diff --git a/configure.ac b/configure.ac index a239a89de..018685731 100644 --- a/configure.ac +++ b/configure.ac @@ -1565,6 +1565,19 @@ AC_ARG_ENABLE([maxfragment], [ ENABLED_MAX_FRAGMENT=no ] ) +# ALPN +AC_ARG_ENABLE([alpn], + [ --enable-alpn Enable ALPN (default: disabled)], + [ ENABLED_ALPN=$enableval ], + [ ENABLED_ALPN=no ] + ) + +if test "x$ENABLED_ALPN" = "xyes" +then + AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_ALPN" +fi + +# Maximum Fragment Length if test "x$ENABLED_MAX_FRAGMENT" = "xyes" then AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_MAX_FRAGMENT" @@ -1647,7 +1660,8 @@ then ENABLED_MAX_FRAGMENT=yes ENABLED_TRUNCATED_HMAC=yes ENABLED_SUPPORTED_CURVES=yes - AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_SUPPORTED_CURVES" + ENABLED_ALPN=yes + AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_SUPPORTED_CURVES -DHAVE_ALPN" fi # PKCS7 @@ -2473,6 +2487,7 @@ echo " * Atomic User Record Layer: $ENABLED_ATOMICUSER" echo " * Public Key Callbacks: $ENABLED_PKCALLBACKS" echo " * NTRU: $ENABLED_NTRU" echo " * SNI: $ENABLED_SNI" +echo " * ALPN: $ENABLED_ALPN" echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT" echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC" echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION" diff --git a/examples/client/client.c b/examples/client/client.c index b37fd4cd3..3f8d232df 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -193,6 +193,9 @@ static void Usage(void) #ifdef HAVE_CRL printf("-C Disable CRL\n"); #endif +#ifdef HAVE_ALPN + printf("-n Application-Layer Protocole Name\n"); +#endif } THREAD_RETURN WOLFSSL_THREAD client_test(void* args) @@ -243,6 +246,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) int pkCallbacks = 0; int overrideDateErrors = 0; int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS; + char* alpnList = NULL; char* cipherList = NULL; const char* verifyCert = caCert; const char* ourCert = cliCert; @@ -289,11 +293,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) (void)overrideDateErrors; (void)disableCRL; (void)minDhKeyBits; + (void)alpnList; StackTrap(); while ((ch = mygetopt(argc, argv, - "?gdeDusmNrwRitfxXUPCh:p:v:l:A:c:k:Z:b:zS:L:ToO:a")) + "?gdeDusmNrwRitfxXUPCh:p:v:l:A:c:k:Z:b:zS:L:ToO:an:")) != -1) { switch (ch) { case '?' : @@ -492,6 +497,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif break; + case 'n' : + #ifdef HAVE_ALPN + alpnList = myoptarg; + #endif + break; + default: Usage(); exit(MY_EX_USAGE); @@ -797,6 +808,14 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifdef HAVE_SESSION_TICKET wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session"); #endif + +#ifdef HAVE_ALPN + if (alpnList != NULL) { + printf("ALPN accepted protocols list : %s\n", alpnList); + wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList)); + } +#endif + if (doDTLS) { SOCKADDR_IN_T addr; build_addr(&addr, host, port, 1); @@ -865,6 +884,20 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif showPeer(ssl); +#ifdef HAVE_ALPN + { + char *protocol_name = NULL; + word16 protocol_nameSz = 0; + + if (wolfSSL_ALPN_GetProtocol(ssl, &protocol_name, + &protocol_nameSz) != SSL_SUCCESS) + printf("Getting ALPN protocol name failed\n"); + else + printf("Received ALPN protocol : %s (%d)\n", + protocol_name, protocol_nameSz); + } +#endif + #ifdef HAVE_SECURE_RENEGOTIATION if (scr && forceScr) { if (nonBlocking) { @@ -952,6 +985,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) tcp_connect(&sockfd, host, port, 0); } wolfSSL_set_fd(sslResume, sockfd); +#ifdef HAVE_ALPN + if (alpnList != NULL) { + printf("ALPN accepted protocols list : %s\n", alpnList); + wolfSSL_UseALPN(sslResume, alpnList, (word32)XSTRLEN(alpnList)); + } +#endif #ifdef HAVE_SECURE_RENEGOTIATION if (scr) { if (wolfSSL_UseSecureRenegotiation(sslResume) != SSL_SUCCESS) @@ -984,6 +1023,20 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) else printf("didn't reuse session id!!!\n"); +#ifdef HAVE_ALPN + { + char *protocol_name = NULL; + word16 protocol_nameSz = 0; + + printf("Sending ALPN accepted list : %s\n", alpnList); + if (wolfSSL_ALPN_GetProtocol(sslResume, &protocol_name, + &protocol_nameSz) != SSL_SUCCESS) + printf("Getting ALPN protocol name failed\n"); + else + printf("Received ALPN protocol : %s (%d)\n", + protocol_name, protocol_nameSz); + } +#endif if (wolfSSL_write(sslResume, resumeMsg, resumeSz) != resumeSz) err_sys("SSL_write failed"); diff --git a/examples/server/server.c b/examples/server/server.c index 07f3012e4..b2e90ad31 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -161,6 +161,9 @@ static void Usage(void) #ifndef NO_PSK printf("-I Do not send PSK identity hint\n"); #endif +#ifdef HAVE_ALPN + printf("-L Application-Layer Protocole Name\n"); +#endif } THREAD_RETURN CYASSL_THREAD server_test(void* args) @@ -194,6 +197,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) int resume = 0; /* do resume, and resume count */ int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS; int ret; + char* alpnList = NULL; char* cipherList = NULL; const char* verifyCert = cliCert; const char* ourCert = svrCert; @@ -232,12 +236,13 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) (void)useNtruKey; (void)doCliCertCheck; (void)minDhKeyBits; + (void)alpnList; #ifdef CYASSL_TIRTOS fdOpenSession(Task_self()); #endif - while ((ch = mygetopt(argc, argv, "?dbstnNufrRawPIp:v:l:A:c:k:Z:S:oO:D:")) + while ((ch = mygetopt(argc, argv, "?dbstnNufrRawPIp:v:l:A:c:k:Z:S:oO:D:L:")) != -1) { switch (ch) { case '?' : @@ -376,6 +381,11 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #endif break; + case 'L' : + #ifdef HAVE_ALPN + alpnList = myoptarg; + #endif + break; default: Usage(); exit(MY_EX_USAGE); @@ -622,6 +632,14 @@ while (1) { /* allow resume option */ } SSL_set_fd(ssl, clientfd); + +#ifdef HAVE_ALPN + if (alpnList != NULL) { + printf("ALPN accepted protocols list : %s\n", alpnList); + wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList)); + } +#endif + #ifdef WOLFSSL_DTLS if (doDTLS) { SOCKADDR_IN_T cliaddr; @@ -664,6 +682,20 @@ while (1) { /* allow resume option */ #endif showPeer(ssl); +#ifdef HAVE_ALPN + { + char *protocol_name = NULL; + word16 protocol_nameSz = 0; + + if (wolfSSL_ALPN_GetProtocol(ssl, &protocol_name, + &protocol_nameSz) != SSL_SUCCESS) + printf("Getting ALPN protocol name failed\n"); + else + printf("Send ALPN protocol : %s (%d)\n", + protocol_name, protocol_nameSz); + } +#endif + idx = SSL_read(ssl, input, sizeof(input)-1); if (idx > 0) { input[idx] = 0; diff --git a/src/internal.c b/src/internal.c index 9321a840e..f0e54cf2f 100644 --- a/src/internal.c +++ b/src/internal.c @@ -8500,6 +8500,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) case RSA_SIGN_FAULT: return "RSA Signature Fault Error"; + case UNKNOWN_ALPN_PROTOCOL_NAME_E: + return "Unrecognized protocol name Error"; + default : return "unknown error number"; } diff --git a/src/ssl.c b/src/ssl.c index bb2bd9276..a0d7dd6dd 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -882,6 +882,69 @@ int wolfSSL_UseSupportedQSH(WOLFSSL* ssl, word16 name) #endif /* NO_WOLFSSL_CLIENT */ #endif /* HAVE_QSH */ + +/* Application-Layer Procotol Name */ +#ifdef HAVE_ALPN + +int wolfSSL_UseALPN(WOLFSSL* ssl, char *protocol_name_list, + word32 protocol_name_listSz) +{ + char *list, *ptr, *token[10]; + word16 len; + int idx = 0; + int ret = SSL_FAILURE; + + WOLFSSL_ENTER("wolfSSL_UseALPN"); + + if (ssl == NULL || protocol_name_list == NULL) + return BAD_FUNC_ARG; + + if (protocol_name_listSz > (WOLFSSL_MAX_ALPN_NUMBER * + WOLFSSL_MAX_ALPN_PROTO_NAME_LEN + + WOLFSSL_MAX_ALPN_NUMBER)) { + WOLFSSL_MSG("Invalid arguments, procolt name list too long"); + return BAD_FUNC_ARG; + } + + list = (char *)XMALLOC(protocol_name_listSz+1, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (list == NULL) { + WOLFSSL_MSG("Memory failure"); + return MEMORY_ERROR; + } + + XMEMSET(list, 0, protocol_name_listSz+1); + XSTRNCPY(list, protocol_name_list, protocol_name_listSz); + + /* read all protocol name from the list */ + token[idx] = XSTRTOK(list, ",", &ptr); + while (token[idx] != NULL) + token[++idx] = XSTRTOK(NULL, ",", &ptr); + + /* add protocol name list in the TLS extension in reverse order */ + while ((idx--) > 0) { + len = (word16)XSTRLEN(token[idx]); + + ret = TLSX_UseALPN(&ssl->extensions, token[idx], len); + if (ret != SSL_SUCCESS) { + WOLFSSL_MSG("TLSX_UseALPN failure"); + break; + } + } + + XFREE(list, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + return ret; +} + +int wolfSSL_ALPN_GetProtocol(WOLFSSL* ssl, char **protocol_name, word16 *size) +{ + return TLSX_ALPN_GetRequest(ssl ? ssl->extensions : NULL, + (void **)protocol_name, size); +} + +#endif /* HAVE_ALPN */ + /* Secure Renegotiation */ #ifdef HAVE_SECURE_RENEGOTIATION diff --git a/src/tls.c b/src/tls.c index 5d4657941..42176353c 100644 --- a/src/tls.c +++ b/src/tls.c @@ -845,6 +845,296 @@ void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type) #endif + +#ifdef HAVE_ALPN +/** Creates a new ALPN object, providing protocol name to use. */ +static ALPN* TLSX_ALPN_New(char *protocol_name, word16 protocol_nameSz) +{ + ALPN *alpn; + + WOLFSSL_ENTER("TLSX_ALPN_New"); + + if (protocol_name == NULL || + protocol_nameSz > WOLFSSL_MAX_ALPN_PROTO_NAME_LEN) { + WOLFSSL_MSG("Invalid arguments"); + return NULL; + } + + alpn = (ALPN*)XMALLOC(sizeof(ALPN), 0, DYNAMIC_TYPE_TLSX); + if (alpn == NULL) { + WOLFSSL_MSG("Memory failure"); + return NULL; + } + + alpn->next = NULL; + + alpn->protocol_name = XMALLOC(protocol_nameSz + 1, 0, DYNAMIC_TYPE_TLSX); + if (alpn->protocol_name == NULL) { + WOLFSSL_MSG("Memory failure"); + XFREE(alpn, 0, DYNAMIC_TYPE_TLSX); + return NULL; + } + + XMEMCPY(alpn->protocol_name, protocol_name, protocol_nameSz); + alpn->protocol_name[protocol_nameSz] = 0; + + return alpn; +} + +/** Releases an ALPN object. */ +static void TLSX_ALPN_Free(ALPN *alpn) +{ + if (alpn == NULL) + return; + + XFREE(alpn->protocol_name, 0, DYNAMIC_TYPE_TLSX); + XFREE(alpn, 0, DYNAMIC_TYPE_TLSX); +} + +/** Releases all ALPN objects in the provided list. */ +static void TLSX_ALPN_FreeAll(ALPN *list) +{ + ALPN* alpn; + + while ((alpn = list)) { + list = alpn->next; + TLSX_ALPN_Free(alpn); + } +} + +/** Tells the buffered size of the ALPN objects in a list. */ +static word16 TLSX_ALPN_GetSize(ALPN *list) +{ + ALPN* alpn; + word16 length = OPAQUE16_LEN; /* list length */ + + while ((alpn = list)) { + list = alpn->next; + + length++; /* protocol name length is on one byte */ + length += XSTRLEN(alpn->protocol_name); + } + + return length; +} + +/** Writes the ALPN objects of a list in a buffer. */ +static word16 TLSX_ALPN_Write(ALPN *list, byte *output) +{ + ALPN* alpn; + word16 length = 0; + word16 offset = OPAQUE16_LEN; /* list length offset */ + + while ((alpn = list)) { + list = alpn->next; + + length = XSTRLEN(alpn->protocol_name); + + /* protocol name length */ + output[offset++] = (byte)length; + + /* protocol name value */ + XMEMCPY(output + offset, alpn->protocol_name, length); + + offset += length; + } + + /* writing list length */ + c16toa(offset - OPAQUE16_LEN, output); + + return offset; +} + +/** Finds a protocol name in the provided ALPN list */ +static ALPN* TLSX_ALPN_Find(ALPN *list, char *protocol_name, word16 size) +{ + ALPN *alpn; + + if (list == NULL || protocol_name == NULL) + return NULL; + + alpn = list; + while (alpn != NULL && ( + XSTRLEN(alpn->protocol_name) != size || + XSTRNCMP(alpn->protocol_name, protocol_name, size))) + alpn = alpn->next; + + return alpn; +} + +/** Set the ALPN matching client and server requirements */ +static int TLSX_SetALPN(TLSX** extensions, const void* data, word16 size) +{ + ALPN *alpn; + int ret; + + if (extensions == NULL || data == NULL) + return BAD_FUNC_ARG; + + alpn = TLSX_ALPN_New((char *)data, size); + if (alpn == NULL) { + WOLFSSL_MSG("Memory failure"); + return MEMORY_E; + } + + ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn); + if (ret != 0) { + TLSX_ALPN_Free(alpn); + return ret; + } + + return SSL_SUCCESS; +} + +/** Parses a buffer of ALPN extensions and set the first one matching + * client and server requirements */ +static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length, + byte isRequest) +{ + word16 size = 0; + word16 offset = 0; + int r = BUFFER_ERROR; + TLSX *extension; + ALPN *alpn = NULL; + + extension = TLSX_Find(ssl->extensions, WOLFSSL_ALPN); + if (extension == NULL) + extension = TLSX_Find(ssl->ctx->extensions, WOLFSSL_ALPN); + + if (extension == NULL || extension->data == NULL) { + WOLFSSL_MSG("No ALPN extensions not used or bad"); + return isRequest ? 0 /* not using ALPN */ + : BUFFER_ERROR; /* unexpected ALPN response */ + } + + if (OPAQUE16_LEN > length) + return BUFFER_ERROR; + + ato16(input, &size); + offset += OPAQUE16_LEN; + + /* validating alpn list length */ + if (length != OPAQUE16_LEN + size) + return BUFFER_ERROR; + + for (size = 0; offset < length; offset += size) { + + size = input[offset++]; + if (offset + size > length) + return BUFFER_ERROR; + + alpn = TLSX_ALPN_Find((ALPN*)extension->data, + (char*)input + offset, size); + if (alpn != NULL) { + WOLFSSL_MSG("ALPN protocol match"); + break; + } + } + + if (alpn == NULL) { + WOLFSSL_MSG("No ALPN protocol match"); + + SendAlert(ssl, alert_fatal, no_application_protocol); + return UNKNOWN_ALPN_PROTOCOL_NAME_E; + } + + /* set the matching negociated protocol */ + r = TLSX_SetALPN(&ssl->extensions, + alpn->protocol_name, XSTRLEN(alpn->protocol_name)); + if (r != SSL_SUCCESS) { + WOLFSSL_MSG("TLSX_UseALPN failed"); + return BUFFER_ERROR; + } + + /* reply to ALPN extension sent from client */ + if (isRequest) { +#ifndef NO_WOLFSSL_SERVER + TLSX_SetResponse(ssl, WOLFSSL_ALPN); +#endif + } + + return 0; +} + +/** Add a protocol name to the list of accepted usable ones */ +int TLSX_UseALPN(TLSX** extensions, const void* data, word16 size) +{ + ALPN *alpn; + TLSX *extension; + int ret; + + if (extensions == NULL || data == NULL) + return BAD_FUNC_ARG; + + alpn = TLSX_ALPN_New((char *)data, size); + if (alpn == NULL) { + WOLFSSL_MSG("Memory failure"); + return MEMORY_E; + } + + extension = TLSX_Find(*extensions, WOLFSSL_ALPN); + if (extension == NULL) { + ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn); + if (ret != 0) { + TLSX_ALPN_Free(alpn); + return ret; + } + } + else { + /* push new ALPN object to extension data. */ + alpn->next = (ALPN*)extension->data; + extension->data = (void*)alpn; + } + + return SSL_SUCCESS; +} + +/** Get the protocol name set by the server */ +int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz) +{ + TLSX *extension; + ALPN *alpn; + + if (extensions == NULL || data == NULL || dataSz == NULL) + return BAD_FUNC_ARG; + + extension = TLSX_Find(extensions, WOLFSSL_ALPN); + if (extension == NULL) { + WOLFSSL_MSG("TLS extension not found"); + return SSL_FATAL_ERROR; + } + + alpn = (ALPN *)extension->data; + if (alpn == NULL) { + WOLFSSL_MSG("ALPN extension not found"); + return WOLFSSL_ALPN_NO_MATCH; + } + + if (alpn->next != NULL) { + WOLFSSL_MSG("Only one protocol name must be accepted"); + return SSL_FATAL_ERROR; + } + + *data = alpn->protocol_name; + *dataSz = XSTRLEN(*data); + + return SSL_SUCCESS; +} + +#define ALPN_FREE_ALL TLSX_ALPN_FreeAll +#define ALPN_GET_SIZE TLSX_ALPN_GetSize +#define ALPN_WRITE TLSX_ALPN_Write +#define ALPN_PARSE TLSX_ALPN_ParseAndSet + +#else /* HAVE_ALPN */ + +#define ALPN_FREE_ALL(list) +#define ALPN_GET_SIZE(list) 0 +#define ALPN_WRITE(a, b) 0 +#define ALPN_PARSE(a, b, c, d) 0 + +#endif /* HAVE_ALPN */ + /* Server Name Indication */ #ifdef HAVE_SNI @@ -2712,6 +3002,10 @@ void TLSX_FreeAll(TLSX* list) case WOLFSSL_QSH: QSH_FREE_ALL(extension->data); break; + + case WOLFSSL_ALPN: + ALPN_FREE_ALL((ALPN*)extension->data); + break; } XFREE(extension, 0, DYNAMIC_TYPE_TLSX); @@ -2775,6 +3069,11 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest) case WOLFSSL_QSH: length += QSH_GET_SIZE(extension->data, isRequest); break; + + case WOLFSSL_ALPN: + length += ALPN_GET_SIZE(extension->data); + break; + } /* marks the extension as processed so ctx level */ @@ -2845,6 +3144,10 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore, offset += QSHPK_WRITE(extension->data, output + offset); offset += QSH_SERREQ(output + offset, isRequest); break; + + case WOLFSSL_ALPN: + offset += ALPN_WRITE(extension->data, output + offset); + break; } /* writes extension data length. */ @@ -3335,6 +3638,12 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest, ret = QSH_PARSE(ssl, input + offset, size, isRequest); break; + case WOLFSSL_ALPN: + WOLFSSL_MSG("ALPN extension received"); + + ret = ALPN_PARSE(ssl, input + offset, size, isRequest); + break; + case HELLO_EXT_SIG_ALGO: if (isRequest) { /* do not mess with offset inside the switch! */ diff --git a/tests/api.c b/tests/api.c index a34ecebbc..000c7d92d 100644 --- a/tests/api.c +++ b/tests/api.c @@ -507,8 +507,8 @@ done2: return; } -/* SNI helper functions */ -#ifdef HAVE_SNI +/* SNI / ALPN helper functions */ +#if defined(HAVE_SNI) || defined(HAVE_ALPN) static THREAD_RETURN WOLFSSL_THREAD run_wolfssl_server(void* args) { @@ -685,7 +685,7 @@ static void run_wolfssl_client(void* args) #endif } -#endif /* HAVE_SNI */ +#endif /* defined(HAVE_SNI) || defined(HAVE_ALPN) */ #endif /* io tests dependencies */ @@ -747,6 +747,51 @@ static void test_wolfSSL_read_write(void) | TLS extensions tests *----------------------------------------------------------------------------*/ +#if defined(HAVE_SNI) || defined(HAVE_ALPN) +/* connection test runner */ +static void test_wolfSSL_client_server(callback_functions* client_callbacks, + callback_functions* server_callbacks) +{ +#ifdef HAVE_IO_TESTS_DEPENDENCIES + tcp_ready ready; + func_args client_args; + func_args server_args; + THREAD_TYPE serverThread; + + StartTCP(); + + client_args.callbacks = client_callbacks; + server_args.callbacks = server_callbacks; + +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif + + /* RUN Server side */ + InitTcpReady(&ready); + server_args.signal = &ready; + client_args.signal = &ready; + start_thread(run_wolfssl_server, &server_args, &serverThread); + wait_tcp_ready(&server_args); + + /* RUN Client side */ + run_wolfssl_client(&client_args); + join_thread(serverThread); + + FreeTcpReady(&ready); +#ifdef WOLFSSL_TIRTOS + fdCloseSession(Task_self()); +#endif + +#else + (void)client_callbacks; + (void)server_callbacks; +#endif +} + +#endif /* defined(HAVE_SNI) || defined(HAVE_ALPN) */ + + #ifdef HAVE_SNI static void test_wolfSSL_UseSNI_params(void) { @@ -827,11 +872,6 @@ static void use_PSEUDO_MANDATORY_SNI_at_ctx(WOLFSSL_CTX* ctx) WOLFSSL_SNI_ANSWER_ON_MISMATCH | WOLFSSL_SNI_ABORT_ON_ABSENCE); } -static void verify_FATAL_ERROR_on_client(WOLFSSL* ssl) -{ - AssertIntEQ(FATAL_ERROR, wolfSSL_get_error(ssl, 0)); -} - static void verify_UNKNOWN_SNI_on_server(WOLFSSL* ssl) { AssertIntEQ(UNKNOWN_SNI_HOST_NAME_E, wolfSSL_get_error(ssl, 0)); @@ -874,48 +914,12 @@ static void verify_SNI_fake_matching(WOLFSSL* ssl) AssertNotNull(request); AssertStrEQ("ww2.wolfssl.com", request); } -/* END of connection tests callbacks */ -/* connection test runner */ -static void test_wolfSSL_client_server(callback_functions* client_callbacks, - callback_functions* server_callbacks) +static void verify_FATAL_ERROR_on_client(WOLFSSL* ssl) { -#ifdef HAVE_IO_TESTS_DEPENDENCIES - tcp_ready ready; - func_args client_args; - func_args server_args; - THREAD_TYPE serverThread; - - StartTCP(); - - client_args.callbacks = client_callbacks; - server_args.callbacks = server_callbacks; - -#ifdef WOLFSSL_TIRTOS - fdOpenSession(Task_self()); -#endif - - /* RUN Server side */ - InitTcpReady(&ready); - server_args.signal = &ready; - client_args.signal = &ready; - start_thread(run_wolfssl_server, &server_args, &serverThread); - wait_tcp_ready(&server_args); - - /* RUN Client side */ - run_wolfssl_client(&client_args); - join_thread(serverThread); - - FreeTcpReady(&ready); -#ifdef WOLFSSL_TIRTOS - fdCloseSession(Task_self()); -#endif - -#else - (void)client_callbacks; - (void)server_callbacks; -#endif + AssertIntEQ(FATAL_ERROR, wolfSSL_get_error(ssl, 0)); } +/* END of connection tests callbacks */ static void test_wolfSSL_UseSNI_connection(void) { @@ -1197,6 +1201,204 @@ static void test_wolfSSL_UseSupportedCurve(void) #endif } +#ifdef HAVE_ALPN + +static void verify_ALPN_FATAL_ERROR_on_client(WOLFSSL* ssl) +{ + AssertIntEQ(UNKNOWN_ALPN_PROTOCOL_NAME_E, wolfSSL_get_error(ssl, 0)); +} + +static void use_ALPN_all(WOLFSSL* ssl) +{ + /* http/1.1,spdy/1,spdy/2,spdy/3 */ + char alpn_list[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, 0x2c, + 0x73, 0x70, 0x64, 0x79, 0x2f, 0x31, 0x2c, + 0x73, 0x70, 0x64, 0x79, 0x2f, 0x32, 0x2c, + 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; + AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, alpn_list, sizeof(alpn_list))); +} + +static void use_ALPN_one(WOLFSSL* ssl) +{ + /* spdy/2 */ + char proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32}; + + AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, proto, sizeof(proto))); +} + +static void use_ALPN_unknown(WOLFSSL* ssl) +{ + /* http/2.0 */ + char proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x32, 0x2e, 0x30}; + + AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, proto, sizeof(proto))); +} + +static void verify_ALPN_not_matching_spdy3(WOLFSSL* ssl) +{ + /* spdy/3 */ + char nego_proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; + + char *proto; + word16 protoSz = 0; + + printf("verify_ALPN_not_matching GetProtocol(ssl) = %d\n", + wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); + + AssertIntEQ(SSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); + + /* check value */ + AssertIntNE(1, sizeof(nego_proto) == protoSz); + AssertIntNE(0, XMEMCMP(nego_proto, proto, sizeof(nego_proto))); +} + +static void verify_ALPN_matching_http1(WOLFSSL* ssl) +{ + /* http/1.1 */ + char nego_proto[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31}; + char *proto; + word16 protoSz = 0; + + printf("verify_ALPN_matching GetProtocol(ssl) = %d\n", + wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); + + AssertIntEQ(SSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); + + /* check value */ + AssertIntEQ(1, sizeof(nego_proto) == protoSz); + AssertIntEQ(0, XMEMCMP(nego_proto, proto, protoSz)); +} + +static void verify_ALPN_matching_spdy2(WOLFSSL* ssl) +{ + /* spdy/2 */ + char nego_proto[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32}; + char *proto; + word16 protoSz = 0; + + printf("verify_ALPN_matching GetProtocol(ssl) = %d\n", + wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); + + AssertIntEQ(SSL_SUCCESS, wolfSSL_ALPN_GetProtocol(ssl, &proto, &protoSz)); + + /* check value */ + AssertIntEQ(1, sizeof(nego_proto) == protoSz); + AssertIntEQ(0, XMEMCMP(nego_proto, proto, protoSz)); +} + + +static void test_wolfSSL_UseALPN_connection(void) +{ + unsigned long i; + callback_functions callbacks[] = { + /* success case same list */ + {0, 0, use_ALPN_all, 0}, + {0, 0, use_ALPN_all, verify_ALPN_matching_http1}, + + /* success case only one for server */ + {0, 0, use_ALPN_all, 0}, + {0, 0, use_ALPN_one, verify_ALPN_matching_spdy2}, + + /* success case only one for client */ + {0, 0, use_ALPN_one, 0}, + {0, 0, use_ALPN_all, verify_ALPN_matching_spdy2}, + + /* success case none for client */ + {0, 0, 0, 0}, + {0, 0, use_ALPN_all, 0}, + + /* missmatch behavior with same list + * the first and only this one must be taken */ + {0, 0, use_ALPN_all, 0}, + {0, 0, use_ALPN_all, verify_ALPN_not_matching_spdy3}, + + /* default missmatch behavior */ + {0, 0, use_ALPN_all, 0}, + {0, 0, use_ALPN_unknown, verify_ALPN_FATAL_ERROR_on_client}, + }; + + for (i = 0; i < sizeof(callbacks) / sizeof(callback_functions); i += 2) { + callbacks[i ].method = wolfSSLv23_client_method; + callbacks[i + 1].method = wolfSSLv23_server_method; + test_wolfSSL_client_server(&callbacks[i], &callbacks[i + 1]); + } +} + +static void test_wolfSSL_UseALPN_params(void) +{ + /* "http/1.1" */ + char http1[] = {0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31}; + /* "spdy/1" */ + char spdy1[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x31}; + /* "spdy/2" */ + char spdy2[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x32}; + /* "spdy/3" */ + char spdy3[] = {0x73, 0x70, 0x64, 0x79, 0x2f, 0x33}; + char buff[256]; + word32 idx; + + WOLFSSL_CTX *ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); + WOLFSSL *ssl = wolfSSL_new(ctx); + + AssertNotNull(ctx); + AssertNotNull(ssl); + + /* error cases */ + AssertIntNE(SSL_SUCCESS, + wolfSSL_UseALPN(NULL, http1, sizeof(http1))); + AssertIntNE(SSL_SUCCESS, wolfSSL_UseALPN(ssl, NULL, 0)); + + /* success case */ + /* http1 only */ + AssertIntEQ(SSL_SUCCESS, + wolfSSL_UseALPN(ssl, http1, sizeof(http1))); + + /* http1, spdy1 */ + memcpy(buff, http1, sizeof(http1)); + idx = sizeof(http1); + buff[idx++] = ','; + memcpy(buff+idx, spdy1, sizeof(spdy1)); + idx += sizeof(spdy1); + AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx)); + + /* http1, spdy2, spdy1 */ + memcpy(buff, http1, sizeof(http1)); + idx = sizeof(http1); + buff[idx++] = ','; + memcpy(buff+idx, spdy2, sizeof(spdy2)); + idx += sizeof(spdy2); + buff[idx++] = ','; + memcpy(buff+idx, spdy1, sizeof(spdy1)); + idx += sizeof(spdy1); + AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx)); + + /* spdy3, http1, spdy2, spdy1 */ + memcpy(buff, spdy3, sizeof(spdy3)); + idx = sizeof(spdy3); + buff[idx++] = ','; + memcpy(buff+idx, http1, sizeof(http1)); + idx += sizeof(http1); + buff[idx++] = ','; + memcpy(buff+idx, spdy2, sizeof(spdy2)); + idx += sizeof(spdy2); + buff[idx++] = ','; + memcpy(buff+idx, spdy1, sizeof(spdy1)); + idx += sizeof(spdy1); + AssertIntEQ(SSL_SUCCESS, wolfSSL_UseALPN(ssl, buff, idx)); + + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +} +#endif /* HAVE_ALPN */ + +static void test_wolfSSL_UseALPN(void) +{ +#ifdef HAVE_ALPN + test_wolfSSL_UseALPN_connection(); + test_wolfSSL_UseALPN_params(); +#endif +} + /*----------------------------------------------------------------------------* | Main *----------------------------------------------------------------------------*/ @@ -1220,6 +1422,7 @@ void ApiTest(void) test_wolfSSL_UseMaxFragment(); test_wolfSSL_UseTruncatedHMAC(); test_wolfSSL_UseSupportedCurve(); + test_wolfSSL_UseALPN(); test_wolfSSL_Cleanup(); printf(" End API Tests\n"); diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h index 309be9eca..ec2d9af82 100644 --- a/wolfssl/error-ssl.h +++ b/wolfssl/error-ssl.h @@ -137,6 +137,8 @@ enum wolfSSL_ErrorCodes { SNI_ABSENT_ERROR = -402, /* No SNI request. */ RSA_SIGN_FAULT = -403, /* RSA Sign fault */ + UNKNOWN_ALPN_PROTOCOL_NAME_E = -404, /* Unrecognized protocol name Error*/ + /* add strings to SetErrorString !!!!! */ /* begin negotiation parameter errors */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 99831e599..f88e96e9e 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1453,7 +1453,8 @@ typedef enum { ELLIPTIC_CURVES = 0x000a, SESSION_TICKET = 0x0023, SECURE_RENEGOTIATION = 0xff01, - WOLFSSL_QSH = 0x0018 /* Quantum-Safe-Hybrid */ + WOLFSSL_QSH = 0x0018, /* Quantum-Safe-Hybrid */ + WOLFSSL_ALPN = 0x0010 /* Application-Layer Protocol Name */ } TLSX_Type; typedef struct TLSX { @@ -1486,7 +1487,8 @@ WOLFSSL_LOCAL int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, || defined(HAVE_TRUNCATED_HMAC) \ || defined(HAVE_SUPPORTED_CURVES) \ || defined(HAVE_SECURE_RENEGOTIATION) \ - || defined(HAVE_SESSION_TICKET) + || defined(HAVE_SESSION_TICKET) \ + || defined(HAVE_ALPN) #error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined. @@ -1520,6 +1522,20 @@ WOLFSSL_LOCAL int TLSX_SNI_GetFromBuffer(const byte* buffer, word32 bufferSz, #endif /* HAVE_SNI */ +/* Application-layer Protocol Name */ +#ifdef HAVE_ALPN +typedef struct ALPN { + char* protocol_name; /* ALPN protocol name */ + struct ALPN* next; /* List Behavior */ +} ALPN; + +WOLFSSL_LOCAL int TLSX_ALPN_GetRequest(TLSX* extensions, + void** data, word16 *dataSz); + +WOLFSSL_LOCAL int TLSX_UseALPN(TLSX** extensions, const void* data, + word16 size); +#endif /* HAVE_ALPN */ + /* Maximum Fragment Length */ #ifdef HAVE_MAX_FRAGMENT diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 8df18bd37..1f4963c7b 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -187,7 +187,8 @@ enum AlertDescription { protocol_version = 70, #endif no_renegotiation = 100, - unrecognized_name = 112 + unrecognized_name = 112, + no_application_protocol = 120 }; @@ -1346,6 +1347,28 @@ WOLFSSL_API int wolfSSL_SNI_GetFromBuffer( #endif #endif +/* Application-Layer Protocol Name */ +#ifdef HAVE_ALPN + +/* ALPN status code */ +enum { + WOLFSSL_ALPN_NO_MATCH = 0, + WOLFSSL_ALPN_MATCH = 1 +}; + +enum { + WOLFSSL_MAX_ALPN_PROTO_NAME_LEN = 255, + WOLFSSL_MAX_ALPN_NUMBER = 257 +}; + +WOLFSSL_API int wolfSSL_UseALPN(WOLFSSL* ssl, char *protocol_name_list, + unsigned int protocol_name_listSz); + +WOLFSSL_API int wolfSSL_ALPN_GetProtocol(WOLFSSL* ssl, char **protocol_name, + unsigned short *size); + +#endif /* HAVE_ALPN */ + /* Maximum Fragment Length */ #ifdef HAVE_MAX_FRAGMENT diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 55969ee23..d97636e0a 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -216,7 +216,7 @@ #define XSTRNCASECMP(s1,s2,n) _strnicmp((s1),(s2),(n)) #endif - #ifdef WOLFSSL_CERT_EXT + #if defined(WOLFSSL_CERT_EXT) || defined(HAVE_ALPN) /* use only Thread Safe version of strtok */ #ifndef USE_WINDOWS_API #define XSTRTOK strtok_r