Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- diff -Naur httpd-2.2.22-orig/modules/ssl/mod_ssl.c httpd-2.2.22/modules/ssl/mod_ssl.c
- --- httpd-2.2.22-orig/modules/ssl/mod_ssl.c 2012-06-21 22:10:22.538184960 +0200
- +++ httpd-2.2.22/modules/ssl/mod_ssl.c 2012-06-21 22:12:27.894721826 +0200
- @@ -220,6 +220,18 @@
- AP_END_CMD
- };
- +/* Implement 'ssl_run_npn_advertise_protos_hook'. */
- +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
- + ssl, AP, int, npn_advertise_protos_hook,
- + (conn_rec *connection, apr_array_header_t *protos),
- + (connection, protos), OK, DECLINED);
- +
- +/* Implement 'ssl_run_npn_proto_negotiated_hook'. */
- +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
- + ssl, AP, int, npn_proto_negotiated_hook,
- + (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
- + (connection, proto_name, proto_name_len), OK, DECLINED);
- +
- /*
- * the various processing hooks
- */
- diff -Naur httpd-2.2.22-orig/modules/ssl/mod_ssl.h httpd-2.2.22/modules/ssl/mod_ssl.h
- --- httpd-2.2.22-orig/modules/ssl/mod_ssl.h 2012-06-21 22:10:22.538184960 +0200
- +++ httpd-2.2.22/modules/ssl/mod_ssl.h 2012-06-21 22:13:30.569379528 +0200
- @@ -64,5 +64,26 @@
- APR_DECLARE_OPTIONAL_FN(apr_array_header_t *, ssl_extlist_by_oid, (request_rec *r, const char *oidstr));
- +/** The npn_advertise_protos optional hook allows other modules to add entries
- + * to the list of protocol names advertised by the server during the Next
- + * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
- + * given the connection and an APR array; it should push one or more char*'s
- + * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
- + * the array and return OK, or do nothing and return DECLINED. */
- +APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_advertise_protos_hook,
- + (conn_rec *connection, apr_array_header_t *protos));
- +
- +/** The npn_proto_negotiated optional hook allows other modules to discover the
- + * name of the protocol that was chosen during the Next Protocol Negotiation
- + * (NPN) portion of the SSL handshake. Note that this may be the empty string
- + * (in which case modules should probably assume HTTP), or it may be a protocol
- + * that was never even advertised by the server. The hook callee is given the
- + * connection, a non-null-terminated string containing the protocol name, and
- + * the length of the string; it should do something appropriate (i.e. insert or
- + * remove filters) and return OK, or do nothing and return DECLINED. */
- +APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_proto_negotiated_hook,
- + (conn_rec *connection, const char *proto_name,
- + apr_size_t proto_name_len));
- +
- #endif /* __MOD_SSL_H__ */
- /** @} */
- diff -Naur httpd-2.2.22-orig/modules/ssl/ssl_engine_init.c httpd-2.2.22/modules/ssl/ssl_engine_init.c
- --- httpd-2.2.22-orig/modules/ssl/ssl_engine_init.c 2012-06-21 22:10:22.538184960 +0200
- +++ httpd-2.2.22/modules/ssl/ssl_engine_init.c 2012-06-21 22:15:09.974884418 +0200
- @@ -559,6 +559,11 @@
- SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
- SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
- +
- +#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
- + SSL_CTX_set_next_protos_advertised_cb(
- + ctx, ssl_callback_AdvertiseNextProtos, NULL);
- +#endif
- }
- static void ssl_init_ctx_verify(server_rec *s,
- diff -Naur httpd-2.2.22-orig/modules/ssl/ssl_engine_io.c httpd-2.2.22/modules/ssl/ssl_engine_io.c
- --- httpd-2.2.22-orig/modules/ssl/ssl_engine_io.c 2012-06-21 22:10:22.537184970 +0200
- +++ httpd-2.2.22/modules/ssl/ssl_engine_io.c 2012-06-21 22:18:27.251901885 +0200
- @@ -28,6 +28,7 @@
- core keeps dumping.''
- -- Unknown */
- #include "ssl_private.h"
- +#include "mod_ssl.h"
- #include "apr_date.h"
- /* _________________________________________________________________
- @@ -338,6 +339,7 @@
- apr_pool_t *pool;
- char buffer[AP_IOBUFSIZE];
- ssl_filter_ctx_t *filter_ctx;
- + int npn_finished; /* 1 if NPN has finished, 0 otherwise */
- } bio_filter_in_ctx_t;
- /*
- @@ -1409,6 +1411,26 @@
- APR_BRIGADE_INSERT_TAIL(bb, bucket);
- }
- + /* By this point, Next Protocol Negotiation (NPN) should be completed (if
- + * our version of OpenSSL supports it). If we haven't already, find out
- + * which protocol was decided upon and inform other modules by calling
- + * npn_proto_negotiated_hook. */
- + if (!inctx->npn_finished) {
- +#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
- + const unsigned char *next_proto = NULL;
- + unsigned next_proto_len = 0;
- + SSL_get0_next_proto_negotiated(
- + inctx->ssl, &next_proto, &next_proto_len);
- + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
- + "SSL NPN negotiated protocol: '%s'",
- + apr_pstrmemdup(f->c->pool, (const char*)next_proto,
- + next_proto_len));
- + ssl_run_npn_proto_negotiated_hook(
- + f->c, (const char*)next_proto, next_proto_len);
- +#endif
- + inctx->npn_finished = 1;
- + }
- +
- return APR_SUCCESS;
- }
- @@ -1753,6 +1775,7 @@
- inctx->block = APR_BLOCK_READ;
- inctx->pool = c->pool;
- inctx->filter_ctx = filter_ctx;
- + inctx->npn_finished = 0;
- }
- void ssl_io_filter_init(conn_rec *c, SSL *ssl)
- diff -Naur httpd-2.2.22-orig/modules/ssl/ssl_engine_kernel.c httpd-2.2.22/modules/ssl/ssl_engine_kernel.c
- --- httpd-2.2.22-orig/modules/ssl/ssl_engine_kernel.c 2012-06-21 22:10:22.537184970 +0200
- +++ httpd-2.2.22/modules/ssl/ssl_engine_kernel.c 2012-06-21 22:21:44.340920268 +0200
- @@ -29,6 +29,7 @@
- time I was too famous.''
- -- Unknown */
- #include "ssl_private.h"
- +#include "mod_ssl.h"
- static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
- #ifndef OPENSSL_NO_TLSEXT
- @@ -2103,4 +2104,84 @@
- return 0;
- }
- +
- +/*
- + * This callback function is executed when SSL needs to decide what protocols
- + * to advertise during Next Protocol Negotiation (NPN). It must produce a
- + * string in wire format -- a sequence of length-prefixed strings -- indicating
- + * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
- + * in OpenSSL for reference.
- + */
- +int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
- + unsigned int *size_out, void *arg)
- +{
- + conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
- + apr_array_header_t *protos;
- + int num_protos;
- + unsigned int size;
- + int i;
- + unsigned char *data;
- + unsigned char *start;
- +
- + *data_out = NULL;
- + *size_out = 0;
- +
- + /* If the connection object is not available, then there's nothing for us
- + * to do. */
- + if (c == NULL) {
- + return SSL_TLSEXT_ERR_OK;
- + }
- +
- + /* Invoke our npn_advertise_protos hook, giving other modules a chance to
- + * add alternate protocol names to advertise. */
- + protos = apr_array_make(c->pool, 0, sizeof(char*));
- + ssl_run_npn_advertise_protos_hook(c, protos);
- + num_protos = protos->nelts;
- +
- + /* We now have a list of null-terminated strings; we need to concatenate
- + * them together into a single string, where each protocol name is prefixed
- + * by its length. First, calculate how long that string will be. */
- + size = 0;
- + for (i = 0; i < num_protos; ++i) {
- + const char *string = APR_ARRAY_IDX(protos, i, const char*);
- + unsigned int length = strlen(string);
- + /* If the protocol name is too long (the length must fit in one byte),
- + * then log an error and skip it. */
- + if (length > 255) {
- + ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
- + "SSL NPN protocol name too long (length=%u): %s",
- + length, string);
- + continue;
- + }
- + /* Leave room for the length prefix (one byte) plus the protocol name
- + * itself. */
- + size += 1 + length;
- + }
- +
- + /* If there is nothing to advertise (either because no modules added
- + * anything to the protos array, or because all strings added to the array
- + * were skipped), then we're done. */
- + if (size == 0) {
- + return SSL_TLSEXT_ERR_OK;
- + }
- +
- + /* Now we can build the string. Copy each protocol name string into the
- + * larger string, prefixed by its length. */
- + data = apr_palloc(c->pool, size * sizeof(unsigned char));
- + start = data;
- + for (i = 0; i < num_protos; ++i) {
- + const char *string = APR_ARRAY_IDX(protos, i, const char*);
- + apr_size_t length = strlen(string);
- + *start = (unsigned char)length;
- + ++start;
- + memcpy(start, string, length * sizeof(unsigned char));
- + start += length;
- + }
- +
- + /* Success. */
- + *data_out = data;
- + *size_out = size;
- + return SSL_TLSEXT_ERR_OK;
- +}
- +
- #endif
- diff -Naur httpd-2.2.22-orig/modules/ssl/ssl_private.h httpd-2.2.22/modules/ssl/ssl_private.h
- --- httpd-2.2.22-orig/modules/ssl/ssl_private.h 2012-06-21 22:10:22.538184960 +0200
- +++ httpd-2.2.22/modules/ssl/ssl_private.h 2012-06-21 22:11:31.016579969 +0200
- @@ -604,6 +604,8 @@
- int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
- #endif
- +int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
- +
- /** Session Cache Support */
- void ssl_scache_init(server_rec *, apr_pool_t *);
- void ssl_scache_status_register(apr_pool_t *p);
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement