Changeset 3f661849

Timestamp:

2012-12-24T12:51:26Z (12 years ago)

Author:

Wilmer van der Gaast <wilmer@…>

Branches:

master

Children:

def3650

Parents:

bbc69f7

Message:

SNI client support in GnuTLS+OpenSSL modules.

Location:

lib

Files:

• ssl_gnutls.c (modified) (1 diff)
• ssl_openssl.c (modified) (10 diffs)

lib/ssl_gnutls.c

@@ -273 +273 @@
         gnutls_set_default_priority( conn->session );
         gnutls_credentials_set( conn->session, GNUTLS_CRD_CERTIFICATE, xcred );
+        if( conn->hostname && !isdigit( conn->hostname[0] ) )
+                gnutls_server_name_set( conn->session, GNUTLS_NAME_DNS,
+                                        conn->hostname, strlen( conn->hostname ) );
         
         sock_make_nonblocking( conn->fd );

lib/ssl_openssl.c

@@ -47 +47 @@
         gboolean established;
         gboolean verify;
+        char *hostname;
         
         int inpa;
@@ -54 +55 @@
 };
 
+static void ssl_conn_free( struct scd *conn );
 static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond );
 static gboolean ssl_starttls_real( gpointer data, gint source, b_input_condition cond );
@@ -73 +75 @@
         if( conn->fd < 0 )
         {
-                g_free( conn );
+                ssl_conn_free( conn );
                 return NULL;
         }
@@ -80 +82 @@
         conn->data = data;
         conn->inpa = -1;
+        conn->hostname = g_strdup( host );
         
         return conn;
@@ -93 +96 @@
         conn->inpa = -1;
         conn->verify = verify && global.conf->cafile;
+        conn->hostname = g_strdup( hostname );
         
         /* This function should be called via a (short) timeout instead of
@@ -120 +124 @@
         const SSL_METHOD *meth;
         
-        /* Right now we don't have any verification functionality for OpenSSL. */
-
         if( conn->verify )
         {
+                /* Right now we don't have any verification functionality for OpenSSL. */
                 conn->func( conn->data, 1, NULL, cond );
                 if( source >= 0 ) closesocket( source );
-                g_free( conn );
+                ssl_conn_free( conn );
 
                 return FALSE;
@@ -152 +155 @@
         SSL_set_fd( conn->ssl, conn->fd );
         
+        if( conn->hostname && !isdigit( conn->hostname[0] ) )
+                SSL_set_tlsext_host_name( conn->ssl, conn->hostname );
+        
         return ssl_handshake( data, source, cond );
 
 ssl_connected_failure:
         conn->func( conn->data, 0, NULL, cond );
-        
-        if( conn->ssl )
-        {
-                SSL_shutdown( conn->ssl );
-                SSL_free( conn->ssl );
-        }
-        if( conn->ssl_ctx )
-        {
-                SSL_CTX_free( conn->ssl_ctx );
-        }
-        if( source >= 0 ) closesocket( source );
-        g_free( conn );
-        
+        ssl_disconnect( conn );
         return FALSE;
 
@@ -184 +178 @@
                 {
                         conn->func( conn->data, 0, NULL, cond );
-                        
-                        SSL_shutdown( conn->ssl );
-                        SSL_free( conn->ssl );
-                        SSL_CTX_free( conn->ssl_ctx );
-                        
-                        if( source >= 0 ) closesocket( source );
-                        g_free( conn );
-                        
+                        ssl_disconnect( conn );
                         return FALSE;
                 }
@@ -261 +248 @@
 }
 
+static void ssl_conn_free( struct scd *conn )
+{
+        SSL_free( conn->ssl );
+        SSL_CTX_free( conn->ssl_ctx );
+        g_free( conn->hostname );
+        g_free( conn );
+        
+}
+
 void ssl_disconnect( void *conn_ )
 {
@@ -273 +269 @@
         closesocket( conn->fd );
         
-        SSL_free( conn->ssl );
-        SSL_CTX_free( conn->ssl_ctx );
-        g_free( conn );
+        ssl_conn_free( conn );
 }