Changeset 836417f in mod_gnutls


Timestamp:
Apr 24, 2005, 8:34:34 PM (14 years ago)
Author:
Paul Querna <chip@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, msva, upstream
Children:
84cb5b2
Parents:
38435cc
Message:

Refactor finding the correct server record to fix resumed sessions.

Files:
3 edited

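--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -241,4 +241,5 @@
 void *mgs_config_dir_create(apr_pool_t *p, char *dir);
 
+mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);
 
 /* mod_gnutls Hooks. */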
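Review bot: The new `mgs_find_sni_server` prototype is now part of the module's public header but carries no comment on its contract, and in particular on the NULL return that both callers in this changeset test for. Something like `/* Look up the enabled vhost whose cert_cn matches the session's SNI name; returns NULL when no usable DNS name was sent or nothing matched, leaving the caller on the default server record. */` above the declaration would keep future callers from dereferencing the result unchecked.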
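--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -301,5 +301,5 @@
 {
     mgs_handle_t *ctxt;
-    gnutls_retr_st* ret;
+    mgs_srvconf_rec *sc;
     const char* sni_name;
 } vhost_cb_rec;
@@ -320,6 +320,4 @@
     if (ap_strcasecmp_match(x->sni_name, tsc->cert_cn) == 0) {
         /* found a match */
-        x->ret->cert.x509 = &tsc->cert_x509;
-        x->ret->key.x509 = tsc->privkey_x509;
 #if MOD_GNUTLS_DEBUG
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
@@ -331,10 +329,9 @@
          * things like ClientVerify.
          */
-        x->ctxt->sc = tsc;
+        x->sc = tsc;
         /* Shit. Crap. Dammit. We *really* should rehandshake here, as our
          * certificate structure *should* change when the server changes.
          * acccckkkkkk.
          */
-        gnutls_certificate_server_set_request(x->ctxt->session, x->ctxt->sc->client_verify_mode);
         return 1;
     }
@@ -343,5 +340,5 @@
 #endif
 
-static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st* ret)
+mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session)
 {
     int rv;
@@ -365,24 +362,20 @@
                      ctxt->c->base_server,
                      "GnuTLS: Only x509 Certificates are currently supported.");
-        return -1;
-    }
-
-    ret->type = GNUTLS_CRT_X509;
-    ret->ncerts = 1;
-    ret->deinit_all = 0;
+        return NULL;
+    }
    
     rv = gnutls_server_name_get(ctxt->session, sni_name,
                                 &data_len, &sni_type, 0);
-
+   
     if (rv != 0) {
-        goto use_default_crt;
-    }
-
+        return NULL;
+    }
+   
     if (sni_type != GNUTLS_NAME_DNS) {
         ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
                      ctxt->c->base_server,
                      "GnuTLS: Unknown type '%d' for SNI: "
-                     "'%s'", sni_type, sni_name);       
-        goto use_default_crt;
+                     "'%s'", sni_type, sni_name);
+        return NULL;
     }
    
@@ -393,10 +386,10 @@
 #if USING_2_1_RECENT
     cbx.ctxt = ctxt;
-    cbx.ret = ret;
+    cbx.sc = NULL;
     cbx.sni_name = sni_name;
-
+   
     rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
     if (rv == 1) {
-        return 0;
+        return cbx.sc;
     }
 #else
@@ -404,5 +397,5 @@
        
         tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
-                                                             &gnutls_module);
+                                                       &gnutls_module);
         if (tsc->enabled != GNUTLS_ENABLED_TRUE) {
             continue;
@@ -417,7 +410,4 @@
         /* The CN can contain a * -- this will match those too. */
         if (ap_strcasecmp_match(sni_name, tsc->cert_cn) == 0) {
-            /* found a match */
-            ret->cert.x509 = &tsc->cert_x509;
-            ret->key.x509 = tsc->privkey_x509;
 #if MOD_GNUTLS_DEBUG
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
@@ -426,23 +416,32 @@
                          "'%s' == '%s'", tsc->cert_cn, sni_name);
 #endif
-            ctxt->sc = tsc;
-            gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode);
-            return 0;
-        }
-    }
-#endif
-   
-    /**
-     * If the client does not support the Server Name Indication, give the default
-     * certificate for this server.
-     */
-use_default_crt:
+            return tsc;
+        }
+    }
+#endif
+    return NULL;
+}
+
+
+static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st* ret)
+{
+    mgs_handle_t *ctxt;
+    mgs_srvconf_rec *tsc;
+   
+    ctxt = gnutls_transport_get_ptr(session);
+
+    ret->type = GNUTLS_CRT_X509;
+    ret->ncerts = 1;
+    ret->deinit_all = 0;
+
+    tsc = mgs_find_sni_server(session);
+   
+    if (tsc != NULL) {
+        ctxt->sc = tsc;
+        gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode);
+    }
+   
     ret->cert.x509 = &ctxt->sc->cert_x509;
     ret->key.x509 = ctxt->sc->privkey_x509;
-#if MOD_GNUTLS_DEBUG
-    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
-                 ctxt->c->base_server,
-                 "GnuTLS: Using Default Certificate.");
-#endif
     return 0;
 }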
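Review bot: The fallback to the default server record in the new `cert_retrieve_fn` (the `tsc == NULL` case before `ret->cert.x509 = &ctxt->sc->cert_x509;`) is now silent, because the "GnuTLS: Using Default Certificate." debug log that the old `use_default_crt:` path emitted was dropped along with the label. Since `mgs_find_sni_server` returns NULL both when the client sent no SNI and when the name matched no enabled vhost, that log was the only trace of a name being served by the wrong certificate; restoring it as `} else { ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c->base_server, "GnuTLS: Using Default Certificate."); }` under the existing `#if MOD_GNUTLS_DEBUG` guard keeps the behaviour observable. The new definition of `mgs_find_sni_server` would also benefit from a header comment stating that contract, as it is now called from gnutls_io.c as well; its body is only partly visible in this hunk.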
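--- a/src/gnutls_io.c
+++ b/src/gnutls_io.c
@@ -400,4 +400,14 @@
         /* all done with the handshake */
         ctxt->status = 1;
+        /* If the session was resumed, we did not set the correct
+         * server_rec in ctxt->sc.  Go Find it. (ick!)
+         */
+        if (gnutls_session_is_resumed(ctxt->session)) {
+            mgs_srvconf_rec* sc;
+            sc = mgs_find_sni_server(ctxt->session);
+            if (sc) {
+                ctxt->sc = sc;
+            }
+        }
         return 0;
     }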
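Review bot: `ctxt->sc = sc;` on the resumed path replaces the server record without the `gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode);` that `cert_retrieve_fn` in gnutls_hooks.c pairs with the same assignment; if `client_verify_mode` is consulted after the handshake by later checks, a resumed connection would keep the default vhost's setting, which is worth confirming before relying on per-vhost verification. When `mgs_find_sni_server()` returns NULL the connection stays on whatever `ctxt->sc` held, with nothing logged; an `else` branch with a debug-level `ap_log_error` naming the unresolved resumption would make such cases visible. The enclosing function starts and ends outside the hunk.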