Changeset 7ff6c6c in mod_gnutls


Ignore:
Timestamp:
Nov 4, 2018, 4:55:35 PM (13 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master
Children:
c0fc11e
Parents:
99eb567
Message:

Add proof-of-concept SNI parser in a pre client hello hook

The SNI parser is complete, but right now the hook only retrieves the
SNI data and logs it. The goal is to select the right virtual host and
load ALPN parameters (and possibly others) before GnuTLS processes the
ClientHello message. That should make different "Protocols" directives
between virtual hosts work as expected.

Files:
2 added
3 edited

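--- a/configure.ac
+++ b/configure.ac
@@ -67,7 +67,14 @@
 AC_SEARCH_LIBS([gnutls_srp_server_get_username], [gnutls], [], [use_srp="no"])
 
-SRP_CFLAGS=""
+GNUTLS_FEAT_CFLAGS=""
 if test "$use_srp" != "no"; then
-        SRP_CFLAGS="-DENABLE_SRP=1"
+        GNUTLS_FEAT_CFLAGS="-DENABLE_SRP=1"
+fi
+
+# check if the available GnuTLS library supports raw extension parsing
+AC_SEARCH_LIBS([gnutls_ext_raw_parse], [gnutls], [early_sni="yes"],
+        [early_sni="no"])
+if test "$early_sni" != "no"; then
+        GNUTLS_FEAT_CFLAGS="${GNUTLS_FEAT_CFLAGS} -DENABLE_EARLY_SNI"
 fi
 
@@ -223,5 +230,5 @@
 AC_PATH_PROGS([HTTP_CLI], [curl wget], [no])
 
-MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${SRP_CFLAGS} ${MSVA_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES} ${STRICT_CFLAGS}"
+MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${GNUTLS_FEAT_CFLAGS} ${MSVA_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES} ${STRICT_CFLAGS}"
 MODULE_LIBS="${LIBGNUTLS_LIBS}"
 
@@ -315,4 +322,5 @@
 echo "   * SRP Authentication:  ${use_srp}"
 echo "   * MSVA Client Verification:    ${use_msva}"
+echo "   * Early SNI (experimental):    ${early_sni}"
 echo "   * Build documentation: ${build_doc}"
 echo ""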
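--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -7,10 +7,10 @@
 
 mod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c \
-        gnutls_config.c gnutls_hooks.c gnutls_ocsp.c gnutls_util.c \
-        gnutls_watchdog.c
+        gnutls_config.c gnutls_hooks.c gnutls_ocsp.c gnutls_sni.c \
+        gnutls_util.c gnutls_watchdog.c
 mod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS}
 mod_gnutls_la_LDFLAGS = -module -avoid-version ${MODULE_LIBS}
-noinst_HEADERS = gnutls_cache.h gnutls_config.h gnutls_ocsp.h gnutls_util.h \
-        gnutls_watchdog.h
+noinst_HEADERS = gnutls_cache.h gnutls_config.h gnutls_ocsp.h gnutls_sni.h \
+        gnutls_util.h gnutls_watchdog.h
 
 apmodpkglib_LTLIBRARIES = mod_gnutls.la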
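--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -23,4 +23,5 @@
 #include "gnutls_config.h"
 #include "gnutls_ocsp.h"
+#include "gnutls_sni.h"
 #include "gnutls_util.h"
 #include "gnutls_watchdog.h"
@@ -1032,4 +1033,35 @@
 }
 
+
+
+#ifdef ENABLE_EARLY_SNI
+static int early_sni_hook(gnutls_session_t session,
+                          unsigned int htype __attribute__((unused)),
+                          unsigned when __attribute__((unused)),
+                          unsigned int incoming,
+                          const gnutls_datum_t *msg)
+{
+    //assert(htype == GNUTLS_HANDSHAKE_CLIENT_HELLO);
+    //assert(when == GNUTLS_HOOK_PRE);
+    if (!incoming)
+        return 0;
+
+    mgs_handle_t *ctxt = (mgs_handle_t *) gnutls_session_get_ptr(session);
+    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                  "%s: Trying early SNI.",
+                  __func__);
+
+    int ret = gnutls_ext_raw_parse(session, mgs_sni_ext_hook, msg,
+                                   GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
+    if (ret == 0 && ctxt->sni_name != NULL)
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                      "%s: Early SNI result: %s",
+                      __func__, ctxt->sni_name);
+    return ret;
+}
+#endif
+
+
+
 /**
  * This function is intended as a cleanup handler for connections
@@ -1122,4 +1154,10 @@
         ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
                       "gnutls_priority_set failed!");
+#ifdef ENABLE_EARLY_SNI
+    /* Pre-handshake hook, EXPERIMENTAL */
+    gnutls_handshake_set_hook_function(ctxt->session,
+                                       GNUTLS_HANDSHAKE_CLIENT_HELLO,
+                                       GNUTLS_HOOK_PRE, early_sni_hook);
+#endif
     /* Set Handshake function */
     gnutls_handshake_set_post_client_hello_function(ctxt->session,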
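Review bot: In the hunk adding early_sni_hook, a non-zero result from gnutls_ext_raw_parse is returned straight to GnuTLS, and per the handshake-hook contract that aborts the handshake with that error, so a ClientHello whose extension block this experimental parser rejects never reaches the existing post-client-hello SNI path that worked before this commit. If the early path is meant to be best-effort until it actually drives virtual-host selection, log the failure and return 0 so the established path still decides, e.g. `if (ret != 0) { ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c, "%s: early SNI parse failed: %s", __func__, gnutls_strerror(ret)); return 0; }`. ctxt is also dereferenced without a NULL check; if gnutls_session_get_ptr can be unset on any connection path that reaches this hook, guard it like the other hooks in this file do. The sni_name logged afterwards is client-supplied bytes from the ClientHello, and whether mgs_sni_ext_hook (in gnutls_sni.c, not part of this section) restricts it to valid hostname characters is not visible here — confirm that before the value is used to pick a virtual host. The two commented-out asserts should either become real checks on htype and when or be dropped rather than left as dead comments.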