Enforce ALPN match when both client and server support ALPN - folly/openssl

Summary: Added options to enforce ALPN when both client and support support ALPN for folly/openssl. Reviewed By: knekritz Differential Revision: D29298491 fbshipit-source-id: acdd6001fea89606e2438640a4434cc56454f1aa

Enforce ALPN match when both client and server support ALPN - folly/openssl
Summary: Added options to enforce ALPN when both client and support support ALPN for folly/openssl. Reviewed By: knekritz Differential Revision: D29298491 fbshipit-source-id: acdd6001fea89606e2438640a4434cc56454f1aa
1f106643 · Fred Qiu · Facebook GitHub Bot · d7ba0791 · 1f106643 · 1f106643
Commit 1f106643 authored Jun 29, 2021 by Fred Qiu Committed by Facebook GitHub Bot Jun 29, 2021
3 changed files
--- a/folly/io/async/SSLContext.cpp
+++ b/folly/io/async/SSLContext.cpp
@@ -571,7 +571,11 @@ int SSLContext::alpnSelectCallback(
            item.length,
            in,
            inlen) != OPENSSL_NPN_NEGOTIATED) {
-      return SSL_TLSEXT_ERR_NOACK;
+      if (context->getRequireAlpnIfClientSupports()) {
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
+      } else {
+        return SSL_TLSEXT_ERR_NOACK;
+      }
    }
  }
  return SSL_TLSEXT_ERR_OK;

--- a/folly/io/async/SSLContext.h
+++ b/folly/io/async/SSLContext.h
@@ -530,6 +530,15 @@ class SSLContext {
   */
  void unsetNextProtocols();
  void deleteNextProtocolsStrings();
+
+  bool getRequireAlpnIfClientSupports() const {
+    return requireAlpnIfClientSupports_;
+  }
+
+  void setRequireAlpnIfClientSupports(bool require) {
+    requireAlpnIfClientSupports_ = require;
+  }
+
 #endif // FOLLY_OPENSSL_HAS_ALPN

  /**
@@ -669,6 +678,8 @@ class SSLContext {

  size_t pickNextProtocols();

+  bool requireAlpnIfClientSupports_{false};
+
 #endif // FOLLY_OPENSSL_HAS_ALPN

  static int passwordCallback(char* password, int size, int, void* data);

--- a/folly/io/async/test/AsyncSSLSocketTest.cpp
+++ b/folly/io/async/test/AsyncSSLSocketTest.cpp
@@ -586,6 +586,38 @@ TEST_F(NextProtocolTest, RandomizedAlpnTest) {
  }
  EXPECT_EQ(selectedProtocols.size(), 2);
 }
+
+TEST_F(NextProtocolTest, AlpnRequiredIfClientSupportsTestNoClientProtocol) {
+  clientCtx->setAdvertisedNextProtocols({});
+  serverCtx->setAdvertisedNextProtocols({"foo", "bar", "baz"});
+  serverCtx->setRequireAlpnIfClientSupports(true);
+
+  connect();
+
+  expectHandshakeSuccess();
+  expectNoProtocol();
+}
+
+TEST_F(NextProtocolTest, AlpnRequiredIfClientSupportsTestOverlap) {
+  clientCtx->setAdvertisedNextProtocols({"blub", "baz"});
+  serverCtx->setAdvertisedNextProtocols({"foo", "bar", "baz"});
+  serverCtx->setRequireAlpnIfClientSupports(true);
+
+  connect();
+
+  expectProtocol("baz");
+}
+
+TEST_F(NextProtocolTest, AlpnRequiredIfClientSupportsTestNoOverlap) {
+  clientCtx->setAdvertisedNextProtocols({"blub"});
+  serverCtx->setAdvertisedNextProtocols({"foo", "bar", "baz"});
+  serverCtx->setRequireAlpnIfClientSupports(true);
+
+  connect();
+
+  expectHandshakeError();
+}
+
 #endif

 #ifndef OPENSSL_NO_TLSEXT