-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210.
+ [Matthew Steele <mdsteele google.com>]
+
*) mod_so: If a filename without slashes is specified for LoadFile or
LoadModule and the file cannot be found in the server root directory,
try to use the standard dlopen() search path. [Stefan Fritsch]
AP_END_CMD
};
+/* Implement 'modssl_run_npn_advertise_protos_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+ modssl, AP, int, npn_advertise_protos_hook,
+ (conn_rec *connection, apr_array_header_t *protos),
+ (connection, protos), OK, DECLINED);
+
+/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+ modssl, AP, int, npn_proto_negotiated_hook,
+ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
+ (connection, proto_name, proto_name_len), OK, DECLINED);
+
/*
* the various processing hooks
*/
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+/** The npn_advertise_protos optional hook allows other modules to add entries
+ * to the list of protocol names advertised by the server during the Next
+ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
+ * given the connection and an APR array; it should push one or more char*'s
+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
+ * the array and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
+ (conn_rec *connection, apr_array_header_t *protos));
+
+/** The npn_proto_negotiated optional hook allows other modules to discover the
+ * name of the protocol that was chosen during the Next Protocol Negotiation
+ * (NPN) portion of the SSL handshake. Note that this may be the empty string
+ * (in which case modules should probably assume HTTP), or it may be a protocol
+ * that was never even advertised by the server. The hook callee is given the
+ * connection, a non-null-terminated string containing the protocol name, and
+ * the length of the string; it should do something appropriate (i.e. insert or
+ * remove filters) and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
+ (conn_rec *connection, const char *proto_name,
+ apr_size_t proto_name_len));
+
#endif /* __MOD_SSL_H__ */
/** @} */
#endif
SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
+
+#ifdef HAVE_TLS_NPN
+ SSL_CTX_set_next_protos_advertised_cb(
+ ctx, ssl_callback_AdvertiseNextProtos, NULL);
+#endif
}
static void ssl_init_ctx_verify(server_rec *s,
core keeps dumping.''
-- Unknown */
#include "ssl_private.h"
+#include "mod_ssl.h"
#include "apr_date.h"
/* _________________________________________________________________
apr_pool_t *pool;
char buffer[AP_IOBUFSIZE];
ssl_filter_ctx_t *filter_ctx;
+ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
} bio_filter_in_ctx_t;
/*
APR_BRIGADE_INSERT_TAIL(bb, bucket);
}
+#ifdef HAVE_TLS_NPN
+ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
+ * our version of OpenSSL supports it). If we haven't already, find out
+ * which protocol was decided upon and inform other modules by calling
+ * npn_proto_negotiated_hook. */
+ if (!inctx->npn_finished) {
+ const unsigned char *next_proto = NULL;
+ unsigned next_proto_len = 0;
+
+ SSL_get0_next_proto_negotiated(
+ inctx->ssl, &next_proto, &next_proto_len);
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
+ "SSL NPN negotiated protocol: '%s'",
+ apr_pstrmemdup(f->c->pool, (const char*)next_proto,
+ next_proto_len));
+ modssl_run_npn_proto_negotiated_hook(
+ f->c, (const char*)next_proto, next_proto_len);
+ inctx->npn_finished = 1;
+ }
+#endif
+
return APR_SUCCESS;
}
inctx->block = APR_BLOCK_READ;
inctx->pool = c->pool;
inctx->filter_ctx = filter_ctx;
+ inctx->npn_finished = 0;
}
/* The request_rec pointer is passed in here only to ensure that the
time I was too famous.''
-- Unknown */
#include "ssl_private.h"
+#include "mod_ssl.h"
#include "util_md5.h"
static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
return -1;
}
#endif
+
+#ifdef HAVE_TLS_NPN
+/*
+ * This callback function is executed when SSL needs to decide what protocols
+ * to advertise during Next Protocol Negotiation (NPN). It must produce a
+ * string in wire format -- a sequence of length-prefixed strings -- indicating
+ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
+ * in OpenSSL for reference.
+ */
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
+ unsigned int *size_out, void *arg)
+{
+ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
+ apr_array_header_t *protos;
+ int num_protos;
+ unsigned int size;
+ int i;
+ unsigned char *data;
+ unsigned char *start;
+
+ *data_out = NULL;
+ *size_out = 0;
+
+ /* If the connection object is not available, then there's nothing for us
+ * to do. */
+ if (c == NULL) {
+ return SSL_TLSEXT_ERR_OK;
+ }
+
+ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
+ * add alternate protocol names to advertise. */
+ protos = apr_array_make(c->pool, 0, sizeof(char*));
+ modssl_run_npn_advertise_protos_hook(c, protos);
+ num_protos = protos->nelts;
+
+ /* We now have a list of null-terminated strings; we need to concatenate
+ * them together into a single string, where each protocol name is prefixed
+ * by its length. First, calculate how long that string will be. */
+ size = 0;
+ for (i = 0; i < num_protos; ++i) {
+ const char *string = APR_ARRAY_IDX(protos, i, const char*);
+ unsigned int length = strlen(string);
+ /* If the protocol name is too long (the length must fit in one byte),
+ * then log an error and skip it. */
+ if (length > 255) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+ "SSL NPN protocol name too long (length=%u): %s",
+ length, string);
+ continue;
+ }
+ /* Leave room for the length prefix (one byte) plus the protocol name
+ * itself. */
+ size += 1 + length;
+ }
+
+ /* If there is nothing to advertise (either because no modules added
+ * anything to the protos array, or because all strings added to the array
+ * were skipped), then we're done. */
+ if (size == 0) {
+ return SSL_TLSEXT_ERR_OK;
+ }
+
+ /* Now we can build the string. Copy each protocol name string into the
+ * larger string, prefixed by its length. */
+ data = apr_palloc(c->pool, size * sizeof(unsigned char));
+ start = data;
+ for (i = 0; i < num_protos; ++i) {
+ const char *string = APR_ARRAY_IDX(protos, i, const char*);
+ apr_size_t length = strlen(string);
+ *start = (unsigned char)length;
+ ++start;
+ memcpy(start, string, length * sizeof(unsigned char));
+ start += length;
+ }
+
+ /* Success. */
+ *data_out = data;
+ *size_out = size;
+ return SSL_TLSEXT_ERR_OK;
+}
+#endif
#define HAVE_FIPS
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
+ && !defined(OPENSSL_NO_TLSEXT)
+#define HAVE_TLS_NPN
+#endif
+
#if (OPENSSL_VERSION_NUMBER >= 0x10000000)
#define MODSSL_SSL_CIPHER_CONST const
#define MODSSL_SSL_METHOD_CONST const
int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
EVP_CIPHER_CTX *, HMAC_CTX *, int);
#endif
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
/** Session Cache Support */
void ssl_scache_init(server_rec *, apr_pool_t *);
projects / thirdparty / apache / httpd.git / commitdiff
