authorjsing <jsing@openbsd.org>2017-08-12 21:04:33 +0000
committerjsing <jsing@openbsd.org>2017-08-12 21:04:33 +0000
commit41eb9d41b05d86b98c9b26e57ba9af6189aff0cb (patch)
tree25276482600b74dbeb6d9e01d331d8a62927cb6f
parentRemove NPN support. (diff)
downloadwireguard-openbsd-41eb9d41b05d86b98c9b26e57ba9af6189aff0cb.tar.xz
wireguard-openbsd-41eb9d41b05d86b98c9b26e57ba9af6189aff0cb.zip
Remove NPN support - the -nextprotoneg options now become no-ops.
ok bcook@ beck@ doug@
-rw-r--r--usr.bin/openssl/apps.c5
-rw-r--r--usr.bin/openssl/s_cb.c8
-rw-r--r--usr.bin/openssl/s_client.c61
-rw-r--r--usr.bin/openssl/s_server.c52
4 files changed, 13 insertions, 113 deletions
diff --git a/usr.bin/openssl/apps.c b/usr.bin/openssl/apps.c
index 7594e77c19b..a63bbf9c130 100644
--- a/usr.bin/openssl/apps.c
+++ b/usr.bin/openssl/apps.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: apps.c,v 1.43 2017/04/18 02:15:50 deraadt Exp $ */
+/* $OpenBSD: apps.c,v 1.44 2017/08/12 21:04:33 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -2079,7 +2079,8 @@ policies_print(BIO *out, X509_STORE_CTX *ctx)
BIO_free(out);
}
-/* next_protos_parse parses a comma separated list of strings into a string
+/*
+ * next_protos_parse parses a comma separated list of strings into a string
* in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
* outlen: (output) set to the length of the resulting buffer on success.
* err: (maybe NULL) on failure, an error message line is written to this BIO.
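Review bot: The rewrapped header comment on next_protos_parse still describes its output as "in a format suitable for passing to SSL_CTX_set_next_protos_advertised", but that is the NPN API this commit is removing; the remaining callers visible in this commit hand the buffer to the -alpn handling in s_client.c and s_server.c. Since the hunk already rewrites the first two lines of this comment, the wording should follow, e.g. `* in the length-prefixed wire format expected by the ALPN setters.`, so the function is not documented in terms of an API that no longer exists here. The rest of the comment and the function body lie outside the hunk, so I cannot tell whether further NPN references remain below.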
diff --git a/usr.bin/openssl/s_cb.c b/usr.bin/openssl/s_cb.c
index d8ab83fb010..73c4953c623 100644
--- a/usr.bin/openssl/s_cb.c
+++ b/usr.bin/openssl/s_cb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_cb.c,v 1.7 2016/12/30 17:25:48 jsing Exp $ */
+/* $OpenBSD: s_cb.c,v 1.8 2017/08/12 21:04:33 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -732,12 +732,6 @@ tlsext_cb(SSL * s, int client_server, int type, unsigned char *data, int len,
extname = "renegotiation info";
break;
-#ifdef TLSEXT_TYPE_next_proto_neg
- case TLSEXT_TYPE_next_proto_neg:
- extname = "next protocol";
- break;
-#endif
-
default:
extname = "unknown";
break;
diff --git a/usr.bin/openssl/s_client.c b/usr.bin/openssl/s_client.c
index aa1c5764bd2..f81d1a61bbf 100644
--- a/usr.bin/openssl/s_client.c
+++ b/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.32 2017/04/18 02:15:50 deraadt Exp $ */
+/* $OpenBSD: s_client.c,v 1.33 2017/08/12 21:04:33 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -243,7 +243,6 @@ sc_usage(void)
BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n");
BIO_printf(bio_err, " -status - request certificate status from server\n");
BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n");
- BIO_printf(bio_err, " -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
BIO_printf(bio_err, " -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
BIO_printf(bio_err, " -groups arg - specify EC curve groups (colon-separated list)\n");
#ifndef OPENSSL_NO_SRTP
@@ -278,36 +277,6 @@ ssl_servername_cb(SSL * s, int *ad, void *arg)
char *srtp_profiles = NULL;
#endif
-/* This the context that we pass to next_proto_cb */
-typedef struct tlsextnextprotoctx_st {
- unsigned char *data;
- unsigned short len;
- int status;
-} tlsextnextprotoctx;
-
-static tlsextnextprotoctx next_proto;
-
-static int
-next_proto_cb(SSL * s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
-{
- tlsextnextprotoctx *ctx = arg;
-
- if (!c_quiet) {
- /* We can assume that |in| is syntactically valid. */
- unsigned i;
- BIO_printf(bio_c_out, "Protocols advertised by server: ");
- for (i = 0; i < inlen;) {
- if (i)
- BIO_write(bio_c_out, ", ", 2);
- BIO_write(bio_c_out, &in[i + 1], in[i]);
- i += in[i] + 1;
- }
- BIO_write(bio_c_out, "\n", 1);
- }
- ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
- return SSL_TLSEXT_ERR_OK;
-}
-
enum {
PROTO_OFF = 0,
PROTO_SMTP,
@@ -354,9 +323,7 @@ s_client_main(int argc, char **argv)
struct timeval timeout;
const char *errstr = NULL;
char *servername = NULL;
- tlsextctx tlsextcbp =
- {NULL, 0};
- const char *next_proto_neg_in = NULL;
+ tlsextctx tlsextcbp = {NULL, 0};
const char *alpn_in = NULL;
const char *groups_in = NULL;
char *sess_in = NULL;
@@ -532,9 +499,10 @@ s_client_main(int argc, char **argv)
} else if (strcmp(*argv, "-no_ticket") == 0) {
off |= SSL_OP_NO_TICKET;
} else if (strcmp(*argv, "-nextprotoneg") == 0) {
+ /* Ignored. */
if (--argc < 1)
goto bad;
- next_proto_neg_in = *(++argv);
+ ++argv;
} else if (strcmp(*argv, "-alpn") == 0) {
if (--argc < 1)
goto bad;
@@ -633,16 +601,6 @@ bad:
goto end;
}
- next_proto.status = -1;
- if (next_proto_neg_in) {
- next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
- if (next_proto.data == NULL) {
- BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
- goto end;
- }
- } else
- next_proto.data = NULL;
-
if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
@@ -704,8 +662,6 @@ bad:
if (socket_type == SOCK_DGRAM)
SSL_CTX_set_read_ahead(ctx, 1);
- if (next_proto.data)
- SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
if (alpn_in) {
unsigned short alpn_len;
unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
@@ -1256,7 +1212,6 @@ end:
print_stuff(bio_c_out, con, 1);
SSL_free(con);
}
- free(next_proto.data);
if (ctx != NULL)
SSL_CTX_free(ctx);
if (cert)
@@ -1404,14 +1359,6 @@ print_stuff(BIO * bio, SSL * s, int full)
}
#endif
- if (next_proto.status != -1) {
- const unsigned char *proto;
- unsigned int proto_len;
- SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
- BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
- BIO_write(bio, proto, proto_len);
- BIO_write(bio, "\n", 1);
- }
{
const unsigned char *proto;
unsigned int proto_len;
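Review bot: The `-nextprotoneg` branch in s_client_main (the `/* Ignored. */` lines) now swallows its argument silently, so a user or script that still relies on NPN gets no indication that the option does nothing, and the usage text removed from sc_usage no longer mentions it either. A one-line notice would make the no-op visible without changing argument handling: `BIO_printf(bio_err, "-nextprotoneg is no longer supported, ignoring\n");` placed before the `++argv`. The same applies to the matching branch in s_server_main in s_server.c, which is patched the same way in this commit. Both enclosing functions start and end outside their hunks.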
diff --git a/usr.bin/openssl/s_server.c b/usr.bin/openssl/s_server.c
index 493dc262644..7254109fba7 100644
--- a/usr.bin/openssl/s_server.c
+++ b/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.26 2017/04/18 02:15:50 deraadt Exp $ */
+/* $OpenBSD: s_server.c,v 1.27 2017/08/12 21:04:33 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -333,7 +333,6 @@ sv_usage(void)
BIO_printf(bio_err, " not specified (default is %s)\n", TEST_CERT2);
BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n");
BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n");
- BIO_printf(bio_err, " -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
BIO_printf(bio_err," -alpn arg - set the advertised protocols for the ALPN extension (comma-separated list)\n");
#ifndef OPENSSL_NO_SRTP
BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
@@ -509,24 +508,6 @@ err:
goto done;
}
-/* This is the context that we pass to next_proto_cb */
-typedef struct tlsextnextprotoctx_st {
- unsigned char *data;
- unsigned int len;
-} tlsextnextprotoctx;
-
-static int
-next_proto_cb(SSL * s, const unsigned char **data, unsigned int *len, void *arg)
-{
- tlsextnextprotoctx *next_proto = arg;
-
- *data = next_proto->data;
- *len = next_proto->len;
-
- return SSL_TLSEXT_ERR_OK;
-}
-
-
/* This the context that we pass to alpn_cb */
typedef struct tlsextalpnctx_st {
unsigned char *data;
@@ -599,8 +580,6 @@ s_server_main(int argc, char *argv[])
EVP_PKEY *s_key2 = NULL;
X509 *s_cert2 = NULL;
tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
- const char *next_proto_neg_in = NULL;
- tlsextnextprotoctx next_proto = { NULL, 0 };
const char *alpn_in = NULL;
tlsextalpnctx alpn_ctx = { NULL, 0 };
@@ -843,13 +822,12 @@ s_server_main(int argc, char *argv[])
if (--argc < 1)
goto bad;
s_key_file2 = *(++argv);
- }
- else if (strcmp(*argv, "-nextprotoneg") == 0) {
+ } else if (strcmp(*argv, "-nextprotoneg") == 0) {
+ /* Ignored. */
if (--argc < 1)
goto bad;
- next_proto_neg_in = *(++argv);
- }
- else if (strcmp(*argv,"-alpn") == 0) {
+ ++argv;
+ } else if (strcmp(*argv,"-alpn") == 0) {
if (--argc < 1)
goto bad;
alpn_in = *(++argv);
@@ -928,15 +906,6 @@ bad:
}
}
}
- if (next_proto_neg_in) {
- unsigned short len;
- next_proto.data = next_protos_parse(&len, next_proto_neg_in);
- if (next_proto.data == NULL)
- goto end;
- next_proto.len = len;
- } else {
- next_proto.data = NULL;
- }
alpn_ctx.data = NULL;
if (alpn_in) {
unsigned short len;
@@ -1083,8 +1052,6 @@ bad:
if (vpm)
SSL_CTX_set1_param(ctx2, vpm);
}
- if (next_proto.data)
- SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto);
if (alpn_ctx.data)
SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx);
@@ -1255,7 +1222,6 @@ end:
X509_free(s_cert2);
if (s_key2)
EVP_PKEY_free(s_key2);
- free(next_proto.data);
free(alpn_ctx.data);
if (bio_s_out != NULL) {
BIO_free(bio_s_out);
@@ -1614,8 +1580,6 @@ init_ssl_connection(SSL * con)
X509 *peer;
long verify_error;
char buf[BUFSIZ];
- const unsigned char *next_proto_neg;
- unsigned next_proto_neg_len;
unsigned char *exportedkeymat;
i = SSL_accept(con);
@@ -1650,12 +1614,6 @@ init_ssl_connection(SSL * con)
str = SSL_CIPHER_get_name(SSL_get_current_cipher(con));
BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL) ? str : "(NONE)");
- SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
- if (next_proto_neg) {
- BIO_printf(bio_s_out, "NEXTPROTO is ");
- BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len);
- BIO_printf(bio_s_out, "\n");
- }
#ifndef OPENSSL_NO_SRTP
{
SRTP_PROTECTION_PROFILE *srtp_profile