Changeset 33d812d in mod_gnutls

Timestamp:

May 26, 2020, 4:24:47 PM (3 years ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

asyncio, main, master, proxy-ticket

Children:

b14f6ae

Parents:

15ce4db

Message:

Retrieve received session tickets

The tickets aren't used yet. Making the handshake hook function work
requires a little rearrangement: GnuTLS supports only one handshake
hook function on a session, so the early SNI hook must be enabled only
on server session, and the new ticket hook only on client (proxy)
sessions.

File:

• src/gnutls_hooks.c (modified) (4 diffs)

src/gnutls_hooks.c

@@ -1130 +1130 @@
 }
 
+static int got_ticket_func(gnutls_session_t session,
+                           unsigned int htype,
+                           unsigned when,
+                           unsigned int incoming __attribute__((unused)),
+                           const gnutls_datum_t *msg __attribute__((unused)))
+{
+    /* Ignore all unexpected messages */
+    if (htype != GNUTLS_HANDSHAKE_NEW_SESSION_TICKET
+        || when != GNUTLS_HOOK_POST)
+        return GNUTLS_E_SUCCESS;
+
+    mgs_handle_t *ctxt = gnutls_session_get_ptr(session);
+    if (!(gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET))
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, ctxt->c,
+                      "%s called but session has no ticket!",
+                      __func__);
+        /* Tickets are optional, so don't break the session on
+         * errors. */
+        return GNUTLS_E_SUCCESS;
+    }
+
+    gnutls_datum_t dump;
+    int ret = gnutls_session_get_data2(session, &dump);
+    if (ret != GNUTLS_E_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                      "%s: error reading session ticket: %s (%d)",
+                      __func__, gnutls_strerror(ret), ret);
+        if (dump.data)
+            gnutls_free(dump.data);
+        return GNUTLS_E_SUCCESS;
+    }
+
+    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                  "%s: session ticket read (%u bytes)",
+                  __func__, dump.size);
+    gnutls_free(dump.data);
+    return GNUTLS_E_SUCCESS;
+}
+
 static void create_gnutls_handle(conn_rec * c)
 {
@@ -1156 +1197 @@
                           "gnutls_init for proxy connection failed: %s (%d)",
                           gnutls_strerror(err), err);
+        gnutls_handshake_set_hook_function(ctxt->session,
+                                           GNUTLS_HANDSHAKE_NEW_SESSION_TICKET,
+                                           GNUTLS_HOOK_POST, got_ticket_func);
     }
     else
@@ -1166 +1210 @@
                           "gnutls_init for server side failed: %s (%d)",
                           gnutls_strerror(err), err);
+
+        /* Pre-handshake hook for early SNI parsing */
+        gnutls_handshake_set_hook_function(ctxt->session,
+                                           GNUTLS_HANDSHAKE_CLIENT_HELLO,
+                                           GNUTLS_HOOK_PRE, early_sni_hook);
     }
 
@@ -1177 +1226 @@
         ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
                       "gnutls_priority_set failed!");
-
-    /* Pre-handshake hook for early SNI parsing */
-    gnutls_handshake_set_hook_function(ctxt->session,
-                                       GNUTLS_HANDSHAKE_CLIENT_HELLO,
-                                       GNUTLS_HOOK_PRE, early_sni_hook);
 
     /* Post client hello hook (called after GnuTLS has parsed it) */