Commit f6767f54 authored by Daniel Stenberg's avatar Daniel Stenberg Committed by Jay Satiro

TLS: move the ALPN/NPN enable bits to the connection

Only protocols that actually have an ALPN/NPN protocol identifier registered
should try to get it negotiated in the TLS handshake. That is only
HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN
would wrongly be used in all handshakes if libcurl was built with it
enabled.

Reported-by: Jay Satiro

Fixes #789
parent 5bf5f6eb
+1 −1
@@ -145,7 +145,7 @@ const struct Curl_handler Curl_handler_https = {
  ZERO_NULL,                            /* readwrite */
  PORT_HTTPS,                           /* defport */
  CURLPROTO_HTTPS,                      /* protocol */
  PROTOPT_SSL | PROTOPT_CREDSPERREQUEST /* flags */
  PROTOPT_SSL | PROTOPT_CREDSPERREQUEST | PROTOPT_ALPN_NPN /* flags */
};
#endif

+9 −0
@@ -6167,6 +6167,15 @@ static CURLcode create_conn(struct SessionHandle *data,
       connections we are allowed to open. */
    struct connectbundle *bundle = NULL;

    if(conn->handler->flags & PROTOPT_ALPN_NPN) {
      /* The protocol wants it, so set the bits if enabled in the easy handle
         (default) */
      if(data->set.ssl_enable_alpn)
        conn->bits.tls_enable_alpn = TRUE;
      if(data->set.ssl_enable_npn)
        conn->bits.tls_enable_npn = TRUE;
    }

    if(waitpipe)
      /* There is a connection that *might* become usable for pipelining
         "soon", and we wait for that */
+5 −3
@@ -544,6 +544,8 @@ struct ConnectBits {
  bool multiplex; /* connection is multiplexed */

  bool tcp_fastopen; /* use TCP Fast Open */
  bool tls_enable_npn;  /* TLS NPN extension? */
  bool tls_enable_alpn; /* TLS ALPN extension? */
};

struct hostname {
@@ -815,7 +817,7 @@ struct Curl_handler {
                                        url query strings (?foo=bar) ! */
#define PROTOPT_CREDSPERREQUEST (1<<7) /* requires login credentials per
                                          request instead of per connection */

#define PROTOPT_ALPN_NPN (1<<8) /* set ALPN and/or NPN for this */

/* return the count of bytes sent, or -1 on error */
typedef ssize_t (Curl_send)(struct connectdata *conn, /* connection data */
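Review bot: The two new ConnectBits comments `/* TLS NPN extension? */` and `/* TLS ALPN extension? */` are phrased as questions and do not say where the values come from; in this commit they are derived in create_conn from the handler's PROTOPT_ALPN_NPN flag and the easy handle's ssl_enable_npn/ssl_enable_alpn settings. Suggest `bool tls_enable_npn;  /* offer NPN in the TLS handshake: handler opted in, not disabled on the handle */` and the matching text for tls_enable_alpn. The PROTOPT_ALPN_NPN comment `/* set ALPN and/or NPN for this */` leaves "this" undefined; `/* this protocol has an ALPN/NPN identifier to negotiate during the TLS handshake */` says what the flag means to a handler author. Whether bit 8 is free depends on PROTOPT_ definitions that are outside the hunk.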
+2 −2
@@ -351,7 +351,7 @@ cyassl_connect_step1(struct connectdata *conn,
  }

#ifdef HAVE_ALPN
  if(data->set.ssl_enable_alpn) {
  if(conn->bits.tls_enable_alpn) {
    char protocols[128];
    *protocols = '\0';

@@ -525,7 +525,7 @@ cyassl_connect_step2(struct connectdata *conn,
  }

#ifdef HAVE_ALPN
  if(data->set.ssl_enable_alpn) {
  if(conn->bits.tls_enable_alpn) {
    int rc;
    char *protocol = NULL;
    unsigned short protocol_len = 0;
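Review bot: Only the CyaSSL section here and the GnuTLS section below are switched from `data->set.ssl_enable_alpn` to `conn->bits.tls_enable_alpn`; any other TLS backend that still tests the easy-handle setting directly would keep offering ALPN on every handshake, which is exactly the behaviour the commit description says it is fixing, so the remaining backends are worth checking if they are not covered in a part of the commit not shown on this page. Neither backend hunk references NPN, so tls_enable_npn only takes effect in code outside this page. In cyassl_connect_step1 the hunk ends inside the new `if` and the `protocols[128]` buffer is filled past the hunk boundary, so the bound on that fill is not reviewable here.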
+2 −2
@@ -641,7 +641,7 @@ gtls_connect_step1(struct connectdata *conn,
#endif

#ifdef HAS_ALPN
  if(data->set.ssl_enable_alpn) {
  if(conn->bits.tls_enable_alpn) {
    int cur = 0;
    gnutls_datum_t protocols[2];

@@ -1240,7 +1240,7 @@ gtls_connect_step3(struct connectdata *conn,
  infof(data, "\t compression: %s\n", ptr);

#ifdef HAS_ALPN
  if(data->set.ssl_enable_alpn) {
  if(conn->bits.tls_enable_alpn) {
    rc = gnutls_alpn_get_selected_protocol(session, &proto);
    if(rc == 0) {
      infof(data, "ALPN, server accepted to use %.*s\n", proto.size,