early-access version 2698
This commit is contained in:
pineappleEA
34
externals/libressl/tls/tls_client.c
vendored
34
externals/libressl/tls/tls_client.c
vendored
@@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: tls_client.c,v 1.45 2018/03/19 16:34:47 jsing Exp $ */
|
||||
/* $OpenBSD: tls_client.c,v 1.48 2021/10/21 08:38:11 tb Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
|
||||
*
|
||||
@@ -74,11 +74,8 @@ tls_connect_servername(struct tls *ctx, const char *host, const char *port,
|
||||
goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
* If port is NULL try to extract a port from the specified host,
|
||||
* otherwise use the default.
|
||||
*/
|
||||
if ((p = (char *)port) == NULL) {
|
||||
/* If port is NULL, try to extract a port from the specified host. */
|
||||
if (port == NULL) {
|
||||
ret = tls_host_port(host, &hs, &ps);
|
||||
if (ret == -1) {
|
||||
tls_set_errorx(ctx, "memory allocation failure");
|
||||
@@ -279,6 +276,7 @@ static int
|
||||
tls_connect_common(struct tls *ctx, const char *servername)
|
||||
{
|
||||
union tls_addr addrbuf;
|
||||
size_t servername_len;
|
||||
int rv = -1;
|
||||
|
||||
if ((ctx->flags & TLS_CLIENT) == 0) {
|
||||
@@ -291,6 +289,17 @@ tls_connect_common(struct tls *ctx, const char *servername)
|
||||
tls_set_errorx(ctx, "out of memory");
|
||||
goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
* If there's a trailing dot, remove it. While an FQDN includes
|
||||
* the terminating dot representing the zero-length label of
|
||||
* the root (RFC 8499, section 2), the SNI explicitly does not
|
||||
* include it (RFC 6066, section 3).
|
||||
*/
|
||||
servername_len = strlen(ctx->servername);
|
||||
if (servername_len > 0 &&
|
||||
ctx->servername[servername_len - 1] == '.')
|
||||
ctx->servername[servername_len - 1] = '\0';
|
||||
}
|
||||
|
||||
if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
|
||||
@@ -306,7 +315,7 @@ tls_connect_common(struct tls *ctx, const char *servername)
|
||||
goto err;
|
||||
|
||||
if (ctx->config->verify_name) {
|
||||
if (servername == NULL) {
|
||||
if (ctx->servername == NULL) {
|
||||
tls_set_errorx(ctx, "server name not specified");
|
||||
goto err;
|
||||
}
|
||||
@@ -350,13 +359,14 @@ tls_connect_common(struct tls *ctx, const char *servername)
|
||||
}
|
||||
|
||||
/*
|
||||
* RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not
|
||||
* RFC 6066 (SNI): Literal IPv4 and IPv6 addresses are not
|
||||
* permitted in "HostName".
|
||||
*/
|
||||
if (servername != NULL &&
|
||||
inet_pton(AF_INET, servername, &addrbuf) != 1 &&
|
||||
inet_pton(AF_INET6, servername, &addrbuf) != 1) {
|
||||
if (SSL_set_tlsext_host_name(ctx->ssl_conn, servername) == 0) {
|
||||
if (ctx->servername != NULL &&
|
||||
inet_pton(AF_INET, ctx->servername, &addrbuf) != 1 &&
|
||||
inet_pton(AF_INET6, ctx->servername, &addrbuf) != 1) {
|
||||
if (SSL_set_tlsext_host_name(ctx->ssl_conn,
|
||||
ctx->servername) == 0) {
|
||||
tls_set_errorx(ctx, "server name indication failure");
|
||||
goto err;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user