| author | 2014-12-07 15:48:02 +0000 | |
|---|---|---|
| committer | 2014-12-07 15:48:02 +0000 | |
| commit | 31a3a711f2fbe8e417eca0e2bdbfc443ec2a72ff (patch) | |
| tree | e5fdc0cda36e19fe0e102c29e0fc46cfdedd4d37 /lib/libtls/tls_verify.c | |
| parent | Revert to the use of C code for the basic BN routines (bn_add_words, (diff) | |
revert previous change for now, adjusting based on comments from jsing@
Diffstat (limited to 'lib/libtls/tls_verify.c')
| -rw-r--r-- | lib/libtls/tls_verify.c | 35 |
1 files changed, 18 insertions, 17 deletions
diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c
index 0252e205752..35a18202a9f 100644
--- a/lib/libtls/tls_verify.c
+++ b/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.2 2014/12/07 15:00:32 bcook Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.3 2014/12/07 15:48:02 bcook Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 *
@@ -27,8 +27,8 @@
 #include "tls_internal.h"
 int tls_match_hostname(const char *cert_hostname, const char *hostname);
-int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host);
-int tls_check_common_name(struct tls *ctx, X509 *cert, const char *host);
+int tls_check_subject_altname(X509 *cert, const char *host);
+int tls_check_common_name(X509 *cert, const char *host);
 int
 tls_match_hostname(const char *cert_hostname, const char *hostname)
@@ -80,7 +80,7 @@ tls_match_hostname(const char *cert_hostname, const char *hostname)
 }
 int
-tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
+tls_check_subject_altname(X509 *cert, const char *host)
 {
 STACK_OF(GENERAL_NAME) *altname_stack = NULL;
 union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
@@ -123,11 +123,10 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
 if (ASN1_STRING_length(altname->d.dNSName) != (int)strlen(data)) {
- tls_set_error(ctx,
- "error verifying host '%s': "
- "NUL byte in subjectAltName, "
- "probably a malicious certificate",
- host);
+ fprintf(stdout, "%s: NUL byte in "
+ "subjectAltName, probably a "
+ "malicious certificate.\n",
+ getprogname());
 rv = -2;
 break;
 }
@@ -136,7 +135,10 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
 rv = 0;
 break;
 }
- }
+ } else
+ fprintf(stdout, "%s: unhandled subjectAltName "
+ "dNSName encoding (%d)\n", getprogname(),
+ format);
 } else if (type == GEN_IPADD) {
 unsigned char *data;
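Review bot: The replacement diagnostic in the NUL-byte branch of the hunk at -123 is written with `fprintf(stdout, ...)`, which from library code means the text lands in the calling program's data output where it cannot be captured, suppressed or tied to a particular connection; the same applies to the new `else` branch in the hunk at -136 and to the Common Name check in the hunk at -184. Even if this revert is temporary, directing these to stderr, `fprintf(stderr, "%s: NUL byte in "`, keeps certificate-validation messages out of a caller's piped stdout. The new message also no longer names the host being verified, so someone reading the log has to correlate the warning with the connection by other means; consider keeping `host` in the format arguments. tls_check_subject_altname's body begins and ends outside these hunks.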
@@ -158,7 +160,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *host)
 }
 int
-tls_check_common_name(struct tls *ctx, X509 *cert, const char *host)
+tls_check_common_name(X509 *cert, const char *host)
 {
 X509_NAME *name;
 char *common_name = NULL;
@@ -184,9 +186,8 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *host)
 /* NUL bytes in CN? */
 if (common_name_len != (int)strlen(common_name)) {
- tls_set_error(ctx, "error verifying host '%s': "
- "NUL byte in Common Name field, "
- "probably a malicious certificate.", host);
+ fprintf(stdout, "%s: NUL byte in Common Name field, "
+ "probably a malicious certificate.\n", getprogname());
 rv = -2;
 goto out;
 }
@@ -212,13 +213,13 @@ out:
 }
 int
-tls_check_hostname(struct tls *ctx, X509 *cert, const char *host)
+tls_check_hostname(X509 *cert, const char *host)
 {
 int rv;
- rv = tls_check_subject_altname(ctx, cert, host);
+ rv = tls_check_subject_altname(cert, host);
 if (rv == 0 || rv == -2)
 return rv;
- return tls_check_common_name(ctx, cert, host);
+ return tls_check_common_name(cert, host);
 }
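Review bot: tls_check_hostname in the hunk at -212 carries no comment on its return-code contract, yet the `if (rv == 0 || rv == -2)` test shows callers must distinguish three outcomes: 0 when a subjectAltName or Common Name matches `host`, -2 when a name's ASN.1 length disagrees with strlen() (an embedded NUL, treated as a likely malicious certificate, which deliberately stops the Common Name fallback), and some other non-zero value when nothing matched. Suggest a block comment above the definition: `/* Returns 0 on a hostname match, -2 if a certificate name contains an embedded NUL (the CN fallback is then skipped), non-zero otherwise. */`. The -2 sentinel is set in both tls_check_subject_altname and tls_check_common_name, so the comment should say it is the only value that short-circuits the fallback.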
