Changeset 0da10eb in mod_gnutls


Ignore:
Timestamp:
Nov 21, 2018, 2:38:58 PM (13 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master
Children:
2ead314
Parents:
0020874
Message:

Document Early SNI related functions and rename the post client hello hook

Location:
src
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • src/gnutls_hooks.c

    r0020874 r0da10eb  
    351351
    352352/**
    353  * Post client hello function for GnuTLS, used to configure the TLS
    354  * server based on virtual host configuration. Uses SNI to select the
    355  * virtual host if available.
     353 * Post client hello hook function for GnuTLS. This function has two
     354 * purposes: Firstly, it acts as a fallback for early_sni_hook(), by
     355 * parsing SNI and selecting a virtual host based on it if
     356 * necessary. Secondly, it calls ALPN processing.
    356357 *
    357358 * @param session the TLS session
     
    360361 * definition
    361362 */
    362 static int mgs_select_virtual_server_cb(gnutls_session_t session)
     363static int post_client_hello_hook(gnutls_session_t session)
    363364{
    364365    int ret = 0;
     
    10221023
    10231024#ifdef ENABLE_EARLY_SNI
     1025/**
     1026 * Pre client hello hook function for GnuTLS that implements early SNI
     1027 * processing using `gnutls_ext_raw_parse()` (available since GnuTLS
     1028 * 3.6.3). Reading the SNI (if any) before GnuTLS processes the client
     1029 * hello allows loading virtual host settings that cannot be changed
     1030 * in the post client hello hook, including ALPN proposals (required
     1031 * for HTTP/2 support using the `Protocols` directive). In addition to
     1032 * ALPN this function configures the server credentials.
     1033 *
     1034 * The function signature is required by the GnuTLS API.
     1035 *
     1036 * @param session the current session
     1037 * @param htype handshake message type
     1038 * @param when hook position relative to GnuTLS processing
     1039 * @param incoming true if the message is incoming, for client hello
     1040 * that means the hook is running on the server
     1041 * @param msg raw message data
     1042 *
     1043 * @return `GNUTLS_E_SUCCESS` or a GnuTLS error code
     1044 */
    10241045static int early_sni_hook(gnutls_session_t session,
    1025                           unsigned int htype __attribute__((unused)),
    1026                           unsigned when __attribute__((unused)),
     1046                          unsigned int htype,
     1047                          unsigned when,
    10271048                          unsigned int incoming,
    10281049                          const gnutls_datum_t *msg)
     
    11761197    /* Post client hello hook (called after GnuTLS has parsed it) */
    11771198    gnutls_handshake_set_post_client_hello_function(ctxt->session,
    1178             mgs_select_virtual_server_cb);
     1199            post_client_hello_hook);
    11791200
    11801201    /* Set GnuTLS user pointer, so we can access the module session
     
    11821203    gnutls_session_set_ptr(ctxt->session, ctxt);
    11831204
    1184     /* If mod_gnutls is the TLS server, mgs_select_virtual_server_cb
    1185      * will load appropriate credentials during handshake. However,
     1205    /* If mod_gnutls is the TLS server, early_sni_hook (or
     1206     * post_client_hello_hook, if early SNI is not available) will
     1207     * load appropriate credentials during the handshake. However,
    11861208     * when handling a proxy backend connection, mod_gnutls acts as
    11871209     * TLS client and credentials must be loaded here. */
  • src/gnutls_sni.c

    r0020874 r0da10eb  
    3232#define SERVER_NAME_HDR_SIZE (sizeof(uint16_t) + sizeof(uint8_t))
    3333
     34/**
     35 * Read a 16 bit unsigned int in network byte order from the data,
     36 * and return the value in host byte order.
     37 */
    3438static inline uint16_t read_uint16(const unsigned char *data)
    3539{
     
    4347
    4448/**
    45  * APR port of GnuTLS' _gnutls_dnsname_is_valid() (from lib/str.h)
     49 * Check if the string contains only alphanumeric characters, `-`, and
     50 * `.`. APR port of GnuTLS' _gnutls_dnsname_is_valid() (from
     51 * lib/str.h).
     52 *
     53 * @param str the string to check
     54 * @param size length of the input string (must not include any
     55 * terminating null byte)
     56 *
     57 * @return `1` if the string is a valid DNS name, `0` otherwise
    4658 */
    4759static inline int is_valid_dnsname(const unsigned char *str, unsigned int size)
     
    5668
    5769/**
    58  * Callback for gnutls_ext_raw_parse(), called for each
    59  * extension. Check if the extension is a Server Name Indication,
    60  * parse if so. The SNI data structure is defined in [RFC 6066
    61  * Sec. 3](https://tools.ietf.org/html/rfc6066#section-3)
     70 * Callback for gnutls_ext_raw_parse(), checks if the extension is a
     71 * Server Name Indication, and tries to parse it if so. In case of
     72 * success the requested hostname is stored in the mod_gnutls session
     73 * context.
     74 *
     75 * See [RFC 6066 Sec. 3](https://tools.ietf.org/html/rfc6066#section-3)
     76 * for the definition of the SNI data structure. The function
     77 * signature is defined by the GnuTLS API.
     78 *
     79 * @param ctx must be the `gnutls_session_t` for the current
     80 * connection
     81 * @param tls_id TLS extension ID
     82 * @param data the extension data
     83 * @param size length of the extension data (bytes)
     84 *
     85 * @return `GNUTLS_E_SUCCESS` or a GnuTLS error code
    6286 */
    6387int mgs_sni_ext_hook(void *ctx, unsigned tls_id,
     
    136160        ctxt->sni_name = name;
    137161    }
    138     return 0;
     162    return GNUTLS_E_SUCCESS;
    139163}
    140164
Note: See TracChangeset for help on using the changeset viewer.