8 files changed, 16 insertions, 170 deletions

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 2584ceb88b..ddf847d390 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.42 2016/08/01 17:32:19 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.43 2016/08/02 07:47:11 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -310,14 +310,6 @@ tls_configure_ssl(struct tls *ctx)
         if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
                 SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
 
-        if (ctx->config->alpn != NULL) {
-                if (SSL_CTX_set_alpn_protos(ctx->ssl_ctx, ctx->config->alpn,
-                    ctx->config->alpn_len) != 0) {
-                        tls_set_errorx(ctx, "failed to set alpn");
-                        goto err;
-                }
-        }
-
         if (ctx->config->ciphers != NULL) {
                 if (SSL_CTX_set_cipher_list(ctx->ssl_ctx,
                     ctx->config->ciphers) != 1) {
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index e518623a71..1497319611 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.31 2016/08/01 17:40:23 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.32 2016/08/02 07:47:11 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -52,7 +52,6 @@ const char *tls_error(struct tls *_ctx);
 struct tls_config *tls_config_new(void);
 void tls_config_free(struct tls_config *_config);
 
-int tls_config_set_alpn(struct tls_config *_config, const char *_alpn);
 int tls_config_set_ca_file(struct tls_config *_config, const char *_ca_file);
 int tls_config_set_ca_path(struct tls_config *_config, const char *_ca_path);
 int tls_config_set_ca_mem(struct tls_config *_config, const uint8_t *_ca,
@@ -117,9 +116,8 @@ const char *tls_peer_cert_subject(struct tls *_ctx);
 time_t  tls_peer_cert_notbefore(struct tls *_ctx);
 time_t  tls_peer_cert_notafter(struct tls *_ctx);
 
-const char *tls_conn_alpn_selected(struct tls *_ctx);
-const char *tls_conn_cipher(struct tls *_ctx);
 const char *tls_conn_version(struct tls *_ctx);
+const char *tls_conn_cipher(struct tls *_ctx);
 
 uint8_t *tls_load_file(const char *_file, size_t *_len, char *_password);
 
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 640a69e783..63054ab1e9 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.23 2016/08/01 17:32:19 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.24 2016/08/02 07:47:11 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -166,7 +166,6 @@ tls_config_free(struct tls_config *config)
 
         free(config->error.msg);
 
-        free(config->alpn);
         free((char *)config->ca_file);
         free((char *)config->ca_mem);
         free((char *)config->ca_path);
@@ -250,73 +249,6 @@ tls_config_parse_protocols(uint32_t *protocols, const char *protostr)
         return (0);
 }
 
-static int
-tls_config_parse_alpn(struct tls_config *config, const char *alpn,
-    char **alpn_data, size_t *alpn_len)
-{
-        size_t buf_len, i, len;
-        char *buf = NULL;
-        char *s = NULL;
-        char *p, *q;
-
-        free(*alpn_data);
-        *alpn_data = NULL;
-        *alpn_len = 0;
-
-        if ((buf_len = strlen(alpn) + 1) > 65535) {
-                tls_config_set_errorx(config, "alpn too large");
-                goto err;
-        }
-
-        if ((buf = malloc(buf_len)) == NULL) {
-                tls_config_set_errorx(config, "out of memory");
-                goto err;
-        }
-
-        if ((s = strdup(alpn)) == NULL) {
-                tls_config_set_errorx(config, "out of memory");
-                goto err;
-        }
-
-        i = 0;
-        q = s;
-        while ((p = strsep(&q, ",")) != NULL) {
-                if ((len = strlen(p)) == 0) {
-                        tls_config_set_errorx(config,
-                            "alpn protocol with zero length");
-                        goto err;
-                }
-                if (len > 255) {
-                        tls_config_set_errorx(config,
-                            "alpn protocol too long");
-                        goto err;
-                }
-                buf[i++] = len & 0xff;
-                memcpy(&buf[i], p, len);
-                i += len;
-        }
-
-        free(s);
-
-        *alpn_data = buf;
-        *alpn_len = buf_len;
-
-        return (0);
-
- err:
-        free(buf);
-        free(s);
-
-        return (-1);
-}
-
-int
-tls_config_set_alpn(struct tls_config *config, const char *alpn)
-{
-        return tls_config_parse_alpn(config, alpn, &config->alpn,
-            &config->alpn_len);
-}
-
 int
 tls_config_set_ca_file(struct tls_config *config, const char *ca_file)
 {
diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c
index 93526fceeb..6caf655536 100644
--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.6 2016/08/01 17:32:19 jsing Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.7 2016/08/02 07:47:11 jsing Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -150,26 +150,6 @@ tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore, time_t *notafter)
         return (rv);
 }
 
-static int
-tls_conninfo_alpn_proto(struct tls *ctx)
-{
-        const unsigned char *p;
-        unsigned int len;
-
-        free(ctx->conninfo->alpn);
-        ctx->conninfo->alpn = NULL;
-
-        SSL_get0_alpn_selected(ctx->ssl_conn, &p, &len);
-        if (len > 0) {
-                if ((ctx->conninfo->alpn = malloc(len + 1)) == NULL)
-                        return (-1);
-                memcpy(ctx->conninfo->alpn, p, len);
-                ctx->conninfo->alpn[len] = '\0';
-        }
-
-        return (0);
-}
-
 int
 tls_get_conninfo(struct tls *ctx) {
         const char * tmp;
@@ -195,9 +175,6 @@ tls_get_conninfo(struct tls *ctx) {
         ctx->conninfo->cipher = strdup(tmp);
         if (ctx->conninfo->cipher == NULL)
                 goto err;
-        if (tls_conninfo_alpn_proto(ctx) == -1)
-                goto err;
-
         return (0);
 err:
         tls_free_conninfo(ctx->conninfo);
@@ -207,8 +184,6 @@ err:
 void
 tls_free_conninfo(struct tls_conninfo *conninfo) {
         if (conninfo != NULL) {
-                free(conninfo->alpn);
-                conninfo->alpn = NULL;
                 free(conninfo->hash);
                 conninfo->hash = NULL;
                 free(conninfo->subject);
@@ -223,14 +198,6 @@ tls_free_conninfo(struct tls_conninfo *conninfo) {
 }
 
 const char *
-tls_conn_alpn_selected(struct tls *ctx)
-{
-        if (ctx->conninfo == NULL)
-                return (NULL);
-        return (ctx->conninfo->alpn);
-}
-
-const char *
 tls_conn_cipher(struct tls *ctx)
 {
         if (ctx->conninfo == NULL)
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index 0969c093a1..6ba2cb28be 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.63 2016/08/01 17:32:19 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.64 2016/08/02 07:47:11 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 1 2016 $
+.Dd $Mdocdate: August 2 2016 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -24,7 +24,6 @@
 .Nm tls_config_new ,
 .Nm tls_config_free ,
 .Nm tls_config_parse_protocols ,
-.Nm tls_config_set_alpn ,
 .Nm tls_config_set_ca_file ,
 .Nm tls_config_set_ca_path ,
 .Nm tls_config_set_ca_mem ,
@@ -55,9 +54,8 @@
 .Nm tls_peer_cert_hash ,
 .Nm tls_peer_cert_notbefore ,
 .Nm tls_peer_cert_notafter ,
-.Nm tls_conn_alpn_selected ,
-.Nm tls_conn_cipher ,
 .Nm tls_conn_version ,
+.Nm tls_conn_cipher ,
 .Nm tls_load_file ,
 .Nm tls_client ,
 .Nm tls_server ,
@@ -90,8 +88,6 @@
 .Ft "int"
 .Fn tls_config_parse_protocols "uint32_t *protocols" "const char *protostr"
 .Ft "int"
-.Fn tls_config_set_alpn "struct tls_config *config" "const char *alpn"
-.Ft "int"
 .Fn tls_config_set_ca_file "struct tls_config *config" "const char *ca_file"
 .Ft "int"
 .Fn tls_config_set_ca_path "struct tls_config *config" "const char *ca_path"
@@ -152,11 +148,9 @@
 .Ft "time_t"
 .Fn tls_peer_cert_notafter "struct tls *ctx"
 .Ft "const char *"
-.Fn tls_conn_alpn_selected "struct tls *ctx"
+.Fn tls_conn_version "struct tls *ctx"
 .Ft "const char *"
 .Fn tls_conn_cipher "struct tls *ctx"
-.Ft "const char *"
-.Fn tls_conn_version "struct tls *ctx"
 .Ft "uint8_t *"
 .Fn tls_load_file "const char *file" "size_t *len" "char *password"
 .Ft "struct tls *"
@@ -301,11 +295,6 @@ The following functions modify a configuration by setting parameters.
 Configuration options may apply to only clients or only servers or both.
 .Bl -bullet -offset four
 .It
-.Fn tls_config_set_alpn
-sets the ALPN protocols that are supported.
-The alpn string is a comma separated list of protocols, in order of preference.
-.Em (Client and Server)
-.It
 .Fn tls_config_set_ca_file
 sets the filename used to load a file
 containing the root certificates.
@@ -491,14 +480,13 @@ the peer certificate from
 will only succeed after the handshake is complete.
 .Em (Server and client)
 .It
-.Fn tls_conn_alpn_selected
-returns a string that specifies the ALPN protocol selected for use with the peer
+.Fn tls_conn_version
+returns a string
+corresponding to a TLS version negotiated with the peer
 connected to
 .Ar ctx .
-If no protocol was selected then NULL is returned.
-.Fn tls_conn_alpn_selected
+.Fn tls_conn_version
 will only succeed after the handshake is complete.
-.Em (Server and Client)
 .It
 .Fn tls_conn_cipher
 returns a string
@@ -509,14 +497,6 @@ connected to
 will only succeed after the handshake is complete.
 .Em (Server and client)
 .It
-.Fn tls_conn_version
-returns a string
-corresponding to a TLS version negotiated with the peer
-connected to
-.Ar ctx .
-.Fn tls_conn_version
-will only succeed after the handshake is complete.
-.It
 .Fn tls_load_file
 loads a certificate or key from disk into memory to be loaded with
 .Fn tls_config_set_ca_mem ,
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 17358429c7..be5d659e68 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.33 2016/08/01 17:32:19 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.34 2016/08/02 07:47:11 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -55,8 +55,6 @@ struct tls_keypair {
 struct tls_config {
         struct tls_error error;
 
-        char *alpn;
-        size_t alpn_len;
         const char *ca_file;
         const char *ca_path;
         char *ca_mem;
@@ -75,7 +73,6 @@ struct tls_config {
 };
 
 struct tls_conninfo {
-        char *alpn;
         char *issuer;
         char *subject;
         char *hash;
@@ -107,7 +104,6 @@ struct tls {
         SSL *ssl_conn;
         SSL_CTX *ssl_ctx;
         X509 *ssl_peer_cert;
-
         struct tls_conninfo *conninfo;
 };
 
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index f13c9db083..bba15aae7e 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.20 2016/08/01 17:32:19 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.21 2016/08/02 07:47:11 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -48,20 +48,6 @@ tls_server_conn(struct tls *ctx)
         return (conn_ctx);
 }
 
-static int
-tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
-    const unsigned char *in, unsigned int inlen, void *arg)
-{
-        struct tls *ctx = arg;
-
-        if (SSL_select_next_proto((unsigned char**)out, outlen,
-            ctx->config->alpn, ctx->config->alpn_len, in, inlen) ==
-            OPENSSL_NPN_NEGOTIATED)
-                return (SSL_TLSEXT_ERR_OK);
-
-        return (SSL_TLSEXT_ERR_NOACK);
-}
-
 int
 tls_configure_server(struct tls *ctx)
 {
@@ -85,10 +71,6 @@ tls_configure_server(struct tls *ctx)
                         goto err;
         }
 
-        if (ctx->config->alpn != NULL)
-                SSL_CTX_set_alpn_select_cb(ctx->ssl_ctx, tls_server_alpn_cb,
-                    ctx);
-
         if (ctx->config->dheparams == -1)
                 SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1);
         else if (ctx->config->dheparams == 1024)
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index eec72bade8..9e73750a6e 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.15 2015/09/29 13:10:53 jsing Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.16 2016/08/02 07:47:11 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  *
@@ -114,7 +114,6 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name)
                 GENERAL_NAME    *altname;
 
                 altname = sk_GENERAL_NAME_value(altname_stack, i);
-
                 if (altname->type != type)
                         continue;