From: Doug Freed
Date: Sun, 3 Mar 2024 09:24:34 +0000 (+0000)
Subject: tcpiohandler: Use server preference algoritm for ALPN selection
X-Git-Tag: dnsdist-1.10.0-alpha0~16^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b599f69b2090a1269cdce49a53297201772c454c;p=thirdparty%2Fpdns.git

tcpiohandler: Use server preference algoritm for ALPN selection

This complies with RFC 7301 section 3.2
---
diff --git a/pdns/tcpiohandler.cc b/pdns/tcpiohandler.cc
index 841d9e3217..77eeedeaa8 100644
--- a/pdns/tcpiohandler.cc
+++ b/pdns/tcpiohandler.cc
@@ -878,23 +878,24 @@ private:
 }
 OpenSSLTLSIOCtx* obj = reinterpret_cast(arg);
- size_t pos = 0;
- while (pos < inlen) {
- size_t protoLen = in[pos];
- pos++;
- if (protoLen > (inlen - pos)) {
- /* something is very wrong */
- return SSL_TLSEXT_ERR_ALERT_WARNING;
- }
+ // Server preference algorithm as per RFC 7301 section 3.2
+ for (const auto& tentative : obj->d_alpnProtos) {
+ size_t pos = 0;
+ while (pos < inlen) {
+ size_t protoLen = in[pos];
+ pos++;
+ if (protoLen > (inlen - pos)) {
+ /* something is very wrong */
+ return SSL_TLSEXT_ERR_ALERT_WARNING;
+ }
- for (const auto& tentative : obj->d_alpnProtos) {
 if (tentative.size() == protoLen && memcmp(in + pos, tentative.data(), tentative.size()) == 0) {
 *out = in + pos;
 *outlen = protoLen;
 return SSL_TLSEXT_ERR_OK;
 }
+ pos += protoLen;
 }
- pos += protoLen;
 }
 return SSL_TLSEXT_ERR_NOACK;
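Review bot: The fall-through `return SSL_TLSEXT_ERR_NOACK;` at the end of the hunk still lets the handshake continue without ALPN when none of the client's protocols is in `d_alpnProtos`, whereas RFC 7301 section 3.2, which the commit message cites, says the server SHALL answer that case with a fatal `no_application_protocol` alert. If the leniency is deliberate, it deserves a comment such as `// No overlap: deliberately continue without ALPN instead of sending no_application_protocol`; otherwise the line would become `return SSL_TLSEXT_ERR_ALERT_FATAL;`, which also keeps a client from being steered onto a protocol the listener was not configured for. Separately, the length check on the client list now sits inside the per-protocol loop, so it is repeated for every configured protocol and skipped entirely when `d_alpnProtos` is empty; validating `in` once before the loop would keep malformed-input handling independent of the configuration. The callback begins above the hunk, so any earlier guards are not visible here.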