diff options
| author |   jsing <jsing@openbsd.org> | 2017-08-12 21:03:08 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2017-08-12 21:03:08 +0000 |
| commit | 53b67670aed6045cad80223c1a6c17f141aad8a1 (patch) | |
| tree | bed76e9fd170536e08ca8df37c663d6ce1f30ece /lib/libssl/ssl_clnt.c | |
| parent | Use the NET_LOCK() macro instead of handrolling it. (diff) | |
| download | wireguard-openbsd-53b67670aed6045cad80223c1a6c17f141aad8a1.tar.xz wireguard-openbsd-53b67670aed6045cad80223c1a6c17f141aad8a1.zip | |
Remove NPN support.
NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.
TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
otherside does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.
ok bcook@ beck@ doug@
Diffstat (limited to 'lib/libssl/ssl_clnt.c')
| -rw-r--r-- | lib/libssl/ssl_clnt.c | 56 |
1 files changed, 3 insertions, 53 deletions
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index 865c961db74..ec4a4104fcc 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.15 2017/08/12 02:55:22 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.16 2017/08/12 21:03:08 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -407,14 +407,11 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_CHANGE_A: case SSL3_ST_CW_CHANGE_B: ret = ssl3_send_change_cipher_spec(s, - SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B); + SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B); if (ret <= 0) goto end; - if (S3I(s)->next_proto_neg_seen) - S3I(s)->hs.state = SSL3_ST_CW_NEXT_PROTO_A; - else - S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A; + S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A; s->internal->init_num = 0; s->session->cipher = S3I(s)->hs.new_cipher; @@ -431,14 +428,6 @@ ssl3_connect(SSL *s) break; - case SSL3_ST_CW_NEXT_PROTO_A: - case SSL3_ST_CW_NEXT_PROTO_B: - ret = ssl3_send_next_proto(s); - if (ret <= 0) - goto end; - S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A; - break; - case SSL3_ST_CW_FINISHED_A: case SSL3_ST_CW_FINISHED_B: ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A, @@ -2599,45 +2588,6 @@ err: return (0); } -int -ssl3_send_next_proto(SSL *s) -{ - CBB cbb, nextproto, npn, padding; - size_t pad_len; - uint8_t *pad; - - memset(&cbb, 0, sizeof(cbb)); - - if (S3I(s)->hs.state == SSL3_ST_CW_NEXT_PROTO_A) { - pad_len = 32 - ((s->internal->next_proto_negotiated_len + 2) % 32); - - if (!ssl3_handshake_msg_start_cbb(s, &cbb, &nextproto, - SSL3_MT_NEXT_PROTO)) - goto err; - if (!CBB_add_u8_length_prefixed(&nextproto, &npn)) - goto err; - if (!CBB_add_bytes(&npn, s->internal->next_proto_negotiated, - s->internal->next_proto_negotiated_len)) - goto err; - if (!CBB_add_u8_length_prefixed(&nextproto, &padding)) - goto err; - if (!CBB_add_space(&padding, &pad, pad_len)) - goto err; - memset(pad, 0, pad_len); - if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) - goto err; - - S3I(s)->hs.state = SSL3_ST_CW_NEXT_PROTO_B; - } - - return (ssl3_handshake_write(s)); - - err: - CBB_cleanup(&cbb); - - return (-1); -} - /* * Check to see if handshake is full or resumed. Usually this is just a * case of checking to see if a cache hit has occurred. In the case of |