7 files changed, 28 insertions, 377 deletions
diff --git a/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 b/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
index ea7b1faf483..eb6c543478b 100644
--- a/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
+++ b/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.2 2017/06/10 13:58:59 schwarze Exp $
+.\"	$OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.3 2017/08/12 21:03:08 jsing Exp $
 .\"	OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Todd Short <tshort@akamai.com>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2017 $
+.Dd $Mdocdate: August 12 2017 $
 .Dt SSL_CTX_SET_ALPN_SELECT_CB 3
 .Os
 .Sh NAME
@@ -181,7 +181,6 @@ If no match is found, the first item in
 is returned in
 .Fa out ,
 .Fa outlen .
-This function can also be used in the NPN callback.
 .Pp
 .Fn SSL_get0_alpn_selected
 returns a pointer to the selected protocol in
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 3a11d628930..acbe30d8040 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.157 2017/08/12 02:55:22 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.158 2017/08/12 21:03:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1705,10 +1705,6 @@ ssl3_clear(SSL *s)
 
 	s->internal->packet_length = 0;
 	s->version = TLS1_VERSION;
-
-	free(s->internal->next_proto_negotiated);
-	s->internal->next_proto_negotiated = NULL;
-	s->internal->next_proto_negotiated_len = 0;
 }
 
 static long
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 865c961db74..ec4a4104fcc 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.15 2017/08/12 02:55:22 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.16 2017/08/12 21:03:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -407,14 +407,11 @@ ssl3_connect(SSL *s)
 		case SSL3_ST_CW_CHANGE_A:
 		case SSL3_ST_CW_CHANGE_B:
 			ret = ssl3_send_change_cipher_spec(s,
-			SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B);
+			    SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B);
 			if (ret <= 0)
 				goto end;
 
-			if (S3I(s)->next_proto_neg_seen)
-				S3I(s)->hs.state = SSL3_ST_CW_NEXT_PROTO_A;
-			else
-				S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A;
+			S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A;
 			s->internal->init_num = 0;
 
 			s->session->cipher = S3I(s)->hs.new_cipher;
@@ -431,14 +428,6 @@ ssl3_connect(SSL *s)
 
 			break;
 
-		case SSL3_ST_CW_NEXT_PROTO_A:
-		case SSL3_ST_CW_NEXT_PROTO_B:
-			ret = ssl3_send_next_proto(s);
-			if (ret <= 0)
-				goto end;
-			S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A;
-			break;
-
 		case SSL3_ST_CW_FINISHED_A:
 		case SSL3_ST_CW_FINISHED_B:
 			ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A,
@@ -2599,45 +2588,6 @@ err:
 	return (0);
 }
 
-int
-ssl3_send_next_proto(SSL *s)
-{
-	CBB cbb, nextproto, npn, padding;
-	size_t pad_len;
-	uint8_t *pad;
-
-	memset(&cbb, 0, sizeof(cbb));
-
-	if (S3I(s)->hs.state == SSL3_ST_CW_NEXT_PROTO_A) {
-		pad_len = 32 - ((s->internal->next_proto_negotiated_len + 2) % 32);
-
-		if (!ssl3_handshake_msg_start_cbb(s, &cbb, &nextproto,
-		    SSL3_MT_NEXT_PROTO))
-			goto err;
-		if (!CBB_add_u8_length_prefixed(&nextproto, &npn))
-			goto err;
-		if (!CBB_add_bytes(&npn, s->internal->next_proto_negotiated,
-		    s->internal->next_proto_negotiated_len))
-			goto err;
-		if (!CBB_add_u8_length_prefixed(&nextproto, &padding))
-			goto err;
-		if (!CBB_add_space(&padding, &pad, pad_len))
-			goto err;
-		memset(pad, 0, pad_len);
-		if (!ssl3_handshake_msg_finish_cbb(s, &cbb))
-			goto err;
-
-		S3I(s)->hs.state = SSL3_ST_CW_NEXT_PROTO_B;
-	}
-
-	return (ssl3_handshake_write(s));
-
- err:
-	CBB_cleanup(&cbb);
-
-	return (-1);
-}
-
 /*
  * Check to see if handshake is full or resumed. Usually this is just a
  * case of checking to see if a cache hit has occurred. In the case of
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index de78ad2fcff..32a5680db77 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.166 2017/08/12 02:55:22 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.167 2017/08/12 21:03:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -339,8 +339,6 @@ SSL_new(SSL_CTX *ctx)
 		    ctx->internal->tlsext_supportedgroups_length;
 	}
 
-	s->internal->next_proto_negotiated = NULL;
-
 	if (s->ctx->internal->alpn_client_proto_list != NULL) {
 		s->internal->alpn_client_proto_list =
 		    malloc(s->ctx->internal->alpn_client_proto_list_len);
@@ -548,7 +546,6 @@ SSL_free(SSL *s)
 
 	SSL_CTX_free(s->ctx);
 
-	free(s->internal->next_proto_negotiated);
 	free(s->internal->alpn_client_proto_list);
 
 #ifndef OPENSSL_NO_SRTP
@@ -1541,33 +1538,15 @@ SSL_get_servername_type(const SSL *s)
 }
 
 /*
- * SSL_select_next_proto implements the standard protocol selection. It is
+ * SSL_select_next_proto implements standard protocol selection. It is
  * expected that this function is called from the callback set by
- * SSL_CTX_set_next_proto_select_cb.
+ * SSL_CTX_set_alpn_select_cb.
  *
  * The protocol data is assumed to be a vector of 8-bit, length prefixed byte
  * strings. The length byte itself is not included in the length. A byte
  * string of length 0 is invalid. No byte string may be truncated.
  *
- * The current, but experimental algorithm for selecting the protocol is:
- *
- * 1) If the server doesn't support NPN then this is indicated to the
- * callback. In this case, the client application has to abort the connection
- * or have a default application level protocol.
- *
- * 2) If the server supports NPN, but advertises an empty list then the
- * client selects the first protcol in its list, but indicates via the
- * API that this fallback case was enacted.
- *
- * 3) Otherwise, the client finds the first protocol in the server's list
- * that it supports and selects this protocol. This is because it's
- * assumed that the server has better information about which protocol
- * a client should use.
- *
- * 4) If the client doesn't support any of the server's advertised
- * protocols, then this is treated the same as case 2.
- *
- * It returns either
+ * It returns either:
  * OPENSSL_NPN_NEGOTIATED if a common protocol was found, or
  * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
  */
@@ -1611,64 +1590,28 @@ found:
 	return (status);
 }
 
-/*
- * SSL_get0_next_proto_negotiated sets *data and *len to point to the client's
- * requested protocol for this connection and returns 0. If the client didn't
- * request any protocol, then *data is set to NULL.
- *
- * Note that the client can request any protocol it chooses. The value returned
- * from this function need not be a member of the list of supported protocols
- * provided by the callback.
- */
+/* SSL_get0_next_proto_negotiated is deprecated. */
 void
 SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
     unsigned *len)
 {
-	*data = s->internal->next_proto_negotiated;
-	if (!*data) {
-		*len = 0;
-	} else {
-		*len = s->internal->next_proto_negotiated_len;
-	}
+	*data = NULL;
+	*len = 0;
 }
 
-/*
- * SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
- * TLS server needs a list of supported protocols for Next Protocol
- * Negotiation. The returned list must be in wire format.  The list is returned
- * by setting |out| to point to it and |outlen| to its length. This memory will
- * not be modified, but one should assume that the SSL* keeps a reference to
- * it.
- *
- * The callback should return SSL_TLSEXT_ERR_OK if it wishes to advertise.
- * Otherwise, no such extension will be included in the ServerHello.
- */
+/* SSL_CTX_set_next_protos_advertised_cb is deprecated. */
 void
 SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl,
     const unsigned char **out, unsigned int *outlen, void *arg), void *arg)
 {
-	ctx->internal->next_protos_advertised_cb = cb;
-	ctx->internal->next_protos_advertised_cb_arg = arg;
 }
 
-/*
- * SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
- * client needs to select a protocol from the server's provided list. |out|
- * must be set to point to the selected protocol (which may be within |in|).
- * The length of the protocol name must be written into |outlen|. The server's
- * advertised protocols are provided in |in| and |inlen|. The callback can
- * assume that |in| is syntactically valid.
- *
- * The client must select a protocol. It is fatal to the connection if this
- * callback returns a value other than SSL_TLSEXT_ERR_OK.
- */
+/* SSL_CTX_set_next_proto_select_cb is deprecated. */
 void
 SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s,
     unsigned char **out, unsigned char *outlen, const unsigned char *in,
     unsigned int inlen, void *arg), void *arg)
 {
-	ctx->internal->next_proto_select_cb = cb;
-	ctx->internal->next_proto_select_cb_arg = arg;
 }
 
 /*
@@ -1912,9 +1855,6 @@ SSL_CTX_new(const SSL_METHOD *meth)
 	ret->internal->tlsext_status_cb = 0;
 	ret->internal->tlsext_status_arg = NULL;
 
-	ret->internal->next_protos_advertised_cb = 0;
-	ret->internal->next_proto_select_cb = 0;
-
 #ifndef OPENSSL_NO_ENGINE
 	ret->internal->client_cert_engine = NULL;
 #ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 6f9be12fa7c..914501213cc 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.188 2017/08/12 02:55:22 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.189 2017/08/12 21:03:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -575,24 +575,8 @@ typedef struct ssl_ctx_internal_st {
 	/* SRTP profiles we are willing to do from RFC 5764 */
 	STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
 
-	/* Next protocol negotiation information */
-	/* (for experimental NPN extension). */
-
-	/* For a server, this contains a callback function by which the set of
-	 * advertised protocols can be provided. */
-	int (*next_protos_advertised_cb)(SSL *s, const unsigned char **buf,
-	    unsigned int *len, void *arg);
-	void *next_protos_advertised_cb_arg;
-	/* For a client, this contains a callback function that selects the
-	 * next protocol from the list provided by the server. */
-	int (*next_proto_select_cb)(SSL *s, unsigned char **out,
-	    unsigned char *outlen, const unsigned char *in,
-	    unsigned int inlen, void *arg);
-	void *next_proto_select_cb_arg;
-
 	/*
-	 * ALPN information
-	 * (we are in the process of transitioning from NPN to ALPN).
+	 * ALPN information.
 	 */
 
 	/*
@@ -627,16 +611,6 @@ typedef struct ssl_internal_st {
 	unsigned long options; /* protocol behaviour */
 	unsigned long mode; /* API behaviour */
 
-	/* Next protocol negotiation. For the client, this is the protocol that
-	 * we sent in NextProtocol and is set when handling ServerHello
-	 * extensions.
-	 *
-	 * For a server, this is the client's selected_protocol from
-	 * NextProtocol and is set when handling the NextProtocol message,
-	 * before the Finished message. */
-	unsigned char *next_proto_negotiated;
-	unsigned char next_proto_negotiated_len;
-
 	/* Client list of supported protocols in wire format. */
 	unsigned char *alpn_client_proto_list;
 	unsigned int alpn_client_proto_list_len;
@@ -881,16 +855,9 @@ typedef struct ssl3_state_internal_st {
 	/* Set if we saw a Renegotiation Indication extension from our peer. */
 	int renegotiate_seen;
 
-	/* Set if we saw the Next Protocol Negotiation extension from our peer.
-	 */
-	int next_proto_neg_seen;
-
-	/*
-	 * ALPN information
-	 * (we are in the process of transitioning from NPN to ALPN).
-	 */
-
 	/*
+	 * ALPN information.
+	 *
 	 * In a server these point to the selected ALPN protocol after the
 	 * ClientHello has been processed. In a client these contain the
 	 * protocol that the server selected once the ServerHello has been
@@ -1245,7 +1212,6 @@ int ssl3_get_server_key_exchange(SSL *s);
 int ssl3_get_server_certificate(SSL *s);
 int ssl3_check_cert_and_algorithm(SSL *s);
 int ssl3_check_finished(SSL *s);
-int ssl3_send_next_proto(SSL *s);
 
 /* some server-only functions */
 int ssl3_get_client_hello(SSL *s);
@@ -1257,7 +1223,6 @@ int ssl3_send_server_done(SSL *s);
 int ssl3_get_client_certificate(SSL *s);
 int ssl3_get_client_key_exchange(SSL *s);
 int ssl3_get_cert_verify(SSL *s);
-int ssl3_get_next_proto(SSL *s);
 
 int ssl23_accept(SSL *s);
 int ssl23_connect(SSL *s);
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index a21039e7278..50ce91ddd80 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.20 2017/08/12 02:55:22 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.21 2017/08/12 21:03:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -468,10 +468,7 @@ ssl3_accept(SSL *s)
 				 * the client uses its key from the certificate
 				 * for key exchange.
 				 */
-				if (S3I(s)->next_proto_neg_seen)
-					S3I(s)->hs.state = SSL3_ST_SR_NEXT_PROTO_A;
-				else
-					S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
+				S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
 				s->internal->init_num = 0;
 			} else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) {
 				S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
@@ -525,20 +522,8 @@ ssl3_accept(SSL *s)
 			if (ret <= 0)
 				goto end;
 
-			if (S3I(s)->next_proto_neg_seen)
-				S3I(s)->hs.state = SSL3_ST_SR_NEXT_PROTO_A;
-			else
-				S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
-			s->internal->init_num = 0;
-			break;
-
-		case SSL3_ST_SR_NEXT_PROTO_A:
-		case SSL3_ST_SR_NEXT_PROTO_B:
-			ret = ssl3_get_next_proto(s);
-			if (ret <= 0)
-				goto end;
-			s->internal->init_num = 0;
 			S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
+			s->internal->init_num = 0;
 			break;
 
 		case SSL3_ST_SR_FINISHED_A:
@@ -610,15 +595,9 @@ ssl3_accept(SSL *s)
 			if (ret <= 0)
 				goto end;
 			S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
-			if (s->internal->hit) {
-				if (S3I(s)->next_proto_neg_seen) {
-					s->s3->flags |= SSL3_FLAGS_CCS_OK;
-					S3I(s)->hs.next_state =
-					    SSL3_ST_SR_NEXT_PROTO_A;
-				} else
-					S3I(s)->hs.next_state =
-					    SSL3_ST_SR_FINISHED_A;
-			} else
+			if (s->internal->hit)
+				S3I(s)->hs.next_state = SSL3_ST_SR_FINISHED_A;
+			else
 				S3I(s)->hs.next_state = SSL_ST_OK;
 			s->internal->init_num = 0;
 			break;
@@ -2708,74 +2687,3 @@ ssl3_send_cert_status(SSL *s)
 
 	return (-1);
 }
-
-/*
- * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message.
- * It sets the next_proto member in s if found
- */
-int
-ssl3_get_next_proto(SSL *s)
-{
-	CBS cbs, proto, padding;
-	int ok;
-	long n;
-	size_t len;
-
-	/*
-	 * Clients cannot send a NextProtocol message if we didn't see the
-	 * extension in their ClientHello
-	 */
-	if (!S3I(s)->next_proto_neg_seen) {
-		SSLerror(s, SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
-		return (-1);
-	}
-
-	/* 514 maxlen is enough for the payload format below */
-	n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
-	    SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO, 514, &ok);
-	if (!ok)
-		return ((int)n);
-
-	/*
-	 * S3I(s)->hs.state doesn't reflect whether ChangeCipherSpec has been received
-	 * in this handshake, but S3I(s)->change_cipher_spec does (will be reset
-	 * by ssl3_get_finished).
-	 */
-	if (!S3I(s)->change_cipher_spec) {
-		SSLerror(s, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
-		return (-1);
-	}
-
-	if (n < 2)
-		return (0);
-	/* The body must be > 1 bytes long */
-
-	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
-
-	/*
-	 * The payload looks like:
-	 *   uint8 proto_len;
-	 *   uint8 proto[proto_len];
-	 *   uint8 padding_len;
-	 *   uint8 padding[padding_len];
-	 */
-	if (!CBS_get_u8_length_prefixed(&cbs, &proto) ||
-	    !CBS_get_u8_length_prefixed(&cbs, &padding) ||
-	    CBS_len(&cbs) != 0)
-		return 0;
-
-	/*
-	 * XXX We should not NULL it, but this matches old behavior of not
-	 * freeing before malloc.
-	 */
-	s->internal->next_proto_negotiated = NULL;
-	s->internal->next_proto_negotiated_len = 0;
-
-	if (!CBS_stow(&proto, &s->internal->next_proto_negotiated, &len)) {
-		SSLerror(s, ERR_R_MALLOC_FAILURE);
-		return (0);
-	}
-	s->internal->next_proto_negotiated_len = (uint8_t)len;
-
-	return (1);
-}
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index 3e5133ab54c..911e8d3f4e2 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.127 2017/08/12 02:55:22 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.128 2017/08/12 21:03:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -779,16 +779,6 @@ skip_ext:
 			i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ret);
 	}
 
-	if (s->ctx->internal->next_proto_select_cb &&
-	    !S3I(s)->tmp.finish_md_len) {
-		/* The client advertises an emtpy extension to indicate its
-		 * support for Next Protocol Negotiation */
-		if ((size_t)(limit - ret) < 4)
-			return NULL;
-		s2n(TLSEXT_TYPE_next_proto_neg, ret);
-		s2n(0, ret);
-	}
-
 	if (s->internal->alpn_client_proto_list != NULL &&
 	    S3I(s)->tmp.finish_md_len == 0) {
 		if ((size_t)(limit - ret) <
@@ -868,7 +858,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
 {
 	int extdatalen = 0;
 	unsigned char *ret = p;
-	int next_proto_neg_seen;
 	size_t len;
 	CBB cbb;
 
@@ -949,26 +938,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
 		ret += sizeof(cryptopro_ext);
 	}
 
-	next_proto_neg_seen = S3I(s)->next_proto_neg_seen;
-	S3I(s)->next_proto_neg_seen = 0;
-	if (next_proto_neg_seen && s->ctx->internal->next_protos_advertised_cb) {
-		const unsigned char *npa;
-		unsigned int npalen;
-		int r;
-
-		r = s->ctx->internal->next_protos_advertised_cb(s, &npa, &npalen,
-		    s->ctx->internal->next_protos_advertised_cb_arg);
-		if (r == SSL_TLSEXT_ERR_OK) {
-			if ((size_t)(limit - ret) < 4 + npalen)
-				return NULL;
-			s2n(TLSEXT_TYPE_next_proto_neg, ret);
-			s2n(npalen, ret);
-			memcpy(ret, npa, npalen);
-			ret += npalen;
-			S3I(s)->next_proto_neg_seen = 1;
-		}
-	}
-
 	if (S3I(s)->alpn_selected != NULL) {
 		const unsigned char *selected = S3I(s)->alpn_selected;
 		unsigned int len = S3I(s)->alpn_selected_len;
@@ -1070,7 +1039,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 	s->internal->servername_done = 0;
 	s->tlsext_status_type = -1;
 	S3I(s)->renegotiate_seen = 0;
-	S3I(s)->next_proto_neg_seen = 0;
 	free(S3I(s)->alpn_selected);
 	S3I(s)->alpn_selected = NULL;
 	s->internal->srtp_profile = NULL;
@@ -1227,36 +1195,13 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
  			 	*/
 				s->tlsext_status_type = -1;
 			}
-		}
-		else if (type == TLSEXT_TYPE_next_proto_neg &&
-		    S3I(s)->tmp.finish_md_len == 0 &&
-		    S3I(s)->alpn_selected == NULL) {
-			/* We shouldn't accept this extension on a
-			 * renegotiation.
-			 *
-			 * s->internal->new_session will be set on renegotiation, but we
-			 * probably shouldn't rely that it couldn't be set on
-			 * the initial renegotation too in certain cases (when
-			 * there's some other reason to disallow resuming an
-			 * earlier session -- the current code won't be doing
-			 * anything like that, but this might change).
-
-			 * A valid sign that there's been a previous handshake
-			 * in this connection is if S3I(s)->tmp.finish_md_len >
-			 * 0.  (We are talking about a check that will happen
-			 * in the Hello protocol round, well before a new
-			 * Finished message could have been computed.) */
-			S3I(s)->next_proto_neg_seen = 1;
-		}
-		else if (type ==
+		} else if (type ==
 		    TLSEXT_TYPE_application_layer_protocol_negotiation &&
 		    s->ctx->internal->alpn_select_cb != NULL &&
 		    S3I(s)->tmp.finish_md_len == 0) {
 			if (tls1_alpn_handle_client_hello(s, data,
 			    size, al) != 1)
 				return (0);
-			/* ALPN takes precedence over NPN. */
-			S3I(s)->next_proto_neg_seen = 0;
 		}
 
 		/* session ticket processed earlier */
@@ -1293,25 +1238,6 @@ err:
 	return 0;
 }
 
-/*
- * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
- * elements of zero length are allowed and the set of elements must exactly fill
- * the length of the block.
- */
-static char
-ssl_next_proto_validate(const unsigned char *d, unsigned int len)
-{
-	CBS npn, value;
-
-	CBS_init(&npn, d, len);
-	while (CBS_len(&npn) > 0) {
-		if (!CBS_get_u8_length_prefixed(&npn, &value) ||
-		    CBS_len(&value) == 0)
-			return 0;
-	}
-	return 1;
-}
-
 int
 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
 {
@@ -1323,7 +1249,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
 	CBS cbs;
 
 	S3I(s)->renegotiate_seen = 0;
-	S3I(s)->next_proto_neg_seen = 0;
 	free(S3I(s)->alpn_selected);
 	S3I(s)->alpn_selected = NULL;
 
@@ -1375,39 +1300,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
 			}
 			/* Set flag to expect CertificateStatus message */
 			s->internal->tlsext_status_expected = 1;
-		}
-		else if (type == TLSEXT_TYPE_next_proto_neg &&
-		    S3I(s)->tmp.finish_md_len == 0) {
-			unsigned char *selected;
-			unsigned char selected_len;
-
-			/* We must have requested it. */
-			if (s->ctx->internal->next_proto_select_cb == NULL) {
-				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
-				return 0;
-			}
-			/* The data must be valid */
-			if (!ssl_next_proto_validate(data, size)) {
-				*al = TLS1_AD_DECODE_ERROR;
-				return 0;
-			}
-			if (s->ctx->internal->next_proto_select_cb(s, &selected,
-			    &selected_len, data, size,
-			    s->ctx->internal->next_proto_select_cb_arg) !=
-			    SSL_TLSEXT_ERR_OK) {
-				*al = TLS1_AD_INTERNAL_ERROR;
-				return 0;
-			}
-			s->internal->next_proto_negotiated = malloc(selected_len);
-			if (!s->internal->next_proto_negotiated) {
-				*al = TLS1_AD_INTERNAL_ERROR;
-				return 0;
-			}
-			memcpy(s->internal->next_proto_negotiated, selected, selected_len);
-			s->internal->next_proto_negotiated_len = selected_len;
-			S3I(s)->next_proto_neg_seen = 1;
-		}
-		else if (type ==
+		} else if (type ==
 		    TLSEXT_TYPE_application_layer_protocol_negotiation) {
 			unsigned int len;