Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / netd / ded1b70c6b9957722d8b85a78263af7ccd8d6379^! / . / server / dns / DnsTlsSessionCache.h
commitded1b70c6b9957722d8b85a78263af7ccd8d6379[log] [tgz]
authorBen Schwartz <bemasc@google.com>Wed Oct 25 14:41:02 2017 -0400
committerBen Schwartz <bemasc@google.com>Tue Jan 23 12:21:57 2018 -0500
tree62b74af6edc5a00e2c84e926f4c97b88c27048cf
parentfa8616c1cc1d6972da1fbd5745c1e0c86ec5daea [diff] [blame]
Refactor, prerequisite for DNS-over-TLS pipelining

This change should have no effect on behavior, but it divides functionality
out into classes in a way that will enable pipelining.
It also adds unit tests for the newly divided functionality.

Test: Unit and integration tests pass.
Bug: 63448521
Change-Id: I08948be304b7a3e4ba10f754ef58bd41db6824c4

diff --git a/server/dns/DnsTlsSessionCache.h b/server/dns/DnsTlsSessionCache.h
new file mode 100644
index 0000000..32b8b55
--- /dev/null
+++ b/server/dns/DnsTlsSessionCache.h

@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef _DNS_DNSTLSSESSIONCACHE_H
+#define _DNS_DNSTLSSESSIONCACHE_H
+
+#include <mutex>
+#include <deque>
+
+#include <openssl/ssl.h>
+
+#include <android-base/thread_annotations.h>
+#include <android-base/unique_fd.h>
+
+#include "dns/DnsTlsServer.h"
+
+namespace android {
+namespace net {
+
+// Cache of recently seen SSL_SESSIONs.  This is used to support session tickets.
+// This class is thread-safe.
+class DnsTlsSessionCache {
+public:
+    // Prepare SSL objects to use this session cache.  These methods must be called
+    // before making use of either object.
+    void prepareSslContext(SSL_CTX* _Nonnull ssl_ctx);
+    bool prepareSsl(SSL* _Nonnull ssl);
+
+    // Get the most recently discovered session.  For TLS 1.3 compatibility and
+    // maximum privacy, each session will only be returned once, so the caller
+    // gains ownership of the session.  (Here and throughout,
+    // bssl::UniquePtr<SSL_SESSION> is actually serving as a reference counted
+    // pointer.)
+    bssl::UniquePtr<SSL_SESSION> getSession() EXCLUDES(mLock);
+
+private:
+    static constexpr size_t kMaxSize = 5;
+    static int newSessionCallback(SSL* _Nullable ssl, SSL_SESSION* _Nullable session);
+
+    std::mutex mLock;
+    void recordSession(SSL_SESSION* _Nullable session) EXCLUDES(mLock);
+
+    // Queue of sessions, from least recently added to most recently.
+    std::deque<bssl::UniquePtr<SSL_SESSION>> mSessions GUARDED_BY(mLock);
+};
+
+}  // end of namespace net
+}  // end of namespace android
+
+#endif  // _DNS_DNSTLSSESSIONCACHE_H