prefer server alpn ordering over the client's

aa707584 · Benjamin Peterson · 65aa261e · aa707584 · aa707584 · aa707584
Commit aa707584 authored Jan 23, 2015 by Benjamin Peterson
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 16 deletions

Doc/library/ssl.rst Doc/library/ssl.rst +2 -1

Lib/test/test_ssl.py Lib/test/test_ssl.py +2 -2

Modules/_ssl.c Modules/_ssl.c +20 -13

No files found.
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -875,7 +875,8 @@ SSL sockets also have the following additional methods and attributes:

   Return the protocol that was selected during the TLS handshake.  If
   :meth:`SSLContext.set_alpn_protocols` was not called, if the other party does
-   not support ALPN, or if the handshake has not happened yet, ``None`` is
+   not support ALPN, if this socket does not support any of the client's
+   proposed protocols, or if the handshake has not happened yet, ``None`` is
   returned.

   .. versionadded:: 2.7.10

--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -2819,9 +2819,9 @@ else:
            server_protocols = ['foo', 'bar', 'milkshake']
            protocol_tests = [
                (['foo', 'bar'], 'foo'),
-                (['bar', 'foo'], 'bar'),
+                (['bar', 'foo'], 'foo'),
                (['milkshake'], 'milkshake'),
-                (['http/3.0', 'http/4.0'], 'foo')
+                (['http/3.0', 'http/4.0'], None)
            ]
            for client_protocols, expected in protocol_tests:
                server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2149,18 +2149,25 @@ set_ciphers(PySSLContext *self, PyObject *args)
 }

 static int
-do_protocol_selection(unsigned char **out, unsigned char *outlen,
-                      const unsigned char *remote_protocols, unsigned int remote_protocols_len,
-                      unsigned char *our_protocols, unsigned int our_protocols_len)
+do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
+                      const unsigned char *server_protocols, unsigned int server_protocols_len,
+                      const unsigned char *client_protocols, unsigned int client_protocols_len)
 {
-    if (our_protocols == NULL) {
-        our_protocols = (unsigned char*)"";
-        our_protocols_len = 0;
+    int ret;
+    if (client_protocols == NULL) {
+        client_protocols = (unsigned char *)"";
+        client_protocols_len = 0;
+    }
+    if (server_protocols == NULL) {
+        server_protocols = (unsigned char *)"";
+        server_protocols_len = 0;
    }

-    SSL_select_next_proto(out, outlen,
-                          remote_protocols, remote_protocols_len,
-                          our_protocols, our_protocols_len);
+    ret = SSL_select_next_proto(out, outlen,
+                                server_protocols, server_protocols_len,
+                                client_protocols, client_protocols_len);
+    if (alpn && ret != OPENSSL_NPN_NEGOTIATED)
+        return SSL_TLSEXT_ERR_NOACK;

    return SSL_TLSEXT_ERR_OK;
 }
@@ -2192,7 +2199,7 @@ _selectNPN_cb(SSL *s,
              void *args)
 {
    PySSLContext *ctx = (PySSLContext *)args;
-    return do_protocol_selection(out, outlen, server, server_len,
+    return do_protocol_selection(0, out, outlen, server, server_len,
                                 ctx->npn_protocols, ctx->npn_protocols_len);
 }
 #endif
@@ -2244,9 +2251,9 @@ _selectALPN_cb(SSL *s,
              void *args)
 {
    PySSLContext *ctx = (PySSLContext *)args;
-    return do_protocol_selection((unsigned char **)out, outlen,
-                                 client_protocols, client_protocols_len,
-                                 ctx->alpn_protocols, ctx->alpn_protocols_len);
+    return do_protocol_selection(1, (unsigned char **)out, outlen,
+                                 ctx->alpn_protocols, ctx->alpn_protocols_len,
+                                 client_protocols, client_protocols_len);
 }
 #endif