Create contexts for server side SNI - these include the additional SSL_CTX

that is required for certificate switching with libssl and the certificate
itself so that we can match against the subject and SANs. Hook up the
servername callback and switch to the appropriate SSL_CTX if we find a
matching certificate.

ok beck@

1 files changed, 14 insertions, 1 deletions

diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index bbd231e00e..428e29c857 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.39 2016/08/15 15:44:58 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.40 2016/08/22 14:51:37 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -91,6 +91,13 @@ struct tls_conninfo {
 #define TLS_EOF_NO_CLOSE_NOTIFY (1 << 0)
 #define TLS_HANDSHAKE_COMPLETE  (1 << 1)
 
+struct tls_sni_ctx {
+        struct tls_sni_ctx *next;
+
+        SSL_CTX *ssl_ctx;
+        X509 *ssl_cert;
+};
+
 struct tls {
         struct tls_config *config;
         struct tls_error error;
@@ -103,11 +110,17 @@ struct tls {
 
         SSL *ssl_conn;
         SSL_CTX *ssl_ctx;
+
+        struct tls_sni_ctx *sni_ctx;
+
         X509 *ssl_peer_cert;
 
         struct tls_conninfo *conninfo;
 };
 
+struct tls_sni_ctx *tls_sni_ctx_new(void);
+void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx);
+
 struct tls *tls_new(void);
 struct tls *tls_server_conn(struct tls *ctx);