author Ben Kaduk <kaduk@mit.edu> 2018-09-04 12:30:00 -0500
committer Matt Caswell <matt@openssl.org> 2018-09-07 15:21:27 +0100
commit 328a0547ad61d9e260fca73a280d2288714f2b92
tree fad0422e2f958d6c8b886a1f5a0a4e586bc97023
parent 2c0267fdc99f8a06cb205f0faecc2ff06f0de8bf
Simplify SSL_get_servername() to avoid session references

Ideally, SSL_get_servername() would do exactly as it is documented and return exactly what the client sent (i.e., what we currently are stashing in the SSL's ext.hostname), without needing to refer to an SSL_SESSION object. For historical reasons, including the parsed SNI value from the ClientHello originally being stored in the SSL_SESSION's ext.hostname field, we have had references to the SSL_SESSION in this function. We cannot fully excise them due to the interaction between user-supplied callbacks and TLS 1.2 resumption flows, where we call all callbacks but the client did not supply an SNI value. Existing callbacks expect to receive a valid SNI value in this case, so we must fake one up from the resumed session in order to avoid breakage.

Otherwise, greatly simplify the implementation and just return the value in the SSL, as sent by the client.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7115)
-rw-r--r-- ssl/ssl_lib.c 18
1 files changed, 7 insertions, 11 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 7e8093bcfd..3d25da637d 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2600,18 +2600,14 @@ const char *SSL_get_servername(const SSL *s, const int type)
return NULL;
/*
- * TODO(OpenSSL1.2) clean up this compat mess. This API is
- * currently a mix of "what did I configure" and "what did the
- * peer send" and "what was actually negotiated"; we should have
- * a clear distinction amongst those three.
+ * SNI is not negotiated in pre-TLS-1.3 resumption flows, so fake up an
+ * SNI value to return if we are resuming/resumed. N.B. that we still
+ * call the relevant callbacks for such resumption flows, and callbacks
+ * might error out if there is not a SNI value available.
*/
- if (SSL_in_init(s)) {
- if (s->hit)
- return s->session->ext.hostname;
- return s->ext.hostname;
- }
- return (s->session != NULL && s->ext.hostname == NULL) ?
- s->session->ext.hostname : s->ext.hostname;
+ if (s->hit)
+ return s->session->ext.hostname;
+ return s->ext.hostname;
}
int SSL_get_servername_type(const SSL *s)
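Review bot: the new `if (s->hit)` branch is not gated on protocol version, although the comment above it justifies the session lookup only for pre-TLS-1.3 resumption. As written, any resumed connection returns `s->session->ext.hostname`, so on a resumption where the client did send SNI the caller gets the session's stored value rather than what the client sent, which is the behaviour the commit message says it wants to move away from. Callers that use this value for virtual-host routing or access decisions would then act on a name that was not in the current ClientHello. Consider restricting the session fallback to the pre-TLS-1.3 case the comment describes, or to the case where `s->ext.hostname` is NULL, and returning `s->ext.hostname` otherwise. Two smaller points: the removed fallback checked `s->session != NULL` before dereferencing, while the new branch relies on `s->hit` implying a non-NULL session, which is worth stating in the comment; and the post-handshake behaviour for non-resumed connections changes (no more fallback to the session's hostname when `s->ext.hostname` is NULL), which should be reflected in the SSL_get_servername() documentation.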