summaryrefslogtreecommitdiff
path: root/lib/libtls
diff options
context:
space:
mode:
authorBrent Cook <bcook@cvs.openbsd.org>2014-12-07 16:56:18 +0000
committerBrent Cook <bcook@cvs.openbsd.org>2014-12-07 16:56:18 +0000
commit571bb62a49e71517d028bd2a3e0fe326a5ca7413 (patch)
tree6483aa1953702030534f9a41583cc56a99e691b3 /lib/libtls
parentf1560eedbdd4e71ccc23a03439eced8a9552ca29 (diff)
Allow specific libtls hostname validation errors to propagate.
Remove direct calls to printf from the tls_check_hostname() path. This allows NUL byte error messages to bubble up to the caller, to be logged in a program-appropriate way. It also removes non-portable calls to getprogname(). ok jsing@
Diffstat (limited to 'lib/libtls')
-rw-r--r--lib/libtls/tls_client.c9
-rw-r--r--lib/libtls/tls_internal.h4
-rw-r--r--lib/libtls/tls_verify.c35
3 files changed, 27 insertions, 21 deletions
diff --git a/lib/libtls/tls_client.c b/lib/libtls/tls_client.c
index b851a6ecd0e..43819cf0b6f 100644
--- a/lib/libtls/tls_client.c
+++ b/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.4 2014/12/07 15:48:02 bcook Exp $ */
+/* $OpenBSD: tls_client.c,v 1.5 2014/12/07 16:56:17 bcook Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -209,9 +209,10 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
tls_set_error(ctx, "no server certificate");
goto err;
}
- if (tls_check_hostname(cert, hostname) != 0) {
- tls_set_error(ctx, "host `%s' not present in"
- " server certificate", hostname);
+ if ((ret = tls_check_hostname(ctx, cert, hostname)) != 0) {
+ if (ret != -2)
+ tls_set_error(ctx, "host `%s' not present in"
+ " server certificate", hostname);
goto err;
}
}
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index a23e63f7af4..bfd7146d7d0 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.3 2014/12/07 15:48:02 bcook Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.4 2014/12/07 16:56:17 bcook Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -62,7 +62,7 @@ struct tls {
struct tls *tls_new(void);
struct tls *tls_server_conn(struct tls *ctx);
-int tls_check_hostname(X509 *cert, const char *host);
+int tls_check_hostname(struct tls *ctx, X509 *cert, const char *host);
int tls_configure_keypair(struct tls *ctx);
int tls_configure_server(struct tls *ctx);
int tls_configure_ssl(struct tls *ctx);
diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c
index ddc403fb10d..697432c429b 100644
--- a/lib/libtls/tls_verify.c
+++ b/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.4 2014/12/07 16:01:03 jsing Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.5 2014/12/07 16:56:17 bcook Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
*
@@ -27,8 +27,8 @@
#include "tls_internal.h"
int tls_match_hostname(const char *cert_hostname, const char *hostname);
-int tls_check_subject_altname(X509 *cert, const char *host);
-int tls_check_common_name(X509 *cert, const char *host);
+int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host);
+int tls_check_common_name(struct tls *ctx, X509 *cert, const char *host);
int
tls_match_hostname(const char *cert_hostname, const char *hostname)
@@ -80,7 +80,7 @@ tls_match_hostname(const char *cert_hostname, const char *hostname)
}
int
-tls_check_subject_altname(X509 *cert, const char *host)
+tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
{
STACK_OF(GENERAL_NAME) *altname_stack = NULL;
union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
@@ -123,10 +123,11 @@ tls_check_subject_altname(X509 *cert, const char *host)
if (ASN1_STRING_length(altname->d.dNSName) !=
(int)strlen(data)) {
- fprintf(stdout, "%s: NUL byte in "
- "subjectAltName, probably a "
- "malicious certificate.\n",
- getprogname());
+ tls_set_error(ctx,
+ "error verifying host '%s': "
+ "NUL byte in subjectAltName, "
+ "probably a malicious certificate",
+ host);
rv = -2;
break;
}
@@ -135,10 +136,13 @@ tls_check_subject_altname(X509 *cert, const char *host)
rv = 0;
break;
}
- } else
+ } else {
+#ifdef DEBUG
fprintf(stdout, "%s: unhandled subjectAltName "
"dNSName encoding (%d)\n", getprogname(),
format);
+#endif
+ }
} else if (type == GEN_IPADD) {
unsigned char *data;
@@ -160,7 +164,7 @@ tls_check_subject_altname(X509 *cert, const char *host)
}
int
-tls_check_common_name(X509 *cert, const char *host)
+tls_check_common_name(struct tls *ctx, X509 *cert, const char *host)
{
X509_NAME *name;
char *common_name = NULL;
@@ -186,8 +190,9 @@ tls_check_common_name(X509 *cert, const char *host)
/* NUL bytes in CN? */
if (common_name_len != (int)strlen(common_name)) {
- fprintf(stdout, "%s: NUL byte in Common Name field, "
- "probably a malicious certificate.\n", getprogname());
+ tls_set_error(ctx, "error verifying host '%s': "
+ "NUL byte in Common Name field, "
+ "probably a malicious certificate.", host);
rv = -2;
goto out;
}
@@ -213,13 +218,13 @@ out:
}
int
-tls_check_hostname(X509 *cert, const char *host)
+tls_check_hostname(struct tls *ctx, X509 *cert, const char *host)
{
int rv;
- rv = tls_check_subject_altname(cert, host);
+ rv = tls_check_subject_altname(ctx, cert, host);
if (rv == 0 || rv == -2)
return rv;
- return tls_check_common_name(cert, host);
+ return tls_check_common_name(ctx, cert, host);
}