polarssl: enable client side ssl verification if a certificate was loaded

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

diff --git a/ustream-polarssl.c b/ustream-polarssl.c
index c0147ed..8516d7f 100644 (file)
--- a/ustream-polarssl.c
+++ b/ustream-polarssl.c
@@ -95,6 +95,7 @@ __ustream_ssl_context_new(bool server)
        if (!ctx)
                return NULL;
 
+       ctx->auth = SSL_VERIFY_NONE;
        ctx->server = server;
 #ifdef USE_VERSION_1_3
        pk_init(&ctx->key);
@@ -117,6 +118,9 @@ __hidden int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char
        if (ret)
                return -1;
 
+       if (!ctx->server)
+               ctx->auth = SSL_VERIFY_OPTIONAL;
+
        return 0;
 }
 
@@ -256,7 +260,7 @@ static const int default_ciphersuites[] =
 __hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx)
 {
        ssl_context *ssl;
-       int ep, auth;
+       int ep;
 
        ssl = calloc(1, sizeof(ssl_context));
        if (!ssl)
@@ -267,17 +271,14 @@ __hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx)
                return NULL;
        }
 
-       if (ctx->server) {
+       if (ctx->server)
                ep = SSL_IS_SERVER;
-               auth = SSL_VERIFY_NONE;
-       } else {
+       else
                ep = SSL_IS_CLIENT;
-               auth = SSL_VERIFY_OPTIONAL;
-       }
 
        ssl_set_ciphersuites(ssl, default_ciphersuites);
        ssl_set_endpoint(ssl, ep);
-       ssl_set_authmode(ssl, auth);
+       ssl_set_authmode(ssl, ctx->auth);
        ssl_set_rng(ssl, _urandom, NULL);
 
        if (ctx->server) {

diff --git a/ustream-polarssl.h b/ustream-polarssl.h
index 70e8b42..1da2ff6 100644 (file)
--- a/ustream-polarssl.h
+++ b/ustream-polarssl.h
@@ -40,6 +40,7 @@ struct ustream_ssl_ctx {
        rsa_context key;
 #endif
        x509_crt cert;
+       int auth;
        bool server;
 };