From 305a61b3d3a69aaea55e15e3fbd47b1c4247cf33 Mon Sep 17 00:00:00 2001
From: Steve Bennett
Date: Sun, 3 May 2020 21:26:25 +1000
Subject: aio: ssl: Allow SNI to be specified

For some SSL connections it is necessary to set the Server Name Indication in the connection in order to receive the correct certificate. Allow this as part of the client ssl call with:

$sock ssl -sni $servername

Also for -server mode, allow the certificate and private key to be stored in a single file and only be specified once.

Signed-off-by: Steve Bennett
---
 jim-aio.c | 41 +++++++++++++++++++++++++++++++----------
 1 file changed, 31 insertions(+), 10 deletions(-)

(limited to 'jim-aio.c')

diff --git a/jim-aio.c b/jim-aio.c
index 0376de4..56c8adf 100644
--- a/jim-aio.c
+++ b/jim-aio.c
@@ -1421,15 +1421,31 @@ static int aio_cmd_ssl(Jim_Interp *interp, int argc, Jim_Obj *const *argv)
     SSL *ssl;
     SSL_CTX *ssl_ctx;
     int server = 0;
+    const char *sni = NULL;
 
-    if (argc == 5) {
-        if (!Jim_CompareStringImmediate(interp, argv[2], "-server")) {
+    if (argc > 2) {
+        static const char * const options[] = { "-server", "-sni", NULL };
+        enum { OPT_SERVER, OPT_SNI };
+        int option;
+
+        if (Jim_GetEnum(interp, argv[2], options, &option, NULL, JIM_ERRMSG) != JIM_OK) {
             return JIM_ERR;
         }
-        server = 1;
-    }
-    else if (argc != 2) {
-        return -1;
+        switch (option) {
+            case OPT_SERVER:
+                if (argc != 4 && argc != 5) {
+                    return JIM_ERR;
+                }
+                server = 1;
+                break;
+
+            case OPT_SNI:
+                if (argc != 4) {
+                    return JIM_ERR;
+                }
+                sni = Jim_String(argv[3]);
+                break;
+        }
     }
 
     if (af->ssl) {
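Review bot: The two argument-count failures added in the switch, `if (argc != 4 && argc != 5) { return JIM_ERR; }` and `if (argc != 4) { return JIM_ERR; }`, return JIM_ERR without setting a result, so `$sock ssl -sni` with a missing or extra argument fails with an empty error message. The `return -1;` this hunk removes used the subcommand convention that a negative return makes the dispatcher print the usage string, and if that convention still holds both new checks should be `return -1;` so the usage line from the command table is reported; the Jim_GetEnum failure already carries its own message via JIM_ERRMSG and is fine as written. aio_cmd_ssl starts before this hunk and continues after it.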
@@ -1454,11 +1470,12 @@ static int aio_cmd_ssl(Jim_Interp *interp, int argc, Jim_Obj *const *argv)
     }
 
     if (server) {
-        if (SSL_use_certificate_file(ssl, Jim_String(argv[3]), SSL_FILETYPE_PEM) != 1) {
+        const char *certfile = Jim_String(argv[3]);
+        const char *keyfile = (argc == 4) ? certfile : Jim_String(argv[4]);
+        if (SSL_use_certificate_file(ssl, certfile, SSL_FILETYPE_PEM) != 1) {
             goto out;
         }
-
-        if (SSL_use_PrivateKey_file(ssl, Jim_String(argv[4]), SSL_FILETYPE_PEM) != 1) {
+        if (SSL_use_PrivateKey_file(ssl, keyfile, SSL_FILETYPE_PEM) != 1) {
             goto out;
         }
 
@@ -1467,6 +1484,10 @@ static int aio_cmd_ssl(Jim_Interp *interp, int argc, Jim_Obj *const *argv)
         }
     }
     else {
+        if (sni) {
+            /* Set server name indication if requested */
+            SSL_set_tlsext_host_name(ssl, sni);
+        }
         if (SSL_connect(ssl) != 1) {
             goto out;
         }
@@ -1796,7 +1817,7 @@ static const jim_subcmd_type aio_command_table[] = {
 #if !defined(JIM_BOOTSTRAP)
 #if defined(JIM_SSL)
     {   "ssl",
-        "?-server cert priv?",
+        "?-server cert ?priv?|-sni servername?",
         aio_cmd_ssl,
         0,
         3,
-- 
cgit v1.1
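Review bot: The return value of `SSL_set_tlsext_host_name(ssl, sni)` in the new `if (sni)` block is ignored, so a name OpenSSL rejects (an over-long one, for instance) leaves an error on the queue and the handshake proceeds without SNI, which is exactly the case the option exists to fix; write `if (SSL_set_tlsext_host_name(ssl, sni) != 1) { goto out; }` so it fails like the other calls in this function. Separately, SNI only tells the server which certificate to present: OpenSSL does not check that the certificate it gets back is for that name, so if this context verifies the peer (the SSL_CTX setup is outside the hunk) the same name should also be passed to `SSL_set1_host(ssl, sni)` (OpenSSL 1.1.0 and later), or a certificate for any name will pass as far as the hostname is concerned. The comment would be more useful as `/* Send SNI so the server picks the right certificate; this does not verify the certificate's name */`. aio_cmd_ssl starts before this hunk and continues after it.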