GH787: Fix ALPN

* Perform ALPN after the SNI callback; the SSL_CTX may change due to
  that processing
* Add flags to indicate that we actually sent ALPN, to properly error
  out if unexpectedly received.
* clean up ssl3_free() no need to explicitly clear when doing memset
* document ALPN functions

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

diff --git a/CHANGES b/CHANGES
index 9f32b9adfd30e7cc58b67b189e90e9150aec1279..a5217e48ba0f741211f437d58761ca3ba7a3816c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,9 @@
      [Todd Short]
 
   *) Add SSL_CIPHER queries for authentication and key-exchange.
+
+  *) Modify behavior of ALPN to invoke callback after SNI/servername
+     callback, such that updates to the SSL_CTX affect ALPN.
      [Todd Short]
 
   *) Changes to the DEFAULT cipherlist:

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 5059e93748f86d477c9cff7b07870fc181274fa4..b26e9726972fe5d446394e7cd417f6b210d7afd4 100644 (file)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -2012,8 +2012,8 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
 
 const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr)
 {
-    const SSL_CIPHER *c;
-    c = ssl->method->get_cipher_by_char(ptr);
+    const SSL_CIPHER *c = ssl->method->get_cipher_by_char(ptr);
+
     if (c == NULL || c->valid == 0)
         return NULL;
     return c;
@@ -2037,10 +2037,8 @@ int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c)
 
 int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
 {
-    int i;
-    if (c == NULL)
-        return NID_undef;
-    i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);
+    int i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);
+
     if (i == -1)
         return NID_undef;
     return ssl_cipher_table_mac[i].nid;
@@ -2049,6 +2047,7 @@ int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
 int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c)
 {
     int i = ssl_cipher_info_lookup(ssl_cipher_table_kx, c->algorithm_mkey);
+
     if (i == -1)
         return NID_undef;
     return ssl_cipher_table_kx[i].nid;
@@ -2056,7 +2055,8 @@ int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c)
 
 int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c)
 {
-    int i = ssl_cipher_info_lookup(ssl_cipher_table_kx, c->algorithm_auth);
+    int i = ssl_cipher_info_lookup(ssl_cipher_table_auth, c->algorithm_auth);
+
     if (i == -1)
         return NID_undef;
     return ssl_cipher_table_kx[i].nid;