Changeset 6fa6095 in mod_gnutls for src/gnutls_io.c


Ignore:
Timestamp:
Jan 21, 2020, 2:29:27 AM (9 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master, proxy-ticket
Children:
1c76ea7
Parents:
e24e3bf9
Message:

Partial post-handshake auth support

Needs proper error handling, especially for
GNUTLS_E_GOT_APPLICATION_DATA, which can randomly happen with requests
containing a body.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • src/gnutls_io.c

    re24e3bf9 r6fa6095  
    33 *  Copyright 2008 Nikos Mavrogiannopoulos
    44 *  Copyright 2011 Dash Shendy
    5  *  Copyright 2015-2019 Fiona Klute
     5 *  Copyright 2015-2020 Fiona Klute
    66 *
    77 *  Licensed under the Apache License, Version 2.0 (the "License");
     
    449449}
    450450
    451 int mgs_rehandshake(mgs_handle_t * ctxt) {
    452     int rv;
    453 
     451
     452
     453int mgs_reauth(mgs_handle_t * ctxt)
     454{
    454455    if (ctxt->session == NULL)
    455         return -1;
    456 
    457     rv = gnutls_rehandshake(ctxt->session);
    458 
    459     if (rv != 0) {
    460         /* the client did not want to rehandshake. goodbye */
     456        return GNUTLS_E_INVALID_REQUEST;
     457
     458    int rv = gnutls_reauth(ctxt->session, 0);
     459    // TODO: Handle non-fatal errors: GNUTLS_E_INTERRUPTED,
     460    // GNUTLS_E_AGAIN, GNUTLS_E_GOT_APPLICATION_DATA
     461
     462    /* GNUTLS_E_GOT_APPLICATION_DATA can (randomly, depending on
     463     * timing) happen with a request containing a body. According to
     464     * https://tools.ietf.org/html/rfc8446#appendix-E.1.2
     465     * post-handshake authentication proves that the authenticated
     466     * party is the one that did the handshake, so caching the data
     467     * is appropriate. */
     468    /* Allocate cache to content-length (if available), with an upper
     469     * limit to prevent resource exhaustion attacks. Do we have to
     470     * prevent creating multiple caches for one connection? */
     471    /* ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, */
     472    /*               "Request content: %s bytes", */
     473    /*               apr_table_get(r->headers_in, "Content-Length")); */
     474    /* If the cache is too small,
     475     * a) return HTTP_REQUEST_ENTITY_TOO_LARGE to the client
     476     * b) IF reauth was successful set Retry-After to immediately: */
     477    /* apr_table_setn(r->err_headers_out, "Retry-After", "0"); */
     478
     479    if (rv != GNUTLS_E_SUCCESS)
     480    {
    461481        ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,
    462                       "GnuTLS: Client Refused Rehandshake request.");
    463         return -1;
    464     }
    465 
    466     ctxt->status = 0;
    467 
    468     rv = gnutls_do_handshake(ctxt);
    469 
    470     return rv;
     482                      "Reauthentication failed: %s (%d)",
     483                      gnutls_strerror(rv), rv);
     484        return rv;
     485    }
     486
     487    return GNUTLS_E_SUCCESS;
    471488}
    472489
Note: See TracChangeset for help on using the changeset viewer.