From: Remi Gacogne
Date: Mon, 16 Sep 2024 08:59:21 +0000 (+0200)
Subject: dnsdist: Remove NPN support, it has been deprecated for a very long time
X-Git-Tag: rec-5.2.0-alpha1~78^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ccceb5291eb4a59c92ccf5f1eccba79435f65ac7;p=thirdparty%2Fpdns.git
dnsdist: Remove NPN support, it has been deprecated for a very long time
---
diff --git a/pdns/dnsdistdist/dnsdist-nghttp2.cc b/pdns/dnsdistdist/dnsdist-nghttp2.cc
index 79b39adc04..07033f04ec 100644
--- a/pdns/dnsdistdist/dnsdist-nghttp2.cc
+++ b/pdns/dnsdistdist/dnsdist-nghttp2.cc
@@ -922,16 +922,6 @@ static void dohClientThread(pdns::channel::Receiver&& receiv
 errlog("Fatal error in outgoing DoH thread: %s", e.what());
 }
 }
-
-static bool select_next_proto_callback(unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen)
-{
- if (nghttp2_select_next_protocol(out, outlen, in, inlen) <= 0) {
- vinfolog("The remote DoH backend did not advertise " NGHTTP2_PROTO_VERSION_ID);
- return false;
- }
- return true;
-}
-
 #endif /* HAVE_DNS_OVER_HTTPS && HAVE_NGHTTP2 */
 
 struct DoHClientCollection::DoHWorkerThread
@@ -1051,7 +1041,6 @@ bool setupDoHClientProtocolNegotiation(std::shared_ptr& ctx)
 /* we want to set the ALPN to h2, if only to mitigate the ALPACA attack */
 const std::vector> h2Alpns = {{'h', '2'}};
 ctx->setALPNProtos(h2Alpns);
- ctx->setNextProtocolSelectCallback(select_next_proto_callback);
 return true;
 #else /* HAVE_DNS_OVER_HTTPS && HAVE_NGHTTP2 */
 return false;
diff --git a/pdns/libssl.cc b/pdns/libssl.cc
index a2e2cae299..c81127c1ff 100644
--- a/pdns/libssl.cc
+++ b/pdns/libssl.cc
@@ -1091,16 +1091,7 @@ pdns::UniqueFilePtr libssl_set_key_log_file(std::unique_ptr, std::vector& ctx, const std::string& logFile); -/* called in a client context, if the client advertised more than one ALPN values and the server returned more than one as well, to select the one to use. */ -#ifndef DISABLE_NPN -void libssl_set_npn_select_callback(SSL_CTX* ctx, int (*cb)(SSL* s, unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen, void* arg), void* arg); -#endif /* DISABLE_NPN */ - /* called in a server context, to select an ALPN value advertised by the client if any */ void libssl_set_alpn_select_callback(SSL_CTX* ctx, int (*cb)(SSL* s, const unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen, void* arg), void* arg); /* set the supported ALPN protos in client context */ diff --git a/pdns/tcpiohandler.cc b/pdns/tcpiohandler.cc index 991a44ca7d..83aad570b6 100644 --- a/pdns/tcpiohandler.cc +++ b/pdns/tcpiohandler.cc @@ -494,11 +494,6 @@ public: const unsigned char* alpn = nullptr; unsigned int alpnLen = 0; -#ifndef DISABLE_NPN -#ifdef HAVE_SSL_GET0_NEXT_PROTO_NEGOTIATED - SSL_get0_next_proto_negotiated(d_conn.get(), &alpn, &alpnLen); -#endif /* HAVE_SSL_GET0_NEXT_PROTO_NEGOTIATED */ -#endif /* DISABLE_NPN */ #ifdef HAVE_SSL_GET0_ALPN_SELECTED if (alpn == nullptr) { SSL_get0_alpn_selected(d_conn.get(), &alpn, &alpnLen); 
@@ -901,32 +896,8 @@ public:
 return libssl_set_alpn_protos(openSSLContext, protos);
 }
 
-#ifndef DISABLE_NPN
- bool setNextProtocolSelectCallback(bool(*cb)(unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen)) override
- {
- d_nextProtocolSelectCallback = cb;
- libssl_set_npn_select_callback(getOpenSSLContext(), npnSelectCallback, this);
- return true;
- }
-#endif /* DISABLE_NPN */
-
 private:
- /* called in a client context, if the client advertised more than one ALPN values and the server returned more than one as well, to select the one to use. */
-#ifndef DISABLE_NPN
- static int npnSelectCallback(SSL* /* s */, unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen, void* arg)
- {
- if (!arg) {
- return SSL_TLSEXT_ERR_ALERT_WARNING;
- }
- OpenSSLTLSIOCtx* obj = reinterpret_cast(arg);
- if (obj->d_nextProtocolSelectCallback) {
- return (*obj->d_nextProtocolSelectCallback)(out, outlen, in, inlen) ? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_ALERT_WARNING;
- }
-
- return SSL_TLSEXT_ERR_OK;
- }
-#endif /* NPN */
-
+ /* called in a client context, if the client advertised more than one ALPN value and the server returned more than one as well, to select the one to use. */
 static int alpnServerSelectCallback(SSL*, const unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen, void* arg)
 {
 if (!arg) {
diff --git a/pdns/tcpiohandler.hh b/pdns/tcpiohandler.hh
index 191a161e5c..9e0aa09137 100644
--- a/pdns/tcpiohandler.hh
+++ b/pdns/tcpiohandler.hh
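Review bot: The `+` line at the end of this hunk places the old NPN description (client context, choosing among the values the server returned) above `alpnServerSelectCallback`, which is the wrong contract for that function: its name and its `const unsigned char** out` signature match the `cb` parameter of `libssl_set_alpn_select_callback`, whose declaration elsewhere in this diff is documented as `called in a server context, to select an ALPN value advertised by the client if any`. A comment that inverts the direction of the negotiation is worse than none, because it suggests the peer's list is being trusted on the client side rather than the server picking from what the client offered. I would replace the added line with `/* called in a server context, to select an ALPN value advertised by the client, if any */`. The `d_nextProtocolSelectCallback` member assigned by the removed code is not touched in any hunk shown here; if its declaration still exists it is now dead state and could be dropped in the same commit. The enclosing OpenSSLTLSIOCtx class begins and ends outside this hunk.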
@@ -117,12 +117,6 @@ public:
 return false;
 }
 
- /* called in a client context, if the client advertised more than one ALPN values and the server returned more than one as well, to select the one to use. */
- virtual bool setNextProtocolSelectCallback(bool(*)(unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen))
- {
- return false;
- }
-
 using tickets_key_added_hook = std::function;
 
 static void setTicketsKeyAddedHook(const tickets_key_added_hook& hook)