From 50c5042c705a399ebc178b204a1e6148a26966e1 Mon Sep 17 00:00:00 2001
From: Cody P Schafer <dev@codyps.com>
Date: Tue, 1 Sep 2015 17:09:19 -0400
Subject: [PATCH] ssl/npn+alpn: adjust protocol selection to fail if no
 protocols match

The current behavior causes a server written using rust-openssl to (if
it cannot negotiate a protocol) fallback to the first protocol it has
avaliable.

This makes it impossible to detect protocol mismatches.

This updates our selection to be more similar to how openssl's
s_server behaves: non-matching protocols are not supplied with a
fallback.

Note that some setups may actually want a fallback protocol supplied
via ALPN. To support those cases, we should consider adding a generic
callback that allows protocol selection to be entirely controlled by
the programmer.

For the purposes of having a sane default, however, not supplying a
default (and mimicing s_server's behavior) is the best choice.
---
 openssl-sys/src/lib.rs | 6 +++---
 openssl/src/ssl/mod.rs | 7 +++++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs
index 9b5fd7447..91b090e2c 100644
--- a/openssl-sys/src/lib.rs
+++ b/openssl-sys/src/lib.rs
@@ -167,11 +167,11 @@ macro_rules! import_options {
 
 include!("ssl_options.rs");
 
-#[cfg(feature = "npn")]
+#[cfg(any(feature = "npn", feature = "alpn"))]
 pub const OPENSSL_NPN_UNSUPPORTED: c_int = 0;
-#[cfg(feature = "npn")]
+#[cfg(any(feature = "npn", feature = "alpn"))]
 pub const OPENSSL_NPN_NEGOTIATED: c_int = 1;
-#[cfg(feature = "npn")]
+#[cfg(any(feature = "npn", feature = "alpn"))]
 pub const OPENSSL_NPN_NO_OVERLAP: c_int = 2;
 
 pub const V_ASN1_GENERALIZEDTIME: c_int = 24;
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
index ee2e1f9f8..1f198643b 100644
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@@ -308,8 +308,11 @@ unsafe fn select_proto_using(ssl: *mut ffi::SSL,
         let client_len = protocols.len() as c_uint;
         // Finally, let OpenSSL find a protocol to be used, by matching the given server and
         // client lists.
-        ffi::SSL_select_next_proto(out, outlen, inbuf, inlen, client, client_len);
-        ffi::SSL_TLSEXT_ERR_OK
+        if ffi::SSL_select_next_proto(out, outlen, inbuf, inlen, client, client_len) != ffi::OPENSSL_NPN_NEGOTIATED {
+            ffi::SSL_TLSEXT_ERR_NOACK
+        } else {
+            ffi::SSL_TLSEXT_ERR_OK
+        }
 }
 
 /// The function is given as the callback to `SSL_CTX_set_next_proto_select_cb`.
-- 
GitLab