Use hostname removing peer_cn.
authorNIIBE Yutaka <gniibe@fsij.org>
Thu, 19 Jan 2017 01:04:48 +0000 (10:04 +0900)
committerNIIBE Yutaka <gniibe@fsij.org>
Thu, 19 Jan 2017 01:04:48 +0000 (10:04 +0900)
* src/context.h (struct _ntbtls_context_s): Remove peer_cn field.
* src/protocol.c (_ntbtls_read_certificate): Use ->hostname.

--

This change reflects a corresponding change in the mbedtls API:
bc2b771af4b67c900813e58e7c8c77d7907291c1

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
src/context.h
src/ntbtls.h.in
src/protocol.c

index 9cd5d4a..4b0d86f 100644 (file)
@@ -385,7 +385,6 @@ struct _ntbtls_context_s
 
   x509_cert_t ca_chain;         /*!<  own trusted CA chain      */
   x509_crl_t  ca_crl;           /*!<  trusted CA CRLs           */
-  const char *peer_cn;          /*!<  expected peer CN          */
 
   /*
    * Support for generating and checking session tickets
@@ -413,6 +412,9 @@ struct _ntbtls_context_s
   gcry_mpi_t dhm_P;             /*!<  prime modulus for DHM   */
   gcry_mpi_t dhm_G;             /*!<  generator for DHM       */
 
+  char *hostname;               /*!< expected peer CN for verification
+                                    and SNI                            */
+
   /*
    * PSK values
    */
@@ -422,11 +424,6 @@ struct _ntbtls_context_s
   size_t psk_identity_len;
 
   /*
-   * SNI extension
-   */
-  char *hostname;
-
-  /*
    * ALPN extension
    */
   const char **alpn_list;       /*!<  ordered list of supported protocols   */
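Review bot: The new `hostname` field at the top of the second hunk is `char *` where the `peer_cn` it replaces was `const char *`, so the context now appears to hold the string rather than borrow it, but the doc comment does not say who allocates and frees it or what a NULL value means. Since the same pointer now drives both SNI and certificate name checking, the unset state is security-relevant and should be spelled out on the field, e.g. `/*!< expected peer name for certificate verification and SNI; NULL if ntbtls_set_hostname was never called.  Owned and freed by the context.  */` (ownership to be confirmed against ntbtls_set_hostname and the context destructor, which are outside this diff). The struct definition continues outside the hunks.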
index 8c14e1c..9085d03 100644 (file)
@@ -73,7 +73,8 @@ gpg_error_t ntbtls_get_stream (ntbtls_t tls,
                                gpgrt_stream_t *r_readfp,
                                gpgrt_stream_t *r_writefp);
 
-/* Set the hostname for SNI.  */
+/* Set the hostname to check against the received server certificate.
+   It is used for SNI, too.  */
 gpg_error_t ntbtls_set_hostname (ntbtls_t tls, const char *hostname);
 
 /* Perform the handshake with the peer.  The transport streams must be
index 5e8361c..61ca008 100644 (file)
@@ -2005,7 +2005,7 @@ _ntbtls_read_certificate (ntbtls_t tls)
        */
       err = _ntbtls_x509_verify (tls->session_negotiate->peer_chain,
                                  tls->ca_chain, tls->ca_crl,
-                                 tls->peer_cn,
+                                 tls->hostname,
                                  &tls->session_negotiate->verify_result);
       if (err)
         {
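Review bot: `tls->hostname` is only populated if the caller invoked ntbtls_set_hostname, so the verify call on the changed line now receives NULL whenever SNI was not configured; if _ntbtls_x509_verify follows the mbedtls convention of skipping the name check for a NULL expected name, a client that did not set a hostname silently loses peer-name verification where `peer_cn` used to be an independent input. The commit should either document that consequence at the call site, e.g. `/* hostname doubles as the expected peer name; NULL means no name check — callers must set it.  */`, or fail verification explicitly when `tls->hostname` is NULL and the caller has not opted out. The body of _ntbtls_read_certificate continues outside the hunk, so the error handling that follows is not visible here.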
@@ -3035,11 +3035,10 @@ _ntbtls_set_session (ntbtls_t tls, const session_t session)
 
 /* void */
 /* ssl_set_ca_chain (ntbtls_t ssl, x509_crt * ca_chain, */
-/*                   x509_crl_t ca_crl, const char *peer_cn) */
+/*                   x509_crl_t ca_crl) */
 /* { */
 /*   ssl->ca_chain = ca_chain; */
 /*   ssl->ca_crl = ca_crl; */
-/*   ssl->peer_cn = peer_cn; */
 /* } */