We need you! We're working hard on the next version of Developer Fusion - Let us know what you think we should be up to!

The Labs \ Source Viewer \ SSCLI \ System.Net.Security \ SslSessionsCache

SSCLI
  1. //------------------------------------------------------------------------------
  2. // <copyright file="_SslSessionsCache.cs" company="Microsoft">
  3. //
  4. // Copyright (c) 2006 Microsoft Corporation. All rights reserved.
  5. //
  6. // The use and distribution terms for this software are contained in the file
  7. // named license.txt, which can be found in the root of this distribution.
  8. // By using this software in any fashion, you are agreeing to be bound by the
  9. // terms of this license.
  10. //
  11. // You must not remove this notice, or any other, from this software.
  12. //
  13. // </copyright>
  14. //------------------------------------------------------------------------------
  16. /*++   
  18. Abstract:
  19.     The file implements SSL session caching mechanism based on a static table of SSL credentials
  22. Author:
  24.     Alexei Vopilov    20-Jul-2004
  26. Revision History:
  29. --*/
  30. namespace System.Net.Security
  31. {
  32.    
  33.     using System.Net;
  34.     using System.Security.Cryptography.X509Certificates;
  35.     using System.Collections;
  36.    
  37.     static internal class SslSessionsCache
  38.     {
  39.        
  40.         private const int c_CheckExpiredModulo = 32;
  41.         private static Hashtable s_CachedCreds = new Hashtable(32);
  42.        
  43.         //
  44.         // Uses cryptographically strong certificate thumbprint comparison
  45.         //
  46.         private struct SslCredKey
  47.         {
  48.             private static readonly byte[] s_EmptyArray = new byte[0];
  49.            
  50.             private byte[] _CertThumbPrint;
  51.             private SchProtocols _AllowedProtocols;
  52.             private int _HashCode;
  53.             //
  54.             // SECURITY: X509Certificate.GetCertHash() is virtual hence before going here
  55.             // the caller of this ctor has to ensure that a user cert object was inspected and
  56.             // optionally cloned.
  57.             //
  58.             internal SslCredKey(byte[] thumbPrint, SchProtocols allowedProtocols)
  59.             {
  60.                 _CertThumbPrint = thumbPrint == null ? s_EmptyArray : thumbPrint;
  61.                 _HashCode = 0;
  62.                 if (thumbPrint != null) {
  63.                     _HashCode ^= _CertThumbPrint[0];
  64.                     if (1 < _CertThumbPrint.Length)
  65.                         _HashCode ^= (_CertThumbPrint[1] << 8);
  66.                     if (2 < _CertThumbPrint.Length)
  67.                         _HashCode ^= (_CertThumbPrint[2] << 16);
  68.                     if (3 < _CertThumbPrint.Length)
  69.                         _HashCode ^= (_CertThumbPrint[3] << 24);
  70.                 }
  71.                 _AllowedProtocols = allowedProtocols;
  72.                 _HashCode ^= (int)_AllowedProtocols;
  73.             }
  74.             //
  75.             public override int GetHashCode()
  76.             {
  77.                 return _HashCode;
  78.             }
  79.             //
  80.             public static bool operator ==(SslCredKey sslCredKey1, SslCredKey sslCredKey2)
  81.             {
  82.                 if ((object)sslCredKey1 == (object)sslCredKey2) {
  83.                     return true;
  84.                 }
  85.                 if ((object)sslCredKey1 == null || (object)sslCredKey2 == null) {
  86.                     return false;
  87.                 }
  88.                 return sslCredKey1.Equals(sslCredKey2);
  89.             }
  90.             //
  91.             public static bool operator !=(SslCredKey sslCredKey1, SslCredKey sslCredKey2)
  92.             {
  93.                 if ((object)sslCredKey1 == (object)sslCredKey2) {
  94.                     return false;
  95.                 }
  96.                 if ((object)sslCredKey1 == null || (object)sslCredKey2 == null) {
  97.                     return true;
  98.                 }
  99.                 return !sslCredKey1.Equals(sslCredKey2);
  100.             }
  101.             //
  102.             public override bool Equals(object y)
  103.             {
  104.                 SslCredKey she = (SslCredKey)y;
  105.                
  106.                 if (_CertThumbPrint.Length != she._CertThumbPrint.Length)
  107.                     return false;
  108.                
  109.                 if (_HashCode != she._HashCode)
  110.                     return false;
  111.                
  112.                 for (int i = 0; i < _CertThumbPrint.Length; ++i)
  113.                     if (_CertThumbPrint[i] != she._CertThumbPrint[i])
  114.                         return false;
  116.                
  117.                 return true;
  118.             }
  119.         }
  120.        
  121.        
  122.         //
  123.         // Returns null or previously cached cred handle
  124.         //
  125.         // ATTN: The returned handle can be invalid, the callers of InitializeSecurityContext and AcceptSecurityContext
  126.         // must be prepared to execute a backout code if the call fails.
  127.         //
  128.         // Note:thumbPrint is a cryptographicaly strong hash of a certificate
  129.         //
  130.         static internal SafeFreeCredentials TryCachedCredential(byte[] thumbPrint, SchProtocols allowedProtocols)
  131.         {
  132.             if (s_CachedCreds.Count == 0) {
  133.                 GlobalLog.Print("TryCachedCredential() Not Found, Current Cache Count = " + s_CachedCreds.Count);
  134.                 return null;
  135.             }
  136.            
  137.             object key = new SslCredKey(thumbPrint, allowedProtocols);
  138.            
  139.             SafeCredentialReference cached = s_CachedCreds[key] as SafeCredentialReference;
  140.            
  141.             if (cached == null || cached.IsClosed || cached._Target.IsInvalid) {
  142.                 GlobalLog.Print("TryCachedCredential() Not Found, Current Cache Count = " + s_CachedCreds.Count);
  143.                 return null;
  144.             }
  145.            
  146.             GlobalLog.Print("TryCachedCredential() Found a cached Handle = " + cached._Target.ToString());
  147.            
  148.             return cached._Target;
  149.         }
  150.         //
  151.         // The app is calling this method after starting an SSL handshake.
  152.         //
  153.         // ATTN: The thumbPrint must be from inspected and possbly cloned user Cert object or we get a security hole in SslCredKey ctor.
  154.         //
  155.         static internal void CacheCredential(SafeFreeCredentials creds, byte[] thumbPrint, SchProtocols allowedProtocols)
  156.         {
  157.             GlobalLog.Assert(creds != null, "CacheCredential|creds == null");
  158.             if (creds.IsInvalid) {
  159.                 GlobalLog.Print("CacheCredential() Refused to cache an Invalid Handle = " + creds.ToString() + ", Current Cache Count = " + s_CachedCreds.Count);
  160.                 return;
  161.             }
  162.            
  163.             object key = new SslCredKey(thumbPrint, allowedProtocols);
  164.            
  165.             SafeCredentialReference cached = s_CachedCreds[key] as SafeCredentialReference;
  166.            
  167.             if (cached == null || cached.IsClosed || cached._Target.IsInvalid) {
  168.                 lock (s_CachedCreds) {
  169.                     cached = s_CachedCreds[key] as SafeCredentialReference;
  170.                    
  171.                     if (cached == null || cached.IsClosed) {
  172.                         cached = SafeCredentialReference.CreateReference(creds);
  173.                        
  174.                         if (cached == null) {
  175.                             // Means the handle got closed in between, return it back and let caller deal with the issue.
  176.                             return;
  177.                         }
  178.                        
  179.                         s_CachedCreds[key] = cached;
  180.                         GlobalLog.Print("CacheCredential() Caching New Handle = " + creds.ToString() + ", Current Cache Count = " + s_CachedCreds.Count);
  181.                        
  182.                         //
  183.                         // A simplest way of preventing infinite cache grows.
  184.                         //
  185.                         // Security relief (DoS):
  186.                         // A number of active creds is never greater than a number of _outstanding_
  187.                         // security sessions, i.e. ssl connections.
  188.                         // So we will try to shrink cache to the number of active creds once in a while.
  189.                         //
  190.                         // Just to make clear we won't shrink cache in the case when NO new handles are coming to it.
  191.                         //
  192.                         if ((s_CachedCreds.Count % c_CheckExpiredModulo) == 0) {
  193.                             DictionaryEntry[] toRemoveAttempt = new DictionaryEntry[s_CachedCreds.Count];
  194.                             s_CachedCreds.CopyTo(toRemoveAttempt, 0);
  195.                            
  196.                             for (int i = 0; i < toRemoveAttempt.Length; ++i) {
  197.                                 cached = toRemoveAttempt[i].Value as SafeCredentialReference;
  198.                                
  199.                                 if (cached != null) {
  200.                                     creds = cached._Target;
  201.                                     cached.Close();
  202.                                    
  203.                                     if (!creds.IsClosed && !creds.IsInvalid && (cached = SafeCredentialReference.CreateReference(creds)) != null)
  204.                                         s_CachedCreds[toRemoveAttempt[i].Key] = cached;
  205.                                     else
  206.                                         s_CachedCreds.Remove(toRemoveAttempt[i].Key);
  207.                                 }
  208.                             }
  209.                             GlobalLog.Print("Scavenged cache, New Cache Count = " + s_CachedCreds.Count);
  210.                         }
  211.                     }
  212.                     else {
  213.                         GlobalLog.Print("CacheCredential() (locked retry) Found already cached Handle = " + cached._Target.ToString());
  214.                     }
  215.                 }
  216.             }
  217.             else {
  218.                 GlobalLog.Print("CacheCredential() Ignoring incoming handle = " + creds.ToString() + " since found already cached Handle = " + cached._Target.ToString());
  219.             }
  220.         }
  221.     }
  222. }

Developer Fusion