From: Benjamin Kaduk
Date: Wed, 25 Jul 2018 19:48:30 +0000 (-0500)
Subject: Fix ossl_shim SNI handling
X-Git-Tag: OpenSSL_1_1_1-pre9~77
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=45a2353056da3f357a924131578ad0a4a2e5fbb7;p=oweals%2Fopenssl.git

Fix ossl_shim SNI handling

To start with, actually set an SNI callback (copied from bssl_shim); we weren't actually testing much otherwise (and just happened to have been passing due to buggy libssl behavior prior to commit 1c4aa31d79821dee9be98e915159d52cc30d8403).

Also use proper C++ code for handling C strings -- when a C API (SSL_get_servername()) returns NULL instead of a string, special-case that instead of blindly trying to compare NULL against a std::string, and perform the comparsion using the std::string operators instead of falling back to pointer comparison.

Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/6792)
---
diff --git a/test/ossl_shim/ossl_shim.cc b/test/ossl_shim/ossl_shim.cc
index b1067e8420..90d1f1ef40 100644
--- a/test/ossl_shim/ossl_shim.cc
+++ b/test/ossl_shim/ossl_shim.cc
@@ -459,6 +459,20 @@ static int CustomExtensionParseCallback(SSL *ssl, unsigned extension_value,
   return 1;
 }
 
+static int ServerNameCallback(SSL *ssl, int *out_alert, void *arg) {
+  // SNI must be accessible from the SNI callback.
+  const TestConfig *config = GetTestConfig(ssl);
+  const char *server_name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+  if (server_name == nullptr ||
+      std::string(server_name) != config->expected_server_name) {
+    fprintf(stderr, "servername mismatch (got %s; want %s)\n", server_name,
+            config->expected_server_name.c_str());
+    return SSL_TLSEXT_ERR_ALERT_FATAL;
+  }
+
+  return SSL_TLSEXT_ERR_OK;
+}
+
 // Connect returns a new socket connected to localhost on |port| or -1 on
 // error.
 static int Connect(uint16_t port) {
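Review bot: In ServerNameCallback's mismatch branch the `fprintf(stderr, "servername mismatch (got %s; want %s)\n", server_name, ...)` call is reached when `server_name == nullptr`, and passing a null pointer for `%s` is undefined behaviour (glibc happens to print "(null)", other C libraries need not); the reworked check in CheckHandshakeProperties in the last hunk keeps the same fprintf after the same null guard. In both places substitute a placeholder in the log call, e.g. `server_name != nullptr ? server_name : "(none)"`. The `std::string(server_name)` temporary is also unnecessary once the null case is excluded, since `config->expected_server_name != server_name` compares the std::string against the C string directly. `out_alert` and `arg` are unused in the new callback; leaving them unnamed (`int *, void *`) documents that and avoids unused-parameter warnings where those are enabled.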
@@ -645,6 +659,10 @@ static bssl::UniquePtr SetupCtx(const TestConfig *config) {
                                       sizeof(sess_id_ctx) - 1))
     return nullptr;
 
+  if (!config->expected_server_name.empty()) {
+    SSL_CTX_set_tlsext_servername_callback(ssl_ctx.get(), ServerNameCallback);
+  }
+
   return ssl_ctx;
 }
@@ -809,7 +827,8 @@ static bool CheckHandshakeProperties(SSL *ssl, bool is_resume) {
   if (!config->expected_server_name.empty()) {
     const char *server_name =
         SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
-    if (server_name != config->expected_server_name) {
+    if (server_name == nullptr ||
+        std::string(server_name) != config->expected_server_name) {
       fprintf(stderr, "servername mismatch (got %s; want %s)\n", server_name,
               config->expected_server_name.c_str());
       return false;
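Review bot: The new `SSL_CTX_set_tlsext_servername_callback(ssl_ctx.get(), ServerNameCallback);` in SetupCtx discards its return value, while the session-id-context check immediately above it in the hunk is tested and makes SetupCtx return nullptr on failure; the macro expands to SSL_CTX_callback_ctrl, which returns a long, so `if (!SSL_CTX_set_tlsext_servername_callback(ssl_ctx.get(), ServerNameCallback)) return nullptr;` would keep the function's error-handling style uniform (as far as I can tell this ctrl cannot currently fail, so this is consistency rather than a live bug). A one-line comment on the new `if` would also help a reader, since the callback is installed only when the test carries an expectation: `// Only validate SNI when the test names an expected server; ServerNameCallback fails the handshake on mismatch.` SetupCtx begins outside the hunk.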