looks good to me ok beck@
On Sun, May 31, 2020 at 03:38:00PM +0200, Sebastien Marie wrote:
> Hi,
>
> updated diff after millert@ and beck@ remarks:
> - use union to collapse in_addr + in6_addr
> - doesn't allocate buffer and directly use s->relay->domain->name
>
> Thanks.
> --
> Sebastien Marie
>
>
> diff 73b535ef4537e8454483912fc3420bc304759e96 /home/semarie/repos/openbsd/src
> blob - d384692a0e43de47d645142a6b99e72b7d83b687
> file + usr.sbin/smtpd/mta_session.c
> --- usr.sbin/smtpd/mta_session.c
> +++ usr.sbin/smtpd/mta_session.c
> @@ -26,6 +26,7 @@
> #include <sys/stat.h>
> #include <sys/uio.h>
>
> +#include <arpa/inet.h>
> #include <ctype.h>
> #include <err.h>
> #include <errno.h>
> @@ -1604,6 +1605,10 @@ mta_cert_init_cb(void *arg, int status, const char *na
> struct mta_session *s = arg;
> void *ssl;
> char *xname = NULL, *xcert = NULL;
> + union {
> + struct in_addr in4;
> + struct in6_addr in6;
> + } addrbuf;
>
> if (s->flags & MTA_WAIT)
> mta_tree_pop(&wait_tls_init, s->id);
> @@ -1623,6 +1628,22 @@ mta_cert_init_cb(void *arg, int status, const char *na
> free(xcert);
> if (ssl == NULL)
> fatal("mta: ssl_mta_init");
> +
> + /*
> + * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not
> + * permitted in "HostName".
> + */
> + if (s->relay->domain->as_host == 1) {
> + if (inet_pton(AF_INET, s->relay->domain->name, &addrbuf) != 1 &&
> + inet_pton(AF_INET6, s->relay->domain->name, &addrbuf) != 1)
> {
> + log_debug("%016"PRIx64" mta tls setting SNI name=%s",
> + s->id, s->relay->domain->name);
> + if (SSL_set_tlsext_host_name(ssl,
> s->relay->domain->name) == 0)
> + log_warnx("%016"PRIx64" mta tls setting SNI
> failed",
> + s->id);
> + }
> + }
> +
> io_start_tls(s->io, ssl);
> }
>
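Review bot: The literal-address test in the @@ -1623 hunk only rejects spellings that inet_pton() parses, so if domain->name can ever hold a form inet_pton() does not accept — a bracketed `[...]` literal, an IPv6 address with a `%ifname` zone suffix, or an `IPv6:`-prefixed literal — that string would still be sent as the SNI name; this depends on how domain->name is populated, which is outside the hunk, so it is worth confirming against the relay parsing code and stripping or rejecting those forms before the check if they can reach here. Since addrbuf is written by inet_pton() and never read, a one-line comment on the union in the @@ -1604 hunk, `/* scratch for inet_pton(); contents are never read */`, would save the next reader a search for its consumer. The comment could also cite the current text, RFC 6066 section 3, which carries the same prohibition as the obsoleted RFC 4366. mta_cert_init_cb's body starts and ends outside both hunks.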