Changeset 7ff6c6c in mod_gnutls for src/gnutls_hooks.c


Timestamp:
Nov 4, 2018, 4:55:35 PM (15 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master
Children:
c0fc11e
Parents:
99eb567
Message:

Add proof-of-concept SNI parser in a pre client hello hook

The SNI parser is complete, but right now the hook only retrieves the
SNI data and logs it. The goal is to select the right virtual host and
load ALPN parameters (and possibly others) before GnuTLS processes the
ClientHello message. That should make different "Protocols" directives
between virtual hosts work as expected.

File:
1 edited

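--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -23,4 +23,5 @@
 #include "gnutls_config.h"
 #include "gnutls_ocsp.h"
+#include "gnutls_sni.h"
 #include "gnutls_util.h"
 #include "gnutls_watchdog.h"
@@ -1032,4 +1033,35 @@
 }
 
+
+
+#ifdef ENABLE_EARLY_SNI
+static int early_sni_hook(gnutls_session_t session,
+                          unsigned int htype __attribute__((unused)),
+                          unsigned when __attribute__((unused)),
+                          unsigned int incoming,
+                          const gnutls_datum_t *msg)
+{
+    //assert(htype == GNUTLS_HANDSHAKE_CLIENT_HELLO);
+    //assert(when == GNUTLS_HOOK_PRE);
+    if (!incoming)
+        return 0;
+
+    mgs_handle_t *ctxt = (mgs_handle_t *) gnutls_session_get_ptr(session);
+    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                  "%s: Trying early SNI.",
+                  __func__);
+
+    int ret = gnutls_ext_raw_parse(session, mgs_sni_ext_hook, msg,
+                                   GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
+    if (ret == 0 && ctxt->sni_name != NULL)
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                      "%s: Early SNI result: %s",
+                      __func__, ctxt->sni_name);
+    return ret;
+}
+#endif
+
+
+
 /**
  * This function is intended as a cleanup handler for connections
@@ -1122,4 +1154,10 @@
         ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
                       "gnutls_priority_set failed!");
+#ifdef ENABLE_EARLY_SNI
+    /* Pre-handshake hook, EXPERIMENTAL */
+    gnutls_handshake_set_hook_function(ctxt->session,
+                                       GNUTLS_HANDSHAKE_CLIENT_HELLO,
+                                       GNUTLS_HOOK_PRE, early_sni_hook);
+#endif
     /* Set Handshake function */
     gnutls_handshake_set_post_client_hello_function(ctxt->session,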
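Review bot: In early_sni_hook (second hunk) the value of gnutls_ext_raw_parse() is returned unchanged, so a negative parse result from this pre-hook aborts the handshake even though, per the commit message, the hook only retrieves and logs the SNI value at this stage; GnuTLS validates the ClientHello itself afterwards, so for the proof-of-concept a parse failure could be logged and the hook return 0, e.g. `if (ret < 0) { ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c, "%s: early SNI parse failed: %s", __func__, gnutls_strerror(ret)); return 0; }` — unless failing fast is the intent, in which case a comment stating that a non-zero return aborts the handshake would make that deliberate. The two commented-out assert lines above the incoming check leave htype and when unchecked; since the hook is registered only for GNUTLS_HANDSHAKE_CLIENT_HELLO with GNUTLS_HOOK_PRE, either delete them or turn them into a guard, `if (htype != GNUTLS_HANDSHAKE_CLIENT_HELLO || when != GNUTLS_HOOK_PRE) return 0;`, and drop the unused attributes. The ctxt pointer from gnutls_session_get_ptr() is dereferenced without a check; presumably the session pointer is always set before any handshake hook can run, but a short header comment on early_sni_hook stating that assumption, that msg is the raw ClientHello, and what ctxt->sni_name holds on success would make the contract explicit.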