server: restore exact comparison of SNI values

2021-04-19 22:34:31 +02:00 · 2021-04-19 22:34:31 +02:00 · 1ce0d9886d
parent d9f17b1e6b
commit 1ce0d9886d
1 changed files with 17 additions and 2 deletions
--- a/rustls/src/server/hs.rs
+++ b/rustls/src/server/hs.rs
@ -72,7 +72,22 @@ pub fn can_resume(
    // establish a new session."
    resumedata.cipher_suite == suite.suite
        && (resumedata.extended_ms == using_ems || (resumedata.extended_ms && !using_ems))
-        && &resumedata.sni == sni
+        && sni_exact_eq(&resumedata.sni, &sni)
+}
+
+/// Exactly compare `DnsName` values
+///
+/// webpki compares `DnsName`s case-insensitively, but for the purpose of comparing SNI values
+/// from resumption to current handshake or HelloRetryRequest to ServerHello, we need an exact
+/// comparison.
+pub(super) fn sni_exact_eq(a: &Option<webpki::DnsName>, b: &Option<webpki::DnsName>) -> bool {
+    let a = a
+        .as_ref()
+        .map(|sni| <webpki::DnsName as AsRef<str>>::as_ref(sni));
+    let b = b
+        .as_ref()
+        .map(|sni| <webpki::DnsName as AsRef<str>>::as_ref(sni));
+    a == b
 }

 #[derive(Default)]
@ -369,7 +384,7 @@ impl State for ExpectClientHello {
            // The SNI hostname is immutable once set.
            assert!(conn.sni.is_none());
            conn.sni = Some(sni.clone());
-        } else if conn.sni != sni {
+        } else if !sni_exact_eq(&conn.sni, &sni) {
            return Err(Error::PeerIncompatibleError(
                "SNI differed on retry".to_string(),
            ));