TODO comments for #488,#515,#1054

tempesta_fw/client.c

@@ -87,6 +87,8 @@ EXPORT_SYMBOL(tfw_client_put);
  * Find a client corresponding to the @sk by IP address.
  * More advanced identification is possible based on User-Agent,
  * Cookie and other HTTP headers.
+ * TODO (#488,#598,#1054?) actually clients can be relatively reliably
+ * identified with TLS sessions (#1054) or HTTP sticky cookies.
  *
  * The returned TfwClient reference must be released via tfw_client_put()
  * when the @sk is closed.

tls/ssl_cache.c

@@ -1,36 +1,77 @@
 /*
- *  SSL session cache implementation
+ *		Tempesta TLS
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  Copyright (C) 2015-2018 Tempesta Technologies, Inc.
- *  SPDX-License-Identifier: GPL-2.0
+ * TLS session cache implementation
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright (C) 2015-2018 Tempesta Technologies, Inc.
+ * SPDX-License-Identifier: GPL-2.0
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
  *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 /*
  * These session callbacks use a simple chained list
  * to store and retrieve the session information.
+ * TODO #1054: the lists are bad, use TDB instead.
  */
+/**
+ * TODO #1054.
+ * ttls_conf_session_cache() was removed since we don't need to set
+ * f_get_cache() and f_set_cache() callbacks, instead just remove the callbacks
+ * completely and call the cache functions directly.
+ *
+ * The session cache has the responsibility to check for stale
+ * entries based on timeout. See RFC 5246 for recommendations.
+ *
+ * Warning: session.peer_cert is cleared by the SSL/TLS layer on
+ * connection shutdown, so do not cache the pointer! Either set
+ * it to NULL or make a full copy of the certificate.
+ *
+ * The get callback is called once during the initial handshake
+ * to enable session resuming. The get function has the
+ * following parameters: (void *parameter, TlsSess *session)
+ * If a valid entry is found, it should fill the master of
+ * the session object with the cached values and return 0,
+ * return 1 otherwise. Optionally peer_cert can be set as well
+ * if it is properly present in cache entry.
+ *
+ * The set callback is called once during the initial handshake
+ * to enable session resuming after the entire handshake has
+ * been finished. The set function has the following parameters:
+ * (void *parameter, const TlsSess *session). The function
+ * should create a cache entry for future retrieval based on
+ * the data in the session structure and should keep in mind
+ * that the TlsSess object presented (and all its referenced
+ * data) is cleared by the SSL/TLS layer when the connection is
+ * terminated. It is recommended to add metadata to determine if
+ * an entry is still valid in the future. Return 0 if
+ * successfully cached, return 1 otherwise.
+ */
+
 #include "config.h"
 
 #if defined(TTLS_CACHE_C)
 
 #include "ssl_cache.h"
 
+/* TODO #515: the constants must go to configuration directive describing
+ * the TDB collection.
+ */
+#define TTLS_CACHE_DEFAULT_TIMEOUT	86400 /* 1 day  */
+#define TTLS_CACHE_DEFAULT_MAX_ENTRIES	50 /* Maximum entries in cache */
+
 void ttls_cache_init(ttls_cache_context *cache)
 {
 	memset(cache, 0, sizeof(ttls_cache_context));
@@ -67,7 +108,7 @@ int ttls_cache_get(void *data, TlsSess *session)
 			continue;
 
 		if (memcmp(session->id, entry->session.id,
-		entry->session.id_len) != 0)
+				entry->session.id_len) != 0)
 			continue;
 
 		memcpy(session->master, entry->session.master, 48);
@@ -80,15 +121,15 @@ int ttls_cache_get(void *data, TlsSess *session)
 		if (entry->peer_cert.p != NULL)
 		{
 			if ((session->peer_cert = ttls_calloc(1,
-		 sizeof(ttls_x509_crt))) == NULL)
+				 sizeof(ttls_x509_crt))) == NULL)
 			{
 				ret = 1;
 				goto exit;
 			}
 
 			ttls_x509_crt_init(session->peer_cert);
 			if (ttls_x509_crt_parse(session->peer_cert, entry->peer_cert.p,
-		entry->peer_cert.len) != 0)
+						entry->peer_cert.len) != 0)
 			{
 				ttls_free(session->peer_cert);
 				session->peer_cert = NULL;

tls/ssl_cache.h

@@ -1,50 +1,29 @@
 /**
- * \file ssl_cache.h
+ *		Tempesta TLS
  *
- * \brief SSL session cache implementation
- */
-/*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  Copyright (C) 2015-2018 Tempesta Technologies, Inc.
- *  SPDX-License-Identifier: GPL-2.0
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright (C) 2015-2018 Tempesta Technologies, Inc.
+ * SPDX-License-Identifier: GPL-2.0
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
  *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 #ifndef TTLS_CACHE_H
 #define TTLS_CACHE_H
 
 #include "ttls.h"
 
-/**
- * \name SECTION: Module settings
- *
- * The configuration options you can set for this module are in this section.
- * Either change them in config.h or define them on the compiler command line.
- * \{
- */
-
-#if !defined(TTLS_CACHE_DEFAULT_TIMEOUT)
-#define TTLS_CACHE_DEFAULT_TIMEOUT	   86400   /*!< 1 day  */
-#endif
-
-#if !defined(TTLS_CACHE_DEFAULT_MAX_ENTRIES)
-#define TTLS_CACHE_DEFAULT_MAX_ENTRIES	  50   /*!< Maximum entries in cache */
-#endif
-
 typedef struct ttls_cache_context ttls_cache_context;
 typedef struct ttls_cache_entry ttls_cache_entry;
 

tls/ssl_ticket.c

@@ -1,23 +1,25 @@
-/*
- *  TLS server tickets callbacks implementation
+/**
+ *		Tempesta TLS
+ *
+ * TLS server tickets implementation (RFC 5077).
  *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  Copyright (C) 2015-2018 Tempesta Technologies, Inc.
- *  SPDX-License-Identifier: GPL-2.0
+ * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright (C) 2015-2018 Tempesta Technologies, Inc.
+ * SPDX-License-Identifier: GPL-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 #include "config.h"
 

tls/ssl_ticket.h

@@ -1,28 +1,23 @@
 /**
- * \file ssl_ticket.h
+ *		Tempesta TLS
  *
- * \brief TLS server ticket callbacks implementation
- */
-/*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  Copyright (C) 2015-2018 Tempesta Technologies, Inc.
- *  SPDX-License-Identifier: GPL-2.0
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright (C) 2015-2018 Tempesta Technologies, Inc.
+ * SPDX-License-Identifier: GPL-2.0
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
  *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 #ifndef TTLS_TICKET_H
 #define TTLS_TICKET_H

tls/ttls.c

@@ -1663,16 +1663,6 @@ void ttls_conf_verify(ttls_config *conf,
 	conf->p_vrfy	 = p_vrfy;
 }
 
-void ttls_conf_session_cache(ttls_config *conf,
-		void *p_cache,
-		int (*f_get_cache)(void *, TlsSess *),
-		int (*f_set_cache)(void *, const TlsSess *))
-{
-	conf->p_cache = p_cache;
-	conf->f_get_cache = f_get_cache;
-	conf->f_set_cache = f_set_cache;
-}
-
 #if defined(TTLS_CLI_C)
 int ttls_set_session(ttls_context *tls, const ttls_ssl_session *session)
 {

tls/ttls.h

@@ -667,48 +667,6 @@ void ttls_conf_session_tickets_cb(ttls_config *conf,
 	ttls_ticket_parse_t *f_ticket_parse,
 	void *p_ticket);
 
-/**
- * \brief	Set the session cache callbacks (server-side only)
- *		If not set, no session resuming is done (except if session
- *		tickets are enabled too).
- *
- *		The session cache has the responsibility to check for stale
- *		entries based on timeout. See RFC 5246 for recommendations.
- *
- *		Warning: session.peer_cert is cleared by the SSL/TLS layer on
- *		connection shutdown, so do not cache the pointer! Either set
- *		it to NULL or make a full copy of the certificate.
- *
- *		The get callback is called once during the initial handshake
- *		to enable session resuming. The get function has the
- *		following parameters: (void *parameter, TlsSess *session)
- *		If a valid entry is found, it should fill the master of
- *		the session object with the cached values and return 0,
- *		return 1 otherwise. Optionally peer_cert can be set as well
- *		if it is properly present in cache entry.
- *
- *		The set callback is called once during the initial handshake
- *		to enable session resuming after the entire handshake has
- *		been finished. The set function has the following parameters:
- *		(void *parameter, const TlsSess *session). The function
- *		should create a cache entry for future retrieval based on
- *		the data in the session structure and should keep in mind
- *		that the TlsSess object presented (and all its referenced
- *		data) is cleared by the SSL/TLS layer when the connection is
- *		terminated. It is recommended to add metadata to determine if
- *		an entry is still valid in the future. Return 0 if
- *		successfully cached, return 1 otherwise.
- *
- * \param conf	SSL configuration
- * \param p_cache	parmater (context) for both callbacks
- * \param f_get_cache	session get callback
- * \param f_set_cache	session set callback
- */
-void ttls_conf_session_cache(ttls_config *conf,
-	void *p_cache,
-	int (*f_get_cache)(void *, TlsSess *),
-	int (*f_set_cache)(void *, const TlsSess *));
-
 #if defined(TTLS_CLI_C)
 /**
  * \brief	Request resumption of session (client-side only)