// Copyright 2013 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/socket/ssl_session_cache_openssl.h" #include #include #include #include #include "base/containers/hash_tables.h" #include "base/lazy_instance.h" #include "base/logging.h" #include "base/synchronization/lock.h" namespace net { namespace { // A helper class to lazily create a new EX_DATA index to map SSL_CTX handles // to their corresponding SSLSessionCacheOpenSSLImpl object. class SSLContextExIndex { public: SSLContextExIndex() { context_index_ = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); DCHECK_NE(-1, context_index_); session_index_ = SSL_SESSION_get_ex_new_index(0, NULL, NULL, NULL, NULL); DCHECK_NE(-1, session_index_); } int context_index() const { return context_index_; } int session_index() const { return session_index_; } private: int context_index_; int session_index_; }; // static base::LazyInstance::Leaky s_ssl_context_ex_instance = LAZY_INSTANCE_INITIALIZER; // Retrieve the global EX_DATA index, created lazily on first call, to // be used with SSL_CTX_set_ex_data() and SSL_CTX_get_ex_data(). static int GetSSLContextExIndex() { return s_ssl_context_ex_instance.Get().context_index(); } // Retrieve the global EX_DATA index, created lazily on first call, to // be used with SSL_SESSION_set_ex_data() and SSL_SESSION_get_ex_data(). static int GetSSLSessionExIndex() { return s_ssl_context_ex_instance.Get().session_index(); } // Helper struct used to store session IDs in a SessionIdIndex container // (see definition below). To save memory each entry only holds a pointer // to the session ID buffer, which must outlive the entry itself. On the // other hand, a hash is included to minimize the number of hashing // computations during cache operations. struct SessionId { SessionId(const unsigned char* a_id, unsigned a_id_len) : id(a_id), id_len(a_id_len), hash(ComputeHash(a_id, a_id_len)) {} explicit SessionId(const SessionId& other) : id(other.id), id_len(other.id_len), hash(other.hash) {} explicit SessionId(SSL_SESSION* session) : id(session->session_id), id_len(session->session_id_length), hash(ComputeHash(session->session_id, session->session_id_length)) {} bool operator==(const SessionId& other) const { return hash == other.hash && id_len == other.id_len && !memcmp(id, other.id, id_len); } const unsigned char* id; unsigned id_len; size_t hash; private: // Session ID are random strings of bytes. This happens to compute the same // value as std::hash without the extra string copy. See // base/containers/hash_tables.h. Other hashing computations are possible, // this one is just simple enough to do the job. size_t ComputeHash(const unsigned char* id, unsigned id_len) { size_t result = 0; for (unsigned n = 0; n < id_len; ++n) result += 131 * id[n]; return result; } }; } // namespace } // namespace net namespace BASE_HASH_NAMESPACE { template <> struct hash { std::size_t operator()(const net::SessionId& entry) const { return entry.hash; } }; } // namespace BASE_HASH_NAMESPACE namespace net { // Implementation of the real SSLSessionCache. // // The implementation is inspired by base::MRUCache, except that the deletor // also needs to remove the entry from other containers. In a nutshell, this // uses several basic containers: // // |ordering_| is a doubly-linked list of SSL_SESSION handles, ordered in // MRU order. // // |key_index_| is a hash table mapping unique cache keys (e.g. host/port // values) to a single iterator of |ordering_|. It is used to efficiently // find the cached session associated with a given key. // // |id_index_| is a hash table mapping SessionId values to iterators // of |key_index_|. If is used to efficiently remove sessions from the cache, // as well as check for the existence of a session ID value in the cache. // // SSL_SESSION objects are reference-counted, and owned by the cache. This // means that their reference count is incremented when they are added, and // decremented when they are removed. // // Assuming an average key size of 100 characters, each node requires the // following memory usage on 32-bit Android, when linked against STLport: // // 12 (ordering_ node, including SSL_SESSION handle) // 100 (key characters) // + 24 (std::string header/minimum size) // + 8 (key_index_ node, excluding the 2 lines above for the key). // + 20 (id_index_ node) // -------- // 164 bytes/node // // Hence, 41 KiB for a full cache with a maximum of 1024 entries, excluding // the size of SSL_SESSION objects and heap fragmentation. // class SSLSessionCacheOpenSSLImpl { public: // Construct new instance. This registers various hooks into the SSL_CTX // context |ctx|. OpenSSL will call back during SSL connection // operations. |key_func| is used to map a SSL handle to a unique cache // string, according to the client's preferences. SSLSessionCacheOpenSSLImpl(SSL_CTX* ctx, const SSLSessionCacheOpenSSL::Config& config) : ctx_(ctx), config_(config), expiration_check_(0) { DCHECK(ctx); // NO_INTERNAL_STORE disables OpenSSL's builtin cache, and // NO_AUTO_CLEAR disables the call to SSL_CTX_flush_sessions // every 256 connections (this number is hard-coded in the library // and can't be changed). SSL_CTX_set_session_cache_mode(ctx_, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE | SSL_SESS_CACHE_NO_AUTO_CLEAR); SSL_CTX_sess_set_new_cb(ctx_, NewSessionCallbackStatic); SSL_CTX_sess_set_remove_cb(ctx_, RemoveSessionCallbackStatic); SSL_CTX_set_generate_session_id(ctx_, GenerateSessionIdStatic); SSL_CTX_set_timeout(ctx_, config_.timeout_seconds); SSL_CTX_set_ex_data(ctx_, GetSSLContextExIndex(), this); } // Destroy this instance. Must happen before |ctx_| is destroyed. ~SSLSessionCacheOpenSSLImpl() { Flush(); SSL_CTX_set_ex_data(ctx_, GetSSLContextExIndex(), NULL); SSL_CTX_sess_set_new_cb(ctx_, NULL); SSL_CTX_sess_set_remove_cb(ctx_, NULL); SSL_CTX_set_generate_session_id(ctx_, NULL); } // Return the number of items in this cache. size_t size() const { return key_index_.size(); } // Retrieve the cache key from |ssl| and look for a corresponding // cached session ID. If one is found, call SSL_set_session() to associate // it with the |ssl| connection. // // Will also check for expired sessions every |expiration_check_count| // calls. // // Return true if a cached session ID was found, false otherwise. bool SetSSLSession(SSL* ssl) { std::string cache_key = config_.key_func(ssl); if (cache_key.empty()) return false; return SetSSLSessionWithKey(ssl, cache_key); } // Variant of SetSSLSession to be used when the client already has computed // the cache key. Avoid a call to the configuration's |key_func| function. bool SetSSLSessionWithKey(SSL* ssl, const std::string& cache_key) { base::AutoLock locked(lock_); DCHECK_EQ(config_.key_func(ssl), cache_key); if (++expiration_check_ >= config_.expiration_check_count) { expiration_check_ = 0; FlushExpiredSessionsLocked(); } KeyIndex::iterator it = key_index_.find(cache_key); if (it == key_index_.end()) return false; SSL_SESSION* session = *it->second; DCHECK(session); DVLOG(2) << "Lookup session: " << session << " for " << cache_key; void* session_is_good = SSL_SESSION_get_ex_data(session, GetSSLSessionExIndex()); if (!session_is_good) return false; // Session has not yet been marked good. Treat as a miss. // Move to front of MRU list. ordering_.push_front(session); ordering_.erase(it->second); it->second = ordering_.begin(); return SSL_set_session(ssl, session) == 1; } void MarkSSLSessionAsGood(SSL* ssl) { SSL_SESSION* session = SSL_get_session(ssl); if (!session) return; // Mark the session as good, allowing it to be used for future connections. SSL_SESSION_set_ex_data( session, GetSSLSessionExIndex(), reinterpret_cast(1)); } // Flush all entries from the cache. void Flush() { base::AutoLock lock(lock_); id_index_.clear(); key_index_.clear(); while (!ordering_.empty()) { SSL_SESSION* session = ordering_.front(); ordering_.pop_front(); SSL_SESSION_free(session); } } private: // Type for list of SSL_SESSION handles, ordered in MRU order. typedef std::list MRUSessionList; // Type for a dictionary from unique cache keys to session list nodes. typedef base::hash_map KeyIndex; // Type for a dictionary from SessionId values to key index nodes. typedef base::hash_map SessionIdIndex; // Return the key associated with a given session, or the empty string if // none exist. This shall only be used for debugging. std::string SessionKey(SSL_SESSION* session) { if (!session) return std::string(""); if (session->session_id_length == 0) return std::string(""); SessionIdIndex::iterator it = id_index_.find(SessionId(session)); if (it == id_index_.end()) return std::string(""); return it->second->first; } // Remove a given |session| from the cache. Lock must be held. void RemoveSessionLocked(SSL_SESSION* session) { lock_.AssertAcquired(); DCHECK(session); DCHECK_GT(session->session_id_length, 0U); SessionId session_id(session); SessionIdIndex::iterator id_it = id_index_.find(session_id); if (id_it == id_index_.end()) { LOG(ERROR) << "Trying to remove unknown session from cache: " << session; return; } KeyIndex::iterator key_it = id_it->second; DCHECK(key_it != key_index_.end()); DCHECK_EQ(session, *key_it->second); id_index_.erase(session_id); ordering_.erase(key_it->second); key_index_.erase(key_it); SSL_SESSION_free(session); DCHECK_EQ(key_index_.size(), id_index_.size()); } // Used internally to flush expired sessions. Lock must be held. void FlushExpiredSessionsLocked() { lock_.AssertAcquired(); // Unfortunately, OpenSSL initializes |session->time| with a time() // timestamps, which makes mocking / unit testing difficult. long timeout_secs = static_cast(::time(NULL)); MRUSessionList::iterator it = ordering_.begin(); while (it != ordering_.end()) { SSL_SESSION* session = *it++; // Important, use <= instead of < here to allow unit testing to // work properly. That's because unit tests that check the expiration // behaviour will use a session timeout of 0 seconds. if (session->time + session->timeout <= timeout_secs) { DVLOG(2) << "Expiring session " << session << " for " << SessionKey(session); RemoveSessionLocked(session); } } } // Retrieve the cache associated with a given SSL context |ctx|. static SSLSessionCacheOpenSSLImpl* GetCache(SSL_CTX* ctx) { DCHECK(ctx); void* result = SSL_CTX_get_ex_data(ctx, GetSSLContextExIndex()); DCHECK(result); return reinterpret_cast(result); } // Called by OpenSSL when a new |session| was created and added to a given // |ssl| connection. Note that the session's reference count was already // incremented before the function is entered. The function must return 1 // to indicate that it took ownership of the session, i.e. that the caller // should not decrement its reference count after completion. static int NewSessionCallbackStatic(SSL* ssl, SSL_SESSION* session) { GetCache(ssl->ctx)->OnSessionAdded(ssl, session); return 1; } // Called by OpenSSL to indicate that a session must be removed from the // cache. This happens when SSL_CTX is destroyed. static void RemoveSessionCallbackStatic(SSL_CTX* ctx, SSL_SESSION* session) { GetCache(ctx)->OnSessionRemoved(session); } // Called by OpenSSL to generate a new session ID. This happens during a // SSL connection operation, when the SSL object doesn't have a session yet. // // A session ID is a random string of bytes used to uniquely identify the // session between a client and a server. // // |ssl| is a SSL connection handle. Ignored here. // |id| is the target buffer where the ID must be generated. // |*id_len| is, on input, the size of the desired ID. It will be 16 for // SSLv2, and 32 for anything else. OpenSSL allows an implementation // to change it on output, but this will not happen here. // // The function must ensure the generated ID is really unique, i.e. that // another session in the cache doesn't already use the same value. It must // return 1 to indicate success, or 0 for failure. static int GenerateSessionIdStatic(const SSL* ssl, unsigned char* id, unsigned* id_len) { if (!GetCache(ssl->ctx)->OnGenerateSessionId(id, *id_len)) return 0; return 1; } // Add |session| to the cache in association with |cache_key|. If a session // already exists, it is replaced with the new one. This assumes that the // caller already incremented the session's reference count. void OnSessionAdded(SSL* ssl, SSL_SESSION* session) { base::AutoLock locked(lock_); DCHECK(ssl); DCHECK_GT(session->session_id_length, 0U); std::string cache_key = config_.key_func(ssl); KeyIndex::iterator it = key_index_.find(cache_key); if (it == key_index_.end()) { DVLOG(2) << "Add session " << session << " for " << cache_key; // This is a new session. Add it to the cache. ordering_.push_front(session); std::pair ret = key_index_.insert(std::make_pair(cache_key, ordering_.begin())); DCHECK(ret.second); it = ret.first; DCHECK(it != key_index_.end()); } else { // An existing session exists for this key, so replace it if needed. DVLOG(2) << "Replace session " << *it->second << " with " << session << " for " << cache_key; SSL_SESSION* old_session = *it->second; if (old_session != session) { id_index_.erase(SessionId(old_session)); SSL_SESSION_free(old_session); } ordering_.erase(it->second); ordering_.push_front(session); it->second = ordering_.begin(); } id_index_[SessionId(session)] = it; if (key_index_.size() > config_.max_entries) ShrinkCacheLocked(); DCHECK_EQ(key_index_.size(), id_index_.size()); DCHECK_LE(key_index_.size(), config_.max_entries); } // Shrink the cache to ensure no more than config_.max_entries entries, // starting with older entries first. Lock must be acquired. void ShrinkCacheLocked() { lock_.AssertAcquired(); DCHECK_EQ(key_index_.size(), ordering_.size()); DCHECK_EQ(key_index_.size(), id_index_.size()); while (key_index_.size() > config_.max_entries) { MRUSessionList::reverse_iterator it = ordering_.rbegin(); DCHECK(it != ordering_.rend()); SSL_SESSION* session = *it; DCHECK(session); DVLOG(2) << "Evicting session " << session << " for " << SessionKey(session); RemoveSessionLocked(session); } } // Remove |session| from the cache. void OnSessionRemoved(SSL_SESSION* session) { base::AutoLock locked(lock_); DVLOG(2) << "Remove session " << session << " for " << SessionKey(session); RemoveSessionLocked(session); } // See GenerateSessionIdStatic for a description of what this function does. bool OnGenerateSessionId(unsigned char* id, unsigned id_len) { base::AutoLock locked(lock_); // This mimics def_generate_session_id() in openssl/ssl/ssl_sess.cc, // I.e. try to generate a pseudo-random bit string, and check that no // other entry in the cache has the same value. const size_t kMaxTries = 10; for (size_t tries = 0; tries < kMaxTries; ++tries) { if (RAND_pseudo_bytes(id, id_len) <= 0) { DLOG(ERROR) << "Couldn't generate " << id_len << " pseudo random bytes?"; return false; } if (id_index_.find(SessionId(id, id_len)) == id_index_.end()) return true; } DLOG(ERROR) << "Couldn't generate unique session ID of " << id_len << "bytes after " << kMaxTries << " tries."; return false; } SSL_CTX* ctx_; SSLSessionCacheOpenSSL::Config config_; // method to get the index which can later be used with SSL_CTX_get_ex_data() // or SSL_CTX_set_ex_data(). base::Lock lock_; // Protects access to containers below. MRUSessionList ordering_; KeyIndex key_index_; SessionIdIndex id_index_; size_t expiration_check_; }; SSLSessionCacheOpenSSL::~SSLSessionCacheOpenSSL() { delete impl_; } size_t SSLSessionCacheOpenSSL::size() const { return impl_->size(); } void SSLSessionCacheOpenSSL::Reset(SSL_CTX* ctx, const Config& config) { if (impl_) delete impl_; impl_ = new SSLSessionCacheOpenSSLImpl(ctx, config); } bool SSLSessionCacheOpenSSL::SetSSLSession(SSL* ssl) { return impl_->SetSSLSession(ssl); } bool SSLSessionCacheOpenSSL::SetSSLSessionWithKey( SSL* ssl, const std::string& cache_key) { return impl_->SetSSLSessionWithKey(ssl, cache_key); } void SSLSessionCacheOpenSSL::MarkSSLSessionAsGood(SSL* ssl) { return impl_->MarkSSLSessionAsGood(ssl); } void SSLSessionCacheOpenSSL::Flush() { impl_->Flush(); } } // namespace net