diff options
Diffstat (limited to 'tls_client.c')
| -rw-r--r-- | tls_client.c | 34 |
1 files changed, 22 insertions, 12 deletions
diff --git a/tls_client.c b/tls_client.c index 0743495..deb24eb 100644 --- a/tls_client.c +++ b/tls_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_client.c,v 1.45 2018/03/19 16:34:47 jsing Exp $ */ +/* $OpenBSD: tls_client.c,v 1.49 2023/05/14 07:26:25 op Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -75,11 +75,8 @@ tls_connect_servername(struct tls *ctx, const char *host, const char *port, goto err; } - /* - * If port is NULL try to extract a port from the specified host, - * otherwise use the default. - */ - if ((p = (char *)port) == NULL) { + /* If port is NULL, try to extract a port from the specified host. */ + if (port == NULL) { ret = tls_host_port(host, &hs, &ps); if (ret == -1) { tls_set_errorx(ctx, "memory allocation failure"); @@ -280,6 +277,7 @@ static int tls_connect_common(struct tls *ctx, const char *servername) { union tls_addr addrbuf; + size_t servername_len; int rv = -1; if ((ctx->flags & TLS_CLIENT) == 0) { @@ -292,6 +290,17 @@ tls_connect_common(struct tls *ctx, const char *servername) tls_set_errorx(ctx, "out of memory"); goto err; } + + /* + * If there's a trailing dot, remove it. While an FQDN includes + * the terminating dot representing the zero-length label of + * the root (RFC 8499, section 2), the SNI explicitly does not + * include it (RFC 6066, section 3). + */ + servername_len = strlen(ctx->servername); + if (servername_len > 0 && + ctx->servername[servername_len - 1] == '.') + ctx->servername[servername_len - 1] = '\0'; } if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { @@ -307,7 +316,7 @@ tls_connect_common(struct tls *ctx, const char *servername) goto err; if (ctx->config->verify_name) { - if (servername == NULL) { + if (ctx->servername == NULL) { tls_set_errorx(ctx, "server name not specified"); goto err; } @@ -351,13 +360,14 @@ tls_connect_common(struct tls *ctx, const char *servername) } /* - * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not + * RFC 6066 (SNI): Literal IPv4 and IPv6 addresses are not * permitted in "HostName". */ - if (servername != NULL && - inet_pton(AF_INET, servername, &addrbuf) != 1 && - inet_pton(AF_INET6, servername, &addrbuf) != 1) { - if (SSL_set_tlsext_host_name(ctx->ssl_conn, servername) == 0) { + if (ctx->servername != NULL && + inet_pton(AF_INET, ctx->servername, &addrbuf) != 1 && + inet_pton(AF_INET6, ctx->servername, &addrbuf) != 1) { + if (SSL_set_tlsext_host_name(ctx->ssl_conn, + ctx->servername) == 0) { tls_set_errorx(ctx, "server name indication failure"); goto err; } |