summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorbcook <>2014-12-07 16:56:17 +0000
committerbcook <>2014-12-07 16:56:17 +0000
commit26bb73d6664efd39d99f8477df943507a7f03b5e (patch)
tree5c66d957212c1e16825ea92d01779555b1a78024
parentee67fae33e31b0a137774a402a100e614c3cbc9d (diff)
downloadopenbsd-26bb73d6664efd39d99f8477df943507a7f03b5e.tar.gz
openbsd-26bb73d6664efd39d99f8477df943507a7f03b5e.tar.bz2
openbsd-26bb73d6664efd39d99f8477df943507a7f03b5e.zip
Allow specific libtls hostname validation errors to propagate.
Remove direct calls to printf from the tls_check_hostname() path. This allows NUL byte error messages to bubble up to the caller, to be logged in a program-appropriate way. It also removes non-portable calls to getprogname(). ok jsing@
Diffstat
-rw-r--r--src/lib/libtls/tls_client.c9
-rw-r--r--src/lib/libtls/tls_internal.h4
-rw-r--r--src/lib/libtls/tls_verify.c35
-rw-r--r--src/regress/lib/libtls/verify/verifytest.c10
4 files changed, 34 insertions, 24 deletions
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index b851a6ecd0..43819cf0b6 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_client.c,v 1.4 2014/12/07 15:48:02 bcook Exp $ */ 1/* $OpenBSD: tls_client.c,v 1.5 2014/12/07 16:56:17 bcook Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -209,9 +209,10 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
209 tls_set_error(ctx, "no server certificate"); 209 tls_set_error(ctx, "no server certificate");
210 goto err; 210 goto err;
211 } 211 }
212 if (tls_check_hostname(cert, hostname) != 0) { 212 if ((ret = tls_check_hostname(ctx, cert, hostname)) != 0) {
213 tls_set_error(ctx, "host `%s' not present in" 213 if (ret != -2)
214 " server certificate", hostname); 214 tls_set_error(ctx, "host `%s' not present in"
215 " server certificate", hostname);
215 goto err; 216 goto err;
216 } 217 }
217 } 218 }
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index a23e63f7af..bfd7146d7d 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_internal.h,v 1.3 2014/12/07 15:48:02 bcook Exp $ */ 1/* $OpenBSD: tls_internal.h,v 1.4 2014/12/07 16:56:17 bcook Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> 3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -62,7 +62,7 @@ struct tls {
62struct tls *tls_new(void); 62struct tls *tls_new(void);
63struct tls *tls_server_conn(struct tls *ctx); 63struct tls *tls_server_conn(struct tls *ctx);
64 64
65int tls_check_hostname(X509 *cert, const char *host); 65int tls_check_hostname(struct tls *ctx, X509 *cert, const char *host);
66int tls_configure_keypair(struct tls *ctx); 66int tls_configure_keypair(struct tls *ctx);
67int tls_configure_server(struct tls *ctx); 67int tls_configure_server(struct tls *ctx);
68int tls_configure_ssl(struct tls *ctx); 68int tls_configure_ssl(struct tls *ctx);
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index ddc403fb10..697432c429 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_verify.c,v 1.4 2014/12/07 16:01:03 jsing Exp $ */ 1/* $OpenBSD: tls_verify.c,v 1.5 2014/12/07 16:56:17 bcook Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> 3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4 * 4 *
@@ -27,8 +27,8 @@
27#include "tls_internal.h" 27#include "tls_internal.h"
28 28
29int tls_match_hostname(const char *cert_hostname, const char *hostname); 29int tls_match_hostname(const char *cert_hostname, const char *hostname);
30int tls_check_subject_altname(X509 *cert, const char *host); 30int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host);
31int tls_check_common_name(X509 *cert, const char *host); 31int tls_check_common_name(struct tls *ctx, X509 *cert, const char *host);
32 32
33int 33int
34tls_match_hostname(const char *cert_hostname, const char *hostname) 34tls_match_hostname(const char *cert_hostname, const char *hostname)
@@ -80,7 +80,7 @@ tls_match_hostname(const char *cert_hostname, const char *hostname)
80} 80}
81 81
82int 82int
83tls_check_subject_altname(X509 *cert, const char *host) 83tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
84{ 84{
85 STACK_OF(GENERAL_NAME) *altname_stack = NULL; 85 STACK_OF(GENERAL_NAME) *altname_stack = NULL;
86 union { struct in_addr ip4; struct in6_addr ip6; } addrbuf; 86 union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
@@ -123,10 +123,11 @@ tls_check_subject_altname(X509 *cert, const char *host)
123 123
124 if (ASN1_STRING_length(altname->d.dNSName) != 124 if (ASN1_STRING_length(altname->d.dNSName) !=
125 (int)strlen(data)) { 125 (int)strlen(data)) {
126 fprintf(stdout, "%s: NUL byte in " 126 tls_set_error(ctx,
127 "subjectAltName, probably a " 127 "error verifying host '%s': "
128 "malicious certificate.\n", 128 "NUL byte in subjectAltName, "
129 getprogname()); 129 "probably a malicious certificate",
130 host);
130 rv = -2; 131 rv = -2;
131 break; 132 break;
132 } 133 }
@@ -135,10 +136,13 @@ tls_check_subject_altname(X509 *cert, const char *host)
135 rv = 0; 136 rv = 0;
136 break; 137 break;
137 } 138 }
138 } else 139 } else {
140#ifdef DEBUG
139 fprintf(stdout, "%s: unhandled subjectAltName " 141 fprintf(stdout, "%s: unhandled subjectAltName "
140 "dNSName encoding (%d)\n", getprogname(), 142 "dNSName encoding (%d)\n", getprogname(),
141 format); 143 format);
144#endif
145 }
142 146
143 } else if (type == GEN_IPADD) { 147 } else if (type == GEN_IPADD) {
144 unsigned char *data; 148 unsigned char *data;
@@ -160,7 +164,7 @@ tls_check_subject_altname(X509 *cert, const char *host)
160} 164}
161 165
162int 166int
163tls_check_common_name(X509 *cert, const char *host) 167tls_check_common_name(struct tls *ctx, X509 *cert, const char *host)
164{ 168{
165 X509_NAME *name; 169 X509_NAME *name;
166 char *common_name = NULL; 170 char *common_name = NULL;
@@ -186,8 +190,9 @@ tls_check_common_name(X509 *cert, const char *host)
186 190
187 /* NUL bytes in CN? */ 191 /* NUL bytes in CN? */
188 if (common_name_len != (int)strlen(common_name)) { 192 if (common_name_len != (int)strlen(common_name)) {
189 fprintf(stdout, "%s: NUL byte in Common Name field, " 193 tls_set_error(ctx, "error verifying host '%s': "
190 "probably a malicious certificate.\n", getprogname()); 194 "NUL byte in Common Name field, "
195 "probably a malicious certificate.", host);
191 rv = -2; 196 rv = -2;
192 goto out; 197 goto out;
193 } 198 }
@@ -213,13 +218,13 @@ out:
213} 218}
214 219
215int 220int
216tls_check_hostname(X509 *cert, const char *host) 221tls_check_hostname(struct tls *ctx, X509 *cert, const char *host)
217{ 222{
218 int rv; 223 int rv;
219 224
220 rv = tls_check_subject_altname(cert, host); 225 rv = tls_check_subject_altname(ctx, cert, host);
221 if (rv == 0 || rv == -2) 226 if (rv == 0 || rv == -2)
222 return rv; 227 return rv;
223 228
224 return tls_check_common_name(cert, host); 229 return tls_check_common_name(ctx, cert, host);
225} 230}
diff --git a/src/regress/lib/libtls/verify/verifytest.c b/src/regress/lib/libtls/verify/verifytest.c
index bb8b372014..81dcb90a67 100644
--- a/src/regress/lib/libtls/verify/verifytest.c
+++ b/src/regress/lib/libtls/verify/verifytest.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: verifytest.c,v 1.1 2014/11/01 11:55:27 jsing Exp $ */ 1/* $OpenBSD: verifytest.c,v 1.2 2014/12/07 16:56:17 bcook Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -20,8 +20,9 @@
20#include <stdlib.h> 20#include <stdlib.h>
21 21
22#include <openssl/x509v3.h> 22#include <openssl/x509v3.h>
23#include <tls.h>
23 24
24extern int tls_check_hostname(X509 *cert, const char *host); 25extern int tls_check_hostname(struct tls *ctx, X509 *cert, const char *host);
25 26
26struct verify_test { 27struct verify_test {
27 const char common_name[128]; 28 const char common_name[128];
@@ -162,6 +163,7 @@ do_verify_test(int test_no, struct verify_test *vt)
162 GENERAL_NAME *alt_name; 163 GENERAL_NAME *alt_name;
163 X509_NAME *name; 164 X509_NAME *name;
164 X509 *cert; 165 X509 *cert;
166 struct tls *tls;
165 167
166 /* Build certificate structure. */ 168 /* Build certificate structure. */
167 if ((cert = X509_new()) == NULL) 169 if ((cert = X509_new()) == NULL)
@@ -174,6 +176,8 @@ do_verify_test(int test_no, struct verify_test *vt)
174 if (X509_set_subject_name(cert, name) == 0) 176 if (X509_set_subject_name(cert, name) == 0)
175 errx(1, "failed to set subject name"); 177 errx(1, "failed to set subject name");
176 X509_NAME_free(name); 178 X509_NAME_free(name);
179 if ((tls = tls_client()) == NULL)
180 errx(1, "failed to malloc tls_client");
177 181
178 if (vt->alt_name_type != 0) { 182 if (vt->alt_name_type != 0) {
179 if ((alt_name_stack = sk_GENERAL_NAME_new_null()) == NULL) 183 if ((alt_name_stack = sk_GENERAL_NAME_new_null()) == NULL)
@@ -209,7 +213,7 @@ do_verify_test(int test_no, struct verify_test *vt)
209 sk_GENERAL_NAME_pop_free(alt_name_stack, GENERAL_NAME_free); 213 sk_GENERAL_NAME_pop_free(alt_name_stack, GENERAL_NAME_free);
210 } 214 }
211 215
212 if (tls_check_hostname(cert, vt->hostname) != vt->want) { 216 if (tls_check_hostname(tls, cert, vt->hostname) != vt->want) {
213 fprintf(stderr, "FAIL: test %i failed with common name " 217 fprintf(stderr, "FAIL: test %i failed with common name "
214 "'%s', alt name '%s' and hostname '%s'\n", test_no, 218 "'%s', alt name '%s' and hostname '%s'\n", test_no,
215 vt->common_name, vt->alt_name, vt->hostname); 219 vt->common_name, vt->alt_name, vt->hostname);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-23 05:44:24 +0000