feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Added new option to SNI: CYASSL_SNI_ANSWER_ON_MISMATCH

Browse Source 
Added new function to SNI API: CyaSSL_SNI_Matched()
This commit is contained in:
Moisés Guimarães
2013-06-03 17:55:06 -03:00
parent cb2082edee
commit f1d1898ddf
4 changed files with 58 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cyassl/internal.h
View File

@@ -1157,6 +1157,7 @@ typedef struct SNI {
struct SNI* next; /* List Behavior */ struct SNI* next; /* List Behavior */
#ifndef NO_CYASSL_SERVER #ifndef NO_CYASSL_SERVER
byte options; /* Behaviour options */ byte options; /* Behaviour options */
byte matched; /* Matching result */
#endif #endif
} SNI; } SNI;
@@ -1164,6 +1165,7 @@ CYASSL_LOCAL int TLSX_UseSNI(TLSX** extensions, byte type, const void* data,
word16 size); word16 size);
#ifndef NO_CYASSL_SERVER #ifndef NO_CYASSL_SERVER
CYASSL_LOCAL byte TLSX_SNI_Matched(TLSX* extensions, byte type);
CYASSL_LOCAL void TLSX_SNI_SetOptions(TLSX* extensions, byte type, CYASSL_LOCAL void TLSX_SNI_SetOptions(TLSX* extensions, byte type,
byte options); byte options);
#endif #endif

5
cyassl/ssl.h
View File

@@ -944,9 +944,12 @@ CYASSL_API int CyaSSL_CTX_UseSNI(CYASSL_CTX* ctx, unsigned char type,
#ifndef NO_CYASSL_SERVER #ifndef NO_CYASSL_SERVER
/* SNI options */ /* SNI options */
enum { enum {
CYASSL_SNI_CONTINUE_ON_MISMATCH = 0x01 CYASSL_SNI_CONTINUE_ON_MISMATCH = 0x01, /* do not abort on mismatch flag */
CYASSL_SNI_ANSWER_ON_MISMATCH = 0x02 /* fake match on mismatch flag */
}; };
CYASSL_API unsigned char CyaSSL_SNI_Matched(CYASSL* ssl, unsigned char type);
CYASSL_API void CyaSSL_SNI_SetOptions(CYASSL* ssl, unsigned char type, CYASSL_API void CyaSSL_SNI_SetOptions(CYASSL* ssl, unsigned char type,
unsigned char options); unsigned char options);
CYASSL_API void CyaSSL_CTX_SNI_SetOptions(CYASSL_CTX* ctx, unsigned char type, CYASSL_API void CyaSSL_CTX_SNI_SetOptions(CYASSL_CTX* ctx, unsigned char type,

5
src/ssl.c
View File

@@ -528,6 +528,11 @@ int CyaSSL_CTX_UseSNI(CYASSL_CTX* ctx, byte type, const void* data, word16 size)
} }
#ifndef NO_CYASSL_SERVER #ifndef NO_CYASSL_SERVER
byte CyaSSL_SNI_Matched(CYASSL* ssl, byte type)
{
return TLSX_SNI_Matched(ssl ? ssl->extensions : NULL, type);
}
void CyaSSL_SNI_SetOptions(CYASSL* ssl, byte type, byte options) void CyaSSL_SNI_SetOptions(CYASSL* ssl, byte type, byte options)
{ {
if (ssl && ssl->extensions) if (ssl && ssl->extensions)

66
src/tls.c
View File

@@ -582,7 +582,12 @@ static int TLSX_SNI_Append(SNI** list, byte type, const void* data, word16 size)
sni->type = type; sni->type = type;
sni->next = *list; sni->next = *list;
#ifndef NO_CYASSL_SERVER
sni->options = 0; sni->options = 0;
sni->matched = 0;
#endif
*list = sni; *list = sni;
return 0; return 0;
@@ -648,6 +653,30 @@ static SNI* TLSX_SNI_Find(SNI *list, byte type)
return sni; return sni;
} }
#ifndef NO_CYASSL_SERVER
static void TLSX_SNI_SetMatched(TLSX* extensions, byte type)
{
TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
if (sni) {
sni->matched = 1;
CYASSL_MSG("SNI did match!");
}
}
byte TLSX_SNI_Matched(TLSX* extensions, byte type)
{
TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
if (sni)
return sni->matched;
return 0;
}
#endif
static int TLSX_SNI_Parse(CYASSL* ssl, byte* input, word16 length, static int TLSX_SNI_Parse(CYASSL* ssl, byte* input, word16 length,
byte isRequest) byte isRequest)
{ {
@@ -707,27 +736,24 @@ static int TLSX_SNI_Parse(CYASSL* ssl, byte* input, word16 length,
} }
switch(type) { switch(type) {
case CYASSL_SNI_HOST_NAME: case CYASSL_SNI_HOST_NAME: {
if (XSTRLEN(sni->data.host_name) != size byte matched = (XSTRLEN(sni->data.host_name) == size)
|| XSTRNCMP(sni->data.host_name, && (XSTRNCMP(sni->data.host_name,
(const char *) input + offset, size)) { (const char *) input + offset, size) == 0);
if (sni->options & CYASSL_SNI_CONTINUE_ON_MISMATCH)
break;
/**
* Better client thinks the server is not using SNI,
* instead of thinking that the host_name matched.
* No empty SNI response in this case.
*/
SendAlert(ssl, alert_fatal, unrecognized_name); if (matched || sni->options & CYASSL_SNI_ANSWER_ON_MISMATCH) {
return UNKNOWN_SNI_HOST_NAME_E;
} else {
int r = TLSX_UseSNI(&ssl->extensions, type, (byte *) "", 0); int r = TLSX_UseSNI(&ssl->extensions, type, (byte *) "", 0);
if (r) return r; /* throw error */ if (r) return r; /* throw error */
if (matched) TLSX_SNI_SetMatched(ssl->extensions, type);
} else if (!(sni->options & CYASSL_SNI_CONTINUE_ON_MISMATCH)) {
SendAlert(ssl, alert_fatal, unrecognized_name);
return UNKNOWN_SNI_HOST_NAME_E;
} }
break; break;
}
} }
TLSX_SetResponse(ssl, SERVER_NAME_INDICATION); TLSX_SetResponse(ssl, SERVER_NAME_INDICATION);
@@ -788,11 +814,11 @@ int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size)
#ifndef NO_CYASSL_SERVER #ifndef NO_CYASSL_SERVER
void TLSX_SNI_SetOptions(TLSX* extensions, byte type, byte options) void TLSX_SNI_SetOptions(TLSX* extensions, byte type, byte options)
{ {
TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION); TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type); SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
if (sni) if (sni)
sni->options = options; sni->options = options;
} }
#endif #endif
@@ -1047,6 +1073,8 @@ int TLSX_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest,
switch (type) { switch (type) {
case SERVER_NAME_INDICATION: case SERVER_NAME_INDICATION:
CYASSL_MSG("SNI extension received");
ret = SNI_PARSE(ssl, input + offset, size, isRequest); ret = SNI_PARSE(ssl, input + offset, size, isRequest);
break; break;