Remove NPN support.

NPN was never standardised and the last draft expired in October 2012. ALPN was standardised in July 2014 and has been supported in LibreSSL since December 2014. NPN has also been removed from Chromium in May 2016. TLS clients and servers that try to use/enable NPN will fail gracefully and fallback to the default protocol, since it will essentially appear that the otherside does not support NPN. At some point in the future we will actually remove the NPN related symbols entirely. ok bcook@ beck@ doug@
author: jsing <> 2017-08-12 21:03:08 +0000
committer: jsing <> 2017-08-12 21:03:08 +0000
commit: c648197458d45db4f93561e9497fac0532e6d0bc (patch)
tree: 942d907ed1f094ec2a23893a790715396a4d7e4f /src/lib/libssl/t1_lib.c
parent: be646f37c6508ed75a22ff21af60f2496b432c9d (diff)
download: openbsd-c648197458d45db4f93561e9497fac0532e6d0bc.tar.gz
openbsd-c648197458d45db4f93561e9497fac0532e6d0bc.tar.bz2
openbsd-c648197458d45db4f93561e9497fac0532e6d0bc.zip
1 files changed, 3 insertions, 110 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 3e5133ab54..911e8d3f4e 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.127 2017/08/12 02:55:22 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.128 2017/08/12 21:03:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -779,16 +779,6 @@ skip_ext:
                        i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ret);
        }
-        if (s->ctx->internal->next_proto_select_cb &&
-            !S3I(s)->tmp.finish_md_len) {
-                /* The client advertises an emtpy extension to indicate its
-                 * support for Next Protocol Negotiation */
-                if ((size_t)(limit - ret) < 4)
-                        return NULL;
-                s2n(TLSEXT_TYPE_next_proto_neg, ret);
-                s2n(0, ret);
-        }
        if (s->internal->alpn_client_proto_list != NULL &&
            S3I(s)->tmp.finish_md_len == 0) {
                if ((size_t)(limit - ret) <
@@ -868,7 +858,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
 {
        int extdatalen = 0;
        unsigned char *ret = p;
-        int next_proto_neg_seen;
        size_t len;
        CBB cbb;
@@ -949,26 +938,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                ret += sizeof(cryptopro_ext);
        }
-        next_proto_neg_seen = S3I(s)->next_proto_neg_seen;
-        S3I(s)->next_proto_neg_seen = 0;
-        if (next_proto_neg_seen && s->ctx->internal->next_protos_advertised_cb) {
-                const unsigned char *npa;
-                unsigned int npalen;
-                int r;
-                r = s->ctx->internal->next_protos_advertised_cb(s, &npa, &npalen,
-                    s->ctx->internal->next_protos_advertised_cb_arg);
-                if (r == SSL_TLSEXT_ERR_OK) {
-                        if ((size_t)(limit - ret) < 4 + npalen)
-                                return NULL;
-                        s2n(TLSEXT_TYPE_next_proto_neg, ret);
-                        s2n(npalen, ret);
-                        memcpy(ret, npa, npalen);
-                        ret += npalen;
-                        S3I(s)->next_proto_neg_seen = 1;
-                }
-        }
        if (S3I(s)->alpn_selected != NULL) {
                const unsigned char *selected = S3I(s)->alpn_selected;
                unsigned int len = S3I(s)->alpn_selected_len;
@@ -1070,7 +1039,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
        s->internal->servername_done = 0;
        s->tlsext_status_type = -1;
        S3I(s)->renegotiate_seen = 0;
-        S3I(s)->next_proto_neg_seen = 0;
        free(S3I(s)->alpn_selected);
        S3I(s)->alpn_selected = NULL;
        s->internal->srtp_profile = NULL;
@@ -1227,36 +1195,13 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                                */
                                s->tlsext_status_type = -1;
                        }
-                }
+                } else if (type ==
-                else if (type == TLSEXT_TYPE_next_proto_neg &&
-                    S3I(s)->tmp.finish_md_len == 0 &&
-                    S3I(s)->alpn_selected == NULL) {
-                        /* We shouldn't accept this extension on a
-                         * renegotiation.
-                         *
-                         * s->internal->new_session will be set on renegotiation, but we
-                         * probably shouldn't rely that it couldn't be set on
-                         * the initial renegotation too in certain cases (when
-                         * there's some other reason to disallow resuming an
-                         * earlier session -- the current code won't be doing
-                         * anything like that, but this might change).
-                         * A valid sign that there's been a previous handshake
-                         * in this connection is if S3I(s)->tmp.finish_md_len >
-                         * 0.  (We are talking about a check that will happen
-                         * in the Hello protocol round, well before a new
-                         * Finished message could have been computed.) */
-                        S3I(s)->next_proto_neg_seen = 1;
-                }
-                else if (type ==
                    TLSEXT_TYPE_application_layer_protocol_negotiation &&
                    s->ctx->internal->alpn_select_cb != NULL &&
                    S3I(s)->tmp.finish_md_len == 0) {
                        if (tls1_alpn_handle_client_hello(s, data,
                            size, al) != 1)
                                return (0);
-                        /* ALPN takes precedence over NPN. */
-                        S3I(s)->next_proto_neg_seen = 0;
                }
                /* session ticket processed earlier */
@@ -1293,25 +1238,6 @@ err:
        return 0;
 }
-/*
- * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
- * elements of zero length are allowed and the set of elements must exactly fill
- * the length of the block.
- */
-static char
-ssl_next_proto_validate(const unsigned char *d, unsigned int len)
-{
-        CBS npn, value;
-        CBS_init(&npn, d, len);
-        while (CBS_len(&npn) > 0) {
-                if (!CBS_get_u8_length_prefixed(&npn, &value) ||
-                    CBS_len(&value) == 0)
-                        return 0;
-        }
-        return 1;
-}
 int
 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
 {
@@ -1323,7 +1249,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
        CBS cbs;
        S3I(s)->renegotiate_seen = 0;
-        S3I(s)->next_proto_neg_seen = 0;
        free(S3I(s)->alpn_selected);
        S3I(s)->alpn_selected = NULL;
@@ -1375,39 +1300,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
                        }
                        /* Set flag to expect CertificateStatus message */
                        s->internal->tlsext_status_expected = 1;
-                }
+                } else if (type ==
-                else if (type == TLSEXT_TYPE_next_proto_neg &&
-                    S3I(s)->tmp.finish_md_len == 0) {
-                        unsigned char *selected;
-                        unsigned char selected_len;
-                        /* We must have requested it. */
-                        if (s->ctx->internal->next_proto_select_cb == NULL) {
-                                *al = TLS1_AD_UNSUPPORTED_EXTENSION;
-                                return 0;
-                        }
-                        /* The data must be valid */
-                        if (!ssl_next_proto_validate(data, size)) {
-                                *al = TLS1_AD_DECODE_ERROR;
-                                return 0;
-                        }
-                        if (s->ctx->internal->next_proto_select_cb(s, &selected,
-                            &selected_len, data, size,
-                            s->ctx->internal->next_proto_select_cb_arg) !=
-                            SSL_TLSEXT_ERR_OK) {
-                                *al = TLS1_AD_INTERNAL_ERROR;
-                                return 0;
-                        }
-                        s->internal->next_proto_negotiated = malloc(selected_len);
-                        if (!s->internal->next_proto_negotiated) {
-                                *al = TLS1_AD_INTERNAL_ERROR;
-                                return 0;
-                        }
-                        memcpy(s->internal->next_proto_negotiated, selected, selected_len);
-                        s->internal->next_proto_negotiated_len = selected_len;
-                        S3I(s)->next_proto_neg_seen = 1;
-                }
-                else if (type ==
                    TLSEXT_TYPE_application_layer_protocol_negotiation) {
                        unsigned int len;
author	jsing <>	2017-08-12 21:03:08 +0000
committer	jsing <>	2017-08-12 21:03:08 +0000
commit	c648197458d45db4f93561e9497fac0532e6d0bc (patch)
tree	942d907ed1f094ec2a23893a790715396a4d7e4f /src/lib/libssl/t1_lib.c
parent	be646f37c6508ed75a22ff21af60f2496b432c9d (diff)
download	openbsd-c648197458d45db4f93561e9497fac0532e6d0bc.tar.gz openbsd-c648197458d45db4f93561e9497fac0532e6d0bc.tar.bz2 openbsd-c648197458d45db4f93561e9497fac0532e6d0bc.zip

diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 3e5133ab54..911e8d3f4e 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_lib.c,v 1.127 2017/08/12 02:55:22 jsing Exp $ */	1	/* $OpenBSD: t1_lib.c,v 1.128 2017/08/12 21:03:08 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -779,16 +779,6 @@ skip_ext:
779	i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ret);	779	i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ret);
780	}	780	}
781		781
782	if (s->ctx->internal->next_proto_select_cb &&
783	!S3I(s)->tmp.finish_md_len) {
784	/* The client advertises an emtpy extension to indicate its
785	* support for Next Protocol Negotiation */
786	if ((size_t)(limit - ret) < 4)
787	return NULL;
788	s2n(TLSEXT_TYPE_next_proto_neg, ret);
789	s2n(0, ret);
790	}
791
792	if (s->internal->alpn_client_proto_list != NULL &&	782	if (s->internal->alpn_client_proto_list != NULL &&
793	S3I(s)->tmp.finish_md_len == 0) {	783	S3I(s)->tmp.finish_md_len == 0) {
794	if ((size_t)(limit - ret) <	784	if ((size_t)(limit - ret) <
@@ -868,7 +858,6 @@ ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char *limit)
868	{	858	{
869	int extdatalen = 0;	859	int extdatalen = 0;
870	unsigned char *ret = p;	860	unsigned char *ret = p;
871	int next_proto_neg_seen;
872	size_t len;	861	size_t len;
873	CBB cbb;	862	CBB cbb;
874		863
@@ -949,26 +938,6 @@ ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char *limit)
949	ret += sizeof(cryptopro_ext);	938	ret += sizeof(cryptopro_ext);
950	}	939	}
951		940
952	next_proto_neg_seen = S3I(s)->next_proto_neg_seen;
953	S3I(s)->next_proto_neg_seen = 0;
954	if (next_proto_neg_seen && s->ctx->internal->next_protos_advertised_cb) {
955	const unsigned char *npa;
956	unsigned int npalen;
957	int r;
958
959	r = s->ctx->internal->next_protos_advertised_cb(s, &npa, &npalen,
960	s->ctx->internal->next_protos_advertised_cb_arg);
961	if (r == SSL_TLSEXT_ERR_OK) {
962	if ((size_t)(limit - ret) < 4 + npalen)
963	return NULL;
964	s2n(TLSEXT_TYPE_next_proto_neg, ret);
965	s2n(npalen, ret);
966	memcpy(ret, npa, npalen);
967	ret += npalen;
968	S3I(s)->next_proto_neg_seen = 1;
969	}
970	}
971
972	if (S3I(s)->alpn_selected != NULL) {	941	if (S3I(s)->alpn_selected != NULL) {
973	const unsigned char *selected = S3I(s)->alpn_selected;	942	const unsigned char *selected = S3I(s)->alpn_selected;
974	unsigned int len = S3I(s)->alpn_selected_len;	943	unsigned int len = S3I(s)->alpn_selected_len;
@@ -1070,7 +1039,6 @@ ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d,
1070	s->internal->servername_done = 0;	1039	s->internal->servername_done = 0;
1071	s->tlsext_status_type = -1;	1040	s->tlsext_status_type = -1;
1072	S3I(s)->renegotiate_seen = 0;	1041	S3I(s)->renegotiate_seen = 0;
1073	S3I(s)->next_proto_neg_seen = 0;
1074	free(S3I(s)->alpn_selected);	1042	free(S3I(s)->alpn_selected);
1075	S3I(s)->alpn_selected = NULL;	1043	S3I(s)->alpn_selected = NULL;
1076	s->internal->srtp_profile = NULL;	1044	s->internal->srtp_profile = NULL;
@@ -1227,36 +1195,13 @@ ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d,
1227	*/	1195	*/
1228	s->tlsext_status_type = -1;	1196	s->tlsext_status_type = -1;
1229	}	1197	}
1230	}	1198	} else if (type ==
1231	else if (type == TLSEXT_TYPE_next_proto_neg &&
1232	S3I(s)->tmp.finish_md_len == 0 &&
1233	S3I(s)->alpn_selected == NULL) {
1234	/* We shouldn't accept this extension on a
1235	* renegotiation.
1236	*
1237	* s->internal->new_session will be set on renegotiation, but we
1238	* probably shouldn't rely that it couldn't be set on
1239	* the initial renegotation too in certain cases (when
1240	* there's some other reason to disallow resuming an
1241	* earlier session -- the current code won't be doing
1242	* anything like that, but this might change).
1243
1244	* A valid sign that there's been a previous handshake
1245	* in this connection is if S3I(s)->tmp.finish_md_len >
1246	* 0. (We are talking about a check that will happen
1247	* in the Hello protocol round, well before a new
1248	* Finished message could have been computed.) */
1249	S3I(s)->next_proto_neg_seen = 1;
1250	}
1251	else if (type ==
1252	TLSEXT_TYPE_application_layer_protocol_negotiation &&	1199	TLSEXT_TYPE_application_layer_protocol_negotiation &&
1253	s->ctx->internal->alpn_select_cb != NULL &&	1200	s->ctx->internal->alpn_select_cb != NULL &&
1254	S3I(s)->tmp.finish_md_len == 0) {	1201	S3I(s)->tmp.finish_md_len == 0) {
1255	if (tls1_alpn_handle_client_hello(s, data,	1202	if (tls1_alpn_handle_client_hello(s, data,
1256	size, al) != 1)	1203	size, al) != 1)
1257	return (0);	1204	return (0);
1258	/* ALPN takes precedence over NPN. */
1259	S3I(s)->next_proto_neg_seen = 0;
1260	}	1205	}
1261		1206
1262	/* session ticket processed earlier */	1207	/* session ticket processed earlier */
@@ -1293,25 +1238,6 @@ err:
1293	return 0;	1238	return 0;
1294	}	1239	}
1295		1240
1296	/*
1297	* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1298	* elements of zero length are allowed and the set of elements must exactly fill
1299	* the length of the block.
1300	*/
1301	static char
1302	ssl_next_proto_validate(const unsigned char *d, unsigned int len)
1303	{
1304	CBS npn, value;
1305
1306	CBS_init(&npn, d, len);
1307	while (CBS_len(&npn) > 0) {
1308	if (!CBS_get_u8_length_prefixed(&npn, &value) \|\|
1309	CBS_len(&value) == 0)
1310	return 0;
1311	}
1312	return 1;
1313	}
1314
1315	int	1241	int
1316	ssl_parse_serverhello_tlsext(SSL s, unsigned char p, size_t n, int al)	1242	ssl_parse_serverhello_tlsext(SSL s, unsigned char p, size_t n, int al)
1317	{	1243	{
@@ -1323,7 +1249,6 @@ ssl_parse_serverhello_tlsext(SSL s, unsigned char p, size_t n, int al)
1323	CBS cbs;	1249	CBS cbs;
1324		1250
1325	S3I(s)->renegotiate_seen = 0;	1251	S3I(s)->renegotiate_seen = 0;
1326	S3I(s)->next_proto_neg_seen = 0;
1327	free(S3I(s)->alpn_selected);	1252	free(S3I(s)->alpn_selected);
1328	S3I(s)->alpn_selected = NULL;	1253	S3I(s)->alpn_selected = NULL;
1329		1254
@@ -1375,39 +1300,7 @@ ssl_parse_serverhello_tlsext(SSL s, unsigned char p, size_t n, int al)
1375	}	1300	}
1376	/* Set flag to expect CertificateStatus message */	1301	/* Set flag to expect CertificateStatus message */
1377	s->internal->tlsext_status_expected = 1;	1302	s->internal->tlsext_status_expected = 1;
1378	}	1303	} else if (type ==
1379	else if (type == TLSEXT_TYPE_next_proto_neg &&
1380	S3I(s)->tmp.finish_md_len == 0) {
1381	unsigned char *selected;
1382	unsigned char selected_len;
1383
1384	/* We must have requested it. */
1385	if (s->ctx->internal->next_proto_select_cb == NULL) {
1386	*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1387	return 0;
1388	}
1389	/* The data must be valid */
1390	if (!ssl_next_proto_validate(data, size)) {
1391	*al = TLS1_AD_DECODE_ERROR;
1392	return 0;
1393	}
1394	if (s->ctx->internal->next_proto_select_cb(s, &selected,
1395	&selected_len, data, size,
1396	s->ctx->internal->next_proto_select_cb_arg) !=
1397	SSL_TLSEXT_ERR_OK) {
1398	*al = TLS1_AD_INTERNAL_ERROR;
1399	return 0;
1400	}
1401	s->internal->next_proto_negotiated = malloc(selected_len);
1402	if (!s->internal->next_proto_negotiated) {
1403	*al = TLS1_AD_INTERNAL_ERROR;
1404	return 0;
1405	}
1406	memcpy(s->internal->next_proto_negotiated, selected, selected_len);
1407	s->internal->next_proto_negotiated_len = selected_len;
1408	S3I(s)->next_proto_neg_seen = 1;
1409	}
1410	else if (type ==
1411	TLSEXT_TYPE_application_layer_protocol_negotiation) {	1304	TLSEXT_TYPE_application_layer_protocol_negotiation) {
1412	unsigned int len;	1305	unsigned int len;
1413		1306