Changeset 564f33f in mod_gnutls

Timestamp:

Dec 17, 2018, 4:39:50 PM (4 years ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

asyncio, debian/master, main, master, proxy-ticket

Children:

c7710cf

Parents:

0378c22

Message:

Move SNI and ALPN setup for proxy connections to gnutls_proxy.c

Location:

src

Files:

• gnutls_io.c (modified) (2 diffs)
• gnutls_proxy.c (modified) (2 diffs)
• gnutls_proxy.h (modified) (1 diff)

src/gnutls_io.c

@@ -20 +20 @@
 #include "mod_gnutls.h"
 #include "gnutls_proxy.h"
-#include <apr_strings.h>
 
 #ifdef APLOG_USE_MODULE
@@ -385 +384 @@
     }
 
-    /* Enable SNI for proxy connections */
+    /* Enable SNI and ALPN for proxy connections */
     if (ctxt->is_proxy == GNUTLS_ENABLED_TRUE)
-    {
-        /* Get peer hostname from note left by mod_proxy */
-        const char *peer_hostname =
-            apr_table_get(ctxt->c->notes, PROXY_SNI_NOTE);
-        /* Used only as target for apr_ipsubnet_create() */
-        apr_ipsubnet_t *probe;
-        /* Check if the note is present (!= NULL) and NOT an IP
-         * address */
-        if ((peer_hostname) != NULL
-            && (apr_ipsubnet_create(&probe, peer_hostname, NULL, ctxt->c->pool)
-                != APR_SUCCESS))
-        {
-            ret = gnutls_server_name_set(ctxt->session, GNUTLS_NAME_DNS,
-                                         peer_hostname, strlen(peer_hostname));
-            if (ret != GNUTLS_E_SUCCESS)
-                ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, ctxt->c,
-                              "Could not set SNI '%s' for proxy connection: "
-                              "%s (%d)",
-                              peer_hostname, gnutls_strerror(ret), ret);
-        }
-
-        const char *proxy_alpn =
-            apr_table_get(ctxt->c->notes, PROXY_ALPN_NOTE);
-        if (proxy_alpn != NULL)
-        {
-            // TODO: mod_ssl ssl_engine_io.c does some tokenization of
-            // the input string, so it looks like the API allows
-            // multiple protocols.
-            gnutls_datum_t alpn_proto = {
-                .data = (unsigned char *) apr_pstrdup(ctxt->c->pool, proxy_alpn),
-                .size = strlen(proxy_alpn)
-            };
-            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
-                          "%s: proxy module requests ALPN proto '%s', "
-                          "length %" APR_SIZE_T_FMT ".",
-                          __func__, proxy_alpn, strlen(proxy_alpn));
-            ret = gnutls_alpn_set_protocols(ctxt->session,
-                                            &alpn_proto,
-                                            1 /* number of proposals */,
-                                            0 /* flags */);
-            if (ret != GNUTLS_E_SUCCESS)
-                ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, ctxt->c,
-                              "Could not set ALPN proposal '%s' for proxy "
-                              "connection: %s (%d)",
-                              proxy_alpn, gnutls_strerror(ret), ret);
-        }
-    }
+        mgs_set_proxy_handshake_ext(ctxt);
 
 tryagain:

src/gnutls_proxy.c

@@ -19 +19 @@
 #include "gnutls_util.h"
 
+#include <apr_strings.h>
 #include <gnutls/gnutls.h>
 
@@ -290 +291 @@
     return ret;
 }
+
+
+
+static void proxy_conn_set_sni(mgs_handle_t *ctxt)
+{
+    /* Get peer hostname from note left by mod_proxy */
+    const char *peer_hostname =
+        apr_table_get(ctxt->c->notes, PROXY_SNI_NOTE);
+    /* Used only as target for apr_ipsubnet_create() */
+    apr_ipsubnet_t *probe;
+    /* Check if the note is present (!= NULL) and NOT an IP
+     * address */
+    if ((peer_hostname) != NULL
+        && (apr_ipsubnet_create(&probe, peer_hostname, NULL, ctxt->c->pool)
+            != APR_SUCCESS))
+    {
+        int ret = gnutls_server_name_set(ctxt->session, GNUTLS_NAME_DNS,
+                                         peer_hostname, strlen(peer_hostname));
+        if (ret != GNUTLS_E_SUCCESS)
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, ctxt->c,
+                          "Could not set SNI '%s' for proxy connection: "
+                          "%s (%d)",
+                          peer_hostname, gnutls_strerror(ret), ret);
+    }
+}
+
+
+
+static void proxy_conn_set_alpn(mgs_handle_t *ctxt)
+{
+    const char *proxy_alpn =
+        apr_table_get(ctxt->c->notes, PROXY_ALPN_NOTE);
+    if (proxy_alpn != NULL)
+    {
+        // TODO: mod_ssl ssl_engine_io.c does some tokenization of
+        // the input string, so it looks like the API allows
+        // multiple protocols.
+        gnutls_datum_t alpn_proto = {
+            .data = (unsigned char *) apr_pstrdup(ctxt->c->pool, proxy_alpn),
+            .size = strlen(proxy_alpn)
+        };
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                      "%s: proxy module requests ALPN proto '%s', "
+                      "length %" APR_SIZE_T_FMT ".",
+                      __func__, proxy_alpn, strlen(proxy_alpn));
+        int ret = gnutls_alpn_set_protocols(ctxt->session,
+                                            &alpn_proto,
+                                            1 /* number of proposals */,
+                                            0 /* flags */);
+        if (ret != GNUTLS_E_SUCCESS)
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, ctxt->c,
+                          "Could not set ALPN proposal '%s' for proxy "
+                          "connection: %s (%d)",
+                          proxy_alpn, gnutls_strerror(ret), ret);
+    }
+}
+
+
+
+void mgs_set_proxy_handshake_ext(mgs_handle_t *ctxt)
+{
+    proxy_conn_set_sni(ctxt);
+    proxy_conn_set_alpn(ctxt);
+}

src/gnutls_proxy.h

@@ -36 +36 @@
     __attribute__((nonnull));
 
+/**
+ * Configure extensions for the TLS handshake on proxy connections,
+ * currently SNI and ALPN.
+ */
+void mgs_set_proxy_handshake_ext(mgs_handle_t * ctxt);
+
 #endif /* __MOD_GNUTLS_PROXY_H__ */