Ability to disable server_name extension (RFC 6066)

2025-11-04 04:32:24 -05:00 · 2013-08-27 21:55:01 +02:00 · 2013-08-27 21:55:01 +02:00 · 0be444a8b1
commit 0be444a8b1
parent d2f068e071
8 changed files with 41 additions and 6 deletions
--- a/1
+++ b/1
@ -31,6 +31,7 @@ Changes
   * Split up the GCM module into a starts/update/finish cycle
   * Client and server now filter sent and accepted ciphersuites on minimum
     and maximum protocol version
+   * Ability to disable server_name extension (RFC 6066)
   * Renamed error_strerror() to the less conflicting polarssl_strerror()
     (Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC)
   * SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@ -597,6 +597,15 @@
 */
 #define POLARSSL_SSL_SESSION_TICKETS

+/**
+ * \def POLARSSL_SSL_SERVER_NAME_INDICATION
+ *
+ * Enable support for RFC 6066 server name indication (SNI) in SSL
+ *
+ * Comment this macro to disable support for server name indication in SSL
+ */
+#define POLARSSL_SSL_SERVER_NAME_INDICATION
+
 /**
 * \def POLARSSL_SSL_TRUNCATED_HMAC
 *
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@ -564,7 +564,6 @@ struct _ssl_context
    int (*f_send)(void *, const unsigned char *, size_t);
    int (*f_get_cache)(void *, ssl_session *);
    int (*f_set_cache)(void *, const ssl_session *);
-    int (*f_sni)(void *, ssl_context *, const unsigned char *, size_t);

    void *p_rng;                /*!< context for the RNG function     */
    void *p_dbg;                /*!< context for the debug function   */
@ -572,9 +571,13 @@ struct _ssl_context
    void *p_send;               /*!< context for writing operations   */
    void *p_get_cache;          /*!< context for cache retrieval      */
    void *p_set_cache;          /*!< context for cache store          */
-    void *p_sni;                /*!< context for SNI extension        */
    void *p_hw_data;            /*!< context for HW acceleration      */

+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
+    int (*f_sni)(void *, ssl_context *, const unsigned char *, size_t);
+    void *p_sni;                /*!< context for SNI extension        */
+#endif
+
 #if defined(POLARSSL_X509_PARSE_C)
    int (*f_vrfy)(void *, x509_cert *, int, int *);
    void *p_vrfy;               /*!< context for verification         */
@ -689,11 +692,13 @@ struct _ssl_context
    size_t         psk_identity_len;
 #endif

+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
    /*
-     * TLS extensions
+     * SNI extension
     */
    unsigned char *hostname;
    size_t         hostname_len;
+#endif

    /*
     * Secure renegotiation
@ -1032,6 +1037,7 @@ int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G );
 int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx );
 #endif

+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
 /**
 * \brief          Set hostname for ServerName TLS extension
 *                 (client-side only)
@ -1067,6 +1073,7 @@ void ssl_set_sni( ssl_context *ssl,
                  int (*f_sni)(void *, ssl_context *, const unsigned char *,
                               size_t),
                  void *p_sni );
+#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */

 /**
 * \brief          Set the maximum supported version sent from the client side
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@ -51,6 +51,7 @@ typedef UINT32 uint32_t;
 #include <time.h>
 #endif

+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
 static void ssl_write_hostname_ext( ssl_context *ssl,
                                    unsigned char *buf,
                                    size_t *olen )
@ -100,6 +101,7 @@ static void ssl_write_hostname_ext( ssl_context *ssl,

    *olen = ssl->hostname_len + 9;
 }
+#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */

 static void ssl_write_renegotiation_ext( ssl_context *ssl,
                                         unsigned char *buf,
@ -534,8 +536,10 @@ static int ssl_write_client_hello( ssl_context *ssl )

    // First write extensions, then the total length
    //
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
    ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
    ext_len += olen;
+#endif

    ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
    ext_len += olen;
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -336,6 +336,7 @@ static int ssl_parse_ticket( ssl_context *ssl,
 }
 #endif /* POLARSSL_SSL_SESSION_TICKETS */

+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
 static int ssl_parse_servername_ext( ssl_context *ssl,
                                     const unsigned char *buf,
                                     size_t len )
@ -385,6 +386,7 @@ static int ssl_parse_servername_ext( ssl_context *ssl,

    return( 0 );
 }
+#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */

 static int ssl_parse_renegotiation_info( ssl_context *ssl,
                                         const unsigned char *buf,
@ -1157,6 +1159,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
        }
        switch( ext_id )
        {
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
        case TLS_EXT_SERVERNAME:
            SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
            if( ssl->f_sni == NULL )
@ -1166,6 +1169,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
            if( ret != 0 )
                return( ret );
            break;
+#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */

        case TLS_EXT_RENEGOTIATION_INFO:
            SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -35,12 +35,12 @@

 #if defined(POLARSSL_SSL_TLS_C)

-#include "polarssl/aes.h"
+#include "polarssl/debug.h"
+#include "polarssl/ssl.h"
+
 #include "polarssl/arc4.h"
 #include "polarssl/camellia.h"
 #include "polarssl/des.h"
-#include "polarssl/debug.h"
-#include "polarssl/ssl.h"

 #if defined(POLARSSL_GCM_C)
 #include "polarssl/gcm.h"
@ -3053,8 +3053,10 @@ int ssl_init( ssl_context *ssl )
    memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
    memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );

+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
    ssl->hostname = NULL;
    ssl->hostname_len = 0;
+#endif

 #if defined(POLARSSL_SSL_SESSION_TICKETS)
    ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
@ -3356,6 +3358,7 @@ int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
 }
 #endif /* POLARSSL_DHM_C */

+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
 int ssl_set_hostname( ssl_context *ssl, const char *hostname )
 {
    if( hostname == NULL )
@ -3387,6 +3390,7 @@ void ssl_set_sni( ssl_context *ssl,
    ssl->f_sni = f_sni;
    ssl->p_sni = p_sni;
 }
+#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */

 void ssl_set_max_version( ssl_context *ssl, int major, int minor )
 {
@ -3918,12 +3922,14 @@ void ssl_free( ssl_context *ssl )
    polarssl_free( ssl->ticket_keys );
 #endif

+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
    if ( ssl->hostname != NULL)
    {
        memset( ssl->hostname, 0, ssl->hostname_len );
        polarssl_free( ssl->hostname );
        ssl->hostname_len = 0;
    }
+#endif

 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
    if( ssl_hw_record_finish != NULL )
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -719,7 +719,9 @@ int main( int argc, char *argv[] )
                 strlen( opt.psk_identity ) );
 #endif

+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
    ssl_set_hostname( &ssl, opt.server_name );
+#endif

    if( opt.min_version != -1 )
        ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@ -596,7 +596,9 @@ int main( int argc, char *argv[] )
    ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
    ssl_set_own_cert( &ssl, &clicert, &rsa );

+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
    ssl_set_hostname( &ssl, opt.server_name );
+#endif

    if( opt.mode == MODE_SSL_TLS )
    {