[openssl-commits] [openssl] master update

Rich Salz rsalz at openssl.org
Mon Apr 10 16:06:05 UTC 2017

The branch master has been updated
       via  8313a787d770ac1d7ddafcbc41b13e7fb5841eae (commit)
      from  f120fa1efe6377850d1ecd389a02e0e2241912bc (commit)

- Log -----------------------------------------------------------------
commit 8313a787d770ac1d7ddafcbc41b13e7fb5841eae
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date:   Tue Feb 7 16:23:16 2017 -0600

    Allow an ALPN callback to pretend to not exist
    RFC 7301 mandates that the server SHALL respond with a fatal
    "no_application_protocol" alert when there is no overlap between
    the client's supplied list and the server's list of supported protocols.
    In commit 062178678f5374b09f00d70796f6e692e8775aca we changed from
    ignoring non-success returns from the supplied alpn_select_cb() to
    treating such non-success returns as indicative of non-overlap and
    sending the fatal alert.
    In effect, this is using the presence of an alpn_select_cb() as a proxy
    to attempt to determine whether the application has configured a list
    of supported protocols.  However, there may be cases in which an
    application's architecture leads it to supply an alpn_select_cb() but
    have that callback be configured to take no action on connections that
    do not have ALPN configured; returning SSL_TLSEXT_ERR_NOACK from
    the callback would be the natural way to do so.  Unfortunately, the
    aforementioned behavior change also treated SSL_TLSEXT_ERR_NOACK as
    indicative of no overlap and terminated the connection; this change
    supplies special handling for SSL_TLSEXT_ERR_NOACK returns from the
    callback.  In effect, it provides a way for a callback to obtain the
    behavior that would have occurred if no callback was registered at
    all, which was not possible prior to this change.
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2570)


Summary of changes:
 doc/man3/SSL_CTX_set_alpn_select_cb.pod | 8 +++++++-
 ssl/statem/extensions.c                 | 3 +++
 test/handshake_helper.c                 | 2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
index 5ff5a93..5ad063e 100644
--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
@@ -113,9 +113,15 @@ The ALPN select callback B<cb>, must return one of the following:
 ALPN protocol selected.
+There was no overlap between the client's supplied list and the server
-ALPN protocol not selected.
+ALPN protocol not selected, e.g., because no ALPN protocols are configured for
+this connection.
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index cd1d0bd..7ec7128 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -919,6 +919,9 @@ static int final_alpn(SSL *s, unsigned int context, int sent, int *al)
             /* ALPN takes precedence over NPN. */
             s->s3->npn_seen = 0;
+        } else if (r == SSL_TLSEXT_ERR_NOACK) {
+            /* Behave as if no callback was present. */
+            return 1;
         } else {
             return 0;
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index 47af3fe..94fa5c5 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -413,7 +413,7 @@ static int server_alpn_cb(SSL *s, const unsigned char **out,
     *out = tmp_out;
     /* Unlike NPN, we don't tolerate a mismatch. */

More information about the openssl-commits mailing list