Commit 1f106643 authored by Fred Qiu's avatar Fred Qiu Committed by Facebook GitHub Bot

Enforce ALPN match when both client and server support ALPN - folly/openssl

Summary:
Added an option to enforce ALPN when both client and server support ALPN for
folly/openssl.

Reviewed By: knekritz

Differential Revision: D29298491

fbshipit-source-id: acdd6001fea89606e2438640a4434cc56454f1aa
parent d7ba0791
...@@ -571,7 +571,11 @@ int SSLContext::alpnSelectCallback( ...@@ -571,7 +571,11 @@ int SSLContext::alpnSelectCallback(
item.length, item.length,
in, in,
inlen) != OPENSSL_NPN_NEGOTIATED) { inlen) != OPENSSL_NPN_NEGOTIATED) {
return SSL_TLSEXT_ERR_NOACK; if (context->getRequireAlpnIfClientSupports()) {
return SSL_TLSEXT_ERR_ALERT_FATAL;
} else {
return SSL_TLSEXT_ERR_NOACK;
}
} }
} }
return SSL_TLSEXT_ERR_OK; return SSL_TLSEXT_ERR_OK;
......
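Review bot: The new `SSL_TLSEXT_ERR_ALERT_FATAL` return at L20 is undocumented, and the `else` after a `return` is redundant; a reader has to know OpenSSL's ALPN callback contract to see why this is the security-relevant branch. I would collapse it to `if (context->getRequireAlpnIfClientSupports()) { return SSL_TLSEXT_ERR_ALERT_FATAL; }` followed by a plain `return SSL_TLSEXT_ERR_NOACK;`, with a comment above the `if` such as `// Client offered ALPN but nothing overlaps our list. Strict mode aborts the handshake (RFC 7301 §3.2); otherwise NOACK lets it complete with no negotiated protocol.` OpenSSL maps the fatal return to the no_application_protocol alert in the versions I am familiar with, which is worth confirming against the minimum OpenSSL this path supports. With the flag left at its default of false, callers must still handle a completed handshake where no protocol was selected. alpnSelectCallback begins before this hunk, so how an empty server protocol list reaches this branch is not visible here.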
...@@ -530,6 +530,15 @@ class SSLContext { ...@@ -530,6 +530,15 @@ class SSLContext {
*/ */
void unsetNextProtocols(); void unsetNextProtocols();
void deleteNextProtocolsStrings(); void deleteNextProtocolsStrings();
bool getRequireAlpnIfClientSupports() const {
return requireAlpnIfClientSupports_;
}
void setRequireAlpnIfClientSupports(bool require) {
requireAlpnIfClientSupports_ = require;
}
#endif // FOLLY_OPENSSL_HAS_ALPN #endif // FOLLY_OPENSSL_HAS_ALPN
/** /**
...@@ -669,6 +678,8 @@ class SSLContext { ...@@ -669,6 +678,8 @@ class SSLContext {
size_t pickNextProtocols(); size_t pickNextProtocols();
bool requireAlpnIfClientSupports_{false};
#endif // FOLLY_OPENSSL_HAS_ALPN #endif // FOLLY_OPENSSL_HAS_ALPN
static int passwordCallback(char* password, int size, int, void* data); static int passwordCallback(char* password, int size, int, void* data);
......
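Review bot: setRequireAlpnIfClientSupports and its getter at L32-L37 carry no doc comment, unlike the neighbouring unsetNextProtocols declaration whose comment closes at L29, so the name alone has to convey a fairly subtle contract. I would add above the getter: `/** When true, a client that sends ALPN but shares no protocol with this context fails the handshake with a fatal alert instead of completing with no negotiated protocol. No effect on clients that do not send ALPN. Default false. */` Since `requireAlpnIfClientSupports_` (L42) is a plain bool read from the ALPN callback during handshakes and nothing in this hunk synchronizes it, the comment should also say to set it before the context starts accepting connections — presumably the same rule the other context setters follow, but worth stating.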
...@@ -586,6 +586,38 @@ TEST_F(NextProtocolTest, RandomizedAlpnTest) { ...@@ -586,6 +586,38 @@ TEST_F(NextProtocolTest, RandomizedAlpnTest) {
} }
EXPECT_EQ(selectedProtocols.size(), 2); EXPECT_EQ(selectedProtocols.size(), 2);
} }
TEST_F(NextProtocolTest, AlpnRequiredIfClientSupportsTestNoClientProtocol) {
clientCtx->setAdvertisedNextProtocols({});
serverCtx->setAdvertisedNextProtocols({"foo", "bar", "baz"});
serverCtx->setRequireAlpnIfClientSupports(true);
connect();
expectHandshakeSuccess();
expectNoProtocol();
}
TEST_F(NextProtocolTest, AlpnRequiredIfClientSupportsTestOverlap) {
clientCtx->setAdvertisedNextProtocols({"blub", "baz"});
serverCtx->setAdvertisedNextProtocols({"foo", "bar", "baz"});
serverCtx->setRequireAlpnIfClientSupports(true);
connect();
expectProtocol("baz");
}
TEST_F(NextProtocolTest, AlpnRequiredIfClientSupportsTestNoOverlap) {
clientCtx->setAdvertisedNextProtocols({"blub"});
serverCtx->setAdvertisedNextProtocols({"foo", "bar", "baz"});
serverCtx->setRequireAlpnIfClientSupports(true);
connect();
expectHandshakeError();
}
#endif #endif
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
......
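Review bot: The three new tests exercise only the strict flag; none pins the default-off path for the no-overlap case, so a regression that made the fatal alert unconditional would be caught only if another test in this file already covers it (RandomizedAlpnTest at L46 might, but its body is outside the hunk). A fourth test mirroring AlpnRequiredIfClientSupportsTestNoOverlap without the `setRequireAlpnIfClientSupports(true)` call would lock in the backward-compatible behaviour. Separately, `expectHandshakeError()` at L70 only shows the handshake failed; if the harness can surface the alert received by the client, asserting it is no_application_protocol would pin the RFC 7301 behaviour the commit is after.

```cpp
TEST_F(NextProtocolTest, AlpnNotRequiredByDefaultNoOverlap) {
  clientCtx->setAdvertisedNextProtocols({"blub"});
  serverCtx->setAdvertisedNextProtocols({"foo", "bar", "baz"});
  // requireAlpnIfClientSupports left at its default (false)
  connect();
  expectHandshakeSuccess();
  expectNoProtocol();
}
```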