Attachment #355170 for bug #471512




    AP_END_CMD
};

/* Implement 'modssl_run_npn_advertise_protos_hook'. */
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
    modssl, AP, int, npn_advertise_protos_hook,
    (conn_rec *connection, apr_array_header_t *protos),
    (connection, protos), OK, DECLINED);

/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
    modssl, AP, int, npn_proto_negotiated_hook,
    (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
    (connection, proto_name, proto_name_len), OK, DECLINED);

/*
 *  the various processing hooks
 */





APR_DECLARE_OPTIONAL_FN(apr_array_header_t *, ssl_extlist_by_oid, (request_rec *r, const char *oidstr));

/** The npn_advertise_protos optional hook allows other modules to add entries
 * to the list of protocol names advertised by the server during the Next
 * Protocol Negotiation (NPN) portion of the SSL handshake.  The hook callee is
 * given the connection and an APR array; it should push one or more char*'s
 * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
 * the array and return OK, or do nothing and return DECLINED. */
APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
                          (conn_rec *connection, apr_array_header_t *protos));

/** The npn_proto_negotiated optional hook allows other modules to discover the
 * name of the protocol that was chosen during the Next Protocol Negotiation
 * (NPN) portion of the SSL handshake.  Note that this may be the empty string
 * (in which case modules should probably assume HTTP), or it may be a protocol
 * that was never even advertised by the server.  The hook callee is given the
 * connection, a non-null-terminated string containing the protocol name, and
 * the length of the string; it should do something appropriate (i.e. insert or
 * remove filters) and return OK, or do nothing and return DECLINED. */
APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
                          (conn_rec *connection, const char *proto_name,
                           apr_size_t proto_name_len));

#endif /* __MOD_SSL_H__ */
/** @} */

Lines 601-606 Link Here

(-)modules/ssl/ssl_engine_init.c (+5 lines)
601	SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);	601	SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
602		602
603	SSL_CTX_set_info_callback(ctx, ssl_callback_Info);	603	SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
		604
		605	#ifdef HAVE_TLS_NPN
		606	SSL_CTX_set_next_protos_advertised_cb(
		607	ctx, ssl_callback_AdvertiseNextProtos, NULL);
		608	#endif
604	}	609	}
605		610
606	static void ssl_init_ctx_verify(server_rec *s,	611	static void ssl_init_ctx_verify(server_rec *s,




    apr_pool_t *pool;
    char buffer[AP_IOBUFSIZE];
    ssl_filter_ctx_t *filter_ctx;
    int npn_finished;  /* 1 if NPN has finished, 0 otherwise */
} bio_filter_in_ctx_t;

/*

        APR_BRIGADE_INSERT_TAIL(bb, bucket);
    }

#ifdef HAVE_TLS_NPN
    /* By this point, Next Protocol Negotiation (NPN) should be completed (if
     * our version of OpenSSL supports it).  If we haven't already, find out
     * which protocol was decided upon and inform other modules by calling
     * npn_proto_negotiated_hook. */
    if (!inctx->npn_finished) {
        const unsigned char *next_proto = NULL;
        unsigned next_proto_len = 0;

        SSL_get0_next_proto_negotiated(
            inctx->ssl, &next_proto, &next_proto_len);
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
                      "SSL NPN negotiated protocol: '%s'",
                      apr_pstrmemdup(f->c->pool, (const char*)next_proto,
                                     next_proto_len));
        modssl_run_npn_proto_negotiated_hook(
            f->c, (const char*)next_proto, next_proto_len);
        inctx->npn_finished = 1;
    }
#endif

    return APR_SUCCESS;
}


    inctx->block = APR_BLOCK_READ;
    inctx->pool = c->pool;
    inctx->filter_ctx = filter_ctx;
    inctx->npn_finished = 0;
}

void ssl_io_filter_init(conn_rec *c, SSL *ssl)




    return 0;
}
#endif

#ifdef HAVE_TLS_NPN
/*
 * This callback function is executed when SSL needs to decide what protocols
 * to advertise during Next Protocol Negotiation (NPN).  It must produce a
 * string in wire format -- a sequence of length-prefixed strings -- indicating
 * the advertised protocols.  Refer to SSL_CTX_set_next_protos_advertised_cb
 * in OpenSSL for reference.
 */
int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
                                     unsigned int *size_out, void *arg)
{
    conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
    apr_array_header_t *protos;
    int num_protos;
    unsigned int size;
    int i;
    unsigned char *data;
    unsigned char *start;

    *data_out = NULL;
    *size_out = 0;

    /* If the connection object is not available, then there's nothing for us
     * to do. */
    if (c == NULL) {
        return SSL_TLSEXT_ERR_OK;
    }

    /* Invoke our npn_advertise_protos hook, giving other modules a chance to
     * add alternate protocol names to advertise. */
    protos = apr_array_make(c->pool, 0, sizeof(char*));
    modssl_run_npn_advertise_protos_hook(c, protos);
    num_protos = protos->nelts;

    /* We now have a list of null-terminated strings; we need to concatenate
     * them together into a single string, where each protocol name is prefixed
     * by its length.  First, calculate how long that string will be. */
    size = 0;
    for (i = 0; i < num_protos; ++i) {
        const char *string = APR_ARRAY_IDX(protos, i, const char*);
        apr_size_t length = strlen(string);
        /* If the protocol name is too long (the length must fit in one byte),
         * then log an error and skip it. */
        if (length > 255) {
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                          "SSL NPN protocol name too long (length=%u): %s",
                          length, string);
            continue;
        }
        /* Leave room for the length prefix (one byte) plus the protocol name
         * itself. */
        size += 1 + length;
    }

    /* If there is nothing to advertise (either because no modules added
     * anything to the protos array, or because all strings added to the array
     * were skipped), then we're done. */
    if (size == 0) {
        return SSL_TLSEXT_ERR_OK;
    }

    /* Now we can build the string.  Copy each protocol name string into the
     * larger string, prefixed by its length. */
    data = apr_palloc(c->pool, size * sizeof(unsigned char));
    start = data;
    for (i = 0; i < num_protos; ++i) {
        const char *string = APR_ARRAY_IDX(protos, i, const char*);
        apr_size_t length = strlen(string);
        /* If the protocol name is too long then skip it. */
        if (length > 255) continue;
        *start++ = (unsigned char)length;
        memcpy(start, string, length * sizeof(unsigned char));
        start += length;
    }

    /* Success. */
    *data_out = data;
    *size_out = size;
    return SSL_TLSEXT_ERR_OK;
}
#endif

Lines 635-640 Link Here

(-)modules/ssl/ssl_private.h (+1 lines)
635	#ifndef OPENSSL_NO_TLSEXT	635	#ifndef OPENSSL_NO_TLSEXT
636	int ssl_callback_ServerNameIndication(SSL , int , modssl_ctx_t *);	636	int ssl_callback_ServerNameIndication(SSL , int , modssl_ctx_t *);
637	#endif	637	#endif
		638	int ssl_callback_AdvertiseNextProtos(SSL ssl, const unsigned char data, unsigned int len, void *arg);
638		639
639	/** Session Cache Support */	640	/** Session Cache Support */
640	void ssl_scache_init(server_rec , apr_pool_t );	641	void ssl_scache_init(server_rec , apr_pool_t );

Lines 145-150 Link Here

(-)modules/ssl/ssl_toolkit_compat.h (+5 lines)
145	#define HAVE_FIPS	145	#define HAVE_FIPS
146	#endif	146	#endif
147		147
		148	#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
		149	&& !defined(OPENSSL_NO_TLSEXT)
		150	#define HAVE_TLS_NPN
		151	#endif
		152
148	#ifndef PEM_F_DEF_CALLBACK	153	#ifndef PEM_F_DEF_CALLBACK
149	#ifdef PEM_F_PEM_DEF_CALLBACK	154	#ifdef PEM_F_PEM_DEF_CALLBACK
150	/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */	155	/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */

Return to bug 471512

Lines 237-242 Link Here

(-)modules/ssl/mod_ssl.c (+12 lines)
237	AP_END_CMD	237	AP_END_CMD
238	};	238	};
239		239
		240	/* Implement 'modssl_run_npn_advertise_protos_hook'. */
		241	APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
		242	modssl, AP, int, npn_advertise_protos_hook,
		243	(conn_rec connection, apr_array_header_t protos),
		244	(connection, protos), OK, DECLINED);
		245
		246	/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
		247	APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
		248	modssl, AP, int, npn_proto_negotiated_hook,
		249	(conn_rec connection, const char proto_name, apr_size_t proto_name_len),
		250	(connection, proto_name, proto_name_len), OK, DECLINED);
		251
240	/*	252	/*
241	* the various processing hooks	253	* the various processing hooks
242	*/	254	*/

Lines 338-343 Link Here

(-)modules/ssl/ssl_engine_io.c (+23 lines)
338	apr_pool_t *pool;	338	apr_pool_t *pool;
339	char buffer[AP_IOBUFSIZE];	339	char buffer[AP_IOBUFSIZE];
340	ssl_filter_ctx_t *filter_ctx;	340	ssl_filter_ctx_t *filter_ctx;
		341	int npn_finished; /* 1 if NPN has finished, 0 otherwise */
341	} bio_filter_in_ctx_t;	342	} bio_filter_in_ctx_t;
342		343
343	/*	344	/*
Lines 1448-1453 Link Here
1448	APR_BRIGADE_INSERT_TAIL(bb, bucket);	1449	APR_BRIGADE_INSERT_TAIL(bb, bucket);
1449	}	1450	}
1450		1451
		1452	#ifdef HAVE_TLS_NPN
		1453	/* By this point, Next Protocol Negotiation (NPN) should be completed (if
		1454	* our version of OpenSSL supports it). If we haven't already, find out
		1455	* which protocol was decided upon and inform other modules by calling
		1456	* npn_proto_negotiated_hook. */
		1457	if (!inctx->npn_finished) {
		1458	const unsigned char *next_proto = NULL;
		1459	unsigned next_proto_len = 0;
		1460
		1461	SSL_get0_next_proto_negotiated(
		1462	inctx->ssl, &next_proto, &next_proto_len);
		1463	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
		1464	"SSL NPN negotiated protocol: '%s'",
		1465	apr_pstrmemdup(f->c->pool, (const char*)next_proto,
		1466	next_proto_len));
		1467	modssl_run_npn_proto_negotiated_hook(
		1468	f->c, (const char*)next_proto, next_proto_len);
		1469	inctx->npn_finished = 1;
		1470	}
		1471	#endif
		1472
1451	return APR_SUCCESS;	1473	return APR_SUCCESS;
1452	}	1474	}
1453		1475
Lines 1792-1797 Link Here
1792	inctx->block = APR_BLOCK_READ;	1814	inctx->block = APR_BLOCK_READ;
1793	inctx->pool = c->pool;	1815	inctx->pool = c->pool;
1794	inctx->filter_ctx = filter_ctx;	1816	inctx->filter_ctx = filter_ctx;
		1817	inctx->npn_finished = 0;
1795	}	1818	}
1796		1819
1797	void ssl_io_filter_init(conn_rec c, SSL ssl)	1820	void ssl_io_filter_init(conn_rec c, SSL ssl)

Lines 2109-2111 Link Here

(-)modules/ssl/ssl_engine_kernel.c (+82 lines)
2109	return 0;	2109	return 0;
2110	}	2110	}
2111	#endif	2111	#endif
		2112
		2113	#ifdef HAVE_TLS_NPN
		2114	/*
		2115	* This callback function is executed when SSL needs to decide what protocols
		2116	* to advertise during Next Protocol Negotiation (NPN). It must produce a
		2117	* string in wire format -- a sequence of length-prefixed strings -- indicating
		2118	* the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
		2119	* in OpenSSL for reference.
		2120	*/
		2121	int ssl_callback_AdvertiseNextProtos(SSL ssl, const unsigned char *data_out,
		2122	unsigned int size_out, void arg)
		2123	{
		2124	conn_rec c = (conn_rec)SSL_get_app_data(ssl);
		2125	apr_array_header_t *protos;
		2126	int num_protos;
		2127	unsigned int size;
		2128	int i;
		2129	unsigned char *data;
		2130	unsigned char *start;
		2131
		2132	*data_out = NULL;
		2133	*size_out = 0;
		2134
		2135	/* If the connection object is not available, then there's nothing for us
		2136	* to do. */
		2137	if (c == NULL) {
		2138	return SSL_TLSEXT_ERR_OK;
		2139	}
		2140
		2141	/* Invoke our npn_advertise_protos hook, giving other modules a chance to
		2142	* add alternate protocol names to advertise. */
		2143	protos = apr_array_make(c->pool, 0, sizeof(char*));
		2144	modssl_run_npn_advertise_protos_hook(c, protos);
		2145	num_protos = protos->nelts;
		2146
		2147	/* We now have a list of null-terminated strings; we need to concatenate
		2148	* them together into a single string, where each protocol name is prefixed
		2149	* by its length. First, calculate how long that string will be. */
		2150	size = 0;
		2151	for (i = 0; i < num_protos; ++i) {
		2152	const char string = APR_ARRAY_IDX(protos, i, const char);
		2153	apr_size_t length = strlen(string);
		2154	/* If the protocol name is too long (the length must fit in one byte),
		2155	* then log an error and skip it. */
		2156	if (length > 255) {
		2157	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
		2158	"SSL NPN protocol name too long (length=%u): %s",
		2159	length, string);
		2160	continue;
		2161	}
		2162	/* Leave room for the length prefix (one byte) plus the protocol name
		2163	* itself. */
		2164	size += 1 + length;
		2165	}
		2166
		2167	/* If there is nothing to advertise (either because no modules added
		2168	* anything to the protos array, or because all strings added to the array
		2169	* were skipped), then we're done. */
		2170	if (size == 0) {
		2171	return SSL_TLSEXT_ERR_OK;
		2172	}
		2173
		2174	/* Now we can build the string. Copy each protocol name string into the
		2175	* larger string, prefixed by its length. */
2176	data = apr_palloc(c->pool, size * sizeof(unsigned char));
2177	start = data;
2178	for (i = 0; i < num_protos; ++i) {
2179	const char string = APR_ARRAY_IDX(protos, i, const char);
2180	apr_size_t length = strlen(string);
2181	/* If the protocol name is too long then skip it. */
2182	if (length > 255) continue;
2183	*start++ = (unsigned char)length;
2184	memcpy(start, string, length * sizeof(unsigned char));
2185	start += length;
2186	}
2187
2188	/* Success. */
2189	*data_out = data;
2190	*size_out = size;
2191	return SSL_TLSEXT_ERR_OK;
2192	}
2193	#endif

Lines 64-68 Link Here

(-)modules/ssl/mod_ssl.h (+21 lines)
64		64
65	APR_DECLARE_OPTIONAL_FN(apr_array_header_t , ssl_extlist_by_oid, (request_rec r, const char *oidstr));	65	APR_DECLARE_OPTIONAL_FN(apr_array_header_t , ssl_extlist_by_oid, (request_rec r, const char *oidstr));
66		66
		67	/** The npn_advertise_protos optional hook allows other modules to add entries
		68	* to the list of protocol names advertised by the server during the Next
		69	* Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
		70	* given the connection and an APR array; it should push one or more char*'s
		71	* pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
		72	* the array and return OK, or do nothing and return DECLINED. */
		73	APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
		74	(conn_rec connection, apr_array_header_t protos));
		75
		76	/** The npn_proto_negotiated optional hook allows other modules to discover the
		77	* name of the protocol that was chosen during the Next Protocol Negotiation
		78	* (NPN) portion of the SSL handshake. Note that this may be the empty string
		79	* (in which case modules should probably assume HTTP), or it may be a protocol
		80	* that was never even advertised by the server. The hook callee is given the
		81	* connection, a non-null-terminated string containing the protocol name, and
		82	* the length of the string; it should do something appropriate (i.e. insert or
		83	* remove filters) and return OK, or do nothing and return DECLINED. */
		84	APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
		85	(conn_rec connection, const char proto_name,
		86	apr_size_t proto_name_len));
		87
67	#endif /* __MOD_SSL_H__ */	88	#endif /* __MOD_SSL_H__ */
68	/** @} */	89	/** @} */