Changeset d827d0c in mod_gnutls for src

Timestamp:

May 30, 2020, 4:40:53 PM (8 months ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

asyncio, master

Children:

411d286

Parents:

b14f6ae

Message:

Create cache keys for proxy session tickets

The key is based on the vhost name, backend server hostname (from SNI)
or IP, and its port. The vhost name is included because different
vhosts may have different settings for the same backend server. Post
handshake auth is not supported for proxy connections, so we do not
need to consider auth IDs.

Location:

src

Files:

• gnutls_hooks.c (modified) (1 diff)
• gnutls_proxy.c (modified) (3 diffs)
• gnutls_proxy.h (modified) (2 diffs)

src/gnutls_hooks.c

@@ -1168 +1168 @@
                   __func__, dump.size);
     gnutls_free(dump.data);
+    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                  "%s: cache key for the session ticket is %s",
+                  __func__, mgs_proxy_ticket_id(ctxt, NULL));
     return GNUTLS_E_SUCCESS;
 }

src/gnutls_proxy.c

@@ -1 +1 @@
 /*
- *  Copyright 2015-2019 Fiona Klute
+ *  Copyright 2015-2020 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -294 +294 @@
 
 
-static void proxy_conn_set_sni(mgs_handle_t *ctxt)
+/**
+ * Returns either a valid hostname for use with SNI, or NULL.
+ */
+static const char *get_proxy_sni_name(mgs_handle_t *ctxt)
 {
     /* Get peer hostname from note left by mod_proxy */
     const char *peer_hostname =
         apr_table_get(ctxt->c->notes, PROXY_SNI_NOTE);
+
     /* Used only as target for apr_ipsubnet_create() */
     apr_ipsubnet_t *probe;
-    /* Check if the note is present (!= NULL) and NOT an IP
-     * address */
-    if ((peer_hostname) != NULL
+    /* If the note is present (!= NULL) check that the value is NOT an
+     * IP address, which wouldn't be valid for SNI. */
+    if ((peer_hostname != NULL)
         && (apr_ipsubnet_create(&probe, peer_hostname, NULL, ctxt->c->pool)
-            != APR_SUCCESS))
+            == APR_SUCCESS))
+        return NULL;
+
+    return peer_hostname;
+}
+
+
+
+static void proxy_conn_set_sni(mgs_handle_t *ctxt)
+{
+    const char *peer_hostname = get_proxy_sni_name(ctxt);
+    if (peer_hostname != NULL)
     {
         int ret = gnutls_server_name_set(ctxt->session, GNUTLS_NAME_DNS,
@@ -381 +396 @@
 
 
+char *mgs_proxy_ticket_id(mgs_handle_t *ctxt, apr_pool_t *pool)
+{
+    apr_pool_t *tmp;
+    if (pool)
+        tmp = pool;
+    else
+        tmp = ctxt->c->pool;
+
+    /* c->client_addr->port and c->client_ip actually contain
+     * information on the remote server for outgoing proxy
+     * connections, prefer SNI hostname over IP.
+     *
+     * The server_hostname is used to tie the cache entry to a
+     * specific vhost, because different vhosts may have different
+     * settings for the same backend server.
+     */
+    const char *peer_hostname = get_proxy_sni_name(ctxt);
+    return apr_psprintf(
+        tmp, "proxy:%s:%s:%d",
+        ctxt->c->base_server->server_hostname,
+        peer_hostname ? peer_hostname : ctxt->c->client_ip,
+        ctxt->c->client_addr->port);
+}
+
+
+
 void mgs_set_proxy_handshake_ext(mgs_handle_t *ctxt)
 {

src/gnutls_proxy.h

@@ -1 +1 @@
 /*
- *  Copyright 2015-2018 Fiona Klute
+ *  Copyright 2015-2020 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -42 +42 @@
 void mgs_set_proxy_handshake_ext(mgs_handle_t * ctxt);
 
+/**
+ * Create a cache key for a session ticket of a proxy connection.
+ *
+ * @param ctxt The proxy connection handle (mod_gnutls is client)
+ *
+ * @param pool Pool to allocate the string from, if `NULL` the
+ * connection pool is used
+ *
+ * @return string to be used as cache key
+ */
+char *mgs_proxy_ticket_id(mgs_handle_t *ctxt, apr_pool_t *pool);
+
 #endif /* __MOD_GNUTLS_PROXY_H__ */