diff --git a/src/serv-args.def b/src/serv-args.def
index 44b67f1ab..027737772 100644
--- a/src/serv-args.def
+++ b/src/serv-args.def
@@ -8,6 +8,19 @@ detail = "Server program that listens to incoming TLS connections.";
|
#include args-std.def
|
+flag = {
+ name = sni-hostname;
+ descrip = "Server's hostname for server name extension";
+ arg-type = string;
+ doc = "Server name of type host_name that the server will recognise as its own. If the server receives client hello with different name, it will send a warning-level unrecognized_name alert.";
+};
+
+flag = {
+ name = sni-hostname-fatal;
+ descrip = "Send fatal alert on sni-hostname mismatch";
+ doc = "";
+};
+
flag = {
name = noticket;
descrip = "Don't accept session tickets";
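Review bot: The `doc = "";` entry for sni-hostname-fatal leaves the new option without a long description in the generated help and man page, while the sibling sni-hostname entry in the same hunk does document its behaviour. Something like `doc = "Send a fatal unrecognized_name alert and abort the handshake when the host name in the client hello does not match the one given with --sni-hostname. Without --sni-hostname this option has no effect.";` would cover it. The second sentence of that text is inferred from serv.c in this same patch, where the post-client-hello callback is installed only when sni_hostname is set.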
diff --git a/src/serv.c b/src/serv.c
index a1f9adfa8..f5ff48786 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -49,6 +49,8 @@
#include "sockets.h"
#include "udp-serv.h"
|
+#define _GNUTLS_E_UNRECOGNIZED_NAME -294
+
/* konqueror cannot handle sending the page in multiple
* pieces.
*/
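Review bot: `_GNUTLS_E_UNRECOGNIZED_NAME` is a reserved identifier in C (leading underscore followed by an uppercase letter), and hard-coding -294 duplicates a library error code by hand, so the two can silently diverge and post_client_hello would then return an unrelated code to the handshake. If the gnutls.h in use already exports `GNUTLS_E_UNRECOGNIZED_NAME`, use that and drop the define; otherwise rename it out of the reserved namespace and record the provenance next to it, e.g. `/* value of GNUTLS_E_UNRECOGNIZED_NAME in <library-internal header>; remove once the public header exports it */`.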
@@ -81,6 +83,8 @@ const char *dh_params_file = NULL;
const char *x509_crlfile = NULL;
const char *priorities = NULL;
const char *status_response_ocsp = NULL;
+const char *sni_hostname = NULL;
+int sni_hostname_fatal = 0;
|
gnutls_datum_t session_ticket_key;
static void tcp_server(const char *name, int port);
@@ -312,6 +316,83 @@ int ret;
return 0;
}
|
+/* callback used to verify if the host name advertised in client hello matches
+ * the one configured in server
+ */
+static int
+post_client_hello(gnutls_session_t session)
+{
+ int ret;
+ /* DNS names (only type supported) may be at most 256 byte long */
+ char *name;
+ size_t len = 256;
+ unsigned int type;
+ int i;
+
+ name = malloc(len);
+ if (name == NULL)
+ return GNUTLS_E_MEMORY_ERROR;
+
+ for (i=0; ; ) {
+ ret = gnutls_server_name_get(session, name, &len, &type, i);
+ if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
+ char *new_name;
+ new_name = realloc(name, len);
+ if (new_name == NULL) {
+ ret = GNUTLS_E_MEMORY_ERROR;
+ goto end;
+ }
+ name = new_name;
+ continue; /* retry call with same index */
+ }
+
+ /* check if it is the last entry in list */
+ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ break;
+ i++;
+ if (ret != GNUTLS_E_SUCCESS)
+ goto end;
+ /* unknown types need to be ignored */
+ if (type != GNUTLS_NAME_DNS)
+ continue;
+
+ if (strlen(sni_hostname) != len)
+ continue;
+ /* API guarantees that the name of type DNS will be null terminated */
+ if (!strncmp(name, sni_hostname, len)) {
+ ret = GNUTLS_E_SUCCESS;
+ goto end;
+ }
+ };
+ /* when there is no extension, we can't send the extension specific alert */
+ if (i == 0) {
+ fprintf(stderr, "Warning: client did not include SNI extension, using default host\n");
+ ret = GNUTLS_E_SUCCESS;
+ goto end;
+ }
+
+ if (sni_hostname_fatal == 1) {
+ /* abort the connection, propagate error up the stack */
+ ret = _GNUTLS_E_UNRECOGNIZED_NAME;
+ goto end;
+ }
+
+ fprintf(stderr, "Warning: client provided unrecognized host name\n");
+ /* since we just want to send an alert, not abort the connection, we
+ * need to send it ourselves
+ */
+ do {
+ ret = gnutls_alert_send(session,
+ GNUTLS_AL_WARNING,
+ GNUTLS_A_UNRECOGNIZED_NAME);
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+ /* continue handshake, fall through */
+end:
+ free(name);
+ return ret;
+}
+
gnutls_session_t initialize_session(int dtls)
{
gnutls_session_t session;
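Review bot: The host-name match in post_client_hello is case-sensitive (`if (!strncmp(name, sni_hostname, len))`), but the SNI host_name is an ASCII DNS name and a client sending `Example.org` to a server configured with `example.org` would get an unrecognized_name alert, or with --sni-hostname-fatal a failed handshake. Given the hunk's own note that DNS-type names come back null-terminated and the preceding length-equality check, `if (strcasecmp(name, sni_hostname) == 0) {` (POSIX, from strings.h) is enough. Two smaller points in the same loop: `len` is passed by address to gnutls_server_name_get on every iteration, so if that call rewrites it with the returned name's length on success (the `strlen(sni_hostname) != len` test seems to rely on that), the next iteration no longer passes the buffer capacity and only the SHORT_MEMORY_BUFFER retry keeps this correct — worth a one-line comment such as `/* len is in/out: after a successful call it holds the name length, not the capacity */`; and the `};` that closes the for loop carries a stray null statement. The remainder of initialize_session lies outside this hunk.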
@@ -343,6 +424,10 @@ gnutls_session_t initialize_session(int dtls)
&session_ticket_key);
#endif
|
+ if (sni_hostname != NULL)
+ gnutls_handshake_set_post_client_hello_function(session,
+ &post_client_hello);
+
if (gnutls_priority_set_direct(session, priorities, &err) < 0) {
fprintf(stderr, "Syntax error at: %s\n", err);
exit(1);
@@ -1629,6 +1714,12 @@ static void cmd_parser(int argc, char **argv)
if (HAVE_OPT(OCSP_RESPONSE))
status_response_ocsp = OPT_ARG(OCSP_RESPONSE);
|
+ if (HAVE_OPT(SNI_HOSTNAME))
+ sni_hostname = OPT_ARG(SNI_HOSTNAME);
+
+ if (HAVE_OPT(SNI_HOSTNAME_FATAL))
+ sni_hostname_fatal = 1;
+
}
|
/* session resuming support */
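Review bot: `--sni-hostname-fatal` given without `--sni-hostname` is accepted silently and has no effect, because the initialize_session hunk installs post_client_hello only when sni_hostname is non-NULL, so an operator expecting mismatching clients to be rejected gets neither a rejection nor a diagnostic. The new option block could refuse the combination up front: `if (sni_hostname_fatal && sni_hostname == NULL) { fprintf(stderr, "--sni-hostname-fatal requires --sni-hostname\n"); exit(1); }`, matching how the surrounding code exits on a bad priority string. cmd_parser starts before this hunk; the closing brace shown is its end.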
--
2.14.3
|