summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--lib/libtls/Makefile4
-rw-r--r--lib/libtls/tls.h4
-rw-r--r--lib/libtls/tls_client.c15
-rw-r--r--lib/libtls/tls_init.310
4 files changed, 27 insertions, 6 deletions
diff --git a/lib/libtls/Makefile b/lib/libtls/Makefile
index 4ae970d0932..61368bccfd4 100644
--- a/lib/libtls/Makefile
+++ b/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.4 2015/02/07 23:45:06 reyk Exp $
+# $OpenBSD: Makefile,v 1.5 2015/02/11 07:01:10 jsing Exp $
CFLAGS+= -Wall -Werror -Wimplicit
CFLAGS+= -DLIBRESSL_INTERNAL
@@ -45,6 +45,8 @@ MLINKS+=tls_init.3 tls_reset.3
MLINKS+=tls_init.3 tls_free.3
MLINKS+=tls_init.3 tls_close.3
MLINKS+=tls_init.3 tls_connect.3
+MLINKS+=tls_init.3 tls_connect_fds.3
+MLINKS+=tls_init.3 tls_connect_servername.3
MLINKS+=tls_init.3 tls_connect_socket.3
MLINKS+=tls_init.3 tls_accept_socket.3
MLINKS+=tls_init.3 tls_read.3
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index c266832c807..0a6f8d72584 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.6 2015/02/11 06:46:33 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.7 2015/02/11 07:01:10 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -71,6 +71,8 @@ int tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket);
int tls_connect(struct tls *ctx, const char *host, const char *port);
int tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
const char *servername);
+int tls_connect_servername(struct tls *ctx, const char *host, const char *port,
+ const char *servername);
int tls_connect_socket(struct tls *ctx, int s, const char *servername);
int tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen);
int tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen);
diff --git a/lib/libtls/tls_client.c b/lib/libtls/tls_client.c
index baa4805f572..682153ca650 100644
--- a/lib/libtls/tls_client.c
+++ b/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.14 2015/02/11 06:46:33 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.15 2015/02/11 07:01:10 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -83,6 +83,13 @@ tls_connect_host(struct tls *ctx, const char *host, const char *port,
int
tls_connect(struct tls *ctx, const char *host, const char *port)
{
+ return tls_connect_servername(ctx, host, port, NULL);
+}
+
+int
+tls_connect_servername(struct tls *ctx, const char *host, const char *port,
+ const char *servername)
+{
const char *h = NULL, *p = NULL;
char *hs = NULL, *ps = NULL;
int rv = -1, s = -1, ret;
@@ -128,7 +135,10 @@ tls_connect(struct tls *ctx, const char *host, const char *port)
(s = tls_connect_host(ctx, h, p, AF_UNSPEC, AI_ADDRCONFIG)) == -1)
goto err;
- if (tls_connect_socket(ctx, s, h) != 0) {
+ if (servername == NULL)
+ servername = h;
+
+ if (tls_connect_socket(ctx, s, servername) != 0) {
close(s);
goto err;
}
@@ -136,7 +146,6 @@ tls_connect(struct tls *ctx, const char *host, const char *port)
rv = 0;
err:
-
free(hs);
free(ps);
diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3
index 034c1253476..c1e59383c46 100644
--- a/lib/libtls/tls_init.3
+++ b/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.11 2015/02/11 06:46:33 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.12 2015/02/11 07:01:10 jsing Exp $
.\"
.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
.\"
@@ -47,6 +47,7 @@
.Nm tls_free ,
.Nm tls_connect ,
.Nm tls_connect_fds ,
+.Nm tls_connect_servername ,
.Nm tls_connect_socket ,
.Nm tls_accept_socket ,
.Nm tls_read ,
@@ -112,6 +113,7 @@
.Fn tls_connect "struct tls *ctx" "const char *host" "const char *port"
.Ft "int"
.Fn tls_connect_fds "struct tls *ctx" "int fd_read" "int fd_write" "const char *servername"
+.Fn tls_connect_servername "struct tls *ctx" "const char *host" "const char *port" "const char *servername"
.Ft "int"
.Fn tls_connect_socket "struct tls *ctx" "int s" "const char *servername"
.Ft "int"
@@ -159,6 +161,12 @@ A client connection is initiated after configuration by calling
.Fn tls_connect .
This function will create a new socket, connect to the specified host and
port, and then establish a secure connection.
+The
+.Fn tls_connect_servername
+function has the same behaviour, however the name to use for verification is
+explicitly provided, rather than being inferred from the
+.Ar host
+value.
An already existing socket can be upgraded to a secure connection by calling
.Fn tls_connect_socket .
Alternatively, a secure connection can be established over a pair of existing