6 files changed, 61 insertions, 60 deletions

diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index bd1eed559b..c266832c80 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.5 2015/02/07 23:25:37 reyk Exp $ */
+/* $OpenBSD: tls.h,v 1.6 2015/02/11 06:46:33 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -70,8 +70,8 @@ void tls_free(struct tls *ctx);
 int tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket);
 int tls_connect(struct tls *ctx, const char *host, const char *port);
 int tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
-    const char *hostname);
-int tls_connect_socket(struct tls *ctx, int s, const char *hostname);
+    const char *servername);
+int tls_connect_socket(struct tls *ctx, int s, const char *servername);
 int tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen);
 int tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen);
 int tls_close(struct tls *ctx);
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index 907c334f15..baa4805f57 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.13 2015/02/09 09:23:39 reyk Exp $ */
+/* $OpenBSD: tls_client.c,v 1.14 2015/02/11 06:46:33 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -144,16 +144,16 @@ err:
 }
 
 int
-tls_connect_socket(struct tls *ctx, int s, const char *hostname)
+tls_connect_socket(struct tls *ctx, int s, const char *servername)
 {
         ctx->socket = s;
 
-        return tls_connect_fds(ctx, s, s, hostname);
+        return tls_connect_fds(ctx, s, s, servername);
 }
 
 int
 tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
-    const char *hostname)
+    const char *servername)
 {
         union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
         X509 *cert = NULL;
@@ -180,8 +180,8 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
         if (tls_configure_ssl(ctx) != 0)
                 goto err;
 
-        if (ctx->config->verify_host) {
-                if (hostname == NULL) {
+        if (ctx->config->verify_name) {
+                if (servername == NULL) {
                         tls_set_error(ctx, "server name not specified");
                         goto err;
                 }
@@ -226,11 +226,11 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
          * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not
          * permitted in "HostName".
          */
-        if (hostname != NULL &&
-            inet_pton(AF_INET, hostname, &addrbuf) != 1 &&
-            inet_pton(AF_INET6, hostname, &addrbuf) != 1) {
-                if (SSL_set_tlsext_host_name(ctx->ssl_conn, hostname) == 0) {
-                        tls_set_error(ctx, "SNI host name failed");
+        if (servername != NULL &&
+            inet_pton(AF_INET, servername, &addrbuf) != 1 &&
+            inet_pton(AF_INET6, servername, &addrbuf) != 1) {
+                if (SSL_set_tlsext_host_name(ctx->ssl_conn, servername) == 0) {
+                        tls_set_error(ctx, "server name indication failure");
                         goto err;
                 }
         }
@@ -246,16 +246,16 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
         }
         ctx->flags &= ~TLS_CONNECTING;
 
-        if (ctx->config->verify_host) {
+        if (ctx->config->verify_name) {
                 cert = SSL_get_peer_certificate(ctx->ssl_conn);
                 if (cert == NULL) {
                         tls_set_error(ctx, "no server certificate");
                         goto err;
                 }
-                if ((ret = tls_check_hostname(ctx, cert, hostname)) != 0) {
+                if ((ret = tls_check_servername(ctx, cert, servername)) != 0) {
                         if (ret != -2)
-                                tls_set_error(ctx, "host `%s' not present in"
-                                    " server certificate", hostname);
+                                tls_set_error(ctx, "name `%s' not present in"
+                                    " server certificate", servername);
                         goto err;
                 }
         }
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 7697fa6ee8..116cde8297 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.3 2015/02/07 06:19:26 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.4 2015/02/11 06:46:33 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -208,10 +208,11 @@ tls_config_set_verify_depth(struct tls_config *config, int verify_depth)
         config->verify_depth = verify_depth;
 }
 
+/* XXX - rename to noverifyname. */
 void
 tls_config_insecure_noverifyhost(struct tls_config *config)
 {
-        config->verify_host = 0;
+        config->verify_name = 0;
 }
 
 void
@@ -223,6 +224,6 @@ tls_config_insecure_noverifycert(struct tls_config *config)
 void
 tls_config_verify(struct tls_config *config)
 {
-        config->verify_host = 1;
         config->verify_cert = 1;
+        config->verify_name = 1;
 }
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index 73234a427d..034c125347 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.10 2015/02/07 23:45:06 reyk Exp $
+.\" $OpenBSD: tls_init.3,v 1.11 2015/02/11 06:46:33 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 7 2015 $
+.Dd $Mdocdate: February 11 2015 $
 .Dt TLS 3
 .Os
 .Sh NAME
@@ -111,9 +111,9 @@
 .Ft "int"
 .Fn tls_connect "struct tls *ctx" "const char *host" "const char *port"
 .Ft "int"
-.Fn tls_connect_fds "struct tls *ctx" "int fd_read" "int fd_write" "const char *hostname"
+.Fn tls_connect_fds "struct tls *ctx" "int fd_read" "int fd_write" "const char *servername"
 .Ft "int"
-.Fn tls_connect_socket "struct tls *ctx" "int s" "const char *hostname"
+.Fn tls_connect_socket "struct tls *ctx" "int s" "const char *servername"
 .Ft "int"
 .Fn tls_accept_socket "struct tls *tls" "struct tls **cctx" "int socket"
 .Ft "int"
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index f0feddcf5b..78e6b1fe2b 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.9 2015/02/07 09:50:09 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.10 2015/02/11 06:46:33 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -41,8 +41,8 @@ struct tls_config {
         size_t key_len;
         uint32_t protocols;
         int verify_cert;
-        int verify_host;
         int verify_depth;
+        int verify_name;
 };
 
 #define TLS_CLIENT              (1 << 0)
@@ -66,7 +66,7 @@ struct tls {
 struct tls *tls_new(void);
 struct tls *tls_server_conn(struct tls *ctx);
 
-int tls_check_hostname(struct tls *ctx, X509 *cert, const char *host);
+int tls_check_servername(struct tls *ctx, X509 *cert, const char *servername);
 int tls_configure_keypair(struct tls *ctx);
 int tls_configure_server(struct tls *ctx);
 int tls_configure_ssl(struct tls *ctx);
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index 4341802b5a..c1a5387829 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.6 2014/12/17 17:51:33 doug Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.7 2015/02/11 06:46:33 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  *
@@ -26,20 +26,20 @@
 
 #include "tls_internal.h"
 
-int tls_match_hostname(const char *cert_hostname, const char *hostname);
-int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host);
-int tls_check_common_name(struct tls *ctx, X509 *cert, const char *host);
+int tls_match_name(const char *cert_name, const char *name);
+int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name);
+int tls_check_common_name(struct tls *ctx, X509 *cert, const char *name);
 
 int
-tls_match_hostname(const char *cert_hostname, const char *hostname)
+tls_match_name(const char *cert_name, const char *name)
 {
         const char *cert_domain, *domain, *next_dot;
 
-        if (strcasecmp(cert_hostname, hostname) == 0)
+        if (strcasecmp(cert_name, name) == 0)
                 return 0;
 
         /* Wildcard match? */
-        if (cert_hostname[0] == '*') {
+        if (cert_name[0] == '*') {
                 /*
                  * Valid wildcards:
                  * - "*.domain.tld"
@@ -48,7 +48,7 @@ tls_match_hostname(const char *cert_hostname, const char *hostname)
                  * Reject "*.tld".
                  * No attempt to prevent the use of eg. "*.co.uk".
                  */
-                cert_domain = &cert_hostname[1];
+                cert_domain = &cert_name[1];
                 /* Disallow "*"  */
                 if (cert_domain[0] == '\0')
                         return -1;
@@ -66,9 +66,9 @@ tls_match_hostname(const char *cert_hostname, const char *hostname)
                 if (next_dot[1] == '.')
                         return -1;
 
-                domain = strchr(hostname, '.');
+                domain = strchr(name, '.');
 
-                /* No wildcard match against a hostname with no domain part. */
+                /* No wildcard match against a name with no domain part. */
                 if (domain == NULL || strlen(domain) == 1)
                         return -1;
 
@@ -80,7 +80,7 @@ tls_match_hostname(const char *cert_hostname, const char *hostname)
 }
 
 int
-tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
+tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name)
 {
         STACK_OF(GENERAL_NAME) *altname_stack = NULL;
         union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
@@ -93,10 +93,10 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
         if (altname_stack == NULL)
                 return -1;
 
-        if (inet_pton(AF_INET, host, &addrbuf) == 1) {
+        if (inet_pton(AF_INET, name, &addrbuf) == 1) {
                 type = GEN_IPADD;
                 addrlen = 4;
-        } else if (inet_pton(AF_INET6, host, &addrbuf) == 1) {
+        } else if (inet_pton(AF_INET6, name, &addrbuf) == 1) {
                 type = GEN_IPADD;
                 addrlen = 16;
         } else {
@@ -124,15 +124,15 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
 
                                 if (len < 0 || len != strlen(data)) {
                                         tls_set_error(ctx,
-                                            "error verifying host '%s': "
+                                            "error verifying name '%s': "
                                             "NUL byte in subjectAltName, "
                                             "probably a malicious certificate",
-                                            host);
+                                            name);
                                         rv = -2;
                                         break;
                                 }
 
-                                if (tls_match_hostname(data, host) == 0) {
+                                if (tls_match_name(data, name) == 0) {
                                         rv = 0;
                                         break;
                                 }
@@ -172,20 +172,20 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
 }
 
 int
-tls_check_common_name(struct tls *ctx, X509 *cert, const char *host)
+tls_check_common_name(struct tls *ctx, X509 *cert, const char *name)
 {
-        X509_NAME *name;
+        X509_NAME *subject_name;
         char *common_name = NULL;
         int common_name_len;
         int rv = -1;
         union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
 
-        name = X509_get_subject_name(cert);
-        if (name == NULL)
+        subject_name = X509_get_subject_name(cert);
+        if (subject_name == NULL)
                 goto out;
 
-        common_name_len = X509_NAME_get_text_by_NID(name, NID_commonName,
-            NULL, 0);
+        common_name_len = X509_NAME_get_text_by_NID(subject_name,
+            NID_commonName, NULL, 0);
         if (common_name_len < 0)
                 goto out;
 
@@ -193,32 +193,32 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *host)
         if (common_name == NULL)
                 goto out;
 
-        X509_NAME_get_text_by_NID(name, NID_commonName, common_name,
+        X509_NAME_get_text_by_NID(subject_name, NID_commonName, common_name,
             common_name_len + 1);
 
         /* NUL bytes in CN? */
         if (common_name_len != strlen(common_name)) {
-                tls_set_error(ctx, "error verifying host '%s': "
+                tls_set_error(ctx, "error verifying name '%s': "
                     "NUL byte in Common Name field, "
-                    "probably a malicious certificate.", host);
+                    "probably a malicious certificate", name);
                 rv = -2;
                 goto out;
         }
 
-        if (inet_pton(AF_INET,  host, &addrbuf) == 1 ||
-            inet_pton(AF_INET6, host, &addrbuf) == 1) {
+        if (inet_pton(AF_INET,  name, &addrbuf) == 1 ||
+            inet_pton(AF_INET6, name, &addrbuf) == 1) {
                 /*
                  * We don't want to attempt wildcard matching against IP
                  * addresses, so perform a simple comparison here.
                  */
-                if (strcmp(common_name, host) == 0)
+                if (strcmp(common_name, name) == 0)
                         rv = 0;
                 else
                         rv = -1;
                 goto out;
         }
 
-        if (tls_match_hostname(common_name, host) == 0)
+        if (tls_match_name(common_name, name) == 0)
                 rv = 0;
 out:
         free(common_name);
@@ -226,13 +226,13 @@ out:
 }
 
 int
-tls_check_hostname(struct tls *ctx, X509 *cert, const char *host)
+tls_check_servername(struct tls *ctx, X509 *cert, const char *servername)
 {
         int     rv;
 
-        rv = tls_check_subject_altname(ctx, cert, host);
+        rv = tls_check_subject_altname(ctx, cert, servername);
         if (rv == 0 || rv == -2)
                 return rv;
 
-        return tls_check_common_name(ctx, cert, host);
+        return tls_check_common_name(ctx, cert, servername);
 }