Provide a tls_connect_servername() function that has the same behaviour

as tls_connect(), however allows the name to use for verification to be explicitly provided, rather than being inferred from the host value. Requested by reyk@ ok reyk@ tedu@
author: jsing <> 2015-02-11 07:01:10 +0000
committer: jsing <> 2015-02-11 07:01:10 +0000
commit: d641e8f3aa538ca2210627d0cd491ad424b56353 (patch)
tree: c6f7f9e067233df00a99495d7e346482bb70b61e /src
parent: 18dcc969364b2ee37a91a47c36b37a6fb023fb98 (diff)
download: openbsd-d641e8f3aa538ca2210627d0cd491ad424b56353.tar.gz
openbsd-d641e8f3aa538ca2210627d0cd491ad424b56353.tar.bz2
openbsd-d641e8f3aa538ca2210627d0cd491ad424b56353.zip
4 files changed, 27 insertions, 6 deletions
diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile
index 4ae970d093..61368bccfd 100644
--- a/src/lib/libtls/Makefile
+++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.4 2015/02/07 23:45:06 reyk Exp $
+#       $OpenBSD: Makefile,v 1.5 2015/02/11 07:01:10 jsing Exp $
 CFLAGS+= -Wall -Werror -Wimplicit
 CFLAGS+= -DLIBRESSL_INTERNAL
@@ -45,6 +45,8 @@ MLINKS+=tls_init.3 tls_reset.3
 MLINKS+=tls_init.3 tls_free.3
 MLINKS+=tls_init.3 tls_close.3
 MLINKS+=tls_init.3 tls_connect.3
+MLINKS+=tls_init.3 tls_connect_fds.3
+MLINKS+=tls_init.3 tls_connect_servername.3
 MLINKS+=tls_init.3 tls_connect_socket.3
 MLINKS+=tls_init.3 tls_accept_socket.3
 MLINKS+=tls_init.3 tls_read.3
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index c266832c80..0a6f8d7258 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.6 2015/02/11 06:46:33 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.7 2015/02/11 07:01:10 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -71,6 +71,8 @@ int tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket);
 int tls_connect(struct tls *ctx, const char *host, const char *port);
 int tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
    const char *servername);
+int tls_connect_servername(struct tls *ctx, const char *host, const char *port,
+    const char *servername);
 int tls_connect_socket(struct tls *ctx, int s, const char *servername);
 int tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen);
 int tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen);
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index baa4805f57..682153ca65 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.14 2015/02/11 06:46:33 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.15 2015/02/11 07:01:10 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -83,6 +83,13 @@ tls_connect_host(struct tls *ctx, const char *host, const char *port,
 int
 tls_connect(struct tls *ctx, const char *host, const char *port)
 {
+        return tls_connect_servername(ctx, host, port, NULL);
+}
+int
+tls_connect_servername(struct tls *ctx, const char *host, const char *port,
+    const char *servername)
+{
        const char *h = NULL, *p = NULL;
        char *hs = NULL, *ps = NULL;
        int rv = -1, s = -1, ret;
@@ -128,7 +135,10 @@ tls_connect(struct tls *ctx, const char *host, const char *port)
            (s = tls_connect_host(ctx, h, p, AF_UNSPEC, AI_ADDRCONFIG)) == -1)
                goto err;
-        if (tls_connect_socket(ctx, s, h) != 0) {
+        if (servername == NULL)
+                servername = h;
+        if (tls_connect_socket(ctx, s, servername) != 0) {
                close(s);
                goto err;
        }
@@ -136,7 +146,6 @@ tls_connect(struct tls *ctx, const char *host, const char *port)
        rv = 0;
 err:
        free(hs);
        free(ps);
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index 034c125347..c1e59383c4 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.11 2015/02/11 06:46:33 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.12 2015/02/11 07:01:10 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -47,6 +47,7 @@
 .Nm tls_free ,
 .Nm tls_connect ,
 .Nm tls_connect_fds ,
+.Nm tls_connect_servername ,
 .Nm tls_connect_socket ,
 .Nm tls_accept_socket ,
 .Nm tls_read ,
@@ -112,6 +113,7 @@
 .Fn tls_connect "struct tls *ctx" "const char *host" "const char *port"
 .Ft "int"
 .Fn tls_connect_fds "struct tls *ctx" "int fd_read" "int fd_write" "const char *servername"
+.Fn tls_connect_servername "struct tls *ctx" "const char *host" "const char *port" "const char *servername"
 .Ft "int"
 .Fn tls_connect_socket "struct tls *ctx" "int s" "const char *servername"
 .Ft "int"
@@ -159,6 +161,12 @@ A client connection is initiated after configuration by calling
 .Fn tls_connect .
 This function will create a new socket, connect to the specified host and
 port, and then establish a secure connection.
+The
+.Fn tls_connect_servername
+function has the same behaviour, however the name to use for verification is
+explicitly provided, rather than being inferred from the
+.Ar host
+value.
 An already existing socket can be upgraded to a secure connection by calling
 .Fn tls_connect_socket .
 Alternatively, a secure connection can be established over a pair of existing
author	jsing <>	2015-02-11 07:01:10 +0000
committer	jsing <>	2015-02-11 07:01:10 +0000
commit	d641e8f3aa538ca2210627d0cd491ad424b56353 (patch)
tree	c6f7f9e067233df00a99495d7e346482bb70b61e /src
parent	18dcc969364b2ee37a91a47c36b37a6fb023fb98 (diff)
download	openbsd-d641e8f3aa538ca2210627d0cd491ad424b56353.tar.gz openbsd-d641e8f3aa538ca2210627d0cd491ad424b56353.tar.bz2 openbsd-d641e8f3aa538ca2210627d0cd491ad424b56353.zip