www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-07 04:02:58 +03:00
Code Activity

Add support for TLS Next Protocol Negotiation:

Browse Source 
* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
  hooks for next protocol advertisement/discovery.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
  NPN advertisement callback in handshake.

* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
  next-protocol discovery hook.

* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos): 
  New callback.

* modules/ssl/ssl_private.h: Add prototype.

Submitted by: Matthew Steele <mdsteele google.com>
  with slight tweaks by jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1332643 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Joe Orton
2012-05-01 13:27:14 +00:00
parent 6d378e85a0
commit dd5f55ce6b
7 changed files with 153 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

82
modules/ssl/ssl_engine_kernel.c
View File

@@ -29,6 +29,7 @@
time I was too famous.''
-- Unknown */
#include "ssl_private.h"
#include "mod_ssl.h"
#include "util_md5.h"
static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
@@ -2143,3 +2144,84 @@ int ssl_callback_SessionTicket(SSL *ssl,
return -1;
}
#endif
#ifdef HAVE_TLS_NPN
/*
* This callback function is executed when SSL needs to decide what protocols
* to advertise during Next Protocol Negotiation (NPN). It must produce a
* string in wire format -- a sequence of length-prefixed strings -- indicating
* the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
* in OpenSSL for reference.
*/
int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
unsigned int *size_out, void *arg)
{
conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
apr_array_header_t *protos;
int num_protos;
unsigned int size;
int i;
unsigned char *data;
unsigned char *start;
*data_out = NULL;
*size_out = 0;
/* If the connection object is not available, then there's nothing for us
* to do. */
if (c == NULL) {
return SSL_TLSEXT_ERR_OK;
}
/* Invoke our npn_advertise_protos hook, giving other modules a chance to
* add alternate protocol names to advertise. */
protos = apr_array_make(c->pool, 0, sizeof(char*));
modssl_run_npn_advertise_protos_hook(c, protos);
num_protos = protos->nelts;
/* We now have a list of null-terminated strings; we need to concatenate
* them together into a single string, where each protocol name is prefixed
* by its length. First, calculate how long that string will be. */
size = 0;
for (i = 0; i < num_protos; ++i) {
const char *string = APR_ARRAY_IDX(protos, i, const char*);
unsigned int length = strlen(string);
/* If the protocol name is too long (the length must fit in one byte),
* then log an error and skip it. */
if (length > 255) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
"SSL NPN protocol name too long (length=%u): %s",
length, string);
continue;
}
/* Leave room for the length prefix (one byte) plus the protocol name
* itself. */
size += 1 + length;
}
/* If there is nothing to advertise (either because no modules added
* anything to the protos array, or because all strings added to the array
* were skipped), then we're done. */
if (size == 0) {
return SSL_TLSEXT_ERR_OK;
}
/* Now we can build the string. Copy each protocol name string into the
* larger string, prefixed by its length. */
data = apr_palloc(c->pool, size * sizeof(unsigned char));
start = data;
for (i = 0; i < num_protos; ++i) {
const char *string = APR_ARRAY_IDX(protos, i, const char*);
apr_size_t length = strlen(string);
*start = (unsigned char)length;
++start;
memcpy(start, string, length * sizeof(unsigned char));
start += length;
}
/* Success. */
*data_out = data;
*size_out = size;
return SSL_TLSEXT_ERR_OK;
}
#endif