GitLab/ocserv
1
0
Fork 0
mirror of https://gitlab.com/openconnect/ocserv.git synced 2026-02-10 08:46:58 +08:00
Code Issues Packages Projects Releases Wiki Activity

TLS session resumption database was moved to sec-mod

Browse Source 
This reduces the number of sensitive data available to main process.
Resolves #21
This commit is contained in:
Nikos Mavrogiannopoulos
2015-12-07 19:51:11 +01:00
parent d378ce0709
commit e1fc1f3c45
13 changed files with 244 additions and 175 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/Makefile.am
View File

@@ -50,7 +50,7 @@ ACCT_SOURCES=acct/radius.c acct/radius.h acct/pam.c acct/pam.h
ocserv_SOURCES = main.c main-auth.c worker-vpn.c worker-auth.c tlslib.c \
cookies.c main-misc.c ip-lease.c ip-lease.h \
vpn.h cookies.h tlslib.h log.c tun.c tun.h config-kkdcp.c \
config.c worker-resume.c worker.h main-resume.c main.h \
config.c worker-resume.c worker.h sec-mod-resume.c main.h \
worker-http-handlers.c html.c html.h worker-http.c \
main-user.c worker-misc.c route-add.c route-add.h worker-privs.c \
sec-mod.c sec-mod-db.c sec-mod-auth.c sec-mod-auth.h sec-mod.h \
@@ -64,7 +64,7 @@ ocserv_SOURCES = main.c main-auth.c worker-vpn.c worker-auth.c tlslib.c \
proc-search.c proc-search.h http-heads.h ip-util.c ip-util.h \
main-ban.c main-ban.h common-config.h base64-helper.c base64-helper.h \
str.c str.h gettime.h $(CCAN_SOURCES) $(HTTP_PARSER_SOURCES) \
sec-mod-acct.h setproctitle.c setproctitle.h
sec-mod-acct.h setproctitle.c setproctitle.h sec-mod-resume.h
if ENABLE_COMPRESSION
ocserv_SOURCES += lzs.c lzs.h

9
src/ipc.proto
View File

@@ -86,6 +86,10 @@ message auth_reply_msg
message session_resume_fetch_msg
{
required bytes session_id = 1;
/* this is of type sockaddr_storage,
* and contains the address of the client.
*/
required bytes cli_addr = 2;
}
/* RESUME_STORE_REQ */
@@ -93,6 +97,10 @@ message session_resume_store_req_msg
{
required bytes session_id = 1;
required bytes session_data = 2;
/* this is of type sockaddr_storage,
* and contains the address of the client.
*/
required bytes cli_addr = 3;
}
/* RESUME_FETCH_REP */
@@ -123,6 +131,7 @@ message cli_stats_msg
optional string ipv6 = 7;
optional uint32 discon_reason = 8;
optional uint32 secmod_client_entries = 9; /* from sec-mod to main only */
optional uint32 secmod_tlsdb_entries = 10; /* from sec-mod to main only */
}
/* UDP_FD */

2
src/main-ctl-unix.c
View File

@@ -180,7 +180,7 @@ static void method_status(method_ctx *ctx, int cfd, uint8_t * msg,
rep.sec_mod_pid = ctx->s->sec_mod_pid;
rep.active_clients = ctx->s->active_clients;
rep.secmod_client_entries = ctx->s->secmod_client_entries;
rep.stored_tls_sessions = ctx->s->tls_db.entries;
rep.stored_tls_sessions = ctx->s->tlsdb_entries;
rep.banned_ips = main_ban_db_elems(ctx->s);
ret = send_msg(ctx->pool, cfd, CTL_CMD_STATUS_REP, &rep,

106
src/main-misc.c
View File

@@ -484,112 +484,6 @@ int handle_worker_commands(main_server_st * s, struct proc_st *proc)
}
break;
case RESUME_STORE_REQ:{
SessionResumeStoreReqMsg *smsg;
smsg =
session_resume_store_req_msg__unpack(&pa, raw_len,
raw);
if (smsg == NULL) {
mslog(s, proc, LOG_ERR, "error unpacking data");
ret = ERR_BAD_COMMAND;
goto cleanup;
}
ret = handle_resume_store_req(s, proc, smsg);
/* zeroize the data */
safe_memset(raw, 0, raw_len);
safe_memset(smsg->session_data.data, 0, smsg->session_data.len);
session_resume_store_req_msg__free_unpacked(smsg, &pa);
if (ret < 0) {
mslog(s, proc, LOG_DEBUG,
"could not store resumption data");
}
}
break;
case RESUME_DELETE_REQ:{
SessionResumeFetchMsg *fmsg;
fmsg =
session_resume_fetch_msg__unpack(&pa, raw_len,
raw);
if (fmsg == NULL) {
mslog(s, proc, LOG_ERR, "error unpacking data");
ret = ERR_BAD_COMMAND;
goto cleanup;
}
ret = handle_resume_delete_req(s, proc, fmsg);
session_resume_fetch_msg__free_unpacked(fmsg, &pa);
if (ret < 0) {
mslog(s, proc, LOG_DEBUG,
"could not delete resumption data.");
}
}
break;
case RESUME_FETCH_REQ:{
SessionResumeReplyMsg msg =
SESSION_RESUME_REPLY_MSG__INIT;
SessionResumeFetchMsg *fmsg;
if (proc->resume_reqs > 0) {
mslog(s, proc, LOG_ERR, "too many resumption requests");
ret = ERR_BAD_COMMAND;
goto cleanup;
}
proc->resume_reqs++;
fmsg =
session_resume_fetch_msg__unpack(&pa, raw_len,
raw);
if (fmsg == NULL) {
mslog(s, proc, LOG_ERR, "error unpacking data");
ret = ERR_BAD_COMMAND;
goto cleanup;
}
ret = handle_resume_fetch_req(s, proc, fmsg, &msg);
session_resume_fetch_msg__free_unpacked(fmsg, &pa);
if (ret < 0) {
msg.reply =
SESSION_RESUME_REPLY_MSG__RESUME__REP__FAILED;
mslog(s, proc, LOG_DEBUG,
"could not fetch resumption data.");
} else {
msg.reply =
SESSION_RESUME_REPLY_MSG__RESUME__REP__OK;
}
ret =
send_msg_to_worker(s, proc, RESUME_FETCH_REP, &msg,
(pack_size_func)
session_resume_reply_msg__get_packed_size,
(pack_func)
session_resume_reply_msg__pack);
if (ret < 0) {
mslog(s, proc, LOG_ERR,
"could not send reply cmd %d.",
(unsigned)cmd);
ret = ERR_BAD_COMMAND;
goto cleanup;
}
}
break;
case AUTH_COOKIE_REQ:
if (proc->status != PS_AUTH_INACTIVE) {
mslog(s, proc, LOG_ERR,

2
src/main-sec-mod-cmd.c
View File

@@ -528,6 +528,8 @@ int session_close(main_server_st * s, struct proc_st *proc)
proc->bytes_out = msg->bytes_out;
if (msg->has_secmod_client_entries)
s->secmod_client_entries = msg->secmod_client_entries;
if (msg->has_secmod_tlsdb_entries)
s->tlsdb_entries = msg->secmod_tlsdb_entries;
if (msg->has_discon_reason)
proc->discon_reason = msg->discon_reason;

3
src/main.c
View File

@@ -611,7 +611,6 @@ void clear_lists(main_server_st *s)
talloc_free(script_tmp);
}
tls_cache_deinit(&s->tls_db);
ip_lease_deinit(&s->ip_leases);
proc_table_deinit(s);
ctl_handler_deinit(s);
@@ -1075,7 +1074,6 @@ static void maintainance_watcher_cb(EV_P_ ev_timer *w, int revents)
/* Check if we need to expire any data */
mslog(s, NULL, LOG_DEBUG, "performing maintenance (banned IPs: %d)", main_ban_db_elems(s));
tls_reload_crl(s, s->creds, 0);
expire_tls_sessions(s);
cleanup_banned_entries(s);
clear_old_configs(s->perm_config);
}
@@ -1132,7 +1130,6 @@ int main(int argc, char** argv)
list_head_init(&s->proc_list.head);
list_head_init(&s->script_list.head);
tls_cache_init(s, &s->tls_db);
ip_lease_init(&s->ip_leases);
proc_table_init(s);
main_ban_db_init(s);

15
src/main.h
View File

@@ -149,7 +149,6 @@ typedef struct proc_st {
uint8_t ipv4_seed[4];
unsigned status; /* PS_AUTH_ */
unsigned resume_reqs; /* the number of requests received */
/* these are filled in after the worker process dies, using the
* Cli stats message. */
@@ -190,7 +189,6 @@ typedef struct main_server_st {
struct ip_lease_db_st ip_leases;
tls_sess_db_st tls_db;
struct htable *ban_db;
tls_st *creds;
@@ -217,6 +215,7 @@ typedef struct main_server_st {
/* updated on the cli_stats_msg from sec-mod.
* Holds the number of entries in secmod list of users */
unsigned secmod_client_entries;
unsigned tlsdb_entries;
time_t start_time;
void * auth_extra;
@@ -240,20 +239,8 @@ int handle_sec_mod_commands(main_server_st *s);
int user_connected(main_server_st *s, struct proc_st* cur);
void user_disconnected(main_server_st *s, struct proc_st* cur);
void expire_tls_sessions(main_server_st *s);
int send_udp_fd(main_server_st* s, struct proc_st * proc, int fd);
int handle_resume_delete_req(main_server_st* s, struct proc_st * proc,
const SessionResumeFetchMsg * req);
int handle_resume_fetch_req(main_server_st* s, struct proc_st * proc,
const SessionResumeFetchMsg * req,
SessionResumeReplyMsg* rep);
int handle_resume_store_req(main_server_st* s, struct proc_st *proc,
const SessionResumeStoreReqMsg *);
int session_open(main_server_st * s, struct proc_st *proc, const uint8_t *cookie, unsigned cookie_size);
int session_close(main_server_st * s, struct proc_st *proc);

3
src/sec-mod-auth.c
View File

@@ -541,6 +541,9 @@ int handle_sec_auth_session_close(sec_mod_st *sec, int fd, const SecAuthSessionM
rep.discon_reason = e->discon_reason;
rep.secmod_client_entries = sec_mod_client_db_elems(sec);
rep.secmod_tlsdb_entries = sec->tls_db.entries;
rep.has_secmod_tlsdb_entries = 1;
ret = send_msg(e, fd, SM_CMD_AUTH_CLI_STATS, &rep,
(pack_size_func) cli_stats_msg__get_packed_size,
(pack_func) cli_stats_msg__pack);

62
src/main-resume.c → src/sec-mod-resume.c
View File

@@ -34,12 +34,12 @@
#include <ccan/hash/hash.h>
#include <vpn.h>
#include <main.h>
#include <sec-mod-resume.h>
#include <common.h>
#include <ip-util.h>
#include <tlslib.h>
int handle_resume_delete_req(main_server_st * s, struct proc_st *proc,
int handle_resume_delete_req(sec_mod_st *sec,
const SessionResumeFetchMsg * req)
{
tls_cache_st *cache;
@@ -48,7 +48,7 @@ int handle_resume_delete_req(main_server_st * s, struct proc_st *proc,
key = hash_any(req->session_id.data, req->session_id.len, 0);
cache = htable_firstval(s->tls_db.ht, &iter, key);
cache = htable_firstval(sec->tls_db.ht, &iter, key);
while (cache != NULL) {
if (req->session_id.len == cache->session_id_size &&
memcmp(req->session_id.data, cache->session_id,
@@ -57,19 +57,19 @@ int handle_resume_delete_req(main_server_st * s, struct proc_st *proc,
cache->session_data_size = 0;
cache->session_id_size = 0;
htable_delval(s->tls_db.ht, &iter);
htable_delval(sec->tls_db.ht, &iter);
talloc_free(cache);
s->tls_db.entries--;
sec->tls_db.entries--;
return 0;
}
cache = htable_nextval(s->tls_db.ht, &iter, key);
cache = htable_nextval(sec->tls_db.ht, &iter, key);
}
return 0;
}
int handle_resume_fetch_req(main_server_st * s, struct proc_st *proc,
int handle_resume_fetch_req(sec_mod_st *sec,
const SessionResumeFetchMsg * req,
SessionResumeReplyMsg * rep)
{
@@ -81,14 +81,14 @@ int handle_resume_fetch_req(main_server_st * s, struct proc_st *proc,
key = hash_any(req->session_id.data, req->session_id.len, 0);
cache = htable_firstval(s->tls_db.ht, &iter, key);
cache = htable_firstval(sec->tls_db.ht, &iter, key);
while (cache != NULL) {
if (req->session_id.len == cache->session_id_size &&
memcmp(req->session_id.data, cache->session_id,
req->session_id.len) == 0) {
if (proc->remote_addr_len == cache->remote_addr_len &&
ip_cmp(&proc->remote_addr, &cache->remote_addr) == 0) {
if (req->cli_addr.len == cache->remote_addr_len &&
ip_cmp((struct sockaddr_storage *)req->cli_addr.data, &cache->remote_addr) == 0) {
rep->reply =
SESSION_RESUME_REPLY_MSG__RESUME__REP__OK;
@@ -100,7 +100,7 @@ int handle_resume_fetch_req(main_server_st * s, struct proc_st *proc,
rep->session_data.len =
cache->session_data_size;
mslog_hex(s, proc, LOG_DEBUG, "TLS session DB resuming",
seclog_hex(sec, LOG_DEBUG, "TLS session DB resuming",
req->session_id.data,
req->session_id.len, 0);
@@ -108,14 +108,14 @@ int handle_resume_fetch_req(main_server_st * s, struct proc_st *proc,
}
}
cache = htable_nextval(s->tls_db.ht, &iter, key);
cache = htable_nextval(sec->tls_db.ht, &iter, key);
}
return 0;
}
int handle_resume_store_req(main_server_st * s, struct proc_st *proc,
int handle_resume_store_req(sec_mod_st *sec,
const SessionResumeStoreReqMsg * req)
{
tls_cache_st *cache;
@@ -127,40 +127,46 @@ int handle_resume_store_req(main_server_st * s, struct proc_st *proc,
if (req->session_data.len > MAX_SESSION_DATA_SIZE)
return -1;
max = MAX(2 * s->config->max_clients, DEFAULT_MAX_CACHED_TLS_SESSIONS);
if (s->tls_db.entries >= max) {
mslog(s, NULL, LOG_INFO,
max = MAX(2 * sec->config->max_clients, DEFAULT_MAX_CACHED_TLS_SESSIONS);
if (sec->tls_db.entries >= max) {
seclog(sec, LOG_INFO,
"maximum number of stored TLS sessions reached (%u)",
max);
return -1;
}
if (req->cli_addr.len == 0) {
seclog(sec, LOG_INFO,
"invalid address length");
return -1;
}
key = hash_any(req->session_id.data, req->session_id.len, 0);
cache = talloc(s->tls_db.ht, tls_cache_st);
cache = talloc(sec->tls_db.ht, tls_cache_st);
if (cache == NULL)
return -1;
cache->session_id_size = req->session_id.len;
cache->session_data_size = req->session_data.len;
cache->remote_addr_len = proc->remote_addr_len;
cache->remote_addr_len = req->cli_addr.len;
memcpy(cache->session_id, req->session_id.data, req->session_id.len);
memcpy(cache->session_data, req->session_data.data,
req->session_data.len);
memcpy(&cache->remote_addr, &proc->remote_addr, proc->remote_addr_len);
memcpy(&cache->remote_addr, req->cli_addr.data, req->cli_addr.len);
htable_add(s->tls_db.ht, key, cache);
s->tls_db.entries++;
htable_add(sec->tls_db.ht, key, cache);
sec->tls_db.entries++;
mslog_hex(s, proc, LOG_DEBUG, "TLS session DB storing",
seclog_hex(sec, LOG_DEBUG, "TLS session DB storing",
req->session_id.data,
req->session_id.len, 0);
return 0;
}
void expire_tls_sessions(main_server_st * s)
void expire_tls_sessions(sec_mod_st *sec)
{
tls_cache_st *cache;
struct htable_iter iter;
@@ -168,7 +174,7 @@ void expire_tls_sessions(main_server_st * s)
now = time(0);
cache = htable_first(s->tls_db.ht, &iter);
cache = htable_first(sec->tls_db.ht, &iter);
while (cache != NULL) {
gnutls_datum_t d;
@@ -177,16 +183,16 @@ void expire_tls_sessions(main_server_st * s)
exp = gnutls_db_check_entry_time(&d);
if (now - exp > TLS_SESSION_EXPIRATION_TIME(s->config)) {
if (now - exp > TLS_SESSION_EXPIRATION_TIME(sec->config)) {
cache->session_id_size = 0;
htable_delval(s->tls_db.ht, &iter);
htable_delval(sec->tls_db.ht, &iter);
safe_memset(cache->session_data, 0, cache->session_data_size);
talloc_free(cache);
s->tls_db.entries--;
sec->tls_db.entries--;
}
cache = htable_next(s->tls_db.ht, &iter);
cache = htable_next(sec->tls_db.ht, &iter);
}
return;

38
src/sec-mod-resume.h Normal file
View File

@@ -0,0 +1,38 @@
/*
* Copyright (C) 2015 Nikos Mavrogiannopoulos
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of ocserv.
*
* The GnuTLS is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#ifndef SEC_MOD_RESUME_H
# define SEC_MOD_RESUME_H
#include <sec-mod.h>
int handle_resume_delete_req(sec_mod_st* sec,
const SessionResumeFetchMsg * req);
int handle_resume_fetch_req(sec_mod_st* sec,
const SessionResumeFetchMsg * req,
SessionResumeReplyMsg* rep);
int handle_resume_store_req(sec_mod_st* sec,
const SessionResumeStoreReqMsg *);
void expire_tls_sessions(sec_mod_st *sec);
#endif

104
src/sec-mod.c
View File

@@ -41,6 +41,7 @@
#include <tlslib.h>
#include <ipc.pb-c.h>
#include <sec-mod-sup-config.h>
#include <sec-mod-resume.h>
#include <cloexec.h>
#include <gnutls/gnutls.h>
@@ -322,6 +323,102 @@ int process_packet(void *pool, int cfd, pid_t pid, sec_mod_st * sec, cmd_request
sec_auth_cont_msg__free_unpacked(auth_cont, &pa);
return ret;
}
case RESUME_STORE_REQ:{
SessionResumeStoreReqMsg *smsg;
smsg =
session_resume_store_req_msg__unpack(&pa, buffer_size,
buffer);
if (smsg == NULL) {
seclog(sec, LOG_ERR, "error unpacking data");
return ERR_BAD_COMMAND;
}
ret = handle_resume_store_req(sec, smsg);
/* zeroize the data */
safe_memset(buffer, 0, buffer_size);
safe_memset(smsg->session_data.data, 0, smsg->session_data.len);
session_resume_store_req_msg__free_unpacked(smsg, &pa);
if (ret < 0) {
seclog(sec, LOG_DEBUG,
"could not store resumption data");
}
}
break;
case RESUME_DELETE_REQ:{
SessionResumeFetchMsg *fmsg;
fmsg =
session_resume_fetch_msg__unpack(&pa, buffer_size,
buffer);
if (fmsg == NULL) {
seclog(sec, LOG_ERR, "error unpacking data");
return ERR_BAD_COMMAND;
}
ret = handle_resume_delete_req(sec, fmsg);
session_resume_fetch_msg__free_unpacked(fmsg, &pa);
if (ret < 0) {
seclog(sec, LOG_DEBUG,
"could not delete resumption data.");
}
}
break;
case RESUME_FETCH_REQ:{
SessionResumeReplyMsg msg =
SESSION_RESUME_REPLY_MSG__INIT;
SessionResumeFetchMsg *fmsg;
/* FIXME: rate limit that */
fmsg =
session_resume_fetch_msg__unpack(&pa, buffer_size,
buffer);
if (fmsg == NULL) {
seclog(sec, LOG_ERR, "error unpacking data");
return ERR_BAD_COMMAND;
}
ret = handle_resume_fetch_req(sec, fmsg, &msg);
session_resume_fetch_msg__free_unpacked(fmsg, &pa);
if (ret < 0) {
msg.reply =
SESSION_RESUME_REPLY_MSG__RESUME__REP__FAILED;
seclog(sec, LOG_DEBUG,
"could not fetch resumption data.");
} else {
msg.reply =
SESSION_RESUME_REPLY_MSG__RESUME__REP__OK;
}
ret =
send_msg(pool, cfd, RESUME_FETCH_REP, &msg,
(pack_size_func)
session_resume_reply_msg__get_packed_size,
(pack_func)
session_resume_reply_msg__pack);
if (ret < 0) {
seclog(sec, LOG_ERR,
"could not send reply cmd %d.",
(unsigned)cmd);
return ERR_BAD_COMMAND;
}
}
break;
default:
seclog(sec, LOG_WARNING, "unknown type 0x%.2x", cmd);
return -1;
@@ -412,6 +509,7 @@ static void check_other_work(sec_mod_st *sec)
}
sec_mod_client_db_deinit(sec);
tls_cache_deinit(&sec->tls_db);
talloc_free(sec);
exit(0);
}
@@ -443,6 +541,7 @@ static void check_other_work(sec_mod_st *sec)
if (need_maintainance) {
seclog(sec, LOG_DEBUG, "performing maintenance");
cleanup_client_entries(sec);
expire_tls_sessions(sec);
seclog(sec, LOG_DEBUG, "active sessions %d",
sec_mod_client_db_elems(sec));
alarm(MAINTAINANCE_TIME);
@@ -507,7 +606,7 @@ int serve_request_main(sec_mod_st *sec, int fd, uint8_t *buffer, unsigned buffer
}
static
int serve_request(sec_mod_st *sec, int cfd, pid_t pid, uint8_t *buffer, unsigned buffer_size)
int serve_request_worker(sec_mod_st *sec, int cfd, pid_t pid, uint8_t *buffer, unsigned buffer_size)
{
int ret, e;
unsigned cmd, length;
@@ -636,6 +735,7 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
sec->perm_config = talloc_steal(sec, perm_config);
sec->config = sec->perm_config->config;
tls_cache_init(sec, &sec->tls_db);
sup_config_init(sec);
memset(&sa, 0, sizeof(sa));
@@ -845,7 +945,7 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
seclog(sec, LOG_INFO, "rejected unauthorized connection");
} else {
memset(buffer, 0, buffer_size);
serve_request(sec, cfd, pid, buffer, buffer_size);
serve_request_worker(sec, cfd, pid, buffer, buffer_size);
}
close(cfd);
}

2
src/sec-mod.h
View File

@@ -41,6 +41,8 @@ typedef struct sec_mod_st {
int cmd_fd;
int cmd_fd_sync;
tls_sess_db_st tls_db;
struct config_mod_st *config_module;
} sec_mod_st;

69
src/worker-resume.c
View File

@@ -41,13 +41,13 @@
#include <tlslib.h>
static int recv_resume_fetch_reply(worker_st *ws, gnutls_datum_t *sdata)
static int recv_resume_fetch_reply(worker_st *ws, int sd, gnutls_datum_t *sdata)
{
int ret;
SessionResumeReplyMsg *resp;
PROTOBUF_ALLOCATOR(pa, ws);
ret = recv_msg(ws, ws->cmd_fd, RESUME_FETCH_REP, (void*)&resp,
ret = recv_msg(ws, sd, RESUME_FETCH_REP, (void*)&resp,
(unpack_func)session_resume_reply_msg__unpack, DEFAULT_SOCKET_TIMEOUT);
if (ret < 0) {
oclog(ws, LOG_ERR, "error receiving resumption reply (fetch)");
@@ -81,27 +81,38 @@ cleanup:
*/
static gnutls_datum_t resume_db_fetch(void *dbf, gnutls_datum_t key)
{
worker_st *ws = dbf;
gnutls_datum_t r = { NULL, 0 };
int ret;
SessionResumeFetchMsg msg = SESSION_RESUME_FETCH_MSG__INIT;
worker_st *ws = dbf;
gnutls_datum_t r = { NULL, 0 };
int ret, sd;
SessionResumeFetchMsg msg = SESSION_RESUME_FETCH_MSG__INIT;
if (key.size > GNUTLS_MAX_SESSION_ID) {
oclog(ws, LOG_DEBUG, "session ID size exceeds the maximum %u", key.size);
return r;
}
sd = connect_to_secmod(ws);
if (sd == -1) {
oclog(ws, LOG_DEBUG, "cannot connect to secmod");
return r;
}
msg.session_id.len = key.size;
msg.session_id.data = key.data;
msg.cli_addr.len = ws->remote_addr_len;
msg.cli_addr.data = (void*)&ws->remote_addr;
ret = send_msg_to_main(ws, RESUME_FETCH_REQ, &msg,
ret = send_msg_to_secmod(ws, sd, RESUME_FETCH_REQ, &msg,
(pack_size_func)session_resume_fetch_msg__get_packed_size,
(pack_func)session_resume_fetch_msg__pack);
if (ret < 0)
return r;
if (ret < 0) {
goto cleanup;
}
recv_resume_fetch_reply(ws, &r);
recv_resume_fetch_reply(ws, sd, &r);
cleanup:
close(sd);
return r;
}
@@ -109,9 +120,9 @@ SessionResumeFetchMsg msg = SESSION_RESUME_FETCH_MSG__INIT;
static int
resume_db_store (void *dbf, gnutls_datum_t key, gnutls_datum_t data)
{
worker_st *ws = dbf;
SessionResumeStoreReqMsg msg = SESSION_RESUME_STORE_REQ_MSG__INIT;
int ret;
worker_st *ws = dbf;
SessionResumeStoreReqMsg msg = SESSION_RESUME_STORE_REQ_MSG__INIT;
int ret, sd;
if (data.size > MAX_SESSION_DATA_SIZE) {
oclog(ws, LOG_DEBUG, "session data size exceeds the maximum %u", data.size);
@@ -129,9 +140,21 @@ int ret;
msg.session_id.data = key.data;
msg.session_data.data = data.data;
ret = send_msg_to_main(ws, RESUME_STORE_REQ, &msg,
msg.cli_addr.len = ws->remote_addr_len;
msg.cli_addr.data = (void*)&ws->remote_addr;
sd = connect_to_secmod(ws);
if (sd == -1) {
oclog(ws, LOG_DEBUG, "cannot connect to secmod");
return GNUTLS_E_DB_ERROR;
}
ret = send_msg_to_secmod(ws, sd, RESUME_STORE_REQ, &msg,
(pack_size_func)session_resume_store_req_msg__get_packed_size,
(pack_func)session_resume_store_req_msg__pack);
close(sd);
if (ret < 0) {
return GNUTLS_E_DB_ERROR;
}
@@ -145,9 +168,9 @@ int ret;
*/
static int resume_db_delete(void *dbf, gnutls_datum_t key)
{
worker_st *ws = dbf;
int ret;
SessionResumeFetchMsg msg = SESSION_RESUME_FETCH_MSG__INIT;
worker_st *ws = dbf;
int ret, sd;
SessionResumeFetchMsg msg = SESSION_RESUME_FETCH_MSG__INIT;
if (key.size > GNUTLS_MAX_SESSION_ID) {
oclog(ws, LOG_DEBUG, "Session ID size exceeds the maximum %u", key.size);
@@ -157,9 +180,17 @@ SessionResumeFetchMsg msg = SESSION_RESUME_FETCH_MSG__INIT;
msg.session_id.len = key.size;
msg.session_id.data = key.data;
ret = send_msg_to_main(ws, RESUME_DELETE_REQ, &msg,
sd = connect_to_secmod(ws);
if (sd == -1) {
oclog(ws, LOG_DEBUG, "cannot connect to secmod");
return GNUTLS_E_DB_ERROR;
}
ret = send_msg_to_secmod(ws, sd, RESUME_DELETE_REQ, &msg,
(pack_size_func)session_resume_fetch_msg__get_packed_size,
(pack_func)session_resume_fetch_msg__pack);
close(sd);
if (ret < 0)
return GNUTLS_E_DB_ERROR;