author | 2014-12-07 15:48:02 +0000 | |
committer | 2014-12-07 15:48:02 +0000 | |
commit | 31a3a711f2fbe8e417eca0e2bdbfc443ec2a72ff (patch) | |
tree | e5fdc0cda36e19fe0e102c29e0fc46cfdedd4d37 | |
parent | Revert to the use of C code for the basic BN routines (bn_add_words, (diff) | |
revert previous change for now, adjusting based on comments from jsing@
-rw-r--r-- | lib/libtls/tls.c | 13 | ||||
-rw-r--r-- | lib/libtls/tls_client.c | 10 | ||||
-rw-r--r-- | lib/libtls/tls_internal.h | 5 | ||||
-rw-r--r-- | lib/libtls/tls_verify.c | 35 |
4 files changed, 27 insertions, 36 deletions
diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c
index d3bb79b3fe2..6dae066922a 100644
--- a/lib/libtls/tls.c
+++ b/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.2 2014/12/07 15:00:32 bcook Exp $ */
+/* $OpenBSD: tls.c,v 1.3 2014/12/07 15:48:02 bcook Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -56,22 +56,15 @@ tls_error(struct tls *ctx)
 	return ctx->errmsg;
 }
 
-void
-tls_clear_error(struct tls *ctx)
-{
-	ctx->err = 0;
-	free(ctx->errmsg);
-	ctx->errmsg = NULL;
-}
-
 int
 tls_set_error(struct tls *ctx, char *fmt, ...)
 {
 	va_list ap;
 	int rv;
 
-	tls_clear_error(ctx);
 	ctx->err = errno;
+	free(ctx->errmsg);
+	ctx->errmsg = NULL;
 
 	va_start(ap, fmt);
 	rv = vasprintf(&ctx->errmsg, fmt, ap);
diff --git a/lib/libtls/tls_client.c b/lib/libtls/tls_client.c
index c5849a6897c..b851a6ecd0e 100644
--- a/lib/libtls/tls_client.c
+++ b/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.3 2014/12/07 15:00:32 bcook Exp $ */
+/* $OpenBSD: tls_client.c,v 1.4 2014/12/07 15:48:02 bcook Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -209,11 +209,9 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
 			tls_set_error(ctx, "no server certificate");
 			goto err;
 		}
-		tls_clear_error(ctx);
-		if (tls_check_hostname(ctx, cert, hostname) != 0) {
-			if (tls_error(ctx) == NULL)
-				tls_set_error(ctx, "host `%s' not present in"
-				    " server certificate", hostname);
+		if (tls_check_hostname(cert, hostname) != 0) {
+			tls_set_error(ctx, "host `%s' not present in"
+			    " server certificate", hostname);
 			goto err;
 		}
 	}
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index e6f2d4ac714..a23e63f7af4 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
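Review bot: In `tls_set_error()` the ordering of `ctx->err = errno;` ahead of the newly inlined `free(ctx->errmsg);` is load-bearing — `free()` is not guaranteed to leave errno untouched on every libc — but nothing says so, and a later tidy-up could swap the two lines; a one-line comment would pin it: `/* save errno before free(), which may clobber it */`. Separately, `ctx->err` is taken from errno even for callers whose failure is not an errno condition (the `"no server certificate"` call in tls_client.c is one), so the stored code can be a stale value from an unrelated earlier call; documenting that `err` is only meaningful after a libc/syscall failure, or letting such callers pass an explicit code, would make the field trustworthy. The signature's `char *fmt` could also be `const char *fmt` with a printf-style format attribute so mismatched arguments are caught at compile time, though that line is pre-existing context. tls_set_error's body continues past the hunk.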
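Review bot: The new `if (tls_check_hostname(cert, hostname) != 0)` folds the -2 result (a NUL byte inside a subjectAltName or Common Name, which tls_verify.c reports as a probably-malicious certificate) into the same `"host `%s' not present in server certificate"` message as an ordinary mismatch, so an API user cannot tell a suspicious certificate from a plain name mismatch. Now that the verify functions no longer receive `ctx`, the return value is the only channel for that distinction; preserving it here would look like `rv = tls_check_hostname(cert, hostname);` / `if (rv == -2) tls_set_error(ctx, "malformed name in server certificate");` / `else if (rv != 0) tls_set_error(ctx, "host `%s' not present in server certificate", hostname);` (assuming an `int rv` local is available, which the hunk does not show). tls_connect_fds begins and ends outside the hunk.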
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.2 2014/12/07 15:00:32 bcook Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.3 2014/12/07 15:48:02 bcook Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -62,12 +62,11 @@ struct tls {
 
 struct tls *tls_new(void);
 struct tls *tls_server_conn(struct tls *ctx);
-int tls_check_hostname(struct tls *ctx, X509 *cert, const char *host);
+int tls_check_hostname(X509 *cert, const char *host);
 int tls_configure_keypair(struct tls *ctx);
 int tls_configure_server(struct tls *ctx);
 int tls_configure_ssl(struct tls *ctx);
 int tls_host_port(const char *hostport, char **host, char **port);
-void tls_clear_error(struct tls *ctx);
 int tls_set_error(struct tls *ctx, char *fmt, ...);
 
 #endif /* HEADER_TLS_INTERNAL_H */
diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c
index 0252e205752..35a18202a9f 100644
--- a/lib/libtls/tls_verify.c
+++ b/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.2 2014/12/07 15:00:32 bcook Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.3 2014/12/07 15:48:02 bcook Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  *
@@ -27,8 +27,8 @@
 #include "tls_internal.h"
 
 int tls_match_hostname(const char *cert_hostname, const char *hostname);
-int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host);
-int tls_check_common_name(struct tls *ctx, X509 *cert, const char *host);
+int tls_check_subject_altname(X509 *cert, const char *host);
+int tls_check_common_name(X509 *cert, const char *host);
 
 int
 tls_match_hostname(const char *cert_hostname, const char *hostname)
@@ -80,7 +80,7 @@ tls_match_hostname(const char *cert_hostname, const char *hostname)
 }
 
 int
-tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
+tls_check_subject_altname(X509 *cert, const char *host)
 {
 	STACK_OF(GENERAL_NAME) *altname_stack = NULL;
 	union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
@@ -123,11 +123,10 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
 
 				if (ASN1_STRING_length(altname->d.dNSName) !=
 				    (int)strlen(data)) {
-					tls_set_error(ctx,
-					    "error verifying host '%s': "
-					    "NUL byte in subjectAltName, "
-					    "probably a malicious certificate",
-					    host);
+					fprintf(stdout, "%s: NUL byte in "
+					    "subjectAltName, probably a "
+					    "malicious certificate.\n",
+					    getprogname());
 					rv = -2;
 					break;
 				}
@@ -136,7 +135,10 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
 					rv = 0;
 					break;
 				}
-			}
+			} else
+				fprintf(stdout, "%s: unhandled subjectAltName "
+				    "dNSName encoding (%d)\n", getprogname(),
+				    format);
 		} else if (type == GEN_IPADD) {
 			unsigned char *data;
 
@@ -158,7 +160,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
 }
 
 int
-tls_check_common_name(struct tls *ctx, X509 *cert, const char *host)
+tls_check_common_name(X509 *cert, const char *host)
 {
 	X509_NAME *name;
 	char *common_name = NULL;
@@ -184,9 +186,8 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *host)
 
 	/* NUL bytes in CN? */
 	if (common_name_len != (int)strlen(common_name)) {
-		tls_set_error(ctx, "error verifying host '%s': "
-		    "NUL byte in Common Name field, "
-		    "probably a malicious certificate.", host);
+		fprintf(stdout, "%s: NUL byte in Common Name field, "
+		    "probably a malicious certificate.\n", getprogname());
 		rv = -2;
 		goto out;
 	}
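Review bot: The three `fprintf(stdout, ...)` calls reinstated in the -123, -136 and -184 hunks make library code write diagnostics to the process's standard output, where they interleave with the application's own output and are invisible to a caller consuming errors through the libtls API; if the messages are to stay until the error-reporting design is settled, `stderr` is the less surprising stream, and the `getprogname()` prefix is a program's convention rather than a library's. The `rv = -2;` on an embedded NUL is the security-relevant part of these hunks — tls_check_hostname() returns it without falling back to the Common Name check — and a comment at both sites would keep that intent from being "simplified" away later, e.g. `/* -2: name contains a NUL byte; caller must not fall back to CN matching */`. In the -136 hunk the multi-line `else` body is unbraced, which invites the dangling-statement mistake when another line is added; bracing it costs nothing. The enclosing functions begin and end outside these hunks.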
@@ -212,13 +213,13 @@ out:
 }
 
 int
-tls_check_hostname(struct tls *ctx, X509 *cert, const char *host)
+tls_check_hostname(X509 *cert, const char *host)
 {
 	int rv;
 
-	rv = tls_check_subject_altname(ctx, cert, host);
+	rv = tls_check_subject_altname(cert, host);
 	if (rv == 0 || rv == -2)
 		return rv;
 
-	return tls_check_common_name(ctx, cert, host);
+	return tls_check_common_name(cert, host);
 }
|
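Review bot: `tls_check_hostname()` has a three-valued contract that callers must know — 0 on a match, -2 when a name in the certificate contains an embedded NUL (in which case the Common Name is deliberately not consulted), and otherwise whatever `tls_check_common_name()` returns — but nothing documents it, and the only caller in this diff tests `!= 0`. A header comment above the definition would make the contract visible: `/* Returns 0 if host matches the certificate, -2 if a certificate name contains a NUL byte (probably malicious; no CN fallback), otherwise tls_check_common_name()'s result. */` The same one-line summary belongs beside the prototype in tls_internal.h, since that is what callers read.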