1 files changed, 3 insertions, 110 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 3e5133ab54..911e8d3f4e 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.127 2017/08/12 02:55:22 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.128 2017/08/12 21:03:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -779,16 +779,6 @@ skip_ext:
                        i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ret);
        }
-        if (s->ctx->internal->next_proto_select_cb &&
-            !S3I(s)->tmp.finish_md_len) {
-                /* The client advertises an emtpy extension to indicate its
-                 * support for Next Protocol Negotiation */
-                if ((size_t)(limit - ret) < 4)
-                        return NULL;
-                s2n(TLSEXT_TYPE_next_proto_neg, ret);
-                s2n(0, ret);
-        }
        if (s->internal->alpn_client_proto_list != NULL &&
            S3I(s)->tmp.finish_md_len == 0) {
                if ((size_t)(limit - ret) <
@@ -868,7 +858,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
 {
        int extdatalen = 0;
        unsigned char *ret = p;
-        int next_proto_neg_seen;
        size_t len;
        CBB cbb;
@@ -949,26 +938,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                ret += sizeof(cryptopro_ext);
        }
-        next_proto_neg_seen = S3I(s)->next_proto_neg_seen;
-        S3I(s)->next_proto_neg_seen = 0;
-        if (next_proto_neg_seen && s->ctx->internal->next_protos_advertised_cb) {
-                const unsigned char *npa;
-                unsigned int npalen;
-                int r;
-                r = s->ctx->internal->next_protos_advertised_cb(s, &npa, &npalen,
-                    s->ctx->internal->next_protos_advertised_cb_arg);
-                if (r == SSL_TLSEXT_ERR_OK) {
-                        if ((size_t)(limit - ret) < 4 + npalen)
-                                return NULL;
-                        s2n(TLSEXT_TYPE_next_proto_neg, ret);
-                        s2n(npalen, ret);
-                        memcpy(ret, npa, npalen);
-                        ret += npalen;
-                        S3I(s)->next_proto_neg_seen = 1;
-                }
-        }
        if (S3I(s)->alpn_selected != NULL) {
                const unsigned char *selected = S3I(s)->alpn_selected;
                unsigned int len = S3I(s)->alpn_selected_len;
@@ -1070,7 +1039,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
        s->internal->servername_done = 0;
        s->tlsext_status_type = -1;
        S3I(s)->renegotiate_seen = 0;
-        S3I(s)->next_proto_neg_seen = 0;
        free(S3I(s)->alpn_selected);
        S3I(s)->alpn_selected = NULL;
        s->internal->srtp_profile = NULL;
@@ -1227,36 +1195,13 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                                */
                                s->tlsext_status_type = -1;
                        }
-                }
+                } else if (type ==
-                else if (type == TLSEXT_TYPE_next_proto_neg &&
-                    S3I(s)->tmp.finish_md_len == 0 &&
-                    S3I(s)->alpn_selected == NULL) {
-                        /* We shouldn't accept this extension on a
-                         * renegotiation.
-                         *
-                         * s->internal->new_session will be set on renegotiation, but we
-                         * probably shouldn't rely that it couldn't be set on
-                         * the initial renegotation too in certain cases (when
-                         * there's some other reason to disallow resuming an
-                         * earlier session -- the current code won't be doing
-                         * anything like that, but this might change).
-                         * A valid sign that there's been a previous handshake
-                         * in this connection is if S3I(s)->tmp.finish_md_len >
-                         * 0.  (We are talking about a check that will happen
-                         * in the Hello protocol round, well before a new
-                         * Finished message could have been computed.) */
-                        S3I(s)->next_proto_neg_seen = 1;
-                }
-                else if (type ==
                    TLSEXT_TYPE_application_layer_protocol_negotiation &&
                    s->ctx->internal->alpn_select_cb != NULL &&
                    S3I(s)->tmp.finish_md_len == 0) {
                        if (tls1_alpn_handle_client_hello(s, data,
                            size, al) != 1)
                                return (0);
-                        /* ALPN takes precedence over NPN. */
-                        S3I(s)->next_proto_neg_seen = 0;
                }
                /* session ticket processed earlier */
@@ -1293,25 +1238,6 @@ err:
        return 0;
 }
-/*
- * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
- * elements of zero length are allowed and the set of elements must exactly fill
- * the length of the block.
- */
-static char
-ssl_next_proto_validate(const unsigned char *d, unsigned int len)
-{
-        CBS npn, value;
-        CBS_init(&npn, d, len);
-        while (CBS_len(&npn) > 0) {
-                if (!CBS_get_u8_length_prefixed(&npn, &value) ||
-                    CBS_len(&value) == 0)
-                        return 0;
-        }
-        return 1;
-}
 int
 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
 {
@@ -1323,7 +1249,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
        CBS cbs;
        S3I(s)->renegotiate_seen = 0;
-        S3I(s)->next_proto_neg_seen = 0;
        free(S3I(s)->alpn_selected);
        S3I(s)->alpn_selected = NULL;
@@ -1375,39 +1300,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
                        }
                        /* Set flag to expect CertificateStatus message */
                        s->internal->tlsext_status_expected = 1;
-                }
+                } else if (type ==
-                else if (type == TLSEXT_TYPE_next_proto_neg &&
-                    S3I(s)->tmp.finish_md_len == 0) {
-                        unsigned char *selected;
-                        unsigned char selected_len;
-                        /* We must have requested it. */
-                        if (s->ctx->internal->next_proto_select_cb == NULL) {
-                                *al = TLS1_AD_UNSUPPORTED_EXTENSION;
-                                return 0;
-                        }
-                        /* The data must be valid */
-                        if (!ssl_next_proto_validate(data, size)) {
-                                *al = TLS1_AD_DECODE_ERROR;
-                                return 0;
-                        }
-                        if (s->ctx->internal->next_proto_select_cb(s, &selected,
-                            &selected_len, data, size,
-                            s->ctx->internal->next_proto_select_cb_arg) !=
-                            SSL_TLSEXT_ERR_OK) {
-                                *al = TLS1_AD_INTERNAL_ERROR;
-                                return 0;
-                        }
-                        s->internal->next_proto_negotiated = malloc(selected_len);
-                        if (!s->internal->next_proto_negotiated) {
-                                *al = TLS1_AD_INTERNAL_ERROR;
-                                return 0;
-                        }
-                        memcpy(s->internal->next_proto_negotiated, selected, selected_len);
-                        s->internal->next_proto_negotiated_len = selected_len;
-                        S3I(s)->next_proto_neg_seen = 1;
-                }
-                else if (type ==
                    TLSEXT_TYPE_application_layer_protocol_negotiation) {
                        unsigned int len;

diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 3e5133ab54..911e8d3f4e 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_lib.c,v 1.127 2017/08/12 02:55:22 jsing Exp $ */	1	/* $OpenBSD: t1_lib.c,v 1.128 2017/08/12 21:03:08 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -779,16 +779,6 @@ skip_ext:
779	i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ret);	779	i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ret);
780	}	780	}
781		781
782	if (s->ctx->internal->next_proto_select_cb &&
783	!S3I(s)->tmp.finish_md_len) {
784	/* The client advertises an emtpy extension to indicate its
785	* support for Next Protocol Negotiation */
786	if ((size_t)(limit - ret) < 4)
787	return NULL;
788	s2n(TLSEXT_TYPE_next_proto_neg, ret);
789	s2n(0, ret);
790	}
791
792	if (s->internal->alpn_client_proto_list != NULL &&	782	if (s->internal->alpn_client_proto_list != NULL &&
793	S3I(s)->tmp.finish_md_len == 0) {	783	S3I(s)->tmp.finish_md_len == 0) {
794	if ((size_t)(limit - ret) <	784	if ((size_t)(limit - ret) <
@@ -868,7 +858,6 @@ ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char *limit)
868	{	858	{
869	int extdatalen = 0;	859	int extdatalen = 0;
870	unsigned char *ret = p;	860	unsigned char *ret = p;
871	int next_proto_neg_seen;
872	size_t len;	861	size_t len;
873	CBB cbb;	862	CBB cbb;
874		863
@@ -949,26 +938,6 @@ ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char *limit)
949	ret += sizeof(cryptopro_ext);	938	ret += sizeof(cryptopro_ext);
950	}	939	}
951		940
952	next_proto_neg_seen = S3I(s)->next_proto_neg_seen;
953	S3I(s)->next_proto_neg_seen = 0;
954	if (next_proto_neg_seen && s->ctx->internal->next_protos_advertised_cb) {
955	const unsigned char *npa;
956	unsigned int npalen;
957	int r;
958
959	r = s->ctx->internal->next_protos_advertised_cb(s, &npa, &npalen,
960	s->ctx->internal->next_protos_advertised_cb_arg);
961	if (r == SSL_TLSEXT_ERR_OK) {
962	if ((size_t)(limit - ret) < 4 + npalen)
963	return NULL;
964	s2n(TLSEXT_TYPE_next_proto_neg, ret);
965	s2n(npalen, ret);
966	memcpy(ret, npa, npalen);
967	ret += npalen;
968	S3I(s)->next_proto_neg_seen = 1;
969	}
970	}
971
972	if (S3I(s)->alpn_selected != NULL) {	941	if (S3I(s)->alpn_selected != NULL) {
973	const unsigned char *selected = S3I(s)->alpn_selected;	942	const unsigned char *selected = S3I(s)->alpn_selected;
974	unsigned int len = S3I(s)->alpn_selected_len;	943	unsigned int len = S3I(s)->alpn_selected_len;
@@ -1070,7 +1039,6 @@ ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d,
1070	s->internal->servername_done = 0;	1039	s->internal->servername_done = 0;
1071	s->tlsext_status_type = -1;	1040	s->tlsext_status_type = -1;
1072	S3I(s)->renegotiate_seen = 0;	1041	S3I(s)->renegotiate_seen = 0;
1073	S3I(s)->next_proto_neg_seen = 0;
1074	free(S3I(s)->alpn_selected);	1042	free(S3I(s)->alpn_selected);
1075	S3I(s)->alpn_selected = NULL;	1043	S3I(s)->alpn_selected = NULL;
1076	s->internal->srtp_profile = NULL;	1044	s->internal->srtp_profile = NULL;
@@ -1227,36 +1195,13 @@ ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d,
1227	*/	1195	*/
1228	s->tlsext_status_type = -1;	1196	s->tlsext_status_type = -1;
1229	}	1197	}
1230	}	1198	} else if (type ==
1231	else if (type == TLSEXT_TYPE_next_proto_neg &&
1232	S3I(s)->tmp.finish_md_len == 0 &&
1233	S3I(s)->alpn_selected == NULL) {
1234	/* We shouldn't accept this extension on a
1235	* renegotiation.
1236	*
1237	* s->internal->new_session will be set on renegotiation, but we
1238	* probably shouldn't rely that it couldn't be set on
1239	* the initial renegotation too in certain cases (when
1240	* there's some other reason to disallow resuming an
1241	* earlier session -- the current code won't be doing
1242	* anything like that, but this might change).
1243
1244	* A valid sign that there's been a previous handshake
1245	* in this connection is if S3I(s)->tmp.finish_md_len >
1246	* 0. (We are talking about a check that will happen
1247	* in the Hello protocol round, well before a new
1248	* Finished message could have been computed.) */
1249	S3I(s)->next_proto_neg_seen = 1;
1250	}
1251	else if (type ==
1252	TLSEXT_TYPE_application_layer_protocol_negotiation &&	1199	TLSEXT_TYPE_application_layer_protocol_negotiation &&
1253	s->ctx->internal->alpn_select_cb != NULL &&	1200	s->ctx->internal->alpn_select_cb != NULL &&
1254	S3I(s)->tmp.finish_md_len == 0) {	1201	S3I(s)->tmp.finish_md_len == 0) {
1255	if (tls1_alpn_handle_client_hello(s, data,	1202	if (tls1_alpn_handle_client_hello(s, data,
1256	size, al) != 1)	1203	size, al) != 1)
1257	return (0);	1204	return (0);
1258	/* ALPN takes precedence over NPN. */
1259	S3I(s)->next_proto_neg_seen = 0;
1260	}	1205	}
1261		1206
1262	/* session ticket processed earlier */	1207	/* session ticket processed earlier */
@@ -1293,25 +1238,6 @@ err:
1293	return 0;	1238	return 0;
1294	}	1239	}
1295		1240
1296	/*
1297	* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1298	* elements of zero length are allowed and the set of elements must exactly fill
1299	* the length of the block.
1300	*/
1301	static char
1302	ssl_next_proto_validate(const unsigned char *d, unsigned int len)
1303	{
1304	CBS npn, value;
1305
1306	CBS_init(&npn, d, len);
1307	while (CBS_len(&npn) > 0) {
1308	if (!CBS_get_u8_length_prefixed(&npn, &value) \|\|
1309	CBS_len(&value) == 0)
1310	return 0;
1311	}
1312	return 1;
1313	}
1314
1315	int	1241	int
1316	ssl_parse_serverhello_tlsext(SSL s, unsigned char p, size_t n, int al)	1242	ssl_parse_serverhello_tlsext(SSL s, unsigned char p, size_t n, int al)
1317	{	1243	{
@@ -1323,7 +1249,6 @@ ssl_parse_serverhello_tlsext(SSL s, unsigned char p, size_t n, int al)
1323	CBS cbs;	1249	CBS cbs;
1324		1250
1325	S3I(s)->renegotiate_seen = 0;	1251	S3I(s)->renegotiate_seen = 0;
1326	S3I(s)->next_proto_neg_seen = 0;
1327	free(S3I(s)->alpn_selected);	1252	free(S3I(s)->alpn_selected);
1328	S3I(s)->alpn_selected = NULL;	1253	S3I(s)->alpn_selected = NULL;
1329		1254
@@ -1375,39 +1300,7 @@ ssl_parse_serverhello_tlsext(SSL s, unsigned char p, size_t n, int al)
1375	}	1300	}
1376	/* Set flag to expect CertificateStatus message */	1301	/* Set flag to expect CertificateStatus message */
1377	s->internal->tlsext_status_expected = 1;	1302	s->internal->tlsext_status_expected = 1;
1378	}	1303	} else if (type ==
1379	else if (type == TLSEXT_TYPE_next_proto_neg &&
1380	S3I(s)->tmp.finish_md_len == 0) {
1381	unsigned char *selected;
1382	unsigned char selected_len;
1383
1384	/* We must have requested it. */
1385	if (s->ctx->internal->next_proto_select_cb == NULL) {
1386	*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1387	return 0;
1388	}
1389	/* The data must be valid */
1390	if (!ssl_next_proto_validate(data, size)) {
1391	*al = TLS1_AD_DECODE_ERROR;
1392	return 0;
1393	}
1394	if (s->ctx->internal->next_proto_select_cb(s, &selected,
1395	&selected_len, data, size,
1396	s->ctx->internal->next_proto_select_cb_arg) !=
1397	SSL_TLSEXT_ERR_OK) {
1398	*al = TLS1_AD_INTERNAL_ERROR;
1399	return 0;
1400	}
1401	s->internal->next_proto_negotiated = malloc(selected_len);
1402	if (!s->internal->next_proto_negotiated) {
1403	*al = TLS1_AD_INTERNAL_ERROR;
1404	return 0;
1405	}
1406	memcpy(s->internal->next_proto_negotiated, selected, selected_len);
1407	s->internal->next_proto_negotiated_len = selected_len;
1408	S3I(s)->next_proto_neg_seen = 1;
1409	}
1410	else if (type ==
1411	TLSEXT_TYPE_application_layer_protocol_negotiation) {	1304	TLSEXT_TYPE_application_layer_protocol_negotiation) {
1412	unsigned int len;	1305	unsigned int len;
1413		1306