From dd5cda336851212e200f3b62cf9c89a6984725c3 Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Tue, 16 Aug 2016 15:45:10 -0400 Subject: Add a Callbacks function for ALPN --- src/lib/tls/tls_callbacks.h | 35 +++++++++++++++++++++++++++++++---- src/lib/tls/tls_server.cpp | 16 +++++++++++----- src/lib/tls/tls_server.h | 7 ++----- 3 files changed, 44 insertions(+), 14 deletions(-) (limited to 'src/lib') diff --git a/src/lib/tls/tls_callbacks.h b/src/lib/tls/tls_callbacks.h index db1b70693..5c7b21a99 100644 --- a/src/lib/tls/tls_callbacks.h +++ b/src/lib/tls/tls_callbacks.h @@ -61,9 +61,25 @@ class BOTAN_DLL Callbacks /** * Optional callback: inspect handshake message + * Throw an exception to abort the handshake. */ virtual void tls_inspect_handshake_msg(const Handshake_Message&) {} + /** + * Optional callback for server: choose ALPN protocol + * ALPN (RFC 7301) works by the client sending a list of application + * protocols it is willing to negotiate. The server then selects which + * protocol to use, which is not necessarily even on the list that + * the client sent. + * + * If the empty string is returned from this function the server will + * just ignore the client ALPN extension. + */ + virtual std::string tls_server_choose_app_protocol(const std::vector& client_protos) + { + return ""; + } + /** * Optional callback: debug logging. (not currently used) */ @@ -83,6 +99,7 @@ class BOTAN_DLL Compat_Callbacks final : public Callbacks typedef std::function alert_cb; typedef std::function handshake_cb; typedef std::function handshake_msg_cb; + typedef std::function)> next_protocol_fn; /** * @param output_fn is called with data for the outbound socket @@ -95,18 +112,21 @@ class BOTAN_DLL Compat_Callbacks final : public Callbacks */ BOTAN_DEPRECATED("Use TLS::Callbacks (virtual interface).") Compat_Callbacks(output_fn out, data_cb app_data_cb, alert_cb alert_cb, - handshake_cb hs_cb, handshake_msg_cb hs_msg_cb = nullptr) + handshake_cb hs_cb, handshake_msg_cb hs_msg_cb = nullptr, + next_protocol_fn next_proto = nullptr) : m_output_function(out), m_app_data_cb(app_data_cb), m_alert_cb(std::bind(alert_cb, std::placeholders::_1, nullptr, 0)), - m_hs_cb(hs_cb), m_hs_msg_cb(hs_msg_cb) {} + m_hs_cb(hs_cb), m_hs_msg_cb(hs_msg_cb), m_next_proto(next_proto) {} BOTAN_DEPRECATED("Use TLS::Callbacks (virtual interface).") Compat_Callbacks(output_fn out, data_cb app_data_cb, std::function alert_cb, - handshake_cb hs_cb, handshake_msg_cb hs_msg_cb = nullptr) + handshake_cb hs_cb, + handshake_msg_cb hs_msg_cb = nullptr, + next_protocol_fn next_proto = nullptr) : m_output_function(out), m_app_data_cb(app_data_cb), m_alert_cb(alert_cb), - m_hs_cb(hs_cb), m_hs_msg_cb(hs_msg_cb) {} + m_hs_cb(hs_cb), m_hs_msg_cb(hs_msg_cb), m_next_proto(next_proto) {} void tls_emit_data(const byte data[], size_t size) override { @@ -136,6 +156,12 @@ class BOTAN_DLL Compat_Callbacks final : public Callbacks return m_hs_cb(session); } + std::string tls_server_choose_app_protocol(const std::vector& client_protos) override + { + if(m_next_proto != nullptr) { return m_next_proto(client_protos); } + return ""; + } + void tls_inspect_handshake_msg(const Handshake_Message& hmsg) override { // The handshake message callback is optional so we can @@ -149,6 +175,7 @@ class BOTAN_DLL Compat_Callbacks final : public Callbacks const std::function m_alert_cb; const handshake_cb m_hs_cb; const handshake_msg_cb m_hs_msg_cb; + const next_protocol_fn m_next_proto; }; } diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp index 5eccec2a7..2e546eab1 100644 --- a/src/lib/tls/tls_server.cpp +++ b/src/lib/tls/tls_server.cpp @@ -242,13 +242,11 @@ Server::Server(Callbacks& callbacks, Credentials_Manager& creds, const Policy& policy, RandomNumberGenerator& rng, - next_protocol_fn next_proto, bool is_datagram, size_t io_buf_sz) : Channel(callbacks, session_manager, rng, policy, is_datagram, io_buf_sz), - m_creds(creds), - m_choose_next_protocol(next_proto) + m_creds(creds) { } @@ -419,8 +417,16 @@ void Server::process_client_hello_msg(const Handshake_State* active_state, catch(...) {} m_next_protocol = ""; - if(m_choose_next_protocol && pending_state.client_hello()->supports_alpn()) - m_next_protocol = m_choose_next_protocol(pending_state.client_hello()->next_protocols()); + if(pending_state.client_hello()->supports_alpn()) + { + m_next_protocol = callbacks().tls_server_choose_app_protocol(pending_state.client_hello()->next_protocols()); + + // if the callback return was empty, fall back to the (deprecated) std::function + if(m_next_protocol.empty() && m_choose_next_protocol) + { + m_next_protocol = m_choose_next_protocol(pending_state.client_hello()->next_protocols()); + } + } if(resuming) { diff --git a/src/lib/tls/tls_server.h b/src/lib/tls/tls_server.h index 508dde440..051eda445 100644 --- a/src/lib/tls/tls_server.h +++ b/src/lib/tls/tls_server.h @@ -42,9 +42,6 @@ class BOTAN_DLL Server final : public Channel * * @param rng a random number generator * - * @param next_proto is called with client's ALPN protocol list - * and returns chosen protocol. - * * @param is_datagram set to true if this server should expect DTLS * connections. Otherwise TLS connections are expected. * @@ -57,7 +54,6 @@ class BOTAN_DLL Server final : public Channel Credentials_Manager& creds, const Policy& policy, RandomNumberGenerator& rng, - next_protocol_fn next_proto = next_protocol_fn(), bool is_datagram = false, size_t reserved_io_buffer_size = TLS::Server::IO_BUF_DEFAULT_SIZE ); @@ -148,9 +144,10 @@ class BOTAN_DLL Server final : public Channel Handshake_State* new_handshake_state(Handshake_IO* io) override; Credentials_Manager& m_creds; + std::string m_next_protocol; + // Set by deprecated constructor, Server calls both this fn and Callbacks version next_protocol_fn m_choose_next_protocol; - std::string m_next_protocol; }; } -- cgit v1.2.3