Changeset 0da10eb in mod_gnutls

Timestamp:

Nov 21, 2018, 2:38:58 PM (20 months ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

debian/master, master, proxy-ticket

Children:

2ead314

Parents:

0020874

Message:

Document Early SNI related functions and rename the post client hello hook

Location:

src

Files:

• gnutls_hooks.c (modified) (5 diffs)
• gnutls_sni.c (modified) (4 diffs)

src/gnutls_hooks.c

@@ -351 +351 @@
 
 /**
- * Post client hello function for GnuTLS, used to configure the TLS
- * server based on virtual host configuration. Uses SNI to select the
- * virtual host if available.
+ * Post client hello hook function for GnuTLS. This function has two
+ * purposes: Firstly, it acts as a fallback for early_sni_hook(), by
+ * parsing SNI and selecting a virtual host based on it if
+ * necessary. Secondly, it calls ALPN processing.
  *
  * @param session the TLS session
@@ -360 +361 @@
  * definition
  */
-static int mgs_select_virtual_server_cb(gnutls_session_t session)
+static int post_client_hello_hook(gnutls_session_t session)
 {
     int ret = 0;
@@ -1022 +1023 @@
 
 #ifdef ENABLE_EARLY_SNI
+/**
+ * Pre client hello hook function for GnuTLS that implements early SNI
+ * processing using `gnutls_ext_raw_parse()` (available since GnuTLS
+ * 3.6.3). Reading the SNI (if any) before GnuTLS processes the client
+ * hello allows loading virtual host settings that cannot be changed
+ * in the post client hello hook, including ALPN proposals (required
+ * for HTTP/2 support using the `Protocols` directive). In addition to
+ * ALPN this function configures the server credentials.
+ *
+ * The function signature is required by the GnuTLS API.
+ *
+ * @param session the current session
+ * @param htype handshake message type
+ * @param when hook position relative to GnuTLS processing
+ * @param incoming true if the message is incoming, for client hello
+ * that means the hook is running on the server
+ * @param msg raw message data
+ *
+ * @return `GNUTLS_E_SUCCESS` or a GnuTLS error code
+ */
 static int early_sni_hook(gnutls_session_t session,
-                          unsigned int htype __attribute__((unused)),
-                          unsigned when __attribute__((unused)),
+                          unsigned int htype,
+                          unsigned when,
                           unsigned int incoming,
                           const gnutls_datum_t *msg)
@@ -1176 +1197 @@
     /* Post client hello hook (called after GnuTLS has parsed it) */
     gnutls_handshake_set_post_client_hello_function(ctxt->session,
-            mgs_select_virtual_server_cb);
+            post_client_hello_hook);
 
     /* Set GnuTLS user pointer, so we can access the module session
@@ -1182 +1203 @@
     gnutls_session_set_ptr(ctxt->session, ctxt);
 
-    /* If mod_gnutls is the TLS server, mgs_select_virtual_server_cb
-     * will load appropriate credentials during handshake. However,
+    /* If mod_gnutls is the TLS server, early_sni_hook (or
+     * post_client_hello_hook, if early SNI is not available) will
+     * load appropriate credentials during the handshake. However,
      * when handling a proxy backend connection, mod_gnutls acts as
      * TLS client and credentials must be loaded here. */

src/gnutls_sni.c

@@ -32 +32 @@
 #define SERVER_NAME_HDR_SIZE (sizeof(uint16_t) + sizeof(uint8_t))
 
+/**
+ * Read a 16 bit unsigned int in network byte order from the data,
+ * and return the value in host byte order.
+ */
 static inline uint16_t read_uint16(const unsigned char *data)
 {
@@ -43 +47 @@
 
 /**
- * APR port of GnuTLS' _gnutls_dnsname_is_valid() (from lib/str.h)
+ * Check if the string contains only alphanumeric characters, `-`, and
+ * `.`. APR port of GnuTLS' _gnutls_dnsname_is_valid() (from
+ * lib/str.h).
+ *
+ * @param str the string to check
+ * @param size length of the input string (must not include any
+ * terminating null byte)
+ *
+ * @return `1` if the string is a valid DNS name, `0` otherwise
  */
 static inline int is_valid_dnsname(const unsigned char *str, unsigned int size)
@@ -56 +68 @@
 
 /**
- * Callback for gnutls_ext_raw_parse(), called for each
- * extension. Check if the extension is a Server Name Indication,
- * parse if so. The SNI data structure is defined in [RFC 6066
- * Sec. 3](https://tools.ietf.org/html/rfc6066#section-3)
+ * Callback for gnutls_ext_raw_parse(), checks if the extension is a
+ * Server Name Indication, and tries to parse it if so. In case of
+ * success the requested hostname is stored in the mod_gnutls session
+ * context.
+ *
+ * See [RFC 6066 Sec. 3](https://tools.ietf.org/html/rfc6066#section-3)
+ * for the definition of the SNI data structure. The function
+ * signature is defined by the GnuTLS API.
+ *
+ * @param ctx must be the `gnutls_session_t` for the current
+ * connection
+ * @param tls_id TLS extension ID
+ * @param data the extension data
+ * @param size length of the extension data (bytes)
+ *
+ * @return `GNUTLS_E_SUCCESS` or a GnuTLS error code
  */
 int mgs_sni_ext_hook(void *ctx, unsigned tls_id,
@@ -136 +160 @@
         ctxt->sni_name = name;
     }
-    return 0;
+    return GNUTLS_E_SUCCESS;
 }