Ability to disable server_name extension (RFC 6066)
diff --git a/ChangeLog b/ChangeLog
index 1a94b45..36c1779 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,6 +31,7 @@
* Split up the GCM module into a starts/update/finish cycle
* Client and server now filter sent and accepted ciphersuites on minimum
and maximum protocol version
+ * Ability to disable server_name extension (RFC 6066)
* Renamed error_strerror() to the less conflicting polarssl_strerror()
(Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC)
* SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 9fc5458..799c031 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -598,6 +598,15 @@
#define POLARSSL_SSL_SESSION_TICKETS
/**
+ * \def POLARSSL_SSL_SERVER_NAME_INDICATION
+ *
+ * Enable support for RFC 6066 server name indication (SNI) in SSL
+ *
+ * Comment this macro to disable support for server name indication in SSL
+ */
+#define POLARSSL_SSL_SERVER_NAME_INDICATION
+
+/**
* \def POLARSSL_SSL_TRUNCATED_HMAC
*
* Enable support for RFC 6066 truncated HMAC in SSL
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 1576fcb..f9c6b8f 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -564,7 +564,6 @@
int (*f_send)(void *, const unsigned char *, size_t);
int (*f_get_cache)(void *, ssl_session *);
int (*f_set_cache)(void *, const ssl_session *);
- int (*f_sni)(void *, ssl_context *, const unsigned char *, size_t);
void *p_rng; /*!< context for the RNG function */
void *p_dbg; /*!< context for the debug function */
@@ -572,9 +571,13 @@
void *p_send; /*!< context for writing operations */
void *p_get_cache; /*!< context for cache retrieval */
void *p_set_cache; /*!< context for cache store */
- void *p_sni; /*!< context for SNI extension */
void *p_hw_data; /*!< context for HW acceleration */
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
+ int (*f_sni)(void *, ssl_context *, const unsigned char *, size_t);
+ void *p_sni; /*!< context for SNI extension */
+#endif
+
#if defined(POLARSSL_X509_PARSE_C)
int (*f_vrfy)(void *, x509_cert *, int, int *);
void *p_vrfy; /*!< context for verification */
@@ -689,11 +692,13 @@
size_t psk_identity_len;
#endif
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
/*
- * TLS extensions
+ * SNI extension
*/
unsigned char *hostname;
size_t hostname_len;
+#endif
/*
* Secure renegotiation
@@ -1032,6 +1037,7 @@
int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx );
#endif
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
/**
* \brief Set hostname for ServerName TLS extension
* (client-side only)
@@ -1067,6 +1073,7 @@
int (*f_sni)(void *, ssl_context *, const unsigned char *,
size_t),
void *p_sni );
+#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
/**
* \brief Set the maximum supported version sent from the client side
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 99d3206..e37a3c0 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -51,6 +51,7 @@
#include <time.h>
#endif
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
static void ssl_write_hostname_ext( ssl_context *ssl,
unsigned char *buf,
size_t *olen )
@@ -100,6 +101,7 @@
*olen = ssl->hostname_len + 9;
}
+#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
static void ssl_write_renegotiation_ext( ssl_context *ssl,
unsigned char *buf,
@@ -534,8 +536,10 @@
// First write extensions, then the total length
//
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
+#endif
ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 4a71367..08b3bf9 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -336,6 +336,7 @@
}
#endif /* POLARSSL_SSL_SESSION_TICKETS */
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
static int ssl_parse_servername_ext( ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -385,6 +386,7 @@
return( 0 );
}
+#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
static int ssl_parse_renegotiation_info( ssl_context *ssl,
const unsigned char *buf,
@@ -1157,6 +1159,7 @@
}
switch( ext_id )
{
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
case TLS_EXT_SERVERNAME:
SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
if( ssl->f_sni == NULL )
@@ -1166,6 +1169,7 @@
if( ret != 0 )
return( ret );
break;
+#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
case TLS_EXT_RENEGOTIATION_INFO:
SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 06eeb71..44309f6 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -35,12 +35,12 @@
#if defined(POLARSSL_SSL_TLS_C)
-#include "polarssl/aes.h"
+#include "polarssl/debug.h"
+#include "polarssl/ssl.h"
+
#include "polarssl/arc4.h"
#include "polarssl/camellia.h"
#include "polarssl/des.h"
-#include "polarssl/debug.h"
-#include "polarssl/ssl.h"
#if defined(POLARSSL_GCM_C)
#include "polarssl/gcm.h"
@@ -3053,8 +3053,10 @@
memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
ssl->hostname = NULL;
ssl->hostname_len = 0;
+#endif
#if defined(POLARSSL_SSL_SESSION_TICKETS)
ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
@@ -3356,6 +3358,7 @@
}
#endif /* POLARSSL_DHM_C */
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
int ssl_set_hostname( ssl_context *ssl, const char *hostname )
{
if( hostname == NULL )
@@ -3387,6 +3390,7 @@
ssl->f_sni = f_sni;
ssl->p_sni = p_sni;
}
+#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
void ssl_set_max_version( ssl_context *ssl, int major, int minor )
{
@@ -3918,12 +3922,14 @@
polarssl_free( ssl->ticket_keys );
#endif
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
if ( ssl->hostname != NULL)
{
memset( ssl->hostname, 0, ssl->hostname_len );
polarssl_free( ssl->hostname );
ssl->hostname_len = 0;
}
+#endif
#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
if( ssl_hw_record_finish != NULL )
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index dd7fc46..889c077 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -719,7 +719,9 @@
strlen( opt.psk_identity ) );
#endif
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
ssl_set_hostname( &ssl, opt.server_name );
+#endif
if( opt.min_version != -1 )
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 665cdbf..bc7135e 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -596,7 +596,9 @@
ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
ssl_set_own_cert( &ssl, &clicert, &rsa );
+#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
ssl_set_hostname( &ssl, opt.server_name );
+#endif
if( opt.mode == MODE_SSL_TLS )
{
