GH787: Fix ALPN
* Perform ALPN after the SNI callback; the SSL_CTX may change due to
that processing
* Add flags to indicate that we actually sent ALPN, to properly error
out if unexpectedly received.
* clean up ssl3_free() no need to explicitly clear when doing memset
* document ALPN functions
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
diff --git a/CHANGES b/CHANGES
index 9f32b9a..a5217e4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,9 @@
[Todd Short]
*) Add SSL_CIPHER queries for authentication and key-exchange.
+
+ *) Modify behavior of ALPN to invoke callback after SNI/servername
+ callback, such that updates to the SSL_CTX affect ALPN.
[Todd Short]
*) Changes to the DEFAULT cipherlist:
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 5059e93..b26e972 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -2012,8 +2012,8 @@
const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr)
{
- const SSL_CIPHER *c;
- c = ssl->method->get_cipher_by_char(ptr);
+ const SSL_CIPHER *c = ssl->method->get_cipher_by_char(ptr);
+
if (c == NULL || c->valid == 0)
return NULL;
return c;
@@ -2037,10 +2037,8 @@
int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
{
- int i;
- if (c == NULL)
- return NID_undef;
- i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);
+ int i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);
+
if (i == -1)
return NID_undef;
return ssl_cipher_table_mac[i].nid;
@@ -2049,6 +2047,7 @@
int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c)
{
int i = ssl_cipher_info_lookup(ssl_cipher_table_kx, c->algorithm_mkey);
+
if (i == -1)
return NID_undef;
return ssl_cipher_table_kx[i].nid;
@@ -2056,7 +2055,8 @@
int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c)
{
- int i = ssl_cipher_info_lookup(ssl_cipher_table_kx, c->algorithm_auth);
+ int i = ssl_cipher_info_lookup(ssl_cipher_table_auth, c->algorithm_auth);
+
if (i == -1)
return NID_undef;
return ssl_cipher_table_kx[i].nid;
