Changeset 6fa6095 in mod_gnutls for src/gnutls_hooks.c


Timestamp:
Jan 21, 2020, 2:29:27 AM (9 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master, proxy-ticket
Children:
1c76ea7
Parents:
e24e3bf9
Message:

Partial post-handshake auth support

Needs proper error handling, especially for
GNUTLS_E_GOT_APPLICATION_DATA, which can randomly happen with requests
containing a body.

File:
1 edited

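--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -1171,5 +1171,6 @@
     {
         /* incoming connection, server mode */
-        err = gnutls_init(&ctxt->session, GNUTLS_SERVER);
+        err = gnutls_init(&ctxt->session,
+                          GNUTLS_SERVER | GNUTLS_POST_HANDSHAKE_AUTH);
         if (err != GNUTLS_E_SUCCESS)
             ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
@@ -1460,8 +1461,15 @@
         gnutls_certificate_get_peers(ctxt->session, &cert_list_size);
 
-    if (cert_list == NULL || cert_list_size == 0) {
+    /* We can reauthenticate the client if using TLS 1.3 and the
+     * client annouced support. Note that there may still not be any
+     * client certificate after. */
+    if ((cert_list == NULL || cert_list_size == 0)
+        && gnutls_protocol_get_version(ctxt->session) == GNUTLS_TLS1_3
+        && (gnutls_session_get_flags(ctxt->session)
+            & GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH))
+    {
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                      "%s: No certificate, attempting to rehandshake "
-                      "with peer (%d)",
+                      "%s: No certificate, attempting to reauthenticate "
+                      "peer (%d)",
                       __func__, client_verify_mode);
 
@@ -1483,7 +1491,5 @@
         gnutls_certificate_server_set_request(ctxt->session,
                                               client_verify_mode);
-        /* TODO: rehandshake code is broken and has been for years,
-         * replace with TLS 1.3 post-handshake auth. */
-        if (mgs_rehandshake(ctxt) != 0) {
+        if (mgs_reauth(ctxt) != GNUTLS_E_SUCCESS) {
             return HTTP_FORBIDDEN;
         }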
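Review bot: In the third hunk every non-success return from mgs_reauth() collapses into HTTP_FORBIDDEN with no log entry, so an operator cannot tell a client that simply did not present a certificate from a reauthentication that failed for an internal reason — and the commit message itself says GNUTLS_E_GOT_APPLICATION_DATA is still unhandled and can occur for requests carrying a body, which would turn those requests into silent 403s. Capturing the return value and logging it with gnutls_strerror() at APLOG_ERR before the existing return keeps the response unchanged while making the failure mode visible in the error log; the enclosing function starts and ends outside the hunk, so its other error paths cannot be checked here. Separately, the new comment in the second hunk has a typo: `client annouced support` should read `client announced support`.
```c
        gnutls_certificate_server_set_request(ctxt->session,
                                              client_verify_mode);
        int ret = mgs_reauth(ctxt);
        if (ret != GNUTLS_E_SUCCESS) {
            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                          "%s: reauthentication failed: %s (%d)",
                          __func__, gnutls_strerror(ret), ret);
            return HTTP_FORBIDDEN;
        }
```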