SSL_CTX_set_alpn_select_cb.pod 8.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197
  1. =pod
  2. =head1 NAME
  3. SSL_CTX_set_alpn_protos, SSL_set_alpn_protos, SSL_CTX_set_alpn_select_cb,
  4. SSL_CTX_set_next_proto_select_cb, SSL_CTX_set_next_protos_advertised_cb,
  5. SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
  6. - handle application layer protocol negotiation (ALPN)
  7. =head1 SYNOPSIS
  8. #include <openssl/ssl.h>
  9. int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
  10. unsigned int protos_len);
  11. int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
  12. unsigned int protos_len);
  13. void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
  14. int (*cb) (SSL *ssl,
  15. const unsigned char **out,
  16. unsigned char *outlen,
  17. const unsigned char *in,
  18. unsigned int inlen,
  19. void *arg), void *arg);
  20. void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
  21. unsigned int *len);
  22. void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx,
  23. int (*cb)(SSL *ssl,
  24. const unsigned char **out,
  25. unsigned int *outlen,
  26. void *arg),
  27. void *arg);
  28. void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx,
  29. int (*cb)(SSL *s,
  30. unsigned char **out,
  31. unsigned char *outlen,
  32. const unsigned char *in,
  33. unsigned int inlen,
  34. void *arg),
  35. void *arg);
  36. int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
  37. const unsigned char *server,
  38. unsigned int server_len,
  39. const unsigned char *client,
  40. unsigned int client_len)
  41. void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
  42. unsigned *len);
  43. =head1 DESCRIPTION
  44. SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
  45. set the list of protocols available to be negotiated. The B<protos> must be in
  46. protocol-list format, described below. The length of B<protos> is specified in
  47. B<protos_len>.
  48. SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
  49. server to select which protocol to use for the incoming connection. When B<cb>
  50. is NULL, ALPN is not used. The B<arg> value is a pointer which is passed to
  51. the application callback.
  52. B<cb> is the application defined callback. The B<in>, B<inlen> parameters are a
  53. vector in protocol-list format. The value of the B<out>, B<outlen> vector
  54. should be set to the value of a single protocol selected from the B<in>,
  55. B<inlen> vector. The B<out> buffer may point directly into B<in>, or to a
  56. buffer that outlives the handshake. The B<arg> parameter is the pointer set via
  57. SSL_CTX_set_alpn_select_cb().
  58. SSL_select_next_proto() is a helper function used to select protocols. It
  59. implements the standard protocol selection. It is expected that this function
  60. is called from the application callback B<cb>. The protocol data in B<server>,
  61. B<server_len> and B<client>, B<client_len> must be in the protocol-list format
  62. described below. The first item in the B<server>, B<server_len> list that
  63. matches an item in the B<client>, B<client_len> list is selected, and returned
  64. in B<out>, B<outlen>. The B<out> value will point into either B<server> or
  65. B<client>, so it should be copied immediately. If no match is found, the first
  66. item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
  67. function can also be used in the NPN callback.
  68. SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
  69. client needs to select a protocol from the server's provided list, and a
  70. user-defined pointer argument B<arg> which will be passed to this callback.
  71. For the callback itself, B<out>
  72. must be set to point to the selected protocol (which may be within B<in>).
  73. The length of the protocol name must be written into B<outlen>. The
  74. server's advertised protocols are provided in B<in> and B<inlen>. The
  75. callback can assume that B<in> is syntactically valid. The client must
  76. select a protocol. It is fatal to the connection if this callback returns
  77. a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
  78. set via SSL_CTX_set_next_proto_select_cb().
  79. SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
  80. when a TLS server needs a list of supported protocols for Next Protocol
  81. Negotiation. The returned list must be in protocol-list format, described
  82. below. The list is
  83. returned by setting B<out> to point to it and B<outlen> to its length. This
  84. memory will not be modified, but the B<SSL> does keep a
  85. reference to it. The callback should return B<SSL_TLSEXT_ERR_OK> if it
  86. wishes to advertise. Otherwise, no such extension will be included in the
  87. ServerHello.
  88. SSL_get0_alpn_selected() returns a pointer to the selected protocol in B<data>
  89. with length B<len>. It is not NUL-terminated. B<data> is set to NULL and B<len>
  90. is set to 0 if no protocol has been selected. B<data> must not be freed.
  91. SSL_get0_next_proto_negotiated() sets B<data> and B<len> to point to the
  92. client's requested protocol for this connection. If the client did not
  93. request any protocol or NPN is not enabled, then B<data> is set to NULL and
  94. B<len> to 0. Note that
  95. the client can request any protocol it chooses. The value returned from
  96. this function need not be a member of the list of supported protocols
  97. provided by the callback.
  98. =head1 NOTES
  99. The protocol-lists must be in wire-format, which is defined as a vector of
  100. non-empty, 8-bit length-prefixed, byte strings. The length-prefix byte is not
  101. included in the length. Each string is limited to 255 bytes. A byte-string
  102. length of 0 is invalid. A truncated byte-string is invalid. The length of the
  103. vector is not in the vector itself, but in a separate variable.
  104. Example:
  105. unsigned char vector[] = {
  106. 6, 's', 'p', 'd', 'y', '/', '1',
  107. 8, 'h', 't', 't', 'p', '/', '1', '.', '1'
  108. };
  109. unsigned int length = sizeof(vector);
  110. The ALPN callback is executed after the servername callback; as that servername
  111. callback may update the SSL_CTX, and subsequently, the ALPN callback.
  112. If there is no ALPN proposed in the ClientHello, the ALPN callback is not
  113. invoked.
  114. =head1 RETURN VALUES
  115. SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() return 0 on success, and
  116. non-0 on failure. WARNING: these functions reverse the return value convention.
  117. SSL_select_next_proto() returns one of the following:
  118. =over 4
  119. =item OPENSSL_NPN_NEGOTIATED
  120. A match was found and is returned in B<out>, B<outlen>.
  121. =item OPENSSL_NPN_NO_OVERLAP
  122. No match was found. The first item in B<client>, B<client_len> is returned in
  123. B<out>, B<outlen>.
  124. =back
  125. The ALPN select callback B<cb>, must return one of the following:
  126. =over 4
  127. =item SSL_TLSEXT_ERR_OK
  128. ALPN protocol selected.
  129. =item SSL_TLSEXT_ERR_ALERT_FATAL
  130. There was no overlap between the client's supplied list and the server
  131. configuration.
  132. =item SSL_TLSEXT_ERR_NOACK
  133. ALPN protocol not selected, e.g., because no ALPN protocols are configured for
  134. this connection.
  135. =back
  136. The callback set using SSL_CTX_set_next_proto_select_cb() should return
  137. B<SSL_TLSEXT_ERR_OK> if successful. Any other value is fatal to the connection.
  138. The callback set using SSL_CTX_set_next_protos_advertised_cb() should return
  139. B<SSL_TLSEXT_ERR_OK> if it wishes to advertise. Otherwise, no such extension
  140. will be included in the ServerHello.
  141. =head1 SEE ALSO
  142. L<ssl(7)>, L<SSL_CTX_set_tlsext_servername_callback(3)>,
  143. L<SSL_CTX_set_tlsext_servername_arg(3)>
  144. =head1 COPYRIGHT
  145. Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
  146. Licensed under the Apache License 2.0 (the "License"). You may not use
  147. this file except in compliance with the License. You can obtain a copy
  148. in the file LICENSE in the source distribution or at
  149. L<https://www.openssl.org/source/license.html>.
  150. =cut