From: Hugo Landau
Date: Mon, 16 Jan 2023 15:20:20 +0000 (+0000)
Subject: QUIC: Forbid NPN
X-Git-Tag: openssl-3.2.0-alpha1~529
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=68dbff4c040e6f1b65f84b649185aa466c4fba24;p=thirdparty%2Fopenssl.git

QUIC: Forbid NPN

Reviewed-by: Tomas Mraz
Reviewed-by: Matt Caswell
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/20061)
---

diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
index 102e6578512..84b2bc5dfe8 100644
--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
@@ -111,6 +111,9 @@ the client can request any protocol it chooses.
 The value returned from this function need not be a member of the list of
 supported protocols provided by the callback.
 
+NPN functionality cannot be used with QUIC SSL objects. Use of ALPN is mandatory
+when using QUIC SSL objects.
+
 =head1 NOTES
 
 The protocol-lists must be in wire-format, which is defined as a vector of
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e14eeffd1be..ad3afe33ebe 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3548,6 +3548,10 @@ void SSL_CTX_set_npn_advertised_cb(SSL_CTX *ctx,
                                    SSL_CTX_npn_advertised_cb_func cb,
                                    void *arg)
 {
+    if (IS_QUIC_CTX(ctx))
+        /* NPN not allowed for QUIC */
+        return;
+
     ctx->ext.npn_advertised_cb = cb;
     ctx->ext.npn_advertised_cb_arg = arg;
 }
@@ -3566,6 +3570,10 @@ void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx,
                                SSL_CTX_npn_select_cb_func cb,
                                void *arg)
 {
+    if (IS_QUIC_CTX(ctx))
+        /* NPN not allowed for QUIC */
+        return;
+
     ctx->ext.npn_select_cb = cb;
     ctx->ext.npn_select_cb_arg = arg;
 }
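Review bot: The new `if (IS_QUIC_CTX(ctx)) return;` in SSL_CTX_set_npn_advertised_cb drops the caller's callback silently; because the function returns void, an application that registers NPN on a QUIC context gets no diagnostic and only discovers the omission when the handshake never calls it. Consider at least raising an error before returning, e.g. `ERR_raise(ERR_LIB_SSL, ERR_R_UNSUPPORTED);` on the line before `return;` (ssl_lib.c appears to use ERR_raise elsewhere, though that is outside this hunk), so the failure is visible on the error queue. The one-line comment should also say what the caller sees rather than just restating the policy, e.g. `/* NPN is not permitted on QUIC contexts: the callback is not registered and the call is a no-op (see SSL_CTX_set_alpn_select_cb(3)) */`. The pod change documents the prohibition but not that the setter is ignored; a sentence to that effect there would match this behaviour.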
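Review bot: The guard added to SSL_CTX_set_npn_select_cb only prevents the client-side select callback from being stored; whether that alone stops the NPN extension from being constructed or accepted on a QUIC handshake depends on the extension code keying off `ctx->ext.npn_select_cb != NULL`, which is not visible in this commit and is worth confirming. A regression test that calls both setters on a QUIC SSL_CTX and asserts the stored callback and argument remain NULL would pin the intended no-op, as would a handshake-level check that no NPN extension appears on the wire. Since this block and the one in SSL_CTX_set_npn_advertised_cb are now identical three-line guards, a small `static` helper or a shared macro would keep the two from drifting apart if the diagnostic is later changed.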