From f5ab0b8eff0fa56ebb9269ebd0025de4de12c7b1 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 12 Aug 2017 21:04:33 +0000
Subject: Remove NPN support - the -nextprotoneg options now become no-ops.

ok bcook@ beck@ doug@
---
 src/usr.bin/openssl/apps.c | 5 ++--
 src/usr.bin/openssl/s_cb.c | 8 +-----
 src/usr.bin/openssl/s_client.c | 61 +++---------------------------------------
 src/usr.bin/openssl/s_server.c | 52 ++++-------------------------------------
 4 files changed, 13 insertions(+), 113 deletions(-)
 (limited to 'src')

diff --git a/src/usr.bin/openssl/apps.c b/src/usr.bin/openssl/apps.c
index 7594e77c19..a63bbf9c13 100644
--- a/src/usr.bin/openssl/apps.c
+++ b/src/usr.bin/openssl/apps.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: apps.c,v 1.43 2017/04/18 02:15:50 deraadt Exp $ */
+/* $OpenBSD: apps.c,v 1.44 2017/08/12 21:04:33 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -2079,7 +2079,8 @@ policies_print(BIO *out, X509_STORE_CTX *ctx)
 BIO_free(out);
 }

-/* next_protos_parse parses a comma separated list of strings into a string
+/*
+ * next_protos_parse parses a comma separated list of strings into a string
 * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
 * outlen: (output) set to the length of the resulting buffer on success.
 * err: (maybe NULL) on failure, an error message line is written to this BIO.
diff --git a/src/usr.bin/openssl/s_cb.c b/src/usr.bin/openssl/s_cb.c
index d8ab83fb01..73c4953c62 100644
--- a/src/usr.bin/openssl/s_cb.c
+++ b/src/usr.bin/openssl/s_cb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_cb.c,v 1.7 2016/12/30 17:25:48 jsing Exp $ */
+/* $OpenBSD: s_cb.c,v 1.8 2017/08/12 21:04:33 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
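Review bot: The rewrapped header comment for next_protos_parse still says the output is "suitable for passing to SSL_CTX_set_next_protos_advertised", an NPN API whose last callers this commit deletes; with NPN gone, the only callers of next_protos_parse visible in this patch are the `-alpn` paths in s_client.c and s_server.c. Since the line is being reformatted anyway, I'd fix the stale reference in the same hunk: ` * in the length-prefixed wire format used by the ALPN extension (the` / ` * remaining callers hand it to the SSL_CTX ALPN APIs).` This hunk shows only the comment; the body of next_protos_parse is outside it, so I have not checked whether it carries any other NPN wording.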
@@ -732,12 +732,6 @@ tlsext_cb(SSL * s, int client_server, int type, unsigned char *data, int len,
 extname = "renegotiation info";
 break;

-#ifdef TLSEXT_TYPE_next_proto_neg
- case TLSEXT_TYPE_next_proto_neg:
- extname = "next protocol";
- break;
-#endif
-
 default:
 extname = "unknown";
 break;
diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c
index aa1c5764bd..f81d1a61bb 100644
--- a/src/usr.bin/openssl/s_client.c
+++ b/src/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.32 2017/04/18 02:15:50 deraadt Exp $ */
+/* $OpenBSD: s_client.c,v 1.33 2017/08/12 21:04:33 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -243,7 +243,6 @@ sc_usage(void)
 BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n");
 BIO_printf(bio_err, " -status - request certificate status from server\n");
 BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n");
- BIO_printf(bio_err, " -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
 BIO_printf(bio_err, " -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
 BIO_printf(bio_err, " -groups arg - specify EC curve groups (colon-separated list)\n");
 #ifndef OPENSSL_NO_SRTP
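Review bot: Dropping the TLSEXT_TYPE_next_proto_neg case means a peer that still sends NPN is now reported by -tlsextdebug as "unknown" rather than by name, which makes the dump least helpful exactly when debugging interop with an older peer. tlsext_cb only labels what was received and does not act on it, so a name-only case keyed on the numeric extension type keeps the diagnostic informative without reintroducing any NPN handling: `case 13172: /* NPN; no longer supported */` / `extname = "next protocol (unsupported)";` / `break;`. If the installed headers still define the macro, this is moot and the `#ifdef` block could simply have stayed, so worth a quick check before deciding. tlsext_cb's signature is in the hunk header, but the rest of its body is outside the hunk.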
@@ -278,36 +277,6 @@ ssl_servername_cb(SSL * s, int *ad, void *arg)
 char *srtp_profiles = NULL;
 #endif

-/* This the context that we pass to next_proto_cb */
-typedef struct tlsextnextprotoctx_st {
- unsigned char *data;
- unsigned short len;
- int status;
-} tlsextnextprotoctx;
-
-static tlsextnextprotoctx next_proto;
-
-static int
-next_proto_cb(SSL * s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
-{
- tlsextnextprotoctx *ctx = arg;
-
- if (!c_quiet) {
- /* We can assume that |in| is syntactically valid. */
- unsigned i;
- BIO_printf(bio_c_out, "Protocols advertised by server: ");
- for (i = 0; i < inlen;) {
- if (i)
- BIO_write(bio_c_out, ", ", 2);
- BIO_write(bio_c_out, &in[i + 1], in[i]);
- i += in[i] + 1;
- }
- BIO_write(bio_c_out, "\n", 1);
- }
- ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
- return SSL_TLSEXT_ERR_OK;
-}
-
 enum {
 PROTO_OFF = 0,
 PROTO_SMTP,
@@ -354,9 +323,7 @@ s_client_main(int argc, char **argv)
 struct timeval timeout;
 const char *errstr = NULL;
 char *servername = NULL;
- tlsextctx tlsextcbp =
- {NULL, 0};
- const char *next_proto_neg_in = NULL;
+ tlsextctx tlsextcbp = {NULL, 0};
 const char *alpn_in = NULL;
 const char *groups_in = NULL;
 char *sess_in = NULL;
@@ -532,9 +499,10 @@ s_client_main(int argc, char **argv)
 } else if (strcmp(*argv, "-no_ticket") == 0) {
 off |= SSL_OP_NO_TICKET;
 } else if (strcmp(*argv, "-nextprotoneg") == 0) {
+ /* Ignored. */
 if (--argc < 1)
 goto bad;
- next_proto_neg_in = *(++argv);
+ ++argv;
 } else if (strcmp(*argv, "-alpn") == 0) {
 if (--argc < 1)
 goto bad;
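Review bot: The new `/* Ignored. */` branch accepts `-nextprotoneg` and consumes its argument without any output, and an earlier hunk in this file removes the option from sc_usage, so a user or test script that still passes it gets no sign that NPN is no longer negotiated — the handshake simply proceeds without it, which is easy to misread as NPN having worked. I'd make the no-op visible with a single line before `++argv;`: `BIO_printf(bio_err, "warning: -nextprotoneg is no longer supported and is ignored\n");`. Keeping the `--argc < 1` / `goto bad` check is right, since existing command lines that pass a value must still parse. s_client_main's option loop continues outside the hunk.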
@@ -633,16 +601,6 @@ bad:
 goto end;
 }

- next_proto.status = -1;
- if (next_proto_neg_in) {
- next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
- if (next_proto.data == NULL) {
- BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
- goto end;
- }
- } else
- next_proto.data = NULL;
-
 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) {
 BIO_printf(bio_err, "Error getting password\n");
 goto end;
@@ -704,8 +662,6 @@ bad:
 if (socket_type == SOCK_DGRAM)
 SSL_CTX_set_read_ahead(ctx, 1);

- if (next_proto.data)
- SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
 if (alpn_in) {
 unsigned short alpn_len;
 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
@@ -1256,7 +1212,6 @@ end:
 print_stuff(bio_c_out, con, 1);
 SSL_free(con);
 }
- free(next_proto.data);
 if (ctx != NULL)
 SSL_CTX_free(ctx);
 if (cert)
@@ -1404,14 +1359,6 @@ print_stuff(BIO * bio, SSL * s, int full)
 }
 #endif

- if (next_proto.status != -1) {
- const unsigned char *proto;
- unsigned int proto_len;
- SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
- BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
- BIO_write(bio, proto, proto_len);
- BIO_write(bio, "\n", 1);
- }
 {
 const unsigned char *proto;
 unsigned int proto_len;
diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index 493dc26264..7254109fba 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.26 2017/04/18 02:15:50 deraadt Exp $ */
+/* $OpenBSD: s_server.c,v 1.27 2017/08/12 21:04:33 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -333,7 +333,6 @@ sv_usage(void)
 BIO_printf(bio_err, " not specified (default is %s)\n", TEST_CERT2);
 BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n");
 BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n");
- BIO_printf(bio_err, " -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
 BIO_printf(bio_err," -alpn arg - set the advertised protocols for the ALPN extension (comma-separated list)\n");
 #ifndef OPENSSL_NO_SRTP
 BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
@@ -509,24 +508,6 @@ err:
 goto done;
 }

-/* This is the context that we pass to next_proto_cb */
-typedef struct tlsextnextprotoctx_st {
- unsigned char *data;
- unsigned int len;
-} tlsextnextprotoctx;
-
-static int
-next_proto_cb(SSL * s, const unsigned char **data, unsigned int *len, void *arg)
-{
- tlsextnextprotoctx *next_proto = arg;
-
- *data = next_proto->data;
- *len = next_proto->len;
-
- return SSL_TLSEXT_ERR_OK;
-}
-
-
 /* This the context that we pass to alpn_cb */
 typedef struct tlsextalpnctx_st {
 unsigned char *data;
@@ -599,8 +580,6 @@ s_server_main(int argc, char *argv[])
 EVP_PKEY *s_key2 = NULL;
 X509 *s_cert2 = NULL;
 tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
- const char *next_proto_neg_in = NULL;
- tlsextnextprotoctx next_proto = { NULL, 0 };
 const char *alpn_in = NULL;
 tlsextalpnctx alpn_ctx = { NULL, 0 };

@@ -843,13 +822,12 @@ s_server_main(int argc, char *argv[])
 if (--argc < 1)
 goto bad;
 s_key_file2 = *(++argv);
- }
- else if (strcmp(*argv, "-nextprotoneg") == 0) {
+ } else if (strcmp(*argv, "-nextprotoneg") == 0) {
+ /* Ignored. */
 if (--argc < 1)
 goto bad;
- next_proto_neg_in = *(++argv);
- }
- else if (strcmp(*argv,"-alpn") == 0) {
+ ++argv;
+ } else if (strcmp(*argv,"-alpn") == 0) {
 if (--argc < 1)
 goto bad;
 alpn_in = *(++argv);
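Review bot: In the `-nextprotoneg` branch of s_server_main the option is now parsed and its value discarded with only a `/* Ignored. */` comment, while the sv_usage hunk above removes its help text, so an operator who configured an NPN protocol list is never told that the list is not advertised; a server started from an old script will look healthy and silently offer no NPN. One line ahead of `++argv;` makes the no-op observable: `BIO_printf(bio_err, "warning: -nextprotoneg is no longer supported and is ignored\n");`. Retaining the `--argc < 1` check is correct so that command lines still passing a value keep parsing. The option loop of s_server_main continues beyond the hunk.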
@@ -928,15 +906,6 @@ bad:
 }
 }
 }
- if (next_proto_neg_in) {
- unsigned short len;
- next_proto.data = next_protos_parse(&len, next_proto_neg_in);
- if (next_proto.data == NULL)
- goto end;
- next_proto.len = len;
- } else {
- next_proto.data = NULL;
- }
 alpn_ctx.data = NULL;
 if (alpn_in) {
 unsigned short len;
@@ -1083,8 +1052,6 @@ bad:
 if (vpm)
 SSL_CTX_set1_param(ctx2, vpm);
 }
- if (next_proto.data)
- SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto);
 if (alpn_ctx.data)
 SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx);

@@ -1255,7 +1222,6 @@ end:
 X509_free(s_cert2);
 if (s_key2)
 EVP_PKEY_free(s_key2);
- free(next_proto.data);
 free(alpn_ctx.data);
 if (bio_s_out != NULL) {
 BIO_free(bio_s_out);
@@ -1614,8 +1580,6 @@ init_ssl_connection(SSL * con)
 X509 *peer;
 long verify_error;
 char buf[BUFSIZ];
- const unsigned char *next_proto_neg;
- unsigned next_proto_neg_len;
 unsigned char *exportedkeymat;

 i = SSL_accept(con);
@@ -1650,12 +1614,6 @@ init_ssl_connection(SSL * con)
 str = SSL_CIPHER_get_name(SSL_get_current_cipher(con));
 BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL) ? str : "(NONE)");

- SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
- if (next_proto_neg) {
- BIO_printf(bio_s_out, "NEXTPROTO is ");
- BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len);
- BIO_printf(bio_s_out, "\n");
- }
 #ifndef OPENSSL_NO_SRTP
 {
 SRTP_PROTECTION_PROFILE *srtp_profile
-- 
cgit v1.2.3-55-g6feb