Hi, updated diff after millert@ and beck@ remarks:
- use a union to collapse in_addr + in6_addr
- don't allocate a buffer; use s->relay->domain->name directly
Thanks. -- Sebastien Marie
diff 73b535ef4537e8454483912fc3420bc304759e96 /home/semarie/repos/openbsd/src
blob - d384692a0e43de47d645142a6b99e72b7d83b687
file + usr.sbin/smtpd/mta_session.c
--- usr.sbin/smtpd/mta_session.c
+++ usr.sbin/smtpd/mta_session.c
@@ -26,6 +26,7 @@
 #include <sys/stat.h>
 #include <sys/uio.h>
+#include <arpa/inet.h>
 #include <ctype.h>
 #include <err.h>
 #include <errno.h>
@@ -1604,6 +1605,10 @@ mta_cert_init_cb(void *arg, int status, const char *na
 struct mta_session *s = arg;
 void *ssl;
 char *xname = NULL, *xcert = NULL;
+ union {
+ struct in_addr in4;
+ struct in6_addr in6;
+ } addrbuf;
 
 if (s->flags & MTA_WAIT)
 mta_tree_pop(&wait_tls_init, s->id);
@@ -1623,6 +1628,22 @@ mta_cert_init_cb(void *arg, int status, const char *na
 free(xcert);
 if (ssl == NULL)
 fatal("mta: ssl_mta_init");
+
+ /*
+ * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not
+ * permitted in "HostName".
+ */
+ if (s->relay->domain->as_host == 1) {
+ if (inet_pton(AF_INET, s->relay->domain->name, &addrbuf) != 1 &&
+ inet_pton(AF_INET6, s->relay->domain->name, &addrbuf) != 1) {
+ log_debug("%016"PRIx64" mta tls setting SNI name=%s",
+ s->id, s->relay->domain->name);
+ if (SSL_set_tlsext_host_name(ssl, s->relay->domain->name) == 0)
+ log_warnx("%016"PRIx64" mta tls setting SNI failed",
+ s->id);
+ }
+ }
+
 io_start_tls(s->io, ssl);
 }
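Review bot: The role of the new `addrbuf` union is not obvious from its declaration alone: it exists only so that both `inet_pton()` calls in the later hunk have a destination large enough for either address family, and its contents are never read. A one-line comment on the declaration would spare the next reader a lookup, e.g. `/* scratch for inet_pton(3); only the return value is used */`. mta_cert_init_cb's signature and opening are outside this hunk.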
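Review bot: The new literal-address test covers one of the two SNI HostName restrictions but not the other: RFC 6066 §3 (which obsoletes the cited RFC 4366) also requires the name to be sent without a trailing dot, so if `s->relay->domain->name` can carry one (a relay host written as `mail.example.com.`) it is passed verbatim to `SSL_set_tlsext_host_name()` and may be rejected or mismatched by the peer. Whether smtpd normalises the trailing dot before the name reaches this callback cannot be seen here; if it does not, copy the name into a local buffer with the trailing dot stripped and pass that instead. The comment should also point at the current document, `RFC 6066 (SNI, obsoletes RFC 4366)`, and if `as_host` is a flag, `if (s->relay->domain->as_host)` reads more naturally than the comparison with `1`. mta_cert_init_cb's opening is outside this hunk; its closing brace is the hunk's last line.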