Create contexts for server side SNI - these include the additional SSL_CTX

that is required for certificate switching with libssl and the certificate
itself so that we can match against the subject and SANs. Hook up the
servername callback and switch to the appropriate SSL_CTX if we find a
matching certificate.

ok beck@

1 files changed, 27 insertions, 1 deletions

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index bf0e1f769f..df610fe238 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.46 2016/08/15 14:04:23 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.47 2016/08/22 14:51:37 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -177,6 +177,24 @@ tls_set_errorx(struct tls *ctx, const char *fmt, ...)
         return (rv);
 }
 
+struct tls_sni_ctx *
+tls_sni_ctx_new(void)
+{
+        return (calloc(1, sizeof(struct tls_sni_ctx)));
+}
+
+void
+tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx)
+{
+        if (sni_ctx == NULL)
+                return;
+
+        SSL_CTX_free(sni_ctx->ssl_ctx);
+        X509_free(sni_ctx->ssl_cert);
+
+        free(sni_ctx);
+}
+
 struct tls *
 tls_new(void)
 {
@@ -376,6 +394,8 @@ tls_free(struct tls *ctx)
 void
 tls_reset(struct tls *ctx)
 {
+        struct tls_sni_ctx *sni, *nsni;
+
         SSL_CTX_free(ctx->ssl_ctx);
         SSL_free(ctx->ssl_conn);
         X509_free(ctx->ssl_peer_cert);
@@ -397,6 +417,12 @@ tls_reset(struct tls *ctx)
         tls_free_conninfo(ctx->conninfo);
         free(ctx->conninfo);
         ctx->conninfo = NULL;
+
+        for (sni = ctx->sni_ctx; sni != NULL; sni = nsni) {
+                nsni = sni->next;
+                tls_sni_ctx_free(sni);
+        }
+        ctx->sni_ctx = NULL;
 }
 
 int