summaryrefslogtreecommitdiff
path: root/src/lib/libtls/tls_verify.c
diff options
context:
space:
mode:
authorbcook <>2014-12-07 16:56:17 +0000
committerbcook <>2014-12-07 16:56:17 +0000
commit26bb73d6664efd39d99f8477df943507a7f03b5e (patch)
tree5c66d957212c1e16825ea92d01779555b1a78024 /src/lib/libtls/tls_verify.c
parentee67fae33e31b0a137774a402a100e614c3cbc9d (diff)
downloadopenbsd-26bb73d6664efd39d99f8477df943507a7f03b5e.tar.gz
openbsd-26bb73d6664efd39d99f8477df943507a7f03b5e.tar.bz2
openbsd-26bb73d6664efd39d99f8477df943507a7f03b5e.zip
Allow specific libtls hostname validation errors to propagate.
Remove direct calls to printf from the tls_check_hostname() path. This allows NUL byte error messages to bubble up to the caller, to be logged in a program-appropriate way. It also removes non-portable calls to getprogname(). ok jsing@
Diffstat (limited to '')
-rw-r--r--src/lib/libtls/tls_verify.c35
1 files changed, 20 insertions, 15 deletions
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index ddc403fb10..697432c429 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_verify.c,v 1.4 2014/12/07 16:01:03 jsing Exp $ */ 1/* $OpenBSD: tls_verify.c,v 1.5 2014/12/07 16:56:17 bcook Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> 3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4 * 4 *
@@ -27,8 +27,8 @@
27#include "tls_internal.h" 27#include "tls_internal.h"
28 28
29int tls_match_hostname(const char *cert_hostname, const char *hostname); 29int tls_match_hostname(const char *cert_hostname, const char *hostname);
30int tls_check_subject_altname(X509 *cert, const char *host); 30int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host);
31int tls_check_common_name(X509 *cert, const char *host); 31int tls_check_common_name(struct tls *ctx, X509 *cert, const char *host);
32 32
33int 33int
34tls_match_hostname(const char *cert_hostname, const char *hostname) 34tls_match_hostname(const char *cert_hostname, const char *hostname)
@@ -80,7 +80,7 @@ tls_match_hostname(const char *cert_hostname, const char *hostname)
80} 80}
81 81
82int 82int
83tls_check_subject_altname(X509 *cert, const char *host) 83tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
84{ 84{
85 STACK_OF(GENERAL_NAME) *altname_stack = NULL; 85 STACK_OF(GENERAL_NAME) *altname_stack = NULL;
86 union { struct in_addr ip4; struct in6_addr ip6; } addrbuf; 86 union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
@@ -123,10 +123,11 @@ tls_check_subject_altname(X509 *cert, const char *host)
123 123
124 if (ASN1_STRING_length(altname->d.dNSName) != 124 if (ASN1_STRING_length(altname->d.dNSName) !=
125 (int)strlen(data)) { 125 (int)strlen(data)) {
126 fprintf(stdout, "%s: NUL byte in " 126 tls_set_error(ctx,
127 "subjectAltName, probably a " 127 "error verifying host '%s': "
128 "malicious certificate.\n", 128 "NUL byte in subjectAltName, "
129 getprogname()); 129 "probably a malicious certificate",
130 host);
130 rv = -2; 131 rv = -2;
131 break; 132 break;
132 } 133 }
@@ -135,10 +136,13 @@ tls_check_subject_altname(X509 *cert, const char *host)
135 rv = 0; 136 rv = 0;
136 break; 137 break;
137 } 138 }
138 } else 139 } else {
140#ifdef DEBUG
139 fprintf(stdout, "%s: unhandled subjectAltName " 141 fprintf(stdout, "%s: unhandled subjectAltName "
140 "dNSName encoding (%d)\n", getprogname(), 142 "dNSName encoding (%d)\n", getprogname(),
141 format); 143 format);
144#endif
145 }
142 146
143 } else if (type == GEN_IPADD) { 147 } else if (type == GEN_IPADD) {
144 unsigned char *data; 148 unsigned char *data;
@@ -160,7 +164,7 @@ tls_check_subject_altname(X509 *cert, const char *host)
160} 164}
161 165
162int 166int
163tls_check_common_name(X509 *cert, const char *host) 167tls_check_common_name(struct tls *ctx, X509 *cert, const char *host)
164{ 168{
165 X509_NAME *name; 169 X509_NAME *name;
166 char *common_name = NULL; 170 char *common_name = NULL;
@@ -186,8 +190,9 @@ tls_check_common_name(X509 *cert, const char *host)
186 190
187 /* NUL bytes in CN? */ 191 /* NUL bytes in CN? */
188 if (common_name_len != (int)strlen(common_name)) { 192 if (common_name_len != (int)strlen(common_name)) {
189 fprintf(stdout, "%s: NUL byte in Common Name field, " 193 tls_set_error(ctx, "error verifying host '%s': "
190 "probably a malicious certificate.\n", getprogname()); 194 "NUL byte in Common Name field, "
195 "probably a malicious certificate.", host);
191 rv = -2; 196 rv = -2;
192 goto out; 197 goto out;
193 } 198 }
@@ -213,13 +218,13 @@ out:
213} 218}
214 219
215int 220int
216tls_check_hostname(X509 *cert, const char *host) 221tls_check_hostname(struct tls *ctx, X509 *cert, const char *host)
217{ 222{
218 int rv; 223 int rv;
219 224
220 rv = tls_check_subject_altname(cert, host); 225 rv = tls_check_subject_altname(ctx, cert, host);
221 if (rv == 0 || rv == -2) 226 if (rv == 0 || rv == -2)
222 return rv; 227 return rv;
223 228
224 return tls_check_common_name(cert, host); 229 return tls_check_common_name(ctx, cert, host);
225} 230}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-24 05:15:35 +0000