Add support for OpenSSL Next Protocol Negotiation

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <openssl/ssl.h>
@@ skipping 157 matching lines @@
     ssl_socket_data_index_ = SSL_get_ex_new_index(0, 0, 0, 0, 0);
     DCHECK_NE(ssl_socket_data_index_, -1);
     ssl_ctx_.reset(SSL_CTX_new(SSLv23_client_method()));
     SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), NoOpVerifyCallback, NULL);
     SSL_CTX_set_session_cache_mode(ssl_ctx_.get(), SSL_SESS_CACHE_CLIENT);
     SSL_CTX_sess_set_new_cb(ssl_ctx_.get(), NewSessionCallbackStatic);
     SSL_CTX_sess_set_remove_cb(ssl_ctx_.get(), RemoveSessionCallbackStatic);
     SSL_CTX_set_timeout(ssl_ctx_.get(), kSessionCacheTimeoutSeconds);
     SSL_CTX_sess_set_cache_size(ssl_ctx_.get(), kSessionCacheMaxEntires);
     SSL_CTX_set_client_cert_cb(ssl_ctx_.get(), ClientCertCallback);
+#if defined(OPENSSL_NPN_NEGOTIATED)
+    // TODO(kristianm): Only select this if ssl_config_.next_proto is not empty.
+    // It would be better if the callback were not a global setting,
+    // but that is an OpenSSL issue.
+    SSL_CTX_set_next_proto_select_cb(ssl_ctx_.get(), SelectNextProtoCallback,
+                                     NULL);
+#endif
   }
 
   static int NewSessionCallbackStatic(SSL* ssl, SSL_SESSION* session) {
     return Get()->NewSessionCallback(ssl, session);
   }
 
   int NewSessionCallback(SSL* ssl, SSL_SESSION* session) {
     SSLClientSocketOpenSSL* socket = GetClientSocketFromSSL(ssl);
     session_cache_.OnSessionAdded(socket->host_and_port(), session);
     return 1;  // 1 => We took ownership of |session|.
   }
 
   static void RemoveSessionCallbackStatic(SSL_CTX* ctx, SSL_SESSION* session) {
     return Get()->RemoveSessionCallback(ctx, session);
   }
 
   void RemoveSessionCallback(SSL_CTX* ctx, SSL_SESSION* session) {
     DCHECK(ctx == ssl_ctx());
     session_cache_.OnSessionRemoved(session);
   }
 
   static int ClientCertCallback(SSL* ssl, X509** x509, EVP_PKEY** pkey) {
     SSLClientSocketOpenSSL* socket = Get()->GetClientSocketFromSSL(ssl);
     CHECK(socket);
     return socket->ClientCertRequestCallback(ssl, x509, pkey);
   }
 
+  static int SelectNextProtoCallback(SSL* ssl,
+                                     unsigned char** out, unsigned char* outlen,
+                                     const unsigned char* in,
+                                     unsigned int inlen, void* arg) {
+    SSLClientSocketOpenSSL* socket = Get()->GetClientSocketFromSSL(ssl);
+    return socket->SelectNextProtoCallback(out, outlen, in, inlen);
+  }
+
   // This is the index used with SSL_get_ex_data to retrieve the owner
   // SSLClientSocketOpenSSL object from an SSL instance.
   int ssl_socket_data_index_;
 
   base::ScopedOpenSSL<SSL_CTX, SSL_CTX_free> ssl_ctx_;
   SSLSessionCache session_cache_;
 };
 
 // Utility to construct the appropriate set & clear masks for use the OpenSSL
 // options and mode configuration functions. (SSL_set_options etc)
@@ skipping 26 matching lines @@
       completed_handshake_(false),
       client_auth_cert_needed_(false),
       ALLOW_THIS_IN_INITIALIZER_LIST(handshake_io_callback_(
           this, &SSLClientSocketOpenSSL::OnHandshakeIOComplete)),
       ssl_(NULL),
       transport_bio_(NULL),
       transport_(transport_socket),
       host_and_port_(host_and_port),
       ssl_config_(ssl_config),
       trying_cached_session_(false),
+      npn_status_(kNextProtoUnsupported),
       net_log_(transport_socket->socket()->NetLog()) {
 }
 
 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() {
   Disconnect();
 }
 
 bool SSLClientSocketOpenSSL::Init() {
   DCHECK(!ssl_);
   DCHECK(!transport_bio_);
@@ skipping 102 matching lines @@
 }
 
 void SSLClientSocketOpenSSL::GetSSLCertRequestInfo(
     SSLCertRequestInfo* cert_request_info) {
   cert_request_info->host_and_port = host_and_port_.ToString();
   cert_request_info->client_certs = client_certs_;
 }
 
 SSLClientSocket::NextProtoStatus SSLClientSocketOpenSSL::GetNextProto(
     std::string* proto) {
-  proto->clear();
-  return kNextProtoUnsupported;
+  *proto = npn_proto_;
+  return npn_status_;
 }
 
 void SSLClientSocketOpenSSL::DoReadCallback(int rv) {
   // Since Run may result in Read being called, clear |user_read_callback_|
   // up front.
   CompletionCallback* c = user_read_callback_;
   user_read_callback_ = NULL;
   user_read_buf_ = NULL;
   user_read_buf_len_ = 0;
   c->Run(rv);
@@ skipping 175 matching lines @@
     // TODO(joth): We need a way to lookup the private key this
     // certificate. See http://crbug.com/64951 and example code in
     // http://codereview.chromium.org/5195001/diff/6001/net/socket/ssl_client_socket_openssl.cc
     NOTIMPLEMENTED();
   }
 
   // Send no client certificate.
   return 0;
 }
 
+int SSLClientSocketOpenSSL::SelectNextProtoCallback(unsigned char** out,
+                                                unsigned char* outlen,
+                                                const unsigned char* in,
+                                                unsigned int inlen) {
+#if defined(OPENSSL_NPN_NEGOTIATED)
+  if (ssl_config_.next_protos.empty()) {
+    *outlen = 0;

[agl, 2010/12/03 15:17:37]

*out = "http/1.1";
*outlen = 8;

[Kristian_, 2010/12/03 15:30:57]

I added this in later patch, should I change to this or leave it like it is
there?

+    return SSL_TLSEXT_ERR_OK;
+  }
+
+  int status = SSL_select_next_proto(
+      out, outlen, in, inlen,
+      reinterpret_cast<const unsigned char*>(ssl_config_.next_protos.data()),
+      ssl_config_.next_protos.size());
+
+  npn_proto_.assign(reinterpret_cast<const char*>(*out), *outlen);
+  switch (status) {
+    //case OPENSSL_NPN_UNSUPPORTED:

[agl, 2010/12/03 15:17:37]

Why commented out?

[Kristian_, 2010/12/03 15:30:57]

Thanks, it was to test compile on ubuntu where they are not defined.

+      npn_status_ = SSLClientSocket::kNextProtoUnsupported;
+      break;
+    //case OPENSSL_NPN_NEGOTIATED:
+      npn_status_ = SSLClientSocket::kNextProtoNegotiated;
+      break;
+    //case OPENSSL_NPN_NO_OVERLAP:
+      npn_status_ = SSLClientSocket::kNextProtoNoOverlap;
+      break;
+    default:
+      NOTREACHED() << status;
+      break;
+  }
+#endif
+  return SSL_TLSEXT_ERR_OK;
+}
+
 int SSLClientSocketOpenSSL::DoVerifyCert(int result) {
   DCHECK(server_cert_);
   GotoState(STATE_VERIFY_CERT_COMPLETE);
   int flags = 0;
 
   if (ssl_config_.rev_checking_enabled)
     flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
   if (ssl_config_.verify_ev_cert)
     flags |= X509Certificate::VERIFY_EV_CERT;
   verifier_.reset(new CertVerifier);
@@ skipping 364 matching lines @@
   int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_);
 
   if (rv >= 0)
     return rv;
 
   int err = SSL_get_error(ssl_, rv);
   return MapOpenSSLError(err);
 }
 
 } // namespace net