Changeset 0da10eb in mod_gnutls
- Timestamp:
- Nov 21, 2018, 2:38:58 PM (4 years ago)
- Branches:
- asyncio, debian/master, master, proxy-ticket
- Children:
- 2ead314
- Parents:
- 0020874
- Location:
- src
- Files:
-
- 2 edited
Legend:
- Unmodified
- Added
- Removed
-
src/gnutls_hooks.c
r0020874 r0da10eb 351 351 352 352 /** 353 * Post client hello function for GnuTLS, used to configure the TLS 354 * server based on virtual host configuration. Uses SNI to select the 355 * virtual host if available. 353 * Post client hello hook function for GnuTLS. This function has two 354 * purposes: Firstly, it acts as a fallback for early_sni_hook(), by 355 * parsing SNI and selecting a virtual host based on it if 356 * necessary. Secondly, it calls ALPN processing. 356 357 * 357 358 * @param session the TLS session … … 360 361 * definition 361 362 */ 362 static int mgs_select_virtual_server_cb(gnutls_session_t session)363 static int post_client_hello_hook(gnutls_session_t session) 363 364 { 364 365 int ret = 0; … … 1022 1023 1023 1024 #ifdef ENABLE_EARLY_SNI 1025 /** 1026 * Pre client hello hook function for GnuTLS that implements early SNI 1027 * processing using `gnutls_ext_raw_parse()` (available since GnuTLS 1028 * 3.6.3). Reading the SNI (if any) before GnuTLS processes the client 1029 * hello allows loading virtual host settings that cannot be changed 1030 * in the post client hello hook, including ALPN proposals (required 1031 * for HTTP/2 support using the `Protocols` directive). In addition to 1032 * ALPN this function configures the server credentials. 1033 * 1034 * The function signature is required by the GnuTLS API. 1035 * 1036 * @param session the current session 1037 * @param htype handshake message type 1038 * @param when hook position relative to GnuTLS processing 1039 * @param incoming true if the message is incoming, for client hello 1040 * that means the hook is running on the server 1041 * @param msg raw message data 1042 * 1043 * @return `GNUTLS_E_SUCCESS` or a GnuTLS error code 1044 */ 1024 1045 static int early_sni_hook(gnutls_session_t session, 1025 unsigned int htype __attribute__((unused)),1026 unsigned when __attribute__((unused)),1046 unsigned int htype, 1047 unsigned when, 1027 1048 unsigned int incoming, 1028 1049 const gnutls_datum_t *msg) … … 1176 1197 /* Post client hello hook (called after GnuTLS has parsed it) */ 1177 1198 gnutls_handshake_set_post_client_hello_function(ctxt->session, 1178 mgs_select_virtual_server_cb);1199 post_client_hello_hook); 1179 1200 1180 1201 /* Set GnuTLS user pointer, so we can access the module session … … 1182 1203 gnutls_session_set_ptr(ctxt->session, ctxt); 1183 1204 1184 /* If mod_gnutls is the TLS server, mgs_select_virtual_server_cb 1185 * will load appropriate credentials during handshake. However, 1205 /* If mod_gnutls is the TLS server, early_sni_hook (or 1206 * post_client_hello_hook, if early SNI is not available) will 1207 * load appropriate credentials during the handshake. However, 1186 1208 * when handling a proxy backend connection, mod_gnutls acts as 1187 1209 * TLS client and credentials must be loaded here. */ -
src/gnutls_sni.c
r0020874 r0da10eb 32 32 #define SERVER_NAME_HDR_SIZE (sizeof(uint16_t) + sizeof(uint8_t)) 33 33 34 /** 35 * Read a 16 bit unsigned int in network byte order from the data, 36 * and return the value in host byte order. 37 */ 34 38 static inline uint16_t read_uint16(const unsigned char *data) 35 39 { … … 43 47 44 48 /** 45 * APR port of GnuTLS' _gnutls_dnsname_is_valid() (from lib/str.h) 49 * Check if the string contains only alphanumeric characters, `-`, and 50 * `.`. APR port of GnuTLS' _gnutls_dnsname_is_valid() (from 51 * lib/str.h). 52 * 53 * @param str the string to check 54 * @param size length of the input string (must not include any 55 * terminating null byte) 56 * 57 * @return `1` if the string is a valid DNS name, `0` otherwise 46 58 */ 47 59 static inline int is_valid_dnsname(const unsigned char *str, unsigned int size) … … 56 68 57 69 /** 58 * Callback for gnutls_ext_raw_parse(), called for each 59 * extension. Check if the extension is a Server Name Indication, 60 * parse if so. The SNI data structure is defined in [RFC 6066 61 * Sec. 3](https://tools.ietf.org/html/rfc6066#section-3) 70 * Callback for gnutls_ext_raw_parse(), checks if the extension is a 71 * Server Name Indication, and tries to parse it if so. In case of 72 * success the requested hostname is stored in the mod_gnutls session 73 * context. 74 * 75 * See [RFC 6066 Sec. 3](https://tools.ietf.org/html/rfc6066#section-3) 76 * for the definition of the SNI data structure. The function 77 * signature is defined by the GnuTLS API. 78 * 79 * @param ctx must be the `gnutls_session_t` for the current 80 * connection 81 * @param tls_id TLS extension ID 82 * @param data the extension data 83 * @param size length of the extension data (bytes) 84 * 85 * @return `GNUTLS_E_SUCCESS` or a GnuTLS error code 62 86 */ 63 87 int mgs_sni_ext_hook(void *ctx, unsigned tls_id, … … 136 160 ctxt->sni_name = name; 137 161 } 138 return 0;162 return GNUTLS_E_SUCCESS; 139 163 } 140 164
Note: See TracChangeset
for help on using the changeset viewer.