author | Joel Sing <jsing@cvs.openbsd.org> | 2017-08-12 21:03:09 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2017-08-12 21:03:09 +0000 |
commit | 3a9f79ace64e704a845813f5214e5d50fdbb001f (patch) | |
tree | 0b48c01d567a0fa77322c5d597695953298f9e67 /lib/libssl | |
parent | f6a38e1bb80e3269c443288fcaae22c215d0ff1d (diff) |
Remove NPN support.
NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.
TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.
ok bcook@ beck@ doug@
Diffstat (limited to 'lib/libssl')
-rw-r--r-- | lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 | 5 | ||||
-rw-r--r-- | lib/libssl/s3_lib.c | 6 | ||||
-rw-r--r-- | lib/libssl/ssl_clnt.c | 56 | ||||
-rw-r--r-- | lib/libssl/ssl_lib.c | 78 | ||||
-rw-r--r-- | lib/libssl/ssl_locl.h | 43 | ||||
-rw-r--r-- | lib/libssl/ssl_srvr.c | 104 | ||||
-rw-r--r-- | lib/libssl/t1_lib.c | 113 |
7 files changed, 28 insertions, 377 deletions
diff --git a/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 b/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 index ea7b1faf483..eb6c543478b 100644 --- a/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 +++ b/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.2 2017/06/10 13:58:59 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.3 2017/08/12 21:03:08 jsing Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Todd Short <tshort@akamai.com>. @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 10 2017 $ +.Dd $Mdocdate: August 12 2017 $ .Dt SSL_CTX_SET_ALPN_SELECT_CB 3 .Os .Sh NAME @@ -181,7 +181,6 @@ If no match is found, the first item in is returned in .Fa out , .Fa outlen . -This function can also be used in the NPN callback. .Pp .Fn SSL_get0_alpn_selected returns a pointer to the selected protocol in diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 3a11d628930..acbe30d8040 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.157 2017/08/12 02:55:22 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.158 2017/08/12 21:03:08 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1705,10 +1705,6 @@ ssl3_clear(SSL *s) s->internal->packet_length = 0; s->version = TLS1_VERSION; - - free(s->internal->next_proto_negotiated); - s->internal->next_proto_negotiated = NULL; - s->internal->next_proto_negotiated_len = 0; } static long diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index 865c961db74..ec4a4104fcc 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.15 2017/08/12 02:55:22 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.16 2017/08/12 21:03:08 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -407,14 +407,11 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_CHANGE_A: case SSL3_ST_CW_CHANGE_B: ret = ssl3_send_change_cipher_spec(s, - SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B); + SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B); if (ret <= 0) goto end; - if (S3I(s)->next_proto_neg_seen) - S3I(s)->hs.state = SSL3_ST_CW_NEXT_PROTO_A; - else - S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A; + S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A; s->internal->init_num = 0; s->session->cipher = S3I(s)->hs.new_cipher; @@ -431,14 +428,6 @@ ssl3_connect(SSL *s) break; - case SSL3_ST_CW_NEXT_PROTO_A: - case SSL3_ST_CW_NEXT_PROTO_B: - ret = ssl3_send_next_proto(s); - if (ret <= 0) - goto end; - S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A; - break; - case SSL3_ST_CW_FINISHED_A: case SSL3_ST_CW_FINISHED_B: ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A, 
@@ -2599,45 +2588,6 @@ err: return (0); } -int -ssl3_send_next_proto(SSL *s) -{ - CBB cbb, nextproto, npn, padding; - size_t pad_len; - uint8_t *pad; - - memset(&cbb, 0, sizeof(cbb)); - - if (S3I(s)->hs.state == SSL3_ST_CW_NEXT_PROTO_A) { - pad_len = 32 - ((s->internal->next_proto_negotiated_len + 2) % 32); - - if (!ssl3_handshake_msg_start_cbb(s, &cbb, &nextproto, - SSL3_MT_NEXT_PROTO)) - goto err; - if (!CBB_add_u8_length_prefixed(&nextproto, &npn)) - goto err; - if (!CBB_add_bytes(&npn, s->internal->next_proto_negotiated, - s->internal->next_proto_negotiated_len)) - goto err; - if (!CBB_add_u8_length_prefixed(&nextproto, &padding)) - goto err; - if (!CBB_add_space(&padding, &pad, pad_len)) - goto err; - memset(pad, 0, pad_len); - if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) - goto err; - - S3I(s)->hs.state = SSL3_ST_CW_NEXT_PROTO_B; - } - - return (ssl3_handshake_write(s)); - - err: - CBB_cleanup(&cbb); - - return (-1); -} - /* * Check to see if handshake is full or resumed. Usually this is just a * case of checking to see if a cache hit has occurred. In the case of diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index de78ad2fcff..32a5680db77 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.166 2017/08/12 02:55:22 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.167 2017/08/12 21:03:08 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -339,8 +339,6 @@ SSL_new(SSL_CTX *ctx) ctx->internal->tlsext_supportedgroups_length; } - s->internal->next_proto_negotiated = NULL; - if (s->ctx->internal->alpn_client_proto_list != NULL) { s->internal->alpn_client_proto_list = malloc(s->ctx->internal->alpn_client_proto_list_len); @@ -548,7 +546,6 @@ SSL_free(SSL *s) SSL_CTX_free(s->ctx); - free(s->internal->next_proto_negotiated); free(s->internal->alpn_client_proto_list); #ifndef OPENSSL_NO_SRTP 
@@ -1541,33 +1538,15 @@ SSL_get_servername_type(const SSL *s) } /* - * SSL_select_next_proto implements the standard protocol selection. It is + * SSL_select_next_proto implements standard protocol selection. It is * expected that this function is called from the callback set by - * SSL_CTX_set_next_proto_select_cb. + * SSL_CTX_set_alpn_select_cb. * * The protocol data is assumed to be a vector of 8-bit, length prefixed byte * strings. The length byte itself is not included in the length. A byte * string of length 0 is invalid. No byte string may be truncated. * - * The current, but experimental algorithm for selecting the protocol is: - * - * 1) If the server doesn't support NPN then this is indicated to the - * callback. In this case, the client application has to abort the connection - * or have a default application level protocol. - * - * 2) If the server supports NPN, but advertises an empty list then the - * client selects the first protcol in its list, but indicates via the - * API that this fallback case was enacted. - * - * 3) Otherwise, the client finds the first protocol in the server's list - * that it supports and selects this protocol. This is because it's - * assumed that the server has better information about which protocol - * a client should use. - * - * 4) If the client doesn't support any of the server's advertised - * protocols, then this is treated the same as case 2. - * - * It returns either + * It returns either: * OPENSSL_NPN_NEGOTIATED if a common protocol was found, or * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached. */ 
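Review bot: The shortened comment above SSL_select_next_proto still describes OPENSSL_NPN_NO_OVERLAP as "the fallback case was reached", but the numbered list that defined that case is deleted in this hunk, so the comment no longer says what `out`/`outlen` hold on that return. This matters more now that the comment points callers at SSL_CTX_set_alpn_select_cb: the man page touched by this same commit says that when no match is found the first item of one of the lists is still returned, so a select callback that ignores the return value could announce a protocol the two sides never agreed on. I would add a sentence such as `* On OPENSSL_NPN_NO_OVERLAP, out/outlen still name a protocol (the first entry of the fallback list); callers must check the return value before using it.` The function body is outside this hunk, so which list supplies the fallback entry should be confirmed there.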
@@ -1611,64 +1590,28 @@ found: return (status); } -/* - * SSL_get0_next_proto_negotiated sets *data and *len to point to the client's - * requested protocol for this connection and returns 0. If the client didn't - * request any protocol, then *data is set to NULL. - * - * Note that the client can request any protocol it chooses. The value returned - * from this function need not be a member of the list of supported protocols - * provided by the callback. - */ +/* SSL_get0_next_proto_negotiated is deprecated. */ void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len) { - *data = s->internal->next_proto_negotiated; - if (!*data) { - *len = 0; - } else { - *len = s->internal->next_proto_negotiated_len; - } + *data = NULL; + *len = 0; } -/* - * SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a - * TLS server needs a list of supported protocols for Next Protocol - * Negotiation. The returned list must be in wire format. The list is returned - * by setting |out| to point to it and |outlen| to its length. This memory will - * not be modified, but one should assume that the SSL* keeps a reference to - * it. - * - * The callback should return SSL_TLSEXT_ERR_OK if it wishes to advertise. - * Otherwise, no such extension will be included in the ServerHello. - */ +/* SSL_CTX_set_next_protos_advertised_cb is deprecated. */ void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg), void *arg) { - ctx->internal->next_protos_advertised_cb = cb; - ctx->internal->next_protos_advertised_cb_arg = arg; } -/* - * SSL_CTX_set_next_proto_select_cb sets a callback that is called when a - * client needs to select a protocol from the server's provided list. |out| - * must be set to point to the selected protocol (which may be within |in|). - * The length of the protocol name must be written into |outlen|. 
The server's - * advertised protocols are provided in |in| and |inlen|. The callback can - * assume that |in| is syntactically valid. - * - * The client must select a protocol. It is fatal to the connection if this - * callback returns a value other than SSL_TLSEXT_ERR_OK. - */ +/* SSL_CTX_set_next_proto_select_cb is deprecated. */ void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg), void *arg) { - ctx->internal->next_proto_select_cb = cb; - ctx->internal->next_proto_select_cb_arg = arg; } /* @@ -1912,9 +1855,6 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->internal->tlsext_status_cb = 0; ret->internal->tlsext_status_arg = NULL; - ret->internal->next_protos_advertised_cb = 0; - ret->internal->next_proto_select_cb = 0; - #ifndef OPENSSL_NO_ENGINE ret->internal->client_cert_engine = NULL; #ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 6f9be12fa7c..914501213cc 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.188 2017/08/12 02:55:22 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.189 2017/08/12 21:03:08 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
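Review bot: SSL_CTX_set_next_protos_advertised_cb and SSL_CTX_set_next_proto_select_cb now have empty bodies that drop `cb` and `arg` with no signal to the caller, and the new one-line comments say only "deprecated". An application that registers an NPN callback to require a particular protocol will silently end up on the default protocol; the commit message explains this, but nothing next to the code does. I would have the comments state the behaviour, e.g. `/* SSL_CTX_set_next_proto_select_cb is deprecated: NPN is no longer negotiated, so cb is never called. */`, with the same wording on the advertised-callback setter. Likewise, the comment on SSL_get0_next_proto_negotiated should note that it always reports no protocol (`*data = NULL`, `*len = 0`).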
@@ -575,24 +575,8 @@ typedef struct ssl_ctx_internal_st { /* SRTP profiles we are willing to do from RFC 5764 */ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; - /* Next protocol negotiation information */ - /* (for experimental NPN extension). */ - - /* For a server, this contains a callback function by which the set of - * advertised protocols can be provided. */ - int (*next_protos_advertised_cb)(SSL *s, const unsigned char **buf, - unsigned int *len, void *arg); - void *next_protos_advertised_cb_arg; - /* For a client, this contains a callback function that selects the - * next protocol from the list provided by the server. */ - int (*next_proto_select_cb)(SSL *s, unsigned char **out, - unsigned char *outlen, const unsigned char *in, - unsigned int inlen, void *arg); - void *next_proto_select_cb_arg; - /* - * ALPN information - * (we are in the process of transitioning from NPN to ALPN). + * ALPN information. */ /* @@ -627,16 +611,6 @@ typedef struct ssl_internal_st { unsigned long options; /* protocol behaviour */ unsigned long mode; /* API behaviour */ - /* Next protocol negotiation. For the client, this is the protocol that - * we sent in NextProtocol and is set when handling ServerHello - * extensions. - * - * For a server, this is the client's selected_protocol from - * NextProtocol and is set when handling the NextProtocol message, - * before the Finished message. */ - unsigned char *next_proto_negotiated; - unsigned char next_proto_negotiated_len; - /* Client list of supported protocols in wire format. */ unsigned char *alpn_client_proto_list; unsigned int alpn_client_proto_list_len; 
@@ -881,16 +855,9 @@ typedef struct ssl3_state_internal_st { /* Set if we saw a Renegotiation Indication extension from our peer. */ int renegotiate_seen; - /* Set if we saw the Next Protocol Negotiation extension from our peer. - */ - int next_proto_neg_seen; - - /* - * ALPN information - * (we are in the process of transitioning from NPN to ALPN). - */ - /* + * ALPN information. + * * In a server these point to the selected ALPN protocol after the * ClientHello has been processed. In a client these contain the * protocol that the server selected once the ServerHello has been @@ -1245,7 +1212,6 @@ int ssl3_get_server_key_exchange(SSL *s); int ssl3_get_server_certificate(SSL *s); int ssl3_check_cert_and_algorithm(SSL *s); int ssl3_check_finished(SSL *s); -int ssl3_send_next_proto(SSL *s); /* some server-only functions */ int ssl3_get_client_hello(SSL *s); @@ -1257,7 +1223,6 @@ int ssl3_send_server_done(SSL *s); int ssl3_get_client_certificate(SSL *s); int ssl3_get_client_key_exchange(SSL *s); int ssl3_get_cert_verify(SSL *s); -int ssl3_get_next_proto(SSL *s); int ssl23_accept(SSL *s); int ssl23_connect(SSL *s); diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c index a21039e7278..50ce91ddd80 100644 --- a/lib/libssl/ssl_srvr.c +++ b/lib/libssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.20 2017/08/12 02:55:22 jsing Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.21 2017/08/12 21:03:08 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -468,10 +468,7 @@ ssl3_accept(SSL *s) * the client uses its key from the certificate * for key exchange. */ - if (S3I(s)->next_proto_neg_seen) - S3I(s)->hs.state = SSL3_ST_SR_NEXT_PROTO_A; - else - S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A; + S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A; s->internal->init_num = 0; } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) { S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A; 
@@ -525,20 +522,8 @@ ssl3_accept(SSL *s) if (ret <= 0) goto end; - if (S3I(s)->next_proto_neg_seen) - S3I(s)->hs.state = SSL3_ST_SR_NEXT_PROTO_A; - else - S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A; - s->internal->init_num = 0; - break; - - case SSL3_ST_SR_NEXT_PROTO_A: - case SSL3_ST_SR_NEXT_PROTO_B: - ret = ssl3_get_next_proto(s); - if (ret <= 0) - goto end; - s->internal->init_num = 0; S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A; + s->internal->init_num = 0; break; case SSL3_ST_SR_FINISHED_A: @@ -610,15 +595,9 @@ ssl3_accept(SSL *s) if (ret <= 0) goto end; S3I(s)->hs.state = SSL3_ST_SW_FLUSH; - if (s->internal->hit) { - if (S3I(s)->next_proto_neg_seen) { - s->s3->flags |= SSL3_FLAGS_CCS_OK; - S3I(s)->hs.next_state = - SSL3_ST_SR_NEXT_PROTO_A; - } else - S3I(s)->hs.next_state = - SSL3_ST_SR_FINISHED_A; - } else + if (s->internal->hit) + S3I(s)->hs.next_state = SSL3_ST_SR_FINISHED_A; + else S3I(s)->hs.next_state = SSL_ST_OK; s->internal->init_num = 0; break; 
@@ -2708,74 +2687,3 @@ ssl3_send_cert_status(SSL *s) return (-1); } - -/* - * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. - * It sets the next_proto member in s if found - */ -int -ssl3_get_next_proto(SSL *s) -{ - CBS cbs, proto, padding; - int ok; - long n; - size_t len; - - /* - * Clients cannot send a NextProtocol message if we didn't see the - * extension in their ClientHello - */ - if (!S3I(s)->next_proto_neg_seen) { - SSLerror(s, SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION); - return (-1); - } - - /* 514 maxlen is enough for the payload format below */ - n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A, - SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO, 514, &ok); - if (!ok) - return ((int)n); - - /* - * S3I(s)->hs.state doesn't reflect whether ChangeCipherSpec has been received - * in this handshake, but S3I(s)->change_cipher_spec does (will be reset - * by ssl3_get_finished). - */ - if (!S3I(s)->change_cipher_spec) { - SSLerror(s, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS); - return (-1); - } - - if (n < 2) - return (0); - /* The body must be > 1 bytes long */ - - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); - - /* - * The payload looks like: - * uint8 proto_len; - * uint8 proto[proto_len]; - * uint8 padding_len; - * uint8 padding[padding_len]; - */ - if (!CBS_get_u8_length_prefixed(&cbs, &proto) || - !CBS_get_u8_length_prefixed(&cbs, &padding) || - CBS_len(&cbs) != 0) - return 0; - - /* - * XXX We should not NULL it, but this matches old behavior of not - * freeing before malloc. - */ - s->internal->next_proto_negotiated = NULL; - s->internal->next_proto_negotiated_len = 0; - - if (!CBS_stow(&proto, &s->internal->next_proto_negotiated, &len)) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - return (0); - } - s->internal->next_proto_negotiated_len = (uint8_t)len; - - return (1); -} diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c index 3e5133ab54c..911e8d3f4e2 100644 --- a/lib/libssl/t1_lib.c 
+++ b/lib/libssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.127 2017/08/12 02:55:22 jsing Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.128 2017/08/12 21:03:08 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -779,16 +779,6 @@ skip_ext: i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ret); } - if (s->ctx->internal->next_proto_select_cb && - !S3I(s)->tmp.finish_md_len) { - /* The client advertises an emtpy extension to indicate its - * support for Next Protocol Negotiation */ - if ((size_t)(limit - ret) < 4) - return NULL; - s2n(TLSEXT_TYPE_next_proto_neg, ret); - s2n(0, ret); - } - if (s->internal->alpn_client_proto_list != NULL && S3I(s)->tmp.finish_md_len == 0) { if ((size_t)(limit - ret) < @@ -868,7 +858,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) { int extdatalen = 0; unsigned char *ret = p; - int next_proto_neg_seen; size_t len; CBB cbb; @@ -949,26 +938,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) ret += sizeof(cryptopro_ext); } - next_proto_neg_seen = S3I(s)->next_proto_neg_seen; - S3I(s)->next_proto_neg_seen = 0; - if (next_proto_neg_seen && s->ctx->internal->next_protos_advertised_cb) { - const unsigned char *npa; - unsigned int npalen; - int r; - - r = s->ctx->internal->next_protos_advertised_cb(s, &npa, &npalen, - s->ctx->internal->next_protos_advertised_cb_arg); - if (r == SSL_TLSEXT_ERR_OK) { - if ((size_t)(limit - ret) < 4 + npalen) - return NULL; - s2n(TLSEXT_TYPE_next_proto_neg, ret); - s2n(npalen, ret); - memcpy(ret, npa, npalen); - ret += npalen; - S3I(s)->next_proto_neg_seen = 1; - } - } - if (S3I(s)->alpn_selected != NULL) { const unsigned char *selected = S3I(s)->alpn_selected; unsigned int len = S3I(s)->alpn_selected_len; 
@@ -1070,7 +1039,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, s->internal->servername_done = 0; s->tlsext_status_type = -1; S3I(s)->renegotiate_seen = 0; - S3I(s)->next_proto_neg_seen = 0; free(S3I(s)->alpn_selected); S3I(s)->alpn_selected = NULL; s->internal->srtp_profile = NULL; @@ -1227,36 +1195,13 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, */ s->tlsext_status_type = -1; } - } - else if (type == TLSEXT_TYPE_next_proto_neg && - S3I(s)->tmp.finish_md_len == 0 && - S3I(s)->alpn_selected == NULL) { - /* We shouldn't accept this extension on a - * renegotiation. - * - * s->internal->new_session will be set on renegotiation, but we - * probably shouldn't rely that it couldn't be set on - * the initial renegotation too in certain cases (when - * there's some other reason to disallow resuming an - * earlier session -- the current code won't be doing - * anything like that, but this might change). - - * A valid sign that there's been a previous handshake - * in this connection is if S3I(s)->tmp.finish_md_len > - * 0. (We are talking about a check that will happen - * in the Hello protocol round, well before a new - * Finished message could have been computed.) */ - S3I(s)->next_proto_neg_seen = 1; - } - else if (type == + } else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && s->ctx->internal->alpn_select_cb != NULL && S3I(s)->tmp.finish_md_len == 0) { if (tls1_alpn_handle_client_hello(s, data, size, al) != 1) return (0); - /* ALPN takes precedence over NPN. */ - S3I(s)->next_proto_neg_seen = 0; } /* session ticket processed earlier */ 
@@ -1293,25 +1238,6 @@ err: return 0; } -/* - * ssl_next_proto_validate validates a Next Protocol Negotiation block. No - * elements of zero length are allowed and the set of elements must exactly fill - * the length of the block. - */ -static char -ssl_next_proto_validate(const unsigned char *d, unsigned int len) -{ - CBS npn, value; - - CBS_init(&npn, d, len); - while (CBS_len(&npn) > 0) { - if (!CBS_get_u8_length_prefixed(&npn, &value) || - CBS_len(&value) == 0) - return 0; - } - return 1; -} - int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al) { @@ -1323,7 +1249,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al) CBS cbs; S3I(s)->renegotiate_seen = 0; - S3I(s)->next_proto_neg_seen = 0; free(S3I(s)->alpn_selected); S3I(s)->alpn_selected = NULL; 
@@ -1375,39 +1300,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al) } /* Set flag to expect CertificateStatus message */ s->internal->tlsext_status_expected = 1; - } - else if (type == TLSEXT_TYPE_next_proto_neg && - S3I(s)->tmp.finish_md_len == 0) { - unsigned char *selected; - unsigned char selected_len; - - /* We must have requested it. */ - if (s->ctx->internal->next_proto_select_cb == NULL) { - *al = TLS1_AD_UNSUPPORTED_EXTENSION; - return 0; - } - /* The data must be valid */ - if (!ssl_next_proto_validate(data, size)) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - if (s->ctx->internal->next_proto_select_cb(s, &selected, - &selected_len, data, size, - s->ctx->internal->next_proto_select_cb_arg) != - SSL_TLSEXT_ERR_OK) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - s->internal->next_proto_negotiated = malloc(selected_len); - if (!s->internal->next_proto_negotiated) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - memcpy(s->internal->next_proto_negotiated, selected, selected_len); - s->internal->next_proto_negotiated_len = selected_len; - S3I(s)->next_proto_neg_seen = 1; - } - else if (type == + } else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) { unsigned int len; |
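Review bot: Deleting the `TLSEXT_TYPE_next_proto_neg` branch from ssl_parse_serverhello_tlsext also deletes the "We must have requested it" check, which answered an unsolicited NPN extension with `TLS1_AD_UNSUPPORTED_EXTENSION`; after this commit the client never offers NPN, so any such extension in a ServerHello is unsolicited. As far as this hunk shows, it now falls through the `else if` chain and is ignored rather than rejected. The rest of the chain and the function are outside the hunk, so confirm whether a generic unsolicited-extension check exists elsewhere. If there is none, a minimal branch keeps the earlier strictness: `else if (type == TLSEXT_TYPE_next_proto_neg) { *al = TLS1_AD_UNSUPPORTED_EXTENSION; return 0; }`.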