Support ALPN.

This change adds support for ALPN[1] in OpenSSL. ALPN is the IETF
blessed version of NPN and we'll be supporting both ALPN and NPN for
some time yet.

[1] https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-00

Conflicts:
	ssl/ssl3.h
	ssl/t1_lib.c

diff --git a/apps/s_client.c b/apps/s_client.c
index 5fb5dffda7cb3b528409805cfa6f8c9e36f64035..b7e4fbb40831639b5f22afbd5a935539f84bcc9d 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -364,6 +364,7 @@ static void sc_usage(void)
        BIO_printf(bio_err," -proof_debug      - request an audit proof and print its hex dump\n");
 # ifndef OPENSSL_NO_NEXTPROTONEG
        BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
        BIO_printf(bio_err," -proof_debug      - request an audit proof and print its hex dump\n");
 # ifndef OPENSSL_NO_NEXTPROTONEG
        BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");

+       BIO_printf(bio_err," -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)\n");

 # endif
 #ifndef OPENSSL_NO_TLSEXT
        BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
 # endif
 #ifndef OPENSSL_NO_TLSEXT
        BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");


@@ -636,6 +637,7 @@ int MAIN(int argc, char **argv)
         {NULL,0};
 # ifndef OPENSSL_NO_NEXTPROTONEG
        const char *next_proto_neg_in = NULL;
         {NULL,0};
 # ifndef OPENSSL_NO_NEXTPROTONEG
        const char *next_proto_neg_in = NULL;

+       const char *alpn_in = NULL;

 # endif
 # define MAX_SI_TYPES 100
        unsigned short serverinfo_types[MAX_SI_TYPES];
 # endif
 # define MAX_SI_TYPES 100
        unsigned short serverinfo_types[MAX_SI_TYPES];


@@ -993,6 +995,11 @@ static char *jpake_secret = NULL;
                        if (--argc < 1) goto bad;
                        next_proto_neg_in = *(++argv);
                        }
                        if (--argc < 1) goto bad;
                        next_proto_neg_in = *(++argv);
                        }

+               else if (strcmp(*argv,"-alpn") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       alpn_in = *(++argv);
+                       }

 # endif
                else if (strcmp(*argv,"-serverinfo") == 0)
                        {
 # endif
                else if (strcmp(*argv,"-serverinfo") == 0)
                        {


@@ -1306,9 +1313,23 @@ bad:
         */
        if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
 
         */
        if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
 

-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_TLSEXT)
+# if !defined(OPENSSL_NO_NEXTPROTONEG)

        if (next_proto.data)
                SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
        if (next_proto.data)
                SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);

+# endif
+       if (alpn_in)
+               {
+               unsigned short alpn_len;
+               unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
+
+               if (alpn == NULL)
+                       {
+                       BIO_printf(bio_err, "Error parsing -alpn argument\n");
+                       goto end;
+                       }
+               SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
+               }

 #endif
 #ifndef OPENSSL_NO_TLSEXT
                if (serverinfo_types_count)
 #endif
 #ifndef OPENSSL_NO_TLSEXT
                if (serverinfo_types_count)


@@ -2265,7 +2286,8 @@ static void print_stuff(BIO *bio, SSL *s, int full)
        }
 #endif
 
        }
 #endif
 

-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_TLSEXT)
+# if !defined(OPENSSL_NO_NEXTPROTONEG)

        if (next_proto.status != -1) {
                const unsigned char *proto;
                unsigned int proto_len;
        if (next_proto.status != -1) {
                const unsigned char *proto;
                unsigned int proto_len;


@@ -2274,6 +2296,20 @@ static void print_stuff(BIO *bio, SSL *s, int full)
                BIO_write(bio, proto, proto_len);
                BIO_write(bio, "\n", 1);
        }
                BIO_write(bio, proto, proto_len);
                BIO_write(bio, "\n", 1);
        }

+       {
+               const unsigned char *proto;
+               unsigned int proto_len;
+               SSL_get0_alpn_selected(s, &proto, &proto_len);
+               if (proto_len > 0)
+                       {
+                       BIO_printf(bio, "ALPN protocol: ");
+                       BIO_write(bio, proto, proto_len);
+                       BIO_write(bio, "\n", 1);
+                       }
+               else
+                       BIO_printf(bio, "No ALPN negotiated\n");
+       }
+# endif

 #endif
 
        {
 #endif
 
        {

diff --git a/apps/s_server.c b/apps/s_server.c
index bf61a8d09eefb9482576017b09ac22e777b90a84..f5c26dc60534c81bf8eb31d67882ab6ec9d9bd53 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -578,6 +578,7 @@ static void sv_usage(void)
        BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
 # endif
         BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
        BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
 # endif
         BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");

+       BIO_printf(bio_err," -alpn arg  - set the advertised protocols for the ALPN extension (comma-separated list)\n");

 #endif
        BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
        BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
 #endif
        BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
        BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");


@@ -932,7 +933,48 @@ static int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len,
        return SSL_TLSEXT_ERR_OK;
        }
 # endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
        return SSL_TLSEXT_ERR_OK;
        }
 # endif  /* ndef OPENSSL_NO_NEXTPROTONEG */

-#endif
+
+/* This the context that we pass to alpn_cb */
+typedef struct tlsextalpnctx_st {
+       unsigned char *data;
+       unsigned short len;
+} tlsextalpnctx;
+
+static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
+       {
+       tlsextalpnctx *alpn_ctx = arg;
+
+       if (!s_quiet)
+               {
+               /* We can assume that |in| is syntactically valid. */
+               unsigned i;
+               BIO_printf(bio_s_out, "ALPN protocols advertised by the client: ");
+               for (i = 0; i < inlen; )
+                       {
+                       if (i)
+                               BIO_write(bio_s_out, ", ", 2);
+                       BIO_write(bio_s_out, &in[i + 1], in[i]);
+                       i += in[i] + 1;
+                       }
+               BIO_write(bio_s_out, "\n", 1);
+               }
+
+       if (SSL_select_next_proto((unsigned char**) out, outlen, alpn_ctx->data, alpn_ctx->len, in, inlen) !=
+           OPENSSL_NPN_NEGOTIATED)
+               {
+               return SSL_TLSEXT_ERR_NOACK;
+               }
+
+       if (!s_quiet)
+               {
+               BIO_printf(bio_s_out, "ALPN protocols selected: ");
+               BIO_write(bio_s_out, *out, *outlen);
+               BIO_write(bio_s_out, "\n", 1);
+               }
+
+       return SSL_TLSEXT_ERR_OK;
+       }
+#endif  /* ndef OPENSSL_NO_TLSEXT */

 
 static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
        {
 
 static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
        {


@@ -988,6 +1030,8 @@ int MAIN(int argc, char *argv[])
 # ifndef OPENSSL_NO_NEXTPROTONEG
        const char *next_proto_neg_in = NULL;
        tlsextnextprotoctx next_proto;
 # ifndef OPENSSL_NO_NEXTPROTONEG
        const char *next_proto_neg_in = NULL;
        tlsextnextprotoctx next_proto;

+       const char *alpn_in = NULL;
+       tlsextalpnctx alpn_ctx = { NULL, 0};

 # endif
 #endif
 #ifndef OPENSSL_NO_PSK
 # endif
 #endif
 #ifndef OPENSSL_NO_PSK


@@ -1438,6 +1482,11 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        next_proto_neg_in = *(++argv);
                        }
                        if (--argc < 1) goto bad;
                        next_proto_neg_in = *(++argv);
                        }

+               else if (strcmp(*argv,"-alpn") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       alpn_in = *(++argv);
+                       }

 # endif
 #endif
 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
 # endif
 #endif
 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)


@@ -1565,7 +1614,8 @@ bad:
 #endif /* OPENSSL_NO_TLSEXT */
                }
 
 #endif /* OPENSSL_NO_TLSEXT */
                }
 

-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 
+#if !defined(OPENSSL_NO_TLSEXT)
+# if !defined(OPENSSL_NO_NEXTPROTONEG) 

        if (next_proto_neg_in)
                {
                unsigned short len;
        if (next_proto_neg_in)
                {
                unsigned short len;


@@ -1578,6 +1628,16 @@ bad:
                {
                next_proto.data = NULL;
                }
                {
                next_proto.data = NULL;
                }

+# endif
+       alpn_ctx.data = NULL;
+       if (alpn_in)
+               {
+               unsigned short len;
+               alpn_ctx.data = next_protos_parse(&len, alpn_in);
+               if (alpn_ctx.data == NULL)
+                       goto end;
+               alpn_ctx.len = len;
+               }

 #endif
 
        if (crl_file)
 #endif
 
        if (crl_file)


@@ -1812,6 +1872,8 @@ bad:
        if (next_proto.data)
                SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto);
 # endif
        if (next_proto.data)
                SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto);
 # endif

+       if (alpn_ctx.data)
+               SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx);

 #endif 
 
 #ifndef OPENSSL_NO_DH
 #endif 
 
 #ifndef OPENSSL_NO_DH


@@ -2047,6 +2109,10 @@ end:
                BIO_free(authz_in);
        if (serverinfo_in != NULL)
                BIO_free(serverinfo_in);
                BIO_free(authz_in);
        if (serverinfo_in != NULL)
                BIO_free(serverinfo_in);

+       if (next_proto.data)
+               OPENSSL_free(next_proto.data);
+       if (alpn_ctx.data)
+               OPENSSL_free(alpn_ctx.data);

 #endif
        ssl_excert_free(exc);
        if (ssl_args)
 #endif
        ssl_excert_free(exc);
        if (ssl_args)

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 67eb92089e0b658d2e8d967db5efa87ad44f72f9..98a7621508ec419eec54910be3e4e915deb34133 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3020,6 +3020,11 @@ void ssl3_free(SSL *s)
                BIO_free(s->s3->handshake_buffer);
        }
        if (s->s3->handshake_dgst) ssl3_free_digest_list(s);
                BIO_free(s->s3->handshake_buffer);
        }
        if (s->s3->handshake_dgst) ssl3_free_digest_list(s);

+#ifndef OPENSSL_NO_TLSEXT
+       if (s->s3->alpn_selected)
+               OPENSSL_free(s->s3->alpn_selected);
+#endif
+

 #ifndef OPENSSL_NO_SRP
        SSL_SRP_CTX_free(s);
 #endif
 #ifndef OPENSSL_NO_SRP
        SSL_SRP_CTX_free(s);
 #endif


@@ -3098,6 +3103,14 @@ void ssl3_clear(SSL *s)
        if (s->s3->handshake_dgst) {
                ssl3_free_digest_list(s);
        }       
        if (s->s3->handshake_dgst) {
                ssl3_free_digest_list(s);
        }       

+
+#if !defined(OPENSSL_NO_TLSEXT)
+       if (s->s3->alpn_selected)
+               {
+               free(s->s3->alpn_selected);
+               s->s3->alpn_selected = NULL;
+               }
+#endif

        memset(s->s3,0,sizeof *s->s3);
        s->s3->rbuf.buf = rp;
        s->s3->wbuf.buf = wp;
        memset(s->s3,0,sizeof *s->s3);
        s->s3->rbuf.buf = rp;
        s->s3->wbuf.buf = wp;

diff --git a/ssl/ssl.h b/ssl/ssl.h
index 9c19dc788affecd2b42412f23ad6ec4209679fdd..188ce736eec2e9776a738c3080093fd8d1fd4184 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1100,6 +1100,31 @@ struct ssl_ctx_st
                                    void *arg);
        void *next_proto_select_cb_arg;
 # endif
                                    void *arg);
        void *next_proto_select_cb_arg;
 # endif

+
+       /* ALPN information
+        * (we are in the process of transitioning from NPN to ALPN.) */
+
+       /* For a server, this contains a callback function that allows the
+        * server to select the protocol for the connection.
+        *   out: on successful return, this must point to the raw protocol
+        *        name (without the length prefix).
+        *   outlen: on successful return, this contains the length of |*out|.
+        *   in: points to the client's list of supported protocols in
+        *       wire-format.
+        *   inlen: the length of |in|. */
+       int (*alpn_select_cb)(SSL *s,
+                             const unsigned char **out,
+                             unsigned char *outlen,
+                             const unsigned char* in,
+                             unsigned int inlen,
+                             void *arg);
+       void *alpn_select_cb_arg;
+
+       /* For a client, this contains the list of supported protocols in wire
+        * format. */
+       unsigned char* alpn_client_proto_list;
+       unsigned alpn_client_proto_list_len;
+

         /* SRTP profiles we are willing to do from RFC 5764 */
        STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;  
 #endif
         /* SRTP profiles we are willing to do from RFC 5764 */
        STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;  
 #endif


@@ -1202,6 +1227,21 @@ void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
 
 #endif
 
 
 #endif
 

+int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char* protos,
+                           unsigned protos_len);
+int SSL_set_alpn_protos(SSL *ssl, const unsigned char* protos,
+                       unsigned protos_len);
+void SSL_CTX_set_alpn_select_cb(SSL_CTX* ctx,
+                               int (*cb) (SSL *ssl,
+                                          const unsigned char **out,
+                                          unsigned char *outlen,
+                                          const unsigned char *in,
+                                          unsigned int inlen,
+                                          void *arg),
+                               void *arg);
+void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
+                           unsigned *len);
+

 #ifndef OPENSSL_NO_PSK
 /* the maximum length of the buffer given to callbacks containing the
  * resulting identity/psk */
 #ifndef OPENSSL_NO_PSK
 /* the maximum length of the buffer given to callbacks containing the
  * resulting identity/psk */


@@ -1508,6 +1548,11 @@ struct ssl_st
                                         */
        unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */
        unsigned int tlsext_hb_seq;     /* HeartbeatRequest sequence number */
                                         */
        unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */
        unsigned int tlsext_hb_seq;     /* HeartbeatRequest sequence number */

+
+       /* For a client, this contains the list of supported protocols in wire
+        * format. */
+       unsigned char* alpn_client_proto_list;
+       unsigned alpn_client_proto_list_len;

 #else
 #define session_ctx ctx
 #endif /* OPENSSL_NO_TLSEXT */
 #else
 #define session_ctx ctx
 #endif /* OPENSSL_NO_TLSEXT */

diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 77747c4c1efd466a046b8b583cbf64fbfaa227b7..f933108c654492081d8efdddf6aa95080f88a13b 100644 (file)
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -586,7 +586,17 @@ typedef struct ssl3_state_st
         * as the types were received in the client hello. */
        unsigned short *tlsext_custom_types;
        size_t tlsext_custom_types_count; /* how many tlsext_custom_types */
         * as the types were received in the client hello. */
        unsigned short *tlsext_custom_types;
        size_t tlsext_custom_types_count; /* how many tlsext_custom_types */

-#endif
+
+       /* ALPN information
+        * (we are in the process of transitioning from NPN to ALPN.) */
+
+       /* In a server these point to the selected ALPN protocol after the
+        * ClientHello has been processed. In a client these contain the
+        * protocol that the server selected once the ServerHello has been
+        * processed. */
+       unsigned char *alpn_selected;
+       unsigned alpn_selected_len;
+#endif /* OPENSSL_NO_TLSEXT */

        } SSL3_STATE;
 
 #endif
        } SSL3_STATE;
 
 #endif

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a48e09e521693976ddf824c2f8d58ffc7cabcc0c..ba9d921275b767ba02a59684e4dade7e8375a592 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -382,6 +382,17 @@ SSL *SSL_new(SSL_CTX *ctx)
 # ifndef OPENSSL_NO_NEXTPROTONEG
        s->next_proto_negotiated = NULL;
 # endif
 # ifndef OPENSSL_NO_NEXTPROTONEG
        s->next_proto_negotiated = NULL;
 # endif

+
+       if (s->ctx->alpn_client_proto_list)
+               {
+               s->alpn_client_proto_list =
+                       OPENSSL_malloc(s->ctx->alpn_client_proto_list_len);
+               if (s->alpn_client_proto_list == NULL)
+                       goto err;
+               memcpy(s->alpn_client_proto_list, s->ctx->alpn_client_proto_list,
+                      s->ctx->alpn_client_proto_list_len);
+               s->alpn_client_proto_list_len = s->ctx->alpn_client_proto_list_len;
+               }

 #endif
 
        s->verify_result=X509_V_OK;
 #endif
 
        s->verify_result=X509_V_OK;


@@ -606,6 +617,8 @@ void SSL_free(SSL *s)
                sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
        if (s->tlsext_ocsp_resp)
                OPENSSL_free(s->tlsext_ocsp_resp);
                sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
        if (s->tlsext_ocsp_resp)
                OPENSSL_free(s->tlsext_ocsp_resp);

+       if (s->alpn_client_proto_list)
+               OPENSSL_free(s->alpn_client_proto_list);

 #endif
 
        if (s->client_CA != NULL)
 #endif
 
        if (s->client_CA != NULL)


@@ -1754,7 +1767,78 @@ int SSL_CTX_set_custom_srv_ext(SSL_CTX *ctx, unsigned short ext_type,
        return 1;
        }
 
        return 1;
        }
 

-#endif
+/* SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|.
+ * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
+ * length-prefixed strings).
+ *
+ * Returns 0 on success. */
+int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char* protos,
+                           unsigned protos_len)
+       {
+       if (ctx->alpn_client_proto_list)
+               OPENSSL_free(ctx->alpn_client_proto_list);
+
+       ctx->alpn_client_proto_list = OPENSSL_malloc(protos_len);
+       if (!ctx->alpn_client_proto_list)
+               return 1;
+       memcpy(ctx->alpn_client_proto_list, protos, protos_len);
+       ctx->alpn_client_proto_list_len = protos_len;
+
+       return 0;
+       }
+
+/* SSL_set_alpn_protos sets the ALPN protocol list on |ssl| to |protos|.
+ * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
+ * length-prefixed strings).
+ *
+ * Returns 0 on success. */
+int SSL_set_alpn_protos(SSL *ssl, const unsigned char* protos,
+                       unsigned protos_len)
+       {
+       if (ssl->alpn_client_proto_list)
+               OPENSSL_free(ssl->alpn_client_proto_list);
+
+       ssl->alpn_client_proto_list = OPENSSL_malloc(protos_len);
+       if (!ssl->alpn_client_proto_list)
+               return 1;
+       memcpy(ssl->alpn_client_proto_list, protos, protos_len);
+       ssl->alpn_client_proto_list_len = protos_len;
+
+       return 0;
+       }
+
+/* SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is called
+ * during ClientHello processing in order to select an ALPN protocol from the
+ * client's list of offered protocols. */
+void SSL_CTX_set_alpn_select_cb(SSL_CTX* ctx,
+                               int (*cb) (SSL *ssl,
+                                          const unsigned char **out,
+                                          unsigned char *outlen,
+                                          const unsigned char *in,
+                                          unsigned int inlen,
+                                          void *arg),
+                               void *arg)
+       {
+       ctx->alpn_select_cb = cb;
+       ctx->alpn_select_cb_arg = arg;
+       }
+
+/* SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|.
+ * On return it sets |*data| to point to |*len| bytes of protocol name (not
+ * including the leading length-prefix byte). If the server didn't respond with
+ * a negotiated protocol then |*len| will be zero. */
+void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
+                           unsigned *len)
+       {
+       *data = NULL;
+       if (ssl->s3)
+               *data = ssl->s3->alpn_selected;
+       if (*data == NULL)
+               *len = 0;
+       else
+               *len = ssl->s3->alpn_selected_len;
+       }
+#endif /* !OPENSSL_NO_TLSEXT */

 
 int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
        const char *label, size_t llen, const unsigned char *p, size_t plen,
 
 int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
        const char *label, size_t llen, const unsigned char *p, size_t plen,


@@ -2117,6 +2201,8 @@ void SSL_CTX_free(SSL_CTX *a)
        if (a->tlsext_ellipticcurvelist)
                OPENSSL_free(a->tlsext_ellipticcurvelist);
 # endif /* OPENSSL_NO_EC */
        if (a->tlsext_ellipticcurvelist)
                OPENSSL_free(a->tlsext_ellipticcurvelist);
 # endif /* OPENSSL_NO_EC */

+       if (a->alpn_client_proto_list != NULL)
+               OPENSSL_free(a->alpn_client_proto_list);

 #endif
 
        OPENSSL_free(a);
 #endif
 
        OPENSSL_free(a);

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 07cb0966461e23797f1ecfc103849ce24f1b9e99..3a048e145af532832ff6bf71adc0845fe4348d85 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1404,6 +1404,18 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                }
 #endif
 
                }
 #endif
 

+       if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
+               {
+               if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
+                       return NULL;
+               s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
+               s2n(2 + s->alpn_client_proto_list_len,ret);
+               s2n(s->alpn_client_proto_list_len,ret);
+               memcpy(ret, s->alpn_client_proto_list,
+                      s->alpn_client_proto_list_len);
+               ret += s->alpn_client_proto_list_len;
+               }
+

         if(SSL_get_srtp_profiles(s))
                 {
                 int el;
         if(SSL_get_srtp_profiles(s))
                 {
                 int el;


@@ -1784,6 +1796,21 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
                        }
                }
 
                        }
                }
 

+       if (s->s3->alpn_selected)
+               {
+               const unsigned char *selected = s->s3->alpn_selected;
+               unsigned len = s->s3->alpn_selected_len;
+
+               if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
+                       return NULL;
+               s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
+               s2n(3 + len,ret);
+               s2n(1 + len,ret);
+               *ret++ = len;
+               memcpy(ret, selected, len);
+               ret += len;
+               }
+

        if ((extdatalen = ret-p-2)== 0) 
                return p;
 
        if ((extdatalen = ret-p-2)== 0) 
                return p;
 


@@ -1791,6 +1818,76 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
        return ret;
        }
 
        return ret;
        }
 

+/* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
+ * ClientHello.
+ *   data: the contents of the extension, not including the type and length.
+ *   data_len: the number of bytes in |data|
+ *   al: a pointer to the alert value to send in the event of a non-zero
+ *       return.
+ *
+ *   returns: 0 on success. */
+static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
+                                        unsigned data_len, int *al)
+       {
+       unsigned i;
+       unsigned proto_len;
+       const unsigned char *selected;
+       unsigned char selected_len;
+       int r;
+
+       if (s->ctx->alpn_select_cb == NULL)
+               return 0;
+
+       if (data_len < 2)
+               goto parse_error;
+
+       /* data should contain a uint16 length followed by a series of 8-bit,
+        * length-prefixed strings. */
+       i = ((unsigned) data[0]) << 8 |
+           ((unsigned) data[1]);
+       data_len -= 2;
+       data += 2;
+       if (data_len != i)
+               goto parse_error;
+
+       if (data_len < 2)
+               goto parse_error;
+
+       for (i = 0; i < data_len;)
+               {
+               proto_len = data[i];
+               i++;
+
+               if (proto_len == 0)
+                       goto parse_error;
+
+               if (i + proto_len < i || i + proto_len > data_len)
+                       goto parse_error;
+
+               i += proto_len;
+               }
+
+       r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
+                                  s->ctx->alpn_select_cb_arg);
+       if (r == SSL_TLSEXT_ERR_OK) {
+               if (s->s3->alpn_selected)
+                       OPENSSL_free(s->s3->alpn_selected);
+               s->s3->alpn_selected = OPENSSL_malloc(selected_len);
+               if (!s->s3->alpn_selected)
+                       {
+                       *al = SSL_AD_INTERNAL_ERROR;
+                       return -1;
+                       }
+               memcpy(s->s3->alpn_selected, selected, selected_len);
+               s->s3->alpn_selected_len = selected_len;
+       }
+       return 0;
+
+parse_error:
+       *al = SSL_AD_DECODE_ERROR;
+       return -1;
+       }
+

 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
        {       
        unsigned short type;
 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
        {       
        unsigned short type;


@@ -1806,6 +1903,12 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
        s->s3->next_proto_neg_seen = 0;
 #endif
 
        s->s3->next_proto_neg_seen = 0;
 #endif
 

+       if (s->s3->alpn_selected)
+               {
+               OPENSSL_free(s->s3->alpn_selected);
+               s->s3->alpn_selected = NULL;
+               }
+

 #ifndef OPENSSL_NO_HEARTBEATS
        s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
                               SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
 #ifndef OPENSSL_NO_HEARTBEATS
        s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
                               SSL_TLSEXT_HB_DONT_SEND_REQUESTS);


@@ -2261,7 +2364,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
 #endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
                else if (type == TLSEXT_TYPE_next_proto_neg &&
 #endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
                else if (type == TLSEXT_TYPE_next_proto_neg &&

-                        s->s3->tmp.finish_md_len == 0)
+                        s->s3->tmp.finish_md_len == 0 &&
+                        s->s3->alpn_selected == NULL)

                        {
                        /* We shouldn't accept this extension on a
                         * renegotiation.
                        {
                        /* We shouldn't accept this extension on a
                         * renegotiation.


@@ -2282,6 +2386,16 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
                        }
 #endif
 
                        }
 #endif
 

+               else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
+                        s->ctx->alpn_select_cb &&
+                        s->s3->tmp.finish_md_len == 0)
+                       {
+                       if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
+                               return 0;
+                       /* ALPN takes precedence over NPN. */
+                       s->s3->next_proto_neg_seen = 0;
+                       }
+

                /* session ticket processed earlier */
                else if (type == TLSEXT_TYPE_use_srtp)
                         {
                /* session ticket processed earlier */
                else if (type == TLSEXT_TYPE_use_srtp)
                         {


@@ -2471,6 +2585,12 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char
        s->s3->next_proto_neg_seen = 0;
 #endif
 
        s->s3->next_proto_neg_seen = 0;
 #endif
 

+       if (s->s3->alpn_selected)
+               {
+               OPENSSL_free(s->s3->alpn_selected);
+               s->s3->alpn_selected = NULL;
+               }
+

 #ifndef OPENSSL_NO_HEARTBEATS
        s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
                               SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
 #ifndef OPENSSL_NO_HEARTBEATS
        s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
                               SSL_TLSEXT_HB_DONT_SEND_REQUESTS);


@@ -2633,6 +2753,52 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char
                        s->s3->next_proto_neg_seen = 1;
                        }
 #endif
                        s->s3->next_proto_neg_seen = 1;
                        }
 #endif

+
+               else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
+                       {
+                       unsigned len;
+
+                       /* We must have requested it. */
+                       if (s->alpn_client_proto_list == NULL)
+                               {
+                               *al = TLS1_AD_UNSUPPORTED_EXTENSION;
+                               return 0;
+                               }
+                       if (size < 4)
+                               {
+                               *al = TLS1_AD_DECODE_ERROR;
+                               return 0;
+                               }
+                       /* The extension data consists of:
+                        *   uint16 list_length
+                        *   uint8 proto_length;
+                        *   uint8 proto[proto_length]; */
+                       len = data[0];
+                       len <<= 8;
+                       len |= data[1];
+                       if (len != (unsigned) size - 2)
+                               {
+                               *al = TLS1_AD_DECODE_ERROR;
+                               return 0;
+                               }
+                       len = data[2];
+                       if (len != (unsigned) size - 3)
+                               {
+                               *al = TLS1_AD_DECODE_ERROR;
+                               return 0;
+                               }
+                       if (s->s3->alpn_selected)
+                               OPENSSL_free(s->s3->alpn_selected);
+                       s->s3->alpn_selected = OPENSSL_malloc(len);
+                       if (!s->s3->alpn_selected)
+                               {
+                               *al = TLS1_AD_INTERNAL_ERROR;
+                               return 0;
+                               }
+                       memcpy(s->s3->alpn_selected, data + 3, len);
+                       s->s3->alpn_selected_len = len;
+                       }
+

                else if (type == TLSEXT_TYPE_renegotiate)
                        {
                        if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
                else if (type == TLSEXT_TYPE_renegotiate)
                        {
                        if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))

diff --git a/ssl/tls1.h b/ssl/tls1.h
index c59a02fee39523a40f92e9202fd36ce10b8ed085..b1b85bf6328869091f9435139d64e0a8cc0bc35e 100644 (file)
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -230,6 +230,9 @@ extern "C" {
 /* ExtensionType value from RFC5620 */
 #define TLSEXT_TYPE_heartbeat  15
 
 /* ExtensionType value from RFC5620 */
 #define TLSEXT_TYPE_heartbeat  15
 

+/* ExtensionType value from draft-ietf-tls-applayerprotoneg-00 */
+#define TLSEXT_TYPE_application_layer_protocol_negotiation 16
+

 /* ExtensionType value from RFC4507 */
 #define TLSEXT_TYPE_session_ticket             35
 
 /* ExtensionType value from RFC4507 */
 #define TLSEXT_TYPE_session_ticket             35