Add SSL Server Name Indication (SNI) client support

See RFC 6066 section 3

6 files changed, 57 insertions, 13 deletions

diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 445a47c07b..aac04095b4 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -52,6 +52,8 @@
       <item>CRL and policy certificate extensions are not supported
       yet. However CRL verification is supported by public_key, only not integrated
       in ssl yet. </item>
+      <item>Support for 'Server Name Indication' extension client side
+      (RFC 6066 section 3).</item>
     </list>
  
   </section>
diff --git a/lib/ssl/src/dtls_handshake.erl b/lib/ssl/src/dtls_handshake.erl
index 26e8ce7503..d0f9649f9f 100644
--- a/lib/ssl/src/dtls_handshake.erl
+++ b/lib/ssl/src/dtls_handshake.erl
@@ -46,7 +46,7 @@ client_hello(Host, Port, Cookie, ConnectionStates,
     SecParams = Pending#connection_state.security_parameters,
     CipherSuites = ssl_handshake:available_suites(UserSuites, Version),
 
-    Extensions = ssl_handshake:client_hello_extensions(Version, CipherSuites,
+    Extensions = ssl_handshake:client_hello_extensions(Host, Version, CipherSuites,
 						SslOpts, ConnectionStates, Renegotiation),
 
     Id = ssl_session:client_id({Host, Port, SslOpts}, Cache, CacheCb, OwnCert),
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index b18452a8f2..e1fd6970cc 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -53,7 +53,7 @@
 	 select_session/10, supported_ecc/1]).
 
 %% Extensions handling
--export([client_hello_extensions/5,
+-export([client_hello_extensions/6,
 	 handle_client_hello_extensions/8, %% Returns server hello extensions
 	 handle_server_hello_extensions/9, select_curve/2
 	]).
@@ -85,7 +85,7 @@ hello_request() ->
 server_hello_done() ->
     #server_hello_done{}.
 
-client_hello_extensions(Version, CipherSuites, SslOpts, ConnectionStates, Renegotiation) ->
+client_hello_extensions(Host, Version, CipherSuites, SslOpts, ConnectionStates, Renegotiation) ->
     {EcPointFormats, EllipticCurves} =
 	case advertises_ec_ciphers(lists:map(fun ssl_cipher:suite_definition/1, CipherSuites)) of
 	    true ->
@@ -104,7 +104,8 @@ client_hello_extensions(Version, CipherSuites, SslOpts, ConnectionStates, Renego
        elliptic_curves = EllipticCurves,
        next_protocol_negotiation =
 	   encode_client_protocol_negotiation(SslOpts#ssl_options.next_protocol_selector,
-					      Renegotiation)}.
+					      Renegotiation),
+       sni = sni(Host)}.
 
 %%--------------------------------------------------------------------
 -spec certificate(der_cert(), db_handle(), certdb_ref(), client | server) -> #certificate{} | #alert{}.
@@ -641,7 +642,19 @@ encode_hello_extensions([#hash_sign_algos{hash_sign_algos = HashSignAlgos} | Res
     ListLen = byte_size(SignAlgoList),
     Len = ListLen + 2,
     encode_hello_extensions(Rest, <<?UINT16(?SIGNATURE_ALGORITHMS_EXT),
-				 ?UINT16(Len), ?UINT16(ListLen), SignAlgoList/binary, Acc/binary>>).
+				 ?UINT16(Len), ?UINT16(ListLen), SignAlgoList/binary, Acc/binary>>);
+encode_hello_extensions([#sni{hostname = Hostname} | Rest], Acc) ->
+    HostLen = length(Hostname),
+    HostnameBin = list_to_binary(Hostname),
+    % Hostname type (1 byte) + Hostname length (2 bytes) + Hostname (HostLen bytes)
+    ServerNameLength = 1 + 2 + HostLen,
+    % ServerNameListSize (2 bytes) + ServerNameLength
+    ExtLength = 2 + ServerNameLength,
+    encode_hello_extensions(Rest, <<?UINT16(?SNI_EXT), ?UINT16(ExtLength),
+				    ?UINT16(ServerNameLength),
+				    ?BYTE(?SNI_NAMETYPE_HOST_NAME),
+				    ?UINT16(HostLen), HostnameBin/binary,
+				    Acc/binary>>).
 
 enc_server_key_exchange(Version, Params, {HashAlgo, SignAlgo},
 			ClientRandom, ServerRandom, PrivateKey) ->
@@ -1081,9 +1094,10 @@ hello_extensions_list(#hello_extensions{renegotiation_info = RenegotiationInfo,
 					hash_signs = HashSigns,
 					ec_point_formats = EcPointFormats,
 					elliptic_curves = EllipticCurves,
-					next_protocol_negotiation = NextProtocolNegotiation}) ->
+					next_protocol_negotiation = NextProtocolNegotiation,
+					sni = Sni}) ->
     [Ext || Ext <- [RenegotiationInfo, SRP, HashSigns,
-		    EcPointFormats,EllipticCurves, NextProtocolNegotiation], Ext =/= undefined].
+		    EcPointFormats, EllipticCurves, NextProtocolNegotiation, Sni], Ext =/= undefined].
 
 srp_user(#ssl_options{srp_identity = {UserName, _}}) ->
     #srp{username = UserName};
@@ -1146,6 +1160,13 @@ select_curve(Curves, [Curve| Rest]) ->
 	    select_curve(Curves, Rest)
     end.
 
+sni(Host) ->
+    %% RFC 6066, Section 3: Currently, the only server names supported are
+    %% DNS hostnames
+    case inet_parse:domain(Host) of
+        false -> undefined;
+        true -> #sni{hostname = Host}
+    end.
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
diff --git a/lib/ssl/src/ssl_handshake.hrl b/lib/ssl/src/ssl_handshake.hrl
index f25b0df806..75160526b9 100644
--- a/lib/ssl/src/ssl_handshake.hrl
+++ b/lib/ssl/src/ssl_handshake.hrl
@@ -98,7 +98,8 @@
 	  next_protocol_negotiation = undefined, % [binary()]
 	  srp,
 	  ec_point_formats,
-	  elliptic_curves
+	  elliptic_curves,
+	  sni
 	 }).
 
 -record(server_hello, {
@@ -339,6 +340,19 @@
 -define(NAMED_CURVE, 3).
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%% Server name indication RFC 6066 section 3
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+-define(SNI_EXT, 16#0000).
+
+%% enum { host_name(0), (255) } NameType;
+-define(SNI_NAMETYPE_HOST_NAME, 0).
+
+-record(sni, {
+          hostname = undefined
+        }).
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %% Dialyzer types
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
@@ -353,6 +367,3 @@
 
 
 -endif. % -ifdef(ssl_handshake).
-
-
-     
diff --git a/lib/ssl/src/tls_handshake.erl b/lib/ssl/src/tls_handshake.erl
index ecbca83e10..262f2d929f 100644
--- a/lib/ssl/src/tls_handshake.erl
+++ b/lib/ssl/src/tls_handshake.erl
@@ -56,7 +56,7 @@ client_hello(Host, Port, ConnectionStates,
     SecParams = Pending#connection_state.security_parameters,
     CipherSuites = ssl_handshake:available_suites(UserSuites, Version),
 
-    Extensions = ssl_handshake:client_hello_extensions(Version, CipherSuites,
+    Extensions = ssl_handshake:client_hello_extensions(Host, Version, CipherSuites,
 						SslOpts, ConnectionStates, Renegotiation),
 
     Id = ssl_session:client_id({Host, Port, SslOpts}, Cache, CacheCb, OwnCert),
diff --git a/lib/ssl/test/ssl_handshake_SUITE.erl b/lib/ssl/test/ssl_handshake_SUITE.erl
index 9695710230..7e8e8d2611 100644
--- a/lib/ssl/test/ssl_handshake_SUITE.erl
+++ b/lib/ssl/test/ssl_handshake_SUITE.erl
@@ -34,7 +34,8 @@ suite() -> [{ct_hooks,[ts_install_cth]}].
 
 all() -> [decode_hello_handshake,
 	  decode_single_hello_extension_correctly,
-	  decode_unknown_hello_extension_correctly].
+	  decode_unknown_hello_extension_correctly,
+	  encode_single_hello_sni_extension_correctly].
 
 %%--------------------------------------------------------------------
 %% Test Cases --------------------------------------------------------
@@ -73,3 +74,12 @@ decode_unknown_hello_extension_correctly(_Config) ->
     Extensions = ssl_handshake:decode_hello_extensions(<<FourByteUnknown/binary, Renegotiation/binary>>),
      #renegotiation_info{renegotiated_connection = <<0>>}
 	= Extensions#hello_extensions.renegotiation_info.
+
+encode_single_hello_sni_extension_correctly(_Config) ->
+    Exts = #hello_extensions{sni = #sni{hostname = "test.com"}},
+    SNI = <<16#00, 16#00, 16#00, 16#0d, 16#00, 16#0b, 16#00, 16#00, 16#08,
+	    $t,    $e,    $s,    $t,    $.,    $c,    $o,    $m>>,
+    ExtSize = byte_size(SNI),
+    HelloExt = <<ExtSize:16/unsigned-big-integer, SNI/binary>>,
+    Encoded = ssl_handshake:encode_hello_extensions(Exts),
+    HelloExt = Encoded.