Rewrite and move the last remnants of the ServerHello SNI handling into

tlsext_sni_serverhello_parse(). This also adds a check to ensure that if we have an existing session, the name matches what we specified via SNI. ok doug@
author: jsing <> 2017-07-24 17:39:43 +0000
committer: jsing <> 2017-07-24 17:39:43 +0000
commit: a3244a2497373d8f008d9ab9d18b2d98b92b84f3 (patch)
tree: 7bd66962dd8d0a3f77e083181d094633228b180a /src/lib/libssl/ssl_tlsext.c
parent: b458c380d4a5175d5bda251e8a549e7a58c48839 (diff)
download: openbsd-a3244a2497373d8f008d9ab9d18b2d98b92b84f3.tar.gz
openbsd-a3244a2497373d8f008d9ab9d18b2d98b92b84f3.tar.bz2
openbsd-a3244a2497373d8f008d9ab9d18b2d98b92b84f3.zip
1 files changed, 23 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 539c380fb9..400c69fa87 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.2 2017/07/24 17:10:31 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.3 2017/07/24 17:39:43 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -259,6 +259,28 @@ tlsext_sni_serverhello_parse(SSL *s, CBS *cbs, int *alert)
                return 0;
        }
+        if (s->internal->hit) {
+                if (s->session->tlsext_hostname == NULL) {
+                        *alert = TLS1_AD_UNRECOGNIZED_NAME;
+                        return 0;
+                }
+                if (strcmp(s->tlsext_hostname,
+                    s->session->tlsext_hostname) != 0) {
+                        *alert = TLS1_AD_UNRECOGNIZED_NAME;
+                        return 0;
+                }
+        } else {
+                if (s->session->tlsext_hostname != NULL) {
+                        *alert = SSL_AD_DECODE_ERROR;
+                        return 0;
+                }
+                if ((s->session->tlsext_hostname =
+                    strdup(s->tlsext_hostname)) == NULL) {
+                        *alert = TLS1_AD_INTERNAL_ERROR;
+                        return 0;
+                }
+        }
        return 1;
 }
author	jsing <>	2017-07-24 17:39:43 +0000
committer	jsing <>	2017-07-24 17:39:43 +0000
commit	a3244a2497373d8f008d9ab9d18b2d98b92b84f3 (patch)
tree	7bd66962dd8d0a3f77e083181d094633228b180a /src/lib/libssl/ssl_tlsext.c
parent	b458c380d4a5175d5bda251e8a549e7a58c48839 (diff)
download	openbsd-a3244a2497373d8f008d9ab9d18b2d98b92b84f3.tar.gz openbsd-a3244a2497373d8f008d9ab9d18b2d98b92b84f3.tar.bz2 openbsd-a3244a2497373d8f008d9ab9d18b2d98b92b84f3.zip

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 539c380fb9..400c69fa87 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.2 2017/07/24 17:10:31 jsing Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.3 2017/07/24 17:39:43 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -259,6 +259,28 @@ tlsext_sni_serverhello_parse(SSL s, CBS cbs, int *alert)
259	return 0;	259	return 0;
260	}	260	}
261		261
		262	if (s->internal->hit) {
		263	if (s->session->tlsext_hostname == NULL) {
		264	*alert = TLS1_AD_UNRECOGNIZED_NAME;
		265	return 0;
		266	}
		267	if (strcmp(s->tlsext_hostname,
		268	s->session->tlsext_hostname) != 0) {
		269	*alert = TLS1_AD_UNRECOGNIZED_NAME;
		270	return 0;
		271	}
		272	} else {
		273	if (s->session->tlsext_hostname != NULL) {
		274	*alert = SSL_AD_DECODE_ERROR;
		275	return 0;
		276	}
		277	if ((s->session->tlsext_hostname =
		278	strdup(s->tlsext_hostname)) == NULL) {
		279	*alert = TLS1_AD_INTERNAL_ERROR;
		280	return 0;
		281	}
		282	}
		283
262	return 1;	284	return 1;
263	}	285	}
264		286