Make SNI per-connection, not per-session.

Right now we report the per-connection value during the handshake and
the per-session value after the handshake. This also trims our tickets
slightly by removing a largely unused field from SSL_SESSION.

Putting it on SSL_HANDSHAKE would be better, but sadly a number of
bindings-type APIs expose it after the handshake.

Change-Id: I6a1383f95da9b1b141b9d6adadc05ee1e458a326
Reviewed-on: https://boringssl-review.googlesource.com/20064
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index 481c9f8..ec70d27 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -619,31 +619,14 @@
 
 static int ext_sni_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                      CBS *contents) {
-  SSL *const ssl = hs->ssl;
-  if (contents == NULL) {
-    return 1;
-  }
-
-  if (CBS_len(contents) != 0) {
-    return 0;
-  }
-
-  assert(ssl->tlsext_hostname != NULL);
-
-  if (ssl->session == NULL) {
-    OPENSSL_free(hs->new_session->tlsext_hostname);
-    hs->new_session->tlsext_hostname = BUF_strdup(ssl->tlsext_hostname);
-    if (!hs->new_session->tlsext_hostname) {
-      *out_alert = SSL_AD_INTERNAL_ERROR;
-      return 0;
-    }
-  }
-
-  return 1;
+  // The server may acknowledge SNI with an empty extension. We check the syntax
+  // but otherwise ignore this signal.
+  return contents == NULL || CBS_len(contents) == 0;
 }
 
 static int ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                      CBS *contents) {
+  SSL *const ssl = hs->ssl;
   if (contents == NULL) {
     return 1;
   }
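Review bot: The rewritten `ext_sni_parse_serverhello` drops `assert(ssl->tlsext_hostname != NULL)`, which was the only local statement that a ServerHello `server_name` is expected only when this client offered one. If unsolicited extensions are rejected by the generic extension-processing code, which is not visible in this hunk, the new comment should say so, for example `// Unsolicited extensions are rejected by the caller, so non-NULL contents imply we sent SNI.` `hs` and `out_alert` are also unused now, so the `return 0` path relies on the caller having pre-set the alert, as the old non-empty branch already did. The body of `ext_sni_parse_clienthello`, which starts at the end of this hunk, continues outside it.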
@@ -674,12 +657,10 @@
   }
 
   // Copy the hostname as a string.
-  char *hostname_raw = nullptr;
-  if (!CBS_strdup(&host_name, &hostname_raw)) {
+  if (!CBS_strdup(&host_name, &ssl->s3->hostname)) {
     *out_alert = SSL_AD_INTERNAL_ERROR;
     return 0;
   }
-  hs->hostname.reset(hostname_raw);
 
   hs->should_ack_sni = true;
   return 1;
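Review bot: `CBS_strdup(&host_name, &ssl->s3->hostname)` writes the client's unauthenticated SNI straight into connection state that outlives the handshake, and nothing at the write site says so. Because the commit also removes the per-session copy, a resumed connection will report the name carried in this ClientHello rather than the name the session was established under. Whether resumption still compares the two is not visible here and is worth confirming against the RFC 6066 guidance on mismatched names. I would add a comment at the assignment such as `// Client-supplied and not bound to the resumed session; callers must not treat it as authenticated.` The validation of `host_name` (length, embedded NUL bytes) lies between the two hunks and cannot be confirmed from this view.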