From 1fb5784eee903ab9b8621581b6128aaccf2d3120 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 10 Apr 2017 17:11:13 +0000
Subject: Rework name verification code so that a match is indicated via an argument, rather than return codes. More strictly follow RFC 6125, in particular only check the CN if there are no SAN identifiers present in the certificate (per section 6.4.4). Previous behaviour questioned by Daniel Stenberg . ok beck@ jca@
---
 src/lib/libtls/tls_client.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
(limited to 'src/lib/libtls/tls_client.c')
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index a1e2caa717..0e519684ef 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.40 2017/01/26 12:56:37 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.41 2017/04/10 17:11:13 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -289,7 +289,7 @@ int
 tls_handshake_client(struct tls *ctx)
 {
 	X509 *cert = NULL;
-	int ssl_ret;
+	int match, ssl_ret;
 	int rv = -1;
 
 	if ((ctx->flags & TLS_CLIENT) == 0) {
@@ -311,11 +311,11 @@ tls_handshake_client(struct tls *ctx)
 			tls_set_errorx(ctx, "no server certificate");
 			goto err;
 		}
-		if ((rv = tls_check_name(ctx, cert,
-		    ctx->servername)) != 0) {
-			if (rv != -2)
-				tls_set_errorx(ctx, "name `%s' not present in"
-				    " server certificate", ctx->servername);
+		if (tls_check_name(ctx, cert, ctx->servername, &match) == -1)
+			goto err;
+		if (!match) {
+			tls_set_errorx(ctx, "name `%s' not present in"
+			    " server certificate", ctx->servername);
 			goto err;
 		}
 	}
-- 
cgit v1.2.3-55-g6feb
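Review bot: `match` is declared without an initializer in the -289 hunk and is only ever written through the out-parameter of tls_check_name(), so the `if (!match)` test in the -311 hunk is well-defined only if tls_check_name() stores to `*match` on every path that does not return -1; that function is outside this diff, so the contract cannot be confirmed here. Initialising it so that any unexpected return fails closed (treated as a hostname mismatch) costs one token in the declaration hunk: `int match = 0, ssl_ret;`. The new `goto err` on -1 also drops the old `rv != -2` guard and therefore relies on tls_check_name() having already called tls_set_errorx() for every -1 return, otherwise the handshake fails with no error string; worth a one-line comment at the call site stating that expectation, e.g. `/* tls_check_name() sets the error on -1. */`. The enclosing tls_handshake_client() body continues outside both hunks.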