tls: refactoring SNI ctx usage for libressl support (#1136)

* tls: refactoring sni ctx usage for libressl support * fix load verify locations * fix cleanup * fix ctx uninitialized goto * improve sni callback error handling * cleanup tls.h * refactor cert_store verify * check cert_store pointer * refactor goto error handling
baresip · Jun 6, 2024 · ef244d6 · ef244d6
1 parent 9f90b79
commit ef244d6
Show file tree

Hide file tree

Showing 3 changed files with 114 additions and 200 deletions.
diff --git a/src/tls/openssl/sni.c b/src/tls/openssl/sni.c
@@ -19,12 +19,10 @@
 #include "tls.h"
 
 
-#define DEBUG_MODULE "tls"
+#define DEBUG_MODULE "tls/sni"
 #define DEBUG_LEVEL 5
 #include <re_dbg.h>
 
-#if !defined(LIBRESSL_VERSION_NUMBER)
-
 struct tls_conn;
 
 
@@ -161,48 +159,33 @@ static int ssl_set_verify_client(SSL *ssl, const char *host)
 }
 
 
-static int ssl_use_cert(SSL *ssl, struct tls_cert *uc)
-{
-	int err;
-	long r;
-
-	SSL_certs_clear(ssl);
-	r = SSL_clear_chain_certs(ssl);
-	if (r != 1)
-		return EINVAL;
-
-	r = SSL_use_cert_and_key(ssl, tls_cert_x509(uc), tls_cert_pkey(uc),
-				 tls_cert_chain(uc), 1);
-	if (r != 1) {
-		ERR_clear_error();
-		return EINVAL;
-	}
-
-	err = ssl_set_verify_client(ssl, tls_cert_host(uc));
-	return err;
-}
-
-
 static int ssl_servername_handler(SSL *ssl, int *al, void *arg)
 {
-	struct tls *tls = arg;
+	struct tls *tls	= arg;
 	struct tls_cert *uc = NULL;
 	const char *sni;
-	(void)al;
 
 	sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
-	if (!str_isset(sni))
-		goto out;
+	if (!str_isset(sni)) {
+		*al = SSL_AD_UNRECOGNIZED_NAME;
+		return SSL_TLSEXT_ERR_ALERT_FATAL;
+	}
 
 	/* find and apply matching certificate */
 	uc = tls_cert_for_sni(tls, sni);
-	if (!uc)
-		goto out;
+	if (!uc) {
+		*al = SSL_AD_UNRECOGNIZED_NAME;
+		return SSL_TLSEXT_ERR_ALERT_FATAL;
+	}
 
 	DEBUG_INFO("found cert for sni %s\n", sni);
-	(void)ssl_use_cert(ssl, uc);
+	if (SSL_set_SSL_CTX(ssl, tls_cert_ctx(uc)) == NULL) {
+		*al = SSL_AD_INTERNAL_ERROR;
+		return SSL_TLSEXT_ERR_ALERT_FATAL;
+	}
+
+	(void)ssl_set_verify_client(ssl, tls_cert_host(uc));
 
-out:
 	return SSL_TLSEXT_ERR_OK;
 }
 
@@ -218,5 +201,3 @@ void tls_enable_sni(struct tls *tls)
 					       ssl_servername_handler);
 	SSL_CTX_set_tlsext_servername_arg(tls_ssl_ctx(tls), tls);
 }
-
-#endif /* !defined(LIBRESSL_VERSION_NUMBER) */