authorjsing <>2017-08-12 21:03:08 +0000
committerjsing <>2017-08-12 21:03:08 +0000
commitc648197458d45db4f93561e9497fac0532e6d0bc (patch)
tree942d907ed1f094ec2a23893a790715396a4d7e4f /src/lib/libssl/ssl_srvr.c
parentbe646f37c6508ed75a22ff21af60f2496b432c9d (diff)
Remove NPN support.
NPN was never standardised and the last draft expired in October 2012. ALPN was standardised in July 2014 and has been supported in LibreSSL since December 2014. NPN has also been removed from Chromium in May 2016. TLS clients and servers that try to use/enable NPN will fail gracefully and fall back to the default protocol, since it will essentially appear that the other side does not support NPN. At some point in the future we will actually remove the NPN related symbols entirely. ok bcook@ beck@ doug@
Diffstat (limited to 'src/lib/libssl/ssl_srvr.c')
-rw-r--r--src/lib/libssl/ssl_srvr.c104
1 files changed, 6 insertions, 98 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index a21039e727..50ce91ddd8 100644
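--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.20 2017/08/12 02:55:22 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.21 2017/08/12 21:03:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -468,10 +468,7 @@ ssl3_accept(SSL *s)
  * the client uses its key from the certificate
  * for key exchange.
  */
- if (S3I(s)->next_proto_neg_seen)
- S3I(s)->hs.state = SSL3_ST_SR_NEXT_PROTO_A;
- else
- S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
+ S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
  s->internal->init_num = 0;
  } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) {
  S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
@@ -525,20 +522,8 @@ ssl3_accept(SSL *s)
  if (ret <= 0)
  goto end;
 
- if (S3I(s)->next_proto_neg_seen)
- S3I(s)->hs.state = SSL3_ST_SR_NEXT_PROTO_A;
- else
- S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
- s->internal->init_num = 0;
- break;
-
- case SSL3_ST_SR_NEXT_PROTO_A:
- case SSL3_ST_SR_NEXT_PROTO_B:
- ret = ssl3_get_next_proto(s);
- if (ret <= 0)
- goto end;
- s->internal->init_num = 0;
  S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
+ s->internal->init_num = 0;
  break;
 
  case SSL3_ST_SR_FINISHED_A:
@@ -610,15 +595,9 @@ ssl3_accept(SSL *s)
  if (ret <= 0)
  goto end;
  S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
- if (s->internal->hit) {
- if (S3I(s)->next_proto_neg_seen) {
- s->s3->flags |= SSL3_FLAGS_CCS_OK;
- S3I(s)->hs.next_state =
- SSL3_ST_SR_NEXT_PROTO_A;
- } else
- S3I(s)->hs.next_state =
- SSL3_ST_SR_FINISHED_A;
- } else
+ if (s->internal->hit)
+ S3I(s)->hs.next_state = SSL3_ST_SR_FINISHED_A;
+ else
  S3I(s)->hs.next_state = SSL_ST_OK;
  s->internal->init_num = 0;
  break;
@@ -2708,74 +2687,3 @@ ssl3_send_cert_status(SSL *s)
 
  return (-1);
 }
-
-/*
- * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message.
- * It sets the next_proto member in s if found
- */
-int
-ssl3_get_next_proto(SSL *s)
-{
- CBS cbs, proto, padding;
- int ok;
- long n;
- size_t len;
-
- /*
- * Clients cannot send a NextProtocol message if we didn't see the
- * extension in their ClientHello
- */
- if (!S3I(s)->next_proto_neg_seen) {
- SSLerror(s, SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
- return (-1);
- }
-
- /* 514 maxlen is enough for the payload format below */
- n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
- SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO, 514, &ok);
- if (!ok)
- return ((int)n);
-
- /*
- * S3I(s)->hs.state doesn't reflect whether ChangeCipherSpec has been received
- * in this handshake, but S3I(s)->change_cipher_spec does (will be reset
- * by ssl3_get_finished).
- */
- if (!S3I(s)->change_cipher_spec) {
- SSLerror(s, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
- return (-1);
- }
-
- if (n < 2)
- return (0);
- /* The body must be > 1 bytes long */
-
- CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
-
- /*
- * The payload looks like:
- * uint8 proto_len;
- * uint8 proto[proto_len];
- * uint8 padding_len;
- * uint8 padding[padding_len];
- */
- if (!CBS_get_u8_length_prefixed(&cbs, &proto) ||
- !CBS_get_u8_length_prefixed(&cbs, &padding) ||
- CBS_len(&cbs) != 0)
- return 0;
-
- /*
- * XXX We should not NULL it, but this matches old behavior of not
- * freeing before malloc.
- */
- s->internal->next_proto_negotiated = NULL;
- s->internal->next_proto_negotiated_len = 0;
-
- if (!CBS_stow(&proto, &s->internal->next_proto_negotiated, &len)) {
- SSLerror(s, ERR_R_MALLOC_FAILURE);
- return (0);
- }
- s->internal->next_proto_negotiated_len = (uint8_t)len;
-
- return (1);
-}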
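Review bot: In the resumption branch of the `@@ -610,15 +595,9 @@` hunk (`if (s->internal->hit)`), the deleted NPN path was the only visible place that set `SSL3_FLAGS_CCS_OK` before the server waits for the client's ChangeCipherSpec, and the new code moves straight to `SSL3_ST_SR_FINISHED_A`. The body of that case lies outside the hunk, so confirm that it sets the flag itself; if it does, a comment on the new branch such as `/* SSL3_ST_SR_FINISHED_A sets SSL3_FLAGS_CCS_OK before reading the client's CCS. */` would record the dependency. Separately, only ssl_srvr.c is shown here: if the ServerHello extension code elsewhere still echoed NPN, a client would send a NextProtocol message that this state machine no longer accepts, so the graceful fallback described in the commit message presumably depends on that extension no longer being advertised.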