diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 695b23328..069c60e38 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1706,6 +1706,22 @@ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) +/** + * \brief Set own certificate and key for the current handshake + * + * \note Same as \c mbedtls_ssl_set_own_cert() but for use within + * the SNI callback. + * + * \param ssl SSL context + * \param own_cert own public certificate chain + * \param pk_key own private key + * + * \return 0 on success or MBEDTLS_ERR_SSL_MALLOC_FAILED + */ +int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl, + mbedtls_x509_crt *own_cert, + mbedtls_pk_context *pk_key ); + /** * \brief Set server side ServerName TLS extension callback * (optional, server-side only). @@ -1716,8 +1732,8 @@ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ); * following parameters: (void *parameter, mbedtls_ssl_context *ssl, * const unsigned char *hostname, size_t len). If a suitable * certificate is found, the callback should set the - * certificate and key to use with mbedtls_ssl_set_own_cert() (and - * possibly adjust the CA chain as well) and return 0. The + * certificate and key to use with mbedtls_ssl_set_hs_own_cert() (and + * possibly adjust the CA chain as well TODO: broken) and return 0. The * callback should return -1 to abort the handshake at this * point. * diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 0ff3c18ca..ea015ae70 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -389,25 +389,6 @@ void mbedtls_ssl_set_dtls_cookies( mbedtls_ssl_config *conf, #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) -/* - * Wrapper around f_sni, allowing use of mbedtls_ssl_set_own_cert() but - * making it act on ssl->handshake->sni_key_cert instead. - */ -static int ssl_sni_wrapper( mbedtls_ssl_context *ssl, - const unsigned char* name, size_t len ) -{ - int ret; - mbedtls_ssl_key_cert *key_cert_ori = ssl->conf->key_cert; - - ssl->conf->key_cert = NULL; - ret = ssl->conf->f_sni( ssl->conf->p_sni, ssl, name, len ); - ssl->handshake->sni_key_cert = ssl->conf->key_cert; - - ssl->conf->key_cert = key_cert_ori; - - return( ret ); -} - static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) @@ -437,7 +418,8 @@ static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) { - ret = ssl_sni_wrapper( ssl, p + 3, hostname_len ); + ret = ssl->conf->f_sni( ssl->conf->p_sni, + ssl, p + 3, hostname_len ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 1a75deffe..6f6e74e29 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5352,6 +5352,16 @@ void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf, } #endif /* MBEDTLS_X509_CRT_PARSE_C */ +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) +int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl, + mbedtls_x509_crt *own_cert, + mbedtls_pk_context *pk_key ) +{ + return( ssl_append_key_cert( &ssl->handshake->sni_key_cert, + own_cert, pk_key ) ); +} +#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ + #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) int mbedtls_ssl_set_psk( mbedtls_ssl_config *conf, const unsigned char *psk, size_t psk_len, diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index f4c206ece..8cc3ac177 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -547,7 +547,7 @@ int sni_callback( void *p_info, mbedtls_ssl_context *ssl, if( name_len == strlen( cur->name ) && memcmp( name, cur->name, name_len ) == 0 ) { - return( mbedtls_ssl_set_own_cert( ssl, cur->cert, cur->key ) ); + return( mbedtls_ssl_set_hs_own_cert( ssl, cur->cert, cur->key ) ); } cur = cur->next;