1 #ifndef HEADER_CURL_VTLS_SCACHE_H 2 #define HEADER_CURL_VTLS_SCACHE_H 3 /*************************************************************************** 4 * _ _ ____ _ 5 * Project ___| | | | _ \| | 6 * / __| | | | |_) | | 7 * | (__| |_| | _ <| |___ 8 * \___|\___/|_| \_\_____| 9 * 10 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 11 * 12 * This software is licensed as described in the file COPYING, which 13 * you should have received as part of this distribution. The terms 14 * are also available at https://curl.se/docs/copyright.html. 15 * 16 * You may opt to use, copy, modify, merge, publish, distribute and/or sell 17 * copies of the Software, and permit persons to whom the Software is 18 * furnished to do so, under the terms of the COPYING file. 19 * 20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 21 * KIND, either express or implied. 22 * 23 * SPDX-License-Identifier: curl 24 * 25 ***************************************************************************/ 26 #include "curl_setup.h" 27 #include "cfilters.h" 28 #include "urldata.h" 29 30 #ifdef USE_SSL 31 32 struct Curl_cfilter; 33 struct Curl_easy; 34 struct Curl_ssl_scache; 35 struct Curl_ssl_session; 36 struct ssl_peer; 37 38 /* RFC 8446 (TLSv1.3) restrict lifetime to one week max, for 39 * other, less secure versions, we restrict it to a day */ 40 #define CURL_SCACHE_MAX_13_LIFETIME_SEC (60*60*24*7) 41 #define CURL_SCACHE_MAX_12_LIFETIME_SEC (60*60*24) 42 43 /* Create a session cache for up to max_peers endpoints with a total 44 * of up to max_sessions SSL sessions per peer */ 45 CURLcode Curl_ssl_scache_create(size_t max_peers, 46 size_t max_sessions_per_peer, 47 struct Curl_ssl_scache **pscache); 48 49 void Curl_ssl_scache_destroy(struct Curl_ssl_scache *scache); 50 51 /* Create a key from peer and TLS configuration information that is 52 * unique for how the connection filter wants to establish a TLS 53 * connection to the peer. 54 * If the filter is a TLS proxy filter, it will use the proxy relevant 55 * information. 56 * @param cf the connection filter wanting to use it 57 * @param peer the peer the filter wants to talk to 58 * @param tls_id identifier of TLS implementation for sessions. Should 59 * include full version if session data from other versions 60 * is to be avoided. 61 * @param ppeer_key on successful return, the key generated 62 */ 63 CURLcode Curl_ssl_peer_key_make(struct Curl_cfilter *cf, 64 const struct ssl_peer *peer, 65 const char *tls_id, 66 char **ppeer_key); 67 68 /* Lock session cache mutex. 69 * Call this before calling other Curl_ssl_*session* functions 70 * Caller should unlock this mutex as soon as possible, as it may block 71 * other SSL connection from making progress. 72 * The purpose of explicitly locking SSL session cache data is to allow 73 * individual SSL engines to manage session lifetime in their specific way. 74 */ 75 void Curl_ssl_scache_lock(struct Curl_easy *data); 76 77 /* Unlock session cache mutex */ 78 void Curl_ssl_scache_unlock(struct Curl_easy *data); 79 80 /* Get TLS session object from the cache for the ssl_peer_ey. 81 * scache mutex must be locked (see Curl_ssl_scache_lock). 82 * Caller must make sure that the ownership of returned session object 83 * is properly taken (e.g. its refcount is incremented 84 * under scache mutex). 85 * @param cf the connection filter wanting to use it 86 * @param data the transfer involved 87 * @param ssl_peer_key the key for lookup 88 * @param sobj on return, the object for the peer key or NULL 89 */ 90 bool Curl_ssl_scache_get_obj(struct Curl_cfilter *cf, 91 struct Curl_easy *data, 92 const char *ssl_peer_key, 93 void **sobj); 94 95 typedef void Curl_ssl_scache_obj_dtor(void *sobj); 96 97 /* Add a TLS session related object to the cache. 98 * Replaces an existing object with the same peer_key. 99 * scache mutex must be locked (see Curl_ssl_scache_lock). 100 * Call takes ownership of `sobj`, using `sobj_dtor_cb` 101 * to deallocate it. Is called in all outcomes, either right away or 102 * later when the session cache is cleaned up. 103 * Caller must ensure that it has properly shared ownership of `sobj` 104 * with cache (e.g. incrementing refcount on success) 105 * @param cf the connection filter wanting to use it 106 * @param data the transfer involved 107 * @param ssl_peer_key the key for lookup 108 * @param sobj the TLS session object 109 * @param sobj_free_cb callback to free the session objectt 110 */ 111 CURLcode Curl_ssl_scache_add_obj(struct Curl_cfilter *cf, 112 struct Curl_easy *data, 113 const char *ssl_peer_key, 114 void *sobj, 115 Curl_ssl_scache_obj_dtor *sobj_dtor_cb); 116 117 /* All about a SSL session ticket */ 118 struct Curl_ssl_session { 119 const unsigned char *sdata; /* session ticket data, plain bytes */ 120 size_t sdata_len; /* number of bytes in sdata */ 121 curl_off_t time_received; /* seconds since EPOCH ticket was received */ 122 int lifetime_secs; /* ticket lifetime (-1 unknown) */ 123 int ietf_tls_id; /* TLS protocol identifier negotiated */ 124 char *alpn; /* APLN TLS negotiated protocol string */ 125 struct Curl_llist_node list; /* internal storage handling */ 126 }; 127 128 /* Create a `session` instance. Does NOT need locking. 129 * Takes ownership of `sdata` and `sobj` regardless of return code. 130 * @param sdata bytes of SSL session data or NULL (sobj then required) 131 * @param sdata_len amount of session data bytes 132 * @param ietf_tls_id IETF protocol version, e.g. 0x304 for TLSv1.3 133 * @param alpn ALPN protocol selected or NULL 134 * @param time_received seconds since EPOCH session was received, pass 0 135 * to have the value set to time of call 136 * @param lifetime_secs seconds of announced lifetime, <0 if unknown. 137 * values longer than 1 week will be capped as 138 * required by RFC 8446 139 * @param psession on return the scached session instance created 140 */ 141 CURLcode 142 Curl_ssl_session_create(unsigned char *sdata, size_t sdata_len, 143 int ietf_tls_id, const char *alpn, 144 curl_off_t time_received, long lifetime_secs, 145 struct Curl_ssl_session **psession); 146 147 /* Destroy a `session` instance. Can be called with NULL. 148 * Does NOT need locking. */ 149 void Curl_ssl_session_destroy(struct Curl_ssl_session *s); 150 151 /* Put the scache session into the cache. Does NOT need locking. 152 * Call takes ownership of `s` in all outcomes. 153 * @param cf the connection filter wanting to use it 154 * @param data the transfer involved 155 * @param ssl_peer_key the key for lookup 156 * @param s the scache session object 157 */ 158 CURLcode Curl_ssl_scache_put(struct Curl_cfilter *cf, 159 struct Curl_easy *data, 160 const char *ssl_peer_key, 161 struct Curl_ssl_session *s); 162 163 /* Take a matching scache session from the cache. Does NOT need locking. 164 * @param cf the connection filter wanting to use it 165 * @param data the transfer involved 166 * @param ssl_peer_key the key for lookup 167 * @param s on return, the scache session object or NULL 168 */ 169 CURLcode Curl_ssl_scache_take(struct Curl_cfilter *cf, 170 struct Curl_easy *data, 171 const char *ssl_peer_key, 172 struct Curl_ssl_session **ps); 173 174 /* Return a taken scache session to the cache. Does NOT need locking. 175 * Depending on TLS version and other criteria, it may cache it again 176 * or destroy it. Maybe called with a NULL session. 177 */ 178 void Curl_ssl_scache_return(struct Curl_cfilter *cf, 179 struct Curl_easy *data, 180 const char *ssl_peer_key, 181 struct Curl_ssl_session *s); 182 183 /* Remove all sessions and obj for the peer_key. Does NOT need locking. */ 184 void Curl_ssl_scache_remove_all(struct Curl_cfilter *cf, 185 struct Curl_easy *data, 186 const char *ssl_peer_key); 187 188 189 #else /* USE_SSL */ 190 191 #define Curl_ssl_scache_create(x,y) CURLE_OK 192 #define Curl_ssl_scache_destroy(x) CURLE_OK 193 194 #endif /* USE_SSL (else) */ 195 196 #endif /* HEADER_CURL_VTLS_SCACHE_H */ 197
