Add a TlsServerHandshaker::ValidateHostname method to validate SNI.
PiperOrigin-RevId: 343381779
Change-Id: I2c449c1fc2769297d5b730cdf4b6eff7b6eb389f
diff --git a/quic/core/tls_server_handshaker.cc b/quic/core/tls_server_handshaker.cc
index e0fe84d..01b5df6 100644
--- a/quic/core/tls_server_handshaker.cc
+++ b/quic/core/tls_server_handshaker.cc
@@ -506,16 +506,23 @@
return ssl_ticket_aead_success;
}
+bool TlsServerHandshaker::ValidateHostname(const std::string& hostname) const {
+ if (!QuicHostnameUtils::IsValidSNI(hostname)) {
+ // TODO(b/151676147): Include this error string in the CONNECTION_CLOSE
+ // frame.
+ QUIC_LOG(ERROR) << "Invalid SNI provided: \"" << hostname << "\"";
+ return false;
+ }
+ return true;
+}
+
int TlsServerHandshaker::SelectCertificate(int* out_alert) {
const char* hostname = SSL_get_servername(ssl(), TLSEXT_NAMETYPE_host_name);
if (hostname) {
hostname_ = hostname;
crypto_negotiated_params_->sni =
QuicHostnameUtils::NormalizeHostname(hostname_);
- if (!QuicHostnameUtils::IsValidSNI(hostname_)) {
- // TODO(b/151676147): Include this error string in the CONNECTION_CLOSE
- // frame.
- QUIC_LOG(ERROR) << "Invalid SNI provided: \"" << hostname_ << "\"";
+ if (!ValidateHostname(hostname_)) {
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
} else {
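Review bot: The new ValidateHostname defined on line 11 carries no comment stating its contract, and the header hunk (line 42) declares it `virtual`, so a subclass can replace the SNI check outright; the intent should be written down at the declaration. Suggested comment for the header line: `// Returns true if |hostname| is an acceptable SNI; the default accepts exactly what QuicHostnameUtils::IsValidSNI accepts. Overrides should not accept names IsValidSNI rejects: a false return makes SelectCertificate fail with SSL_TLSEXT_ERR_ALERT_FATAL.` Note also that the call on line 31 passes hostname_, the raw value from SSL_get_servername rather than the normalized form stored on lines 25-26, and the ERROR log on line 15 writes that rejected, unvalidated value verbatim, as the moved code already did; if the log sink does not escape control characters, the value is worth escaping before it is logged. SelectCertificate's body continues past the end of this hunk.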
diff --git a/quic/core/tls_server_handshaker.h b/quic/core/tls_server_handshaker.h
index 4d12bf3..c6426ce 100644
--- a/quic/core/tls_server_handshaker.h
+++ b/quic/core/tls_server_handshaker.h
@@ -156,6 +156,7 @@
TlsServerHandshaker* handshaker_;
};
+ virtual bool ValidateHostname(const std::string& hostname) const;
bool SetTransportParameters();
bool ProcessTransportParameters(std::string* error_details);