revert previous change for now, adjusting based on comments from jsing@

4 files changed, 27 insertions, 36 deletions

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index d3bb79b3fe..6dae066922 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.2 2014/12/07 15:00:32 bcook Exp $ */
+/* $OpenBSD: tls.c,v 1.3 2014/12/07 15:48:02 bcook Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -56,22 +56,15 @@ tls_error(struct tls *ctx)
         return ctx->errmsg;
 }
 
-void
-tls_clear_error(struct tls *ctx)
-{
-        ctx->err = 0;
-        free(ctx->errmsg);
-        ctx->errmsg = NULL;
-}
-
 int
 tls_set_error(struct tls *ctx, char *fmt, ...)
 {
         va_list ap;
         int rv;
 
-        tls_clear_error(ctx);
         ctx->err = errno;
+        free(ctx->errmsg);
+        ctx->errmsg = NULL;
 
         va_start(ap, fmt);
         rv = vasprintf(&ctx->errmsg, fmt, ap);
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index c5849a6897..b851a6ecd0 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.3 2014/12/07 15:00:32 bcook Exp $ */
+/* $OpenBSD: tls_client.c,v 1.4 2014/12/07 15:48:02 bcook Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -209,11 +209,9 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
                         tls_set_error(ctx, "no server certificate");
                         goto err;
                 }
-                tls_clear_error(ctx);
-                if (tls_check_hostname(ctx, cert, hostname) != 0) {
-                        if (tls_error(ctx) == NULL)
-                                tls_set_error(ctx, "host `%s' not present in"
-                                    " server certificate", hostname);
+                if (tls_check_hostname(cert, hostname) != 0) {
+                        tls_set_error(ctx, "host `%s' not present in"
+                            " server certificate", hostname);
                         goto err;
                 }
         }
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index e6f2d4ac71..a23e63f7af 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.2 2014/12/07 15:00:32 bcook Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.3 2014/12/07 15:48:02 bcook Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -62,12 +62,11 @@ struct tls {
 struct tls *tls_new(void);
 struct tls *tls_server_conn(struct tls *ctx);
 
-int tls_check_hostname(struct tls *ctx, X509 *cert, const char *host);
+int tls_check_hostname(X509 *cert, const char *host);
 int tls_configure_keypair(struct tls *ctx);
 int tls_configure_server(struct tls *ctx);
 int tls_configure_ssl(struct tls *ctx);
 int tls_host_port(const char *hostport, char **host, char **port);
-void tls_clear_error(struct tls *ctx);
 int tls_set_error(struct tls *ctx, char *fmt, ...);
 
 #endif /* HEADER_TLS_INTERNAL_H */
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index 0252e20575..35a18202a9 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.2 2014/12/07 15:00:32 bcook Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.3 2014/12/07 15:48:02 bcook Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  *
@@ -27,8 +27,8 @@
 #include "tls_internal.h"
 
 int tls_match_hostname(const char *cert_hostname, const char *hostname);
-int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host);
-int tls_check_common_name(struct tls *ctx, X509 *cert, const char *host);
+int tls_check_subject_altname(X509 *cert, const char *host);
+int tls_check_common_name(X509 *cert, const char *host);
 
 int
 tls_match_hostname(const char *cert_hostname, const char *hostname)
@@ -80,7 +80,7 @@ tls_match_hostname(const char *cert_hostname, const char *hostname)
 }
 
 int
-tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
+tls_check_subject_altname(X509 *cert, const char *host)
 {
         STACK_OF(GENERAL_NAME) *altname_stack = NULL;
         union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
@@ -123,11 +123,10 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
 
                                 if (ASN1_STRING_length(altname->d.dNSName) !=
                                     (int)strlen(data)) {
-                                        tls_set_error(ctx,
-                                            "error verifying host '%s': "
-                                            "NUL byte in subjectAltName, "
-                                            "probably a malicious certificate",
-                                            host);
+                                        fprintf(stdout, "%s: NUL byte in "
+                                            "subjectAltName, probably a "
+                                            "malicious certificate.\n",
+                                            getprogname());
                                         rv = -2;
                                         break;
                                 }
@@ -136,7 +135,10 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
                                         rv = 0;
                                         break;
                                 }
-                        }
+                        } else
+                                fprintf(stdout, "%s: unhandled subjectAltName "
+                                    "dNSName encoding (%d)\n", getprogname(),
+                                    format);
 
                 } else if (type == GEN_IPADD) {
                         unsigned char   *data;
@@ -158,7 +160,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
 }
 
 int
-tls_check_common_name(struct tls *ctx, X509 *cert, const char *host)
+tls_check_common_name(X509 *cert, const char *host)
 {
         X509_NAME *name;
         char *common_name = NULL;
@@ -184,9 +186,8 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *host)
 
         /* NUL bytes in CN? */
         if (common_name_len != (int)strlen(common_name)) {
-                tls_set_error(ctx, "error verifying host '%s': "
-                    "NUL byte in Common Name field, "
-                    "probably a malicious certificate.", host);
+                fprintf(stdout, "%s: NUL byte in Common Name field, "
+                    "probably a malicious certificate.\n", getprogname());
                 rv = -2;
                 goto out;
         }
@@ -212,13 +213,13 @@ out:
 }
 
 int
-tls_check_hostname(struct tls *ctx, X509 *cert, const char *host)
+tls_check_hostname(X509 *cert, const char *host)
 {
         int     rv;
 
-        rv = tls_check_subject_altname(ctx, cert, host);
+        rv = tls_check_subject_altname(cert, host);
         if (rv == 0 || rv == -2)
                 return rv;
 
-        return tls_check_common_name(ctx, cert, host);
+        return tls_check_common_name(cert, host);
 }