aboutsummaryrefslogtreecommitdiffstats
path: root/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
blob: a4f185501bb0da026d32026208ed9153b4739cd7 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
Add support for TLS Next Protocol Negotiation:

* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
  hooks for next protocol advertisement/discovery.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
  NPN advertisement callback in handshake.

* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
  next-protocol discovery hook.

* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
  New callback.

* modules/ssl/ssl_private.h: Add prototype.

Submitted by: Matthew Steele <mdsteele google.com>
  with slight tweaks by jorton

http://svn.apache.org/viewvc?view=revision&revision=1332643
https://bugzilla.redhat.com//show_bug.cgi?id=809599
Upstream-Status: Backport
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 CHANGES                         |  2 +
 modules/ssl/mod_ssl.c           | 12 ++++++
 modules/ssl/mod_ssl.h           | 21 +++++++++++
 modules/ssl/ssl_engine_init.c   |  5 +++
 modules/ssl/ssl_engine_io.c     | 24 ++++++++++++
 modules/ssl/ssl_engine_kernel.c | 82 +++++++++++++++++++++++++++++++++++++++++
 modules/ssl/ssl_private.h       |  6 +++
 7 files changed, 152 insertions(+)

diff --git a/CHANGES b/CHANGES
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 
 Changes with Apache 2.4.7
+  *) mod_ssl: Add support for TLS Next Protocol Negotiation.  PR 52210.
+     [Matthew Steele <mdsteele google.com>]
 
   *) APR 1.5.0 or later is now required for the event MPM.
   
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = {
     AP_END_CMD
 };
 
+/* Implement 'modssl_run_npn_advertise_protos_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+    modssl, AP, int, npn_advertise_protos_hook,
+    (conn_rec *connection, apr_array_header_t *protos),
+    (connection, protos), OK, DECLINED);
+
+/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+    modssl, AP, int, npn_proto_negotiated_hook,
+    (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
+    (connection, proto_name, proto_name_len), OK, DECLINED);
+
 /*
  *  the various processing hooks
  */
diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
 
 APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
 
+/** The npn_advertise_protos optional hook allows other modules to add entries
+ * to the list of protocol names advertised by the server during the Next
+ * Protocol Negotiation (NPN) portion of the SSL handshake.  The hook callee is
+ * given the connection and an APR array; it should push one or more char*'s
+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
+ * the array and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
+                          (conn_rec *connection, apr_array_header_t *protos));
+
+/** The npn_proto_negotiated optional hook allows other modules to discover the
+ * name of the protocol that was chosen during the Next Protocol Negotiation
+ * (NPN) portion of the SSL handshake.  Note that this may be the empty string
+ * (in which case modules should probably assume HTTP), or it may be a protocol
+ * that was never even advertised by the server.  The hook callee is given the
+ * connection, a non-null-terminated string containing the protocol name, and
+ * the length of the string; it should do something appropriate (i.e. insert or
+ * remove filters) and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
+                          (conn_rec *connection, const char *proto_name,
+                           apr_size_t proto_name_len));
+
 #endif /* __MOD_SSL_H__ */
 /** @} */
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
 
     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
+
+#ifdef HAVE_TLS_NPN
+    SSL_CTX_set_next_protos_advertised_cb(
+        ctx, ssl_callback_AdvertiseNextProtos, NULL);
+#endif
 }
 
 static void ssl_init_ctx_verify(server_rec *s,
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -28,6 +28,7 @@
                                   core keeps dumping.''
                                             -- Unknown    */
 #include "ssl_private.h"
+#include "mod_ssl.h"
 #include "apr_date.h"
 
 /*  _________________________________________________________________
@@ -297,6 +298,7 @@ typedef struct {
     apr_pool_t *pool;
     char buffer[AP_IOBUFSIZE];
     ssl_filter_ctx_t *filter_ctx;
+    int npn_finished;  /* 1 if NPN has finished, 0 otherwise */
 } bio_filter_in_ctx_t;
 
 /*
@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
         APR_BRIGADE_INSERT_TAIL(bb, bucket);
     }
 
+#ifdef HAVE_TLS_NPN
+    /* By this point, Next Protocol Negotiation (NPN) should be completed (if
+     * our version of OpenSSL supports it).  If we haven't already, find out
+     * which protocol was decided upon and inform other modules by calling
+     * npn_proto_negotiated_hook. */
+    if (!inctx->npn_finished) {
+        const unsigned char *next_proto = NULL;
+        unsigned next_proto_len = 0;
+
+        SSL_get0_next_proto_negotiated(
+            inctx->ssl, &next_proto, &next_proto_len);
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
+                      "SSL NPN negotiated protocol: '%s'",
+                      apr_pstrmemdup(f->c->pool, (const char*)next_proto,
+                                     next_proto_len));
+        modssl_run_npn_proto_negotiated_hook(
+            f->c, (const char*)next_proto, next_proto_len);
+        inctx->npn_finished = 1;
+    }
+#endif
+
     return APR_SUCCESS;
 }
 
@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
     inctx->block = APR_BLOCK_READ;
     inctx->pool = c->pool;
     inctx->filter_ctx = filter_ctx;
+    inctx->npn_finished = 0;
 }
 
 /* The request_rec pointer is passed in here only to ensure that the
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -29,6 +29,7 @@
                                   time I was too famous.''
                                             -- Unknown                */
 #include "ssl_private.h"
+#include "mod_ssl.h"
 #include "util_md5.h"
 
 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
 }
 
 #endif /* HAVE_SRP */
+
+#ifdef HAVE_TLS_NPN
+/*
+ * This callback function is executed when SSL needs to decide what protocols
+ * to advertise during Next Protocol Negotiation (NPN).  It must produce a
+ * string in wire format -- a sequence of length-prefixed strings -- indicating
+ * the advertised protocols.  Refer to SSL_CTX_set_next_protos_advertised_cb
+ * in OpenSSL for reference.
+ */
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
+                                     unsigned int *size_out, void *arg)
+{
+    conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
+    apr_array_header_t *protos;
+    int num_protos;
+    unsigned int size;
+    int i;
+    unsigned char *data;
+    unsigned char *start;
+
+    *data_out = NULL;
+    *size_out = 0;
+
+    /* If the connection object is not available, then there's nothing for us
+     * to do. */
+    if (c == NULL) {
+        return SSL_TLSEXT_ERR_OK;
+    }
+
+    /* Invoke our npn_advertise_protos hook, giving other modules a chance to
+     * add alternate protocol names to advertise. */
+    protos = apr_array_make(c->pool, 0, sizeof(char*));
+    modssl_run_npn_advertise_protos_hook(c, protos);
+    num_protos = protos->nelts;
+
+    /* We now have a list of null-terminated strings; we need to concatenate
+     * them together into a single string, where each protocol name is prefixed
+     * by its length.  First, calculate how long that string will be. */
+    size = 0;
+    for (i = 0; i < num_protos; ++i) {
+        const char *string = APR_ARRAY_IDX(protos, i, const char*);
+        unsigned int length = strlen(string);
+        /* If the protocol name is too long (the length must fit in one byte),
+         * then log an error and skip it. */
+        if (length > 255) {
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+                          "SSL NPN protocol name too long (length=%u): %s",
+                          length, string);
+            continue;
+        }
+        /* Leave room for the length prefix (one byte) plus the protocol name
+         * itself. */
+        size += 1 + length;
+    }
+
+    /* If there is nothing to advertise (either because no modules added
+     * anything to the protos array, or because all strings added to the array
+     * were skipped), then we're done. */
+    if (size == 0) {
+        return SSL_TLSEXT_ERR_OK;
+    }
+
+    /* Now we can build the string.  Copy each protocol name string into the
+     * larger string, prefixed by its length. */
+    data = apr_palloc(c->pool, size * sizeof(unsigned char));
+    start = data;
+    for (i = 0; i < num_protos; ++i) {
+        const char *string = APR_ARRAY_IDX(protos, i, const char*);
+        apr_size_t length = strlen(string);
+        *start = (unsigned char)length;
+        ++start;
+        memcpy(start, string, length * sizeof(unsigned char));
+        start += length;
+    }
+
+    /* Success. */
+    *data_out = data;
+    *size_out = size;
+    return SSL_TLSEXT_ERR_OK;
+}
+#endif /* HAVE_TLS_NPN */
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -123,6 +123,11 @@
 #define MODSSL_SSL_METHOD_CONST
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
+    && !defined(OPENSSL_NO_TLSEXT)
+#define HAVE_TLS_NPN
+#endif
+
 #if defined(OPENSSL_FIPS)
 #define HAVE_FIPS
 #endif
@@ -800,6 +805,7 @@ int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
 int         ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
                                        EVP_CIPHER_CTX *, HMAC_CTX *, int);
 #endif
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
 
 /**  Session Cache Support  */
 void         ssl_scache_init(server_rec *, apr_pool_t *);
-- 
1.8.1.2