-rw-r--r-- | lib/libtls/Makefile | 4 | ||||
-rw-r--r-- | lib/libtls/tls.h | 4 | ||||
-rw-r--r-- | lib/libtls/tls_config.c | 11 | ||||
-rw-r--r-- | lib/libtls/tls_init.3 | 22 | ||||
-rw-r--r-- | usr.bin/ftp/main.c | 6 | ||||
-rw-r--r-- | usr.sbin/ntpd/constraint.c | 4 | ||||
-rw-r--r-- | usr.sbin/syslogd/syslogd.c | 4 |
7 files changed, 27 insertions, 28 deletions
diff --git a/lib/libtls/Makefile b/lib/libtls/Makefile index 6baf210143b..e5434f50712 100644 --- a/lib/libtls/Makefile +++ b/lib/libtls/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.6 2015/02/15 13:33:14 jsing Exp $ +# $OpenBSD: Makefile,v 1.7 2015/02/22 15:09:54 jsing Exp $ CFLAGS+= -Wall -Werror -Wimplicit CFLAGS+= -DLIBRESSL_INTERNAL @@ -34,8 +34,8 @@ MLINKS+=tls_init.3 tls_config_set_key_mem.3 MLINKS+=tls_init.3 tls_config_set_protocols.3 MLINKS+=tls_init.3 tls_config_set_verify_depth.3 MLINKS+=tls_init.3 tls_config_clear_keys.3 -MLINKS+=tls_init.3 tls_config_insecure_noverifyhost.3 MLINKS+=tls_init.3 tls_config_insecure_noverifycert.3 +MLINKS+=tls_init.3 tls_config_insecure_noverifyname.3 MLINKS+=tls_init.3 tls_config_verify.3 MLINKS+=tls_init.3 tls_load_file.3 MLINKS+=tls_init.3 tls_client.3 diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h index 0af6194879d..071309242f5 100644 --- a/lib/libtls/tls.h +++ b/lib/libtls/tls.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.h,v 1.9 2015/02/12 04:35:17 jsing Exp $ */ +/* $OpenBSD: tls.h,v 1.10 2015/02/22 15:09:54 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -61,8 +61,8 @@ void tls_config_set_verify_depth(struct tls_config *config, int verify_depth); void tls_config_clear_keys(struct tls_config *config); int tls_config_parse_protocols(uint32_t *protocols, const char *protostr); -void tls_config_insecure_noverifyhost(struct tls_config *config); void tls_config_insecure_noverifycert(struct tls_config *config); +void tls_config_insecure_noverifyname(struct tls_config *config); void tls_config_verify(struct tls_config *config); struct tls *tls_client(void); diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c index 0b0a8120a43..4c25a793039 100644 --- a/lib/libtls/tls_config.c +++ b/lib/libtls/tls_config.c 
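Review bot: In the tls.h hunk at -61,8 the prototype `tls_config_insecure_noverifyhost` is removed outright, so any consumer other than the three callers updated in this commit stops building, and an already linked binary would lose the symbol. The diffstat lists no library version file among the seven changed files, so a shared-library major bump would have to accompany this change, unless it is made separately. If a transition period is wanted, a one-line wrapper kept in tls_config.c, `void tls_config_insecure_noverifyhost(struct tls_config *config) { tls_config_insecure_noverifyname(config); }`, would keep old callers working until they are converted.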
@@ -1,4 +1,4 @@ -/* $OpenBSD: tls_config.c,v 1.8 2015/02/22 14:59:37 jsing Exp $ */ +/* $OpenBSD: tls_config.c,v 1.9 2015/02/22 15:09:54 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -282,17 +282,16 @@ tls_config_set_verify_depth(struct tls_config *config, int verify_depth) config->verify_depth = verify_depth; } -/* XXX - rename to noverifyname. */ void -tls_config_insecure_noverifyhost(struct tls_config *config) +tls_config_insecure_noverifycert(struct tls_config *config) { - config->verify_name = 0; + config->verify_cert = 0; } void -tls_config_insecure_noverifycert(struct tls_config *config) +tls_config_insecure_noverifyname(struct tls_config *config) { - config->verify_cert = 0; + config->verify_name = 0; } void diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3 index 52220fa4496..3e888115e8f 100644 --- a/lib/libtls/tls_init.3 +++ b/lib/libtls/tls_init.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tls_init.3,v 1.17 2015/02/21 21:41:00 tedu Exp $ +.\" $OpenBSD: tls_init.3,v 1.18 2015/02/22 15:09:54 jsing Exp $ .\" .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: February 21 2015 $ +.Dd $Mdocdate: February 22 2015 $ .Dt TLS 3 .Os .Sh NAME @@ -36,8 +36,8 @@ .Nm tls_config_set_protocols , .Nm tls_config_set_verify_depth , .Nm tls_config_clear_keys , -.Nm tls_config_insecure_noverifyhost , .Nm tls_config_insecure_noverifycert , +.Nm tls_config_insecure_noverifyname , .Nm tls_config_verify , .Nm tls_load_file , .Nm tls_client , 
@@ -93,10 +93,10 @@ .Ft "void" .Fn tls_config_clear_keys "struct tls_config *config" .Ft "void" -.Fn tls_config_insecure_noverifyhost "struct tls_config *config" -.Ft "void" .Fn tls_config_insecure_noverifycert "struct tls_config *config" .Ft "void" +.Fn tls_config_insecure_noverifyname "struct tls_config *config" +.Ft "void" .Fn tls_config_verify "struct tls_config *config" .Ft "uint8_t *" .Fn tls_load_file "const char *file" "size_t *len" "char *password" @@ -289,18 +289,18 @@ Additionally, the values clears any secret keys from memory. .Em (Server) .It -.Fn tls_config_insecure_noverifyhost -disables hostname verification. -Be careful when using this option. -.Em (Client) -.It .Fn tls_config_insecure_noverifycert disables certificate verification. Be extremely careful when using this option. .Em (Client) .It +.Fn tls_config_insecure_noverifyname +disables server name verification. +Be careful when using this option. +.Em (Client) +.It .Fn tls_config_verify -reenables hostname and certificate verification. +reenables server name and certificate verification. .Em (Client) .It .Fn tls_load_file diff --git a/usr.bin/ftp/main.c b/usr.bin/ftp/main.c index b6614ef03cd..3b1bc010574 100644 --- a/usr.bin/ftp/main.c +++ b/usr.bin/ftp/main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: main.c,v 1.101 2015/02/22 14:55:41 jsing Exp $ */ +/* $OpenBSD: main.c,v 1.102 2015/02/22 15:09:54 jsing Exp $ */ /* $NetBSD: main.c,v 1.24 1997/08/18 10:20:26 lukem Exp $ */ /* @@ -347,10 +347,10 @@ main(volatile int argc, char *argv[]) errx(1, "tls ciphers failed"); break; case SSL_DONTVERIFY: - tls_config_insecure_noverifyhost( - tls_config); tls_config_insecure_noverifycert( tls_config); + tls_config_insecure_noverifyname( + tls_config); break; case SSL_DOVERIFY: tls_config_verify(tls_config); diff --git a/usr.sbin/ntpd/constraint.c b/usr.sbin/ntpd/constraint.c index c9c923e0d41..680afe16842 100644 --- a/usr.sbin/ntpd/constraint.c +++ b/usr.sbin/ntpd/constraint.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: constraint.c,v 1.5 2015/02/22 14:55:41 jsing Exp $ */ +/* $OpenBSD: constraint.c,v 1.6 2015/02/22 15:09:54 jsing Exp $ */ /* * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org> @@ -599,7 +599,7 @@ httpsdate_init(const char *hname, const char *port, const char *name, goto fail; /* XXX we have to pre-resolve, so name and host are not equal */ - tls_config_insecure_noverifyhost(httpsdate->tls_config); + tls_config_insecure_noverifyname(httpsdate->tls_config); if (ca == NULL || ca_len == 0) tls_config_insecure_noverifycert(httpsdate->tls_config); diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c index cb63f8e0dc8..5c7fbcd08bd 100644 --- a/usr.sbin/syslogd/syslogd.c +++ b/usr.sbin/syslogd/syslogd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: syslogd.c,v 1.158 2015/02/22 14:55:41 jsing Exp $ */ +/* $OpenBSD: syslogd.c,v 1.159 2015/02/22 15:09:54 jsing Exp $ */ /* * Copyright (c) 1983, 1988, 1993, 1994 @@ -518,8 +518,8 @@ main(int argc, char *argv[]) } else if ((tlsconfig = tls_config_new()) == NULL) { logerror("tls_config_new"); } else if (NoVerify) { - tls_config_insecure_noverifyhost(tlsconfig); tls_config_insecure_noverifycert(tlsconfig); + tls_config_insecure_noverifyname(tlsconfig); } else { struct stat sb; |
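Review bot: In the constraint.c hunk (httpsdate_init) the renamed call still switches off server name verification unconditionally, so any certificate that chains to the configured CA is accepted for the constraint host, whatever name it carries; when `ca == NULL` the following line drops certificate verification as well, and the HTTPS date is then unauthenticated. The XXX comment gives pre-resolution as the reason. Connecting to the resolved address while passing the original host name as the name to verify would let the check stay on, but whether the connect path used here can take that name is not visible in the hunk. Until then the comment should state the consequence, e.g. `/* XXX name check is off: any cert issued by a trusted CA is accepted for this host */`. httpsdate_init starts and ends outside the hunk.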