revert previous change for now, adjusting based on comments from jsing@

author: bcook <> 2014-12-07 15:48:02 +0000
committer: bcook <> 2014-12-07 15:48:02 +0000
commit: 2a5c8a2aac92f6b7274d00080eb7e865b9d4ff56 (patch)
tree: c6456769d33b656c4b41c93e46127e6e910588d8 /src/lib/libtls/tls_verify.c
parent: 779d36f71d8c3200b1259a34322fa222e3b651ef (diff)
download: openbsd-2a5c8a2aac92f6b7274d00080eb7e865b9d4ff56.tar.gz
openbsd-2a5c8a2aac92f6b7274d00080eb7e865b9d4ff56.tar.bz2
openbsd-2a5c8a2aac92f6b7274d00080eb7e865b9d4ff56.zip
1 files changed, 18 insertions, 17 deletions
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index 0252e20575..35a18202a9 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.2 2014/12/07 15:00:32 bcook Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.3 2014/12/07 15:48:02 bcook Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 *
@@ -27,8 +27,8 @@
 #include "tls_internal.h"
 int tls_match_hostname(const char *cert_hostname, const char *hostname);
-int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host);
+int tls_check_subject_altname(X509 *cert, const char *host);
-int tls_check_common_name(struct tls *ctx, X509 *cert, const char *host);
+int tls_check_common_name(X509 *cert, const char *host);
 int
 tls_match_hostname(const char *cert_hostname, const char *hostname)
@@ -80,7 +80,7 @@ tls_match_hostname(const char *cert_hostname, const char *hostname)
 }
 int
-tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
+tls_check_subject_altname(X509 *cert, const char *host)
 {
        STACK_OF(GENERAL_NAME) *altname_stack = NULL;
        union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
@@ -123,11 +123,10 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
                                if (ASN1_STRING_length(altname->d.dNSName) !=
                                    (int)strlen(data)) {
-                                        tls_set_error(ctx,
+                                        fprintf(stdout, "%s: NUL byte in "
-                                            "error verifying host '%s': "
+                                            "subjectAltName, probably a "
-                                            "NUL byte in subjectAltName, "
+                                            "malicious certificate.\n",
-                                            "probably a malicious certificate",
+                                            getprogname());
-                                            host);
                                        rv = -2;
                                        break;
                                }
@@ -136,7 +135,10 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
                                        rv = 0;
                                        break;
                                }
-                        }
+                        } else
+                                fprintf(stdout, "%s: unhandled subjectAltName "
+                                    "dNSName encoding (%d)\n", getprogname(),
+                                    format);
                } else if (type == GEN_IPADD) {
                        unsigned char   *data;
@@ -158,7 +160,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
 }
 int
-tls_check_common_name(struct tls *ctx, X509 *cert, const char *host)
+tls_check_common_name(X509 *cert, const char *host)
 {
        X509_NAME *name;
        char *common_name = NULL;
@@ -184,9 +186,8 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *host)
        /* NUL bytes in CN? */
        if (common_name_len != (int)strlen(common_name)) {
-                tls_set_error(ctx, "error verifying host '%s': "
+                fprintf(stdout, "%s: NUL byte in Common Name field, "
-                    "NUL byte in Common Name field, "
+                    "probably a malicious certificate.\n", getprogname());
-                    "probably a malicious certificate.", host);
                rv = -2;
                goto out;
        }
@@ -212,13 +213,13 @@ out:
 }
 int
-tls_check_hostname(struct tls *ctx, X509 *cert, const char *host)
+tls_check_hostname(X509 *cert, const char *host)
 {
        int     rv;
-        rv = tls_check_subject_altname(ctx, cert, host);
+        rv = tls_check_subject_altname(cert, host);
        if (rv == 0 || rv == -2)
                return rv;
-        return tls_check_common_name(ctx, cert, host);
+        return tls_check_common_name(cert, host);
 }
author	bcook <>	2014-12-07 15:48:02 +0000
committer	bcook <>	2014-12-07 15:48:02 +0000
commit	2a5c8a2aac92f6b7274d00080eb7e865b9d4ff56 (patch)
tree	c6456769d33b656c4b41c93e46127e6e910588d8 /src/lib/libtls/tls_verify.c
parent	779d36f71d8c3200b1259a34322fa222e3b651ef (diff)
download	openbsd-2a5c8a2aac92f6b7274d00080eb7e865b9d4ff56.tar.gz openbsd-2a5c8a2aac92f6b7274d00080eb7e865b9d4ff56.tar.bz2 openbsd-2a5c8a2aac92f6b7274d00080eb7e865b9d4ff56.zip