222 lines
8.6 KiB
Diff
222 lines
8.6 KiB
Diff
|
# This patch adds hooks for Next Protocol Negotiation (NPN) into mod_ssl. This
|
||
|
# change is under review to be included in Apache trunk:
|
||
|
# https://issues.apache.org/bugzilla/show_bug.cgi?id=52210
|
||
|
# But until it becomes part of an Apache 2.2 release, we need to apply the patch
|
||
|
# ourselves.
|
||
|
Index: modules/ssl/ssl_private.h
|
||
|
===================================================================
|
||
|
--- modules/ssl/ssl_private.h (revision 1202283)
|
||
|
+++ modules/ssl/ssl_private.h (working copy)
|
||
|
@@ -603,6 +603,7 @@
|
||
|
#ifndef OPENSSL_NO_TLSEXT
|
||
|
int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
|
||
|
#endif
|
||
|
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
|
||
|
|
||
|
/** Session Cache Support */
|
||
|
void ssl_scache_init(server_rec *, apr_pool_t *);
|
||
|
@@ -714,4 +715,3 @@
|
||
|
|
||
|
#endif /* SSL_PRIVATE_H */
|
||
|
/** @} */
|
||
|
-
|
||
|
Index: modules/ssl/ssl_engine_init.c
|
||
|
===================================================================
|
||
|
--- modules/ssl/ssl_engine_init.c (revision 1202283)
|
||
|
+++ modules/ssl/ssl_engine_init.c (working copy)
|
||
|
@@ -559,6 +559,11 @@
|
||
|
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
|
||
|
|
||
|
SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
|
||
|
+
|
||
|
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
|
||
|
+ SSL_CTX_set_next_protos_advertised_cb(
|
||
|
+ ctx, ssl_callback_AdvertiseNextProtos, NULL);
|
||
|
+#endif
|
||
|
}
|
||
|
|
||
|
static void ssl_init_ctx_verify(server_rec *s,
|
||
|
@@ -1352,4 +1357,3 @@
|
||
|
|
||
|
return APR_SUCCESS;
|
||
|
}
|
||
|
-
|
||
|
Index: modules/ssl/ssl_engine_io.c
|
||
|
===================================================================
|
||
|
--- modules/ssl/ssl_engine_io.c (revision 1202283)
|
||
|
+++ modules/ssl/ssl_engine_io.c (working copy)
|
||
|
@@ -338,6 +338,7 @@
|
||
|
apr_pool_t *pool;
|
||
|
char buffer[AP_IOBUFSIZE];
|
||
|
ssl_filter_ctx_t *filter_ctx;
|
||
|
+ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
|
||
|
} bio_filter_in_ctx_t;
|
||
|
|
||
|
/*
|
||
|
@@ -1409,6 +1410,21 @@
|
||
|
APR_BRIGADE_INSERT_TAIL(bb, bucket);
|
||
|
}
|
||
|
|
||
|
+ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
|
||
|
+ * our version of OpenSSL supports it). If we haven't already, find out
|
||
|
+ * which protocol was decided upon and inform other modules by calling
|
||
|
+ * npn_proto_negotiated_hook. */
|
||
|
+ if (!inctx->npn_finished) {
|
||
|
+ inctx->npn_finished = 1;
|
||
|
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
|
||
|
+ const unsigned char *next_proto = NULL;
|
||
|
+ unsigned next_proto_len = 0;
|
||
|
+ SSL_get0_next_proto_negotiated(inctx->ssl, &next_proto,
|
||
|
+ &next_proto_len);
|
||
|
+ ssl_run_npn_proto_negotiated_hook(f->c, next_proto, next_proto_len);
|
||
|
+#endif
|
||
|
+ }
|
||
|
+
|
||
|
return APR_SUCCESS;
|
||
|
}
|
||
|
|
||
|
@@ -1753,6 +1769,7 @@
|
||
|
inctx->block = APR_BLOCK_READ;
|
||
|
inctx->pool = c->pool;
|
||
|
inctx->filter_ctx = filter_ctx;
|
||
|
+ inctx->npn_finished = 0;
|
||
|
}
|
||
|
|
||
|
void ssl_io_filter_init(conn_rec *c, SSL *ssl)
|
||
|
Index: modules/ssl/ssl_engine_kernel.c
|
||
|
===================================================================
|
||
|
--- modules/ssl/ssl_engine_kernel.c (revision 1202283)
|
||
|
+++ modules/ssl/ssl_engine_kernel.c (working copy)
|
||
|
@@ -1969,6 +1969,77 @@
|
||
|
}
|
||
|
}
|
||
|
|
||
|
+/*
|
||
|
+ * This callback function is executed when SSL needs to decide what protocols
|
||
|
+ * to advertise during Next Protocol Negotiation (NPN). It must produce a
|
||
|
+ * string in wire format -- a sequence of length-prefixed strings -- indicating
|
||
|
+ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
|
||
|
+ * in OpenSSL for reference.
|
||
|
+ */
|
||
|
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
|
||
|
+ unsigned int *size_out, void *arg)
|
||
|
+{
|
||
|
+ *data_out = NULL;
|
||
|
+ *size_out = 0;
|
||
|
+
|
||
|
+ /* Get the connection object. If it's not available, then there's nothing
|
||
|
+ * for us to do. */
|
||
|
+ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
|
||
|
+ if (c == NULL) {
|
||
|
+ return SSL_TLSEXT_ERR_OK;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
|
||
|
+ * add alternate protocol names to advertise. */
|
||
|
+ apr_array_header_t *protos = apr_array_make(c->pool, 0, sizeof(char*));
|
||
|
+ ssl_run_npn_advertise_protos_hook(c, protos);
|
||
|
+ int num_protos = protos->nelts;
|
||
|
+
|
||
|
+ /* If no other modules added any alternate protocols, then we're done. */
|
||
|
+ if (num_protos == 0) {
|
||
|
+ return SSL_TLSEXT_ERR_OK;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* We now have a list of null-terminated strings; we need to concatenate
|
||
|
+ * them together into a single string, where each protocol name is prefixed
|
||
|
+ * by its length. First, calculate how long that string will be. */
|
||
|
+ unsigned int size = 0;
|
||
|
+ int i;
|
||
|
+ for (i = 0; i < num_protos; ++i) {
|
||
|
+ const char* string = APR_ARRAY_IDX(protos, i, const char*);
|
||
|
+ unsigned int length = strlen(string);
|
||
|
+ /* If the protocol name is too long (the length must fit in one byte),
|
||
|
+ * then log an error and quit. */
|
||
|
+ if (length > 255) {
|
||
|
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
|
||
|
+ "SSL NPN protocol name too long (length=%u): %s",
|
||
|
+ length, string);
|
||
|
+ return SSL_TLSEXT_ERR_OK;
|
||
|
+ }
|
||
|
+ /* Leave room for the length prefix (one byte) plus the protocol name
|
||
|
+ * itself. */
|
||
|
+ size += 1 + length;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Now we can build the string. Copy each protocol name string into the
|
||
|
+ * larger string, prefixed by its length. */
|
||
|
+ unsigned char* data = apr_palloc(c->pool, size * sizeof(unsigned char));
|
||
|
+ unsigned char* start = data;
|
||
|
+ for (i = 0; i < num_protos; ++i) {
|
||
|
+ const char* string = APR_ARRAY_IDX(protos, i, const char*);
|
||
|
+ size_t length = strlen(string);
|
||
|
+ *start = (unsigned char)length;
|
||
|
+ ++start;
|
||
|
+ memcpy(start, string, length * sizeof(unsigned char));
|
||
|
+ start += length;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Success. */
|
||
|
+ *data_out = data;
|
||
|
+ *size_out = size;
|
||
|
+ return SSL_TLSEXT_ERR_OK;
|
||
|
+}
|
||
|
+
|
||
|
#ifndef OPENSSL_NO_TLSEXT
|
||
|
/*
|
||
|
* This callback function is executed when OpenSSL encounters an extended
|
||
|
Index: modules/ssl/mod_ssl.c
|
||
|
===================================================================
|
||
|
--- modules/ssl/mod_ssl.c (revision 1202283)
|
||
|
+++ modules/ssl/mod_ssl.c (working copy)
|
||
|
@@ -220,6 +220,18 @@
|
||
|
AP_END_CMD
|
||
|
};
|
||
|
|
||
|
+/* Implement 'ssl_run_npn_advertise_protos_hook'. */
|
||
|
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
|
||
|
+ ssl, AP, int, npn_advertise_protos_hook,
|
||
|
+ (conn_rec* connection, apr_array_header_t* protos),
|
||
|
+ (connection, protos), OK, DECLINED);
|
||
|
+
|
||
|
+/* Implement 'ssl_run_npn_proto_negotiated_hook'. */
|
||
|
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
|
||
|
+ ssl, AP, int, npn_proto_negotiated_hook,
|
||
|
+ (conn_rec* connection, char* proto_name, apr_size_t proto_name_len),
|
||
|
+ (connection, proto_name, proto_name_len), OK, DECLINED);
|
||
|
+
|
||
|
/*
|
||
|
* the various processing hooks
|
||
|
*/
|
||
|
Index: modules/ssl/mod_ssl.h
|
||
|
===================================================================
|
||
|
--- modules/ssl/mod_ssl.h (revision 1202283)
|
||
|
+++ modules/ssl/mod_ssl.h (working copy)
|
||
|
@@ -60,5 +60,26 @@
|
||
|
|
||
|
APR_DECLARE_OPTIONAL_FN(apr_array_header_t *, ssl_extlist_by_oid, (request_rec *r, const char *oidstr));
|
||
|
|
||
|
+/** The npn_advertise_protos optional hook allows other modules to add entries
|
||
|
+ * to the list of protocol names advertised by the server during the Next
|
||
|
+ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
|
||
|
+ * given the connection and an APR array; it should push one or more char*'s
|
||
|
+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
|
||
|
+ * the array and return OK, or do nothing and return DECLINED. */
|
||
|
+APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_advertise_protos_hook,
|
||
|
+ (conn_rec* connection, apr_array_header_t* protos));
|
||
|
+
|
||
|
+/** The npn_proto_negotiated optional hook allows other modules to discover the
|
||
|
+ * name of the protocol that was chosen during the Next Protocol Negotiation
|
||
|
+ * (NPN) portion of the SSL handshake. Note that this may be the empty string
|
||
|
+ * (in which case modules should probably assume HTTP), or it may be a protocol
|
||
|
+ * that was never even advertised by the server. The hook callee is given the
|
||
|
+ * connection, a non-null-terminated string containing the protocol name, and
|
||
|
+ * the length of the string; it should do something appropriate (i.e. insert or
|
||
|
+ * remove filters) and return OK, or do nothing and return DECLINED. */
|
||
|
+APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_proto_negotiated_hook,
|
||
|
+ (conn_rec* connection, char* proto_name,
|
||
|
+ apr_size_t proto_name_len));
|
||
|
+
|
||
|
#endif /* __MOD_SSL_H__ */
|
||
|
/** @} */
|