Attachment #349444 for bug #471592




    AP_END_CMD
};

/* Implement 'modssl_run_npn_advertise_protos_hook'. */
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
    modssl, AP, int, npn_advertise_protos_hook,
    (conn_rec *connection, apr_array_header_t *protos),
    (connection, protos), OK, DECLINED);

/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
    modssl, AP, int, npn_proto_negotiated_hook,
    (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
    (connection, proto_name, proto_name_len), OK, DECLINED);

/*
 *  the various processing hooks
 */





APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));

/** The npn_advertise_protos optional hook allows other modules to add entries
 * to the list of protocol names advertised by the server during the Next
 * Protocol Negotiation (NPN) portion of the SSL handshake.  The hook callee is
 * given the connection and an APR array; it should push one or more char*'s
 * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
 * the array and return OK, or do nothing and return DECLINED. */
APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
                          (conn_rec *connection, apr_array_header_t *protos));

/** The npn_proto_negotiated optional hook allows other modules to discover the
 * name of the protocol that was chosen during the Next Protocol Negotiation
 * (NPN) portion of the SSL handshake.  Note that this may be the empty string
 * (in which case modules should probably assume HTTP), or it may be a protocol
 * that was never even advertised by the server.  The hook callee is given the
 * connection, a non-null-terminated string containing the protocol name, and
 * the length of the string; it should do something appropriate (i.e. insert or
 * remove filters) and return OK, or do nothing and return DECLINED. */
APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
                          (conn_rec *connection, const char *proto_name,
                           apr_size_t proto_name_len));

#endif /* __MOD_SSL_H__ */
/** @} */

Lines 725-730 Link Here

(-)modules/ssl/ssl_engine_init.c (+5 lines)
725	#endif	725	#endif
726		726
727	SSL_CTX_set_info_callback(ctx, ssl_callback_Info);	727	SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
		728
		729	#ifdef HAVE_TLS_NPN
		730	SSL_CTX_set_next_protos_advertised_cb(
		731	ctx, ssl_callback_AdvertiseNextProtos, NULL);
		732	#endif
728	}	733	}
729		734
730	static void ssl_init_ctx_verify(server_rec *s,	735	static void ssl_init_ctx_verify(server_rec *s,




    apr_pool_t *pool;
    char buffer[AP_IOBUFSIZE];
    ssl_filter_ctx_t *filter_ctx;
    int npn_finished;  /* 1 if NPN has finished, 0 otherwise */
} bio_filter_in_ctx_t;

/*

        APR_BRIGADE_INSERT_TAIL(bb, bucket);
    }

#ifdef HAVE_TLS_NPN
    /* By this point, Next Protocol Negotiation (NPN) should be completed (if
     * our version of OpenSSL supports it).  If we haven't already, find out
     * which protocol was decided upon and inform other modules by calling
     * npn_proto_negotiated_hook. */
    if (!inctx->npn_finished) {
        const unsigned char *next_proto = NULL;
        unsigned next_proto_len = 0;

        SSL_get0_next_proto_negotiated(
            inctx->ssl, &next_proto, &next_proto_len);
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
                      "SSL NPN negotiated protocol: '%s'",
                      apr_pstrmemdup(f->c->pool, (const char*)next_proto,
                                     next_proto_len));
        modssl_run_npn_proto_negotiated_hook(
            f->c, (const char*)next_proto, next_proto_len);
        inctx->npn_finished = 1;
    }
#endif

    return APR_SUCCESS;
}


    inctx->block = APR_BLOCK_READ;
    inctx->pool = c->pool;
    inctx->filter_ctx = filter_ctx;
    inctx->npn_finished = 0;
}

/* The request_rec pointer is passed in here only to ensure that the




}

#endif /* OPENSSL_NO_SRP */

#ifdef HAVE_TLS_NPN
/*
 * This callback function is executed when SSL needs to decide what protocols
 * to advertise during Next Protocol Negotiation (NPN).  It must produce a
 * string in wire format -- a sequence of length-prefixed strings -- indicating
 * the advertised protocols.  Refer to SSL_CTX_set_next_protos_advertised_cb
 * in OpenSSL for reference.
 */
int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
                                     unsigned int *size_out, void *arg)
{
    conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
    apr_array_header_t *protos;
    int num_protos;
    unsigned int size;
    int i;
    unsigned char *data;
    unsigned char *start;

    *data_out = NULL;
    *size_out = 0;

    /* If the connection object is not available, then there's nothing for us
     * to do. */
    if (c == NULL) {
        return SSL_TLSEXT_ERR_OK;
    }

    /* Invoke our npn_advertise_protos hook, giving other modules a chance to
     * add alternate protocol names to advertise. */
    protos = apr_array_make(c->pool, 0, sizeof(char*));
    modssl_run_npn_advertise_protos_hook(c, protos);
    num_protos = protos->nelts;

    /* We now have a list of null-terminated strings; we need to concatenate
     * them together into a single string, where each protocol name is prefixed
     * by its length.  First, calculate how long that string will be. */
    size = 0;
    for (i = 0; i < num_protos; ++i) {
        const char *string = APR_ARRAY_IDX(protos, i, const char*);
        unsigned int length = strlen(string);
        /* If the protocol name is too long (the length must fit in one byte),
         * then log an error and skip it. */
        if (length > 255) {
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                          "SSL NPN protocol name too long (length=%u): %s",
                          length, string);
            continue;
        }
        /* Leave room for the length prefix (one byte) plus the protocol name
         * itself. */
        size += 1 + length;
    }

    /* If there is nothing to advertise (either because no modules added
     * anything to the protos array, or because all strings added to the array
     * were skipped), then we're done. */
    if (size == 0) {
        return SSL_TLSEXT_ERR_OK;
    }

    /* Now we can build the string.  Copy each protocol name string into the
     * larger string, prefixed by its length. */
    data = apr_palloc(c->pool, size * sizeof(unsigned char));
    start = data;
    for (i = 0; i < num_protos; ++i) {
        const char *string = APR_ARRAY_IDX(protos, i, const char*);
        apr_size_t length = strlen(string);
        *start = (unsigned char)length;
        ++start;
        memcpy(start, string, length * sizeof(unsigned char));
        start += length;
    }

    /* Success. */
    *data_out = data;
    *size_out = size;
    return SSL_TLSEXT_ERR_OK;
}
#endif

Lines 149-154 Link Here

(-)modules/ssl/ssl_private.h (+6 lines)
149	#define OPENSSL_NO_EC	149	#define OPENSSL_NO_EC
150	#endif	150	#endif
151		151
		152	#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
		153	&& !defined(OPENSSL_NO_TLSEXT)
		154	#define HAVE_TLS_NPN
		155	#endif
		156
152	#ifndef PEM_F_DEF_CALLBACK	157	#ifndef PEM_F_DEF_CALLBACK
153	#ifdef PEM_F_PEM_DEF_CALLBACK	158	#ifdef PEM_F_PEM_DEF_CALLBACK
154	/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */	159	/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */
Lines 614-619 Link Here
614	unsigned char aes_key[16];	619	unsigned char aes_key[16];
615	} modssl_ticket_key_t;	620	} modssl_ticket_key_t;
616	#endif	621	#endif
		622	int ssl_callback_AdvertiseNextProtos(SSL ssl, const unsigned char data, unsigned int len, void *arg);
617		623
618	typedef struct SSLSrvConfigRec SSLSrvConfigRec;	624	typedef struct SSLSrvConfigRec SSLSrvConfigRec;
619		625

Return to bug 471592

Lines 272-277 Link Here

(-)modules/ssl/mod_ssl.c (+12 lines)
272	AP_END_CMD	272	AP_END_CMD
273	};	273	};
274		274
		275	/* Implement 'modssl_run_npn_advertise_protos_hook'. */
		276	APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
		277	modssl, AP, int, npn_advertise_protos_hook,
		278	(conn_rec connection, apr_array_header_t protos),
		279	(connection, protos), OK, DECLINED);
		280
		281	/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
		282	APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
		283	modssl, AP, int, npn_proto_negotiated_hook,
		284	(conn_rec connection, const char proto_name, apr_size_t proto_name_len),
		285	(connection, proto_name, proto_name_len), OK, DECLINED);
		286
275	/*	287	/*
276	* the various processing hooks	288	* the various processing hooks
277	*/	289	*/

Lines 63-67 Link Here

(-)modules/ssl/mod_ssl.h (+21 lines)
63		63
64	APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));	64	APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
65		65
		66	/** The npn_advertise_protos optional hook allows other modules to add entries
		67	* to the list of protocol names advertised by the server during the Next
		68	* Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
		69	* given the connection and an APR array; it should push one or more char*'s
		70	* pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
		71	* the array and return OK, or do nothing and return DECLINED. */
		72	APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
		73	(conn_rec connection, apr_array_header_t protos));
		74
		75	/** The npn_proto_negotiated optional hook allows other modules to discover the
		76	* name of the protocol that was chosen during the Next Protocol Negotiation
		77	* (NPN) portion of the SSL handshake. Note that this may be the empty string
		78	* (in which case modules should probably assume HTTP), or it may be a protocol
		79	* that was never even advertised by the server. The hook callee is given the
		80	* connection, a non-null-terminated string containing the protocol name, and
		81	* the length of the string; it should do something appropriate (i.e. insert or
		82	* remove filters) and return OK, or do nothing and return DECLINED. */
		83	APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
		84	(conn_rec connection, const char proto_name,
		85	apr_size_t proto_name_len));
		86
66	#endif /* __MOD_SSL_H__ */	87	#endif /* __MOD_SSL_H__ */
67	/** @} */	88	/** @} */

Lines 297-302 Link Here

(-)modules/ssl/ssl_engine_io.c (+23 lines)
297	apr_pool_t *pool;	297	apr_pool_t *pool;
298	char buffer[AP_IOBUFSIZE];	298	char buffer[AP_IOBUFSIZE];
299	ssl_filter_ctx_t *filter_ctx;	299	ssl_filter_ctx_t *filter_ctx;
		300	int npn_finished; /* 1 if NPN has finished, 0 otherwise */
300	} bio_filter_in_ctx_t;	301	} bio_filter_in_ctx_t;
301		302
302	/*	303	/*
Lines 1385-1390 Link Here
1385	APR_BRIGADE_INSERT_TAIL(bb, bucket);	1386	APR_BRIGADE_INSERT_TAIL(bb, bucket);
1386	}	1387	}
1387		1388
		1389	#ifdef HAVE_TLS_NPN
		1390	/* By this point, Next Protocol Negotiation (NPN) should be completed (if
		1391	* our version of OpenSSL supports it). If we haven't already, find out
		1392	* which protocol was decided upon and inform other modules by calling
		1393	* npn_proto_negotiated_hook. */
		1394	if (!inctx->npn_finished) {
		1395	const unsigned char *next_proto = NULL;
		1396	unsigned next_proto_len = 0;
		1397
		1398	SSL_get0_next_proto_negotiated(
		1399	inctx->ssl, &next_proto, &next_proto_len);
		1400	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
		1401	"SSL NPN negotiated protocol: '%s'",
		1402	apr_pstrmemdup(f->c->pool, (const char*)next_proto,
		1403	next_proto_len));
		1404	modssl_run_npn_proto_negotiated_hook(
		1405	f->c, (const char*)next_proto, next_proto_len);
		1406	inctx->npn_finished = 1;
		1407	}
		1408	#endif
		1409
1388	return APR_SUCCESS;	1410	return APR_SUCCESS;
1389	}	1411	}
1390		1412
Lines 1866-1871 Link Here
1866	inctx->block = APR_BLOCK_READ;	1888	inctx->block = APR_BLOCK_READ;
1867	inctx->pool = c->pool;	1889	inctx->pool = c->pool;
1868	inctx->filter_ctx = filter_ctx;	1890	inctx->filter_ctx = filter_ctx;
		1891	inctx->npn_finished = 0;
1869	}	1892	}
1870		1893
1871	/* The request_rec pointer is passed in here only to ensure that the	1894	/* The request_rec pointer is passed in here only to ensure that the

Lines 2186-2188 Link Here

(-)modules/ssl/ssl_engine_kernel.c (+81 lines)
2186	}	2186	}
2187		2187
2188	#endif /* OPENSSL_NO_SRP */	2188	#endif /* OPENSSL_NO_SRP */
		2189
		2190	#ifdef HAVE_TLS_NPN
		2191	/*
		2192	* This callback function is executed when SSL needs to decide what protocols
		2193	* to advertise during Next Protocol Negotiation (NPN). It must produce a
		2194	* string in wire format -- a sequence of length-prefixed strings -- indicating
		2195	* the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
		2196	* in OpenSSL for reference.
		2197	*/
		2198	int ssl_callback_AdvertiseNextProtos(SSL ssl, const unsigned char *data_out,
		2199	unsigned int size_out, void arg)
		2200	{
		2201	conn_rec c = (conn_rec)SSL_get_app_data(ssl);
		2202	apr_array_header_t *protos;
		2203	int num_protos;
		2204	unsigned int size;
		2205	int i;
		2206	unsigned char *data;
		2207	unsigned char *start;
		2208
		2209	*data_out = NULL;
		2210	*size_out = 0;
		2211
		2212	/* If the connection object is not available, then there's nothing for us
		2213	* to do. */
		2214	if (c == NULL) {
		2215	return SSL_TLSEXT_ERR_OK;
		2216	}
		2217
		2218	/* Invoke our npn_advertise_protos hook, giving other modules a chance to
		2219	* add alternate protocol names to advertise. */
		2220	protos = apr_array_make(c->pool, 0, sizeof(char*));
		2221	modssl_run_npn_advertise_protos_hook(c, protos);
		2222	num_protos = protos->nelts;
		2223
		2224	/* We now have a list of null-terminated strings; we need to concatenate
		2225	* them together into a single string, where each protocol name is prefixed
		2226	* by its length. First, calculate how long that string will be. */
		2227	size = 0;
		2228	for (i = 0; i < num_protos; ++i) {
		2229	const char string = APR_ARRAY_IDX(protos, i, const char);
		2230	unsigned int length = strlen(string);
		2231	/* If the protocol name is too long (the length must fit in one byte),
		2232	* then log an error and skip it. */
		2233	if (length > 255) {
		2234	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
		2235	"SSL NPN protocol name too long (length=%u): %s",
		2236	length, string);
		2237	continue;
		2238	}
		2239	/* Leave room for the length prefix (one byte) plus the protocol name
		2240	* itself. */
		2241	size += 1 + length;
		2242	}
		2243
		2244	/* If there is nothing to advertise (either because no modules added
		2245	* anything to the protos array, or because all strings added to the array
		2246	* were skipped), then we're done. */
		2247	if (size == 0) {
		2248	return SSL_TLSEXT_ERR_OK;
		2249	}
		2250
		2251	/* Now we can build the string. Copy each protocol name string into the
		2252	* larger string, prefixed by its length. */
2253	data = apr_palloc(c->pool, size * sizeof(unsigned char));
2254	start = data;
2255	for (i = 0; i < num_protos; ++i) {
2256	const char string = APR_ARRAY_IDX(protos, i, const char);
2257	apr_size_t length = strlen(string);
2258	*start = (unsigned char)length;
2259	++start;
2260	memcpy(start, string, length * sizeof(unsigned char));
2261	start += length;
2262	}
2263
2264	/* Success. */
2265	*data_out = data;
2266	*size_out = size;
2267	return SSL_TLSEXT_ERR_OK;
2268	}
2269	#endif