From 574d6f0d7739a1810b9aad1f62716ceadbe58540 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Fri, 29 May 2020 17:47:30 +0000
Subject: Wire up the servername callback in the TLSv1.3 server.

This makes SNI work correctly with TLSv1.3.

Found the hard way by danj@, gonzalo@ and others.

ok beck@ inoguchi@ tb@
---
 src/lib/libssl/tls13_server.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

(limited to 'src/lib/libssl/tls13_server.c')

diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 621e51d501..181ba583a0 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.53 2020/05/23 11:58:46 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.54 2020/05/29 17:47:30 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing
  * Copyright (c) 2020 Bob Beck
@@ -373,6 +373,19 @@ tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
 	return 1;
 }
 
+static int
+tls13_servername_process(struct tls13_ctx *ctx)
+{
+	uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
+
+	if (!tls13_legacy_servername_process(ctx, &alert)) {
+		ctx->alert = alert;
+		return 0;
+	}
+
+	return 1;
+}
+
 int
 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 {
@@ -380,6 +393,8 @@ tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 		return 0;
 	if (!tls13_key_share_generate(ctx->hs->key_share))
 		return 0;
+	if (!tls13_servername_process(ctx))
+		return 0;
 
 	ctx->hs->server_group = 0;
 
-- 
cgit v1.2.3-55-g6feb
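Review bot: tls13_servername_process carries no comment explaining why it wraps tls13_legacy_servername_process or why `alert` starts at TLS13_ALERT_INTERNAL_ERROR, which is the detail a reader needs here; add above the function `/* Run the legacy servername (SNI) callback; on failure record the alert it chose (internal_error if it set none) so the caller's return 0 aborts the handshake with the right alert. */`. The default matters because this is the point that decides which alert the peer sees when the callback rejects the name, so a helper that fails without setting alert falls back to internal_error rather than to an unset ctx->alert. The helper appears to rely on tls13_legacy_servername_process filling in a more specific alert (such as unrecognized_name) on its own; that function is outside this diff and is worth confirming.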
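Review bot: The new call in tls13_server_hello_send runs the servername callback only after tls13_key_share_generate has succeeded, so a ClientHello the callback rejects still pays for a key-share generation before the handshake is aborted; if the ordering is not required, `if (!tls13_servername_process(ctx)) return 0;` could move above the key-share check. Whatever order is kept, a one-line comment stating that the callback must run here, before any certificate is selected, since it is presumably where the application may swap in a different SSL_CTX, would keep the placement from being "fixed" later; the remainder of tls13_server_hello_send lies outside the hunk.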