From 1fb5784eee903ab9b8621581b6128aaccf2d3120 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Mon, 10 Apr 2017 17:11:13 +0000 Subject: Rework name verification code so that a match is indicated via an argument, rather than return codes. More strictly follow RFC 6125, in particular only check the CN if there are no SAN identifiers present in the certificate (per section 6.4.4). Previous behaviour questioned by Daniel Stenberg . ok beck@ jca@ --- src/lib/libtls/tls_server.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'src/lib/libtls/tls_server.c') diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c index 51deff2510..39c6ca79e9 100644 --- a/src/lib/libtls/tls_server.c +++ b/src/lib/libtls/tls_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_server.c,v 1.35 2017/01/31 15:57:43 jsing Exp $ */ +/* $OpenBSD: tls_server.c,v 1.36 2017/04/10 17:11:13 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -75,11 +75,13 @@ tls_servername_cb(SSL *ssl, int *al, void *arg) union tls_addr addrbuf; struct tls *conn_ctx; const char *name; + int match; if ((conn_ctx = SSL_get_app_data(ssl)) == NULL) goto err; - if ((name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) == NULL) { + if ((name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) == + NULL) { /* * The servername callback gets called even when there is no * TLS servername extension provided by the client. Sigh! @@ -98,7 +100,10 @@ tls_servername_cb(SSL *ssl, int *al, void *arg) /* Find appropriate SSL context for requested servername. */ for (sni_ctx = ctx->sni_ctx; sni_ctx != NULL; sni_ctx = sni_ctx->next) { - if (tls_check_name(ctx, sni_ctx->ssl_cert, name) == 0) { + if (tls_check_name(ctx, sni_ctx->ssl_cert, name, + &match) == -1) + goto err; + if (match) { SSL_set_SSL_CTX(conn_ctx->ssl_conn, sni_ctx->ssl_ctx); return (SSL_TLSEXT_ERR_OK); } -- cgit v1.2.3-55-g6feb