ITS#9176 check for numeric addrs before passing SNI

2025-12-26 09:39:45 -05:00 · 2020-04-27 18:25:10 +01:00 · 2020-04-27 18:25:10 +01:00 · b8f34888c3
commit b8f34888c3
parent 8f174209e1
2 changed files with 24 additions and 2 deletions
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@ -342,6 +342,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
 	Sockbuf *sb = conn->lconn_sb;
 	int	err;
 	tls_session	*ssl = NULL;
+	char *sni = host;

 	if ( HAS_TLS( sb )) {
 		ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
@ -376,7 +377,26 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
 			lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg );
 	}

-	err = tls_imp->ti_session_connect( ld, ssl, host );
+	/* pass hostname for SNI, but only if it's an actual name
+	 * and not a numeric address
+	 */
+	{
+		int numeric = 1;
+		char *c;
+		for ( c = sni; *c; c++ ) {
+			if ( *c == ':' )	/* IPv6 address */
+				break;
+			if ( *c == '.' )
+				continue;
+			if ( !isdigit( *c )) {
+				numeric = 0;
+				break;
+			}
+		}
+		if ( numeric )
+			sni = NULL;
+	}
+	err = tls_imp->ti_session_connect( ld, ssl, sni );

 #ifdef HAVE_WINSOCK
 	errno = WSAGetLastError();
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@ -530,7 +530,9 @@ tlso_session_connect( LDAP *ld, tls_session *sess, const char *name_in )
 	int rc;

 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
-	SSL_set_tlsext_host_name( s, name_in );
+	if ( name_in ) {
+		SSL_set_tlsext_host_name( s, name_in );
+	}
 #endif
 	/* Caller expects 0 = success, OpenSSL returns 1 = success */
 	rc = SSL_connect( s ) - 1;