author | Todd Short <tshort@akamai.com> | 2016-03-12 09:14:05 -0500 |
---|---|---|
committer | Todd Short <tshort@akamai.com> | 2016-03-20 21:09:32 -0400 |
commit | 0351baae36afe1182237e0bd88ec9d13f5c97f32 (patch) | |
tree | e0eb86c7f9558a24e5a7f6cdc7a3c5aac29cea1e /ssl | |
parent | 89ff989d01314a6104e5063edfce316c8325f339 (diff) |
Fix ALPN - more fixes
* Clear proposed, along with selected, before looking at ClientHello
* Add test case for above
* Clear NPN seen after selecting ALPN on server
* Minor documentation updates
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/t1_lib.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 26c02a0e44..a20e85fb4b 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1801,6 +1801,10 @@ static int tls1_alpn_handle_client_hello_late(SSL *s, int *ret, int *al)
 return 0;
 }
 s->s3->alpn_selected_len = selected_len;
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ /* ALPN takes precedence over NPN. */
+ s->s3->next_proto_neg_seen = 0;
+#endif
 } else {
 *al = SSL_AD_NO_APPLICATION_PROTOCOL;
 *ret = SSL_TLSEXT_ERR_ALERT_FATAL;
@@ -1902,6 +1906,10 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
 OPENSSL_free(s->s3->alpn_selected);
 s->s3->alpn_selected = NULL;
+ s->s3->alpn_selected_len = 0;
+ OPENSSL_free(s->s3->alpn_proposed);
+ s->s3->alpn_proposed = NULL;
+ s->s3->alpn_proposed_len = 0;
 #ifndef OPENSSL_NO_HEARTBEATS
 s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED | SSL_DTLSEXT_HB_DONT_SEND_REQUESTS);
@@ -2216,8 +2224,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
 #endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
 else if (type == TLSEXT_TYPE_next_proto_neg &&
- s->s3->tmp.finish_md_len == 0 &&
- s->s3->alpn_selected == NULL) {
+ s->s3->tmp.finish_md_len == 0) {
 /*-
 * We shouldn't accept this extension on a
 * renegotiation.
@@ -2243,10 +2250,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
 s->s3->tmp.finish_md_len == 0) {
 if (!tls1_alpn_handle_client_hello(s, &extension, al))
 return 0;
-#ifndef OPENSSL_NO_NEXTPROTONEG
- /* ALPN takes precedence over NPN. */
- s->s3->next_proto_neg_seen = 0;
-#endif
 }
 /* session ticket processed earlier */ |
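Review bot: The comment added in the first hunk, `/* ALPN takes precedence over NPN. */`, states the rule but not why tls1_alpn_handle_client_hello_late is now the place that enforces it. With the `s->s3->alpn_selected == NULL` guard removed from the NPN branch in the third hunk and the reset deleted from the ALPN branch in the fourth, this assignment appears to be the only thing that stops a handshake from ending with both an ALPN selection and `next_proto_neg_seen` set. I would spell that out, e.g. `/* ALPN takes precedence over NPN: discard any NPN offer recorded during the scan, regardless of extension order. */`, so a later refactor does not drop it as redundant. The function starts and ends outside the hunk, so whether every success path reaches this line cannot be checked from here.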
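Review bot: The ALPN reset added at the top of ssl_scan_clienthello_tlsext (second hunk) runs for every ClientHello, but the ALPN branch visible in the last hunk is only taken when `s->s3->tmp.finish_md_len == 0`. If that condition is what excludes renegotiation, as the NPN comment in the third hunk suggests, a renegotiated handshake would free `alpn_selected` and `alpn_proposed` without negotiating again, leaving the connection with no recorded application protocol. Please confirm that is intended and say so next to the reset, e.g. `/* Per-handshake ALPN state; also cleared on renegotiation, where the ALPN extension is ignored. */`. The function body continues outside the hunk, so code between the reset and the extension loop is not visible here.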