diff options
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/ssl_tlsext.c | 33 |
1 files changed, 5 insertions, 28 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 08bf5593ec..9209597601 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_tlsext.c,v 1.154 2024/07/09 12:27:27 beck Exp $ */ | 1 | /* $OpenBSD: ssl_tlsext.c,v 1.156 2025/06/07 10:23:21 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -2410,13 +2410,12 @@ tlsext_randomize_build_order(SSL *s) | |||
| 2410 | { | 2410 | { |
| 2411 | const struct tls_extension *psk_ext; | 2411 | const struct tls_extension *psk_ext; |
| 2412 | size_t idx, new_idx; | 2412 | size_t idx, new_idx; |
| 2413 | size_t alpn_idx = 0, sni_idx = 0; | ||
| 2414 | 2413 | ||
| 2415 | free(s->tlsext_build_order); | 2414 | free(s->tlsext_build_order); |
| 2416 | s->tlsext_build_order_len = 0; | 2415 | s->tlsext_build_order_len = 0; |
| 2417 | 2416 | ||
| 2418 | if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order), | 2417 | if ((s->tlsext_build_order = calloc(N_TLS_EXTENSIONS, |
| 2419 | N_TLS_EXTENSIONS)) == NULL) | 2418 | sizeof(*s->tlsext_build_order))) == NULL) |
| 2420 | return 0; | 2419 | return 0; |
| 2421 | s->tlsext_build_order_len = N_TLS_EXTENSIONS; | 2420 | s->tlsext_build_order_len = N_TLS_EXTENSIONS; |
| 2422 | 2421 | ||
| @@ -2433,28 +2432,6 @@ tlsext_randomize_build_order(SSL *s) | |||
| 2433 | s->tlsext_build_order[new_idx] = &tls_extensions[idx]; | 2432 | s->tlsext_build_order[new_idx] = &tls_extensions[idx]; |
| 2434 | } | 2433 | } |
| 2435 | 2434 | ||
| 2436 | /* | ||
| 2437 | * XXX - Apache2 special until year 2025: ensure that SNI precedes ALPN | ||
| 2438 | * for clients so that virtual host setups work correctly. | ||
| 2439 | */ | ||
| 2440 | |||
| 2441 | if (s->server) | ||
| 2442 | return 1; | ||
| 2443 | |||
| 2444 | for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) { | ||
| 2445 | if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_alpn) | ||
| 2446 | alpn_idx = idx; | ||
| 2447 | if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_server_name) | ||
| 2448 | sni_idx = idx; | ||
| 2449 | } | ||
| 2450 | if (alpn_idx < sni_idx) { | ||
| 2451 | const struct tls_extension *tmp; | ||
| 2452 | |||
| 2453 | tmp = s->tlsext_build_order[alpn_idx]; | ||
| 2454 | s->tlsext_build_order[alpn_idx] = s->tlsext_build_order[sni_idx]; | ||
| 2455 | s->tlsext_build_order[sni_idx] = tmp; | ||
| 2456 | } | ||
| 2457 | |||
| 2458 | return 1; | 2435 | return 1; |
| 2459 | } | 2436 | } |
| 2460 | 2437 | ||
| @@ -2466,8 +2443,8 @@ tlsext_linearize_build_order(SSL *s) | |||
| 2466 | free(s->tlsext_build_order); | 2443 | free(s->tlsext_build_order); |
| 2467 | s->tlsext_build_order_len = 0; | 2444 | s->tlsext_build_order_len = 0; |
| 2468 | 2445 | ||
| 2469 | if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order), | 2446 | if ((s->tlsext_build_order = calloc(N_TLS_EXTENSIONS, |
| 2470 | N_TLS_EXTENSIONS)) == NULL) | 2447 | sizeof(*s->tlsext_build_order))) == NULL) |
| 2471 | return 0; | 2448 | return 0; |
| 2472 | s->tlsext_build_order_len = N_TLS_EXTENSIONS; | 2449 | s->tlsext_build_order_len = N_TLS_EXTENSIONS; |
| 2473 | 2450 | ||