Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback

As reported by Jeremy Harris, we inherited a strange behavior from OpenSSL, in that we ignore the SSL_TLSEXT_ERR_FATAL return from the ALPN callback. RFC 7301, 3.2 states: 'In the event that the server supports no protocols that the client advertises, then the server SHALL respond with a fatal "no_application_protocol" alert.' Honor this requirement and succeed only on SSL_TLSEXT_ERR_{OK,NOACK} which is the current behavior of OpenSSL. The documentation change is taken from OpenSSL 1.1.1 as well. As pointed out by jsing, there is more to be fixed here: - ensure that the same protocol is selected on session resumption - should the callback be called even if no ALPN extension was sent? - ensure for TLSv1.2 and earlier that the SNI has already been processed ok beck jsing
author: tb <> 2021-09-10 09:25:29 +0000
committer: tb <> 2021-09-10 09:25:29 +0000
commit: c9e7d5c2a853445ab5e839eb581700a7def5be3b (patch)
tree: 2fcdf6ff9ae24aab6ae8fc69b1f46e80b647dd92 /src/lib/libssl/ssl_tlsext.c
parent: 94aeb3e2fd2aa6f535f045b0ee734b5d1742522f (diff)
download: openbsd-c9e7d5c2a853445ab5e839eb581700a7def5be3b.tar.gz
openbsd-c9e7d5c2a853445ab5e839eb581700a7def5be3b.tar.bz2
openbsd-c9e7d5c2a853445ab5e839eb581700a7def5be3b.zip
1 files changed, 18 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 4d426f1487..3ad564964d 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.98 2021/09/02 11:10:43 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.99 2021/09/10 09:25:29 tb Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -85,9 +85,16 @@ tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert)
        if (s->ctx->internal->alpn_select_cb == NULL)
                return 1;
+        /*
+         * XXX - A few things should be considered here:
+         * 1. Ensure that the same protocol is selected on session resumption.
+         * 2. Should the callback be called even if no ALPN extension was sent?
+         * 3. TLSv1.2 and earlier: ensure that SNI has already been processed.
+         */
        r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len,
            CBS_data(&alpn), CBS_len(&alpn),
            s->ctx->internal->alpn_select_cb_arg);
        if (r == SSL_TLSEXT_ERR_OK) {
                free(S3I(s)->alpn_selected);
                if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) {
@@ -97,9 +104,18 @@ tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert)
                }
                memcpy(S3I(s)->alpn_selected, selected, selected_len);
                S3I(s)->alpn_selected_len = selected_len;
+                return 1;
        }
-        return 1;
+        /* On SSL_TLSEXT_ERR_NOACK behave as if no callback was present. */
+        if (r == SSL_TLSEXT_ERR_NOACK)
+                return 1;
+        *alert = SSL_AD_NO_APPLICATION_PROTOCOL;
+        SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL);
+        return 0;
 err:
        *alert = SSL_AD_DECODE_ERROR;
author	tb <>	2021-09-10 09:25:29 +0000
committer	tb <>	2021-09-10 09:25:29 +0000
commit	c9e7d5c2a853445ab5e839eb581700a7def5be3b (patch)
tree	2fcdf6ff9ae24aab6ae8fc69b1f46e80b647dd92 /src/lib/libssl/ssl_tlsext.c
parent	94aeb3e2fd2aa6f535f045b0ee734b5d1742522f (diff)
download	openbsd-c9e7d5c2a853445ab5e839eb581700a7def5be3b.tar.gz openbsd-c9e7d5c2a853445ab5e839eb581700a7def5be3b.tar.bz2 openbsd-c9e7d5c2a853445ab5e839eb581700a7def5be3b.zip