| author | bcook <> | 2014-12-07 15:48:02 +0000 | 
|---|---|---|
| committer | bcook <> | 2014-12-07 15:48:02 +0000 | 
| commit | cd9aa6e67c54c989bae7409a97dfc1997ba3767f (patch) | |
| tree | c6456769d33b656c4b41c93e46127e6e910588d8 | |
| parent | b337353782d8665f6364fa0d468370c06ac96423 (diff) | |
revert previous change for now, adjusting based on comments from jsing@
| -rw-r--r-- | src/lib/libtls/tls.c | 13 | ||||
| -rw-r--r-- | src/lib/libtls/tls_client.c | 10 | ||||
| -rw-r--r-- | src/lib/libtls/tls_internal.h | 5 | ||||
| -rw-r--r-- | src/lib/libtls/tls_verify.c | 35 | 
4 files changed, 27 insertions, 36 deletions
| diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index d3bb79b3fe..6dae066922 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls.c,v 1.2 2014/12/07 15:00:32 bcook Exp $ */ | 1 | /* $OpenBSD: tls.c,v 1.3 2014/12/07 15:48:02 bcook Exp $ */ | 
| 2 | /* | 2 | /* | 
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 
| 4 | * | 4 | * | 
| @@ -56,22 +56,15 @@ tls_error(struct tls *ctx) | |||
| 56 | return ctx->errmsg; | 56 | return ctx->errmsg; | 
| 57 | } | 57 | } | 
| 58 | 58 | ||
| 59 | void | ||
| 60 | tls_clear_error(struct tls *ctx) | ||
| 61 | { | ||
| 62 | ctx->err = 0; | ||
| 63 | free(ctx->errmsg); | ||
| 64 | ctx->errmsg = NULL; | ||
| 65 | } | ||
| 66 | |||
| 67 | int | 59 | int | 
| 68 | tls_set_error(struct tls *ctx, char *fmt, ...) | 60 | tls_set_error(struct tls *ctx, char *fmt, ...) | 
| 69 | { | 61 | { | 
| 70 | va_list ap; | 62 | va_list ap; | 
| 71 | int rv; | 63 | int rv; | 
| 72 | 64 | ||
| 73 | tls_clear_error(ctx); | ||
| 74 | ctx->err = errno; | 65 | ctx->err = errno; | 
| 66 | free(ctx->errmsg); | ||
| 67 | ctx->errmsg = NULL; | ||
| 75 | 68 | ||
| 76 | va_start(ap, fmt); | 69 | va_start(ap, fmt); | 
| 77 | rv = vasprintf(&ctx->errmsg, fmt, ap); | 70 | rv = vasprintf(&ctx->errmsg, fmt, ap); | 
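Review bot: The restored free()/NULL reset on new lines 66-67 keeps ctx->errmsg sane on entry, but what happens to it when vasprintf() on line 70 fails (rv == -1) is not visible here, because the tail of tls_set_error lies outside the hunk; not every libc guarantees the output pointer is NULL on failure, and a stale pointer would be freed a second time by the next tls_set_error() call. A one-line guard after the call, `if (rv == -1) ctx->errmsg = NULL;`, removes that dependency on libc behaviour. Reading errno on line 65 before the free() is the right order, since free() is not guaranteed to preserve it.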
| diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c index c5849a6897..b851a6ecd0 100644 --- a/src/lib/libtls/tls_client.c +++ b/src/lib/libtls/tls_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_client.c,v 1.3 2014/12/07 15:00:32 bcook Exp $ */ | 1 | /* $OpenBSD: tls_client.c,v 1.4 2014/12/07 15:48:02 bcook Exp $ */ | 
| 2 | /* | 2 | /* | 
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 
| 4 | * | 4 | * | 
| @@ -209,11 +209,9 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write, | |||
| 209 | tls_set_error(ctx, "no server certificate"); | 209 | tls_set_error(ctx, "no server certificate"); | 
| 210 | goto err; | 210 | goto err; | 
| 211 | } | 211 | } | 
| 212 | tls_clear_error(ctx); | 212 | if (tls_check_hostname(cert, hostname) != 0) { | 
| 213 | if (tls_check_hostname(ctx, cert, hostname) != 0) { | 213 | tls_set_error(ctx, "host `%s' not present in" | 
| 214 | if (tls_error(ctx) == NULL) | 214 | " server certificate", hostname); | 
| 215 | tls_set_error(ctx, "host `%s' not present in" | ||
| 216 | " server certificate", hostname); | ||
| 217 | goto err; | 215 | goto err; | 
| 218 | } | 216 | } | 
| 219 | } | 217 | } | 
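Review bot: The new test on line 212 folds every non-zero result of tls_check_hostname() into "host `%s' not present in server certificate", yet tls_verify.c in this same commit returns -2 specifically for a NUL byte inside a subjectAltName or Common Name (its "probably a malicious certificate" case), so a caller reading tls_error() can no longer tell a malformed certificate from an ordinary mismatch. Keeping the return value and giving the -2 case its own message preserves that signal; `rv` needs an int declaration at the top of tls_connect_fds, which starts outside the hunk. Return values other than 0 and -2 are not visible in this commit, so the fallback branch below treats anything else as a mismatch, exactly as the current code does.
```c
	rv = tls_check_hostname(cert, hostname);
	if (rv == -2) {
		tls_set_error(ctx, "malformed name in server certificate"
		    " for host `%s'", hostname);
		goto err;
	}
	if (rv != 0) {
		tls_set_error(ctx, "host `%s' not present in"
		    " server certificate", hostname);
		goto err;
	}
```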
| diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index e6f2d4ac71..a23e63f7af 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_internal.h,v 1.2 2014/12/07 15:00:32 bcook Exp $ */ | 1 | /* $OpenBSD: tls_internal.h,v 1.3 2014/12/07 15:48:02 bcook Exp $ */ | 
| 2 | /* | 2 | /* | 
| 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 
| 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 
| @@ -62,12 +62,11 @@ struct tls { | |||
| 62 | struct tls *tls_new(void); | 62 | struct tls *tls_new(void); | 
| 63 | struct tls *tls_server_conn(struct tls *ctx); | 63 | struct tls *tls_server_conn(struct tls *ctx); | 
| 64 | 64 | ||
| 65 | int tls_check_hostname(struct tls *ctx, X509 *cert, const char *host); | 65 | int tls_check_hostname(X509 *cert, const char *host); | 
| 66 | int tls_configure_keypair(struct tls *ctx); | 66 | int tls_configure_keypair(struct tls *ctx); | 
| 67 | int tls_configure_server(struct tls *ctx); | 67 | int tls_configure_server(struct tls *ctx); | 
| 68 | int tls_configure_ssl(struct tls *ctx); | 68 | int tls_configure_ssl(struct tls *ctx); | 
| 69 | int tls_host_port(const char *hostport, char **host, char **port); | 69 | int tls_host_port(const char *hostport, char **host, char **port); | 
| 70 | void tls_clear_error(struct tls *ctx); | ||
| 71 | int tls_set_error(struct tls *ctx, char *fmt, ...); | 70 | int tls_set_error(struct tls *ctx, char *fmt, ...); | 
| 72 | 71 | ||
| 73 | #endif /* HEADER_TLS_INTERNAL_H */ | 72 | #endif /* HEADER_TLS_INTERNAL_H */ | 
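Review bot: With the tls_clear_error() prototype removed, tls_set_error() on line 70 is once more the only error-reporting entry point, yet it is declared with a non-const `char *fmt` and no format attribute, so the compiler cannot check the variadic arguments at the call sites this commit touches (tls_client.c passes hostname for a `%s`). Declaring it as `int tls_set_error(struct tls *ctx, const char *fmt, ...) __attribute__((__format__ (printf, 2, 3)));` gives -Wformat coverage for every caller; the definition in tls.c would take the matching `const char *fmt`. This is a pre-existing line rather than something the commit changed, but the revert is a natural moment to fix it.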
| diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c index 0252e20575..35a18202a9 100644 --- a/src/lib/libtls/tls_verify.c +++ b/src/lib/libtls/tls_verify.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_verify.c,v 1.2 2014/12/07 15:00:32 bcook Exp $ */ | 1 | /* $OpenBSD: tls_verify.c,v 1.3 2014/12/07 15:48:02 bcook Exp $ */ | 
| 2 | /* | 2 | /* | 
| 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 
| 4 | * | 4 | * | 
| @@ -27,8 +27,8 @@ | |||
| 27 | #include "tls_internal.h" | 27 | #include "tls_internal.h" | 
| 28 | 28 | ||
| 29 | int tls_match_hostname(const char *cert_hostname, const char *hostname); | 29 | int tls_match_hostname(const char *cert_hostname, const char *hostname); | 
| 30 | int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host); | 30 | int tls_check_subject_altname(X509 *cert, const char *host); | 
| 31 | int tls_check_common_name(struct tls *ctx, X509 *cert, const char *host); | 31 | int tls_check_common_name(X509 *cert, const char *host); | 
| 32 | 32 | ||
| 33 | int | 33 | int | 
| 34 | tls_match_hostname(const char *cert_hostname, const char *hostname) | 34 | tls_match_hostname(const char *cert_hostname, const char *hostname) | 
| @@ -80,7 +80,7 @@ tls_match_hostname(const char *cert_hostname, const char *hostname) | |||
| 80 | } | 80 | } | 
| 81 | 81 | ||
| 82 | int | 82 | int | 
| 83 | tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host) | 83 | tls_check_subject_altname(X509 *cert, const char *host) | 
| 84 | { | 84 | { | 
| 85 | STACK_OF(GENERAL_NAME) *altname_stack = NULL; | 85 | STACK_OF(GENERAL_NAME) *altname_stack = NULL; | 
| 86 | union { struct in_addr ip4; struct in6_addr ip6; } addrbuf; | 86 | union { struct in_addr ip4; struct in6_addr ip6; } addrbuf; | 
| @@ -123,11 +123,10 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host) | |||
| 123 | 123 | ||
| 124 | if (ASN1_STRING_length(altname->d.dNSName) != | 124 | if (ASN1_STRING_length(altname->d.dNSName) != | 
| 125 | (int)strlen(data)) { | 125 | (int)strlen(data)) { | 
| 126 | tls_set_error(ctx, | 126 | fprintf(stdout, "%s: NUL byte in " | 
| 127 | "error verifying host '%s': " | 127 | "subjectAltName, probably a " | 
| 128 | "NUL byte in subjectAltName, " | 128 | "malicious certificate.\n", | 
| 129 | "probably a malicious certificate", | 129 | getprogname()); | 
| 130 | host); | ||
| 131 | rv = -2; | 130 | rv = -2; | 
| 132 | break; | 131 | break; | 
| 133 | } | 132 | } | 
| @@ -136,7 +135,10 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host) | |||
| 136 | rv = 0; | 135 | rv = 0; | 
| 137 | break; | 136 | break; | 
| 138 | } | 137 | } | 
| 139 | } | 138 | } else | 
| 139 | fprintf(stdout, "%s: unhandled subjectAltName " | ||
| 140 | "dNSName encoding (%d)\n", getprogname(), | ||
| 141 | format); | ||
| 140 | 142 | ||
| 141 | } else if (type == GEN_IPADD) { | 143 | } else if (type == GEN_IPADD) { | 
| 142 | unsigned char *data; | 144 | unsigned char *data; | 
| @@ -158,7 +160,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host) | |||
| 158 | } | 160 | } | 
| 159 | 161 | ||
| 160 | int | 162 | int | 
| 161 | tls_check_common_name(struct tls *ctx, X509 *cert, const char *host) | 163 | tls_check_common_name(X509 *cert, const char *host) | 
| 162 | { | 164 | { | 
| 163 | X509_NAME *name; | 165 | X509_NAME *name; | 
| 164 | char *common_name = NULL; | 166 | char *common_name = NULL; | 
| @@ -184,9 +186,8 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *host) | |||
| 184 | 186 | ||
| 185 | /* NUL bytes in CN? */ | 187 | /* NUL bytes in CN? */ | 
| 186 | if (common_name_len != (int)strlen(common_name)) { | 188 | if (common_name_len != (int)strlen(common_name)) { | 
| 187 | tls_set_error(ctx, "error verifying host '%s': " | 189 | fprintf(stdout, "%s: NUL byte in Common Name field, " | 
| 188 | "NUL byte in Common Name field, " | 190 | "probably a malicious certificate.\n", getprogname()); | 
| 189 | "probably a malicious certificate.", host); | ||
| 190 | rv = -2; | 191 | rv = -2; | 
| 191 | goto out; | 192 | goto out; | 
| 192 | } | 193 | } | 
| @@ -212,13 +213,13 @@ out: | |||
| 212 | } | 213 | } | 
| 213 | 214 | ||
| 214 | int | 215 | int | 
| 215 | tls_check_hostname(struct tls *ctx, X509 *cert, const char *host) | 216 | tls_check_hostname(X509 *cert, const char *host) | 
| 216 | { | 217 | { | 
| 217 | int rv; | 218 | int rv; | 
| 218 | 219 | ||
| 219 | rv = tls_check_subject_altname(ctx, cert, host); | 220 | rv = tls_check_subject_altname(cert, host); | 
| 220 | if (rv == 0 || rv == -2) | 221 | if (rv == 0 || rv == -2) | 
| 221 | return rv; | 222 | return rv; | 
| 222 | 223 | ||
| 223 | return tls_check_common_name(ctx, cert, host); | 224 | return tls_check_common_name(cert, host); | 
| 224 | } | 225 | } | 
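Review bot: The reverted diagnostics on new lines 126-129, 139-141 and 189-190 have a library write straight to stdout via fprintf(stdout, ...), which interleaves the "probably a malicious certificate" warning with whatever the application emits on its own standard output and leaves tls_error() with nothing to report, since the bare -2 result is all the caller receives. The previous revision routed these through tls_set_error(ctx, ...), and the commit message says the revert is pending jsing@'s comments; until that is redone, `fprintf(stderr, ...)` at the three sites at least keeps the warning out of the data stream. The `else` branch added at lines 138-141 leaves rv unchanged and the loop continues, so as far as this hunk shows an unknown dNSName encoding is skipped rather than rejected; that looks deliberate but deserves a comment such as `/* unknown encoding: skip this SAN entry and keep searching */`.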
