authorJoel Sing <jsing@cvs.openbsd.org>2015-02-11 06:46:34 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2015-02-11 06:46:34 +0000
commiteaff2c189f29079871e2d19a876f5058cca68064 (patch)
treec15f2a366d97686d433d5a2b04281430e3f714a5
parentb6ab6a8777ef3af3750bc9a314acf6e1b35ca145 (diff)
Be consistent with naming - only use "host" and "hostname" when referring
to an actual host and use "servername" when referring to the name of the TLS server that we expect to be identified in the server certificate. Likewise, rename verify_host to verify_name and use the term "name" throughout the verification code (rather than host or hostname). Requested by and ok tedu@
-rw-r--r--lib/libtls/tls.h6
-rw-r--r--lib/libtls/tls_client.c30
-rw-r--r--lib/libtls/tls_config.c7
-rw-r--r--lib/libtls/tls_init.38
-rw-r--r--lib/libtls/tls_internal.h6
-rw-r--r--lib/libtls/tls_verify.c64
6 files changed, 61 insertions, 60 deletions
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index bd1eed559b6..c266832c807 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.5 2015/02/07 23:25:37 reyk Exp $ */
+/* $OpenBSD: tls.h,v 1.6 2015/02/11 06:46:33 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -70,8 +70,8 @@ void tls_free(struct tls *ctx);
int tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket);
int tls_connect(struct tls *ctx, const char *host, const char *port);
int tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
- const char *hostname);
-int tls_connect_socket(struct tls *ctx, int s, const char *hostname);
+ const char *servername);
+int tls_connect_socket(struct tls *ctx, int s, const char *servername);
int tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen);
int tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen);
int tls_close(struct tls *ctx);
diff --git a/lib/libtls/tls_client.c b/lib/libtls/tls_client.c
index 907c334f156..baa4805f572 100644
--- a/lib/libtls/tls_client.c
+++ b/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.13 2015/02/09 09:23:39 reyk Exp $ */
+/* $OpenBSD: tls_client.c,v 1.14 2015/02/11 06:46:33 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -144,16 +144,16 @@ err:
}
int
-tls_connect_socket(struct tls *ctx, int s, const char *hostname)
+tls_connect_socket(struct tls *ctx, int s, const char *servername)
{
ctx->socket = s;
- return tls_connect_fds(ctx, s, s, hostname);
+ return tls_connect_fds(ctx, s, s, servername);
}
int
tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
- const char *hostname)
+ const char *servername)
{
union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
X509 *cert = NULL;
@@ -180,8 +180,8 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
if (tls_configure_ssl(ctx) != 0)
goto err;
- if (ctx->config->verify_host) {
- if (hostname == NULL) {
+ if (ctx->config->verify_name) {
+ if (servername == NULL) {
tls_set_error(ctx, "server name not specified");
goto err;
}
@@ -226,11 +226,11 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
* RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not
* permitted in "HostName".
*/
- if (hostname != NULL &&
- inet_pton(AF_INET, hostname, &addrbuf) != 1 &&
- inet_pton(AF_INET6, hostname, &addrbuf) != 1) {
- if (SSL_set_tlsext_host_name(ctx->ssl_conn, hostname) == 0) {
- tls_set_error(ctx, "SNI host name failed");
+ if (servername != NULL &&
+ inet_pton(AF_INET, servername, &addrbuf) != 1 &&
+ inet_pton(AF_INET6, servername, &addrbuf) != 1) {
+ if (SSL_set_tlsext_host_name(ctx->ssl_conn, servername) == 0) {
+ tls_set_error(ctx, "server name indication failure");
goto err;
}
}
@@ -246,16 +246,16 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
}
ctx->flags &= ~TLS_CONNECTING;
- if (ctx->config->verify_host) {
+ if (ctx->config->verify_name) {
cert = SSL_get_peer_certificate(ctx->ssl_conn);
if (cert == NULL) {
tls_set_error(ctx, "no server certificate");
goto err;
}
- if ((ret = tls_check_hostname(ctx, cert, hostname)) != 0) {
+ if ((ret = tls_check_servername(ctx, cert, servername)) != 0) {
if (ret != -2)
- tls_set_error(ctx, "host `%s' not present in"
- " server certificate", hostname);
+ tls_set_error(ctx, "name `%s' not present in"
+ " server certificate", servername);
goto err;
}
}
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index 7697fa6ee85..116cde8297e 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.3 2015/02/07 06:19:26 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.4 2015/02/11 06:46:33 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -208,10 +208,11 @@ tls_config_set_verify_depth(struct tls_config *config, int verify_depth)
config->verify_depth = verify_depth;
}
+/* XXX - rename to noverifyname. */
void
tls_config_insecure_noverifyhost(struct tls_config *config)
{
- config->verify_host = 0;
+ config->verify_name = 0;
}
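Review bot: The new `/* XXX - rename to noverifyname. */` note sits on tls_config_insecure_noverifyhost, which is exported API (presumably declared in tls.h, since that header is part of this change), so the note should say that the old symbol must survive as a compatibility alias when the rename happens; otherwise a consumer built against today's header breaks at link time. Suggest `/* XXX - rename to tls_config_insecure_noverifyname; keep this name as an alias for existing callers. */`.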
void
@@ -223,6 +224,6 @@ tls_config_insecure_noverifycert(struct tls_config *config)
void
tls_config_verify(struct tls_config *config)
{
- config->verify_host = 1;
config->verify_cert = 1;
+ config->verify_name = 1;
}
diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3
index 73234a427d5..034c1253476 100644
--- a/lib/libtls/tls_init.3
+++ b/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.10 2015/02/07 23:45:06 reyk Exp $
+.\" $OpenBSD: tls_init.3,v 1.11 2015/02/11 06:46:33 jsing Exp $
.\"
.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: February 7 2015 $
+.Dd $Mdocdate: February 11 2015 $
.Dt TLS 3
.Os
.Sh NAME
@@ -111,9 +111,9 @@
.Ft "int"
.Fn tls_connect "struct tls *ctx" "const char *host" "const char *port"
.Ft "int"
-.Fn tls_connect_fds "struct tls *ctx" "int fd_read" "int fd_write" "const char *hostname"
+.Fn tls_connect_fds "struct tls *ctx" "int fd_read" "int fd_write" "const char *servername"
.Ft "int"
-.Fn tls_connect_socket "struct tls *ctx" "int s" "const char *hostname"
+.Fn tls_connect_socket "struct tls *ctx" "int s" "const char *servername"
.Ft "int"
.Fn tls_accept_socket "struct tls *tls" "struct tls **cctx" "int socket"
.Ft "int"
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index f0feddcf5b9..78e6b1fe2bf 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.9 2015/02/07 09:50:09 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.10 2015/02/11 06:46:33 jsing Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -41,8 +41,8 @@ struct tls_config {
size_t key_len;
uint32_t protocols;
int verify_cert;
- int verify_host;
int verify_depth;
+ int verify_name;
};
#define TLS_CLIENT (1 << 0)
@@ -66,7 +66,7 @@ struct tls {
struct tls *tls_new(void);
struct tls *tls_server_conn(struct tls *ctx);
-int tls_check_hostname(struct tls *ctx, X509 *cert, const char *host);
+int tls_check_servername(struct tls *ctx, X509 *cert, const char *servername);
int tls_configure_keypair(struct tls *ctx);
int tls_configure_server(struct tls *ctx);
int tls_configure_ssl(struct tls *ctx);
diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c
index 4341802b5ab..c1a5387829b 100644
--- a/lib/libtls/tls_verify.c
+++ b/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.6 2014/12/17 17:51:33 doug Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.7 2015/02/11 06:46:33 jsing Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
*
@@ -26,20 +26,20 @@
#include "tls_internal.h"
-int tls_match_hostname(const char *cert_hostname, const char *hostname);
-int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host);
-int tls_check_common_name(struct tls *ctx, X509 *cert, const char *host);
+int tls_match_name(const char *cert_name, const char *name);
+int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name);
+int tls_check_common_name(struct tls *ctx, X509 *cert, const char *name);
int
-tls_match_hostname(const char *cert_hostname, const char *hostname)
+tls_match_name(const char *cert_name, const char *name)
{
const char *cert_domain, *domain, *next_dot;
- if (strcasecmp(cert_hostname, hostname) == 0)
+ if (strcasecmp(cert_name, name) == 0)
return 0;
/* Wildcard match? */
- if (cert_hostname[0] == '*') {
+ if (cert_name[0] == '*') {
/*
* Valid wildcards:
* - "*.domain.tld"
@@ -48,7 +48,7 @@ tls_match_hostname(const char *cert_hostname, const char *hostname)
* Reject "*.tld".
* No attempt to prevent the use of eg. "*.co.uk".
*/
- cert_domain = &cert_hostname[1];
+ cert_domain = &cert_name[1];
/* Disallow "*" */
if (cert_domain[0] == '\0')
return -1;
@@ -66,9 +66,9 @@ tls_match_hostname(const char *cert_hostname, const char *hostname)
if (next_dot[1] == '.')
return -1;
- domain = strchr(hostname, '.');
+ domain = strchr(name, '.');
- /* No wildcard match against a hostname with no domain part. */
+ /* No wildcard match against a name with no domain part. */
if (domain == NULL || strlen(domain) == 1)
return -1;
@@ -80,7 +80,7 @@ tls_match_hostname(const char *cert_hostname, const char *hostname)
}
int
-tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
+tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name)
{
STACK_OF(GENERAL_NAME) *altname_stack = NULL;
union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
@@ -93,10 +93,10 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
if (altname_stack == NULL)
return -1;
- if (inet_pton(AF_INET, host, &addrbuf) == 1) {
+ if (inet_pton(AF_INET, name, &addrbuf) == 1) {
type = GEN_IPADD;
addrlen = 4;
- } else if (inet_pton(AF_INET6, host, &addrbuf) == 1) {
+ } else if (inet_pton(AF_INET6, name, &addrbuf) == 1) {
type = GEN_IPADD;
addrlen = 16;
} else {
@@ -124,15 +124,15 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
if (len < 0 || len != strlen(data)) {
tls_set_error(ctx,
- "error verifying host '%s': "
+ "error verifying name '%s': "
"NUL byte in subjectAltName, "
"probably a malicious certificate",
- host);
+ name);
rv = -2;
break;
}
- if (tls_match_hostname(data, host) == 0) {
+ if (tls_match_name(data, name) == 0) {
rv = 0;
break;
}
@@ -172,20 +172,20 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
}
int
-tls_check_common_name(struct tls *ctx, X509 *cert, const char *host)
+tls_check_common_name(struct tls *ctx, X509 *cert, const char *name)
{
- X509_NAME *name;
+ X509_NAME *subject_name;
char *common_name = NULL;
int common_name_len;
int rv = -1;
union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
- name = X509_get_subject_name(cert);
- if (name == NULL)
+ subject_name = X509_get_subject_name(cert);
+ if (subject_name == NULL)
goto out;
- common_name_len = X509_NAME_get_text_by_NID(name, NID_commonName,
- NULL, 0);
+ common_name_len = X509_NAME_get_text_by_NID(subject_name,
+ NID_commonName, NULL, 0);
if (common_name_len < 0)
goto out;
@@ -193,32 +193,32 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *host)
if (common_name == NULL)
goto out;
- X509_NAME_get_text_by_NID(name, NID_commonName, common_name,
+ X509_NAME_get_text_by_NID(subject_name, NID_commonName, common_name,
common_name_len + 1);
/* NUL bytes in CN? */
if (common_name_len != strlen(common_name)) {
- tls_set_error(ctx, "error verifying host '%s': "
+ tls_set_error(ctx, "error verifying name '%s': "
"NUL byte in Common Name field, "
- "probably a malicious certificate.", host);
+ "probably a malicious certificate", name);
rv = -2;
goto out;
}
- if (inet_pton(AF_INET, host, &addrbuf) == 1 ||
- inet_pton(AF_INET6, host, &addrbuf) == 1) {
+ if (inet_pton(AF_INET, name, &addrbuf) == 1 ||
+ inet_pton(AF_INET6, name, &addrbuf) == 1) {
/*
* We don't want to attempt wildcard matching against IP
* addresses, so perform a simple comparison here.
*/
- if (strcmp(common_name, host) == 0)
+ if (strcmp(common_name, name) == 0)
rv = 0;
else
rv = -1;
goto out;
}
- if (tls_match_hostname(common_name, host) == 0)
+ if (tls_match_name(common_name, name) == 0)
rv = 0;
out:
free(common_name);
@@ -226,13 +226,13 @@ out:
}
int
-tls_check_hostname(struct tls *ctx, X509 *cert, const char *host)
+tls_check_servername(struct tls *ctx, X509 *cert, const char *servername)
{
int rv;
- rv = tls_check_subject_altname(ctx, cert, host);
+ rv = tls_check_subject_altname(ctx, cert, servername);
if (rv == 0 || rv == -2)
return rv;
- return tls_check_common_name(ctx, cert, host);
+ return tls_check_common_name(ctx, cert, servername);
}
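Review bot: tls_check_servername still consults the subject Common Name whenever tls_check_subject_altname returns -1, and from the visible code that value covers both "no subjectAltName extension" and "subjectAltName present but nothing matched", so a certificate whose SANs do not match but whose CN does is accepted. RFC 6125 section 6.4.4 says a client must not fall back to CN-ID when the certificate presents DNS-ID identifiers; this is pre-existing behaviour the rename does not change, but the renamed function is where a reader will look for the policy. If distinguishing the two cases in tls_check_subject_altname is out of scope for this commit, at least record it here: `/* XXX - falls back to CN even when SANs are present; RFC 6125 forbids this. */`.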