feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

add support for Application-Layer Protocol Name (RFC 7301) in the TLS extensions

Browse Source
This commit is contained in:
Ludovic FLAMENT
2015-10-09 15:18:41 +02:00
parent b1c5f3b299
commit bf3b0a228d
11 changed files with 773 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
configure.ac
View File

@ -1565,6 +1565,19 @@ AC_ARG_ENABLE([maxfragment],
[ ENABLED_MAX_FRAGMENT=no ]
)
# ALPN
AC_ARG_ENABLE([alpn],
[ --enable-alpn Enable ALPN (default: disabled)],
[ ENABLED_ALPN=$enableval ],
[ ENABLED_ALPN=no ]
)
if test "x$ENABLED_ALPN" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_ALPN"
fi
# Maximum Fragment Length
if test "x$ENABLED_MAX_FRAGMENT" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_MAX_FRAGMENT"
@ -1647,7 +1660,8 @@ then
ENABLED_MAX_FRAGMENT=yes
ENABLED_TRUNCATED_HMAC=yes
ENABLED_SUPPORTED_CURVES=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_SUPPORTED_CURVES"
ENABLED_ALPN=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_SUPPORTED_CURVES -DHAVE_ALPN"
fi
# PKCS7
@ -2473,6 +2487,7 @@ echo " * Atomic User Record Layer: $ENABLED_ATOMICUSER"
echo " * Public Key Callbacks: $ENABLED_PKCALLBACKS"
echo " * NTRU: $ENABLED_NTRU"
echo " * SNI: $ENABLED_SNI"
echo " * ALPN: $ENABLED_ALPN"
echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT"
echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC"
echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION"

55
examples/client/client.c
View File

@ -193,6 +193,9 @@ static void Usage(void)
#ifdef HAVE_CRL
printf("-C Disable CRL\n");
#endif
#ifdef HAVE_ALPN
printf("-n <str> Application-Layer Protocole Name\n");
#endif
}
THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
@ -243,6 +246,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
int pkCallbacks = 0;
int overrideDateErrors = 0;
int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS;
char* alpnList = NULL;
char* cipherList = NULL;
const char* verifyCert = caCert;
const char* ourCert = cliCert;
@ -289,11 +293,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
(void)overrideDateErrors;
(void)disableCRL;
(void)minDhKeyBits;
(void)alpnList;
StackTrap();
while ((ch = mygetopt(argc, argv,
"?gdeDusmNrwRitfxXUPCh:p:v:l:A:c:k:Z:b:zS:L:ToO:a"))
"?gdeDusmNrwRitfxXUPCh:p:v:l:A:c:k:Z:b:zS:L:ToO:an:"))
!= -1) {
switch (ch) {
case '?' :
@ -492,6 +497,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#endif
break;
case 'n' :
#ifdef HAVE_ALPN
alpnList = myoptarg;
#endif
break;
default:
Usage();
exit(MY_EX_USAGE);
@ -797,6 +808,14 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#ifdef HAVE_SESSION_TICKET
wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session");
#endif
#ifdef HAVE_ALPN
if (alpnList != NULL) {
printf("ALPN accepted protocols list : %s\n", alpnList);
wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList));
}
#endif
if (doDTLS) {
SOCKADDR_IN_T addr;
build_addr(&addr, host, port, 1);
@ -865,6 +884,20 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#endif
showPeer(ssl);
#ifdef HAVE_ALPN
{
char *protocol_name = NULL;
word16 protocol_nameSz = 0;
if (wolfSSL_ALPN_GetProtocol(ssl, &protocol_name,
&protocol_nameSz) != SSL_SUCCESS)
printf("Getting ALPN protocol name failed\n");
else
printf("Received ALPN protocol : %s (%d)\n",
protocol_name, protocol_nameSz);
}
#endif
#ifdef HAVE_SECURE_RENEGOTIATION
if (scr && forceScr) {
if (nonBlocking) {
@ -952,6 +985,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
tcp_connect(&sockfd, host, port, 0);
}
wolfSSL_set_fd(sslResume, sockfd);
#ifdef HAVE_ALPN
if (alpnList != NULL) {
printf("ALPN accepted protocols list : %s\n", alpnList);
wolfSSL_UseALPN(sslResume, alpnList, (word32)XSTRLEN(alpnList));
}
#endif
#ifdef HAVE_SECURE_RENEGOTIATION
if (scr) {
if (wolfSSL_UseSecureRenegotiation(sslResume) != SSL_SUCCESS)
@ -984,6 +1023,20 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
else
printf("didn't reuse session id!!!\n");
#ifdef HAVE_ALPN
{
char *protocol_name = NULL;
word16 protocol_nameSz = 0;
printf("Sending ALPN accepted list : %s\n", alpnList);
if (wolfSSL_ALPN_GetProtocol(sslResume, &protocol_name,
&protocol_nameSz) != SSL_SUCCESS)
printf("Getting ALPN protocol name failed\n");
else
printf("Received ALPN protocol : %s (%d)\n",
protocol_name, protocol_nameSz);
}
#endif
if (wolfSSL_write(sslResume, resumeMsg, resumeSz) != resumeSz)
err_sys("SSL_write failed");

34
examples/server/server.c
View File

@ -161,6 +161,9 @@ static void Usage(void)
#ifndef NO_PSK
printf("-I Do not send PSK identity hint\n");
#endif
#ifdef HAVE_ALPN
printf("-L <str> Application-Layer Protocole Name\n");
#endif
}
THREAD_RETURN CYASSL_THREAD server_test(void* args)
@ -194,6 +197,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
int resume = 0; /* do resume, and resume count */
int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS;
int ret;
char* alpnList = NULL;
char* cipherList = NULL;
const char* verifyCert = cliCert;
const char* ourCert = svrCert;
@ -232,12 +236,13 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
(void)useNtruKey;
(void)doCliCertCheck;
(void)minDhKeyBits;
(void)alpnList;
#ifdef CYASSL_TIRTOS
fdOpenSession(Task_self());
#endif
while ((ch = mygetopt(argc, argv, "?dbstnNufrRawPIp:v:l:A:c:k:Z:S:oO:D:"))
while ((ch = mygetopt(argc, argv, "?dbstnNufrRawPIp:v:l:A:c:k:Z:S:oO:D:L:"))
!= -1) {
switch (ch) {
case '?' :
@ -376,6 +381,11 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#endif
break;
case 'L' :
#ifdef HAVE_ALPN
alpnList = myoptarg;
#endif
break;
default:
Usage();
exit(MY_EX_USAGE);
@ -622,6 +632,14 @@ while (1) { /* allow resume option */
}
SSL_set_fd(ssl, clientfd);
#ifdef HAVE_ALPN
if (alpnList != NULL) {
printf("ALPN accepted protocols list : %s\n", alpnList);
wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList));
}
#endif
#ifdef WOLFSSL_DTLS
if (doDTLS) {
SOCKADDR_IN_T cliaddr;
@ -664,6 +682,20 @@ while (1) { /* allow resume option */
#endif
showPeer(ssl);
#ifdef HAVE_ALPN
{
char *protocol_name = NULL;
word16 protocol_nameSz = 0;
if (wolfSSL_ALPN_GetProtocol(ssl, &protocol_name,
&protocol_nameSz) != SSL_SUCCESS)
printf("Getting ALPN protocol name failed\n");
else
printf("Send ALPN protocol : %s (%d)\n",
protocol_name, protocol_nameSz);
}
#endif
idx = SSL_read(ssl, input, sizeof(input)-1);
if (idx > 0) {
input[idx] = 0;

3
src/internal.c
View File

@ -8500,6 +8500,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
case RSA_SIGN_FAULT:
return "RSA Signature Fault Error";
case UNKNOWN_ALPN_PROTOCOL_NAME_E:
return "Unrecognized protocol name Error";
default :
return "unknown error number";
}

63
src/ssl.c
View File

@ -882,6 +882,69 @@ int wolfSSL_UseSupportedQSH(WOLFSSL* ssl, word16 name)
#endif /* NO_WOLFSSL_CLIENT */
#endif /* HAVE_QSH */
/* Application-Layer Procotol Name */
#ifdef HAVE_ALPN
int wolfSSL_UseALPN(WOLFSSL* ssl, char *protocol_name_list,
word32 protocol_name_listSz)
{
char *list, *ptr, *token[10];
word16 len;
int idx = 0;
int ret = SSL_FAILURE;
WOLFSSL_ENTER("wolfSSL_UseALPN");
if (ssl == NULL || protocol_name_list == NULL)
return BAD_FUNC_ARG;
if (protocol_name_listSz > (WOLFSSL_MAX_ALPN_NUMBER *
WOLFSSL_MAX_ALPN_PROTO_NAME_LEN +
WOLFSSL_MAX_ALPN_NUMBER)) {
WOLFSSL_MSG("Invalid arguments, procolt name list too long");
return BAD_FUNC_ARG;
}
list = (char *)XMALLOC(protocol_name_listSz+1, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
if (list == NULL) {
WOLFSSL_MSG("Memory failure");
return MEMORY_ERROR;
}
XMEMSET(list, 0, protocol_name_listSz+1);
XSTRNCPY(list, protocol_name_list, protocol_name_listSz);
/* read all protocol name from the list */
token[idx] = XSTRTOK(list, ",", &ptr);
while (token[idx] != NULL)
token[++idx] = XSTRTOK(NULL, ",", &ptr);
/* add protocol name list in the TLS extension in reverse order */
while ((idx--) > 0) {
len = (word16)XSTRLEN(token[idx]);
ret = TLSX_UseALPN(&ssl->extensions, token[idx], len);
if (ret != SSL_SUCCESS) {
WOLFSSL_MSG("TLSX_UseALPN failure");
break;
}
}
XFREE(list, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
}
int wolfSSL_ALPN_GetProtocol(WOLFSSL* ssl, char **protocol_name, word16 *size)
{
return TLSX_ALPN_GetRequest(ssl ? ssl->extensions : NULL,
(void **)protocol_name, size);
}
#endif /* HAVE_ALPN */
/* Secure Renegotiation */
#ifdef HAVE_SECURE_RENEGOTIATION

309
src/tls.c
View File

@ -845,6 +845,296 @@ void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type)
#endif
#ifdef HAVE_ALPN
/** Creates a new ALPN object, providing protocol name to use. */
static ALPN* TLSX_ALPN_New(char *protocol_name, word16 protocol_nameSz)
{
ALPN *alpn;
WOLFSSL_ENTER("TLSX_ALPN_New");
if (protocol_name == NULL ||
protocol_nameSz > WOLFSSL_MAX_ALPN_PROTO_NAME_LEN) {
WOLFSSL_MSG("Invalid arguments");
return NULL;
}
alpn = (ALPN*)XMALLOC(sizeof(ALPN), 0, DYNAMIC_TYPE_TLSX);
if (alpn == NULL) {
WOLFSSL_MSG("Memory failure");
return NULL;
}
alpn->next = NULL;
alpn->protocol_name = XMALLOC(protocol_nameSz + 1, 0, DYNAMIC_TYPE_TLSX);
if (alpn->protocol_name == NULL) {
WOLFSSL_MSG("Memory failure");
XFREE(alpn, 0, DYNAMIC_TYPE_TLSX);
return NULL;
}
XMEMCPY(alpn->protocol_name, protocol_name, protocol_nameSz);
alpn->protocol_name[protocol_nameSz] = 0;
return alpn;
}
/** Releases an ALPN object. */
static void TLSX_ALPN_Free(ALPN *alpn)
{
if (alpn == NULL)
return;
XFREE(alpn->protocol_name, 0, DYNAMIC_TYPE_TLSX);
XFREE(alpn, 0, DYNAMIC_TYPE_TLSX);
}
/** Releases all ALPN objects in the provided list. */
static void TLSX_ALPN_FreeAll(ALPN *list)
{
ALPN* alpn;
while ((alpn = list)) {
list = alpn->next;
TLSX_ALPN_Free(alpn);
}
}
/** Tells the buffered size of the ALPN objects in a list. */
static word16 TLSX_ALPN_GetSize(ALPN *list)
{
ALPN* alpn;
word16 length = OPAQUE16_LEN; /* list length */
while ((alpn = list)) {
list = alpn->next;
length++; /* protocol name length is on one byte */
length += XSTRLEN(alpn->protocol_name);
}
return length;
}
/** Writes the ALPN objects of a list in a buffer. */
static word16 TLSX_ALPN_Write(ALPN *list, byte *output)
{
ALPN* alpn;
word16 length = 0;
word16 offset = OPAQUE16_LEN; /* list length offset */
while ((alpn = list)) {
list = alpn->next;
length = XSTRLEN(alpn->protocol_name);
/* protocol name length */
output[offset++] = (byte)length;
/* protocol name value */
XMEMCPY(output + offset, alpn->protocol_name, length);
offset += length;
}
/* writing list length */
c16toa(offset - OPAQUE16_LEN, output);
return offset;
}
/** Finds a protocol name in the provided ALPN list */
static ALPN* TLSX_ALPN_Find(ALPN *list, char *protocol_name, word16 size)
{
ALPN *alpn;
if (list == NULL || protocol_name == NULL)
return NULL;
alpn = list;
while (alpn != NULL && (
XSTRLEN(alpn->protocol_name) != size ||
XSTRNCMP(alpn->protocol_name, protocol_name, size)))
alpn = alpn->next;
return alpn;
}
/** Set the ALPN matching client and server requirements */
static int TLSX_SetALPN(TLSX** extensions, const void* data, word16 size)
{
ALPN *alpn;
int ret;
if (extensions == NULL || data == NULL)
return BAD_FUNC_ARG;
alpn = TLSX_ALPN_New((char *)data, size);
if (alpn == NULL) {
WOLFSSL_MSG("Memory failure");
return MEMORY_E;
}
ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn);
if (ret != 0) {
TLSX_ALPN_Free(alpn);
return ret;
}
return SSL_SUCCESS;
}
/** Parses a buffer of ALPN extensions and set the first one matching
* client and server requirements */
static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length,
byte isRequest)
{
word16 size = 0;
word16 offset = 0;
int r = BUFFER_ERROR;
TLSX *extension;
ALPN *alpn = NULL;
extension = TLSX_Find(ssl->extensions, WOLFSSL_ALPN);
if (extension == NULL)
extension = TLSX_Find(ssl->ctx->extensions, WOLFSSL_ALPN);
if (extension == NULL || extension->data == NULL) {
WOLFSSL_MSG("No ALPN extensions not used or bad");
return isRequest ? 0 /* not using ALPN */
: BUFFER_ERROR; /* unexpected ALPN response */
}
if (OPAQUE16_LEN > length)
return BUFFER_ERROR;
ato16(input, &size);
offset += OPAQUE16_LEN;
/* validating alpn list length */
if (length != OPAQUE16_LEN + size)
return BUFFER_ERROR;
for (size = 0; offset < length; offset += size) {
size = input[offset++];
if (offset + size > length)
return BUFFER_ERROR;
alpn = TLSX_ALPN_Find((ALPN*)extension->data,
(char*)input + offset, size);
if (alpn != NULL) {
WOLFSSL_MSG("ALPN protocol match");
break;
}
}
if (alpn == NULL) {
WOLFSSL_MSG("No ALPN protocol match");
SendAlert(ssl, alert_fatal, no_application_protocol);
return UNKNOWN_ALPN_PROTOCOL_NAME_E;
}
/* set the matching negociated protocol */
r = TLSX_SetALPN(&ssl->extensions,
alpn->protocol_name, XSTRLEN(alpn->protocol_name));
if (r != SSL_SUCCESS) {
WOLFSSL_MSG("TLSX_UseALPN failed");
return BUFFER_ERROR;
}
/* reply to ALPN extension sent from client */
if (isRequest) {
#ifndef NO_WOLFSSL_SERVER
TLSX_SetResponse(ssl, WOLFSSL_ALPN);
#endif
}
return 0;
}
/** Add a protocol name to the list of accepted usable ones */
int TLSX_UseALPN(TLSX** extensions, const void* data, word16 size)
{
ALPN *alpn;
TLSX *extension;
int ret;
if (extensions == NULL || data == NULL)
return BAD_FUNC_ARG;
alpn = TLSX_ALPN_New((char *)data, size);
if (alpn == NULL) {
WOLFSSL_MSG("Memory failure");
return MEMORY_E;
}
extension = TLSX_Find(*extensions, WOLFSSL_ALPN);
if (extension == NULL) {
ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn);
if (ret != 0) {
TLSX_ALPN_Free(alpn);
return ret;
}
}
else {
/* push new ALPN object to extension data. */
alpn->next = (ALPN*)extension->data;
extension->data = (void*)alpn;
}
return SSL_SUCCESS;
}
/** Get the protocol name set by the server */
int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz)
{
TLSX *extension;
ALPN *alpn;
if (extensions == NULL || data == NULL || dataSz == NULL)
return BAD_FUNC_ARG;
extension = TLSX_Find(extensions, WOLFSSL_ALPN);
if (extension == NULL) {
WOLFSSL_MSG("TLS extension not found");
return SSL_FATAL_ERROR;
}
alpn = (ALPN *)extension->data;
if (alpn == NULL) {
WOLFSSL_MSG("ALPN extension not found");
return WOLFSSL_ALPN_NO_MATCH;
}
if (alpn->next != NULL) {
WOLFSSL_MSG("Only one protocol name must be accepted");
return SSL_FATAL_ERROR;
}
*data = alpn->protocol_name;
*dataSz = XSTRLEN(*data);
return SSL_SUCCESS;
}
#define ALPN_FREE_ALL TLSX_ALPN_FreeAll
#define ALPN_GET_SIZE TLSX_ALPN_GetSize
#define ALPN_WRITE TLSX_ALPN_Write
#define ALPN_PARSE TLSX_ALPN_ParseAndSet
#else /* HAVE_ALPN */
#define ALPN_FREE_ALL(list)
#define ALPN_GET_SIZE(list) 0
#define ALPN_WRITE(a, b) 0
#define ALPN_PARSE(a, b, c, d) 0
#endif /* HAVE_ALPN */
/* Server Name Indication */
#ifdef HAVE_SNI
@ -2712,6 +3002,10 @@ void TLSX_FreeAll(TLSX* list)
case WOLFSSL_QSH:
QSH_FREE_ALL(extension->data);
break;
case WOLFSSL_ALPN:
ALPN_FREE_ALL((ALPN*)extension->data);
break;
}
XFREE(extension, 0, DYNAMIC_TYPE_TLSX);
@ -2775,6 +3069,11 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest)
case WOLFSSL_QSH:
length += QSH_GET_SIZE(extension->data, isRequest);
break;
case WOLFSSL_ALPN:
length += ALPN_GET_SIZE(extension->data);
break;
}
/* marks the extension as processed so ctx level */
@ -2845,6 +3144,10 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
offset += QSHPK_WRITE(extension->data, output + offset);
offset += QSH_SERREQ(output + offset, isRequest);
break;
case WOLFSSL_ALPN:
offset += ALPN_WRITE(extension->data, output + offset);
break;
}
/* writes extension data length. */
@ -3335,6 +3638,12 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest,
ret = QSH_PARSE(ssl, input + offset, size, isRequest);
break;
case WOLFSSL_ALPN:
WOLFSSL_MSG("ALPN extension received");
ret = ALPN_PARSE(ssl, input + offset, size, isRequest);
break;
case HELLO_EXT_SIG_ALGO:
if (isRequest) {
/* do not mess with offset inside the switch! */

297
tests/api.c
View File

@ -507,8 +507,8 @@ done2:
return;
}
/* SNI helper functions */
#ifdef HAVE_SNI
/* SNI / ALPN helper functions */
#if defined(HAVE_SNI) || defined(HAVE_ALPN)
static THREAD_RETURN WOLFSSL_THREAD run_wolfssl_server(void* args)
{
@ -685,7 +685,7 @@ static void run_wolfssl_client(void* args)
#endif
}
#endif /* HAVE_SNI */
#endif /* defined(HAVE_SNI) || defined(HAVE_ALPN) */
#endif /* io tests dependencies */
@ -747,6 +747,51 @@ static void test_wolfSSL_read_write(void)
| TLS extensions tests
*----------------------------------------------------------------------------*/
#if defined(HAVE_SNI) || defined(HAVE_ALPN)
/* connection test runner */
static void test_wolfSSL_client_server(callback_functions* client_callbacks,
callback_functions* server_callbacks)
{
#ifdef HAVE_IO_TESTS_DEPENDENCIES
tcp_ready ready;
func_args client_args;
func_args server_args;
THREAD_TYPE serverThread;
StartTCP();
client_args.callbacks = client_callbacks;
server_args.callbacks = server_callbacks;
#ifdef WOLFSSL_TIRTOS
fdOpenSession(Task_self());
#endif
/* RUN Server side */
InitTcpReady(&ready);
server_args.signal = &ready;
client_args.signal = &ready;
start_thread(run_wolfssl_server, &server_args, &serverThread);
wait_tcp_ready(&server_args);
/* RUN Client side */
run_wolfssl_client(&client_args);
join_thread(serverThread);
FreeTcpReady(&ready);
#ifdef WOLFSSL_TIRTOS
fdCloseSession(Task_self());
#endif
#else
(void)client_callbacks;
(void)server_callbacks;
#endif
}
#endif /* defined(HAVE_SNI) || defined(HAVE_ALPN) */
#ifdef HAVE_SNI
static void test_wolfSSL_UseSNI_params(void)
{
@ -827,11 +872,6 @@ static void use_PSEUDO_MANDATORY_SNI_at_ctx(WOLFSSL_CTX* ctx)
WOLFSSL_SNI_ANSWER_ON_MISMATCH | WOLFSSL_SNI_ABORT_ON_ABSENCE);
}
static void verify_FATAL_ERROR_on_client(WOLFSSL* ssl)
{
AssertIntEQ(FATAL_ERROR, wolfSSL_get_error(ssl, 0));
}
static void verify_UNKNOWN_SNI_on_server(WOLFSSL* ssl)
{
AssertIntEQ(UNKNOWN_SNI_HOST_NAME_E, wolfSSL_get_error(ssl, 0));
@ -874,48 +914,12 @@ static void verify_SNI_fake_matching(WOLFSSL* ssl)
AssertNotNull(request);
AssertStrEQ("ww2.wolfssl.com", request);
}
/* END of connection tests callbacks */
/* connection test runner */
static void test_wolfSSL_client_server(callback_functions* client_callbacks,
callback_functions* server_callbacks)
static void verify_FATAL_ERROR_on_client(WOLFSSL* ssl)
{
#ifdef HAVE_IO_TESTS_DEPENDENCIES
tcp_ready ready;
func_args client_args;
func_args server_args;
THREAD_TYPE serverThread;
StartTCP();
client_args.callbacks = client_callbacks;
server_args.callbacks = server_callbacks;
#ifdef WOLFSSL_TIRTOS
fdOpenSession(Task_self());
#endif
/* RUN Server side */
InitTcpReady(&ready);
server_args.signal = &ready;
client_args.signal = &ready;
start_thread(run_wolfssl_server, &server_args, &serverThread);
wait_tcp_ready(&server_args);
/* RUN Client side */
run_wolfssl_client(&client_args);
join_thread(serverThread);
FreeTcpReady(&ready);
#ifdef WOLFSSL_TIRTOS
fdCloseSession(Task_self());
#endif
#else
(void)client_callbacks;
(void)server_callbacks;
#endif
AssertIntEQ(FATAL_ERROR, wolfSSL_get_error(ssl, 0));
}
/* END of connection tests callbacks */
static void test_wolfSSL_UseSNI_connection(void)
{
@ -1197,6 +1201,204 @@ static void test_wolfSSL_UseSupportedCurve(void)
#endif
}
#ifdef HAVE_ALPN
static void verify_ALPN_FATAL_ERROR_on_client(WOLFSSL* ssl)
{
AssertIntEQ(UNKNOWN_ALPN_PROTOCOL_NAME_E, wolfSSL_get_error(ssl, 0));
}
static void use_ALPN_all(WOLFSSL* ssl)
{
/* http/1.1,spdy/1,spdy/2,spdy/3 */
char alpn_list[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, 0x2c,
0x73, 0x70, 0x64, 0x79, 0x2f, 0x31, 0x2c,
0x73, 0x70, 0x64, 0x79, 0x2f, 0x32, 0x2c,
0x73, 0x70, 0x64, 0x79, 0x2f, 0x33};
AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, alpn_list, sizeof(alpn_list)));
}
static void use_ALPN_one(WOLFSSL* ssl)
{
/* spdy/2 */
char proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32};
AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, proto, sizeof(proto)));
}
static void use_ALPN_unknown(WOLFSSL* ssl)
{
/* http/2.0 */
char proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x32, 0x2e, 0x30};
AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, proto, sizeof(proto)));
}
static void verify_ALPN_not_matching_spdy3(WOLFSSL* ssl)
{
/* spdy/3 */
char nego_proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x33};
char *proto;
word16 protoSz = 0;
printf("verify_ALPN_not_matching GetProtocol(ssl) = %d\n",
wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz));
AssertIntEQ(SSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz));
/* check value */
AssertIntNE(1, sizeof(nego_proto) == protoSz);
AssertIntNE(0, XMEMCMP(nego_proto, proto, sizeof(nego_proto)));
}
static void verify_ALPN_matching_http1(WOLFSSL* ssl)
{
/* http/1.1 */
char nego_proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31};
char *proto;
word16 protoSz = 0;
printf("verify_ALPN_matching GetProtocol(ssl) = %d\n",
wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz));
AssertIntEQ(SSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz));
/* check value */
AssertIntEQ(1, sizeof(nego_proto) == protoSz);
AssertIntEQ(0, XMEMCMP(nego_proto, proto, protoSz));
}
static void verify_ALPN_matching_spdy2(WOLFSSL* ssl)
{
/* spdy/2 */
char nego_proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32};
char *proto;
word16 protoSz = 0;
printf("verify_ALPN_matching GetProtocol(ssl) = %d\n",
wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz));
AssertIntEQ(SSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz));
/* check value */
AssertIntEQ(1, sizeof(nego_proto) == protoSz);
AssertIntEQ(0, XMEMCMP(nego_proto, proto, protoSz));
}
static void test_wolfSSL_UseALPN_connection(void)
{
unsigned long i;
callback_functions callbacks[] = {
/* success case same list */
{0, 0, use_ALPN_all, 0},
{0, 0, use_ALPN_all, verify_ALPN_matching_http1},
/* success case only one for server */
{0, 0, use_ALPN_all, 0},
{0, 0, use_ALPN_one, verify_ALPN_matching_spdy2},
/* success case only one for client */
{0, 0, use_ALPN_one, 0},
{0, 0, use_ALPN_all, verify_ALPN_matching_spdy2},
/* success case none for client */
{0, 0, 0, 0},
{0, 0, use_ALPN_all, 0},
/* missmatch behavior with same list
* the first and only this one must be taken */
{0, 0, use_ALPN_all, 0},
{0, 0, use_ALPN_all, verify_ALPN_not_matching_spdy3},
/* default missmatch behavior */
{0, 0, use_ALPN_all, 0},
{0, 0, use_ALPN_unknown, verify_ALPN_FATAL_ERROR_on_client},
};
for (i = 0; i < sizeof(callbacks) / sizeof(callback_functions); i += 2) {
callbacks[i ].method = wolfSSLv23_client_method;
callbacks[i + 1].method = wolfSSLv23_server_method;
test_wolfSSL_client_server(&callbacks[i], &callbacks[i + 1]);
}
}
static void test_wolfSSL_UseALPN_params(void)
{
/* "http/1.1" */
char http1[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31};
/* "spdy/1" */
char spdy1[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x31};
/* "spdy/2" */
char spdy2[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32};
/* "spdy/3" */
char spdy3[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x33};
char buff[256];
word32 idx;
WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method());
WOLFSSL *ssl = wolfSSL_new(ctx);
AssertNotNull(ctx);
AssertNotNull(ssl);
/* error cases */
AssertIntNE(SSL_SUCCESS,
wolfSSL_UseALPN(NULL, http1, sizeof(http1)));
AssertIntNE(SSL_SUCCESS, wolfSSL_UseALPN(ssl, NULL, 0));
/* success case */
/* http1 only */
AssertIntEQ(SSL_SUCCESS,
wolfSSL_UseALPN(ssl, http1, sizeof(http1)));
/* http1, spdy1 */
memcpy(buff, http1, sizeof(http1));
idx = sizeof(http1);
buff[idx++] = ',';
memcpy(buff+idx, spdy1, sizeof(spdy1));
idx += sizeof(spdy1);
AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx));
/* http1, spdy2, spdy1 */
memcpy(buff, http1, sizeof(http1));
idx = sizeof(http1);
buff[idx++] = ',';
memcpy(buff+idx, spdy2, sizeof(spdy2));
idx += sizeof(spdy2);
buff[idx++] = ',';
memcpy(buff+idx, spdy1, sizeof(spdy1));
idx += sizeof(spdy1);
AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx));
/* spdy3, http1, spdy2, spdy1 */
memcpy(buff, spdy3, sizeof(spdy3));
idx = sizeof(spdy3);
buff[idx++] = ',';
memcpy(buff+idx, http1, sizeof(http1));
idx += sizeof(http1);
buff[idx++] = ',';
memcpy(buff+idx, spdy2, sizeof(spdy2));
idx += sizeof(spdy2);
buff[idx++] = ',';
memcpy(buff+idx, spdy1, sizeof(spdy1));
idx += sizeof(spdy1);
AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx));
wolfSSL_free(ssl);
wolfSSL_CTX_free(ctx);
}
#endif /* HAVE_ALPN */
static void test_wolfSSL_UseALPN(void)
{
#ifdef HAVE_ALPN
test_wolfSSL_UseALPN_connection();
test_wolfSSL_UseALPN_params();
#endif
}
/*----------------------------------------------------------------------------*
| Main
*----------------------------------------------------------------------------*/
@ -1220,6 +1422,7 @@ void ApiTest(void)
test_wolfSSL_UseMaxFragment();
test_wolfSSL_UseTruncatedHMAC();
test_wolfSSL_UseSupportedCurve();
test_wolfSSL_UseALPN();
test_wolfSSL_Cleanup();
printf(" End API Tests\n");

2
wolfssl/error-ssl.h
View File

@ -137,6 +137,8 @@ enum wolfSSL_ErrorCodes {
SNI_ABSENT_ERROR = -402, /* No SNI request. */
RSA_SIGN_FAULT = -403, /* RSA Sign fault */
UNKNOWN_ALPN_PROTOCOL_NAME_E = -404, /* Unrecognized protocol name Error*/
/* add strings to SetErrorString !!!!! */
/* begin negotiation parameter errors */

20
wolfssl/internal.h
View File

@ -1453,7 +1453,8 @@ typedef enum {
ELLIPTIC_CURVES = 0x000a,
SESSION_TICKET = 0x0023,
SECURE_RENEGOTIATION = 0xff01,
WOLFSSL_QSH = 0x0018 /* Quantum-Safe-Hybrid */
WOLFSSL_QSH = 0x0018, /* Quantum-Safe-Hybrid */
WOLFSSL_ALPN = 0x0010 /* Application-Layer Protocol Name */
} TLSX_Type;
typedef struct TLSX {
@ -1486,7 +1487,8 @@ WOLFSSL_LOCAL int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length,
|| defined(HAVE_TRUNCATED_HMAC) \
|| defined(HAVE_SUPPORTED_CURVES) \
|| defined(HAVE_SECURE_RENEGOTIATION) \
|| defined(HAVE_SESSION_TICKET)
|| defined(HAVE_SESSION_TICKET) \
|| defined(HAVE_ALPN)
#error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined.
@ -1520,6 +1522,20 @@ WOLFSSL_LOCAL int TLSX_SNI_GetFromBuffer(const byte* buffer, word32 bufferSz,
#endif /* HAVE_SNI */
/* Application-layer Protocol Name */
#ifdef HAVE_ALPN
typedef struct ALPN {
char* protocol_name; /* ALPN protocol name */
struct ALPN* next; /* List Behavior */
} ALPN;
WOLFSSL_LOCAL int TLSX_ALPN_GetRequest(TLSX* extensions,
void** data, word16 *dataSz);
WOLFSSL_LOCAL int TLSX_UseALPN(TLSX** extensions, const void* data,
word16 size);
#endif /* HAVE_ALPN */
/* Maximum Fragment Length */
#ifdef HAVE_MAX_FRAGMENT

25
wolfssl/ssl.h
View File

@ -187,7 +187,8 @@ enum AlertDescription {
protocol_version = 70,
#endif
no_renegotiation = 100,
unrecognized_name = 112
unrecognized_name = 112,
no_application_protocol = 120
};
@ -1346,6 +1347,28 @@ WOLFSSL_API int wolfSSL_SNI_GetFromBuffer(
#endif
#endif
/* Application-Layer Protocol Name */
#ifdef HAVE_ALPN
/* ALPN status code */
enum {
WOLFSSL_ALPN_NO_MATCH = 0,
WOLFSSL_ALPN_MATCH = 1
};
enum {
WOLFSSL_MAX_ALPN_PROTO_NAME_LEN = 255,
WOLFSSL_MAX_ALPN_NUMBER = 257
};
WOLFSSL_API int wolfSSL_UseALPN(WOLFSSL* ssl, char *protocol_name_list,
unsigned int protocol_name_listSz);
WOLFSSL_API int wolfSSL_ALPN_GetProtocol(WOLFSSL* ssl, char **protocol_name,
unsigned short *size);
#endif /* HAVE_ALPN */
/* Maximum Fragment Length */
#ifdef HAVE_MAX_FRAGMENT

2
wolfssl/wolfcrypt/types.h
View File

@ -216,7 +216,7 @@
#define XSTRNCASECMP(s1,s2,n) _strnicmp((s1),(s2),(n))
#endif
#ifdef WOLFSSL_CERT_EXT
#if defined(WOLFSSL_CERT_EXT) || defined(HAVE_ALPN)
/* use only Thread Safe version of strtok */
#ifndef USE_WINDOWS_API
#define XSTRTOK strtok_r