Context Navigation

← Previous Changeset
Next Changeset →

Changeset c0fc11e in mod_gnutls

Timestamp:

Nov 5, 2018, 2:20:54 AM (10 months ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

debian/master, master

Children:

d4c1a4e

Parents:

7ff6c6c

Message:

Separate functions for default SNI and loading virtual host credentials

The default SNI method using gnutls_server_name_get() won't be
necessary with early SNI parsing, but needs to remain available as a
fallback for old GnuTLS versions.

Loading virtual host credentials should happen in a separate function
so it can easily happen in pre or post client hello hooks alike.

Files:

: 4 edited

include/mod_gnutls.h.in (modified) (1 diff)
src/gnutls_hooks.c (modified) (8 diffs)
src/gnutls_sni.c (modified) (1 diff)
src/gnutls_sni.h (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

include/mod_gnutls.h.in

r7ff6c6c	rc0fc11e
403	403	void mgs_config_dir_create(apr_pool_t p, char *dir);
404	404
405		~~mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);~~
406
407	405	const char mgs_store_cred_path(cmd_parms parms,
408	406	void *dummy __attribute__((unused)),

src/gnutls_hooks.c

-                      r7ff6c6c
+                      rc0fc11e
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
 /* use side==0 for server and side==1 for client */
+/** use side==0 for server and side==1 for client */
 static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, size_t export_cert_size);
+mgs_srvconf_rec* mgs_find_sni_server(mgs_handle_t *ctxt);
 static int mgs_status_hook(request_rec *r, int flags);
 #ifdef ENABLE_MSVA
 …
 /**
+ * (Re-)Load credentials and priorities for the connection. This is
+ * meant to be called after virtual host selection in the pre or post
+ * client hello hook.
+ */
+static int reload_session_credentials(mgs_handle_t *ctxt)
+{
+    int ret = 0;
+    gnutls_certificate_server_set_request(ctxt->session,
+                                          ctxt->sc->client_verify_mode);
+    /* Set x509 credentials */
+    gnutls_credentials_set(ctxt->session,
+                           GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs);
+    /* Set Anon credentials */
+    gnutls_credentials_set(ctxt->session, GNUTLS_CRD_ANON,
+                           ctxt->sc->anon_creds);
+#ifdef ENABLE_SRP
+        /* Set SRP credentials */
+    if (ctxt->sc->srp_tpasswd_conf_file != NULL && ctxt->sc->srp_tpasswd_file != NULL) {
+        gnutls_credentials_set(ctxt->session, GNUTLS_CRD_SRP,
+                               ctxt->sc->srp_creds);
+    }
+#endif
+    /* Enable session tickets */
+    if (session_ticket_key.data != NULL &&
+        ctxt->sc->tickets == GNUTLS_ENABLED_TRUE)
+    {
+        ret = gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key);
+        if (ret != GNUTLS_E_SUCCESS)
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
+                          "gnutls_session_ticket_enable_server failed: %s (%d)",
+                          gnutls_strerror(ret), ret);
+    }
+    /* Update the priorities - to avoid negotiating a ciphersuite that is not
+     * enabled on this virtual server. Note that here we ignore the version
+     * negotiation. */
+    ret = gnutls_priority_set(ctxt->session, ctxt->sc->priorities);
+    return ret;
+}
+/**
  * Post client hello function for GnuTLS, used to configure the TLS
  * server based on virtual host configuration. Uses SNI to select the
 …
     /* try to find a virtual host */
     mgs_srvconf_rec *tsc = mgs_find_sni_server(session);
+    mgs_srvconf_rec *tsc = mgs_find_sni_server(ctxt);
     if (tsc != NULL)
+    {
 …
+        }
+    gnutls_certificate_server_set_request(session, ctxt->sc->client_verify_mode);
+    /* Set x509 credentials */
+    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs);
+    /* Set Anon credentials */
+    gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds);
+#ifdef ENABLE_SRP
+        /* Set SRP credentials */
+    if (ctxt->sc->srp_tpasswd_conf_file != NULL && ctxt->sc->srp_tpasswd_file != NULL) {
+        gnutls_credentials_set(session, GNUTLS_CRD_SRP, ctxt->sc->srp_creds);
+    }
+#endif
+    /* Enable session tickets */
+    if (session_ticket_key.data != NULL &&
+        ctxt->sc->tickets == GNUTLS_ENABLED_TRUE)
+    {
+        ret = gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key);
+        if (ret != GNUTLS_E_SUCCESS)
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
+                          "gnutls_session_ticket_enable_server failed: %s (%d)",
+                          gnutls_strerror(ret), ret);
+    }
+    reload_session_credentials(ctxt);
     ret = process_alpn_result(ctxt);
     if (ret != GNUTLS_E_SUCCESS)
         return ret;
-    /* Update the priorities - to avoid negotiating a ciphersuite that is not
-     * enabled on this virtual server. Note that here we ignore the version
-     * negotiation. */
-    ret = gnutls_priority_set(session, ctxt->sc->priorities);
     /* actually it shouldn't fail since we have checked at startup */
 …
+}
+/**
+ * Default buffer size for SNI data, including the terminating NULL
+ * byte. The size matches what gnutls-cli uses initially.
+ */
+#define DEFAULT_SNI_HOST_LEN 256
 typedef struct {
 …
  * hello function.
+ *
  * @param session the GnuTLS session
+ * @param ctxt the mod_gnutls connection handle
+ *
  * @return either the matching mod_gnutls server config, or `NULL`
  */
 mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session)
+mgs_srvconf_rec *mgs_find_sni_server(mgs_handle_t *ctxt)
+{
+    mgs_handle_t *ctxt = gnutls_session_get_ptr(session);
+    char *sni_name = apr_palloc(ctxt->c->pool, DEFAULT_SNI_HOST_LEN);
+    size_t sni_len = DEFAULT_SNI_HOST_LEN;
+    unsigned int sni_type;
+    /* Search for a DNS SNI element. Note that RFC 6066 prohibits more
+     * than one server name per type. */
+    int sni_index = -1;
+    int rv = 0;
+    do {
+        /* The sni_index is incremented before each use, so if the
+         * loop terminates with a type match we will have the right
+         * one stored. */
+        rv = gnutls_server_name_get(session, sni_name,
+                                    &sni_len, &sni_type, ++sni_index);
+        if (rv == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+        {
+            ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_EGENERAL, ctxt->c,
+                          "%s: no DNS SNI found (last index: %d).",
+                          __func__, sni_index);
+            return NULL;
+        }
+    } while (sni_type != GNUTLS_NAME_DNS);
+    /* The (rv == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) path inside
+     * the loop above returns, so if we reach this point we have a DNS
+     * SNI at the current index. */
+    if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER)
+    {
+        /* Allocate a new buffer of the right size and retry */
+        sni_name = apr_palloc(ctxt->c->pool, sni_len);
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                      "%s: reallocated SNI data buffer for %" APR_SIZE_T_FMT
+                      " bytes.", __func__, sni_len);
+        rv = gnutls_server_name_get(session, sni_name,
+                                    &sni_len, &sni_type, sni_index);
+    }
+    /* Unless there's a bug in the GnuTLS API only GNUTLS_E_IDNA_ERROR
+     * can occur here, but a catch all is safer and no more
+     * complicated. */
+    if (rv != GNUTLS_E_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_INFO, APR_EGENERAL, ctxt->c,
+                      "%s: error while getting SNI DNS data: '%s' (%d).",
+                      __func__, gnutls_strerror(rv), rv);
+    if (ctxt->sni_name == NULL)
+    {
+        const char *sni_name = mgs_server_name_get(ctxt);
+        if (sni_name != NULL)
+            ctxt->sni_name = sni_name;
         return NULL;
+    }
 …
     ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
                   "%s: client requested server '%s'.",
+                  __func__, sni_name);
+    ctxt->sni_name = sni_name;
+                  __func__, ctxt->sni_name);
     /* Search for vhosts matching connection parameters and the
 …
         .ctxt = ctxt,
         .sc = NULL,
         .sni_name = sni_name
+        .sni_name = ctxt->sni_name
     };
     rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
+    int rv = ap_vhost_iterate_given_conn(ctxt->c, vhost_cb, &cbx);
     if (rv == 1) {
         return cbx.sc;

src/gnutls_sni.c

-                      r7ff6c6c
+                      rc0fc11e
     return 0;
+}
+/**
+ * Default buffer size for SNI data, including the terminating NULL
+ * byte. The size matches what gnutls-cli uses initially.
+ */
+#define DEFAULT_SNI_HOST_LEN 256
+const char* mgs_server_name_get(mgs_handle_t *ctxt)
+{
+    char *sni_name = apr_palloc(ctxt->c->pool, DEFAULT_SNI_HOST_LEN);
+    size_t sni_len = DEFAULT_SNI_HOST_LEN;
+    unsigned int sni_type;
+    /* Search for a DNS SNI element. Note that RFC 6066 prohibits more
+     * than one server name per type. */
+    int sni_index = -1;
+    int rv = 0;
+    do {
+        /* The sni_index is incremented before each use, so if the
+         * loop terminates with a type match we will have the right
+         * one stored. */
+        rv = gnutls_server_name_get(ctxt->session, sni_name,
+                                    &sni_len, &sni_type, ++sni_index);
+        if (rv == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+        {
+            ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_EGENERAL, ctxt->c,
+                          "%s: no DNS SNI found (last index: %d).",
+                          __func__, sni_index);
+            return NULL;
+        }
+    } while (sni_type != GNUTLS_NAME_DNS);
+    /* The (rv == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) path inside
+     * the loop above returns, so if we reach this point we have a DNS
+     * SNI at the current index. */
+    if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER)
+    {
+        /* Allocate a new buffer of the right size and retry */
+        sni_name = apr_palloc(ctxt->c->pool, sni_len);
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                      "%s: reallocated SNI data buffer for %" APR_SIZE_T_FMT
+                      " bytes.", __func__, sni_len);
+        rv = gnutls_server_name_get(ctxt->session, sni_name,
+                                    &sni_len, &sni_type, sni_index);
+    }
+    /* Unless there's a bug in the GnuTLS API only GNUTLS_E_IDNA_ERROR
+     * can occur here, but a catch all is safer and no more
+     * complicated. */
+    if (rv != GNUTLS_E_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_INFO, APR_EGENERAL, ctxt->c,
+                      "%s: error while getting SNI DNS data: '%s' (%d).",
+                      __func__, gnutls_strerror(rv), rv);
+        return NULL;
+    }
+    return sni_name;
+}

src/gnutls_sni.h

-                      r7ff6c6c
+                      rc0fc11e
                      const unsigned char *data, unsigned size);
+/**
+ * Wrapper for gnutls_server_name_get(): Retrieve SNI data from the
+ * TLS session associated with the connection, store it in a string
+ * allocated from the connection pool.
+ *
+ * Note that `ctxt->sni_name` is not automatically updated.
+ *
+ * @param ctxt the connection to read from
+ *
+ * @return the requested server name, or NULL.
+ */
+const char* mgs_server_name_get(mgs_handle_t *ctxt);
 #endif /* __MOD_GNUTLS_SNI_H__ */

Note: See TracChangeset for help on using the changeset viewer.