From 5bdc435399643c5526aafbeddc1dd905dffe4399 Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Sat, 15 Mar 2014 16:01:06 +0100
Subject: [PATCH] polarssl: enable client side ssl verification if a certificate was loaded

Signed-off-by: Felix Fietkau
---
 ustream-polarssl.c | 15 ++++++++-------
 ustream-polarssl.h | 1 +
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/ustream-polarssl.c b/ustream-polarssl.c
index c0147ed..8516d7f 100644
--- a/ustream-polarssl.c
+++ b/ustream-polarssl.c
@@ -95,6 +95,7 @@ __ustream_ssl_context_new(bool server)
 	if (!ctx)
 		return NULL;
 
+	ctx->auth = SSL_VERIFY_NONE;
 	ctx->server = server;
 #ifdef USE_VERSION_1_3
 	pk_init(&ctx->key);
@@ -117,6 +118,9 @@ __hidden int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char
 	if (ret)
 		return -1;
 
+	if (!ctx->server)
+		ctx->auth = SSL_VERIFY_OPTIONAL;
+
 	return 0;
 }
 
@@ -256,7 +260,7 @@ static const int default_ciphersuites[] =
 __hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx)
 {
 	ssl_context *ssl;
-	int ep, auth;
+	int ep;
 
 	ssl = calloc(1, sizeof(ssl_context));
 	if (!ssl)
@@ -267,17 +271,14 @@ __hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx)
 		return NULL;
 	}
 
-	if (ctx->server) {
+	if (ctx->server)
 		ep = SSL_IS_SERVER;
-		auth = SSL_VERIFY_NONE;
-	} else {
+	else
 		ep = SSL_IS_CLIENT;
-		auth = SSL_VERIFY_OPTIONAL;
-	}
 
 	ssl_set_ciphersuites(ssl, default_ciphersuites);
 	ssl_set_endpoint(ssl, ep);
-	ssl_set_authmode(ssl, auth);
+	ssl_set_authmode(ssl, ctx->auth);
 	ssl_set_rng(ssl, _urandom, NULL);
 
 	if (ctx->server) {
diff --git a/ustream-polarssl.h b/ustream-polarssl.h
index 70e8b42..1da2ff6 100644
--- a/ustream-polarssl.h
+++ b/ustream-polarssl.h
@@ -40,6 +40,7 @@ struct ustream_ssl_ctx {
 	rsa_context key;
 #endif
 	x509_crt cert;
+	int auth;
 	bool server;
 };
 
-- 
2.11.0
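Review bot: Setting `ctx->auth = SSL_VERIFY_OPTIONAL` makes PolarSSL verify the peer certificate but still complete the handshake when verification fails, so on its own this does not reject an untrusted server; the session code has to call `ssl_get_verify_result()` after the handshake and act on a non-zero result, and no hunk in this patch does that (it may already exist elsewhere in the file). The body of __ustream_ssl_set_crt_file starts outside the hunk, so whether the loaded certificate is also registered as the client's CA chain is not visible here. A comment on the new lines would make the contract explicit, e.g. `/* a trust anchor is available: verify peers; callers must still check ssl_get_verify_result() */`.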
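Review bot: With `ssl_set_authmode(ssl, ctx->auth)` a client context on which __ustream_ssl_set_crt_file() was never called now runs with SSL_VERIFY_NONE, whereas the removed code gave every client session SSL_VERIFY_OPTIONAL; such a client no longer produces a failed verify result at all, it simply skips verification. That is presumably intended (there is no trust anchor to check against), but it is a silent downgrade that later readers will not see from this function alone, so a short comment next to the call such as `/* SSL_VERIFY_NONE unless a CA cert was loaded via set_crt_file */` is worth adding. __ustream_ssl_session_new continues past the end of the hunk.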
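Review bot: The new `int auth;` field in struct ustream_ssl_ctx is undocumented, and its meaning (a PolarSSL SSL_VERIFY_* authmode that changes as certificates are loaded) is not obvious from the name; the other fields in the struct carry no comments either, but this one encodes security policy. Suggest `int auth; /* SSL_VERIFY_* mode passed to ssl_set_authmode(); NONE until a cert is loaded */`.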