summaryrefslogtreecommitdiff
path: root/src/lib/libtls
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libtls')
-rw-r--r--src/lib/libtls/tls.h6
-rw-r--r--src/lib/libtls/tls_client.c30
-rw-r--r--src/lib/libtls/tls_config.c7
-rw-r--r--src/lib/libtls/tls_init.38
-rw-r--r--src/lib/libtls/tls_internal.h6
-rw-r--r--src/lib/libtls/tls_verify.c64
6 files changed, 61 insertions, 60 deletions
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index bd1eed559b..c266832c80 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls.h,v 1.5 2015/02/07 23:25:37 reyk Exp $ */ 1/* $OpenBSD: tls.h,v 1.6 2015/02/11 06:46:33 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -70,8 +70,8 @@ void tls_free(struct tls *ctx);
70int tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket); 70int tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket);
71int tls_connect(struct tls *ctx, const char *host, const char *port); 71int tls_connect(struct tls *ctx, const char *host, const char *port);
72int tls_connect_fds(struct tls *ctx, int fd_read, int fd_write, 72int tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
73 const char *hostname); 73 const char *servername);
74int tls_connect_socket(struct tls *ctx, int s, const char *hostname); 74int tls_connect_socket(struct tls *ctx, int s, const char *servername);
75int tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen); 75int tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen);
76int tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen); 76int tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen);
77int tls_close(struct tls *ctx); 77int tls_close(struct tls *ctx);
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index 907c334f15..baa4805f57 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_client.c,v 1.13 2015/02/09 09:23:39 reyk Exp $ */ 1/* $OpenBSD: tls_client.c,v 1.14 2015/02/11 06:46:33 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -144,16 +144,16 @@ err:
144} 144}
145 145
146int 146int
147tls_connect_socket(struct tls *ctx, int s, const char *hostname) 147tls_connect_socket(struct tls *ctx, int s, const char *servername)
148{ 148{
149 ctx->socket = s; 149 ctx->socket = s;
150 150
151 return tls_connect_fds(ctx, s, s, hostname); 151 return tls_connect_fds(ctx, s, s, servername);
152} 152}
153 153
154int 154int
155tls_connect_fds(struct tls *ctx, int fd_read, int fd_write, 155tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
156 const char *hostname) 156 const char *servername)
157{ 157{
158 union { struct in_addr ip4; struct in6_addr ip6; } addrbuf; 158 union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
159 X509 *cert = NULL; 159 X509 *cert = NULL;
@@ -180,8 +180,8 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
180 if (tls_configure_ssl(ctx) != 0) 180 if (tls_configure_ssl(ctx) != 0)
181 goto err; 181 goto err;
182 182
183 if (ctx->config->verify_host) { 183 if (ctx->config->verify_name) {
184 if (hostname == NULL) { 184 if (servername == NULL) {
185 tls_set_error(ctx, "server name not specified"); 185 tls_set_error(ctx, "server name not specified");
186 goto err; 186 goto err;
187 } 187 }
@@ -226,11 +226,11 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
226 * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not 226 * RFC4366 (SNI): Literal IPv4 and IPv6 addresses are not
227 * permitted in "HostName". 227 * permitted in "HostName".
228 */ 228 */
229 if (hostname != NULL && 229 if (servername != NULL &&
230 inet_pton(AF_INET, hostname, &addrbuf) != 1 && 230 inet_pton(AF_INET, servername, &addrbuf) != 1 &&
231 inet_pton(AF_INET6, hostname, &addrbuf) != 1) { 231 inet_pton(AF_INET6, servername, &addrbuf) != 1) {
232 if (SSL_set_tlsext_host_name(ctx->ssl_conn, hostname) == 0) { 232 if (SSL_set_tlsext_host_name(ctx->ssl_conn, servername) == 0) {
233 tls_set_error(ctx, "SNI host name failed"); 233 tls_set_error(ctx, "server name indication failure");
234 goto err; 234 goto err;
235 } 235 }
236 } 236 }
@@ -246,16 +246,16 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
246 } 246 }
247 ctx->flags &= ~TLS_CONNECTING; 247 ctx->flags &= ~TLS_CONNECTING;
248 248
249 if (ctx->config->verify_host) { 249 if (ctx->config->verify_name) {
250 cert = SSL_get_peer_certificate(ctx->ssl_conn); 250 cert = SSL_get_peer_certificate(ctx->ssl_conn);
251 if (cert == NULL) { 251 if (cert == NULL) {
252 tls_set_error(ctx, "no server certificate"); 252 tls_set_error(ctx, "no server certificate");
253 goto err; 253 goto err;
254 } 254 }
255 if ((ret = tls_check_hostname(ctx, cert, hostname)) != 0) { 255 if ((ret = tls_check_servername(ctx, cert, servername)) != 0) {
256 if (ret != -2) 256 if (ret != -2)
257 tls_set_error(ctx, "host `%s' not present in" 257 tls_set_error(ctx, "name `%s' not present in"
258 " server certificate", hostname); 258 " server certificate", servername);
259 goto err; 259 goto err;
260 } 260 }
261 } 261 }
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 7697fa6ee8..116cde8297 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_config.c,v 1.3 2015/02/07 06:19:26 jsing Exp $ */ 1/* $OpenBSD: tls_config.c,v 1.4 2015/02/11 06:46:33 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -208,10 +208,11 @@ tls_config_set_verify_depth(struct tls_config *config, int verify_depth)
208 config->verify_depth = verify_depth; 208 config->verify_depth = verify_depth;
209} 209}
210 210
211/* XXX - rename to noverifyname. */
211void 212void
212tls_config_insecure_noverifyhost(struct tls_config *config) 213tls_config_insecure_noverifyhost(struct tls_config *config)
213{ 214{
214 config->verify_host = 0; 215 config->verify_name = 0;
215} 216}
216 217
217void 218void
@@ -223,6 +224,6 @@ tls_config_insecure_noverifycert(struct tls_config *config)
223void 224void
224tls_config_verify(struct tls_config *config) 225tls_config_verify(struct tls_config *config)
225{ 226{
226 config->verify_host = 1;
227 config->verify_cert = 1; 227 config->verify_cert = 1;
228 config->verify_name = 1;
228} 229}
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index 73234a427d..034c125347 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
1.\" $OpenBSD: tls_init.3,v 1.10 2015/02/07 23:45:06 reyk Exp $ 1.\" $OpenBSD: tls_init.3,v 1.11 2015/02/11 06:46:33 jsing Exp $
2.\" 2.\"
3.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> 3.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4.\" 4.\"
@@ -14,7 +14,7 @@
14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16.\" 16.\"
17.Dd $Mdocdate: February 7 2015 $ 17.Dd $Mdocdate: February 11 2015 $
18.Dt TLS 3 18.Dt TLS 3
19.Os 19.Os
20.Sh NAME 20.Sh NAME
@@ -111,9 +111,9 @@
111.Ft "int" 111.Ft "int"
112.Fn tls_connect "struct tls *ctx" "const char *host" "const char *port" 112.Fn tls_connect "struct tls *ctx" "const char *host" "const char *port"
113.Ft "int" 113.Ft "int"
114.Fn tls_connect_fds "struct tls *ctx" "int fd_read" "int fd_write" "const char *hostname" 114.Fn tls_connect_fds "struct tls *ctx" "int fd_read" "int fd_write" "const char *servername"
115.Ft "int" 115.Ft "int"
116.Fn tls_connect_socket "struct tls *ctx" "int s" "const char *hostname" 116.Fn tls_connect_socket "struct tls *ctx" "int s" "const char *servername"
117.Ft "int" 117.Ft "int"
118.Fn tls_accept_socket "struct tls *tls" "struct tls **cctx" "int socket" 118.Fn tls_accept_socket "struct tls *tls" "struct tls **cctx" "int socket"
119.Ft "int" 119.Ft "int"
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index f0feddcf5b..78e6b1fe2b 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_internal.h,v 1.9 2015/02/07 09:50:09 jsing Exp $ */ 1/* $OpenBSD: tls_internal.h,v 1.10 2015/02/11 06:46:33 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> 3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -41,8 +41,8 @@ struct tls_config {
41 size_t key_len; 41 size_t key_len;
42 uint32_t protocols; 42 uint32_t protocols;
43 int verify_cert; 43 int verify_cert;
44 int verify_host;
45 int verify_depth; 44 int verify_depth;
45 int verify_name;
46}; 46};
47 47
48#define TLS_CLIENT (1 << 0) 48#define TLS_CLIENT (1 << 0)
@@ -66,7 +66,7 @@ struct tls {
66struct tls *tls_new(void); 66struct tls *tls_new(void);
67struct tls *tls_server_conn(struct tls *ctx); 67struct tls *tls_server_conn(struct tls *ctx);
68 68
69int tls_check_hostname(struct tls *ctx, X509 *cert, const char *host); 69int tls_check_servername(struct tls *ctx, X509 *cert, const char *servername);
70int tls_configure_keypair(struct tls *ctx); 70int tls_configure_keypair(struct tls *ctx);
71int tls_configure_server(struct tls *ctx); 71int tls_configure_server(struct tls *ctx);
72int tls_configure_ssl(struct tls *ctx); 72int tls_configure_ssl(struct tls *ctx);
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index 4341802b5a..c1a5387829 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_verify.c,v 1.6 2014/12/17 17:51:33 doug Exp $ */ 1/* $OpenBSD: tls_verify.c,v 1.7 2015/02/11 06:46:33 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> 3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4 * 4 *
@@ -26,20 +26,20 @@
26 26
27#include "tls_internal.h" 27#include "tls_internal.h"
28 28
29int tls_match_hostname(const char *cert_hostname, const char *hostname); 29int tls_match_name(const char *cert_name, const char *name);
30int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host); 30int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name);
31int tls_check_common_name(struct tls *ctx, X509 *cert, const char *host); 31int tls_check_common_name(struct tls *ctx, X509 *cert, const char *name);
32 32
33int 33int
34tls_match_hostname(const char *cert_hostname, const char *hostname) 34tls_match_name(const char *cert_name, const char *name)
35{ 35{
36 const char *cert_domain, *domain, *next_dot; 36 const char *cert_domain, *domain, *next_dot;
37 37
38 if (strcasecmp(cert_hostname, hostname) == 0) 38 if (strcasecmp(cert_name, name) == 0)
39 return 0; 39 return 0;
40 40
41 /* Wildcard match? */ 41 /* Wildcard match? */
42 if (cert_hostname[0] == '*') { 42 if (cert_name[0] == '*') {
43 /* 43 /*
44 * Valid wildcards: 44 * Valid wildcards:
45 * - "*.domain.tld" 45 * - "*.domain.tld"
@@ -48,7 +48,7 @@ tls_match_hostname(const char *cert_hostname, const char *hostname)
48 * Reject "*.tld". 48 * Reject "*.tld".
49 * No attempt to prevent the use of eg. "*.co.uk". 49 * No attempt to prevent the use of eg. "*.co.uk".
50 */ 50 */
51 cert_domain = &cert_hostname[1]; 51 cert_domain = &cert_name[1];
52 /* Disallow "*" */ 52 /* Disallow "*" */
53 if (cert_domain[0] == '\0') 53 if (cert_domain[0] == '\0')
54 return -1; 54 return -1;
@@ -66,9 +66,9 @@ tls_match_hostname(const char *cert_hostname, const char *hostname)
66 if (next_dot[1] == '.') 66 if (next_dot[1] == '.')
67 return -1; 67 return -1;
68 68
69 domain = strchr(hostname, '.'); 69 domain = strchr(name, '.');
70 70
71 /* No wildcard match against a hostname with no domain part. */ 71 /* No wildcard match against a name with no domain part. */
72 if (domain == NULL || strlen(domain) == 1) 72 if (domain == NULL || strlen(domain) == 1)
73 return -1; 73 return -1;
74 74
@@ -80,7 +80,7 @@ tls_match_hostname(const char *cert_hostname, const char *hostname)
80} 80}
81 81
82int 82int
83tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host) 83tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name)
84{ 84{
85 STACK_OF(GENERAL_NAME) *altname_stack = NULL; 85 STACK_OF(GENERAL_NAME) *altname_stack = NULL;
86 union { struct in_addr ip4; struct in6_addr ip6; } addrbuf; 86 union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
@@ -93,10 +93,10 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
93 if (altname_stack == NULL) 93 if (altname_stack == NULL)
94 return -1; 94 return -1;
95 95
96 if (inet_pton(AF_INET, host, &addrbuf) == 1) { 96 if (inet_pton(AF_INET, name, &addrbuf) == 1) {
97 type = GEN_IPADD; 97 type = GEN_IPADD;
98 addrlen = 4; 98 addrlen = 4;
99 } else if (inet_pton(AF_INET6, host, &addrbuf) == 1) { 99 } else if (inet_pton(AF_INET6, name, &addrbuf) == 1) {
100 type = GEN_IPADD; 100 type = GEN_IPADD;
101 addrlen = 16; 101 addrlen = 16;
102 } else { 102 } else {
@@ -124,15 +124,15 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
124 124
125 if (len < 0 || len != strlen(data)) { 125 if (len < 0 || len != strlen(data)) {
126 tls_set_error(ctx, 126 tls_set_error(ctx,
127 "error verifying host '%s': " 127 "error verifying name '%s': "
128 "NUL byte in subjectAltName, " 128 "NUL byte in subjectAltName, "
129 "probably a malicious certificate", 129 "probably a malicious certificate",
130 host); 130 name);
131 rv = -2; 131 rv = -2;
132 break; 132 break;
133 } 133 }
134 134
135 if (tls_match_hostname(data, host) == 0) { 135 if (tls_match_name(data, name) == 0) {
136 rv = 0; 136 rv = 0;
137 break; 137 break;
138 } 138 }
@@ -172,20 +172,20 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
172} 172}
173 173
174int 174int
175tls_check_common_name(struct tls *ctx, X509 *cert, const char *host) 175tls_check_common_name(struct tls *ctx, X509 *cert, const char *name)
176{ 176{
177 X509_NAME *name; 177 X509_NAME *subject_name;
178 char *common_name = NULL; 178 char *common_name = NULL;
179 int common_name_len; 179 int common_name_len;
180 int rv = -1; 180 int rv = -1;
181 union { struct in_addr ip4; struct in6_addr ip6; } addrbuf; 181 union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
182 182
183 name = X509_get_subject_name(cert); 183 subject_name = X509_get_subject_name(cert);
184 if (name == NULL) 184 if (subject_name == NULL)
185 goto out; 185 goto out;
186 186
187 common_name_len = X509_NAME_get_text_by_NID(name, NID_commonName, 187 common_name_len = X509_NAME_get_text_by_NID(subject_name,
188 NULL, 0); 188 NID_commonName, NULL, 0);
189 if (common_name_len < 0) 189 if (common_name_len < 0)
190 goto out; 190 goto out;
191 191
@@ -193,32 +193,32 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *host)
193 if (common_name == NULL) 193 if (common_name == NULL)
194 goto out; 194 goto out;
195 195
196 X509_NAME_get_text_by_NID(name, NID_commonName, common_name, 196 X509_NAME_get_text_by_NID(subject_name, NID_commonName, common_name,
197 common_name_len + 1); 197 common_name_len + 1);
198 198
199 /* NUL bytes in CN? */ 199 /* NUL bytes in CN? */
200 if (common_name_len != strlen(common_name)) { 200 if (common_name_len != strlen(common_name)) {
201 tls_set_error(ctx, "error verifying host '%s': " 201 tls_set_error(ctx, "error verifying name '%s': "
202 "NUL byte in Common Name field, " 202 "NUL byte in Common Name field, "
203 "probably a malicious certificate.", host); 203 "probably a malicious certificate", name);
204 rv = -2; 204 rv = -2;
205 goto out; 205 goto out;
206 } 206 }
207 207
208 if (inet_pton(AF_INET, host, &addrbuf) == 1 || 208 if (inet_pton(AF_INET, name, &addrbuf) == 1 ||
209 inet_pton(AF_INET6, host, &addrbuf) == 1) { 209 inet_pton(AF_INET6, name, &addrbuf) == 1) {
210 /* 210 /*
211 * We don't want to attempt wildcard matching against IP 211 * We don't want to attempt wildcard matching against IP
212 * addresses, so perform a simple comparison here. 212 * addresses, so perform a simple comparison here.
213 */ 213 */
214 if (strcmp(common_name, host) == 0) 214 if (strcmp(common_name, name) == 0)
215 rv = 0; 215 rv = 0;
216 else 216 else
217 rv = -1; 217 rv = -1;
218 goto out; 218 goto out;
219 } 219 }
220 220
221 if (tls_match_hostname(common_name, host) == 0) 221 if (tls_match_name(common_name, name) == 0)
222 rv = 0; 222 rv = 0;
223out: 223out:
224 free(common_name); 224 free(common_name);
@@ -226,13 +226,13 @@ out:
226} 226}
227 227
228int 228int
229tls_check_hostname(struct tls *ctx, X509 *cert, const char *host) 229tls_check_servername(struct tls *ctx, X509 *cert, const char *servername)
230{ 230{
231 int rv; 231 int rv;
232 232
233 rv = tls_check_subject_altname(ctx, cert, host); 233 rv = tls_check_subject_altname(ctx, cert, servername);
234 if (rv == 0 || rv == -2) 234 if (rv == 0 || rv == -2)
235 return rv; 235 return rv;
236 236
237 return tls_check_common_name(ctx, cert, host); 237 return tls_check_common_name(ctx, cert, servername);
238} 238}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 13:04:17 +0000