From 6642dc2432218e4d9462f7b283b0b3695c80f3ee Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 24 Jul 2017 17:39:43 +0000
Subject: Rewrite and move the last remnants of the ServerHello SNI handling into tlsext_sni_serverhello_parse().

This also adds a check to ensure that if we have an existing session, the name matches what we specified via SNI.

ok doug@
---
 src/lib/libssl/ssl_tlsext.c | 24 +++++++++++++++++++++++-
 src/lib/libssl/t1_lib.c | 30 ++----------------------------
 2 files changed, 25 insertions(+), 29 deletions(-)

(limited to 'src')

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 539c380fb9..400c69fa87 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.2 2017/07/24 17:10:31 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.3 2017/07/24 17:39:43 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing
  *
@@ -259,6 +259,28 @@ tlsext_sni_serverhello_parse(SSL *s, CBS *cbs, int *alert)
 		return 0;
 	}
 
+	if (s->internal->hit) {
+		if (s->session->tlsext_hostname == NULL) {
+			*alert = TLS1_AD_UNRECOGNIZED_NAME;
+			return 0;
+		}
+		if (strcmp(s->tlsext_hostname,
+		    s->session->tlsext_hostname) != 0) {
+			*alert = TLS1_AD_UNRECOGNIZED_NAME;
+			return 0;
+		}
+	} else {
+		if (s->session->tlsext_hostname != NULL) {
+			*alert = SSL_AD_DECODE_ERROR;
+			return 0;
+		}
+		if ((s->session->tlsext_hostname =
+		    strdup(s->tlsext_hostname)) == NULL) {
+			*alert = TLS1_AD_INTERNAL_ERROR;
+			return 0;
+		}
+	}
+
 	return 1;
 }
 
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index bf5e2de80b..b061bd1100 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.121 2017/07/24 17:10:31 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.122 2017/07/24 17:39:43 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
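Review bot: The resumption branch carries no comment saying why a name mismatch is fatal, so a later reader cannot tell whether the `TLS1_AD_UNRECOGNIZED_NAME` alert there is deliberate policy or an oversight; add above `if (s->internal->hit) {` a comment such as `/* On resumption the server may not bind the session to a name other than the one we sent (RFC 6066, section 3); refuse rather than continue under a different identity. */`. Both `strcmp()` and `strdup()` dereference `s->tlsext_hostname` unconditionally, so this code depends on the NULL check that presumably sits at the top of the function, before this hunk; worth confirming it is still there, since losing it would turn an unrecognised-name alert into a NULL dereference. The non-resumption branch now returns `TLS1_AD_INTERNAL_ERROR` when `strdup()` fails, where the removed t1_lib.c code returned `SSL_AD_UNRECOGNIZED_NAME`; that is the more accurate alert, but it is a behaviour change the commit message does not mention. tlsext_sni_serverhello_parse() begins before this hunk.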
@@ -1504,7 +1504,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
 	unsigned short len;
 	unsigned char *data = *p;
 	unsigned char *end = *p + n;
-	int tlsext_servername = 0;
 	CBS cbs;
 
 	S3I(s)->renegotiate_seen = 0;
@@ -1537,15 +1536,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
 		if (!tlsext_serverhello_parse_one(s, &cbs, type, al))
 			return 0;
 
-		if (type == TLSEXT_TYPE_server_name) {
-			if (s->tlsext_hostname == NULL || size > 0) {
-				*al = TLS1_AD_UNRECOGNIZED_NAME;
-				return 0;
-			}
-			tlsext_servername = 1;
-
-		}
-		else if (type == TLSEXT_TYPE_ec_point_formats &&
+		if (type == TLSEXT_TYPE_ec_point_formats &&
 		    s->version != DTLS1_VERSION) {
 			unsigned char *sdata = data;
 			size_t formatslen;
@@ -1688,23 +1679,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
 		return 0;
 	}
 
-	if (!s->internal->hit && tlsext_servername == 1) {
-		if (s->tlsext_hostname) {
-			if (s->session->tlsext_hostname == NULL) {
-				s->session->tlsext_hostname =
-				    strdup(s->tlsext_hostname);
-
-				if (!s->session->tlsext_hostname) {
-					*al = SSL_AD_UNRECOGNIZED_NAME;
-					return 0;
-				}
-			} else {
-				*al = SSL_AD_DECODE_ERROR;
-				return 0;
-			}
-		}
-	}
-
 	*p = data;
 
 ri_check:
-- 
cgit v1.2.3-55-g6feb