s4:lib/tls: include a TLS server name indication in the client handshake
authorStefan Metzmacher <metze@samba.org>
Fri, 15 Mar 2024 22:24:39 +0000 (23:24 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 23 Apr 2024 23:50:33 +0000 (23:50 +0000)
Sending a server name indication is not strictly needed for the handshake
itself, but it might be useful for load balancers that route by SNI.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/lib/tls/tls_tstream.c

index cfcff8366244a0f3c733e60b98bf2af81596ecec..8b6d89b802abcd96877ea648cb829a3b8ea5e595 100644 (file)
@@ -992,6 +992,7 @@ static NTSTATUS tstream_tls_prepare_gnutls(struct tstream_tls_params *_tlsp,
        struct tstream_tls_params_internal *tlsp = NULL;
        int ret;
        unsigned int flags;
+       const char *hostname = NULL;
 
        if (tlss->is_server) {
                flags = GNUTLS_SERVER;
@@ -1025,10 +1026,20 @@ static NTSTATUS tstream_tls_prepare_gnutls(struct tstream_tls_params *_tlsp,
 
        tlss->verify_peer = tlsp->verify_peer;
        if (tlsp->peer_name != NULL) {
+               bool ip = is_ipaddress(tlsp->peer_name);
+
                tlss->peer_name = talloc_strdup(tlss, tlsp->peer_name);
                if (tlss->peer_name == NULL) {
                        return NT_STATUS_NO_MEMORY;
                }
+
+               if (!ip) {
+                       hostname = tlss->peer_name;
+               }
+
+               if (tlss->verify_peer < TLS_VERIFY_PEER_CA_AND_NAME) {
+                       hostname = NULL;
+               }
        }
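Review bot: The two conditions that decide whether `hostname` is set need a comment, because a reader has to guess why the SNI name is withheld whenever `tlss->verify_peer` is below `TLS_VERIFY_PEER_CA_AND_NAME` — the commit message motivates SNI with load balancers, which would benefit from it regardless of what the client verifies, so this gate reads as either an oversight or an undocumented policy and should say which (e.g. `/* Only advertise a name we are actually going to verify against the certificate. */` if that is the intent). The IP-address exclusion is well founded and should say so: `/* RFC 6066: SNI carries DNS names only; never send a literal IP address. */`. The assign-then-clear sequence can also collapse into one guarded assignment, `if (!ip && tlss->verify_peer >= TLS_VERIFY_PEER_CA_AND_NAME) { hostname = tlss->peer_name; }`, which makes the policy visible in a single condition. tstream_tls_prepare_gnutls starts before this hunk and continues past it.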
 
        if (tlss->current_ev != NULL) {
@@ -1070,6 +1081,17 @@ static NTSTATUS tstream_tls_prepare_gnutls(struct tstream_tls_params *_tlsp,
                                NT_STATUS_CRYPTO_SYSTEM_INVALID);
        }
 
+       if (hostname != NULL) {
+               ret = gnutls_server_name_set(tlss->tls_session,
+                                            GNUTLS_NAME_DNS,
+                                            hostname,
+                                            strlen(hostname));
+               if (ret != GNUTLS_E_SUCCESS) {
+                       return gnutls_error_to_ntstatus(ret,
+                                       NT_STATUS_CRYPTO_SYSTEM_INVALID);
+               }
+       }
+
        if (tlss->is_server) {
                gnutls_certificate_server_set_request(tlss->tls_session,
                                                      GNUTLS_CERT_REQUEST);
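Review bot: gnutls_server_name_set() is called whenever `hostname` is non-NULL without checking `tlss->is_server`, even though server_name is a client-side extension and the very next statement already branches on `is_server`. If `peer_name` can be populated on a server-side session (the hunk does not show where it is set, so I cannot tell), the server would try to attach a server_name to its own session; guarding with `if (!tlss->is_server && hostname != NULL) {` makes the intent explicit and costs nothing. Note also that GnuTLS may reject names it cannot encode (an empty string, or non-ASCII names where IDNA conversion is unavailable), and the error branch then fails the whole session with NT_STATUS_CRYPTO_SYSTEM_INVALID rather than falling back to "no SNI"; a one-line comment on the `ret != GNUTLS_E_SUCCESS` branch stating that a bad peer_name is deliberately fatal here would save the next reader from wondering whether a soft fallback was intended. The enclosing function continues past the end of the hunk.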