Commit b7d30053 authored by Joe Orton's avatar Joe Orton

Add support to mod_ssl for a distributed session cache using distcache.

* LAYOUT: Update for removal of scache_shmht and addition of scache_dc.

* modules/ssl/config.m4: Check for libdistcache; build ssl_scache_dc.lo.

* modules/ssl/mod_ssl.dsp: Build ssl_scache_dc (with luck).

* modules/ssl/mod_ssl.h: Add SSL_SCMODE_DC and scache_dc_* prototypes.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Allow
use of dc: argument.

* modules/ssl/ssl_scache_dc.c: New file.

* modules/ssl/ssl_scache.c (ssl_scache_init, ssl_scache_kill,
ssl_scache_store, ssl_scache_retrieve, ssl_scache_remove,
ssl_ext_status_hook): Hook into scache_dc.

Submitted by: Geoff Thorpe <geoff@geoffthorpe.net>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102227 13f79535-47bb-0310-9956-ffa450edef68
parent e6f6109d
+75 −0
@@ -46,6 +46,79 @@ dnl ## OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
dnl ## SUCH DAMAGE.
dnl ## ====================================================================

AC_DEFUN([CHECK_DISTCACHE], [
  AC_MSG_CHECKING(whether Distcache is required)
  ap_ssltk_dc="no"
  tmp_nomessage=""
  tmp_forced="no"
  AC_ARG_ENABLE(distcache,
    APACHE_HELP_STRING(--enable-distcache,Select distcache support in mod_ssl),
    ap_ssltk_dc="$enableval"
    tmp_nomessage=""
    tmp_forced="yes"
    if test "x$ap_ssltk_dc" = "x"; then
      ap_ssltk_dc="yes"
      dnl our "error"s become "tests revealed that..."
      tmp_forced="no"
    fi
    if test "$ap_ssltk_dc" != "yes" -a "$ap_ssltk_dc" != "no"; then
      tmp_nomessage="--enable-distcache had illegal syntax - disabling"
      ap_ssltk_dc="no"
    fi)
  if test "$tmp_forced" = "no"; then
    AC_MSG_RESULT($ap_ssltk_dc (default))
  else
    AC_MSG_RESULT($ap_ssltk_dc (specified))
  fi
  if test "$tmp_forced" = "yes" -a "x$ap_ssltk_dc" = "xno" -a "x$tmp_nomessage" != "x"; then
    AC_MSG_ERROR(distcache support failed: $tmp_nomessage)
  fi
  if test "$ap_ssltk_dc" = "yes"; then
    AC_CHECK_HEADER(
      [distcache/dc_client.h],
      [],
      [tmp_nomessage="can't include distcache headers"
      ap_ssltk_dc="no"])
    if test "$tmp_forced" = "yes" -a "x$ap_ssltk_dc" = "xno"; then
      AC_MSG_ERROR(distcache support failed: $tmp_nomessage)
    fi
  fi
  if test "$ap_ssltk_dc" = "yes"; then
    AC_MSG_CHECKING(for Distcache version)
    AC_TRY_COMPILE(
[#include <distcache/dc_client.h>],
[#if DISTCACHE_CLIENT_API != 0x0001
#error "distcache API version is unrecognised"
#endif],
[],
[tmp_nomessage="distcache has an unsupported API version"
ap_ssltk_dc="no"])
    AC_MSG_RESULT($ap_ssltk_dc)
    if test "$tmp_forced" = "yes" -a "x$ap_ssltk_dc" = "xno"; then
      AC_MSG_ERROR(distcache support failed: $tmp_nomessage)
    fi
  fi
  if test "$ap_ssltk_dc" = "yes"; then
    AC_MSG_CHECKING(for Distcache libraries)
    save_libs=$LIBS
    LIBS="$LIBS -ldistcache -lnal"
    AC_TRY_LINK(
      [#include <distcache/dc_client.h>],
      [DC_CTX *foo = DC_CTX_new((const char *)0,0);],
      [],
      [tmp_no_message="failed to link with distcache libraries"
      ap_ssltk_dc="no"])
    LIBS=$save_libs
    AC_MSG_RESULT($ap_ssltk_dc)
    if test "$tmp_forced" = "yes" -a "x$ap_ssltk_dc" = "xno"; then
      AC_MSG_ERROR(distcache support failed: $tmp_nomessage)
    else
      APR_ADDTO(LIBS,[-ldistcache -lnal])
      AC_DEFINE(HAVE_DISTCACHE, 1, [Define if distcache support is enabled])
    fi
  fi
])

dnl #  start of module specific part
APACHE_MODPATH_INIT(ssl)

@@ -69,12 +142,14 @@ ssl_expr_scan.lo dnl
ssl_scache.lo dnl
ssl_scache_dbm.lo dnl
ssl_scache_shmcb.lo dnl
ssl_scache_dc.lo dnl
ssl_util.lo dnl
ssl_util_ssl.lo dnl
"
dnl #  hook module into the Autoconf mechanism (--enable-ssl option)
APACHE_MODULE(ssl, [SSL/TLS support (mod_ssl)], $ssl_objs, , no, [
    APACHE_CHECK_SSL_TOOLKIT
    CHECK_DISTCACHE
])

dnl #  end of module specific part
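Review bot: In the AC_TRY_LINK failure action of CHECK_DISTCACHE the reason is stored in `tmp_no_message`, while every AC_MSG_ERROR reads `$tmp_nomessage`, so a failed link under an explicit --enable-distcache aborts with an empty reason; the assignment should read `tmp_nomessage="failed to link with distcache libraries"`. The `else` after that check also runs when the link test failed in the non-forced case, so `-ldistcache -lnal` is appended to LIBS and HAVE_DISTCACHE is defined without a usable library; `elif test "$ap_ssltk_dc" = "yes"; then` would restrict it to the success path. Because ssl_scache_dc.lo is added to the object list unconditionally, a `dnl` comment above the macro stating that it defines HAVE_DISTCACHE and extends LIBS would help the next reader.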
+4 −0
@@ -164,6 +164,10 @@ SOURCE=.\ssl_scache_shmcb.c
# End Source File
# Begin Source File

SOURCE=.\ssl_scache_dc.c
# End Source File
# Begin Source File

SOURCE=.\ssl_util.c
# End Source File
# Begin Source File
+11 −2
@@ -306,7 +306,8 @@ typedef enum {
    SSL_SCMODE_UNSET = UNSET,
    SSL_SCMODE_NONE  = 0,
    SSL_SCMODE_DBM   = 1,
    SSL_SCMODE_SHMCB = 3
    SSL_SCMODE_SHMCB = 3,
    SSL_SCMODE_DC    = 4
} ssl_scmode_t;

/*
@@ -602,7 +603,15 @@ void ssl_scache_shmcb_remove(server_rec *, UCHAR *, int);
void         ssl_scache_shmcb_expire(server_rec *);
void         ssl_scache_shmcb_status(request_rec *r, int flags, apr_pool_t *pool);

/*  Pass Phrase Support  */
void         ssl_scache_dc_init(server_rec *, apr_pool_t *);
void         ssl_scache_dc_kill(server_rec *);
BOOL         ssl_scache_dc_store(server_rec *, UCHAR *, int, time_t, SSL_SESSION *);
SSL_SESSION *ssl_scache_dc_retrieve(server_rec *, UCHAR *, int);
void         ssl_scache_dc_remove(server_rec *, UCHAR *, int);
void         ssl_scache_dc_expire(server_rec *);
void         ssl_scache_dc_status(request_rec *r, int flags, apr_pool_t *pool);

/*  PASS Phrase Support  */
void         ssl_pphrase_Handle(server_rec *, apr_pool_t *);

/*  Diffie-Hellman Parameter Support  */
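Review bot: The seven ssl_scache_dc_* prototypes are added without a section comment, and the comment after them reads `/*  PASS Phrase Support  */` where the copy before them reads `/*  Pass Phrase Support  */`. The page does not mark old and new sides, so this is inferred, but the capitalisation change looks unintended. I would keep the original wording and head the new group with something like `/*  Session Cache Support (distcache)  */`. The callers in ssl_scache.c are wrapped in HAVE_DISTCACHE, so the header should also state whether these functions are defined in builds without that macro; ssl_scache_dc.c is not shown on this page.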
+13 −0
@@ -1051,6 +1051,19 @@ const char *ssl_cmd_SSLSessionCache(cmd_parms *cmd,
            }
        }
    }
    else if ((arglen > 3) && strcEQn(arg, "dc:", 3)) {
#ifdef HAVE_DISTCACHE
        mc->nSessionCacheMode      = SSL_SCMODE_DC;
        mc->szSessionCacheDataFile = apr_pstrdup(mc->pPool, arg+3);
        if (!mc->szSessionCacheDataFile) {
            return apr_pstrcat(cmd->pool, 
                               "SSLSessionCache: Invalid cache file path: ",
                               arg+3, NULL);
        }
#else
        return "SSLSessionCache: distcache support disabled";
#endif
    }
    else {
        return "SSLSessionCache: Invalid argument";
    }
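Review bot: The `if (!mc->szSessionCacheDataFile)` check in the new `dc:` branch cannot fire, because `arglen > 3` guarantees `arg+3` is a non-NULL string and apr_pstrdup() returns NULL only for a NULL input, so the value is accepted with no validation at all. The message also calls it a "cache file path", while for this mode the value is presumably the address of the distcache service that session state is sent to. I would drop the dead check, or replace it with a real syntax check of the address, and add a comment such as `/* arg+3 is the distcache target address; it is not validated here */`. The function starts and ends outside this hunk.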
+24 −0
@@ -88,6 +88,10 @@ void ssl_scache_init(server_rec *s, apr_pool_t *p)

    if (mc->nSessionCacheMode == SSL_SCMODE_DBM)
        ssl_scache_dbm_init(s, p);
#ifdef HAVE_DISTCACHE
    else if (mc->nSessionCacheMode == SSL_SCMODE_DC)
        ssl_scache_dc_init(s, p);
#endif
    else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB) {
        void *data;
        const char *userdata_key = "ssl_scache_init";
@@ -110,6 +114,10 @@ void ssl_scache_kill(server_rec *s)
        ssl_scache_dbm_kill(s);
    else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
        ssl_scache_shmcb_kill(s);
#ifdef HAVE_DISTCACHE
    else if (mc->nSessionCacheMode == SSL_SCMODE_DC)
        ssl_scache_dc_kill(s);
#endif
    return;
}

@@ -122,6 +130,10 @@ BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SSL_SE
        rv = ssl_scache_dbm_store(s, id, idlen, expiry, sess);
    else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
        rv = ssl_scache_shmcb_store(s, id, idlen, expiry, sess);
#ifdef HAVE_DISTCACHE
    else if (mc->nSessionCacheMode == SSL_SCMODE_DC)
        rv = ssl_scache_dc_store(s, id, idlen, expiry, sess);
#endif
    return rv;
}

@@ -134,6 +146,10 @@ SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen)
        sess = ssl_scache_dbm_retrieve(s, id, idlen);
    else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
        sess = ssl_scache_shmcb_retrieve(s, id, idlen);
#ifdef HAVE_DISTCACHE
    else if (mc->nSessionCacheMode == SSL_SCMODE_DC)
        sess = ssl_scache_dc_retrieve(s, id, idlen);
#endif
    return sess;
}

@@ -145,6 +161,10 @@ void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen)
        ssl_scache_dbm_remove(s, id, idlen);
    else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
        ssl_scache_shmcb_remove(s, id, idlen);
#ifdef HAVE_DISTCACHE
    else if (mc->nSessionCacheMode == SSL_SCMODE_DC)
        ssl_scache_dc_remove(s, id, idlen);
#endif
    return;
}

@@ -182,6 +202,10 @@ static int ssl_ext_status_hook(request_rec *r, int flags)
        ssl_scache_dbm_status(r, flags, r->pool);
    else if (sc->mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
        ssl_scache_shmcb_status(r, flags, r->pool);
#ifdef HAVE_DISTCACHE
    else if (sc->mc->nSessionCacheMode == SSL_SCMODE_DC)
        ssl_scache_dc_status(r, flags, r->pool);
#endif
    
    ap_rputs("</td></tr>\n", r);
    ap_rputs("</table>\n", r);
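Review bot: None of the dispatchers patched here calls ssl_scache_dc_expire(), although this commit declares it in mod_ssl.h next to the dbm and shmcb expire functions; no ssl_scache_expire hunk is visible, so whether such a dispatcher exists is not clear from this page. If expiry is left to the distcache server, say so where the mode is dispatched, e.g. `/* SSL_SCMODE_DC: expiry is handled by the distcache server */` (to be confirmed against ssl_scache_dc.c). Separately, in ssl_scache_init the new branch calls ssl_scache_dc_init() directly like the DBM branch, while the SHMCB branch below it sets up an `ssl_scache_init` userdata key; a comment on whether the distcache context may be created on every init pass would help. All six function bodies start outside their hunks.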