diff options
author | Brent Cook <bcook@cvs.openbsd.org> | 2014-12-07 16:56:18 +0000 |
---|---|---|
committer | Brent Cook <bcook@cvs.openbsd.org> | 2014-12-07 16:56:18 +0000 |
commit | 571bb62a49e71517d028bd2a3e0fe326a5ca7413 (patch) | |
tree | 6483aa1953702030534f9a41583cc56a99e691b3 /lib/libtls | |
parent | f1560eedbdd4e71ccc23a03439eced8a9552ca29 (diff) |
Allow specific libtls hostname validation errors to propagate.
Remove direct calls to printf from the tls_check_hostname() path. This allows
NUL byte error messages to bubble up to the caller, to be logged in a
program-appropriate way. It also removes non-portable calls to getprogname().
ok jsing@
Diffstat (limited to 'lib/libtls')
-rw-r--r-- | lib/libtls/tls_client.c | 9 | ||||
-rw-r--r-- | lib/libtls/tls_internal.h | 4 | ||||
-rw-r--r-- | lib/libtls/tls_verify.c | 35 |
3 files changed, 27 insertions, 21 deletions
diff --git a/lib/libtls/tls_client.c b/lib/libtls/tls_client.c index b851a6ecd0e..43819cf0b6f 100644 --- a/lib/libtls/tls_client.c +++ b/lib/libtls/tls_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_client.c,v 1.4 2014/12/07 15:48:02 bcook Exp $ */ +/* $OpenBSD: tls_client.c,v 1.5 2014/12/07 16:56:17 bcook Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -209,9 +209,10 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write, tls_set_error(ctx, "no server certificate"); goto err; } - if (tls_check_hostname(cert, hostname) != 0) { - tls_set_error(ctx, "host `%s' not present in" - " server certificate", hostname); + if ((ret = tls_check_hostname(ctx, cert, hostname)) != 0) { + if (ret != -2) + tls_set_error(ctx, "host `%s' not present in" + " server certificate", hostname); goto err; } } diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h index a23e63f7af4..bfd7146d7d0 100644 --- a/lib/libtls/tls_internal.h +++ b/lib/libtls/tls_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_internal.h,v 1.3 2014/12/07 15:48:02 bcook Exp $ */ +/* $OpenBSD: tls_internal.h,v 1.4 2014/12/07 16:56:17 bcook Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> @@ -62,7 +62,7 @@ struct tls { struct tls *tls_new(void); struct tls *tls_server_conn(struct tls *ctx); -int tls_check_hostname(X509 *cert, const char *host); +int tls_check_hostname(struct tls *ctx, X509 *cert, const char *host); int tls_configure_keypair(struct tls *ctx); int tls_configure_server(struct tls *ctx); int tls_configure_ssl(struct tls *ctx); diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c index ddc403fb10d..697432c429b 100644 --- a/lib/libtls/tls_verify.c +++ b/lib/libtls/tls_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_verify.c,v 1.4 2014/12/07 16:01:03 jsing Exp $ */ +/* $OpenBSD: tls_verify.c,v 1.5 2014/12/07 16:56:17 bcook Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> * @@ -27,8 +27,8 @@ #include "tls_internal.h" int tls_match_hostname(const char *cert_hostname, const char *hostname); -int tls_check_subject_altname(X509 *cert, const char *host); -int tls_check_common_name(X509 *cert, const char *host); +int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host); +int tls_check_common_name(struct tls *ctx, X509 *cert, const char *host); int tls_match_hostname(const char *cert_hostname, const char *hostname) @@ -80,7 +80,7 @@ tls_match_hostname(const char *cert_hostname, const char *hostname) } int -tls_check_subject_altname(X509 *cert, const char *host) +tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host) { STACK_OF(GENERAL_NAME) *altname_stack = NULL; union { struct in_addr ip4; struct in6_addr ip6; } addrbuf; @@ -123,10 +123,11 @@ tls_check_subject_altname(X509 *cert, const char *host) if (ASN1_STRING_length(altname->d.dNSName) != (int)strlen(data)) { - fprintf(stdout, "%s: NUL byte in " - "subjectAltName, probably a " - "malicious certificate.\n", - getprogname()); + tls_set_error(ctx, + "error verifying host '%s': " + "NUL byte in subjectAltName, " + "probably a malicious certificate", + host); rv = -2; break; } @@ -135,10 +136,13 @@ tls_check_subject_altname(X509 *cert, const char *host) rv = 0; break; } - } else + } else { +#ifdef DEBUG fprintf(stdout, "%s: unhandled subjectAltName " "dNSName encoding (%d)\n", getprogname(), format); +#endif + } } else if (type == GEN_IPADD) { unsigned char *data; @@ -160,7 +164,7 @@ tls_check_subject_altname(X509 *cert, const char *host) } int -tls_check_common_name(X509 *cert, const char *host) +tls_check_common_name(struct tls *ctx, X509 *cert, const char *host) { X509_NAME *name; char *common_name = NULL; @@ -186,8 +190,9 @@ tls_check_common_name(X509 *cert, const char *host) /* NUL bytes in CN? */ if (common_name_len != (int)strlen(common_name)) { - fprintf(stdout, "%s: NUL byte in Common Name field, " - "probably a malicious certificate.\n", getprogname()); + tls_set_error(ctx, "error verifying host '%s': " + "NUL byte in Common Name field, " + "probably a malicious certificate.", host); rv = -2; goto out; } @@ -213,13 +218,13 @@ out: } int -tls_check_hostname(X509 *cert, const char *host) +tls_check_hostname(struct tls *ctx, X509 *cert, const char *host) { int rv; - rv = tls_check_subject_altname(cert, host); + rv = tls_check_subject_altname(ctx, cert, host); if (rv == 0 || rv == -2) return rv; - return tls_check_common_name(cert, host); + return tls_check_common_name(ctx, cert, host); } |