Perform SNI lookups with a derived key

Although at this point it's the same good old key. Refs #301
varnish · Jul 12, 2019 · 156242c · 156242c
1 parent 5fa0164
commit 156242c
Showing 1 changed file with 15 additions and 4 deletions.
diff --git a/src/hitch.c b/src/hitch.c
@@ -776,29 +776,40 @@ sni_try_lookup(SSL *ssl, const char *sni_key, const struct sni_name_s *sn_tab)
 static int
 sni_switch_ctx(SSL *ssl, int *al, void *data)
 {
-	const char *servername;
 	const struct frontend *fr = NULL;
+	const char *servername;
+	char *sni_key;
 	int lookup_global = 1;
 	int sni_nomatch_abort = CONFIG->SNI_NOMATCH_ABORT;
 
+	AN(ssl);
 	(void)al;
 	if (data != NULL)
 		CAST_OBJ_NOTNULL(fr, data, FRONTEND_MAGIC);
 
 	servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
-	if (!servername)
+	if (servername == NULL)
 		return (SSL_TLSEXT_ERR_NOACK);
 
+	sni_key = strdup(servername);
+	AN(sni_key);
+
 	if (fr != NULL) {
-		if (sni_try_lookup(ssl, servername, fr->sni_names))
+		if (sni_try_lookup(ssl, sni_key, fr->sni_names)) {
+			free(sni_key);
 			return (SSL_TLSEXT_ERR_OK);
+		}
 		lookup_global = fr->match_global_certs;
 		if (fr->sni_nomatch_abort != -1)
 			sni_nomatch_abort = fr->sni_nomatch_abort;
 	}
 
-	if (lookup_global && sni_try_lookup(ssl, servername, sni_names))
+	if (lookup_global && sni_try_lookup(ssl, sni_key, sni_names)) {
+		free(sni_key);
 		return (SSL_TLSEXT_ERR_OK);
+	}
+
+	free(sni_key);
 
 	/* No matching certs */
 	if (sni_nomatch_abort)