Attachment #355168 for bug #471512




    AP_END_CMD
};

/* Implement 'modssl_run_npn_advertise_protos_hook'. */
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
    modssl, AP, int, npn_advertise_protos_hook,
    (conn_rec *connection, apr_array_header_t *protos),
    (connection, protos), OK, DECLINED);

/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
    modssl, AP, int, npn_proto_negotiated_hook,
    (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
    (connection, proto_name, proto_name_len), OK, DECLINED);

/*
 *  the various processing hooks
 */





APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));

/** The npn_advertise_protos optional hook allows other modules to add entries
 * to the list of protocol names advertised by the server during the Next
 * Protocol Negotiation (NPN) portion of the SSL handshake.  The hook callee is
 * given the connection and an APR array; it should push one or more char*'s
 * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
 * the array and return OK, or do nothing and return DECLINED. */
APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
                          (conn_rec *connection, apr_array_header_t *protos));

/** The npn_proto_negotiated optional hook allows other modules to discover the
 * name of the protocol that was chosen during the Next Protocol Negotiation
 * (NPN) portion of the SSL handshake.  Note that this may be the empty string
 * (in which case modules should probably assume HTTP), or it may be a protocol
 * that was never even advertised by the server.  The hook callee is given the
 * connection, a non-null-terminated string containing the protocol name, and
 * the length of the string; it should do something appropriate (i.e. insert or
 * remove filters) and return OK, or do nothing and return DECLINED. */
APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
                          (conn_rec *connection, const char *proto_name,
                           apr_size_t proto_name_len));

#endif /* __MOD_SSL_H__ */
/** @} */

Lines 725-730 Link Here

(-)modules/ssl/ssl_engine_init.c (+5 lines)
725	#endif	725	#endif
726		726
727	SSL_CTX_set_info_callback(ctx, ssl_callback_Info);	727	SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
		728
		729	#ifdef HAVE_TLS_NPN
		730	SSL_CTX_set_next_protos_advertised_cb(
		731	ctx, ssl_callback_AdvertiseNextProtos, NULL);
		732	#endif
728	}	733	}
729		734
730	static void ssl_init_ctx_verify(server_rec *s,	735	static void ssl_init_ctx_verify(server_rec *s,




    apr_pool_t *pool;
    char buffer[AP_IOBUFSIZE];
    ssl_filter_ctx_t *filter_ctx;
    int npn_finished;  /* 1 if NPN has finished, 0 otherwise */
} bio_filter_in_ctx_t;

/*

        APR_BRIGADE_INSERT_TAIL(bb, bucket);
    }

#ifdef HAVE_TLS_NPN
    /* By this point, Next Protocol Negotiation (NPN) should be completed (if
     * our version of OpenSSL supports it).  If we haven't already, find out
     * which protocol was decided upon and inform other modules by calling
     * npn_proto_negotiated_hook. */
    if (!inctx->npn_finished) {
        const unsigned char *next_proto = NULL;
        unsigned next_proto_len = 0;

        SSL_get0_next_proto_negotiated(
            inctx->ssl, &next_proto, &next_proto_len);
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
                      "SSL NPN negotiated protocol: '%s'",
                      apr_pstrmemdup(f->c->pool, (const char*)next_proto,
                                     next_proto_len));
        modssl_run_npn_proto_negotiated_hook(
            f->c, (const char*)next_proto, next_proto_len);
        inctx->npn_finished = 1;
    }
#endif

    return APR_SUCCESS;
}


    inctx->block = APR_BLOCK_READ;
    inctx->pool = c->pool;
    inctx->filter_ctx = filter_ctx;
    inctx->npn_finished = 0;
}

/* The request_rec pointer is passed in here only to ensure that the




}

#endif /* OPENSSL_NO_SRP */

#ifdef HAVE_TLS_NPN
/*
 * This callback function is executed when SSL needs to decide what protocols
 * to advertise during Next Protocol Negotiation (NPN).  It must produce a
 * string in wire format -- a sequence of length-prefixed strings -- indicating
 * the advertised protocols.  Refer to SSL_CTX_set_next_protos_advertised_cb
 * in OpenSSL for reference.
 */
int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
                                     unsigned int *size_out, void *arg)
{
    conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
    apr_array_header_t *protos;
    int num_protos;
    unsigned int size;
    int i;
    unsigned char *data;
    unsigned char *start;

    *data_out = NULL;
    *size_out = 0;

    /* If the connection object is not available, then there's nothing for us
     * to do. */
    if (c == NULL) {
        return SSL_TLSEXT_ERR_OK;
    }

    /* Invoke our npn_advertise_protos hook, giving other modules a chance to
     * add alternate protocol names to advertise. */
    protos = apr_array_make(c->pool, 0, sizeof(char*));
    modssl_run_npn_advertise_protos_hook(c, protos);
    num_protos = protos->nelts;

    /* We now have a list of null-terminated strings; we need to concatenate
     * them together into a single string, where each protocol name is prefixed
     * by its length.  First, calculate how long that string will be. */
    size = 0;
    for (i = 0; i < num_protos; ++i) {
        const char *string = APR_ARRAY_IDX(protos, i, const char*);
        apr_size_t length = strlen(string);
        /* If the protocol name is too long (the length must fit in one byte),
         * then log an error and skip it. */
        if (length > 255) {
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                          "SSL NPN protocol name too long (length=%u): %s",
                          length, string);
            continue;
        }
        /* Leave room for the length prefix (one byte) plus the protocol name
         * itself. */
        size += 1 + length;
    }

    /* If there is nothing to advertise (either because no modules added
     * anything to the protos array, or because all strings added to the array
     * were skipped), then we're done. */
    if (size == 0) {
        return SSL_TLSEXT_ERR_OK;
    }

    /* Now we can build the string.  Copy each protocol name string into the
     * larger string, prefixed by its length. */
    data = apr_palloc(c->pool, size * sizeof(unsigned char));
    start = data;
    for (i = 0; i < num_protos; ++i) {
        const char *string = APR_ARRAY_IDX(protos, i, const char*);
        apr_size_t length = strlen(string);
        /* If the protocol name is too long then skip it. */
        if (length > 255) continue;
        *start++ = (unsigned char)length;
        memcpy(start, string, length * sizeof(unsigned char));
        start += length;
    }

    /* Success. */
    *data_out = data;
    *size_out = size;
    return SSL_TLSEXT_ERR_OK;
}
#endif

Lines 842-847 Link Here

(-)modules/ssl/ssl_private.h (+1 lines)
842	int ssl_callback_SessionTicket(SSL , unsigned char , unsigned char *,	842	int ssl_callback_SessionTicket(SSL , unsigned char , unsigned char *,
843	EVP_CIPHER_CTX , HMAC_CTX , int);	843	EVP_CIPHER_CTX , HMAC_CTX , int);
844	#endif	844	#endif
		845	int ssl_callback_AdvertiseNextProtos(SSL ssl, const unsigned char data, unsigned int len, void *arg);
845		846
846	/** Session Cache Support */	847	/** Session Cache Support */
847	void ssl_scache_init(server_rec , apr_pool_t );	848	void ssl_scache_init(server_rec , apr_pool_t );

Lines 139-144 Link Here

(-)modules/ssl/ssl_private.h (+5 lines)
139	#define HAVE_FIPS	139	#define HAVE_FIPS
140	#endif	140	#endif
141		141
		142	#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
		143	&& !defined(OPENSSL_NO_TLSEXT)
		144	#define HAVE_TLS_NPN
		145	#endif
		146
142	#if (OPENSSL_VERSION_NUMBER >= 0x10000000)	147	#if (OPENSSL_VERSION_NUMBER >= 0x10000000)
143	#define MODSSL_SSL_CIPHER_CONST const	148	#define MODSSL_SSL_CIPHER_CONST const
144	#define MODSSL_SSL_METHOD_CONST const	149	#define MODSSL_SSL_METHOD_CONST const

Return to bug 471512

Lines 275-280 Link Here

(-)modules/ssl/mod_ssl.c (+12 lines)
275	AP_END_CMD	275	AP_END_CMD
276	};	276	};
277		277
		278	/* Implement 'modssl_run_npn_advertise_protos_hook'. */
		279	APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
		280	modssl, AP, int, npn_advertise_protos_hook,
		281	(conn_rec connection, apr_array_header_t protos),
		282	(connection, protos), OK, DECLINED);
		283
		284	/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
		285	APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
		286	modssl, AP, int, npn_proto_negotiated_hook,
		287	(conn_rec connection, const char proto_name, apr_size_t proto_name_len),
		288	(connection, proto_name, proto_name_len), OK, DECLINED);
		289
278	/*	290	/*
279	* the various processing hooks	291	* the various processing hooks
280	*/	292	*/

Lines 297-302 Link Here

(-)modules/ssl/ssl_engine_io.c (+23 lines)
297	apr_pool_t *pool;	298	apr_pool_t *pool;
298	char buffer[AP_IOBUFSIZE];	299	char buffer[AP_IOBUFSIZE];
299	ssl_filter_ctx_t *filter_ctx;	300	ssl_filter_ctx_t *filter_ctx;
		301	int npn_finished; /* 1 if NPN has finished, 0 otherwise */
300	} bio_filter_in_ctx_t;	302	} bio_filter_in_ctx_t;
301		303
302	/*	304	/*
Lines 1400-1405 Link Here
1400	APR_BRIGADE_INSERT_TAIL(bb, bucket);	1402	APR_BRIGADE_INSERT_TAIL(bb, bucket);
1401	}	1403	}
1402		1404
		1405	#ifdef HAVE_TLS_NPN
		1406	/* By this point, Next Protocol Negotiation (NPN) should be completed (if
		1407	* our version of OpenSSL supports it). If we haven't already, find out
		1408	* which protocol was decided upon and inform other modules by calling
		1409	* npn_proto_negotiated_hook. */
		1410	if (!inctx->npn_finished) {
		1411	const unsigned char *next_proto = NULL;
		1412	unsigned next_proto_len = 0;
		1413
		1414	SSL_get0_next_proto_negotiated(
		1415	inctx->ssl, &next_proto, &next_proto_len);
		1416	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
		1417	"SSL NPN negotiated protocol: '%s'",
		1418	apr_pstrmemdup(f->c->pool, (const char*)next_proto,
		1419	next_proto_len));
		1420	modssl_run_npn_proto_negotiated_hook(
		1421	f->c, (const char*)next_proto, next_proto_len);
		1422	inctx->npn_finished = 1;
		1423	}
		1424	#endif
		1425
1403	return APR_SUCCESS;	1426	return APR_SUCCESS;
1404	}	1427	}
1405		1428
Lines 1881-1886 Link Here
1881	inctx->block = APR_BLOCK_READ;	1903	inctx->block = APR_BLOCK_READ;
1882	inctx->pool = c->pool;	1904	inctx->pool = c->pool;
1883	inctx->filter_ctx = filter_ctx;	1905	inctx->filter_ctx = filter_ctx;
		1906	inctx->npn_finished = 0;
1884	}	1907	}
1885		1908
1886	/* The request_rec pointer is passed in here only to ensure that the	1909	/* The request_rec pointer is passed in here only to ensure that the

Lines 2186-2188 Link Here

(-)modules/ssl/ssl_engine_kernel.c (+82 lines)
2186	}	2187	}
2187		2188
2188	#endif /* OPENSSL_NO_SRP */	2189	#endif /* OPENSSL_NO_SRP */
		2190
		2191	#ifdef HAVE_TLS_NPN
		2192	/*
		2193	* This callback function is executed when SSL needs to decide what protocols
		2194	* to advertise during Next Protocol Negotiation (NPN). It must produce a
		2195	* string in wire format -- a sequence of length-prefixed strings -- indicating
		2196	* the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
		2197	* in OpenSSL for reference.
		2198	*/
		2199	int ssl_callback_AdvertiseNextProtos(SSL ssl, const unsigned char *data_out,
		2200	unsigned int size_out, void arg)
		2201	{
		2202	conn_rec c = (conn_rec)SSL_get_app_data(ssl);
		2203	apr_array_header_t *protos;
		2204	int num_protos;
		2205	unsigned int size;
		2206	int i;
		2207	unsigned char *data;
		2208	unsigned char *start;
		2209
		2210	*data_out = NULL;
		2211	*size_out = 0;
		2212
		2213	/* If the connection object is not available, then there's nothing for us
		2214	* to do. */
		2215	if (c == NULL) {
		2216	return SSL_TLSEXT_ERR_OK;
		2217	}
		2218
		2219	/* Invoke our npn_advertise_protos hook, giving other modules a chance to
		2220	* add alternate protocol names to advertise. */
		2221	protos = apr_array_make(c->pool, 0, sizeof(char*));
		2222	modssl_run_npn_advertise_protos_hook(c, protos);
		2223	num_protos = protos->nelts;
		2224
		2225	/* We now have a list of null-terminated strings; we need to concatenate
		2226	* them together into a single string, where each protocol name is prefixed
		2227	* by its length. First, calculate how long that string will be. */
		2228	size = 0;
		2229	for (i = 0; i < num_protos; ++i) {
		2230	const char string = APR_ARRAY_IDX(protos, i, const char);
		2231	apr_size_t length = strlen(string);
		2232	/* If the protocol name is too long (the length must fit in one byte),
		2233	* then log an error and skip it. */
		2234	if (length > 255) {
		2235	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
		2236	"SSL NPN protocol name too long (length=%u): %s",
		2237	length, string);
		2238	continue;
		2239	}
		2240	/* Leave room for the length prefix (one byte) plus the protocol name
		2241	* itself. */
		2242	size += 1 + length;
		2243	}
		2244
		2245	/* If there is nothing to advertise (either because no modules added
		2246	* anything to the protos array, or because all strings added to the array
		2247	* were skipped), then we're done. */
		2248	if (size == 0) {
		2249	return SSL_TLSEXT_ERR_OK;
		2250	}
		2251
		2252	/* Now we can build the string. Copy each protocol name string into the
		2253	* larger string, prefixed by its length. */
2254	data = apr_palloc(c->pool, size * sizeof(unsigned char));
2255	start = data;
2256	for (i = 0; i < num_protos; ++i) {
2257	const char string = APR_ARRAY_IDX(protos, i, const char);
2258	apr_size_t length = strlen(string);
2259	/* If the protocol name is too long then skip it. */
2260	if (length > 255) continue;
2261	*start++ = (unsigned char)length;
2262	memcpy(start, string, length * sizeof(unsigned char));
2263	start += length;
2264	}
2265
2266	/* Success. */
2267	*data_out = data;
2268	*size_out = size;
2269	return SSL_TLSEXT_ERR_OK;
2270	}
2271	#endif

Lines 63-67 Link Here

(-)modules/ssl/mod_ssl.h (+21 lines)
63		63
64	APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));	64	APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
65		65
		66	/** The npn_advertise_protos optional hook allows other modules to add entries
		67	* to the list of protocol names advertised by the server during the Next
		68	* Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
		69	* given the connection and an APR array; it should push one or more char*'s
		70	* pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
		71	* the array and return OK, or do nothing and return DECLINED. */
		72	APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
		73	(conn_rec connection, apr_array_header_t protos));
		74
		75	/** The npn_proto_negotiated optional hook allows other modules to discover the
		76	* name of the protocol that was chosen during the Next Protocol Negotiation
		77	* (NPN) portion of the SSL handshake. Note that this may be the empty string
		78	* (in which case modules should probably assume HTTP), or it may be a protocol
		79	* that was never even advertised by the server. The hook callee is given the
		80	* connection, a non-null-terminated string containing the protocol name, and
		81	* the length of the string; it should do something appropriate (i.e. insert or
		82	* remove filters) and return OK, or do nothing and return DECLINED. */
		83	APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
		84	(conn_rec connection, const char proto_name,
		85	apr_size_t proto_name_len));
		86
66	#endif /* __MOD_SSL_H__ */	87	#endif /* __MOD_SSL_H__ */
67	/** @} */	88	/** @} */