Fix for SNI callback

* Fix for SNI callback on server to make sure the SNI data is stored even without setting a hostname. This makes sure the SNI extension is set when there is a registered SNI recv callback. * Fix for Apache HTTPD to include `WOLFSSL_ALWAYS_KEEP_SNI`
2021-03-22 10:45:31 -07:00
parent 19c321f165
commit 9313d59479
3 changed files with 17 additions and 10 deletions
--- a/configure.ac
+++ b/configure.ac
@ -4279,6 +4279,7 @@ then
    AM_CFLAGS="$AM_CFLAGS -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_COMP"
    AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DWOLFSSL_SIGNER_DER_CERT"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT -DWOLFSSL_CERT_GEN"
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI"

    # Requires OCSP make sure on
    if test "x$ENABLED_OCSP" = "xno"
--- a/examples/client/client.c
+++ b/examples/client/client.c
@ -2692,7 +2692,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)

 #ifdef HAVE_SNI
    if (sniHostName) {
-        if (wolfSSL_CTX_UseSNI(ctx, 0, sniHostName,
+        if (wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, sniHostName,
                    (word16) XSTRLEN(sniHostName)) != WOLFSSL_SUCCESS) {
            wolfSSL_CTX_free(ctx); ctx = NULL;
            err_sys("UseSNI failed");
--- a/src/tls.c
+++ b/src/tls.c
@ -2024,18 +2024,24 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, const byte* input, word16 length,

 #ifndef NO_WOLFSSL_SERVER
    if (!extension || !extension->data) {
-        #if defined(WOLFSSL_ALWAYS_KEEP_SNI) && !defined(NO_WOLFSSL_SERVER)
-            /* This will keep SNI even though TLSX_UseSNI has not been called.
-            * Enable it so that the received sni is available to functions
-            * that use a custom callback when SNI is received.
-            */
-
+        /* This will keep SNI even though TLSX_UseSNI has not been called.
+         * Enable it so that the received sni is available to functions
+         * that use a custom callback when SNI is received.
+         */
+    #ifdef WOLFSSL_ALWAYS_KEEP_SNI
+        cacheOnly = 1;
+    #endif
+        if (ssl->ctx->sniRecvCb) {
            cacheOnly = 1;
+        }
+
+        if (cacheOnly) {
            WOLFSSL_MSG("Forcing SSL object to store SNI parameter");
-        #else
+        }
+        else {
            /* Skipping, SNI not enabled at server side. */
            return 0;
-        #endif
+        }
    }

    if (OPAQUE16_LEN > length)
@ -2096,7 +2102,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, const byte* input, word16 length,

        TLSX_SNI_SetStatus(ssl->extensions, type, (byte)matchStat);

-        if(!cacheOnly)
+        if (!cacheOnly)
            TLSX_SetResponse(ssl, TLSX_SERVER_NAME);
    }
    else if (!(sni->options & WOLFSSL_SNI_CONTINUE_ON_MISMATCH)) {