.
398 }
400 // Called by OpenSSL when a new |session| was created and added to a given
401 // |ssl| connection. Note that the session's reference count was already
402 // incremented before the function is entered. The function must return 1
403 // to indicate that it took ownership of the session, i.e. that the caller
404 // should not decrement its reference count after completion.
410 }
412 // Called by OpenSSL to indicate that a session must be removed from the
413 // cache. This happens when SSL_CTX is destroyed.
416 }
418 // Called by OpenSSL to generate a new session ID. This happens during a
419 // SSL connection operation, when the SSL object doesn't have a session yet.
420 //
421 // A session ID is a random string of bytes used to uniquely identify the
422 // session between a client and a server.
423 //
424 // |ssl| is a SSL connection handle. Ignored here.
425 // |id| is the target buffer where the ID must be generated.
426 // |*id_len| is, on input, the size of the desired ID. It will be 16 for
427 // SSLv2, and 32 for anything else. OpenSSL allows an implementation
428 // to change it on output, but this will not happen here.
429 //
430 // The function must ensure the generated ID is really unique, i.e. that
431 // another session in the cache doesn't already use the same value. It must
432 // return 1 to indicate success, or 0 for failure.
440 }
442 // Add |session| to the cache in association with |cache_key|. If a session
443 // already exists, it is replaced with the new one. This assumes that the
444 // caller already incremented the session's reference count.
453 // This is a new session. Add it to the cache.
461 // An existing session exists for this key, so replace it if needed.
468 }
472 }
481 }
483 // Shrink the cache to ensure no more than config_.max_entries entries,
484 // starting with older entries first. Lock must be acquired.
499 }
500 }
502 // Remove |session| from the cache.
507 }
509 // See GenerateSessionIdStatic for a description of what this function does.
512 // This mimics def_generate_session_id() in openssl/ssl/ssl_sess.cc,
513 // I.e. try to generate a pseudo-random bit string, and check that no
514 // other entry in the cache has the same value.
521 }
524 }
528 }
532 SSLToCallbackMap ssl_to_callback_map_;
534 // method to get the index which can later be used with SSL_CTX_get_ex_data()
535 // or SSL_CTX_set_ex_data().
538 MRUSessionList ordering_;
539 KeyIndex key_index_;
540 SessionIdIndex id_index_;
543 };
554 }
558 }
564 }
569 }
573 }
578 }
582 }