diff --git a/ChangeLog b/ChangeLog
index 1a94b45fe..36c17795a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,6 +31,7 @@ Changes
    * Split up the GCM module into a starts/update/finish cycle
    * Client and server now filter sent and accepted ciphersuites on minimum and maximum protocol version
+   * Ability to disable server_name extension (RFC 6066)
    * Renamed error_strerror() to the less conflicting polarssl_strerror() (Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC)
    * SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 9fc5458a7..799c031dd 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -597,6 +597,15 @@
  */
 #define POLARSSL_SSL_SESSION_TICKETS
+/**
+ * \def POLARSSL_SSL_SERVER_NAME_INDICATION
+ *
+ * Enable support for RFC 6066 server name indication (SNI) in SSL
+ *
+ * Comment this macro to disable support for server name indication in SSL
+ */
+#define POLARSSL_SSL_SERVER_NAME_INDICATION
+
 /**
  * \def POLARSSL_SSL_TRUNCATED_HMAC
  *
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 1576fcb2f..f9c6b8f8c 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -564,7 +564,6 @@ struct _ssl_context
     int (*f_send)(void *, const unsigned char *, size_t);
     int (*f_get_cache)(void *, ssl_session *);
     int (*f_set_cache)(void *, const ssl_session *);
-    int (*f_sni)(void *, ssl_context *, const unsigned char *, size_t);
     void *p_rng; /*!< context for the RNG function */
     void *p_dbg; /*!< context for the debug function */
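Review bot: The Doxygen block for the new macro only says it enables SNI "in SSL", which leaves an integrator guessing what actually gets compiled out; the rest of this patch removes both `ssl_set_hostname()` (client side) and `ssl_set_sni()` (server side) from ssl.h when the macro is unset, and that is the fact a reader of config.h needs before commenting it out. Suggest adding after the RFC line: ` * When disabled, ssl_set_hostname() and ssl_set_sni() are not available: a` / ` * client will not send server_name and a server will not act on it.` The neighbouring option blocks in this file follow the same `\def` / purpose / "Comment this macro" shape, so the extra sentence fits the existing style.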
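Review bot: `f_sni` is deleted from its place among the other callbacks here and re-added after `p_hw_data` in the next hunk, rather than being guarded where it was, so every member from `p_rng` onwards changes offset even in builds that keep the option on. Wrapping the existing `int (*f_sni)(...)` line in the same `#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)` would give the same result without shifting the layout of `ssl_context` for existing builds. If the move is deliberate (grouping `f_sni` with `p_sni`), a ChangeLog line noting that the context layout changed would help anyone who assumed binary compatibility across this release, though the struct is presumably not a stable ABI.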
@@ -572,9 +571,13 @@ struct _ssl_context
     void *p_send; /*!< context for writing operations */
     void *p_get_cache; /*!< context for cache retrieval */
     void *p_set_cache; /*!< context for cache store */
-    void *p_sni; /*!< context for SNI extension */
     void *p_hw_data; /*!< context for HW acceleration */
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
+    int (*f_sni)(void *, ssl_context *, const unsigned char *, size_t);
+    void *p_sni; /*!< context for SNI extension */
+#endif
+
 #if defined(POLARSSL_X509_PARSE_C)
     int (*f_vrfy)(void *, x509_cert *, int, int *);
     void *p_vrfy; /*!< context for verification */
@@ -689,11 +692,13 @@ struct _ssl_context
     size_t psk_identity_len;
 #endif
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
     /*
-     * TLS extensions
+     * SNI extension
      */
     unsigned char *hostname;
     size_t hostname_len;
+#endif
     /*
      * Secure renegotiation
@@ -1032,6 +1037,7 @@ int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G );
 int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx );
 #endif
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
 /**
  * \brief Set hostname for ServerName TLS extension
  * (client-side only)
@@ -1067,6 +1073,7 @@ void ssl_set_sni( ssl_context *ssl,
                   int (*f_sni)(void *, ssl_context *, const unsigned char *, size_t),
                   void *p_sni );
+#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
 /**
  * \brief Set the maximum supported version sent from the client side
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 99d3206e5..e37a3c044 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -51,6 +51,7 @@ typedef UINT32 uint32_t;
 #include
 #endif
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
 static void ssl_write_hostname_ext( ssl_context *ssl,
                                     unsigned char *buf,
                                     size_t *olen )
@@ -100,6 +101,7 @@ static void ssl_write_hostname_ext( ssl_context *ssl,
     *olen = ssl->hostname_len + 9;
 }
+#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
 static void ssl_write_renegotiation_ext( ssl_context *ssl,
                                          unsigned char *buf,
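Review bot: The `\brief` of `ssl_set_hostname()` should state that the name is only sent in the ServerName extension and is not what the peer's certificate is checked against; "Set hostname" reads as if it also governed verification, whereas the samples in this patch pass the expected name separately to `ssl_set_ca_chain()` (see the ssl_mail_client.c hunk). Suggest ` * \brief Set hostname for ServerName TLS extension` / ` * (client-side only; has no effect on certificate name verification,` / ` * which is configured through ssl_set_ca_chain())`. The rest of the doc block and the function prototype lie outside the hunk.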
@@ -534,8 +536,10 @@ static int ssl_write_client_hello( ssl_context *ssl )
     // First write extensions, then the total length
     //
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
     ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
     ext_len += olen;
+#endif
     ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
     ext_len += olen;
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 4a7136775..08b3bf9ae 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -336,6 +336,7 @@ static int ssl_parse_ticket( ssl_context *ssl,
 }
 #endif /* POLARSSL_SSL_SESSION_TICKETS */
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
 static int ssl_parse_servername_ext( ssl_context *ssl,
                                      const unsigned char *buf,
                                      size_t len )
@@ -385,6 +386,7 @@ static int ssl_parse_servername_ext( ssl_context *ssl,
     return( 0 );
 }
+#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
 static int ssl_parse_renegotiation_info( ssl_context *ssl,
                                          const unsigned char *buf,
@@ -1157,6 +1159,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
         }
         switch( ext_id )
         {
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
         case TLS_EXT_SERVERNAME:
             SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
             if( ssl->f_sni == NULL )
@@ -1166,6 +1169,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
             if( ret != 0 )
                 return( ret );
             break;
+#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
         case TLS_EXT_RENEGOTIATION_INFO:
             SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 06eeb7130..44309f678 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -35,12 +35,12 @@
 #if defined(POLARSSL_SSL_TLS_C)
-#include "polarssl/aes.h"
+#include "polarssl/debug.h"
+#include "polarssl/ssl.h"
+
 #include "polarssl/arc4.h"
 #include "polarssl/camellia.h"
 #include "polarssl/des.h"
-#include "polarssl/debug.h"
-#include "polarssl/ssl.h"
 #if defined(POLARSSL_GCM_C)
 #include "polarssl/gcm.h"
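Review bot: With the option disabled, a ServerName extension in the ClientHello matches no `case` and goes to whatever the `switch` does for unrecognised extension ids (outside the hunk); that path must skip the extension body by its parsed length and carry on, not fail the handshake, because virtually every modern client sends server_name and TLS requires servers to ignore extensions they do not understand. Worth confirming that the default branch behaves that way before this becomes a supported configuration. A short comment on the new `#if`, e.g. `/* when disabled, server_name is treated as an unknown extension and skipped */`, would make the intended behaviour explicit for the next reader. The `if( ssl->f_sni == NULL )` branch at the end of the first hunk also continues outside it.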
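Review bot: Dropping `#include "polarssl/aes.h"` has nothing to do with the SNI option and is not explained anywhere in the patch; if any `aes_*` symbol is still referenced in ssl_tls.c the file now relies on a transitive include, so this belongs in its own commit or at least deserves a one-line justification. Moving debug.h and ssl.h above the cipher headers looks deliberate, presumably so the configuration they pull in is visible to the `#if defined(POLARSSL_GCM_C)` guards that follow; if that is the reason, record it with a comment such as `/* ssl.h (and the config it includes) must come before the module guards below */` so the ordering is not "tidied" back later.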
@@ -3053,8 +3053,10 @@ int ssl_init( ssl_context *ssl )
     memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
     memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
     ssl->hostname = NULL;
     ssl->hostname_len = 0;
+#endif
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
     ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
@@ -3356,6 +3358,7 @@ int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
 }
 #endif /* POLARSSL_DHM_C */
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
 int ssl_set_hostname( ssl_context *ssl, const char *hostname )
 {
     if( hostname == NULL )
@@ -3387,6 +3390,7 @@ void ssl_set_sni( ssl_context *ssl,
     ssl->f_sni = f_sni;
     ssl->p_sni = p_sni;
 }
+#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
 void ssl_set_max_version( ssl_context *ssl, int major, int minor )
 {
@@ -3918,12 +3922,14 @@ void ssl_free( ssl_context *ssl )
         polarssl_free( ssl->ticket_keys );
 #endif
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
     if ( ssl->hostname != NULL)
     {
         memset( ssl->hostname, 0, ssl->hostname_len );
         polarssl_free( ssl->hostname );
         ssl->hostname_len = 0;
     }
+#endif
 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
     if( ssl_hw_record_finish != NULL )
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index dd7fc465e..889c07755 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -719,7 +719,9 @@ int main( int argc, char *argv[] )
                      strlen( opt.psk_identity ) );
 #endif
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
     ssl_set_hostname( &ssl, opt.server_name );
+#endif
     if( opt.min_version != -1 )
         ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 665cdbfe8..bc7135e09 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
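Review bot: In the `ssl_free()` block, `ssl->hostname` is left pointing at freed memory while `hostname_len` is reset to zero, so the guard `if ( ssl->hostname != NULL)` would pass again on a second `ssl_free()` or on a context reused without `ssl_init()`, and the stale pointer would be handed to `polarssl_free()` a second time; unless the function wipes the whole context further down (outside the hunk), add `ssl->hostname = NULL;` right after the free so the block is idempotent. Note also that the `memset()` immediately before the free is a dead store from the compiler's point of view and may be elided; the hostname is not key material, so that is cosmetic here, but if the wipe is meant to be reliable it needs a helper the optimiser cannot remove.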
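Review bot: `ssl_set_hostname()` returns an `int` (its definition is in the ssl_tls.c hunk above and begins by checking for a NULL hostname), but the call here discards the result, so an allocation failure would leave this reference client silently sending a ClientHello without server_name and the problem would surface only as an unexplained failure against a name-based virtual host. Check it the way the other setup calls in `main()` presumably are: `if( ( ret = ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )` / `    goto exit;` with a diagnostic message. `main()` continues outside the hunk.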
@@ -596,7 +596,9 @@ int main( int argc, char *argv[] )
     ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
     ssl_set_own_cert( &ssl, &clicert, &rsa );
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
     ssl_set_hostname( &ssl, opt.server_name );
+#endif
     if( opt.mode == MODE_SSL_TLS )
     {
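Review bot: The return value of `ssl_set_hostname()` (an `int`, per its definition in the ssl_tls.c hunk) is ignored here, so a failure silently degrades to a ClientHello without server_name; `if( ( ret = ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )` / `    goto exit;` keeps the sample honest about errors. The same `opt.server_name` is still passed unconditionally to `ssl_set_ca_chain()` two lines above, presumably as the expected peer name, so disabling the option changes only what is sent on the wire and not what the certificate is checked against; a comment on the new `#if` such as `/* SNI only; the name used for certificate checking is given to ssl_set_ca_chain() above */` would stop the two from being conflated. `main()` continues outside the hunk.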