summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.35
-rw-r--r--src/lib/libssl/s3_lib.c6
-rw-r--r--src/lib/libssl/ssl_clnt.c56
-rw-r--r--src/lib/libssl/ssl_lib.c78
-rw-r--r--src/lib/libssl/ssl_locl.h43
-rw-r--r--src/lib/libssl/ssl_srvr.c104
-rw-r--r--src/lib/libssl/t1_lib.c113
7 files changed, 28 insertions, 377 deletions
diff --git a/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 b/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
index ea7b1faf48..eb6c543478 100644
--- a/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
@@ -1,4 +1,4 @@
1.\" $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.2 2017/06/10 13:58:59 schwarze Exp $ 1.\" $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.3 2017/08/12 21:03:08 jsing Exp $
2.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 2.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
3.\" 3.\"
4.\" This file was written by Todd Short <tshort@akamai.com>. 4.\" This file was written by Todd Short <tshort@akamai.com>.
@@ -48,7 +48,7 @@
48.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 48.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49.\" OF THE POSSIBILITY OF SUCH DAMAGE. 49.\" OF THE POSSIBILITY OF SUCH DAMAGE.
50.\" 50.\"
51.Dd $Mdocdate: June 10 2017 $ 51.Dd $Mdocdate: August 12 2017 $
52.Dt SSL_CTX_SET_ALPN_SELECT_CB 3 52.Dt SSL_CTX_SET_ALPN_SELECT_CB 3
53.Os 53.Os
54.Sh NAME 54.Sh NAME
@@ -181,7 +181,6 @@ If no match is found, the first item in
181is returned in 181is returned in
182.Fa out , 182.Fa out ,
183.Fa outlen . 183.Fa outlen .
184This function can also be used in the NPN callback.
185.Pp 184.Pp
186.Fn SSL_get0_alpn_selected 185.Fn SSL_get0_alpn_selected
187returns a pointer to the selected protocol in 186returns a pointer to the selected protocol in
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 3a11d62893..acbe30d804 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.157 2017/08/12 02:55:22 jsing Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.158 2017/08/12 21:03:08 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1705,10 +1705,6 @@ ssl3_clear(SSL *s)
1705 1705
1706 s->internal->packet_length = 0; 1706 s->internal->packet_length = 0;
1707 s->version = TLS1_VERSION; 1707 s->version = TLS1_VERSION;
1708
1709 free(s->internal->next_proto_negotiated);
1710 s->internal->next_proto_negotiated = NULL;
1711 s->internal->next_proto_negotiated_len = 0;
1712} 1708}
1713 1709
1714static long 1710static long
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 865c961db7..ec4a4104fc 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_clnt.c,v 1.15 2017/08/12 02:55:22 jsing Exp $ */ 1/* $OpenBSD: ssl_clnt.c,v 1.16 2017/08/12 21:03:08 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -407,14 +407,11 @@ ssl3_connect(SSL *s)
407 case SSL3_ST_CW_CHANGE_A: 407 case SSL3_ST_CW_CHANGE_A:
408 case SSL3_ST_CW_CHANGE_B: 408 case SSL3_ST_CW_CHANGE_B:
409 ret = ssl3_send_change_cipher_spec(s, 409 ret = ssl3_send_change_cipher_spec(s,
410 SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B); 410 SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B);
411 if (ret <= 0) 411 if (ret <= 0)
412 goto end; 412 goto end;
413 413
414 if (S3I(s)->next_proto_neg_seen) 414 S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A;
415 S3I(s)->hs.state = SSL3_ST_CW_NEXT_PROTO_A;
416 else
417 S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A;
418 s->internal->init_num = 0; 415 s->internal->init_num = 0;
419 416
420 s->session->cipher = S3I(s)->hs.new_cipher; 417 s->session->cipher = S3I(s)->hs.new_cipher;
@@ -431,14 +428,6 @@ ssl3_connect(SSL *s)
431 428
432 break; 429 break;
433 430
434 case SSL3_ST_CW_NEXT_PROTO_A:
435 case SSL3_ST_CW_NEXT_PROTO_B:
436 ret = ssl3_send_next_proto(s);
437 if (ret <= 0)
438 goto end;
439 S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A;
440 break;
441
442 case SSL3_ST_CW_FINISHED_A: 431 case SSL3_ST_CW_FINISHED_A:
443 case SSL3_ST_CW_FINISHED_B: 432 case SSL3_ST_CW_FINISHED_B:
444 ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A, 433 ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A,
@@ -2599,45 +2588,6 @@ err:
2599 return (0); 2588 return (0);
2600} 2589}
2601 2590
2602int
2603ssl3_send_next_proto(SSL *s)
2604{
2605 CBB cbb, nextproto, npn, padding;
2606 size_t pad_len;
2607 uint8_t *pad;
2608
2609 memset(&cbb, 0, sizeof(cbb));
2610
2611 if (S3I(s)->hs.state == SSL3_ST_CW_NEXT_PROTO_A) {
2612 pad_len = 32 - ((s->internal->next_proto_negotiated_len + 2) % 32);
2613
2614 if (!ssl3_handshake_msg_start_cbb(s, &cbb, &nextproto,
2615 SSL3_MT_NEXT_PROTO))
2616 goto err;
2617 if (!CBB_add_u8_length_prefixed(&nextproto, &npn))
2618 goto err;
2619 if (!CBB_add_bytes(&npn, s->internal->next_proto_negotiated,
2620 s->internal->next_proto_negotiated_len))
2621 goto err;
2622 if (!CBB_add_u8_length_prefixed(&nextproto, &padding))
2623 goto err;
2624 if (!CBB_add_space(&padding, &pad, pad_len))
2625 goto err;
2626 memset(pad, 0, pad_len);
2627 if (!ssl3_handshake_msg_finish_cbb(s, &cbb))
2628 goto err;
2629
2630 S3I(s)->hs.state = SSL3_ST_CW_NEXT_PROTO_B;
2631 }
2632
2633 return (ssl3_handshake_write(s));
2634
2635 err:
2636 CBB_cleanup(&cbb);
2637
2638 return (-1);
2639}
2640
2641/* 2591/*
2642 * Check to see if handshake is full or resumed. Usually this is just a 2592 * Check to see if handshake is full or resumed. Usually this is just a
2643 * case of checking to see if a cache hit has occurred. In the case of 2593 * case of checking to see if a cache hit has occurred. In the case of
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index de78ad2fcf..32a5680db7 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_lib.c,v 1.166 2017/08/12 02:55:22 jsing Exp $ */ 1/* $OpenBSD: ssl_lib.c,v 1.167 2017/08/12 21:03:08 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -339,8 +339,6 @@ SSL_new(SSL_CTX *ctx)
339 ctx->internal->tlsext_supportedgroups_length; 339 ctx->internal->tlsext_supportedgroups_length;
340 } 340 }
341 341
342 s->internal->next_proto_negotiated = NULL;
343
344 if (s->ctx->internal->alpn_client_proto_list != NULL) { 342 if (s->ctx->internal->alpn_client_proto_list != NULL) {
345 s->internal->alpn_client_proto_list = 343 s->internal->alpn_client_proto_list =
346 malloc(s->ctx->internal->alpn_client_proto_list_len); 344 malloc(s->ctx->internal->alpn_client_proto_list_len);
@@ -548,7 +546,6 @@ SSL_free(SSL *s)
548 546
549 SSL_CTX_free(s->ctx); 547 SSL_CTX_free(s->ctx);
550 548
551 free(s->internal->next_proto_negotiated);
552 free(s->internal->alpn_client_proto_list); 549 free(s->internal->alpn_client_proto_list);
553 550
554#ifndef OPENSSL_NO_SRTP 551#ifndef OPENSSL_NO_SRTP
@@ -1541,33 +1538,15 @@ SSL_get_servername_type(const SSL *s)
1541} 1538}
1542 1539
1543/* 1540/*
1544 * SSL_select_next_proto implements the standard protocol selection. It is 1541 * SSL_select_next_proto implements standard protocol selection. It is
1545 * expected that this function is called from the callback set by 1542 * expected that this function is called from the callback set by
1546 * SSL_CTX_set_next_proto_select_cb. 1543 * SSL_CTX_set_alpn_select_cb.
1547 * 1544 *
1548 * The protocol data is assumed to be a vector of 8-bit, length prefixed byte 1545 * The protocol data is assumed to be a vector of 8-bit, length prefixed byte
1549 * strings. The length byte itself is not included in the length. A byte 1546 * strings. The length byte itself is not included in the length. A byte
1550 * string of length 0 is invalid. No byte string may be truncated. 1547 * string of length 0 is invalid. No byte string may be truncated.
1551 * 1548 *
1552 * The current, but experimental algorithm for selecting the protocol is: 1549 * It returns either:
1553 *
1554 * 1) If the server doesn't support NPN then this is indicated to the
1555 * callback. In this case, the client application has to abort the connection
1556 * or have a default application level protocol.
1557 *
1558 * 2) If the server supports NPN, but advertises an empty list then the
1559 * client selects the first protcol in its list, but indicates via the
1560 * API that this fallback case was enacted.
1561 *
1562 * 3) Otherwise, the client finds the first protocol in the server's list
1563 * that it supports and selects this protocol. This is because it's
1564 * assumed that the server has better information about which protocol
1565 * a client should use.
1566 *
1567 * 4) If the client doesn't support any of the server's advertised
1568 * protocols, then this is treated the same as case 2.
1569 *
1570 * It returns either
1571 * OPENSSL_NPN_NEGOTIATED if a common protocol was found, or 1550 * OPENSSL_NPN_NEGOTIATED if a common protocol was found, or
1572 * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached. 1551 * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
1573 */ 1552 */
@@ -1611,64 +1590,28 @@ found:
1611 return (status); 1590 return (status);
1612} 1591}
1613 1592
1614/* 1593/* SSL_get0_next_proto_negotiated is deprecated. */
1615 * SSL_get0_next_proto_negotiated sets *data and *len to point to the client's
1616 * requested protocol for this connection and returns 0. If the client didn't
1617 * request any protocol, then *data is set to NULL.
1618 *
1619 * Note that the client can request any protocol it chooses. The value returned
1620 * from this function need not be a member of the list of supported protocols
1621 * provided by the callback.
1622 */
1623void 1594void
1624SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, 1595SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
1625 unsigned *len) 1596 unsigned *len)
1626{ 1597{
1627 *data = s->internal->next_proto_negotiated; 1598 *data = NULL;
1628 if (!*data) { 1599 *len = 0;
1629 *len = 0;
1630 } else {
1631 *len = s->internal->next_proto_negotiated_len;
1632 }
1633} 1600}
1634 1601
1635/* 1602/* SSL_CTX_set_next_protos_advertised_cb is deprecated. */
1636 * SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
1637 * TLS server needs a list of supported protocols for Next Protocol
1638 * Negotiation. The returned list must be in wire format. The list is returned
1639 * by setting |out| to point to it and |outlen| to its length. This memory will
1640 * not be modified, but one should assume that the SSL* keeps a reference to
1641 * it.
1642 *
1643 * The callback should return SSL_TLSEXT_ERR_OK if it wishes to advertise.
1644 * Otherwise, no such extension will be included in the ServerHello.
1645 */
1646void 1603void
1647SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, 1604SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl,
1648 const unsigned char **out, unsigned int *outlen, void *arg), void *arg) 1605 const unsigned char **out, unsigned int *outlen, void *arg), void *arg)
1649{ 1606{
1650 ctx->internal->next_protos_advertised_cb = cb;
1651 ctx->internal->next_protos_advertised_cb_arg = arg;
1652} 1607}
1653 1608
1654/* 1609/* SSL_CTX_set_next_proto_select_cb is deprecated. */
1655 * SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
1656 * client needs to select a protocol from the server's provided list. |out|
1657 * must be set to point to the selected protocol (which may be within |in|).
1658 * The length of the protocol name must be written into |outlen|. The server's
1659 * advertised protocols are provided in |in| and |inlen|. The callback can
1660 * assume that |in| is syntactically valid.
1661 *
1662 * The client must select a protocol. It is fatal to the connection if this
1663 * callback returns a value other than SSL_TLSEXT_ERR_OK.
1664 */
1665void 1610void
1666SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, 1611SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s,
1667 unsigned char **out, unsigned char *outlen, const unsigned char *in, 1612 unsigned char **out, unsigned char *outlen, const unsigned char *in,
1668 unsigned int inlen, void *arg), void *arg) 1613 unsigned int inlen, void *arg), void *arg)
1669{ 1614{
1670 ctx->internal->next_proto_select_cb = cb;
1671 ctx->internal->next_proto_select_cb_arg = arg;
1672} 1615}
1673 1616
1674/* 1617/*
@@ -1912,9 +1855,6 @@ SSL_CTX_new(const SSL_METHOD *meth)
1912 ret->internal->tlsext_status_cb = 0; 1855 ret->internal->tlsext_status_cb = 0;
1913 ret->internal->tlsext_status_arg = NULL; 1856 ret->internal->tlsext_status_arg = NULL;
1914 1857
1915 ret->internal->next_protos_advertised_cb = 0;
1916 ret->internal->next_proto_select_cb = 0;
1917
1918#ifndef OPENSSL_NO_ENGINE 1858#ifndef OPENSSL_NO_ENGINE
1919 ret->internal->client_cert_engine = NULL; 1859 ret->internal->client_cert_engine = NULL;
1920#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO 1860#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 6f9be12fa7..914501213c 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.188 2017/08/12 02:55:22 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.189 2017/08/12 21:03:08 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -575,24 +575,8 @@ typedef struct ssl_ctx_internal_st {
575 /* SRTP profiles we are willing to do from RFC 5764 */ 575 /* SRTP profiles we are willing to do from RFC 5764 */
576 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; 576 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
577 577
578 /* Next protocol negotiation information */
579 /* (for experimental NPN extension). */
580
581 /* For a server, this contains a callback function by which the set of
582 * advertised protocols can be provided. */
583 int (*next_protos_advertised_cb)(SSL *s, const unsigned char **buf,
584 unsigned int *len, void *arg);
585 void *next_protos_advertised_cb_arg;
586 /* For a client, this contains a callback function that selects the
587 * next protocol from the list provided by the server. */
588 int (*next_proto_select_cb)(SSL *s, unsigned char **out,
589 unsigned char *outlen, const unsigned char *in,
590 unsigned int inlen, void *arg);
591 void *next_proto_select_cb_arg;
592
593 /* 578 /*
594 * ALPN information 579 * ALPN information.
595 * (we are in the process of transitioning from NPN to ALPN).
596 */ 580 */
597 581
598 /* 582 /*
@@ -627,16 +611,6 @@ typedef struct ssl_internal_st {
627 unsigned long options; /* protocol behaviour */ 611 unsigned long options; /* protocol behaviour */
628 unsigned long mode; /* API behaviour */ 612 unsigned long mode; /* API behaviour */
629 613
630 /* Next protocol negotiation. For the client, this is the protocol that
631 * we sent in NextProtocol and is set when handling ServerHello
632 * extensions.
633 *
634 * For a server, this is the client's selected_protocol from
635 * NextProtocol and is set when handling the NextProtocol message,
636 * before the Finished message. */
637 unsigned char *next_proto_negotiated;
638 unsigned char next_proto_negotiated_len;
639
640 /* Client list of supported protocols in wire format. */ 614 /* Client list of supported protocols in wire format. */
641 unsigned char *alpn_client_proto_list; 615 unsigned char *alpn_client_proto_list;
642 unsigned int alpn_client_proto_list_len; 616 unsigned int alpn_client_proto_list_len;
@@ -881,16 +855,9 @@ typedef struct ssl3_state_internal_st {
881 /* Set if we saw a Renegotiation Indication extension from our peer. */ 855 /* Set if we saw a Renegotiation Indication extension from our peer. */
882 int renegotiate_seen; 856 int renegotiate_seen;
883 857
884 /* Set if we saw the Next Protocol Negotiation extension from our peer.
885 */
886 int next_proto_neg_seen;
887
888 /*
889 * ALPN information
890 * (we are in the process of transitioning from NPN to ALPN).
891 */
892
893 /* 858 /*
859 * ALPN information.
860 *
894 * In a server these point to the selected ALPN protocol after the 861 * In a server these point to the selected ALPN protocol after the
895 * ClientHello has been processed. In a client these contain the 862 * ClientHello has been processed. In a client these contain the
896 * protocol that the server selected once the ServerHello has been 863 * protocol that the server selected once the ServerHello has been
@@ -1245,7 +1212,6 @@ int ssl3_get_server_key_exchange(SSL *s);
1245int ssl3_get_server_certificate(SSL *s); 1212int ssl3_get_server_certificate(SSL *s);
1246int ssl3_check_cert_and_algorithm(SSL *s); 1213int ssl3_check_cert_and_algorithm(SSL *s);
1247int ssl3_check_finished(SSL *s); 1214int ssl3_check_finished(SSL *s);
1248int ssl3_send_next_proto(SSL *s);
1249 1215
1250/* some server-only functions */ 1216/* some server-only functions */
1251int ssl3_get_client_hello(SSL *s); 1217int ssl3_get_client_hello(SSL *s);
@@ -1257,7 +1223,6 @@ int ssl3_send_server_done(SSL *s);
1257int ssl3_get_client_certificate(SSL *s); 1223int ssl3_get_client_certificate(SSL *s);
1258int ssl3_get_client_key_exchange(SSL *s); 1224int ssl3_get_client_key_exchange(SSL *s);
1259int ssl3_get_cert_verify(SSL *s); 1225int ssl3_get_cert_verify(SSL *s);
1260int ssl3_get_next_proto(SSL *s);
1261 1226
1262int ssl23_accept(SSL *s); 1227int ssl23_accept(SSL *s);
1263int ssl23_connect(SSL *s); 1228int ssl23_connect(SSL *s);
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index a21039e727..50ce91ddd8 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_srvr.c,v 1.20 2017/08/12 02:55:22 jsing Exp $ */ 1/* $OpenBSD: ssl_srvr.c,v 1.21 2017/08/12 21:03:08 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -468,10 +468,7 @@ ssl3_accept(SSL *s)
468 * the client uses its key from the certificate 468 * the client uses its key from the certificate
469 * for key exchange. 469 * for key exchange.
470 */ 470 */
471 if (S3I(s)->next_proto_neg_seen) 471 S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
472 S3I(s)->hs.state = SSL3_ST_SR_NEXT_PROTO_A;
473 else
474 S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
475 s->internal->init_num = 0; 472 s->internal->init_num = 0;
476 } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) { 473 } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) {
477 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A; 474 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
@@ -525,20 +522,8 @@ ssl3_accept(SSL *s)
525 if (ret <= 0) 522 if (ret <= 0)
526 goto end; 523 goto end;
527 524
528 if (S3I(s)->next_proto_neg_seen)
529 S3I(s)->hs.state = SSL3_ST_SR_NEXT_PROTO_A;
530 else
531 S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
532 s->internal->init_num = 0;
533 break;
534
535 case SSL3_ST_SR_NEXT_PROTO_A:
536 case SSL3_ST_SR_NEXT_PROTO_B:
537 ret = ssl3_get_next_proto(s);
538 if (ret <= 0)
539 goto end;
540 s->internal->init_num = 0;
541 S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A; 525 S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
526 s->internal->init_num = 0;
542 break; 527 break;
543 528
544 case SSL3_ST_SR_FINISHED_A: 529 case SSL3_ST_SR_FINISHED_A:
@@ -610,15 +595,9 @@ ssl3_accept(SSL *s)
610 if (ret <= 0) 595 if (ret <= 0)
611 goto end; 596 goto end;
612 S3I(s)->hs.state = SSL3_ST_SW_FLUSH; 597 S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
613 if (s->internal->hit) { 598 if (s->internal->hit)
614 if (S3I(s)->next_proto_neg_seen) { 599 S3I(s)->hs.next_state = SSL3_ST_SR_FINISHED_A;
615 s->s3->flags |= SSL3_FLAGS_CCS_OK; 600 else
616 S3I(s)->hs.next_state =
617 SSL3_ST_SR_NEXT_PROTO_A;
618 } else
619 S3I(s)->hs.next_state =
620 SSL3_ST_SR_FINISHED_A;
621 } else
622 S3I(s)->hs.next_state = SSL_ST_OK; 601 S3I(s)->hs.next_state = SSL_ST_OK;
623 s->internal->init_num = 0; 602 s->internal->init_num = 0;
624 break; 603 break;
@@ -2708,74 +2687,3 @@ ssl3_send_cert_status(SSL *s)
2708 2687
2709 return (-1); 2688 return (-1);
2710} 2689}
2711
2712/*
2713 * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message.
2714 * It sets the next_proto member in s if found
2715 */
2716int
2717ssl3_get_next_proto(SSL *s)
2718{
2719 CBS cbs, proto, padding;
2720 int ok;
2721 long n;
2722 size_t len;
2723
2724 /*
2725 * Clients cannot send a NextProtocol message if we didn't see the
2726 * extension in their ClientHello
2727 */
2728 if (!S3I(s)->next_proto_neg_seen) {
2729 SSLerror(s, SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
2730 return (-1);
2731 }
2732
2733 /* 514 maxlen is enough for the payload format below */
2734 n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
2735 SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO, 514, &ok);
2736 if (!ok)
2737 return ((int)n);
2738
2739 /*
2740 * S3I(s)->hs.state doesn't reflect whether ChangeCipherSpec has been received
2741 * in this handshake, but S3I(s)->change_cipher_spec does (will be reset
2742 * by ssl3_get_finished).
2743 */
2744 if (!S3I(s)->change_cipher_spec) {
2745 SSLerror(s, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
2746 return (-1);
2747 }
2748
2749 if (n < 2)
2750 return (0);
2751 /* The body must be > 1 bytes long */
2752
2753 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
2754
2755 /*
2756 * The payload looks like:
2757 * uint8 proto_len;
2758 * uint8 proto[proto_len];
2759 * uint8 padding_len;
2760 * uint8 padding[padding_len];
2761 */
2762 if (!CBS_get_u8_length_prefixed(&cbs, &proto) ||
2763 !CBS_get_u8_length_prefixed(&cbs, &padding) ||
2764 CBS_len(&cbs) != 0)
2765 return 0;
2766
2767 /*
2768 * XXX We should not NULL it, but this matches old behavior of not
2769 * freeing before malloc.
2770 */
2771 s->internal->next_proto_negotiated = NULL;
2772 s->internal->next_proto_negotiated_len = 0;
2773
2774 if (!CBS_stow(&proto, &s->internal->next_proto_negotiated, &len)) {
2775 SSLerror(s, ERR_R_MALLOC_FAILURE);
2776 return (0);
2777 }
2778 s->internal->next_proto_negotiated_len = (uint8_t)len;
2779
2780 return (1);
2781}
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 3e5133ab54..911e8d3f4e 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.127 2017/08/12 02:55:22 jsing Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.128 2017/08/12 21:03:08 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -779,16 +779,6 @@ skip_ext:
779 i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ret); 779 i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ret);
780 } 780 }
781 781
782 if (s->ctx->internal->next_proto_select_cb &&
783 !S3I(s)->tmp.finish_md_len) {
784 /* The client advertises an emtpy extension to indicate its
785 * support for Next Protocol Negotiation */
786 if ((size_t)(limit - ret) < 4)
787 return NULL;
788 s2n(TLSEXT_TYPE_next_proto_neg, ret);
789 s2n(0, ret);
790 }
791
792 if (s->internal->alpn_client_proto_list != NULL && 782 if (s->internal->alpn_client_proto_list != NULL &&
793 S3I(s)->tmp.finish_md_len == 0) { 783 S3I(s)->tmp.finish_md_len == 0) {
794 if ((size_t)(limit - ret) < 784 if ((size_t)(limit - ret) <
@@ -868,7 +858,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
868{ 858{
869 int extdatalen = 0; 859 int extdatalen = 0;
870 unsigned char *ret = p; 860 unsigned char *ret = p;
871 int next_proto_neg_seen;
872 size_t len; 861 size_t len;
873 CBB cbb; 862 CBB cbb;
874 863
@@ -949,26 +938,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
949 ret += sizeof(cryptopro_ext); 938 ret += sizeof(cryptopro_ext);
950 } 939 }
951 940
952 next_proto_neg_seen = S3I(s)->next_proto_neg_seen;
953 S3I(s)->next_proto_neg_seen = 0;
954 if (next_proto_neg_seen && s->ctx->internal->next_protos_advertised_cb) {
955 const unsigned char *npa;
956 unsigned int npalen;
957 int r;
958
959 r = s->ctx->internal->next_protos_advertised_cb(s, &npa, &npalen,
960 s->ctx->internal->next_protos_advertised_cb_arg);
961 if (r == SSL_TLSEXT_ERR_OK) {
962 if ((size_t)(limit - ret) < 4 + npalen)
963 return NULL;
964 s2n(TLSEXT_TYPE_next_proto_neg, ret);
965 s2n(npalen, ret);
966 memcpy(ret, npa, npalen);
967 ret += npalen;
968 S3I(s)->next_proto_neg_seen = 1;
969 }
970 }
971
972 if (S3I(s)->alpn_selected != NULL) { 941 if (S3I(s)->alpn_selected != NULL) {
973 const unsigned char *selected = S3I(s)->alpn_selected; 942 const unsigned char *selected = S3I(s)->alpn_selected;
974 unsigned int len = S3I(s)->alpn_selected_len; 943 unsigned int len = S3I(s)->alpn_selected_len;
@@ -1070,7 +1039,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1070 s->internal->servername_done = 0; 1039 s->internal->servername_done = 0;
1071 s->tlsext_status_type = -1; 1040 s->tlsext_status_type = -1;
1072 S3I(s)->renegotiate_seen = 0; 1041 S3I(s)->renegotiate_seen = 0;
1073 S3I(s)->next_proto_neg_seen = 0;
1074 free(S3I(s)->alpn_selected); 1042 free(S3I(s)->alpn_selected);
1075 S3I(s)->alpn_selected = NULL; 1043 S3I(s)->alpn_selected = NULL;
1076 s->internal->srtp_profile = NULL; 1044 s->internal->srtp_profile = NULL;
@@ -1227,36 +1195,13 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1227 */ 1195 */
1228 s->tlsext_status_type = -1; 1196 s->tlsext_status_type = -1;
1229 } 1197 }
1230 } 1198 } else if (type ==
1231 else if (type == TLSEXT_TYPE_next_proto_neg &&
1232 S3I(s)->tmp.finish_md_len == 0 &&
1233 S3I(s)->alpn_selected == NULL) {
1234 /* We shouldn't accept this extension on a
1235 * renegotiation.
1236 *
1237 * s->internal->new_session will be set on renegotiation, but we
1238 * probably shouldn't rely that it couldn't be set on
1239 * the initial renegotation too in certain cases (when
1240 * there's some other reason to disallow resuming an
1241 * earlier session -- the current code won't be doing
1242 * anything like that, but this might change).
1243
1244 * A valid sign that there's been a previous handshake
1245 * in this connection is if S3I(s)->tmp.finish_md_len >
1246 * 0. (We are talking about a check that will happen
1247 * in the Hello protocol round, well before a new
1248 * Finished message could have been computed.) */
1249 S3I(s)->next_proto_neg_seen = 1;
1250 }
1251 else if (type ==
1252 TLSEXT_TYPE_application_layer_protocol_negotiation && 1199 TLSEXT_TYPE_application_layer_protocol_negotiation &&
1253 s->ctx->internal->alpn_select_cb != NULL && 1200 s->ctx->internal->alpn_select_cb != NULL &&
1254 S3I(s)->tmp.finish_md_len == 0) { 1201 S3I(s)->tmp.finish_md_len == 0) {
1255 if (tls1_alpn_handle_client_hello(s, data, 1202 if (tls1_alpn_handle_client_hello(s, data,
1256 size, al) != 1) 1203 size, al) != 1)
1257 return (0); 1204 return (0);
1258 /* ALPN takes precedence over NPN. */
1259 S3I(s)->next_proto_neg_seen = 0;
1260 } 1205 }
1261 1206
1262 /* session ticket processed earlier */ 1207 /* session ticket processed earlier */
@@ -1293,25 +1238,6 @@ err:
1293 return 0; 1238 return 0;
1294} 1239}
1295 1240
1296/*
1297 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1298 * elements of zero length are allowed and the set of elements must exactly fill
1299 * the length of the block.
1300 */
1301static char
1302ssl_next_proto_validate(const unsigned char *d, unsigned int len)
1303{
1304 CBS npn, value;
1305
1306 CBS_init(&npn, d, len);
1307 while (CBS_len(&npn) > 0) {
1308 if (!CBS_get_u8_length_prefixed(&npn, &value) ||
1309 CBS_len(&value) == 0)
1310 return 0;
1311 }
1312 return 1;
1313}
1314
1315int 1241int
1316ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al) 1242ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
1317{ 1243{
@@ -1323,7 +1249,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
1323 CBS cbs; 1249 CBS cbs;
1324 1250
1325 S3I(s)->renegotiate_seen = 0; 1251 S3I(s)->renegotiate_seen = 0;
1326 S3I(s)->next_proto_neg_seen = 0;
1327 free(S3I(s)->alpn_selected); 1252 free(S3I(s)->alpn_selected);
1328 S3I(s)->alpn_selected = NULL; 1253 S3I(s)->alpn_selected = NULL;
1329 1254
@@ -1375,39 +1300,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
1375 } 1300 }
1376 /* Set flag to expect CertificateStatus message */ 1301 /* Set flag to expect CertificateStatus message */
1377 s->internal->tlsext_status_expected = 1; 1302 s->internal->tlsext_status_expected = 1;
1378 } 1303 } else if (type ==
1379 else if (type == TLSEXT_TYPE_next_proto_neg &&
1380 S3I(s)->tmp.finish_md_len == 0) {
1381 unsigned char *selected;
1382 unsigned char selected_len;
1383
1384 /* We must have requested it. */
1385 if (s->ctx->internal->next_proto_select_cb == NULL) {
1386 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1387 return 0;
1388 }
1389 /* The data must be valid */
1390 if (!ssl_next_proto_validate(data, size)) {
1391 *al = TLS1_AD_DECODE_ERROR;
1392 return 0;
1393 }
1394 if (s->ctx->internal->next_proto_select_cb(s, &selected,
1395 &selected_len, data, size,
1396 s->ctx->internal->next_proto_select_cb_arg) !=
1397 SSL_TLSEXT_ERR_OK) {
1398 *al = TLS1_AD_INTERNAL_ERROR;
1399 return 0;
1400 }
1401 s->internal->next_proto_negotiated = malloc(selected_len);
1402 if (!s->internal->next_proto_negotiated) {
1403 *al = TLS1_AD_INTERNAL_ERROR;
1404 return 0;
1405 }
1406 memcpy(s->internal->next_proto_negotiated, selected, selected_len);
1407 s->internal->next_proto_negotiated_len = selected_len;
1408 S3I(s)->next_proto_neg_seen = 1;
1409 }
1410 else if (type ==
1411 TLSEXT_TYPE_application_layer_protocol_negotiation) { 1304 TLSEXT_TYPE_application_layer_protocol_negotiation) {
1412 unsigned int len; 1305 unsigned int len;
1413 1306
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-23 04:03:06 +0000