Attachment 28588 Details for Bug 52210 – Updated patch for mod_ssl to add NPN hooks

[patch] Updated patch for mod_ssl to add NPN hooks

revised-revised-revised-ssl-npn.patch (text/plain), 9.05 KB, created by mdsteele on 2012-04-11 23:04:13 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: mdsteele

Created: 2012-04-11 23:04:13 UTC

Size: 9.05 KB

patch

obsolete

>Index: modules/ssl/ssl_private.h
>===================================================================
>--- modules/ssl/ssl_private.h	(revision 1306012)
>+++ modules/ssl/ssl_private.h	(working copy)
>@@ -807,6 +807,7 @@
> int         ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
>                                        EVP_CIPHER_CTX *, HMAC_CTX *, int);
> #endif
>+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
> 
> /**  Session Cache Support  */
> void         ssl_scache_init(server_rec *, apr_pool_t *);
>Index: modules/ssl/mod_ssl.c
>===================================================================
>--- modules/ssl/mod_ssl.c	(revision 1306012)
>+++ modules/ssl/mod_ssl.c	(working copy)
>@@ -260,6 +260,18 @@
>     AP_END_CMD
> };
> 
>+/* Implement 'ssl_run_npn_advertise_protos_hook'. */
>+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
>+    ssl, AP, int, npn_advertise_protos_hook,
>+    (conn_rec *connection, apr_array_header_t *protos),
>+    (connection, protos), OK, DECLINED);
>+
>+/* Implement 'ssl_run_npn_proto_negotiated_hook'. */
>+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
>+    ssl, AP, int, npn_proto_negotiated_hook,
>+    (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
>+    (connection, proto_name, proto_name_len), OK, DECLINED);
>+
> /*
>  *  the various processing hooks
>  */
>Index: modules/ssl/mod_ssl.h
>===================================================================
>--- modules/ssl/mod_ssl.h	(revision 1306012)
>+++ modules/ssl/mod_ssl.h	(working copy)
>@@ -63,5 +63,26 @@
> 
> APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
> 
>+/** The npn_advertise_protos optional hook allows other modules to add entries
>+ * to the list of protocol names advertised by the server during the Next
>+ * Protocol Negotiation (NPN) portion of the SSL handshake.  The hook callee is
>+ * given the connection and an APR array; it should push one or more char*'s
>+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
>+ * the array and return OK, or do nothing and return DECLINED. */
>+APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_advertise_protos_hook,
>+                          (conn_rec *connection, apr_array_header_t *protos));
>+
>+/** The npn_proto_negotiated optional hook allows other modules to discover the
>+ * name of the protocol that was chosen during the Next Protocol Negotiation
>+ * (NPN) portion of the SSL handshake.  Note that this may be the empty string
>+ * (in which case modules should probably assume HTTP), or it may be a protocol
>+ * that was never even advertised by the server.  The hook callee is given the
>+ * connection, a non-null-terminated string containing the protocol name, and
>+ * the length of the string; it should do something appropriate (i.e. insert or
>+ * remove filters) and return OK, or do nothing and return DECLINED. */
>+APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_proto_negotiated_hook,
>+                          (conn_rec *connection, const char *proto_name,
>+                           apr_size_t proto_name_len));
>+
> #endif /* __MOD_SSL_H__ */
> /** @} */
>Index: modules/ssl/ssl_engine_init.c
>===================================================================
>--- modules/ssl/ssl_engine_init.c	(revision 1306012)
>+++ modules/ssl/ssl_engine_init.c	(working copy)
>@@ -681,6 +681,11 @@
> #endif
> 
>     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
>+
>+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
>+    SSL_CTX_set_next_protos_advertised_cb(
>+        ctx, ssl_callback_AdvertiseNextProtos, NULL);
>+#endif
> }
> 
> static void ssl_init_ctx_verify(server_rec *s,
>Index: modules/ssl/ssl_engine_io.c
>===================================================================
>--- modules/ssl/ssl_engine_io.c	(revision 1306012)
>+++ modules/ssl/ssl_engine_io.c	(working copy)
>@@ -28,6 +28,7 @@
>                                   core keeps dumping.''
>                                             -- Unknown    */
> #include "ssl_private.h"
>+#include "mod_ssl.h"
> #include "apr_date.h"
> 
> /*  _________________________________________________________________
>@@ -297,6 +298,7 @@
>     apr_pool_t *pool;
>     char buffer[AP_IOBUFSIZE];
>     ssl_filter_ctx_t *filter_ctx;
>+    int npn_finished;  /* 1 if NPN has finished, 0 otherwise */
> } bio_filter_in_ctx_t;
> 
> /*
>@@ -1364,6 +1366,26 @@
>         APR_BRIGADE_INSERT_TAIL(bb, bucket);
>     }
> 
>+    /* By this point, Next Protocol Negotiation (NPN) should be completed (if
>+     * our version of OpenSSL supports it).  If we haven't already, find out
>+     * which protocol was decided upon and inform other modules by calling
>+     * npn_proto_negotiated_hook. */
>+    if (!inctx->npn_finished) {
>+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
>+        const unsigned char *next_proto = NULL;
>+        unsigned next_proto_len = 0;
>+        SSL_get0_next_proto_negotiated(
>+            inctx->ssl, &next_proto, &next_proto_len);
>+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
>+                      "SSL NPN negotiated protocol: '%s'",
>+                      apr_pstrmemdup(f->c->pool, (const char*)next_proto,
>+                                     next_proto_len));
>+        ssl_run_npn_proto_negotiated_hook(
>+            f->c, (const char*)next_proto, next_proto_len);
>+#endif
>+        inctx->npn_finished = 1;
>+    }
>+
>     return APR_SUCCESS;
> }
> 
>@@ -1845,6 +1867,7 @@
>     inctx->block = APR_BLOCK_READ;
>     inctx->pool = c->pool;
>     inctx->filter_ctx = filter_ctx;
>+    inctx->npn_finished = 0;
> }
> 
> /* The request_rec pointer is passed in here only to ensure that the
>Index: modules/ssl/ssl_engine_kernel.c
>===================================================================
>--- modules/ssl/ssl_engine_kernel.c	(revision 1306012)
>+++ modules/ssl/ssl_engine_kernel.c	(working copy)
>@@ -29,6 +29,7 @@
>                                   time I was too famous.''
>                                             -- Unknown                */
> #include "ssl_private.h"
>+#include "mod_ssl.h"
> #include "util_md5.h"
> 
> static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
>@@ -2164,3 +2165,82 @@
>     return -1;
> }
> #endif
>+
>+/*
>+ * This callback function is executed when SSL needs to decide what protocols
>+ * to advertise during Next Protocol Negotiation (NPN).  It must produce a
>+ * string in wire format -- a sequence of length-prefixed strings -- indicating
>+ * the advertised protocols.  Refer to SSL_CTX_set_next_protos_advertised_cb
>+ * in OpenSSL for reference.
>+ */
>+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
>+                                     unsigned int *size_out, void *arg)
>+{
>+    conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
>+    apr_array_header_t *protos;
>+    int num_protos;
>+    unsigned int size;
>+    int i;
>+    unsigned char *data;
>+    unsigned char *start;
>+
>+    *data_out = NULL;
>+    *size_out = 0;
>+
>+    /* If the connection object is not available, then there's nothing for us
>+     * to do. */
>+    if (c == NULL) {
>+        return SSL_TLSEXT_ERR_OK;
>+    }
>+
>+    /* Invoke our npn_advertise_protos hook, giving other modules a chance to
>+     * add alternate protocol names to advertise. */
>+    protos = apr_array_make(c->pool, 0, sizeof(char*));
>+    ssl_run_npn_advertise_protos_hook(c, protos);
>+    num_protos = protos->nelts;
>+
>+    /* We now have a list of null-terminated strings; we need to concatenate
>+     * them together into a single string, where each protocol name is prefixed
>+     * by its length.  First, calculate how long that string will be. */
>+    size = 0;
>+    for (i = 0; i < num_protos; ++i) {
>+        const char *string = APR_ARRAY_IDX(protos, i, const char*);
>+        unsigned int length = strlen(string);
>+        /* If the protocol name is too long (the length must fit in one byte),
>+         * then log an error and skip it. */
>+        if (length > 255) {
>+            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
>+                          "SSL NPN protocol name too long (length=%u): %s",
>+                          length, string);
>+            continue;
>+        }
>+        /* Leave room for the length prefix (one byte) plus the protocol name
>+         * itself. */
>+        size += 1 + length;
>+    }
>+
>+    /* If there is nothing to advertise (either because no modules added
>+     * anything to the protos array, or because all strings added to the array
>+     * were skipped), then we're done. */
>+    if (size == 0) {
>+        return SSL_TLSEXT_ERR_OK;
>+    }
>+
>+    /* Now we can build the string.  Copy each protocol name string into the
>+     * larger string, prefixed by its length. */
>+    data = apr_palloc(c->pool, size * sizeof(unsigned char));
>+    start = data;
>+    for (i = 0; i < num_protos; ++i) {
>+        const char *string = APR_ARRAY_IDX(protos, i, const char*);
>+        apr_size_t length = strlen(string);
>+        *start = (unsigned char)length;
>+        ++start;
>+        memcpy(start, string, length * sizeof(unsigned char));
>+        start += length;
>+    }
>+
>+    /* Success. */
>+    *data_out = data;
>+    *size_out = size;
>+    return SSL_TLSEXT_ERR_OK;
>+}

Actions: View | Diff

Attachments on bug 52210: 27969 | 28486 | 28513 | 28588 | 32381 | 32399 | 32452 | 32463 | 32464 | 32521 | 32523