From 53b67cf53ae755b09e315a3bd30e87b66c4ea769 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Wed, 11 Feb 2015 07:01:10 +0000
Subject: Provide a tls_connect_servername() function that has the same
 behaviour as tls_connect(), however allows the name to use for verification
 to be explicitly provided, rather than being inferred from the host value.

Requested by reyk@

ok reyk@ tedu@
---
 src/lib/libtls/Makefile     |  4 +++-
 src/lib/libtls/tls.h        |  4 +++-
 src/lib/libtls/tls_client.c | 15 ++++++++++++---
 src/lib/libtls/tls_init.3   | 10 +++++++++-
 4 files changed, 27 insertions(+), 6 deletions(-)

(limited to 'src')

diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile
index 4ae970d093..61368bccfd 100644
--- a/src/lib/libtls/Makefile
+++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.4 2015/02/07 23:45:06 reyk Exp $
+#	$OpenBSD: Makefile,v 1.5 2015/02/11 07:01:10 jsing Exp $
 
 CFLAGS+= -Wall -Werror -Wimplicit
 CFLAGS+= -DLIBRESSL_INTERNAL
@@ -45,6 +45,8 @@ MLINKS+=tls_init.3 tls_reset.3
 MLINKS+=tls_init.3 tls_free.3
 MLINKS+=tls_init.3 tls_close.3
 MLINKS+=tls_init.3 tls_connect.3
+MLINKS+=tls_init.3 tls_connect_fds.3
+MLINKS+=tls_init.3 tls_connect_servername.3
 MLINKS+=tls_init.3 tls_connect_socket.3
 MLINKS+=tls_init.3 tls_accept_socket.3
 MLINKS+=tls_init.3 tls_read.3
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index c266832c80..0a6f8d7258 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.6 2015/02/11 06:46:33 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.7 2015/02/11 07:01:10 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -71,6 +71,8 @@ int tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket);
 int tls_connect(struct tls *ctx, const char *host, const char *port);
 int tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
     const char *servername);
+int tls_connect_servername(struct tls *ctx, const char *host, const char *port,
+    const char *servername);
 int tls_connect_socket(struct tls *ctx, int s, const char *servername);
 int tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen);
 int tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen);
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index baa4805f57..682153ca65 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.14 2015/02/11 06:46:33 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.15 2015/02/11 07:01:10 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -82,6 +82,13 @@ tls_connect_host(struct tls *ctx, const char *host, const char *port,
 
 int
 tls_connect(struct tls *ctx, const char *host, const char *port)
+{
+	return tls_connect_servername(ctx, host, port, NULL);
+}
+
+int
+tls_connect_servername(struct tls *ctx, const char *host, const char *port,
+    const char *servername)
 {
 	const char *h = NULL, *p = NULL;
 	char *hs = NULL, *ps = NULL;
@@ -128,7 +135,10 @@ tls_connect(struct tls *ctx, const char *host, const char *port)
 	    (s = tls_connect_host(ctx, h, p, AF_UNSPEC, AI_ADDRCONFIG)) == -1)
 		goto err;
 
-	if (tls_connect_socket(ctx, s, h) != 0) {
+	if (servername == NULL)
+		servername = h;
+
+	if (tls_connect_socket(ctx, s, servername) != 0) {
 		close(s);
 		goto err;
 	}
@@ -136,7 +146,6 @@ tls_connect(struct tls *ctx, const char *host, const char *port)
 	rv = 0;
 
 err:
-
 	free(hs);
 	free(ps);
 
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index 034c125347..c1e59383c4 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.11 2015/02/11 06:46:33 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.12 2015/02/11 07:01:10 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -47,6 +47,7 @@
 .Nm tls_free ,
 .Nm tls_connect ,
 .Nm tls_connect_fds ,
+.Nm tls_connect_servername ,
 .Nm tls_connect_socket ,
 .Nm tls_accept_socket ,
 .Nm tls_read ,
@@ -112,6 +113,7 @@
 .Fn tls_connect "struct tls *ctx" "const char *host" "const char *port"
 .Ft "int"
 .Fn tls_connect_fds "struct tls *ctx" "int fd_read" "int fd_write" "const char *servername"
+.Fn tls_connect_servername "struct tls *ctx" "const char *host" "const char *port" "const char *servername"
 .Ft "int"
 .Fn tls_connect_socket "struct tls *ctx" "int s" "const char *servername"
 .Ft "int"
@@ -159,6 +161,12 @@ A client connection is initiated after configuration by calling
 .Fn tls_connect .
 This function will create a new socket, connect to the specified host and
 port, and then establish a secure connection.
+The
+.Fn tls_connect_servername
+function has the same behaviour, however the name to use for verification is
+explicitly provided, rather than being inferred from the
+.Ar host
+value.
 An already existing socket can be upgraded to a secure connection by calling
 .Fn tls_connect_socket .
 Alternatively, a secure connection can be established over a pair of existing
-- 
cgit v1.2.3-55-g6feb