From: Aki Tuomi Date: Tue, 26 Nov 2024 22:29:01 +0000 (+0200) Subject: lib-ssl-iostream: Move ServerName handling to ssl_servername_process() X-Git-Tag: 2.4.1~491 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e623f0c529951071cc8eee4247edb8d1ed0b9d3;p=thirdparty%2Fdovecot%2Fcore.git lib-ssl-iostream: Move ServerName handling to ssl_servername_process() Simplifies next commit --- diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c index 0384182877..b906642124 100644 --- a/src/lib-ssl-iostream/iostream-openssl-context.c +++ b/src/lib-ssl-iostream/iostream-openssl-context.c @@ -295,36 +295,48 @@ ssl_iostream_ctx_verify_remote_cert(struct ssl_iostream_context *ctx, SSL_CTX_set_client_CA_list(ctx->ssl_ctx, ca_names); } +static int ssl_servername_process(struct ssl_iostream *ssl_io, const char *host, + int *al) +{ + const char *error; + + i_free(ssl_io->sni_host); + if (host != NULL && !connection_is_valid_dns_name(host)) { + openssl_iostream_set_error(ssl_io, + "TLS SNI servername sent by client is not a valid DNS name"); + *al = SSL_AD_UNRECOGNIZED_NAME; + return -1; + } + ssl_io->sni_host = i_strdup(host); + + if (ssl_io->sni_callback != NULL) { + if (ssl_io->sni_callback(ssl_io->sni_host, &error, + ssl_io->sni_context) < 0) { + openssl_iostream_set_error(ssl_io, error); + *al = SSL_AD_INTERNAL_ERROR; + return -1; + } + } + + return 0; +} + static int ssl_servername_callback(SSL *ssl, int *al, void *context ATTR_UNUSED) { struct ssl_iostream *ssl_io; - const char *host, *error; + const char *host; ssl_io = SSL_get_ex_data(ssl, dovecot_ssl_extdata_index); host = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); - if (SSL_get_servername_type(ssl) != -1) { - if (!connection_is_valid_dns_name(host)) { - openssl_iostream_set_error(ssl_io, - "TLS SNI servername sent by client is not a valid DNS name"); - *al = SSL_AD_UNRECOGNIZED_NAME; - return SSL_TLSEXT_ERR_ALERT_FATAL; - } - i_free(ssl_io->sni_host); - ssl_io->sni_host = i_strdup(host); - } else { + if (SSL_get_servername_type(ssl) == -1) { e_debug(ssl_io->event, "SSL_get_servername() failed"); } - if (ssl_io->sni_callback != NULL) { - if (ssl_io->sni_callback(ssl_io->sni_host, &error, - ssl_io->sni_context) < 0) { - *al = SSL_AD_INTERNAL_ERROR; - openssl_iostream_set_error(ssl_io, error); - return SSL_TLSEXT_ERR_ALERT_FATAL; - } - } + if (ssl_servername_process(ssl_io, host, al) < 0) + return SSL_TLSEXT_ERR_ALERT_FATAL; + return SSL_TLSEXT_ERR_OK; }