author | Joel Sing <jsing@cvs.openbsd.org> | 2015-02-11 07:01:11 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2015-02-11 07:01:11 +0000 |
commit | 0980b0a5576b31b8beebf58ba89e9c93653d6e32 (patch) | |
tree | 4deff15a488d0af53b81d903c321cd4d7f29e482 /lib | |
parent | eaff2c189f29079871e2d19a876f5058cca68064 (diff) |
Provide a tls_connect_servername() function that has the same behaviour
as tls_connect(), but allows the name to use for verification to be
explicitly provided, rather than being inferred from the host value.
Requested by reyk@
ok reyk@ tedu@
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libtls/Makefile | 4 | ||||
-rw-r--r-- | lib/libtls/tls.h | 4 | ||||
-rw-r--r-- | lib/libtls/tls_client.c | 15 | ||||
-rw-r--r-- | lib/libtls/tls_init.3 | 10 |
4 files changed, 27 insertions, 6 deletions
diff --git a/lib/libtls/Makefile b/lib/libtls/Makefile
index 4ae970d0932..61368bccfd4 100644
--- a/lib/libtls/Makefile
+++ b/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.4 2015/02/07 23:45:06 reyk Exp $
+# $OpenBSD: Makefile,v 1.5 2015/02/11 07:01:10 jsing Exp $
 CFLAGS+= -Wall -Werror -Wimplicit
 CFLAGS+= -DLIBRESSL_INTERNAL
@@ -45,6 +45,8 @@ MLINKS+=tls_init.3 tls_reset.3
 MLINKS+=tls_init.3 tls_free.3
 MLINKS+=tls_init.3 tls_close.3
 MLINKS+=tls_init.3 tls_connect.3
+MLINKS+=tls_init.3 tls_connect_fds.3
+MLINKS+=tls_init.3 tls_connect_servername.3
 MLINKS+=tls_init.3 tls_connect_socket.3
 MLINKS+=tls_init.3 tls_accept_socket.3
 MLINKS+=tls_init.3 tls_read.3
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index c266832c807..0a6f8d72584 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.6 2015/02/11 06:46:33 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.7 2015/02/11 07:01:10 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -71,6 +71,8 @@ int tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket);
 int tls_connect(struct tls *ctx, const char *host, const char *port);
 int tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
 const char *servername);
+int tls_connect_servername(struct tls *ctx, const char *host, const char *port,
+ const char *servername);
 int tls_connect_socket(struct tls *ctx, int s, const char *servername);
 int tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen);
 int tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen);
diff --git a/lib/libtls/tls_client.c b/lib/libtls/tls_client.c
index baa4805f572..682153ca650 100644
--- a/lib/libtls/tls_client.c
+++ b/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.14 2015/02/11 06:46:33 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.15 2015/02/11 07:01:10 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -83,6 +83,13 @@ tls_connect_host(struct tls *ctx, const char *host, const char *port,
 int
 tls_connect(struct tls *ctx, const char *host, const char *port)
 {
+ return tls_connect_servername(ctx, host, port, NULL);
+}
+
+int
+tls_connect_servername(struct tls *ctx, const char *host, const char *port,
+ const char *servername)
+{
 const char *h = NULL, *p = NULL;
 char *hs = NULL, *ps = NULL;
 int rv = -1, s = -1, ret;
@@ -128,7 +135,10 @@ tls_connect(struct tls *ctx, const char *host, const char *port)
 (s = tls_connect_host(ctx, h, p, AF_UNSPEC, AI_ADDRCONFIG)) == -1)
 goto err;
- if (tls_connect_socket(ctx, s, h) != 0) {
+ if (servername == NULL)
+ servername = h;
+
+ if (tls_connect_socket(ctx, s, servername) != 0) {
 close(s);
 goto err;
 }
@@ -136,7 +146,6 @@ tls_connect(struct tls *ctx, const char *host, const char *port)
 rv = 0;
 err:
-
 free(hs);
 free(ps);
diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3
index 034c1253476..c1e59383c46 100644
--- a/lib/libtls/tls_init.3
+++ b/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.11 2015/02/11 06:46:33 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.12 2015/02/11 07:01:10 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -47,6 +47,7 @@
 .Nm tls_free ,
 .Nm tls_connect ,
 .Nm tls_connect_fds ,
+.Nm tls_connect_servername ,
 .Nm tls_connect_socket ,
 .Nm tls_accept_socket ,
 .Nm tls_read ,
@@ -112,6 +113,7 @@
 .Fn tls_connect "struct tls *ctx" "const char *host" "const char *port"
 .Ft "int"
 .Fn tls_connect_fds "struct tls *ctx" "int fd_read" "int fd_write" "const char *servername"
+.Fn tls_connect_servername "struct tls *ctx" "const char *host" "const char *port" "const char *servername"
 .Ft "int"
 .Fn tls_connect_socket "struct tls *ctx" "int s" "const char *servername"
 .Ft "int"
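Review bot: The `servername == NULL` fallback in the second tls_client.c hunk silently substitutes the parsed connect host `h` as the name used for SNI and certificate verification, and nothing in the new function says so; a caller of the new API who passes NULL gets a name check against whatever `host` parsed to (possibly an IP literal, unless tls_connect_socket special-cases those, which is not visible here), while a caller expecting no fallback may be surprised that one exists. Add a comment above the fallback, e.g. `/* No explicit servername: verify against the host we connected to. */`, and state in the tls.h prototype and tls_init.3 that NULL means "use host". Since `h` may point into `hs`, which is freed at `err:` right after the call, the fallback is only safe if tls_connect_socket does not retain the `servername` pointer beyond its return; worth confirming against that function. The body of tls_connect_servername begins in the first hunk and continues outside it.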
@@ -159,6 +161,12 @@ A client connection is initiated after configuration by calling .Fn tls_connect . This function will create a new socket, connect to the specified host and port, and then establish a secure connection. +The +.Fn tls_connect_servername +function has the same behaviour, however the name to use for verification is +explicitly provided, rather than being inferred from the +.Ar host +value. An already existing socket can be upgraded to a secure connection by calling .Fn tls_connect_socket . Alternatively, a secure connection can be established over a pair of existing |