Require on-the-wire SNI to pass IsValidSNI check

This requirement existed in QUIC Crypto; it should exist when we run QUIC
with TLS.

Restrict SNI in IETF QUIC draft versions; protected by the reloadable flag quic_tls_enforce_valid_sni.

PiperOrigin-RevId: 310054163
Change-Id: I9ffdea55c350e9c1592a71debb3fbb271eca7750
diff --git a/quic/core/tls_server_handshaker.cc b/quic/core/tls_server_handshaker.cc
index 890abae..54a066f 100644
--- a/quic/core/tls_server_handshaker.cc
+++ b/quic/core/tls_server_handshaker.cc
@@ -484,6 +484,15 @@
     hostname_ = hostname;
     crypto_negotiated_params_->sni =
         QuicHostnameUtils::NormalizeHostname(hostname_);
+    if (GetQuicReloadableFlag(quic_tls_enforce_valid_sni)) {
+      QUIC_RELOADABLE_FLAG_COUNT(quic_tls_enforce_valid_sni);
+      if (!QuicHostnameUtils::IsValidSNI(hostname_)) {
+        // TODO(b/151676147): Include this error string in the CONNECTION_CLOSE
+        // frame.
+        QUIC_LOG(ERROR) << "Invalid SNI provided: \"" << hostname_ << "\"";
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
+      }
+    }
   } else {
     QUIC_LOG(INFO) << "No hostname indicated in SNI";
   }
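Review bot: The new IsValidSNI check runs only after `hostname_` and `crypto_negotiated_params_->sni` have already been assigned on the three context lines above it, so a rejected handshake leaves the invalid name stored in both fields for any later code (stats, logging, error reporting) to read. Consider testing the incoming `hostname` before either assignment, or resetting both fields (presumably `hostname_.clear(); crypto_negotiated_params_->sni.clear();`, assuming both are std::string — confirm) before returning `SSL_TLSEXT_ERR_ALERT_FATAL`. Separately, the ERROR-level log on the rejection path echoes a peer-supplied string that has just failed validation and can be triggered per connection; a lower severity or a rate-limited/escaped form would be safer for log hygiene. The enclosing function begins and ends outside the hunk.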