This is an automated email from the ASF dual-hosted git repository.
duke8253 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 1a1c2237cf remove ssl_session_reuse plugin (#11060)
1a1c2237cf is described below
commit 1a1c2237cf7c206cd37a6666f4aaab3f893a6778
Author: Fei Deng <[email protected]>
AuthorDate: Thu Feb 8 14:57:46 2024 -0500
remove ssl_session_reuse plugin (#11060)
---
doc/admin-guide/plugins/index.en.rst | 4 -
doc/admin-guide/plugins/ssl_session_reuse.en.rst | 93 ----
doc/admin-guide/plugins/stek_share.en.rst | 2 -
plugins/experimental/CMakeLists.txt | 1 -
plugins/experimental/ssl_session_reuse/.gitignore | 2 -
.../ssl_session_reuse/example_config.config | 61 ---
.../experimental/ssl_session_reuse/src/Config.h | 107 -----
.../ssl_session_reuse/src/ats_ssl_plugin.cc | 70 ---
.../experimental/ssl_session_reuse/src/common.cc | 202 ---------
.../experimental/ssl_session_reuse/src/common.h | 89 ----
.../experimental/ssl_session_reuse/src/config.cc | 158 -------
.../ssl_session_reuse/src/connection.cc | 56 ---
.../ssl_session_reuse/src/connection.h | 68 ---
.../experimental/ssl_session_reuse/src/globals.h | 46 --
.../experimental/ssl_session_reuse/src/message.h | 41 --
.../ssl_session_reuse/src/openssl_utils.cc | 120 ------
.../experimental/ssl_session_reuse/src/publish.cc | 430 -------------------
.../experimental/ssl_session_reuse/src/publisher.h | 105 -----
.../ssl_session_reuse/src/redis_auth.h | 28 --
.../ssl_session_reuse/src/redis_endpoint.cc | 66 ---
.../ssl_session_reuse/src/redis_endpoint.h | 47 --
.../ssl_session_reuse/src/session_process.cc | 205 ---------
.../ssl_session_reuse/src/session_process.h | 40 --
.../ssl_session_reuse/src/simple_pool.cc | 77 ----
.../ssl_session_reuse/src/simple_pool.h | 63 ---
.../experimental/ssl_session_reuse/src/ssl_init.cc | 129 ------
.../ssl_session_reuse/src/ssl_key_utils.cc | 472 ---------------------
.../experimental/ssl_session_reuse/src/ssl_utils.h | 70 ---
plugins/experimental/ssl_session_reuse/src/stek.h | 45 --
.../ssl_session_reuse/src/subscriber.cc | 225 ----------
.../ssl_session_reuse/src/subscriber.h | 59 ---
.../ssl_session_reuse/tests/plug-load.test.py | 61 ---
32 files changed, 3242 deletions(-)
diff --git a/doc/admin-guide/plugins/index.en.rst
b/doc/admin-guide/plugins/index.en.rst
index 66987a533c..001cf33560 100644
--- a/doc/admin-guide/plugins/index.en.rst
+++ b/doc/admin-guide/plugins/index.en.rst
@@ -188,7 +188,6 @@ directory of the |TS| source tree. Experimental plugins can
be compiled by passi
Legacy Signed URLs <url_sig.en>
Slice <slice.en>
SSL Headers <sslheaders.en>
- SSL Session Reuse <ssl_session_reuse.en>
Stale Response <stale_response.en>
STEK Share <stek_share.en>
System Statistics <system_stats.en>
@@ -266,9 +265,6 @@ directory of the |TS| source tree. Experimental plugins can
be compiled by passi
spread across multiple cache stripes. Allows arbitrary range requests to be
satisfied by stitching
these chunks together.
-:doc:`SSL Session Reuse <ssl_session_reuse.en>`
- Coordinates Session ID and ticket based TLS session resumption between a
group of ATS machines.
-
:doc:`SSL Headers <sslheaders.en>`
Populate request headers with SSL session information.
diff --git a/doc/admin-guide/plugins/ssl_session_reuse.en.rst
b/doc/admin-guide/plugins/ssl_session_reuse.en.rst
deleted file mode 100644
index 00becf55c9..0000000000
--- a/doc/admin-guide/plugins/ssl_session_reuse.en.rst
+++ /dev/null
@@ -1,93 +0,0 @@
-.. Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
-
-.. include:: ../../common.defs
-
-.. _admin-plugins-ssl_session_reuse:
-
-SSL Session Reuse Plugin
-************************
-
-This plugin coordinates session state data between ATS instances running in a
group. This should
-improve TLS session reuse (both ticket and ID based) for a set of machines
fronted by some form of
-layer 4 connection load balancer.
-
-How It Works
-============
-
-The plugin coordinates TLS session reuse for both Session ID based resumption
and ticket based resumption.
-For Session ID base resumption in uses the ATS SSL Session Cache for the local
store of TLS sessions. It uses
-Redis to communication new sessions with its peers. When a new session is
seen by an ATS instances it
-publishes an encrypted copy of the session state to the local Redis channel.
When a new session is received
-on the Redis channel, the plugin stores that session state into its local ATS
SSL session cache. Once the
-session state is in the local ATS SSL session cache it is available to the
OpenSSL library for future TLS
-handshakes.
-
-For the ticket based session resumption, the plugin implements logic to decide
on a Session Ticket Encryption Key (STEK)
-master. The master will periodically create a new STEK key and use the Redis
channel to publish the new STEK key
-to the other ATS boxes in the group. When the plugin starts up, it will
publish a Redis message requesting the master to
-resend the STEK key. The plugin uses the TSSslTicketKeyUpdate call to update
ATS with the last two STEK's it has received.
-
-All communication over the Redis channel is encrypted with a preshared key.
All the ATS boxes participating in the session
-reuse must have access to that preshared key.
-
-Building
-========
-
-This plugin uses Redis for communication. The hiredis client development
library must be installed
-for this plugin to build. It can be installed in the standard system location
or the install location
-can be specified by the --with-hiredis argument to configure.
-
-As part of the experimental plugs, the --enable-experimental-plugins option
must also be given to configure
-to build this plugin.
-
-Deploying
-=========
-
-The SSL Session Reuse plugin relies on Redis for communication. To deploy
build your own redis server or use a standard rpm
-package. It must be installed on at least one box in the ATS group. We have
it installed on two boxes in a failover
-scenario. The SSL Session Reuse configuration file describes how to
communicate with the redis servers.
-
-* :ts:cv:`proxy.config.ssl.session_cache` should be set to 2 to enable the ATS
implementation of session cache
-* :ts:cv:`proxy.config.ssl.session_cache.size` and
:ts:cv:`proxy.config.ssl.session_cache.num_buckets` may need to be adjusted to
ensure good hash table performance for your workload. For example, we needed
to increase the number of buckets to avoid long hash chains.
-* :ts:cv:`proxy.config.ssl.server.session_ticket.enable` should be set to 1 to
enable session ticket support.
-
-
-Config File
-===========
-
-SSL Session Reuse is a global plugin. Its configuration file is given as a
argument to the plugin.
-
-* redis.RedisEndpoints - This is a comma separated list of Redis servers to
connect to. The description of the redis server may include a port
-* redis.RedisConnectTimeout - Timeout on the redis connect attempt in
milliseconds.
-* redis.RedisRetryDelay - Timeout on retrying redis operations in milliseconds.
-* pubconfig.PubNumWorkers - Number of worker threads. Must be at least as
many as the number of redis servers.
-* pubconfig.PubRedisPublishTries - Number of times to attempt publishing data
-* pubconfig.PubRedisConnectTries - Number of times to retry a redis connection
attempt
-* pubconfig.PubMaxQueuedMessages - Maximum number of undelivered messages to
leave in the queue
-* ssl_session.ClusterName - Name associated with the group of machines. Used
to form basis of the redis channel name, e.g. Pool1
-* ssl_session.KeyUpdateInterval - How often to update the STEK key in seconds.
-* ssl_session.STEKMaster - If set to 1, the machine will assume it is the STEK
master on startup
-* ssl_session.redis_auth_key_file - The location of the file containing the
redis preshared secret.
-* subconfig.SubColoChannel - The redis channels to subscribe to, e.g. Pool1.*
-
-
-
-Example Config File
-===================
-
-.. literalinclude::
../../../plugins/experimental/ssl_session_reuse/example_config.config
diff --git a/doc/admin-guide/plugins/stek_share.en.rst
b/doc/admin-guide/plugins/stek_share.en.rst
index 43ac28c678..abdd428eea 100644
--- a/doc/admin-guide/plugins/stek_share.en.rst
+++ b/doc/admin-guide/plugins/stek_share.en.rst
@@ -25,8 +25,6 @@ STEK Share Plugin
*****************
This plugin coordinates STEK (Session Ticket Encryption Key) between ATS
instances running in a group.
-As the ID based session resumption rate continue to decrease, this new plugin
will replace the
-:ref:`admin-plugins-ssl_session_reuse` plugin.
How It Works
diff --git a/plugins/experimental/CMakeLists.txt
b/plugins/experimental/CMakeLists.txt
index ce518141e9..f451116f4b 100644
--- a/plugins/experimental/CMakeLists.txt
+++ b/plugins/experimental/CMakeLists.txt
@@ -46,7 +46,6 @@ if(USE_MAGICK)
endif()
#add_subdirectory(maxmind_acl)
#add_subdirectory(otel_tracer)
-#add_subdirectory(ssl_session_reuse)
#add_subdirectory(stek_share)
#add_subdirectory(uri_signing)
#add_subdirectory(wasm)
diff --git a/plugins/experimental/ssl_session_reuse/.gitignore
b/plugins/experimental/ssl_session_reuse/.gitignore
deleted file mode 100644
index 5de6b7a36e..0000000000
--- a/plugins/experimental/ssl_session_reuse/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-# This one gets written a few times with different content by the tests.
-tests/configs/reload.conf
diff --git a/plugins/experimental/ssl_session_reuse/example_config.config
b/plugins/experimental/ssl_session_reuse/example_config.config
deleted file mode 100644
index 55d96a5071..0000000000
--- a/plugins/experimental/ssl_session_reuse/example_config.config
+++ /dev/null
@@ -1,61 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#
-## start generic redis config parameters
-# endpoints
-redis.RedisEndpoints=host1.com:6379,host2.com:6379
-# in milliseconds
-redis.RedisConnectTimeout=20000
-# in milliseconds
-redis.RedisRetryDelay=5000000
-## end generic redis config parameters
-
-## start pub config settings
-pubconfig.PubNumWorkers=5
-pubconfig.PubRedisPublishTries=3
-pubconfig.PubRedisConnectTries=3
-pubconfig.PubMaxQueuedMessages=10000
-pubconfig.PubColoChannelId=sja
-## end pub config settings
-
-## start subconfig settings
-subconfig.SubColoChannel=sja.*
-## end subconfig settings
-
-#############################################################
-# This config file contains the starting values for the
-# ATS plugin ats_ssl_session_reuse.
-# Upon pkg install, settings may have been derived from yinst settings
-#############################################################
-## start ssl_session settings
-ssl_session.ClusterName=sja
-
-#############################################################
-# session-ticket-encryption-key (STEK) configs
-# KeyUpdateInterval (in seconds)
-# Specifies frequency of STEK rotation in POD, if I am STEK Master
-# maximum is 86400 (24 hours), default is 25200 (7 hours)
-
-ssl_session.KeyUpdateInterval=25200
-
-# STEKMaster= 1 (This instance will start as the STEK Master, initiating
rotation)
-# or 0 (start as STEK slave)
-ssl_session.STEKMaster=0
-
-ssl_session.redis_auth_key_file=/path/to/key/file
-
-## end ssl_session settings
diff --git a/plugins/experimental/ssl_session_reuse/src/Config.h
b/plugins/experimental/ssl_session_reuse/src/Config.h
deleted file mode 100644
index ac0eb786cc..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/Config.h
+++ /dev/null
@@ -1,107 +0,0 @@
-/** @file
-
- Config.h - configuration file support
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-
-#pragma once
-
-#include <map>
-#include <string>
-#include <sstream>
-#include <mutex>
-
-struct fromstring {
- fromstring(const std::string &string) : _string(string) {}
- template <typename _T> operator _T() const
- {
- _T t;
- std::istringstream ss(_string);
- ss >> t;
- return t;
- }
-
-protected:
- std::string _string;
-};
-
-class Config
-{
-public:
- virtual bool loadConfig(const std::string &filename);
-
- static Config &
- getSingleton()
- {
- static Config onlyInstance;
- return onlyInstance;
- }
-
- bool getValue(const std::string &category, const std::string &key,
std::string &value);
-
- template <typename _T>
- bool
- getValue(const std::string &category, const std::string &key, _T &value)
- {
- std::string strvalue;
- if (!getValue(category, key, strvalue)) {
- return false;
- }
- value = fromstring(strvalue);
- return true;
- }
-
- template <typename _T>
- _T
- returnValue(const std::string &category, const std::string &key, _T
default_value)
- {
- std::string strvalue;
- if (!getValue(category, key, strvalue)) {
- return default_value;
- }
- return fromstring(strvalue);
- }
-
- bool configHasChanged();
-
-private:
- // make sure the unit tests can access internals
- friend class sslSessionReuseConfigTest;
-
- Config();
- virtual ~Config();
-
- bool loadConfigOnChange();
-
- static const int cCheckDivisor = 5;
-
- // returns true if the mtime is newer than m_lastmtime
- // forcefully changes m_lastmtime.
- bool setLastConfigChange();
-
- std::string m_filename;
- std::map<std::string, std::string> m_config;
- std::mutex m_yconfigLock;
- bool m_noConfig;
- bool m_alreadyLoaded;
- time_t m_lastCheck;
- time_t m_lastmtime;
-};
diff --git a/plugins/experimental/ssl_session_reuse/src/ats_ssl_plugin.cc
b/plugins/experimental/ssl_session_reuse/src/ats_ssl_plugin.cc
deleted file mode 100644
index c7ce00ae32..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/ats_ssl_plugin.cc
+++ /dev/null
@@ -1,70 +0,0 @@
-/** @file
-
- ats_ssl_plugin.cc - plugin setup
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-
-#include <cstdio>
-#include <openssl/ssl.h>
-#include <ts/ts.h>
-#include <ts/apidefs.h>
-
-#include "common.h"
-#include "ssl_utils.h"
-
-PluginThreads plugin_threads;
-
-static int
-shutdown_handler(TSCont contp, TSEvent event, void *edata)
-{
- if (event == TS_EVENT_LIFECYCLE_SHUTDOWN) {
- plugin_threads.terminate();
- }
- return 0;
-}
-
-void
-TSPluginInit(int argc, const char *argv[])
-{
- TSPluginRegistrationInfo info;
-
- info.plugin_name = (char *)("ats_session_reuse");
- info.vendor_name = (char *)("ats");
- info.support_email = (char *)("[email protected]");
-
- TSLifecycleHookAdd(TS_LIFECYCLE_SHUTDOWN_HOOK,
TSContCreate(shutdown_handler, nullptr));
-
- if (TSPluginRegister(&info) != TS_SUCCESS) {
- TSError("Plugin registration failed.");
- return;
- }
-
- if (argc < 2) {
- TSError("Must specify config file.");
- } else if (!init_ssl_params(argv[1])) {
- init_subscriber();
- TSCont cont = TSContCreate(SSL_session_callback, nullptr);
- Dbg(dbg_ctl, "TSPluginInit adding TS_SSL_SESSION_HOOK.");
- TSHttpHookAdd(TS_SSL_SESSION_HOOK, cont);
- } else {
- TSError("init_ssl_params failed.");
- }
-}
diff --git a/plugins/experimental/ssl_session_reuse/src/common.cc
b/plugins/experimental/ssl_session_reuse/src/common.cc
deleted file mode 100644
index 29ae8ed7ac..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/common.cc
+++ /dev/null
@@ -1,202 +0,0 @@
-/** @file
-
- common.cc - Some common functions everyone needs
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-
-#include <cstdio>
-#include <cstring>
-#include <openssl/ssl.h>
-#include <ts/ts.h>
-#include <ts/apidefs.h>
-
-#include "common.h"
-
-namespace ssl_session_reuse_ns
-{
-DbgCtl dbg_ctl{PLUGIN};
-}
-
-const unsigned char salt[] = {115, 97, 108, 117, 0, 85, 137, 229};
-const unsigned char hex_chars[] = {'0', '1', '2', '3', '4', '5', '6', '7',
'8', '9', 'A', 'B', 'C', 'D', 'E', 'F'};
-
-std::string
-hex_str(std::string const &str)
-{
- size_t len = str.size() * 2 + 1;
- char hex_str[len];
- for (unsigned long int i = 0; i < str.size(); ++i) {
- unsigned char c = str.at(i);
- hex_str[i * 2] = hex_chars[(c & 0xF0) >> 4];
- hex_str[i * 2 + 1] = hex_chars[(c & 0x0F)];
- }
- hex_str[len - 1] = '\0';
- return std::string(hex_str, len);
-}
-
-int
-encrypt_encode64(const unsigned char *key, int key_length, const unsigned char
*in_data, int in_data_len, char *out_data,
- size_t out_data_size, size_t *out_data_len)
-{
- if (!key || !in_data || !out_data || !out_data_len) {
- return -1;
- }
-
- int cipher_block_size = 0;
- unsigned char *encrypted = nullptr;
- int encrypted_len = 0;
- int encrypted_len_extra = 0;
- int ret = -1;
-
- // Initialize context
- EVP_CIPHER_CTX *context = EVP_CIPHER_CTX_new();
- unsigned char iv[EVP_MAX_IV_LENGTH];
- unsigned char gen_key[EVP_MAX_KEY_LENGTH];
-
- // generate key and iv
- if (EVP_BytesToKey(EVP_aes_256_cbc(), EVP_md5(), salt, key, key_length, 1,
gen_key, iv) <= 0) {
- Dbg(dbg_ctl, "Error generating key.");
- ret = -2;
- goto Cleanup;
- }
-
- // Set context AES128 with the generated key and iv
- if (1 != EVP_EncryptInit_ex(context, EVP_aes_256_cbc(), nullptr, gen_key,
iv)) {
- Dbg(dbg_ctl, "EVP_EncryptInit_ex failed.");
- ret = -3;
- goto Cleanup;
- }
-
- // https://www.openssl.org/docs/manmaster/man3/EVP_EncryptUpdate.html
- // EVP_EncryptUpdate() needs (inl + cipher_block_size - 1) bytes.
- // EVP_EncryptFinal_ex needs (inl + cipher_block_size) bytes.
- cipher_block_size = EVP_CIPHER_CTX_block_size(context);
- encrypted = new unsigned char[in_data_len + cipher_block_size * 2];
- if (1 != EVP_EncryptUpdate(context, encrypted, &encrypted_len, in_data,
in_data_len)) {
- Dbg(dbg_ctl, "EVP_EncryptUpdate failed.");
- ret = -4;
- goto Cleanup;
- }
-
- if (1 != EVP_EncryptFinal_ex(context, encrypted + encrypted_len,
&encrypted_len_extra)) {
- Dbg(dbg_ctl, "EVP_EncryptFinal_ex failed.");
- ret = -5;
- goto Cleanup;
- }
-
- // We must encode it to base64 here, since the encryption doesn't guarantee
that there are no
- // null bytes in the output. Which will cause a problem when sending it
through redis since
- // the redis command needs to be formatted to a C string.
- if (TSBase64Encode(reinterpret_cast<char *>(encrypted), encrypted_len +
encrypted_len_extra, out_data, out_data_size,
- out_data_len) != 0) {
- Dbg(dbg_ctl, "Base 64 encoding failed.");
- ret = -6;
- goto Cleanup;
- }
-
- Dbg(dbg_ctl, "Encrypted buffer of size %d to buffer of size %lu.",
in_data_len, *out_data_len);
- ret = 0;
-
-Cleanup:
-
- if (encrypted) {
- delete[] encrypted;
- }
-
- if (context) {
- EVP_CIPHER_CTX_free(context);
- }
-
- return ret;
-}
-
-int
-decrypt_decode64(const unsigned char *key, int key_length, const char
*in_data, int in_data_len, unsigned char *out_data,
- size_t out_data_size, size_t *out_data_len)
-{
- if (!key || !in_data || !out_data || !out_data_len) {
- return -1;
- }
-
- size_t decoded_size = DECODED_LEN(in_data_len);
- size_t decoded_len = 0;
- unsigned char *decoded = new unsigned char[decoded_size];
- int decrypted_len = 0;
- int decrypted_len_extra = 0;
- int ret = -1;
-
- // Initialize context
- EVP_CIPHER_CTX *context = EVP_CIPHER_CTX_new();
- unsigned char iv[EVP_MAX_IV_LENGTH];
- unsigned char gen_key[EVP_MAX_KEY_LENGTH];
-
- // Decode base64
- std::memset(decoded, 0, decoded_size);
- if (TSBase64Decode(in_data, in_data_len, decoded, decoded_size,
&decoded_len) != 0) {
- Dbg(dbg_ctl, "Base 64 decoding failed.");
- ret = -2;
- goto Cleanup;
- }
-
- // generate key and iv
- if (EVP_BytesToKey(EVP_aes_256_cbc(), EVP_md5(), salt, key, key_length, 1,
gen_key, iv) <= 0) {
- Dbg(dbg_ctl, "Error generating key.");
- ret = -3;
- goto Cleanup;
- }
- // set context with the generated key and iv
- if (1 != EVP_DecryptInit_ex(context, EVP_aes_256_cbc(), nullptr, gen_key,
iv)) {
- Dbg(dbg_ctl, "EVP_DecryptInit_ex failed.");
- ret = -4;
- goto Cleanup;
- }
-
- // https://www.openssl.org/docs/manmaster/man3/EVP_DecryptUpdate.html
- // EVP_DecryptUpdate() and EVP_DecryptFinal_ex() have the exact same
requirements as their encrypt counterparts.
- if (1 != EVP_DecryptUpdate(context, out_data, &decrypted_len, decoded,
decoded_len)) {
- Dbg(dbg_ctl, "EVP_DecryptUpdate failed.");
- ret = -5;
- goto Cleanup;
- }
-
- if (1 != EVP_DecryptFinal_ex(context, out_data + decrypted_len,
&decrypted_len_extra)) {
- Dbg(dbg_ctl, "EVP_DecryptFinal_ex failed.");
- ret = -6;
- goto Cleanup;
- }
-
- *out_data_len = decrypted_len + decrypted_len_extra;
-
- Dbg(dbg_ctl, "Decrypted buffer of size %d to buffer of size %lu.",
in_data_len, *out_data_len);
- ret = 0;
-
-Cleanup:
-
- if (decoded) {
- delete[] decoded;
- }
-
- if (context) {
- EVP_CIPHER_CTX_free(context);
- }
-
- return ret;
-}
diff --git a/plugins/experimental/ssl_session_reuse/src/common.h
b/plugins/experimental/ssl_session_reuse/src/common.h
deleted file mode 100644
index 479cb85492..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/common.h
+++ /dev/null
@@ -1,89 +0,0 @@
-/** @file
-
- common.h - Things that need to be everywhere
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-#pragma once
-
-#include <iostream>
-#include <iomanip>
-#include <string>
-#include <cstring>
-#include <mutex>
-#include <deque>
-#include <cmath>
-
-#define PLUGIN "ssl_session_reuse"
-
-namespace ssl_session_reuse_ns
-{
-extern DbgCtl dbg_ctl;
-}
-using namespace ssl_session_reuse_ns;
-
-// Base 64 encoding takes 4*(ceil(n/3)) bytes
-#define ENCODED_LEN(len) (((int)ceil(1.34 * (len) + 5)) + 1)
-#define DECODED_LEN(len) (((int)ceil(0.75 * (len))) + 1)
-// 3DES encryption will take at most 8 extra bytes. Plus we base 64 encode
the result
-#define ENCRYPT_LEN(len) ((int)ceil(1.34 * ((len) + 8) + 5) + 1)
-#define DECRYPT_LEN(len) ((int)ceil(1.34 * ((len) + 8) + 5) + 1)
-
-class PluginThreads
-{
-public:
- bool shutdown = false;
-
- void
- store(const pthread_t &th)
- {
- std::lock_guard<std::mutex> lock(threads_mutex);
- threads_queue.push_back(th);
- }
-
- void
- terminate()
- {
- shutdown = true;
-
- std::lock_guard<std::mutex> lock(threads_mutex);
- while (!threads_queue.empty()) {
- pthread_t th = threads_queue.front();
- ::pthread_join(th, nullptr);
- threads_queue.pop_front();
- }
- }
-
-private:
- std::deque<pthread_t> threads_queue;
- std::mutex threads_mutex;
-};
-
-std::string hex_str(std::string const &str);
-
-int encrypt_encode64(const unsigned char *key, int key_length, const unsigned
char *in_data, int in_data_len, char *out_data,
- size_t out_data_size, size_t *out_data_len);
-
-int decrypt_decode64(const unsigned char *key, int key_length, const char
*in_data, int in_data_len, unsigned char *out_data,
- size_t out_data_size, size_t *out_data_len);
-
-extern const unsigned char salt[];
-
-extern PluginThreads plugin_threads;
diff --git a/plugins/experimental/ssl_session_reuse/src/config.cc
b/plugins/experimental/ssl_session_reuse/src/config.cc
deleted file mode 100644
index 1b840710eb..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/config.cc
+++ /dev/null
@@ -1,158 +0,0 @@
-/** @file
-
- config.cc - config file support
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-
-#include <cstring>
-#include <fcntl.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <ts/ts.h>
-#include <ts/apidefs.h>
-
-#include "Config.h"
-#include "common.h"
-#include "swoc/TextView.h"
-
-Config::Config()
-{
- m_filename = "";
- m_config.clear();
- m_noConfig = false;
- m_alreadyLoaded = false;
- m_lastCheck = 0;
- m_lastmtime = 0;
-}
-
-Config::~Config() = default;
-
-bool
-Config::loadConfig(const std::string &filename)
-{
- if (m_alreadyLoaded) {
- return true;
- }
-
- bool success = false;
-
- m_filename = filename;
-
- int fd = (this->m_filename.length() > 0 ? open(m_filename.c_str(), O_RDONLY)
: ts::NO_FD);
- struct stat info;
- if (fd >= 0 && 0 == fstat(fd, &info)) {
- size_t n = info.st_size;
- std::string config_data;
- config_data.resize(n);
- if (read(fd, const_cast<char *>(config_data.data()), n) !=
static_cast<int>(n)) {
- close(fd);
- return success;
- }
-
- swoc::TextView content(config_data);
- while (content) {
- swoc::TextView line = content.take_prefix_at('\n');
- if (line.empty() || '#' == *line) {
- continue;
- }
- line.ltrim_if(&isspace);
- swoc::TextView field = line.take_prefix_at('=');
- Dbg(dbg_ctl, "%.*s=%.*s", static_cast<int>(field.size()), field.data(),
static_cast<int>(line.size()), line.data());
- if (field.size() > 0) {
- m_config[std::string(field.data(), field.size())] =
std::string(line.data(), line.size());
- }
- }
-
- close(fd);
-
- m_noConfig = false;
- success = true;
- m_alreadyLoaded = true;
- }
-
- return success;
-}
-
-bool
-Config::setLastConfigChange()
-{
- struct stat s;
- time_t oldLastmtime = m_lastmtime;
-
- memset(&s, 0, sizeof(s));
- if (stat(m_filename.c_str(), &s) != 0) {
- return false;
- }
-
- m_lastmtime = s.st_mtime;
-
- if (s.st_mtime > oldLastmtime) {
- return true;
- }
- return false;
-}
-
-bool
-Config::configHasChanged()
-{
- time_t checkTime = time(nullptr) / cCheckDivisor;
-
- if (0 == m_lastmtime || m_lastCheck != checkTime) {
- m_lastCheck = checkTime;
- return setLastConfigChange();
- }
- return false;
-}
-
-bool
-Config::loadConfigOnChange()
-{
- if (configHasChanged()) {
- // loadConfig will check this, and if it hasn't been set it'll just bail.
- m_alreadyLoaded = false;
- return loadConfig(m_filename);
- }
-
- return true;
-}
-
-bool
-Config::getValue(const std::string &category, const std::string &key,
std::string &value)
-{
- if (!m_noConfig) {
- m_yconfigLock.lock();
-
- if (loadConfigOnChange()) {
- // convert to category.key= value.
- std::string keyname = category + "." + key;
- std::map<std::string, std::string>::iterator it = m_config.find(keyname);
-
- // we have to use find so we don't overwrite defaults when we don't find
anything.
- if (m_config.end() != it) {
- value = it->second;
- }
- }
- m_yconfigLock.unlock();
- }
-
- return !value.empty();
-}
diff --git a/plugins/experimental/ssl_session_reuse/src/connection.cc
b/plugins/experimental/ssl_session_reuse/src/connection.cc
deleted file mode 100644
index 6c0cc956ed..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/connection.cc
+++ /dev/null
@@ -1,56 +0,0 @@
-/** @file
-
- connection.cc - connect to redis
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-
-#include "connection.h"
-
-connection::connection(const std::string &host, const unsigned int port, const
unsigned int timeout)
-{
- struct timeval tv;
- tv.tv_sec = timeout / 1000;
- tv.tv_usec = (timeout % 1000) * 1000;
-
- c = redisConnectWithTimeout(host.c_str(), port, tv);
- if (c) {
- if (c->err != REDIS_OK) {
- redisFree(c);
- c = nullptr;
- }
- }
-}
-
-connection::~connection()
-{
- if (c) {
- redisFree(c);
- }
-}
-
-bool
-connection::is_valid() const
-{
- if (c) {
- return c->err == REDIS_OK;
- }
- return false;
-}
diff --git a/plugins/experimental/ssl_session_reuse/src/connection.h
b/plugins/experimental/ssl_session_reuse/src/connection.h
deleted file mode 100644
index 597f496c54..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/connection.h
+++ /dev/null
@@ -1,68 +0,0 @@
-/** @file
-
- Connection.h - connection class
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-#pragma once
-
-#include <string>
-#include <hiredis/hiredis.h>
-
-/**
- * @brief The connection class, represent a connection to a Redis server
- */
-class connection
-{
-public:
- /**
- * @brief Create and open a new connection
- * @param host hostname or ip of redis server, default localhost
- * @param port port of redis server, default: 6379
- * @param timeout time out in milli-seconds, default: 5
- * @return
- */
- inline static connection *
- create(const std::string &host = "localhost", const unsigned int port =
6379, const unsigned int timeout = 5)
- {
- return (new connection(host, port, timeout));
- }
-
- ~connection();
-
- bool is_valid() const;
-
- /**
- * @brief Returns raw ptr to hiredis library connection.
- * Use it with caution and pay attention on memory
- * management.
- * @return
- */
- inline redisContext *
- c_ptr() const
- {
- return c;
- }
-
-private:
- friend class connection_pool;
- connection(const std::string &host, const unsigned int port, const unsigned
int timeout);
- redisContext *c;
-};
diff --git a/plugins/experimental/ssl_session_reuse/src/globals.h
b/plugins/experimental/ssl_session_reuse/src/globals.h
deleted file mode 100644
index a0c4819fdd..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/globals.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/** @file
-
- globals.h - global default values
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-#pragma once
-
-#include <string>
-#include <vector>
-#include <sstream>
-
-const std::string cDefaultConfig("ats_ssl_session_reuse.xml");
-const unsigned int cPubNumWorkerThreads(100);
-const int cDefaultRedisPort(6379);
-const std::string cDefaultRedisHost("localhost");
-const std::string cDefaultRedisEndpoint("localhost:6379");
-const unsigned int cDefaultRedisConnectTimeout(1000000);
-const unsigned int cDefaultRedisPublishTries(5);
-const unsigned int cDefaultRedisConnectTries(5);
-const unsigned int cDefaultRedisRetryDelay(5000000);
-const unsigned int cDefaultMaxQueuedMessages(1000);
-const std::string cDefaultSubColoChannel("test.*");
-const unsigned int cDefaultRedisMessageWaitTime(100000);
-const unsigned int cDefaultMdbmCleanupTime(100);
-const unsigned int cDefaultMdbmMaxSize(65536);
-const unsigned int cDefaultMdbmPageSize(2048);
-const int SUCCESS(0);
-const int FAILURE(-1);
diff --git a/plugins/experimental/ssl_session_reuse/src/message.h
b/plugins/experimental/ssl_session_reuse/src/message.h
deleted file mode 100644
index df33f8c2fd..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/message.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/** @file
-
- messages.h - message class
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-#pragma once
-
-#include <string>
-#include <set>
-
-#include "redis_endpoint.h"
-
-struct Message {
- std::string channel;
- std::string data;
- bool cleanup;
- std::set<RedisEndpoint, RedisEndpointCompare> hosts_tried;
-
- Message() {}
- Message(const struct Message &m) : channel(m.channel), data(m.data),
cleanup(m.cleanup), hosts_tried(m.hosts_tried) {}
- Message(const std::string &c, const std::string &d, bool quit = false) :
channel(c), data(d), cleanup(quit) {}
- virtual ~Message() {}
-};
diff --git a/plugins/experimental/ssl_session_reuse/src/openssl_utils.cc
b/plugins/experimental/ssl_session_reuse/src/openssl_utils.cc
deleted file mode 100644
index 9da6d0949f..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/openssl_utils.cc
+++ /dev/null
@@ -1,120 +0,0 @@
-/** @file
-
- openssl_utils.cc - Interaction with openssl constructs
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-
-#include <cstring>
-#include <cerrno>
-#include <cmath>
-#include <unistd.h>
-#include <fcntl.h>
-#include <pthread.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <openssl/rand.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <ts/ts.h>
-
-#include "ssl_utils.h"
-#include "Config.h"
-#include "session_process.h"
-#include "common.h"
-
-static int
-ssl_new_session(TSSslSessionID &sid)
-{
- // Encode ID
- std::string encoded_id;
- int ret = encode_id(sid.bytes, sid.len, encoded_id);
- if (ret < 0) {
- TSError("Encoded id failed.");
- return 0;
- }
- std::string redis_channel = ssl_param.cluster_name + "." + encoded_id;
-
- int session_ret_len = SSL_SESSION_MAX_DER;
- char session_data[SSL_SESSION_MAX_DER];
- const auto buffer_length = TSSslSessionGetBuffer(&sid, session_data,
&session_ret_len);
- if (buffer_length == 0) {
- Dbg(dbg_ctl, "Failed to find a session buffer.");
- return 0;
- } else if (buffer_length > session_ret_len) {
- TSError("Session data is too large. Its size is: %d but our max buffer
size is: %d.", buffer_length, SSL_SESSION_MAX_DER);
- return 0;
- }
-
- std::string encrypted_data;
- ret = encrypt_session(session_data, session_ret_len, (unsigned char
*)get_key_ptr(), get_key_length(), encrypted_data);
- if (ret < 0) {
- TSError("Encrypt_session failed.");
- return 0;
- }
-
- ssl_param.pub->publish(redis_channel, encrypted_data);
-
- Dbg(dbg_ctl, "Create new session id: %s encoded: %s channel: %s",
encoded_id.c_str(), encrypted_data.c_str(),
- redis_channel.c_str());
-
- return 0;
-}
-
-static int
-ssl_access_session(TSSslSessionID &sid)
-{
- return 0;
-}
-
-static int
-ssl_del_session(TSSslSessionID &sid)
-{
- std::string encoded_id;
-
- int ret = encode_id(sid.bytes, sid.len, encoded_id);
- if (!ret) {
- Dbg(dbg_ctl, "Session is deleted. id: %s", encoded_id.c_str());
- }
-
- return 0;
-}
-
-int
-SSL_session_callback(TSCont contp, TSEvent event, void *edata)
-{
- Dbg(dbg_ctl, "SSL_session_callback event: %d", event);
- TSSslSessionID *sessionid = reinterpret_cast<TSSslSessionID *>(edata);
-
- switch (event) {
- case TS_EVENT_SSL_SESSION_NEW:
- ssl_new_session(*sessionid);
- break;
- case TS_EVENT_SSL_SESSION_REMOVE:
- ssl_del_session(*sessionid);
- break;
- case TS_EVENT_SSL_SESSION_GET:
- ssl_access_session(*sessionid);
- break;
- default:
- break;
- }
- return 0;
-}
diff --git a/plugins/experimental/ssl_session_reuse/src/publish.cc
b/plugins/experimental/ssl_session_reuse/src/publish.cc
deleted file mode 100644
index ca3a9ced7c..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/publish.cc
+++ /dev/null
@@ -1,430 +0,0 @@
-/** @file
-
- publish.cc - redis publisher class
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-
-#include <iostream>
-#include <exception>
-#include <cstring>
-#include <memory>
-#include <unistd.h>
-#include <sys/time.h>
-#include <ts/ts.h>
-
-#include "common.h"
-#include "publisher.h"
-#include "Config.h"
-#include "redis_auth.h"
-#include "ssl_utils.h"
-#include <cinttypes>
-#include <condition_variable>
-
-std::mutex q_mutex;
-std::condition_variable q_checker;
-bool q_ready = false;
-
-void *
-RedisPublisher::start_worker_thread(void *arg)
-{
- plugin_threads.store(pthread_self());
- ::pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, nullptr);
- ::pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, nullptr);
-
- RedisPublisher *publisher = static_cast<RedisPublisher *>(arg);
- publisher->runWorker();
- return arg;
-}
-
-RedisPublisher::RedisPublisher(const std::string &conf)
- : m_redisEndpointsStr(cDefaultRedisEndpoint),
- m_numWorkers(cPubNumWorkerThreads),
- m_redisConnectTimeout(cDefaultRedisConnectTimeout),
- m_redisConnectTries(cDefaultRedisConnectTries),
- m_redisPublishTries(cDefaultRedisPublishTries),
- m_redisRetryDelay(cDefaultRedisRetryDelay),
- m_maxQueuedMessages(cDefaultMaxQueuedMessages),
- m_poolRedisConnectTimeout(cDefaultRedisConnectTimeout)
-{
- if (Config::getSingleton().loadConfig(conf)) {
- Config::getSingleton().getValue("pubconfig", "PubNumWorkers",
m_numWorkers);
- Config::getSingleton().getValue("redis", "RedisEndpoints",
m_redisEndpointsStr);
- Config::getSingleton().getValue("redis", "RedisConnectTimeout",
m_redisConnectTimeout);
- Config::getSingleton().getValue("pubconfig", "PubRedisPublishTries",
m_redisPublishTries);
- Config::getSingleton().getValue("pubconfig", "PubRedisConnectTries",
m_redisConnectTries);
- Config::getSingleton().getValue("redis", "RedisRetryDelay",
m_redisRetryDelay);
- Config::getSingleton().getValue("pubconfig", "PubMaxQueuedMessages",
m_maxQueuedMessages);
- Config::getSingleton().getValue("redis", "RedisConnectTimeout",
m_poolRedisConnectTimeout);
- }
-
- // get our psk to access session_reuse redis network.
- char redis_auth_key[MAX_REDIS_KEYSIZE];
- if (!(get_redis_auth_key(redis_auth_key, MAX_REDIS_KEYSIZE))) {
- err = true;
- TSError("RedisPublisher::RedisPublisher: Cannot get redis AUTH password.");
- redis_passwd.clear();
- } else {
- redis_passwd = redis_auth_key;
- memset(redis_auth_key, 0, MAX_REDIS_KEYSIZE); // tidy up our stack
- }
-
- addto_endpoint_vector(m_redisEndpoints, m_redisEndpointsStr);
-
- Dbg(dbg_ctl, "RedisPublisher::RedisPublisher: NumWorkers: %d
RedisConnectTimeout: %d", m_numWorkers, m_redisConnectTimeout);
- Dbg(dbg_ctl,
- "RedisPublisher::RedisPublisher: RedisPublishTries: %d
RedisConnectTries: %d RedisRetryDelay: %d MaxQueuedMessages: %d",
- m_redisPublishTries, m_redisConnectTries, m_redisRetryDelay,
m_maxQueuedMessages);
-
- Dbg(dbg_ctl, "RedisPublisher::RedisPublisher: Redis Publish endpoints are as
follows:");
- for (auto &m_redisEndpoint : m_redisEndpoints) {
- simple_pool *pool = simple_pool::create(m_redisEndpoint.m_hostname,
m_redisEndpoint.m_port, m_poolRedisConnectTimeout);
- pools.push_back(pool);
- }
-
- Dbg(dbg_ctl, "RedisPublisher::RedisPublisher: PoolRedisConnectTimeout: %d",
m_poolRedisConnectTimeout);
-
- ::sem_init(&m_workerSem, 0, 0);
-
- if (m_redisEndpoints.size() > m_numWorkers) {
- err = true;
- TSError("RedisPublisher::RedisPublisher: Number of threads in the thread
pool less than the number of redis endpoints.");
- }
-
- if (!err) {
- for (unsigned int i = 0; i < m_redisEndpoints.size(); i++) {
- TSThreadCreate(RedisPublisher::start_worker_thread, static_cast<void
*>(this));
- }
- }
-}
-
-bool
-RedisPublisher::is_good()
-{
- return !err;
-}
-
-::redisContext *
-RedisPublisher::setup_connection(const RedisEndpoint &re)
-{
- uint64_t my_id = 0;
- if (dbg_ctl.on()) {
- my_id = static_cast<uint64_t>(pthread_self());
- Dbg(dbg_ctl, "RedisPublisher::setup_connection: Called by threadId: %"
PRIx64, my_id);
- }
-
- RedisContextPtr my_context;
- struct ::timeval timeout;
- timeout.tv_sec = m_redisConnectTimeout / 1000;
- timeout.tv_usec = (m_redisConnectTimeout % 1000) * 1000;
-
- for (int i = 0; i < static_cast<int>(m_redisConnectTries); ++i) {
- my_context.reset(::redisConnectWithTimeout(re.m_hostname.c_str(),
re.m_port, timeout));
- if (!my_context) {
- TSError("RedisPublisher::setup_connection: Connect to host: %s port: %d
fail count: %d threadId: %" PRIx64,
- re.m_hostname.c_str(), re.m_port, i + 1, my_id);
- } else if (my_context->err) {
- TSError("RedisPublisher::setup_connection: Connect to host: %s port: %d
fail count: %d threadId: %" PRIx64,
- re.m_hostname.c_str(), re.m_port, i + 1, my_id);
- my_context.reset(nullptr);
- } else {
- Dbg(dbg_ctl, "RedisPublisher::setup_connection: threadId: %" PRIx64 "
Successfully connected to the redis instance.", my_id);
-
- redisReply *reply = static_cast<redisReply
*>(redisCommand(my_context.get(), "AUTH %s", redis_passwd.c_str()));
-
- if (reply == nullptr) {
- TSError("RedisPublisher::setup_connection: Cannot AUTH redis server,
no reply.");
- my_context.reset(nullptr);
- } else if (reply->type == REDIS_REPLY_ERROR) {
- TSError("RedisPublisher::setup_connection: Cannot AUTH redis server,
error reply.");
- freeReplyObject(reply);
- my_context.reset(nullptr);
- } else {
- Dbg(dbg_ctl, "RedisPublisher::setup_connection: Successfully AUTH
redis server.");
- freeReplyObject(reply);
- }
- break;
- }
-
- TSError("RedisPublisher::setup_connection: Connect failed, will wait for:
%d microseconds and try again.", m_redisRetryDelay);
- ::usleep(m_redisRetryDelay);
- }
-
- return my_context.release();
-}
-
-::redisReply *
-RedisPublisher::send_publish(RedisContextPtr &ctx, const RedisEndpoint &re,
const Message &msg)
-{
- uint64_t my_id = 0;
- if (dbg_ctl.on()) {
- my_id = static_cast<uint64_t>(pthread_self());
- Dbg(dbg_ctl, "RedisPublisher::send_publish: Called by threadId: %" PRIx64,
my_id);
- }
-
- ::redisReply *current_reply(nullptr);
-
- for (int i = 0; i < static_cast<int>(m_redisPublishTries); ++i) {
- if (!ctx) {
- ctx.reset(setup_connection(re));
-
- if (!ctx) {
- TSError("RedisPublisher::send_publish: Unable to setup a connection to
the redis server: %s:%d threadId: %" PRIx64
- " try: %d",
- re.m_hostname.c_str(), re.m_port, my_id, (i + 1));
- continue;
- }
- }
-
- current_reply = static_cast<redisReply *>(::redisCommand(ctx.get(),
"PUBLISH %s %s", msg.channel.c_str(), msg.data.c_str()));
- if (!current_reply) {
- TSError("RedisPublisher::send_publish: Unable to get a reply from the
server for publish. threadId: %" PRIx64 " try: %d",
- my_id, (i + 1));
- ctx.reset(nullptr); // Clean up previous attempt
-
- } else if (REDIS_REPLY_ERROR == current_reply->type) {
- TSError("RedisPublisher::send_publish: Server responded with error for
publish. threadId: %" PRIx64 " try: %d", my_id, i + 1);
- clear_reply(current_reply);
- current_reply = nullptr;
- ctx.reset(nullptr); // Clean up previous attempt
- } else {
- break;
- }
- }
-
- return current_reply;
-}
-
-void
-RedisPublisher::clear_reply(::redisReply *reply)
-{
- if (reply) {
- ::freeReplyObject(reply);
- }
-}
-
-void
-RedisPublisher::runWorker()
-{
- m_endpointIndexMutex.lock();
- RedisEndpoint &my_endpoint(m_redisEndpoints[m_endpointIndex]);
-
- if (static_cast<int>(m_redisEndpoints.size() - 1) == m_endpointIndex) {
- m_endpointIndex = 0;
- } else {
- ++m_endpointIndex;
- }
- m_endpointIndexMutex.unlock();
-
- RedisContextPtr my_context;
- ::redisReply *current_reply(nullptr);
-
- while (!plugin_threads.shutdown) {
- try {
- ::sem_post(&m_workerSem);
- int readyWorkers = 0;
- ::sem_getvalue(&m_workerSem, &readyWorkers);
-
- // LOGDEBUG(PUB, "RedisPublisher::runWorker.Ready worker count: " <<
readyWorkers);
-
- m_messageQueueMutex.lock();
-
- if (m_messageQueue.empty()) {
- ::sem_wait(&m_workerSem);
- m_messageQueueMutex.unlock();
- std::unique_lock<std::mutex> lock(q_mutex);
- q_checker.wait(lock, [] { return q_ready; });
- // coverity[race condition q_mutex not held:FALSE]
- q_ready = false;
- continue;
- }
-
- // Can't do reference here, since we pop it off the queue, the reference
will be invalid.
- Message current_message(m_messageQueue.front());
- if (!current_message.cleanup) {
- m_messageQueue.pop_front();
- }
-
- m_messageQueueMutex.unlock();
- ::sem_wait(&m_workerSem);
-
- if (current_message.cleanup) {
- if (dbg_ctl.on()) {
- auto my_id = static_cast<uint64_t>(pthread_self());
- Dbg(dbg_ctl, "RedisPublisher::runWorker: threadId: %" PRIx64 "
received the cleanup message. Exiting!", my_id);
- }
- break;
- }
- current_reply = send_publish(my_context, my_endpoint, current_message);
-
- if (!current_reply) {
- current_message.hosts_tried.insert(my_endpoint);
- if (current_message.hosts_tried.size() < m_redisEndpoints.size()) {
- // all endpoints are not tried
- // someone else might be able to transmit
- m_messageQueueMutex.lock();
- if (!m_messageQueue.front().cleanup) {
- m_messageQueue.push_front(current_message);
- }
- m_messageQueueMutex.unlock();
-
- {
- std::lock_guard<std::mutex> lock(q_mutex);
- q_ready = true;
- }
- q_checker.notify_one();
- }
- }
-
- clear_reply(current_reply);
- current_reply = nullptr;
- } catch (...) {
- Dbg(dbg_ctl, "RedisPublisher::runWorker exception");
- break;
- }
- }
- my_context.reset(nullptr);
- clear_reply(current_reply);
-
- ::pthread_exit(nullptr);
-}
-
-int
-RedisPublisher::publish(const std::string &channel, const std::string &data)
-{
- Dbg(dbg_ctl, "RedisPublisher::publish: Publish request for channel: %s and
message: \"%s\" received.", channel.c_str(),
- hex_str(data).c_str());
-
- m_messageQueueMutex.lock();
-
- m_messageQueue.emplace_back(channel, data);
-
- if (m_messageQueue.size() > m_maxQueuedMessages) {
- m_messageQueue.pop_front();
- }
- m_messageQueueMutex.unlock();
-
- {
- std::lock_guard<std::mutex> lock(q_mutex);
- q_ready = true;
- }
- q_checker.notify_one();
-
- return SUCCESS;
-}
-
-int
-RedisPublisher::signal_cleanup()
-{
- Dbg(dbg_ctl, "RedisPublisher::signal_cleanup: Called.");
- Message cleanup_message("", "", true);
-
- m_messageQueueMutex.lock();
- m_messageQueue.push_front(cleanup_message); // highest priority
- m_messageQueueMutex.unlock();
-
- {
- std::lock_guard<std::mutex> lock(q_mutex);
- q_ready = true;
- }
- q_checker.notify_one();
-
- return SUCCESS;
-}
-
-RedisPublisher::~RedisPublisher()
-{
- Dbg(dbg_ctl, "RedisPublisher::~RedisPublisher: Called.");
- RedisPublisher::signal_cleanup();
-
- ::sem_destroy(&m_workerSem);
-}
-
-std::string
-RedisPublisher::get_session(const std::string &channel)
-{
- if (dbg_ctl.on()) {
- auto my_id = static_cast<uint64_t>(pthread_self());
- Dbg(dbg_ctl, "RedisPublisher::get_session: Called by threadId: %" PRIx64,
my_id);
- }
-
- std::string ret;
- uint32_t index = get_hash_index(channel);
- redisReply *reply = nullptr;
- Dbg(dbg_ctl, "RedisPublisher::get_session: Start to try to get session.");
- for (uint32_t i = 0; i < m_redisEndpoints.size(); i++) {
- connection *conn = pools[index]->get();
-
- if (conn) {
- reply = static_cast<redisReply *>(redisCommand(conn->c_ptr(), "GET %s",
channel.c_str()));
- if (reply && reply->type == REDIS_REPLY_STRING) {
- Dbg(dbg_ctl, "RedisPublisher::get_session: Success to GET a value from
redis server index: %d", index);
- pools[index]->put(conn);
- ret = reply->str;
- clear_reply(reply);
- return ret;
- }
- pools[index]->put(conn);
- clear_reply(reply);
- }
- TSError("RedisPublisher::get_session: Fail to GET a value from this redis
server index: %d", index);
- index = get_next_index(index);
- Dbg(dbg_ctl, "RedisPublisher::get_session: Will try the next redis server:
%d", index);
- }
-
- TSError("RedisPublisher::get_session: Fail to GET a value from all redis
servers!");
- return ret;
-}
-
-redisReply *
-RedisPublisher::set_session(const Message &msg)
-{
- if (dbg_ctl.on()) {
- auto my_id = static_cast<uint64_t>(pthread_self());
- Dbg(dbg_ctl, "RedisPublisher::set_session: Called by threadId: %" PRIx64,
my_id);
- }
-
- uint32_t index = get_hash_index(msg.channel);
- redisReply *reply = nullptr;
- for (uint32_t i = 0; i < m_redisEndpoints.size(); i++) {
- connection *conn = pools[index]->get();
-
- if (conn) {
- reply = static_cast<redisReply *>(redisCommand(conn->c_ptr(), "SET %s
%s", msg.channel.c_str(), msg.data.c_str()));
- if (reply && reply->type == REDIS_REPLY_STATUS && strcasecmp(reply->str,
"OK") == 0) {
- Dbg(dbg_ctl, "RedisPublisher::set_session: Success to SET a value to
redis server: %s:%d",
- m_redisEndpoints[index].m_hostname.c_str(),
m_redisEndpoints[index].m_port);
- pools[index]->put(conn);
- return reply;
- }
- pools[index]->put(conn);
- clear_reply(reply);
- }
- TSError("RedisPublisher::set_session: Fail to SET a value to this redis
server %s:%d",
- m_redisEndpoints[index].m_hostname.c_str(),
m_redisEndpoints[index].m_port);
-
- index = get_next_index(index);
- Dbg(dbg_ctl, "RedisPublisher::set_session: Will try the next redis server:
%s:%d", m_redisEndpoints[index].m_hostname.c_str(),
- m_redisEndpoints[index].m_port);
- }
-
- TSError("RedisPublisher::set_session: Fail to SET a value to all redis
servers!");
- return nullptr;
-}
diff --git a/plugins/experimental/ssl_session_reuse/src/publisher.h
b/plugins/experimental/ssl_session_reuse/src/publisher.h
deleted file mode 100644
index 43c0368fa9..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/publisher.h
+++ /dev/null
@@ -1,105 +0,0 @@
-/** @file
-
- publisher.h - Redis publisher
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-#pragma once
-
-#include <string>
-#include <deque>
-#include <vector>
-#include <mutex>
-#include <memory>
-#include <semaphore.h>
-#include <hiredis/hiredis.h>
-
-#include "message.h"
-#include "globals.h"
-#include "redis_endpoint.h"
-#include "simple_pool.h"
-#include "tscore/HashFNV.h"
-
-struct RedisContextDeleter {
- void
- operator()(::redisContext *ctx)
- {
- ::redisFree(ctx);
- }
-};
-
-using RedisContextPtr = std::unique_ptr<::redisContext, RedisContextDeleter>;
-
-class RedisPublisher
-{
- std::string redis_passwd;
- std::deque<Message> m_messageQueue;
- std::mutex m_messageQueueMutex;
- ::sem_t m_workerSem;
-
- std::vector<RedisEndpoint> m_redisEndpoints;
- std::string m_redisEndpointsStr;
- int m_endpointIndex = 0;
- std::mutex m_endpointIndexMutex;
-
- std::vector<simple_pool *> pools;
-
- unsigned int m_numWorkers;
- unsigned int m_redisConnectTimeout; // milliseconds
- unsigned int m_redisConnectTries;
- unsigned int m_redisPublishTries;
- unsigned int m_redisRetryDelay; // milliseconds
- unsigned int m_maxQueuedMessages;
- unsigned int m_poolRedisConnectTimeout; // milliseconds
-
- bool err = false;
-
- void runWorker();
-
- ::redisContext *setup_connection(const RedisEndpoint &re);
-
- ::redisReply *send_publish(RedisContextPtr &ctx, const RedisEndpoint &re,
const Message &msg);
- ::redisReply *set_session(const Message &msg);
- void clear_reply(::redisReply *reply);
-
- uint32_t
- get_hash_index(const std::string &str) const
- {
- ATSHash32FNV1a hashFNV;
- hashFNV.update(str.c_str(), str.length());
- return hashFNV.get();
- }
-
- uint32_t
- get_next_index(uint32_t index) const
- {
- return (index + 1) % m_redisEndpoints.size();
- }
-
- int signal_cleanup();
- static void *start_worker_thread(void *arg);
-
-public:
- RedisPublisher(const std::string &conf = cDefaultConfig);
- virtual ~RedisPublisher();
- int publish(const std::string &channel, const std::string &message);
- std::string get_session(const std::string &channel);
- bool is_good();
-};
diff --git a/plugins/experimental/ssl_session_reuse/src/redis_auth.h
b/plugins/experimental/ssl_session_reuse/src/redis_auth.h
deleted file mode 100644
index 5277640f8e..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/redis_auth.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/** @file
-
- redis_auth.h
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-#pragma once
-
-#define MAX_REDIS_KEYSIZE 256
-
-int get_redis_auth_key(char *retKeyBuff, int buffSize);
diff --git a/plugins/experimental/ssl_session_reuse/src/redis_endpoint.cc
b/plugins/experimental/ssl_session_reuse/src/redis_endpoint.cc
deleted file mode 100644
index 66f9b3ac52..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/redis_endpoint.cc
+++ /dev/null
@@ -1,66 +0,0 @@
-/** @file
-
- redis_endpoint.cc - represent Redis endpoints
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-
-#include "redis_endpoint.h"
-
-RedisEndpoint::RedisEndpoint(const std::string &endpoint_spec)
-{
- std::stringstream ss;
- size_t delim_pos(endpoint_spec.find(':'));
- m_hostname = endpoint_spec.substr(0, delim_pos);
-
- if (m_hostname.empty()) {
- m_hostname = cDefaultRedisHost;
- }
-
- if (delim_pos != std::string::npos) {
- ss << endpoint_spec.substr(delim_pos + 1);
- ss >> m_port;
- } else {
- m_port = cDefaultRedisPort;
- }
-}
-
-void
-addto_endpoint_vector(std::vector<RedisEndpoint> &endpoints, const std::string
&endpoint_str)
-{
- char delim(',');
- size_t current_start_pos(0);
- size_t current_end_pos(0);
- std::string current_endpoint;
-
- while ((std::string::npos != current_end_pos) && (current_start_pos <
endpoint_str.size())) {
- current_end_pos = endpoint_str.find(delim, current_start_pos);
-
- if (std::string::npos != current_end_pos) {
- current_endpoint = endpoint_str.substr(current_start_pos,
current_end_pos - current_start_pos);
- } else {
- current_endpoint = endpoint_str.substr(current_start_pos);
- }
-
- endpoints.push_back(RedisEndpoint(current_endpoint));
-
- current_start_pos = current_end_pos + 1;
- }
-}
diff --git a/plugins/experimental/ssl_session_reuse/src/redis_endpoint.h
b/plugins/experimental/ssl_session_reuse/src/redis_endpoint.h
deleted file mode 100644
index fa6df9f0ba..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/redis_endpoint.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/** @file
-
- redis_endpoint.h
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-#pragma once
-
-#include <string>
-#include <vector>
-
-#include "globals.h"
-
-struct RedisEndpoint {
- std::string m_hostname;
- int m_port;
-
- RedisEndpoint() : m_hostname(cDefaultRedisHost), m_port(cDefaultRedisPort) {}
- RedisEndpoint(const std::string &endpoint_spec);
-};
-
-struct RedisEndpointCompare {
- bool
- operator()(const RedisEndpoint &lhs, const RedisEndpoint &rhs) const
- {
- return lhs.m_hostname < rhs.m_hostname || (lhs.m_hostname ==
rhs.m_hostname && lhs.m_port < rhs.m_port);
- }
-};
-
-void addto_endpoint_vector(std::vector<RedisEndpoint> &endpoints, const
std::string &endpoint_str);
diff --git a/plugins/experimental/ssl_session_reuse/src/session_process.cc
b/plugins/experimental/ssl_session_reuse/src/session_process.cc
deleted file mode 100644
index f249c45bd5..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/session_process.cc
+++ /dev/null
@@ -1,205 +0,0 @@
-/** @file
-
- session_process.cc - encrypt and decrypt sessions
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-
-#include <cmath>
-#include <cstring>
-#include <cerrno>
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-#include <openssl/rand.h>
-#include <ts/ts.h>
-
-#include "session_process.h"
-#include "ssl_utils.h"
-#include "common.h"
-
-const uint64_t protocol_version = 2;
-
-int
-encrypt_session(const char *session_data, int32_t session_data_len, const
unsigned char *key, int key_length,
- std::string &encrypted_data)
-{
- if (!key || !session_data) {
- return -1;
- }
-
- int data_len = sizeof(int64_t) + sizeof(int32_t) + session_data_len;
- unsigned char *data = new unsigned char[data_len];
- int offset = 0;
- size_t encrypted_size = ENCODED_LEN(data_len + EVP_MAX_BLOCK_LENGTH * 2);
- size_t encrypted_len = 0;
- char *encrypted = new char[encrypted_size];
- int ret = 0;
-
- // Transition the expiration time into a protocol version field.
- // Keeping it unnecessarily long at 64 bits to have consistency with
previous version
- // Version 1, had a fixed expiration time of 2*3600 seconds
- std::memcpy(data + offset, &protocol_version, sizeof(int64_t));
- offset += sizeof(int64_t);
- std::memcpy(data + offset, &session_data_len, sizeof(int32_t));
- offset += sizeof(session_data_len);
- std::memcpy(data + offset, session_data, session_data_len);
-
- std::memset(encrypted, 0, encrypted_size);
- ret = encrypt_encode64(key, key_length, data, data_len, encrypted,
encrypted_size, &encrypted_len);
- if (ret == 0) {
- encrypted_data.assign(encrypted, encrypted_len);
- } else {
- Dbg(dbg_ctl, "encrypt_session calling encrypt_encode64 failed, error: %d",
ret);
- }
-
- delete[] data;
- delete[] encrypted;
-
- return ret;
-}
-
-/**
- * The initial value of session_data_len is the number of bytes in session_data
- * The return value of session_data_len is the number of bytes actually stored
in session_data
- * The return value is -1 on error or the number of bytes in the decrypted
session data (may be more
- * than the initial value of sesion_data_len
- */
-int
-decrypt_session(const std::string &encrypted_data, const unsigned char *key,
int key_length, char *session_data,
- int32_t &session_data_len)
-{
- if (!key || !session_data) {
- return -1;
- }
-
- unsigned char *ssl_sess_ptr = nullptr;
- size_t decrypted_size = DECODED_LEN(encrypted_data.length()) +
EVP_MAX_BLOCK_LENGTH * 2;
- size_t decrypted_len = 0;
- unsigned char *decrypted = new unsigned char[decrypted_size];
- int ret = -1;
- size_t len_all = 0;
-
- std::memset(decrypted, 0, decrypted_size);
- if ((ret = decrypt_decode64(key, key_length, encrypted_data.c_str(),
encrypted_data.length(), decrypted, decrypted_size,
- &decrypted_len)) != 0) {
- Dbg(dbg_ctl, "decrypt_session calling decrypt_decode64 failed, error: %d",
ret);
- goto Cleanup;
- }
-
- // Retrieve ssl_session
- ssl_sess_ptr = decrypted;
-
- // The first 64 bits are now the protocol version. Make sure it matches
what we expect
- if (protocol_version == *(reinterpret_cast<uint64_t *>(ssl_sess_ptr))) {
- // Move beyond the protocol version
- ssl_sess_ptr += sizeof(int64_t);
-
- // Length
- ret = *reinterpret_cast<int32_t *>(ssl_sess_ptr);
- ssl_sess_ptr += sizeof(int32_t);
-
- len_all = ret + sizeof(int64_t) + sizeof(int32_t);
- if (decrypted_len < len_all) {
- Dbg(dbg_ctl, "Session data length mismatch, got %lu, should be %lu.",
decrypted_len, len_all);
- ret = -1;
- goto Cleanup;
- }
-
- // If there is less data than the maximum buffer size, reduce accordingly
- if (ret < session_data_len) {
- session_data_len = ret;
- }
- std::memcpy(session_data, ssl_sess_ptr, session_data_len);
- }
-
-Cleanup:
-
- delete[] decrypted;
-
- return ret;
-}
-
-int
-encode_id(const char *id, int idlen, std::string &encoded_data)
-{
- char *encoded = new char[ENCODED_LEN(idlen)];
- memset(encoded, 0, ENCODED_LEN(idlen));
- size_t encoded_len = 0;
- if (TSBase64Encode(id, idlen, encoded, ENCODED_LEN(idlen), &encoded_len) !=
0) {
- TSError("ID base 64 encoding failed.");
- if (encoded) {
- delete[] encoded;
- }
- return -1;
- }
-
- encoded_data.assign(encoded, encoded_len);
-
- if (encoded) {
- delete[] encoded;
- }
-
- return 0;
-}
-
-int
-decode_id(const std::string &encoded_id, char *decoded_data, int
&decoded_data_len)
-{
- size_t decode_len = 0;
- memset(decoded_data, 0, decoded_data_len);
- if (TSBase64Decode(static_cast<const char *>(encoded_id.c_str()),
encoded_id.length(),
- reinterpret_cast<unsigned char *>(decoded_data),
decoded_data_len, &decode_len) != 0) {
- TSError("ID base 64 decoding failed.");
- return -1;
- }
- decoded_data_len = decode_len;
- return 0;
-}
-
-int
-add_session(char *session_id, int session_id_len, const std::string
&encrypted_session)
-{
- std::string session(session_id, session_id_len);
- Dbg(dbg_ctl, "add_session session_id: %s", hex_str(session).c_str());
- char session_data[SSL_SESSION_MAX_DER];
- int32_t session_data_len = SSL_SESSION_MAX_DER;
- int ret = decrypt_session(encrypted_session, (unsigned char *)get_key_ptr(),
get_key_length(), session_data, session_data_len);
- if (ret < 0) {
- Dbg(dbg_ctl, "Failed to decrypt session %.*s, error: %d", session_id_len,
hex_str(session).c_str(), ret);
- return ret;
- }
- const unsigned char *loc = reinterpret_cast<const unsigned char
*>(session_data);
- SSL_SESSION *sess = d2i_SSL_SESSION(nullptr, &loc, session_data_len);
- if (nullptr == sess) {
- Dbg(dbg_ctl, "Failed to transform session buffer %.*s", session_id_len,
hex_str(session).c_str());
- return -1;
- }
- TSSslSessionID sid;
- memcpy(reinterpret_cast<char *>(sid.bytes), session_id, session_id_len);
- sid.len = session_id_len;
- if (sid.len > sizeof(sid.bytes)) {
- sid.len = sizeof(sid.bytes);
- }
- TSSslSessionInsert(&sid, reinterpret_cast<TSSslSession>(sess), nullptr);
- // Free the sesison object created by d2i_SSL_SESSION
- // We should make an API that just takes the ASN buffer
- SSL_SESSION_free(sess);
- return 0;
-}
diff --git a/plugins/experimental/ssl_session_reuse/src/session_process.h
b/plugins/experimental/ssl_session_reuse/src/session_process.h
deleted file mode 100644
index f987787f94..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/session_process.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/** @file
-
- session_process.h
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-#pragma once
-
-#include <string>
-#include <cmath>
-
-#define SSL_SESSION_MAX_DER (1024 * 10)
-
-int encrypt_session(const char *session_data, int32_t session_data_len, const
unsigned char *key, int key_length,
- std::string &encrypted_data);
-
-int decrypt_session(const std::string &encrypted_data, const unsigned char
*key, int key_length, char *session_data,
- int32_t &session_len);
-
-int encode_id(const char *id, int idlen, std::string &decoded_data);
-int decode_id(const std::string &encoded_id, char *decoded_data, int
&decoded_data_len);
-
-int add_session(char *session_id, int session_id_len, const std::string
&encrypted_session);
diff --git a/plugins/experimental/ssl_session_reuse/src/simple_pool.cc
b/plugins/experimental/ssl_session_reuse/src/simple_pool.cc
deleted file mode 100644
index 84b38dbd78..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/simple_pool.cc
+++ /dev/null
@@ -1,77 +0,0 @@
-/** @file
-
- simple_pool.cc - a containuer of connection objects
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-
-#include "simple_pool.h"
-
-connection *
-simple_pool::get()
-{
- connection *ret = nullptr;
-
- access_mutex.lock();
- for (std::set<connection *>::iterator it = connections.begin(); it !=
connections.end();) {
- if (*it) {
- if ((*it)->is_valid()) {
- ret = *it;
- connections.erase(it++);
- break;
- } else {
- delete *it;
- connections.erase(it++);
- }
- }
- }
- access_mutex.unlock();
-
- if (ret == nullptr) {
- ret = connection::create(_host, _port, _timeout);
- if (ret && !ret->is_valid()) {
- delete ret;
- ret = nullptr;
- }
- }
-
- return ret;
-}
-
-void
-simple_pool::put(connection *conn)
-{
- if (conn == nullptr) {
- return;
- }
-
- if (!conn->is_valid()) {
- delete conn;
- return;
- }
- access_mutex.lock();
- connections.insert(conn);
- access_mutex.unlock();
-}
-
-simple_pool::simple_pool(const std::string &host, unsigned int port, unsigned
int timeout)
- : _host(host), _port(port), _timeout(timeout)
-{
-}
diff --git a/plugins/experimental/ssl_session_reuse/src/simple_pool.h
b/plugins/experimental/ssl_session_reuse/src/simple_pool.h
deleted file mode 100644
index 2977e356a3..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/simple_pool.h
+++ /dev/null
@@ -1,63 +0,0 @@
-/** @file
-
- simple_pool.h
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-#pragma once
-
-#include <set>
-#include <mutex>
-
-#include "connection.h"
-
-/**
- * @brief Manages a pool of connections to a single Redis server
- */
-class simple_pool
-{
-public:
- static inline simple_pool *
- create(const std::string &host = "localhost", unsigned int port = 6379,
unsigned int timeout = 5)
- {
- return (new simple_pool(host, port, timeout));
- }
-
- /**
- * @brief Get a working connection
- * @return
- */
- connection *get();
-
- /**
- * @brief Put back a connection for reuse
- * @param conn
- */
- void put(connection *conn);
-
-private:
- simple_pool(const std::string &host, unsigned int port, unsigned int
timeout);
-
- std::string _host;
- unsigned int _port;
- unsigned int _timeout;
- std::set<connection *> connections;
- std::mutex access_mutex;
-};
diff --git a/plugins/experimental/ssl_session_reuse/src/ssl_init.cc
b/plugins/experimental/ssl_session_reuse/src/ssl_init.cc
deleted file mode 100644
index acfd2ea2a3..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/ssl_init.cc
+++ /dev/null
@@ -1,129 +0,0 @@
-/** @file
-
- ssl_init.cc - set up things
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-
-#include <string>
-#include <cstring>
-#include <fcntl.h>
-#include <unistd.h>
-#include <sys/stat.h>
-
-#include "ssl_utils.h"
-#include "Config.h"
-#include "common.h"
-
-ssl_session_param ssl_param; // <- global containing all operational info
-std::string conf_file;
-
-int
-init_subscriber()
-{
- ssl_param.sub = new RedisSubscriber(conf_file);
- if ((!ssl_param.sub) || (!ssl_param.sub->is_good())) {
- TSError("Construct RedisSubscriber error.");
- return -1;
- }
- return 0;
-}
-
-int
-init_ssl_params(const std::string &conf)
-{
- conf_file = conf;
- if (Config::getSingleton().loadConfig(conf)) {
- Config::getSingleton().getValue("ssl_session", "ClusterName",
ssl_param.cluster_name);
- Config::getSingleton().getValue("ssl_session", "KeyUpdateInterval",
ssl_param.key_update_interval);
- Config::getSingleton().getValue("ssl_session", "STEKMaster",
ssl_param.stek_master);
- Config::getSingleton().getValue("ssl_session", "redis_auth_key_file",
ssl_param.redis_auth_key_file);
- } else {
- return -1;
- }
-
- if (ssl_param.key_update_interval > STEK_MAX_LIFETIME) {
- ssl_param.key_update_interval = STEK_MAX_LIFETIME;
- Dbg(dbg_ctl, "KeyUpdateInterval too high, resetting session ticket key
rotation to %d seconds.", ssl_param.key_update_interval);
- }
-
- Dbg(dbg_ctl, "init_ssl_params: I %s been configured to initially be
stek_master.",
- ((ssl_param.stek_master) ? "HAVE" : "HAVE NOT"));
- Dbg(dbg_ctl, "init_ssl_params: Rotation interval
(ssl_param.key_update_interval) set to %d", ssl_param.key_update_interval);
- Dbg(dbg_ctl, "init_ssl_params: cluster_name set to %s",
ssl_param.cluster_name.c_str());
-
- ssl_param.pub = new RedisPublisher(conf);
- if ((!ssl_param.pub) || (!ssl_param.pub->is_good())) {
- TSError("Construct RedisPublisher error.");
- return -1;
- }
-
- int ret = STEK_init_keys();
- if (ret < 0) {
- TSError("STEK_init_keys failure: %s", conf.c_str());
- return -1;
- }
-
- return 0;
-}
-
-ssl_session_param::ssl_session_param() = default;
-
-ssl_session_param::~ssl_session_param()
-{
- // Let the publish object leak for now, we are shutting down anyway
- /*if (pub)
- delete pub; */
-}
-
-/*
- Read the redis auth key from file ssl_param.redis_auth_key_file in retKeyBuff
- Return length of key read.
- */
-int
-get_redis_auth_key(char *retKeyBuff, int buffSize)
-{
- int retval = 0;
- // Get the Key
- if (ssl_param.redis_auth_key_file.length()) {
- int fd = open(ssl_param.redis_auth_key_file.c_str(), O_RDONLY);
- struct stat info;
- if (fd >= 0 && 0 == fstat(fd, &info)) {
- size_t n = info.st_size;
- std::string key_data;
- key_data.resize(n);
- auto read_len = read(fd, const_cast<char *>(key_data.data()), n);
- // Strip any trailing newlines
- while (read_len > 1 && key_data[read_len - 1] == '\n') {
- --read_len;
- }
- if (read_len > 0 && read_len <= buffSize &&
static_cast<size_t>(read_len) <= key_data.length()) {
- memset(retKeyBuff, 0, buffSize);
- strncpy(retKeyBuff, key_data.c_str(), read_len);
- retval = read_len;
- }
- }
- close(fd);
- } else {
- TSError("Can not get redis auth key.");
- }
-
- return retval;
-}
diff --git a/plugins/experimental/ssl_session_reuse/src/ssl_key_utils.cc
b/plugins/experimental/ssl_session_reuse/src/ssl_key_utils.cc
deleted file mode 100644
index d39a6f9bf2..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/ssl_key_utils.cc
+++ /dev/null
@@ -1,472 +0,0 @@
-/** @file
-
- ssl_key_utils.cc - Deal with STEK
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-
-#include <cstring>
-#include <mutex>
-#include <cassert>
-#include <thread>
-#include <chrono>
-#include <unistd.h>
-#include <sys/time.h>
-#include <openssl/rand.h>
-#include <ts/ts.h>
-
-#include "ssl_utils.h"
-#include "redis_auth.h"
-#include "stek.h"
-#include "common.h"
-
-#define SSL_AES_KEY_SUFFIX "_aes_key"
-#define SSL_HMAC_KEY_SUFFIX "_hmac_key"
-
-#define STEK_MAX_ENC_SIZE 512
-
-// Lock for when changing Session-Ticket-Encrypt-Key
-std::mutex ssl_key_lock;
-
-static char channel_key[MAX_REDIS_KEYSIZE] = {
- 0,
-};
-static int channel_key_length = 0;
-
-static std::atomic<bool> stek_master_setter_running(false); /* stek master
setter thread running */
-
-static std::atomic<bool> stek_initialized(false);
-
-using std::this_thread::sleep_for;
-using std::chrono::time_point_cast;
-using std::chrono::seconds;
-using std::chrono::system_clock;
-using TimePoint = std::chrono::time_point<system_clock, seconds>;
-
-TimePoint
-get_current_time()
-{
- return time_point_cast<seconds>(system_clock::now());
-}
-
-bool
-isSTEKMaster()
-{
- return stek_master_setter_running;
-}
-
-/*****************************************************************************
- * Overview of this module: Session-Ticket-Encryption-Key (STEK)
functionality
- * which include generating, setting, getting of stek for the POD
- * (redis connected network of nodes that share a common STEK).
- * All aspects of code in this module run in the ats_ssl_session_reuse
plugin
- * execution space, (as opposed to redis_subscriber, or redis server
execution space).
- *
- * Three main areas of interest in this module:
- *
- * 1) Initialization - STEK_init_keys()
- *
- * 2) STEK_Update_Setter_Thread() or Master STEK setter - Ultimately there is
one Master-STEK
- * setter node per POD where a POD is determined by all nodes on the redis
network.
- * At regular intervals this thread will generate a new STEK and publish it to
the POD.
- * This ensures proper key rotation.
- *
- * One node in the pod is configured to be Master STEK setter in charge of key
rotations.
- * The algorithm implemented allows for the POD to dynamically self configure
a master
- * which can recover from death of master, misconfigurations, ultimately
ineffective rotations.
- *
- * General description:
- *
- * - Master thread (of ATS plugin)-
- * Create and send STEK
- * sleep for configured period (e.g. 7 hours)
- * After wake up, if I'm no longer using STEK I created, then the POD is
sync'd to a new
- * POD stek-master...yield to it by exiting this thread.
- */
-
-/*----------------------------------------------------------------------------------------*/
-
-const char *
-get_key_ptr()
-{
- return channel_key;
-}
-
-int
-get_key_length()
-{
- return channel_key_length;
-}
-
-static int
-STEK_GetGoodRandom(char *buffer, int size, int needGoodEntropy)
-{
- FILE *fp;
- int numread = 0;
- char *randFileName;
-
- /* /dev/random blocks until good entropy and can take up to 2 seconds per
byte on idle machines */
- /* /dev/urandom does not have entropy check, and is very quick.
- * Caller decides quality needed */
- randFileName = const_cast<char *>((needGoodEntropy) ? /* Good & slow */
"/dev/random" : /*Fast*/ "/dev/urandom");
-
- if (nullptr == (fp = fopen(randFileName, "r"))) {
- // printf("Can't open %s",randFileName);
- return 0; /* failure */
- }
- numread = static_cast<int>(fread(buffer, 1, size, fp));
- fclose(fp);
-
- return ((numread == size) ? 1 /* success*/ : 0 /*failure*/);
-
-} /* STEK_GetRandom() */
-
-static int
-STEK_CreateNew(struct ssl_ticket_key_t *returnSTEK, int globalkey, int
entropyEnsured)
-{
- /* Create a new Session-Ticket-Encryption-Key and places it into buffer
provided
- * return 0 on failure, 1 on success.
- * if boolean globalkey is set (inidcating it's the global key space),
- will get global key lock before setting */
-
- struct ssl_ticket_key_t newKey; // tmp local buffer
-
- /* We create key in local buff to minimize lock time on global,
- * because entropy ensuring can take a very long time e.g. 2 seconds per
byte of entropy*/
- if ((!STEK_GetGoodRandom(reinterpret_cast<char *>(&(newKey.aes_key)),
SSL_KEY_LEN, (entropyEnsured) ? 1 : 0)) ||
- (!STEK_GetGoodRandom(reinterpret_cast<char *>(&(newKey.hmac_secret)),
SSL_KEY_LEN, (entropyEnsured) ? 1 : 0)) ||
- (!STEK_GetGoodRandom(reinterpret_cast<char *>(&(newKey.key_name)),
SSL_KEY_LEN, 0))) {
- return 0; /* couldn't generate new STEK */
- }
-
- // we presume return buffer may be the global active STEK, so we get lock
first before setting
- if (globalkey) {
- ssl_key_lock.lock();
- }
- memcpy(returnSTEK, &newKey, sizeof(struct ssl_ticket_key_t));
- if (globalkey) {
- ssl_key_lock.unlock();
- }
-
- memset(&newKey, 0, sizeof(struct ssl_ticket_key_t)); // keep our stack clean
-
- return 1; /* success */
-}
-
-static int
-STEK_encrypt(struct ssl_ticket_key_t *stek, const char *key, int key_length,
char *ret_encrypted, int *ret_len)
-{
- /* Encrypted stek will be placed in caller allocated ret_encrypted buffer */
- /* NOTE: ret_len must initially contain the size of the ret_encrypted buffer
*/
- /* return 1 on success, 0 on failure */
- int stek_len = sizeof(struct ssl_ticket_key_t);
- size_t encrypted_size = *ret_len;
- size_t encrypted_len = 0;
- int ret = -1;
-
- if ((ret = encrypt_encode64(reinterpret_cast<const unsigned char *>(key),
key_length, reinterpret_cast<unsigned char *>(stek),
- stek_len, ret_encrypted, encrypted_size,
&encrypted_len)) == 0) {
- *ret_len = encrypted_len;
- } else {
- Dbg(dbg_ctl, "STEK_encrypt calling encrypt_encode64 failed, error: %d",
ret);
- }
- return ret;
-}
-
-static int
-STEK_decrypt(const std::string &encrypted_data, const char *key, int
key_length, struct ssl_ticket_key_t *ret_STEK)
-{
- if (!ret_STEK) {
- return -1;
- }
-
- Dbg(dbg_ctl, "STEK_decrypt: requested to decrypt %lu bytes",
encrypted_data.length());
-
- int ret = -1;
- size_t decrypted_size = DECODED_LEN(encrypted_data.length()) +
EVP_MAX_BLOCK_LENGTH * 2;
- size_t decrypted_len = 0;
- unsigned char *decrypted = new unsigned char[decrypted_size];
-
- std::memset(decrypted, 0, decrypted_size);
- if ((ret = decrypt_decode64(reinterpret_cast<const unsigned char *>(key),
key_length, encrypted_data.c_str(),
- encrypted_data.length(), decrypted,
decrypted_size, &decrypted_len)) != 0) {
- Dbg(dbg_ctl, "STEK_decrypt calling decrypt_decode64 failed, error: %d",
ret);
- goto Cleanup;
- }
-
- if (sizeof(struct ssl_ticket_key_t) != decrypted_len) {
- TSError("STEK data length mismatch, got %lu, should be %lu",
decrypted_len, sizeof(struct ssl_ticket_key_t));
- ret = -1;
- goto Cleanup;
- }
-
- memcpy(ret_STEK, decrypted, sizeof(struct ssl_ticket_key_t));
- memset(decrypted, 0, decrypted_size); // warm fuzzies
- ret = 0;
-
-Cleanup:
-
- if (decrypted) {
- delete[] decrypted;
- }
-
- return ret; /* ok, length of data in ret_STEK will be sizeof(struct
ssl_ticket_key_t) */
-}
-
-int
-STEK_Send_To_Network(struct ssl_ticket_key_t *stekToSend)
-{
- /* Send new STEK to redis network */
- /* This function encrypts the STEK and then sends it to the redis network. */
- /* Description: The subscriber thread listens on the redis network and
updates its ATS
- * core with the new data
- */
- char encryptedData[STEK_MAX_ENC_SIZE] = {
- 0,
- };
- int encryptedDataLength = 0;
-
- // encrypt the STEK before sending
- encryptedDataLength = sizeof(encryptedData);
- if (STEK_encrypt(stekToSend, get_key_ptr(), get_key_length(), encryptedData,
&encryptedDataLength) != 0) {
- TSError("STEK_encrypt failed, not sending.");
- return 0; // failure
- }
-
- std::string redis_channel = ssl_param.cluster_name + "." + STEK_ID_NAME;
- ssl_param.pub->publish(redis_channel, encryptedData); // send it
-
- memset(encryptedData, 0, sizeof(encryptedData)); // warm fuzzies
- return 1;
-}
-
-static void *
-STEK_Update_Setter_Thread(void *arg)
-{
- plugin_threads.store(::pthread_self());
- ::pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, nullptr);
- ::pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, nullptr);
-
- int sleepInterval;
- struct ssl_ticket_key_t newKey;
- int startProblem = 0; // counter for start up and retry issues.
-
- /* This STEK-Master thread runs for the life of the executable setting the
- * Session-Ticket-Encryption-Key at every configured interval.
- * The key is generated and then redis published to the POD.
- * where the subscribers will pick it up and replace their ATS keys
- * If it detects another master in the POD setting keys, it will shut itself
down */
-
- if (stek_master_setter_running) {
- /* Sanity check triggered. Already running...don't do another. */
- Dbg(dbg_ctl, "Faulty STEK-master launch. Internal error. Moving on...");
- return nullptr;
- }
-
- stek_master_setter_running = true;
- Dbg(dbg_ctl, "Will now act as the STEK rotator for POD.");
-
- while (!plugin_threads.shutdown) {
- try {
- // Create new STEK, set it for me, and then send it to the POD.
- if ((!STEK_CreateNew(&newKey, 0, 1 /* entropy ensured */)) ||
(!STEK_Send_To_Network(&newKey))) {
- // Error occurred. We will retry after a short interval.
- // perhaps publishig isn't up yet.
- startProblem++; // count how many times we have this problem.
- sleepInterval = 60; // short sleep for error retry
- TSError("Could not create/send new STEK for key rotation... Try again
in %d seconds.", sleepInterval);
- } else {
- // Everything good. will sleep for normal rotation time period and
then repeat
- startProblem = 0;
- Dbg(dbg_ctl, "New POD STEK created and sent to network.");
-
- sleepInterval = ssl_param.key_update_interval;
- }
-
- ::sleep(sleepInterval);
-
- if ((!startProblem) && (memcmp(&newKey, &ssl_param.ticket_keys[0],
sizeof(struct ssl_ticket_key_t)))) {
- /* I am not using the key I set before sleeping. This means node (and
POD) has
- * sync'd onto a more recent master, which we will now yield to by
exiting
- * out of this thread. */
- goto done_master_setter;
- }
-
- if (startProblem > 60) {
- /* We've been trying every minute for more than an hour. Time to give
up and move on..*/
- /* Another node in pod will notice and pick up responsibility, else
we'll try again later */
- goto done_master_setter;
- }
- } catch (...) {
- Dbg(dbg_ctl, "STEK_Update_Setter_Thread exception");
- goto done_master_setter;
- }
- } // while(forever)
-
-done_master_setter:
- Dbg(dbg_ctl, "Yielding STEK-Master rotation responsibility to another node
in POD.");
- memset(&newKey, 0, sizeof(struct ssl_ticket_key_t));
- stek_master_setter_running = false;
- return nullptr;
-}
-
-TimePoint lastChangeTime;
-
-void
-STEK_update(const std::string &encrypted_stek)
-{
- struct ssl_ticket_key_t newSTEK;
- if (STEK_decrypt(encrypted_stek, get_key_ptr(), get_key_length(), &newSTEK)
== 0) {
- if (memcmp(&newSTEK, &ssl_param.ticket_keys[0], sizeof(struct
ssl_ticket_key_t)) != 0) {
- /* ... and it's a new one, so we will now set and use it. */
- ssl_key_lock.lock();
- memcpy(&ssl_param.ticket_keys[1], &ssl_param.ticket_keys[0],
sizeof(struct ssl_ticket_key_t));
- memcpy(&ssl_param.ticket_keys[0], &newSTEK, sizeof(struct
ssl_ticket_key_t));
-
- // Let TSAPI know about new ticket information
- stek_initialized = true;
- TSSslTicketKeyUpdate(reinterpret_cast<char *>(ssl_param.ticket_keys),
sizeof(ssl_param.ticket_keys));
- lastChangeTime = get_current_time();
- ssl_key_lock.unlock();
- }
- }
-}
-
-static void *
-STEK_Update_Checker_Thread(void *arg)
-{
- plugin_threads.store(::pthread_self());
- ::pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, nullptr);
- ::pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, nullptr);
-
- TimePoint currentTime;
- TimePoint lastWarningTime; // last time we put out a warning
-
- /* STEK_Update_Checker_Thread() - This thread runs forever, sleeping most
- * of the time, then checking and updating our Session-Ticket-Encryption-Key
- * If we don't get a STEK rotation during a certain time period,log warning
- * that something is up with our STEK master, and nominate a new STEK master.
- */
-
- Dbg(dbg_ctl, "Starting STEK_Update_Checker_Thread.");
-
- lastChangeTime = lastWarningTime = currentTime = get_current_time(); // init
to current to suppress a startup warning.
- int check_count = 0; // Keep track of how
many times we've checked whether we got a new STEK.
-
- while (!plugin_threads.shutdown) {
- try {
- if (!stek_initialized && ssl_param.pub) {
- // Launch a request for the master to resend you the ticket key
- std::string redis_channel = ssl_param.cluster_name + "." +
STEK_ID_RESEND;
- ssl_param.pub->publish(redis_channel, ""); // send it
- Dbg(dbg_ctl, "Request for ticket.");
- }
- currentTime = get_current_time();
- seconds sleepFor{0};
- if (stek_initialized) {
- // Sleep until we are overdue for a key update
- auto duration = currentTime - lastChangeTime;
- sleepFor = seconds{2 * STEK_MAX_LIFETIME} - duration;
- stek_initialized = false;
- check_count = 0;
- } else {
- // Wait for a while in hopes that the server gets back to us
- sleepFor = seconds{30};
- ++check_count;
- }
- sleep_for(sleepFor);
-
- if (check_count == 0) {
- continue;
- }
-
- /* We track last time STEK changed. If we haven't gotten a new STEK in
twice the max,
- * then we figure something is wrong with the POD STEK master and
nominate a new master.
- * STEK master may have been misconfigured, disconnected, died or
who-knows.
- * If we're have been checking in the past five minutes and still
haven't got a new
- * STEK, we believe that the master has died, so "now, I am the master".
- * ...no problem we will recover POD STEK rotation now */
-
- currentTime = get_current_time();
- if ((currentTime - lastChangeTime) > seconds{2 * STEK_MAX_LIFETIME} ||
check_count > 10) {
- // Yes we were way past due for a new STEK, and haven't received it.
- if ((currentTime - lastWarningTime) >
seconds{STEK_NOT_CHANGED_WARNING_INTERVAL}) {
- // Yes it's time to put another warning in log file.
- TSError("Session Ticket Encryption Key not syncd in past %d hours.",
- static_cast<int>(((currentTime - lastChangeTime).count() /
3600)));
-
- lastWarningTime = currentTime;
- }
-
- /* Time to nominate a new stek master for pod key rotation... */
- if (!stek_master_setter_running) {
- Dbg(dbg_ctl, "Will nominate a new STEK-master thread now for pod key
rotation.");
- TSThreadCreate(STEK_Update_Setter_Thread, nullptr);
- }
- }
- } catch (...) {
- Dbg(dbg_ctl, "STEK_Update_Checker_Thread exception");
- break;
- }
- } // while(forever)
-
- return nullptr;
-} // STEK_Update_Checker_Thread()
-
-int
-STEK_init_keys()
-{
- ssl_ticket_key_t initKey;
-
- channel_key_length = get_redis_auth_key(channel_key, MAX_REDIS_KEYSIZE);
- if (channel_key_length <= 0) {
- TSError("STEK_init_keys: Could not get redis authentication key.");
- return -1;
- }
-
- // Initialize starter Session Ticket Encryption Key
- // Will sync up with master later
- if (!STEK_CreateNew(&initKey, 0, 0 /*fast start*/)) {
- TSError("Can't init STEK.");
- return -1;
- }
- memcpy(&ssl_param.ticket_keys[0], &initKey, sizeof(struct ssl_ticket_key_t));
- memcpy(&ssl_param.ticket_keys[1], &initKey, sizeof(struct ssl_ticket_key_t));
- memset(&initKey, 0, sizeof(struct ssl_ticket_key_t));
-
- // Call into TSAPI to register the ticket info
- TSSslTicketKeyUpdate(reinterpret_cast<char *>(ssl_param.ticket_keys),
sizeof(ssl_param.ticket_keys));
-
- stek_initialized = false;
- if (ssl_param.stek_master) {
- /* config has chosen this instance to initially launch the STEK setting
master thread */
- /* We will generate and set STEK for the POD. If things go weird, another
node may
- * may take over this responsibility, so we only refer to this config parm
at init. */
- TSThreadCreate(STEK_Update_Setter_Thread, nullptr);
- stek_initialized = true;
- } else {
- // Note that we have a temp key. Probe the master once we are up
- }
-
- // Launch thread to listen for incoming STEK update rotation
- TSThreadCreate(STEK_Update_Checker_Thread, nullptr);
-
- return 1; // init ok
-}
diff --git a/plugins/experimental/ssl_session_reuse/src/ssl_utils.h
b/plugins/experimental/ssl_session_reuse/src/ssl_utils.h
deleted file mode 100644
index adfc39c80d..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/ssl_utils.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/** @file
-
- ssl_utils.h - a containuer of connection objects
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-#pragma once
-
-#include <string>
-#include <iostream>
-#include <iomanip>
-#include <atomic>
-#include <openssl/ssl.h>
-#include <ts/ts.h>
-
-#include "publisher.h"
-#include "subscriber.h"
-#include "stek.h"
-
-struct ssl_session_param {
- std::string cluster_name;
- int key_update_interval; // STEK master rotation period seconds
- int stek_master; // bool - Am I the STEK setter/rotator for
POD?
- ssl_ticket_key_t ticket_keys[2]; // current and past STEK
- std::string redis_auth_key_file;
- RedisPublisher *pub = nullptr;
- RedisSubscriber *sub;
-
- ssl_session_param();
- ~ssl_session_param();
-};
-
-int STEK_init_keys();
-
-const char *get_key_ptr();
-int get_key_length();
-
-/* Initialize ssl parameters */
-/**
- Return the result of initialization. If 0 is returned, it means
- the initializtion is success, -1 means it is failure.
-
- @param conf_file the configuration file
-
- @return @c 0 if it is success.
-
-*/
-int init_ssl_params(const std::string &conf_file);
-int init_subscriber();
-
-int SSL_session_callback(TSCont contp, TSEvent event, void *edata);
-
-extern ssl_session_param ssl_param; // almost everything one needs is stored
in here
diff --git a/plugins/experimental/ssl_session_reuse/src/stek.h
b/plugins/experimental/ssl_session_reuse/src/stek.h
deleted file mode 100644
index d7a6c07282..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/stek.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/** @file
-
- stek.h - a containuer of connection objects
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-#pragma once
-
-/* STEK - Session Ticket Encryption Key stuff */
-
-#define STEK_ID_NAME "@stek@" // ACTUALLY it is redis channel minus
cluster_name prefix, aka mdbm keyname
-#define STEK_ID_RESEND "@resendstek@"
-#define STEK_MAX_LIFETIME 86400 // 24 hours max - should rotate STEK
-
-#define STEK_NOT_CHANGED_WARNING_INTERVAL (2 * STEK_MAX_LIFETIME) // warn on
non-stek rotate every X secs.
-
-#define SSL_KEY_LEN 16
-
-struct ssl_ticket_key_t // an STEK
-{
- unsigned char key_name[SSL_KEY_LEN]; // tickets use this name to identify
who encrypted
- unsigned char hmac_secret[SSL_KEY_LEN];
- unsigned char aes_key[SSL_KEY_LEN];
-};
-
-void STEK_update(const std::string &encrypted_stek);
-bool isSTEKMaster();
-int STEK_Send_To_Network(struct ssl_ticket_key_t *stekToSend);
diff --git a/plugins/experimental/ssl_session_reuse/src/subscriber.cc
b/plugins/experimental/ssl_session_reuse/src/subscriber.cc
deleted file mode 100644
index 9dcf3f9ca4..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/subscriber.cc
+++ /dev/null
@@ -1,225 +0,0 @@
-/** @file
-
- subscriber.cc - Redis subscriber
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-
-#include <cstring>
-#include <unistd.h>
-#include <openssl/ssl.h>
-#include <hiredis/hiredis.h>
-#include <ts/ts.h>
-
-#include "common.h"
-#include "subscriber.h"
-#include "Config.h"
-#include "redis_auth.h"
-#include "session_process.h"
-#include "stek.h"
-#include "ssl_utils.h"
-
-void *
-setup_subscriber(void *arg)
-{
- plugin_threads.store(::pthread_self());
- ::pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, nullptr);
- ::pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, nullptr);
-
- RedisSubscriber *me = static_cast<RedisSubscriber *>(arg);
- me->run();
- return (void *)1;
-}
-
-RedisSubscriber::RedisSubscriber(const std::string &conf)
- : m_channel(cDefaultSubColoChannel),
- m_redisConnectTimeout(cDefaultRedisConnectTimeout),
- m_redisRetryDelay(cDefaultRedisRetryDelay),
- err(false)
-{
- std::string redisEndpointsStr;
-
- if (Config::getSingleton().loadConfig(conf)) {
- Config::getSingleton().getValue("redis", "RedisConnectTimeout",
m_redisConnectTimeout);
- Config::getSingleton().getValue("redis", "RedisRetryDelay",
m_redisRetryDelay);
- Config::getSingleton().getValue("subconfig", "SubColoChannel", m_channel);
- Config::getSingleton().getValue("redis", "RedisEndpoints",
redisEndpointsStr);
- }
-
- // get our psk to access session_reuse redis network.
- char redis_auth_key[MAX_REDIS_KEYSIZE];
- if (!(get_redis_auth_key(redis_auth_key, MAX_REDIS_KEYSIZE))) {
- err = true;
- TSError("RedisPublisher::RedisPublisher: Cannot get redis AUTH password.");
- redis_passwd.clear();
- } else {
- redis_passwd = redis_auth_key;
- memset(redis_auth_key, 0, MAX_REDIS_KEYSIZE); // tidy up our stack
- }
-
- m_channel_prefix = m_channel.substr(0, m_channel.find('*'));
-
- Dbg(dbg_ctl, "RedisSubscriber::RedisSubscriber: SubscriberChannel: %s
SubscriberChannelPrefix: %s", m_channel.c_str(),
- m_channel_prefix.c_str());
-
- addto_endpoint_vector(m_redisEndpoints, redisEndpointsStr);
- m_redisEndpointsIndex = 0;
-
- for (unsigned int i = 0; i < m_redisEndpoints.size(); i++) {
- TSThreadCreate(setup_subscriber, static_cast<void *>(this));
- }
-}
-
-bool
-RedisSubscriber::is_good()
-{
- return !err;
-}
-
-int
-RedisSubscriber::get_endpoint_index()
-{
- return m_redisEndpointsIndex++;
-}
-
-::redisContext *
-RedisSubscriber::setup_connection(int index)
-{
- Dbg(dbg_ctl, "RedisSubscriber::setup_connection: Called for host: %s port:
%d", m_redisEndpoints[index].m_hostname.c_str(),
- m_redisEndpoints[index].m_port);
-
- ::redisContext *my_context(nullptr);
- struct ::timeval timeout_connect;
- timeout_connect.tv_sec = m_redisConnectTimeout / 1000;
- timeout_connect.tv_usec = (m_redisConnectTimeout % 1000) * 1000;
-
- while (true) {
- my_context =
- ::redisConnectWithTimeout(m_redisEndpoints[index].m_hostname.c_str(),
m_redisEndpoints[index].m_port, timeout_connect);
- if (!my_context) {
- TSError("RedisSubscriber::setup_connection: Connect to host: %s port: %d
failed.", m_redisEndpoints[index].m_hostname.c_str(),
- m_redisEndpoints[index].m_port);
- } else if (my_context->err) {
- TSError("RedisSubscriber::setup_connection: Connect to host: %s port: %d
failed.", m_redisEndpoints[index].m_hostname.c_str(),
- m_redisEndpoints[index].m_port);
- } else {
- Dbg(dbg_ctl, "RedisSubscriber::setup_connection: Successfully connected
to the redis host: %s port: %d",
- m_redisEndpoints[index].m_hostname.c_str(),
m_redisEndpoints[index].m_port);
-
- redisReply *reply = static_cast<redisReply *>(redisCommand(my_context,
"AUTH %s", redis_passwd.c_str()));
-
- if (reply == nullptr) {
- TSError("RedisSubscriber::setup_connection: Cannot AUTH redis server,
no reply.");
- } else if (reply->type == REDIS_REPLY_ERROR) {
- TSError("RedisSubscriber::setup_connection: Cannot AUTH redis server,
error reply.");
- freeReplyObject(reply);
- } else {
- Dbg(dbg_ctl, "RedisSubscriber::setup_connection: Successfully AUTH
redis server.");
- freeReplyObject(reply);
- }
-
- break;
- }
-
- TSError("RedisSubscriber::setup_connection: Will wait for: %d microseconds
and try again.", m_redisRetryDelay);
-
- ::usleep(m_redisRetryDelay);
- }
-
- return my_context;
-}
-
-void
-RedisSubscriber::run()
-{
- Dbg(dbg_ctl, "RedisSubscriber::run: Called.");
- int my_endpoint_index = get_endpoint_index();
- ::redisContext *my_context(setup_connection(my_endpoint_index));
- ::redisReply *current_reply(nullptr);
-
- while (!plugin_threads.shutdown) {
- try {
- while ((!my_context) || (my_context->err)) {
- ::usleep(m_redisRetryDelay);
- my_context = setup_connection(my_endpoint_index);
- }
-
- Dbg(dbg_ctl, "RedisSubscriber::run: Issuing command: PSUBSCRIBE %s",
m_channel.c_str());
- current_reply = static_cast<redisReply *>(::redisCommand(my_context,
"PSUBSCRIBE %s", m_channel.c_str()));
-
- if (!current_reply || (REDIS_REPLY_ERROR == current_reply->type)) {
- TSError("RedisSubscriber::run: Subscribe to redis server on channel:
%s failed.", m_channel.c_str());
- ::usleep(1000 * 1000);
- continue;
- } else {
- Dbg(dbg_ctl, "RedisSubscriber::run: Successfully subscribed to
channel: %s", m_channel.c_str());
- Dbg(dbg_ctl, "RedisSubscriber::run: Waiting for messages to appear on
the channel!");
- ::freeReplyObject(current_reply);
- }
-
- // Blocking read
- while (!plugin_threads.shutdown && REDIS_OK ==
::redisGetReply(my_context, reinterpret_cast<void **>(¤t_reply))) {
- // Process Message
- std::string channel(current_reply->element[2]->str,
current_reply->element[2]->len);
- std::string data(current_reply->element[3]->str,
current_reply->element[3]->len);
- Dbg(dbg_ctl, "RedisSubscriber::run: Redis request channel: %s message:
%s", channel.c_str(), hex_str(data).c_str());
-
- std::string key = "";
- // Strip the channel name to get the key
- if (channel.compare(0, m_channel_prefix.length(), m_channel_prefix) ==
0) {
- key = channel.substr(m_channel_prefix.length());
- }
-
- // If this is new keys, go do the ticket key updates
- if (strncmp(key.c_str(), STEK_ID_NAME, strlen(STEK_ID_NAME)) == 0) {
- STEK_update(data);
- // Requesting last ticket to be resent
- } else if (strncmp(key.c_str(), STEK_ID_RESEND,
strlen(STEK_ID_RESEND)) == 0) {
- if (isSTEKMaster()) {
- Dbg(dbg_ctl, "RedisSubscriber::run: Resend ticket.");
- STEK_Send_To_Network(ssl_param.ticket_keys);
- }
- } else { // Otherwise this is a new session. Let ATS core know about
it
- char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH * 2];
- int session_id_len = sizeof(session_id);
- if (decode_id(key, session_id, session_id_len) == 0) { // Decrypt
the data
- Dbg(dbg_ctl, "RedisSubscriber::run: Add session encoded_id: %s
decoded_id: %.*s %d", key.c_str(), session_id_len,
- hex_str(std::string(session_id, session_id_len)).c_str(),
session_id_len);
- add_session(session_id, session_id_len, data);
- } else {
- Dbg(dbg_ctl, "RedisSubscriber::run: Failed to decode key: %s",
key.c_str());
- }
- }
-
- ::freeReplyObject(current_reply);
-
- Dbg(dbg_ctl, "RedisSubscriber::run: Got message: %s channel: %s",
hex_str(data).c_str(), channel.c_str());
- }
- } catch (...) {
- Dbg(dbg_ctl, "RedisSubscriber::run exception");
- break;
- }
- }
-}
-
-RedisSubscriber::~RedisSubscriber()
-{
- Dbg(dbg_ctl, "RedisSubscriber::~RedisSubscriber: Called for endpoint.");
-}
diff --git a/plugins/experimental/ssl_session_reuse/src/subscriber.h
b/plugins/experimental/ssl_session_reuse/src/subscriber.h
deleted file mode 100644
index 4c5bb2e6db..0000000000
--- a/plugins/experimental/ssl_session_reuse/src/subscriber.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/** @file
-
- subscriber.h - a containuer of connection objects
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- */
-#pragma once
-
-#include <vector>
-#include <string>
-#include <atomic>
-
-#include "message.h"
-#include "globals.h"
-#include "redis_endpoint.h"
-
-class RedisSubscriber
-{
-private:
- std::string redis_passwd;
-
- std::vector<RedisEndpoint> m_redisEndpoints;
- std::atomic<int> m_redisEndpointsIndex;
- std::string m_channel;
- std::string m_channel_prefix;
-
- unsigned int m_redisConnectTimeout; // milliseconds
- unsigned int m_redisRetryDelay; // milliseconds
-
- bool err;
-
- ::redisContext *setup_connection(int index);
-
- friend void *start(void *arg);
-
-public:
- void run();
- RedisSubscriber(const std::string &conf = cDefaultConfig);
- virtual ~RedisSubscriber();
- bool is_good();
- int get_endpoint_index();
-};
diff --git a/plugins/experimental/ssl_session_reuse/tests/plug-load.test.py
b/plugins/experimental/ssl_session_reuse/tests/plug-load.test.py
deleted file mode 100644
index 8b74d22d95..0000000000
--- a/plugins/experimental/ssl_session_reuse/tests/plug-load.test.py
+++ /dev/null
@@ -1,61 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import os
-
-Test.Summary = '''
-Test a basic remap of a http connection
-'''
-
-pluginName = 'ats_ssl_plugin'
-path = os.path.abspath(".")
-configFile =
'./packages/rhel.6.5.package/conf/trafficserver/ats_ssl_session_reuse.xml'
-
-Test.ContinueOnFail = True
-# Define default ATS
-ts = Test.MakeATSProcess("ts")
-server = Test.MakeOriginServer("server")
-
-Test.testName = ""
-request_header = {"headers": "GET / HTTP/1.1\r\nHost:
www.example.com\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
-# expected response from the origin server
-response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n",
"timestamp": "1469733493.993", "body": ""}
-
-# add response to the server dictionary
-server.addResponse("sessionfile.log", request_header, response_header)
-ts.Disk.records_config.update({
- 'proxy.config.diags.debug.enabled': 1,
- 'proxy.config.diags.debug.tags': f'{pluginName}',
-})
-
-ts.Disk.plugin_config.AddLine(f'# {path}/{pluginName}.so {configFile}')
-ts.Disk.remap_config.AddLine(f'map http://www.example.com
http://127.0.0.1:{server.Variables.Port}')
-
-goldFile = os.path.join(Test.RunDirectory, f"{pluginName}.gold")
-with open(goldFile, 'w+') as jf:
- jf.write(f"``loading plugin ``{pluginName}.so``")
-
-# call localhost straight
-tr = Test.AddTestRun()
-tr.Processes.Default.Command = f'curl --proxy 127.0.0.1:{ts.Variables.port}
"http://www.example.com"; --verbose'
-tr.Processes.Default.ReturnCode = 0
-# time delay as proxy.config.http.wait_for_cache could be broken
-tr.Processes.Default.StartBefore(server,
ready=When.PortOpen(server.Variables.Port))
-tr.Processes.Default.StartBefore(Test.Processes.ts)
-tr.StillRunningAfter = server
-
-# ts.Streams.All=goldFile
-# ts.Disk.diags_log.Content+=goldFile
