diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-09-23 08:19:21 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-09-23 10:47:21 +0200 |
| commit | 8288ed0acee095894f411412664f4e2eb4f59159 (patch) | |
| tree | 6949b61dd49163661fca5978f53f39de56cd10ca | |
| parent | e2a05b97131f082303be1531fc43183acf01eb65 (diff) | |
| download | gnutls-8288ed0acee095894f411412664f4e2eb4f59159.tar.gz | |
server name: refuse to resume a session which server name doesn't match
That is, follow the RFC6066 requirement that server:
"MUST NOT accept the request to resume the session if the
server_name extension contains a different name."
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| -rw-r--r-- | lib/db.c | 4 | ||||
| -rw-r--r-- | lib/ext/server_name.c | 40 | ||||
| -rw-r--r-- | lib/ext/server_name.h | 2 |
3 files changed, 46 insertions, 0 deletions
@@ -29,6 +29,7 @@ #include <db.h> #include <session_pack.h> #include <datum.h> +#include "ext/server_name.h" /** * gnutls_db_set_retrieve_function: @@ -257,6 +258,9 @@ int _gnutls_check_resumed_params(gnutls_session_t session) session->security_parameters.ext_master_secret) return gnutls_assert_val(GNUTLS_E_INVALID_SESSION); + if (!_gnutls_server_name_matches_resumed(session)) + return gnutls_assert_val(GNUTLS_E_INVALID_SESSION); + return 0; } diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c index c6f1882ce2..2395b461af 100644 --- a/lib/ext/server_name.c +++ b/lib/ext/server_name.c @@ -444,3 +444,43 @@ _gnutls_server_name_unpack(gnutls_buffer_st * ps, gnutls_free(priv); return ret; } + +unsigned _gnutls_server_name_matches_resumed(gnutls_session_t session) +{ + server_name_ext_st *priv1, *priv2; + int ret; + gnutls_ext_priv_data_t epriv; + + ret = + _gnutls_ext_get_session_data(session, + GNUTLS_EXTENSION_SERVER_NAME, + &epriv); + if (ret < 0) /* no server name in this session */ + priv1 = NULL; + else + priv1 = epriv; + + ret = + _gnutls_ext_get_resumed_session_data(session, + GNUTLS_EXTENSION_SERVER_NAME, + &epriv); + if (ret < 0) /* no server name in extensions */ + priv2 = NULL; + else + priv2 = epriv; + + if (priv1 == NULL || priv2 == NULL) { + if (priv1 == priv2) + return 1; + else + return 0; + } + + if (priv1->name_length != priv2->name_length) + return 0; + + if (memcmp(priv1->name, priv2->name, priv1->name_length) != 0) + return 0; + + return 1; +} diff --git a/lib/ext/server_name.h b/lib/ext/server_name.h index dfb705a5fb..95caa33deb 100644 --- a/lib/ext/server_name.h +++ b/lib/ext/server_name.h @@ -33,4 +33,6 @@ typedef struct { extern const extension_entry_st ext_mod_server_name; +unsigned _gnutls_server_name_matches_resumed(gnutls_session_t); + #endif |