Add Next Protocol Negotiation.
authorBen Laurie <ben@openssl.org>
Wed, 28 Jul 2010 10:06:55 +0000 (10:06 +0000)
committerBen Laurie <ben@openssl.org>
Wed, 28 Jul 2010 10:06:55 +0000 (10:06 +0000)
18 files changed:
CHANGES
Configure
apps/apps.c
apps/apps.h
apps/s_client.c
apps/s_server.c
ssl/s3_both.c
ssl/s3_clnt.c
ssl/s3_lib.c
ssl/s3_pkt.c
ssl/s3_srvr.c
ssl/ssl.h
ssl/ssl3.h
ssl/ssl_err.c
ssl/ssl_lib.c
ssl/ssl_locl.h
ssl/t1_lib.c
ssl/tls1.h

diff --git a/CHANGES b/CHANGES
index 96bc626..813a8bc 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,12 @@
 
  Changes between 1.0.0 and 1.1.0  [xx XXX xxxx]
 
+  *) Add Next Protocol Negotiation,
+     http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
+     disabled with a no-npn flag to config or Configure. Code donated
+     by Google.
+     [Adam Langley <agl@google.com> and Ben Laurie]
+
   *) Use type ossl_ssize_t instad of ssize_t which isn't available on
      all platforms. Move ssize_t definition from e_os.h to the public
      header file e_os2.h as it now appears in public header file cms.h
index 6b5b6c2..9203ad2 100755 (executable)
--- a/Configure
+++ b/Configure
@@ -168,7 +168,7 @@ my %table=(
 "debug-ben",   "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::bn86-elf.o co86-elf.o",
 "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
 "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
-"debug-ben-debug",     "gcc:$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::",
+"debug-ben-debug",     "gcc:$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::",
 "debug-ben-no-opt",    "gcc: -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG -Werror -DL_ENDIAN -DTERMIOS -Wall -g3::(unknown)::::::",
 "debug-ben-strict",    "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
index 3a3009d..5bd19c5 100644 (file)
@@ -3031,3 +3031,46 @@ int raw_write_stdout(const void *buf,int siz)
 int raw_write_stdout(const void *buf,int siz)
        {       return write(fileno(stdout),buf,siz);   }
 #endif
+
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NPN)
+/* next_protos_parse parses a comma separated list of strings into a string
+ * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
+ *   outlen: (output) set to the length of the resulting buffer on success.
+ *   in: a NUL termianted string like "abc,def,ghi"
+ *
+ *   returns: a malloced buffer or NULL on failure.
+ */
+unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
+       {
+       size_t len;
+       unsigned char *out;
+       size_t i, start = 0;
+
+       len = strlen(in);
+       if (len > 65535)
+               return NULL;
+
+       out = OPENSSL_malloc(strlen(in) + 1);
+       if (!out)
+               return NULL;
+
+       for (i = 0; i <= len; ++i)
+               {
+               if (i == len || in[i] == ',')
+                       {
+                       if (i - start > 255)
+                               {
+                               OPENSSL_free(out);
+                               return NULL;
+                               }
+                       out[start] = i - start;
+                       start = i + 1;
+                       }
+               else
+                       out[i+1] = in[i];
+               }
+
+       *outlen = len + 1;
+       return out;
+       }
+#endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NPN */
index b1b7e97..bc4d6ee 100644 (file)
@@ -364,3 +364,7 @@ int raw_write_stdout(const void *,int);
 #define TM_STOP                1
 double app_tminterval (int stop,int usertime);
 #endif
+
+#ifndef OPENSSL_NO_NPN
+unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
+#endif
index 484d009..11da205 100644 (file)
@@ -343,6 +343,9 @@ static void sc_usage(void)
        BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
        BIO_printf(bio_err," -status           - request certificate status from server\n");
        BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
+# ifndef OPENSSL_NO_NPN
+       BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
+# endif
 #endif
        BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
        }
@@ -367,6 +370,40 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
        
        return SSL_TLSEXT_ERR_OK;
        }
+
+# ifndef OPENSSL_NO_NPN
+/* This the context that we pass to next_proto_cb */
+typedef struct tlsextnextprotoctx_st {
+       unsigned char *data;
+       unsigned short len;
+       int status;
+} tlsextnextprotoctx;
+
+static tlsextnextprotoctx next_proto;
+
+static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
+       {
+       tlsextnextprotoctx *ctx = arg;
+
+       if (!c_quiet)
+               {
+               /* We can assume that |in| is syntactically valid. */
+               unsigned i;
+               BIO_printf(bio_c_out, "Protocols advertised by server: ");
+               for (i = 0; i < inlen; )
+                       {
+                       if (i)
+                               BIO_write(bio_c_out, ", ", 2);
+                       BIO_write(bio_c_out, &in[i + 1], in[i]);
+                       i += in[i] + 1;
+                       }
+               BIO_write(bio_c_out, "\n", 1);
+               }
+
+       ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
+       return SSL_TLSEXT_ERR_OK;
+       }
+# endif  /* ndef OPENSSL_NO_NPN */
 #endif
 
 enum
@@ -430,6 +467,9 @@ int MAIN(int argc, char **argv)
        char *servername = NULL; 
         tlsextctx tlsextcbp = 
         {NULL,0};
+# ifndef OPENSSL_NO_NPN
+       const char *next_proto_neg_in = NULL;
+# endif
 #endif
        char *sess_in = NULL;
        char *sess_out = NULL;
@@ -661,6 +701,13 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_TLSEXT
                else if (strcmp(*argv,"-no_ticket") == 0)
                        { off|=SSL_OP_NO_TICKET; }
+# ifndef OPENSSL_NO_NPN
+               else if (strcmp(*argv,"-nextprotoneg") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       next_proto_neg_in = *(++argv);
+                       }
+# endif
 #endif
                else if (strcmp(*argv,"-serverpref") == 0)
                        off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
@@ -767,6 +814,21 @@ bad:
        OpenSSL_add_ssl_algorithms();
        SSL_load_error_strings();
 
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NPN)
+       next_proto.status = -1;
+       if (next_proto_neg_in)
+               {
+               next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
+               if (next_proto.data == NULL)
+                       {
+                       BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
+                       goto end;
+                       }
+               }
+       else
+               next_proto.data = NULL;
+#endif
+
 #ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine_id, 1);
        if (ssl_client_engine_id)
@@ -888,6 +950,11 @@ bad:
         */
        if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
 
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NPN)
+       if (next_proto.data)
+               SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
+#endif
+
        if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
        if (cipher != NULL)
                if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
@@ -1747,6 +1814,18 @@ static void print_stuff(BIO *bio, SSL *s, int full)
        BIO_printf(bio,"Expansion: %s\n",
                expansion ? SSL_COMP_get_name(expansion) : "NONE");
 #endif
+
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NPN)
+       if (next_proto.status != -1) {
+               const unsigned char *proto;
+               unsigned int proto_len;
+               SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
+               BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
+               BIO_write(bio, proto, proto_len);
+               BIO_write(bio, "\n", 1);
+       }
+#endif
+
        SSL_SESSION_print(bio,SSL_get_session(s));
        BIO_printf(bio,"---\n");
        if (peer != NULL)
index e4a9a2b..d339968 100644 (file)
@@ -493,9 +493,12 @@ static void sv_usage(void)
        BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT2);
        BIO_printf(bio_err," -key2 arg     - Private Key file to use for servername, in cert file if\n");
        BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT2);
+# ifndef OPENSSL_NO_NPN
        BIO_printf(bio_err," -tlsextdebug  - hex dump of all TLS extensions received\n");
+# endif
        BIO_printf(bio_err," -no_ticket    - disable use of RFC4507bis session tickets\n");
        BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
+       BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
 #endif
        }
 
@@ -830,6 +833,24 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
        ret = SSL_TLSEXT_ERR_ALERT_FATAL;
        goto done;
        }
+
+# ifndef OPENSSL_NO_NPN
+/* This is the context that we pass to next_proto_cb */
+typedef struct tlsextnextprotoctx_st {
+       unsigned char *data;
+       unsigned int len;
+} tlsextnextprotoctx;
+
+static int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len, void *arg)
+       {
+       tlsextnextprotoctx *next_proto = arg;
+
+       *data = next_proto->data;
+       *len = next_proto->len;
+
+       return SSL_TLSEXT_ERR_OK;
+       }
+# endif  /* ndef OPENSSL_NO_NPN */
 #endif
 
 int MAIN(int, char **);
@@ -871,6 +892,10 @@ int MAIN(int argc, char *argv[])
 #endif
 #ifndef OPENSSL_NO_TLSEXT
         tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
+# ifndef OPENSSL_NO_NPN
+       const char *next_proto_neg_in = NULL;
+       tlsextnextprotoctx next_proto;
+# endif
 #endif
 #ifndef OPENSSL_NO_PSK
        /* by default do not send a PSK identity hint */
@@ -1201,7 +1226,13 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        s_key_file2= *(++argv);
                        }
-                       
+# ifndef OPENSSL_NO_NPN
+               else if (strcmp(*argv,"-nextprotoneg") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       next_proto_neg_in = *(++argv);
+                       }
+# endif
 #endif
 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
                else if (strcmp(*argv,"-jpake") == 0)
@@ -1306,6 +1337,21 @@ bad:
                                goto end;
                                }
                        }
+# ifndef OPENSSL_NO_NPN
+               if (next_proto_neg_in)
+                       {
+                       unsigned short len;
+                       next_proto.data = next_protos_parse(&len,
+                               next_proto_neg_in);
+                       if (next_proto.data == NULL)
+                               goto end;
+                       next_proto.len = len;
+                       }
+               else
+                       {
+                       next_proto.data = NULL;
+                       }
+# endif
 #endif
                }
 
@@ -1490,6 +1536,11 @@ bad:
                if (vpm)
                        SSL_CTX_set1_param(ctx2, vpm);
                }
+
+# ifndef OPENSSL_NO_NPN
+       if (next_proto.data)
+               SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto);
+# endif
 #endif 
 
 #ifndef OPENSSL_NO_DH
@@ -2174,6 +2225,10 @@ static int init_ssl_connection(SSL *con)
        X509 *peer;
        long verify_error;
        MS_STATIC char buf[BUFSIZ];
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NPN)
+       const unsigned char *next_proto_neg;
+       unsigned next_proto_neg_len;
+#endif
 
        if ((i=SSL_accept(con)) <= 0)
                {
@@ -2213,6 +2268,15 @@ static int init_ssl_connection(SSL *con)
                BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
        str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
        BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NPN)
+       SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
+       if (next_proto_neg)
+               {
+               BIO_printf(bio_s_out,"NEXTPROTO is ");
+               BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len);
+               BIO_printf(bio_s_out, "\n");
+               }
+#endif
        if (con->hit) BIO_printf(bio_s_out,"Reused session-id\n");
        if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) &
                TLS1_FLAGS_TLS_PADDING_BUG)
index a6d869d..89f7c42 100644 (file)
@@ -202,15 +202,40 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
        }
 
+#ifndef OPENSSL_NO_NPN
+/* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen to far. */
+static void ssl3_take_mac(SSL *s)
+       {
+       const char *sender;
+       int slen;
+
+       if (s->state & SSL_ST_CONNECT)
+               {
+               sender=s->method->ssl3_enc->server_finished_label;
+               slen=s->method->ssl3_enc->server_finished_label_len;
+               }
+       else
+               {
+               sender=s->method->ssl3_enc->client_finished_label;
+               slen=s->method->ssl3_enc->client_finished_label_len;
+               }
+
+       s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
+               sender,slen,s->s3->tmp.peer_finish_md);
+       }
+#endif
+
 int ssl3_get_finished(SSL *s, int a, int b)
        {
        int al,i,ok;
        long n;
        unsigned char *p;
 
+#ifdef OPENSSL_NO_NPN
        /* the mac has already been generated when we received the
         * change cipher spec message and is in s->s3->tmp.peer_finish_md
         */ 
+#endif
 
        n=s->method->ssl_get_message(s,
                a,
@@ -514,6 +539,15 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                s->init_num += i;
                n -= i;
                }
+
+#ifndef OPENSSL_NO_NPN
+       /* If receiving Finished, record MAC of prior handshake messages for
+        * Finished verification. */
+       if (*s->init_buf->data == SSL3_MT_FINISHED)
+               ssl3_take_mac(s);
+#endif
+
+       /* Feed this message into MAC computation. */
        ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
        if (s->msg_callback)
                s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + 4, s, s->msg_callback_arg);
index 41769fe..aa5604c 100644 (file)
@@ -423,7 +423,15 @@ int ssl3_connect(SSL *s)
                        ret=ssl3_send_change_cipher_spec(s,
                                SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
                        if (ret <= 0) goto end;
+
+#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NPN)
                        s->state=SSL3_ST_CW_FINISHED_A;
+#else
+                       if (s->next_proto_negotiated)
+                               s->state=SSL3_ST_CW_NEXT_PROTO_A;
+                       else
+                               s->state=SSL3_ST_CW_FINISHED_A;
+#endif
                        s->init_num=0;
 
                        s->session->cipher=s->s3->tmp.new_cipher;
@@ -451,6 +459,15 @@ int ssl3_connect(SSL *s)
 
                        break;
 
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NPN)
+               case SSL3_ST_CW_NEXT_PROTO_A:
+               case SSL3_ST_CW_NEXT_PROTO_B:
+                       ret=ssl3_send_next_proto(s);
+                       if (ret <= 0) goto end;
+                       s->state=SSL3_ST_CW_FINISHED_A;
+                       break;
+#endif
+
                case SSL3_ST_CW_FINISHED_A:
                case SSL3_ST_CW_FINISHED_B:
                        ret=ssl3_send_finished(s,
@@ -3000,6 +3017,32 @@ err:
  */
 
 #ifndef OPENSSL_NO_TLSEXT
+# ifndef OPENSSL_NO_NPN
+int ssl3_send_next_proto(SSL *s)
+       {
+       unsigned int len, padding_len;
+       unsigned char *d;
+
+       if (s->state == SSL3_ST_CW_NEXT_PROTO_A)
+               {
+               len = s->next_proto_negotiated_len;
+               padding_len = 32 - ((len + 2) % 32);
+               d = (unsigned char *)s->init_buf->data;
+               d[4] = len;
+               memcpy(d + 5, s->next_proto_negotiated, len);
+               d[5 + len] = padding_len;
+               memset(d + 6 + len, 0, padding_len);
+               *(d++)=SSL3_MT_NEXT_PROTO;
+               l2n3(2 + len + padding_len, d);
+               s->state = SSL3_ST_CW_NEXT_PROTO_B;
+               s->init_num = 4 + 2 + len + padding_len;
+               s->init_off = 0;
+               }
+
+       return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
+       }
+# endif
+
 int ssl3_check_finished(SSL *s)
        {
        int ok;
index d6b047c..497f64f 100644 (file)
@@ -2230,6 +2230,15 @@ void ssl3_clear(SSL *s)
        s->s3->num_renegotiations=0;
        s->s3->in_read_app_data=0;
        s->version=SSL3_VERSION;
+
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NPN)
+       if (s->next_proto_negotiated)
+               {
+               OPENSSL_free(s->next_proto_negotiated);
+               s->next_proto_negotiated = NULL;
+               s->next_proto_negotiated_len = 0;
+               }
+#endif
        }
 
 long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
index b30c032..08a7233 100644 (file)
@@ -1374,8 +1374,10 @@ err:
 int ssl3_do_change_cipher_spec(SSL *s)
        {
        int i;
+#ifdef OPENSSL_NO_NPN
        const char *sender;
        int slen;
+#endif
 
        if (s->state & SSL_ST_ACCEPT)
                i=SSL3_CHANGE_CIPHER_SERVER_READ;
@@ -1398,6 +1400,7 @@ int ssl3_do_change_cipher_spec(SSL *s)
        if (!s->method->ssl3_enc->change_cipher_state(s,i))
                return(0);
 
+#ifdef OPENSSL_NO_NPN
        /* we have to record the message digest at
         * this point so we can get it before we read
         * the finished message */
@@ -1414,6 +1417,7 @@ int ssl3_do_change_cipher_spec(SSL *s)
 
        s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
                sender,slen,s->s3->tmp.peer_finish_md);
+#endif
 
        return(1);
        }
index 92f73b6..57e516f 100644 (file)
@@ -538,7 +538,14 @@ int ssl3_accept(SSL *s)
                                 * the client uses its key from the certificate
                                 * for key exchange.
                                 */
+#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NPN)
                                s->state=SSL3_ST_SR_FINISHED_A;
+#else
+                               if (s->s3->next_proto_neg_seen)
+                                       s->state=SSL3_ST_SR_NEXT_PROTO_A;
+                               else
+                                       s->state=SSL3_ST_SR_FINISHED_A;
+#endif
                                s->init_num = 0;
                                }
                        else
@@ -581,10 +588,27 @@ int ssl3_accept(SSL *s)
                        ret=ssl3_get_cert_verify(s);
                        if (ret <= 0) goto end;
 
+#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NPN)
                        s->state=SSL3_ST_SR_FINISHED_A;
+#else
+                       if (s->s3->next_proto_neg_seen)
+                               s->state=SSL3_ST_SR_NEXT_PROTO_A;
+                       else
+                               s->state=SSL3_ST_SR_FINISHED_A;
+#endif
                        s->init_num=0;
                        break;
 
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NPN)
+               case SSL3_ST_SR_NEXT_PROTO_A:
+               case SSL3_ST_SR_NEXT_PROTO_B:
+                       ret=ssl3_get_next_proto(s);
+                       if (ret <= 0) goto end;
+                       s->init_num = 0;
+                       s->state=SSL3_ST_SR_FINISHED_A;
+                       break;
+#endif
+
                case SSL3_ST_SR_FINISHED_A:
                case SSL3_ST_SR_FINISHED_B:
                        ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
@@ -655,7 +679,16 @@ int ssl3_accept(SSL *s)
                        if (ret <= 0) goto end;
                        s->state=SSL3_ST_SW_FLUSH;
                        if (s->hit)
+                               {
+#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NPN)
                                s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+#else
+                               if (s->s3->next_proto_neg_seen)
+                                       s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
+                               else
+                                       s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+#endif
+                               }
                        else
                                s->s3->tmp.next_state=SSL_ST_OK;
                        s->init_num=0;
@@ -3177,4 +3210,72 @@ int ssl3_send_cert_status(SSL *s)
        /* SSL3_ST_SW_CERT_STATUS_B */
        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
        }
+
+# ifndef OPENSSL_NO_NPN
+/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
+ * sets the next_proto member in s if found */
+int ssl3_get_next_proto(SSL *s)
+       {
+       int ok;
+       unsigned proto_len, padding_len;
+       long n;
+       const unsigned char *p;
+
+       /* Clients cannot send a NextProtocol message if we didn't see the
+        * extension in their ClientHello */
+       if (!s->s3->next_proto_neg_seen)
+               {
+               SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
+               return -1;
+               }
+
+       n=s->method->ssl_get_message(s,
+               SSL3_ST_SR_NEXT_PROTO_A,
+               SSL3_ST_SR_NEXT_PROTO_B,
+               SSL3_MT_NEXT_PROTO,
+               129,
+               &ok);
+
+       if (!ok)
+               return((int)n);
+
+       /* s->state doesn't reflect whether ChangeCipherSpec has been received
+        * in this handshake, but s->s3->change_cipher_spec does (will be reset
+        * by ssl3_get_finished). */
+       if (!s->s3->change_cipher_spec)
+               {
+               SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
+               return -1;
+               }
+
+       if (n < 2)
+               return 0;  /* The body must be > 1 bytes long */
+
+       p=(unsigned char *)s->init_msg;
+
+       /* The payload looks like:
+        *   uint8 proto_len;
+        *   uint8 proto[proto_len];
+        *   uint8 padding_len;
+        *   uint8 padding[padding_len];
+        */
+       proto_len = p[0];
+       if (proto_len + 2 > s->init_num)
+               return 0;
+       padding_len = p[proto_len + 1];
+       if (proto_len + padding_len + 2 != s->init_num)
+               return 0;
+
+       s->next_proto_negotiated = OPENSSL_malloc(proto_len);
+       if (!s->next_proto_negotiated)
+               {
+               SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,ERR_R_MALLOC_FAILURE);
+               return 0;
+               }
+       memcpy(s->next_proto_negotiated, p + 1, proto_len);
+       s->next_proto_negotiated_len = proto_len;
+
+       return 1;
+       }
+# endif
 #endif
index e6244b0..971208b 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -852,6 +852,25 @@ struct ssl_ctx_st
        /* draft-rescorla-tls-opaque-prf-input-00.txt information */
        int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg);
        void *tlsext_opaque_prf_input_callback_arg;
+
+# ifndef OPENSSL_NO_NPN
+       /* Next protocol negotiation information */
+       /* (for experimental NPN extension). */
+
+       /* For a server, this contains a callback function by which the set of
+        * advertised protocols can be provided. */
+       int (*next_protos_advertised_cb)(SSL *s, const unsigned char **buf,
+                                        unsigned int *len, void *arg);
+       void *next_protos_advertised_cb_arg;
+       /* For a client, this contains a callback function that selects the
+        * next protocol from the list provided by the server. */
+       int (*next_proto_select_cb)(SSL *s, unsigned char **out,
+                                   unsigned char *outlen,
+                                   const unsigned char *in,
+                                   unsigned int inlen,
+                                   void *arg);
+       void *next_proto_select_cb_arg;
+# endif
 #endif
 
 #ifndef OPENSSL_NO_PSK
@@ -923,6 +942,30 @@ int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
 #endif
 void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len));
 void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len));
+#ifndef OPENSSL_NO_NPN
+void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s,
+                                          int (*cb) (SSL *ssl,
+                                                     const unsigned char **out,
+                                                     unsigned int *outlen,
+                                                     void *arg), void *arg);
+void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s,
+                                     int (*cb) (SSL *ssl, unsigned char **out,
+                                                unsigned char *outlen,
+                                                const unsigned char *in,
+                                                unsigned int inlen, void *arg),
+                                     void *arg);
+
+int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
+                         const unsigned char *in, unsigned int inlen,
+                         const unsigned char *client, unsigned int client_len);
+void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
+                                   unsigned *len);
+
+#define OPENSSL_NPN_UNSUPPORTED        0
+#define OPENSSL_NPN_NEGOTIATED 1
+#define OPENSSL_NPN_NO_OVERLAP 2
+
+#endif
 
 #ifndef OPENSSL_NO_PSK
 /* the maximum length of the buffer given to callbacks containing the
@@ -1179,6 +1222,19 @@ struct ssl_st
        void *tls_session_secret_cb_arg;
 
        SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
+
+#ifndef OPENSSL_NO_NPN
+       /* Next protocol negotiation. For the client, this is the protocol that
+        * we sent in NextProtocol and is set when handling ServerHello
+        * extensions.
+        *
+        * For a server, this is the client's selected_protocol from
+        * NextProtocol and is set when handling the NextProtocol message,
+        * before the Finished message. */
+       unsigned char *next_proto_negotiated;
+       unsigned char next_proto_negotiated_len;
+#endif
+
 #define session_ctx initial_ctx
 #else
 #define session_ctx ctx
@@ -1910,6 +1966,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL3_GET_KEY_EXCHANGE                     141
 #define SSL_F_SSL3_GET_MESSAGE                          142
 #define SSL_F_SSL3_GET_NEW_SESSION_TICKET               283
+#define SSL_F_SSL3_GET_NEXT_PROTO                       304
 #define SSL_F_SSL3_GET_RECORD                           143
 #define SSL_F_SSL3_GET_SERVER_CERTIFICATE               144
 #define SSL_F_SSL3_GET_SERVER_DONE                      145
@@ -2107,6 +2164,8 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_EXCESSIVE_MESSAGE_SIZE                    152
 #define SSL_R_EXTRA_DATA_IN_MESSAGE                     153
 #define SSL_R_GOT_A_FIN_BEFORE_A_CCS                    154
+#define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS               346
+#define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION          347
 #define SSL_R_HTTPS_PROXY_REQUEST                       155
 #define SSL_R_HTTP_REQUEST                              156
 #define SSL_R_ILLEGAL_PADDING                           283
index baaa89e..e98aac5 100644 (file)
@@ -455,6 +455,12 @@ typedef struct ssl3_state_st
        void *server_opaque_prf_input;
        size_t server_opaque_prf_input_len;
 
+#ifndef OPENSSL_NO_NPN
+       /* Set if we saw the Next Protocol Negotiation extension from
+          our peer. */
+       int next_proto_neg_seen;
+#endif
+
        struct  {
                /* actually only needs to be 16+20 */
                unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
@@ -546,6 +552,10 @@ typedef struct ssl3_state_st
 #define SSL3_ST_CW_CERT_VRFY_B         (0x191|SSL_ST_CONNECT)
 #define SSL3_ST_CW_CHANGE_A            (0x1A0|SSL_ST_CONNECT)
 #define SSL3_ST_CW_CHANGE_B            (0x1A1|SSL_ST_CONNECT)
+#ifndef OPENSSL_NO_NPN
+#define SSL3_ST_CW_NEXT_PROTO_A                (0x200|SSL_ST_CONNECT)
+#define SSL3_ST_CW_NEXT_PROTO_B                (0x201|SSL_ST_CONNECT)
+#endif
 #define SSL3_ST_CW_FINISHED_A          (0x1B0|SSL_ST_CONNECT)
 #define SSL3_ST_CW_FINISHED_B          (0x1B1|SSL_ST_CONNECT)
 /* read from server */
@@ -591,6 +601,10 @@ typedef struct ssl3_state_st
 #define SSL3_ST_SR_CERT_VRFY_B         (0x1A1|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CHANGE_A            (0x1B0|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CHANGE_B            (0x1B1|SSL_ST_ACCEPT)
+#ifndef OPENSSL_NO_NPN
+#define SSL3_ST_SR_NEXT_PROTO_A                (0x210|SSL_ST_ACCEPT)
+#define SSL3_ST_SR_NEXT_PROTO_B                (0x211|SSL_ST_ACCEPT)
+#endif
 #define SSL3_ST_SR_FINISHED_A          (0x1C0|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_FINISHED_B          (0x1C1|SSL_ST_ACCEPT)
 /* write to client */
@@ -615,6 +629,9 @@ typedef struct ssl3_state_st
 #define SSL3_MT_CLIENT_KEY_EXCHANGE            16
 #define SSL3_MT_FINISHED                       20
 #define SSL3_MT_CERTIFICATE_STATUS             22
+#ifndef OPENSSL_NO_NPN
+#define SSL3_MT_NEXT_PROTO                     67
+#endif
 #define DTLS1_MT_HELLO_VERIFY_REQUEST    3
 
 
index 0eed464..414f9d9 100644 (file)
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2009 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2010 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -155,6 +155,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL3_GET_KEY_EXCHANGE),        "SSL3_GET_KEY_EXCHANGE"},
 {ERR_FUNC(SSL_F_SSL3_GET_MESSAGE),     "SSL3_GET_MESSAGE"},
 {ERR_FUNC(SSL_F_SSL3_GET_NEW_SESSION_TICKET),  "SSL3_GET_NEW_SESSION_TICKET"},
+{ERR_FUNC(SSL_F_SSL3_GET_NEXT_PROTO),  "SSL3_GET_NEXT_PROTO"},
 {ERR_FUNC(SSL_F_SSL3_GET_RECORD),      "SSL3_GET_RECORD"},
 {ERR_FUNC(SSL_F_SSL3_GET_SERVER_CERTIFICATE),  "SSL3_GET_SERVER_CERTIFICATE"},
 {ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE), "SSL3_GET_SERVER_DONE"},
@@ -355,6 +356,8 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"},
 {ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"},
 {ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"},
+{ERR_REASON(SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS),"got next proto before a ccs"},
+{ERR_REASON(SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION),"got next proto without seeing extension"},
 {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST)   ,"https proxy request"},
 {ERR_REASON(SSL_R_HTTP_REQUEST)          ,"http request"},
 {ERR_REASON(SSL_R_ILLEGAL_PADDING)       ,"illegal padding"},
index 3c74ec1..f59a454 100644 (file)
@@ -353,6 +353,9 @@ SSL *SSL_new(SSL_CTX *ctx)
        s->tlsext_ocsp_resplen = -1;
        CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
        s->initial_ctx=ctx;
+# ifndef OPENSSL_NO_NPN
+       s->next_proto_negotiated = NULL;
+# endif
 #endif
 
        s->verify_result=X509_V_OK;
@@ -586,6 +589,11 @@ void SSL_free(SSL *s)
                kssl_ctx_free(s->kssl_ctx);
 #endif /* OPENSSL_NO_KRB5 */
 
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NPN)
+       if (s->next_proto_negotiated)
+               OPENSSL_free(s->next_proto_negotiated);
+#endif
+
        OPENSSL_free(s);
        }
 
@@ -1476,6 +1484,124 @@ int SSL_get_servername_type(const SSL *s)
                return TLSEXT_NAMETYPE_host_name;
        return -1;
        }
+
+# ifndef OPENSSL_NO_NPN
+/* SSL_select_next_proto implements the standard protocol selection. It is
+ * expected that this function is called from the callback set by
+ * SSL_CTX_set_next_proto_select_cb.
+ *
+ * The protocol data is assumed to be a vector of 8-bit, length prefixed byte
+ * strings. The length byte itself is not included in the length. A byte
+ * string of length 0 is invalid. No byte string may be truncated.
+ *
+ * The current, but experimental algorithm for selecting the protocol is:
+ *
+ * 1) If the server doesn't support NPN then this is indicated to the
+ * callback. In this case, the client application has to abort the connection
+ * or have a default application level protocol.
+ *
+ * 2) If the server supports NPN, but advertises an empty list then the
+ * client selects the first protcol in its list, but indicates via the
+ * API that this fallback case was enacted.
+ *
+ * 3) Otherwise, the client finds the first protocol in the server's list
+ * that it supports and selects this protocol. This is because it's
+ * assumed that the server has better information about which protocol
+ * a client should use.
+ *
+ * 4) If the client doesn't support any of the server's advertised
+ * protocols, then this is treated the same as case 2.
+ *
+ * It returns either
+ * OPENSSL_NPN_NEGOTIATED if a common protocol was found, or
+ * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
+ */
+int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsigned char *server, unsigned int server_len, const unsigned char *client, unsigned int client_len)
+       {
+       unsigned int i, j;
+       const unsigned char *result;
+       int status = OPENSSL_NPN_UNSUPPORTED;
+
+       /* For each protocol in server preference order, see if we support it. */
+       for (i = 0; i < server_len; )
+               {
+               for (j = 0; j < client_len; )
+                       {
+                       if (server[i] == client[j] &&
+                           memcmp(&server[i+1], &client[j+1], server[i]) == 0)
+                               {
+                               /* We found a match */
+                               result = &server[i];
+                               status = OPENSSL_NPN_NEGOTIATED;
+                               goto found;
+                               }
+                       j += client[j];
+                       j++;
+                       }
+               i += server[i];
+               i++;
+               }
+
+       /* There's no overlap between our protocols and the server's list. */
+       result = client;
+       status = OPENSSL_NPN_NO_OVERLAP;
+
+       found:
+       *out = (unsigned char *) result + 1;
+       *outlen = result[0];
+       return status;
+       }
+
+/* SSL_get0_next_proto_negotiated sets *data and *len to point to the client's
+ * requested protocol for this connection and returns 0. If the client didn't
+ * request any protocol, then *data is set to NULL.
+ *
+ * Note that the client can request any protocol it chooses. The value returned
+ * from this function need not be a member of the list of supported protocols
+ * provided by the callback.
+ */
+void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len)
+       {
+       *data = s->next_proto_negotiated;
+       if (!*data) {
+               *len = 0;
+       } else {
+               *len = s->next_proto_negotiated_len;
+       }
+}
+
+/* SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
+ * TLS server needs a list of supported protocols for Next Protocol
+ * Negotiation. The returned list must be in wire format.  The list is returned
+ * by setting |out| to point to it and |outlen| to its length. This memory will
+ * not be modified, but one should assume that the SSL* keeps a reference to
+ * it.
+ *
+ * The callback should return SSL_TLSEXT_ERR_OK if it wishes to advertise. Otherwise, no
+ * such extension will be included in the ServerHello. */
+void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg), void *arg)
+       {
+       ctx->next_protos_advertised_cb = cb;
+       ctx->next_protos_advertised_cb_arg = arg;
+       }
+
+/* SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
+ * client needs to select a protocol from the server's provided list. |out|
+ * must be set to point to the selected protocol (which may be within |in|).
+ * The length of the protocol name must be written into |outlen|. The server's
+ * advertised protocols are provided in |in| and |inlen|. The callback can
+ * assume that |in| is syntactically valid.
+ *
+ * The client must select a protocol. It is fatal to the connection if this
+ * callback returns a value other than SSL_TLSEXT_ERR_OK.
+ */
+void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg), void *arg)
+       {
+       ctx->next_proto_select_cb = cb;
+       ctx->next_proto_select_cb_arg = arg;
+       }
+
+# endif
 #endif
 
 static unsigned long ssl_session_hash(const SSL_SESSION *a)
@@ -1640,6 +1766,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
        ret->tlsext_status_cb = 0;
        ret->tlsext_status_arg = NULL;
 
+# ifndef OPENSSL_NO_NPN
+       ret->next_protos_advertised_cb = 0;
+       ret->next_proto_select_cb = 0;
+# endif
 #endif
 #ifndef OPENSSL_NO_PSK
        ret->psk_identity_hint=NULL;
index 41f0f77..95ec8a6 100644 (file)
@@ -968,6 +968,9 @@ int ssl3_get_server_certificate(SSL *s);
 int ssl3_check_cert_and_algorithm(SSL *s);
 #ifndef OPENSSL_NO_TLSEXT
 int ssl3_check_finished(SSL *s);
+# ifndef OPENSSL_NO_NPN
+int ssl3_send_next_proto(SSL *s);
+# endif
 #endif
 
 int dtls1_client_hello(SSL *s);
@@ -986,6 +989,9 @@ int ssl3_check_client_hello(SSL *s);
 int ssl3_get_client_certificate(SSL *s);
 int ssl3_get_client_key_exchange(SSL *s);
 int ssl3_get_cert_verify(SSL *s);
+#ifndef OPENSSL_NO_NPN
+int ssl3_get_next_proto(SSL *s);
+#endif
 
 int dtls1_send_hello_request(SSL *s);
 int dtls1_send_server_hello(SSL *s);
index ef40e5e..39b5e72 100644 (file)
@@ -494,6 +494,18 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                        i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
                }
 
+#ifndef OPENSSL_NO_NPN
+       if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
+               {
+               /* The client advertises an emtpy extension to indicate its
+                * support for Next Protocol Negotiation */
+               if (limit - ret - 4 < 0)
+                       return NULL;
+               s2n(TLSEXT_TYPE_next_proto_neg,ret);
+               s2n(0,ret);
+               }
+#endif
+
        if ((extdatalen = ret-p-2)== 0) 
                return p;
 
@@ -505,6 +517,9 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
        {
        int extdatalen=0;
        unsigned char *ret = p;
+#ifndef OPENSSL_NO_NPN
+       char next_proto_neg_seen;
+#endif
 
        /* don't add extensions for SSLv3, unless doing secure renegotiation */
        if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
@@ -618,6 +633,28 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
 
                }
 
+#ifndef OPENSSL_NO_NPN
+       next_proto_neg_seen = s->s3->next_proto_neg_seen;
+       s->s3->next_proto_neg_seen = 0;
+       if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
+               {
+               const unsigned char *npa;
+               unsigned int npalen;
+               int r;
+
+               r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
+               if (r == SSL_TLSEXT_ERR_OK)
+                       {
+                       if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
+                       s2n(TLSEXT_TYPE_next_proto_neg,ret);
+                       s2n(npalen,ret);
+                       memcpy(ret, npa, npalen);
+                       ret += npalen;
+                       s->s3->next_proto_neg_seen = 1;
+                       }
+               }
+#endif
+
        if ((extdatalen = ret-p-2)== 0) 
                return p;
 
@@ -958,6 +995,28 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                else
                                        s->tlsext_status_type = -1;
                        }
+#ifndef OPENSSL_NO_NPN
+               else if (type == TLSEXT_TYPE_next_proto_neg &&
+                         s->s3->tmp.finish_md_len == 0)
+                       {
+                       /* We shouldn't accept this extension on a
+                        * renegotiation.
+                        *
+                        * s->new_session will be set on renegotiation, but we
+                        * probably shouldn't rely that it couldn't be set on
+                        * the initial renegotation too in certain cases (when
+                        * there's some other reason to disallow resuming an
+                        * earlier session -- the current code won't be doing
+                        * anything like that, but this might change).
+
+                        * A valid sign that there's been a previous handshake
+                        * in this connection is if s->s3->tmp.finish_md_len >
+                        * 0.  (We are talking about a check that will happen
+                        * in the Hello protocol round, well before a new
+                        * Finished message could have been computed.) */
+                       s->s3->next_proto_neg_seen = 1;
+                       }
+#endif
 
                /* session ticket processed earlier */
                data+=size;
@@ -981,6 +1040,26 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
        return 1;
        }
 
+#ifndef OPENSSL_NO_NPN
+/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
+ * elements of zero length are allowed and the set of elements must exactly fill
+ * the length of the block. */
+static char ssl_next_proto_validate(unsigned char *d, unsigned len)
+       {
+       unsigned int off = 0;
+
+       while (off < len)
+               {
+               if (d[off] == 0)
+                       return 0;
+               off += d[off];
+               off++;
+               }
+
+       return off == len;
+       }
+#endif
+
 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
        {
        unsigned short length;
@@ -1115,6 +1194,39 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        /* Set flag to expect CertificateStatus message */
                        s->tlsext_status_expected = 1;
                        }
+#ifndef OPENSSL_NO_NPN
+               else if (type == TLSEXT_TYPE_next_proto_neg)
+                       {
+                       unsigned char *selected;
+                       unsigned char selected_len;
+
+                       /* We must have requested it. */
+                       if ((s->ctx->next_proto_select_cb == NULL))
+                               {
+                               *al = TLS1_AD_UNSUPPORTED_EXTENSION;
+                               return 0;
+                               }
+                       /* The data must be valid */
+                       if (!ssl_next_proto_validate(data, size))
+                               {
+                               *al = TLS1_AD_DECODE_ERROR;
+                               return 0;
+                               }
+                       if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
+                               {
+                               *al = TLS1_AD_INTERNAL_ERROR;
+                               return 0;
+                               }
+                       s->next_proto_negotiated = OPENSSL_malloc(selected_len);
+                       if (!s->next_proto_negotiated)
+                               {
+                               *al = TLS1_AD_INTERNAL_ERROR;
+                               return 0;
+                               }
+                       memcpy(s->next_proto_negotiated, selected, selected_len);
+                       s->next_proto_negotiated_len = selected_len;
+                       }
+#endif
                else if (type == TLSEXT_TYPE_renegotiate)
                        {
                        if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
index b32b713..c1b6546 100644 (file)
@@ -208,6 +208,11 @@ extern "C" {
 /* Temporary extension type */
 #define TLSEXT_TYPE_renegotiate                 0xff01
 
+#ifndef OPENSSL_NO_NPN
+/* This is not an IANA defined extension number */
+#define TLSEXT_TYPE_next_proto_neg             13172
+#endif
+
 /* NameType value from RFC 3546 */
 #define TLSEXT_NAMETYPE_host_name 0
 /* status request value from RFC 3546 */