From 53b67670aed6045cad80223c1a6c17f141aad8a1 Mon Sep 17 00:00:00 2001
From: jsing
Date: Sat, 12 Aug 2017 21:03:08 +0000
Subject: Remove NPN support.

NPN was never standardised and the last draft expired in October 2012. ALPN was standardised in July 2014 and has been supported in LibreSSL since December 2014. NPN has also been removed from Chromium in May 2016. TLS clients and servers that try to use/enable NPN will fail gracefully and fallback to the default protocol, since it will essentially appear that the otherside does not support NPN. At some point in the future we will actually remove the NPN related symbols entirely. ok bcook@ beck@ doug@
---
 lib/libssl/ssl_clnt.c | 56 +++------------------------------------------------
 1 file changed, 3 insertions(+), 53 deletions(-)

(limited to 'lib/libssl/ssl_clnt.c')

diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 865c961db74..ec4a4104fcc 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.15 2017/08/12 02:55:22 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.16 2017/08/12 21:03:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -407,14 +407,11 @@ ssl3_connect(SSL *s)
 		case SSL3_ST_CW_CHANGE_A:
 		case SSL3_ST_CW_CHANGE_B:
 			ret = ssl3_send_change_cipher_spec(s,
-			    SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B);
+			    SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B);
 			if (ret <= 0)
 				goto end;
-			if (S3I(s)->next_proto_neg_seen)
-				S3I(s)->hs.state = SSL3_ST_CW_NEXT_PROTO_A;
-			else
-				S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A;
+			S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A;
 			s->internal->init_num = 0;
 			s->session->cipher = S3I(s)->hs.new_cipher;
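Review bot: The new unconditional transition to `SSL3_ST_CW_FINISHED_A` after ChangeCipherSpec is only the graceful fallback the description promises if the client also stops advertising the NPN extension in its ClientHello; this view is limited to ssl_clnt.c, so whether the extension-building and ServerHello-parsing code (and whatever still sets `next_proto_neg_seen`) changed in the same commit cannot be confirmed here. If a peer is still told the client supports NPN, it would presumably wait for a NextProtocol message and receive Finished instead, aborting the handshake rather than falling back to the default protocol. A one-line comment at the assignment would make the intent explicit, e.g. `/* NPN is not negotiated, so Finished follows ChangeCipherSpec directly. */`, and it is worth confirming `next_proto_neg_seen` has no remaining readers on the client path. The enclosing `ssl3_connect` switch starts and ends outside the hunk.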
@@ -431,14 +428,6 @@ ssl3_connect(SSL *s)
 			break;
-		case SSL3_ST_CW_NEXT_PROTO_A:
-		case SSL3_ST_CW_NEXT_PROTO_B:
-			ret = ssl3_send_next_proto(s);
-			if (ret <= 0)
-				goto end;
-			S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A;
-			break;
 		case SSL3_ST_CW_FINISHED_A:
 		case SSL3_ST_CW_FINISHED_B:
 			ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A,
@@ -2599,45 +2588,6 @@ err:
 	return (0);
 }
-int
-ssl3_send_next_proto(SSL *s)
-{
-	CBB cbb, nextproto, npn, padding;
-	size_t pad_len;
-	uint8_t *pad;
-	memset(&cbb, 0, sizeof(cbb));
-	if (S3I(s)->hs.state == SSL3_ST_CW_NEXT_PROTO_A) {
-		pad_len = 32 - ((s->internal->next_proto_negotiated_len + 2) % 32);
-		if (!ssl3_handshake_msg_start_cbb(s, &cbb, &nextproto,
-		    SSL3_MT_NEXT_PROTO))
-			goto err;
-		if (!CBB_add_u8_length_prefixed(&nextproto, &npn))
-			goto err;
-		if (!CBB_add_bytes(&npn, s->internal->next_proto_negotiated,
-		    s->internal->next_proto_negotiated_len))
-			goto err;
-		if (!CBB_add_u8_length_prefixed(&nextproto, &padding))
-			goto err;
-		if (!CBB_add_space(&padding, &pad, pad_len))
-			goto err;
-		memset(pad, 0, pad_len);
-		if (!ssl3_handshake_msg_finish_cbb(s, &cbb))
-			goto err;
-		S3I(s)->hs.state = SSL3_ST_CW_NEXT_PROTO_B;
-	}
-	return (ssl3_handshake_write(s));
- err:
-	CBB_cleanup(&cbb);
-	return (-1);
-}
 /*
  * Check to see if handshake is full or resumed. Usually this is just a
  * case of checking to see if a cache hit has occurred. In the case of
-- 
cgit v1.2.3-59-g8ed1b