{"schema":"libjg2-1", "vpath":"/git/", "avatar":"/git/avatar/", "alang":"", "gen_ut":1762030846, "reponame":"openssl", "desc":"OpenSSL", "owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl", "f":3, "items": [ {"schema":"libjg2-1", "cid":"722ee687e017142a7e053cd5dbd2146c", "commit": {"type":"commit", "time": 1532635613, "time_ofs": 18446744073709551316, "oid_tree": { "oid": "bd2885ee31f82f80860531af3d3590ea64242a3d", "alias": []}, "oid":{ "oid": "a75be9fd34b5d66f349186f21cd8d063d2fa87a4", "alias": []}, "msg": "Improve backwards compat for SSL_get_servername()", "sig_commit": { "git_time": { "time": 1532635613, "offset": -300 }, "name": "Benjamin Kaduk", "email": "kaduk@mit.edu", "md5": "4658a77df5a10149cf73d60e70f70b2d" }, "sig_author": { "git_time": { "time": 1532570445, "offset": -300 }, "name": "Benjamin Kaduk", "email": "bkaduk@akamai.com", "md5": "a05981ba89c2b7753f6e41ad2046bdd8" }}, "body": "Improve backwards compat for SSL_get_servername()\n\nCommit 1c4aa31d79821dee9be98e915159d52cc30d8403 changed how we process\nand store SNI information during the handshake, so that a hostname is\nonly saved in the SSL_SESSION structure if that SNI value has actually\nbeen negotiated. SSL_get_servername() was adjusted to match, with a new\nconditional being added to handle the case when the handshake processing\nis ongoing, and a different location should be consulted for the offered\nSNI value. This was done in an attempt to preserve the historical\nbehavior of SSL_get_servername(), a function whose behavior only mostly\nmatches its documentation, and whose documentation is both lacking and\ndoes not necessarily reflect the actual desired behavior for such an\nAPI. 
Unfortunately, sweeping changes that would bring more sanity to\nthis space are not possible until OpenSSL 1.2.0, for ABI compatibility\nreasons, so we must attempt to maintain the existing behavior to the\nextent possible.\n\nThe above-mentioned commit did not take into account the behavior\nof SSL_get_servername() during resumption handshakes for TLS 1.2 and\nprior, where no SNI negotiation is performed. In that case we would\nnot properly parse the incoming SNI and erroneously return NULL as\nthe servername, when instead the logical session is associated with\nthe SNI value cached in the SSL_SESSION. (Note that in some cases an\nSNI callback may not need to do anything in a TLS 1.2 or prior resumption\nflow, but we are calling the callbacks and did not provide any guidance\nthat they should no-op if the connection is being resumed, so we must\nhandle this case in a usable fashion.) Update our behavior accordingly to\nreturn the session's cached value during the handshake, when resuming.\nThis fixes the boringssl tests.\n\n[extended tests]\n\nReviewed-by: Richard Levitte \u003clevitte@openssl.org\u003e\n(Merged from https://github.com/openssl/openssl/pull/6792)\n" , "diff": "diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c\nindex 10a7694..15380e1 100644\n--- a/ssl/ssl_lib.c\n+++ b/ssl/ssl_lib.c\n@@ -2618,8 +2618,11 @@ const char *SSL_get_servername(const SSL *s, const int type)\n * peer send\u0022 and \u0022what was actually negotiated\u0022; we should have\n * a clear distinction amongst those three.\n */\n- if (SSL_in_init(s))\n+ if (SSL_in_init(s)) {\n+ if (s-\u003ehit)\n+ return s-\u003esession-\u003eext.hostname;\n return s-\u003eext.hostname;\n+ }\n return (s-\u003esession !\u003d NULL \u0026\u0026 s-\u003eext.hostname \u003d\u003d NULL) ?\n s-\u003esession-\u003eext.hostname : s-\u003eext.hostname;\n }\n","s":{"c":1762030846,"u": 39602}} ],"g": 40456,"chitpc": 0,"ehitpc": 0,"indexed":0 , "ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}
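Review bot: the new `if (s->hit)` branch inside the `SSL_in_init(s)` block of `SSL_get_servername()` is conditioned only on resumption, while the commit message scopes the fix to resumption handshakes for TLS 1.2 and prior; either add the protocol-version condition or extend the comment above the block to state why returning the session's cached hostname is also intended for any other resumed handshake. The same branch dereferences `s->session->ext.hostname` without the `s->session != NULL` test that the unchanged final return still performs; if `s->hit` guarantees a non-NULL session, note that invariant in the comment, otherwise guard the dereference. Since the function now returns the cached value rather than `s->ext.hostname` while a resumed handshake is in progress, the documentation for `SSL_get_servername()` should say so, so that code calling it from a servername callback knows which value it is acting on.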