[openssl-commits] [openssl] master update
Rich Salz
rsalz at openssl.org
Mon Mar 21 01:27:31 UTC 2016
The branch master has been updated
via 0351baae36afe1182237e0bd88ec9d13f5c97f32 (commit)
from 89ff989d01314a6104e5063edfce316c8325f339 (commit)
- Log -----------------------------------------------------------------
commit 0351baae36afe1182237e0bd88ec9d13f5c97f32
Author: Todd Short <tshort at akamai.com>
Date: Sat Mar 12 09:14:05 2016 -0500
Fix ALPN - more fixes
* Clear proposed, along with selected, before looking at ClientHello
* Add test case for above
* Clear NPN seen after selecting ALPN on server
* Minor documentation updates
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
doc/ssl/SSL_CTX_set_alpn_select_cb.pod | 12 ++++++------
ssl/t1_lib.c | 15 +++++++++------
test/recipes/80-test_ssl.t | 8 ++++++--
3 files changed, 21 insertions(+), 14 deletions(-)
diff --git a/doc/ssl/SSL_CTX_set_alpn_select_cb.pod b/doc/ssl/SSL_CTX_set_alpn_select_cb.pod
index 974ca86..1a3d92c 100644
--- a/doc/ssl/SSL_CTX_set_alpn_select_cb.pod
+++ b/doc/ssl/SSL_CTX_set_alpn_select_cb.pod
@@ -2,8 +2,8 @@
=head1 NAME
-SSL_CTX_set_alpn_select_cb, SSL_CTX_set_alpn_protos, SSL_set_alpn_protos,
-SSL_get0_alpn_selected, SSL_select_next_proto - handle application layer
+SSL_CTX_set_alpn_protos, SSL_set_alpn_protos, SSL_CTX_set_alpn_select_cb,
+SSL_select_next_proto, SSL_get0_alpn_selected - handle application layer
protocol negotiation (ALPN)
=head1 SYNOPSIS
@@ -38,19 +38,19 @@ B<protos_len>.
SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
server to select which protocol to use for the incoming connection. When B<cb>
-is NULL, no ALPN is not used. The B<arg> value is pointer which is passed to
+is NULL, ALPN is not used. The B<arg> value is a pointer which is passed to
the application callback.
B<cb> is the application defined callback. The B<in>, B<inlen> parameters are a
vector in protocol-list format. The value of the B<out>, B<outlen> vector
-should be set to the value of a single protocol contained with in the B<in>,
+should be set to the value of a single protocol selected from the B<in>,
B<inlen> vector. The B<arg> parameter is the pointer set via
SSL_CTX_set_alpn_select_cb().
SSL_select_next_proto() is a helper function used to select protocols. It
implements the standard protocol selection. It is expected that this function
is called from the application callback B<cb>. The protocol data in B<server>,
-B<server_len> and B<client>, B<client_len> must be in protocol-list format
+B<server_len> and B<client>, B<client_len> must be in the protocol-list format
described below. The first item in the B<server>, B<server_len> list that
matches an item in the B<client>, B<client_len> list is selected, and returned
in B<out>, B<outlen>. The B<out> value will point into either B<server> or
@@ -60,7 +60,7 @@ function can also be used in the NPN callback.
SSL_get0_alpn_selected() returns a pointer to the selected protocol in B<data>
with length B<len>. It is not NUL-terminated. B<data> is set to NULL and B<len>
-is set to 0 if no protocol has been selected. B<data> value must not be freed.
+is set to 0 if no protocol has been selected. B<data> must not be freed.
=head1 NOTES
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 26c02a0..a20e85f 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1801,6 +1801,10 @@ static int tls1_alpn_handle_client_hello_late(SSL *s, int *ret, int *al)
return 0;
}
s->s3->alpn_selected_len = selected_len;
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ /* ALPN takes precedence over NPN. */
+ s->s3->next_proto_neg_seen = 0;
+#endif
} else {
*al = SSL_AD_NO_APPLICATION_PROTOCOL;
*ret = SSL_TLSEXT_ERR_ALERT_FATAL;
@@ -1902,6 +1906,10 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
OPENSSL_free(s->s3->alpn_selected);
s->s3->alpn_selected = NULL;
+ s->s3->alpn_selected_len = 0;
+ OPENSSL_free(s->s3->alpn_proposed);
+ s->s3->alpn_proposed = NULL;
+ s->s3->alpn_proposed_len = 0;
#ifndef OPENSSL_NO_HEARTBEATS
s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED |
SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
@@ -2216,8 +2224,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
else if (type == TLSEXT_TYPE_next_proto_neg &&
- s->s3->tmp.finish_md_len == 0 &&
- s->s3->alpn_selected == NULL) {
+ s->s3->tmp.finish_md_len == 0) {
/*-
* We shouldn't accept this extension on a
* renegotiation.
@@ -2243,10 +2250,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
s->s3->tmp.finish_md_len == 0) {
if (!tls1_alpn_handle_client_hello(s, &extension, al))
return 0;
-#ifndef OPENSSL_NO_NEXTPROTONEG
- /* ALPN takes precedence over NPN. */
- s->s3->next_proto_neg_seen = 0;
-#endif
}
/* session ticket processed earlier */
diff --git a/test/recipes/80-test_ssl.t b/test/recipes/80-test_ssl.t
index ba57695..da32fac 100644
--- a/test/recipes/80-test_ssl.t
+++ b/test/recipes/80-test_ssl.t
@@ -627,10 +627,10 @@ sub testssl {
subtest 'ALPN tests' => sub {
######################################################################
- plan tests => 12;
+ plan tests => 13;
SKIP: {
- skip "TLSv1.0 is not supported by this OpenSSL build", 12
+ skip "TLSv1.0 is not supported by this OpenSSL build", 13
if $no_tls1;
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo"])));
@@ -658,6 +658,10 @@ sub testssl {
"-alpn_server1", "foo,123", "-sn_server1", "alice",
"-alpn_server2", "bar,456", "-sn_server2", "bob",
"-alpn_expected", "bar"])));
+ ok(run(test([@ssltest, "-bio_pair",
+ "-alpn_client", "foo,bar", "-sn_client", "bob",
+ "-alpn_server2", "bar,456", "-sn_server2", "bob",
+ "-alpn_expected", "bar"])));
}
};
More information about the openssl-commits
mailing list