[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Thu Oct 12 14:25:39 UTC 2017


The branch master has been updated
       via  141e470947327e0c4e8ef3c299b42d01064c484c (commit)
       via  9fb6cb810b769abbd60f11ef6e936a4e4456b19d (commit)
      from  549be25303943738340e1edc22f71672c969cf62 (commit)


- Log -----------------------------------------------------------------
commit 141e470947327e0c4e8ef3c299b42d01064c484c
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Oct 11 14:42:25 2017 +0100

    Add a test for setting initial SNI in CH but not using it with early_data
    
    Test for the bug where early_data is not accepted by the server when it
    does not have an SNI callback set up, but the client sent a servername in
    the initial ClientHello establishing the session.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    (Merged from https://github.com/openssl/openssl/pull/4519)

commit 9fb6cb810b769abbd60f11ef6e936a4e4456b19d
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Oct 10 09:50:56 2017 +0100

    Fix bug where early_data does not work if no SNI callback is present
    
    Fixes #4496
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    (Merged from https://github.com/openssl/openssl/pull/4519)

-----------------------------------------------------------------------

Summary of changes:
 ssl/statem/extensions.c |  5 +++++
 test/sslapitest.c       | 10 ++++++++++
 2 files changed, 15 insertions(+)

diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index f6a200f..b5091ac 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -834,6 +834,11 @@ static int final_server_name(SSL *s, unsigned int context, int sent,
         ret = s->session_ctx->ext.servername_cb(s, &altmp,
                                        s->session_ctx->ext.servername_arg);
 
+    if (!sent) {
+        OPENSSL_free(s->session->ext.hostname);
+        s->session->ext.hostname = NULL;
+    }
+
     /*
      * If we're expecting to send a ticket, and tickets were previously enabled,
      * and now tickets are disabled, then turn off expected ticket.
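Review bot: the new `if (!sent)` block in final_server_name() has no comment explaining why the session's stored hostname is dropped when the server_name extension was not sent. The commit message talks about a missing SNI callback, yet the condition tests `sent` and the block runs whether or not a callback exists, so the link between the two is left for the reader to work out. A short comment above the block stating what state `s->session->ext.hostname` must hold for early_data to be accepted would make the intent reviewable. The block also dereferences `s->session` without a check; if this function can be reached with no session attached, guard it. Since the block sits after the `servername_cb` call in the context lines, it is also worth stating whether the callback is meant to run before the hostname is cleared.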
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 5299d57..c1137b0 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -1507,6 +1507,16 @@ static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
                                       NULL, NULL)))
         return 0;
 
+    /*
+     * For one of the run throughs (doesn't matter which one), we'll try sending
+     * some SNI data in the initial ClientHello. This will be ignored (because
+     * there is no SNI cb set up by the server), so it should not impact
+     * early_data.
+     */
+    if (idx == 1
+            && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
+        return 0;
+
     if (idx == 2) {
         /* Create the PSK */
         const SSL_CIPHER *cipher = NULL;
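Review bot: the `idx == 1` condition in setupearly_data_test() ties the regression coverage to a magic index, while the comment says it "doesn't matter which one". If the meaning of the idx values changes later, the SNI case can stop being exercised without any test failing. Say in the comment why idx 1 was picked, or what idx 1 otherwise represents, so the pairing is deliberate. The comment also relies on "there is no SNI cb set up by the server", which nothing in this hunk sets or asserts; a note pointing to where the server context is created without a servername callback would keep the test from passing for the wrong reason if that setup changes.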

