diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 015c38a67..f1f6e84eb 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8247,7 +8247,7 @@ int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl, return( 0 ); } - MBEDTLS_SSL_DEBUG_MSG( 3, ( "Parse ServerName extension" ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) ); MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); server_name_list_len = MBEDTLS_GET_UINT16_BE( p, 0 ); @@ -8264,11 +8264,15 @@ int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl, if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) { + ssl->handshake->sni_name = p + 3; + ssl->handshake->sni_name_len = hostname_len; + if( ssl->conf->f_sni == NULL ) + return( 0 ); ret = ssl->conf->f_sni( ssl->conf->p_sni, ssl, p + 3, hostname_len ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "sni_wrapper", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME ); diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 4ef37f2bb..e2f8c2e07 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -11399,6 +11399,53 @@ run_test "TLS 1.3: Server side check, no server certificate available" \ -s "No certificate available." requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Server side check - openssl with server name indication" \ + "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0 \ + sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ + "$O_NEXT_CLI -msg -debug -servername localhost -CAfile data_files/test-ca_cat12.crt -cert data_files/server5.crt -key data_files/server5.key -tls1_3" \ + 0 \ + -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ + -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ + -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ + -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ + -s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \ + -s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \ + -s "parse ServerName extension" \ + -s "=> parse client hello" \ + -s "<= parse client hello" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Server side check - gnutls with server name indication" \ + "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0 \ + sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ + "$G_NEXT_CLI localhost -d 4 --sni-hostname=localhost --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS -V" \ + 0 \ + -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ + -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ + -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ + -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ + -s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \ + -s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \ + -s "parse ServerName extension" \ + -s "=> parse client hello" \ + -s "<= parse client hello" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C @@ -11407,14 +11454,17 @@ run_test "TLS 1.3: Server side check - mbedtls with server name indication" \ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ "$P_CLI debug_level=4 server_name=localhost crt_file=data_files/server5.crt key_file=data_files/server5.key \ force_version=tls13" \ - 1 \ + 0 \ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ - -c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ - -s "Parse ServerName extension" \ - -s "SSL - The requested feature is not available" \ + -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ + -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ + -s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \ + -s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \ + -s "parse ServerName extension" \ -s "=> parse client hello" \ -s "<= parse client hello"