From 2a50f4d2ac17bd1b5f2d6843a264b3cab6d46c7b Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Tue, 22 Dec 2015 16:29:20 -0500
Subject: [PATCH] Set tls_auth_failed when any present authentication mechanism fails

We used to only have hostnames available. now we have pubkey_pinsets available as well. We want upstream->tls_auth_failed to be 1 when any authentication mechanism we've been asked for fails (and also when we haven't been given any authentication mechanism at all).
---
 src/stub.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/stub.c b/src/stub.c
index 456194d3..320300a6 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -862,6 +862,7 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 if (pinset_ret != GETDNS_RETURN_GOOD) {
 DEBUG_STUB("--- %s, PINSET VALIDATION FAILURE!!\n", __FUNCTION__);
 preverify_ok = 0;
+ upstream->tls_auth_failed = 1;
 if (upstream->tls_fallback_ok)
 DEBUG_STUB("--- %s, PROCEEDING EVEN THOUGH PINSET VALIDATION FAILED!!\n", __FUNCTION__);
 }
@@ -1006,10 +1007,15 @@ tls_do_handshake(getdns_upstream *upstream)
 }
 upstream->tls_hs_state = GETDNS_HS_DONE;
 r = SSL_get_verify_result(upstream->tls_obj);
+ if (upstream->tls_auth_name[0])
 #ifdef X509_V_ERR_HOSTNAME_MISMATCH
- if (r == X509_V_ERR_HOSTNAME_MISMATCH)
+ if (r == X509_V_ERR_HOSTNAME_MISMATCH)
+#else
+ /* if we weren't built against OpenSSL with hostname matching we
+ * could not have matched the hostname, so this would be an automatic
+ * tls_auth_fail. */
 #endif
- upstream->tls_auth_failed = 1;
+ upstream->tls_auth_failed = 1;
 /* Reset timeout on success*/
 GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event);
 upstream->event.read_cb = NULL;
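Review bot: The new `upstream->tls_auth_failed = 1;` in tls_verify_callback is placed before the `tls_fallback_ok` check, so the pinset failure is recorded even when the callback goes on to let the connection proceed; that ordering is the point of the change and deserves a comment, e.g. `/* record the failure even if tls_fallback_ok lets the handshake continue */`. Nothing in the hunk clears the flag, so it presumably is reset where the upstream is (re)initialised — cannot tell from the hunk. tls_verify_callback starts and ends outside the hunk.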
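Review bot: The nested `if` built across `#ifdef`/`#else`/`#endif` in tls_do_handshake leaves the single unbraced statement `upstream->tls_auth_failed = 1;` as the body of two different conditions depending on the build, which is the shape that produces goto-fail style mistakes on the next edit; bracing the outer `if` and giving each preprocessor branch its own complete statement keeps the control flow explicit. The check also only recognises `X509_V_ERR_HOSTNAME_MISMATCH`: when a name was configured, any other non-`X509_V_OK` result from `SSL_get_verify_result` is not treated as an authentication failure here, which may be covered by the verify callback but cannot be confirmed from the hunk. The commit message says the flag should also be set when no authentication mechanism was given at all, but nothing in this hunk sets it when `tls_auth_name[0]` is empty. tls_do_handshake starts and ends outside the hunk.
```c
	r = SSL_get_verify_result(upstream->tls_obj);
	if (upstream->tls_auth_name[0]) {
#ifdef X509_V_ERR_HOSTNAME_MISMATCH
		if (r == X509_V_ERR_HOSTNAME_MISMATCH)
			upstream->tls_auth_failed = 1;
#else
		/* Built without OpenSSL hostname matching: the configured
		 * name could not have been verified, so count it as an
		 * authentication failure. */
		upstream->tls_auth_failed = 1;
#endif
	}
	/* … unchanged: reset timeout on success … */
```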