Wire up the servername callback in the TLSv1.3 server.

This makes SNI work correctly with TLSv1.3. Found the hard way by danj@, gonzalo@ and others. ok beck@ inoguchi@ tb@
author: jsing <> 2020-05-29 17:47:30 +0000
committer: jsing <> 2020-05-29 17:47:30 +0000
commit: 574d6f0d7739a1810b9aad1f62716ceadbe58540 (patch)
tree: 87f4d432f87e6b391e38fa5c2e73bbef1e8dd87d /src/lib/libssl/tls13_legacy.c
parent: ff2fa7afa324d94c7698c829a723c0673f95c345 (diff)
download: openbsd-574d6f0d7739a1810b9aad1f62716ceadbe58540.tar.gz
openbsd-574d6f0d7739a1810b9aad1f62716ceadbe58540.tar.bz2
openbsd-574d6f0d7739a1810b9aad1f62716ceadbe58540.zip
1 files changed, 27 insertions, 1 deletions
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
index be89e9aa24..4d68287141 100644
--- a/src/lib/libssl/tls13_legacy.c
+++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_legacy.c,v 1.7 2020/05/16 14:42:35 jsing Exp $ */
+/*      $OpenBSD: tls13_legacy.c,v 1.8 2020/05/29 17:47:30 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -519,3 +519,29 @@ tls13_legacy_shutdown(SSL *ssl)
        return 0;
 }
+int
+tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert)
+{
+        int legacy_alert = SSL_AD_UNRECOGNIZED_NAME;
+        int ret = SSL_TLSEXT_ERR_NOACK;
+        SSL_CTX *ssl_ctx = ctx->ssl->ctx;
+        SSL *ssl = ctx->ssl;
+        if (ssl_ctx->internal->tlsext_servername_callback == NULL)
+                ssl_ctx = ssl->initial_ctx;
+        if (ssl_ctx->internal->tlsext_servername_callback == NULL)
+                return 1;
+        ret = ssl_ctx->internal->tlsext_servername_callback(ssl, &legacy_alert,
+            ssl_ctx->internal->tlsext_servername_arg);
+        if (ret == SSL_TLSEXT_ERR_ALERT_FATAL ||
+            ret == SSL_TLSEXT_ERR_ALERT_WARNING) {
+                if (legacy_alert >= 0 && legacy_alert <= 255)
+                        *alert = legacy_alert;
+                return 0;
+        }
+        return 1;
+}
author	jsing <>	2020-05-29 17:47:30 +0000
committer	jsing <>	2020-05-29 17:47:30 +0000
commit	574d6f0d7739a1810b9aad1f62716ceadbe58540 (patch)
tree	87f4d432f87e6b391e38fa5c2e73bbef1e8dd87d /src/lib/libssl/tls13_legacy.c
parent	ff2fa7afa324d94c7698c829a723c0673f95c345 (diff)
download	openbsd-574d6f0d7739a1810b9aad1f62716ceadbe58540.tar.gz openbsd-574d6f0d7739a1810b9aad1f62716ceadbe58540.tar.bz2 openbsd-574d6f0d7739a1810b9aad1f62716ceadbe58540.zip

diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c index be89e9aa24..4d68287141 100644 --- a/src/lib/libssl/tls13_legacy.c +++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_legacy.c,v 1.7 2020/05/16 14:42:35 jsing Exp $ */	1	/* $OpenBSD: tls13_legacy.c,v 1.8 2020/05/29 17:47:30 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -519,3 +519,29 @@ tls13_legacy_shutdown(SSL *ssl)
519		519
520	return 0;	520	return 0;
521	}	521	}
		522
		523	int
		524	tls13_legacy_servername_process(struct tls13_ctx ctx, uint8_t alert)
		525	{
		526	int legacy_alert = SSL_AD_UNRECOGNIZED_NAME;
		527	int ret = SSL_TLSEXT_ERR_NOACK;
		528	SSL_CTX *ssl_ctx = ctx->ssl->ctx;
		529	SSL *ssl = ctx->ssl;
		530
		531	if (ssl_ctx->internal->tlsext_servername_callback == NULL)
		532	ssl_ctx = ssl->initial_ctx;
		533	if (ssl_ctx->internal->tlsext_servername_callback == NULL)
		534	return 1;
		535
		536	ret = ssl_ctx->internal->tlsext_servername_callback(ssl, &legacy_alert,
		537	ssl_ctx->internal->tlsext_servername_arg);
		538
		539	if (ret == SSL_TLSEXT_ERR_ALERT_FATAL \|\|
		540	ret == SSL_TLSEXT_ERR_ALERT_WARNING) {
		541	if (legacy_alert >= 0 && legacy_alert <= 255)
		542	*alert = legacy_alert;
		543	return 0;
		544	}
		545
		546	return 1;
		547	}