Changeset de3fad3 in mod_gnutls


Ignore:
Timestamp:
Oct 24, 2018, 12:56:08 PM (10 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master
Children:
20c3f7b
Parents:
15368a4
Message:

Require handshake and request to use the same server

The new check prevents clients from establishing a TLS connection to
one virtual host and then requesting data from another. This is
particularly important for servers using TLS client authentication as
the only means of access control, because the server context for
certificate validation is selected based on the TLS connection.

Files:
3 edited

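--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -431,4 +431,7 @@
 int mgs_hook_fixups(request_rec *r);
 
+/** Post request hook, checks if TLS connection and vhost match */
+int mgs_req_vhost_check(request_rec *r);
+
 int mgs_hook_authz(request_rec *r);
 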
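--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -1221,4 +1221,29 @@
 
 
+/* Post request hook, checks if TLS connection and vhost match */
+int mgs_req_vhost_check(request_rec *r)
+{
+    /* mod_gnutls server record for the request vhost */
+    mgs_srvconf_rec *r_sc = (mgs_srvconf_rec *)
+        ap_get_module_config(r->server->module_config, &gnutls_module);
+    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(r->connection);
+
+    /* Nothing to check for non-TLS and outgoing proxy connections */
+    if (ctxt == NULL || !ctxt->enabled || ctxt->is_proxy)
+        return DECLINED;
+
+    if (ctxt->sc != r_sc)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, ctxt->c,
+                      "%s: Mismatch between handshake and request servers!",
+                      __func__);
+        return HTTP_MISDIRECTED_REQUEST;
+    }
+
+    return DECLINED;
+}
+
+
+
 int mgs_hook_fixups(request_rec * r) {
     unsigned char sbuf[GNUTLS_MAX_SESSION_ID];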
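Review bot: The error logged at new lines 1237–1239 records only that a mismatch happened, not which vhost was negotiated during the handshake and which one the request asked for, which is exactly what an operator needs to tell a misconfigured ServerAlias apart from a deliberate cross-vhost request. Logging through the request attaches the request context to the log line, and the requested vhost name is available directly, e.g. `ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, "%s: Mismatch between handshake server and request host %s!", __func__, r->server->server_hostname);`; the handshake-side name can be added in the same way if mgs_srvconf_rec carries it. HTTP_MISDIRECTED_REQUEST only exists in more recent httpd headers, so if older httpd releases are still supported the new function needs a fallback definition; the supported range is not visible on this page.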
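--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -68,4 +68,7 @@
     /* Fixups Hook */
     ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);
+
+    /* Request hook: Check if TLS connection and request host match */
+    ap_hook_post_read_request(mgs_req_vhost_check, NULL, NULL, APR_HOOK_MIDDLE);
 
     /* TODO: HTTP Upgrade Filter */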