Attachment #28486 for bug #52210

View | Details | Raw Unified | Return to bug 52210
Collapse All | Expand All




    AP_END_CMD
};

/* Implement 'ssl_run_npn_advertise_protos_hook'. */
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
    ssl, AP, int, npn_advertise_protos_hook,
    (conn_rec* connection, apr_array_header_t* protos),
    (connection, protos), OK, DECLINED);

/* Implement 'ssl_run_npn_proto_negotiated_hook'. */
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
    ssl, AP, int, npn_proto_negotiated_hook,
    (conn_rec* connection, const char* proto_name, apr_size_t proto_name_len),
    (connection, proto_name, proto_name_len), OK, DECLINED);

/*
 *  the various processing hooks
 */

Lines 807-812 Link Here

(-)modules/ssl/ssl_private.h (-1 / +1 lines)
807	int ssl_callback_SessionTicket(SSL , unsigned char , unsigned char *,	807	int ssl_callback_SessionTicket(SSL , unsigned char , unsigned char *,
808	EVP_CIPHER_CTX , HMAC_CTX , int);	808	EVP_CIPHER_CTX , HMAC_CTX , int);
809	#endif	809	#endif
		810	int ssl_callback_AdvertiseNextProtos(SSL ssl, const unsigned char data, unsigned int len, void *arg);
810		811
811	/** Session Cache Support */	812	/** Session Cache Support */
812	void ssl_scache_init(server_rec , apr_pool_t );	813	void ssl_scache_init(server_rec , apr_pool_t );
Lines 959-962 Link Here
959		960
960	#endif /* SSL_PRIVATE_H */	961	#endif /* SSL_PRIVATE_H */
961	/** @} */	962	/** @} */
962





APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));

/** The npn_advertise_protos optional hook allows other modules to add entries
 * to the list of protocol names advertised by the server during the Next
 * Protocol Negotiation (NPN) portion of the SSL handshake.  The hook callee is
 * given the connection and an APR array; it should push one or more char*'s
 * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
 * the array and return OK, or do nothing and return DECLINED. */
APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_advertise_protos_hook,
                          (conn_rec* connection, apr_array_header_t* protos));

/** The npn_proto_negotiated optional hook allows other modules to discover the
 * name of the protocol that was chosen during the Next Protocol Negotiation
 * (NPN) portion of the SSL handshake.  Note that this may be the empty string
 * (in which case modules should probably assume HTTP), or it may be a protocol
 * that was never even advertised by the server.  The hook callee is given the
 * connection, a non-null-terminated string containing the protocol name, and
 * the length of the string; it should do something appropriate (i.e. insert or
 * remove filters) and return OK, or do nothing and return DECLINED. */
APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_proto_negotiated_hook,
                          (conn_rec* connection, const char* proto_name,
                           apr_size_t proto_name_len));

#endif /* __MOD_SSL_H__ */
/** @} */

Lines 681-686 Link Here

(-)modules/ssl/ssl_engine_init.c (-1 / +5 lines)
681	#endif	681	#endif
682		682
683	SSL_CTX_set_info_callback(ctx, ssl_callback_Info);	683	SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
		684
		685	#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
		686	SSL_CTX_set_next_protos_advertised_cb(
		687	ctx, ssl_callback_AdvertiseNextProtos, NULL);
		688	#endif
684	}	689	}
685		690
686	static void ssl_init_ctx_verify(server_rec *s,	691	static void ssl_init_ctx_verify(server_rec *s,
Lines 1743-1746 Link Here
1743		1748
1744	return APR_SUCCESS;	1749	return APR_SUCCESS;
1745	}	1750	}
1746




                                  core keeps dumping.''
                                            -- Unknown    */
#include "ssl_private.h"
#include "mod_ssl.h"
#include "apr_date.h"

/*  _________________________________________________________________

    apr_pool_t *pool;
    char buffer[AP_IOBUFSIZE];
    ssl_filter_ctx_t *filter_ctx;
    int npn_finished;  /* 1 if NPN has finished, 0 otherwise */
} bio_filter_in_ctx_t;

/*

        APR_BRIGADE_INSERT_TAIL(bb, bucket);
    }

    /* By this point, Next Protocol Negotiation (NPN) should be completed (if
     * our version of OpenSSL supports it).  If we haven't already, find out
     * which protocol was decided upon and inform other modules by calling
     * npn_proto_negotiated_hook. */
    if (!inctx->npn_finished) {
#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
        const char *next_proto = NULL;
        unsigned next_proto_len = 0;
        SSL_get0_next_proto_negotiated(
            inctx->ssl, (const unsigned char**)&next_proto, &next_proto_len);
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
                      "SSL NPN negotiated protocol: '%s'",
                      apr_pstrmemdup(f->c->pool, next_proto, next_proto_len));
        ssl_run_npn_proto_negotiated_hook(f->c, next_proto, next_proto_len);
#endif
        inctx->npn_finished = 1;
    }

    return APR_SUCCESS;
}


    inctx->block = APR_BLOCK_READ;
    inctx->pool = c->pool;
    inctx->filter_ctx = filter_ctx;
    inctx->npn_finished = 0;
}

/* The request_rec pointer is passed in here only to ensure that the




                                  time I was too famous.''
                                            -- Unknown                */
#include "ssl_private.h"
#include "mod_ssl.h"
#include "util_md5.h"

static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);

    return -1;
}
#endif

/*
 * This callback function is executed when SSL needs to decide what protocols
 * to advertise during Next Protocol Negotiation (NPN).  It must produce a
 * string in wire format -- a sequence of length-prefixed strings -- indicating
 * the advertised protocols.  Refer to SSL_CTX_set_next_protos_advertised_cb
 * in OpenSSL for reference.
 */
int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
                                     unsigned int *size_out, void *arg)
{
    conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
    apr_array_header_t *protos;
    int num_protos;
    unsigned int size;
    int i;
    unsigned char *data;
    unsigned char *start;

    *data_out = NULL;
    *size_out = 0;

    /* If the connection object is not available, then there's nothing for us
     * to do. */
    if (c == NULL) {
        return SSL_TLSEXT_ERR_OK;
    }

    /* Invoke our npn_advertise_protos hook, giving other modules a chance to
     * add alternate protocol names to advertise. */
    protos = apr_array_make(c->pool, 0, sizeof(char*));
    ssl_run_npn_advertise_protos_hook(c, protos);
    num_protos = protos->nelts;

    /* We now have a list of null-terminated strings; we need to concatenate
     * them together into a single string, where each protocol name is prefixed
     * by its length.  First, calculate how long that string will be. */
    size = 0;
    for (i = 0; i < num_protos; ++i) {
        const char* string = APR_ARRAY_IDX(protos, i, const char*);
        unsigned int length = strlen(string);
        /* If the protocol name is too long (the length must fit in one byte),
         * then log an error and skip it. */
        if (length > 255) {
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                          "SSL NPN protocol name too long (length=%u): %s",
                          length, string);
            continue;
        }
        /* Leave room for the length prefix (one byte) plus the protocol name
         * itself. */
        size += 1 + length;
    }

    /* If there is nothing to advertise (either because no modules added
     * anything to the protos array, or because all strings added to the array
     * were skipped), then we're done. */
    if (size == 0) {
        return SSL_TLSEXT_ERR_OK;
    }

    /* Now we can build the string.  Copy each protocol name string into the
     * larger string, prefixed by its length. */
    data = apr_palloc(c->pool, size * sizeof(unsigned char));
    start = data;
    for (i = 0; i < num_protos; ++i) {
        const char *string = APR_ARRAY_IDX(protos, i, const char*);
        apr_size_t length = strlen(string);
        *start = (unsigned char)length;
        ++start;
        memcpy(start, string, length * sizeof(unsigned char));
        start += length;
    }

    /* Success. */
    apr_array_clear(protos);
    *data_out = data;
    *size_out = size;
    return SSL_TLSEXT_ERR_OK;
}

Return to bug 52210

Lines 260-265 Link Here

(-)modules/ssl/mod_ssl.c (+12 lines)
260	AP_END_CMD	260	AP_END_CMD
261	};	261	};
262		262
		263	/* Implement 'ssl_run_npn_advertise_protos_hook'. */
		264	APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
		265	ssl, AP, int, npn_advertise_protos_hook,
		266	(conn_rec* connection, apr_array_header_t* protos),
		267	(connection, protos), OK, DECLINED);
		268
		269	/* Implement 'ssl_run_npn_proto_negotiated_hook'. */
		270	APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
		271	ssl, AP, int, npn_proto_negotiated_hook,
		272	(conn_rec* connection, const char* proto_name, apr_size_t proto_name_len),
		273	(connection, proto_name, proto_name_len), OK, DECLINED);
		274
263	/*	275	/*
264	* the various processing hooks	276	* the various processing hooks
265	*/	277	*/

Lines 28-33 Link Here

(-)modules/ssl/ssl_engine_io.c (+21 lines)
28	core keeps dumping.''	28	core keeps dumping.''
29	-- Unknown */	29	-- Unknown */
30	#include "ssl_private.h"	30	#include "ssl_private.h"
		31	#include "mod_ssl.h"
31	#include "apr_date.h"	32	#include "apr_date.h"
32		33
33	/* _________________________________________________________________	34	/* _________________________________________________________________
Lines 297-302 Link Here
297	apr_pool_t *pool;	298	apr_pool_t *pool;
298	char buffer[AP_IOBUFSIZE];	299	char buffer[AP_IOBUFSIZE];
299	ssl_filter_ctx_t *filter_ctx;	300	ssl_filter_ctx_t *filter_ctx;
		301	int npn_finished; /* 1 if NPN has finished, 0 otherwise */
300	} bio_filter_in_ctx_t;	302	} bio_filter_in_ctx_t;
301		303
302	/*	304	/*
Lines 1364-1369 Link Here
1364	APR_BRIGADE_INSERT_TAIL(bb, bucket);	1366	APR_BRIGADE_INSERT_TAIL(bb, bucket);
1365	}	1367	}
1366		1368
		1369	/* By this point, Next Protocol Negotiation (NPN) should be completed (if
		1370	* our version of OpenSSL supports it). If we haven't already, find out
		1371	* which protocol was decided upon and inform other modules by calling
		1372	* npn_proto_negotiated_hook. */
		1373	if (!inctx->npn_finished) {
		1374	#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
		1375	const char *next_proto = NULL;
		1376	unsigned next_proto_len = 0;
		1377	SSL_get0_next_proto_negotiated(
		1378	inctx->ssl, (const unsigned char**)&next_proto, &next_proto_len);
		1379	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
		1380	"SSL NPN negotiated protocol: '%s'",
		1381	apr_pstrmemdup(f->c->pool, next_proto, next_proto_len));
		1382	ssl_run_npn_proto_negotiated_hook(f->c, next_proto, next_proto_len);
		1383	#endif
		1384	inctx->npn_finished = 1;
		1385	}
		1386
1367	return APR_SUCCESS;	1387	return APR_SUCCESS;
1368	}	1388	}
1369		1389
Lines 1845-1850 Link Here
1845	inctx->block = APR_BLOCK_READ;	1865	inctx->block = APR_BLOCK_READ;
1846	inctx->pool = c->pool;	1866	inctx->pool = c->pool;
1847	inctx->filter_ctx = filter_ctx;	1867	inctx->filter_ctx = filter_ctx;
		1868	inctx->npn_finished = 0;
1848	}	1869	}
1849		1870
1850	/* The request_rec pointer is passed in here only to ensure that the	1871	/* The request_rec pointer is passed in here only to ensure that the

Lines 29-34 Link Here

(-)modules/ssl/ssl_engine_kernel.c (+81 lines)
29	time I was too famous.''	29	time I was too famous.''
30	-- Unknown */	30	-- Unknown */
31	#include "ssl_private.h"	31	#include "ssl_private.h"
		32	#include "mod_ssl.h"
32	#include "util_md5.h"	33	#include "util_md5.h"
33		34
34	static void ssl_configure_env(request_rec r, SSLConnRec sslconn);	35	static void ssl_configure_env(request_rec r, SSLConnRec sslconn);
Lines 2164-2166 Link Here
2164	return -1;	2165	return -1;
2165	}	2166	}
2166	#endif	2167	#endif
		2168
		2169	/*
		2170	* This callback function is executed when SSL needs to decide what protocols
		2171	* to advertise during Next Protocol Negotiation (NPN). It must produce a
		2172	* string in wire format -- a sequence of length-prefixed strings -- indicating
		2173	* the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
		2174	* in OpenSSL for reference.
		2175	*/
		2176	int ssl_callback_AdvertiseNextProtos(SSL ssl, const unsigned char *data_out,
		2177	unsigned int size_out, void arg)
		2178	{
		2179	conn_rec c = (conn_rec)SSL_get_app_data(ssl);
		2180	apr_array_header_t *protos;
		2181	int num_protos;
		2182	unsigned int size;
		2183	int i;
		2184	unsigned char *data;
		2185	unsigned char *start;
		2186
		2187	*data_out = NULL;
		2188	*size_out = 0;
		2189
		2190	/* If the connection object is not available, then there's nothing for us
		2191	* to do. */
		2192	if (c == NULL) {
		2193	return SSL_TLSEXT_ERR_OK;
		2194	}
		2195
		2196	/* Invoke our npn_advertise_protos hook, giving other modules a chance to
		2197	* add alternate protocol names to advertise. */
		2198	protos = apr_array_make(c->pool, 0, sizeof(char*));
		2199	ssl_run_npn_advertise_protos_hook(c, protos);
		2200	num_protos = protos->nelts;
		2201
		2202	/* We now have a list of null-terminated strings; we need to concatenate
		2203	* them together into a single string, where each protocol name is prefixed
		2204	* by its length. First, calculate how long that string will be. */
		2205	size = 0;
		2206	for (i = 0; i < num_protos; ++i) {
		2207	const char* string = APR_ARRAY_IDX(protos, i, const char*);
		2208	unsigned int length = strlen(string);
		2209	/* If the protocol name is too long (the length must fit in one byte),
		2210	* then log an error and skip it. */
		2211	if (length > 255) {
		2212	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
		2213	"SSL NPN protocol name too long (length=%u): %s",
		2214	length, string);
		2215	continue;
		2216	}
		2217	/* Leave room for the length prefix (one byte) plus the protocol name
		2218	* itself. */
		2219	size += 1 + length;
		2220	}
		2221
		2222	/* If there is nothing to advertise (either because no modules added
		2223	* anything to the protos array, or because all strings added to the array
		2224	* were skipped), then we're done. */
		2225	if (size == 0) {
		2226	return SSL_TLSEXT_ERR_OK;
		2227	}
		2228
		2229	/* Now we can build the string. Copy each protocol name string into the
		2230	* larger string, prefixed by its length. */
		2231	data = apr_palloc(c->pool, size * sizeof(unsigned char));
2232	start = data;
2233	for (i = 0; i < num_protos; ++i) {
2234	const char string = APR_ARRAY_IDX(protos, i, const char);
2235	apr_size_t length = strlen(string);
2236	*start = (unsigned char)length;
2237	++start;
2238	memcpy(start, string, length * sizeof(unsigned char));
2239	start += length;
2240	}
2241
2242	/* Success. */
2243	apr_array_clear(protos);
2244	*data_out = data;
2245	*size_out = size;
2246	return SSL_TLSEXT_ERR_OK;
2247	}

Lines 63-67 Link Here

(-)modules/ssl/mod_ssl.h (+21 lines)
63		63
64	APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));	64	APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
65		65
		66	/** The npn_advertise_protos optional hook allows other modules to add entries
		67	* to the list of protocol names advertised by the server during the Next
		68	* Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
		69	* given the connection and an APR array; it should push one or more char*'s
		70	* pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
		71	* the array and return OK, or do nothing and return DECLINED. */
		72	APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_advertise_protos_hook,
		73	(conn_rec* connection, apr_array_header_t* protos));
		74
		75	/** The npn_proto_negotiated optional hook allows other modules to discover the
		76	* name of the protocol that was chosen during the Next Protocol Negotiation
		77	* (NPN) portion of the SSL handshake. Note that this may be the empty string
		78	* (in which case modules should probably assume HTTP), or it may be a protocol
		79	* that was never even advertised by the server. The hook callee is given the
		80	* connection, a non-null-terminated string containing the protocol name, and
		81	* the length of the string; it should do something appropriate (i.e. insert or
		82	* remove filters) and return OK, or do nothing and return DECLINED. */
		83	APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_proto_negotiated_hook,
		84	(conn_rec* connection, const char* proto_name,
		85	apr_size_t proto_name_len));
		86
66	#endif /* __MOD_SSL_H__ */	87	#endif /* __MOD_SSL_H__ */
67	/** @} */	88	/** @} */