From: Felix Fietkau
Date: Sat, 15 Mar 2014 15:01:06 +0000 (+0100)
Subject: polarssl: enable client side ssl verification if a certificate was loaded
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=5bdc435399643c5526aafbeddc1dd905dffe4399;p=project%2Fustream-ssl.git

polarssl: enable client side ssl verification if a certificate was loaded

Signed-off-by: Felix Fietkau
---

diff --git a/ustream-polarssl.c b/ustream-polarssl.c
index c0147ed..8516d7f 100644
--- a/ustream-polarssl.c
+++ b/ustream-polarssl.c
@@ -95,6 +95,7 @@ __ustream_ssl_context_new(bool server)
 	if (!ctx)
 		return NULL;
 
+	ctx->auth = SSL_VERIFY_NONE;
 	ctx->server = server;
 #ifdef USE_VERSION_1_3
 	pk_init(&ctx->key);
@@ -117,6 +118,9 @@ __hidden int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char
 	if (ret)
 		return -1;
 
+	if (!ctx->server)
+		ctx->auth = SSL_VERIFY_OPTIONAL;
+
 	return 0;
 }
 
@@ -256,7 +260,7 @@ static const int default_ciphersuites[] =
 __hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx)
 {
 	ssl_context *ssl;
-	int ep, auth;
+	int ep;
 
 	ssl = calloc(1, sizeof(ssl_context));
 	if (!ssl)
@@ -267,17 +271,14 @@ __hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx)
 		return NULL;
 	}
 
-	if (ctx->server) {
+	if (ctx->server)
 		ep = SSL_IS_SERVER;
-		auth = SSL_VERIFY_NONE;
-	} else {
+	else
 		ep = SSL_IS_CLIENT;
-		auth = SSL_VERIFY_OPTIONAL;
-	}
 
 	ssl_set_ciphersuites(ssl, default_ciphersuites);
 	ssl_set_endpoint(ssl, ep);
-	ssl_set_authmode(ssl, auth);
+	ssl_set_authmode(ssl, ctx->auth);
 	ssl_set_rng(ssl, _urandom, NULL);
 
 	if (ctx->server) {
diff --git a/ustream-polarssl.h b/ustream-polarssl.h
index 70e8b42..1da2ff6 100644
--- a/ustream-polarssl.h
+++ b/ustream-polarssl.h
@@ -40,6 +40,7 @@ struct ustream_ssl_ctx {
 	rsa_context key;
 #endif
 	x509_crt cert;
+	int auth;
 	bool server;
 };
 
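Review bot: The new default `ctx->auth = SSL_VERIFY_NONE;` in __ustream_ssl_context_new lowers the client-side mode below what the removed branch in the __ustream_ssl_session_new hunk used, where a client got SSL_VERIFY_OPTIONAL unconditionally; a client context that never loads a certificate now gets no verification result recorded at all. If that is the intended trade-off it deserves a comment on the assignment, e.g. `/* no peer verification until a client loads a CA certificate, see __ustream_ssl_set_crt_file() */`. The start of __ustream_ssl_context_new is outside the hunk.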
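Review bot: SSL_VERIFY_OPTIONAL, which __ustream_ssl_set_crt_file now selects for clients, lets PolarSSL complete the handshake even when the peer certificate fails to verify; it only records the outcome for ssl_get_verify_result(). Unless the handshake path that follows ssl_set_authmode(ssl, ctx->auth) in the session hunk, or the caller, checks ssl_get_verify_result() and reports or aborts on a non-zero result, loading a CA certificate still enforces nothing, which the commit title suggests it should. If enforcement is the goal the one-line alternative is `ctx->auth = SSL_VERIFY_REQUIRED;`, which fails the handshake on a bad chain; otherwise the post-handshake check is needed and should be named in a comment here. Note also that nothing ties this assignment to the certificate being a CA rather than the client's own certificate, so a short comment on which file the mode change assumes would help. The opening of __ustream_ssl_set_crt_file is outside the hunk.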
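Review bot: The new `int auth;` member of struct ustream_ssl_ctx carries a PolarSSL authmode constant but nothing in the header says which values or who sets it. A comment would save the next reader a trip through ustream-polarssl.c: `int auth; /* SSL_VERIFY_* mode passed to ssl_set_authmode(); SSL_VERIFY_NONE until a client context loads a certificate */`. The remainder of the struct definition is outside the hunk.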